
Interconnecting Cisco Networking Devices

By Tom Price

ICND1

ICND1 Page 1

Network Foundations (22 October 2014, 09:08)

What is a network?

A network is a modern form of communication for humans.

Cisco is the 'debated' inventor of routers - the industry leader in network equipment.

Networks provide the infrastructure to transfer resources.

Common Network Equipment
- Switches
- Routers
- Wireless Access Points
- Client PCs and Servers

Cabling
- Ethernet - used to connect PCs and servers to wall jacks/switches. 100m max distance. Cost efficient.
- Fibre - gives much greater bandwidth than Ethernet and much greater distance. Used for connecting servers to switches and for fast Internet connections.
- Serial - still used by ISPs to connect to a CSU/DSU. Being phased out and now uncommon.

Speed
Networks handle speed in bits per second (eg. 100Mbps).
- Bit (smallest unit)
- Byte (8 bits)
- Kilobyte (1024 bytes)
- Megabyte (1024KB)
- Gigabyte (1024MB)
- Terabyte (1024GB)

REMEMBER - don't get confused between megabytes per second (MBps) and megabits per second (Mbps)...you need to divide Mbps by 8 to get the MBps speed!!

Ethernet - has speeds of 10Mbps, 100Mbps, 1000Mbps (1Gbps) and 10Gbps.

Example of Network Speed
Imagine we have a 10Mbps network and we would like to save a 10MB picture to the file server.

10Mbps divided by 8 = 1.25MBps

10MB / 1.25MBps = 8 seconds

With the overhead of sending data in packets we would estimate the time taken to save the 10MB picture would be 10 seconds!!!

OSI Model (22 October 2014, 09:51)

The OSI model is a network communication model.

It is a standard architecture defining network communication, providing a system to "break down" network communication into layers.

Each layer has its own standards.

Protocols
OSI was an actual protocol suite and competed with the TCP/IP protocol suite (like VHS and Betamax!). TCP/IP had simpler addressing and so TCP/IP was chosen as the standard.

OSI Model - 7 Layers

7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical

Remember!! **Please Do Not Throw Sausage Pizza Away**

Layers and their functions
- Application - eg. Internet Explorer, Vuze, Firefox, Chrome, World of Warcraft.
- Presentation - makes data generic. Eg. turns pictures into GIFs, does encryption. Enables the receiving application to understand the data.
- Session - maintains the session and keeps the process alive.
- Transport - how data is sent - the application decides. TCP/UDP are the main protocols used (ICMP for ping). Data apps would use TCP for reliability as it provides acknowledgments (acks). Voice/Video uses UDP for speed and is not fussy if a packet or two is dropped - however Voice is affected by jitter. The Transport layer uses ports - destination and source. Eg. Port 80 for HTTP.
- Network - logical addressing - IP addresses. Routers sit here.
- Data Link - physical addressing - MAC addresses. Switches sit here.
- Physical - bits sent over the wire. Network cable, NIC cards.

Note
Routers and switches also need to be able to send bits (Layer 1).

Example
Make an online payment via a Bank website:

1. Application - log into the Bank's website using Internet Explorer.
2. Presentation - converts data into the standard required by the Web server regardless of the browser used. HTML, GIF etc.
3. Session - was started when we logged into the website.

4. Transport - needs to be reliable - TCP!! Adds a destination port so the receiving web server knows which app the data is for - HTTPS 443. Adds a source port (dynamic/random port) so the bank web server can send acks back to tell us the payment has been made!
5. Network - used DNS to find out the IP address of the Bank website. Uses source and destination IP addresses.
6. Data Link - needs source and destination MAC addresses. The computer sees that the bank website IP is in a different network and so sends an ARP request for the default gateway (router) MAC address, and the PC then sends the request to the router to forward on to the Bank web server.
7. Physical - here the bits are sent over the wire through each router etc.

NOTE
Switches sit at Layer 2 - Data Link. They learn physical addresses (MAC). Hubs worked at the physical layer but could not learn MAC addresses and just flooded all ports with broadcasts.
Routers sit at Layer 3 - Network. They look at IP addresses and use their routing table to decide where to send.

TCP/IP Model (12 November 2014, 11:04)

The TCP/IP network model is a four-layer model. It is effectively a reduced version of the OSI model. However, the OSI model is more widely used as it breaks down the network layers in greater depth and gives a better explanation of data flow.

TCP/IP Model

4 Application
3 Transport
2 Internet
1 Network Interface

Spells NITA!

Layers and their functions
- Application - defines TCP/IP protocols and how programs interface with the transport layer. Eg. HTTP, Telnet, DNS, FTP.
- Transport - provides session management and the transport protocol. Eg. TCP, UDP, ICMP, RTP.
- Internet - packages data into IP datagrams and performs routing. Eg. ARP, IP.
- Network Interface - how data is physically sent through the network. Eg. Ethernet, Token Ring.

How the layers map between both models...

Ethernet Frame Diagram (field sizes in bytes)

Preamble      8
Destination   6
Source        6
Type          2
Data          46-1500
FCS (CRC)     4

A runt is a frame which is less than 64 bytes in size and a giant is a frame which is greater than 1518 bytes in size...both are discarded by a switch!

Straight-Through, Crossover and Rollover Cables (23 January 2015, 10:34)

Different devices require different cables when connected together in a network!

Two simple rules to remember!
1. When the devices are different then a straight-through cable is used.
2. When the devices are the same then a crossover cable is used.

Router to Router    Crossover
Switch to Switch    Crossover
PC to Router        Crossover
PC to Switch        Straight-Through
Switch to Router    Straight-Through
Switch to Hub       Crossover

Straight-Through Cables
These are used to connect computers and printers to a switch or hub (a client to a host).
Pin 1 to Pin 1
Pin 2 to Pin 2
Pin 3 to Pin 3
Etc...

Crossover Cables
These are commonly used to connect two hosts together. Eg. Router to Router, Switch to Switch or PC to PC.
Pin 1 to Pin 3
Pin 2 to Pin 6
Pin 3 to Pin 1
Pin 4 to Pin 7
Pin 5 to Pin 8
Etc...

Rollover/Console Cables
These are used to connect a PC to a switch/router for management purposes.
Pin 1 to Pin 8
Pin 2 to Pin 7
Pin 3 to Pin 6
Pin 4 to Pin 5
Etc...

IP Addressing (22 October 2014, 10:23)

IPv4
32 bit address. Consists of four octets - 0 to 255 - eg 192.168.0.100 (in binary = 11000000.10101000.00000000.01100100 = 32 bits).
Combines with a default gateway and subnet mask. Eg.
IP Address: 192.168.0.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1

Example of how IP addresses are used
Ping to test connectivity between two PCs on the same network.

PC1 (192.168.0.4) types 'ping 192.168.0.5' in the command prompt. This is the IP address of PC2. This initiates an ARP request which is sent to the switch. The switch then sends this out of all ports apart from the port PC1 is connected to. PC2, with the address 192.168.0.5, sends back its MAC address using a unicast message. PC1 then sends the actual ping to PC2 once it knows its MAC. The switch also remembers the MAC addresses of each device and the port which they are connected to.

MAC address - 12 character (48 bit or 6 byte) hexadecimal address (eg. 1E:47:FC:15:6F:8D). Each character is 4 bits (eg 1001). These are assigned to each NIC (network interface card). They have to be unique on the LAN (and they should be when assigned by the manufacturer!) but in theory they could be the same on different LANs across a WAN link.

Default Gateway - is a router which takes us off our network and onto the Internet (or just another subnet within our network).

NOTE
If the above ping was sent to a device which was on a different network to our own (eg. 11.25.200.46) then PC1 would have recognised that this IP is in a different network and would have sent an ARP for the MAC address of its default gateway (router).

Moving around Layer 2 & 3
- Switches - sit at Layer 2 - only use MAC addresses
- Routers - sit at Layer 3 - use IP addresses

However, we do have L3 switches which can also work with IP addresses.

When forwarding data, routers strip off the MAC addresses and add a new source and destination MAC address. The IP addresses never change in the packet.

Default Route (0.0.0.0)
If a router does not know the route it sends the packet to the Internet/ISP router.
BGP - Border Gateway Protocol - this holds all of the routes for the Internet!! Knows everything!!
Useful command - arp -a - this shows the IP and MAC addresses of devices on the LAN that this PC has learned (its ARP cache).

Assigning IP Addresses

Static
Servers, Routers, printers.
We can rename network connections to give them a meaningful name (Go to Control Panel -> Network Adapter -> Advanced).

DHCP
This is a server role - we define an IP address scope - eg. LAN PCs. When PCs boot up they send a broadcast for an IP address. The DHCP server is listening using ports 67 and 68. We can add exclusions into scopes for any IP addresses which we may have defined statically (and also add reservations too). A router can also be a DHCP server.

DHCP Relay
If we have lots of remote offices we can run DHCP from a central point. We can enable DHCP relay on a router to allow DHCP broadcasts to grab IP addresses from the main office server. Remember...routers discard broadcasts by default.

Public and Private IP Addresses (22 October 2014, 11:15)

Private - not routable on the Internet!!
10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255

Automatic (APIPA)
Assigned when a PC cannot contact a DHCP server.
169.254.0.0 -> 169.254.255.255

Loopback (ping 127.0.0.1)
127.0.0.0 -> 127.255.255.255

Special Addresses
The first address of the subnet is the network ID. The last address of a subnet is the broadcast address.
Eg.
Network ID = 192.168.1.0/24
Broadcast = 192.168.1.255

NAT is used so private addresses can be used on the Internet. It translates all private addresses to the external IP address given by your ISP.

Classes of Addresses (22 October 2014, 11:24)

Default Subnet Mask (first octet range and default mask)

Class A   1 - 126     255.0.0.0 (/8)
Class B   128 - 191   255.255.0.0 (/16)
Class C   192 - 223   255.255.255.0 (/24)
Class D   224 - 239   (multicast addresses)
Class E   240 - 254   (experimental addresses)

Classful addressing is where we use the default subnet mask as above.

Cisco advises not having a network with >500 devices due to broadcast traffic!

Classless Addressing
This is where we can use a Class C subnet mask with a Class A network.
Eg.
Class A network - 10.0.0.0
Subnet Mask - 255.255.255.0 (This gives us 254 usable addresses per subnet)

Types of messages
- Unicast - message sent to 1 device
- Multicast - message sent to a group of devices (devices tune into a specific IP address in the Class D range)
- Broadcast - message sent to all devices
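The addressing rules from the last few pages (network ID and broadcast from a mask, classful vs classless, private/APIPA/loopback ranges, and the same-network test a PC makes before it ARPs) worked through in code. This is an added example, not part of the notes; the sample addresses are constructed for illustration.

```python
# Added example (not from the notes): working out network ID, broadcast,
# class and scope for an IPv4 address and dotted-decimal mask, the way the
# notes do it by hand. Sample addresses are constructed for illustration.

PRIVATE_AND_SPECIAL = [                      # ranges listed in the notes
    ("private", "10.0.0.0", "10.255.255.255"),
    ("private", "172.16.0.0", "172.31.255.255"),
    ("private", "192.168.0.0", "192.168.255.255"),
    ("APIPA", "169.254.0.0", "169.254.255.255"),
    ("loopback", "127.0.0.0", "127.255.255.255"),
]
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}   # classful default masks /8, /16, /24


def to_int(dotted: str) -> int:
    """'192.168.0.100' -> 32-bit integer; rejects anything that is not 4 octets of 0-255."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not four octets: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Dotted binary, e.g. 192.168.0.100 -> 11000000.10101000.00000000.01100100"""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def prefix_length(mask: str) -> int:
    """255.255.255.0 -> 24. A valid mask is contiguous ones followed by zeros."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ones


def address_class(dotted: str) -> str:
    """Class from the first octet, using the ranges in the table above."""
    first = to_int(dotted) >> 24
    if 1 <= first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    if 240 <= first <= 254:
        return "E"
    return "reserved"


def address_scope(dotted: str) -> str:
    """'private', 'APIPA', 'loopback' or 'public' (i.e. routable on the Internet)."""
    v = to_int(dotted)
    for name, low, high in PRIVATE_AND_SPECIAL:
        if to_int(low) <= v <= to_int(high):
            return name
    return "public"


def subnet_info(ip: str, mask: str) -> dict:
    """Network ID (first address), broadcast (last address), usable hosts,
    and whether the mask is the classful default for this address class."""
    prefix = prefix_length(mask)
    network = to_int(ip) & to_int(mask)
    broadcast = network | (~to_int(mask) & 0xFFFFFFFF)
    usable = max(2 ** (32 - prefix) - 2, 0)
    return {
        "network_id": f"{to_dotted(network)}/{prefix}",
        "broadcast": to_dotted(broadcast),
        "usable_hosts": usable,
        "first_host": to_dotted(network + 1) if usable else None,
        "last_host": to_dotted(broadcast - 1) if usable else None,
        "class": address_class(ip),
        "scope": address_scope(ip),
        "classful": DEFAULT_PREFIX.get(address_class(ip)) == prefix,
    }


def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """The check a PC makes before it pings: ARP for the host itself (same
    network) or for the default gateway (different network)."""
    m = to_int(mask)
    return (to_int(ip_a) & m) == (to_int(ip_b) & m)


if __name__ == "__main__":
    for key, val in subnet_info("10.1.1.10", "255.255.255.0").items():
        print(f"{key:13} {val}")          # classless: Class A address with a /24 mask
    print(to_binary("192.168.0.100"))
    print(same_network("192.168.0.4", "192.168.0.5", "255.255.255.0"))    # True
    print(same_network("192.168.0.4", "11.25.200.46", "255.255.255.0"))   # False
```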

How Applications Speak - TCP & UDP (22 October 2014, 11:47)

Transport Layer (Layer 4)
TCP and UDP are the primary transport layer protocols used today.

UDP - says "I hope it got there!"

TCP - says "I know it got there!" TCP uses a 3 way handshake (SYN, then SYN,ACK, then ACK) to establish a connection.

UDP (User Datagram Protocol)
Less reliable than TCP. Used in VoIP and Video - real-time - no need to resend lost packets. DNS uses UDP as it is very fast. Nslookup - tell me the IP address of a hostname!! DNS - the destination port would be 53 for any DNS requests. A random source port would be assigned eg. 50001. DNS is a simple question and answer - there is no confirmation of whether the question or answer was received.

TCP (Transmission Control Protocol)
TCP uses a 3 way handshake to establish the connection. It uses acknowledgments to ensure packets have been received. HTTP is TCP based - ensures webpages load completely!

3 Way Handshake process
1. SYN - PC1 sends a SYN to PC2 with sequence number 1000.
2. SYN + ACK - PC2 receives the SYN and sends back a SYN,ACK with sequence number 5000 and ack = 1001.
3. ACK - PC1 then receives the SYN,ACK and sends an ACK to PC2 with ack = 5001.

The handshake process uses sequence numbers that increment when sending data.

Note: The ACK is always 1 more than the sequence number (see above for an example!)

TCP communication always starts with a 3 way handshake before any actual data is transmitted.

TCP adds source and destination ports to each packet.

TCP Windowing
This is the process where data is sent in groups of packets to speed up a download/copy process. Eg. You'll notice when we save a large file to a file server it will initially say '10 hours', then '6 hours' etc to copy. This is because the sending PC will gradually increase the number of packets it sends at one time until the server says "No...that's enough packets...don't send any more than that at any one time"...and so the PC will stop increasing the number of packets it sends at one time. This is why the ETA always varies.

Flow Control Methods
- Windowing - see above!!!
- Buffering - where devices store incoming traffic in a memory queue, to be processed when possible.
- Congestion Avoidance - is used during peak time where networks drop low priority traffic to maintain faster processing of higher priority traffic such as Voice or Video.
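The 3 way handshake described above, modelled with both sides' segments and the sequence numbers the notes use (1000 and 5000), plus a check over a captured list of segments that tells a completed handshake from a half-open one and from inconsistent numbers. This is an added example, not part of the notes; host names and numbers are constructed for illustration.

```python
# Added example (not from the notes): the TCP 3 way handshake with both sides'
# segments, and a classifier for a captured exchange. Host names and sequence
# numbers are constructed for illustration (1000/5000 are the notes' values).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    src: str
    dst: str
    flags: str                 # "SYN", "SYN,ACK", "ACK" or "PSH,ACK" (data)
    seq: int
    ack: Optional[int] = None  # None when the ACK flag is not set
    data: bytes = b""


def client_syn(client: str, server: str, isn: int) -> Segment:
    """Step 1: the client picks an initial sequence number (ISN) and sends SYN."""
    return Segment(client, server, "SYN", seq=isn)


def server_syn_ack(syn: Segment, isn: int) -> Segment:
    """Step 2: the server acknowledges seq+1 and sends its own ISN with SYN set."""
    if syn.flags != "SYN":
        raise ValueError("expected a SYN")
    return Segment(syn.dst, syn.src, "SYN,ACK", seq=isn, ack=syn.seq + 1)


def client_ack(syn: Segment, syn_ack: Segment) -> Segment:
    """Step 3: the client checks its SYN was acknowledged, then acks the server's ISN."""
    if syn_ack.flags != "SYN,ACK" or syn_ack.ack != syn.seq + 1:
        raise ValueError("server did not acknowledge our SYN correctly")
    return Segment(syn.src, syn.dst, "ACK", seq=syn.seq + 1, ack=syn_ack.seq + 1)


def three_way_handshake(client: str, server: str,
                        client_isn: int = 1000, server_isn: int = 5000) -> List[Segment]:
    syn = client_syn(client, server, client_isn)
    syn_ack = server_syn_ack(syn, server_isn)
    return [syn, syn_ack, client_ack(syn, syn_ack)]


def send_data(last: Segment, payload: bytes) -> Segment:
    """After the handshake the SYN has used up one sequence number; each data
    segment then advances seq by the bytes carried by the previous one (the
    'increment when sending data' the notes mention)."""
    return Segment(last.src, last.dst, "PSH,ACK", seq=last.seq + len(last.data),
                   ack=last.ack, data=payload)


def handshake_state(segments: List[Segment]) -> Tuple[str, str]:
    """Classify a captured exchange as ('complete', ...), ('half-open', reason)
    or ('invalid', reason). A SYN never followed by the final ACK is a
    half-open connection: the server has allocated state for nothing."""
    syn = next((s for s in segments if s.flags == "SYN"), None)
    if syn is None:
        return "invalid", "no SYN seen"
    syn_ack = next((s for s in segments if s.flags == "SYN,ACK"
                    and s.src == syn.dst and s.dst == syn.src), None)
    if syn_ack is None:
        return "half-open", "server never answered with SYN,ACK"
    if syn_ack.ack != syn.seq + 1:
        return "invalid", f"SYN,ACK acks {syn_ack.ack}, expected {syn.seq + 1}"
    ack = next((s for s in segments if s.flags == "ACK"
                and s.src == syn.src and s.dst == syn.dst), None)
    if ack is None:
        return "half-open", "client never sent the final ACK"
    if ack.ack != syn_ack.seq + 1:
        return "invalid", f"final ACK acks {ack.ack}, expected {syn_ack.seq + 1}"
    return "complete", "SYN / SYN,ACK / ACK all seen with consistent numbers"


if __name__ == "__main__":
    exchange = three_way_handshake("PC1", "PC2")
    for seg in exchange:
        print(f"{seg.src} -> {seg.dst}: {seg.flags:8} seq={seg.seq} ack={seg.ack}")
    print(handshake_state(exchange))
    print(handshake_state(exchange[:2]))   # no final ACK -> half-open
```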

Common TCP and UDP Port Numbers (22 October 2014, 13:09)

Common TCP Ports
21    FTP
22    SSH
23    Telnet
25    SMTP
53    DNS Server
80    HTTP
110   POP3
443   HTTPS

Common UDP Ports
53    DNS Client
69    TFTP (Trivial File Transfer Protocol)

We can use port numbers to restrict access. Eg. block Internet access - ports 80 and 443. These ports need to be allowed on the firewall if we want to permit the traffic.

FCS (Frame Check Sequence)
This is a check value added to the end of each frame. It tells us if the frame is good/not corrupt! Also called CRC (Cyclic Redundancy Check).

Data names at different layers...
Segment -> Application
Packet -> Network
Frame -> Data Link

Switching (22 October 2014, 13:39)

Hubs
- 1980's
- Use CSMA/CD - to recover from collisions
- Sit at the physical layer
- One collision domain
- Half duplex - only 1 device can send or receive at any one time
- The hub sends all packets to all network ports (broadcast)
- No intelligence!
- No security

Bridge
- 1990's
- Broke the network into multiple collision domains
- Limited ports
- Separated hubs
- Learned MAC addresses (sit at layer 2)
- Software based - was very slow (not ASIC based like Cisco routers/switches)

Switch
- 2000's
- Every port is its own collision domain - eg. a 24 port switch will have 24 collision domains
- Full duplex - everyone can send and receive at the same time!
- ASIC based (Application Specific Integrated Circuit) - hardware based and very fast
- Varying port speeds eg. 100Mbps, 1000Mbps
- Managed, intelligent - can configure ports, VLANs etc
- Learns MAC addresses of all connected devices

Fibre Optic
- Common to connect switches together
- Need an SFP module on the switch
- Multi mode - plastic, cheap
- Single mode - glass, expensive

CAM Table (Content Addressable Memory)
- Stores MAC addresses and the associated port/interface the device is connected to
- Empty when the switch boots up
- Takes approx. 5 seconds for the switch to learn all MAC addresses of connected devices!

How a Switch behaves... (22 October 2014, 14:34)

Example
When a PC pings another PC using an IP address on the same network:
- An ARP broadcast (FFFF:FFFF:FFFF is the broadcast address) is sent to find out the MAC address of PC2 using its IP address.
- This is sent to all ports on the switch.
- The PC with the matching IP replies with its MAC address using a unicast message.
- The switch learns the MAC addresses of the sender & receiver of the ping message - it stores the MAC address and port/interface in its CAM table!
- Entries in the CAM table have a lifespan of 5 minutes.

Broadcast domains
If we have several switches connected together we still only have 1 broadcast domain. Each port would still be in its own collision domain.

Layer 2 Switching Methods

Store-and-Forward Switching
The switch copies each frame into its memory and performs a CRC check (Cyclic Redundancy Check) for errors. If a CRC error is found then the frame is discarded. If the frame is error free then the switch forwards the frame out of the relevant interface.
A frame is also discarded if it is smaller than 64 bytes in length (a runt) or larger than 1518 bytes in length (a giant).
This method ensures a high level of error-free network traffic.

Cut-Through Switching
The switch copies into memory only the destination MAC address, which is located within the first 6 bytes of the frame. The switch then looks up the MAC address in its CAM table and forwards out of the relevant interface. This method reduces delay as frames are not checked for errors and are forwarded as soon as the MAC address is read and the outgoing interface determined. However, bad frames are still forwarded. The destination will receive the bad frame, perform a CRC check and realise it is bad, and will then request for it to be re-sent. This wastes bandwidth and can cause slow network performance.

NOTE
Today's switches are better suited to a store-and-forward environment.
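The Ethernet frame layout from the TCP/IP Model page (dst 6, src 6, type 2, data 46-1500, FCS 4) and the switch behaviour above (CAM learning, flooding of broadcasts and unknown destinations, the runt/giant/CRC checks of store-and-forward versus the unchecked forwarding of cut-through) in one runnable model. This is an added example, not part of the notes or any Cisco software; MAC addresses and payloads are constructed for illustration.

```python
# Added example (not from the notes): Ethernet frames with the field layout
# from the frame diagram (preamble excluded - the NIC strips it), the checks a
# store-and-forward switch makes, and a CAM-table switch model with both
# switching methods. MAC addresses and payloads are constructed.
import zlib
from typing import Dict, List, Tuple

MIN_FRAME, MAX_FRAME = 64, 1518          # below = runt, above = giant (bytes, incl. FCS)
BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Pad the data field to the 46-byte minimum and append the FCS: the
    IEEE 802.3 CRC-32 over dst+src+type+data, least significant byte first."""
    body = (mac_bytes(dst) + mac_bytes(src) + ethertype.to_bytes(2, "big")
            + payload.ljust(46, b"\x00"))
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + fcs.to_bytes(4, "little")


def check_frame(frame: bytes) -> str:
    """The verdict a store-and-forward switch reaches: 'ok', 'runt', 'giant' or 'bad crc'."""
    if len(frame) < MIN_FRAME:
        return "runt"
    if len(frame) > MAX_FRAME:
        return "giant"
    body, fcs = frame[:-4], int.from_bytes(frame[-4:], "little")
    return "ok" if (zlib.crc32(body) & 0xFFFFFFFF) == fcs else "bad crc"


class Switch:
    def __init__(self, ports: List[str], mode: str = "store-and-forward"):
        self.ports = list(ports)
        self.mode = mode                 # "store-and-forward" or "cut-through"
        self.cam: Dict[str, str] = {}    # MAC -> port; empty when the switch boots

    def receive(self, in_port: str, frame: bytes) -> Tuple[str, List[str]]:
        """Returns (verdict, list of ports the frame is sent out of).
        Learning: the source MAC is recorded against in_port.
        Forwarding: known unicast -> that one port (dropped if it is the port
        the frame came in on); broadcast or unknown destination -> flood."""
        if self.mode == "store-and-forward":
            verdict = check_frame(frame)         # whole frame buffered and checked
            if verdict != "ok":
                return verdict, []               # discarded, never forwarded
        else:
            verdict = "forwarded unchecked"      # cut-through: only the dst MAC is read
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        self.cam[src] = in_port
        if dst != BROADCAST and dst in self.cam:
            out_port = self.cam[dst]
            return verdict, ([] if out_port == in_port else [out_port])
        return verdict, [p for p in self.ports if p != in_port]


if __name__ == "__main__":
    pc1, pc2 = "00:11:22:33:44:01", "00:11:22:33:44:02"
    sw = Switch(["fa0/1", "fa0/2", "fa0/3"])
    arp = build_frame(BROADCAST, pc1, ETHERTYPE_ARP, b"who-has 192.168.0.5")
    print(sw.receive("fa0/1", arp))              # flooded to fa0/2 and fa0/3
    reply = build_frame(pc1, pc2, ETHERTYPE_ARP, b"is-at " + pc2.encode())
    print(sw.receive("fa0/2", reply))            # dst now known -> fa0/1 only
    print(sw.cam)
    damaged = reply[:20] + bytes([reply[20] ^ 0xFF]) + reply[21:]   # corrupt one data byte
    print(sw.receive("fa0/2", damaged))          # bad crc -> dropped
    print(Switch(["fa0/1", "fa0/2"], "cut-through").receive("fa0/2", damaged))  # forwarded anyway
```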

Cisco IOS (22 October 2014, 16:45)

The Internetwork Operating System (IOS)
- Command line method to configure devices
- Consistent through nearly all Cisco devices
- It is software, like MS Windows, OS X or Linux.

Console Connection
- Allows us to configure a Cisco device using a console cable and a terminal program eg. PuTTY
- Console cable - RJ45-to-serial
- Console ports are normally 'blue'

1. Get a console cable
2. Connect to the PC serial port
3. Connect the RJ45 end to the console port on the switch
4. Get a terminal program eg. PuTTY.
   a. Baud rate = 9600
   b. Data bits = 8
   c. Parity = None
   d. Stop bits = 1
5. Set it to connect via the COM port

NOTE - configuring the incorrect baud rate results in unreadable characters on screen while accessing the Cisco CLI!

IOS Command Modes

Switch>            User Mode (User Exec) - basic view - can't do any configuration
   enable (en)
Switch#            Privileged Mode (Priv Exec) - more commands available (eg. show running-config) but still cannot configure
   configure terminal (conf t)
Switch(config)#    Global Config mode - can do all configuration: configure ports, VLANs, hostname, IP address etc.

Use the 'tab' key to complete commands. Use '?' to tell us the available commands.

CTRL + Z exits all config modes.

Base Configuration (22 October 2014, 17:01)

Initial Switch Configuration
- Switches can work straight out of the box
- Choose 'No' at the initial config question

Name the Switch
Switch> enable
Switch# conf t
Switch(config)# hostname Toms-Switch

Negate Commands (use 'no')
Switch(config)# no hostname

Console Password
- Switches only have 1 console port
Switch(config)# line console 0
Switch(config-line)# password cisco
Switch(config-line)# login          <- REMEMBER THIS LINE

Telnet Password (manage remotely)
Switch(config)# line vty 0 15
Switch(config-line)# password cisco
- When looking at the running config it will show 0-4 and 5-15 vty lines...this is because Cisco devices only used to have 5 telnet lines.
- We don't need to use 'login' here as this is already enabled for the vty lines.

Enable Mode Password (Privileged mode)
Switch(config)# enable secret cisco
- We could have used 'enable password' but this does not encrypt the password and it could be seen as clear text in the running config.

Encrypt Passwords (only line of sight - easily cracked)
Switch(config)# service password-encryption
- This encrypts all passwords including vty and console....however these are easily cracked and only prevent line-of-sight (shoulder-surfing) attacks.

Other Useful Commands (for the console line)
Switch(config)# line con 0
Switch(config-line)# no exec-timeout
- The above command stops the console session from timing out!

Switch(config)# line con 0
Switch(config-line)# logging synchronous
- This stops status alerts from being inserted into any command we may be typing!

Management (VLAN) IP Address
A switch needs an IP address to be managed remotely. The default VLAN is VLAN 1. We need to create a VLAN interface, called an SVI (Switch Virtual Interface).
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.1.1.10 255.255.255.0
Switch(config-if)# no shutdown
- All VLAN interfaces are shutdown by default...we need to enable the interface.

Switch(config-if)# no shutdown
- The interface will then change to up.

Default Gateway
For us to manage the above switch we would need to be logged onto a PC in VLAN 1 in the same subnet. So to manage the switch from another network we would need to configure a default gateway. If we need to do troubleshooting from the switch (eg. ping, traceroute) then we need this configured.
Switch(config)# ip default-gateway 10.1.1.1

Shutdown Unused Ports
Switch(config)# int range fa0/10 - 15
Switch(config-if-range)# shutdown
- This shuts down all ports in the range 10-15!
- It is good practice to shut down unused ports to prevent people from plugging infected laptops etc into the network.

Logon Banner
We can create a banner message to be displayed for all logins.
Switch(config)# banner motd + *****CENTRESOFT NETWORK - SWITCH 1***** +
- NOTE: '+' is the delimiting character...anything we type in between the + signs will be used as the banner!!
- We could have used 'banner login' but this only displays when a login is required/configured for the connection.

Saving Configurations
Running config is saved in RAM...which is volatile and lost if the switch is rebooted! Startup config is stored in NVRAM...which is non-volatile and safe if the switch loses power!
Switch# copy running-config startup-config
OR
Switch# write memory (this method is no longer officially supported!)

SSH (Secure Shell)
Telnet is not secure! None of the communication is encrypted - it is all in clear text! We could use Wireshark to intercept packets and find out passwords etc...still difficult to do though as we would need to gain access to the path to the switch. SSH is secure and communication is encrypted...so it is the preferred method of remote working!
Uses keys...Eg. a website has a certificate with a public and private key. It hands us the public key so we can encrypt our session key! We then send our encrypted session data over the Internet to the website, which can decrypt the data using the private key!! The switch/router works in the same way with the RSA key pair we generate below...

1. Configure hostname
2. Configure domain name
   a. Switch(config)# ip domain-name nugget-lab.com
3. Generate encryption keys
   a. Switch(config)# crypto key generate rsa modulus 1024
4. Create local user accounts
   a. Switch(config)# username user secret cisco
5. Choose to allow telnet + SSH
   a. Switch(config)# line vty 0 15
   b. Switch(config-line)# transport input ssh telnet   (use 'transport input ssh' on its own to allow SSH only)
6. Enable local logins
   a. Switch(config-line)# login local

We then use an SSH client to connect eg. PuTTY.

Network Time Protocol (NTP) (04 November 2014, 15:51)

Each Cisco device has a clock! It's important that we have the correct time on the device as we sometimes have to check logs on the device and need to track certain events etc, and so time is important! Another practical use for having the correct time is when we look at running configurations...we can see the last time the config was edited and by whom!

We can set a Cisco device as an NTP server or client.

NTP Stratum - this is the measure of hops away from the time source.

1. To configure an NTP server
   a. R1# clock set 12:00:00 4 Nov 2014
   b. R1(config)# ntp master 3
      i. We simply set the time on the device, set the device as master and other devices will pull the time from this device! The number is the stratum number.
2. To configure an NTP client
   a. R2(config)# ntp server A.B.C.D
      i. We specify the IP address of the server. We can also just use Windows servers as the server.
      ii. We can use the 'prefer' keyword too if we want to set several time servers.

To verify NTP we can use the below commands...
- R2# show ntp status
  ○ This tells us which server the device is synchronized to.
- R2# show ntp associations
  ○ This tells us how many NTP servers we have configured for the device, which one is set as preferred/master, and info about these NTP servers.

Configuration Backups (23 October 2014, 10:31)

We can use TFTP to back up switch configs.

Creating a backup
1. Download and install TFTPD32 - freeware.
2. Ensure port 69 inbound is allowed on the PC firewall.
3. Ensure the Everyone group has access to the save file location in TFTPD32.
4. Switch# copy running-config tftp
5. Enter the IP address of the PC you are copying the config to.

Restoring a backup
1. Switch# copy tftp running-config

Make sure you are connected via Ethernet and the switch/router has an IP address...we may need to assign one before we restore the config (eg. assign the management IP of the switch).

Port Security (23 October 2014, 10:36)

BYOD - Bring Your Own Device
It is common for a user's laptop to have a virus/Trojan etc and potentially infect the network! Users bringing in these devices can also slow down the network/Internet!

Port Security allows us to restrict connections to the LAN in two ways...
- Number of MAC addresses allowed per port (stops a user plugging in a hub with multiple devices)
- What MAC address is allowed on a port (only allows users to plug in approved devices)

We can react in 3 ways if one of the above conditions is broken...
- Shutdown -> ERR-DISABLE - shuts down the port!
- Protect -> ignores any device whose MAC is not allowed
- Restrict -> same as Protect but adds info to the event logs

Restricting by number of MAC addresses allowed
We will configure a port to only allow 1 MAC address on the port...
Switch(config)# int fa0/14
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown (or protect/restrict)
Switch(config-if)# switchport port-security
  ○ This command turns on port security!!!
- We could set this number to 2 if we had a PC and an IP phone.

Restricting by MAC addresses
Switch(config-if)# switchport port-security mac-address sticky
- This will use the address of the currently connected device. If we then plug in another device then this will cause a violation! Instead of sticky we could just enter the MAC address (show mac address-table - we can find the MAC address here).

Useful Commands
Switch# show port-security
  ○ This will show us any ports with port-security enabled and any violations etc...
- If a port has been shut down, if we do a 'show ip int brief' the port status will show as ERR-DISABLE.
  ○ We then need to 'shutdown' and then 'no shutdown' the port to bring it back up!
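A model of the port-security behaviour described above (a per-port maximum, sticky learning or static addresses, and the shutdown/protect/restrict reactions, including the err-disable and recovery cycle) run over a constructed sequence of frames. This is an added example, not part of the notes or of Cisco IOS; MAC addresses are made up and the log text is descriptive rather than the real IOS message format.

```python
# Added example (not Cisco code): a model of port security as the notes
# describe it. Log lines are descriptive, not real IOS syslog messages;
# MAC addresses are constructed. Real IOS prints MACs as 0011.2233.4401.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # switchport port-security violation shutdown|protect|restrict
    sticky: bool = True              # switchport port-security mac-address sticky
    static: Set[str] = field(default_factory=set)    # switchport port-security mac-address <mac>
    learned: Set[str] = field(default_factory=set)   # addresses learned from traffic
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)

    @property
    def secure_table(self) -> Set[str]:
        """The addresses the port currently allows."""
        return self.static | self.learned

    def frame_from(self, mac: str) -> str:
        """Decision for a frame arriving with source MAC `mac`:
        'forwarded', 'dropped' or 'err-disabled'."""
        mac = mac.lower()
        if self.err_disabled:
            return "err-disabled"                  # port stays down until shut / no shut
        if mac in self.secure_table:
            return "forwarded"
        if len(self.secure_table) < self.maximum:
            self.learned.add(mac)                  # room left: learn it (kept in config if sticky)
            return "forwarded"
        # table is full and this MAC is not in it: a violation
        if self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True
            self.log.append(f"{self.name}: violation by {mac}, port put into err-disable")
            return "err-disabled"
        if self.violation == "restrict":
            self.violations += 1                   # restrict counts and logs; protect is silent
            self.log.append(f"{self.name}: violation by {mac}, frame dropped")
        return "dropped"

    def recover(self) -> None:
        """'shutdown' then 'no shutdown' on the interface, as the notes describe."""
        self.err_disabled = False

    def show_port_security(self) -> dict:
        return {"port": self.name, "maximum": self.maximum,
                "secure_addresses": len(self.secure_table),
                "violation_mode": self.violation, "violations": self.violations,
                "status": "err-disabled" if self.err_disabled else "secure-up"}

    def ios_commands(self) -> List[str]:
        """The interface configuration from the notes that this port models."""
        cmds = [f"interface {self.name}",
                " switchport mode access",
                f" switchport port-security maximum {self.maximum}",
                f" switchport port-security violation {self.violation}",
                " switchport port-security"]
        if self.sticky:
            cmds.append(" switchport port-security mac-address sticky")
            cmds += [f" switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        cmds += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        return cmds


if __name__ == "__main__":
    port = SecuredPort("fa0/14")                   # maximum 1, violation shutdown, sticky
    for mac in ["00:11:22:33:44:01", "00:11:22:33:44:01", "00:11:22:33:44:99"]:
        print(mac, "->", port.frame_from(mac))     # third MAC err-disables the port
    print(port.show_port_security())
    port.recover()
    print("after shut/no shut ->", port.frame_from("00:11:22:33:44:01"))
    print("\n".join(port.ios_commands()))
```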

Switching - Day to Day (23 October 2014, 10:59)

Network is slow...
It's common for users to complain that the network is slow!! This can be due to speed and duplex issues on the switch.

Switches are set to auto-detect speed and duplex, but with 100Mbps switches it is always best to hard code them! Most of the time auto-detect works fine...if both the switch interface and the PC network adapter are set to auto-detect.

Duplex Mismatch (causes Late Collisions!!!)
Network issues normally lie with 'duplex', where one side is set to full-duplex and the other side set to half-duplex - normally where the devices have been unable to auto-detect!! If a switch interface (100Mbps) fails to auto-detect then it will default to half-duplex!! This has been fixed in 1Gbps switches!!! This results in slow performance as packets drop and collide with high frequency. This is called a duplex mismatch. It is normally on routers/switches where we need to look at the config. To solve it we simply hard code both devices as full duplex.

100Mbps devices -> Hard code them!! Router, switch, server.
1000Mbps devices -> Auto (leave as auto-detect)

Speed and Duplex Config
Switch(config)# int fa0/1
Switch(config-if)# speed 100
Switch(config-if)# duplex full

NOTE - If we hard code either speed or duplex then we must hard code both of them!

On the Server/PC we would go into the Network Adapter settings -> Advanced, choose the Speed/Duplex option and set it there.

Troubleshooting slow networks
This is normally due to collisions on the network.
Switch# show interface fa0/14
- Here we can see the duplex/speed settings on that interface and confirm that it is set to 100Mbps and full etc.
- We can also see that the interface is up and the packets dropped/collisions!! We should never see collisions!!
- Collision - this happens within the first 32 bytes (should only occur on hubs in a half-duplex environment).
- Late Collision - this happens after 32 bytes - this is normally due to a duplex mismatch!!
- CRC errors - a CRC value is added to each frame to confirm integrity....CRC errors normally indicate a faulty network cable! Also when there is "excessive noise"!!

Finding devices
Ping the IP address of the device and then do an 'arp -a' command to find out its MAC address. We can then go to the switch and view the MAC address table:
Switch# show mac address-table | include <MAC address>

Extended Ping
If we type 'ping' and press enter we can then specify several other parameters. Eg. protocol, repeat count, timeout period, datagram size.

Page 23: Interconnecting Cisco Networking Devices - · PDF fileaddress and PC sends request for router to ... Routers sit at Layer 3 - Network. They look at IP ... If a router does not know
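The counters above are what we actually read off a switch, so here is an added example (not from the original notes) that parses a constructed, abridged "show interfaces" dump and applies the rules from this page: late collisions point at a duplex mismatch, collisions on a full-duplex port point at the far end, CRC errors point at the cable. The interface names, MAC addresses and counter values in SAMPLE are made up for illustration.

```python
import re

# Constructed, abridged Catalyst "show interfaces" output. The counters are
# invented to show one duplex mismatch, one bad cable and one healthy port.
SAMPLE = """\
FastEthernet0/14 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0019.e8c5.1a0e (bia 0019.e8c5.1a0e)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 812 collisions, 1 interface resets
     0 babbles, 377 late collision, 0 deferred
FastEthernet0/15 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0019.e8c5.1a0f (bia 0019.e8c5.1a0f)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     2093 input errors, 2093 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0019.e8c5.1a19 (bia 0019.e8c5.1a19)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

IFACE_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)")
DUPLEX_RE = re.compile(r"^\s+(Full|Half)-duplex, (\d+)Mb/s")
COUNTER_RE = re.compile(r"(\d+) (CRC|collisions|late collision)\b")


def parse_show_interfaces(text):
    """Return {name: {duplex, speed, CRC, collisions, late collision}}."""
    stats, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                                   # a new interface block starts
            cur = stats[m.group(1)] = {"duplex": None, "speed": None, "CRC": 0,
                                       "collisions": 0, "late collision": 0}
            continue
        if cur is None:
            continue
        m = DUPLEX_RE.match(line)
        if m:
            cur["duplex"], cur["speed"] = m.group(1), int(m.group(2))
        for value, name in COUNTER_RE.findall(line):
            cur[name] = int(value)
    return stats


def diagnose(stats):
    """Map each interface to the fault its counters point at, per the notes above."""
    verdicts = {}
    for name, s in stats.items():
        if s["late collision"] > 0:
            verdicts[name] = "duplex mismatch (late collisions); hard-code both ends"
        elif s["collisions"] > 0 and s["duplex"] == "Full":
            verdicts[name] = "collisions on a full-duplex port; check the far end"
        elif s["CRC"] > 0:
            verdicts[name] = "CRC errors; suspect the cable or noise"
        else:
            verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for iface, verdict in diagnose(parse_show_interfaces(SAMPLE)).items():
        print(f"{iface:20} {verdict}")
```

Feed it the output of show interfaces captured from a real switch (the counter line formats are the ones IOS prints) to get a first-pass verdict per port before walking the floor.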

VLAN's and Trunks (23 October 2014, 12:10)

A "Normal Switch"

- Multiple collision domains (e.g. a 24 port switch has 24 collision domains)
- One broadcast domain (including any switches which are daisy chained to it)
- One IP subnet for all of its hosts
  - E.g. 192.168.1.0/24
- One failure domain
- Limited security - every host can reach every other host at Layer 2

VLAN Foundations

- A VLAN logically groups users
  - It can separate one physical switch into separate logical networks
- It segments the broadcast domain
  - A broadcast is only flooded to ports in its own VLAN
- Offers subnet correlation - one IP subnet per VLAN
  - E.g. 192.168.1.0/24 and 192.168.2.0/24
- Access control - traffic between VLANs has to pass through a Layer 3 device, where it can be filtered
- Quality of service (QoS)
  - We can give one VLAN higher priority than another (e.g. voice)
- Can give us Layer 3 control - on a L3 switch!
- The switch adds a frame tag which identifies which VLAN ID the frame belongs to - these tags are carried over trunk links between switches
- VLAN's limit broadcast propagation!

Trunk Ports
A trunk carries all VLAN's (by default) and is used to connect switches together. Normally these are the 1Gbps ports.

Flexibility of VLAN's

- Can group devices together. E.g.
  - Servers in a VLAN
  - Computers in a VLAN
  - Phones in a VLAN
- Can separate buildings/offices into separate VLAN's
  - Feels good and reduces broadcast traffic!
- Can separate Ethernet and WiFi traffic
- Server virtualization. E.g.
  - We can set up a trunk on the interface connected to a server (e.g. the DHCP server)
  - The server can then communicate with all VLAN's and devices, which saves us having a server on each VLAN


VTP and 802.1Q (23 October 2014, 12:45)

Trunking

- Trunking is the ability to link multiple switches together and pass VLAN info between them. Aka tagging.
- Trunking places VLAN info into each frame: a 4 byte 802.1Q tag, of which 12 bits are the VLAN ID (so 4094 usable VLANs).
- 802.1Q is the standard used to tag frames with VLAN info.
- Trunking is a Layer 2 feature (Data Link).

Native VLAN
This is used to send frames between switches which are not tagged with VLAN info.

- E.g. Telnet, SSH and CDP traffic to the switch itself (management traffic, in VLAN 1 by default).

The native VLAN must match on connecting switches. By default the native VLAN is 1. If the native VLAN's on the two ends do not match we have a native VLAN mismatch (CDP logs %CDP-4-NATIVE_VLAN_MISMATCH). We could have a situation where VLAN 10 is the native VLAN on one switch and VLAN 20 is the native VLAN on the other. Untagged frames leaving the first switch as VLAN 10 arrive at the second switch and are placed in VLAN 20, so the two VLANs leak broadcasts (and unicasts) into each other. We configure the native VLAN on the trunk port. E.g. to change the native VLAN to VLAN 2...

switch(config)# int fa0/20
switch(config-if)# switchport trunk native vlan 2

Because the native VLAN is untagged, it is also the VLAN an attacker targets for VLAN hopping: keep user ports out of the native VLAN and use an otherwise unused VLAN as the native VLAN on trunks.

Note
802.1Q does not encapsulate Ethernet frames. Instead it inserts a 4 byte header after the destination and source MAC addresses (in front of the EtherType), and the FCS is recomputed.

VTP (VLAN Trunking Protocol)
VTP is actually not a trunking protocol... it should be called a VLAN discovery and replication protocol!! It replicates the VLAN database across all switches in a VTP domain. Be careful when connecting switches, as the VLAN database on every switch is replaced by the one with the highest configuration revision number!! Each time we make a VLAN change on a server the revision increases and the change is pushed to all other switches in the domain, clients and servers alike. VTP revisions survive config resets (write erase) because they live in vlan.dat, not in the startup config. VTP works through a common domain name (and optional password) on all switches.

**VTP is not recommended!!**

- This is because it can be easily misused and can cause serious network outages.
- For example we could accidentally connect a lab switch with a higher revision number to the live network and cause all production VLAN's to be deleted!!
- Always best to manually create VLAN's on each switch (VTP transparent mode, or vtp mode off where the IOS supports it).

VTP Modes

Server (default)
- Has the power to change VLAN info
- Sends and receives VTP updates
- Saves the VLAN config (vlan.dat)

Client
- Cannot change VLAN info - gets updates from the server
- Sends and receives VTP updates
- Does not save the VLAN config

Transparent (turns VTP off for this switch)
- Has the power to change VLAN info (locally only)
- Forwards (passes through) VTP updates
- Does not listen to VTP updates
- Saves the VLAN config

VLAN Pruning
This keeps unnecessary broadcast/flooded traffic from crossing trunk links. Traffic for a VLAN is only forwarded across a trunk if the switch on the other end has active ports in that VLAN.

- Pruning is enabled on a VTP server (vtp pruning) and propagates to the whole domain.
- Switches in transparent mode do not take part in pruning.

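To make the tagging and native VLAN points concrete, here is an added example (not part of the original notes) that builds an Ethernet II frame, inserts the 4 byte 802.1Q tag exactly where the note says (after the two MAC addresses), parses it back, and then reproduces the native VLAN mismatch: a frame that leaves one switch untagged as VLAN 10 is received by a switch whose native VLAN is 20. MAC addresses and payload are constructed; no FCS is modelled.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def mac(s):
    """'00:19:e8:c5:1a:0e' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload (FCS omitted)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan, native_vlan=1, pcp=0):
    """What a trunk port does on egress: insert the 4-byte tag after the two MAC
    addresses. Frames belonging to the native VLAN leave untagged."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (12-bit field; 0 and 4095 are reserved)")
    if vlan == native_vlan:
        return frame
    tci = (pcp << 13) | vlan     # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame, native_vlan=1):
    """What the receiving trunk port does: honour the tag if present, otherwise file the
    frame under *its own* native VLAN. That rule is what leaks traffic between VLANs
    when the native VLANs on the two ends differ."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, tagged, payload = tci & 0x0FFF, True, frame[18:]
    else:
        vlan, tagged, payload = native_vlan, False, frame[14:]
    return {"dst": dst, "src": src, "vlan": vlan, "tagged": tagged,
            "ethertype": ethertype, "payload": payload}


def native_mismatch_demo():
    """Switch A (native VLAN 10) sends a VLAN 10 frame untagged; switch B (native VLAN 20)
    receives it and places it in VLAN 20. Returns the VLAN switch B assigns."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:19:e8:c5:1a:0e", ETHERTYPE_IPV4,
                        b"\x45" + b"\x00" * 19)               # constructed IPv4 stub
    on_wire = tag_frame(frame, vlan=10, native_vlan=10)       # leaves switch A untagged
    return parse_frame(on_wire, native_vlan=20)["vlan"]       # switch B says: VLAN 20


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:19:e8:c5:1a:0e", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    print(tag_frame(f, 10)[12:18].hex(" "))   # 81 00 00 0a 08 00: tag then the real EtherType
    print("mismatch puts the frame in VLAN", native_mismatch_demo())
```

The 4 byte insertion is also why a tagged frame can reach 1522 bytes and why the switch has to recompute the FCS on every trunk hop.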

Configuring VLAN's (23 October 2014, 12:59)

Reminder - we use VLAN's to separate users and devices to reduce broadcast traffic.

1. Create VLAN's and name them
   a. Switch(config)# vlan 50
   b. Switch(config-vlan)# name SERVERS
   c. Switch# show vlan brief
      i. This gives a breakdown of all VLAN's and which ports are in each
2. Assign ports to VLAN's
   a. Switch(config)# int fa0/10
   b. Switch(config-if)# switchport mode access
   c. Switch(config-if)# switchport access vlan 50
      i. Note: a VLAN interface (interface vlan 50) will show as down in show ip int brief if there are no active ports in that VLAN

Useful command
Switch# show vlan id 50
We can also use the show vlan id x command to tell us which ports are assigned to that VLAN.

VLANs = IP subnet = broadcast domain

Note - VLAN's are stored in a database called vlan.dat in flash. The database survives a write erase, and so to completely wipe a switch we need to run the below...

- erase startup-config
- delete vlan.dat
- reload

VLAN Interfaces
On L3 switches we can create VLAN interfaces (SVIs) for each VLAN so they can communicate without a router.

- Switch(config)# int vlan 50
- Switch(config-if)# ip address 10.1.50.10 255.255.255.0
- Switch(config-if)# no shutdown

Remember - each VLAN is a different network/subnet and we need a L3 device to be able to route between them. On an L3 switch we also need ip routing in global config; without it the SVIs only give us management access.

We could now set the above IP as the default gateway of a PC in VLAN 50. This has to be an L3 switch.

Configuring VLAN's on Multiple Switches (using VTP)

1. Set the VTP name, mode and password
   a. First we need to disable dynamic mode on all ports to stop them trying to become a trunk
      i. Switch(config)# int range fa0/1 - 24   (every port on the switch; adjust the range to the model)
      ii. Switch(config-if-range)# switchport mode access
   b. Now we set the name and mode
      i. Switch(config)# vtp domain CBT
      ii. Switch(config)# vtp mode server
      iii. Switch(config)# vtp password cisco
2. Configure trunk ports
   a. Switch(config)# int fa0/1
   b. Switch(config-if)# switchport mode trunk
3. Create VLANs and name them - see previous!
4. Assign ports to VLANs - see previous!

NOTE
- Transparent mode disables VTP on that switch.
- A switch with no VTP domain configured adopts the first domain name it hears over a trunk and downloads that domain's VLAN's, and DTP will happily form the trunk for it - that is why it is important we disable dynamic mode on each port!
- Best practice is not to use VTP and to create VLANs manually on each switch!!
- To turn off trunking... use the switchport mode access command!!!

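The VTP revision rule from the two pages above is the thing to understand before plugging any switch into a domain, so here is an added simulation (not from the original notes) of server, client and transparent behaviour with the same domain name and password the notes use (CBT / cisco). It plays out the exact outage described: a lab switch at revision 50 joins a production domain sitting at revision 12 and overwrites every VLAN, and then shows that a transparent switch is not affected. Switch names, VLAN names and revision numbers are invented for the scenario.

```python
from dataclasses import dataclass, field


@dataclass
class Advert:
    domain: str
    password: str
    revision: int
    vlans: dict                      # vlan id -> name


@dataclass
class Switch:
    name: str
    mode: str = "server"             # server | client | transparent
    domain: str = ""                 # "" = null domain: adopts the first domain it hears
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    neighbours: list = field(default_factory=list)

    def add_vlan(self, vid, name):
        """A local VLAN change. Only a server bumps the revision and advertises it."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot change VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
            self.advertise()

    def advertise(self):
        adv = Advert(self.domain, self.password, self.revision, dict(self.vlans))
        for n in self.neighbours:
            n.receive(adv, sender=self)

    def receive(self, adv, sender):
        if self.mode == "transparent":
            self._forward(adv, sender)           # passes through, never applied locally
            return
        if self.domain == "":
            self.domain = adv.domain             # null domain: join whatever we hear
        if adv.domain != self.domain or adv.password != self.password:
            return                               # wrong domain or password: ignored
        if adv.revision > self.revision:         # the dangerous rule: highest rev wins
            self.vlans = dict(adv.vlans)
            self.revision = adv.revision
            self._forward(adv, sender)

    def _forward(self, adv, sender):
        for n in self.neighbours:
            if n is not sender:
                n.receive(adv, sender=self)


def connect(a, b):
    a.neighbours.append(b)
    b.neighbours.append(a)


def lab_switch_outage():
    """Production (core server + access client) is at rev 12 with VLANs 10 and 20. A lab
    switch at rev 50 holding only VLAN 99 is cabled in with the same domain/password."""
    core = Switch("core", domain="CBT", password="cisco", revision=12,
                  vlans={1: "default", 10: "USERS", 20: "SERVERS"})
    access = Switch("access", mode="client", domain="CBT", password="cisco",
                    revision=12, vlans=dict(core.vlans))
    connect(core, access)
    lab = Switch("lab", domain="CBT", password="cisco", revision=50,
                 vlans={1: "default", 99: "LAB"})
    connect(lab, access)
    lab.advertise()                              # trunk comes up, summary advert sent
    return core, access, lab


def transparent_is_safe():
    """Same lab switch against a core in transparent mode: nothing is overwritten."""
    core = Switch("core", mode="transparent", domain="CBT", password="cisco",
                  vlans={1: "default", 10: "USERS"})
    lab = Switch("lab", domain="CBT", password="cisco", revision=50,
                 vlans={1: "default", 99: "LAB"})
    connect(core, lab)
    lab.advertise()
    return core


if __name__ == "__main__":
    core, access, lab = lab_switch_outage()
    print("core VLANs after the lab switch joined:", core.vlans, "rev", core.revision)
    print("transparent core VLANs:", transparent_is_safe().vlans)
```

The password does not help here because the lab switch has the same one; the only real protections are transparent/off mode or resetting the revision (change the domain name, or switch the lab box to transparent and back) before connecting it.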

Dynamic Trunking Protocol (DTP) (03 November 2014, 09:10)

Dynamic Trunking Protocol negotiates the creation of trunks between two switches. When the two connected ports are in dynamic mode and at least one of them is 'desirable', the two switches will form a trunk across the link (auto + auto never trunks).

- Switch(config-if)# switchport mode dynamic desirable/auto

DTP is enabled by default on all modern Catalyst switches (the default is dynamic auto or dynamic desirable depending on the platform). This is bad design, as any port could form a trunk: a host that sends DTP frames claiming to be a switch can negotiate a trunk and then reach every VLAN (VLAN hopping by switch spoofing).

The best thing is to disable DTP!!

Configure all ports as access ports. We can then configure any trunk ports explicitly as we need them, which is best practice...

- Switch(config-if-range)# switchport mode access

However, even when a port is statically configured as an access port as above, DTP frames are still sent on the port. If we set up a trunk between two switches in different VTP domains we would get the below error...

%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.

DTP advertisements include the VTP domain name, and so a negotiated trunk will not form if the VTP domain names differ. We can kill DTP once and for all with the below command...

- Switch(config-if)# switchport nonegotiate

This prevents DTP packets from being sent. It is only accepted on a port in mode access or mode trunk; combine it with switchport mode trunk on the links that really should be trunks.


Routing Overview (23 October 2014, 13:23)

Routing is the process of moving IP packets between IP-based networks.

- E.g. move data between two networks via a Cisco router
  - Two different networks
  - 192.168.1.0/24 and 192.168.2.0/24
- Packets not destined for a host's own network are sent to its default gateway!
- When a packet is sent for an outside network it is sent to the router (the default gateway).
- The router looks at the packet, sees that it is not for itself (by destination IP address) and then looks at its routing table.
- It knows where to forward the packet next due to the routes stored in its table (static, OSPF, default route etc.).

Note
When packets go over a serial data link (across a WAN) there are no source and destination MAC addresses. The serial link uses HDLC or PPP framing instead. Cisco HDLC carries a type field in its header so the receiving device can see which protocol is encapsulated. At every hop the router strips the incoming Layer 2 header and adds a new Layer 2 header for the outgoing link towards the next hop.

Routers

- CEF (Cisco Express Forwarding) - software based on these routers (not ASIC based like switches), but very fast and powerful
- Not as fast as switches!!
- IOS is the brain-power behind the routing process
- A popular model is the 2800 series
- Normally 1U - takes up 1 space in a rack
- Normally has 2 Ethernet interfaces
- WIC - WAN Interface Card, to receive the Internet line from the outside
- The light blue port is the console port

Process Switching / Fast Switching / CEF

- Process switching requires the CPU to be personally involved in every forwarding/routing decision. It is like doing maths long hand! You have to work out the route for every packet.
- Fast switching still uses the CPU, but once a packet has been forwarded it stores how to reach that destination in a fast-switching cache. When another packet goes to the same destination the cache is used, so the processor does not have to re-compute the route.
- Cisco Express Forwarding (CEF) is the evolution of optimizing the router to forward more packets faster. CEF builds a Forwarding Information Base (FIB), a pre-computed copy of the routing table, plus an adjacency table holding the Layer 2 next hop information. CEF is like having programmed an Excel spreadsheet: as soon as the numbers hit the cells, the answer is already calculated!

Base Config of a Router

SAME AS SWITCH CONFIG!!

- Set hostname, console password etc.
- However, all interfaces are shut down by default - remember to use 'no shutdown'
- The number of vty (telnet/SSH) lines differs between platforms - check line vty, and prefer SSH to telnet
- Set IP address for interface/interfaces
  - E.g. the interface facing the Internet and the interface facing our own network will both need IP addresses assigning.
- Set default route (0.0.0.0)
  - ip route 0.0.0.0 0.0.0.0 fa0/1
  - This sends any traffic we don't have a route for towards the Internet... let our ISP router find the route!
  - On an Ethernet interface give the next-hop IP address as well (ip route 0.0.0.0 0.0.0.0 fa0/1 A.B.C.D); a route pointing only at a broadcast interface relies on the ISP router answering proxy ARP for every destination.

Configuring a Loopback Interface
Loopback interfaces are very common on Cisco routers as they give a stable address for management, logging, routing protocol router IDs and authentication. They are logical interfaces that are 'always up'. They are not tied to any physical interface and therefore cannot go down unless they are administratively shut down.

- R1(config)# interface loopback 1
- R1(config-if)# ip address A.B.C.D 255.255.255.0

We can use 'no interface loopback 1' to remove the interface.


Routing Data Between VLAN's (23 October 2014, 14:55)

- VLAN's are a L2 feature
- Hosts on different VLAN's cannot speak directly without a L3 device!
- ... this is where the router comes in!

Option 1 - Using separate interfaces
We can have the router connected to ports on the switch which are assigned to each VLAN. This is not used anymore: if we had 10 VLANs on a switch we would need 10 physical connections from the router to the switch, which is just not practical.

Option 2 - Using a single interface and a trunk port
This is called router-on-a-stick. We have 1 physical connection from the router to the switch. We create sub-interfaces on the router, one for each VLAN, and set the port on the switch connecting to the router as a trunk port.

Example
We have 1 router, 1 switch, 2 VLAN's (VLAN10, VLAN20)

1. Create a sub-interface on the router for each VLAN
   - Router(config)# int fa0/0.10
2. Set the encapsulation to dot1q so the sub-interface accepts VLAN 10 tagged traffic in this case (must be done before the IP address)
   - Router(config-if)# encapsulation dot1q 10
3. Set the IP address of the sub-interface (in the same range as all the PC's in the VLAN; this becomes their default gateway)
   - Router(config-if)# ip address 10.1.1.100 255.255.255.0
4. Set the interface on the switch to a trunk port
   - Switch(config-if)# switchport mode trunk
   - Switch(config-if)# switchport trunk allowed vlan 1,10,20

We would then need to do the same for VLAN20 (int fa0/0.20, encapsulation dot1q 20, its own IP address)!
NOTE: Make sure you do a "no shutdown" on the physical interface too!! E.g. fa0/0. The sub-interface number (.10) is only a label; the encapsulation dot1q line is what binds it to VLAN 10.

Option 3 - Layer 3 Switch
A Layer 3 switch can route between IP subnets and so removes the need for a router! The switch does all of the routing. We simply create an SVI for each VLAN on the switch (like we did for the management VLAN) and assign a suitable IP address!

Cisco 3550 is an example of a L3 switch.

This option is much faster than router-on-a-stick as it has ASIC (Application Specific Integrated Circuit) support - it routes at wire speed.

VLAN Routing on Layer 3 Switch (03 November 2014, 09:18)

Not much different here.

1. Create the VLANs and VLAN interfaces (SVI - Switch Virtual Interface) on the L3 switch, and enable ip routing globally. All client PC's in each VLAN use their VLAN interface IP address as the default gateway.
2. Then create a default route (ip route 0.0.0.0 0.0.0.0 <router IP>) pointing at the router's connected interface. Make sure we have an interface configured for the connection from the L3 switch to the router: use the no switchport command on the switch interface facing the router to turn it into a routed (Layer 3) port and give it an IP address.

See below for more info...

http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html


Configure Router as DHCP Server (23 October 2014, 16:49)

1. Create DHCP pools...
   a. Router(config)# ip dhcp pool SALES
   b. Router(dhcp-config)# network 192.168.20.0 255.255.255.0
   c. Router(dhcp-config)# default-router 192.168.20.1
   d. Router(dhcp-config)# lease 7 0 0

So... we would have the SALES VLAN 20 configured on a switch, and an interface configured on the router with IP address 192.168.20.1 255.255.255.0 (or we would use a L3 switch with VLAN interfaces configured). The router picks the pool whose network matches the interface the request arrived on. The lease command defines how long the assignment lasts before the client has to renew or the router can reassign the IP address (lease days hours minutes). The command is optional... the default lease is 1 day.

We can also set the DNS server with the dns-server A.B.C.D command.

Any PC connected to a port in VLAN 20 would pick up an IP in the 192.168.20.xx range!! If the DHCP server is not on the client's VLAN, the client-facing interface needs ip helper-address <server IP> to relay the broadcasts to it.

Excluded Addresses
We can exclude addresses so that they are not handed out by any DHCP pool (it is a global command, not per pool).

- Router(config)# ip dhcp excluded-address 192.168.20.10 192.168.20.20
  - This excludes every address in the range 192.168.20.10 - 192.168.20.20!

DHCP process (DORA!)

1. The client sends a Discover message (broadcast).
2. The server sends an Offer message.
3. The client sends a Request message.
4. The server sends an Acknowledgment message.


External Authentication Methods (12 November 2014, 13:54)

We can use a server that routers and switches authenticate logons against. This provides a central user directory, authentication auditing and access control... it is much easier to manage. We can use either a RADIUS or a TACACS+ server.

RADIUS server

- Uses UDP (ports 1812/1813; 1645/1646 on older deployments)
- Encrypts (obfuscates) only the password attribute during transmission; the username and everything else travel in the clear
- Combines authentication and authorization in one exchange
- Is an open standard (RFC 2865) and more interoperable than TACACS+
- Uses less memory and CPU cycles on routers
- Offers interoperability... it is supported by everyone!
- Excellent performance - very light on routers and switches

TACACS+ server

- Uses TCP (port 49)
- Encrypts the entire packet body
- Separates Authentication, Authorization and Accounting (so it can authorize individual commands)
- Cisco-proprietary in origin, so mostly found on Cisco kit (other vendors do implement it)
- Uses more memory than RADIUS
- Offers excellent security - more secure than RADIUS as the whole session is encrypted
- Flexibility - TCP is more flexible than UDP, and TACACS+ can do much more in advanced networks

Most enterprise networks use RADIUS for user/network access as it is light on routers/switches and everything supports it; TACACS+ is the usual choice for device administration, where per-command authorization matters. Either way the shared secret between the device and the server is all that protects the exchange, so keep it long and random and keep the AAA traffic on a management network.

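"Encrypts only the password" is worth seeing in code. The added example below (my illustration, not from the notes) implements the RFC 2865 section 5.2 User-Password hiding that RADIUS uses: the password is XORed with MD5(shared secret + Request Authenticator), block by block, and the server reverses it with the same secret. The final function shows the practical consequence: with a captured Access-Request and a known password, a weak shared secret falls to a wordlist offline. The secret, authenticator and password are constructed values.

```python
import hashlib


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16, then for each 16-byte
    block c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                     # chaining: next block keys off this ciphertext
    return out


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The server side (or anyone who holds the shared secret) reverses the XOR."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")       # strip the NUL padding


def guess_secret(hidden: bytes, known_password: bytes, authenticator: bytes, candidates):
    """Offline attack on a weak shared secret: try each candidate until the recovered
    password matches. Everything needed is in one captured Access-Request."""
    for s in candidates:
        if radius_unhide_password(hidden, s, authenticator) == known_password:
            return s
    return None


def demo():
    secret = b"cisco"                                  # constructed (weak!) shared secret
    ra = bytes(range(16))                              # constructed Request Authenticator;
                                                       # real clients use 16 random bytes
    password = b"Pa55word-that-is-longer-than-16"      # 31 bytes -> two 16-byte blocks
    hidden = radius_hide_password(password, secret, ra)
    recovered = radius_unhide_password(hidden, secret, ra)
    wrong = radius_unhide_password(hidden, b"wrong-secret", ra)
    return hidden, recovered, wrong


if __name__ == "__main__":
    hidden, recovered, wrong = demo()
    print("hidden   :", hidden.hex())
    print("recovered:", recovered)
    print("wrong key:", wrong)
    print("guessed  :", guess_secret(hidden, recovered, bytes(range(16)),
                                     [b"radius", b"secret", b"cisco"]))
```

Note that nothing here authenticates the request itself; the Request Authenticator is random, not a MAC, and the username, NAS address and other attributes are visible to anyone on the path. That is the gap TACACS+ closes by encrypting the whole body, and why RADIUS traffic belongs on a separate management network.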

IP Subnetting (23 October 2014, 16:54)

Binary basics

- An IPv4 address is a 4 octet address
- Class A, B, C default masks:
  A = 255.0.0.0
  B = 255.255.0.0
  C = 255.255.255.0
- 8 bits in a byte, with the place values below...
  128 64 32 16 8 4 2 1
- A bit is a 1 or 0... on or off!!

Subnetting based on number of networks

Example 1
Class C: 195.5.20.0
Need: 50 networks

1. Determine the number of networks and convert to binary
   a. 50 = 00110010 = 6 bits
2. Reserve (borrow) that many bits in the subnet mask and find the increment
   a. 255.255.255.0 = 11111111.11111111.11111111.00000000 -> 11111111.11111111.11111111.11111100 = 255.255.255.252 = /30
   b. The increment is the lowest network bit = 4
3. Use the increment to find the network ranges
   a. 195.5.20.0 -> 195.5.20.3
      195.5.20.4 -> 195.5.20.7
      195.5.20.8 -> 195.5.20.11
      195.5.20.12 -> 195.5.20.15
      ...
4. Networks = 2^6 = 64, hosts per network = 2^2 - 2 = 2

Example 2
Class A: 10.0.0.0
Need: 1000 networks

1. Determine the number of networks and convert to binary
   a. 1000 = 11 11101000 = 10 bits
2. Reserve bits in the subnet mask and find the increment
   a. 255.0.0.0 = 11111111.00000000.00000000.00000000 -> 11111111.11111111.11000000.00000000 = 255.255.192.0 = /18
   b. The increment is the lowest network bit = 64 (in the third octet)
3. Use the increment to find the network ranges
   a. 10.0.0.0 -> 10.0.63.255
      10.0.64.0 -> 10.0.127.255
      10.0.128.0 -> 10.0.191.255
      10.0.192.0 -> 10.0.255.255
      10.1.0.0 -> 10.1.63.255
      10.1.64.0 -> 10.1.127.255
      10.1.128.0 -> 10.1.191.255
      ...
4. Networks = 2^10 = 1024, hosts per network = 2^14 - 2 = 16,382

Subnetting based on host requirements
Same as before, but this time we keep the host bits as zeros (count from the right hand side)!!

Example 1
Class C: 216.21.5.0
Hosts: 30 per network

1. Determine the number of hosts and convert to binary (remember the network and broadcast addresses: 30 hosts need 32 addresses)
   a. 30 = 00011110 = 5 bits
2. Keep those host bits as zeros in the subnet mask and find the increment
   a. 255.255.255.0 -> 255.255.255.11100000 = 255.255.255.224 = /27
   b. The increment is the lowest network bit = 32
3. Use the increment to find the network ranges
   a. 216.21.5.0 -> 216.21.5.31
      216.21.5.32 -> 216.21.5.63
      216.21.5.64 -> 216.21.5.95
      216.21.5.96 -> 216.21.5.127
      216.21.5.128 -> 216.21.5.159
      ...
4. Hosts = 32 - 2 = 30, networks = 2^3 = 8

Subnet Zero
You may have noticed the ip subnet-zero command in the running config. The subnet zero (or zero subnet) is the first subnet of a subnetted network; old IOS versions would not let you use it.

E.g. Class B: 172.16.0.0. Need 50 hosts per network.

1. Hosts = 50 = 00110010 = 6 bits
2. Subnet mask = 255.255.255.11000000 = 255.255.255.192 = /26, increment = 64
3. Ranges...
   a. 172.16.0.0 -> 172.16.0.63
   b. 172.16.0.64 -> 172.16.0.127
   c. 172.16.0.128 -> 172.16.0.191
   d. 172.16.0.192 -> 172.16.0.255
   ...

The first subnet (172.16.0.0/26) would be subnet zero.


VLSM - Variable Length Subnet Masking (24 October 2014, 13:52)

We can use several different subnet masks if we need several networks of different sizes. We do this exactly the same way as before, except we work out the subnet mask for the biggest network first (by number of hosts) and then the next biggest, and so on.

Example
Network ID: 192.168.1.0/24
Number of networks = 3
Hosts per network = 60, 30, 20

Start with the largest subnet first... then work your way down in host size.

So... the biggest network here is 60.

1. 60 = 00111100 = 6 host bits
2. 255.255.255.0 -> 255.255.255.11000000 = 255.255.255.192 = /26
   a. Increment = 64
3. Inc = 64, so the range for this network is...
   192.168.1.0 -> 192.168.1.63
   Hosts = 2^6 - 2 = 62 (a /26 used everywhere would give 2^2 = 4 networks)

The next biggest network is 30...

1. 30 = 00011110 = 5 host bits
2. 255.255.255.0 -> 255.255.255.11100000 = 255.255.255.224 = /27
   a. Inc = 32
3. Inc = 32, so the range for this network is... remember to carry on from where the 1st network ended...
   192.168.1.64 -> 192.168.1.95
   Hosts = 2^5 - 2 = 30

The next biggest network is 20...

1. 20 = 00010100 = 5 host bits
2. 255.255.255.0 -> 255.255.255.11100000 = 255.255.255.224 = /27
   a. Increment = 32
3. Inc = 32, so the range for this network is... remember to carry on from where the 2nd network ended...
   192.168.1.96 -> 192.168.1.127
   Hosts = 2^5 - 2 = 30

NOTE: Variable Length Subnet Masks allow us to make more efficient use of the available IP addresses. Each subnet has to start on a multiple of its own increment; working largest-first guarantees that.

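The hand method from the two subnetting pages and the VLSM page above is mechanical enough to code, and coding it is a good way to check your exam answers. The added example below (mine, not from the notes) does all three calculations with the standard library ipaddress module: subnet by number of networks, subnet by hosts per network, and a largest-first VLSM allocator that also hands back the unused pieces. It goes slightly beyond the notes in that it accepts any starting block, not only a classful one.

```python
import ipaddress


def host_bits_needed(hosts):
    """Smallest h with 2**h - 2 >= hosts (leave room for network and broadcast).
    30 hosts -> 5 bits, 50 hosts -> 6 bits."""
    h = 1
    while (1 << h) - 2 < hosts:
        h += 1
    return h


def subnet_by_networks(block, networks):
    """Borrow the fewest bits that give at least `networks` subnets of `block`.
    50 networks -> 6 bits (64 subnets), 1000 networks -> 10 bits (1024 subnets)."""
    block = ipaddress.ip_network(block)
    bits = max(1, (networks - 1).bit_length())       # bits to count 0..networks-1
    return list(block.subnets(prefixlen_diff=bits))


def subnet_by_hosts(block, hosts):
    """Keep enough host bits as zeros for `hosts` usable addresses per subnet."""
    block = ipaddress.ip_network(block)
    return list(block.subnets(new_prefix=32 - host_bits_needed(hosts)))


def describe(net):
    """'first -> last' range plus usable host count, as written in the notes."""
    return f"{net.network_address} -> {net.broadcast_address}", net.num_addresses - 2


def vlsm(block, host_counts):
    """Largest-first VLSM: carve one subnet per requirement out of the free space.
    Returns [(hosts_requested, subnet)] in allocation order; leftover space stays free."""
    remaining = [ipaddress.ip_network(block)]        # free blocks, lowest address first
    result = []
    for need in sorted(host_counts, reverse=True):
        prefix = 32 - host_bits_needed(need)
        for free in sorted(remaining):
            if free.prefixlen <= prefix:             # this free block is big enough
                remaining.remove(free)
                pieces = list(free.subnets(new_prefix=prefix))
                result.append((need, pieces[0]))      # take the lowest piece
                remaining.extend(pieces[1:])          # siblings go back to the pool
                break
        else:
            raise ValueError(f"no room left for a subnet of {need} hosts")
    return result


if __name__ == "__main__":
    for need, net in vlsm("192.168.1.0/24", [60, 30, 20]):
        rng, usable = describe(net)
        print(f"{need:>3} hosts -> {net}  {rng}  ({usable} usable)")
    print(len(subnet_by_networks("10.0.0.0/8", 1000)), "subnets of /18")
```

Run the VLSM allocator on the worked example and it reproduces 192.168.1.0/26, 192.168.1.64/27 and 192.168.1.96/27; the remaining /26 and /27 are left free for later growth, which is the real point of VLSM.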

Routing and Static Routes (27 October 2014, 12:06)

Purpose of Routing

- Stopping broadcasts - helps reduce traffic (e.g. DHCP requests and ARP requests stay inside their own subnet)
- Find the best possible path to a destination
- Move unicast traffic between networks
  - Allows PC's on different subnets to communicate (via the router)

Static Routing

Routers have no routing config out of the box!! They only know the networks configured on their own interfaces (connected routes). Each router has to have each network defined on an interface to be able to talk back and forth.

Static routes allow us to "educate" the router about new places. E.g. we can tell a router how to reach a subnet which is not configured on any of its interfaces.

A default route acts as a "catch-all"... it sends any traffic the router does not have a route for to the next hop, typically towards the Internet.

RULE - the more specific a route is (the longer its prefix), the better... it will be chosen first!!

Example

1. Router(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2
2. Router(config)# ip route 0.0.0.0 0.0.0.0 68.25.121.199

For a packet to, say, 192.168.3.50, route 1 would be chosen by the router as it is more specific: its /24 mask matches more bits of the destination than the /0 default route. The longest matching prefix in the routing table always takes precedence.

USEFUL COMMAND

- show ip route
  - This shows every network the router knows how to reach, and how it learned each one.

Configure a Static Route

- R1(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2
  (destination network, subnet mask, next-hop IP = the address of the neighbouring router's interface)
- R2(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.1
  (destination network, subnet mask, next-hop IP = the address of the neighbouring router's interface)

Static routes are good for small networks with a couple of offices. They don't work so well for larger networks, as there are more routers and networks involved and they would require lots of config on each router!


Routing Protocols (27 October 2014, 12:30)

Routing protocols allow routers to tell connected routers about the routes they know!

- "Tell your friend what you know!!"
- Each router in a network tells the other routers about its networks.

They are/offer...

- Dynamic - automatically build the routing table
- Redundancy - can have several routes in case a path is lost... failover automatically
- Best path - based on the protocol used they automatically determine the best path (they use a metric)

Link State vs Distance Vector protocols...
Distance vector protocols simply use the shortest route (fewest hops) to the destination regardless of the connection speed. Link state protocols track the state and bandwidth of each link and choose the fastest route. Link state protocols require more processing power and memory on the router because they build a full topology table. They converge quickly. Distance vector protocols simply update the local routing table when updates are received from their neighbours ("routing by rumour").

RIP

- Distance vector protocol
- Like a Fiat Punto!! Not fast!!
- Sends its whole routing table to its neighbours every 30 secs... not efficient!
  - Default update interval is 30 secs
- Invalid timer - 180 secs (a route not refreshed for 180 secs is marked unreachable)
- Metric - best path - uses hop count - number of routers - maximum 15 - not efficient!!
- Inefficient as it keeps sending the full routing table even if there has been no change!
- The only pro is that all devices support it!
- RIPng for IPv6

IGRP

- Cisco created it to replace RIP
- Now obsolete: updates every 90 secs and the invalid timer is 270 secs!!
- THIS PROTOCOL CAN BE IGNORED!!

OSPF

- Open Shortest Path First
- Link state routing protocol
- Most popular routing protocol
- Like a Corvette!! Does routing very well!!
- Uses Dijkstra's algorithm!
- Maintains a topology map
- After the initial exchange it only sends "hello" packets to each neighbour instead of the whole routing table... if the topology changes it tells its neighbours about the change only... it is efficient!!
- Default hello is 10 secs (on Ethernet)
- Metric: cost = reference bandwidth / interface bandwidth <- prefers the fastest links!
  - Default reference bandwidth is 100 Mbps. E.g. a T1: 100 / 1.544 = 64.77, truncated to a cost of 64; a 100 Mbps link costs 1
  - Uses the route with the lowest total cost!!!
- OSPFv2 for IPv4
- OSPFv3 for IPv6

IS-IS

- Like a 1967 Corvette!!
- Was a competitor to OSPF - designed for OSI (CLNS)!!
  - OSPF won as it was designed for TCP/IP
- Excellent protocol!!
- Rarely used outside ISPs... requires expertise!!

EIGRP

- Like a Ferrari!!
- Very fast protocol... but uncommon outside Cisco shops.
- Created by Cisco for Cisco... easy to configure.
- Metric - uses bandwidth and delay by default; can also include reliability, load and MTU... weighted by the 'K' values.

BGP

- Border Gateway Protocol
- Like a Hummer!! Not fast but very robust!!
- Used for the Internet
- Handles hundreds of thousands of routes
- Not for LAN's... used in ISP's and at the Internet edge of enterprises

NOTE:
We can use a mixture of protocols in our network... if a router has learned the same route via different protocols then administrative distance is used to pick one. This tells us how believable the routing protocol is (lower is better).

Administrative Distances
Each protocol has an administrative distance to tell us how believable it is!

RIP 120
IS-IS 115
OSPF 110
EIGRP 90 (internal; 170 for external routes)
BGP 20 (eBGP; 200 for iBGP)
Static route 1
Connected interface 0


Configuring OSPF (27 October 2014, 16:10)

How to get OSPF working...

On Router 1

1. Turn on OSPF
   a. R1(config)# router ospf 1
      i. The 1 is the Process ID (1-65535)... just use 1! The process ID is just the same as on Windows... each program has an ID so we can kill it via task manager etc. It does not need to match other routers and only has local significance.
2. Tell it what interfaces to use and what networks to advertise... the network command does both things!!!!
   a. R1(config-router)# network 192.168.2.0 0.0.0.255 area 0
      i. BUT IT IS BETTER TO DEFINE THE EXACT INTERFACE IP...
      1) R1(config-router)# network 192.168.2.1 0.0.0.0 area 0

   The wildcard bits tell us to "ignore the zeros and look at the ones!!" (a 0 bit means "must match", a 1 bit means "don't care": the inverse of a subnet mask). Either command above turns on "hello" packets on the interface in 192.168.2.0/24 and also advertises the 192.168.2.0 network to its neighbours!

   Best practice is to define the exact IP address of the interface we want to send hello packets on (wildcard 0.0.0.0), so a later interface cannot join OSPF by accident.

   Areas must match on both ends of a link. Areas group routers so the topology database stays small: routes from one area can be summarized at the area border (e.g. 192.168.0.0/16 instead of 192.168.1.0/24 and 192.168.2.0/24). Start with everything in area 0 (the backbone).

On Router 2

1. Turn on OSPF
   a. R2(config)# router ospf 1
2. Tell it what interfaces to use
   a. R2(config-router)# network 192.168.2.2 0.0.0.0 area 0

HOWEVER... still more to do... each router above already knows about its own LAN network (192.168.1.0 on R1, 192.168.3.0 on R2) as it is directly connected, but it is not yet telling the other router about it!!

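The wildcard rule ("ignore the zeros, look at the ones" is a memory aid; the bits are the inverse of a subnet mask) is easy to get backwards, so here is an added example (not from the notes) that implements the match an OSPF network statement performs and applies a small set of statements to the interfaces of the R1 in this lab. The interface names and the loopback address are assumed for the demonstration; the 192.168.x addresses are the ones the notes use.

```python
import ipaddress


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(interface_ip, network, wildcard):
    """OSPF 'network <net> <wildcard>' test: every bit that is 0 in the wildcard must be
    identical in the interface address and the network address; 1 bits are ignored."""
    care = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(interface_ip) & care) == (_as_int(network) & care)


def mask_to_wildcard(mask):
    """255.255.255.0 -> 0.0.0.255 : a wildcard is the bitwise inverse of a subnet mask."""
    return str(ipaddress.IPv4Address(_as_int(mask) ^ 0xFFFFFFFF))


def ospf_enabled_interfaces(interfaces, network_statements):
    """Return {interface: area} for every interface some statement matches.
    IOS applies the most specific statement when several overlap; we mimic that by
    trying statements with the fewest wildcard 1-bits first."""
    ordered = sorted(network_statements,
                     key=lambda s: bin(_as_int(s[1])).count("1"))
    result = {}
    for name, ip in interfaces.items():
        for net, wc, area in ordered:
            if wildcard_matches(ip, net, wc):
                result[name] = area
                break                                   # first (most specific) hit wins
    return result


# Assumed R1 interfaces for the demo: fa0/1 faces R2, fa0/0 is the LAN, lo0 is made up.
R1_INTERFACES = {"fa0/0": "192.168.1.1", "fa0/1": "192.168.2.1", "lo0": "10.9.9.1"}

# The two styles from the notes: a broad /24-style statement and an exact-interface one.
R1_NETWORK_STATEMENTS = [
    ("192.168.2.1", "0.0.0.0", 0),      # exact interface IP: only fa0/1
    ("192.168.0.0", "0.0.255.255", 1),  # anything in 192.168.x.x (would catch fa0/0 too)
]

if __name__ == "__main__":
    print(ospf_enabled_interfaces(R1_INTERFACES, R1_NETWORK_STATEMENTS))
    print("192.168.2.0 0.0.0.255 matches 192.168.2.1:",
          wildcard_matches("192.168.2.1", "192.168.2.0", "0.0.0.255"))
    print("wildcard for /24:", mask_to_wildcard("255.255.255.0"))
```

The second statement is deliberately broad to show why the notes prefer the exact-IP form: it silently enables OSPF (and hellos) on the LAN interface as well, which the passive-interface step below then has to undo.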

interfaces!!We need to advertise the 192.168.1.0 network on R1 and the 192.168.3.0 network on R2. You will see from the diagram that there is no need to send hello packets on those two interfaces as there are no routers attached to those networks...we just need to advertise the route. We can do this by configuring the interfaces as passive interfaces. This advertises the route but does not send "hello"packets on the interface.

R1(config-router)# passive interface fa0/0a.Set interface as passive1.

R1(config-router)# network 192.168.1.1 0.0.0.0 area 0a.Tell it to advertise network2.

On Router 1

R2(config-router)# passive interface fa0/0a.Set interface as passive1.

R2(config-router)# network 192.168.3.1 0.0.0.0 area 0a.Tell it to advertise network2.

On Router 2

Now we're all done!!The 192.168.1.0 and 192.168.3.0 networks are now being advertised but are not sending "hello" packets which is what we want. The 192.168.2.xx interfaces are sending the "hello" packets to inform each router of the 192.168.1.0 and 192.168.3.0 networks!!
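Added example (not from the original notes): a small Python model of what the network and passive-interface commands above decide for each interface. The interface names on R1 (fa0/1 for the 192.168.2.x link, s0/0 as an unrelated WAN link) are assumed for the sake of the example; the notes only place the 192.168.1.x LAN on fa0/0.

```python
import ipaddress


def wildcard_match(ip, addr, wildcard):
    """True if ip equals addr in every bit position where the wildcard bit is 0.
    Wildcard 1 bits are 'don't care', so 0.0.0.0 means 'this exact address'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    addr_i = int(ipaddress.IPv4Address(addr))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i | wc_i) == (addr_i | wc_i)


def ospf_plan(interfaces, network_stmts, passive=()):
    """interfaces: {name: 'ip/prefixlen'}; network_stmts: [(addr, wildcard, area)];
    passive: names given to passive-interface. Returns what OSPF does per interface."""
    # IOS evaluates network statements from most specific (fewest wildcard 1 bits)
    # to least specific, so an exact 0.0.0.0 entry always beats a broad one.
    ordered = sorted(network_stmts,
                     key=lambda s: bin(int(ipaddress.IPv4Address(s[1]))).count("1"))
    plan = {}
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        hit = next((s for s in ordered if wildcard_match(str(iface.ip), s[0], s[1])), None)
        if hit is None:
            plan[name] = {"ospf": False}
            continue
        plan[name] = {
            "ospf": True,
            "area": hit[2],
            "advertises": str(iface.network),    # the prefix that ends up in the LSA
            "sends_hellos": name not in passive,  # passive: advertised, but no adjacency
        }
    return plan


# Constructed topology for R1 (interface names assumed, see the lead-in).
R1_INTERFACES = {"fa0/0": "192.168.1.1/24", "fa0/1": "192.168.2.1/24", "s0/0": "10.1.1.1/30"}
R1_NETWORKS = [("192.168.2.1", "0.0.0.0", 0), ("192.168.1.1", "0.0.0.0", 0)]
R1_PASSIVE = {"fa0/0"}

if __name__ == "__main__":
    for name, what in ospf_plan(R1_INTERFACES, R1_NETWORKS, R1_PASSIVE).items():
        print(name, what)
```

Run it with a single `network 0.0.0.0 255.255.255.255 area 0` statement instead and every interface, including the WAN link, joins OSPF and starts sending hellos, which is exactly why the notes prefer the exact-address form.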

**USEFUL COMMANDS**

- R1# show ip ospf neighbor
  ○ Tells us if the router has any neighbours and shows the dead timer counting down for each connected router
- R1# show ip route
  ○ Will show us the routes established by OSPF (marked with an O)
- R1# show ip protocols
  ○ See if OSPF is enabled, the router ID, and which networks/interfaces it is running on
- R1# debug ip ospf packet
  ○ Can see the 'hello' messages. Debugs run on the router CPU...use on a lab or quiet router and turn off with undebug all
- R1# show ip ospf database
  ○ Shows us the OSPF link-state database

Router ID
The router ID is a 32-bit number written like an IP address. It is picked in this order: a manually configured router-id wins; otherwise the highest IP address on a loopback interface; if no loopback is configured then the highest IP address on an active (up/up) interface.

CDP (Cisco Discovery Protocol)
We can use the Cisco Discovery Protocol to see information about directly connected Cisco devices. You may need to issue the cdp run command if none of the commands work.

- R1# show cdp neighbors detail
  This will tell us the IP address, platform, IOS version and the outgoing/incoming ports of any attached devices!!
- R2# show cdp entry *
  Again this tells us the IP address and outgoing/incoming ports of any attached devices!!

Note that CDP sends all of that in cleartext to whatever is plugged into the port, so it is normal to leave it on for switch-to-router links and turn it off on user-facing or untrusted ports (no cdp enable on the interface, or no cdp run globally).

Route Preference…
Be aware that the longest (most specific) prefix match wins BEFORE administrative distance is even looked at!! Administrative distance only decides between routes to the SAME prefix learned from different sources. So... a RIP-learned /26 will be used for hosts inside that /26 even though EIGRP has a /24 that covers them!!!
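Added example (not from the original notes): a routing-table lookup in Python that shows the order just described. Routes are installed per prefix by administrative distance, and only then does the forwarding lookup pick the longest prefix. The table entries are constructed.

```python
import ipaddress

# Default administrative distances on IOS (lower is more trusted).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


def install(table, prefix, source):
    """What happens when a routing source offers a prefix: only the lowest-AD source
    for that exact prefix gets into the table; a worse source is ignored."""
    existing = [s for p, s in table if p == prefix]
    if existing and min(ADMIN_DISTANCE[s] for s in existing) <= ADMIN_DISTANCE[source]:
        return list(table)
    return [(p, s) for p, s in table if p != prefix] + [(prefix, source)]


def best_route(table, dest):
    """Forwarding lookup: longest prefix match decides. AD never comes into it here,
    because install() already made sure each prefix has exactly one source."""
    d = ipaddress.IPv4Address(dest)
    candidates = [(ipaddress.ip_network(p), s) for p, s in table
                  if d in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, src = max(candidates, key=lambda c: c[0].prefixlen)
    return str(net), src


# Constructed table: EIGRP offers the /24, RIP offers a more specific /26 inside it.
TABLE = install(install([], "10.1.1.0/24", "eigrp"), "10.1.1.0/26", "rip")

if __name__ == "__main__":
    for host in ("10.1.1.5", "10.1.1.200"):
        print(host, "->", best_route(TABLE, host))
```

10.1.1.5 sits inside the RIP /26 and is forwarded by it; 10.1.1.200 is outside the /26 and falls back to the EIGRP /24. Offer OSPF the same /24 and install() rejects it because EIGRP (AD 90) already owns that prefix.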


Page 44: Interconnecting Cisco Networking Devices - · PDF fileaddress and PC sends request for router to ... Routers sit at Layer 3 - Network. They look at IP ... If a router does not know

Designated Router (DR) and Backup Designated Router (BDR)
A DR is a router chosen on a multi-access segment (eg. an Ethernet LAN) that all the other routers on that segment exchange their link-state information with...instead of every router forming a full adjacency with every other router on the segment...a central point for exchanging OSPF routing information!! The election happens per segment, not per area, and there is no DR on a point-to-point serial link.

On LANs a DR and BDR have to be elected. Two rules are used:
1. The router with the highest OSPF interface priority becomes the DR. By default all routers have a priority of 1. A priority of 0 means the router never becomes DR or BDR.
2. If there is a tie, the router with the highest router ID wins the election.
The router with the second highest priority (or router ID) becomes the BDR.

Note the election is not pre-emptive...once a DR exists, a router joining later with a higher priority waits until the DR fails. Priority and router ID come straight from the hello packets, so anything on the LAN that can send OSPF hellos can win the election unless the interface is passive or OSPF authentication is configured.
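Added example (not from the original notes): the router-ID selection order and a DR/BDR election on one LAN segment in Python, using made-up router IDs and loopbacks. It models a fresh election where all routers start at once.

```python
import ipaddress


def router_id(manual=None, loopbacks=(), active_ifaces=()):
    """Pick the OSPF router ID in IOS order: configured router-id, else the highest
    loopback IP, else the highest IP on an up/up interface."""
    if manual:
        return manual
    pool = list(loopbacks) or list(active_ifaces)
    if not pool:
        raise ValueError("no IPv4 address to derive a router ID from")
    return str(max(ipaddress.IPv4Address(ip) for ip in pool))


def elect_dr_bdr(routers):
    """routers: [(router_id, priority)] for the routers on ONE multi-access segment.
    Highest priority wins, ties go to the highest router ID, priority 0 is never
    elected. Returns (dr, bdr); either is None when nobody is eligible.
    Models a fresh election only: a running DR is not pre-empted by a newcomer."""
    eligible = [(rid, pri) for rid, pri in routers if pri > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r[1], ipaddress.IPv4Address(r[0])), reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr


# Constructed LAN: three routers on one segment, all at the default priority of 1.
SEGMENT = [
    (router_id(None, ["10.255.0.1"], ["192.168.2.1"]), 1),    # R1 -> 10.255.0.1 (loopback wins)
    (router_id(None, [], ["192.168.2.2", "192.168.3.1"]), 1),  # R2 -> 192.168.3.1 (highest active)
    (router_id("3.3.3.3", ["10.255.0.3"], []), 1),            # R3 -> 3.3.3.3 (manual wins)
]

if __name__ == "__main__":
    print("fresh election:", elect_dr_bdr(SEGMENT))            # R2 has the highest ID
    rogue = SEGMENT + [("192.168.2.250", 255)]                  # a LAN host speaking OSPF
    print("with a priority-255 rogue speaker:", elect_dr_bdr(rogue))
```

The second print is the security point from the paragraph above in one line: a host that can send hellos with priority 255 on a non-passive, unauthenticated segment becomes the DR for every router on it.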


Access Control Lists (28 October 2014, 11:07)

An access list is a list of permit and deny statements.
Eg. Permit 192.168.2.50
    Deny 192.168.1.0/24
    Permit TCP port 80 for 200.1.1.1

Access lists are a matching mechanism. They can be used for…
- Access control
- NAT
- Quality of service
- Demand dial routing
- Policy routing
- Route filtering

Using ACLs for Security
- The list is read from top to bottom and stops at the first match.
- There is an implicit deny at the end of the list….all traffic is denied unless there has been a permit statement in the list!
  Eg.
  R1(config-std-nacl)# permit 10.1.5.1
  R1(config-std-nacl)# deny 192.168.1.53
  R1(config-std-nacl)# permit 172.30.0.0 0.0.255.255
  *IMPLICIT DENY*

BE CAREFUL WHEN APPLYING AN ACCESS LIST
- Enter global config mode and then interface mode to apply it.
- An ACL can be applied to an interface inbound or outbound.
- Inbound is traffic arriving at the router on that interface.
- Outbound is traffic leaving the router on that interface.
- Be sure you have applied it in the correct direction!! Applied the wrong way round it will not filter the traffic you meant, and its implicit deny can drop traffic you did mean to allow.


Standard and Extended Access List - Overview (28 October 2014, 11:23)

Standard
- Matches based only on source address
  ○ Eg. Deny 10.1.1.1, permit 10.1.1.2
- Lower processor utilization
- Effect depends on the application...a standard list cannot tell web traffic from a ping
- Apply as close to the destination as possible! (It cannot tell destinations apart, so placed near the source it would cut that source off from everywhere.)

Extended
- Matches based on source/destination IP address, protocol, source/destination port number
  ○ Eg. TCP/IP - TCP allow, UDP deny, ICMP allow
- Higher processor utilization
- Syntax takes some time to learn
- Apply as close to the source as possible! (Drop the traffic before it crosses the network.)

Reflexive / established
- Allows traffic to be returned for any requests made from our local network
  ○ Eg. A user accesses Google.com - the webpage would be allowed to be sent back/received.
- The established keyword on an extended entry only checks that the TCP ACK or RST flag is set...it keeps no state, so anyone outside can craft such a packet. A reflexive ACL keeps real session state and is the safer of the two.


Configuring and Applying Standard Access Control Lists (04 November 2014, 09:22)

Scenario

**Assume all Ethernet ports are Fa0/0**

Remember that there are two stages to creating an access list…
1. Configuration
2. Application

Example 1
Use a standard access list to block 10.1.1.1 from reaching 10.1.1.6 and 192.168.1.0/24.

After looking at the network diagram I can see that we need to block R3 from reaching R1. Remember standard access lists can only match on the source IP address - in this case 10.1.1.1. We need to go as close as possible to the destination so we are not affecting any other network flow. In this case it will be best to create the access list on R1 and apply it on S0/0 inbound.

1. Configuration
- Each line we create in an access list has a sequence number which determines the order in which rules are evaluated. We can squeeze lines in where necessary!
- Remember there is an implicit deny at the end of an access list, so we need to add a permit any statement.

R1(config)# access-list 1 deny host 10.1.1.1
R1(config)# access-list 1 permit any

- The permit any adds one more entry before the implicit deny, so everything except 10.1.1.1 is still allowed through!

Configuration is now done!!


2. Application
We need to apply the access list to S0/0 inbound on R1. Important we apply this in the correct direction!
R1(config)# int s0/0
R1(config-if)# ip access-group 1 in

ALL DONE!! We have now configured and applied the access list. We would test by pinging and using telnet etc. from 10.1.1.1, and from another host that should still get through.

Example 2
Use a standard access list to block access to the 192.168.1.0/24 network from 192.168.2.128/25.

1. Configuration
Get as close to the destination as possible. Looking at the diagram it will be best to create the access list on R1 and apply it on the Fa0/0 interface outbound.
- Here we are using a wildcard mask so we can block a network instead of a host.
- To get the wildcard mask we just subtract each octet of the subnet mask from 255! (255.255.255.128 -> 0.0.0.127)
- The address must be the network address (192.168.2.128), not a host inside it.
- Remember to add the permit any command!

R1(config)# access-list 2 deny 192.168.2.128 0.0.0.127
R1(config)# access-list 2 permit any

Config now done.

2. Application
We need to apply the access list to Fa0/0 outbound on R1.
R1(config)# int fa0/0
R1(config-if)# ip access-group 2 out

All done...we would test with pings etc. to ensure all is working OK!

Example 3 - Named Access Lists
Use a standard access list to block 192.168.2.50 from reaching the 10.1.1.1 WAN IP address.

1. Configuration
Looking at the diagram it would be most efficient to apply on R2 S0/1 outbound. We could apply on R3 S0/0 inbound but that would carry the unwanted traffic across the link first.
- If we use the ip access-list command then we can give it a meaningful name!! Much better way to create access lists!

R2(config)# ip access-list standard BLOCK_PC2_ACL
R2(config-std-nacl)# deny 192.168.2.50
R2(config-std-nacl)# permit any        <- Remember this!!

2. Application
We need to apply to R2 S0/1 outbound. The name is case sensitive.
R2(config)# int s0/1
R2(config-if)# ip access-group BLOCK_PC2_ACL out

ALL DONE!! Again test with pings etc. to ensure we have the desired effect.

Using Standard ACLs to limit Telnet and SSH access
We can create a standard access list and apply it to the vty lines using the access-class command. This filters the management sessions themselves, whichever interface the packets arrive on, so it is the right place to restrict who can log in to the router.
Eg. We would like to permit only the 10.1.1.0/24 network to be able to telnet/SSH to R1.

R1(config)# ip access-list standard LIMIT_SSH_TELNET
R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)# deny any
R1(config-std-nacl)# exit
R1(config)# line vty 0 15
R1(config-line)# access-class LIMIT_SSH_TELNET in

All done!! (The explicit deny any does the same job as the implicit deny, but it lets show ip access-list count the rejected login attempts.)


Configuring and Applying Extended Access Control Lists (05 November 2014, 08:58)

Remember that extended access control lists give us more flexibility and control...we can block using source/destination IP address, protocol, source/destination port number!!

Scenario

**Assume all Ethernet ports are Fa0/0**

Example 1
Use an extended ACL to block 192.168.1.0/24 from reaching 192.168.2.128/25.

We need to apply as close to the source as possible...and so in this case it would be most efficient to apply on R1 Fa0/0 inbound!

1. Config
- Numbered extended access lists use a number between 100-199 (or 2000-2699)...or we could just use the ip access-list extended command to create a named access list.
- Source address comes first and then the destination address.
- Remember we need the permit any statement...and in an extended list it is permit ip any any.

R1(config)# access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.127
R1(config)# access-list 100 permit ip any any

2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group 100 in

All done...we can test with pings.

Example 2
Block 192.168.1.50 from reaching 192.168.2.50 on https or http.

In this case we can just edit the previous access list! We will need to insert the commands to block http and https before the permit ip any any statement. We can do this using the sequence numbers...use show ip access-list to see what sequence number we should use (the two existing lines will be 10 and 20).

1. Config
R1(config)# ip access-list extended 100
R1(config-ext-nacl)# 11 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80
R1(config-ext-nacl)# 12 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443

This adds two entries before the permit ip any any to block http (80) and https (443)!!

To test we could telnet to 192.168.2.50 from 192.168.1.50 on ports 80 and 443:
- telnet 192.168.2.50 80
- telnet 192.168.2.50 443
We can then run show ip access-list on R1 to see the match counters go up on lines 11 and 12!

2. Application
We already applied the ACL in Example 1 :).

Example 3
Permit 192.168.2.0/25 to access 10.1.1.1 using only telnet and SSH.

We need to configure as close to the source as possible and so it will be most efficient to configure and apply on R2 Fa0/0 inbound. Telnet port is 23, SSH is 22.

1. Config
R2(config)# ip access-list extended R3_TELNET_SSH
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 22
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 23
R2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.127 host 10.1.1.1
R2(config-ext-nacl)# permit ip any any

- The deny line drops all other traffic from 192.168.2.0/25 to 10.1.1.1 as we only want to allow SSH and Telnet as per the two permits above! The final permit ip any any is what keeps every other flow through that interface working.

2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group R3_TELNET_SSH in

All done!! Just to confirm, 192.168.2.0/25 would still be able to reach the 192.168.2.128 network...it can still go through R3...it is simply only able to telnet and SSH to the 10.1.1.1 WAN IP address itself!! The 192.168.2.128 network is a completely different subnet/network and the ACL never mentions it!

Example 4
Block 192.168.1.0/24 from reaching any WAN IP address.

- So we need to block access to 10.1.1.x...all of the WAN links (10.1.1.0/30 and 10.1.1.4/30)!
- Apply as close to the source as possible and so it will be best to apply on R1 Fa0/0 inbound.

1. Config
R1(config)# ip access-list extended BLOCK_WAN
R1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 10.1.1.4 0.0.0.3
R1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.3
R1(config-ext-nacl)# permit ip any any

2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group BLOCK_WAN in

NOTE
The 192.168.1.0 network will still be able to access all of the LAN networks...eg. 192.168.2.0 and 192.168.2.128...which is what we want! The network will just be unable to contact the WAN IPs directly! Packets can still pass through those links though, because an ACL only looks at the addresses in the packet, not the hops it takes.

Example 5
Permit access to 192.168.2.50 using only SMTP (25), POP3 (110) and IMAP (143) from anywhere.

As we do not know the source we will need to apply as close to the destination as possible….so it would be most efficient to apply on R2 Fa0/0 outbound.

1. Config
R2(config)# ip access-list extended EMAIL_FILTER_R2
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 25
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 110
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 143
R2(config-ext-nacl)# deny ip any host 192.168.2.50

- The deny line ensures we get no other traffic going to 192.168.2.50 (imagine it is an email/Exchange server).


- We also need a permit ip any any, as we have other PCs/devices on the 192.168.2.0 network and we wouldn't want to block all traffic to those devices!

R2(config-ext-nacl)# permit ip any any

2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group EMAIL_FILTER_R2 out

All sorted!! Test with pings, telnet to the three ports, etc...

NOTE:
We can also use 'gt' or 'lt' instead of 'eq' if we want to match a port which is greater than or less than the port specified (and 'range' for a span of ports).
Eg. R2(config-ext-nacl)# permit tcp any host 192.168.20.50 gt 100
This would allow all TCP traffic to host 192.168.20.50 on a destination port greater than 100.

Editing Access Lists
To edit an access list we can use the ip access-list command and then enter the relevant sequence number to insert the new command (or delete a line by using the no command). We would first use the show ip access-list command so we can see the current sequence numbers in the access list…

R2# show ip access-list
Extended IP access list BLOCK_TRAFFIC
    10 permit tcp any any
    20 permit udp any any

We will now insert a command to allow ICMP traffic...

R2(config)# ip access-list extended BLOCK_TRAFFIC
R2(config-ext-nacl)# 15 permit icmp any any
R2(config-ext-nacl)# exit

If we issue another show ip access-list command we will see the command has been inserted between the previous two entries…

R2# show ip access-list
Extended IP access list BLOCK_TRAFFIC
    10 permit tcp any any
    15 permit icmp any any
    20 permit udp any any

To remove a line from an access list we issue the no command with the sequence number in ACL config mode…
R2(config-ext-nacl)# no 20
This would remove just the '20 permit udp any any' line.

To remove a named access list completely we would issue the below command in global config mode…
R2(config)# no ip access-list extended BLOCK_TRAFFIC
(For a numbered list it is no access-list 100. Careful: on a numbered list, no access-list 100 deny ... also wipes the WHOLE list, which is the classic way to lock yourself out. Remove the ip access-group from the interface first if in doubt.)

Access Control List Logging
We can add the log option to any entry in an access list and the router will then log packets that match THAT entry, whether it is a permit or a deny. Entries without log are not logged, so to see what the implicit deny is dropping add an explicit deny ip any any log at the end. Logging is rate-limited and costs CPU (logged packets are punted to the processor), so use it for troubleshooting or on low-volume entries, not on every line.

R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 25 log
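Added example (not from the original notes): a Python evaluator for the subset of ACL syntax used in the standard and extended examples on these pages, covering sequence-number insertion, no <seq>, the log flag and the implicit deny. The packets it is run against are constructed; nothing here is IOS code.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_from_prefix(prefixlen):
    """/25 -> 0.0.0.127: the wildcard is the subnet mask with every bit inverted."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))


def _match(ip, spec):
    """spec is (address, wildcard) as integers; wildcard 1 bits are ignored."""
    addr, wc = spec
    return (int(ipaddress.IPv4Address(ip)) | wc) == (addr | wc)


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' (a bare address means wildcard 0.0.0.0,
    as IOS allows in a standard list) and return (address, wildcard) as integers."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    if tokens and "." in tokens[0]:
        return addr, int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, 0


@dataclass
class Entry:
    seq: int
    action: str
    proto: str              # 'ip' matches every protocol (implied in a standard list)
    src: tuple
    dst: tuple
    port_op: tuple = None   # ('eq'|'gt'|'lt', port) tested against the destination port
    log: bool = False


class ACL:
    """IOS-style list: entries kept in sequence order, first match wins, implicit deny."""

    def __init__(self, name, standard=False):
        self.name, self.standard, self.entries = name, standard, []

    def add(self, line):
        """'[seq] action [proto] src [dst] [eq|gt|lt port] [log]'; without a sequence
        number the entry goes 10 after the last one, as IOS does."""
        t = line.split()
        seq = int(t.pop(0)) if t[0].isdigit() else (self.entries[-1].seq +
                                                     10 if self.entries else 10)
        action = t.pop(0)
        proto = "ip" if self.standard else t.pop(0)
        src = _parse_addr(t)
        dst = (0, 0xFFFFFFFF) if self.standard else _parse_addr(t)
        port_op = None
        if t and t[0] in ("eq", "gt", "lt"):
            op, p = t.pop(0), t.pop(0)
            port_op = (op, int(p))
        entry = Entry(seq, action, proto, src, dst, port_op, bool(t) and t[0] == "log")
        self.entries = sorted([e for e in self.entries if e.seq != seq] + [entry],
                              key=lambda e: e.seq)

    def remove(self, seq):
        """'no <seq>' in ACL config mode removes just that line."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def evaluate(self, pkt):
        """pkt: {'src','dst','proto','dport'} -> (action, seq or None, logs?)."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != pkt.get("proto"):
                continue
            if not (_match(pkt["src"], e.src) and _match(pkt["dst"], e.dst)):
                continue
            if e.port_op:
                op, p = e.port_op
                d = pkt.get("dport")
                if d is None or not {"eq": d == p, "gt": d > p, "lt": d < p}[op]:
                    continue
            return e.action, e.seq, e.log
        return "deny", None, False   # the implicit deny at the end of every list


def build_acl_100():
    """The extended list from Examples 1 and 2 above, with the two inserted lines."""
    acl = ACL("100")
    acl.add("deny ip 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.127")   # becomes seq 10
    acl.add("permit ip any any")                                         # becomes seq 20
    acl.add("11 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80")
    acl.add("12 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443 log")
    return acl


if __name__ == "__main__":
    acl = build_acl_100()
    for pkt in ({"src": "192.168.1.50", "dst": "192.168.2.50", "proto": "tcp", "dport": 443},
                {"src": "192.168.1.7", "dst": "192.168.2.200", "proto": "icmp"}):
        print(pkt, "->", acl.evaluate(pkt))
```

Removing entry 20 with `acl.remove(20)` and re-running the SSH packet shows what forgetting the permit ip any any does: the implicit deny (seq None) now drops it.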


NAT Concepts (10 November 2014, 09:08)

Network Address Translation
- Translates private addresses to public addresses!!
- RFC 1918 private addresses are not routed on the Internet...ISPs drop them.
- This is where NAT comes in!

How NAT works
There are 3 types of NAT…
- Static
- Dynamic
- PAT

PAT (Port Address Translation)
1. PC (192.168.1.10) attempts to access a webpage on the Internet (eg. Cisco.com).
2. A source port is generated (eg. 6711) and is added to the request.
3. The request for the webpage is received by the router, which sees it is from a private address and notes the source port.
4. The router then translates the source address to the assigned public address for the network and keeps the source port (or, if that port is already in use by another inside host, picks a new one) and records the pair in its translation table.
5. This is then sent to Cisco.com over the Internet.
6. Cisco responds back to the public IP address and the translated source port.
7. The reply hits the router, which looks the port up in the translation table and redirects it back to the PC!

This is very common and used everywhere! It translates many private addresses to 1 public address!!
Source port = any number between 1 and 65,535! (Hosts pick from the ephemeral range, so in practice it is a high number.)
Because the router only has table entries for connections that started on the inside, unsolicited traffic from the Internet matches nothing and is dropped...handy, but it is a side effect, not a firewall.

Dynamic NAT
- We have a pool of public addresses and the router hands one to each inside host as it starts talking...a one-to-one mapping for as long as the entry lives.
- Eg. 10 public and 10 private IPs.
- We don't save any IP addresses in this case.
- Also used for overlapping addresses - where two organisations temporarily use the same private IP range - the router sits in between and does NAT.
- Not used very often!
- This creates one-to-one mappings.

Static NAT
- This also creates one-to-one mappings, configured by hand and permanent.
- Eg. Used for a mail server or a web server.
  ○ The MX record (or the A/www record for a website) points to the public IP.
  ○ On the Internet-facing router we configure it to forward port 25/80/443 traffic to the internal IP of the mail server/web server.
  ○ Called port forwarding.


NAT Configuration (10 November 2014, 09:24)

Scenario

PAT

1. Do the base config on the router!

2. Configure interfaces on the router.
- R1(config)# int fa0/0
- R1(config-if)# ip address 192.168.1.1 255.255.255.0
- R1(config)# int fa0/1
- R1(config-if)# ip address dhcp

3. Setup the DHCP scope
- R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
- R1(config)# ip dhcp pool LAN
- R1(dhcp-config)# network 192.168.1.0 255.255.255.0
- R1(dhcp-config)# dns-server 8.8.8.8
- R1(dhcp-config)# default-router 192.168.1.1

Note - some routers will auto-configure the default route if we have configured the WAN interface to use DHCP. Check with show ip int brief (an address on fa0/1) and show ip route (a 0.0.0.0/0 entry).

4. Identify our interfaces (inside and outside)
- R1(config)# int fa0/0
- R1(config-if)# ip nat inside
- R1(config)# int fa0/1
- R1(config-if)# ip nat outside

5. Identify our inside IP addresses (192.168.1.0/24)
- Here we use a standard access list...it is a matching mechanism, remember!
- R1(config)# ip access-list standard INSIDE_NAT_ADDRESSES
- R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255

6. The ip nat inside source command ties it all together
- R1(config)# ip nat inside source list INSIDE_NAT_ADDRESSES interface fa0/1 overload
- The overload keyword enables PAT.
- Without it this is dynamic NAT with the single address of fa0/1 as the "pool", so only one inside host at a time could be translated.


Static NAT
- R1(config)# ip nat inside source static 192.168.1.51 208.53.91.7
  (IP of the server first, then the public IP address)
- We can add port numbers to direct only one service to a web server etc. (port forwarding).
- R1(config)# ip nat inside source static tcp 192.168.1.53 80 208.53.91.7 80
- Be aware that a plain static mapping exposes EVERY port on the server to the Internet, so the port form (or an ACL on the outside interface) is the safer choice.

Types of NAT addresses
- Inside Local - our Private Address!
- Inside Global - our Public Address!
- Outside Local - the address of the outside host as seen from our inside network (normally the same as its public address)
- Outside Global - the Public Address of the website we are accessing!

So...NAT translates Inside Local to Inside Global!!

Useful NAT Commands
- R1# show ip nat statistics
  This tells us how many active translations there are, how many packets have been translated, which interfaces are inside/outside, etc.
- R1# show ip nat translations
  This tells us what inside IP addresses are being translated and to what...eg. Inside Local and Inside Global addresses (and with PAT the port numbers too).
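Added example (not from the original notes): the translation table a PAT router keeps, in Python, with the port-collision step written out and a static port forward (the ip nat inside source static tcp form) alongside it so the difference between the two is visible. Addresses are constructed from the documentation ranges (192.168.1.0/24 inside, 203.0.113.1 as the inside global address, 198.51.100.x outside).

```python
from dataclasses import dataclass, field


@dataclass
class PatRouter:
    """The translation table of a PAT (overload) router, in the notes' terms:
    inside local = private address, inside global = the one public address."""
    inside_global: str
    next_port: int = 1024
    # (inside_local, sport, outside_global, dport) -> port used on the Internet side
    table: dict = field(default_factory=dict)
    # (global port, outside_global, outside port) -> (inside_local, sport), for replies
    reverse: dict = field(default_factory=dict)
    # global port -> (inside_local, port): static forwards (ip nat inside source static tcp ...)
    static: dict = field(default_factory=dict)

    def add_static(self, inside_local, lport, gport):
        self.static[gport] = (inside_local, lport)

    def outbound(self, inside_local, sport, outside_global, dport):
        """Inside -> outside. Returns (src, sport) as the Internet sees them."""
        for gport, mapped in self.static.items():       # a forwarded server replying
            if mapped == (inside_local, sport):
                return self.inside_global, gport
        key = (inside_local, sport, outside_global, dport)
        if key not in self.table:
            gport = sport
            # Keep the host's own port if it is free; on a collision with another
            # inside host (or a static forward) hand out a fresh one. This is the
            # step that lets many PCs share one public address.
            while gport in self.static or (gport, outside_global, dport) in self.reverse:
                gport, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = gport
            self.reverse[(gport, outside_global, dport)] = (inside_local, sport)
        return self.inside_global, self.table[key]

    def inbound(self, outside_global, sport, dst, dport):
        """Outside -> inside. Returns (inside_local, port) or None. With no matching
        entry the packet is dropped: unsolicited traffic never reaches the LAN unless
        a static forward exists for that port."""
        if dst != self.inside_global:
            return None
        return self.reverse.get((dport, outside_global, sport)) or self.static.get(dport)


if __name__ == "__main__":
    # Two LAN hosts happen to pick the same source port for the same web server,
    # plus one internal web server published on port 80.
    r = PatRouter(inside_global="203.0.113.1")
    r.add_static("192.168.1.53", 80, 80)
    print(r.outbound("192.168.1.10", 6711, "198.51.100.10", 80))
    print(r.outbound("192.168.1.11", 6711, "198.51.100.10", 80))   # collision -> 1024
    print(r.inbound("198.51.100.10", 80, "203.0.113.1", 1024))     # reply finds .11
    print(r.inbound("198.51.100.77", 40000, "203.0.113.1", 80))    # forwarded to .53
    print(r.inbound("198.51.100.77", 40000, "203.0.113.1", 5555))  # None: dropped
```

The dict keys are the same columns that show ip nat translations prints (inside local:port, inside global:port, outside global:port); the reverse lookup is why a reply to port 1024 reaches the second PC even though both PCs used 6711.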


IPv6 Concepts (10 November 2014, 10:12)

Why do we need IPv6?
- There is an IP address shortage!! Only about 4 billion IPv4 addresses!!
- Current IP addresses are poorly allocated...some companies/organisations were allocated a ridiculous number of addresses which are not being used…but IANA can't just ask for them back!!
- New network devices are on the rise...even fridges and microwaves are now coming with network cards!
- NAT (the current solution) is seen as a hindrance to innovation.

IPv6 Addressing
- Address size moved from 32 bits (IPv4) to 128 bits (IPv6).
- Provides a ridiculously high number of addresses! We could assign an IP address to each atom on the surface of the Earth x 100!!!
- Addresses are hexadecimal (0-9, A-F).
  ○ Divided into 8 groups of 4 hex characters - each character is 4 bits in length.
  ○ EG. 2001:0050:0000:0000:0000:0AB4:1E2B:98AA
  ○ So each group (hextet) = 4 x 4 = 16 bits and the whole address = 16 x 8 = 128 bits!!

RULE 1 - Replace one run of consecutive all-zero groups with ::
Using the above example…
2001:0050::0AB4:1E2B:98AA
Note - We can only use :: once in an address (otherwise nobody could tell how many zero groups each one stood for). If there are two runs, shorten the longest one.

RULE 2 - Drop leading zeros in each group
2001:50::AB4:1E2B:98AA

Simplified IPv6 headers
- Simpler for routers to process.
- Uses the next header field which eliminates a lot of complexity (options live in extension headers rather than in the base header).

NDP (Neighbour Discovery Protocol)
PCs using IPv6 use NDP (ICMPv6 messages) to learn MAC addresses on the same LAN (not ARP like IPv4!!).

Types of Communication and Addresses
- Unicast -> one-to-one
- Multicast -> one-to-many
  ○ No more broadcasts!! These have been replaced by multicasts...they provide the same functions as broadcasts!
- Anycast -> one-to-closest
  ○ We give the same address to multiple devices eg. web servers.
  ○ When someone tries to access the website it uses the closest device as it will be most efficient.

Link Local address
- FE80::/10 - in practice every link-local address starts FE80:0000:0000:0000 (FE80::/64).
- Similar to an IPv4 APIPA address (169.254.x.x).
- Valid only on the local link (Layer 2 segment).
- Allows devices to communicate where no DHCP server is available...however it cannot be routed, not even between two LANs on the same router, let alone the Internet.
- Every IPv6 interface gets one automatically, and routing protocols such as OSPFv3 use them as next hops.
- The host part can use EUI-64 addressing...take the MAC address of the device, squeeze FFFE in the middle and flip the 7th bit (the universal/local bit) of the first byte...eg. MAC 02:FE:4C:8A:CB:1F

  64 bits               64 bits
  NETWORK               HOST


  FE80:0000:0000:0000   00FE:4CFF:FE8A:CB1F   (the leading 02 became 00 when the U/L bit was flipped)

Unique Local Addresses (FC00::/7, in practice FD00::/8)
- Same idea as IPv4 private addresses...usable inside the organisation, not routed on the Internet.
- These replaced the old site-local addresses (FEC0::/10), which are deprecated.

Global Address
- Same as a public IPv4 address.
- Global addresses begin with 2000::/3.
- High-order 3 bits set to 001, so the first hex digit is 2 (0010) or 3 (0011).
- Global routing prefix is 48 bits or less.

  Global Prefix   Subnet ID    Interface ID
  'n' bits        64 - n bits  64 bits

Example
IANA hands out blocks to the regional registries, who hand them on to ISPs and organisations!! Together they decide the global routing prefix! The Subnet ID is comprised of the bits left over between the global routing prefix and the 64-bit interface ID...a /48 prefix leaves 16 bits, ie. 65,536 subnets. The first large allocations making up the IPv6 Internet came from the 2001::/16 block.
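Added example (not from the original notes): the two shortening rules and the EUI-64 link-local construction written out in Python and cross-checked against the standard library. The MAC addresses are constructed.

```python
import ipaddress


def expand(addr):
    """Undo both shortening rules and return the eight 4-digit groups."""
    if "::" in addr:
        head, tail = addr.split("::")
        h = head.split(":") if head else []
        t = tail.split(":") if tail else []
        groups = h + ["0"] * (8 - len(h) - len(t)) + t
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("not an IPv6 address: %r" % addr)
    return [g.zfill(4).lower() for g in groups]


def compress(addr):
    """RULE 1: the longest run of all-zero groups becomes '::' (only once, only if it
    is at least two groups long, first run wins a tie). RULE 2: drop leading zeros.
    That is the RFC 5952 canonical form, the one IOS prints."""
    groups = [g.lstrip("0") or "0" for g in expand(addr)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def eui64_link_local(mac):
    """FE80::/64 plus an EUI-64 interface ID: split the 48-bit MAC in half, insert
    FFFE, and flip bit 7 of the first byte (the universal/local bit)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return compress("fe80:0:0:0:" + ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2)))


def same_as_stdlib(addr):
    """Cross-check: the hand-rolled compression must agree with ipaddress."""
    return compress(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    print(compress("2001:0050:0000:0000:0000:0AB4:1E2B:98AA"))   # 2001:50::ab4:1e2b:98aa
    print(eui64_link_local("02:FE:4C:8A:CB:1F"))                 # fe80::fe:4cff:fe8a:cb1f
```

Because the interface ID is derived from the MAC, an EUI-64 address identifies the hardware wherever the host roams; that is why most client operating systems now default to random interface IDs (RFC 4941 privacy extensions) instead.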


IPv6 Configuration (11 November 2014, 10:00)

Scenario

Turn on IPv6 Routing
IPv6 routing is turned off by default (unlike IPv4).
- R1(config)# ipv6 unicast-routing
- R2(config)# ipv6 unicast-routing

Assigning Addresses
- R1(config)# int fa0/0
- R1(config-if)# ipv6 address 2001:55::1/64
- R1(config-if)# no shutdown
- R1(config)# int s0/0
- R1(config-if)# ipv6 address 2001:210:10:1::1/64
- R1(config-if)# no shutdown
- R2(config)# int fa0/0
- R2(config-if)# ipv6 address 2001:56::1/64
- R2(config-if)# no shutdown
- R2(config)# int s0/0
- R2(config-if)# ipv6 address 2001:210:10:1::2/64
- R2(config-if)# no shutdown

Verify Addresses
- R1# show ipv6 int brief (shows the link-local FE80:: address that was created automatically as well as the global one)
- R1# ping ipv6 <ip-address>

Configure Static Routing
Pretty much the same as IPv4! The destination is the NETWORK with its prefix length, and the next hop is a plain address with no prefix length.
- R1(config)# ipv6 route 2001:56::/64 2001:210:10:1::2
- R2(config)# ipv6 route 2001:55::/64 2001:210:10:1::1

All done!


Configure Dynamic Routing - OSPFv3
This is different to IPv4 as we no longer use the network command...OSPF is enabled per interface instead!

- R1(config)# ipv6 router ospf 1
- R1(config-rtr)# router-id 1.1.1.1
- R2(config)# ipv6 router ospf 1
- R2(config-rtr)# router-id 2.2.2.2
  ○ The router ID is still a 32-bit IPv4-style number. With no IPv4 address on the router there is nothing to derive it from, so the process will not start (and will not send hellos) until we set one manually.

- R1(config)# int fa0/0
- R1(config-if)# ipv6 ospf 1 area 0
- R1(config)# int s0/0
- R1(config-if)# ipv6 ospf 1 area 0
- R2(config)# int fa0/0
- R2(config-if)# ipv6 ospf 1 area 0
- R2(config)# int s0/0
- R2(config-if)# ipv6 ospf 1 area 0

Verify
- R1# show ipv6 protocols
- R1# show ipv6 ospf neighbor
- R1# show ipv6 route ospf

All done!!
We enable OSPF, assign a router ID and then add the interfaces (and therefore their networks) we want to advertise to the OSPF process! The LAN interfaces face no other routers, so passive-interface fa0/0 under ipv6 router ospf 1 applies here for the same reason as in IPv4.


The Migration to IPv6 (12 November 2014, 10:23)

Multiple methods exist to provide a smooth, non-pressured transition…

- Dual Stack routers
  This is where we simply enable IPv4 and IPv6 routing and assign each interface an IPv4 and an IPv6 address!!
  ○ This enables us to communicate via IPv4 and IPv6 at the same time! (It also means both stacks need securing...an ACL applied with ip access-group does nothing for the IPv6 traffic on the same interface.)

- Tunnelling (eg. 6to4)
  This uses encapsulation where IPv6 packets are encapsulated within IPv4 packets for transmission over IPv4 networks (and the same trick works the other way round, carrying IPv4 over IPv6 networks).

- NAT Protocol Translation (NAT-PT)
  This is where a block of IPv4 addresses at an IPv4 interface is set aside for translating addresses as IPv6 hosts start sessions with IPv4 hosts. NAT-PT itself has since been deprecated (RFC 4966) in favour of NAT64/DNS64, which does the same job.
