scott ccna
TRANSCRIPT
7/14/2010
NETWORKING BASICS
NETWORKING
• The connection of two or more devices across a small or wide geographical distance to allow communication between them, with the purpose of sharing information and resources
LAN (LOCAL AREA NETWORK)
• A high-speed network within a small geographical distance
WAN (WIDE AREA NETWORK)
• A low-speed network that spans a large area
• Connection of two or more LANs
NETWORK COMPONENTS: NETWORK INTERFACE CARDS (NIC)
• An expansion card in the computer's motherboard, used to connect a system to the physical network media; inserted in an expansion slot on the motherboard
• An expansion slot is a slot located on a computer's motherboard that allows peripherals to be plugged directly into it
• A NIC has an inbuilt address called the MAC (Media Access Control) address, also called the Burned-In Address; it is the physical address of the computer
• A NIC has two Light Emitting Diodes (LEDs) that help in diagnosing problems with its functionality
  LINK LED: Illuminates when proper connectivity to an active network is detected
  ACTIVITY LED: Flickers to indicate the intermittent transmission or receipt of frames to or from the network
• Use "c:\> ipconfig/all" to check the system MAC address
NETWORK COMPONENTS: HUBS
• Concentrators or multiport repeaters
• Used in star topology to connect multiple stations
• Has one broadcast domain (broadcast environment): an environment where a single message can be sent to all devices
• Takes the incoming signal from one port and forwards it to all other ports
• Has one collision domain: an environment where a collision occurs when multiple nodes on the network put a signal on the wire at exactly the same time
• The three types of hub are:
  ACTIVE: Takes the incoming frames, amplifies the signal and forwards it
  PASSIVE: Splits the signal and forwards it; it doesn't amplify
  INTELLIGENT: Can be managed; allows individual port configuration and traffic monitoring
NETWORK COMPONENTS: BRIDGES
• A network device that connects two similar network segments together
• The primary function is to keep traffic separated on both sides of the bridge; divides a busy network into two segments
• More intelligent than a hub
• Increases network performance by segmenting networks into separate (multiple) collision domains
• Maintains a table with the MAC addresses of all nodes
• Performs learning & forwarding functions
• Contains one broadcast domain
NETWORK COMPONENTS: SWITCH
• A hardware-based multiport bridge
• Connects multiple segments of a network together
• Maintains a table with MAC addresses per port to make forwarding decisions
• Performs learning & forwarding decisions
• One broadcast domain (default)
• Multiple collision domains (1 per port)
THE DIFFERENCE BETWEEN SWITCH & BRIDGE
• A switch has more ports than a bridge
• Switches are meant to replace hubs and improve network performance by creating a separate collision domain per port
• Switches switch (make decisions) in hardware (integrated circuit) while bridges switch in software
• Switches offer more variance in speed: an individual port can be assigned 10Mbps, 100Mbps, 1000Mbps, or 10Gbps
• Controls the broadcast domain: has one broadcast domain by default, but multiple can be configured with VLANs
• VLAN means Virtual Local Area Network
NETWORK COMPONENTS: ROUTER
• A device that connects multiple network segments into an internetwork; the Internet is an example of an internetwork
• Routes information between multiple networks by choosing an optimal path to the destination
• Interconnects LANs & WANs
• Resolves collision & broadcast issues: multiple COLLISION and BROADCAST domains
• Stores information in a routing table
NETWORK COMPONENTS: GATEWAYS
• A hardware device or a computer running software that allows communication between networks with dissimilar network protocols or architectures
• Common uses of gateways are:
  Connection of an Ethernet network to an IBM mainframe environment
  Allowing the communication of most LAN-based software (Novell's GroupWise & Microsoft's Exchange) with Internet mail servers
  The connection of analog phones to an IP network
NETWORK COMPONENTS: CSU/DSU
• Channel Service Unit/Data Service Unit
• A hardware device that converts digital data frames from the communication technology used on a LAN into frames appropriate to the WAN, and vice versa
• Primarily used on both ends of a T-1 or T-3 connection; a T-1 or T-3 is a fast digital leased line often used for high-speed Internet connections
• CSU: Terminates the line at the customer premises; provides diagnostics and remote testing
• DSU: Does the actual transmission of the signal through the CSU
NETWORK COMPONENTS: MODEMS
• Used for low-speed long-distance connections over telephone lines
• Converts parallel digital data into serial analog data and vice versa; this allows digital devices like computers to communicate over an analog medium
• The two main types of modem are:
  Internal: expansion cards (PCI) or on-board
  External: modems that connect to the serial RS-232 or USB port and often have their own power supply
• A telephone line is connected to the modem using an RJ-11 connector
THE REFERENCE MODEL
• A reference model is a developer's guide
• The two major models are OSI & TCP/IP
OSI REFERENCE MODEL
• Open System Interconnection
• Developed by ISO in 1984
• Provides a reference model for the complex aspects related to network communication
• Divides the different functions and services provided by network technology into 7 layers
• This facilitates modular engineering
• Simplifies teaching and learning of network technologies
• Allows vendors to focus on just the layer(s) in which their hardware or software is implemented, and enables them to create products that are compatible, standardized and interoperable
THE SEVEN LAYERS OF OSI MODEL
DATA PROCESSING ACROSS THE MODEL
• The Application, Presentation and Session layers take user input and convert it into data
• The Transport layer adds a segment header (port number), converting the data to segments
• The Network layer adds a network header (IP address) and converts the segments into packets / datagrams
• The Data-link layer adds a frame header (MAC address), converting the packets / datagrams into frames
• The MAC sub-layer converts the frames into bits, which the Physical layer puts on the wire
NOTE: HOST A ENCAPSULATES, HOST B DECAPSULATES
THE SEVEN LAYERS OF OSI MODEL: APPLICATION LAYER
• Provides services directly to the user's application (web browser, email)
• Allows end users to send messages, save files, print documents, browse the Web and perform any other activities within the network setting
• The closest layer to the user
• Examples of protocols that operate on this layer are:
  TELNET
  HTTP: Hyper Text Transfer Protocol
  FTP: File Transfer Protocol
  TFTP: Trivial File Transfer Protocol
  SMTP: Simple Mail Transfer Protocol
  POP3: Post Office Protocol
THE SEVEN LAYERS OF OSI MODEL: PRESENTATION LAYER
• Represents the data in a particular format to the application layer
• Reformats data for transmission to & from the network
• Defines encryption, compression and other coding functions
• Examples of specifications are: JPEG, MPEG, WMV, WMA, ASCII
SESSION LAYER
• Establishes, maintains and terminates end-to-end connections (sessions) between two applications on two network nodes
• Controls the dialogue between the two nodes
• Controls when and how far a node can send
• Provides error reporting for the Application, Presentation and Session layers
• Examples of protocols: RPC (Remote Procedure Call), NETBIOS
TRANSPORT LAYER
• Converts the data received from the upper layers into segments and prepares them for transport
• Responsible for end-to-end delivery of entire messages
• Allows data to be transferred reliably and uses sequencing to guarantee orderly delivery
• Provides services like FLOW CONTROL (buffering, windowing and congestion avoidance [in software]) and error checking
• Multiplexes using port numbers
• Protocols:
  1. TCP: TRANSMISSION CONTROL PROTOCOL
  2. UDP: USER DATAGRAM PROTOCOL
  3. NETBEUI
  4. SPX: SEQUENCED PACKET EXCHANGE
• These protocols are either connection-oriented or connectionless
  Connection-oriented
  • A connection must be established before any actual data can be exchanged; delivery is guaranteed by sending acknowledgements
  • TCP is a connection-oriented protocol
  Connectionless
  • The sender does not establish a connection before sending
  • No guaranteed delivery of data
  • UDP is an example
THE SEVEN LAYERS OF OSI MODEL: NETWORK LAYER
• Converts the segments from the transport layer into packets
• Responsible for path determination (routing) and the delivery of packets across internetworks
• Responsible for logical addressing
• Protocols: IP, IPX, ICMP, RIP, OSPF, BGP
• Multilayer switches and routers operate at this layer
THE SEVEN LAYERS OF OSI MODEL: DATA-LINK LAYER
• Reassembles bits into frames
• Provides error checking by adding a CRC to the frames
• Deals with physical addresses (MAC)
• Has two sub-layers:
  LLC: Logical Link Control
  MAC: Media Access Control
• Switches, bridges, WAPs and NICs operate at this layer
• PROTOCOLS: ETHERNET (LAN); FRAME-RELAY, ATM, X.25, PPP, HDLC (WAN)
THE SEVEN LAYERS OF OSI MODEL: PHYSICAL LAYER
• Communicates directly with the physical medium
• It handles a raw bit stream and places it on the wire to be picked up by the physical layer at the receiving node
• Defines:
  Electrical and optical signaling
  Voltage level, data transmission rates
  Mechanical specifications such as cable lengths and connectors, the number of pins and their functions
• Devices: hubs, NICs, WAPs, LAN & WAN interfaces
TCP/IP MODEL
• TRANSMISSION CONTROL PROTOCOL / INTERNET PROTOCOL
• DEVELOPED BY THE DEPARTMENT OF DEFENCE OF AMERICA
• IT IS THE INTERNET DE FACTO
IP ADDRESSING
• A numeric identifier assigned to each interface on an IP network
• Internet Protocol software address
• There are two versions:
  IPV4: 32 bits
  IPV6: 128 bits
IPV4
• Has 4 bytes (octets) with a period between each byte: 11111111.11111111.11111111.11111111
• IPV4 FORMATS
  Computer readable (dotted binary): 11111111.11111111.11111111.11111111
  Human readable (dotted decimal): 255.255.255.255
BINARY TO DECIMAL CONVERSION FOR A BYTE
BIT POSITION     8th   7th   6th   5th   4th   3rd   2nd   1st
DECIMAL VALUE    128   64    32    16    8     4     2     1
POWER OF 2       2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
CLASSES OF IPV4
CLASS   USES            DECIMAL RANGE                 HOST ADDRESSES
A       LARGE NETWORK   1 – 126 (0 & 127 RESERVED)    16,777,214
B       MEDIUM          128 – 191                     65,534
C       SMALL           192 – 223                     254
D       MULTICAST       224 – 239                     -
E       RESEARCH        240 – 254 (255 RESERVED)      -
COMPONENTS OF IPV4
• NETWORK NUMBER: Uniquely identifies a segment in the network
• HOST NUMBER: Uniquely identifies a device on a segment
IPV4 = NETWORK ADDR (N) + HOST ADDR (H)
CLASSFUL NETWORK & HOST ADDRESSES
CLASS   NETWORK BITS    HOST BITS
A       8  [N]          24 [H.H.H]
B       16 [N.N]        16 [H.H]
C       24 [N.N.N]      8  [H]
SUBNET MASK
• A 32-bit value
• Differentiates the network portion from the host portion
• A 1 in a bit position represents network; a 0 represents host
• All 1s must be contiguous, as must all 0s
SUBNET MASK REPRESENTATION
  DOTTED-DECIMAL:             192.168.2.0 255.255.255.0
  NUMBER OF NETWORKING BITS:  192.168.2.0 /24
  HEXADECIMAL:                192.168.1.0 0xFFFFFF00
CLASSFUL/DEFAULT SUBNET MASKS
  CLASS A: 255.0.0.0
  CLASS B: 255.255.0.0
  CLASS C: 255.255.255.0
CLASSLESS INTER-DOMAIN ROUTING
• Provides addresses in a certain block size, e.g. 192.168.10.32/28
• The slash (/) notation refers to the number of bits that are turned on (1s)
AVAILABLE CIDR
SUBNET MASK        CIDR   CLASS
255.0.0.0          /8     CLASS A
255.128.0.0        /9
255.192.0.0        /10
255.224.0.0        /11
255.240.0.0        /12
255.252.0.0        /13
255.254.0.0        /14
255.255.0.0        /15
255.255.0.0        /16    CLASS B
255.255.128.0      /17
255.255.192.0      /18
255.255.224.0      /19
255.255.240.0      /20
255.255.248.0      /21
255.255.252.0      /22
255.255.254.0      /23
255.255.255.0      /24    CLASS C
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
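The conversions the last few slides describe by hand (binary octet to decimal, dotted-decimal mask to /prefix and to hex, address class from the first octet, and the "all 1s contiguous" rule) as a small Python toolkit. This is an added example, not part of the original slides; the function names are my own, and the table is regenerated from the prefix length rather than typed in.

```python
import ipaddress

# Positional weights of the eight bits in an octet, as in the conversion table.
BIT_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)

# First-octet ranges from the CLASSES OF IPV4 table; 0, 127 and 255 are reserved.
CLASS_RANGES = (("A", 1, 126), ("B", 128, 191), ("C", 192, 223), ("D", 224, 239), ("E", 240, 254))
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def octet_to_decimal(bits: str) -> int:
    """Convert one 8-character binary octet to decimal using the weight table."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"not an 8-bit octet: {bits!r}")
    return sum(w for w, b in zip(BIT_WEIGHTS, bits) if b == "1")


def dotted_binary_to_decimal(addr: str) -> str:
    """Computer-readable (dotted binary) to human-readable (dotted decimal)."""
    return ".".join(str(octet_to_decimal(o)) for o in addr.split("."))


def dotted_decimal_to_binary(addr: str) -> str:
    """The reverse conversion, zero-padding each octet to 8 bits."""
    ipaddress.IPv4Address(addr)  # validates the four octets
    return ".".join(f"{int(o):08b}" for o in addr.split("."))


def prefix_to_int(prefix: int) -> int:
    """32-bit mask value with `prefix` leading ones."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    return str(ipaddress.IPv4Address(prefix_to_int(prefix)))


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask to prefix length, enforcing the rule that all 1 bits
    are contiguous and precede all 0 bits (255.0.255.0 is rejected)."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != prefix_to_int(ones):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def mask_to_hex(mask: str) -> str:
    """Hexadecimal representation, e.g. 255.255.255.0 -> 0xFFFFFF00."""
    return f"0x{int(ipaddress.IPv4Address(mask)):08X}"


def block_size(mask: str) -> int:
    """Addresses per subnet: 2 ** host bits (generalises 256 - interesting octet)."""
    return 2 ** (32 - mask_to_prefix(mask))


def address_class(addr: str) -> str:
    """Classful letter of an address from its first octet, or RESERVED."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first in (0, 127, 255):
        return "RESERVED"
    for cls, lo, hi in CLASS_RANGES:
        if lo <= first <= hi:
            return cls
    raise ValueError(f"no class for first octet {first}")


def available_cidr_table(lo: int = 8, hi: int = 30):
    """Regenerate the AVAILABLE CIDR table as (mask, /prefix, class label) rows."""
    labels = {8: "CLASS A", 16: "CLASS B", 24: "CLASS C"}
    return [(prefix_to_mask(p), f"/{p}", labels.get(p, "")) for p in range(lo, hi + 1)]


if __name__ == "__main__":
    for mask, cidr, label in available_cidr_table():
        print(f"{mask:16} {cidr:5} {label}")
```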
SUBNETTING
• The segmentation of a classful network into smaller networks
• Allows the creation of smaller network numbers from the higher-order bits
• These smaller networks with a smaller number of hosts are called subnets
MERITS OF SUBNETS
• It reduces network traffic
• It optimizes network performance
• It simplifies management
BASIC SUBNET CALCULATION
• 2^X ≥ the maximum number of subnets required
• 2^Y - 2 ≥ the number of hosts on the largest segment
• X + Y ≤ the total number of classful host bits
• X = the number of higher-order bits needed from the host portion to create your subnets
• Y = the number of lower-order bits needed from the host portion to address your devices (hosts)
  11111111.11111111.11111111.00000000  (host portion: X higher-order bits, then Y lower-order bits)
SUBNET CALCULATION EXAMPLE:
What class of address can be used to satisfy the following requirements?
• Number of segments = 4
• Number of hosts = 62
SOLUTION
X = 2, i.e. 2^2 ≥ 4, while Y = 6, i.e. 2^6 - 2 ≥ 62; X + Y ≤ 8. Therefore, the answer is a CLASS C address.
SIX-STEP APPROACH TO IP ADDRESS SUBNETTING
1. Identify the network and the host requirement
2. Satisfy the network and host requirement
3. Figure out the subnet mask
4. Calculate the block size
5. Figure out the network addresses
6. Figure out the directed broadcast
7. Figure out the valid host addresses in each network/subnet
SUBNET QUESTION
You are given a single class C address (192.168.2.0/24) by your ISP, but your organization has 4 subnets/networks and 62 maximum devices in the largest segment/network. As an administrator, you are required to subnet the given address to cater for the organization's requirement.
SOLUTION
STEP 1
• Address given is 192.168.2.0/24
• Organization's requirement: 4 subnets and 62 devices/hosts
STEP 2
• X = 2 (2^2 ≥ 4)
• Y = 6 (2^6 - 2 ≥ 62)
• X + Y = 8
STEP 3
  11111111.11111111.11111111.00000000  (the given /24 mask)
  11111111.11111111.11111111.11000000  (X = 2 bits borrowed for subnets, Y = 6 bits left for hosts)
  255.255.255.192 OR /26
  THE NEW IP ADDRESS = 192.168.2.0/26
STEP 4
• BLOCK SIZE: 64 (2^Y = 2^6) OR 256 - 192 = 64
SUBNET QUESTION
STEP 5, STEP 6 & STEP 7
Network addresses    Valid host addresses            Directed broadcast
192.168.2.0/26       192.168.2.1 – 192.168.2.62      192.168.2.63
192.168.2.64/26      192.168.2.65 – 192.168.2.126    192.168.2.127
192.168.2.128/26     192.168.2.129 – 192.168.2.190   192.168.2.191
192.168.2.192/26     192.168.2.193 – 192.168.2.254   192.168.2.255
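The six-step approach (and the earlier "which class?" question) carried out in Python, so the X/Y formulas, the mask, the block size and the per-subnet network, host range and directed broadcast come from one function. This is an added example, not from the slides; `bits_for`, `smallest_class` and `plan_subnets` are names I chose.

```python
import ipaddress


def bits_for(count: int, reserved: int = 0) -> int:
    """Smallest n with 2**n - reserved >= count.
    reserved=0 gives X (2^X >= subnets); reserved=2 gives Y (2^Y - 2 >= hosts),
    the 2 being each subnet's network and directed-broadcast addresses."""
    n = 0
    while 2 ** n - reserved < count:
        n += 1
    return n


def smallest_class(subnets: int, hosts: int) -> str:
    """The SUBNET CALCULATION EXAMPLE: the smallest class whose host bits
    (8 for C, 16 for B, 24 for A) can hold X + Y."""
    needed = bits_for(subnets) + bits_for(hosts, reserved=2)
    for cls, host_bits in (("C", 8), ("B", 16), ("A", 24)):
        if needed <= host_bits:
            return cls
    raise ValueError(f"{needed} host bits needed; no class provides that many")


def plan_subnets(block: str, subnets: int, hosts: int) -> dict:
    """Steps 1-7 for fixed-length subnetting of `block`."""
    net = ipaddress.IPv4Network(block)                       # step 1: the given address
    x = bits_for(subnets)                                    # step 2: 2^X >= subnets
    y = bits_for(hosts, reserved=2)                          #         2^Y - 2 >= hosts
    host_bits = 32 - net.prefixlen
    if x + y > host_bits:
        raise ValueError(f"X + Y = {x + y} exceeds the {host_bits} host bits of {block}")
    new_prefix = net.prefixlen + x                           # step 3: borrow X higher-order bits
    mask = str(ipaddress.IPv4Network(f"0.0.0.0/{new_prefix}").netmask)
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):           # steps 5-7, one row per subnet
        rows.append({
            "network": str(sub),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),         # directed broadcast
        })
    return {
        "x": x, "y": y, "mask": mask, "cidr": f"/{new_prefix}",
        "block_size": 2 ** (32 - new_prefix),                # step 4
        "usable_hosts_per_subnet": 2 ** (32 - new_prefix) - 2,
        "subnets": rows,
    }


if __name__ == "__main__":
    plan = plan_subnets("192.168.2.0/24", subnets=4, hosts=62)
    print(f"mask {plan['mask']} ({plan['cidr']}), block size {plan['block_size']}")
    for row in plan["subnets"]:
        print(f"{row['network']:18} {row['first_host']} - {row['last_host']}   {row['broadcast']}")
```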
VARIABLE LENGTH SUBNET MASK
• Allows the use of different subnet masks within the same class address
• Allows for more efficient use of addresses
• Aids the ability to perform route summarization
• Deployed using classless routing protocols
VLSM STEPS
1. Find the largest segment in the network
2. Find the appropriate subnet mask for the largest network segment
3. Write down your new network/subnet addresses
4. For your smaller segments, re-subnet the newly created subnets with an appropriate subnet mask
5. Write down your new subnetted network/subnet addresses
Using the topology below, subnet 192.168.2.0/24 to satisfy the network requirement while making efficient use of your IP addresses
SOLUTION
• IP address: 192.168.2.0/24
• Largest segment: Lagos [62 devices]
• Y = 6 [2^6 - 2 ≥ 62]
• New subnet mask = 255.255.255.192 (11111111.11111111.11111111.11000000)
• Block size = 256 - 192 = 64
• The new network addresses:
  192.168.2.0/26    used for Lagos network
  192.168.2.64/26   re-subnet for Abuja and New York segments
  192.168.2.128/26  reserved for future use
  192.168.2.192/26
• The second larger segments are New York (30 devices) and Abuja (30 devices)
  New subnet address: 192.168.2.64/26
  Y = 5 [2^5 - 2 ≥ 30]
  New subnet mask: 255.255.255.224 (11111111.11111111.11111111.11100000)
  Block size: 256 - 224 = 32
  New subnetted subnet addresses:
  192.168.2.64/27   used for the 2 larger segments
  192.168.2.96/27
  192.168.2.128/27  used for another segment
  192.168.2.160/27  reserved
  192.168.2.192/27
  192.168.2.224/27
• The third larger segment is Free Town (14 devices)
  New subnet address: 192.168.2.128/27
  Y = 4 [2^4 - 2 ≥ 14]
  New subnet mask: 255.255.255.240 (11111111.11111111.11111111.11110000)
  Block size: 256 - 240 = 16
  New subnetted subnet addresses:
  192.168.2.128/28  used
  192.168.2.144/28  subnetted
  192.168.2.160/28  reserved
  192.168.2.176/28
  192.168.2.192/28
  192.168.2.208/28
  192.168.2.224/28
  192.168.2.240/28
• The last segments are for the WAN links (2 devices each)
  New subnet address: 192.168.2.144/28
  Y = 2 [2^2 - 2 ≥ 2]
  New subnet mask: 255.255.255.252 (11111111.11111111.11111111.11111100)
  Block size: 256 - 252 = 4
  New subnetted subnet addresses:
  192.168.2.144/30  used for WAN links
  192.168.2.148/30
  192.168.2.152/30
  192.168.2.156/30  reserved for future use
  192.168.2.160/30
  192.168.2.164/30
  .
  .
  192.168.2.252/30
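The VLSM steps above as an allocator: segments are taken largest first, each gets the longest prefix that still fits, and the lowest free block that is big enough is split for it, which is exactly the order the worked solution follows. Added example, not from the slides; the segment table is constructed from the device counts given (three WAN links are assumed from the three /30s marked as used), and the function names are mine.

```python
import ipaddress


def host_bits(hosts: int) -> int:
    """Y such that 2**Y - 2 >= hosts (network and broadcast excluded)."""
    y = 0
    while 2 ** y - 2 < hosts:
        y += 1
    return y


def vlsm_allocate(block: str, segments: dict):
    """Allocate one subnet per segment from `block`.
    Returns (assignments {name: IPv4Network}, remaining free blocks, sorted)."""
    free = [ipaddress.IPv4Network(block)]
    plan = {}
    # VLSM step 1: largest segment first; ties broken by name for a stable result
    for name, hosts in sorted(segments.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = 32 - host_bits(hosts)                         # step 2: mask for this segment
        candidate = next((b for b in sorted(free) if b.prefixlen <= prefix), None)
        if candidate is None:
            raise ValueError(f"no free block left for {name} ({hosts} hosts)")
        free.remove(candidate)
        if candidate.prefixlen == prefix:
            chosen = candidate
        else:
            # step 4: re-subnet the free block; keep the first piece, return the rest
            chosen = next(candidate.subnets(new_prefix=prefix))
            free.extend(candidate.address_exclude(chosen))
        plan[name] = chosen                                     # steps 3 and 5: record it
    return plan, sorted(free)


def utilisation(plan: dict, block: str) -> float:
    """Share of the block's addresses actually assigned to segments."""
    used = sum(n.num_addresses for n in plan.values())
    return used / ipa(block).num_addresses


def ipa(block: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(block)


# Constructed from the slide's topology: device counts per segment.
SLIDE_SEGMENTS = {
    "Lagos": 62, "New York": 30, "Abuja": 30, "Free Town": 14,
    "WAN link 1": 2, "WAN link 2": 2, "WAN link 3": 2,
}

if __name__ == "__main__":
    plan, free = vlsm_allocate("192.168.2.0/24", SLIDE_SEGMENTS)
    for name, net in plan.items():
        print(f"{name:12} {str(net):18} mask {net.netmask}  block size {net.num_addresses}")
    print("reserved:", ", ".join(map(str, free)))
    print(f"utilisation: {utilisation(plan, '192.168.2.0/24'):.1%}")
```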
SUMMARIZATION
• The act of aggregating the addresses of several networks into one address
• The ability to advertise a bunch of contiguous network numbers in the routing table as a single summarized route
• Summarization must begin on a power-of-2 boundary based on the subnet mask value
• Summarization reduces routing table size and the bandwidth required for routing updates, and contains network problems
• Proper summarization requires a hierarchical addressing design in your network
HIERARCHICAL ADDRESSING
SUMMARIZATION RULES
• Summarize only the addresses that are connected to or directly behind your router
• The first address is the parent address when arranged in ascending order
• Summarization requires that the routing entries have the same highest-order matching bits
SUMMARIZATION METHODS
METHOD 1: Find the highest-order matching bits
Example: What is the best summary to R2?
METHOD 1 SOLUTION
STEP 1: Re-arrange the addresses in ascending order
  172.1.4.0/25
  172.1.4.128/25
  172.1.5.0/24
  172.1.6.0/24
  172.1.7.0/24
STEP 2: Pick the parent address
  172.1.4.0
STEP 3: Convert all the addresses to binary in ascending order
  10101100.00000001.00000100.00000000
  10101100.00000001.00000100.10000000
  10101100.00000001.00000101.00000000
  10101100.00000001.00000110.00000000
  10101100.00000001.00000111.00000000
STEP 4: Locate the highest-order matching bits (the first 22 bits, 10101100.00000001.000001, are identical in all five addresses)
  10101100.00000001.000001|00.00000000
  10101100.00000001.000001|00.10000000
  10101100.00000001.000001|01.00000000
  10101100.00000001.000001|10.00000000
  10101100.00000001.000001|11.00000000
STEP 5: Make the number of matching bits the number of networking bits for the parent address
  172.1.4.0/22 SUMMARY ADDRESS
SUMMARIZATION METHODS
METHOD 2: Add the total host addresses that can be provided by the summarized networks and find an equivalent block size for it
SAMPLE: USING THE SAME QUESTION AS METHOD 1
STEP 1: Re-arrange the addresses in ascending order
  172.1.4.0/25
  172.1.4.128/25
  172.1.5.0/24
  172.1.6.0/24
  172.1.7.0/24
STEP 2: Pick the parent address
  172.1.4.0
STEP 3: Find the total host addresses each address can provide
  172.1.4.0/25 can provide 128 addresses: 32 - 25 = 7, 2^7 = 128, OR 256 - 128 = 128 (/25 = 255.255.255.128)
  172.1.4.0/25      128
  172.1.4.128/25    128
  172.1.5.0/24      256
  172.1.6.0/24      256
  172.1.7.0/24      256
  Total host addresses: 1024
STEP 4: Find an equivalent number of networking bits for the total host addresses
REMEMBER:
  2^0  = 1
  2^1  = 2      (1 + 1)
  2^2  = 4      (2 + 2)
  2^3  = 8      (4 + 4)
  2^4  = 16     (8 + 8)
  2^5  = 32     (16 + 16)
  2^6  = 64     (32 + 32)
  2^7  = 128    (64 + 64)
  2^8  = 256    (128 + 128)
  2^9  = 512    (256 + 256)
  2^10 = 1024   (512 + 512)
  2^10 = 1024; 32 - 10 = 22; the equivalent number of networking bits = 22
STEP 5: Make /22 the networking bits for the parent address
  172.1.4.0/22 SUMMARY
SUMMARIZATION Q2
The networks connected to router R2 have been summarized as 192.168.176.0/21 to R1. What is the range of the addresses?
SOLUTION TO Q2
• Summary: 192.168.176.0/21
• Binary equivalent of the subnet mask: 11111111.11111111.11111000.00000000 = 255.255.248.0
• Block size = 256 - 248 = 8
• OR: the first three network numbers starting from the summarized address are:
  192.168.176.0 ... 192.168.183.0
  192.168.184.0 ... 192.168.191.0
  192.168.192.0
• The range = 192.168.176.0 - 192.168.183.0
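Both summarization methods and the Q2 expansion in Python. Method 1 (common high-order bits) always yields a summary that covers every input, but it will also cover holes; method 2 (total the addresses) is written to insist on what the worked example takes for granted: a power-of-two total, contiguous blocks, and a parent on the power-of-2 boundary. Added example, not from the slides; R2_NETWORKS is the slide's list deliberately left unsorted, and the function names are mine.

```python
import ipaddress


def common_prefix_length(a: int, b: int) -> int:
    """Number of highest-order bits shared by two 32-bit values (method 1, step 4)."""
    n = 0
    while n < 32 and (a >> (31 - n)) & 1 == (b >> (31 - n)) & 1:
        n += 1
    return n


def summarize_method1(networks):
    """Method 1: common high-order bits of the parent address and the top
    address of the highest network (whole block, not just its number)."""
    nets = sorted(ipaddress.IPv4Network(n) for n in networks)          # step 1
    parent = nets[0].network_address                                   # step 2
    top = max(n.broadcast_address for n in nets)
    bits = common_prefix_length(int(parent), int(top))                 # steps 3-4
    return ipaddress.IPv4Network((int(parent), bits), strict=False)    # step 5


def summarize_method2(networks):
    """Method 2: total the addresses and turn the power of two into a prefix.
    Raises ValueError when no single exact summary exists."""
    nets = sorted(ipaddress.IPv4Network(n) for n in networks)          # steps 1-2
    total = sum(n.num_addresses for n in nets)                         # step 3
    if total & (total - 1):
        raise ValueError(f"{total} addresses is not a power of two")
    for prev, cur in zip(nets, nets[1:]):                              # blocks must be contiguous
        if int(cur.network_address) != int(prev.broadcast_address) + 1:
            raise ValueError(f"gap or overlap between {prev} and {cur}")
    bits = 32 - (total.bit_length() - 1)                               # step 4: 1024 = 2^10 -> /22
    parent = nets[0].network_address
    summary = ipaddress.IPv4Network((int(parent), bits), strict=False) # step 5
    if summary.network_address != parent:                              # power-of-2 boundary rule
        raise ValueError(f"{parent} is not on a /{bits} boundary")
    return summary


def is_exact_summary(networks) -> bool:
    """True when one summary route covers exactly these networks and nothing else."""
    try:
        summarize_method2(networks)
        return True
    except ValueError:
        return False


def component_networks(summary: str, new_prefix: int = 24):
    """Q2: the classful network numbers a summary stands for."""
    return [str(n) for n in ipaddress.IPv4Network(summary).subnets(new_prefix=new_prefix)]


# Networks behind R2 in the slide example, deliberately out of order.
R2_NETWORKS = ["172.1.5.0/24", "172.1.4.0/25", "172.1.7.0/24", "172.1.4.128/25", "172.1.6.0/24"]

if __name__ == "__main__":
    print("method 1:", summarize_method1(R2_NETWORKS))
    print("method 2:", summarize_method2(R2_NETWORKS))
    gap = ["172.1.4.0/24", "172.1.6.0/24"]
    print("with a hole, method 1 still covers:", summarize_method1(gap), "exact:", is_exact_summary(gap))
    print("192.168.176.0/21 =", ", ".join(component_networks("192.168.176.0/21")))
```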
CABLING AND CONNECTIONS
• Cabling is an IEEE 802.3 standard
• Ethernet cable comes in two standards:
  Flat solid cable: used when there is a need for a long cable run; it is not flexible, its position is always fixed
  Braided: useful where a short cable run is needed; flexible
• IEEE 802.3 specifies a series of standards for telecommunication technology over Ethernet LAN
• 802.3 uses UTP cable
• Categories of UTP cables are:
  Cat-3: 10 Mbps
  Cat-5: 10/100 Mbps
  Cat-5e: 10/100/1000 Mbps
  Cat-6: 10/100/1000 Mbps
• There are a total of eight wires inside the cable, twisted into four pairs
• Each pair has a primary solid-colored wire and another that is primarily white with a colored stripe running through its centre
CATEGORIES OF DEVICES
• Category A: Computer, Router
• Category B: Switch, Hub, Bridge
NOTE: Devices in the same category are said to be SIMILAR; devices in different categories are said to be DISSIMILAR
TYPES OF CABLING
CROSS-OVER
• Used to connect similar devices: Switch-Switch, PC-PC, Router-Router, Router-PC
STRAIGHT-THROUGH
• Used to connect dissimilar devices: Switch-Router, PC-Switch
ROLL OVER
• Used for device configuration
CABLING CONFIGURATION
COLOR CODE: CROSS-OVER
PIN   568A           568B
1     WHITE-ORANGE   WHITE-GREEN
2     ORANGE         GREEN
3     WHITE-GREEN    WHITE-ORANGE
4     BLUE           BLUE
5     WHITE-BLUE     WHITE-BLUE
6     GREEN          ORANGE
7     WHITE-BROWN    WHITE-BROWN
8     BROWN          BROWN
COLOR CODE: STRAIGHT-THROUGH
PIN   568A           568A
1     WHITE-ORANGE   WHITE-ORANGE
2     ORANGE         ORANGE
3     WHITE-GREEN    WHITE-GREEN
4     BLUE           BLUE
5     WHITE-BLUE     WHITE-BLUE
6     GREEN          GREEN
7     WHITE-BROWN    WHITE-BROWN
8     BROWN          BROWN
CABLING CONSIDERATION: FACTORS TO CONSIDER
• INSTALLATION LOGISTICS: distance, physical security
• SHIELDING: how much noise (EMI) is present in the area
• CROSSTALK: signal mixing caused by unshielded cable
• TRANSMISSION SPEED
CABLE CONNECTORS
RJ-11
• The acronym for Registered Jack 11
• A 4- or 6-wire connector primarily used to connect telephone equipment
• Some types of LAN use RJ-11 connectors
RJ-45
• 8-wire connector used to connect computers to a LAN, particularly Ethernet
AUI
• Attachment Unit Interface
• Used to connect a transceiver (MAU) to the network interface card on the computer
• Often used by thicknet
BNC
• British Naval Connector
• Used for both 10Base2 & 10Base5 Ethernet
ROUTER COMPONENTS
• PROCESSOR, ROM, RAM, FLASH, NVRAM
BOOT SEQUENCE
• ROM: POST, BOOTSTRAP
• Find the configuration register value
• Load the IOS from one of these: ROM MONITOR | RXBOOT | FLASH | TFTP IOS
• Locate the configuration file in NVRAM/TFTP
  • IF YES, MOVE TO CLI
  • IF NO, GO TO SETUP MODE
CHARACTERISTICS OF THE CONFIGURATION REGISTER
• Hexadecimal value
• Resides in NVRAM
• ROMMON MONITOR: CR 0x0001; used for low-level testing & troubleshooting in safe mode
• RXBOOT: CR 0x0002; allows the downloading of the IOS via TFTP if the device IOS image is corrupt
• FLASH: CR 0x0002 – 0xFFFF; stores the IOS image (default)
CISCO IOS BASIC FEATURES
• Command abbreviation & completion
• Context-sensitive help
• Command output
• Command recall
CLI MODES
• User Exec: Router>
• Privileged Exec: Router#
• Global Configuration Mode: Router(config)#
CISCO IOS BASIC NAVIGATION COMMANDS
• EXIT, END, CTRL+Z, ENABLE, DISABLE, LOGOUT, CONFIGURE TERMINAL
CONNECTIVITY
• CONSOLE, AUXILIARY, VTY (VIRTUAL TELETYPE)
FILE TYPES
• RUNNING CONFIGURATION: running-config
• STARTUP CONFIGURATION: startup-config
BASIC ROUTER CONFIGURATION
Router>enable
Router#config t
Router(config)# hostname karrox
Karrox(config)# enable secret ccna
Karrox(config)# interface f0/0
Karrox(config-if)# ip address 192.168.2.1 255.255.255.0
Karrox(config-if)# no shut
Karrox(config-if)# description karrox lan
Karrox(config-if)# exit
Karrox(config)# line console 0
Karrox(config-line)# password ccna1
Karrox(config-line)# login
Karrox(config-line)# line vty 0 4
Karrox(config-line)# password ccna2
Karrox(config-line)# login
Karrox(config-line)# line aux 0
Karrox(config-line)# password ccna3
Karrox(config-line)# login
Karrox(config-line)# exit
Karrox(config)# banner motd # unauthorized access to this device is prohibited #
Karrox(config)# exit
Karrox# copy run start
BASIC ROUTER CONFIGURATION
Router>enable
Router#config t
Router(config)# hostname karrox
Karrox(config)# enable secret ccna
Karrox(config)# interface f0/0
Karrox(config-if)# ip address 192.168.4.1 255.255.255.0
Karrox(config-if)# no shut
Karrox(config-if)# description karrox lan
Karrox(config-if)# interface S0/0/1
Karrox(config-if)# ip address 192.168.2.1 255.255.255.0
Karrox(config-if)# no shut
Karrox(config-if)# clock rate 64000
Karrox(config-if)# exit
Karrox(config)# line console 0
Karrox(config-line)# password ccna1
Karrox(config-line)# login
Karrox(config-line)# line vty 0 4
Karrox(config-line)# password ccna2
Karrox(config-line)# login
Karrox(config-line)# line aux 0
Karrox(config-line)# password ccna3
Karrox(config-line)# login
Karrox(config-line)# exit
Karrox(config)# banner motd # unauthorized access to this device is prohibited #
Karrox(config)# exit
Karrox# copy run start
ROUTING BASIC
PURPOSE
• To get datagrams from one end of the network to the other
ROUTING TABLE POPULATION
• Connected route
• Static route: manually configured on the router
• Dynamic route: learned by running routing protocols
STATIC ROUTE CONFIGURATION
(config)# ip route destination_network subnet_mask {ip_address_of_the_next_hop_neighbor | interface_to_exit}
DEFAULT ROUTE
• A special type of static route
• Specifies the path a router should use if it doesn't know how to reach the destination
• Configuration:
(config)# ip route 0.0.0.0 0.0.0.0 {ip_address_of_the_next_hop_neighbor | interface_to_exit}
Router(config)# ip route 192.168.3.0 255.255.255.0 s0/0/1
OR
Router(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2

Router(config)# ip route 0.0.0.0 0.0.0.0 s0/0/1
OR
Router(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2
DYNAMIC ROUTING PROTOCOLS
• Use routing protocols to learn neighbors
• Routers share routing messages & information with other routers running the same routing protocols
• Examples of routing protocols are:
  Routing Information Protocol (RIP)
  Enhanced Interior Gateway Routing Protocol (EIGRP)
  Open Shortest Path First (OSPF)
  Border Gateway Protocol (BGP)
  Intermediate System to Intermediate System (IS-IS)
  Interior Gateway Routing Protocol (IGRP)
DYNAMIC VS STATIC
DYNAMIC
• Configuration is independent of the network size
• Requires the administrator's advanced knowledge
• Automatically adapts to network change
• Suitable for simple and complex topologies
• Less secure
• Resource intensive
• Routes depend on the current topology
STATIC
• Configuration increases with network size
• Administrator's extra knowledge is not required
• Administrator's intervention needed when there is a topology change
• Not scalable
• More secure
• Not resource intensive
• Routes to destination always the same
ROUTING TERMINOLOGIES
METRIC
• The quantitative value assigned to a path by the routing protocol algorithm
COMMON ROUTING PROTOCOL METRICS
• BANDWIDTH: The capacity of the links in Kbps (EIGRP & IGRP)
• COST: Measured as the inverse of the bandwidth of the links (OSPF)
• DELAY: Time it takes to reach the destination (EIGRP & IGRP)
• HOP COUNT: The number of routers away from the destination (RIP)
• LOAD: The path with the least utilization (EIGRP & IGRP)
• RELIABILITY: The path with the least amount of error or down time (EIGRP & IGRP)
• MTU (Maximum Transmission Unit): The path that supports the largest frame size (EIGRP & IGRP)
ROUTING TERMINOLOGIES: ADMINISTRATIVE DISTANCE
• The measure of trustworthiness
• Ranks & assigns values to each routing protocol
ADMINISTRATIVE DISTANCE VALUES
  0        CONNECTED INTERFACE
  0 OR 1   STATIC ROUTE
  90       EIGRP ROUTE (INTERNAL)
  100      IGRP ROUTE
  110      OSPF
  120      RIP
  170      EIGRP (EXTERNAL – from another AS)
  255      UNKNOWN ROUTE
ROUTING TERMINOLOGIES
AUTONOMOUS SYSTEM
• A group of networks under a single administrative control
CONVERGENCE
• The state of consistency in the network
• Convergence time is the time it takes routers to share information, calculate the best paths & update their routing tables
LOAD BALANCING
• Using multiple paths to a destination when forwarding packets
• Increases the utilization of network segments
• Makes effective use of network bandwidth
• The two types of LB are: equal-cost LB, unequal-cost LB
CLASSES OF ROUTING PROTOCOL
• CLASSFUL: RIP & IGRP
• CLASSLESS: OSPF, EIGRP, IS-IS, RIPv2
CLASSFUL ROUTING PROTOCOL
• Does not support route summarization and VLSM
• Automatically summarizes to the default subnet mask
• Does not support subnetted network numbers unless the "(config)# ip classless" command is issued (default)
CLASSLESS ROUTING PROTOCOL
• Supports VLSM, route summarization and subnetted network numbers
• Automatically summarizes, but this can be stopped with the "(config-router)# no auto-summary" command
CATEGORIES OF ROUTING PROTOCOLS
• DISTANCE VECTOR: RIP/IGRP
• HYBRID: RIPv2/EIGRP/BGP
• LINK-STATE: IS-IS/OSPF
TYPES OF ROUTING PROTOCOLS
INTERIOR GATEWAY PROTOCOL (IGP)
• Handles routing within the same autonomous system
• Examples are: RIP, IGRP, EIGRP, OSPF & IS-IS
EXTERIOR GATEWAY PROTOCOL (EGP)
• Handles routing between different ASes
• Example is BGP (Border Gateway Protocol), used to route traffic across the Internet backbone between different ISPs
DISTANCE VECTOR PROTOCOLS
• The simplest
• Use distance and direction (vector) to find the path to the destination
• Use the Bellman-Ford algorithm
• Route by rumor
• Periodically use local broadcast [255.255.255.255] to share routing information
• Slow convergence
DISTANCE VECTOR'S UPDATE PROCESSING
A distance vector routing protocol performs these steps when it receives updates:
1. Increments the metrics of the incoming routes in the advertisement by 1
2. Compares the routing updates with the ones in its routing table
3. If better, places it in the routing table and removes the old one
4. If worse, ignores it
5. If the same as the one in the routing table, resets the timer for the entry in the routing table
6. If the neighbor's information is a different path to a known destination network, but with the same metric as the existing entry in the routing table, the router adds it alongside the old one [load balancing]; 4 equal-cost paths are load balanced by default (maximum of 6)
NOTE: These six steps are referred to as the BELLMAN-FORD ALGORITHM
PROBLEMS WITH DISTANCE VECTOR PROTOCOLS
• Slow convergence
RESULT OF SLOW CONVERGENCE
• Routing loops: confusion in a network related to the deficiencies of using periodic timers
SOLUTION TO ROUTING LOOP
COUNTING TO INFINITY
• The packet TTL field is decremented by one until it gets to zero, where the packet will be dropped by the router
SPLIT HORIZON
• States that if a neighboring router sends a route to a router, the receiving router will not propagate the same route back to the advertising router on the same interface
TRIGGERED TIMER
ROUTE POISONING
• A router poisons its route by assigning a hop count of 16 (15 is the maximum) to that route when it detects that the route has failed, making it an unreachable network
POISON REVERSE
• When such a route is advertised, the receiving router breaks the rule of split horizon by advertising it back to the originating router
HOLD-DOWN TIMER
• The poison is frozen in the routing table for the period of the hold-down timer (3 x routing update interval)
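The six update steps and the loop-prevention rules (split horizon, route poisoning with 16, poison reverse, hold-down) as one small routing table in Python, driven by constructed updates from two neighbours. This is an added example, not from the slides; the class and its method names are mine, the "accept a worse metric from the neighbour we already use" rule is the RIP behaviour that makes a poisoned route land in the table, and flushing the route when the hold-down expires is an assumption the slide does not spell out. Note that every rule here believes whatever a neighbour advertises (route by rumor); that is why RIPv1's lack of authentication matters and RIPv2's authentication support is the control.

```python
INFINITY = 16                     # 15 hops is the maximum; 16 marks a route unreachable (poisoning)
MAX_PATHS = 4                     # equal-cost paths kept by default (the slide gives a maximum of 6)
UPDATE_INTERVAL = 30              # seconds between periodic RIP updates
HOLD_DOWN = 3 * UPDATE_INTERVAL   # hold-down period as stated on the slide


class DistanceVectorTable:
    """Routing table applying the slide's update steps and loop-prevention rules.
    Each route keeps its metric, its equal-cost paths as (neighbor, interface)
    pairs, an age timer and a hold-down timer."""

    def __init__(self, connected):
        # connected: {network: interface}; metric 0, no next-hop neighbour
        self.routes = {net: {"metric": 0, "paths": [(None, iface)], "age": 0, "hold": 0}
                       for net, iface in connected.items()}

    def process_update(self, neighbor, interface, advertised):
        """Apply one received update ({network: metric}); return {network: action}."""
        actions = {}
        for net, adv in advertised.items():
            metric = min(adv + 1, INFINITY)                   # step 1: increment by one hop
            path = (neighbor, interface)
            cur = self.routes.get(net)
            if cur is None:                                   # unknown network
                if metric < INFINITY:
                    self.routes[net] = {"metric": metric, "paths": [path], "age": 0, "hold": 0}
                    actions[net] = "added"
                else:
                    actions[net] = "ignored"
                continue
            if cur["hold"] > 0:                               # hold-down: the poison is frozen
                actions[net] = "held-down"
                continue
            if metric < cur["metric"]:                        # step 3: better -> replace
                self.routes[net] = {"metric": metric, "paths": [path], "age": 0, "hold": 0}
                actions[net] = "replaced"
            elif metric > cur["metric"]:
                if path in cur["paths"]:                      # worse, but from a next hop we use
                    cur["metric"], cur["paths"] = metric, [path]
                    if metric >= INFINITY:                    # route poisoning accepted
                        cur["hold"] = HOLD_DOWN
                        actions[net] = "poisoned"
                    else:
                        actions[net] = "worsened"
                else:
                    actions[net] = "ignored"                 # step 4: worse -> ignore
            elif path in cur["paths"]:
                cur["age"] = 0                                # step 5: same -> reset timer
                actions[net] = "refreshed"
            elif len(cur["paths"]) < MAX_PATHS:
                cur["paths"].append(path)                     # step 6: equal cost -> load balance
                actions[net] = "load-balanced"
            else:
                actions[net] = "ignored"
        return actions

    def advertisement(self, interface):
        """Update to send out of `interface`. Split horizon drops routes learned on
        that interface; a poisoned route is sent back anyway with metric 16
        (poison reverse). Connected networks go out with metric 1."""
        adv = {}
        for net, r in self.routes.items():
            learned_here = any(iface == interface for _, iface in r["paths"])
            if learned_here and r["metric"] < INFINITY:
                continue                                      # split horizon
            adv[net] = r["metric"] if r["metric"] else 1
        return adv

    def tick(self, seconds):
        """Advance timers; a poisoned route is flushed when its hold-down expires
        (assumed behaviour) so a fresh path can then be learned."""
        for net in list(self.routes):
            r = self.routes[net]
            r["age"] += seconds
            if r["hold"] > 0:
                r["hold"] = max(0, r["hold"] - seconds)
                if r["hold"] == 0:
                    del self.routes[net]

    def metric(self, net):
        return self.routes[net]["metric"] if net in self.routes else None


if __name__ == "__main__":
    # Constructed scenario: R1 is connected to 10.0.0.0/24 (e0) and 10.0.1.0/24 (e1).
    t = DistanceVectorTable({"10.0.0.0/24": "e0", "10.0.1.0/24": "e1"})
    print(t.process_update("R2", "e1", {"10.0.2.0/24": 1, "10.0.3.0/24": 2}))
    print("out e1 (split horizon):", t.advertisement("e1"))
    print(t.process_update("R2", "e1", {"10.0.2.0/24": 16}), "-> out e1:", t.advertisement("e1"))
```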
LINK-STATE PROTOCOLS
• Use the Shortest Path First (SPF) algorithm invented by Dijkstra
• Learn the complete topology of the network
• Use multicast for Link State Advertisements (LSA): 224.0.0.5 & 224.0.0.6
• An LSA is a piece of routing information that contains who originated the advertisement & what the network number is
• Send incremental updates: an LSA is generated only when there are changes in the network
• Use a hierarchical structure that helps limit the distance that an LSA travels
• Support classless routing
HYBRID ROUTING PROTOCOLS
• Take advantage of both link-state and distance-vector routing protocols
• Examples are: RIPv2, EIGRP, BGP
CHARACTERISTICS OF RIPv1 & RIPv2
RIPv1
  Route updates every 30 seconds
  Classful
  Broadcast updates using 255.255.255.255
  No authentication support
RIPv2
  Classless
  Multicast updates using 224.0.0.9
  Supports manual route summarization
  Supports authentication
SIMILARITIES BETWEEN RIPv1 AND RIPv2
  Use hop count as metric
  Have a maximum hop count of 15
  Use split horizon
  Use triggered updates when there are topology changes
CONFIGURATION OF RIPv1 & v2
(config)# router rip                     Starts the RIP routing process (version 1 by default)
(config-router)# version 2               Defines RIPv2 on the router
(config-router)# network network-no      Selects participating attached networks
EXAMPLE
(config)# router rip
(config-router)# network 192.168.2.0
(config-router)# network 193.169.2.0
RIPv2 ADDITIONAL CONFIGURATION
(config-if)# ip rip send version 1 | 2 | 1 2         Specifies the RIP version that will be sent on an interface
(config-if)# ip rip receive version 1 | 2 | 1 2      Specifies the RIP version that will be received on an interface
  By default, v1 is sent while 1 and 2 can be received
(config-if)# ip summary-address rip network mask     Enables manual summarization
(config-router)# no auto-summary                     Disables auto summarization
VERIFICATION
show ip protocols            Displays all of the IP routing protocols that you configured & that are running on the router
show ip route                Displays the routing table
show ip interface brief      Lists a summary of interface IP information & status
debug ip rip                 Displays RIP routing updates as they are sent & received
no debug all                 Turns off debugging
RIP CONFIGURATION
B(config)# router rip
B(config-router)# network 193.169.2.0
B(config-router)# network 200.168.2.0
B(config-router)# exit
B(config)# interface f3
B(config-if)# ip rip send version 2
B(config-if)# ip rip receive version 2

RIP CONFIGURATION
R3(config)# router rip
R3(config-router)# version 2
R3(config-router)# network 172.16.0.0
R3(config-router)# network 200.168.2.0
R3(config-router)# no auto-summary
EIGRP FEATURES
Advanced distance vector
Fast convergence
Supports VLSM: classless routing
Sends partial updates
Multicast & unicast, but no broadcast
Supports manual summarization
100% loop free
Easy configuration for LAN & WAN
Load balances across equal & unequal cost paths
Multicast hello packets between neighbors using 224.0.0.10
EIGRP KEY TECHNOLOGIES
Neighbor discovery/recovery process using 224.0.0.10
Reliable Transport Protocol (RTP): responsible for guaranteed, ordered delivery of EIGRP packets to all neighbors
Protocol Dependent Modules (PDM): EIGRP supports Novell NetWare, AppleTalk & IP; each protocol has its own EIGRP module and operates independently of any of the others that may be running
DUAL finite-state algorithm: selects lowest-cost, loop-free paths to each destination
DUAL TERMINOLOGY
Advertised Distance: the cost between the next-hop router & the destination
Feasible Distance: the cost from the local router to the destination
Successor: the next-hop router with the lowest-cost, loop-free path to the destination
Feasible Successor: a backup next-hop router with a loop-free path to the destination (its advertised distance is lower than the feasible distance)
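The DUAL terms above applied to one destination's topology-table entry, as an added example (not from the slides). It assumes the feasibility condition DUAL actually uses: a neighbor qualifies as a feasible successor only when its advertised distance is strictly less than the feasible distance, which is what guarantees the backup path cannot loop back through this router. The neighbors and costs are constructed.

```python
"""DUAL successor / feasible successor selection (added example, not from the slides)."""

# Constructed topology-table entries for one destination:
# neighbor -> (advertised distance, cost of the link to that neighbor)
SAMPLE_TOPOLOGY = {
    "R2": (2000, 1000),   # total 3000: the successor
    "R3": (2500, 1000),   # total 3500, AD 2500 < FD 3000: feasible successor
    "R4": (3500, 500),    # total 4000, AD 3500 >= FD 3000: not feasible (may loop)
}


def dual_select(topology):
    """Return (feasible distance, successor, sorted feasible successors)."""
    totals = {n: ad + link for n, (ad, link) in topology.items()}
    feasible_distance = min(totals.values())
    # lowest total cost wins; ties broken by neighbor name for a deterministic result
    successor = min(totals, key=lambda n: (totals[n], n))
    feasible_successors = sorted(
        n for n, (ad, _) in topology.items()
        if n != successor and ad < feasible_distance      # the feasibility condition
    )
    return feasible_distance, successor, feasible_successors


def after_successor_loss(topology, lost_neighbor):
    """Next hop after `lost_neighbor` disappears.

    A feasible successor is promoted immediately with no query; if there is
    none the route must go active (DUAL queries neighbors), returned as None.
    """
    _, successor, feasible_successors = dual_select(topology)
    if lost_neighbor != successor:
        return successor                      # nothing to do: a backup was lost
    if feasible_successors:
        remaining = {n: topology[n] for n in feasible_successors}
        return dual_select(remaining)[1]      # best remaining feasible successor
    return None
```

R4 has the third-best total cost but is not a feasible successor: its advertised distance (3500) is not below the feasible distance (3000), so DUAL cannot prove its path avoids this router. Losing R2 therefore falls to R3 without a query; with only R2 and R4 present the route would go active.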
EIGRP TABLE TYPES
Neighbor Table: list of directly connected routers running EIGRP with which the local router has an adjacency
Topology Table: list of all routes learned from each EIGRP neighbor
Routing Table: list of all best routes
EIGRP PACKET TYPES
HELLO: establishes neighbor relationships
UPDATE: sends routing updates
QUERY: asks neighbors about routing information
REPLY: responds to a query about routing information
ACKNOWLEDGEMENT: acknowledges a reliable packet
EIGRP METRIC
BANDWIDTH [DEFAULT]
DELAY [DEFAULT]
RELIABILITY
LOAD
MTU
EIGRP CONFIGURATION
(config)# router eigrp autonomous-system-no
(config-router)# network network-number [wildcard-mask]
NOTE:
* All routers in the internetwork that exchange EIGRP routing updates must have the same AS
* The wildcard mask is an inverse mask used to determine how to interpret the network address
EIGRP CONFIGURATION EXAMPLE
EIGRP CONFIGURATION FOR ROUTER 1
(config)# router eigrp 300
(config-router)# network 192.168.4.0
(config-router)# network 192.168.5.0
(config-router)# network 192.168.6.0
(config-router)# exit
(config)# exit
# copy run start
VERIFICATION COMMANDS
show ip route
show ip eigrp neighbors
show ip eigrp topology
show ip protocols
show ip eigrp traffic
show ip eigrp interfaces
OSPF
Open Shortest Path First
Link-state routing protocol
Uses the Dijkstra algorithm
100% loop free
Multicast updates
Uses a hierarchical network design
Classless routing protocol
Successful in large networks
LINK-STATE DATA STRUCTURES
NEIGHBOR TABLE [Adjacency Database]: contains the list of recognized neighbors
TOPOLOGY TABLE [Link-State Database]: contains all routers & their attached links in the area or network; the LSDB is identical on all routers within an area
ROUTING TABLE [Forwarding Database]: contains the list of best paths to destinations
LINK-STATE DATA STRUCTURE: NETWORK HIERARCHY
Two-level hierarchy
  Transit area (backbone or area 0)
  Regular areas (non-backbone areas)
AREA CHARACTERISTICS
Minimizes routing table entries
Localizes the impact of a topology change within an area
Detailed LSA flooding stops at the area boundary
Requires a hierarchical network design
AREA TERMINOLOGY
BACKBONE ROUTERS: routers in area 0
AREA BORDER ROUTER (ABR): routers that attach other areas to area 0
OSPF ADJACENCIES
Routers discover neighbors by exchanging hello packets
Parameters that must match in the hello packet before a neighborship forms include:
  Hello & dead interval timers
  Area ID
  Authentication password
  Stub area flag
OSPF PACKET TYPES
HELLO PACKET: used to discover neighbors and build adjacencies between them; sent to 224.0.0.5
DATABASE DESCRIPTION [DBD]: checks for database synchronization between routers
LINK-STATE REQUEST [LSR]: requests specific link-state records from router to router
LINK-STATE UPDATE [LSU]: sends specifically requested link-state records
LINK-STATE ACKNOWLEDGEMENT [LSAck]: sent by a router to confirm receipt of the other packets
OSPF NETWORK TYPES
POINT-TO-POINT
  A single pair of routers, usually on a WAN link
  Routers automatically discover each other to form a full adjacency
BROADCAST
  Routers connected in a broadcast environment like Ethernet
  Neighbors form full adjacencies with the Designated Router (DR) and the Backup Designated Router (BDR)
  The DR is the router with the highest priority value or IP address on its physical interface
  The BDR is the router with the second highest priority value or IP address
  Routers maintain the two-way state with the other routers (DROTHERs)
  Updates are passed only between adjacent routers
  Link-State Databases (LSDBs) are synchronized by adjacent routers by exchanging LSAs
  LSAs are flooded reliably throughout the area
OSPF NETWORK TYPES: DR & BDR ELECTION PROCESS IN A BROADCAST NETWORK
The OSPF router with the highest priority value becomes the DR for the segment; priority values range from 0 to 255 (default is 1)
If priority values tie, the router with the highest router ID (highest IP address) becomes the DR
If an address is configured on a loopback interface, it will be used as the router ID instead of a physical interface address
Use (config-router)# router-id ip-address to set the router ID manually
OSPF routers talk to the DR/BDR using 224.0.0.6 while the DR/BDR talks to the other routers (DROTHERs) using 224.0.0.5
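The router-ID selection and the DR/BDR election described above, as an added example (not from the slides). It models the election among routers that start together (standard OSPF does not pre-empt an existing DR when a better router appears later; that is left out) and assumes the standard rule that a router with priority 0 is never elected. The segment, priorities and addresses are constructed.

```python
"""OSPF router-ID selection and DR/BDR election (added example, not from the slides)."""
import ipaddress


def router_id(manual=None, loopbacks=(), physical=()):
    """Manual router-id wins, then the highest loopback, then the highest physical address."""
    if manual:
        return manual
    pool = list(loopbacks) or list(physical)
    if not pool:
        raise ValueError("no address available to derive a router ID")
    return str(max(ipaddress.IPv4Address(a) for a in pool))


def elect_dr_bdr(routers):
    """routers: list of {'name', 'priority', 'router_id'}. Returns (DR name, BDR name)."""
    eligible = [r for r in routers if r["priority"] > 0]        # priority 0: never DR/BDR
    ranked = sorted(
        eligible,
        # highest priority first; ties broken by the highest router ID
        key=lambda r: (r["priority"], ipaddress.IPv4Address(r["router_id"])),
        reverse=True,
    )
    dr = ranked[0]["name"] if ranked else None
    bdr = ranked[1]["name"] if len(ranked) > 1 else None
    return dr, bdr


# Constructed segment: R1 has a loopback that is numerically lower than its
# physical address but still becomes the router ID; R3 is ineligible.
SAMPLE_SEGMENT = [
    {"name": "R1", "priority": 1,
     "router_id": router_id(loopbacks=["10.0.0.1"], physical=["192.168.4.1"])},
    {"name": "R2", "priority": 1,
     "router_id": router_id(physical=["192.168.4.2"])},
    {"name": "R3", "priority": 0,
     "router_id": router_id(manual="1.1.1.1", loopbacks=["10.0.0.3"])},
    {"name": "R4", "priority": 100,
     "router_id": router_id(physical=["192.168.4.4"])},
]
```

R4 wins on priority alone; the BDR comes from the priority-1 tie between R1 and R2, which the higher router ID (192.168.4.2, since R1's loopback made its ID 10.0.0.1) decides.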
OSPF NETWORK TYPES: NON-BROADCAST
Does not allow multicast/broadcast traffic
Usually WAN technologies like Frame Relay, ATM, X.25 etc.
OSPF CONFIGURATION
SINGLE AREA CONFIGURATION: all router interfaces in a single area
MULTIPLE AREA CONFIGURATION: router interfaces in more than one area
(config)# router ospf process-id
(config-router)# network ip-address wildcard-mask area area-id
SINGLE AREA CONFIGURATION
ROUTER A
(config)# router ospf 100
(config-router)# network 192.168.4.0 0.0.0.255 area 0
(config-router)# network 192.168.2.1 0.0.0.0 area 0
MULTIPLE AREA CONFIGURATION
ROUTER A
(config)# router ospf 100
(config-router)# network 192.168.4.0 0.0.0.255 area 1
(config-router)# network 192.168.2.1 0.0.0.0 area 0
OSPF VERIFICATION
show ip ospf
show ip protocols
show ip route
show ip ospf interface [type number]
show ip ospf neighbor
show ip ospf adjacency
BRIDGES AND SWITCHES
Both are layer 2 devices
They are used to solve bandwidth or collision problems

FUNCTION            BRIDGE             SWITCH
Form of switching   Software           Hardware (ASIC)
Switching method    Store & forward    Store & forward, cut-through & fragment-free
Duplexing           Half               Half & full
Collision domains   1 per port         1 per port
Broadcast domains   1                  1 per VLAN (default = 1)
STP instances       1                  1 per VLAN
METHODS OF SWITCHING
STORE & FORWARD
  1. Pull the entire frame into the buffer memory of the port
  2. Check the CRC (Cyclic Redundancy Check)
  3. Then process the frame
CUT-THROUGH
  Check the destination address and immediately begin forwarding
FRAGMENT-FREE
  Check up to the first 64 bytes of the frame before forwarding
FUNCTIONS OF A SWITCH & BRIDGE
LEARNING: learns the MAC addresses of the devices attached to each of its ports
FORWARDING: intelligently switches frames to the port where the destination device is located
LOOP AVOIDANCE: uses STP to prevent frames from circling continually in the network (layer-2 loop)
LEARNING AND FORWARDING ILLUSTRATION
[Figure: switch MAC address table with columns ADDRESS and PORTS]
The switch MAC address table is empty at startup
Host A sends a frame to host B
The switch checks the MAC address table to verify whether it has the source MAC address in its table
The switch learns by adding it to its MAC address table
The switch checks its table again to verify whether it has the destination MAC address in its table
The switch floods the frame to all ports except the port through which it came in, because it doesn't have the MAC address of the destination device
Host B replies to the frame
The switch checks its MAC table again for the source MAC address
The switch learns the MAC address, since it doesn't have it in its table
The switch checks the destination address in its MAC table
The switch then forwards the frame to host A, since it has the MAC address in its MAC table
FLOODED FRAMES
The switch floods three types of frame:
  1. Unknown unicast
  2. Broadcast
  3. Multicast
REDUNDANT TOPOLOGY WITH SWITCHES
Topology with multiple paths
Eliminates a single point of failure
PROBLEMS OF A REDUNDANT TOPOLOGY
Broadcast storms
Multiple frame copies
MAC address table instability
REDUNDANT TOPOLOGY
SWITCH BASIC CONFIGURATION
Configuration is only needed on a switch for management purposes
Same configuration as the router, with a few exceptions:
(config)# line vty 0 15
(config-line)# password password
(config-line)# login
(config-line)# exit
(config)# interface vlan 1
(config-if)# ip address address mask
(config-if)# no shut
(config-if)# exit
(config)# ip default-gateway default-gateway
SWITCH CONFIGURATION
Switch# conf t
Switch(config)# hostname Bis
Bis(config)# enable secret ccna
Bis(config)# int vlan 1
Bis(config-if)# ip address 192.168.2.2 255.255.255.0
Bis(config-if)# no shut
Bis(config-if)# exit
Bis(config)# ip default-gateway 192.168.2.1
Bis(config)# line con 0
Bis(config-line)# password ccna
Bis(config-line)# login
Bis(config-line)# line vty 0 15
Bis(config-line)# password ccna
Bis(config-line)# login
Bis(config-line)# exit
Bis(config)# banner motd # keep off #
Bis(config)# exit
Bis# copy run start
SETTING DUPLEX & SPEED
Bis(config)# interface f0/1
Bis(config-if)# speed 10 | 100 | auto
Bis(config-if)# duplex auto | full | half
VERIFICATION
show run
show mac-address-table
show vlan
show flash
show version
show interface (brief)
clear mac-address-table
MAC-ADDRESS CONFIGURATION
Static
  Bis(config)# mac-address-table static xxxx.xxxx.xxxx vlan 1 interface type slot_#/port_#
Dynamic
  Automatic learning
EXAMPLE
  Bis(config)# mac-address-table static 0021.34ab.6501 vlan 1 interface f0/0
PORT SECURITY
(config)# int f0/1
(config-if)# switchport port-security
(config-if)# switchport port-security maximum 2
(config-if)# switchport port-security violation restrict | protect | shutdown
(config-if)# switchport port-security mac-address 0580.6452.3321
STICKY MAC-ADDRESS
(config-if)# switchport port-security mac-address sticky
VERIFICATION: show port-security
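What the port-security commands above make an access port do, as an added example (not from the slides): a maximum count of secure addresses, statically configured addresses, sticky learning, and the three violation modes (protect drops silently, restrict drops and counts, shutdown err-disables the port). The MAC addresses other than the slide's 0580.6452.3321 are constructed.

```python
"""Port-security enforcement on one access port (added example, not from the slides)."""


class SecurePort:
    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", static=(), sticky=False):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static_macs = set(static)   # switchport port-security mac-address <mac>
        self.learned_macs = set()        # dynamically learned; saved to config when sticky
        self.violations = 0
        self.err_disabled = False

    def secure_count(self):
        return len(self.static_macs) + len(self.learned_macs)

    def frame_from(self, src_mac):
        """Return 'forward', 'drop' or 'err-disabled' for a frame with this source MAC."""
        if self.err_disabled:
            return "err-disabled"            # port stays down until an admin recovers it
        if src_mac in self.static_macs or src_mac in self.learned_macs:
            return "forward"
        if self.secure_count() < self.maximum:
            self.learned_macs.add(src_mac)   # a free slot: learn the address
            return "forward"
        # an address beyond the maximum: apply the violation mode
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
            return "err-disabled"
        if self.violation == "restrict":
            self.violations += 1             # counted (and would be logged/trapped)
        return "drop"                        # protect and restrict both drop the frame

    def running_config(self):
        """Interface lines as they would appear in the saved configuration."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static_macs)]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned_macs)]
        return lines
```

The difference between the modes shows in what the first offending frame does: with restrict the port keeps serving the two secure addresses and only the counter moves; with shutdown even the legitimate address is cut off until the port is recovered.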
SPANNING TREE PROTOCOL
IEEE 802.1D
STP
A mechanism that prevents bridge loops in a redundant topology by reconfiguring the paths over which the switches forward frames
STP MECHANISM
Configuration messages (BPDUs) are sent out of every port among the switches
A single root bridge is elected to serve as the reference point from which a loop-free topology is built for all switches
A root port is determined by all the other (non-root) switches to provide the best path to the root bridge
A port between two non-root switches becomes a designated port
Any port state change on any switch is considered a topology change, and the STA must be run on all switches to adapt to the new topology
BPDU CONTENTS
Bridge Protocol Data Unit (BPDU) contents are:
PROTOCOL ID
VERSION
MESSAGE TYPE
FLAGS
ROOT ID: the lowest Bridge ID in the topology
BID: the Bridge ID of the transmitting switch, made up of the MAC address and the priority (0-61440, default 32768)
COST OF PATH: cost of all the links from the transmitting switch to the root bridge
PORT ID: transmitting switch port ID
STP TIMER VALUES: max age, hello time (2s), forward delay
PORT STATES
BLOCKING
  Does not participate in frame forwarding
  Receives BPDUs to determine the root bridge, the root port & its final active state
  Spends 20s here (max age)
LISTENING
  The port prepares to participate in frame forwarding according to the received BPDUs
  It is transmitting and receiving BPDUs
  Forward delay (15s)
LEARNING
  Populating the CAM (MAC) table
  Forward delay (15s)
FORWARDING
  Forwarding frames
  Sending and receiving BPDUs
DISABLED
  Doesn't participate in STP
  Doesn't forward any frames
PORT ROLES
ROOT PORT
  The port with the best path to the root bridge
  One per (non-root) bridge
DESIGNATED PORT
  The port that will receive and forward frames toward the root bridge
  Exists on both root & non-root bridges
  One designated port per segment
  An election occurs if multiple switches exist in a segment
  All the ports on a root bridge are designated ports
NON-DESIGNATED PORT
  Doesn't forward data frames (blocking)
  Doesn't populate the MAC address table
DISABLED
  The port is shut down
ROOT PORT ELECTION
  Lowest path cost
  Lowest sender BID
  Lowest sender port ID
STP COST

LINK SPEED    COST (revised IEEE specification)    COST (previous specification)
10 Gbps       2                                    1
1 Gbps        4                                    1
100 Mbps      19                                   10
10 Mbps       100                                  100
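Root bridge election, path cost and the three-step root port election from the slides above, worked through as an added example (not from the slides). It uses the revised IEEE cost column, assumes a switch adds the cost of the port a BPDU arrives on, and models the `root primary` priority of 24576 by simply changing one switch's priority. The three-switch topology, MACs and port numbers are constructed; SW3 has two parallel links to SW1 so that the sender-port-ID tie-breaker is exercised.

```python
"""STP root bridge and root port election (added example, not from the slides)."""
import heapq

COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}     # link speed in Mbps -> revised cost

# Constructed switches: bridge ID = (priority, MAC); the lowest wins.
SWITCHES = {
    "SW1": {"priority": 32768, "mac": "0000.0000.0001"},
    "SW2": {"priority": 32768, "mac": "0000.0000.0002"},
    "SW3": {"priority": 32768, "mac": "0000.0000.0003"},
}
# Constructed links: switch -> {local port: (neighbor, neighbor's port, link Mbps)}
LINKS = {
    "SW1": {1: ("SW2", 1, 1000), 2: ("SW3", 1, 100), 3: ("SW3", 3, 100)},
    "SW2": {1: ("SW1", 1, 1000), 2: ("SW3", 2, 100)},
    "SW3": {1: ("SW1", 2, 100), 2: ("SW2", 2, 100), 3: ("SW1", 3, 100)},
}


def bridge_id(switches, sw):
    return (switches[sw]["priority"], switches[sw]["mac"])


def elect_root(switches):
    """The switch with the lowest bridge ID (priority first, then MAC) is the root."""
    return min(switches, key=lambda sw: bridge_id(switches, sw))


def root_path_costs(root, links):
    """Lowest cost from the root to every switch (Dijkstra over receiving-port costs)."""
    costs = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, sw = heapq.heappop(heap)
        if cost > costs.get(sw, float("inf")):
            continue
        for _, (neighbor, _, mbps) in links[sw].items():
            new_cost = cost + COST[mbps]      # the neighbor adds its own port cost
            if new_cost < costs.get(neighbor, float("inf")):
                costs[neighbor] = new_cost
                heapq.heappush(heap, (new_cost, neighbor))
    return costs


def root_port(switches, links, sw):
    """Root port of `sw`: lowest path cost, then lowest sender BID, then lowest sender port ID.
    Returns None for the root bridge (all of its ports are designated)."""
    root = elect_root(switches)
    if sw == root:
        return None
    rpc = root_path_costs(root, links)
    candidates = [
        (rpc[neighbor] + COST[mbps], bridge_id(switches, neighbor), neighbor_port, port)
        for port, (neighbor, neighbor_port, mbps) in links[sw].items()
    ]
    return min(candidates)[3]      # tuple order implements the three tie-breakers
```

With equal priorities SW1's lowest MAC makes it root; SW3's two 100 Mbps links to SW1 tie on cost and on sender BID, so the lower sender port ID (SW1's port 2) picks SW3's port 1. Giving SW2 the `root primary` priority moves the root and every root port along with it.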
PORTFAST
A mechanism that causes an interface configured as a layer 2 access port to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states
Minimizes the time that an access port spends before STP converges
PORTFAST COMMAND
(config-if)# spanning-tree portfast
OR
(config)# spanning-tree portfast default
ELECTION MANIPULATION
(config)# spanning-tree vlan 1 root primary       Forces the switch to be the root (assigns a priority of 24576)
(config)# spanning-tree vlan 1 root secondary     Forces the switch to be the secondary root (priority = 28672)
RSTP
Rapid Spanning-Tree Protocol
RSTP PORT STATES
DISCARDING: replaces blocking, listening and disabled
LEARNING
FORWARDING
RSTP PORT ROLES
ROOT PORT
DESIGNATED PORT
ALTERNATE PORT: offers an alternative path towards the root bridge
BACKUP PORT: an additional switch port on the designated switch with a redundant link to the segment for which the switch is designated
RSTP EDGE PORT
Functions similarly to PortFast
Will never have a switch connected to it
Configured the same as PortFast, i.e. spanning-tree portfast
RSTP LINK TYPES
POINT-TO-POINT
  Operating in full duplex
  Assumed to be connected to a single switch device
  Makes convergence faster
SHARED
  Half duplex
  Connected to a shared medium
RSTP CONFIGURATION
(config)# spanning-tree mode rapid-pvst
VERIFICATION
show running-config interface slot/port
show spanning-tree [vlan vlan] [detail]
VIRTUAL LAN
A group of networking devices in the same broadcast domain
A logical broadcast domain that can span multiple physical LAN segments
A logical grouping of devices by function
Switches are used to create VLANs (separate broadcast domains)
Multiple segments on a single switch
TYPES OF VLAN
END-TO-END VLAN: a VLAN that spans an entire enterprise network
LOCAL VLAN: confined to a wiring closet
EXAMPLE OF VLAN TOPOLOGY
MERITS OF VLANs
Segmentation
Security
Flexibility
ACCESS-LINK AND TRUNK-LINK CONNECTIONS
ACCESS-LINK
  A connection to a device that uses standard Ethernet frames (i.e. computers)
  Can only be associated with a single VLAN
  Computer-to-switch connection
TRUNK-LINK
  Carries traffic for multiple VLANs
  Trunking modifies the original Ethernet frame to carry VLAN information (the source port's VLAN identifier)
  This extra information maintains broadcast integrity
  Switch-to-switch or switch-to-router connection
TRUNKING METHODS
ISL - Inter-Switch Link
  Cisco proprietary
  Interface must support at least 100 Mbps
  All frames are tagged
  ISL encapsulates the original frame by adding a 26-byte header & a 4-byte CRC trailer
  This extra information must be stripped off before forwarding the frame to an access-link device
802.1Q
  Allows trunks between different vendors' devices (open standard)
  Adds only 4 bytes, called the tag field
  Has both tagged and untagged frames
  An untagged frame does not carry any VLAN identification information in it (simple Ethernet frame)
  Untagged frames usually belong to VLAN 1 (native VLAN)
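The 4-byte 802.1Q tag described above, built and parsed in Python as an added example (not from the slides). It assumes the standard tag layout: a 0x8100 TPID after the source MAC, then a 16-bit TCI holding 3 priority bits, 1 DEI bit and a 12-bit VLAN ID, with an untagged frame treated as native VLAN 1. `strip_tag` is what a switch does before sending a frame out an access link. The frame contents are constructed; the FCS is left out.

```python
"""Building and parsing 802.1Q-tagged Ethernet frames (added example, not from the slides)."""
import struct

TPID = 0x8100        # tag protocol identifier that marks a tagged frame
NATIVE_VLAN = 1      # VLAN an untagged frame is assumed to belong to


def mac_bytes(mac):
    """'0021.34ab.6501' or '00:21:34:ab:65:01' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Return an Ethernet frame (without FCS), tagged with `vlan` unless vlan is None."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = (pcp << 13) | vlan              # DEI bit (bit 12) left clear
        frame += struct.pack("!HH", TPID, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return the header fields; an untagged frame reports the native VLAN."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    tagged = ethertype == TPID
    if tagged:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan, pcp = tci & 0x0FFF, tci >> 13
        ethertype = struct.unpack("!H", frame[16:18])[0]
        payload = frame[18:]
    else:
        vlan, pcp, payload = NATIVE_VLAN, 0, frame[14:]
    return {"dst": dst.hex(), "src": src.hex(), "tagged": tagged,
            "vlan": vlan, "pcp": pcp, "ethertype": ethertype, "payload": payload}


def strip_tag(frame):
    """Remove the 802.1Q tag, as done before forwarding onto an access link."""
    if struct.unpack("!H", frame[12:14])[0] != TPID:
        return frame                          # already untagged
    return frame[:12] + frame[16:]
```

A tagged IPv4 broadcast frame is exactly four bytes longer than its untagged form, and once the tag is stripped the parser can no longer tell which VLAN it came from other than by assuming the native VLAN.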
VLAN TRUNKING PROTOCOL
Cisco proprietary
Used to share VLAN configuration information between Cisco switches over trunk connections
Allows a consistent VLAN configuration
VTP messages (layer 2 multicast) propagate only across trunk connections
A switch must be associated with a domain
A domain is a group of switches that have the same VLAN information applied to them
VTP MODES: CLIENT, SERVER AND TRANSPARENT

CAPABILITY                       SERVER (default)   CLIENT   TRANSPARENT
Can add, modify & delete VLANs   Yes                No       Yes
Generates VTP messages           Yes                No       No
Propagates VTP messages          Yes                Yes      Yes
Accepts changes in VTP messages  Yes                Yes      No
VLAN configuration storage       NVRAM              RAM      NVRAM
VTP MESSAGE TYPES
ADVERTISEMENT REQUEST: a request sent to the server by a client
SUBSET ADVERTISEMENT: contains detailed VLAN configuration information, sent to the requesting clients
SUMMARY ADVERTISEMENT: generated by the server every 5 minutes (300 seconds) or when a configuration change takes place
VTP VERSIONS
VERSION 1: not interoperable with version 2
VERSION 2: consistency check on configuration; supports Token Ring switches
VERSION 3: interacts with versions 1 and 2; improved server authentication; support for extended VLANs (1006-4096); support for private VLANs
VTP CONFIGURATION
(config)# vtp domain domain-name
(config)# vtp mode server | client | transparent
(config)# vtp password password
(config)# vtp pruning
VERIFICATION
show vtp status
show vtp counters
VLAN CONFIGURATION
CREATE VLAN
METHOD 1
  Switch# vlan database
  Switch(vlan)# vlan vlan_# [name vlan_name]
METHOD 2 (STARTING FROM IOS 12.1)
  Switch(config)# vlan vlan_#
  Switch(config-vlan)# name vlan_name
ASSIGN VLAN TO INTERFACES
  Switch(config)# interface type_#/port_#
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport access vlan vlan_#
CONFIGURE SWITCH TRUNK INTERFACES
  Switch(config)# interface type_#/port_#
  Switch(config-if)# switchport mode trunk | dynamic desirable | dynamic auto | nonegotiate
  Switch(config-if)# switchport trunk encapsulation dot1q | isl      Used on all switches except the 2950 series
CREATE SUBINTERFACES ON THE ROUTER FOR INTER-VLAN CONFIGURATION
  (config)# interface type_#/port_#
  (config-if)# no shut
  (config-if)# exit
  (config)# interface type_#/port_#.subif_#
  (config-subif)# encapsulation dot1q | isl vlan_#
  (config-subif)# ip address ip_address subnet_mask
VERIFICATION
  show vlan
  show interface trunk
  show interfaces type_#/port_# switchport | trunk
VLAN CONFIGURATION EXAMPLE
TOPOLOGY INFORMATION
VLAN 3 - FINANCE
  Switch 1: F0/5 & F0/4
  Switch 2: F0/10
  Switch 3: F0/7
  IP address: 192.168.2.0/28
VLAN 5 - SECURITY
  Switch 1: F0/6
  Switch 2: F0/11 & F0/9
  Switch 3: F0/8
  IP address: 192.168.2.64/28
TRUNK PORTS
  Switch 1: F0/1, F0/3 & F0/10
  Switch 2: F0/3 & F0/2
  Switch 3: F0/2 & F0/1
SWITCH 1 CONFIGURATION
(config)# vlan 3
(config-vlan)# name finance
(config-vlan)# vlan 5
(config-vlan)# name security
(config-vlan)# exit
(config)# interface f0/5
(config-if)# switchport mode access
(config-if)# switchport access vlan 3
(config-if)# interface f0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 3
(config-if)# interface f0/6
(config-if)# switchport mode access
(config-if)# switchport access vlan 5
(config-if)# interface f0/1
(config-if)# switchport mode trunk
(config-if)# interface f0/3
(config-if)# switchport mode trunk
(config-if)# interface f0/10
(config-if)# switchport mode trunk

SWITCH 2 CONFIGURATION
(config)# vlan 3
(config-vlan)# name finance
(config-vlan)# vlan 5
(config-vlan)# name security
(config-vlan)# exit
(config)# interface range f0/9 , f0/11
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 5
(config-if-range)# exit
(config)# int f0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 3
(config-if)# exit
(config)# int range f0/2 - 3
(config-if-range)# switchport mode trunk
(config-if-range)# exit
(config)# exit
# copy run start

SWITCH 3 CONFIGURATION
(config)# vlan 3
(config-vlan)# name finance
(config-vlan)# vlan 5
(config-vlan)# name security
(config-vlan)# exit
(config)# interface f0/8
(config-if)# switchport mode access
(config-if)# switchport access vlan 5
(config-if)# exit
(config)# int f0/7
(config-if)# switchport mode access
(config-if)# switchport access vlan 3
(config-if)# exit
(config)# int range f0/1 - 2
(config-if-range)# switchport mode trunk
(config-if-range)# exit
(config)# exit
# copy run start
INTER-VLAN CONFIGURATION ON THE ROUTER
(config)# interface f0/0
(config-if)# no shut
(config-if)# exit
(config)# interface f0/0.10
(config-subif)# encapsulation dot1q 3
(config-subif)# ip address 192.168.2.1 255.255.255.240
(config-subif)# int f0/0.20
(config-subif)# encapsulation dot1q 5
(config-subif)# ip address 192.168.2.65 255.255.255.240
(config-subif)# exit
(config)# exit
Router# copy run start
ADDRESS TRANSLATION OVERVIEW
Originally developed to solve two problems:
  Handling the shortage of IP addresses
  Hiding network addressing schemes
SOLUTIONS TO THE IP ADDRESS SHORTAGE
Enhancement to the TCP/IP protocol stack addressing format, called IPv6 (long term)
PRIVATE ADDRESSES (RFC 1918, IETF standard)
The set-aside addresses are:
  Class A: 10.0.0.0 - 10.255.255.255
  Class B: 172.16.0.0 - 172.31.255.255
  Class C: 192.168.0.0 - 192.168.255.255
ADDRESS TRANSLATION (RFC 1631)
Defines the process called NAT
NAT allows the changing of an IP address in a packet to a different address
WHEN TO EMPLOY ADDRESS TRANSLATION
When you want to use private addressing because your ISP didn't assign you enough public addresses
When you are using public addresses but have changed ISPs and your new ISP doesn't support these public addresses
When you are merging two companies that are using the same address space
When you want to assign the same IP address to multiple machines so that users on the Internet see them as a single logical computer
TYPES OF NAT
STATIC NAT: manually maps an unregistered IP address to a registered IP address on a one-to-one basis
DYNAMIC NAT: maps an unregistered IP address to a registered IP address taken from a group of registered IP addresses
PAT [OVERLOADING]: maps multiple unregistered IP addresses to a single registered IP address by using different ports (one-to-many)
NAT TERMINOLOGY
INSIDE: network located on the inside of your network
OUTSIDE: network located outside of your network
LOCAL: the private address assigned to a device
GLOBAL: the public address assigned to a device
INSIDE LOCAL IP ADDRESS: an inside device with an assigned private IP address
INSIDE GLOBAL IP ADDRESS: an inside device with a registered public IP address
OUTSIDE LOCAL IP ADDRESS: an outside device with an assigned private IP address
OUTSIDE GLOBAL IP ADDRESS: an outside device with a registered public IP address
NAT CONFIGURATION
STATIC
(config)# ip nat inside source static inside_local_source_ip_address inside_global_source_ip_address
(config)# interface type [slot_#/port_#]
(config-if)# ip nat inside | outside
STATIC NAT EXAMPLE
ip nat inside source static 192.168.1.1 200.200.200.1
interface f0/0
 ip nat inside
interface s0/0
 ip nat outside
DYNAMIC NAT
(config)# ip nat inside source list standard_ip_acl_# pool nat_pool_name
(config)# ip nat pool nat_pool_name beginning_inside_global_ip_address ending_inside_global_ip_address netmask subnet_mask
(config)# access-list ACL_# permit private_network_address wildcard_mask
EXAMPLE OF DYNAMIC NAT
ip nat inside source list 1 pool nat_pool
ip nat pool nat_pool 200.200.200.1 200.200.200.7 netmask 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
interface f0/0
 ip nat inside
interface s0/0
 ip nat outside
PAT CONFIGURATION
(config)# ip nat inside source list standard_ip_acl_# pool nat_pool_name overload
(config)# ip nat pool nat_pool_name beginning_inside_global_ip_address ending_inside_global_ip_address netmask subnet_mask
(config)# access-list ACL_# permit private_network_address wildcard_mask
EXAMPLE OF PAT
ip nat inside source list 1 pool nat_pool overload
ip nat pool nat_pool 200.200.200.1 200.200.200.7 netmask 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
interface f0/0
 ip nat inside
interface s0/0
 ip nat outside
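The three NAT types and the translation table they build, as an added example (not from the slides) that covers the static, dynamic and PAT configurations above in one model. It assumes a single ACL network selects the inside hosts, that dynamic NAT binds one pool address per inside host and drops packets once the pool is empty, and that PAT allocates source ports upward from 1024 on the first pool address. The addresses reuse the slides' 192.168.1.0/24 and 200.200.200.x values; the ports are constructed.

```python
"""Static NAT, dynamic NAT and PAT translation table (added example, not from the slides)."""
import ipaddress


class Nat:
    def __init__(self, acl_network, pool, overload=False, static=None):
        self.acl = ipaddress.ip_network(acl_network)   # access-list N permit <net> <wildcard>
        self.pool = [str(ip) for ip in pool]            # ip nat pool: inside global addresses
        self.overload = overload                        # PAT when True
        self.static = dict(static or {})                # inside local -> inside global
        self.table = {}          # (inside local, port) -> (inside global, port)
        self.in_use = set()      # pool addresses bound by dynamic NAT
        self.next_port = 1024    # PAT: next free source port on the global address

    def translate(self, src_ip, src_port):
        """Outbound packet: return (inside global, port) or None when it is dropped."""
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]                    # existing translation
        if src_ip in self.static:
            self.table[key] = (self.static[src_ip], src_port)
        elif ipaddress.ip_address(src_ip) in self.acl:
            if self.overload:
                # PAT: everyone shares the first global address, distinguished by port
                self.table[key] = (self.pool[0], self.next_port)
                self.next_port += 1
            else:
                # dynamic NAT: one pool address per inside host, reused for its other ports
                held = next((g for (l, _), (g, _) in self.table.items() if l == src_ip), None)
                if held is None:
                    free = [a for a in self.pool if a not in self.in_use]
                    if not free:
                        return None                   # pool exhausted: packet dropped
                    held = free[0]
                    self.in_use.add(held)
                self.table[key] = (held, src_port)
        else:
            return None                               # not matched by the ACL: no translation
        return self.table[key]

    def untranslate(self, global_ip, global_port):
        """Return packet: map (inside global, port) back to (inside local, port)."""
        for local, glob in self.table.items():
            if glob == (global_ip, global_port):
                return local
        return None
```

The PAT case shows why it is the usual answer to address shortage: two inside hosts using the same source port 80 both leave as 200.200.200.1, told apart only by the ports 1024 and 1025 the translator picked, and return traffic is demultiplexed by that port.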
DHCP
Dynamic Host Configuration Protocol
Allows devices to dynamically acquire their addressing information
Defined in RFC 2131
Based on BOOTP
Built on a client/server model
MERITS OF DHCP
It reduces the amount of configuration on devices
It reduces the likelihood of configuration errors
It gives you more control by centralizing IP addressing information
CLIENT ADDRESS ACQUISITION STEPS
DHCPDISCOVER: broadcast message generated by the client
DHCPOFFER: all servers unicast a response; includes IP address, default gateway, DNS domain name, DNS server address, WINS & TFTP server addresses and the lease period
DHCPREQUEST: the client's unicast message to the preferred server
DHCPACK/DHCPNACK: the server's confirmation
NOTE: DHCPRELEASE is generated by the client to inform the server of its graceful shutdown
DHCP ADDRESS ALLOCATION TYPES
AUTOMATIC: the server assigns a permanent IP address to the client
DYNAMIC: the server assigns an IP address to a client for a period of time
MANUAL: the IP address is manually configured on the client while DHCP is used to convey additional addressing information & verification
ROUTER DHCP SERVER CONFIGURATION
(config)# [no] service dhcp
(config)# ip dhcp pool pool_name
(config-dhcp)# network network_no ( subnet_mask | /prefix-length )
(config-dhcp)# domain-name domain-name
(config-dhcp)# dns-server ip_address
(config-dhcp)# default-router ip_address
(config-dhcp)# lease days [hours] [minutes] | infinite
(config-dhcp)# exit
(config)# ip dhcp excluded-address beginning_ip_address [ending_ip_address]
ROUTER DHCP CLIENT CONFIGURATION
(config)# interface type slot_#/port_#
(config-if)# ip address dhcp
IP HELPER ADDRESS
A helper address provides selective connectivity
Routers do not forward broadcasts by default
An IP helper address is configured on a router to make it a relay agent
A DHCP relay agent is any host that forwards DHCP packets between clients & servers
Relay agents are used to forward requests & replies between clients and servers when they are not on the same physical subnet
Relay agents change the broadcast to a unicast to reach the server using the configured helper address
The ip helper-address command enables the forwarding of all of the well-known UDP ports that may be included in a UDP broadcast message
The UDP well-known ports forwarded by default are:
  TIME: 37
  TACACS: 49
  DNS: 53
  BOOTP/DHCP SERVER: 67
  BOOTP/DHCP CLIENT: 68
  TFTP: 69
  NETBIOS NAME SERVICE: 137
  NETBIOS DATAGRAM SERVICE: 138
To enable other protocols: (config)# ip forward-protocol udp [port]
To enable an IP helper address: (config-if)# ip helper-address address
DHCP CONFIGURATION EXAMPLE
(config)# ip dhcp pool ccna-pool
(config-dhcp)# network 200.200.200.0 255.255.255.0
(config-dhcp)# domain-name karrox.com
(config-dhcp)# dns-server 200.200.200.2
(config-dhcp)# default-router 200.200.200.1
(config-dhcp)# lease 2
(config-dhcp)# exit
(config)# ip dhcp excluded-address 200.200.200.1 200.200.200.2
DHCP VERIFICATION
show ip dhcp database
show ip dhcp server statistics
NETWORK SECURITY
TYPES OF NETWORK
CLOSED NETWORK: no connection to a public network
OPEN NETWORK: the modern case (connected to public networks)
VARIETY OF ATTACKS
Unstructured
Structured
External
Internal
SECURITY TERMINOLOGY
VULNERABILITY: the existence of a weakness or design error that compromises the security of a network
EXPLOIT: a defined way to breach the security of an organization
SECURITY POLICY: a formal statement of the rules that govern the people who have access to an organization's technology and information assets
THE WHEEL OF SECURITY POLICY: SECURE, MONITOR, TEST, IMPROVE
NETWORK ATTACKS
RECONNAISSANCE ATTACKS: packet sniffers, port scans, ping sweeps, Internet information queries
ACCESS ATTACKS: password attacks, trust exploitation, man-in-the-middle, port redirection
DENIAL OF SERVICE ATTACKS: IP spoofing, DDoS
WORM, VIRUS & TROJAN HORSE ATTACKS
APPLICATION-LAYER ATTACKS
DETERMINING NETWORK VULNERABILITIES
GNU Netcat scan
Ethereal
Blue's Port Scan
Microsoft Baseline Security Analyzer
ACCESS CONTROL LISTS
ACLs are statements grouped together by number or name to filter traffic entering or leaving an interface
ACLs can be used to:
  Filter traffic
  Restrict telnet access to the router
  Filter routing information
  Prioritize WAN traffic
  Trigger phone calls with dial-on-demand routing
  Change the administrative distance of routes
TYPES OF ACL
STANDARD ACL: filters only on the source IP address inside a packet
EXTENDED ACL: allows filtering on the source & destination IP addresses, IP protocol (IP, TCP, UDP & ICMP) & protocol information (i.e. TCP & UDP source & destination port numbers)
ACL REFERENCE
Both standard and extended ACLs are referenced by:
1. NAME
  A named ACL is assigned a unique name among all ACLs
  The number of named ACLs is restricted by the size of RAM & NVRAM
2. NUMBER
  A numbered ACL is assigned a unique number among all ACLs
  There is a limited number of lists that can be used
  STANDARD NUMBERED ACLs: 1 - 99, 1300 - 1999
  EXTENDED NUMBERED ACLs: 100 - 199, 2000 - 2699
ACL PROCESSING
ACLs are processed top-down by the router
A packet is compared to the first statement in the ACL
If a match between the packet and the statement is found, the router either permits or denies the packet
If no match is found, the router proceeds to the next statement
If the router goes through the entire list and doesn't find a match, the packet is dropped (IMPLICIT DENY)
IMPLICIT DENY: an invisible statement that drops all traffic that doesn't match any of the preceding statements in the ACL
IMPORTANT CONFIGURATION GUIDELINES
1. Each ACL needs either a unique number or name
2. The order of statements is important
3. ACL statements are processed top-down
4. Once a match is found, no further statement is processed
5. An implicit deny statement exists at the end of every ACL's statements
6. The router cannot filter the traffic it originates itself, except telnet
7. Only one access list can be applied per protocol, per interface & per direction
8. An empty ACL applied to an interface permits all traffic by default: at least one permit or deny statement is needed to have an implicit deny
ACL APPLICATION
INBOUND
- Packets are processed as they are routed into the interface
- Incoming packets are processed before being routed to an exit (outbound) interface
OUTBOUND
- Packets are routed to the exit interface before being processed by the outbound ACL
WILDCARD MASK
- An inverse of a subnet mask
- Used to match on a range of addresses
- Tells the router which addressing bits must match the address in the ACL statement
- With a wildcard mask, a 0 in a bit position means exact match, while a 1 means not an exact match ("I don't care")
SPECIAL WILDCARD MASKS
0.0.0.0
- All 32 bits of the address must match before the statement is processed
- It is often converted to "host" by the router:
  192.168.3.2 0.0.0.0 = host 192.168.3.2
255.255.255.255
- Tells the router that it doesn't matter what is in the packet being compared to the ACL statement
- It can be written as "any":
  192.168.3.2 255.255.255.255 = any
STANDARD NUMBERED ACL CONFIGURATION
(config)# access-list acl_# permit/deny source_ip_address (wildcard_mask) (log)
- log causes any match to be printed to the console port of the router
ACTIVATING A STANDARD IP ACL
(config)# interface type slot_#/port_#
(config-if)# ip access-group acl_# in/out
EXAMPLE 1
(config)# access-list 1 deny 192.168.1.2
(config)# access-list 1 permit 192.168.1.0 0.0.0.255
(config)# interface s0/0
(config-if)# ip access-group 1 in
EXAMPLE 2
Deny access to the servers from all members of 192.168.2.0 except 192.168.2.2
SOLUTION TO EXAMPLE 2
(config)# access-list 2 permit 192.168.2.2 0.0.0.0
(config)# access-list 2 deny 192.168.2.0 0.0.0.31
(config)# int f0/1
(config-if)# ip access-group 2 out
CLASS WORK
Correct this ACL and reduce the statements:
access-list 5 deny 192.168.1.0
access-list 5 permit 172.16.0.0
access-list 4 permit 192.168.1.1
access-list 5 deny 172.16.0.1
int f0/0
ip access-list 5 out
CORRECTION
access-list 4 permit 192.168.1.1
access-list 5 deny 192.168.1.0 0.0.0.255
access-list 5 deny 172.16.0.1
access-list 5 permit 172.16.0.0 0.0.0.255
int f0/0
ip access-group 5 out
RESTRICTING TELNET ACCESS TO THE ROUTER
- Create a standard ACL that permits all allowed systems
- Activate the ACL on the vty lines
- An IN parameter restricts telnet to the router itself, while OUT restricts what destinations the router can telnet to
EXAMPLE
(config)# access-list 98 permit 192.168.1.2 0.0.0.0
(config)# line vty 0 4
(config-line)# access-class 98 in
EXTENDED NUMBERED ACLS
(config)# access-list 100-199 / 2000-2699 permit/deny ip_protocol source_ip source_wildcard (protocol_info) destination_address destination_wildcard (protocol_info) (log)
TCP & UDP
Syntax for configuring an extended ACL for TCP or UDP:
(config)# access-list 100-199 / 2000-2699 permit/deny tcp/udp source_ip source_wildcard (operator source_port_#) destination_address destination_wildcard (operator destination_port_#) (established) (log)
OPERATORS
- Tell the router how to match on the port number
- Either the source or the destination port number, or both, can be specified with TCP and UDP
- Operators apply only to TCP and UDP, not to other IP protocols
TCP AND UDP OPERATORS
OPERATOR   EXPLANATION
lt         less than
gt         greater than
neq        not equal to
eq         equal to
range      range of port numbers
PORT NUMBERS AND NAMES
- For TCP and UDP connections, you can list either the name of the port or the number of the port
- If the port name or number is omitted, the ACL looks for a match on all TCP connections
COMMON TCP PORT NAMES AND NUMBERS
PORT NAME     COMMAND PARAMETER   PORT NUMBER
FTP data      ftp-data            20
FTP control   ftp                 21
Telnet        telnet              23
SMTP          smtp                25
WWW           www                 80
DNS           dns                 53
COMMON UDP PORT NAMES AND NUMBERS
PORT NAME     COMMAND PARAMETER   PORT NUMBER
DNS query     dns                 53
TFTP          tftp                69
SNMP          snmp                161
IP RIP        rip                 520
ICMP (INTERNET CONTROL MESSAGE PROTOCOL)
(config)# access-list 100-199 / 2000-2699 permit/deny icmp source_ip source_wildcard_mask destination_address destination_wildcard (ICMP_message) (log)
- ICMP uses message types instead of port numbers. The common ICMP messages are:
  administratively-prohibited: messages that say someone filtered a packet
  echo: used by ping to check connectivity to a destination
  echo-reply: a response to an echo message created by ping
  host-unreachable: the subnet is reachable but the host is not responding
  net-unreachable: the network/subnet is not reachable
  traceroute: filters on traceroute information
ACTIVATING AN EXTENDED IP ACL
(config)# interface type slot_#/port_#
(config-if)# ip access-group acl_# in/out
EXTENDED ACL CONFIGURATION EXAMPLE
access-list 101 permit tcp host 199.199.199.1 host 200.200.200.1 eq dns
access-list 101 permit udp any host 200.200.200.1 eq dns
access-list 101 permit tcp any host 200.200.200.2 eq www
access-list 101 permit icmp any host 200.200.200.3
int e0
ip access-group 101 in
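Added example (not from these notes, and not IOS code): a small Python model of the ACL rules above, covering top-down first-match processing and the implicit deny, the wildcard-mask comparison, and the lt/gt/eq/neq/range port operators of extended ACLs. It evaluates ACL 2 from Example 2 and the extended ACL 101 example; the packet and entry structures are assumptions made for the model.

```python
"""Model of Cisco-style ACL evaluation: top-down, first match wins, implicit deny at the end.
Added example for the ACL notes; it mimics the rules described, not IOS itself."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # "any": no bit has to match


def wildcard_match(addr: str, pattern: str, wildcard: str = "0.0.0.0") -> bool:
    """Wildcard mask: a 0 bit means the address bit must match, a 1 bit means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # inverse of the wildcard
    return (a & care) == (p & care)


def port_match(spec: Optional[Tuple], port: Optional[int]) -> bool:
    """Port operators from the notes: lt, gt, eq, neq, range. No operator means all ports."""
    if spec is None:
        return True
    if port is None:
        return False
    op, lo, hi = spec[0], spec[1], (spec[2] if len(spec) > 2 else None)
    return {"lt": port < lo, "gt": port > lo, "eq": port == lo,
            "neq": port != lo, "range": hi is not None and lo <= port <= hi}[op]


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    protocol: str = "ip"               # ip (any IP protocol), tcp, udp or icmp
    src: Tuple[str, str] = ANY         # (address, wildcard)
    dst: Tuple[str, str] = ANY
    dst_port: Optional[Tuple] = None   # e.g. ("eq", 53) or ("range", 20, 21); tcp/udp only


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dst_port: Optional[int] = None


def parse_standard(line: str) -> Entry:
    """Parse 'access-list N permit|deny <source> [wildcard]' as the notes write it:
    a bare address means wildcard 0.0.0.0 (host), 'host X' likewise, 'any' matches all."""
    words = line.strip().lower().split()
    if len(words) < 4 or words[0] != "access-list" or words[2] not in ("permit", "deny"):
        raise ValueError("not a standard ACL statement: " + line)
    rest = words[3:]
    if rest == ["any"]:
        src = ANY
    elif rest[0] == "host":
        src = (rest[1], "0.0.0.0")
    else:
        src = (rest[0], rest[1] if len(rest) > 1 else "0.0.0.0")
    return Entry(action=words[2], src=src)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching statement); index None means the implicit deny fired."""
    for i, e in enumerate(acl):
        if e.protocol != "ip" and e.protocol != pkt.protocol:
            continue
        if not wildcard_match(pkt.src, *e.src) or not wildcard_match(pkt.dst, *e.dst):
            continue
        if e.protocol in ("tcp", "udp") and not port_match(e.dst_port, pkt.dst_port):
            continue
        return e.action, i          # first match wins; nothing after it is consulted
    return "deny", None             # implicit deny at the end of every ACL


# ACL 2 from Example 2 and the extended ACL 101 example, exactly as written in the notes.
ACL2 = [parse_standard("access-list 2 permit 192.168.2.2 0.0.0.0"),
        parse_standard("access-list 2 deny 192.168.2.0 0.0.0.31")]

ACL101 = [
    Entry("permit", "tcp", ("199.199.199.1", "0.0.0.0"), ("200.200.200.1", "0.0.0.0"), ("eq", 53)),
    Entry("permit", "udp", ANY, ("200.200.200.1", "0.0.0.0"), ("eq", 53)),
    Entry("permit", "tcp", ANY, ("200.200.200.2", "0.0.0.0"), ("eq", 80)),
    Entry("permit", "icmp", ANY, ("200.200.200.3", "0.0.0.0")),
]

if __name__ == "__main__":
    for p in (Packet("192.168.2.2", "10.0.0.5"), Packet("192.168.2.17", "10.0.0.5"),
              Packet("10.1.1.1", "10.0.0.5")):   # last one matches nothing: implicit deny
        print(p.src, "->", evaluate(ACL2, p))
    print(evaluate(ACL101, Packet("1.2.3.4", "200.200.200.2", "tcp", 443)))  # ('deny', None)
```

Note what the model shows for ACL 2: because there is no trailing permit statement, a source outside 192.168.2.0 is also dropped by the implicit deny, so an ACL that should only block one subnet needs an explicit permit for everyone else.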
NAMED ACLS
- Support both IP and IPX protocols
- A single entry can be deleted
- There is no ability to modify or insert a new entry into the middle of an existing ACL
ACL PLACEMENT
- Extended ACLs should be placed as close to the source as possible
- Standard ACLs should be placed as close to the destination as possible
UNDERSTANDING BASIC CONCEPTS & ADDRESSING OF IPV6
RATIONALE FOR IPV6
- There is an IP address shortage
  - The USA is still sitting pretty
  - Asia and Africa received a single class C for an entire country
- Current IP addresses are poorly allocated
  - Agencies needing a class C asked for a class B
- Estimates of IPv4 exhaustion are largely debated (2009-2041)
- New network devices are on the rise
- NAT is seen as a hindrance to innovation
- Potential future features:
  - IPsec
  - Mobility
  - Simple header
IPV6 ADVANCED FEATURES
Larger address space:
- Global reachability and flexibility
- Aggregation
- Multihoming
- Autoconfiguration
- Plug and play
- End-to-end without NAT
- Renumbering
Simpler header:
- Routing efficiency
- Performance and forwarding-rate scalability
- No broadcast
- No checksums
- Extension headers
- Flow labels
Mobility and security:
- Mobile IP RFC compliant
- IPsec mandatory for IPv6
Transition richness:
- Dual stack
- 6to4 tunnels
- Translation
IPV6 ADDRESSING
- Address size moved from 32 bits (IPv4) to 128 bits (IPv6)
- Provides 340,282,366,920,938,463,463,374,607,431,770,000,000 addresses
- Divided into 8 groups of 4 hexadecimal characters each to make addresses more readable: X:X:X:X:X:X:X:X, where X is a 16-bit hexadecimal field
- Case-insensitive for the hexadecimal digits A, B, C, D, E and F
- Example: 2001:0050:0000:0000:0000:0AB4:1E2B:98AA
IPV6 ADDRESSING RULES
Eliminate groups of consecutive zeros
- Successive fields of 0s can be represented as ::, but only once per address
  2001:0050:0000:0000:0AB4:0000:0000:08AA
  becomes 2001:0050::0AB4:0000:0000:08AA
Drop leading zeros
- Leading zeros in a field are optional
  2001:0050::0AB4:0000:0000:08AA
  becomes 2001:50::ab4:0:0:8aa
TYPES OF COMMUNICATION
Unicast
- One-to-one
- Address for a single interface
Multicast
- One-to-many
Anycast
- One-to-closest
- Multiple devices share the same address
- All anycast nodes should provide uniform service
- Suitable for load balancing and content delivery
TYPES OF ADDRESSES
LINK-LOCAL SCOPE
- Assigned automatically as an IPv6 host comes online
- Similar to the 169.254.X.X addresses of IPv4, but always generated whether there is a DHCP server or not
- Always begins with FE80 (first 10 bits: 1111 1110 10) followed by 54 bits of zeros
- The last 64 bits are the 48-bit MAC address with FFFE squeezed in the middle (EUI-64 format)
- Example: FE80:0000:0000:0000:0019:D1FF:FE22:DCF3
  MAC address: 0019.d122.dcf3
  EUI-64 insertion: FFFE
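Added example (not from these notes): Python functions for the two addressing rules above (the single :: for the longest run of zero fields, dropped leading zeros) and for building the link-local address from a MAC the way the EUI-64 passage describes. One caveat the notes skip: modified EUI-64 as specified in RFC 4291 also inverts the universal/local bit (bit 7 of the first MAC octet), which turns 0019 into 0219; the flag `flip_ul_bit` lets you reproduce the notes' figure or the RFC result.

```python
"""IPv6 address text rules from the notes: expand, compress and EUI-64 link-local derivation.
Added example; the function names and the flip_ul_bit flag are this example's own."""
import re
from typing import List


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit fields of an address written with or without '::'."""
    if addr.count("::") > 1:
        raise ValueError(":: may appear only once per address")
    if "::" in addr:
        head, tail = addr.split("::")
        h = [int(x, 16) for x in head.split(":") if x]
        t = [int(x, 16) for x in tail.split(":") if x]
        fields = h + [0] * (8 - len(h) - len(t)) + t      # :: stands for the missing zero fields
    else:
        fields = [int(x, 16) for x in addr.split(":")]
    if len(fields) != 8 or any(not 0 <= f <= 0xFFFF for f in fields):
        raise ValueError("not an IPv6 address: %s" % addr)
    return fields


def full(addr: str) -> str:
    """Fully written form: eight 4-digit fields, no '::'."""
    return ":".join("%04x" % f for f in expand(addr))


def compress(addr: str) -> str:
    """Drop leading zeros and replace the longest run of two or more zero fields with '::'
    (the first run wins a tie, which is what the notes' example does)."""
    fields = expand(addr)
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, f in enumerate(fields):
        if f == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    hexs = ["%x" % f for f in fields]                     # "%x" drops the leading zeros
    if best_len >= 2:
        return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    return ":".join(hexs)


def link_local_from_mac(mac: str, flip_ul_bit: bool = True) -> str:
    """FE80::/64 plus an EUI-64 interface ID: the MAC split in half with FFFE inserted.
    flip_ul_bit=True applies the RFC 4291 universal/local bit inversion; False reproduces
    the notes' example, which leaves the first octet untouched."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)           # accepts 0019.d122.dcf3 or 00:19:d1:22:dc:f3
    if len(digits) != 12:
        raise ValueError("a MAC address has 12 hex digits: %s" % mac)
    octets = bytearray(int(digits[i:i + 2], 16) for i in range(0, 12, 2))
    if flip_ul_bit:
        octets[0] ^= 0x02
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    iface = ":".join("%02x%02x" % (eui64[i], eui64[i + 1]) for i in range(0, 8, 2))
    return compress("fe80:0:0:0:" + iface)


if __name__ == "__main__":
    print(compress("2001:0050:0000:0000:0AB4:0000:0000:08AA"))   # 2001:50::ab4:0:0:8aa
    print(link_local_from_mac("0019.d122.dcf3", flip_ul_bit=False))  # fe80::19:d1ff:fe22:dcf3
    print(link_local_from_mac("0019.d122.dcf3"))                     # fe80::219:d1ff:fe22:dcf3
```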
TYPES OF ADDRESSES
UNIQUE-LOCAL (RFC 4193) / SITE-LOCAL (RFC 3513)
- Used within enterprise networks to identify the boundary of their networks
- Uses the following format:
  prefix 1111 110 + L bit   Global ID   subnet ID   interface ID
  (7 bits + 1 bit)          40 bits     16 bits     64 bits
- FC00::/7
- L = 1: locally assigned; L = 0: future use
TYPES OF ADDRESSES
GLOBAL ADDRESSES
- Have their high-level 3 bits set to 001 (2000::/3)
- Format:
  prefix 001 + global routing prefix   subnet ID     interface ID
  N bits                               64 - N bits   64 bits
- The global routing prefix is 48 bits or less
- The subnet ID is comprised of whatever bits are left over after the global routing prefix
GLOBAL ADDRESSES
- The primary addresses expected to comprise the IPv6 Internet are from the 2001::/16 subnet
MULTICAST ADDRESSING
- Unlike IPv4, multicast is huge in IPv6
- The first 8 bits are always FF
- Format:
  1111 1111   flag (4 bits)   scope (4 bits)   address
- The flag currently has four bits defined, e.g. temporary / permanent
- The scope defines how far the multicast goes:
  1 - interface
  2 - link
  3 - subnet
  4 - admin
  5 - site
  8 - organization
  E - global
MULTICAST SCOPE
Interface-local
- Spans only a single interface on a node and is useful only for loopback transmission of multicast
Link-local & site-local
- Span the same topological regions as the corresponding unicast scopes
Admin-local
- The smallest scope that must be administratively configured, i.e. not automatically derived from physical connectivity
Organization-local
- Intended to span multiple sites belonging to a single organization
SOME WELL-KNOWN (PERMANENT) MULTICAST ADDRESSES
FF02::1            all nodes (on link)
FF02::2            all routers
FF02::9            all RIP routers (on link)
FF02::1:FFXX:XXXX  an IPv6 "ARP" (solicited-node) message (on link)
FF05::101          all NTP servers (within site)
MIGRATION TO IPV6
- Dual-stacking routers
- Tunneling (6to4 & 4to6)
- NAT protocol translation (NAT-PT)
NETWORK ADMINISTRATION & TROUBLESHOOTING
PASSWORD RECOVERY
- Aided by a configuration register value of 0x2142
- The configuration register is a 16-bit field (stored in NVRAM) split up into groups of 4 bits; each group is represented by a hexadecimal digit
  bit places:      15 14 13 12 | 11 10  9  8 |  7  6  5  4 |  3  2  1  0
  register bits:    0  0  1  0 |  0  0  0  1 |  0  1  0  0 |  0  0  1  0
  hex equivalent:        2     |      1      |      4      |      2
- The boot field is the last hex digit of the register value (the 2 in 0x2142)
BOOT FIELD & MEANING
0x2100    Stay at the ROM monitor on a reload
0x2101    Boot the first image in flash memory as the system image
0x2102-F  Enable default booting from flash memory; enable boot system commands that override the default
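Added example (not from these notes): a Python decoder for the 16-bit register described above, plus a check over "show version" output that flags routers whose current register still has the ignore-NVRAM bit (bit 6, the 0x40 in 0x2142) set, which is how a device left in the password-recovery state shows up in an audit. The sample output lines are constructed for the example; the hostnames are placeholders.

```python
"""Decode a Cisco configuration register and find routers still set to bypass NVRAM.
Added example; the bit names follow the register layout in the notes above."""
import re
from typing import Dict, List

BOOT_FIELD_MEANING = {            # bits 3..0, the last hex digit
    0x0: "stay at the ROM monitor on reload",
    0x1: "boot the first image in flash memory",
}


def decode_config_register(value: int) -> Dict[str, object]:
    """Split the register into nibbles and name the bits that matter for password recovery."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("the configuration register is a 16-bit value")
    boot_field = value & 0x000F
    return {
        "hex": "0x%04X" % value,
        "nibbles": " ".join(format(value, "016b")[i:i + 4] for i in range(0, 16, 4)),
        "boot_field": boot_field,
        "boot": BOOT_FIELD_MEANING.get(
            boot_field, "default boot from flash; boot system commands override"),
        "ignore_nvram": bool(value & 0x0040),    # bit 6: startup-config skipped (0x2142)
        "break_disabled": bool(value & 0x0100),  # bit 8: console Break ignored after boot
    }


def registers_ignoring_nvram(show_version_lines: List[str]) -> List[str]:
    """Given 'hostname: Configuration register is 0x....' lines (constructed format for this
    example), return the hostnames whose current register still bypasses NVRAM."""
    flagged = []
    for line in show_version_lines:
        m = re.match(r"(\S+): Configuration register is 0x([0-9A-Fa-f]{1,4})", line)
        if m and decode_config_register(int(m.group(2), 16))["ignore_nvram"]:
            flagged.append(m.group(1))
    return flagged


# Constructed sample: one line per router, the register as 'show version' prints it.
# The second router had step 7 applied but has not reloaded yet, so it is still flagged.
SAMPLE = [
    "edge-r1: Configuration register is 0x2102",
    "edge-r2: Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "lab-r3: Configuration register is 0x2142",
]

if __name__ == "__main__":
    print(decode_config_register(0x2142))
    print("routers ignoring NVRAM:", registers_ignoring_nvram(SAMPLE))   # edge-r2, lab-r3
```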
PASSWORD RECOVERY PROCEDURE FOR ROUTERS
STEP 1
- Power-cycle the router and interrupt the boot sequence by pressing Ctrl + Break immediately after reload
- Result: rommon 1>
STEP 2
- Change the configuration register to ignore the contents of NVRAM
  rommon> confreg 0x2142
STEP 3
- Reload the router
  rommon> reset
STEP 4
- Access privileged mode
  Router> enable
  Router#
STEP 5
- Copy the startup config into the running config
  Router# copy startup-config running-config
STEP 6
- Change the passwords
  Router# configure terminal
  Router(config)# enable secret ccna
  Router(config)# line con 0
  Router(config-line)# password ccna
  Router(config-line)# login
  Router(config-line)# exit
STEP 7
- Reset the configuration register back to its default setting
  Router(config)# config-register 0x2102
  Router(config)# exit
STEP 8
- Save the configuration
  Router# copy running-config startup-config
PASSWORD RECOVERY FOR 2960 SWITCHES
- Unplug the power supply
- Hold down the mode button and plug the power supply back in
- Release the mode button when the SYST LED blinks amber and then turns solid green
- Initialize the flash memory
  switch: flash_init
  switch: load_helper
- Display the files in flash memory
  switch: dir flash:
- Rename the configuration file
  switch: rename flash:config.text flash:config.old
  NOTE: config.text contains the lost password; config.old is a nonexistent file
- Boot the switch
  switch: boot
- Enter privileged mode
  Switch> enable
  Switch#
- Rename the configuration file back to its original name
  Switch# rename flash:config.old flash:config.text
- Copy the configuration file into memory
  Switch# copy flash:config.text system:running-config
- Change the password
  Switch# config t
  Switch(config)# enable secret ccna
  Switch(config)# line con 0
  Switch(config-line)# password ccna
  Switch(config-line)# login
  Switch(config-line)# exit
  Switch(config)# exit
  Switch#
- Save the configuration into NVRAM with the new password
  Switch# copy run start
PROTOCOLS & COMMANDS
TELNET
- Used to access a device's command line interface over the network
- Works at layer 7
  Router# telnet ip_address
  Router# telnet 172.16.0.1
- Ctrl + Shift + 6, followed by x, suspends your current telnet session
PING
- Used to check for layer 3 connectivity between devices
- Works at layer 3
- Two types:
  SIMPLE PING: Router# ping 172.16.0.1
  EXTENDED PING: Router# ping, then hit the ENTER key and follow the prompts
TRACEROUTE
- Discovers the route taken to travel to the destination
- Works at layer 3
- Two types, simple and extended; same procedure as ping
CISCO DISCOVERY PROTOCOL
- Enabled by default
- Works at layer 2
- Used to discover Cisco devices
  (config)# cdp run: enables CDP globally
  (config-if)# cdp enable: enables CDP on an interface
- Verification:
  show cdp: displays global CDP information
  show cdp neighbors (detail)
CONFIGURING THE SECURE SHELL PROTOCOL
- SSH is required for secure communication; it is more secure than telnet
- SSH requires a local username, a local IP domain name and an RSA key to be generated
- The Cisco IOS image must support RSA (Rivest-Shamir-Adleman) authentication and at least Data Encryption Standard (DES) encryption
- Configuration:
  (config)# username cisco password/secret ccna
  (config)# ip domain-name ccna.com
  (config)# crypto key generate rsa
  (config)# line vty 0 4
  (config-line)# transport input ssh
BACKING UP & RESTORING CISCO IMAGES & CONFIGURATION FILES
Router# copy tftp running-config
- Restores a configuration file from a TFTP server
Router# copy running-config tftp
- Backs up RAM (the running config) to a TFTP server
Router# copy flash tftp
- Backs up the IOS image to a TFTP server
Router# copy tftp flash
- Restores the IOS image from a TFTP server
Example:
Router# copy flash tftp
Source filename []? c1700-advseck9-mz.123-20.bin
Address or name of remote host []? 172.16.32.109
Destination filename [c1700-advseck9-mz.123-20.bin]?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
8906589 bytes copied in 263.68 seconds
RESTORING THE CONFIGURATION
Router# copy tftp running-config
Address or name of remote host []? 172.16.32.109
Source filename []? router-config
Destination filename [router-config]?
Accessing tftp://172.16.32.109/router-config...
Loading router-config from 172.16.32.109 (via FastEthernet0/1): !!!!!!!!!!!!!!!!!!!!
[OK - 350 bytes]
350 bytes copied in 5.45 seconds
RESTORING THE CISCO IOS USING THE tftpdnld COMMAND
rommon 1> IP_ADDRESS=192.168.100.1
rommon 2> IP_SUBNET_MASK=255.255.255.0
rommon 3> DEFAULT_GATEWAY=192.168.100.1
rommon 4> TFTP_SERVER=192.168.100.2
rommon 5> TFTP_FILE=c1841-enbase-mz.124-7.bin
rommon 6> tftpdnld
- tftpdnld starts the download process
BOOT SYSTEM COMMANDS
(config)# boot system flash image_name
- Loads the Cisco IOS software with the given image name, e.g.
  boot system flash c1700-advsecurityk9-mz.123-20.bin
(config)# boot system tftp image_name ip_address
- Loads the image from a TFTP server (e.g. 172.16.10.3)
(config)# boot system rom
- Loads the image from the ROM monitor
WIRELESS
- Communication using radio frequencies (RF)
- The three major wireless organizations/standards are:
ITU-R
- International Telecommunication Union - Radiocommunication Sector
- Regulates the radio frequencies (RF) used for wireless transmission
IEEE
- Institute of Electrical and Electronics Engineers
- Maintains the 802.11 wireless transmission standard
WI-FI (WIRELESS FIDELITY)
- Ensures certified interoperability between 802.11 wireless vendors
WIRELESS LAN
- A LAN with wireless transmission
- Uses CSMA/CD
- An 802.11 technology
- Half-duplex
- Wireless RF signals are sent through the air using an antenna
WLAN CHALLENGES
- Reflection
- Refraction
- Absorption
- Scattering
- Interference from other wireless devices: cordless phones, Bluetooth, microwave ovens, wireless microphones, etc.
UNLICENSED RF BANDS
- All 802.11 technologies use unlicensed RF bands
- The three unlicensed RF bands are called the industrial, scientific and medical (ISM) bands. These bands are:
  900 MHz band: 902 MHz - 928 MHz
  2.4 GHz band: 2.400 GHz - 2.483 GHz
  5 GHz band: 5.150 GHz - 5.3 GHz and 5.725 GHz - 5.825 GHz
RF CHARACTERISTICS FOR WLAN
- Higher frequencies allow for higher data rates
- Higher frequencies have a shorter transmission distance (range)
- Shorter distances can be compensated for by using high-powered antennas
- Radio transmission power is regulated by every country
CHANNEL SELECTION
- A good wireless design requires 10%-15% overlapping signals
- These overlapping signals allow for seamless roaming but cause interference from adjacent transmitters
- To avoid the performance degradation caused by overlapping signals, non-overlapping channels must be selected for adjacent access points
- An access point is a device that distributes the wired signal to wireless devices
- The three non-overlapping channels for the 2.4 GHz band are channels 1, 6 and 11
- The 5 GHz band supports up to 23 non-overlapping channels
802.11 STANDARDS
- 802.11a
- 802.11b
- 802.11g
- 802.11n (newly proposed)
- 802.11e (QoS for 802.11)
- 802.11i (wireless security)
802.11a
- Released 1999
- Uses the 5 GHz RF band
- Up to 54 Mbps bandwidth
- 23 non-overlapping channels
- Outdoor range: 75 meters (approximately)
- Indoor range: 25 meters (approximately)
- Uses Orthogonal Frequency Division Multiplexing (OFDM) as its modulation technique
- Data rates: 54, 48, 36, 24, 18, 12, 9 and 6 Mbps
- No interference from other wireless devices
- Not backward compatible with 11b/g
- No multipath issues
- Low market penetration (demerit)
802.11g
- Ratified 2003
- 54 Mbps bandwidth
- Uses the 2.4 GHz frequency band
- 3 non-overlapping channels: 1, 6 and 11
- Outdoor range: 95 meters (approx.)
- Indoor range: 40 meters (approx.)
- Backward compatible with 11b
- Uses OFDM and DSSS (Direct Sequence Spread Spectrum) modulation techniques
- Interference from 11b devices
- Data rates: 54, 48, 36, 24, 18, 12, 9, 6 and 11, 5.5, 2, 1 Mbps
802.11b
- Ratified 1999
- 11 Mbps bandwidth
- 2.4 GHz RF band
- 3 non-overlapping channels
- Data rates: 11, 5.5, 2, 1 Mbps
- Uses DSSS modulation
- Interference from 2.4 GHz devices
- Outdoor range: 100 meters
- Indoor range: 45 meters
FORMS OF WIRELESS LAN DEPLOYMENT
AD HOC
- Wireless devices connect to one another directly without an access point
- Uses the independent basic service set (IBSS) topology
- Can be created by users on the fly to share files or services with one another
- Limited in range and security capabilities
INFRASTRUCTURE WIRELESS NETWORK
- Uses a dedicated piece of equipment (an access point) to initiate and manage the wireless network
- The two infrastructure modes are:
1. BSS (Basic Service Set)
- A single wireless access point managing a group of clients
2. ESS (Extended Service Set)
- Involves two or more wireless access points providing extended wireless coverage across the network
- 10%-15% overlap of the wireless coverage areas is required for seamless roaming
- Uses non-overlapping channels
BSS TOPOLOGY (figure)
ESS TOPOLOGY (figure)
WIRELESS DATA RATE
- The actual data rates of wireless technologies are, on average, about half of the theoretical data rate
WIRELESS IMPLEMENTATION
1. Ensure hardware operation
2. Install the wireless AP and connect it to your network
3. Configure a basic wireless network and test
4. Add wireless security and test
WLAN SECURITY THREATS
- War driving
- Direct hacking:
  - breaking into the WLAN
  - decrypting data
  - attempting a wireless DoS attack
- Employee ignorance and disobedience
DEPLOYING A SECURED WLAN
(A) WIRELESS ENCRYPTION
WEP (Wired Equivalent Privacy)
- First security measure released
- Based on the simple concept of using preshared keys (PSK) as the input to an encryption algorithm
- Uses an encryption standard called RC4: a mathematical formula that takes every piece of data you want to encrypt and scrambles it
- Uses 64-bit/128-bit encryption
WPA (Wi-Fi Protected Access)
- Proposed 2003
- Uses the TKIP (Temporal Key Integrity Protocol) encryption algorithm
- Uses 128-bit encryption strength
- More secure than WEP but uses the same hardware as WEP
WPA2
- Proposed 2004
- Officially called 802.11i
- Uses a completely different standard called AES (Advanced Encryption Standard)
- Backward compatible with WPA and WEP
- Uses new hardware (AES-enabled APs and cards)
(B) WIRELESS AUTHENTICATION (802.1X)
- Allows systems to grant or restrict access based on a variety of criteria (username, password or certificates)
- 802.1X designates three network devices for authentication:
  1. The supplicant: PC/laptop
  2. The authenticator: AP
  3. The authentication server: RADIUS server
- Both WPA and WPA2 allow for dynamic keys and 802.1X authentication
WLAN INTRUSION PREVENTION SYSTEM (IPS)
- Sets up a sensor that detects policy violations
WIDE AREA NETWORK
- Connects two or more LANs
- Service providers supply the logical connection between sites
- A WAN encompasses the physical and data-link layers of the OSI model
WAN CONNECTION TYPES
A. LEASED LINES
- A dedicated point-to-point link between two locations
- Typically the most expensive connection type
- Guaranteed level of service
- Efficient for VoIP
- Factors that affect leased-line cost are the distance apart and the amount of bandwidth required
B. CIRCUIT-SWITCHED NETWORKS
- Establish a dedicated channel (or circuit) for the duration of the transmission and tear down the channel at the end, i.e. dial-on-demand routing
- The telephone system is the world's largest circuit-switched network
- Connection oriented
C. PACKET-SWITCHED NETWORKS
- Enable service providers to create a large pool of bandwidth for their clients
- Clients apply for a specific circuit between their sites through the service provider network
D. BROADBAND
- Enables the transmission of multiple signals over a wire at one time, i.e. cable TV, high-speed Internet, telephone services, etc.
- SOHO sites use cable modem / DSL technology to connect to the Internet
E. VPN (VIRTUAL PRIVATE NETWORK)
- A secure private network over a public network (the Internet)
- Enables the creation of a tunnel through a standard Internet connection to remote sites
- Relatively cheaper
F. METROPOLITAN ETHERNET
- Connects offices within a metropolitan area (major cities)
- Fiber-optic based networks laid throughout many of the major metropolitan areas
- Allows for WAN links at speeds of 1000 Mbps or above
- Can terminate onto standard Cat 5e/6 UTP copper cable and plug directly into a switch using a fiber-to-copper converter at the customer premises
- Allows for a WAN connection without a router
WAN PHYSICAL LAYER
- A variety of standards is available
- Physical connections to the WAN are influenced by the CSU/DSU
- A CSU/DSU is a device that connects and converts the customer's WAN cabling to the service provider's WAN cabling
WAN INTERFACES ON CISCO ROUTERS
A. SERIAL INTERFACES
- Typically used by Cisco routers
- There are two types: DB-60 serial interfaces (typically old routers) and smart serial interfaces (much more space efficient)
- A WAN interface card can be installed into any of Cisco's mainline routers (1700, 2600, 3600/3800 series)
SERIAL WAN CABLE
- Connects the router to the CSU/DSU
- Converts from the Cisco router interface to a standards-based CSU/DSU connector
- The five primary standard connectors for CSU/DSU units are: V.35, X.21, EIA/TIA-232, EIA/TIA-449 and EIA/TIA-530
B. T1 INTERFACES
- Use an RJ-48 connector
- Come with a built-in CSU/DSU
- The RJ-45 connector is fastened to STP cabling in order to reduce noise
WAN DATA LINK ENCAPSULATIONS
1. SLIP (Serial Line Internet Protocol)
- Used to be a standards-based protocol for point-to-point serial connections that use only TCP/IP
- No longer used
2. POINT-TO-POINT PROTOCOL (PPP)
- Supports TCP/IP and non-TCP/IP protocols
- Supports encrypted authentication
- Popular for connecting point-to-point WAN connections
3. CISCO HIGH-LEVEL DATA LINK CONTROL (HDLC)
- Default encapsulation on all serial interfaces on Cisco routers
- Supports multiple network layer protocols, unlike the standard HDLC that supported a single network-layer protocol
4. X.25 LINK ACCESS PROCEDURE, BALANCED (LAPB)
- Used on X.25-based networks (the frame-relay predecessor)
- Used in less technologically advanced countries
5. FRAME RELAY
- Used in frame-relay WAN connections
6. ASYNCHRONOUS TRANSFER MODE (ATM)
- Chops packets into very small pieces (53 bytes each) called cells
- Can adapt to run over fiber-optic cabling
7. PPPoE & PPPoA
- Allow service providers to harness the features of PPP on Ethernet or ATM connections
- Used in DSL high-speed Internet deployments
CONFIGURATION
A. CISCO HDLC
  (config-if)# encapsulation hdlc
B. PPP
- Comprises multiple sub-protocols that serve multiple functions
- Has multiple sub-layers:
  NETWORK LAYER:     Network Control Protocol (NCP)
  DATA-LINK LAYER:   Link Control Protocol (LCP)
                     ISO High-Level Data Link Control (HDLC)
  PHYSICAL LAYER
PPP SUB-LAYERS
A. ISO HDLC
- Responsible for allowing PPP to be supported by multiple devices
- Enables the base PPP communication to continue on HDLC devices that support different features negotiated by LCP
B. LCP
- The feature negotiation layer. These features include:
1. AUTHENTICATION
- Requires a username and password for the connecting devices to bring up the WAN link
AUTHENTICATION
- Most useful for dial-up connections that could be reached by users connected via the PSTN, i.e. dial-up access to the router from a modem via the auxiliary port
- The two types of authentication are:
  I. PAP (Password Authentication Protocol)
  II. CHAP (Challenge Handshake Authentication Protocol)
I. PAP
- Sends the password in plain text: vulnerable to packet sniffing
- Susceptible to playback (replay) attacks
- The client is in complete control of the authentication attempt: the client dictates the timing of sending the username and password
- Only recommended when using very old equipment with no support for CHAP
PAP CALL FLOW PROCESS
- The client dials up to a PPP router
- The client sends its username and password at the LCP layer after the link connection is established
- The PPP router authenticates and grants access
II. CHAP
- More secure (uses MD5)
CHAP PROCESS FLOW
- The client dials up a router running PPP
- The router sends a challenge message to the client
- The client replies with its password hash
- The router authenticates the hashed password
- Re-authentication messages are sent at random intervals to the client
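Added example (not from these notes): a Python model of the PAP and CHAP exchanges just described, showing what each puts on the wire. The CHAP digest follows RFC 1994 (MD5 over identifier, secret and challenge); the function names, the "n1" secret reused from the configuration example later in the notes, and the replay helper are this example's own.

```python
"""PAP vs CHAP on a PPP link: what the client sends, and why a sniffed CHAP response cannot
simply be replayed against a new challenge. Added example, not from the notes."""
import hashlib
import hmac
import os
from typing import Dict, Optional


def pap_authenticate_request(username: str, password: str) -> Dict[str, str]:
    """PAP: both fields go across the link in clear text, so a sniffer gets the password itself."""
    return {"peer-id": username, "password": password}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    The secret never crosses the link; only this 16-byte digest does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(identifier: int, secret: str, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the digest with its own copy of the secret and compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(client_secret: str, router_secret: str, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> Dict[str, object]:
    """One challenge/response round. Returns what went on the wire and the outcome."""
    if challenge is None:
        challenge = os.urandom(16)   # fresh random challenge every time, including re-authentication
    response = chap_response(identifier, client_secret, challenge)
    return {"challenge": challenge, "response": response,
            "authenticated": chap_verify(identifier, router_secret, challenge, response)}


def replay_succeeds(captured: Dict[str, object], router_secret: str, identifier: int = 1) -> bool:
    """Someone who sniffed an earlier response resends it; the router has issued a new challenge."""
    new_challenge = os.urandom(16)
    return chap_verify(identifier, router_secret, new_challenge, captured["response"])


if __name__ == "__main__":
    print(pap_authenticate_request("A", "n1"))           # password visible on the wire
    ex = chap_exchange("n1", "n1")
    print(ex["authenticated"], ex["response"].hex())     # True, digest only, no password
    print(replay_succeeds(ex, "n1"))                     # False: the challenge changed
```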
FEATURES OF LCP
2. CALLBACK
- Enables a dial-up server to use a predefined number to call back the person that initially dialed into the location
- Merits: increased security; toll consolidation
- Process flow:
  - A user dials into the router and authenticates
  - The router terminates the connection and dials the user back using the preconfigured number
  - The user authenticates a second time upon reconnect
  - The user is granted network access upon successful authentication
3. COMPRESSION
- Conserves bandwidth. The methods used are:
i. STACKER
- Analyzes the sent data and replaces continuous streams of characters with codes
- These codes are stored in a dictionary and looked up on the other end of the connection to rebuild the original data
- Heavy on CPU but has less effect on the router's memory resources
- Good for connections that have constantly varying data types crossing them, i.e. SQL, HTTP, FTP, etc.
ii. PREDICTOR
- Attempts to predict the next character stream that will be sent or received
- Uses a similar dictionary lookup process, but takes the most common characters looked up and builds a cached index file
- Checks the index file any time some traffic needs to be sent or received, and consults the full dictionary if the character stream is not found there
- Good for connections that have fairly similar traffic patterns
- Memory intensive but with less effect on the CPU
iii. MICROSOFT POINT-TO-POINT COMPRESSION
- Used only to allow Windows dial-up users to use compression
4. MULTILINK
- Enables you to bundle multiple WAN connections into a single logical connection
- Merit: a single point of management for the logical link
- Demerit: process and memory intensive
C. NETWORK CONTROL PROTOCOL
- Allows multiple network layer protocols to run across a single WAN link, e.g. IPCP (TCP/IP), IPXCP (IPX/SPX), CDPCP (CP = control protocol)
PPP CONFIGURATION
(config-if)# encapsulation ppp
PPP AUTHENTICATION
(config)# hostname local_router_name
(config)# username remote_router password string
(config-if)# encapsulation ppp
(config-if)# ppp authentication pap | chap | pap chap | chap pap
CONFIGURATION EXAMPLE
ROUTER A
hostname A
username B password n1
int s0/0
encapsulation ppp
ppp authentication pap
compression stac
ROUTER B
hostname B
username A password n1
int s0/1
encapsulation ppp
ppp authentication pap
compression stac
PPP VERIFICATION
1. show ip interface brief
2. show interface serial 0/0
- LCP states: OPEN, CLOSED, ACKSENT, LISTEN, TERSENT
  OPEN: successful authentication
  CLOSED: failed authentication