• When we run a network that contains applications we care about the following:
1. Speed:
Bit = 0 or 1 (binary)
Byte = 8 bits (one character); for example, when we type the letter W that letter is represented by 8 bits, i.e. one byte, and the word WAS is represented by 3 bytes
W = 1 byte = 8 bits = 00101010 (as an example)
Kilobyte = 1024 bytes
Megabyte = 1024 kilobytes
Gigabyte = 1024 megabytes
Terabyte = 1024 gigabytes
Conversion table (multiply by the factor to reach the next larger unit):
8 bits = 1 byte
1024 bytes = 1 kilobyte
1024 kilobytes = 1 megabyte
1024 megabytes = 1 gigabyte
1024 gigabytes = 1 terabyte
Everything in the network is tied to bits; as an example, a modem speed of 56 kbps means 56 kilobits per second (this is also called the throughput)
kbps = kilobits per second (small b = bits)
kBps = kilobytes per second (capital B = bytes)
LAN link speeds are in general 10 Mbps, 100 Mbps, 1000 Mbps
WAN link speeds are in general 56 kbps, 1.544 Mbps (T1), 100 Mbps (as you notice, WAN link speeds are slower than LAN link speeds)
2. Delay: for example with voice over IP (VoIP), the IP phones found in the network are an example of where the delay that happens matters
3. Availability: availability of the bandwidth
• Network designs (topologies): ways of connecting your devices together
1. Bus topology: the problem with this topology is that if the thick line (the shared bus in the diagram) goes down then we lose a group of devices
Examples (a source host requesting a web page; the destination column of the original table lists the same layers, application down to physical, on the receiving side):
Application layer: send me a web page (get the Cisco web site)
Presentation layer: package it in HTTP
Session layer: create its own session for requesting the Cisco site
Transport layer: use the TCP protocol (because HTTP uses TCP in general) plus specify the source and destination ports; the source port is the web browser port (it is dynamic, for example 1098) and the destination port is 80
Network layer: it adds the source and destination IP addresses
NOTE: there is a page that describes the correlation between the 2 models
• IP address format:
1. The IP address has 4 octets; it's always combined with a subnet mask and a default gateway
2. The subnet mask dictates which portion of the IP address identifies the network and which identifies the host; in the subnet mask the number 255 represents the network part and the number 0 represents the host part
Example:
IP address: 172.30.3.82 (these are the 4 octets)
Subnet mask: 255.255.255.0
Default gateway: 172.30.3.1
Every interface on the router represents a network (it is connected to a specific network)
Example (the IP addresses stay the same along the whole path; only the MAC addresses change at every hop):
Source IP address: 10.1.1.10, source MAC address: MAC of router interface 10.2.2.1
Destination IP address: 10.5.5.100, destination MAC address: MAC of router interface 10.2.2.2
Step 3: source IP address: 10.1.1.10, source MAC address: MAC of router interface 10.3.3.1
Destination IP address: 10.5.5.100, destination MAC address: MAC of router interface 10.3.3.2
And so on until the packet reaches 10.5.5.100
TCP windowing: it increases the amount of data sent at once based on how reliable it detects the connection to be
Sequence numbers reflect how many bytes a computer is sending at once, which is why in real life they appear as big numbers
If the packet is sent locally on the same network the source uses ARP to find the MAC address of the destination
If the packet is sent to a different network, it doesn't use ARP for the destination because the router doesn't forward broadcast packets (ARP); instead the packet is sent to the default gateway (the interface of the router); in this case an ARP packet is still sent, but not to find the destination's MAC address, rather to find the MAC address of the router interface (the default gateway)
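The two ARP cases above, together with the hop-by-hop addressing example, as an added example (not from the original notes): the function decides whether a host must ARP for the destination itself or for the default gateway, and a second function traces how the MAC addresses are rewritten at each router while the IP addresses never change. The host, gateway and router interface names are constructed sample values.

```python
"""Decide the ARP target and trace per-hop addressing (added example, not from the notes)."""
import ipaddress


def arp_target(src_ip: str, subnet_mask: str, default_gateway: str, dst_ip: str) -> str:
    """Return the IP address whose MAC address the sender must resolve with ARP.

    If the destination is on the sender's own network, the sender ARPs for the
    destination itself. Otherwise the router will not forward the ARP broadcast,
    so the sender ARPs for the default gateway (the router interface on its own
    network) and hands the packet to it.
    """
    local_net = ipaddress.IPv4Network(f"{src_ip}/{subnet_mask}", strict=False)
    if ipaddress.IPv4Address(dst_ip) in local_net:
        return dst_ip
    return default_gateway


def forward_path(src_ip: str, dst_ip: str, hops: list) -> list:
    """Trace the addressing of a packet crossing several routers.

    ``hops`` is a list of (ingress_mac, egress_mac) pairs, one per router, in
    the order the packet traverses them. On every leg the source MAC is the
    previous device's sending interface and the destination MAC is the next
    router's receiving interface; the IP addresses are never rewritten.
    """
    path = []
    src_mac = "PC-MAC"                     # constructed label for the sending host
    for ingress_mac, egress_mac in hops:
        path.append({"src_ip": src_ip, "dst_ip": dst_ip,
                     "src_mac": src_mac, "dst_mac": ingress_mac})
        src_mac = egress_mac               # the router re-sources the frame on its way out
    path.append({"src_ip": src_ip, "dst_ip": dst_ip,
                 "src_mac": src_mac, "dst_mac": "DEST-MAC"})
    return path


if __name__ == "__main__":
    # Same network: ARP for the destination. Different network: ARP for the gateway.
    print(arp_target("10.1.1.10", "255.255.255.0", "10.1.1.1", "10.1.1.20"))
    print(arp_target("10.1.1.10", "255.255.255.0", "10.1.1.1", "10.5.5.100"))
    routers = [("MAC-10.1.1.1", "MAC-10.2.2.1"), ("MAC-10.2.2.2", "MAC-10.3.3.1")]
    for leg in forward_path("10.1.1.10", "10.5.5.100", routers):
        print(leg)
```

The second leg printed by the script reproduces the notes' example: source MAC = router interface 10.2.2.1, destination MAC = router interface 10.2.2.2, with the IP addresses 10.1.1.10 and 10.5.5.100 unchanged.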
Ethernet speed is measured in bits per second (bps), not bytes per second (Bps) (as an example, Ethernet speed = 10 Mbps, not 10 MBps)
• Ethernet operates at the physical layer and the data link layer:
Data link layer:
Logical link control (LLC) sublayer: it picks which direction the data will go in at the network layer
Media access control (MAC) sublayer: this sublayer defines the addressing used by Ethernet (it defines the MAC addresses)
Physical layer: examples of the physical standards are CAT 5 and RJ45 connections, wireless and fiber optic
CSMA/CD (carrier sense multiple access / collision detection): CSMA/CD is a set of rules governing how you talk on an Ethernet network:
Carrier: the network signal
Sense: the ability to detect whether there is a carrier signal (in general Ethernet devices detect the carrier signal)
Multiple access: all devices have equal access
Collision: what happens if two devices send at the same time
Detection: how the computers handle collisions when they happen
Any Ethernet device like a switch port or a NIC must support CSMA/CD
Ethernet uses CSMA/CD and token ring uses CSMA/CA (carrier sense multiple access / collision avoidance); in token rings a collision won't happen at all because there is only one token available (only one device sends at a time)
• Methods of communication:
1. Unicast message: when one computer wants to send to another computer
2. Broadcast message: one message sent to all (example: an ARP packet; it will go out all of the switch ports except the one it was received on)
3. Multicast message: one message sent to a group of devices; the message arrives at a group of computers if they are members of that multicast group; the main advantage of multicast messages is that they help reduce the consumption of the available bandwidth
Example of using multicast: a radio stream; if this radio stream uses unicast messages then it will use a lot of bandwidth to maintain a link for each PC running that radio channel, and if it uses broadcast messages then the network will be flooded, so the best solution for radio streams is to use multicast messages
• Ethernet cables:
                   Category 5 (CAT 5) unshielded twisted pair (UTP)   Multi-mode fiber                 Single-mode fiber
Maximum distance   100 meters                                         275 meters to a few miles        1 mile to many miles
Connection type    RJ-45 (a famous type)                              Varies (this type is better)     Varies
• Cabling standards (wire colour per pin number):
Pin number   1             2        3             4      5           6        7            8
T568-A       green strip   green    orange strip  blue   blue strip  orange   brown strip  brown
T568-B       orange strip  orange   green strip   blue   blue strip  green    brown strip  brown
Straight-through connection = T568A + T568A or T568B + T568B
Crossover connection = T568A + T568B
You can do a customized cabling standard, but in this case it won't support the maximum standard distance of CAT 5, which is 100 meters!
• Ethernet connection rules:
1. Unlike devices use straight-through cables
Examples: PC connected to a switch, router connected to a switch, PC connected to a hub, router connected to a hub
2. Like devices use crossover cables
Examples: PC connected to another PC, router connected to another router, PC connected to a router, switch connected to another switch, hub connected to another hub, switch connected to a hub
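Why T568A + T568B gives a crossover, as an added example (not from the original notes): the pin tables above are encoded and each pin on one end is mapped to the pin on the other end that carries the same wire colour; an identity mapping is a straight-through cable, while the 1-3 / 2-6 swap is a crossover. The like/unlike device classification follows the connection rules above (a PC and a router count as like devices, as the notes state); the device category names are assumptions of this example.

```python
"""Derive cable type from the T568A/T568B pinouts (added example, not from the notes)."""

T568A = {1: "green strip", 2: "green", 3: "orange strip", 4: "blue",
         5: "blue strip", 6: "orange", 7: "brown strip", 8: "brown"}
T568B = {1: "orange strip", 2: "orange", 3: "green strip", 4: "blue",
         5: "blue strip", 6: "green", 7: "brown strip", 8: "brown"}


def pin_map(end_a: dict, end_b: dict) -> dict:
    """Map each pin on end A to the pin on end B carrying the same wire colour."""
    colour_to_pin_b = {colour: pin for pin, colour in end_b.items()}
    return {pin: colour_to_pin_b[colour] for pin, colour in end_a.items()}


def cable_type(end_a: dict, end_b: dict) -> str:
    """Classify the cable built from one standard on each end."""
    mapping = pin_map(end_a, end_b)
    if all(a == b for a, b in mapping.items()):
        return "straight-through"
    # 10/100 Ethernet transmits on pins 1-2 and receives on pins 3-6; a crossover
    # swaps those pairs so one device's transmit pair lands on the other's receive pair.
    if mapping[1] == 3 and mapping[2] == 6 and mapping[3] == 1 and mapping[6] == 2:
        return "crossover"
    return "non-standard"


# Device categories (assumed names): end stations transmit on 1-2, infrastructure
# ports (switches, hubs) are wired the opposite way, so like devices need a crossover.
END_STATIONS = {"pc", "router"}


def cable_for(device1: str, device2: str) -> str:
    """Apply the connection rules: like devices crossover, unlike devices straight-through."""
    a_is_end = device1.lower() in END_STATIONS
    b_is_end = device2.lower() in END_STATIONS
    return "crossover" if a_is_end == b_is_end else "straight-through"


if __name__ == "__main__":
    print(pin_map(T568A, T568B))        # {1: 3, 2: 6, 3: 1, 4: 4, 5: 5, 6: 2, 7: 7, 8: 8}
    print(cable_type(T568A, T568B))     # crossover
    print(cable_for("PC", "switch"))    # straight-through
    print(cable_for("switch", "hub"))   # crossover
```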
• Hubs:
A hub only regenerates the signal (a packet that is sent is received by all)
Hub = 1 collision domain and 1 broadcast domain
A hub is also called shared CSMA/CD
The problem with a hub is that only 1 device can send or receive at a time; in case a collision occurs (two devices sent at the same time) one of the devices that detected the collision will send a jam packet to stop all the network communications
The more devices on a hub, the higher the chance of a collision happening
Hubs work at the physical layer
Collision domain: how many devices can send and receive at the same time
11. LANS: working with the Cisco switch IOS (29:15 mins)
Router# show history: this command is used to check all the commands I typed before; it memorizes up to 10 by default and this value can be changed
• IOS modes:
1. Switch > : this is called user mode (user exec); only basic show commands, telnet commands and the ping command can be run in this mode
2. Switch # : this is called privileged mode (privileged exec); from user mode you type the command ENABLE to enter this mode; you can view anything in this mode, like viewing the current configuration of the switch/router
3. Switch (config) # : this is called global configuration mode; in this mode we configure global commands, and those global commands affect the whole switch/router; as an example, if you type the Switch (config) # hostname …. command this will change the hostname of the router/switch; to enter this mode you type Switch # config terminal from privileged mode
4. Switch (config-if) # : this is called interface configuration mode; any command typed in this mode affects a specific interface only; to enter this mode you type, as an example, the command Switch (config) # interface fa0/0 from global configuration mode
Switch (config-if) # end : this moves you back to privileged mode from interface mode
If you type the command EXIT in any mode it will move you back one step
CTRL+Z moves you back to privileged mode from any mode
CTRL+E moves the cursor to the end of the line
CTRL+A moves the cursor to the beginning of the line
• Once you boot the switch you will notice the following on the screen (IN ORDER!):
the MAC address of the switch
the flash that holds the IOS
the decompression process for the IOS and the copying of the IOS information to the NVRAM
the switch model, the IOS version and the .bin flash file name
it shows the test process for the internal parts
it shows the memory of the switch, as an example 65526K/8192K
it shows how many interfaces are installed
it shows how much NVRAM is found (this is where the switch stores its configuration)
at the end of the boot process it will ask you whether to enter the initial setup wizard or not
The enable secret and enable password commands allow you to protect privileged mode:
Router (config) # enable password PASSWORD
Router (config) # enable secret PASSWORD
CTRL+C is used to exit the initial setup wizard
The Router (config) # hostname NAME command is used to change the hostname of the router
• General information about VLANs:
Number of VLANs = number of broadcast domains
Using VLANs, each VLAN is isolated from the others
By default VLAN 1 is created and all the interfaces in the switch are assigned to that default VLAN (VLAN 1)
To configure a management IP for the switch we need to configure interface VLAN 1:
Interface VLAN 1 is a virtual interface that is used in general for configuring an IP address on the switch so that we have the ability to telnet to that particular switch; in general all members of VLAN 1 can reach interface VLAN 1
To have the ability to telnet to a switch we need to configure an IP address and a default gateway
To configure an IP address and a default gateway for the switch:
Switch (config) # interface vlan 1
Switch (config-if) # ip address 172.30.2.180 255.255.255.0 (this configures the IP)
Switch (config-if) # no shutdown
Switch (config) # ip default-gateway 172.30.2.1 (this configures the default gateway)
The Switch # show interface vlan 1 command is used to see the status of interface VLAN 1 and the IP configured for that particular switch. If we run that command and see the following: "Vlan1 is administratively down, line protocol is down", then "administratively down" means that the interface is shut down and we need to enable it with the no shutdown command (Switch (config-if) # no shutdown); the first part shows the physical state (physical layer state) and "line protocol is down" shows the data link state (data link layer state)
The Switch # show running-config command (Switch # show run) is used to show the current configuration (running-config is the configuration found in the RAM); if the switch goes down we lose this configuration, which is why we save the running-config to the startup-config (startup-config is the configuration found in NVRAM, non-volatile RAM)
The Switch # show startup-config command is used to show the startup configuration (startup-config is the configuration found in the NVRAM)
The Switch # show version command is used to show the model of the switch, the current IOS version that is running on the switch, how long the switch has been up and running, the model number of the switch and the memory available on the switch
The Switch # copy running-config startup-config command is used to copy the configuration from the RAM to the NVRAM so that if the switch goes down we won't lose the configuration
If you don't set a password on the switch it won't allow you to telnet to it until you set one
User mode passwords are the passwords on the telnet (vty) ports, the console port and the auxiliary port
Privileged mode passwords are the passwords configured using the commands Switch (config) # enable password PASSWORD and Switch (config) # enable secret PASSWORD
The Switch (config) # enable password PASSWORD command is used to enable security on privileged mode (#) (it sets the privileged mode password); the problem with this command is that the password appears in Switch # show run as plain text
Example:
> enable
Password:
#
The Switch (config) # enable secret PASSWORD command is used to enable security on privileged mode (#) (it sets the privileged mode password); this password appears in Switch # show run hashed (encrypted), and the Switch (config) # enable secret PASSWORD command supersedes the Switch (config) # enable password PASSWORD command
To do a quick backup of the switch/router we copy the running configuration to a notepad, and if we want to restore that configuration we just enter global configuration mode and paste it there
The Switch # show run command is used to view the configured passwords (privileged mode password and user mode passwords); in general the telnet passwords, console password, enable password and auxiliary password appear in plain text, and the enable secret password is the only one that appears encrypted
Based on the previous point, if we want to encrypt all the passwords that appear in the Switch # show run output we use the Switch (config) # service password-encryption command
Example:
Switch # show run
enable secret 5 2nbjhb/$ksjh     <- this is called level 5 encryption (MD5 hashing)
!
!
line con 0
 password 7 234shdj              <- this is called level 7 encryption; it is weak and can be broken easily (you can Google for BREAK CISCO PASSWORD)
To protect privileged mode (#) with a password we use the Switch (config) # enable secret PASSWORD command or the Switch (config) # enable password PASSWORD command
To protect user mode (>) with a password we secure the telnet ports, the console port and the auxiliary port
To configure a password on the console port:
Switch (config) # line con 0
Switch (config-line) # password PASSWORD (assigns a password to the console)
Switch (config-line) # login (tells the router to ask for the password)
To configure a password on the telnet ports:
Switch (config) # line vty 0 4
Switch (config-line) # password PASSWORD
• Notes:
The Switch (config-line) # login command is configured by default on the telnet lines; with it, the prompt says "password required, but none set" in case we didn't configure a password, or "Password:" in case we configured one
If we configure the command Switch (config-line) # no login then you can enter the switch using telnet without being prompted for a password
Vty ports are the ports that accept telnet sessions; as an example, if we configure the command Switch (config) # line vty 0 15 that means we are configuring 16 telnet sessions (this is the maximum the switch can handle), so in this case 16 telnet sessions can be active at the same time (16 people can telnet at the same time)
If we configure the command Switch (config) # line vty 0 1 then only 2 people will be asked for a password and can telnet to the switch
• Login banners:
1. Banner login: this banner is displayed when you log in using VTY (it appears before requesting the user name and password)
2. Banner MOTD: this banner is displayed once you connect to the router directly, whether you telnet to the router or connect by console
Note: if you configure both the banner MOTD and the banner login, the banner MOTD will appear before the banner login
The Switch (config) # banner motd " here I type anything I want to appear " command is used to configure the banner MOTD; the " is the delimiting character, any symbol can be used, but it must be the same at the beginning and the end of the text I want to include
Telnet is weak because its password can be captured by packet sniffers like the Wireshark program
To configure telnet we only need to configure a password for it
SSH (secure shell): it's telnet plus an encryption protocol
• To configure SSH:
1. It needs a user name and password
2. Assign a domain name that will be used to generate the encryption certificates (RSA keys)
3. Generate RSA keys to secure the SSH sessions; the key name follows the template switchname.domainname (example: SW1.virus.com, where SW1 is the switch name and virus.com is the domain name)
4. Specify which version of SSH to use
5. Configure the lines to use SSH instead of telnet
The following example will show how to configure SSH, specifying each point from above:
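An added example (not from the original notes, and not Cisco code) that audits a switch running-config for the weaknesses discussed in the password section and in the SSH steps above: plain-text enable password, missing service password-encryption, reversible type 7 line passwords, vty lines with no login, lines that still accept telnet, and SSH version not pinned to 2. Both configs are constructed samples; the IOS commands username ... secret, ip ssh version 2, login local and transport input ssh are the standard commands behind the five SSH steps but are not shown in the notes, so their exact spelling here is this example's assumption.

```python
"""Audit an IOS running-config for weak password and remote-access settings (added example)."""
import re

# Constructed sample: the weak configuration the notes warn about.
WEAK_CONFIG = """\
hostname SW1
ip domain-name virus.com
enable password cisco
enable secret 5 $1$constructed$samplehashXXXXXXXXXXXXXX
username shady privilege 15 password 0 letmein
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 password telnet123
 no login
line vty 5 15
 transport input telnet
"""

# Constructed sample: the same switch after applying the notes' advice plus SSH.
HARDENED_CONFIG = """\
hostname SW1
ip domain-name virus.com
service password-encryption
enable secret 5 $1$constructed$samplehashXXXXXXXXXXXXXX
username shady privilege 15 secret 5 $1$constructed$anotherhashXXXXXXXXXX
ip ssh version 2
!
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_config(text: str):
    """Split a running-config into global commands and the indented 'line ...' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented: belongs to the open line section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(text: str) -> list:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    global_cmds, sections = parse_config(text)
    findings = []
    if not any(g.startswith("enable secret") for g in global_cmds):
        findings.append("no 'enable secret' configured for privileged mode")
    if any(g.startswith("enable password") for g in global_cmds):
        findings.append("'enable password' present: stored in plain text, use 'enable secret' instead")
    if "service password-encryption" not in global_cmds:
        findings.append("'service password-encryption' not set: line passwords appear in plain text")
    if not any(g.startswith("ip ssh version 2") for g in global_cmds):
        findings.append("SSH version 2 not forced ('ip ssh version 2')")
    for g in global_cmds:
        if g.startswith("username ") and " secret " not in g:
            findings.append(f"user {g.split()[1]}: password not stored as a secret hash")
    for name, cmds in sections.items():
        if "no login" in cmds:
            findings.append(f"{name}: 'no login' lets sessions in without any password")
        elif not any(c.startswith("password") for c in cmds) and "login local" not in cmds:
            findings.append(f"{name}: no password configured")
        for c in cmds:
            if re.match(r"password 7 ", c):
                findings.append(f"{name}: type 7 password is reversible, not a real hash")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: telnet still allowed, set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for line in audit(WEAK_CONFIG):
        print("WEAK:", line)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run against the weak sample the audit reports nine findings, while the hardened sample passes clean; the parser only understands the "line ..." sections because those are where the notes' user-mode passwords live, so other indented blocks (interfaces, for example) are ignored rather than misread.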
The Switch # show ip interface brief command is used to show which IP addresses are configured and which interfaces we have on the switch; it appears as a table, and in the table there is a column called status that represents the physical layer and another column called protocol that represents the data link layer
The Switch # terminal monitor command is used to display all the system messages on the screen while connected over a telnet/SSH session
Example: 01:38:06: %SYS-5-CONFIG_I: Configured from console by shady on vty0 (172.30.2.50)
A console session shows those messages on the screen by default
The Switch # show mac address-table command is used to show the MAC address table; it contains static MAC addresses (learnt manually by adding them to the table) and dynamic MAC addresses (learnt automatically)
• Port security:
Port security is a way to lock down which devices can plug in to the switch or how many devices can plug in to your switch
Using port security we can secure the port by MAC address so that only specific computers can connect to specific ports
To configure port security:
Switch (config) # interface fastethernet 0/5
Switch (config-if) # switchport mode access (this command changes the port mode to an access port; access ports are configured when we connect an end device to that port, like a PC or a router; in case this port is connected to another switch we configure the port mode to be TRUNK)
Switch (config-if) # switchport port-security (this command only enables port security)
Switch (config-if) # switchport port-security maximum 1 (this command means that the maximum number of MAC addresses allowed to connect to this port (interface) is 1; because 1 is the default, this command won't appear in the Switch # show run results)
Switch (config-if) # do show run int fa0/5 (the DO command allows us to run any show command from any mode instead of running it from privileged mode only)
The Switch # show port-security interface fastethernet 0/5 command is used to show the port security information for a specific interface
Example:
Switch # show port-security interface fastethernet 0/5
Port status: secure-up
Security violation count: 0
Last source address: VLAN: 0015.c5af.ea37:1
• Notes about the above example:
If the PC is connected to the port the port status will show secure-up; if the PC isn't connected to the port it will show secure-down; and finally if the port has been shut down because it was violated it will show secure-shutdown
The security violation count shows how many violations happened on this port; the restrict keyword increases this count but the protect keyword doesn't
The Switch # show port-security interface fastethernet 0/5 command shows the last MAC address that violated security
The Switch # show port-security command is used to show the port security information for all interfaces
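Reading that output programmatically, as an added example (not from the original notes): the parser turns the "key: value" lines of show port-security interface into a dictionary, pulls the MAC and VLAN out of the last-source line, and then flags the ports that are in secure-shutdown or have a non-zero violation count. The two interface outputs are constructed samples in the format shown above, including the extra violation-mode and maximum lines.

```python
"""Parse 'show port-security interface' output and flag ports needing attention (added example)."""
import re

# Constructed sample output for two interfaces, in the format shown in the notes.
SAMPLE_OUTPUT = {
    "FastEthernet0/5": """\
Port status: secure-up
Violation mode: restrict
Maximum MAC addresses: 1
Security violation count: 0
Last source address: VLAN: 0015.c5af.ea37:1
""",
    "FastEthernet0/6": """\
Port status: secure-shutdown
Violation mode: shutdown
Maximum MAC addresses: 1
Security violation count: 3
Last source address: VLAN: 0011.2233.4455:1
""",
}

# Cisco-style MAC (xxxx.xxxx.xxxx) optionally followed by ':vlan'.
MAC_RE = re.compile(r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})(?::(\d+))?", re.I)


def parse_port_security(text: str) -> dict:
    """Turn 'key: value' lines into a dict; the last-source line yields MAC and VLAN."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)       # split on the first colon only
        key = key.strip().lower()
        value = value.strip()
        if key == "last source address":
            m = MAC_RE.search(value)
            info["last_mac"] = m.group(1).lower() if m else None
            info["last_vlan"] = int(m.group(2)) if m and m.group(2) else None
        elif key == "security violation count":
            info["violations"] = int(value)
        else:
            info[key.replace(" ", "_")] = value
    return info


def needs_attention(ports: dict) -> dict:
    """Return {interface: reason} for ports that were shut down or saw violations."""
    flagged = {}
    for name, text in ports.items():
        info = parse_port_security(text)
        if info.get("port_status") == "secure-shutdown":
            flagged[name] = f"port shut down after a violation, last MAC {info.get('last_mac')}"
        elif info.get("violations", 0) > 0:
            flagged[name] = f"{info['violations']} violation(s), last MAC {info.get('last_mac')}"
    return flagged


if __name__ == "__main__":
    for port, reason in needs_attention(SAMPLE_OUTPUT).items():
        print(port, "->", reason)
```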
Switch (config) # interface range fastethernet 0/2-24 (this command is used to configure a range of ports at the same time with the same configuration; this command configures ports 2-24)
Switch (config-if-range) # switchport mode access
Switch (config-if-range) # switchport port-security
By default each port on the switch is configured as auto duplex and auto speed (it auto-detects the duplex and speed); most of the problems that happen on the switch aren't from detecting the speed but from detecting the duplex, like the duplex mismatch problem
Duplex mismatch is a problem that happens if one side is configured as half duplex and the other side is configured as full duplex (a PC connecting slowly is a result of duplex mismatch; another example is a switch port that shows collisions, because as we know there shouldn't be collisions when we use switches, and in case there are, the problem would probably be a duplex mismatch)
Full duplex is to send and receive at the same time
Domain lookup: this is a feature that lets you type any word in privileged mode and the router/switch starts trying to translate that word to an IP address; in general we disable this feature using the command Switch (config) # no ip domain-lookup
Example:
Before applying the command Switch (config) # no ip domain-lookup:
Switch# flow
Translating "flow"... domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address
Above it's trying to resolve the word flow (probably a device on the network) to an IP address by sending broadcast messages to find that IP address
After applying the command:
Switch# flow
% Unknown command or computer name, or unable to find computer address
There isn't any translation process now, so no broadcast messages are sent
Alias: in case we have a long command we can make an alias for it and use the alias instead of typing that command every time
Switch (config) # alias exec s show ip interface brief
In this command we must specify the mode the actual command (show ip interface brief) runs in, here privileged mode (exec), and the alias we chose, the letter s
• Broadcast storms and STP (spanning tree protocol):
If there are 17928 packets input and 14446 broadcasts received then the broadcast share would be 14446/17928 = 0.80 = 80% (80% of the packets are broadcasts); in general the broadcast packets mustn't be more than 20%
The Switch # show interface description command shows the ports of the switch, the status of each port and the description (what has been configured using the Switch (config-if) # description DESCRIPTION command) of each port; it also shows all the bad packets like runts, giants, input errors, CRC, frame, overrun, ignored and throttles, and finally it shows the total packets output, collisions and late collisions
Runts (packets that are too small in size) and giants (packets that are too big in size) are dropped in general and they result from bad connections
Input errors, CRC and frame errors usually result from a faulty NIC or switch port, or from interference on the cable itself
Late collisions happen if the cable is too long (longer than 100 meters for CAT 5 cables), because if the cable is too long then the distance the packet has to travel is long as well
Collisions usually happen when there is a duplex mismatch
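The broadcast-storm rule of thumb and the counter interpretations above, turned into a check over real counter lines, as an added example (not from the original notes): the counters are pulled out of a show interfaces block with regular expressions, the broadcast share is compared against the 20% limit, and runts/giants, input errors/CRC, late collisions and plain collisions are each mapped to the cause the notes give. The interface output is a constructed sample in the standard IOS layout, reusing the 17928 / 14446 figures from the calculation above.

```python
"""Diagnose 'show interfaces' counters: broadcast storm, cabling and duplex faults (added example)."""
import re

# Constructed sample block in the usual IOS 'show interfaces' layout.
SAMPLE_SHOW_INTERFACE = """\
FastEthernet0/1 is up, line protocol is up (connected)
  5 minute input rate 12000 bits/sec, 9 packets/sec
     17928 packets input, 2296251 bytes, 0 no buffer
     Received 14446 broadcasts (0 multicasts)
     3 runts, 1 giants, 0 throttles
     4 input errors, 4 CRC, 0 frame, 0 overrun, 0 ignored
     12041 packets output, 1805034 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 2 late collision, 0 deferred
"""

COUNTER_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "broadcasts": r"Received (\d+) broadcasts",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",        # does not match 'late collision' (no trailing s)
    "late_collisions": r"(\d+) late collision",
}

BROADCAST_LIMIT = 0.20   # the notes' rule of thumb: broadcasts should stay below 20%


def parse_counters(text: str) -> dict:
    """Extract the named counters; a counter that is absent from the text counts as 0."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def broadcast_ratio(counters: dict) -> float:
    """Share of input packets that were broadcasts (0.0 when nothing was received)."""
    if counters["packets_input"] == 0:
        return 0.0
    return counters["broadcasts"] / counters["packets_input"]


def diagnose(text: str) -> list:
    """Map the counters to the likely causes listed in the notes."""
    c = parse_counters(text)
    findings = []
    ratio = broadcast_ratio(c)
    if ratio > BROADCAST_LIMIT:
        findings.append(f"broadcast storm suspected: {ratio:.0%} of input packets are broadcasts")
    if c["runts"] or c["giants"]:
        findings.append("runts/giants seen: check for a bad connection")
    if c["input_errors"] or c["crc"]:
        findings.append("input errors/CRC: suspect a faulty NIC, switch port or cable interference")
    if c["late_collisions"]:
        findings.append("late collisions: cable may exceed 100 m, or duplex mismatch")
    elif c["collisions"]:
        findings.append("collisions on a switch port usually mean a duplex mismatch")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SHOW_INTERFACE):
        print(finding)
```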
The Switch # show run command is the easiest way to check the current configuration
1. 900 MHz range: 902 MHz-928 MHz (this is a low data rate and it covers big ranges); we don't find a lot of devices within this range, because the lower the frequency (lower data rates) the further the range you get, but that results in less bandwidth (lower frequency = further range = less bandwidth)
2. 2.4 GHz range: 2.400 GHz-2.483 GHz
3. 5 GHz range: 5.150 GHz-5.350 GHz (this is a high data rate and it covers shorter ranges)
• Understanding radio frequencies (RF):
1. Radio frequency (RF) waves are absorbed (when passing through walls) or reflected (by metal)
2. Higher data rates (high frequencies) have shorter ranges (the more speed you are using, the closer you must be to the WAP)
3. In general, the further you get from the wireless access point the weaker the signal becomes
4. 802.11 (wireless), 802.3 (Ethernet)
• The 802.11 line-up:
1. 802.11b:
Most popular standard (more popular than 802.11a although 802.11a is better)
The speed reaches up to 11 Mbps (1, 2, 5.5, 11 data rates)
Three clean channels available without any interference
It uses 2.4 GHz RF
2. 802.11g:
Backwards compatible with 802.11b
The speed reaches up to 54 Mbps (12 data rates)
Three clean channels available without any interference
It uses 2.4 GHz RF
3. 802.11a:
The speed reaches up to 54 Mbps (12 data rates)
12 to 23 clean channels available without any interference
It uses 5.8 GHz RF
Not cross-compatible with 802.11b/g because 802.11a uses a different range (5.8 GHz) than 802.11b/g (2.4 GHz)
NOTE: there is a page that describes wireless channels and the clean channels
Wireless access points (WAP) in general have a coverage of 300 feet without obstructions
ITU-R: International Telecommunication Union - Radiocommunication Sector; this regulates the radio frequencies used for wireless transmission
The Institute of Electrical and Electronics Engineers (IEEE) maintains the 802.11 wireless transmission standards
The Wi-Fi Alliance ensures certified interoperability between 802.11 wireless vendors
1. War driving: driving your car around a neighborhood that has a wireless connection and using that connection for free
2. Hackers
3. Employees: some employees may bring their own wireless access points and plug them into the company network to have a wireless connection; those wireless access points are called rogue wireless access points
• Wireless security: in general it's a combination of authentication and encryption
1. Authentication: an example of authentication is to require a user name and password, or to use certificates to accomplish the authentication process (examples of authentication methods are 802.1x authentication and pre-shared keys)
2. Encryption: anything sent on the network is encrypted to protect the data (examples of encryption methods are WEP (wired equivalent privacy), WPA (Wi-Fi protected access) and WPA2)
3. Intrusion prevention system (IPS): it is used to detect rogue wireless access points; if the IPS detects a rogue access point it will shut down the port the rogue access point has been connected to, or the IPS will send you a message or email
• Evolution of wireless security:
1. Originally: pre-shared key WEP. A pre-shared key is a security system where you type a key on the wireless access point and all the clients that join that wireless access point must type that same key; in general the pre-shared key method is weak because if one of the employees leaves the company then you need to change that key on all the devices
2. Evolution 1: pre-shared key WPA1. This evolution improves the security from WEP encryption to WPA1 encryption, as WPA1 uses the TKIP (temporal key integrity protocol) method for the encryption and that is a bit stronger compared to WEP encryption
3. Evolution 2: WPA1 and 802.1x authentication. In general the 802.1x authentication concept is: when a device joins the wireless access point it sends that access point a user name and password or a certificate, depending on which authentication method the device is using; the access point passes that user name and password or that certificate to a specific server to check that this user name and password or this certificate is valid; after that the server reports back to the access point that the user name and password or the certificate is valid; finally the device joins the wireless access point's network
Each time a device joins the wireless access point several encryption keys (those aren't pre-shared keys) are generated using an encryption algorithm (every new session established creates new encryption keys)
The advantage of 802.1x authentication is that it's a bit stronger; let's say, for example, one of the employees leaves the company: we don't need to change the key as we did in the pre-shared key method, instead we just disable the user account or the certificate that employee was using on the main server
4. Evolution 3: WPA2 (802.11i) and 802.1x authentication. This evolution improves the security from WPA1 encryption and 802.1x authentication to WPA2 encryption and 802.1x authentication, as WPA2 uses the AES (advanced encryption standard) method for the encryption and that is a bit stronger compared to WPA1, which uses the TKIP (temporal key integrity protocol) method for the encryption
NOTE: evolution 2 and evolution 3 support pre-shared keys as well
• Understanding the SSID:
The service set identifier (SSID) uniquely identifies and separates wireless networks; the SSID is the name of the wireless network
You can have a wireless access point that has multiple SSIDs; as an example you can have a wireless access point that has 2 SSIDs, one called public (unsecured network) and the other called private (secured network)
When a wireless client is enabled the following happens:
1. The client issues a probe (request)
2. The wireless access point responds with a beacon (on the client side all the available SSIDs appear, in other words the client can see the available networks)
3. The client associates with a chosen SSID (the client joins the SSID held by the wireless access point that has the strongest signal, as this SSID may be shared by multiple wireless access points, so the client associates itself with the one that provides the strongest signal)
4. The wireless access point adds the client MAC address to its association table
If the signal gets weak then the client re-issues another probe (request), and the closer wireless access point with the same SSID replies back to the client
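The probe / beacon / associate exchange and the re-probe on a weak signal, simulated from both sides as an added example (not from the original notes): the client probes, collects beacons, picks the strongest access point advertising the chosen SSID, the access point records the client MAC in its association table, and when the current signal drops below a threshold the client probes again and roams. Access point names, SSIDs, signal values, the client MAC and the weak-signal threshold are all constructed.

```python
"""Simulate 802.11 probe, beacon, association and roaming (added example, not from the notes)."""


class AccessPoint:
    def __init__(self, name: str, ssids, signal: int):
        self.name = name
        self.ssids = set(ssids)            # one AP may advertise several SSIDs
        self.signal = signal               # signal strength as seen by the client (constructed 0-100 scale)
        self.association_table = set()     # MAC addresses of clients joined to this AP

    def beacon(self) -> dict:
        """Answer a probe with the SSIDs offered and the signal strength."""
        return {"ap": self, "ssids": self.ssids, "signal": self.signal}

    def associate(self, client_mac: str) -> None:
        self.association_table.add(client_mac)

    def disassociate(self, client_mac: str) -> None:
        self.association_table.discard(client_mac)


class WirelessClient:
    WEAK_SIGNAL = 30   # below this the client re-issues a probe (constructed threshold)

    def __init__(self, mac: str):
        self.mac = mac
        self.ap = None

    def probe(self, aps) -> list:
        """Step 1 and 2: send a probe request and collect every AP's beacon."""
        return [ap.beacon() for ap in aps]

    def available_ssids(self, aps) -> list:
        """What the user sees after the beacons arrive."""
        return sorted({ssid for b in self.probe(aps) for ssid in b["ssids"]})

    def join(self, aps, ssid: str) -> str:
        """Step 3 and 4: associate with the strongest AP advertising the chosen SSID."""
        candidates = [b for b in self.probe(aps) if ssid in b["ssids"]]
        if not candidates:
            raise LookupError(f"no access point advertises {ssid}")
        best = max(candidates, key=lambda b: b["signal"])["ap"]
        if self.ap is not None:
            self.ap.disassociate(self.mac)
        best.associate(self.mac)           # AP adds the client MAC to its association table
        self.ap = best
        return best.name

    def check_signal(self, aps, ssid: str):
        """Roam: if the current AP's signal is weak, probe again and join the closer AP."""
        if self.ap is not None and self.ap.signal < self.WEAK_SIGNAL:
            return self.join(aps, ssid)
        return self.ap.name if self.ap else None


if __name__ == "__main__":
    lobby = AccessPoint("AP-lobby", ["public", "private"], 80)
    office = AccessPoint("AP-office", ["private"], 55)
    client = WirelessClient("00aa.bbcc.dd01")
    print(client.available_ssids([lobby, office]))        # ['private', 'public']
    print(client.join([lobby, office], "private"))        # AP-lobby (strongest)
    lobby.signal = 20                                     # the client walks away from the lobby
    print(client.check_signal([lobby, office], "private"))  # AP-office
```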
• The correct design of a wireless LAN (WLAN):
1. Radio frequency (RF) service areas should have 10%-15% overlap (this percentage can be measured using Fluke Networks tools or software sniffers)
2. Repeaters should have 50% overlap
3. Bordering access points should use different channels
• Setting up a wireless network:
1. Pretest the switch port that will be used to connect the wireless access point by connecting a laptop to it and testing the DHCP service and DNS service on that laptop while it is connected to that switch port
2. Connect the wireless access point to that switch port
3. Set up and test the SSID that has been created, without configuring additional security
4. Add security (WEP/WPA1/WPA2) to the wireless access point and test it
5. Add authentication (802.1x/pre-shared key) to the wireless access point and test it
• IPv4 address :
IPv4 address can be one of 3 different classes : class A , class B and class C
When the IP address is combined with a subnet mask it defines a network and host
portion ( example : if we have the ip address 10.1.1.1 with a subnet mask 255.0.0.0 we
notice that 10 is the network part ( because its linked with 255 from the subnet mask )
and 1.1.1 is the host part ( because its linked with 0 from the subnet mask )
IP protocol Operates at layer 3 of the OSI model
IPv4 address is a 4 octet address ( 4 byte address as 1 octet equals 1 byte or 32 bit
address , example : 10.10.10.10)
Working with binary :
Example: we want to convert 210 in decimal to binary
27 26 25 24 23 22 21 20
128 64 32 16 8 4 2 1
binary 1 1 0 1 0 0 1 0
After adding the numbers that is linked with 1 in binary we will have the number:
32+16+4+2=54 in decimal
NOTE: this section explains subnetting based on the reverse engineering method ( we are given the IP and the subnet mask and we need to find the network range for that specific IP )
Example: if you have the IP address 192.168.1.127 and the subnet mask 255.255.255.224 , what will the network range that includes this given IP address be?
256-224 = 32 is the increment , so we keep adding the increment ( 0 , 32 , 64 , 96 , 128 ... ) until we find the range that contains the address:
192.168.1.96-192.168.1.127 , and finally we discover that the IP 192.168.1.127 isn't a valid host IP , instead it's the broadcast IP!!
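The reverse engineering method above, worked in code. This is an added example written for these notes, not part of the original; the function names and the sample addresses in the test are constructed, and the result is cross-checked against Python's ipaddress module.

```python
"""Reverse-engineer the network range from an IP address and subnet mask.

Added example, not part of the original notes: implements the
"256 - mask octet = increment" method described above and cross-checks
the result against Python's ipaddress module. Inputs are constructed.
"""
import ipaddress

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # 2^7 .. 2^0, the binary table


def to_binary(value: int) -> str:
    """Decimal 0-255 -> 8-bit string by subtracting place values (210 -> 11010010)."""
    if not 0 <= value <= 255:
        raise ValueError("an octet is 0-255")
    bits = []
    for place in PLACE_VALUES:
        if value >= place:
            bits.append("1")
            value -= place
        else:
            bits.append("0")
    return "".join(bits)


def network_range(ip: str, mask: str) -> dict:
    """Network, usable host range and broadcast for ip/mask, plus whether
    the given ip is itself usable as a host address."""
    ip_octets = [int(o) for o in ip.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    network, broadcast = [], []
    for ip_o, m_o in zip(ip_octets, mask_octets):
        if m_o == 255:                 # whole octet belongs to the network part: copy it
            network.append(ip_o)
            broadcast.append(ip_o)
        elif m_o == 0:                 # whole octet belongs to the host part: 0 .. 255
            network.append(0)
            broadcast.append(255)
        else:                          # the "interesting" octet: increment = 256 - mask
            increment = 256 - m_o
            start = (ip_o // increment) * increment   # walk 0, 32, 64, ... up to the ip
            network.append(start)
            broadcast.append(start + increment - 1)
    net_addr = ipaddress.IPv4Address(".".join(map(str, network)))
    bc_addr = ipaddress.IPv4Address(".".join(map(str, broadcast)))
    first_host, last_host = net_addr + 1, bc_addr - 1
    given = ipaddress.IPv4Address(ip)
    # cross-check: the library must agree with the hand method
    expected = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if (net_addr, bc_addr) != (expected.network_address, expected.broadcast_address):
        raise AssertionError("hand calculation disagrees with ipaddress")
    return {
        "network": str(net_addr),
        "first_host": str(first_host),
        "last_host": str(last_host),
        "broadcast": str(bc_addr),
        "valid_host": first_host <= given <= last_host,
    }


if __name__ == "__main__":
    print(to_binary(210))                                      # 11010010
    print(network_range("192.168.1.127", "255.255.255.224"))   # .96 network, .127 broadcast
```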
23.
NOTE : if we change the domain name after creating the crypto keys then we need to regenerate those keys to adapt to the new domain name
2. Router(config)# ip http server : this command is used to turn on the HTTP server ( port 80 )
Router(config)# ip http secure-server : this command is used to turn on the HTTPS server ( port 443 )
3. Router(config)# username USERNAME privilege 15 ? : this command is used to create a user name that has privilege level 15 ( this privilege level is the highest and it's called the enable mode level as well )
? = a) password PASSWORD : this keyword is used to specify a password stored at level 0 ( unencrypted password , and this level is the default ) ( it's the same as the Router(config)# enable password PASSWORD command )
c) secret PASSWORD : this keyword is used to specify a password that is encrypted and stronger than using the password keyword ( it is the same as the Router(config)# enable secret PASSWORD command )
If I use the username and password declared in this point it will enter me directly into privilege mode ( bypassing enable mode ) because the privilege level I'm using is 15
4. Router(config)# ip http authentication local : this command is used to secure the HTTP access ports ( HTTP server ) and to use the local user database
The local keyword means that once we enter a user name and password in the browser to access SDM the router checks that user name and password against its local DB ( what has been configured in point 3 is called the local DB )
We can use the command Router(config)# ip http authentication enable instead of the command Router(config)# ip http authentication local if we want the router to check the username and password against the enable passwords ( what has been entered using the Router(config)# enable password PASSWORD or Router(config)# enable secret PASSWORD commands ) instead of checking the local DB ( what has been entered using the Router(config)# username USERNAME privilege 15 password PASSWORD command )
Router(config-line)# transport input all : this command allows both telnet and SSH on the router and it's equivalent to the command Switch(config-line)# transport input telnet ssh
5. Open SDM from a browser ( if SDM is installed on the router ) or from the SDM program itself if it's installed on the local PC
24. Routing: SDM and DHCP server configuration, part 2 (20: 02 mins)
• Dynamic host configuration protocol ( DHCP ) :
1. DHCP allows you to give devices IP addresses without manual configuration
2. A DHCP IP address is typically given ( leased ) for a specific time
3. Addresses can be manually allocated for key network devices ( we can reserve an IP address based on the device's MAC address )
4. DHCP servers can be server based or router based ; the server based advantage is that it is easier to use through the GUI , the router based advantage is that it is more stable
• DHCP process :
1. DHCP discover message ( broadcast message )
2. DHCP offer message ( unicast message )
3. DHCP request message ( unicast message )
4. DHCP ACK ( unicast message )
• To configure DHCP using SDM , this can be done from the additional tools tab :
Domain name : if we choose this option for DHCP then once you check the name of any client in the network that has been assigned this DHCP option you will notice that this domain name has been added beside the client's name
Tick mark ( ) import all the DHCP options into the DHCP server database : in case the router has been assigned a dynamic IP address from the ISP , using this option it can pull other DHCP options provided by the same ISP , and once the router receives those options it starts assigning them dynamically to the clients that request an IP address from this router
In SDM if you press on the DHCP pool status tab you will see the leased IP addresses
To configure DHCP using the command line :
Router(config)# ip dhcp pool POOLNAME : this command is used to create the DHCP pool ( by name ) and enter its configuration mode
Router(dhcp-config)# network 192.168.1.0 255.255.255.0 : this command is used to configure the IP addresses that will be available in this DHCP pool ( those IP addresses will be leased to clients )
Router(dhcp-config)# domain-name DOMAINNAME : this command is used to configure the domain name that will be offered by the DHCP router to the clients when they are assigned an IP address from this router
Router(dhcp-config)# import all : this command is the same as the tick mark option above
The two commands above exclude those IP address ranges from our pool , so the available IP addresses left that will be leased to clients are 192.168.1.20-192.168.1.100
Router# show ip dhcp binding : this command shows all the IP addresses leased to clients using DHCP and the MAC addresses of the clients that are using the leased IP addresses
The command above is used to configure a static route ; the general command syntax is :
R1(config)# ip route destination_network subnet_mask next_hop_address : the next hop address could be the IP address of the next router ( in our example it would be 192.168.2.2 ) or we can use the local outgoing interface instead ( according to our example it would be S1 )
Default route : any destination the router can't reach ( it's not found in the routing table ) will be forwarded using the default route , which is how the router reaches those otherwise unreachable networks
To configure a default route :
R1(config)# ip route 0.0.0.0 0.0.0.0 S1 : this command is used to configure the default route on R1 ; instead of the S1 keyword we can use the next hop address 68.110.171.97
Router(config)# ip name-server 4.2.2.2 : this command is used to configure a DNS server for the router so that if we want to resolve the IP address of www.google.com this DNS server
RIPv2 uses multicast , so only RIP routers receive the hello packets ; in RIPv1 the technique used was broadcasting those hello packets to all the devices in the network
Steps to configure RIP :
1. Turn on RIP using its global configuration command
2. Change the version of RIP used
3. Enter the network statements , those statements are used to :
a) Tell RIP what networks to advertise
b) Tell RIP what interfaces to send advertisements on
To configure RIP :
Router(config)# router rip : this command is used to turn on the RIP routing protocol
Router(config-router)# version 2 : this command is used to change the version of RIP to version 2 ; the default version is version 1
Router(config-router)# network 192.168.1.0 : this command is used to advertise the directly connected networks ; in general the network address we type must be classful , and in case we didn't type a classful network address the IOS will change that command automatically to be classful
Router(config-router)# no auto-summary : this command is used to stop RIP from auto summarizing the network addresses to classful addresses ; the Router# show ip route command will then start showing details about the subnets
Example:
Router# show run | include ip route : this command is used to show only the configuration lines that include the words ip route
Router# debug ip rip : this command is used to show details of the RIP process
Router# show ip protocols : this command is used to show which routing protocols are running on the router plus details about them
27. Routing: internet access with NAT and PAT (24: 41 mins)
Router# u all : this command ( short for undebug all ) is used to disable all debugging on the router
NAT ( network address translation ) allows multiple devices to share an internet IP address ( a public address )
PAT ( port address translation ) is a form of NAT and it's also called NAT overload
Static NAT is usually used with web servers
To configure NAT using SDM there is a NAT tab that contains 2 options :
1. Basic NAT : it's the same as PAT ( NAT overload )
2. Advanced NAT or static NAT
How PAT works :
Steps to configure PAT : note that this is an example without explanation as this section is only an introduction to NAT and PAT
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# interface vlan1
Router(config-if)# ip nat inside
Router(config-if)# exit
Router(config)# interface fastethernet 0/4
Router(config-if)# ip nat outside
Router(config-if)# exit
Router(config)# ip nat inside source list 1 interface fastethernet 0/4 overload
In the last command the overload keyword means that I can allow more than one client ( the IP range that is declared in access list 1 ) to use the single public IP address we have
Router# show ip nat translations : this command is used to show all the NAT translations that are held by the router , it also shows the following :
1. Inside local address : this represents my PC
2. Inside global address : this represents the public IP address configured on our local router
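What the overload keyword does at the translation table, as an added example (not code from the original notes): a small model of the PAT configuration above, where many inside hosts permitted by access list 1 share the single public address of fastethernet 0/4 and are told apart by port. The public address, the inside hosts and the flows are constructed.

```python
"""PAT ( NAT overload ) translation table, simulated.

Added example, not from the original notes: models the behaviour of
'ip nat inside source list 1 interface fastethernet 0/4 overload' shown
above. The public address, the inside hosts and the flows are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# access-list 1 permit 192.168.1.0 0.0.0.255  (wildcard 0.0.0.255 == /24)
ACCESS_LIST_1 = [ipaddress.IPv4Network("192.168.1.0/24")]
OUTSIDE_IP = "203.0.113.10"   # constructed public address of fastethernet 0/4


@dataclass
class Translation:
    proto: str
    inside_local: str     # private IP:port of the PC
    inside_global: str    # public IP:port the internet sees
    outside_global: str   # destination IP:port


@dataclass
class PatRouter:
    outside_ip: str
    permit: List[ipaddress.IPv4Network]
    table: Dict[Tuple, Translation] = field(default_factory=dict)
    used_ports: Set[int] = field(default_factory=set)
    next_port: int = 1024

    def _allocate_port(self, wanted: int) -> int:
        """Keep the original source port when free, otherwise pick the next
        unused one: this is what lets many inside hosts share one public IP."""
        if wanted not in self.used_ports:
            port = wanted
        else:
            while self.next_port in self.used_ports:
                self.next_port += 1
            port = self.next_port
        self.used_ports.add(port)
        return port

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port) -> Optional[Translation]:
        """Outbound packet arriving on an inside interface. Returns the entry used,
        or None when access list 1 does not permit the source (no translation)."""
        if not any(ipaddress.IPv4Address(src_ip) in net for net in self.permit):
            return None
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:                      # new flow: create an entry
            gport = self._allocate_port(src_port)
            self.table[key] = Translation(
                proto, f"{src_ip}:{src_port}", f"{self.outside_ip}:{gport}",
                f"{dst_ip}:{dst_port}")
        return self.table[key]

    def show_translations(self) -> List[str]:
        """Rows in the spirit of 'show ip nat translations':
        proto, inside global, inside local, outside global."""
        return [f"{t.proto} {t.inside_global} {t.inside_local} {t.outside_global}"
                for t in self.table.values()]


def demo() -> PatRouter:
    """Two PCs that both picked source port 5000 talking to the same web server."""
    r = PatRouter(OUTSIDE_IP, ACCESS_LIST_1)
    r.translate("tcp", "192.168.1.10", 5000, "198.51.100.7", 80)
    r.translate("tcp", "192.168.1.11", 5000, "198.51.100.7", 80)
    r.translate("tcp", "192.168.1.10", 5000, "198.51.100.7", 80)   # same flow, same entry
    r.translate("tcp", "10.99.0.5", 4000, "198.51.100.7", 80)      # not in access list 1
    return r


if __name__ == "__main__":
    for row in demo().show_translations():
        print(row)
```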
Moderate overhead
Feature-riffic , it supports four major features :
1. Authentication : you add a user name and password on the WAN link , and they must match on both sides
2. Compression : it helps to use less bandwidth but it will use more processing on the routers
3. Callback feature : this is primarily used on modems ; when you dial in to the modem and authenticate ( type your username and password ) , the router immediately hangs up on you and dials you back at a predefined number ( this is used for security or if we want the long distance call bill to be charged on the other side , not on us )
4. Multilink : it's a system you employ that allows you to combine the bandwidth of multiple WAN connections into one ; say as an example we have 3 T1 links , the multilink feature combines that bandwidth together so the result is that we have 4.5Mbps and it load balances the traffic over those 3 links !
The encapsulation ( HDLC/PPP ) must match at both ends of the link ; if it's not the same then the link won't work and the protocol status will show as down in the output of the command Router# show ip interface brief
Router# show run interface serial 0/0 : this command is used to show only the serial 0/0 part of the Router# show run configuration
If the encapsulation used is HDLC ( the default encapsulation on Cisco devices ) it won't appear in the Router# show run output
Router# show interfaces serial 0/0 : this command is used to show all the details about a specific interface ( in this example the details of serial 0/0 ) ; this command is used to check the current encapsulation used on this serial interface in case we have a leased line ( it shows the HDLC and PPP information and whether those protocols are working or not )
Example: this example shows that PPP is working fine
Router# show interfaces serial 0/0
Encapsulation PPP, LCP open
Open IPCP, CDPCP
LCP is the link control protocol and it's responsible for negotiating the PPP features ; it will show LCP closed if there is a problem negotiating compression , authentication , multilink or the callback feature . IPCP ( IP control protocol ) and CDPCP ( Cisco discovery protocol control protocol ) are control protocols ; IPCP lets the IP protocol ( TCP/IP ) work over the WAN link ( PPP link ) , CDPCP allows CDP to work over the WAN link
Router# show controllers serial 0/0 : this command is used to find out the cable type connected to this specific interface ( it will show whether the cable type is DTE or DCE ) ( DCE is always connected on the ISP side and DTE is connected on our side )
Router# show ip interface brief : this command is used mostly to show the protocol status ; if the protocol shows a down status then probably the problem is an encapsulation mismatch ( another command to check the function of HDLC or PPP )
• How to configure PPP :
Router(config)# interface serial 0/0
Router(config-if)# encapsulation ppp : this command is used to configure the encapsulation on this interface , which is used to configure a leased line on it
Router(config-if)# clock rate 56000 : this command is used to specify the speed of the connection ; it is configured if and only if this specific interface is the DCE ( data clock equipment , a type of connector that needs a clock configuration to work properly , it determines how fast the WAN connection goes ; this value is usually configured on the ISP side , but in a lab environment we need to configure it , as if it's not configured the link won't work ) ; 56000 is measured in bits per second so the value here is 56 kilobits per second
29. Management and security: telnet, SSH and CDP (28: 48 mins)
Router# telnet 192.168.2.2 : this command is used to telnet to another router from our router
• Managing telnet/SSH :
1. Press <CTRL+SHIFT+6> then X : this suspends the telnet/SSH session ; to resume that session we type the command Router# resume 1 ( number 1 represents the session number ) on our router , or we press ENTER in privilege mode , which resumes the most recently opened session
2. Router# show sessions : this command is used to show the sessions open from your router ( when you run this command you will notice an asterisk * that marks the most recent session )
3. Router# show users : this command is used to show the sessions open to your router ( when you run this command you will notice a column called location ; this column shows you which users , i.e. routers , are connected to your router . Usually when you run this command it takes some time until the IP addresses found under the location column are resolved to names ; to get around this we run the command Router(config)# no ip domain-lookup to disable the domain lookup feature and stop the resolving delay , after which the command runs faster )
4. Router# disconnect : this command is used to kill one of your open telnet sessions ( first I run the command Router# show sessions to find which session is open from my router and which I want to kill , then I run this command )
5. Router# clear line X : where X represents the number of the session opened to my router ( first I run the command Router# show users to find which session is open to my router and which I want to kill , then I run this command )
6. Router# exit : this command is used to end a telnet session ; in case I want to telnet again to that same device I need to run the command Router# telnet IPADDRESS again
7. Router# show line : this command is used to show all the lines ( telnet connection ports ) on your router and the status of each one
• CDP ( Cisco discovery protocol ) :
1. CDP allows you to discover directly connected Cisco devices
2. It’s a Cisco proprietary protocol
3. CDP is useful for building accurate network diagrams because using CDP we can know
the IP address , IOS version and the router platform of Cisco neighbor devices
4. CDP is a broadcast packet that is sent every 60 seconds
• Some useful CDP commands :
1. Router# show cdp neighbors : this command is used to discover basic information about directly connected Cisco devices ( it is used to know the local and remote interfaces ) . Some of the basic information that is discovered when we run this command:
a) The local interface : this is the interface on our router that is connected to the other directly connected Cisco device ; this same information can be found by running the command Router# show ip interface brief
b) The port ID : this is the remote interface of the connected Cisco device
2. Router# show cdp entry * : this command is used to show all the remote devices connected to our router ; if I run the command Router# show cdp entry NAMEOFROUTER it will show me the remote IP address of that specific Cisco device
3. Router# show cdp neighbors detail : this command has the same function as Router# show cdp entry * ( this command is used to know remote IP addresses )
4. Router(config-if)# no cdp enable : this command is used to disable CDP on a specific interface ( if we run this command then the Cisco device directly connected to this interface won't be discovered )
5. Router(config)# no cdp run : this command is used to disable CDP on all the interfaces of the router
We usually use telnet commands , CDP commands and the Router# show ip interface brief command to find all the IP addresses and interfaces in a network
Router# show flash : this command is used to see all the files in flash , like the name of the IOS file ( Router# show version shows this as well )
Router# show running-config : this command is used to check what the RAM contains
Router# show startup-config : this command is used to check what the NVRAM contains
Router# show version : this command is used to check the size of the RAM and NVRAM and to know the name of the IOS file as well
Example:
Router# show version
238592K/23552K : those two values combined together are the NVRAM
• Memory components :
1. RAM : RAM holds the running config file ; the benefit of RAM is that it's very fast for read/write , but the disadvantage of RAM is that it loses its data when the router is shut down or restarted , which is why we usually copy the configuration file from RAM to NVRAM before a restart using the command Router# copy running-config startup-config . Another use of RAM is for packet buffers
2. NVRAM : this is considered small in size and it holds the startup config file
3. Flash : this component is used to store the IOS ; in general once you start the router it starts decompressing the IOS from flash into RAM
• Some useful commands :
1. Router# copy running-config startup-config : this command is used to copy the configuration file from RAM to NVRAM ( the Router# wr command does the same thing )
2. Router# copy running-config tftp : this command is used to copy the configuration file from RAM to a TFTP server
3. Router# copy flash tftp : this command is used to copy a file ( the IOS image ) from flash to a TFTP server ( to back up the IOS on a TFTP server ) ( this command can also be typed like this : Router# copy flash:NAMEOFIOS.bin tftp://IPOFTFTPSERVER/NAMEOFIOS.bin )
4. Router# copy tftp run : this command is used to copy the configuration file from the TFTP server to RAM ( NOTE that if you run this command while we already have a running config file it won't overwrite the current file , instead it merges both configuration files to appear as one file ; it only overwrites entries in the current configuration file where there is a conflict )
5. Router# copy tftp startup-config : this command is used to copy the configuration file from the TFTP server to NVRAM ( unlike Router# copy tftp run it won't merge with the current configuration file , instead it replaces it totally )
6. Router# reload : this command is used to restart the router and reload the configuration file from NVRAM
• If we want to restore our configuration we do the following :
1. Router# copy tftp startup-config
2. Router# reload
Note that we didn't run the command Router# copy startup-config running-config because it would do the merge ( anything copied to running-config is merged ) ; besides , once we reboot the router all the running config found in RAM is erased ( flushed )
Auxiliary ports are found only on routers and they are used to connect modems
• To build a small office , at first we care about configuring the switches ( LAN tasks ) :
1) Beginning : wipe out configurations :
This is done using the Switch# erase startup-config and Switch# write erase commands
2) Security : passwords and banners
a) this is done by configuring passwords for privilege mode using the Switch(config)# enable password PASSWORD and Switch(config)# enable secret PASSWORD commands
b) this is done by configuring passwords for the telnet ports , auxiliary ports and console ports
c) this is done by configuring banners on the switches using the command Switch(config)# banner motd " here I type anything I want to appear "
d) use the command Switch(config)# service password-encryption to encrypt all the clear text passwords
3) Cosmetics : name , work environment
a) configure names for the switches using the command Switch(config)# hostname HOSTNAME
b) configure the work environment :
2) Security : passwords and banners ( for routers there is an additional configuration for the auxiliary port ; in case the console port can't be used to log in to the router we can use this aux port to do the task )
3) Cosmetics : names , work environment
4) Interfaces : identify IP address , speed , duplex and description
5) Routing : default routes ( used for external routing , the internet ) , RIP ( used for internal routing )
6) Verify and backup : CDP , TFTP , show ip route , show interfaces
Most of the points mentioned above were discussed before and they are similar to the switch tasks
ISL ( inter switch link ) : it's a Cisco proprietary trunking protocol and it has been discontinued
3. VTP should really be named VRP ( VLAN replication protocol ) to stop people confusing VTP with 802.1Q ( read the notes above for more details )
4. VTP replicates VLANs : once you add a new VLAN on a switch , it's replicated using VTP to the other switches ; VTP only replicates added and deleted VLANs , we still need to assign ports to each created VLAN manually
5. VTP works over trunk links
With VTP , once you create a VLAN on any switch the VTP database counter ( revision ) increases by 1 ( the VTP database that has the highest counter number is replicated to the rest of the switches because it is assumed to contain the latest updated information )
If we bring an old switch that contains some existing VLAN configuration and plug it into our network , and that old switch contains a higher counter number than our other switches , it will replicate its configuration to our switches and ruin the network ; if we try to restore the configuration on our switches it won't solve the problem because they will still contain a lower counter number than the old switch , so the old switch will replicate again . To work around this issue we configure our switches with the VLAN configuration manually , to update the database counter and make it the highest
To protect the replication process we configure VTP domain names ; in this case only the switches that have the same VTP domain name will replicate among each other using VTP
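The old-switch scenario above and the domain-name protection, simulated as an added example (not code from the original notes): one round of VTP advertisements in which the highest revision number in a domain overwrites the others, then the same old switch plugged in with a different domain name, and with its revision reset. Switch names, VLANs and revision numbers are constructed.

```python
"""VTP revision-number replication, simulated.

Added example, not from the original notes: a small model of how the VTP
database with the highest configuration revision overwrites every other
switch in the same VTP domain, and of the protections mentioned above
(a different domain name, transparent mode). Switch names, VLANs and
revision numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"          # server | client | transparent
    revision: int = 0
    vlans: Set[int] = field(default_factory=lambda: {1})

    def add_vlan(self, vlan_id: int) -> None:
        """A server bumps its revision by 1 per change; a client can't change
        VLAN information; a transparent switch keeps a private database."""
        if self.mode == "client":
            raise PermissionError(f"{self.name} is a VTP client")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1

    def reset_revision(self) -> None:
        """IOS resets the revision to 0 when the switch is put in transparent
        mode (or its domain name is changed); do this before plugging an old
        switch into production."""
        self.mode = "transparent"
        self.revision = 0


def advertise(switches: List[Switch]) -> List[str]:
    """One round of advertisements over the trunks. Within a domain the highest
    revision wins; transparent switches only pass advertisements along.
    Returns one line per database that was overwritten."""
    log = []
    active = [s for s in switches if s.mode != "transparent"]
    for sw in active:
        peers = [o for o in active if o.domain == sw.domain and o is not sw]
        if not peers:
            continue
        best = max(peers, key=lambda o: o.revision)
        if best.revision > sw.revision:
            log.append(f"{sw.name}: revision {sw.revision} -> {best.revision} from {best.name}")
            sw.vlans = set(best.vlans)
            sw.revision = best.revision
    return log


def production() -> List[Switch]:
    """One server with VLANs 10/20/30 and two clients, all in domain OFFICE."""
    core = Switch("CORE", "OFFICE")
    for v in (10, 20, 30):
        core.add_vlan(v)
    net = [core, Switch("ACCESS1", "OFFICE", mode="client"),
           Switch("ACCESS2", "OFFICE", mode="client")]
    advertise(net)          # clients now hold {1, 10, 20, 30} at revision 3
    return net


def plug_in_old_switch(domain: str, reset: bool = False) -> tuple:
    """Old lab switch with a stale database {1, 99} but revision 50."""
    net = production()
    old = Switch("OLD", domain, revision=50, vlans={1, 99})
    if reset:
        old.reset_revision()
    net.append(old)
    return net, advertise(net)


if __name__ == "__main__":
    for domain, reset in (("OFFICE", False), ("LAB", False), ("OFFICE", True)):
        net, log = plug_in_old_switch(domain, reset)
        print(domain, reset, log, [sorted(s.vlans) for s in net])
```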
• Native VLANS :
1. The default Native VLAN is VLAN 1
VTP modes :
1. Server mode ( default mode ) :
Power to change VLAN information ( adding , deleting and changing )
Sends and receives VTP updates
Saves VLAN configuration
2. Client mode :
Can't change VLAN information
Sends and receives VTP updates
Doesn't save VLAN configuration
3. Transparent mode :
Power to change VLAN information
Forwards ( passes through ) VTP updates
Doesn't listen to VTP advertisements
Saves VLAN information
Note that if we configure all the switches in the network in transparent mode this is like disabling VTP in our network
In general we configure one VTP server and the rest as VTP clients ( in this case we make the changes on the VTP server only and then the changes are replicated to the VTP clients ) ; if we configure a switch in transparent mode it will have its own database ( VLAN information ) that doesn't replicate with the others : it receives updates from VTP servers but doesn't apply them to its own database , it only passes those updates on to the devices connected to the transparent switch
• VLAN pruning :
It keeps unnecessary broadcast traffic from crossing trunk links
This technique is only enabled on VTP servers
Switch(config)# vtp pruning : this command is used only on VTP servers to turn on VTP pruning
Example:
1. configure trunks ( the links found between switches to pass the VLAN information )
2. configure VTP :
configure the VTP domain name
configure a password for the VTP domain name
configure the VTP mode
3. configure VLANs
4. assign ports to each created VLAN
Switch# show run interface fastethernet 0/1 : this command shows only the information related to this specific interface
Switch# show vtp status : this command shows all the information related to VTP like the VTP version , the VTP revision ( how many changes were made to this switch ) , the maximum VLANs supported at one time ( in general the VLAN numbers we can have on a switch are 1-4094 ) , the number of existing VLANs , the VTP domain name , the VTP mode and finally the local updater ID
Example: Switch# show vtp status
Configuration last modified by 0.0.0.0 : 0.0.0.0 means this switch , the one we ran this command on
Local updater ID is 192.168.1.12 ( usually this switch is configured as a VTP server )
Switch# show vlan : this command is used to show which VLANs were created on the network and it only shows you the access ports assigned to every VLAN
Example: Switch# show vlan
1 : native VLAN
1002 : fddi-default
1003 : token-ring-default
1004 : fddinet-default
1005 : trnet-default
( those are predefined VLANs created to support different networks )
Switch# show interfaces trunk : this command is used to show the trunk ports configured on the switch
Switch# show interfaces fastethernet 0/0 switchport : this command is used to show the status of a specific port , whether it's configured as an access port or a trunk port , and the status of the encapsulation mode , whether it's trunk or dynamic
Example: Switch# show interfaces fastethernet 0/0 switchport
Administrative mode : this entry shows you the status of the encapsulation mode ; by default it shows the keyword dynamic , and if we ran the command Switch(config-if)# switchport trunk encapsulation dot1q then it shows the keyword trunk
Operational mode : this entry shows the status of the port , whether it's trunk or access
If we have 3 switches and we configured only one switch with a domain name ( the rest have BLANK domain names ) , that configured domain name will be replicated to the switches that have a blank domain name ; if we later configure a new domain name it won't be replicated like what happened before , as the replication is done only if there is a BLANK domain name
2. configure VTP
Switch(config)# vtp domain DOMAINNAME : this command is used to configure the domain name ; note that the DOMAINNAME is case sensitive
Switch(config)# vtp password PASSWORD : this command is used to configure a password for the domain name
Switch(config)# vtp mode client : this command is used to configure the mode of the switch ; if we don't configure the VTP mode , by default it will be a VTP server
3. configure VLANs
Switch(config)# vlan NUMBER : this command is used only to create a VLAN
NOTE : in this section we will continue the configuration of the switches based on the previous section ; we will finalize point 4 and point 5 in this section
4. Assign ports to VLANs :
Switch(config)# interface fastethernet 0/0
Switch(config-if)# switchport access vlan NUMBER : this command is used to assign interface fastethernet 0/0 to a specific VLAN number ; in this case any PC connected to this port will be joined to that specific VLAN number
The best practice for assigning VLAN numbers is : VLAN number = subnet number
As an example VLAN 1 has the subnet 192.168.1.0 , VLAN 10 has the subnet 192.168.10.0 , VLAN 20 has the subnet 192.168.20.0 and so on
1. Separate port to each VLAN :
2. Layer 3 switch :
A layer 3 switch is a switch that has layer 3 capabilities ; it works by creating VLAN interfaces ( interface vlan )
A layer 2 switch is a switch that has layer 2 capabilities only
3. Router on a stick :
1. Router(config)# interface fastethernet 0/0.50 : this command is used to create a sub interface ; the number 50 is any number we specify but we prefer to match it with the VLAN number for simplicity
Router(config-subif)# ip address 192.168.1.1 255.255.255.0
After running the above command you will receive a message:
% configuring IP routing on a LAN subinterface is only allowed if that sub interface is already configured as part of an IEEE 802.10, IEEE 802.1Q or ISL VLAN
That means we need to inform the router that this created sub interface will respond to packets that come from a specific VLAN ( in our example it's 50 ) ; to solve this message we run the command Router(config-subif)# encapsulation dot1Q 50
2. Switch(config)# interface fastethernet 0/0
If the interface doesn't support baby giant frames , maximum MTU of the interface has to be reduced by 4 bytes on both sides of the connection to properly transmit or receive large packets , please refer to documentation on configuring IEEE 802.1Q VLANS
Baby giant frame : the biggest packet you can send is 1500 bytes ; in case that packet is tagged to be sent over a trunk we add 4 bytes ( the tag size ) to the 1500 , resulting in a 1504 byte packet , which is called a baby giant frame and must be supported by the switches and routers ; in general the routers and switches adjust the size of the packet to be 1496 bytes instead of 1500 bytes so that when that packet is tagged it will be 1500 bytes ( this is the maximum size that can be handled by Ethernet technology )
If we ping from a PC in one VLAN to a PC in another VLAN and it isn't successful then we need to check whether the router contains routing entries for those VLANs
Switches send " probes " into the network ; those probes are called BPDUs ( bridge protocol data units ) and are used to discover loops . Once a BPDU arrives at a switch , the switch analyzes that BPDU , and if it finds its own name in it then that means this BPDU has passed through this switch before , which means there is a loop in the network
The BPDU also helps to elect a root bridge ( this is the core switch of the network )
The simplest view of STP : all switches find the best path to reach the root bridge , then block all the redundant links ( the remaining links that cause the loops )
Switches run STP by default
• General notes about STP elections :
There are 3 port types in general :
1. Root port ( RP ) : this port is used to reach the root bridge
2. Designated port ( DP ) : this port is a forwarding port ; there must be one DP per link
3. Blocking / non-designated port : this is a blocked port ( where the tree falls )
Bridge ID = priority.MAC address ; the default priority is 32768 and the MAC address is the MAC of the switch itself , not of the interfaces . The lower the priority , the better the chance to be elected as root bridge ; if all the switches are equal in their priority then we compare based on the MAC address , and the lowest MAC address is the best candidate to be elected as root bridge
By default STP elects the oldest manufactured switch as root bridge because by default it contains the lowest bridge ID
• STP election process ( how STP finds the best path ) :
1. Elect the root bridge: STP must elect a root bridge , which is based on the lowest priority ; by default all STP switches have 32768 so the whole bridge ID ( priority + MAC address ) is considered ( based on the lowest MAC address )
2. The root bridge will have all its ports as designated ports
3. Elect the RP: all other switches ( non-root switches ) must select a path to the root bridge . This depends on the lowest cost path to the root , regardless of direct or indirect connectivity with the root bridge . Every switch must have an RP ; the minimum root path calculation is performed by processing incoming BPDUs . The incoming BPDU carries the root path cost , which is the cumulative path cost of the links between the root bridge and the non-root bridge .
NOTE: if the path cost is tied then we elect based on the lower bridge ID , and if the bridge ID is tied then we elect based on the lower physical port ID
Bandwidth of the link    Cost of the link
10Mbps                   100
100Mbps                  19
1Gbps                    4
10Gbps                   2
4. All other switches ( non-root bridges ) must select one DP ; the election of the DP is done exactly like the RP !
In brief:
RP: lowest path cost , if tied then we go to the lowest bridge ID , if tied then we go to the lowest physical port ID
DP: lowest bridge ID , if tied then we go to the lowest physical port ID
Example: ( diagram not reproduced )
Exclusion examples: 1. and 2. ( diagrams not reproduced )
Example:
1. The root bridge priority is 32769 and the MAC address is 0009.e848.6c00
2. The root bridge is connected on DS1 local port fa0/27
3. The priority of DS1 is 32769 = 32768 ( default ) + 1 ( the VLAN number , called the sys-id-ext ) because PVST+ is running on this switch by default
Example:
1. One of the PVST+ features that you will learn in the next section is that we can have a root bridge for each VLAN . In this example we find that for VLAN 20 DS1 is the root bridge and its priority is 32788 = 32768 ( default ) + 20 ( the VLAN number )
• There are 2 ways to configure a switch to be the root bridge manually :
1. Switch (config)# spanning-tree vlan 1 root primary : this command configures the switch to be the root bridge ( it decreases the priority as much as needed to elect this switch as the root bridge ) . We must specify the VLAN in the command to modify STP in that VLAN ; if we use the secondary keyword instead of primary it configures this switch as the backup root bridge . This command is basically used with PVST+ to configure a root bridge for each VLAN we have in the network
2. Switch (config)# spanning-tree vlan 1 priority 0 : this command configures the switch to be the root bridge by setting the priority manually to 0 . The priority can be configured to a number between 0-61440 in increments of 4096
If somebody connects a switch to the network and changes the priority of that switch to be the lowest so that it is elected as the root bridge , it will ruin the network . To protect our network from such attacks we configure root guard
•Notes :
1. When you 1st plug a device into a switch port it takes 30 seconds ( 15 seconds in listening mode and 15 seconds in learning mode ) to check the device . The 1st 15 seconds of listening mode are basically used to double check that this port doesn't have another switch connected to it , which is done by checking whether the port receives a BPDU or not ; if a port is configured not to receive BPDUs and it receives one in the 1st 15 seconds ( listening mode ) then instead of entering learning mode it will be shut down
2. A blocking port transitioning from the blocking state to the forwarding state ( going from blocking mode to listening mode to learning mode and finally to forwarding mode ) takes 50 seconds = 20 seconds in blocking mode , 15 seconds in listening mode and 15 seconds in learning mode
3. When there is a failover in STP ( one link goes down and another link takes over until the 1st link is functioning again ) it takes 30-50 seconds ; if there is another failover ( the original link is up and functioning again ) it takes 1-1:30 mins because a blocking timer is added to the 30-50 seconds of the 1st failover
• Problems and solutions of STP :
1. STP faces some problems with PCs : modern PCs can boot faster than 30 seconds ( listening and learning modes ) , and that is also faster than a port transitioning from the blocking state to the forwarding state ( 50 seconds ) . In this case the PCs are forced to wait those 50 seconds before they can communicate on the network , as the PC won't work until the port works
The solution for this problem is the portfast feature , which transitions the port from blocking mode to forwarding mode immediately without entering the listening and learning modes . This feature is enabled using the command switch (config-if)# spanning-tree portfast ( this command disables STP on that port and it is configured only on access ports )
2. STP faces some problems with uplink ports ( ports that connect to other switches ) : if such a port transitions from blocking mode to forwarding mode it spends approximately 50 seconds , and that is a long time that causes trouble in our network
The solution for this problem is to use RSTP ( rapid spanning tree )
• Initial STP enhancements :
1. PVST+ ( per VLAN spanning tree + ) :
Runs as an instance of STP per VLAN
Allows different root bridges per VLAN
In STP we had a disabled link ( resulting from a blocking port ) ; using PVST+ all the links are used , based on VLANs
By default PVST+ runs on Cisco switches
11. General switching: troubleshooting and security best practices (29:23 mins)
Solve the immediate issue ( disconnect redundant links ) ; in this case we won't face any spanning tree problems once we specify which redundant link to disable , of course by using STP technology
Ensure all the links are reflected on a network diagram , as we need an up-to-date network diagram ; in general spanning tree has an effective radius ( distance ) of 7 devices
Ensure the root bridge selection is appropriate
Make sure all the switches are running RSTP
3. VLAN and trunking issues :
Watch for native VLAN mismatches ; as in page 52 of this document , if the native VLAN doesn't match we will face a problem , so we prefer to unify it on all switches
Hard code trunk ports to be " on " using the command switch (config-if)# switchport mode trunk ; by default the port is configured in a dynamic mode
Verify the IP address assignments in a VLAN
Use the ping and traceroute commands to diagnose routing issues
4. VTP issues :
Verify the trunks
Verify the VTP information like the VTP password , VTP version , VTP domain name and the VTP modes
The last resort to solve VTP issues is to delete the vlan.dat file that is found in flash and reconfigure the VLANs from the beginning ; all the VLAN information in general is found in vlan.dat , so if you want to flush all the VLAN configuration just run the command switch# delete flash:vlan.dat then reboot the switch
• Switch security is essential :
Most security focuses around the network perimeter
Switch security checklist :
a. Physical security : we secure the location of the switch itself , because if somebody for example presses the mode button found on the switch for 10 seconds it will erase all the configuration ; this feature can be disabled from the command line
b. Set passwords and logon banners
c. Disable the web server ; this feature is used to give a GUI page through the web browser to check the switch ports and configure them . The web server can be disabled by running the command switch (config)# no ip http server
d. Limit remote access subnets using an ACL
e. Use SSH whenever possible
f. Configure logging ; this is done in 2 ways :
1. Logging the messages on the local switch :
Switch (config)# logging buffered 64000 : this command allocates 64000 bytes of memory buffer to log messages ; for example when an interface goes up or down that event is logged
Switch# show logging : this command shows the messages logged on the switch
2. Logging all the messages to a remote host that runs a program to receive those messages , like the Kiwi syslog daemon ; to configure the switch to send those logs we run the command switch (config)# logging A.B.C.D
g. Limit CDP reach when possible : we disable CDP in case we want to protect our network from packet sniffers , as they can read CDP packets , but we don't recommend disabling CDP as IP phones use CDP to function
Limiting CDP reach can be done in 2 ways :
1. Switch(config)# no cdp run
2. Switch(config-if)# no cdp enable
h. Use BPDU guard on portfast ports : in general BPDUs are used by STP to announce switches and discover whether there are any loops in the network . We enable BPDU guard on portfast ports ( ports connected to PCs ) as those ports don't need to receive BPDUs , because only PCs are connected to those ports ; in case somebody connects a switch to this port and it starts to send BPDUs , once the portfast port that has BPDU guard enabled receives a BPDU it shuts down the port ( the port enters the error-disabled state ) , and that helps to prevent loops
In brief : the BPDU guard feature puts portfast-enabled interfaces that receive BPDUs into an error-disabled state
This feature can be enabled on all portfast ports using the command switch (config)# spanning-tree portfast bpduguard default
If we configure BPDU filter using the command switch (config)# spanning-tree portfast bpdufilter default , the BPDU filtering feature prevents the switch interface from sending or receiving BPDUs .
BPDU guard stops sending BPDUs from an interface and , in case it receives a BPDU , the port goes into the error-disabled state ( shut down ) ; it is activated on portfast ports in general and is used to protect our network from somebody connecting an additional hub or switch to our existing switch . BPDU filter on the other hand stops both sending AND receiving on the port ; in case the port receives any BPDU it only discards it , and it is used on access layer switch ports as we don't need to receive STP information there
VLSM ( variable length subnet mask ) : I can change my subnet mask whenever and wherever I want
If you use VLSM then you need a classless routing protocol that works with VLSM , like RIPv2 , OSPF , IS-IS and EIGRP ; the classful routing protocols like IGRP and RIPv1 won't work properly with VLSM
• In any VLSM scenario we do the following :
1. Start with the largest subnet
2. After specifying the 1st network range we do the subnetting again and pick a suitable network range for the next subnet
3. Don't forget the point to point links
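The three VLSM steps above, carried out by an added Python script that is not part of the original notes: it sizes each subnet from its host count, hands out the largest subnets first, carves the following ones from the lowest free block that still fits, and leaves the /30 point to point links for last. The address block and host counts are constructed sample values.

```python
import ipaddress
import math


def prefix_for_hosts(hosts):
    """Smallest prefix length whose usable host count (2^(32-p) - 2) covers
    `hosts`; never longer than /30 because network and broadcast are reserved."""
    if hosts < 1:
        raise ValueError("a subnet must hold at least one host")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits


def allocate_vlsm(block, requirements):
    """requirements: list of (name, hosts).
    Step 1: largest subnet first.  Step 2: carve each next subnet from the
    lowest free chunk that fits.  Step 3: the /30 point to point links are
    the smallest, so they come out last.
    Returns (assignments, leftover free blocks)."""
    free = [ipaddress.ip_network(block)]
    assignments = []
    # sorted() is stable, so equally sized requests keep their listed order
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        free.sort(key=lambda n: (int(n.network_address), n.prefixlen))
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= prefix:
                # take the first subnet of the needed size out of this chunk
                if chunk.prefixlen == prefix:
                    sub = chunk
                else:
                    sub = next(chunk.subnets(new_prefix=prefix))
                del free[i]
                free.extend(chunk.address_exclude(sub))  # keep the remainder
                assignments.append((name, sub))
                break
        else:
            raise ValueError(f"no space left for {name} ({hosts} hosts)")
    return assignments, sorted(free, key=lambda n: int(n.network_address))


# Constructed sample: one /24 shared by three LANs and two router links.
REQUIREMENTS = [
    ("Sales", 100),
    ("Engineering", 50),
    ("Management", 20),
    ("R1-R2 link", 2),
    ("R2-R3 link", 2),
]

if __name__ == "__main__":
    plan, leftover = allocate_vlsm("192.168.10.0/24", REQUIREMENTS)
    for name, net in plan:
        print(f"{name:12} {net}  ({net.num_addresses - 2} usable hosts)")
    print("free:", [str(n) for n in leftover])
```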
1. DV routing protocols send the entire routing table at specific intervals ( as an example RIP sends its entire routing table to the entire network as broadcasts or multicasts ( depending on the version of RIP ) every 30 seconds ; those updates are the keepalives of RIP , so if a RIP router doesn't receive this update every 30 seconds then there is probably a problem occurring )
2. In their simplicity DV routing protocols have looping issues like count to infinity
Example of the count to infinity problem :
All areas must connect to area 0 ; an area in general is a group of routers that all have the same routing information , each area mustn't contain more than 50 routers , and usually we use different areas to represent different geographical locations and to summarize ( we use multiple areas to summarize ) . Inside the areas you have internal routers ( connected only within the same area )
All routers in an area have the same topology table ( the topology table shows the whole map of an area with all the paths ) but every router within the same area has a different routing table ; as an example , in case a router in area 0 goes down the other routers check the topology table to recreate an alternate path to reach the destination , but the routing table differs from one router to another within the same area
Requires a hierarchical design : you group similar subnets in the same area to form summarization addresses
The goal is to localize updates within an area
The purpose of using OSPF with multiple areas is to use summarization as much as we can , so whenever we can do summarization we do it !
Notes about the example above:
Area 1 summarizes the 172.16.1.0-172.16.4.0 = 172.16.1.0/16
Area 2 summarizes the 172.17.1.0-172.17.15.0 = 172.17.1.0/16
The internet section in the example runs an external routing protocol like RIP or EIGRP
In an OSPF network summarization is done on ABR and ASBR routers only
• ABR ( area border routers ) :
It contains two topology tables , one for area 0 that describes the routers in area 0 and one for the other area connected to area 0
Summarization happens on ABR routers
Connects area 0 to another area
Sits between areas
• ASBR ( autonomous system boundary router ) :
A router in OSPF that connects to routers outside your network ; it connects OSPF to the internet or to another routing protocol like RIP or EIGRP
Summarization happens on ASBR routers
• Understanding OSPF neighbor relationships ( how OSPF forms neighbors ) :
Unlike RIP , OSPF forms a direct relationship with the routers it wants to speak with
In OSPF , routers exchange routes between each other and then maintain that relationship using the hello protocol
The OSPF hello packet is used to allow routers to form a relationship with other OSPF routers and exchange routes
Hello messages are sent when you configure OSPF on the interfaces you designate ( hello messages are sent on the chosen interfaces )
Hello messages are sent once every 10 seconds on broadcast and point to point networks ( usually we change this value to be lower so that we can detect failures faster ) and once every 30 seconds on non-broadcast multi-access networks like frame relay
Hello messages contain all sorts of information like :
1. Router ID , the name of the OSPF router
2. Hello and dead timers *** ; the dead timer is how long to keep the relationship alive in case we don't receive a hello packet
3. Network mask ***
4. Area ID ***
5. DR/BDR IP addresses
6. Router priority
7. Neighbors ; this includes the list of neighbors each router knows
8. Authentication password ***
NOTE : *** means that it must match between the routers to form a relationship
14. Routing protocols: OSPF configuration and troubleshooting (39:53 mins)
Router (config)# router ospf 1 : this command is used to enable the OSPF routing protocol . The process ID ( 1 in our example ) is used to identify the OSPF process ; the process ID is a number between 1-65535 and it doesn't have to be the same on all the routers , but it's recommended to unify it
Router (config-router)# network 192.168.1.0 0.0.0.255 area 0 : this command is used to configure which networks to advertise ( send hello packets to specific destinations ) . The 192.168.1.0 is a classful network ( this is configured like what we do in RIP ) and the 0.0.0.255 is a wildcard mask that is used as a match statement : a 0 bit means match and a 255 means I don't care
Router (config-router)# default-information originate : this command is used to advertise static routes in OSPF ( the router that has a static or static default route will advertise it using the OSPF protocol to the other routers , and the other routers that receive that advertisement will have a new route
2. Router# show ip ospf neighbor : this command is used to show the OSPF neighbors formed with this router
3. Router# show run | include ip route : this command shows only the configuration lines that contain the keywords ip route
Example :
Router# show ip ospf neighbor
Neighbor ID     Pri   State     Dead Time   Address        Interface
192.168.1.1     1     FULL/DR   00:00:33    192.168.1.1    FastEthernet0/0
The Address column represents the IP address of the neighbor interface connected to this router
• Understanding the OSPF router ID
1. The OSPF router ID is the name of the router ; it identifies the router to the OSPF neighbors
2. The router ID is elected in the following sequence :
At startup the router ID will be the highest physical interface IP address on that router by default
If there is a loopback address it is preferred over the physical interface , even if it is lower than the physical interface address ; a loopback can be configured using the commands :
Router (config)# interface loopback 0
Router (config-if)# ip address 192.168.1.1 255.255.255.0
In case we configure the router ID manually it is preferred over both the loopback address and the physical interface ; this is done by running the command Router (config-router)# router-id A.B.C.D . Notice that if you run this command you need to reboot the router for it to take effect , or at least restart the OSPF process using the command router# clear ip ospf process ( this command drops the neighbors and then those neighbors are formed again )
• Troubleshooting OSPF :
Run the command router# debug ip ospf adj to show the process of forming the neighbors
The best way to troubleshoot OSPF is to run the command router# show ip ospf neighbor ; if no neighbors show up then we need to check that the hello and dead timers , the network mask , the area ID and the authentication passwords match between the routers so that they can form the neighbor relationship
went down , EIGRP will use the backup route immediately as the best route without any additional calculations ( in OSPF and RIP the calculation is done again to find the new best route )
DUAL stands for diffusing update algorithm ; DUAL is the engine that runs EIGRP ( it's responsible for calculating the routes in EIGRP ; in OSPF the engine is called SPF )
DUAL is better than SPF because it doesn't add any load on the router's processor
2. Simple configuration
3. Flexibility in summarization : in OSPF you configure summarization at the ABR and ASBR only , in EIGRP you can configure summarization whenever and wherever you want
4. It allows unequal load balancing ( all the other protocols use equal load balancing )
5. Combines the best of distance vector and link state
6. Supports multiple network protocols ( like IPX , AppleTalk and IP )
7. EIGRP uses hello packets like OSPF to discover neighbors ; by default EIGRP sends hello packets every 5 seconds
8. EIGRP supports sub-second convergence
• EIGRP tables :
1. Neighbor table : this table shows all the neighbors formed
2. Topology table : this table contains the whole EIGRP map of the network ; it remembers all of the best routes ( shown in the topology table as a successor - the primary link ) and the backup routes ( shown in the topology table as a feasible successor - the backup link )
3. Routing table : this table contains all the best routes ( successors )
Configuring EIGRP :
Router (config)# router eigrp 1 : this command is used to enable EIGRP ; the number 1 is called the AS ( autonomous system ) number , it's a number between 1-65535 and it must match on all the routers running this same EIGRP process
Router (config-router)# network 192.168.1.0 : this command is used to advertise the directly connected networks and it has the same syntax as RIP ; we can use the command router (config-router)# network 192.168.1.0 0.0.0.255 as well , like in OSPF but of course without the area keyword
Some useful commands :
Router# show ip eigrp neighbors : this command shows you the neighbors this router has formed a relationship with
Example :
Router# show ip eigrp neighbors
H   Address        Interface   Hold   Uptime     SRTT   RTO   Q Cnt   Seq Num
                               (sec)             (ms)
0   192.168.1.1    Fa0/0       11     00:00:40   4      200   0       2
The H column lists all the neighbors in the order they were learned
The Address column represents the neighbor IP
The Interface column represents the local interface on this router that is connected to the neighbor
The Hold column represents how long the router waits before it believes that neighbor is dead
The SRTT ( source round trip timer ) column represents how long it takes to get to the neighbor and back ; it helps to gauge how long the router should wait before it expects a hello packet
Router# show ip route : this command shows the EIGRP routes , which appear with a D
Summarization in EIGRP :
EIGRP summarizes addresses automatically ( auto summary is enabled by default ) anytime you have a discontiguous network ( a network advertised across a boundary that is not the same network ; in the following example I will explain this further )
16. Access-lists: the rules of ACLs (access control lists) (27:44 mins)
An ACL is an identifier list that allows ( permits ) or denies specific traffic based on a list of permit and deny statements
Examples:
1. ACL can be used to allow for a specific host ( example permit 192.168.2.58 )
2. ACL can be used to deny a whole subnet ( example deny 192.168.1.0/24 )
3. ACL can be used to allow a specific port for an IP ( example permit TCP port 80 for 200.1.1.1 )
4. ACL can be used to deny a range of ports for a whole subnet ( example permit all TCP traffic
for 210.0.1.0/24 )
• ACL can be used for :
Access control : permitting and denying traffic
NAT : permit or deny hosts to be translated to public IPs
Quality of service : configuring a specific host to have a higher priority than others
Demand dial routing
Policy routing
Route filtering
Security concerns
• Rules of ACLs :
1. ACLs are read from top to bottom ; once the 1st match is found you stop reading and exit the ACL
Example :
Deny 10.1.5.1
Permit 5.3.1.2
Permit 10.1.5.1
According to this example we read the 1st statement from the top and realize that we deny 10.1.5.1 , then we permit 5.3.1.2 ; now we don't pay attention to the 3rd statement because we already denied 10.1.5.1 , so we won't permit it again ( only the 1st match applies )
2. At the bottom of each ACL there is an invisible implicit deny statement ; because of that we use at least one permit statement in the ACL , unless our goal is to deny all the traffic
3. The ACL is applied to an interface as inbound ( into that interface ) or outbound ( out of that interface )
4. In every ACL the order is important
• Adding ACL capabilities ( types ) :
1. Standard :
A standard ACL matches based on the source IP address only ( who you are )
It has lower processor utilization
Its effect depends on where it is applied ( if I apply this ACL outbound it has a different effect than applying it inbound )
2. Extended :
An extended ACL matches based on source/destination addresses , protocol and source/destination port numbers
It has higher processor utilization
The syntax of extended ACLs takes some time to learn
3. Dynamic : this type of ACL expands and shrinks depending on who is going through at the time
Example : an ACL has been created to allow users to access the internet for a specific amount of time ; if the username and password provided by the user don't match the ACL they won't have the ability to access the internet , and if the username and password match then they can use the internet for the specific amount of time configured in the ACL
4. Established ( reflexive ) : this type of ACL allows the return traffic for internal requests ( requests that originated from inside the network ) ; this type is basically used if we want to deny all traffic that originates from the internet
5. Time based : this type of ACL is activated for a specific period of time only
Example : we create a time based ACL if we want to allow internet access only after business hours ( in this case the ACL is activated during business hours to deny internet access )
6. Context-based access control ( CBAC ) : this type of ACL is a new way to turn the router into a Cisco firewall ( like the PIX firewall or ASA ) ; it turns on some firewall features on the router , and in this case the router starts to inspect all traffic going through it
Router# show access-lists : this command is used to show which ACLs are created on the router and how many times each entry permitted or denied traffic
Router# show ip access-lists : this command shows which IP ACLs are created on the router and has the same function as Router# show access-lists
Router# show access-lists 70 : this command shows ACL 70 only
Example: in this example 192.168.5.100 pings the router interface 192.168.2.1
Router# show access-lists
Standard IP access list 1
    10 deny 192.168.5.100 (8 matches)
    20 permit 192.168.0.0 wildcard bits 0.0.255.255
    30 permit 192.168.5.0 wildcard bits 0.0.0.255
According to the above example we note the following :
20 permit 192.168.0.0 wildcard bits 0.0.255.255 can be created using the command Router (config)# access-list 1 permit 192.168.5.100 0.0.255.255 ( the router stores the address with the " don't care " bits of the wildcard zeroed )
8 matches shows that the ACL blocked the traffic coming from 192.168.5.100 8 times ( every ping sends 4 packets and shows in the ACL as 8 matches ( send/receive ) ) ; each time 192.168.5.100 pings the router the reply is : reply from 192.168.2.1 destination host unreachable , because there is a deny statement for 192.168.5.100
10 , 20 and 30 are called sequence numbers and can be edited only in named ACLs ; these numbers help to modify an existing ACL or enter a new statement into that existing ACL , as before sequence numbers existed we had to copy all the commands of the ACL to a notepad , edit them and paste them back in configuration mode
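The wildcard matching used by the OSPF network statement earlier, together with the ACL rules above ( top to bottom , first match wins , implicit deny ) and the match counters shown by show access-lists , as an added Python model that is not part of the original notes. StandardACL, wildcard_match and ospf_interfaces are names chosen here; the ACL entries replay the example from the notes and the interface addresses are constructed.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """Cisco wildcard-mask match: a 0 bit means 'must match', a 1 bit means
    'don't care', so 0.0.0.255 compares only the first three octets."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def normalize(base, wildcard):
    """IOS stores an entry with the 'don't care' bits zeroed, which is why
    'permit 192.168.5.100 0.0.255.255' shows up as 192.168.0.0."""
    b, w = (int(ipaddress.IPv4Address(x)) for x in (base, wildcard))
    return str(ipaddress.IPv4Address(b & ~w & 0xFFFFFFFF))


class StandardACL:
    """Model of a standard IP ACL: source address only, read top to bottom,
    first match wins, implicit deny at the end, hit counter per entry."""

    def __init__(self, number):
        self.number = number
        self.entries = []  # dicts with seq, action, base, wildcard, hits

    def add(self, action, base, wildcard="0.0.0.0"):
        """access-list N {permit|deny} base [wildcard]; 'any' is 0.0.0.0 255.255.255.255."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if base == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        self.entries.append({
            "seq": 10 * (len(self.entries) + 1),  # IOS numbers entries 10, 20, 30, ...
            "action": action,
            "base": normalize(base, wildcard),
            "wildcard": wildcard,
            "hits": 0,
        })

    def evaluate(self, source):
        """Return 'permit' or 'deny' for a packet with this source address."""
        for entry in self.entries:
            if wildcard_match(source, entry["base"], entry["wildcard"]):
                entry["hits"] += 1
                return entry["action"]  # first match: stop reading
        return "deny"  # implicit deny at the bottom, not counted by IOS

    def show(self):
        """Render roughly like 'show access-lists'."""
        lines = [f"Standard IP access list {self.number}"]
        for e in self.entries:
            text = f"    {e['seq']} {e['action']} "
            if e["wildcard"] == "255.255.255.255":
                text += "any"
            elif e["wildcard"] == "0.0.0.0":
                text += e["base"]
            else:
                text += f"{e['base']} wildcard bits {e['wildcard']}"
            if e["hits"]:
                text += f" ({e['hits']} matches)"
            lines.append(text)
        return "\n".join(lines)


def ospf_interfaces(network_statements, interface_ips):
    """Which interfaces a set of OSPF 'network A.B.C.D wildcard area N'
    statements enables: an interface whose IP matches a statement joins
    that area (first matching statement wins)."""
    enabled = {}
    for name, ip in interface_ips.items():
        for base, wildcard, area in network_statements:
            if wildcard_match(ip, base, wildcard):
                enabled[name] = area
                break
    return enabled


if __name__ == "__main__":
    # Replay of the 'show access-lists' example from the notes.
    acl = StandardACL(1)
    acl.add("deny", "192.168.5.100")
    acl.add("permit", "192.168.5.100", "0.0.255.255")  # stored as 192.168.0.0
    acl.add("permit", "192.168.5.0", "0.0.0.255")
    for _ in range(8):  # the notes count 8 packets for the pings
        acl.evaluate("192.168.5.100")
    print(acl.show())
    # Constructed interfaces: only Fa0/0 falls inside 192.168.1.0 0.0.0.255
    print(ospf_interfaces([("192.168.1.0", "0.0.0.255", 0)],
                          {"Fa0/0": "192.168.1.1", "Fa0/1": "10.1.1.1"}))
```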
Example: in this example 192.168.10.50 is telnetting to router
Router# show access-lists 70
Standard IP access list 70
    10 deny 192.168.10.50 (6 matches)
    20 permit any (2 matches)
2 matches shows that the ACL allowed the traffic coming from 192.168.10.50 2 times ( every telnet sends 2 packets )
We configure an ACL to restrict telnet or SSH because in general even if you don't know the username and password to access the router you still have the ability to guess that password to enter the router , so we create an ACL to allow only specific hosts to telnet
For telnet and SSH we apply the ACL on the VTY lines instead of applying it on a specific interface like we do in general with standard ACLs
Router (config)# access-list 70 remark THIS WILL DENY HOST A FROM TELNETTING TO R1
This command is only a comment ; it appears in the router# show run and router# show access-lists outputs
Router (config)# access-list 70 deny 192.168.10.50 0.0.0.0
Router (config)# access-list 70 permit any
Router (config)# line vty 0 4
Router (config-line)# access-class 70 in : this command applies ACL 70 on the VTY lines ; we always use the in keyword with telnet or SSH
care a lot about the eq 80 related to the source ; we are more concerned with the destination , so the correct way to write the above command is :
Router (config)# access-list 150 deny tcp host 192.168.10.50 any eq 80
Router (config)# access-list 150 permit ip any any : this command is used at the end of each extended ACL to allow the rest of the traffic , as there is an implicit deny
Router (config-if)# ip access-group 150 in : this command applies the extended ACL 150 to an interface in the inbound direction
Examples showing the full typing of the commands mentioned above :
Router (config-ext-nacl)# permit ip host 192.168.10.50 host 4.2.2.2
Router (config)# interface gigabitethernet0/1
Router (config-if)# ip access-group DENY_HOSTA in
1) router (config)# ip access-list extended DENY_HOSTA : this command is used to edit ACL 150
Router (config-ext-nacl)# no 20 : this command deletes entry 20
For this example , if we run the command router# show ip access-lists it shows the following :
Router# show ip access-lists
Extended IP access list 150
    10 permit ip host 192.168.10.50 host 4.2.2.2
    30 permit ip any any ( entry 20 has been deleted )
18. NAT (network address translation): understanding the 3 styles of NAT (20:00 mins)
NAT allows you to convert the private corporate addresses to public addresses that work on the internet
We don't recommend assigning the public IP addresses that are used in NAT to any router interface , but it can be done , as we will see in this section
• Types of NAT :
1. Dynamic NAT
2. NAT overload
3. Static NAT
• Understanding dynamic NAT :
Each client gains a public IP from a pool of addresses
The client must own the IP addresses used in a NAT pool
Dynamic NAT is used to solve addressing problems like overlapping addresses
Dynamic NAT in general uses 1-to-1 NAT translations based on a pool
We use dynamic NAT with NAT overload in big organizations if we want clients to use a pool of public addresses to surf the internet
Example on the overlapping addresses situation
clients to surf the internet and the static NAT will be used to provide inbound access for our hosting servers like our web servers
1. Label the interfaces ; this is done to know which interface represents the internal network and which one represents the outside network
2. Identify the internal IP addresses to be translated ; this is done by using an ACL to tell the router which internal IPs we want to translate and which IPs we don't
3. Enable NAT overload
Example showing how the steps are implemented to configure NAT overload :
internal addresses to use this single public IP address 68.110.171.98 ; if we don't overload then only 1 client will have internet access )
• Configuring static NAT : static NAT is what allows me to create mappings that let internal hosts be accessible from outside . In general we don't use the IP address of the router interface to NAT a host from our network , but if the public IP assigned to the router interface is the only public IP we have then we configure static port mappings ; the examples below show the configuration of static NAT and static port mapping
1. Router (config)# ip nat inside source static 192.168.10.50 68.110.171.99
This example shows how to translate the IP 192.168.10.50 to the public IP 68.110.171.99
2. Router (config)# ip nat inside source static tcp 192.168.10.50 80 interface ethernet0/1 80
a. This example shows that we have only 1 public IP ( 68.110.171.98 ) and we need to publish our web server ( 192.168.10.50 ) , so we specify port 80 in the static NAT command ; in this case whenever Ethernet 0/1 gets a request on port 80 it translates that request to 192.168.10.50 on port 80
b. We can replace the interface ethernet0/1 keywords with the public IP 68.110.171.98 as it's the same ; in general if we use the IP of the interface we use the interface ethernet0/1 keywords , and if we use an IP different from the router interface's IP we just type it in clear text
• Configuring dynamic NAT with overload :
Router (config)# ip nat pool PUBLIC_ADDRESSES 68.110.171.99 68.110.171.100 netmask 255.255.255.0
This command creates a pool of public IP addresses starting from 68.110.171.99 and ending at 68.110.171.100 ( this pool contains only 2 public IP addresses )
Router (config)# ip nat inside source list NAT_ADDRESSESS pool PUBLIC_ADDRESSES overload
This command allows the clients declared in NAT_ADDRESSESS ( the explanation of this ACL is found in page 93 ) to be translated to the public IP addresses declared in the pool PUBLIC_ADDRESSES and to use the overload feature
a. In the overload configuration found in page 93 we were using the interface Ethernet 0/1 keywords instead of the PUBLIC_ADDRESSES pool , because we were using the IP address of the router interface and not a pool of public IP addresses ( in our example 2 public IPs )
b. If we don't use the overload keyword then only 2 clients can access the internet , because we only have 2 public IP addresses available in the pool PUBLIC_ADDRESSES
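The three NAT styles of this section ( static port mapping for the web server , dynamic 1-to-1 NAT from the 2-address pool , and overload on the single interface address ), as an added Python model that is not part of the original notes. The Nat class and its method names are chosen here; the inside hosts and source ports are constructed, while the public addresses are the ones used in the section above.

```python
class Nat:
    """Model of 'ip nat inside source' behaviour: dynamic 1-to-1 NAT from a
    pool, NAT overload (PAT) on one address, and static port mappings."""

    def __init__(self, pool, overload):
        self.pool = list(pool)    # inside global addresses (the 'ip nat pool')
        self.overload = overload  # the 'overload' keyword
        self.static = {}          # (global ip, global port) -> (local ip, local port)
        self.outbound = {}        # (local ip, local port) -> (global ip, global port)
        self.inbound = {}         # reverse of outbound
        self.host_map = {}        # dynamic NAT only: local ip -> global ip

    def add_static_port(self, local_ip, local_port, global_ip, global_port):
        """ip nat inside source static tcp LOCAL LPORT GLOBAL GPORT"""
        self.static[(global_ip, global_port)] = (local_ip, local_port)

    def translate_outbound(self, local_ip, local_port):
        """Translate an inside-to-outside flow; None means no pool address
        is left and the packet is dropped."""
        key = (local_ip, local_port)
        if key in self.outbound:
            return self.outbound[key]
        if self.overload:
            # PAT: every inside host shares the first pool address and the
            # translations are told apart by the global port
            global_ip = self.pool[0]
            global_port = self._free_port(global_ip, local_port)
        else:
            # dynamic NAT: one pool address per inside host, port unchanged
            if local_ip not in self.host_map:
                in_use = set(self.host_map.values())
                free = [ip for ip in self.pool if ip not in in_use]
                if not free:
                    return None  # pool exhausted: only len(pool) clients get out
                self.host_map[local_ip] = free[0]
            global_ip, global_port = self.host_map[local_ip], local_port
        self.outbound[key] = (global_ip, global_port)
        self.inbound[(global_ip, global_port)] = key
        return self.outbound[key]

    def _free_port(self, global_ip, preferred):
        """Keep the client's own source port when it is free, otherwise pick
        the next unused one; static mappings reserve their port."""
        taken = {p for ip, p in self.inbound if ip == global_ip}
        taken |= {p for ip, p in self.static if ip == global_ip}
        if preferred not in taken:
            return preferred
        port = 1024
        while port in taken:
            port += 1
        return port

    def translate_inbound(self, global_ip, global_port):
        """Outside-to-inside: static mappings first, then existing
        translations; None means no mapping exists and the packet is dropped."""
        key = (global_ip, global_port)
        if key in self.static:
            return self.static[key]
        return self.inbound.get(key)


if __name__ == "__main__":
    # Pool of 2 addresses without overload: the third client gets nothing.
    dyn = Nat(["68.110.171.99", "68.110.171.100"], overload=False)
    for host in ("192.168.10.11", "192.168.10.12", "192.168.10.13"):
        print(host, "->", dyn.translate_outbound(host, 51000))
    # Single interface address with overload plus the web server mapping.
    pat = Nat(["68.110.171.98"], overload=True)
    pat.add_static_port("192.168.10.50", 80, "68.110.171.98", 80)
    print(pat.translate_outbound("192.168.10.11", 51000))
    print(pat.translate_outbound("192.168.10.12", 51000))  # same source port
    print(pat.translate_inbound("68.110.171.98", 80))      # reaches the web server
```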
• Remote access :
The remote access style is used to connect homes or laptops to the office
A remote access client is usually installed on those home PCs and laptops , and it's called the VPN client
Once the VPN client is authenticated with the office , the home PC or laptop is connected to the office securely and the traffic is sent encrypted
We can use this style to connect an IP phone at home and use that phone as if I'm sitting in the office
SSL VPN ( web VPN ) : instead of installing a VPN client on the laptop or home PC we use SSL VPN ; the function of SSL VPN is to let the router generate a website that asks the user for a username and password , and once the user authenticates with the website the router installs a mini VPN client on your laptop or home PC for as long as you are connected to that VPN ; once you are disconnected from that VPN the mini VPN client is removed
• IPSEC :
IPSEC is the security protocol of VPN (IPSEC does the encryption on VPN).
IPSEC works at the transport layer (it's another protocol like TCP, UDP, IP).
IPSEC contains 4 categories:
1. Encryption protocols :
Encryption protocols are used to secure the data.
The weaker the encryption, the faster the connection and the less
processing on the router.
The stronger the encryption, the more secure you are, but there is more
overhead on the router.
The encryption protocols are DES (weakest), 3DES, AES (strongest).
2. Authentication protocols :
Authentication protocols make sure that data isn't changed while it is
transferred from one end to the other; authentication protocols stop man-in-
the-middle attacks (some intruders may spoof the traffic (send fake
traffic) when we send traffic through the VPN).
The authentication protocols are: MD5, SHA-1
3. Protection protocols :
When somebody sends traffic on the VPN connection it is sent as
encrypted (scrambled) data. Both ends of the VPN connection must have the
encryption/decryption keys to understand the encrypted data that was
transferred, and both ends of the VPN connection must have the same encryption
keys to understand that encrypted traffic. Protection protocols transfer those
encryption keys from one end to the other without being attacked by man-in-
the-middle attackers.
The protection protocols are: DH1 (Diffie-Hellman), DH2, DH5, DH7
4. Negotiation protocols
The negotiation protocols are: AH (authentication header; this protocol
can't do encryption), ESP (encapsulating security payload; this protocol can
do encryption, authentication and protection), ESP+AH
Negotiation protocols are the changer of IPSEC: if we want only to have
authentication protocols (point 2) we use AH; if we want authentication,
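The four IPSEC categories above worked through in Python, as an added example that is not from these notes: Diffie-Hellman group 2 (the 1024-bit MODP prime of RFC 2409, assumed here as the "protection protocol") agrees on a secret, SHA-1 derives separate keys, an ESP-style packet carries an encrypted payload plus an HMAC-SHA1-96 integrity check, and any change in transit makes the receiver drop the packet. The SHA-256 counter keystream stands in for DES/3DES/AES (not in the standard library) and the packet layout is simplified.

```python
import hashlib, hmac, secrets

# DH group 2 (RFC 2409, 1024-bit MODP prime, generator 2): lets both VPN ends
# agree on keys without ever sending the keys themselves.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ICV_LEN = 12  # HMAC-SHA1-96: ESP keeps the first 96 bits of the SHA-1 HMAC

def dh_keypair():
    """Private exponent x and the public value g^x mod p sent to the peer."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Both ends compute the same secret; it never travels on the wire."""
    return pow(peer_pub, priv, P).to_bytes(128, "big")

def derive_keys(shared):
    """Separate encryption and authentication keys from the DH secret."""
    return (hashlib.sha1(b"enc" + shared).digest(),
            hashlib.sha1(b"auth" + shared).digest())

def keystream(key, n):
    """Stand-in for DES/3DES/AES (not in the stdlib): SHA-256 in counter mode."""
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def esp_protect(enc_key, auth_key, seq, payload):
    """ESP-style packet: sequence number + encrypted payload + ICV."""
    nonce = seq.to_bytes(4, "big")
    pad = keystream(enc_key + nonce, len(payload))
    body = nonce + bytes(a ^ b for a, b in zip(payload, pad))
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_unprotect(enc_key, auth_key, packet):
    """Check the ICV first (the 'authentication protocol'); reject any change."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None  # modified in transit (or wrong key): drop the packet
    nonce, ct = body[:4], body[4:]
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key + nonce, len(ct))))
```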
speak between the router and the service provider; it's a signaling protocol that the
ISP uses to send you statistics on the line, like information about the status and
the relative quality of your transmission (whether it is dropping packets or not); it can also be
used to send DLCI information.
DLCI (data link connection identifier): every site is identified by a DLCI, and it's the
equivalent of MAC addresses in Ethernet technology.
PVC (permanent virtual circuit): each PVC has its own CIR and has a recurring
monthly cost.
• How DLCIs work :
1. DLCIs are locally significant (you can have similar DLCI numbers in your design, but you can't
have the same DLCI number on the same interface in the same location).
Example
For R1
Router1 (config) # interface serial 0/1/0
Router1 (config-if) # ip address 192.168.1.1 255.255.255.0
Router1 (config-if) # no shutdown
Router1 (config-if) # encapsulation frame-relay
    this command is used to enable Frame Relay on the interface
Router1 (config-if) # frame-relay lmi-type cisco
    this command is used to configure which signaling to use between our router and the
    ISP router; in modern routers we don't need to run this command as they have the
    ability to auto-detect what signaling protocol is running. Instead of the cisco
    keyword we can specify the ansi or q933a signaling protocols.
Router1 (config-if) # frame-relay map ip 192.168.1.2 102 broadcast
    this command is used for every neighbor we have to connect to (we use this command
    to connect PVCs together, and as we have 2 neighbors we must have 2 frame-relay map
    commands); we specify the remote IP address to reach that network (in
For R1
Router1 (config) # interface serial 0/1/0
Router1 (config-if) # encapsulation frame-relay
    we don't specify any other command under the physical interface, as everything
    must be configured under the sub-interfaces only
Router1 (config-if) # no shutdown
    once we enable the main interface all the sub-interfaces will be enabled as well
Router1 (config-if) # exit
Router1 (config) # interface serial 0/1/0.102 point-to-point
    this command is used to configure a point-to-point sub-interface; we can replace
    the point-to-point keyword with the multipoint keyword (default)
Router1 (config-subif) # ip address 192.168.1.1 255.255.255.0
Router1 (config-subif) # frame-relay interface-dlci 102
    in the multipoint configuration we needed to specify the frame-relay map command
    and the broadcast keyword, plus we needed to disable split horizon; in point-to-point
Cisco means that the LMI type is Cisco, and it must match the other routers.
"status defined, inactive" means that this router is set up but the router
connected on the other side isn't configured yet; if it shows "status defined,
active" then both routers on both ends are configured and ready to
communicate; if it shows "status deleted, inactive" then the map we
configured on our router can't be recognized by the ISP (it doesn't exist).
2. router# show frame-relay lmi: this command is used to show whether the data link connectivity is
down and the signaling protocol (LMI type) between your router and the ISP (what we
care about most in this command is num status enq. sent vs num status msgs received; they
must be approximately the same. If num status enq. sent increases together with
num status timeouts then there is a mismatch in LMI type).
3. router# show frame-relay pvc: this command is used to show every DLCI we have on our router,
the status and stats of that DLCI (like how many packets were sent and how many
broadcasts were sent) and what interface it's on.
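The two troubleshooting rules above, the status pairs of show frame-relay map and the enquiry/timeout counters of show frame-relay lmi, applied by a small parser; this is an added example, not part of the notes, and the router output it reads is constructed in the style of those commands rather than captured from a real router.

```python
import re

# Constructed sample output in the style of "show frame-relay lmi" and
# "show frame-relay map" (not captured from a real router).
LMI_OUTPUT = """\
LMI Statistics for interface Serial0/1/0 (Frame Relay DTE) LMI TYPE = CISCO
  Num Status Enq. Sent 120              Num Status msgs Rcvd 4
  Num Update Status Rcvd 0              Num Status Timeouts 116
  Last Full Status Req 00:00:07         Last Full Status Rcvd 00:11:40
"""
MAP_OUTPUT = """\
Serial0/1/0 (up): ip 192.168.1.2 dlci 102(0x66,0x1860), static,
              broadcast,
              CISCO, status defined, active
Serial0/1/0 (up): ip 192.168.1.3 dlci 103(0x67,0x1870), static,
              broadcast,
              CISCO, status deleted, inactive
"""

def _counter(text, label):
    """Pull one integer counter out of the LMI statistics block."""
    m = re.search(re.escape(label) + r"\s+(\d+)", text)
    return int(m.group(1)) if m else 0

def diagnose_lmi(text):
    """Rule from the notes: status enquiries sent should roughly match status
    messages received; enquiries ending as timeouts point to an LMI type
    that does not match what the ISP switch speaks."""
    sent = _counter(text, "Num Status Enq. Sent")
    rcvd = _counter(text, "Num Status msgs Rcvd")
    timeouts = _counter(text, "Num Status Timeouts")
    lmi_type = re.search(r"LMI TYPE = (\w+)", text)
    healthy = timeouts == 0 and abs(sent - rcvd) <= 2
    return {"lmi_type": lmi_type.group(1) if lmi_type else None,
            "sent": sent, "rcvd": rcvd, "timeouts": timeouts,
            "verdict": "ok" if healthy else "possible LMI type mismatch"}

# Meaning of each status pair in "show frame-relay map", as the notes give it.
MAP_MEANING = {
    ("defined", "active"): "both ends configured, PVC ready",
    ("defined", "inactive"): "local side configured, remote end not yet",
    ("deleted", "inactive"): "DLCI not known to the ISP switch",
}

def parse_maps(text):
    """Return {dlci: (remote_ip, meaning)} from show frame-relay map output."""
    pattern = re.compile(r"ip (\S+) dlci (\d+)\(.*?status (\w+), (\w+)", re.S)
    return {int(dlci): (ip, MAP_MEANING.get((state, act), "unknown"))
            for ip, dlci, state, act in pattern.findall(text)}
```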
3. Global scope address: this type is used for the internet (this type of address is called internet
2; those are public addresses. With IPv6 every device in our network can have a global
scope address, unlike in IPv4).
• Unique-local (RFC 4193) / site-local (RFC 3513) addresses :
The new name of this type is unique local address; it was known before as site
local address.
This type is used within enterprise networks to identify the boundary of their
networks.
This type of address looks like the private addresses in IPv4.
Use the following format :
The first 3 bits (high-order bits) are set to 001 (2000::/3 = 001xxxx…::/3).
The primary addresses expected to comprise the IPv6 internet are from the 2001::/16
subnet (this block is assigned to the internet, to be public on the internet).
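Classifying an address by the high-order bits described above, as an added example (not from these notes) that uses Python's ipaddress module; it goes one step beyond the text by also recognising unique-local, the old site-local and link-local ranges, and the sample addresses are constructed.

```python
import ipaddress

def ipv6_scope(text):
    """Classify an address by its high-order bits: 2000::/3 (binary 001) is
    global unicast, fc00::/7 is unique local (RFC 4193), fec0::/10 is the
    old site-local (RFC 3513, deprecated by RFC 3879), fe80::/10 link-local."""
    addr = ipaddress.IPv6Address(text.split("/")[0])   # strip prefix length
    if int(addr) >> 125 == 0b001:                     # first three bits
        return "global unicast (2000::/3)"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique local (RFC 4193)"
    if addr in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (RFC 3513, deprecated)"
    if addr.is_link_local:
        return "link-local (fe80::/10)"
    return "other"

# Constructed sample addresses (not from a real network).
SAMPLES = ["2001:210:10:1::1/64", "1FE0:1111::1/32", "fd12:3456::1",
           "fec0::1", "fe80::1"]

def classify_all(addrs=SAMPLES):
    """Return {address: scope} for a list of addresses."""
    return {a: ipv6_scope(a) for a in addrs}
```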
Configuring IPv6
R1 (config) # ip routing
    this command is used to enable IP (TCP/IP) routing on the router; in newer routers
    this is enabled by default
R1 (config) # ipv6 unicast-routing
    this command is used to turn on IPv6 unicast routing (there is multicast routing and
    anycast routing as well, but in CCNA we are only concerned with unicast routing)
R1 (config) # interface fastethernet 0/0
R1 (config-if) # ipv6 address 1FE0:1111::1/32
    this command is used to assign an IPv6 address to this specific interface
R1 (config-if) # no shutdown
R1 (config) # interface serial 0/0
R1 (config-if) # ipv6 address 2001:210:10:1:1/64
2. Tunneling :
a. 6 to 4
b. 4 to 6