CCNA Journey

A CCNA Journey 1
Cisco ccna/ccent interconnecting Cisco networking devices part 1
1. Welcome to Cisco ccent ( 35:26 mins )

To check details about certifications go to www.cisco.com/certification
ICND2 is called as well CCNA
Ccent ( ICND 1 )
2. Foundation : what is a network ( 35:32 mins )

network : collection of devices that can communicate together
lan : PC + switch to connect together
router : used to connect different lans together
• difference between internet and wan
1) internet :
public network
no security
no guarantee
antee services
can be used to connect different
offices
2) wan :
private network
security
guarantee services because we
pay AT&T as an example to
maintain
ntain our links through the
AT&T network ( those links are
fast but the problem is they are
costly )
• When we run a network that contains applications we care about the following :
1. Speed :
Bit = o or 1 ( binary )
Byte = 8bit ( character ) , as an example if we type the letter W , that letter
represent 8 bit or a byte , another example is the word WAS represent 3 bytes
W = 1 byte = 8 bit = 00101010 as an example
Kilobyte = 1024 byte
Megabyte = 1024 ki kilobyte
Gigabyte=1024 megabyte
Terabyte = 1024 gigabyte
Disclaimer: – This is an excerpt from CCIE journey

A CCNA Journey 2
Bit
Multiply 8 ( X 8 ) byte Bit X 8 = byte
Multiply 1024 ( X 1024 ) Kilobyte Byte X1024 = kilobyte
Multiply 1024 ( X 1024 ) megabyte kilobyte X1024 = megabyte
Multiply 1024 ( X 1024 ) gigabyte megabyte X1024 = gigabyte
Multiply 1024 ( X 1024 ) Terabyte gigabyte X1024 = terabyte
All the network is tied to Bits , as an example a modem speed 56kbps means 56 kilo bits
per second ( this is called also the throughput )
Kbps
ps = kilo bit per seconds
kBps
ps = kilo byte per seconds
lan links speeds are in general : 10Mbps , 100mbps , 1000mbps
wan links speeds are in general : 56kbps , 1.544mbps ( T1 ) , 100mbps ( as you notice wan
link speeds are slower than lan link speeds )
2. delay : like what happens in voice over ip (VOIP ) , ip phones found in the network is
an example of the delay that happens
3. availability : availability of the bandwidth
• network designs ( topologies ) : ways of connecting your devices together
1. bus topology : The problem of this topology
is if the thick line went down then we lose a
group of devices
2. token ring topology : There is a token ring

that is arrived to each device and grapping
the data sending or receiving and delivering
to each device
3. star topology ( most used nowadays ) : It

looks like a star, there is a switch in the
middle and all other devices (PC) connected
to it

A CCNA Journey 3
Examples:
3. Foundations in the OSI world (43: 30 mins)

• OSI functions :
1. Helps break down network functions
2. Create standards for equipment manufacturing
3. Allows vendors to focus in specialized areas of the network
4. To memorize the OSI model use one of the following :
5. Please do not throw sausage pizza away
6. All people seems to need dominos pizza
OSI Model :
Layer name Remarks
Application layer • It provides an interface that allows applications to communicate
across the network like email system , online games or a browser
Presentation layer • The data becomes formatted in a general format that is
understandable by any server communicating to like if you are
going to www.google.com , that site is formatted in a general
format ( HTML ) and maybe it contains a picture
icture ( JPEG format ) ,
HTML and JPEG are generic formats that are understood by all
Generic encryption services like what’s used on online banking
sites
Session layer • It starts and ends a session
• Logically keeps sessions separate
Transport layer • Describes how the data is sent , we can send the data reliably or
unreliably ( TCP is a reliable protocol and UDP is an unreliable
protocol )
• Define well known services ( ports )
Network layer • Provides logical addressing ( ip addresses ) ( when you assign an ip

A CCNA Journey 4
address it happens in this layer )

• Finds best path to a destination
• Routers work here
Data link layer • Provides physical addressing ( Mac address ) , Mac address is the
address of network interface cards ( NIC )
• Ensures data is error free , it ensures that the packet once it has
been sent to once it has been received it won’t be changed (
packet won’t change during its travel from source to destination )
• Switches work here
Physical layer • Provides access to the cable
• Electrical signals , ones and zeros ( 0 or 1 )
• Physical connections like cables , network cards , wan interfaces
In Cisco , application , presentation and session layers are least important because its handled
by windows
Reliable protocol ( TCP ) means once you send a message to a server that server replies back
with an ACK packet , in case the sender didn’t receive an ACK packet from the server then the
source will resend the packet until it receives the ACK packet
Unreliable protocol ( UDP ) is used with real time applications like VOIP or video over IP ( as an
example streaming a movie on the network ) , in case a packet is dropped we will then have
some glitches in video or the voice goes scramble in the unreliable protocol we don’t care if
the packet was dropped or not
MAC address is used to allow computers to communicate on the network
Ports are used to designate what service you are trying to access as an example maybe a
server has a DB and email system on it , to differentiate between those two features we use
ports to designate which service to use
Transport layer chooses reliability protocols ( TCP or UDP ) and port numbers
• OSI model in real world :
Example: a client wants to access Cisco website
Client information: ip address 10.1.1.5
Mac address: 00a0151189f2
Server information: ip address 200.1.1.1(cisco.com)
Source Destination
Application layer Send me a webpage ( get Cisco web site ) Application layer
Presentation layer Package it in http Presentation layer
Session layer Creating an own session for requesting Session layer
Cisco site Transport layer
Transport layer Use TCP protocol ( because http uses TCP Network layer
in general ) plus specify the source and Data link layer
destination ports , the source port is the Physical layer
web browser port ( its dynamic as an
example 1098 and the destination port is
80
Network layer It adds source and destination ip address

A CCNA Journey 5
Data link layer It adds source and destination Mac

address
Physical layer Putting all the information on wire
Mac address Mac address

0089:1111:2222 0089:1111:3333
• Notes about the example above:
All the 7 steps are done in a reverse way on the destination side starting from the
physical layer going up to the application layer
The Mac address changes when the packet is sent from the source to the
destination
At 1st the source Mac address will be 00a0151189f2 and the destination will be
0089:1111:2222
2nd the source Mac address will be 0089:1111:2222 and the destination will be
0089:1111:3333 and so on until it arrives to the destination
The ip address don’t change from the beginning of sending the packet to its arrival
at the destination the source ip address is 10.1.1.5 and the destination ip address
is 200.1.1.1
Ipconfig/all command is used to show the Mac address in hexadecimal
Netstat –n command is used to show all the open sessions from my computer by ip address
only
Netstat command is used to show all the open sessions from my computer in general
4. basic TCP/IP : addressing fundamentals ( 39: 42 mins )

• how OSI and TCP/IP models relate together :
OSI model describes how network communicates
TCP/IP model describes how network communications actually happen
OSI model TCP/IP model (department of defense model) (DOD)

Application layer Application layer
Presentation layer
Session layer
Transport layer Transport layer
Network layer Internet layer
Data link layer Network access layer
Physical layer

A CCNA Journey 6
NOTE: there is a page that describe the correlation between the 2 models
• Ip address format
1. The ip address has 4 octets , it’s always combined with a subnet mask and a
default gateway
2. The subnet mask dictates which portion of the IP address identifies the network
and the host , in the subnet mask the number 255 represents a network and the
number 0 represents a host
Example:
Ip address: 172.30.3.82 (those represent 4 octets)
Subnet mask: 255.255.255.0
Default gateway: 172.30.3.1
Every interface on the router represents a network ( connected to a specific network )
Example:
If 10.1.1.10 wants to communicate with 10.1.1.11 it sends an address resolution protocol (

ARP ) to know the ip address of the destination , ARP is a broadcast message , once
10.1.1.11 receives the ARP message it will respond back with its MAC address , then
10.1.1.10 starts transferring data to 10.1.1.11
Computers don’t start talking with other computers directly it must use data link
addresses at 1st (MAC address)
If 10.1.1.10 wants to communicate with 10.5.5.100 , we can’t use ARP because they are on
different networks and the routers DON’T forward broadcasts , so the source address will
forward the packet to the default gateway ( there will be an ARP process but only to send
the packet to the address of the default gateway )
Step 1: source ip address: 10.1.1.10 source MAC address: MAC 10.1.1.10
Destination ip address: 10.5.5.100 destination MAC address: MAC router interface 10.1.1.1
Step 2: the router checks based on the routing table it contains so that it can know how to reach
10.5.5.100

A CCNA Journey 7
Source ip address: 10.1.1.10 source MAC address: MAC router interface 10.2.2.1
Step 3: source ip address: 10.1.1.10 source MAC address: MAC router interface 10.3.3.1
And so on until the packet reaches 10.5.5.100
• Default address classes :

1. Class A :
1st octet of the ip address is in the range 1-126 ( as an example 10.5.1.1 )
Subnet mask 255.0.0.0
Hosts available In this class is 16777214 ( Cisco recommends to have 500 hosts per
network
2. Class B :
1st octet of the ip address in the range 128-191 ( as an example 150.51.233.1 )
Hosts available In this class is 65536
3. Class C :
1st octet of the ip address in the range 192-223 ( as an example 220.1.50.63 )
Hosts available In this class is 254
Any address starts with 127 in the 1st octet field is a loopback address ( 127.x.x.x )
• Public addresses VS private addresses :
1. Public addresses are usable on the internet and internal networks and they are provided
by the ISP
2. Private addresses are usable on internal networks only , there are 3 ranges of private
addresses :
Class A : 10.0.0.0-10.255.255.255
Class B : 172.16.0.0-172.31.255.255
Class C : 192.168.0.0-192.168.255.255
The loopback range is 127.x.x.x and its used for testing purposes only
Network address translation ( NAT ) is used to allow people to share public addresses to surf
the internet ( as an example using one public ip address for several computers instead of using
multiple IP addresses for each computer )
Auto configuration range ( APIPA ) is 169.254.x.x and its used if a host can’t get an ip address
automatically from a DHCP server
5. Basic TCP/IP: TCP and UDP communication (23:20 mins)
Basic difference between TCP and UDP protocols :

TCP ( transmission control protocol ) UDP ( user datagram protocol )
Build connections : when sending packets it Connection less : when sending packets you
creates sessions and uses 3 way handshake in don’t know if the packet is dropped or not ( it

A CCNA Journey 8
its sending doesn’t care if the packet arrives or not )

Uses sequence numbers Best effort delivery ( used with real time
applications like VOIP )
Reliable protocol : it uses ACK packets , if tthe Unreliable protocol
sender didn’t receive an ACK packet it will
resend the packet until it receives the ACK
packet
• TCP 3 way handshake process :
1. Source sends SYN packet to the destination
2. The destination sends back a SYN SYN-ACK
ACK packet to the source to acknowledge that it
received the packet
3. The source sends back an ACK packet to the destination to acknowledge receiving
the SYN-ACK
ACK packet
After those 3 way handshake the communication starts , every time you open a
website as an example you must enter the 3 way handshake process
• Sequence numbers :
TCP windowing : it increases the number of data sent based on how reliable it detects the
th
connection

A CCNA Journey 9
Example:
3.
Sequence numbers reflect how many bytes a computer is sending at once , because that in
real life it appears as big numbers
6. Basic TCP/IP: understanding port numbers (17:17 mins)
Ports are used to separate different applications used on my computer ( as an example

one server that contains two services like a DB and an email system , if we want to
differentiate between those two services we specify the port number )
Port numbers aree used to specify which session to use in sending or receiving packets
Socket = ip address : port number ( example 10.5.1.100:80 , this is called together socket )
0-1023
1023 are considered well known ports ( reserved and can’t be assigned )
• Well known TCP/UDP /UDP Port numbers :
TCP ( transmission control protocol ( 0-65535) UDP(( user datagram protocol ) ( 0-65535 )
Port 21 : FTP ( file transfer protocol ) port , used Port 53 : DNS client port ( as an example this
for sending and receiving files port is used if I’m using my pc to retrieve the ip
address of www.yahoo.com when I type it in
any browser
Port 80 : http port Port 69 : TFTP ( trivial file transfer protocol
protoco )
port , used to send and receive from Cisco
devices
Port 110 : pop3 ( post office protocol ) port ,

A CCNA Journey 10
used for receiving emails

Port 443 : https port
Port 22 : SSH port , its considered encrypted
telnet
Port 23 : telnet port , this is considered non
secure
Port 25 : SMTP ( simple mail transfer protocol )
port , used for sending mails
Port 53 : DNS server port , used so that servers
can resolve names to ip addresses
7. Basic TCP/IP: the tale of two packets (20:47 mins)
If the packet is sent locally on the same network the source uses the ARP to know the MAC
address of the destination
If the packet is sent on a different network , it doesn’t use ARP because the router doesn’t
forward broadcast packets ( ARP ) , so the packet is sent to the default gateway ( interface of
the router ) , in this case only an ARP packet is sent but not to know the destination MAC
address instead its sent to know the MAC address of the router interface ( default gateway )
8. LANS: welcome to Ethernet (22:31 mins)
Ethernet speed is measured in bits per second ( bps ) not bytes per second ( Bps ) ( as an
example Ethernet speed = 10 Mbps not 10 MBps )
• Ethernet operates in physical layer and data link layer :
Data link layer Logical link control ( LLC ) layer : it picks
which direction it will go in the network layer
Media access control ( MAC ) layer : this sub
layer defines the addressing used by Ethernet
( it defines the MAC addresses )
Physical layer : examples of the physical
standards are CAT 5 and RJ45 connections ,
wireless and fiber optic
CSMA/CD ( carrier sense , multiple access / collision detection ) , CSMA/CD is a set of rules
governing how you talk on an Ethernet network :
Carrier : the network signal
Sense : the ability to detect if there is a carrier signal ( in general Ethernet devices
detects the carrier signals )
Multiple access : all devices have equal access
Collision : what happens if two devices send at the same time
Detection : how the computers handle collisions when they happen
Any Ethernet device like a switch port or a NIC must support CSMA/CD

A CCNA Journey 11
Ethernet uses CSMA/CD and token ring uses CSMA/CA ( carrier sense multiple access
/collision avoidance ) , in token rings there won’t happen a collision at all because the is
only one token available – only one device sends at a time –
• Methods of communication :
1. Unicast message : when one computer wants to send to another computer
2. Broadcast message : one message sent to all (example : an ARP packet, it will go
out all of the switch ports except the one it received on )
3. Multicast message : one message sent to group of devices , the message is arrived
to a group of computers if they were members of that multicast group , the main
advantage of multicast messages is it helps with reducing the consumption of
bandwidth available
Example of using multicast : the radio stream , if this radio stream uses unicast messages then it will
use a lot of bandwidth to maintain a link for each PC running that radio channel and if it’s using
broadcast messages then the network will be flooded so the best solution for radio streams is to use
multicast messages
• MAC addresses : the official explanation
9. LANS: understanding the physical connections (18: 17 mins)
• Ethernet cables :
Category 5 ( CAT 5 ) Multi mode fiber Single mode fiber
unshielded twisted
pair ( UTP )
Maximum distance 100 meters 275 meters to a few miles 1 mile to many
miles
Connection type RJ – 45 ( a famous type Varies , this type is better Varies

A CCNA Journey 12
of CAT 5 is CAT5e than single mode as :

it sends multi
signals through
the path
it’s cheaper and
its lower in cost
• cabling standards :
Color number 1 2 3 4 5 6 7 8
/cabling standard
T568-A Green green Orange blue Blue orange Brown Brown
strip strip strip strip
T568-B Orange orange Green blue Blue green Brown Brown
strip strip strip strip
straight through connection = T568A+ T568A OR T568B+T568B
cross over connection = T568A+t568B
You can do a customized cabling standard but in this case it won’t support the maximum
standard distance of CAT 5, which is 100 meters!
• Ethernet connection rules :
1. Unlike devices use straight through cables
Examples: PC connected to a switch, router connected to a switch, PC connected to a HUB, router
connected to a HUB
2. Like devices use cross over cables
Examples: PC connected to another PC, router connected to another router, PC connected to a router,
switch connected to another switch, HUB connected to another HUB, switch connected to a HUB
Like devices are :

1. PC , Router
2. Switch , HUB
10. LANS: understanding LAN switches (19: 46 mins)
• HUBS :

only regenerates the signal ( a packet that is sent is received for all )

hub= 1 collision domain and 1 broadcast domain

Hub is also called shared CSMA/CD

the problem of a hub is only 1 device can send or receive at a time , in case a
collision occurred ( two devices sent at the same time ) one of the devices who
detected the collision will send a jam packet to stop all the network
communications
the more the devices on a hub the more the chance of a collision to happen
hubs work on physical layer
collision domain : how many devices can send and receive at the same time

A CCNA Journey 13
broadcast domain : how far a broadcast will travel before it stops

• bridges :
bridges are software based
number of collision domains = number of ports on the bridge
bridges are slow in general
bridges has the capability to learn MAC addresses
bridges have a low number of ports
bridges work on data link layer
• switches :
switches support full duplex communications , each port connected to a device
can send and receive at the same time ( no collisions happens at all with switches )
switches are hardware based , its application specific integration circuitry ( ASIC )
devices
number of collision domains = number of ports on the switch
switches work on data link layer
example on full duplex link , if we have 100 mbps link speed , that means it is 200mbps full
duplex ( 100mbps to send data and 100mbps to receive data )
how a switch work : once the switch 1st boot up it starts building its CAM ( content access
memory ) table
Example:
11. LANS: working with the Cisco switch IOS (29:15 mins)
• what is the Cisco IOS :

1. the internetwork operating system
2. a command line method of configuring a Cisco device

A CCNA Journey 14
3. software that is consistent through nearly all Cisco devices

4. learn it once , use it many times
5. more powerful than any graphic interface
• connecting to the Cisco switch :
1. get a console cable
2. plug the serial end into the back of your PC
3. plug the RJ 45 end into the console port on the switch
4. get a terminal program like :
hyper terminal
teraterm
minicom
securecrt
5. set it to connect via com port with the following configurations :
baud rate : 9600
data bits : 8
parity : none
stop bits : 1
Flow control : none
• Tips about the commands in the Cisco IOS:
If you type ? at any sentence in the IOS it will show you a full list of commands , after that
press ENTER to go sentence by sentence , press SPACE to go page by page and finally you can
press ANY CHARACTER to get out of the help system
Router#c? In this way the ? will show all the commands that start with the letter C
If we typed ? and found <CR> , that means carriage return and it means there are no
commands left to include in the command we type
In the help system if you find any word with capital letters that means its variable and you
need to enter something to fill that variable
Example:
Router#clock set 13:16:30 ? Say we want to enter a month name instead of
<1-31> day of the month entering a number (1-31) the command
MONTH month of the year then will be: Router#clock set 13:16:30 September
You can use the TAB key on the keyboard to auto complete the command
If we typed any command and had the message incomplete command , then that means that
there is a missing parameter
If we typed any command and had the message ambiguous command , then that means that I
typed a command in an incomplete way ( I must type it in a full way because there would be
properly more than a command that have the same start , For instance, you could type "qu,"
but that would be an ambiguous command because both "quit" and "quote" are valid
commands
If we typed any command and had the message unrecognized command , then that means
that I typed the command in the wrong mode

A CCNA Journey 15
Router# show history , this command is used to check all the commands I typed before , it
memorizes up to 10 by default and this value can be changed
• IOS modes :
1. Switch > this is called user mode ( user exec ) , only basic show commands , telnet commands
and pin command can be run in this mode
2. Switch # this is called privileged mode ( privileged exec ) , from user mode you type the
command ENABLE to enter this mode , you can view anything in this mode like viewing the
current configuration of the switch/router
3. Switch (config) # this is called global configuration mode, in this mode we can configure global
command, and those global commands globally affect the switch/router, as an example if you
type switch (config) #hostname …. Command this will change the hostname of the
router/switch , to enter this mode you type from the privileged mode config terminal switch #
config terminal
4. Switch (config-if)# this is called interface configuration mode , any command typed in this
mode affect a specific interface only , to enter this mode you type as an example the
command switch (config ) # interface fa0/0 from global configuration mode
Switch (config-if)# end , this moves you back to privilege mode from interface mode
If you type the command EXIT in any mode it will move you back one step
CTRL+Z , moves you back to privilege mode from any mode
CTRL+E , moves the cursor to the end of the line
CTRL+A , moves the cursor to the beginning of the line
12. LANS: initial setup of a Cisco switch (35:03 mins)
• Understanding the physical indicators on the switch ( the lights ) :

1. System indicator : if its green then its good , if its amber ( yellow ) that means there is a
problem , usually after booting the switch the system indicator gets solid green
2. Rps ( redundant power supply ) indicator : in case we connected both batteries found in the
switch to electricity it will get solid green ( that means the switch is power redundant )
3. Mode button : this gives us the option to choose a specific mode for the switch
Stat mode : this is the default mode , this shows on the switch the status of the port ,
if as an example a port is plugged in it will show a green light
Util mode : this shows on the switch the utilization status of the switch , as an
example if the switch is 10% utilized then the 1st 4 ports of the switch will show green ,
if the utilization of the switch is 100% then all the ports are lit green , this mode only
shows how much throughput is going through the switch
Duplex mode : this mode will show the duplex status for each port on the switch , if
the port is lit green it means that the port is configured as full duplex and if the port
isn’t lit then it means that the port is configured as half duplex mode
Speed mode : this mode shows the speed of each port on the switch , if the speed of
the port is 100mbps then it will be lit green and if its 10mbps it won’t be lit green

A CCNA Journey 16
• Once you boot the switch you will notice the following on the screen (IN ORDER!):
the MAC address of the switch
the flash that have the IOS
the decompression process for the IOS and copying the IOS information to the
NVRAM
The switch model , the IOS version and the .bin flash name
It shows the test process for the internal parts
It shows the memory of the switch , as an example 65526K/8192K
It shows how many interfaces are installed
It shows how much NVRAM is found ( this is where the switch stores its
configuration)
At the end of the boot process it will ask you to enter the initial setup wizard or
not
Enable secret and enable password commands allows you to protect the privilege mode
Router (config) # enable password PASSWORD
Router (config) # enable secret PASSWORD
CTRL+C command is used to exit the initial setup wizard mode
Router ( config ) # hostname NAME command is used to change the hostname of the router
• General information about VLANS :
Number of VLANS = number of broadcast domains
Using VLANS , each VLAN is isolated from others
by default VLAN 1 is created and all the interfaces in the switch are assigned to
that default VLAN ( VLAN1 )
To configure a management IP for the switch we need to configure interface VLAN 1 :
Interface vlan1 is a virtual interface that is used in general for configuring an IP address for
the switch to have the ability to telnet to that particular switch , in general all members of
VLAN1 can reach interface VLAN 1
To have the ability to telnet to a switch we need to configure an ip address and a default
gateway
To configure an ip address and a default gateway for the switch :
Switch (config) # interface VLAN 1
Switch (config-if) # ip address 172.30.2.180 255.255.255.0 (this to configure an IP)
Switch (config - if) # no shutdown
Switch (config) # ip default-gateway 172.30.2.1 (this is to configure a DG)
Switch # Show interface VLAN 1 command is used to see the status of the interface VLAN 1
and the ip configured for that particular switch , if we ran that command and noticed the
following : VLAN1 is administratively down , line protocol is down (VLAN1 is administratively
down means that the port is shutdown and we need to enable it with the no shutdown
command - Switch (config - if) # no shutdown - and it shows the physical state ( physical layer
state ) , line protocol is down shows the data link state ( data link layer state )
Switch # show running-config command ( switch # show run ) is used to show the current
configuration ( running-config is the configuration found in the RAM ) , if the switch goes

A CCNA Journey 17
down we will then lose this configuration because that we save all the running- config
configuration to the startup-config ( startup-config is the configuration found in NVRAM – non
volatile RAM - )
Switch # show startup-config command is used to show the startup configuration ( startup-
config is the configuration found in the NVRAM)
Switch # show version command is used to show the model of the switch , current IOS version
that is running on the switch , how long the switch was up and running , model number of the
switch and the memory available on the switch
Switch# copy running – config startup – config command is used to copy the configuration
from the RAM to the NVRAM so that if the switch went down we won’t lose the configuration
13. LANS: configuring switch security, part 1 (37: 08 mins)
If you don’t set password on the switch it won’t allow you to telnet to it until you set one
User mode passwords are passwords on telnet ports ,console ports and auxiliary ports
Privilege mode passwords are passwords configured using the commands switch ( config ) #
enable password PASSWORD and switch ( config ) # enable secret PASSWORD
Switch ( config ) # enable password PASSWORD command is used to enable security on the
privilege mode ( #) ( enable privilege mode password ) , the problem of this command is it
appears in the Switch # show run as plain text
Example:
> enable
Password:
#
Switch (config ) # enable secret PASSWORD command is used to enable security on the
privilege mode ( #) ( enable privilege mode password ) , this command appears in the Switch #
show run as hashed or encrypted , the Switch (config ) # enable secret PASSWORD command
supersedes Switch ( config ) # enable password PASSWORD command
To do a quick backup for the switch /router we copy the running configuration to a notepad
and if we want to restore that configuration back we just enter to the global configuration
mode and paste it there
Switch # show run command is used to view the configured passwords ( privileged mode
password and user mode passwords) , in general telnet passwords , console passwords ,
enable password and auxiliary passwords appears in plain text and enable secret password is
the only one that appears encrypted
Based on the previous point if we want to encrypt all the passwords that appear in the Switch
# show run command we use the Switch (config ) # service password-encryption command
Example:
Switch # show run
Enable secret 5 2nbjhb/$ksjh this is called level 5 encryption (MD5 hashing)
!

A CCNA Journey 18
!
Line con 0
Password 7 234shdj this is called level 7 encryption, this is weak and can be
Broke easily (you can Google for a BREAK CISCO PASSWORD)
To protect privilege mode (#) with a password we use the Switch (config ) # enable secret
PASSWORD command or Switch ( config ) # enable password PASSWORD command
To protect user mode (>) with a password we secure the telnet ports , the console port and
the auxiliary port
To configure a password on the console port :
Switch (config) # line con 0
Switch (config- line) # password PASSWORD assigns a password to console
Switch (config-line) # login to inform the router to ask for a password
To configure a password on the telnet ports :
Switch (config) # line vty 0 4
Switch (config- line) # password PASSWORD
• Notes:
Switch ( config-line )# login command in telnet is configured by default , this
command gives you the prompt password required none is set in case we didn’t
configure a password , or password : in case we configured a password
If we configured the command Switch ( config-line )# no login then you can
enter the switch using telnet without prompting you for entering a password
Vty ports are ports that accept telnet sessions , as an example if we configure the
command Switch ( config ) # line vty 0 15 that means we are configuring for 16
telnet sessions ( this is the maximum the switch can handle ) , in this case 16 telnet
sessions can be active at the same time (16 people can telnet at the same time )
If we configure the command Switch ( config ) # line vty 0 1 then only 2 people will
be requested for a password and can telnet to the switch
• Logger banners :
1. Banner login : this banner is displayed when you login using VTY ( it appears before requesting
the user name and password )
2. Banner MOTD : this banner is displayed once you connect to the router directly , or you telnet
to the router or connect by console
Note: if you configure both the banner MOTD and the banner login, the banner MOTD will
appear before the banner login
Switch ( config ) # banner motd “ here I type anything I want it to appear “ command is used
to configure the banner MOTD , the “ is any symbol I can use but it must be the same at the
beginning and the end of the text I want to include
telnet is weak because it uses a password that can be caught by packet sniffers like wireshark
program
to configure telnet we only need to configure a password for it
SSH ( secure shell ) : it’s telnet plus encryption protocol

A CCNA Journey 19
• to configure SSH :
1. it needs a user name and password
2. assign a domain name that will be used to generate the encryption certificates
3. Generate RSA keys to secure the SSH sessions, the general template looks like: switch name.
Domain name( example : SW1.virus.com , SW1 is the switch name and virus.com is the
domain name )
4. specify which version of SSH to use
5. configure to use SSH instead of telnet
The following example will show how to configure SSH with specifying each point from above:
1. switch ( config ) # username USERNAME password PASSWORD

2. switch ( config ) # ip domain – name DOMAINNAME
3. switch ( config ) # crypto key generate rsa this command will request from us the size of the
Key to generate, the best to choose is 1024 (the
Default is 512)
4. switch ( config ) # ip ssh version 2
5. switch ( config ) # line vty 0 4
Switch (config) # transport input Ssh this command enables SSH and disables telnet,
The default command is switch (config) #
Transport input telnet and it’s enabled by default,
We can also enable both telnet and SSH using the
Command switch (config) # transport input telnet
Ssh
14. LANS: configuring switch security, part 2 (19: 00 mins)
switch # show ip interface brief command is used to show what ip addresses are configure and
what interfaces we have on the switch , it will appear as a table , in the table there is a column
called status that represents the physical layer and another column called protocol that
represents the data link layer
switch # terminal monitor command is used to display all the sys messages on the screen
while connected using telnet/ssh session
Example: 01:38:06: % sys-5-config-I configured from console by shady on VTY0 (172.30.2.50)
Console session will show those messages by default on the screen
switch # show Mac address-table command is used to show the MAC address table , it
contains static MAC addresses ( learnt manually by adding it to the table list) and dynamic
MAC addresses ( learnt automatically )
• port security :
port security is a way to lock down what devices can plug-in to the switch or how
many devices can plug-in to your switch

A CCNA Journey 20
using port security we can secure the port by MAC address so that only specific
computers can connect to specific ports
to configure port security :
Switch (config) # interface fastethernet 0/5
Switch (config-if) # switchport mode access this command is used to change the port mode to be
An access port (access ports are configured if we
An end device to that port like a PC or a router), in
Case this port is connected to another switch then we
Configure the port mode to be TRUNK
Switch (config-if) # switchport port-security this command is used to enable port security only
Switch (config-if) # switchport port-security maximum 1 this command means that the maximum
MAC addresses allowed connecting to
This port (interface) is 1 and because
Number 1 is the default this command
Won’t appear in the switch# show run
Results
Switch (config-if) # switchport port-security violation ?

This command is used to tell us what I will do if somebody violates my policy
? = 1) shutdown: it will shutdown the port and the only way to enable that port again is to run the
command switch (config-if) # no shutdown
2) Protect: based on our example if somebody attaches more than a device (more than a MAC
address ) to this port , it will just accept the 1st device and the other will be ignored and cant access
the network ( in other words it will just tell the new device that I’m sorry , I’m not listening to you )
3) restrict : restrict is like protect keyword plus logging the violation breach , this is used a lot just
to know who violated that port as it logs all the violations that happen on the port
NOTE: restrict and protect don’t shut down the port but they just ignore it
Switch (config-if) # switchport port-security Mac-address ?

This command is used to specify the MAC addresses allowed by learning them manually or learning
them automatically
? = 1) H.H.H: to specify a MAC address manually by typing it in the format H.H.H
2) Sticky: to learn the Mac address that is connected to the port automatically, the automatic
learnt MAC address will appear in the running config
Example: this is a sample running config file (NOTE: you won’t find the command switchport port
Security maximum as based on this example its using the default number so it won’t appear in the
Running config file):
Interface fastethernet 0/5
Switchport mode access
Switchport port-security

A CCNA Journey 21
Switchport port-security Mac-address sticky

Switchport port-security Mac-address sticky 0015.c5af.ea57 this appears automatically if we
Used the keyword sticky
switch(config-if)# do show run int fa0/5 , the DO command allow us to run any show
command from any mode instead of running it from privilege mode only
Switch # show port-security interface fastethernet 0/5 command is used to show port security
information for a specific interface
Example:
Switch # show port-security interface fastethernet 0/5
Port status: secure-up
Security violation count: 0
Last source address: VLAN: 0015.c5af.ea37:1
• Notes about the above example:
if the pc is connected to the port the port status will show secure-up and if the pc
isn’t connected to the port it will show secure-down and finally if the port is
shutdown and has been violated it will show us secure-shutdown
the security violation count shows how many violations happened on this port ,
restrict keyword will increase this count but protect keyword wont
the command switch # show port-security interface fastethernet 0/5 shows the
last Mac address that violated security
switch # show port-security command is used to show the port security information for all
interfaces
switch(config)# interface range fastethernet 0/2-24 this command is used to configure a
Range of ports at the same time with
the same configuration, this command
configures the ports 2-24
Switch (config-if-range) # switchport mode access
Switch (config-if-range) # switchport port-security
15. LANS: optimizing and troubleshooting switches (31: 44 mins)
by default each port on the switch is configured as auto duplex and auto speed ( it auto
detects the duplex and speed ) , most of the problems that happen on the switch isn’t from
detecting the speed but from detecting the duplex like duplex mismatch problem
Duplex mismatch is a problem that happens if one side is configured as half duplex and the
other side is configured as full duplex (a PC connecting slow is a result from duplex mismatch.
Another example is a switch that contains collisions because as we know there isn’t an
collisions found when we use switches but in case there is the problem would be properly a
duplex mismatch issue )
full duplex is to send and receive at the same time

A CCNA Journey 22
half duplex is to send OR receive at one time

collection of commands to know :
Switch (config-if) # duplex half command used to configure the port as half duplex
Switch (config-if) # duplex full command used to configure the port as full duplex
Switch (config-if) #speed 10 command used to set the speed to 10Mbps (NOTE that
There isn’t an available command for Ethernet ports, speed
Commands are only available for fastethernet ports or
gigabit Ethernet ports)
Switch (config) # line con 0
Switch (config-line) # logging synchronous
Switch (config-line) # exec-timeout 30 0
Switch (config-line) # exit
Switch (config) # line vty 0 4
Switch (config-line) # logging synchronous this command is used to make the
Log/status messages appear on the
Screen in separate lines instead of
Interrupting the commands we type
Switch (config-line) # exec-timeout 30 5 in general if you don’t type anything for
5 minutes then the session you opened
Will timeout and you will get
Disconnected, with this command you
Extend the time to 30 minutes and 5
Seconds
Switch (config-line) # no exec-timeout 30 0 this command is used in case you don’t
Want to disconnect your open session at
All (you cancel any timeout period)
domain lookup : this is a feature that allows you to type in privilege mode any word and the
router/switch start trying to translate that word to an ip address , but in general we disable
this feature using the command switch (config)# no ip domain-lookup
Example:
Before applying the command switch (config) # no ip domain-lookup
Switch# flow
Translating “flow” …. Domain server (255.255.255.255)
%unknown command or computer name, or unable to find computer address
Above it’s trying to resolve the word flow (properly a device on the network) to an ip address by
sending broadcast messages to know that ip address

A CCNA Journey 23
After applying the command switch (config

(config) # no ip domain-lookup
Switch# flow
%unknown command or computer name, or unable to find computer address
There isn’t any translation process now so no broadcast messages to be sent even
alias : in case we have a long command we can make an alias for it to use it instead of typing
that command every time
Switch (config) # alias exec s show ip interface brief
In this command we must specify the mode the actual command (show show ip interface brief) runs
in, here its privilege mode (exec) and the alias we chose is the letter (S)
• broadcast storms and STP ( spanning tree protocol )
•
• troubleshooting using show commands :

switch # show ip interface brief command will show you all the ports available on the switch
and the status of every port , if the protocol status is showing down then there is a data link
layer problem like mismatch encapsulation
switch# show interface fastethernet 0/2 command will show how you details about a specific port (
in this example fa0/2 ) like the Mac address , MTU , bandwidth , delay , reliability ( in general
this must be 255/255 , if the cable was flipping then this amount will decrease – that means
the flip cable won’t be reliable - ) , it also shows the duplex mode , speed , txload ( how much
load you are sending , if its 1/255 that means this port isn’t sending a lot ) and rxload ( how
much load you are receiving ) and finally it shows you how many bits per rate are received
rece and
sent ( input/output rate ) , how many packet was in/out from this port and how many
broadcast packets has been received
Example:

A CCNA Journey 24
If there is 17928 packets input and 14446 broadcasts received then the broadcast packets
would be 14446/17928=0.80=80% (80% of the packets are broadcasts), in general the
broadcast packets mustn’t be more than 20%
switch # show interface description command shows the ports of the switch, the status of
each port and the description ( what has been configured using switch (config-if)#description
DESCRIPTION command ) of each port , it also shows all the bad packets like runts , giants ,
input errors , CRC , frame , overrun , ignored and throttles , finally it shows you the total
packets output , collision and late collision
runts ( packets that are too small in size ) and giants ( packets that are too big in size ) are
dropped in general and they are resulted from bad connections
input errors , CRC and frames are resulted usually from a faulty NIC or switch port or if there is
any interference on the cable itself
late collision happens if the cable is too long ( longer than 100 meters for CAT 5 cables )
because if the cable is too long then the distance for the packet to arrive is long as well
collisions happens usually when there is a duplex mismatch
switch # show run command is the easiest way to check the current configurations
16. Wireless: understanding wireless networking (34:25 mins)

• types of wireless networks :
personal area network ( PAN ) : it uses a small radius feet like connecting a Bluetooth
set to a mobile device or connecting a wireless mouse
local area network (LAN )
metropolitan area network ( MAN ) like a point to point wireless bridges
wide area network (WAN ) like cellular networks
• wireless LAN facts :
1. a wireless access point (WAP ) communicates like a hub :
2. it has a shared signal ( in other words the more users connected to the wireless access
point the more bandwidth is used )
3. it acts as half duplex
4. uses unlicensed bands of radio frequency (RF ) , unlicensed means not managed
internationally ( no need to buy a license to use it ) , as an example if you go to a park and
the wireless that was available in that park is saturated , you can’t complain to anybody to
fix that issue because it doesn’t comply with any license
5. wireless is a physical layer and data link layer standard
6. facing connectivity issues because of interference
7. uses CSMA/CA instead of CSMA/CD ( like token rings ) as an example if a user wants to
send a packet it informs at 1st the whole wireless network that it will send a packet , when
the access point ( AP ) replies back to that user then that user can start sending
• unlicensed frequencies :

A CCNA Journey 25
1. 900 MHZ range : 902MHZ-928MHZ ( this is a low data rate and it covers big ranges ) , we don’t
find a lot of devices within this range because the lower the frequency ( lower data rates )
you have the further range you will get but that results to less bandwidth ( lower frequency=
further range = less bandwidth )
2. 2.4GHZ range : 2.400GHZ-2.483GHZ
3. 5GHZ range : 5.150GHZ-5.350GHZ ( this is a high data rate and covers shorter ranges )
• Understanding radio frequencies ( RF ) :
1. Radio frequency (RF) waves are absorbed ( passing through walls ) or reflected ( by metal )
2. Higher data rates ( high frequencies ) have shorter ranges ( the more speed you are using the
closer in you must be to the WAP )
3. In general the more you get far from the wireless access point the weaker the signal becomes
4. 802.11 ( wireless ) , 802.3 ( Ethernet )
• The 802.11 line up :
1. 802.11B:
Most popular standard ( more popular than 802.11A although 802.11A is better )
The speed reaches Up to 11MBps ( 1, 2,5.5,11 data rates )
Three clean channels available without any interference
It uses 2.4GHZ RF
2. 802.11G :
Backwards compatible with 802.11B
The speed reaches up to 54MBps ( 12 data rates )
Three clean channels available without any interference
It uses 2.4GHZ RF
3. 802.11A:
The speed reaches up to 54MBps ( 12 data rates )
12 to 23 clean channels available without any interference
It uses 5.8GHZ RF
Not cross compatible with 802.11B/G because 802.11A uses a different range ( 5.8GHZ
) than 802.11B/G(2.4GHZ )
NOTE: there is a page that describes wireless channels and the clean channels
Wireless access points ( WAP ) in general has a coverage of 300 feet without obstructions
ITU-R : international telecommunication union – radio communication sector , this regulates
the radio frequencies used for wireless transmission
Institute of electrical and electronic engineers (IEEE) maintains the 802.11 wireless
transmission standards
WI-FI alliance ensures certified interoperability between 802.11 wireless vendors
17. Wireless: wireless security and implementation (29:27 mins)

• Wireless dangers :

A CCNA Journey 26
1. War driving : is to drive your car in a neighborhood that have a wireless connection and
using that connection for free
2. Hackers
3. Employees : some of the employees may bring their own wireless access points and plug it
in the company network to have a wireless connection , those wireless access points are
called rouge wireless access points
• Wireless security : it’s in general a combination of authentication and encryption
1. Authentication : an example of authentication is to require a user name and password
or using certificates to accomplish the authentication process , ( examples of
authentication methods are 802.1x authentication and pre shared keys )
2. Encryption: anything sent on the network is encrypted to protect the data , ( examples
of encryption methods are WEP- wired equivalent privacy - , WPA – WI-FI protected
access – and WPA2 )
3. Intrusion prevention system ( IPS ) : is used to detect rouge wireless access points , if
IPS detects a rouge access point it will shutdown the port the rouge access point has
been connected to or the IPS will send you a message or email
• Evolution of wireless security
1. Originally : pre-shared key WEP : Pre-shared key is a system of security where you type a key
on the wireless access point and all the clients that join that wireless access point must type
that same key , In general pre-shared key method is weak because if one of the employers left
the company then you need to change that key on all the devices
2. Evolution 1 : pre-shared key WPA1 : This evolution improves the security from WEP
encryption to WPA1 encryption as WPA1 uses TKIP (temporal key integrity protocol) method
for the encryption and that is a bit strong compared to WEP encryption
3. Evolution 2 : WPA1 and 802.1x authentication : In general the 802.1x authentication concept
is when a device joins the wireless access point it sends to that access point a user name and
password or a certificate based on what authentication method the device is using , the
access point passes that user name and password or that certificate to a specific server to
check that this user name and password or this certificate is valid , after that the server sends
back to the access point that the user name and password or the certificate is valid , finally the
device join the wireless access point network
Each time a device is joined to the wireless access point several encryption keys (those aren’t
pre-shared keys) are generated using an encryption algorithm (every new session established
creates new encryption keys)
The advantage of 802.1x authentication is it’s a bit strong , let’s say for an example one of the
employees left the company we don’t need to change the key as we did in the pre-shared key
method instead we just disable the user account or the certificate that employee was using
from the main server
4. Evolution 3 : WPA2 ( 802.11I )and 802.1x authentication : this evolution improves the security
from WPA1 encryption and 802.1x authentication to WPA2 encryption and 802.1x
authentication as WPA2 uses AES (advanced encryption standard ) method for the encryption

A CCNA Journey 27
and that is a bit strong compared to WPA1 that uses TKIP ( temporal key integrity protocol )
method for the encryption
NOTE: evolution 2 and evolution 3 supports pre pre-shared keys as well
• Understanding the SSID :
The service set identifier (SSID ) uniquely identifies and separates wireless networks ,
SSID is the name of the wireless network
You can have a wireless access point that have multiple SSID as an example you can
have a wireless access point that have 2 SSID one is called public ( unsecured network
) and the other is called private ( secured netwo
network )
When a wireless client is enabled the following happens :
1. The client issues a probe ( request )
2. The wireless access point respond with a beacon ( on the client side all the available SSID
appears , in other words the client can notice the available networks )
3. The client associates with a chosen SSID ( the client joins the SSID that is held by the wireless
access point who have the strongest signal as may be this SSID is shared by multiple wireless
access points so the client joins itself with the on
onee who provides the strongest signal )
4. The wireless access point adds the client MAC address to its association table
If the signal goes weak then the client re issue another probe ( request ) , the closer wireless access
point with the same SSID will reply back to the client
• The correct design of a wireless LAN ( WLAN )
:
1. Radio frequencies ( RF) service areas should
have 10%-15% overlap ( this percentage can
be known by using fluke networks or
software sniffers )
2. Repeaters should have 50% overlap
3. Bordering access points should use different
channels
• Setting up a wireless network :
1. Pretest the switch port that will be used to
connect the wireless access point on it with a
laptop by testing DHCP service and DNS
service on that laptop while its connected to
that switch port
2. Connect the wireless access point to that
switch port
3. Setup and test the SSID that have been crea created
ted without configuring additional security
4. Add security ( WEP/WPA1/WPA2 ) to the wireless access point and test it
5. Add authentication ( 802.1x/pre
802.1x/pre-shared
shared key ) to the wireless access point and test it
18. Advanced TCP/IP: working with binary (25:51 mins)

A CCNA Journey 28
• IPv4 address :
IPv4 address can be one of 3 different classes : class A , class B and class C
When the IP address is combined with a subnet mask it defines a network and host
portion ( example : if we have the ip address 10.1.1.1 with a subnet mask 255.0.0.0 we
notice that 10 is the network part ( because its linked with 255 from the subnet mask )
and 1.1.1 is the host part ( because its linked with 0 from the subnet mask )
IP protocol Operates at layer 3 of the OSI model
IPv4 address is a 4 octet address ( 4 byte address as 1 octet equals 1 byte or 32 bit
address , example : 10.10.10.10)
Working with binary :
Example: we want to convert 210 in decimal to binary
27 26 25 24 23 22 21 20
128 64 32 16 8 4 2 1
binary 1 1 0 1 0 0 1 0
Example: we want to convert 00110110 in binary to decimal

27 26 25 24 23 22 21 20
128 64 32 16 8 4 2 1
Binary 0 0 1 1 0 1 1 0
After adding the numbers that is linked with 1 in binary we will have the number:
32+16+4+2=54 in decimal
19. advanced TCP/IP: IP sub netting part 1 (55:06 mins)

Every interface on the router represents a network
Sub netting stands for breaking our main network to multiple networks
• Steps for sub netting :
1. Determine the number of networks and convert it to binary
2. Reserve bits in your subnet mask and find your increment
3. Use increment to find your network ranges
Example: if we have the IP address 216.21.5.0 with a subnet mask 255.255.255.0 and we want 5
networks to implement with that given IP address
1. 5 networks , 5 = 00000101 , 3 bits reserved to implement the number 5 or we can just do the
following : 23-2=6 , 3 bits covers 6 networks and what we want is 5
To know the number of subnets, it equals 2x where x is the number of bits; according to this
example we have 3 bits so there are 8 subnets
2. The result from point 1 is we want 3 bits
We use 255.255.255.0 subnet mask as the IP address 216.21.5.0 is a class C address , if it was
class A address we will use 255.0.0.0 ( /8) and if its class B address we will use 255.255.0.0
(/16)
255.255.255.0 = 11111111.11111111.11111111.00000000 those are the 3 bits found in point 1

A CCNA Journey 29
11111111.11111111.11111111.11100000 so the subnet mask to use is

255.255.255.224, after that we subtract 256-224=32 to know the increment
According to the above subnet mask if we want to know the number of hosts in each subnet =
2x-2 where x= number of zeros, in the example above 25-2=30 host per subnet
3. From point 2 we knew the increment = 32 so we start incrementing based on that
Network ID Broadcast ID Usable hosts

210.21.5.0 210.21.5.31 1-30
210.21.5.32 210.21.5.63 33-62
210.21.5.64 210.21.5.95 65-94
210.21.5.96 210.21.5.107 97-106
210.21.5.108 210.21.5.139 109-138
210.21.5.140 210.21.5.171 141-170
210.21.5.172 210.21.5.223 173-222
210.21.5.224 210.21.5.255 225-254
Bit notation : example of bit notation = 255.255.255.0 - /24 ( 24 1 bits )
The subnet 255.255.255.252 gives 2 usable networks and that is usually useful for point to
point wan links
20. advanced TCP/IP: IP sub netting part 2 (22:29 mins)

NOTE: this section will explain sub netting based on the number of hosts
Example: if you have the IP address 216.21.5.0 and you want to use that ip address for 5
networks and 30 hosts per network
1. To have 30 hosts : 25-2 = 30 , that results to have 5 bits to cover the situation
2. 255.255.255.0 = 11111111.11111111.11111111.00000000 those are the 5 bits found in point 1
11111111.11111111.11111111.11100000 so the subnet mask to use is
255.255.255.224 as we care for the SUBNET BITS! , after that we subtract 256-224=32 to know
the increment
The number of subnets = 23 = 8
The number of hosts per subnet = 25-2=30 hosts per subnet
3.
Network ID Broadcast ID Usable hosts
210.21.5.0 210.21.5.31 1-30
210.21.5.32 210.21.5.63 33-62
210.21.5.64 210.21.5.95 65-94
210.21.5.96 210.21.5.107 97-106
210.21.5.108 210.21.5.139 109-138
210.21.5.140 210.21.5.171 141-170
210.21.5.172 210.21.5.223 173-222
210.21.5.224 210.21.5.255 225-254
21. advanced TCP/IP: IP subnetting part 3 (19:53 mins)

A CCNA Journey 30
NOTE: this section will explain sub netting based on reverse engineering method ( we are
given the IP and the subnet mask and we need to know the network range for that specific IP )
Example: if you have the IP address 192.168.1.127 and the subnet mask 255.255.255.224 what
will the network range be that includes this given IP ADDRESS?
256-224 = 32 increment so we start doing the increment process until we find the following
range:
192.168.1.96-192.168.1.127, finally we discover that the ip 192.168.1.127 isn’t a valid host ip
instead it’s a broadcast IP!!
22. Routing: initial router configuration (31: 07 mins)

There is a USB port on the router that is used usually to connect a USB drive to hold the
encryption keys or to use it as a flash for the router
A WIC card is a wan internet card
2801 router model have different cards installed on it , it contains 2 fast Ethernet ports ( one is
used for example to connect to internet and the other is used to connect to the internal
network , it also contains a T1 interface that is used to connect T1 lines and finally it has
switch ports ) , because those available cards on this model we can use this router as a router
and switch in the same time
• Router boot process ( what happens when you boot up the router ) :
1. It shows the total memory of the router and the model of the router
2. It shows the name of the IOS image found in the flash of the router
3. It shows how many interfaces are available on the router
4. It shows the size of the flash and NVRAM available on the router
All the commands we applied on the switch in PREVIOUS sections are the same that are
applied to the routers except for configuring the IP address and the default gateway
Router (config) # interface fastethernet 4
Router (config-if) # description DESCRIPTION this command is used to configure
The description for the port
Router (config-if) # ip address 68.110.171.98 255.255.255.224 this command is used to assign a
Static ip to this specific interface, in
Case we want to assign a dynamic
Ip address to this specific interface
Then we use the command
Router (config-if) # ip address DHCP
Router (config-if) # no shutdown

A CCNA Journey 31
23.
Routing: SDM and DHCP server configuration, part 1 (32: 06 mins)

• SDM :
1. SDM means Security device manager
2. SDM is a Graphical user interface (GUI ) that you can use to configure and manage
your router
3. SDM is a web based tool that uses java
4. SDM works on all main line routers ( all models ) like 2800 , 800 and 2600 router
models
5. SDM is designed to allow IOS conconfiguration
figuration without extensive knowledge about that
• Steps for configuring your router to support SDM :
1. Generate encryption keys ( used in SSH and https ) , to generate those keys we need
to configure a domain name
2. Turn on the http/https servers for your ro router
3. Create a privilege level 15 user account
4. Configure your VTY and http access ports for privilege level 15 and to use the local
user database
5. Install java on your PC and access the router using one of the following ways :
a) Using a web browser if SDM is installed on the router only , new routers come by
default with SDM installed on it
b) Using the SDM java program if the SDM is installed on the PC ,the advantage of
using this method is its faster
As you notice we can install the SDM on the flash of the router or on the PC or on both of
them , depending on the way we install the SDM we can use the above methods to access the
router and configure it
• Configuring your router to support SDM ( based on the points above ) :
1. Router ( config)# ip domain
domain-name DOMAIN NAME this command is used to configure a

A CCNA Journey 32
Domain name as the keys for SSH and https

can’t be generated without a domain name
Router (config) # crypto key generate rsa ? This command will request from us the size
Of the Key to generate, the best to choose
Is 1024 (the default is 512)
?= a) general-keys keyword, if you generate general-purpose keys, only one pair of RSA keys
will be generated. This pair will be used with IKE policies specifying either RSA signatures or
RSA-encrypted nonces. Therefore, a general-purpose key pair might be used more frequently
than a special-usage key pair. ( if I don’t type it , this will be applied by default )
b) usage-keys keyword, if you generate special-usage keys, two pairs of RSA keys will be
generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies
RSA signatures as the authentication method, and the other pair used with any IKE policy that
specifies RSA-encrypted nonce’s as the authentication method.
NOTE : if we change the domain name after creating the crypto keys then we need to
regenerate those keys to adopt with the new domain name
2. Router ( config ) # ip http server this command is used to turn on the
Http server (port 80)
Router (config) # ip http secure-server this command is used to turn on https
Server (port 443)
3. Router (config) # username USERNAME privilege 15 ? this command is used to create a user
Name that have a privilege level 15 (
This privilege level is the highest and
Its called enable mode level as well)
?= a) password PASSWORD keyword is used to specify a password that will use level 0
(unencrypted password and this level is the default) (it’s the same like the router (config) #
enable password PASSWORD command)
b) Password 7 PASSWORD keyword is used to specify a password that will be encrypted if

we run the router# sh run command but this password can be breakable
c) Secret PASSWORD keyword is used to specify a password that is encrypted and stronger
from using password keyword (it is the same like the router (config) # enable secret
PASSWORD command
If I use the username and password declared in this point it will enter me directly to privilege
mode (passing enable mode) because the privilege level I’m using is 15
4. router(config)# ip http authentication local this command is used to secure http access ports
(Http server) and to use the local user
Database

A CCNA Journey 33
The local keyword means that once we enter a user name and password in the browser to
access SDM the router checks that user name and password with its local DB ( what has been
configured in point 3 is called the local DB )
We can use the command router(config)# ip http authentication enable instead of the
command router(config)# ip http authentication local if we want the router to check the
username and password and compare it with the enable passwords ( what has been entered
enter
using the Router (config) # enable password PASSWORD or Router (config) # enable secret
PASSWORD commands instead of checking the local DB ( what has been entered using Router
( config ) # username USERNAME privilege 15 password PASSWORD command )
Router (config) # line vty 0 4

Router (config-line) # login local this command is used to secure the VTY ports and to
Use the local user database
The local keyword means that once we enter a user name and password in the telnet session
to access the router , that router will check the user name and password with its local DB (
what has been configured in point 3 is called the local DB ) instead of using the password that
is configured usually using the router (config-line)# password PASSWORD command
Router (config-line) # transport input all this command both telnet and SSH on the
Router and its equivalent to the command
Switch (config) #transport
transport input telnet Ssh
5. Open SDM by browser ( if the SDM is installed on the router ) or from the SDM program itself
if its installed on the local PC
24. Routing: SDM and DHCP server configuration, part 2 (20: 02 mins)
• Dynamic host configuration
onfiguration protocol ( DHCP ):
1. DHCP allows you to give devices IP addresses without manual configuration
2. DHCP IP address is Typically given for a specific time
3. Can be manually allocated for key network devices ( we can reserve an IP address based on
the MAC address device )
4. DHCP servers can be server based or router based , server based advantage is that it would be
easier to use using the GUI , router based
advantage is that it would be more stable
• DHCP process :
1. DHCP discover message ( Broadcast
message )
2. DHCP offer message ( unicast
message )
3. DHCP request message ( unicast
message )
4. DHCP ACK ( unicast message )

A CCNA Journey 34
• To configure DHCP using SDM , this could be done from additional tools tab :
Domain name : if we choose this option for DHCP then once you double check the
name of any client in the network who has been assigned with this DHCP option you
will notice that the name of the client has been added beside it this domain name
Tick mark ( ) import all the DHCP options into the DHCP server database , in case the
router has been assigned a dynamically IP address from the ISP , using this option it
can pull other DHCP options provided from the same ISP , once the router receives
those options it starts assigning it dynamically to the clients who requests an ip
address from this router
In SDM if you press on the DHCP pool status tab you will notice the leased IP addresses
To configure the DHCP using command line :
Router (config) # ip DHCP pool POOLNAME this command is used to configure the
DHCP pool name
Router (config) #network 192.168.1.0 255.255.255.0 this command is used to configure the IP
Addresses that will be available in this
DHCP pool (those IP addresses will be
Leased to clients)
Router (config) # domain-name DOMAINNAME this command is used to configure the
Domain name that would be offered by
The DHCP router to the clients when
They assign an IP address from this
Router
Router (config) # default-router 192.168.1.1 this command is used to configure the

Default gateway that would be offered
By the DHCP router to the clients when
They assign an IP address from this
Router
Router (config) # import all this command is the same of Tick mark
) import all the DHCP options into the

(
DHCP server database
Router (config) # lease 3 this command is used if we want to
Lease the IP addresses for 3 days
Router (config) # ip DHCP excluded-address 192.168.1.1 192.168.1.19

Router (config) # ip DHCP excluded-address 192.168.1.101 192.168.1.254

A CCNA Journey 35
The two above commands Excludes those IP address Ranges from our pool so the available ip
addresses Left that will be leased for Clients is 192.168.1.20-192.168.1.100
Router# show ip DHCP binding this command shows all the IP addresses leased to the
Clients using DHCP and the MAC addresses for the
Clients that are using the leased ip addresses
25. Routing: implementing static routing (37: 32 mins)

The purpose of the routers is to stop broadcast and allow traffic to move from oneo network to
another
Router# show ip route command allow us to know what networks can be reachable by the
router ( it shows us the list of networks a router can reach )
Example:
Router# show ip route
Gateway of last resort this sentence shows us the details of the default route
To configure static routes :
R1 (config) # Ip route 192.168.3.0 255.255.255.0 192.168.2.2
the above command is to configure a static route , the general command syntax is :
R1(config)# ip route destination_network
stination_network next_hop_address the next hop address could be
an ip address of the next router , in our example it would be 192.168.2.2 or we can use the
local interface , according
ing to our example it will be S1
Default route : any route the router can’t reach it ( it’s not found in the routing table ) will
start using the default route to reach the unreachable networks
To configure default route :
R1 (config) # ip route 0.0.0.0 0.0.0.0 S1 this command is used to configure default route
On R1, we can use instead of S1 keyword
68.110.171.97
Router(config)# ip name-server
server 4.2.2.2 this command is used to configure a DNS server for
The router so that if we want to resolve the ip
Address of www.google.com this DNS server

A CCNA Journey 36
4.2.2.2 Will do the task
26. Routing: implementing dynamic routing with RIP (40: 46 mins)

Routing protocols : routing protocols tells other routers on the network what stuff I know , it
allows routers to build paths automatically by saving those paths and the next hop addresses
to reach those routers in routing tables
• Types of routing protocols ls :
1. Distance vector routing protocols:
Distance vector routing protocols is easy to configure
It doesn’t contain a lot of features ( its slow in detecting problems on the
network )
some distance vector routing protocols examples are RIP and IGRP
2. links state
tate routing protocols :

A CCNA Journey 37
link state routing protocols are difficult to configure ( more knowledge is

required )
link state routing protocol is rich of features
some link state routing protocols examples are OSPF and IS IS-IS ( it’s an OSI
protocol )
3. hybrid routing protocols :
hybrid routing protocols combines the best of link state routing protocol and
distance vector routing protocol
it’s a Cisco proprietary routing protocol ( it only works with Cisco devices )
some hybrid routing protocols examples are EEIGRP IGRP ( enhanced entries gateway
routing protocol )
• RIP ( routing information protocol ) : RIP comes in 2 versions
1. RIPv1 :
Classfull version , it doesn’t support VLSM (variable length subnet mask and it
means changing your subnet mask wherever and whene whenever
ver you want ) , it only
advertise networks but without their subnet masks
Example:
No authentication : the RIP authentication in general means to request a

password to add a route to the routing table or to request a password for joining
the RIP routing network , RIPv1 doesn’t support authentication and that is a
problem as I can just connect a rouge RIP ro
router
uter to poison the routing table with
fake routes that results making the network goes down
RIPv1 uses broadcast , it sends packets every 30 seconds to check the entries
found in the routing table that they are still valid or not
2. RIPv2 :
Classless version , it supports VLSM ( it advertises the routes with their subnet
masks )
RIPv2 supports authentication

A CCNA Journey 38
RIPv2 uses multicast , only RIP routers receive the hello packets , in RIPv1 the
technique used was broadcasting those hello packets for all the devices in the
network
Steps to configure RIP :
1. Turn on RIP using its global configuration command
2. Change the version of RIP used
3. Enter the network statements , those statements are used to :
a) Tells RIP what networks to advertise
b) Tells RIP what interfaces to send advertisements on
To configure RIP :
Router (config) #router rip this command is used to turn on RIP routing
Protocol
Router (config-router) # version 2 this command is used to change version of RIP
To version 2, the default version is version 1
Router (config-router) # network 192.168.1.0 this command is used to advertise the directly
connected networks , in general the syntax of
the network we type must be Classfull , in case
we didn’t type a Classfull network address the
IOS will change that command automatically
to be Classfull
Router (config-router) # no auto-summary this command is used to disable RIP from auto
Summarizing the network addresses to Classfull
addresses, in router# show ip route command
it will start showing details about the subnets
Example:
Router# show run | include ip route command is used to only show the commands that
include the word ip route in it
Router# debug ip rip command is used to show details of the RIP process
Router# show ip protocols command is used to show what routing protocols are running on
the router plus showing details on it

A CCNA Journey 39
27. Routing: internet access with NAT and PAT (24 (24: 41 mins)
Router# u all command is used to disable all debugging commands on the router
NAT ( network address translation ) allows multiple devices to share an internet IP address
addres ( a
public address )
PAT( port address translation
nslation ) is a form of NAT and it’s called NAT overload
Static Nat is usually used with web servers
To configure NAT using SDM there is a tab for NAT that contain 2 options :
1. Basic NAT : it’s the same PAT ( NA
NAT overload )
2. Advanced NAT or static NAT
How PAT works :
Steps to configure PAT : note that this is a example without explanation as this section is only
an introduction for NAT and PAT
Router (config) # access-list
list 1 permit 192.168.1.0 0.0.0.255
Router (config) #interface
interface VLAN1
Router (config-if) # ip Nat inside
Router (config-if) # exit
Router (config) # interface fastethernet 0/4
Router (config-if) #ip Nat outside
Router (config-if) # exit
Router (config) # ip Nat inside source list 1 interface fast Ethernet 0/4 overload
In the last command the overload keyword means that I can allow more than a client (the IP
range that is declared in access list 1) to use the public IP address we have
Router# show ip Nat transl
translations command is used to show all the Nat translations that is held
by the router , it also shows the following :
1. Inside local address : this represents my PC
2. Inside global address : this represents the local public
IP address configured on our local router
uter

A CCNA Journey 40
3. Outside global : this represents the remote public IP

address configured on remote router
4. Outside local : this represents the remote PC
28. Routing: WAN connectivity (27(27: 38 mins)

Wan connections is used to connect you to the internet like frame rel relay
ay , ATM , PPP and HDLC
Lan connections is used to connect you local like Ethernet technology
Wan links define a new type of layer 1 and layer 2 connectivity :
Wan links allows links to the internet or other offices
Data link layer ISDN , metro Etherne
Ethernett , MPLS , T1,E1, dial up modems , frame relay , ATM ,
PPP and HDLC ( in lan there was Mac addresses )
Physical layer serial physical connections ( in lan connections it was Ethernet cables like
CAT5E and RJ45 connections )
Frame relay connects using DLCI , DLCI is like MAC addresses in LAN
ATM connects using VPI/VCI pair, VPI/VCI pair is like MAC addresses in LAN
Leased line protocols are HDLC and PPP ( the y are the only protocols that work on point
to point connections like leased lines )
• Styles of WAN connections ( data link layer
connections ):
1. Leased lines connections :
It’s a dedicated bandwidth
line ( bandwidth is only
assigned for me and it’s not
shared )
It’s very expensive
Examples on leased lines : T1
CAS ( 1.544Mbps) and E1 CAS
The problem is if you have a
high bandwidth speed link , if you don’t use all of it the rest will remain
unused without having any benefit from it
2. Circuit switched connections :

It’s an on demand bandwidth used between different locations ( we use the
dial up technology to get it when we need it )
The advantage of this technology is it’s the very cheap
The disadvantage of this technology is it’s slow bandwi
bandwidth
dth and the time we
spend to install this technology
Examples on circuit switched connections : dialup modems and ISDN
3. Packet switched connections :

A CCNA Journey 41
It’s a shared bandwidth

technology but a
guaranteed bandwidth
between locations ( if you
pay for this sservice you
guarantee a specific
bandwidth but maybe you
gain more ( this is called
bursting ) but no less
The advantage of this
technology is that you can
connect a serial cable to the
internet cloud and from that
cloud we can connect to
multiple offices using only one packet switched connection ( that is done using
that is done using virtual circuits )
Examples on packet switched connections : ATM , frame relay , X.25 ( old
technology ) and MPLS
The 1st technology was x.25 then it became frame relay th
then
en ATM and now
MPLS
• The physical connections for WAN ( physical layer connections ):

A CCNA Journey 42
• configuring leased line connections :

1. Leased line can be configured using HDLC ( high level data link control )
This is a layer 2 WAN protocol ( if you want to compare it to layer 2 LAN
protocol it will be Ethernet technology )
This is a Cisco proprietary protocol ( it only works with Cisco routers )
the default protocol that is used
It’s simple to configure and use
Extremely low overhead
No features
2. Leased line can be also configured using PPP ( point to point protocol )
This protocol is alternative to HDLC
Industry standard ( This protocol works with all the routers and it’s not
proprietary to Cisco only )

A CCNA Journey 43
Moderate overhead
Feature- riffic , it supports four major features :
1. Authentication : you add a user name and password on the wan link , it
must match on both sides
2. Compression : it helps to use less bandwidth but it will use more
processing on routers
3. Call back feature , this primarily used on modems , when you dial in to the
modem and authenticate ( type your username and password ) , the
router immediately hangs up on you and dials you back to a predefined
number ( this is used for security or if we want the call distances bill to be
charged on the other side not on us )
4. Multilink : it’s a system you employ that allows you to combine the
bandwidth of multiple wan connections into one , say as an example we
have 3 T1 links , the multilink feature combines that bandwidth together
so the result is we have 4.5Mbps and it loads balance the traffic over those
3 links !
The encapsulation ( HDLC/PPP ) must be matched at both ends of the link , if it’s not the
same then the link won’t work and it will show protocol status down in the results of the
command Router# show ip interface brief
Router # show run interface serial 0/0 command is used to show the configuration of
serial 0/0 from the router # show run command only
If the encapsulation used was HDLC ( the default encapsulation used on Cisco devices ) it
won’t appear using the router # show run command
Router# show interfaces serial 0/0 command is used to show all the details about a
specific interface ( in this example showing the details of serial 0/0 ) , this command is
used to check the current encapsulation used on this serial in case we have a leased line (
it shows the HDLC and PPP information and if those protocols are working or not )
Example: this example shows that PPP is working fine
Router# show interfaces serial 0/0
Encapsulation PPP, LCP open
Open IPCP, CDPCP LCP is the link control protocol and its responsible to
negotiate the PPP features , it will show us LCP closed
if there is a problem to negotiate with compression ,
authentication , multilink or call back feature , IPCP (ip
control protocol ) and CDPCP ( Cisco discovery protocol
control protocol ) are control protocols; IPCP lets the IP
protocol (TCP/IP ) to work on the WAN link ( PPP link )
,CDPCP allows CDP to work over a WAN link
Router# show controllers serial 0/0 command is used to know the cable type connected to
this specific interface ( it will show that the type of the cable is DTE or DCE ) ( DCE is
always connected to the ISP side and DTE is connected on our side )

A CCNA Journey 44
Router# show ip interface brief command is used mostly to show the protocol status , if
the protocol is showing down status then properly the problem is a mismatch
encapsulation ( another command to check the function of HDLC or PPP )
• How to configure PPP :
Router (config) interface serial 0/0
Router (config-if) # encapsulation PPP this command is used to configure the encapsulation
On this interface that is used to configure leased line
On it
Router (config-if) # clock 56000 this command is used to specify the speed of the
connection, this is configured if and only if this
specific interface is a DCE ( data clock equipment , is
a type of connector that needs clock configuration to
work properly – it determines how fast the WAN
connection goes - , this value is usually configured
from the ISP side but if we are in a lab environment
we need to configure it as if it’s not configured the
link won’t work ) , 56000 is measured in bits per
second so the value here is 56 kilo bit per second
29. Management and security: telnet, SSH and CDP (28: 48 mins)
Router# telnet 192.168.2.2 command is used to telnet to another router form our router
• Managing telnet/SSH :
1. Press < CTRL , SHIFT , 6 > then X : this suspends the telnet/SSH session , to resume that
session we just type the command router# resume 1 ( number 1 represents the
session number ) from our router or we press the button ENTER in privilege mode , the
later command will resume the recent session opened
2. Router# show sessions command is used to show the open sessions from your router (
when you run this command you will notice an asterisk * that shows the recent open
session )
3. Router# show users command is used to show the open sessions to your router ( when
you run this command you will notice a column called location , this column will show
you which users –routers – are connected to your router , usually when you run this
command it takes some time until the IP addresses found under the locations column
is resolved to its names , to get around this issue we just run the command
router(config)# no ip domain-lookup to disable the domain lookup feature and stop
the resolving issue , in this case it runs faster than before )
4. Router# disconnect command is used to kill one of your open telnet sessions ( at 1st I
run the command Router# show sessions to know which session Is opened from my
router and I want to kill then I run this command )

A CCNA Journey 45
5. Router# clear line X command where X represents the number of session opened to
my router ( at 1st I run the command Router# show users to know which session is
opened to my router and I want to kill then I run this command )
6. Router# exit command is used to kill a telnet session , in case I want to telnet again to
that same device I need to run the command Router# telnet IPADDRESS again
7. Router # show lines command is used to show all the lines ( telnet connection ports )
on your router and the status of each one
• CDP ( Cisco discovery protocol ) :
1. CDP allows you to discover directly connected Cisco devices
2. It’s a Cisco proprietary protocol
3. CDP is useful for building accurate network diagrams because using CDP we can know
the IP address , IOS version and the router platform of Cisco neighbor devices
4. CDP is a broadcast packet that is sent every 60 seconds
• Some useful CDP commands :
1. Router# show cdp neighbors command is used to discover basic information for
directly connected Cisco devices , some of the basic information that is discovered
(This command is used to know the local and remote interfaces)
When we run this command:
a) The local interface : this is the interface on our router that is connected to the
other directly Cisco device , this same information can be known if we run the
command router# show ip interface brief
b) The port ID : this is the remote interface of the connected Cisco device
2. Router# show cdp entry * command is used to show all the remote connected devices
on our router , if I run the command router# show cdp entry NAMEOFROUTER it will
show me the remote IP address for a specific Cisco device
3. Router# show cdp neighbors detail command is the same function of router# show
cdp entry command ( this command is used to know remote IP addresses )
4. Router ( config-if)# no cdp enable command is used to disable CDP on a specific
interface ( if we run this command then the directly connected Cisco device to this
interface won’t be discovered )
5. Router(config)# no cdp run command is used to disable CDP on all the interfaces found
on the router
We usually use telnet commands , CDP commands and router# show ip interface brief
command to know all the IP addresses and interfaces found in a network
30. Management and security: file management (20: 11 mins)

TFTP ( trivial file transfer protocol ) server uses UDP port 69 and its main function to copy
from/to the router to do a backup or restore for the IOS found on the router to this TFTP
server
RAM equals running config and NVRAM equals startup config

A CCNA Journey 46
Router# show flash command is used to see all the files in the flash like the name of the
IOS file ( this is what Router# show version do as well )
Router# show running-config command is used to check what the RAM contains
Router# show startup-config command is used to check what the NVRAM contains
Router# show version command is used to check the value of the RAM and NVRAM and to
know the name of the IOS file as well
Example:
Router# show version
238592K/23552K those two values combined together is the NVRAM
• Memory components :
1. RAM : RAM represents the running config file the benefit of the RAM that its very fast in
read/write but the disadvantage of RAM is it loses data when the router is shutdown or
restarted because that we usually copy the configuration file from RAM to NVRAM before
restart using the command router# copy running-config startup-config
Example of using the RAM is for packet buffers
2. NVRAM : this is considered small in size and it represents the startup config file
3. Flash : this component is used to store the IOS , in general once you start the router it
starts decompressing the IOS from the flash to the RAM
• Some useful commands :
1. Router# copy running-config startup-config command is used to copy the configuration file
from RAM to NVRAM ( router# wr command do the same function as well )
2. Router# copy running-config TFTP command is used to copy the configuration file from RAM
to TFTP server
3. Router# copy flash TFTP command is used to copy the configuration file from flash to TFTP
server ( to backup the IOS on a TFTP server ) ( this command can be typed like this as well :
router# copy flash : NAMEOFIOS.bin TFTP://IPOFTFTPSERVER/NAMEOFIOS.bin )
4. Router# copy TFTP run command is used to copy the configuration file from TFTP server to the
RAM ( NOTE that if you run this command and we had already a running config file it won’t
overwrite the current file instead it will merge both configuration files to appear as one file , it
will overwrite entries in the current configuration file if there is a conflict only )
5. Router# copy tftp startup-config command is used to copy the configuration file from TFTP
server to NVRAM ( not like router# copy TFTP run it won’t merge with the current
configuration file instead it will replace it totally )
6. Router # reload command is used to restart the router and reload the configuration file from
NVRAM
• If want to restore our configuration we do the following :
1. Router# copy TFTP startup-config
2. Router# reload
Note that we didn’t run the command router# copy startup-config running-config because it will do
the merge (anything copied to running-config will be merged) plus once we reboot the router all the
running config found in RAM will be erased (flushed)

A CCNA Journey 47
• If you want to upgrade your IOS you do the following :

1. We put the new IOS and place it on a TFTP server
2. we boot the router from the TFTP server using the command router# boot system
TFTP : //IPOFTFTPSERVER/NAMEOFIOS.bin , to check that the new IOS is working fine
3. if we find that the new IOS is corrupted then we just boot normally from flash with
using the current IOS
4. if we find that the new IOS is working fine from TFTP then we copy that new IOS to
the flash using the command router# copy TFTP flash
Cisco ccna interconnecting Cisco networking devices part 2
1. review : rebuilding the small office network part 1 ( 33:54 mins )

• to delete all the configuration on the router :
There are two ways to do that:
1) router# erase startup-config this command is used to delete all the
Configuration file found in NVRAM
Router# reload this command is used to reboot the router,
When the prompt asks to save the
configuration or not we choose NO
2) router# write erase this command has the same function of
Router# erase startup-config
Router# reload
auxiliary ports are found only on routers and they are used to connect modems on it
• to build a small office at 1st we care about configuring the switches ( LAN tasks ) :
1) beginning : wipe out configurations :
This is done using switch# erase startup-config and switch# write erase commands
2) security : passwords and banners
a) this is done by configuring passwords for privilege mode using switch (config) # enable
password PASSWORD and switch (config) # enable secret PASSWORD commands
b) this is done by configuring passwords for telnet ports , auxiliary ports and con ports
c) this is done by configuring banners on the switches using the command Switch ( config ) #
banner motd “ here I type anything I want it to appear “
d) use the command switch (config)# service password-encryption to encrypt all the clear
text passwords
3) cosmetics : name , work environment
a) configure names for the switches using the command switch(config)# hostname
HOSTNAME
b) configure work environment :

A CCNA Journey 48
use the command switch(config-line)# no exec-timeout or switch(config-line)#

exec-timeout 0 0 so that the connection sessions last forever without been kicking
out
use the command switch(config-line)# logging synchronous to make the
Log/status messages appear on the Screen in separate lines instead of Interrupting
the commands we type
use the command switch(config)# no ip domain-lookup to stop the feature of
translating names to IP addresses that results fasting the issues
4) management : IP address and gateway
all switch ports in general are assigned to VLAN1
to configure an ip address and DG for the switch :
Switch (config) # interface VLAN 1
Switch (config-if) # ip address 172.30.2.180 255.255.255.0
Switch (config - if) # no shutdown
Switch (config) # ip default-gateway 172.30.2.1
We assign the ip address for interface VLAN1 and we enable that interface as its
administratively down by default
5) Interfaces : speed , duplex and description :
We configure the speed of the port by using the command Switch (config-if)
#speed 10
We configure the duplex for the port using the command Switch (config-if) #
duplex full or Switch (config-if) # duplex half
We use the command switch (config-if)#description DESCRIPTION to configure a
description for the switch port
6) Verify and backup : CDP, TFTP , show interfaces
a) For CDP we use the command :
switch# show cdp neighbors command to know the local and remote interfaces
switch# show cdp neighbors details command to know the remote IP addresses
b) for TFTP we use the command :
switch# copy flash TFTP command to back up the IOS to a TFTP server
Router# copy run TFTP command to backup the configuration file to a TFTP server
( we can also copy the running configuration by copying and paste it starting from
the ! mark to a notepad and in case we want to restore that configuration back
then we just copy all that configuration starting from ! mark and paste it in the
global configuration mode )
c) Switch# show interfaces command is used to show each interface in details

• router tasks :
1) beginning : wipe out config

A CCNA Journey 49
2) security : passwords and banners ( for routers there is an additional configuration for
auxiliary ports , in case the console port can’t be used to login to the router we can use
this aux port to do the task )
3) cosmetics : names , work environment
4) interfaces : identify IP address , speed , duplex and description
5) routing : default routes ( used for external routing-internet- ) , RIP ( used for internal
routing)
6) verify and backup : CDP , TFTP , show ip router , show interfaces
most of the points mentioned above are discussed before and they are similar to switches
tasks


• to access internet we need a default route on the router plus NAT
on internet routers we use a default route to reach routes beyond ISP ( to reach
internet )
on internet routers we configure NAT to let all internal routers reach and surf the
internet
• some useful commands :
1) router(config)# interface fastethernet 0/0
Router (config-if) # no keepalive this command is used to disable this specific
interface from sending keepalive messages
that is used mainly to know what is connected
on that interface , if the keepalive messages
are disabled and we ran the command router#
show ip interface brief the status of this port
will be UP/UP regardless if there is a cable
connected or not ! (Be aware from using this
command)
2) router# show ip protocols this command is used to show what routing

A CCNA Journey 50
protocols are configured on this router ( as an

example if we run this router that was
configured for RIP it will show under the
sentence routing information sources all the
routers in the network that is configured for
RIP and has been learnt by this router )
3) router# traceroute 192.168.3.1 this command is used to track the path to a
Specific ip address
Example:
Router# traceroute 192.168.3.1
1 192.168.1.2 0msec 0msec 4msec
2 192.168.2.2 0msec * 4msec notice the *, this is a normal issue (the IOS
always drops the second ping on the final hop)
4) router(config)# router RIP
Router (config-router) # redistribute static this command is used to advertise static
routes in RIP ( the router who have any static
or static default route will advertise it using
RIP protocol to other routers , the other
routers who receive that advertise will have a
new route learnt by RIP with a symbol R* -
that means static routes advertised by RIP - ) ,
the main function of this command is to
configure a static default route on one router
then advertising it to other routers using the
RIP protocol instead of visiting each router and
configuring that static default route manually !
4. Switch VLANS : understanding VLANS ( 16:09 mins )

• VLANS ( virtual LANS ) :
VLANS are logically groups of users
VLANS segments broadcast domains , only the broadcast packet is sent in the same
VLAN
VLAN support access control
VLAN helps in quality of service ( prioritize traffic is placed in a separate VLAN )
Trunk ports : those ports help to span VLAN among multiple switches , it carries VLAN
information ( VLAN traffic ) between switches , trunk ports are assigned to ALL the
VLANS ( in other words it carries ALL the different VLANS traffic )
Number of VLANS = number of broadcast domains =number of subnets
VLAN is a subnet correlation (each VLAN has a separate subnet, so to let the VLANS
talk together they must have a route between them)
• Normal switching functions :

A CCNA Journey 51
One broadcast domain ( broadcasts sent to all ports )

One subnet per LAN
Number of collision domains = number of ports on the switch
Very limited access control, switches are very difficult to restrict traffic, the only way
to restrict the traffic in switches is to use access lists and that is a headache! , to work
around this issue we use VLANS
• Flexibility of VLANS :
Segmentation of users without routers
No longer limited to physical locations ( the user can be located anywhere , we just
plug that user port to the assigned VLAN )
Tighter control of broadcasts
5. Switch VLANS : understanding trunks and VTP( 39:07 mins )

• What is trunking ( tagging ) :
1. Trunking passes multi VLAN information between switches
2. Places vlan information Into each frame
3. Layer 2 feature
4. Trunk links are also called tag links because its responsible of tagging VLAN traffic
while it passes the link
Before the packet is sent on trunk ports its tagged and once it arrives the destination the
packet will be untagged and arrives as normal data
NOTE : anything below in this section written as VTP will be meant about the method of Cisco
to manage the VLANS because they also call the vlan trunking protocols ( ISL , 802.1Q ) as VTP
as well so if you notice any term VTP we meant the messaging protocol that manages the
addition ,deletion and renaming of VLANS , and if you notice any term called VLAN trunking
protocol ( tagging protocols or trunking protocols ) we mean ISL and 802.1q
• VTP (we will call this VRP , the details are mentioned below ) :
1. Is a Cisco proprietary Layer 2 messaging protocol that manages the addition, deletion,
and renaming of VLANs on a network-wide basis.
2. The only vlan trunking protocol ( tagging protocol ) is 802.1Q
Before there was:
802.1Q : it’s a industry standard and this is currently used , this tagging
protocol allows switches that have different VLANS to communicate together

A CCNA Journey 52
ISL ( inter switch link ) : it’s a Cisco proprietary trunking protocol and it has
been discontinued
3. VTPTP must be named VRP ( vlan replication protocol ) to stop confusing VTP with
802.1Q ( read the above notes for more details )
4. VTP replicates VLANS , once you add a new VLAN on a switch , its replicated using VTP
to other switches , VTP only replicates aadded
dded and deleted VLANS , we still need to
assign ports to each created VLAN manually
5. VTP works on trunk links
with VTP once you create a VLAN on any switch the VTP database counter increases
increase by 1 , (
the VTP database that have the highest counter number replicates to the rest of the switches
because it assumes that it contains the latest updated information )
if we bring an old switch that contains some existing configuration for VLANS and plugged it to
our network,, if that old switch contains a higher counter number than the other switches it
will replicate its configuration to our switches and ruin the network , if we tried to restore the
configuration on our switches it won’t solve the problem because it will still contain a lower
counter number than an the counter number of the old switch so the old switch will replicate
again,, to work around this issue we configure our switches with VLAN configurations
manually to update the database
atabase counter and make it the highest
to protect the replication process we configure VTP domain names , in this case only the
switches that have the same VTP domain names will do a replication among each other using
VTP
• Native VLANS :
1. The default Native VLAN is VLAN 1

A CCNA Journey 53
2. Native VLANs must match on all switches to funct

function in a proper way
3. Native VLAN is designed in general for packets received on trunks that haven’t been
tagged
Example 1:

A CCNA Journey 54
Example 2:
VTP modes :
1. Server mode ( default mode ) :
Power to change VLAN information ( adding, deleting and changing )
Sends and receives VTP updates
Saves VLAN configuration
2. Client mode :
Can’t change VLAN information
Sends and receives VTP updates
Doesn’t save VLAN configuration
3. Transparent mode :
Power to change VLAN information
Forwards ( passes through ) VTP updates
Doesn’t listen to VTP advertisements
Save VLAN information
Note that if we configured all the switches in the network in transparent mode
this is like disabling VTP in our network

A CCNA Journey 55
In general we configure one VTP server and the rest as VTP clients ( in this case we do the
changes on the VTP server only and then the changes are replicated to the VTP clients ) , if we
configured a switch as transparent mode it will have its own database (VLAN information
)that don’t replicate with others , it receives from VTP servers but don’t change it on its own
database, it only passes those updates to the connected devices on the transparent switch
• VLAN pruning :
It keeps unnecessary broadcast traffic from crossing trunk links
This technique only works on VTP servers
Switch(config)# VTP pruning command is used only on VTP servers to turn on VTP pruning
Example:
6. Switch VLANS: configuring VLANS and VTP part 11(35:58 mins)
1. configure trunks ( the links that are found between switches to pass the VLAN
information )
2. configure VTP :
configure VTP domain name
configure a password for the VTP domain name
configure the VTP mode
3. configure VLANS
4. assign ports to each created VLAN

A CCNA Journey 56
5. configuring routing protocols to route traffics between created VLANS

access ports on the switch are used to connect devices such as PCS on it
trunk ports on the switch are used to connect trunk links between switches
1. configure trunks
Switch (config-if) # switchport mode trunk this command is used to configure the port as
a trunk port ( this means that this port is
connected to another switch ) , by default the
mode for any port switch is dynamic desirable
( this means that this port can be an access
port or a trunk port depending on what is
connected on that port )
NOTE that if we ran the command switch (config-if) # switchport mode trunk on some switches
you may face an error:
Command rejected: an interface whose trunk encapsulation is ‘auto’ cannot be configured to
‘trunk’ mode
This happens because some switches have the choice to choose between the 2 trunking protocols
ISL and 802.1Q like the 3550 switch, to overcome this issue we specify the encapsulation to be
802.1q instead of being the default as auto negotiate using the command: switch (config-if) #
switchport trunk encapsulation dot1q, if we didn’t receive this error that means that this switch
only supports the dot1q encapsulation
Switch (config) # interface range fastethernet 0/2-24 this command is used to specify a range
Of interfaces to configure a similar
command for all those interfaces
instead of accessing each interface
individually
Switch (config-if) # switchport mode access this command is used to configure the
port as a access port , we use this
command after specifying the trunk
ports as we need to configure all the
ports on the switch to be access ports or
trunk ports
switch# show run interface fastethernet 0/1 command shows only information related about
this specific interface
switch # show VTP status command shows all the information related to VTP like VTP version ,
VTP revision ( how many changes was made to this switch ) , max VLAN supported at one time
( in general the maximum number of VLANS we can have on a switch is 1-4094 ) , number of
existing VLANS , VTP domain name , VTP mode and finally it shows the local updater ID
Example: switch # show VTP status
Configuration last modified by 0.0.0.0 0.0.0.0 means that this switch we ran this command
local updater ID is 192.168.1.12 on (usually this switch is configured as a VTP server,

A CCNA Journey 57
If this switch is a VTP client the 0.0.0.0 won’t appear as

we can’t modify the configuration of VLAN except in
VTP server mode, so it will show us the IP of the VTP
server switch instead of 0.0.0.0
switch# show VLAN command is used to show what VLANS was created on the network and it
only shows you the access ports assigned to every VLAN
Example: switch# show VLAN
1: native VLAN those are predefined VLANs created to support different
1002: fddi-default networks
1003: token-ring-default
1004: fddinet-default
1005: trnet-default
switch# show interfaces trunk command is used to show the trunk ports configured on the
switch
switch# show interfaces fastethernet 0/0 switchport command is used to show the status of a
specific port if its configured as access port or trunk port and the status of the encapsulation
mode if its trunk or dynamic
Example: switch# show interfaces fastethernet 0/0 switchport
Administrative mode: the administrative mode entry will show you the status of the
encapsulation mode, by default it will show you the keyword
dynamic, if we ran the command switch (config-if) #
switchport trunk encapsulation dot1Q then it will show you
the keyword trunk
Operational mode: the operational mode entry shows the status of the port if its
trunk or access
if we have 3 switches and we configured only one switch with a domain name ( the rest have
BLANK domain names ) , that configured domain name will be replicated to the switches that
have a blank domain name , if we configure later a new domain name it won’t be replicated
like what happened before as the replication is done only if there is a BLANK domain name
2. configure VTP
Switch (config) # VTP domain DOMAINNAME this command is used to configure the domain
Name, note that the DOMAINNAME is case
Sensitive
Switch (config) # VTP password PASSWORD this command is used to configure a password
For the domain name
Switch (config) # VTP mode client this command is used to configure the mode
For the switch, if we didn’t configure the VTP
mode, by default it will be a VTP server
3. configure VLANS
Switch (config) # VLAN NUMBER this command is used to create only a VLAN

A CCNA Journey 58
With a specified number and we can verify

that using the command switch# show
VLAN
Switch (config-vlan) # name NAME this command is used to assign a name to the
VLAN
Switch (config-vlan) # exit
7. Switch VLANS: configuring VLANS and VTP part 2(39:36 mins)
NOTE : in this section we will continue the configuration of the switches based on the previous
section , we will finalize point 4 and point 5 in this section
4. Assign ports to VLANS :
Switch (Config-if) # switchport access VLAN NUMBER this command is used to assign
interface
Fastethernet 0/0 to a specific VLAN
number, in this case any PC connected
to this port will be joined to that specific
VLAN number
The best practice to assign VLAN numbers is : Vlan number = subnet number
As an example VLAN 1 has a subnet of 192.168.1.0, VLAN 10 has a subnet of 192.168.10.0;
VLAN 20 has a subnet of 192.168.20.0 and so on

5. Routing between VLANS

• There are three methods to route between VLANS :
1. Separate port to each VLAN

A CCNA Journey 59
2. Layer 3 switch
3. Router on a stick
1. Separate port to each VLAN :
2. Layer 3 switch :
A layer 3 switch is a switch that has layer 3 capabilities , it works based on creating interface
VLANS
A layer 2 switch is a switch that has layer 2 capabilities only

A CCNA Journey 60
3. Router on a stick
• There are 3 steps to configure router on the stick :

1. Configure router sub interfaces , NOTE that we don’t assign an ip address to the physical
interface , all the assigne
assigned ip addresses are for the created sub interfaces
2. Configuring the switch port connected to the router as a trunk port
3. Assign a VLAN number to each created sub interface
Router on a stick method is useful because we can secure VLANS by using access lists (ACL ) as
an example to prevent users of a specific vlan to reach users of another vlan
1. Router ( config ) # interface fastethernet 0/0.50 this command is used to create a sub
Interface, the number 50 is any
number we specify but we prefer to
match it with the VLAN number for
simplicity
Router (config - subif) # ip address 192.168.1.1 255.255.255.0
After running the above command you will receive a message:
% configuring IP routing on a LAN subinterface is only allowed if that sub interface is already
configured as part of an IEEE 802.10, IEEE 802.1Q or ISL VLAN
That means we need to inform the router that this created sub interface will respond to packets that
come from a specific VLAN ( in our example its 50 ) , to solve this message we run the command
router (config-subif)#
subif)# encapsulation dot1Q 50
2. switch ( config) # interface fastethernet 0/0

A CCNA Journey 61
Switch (config-if) # switchport mode trunk

3. Router(config –subif )# encapsulation dot1Q 50 this command configures
Encapsulation for a specific sub
interface to respond to all the traffic
that comes from a specific VLAN (in
our example its 50) and eliminate the
message we received in point 1
After running the above command you will receive a message:
If the interface doesn’t support baby giant frames , maximum MTU of the interface has to be reduced
by 4 bytes on both sides of the connection to properly transmit or receive large packets , please refer
to documentation on configuring IEEE 802.1Q VLANS
Baby giant frame : the biggest packet you can send is 1500bytes , in case that packet is tagged
to be sent over a trunk we will add a 4 byte ( tag size ) to the 1500 to result 1504bytes for the
packet , that is called baby giant frame and that must be supported by switches and routers ,
in general the routers and switches adjust the size of the packet to be 1496 bytes instead of
1500 bytes so that when that packet is tagged it will be 1500 bytes ( this is the maximum size
that can be handled by Ethernet technology )
If we ping from a PC in one VLAN to a PC in another VLAN and it wasn’t successful then we
need to check the router if it contains any routing entries for those VLANS
8. Switch STP: understanding the spanning tree protocol (28:18 mins)
• An ideal design for any network is to divide it to switch layers :

A layered approach allows for easy, manageable growth
Ether channel technology can provide more bandwidth on key links , ether channel
can bundle 2-8 ports in a single pipe , in this case we can have increased bandwidth (
throughput )
Redundant connections eliminates a single point of failure
• Redundancy chaos :
Switches forward broadcast packets out of all its ports by design except the one it
receives on
Redundant connections are necessary in business networks
The place of spanning tree : we drop tress on a redundant link ( block a specific
redundant link ) until those links are needed then that tree ( block ) is removed from
that link
TTL ( time to live ) : TTL is how long the packet survive , TTL is a layer 3 field that works only
with routers , if switches was capable to understand the TTL field then we wouldn’t face any
loops
• STP (Spanning tree protocol ) :
Original STP ( 802.1D) was created to prevent loops

A CCNA Journey 62
Switches send “ probes “ into the network , those probes are called BPDUs ( bridge
protocol data units ) to discover loops , once a BPDU is arrived on a switch , the switch
starts to analyze that BPDU , if it found its name in it then that means this BPDU was
passed before from this switch that results there is a loop in the network
The BPDU also helps to elect a root bridge ( this is the core switch of the network )
The simplest view of STP : all switches find the best path to reach the root bridge then
block all the redundant links ( the remaining links that cause the loops )
Switches run STP by default
• General notes about STP elections :
There are 3 port types in general :
1. Root port ( RP ) : this port is used to reach the root bridge
2. Designated port ( DP ) : this port is a forwarding port , there must be one DP per
link
3. Blocking / non- designated port : this is a blocked port ( where the tree falls )
Bridge ID = prority.MAC address , the default number of the priority is 32768 and the
Mac address is the MAC of the switch itself not the interfaces , the lower the priority
it is the best to be elected as a root bridge , if all the switches are equal in there
priority the n we compare based on the MAC address , the lower Mac address will be
the best to be elected as a root bridge
By default STP elects the oldest manufactured switch as a root bridge because by
default it contains the lowest bridge ID
• STP election process ( how STP finds the best path ) :
1. Elect the root bridge: STP must elect a root bridge, which is based on Lower Priority. by
default all STP switches have 32768 so STP Priority+ Mac address is considered ( based on
lower MAC address )
2. Root Bridge will have all its ports as designated ports
3. Elect the RP: All other Switches or Non Root Switches must select a path to the Root
Bridge. This depends on the lower cost path to the root, regardless of direct or indirect
connectivity with Root Bridge. Every switch must have a RP; the minimum root path
calculation is performed by processing Incoming BPDUs. , The Incoming BPDU carry Root
path cost that is the cumulative path cost of number of paths between the Root Bridge
and Non Root Bridge.
NOTE: if the cost path is tied then we elect based on lower bridge ID, if the lower bridge ID
is tied then we elect based on the lower physical port ID
Bandwidth of the link Cost of the link
10Mbps 100
100Mbps 19
1Gbps 4
10Gbps 2
4. All other Switches or non Root Bridges must select one DP, the election of DP is done like
RP exactly!

A CCNA Journey 63
In brief:
RP: lowest path, if tied then we will go to lowest bridge id, if tied then we will go to lowest physical
port id
DP: lowest bridge id, if tied then we will go to the lowest physical port id
Example:
Exclusion examples:
1.

A CCNA Journey 64
2.
9. Switch STP:: configuring basic STP (21:16 mins)
• Switch # show spanning-treetree command shows you the following :

1. It shows you the root ID ( bridge ID ) , the root ID is the bridge ID for the root bridge , it
shows the priority value , the Mac address of the root bridge , the local switch port that
the root bridge is connected on ( this shows the local port switch that we ran this
command on )
2. It shows you the bridge ID of the switch that you ran this command on , if we ran this
command on the root bridge the root ID will give the same information of the bridge ID
and it will show you that this is the root bridge plus all the ports will be In forwarding
state ( designated ports )
3. It shows you the port status on the switch
PVST+ (Per VLAN STP ) : it’s an enhanced version of STP that runs by default on Cisco switches
, once you run the command Switch # show spanning-tree you will notice that the priority
value = priority + VLAN number ( syssys-id ext ) , more details about
bout this enhancement version
will be found in next section

A CCNA Journey 65
Example:
According to the above example:
1. The root bridge priority is 32769 and the Mac address is 0009.e848.6c00
2. The root bridge is connected on DS1 local port fa0/27
3. The priority for DS1 is 32769 = 32768 ( default ) + 1 vlan number ( sys
sys-id-ext
ext ) as PVST+ is
running on this switch by default
Example:

A CCNA Journey 66
According to the above example:
1. One of the features that you will know in next section about PVST+ is we can have a root
bridge for each VLAN , in this example we will find for VLAN 20 DS1 is the root bridge and the
priority is 32788 = 32768 ( default ) + 20 ( vlan number )
• There are 2 ways To configure a switch to be the root bridge manually :
1. Switch (config)# spanning-treetree vl
vlan 1 root primary this command is used to configure a switch
to be a root bridge ( it will decrease the priority as much as needed to elect this switch as a
root bridge ) , we must specify in the command the VLAN to modify STP in that VLAN , if we
used instead of the primary keyword the secondary keyword it will configure this switch as a
backup switch , this command is basically used with PVST+ to configure a root bridge for each
VLAN we have in the network
2. Switch (config)# spanning-treetree vlan 1 priority 0 this command will configure this switch to be
a root bridge by specifying manually the priority to be 0 , the priority can be configured with a
number between 0-61440
61440 with increments of 4096
If somebody connects a switch to the network an and changed the priority for that switch to be
the lowest to elect it as a root bridge , in this case it will ruin the network , to protect our
network from such attacks we configure root guard
10. Switch STP: enhancements to STP (29:54 mins)

A CCNA Journey 67
•Notes :
1. When you 1st plug in a device to a switch port it will take 30 seconds ( 15 seconds in
listening mode and 15 seconds in learning mode ) to check the device , the 1st 15 seconds
of listening mode is used basically to double check that this port doesn’t have another
switch connected on it and that is done by checking if the port receives a BPDU or not , if a
port is configured to not receive BPDUs , and it received one in the 1st 15 seconds (
listening mode ) then instead of entering the learning mode it will be shutdown
2. A blocking port transitioning from the blocking state to a forwarding state ( changing from
blocking mode to listening mode to learning mode and finally transferred to forwarding
mode ) will take 50 seconds = 20 seconds in blocking mode , 15 seconds in listening mode
and 15 seconds in learning mode
3. When there is a failover in STP ( one link goes down and another link works until the 1st
links is functioning ) , it will take 30-50 seconds , if there is another failover ( the original
link is up again and functioning ) it will take 1-1:30 mins because we add a blocking timer
to the 30-50 seconds that happened In the 1st failover
• Problems and solutions of STP :
1. STP faces some problems with PCs : modern PCs can boot faster than 30 seconds (
listening and learning modes ) and that amount is faster than a port transitioning from
blocking state to forwarding state ( 50 seconds ) , in this case the PCs are forced to wait
those 50 seconds until it starts communicating on the network as the PC won’t work until
the port works
The solution for this problem is to use portfast feature , this feature transitions the port
from blocking mode to forwarding mode immediately without entering the listening and
learning modes , this feature is enabled using the command switch (config-if)# spanning-
tree portfast ( this command disables STP on that port and its configured only on access
ports )
2. STP faces some problems with uplink ports (ports that are connecting to other switches ) :
if this port transition from blocking mode to forwarding mode it will spend approximately
50 seconds and that is a big amount that causes trouble in our network
The solution for this problem is to use RSTP (rapid spanning tree)
• Initial STP enhancements :
1. PVST+ ( per VLAN spanning tree + ) :
Runs as an instance of STP per VLAN
Allows different root bridges per VLAN
In STP we had a disabled link ( resulted from a blocking port ) , using PVST+ all the
links will be used based on VLANS
By default PVST+ runs on Cisco switches
Example:

A CCNA Journey 68
2. RSTP ( rapid STP ) :

RSTP is also known as 802.1W
RSTP is designed to be a proactive system ,in STP it forgets about the blocked
ports and in case it wants to transfer a blocked port to a forwarding port it must
rediscover it from beginning and that takes time , in RSTP it remembers all the
ports and mark rk the blocked ports ( named in STP ) as alternate ports
RSTP Redefines port roles
that help in improving the
performance :
1. Root port : this port is
used to reach the
root bridge ( it’s the
same like STP )
2. Designated port : this
is a forwarding port
and there must be
one port per link ( it’s

A CCNA Journey 69
the same like STP )

3. Alternate ports : this port is a discarding port ( in STP there are blocking ports
and in RSTP it’s called alternate ports so instead of having a disabled link like
in STP we have a backup path to the root using RSTP )
RSTP have many similarities with STP
RSTP must be running on all the switches found in our network because if we have
any switch running STP and the others are configured as RSTP , that STP switch
will slow down the network
Usually we enable with RSTP the portfast feature using the command switch(config)#
spanning-tree portfast to improve the performance and have a fast network
When a port goes down in RSTP it is transitioned to alternate port mode and won’t give any
outage , but when you failback to that alternate port ( to transition to forwarding mode again
) it will be down for 1-2 seconds only
Switch # show spanning –tree command is used to show the status of RSTP if its running or
not
Switch(config )# spanning-tree mode rapid-pvst command is used to enable RSTP on the
switch , this command must be run on all the switches in the network to have a fast network ,
we can also use the keywords MST ( multiple spanning tree instead of rapid-pvst , this
spanning tree mode is the oldest mode and it runs one instance of spanning tree on all the
VLANS , this type is used when there are a lot of VLANS on the network and we don’t want to
consume a lot of router resources ) or PVST+ ( this is the default spanning tree running , so no
need to enable it )
11. General switching: troubleshooting and security best practices (29:23 mins)
• Troubleshooting a switched network :

1. Get familiar with the network
2. Absolutely have an accurate network diagram
3. Work logically , from the bottom-up ( OSI )
• Common troubleshooting issues :
1. Port issues :
Check cabling issues
Verify speed and duplex auto configuration , usually the problem we face is from
the duplex mismatch not from the speed
Check that the assigned VLANS has not been deleted , if a PC is assigned to a VLAN
and that VLAN was deleted it will show the port switch as amber and the PC can’t
communicate anymore with the network
2. Spanning tree issues : usually if there is a problem all the lights on the switch will appear
as amber

A CCNA Journey 70
Solve the immediate issue ( disconnect redundant links ) , in this case we won’t
face any spanning tree problems once we specify which redundant link to disable
of course by using STP technology
Ensure all the links are reflected on a network diagram as we need an updated
network diagram , in general spanning tree has an effective radius ( distance ) of 7
devices
Ensure root bridge selection is appropriate
Make sure all the switches are running RSTP
3. VLAN and trunking issues :
Watch for native VLAN mismatch , as in page 52 from this document if the native
VLAN didn’t match we will face a problem , so we prefer to unify it on all switches
Hard code trunk ports to be “ on “ using the command switch ( config – if ) #
switchport mode trunk , by default its configured as dynamically allocated
Verify the IP address assignments in a VLAN
Use ping and traceroute commands to diagnose routing issues
4. VTP issues :
Verify the trunks
Verify VTP information like the VTP password , VTP version , VTP domain name
and the VTP modes
Last resort to solve VTP issues is to delete the VLAN.dat that is found in the flash
and reconfigure the VLANS from beginning , all the VLAN information in general is
found in VLAN .dat , if you want to flush all the VLAN configuration just run the
command switch # delete flash : VLAN.dat then reboot the switch
• Switch security is essential :
Most security focuses around the network perimeter
Switch security checklist :
a. Physical security : we secure the location of the switch itself because if somebody as
an example pressed the mode button found on the switch for 10 seconds it will erase
all the configuration , this feature can be disabled using command line
b. Set passwords and logon banners
c. Disable the web server , this feature is used to give a GUI page through web browser
to check the switch ports and configure them , the web server can be disabled by
running the command switch ( config ) # no ip http server
d. Limit remote access subnets using ACL
e. Use SSH whenever its possible
f. Configure logging , this is done in 2 ways :
1. Logging the messages on the local switch :
Switch (config) # logging buffered 64000 this command will allocate 64000 bytes
for memory buffer to log messages like when an interface is up or down it will log
that event
Switch # show logging command is used to show the logged messages on the
switch

A CCNA Journey 71
2. Logging all the messages to be saved on a remote host that has a program to
receive those messa
messages ges like kiwi syslog demon , to configure the switch to send
those logs we run the command switch ( config ) # logging A.B.C.D
g. Limit CDP reach when it’s possible : we disable CDP in case we want to protect our
network from packet sniffers as they can read CDP packets but we don’t recommend
disabling CDP as IP phones use CDP to function
To limit CDP reach it can be done in 2 ways:
1. Switch(Config)# no CDP run
2. Switch ( config
config- if ) # no CDP enable
h. Use BDPU guard on po portfast ports :in general BPDU is used with STP to announce
switches and discover if there are any loops in the network , we enable BPDUguard on
portfast ports ( ports connected to PCs ) as those ports don’t need to receive a BPDU
because PCs are connected on those ports only , in case we connected a switch on this
port and it started to send BPDUs , once the portfast that is enabled for BPDUguard
received a BPDU it will shut down the port ( it enters in an error0disabled state ) and
that helps to prevent lo loops
In brief: The BPDU guard feature puts Port Fast Fast-enabled
enabled interfaces that receive BPDUs
in an error-disabled
disabled state.
This feature can be enabled using the command switch (config) # spanning-tree
spanning
bpduguard
Example:
If we configured BPDUfilter using the command switch (config) # spanning-tree tree bpdufilter, The
BPDU filtering feature prevents the switch interface from sending or receiving BPDUs.
bdpuguard stops sending BPDU from an interface and in case it receives a BPDU it goes in
error state ( shut down ) and this is activated on portfast ports in general , it’s used to protect
our network from connecting an additional hub or switch on our existing switch , bpdufilter
from other hand stops sending AND receiving on the port , in case it receives any BPDU it will
only discard it and its used on the access layer switches ports as we don’t need to receive STP
information there

A CCNA Journey 72
12. Sub netting: understanding VLSM (18:42 mins)
VLSM ( variable link subnet mask ) : can change my subnet mask whenever and wherever
If you use VLSM then you need a classless routing protocol to work with VLSM like RIPv2 ,
OSPF , IS-IS
IS and EIGRP , the class full routing protocols like IGRP and RIPv1 won’t work with
VLSM in a proper way
• In any VLSM scenario we do the following :
1. Start with the largest subnet
2. After specify the 1st network range we do sub netting again and pick a suitable network
range
3. Don’t forget the point to point links
Example:
13. Routing protocols: distance vector VS link state (26:25 mins)

Types of routing protocols: refer to page 36 for more information
• Distance vector ( DV ) routing protocols :

A CCNA Journey 73
1. DV routing protocols send the entire routing table at specific intervals ( as an example RIP
sends its entire routing table to the entire network as broadcasts or multicasts (
depending on the version of RIP ) every 30 seconds , those updates are keepalives of the
RIP , if a RIP router didn’t
dn’t receive this update every 30 seconds then there is properly a
problem occurring )
2. In their simplicity DV routing protocols have looping ississues like countdown to infinity
Example on countdown to infinity problem:
•DV loop preventions :

1. Maximum distance ce : the maximum distance for RIP is 16 hops away , the 16th hop is
considered as dead
2. Route poisoning : in case there is a down network , it will be advertised by RIP as a 16 hop
and according to the 1st mechanism ( maximum distance ) that hop will be considered
dead
3. Triggered update : when there is a change in the network ( properly a network is down ) ,
the router immediately triggers an update ( instead of waiting for 30 seconds to send an
update about that change nge ) to update other routers that there is a network change( the
down network will be advertised as route poisoning )
4. Hold down timers : when there is a down network , all the routers that aren’t connected
directly to that down network will set this time
timer so that it won’t receive any updates
related to that down network until the hold timer expires ( by default its 180 seconds ) ,
this mechanism is useful if we have flapping links that goes up and down frequently
5. Split horizon : it informs the router no
nott to send updates back in the same direction they
received them on networks than have been advertised , this mechanism causes a lot of
problems in frame relays so we prefer to disable this mechanism in frame relay
Example:

A CCNA Journey 74
• link state (LS ) routing prot

protocol :
1. It forms neighbor relationships rather than sending broadcasts as in DV , after the
relationship is established the LS routing protocols starts to send hello packets at specific
intervals to double check that the neighbors is still alive
2. After the
he initial routing tables has been exchanged , routers send small event based updates (
update is sent when we there is a change )
3. There are currently two LS protocols : OSPF and ISIS-IS
• Advantages of LS routing :
1. Much faster to converge
2. No routing loops because the routers have a map for all the network ( they know everything I
the network )
3. Forces you to design your network in a proper way
• Disadvantages of LS routing :
1. Demand on router resources , as LS routing protocols uses a lot of memory and CPU
2. LS is considered a technical complexity
3. LS requires a solid network design
13. Routing protocols: OSPF concepts (30:36 mins)

• Route summarization :
The purpose of route summarization is to have smaller routing tables ( fewer routes
found in the routing table ) because if we have larger routing tables that leads to
having slower routers
Route summarization is the process of summing up all these routes into fewer
advertisements
Routing summarization suppress routing tables and routing updates ( the routing table
is small and the router is faster in processing )
Example:

A CCNA Journey 75
• OSPF area designs and terms

A CCNA Journey 76
All areas must connect to area 0 , an area in general is a group of routers that all have
the same routing information , each area mustn’t contain more than 50 routers ,
usually we use different areas to represent different geographical locations and to
summarize ( we use multiple areas to summarize ) , inside of the areas you have
internal routers ( only connected in the same area )
All routers in an area have the same topology table ( topology table shows all the map
of an area with all the paths ) but every router within the same area have different
routing tables , as an example in case a router in area 0 went down the other routers
will check the topology table to recreate an alternate path to reach the destination ,
but the routing table is different from router to another within the same area
Requires a hierarchal design , you group similar subnets in similar areas to form
summarization addresses
The goal is to localize updates within an area
The purpose of using OSPF with multiple areas is to use summarization as much as we
can so that if we can do summarization we do it!
Notes about the example above:
Area 1 summarizes the 172.16.1.0-172.16.4.0 = 172.16.1.0/16
Area 2 summarizes the 172.17.1.0-172.17.15.0 = 172.17.1.0/16
The internet section is an external routing protocol like RIP or EIGRP
Summarization is done on ABR and ASBR routers only in OSPF network
• ABR ( area border routers ) :
It contains two topology tables one for area 0 that explains about routers in area 0
and one for the other area connected to area 0
The summarization happens on ABR routers
Connect between area 0 and another area
Sits between areas
• ASBR ( autonomous system boundary router ) :
Routers in OSPF that connects to routers outside your network , it connects OSPF to
internet or another routing protocol like RIP or EIGRP
The summarization happens on ASBR routers
• Understanding OSPF neighbor relationships ( how OSPF forms neighbors ) :
Unlike RIP , OSPF form a direct relationship with routers it want to speak with
In OSPF , routers exchange routes between each other and then maintain that
relationship using hello protocol
OSPF hello packet is used to allow routers to form a relationship with other OSPF
routers and exchange routes
Hello messages are sent when you configure OSPF on the interfaces you designate (
hello messages sent on chosen interfaces )
Hellos messages are sent once every 10 seconds on broadcast and point to point
networks ( usually we change this value to be lower so that we can detect failures

A CCNA Journey 77
faster ) and is sent one every 30 seconds on non broadcast multi-access networks like
frame relay
Hello messages contains all sort of information like :
1. Router ID , the name of the OSPF router
2. Hello and dead timers ***, the dead timer is the time to keep the relation
available in case we didn’t receive a hello packet
3. Network mask ***
4. Area ID ***
5. DR/BDR ip addresses
6. Router priority
7. Neighbors , this includes the list of neighbors each router knows
8. Authentication password ***
NOTE *** means that it must match between routers to form a relationship
14. Routing protocols: OSPF configuration and troubleshooting (39:53 mins)
Router ( config ) # router OSPF 1 this command is used to enable OSPF routing
Protocol, the process ID (1 in our example) is
used to identify the OSPF process, the process
ID is a number between 1-65535 and it mustn’t
be the same on all the routers but it’s
recommended to unify it
Router (config- router) # network 192.168.1.0 0.0.0.255 area 0 this command is used to
configure what networks to
advertise ( send hello packets
to specific destinations ) , the
192.168.1.0 is a classfull
network ( this is configured like
what we do in RIP ) , the
0.0.0.255 is a wildcard mask
that is used as a match
statement , the 0 bit means
match and the 255 means I
don’t care
Router (config – router) # default-information originate this command is used to
advertise static routes in OSPF
( the router who have any
static or static default route
will advertise it using OSPF
protocol to other routers , the
other routers who receive that
advertise will have a new route

A CCNA Journey 78
learnt by OSPF with a symbol

O*E2 - that means static routes
advertised by OSPF - ) , the
main function of this command
is to configure a static default
route on one router then
advertising itt to other routers
using the OSPF protocol
instead of visiting each router
and configuring that static
default route manually ! This
command d is like Router
(config-router)
router) # redistribute
static in RIP
Examples:
1. If we have the network range : 172.30.0.0/16 – 172.30.7.0/16 and we wanted to advertise

them using OSPF , that can be done in one of the following ways :
a. Router (config-router
router ) # ne
network 172.30.0.0 0.0.255.255 area 0
b. Router ( config-router
router ) # network 172.30.0.0 0.0.7.255 area 0
According to the second command the wildcard mask is 0.0.7.255 and that can be calculated by
subtracting 255.255.255.255 from 255.255.248.0 ( /21 the summa
summarization
rization subnet mask ) , the number
7 here means 172.30.0.0-172.30.7.0 .0 and is usually matched with the last network id in the range (
172.30.7.0
.0 ) but this case only works in OSPF and it doesn’t work in ACL
2.

A CCNA Journey 79
3.
4.
5.
Some useful commands :

1. Router ( config ) # no router RIP command is used to disable RIP protocol

A CCNA Journey 80
2. Router # show ip OSPF neighbor command is used to show the OSPF neighbors formed
with this router
3. Router ( config ) # show run | include ip route command will show only the command that
contains the keywords IP route
Example:
Router # show ip OSPF neighbor
Neighbor ID pri state dead time address interface
192.168.1.1 1 full/DR 00:00:33 192.168.1.1 fastethernet 0/0
The address column represents the IP address of the neighbor interface connected to this router
• Understanding the OSPF router ID
1. The OSPF route ID is the name of the router , it identifies the router to the OSPF neighbors
2. The router ID is elected by the following sequence :
At startup The router ID will be the highest physical interface on that router by
default
If there is a loopback address it will be preferred on the physical interface even if
it was lower that the physical interface , this can be configured using the
command :
Router (config) # interface loopback 0
Router (config – if) # ip address 192.168.1.1 255.255.255.0
In case we configured the router ID manually it will be preferred on the loopback
address and the physical interface , this can be done running the command
Router ( config-router ) # router-ID A.B.C.D notice that if you run this command
you need to reboot the router to take effect or at least reboot the OSPF process
using the command router # clear ip process OSPF ( this command will shutdown
the neighbors and then those neighbors are formed again )
• Troubleshooting OSPF :
Run the command router # debug ip ospf adj to show the process of forming the
neighbors
The best way to troubleshoot OSPF is to run the command router # show ip ospf
neighbors , if there wasn’t any neighbors showing then we need to check that the
hello and dead timers , the network mask , the area id and the authentication
passwords are matching between the routers to form the neighbors relation
15. Routing protocols: EIGRP concepts and configuration (32:28 mins)

EIGRP is the best routing protocol so far but its own problem is that it’s a Cisco proprietary
protocol
Why you would choose to use EIGRP :
1. It uses backup routes ( fast convergence /DUAL ) , OSPF and RIP only remember the best
route and put that route in the routing table , if that route went down it needs to search
again for another best route , EIGRP from other hand uses backup routes and it saves
those routes in the topology table , in case the best route that is found in the routing table

A CCNA Journey 81
went down , EIGRPIGRP will use the backup route immediately as the best route without any
additional calculations ( in OSPF and RIP it do
does the calculation again to know the new
best route )
DUAL stands for diffused update algorithm , DUAL is the engine that runs EIGRP (
its responsible for calculating the routes in EIGRP , in OSPF the engine is called SPF
)
DUAL is better than SPF because it doesn’t increase any load on the process of the
routers
2. Simple configuration
3. Flexibilityy in summarization , in OSPF you configure summarization at the ABR and ASBR
only , in EIGRP you can configure summarization whenever and wherever you want
4. It allows for unequal load balancing ( all the other protocols use equal load balancing )
5. Combines best of distance vector and link state
6. Supports multiple network protocols ( like IPX , apple talk and IP )
7. EIGRP uses hello packets like OSPF to discover neighbors , by default EIGRP sends hello
packets every 5 seconds
8. EIGRP supports sub second convergence
• EIGRP tables :
1. Neighbor table : this table shows all the neighbors formed
2. Topology table : this table contains the EIGRP whole map for the network , it remembers
all of the best routes ( appeared in the topology table as a successor – primary link - ) and
the backup routes ( appeared in the topology table as a feasible successor – backup link - )

A CCNA Journey 82
3. Routing table : this table contains all the best routes ( successors )
Example:
Configuring EIGRP :
Router ( config ) # router EIGRP 1 this command
nd is used to enable EIGRP
, the number 1 is called an AS (
autonomous system number ) , it’s a
number between 1-65535
65535 and it must
be matched on all the routers running
this same EIGRP process
Router (config – router) # network 192.168.1.0 this command is used to advertise the
Directly connected networks and it has
the same syntax of RIP, we can use the
command router (config – router) #
network 192.168.1.0 0.0.0.255 as well
like OSPF but of course without the
area keyword
Some useful commands :
Router # show ip EIGRP neighbors command is used to show you the neighbors this
router formed a relation with

A CCNA Journey 83
Example:
Router # show ip EIGRP neighbors
H address interface hold uptime (sec) SRTT (ms) RTO QCNT Seq num
0 192.168.1.1 FA0/0 11 00: 00: 40 4 200 0 2
The H column lists all the neighbors in the order it received it
The address column represents the neighbor IP
The interface column represents the local int
interface
erface on this router that is connected to the neighbor
The hold uptime column represents how long it believes until that neighbor is dead
The SRTT ( source round trip timer ) column represents how long it gets to the neighbor and back , it
helps to engage
age how long it should be waiting before it expects a hello packet
Router # show ip route command is used to show the EIGRP routes , it appears as D
Summarization in EIGRP :
EIGRP summarizes addresses automatically ( auto summary is enabled by default ) ,
anytime you have a discontinues network ( a network advertised across a boundary
that is not the same network , in the following example I will explain this further )

A CCNA Journey 84
16. Access-lists: the rules of ACLs (access control lists) (27:44 mins)
An ACL is an identifier list that allows ( permits ) or deny specific traffic based on a list of
permit and deny statements
Examples:
1. ACL can be used to allow for a specific host ( example permit 192.168.2.58 )
2. ACL can be used to deny a whole subnet ( example deny 192.168.1.0/24 )
3. ACL can be used to allow a specific port for an IP ( example permit TCP port 80 for 200.1.1.1 )
4. ACL can be used to deny a range of ports for a whole subnet ( example permit all TCP traffic
for 210.0.1.0/24 )
• ACL can be used for :
Access control : permitting and denying traffic
NAT : permit or deny hosts to be translated to public IPs
Quality of service : configuring a specific host to have a higher priority than others
Demand dial routing
Policy routing
Route filtering
Security concerns
• Rules of ACLs :
1. ACLs are read from top to bottom , once the 1st match is found you stop reading and exit
the ACL
Example:
Deny 10.1.5.1 according to this example we read the 1st sentence from top and realize that we
Permit 5.3.1.2 deny 10.1.5.1 then we permit 5.3.1.2, now in the 3rd sentence we don’t give
Permit 10.1.5.1 attention for it because we already denied 10.1.5.1 so we won’t permit it again
(the
1st match applies only)
2. At the bottom of each ACL there is an invisible implicit deny statement , because that we
use at least one permit statement in the ACL unless our goal was to deny all the traffic
3. The ACL is applied to an interface as inbound ( into that interface ) or outbound ( out that
interface )
4. In every ACL the order is important
• Adding ACL capabilities ( types ) :
1. Standard :
Standard ACL matches based on the source of the IP address only ( who you are )
It has a lower processor utilization
It affects depends on applications ( if I apply this ACL in an outbound way it will
have an affect different that applying it in an inbound way )

A CCNA Journey 85
Example:
2. Extended :
Extended ACL matches based on source/destination addresses , protocol ,
source/destination port numbers
It has a higher processor utilization
The syntax of extended ACL takes some time to learn it
3. Dynamic : this type of ACL expands and shrinks depending on whose going through at a
time
Example : an ACL has been created to allow users to access the internet for a specific amount of time ,
if the username and password provided by that user didn’t match that ACL they won’t have the ability
to access the internet , if the username and password have been matched then they can use the
internet for a specific amount of time configured based on the ACL
4. Established ( reflexive ) : this type of ACL allows the return traffic for internal requests (
requests that have originated from inside the network ) , this type is basically used If we
want to deny all traffic that are originated from internet

A CCNA Journey 86
Example in theory:
Example in practical based on commands that will be explained in page 89:
5. Time based : this type of ACL is activated for a moment of time only
Example: we create a time based ACL if we want to allow internet access after business hours (in this
case the ACL will be activated during business hours to deny internet access)

A CCNA Journey 87
6. Context – based access control ( CBAC ) : this type of ACL is a new way to turn the router
to work as a Cisco firewall ( pix firewall or ASA ) , it turns on the router some firewall
features , in this case the router starts to inspect all traffic going through it
16. Access-lists: configuring ACLs part 1 (34:40 mins)

In the standard ACL we place the ACL as close as possible to the destination because we can’t
specify except source IPs using the standard ACL , if we place the standard ACL near the source
we will then deny alot of traffic and that isn’t recommended
To create a standard ACL :
Create the ACL standard
Apply that ACL on a specific interface as inbound or outbound
Router ( config )# access-list 1 deny 192.168.5.100 0.0.0.0 command is used to create a
standard ACL ( standard ACL
uses a number between 1-99
or 1300-1999) that uses a
number of 1 , this ACL denies
traffic coming from a host ( in
our example 192.168.5.100 ) ,
we can use instead of the deny
keyword the permit keyword
or the remark keyword ( the
remark keyword is used only to
put comments on that created
ACL ) , this command can be
written in another way :
Router ( config ) access-list 1
deny host 192.168.5.100 ( as
0.0.0.0 = the host keyword )
Router (config) # access-list 1 permit 192.168.5.0 0.0.0.255 command is used to permit
Traffic from a network
192.168.5.0
Router (config) # access-list 1 permit any this command is used to
Overcome the implicit deny,
this is usually typed at the end
of each ACL, the any keyword
represents 0.0.0.0
255.255.255.255
Router (config) # interface serial 0/0

Router (config-if) # ip access-group 1 in this command is used to apply

A CCNA Journey 88
The ACL on a specific interface,

in our example we are applying
the ACL number 1 on serial 0/0
in an inbound way, we can use
the out keyword instead of in
keyword as well
Router# show access-list command is used to show what ACL lists are created on the router
and it shows you how many times it permitted the traffic or denied the traffic
Router # show ip access-lists command is used to show what ACL lists are created on the
router and it has the same function of Router# show access-list
Router # show access-lists 70 command is used to show the ACL 70 only
Example: in this example 192.168.5.100 pings the router interface 192.168.2.1
Router# show access-list
Standard IP access-list 1
10 deny 192.168.5.100 (8 matches)
20 permit 192.168.0.0 wildcard bits 0.0.255.255
30 permit 192.168.5.0 wildcard bits 0.0.0.255
According to the above example we note the following:
20 permit 192.168.0.0 wildcard bits 0.0.255.255 can be created using the command Router (
config )# access-list 1 permit 192.168.5.100 0.0.255.255
8 matches shows that the ACL blocked the traffic coming from 192.168.5.100 8 times ( every
ping send 4 packets and shows in the ACL as 8 times ( send/receive ) , each time 192.168.5.100
pings the router a reply will be : reply from 192.168.2.1 destination host unreachable because
there is a deny statement for 192.168.5.100
10, 20 and 30 are called sequence numbers and can be edited only in named ACL , this number
helps to modify the existing ACL or entering a new statement in that existing ACL as before
using sequence numbers we had to copy all the applied commands of the ACL to a notepad to
edit it then pasting it back in the configuration mode
Example: in this example 192.168.10.50 is telnetting to router
Router# show access-lists 70
Standard IP access-list 1
10 deny 192.168.10.50 (6 matches)
20 permit any (2 matches)
2 matches shows that the ACL allowed the traffic coming from 192.168.10.50 2 times ( every
telnet send 2 packets
We configure an ACL to prevent telnet or SSH because in general if you don’t know the
username and password to access the router , still you have the ability to guess that password
to enter the router so we create an ACL to allow only specific hosts to telnet
For telnet and SSH we apply the ACL on the VTY ports instead of applying them on a specific
interface like what we do in general with the standard ACL
Router ( config ) # access-list 70 remark THIS WILL DENY HOST A FROM TELLNETTING TO R1

A CCNA Journey 89
This command is only a comment, it will appear in the router# show run and router# show
access-list commands
Router (config) # access-list 70 deny 192.168.10.50 0.0.0.0
Router (config) # access-list 70 permit any
Router (config) # line vty 0 4
Router (config-line) # access-class 70 in this command is used to apply
ACL 70 on the VTY ports, we
always use the in keyword
with telnet or SSH
17. Access-lists: configuring ACLs part 2 (48:42 mins)

The rule of ACL is to apply one ACL per interface per direction , if we have as an example one
ACL on one interface in an inbound way and we wanted to add another ACL on the same
interface In an inbound way as well we can’t because we already have an existing ACL on that
interface in the same direction , but if we add an ACL on that interface in an outbound way it
can be done but usually if we are concerned about the inbound way and we can’t add a new
ACL we can just edit the existing ACL and add some entries to it
We apply the extended ACL as close to the source
We try our best to use less entries in ACL because the larger the ACL is the more processing is
done for it
Router ( config ) # no access-list 25 command is used to remove the access list number 25
Router ( config ) # access-list 150 deny IP 192.168.10.50 0.0.0.0 192.168.3.50 0.0.0.0
This command is used to block the IP traffic from the source 192.168.10.50 to the destination
192.168.3.50
Notes about the above command:
The extended ACL uses the numbers 100-199 or 2000-2699
In the CCNA level we care about five types of layer 4 OSI model protocols :
1. TCP : it’s a reliable connection like web browsing , FTP , telnet , ssh , email
2. UDP : unreliable connection like VOIP , video streaming , online games , instant messages
3. ICMP ( internet control message protocol ) : this type of protocol is used for a lot of things
like ping ( it sends an ICMP echo and ICMP echo reply )
4. IP : this type includes all the above protocols : TCP , UDP and ICMP , this is used in case I
want to include all the layer 4 protocols , in case I am concerned about TCP only as an
example I just use the TCP keyword , if I care about UDP traffic only I just include the UDP
keyword only and so on
5. ESP ( encapsulation security payload ) : this protocol is used for VPN connections
The above command can be written in another way :
Router (config) # access-list 150 deny IP host 192.168.10.50 host 192.168.3.50
Router ( config ) # access-list 150 deny IP host 192.168.10.50 eq 80 any eq 80
This command is used to block the IP traffic from the source 192.168.10.50 that matches port
80 only to the destination 192.168.3.50 that matches port 80 only , as you notice we don’t

A CCNA Journey 90
care a lot about the eq 80 related to the source , we concern more about the destination so
the correctt way to write the above command is :
Router (config) # access-list
list 150 deny IP host 192.168.10.50 any eq 80
Router ( config ) # access-listlist 150 permit ip any any command is used at the end of each
extended ACL to allow the rest of the traffic as there is an implicit deny
Router ( config-ifif ) # ip access
access-group 150 in command is used to apply the extended ACL 150 to
an interface in an inbound way
Examples showing full typing of the commands mentioned above:
named ACL examples :

1) router ( config ) # ip access
access-list extended DENY_HOSTA this command is used to
Create an Extended named ACL
(we can create a standard
named ACL as well) with the
name DENY_HOSTA
Router (config-ext-nacl)
nacl) # permit ip host 192.168.10.50 host 4.2.2.2
Router (config) # interface gigabitethernet0/1
Router (config-if) # ip access
access-group DENY_HOSTA in
1) router ( config ) # ip access
access-list extended DENY_HOSTA this command is to used to edit
ACL 150
Router (config-ext-nacl
nacl) # no 20 this command will delete entry
20
For this example if we run the command router# show ip access-list it will show you the following:
Router# show ip access-list
Extended ip access list 150
10 permit ip host 192.168.10.50 host 4.2.2.2
30 permit ip any any the entry 20 has been deleted
18. NAT (network address translation): understanding the 3 styles of NAT (20:00 mins)
mins

A CCNA Journey 91
NAT allows you to convert the private cooperate addresses to public addresses that work on
internet
We don’t recommended to assign the public IP addresses that are used in NAT to any router
interfaces but it can be used as we will notice in this section
• Types of NAT :
1. Dynamic NAT
2. NAT overload
3. Static NAT
• Understanding dynamic NAT :
Each client gain a public IP
from a pool of addresses
The client must own the IP
addresses used in a NAT
pool
Dynamic NAT is used to
solve problems with
addressing like overlapping
addresses
Dynamic NAT is using in
general 1-11 NAT translations
based on a pool
We use dynamic NAT with
NAT overload in big organizations if we want clients to use pool of public addresses to surf the
internet
Example on the overlapping addresses situation

A CCNA Journey 92
• Understanding NAT overload ( the most common used type ) :

In Nat overload multiple devices share a single public IP address
Nat overload is commonly called PAT ( port address translation ) because it works
based on ports
• Understanding static NAT ( hosting servers ) :

Static NAT is
used to host
servers
We usually
combine the
static Nat with
NAT overload ,
NAT overload
will be used to
provide
outbound
access for

A CCNA Journey 93
clients to surf the internet and the static NAT will be use
used
d to provide inbound access
for our hosting servers like our web servers
19. NAT: command line NAT configuration (35:41 mins)

Router ( config ) # ip domain
domain-lookup command is used to enable the domain lookup feature
that is used to translate names to ip addresses , this command relies on the router (config )#
ip name –server A.B.C.D command to know what names are mapped to what IP addresses
We use static default routes tes on the routers to let routers access the internet and we use along
with that Nat to let clients access the internet
Router# ping 4.2.2.2 source Ethernet 0/0 command is used to ping the ip 4.2.2.2 from the
router interface e0/0 , we specify which interface to ping from because maybe other
interfaces on the router are denied from pinging
Router # show ip Nat translations command is used to show you all the Nat happening on a
specific router , it will show you the inside local address ( our private local addresses ) , inside
global address ( our public IP address ) , outside local address and outside global address
• Steps to configure NAT overload :

A CCNA Journey 94
1. Label the interfaces , this is done to know which interface represents the internal network and
which
ch one represents the outside network
2. Identify internal IP addresses to be translated , this is done by using ACL to tell the router
which internal IPs we want to translate and which IPs we don’t
3. Enable Nat overload
Example showing how the steps are im implemented to configure NAT overload:
1. router (config ) # interface Ethernet 0/0

Router (config-if) # ip Nat inside this command is used to tell the router that
Ethernet 0/0 is the inside interface (
represents the internal network)
Router (config-if) # interface Ethernet 0/1
Router (config-if) # ip Nat outside this command is used to tell the router that
Ethernet 0/1 is the outside interface (
represents the outside network)
2. Router (config) # ip access
access-list standard NAT_ADDRESSESS this command will create a
Standard ACL that will specify
what IPs are allowed to be
Natted or denied based on
source addresses (client IPs)
Router (config-ext-nacl) # deny 192.168.3.0 0.0.0.255 this command excludes the
network 192.168.3.0/24 from
being allowed to be Natted
Router (config-ext-nacl) # permit 192.168.0.0 0.0.255.255 this command will allow the
Rest of the network
192.168.0.0/24
24 to be Natted
3. Router (config ) # ip Nat inside source list NAT_ADDRESSESS interface Ethernet 0/1 overload
This command means I want to Nat ((ip Nat ) from inside of the network (inside ) based on the source
address translation (source ) the source addresses that I want to translate are in ACL (list
( ) that is
called NAT_ADDRESSESS (NAT_ADDRESSESS
NAT_ADDRESSESS ) sending them outside interface Ethernet 0/1 ( interface
Ethernet 0/1 , we use the ip address of the interface Ethernet 0/1 to do the translation and reach the
internet , in our example its 68.110
68.110.171.98 ) and overload ( overload , this keyword will allow multiple

A CCNA Journey 95
internal addresses to use this single public IP address 68.110.171.98 , if we don’t overload then only 1
client will have internet access )
• Configuring static Nat : static Nat is what allows me to create mappings to let internal hosts be
accessible from outside , in general we don’t use the IP address of the router interface to Nat
a host from our network , but if that public IP that is assigned to the router interface is the
only public IP we have then we configure static port mappings , the below examples will show
the configuration of static Nat and static port mapping
1. Router ( config ) # ip Nat inside source static 192.168.10.50 68.110.171.99
This example shows how to translate the ip 192.168.10.50 to a public IP 68.110.171.99
2. Router ( config ) # ip Nat inside source static TCP 192.168.10.50 80 interface ethernet0/1 80
a. This example shows that we only have only 1 public IP (68.110.171.98 ) and we need
to publish our web server ( 192.168.10.50 ) so we specify the ports 80 with the static
Nat command , in this case whenever Ethernet 0/1 gets a request on port 80 it will
translate that request to 192.168.10.50 on port 80
b. We can replace interface ethernet0/1 keyword with the public IP 68.110.171.98 as it’s
the same , in general if we use the same ip of the interface we use the interface
ethernet0/1 keyword and if we use a different ip than the ip of the router interface
we just type it in clear text
• Configuring dynamic Nat with overload :
Router (config) ip Nat pool PUBLIC_ADDRESSES 68.110.171.99 68.110.171.100 netmask 255.255.255.0
This command creates a pool of public IP addresses starting from 68.110.171.99 and ending to
68.110.171.100 (this pool contains only 2 public IP addresses)
Router (config) # ip Nat inside source list NAT_ADDRESSESS pool PUBLIC_ADDRESSES overload
This command is using allowing the clients declared in NAT_ADDRESSESS (the explanation of this ACL
is found in page 93) to be translated to the public IP addresses declared in the pool
PUBLIC_ADDRESSES and to use the overload feature
a. In the overload configuration found in page 93 we were using instead of PUBLIC_ADDRESSES
pool the interface Ethernet 0/1 keyword because we were using the IP address of the router
interface not a pool of public IP addresses ( in our example 2 public IPs )
b. If we didn’t use the overload keyword then we will only have 2 clients accessing the internet
because we only have 2 public IP addresses available in the pool PUBLIC_ADDRESSES
20. Wan connections: concepts of VPN technology (33:20 mins)

• VPN ( virtual private network ) :
1. VPN is a cheaper connection
2. The VPN is available anywhere the internet is available
3. The VPN is heavily encrypted and secured but that makes more overhead on the router
4. VPN is a many to many connection , it allows anybody to connect to anybody

A CCNA Journey 96
• Cisco VPN styles :

1. Site to site ( L2L) ( lan 2 lan )
2. Remote access
• Site to site ( L2L ):
Site to site style is a replacement of private lines ( lines used to connect offices )
Site to site is used for connecting offices
• Remote access :
Remote access style is used to connect homes or laptops to the office
Remote access client is installed usually on those home PCs and laptops , and it’s
called VPN client

A CCNA Journey 97
Once the VPN client is authenticated with the office , the home PC or laptop is then
connected to the office securely and the traffic is sent in an encrypted way
We can use this style to connect an IP phone at home and use that phone as I’m sitting
in the office
Ssl VPN ( web VPN ) : instead of installing VPN client on a laptop or home PC we use
SSL VPN , the function of SSL VPN is to allow the router to generate a website that
request for a username and password from the user ,once the user authenticates with
the website the router will install on your laptop or home PC a mini VPN client as
long as you are connected to that VPN , once your disconnected form that VPN the
mini VPN client is removed
• IPSEC :
The IPSEC is the security protocol of VPN ( IPSEC does the encryption on VPN)
IPSEC works at the transport layer ( it’s another protocol like TCP, UDP ,IP )
IPSEC contains 4 categories :
1. Encryption protocols :
Encryption protocols are used to secure the data
The weaker the encryption the faster the connection and the less the
processing on the router
The stronger the encryption the more secure you are but there is more
overhead on the router
The Encryption protocols are DES ( weakest ) , 3DES, AES (strongest )
2. Authentication protocols :
Authentication protocols makes sure that data isn’t changed when its
transferred from one end to another ,authentication protocols stops man in
the middle attacks ( maybe some intruders will spoof the traffic ( send fake
traffic ) when we send traffic through VPN )
The Authentication protocols are : MD5 , SHA-1
3. Protection protocols :
When somebody sends traffic on the VPN connection it will be sent as
encrypted data ( scrambled ) , both ends of the VPN connection must have the
encryption /decryption keys to understand the encrypted data that was
transferred , both ends of the VPN connection must have the same encryption
keys to understand that encrypted traffic , protection protocols transfer those
encryption keys from one end to another without being attacked by man in
the middle attackers
The protection protocols are : DH1 ( deffi Hellman ) , DH2, DH5, DH7
4. Negotiation protocols
The negotiation protocols are : AH ( authentication header , this protocol
can’t do encryption ) , ESP (encapsulated security payload , this protocol can
do encryption , authentication and protection , ESP+AH
Negotiation protocols are the changer of IPSEC , if we want only to have
authentication protocols ( point 2 ) we use AH , if we want authentication ,

A CCNA Journey 98
protection and encryption protocols included in the IPSEC ( point 1,point 2

and point 3 ) we will use ESP and so on , in other words
rds using those protocols I
can specify what IPSEC category is included within IPSEC
The negotiation protocol gives the IPSEC a feature not to be replaced in future
because it customizes the IPSEC as much as we want
• Security over a public network :
VPN works orks based on encryption keys
Encryption key styles ( types ) :
1. Symmetric encryption :
Symmetric encryption uses the same key to encrypt and decrypt the data
The benefit of symmetric encryption is its fast
Examples on the symmetric encryption : DES,3DES and AES
The problem of this method is whenever the client connects to the VPN
the router creates an encryption key ( it’s called shared secret key ) and it
must send that created
reated encryption key all over the internet to the other
router to form the VPN iin a successful way
2. Asymmetric encryption :
Asymmetric encryption use two different types of encryption keys , public
and private keys ( anything encrypted by the public key can be decrypted
with the private key and anything encrypted by the private key canca be
decrypted by the public key )
VPN site to site type uses both symmetric and asymmetric keys : When the VPN is established
between 2 routers ,each
each router will have 2 keys one public sent to the other router and one
private kept in the router , R1 sends a DH public key from R1 to R2 (anything
anything encrypted with
this public key can’t be decrypt
decrypted except with the private key ) the private key is kept hidden
in R1 , R2 generates a symmetric secret key and encrypt it with the public key it received from
R1 , then it sends the encrypted shared secret key from R2 to R1 and then R1 decrypts the
encrypted shared secret key , the result R1 and R2 use the same shared secret key , once the
VPN is done the shared secret key is dropped and every time a new VPN session or new data
transfer will create a new symmetric keys ( all the above if R1 connects to R2 , if R2 connects
to R1 the same procedure applies )

A CCNA Journey 99
21. Wan connections: implementing PPP authentication (34:39 mins)

The physical connections : refer to page 41 for more information
The point to point leased line protocols : refer to page 41-43 for more information
• PPP authentication :
1. PAP ( password authentication protocol ) : this type is rarely used because the username
and password is sent in clear text
2. CHAP ( challenge handshake authentication protocol ) : this type doesn’t send the
password over the link , it only sends the username and the password is hashed using the
MD5 hash
• The difference between hashing and encryption :
Encryption uses a formula to encrypt data and this formula is the same one used to
decrypt the data
Hashing : the password we type on the 1st router enters a hashing algorithm , the
result from that algorithm is sent over the link , the password we type on the 2nd
router enters another hashing algorithm as well and the result will be compared
with the result received from the 1st router , if both results matched then the
routers are successfully authenticated , if not then they don’t form an
authentication relation
• Configuring PPP authentication :
1. Create a user account
2. Enable it
Enabling PPP and Configuring it for authentication :
Router1 (config) # username Router2 password Cisco this command is used to create a
Username and password on the router,
as you notice the username router2
must match the hostname of the 2nd
router (found in the below command
and that was configured using the
command router2 (config) #hostname
router2) and the password must match
on router1 and router2
Router2 (config) #username Router1 password Cisco this command and the above are used
To configure the PPP authentication
(point 1 in configuring PPP
authentication)
Router1 (config) #interface serial 0/0
Router1 ( config-if)# encapsulation PPP this command is used to enable the
PPP encapsulation on this specific
interface , note that this encapsulation
must be matched with the other end of

A CCNA Journey 100
the link , in case it didn’t match it will

show you if we run the command
router# show interface serial 0/0
physical up data link down
router (config-if) # PPP authentication chap this command is used to enable chap
PPP authentication type, we can use
instead the chap keyword the PAP
keyword to enable pap, if the
authentication type configured on this
router didn’t match with the other
router on the other side of the link
then once you run the command
router # show interfaces serial 0/0 it
will show LCP termsent instead of LCP
open (point 2 in configuring PPP
authentication)
Router# debug PPP authentication command is used to show the ppp authentication
establishing between the routers
22. Wan connections: understanding frame relay (28:42 mins)

Frame relay is a packet switching technology , more information can be found on page 41
• Frame relay terminology :
CIR ( committed information rate ) : this is the minimum bandwidth the ISP
guarantees you ( we pay for this bandwidth ) , if there is a bandwidth available we
can burst above the CIR
( the CIR is considered
as a logical speed )
LAR ( local access rate
) : this is physically
how fast that circuit
can go , as an example
if the physical
ysical cable
speed is 2Mbps and
the CIR is only 50Kbps
, the router will only
send based on CIR (
LAR is considered as a
physical speed )
LMI ( Local
management interface
) : the language you

A CCNA Journey 101
speak between the router and the service provider , it’s a sigsignaling
naling protocol that the
ISP uses to send you statistics on the line like giving you information about the status
, the relative quality of your transmission if its dropping packets or not , it can also be
used to send DLCI information
DLCI ( data link connection identifier ) : every site is identified by a DLCI and it’s the
equivalent of Mac addresses in Ethernet technology
PVC ( permanent virtual circuit ) : each PVC has its own CIR and has a recurring
monthly cost
• How DLCIs work :
1. DLCIs are locallyy significant ( you can have similar DLCI numbers in your design but you can
have the same DLCI number on the same interface in the same location
Example
2. it’s any number between 16 and 1024

A CCNA Journey 102
• frame relay PVC designs :

1. Hub and spoke design :
This design n is the most common design used because it’s cheap
The disadvantages of using this design :
a. You have a single point of
failure , if that links is down
everything will be down
b. There is a delay in this design :
the delay is how long it will
take a packet to arrive from
one place to another , we care
lately about delay issues
because there is a VOIP traffic
implemented newly in the
data networks

A CCNA Journey 103
2. Full mesh design :

every officece has a PVC with other
offices
the disadvantage of this design is its
costly ( very expensive )
3. partial mesh design :

critical sites only have full
connectivity to other offices (
not all routers have full
redundant links to all offices )
it’s a good compromise between
redundancy , performance and
cost
• frame relay interface configuration : it can be configured in 2 ways

1. multi point design :
all routers must be on the same subnet
multiple DLCI numbers are mapped to the multipoint interface
multipoint configuration causes problems with split horizon , to overcome this
issue we shutdown the split horizon mechanism

A CCNA Journey 104
2. point to point design

This is the best design to use
All routers must be on different subnets
This design doesn’t face any problem with split horizon
We create point to point sub interfaces for each peer ( one sub interface for each
DLCI )

A CCNA Journey 105
23. Wan connections: configuring frame relay (30:52 mins)

Multipoint configuration :
For R1
Router1 (config) # interface serial 0/1/0
Router1 (config –if) # ip address 192.168.1.1 255.255.255.0
Router1 (config-if) #no shutdown
Router1 (config-if) # encapsulation frame-relay this command is used to enable
frame
Relay on the interface
router1 (config-if) # frame-relay lmi-type Cisco this command is used to configure
which signaling to use between our
router and the ISP router , in modern
routers we don’t need to run this
command as they have the ability to
auto detect what signaling protocol is
running , we can specify instead of
the Cisco keyword ansi or q933a
signaling protocols
router1 (config-if) # frame-relay map ip 192.168.1.2 102 broadcast this command is used
for every neighbor we
have to connect to ( we
use this command to
connect PVCs together
and as we have 2
neighbors so we must
have 2 frame-relay map
commands ) , we specify
the remote ip address to
reach that network ( in

A CCNA Journey 106
our example 192.168.1.2 )

and we specify the local
DLCI ( in our example 102
) , the broadcast keyword
is used to send broadcast
addresses from this router
to the other routers
connected ( broadcast is
used with RIP
advertisements ,OSPF
advertisements and EIGRP
advertisements and by
default frame relay denies
those broadcasts , if this
wasn’t included the
routing protocols won’t
work ) , we can use
instead of the broadcast
keyword the IETF keyword
if the other router we are
communicating with isn’t
Cisco
router1 (config-if) # frame-relay map ip 192.168.1.3 103 broadcast
router1 (config-if) no ip split-horizon this command is used to disable the
split horizon on R1 as in multipoint
configuration we need to disable this
mechanism to avoid problems
For R2
Router2 (config) # interface serial 0/0
Router2 (config-if) # encapsulation frame-relay
Router2 (config-if) # frame-relay map ip 192.168.1.1 201 broadcast
Now R2 and R1 can ping each other
For R3
Router3 (config) # interface serial 0
Router3 (config-if) # frame-relay map ip 192.168.1.1 301 broadcast
Now R3 can ping R1 BUT it can’t ping R2 because that we add a frame relay map command on
R2 and R3 to reach each other , after adding the below commands R2 can be able to ping R3

A CCNA Journey 107
Router3 (config-if) # frame

frame-relay map ip 192.168.1.2 301 broadcast this allows R3 to reach
R2 through R1
Router3 (config-if) # frame
frame-relay map ip 192.168.1.3 201 broadcast this allows R2 to reach R3
Through R1
Point to point configuration :
For R1
Router1 (config)
config) # interface serial 0/1/0
Router1 (config-if) # encapsulation frame
frame-relay we don’t specify any command below
the physical interface as everything
must be mentioned below the sub
interfaces only
Router (config-if) # no shutdown once we enable the main interface all
the sub interfaces will be enabled as
well
Router (config-if) #exit
Router1 (config) # interface serial 0/1/0.102 point
point-to-point this command is used to configure
Point to point interface, we can
replace the point-to
to-point keyword
with the multipoint keyword
(default)
Router1 (config-subif) # ip address 192.168.1.1 255.255.255.0
Router1 (config-subif) # frame-relay
relay interface
interface-dlci 102 in multipoint configuration
configur we
needed to specify the frame really
MAP command and the broadcast
keyword plus we needed to disable
the split horizon , in point to point

A CCNA Journey 108
we only specify the local DLCI as this

command will enable the broadcast
by default and the routing protocols
will work fine ( in point to point we
don’t need to map for each
neighbor to reach all networks and
we don’t need to disable split
horizon )
router1 (config-fr-dlci) # exit
router1 (config-subif) #exit
Router1 (config) # interface serial 0/1/0.103 point-to-point
Router1 (config-subif) # frame-relay interface-dlci 103
For R2
Router2 (config) # interface serial 0/0.102 point-to-point
Router2 (config-fr-dlci) #interface serial 0/0
forR3
Router3 (config) # interface serial 0.103 point-to-point
Router3 (config-fr-dlci) #interface serial 0/0
• To verify frame relay configuration :
1. Router# show frame –relay map ( in short it can be written as router# sh frame map )
This command is used to show what frame relay maps do we have on the router (what
DLCI is mapped to what interfaces)
Example
Router# show frame –relay map
Serial 0/1/0 (up): IP 192.168.1.2 dlci 102(0x66, 0x1860), static, broadcast
Cisco, status defined, inactive
Notes about the above result :
The above result shows us that we can reach the IP 192.168.1.2 using the DLCI 102
Static means that the map has been statically entered by the admin
Broadcast shows us that we specified the broadcast keyword in the frame relay map
command

A CCNA Journey 109
Cisco means that the LMI type is Cisco and it must be matched with other routers
status defined , inactive means that this router is setup but the other router
connected on the other side isn’t configured till now , if its shows status defined ,
active then that means that both routers from both ends are configured and ready to
communicate , if it shows status deleted , inactive then that means the map we
configured on our router can’t be recognized by the ISP ( doesn’t exist )
2. router# show frame-relay LMI command is used to show if the data link connectivity was
down and the signaling protocols ( LMI types ) between your router and the ISP ( what we
care mostly in this command the num status enq.sent VS num status msgs received- they
must be approximately the same - , if there was an increase in num status enq.sent
related to num status timeout then there is a mismatch in LMI
3. router# show frame-relay pvc command is used to show every DLCI we have on our router
, the status and stats of that DLCI ( like how many packets has sent and how many
broadcasts are sent) and what interfaces it’s on
24. IPv6: understanding basic concepts and addressing (33:59 mins)

• IPv6 addressing :
1. Address size moved from 32 bits ( ipv4 ) to 128 bits ( ipv6) , it provides
340282366920938463463374607431770000000 addresses
2. To made addresses more manageable , its divided into 8 groups of 4 hex characters each
Example:
2001:0050:0000:0000:0000:0ab4:1e2b:98aa as you notice each group (as an example 98aa)
is a 4 hex character
• Rules of ipv6 addresses to manage :
1. Rule 1 : eliminate groups of consecutive zeros by using a double colon ( :: ) , but you can
use this rule only once per address
2. Rule 2 : drop leadings zeros
Example:
The original IPv6: 2001:0050:0000:0000:0000:0ab4:1e2b:98aa
Applying rule 1:2001:0050::0ab4:1e2b:98aa
Applying rule 2: 2001:50::ab4:1e2b:98aa
• Types of communication ( messages ) in IPv6 :
1. Unicast : this is a one to one communication type
2. Multicast : this is a one too many communication type
3. Anycast : this is a one to closet communication type , this type gives multiple devices the
same IP addresses
Examples on anycast type:

A CCNA Journey 110
1. As an example eBay company ha have

ve 3 servers for hosting its website and they were configured
for anycast address , one in china , the other in UK and one in US , if I was living in UK and I
wanted to access the eBay website I would be directed using the routing protocols to the
server located in UK ( the closet ) , if I was living in china and I wanted to access the eBay
website I would be directed using the routing protocols to the server located in china ( the
closet ) and so on
2.
NOTE: there is a page that describes the IPv6 header

In IPv6 there isn’t a broadcast type , all the communications done by broadcast is done now in
IPv6 using multicast
• Types of addresses in IPv6 :
1. Link-local
local scope address : this type of address is used to communicate in layer 2 domain (
used to communicate with devices on the same switch )
2. Unique/site –locallocal scope address : this type is used for organizations ( this type of address
is like the private
ate addresses in IPv4 )

A CCNA Journey 111
3. Global scope address : this type is used for internet ( this type of address is called internet
2 , those are public addresses ,with ipv6 every device in our network can have a global
scope address not like in IPv4 )
• Link local address :

This address is assigned automatically when the IPv6 host comes online , this address
is auto generated IF OR IF THERE ISNT a DHCP
This type is similar to 169.254.x.x addresses in IPv4 ( in IPv4 the 169.254.x.x address is
generated when
hen there isn’t any DHCP available but in IPv6 the link local address is
generated with or without the DHCP )
Every device has a link local address
This type of address always begin with ““FE80 “ ( first 10 bits : 1111(F)
(F)1110(E)10(1000
st
represents 8 ) followed
llowed by 54 bits of zeros ( 10+54 = 1 64 bits )
Last 64 bits is the 48 bit Mac address with “FFFE” squeezed in the middle
Link local address is only used if you are speaking with another device on the same
link ( same switch ) , the other types of ad
addresses
dresses are used to communicate us with
other devices connected in other subnets or on other switches/routers

A CCNA Journey 112
• Unique-local
local (RFC 4193 ) /site
/site-local (RFC 3513 ) addresses :
The new name of this type is called unique local address , it was known before as site
local address
This type is used within the enterprise networks to identify the boundary of their
networks
This type of addresses look like the private addresses in IPv
IPv4
Use the following format :
Currently , the site address begin with FD FD00::/8

00::/8 ( that means 1111 1101
110 , the (L) is 1 –
locally assigned - ) , what is showing in the picture above is FC00::/7 ( in case L =0 )
• Global addresses :
This is the new pool of addresses that will build IPv6 internet

A CCNA Journey 113
The 1st 3 bits ( high level bits ) are set to 001 ( 2000::/3 = 001xxxx…::/3 )
The primary addresses expected to comprise the IPv6 internet are from the 2001::/16
subnet ( this block is assigned to internet – to be public on internet - )
25. IPv6: configuring, routing and interoperating (23:36 mins)
Configuring IPv6
R1 (config) # ip routing this command is used to enable TCP/IP on
the router, in newer routers this is enabled
by default
R1 (config) # ipv6 unicast-routing
routing this command is used to turn on the IPv6
unicast routing (there is multicast routing and
anycast routing as well but in CCNA we are
only concerned about unicast routing
R1 (config) # interface fastethernet 00/0
R1 (config-if) # ipv6 address 1FE0:1111::1/32 this command is used to assign an IPv6
address
To this specific interface
R1 (config-if) #no
no shutdown
R1 (config) # interface serial 00/0
R1 (config-if) # ipv6 address 2001:210:10:1
2001:210:10:1:1/64

A CCNA Journey 114
R1 (config-if) #no shutdown

Router# ping ipv6 2001:210:10:1::1 command is used to verify connectivity by pinging a
specific ipv6 address
Router # show ipv6 interface brief command is used to verify the ipv6 addresses assigned to
the interfaces , it shows as well all the link local addresses ( the main benefit from knowing
the link local address is to derive the Mac address from it )
• Ipv6 routing protocols : in addition to static routing nearly every protocol has been updated to
support IPv6 :
RIPng ( RIP next generation )
OSPFv3
EIGRP for IPv6
IS-IS for IPv6
MP-BGP4 (Multiprotocol BGPv4) , BGP is a routing protocol for internet , this is
explained further in CCNP
Configuring RIPng from global configuration mode :
Router (config) # ipv6 router rip 1 this command is used to enable RIPng
on this
Router from global configuration mode, RIPng
uses a tag that identifies this rip process (in
our example number 1) and it could be any
number (this tag is only used to identify the
rip process
Router (config-rtr) # exit there is no need to run any network
Commands like the normal rip protocol
Configuring RIPng from interface mode :
Router (config) # interface fastethernet0/0
Router (config-if) # ipv6 rip 1 enable this command is used to enable RIPng
From The interface mode, in this
example it uses the TAG number
Router (config) # interface serial 0/0
Router (config-if) # ipv6 rip 1 enable
Router # show ipv6 rip command is used to show information about the RIPng process , it will
show you the multicast address group ( RIPng sends to a multicast group FF02::9 as there is no
broadcast in IPv6 )
Router# show ipv6 route command is used to show the IPv6 routing table ( the L icon means
it’s a link local address )
Router # traceroute ipv6 1Fe0:2222::1 command is used to trace an ipv6 address
• Migration mechanisms to IPv6 :
1. Dual-stack routers : we setup a router that supports both protocols IPv4 and IPv6

A CCNA Journey 115
2. Tunneling :
a. 6 to 4
b. 4 to 6

A CCNA Journey 116
3. NAT protocol translation ( NAT

NAT-PT)

CCNA Journey

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

CCNA Journey

Transféré par

Droits d'auteur :

Formats disponibles

A CCNA Journey 1

Cisco ccna/ccent interconnecting Cisco networking devices part 1

1. Welcome to Cisco ccent ( 35:26 mins )

2. Foundation : what is a network ( 35:32 mins )

Disclaimer: – This is an excerpt from CCIE journey

2. token ring topology : There is a token ring

3. star topology ( most used nowadays ) : It

Disclaimer: – This is an excerpt from CCIE journey

3. Foundations in the OSI world (43: 30 mins)

Disclaimer: – This is an excerpt from CCIE journey

address it happens in this layer )

Disclaimer: – This is an excerpt from CCIE journey

Data link layer It adds source and destination Mac

Mac address Mac address

4. basic TCP/IP : addressing fundamentals ( 39: 42 mins )

OSI model TCP/IP model (department of defense model) (DOD)

Disclaimer: – This is an excerpt from CCIE journey

If 10.1.1.10 wants to communicate with 10.1.1.11 it sends an address resolution protocol (

Disclaimer: – This is an excerpt from CCIE journey

• Default address classes :

5. Basic TCP/IP: TCP and UDP communication (23:20 mins)

Basic difference between TCP and UDP protocols :

Disclaimer: – This is an excerpt from CCIE journey

its sending doesn’t care if the packet arrives or not )

Disclaimer: – This is an excerpt from CCIE journey

6. Basic TCP/IP: understanding port numbers (17:17 mins)

Ports are used to separate different applications used on my computer ( as an example

Disclaimer: – This is an excerpt from CCIE journey

used for receiving emails

7. Basic TCP/IP: the tale of two packets (20:47 mins)

8. LANS: welcome to Ethernet (22:31 mins)

Disclaimer: – This is an excerpt from CCIE journey

• MAC addresses : the official explanation

9. LANS: understanding the physical connections (18: 17 mins)

Disclaimer: – This is an excerpt from CCIE journey

of CAT 5 is CAT5e than single mode as :

Like devices are :

10. LANS: understanding LAN switches (19: 46 mins)

Disclaimer: – This is an excerpt from CCIE journey

broadcast domain : how far a broadcast will travel before it stops

• what is the Cisco IOS :

Disclaimer: – This is an excerpt from CCIE journey

3. software that is consistent through nearly all Cisco devices

Disclaimer: – This is an excerpt from CCIE journey

12. LANS: initial setup of a Cisco switch (35:03 mins)

• Understanding the physical indicators on the switch ( the lights ) :

Disclaimer: – This is an excerpt from CCIE journey

Disclaimer: – This is an excerpt from CCIE journey

13. LANS: configuring switch security, part 1 (37: 08 mins)

Disclaimer: – This is an excerpt from CCIE journey

Disclaimer: – This is an excerpt from CCIE journey

1. switch ( config ) # username USERNAME password PASSWORD

14. LANS: configuring switch security, part 2 (19: 00 mins)

Disclaimer: – This is an excerpt from CCIE journey

Switch (config-if) # switchport port-security violation ?

Switch (config-if) # switchport port-security Mac-address ?

Disclaimer: – This is an excerpt from CCIE journey

Switchport port-security Mac-address sticky

15. LANS: optimizing and troubleshooting switches (31: 44 mins)

Disclaimer: – This is an excerpt from CCIE journey

half duplex is to send OR receive at one time

Disclaimer: – This is an excerpt from CCIE journey

After applying the command switch (config