
VPN (Virtual Private Network): uses the Internet to communicate between offices / home users

Cheaper than a leased line; traffic is encrypted and authenticated; supports many-to-many communication
Types of VPN:
1. Site-to-Site (L2L, LAN-to-LAN): direct replacement for leased/private lines
2. Remote access: the user appears to be connected in the office for as long as the VPN is up. SSL VPN / WebVPN installs a small VPN client for that session from a web page.

IPSec: the security protocol suite of VPNs; runs over IP and, like TCP/IP, is made up of many protocols:
1. Encryption: secures the data (DES, 3DES, AES), symmetric method. DES and 3DES are obsolete; use AES.
2. Authentication/integrity: makes sure the data is intact and unchanged over the network, using a hash (MD5, SHA-1). Both are weak today; prefer SHA-2 where the platform supports it.
3. Protection (key exchange): establishes the encryption key without ever sending it across the network, using Diffie-Hellman groups DH 1, 2, 5, 7 (larger group = larger prime = stronger).
4. Negotiation (IKE): the engine of IPSec; negotiates the algorithms and keys (the security associations) and re-keys them over time.

Type of Encryption:
Symmetric: uses the same shared key to encrypt and decrypt on both sides (sender/receiver); low processor overhead, e.g. DES, 3DES, AES
Asymmetric: uses a private key and a public key (Diffie-Hellman, RSA); high processor overhead
Asymmetric is used only to establish/protect the shared key; once it is shared, the router uses the shared (symmetric) key to encrypt data
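The "asymmetric step establishes the key, the symmetric step carries the data" idea above, worked through as an added Python example (not code from the notes). It uses a toy Diffie-Hellman group (the Mersenne prime 2**127 - 1 with generator 2, an assumption for readability; real IKE uses the RFC 2409 / RFC 3526 MODP groups) and a toy XOR keystream in place of AES, so only the shape of the exchange is realistic:

```python
import hashlib
import secrets

# Toy group parameters, an assumption for this demo and NOT a real IKE DH group:
# P is the Mersenne prime 2**127 - 1 and the generator is 2.  IKE uses the MODP
# groups of RFC 2409 / RFC 3526 (DH group 1, 2, 5, 14, ...) with 768-bit and
# larger primes; the arithmetic below is identical, only the numbers are small.
P = 2**127 - 1
G = 2


def dh_keypair():
    """Return (private, public).  The private exponent never leaves the box;
    only the public value is sent over the untrusted network."""
    priv = 2 + secrets.randbelow(P - 3)        # uniform in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared_secret(my_priv, peer_pub):
    """Both sides compute peer_pub ** my_priv mod P and get the same number."""
    if not 1 < peer_pub < P - 1:               # reject 0, 1 and P-1 (small-subgroup tricks)
        raise ValueError("bad peer public value")
    return pow(peer_pub, my_priv, P)


def derive_symmetric_key(shared_secret, length=16):
    """Hash the DH result down to a fixed-size symmetric key (AES-128 sized here)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()[:length]


def symmetric_xor(key, data):
    """Toy symmetric cipher (keystream = SHA-256 over key ||block counter), used
    only to show the symmetric step; a router uses AES here, never this."""
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def run_exchange(message=b"hello from site A"):
    """Full flow between routers A and B.  Returns what each side derived and
    what an eavesdropper on the WAN would have seen."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # The only things that cross the network: a_pub, b_pub and the ciphertext.
    key_a = derive_symmetric_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_symmetric_key(dh_shared_secret(b_priv, a_pub))
    ciphertext = symmetric_xor(key_a, message)      # A encrypts with its key
    decrypted = symmetric_xor(key_b, ciphertext)    # B decrypts with its own copy
    return {"key_a": key_a, "key_b": key_b, "decrypted": decrypted,
            "on_wire": (a_pub, b_pub, ciphertext)}


if __name__ == "__main__":
    r = run_exchange()
    print("keys match:", r["key_a"] == r["key_b"], "| decrypted:", r["decrypted"])
```

Note that bare Diffie-Hellman only protects against a passive listener; a man-in-the-middle can run one exchange with each side. That is why IKE authenticates the exchange with a pre-shared key or certificates before the IPSec keys are trusted.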
PPP / HDLC (leased-line protocols): the WAN "language"
On a WAN there is no MAC address (Frame Relay uses a DLCI instead); the data link layer changes to Frame Relay, ATM, PPP or HDLC and the physical layer changes to a serial link
PPP: industry standard, feature-rich (authentication, data compression, callback, multilink: combines the bandwidth of multiple serial links into one), moderate overhead
HDLC: Cisco's HDLC is proprietary, low overhead, no features
Types of PPP authentication:
1. PAP (Password Authentication Protocol): credentials are sent in clear text; not used nowadays
2. CHAP (Challenge Handshake Authentication Protocol): the password itself is never sent; the router answers a random challenge with an MD5 hash of (ID + password + challenge), so the password must be configured identically on both routers
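The CHAP exchange described above, written out as an added Python example (not code from the notes) so that both routers' messages are visible. The hostname "R2" and the password are constructed demo values:

```python
import hashlib
import secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The router that demands proof.  It holds the peers' passwords locally."""

    def __init__(self, peers):
        self.peers = peers                # {peer hostname: shared password}
        self.outstanding = {}             # identifier -> challenge still awaiting a reply

    def challenge(self, identifier):
        chal = secrets.token_bytes(16)    # fresh random value every time -> no replay
        self.outstanding[identifier] = chal
        return identifier, chal

    def verify(self, identifier, hostname, response):
        chal = self.outstanding.pop(identifier, None)   # one reply per challenge
        secret = self.peers.get(hostname)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return secrets.compare_digest(response, expected)


class Peer:
    """The router proving it knows the password; the password itself is never sent."""

    def __init__(self, hostname, secret):
        self.hostname, self.secret = hostname, secret

    def answer(self, identifier, challenge):
        return self.hostname, chap_response(identifier, self.secret, challenge)


def chap_exchange(authenticator, peer, identifier=1):
    """One 3-way CHAP: Challenge -> Response -> Success/Failure.
    Returns (success, bytes_on_wire) so the caller can confirm the password
    never appeared on the link, which is what PAP gets wrong."""
    ident, chal = authenticator.challenge(identifier)
    name, resp = peer.answer(ident, chal)
    on_wire = chal + name.encode() + resp
    return authenticator.verify(ident, name, resp), on_wire


if __name__ == "__main__":
    # Constructed demo values: hostname "R2" and password b"s3cret" are made up.
    auth = Authenticator({"R2": b"s3cret"})
    ok, wire = chap_exchange(auth, Peer("R2", b"s3cret"))
    print("authenticated:", ok, "| password on wire:", b"s3cret" in wire)
```

The caveat a pentester would raise: whoever captures a challenge and its response can run an offline dictionary attack against the MD5, so CHAP protects against sniffing, not against a weak password.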

FRAME RELAY: standardized WAN technology that specifies the physical and data link layers, using packet switching for cost-efficient transmission of intermittent traffic between LANs and between endpoints in WANs.

CIR: Committed Information Rate, the minimum bandwidth guaranteed for a connection (logical speed)
LAR: Local Access Rate, how fast the local connection can go (physical speed)
LMI: Local Management Interface, the signaling protocol spoken between the ISP switch and your router; announces DLCIs and their status
DLCI: Data Link Connection Identifier, locally significant, identifies a connection (virtual circuit)
PVC: Permanent Virtual Circuit; you can have a different PVC per region, so one serial connection can carry many connections
The DLCI is locally significant (it acts like a MAC address at the data link layer on the WAN): the receiving end knows which connection a frame belongs to
Frame Relay PVC design:
1. Hub and spoke: low cost, but a single point of failure and delay problems for VoIP
2. Full mesh: high cost, but the ideal design
3. Partial mesh: most commonly used; the important sites get a PVC to every other site

Frame Relay configuration (the user's responsibility to configure it):
1. Multipoint design: all routers on one subnet, multiple DLCIs mapped to one interface; causes problems with split horizon
2. Point-to-point design: every peer on its own subnet, one point-to-point sub-interface per peer; no problem with split horizon

Go to the serial interface: config-if)# encapsulation frame-relay (turns Frame Relay on; use "encapsulation frame-relay ietf" if the other end is not a Cisco router)
config-if)# frame-relay lmi-type <cisco/ansi/q933a> (only needed on older routers; newer IOS auto-senses it)
#show frame-relay lmi
config-if)# frame-relay map ip x.x.x.x <dlci 16-1007> broadcast (static mapping; the "broadcast" keyword is needed for routing protocols to work)
#show frame-relay map (check status: active / inactive (you are up, the other side is not) / deleted (DLCI not valid on the provider switch))
config)# interface s0/1/0.102 <point-to-point/multipoint> (sub-interface)
config-subif)# frame-relay interface-dlci <16-1007>
#show frame-relay pvc
*Once you bring up the physical interface, the logical sub-interfaces come up automatically

ACL
A list of permit and deny statements used to identify network traffic in either direction; used for access control, NAT, QoS, etc.
ACLs are read from top to bottom and the first match wins; there is an invisible implicit DENY ALL at the bottom; an ACL is applied inbound or outbound on an interface
Types of ACLs:
Standard: matches on source IP address only; light on the processor; numbers <1-99, 1300-1999>
Extended: matches on source/destination IP, port, protocol; heavier on the processor; numbers <100-199, 2000-2699>
Dynamic (lock-and-key): a username/password is set up to grant access to a specific user
Established (Reflexive): allows return traffic for sessions started from the inside
Time-based: the ACL is active only for a specific time window
Context-Based Access Control (CBAC): turns on the IOS firewall feature, which filters TCP/UDP packets based on application-layer protocol session information.

Configure a standard access list (mainly used to restrict telnet/ssh access):
config)# access-list <1-99> <deny/permit/remark> <x.x.x.x wildcard-bits | host x.x.x.x | any>
#show access-lists <number>

To apply an ACL on an interface, go to the interface (a standard ACL is placed close to the destination):
config-if)# ip access-group <number> <in/out>
To restrict VTY (telnet/ssh) access:
config-line)# access-class <number> <in/out>

Configure an extended list (filters on IP, TCP, UDP, ICMP (ping or echo)):
config)# access-list <100-199> <permit/deny> <ip/tcp/udp/icmp> <source> <destination> [eq <port>]
config)# access-list 150 permit tcp <source IP> <wildcard> any eq 80
To apply an ACL on an interface, go to the interface (an extended ACL is placed close to the source):
config-if)# ip access-group <number> <in/out>
NOTE: one ACL per interface, per direction, per protocol
config)# ip access-list extended <word> (named access list)
config-ext-nacl)# permit/deny ... (no need to type access-list before each line)

Reflexive ACL / established keyword:
config)# ip access-list extended <word>
config-ext-nacl)# permit tcp any any established (then apply it to the interface)
Caveat: "established" only checks that the ACK or RST bit is set, which an attacker can set on any packet they craft, and it does nothing for UDP. A true reflexive ACL uses the "reflect" keyword on the outbound list and "evaluate" on the inbound list, so that temporary entries are created only from real outbound sessions.
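To make the matching rules concrete (top to bottom, first match, wildcard masks, the implicit deny, and what "established" really tests), here is an added Python evaluator for extended ACL lines; it is not part of the notes and the sample ACL and packets are constructed:

```python
import ipaddress

# Constructed sample extended ACL in IOS syntax (addresses and numbers are made up).
ACL_150 = """
access-list 150 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 150 permit tcp any 10.1.1.0 0.0.0.255 established
access-list 150 deny   udp any any eq 69
access-list 150 permit ip 10.1.1.0 0.0.0.255 any
"""


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: bit 0 = must match, bit 1 = don't care
    (the inverse of a subnet mask: 0.0.0.255 == /24)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _address_spec(tokens):
    """Consume one address spec ('any' | 'host X' | 'X WILDCARD') from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [established]' lines."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list":
            continue
        entry = {"action": toks[2], "proto": toks[3], "dport": None, "established": False}
        rest = toks[4:]
        entry["src"] = _address_spec(rest)
        entry["dst"] = _address_spec(rest)
        while rest:
            opt = rest.pop(0)
            if opt == "eq":
                entry["dport"] = int(rest.pop(0))
            elif opt == "established":
                entry["established"] = True
        entries.append(entry)
    return entries


def evaluate(entries, pkt):
    """Top to bottom, first match wins, invisible 'deny ip any any' at the end.
    Returns (action, index of the matching line or None for the implicit deny)."""
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *e["src"]) or not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if e["dport"] is not None and e["dport"] != pkt.get("dport"):
            continue
        # 'established' only looks at the ACK/RST bits; nothing checks a real session exists
        if e["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
            continue
        return e["action"], i
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_150)
    inside_to_web = {"src": "10.1.1.5", "dst": "203.0.113.9", "proto": "tcp", "dport": 80}
    forged_reply = {"src": "203.0.113.9", "dst": "10.1.1.5", "proto": "tcp",
                    "dport": 22, "flags": {"ACK"}}      # no session, but ACK set
    print(evaluate(acl, inside_to_web), evaluate(acl, forged_reply))
```

The forged packet in the demo is the point: a crafted segment with ACK set to port 22 is permitted by line 1 even though nobody inside opened a session, which is why "established" is not a stateful firewall.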
NAT: Network Address Translation

Dynamic NAT: one-to-one translation from a pool of public addresses (also used for overlapping networks, together with DNS)
NAT overload / PAT: allows many internal hosts to share the same public address by using port numbers (0-65535); many inside addresses to one outside address
Static NAT: for hosting internal servers on your network; combined with PAT it maps a single server port for access from outside

Configuring NAT (overload):
**config)# ip name-server x.x.x.x and then turn on ip domain-lookup (then you can ping www.google.com)
Label the interfaces: config-if)# ip nat inside / ip nat outside
Configure the ACL of addresses to translate: config)# ip access-list standard NAT_ADDRESSES
config-std-nacl)# permit/deny <networks>
Enable NAT: config)# ip nat inside source list <ACL> interface fa0/0 overload
#show ip nat translations

Static NAT (no ACL needed):
config)# ip nat inside source static <inside local IP address> <inside global IP address>
Static NAT with overload (port forwarding):
config)# ip nat inside source static tcp <inside local IP address> <port, e.g. 80> interface fa0/0 <port, e.g. 80>
Dynamic NAT with overload:
config)# ip nat pool <word> <start IP> <end IP> netmask <x.x.x.x> (create a pool)
config)# ip nat inside source list <ACL> pool <word> overload
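An added Python simulation (not code from the notes) of what the overload and static-port commands above make the router do with its translation table: outbound packets from the ACL-permitted range get a new source port, replies are mapped back, and unsolicited inbound packets are dropped because no row matches. Addresses are constructed from the documentation ranges:

```python
import ipaddress
import itertools


class PatRouter:
    """NAT overload / PAT: many inside-local addresses share one inside-global
    address.  The router rewrites the source port on the way out and remembers
    the mapping so the reply can be rewritten on the way back in."""

    def __init__(self, inside_global, inside_acl, first_port=1024):
        self.inside_global = inside_global
        self.inside_net = ipaddress.ip_network(inside_acl)   # the 'ip nat inside source list' ACL
        self.next_port = itertools.count(first_port)
        self.table = {}      # (proto, inside_local, local_port) -> global_port
        self.reverse = {}    # (proto, global_port) -> (inside_local, local_port)

    def add_static(self, proto, inside_local, local_port, global_port):
        """'ip nat inside source static tcp <local> <port> interface <if> <port>'."""
        self.table[(proto, inside_local, local_port)] = global_port
        self.reverse[(proto, global_port)] = (inside_local, local_port)

    def outbound(self, pkt):
        """Packet leaving the inside interface: rewrite src if the ACL permits it."""
        proto, src_ip, src_port = pkt["proto"], pkt["src"], pkt["sport"]
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return dict(pkt)                      # ACL miss: forwarded untranslated
        key = (proto, src_ip, src_port)
        if key not in self.table:                 # new flow: allocate a free global port
            gport = next(self.next_port)
            while (proto, gport) in self.reverse:
                gport = next(self.next_port)
            self.table[key] = gport
            self.reverse[(proto, gport)] = (src_ip, src_port)
        out = dict(pkt)
        out["src"], out["sport"] = self.inside_global, self.table[key]
        return out

    def inbound(self, pkt):
        """Packet arriving on the outside interface: only a known translation gets
        in; an unsolicited packet has nobody inside to deliver to and is dropped."""
        entry = self.reverse.get((pkt["proto"], pkt["dport"]))
        if entry is None:
            return None
        out = dict(pkt)
        out["dst"], out["dport"] = entry
        return out

    def translations(self):
        """Rows in the shape of 'show ip nat translations'."""
        return [(p, f"{self.inside_global}:{gp}", f"{ip}:{lp}")
                for (p, ip, lp), gp in self.table.items()]


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not from any real network.
    r = PatRouter("203.0.113.1", "192.168.1.0/24")
    r.add_static("tcp", "192.168.1.20", 80, 80)           # published web server
    out = r.outbound({"proto": "tcp", "src": "192.168.1.10", "sport": 5000,
                      "dst": "198.51.100.5", "dport": 80})
    print(out, r.translations())
```

The static row is the only way in from outside; everything else is reachable solely while an inside host has an entry open, which is the incidental "firewall" effect of PAT and the reason exposed services need an explicit static mapping.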
Distance Vector (RIP)             Link State (OSPF)
Easy to configure                 More knowledge required to configure
Not many features                 Lots of features
Loops possible                    No loops

Hybrid: best of both worlds but proprietary (easy to configure and still has lots of features), e.g. EIGRP

Distance vector routing protocols send the entire routing table at a fixed interval

They have looping issues; loop prevention mechanisms:
1. Maximum distance: 16 hops in the case of RIP; at 16 hops a route is declared unreachable/down
2. Route poisoning: combined with the maximum; the failed network is advertised with the maximum distance so that everyone marks it unreachable
3. Triggered updates: combined with both of the above; the change is sent immediately instead of waiting for the update timer, telling the neighbors that the network is down
4. Split horizon: never send a route back out the interface it was learned on
5. Hold-down timers: ignore worse updates about a route for x seconds after it goes down (stops a flapping interface from churning the tables)
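The count-to-infinity problem and two of the fixes above (maximum distance, route poisoning and split horizon), as an added Python simulation; it is not code from the notes, and the three-router line A-B-C with a constructed network on A is an assumption for the demo:

```python
INFINITY = 16   # RIP: 16 hops means unreachable


class Router:
    def __init__(self, name):
        self.name, self.neighbors, self.table = name, [], {}   # table: dest -> (metric, via)

    def connect(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def add_connected(self, network):
        self.table[network] = (0, None)          # directly connected, no next hop

    def poison(self, network):
        self.table[network] = (INFINITY, None)   # route poisoning: keep it, advertise as unreachable

    def update_for(self, nbr, split_horizon):
        """The periodic update this router sends to one neighbor: its whole table,
        minus (with split horizon) routes learned from that very neighbor."""
        return {dest: metric for dest, (metric, via) in self.table.items()
                if not (split_horizon and via is nbr)}

    def receive(self, nbr, update):
        """Bellman-Ford step: adopt a route if it is better, or if it comes from the
        neighbor we already use (we must believe worse news from the current next hop)."""
        for dest, metric in update.items():
            new_metric = min(metric + 1, INFINITY)
            current = self.table.get(dest)
            if current is None or new_metric < current[0] or current[1] is nbr:
                self.table[dest] = (new_metric, nbr)


def exchange(routers, split_horizon):
    """One synchronous update interval: everyone builds updates from the table it
    has now, then everyone processes what it received."""
    updates = [(r, n, r.update_for(n, split_horizon)) for r in routers for n in r.neighbors]
    for sender, receiver, update in updates:
        receiver.receive(sender, update)


def simulate(split_horizon, max_rounds=40):
    """A -- B -- C in a line with network NET on A.  NET goes down and is poisoned.
    Returns (rounds until every router shows NET unreachable, per-round metrics)."""
    net = "10.0.0.0/24"                          # constructed network for the demo
    a, b, c = Router("A"), Router("B"), Router("C")
    a.connect(b)
    b.connect(c)
    routers = [a, b, c]
    a.add_connected(net)
    for _ in range(3):                           # initial convergence
        exchange(routers, split_horizon)
    assert c.table[net] == (2, b)
    a.poison(net)                                # the LAN on A fails
    history = []
    for rnd in range(1, max_rounds + 1):
        exchange(routers, split_horizon)
        metrics = tuple(r.table[net][0] for r in routers)
        history.append(metrics)
        if all(m == INFINITY for m in metrics):
            return rnd, history
    return None, history


if __name__ == "__main__":
    for sh in (False, True):
        rounds, hist = simulate(split_horizon=sh)
        print(f"split horizon={sh}: converged after {rounds} rounds; metrics per round: {hist}")
```

Without split horizon, B re-learns the dead network from C and the metric creeps up by one every update interval until it hits 16 (with 30-second RIP updates that is minutes of black-holed traffic); with split horizon the poisoned route reaches C in two intervals. Triggered updates shorten the interval, hold-down timers stop the re-learning, which is why all five are used together.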

Link state routing protocols form neighbor relationships instead of broadcasting; after the initial exchange of the topology (the link-state database), routers send only small event-based updates (LSAs) and keep the neighbor relationship alive with HELLO packets
Advantages of link state routing protocols          Disadvantages of link state routing protocols
No looping issue                                    Heavy on the router processor
Much faster to converge (finds and fixes            Requires a solid network design
  problems faster)
Forces you to design the network correctly          Technical complexity

OSPF (Open Shortest Path First)

Note: larger routing table = slower router, so we use route summarization to keep the routing table small
Area design & terms in OSPF:
An area is a group of routers sharing the same link-state information.
All areas must connect to Area 0 (recommended size: about 50 routers per area)
ABR: Area Border Router: connects two areas and is the only place where summarization between areas happens; needs more processing power
Areas localize updates within the area and require a hierarchical design
All routers in an area have the same topology table but a different routing table
ASBR: Autonomous System Boundary Router: connects to a completely different routing domain or the Internet

OSPF Neighbor Relationship

HELLO messages are sent on the chosen interfaces
Once every 10 seconds on broadcast and point-to-point networks, once every 30 seconds on NBMA networks
They contain all sorts of information:
1. Router ID: the name of the OSPF router (written like an IP address)
2. Hello and Dead timers*: how often they say HELLO and how long without a HELLO before they believe the router is down (dead = 4 x hello by default)
3. Network mask*; Area ID*; Neighbors; Router priority; DR/BDR IP address; Authentication password*
(* must match on both sides for the neighbor relationship to form)

OSPF Configuration:
config)# router ospf <process ID> (the process ID does not have to be the same on all routers)
config-router)# network x.x.x.x 0.0.0.255 area 0 (Area 0 is to be configured first)
config-router)# default-information originate (also sends the default route to the other routers)
config-router)# area 1 range <network x.x.x.x> <subnet mask> (summarizes area 1 on the ABR)
#show ip ospf neighbor (shows the neighbors with which the routing protocol is running)
#show ip protocols (shows running routing protocol information)
#show ip route (shows all networks the routing protocol knows about)
To create a loopback interface: config)# interface loopback 0
ROUTER ID: the name of the router; identifies the router to its OSPF neighbors
*Highest IP address on an active physical interface at startup < highest IP address on a loopback interface beats physical < the router-id command beats all
New router ID command: config-router)# router-id x.x.x.x (OSPF must be restarted to apply it: #clear ip ospf process)
OSPF Troubleshooting:
#show ip ospf neighbor (check the criteria below if neighbors are not forming)
*Hello and Dead timers, network mask, Area ID and authentication password should be the same on both sides
EIGRP (Enhanced Interior Gateway Routing Protocol)
Why use EIGRP over OSPF:
1. Keeps backup routes (feasible successors), which gives fast convergence (DUAL: Diffusing Update Algorithm)
2. Easy to configure
3. Flexible summarization; you can summarize anywhere you want
4. Unequal-cost load balancing (using variance)
5. Combines the best of distance vector and link state

EIGRP Tables & Terminology: a router running EIGRP maintains 3 tables:
1. Neighbor table
2. Topology table (feasible successor = backup route)
3. Routing table (successor = primary route)

Configuring EIGRP:
config)# router eigrp <autonomous system number> (the AS number must be the same on all routers)
config-router)# network x.x.x.x 0.0.0.255
#show ip eigrp neighbors (Hold: how long to wait without hellos before declaring the neighbor dead; default 15 seconds, with a 5-second hello, on LAN links. SRTT: Smooth Round Trip Time. RTO: how long to wait for an acknowledgement before retransmitting)
config-router)# no auto-summary (use for classless networks) (Note: auto-summary only works for contiguous networks)
Go to the interface where you want to send the summary: config-if)# ip summary-address eigrp <autonomous system number> <IP address> <subnet mask>
Static Routing: static routing is where we as administrators tell the router where to forward packets (manually managed)
Purpose of a router: to stop broadcasts and move packets from one network to another; the router uses its routing table to see where to forward packets.
config)# ip route <destination network> <destination subnet mask> <next-hop/forwarding router's address>

Use of static routing: configuring a default route that tells the router where to send anything it does not otherwise know how to reach:
config)# ip route 0.0.0.0 0.0.0.0 <ISP address> (the gateway of last resort is the ISP address)
config)# ip name-server 4.2.2.2 (use a DNS server to resolve names; you can then ping a domain instead of an IP)
Dynamic Routing (routing protocols): tells your neighbors what you know (networks) and builds paths automatically.

RIP (Routing Information Protocol)

RIPv1                       RIPv2
Classful version            Classless version
No VLSM                     Supports VLSM
No authentication           Adds authentication
Uses broadcast              Uses multicast (224.0.0.9)

Note: RIP has administrative distance 120 (how believable a route source is) and uses hop count as its metric (how far away that network is)
Configuring RIP version 2: config)# router rip
config-router)# version 2
config-router)# network <X.X.X.X>
#show ip route (shows all known networks)
config-router)# no auto-summary (turns on the classless behaviour)
TELNET, SSH & CDP (Note: ping the router before you telnet/ssh)
Managing Telnet & SSH sessions:
#<CTRL+SHIFT+6> then X suspends a telnet/ssh session
#show sessions: shows open sessions from your router
#disconnect <connection no.>: kills one of your open telnet sessions
#show users: shows open sessions to your router
#clear line <X>: kills an open session to your router

Cisco Discovery Protocol (CDP) (proprietary): lets you see information about directly connected Cisco devices like routers and switches; useful to build an accurate network design
#show cdp neighbors (shows neighbor info like device ID, local interface, platform/model, port ID)
#show cdp entry <name of cdp neighbor | *> (same as show cdp neighbors detail): full information about a neighbor, including its IP address and IOS version
config-if)# no cdp enable (disables CDP on a specific interface; do this on ports facing untrusted devices, since CDP hands that detail to anyone listening)
config)# no cdp run (disables CDP on the whole router)
File Management: the COPY command lets us move files between components like:
RAM (running-config): very fast, kept only while the router/switch is running
NVRAM (startup-config): slow, stored permanently; Flash (stores the IOS); TFTP server (UDP 69)
#copy running-config startup-config
#copy running-config tftp://<address/name of remote host>/<destination filename>
#copy flash:<filename> tftp://<address/name of remote host>/<destination filename>
When you copy from TFTP to running-config, the two configs are merged
When you copy from TFTP to startup-config, it replaces what is in NVRAM (reboot to apply the changes)
config)# boot system <flash/tftp> ...: lets you boot from TFTP (in case an IOS update fails)
VLANs & Trunks:
What VLANs are used for:
1. Logically grouping users, segmenting broadcast domains, subnet correlation (VLAN = broadcast domain = subnet)
2. Access control; quality of service: prioritize traffic like Cisco IP phones

Normal switching: one subnet per LAN, limited access control, broadcasts sent to all ports, one collision domain per port
Flexibility of VLANs / why use VLANs?
- Segmentation of users without routers; no longer limited to physical location (scalability); tighter control of broadcasts

TRUNKS (layer 2 feature) & VTP (Cisco proprietary)

Trunking (tagging): passes multi-VLAN information between switches by placing VLAN information into each frame.
The trunking protocol 802.1Q is the industry standard; it inserts a 4-byte tag (3-bit priority + 1-bit DEI/CFI + 12-bit VLAN ID)
Native VLAN: frames that arrive on the trunk untagged go to the native VLAN. A Cisco IP phone relies on the same idea: it tags its own voice traffic with the voice VLAN and passes the attached PC's frames untagged
(Native VLAN mismatch: the two ends of a trunk are set to different native VLANs)
VTP: VLAN Trunking Protocol (really a VLAN replication protocol): replicates/sends or receives the VLAN database on all switches in the domain, based on a revision number. Caveat: the highest revision number wins, so a second-hand switch with a higher revision in the same domain (and password) overwrites the VLAN database of the whole domain; reset its revision (change the domain name or set transparent mode) before connecting it.
VTP Modes:
1. Server (default mode): modify VLANs, save VLAN config, sends/receives VLAN updates
2. Client: sends/receives VLAN updates, cannot change/save VLAN config
3. Transparent: can change/save VLAN config, forwards VTP updates, does not listen to VTP advertisements

VLAN pruning: keeps unnecessary broadcast traffic from crossing trunk links (only configurable on a VTP server)
Configuring VLANs & VTP: (VLAN IDs 1-4094 are usable; 0 and 4095 are reserved)
(*Note: VLAN 1 is used for switch management, like configuring from remote)
#show vlan (shows all VLAN info)
#show running-config interface fast <> (shows the specific interface's switchport mode)
Switchport modes:
Dynamic desirable: becomes either access or trunk depending on what device is connected on the other end
Access (for end devices like PCs, servers) & trunk mode (for switches)

1. Configure trunk mode: go to the interface: config-if)# switchport mode <access/trunk/dynamic desirable/dynamic auto>
(If the switch is old or the above command gives an error: config-if)# switchport trunk encapsulation dot1q)
Set the rest of the access ports once you have set the trunk port: config)# interface range fast <X> - <Y> (X,Y = 0-24)
config-if-range)# switchport mode access
2. Configure VTP
a. Domain name: config)# vtp domain <word> (the first time, you just need to set it on one switch and it will pass to the others)
b. Password: config)# vtp password <word>
c. Mode: config)# vtp mode <client/server/transparent>
#show vtp status (shows VTP info like VTP version, mode, revision number, pruning mode, number of VLANs)
(*Note: VLANs 1002-1005 are reserved by default for other media types like Token Ring and FDDI)
3. Configure VLANs: config)# vlan <number> (number = 1-4094; only works in server or transparent mode)
config-vlan)# name <word> (VLAN name)
#show interfaces fast <X> switchport (X = interface number; shows administrative/operational mode)
config)# vtp pruning (turns on pruning)
#show interfaces trunk
4. Assign ports to VLANs: go to the interface: config-if)# switchport access vlan <X> (VLAN number)

Routing between VLANs: 3 methods
1. A separate router port per VLAN: no longer used, because we run short of interfaces
2. Router-on-a-stick: set up a trunk between the router and the switch and use sub-interfaces (needs at least a FastEthernet interface)
Create sub-interfaces: config)# interface fastethernet 0/0.<X> (X = 0-4294967295)
Tell it which VLAN's tags to accept: config-subif)# encapsulation dot1q <vlan number>, then assign an IP address
Configure the trunk link between the switch and the router
3. Layer 3 switching: a router inside the switch, using the virtual interface (SVI) concept
Create the VLAN interface: config)# interface vlan <X>
Assign an IP address: config-if)# ip address x.x.x.x x.x.x.x
config)# ip routing (turns on routing capability on the switch)

STP: Spanning Tree Protocol (802.1D), industry standard: a network protocol that ensures a loop-free topology for any bridged Ethernet local area network.
EtherChannel: provides more bandwidth on key links; redundant links eliminate single points of failure
STP prevents loops by finding the best path to reach the root bridge and then blocking all redundant links
BPDU: Bridge Protocol Data Units: switches send these probes into the network to discover loops and to elect the core switch of the network, called the Root Bridge

Port types: three types of port
Root port: used to reach the Root Bridge (Root)
Designated port: forwarding port, one per link (Desg)
Blocked/non-designated port (Altn)

How STP finds the best path:
1. Elect the root
How the Root Bridge is elected: based on the Bridge ID, which is the combination of priority (default 32768) and MAC address (the lower the value, the greater the chance of becoming Root Bridge). Since every switch defaults to 32768, the lowest MAC address (usually the oldest switch) wins unless we set the priority ourselves and decide which one should be Root
2. Each switch finds the lowest-cost path to the root
Link bandwidth    Cost
10 Mbps           100
100 Mbps          19
1 Gbps            4
10 Gbps           2

Configuring STP: #show spanning-tree (shows root ID, bridge ID and running STP info)
config)# spanning-tree vlan 1 root <primary (to make it the root bridge) / secondary (to make it the backup)>
config)# spanning-tree vlan 1 priority <0-61440> (in increments of 4096)
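The root election and the least-cost-path step above, as an added Python example (not code from the notes). The three switches, their MAC addresses and the triangle of links are constructed; the cost table is the one in the notes:

```python
import heapq

# 802.1D port costs from the notes (Mbps -> cost)
STP_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """Bridge ID compares priority first, then MAC as the tie-breaker; lower wins."""
    return (priority, mac.lower())


def elect_root(switches):
    """switches: {name: (priority, mac)}.  The lowest bridge ID becomes root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def spanning_tree(switches, links):
    """Dijkstra from the root.  links: [(sw_a, sw_b, mbps), ...].
    Returns (root, {switch: (root path cost, upstream switch)}); the upstream
    switch is the one on the other end of that switch's root port.
    Tie-break order is STP's own: lowest root path cost, then lowest sender bridge ID."""
    root = elect_root(switches)
    graph = {name: [] for name in switches}
    for sw_a, sw_b, mbps in links:
        graph[sw_a].append((sw_b, STP_COST[mbps]))
        graph[sw_b].append((sw_a, STP_COST[mbps]))
    best = {root: (0, bridge_id(*switches[root]), None)}
    heap = [(0, bridge_id(*switches[root]), root)]
    while heap:
        cost, _, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, link_cost in graph[node]:
            candidate = (cost + link_cost, bridge_id(*switches[node]), node)
            if nbr not in best or candidate < best[nbr]:
                best[nbr] = candidate
                heapq.heappush(heap, (candidate[0], candidate[1], nbr))
    return root, {name: (entry[0], entry[2]) for name, entry in best.items()}


def demo(overrides=None):
    """Three constructed switches, all at the default priority 32768, in a triangle."""
    switches = {
        "SW1": (32768, "00:1a:2b:3c:4d:5e"),
        "SW2": (32768, "00:00:0c:11:22:33"),   # lowest MAC: wins by default (an old switch)
        "SW3": (32768, "00:1a:2b:aa:bb:cc"),
    }
    switches.update(overrides or {})
    links = [("SW1", "SW2", 1000), ("SW2", "SW3", 100), ("SW1", "SW3", 100)]
    return spanning_tree(switches, links)


if __name__ == "__main__":
    print(demo())                                          # SW2 wins on MAC alone
    print(demo({"SW1": (24576, "00:1a:2b:3c:4d:5e")}))     # 'spanning-tree vlan 1 root primary'
    print(demo({"SW3": (0, "de:ad:be:ef:00:01")}))         # rogue switch at priority 0
```

The third call is the security point: any device that sends BPDUs with priority 0 becomes root and pulls all traffic through itself. Set the root deliberately, and use BPDU guard on access ports (and root guard on uplinks that must never lead to the root) so a rogue cannot win the election.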
STP goes through the following port states/transitions:
Blocking: 20 seconds (max age) of waiting before moving into listening; receives BPDUs only
Listening: 15 seconds (forward delay); sends/receives BPDUs to discover loops
Learning: 15 seconds; learns MAC addresses and populates the switch CAM table
Forwarding: the port is forwarding traffic
Problem 1: modern PCs boot faster than 30 seconds
Solution: PortFast (the port skips listening and learning and goes straight to forwarding; apply it only on access ports, because STP still runs but a loop plugged into that port is forwarded immediately): config-if)# spanning-tree portfast
Problem 2: 30-50 seconds of downtime is a big problem on uplink ports (switch-to-switch links)
Solution: Rapid Spanning Tree
PVST+: Per-VLAN Spanning Tree
Runs one instance of STP per VLAN, which allows a different root bridge per VLAN.
config)# spanning-tree vlan 1,2,10 root primary (make it the root bridge for all those VLANs)
Rapid Spanning Tree (802.1w):
Keeps a pre-computed backup (alternate) path to the root so it fails over without waiting for the timers; backward compatible with STP, and recommended everywhere
PORT TYPES:
Root port: to reach the root bridge
Designated port: forwarding port, one per link
Alternate port: discarding port, backup path to the root
Configuring RSTP:
config)# spanning-tree mode <pvst/rapid-pvst> (by default Cisco switches run PVST+)
config-if)# spanning-tree portfast (enable on ports with a single end device connected)
Troubleshooting & securing switches: absolutely have an accurate network diagram and work logically bottom-up through the OSI layers
Common troubleshooting issues:
1. Port issue (light turns amber)
- Check for cabling issues
- Verify speed and duplex auto-negotiation
- Check that the assigned VLAN has not been deleted
2. Spanning tree issue (lights blinking like crazy) (STP works fine up to a diameter of 7 switches)
- Immediate solution: disconnect redundant links
- Ensure all links are reflected on the network diagram
- Ensure the root bridge selection is appropriate
- Make sure all switches are running RSTP
3. VLAN and trunking issues
- Native VLAN mismatch: configure the same native VLAN on both ends
- Hard-code trunk/access ports instead of relying on negotiation
- Verify IP address assignment in the VLAN
- Use ping/traceroute to diagnose routing issues
4. VTP issues
- Verify trunks
- Verify VTP info like domain name, password, version, modes
- Last resort: #delete flash:vlan.dat (and reload)
Switch security checklist:
Physical security; set passwords and logon banners; disable the web server (config)# no ip http server) so that no one can access the switch through the web interface
Limit remote access to a management subnet using ACLs (access-class on the VTY lines); use SSH instead of telnet wherever possible
Configure logging: config)# logging buffered <size>; limit CDP to trusted ports
Use BPDU guard on PortFast ports so that a switch plugged into an access port cannot take part in spanning tree: config-if)# spanning-tree bpduguard enable (or globally for all PortFast ports: config)# spanning-tree portfast bpduguard default)

Wireless Networking:
Types of wireless networks:
Personal Area Network (PAN): e.g. Bluetooth, wireless mouse; a few feet of radius
LAN: e.g. an access point
Metropolitan Area Network (MAN): point-to-point bridges
Wide Area Network (WAN): e.g. cellular technology

A Wireless Access Point (WAP) communicates like a hub: shared signal and half duplex
a. Uses unlicensed bands of radio frequency (RF); wireless is a physical & data link layer standard
b. Uses CSMA/CA instead of CSMA/CD; faces connectivity issues because of interference

Unlicensed frequencies (the lower the frequency, the further the range and the lower the bandwidth):
a. 900 MHz range
b. 2.4 GHz range
c. 5 GHz range

RF waves are absorbed (by walls) and reflected (by metal)
Higher data rates = higher frequencies = shorter ranges, and vice versa
802.11 is the standard for wireless networks (Ethernet is 802.3)

Organizations that manage/control the wireless world:
1. International Telecommunication Union Radiocommunication Sector (ITU-R): regulates/controls the RF used for wireless transmission
2. Institute of Electrical and Electronics Engineers (IEEE): maintains the 802.11 wireless standards (802.11a, b, g, n)
3. Wi-Fi Alliance: certifies interoperability between 802.11 wireless vendors
Wireless Security: the following can be used
Authentication: username/password to allow only specific users onto the wireless network
Encryption: data sent/received over wireless is encrypted
Intrusion Prevention System (IPS): detects rogue access points/wireless networks and then shuts them down or notifies you

Encryption & authentication combinations:
1. Pre-shared key WEP (pre-shared: the same key is used by all users). WEP's RC4 keying is broken and the key can be recovered from captured traffic in minutes; never use it
2. Pre-shared key WPA (TKIP); TKIP is also deprecated
3. WPA with 802.1X authentication (username/password is stored on a RADIUS server; when the user logs in, a per-session encryption key is generated)
4. WPA2 (802.11i) uses AES encryption, with 802.1X authentication (PSK is still supported; with PSK the whole network shares one secret, so use a long passphrase or move to 802.1X)

Service Set Identifier (SSID): uniquely identifies and separates wireless networks (the name of the wireless network); an AP can have many SSIDs, like private and public
When a wireless client is enabled:
1. The client issues/sends a probe
2. The AP responds with a beacon (with its SSID info)
3. The client associates with the chosen SSID
4. The AP adds the client's MAC to its association table

If the client moves to another location and the connection gets weak, the client sends a probe again and the nearest AP responds and associates it
RF service areas should have 10-15% overlap, repeaters should have 50% overlap, and bordering APs should use different channels.
BSS (Basic Service Set): a single access point and the area it covers
ESS (Extended Service Set): two or more BSSs and the area they cover
Roaming: moving from one BSS to another

Setting up a wireless network:
- Pre-test the switch port with a laptop (DHCP, DNS, etc.)
- Connect the WAP
- Set up and test the SSID with no security
- Add and test security (pre-shared key)
- Add and test authentication (802.1X)

OSI (Open Systems Interconnection): a hierarchical model that breaks network functions down into layers

IP address format: X.X.X.X where X = 0-255; 32 bits, 4 bytes
Subnet mask: tells what portion of the IP represents the network and what portion the host
IP address classes:
1. Class A: 1-126, 255.0.0.0
2. Class B: 128-191, 255.255.0.0
3. Class C: 192-223, 255.255.255.0
4. Class D: 224-239, reserved for multicast
5. Class E: 240-255, scientific and research purposes

The 127.0.0.0 network is reserved for loopback testing. Routers or local machines can use these addresses to send packets back to themselves; therefore this range cannot be assigned to a network.
Public & private addresses:
Public address: usable on the Internet and the intranet
Private address: usable only on internal networks:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

169.254.0.0-169.254.255.255 is for Automatic Private IP Addressing (APIPA). These addresses are only valid on the link the host is connected to, such as a local network segment or point-to-point connection. They are not routable and, like private addresses, cannot be the source or destination of packets traversing the Internet.
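An added Python helper (not code from the notes) that puts the class table, the private/APIPA/loopback ranges and the subnet mask together: given an address and mask it returns the class, the scope, the network/broadcast addresses, the usable host count and the wildcard mask you would type into an ACL. The bogon check at the end is the practical use: sources from these ranges arriving on the Internet-facing interface are spoofed and should be denied inbound. Sample addresses are constructed:

```python
import ipaddress

# Ranges from the notes
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def ip_class(ip):
    """Classful range of the first octet (the notes' table)."""
    first = int(ip) >> 24
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D (multicast)"
    if first >= 240:
        return "E (experimental)"
    return "reserved"          # 0.x.x.x


def scope(ip):
    if ip in LOOPBACK:
        return "loopback"
    if any(ip in net for net in PRIVATE):
        return "private (RFC 1918)"
    if ip in APIPA:
        return "link-local (APIPA)"
    if ip.is_multicast:
        return "multicast"
    return "public"


def describe(ip_str, mask_str):
    """Everything a subnet question asks for, computed from address + mask."""
    ip = ipaddress.IPv4Address(ip_str)
    net = ipaddress.IPv4Network(f"{ip_str}/{mask_str}", strict=False)
    hosts = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "class": ip_class(ip),
        "scope": scope(ip),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "usable_hosts": hosts,
        "wildcard": str(ipaddress.IPv4Address(int(net.netmask) ^ 0xFFFFFFFF)),  # for ACLs
    }


def is_internet_bogon(ip_str):
    """True if this address must never appear as a source on the Internet-facing
    interface: private, APIPA, loopback, multicast.  Such packets are spoofed or
    misconfigured and an inbound ACL on the outside interface should deny them."""
    return scope(ipaddress.IPv4Address(ip_str)) != "public"


if __name__ == "__main__":
    print(describe("192.168.10.77", "255.255.255.192"))
    print(is_internet_bogon("10.1.1.1"), is_internet_bogon("8.8.8.8"))
```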
TCP and UDP communication
TCP                                               UDP
Connection oriented                               Connectionless (real-time)
Sequence numbers / acknowledgements / windowing   No sequence numbers & acknowledgements
Reliable                                          Unreliable

TCP Three-Way Handshake:
1. A sends a SYN packet to B (before sending data)
2. B responds with SYN and ACK to A
3. A sends ACK to B (both start sending/receiving data)

Windowing: the amount of octets that can be transmitted without receiving an acknowledgement from the other side.
PORT numbers (0-65535):
Combined with TCP/UDP, a port number is part of the addressing information used to identify the senders and receivers of a message: X.X.X.X:Y (Y is the port number)
Well-known port numbers: the range from 0 to 1023 is the well-known ports or system ports. They are used by system processes that provide widely used types of network services.
Registered port numbers: the range from 1024 to 49151 is the registered ports. They are assigned by IANA for a specific service upon application by a requesting entity. On most systems, registered ports can be used by ordinary users.
TCP 21: FTP           TCP 22: SSH            TCP 23: Telnet
TCP 25: SMTP          TCP 53: DNS (zone transfers, large replies)    UDP 53: DNS (client queries)
UDP 69: TFTP          TCP 80: HTTP           TCP 110: POP3
TCP 443: HTTPS

Ethernet (L2, 802.3), industry standard. The data link layer in Ethernet is divided into 2 sub-layers:
- Logical Link Control (LLC): the interface to the network layer (identifies which network-layer protocol the frame carries)
- Media Access Control (MAC): defines the addressing Ethernet uses
CSMA/CD: the set of rules governing how you communicate/talk on an Ethernet network
Carrier: the network signal
Sense: the ability to detect the network signal
Multiple access: all devices have equal access
Collision: what happens if two devices send at once
Detection: how computers handle a collision when it happens

Methods of communication: unicast, multicast, broadcast

MAC ADDRESS: 12 hexadecimal digits, 48 bits, the physical address
First 24 bits (6 hex digits): Organizationally Unique Identifier (OUI)
Last 24 bits (6 hex digits): vendor assigned
Ethernet cable:
1. Category 5 unshielded twisted pair (UTP): 100 meters max distance, RJ45 connector
2. Multi-mode fiber: 275 meters to a few miles
3. Single-mode fiber: 1 mile to many miles

Cabling standard:
T568A and T568B (A+A or B+B = straight-through; A+B = crossover cable)
Straight-through cable: unlike devices; crossover cable: like devices
Collision domain: a section of the network where data packets can collide with one another on a shared medium. A collision occurs when two devices send data at the same time; collisions are resolved by CSMA/CD.
Broadcast domain: a section of the network where all nodes can be reached via a broadcast at the data link layer.
HUB (works at layer 1), half duplex              Switch (works at layer 2), full duplex
A hub cannot learn or store MAC addresses        A switch stores MAC addresses in a lookup table (CAM table, held in an ASIC)
Only one collision domain                        Each port is a collision domain

CISCO IOS: Internetwork Operating System
Command line method/interface for configuring a Cisco device; more powerful than a graphical interface.
Connecting to a Cisco switch:
1. Plug the console cable into the console port (used to connect the switch directly to a PC/laptop)
2. Get a terminal program like HyperTerminal/TeraTerm
3. Set it to connect via the COM port with the following settings:
Baud rate: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none

IOS command modes:
switch> user mode (user exec): basic show commands
switch# privileged mode (priv exec): all show commands
switch(config)# global configuration mode: do all configuration
Cisco switch interface
Physical indicators: System should be green; RPS: redundant power supply; STAT: shows if any data is being sent/received
UTIL: shows utilization; DUPLEX: lights for full duplex; SPEED: lights for 100 Mbps
VLAN 1 is the management VLAN, used to manage the switch from a remote location
switch(config)# ip default-gateway X.X.X.X (sets the default gateway for the whole switch)
config)# enable password (unencrypted) / enable secret (hashed) WORD (use secret; "enable password" is stored in a reversible form even with service password-encryption)
To protect the console: config)# line console 0, config-line)# password WORD, config-line)# login
To protect VTY (telnet/ssh) remote access: config)# line vty 0 4, config-line)# password WORD, config-line)# login
To obscure all unencrypted passwords in the config: config)# service password-encryption (this is type 7, which is trivially reversible; it stops shoulder-surfing, not an attacker who has the config file)
config)# banner login (shown to VTY logins) / banner motd (displayed everywhere I log in from)
Configuring and enabling SSH:
Set a username and password: config)# username WORD password WORD2 (better: username WORD secret WORD2, so only a hash is stored)
config)# ip domain-name WORD.COM (needed to generate the key pair)
config)# crypto key generate rsa (modulus <360-2048> on this IOS; use at least 2048)
config)# ip ssh version 2
Go to the VTY lines: config-line)# transport input <all/none/ssh/telnet> (use ssh to reject telnet)

PORT SECURITY: a way to lock down/control how many or which devices can connect to a switch port.
#show mac address-table
Go to the interface: config)# interface fast 0/X, then config-if)# switchport mode access (connect to an end device, not a switch)
config-if)# switchport port-security (enables port security) config-if)# switchport port-security maximum <1-5120>
config-if)# switchport port-security violation <protect (drop silently) / restrict (drop and log) / shutdown (err-disable the port; the default)>
config-if)# switchport port-security mac-address <mac address | sticky> (which MAC addresses are allowed; sticky learns them and writes them into the running config)
To view port security: #show port-security (for all interfaces) / #show port-security interface fast 0/X (for a specific interface)
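An added Python simulation (not IOS code and not from the notes) of how a port behaves under each violation mode, including what happens to the legitimate host once a port goes err-disabled and what a MAC-flooding attacker gets. The log strings imitate the style of IOS syslog messages and the MACs are constructed:

```python
class PortSecurity:
    """Per-port MAC address limit with Cisco's three violation modes.
    Constructed simulation of the commands in the notes, not IOS code."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, allowed=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum, self.violation, self.sticky = maximum, violation, sticky
        self.secure = {m.lower() for m in allowed}   # 'switchport port-security mac-address <mac>'
        self.learned = set()                         # dynamically (or sticky) learned MACs
        self.errdisabled = False
        self.violations = 0
        self.log = []

    def frame(self, src_mac):
        """Process one ingress frame; return True if forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.errdisabled:
            return False                 # a shut-down port forwards nothing, not even the real host
        if mac in self.secure or mac in self.learned:
            return True
        if len(self.secure) + len(self.learned) < self.maximum:
            self.learned.add(mac)        # room left: learn it as a secure MAC
            return True
        self.violations += 1             # over the limit: this is a violation
        if self.violation == "protect":
            return False                 # silently dropped, nobody is told
        if self.violation == "restrict":
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: unauthorized MAC {mac}")
            return False                 # dropped and logged, port stays up
        self.errdisabled = True          # shutdown (default): port goes err-disabled
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation, port disabled on MAC {mac}")
        return False

    def running_config(self):
        """The interface lines this state corresponds to (sticky MACs land in the config)."""
        lines = ["switchport mode access",
                 "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.secure)]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        return lines


def mac_flood(port, count=500):
    """An attacker sending frames from <count> different MACs (the macof-style
    attack that overflows an unprotected CAM table).  Returns how many were forwarded."""
    return sum(port.frame(f"00:11:22:33:{i >> 8:02x}:{i & 0xff:02x}") for i in range(count))


if __name__ == "__main__":
    p = PortSecurity(maximum=1, violation="restrict", sticky=True)
    p.frame("AA:BB:CC:00:00:01")          # the real PC
    print("flooded frames forwarded:", mac_flood(p), "| violations:", p.violations)
    print("\n".join(p.running_config()))
```

"restrict" is usually the better default on user ports: the attacker's frames are dropped and you get a syslog line per attempt, whereas "shutdown" lets anyone with a spare MAC take the real user offline, and "protect" hides the event entirely.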
Optimizing & troubleshooting:
Configuring speed & duplex: config-if)# speed <10/100> or duplex <half/full>
config-line)# logging synchronous; config-line)# exec-timeout X X; config)# no ip domain-lookup
config)# alias exec <new command> <old command>
IPv6: 128 bits, written as 8 groups of 16 bits (4 hexadecimal characters each)
Colons (:) instead of dots. Rules to shorten it / eliminate zeros:
1. Eliminate one run of consecutive all-zero groups with a double colon (::), which may be used only once (use it on the longest run)
2. Drop leading zeros within each group

IPv6 provides a simpler header. Types of communication in IPv6: unicast, multicast, anycast (one to the closest)
Types of IPv6 address:
1. Link-local scope address: used to communicate within the layer 2 domain (local communication if connected to the same switch)
Assigned automatically as the IPv6 host comes online (similar to 169.254.x.x in IPv4)
Begins with FE80 (first 10 bits 1111 1110 10) followed by 54 bits of zero
The last 64 bits are the 48-bit MAC address with FFFE squeezed into the middle (EUI-64; the U/L bit of the MAC is also flipped)
2. Unique local / site-local scope address: organization-wide (like private addresses); optional
Used within enterprise networks to identify their boundary
The first 8 bits are FD00::/8; the next 40 bits are the global ID; the next 16 bits are the subnet ID; the last 64 bits are the interface ID
3. Global scope address: Internet
The first 3 bits are 001 (2000::/3); the global routing prefix is 48 bits or less
The subnet ID is whatever bits are left over after the global routing prefix, before the 64-bit interface ID
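The two shortening rules and the EUI-64 link-local construction above, implemented as an added Python example (not code from the notes); the results are checked against the standard library's own compressed form, and the sample addresses and MAC are constructed:

```python
import ipaddress


def compress_ipv6(full):
    """Apply the two shortening rules to a fully written address
    (8 groups of 4 hex digits): drop leading zeros in every group, then replace
    the longest run of all-zero groups (leftmost on a tie, at least 2 groups) with '::'."""
    groups = full.lower().split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError("expected 8 colon-separated groups, e.g. 2001:0db8:0000:0000:0000:0000:0000:0001")
    groups = [g.lstrip("0") or "0" for g in groups]       # rule 2: leading zeros
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                                           # rule 1: find the longest zero run
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:                               # strict '>' keeps the leftmost run on ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                                       # a single zero group is never '::'
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def link_local_from_mac(mac):
    """Modified EUI-64 as in the notes: flip the U/L bit of the MAC, insert FF:FE
    in the middle, prepend fe80::/64."""
    octets = bytearray(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have 6 octets")
    octets[0] ^= 0x02                                      # universal/local bit
    eui64 = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    iid = ":".join(f"{eui64[k]:02x}{eui64[k + 1]:02x}" for k in range(0, 8, 2))
    return compress_ipv6("fe80:0000:0000:0000:" + iid)


def mac_from_link_local(addr):
    """The reverse, which is exactly the privacy problem with EUI-64: the MAC (and
    so the vendor OUI) is recoverable from the address by anyone who sees it."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                                        # not an EUI-64 interface ID
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    print(compress_ipv6("2001:0db8:0000:0000:0001:0000:0000:0001"))
    print(link_local_from_mac("00:1a:2b:3c:4d:5e"))
```

Because the MAC is recoverable from an EUI-64 address, hosts are trackable across networks; modern stacks use random or stable-but-opaque interface IDs (RFC 4941 / RFC 7217) instead, and a scan of an IPv6 subnet often starts by guessing the ff:fe addresses of known vendor OUIs.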

IPv6 Routing (use "ipv6" in place of "ip" in the commands): we can do static routing, RIPng (RIP next generation), OSPFv3 and EIGRP for IPv6
Configuring IPv6 (private/unique local addresses start with FD):
On the router: config)# ipv6 unicast-routing (turns on IPv6 routing)
Go to the interface: config-if)# ipv6 address xxxx:xxxx::xxxx/Y (Y = prefix length)
To turn RIPng on for the router: config)# ipv6 router rip 1 (then exit; no need to enter network statements)
To turn RIPng on for an interface: config-if)# ipv6 rip 1 enable
Migration to IPv6:
1. Dual-stack router: the router runs both IPv4 and IPv6
2. Tunneling: create a tunnel through IPv4 to connect IPv6 islands, or vice versa
3. NAT-PT: NAT Protocol Translation between IPv4 and IPv6
