Handout
Networking Level – 1
Section 1
Basics of Networking
Network
A network is a set of devices connected together to share information, resources and services. Examples of data and services shared on a network are documents, music, email, websites, databases, printers, faxes, telephony and videoconferencing.
As a network grows, traffic also increases and the flow becomes inefficient and overloaded. Devices such as routers, switches and bridges segment the network to manage the traffic flow.
Protocols are sets of rules that define how devices share data and services.
LAN (Local Area Network) - a high-speed network that covers a relatively small geographic area.
WAN (Wide Area Network) - a collection of networks that spans large geographical distances, usually to interconnect multiple LANs.
MAN (Metropolitan Area Network) - a network that spans several LANs across a city-wide geographic area.
CAN (Campus Area Network) - a network confined to a campus area.
PAN (Personal Area Network) - the interconnection of information technology devices within the range of an individual person, for example connecting a mobile phone or PDA to a laptop.
Network Types:
• Peer-to-Peer networks
• Client/Server networks
• Mainframe/Terminal networks
When using a peer-to-peer architecture, all hosts on the network can both request and serve data. For example, configuring two Windows XP workstations to share files would be considered a peer-to-peer network.
Designed & Developed by TATA Communications Ltd. for internal purpose | Confidential 3
The disadvantages of this type are that the data is spread across multiple devices, making it difficult to manage and back up, and that security becomes hard to manage, because user accounts and permissions must be configured individually on each host. It is not a scalable solution for an enterprise, but it can be used for very small networks.
When using a client/server architecture, hosts are assigned specific roles: clients request data and services stored on servers. Example: Windows XP workstations joined to a Windows 2003 domain.
The advantage is that the data is centrally located on one or a few servers, so there are only one or a few entities to manage, back up and secure, and the design is more scalable.
The disadvantage is that the server is a single point of failure, which can be mitigated by clustering.
Section 2
OSI Reference Model
The Open Systems Interconnection (OSI) model was developed in the late 1970s and published as a standard by the International Organization for Standardization (ISO) in 1984. It provides the framework governing how information is sent across a network: a set of guidelines for communication between two end systems.
The OSI Model consists of seven layers, each corresponding to a particular network function:
Layer 7 Application
Layer 6 Presentation
Layer 5 Session
Layer 4 Transport
Layer 3 Network
Layer 2 Data Link
Layer 1 Physical
A more practical model was developed by the Department of Defense, and became the basis
for the TCP/IP protocol suite.
The Application layer (Layer 7) provides the interface between the user application and the network; it is the layer the user interacts with directly. This layer determines whether the remote communication peer is available and agrees with it on requirements such as data integrity and privacy.
Examples of application layer protocols include:
• FTP (via an FTP client)
• HTTP (via a web-browser)
• SMTP (via an email client)
• Telnet
The Presentation layer (Layer 6) controls the formatting of user data, whether it is text, video, sound or an image, ensuring that data sent by one host is in a format the receiving host can understand. This layer also performs encryption and compression of data.
Examples of presentation layer formats include:
• Text (RTF, ASCII, EBCDIC)
• Music (MIDI, MP3, WAV)
• Images (GIF, JPG, TIF, PICT)
• Movies (MPEG, AVI, MOV)
The Session layer (Layer 5) establishes, maintains and finally terminates connections between devices. Sessions can be full-duplex or half-duplex, and may last only long enough to send a single message or for a much longer time. Each session is associated with ports, which may be static (well-known ports) or dynamic.
The four layers below these upper layers are referred to as the lower layers.
The Transport layer (Layer 4) is concerned with the end-to-end transfer of data. It offers two methods of transport: connection-oriented (reliable) and connectionless (unreliable).
Flow Control (Windowing) - dictates how much data can be sent between acknowledgements.
TCP uses a series of acknowledgements to enforce flow control. When the receiving host accepts a segment, it sends an acknowledgement back to the sender; if the sender does not receive the acknowledgement, the segment is resent. Segments are reassembled in the correct order at the receiver.
Congestion Control:
Flow control prevents the receiver's buffer from being overloaded, since segments dropped because of a full buffer are never acknowledged and the sender slows down. TCP additionally reduces its sending rate when segments are lost in the network, since loss signals congestion along the path.
Error-Checking and Segmentation:
Each segment carries a checksum so that the receiver can detect corrupted data. The transport layer does not itself put data on the wire: it segments data into smaller pieces for transport, and each segment is assigned a sequence number so that the receiving device can reassemble the data on arrival.
Examples of transport layer protocols include Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
Windowing:
The term refers to the data a sender may transmit after sending a segment but before it has received and processed the acknowledgement for it. The window size is the amount of data the sender can transmit before it must wait for an acknowledgement. A sliding window is one whose size is changed dynamically according to conditions on the path.
Examples at this layer are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP); UDP, being connectionless, uses no windowing. Sequenced Packet Exchange (SPX) is the transport layer protocol of the IPX protocol suite.
TCP Header
UDP Header
(Header diagrams not reproduced.) TCP and UDP use port numbers to identify the application or service a segment belongs to: the source port identifies the sending application and the destination port identifies the service being requested.
The Network layer (Layer 3) has two key responsibilities. First, it controls the logical addressing of devices: logical addresses are organised as a hierarchy and are not embedded in devices. Second, the network layer determines the best path to a particular destination network and routes the data accordingly.
Examples: Internet Protocol (IP) and Internetwork Packet Exchange (IPX).
A routed protocol is one whose packets are routed, such as IP; a routing protocol is one that determines the path by exchanging routes between routers.
The Data Link layer (Layer 2) is divided into two sub-layers: the LLC (Logical Link Control) sub-layer, which interfaces with the Network layer, and the MAC (Media Access Control) sub-layer.
The MAC sub-layer controls access to the physical medium, serving as mediator if multiple devices are trying to use the same physical link. Specific technologies have various methods of accomplishing this.
Example: Ethernet uses CSMA/CD; Token Ring uses a token.
A frame contains a source and a destination hardware (physical) address. Hardware addresses usually contain no hierarchy and are often hard-coded on a device. Each device must have a unique hardware address on the network.
As data is passed from the Application layer down the layers of the OSI model, each of the lower layers adds a header (and, at the Data Link layer, a trailer) containing protocol information specific to that layer. The unit of data handled at each layer, header plus payload, is called a Protocol Data Unit (PDU): a segment at Layer 4, a packet at Layer 3 and a frame at Layer 2. The process of adding these headers is called encapsulation.
Order of Encapsulation:
The following illustrates the OSI model in more practical terms, using an FTP request as an example:
• At the Application layer, a web browser (or a dedicated FTP client) serves as the user interface for accessing FTP sites. Specifically, FTP is the protocol spoken between the client and the FTP server.
• The format of the data being transferred is a Presentation layer function. Common data formats on the Internet include HTML, XML, GIF, JPG and ASCII. Any encryption or compression applied to the transfer is also a function of this layer.
• The Session layer establishes the connection between the requestor and the FTP server and determines whether the communication is half-duplex or full-duplex.
• FTP relies on TCP for connection-oriented data transfer. TCP ensures the reliable delivery of data from the FTP server to the client; these are Transport layer functions. Before any FTP request data is sent, TCP performs a three-way handshake: the client sends a SYN segment (carried in an IP packet) to the destination, receives a SYN-ACK from the destination, and replies with an ACK.
• The logical addresses, in this case the IP addresses configured on the client and the FTP server, are a Network layer function. Additionally, the routers that determine the best path from the client to the FTP server operate at this layer.
The Network layer relies on the Data Link layer to map a Layer 3 address to a Layer 2 address, using ARP.
Note: ARP is used when a device wants to map a known IP address to an unknown MAC address. As devices learn MAC addresses they build and maintain an ARP cache. A device first looks up the ARP cache for the MAC address; if it is not found, it sends an ARP broadcast containing the known IP address and receives an ARP reply from the owner of that address with the required MAC address. If the destination is on another network, the client resolves the MAC address of its default gateway instead, and the frame is addressed to the gateway.
• The actual cabling, network cards, hubs and other devices that provide the physical connection between the client and the FTP server operate at the Physical layer.
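The encapsulation and three-way handshake described above, as an added example that is not part of the handout: it builds the Ethernet, IPv4 and TCP headers of the client's SYN, the server's SYN-ACK and the client's ACK, then strips them off again layer by layer, verifying the IPv4 header checksum on the way. The hosts, MAC addresses, ports and sequence numbers are constructed for illustration; the TCP and UDP checksums are left as zero to keep the example short, which a real stack would not do.

```python
import struct

# Added example (not from the handout): build the Ethernet/IPv4/TCP headers of the
# three-way handshake described above, then strip them off again layer by layer.
# All addresses, ports and sequence numbers below are constructed for illustration.

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (the IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def tcp_segment(sport, dport, seq, ack, flags, window=65535, payload=b""):
    # 20-byte header (data offset 5, no options); TCP checksum left as 0 here (assumption)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0) + payload


def udp_datagram(sport, dport, payload=b""):
    # UDP checksum is optional over IPv4 and left as 0 here
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_packet(src, dst, proto, payload, ttl=64, ident=0x1234):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in header checksum
    return hdr + payload


def ethernet_frame(src_mac, dst_mac, payload, ethertype=ETHERTYPE_IPV4):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def decapsulate(frame: bytes):
    """Reverse the encapsulation: return the (layer 2, layer 3, layer 4) header fields."""
    l2 = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
          "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if l2["ethertype"] != ETHERTYPE_IPV4:
        return l2, None, None
    pkt = frame[14:]
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:          # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    l3 = {"src_ip": ".".join(map(str, s)), "dst_ip": ".".join(map(str, d)), "ttl": ttl, "protocol": proto}
    seg = pkt[ihl:total_len]
    if proto == PROTO_TCP:
        sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", seg[:20])
        l4 = {"proto": "TCP", "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
              "flags": [n for b, n in sorted(TCP_FLAGS.items()) if off_flags & b],
              "payload": seg[(off_flags >> 12) * 4:]}
    elif proto == PROTO_UDP:
        sport, dport, length, _ = struct.unpack("!HHHH", seg[:8])
        l4 = {"proto": "UDP", "sport": sport, "dport": dport, "payload": seg[8:length]}
    else:
        l4 = None
    return l2, l3, l4


# Constructed hosts: the FTP client and server of the text are on different subnets, so the
# client's frames carry the MAC of its default gateway (learned via ARP), not the server's.
CLIENT_IP, CLIENT_MAC = "192.168.10.1", "00:11:22:33:44:55"
SERVER_IP = "192.168.11.5"
GATEWAY_MAC = "00:00:5e:00:01:01"
CLIENT_PORT, FTP_PORT = 49152, 21
SYN, ACK = 0x02, 0x10


def handshake_frames():
    """The three frames of the TCP handshake as seen on the client's LAN segment."""
    c_isn, s_isn = 1000, 5000                     # constructed initial sequence numbers
    syn = tcp_segment(CLIENT_PORT, FTP_PORT, c_isn, 0, SYN)
    syn_ack = tcp_segment(FTP_PORT, CLIENT_PORT, s_isn, c_isn + 1, SYN | ACK)
    ack = tcp_segment(CLIENT_PORT, FTP_PORT, c_isn + 1, s_isn + 1, ACK)
    return [
        ethernet_frame(CLIENT_MAC, GATEWAY_MAC, ipv4_packet(CLIENT_IP, SERVER_IP, PROTO_TCP, syn)),
        ethernet_frame(GATEWAY_MAC, CLIENT_MAC, ipv4_packet(SERVER_IP, CLIENT_IP, PROTO_TCP, syn_ack)),
        ethernet_frame(CLIENT_MAC, GATEWAY_MAC, ipv4_packet(CLIENT_IP, SERVER_IP, PROTO_TCP, ack)),
    ]


if __name__ == "__main__":
    for f in handshake_frames():
        l2, l3, l4 = decapsulate(f)
        print(l2["src_mac"], "->", l2["dst_mac"], "|", l3["src_ip"], "->", l3["dst_ip"], "|",
              l4["sport"], "->", l4["dport"], l4["flags"])
```

Each layer only reads its own header and hands the rest up unchanged, which is exactly the layering the FTP walkthrough describes; the checksum check shows why a corrupted IPv4 header is dropped before the TCP segment is ever looked at.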
Section 3
Ethernet Technology
Ethernet has become the standard technology used in LAN networking. It is a transmission method in which every host on a shared segment shares the bandwidth of the link. There are different IEEE categories of Ethernet:
802.3 - Ethernet (10 Mbps)
802.3u - Fast Ethernet (100 Mbps)
802.3z (fibre) and 802.3ab (1000BASE-T copper) - Gigabit Ethernet (1000 Mbps)
Half-Duplex
In half duplex, devices can either transmit or receive data, but not simultaneously. Devices connected to a hub operate at half-duplex.
Full-Duplex
Full-duplex allows devices to both transmit and receive at the same time. Devices connected to
a switch can operate at full-duplex.
Twisted-Pair Cabling
Twisted-pair cable contains 2 or 4 pairs of wire, twisted around each other to reduce crosstalk. Crosstalk is a form of electromagnetic interference (EMI) that reduces the strength and quality of the signal. Twisted-pair cabling can be either shielded (STP) or unshielded (UTP).
Types of twisted-pair cables:
Straight-through Cable - both ends wired to the same standard (T568A or T568B); connects unlike devices, for example a host to a switch.
Crossover Cable - the transmit and receive pairs are swapped at one end; connects like devices, for example switch to switch or host to host (needed only on devices without auto-MDIX).
Rollover Cable - the pin order is reversed from one end to the other; used with a console port for out-of-band management.
Section 4
Networking Devices
Before looking at the differences between networking devices, two terms need defining: broadcast domain and collision domain.
Broadcast Domain:
The set of devices that will receive any broadcast sent on a segment. A broadcast has no specific destination and is received by every single device in the domain. If there are too many devices in a broadcast domain, congestion can occur.
Collision Domain:
Any part of the network where frames from two or more nodes may interfere with each other is part of the same collision domain. A network with a large number of nodes on the same segment will have many collisions, and therefore a large collision domain.
Hubs are Layer 1 devices that physically connect network devices together for communication.
Hubs do not look at the Data Link header, and thus cannot make forwarding decisions based on MAC address. A hub forwards every frame, including unicasts, out every port except the one the frame arrived on. Hubs are basically multiport repeaters. A hub cannot be used to break up a broadcast domain or a collision domain.
Repeaters regenerate an electrical signal so that it can travel a longer distance.
Bridges break up collision domains but not broadcast domains.
Switches are essentially highly intelligent bridges with many more ports. Switches break up collision domains by logically placing each port into its own, smaller collision domain. Consider an Ethernet network of 50 hosts on one shared segment: with CSMA/CD, while one host is transmitting the other 49 cannot. With a switch, each host is in its own collision domain, so one host transmitting does not stop the others, and the chance of collisions decreases (on full-duplex links it is eliminated). Switches can additionally divide the hosts into virtual networks (VLANs), each containing a smaller number of hosts. Both bridges and switches operate at Layer 2 of the OSI model.
Routers break up broadcast domains because of one simple rule: routers do not forward broadcasts. Routers also break up collision domains, since each router interface is a separate segment. Routers operate at Layer 3 of the OSI model.
In the example referred to above (figure not reproduced), there are THREE broadcast domains and FIVE separate collision domains. Each router interface creates a separate broadcast AND collision domain, each switch port creates a separate collision domain, whereas all the ports of a hub share one collision domain.
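To make the counting rules concrete, here is an added example (not from the handout) that counts broadcast and collision domains for a topology described as a list of devices and cables. The rules it applies are the ones stated above: a hub merges everything on its ports, a switch or bridge merges only the broadcast domain, a router merges nothing. The topology is constructed for illustration, since the handout's figure is not reproduced; it happens to give the same three broadcast and five collision domains.

```python
from collections import defaultdict


class DisjointSet:
    """Minimal union-find used to merge ports that share a domain."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def groups(self):
        return len({self.find(x) for x in list(self.parent)})


def count_domains(devices, links):
    """devices: {name: 'router' | 'switch' | 'bridge' | 'hub' | 'host'}
    links:   [(a, b), ...] point-to-point cable segments between two device names.
    Returns (broadcast_domains, collision_domains)."""
    collision, broadcast = DisjointSet(), DisjointSet()
    ports = defaultdict(list)                     # device name -> the port nodes it owns
    for i, (a, b) in enumerate(links):
        pa, pb = (a, i), (b, i)
        ports[a].append(pa)
        ports[b].append(pb)
        collision.union(pa, pb)                   # a cable is one segment: both ends share both domains
        broadcast.union(pa, pb)
    for dev, kind in devices.items():
        if not ports[dev]:
            continue
        first = ports[dev][0]
        for p in ports[dev][1:]:
            if kind == "hub":                     # multiport repeater: one collision and one broadcast domain
                collision.union(first, p)
                broadcast.union(first, p)
            elif kind in ("switch", "bridge"):    # each port its own collision domain; broadcasts still flood
                broadcast.union(first, p)
            # router: forwards neither collisions nor broadcasts between interfaces, so nothing is merged
    return broadcast.groups(), collision.groups()


# Constructed topology (assumption, the handout's figure is not reproduced): a router with three
# interfaces, one to a switch with two PCs, one to a hub with two PCs, and one directly to a PC.
DEVICES = {"R1": "router", "SW1": "switch", "HUB1": "hub",
           "PC1": "host", "PC2": "host", "PC3": "host", "PC4": "host", "PC5": "host"}
LINKS = [("R1", "SW1"), ("SW1", "PC1"), ("SW1", "PC2"),
         ("R1", "HUB1"), ("HUB1", "PC3"), ("HUB1", "PC4"),
         ("R1", "PC5")]

if __name__ == "__main__":
    bd, cd = count_domains(DEVICES, LINKS)
    print(f"{bd} broadcast domains, {cd} collision domains")
```

Swapping the switch for a hub in DEVICES collapses its three collision domains into one without changing the broadcast count, and swapping the router for a switch collapses the three broadcast domains into one, which is the difference between the device types in one line each.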
Section 5
SWITCHING
Switches build CAM (Content Addressable Memory) tables, also called MAC address tables, to make intelligent forwarding decisions on frames. The MAC address table maintains a list of MAC addresses and the switch port each MAC is associated with.
When a Layer-2 switch is first powered on, it behaves much like a hub: it floods every frame, including unicasts, out every port except the port the frame was received on. The switch builds its MAC address table by looking at the source MAC address of each frame it receives.
Layer-2 switches forward a broadcast or multicast out every port, except the port on which it was received.
Only Layer-3 devices can break apart broadcast domains. Because of this, Layer-2 switches alone are not well suited to large, scalable networks. Layer-2 switches make forwarding decisions solely on Data Link layer MAC addresses and cannot distinguish between different networks, which is why routers are required.
In the example referred to above (figure not reproduced), Comp-A is attached to interface E0 and Comp-B to interface E1. When Comp-A sends a frame to Comp-B, the switch adds Comp-A's MAC address to its table and associates it with port E0. Since the switch does not yet have Comp-B's MAC address in its CAM table, it floods the frame out all ports except the one on which it was received; only Comp-B replies. Once the switch receives a frame from Comp-B, it adds Comp-B's MAC address to its table and associates it with port E1. From then on any frame from Comp-A to Comp-B is received on E0 and sent out only on E1.
A switch is always in a perpetual state of learning. As the MAC address table becomes populated, the flooding of frames decreases, allowing the switch to make more intelligent forwarding decisions.
These forwarding decisions are made at wire speed, due to specialized hardware circuits called
ASICs (Application-Specific Integrated Circuits).
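The learn-flood-forward behaviour just described, as an added example that is not the handout's own: a small transparent switch model that replays the Comp-A / Comp-B exchange and returns the egress ports of every frame. The `table_size` limit is an added assumption rather than something the text states, but it reflects real hardware: a CAM table is finite, and once it is full new source addresses are not learned, so frames to those stations keep being flooded out every port.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit: the least significant bit of the first octet (broadcast is the all-ones case)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class LearningSwitch:
    """A transparent Layer-2 switch: learn source MACs, flood unknowns, forward knowns.

    table_size is an added assumption: real CAM tables are finite, and once full new
    source addresses are not learned, so frames to them keep being flooded."""

    def __init__(self, ports, table_size=None):
        self.ports = list(ports)
        self.cam = {}                     # MAC address -> port it was last seen on
        self.table_size = table_size

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        # Learn (or refresh) the source address on the ingress port.
        if src in self.cam or self.table_size is None or len(self.cam) < self.table_size:
            self.cam[src] = in_port
        # Broadcast, multicast and unknown unicast are flooded out every port but the ingress one.
        if dst == BROADCAST or is_multicast(dst) or dst not in self.cam:
            return [p for p in self.ports if p != in_port]
        out = self.cam[dst]
        # Known unicast: forward out the learned port; filter it if that is the port it came in on.
        return [] if out == in_port else [out]


def walk_through():
    """The Comp-A / Comp-B exchange from the text, returning the egress ports of each frame."""
    sw = LearningSwitch(["E0", "E1", "E2", "E3"])
    comp_a, comp_b = "00:00:0a:00:00:0a", "00:00:0b:00:00:0b"   # constructed addresses
    first = sw.receive("E0", comp_a, comp_b)    # unknown destination: flooded
    reply = sw.receive("E1", comp_b, comp_a)    # Comp-A already learned: sent only to E0
    second = sw.receive("E0", comp_a, comp_b)   # both learned: sent only to E1
    return first, reply, second, dict(sw.cam)


if __name__ == "__main__":
    for label, result in zip(("first A->B", "B->A", "second A->B", "CAM"), walk_through()):
        print(f"{label}: {result}")
```

The model also shows why the source address of each incoming frame is trusted: whatever a station puts in its source field is what the switch learns, and a station that sends from many source addresses fills the table until the switch reverts to hub-like flooding for everyone else.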
Switching Methods:
Switches support three methods of forwarding frames.
Cut-Through reads only the header of a frame, as far as the destination address, before forwarding it. This method transfers frames at wire speed and has the least latency. No error checking is attempted when using the cut-through method.
FragmentFree (modified cut-through) reads only the first 64 bytes of a frame, which is the minimum size of an Ethernet frame. Most collision fragments and corruption occur within the first 64 bytes of a frame, so these are caught before forwarding.
Store-and-Forward reads the entire frame and performs a Cyclic Redundancy Check (CRC) before forwarding it, ensuring complete reliability. However, this additional error checking gives store-and-forward the highest latency of the three switching methods.
Section 6
Spanning Tree Protocol
Switching Loops
By default, a switch will forward a broadcast or multicast out all ports, except for the port the
broadcast or multicast was received on.
When a loop is introduced into the network, a highly destructive broadcast storm can develop within seconds. Broadcast storms occur when broadcasts are endlessly switched around the loop, choking off all other traffic.
In the looped topology referred to (figure not reproduced), if the computer connected to Switch 3 sends out a broadcast, the switch forwards it out all ports, including the ports connecting to Switch 1 and Switch 4. Those switches likewise forward the broadcast out all ports, including to their neighbouring switches.
The broadcast loops around the switches indefinitely; in fact there are two separate broadcast storms cycling in opposite directions around the switching loop. Only powering off a switch or physically removing the loop stops the storm. A loop also causes MAC address table instability, because the same source MAC is learned on different ports as copies of a frame arrive from both directions, and it delivers multiple copies of each frame to the gateway. The Spanning Tree Protocol (STP) exists to avoid all of this.
STP-enabled switches communicate to form a topology of the entire switching network and then block a port if a loop exists. A blocked port can be reactivated if another link in the switching network goes down, thus preserving fault tolerance.
STP switches send BPDUs (Bridge Protocol Data Units) to each other to form their topology databases. BPDUs are sent out all ports every two seconds, addressed to a specific multicast MAC address: 0180.c200.0000.
STP Process
Elect a Root Bridge, which serves as the central reference point of the STP topology. Good design practice places the Root Bridge close to the centre of the topology.
The Root Bridge is determined by Bridge ID, which is the combination of a switch's priority and its MAC address. The default priority is 32,768, and the lowest priority wins. If priorities tie, the switch with the lowest MAC address is elected Root Bridge.
In the example referred to above (figure not reproduced), switches 1 to 4 all have the default priority, so Switch 1 becomes the Root Bridge because it has the lowest MAC address.
Switches exchange BPDUs to perform the election. By default every switch believes it is the Root Bridge, until it hears a BPDU from a switch with a lower Bridge ID.
Root Bridge election is a continuous process: if a new switch with a lower Bridge ID is added to the topology, it is elected as the new Root Bridge. This also means that any device sending BPDUs with a lower Bridge ID can take over as Root Bridge and pull the whole topology towards itself, which is why ports facing end users should not accept BPDUs (on Cisco switches BPDU guard and root guard enforce this).
Root Ports are the port on each switch that has the lowest path cost to get to the Root Bridge.
Each switch has only one Root Port, and the Root Bridge cannot have a Root Port.
Path Cost is a cumulative cost based on the bandwidth of the links. The higher the bandwidth,
the lower the Path Cost:
Bandwidth Cost
4 Mbps 250
10 Mbps 100
16 Mbps 62
100 Mbps 19
1 Gbps 4
10 Gbps 2
Assume the links between all switches are 100 Mbps Ethernet, each with a Path Cost of 19. Each switch identifies the port with the least cumulative Path Cost to the Root Bridge.
For Switch 2, the port leading up to Switch 1 has a Path Cost of 19 and becomes the Root Port. For Switch 3, the port leading up to Switch 1 likewise has a Path Cost of 19 and becomes the Root Port.
For Switch 4, both ports lead to Switch 1 with a Path Cost of 38, one via Switch 2 and one via Switch 3. The tie is broken by the Bridge ID of the sending switch: Switch 2 has the lower Bridge ID, so Switch 4's port towards Switch 2 becomes its Root Port.
Ports on the Root Bridge are never placed in a blocking state, so every port on the Root Bridge becomes the Designated Port for its directly attached segment.
For the segments between Switches 1 and 3 and between Switches 1 and 2, Switch 1's port is therefore the Designated Port. The segments between Switches 2 and 4 and between Switches 3 and 4 also each need a Designated Port. Switch 2 and Switch 3 have the lowest Path Cost to the Root Bridge on their respective segments (19, against Switch 4's 38), so their ports become the Designated Ports.
On the segment between Switch 3 and Switch 4, Switch 4's port is neither a Root Port nor the Designated Port, so it is placed in a blocking state; this is the port that removes the loop.
Electing the Root Port when the Path Cost and the sender's Bridge ID are the same
If two links of equal bandwidth connect Switch 2 directly to the Root Bridge, both of Switch 2's interfaces have an equal Path Cost to the Root Bridge and both receive BPDUs from the same (Root) Bridge ID, so neither tiebreaker decides. In that case the Port ID is used as the tiebreaker. A Port ID consists of two parts: a port priority value (default 128) and the port number. The sender's Port ID is compared first and then the receiving switch's own Port ID; whichever interface has the lowest Port ID becomes the Root Port.
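The Root Bridge, Root Port and Designated Port election walked through above, together with the Port ID tiebreaker, as an added example (not the handout's own code): a small STP calculator that applies the ordering described in the text to a constructed four-switch topology using the path-cost table on this page. The bridge MAC addresses, port numbers and link speeds are assumptions chosen to reproduce the handout's walkthrough.

```python
# IEEE 802.1D-1998 path costs from the handout's table (bandwidth in Mbps -> cost)
PATH_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4, 10000: 2}
DEFAULT_PRIORITY = 32768


def port_id(port_number, port_priority=128):
    """Port ID: port priority (default 128) followed by the port number; lower wins."""
    return (port_priority, port_number)


def run_stp(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(a, port_a, b, port_b, mbps), ...].
    Returns (root bridge, root path cost per switch, role of every port)."""
    bid = dict(bridges)                           # Bridge ID = (priority, MAC); tuples compare in that order
    root = min(bid, key=bid.get)                  # lowest Bridge ID becomes the Root Bridge
    adj = {n: [] for n in bridges}                # name -> [(own port, neighbour, neighbour port, link cost)]
    for a, pa, b, pb, mbps in links:
        adj[a].append((pa, b, pb, PATH_COST[mbps]))
        adj[b].append((pb, a, pa, PATH_COST[mbps]))
    # Root path cost: cheapest cumulative cost to the root, relaxed until stable (topologies are small).
    rpc = {n: (0 if n == root else float("inf")) for n in bridges}
    for _ in range(len(bridges)):
        for n in bridges:
            for _, nbr, _, cost in adj[n]:
                rpc[n] = min(rpc[n], rpc[nbr] + cost)
    roles = {}
    for n in bridges:
        if n == root:
            continue                              # the Root Bridge has no Root Port
        # Root Port: lowest (cost via port, sender Bridge ID, sender Port ID, own Port ID)
        own, _, _, _ = min(adj[n], key=lambda e: (rpc[e[1]] + e[3], bid[e[1]], port_id(e[2]), port_id(e[0])))
        roles[(n, own)] = "root"
    for a, pa, b, pb, _ in links:
        # Designated Port: the end of the segment with the lowest (root path cost, Bridge ID, Port ID);
        # the far end is either that switch's Root Port or is placed in blocking.
        ka, kb = (rpc[a], bid[a], port_id(pa)), (rpc[b], bid[b], port_id(pb))
        designated, other = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        roles.setdefault(designated, "designated")
        roles.setdefault(other, "blocking")
    return root, rpc, roles


# Constructed four-switch ring matching the handout's walkthrough: all links 100 Mbps (cost 19),
# default priorities, Switch 1 holding the lowest MAC address.
BRIDGES = {f"SW{i}": (DEFAULT_PRIORITY, f"0000.0000.000{i}") for i in (1, 2, 3, 4)}
LINKS = [("SW1", 1, "SW2", 1, 100), ("SW1", 2, "SW3", 1, 100),
         ("SW2", 2, "SW4", 1, 100), ("SW3", 2, "SW4", 2, 100)]

if __name__ == "__main__":
    root, rpc, roles = run_stp(BRIDGES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role} (root path cost {rpc[sw]})")
```

Changing one switch's priority in BRIDGES (for example giving SW4 priority 4096) moves the root and recomputes every role, which is the "continuous election" the text describes and the reason a rogue lower Bridge ID matters.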
Blocking - the default state of an STP port when a switch is powered on. Ports in a blocking state do not forward frames or learn MAC addresses, but still listen for BPDUs from other switches.
Listening - a port moves from Blocking to Listening only if the switch believes that the port will not have to be blocked to eliminate a loop. The port listens for BPDUs to take part in the election of a Root Bridge, Root Ports and Designated Ports. Ports in a listening state do not forward frames or learn MAC addresses.
Learning – After a brief period of time, called a Forward Delay, a port in a listening state
will be elected either a Root Port or Designated Port, and placed in a learning state. Ports in a
learning state listen for BPDUs, and also begin to learn MAC addresses. However, ports in a
learning state will still not forward frames.
Forwarding – After another Forward Delay, a port in learning mode will be placed in
forwarding mode. Ports in a forwarding state can send and receive all data frames, and continue
to build the MAC address table. All designated, root, and non-uplink ports will eventually be
placed in a forwarding state.
Disabled – A port in disabled state has been administratively shut down, and does not
participate in STP or forward frames at all.
On average, a port in a blocking state will take approx. 50 seconds to reach a forwarding state.
STP Timers
• Hello Timer – Default is 2 seconds. Indicates how often BPDUs are sent by switches.
• Forward Delay – Default is 15 seconds. This timer indicates a delay period in both the
listening and learning states of a port, for a total of 30 seconds.
• Max Age – Default is 20 seconds. Indicates how long a switch will keep BPDU information
from a neighboring switch before discarding it.
Section 7
Addressing
There are two types of addressing: hardware addressing and logical addressing.
Hardware Addressing
The hardware address is used by devices to communicate on the local network. Hardware addressing is a function of the Data Link layer of the OSI model (Layer 2). The hardware address for Ethernet networks is the MAC address, a 48-bit address usually written as 12 hexadecimal digits and typically hard-coded on the network card. The first six hexadecimal digits (24 bits) identify the manufacturer of the network card and are referred to as the OUI (Organizationally Unique Identifier); the last six digits identify the individual interface and are often called the host ID.
Logical Addressing
Logical addressing is a function of the network layer-3 of the OSI Model. Logical addresses
provide a hierarchical structure to separate networks. A logical address identifies not only a
unique Host ID, but also the network that host belongs to. Additionally, logical addresses are
rarely hard-coded onto hosts, and can be changed freely.
IPv4 Addressing
An IP address is separated into four octets and represented in decimal, for example 192.168.10.1. Each octet is 8 bits long, giving a 32-bit IP address. A computer understands an IP address in its binary form; the above address in binary looks as follows:
11000000.10101000.00001010.00000001
One part of the address identifies the network and the other part identifies the host. A subnet mask makes this distinction.
Hosts on the same logical network have identical network addresses and can communicate freely. For example, the following two hosts are on the same network:
Host A: 192.168.10.1 255.255.255.0
Host B: 192.168.10.2 255.255.255.0
Both share the network address 192.168.10.0, which is determined by the 255.255.255.0 subnet mask.
Hosts that are on different networks cannot communicate without an intermediating device.
For example:
Host A: 192.168.10.1 255.255.255.0
Host B: 192.168.11.1 255.255.255.0
IP Address Classes
The classful IPv4 scheme defines five classes, A to E, of which A, B and C are used for host addressing. The value of the first octet of an address determines the class of the network:
Class A networks have a first octet from 1 to 126 (127 is reserved for loopback). The default subnet mask is 255.0.0.0; thus, by default, the first octet defines the network and the last three octets define the host. This results in a maximum of 126 Class A networks, with 16,777,214 hosts per network.
Class A address: Address: 10.0.0.1, Subnet Mask: 255.0.0.0
Class B networks range from 128 to 191. The default subnet mask is 255.255.0.0; thus, by
default, the first two octets define the network, and the last two octets define the host. This
results in a maximum of 16,384 Class B networks, with 65,534 hosts per network.
Class B address: Address: 172.16.12.195, Subnet Mask: 255.255.0.0
Class C networks range from 192 to 223. The default subnet mask is 255.255.255.0; thus, by
default, the first three octets define the network, and the last octet defines the host. This
results in a maximum of 2,097,152 Class C networks, with 254 hosts per network.
Class C address: Address: 192.168.10.1, Subnet Mask: 255.255.255.0
A subnet mask can also be written in CIDR notation as the number of bits set to 1. For example:
11111111.11111111.11111111.11100000
The first 27 bits of the above subnet mask are set to 1, so in CIDR notation it is written /27 (255.255.255.224 in decimal).
Two addresses have been reserved on each network for special use. Each network must have a
subnet / network address, and a broadcast address. Neither of these addresses can be assigned
to a host device. The subnet address is used to identify the network itself. Routing tables
contain lists of networks, and each network is identified by its subnet address.
Subnet addresses contain all 0 bits in the host portion of the address.
Example the following is a subnet address: 192.168.1.0/24
The broadcast address identifies all hosts on a particular network. A packet sent to the
broadcast address will be received and processed by every device on that network. Broadcast
addresses contain all 1 bits in the host portion of the address.
Example, the following is a broadcast address: 192.168.1.255/24
Subnetting
Subnetting is the process of dividing a major network into smaller networks, or subnets, by taking bits from the host portion of the subnet mask.
Take the Class C network 192.168.1.0 from the example above. Its default subnet mask is 255.255.255.0. This single network can be subnetted into multiple networks. For example, assume a minimum of 14 new networks are required. The number of subnets is given by the formula:
2^n - 2, where n is the number of bits taken from the host portion of the subnet mask.
There are 24 bits set to 1, which identify the network, and 8 bits set to 0, which identify the host; it is these host bits that can be borrowed for subnets.
Taking bits from the host portion means changing host bits from 0 (off) to 1 (on). Network bits in a subnet mask must always be contiguous; skipping bits is not allowed.
Consider the result if four bits are taken. Using the formula: 2^4 - 2 = 14 networks, so the requirement of 14 networks is met. The new subnet mask is 11111111.11111111.11111111.11110000, that is 255.255.255.240 or /28.
To determine the number of hosts in each network, the same formula is applied to the remaining four host bits: 2^4 - 2 = 14.
Thus, subnetting a Class C network with a /28 mask creates fourteen new networks (sixteen with ip subnet-zero, see below), with fourteen usable hosts per network.
The ranges of the subnetted networks can be calculated quickly with a shortcut: take the subnetted octet of the mask 255.255.255.240, that is 240, and subtract it from 256.
256 - 240 = 16
Assuming ip subnet-zero is enabled, the first network begins at 0. Then simply keep adding 16 to list the first address of each new network. Knowing the first address of each network makes it simple to determine the last address of each (all values below are the last octet of 192.168.1.x):
Subnet   First address   Valid host range   Last address
1        0               1 - 14             15
2        16              17 - 30            31
3        32              33 - 46            47
4        48              49 - 62            63
5        64              65 - 78            79
6        80              81 - 94            95
7        96              97 - 110           111
8        112             113 - 126          127
9        128             129 - 142          143
10       144             145 - 158          159
11       160             161 - 174          175
12       176             177 - 190          191
13       192             193 - 206          207
14       208             209 - 222          223
15       224             225 - 238          239
16       240             241 - 254          255
The last address of each network becomes the broadcast address for that network.
Note: There is a specific reason for the "- 2" in the 2^n - 2 formula. Earlier it was not acceptable to use a subnet whose borrowed (subnet) bits were all 0s or all 1s.
However, this is no longer true on modern systems. Specifically, on Cisco IOS devices the following command is now enabled by default:
Router(config)# ip subnet-zero
The ip subnet-zero command allows the use of subnets with all-0 or all-1 bits in the borrowed (subnet) portion of the address. Thus the formula for calculating the number of new networks simplifies to 2^n.
Hence, if four bits are borrowed for subnets: 2^n = 2^4 = 16 networks.
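The subnet arithmetic above, and the "same network" test from the start of this section, as an added example that is not part of the handout. It does the mask and block-size calculations with plain integer bit operations rather than a library, so the borrowed bits, the 256 - 240 = 16 shortcut and the effect of ip subnet-zero are visible in the code. The example network and hosts are the ones used on this page.

```python
def ip_to_int(address: str) -> int:
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {address}")
    return int.from_bytes(bytes(octets), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/27 -> 255.255.255.224: the first `prefix` bits set, contiguous (no skipped bits)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """255.255.255.224 -> 27; rejects masks whose 1 bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def same_network(host_a: str, host_b: str, mask: str) -> bool:
    """Two hosts can talk without a router only if their network addresses agree."""
    m = ip_to_int(mask)
    return ip_to_int(host_a) & m == ip_to_int(host_b) & m


def subnet_table(network: str, new_prefix: int, subnet_zero: bool = True):
    """Split network (e.g. '192.168.1.0/24') into /new_prefix subnets.
    Returns rows of (subnet address, first host, last host, broadcast) as dotted strings."""
    base, old_prefix = network.split("/")
    old_prefix = int(old_prefix)
    net = ip_to_int(base)
    if net & ~prefix_to_mask(old_prefix) & 0xFFFFFFFF:
        raise ValueError("host bits set in the network address")
    if not old_prefix < new_prefix <= 30:
        raise ValueError("need at least one borrowed bit and two host bits")
    block = 1 << (32 - new_prefix)          # addresses per subnet; for a /28 this is 256 - 240 = 16
    rows = []
    for i in range(1 << (new_prefix - old_prefix)):     # 2^n subnets from n borrowed bits
        start = net + i * block
        rows.append((int_to_ip(start), int_to_ip(start + 1),
                     int_to_ip(start + block - 2), int_to_ip(start + block - 1)))
    if not subnet_zero:                      # the "- 2" of 2^n - 2: drop the all-zeros and all-ones subnets
        rows = rows[1:-1]
    return rows


def usable_hosts(prefix: int) -> int:
    """2^h - 2: the subnet and broadcast addresses cannot be assigned to hosts."""
    return (1 << (32 - prefix)) - 2


if __name__ == "__main__":
    print("Class C /28 usable hosts per subnet:", usable_hosts(28))
    for row in subnet_table("192.168.1.0/24", 28):
        print("subnet %-13s hosts %s - %-13s broadcast %s" % row)
```

The same functions work for any pr efix length, not only the /24 to /28 case worked on the page; `subnet_table("172.16.0.0/16", 20)` lists the sixteen /20 blocks of a Class B network in the same way.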
A public address is a unique address on the internet and can be routed on the Internet.
Hence devices that should be Internet accessible must be configured with public addresses.
A private address is only used within an organization, and can never be routed on the
internet. Three private addressing ranges were allocated, one for each IPv4 class:
Class Range
Class A 10.0.0.0 – 10.255.255.255
Class B 172.16.0.0 – 172.31.255.255
Class C 192.168.0.0 – 192.168.255.255
Diagnostic Purposes - Loop Back Testing 127.0.0.0 – 127.255.255.255
Automatic Private IP Addressing (APIPA) 169.254.0.0 – 169.254.255.255
Section 8
Router Components
• ROM
• Flash
• NVRAM
• RAM
Boot Sequence:
ROM contains a bootstrap program called the ROM Monitor (ROMmon). When a router is powered on:
• The bootstrap runs a hardware diagnostic called POST (Power-On Self Test).
• If POST completes successfully, the bootstrap locates a Cisco IOS (Internetwork Operating System) image. If the configuration file in NVRAM contains a boot system command, that command names the image to load; otherwise the IOS stored in Flash memory is loaded. Flash can be erased or overwritten, which is what makes the IOS upgradeable.
• If no IOS image is found in Flash, a basic version of the IOS is loaded from ROM. The contents of ROM cannot be altered or erased; the whole ROM chip must be replaced if an upgrade or repair is necessary.
• The IOS image is loaded into RAM and looks for a startup configuration file (startup-config) in NVRAM. NVRAM is non-volatile, so its contents survive a power cycle.
• If no startup-config is found in NVRAM, the IOS tries to fetch a configuration file from a TFTP server, sending the request to the broadcast address 255.255.255.255. If no TFTP server responds, the IOS enters Initial Configuration Mode (setup), a series of interactive questions intended for quick configuration of the router.
• If a startup-config is found in NVRAM, it is loaded into RAM and becomes the running configuration (running-config). RAM is volatile, so its contents are lost when the router is power-cycled.
Interfaces vs Lines
Cisco devices contain two different types of ports: interfaces and lines.
Interfaces connect routers and switches to each other. In other words, traffic is actually
routed or switched across interfaces. Some of the interfaces include:
• Serial interfaces
• Ethernet interfaces
• Fast Ethernet interfaces
• Token Ring interfaces
• ATM interfaces
• BRI/PRI interfaces
Interfaces are identified by both the type of interface and the interface number, which usually
begins with 0. Example: Ethernet 0, Serial 0. Other router families, such as the 3600 series,
are modular and have multiple slots for interfaces; on these routers the interfaces are
identified by both the module number and the interface number. Example: the second Serial
interface in the first modular slot would be identified as Serial0/1.
Lines identify ports that allow us to connect into, and then configure, Cisco devices. The most
common examples of lines include:
• Console ports
• Auxiliary ports
• VTY or telnet ports
Just like interfaces, lines are identified by both the type of line and the line number. Example:
the first console port on a router would be identified as Console0.
Every Cisco router or switch includes a console port, sometimes labeled on the device simply as
con. The console port is generally an RJ-45 connector and requires a rollover cable to connect
to it. The opposite end of the rollover cable connects to a PC's serial port using a serial
terminal adapter.
From the PC, software such as HyperTerminal is required to make a connection from the
local serial port to the router console port. The following settings are necessary for a
successful connection:
Cisco devices also include an auxiliary port, which is similar to a console port and can be
accessed using a rollover cable. Additionally, auxiliary ports support modem commands, thus
providing dial-in access to Cisco devices.
Telnet, and secured SSH, are the most common methods of remote access to routers and
switches. The standard edition of the IOS supports up to 5 simultaneous VTY connections.
Enterprise editions of the IOS support up to 255 VTY connections.
There are two requirements before a router/switch will accept a VTY connection:
Section 9
Cisco IOS Configuration
Cisco IOS
The Cisco IOS is stored in Flash on Cisco routers and Catalyst switches, in a .BIN file format.
It can be upgraded using one of several methods:
The IOS .bin file stored in flash follows a specific naming convention. Observe the following IOS
image: c3640-advipservicesk9-mz.121-3.S.bin
By default the first mode you enter when logged into a Cisco device is User EXEC mode. We
can identify the User EXEC mode by the prompt “>” after the device hostname:
Router>
In this mode no configuration can be changed or viewed. Only basic status information can be
viewed from this mode.
The next mode, Privileged EXEC mode, allows all configuration files, settings, and status
information to be viewed. We can identify the Privileged mode by the prompt “#” after the
device hostname:
Router#
Router> enable
Router#
Router# disable
Router>
Very little configuration can be done directly from Privileged mode.
To enter Global Configuration mode, type configure terminal from Privileged Mode:
Router# configure terminal
Router(config)#
Router(config)# exit
Router#
To configure an interface:
Router(config-if)#
To configure a line:
Router(config-line)#
Command                              Description
Router# show history                 Displays previously entered commands
Router# ?                            Displays all available commands in that mode
Router# cl?                          Displays all commands which start with cl
Router# clock ?                      Displays available options and arguments for that command
Router# show version                 Displays all info about the device, including the configuration register value
Router# show hardware                Similar to show version
Router# show protocols               Displays routed protocol information
Router# show ip protocols            Displays routing protocol information
Router# show running-config          Displays the active configuration (contents of RAM)
Router# show startup-config          Displays the startup configuration (contents of NVRAM)
Router# show terminal                Displays terminal information and history size
Router# show ip interface brief      Displays IP information for all interfaces
Router# show interface Fa0/0         Displays the status of a specific interface
Router# show ip route                Displays the routing table
Router# show process cpu             Displays CPU usage and interrupts
Router# show interfaces              Displays information about all interfaces
Router# show controllers serial 0    Displays information about DCE/DTE and clock rate
Router(config)# hostname R1                                  Changes the host name
Router(config-if)# description link is connected to TCL      Gives a description to the interface
Router(config)# banner motd #                                Creates a banner
Router# copy run start                                       Copies content from RAM to NVRAM
Router# copy start run                                       Copies content from NVRAM to RAM
Passwords can be configured on router lines, such as telnet (vty), console, and auxiliary ports.
To set or change the password for a console port and all telnet ports:
Router(config-line)# login
Router(config-line)# exec-timeout 0 0
Router(config-line)# login
Router(config-line)# exec-timeout 0 0
The exec-timeout 0 0 command is optional, and disables the automatic timeout of your
connection. The two zeroes represent the timeout value in minutes and seconds, respectively.
Thus, to set a timeout for 5 minutes and 20 seconds:
Router(config-line)# exec-timeout 5 20
The logging synchronous command is also optional, and prevents system messages from
interrupting your command prompt.
The enable password command sets an unencrypted password, while the enable secret command
sets an MD5-hashed password and is more secure. The enable password and enable secret
passwords cannot be the same.
By default line passwords are stored in clear-text in configuration files. To ensure that these
passwords are encrypted in all configuration files:
By default, all router interfaces are administratively shutdown. To take an interface out of
an administratively shutdown state:
Router(config-if)# no shutdown
On the DCE (Data Communication Equipment) side of a serial connection we must set the
speed, or clock rate, for the DTE (Data Terminal Equipment) side. Clock rate is in BPS (bits-
per-second).
To set the clock rate, if you are the DCE side of a serial connection:
Serial 0 is up, line protocol is up – The interface is up and running: both ends are sending
and receiving keepalives, and traffic can be routed across the interface. The first part of this
status, Serial0 is up, refers to the physical layer status of the interface. The second part,
line protocol is up, refers to the data-link layer status of the interface.
Serial 0 is down, line protocol is down – The interface is physically down, possibly because
of a defective or unplugged cable or a defective interface.
Serial 0 is up, line protocol is down – The line protocol, which refers to data-link layer
functions, is down. This may be because of:
• Absence of keepalives being sent or received
• Clock rate not set on the DCE side of a serial connection
• Different encapsulation types set on either side of the link
Serial 0 is administratively down, line protocol is down – The interface has been
administratively shut down.
Command                              Description
Router# show tech-support            Displays every config file and many show commands together
Router# debug ip packet              Displays real-time info on each and every packet
Router# debug all                    Debugs all possible options
Router# undebug all                  Stops all debug options
Router# ping 192.168.10.1            Checks connectivity to a particular IP
Router# traceroute 192.168.10.1      Checks hop-by-hop connectivity
Router# telnet 192.168.10.1          Telnets to a remote device
Router# exit
To return to the router you telnetted from, without exiting the session:
Section 10
Cisco Advanced IOS Configuration
• Baud Rate
• Boot Messages (enable/disable)
• Break (disable/ignore)
• Flash (read-only, read-write)
• NVRAM (use startup-config/bypass startup-config)
• The default config-register is 0x2102.
This configuration change does not take effect until the next reboot.
The Cisco IOS is stored in flash. Multiple IOS files can be loaded into flash, assuming there is
enough free space. You can view available free space, and the name of any file(s) in flash, by
typing:
CDP - Cisco Discovery Protocol
CDP is a Cisco proprietary protocol used to collect information about locally attached Cisco
switches and routers. CDP is enabled by default on all routers and switches, sends out
updates every 60 seconds, and uses a hold time of 180 seconds. CDP is also used to convey
voice VLAN information.
CDP will provide the following information about directly connected neighbors:
Command                                Description
Router# show cdp                       Displays CDP timer and hold-down information
Router# show cdp neighbors             Displays neighbor information
Router# show cdp traffic               Displays CDP traffic statistics
Router# show cdp interface             Displays CDP interface and port information
Router(config)# no cdp run             Disables CDP globally
Router(config-if)# no cdp enable       Disables CDP on an interface
Section 11
Routing Fundamentals
Routing is performed by a router or a Layer 3 switch, which forwards information from one
network to another. Devices choose paths based on the destination network, not the
destination host.
To determine the best route to a destination, a router considers three aspects, in this order:
prefix length of the network, metric, and administrative distance.
Prefix length is the number of bits used to identify the network, and is used to determine the
most specific route. A longer prefix length indicates a more specific route.
Example: suppose a destination host address is matched by all three of the following routes in
the routing table:
172.16.0.0/16
172.16.1.0/24
172.16.1.0/26
The router does a bit-by-bit comparison to find the most specific route, i.e. the longest
matching prefix. Since 172.16.1.0/26 is the most specific network, that route will be used,
irrespective of the metric or administrative distance.
Metric allows a router to choose the best path within a routing protocol; that is, it chooses
the best among two or more paths offered by the same routing protocol. Distance-vector routing
protocols use distance and direction as their metric. Link-state protocols use cost as their
metric. Example: RIP uses hop count as its metric, so if there are two paths to a particular
destination with hop counts of 2 and 3 respectively, the best path is the one with fewer hops
(2 hops), since it has the lower metric. Only routes with the best metric are added to the
routing table. If multiple equal-metric routes exist to a particular network, most routing
protocols will load-balance across them.
Administrative Distance is used to determine which routing protocol to trust the most.
This parameter comes into play when two or more routing protocols are used; the lowest
administrative distance always wins. If a router receives a route to the same network from
both RIP and OSPF, it uses Administrative Distance to determine which routing path to choose.
So always remember that the best path to a destination is selected first by the longest prefix
length, then by the metric, and finally by the AD between routing protocols.
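Worked example (added here; not from the original handout): the three-step selection above, written out in Python. Route installation keeps, per prefix, only the protocol with the lowest AD and then only the best-metric route(s) from that protocol (equal-metric routes are kept together for load balancing); the lookup then picks the longest matching prefix. The routing table is constructed for this example and includes the three 172.16.x prefixes from the text plus a few extra entries (the ADs 110 for OSPF and 120 for RIP are the Cisco defaults).

```python
import ipaddress

# Constructed candidate routes: (prefix, administrative distance, metric, next hop, protocol).
ROUTES = [
    ("172.16.0.0/16", 120, 3, "10.0.0.1", "RIP"),
    ("172.16.1.0/24", 110, 20, "10.0.0.2", "OSPF"),
    ("172.16.1.0/26", 120, 2, "10.0.0.3", "RIP"),
    ("172.16.1.0/26", 120, 5, "10.0.0.4", "RIP"),    # worse RIP metric, not installed
    ("172.16.2.0/24", 110, 30, "10.0.0.5", "OSPF"),  # lower AD beats RIP's better metric
    ("172.16.2.0/24", 120, 1, "10.0.0.6", "RIP"),
    ("172.16.3.0/24", 120, 2, "10.0.0.7", "RIP"),    # two equal-metric RIP routes:
    ("172.16.3.0/24", 120, 2, "10.0.0.8", "RIP"),    # both installed, load-balanced
]


def install_routes(candidates):
    """Build the routing table: per prefix, lowest AD wins; within that protocol,
    every route sharing the best metric is installed (equal-cost load balancing)."""
    by_prefix = {}
    for route in candidates:
        by_prefix.setdefault(route[0], []).append(route)
    table = []
    for routes in by_prefix.values():
        best_ad = min(r[1] for r in routes)
        same_protocol = [r for r in routes if r[1] == best_ad]
        best_metric = min(r[2] for r in same_protocol)
        table.extend(r for r in same_protocol if r[2] == best_metric)
    return table


def lookup(table, destination):
    """Longest-prefix match: return the installed route(s) with the most specific
    prefix containing `destination`; an empty list means the packet is dropped."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in ipaddress.ip_network(r[0])]
    if not matches:
        return []
    longest = max(ipaddress.ip_network(r[0]).prefixlen for r in matches)
    return [r for r in matches if ipaddress.ip_network(r[0]).prefixlen == longest]


if __name__ == "__main__":
    table = install_routes(ROUTES)
    for dst in ("172.16.1.10", "172.16.1.100", "172.16.2.5", "172.16.200.1", "10.1.1.1"):
        print(dst, "->", lookup(table, dst) or "no route (dropped)")
```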
STATIC ROUTING:
There are two basic methods of building a routing table: Statically or Dynamically.
A static routing table is created, maintained, and updated manually by a network
administrator.
Static routes have an AD of 1 and will always be preferred over dynamic routes, unless the
default AD is changed. A static route with an adjusted AD is called a floating static route.
DYNAMIC ROUTING
Link-state protocols do not send periodic updates; instead, they exchange updates only when
there is a topology change.
Link-state protocols maintain three separate tables:
• Neighbor table – contains a list of all neighbors and the interface on which each neighbor
is connected. Neighbors are formed by sending Hello packets.
• Topology table – contains a map of all links within an area, including each link's status.
• Routing table – contains the best routes to each particular destination.
Link-state protocols can converge very quickly and are immune to routing loops. Additionally,
because updates are sent only during a link-state change and contain only the change rather
than the full table, link-state protocols are less bandwidth intensive than distance-vector
protocols. Link-state protocols do, however, use more RAM and CPU on the router itself.
Link-state protocols use a metric of cost, usually based on bandwidth, to calculate a route's
metric. The Dijkstra algorithm is used to determine the shortest path.
Classful routing protocols do not send subnet mask information along with their routing
updates.
• If the router has a directly connected interface belonging to the same major
network, it will apply the same subnet mask as that of the interface on which it
received.
• If the router does not have any interfaces belonging to the same major network, it
will apply the classful subnet mask to the route once it is received.
• Classful routing protocol does not support VLSM (Variable Length Subnet Masks).
Examples of Classful routing protocol are RIP v1, IGRP.
• Always ensure that if networks are subnetted then all are in the same major
network and using the same subnet mask.
Classless routing protocols do send the subnet mask with their updates, and therefore support
VLSM. Examples: RIP v2, EIGRP, OSPF, IS-IS.
Router(config)# ip classless
Section 12
STATIC ROUTING
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
RouterA has 192.168.20.0/24 and 192.168.30.0/24 networks in its routing table as directly-
connected routes.
To add a static route on RouterA to reach the 192.168.40.0/24 network via RouterB:
RouterA(config)# ip route 192.168.40.0 255.255.255.0 192.168.30.2
RouterB(config)# ip route 192.168.20.0 255.255.255.0 192.168.30.1
A static route configured using an exit interface always has an Administrative Distance of 0,
whereas a static route configured with a next-hop address has the default AD of 1.
Floating Static Routing:
The Administrative Distance of a static route can be changed to create a floating static route. A
floating static route is often used as a backup route to a dynamic routing protocol.
Static routes will only remain in the routing table as long as the interface connecting to the
next-hop router is up. To ensure a static route remains permanently in the routing table, even if
the next-hop interface is down:
Static routes can be used to discard traffic to specific networks by sending that traffic to a
logical null interface:
If a specific route to a particular network does not exist in the routing table the router will
drop all traffic destined to that network.
A default route, or gateway of last resort, allows traffic to be forwarded, even when a specific
route to that particular network is not there in the routing table.
The default route is identified by all zeros in both the network and the subnet mask, that is,
0.0.0.0 0.0.0.0.
The term "gateway of last resort" is used because this route is consulted last, and is used
only if a more specific route does not exist.
Section 13
RIP is an Open standard Distance Vector protocol that means it can be used on multiple
vendor environments. RIP is used for smaller networks.
RIP v1                                                  RIP v2
Classful                                                Classless
Does not support VLSM                                   Supports VLSM
Sends updates as broadcast                              Sends updates as multicast to 224.0.0.9
Max hop count 15                                        Max hop count 15
Does not support authentication of routing updates     Supports authentication of routing updates
RIP v1 routers send only version 1 packets              RIP v2 routers send only version 2 packets
RIP v1 routers receive both version 1 and 2 updates    RIP v2 routers receive only version 2 updates
RIP Loop Avoidance Mechanisms
RIP, as a Distance Vector routing protocol, is susceptible to loops due to its slow convergence.
Let's assume no loop avoidance mechanisms are configured on either router.
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
As in the above example, if the 192.168.40.0 network fails, Router B will send an update to
Router A within 30 seconds, when its update timer expires, informing Router A that the route is
unreachable with a metric of 16. But if an update from Router A reaches Router B before Router B
sends its update, Router A still believes it can reach the 192.168.40.0 network in one hop
through Router B. This update causes Router B to believe it can reach the failed 192.168.40.0
network in two hops, through Router A. Both routers then continue to increment the metric for
the network until they reach a hop count of 16, which is unreachable. This behavior is known as
counting to infinity.
Split-Horizon – Prevents a routing update from being sent out the interface on which it was
received. In our above example, this would prevent Router A from sending an update for the
192.168.40.0 network back to Router B, as it originally learned the route from Router B. Split-
horizon is enabled by default on Cisco Routers.
Hold-Down Timers – Prevents RIP from accepting any new updates for routes in a hold-
down state, until the hold-down timer expires. If Router A sends an update to Router B with a
higher metric than what is currently in Router B's routing table, that route will be placed in a
hold-down state.
RIP Timers:
The timers basic command allows us to change the update, invalid, hold-down, and flush timers.
RIP Configuration:
Router(config)# router rip
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
The first command, router rip, enables the RIP process. The network statements tell RIP which
networks you wish to advertise to other RIP routers.
To enable RIP v2
RouterA(config)# router rip
RouterA(config-router)# version 2
Even when a router sends RIPv2 updates, by default it still summarizes networks to their
classful boundary. Thus, RIPv2 acts like RIPv1 unless we disable auto-summarization:
Section 14
As shown in the diagram RouterA has three paths to reach the Destination Network RouterH,
either through Router B, C, or D. If we sum up the metrics to form a distance, we can
determine the following:
• RouterB's Feasible Distance to the Destination Network is 10.
• RouterC's Feasible Distance to the Destination Network is 25.
• RouterD's Feasible Distance to the Destination Network is 11.
When RouterB sends an update to RouterA, it provides an Advertised Distance of 10 to the
Destination Network. RouterC provides an AD of 25, and RouterD provides an AD of 11.
RouterA calculates the total distance to the Destination Network by adding the AD of the
advertising router to its own distance to reach that advertising router. For example,
RouterA's metric to RouterB is 9; thus, the total distance to reach the Destination Network
through RouterB is 19.
From RouterA the successor route must be the route with the lowest metric. If we add the
Advertised Distance with the local metric between each router, we would see that:
• The route through RouterB has a distance of 19 to the destination
• The route through RouterC has a distance of 30 to the destination
• The route through RouterD has a distance of 14 to the destination
Hence route through RouterD (metric of 14) would become the Feasible Distance for
RouterA, and is added to the routing table as the best route.
To allow convergence to occur quickly if a link fails, EIGRP includes backup routes in the
topology table called Feasible Successors (FS). A route will only become a Successor if its
Advertised Distance is less than the current Feasible Distance. This is known as a Feasible
Condition (FC).
For example, we determined that RouterA's Feasible Distance to the destination is 14, through
RouterD. RouterC's Advertised Distance is 25, and thus would not become a feasible
successor, as it has a higher metric than RouterA's current Feasible Distance. Routes that are
not Feasible Successors become route Possibilities. RouterB's Advertised Distance is 8, which
is less than RouterA's current Feasible Distance. Thus, the route through RouterB to the
Destination Network would become a Feasible Successor. Feasible Successors provide EIGRP
with redundancy, without forcing routers to re-converge (thus stopping the flow of traffic)
when a topology change occurs. If no Feasible Successor exists and a link fails, a route will enter
an Active (converging) state until an alternate route is found.
Packet Type            Delivery
Hello                  Multicast
Update                 Unicast or Multicast
Query                  Multicast
Reply                  Unicast
Acknowledgement        Unicast
EIGRP Metrics
EIGRP can utilize 5 separate metrics to determine the best route to a destination:
By default it uses only K1 and K3, that is, bandwidth and delay, as the cumulative metric. The
MTU value is never actually used to calculate the metric. By default the formula is
[10000000/bandwidth + delay] * 256. The complete formula is:
[K1 * bandwidth * 256 + (K2 * bandwidth) / (256 - load) + K3 * delay * 256] * [K5 / (reliability
+ K4)]
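Worked example (added here; not from the original handout): the metric formula above computed in Python, using the IOS conventions that "bandwidth" means 10^7 divided by the lowest bandwidth on the path in Kbps and "delay" means the cumulative delay in tens of microseconds, both in integer arithmetic. When K5 is 0 (the default) IOS omits the reliability factor rather than multiplying by zero; the code does the same. The T1 and FastEthernet figures in the test are the well-known default results for those interface types; the two-link path is a constructed example.

```python
DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 defaults: bandwidth and delay only


def eigrp_metric(min_bandwidth_kbps, total_delay_usec, load=1, reliability=255, k=DEFAULT_K):
    """Classic EIGRP composite metric.

    min_bandwidth_kbps : lowest bandwidth along the path, in Kbps
    total_delay_usec   : sum of interface delays along the path, in microseconds
    load, reliability  : 1..255 (255 = fully reliable / 1 = minimal load)
    """
    k1, k2, k3, k4, k5 = k
    bandwidth = 10_000_000 // min_bandwidth_kbps   # scaled inverse bandwidth
    delay = total_delay_usec // 10                 # tens of microseconds
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:  # reliability factor only applies when K5 is non-zero (IOS behaviour)
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(links, **kwargs):
    """Metric for a multi-hop path given [(bandwidth_kbps, delay_usec), ...] per link:
    bandwidth is the path minimum, delay is cumulative."""
    min_bw = min(bw for bw, _ in links)
    total_delay = sum(dly for _, dly in links)
    return eigrp_metric(min_bw, total_delay, **kwargs)


if __name__ == "__main__":
    print("T1 serial (1544 Kbps, 20000 usec):", eigrp_metric(1544, 20000))
    print("FastEthernet (100000 Kbps, 100 usec):", eigrp_metric(100000, 100))
    # Constructed two-link path: FastEthernet then T1 serial
    print("FastEthernet + T1 path:", path_metric([(100000, 100), (1544, 20000)]))
```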
EIGRP Configuration:
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1- 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1- 192.168.40.1 /24
The first command, router eigrp 100, enables the EIGRP process. The 100 indicates the
Autonomous System number. The Autonomous System number can range from 1 to 65535.
Only other EIGRP routers in Autonomous System 100 will form neighbor adjacencies and share
updates with this router.
An EIGRP route can exist in one of two states, in the topology table:
• Active state
• Passive State
A Passive state indicates that a route is reachable, and that EIGRP is fully converged. A stable
working EIGRP network will have all routes in a Passive state.
Stuck in Active (SIA)
Routes will become Stuck-in-Active (SIA) when a router sends out an EIGRP Query packet, but
does not receive an EIGRP Reply packet within three minutes. In other words, a route will
become SIA if EIGRP fails to re-converge.
EIGRP Load-Balancing
By default, EIGRP automatically load-balances across equal-metric routes: four by default, six
maximum, depending on the IOS. EIGRP also supports load-balancing across routes with an
unequal metric using the variance command. The variance command assigns a multiplier X; the
Successor's Feasible Distance is multiplied by X, and load is balanced across all feasible paths
whose metric is less than or equal to the value calculated.
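Worked example (added here; not part of the original handout) covering both the Successor / Feasible Successor selection from Section 14 and the variance rule above. The neighbour data is taken from the text: Advertised Distances of 10, 25 and 11 for RouterB, RouterC and RouterD, and RouterA's metric of 9 to RouterB; RouterA's metrics to RouterC (5) and RouterD (3) are inferred from the totals of 30 and 14 the text gives.

```python
# RouterA's view of one destination, constructed from the handout's example:
# neighbour -> (Advertised Distance to the destination, RouterA's metric to that neighbour)
NEIGHBORS = {
    "RouterB": (10, 9),
    "RouterC": (25, 5),   # local metric inferred from the stated total of 30
    "RouterD": (11, 3),   # local metric inferred from the stated total of 14
}


def dual(neighbors, variance=1):
    """DUAL route selection for one destination.

    neighbors: {name: (advertised_distance, local_metric_to_neighbor)}
    variance:  multiplier set with the 'variance' command (1 = equal-cost only)
    """
    totals = {n: ad + local for n, (ad, local) in neighbors.items()}
    # Successor: the neighbour giving the lowest total; that total is our Feasible Distance.
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    # Feasibility Condition: a backup's Advertised Distance must be strictly less than our FD.
    feasible = [n for n in neighbors if n != successor and neighbors[n][0] < fd]
    # Anything failing the condition is only a "possibility"; using it needs re-convergence.
    possibilities = [n for n in neighbors if n != successor and n not in feasible]
    # Unequal-cost load balancing: feasible successors whose total is within variance * FD.
    paths = sorted([successor] + [n for n in feasible if totals[n] <= variance * fd])
    return {
        "totals": totals,
        "feasible_distance": fd,
        "successor": successor,
        "feasible_successors": feasible,
        "possibilities": possibilities,
        "paths": paths,
    }


if __name__ == "__main__":
    for v in (1, 2):
        print(f"variance {v}:", dual(NEIGHBORS, variance=v))
```

With the default variance of 1 only RouterD (total 14) carries traffic; RouterB (total 19) is a Feasible Successor held in the topology table, and becomes a load-balanced path once variance 2 allows totals up to 28. RouterC's Advertised Distance of 25 exceeds the Feasible Distance, so it is never eligible regardless of variance.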
Command                                                 Description
Router(config-if)# ip hello-interval eigrp 100 8        Changes the hello interval to 8 seconds for AS 100
Router(config-if)# ip hold-time eigrp 100 24            Changes the hold (dead) interval to 24 seconds for AS 100
Router(config-router)# no auto-summary                  Disables auto-summarization
RouterC(config-router)# passive-interface s0            Suppresses EIGRP updates out of the interface; no neighbor relationship will form on it
Router(config-if)# bandwidth 64000                      Changes the bandwidth on an interface
Router(config-if)# ip bandwidth-percent eigrp 10 30     Limits EIGRP usage of bandwidth on an interface
Router(config-if)# delay 10000                          Changes the delay on an interface
RouterA(config-router)# variance 2                      Used for unequal-cost load balancing
Router# show ip eigrp neighbor                          Views the EIGRP neighbor table
Router# show ip eigrp topology                          Views the EIGRP topology table
Router# show ip eigrp traffic                           Views EIGRP traffic sent and received
Router# debug eigrp neighbors                           Debugs EIGRP neighbor events
Router# debug eigrp packet                              Debugs EIGRP packets
Router# debug eigrp route                               Debugs EIGRP route events
Router# debug eigrp summary                             Debugs EIGRP summary routes
Section 15
Different OSPF router types:
• OSPF forms neighbor relationships, called adjacencies, with other routers in the
same Area by exchanging Hello packets to multicast address 224.0.0.5. Only after an
adjacency is formed can routers share routing information. Each OSPF router is
identified by a unique Router ID. The Router ID can be configured in three ways:
• The Router ID can be manually specified.
• If not manually specified, the highest IP address configured on any Loopback
interface on the router will become the Router ID.
• If no loopback interface exists, the highest IP address configured on any Physical
interface will become the Router ID.
• By default, Hello packets are sent out OSPF-enabled interfaces every 10 seconds
for broadcast and point-to-point interfaces, and 30 seconds for non-broadcast and
point-to-multipoint interfaces. Dead interval is four times the hello interval, that
means dead interval on a broadcast or point-to-point interface is 40 where as on a
non-broadcast and point-to-multipoint interface is 120.
• OSPF routers will form adjacency only if the following parameters within a Hello
packet are same on each router:
Area ID
Authentication
Subnet Mask
Hello Interval
Dead Interval
In multi-access networks such as Ethernet, we will have many neighbor relationships on the
same physical segment. As in the above example, there are five routers connected to the same
multi-access segment. The total number of neighbor relationships would be n(n-1)/2, where
n is the number of routers, so we require 10 separate adjacencies for a fully meshed
network. As the number of devices increases, this leads to unnecessary Link State Advertisement
(LSA) traffic. Moreover, if a link on one of the routers fails, it floods this information to
all neighbors, and each neighbor in turn floods that same information to all other neighbors.
This wastes bandwidth and processor load. To prevent this, OSPF elects a Designated Router
(DR) for each multi-access network, reached via multicast address 224.0.0.6. For redundancy,
a Backup Designated Router (BDR) is also elected.
OSPF routers form adjacencies with the DR and BDR. If a change occurs to a link, the update is
forwarded only to the DR, which then forwards it to all other routers. This greatly reduces the
flooding of LSAs. DR and BDR elections are determined by a router's OSPF priority, which is
configured on a per-interface basis. The router with the highest priority becomes the DR; the
second highest becomes the BDR. If priorities are the same, the tie-breaker is the Router ID:
the router with the highest Router ID becomes the DR.
The default priority on Cisco routers is 1.
A priority of 0 prevents the router from being elected DR or BDR.
Example: as per the above diagram, RouterE will be the DR and RouterD will be the BDR.
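Worked example (added here; not from the original handout): Python functions for the Router ID selection order (manual, then highest loopback address, then highest physical address), the DR/BDR election (highest priority, ties broken by highest Router ID, priority 0 ineligible) and the n(n-1)/2 adjacency count. The five-router segment is constructed so that the outcome matches the text's example (RouterE as DR, RouterD as BDR); the priorities and Router IDs used are assumptions, since the handout's diagram is not reproduced here.

```python
import ipaddress


def router_id(manual=None, loopbacks=(), physical=()):
    """Pick the OSPF Router ID: manual setting first, otherwise the highest
    IP on any loopback interface, otherwise the highest IP on any physical interface."""
    if manual:
        return manual
    for pool in (loopbacks, physical):
        if pool:
            return str(max(ipaddress.ip_address(addr) for addr in pool))
    raise ValueError("no IP address available to derive a Router ID")


def elect_dr_bdr(routers):
    """routers: {name: (priority, router_id)} for one multi-access segment.
    Highest priority wins; equal priorities are broken by the highest Router ID;
    priority 0 makes a router ineligible. Returns (dr, bdr), None where no candidate.
    Note: this models a fresh election; a real election is not pre-emptive, so a
    router that joins later does not displace an existing DR."""
    eligible = [(prio, ipaddress.ip_address(rid), name)
                for name, (prio, rid) in routers.items() if prio > 0]
    eligible.sort(reverse=True)  # tuple order: priority, then Router ID
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


def full_mesh_adjacencies(n):
    """Adjacencies needed for n routers on one segment without a DR: n(n-1)/2."""
    return n * (n - 1) // 2


# Constructed segment (assumed values): RouterC opts out with priority 0,
# RouterE has the highest priority, RouterD wins the priority-1 tie on Router ID.
SEGMENT = {
    "RouterA": (1, "1.1.1.1"),
    "RouterB": (1, "2.2.2.2"),
    "RouterC": (0, "9.9.9.9"),
    "RouterD": (1, "4.4.4.4"),
    "RouterE": (2, "3.3.3.3"),
}

if __name__ == "__main__":
    print("Router ID:", router_id(loopbacks=["10.0.0.1", "172.16.0.1"],
                                  physical=["192.168.1.1"]))
    print("DR/BDR:", elect_dr_bdr(SEGMENT))
    print("adjacencies without a DR:", full_mesh_adjacencies(len(SEGMENT)))
```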
As neighbor adjacencies are formed, they will progress through several “states,” including:
State        Description
Down         No Hellos have been heard from the neighboring router.
Init         A Hello packet has been heard from the neighbor, but two-way communication has not yet been established.
2-Way        Indicates neighbor adjacency; reached when a router sees its own Router ID in its neighbor's Hello packet. The DR and BDR are also elected in this state.
ExStart      Master/slave relationships are formed between routers to determine which one will begin the exchange.
Exchange     Routers exchange Database Descriptors (DBDs). DBDs contain a description of the router's topology database. A router examines a neighbor's DBD to determine whether it has information to share.
Loading      Exchange of Link State Advertisements, containing information about all links connected to each router. Essentially, routers share their topology tables by sending and receiving LSUs.
Full         Routers are fully synchronized and have exchanged LSAcks.
LSA TYPES:
OSPF Configuration:
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1 – 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1 – 192.168.40.1 /24
The 100 in the router ospf statement is the OSPF process ID. It is locally significant and
can differ on each router; it exists so that several OSPF processes can run on the same router.
The network statement takes a wildcard mask rather than a subnet mask. With OSPF we do not
advertise networks as such: the network statement enables OSPF on every interface whose
address matches and places that interface in the specified area, so that routers on the
segment can form neighbor relationships. In a wildcard mask a 0 bit must match and a 1 bit is
"don't care", so 0.0.0.255 means the first three octets must match and the last octet can be
any value. A statement that is broader than intended enables OSPF, and Hello exchange, on
interfaces that should never run it, so match as narrowly as possible.
The first network statement places interface Fa0/0 on RouterA into Area 1, and the second
network statement places interface Fa0/1 on RouterA into Area 0. We could also have written
the network statement more specifically like
In order for RouterB to form a neighbor relationship with RouterA, its connecting interface
must be put in the same area and the same subnet as RouterA:
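How the network statement selects interfaces, as an added Python example (not code from the handout). The interface addresses are those listed above for RouterA and RouterB; the network statements themselves are an assumed reconstruction consistent with the text, and the example goes one step beyond it by also showing a careless catch-all statement and the adjacency check between the two routers.

```python
# Added example (not from the handout): how an OSPF "network <address> <wildcard>
# area <n>" statement selects interfaces. Wildcard bit 0 = must match, bit 1 = don't
# care. Interface addresses are those of RouterA/RouterB in the text; the network
# statements are an assumed reconstruction consistent with the text.
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Optional, Tuple

NetworkStmt = Tuple[str, str, int]  # (address, wildcard mask, area)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if every bit that is 0 in the wildcard is identical in addr and base."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def assign_areas(interfaces: Dict[str, str],
                 stmts: List[NetworkStmt]) -> Dict[str, Optional[int]]:
    """interfaces: {name: 'ip/prefixlen'}. Statements are evaluated in order and
    the first match wins (IOS behaviour); None = OSPF not enabled on that interface."""
    areas: Dict[str, Optional[int]] = {}
    for name, cidr in interfaces.items():
        ip = str(IPv4Interface(cidr).ip)
        areas[name] = next((area for base, wc, area in stmts
                            if wildcard_match(ip, base, wc)), None)
    return areas


def can_form_adjacency(a_cidr: str, a_area: Optional[int],
                       b_cidr: str, b_area: Optional[int]) -> bool:
    """Two directly connected interfaces need OSPF enabled, the same area and the
    same subnet (Hello timers and authentication are not modelled here)."""
    same_subnet = IPv4Interface(a_cidr).network == IPv4Interface(b_cidr).network
    return same_subnet and a_area is not None and a_area == b_area


ROUTER_A = {"Fa0/0": "192.168.20.1/24", "Fa0/1": "192.168.30.1/24"}
ROUTER_B = {"Fa0/0": "192.168.30.2/24", "Fa0/1": "192.168.40.1/24"}

# Assumed statements for RouterA, as described in the text: Fa0/0 -> area 1, Fa0/1 -> area 0
STMTS_A: List[NetworkStmt] = [("192.168.20.0", "0.0.0.255", 1),
                              ("192.168.30.0", "0.0.0.255", 0)]
# The more specific form: a 0.0.0.0 wildcard matches exactly one interface address
STMTS_B_SPECIFIC: List[NetworkStmt] = [("192.168.30.2", "0.0.0.0", 0),
                                       ("192.168.40.1", "0.0.0.0", 1)]
# A careless catch-all: enables OSPF on every interface and puts them all in area 1
STMTS_B_SLOPPY: List[NetworkStmt] = [("0.0.0.0", "255.255.255.255", 1)]


def adjacency_on_fa0_1(stmts_b: List[NetworkStmt]) -> bool:
    """Does RouterB, configured with stmts_b, form a neighbor with RouterA on the
    192.168.30.0/24 link?"""
    area_a = assign_areas(ROUTER_A, STMTS_A)["Fa0/1"]
    area_b = assign_areas(ROUTER_B, stmts_b)["Fa0/0"]
    return can_form_adjacency(ROUTER_A["Fa0/1"], area_a, ROUTER_B["Fa0/0"], area_b)


if __name__ == "__main__":
    print(assign_areas(ROUTER_A, STMTS_A))           # {'Fa0/0': 1, 'Fa0/1': 0}
    print(adjacency_on_fa0_1(STMTS_B_SPECIFIC))      # True
    print(adjacency_on_fa0_1(STMTS_B_SLOPPY))        # False: area mismatch on the link
```

The catch-all statement is the one to watch for in a review: it silently enables OSPF on every interface of the router, including any that face hosts or untrusted networks, which is why passive-interface on such interfaces is part of a baseline configuration.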
OSPF COMMAND REFERENCES
Command – Description
RouterC(config-router)# passive-interface s0 – Stops sending and receiving Hellos on s0, so
no neighbor relationship can form on it; the interface's network is still advertised. Use it
on every interface that faces hosts or untrusted networks.
RouterC(config-router)# router-id 1.1.1.1 – Manually specifies the Router ID.
RouterC(config-router)# area 1 virtual-link 3.3.3.3 – Creates a virtual link through area 1
to the router with Router ID 3.3.3.3, as a workaround to logically connect an area that is not
physically adjacent to Area 0.
Router(config-if)# bandwidth 64000 – Changes the bandwidth value of an interface (in kbps),
from which OSPF derives its cost.
Router(config-if)# ip ospf cost 5 – Sets the OSPF cost of an interface directly.
Router(config-router)# auto-cost reference-bandwidth 100 – Changes the reference
bandwidth (in Mbps) used to calculate the metric; set the same value on every router in the
domain.
Router(config-if)# ip ospf priority 2 – Changes the OSPF DR/BDR priority of an interface.
Router# show ip ospf neighbor – Displays the neighbor table.
Router# show ip ospf database – Displays the link-state database.
Router# show ip ospf 100 – Displays information about a specific OSPF process.
Router# show ip ospf interface fa0/0 – Displays the OSPF settings of an interface (area,
cost, priority, DR/BDR, timers).
Router# debug ip ospf adj
Router# debug ip ospf events
Router# debug ip ospf hello – Debug OSPF adjacency formation, events and Hellos in real
time (debugging is CPU-intensive on a production router; turn it off with undebug all).
Section 16 VLANs
As in the above diagram, six computers are connected to a Layer 2 switch. PC1, PC3 and PC5
belong to VLAN 1, and PC2, PC4 and PC6 belong to VLAN 2. Since PC1, PC3 and PC5 belong
to the same VLAN, IP subnet and broadcast domain, they can communicate with each other
without the need of a router. Similarly, PC2, PC4 and PC6 belong to the same VLAN, IP subnet
and broadcast domain and can communicate with each other without a router. But PC1, PC3
and PC5 will not be able to communicate with PC2, PC4 or PC6, as they belong to separate
VLANs and separate IP subnets. Broadcasts from VLAN 1 will never go out ports configured
for VLAN 2. A router is necessary for the two VLANs to communicate.
Most Catalyst multi-layer switches have integrated or modular routing processors. Otherwise,
an external router is required for inter-VLAN communication.
By default on Cisco Catalysts, every port on every switch belongs to VLAN 1. VLAN 1 is also
considered the management VLAN. Because every unconfigured port lands in VLAN 1, it is
good practice not to carry user data or management traffic on VLAN 1, to move unused ports
into an unused VLAN and shut them down, and to put management in a dedicated VLAN.
Advantages of VLAN:
VLAN Membership
Statically – One or more switch ports are manually assigned to a VLAN. Any device
connecting to one of these switch ports becomes a member of that VLAN.
Dynamically – Devices are automatically assigned to a VLAN based on their MAC address.
Cisco developed a dynamic VLAN product called the VLAN Membership Policy Server
(VMPS). In more sophisticated systems, a user's network account can be used to determine
VLAN membership. A MAC address is trivially forged, so MAC-based assignment is a
convenience rather than an access control; account-based assignment is the stronger option.
There are two types of ports supported on a VLAN-enabled switch: access ports and trunk
ports.
An access port belongs to only one VLAN. Host devices, such as computers and printers, plug
into access ports. A host automatically becomes a member of the VLAN to which the switch
port is assigned. This is done transparently, and the host is usually unaware of the VLAN
infrastructure. By default, a switch port behaves as an access port unless a trunk is
negotiated (see DTP below).
Trunk ports do not belong to a single VLAN. Any or all VLANs can traverse trunk links to
reach other switches. Only Fast Ethernet or Gigabit Ethernet ports can be used as trunk links.
VLAN Frame-Tagging
On trunk links, switches need to differentiate frames according to the VLAN each belongs to.
Frame tagging places a VLAN ID in each frame, identifying which VLAN the frame belongs
to. Tagging occurs only when a frame is sent out a trunk port; the tag is removed before the
frame is sent out an access port.
Cisco switches support two frame-tagging protocols, Inter-Switch Link (ISL) and IEEE 802.1Q.
Inter-Switch Link (ISL) is Cisco's proprietary frame-tagging protocol, and supports Ethernet,
Token Ring, FDDI and ATM frames. ISL encapsulates the original frame with an additional
header (26 bytes) and trailer (4 bytes), increasing the size of an Ethernet frame by 30 bytes.
The header carries a 15-bit VLAN ID. Because ISL increases the size of a frame, non-Cisco
devices will drop ISL-tagged frames: many devices enforce a maximum Ethernet frame size
(usually 1518 bytes), and ISL frames can be as large as 1548 bytes, so they are treated as
"giants" or as corrupt.
IEEE 802.1Q is an open-standard frame-tagging protocol supported by most switch
manufacturers, including Cisco. Instead of adding an extra header and trailer, 802.1Q
inserts a 4-byte tag into the Layer 2 frame header, between the source MAC address and the
EtherType field. The tag consists of a 2-byte Tag Protocol Identifier (0x8100) and a 2-byte Tag
Control Information field holding a 3-bit priority, a 1-bit CFI/DEI flag and the 12-bit VLAN ID.
This still increases the maximum frame size from 1518 bytes to 1522 bytes, which most
devices accept. Frames belonging to the native VLAN of a trunk are sent untagged.
ISL or 802.1Q tagging can either be configured manually on Catalyst trunk ports, or negotiated
dynamically using Cisco's proprietary Dynamic Trunking Protocol (DTP).
A port can be placed into a dynamic trunk mode (dynamic desirable or dynamic auto) or into a
static mode (trunk or access). The two ends of a link need not be in the same mode: a trunk
forms whenever at least one end is trunk or desirable and the other end is not set to access.
Because a port left in a dynamic mode will negotiate a trunk with whatever is plugged into it,
ports facing hosts should be set to access mode with negotiation disabled (switchport
nonegotiate), and trunks should be configured statically on both ends.
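The 802.1Q tag layout and the 1518 to 1522 byte growth described above, as an added Python example (not code from the handout). Going a step beyond the text, it also handles stacked tags and shows what happens when a switch strips the outermost tag on egress. MAC addresses and payloads are constructed.

```python
# Added example (not from the handout): building and parsing IEEE 802.1Q tags.
# The 4-byte tag sits between the source MAC and the EtherType: TPID 0x8100, then
# TCI = 3-bit priority | 1-bit CFI/DEI | 12-bit VLAN ID. It also shows the 1518 ->
# 1522 byte growth discussed in the text and, going beyond it, stacked tags and what
# a switch does when it strips the outer tag on egress. MACs/payloads are constructed.
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
FCS_LEN = 4
MAX_UNTAGGED_FRAME = 1518  # 14-byte header + 1500-byte payload + 4-byte FCS


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes,
                vlans: Tuple[int, ...] = (), pcp: int = 0) -> bytes:
    """Ethernet II frame without FCS; vlans lists tag VIDs outermost first."""
    tags = b""
    for vid in vlans:
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} out of range")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)  # CFI/DEI bit left at 0
        tags += struct.pack("!HH", TPID_8021Q, tci)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], int, int]:
    """Return (VIDs outer->inner, final EtherType, offset of the payload)."""
    vids: List[int] = []
    off = 12
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype != TPID_8021Q:
            return vids, ethertype, off + 2
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def wire_size(frame: bytes) -> int:
    """Size as seen by a NIC or switch: the FCS is appended on transmission."""
    return len(frame) + FCS_LEN


def exceeds_untagged_max(frame: bytes) -> bool:
    """A device that does not understand tags treats a 1522-byte frame as a giant."""
    return wire_size(frame) > MAX_UNTAGGED_FRAME


def strip_outer_tag(frame: bytes) -> bytes:
    """What a switch does on egress to an access port or to the trunk's native VLAN:
    the outermost tag is removed. If a second tag was stacked underneath, the next
    switch sees that inner tag as the frame's VLAN."""
    vids, _, _ = parse_tags(frame)
    if not vids:
        return frame
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    data = bytes(1500)  # constructed maximum-size payload
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", data, vlans=(100,))
    print(parse_tags(tagged)[0], wire_size(tagged))        # [100] 1522
    double = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"x", vlans=(1, 200))
    print(parse_tags(strip_outer_tag(double))[0])          # [200]
```

The last call is the reason the native VLAN of a trunk should not be a VLAN that carries user ports: a frame whose outer tag matches the native VLAN leaves the first switch with only its inner tag, and the next switch forwards it into that inner VLAN.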
Switch Configuration:
The above command configures interface fa0/1 as an access port and assigns that access
port to VLAN 100.
To view the list of VLANs, including which ports are assigned to each VLAN:
Switch# show vlan
The command sets the interface as a trunk port and also manually sets the tagging protocol the
trunk link will use. Both sides of the trunk link must be configured with the same tagging
protocol.
The Catalyst switch can negotiate the tagging protocol:
VLAN Trunking Protocol (VTP)
In large switched networks it is difficult to maintain a consistent VLAN database across all
switches. VLAN Trunking Protocol (VTP) allows the VLAN database to be managed centrally
and kept consistent throughout the network.
Switches configured with VTP are joined to a VTP domain. Only switches belonging to the same
domain share VLAN information, and a switch can belong to only one domain. When an
update is made to the VLAN database, the change is propagated to all switches via VTP
advertisements.
By default, VTP updates are sent every 300 seconds, or whenever the database changes. VTP
updates are sent on VLAN 1 and only out trunk ports.
VTP Modes
Server – Switches can create, modify or delete entries in the VLAN database. Servers
advertise their VLAN database to all other switches in the domain and synchronize their
database with other servers. This is the default mode for Cisco Catalyst switches. Servers
can only advertise VLANs 1 - 1005.
Client – Switches cannot modify the VLAN database and receive all of their VLAN
information from VTP servers. A client also forwards updates from a server to other
switches.
Transparent – Switches neither advertise their own VLAN database nor accept VLAN
database information from other switches. Changes made are local to the transparent switch.
Transparent switches do, however, forward VTP advertisements from servers to clients.
Every VTP advertisement carries a configuration revision number, and a server or client
accepts any advertisement for its domain whose revision number is higher than its own. A
switch with a stale but higher-revision database (for example, one reused from another site)
can therefore overwrite the VLAN database of the entire domain and remove VLANs from
every switch. Setting a VTP password, resetting the revision number before a switch is
connected, and preferring transparent mode where central management is not needed all
limit this risk.
Catalyst switches that participate in a VTP domain support up to 1005 VLANs. Catalyst
switches configured in VTP transparent mode support up to 4094 VLANs.
Configuring VTP
All switches participating in the VTP domain must be configured with the same domain name
and the same password; the password is hashed into each advertisement, so a switch with a
different password can neither inject nor accept updates.
VTP version 2 supports additional functionality, including consistency checks and support for
Token Ring. VTP version 2 also allows transparent switches to forward update information
from servers to clients even when the transparent switch is in a separate domain. By default, a
Catalyst switch uses VTP version 1.
To view status information about VTP, including version, domain, mode and the current
configuration revision number:
Switch# show vtp status
VTP Pruning
VTP pruning stops a VLAN's broadcast, multicast and unknown-unicast traffic from being
flooded across a trunk to a switch that has no active ports in that VLAN. In the above example,
VTP pruning would prevent VLAN 3, VLAN 4 and VLAN 5 broadcasts from being sent to
Switch 3, and would prevent VLAN 5 broadcasts from being sent to Switch 2.
VTP pruning is disabled by default on Catalyst IOS switches. To enable VTP pruning:
Section 17 Access Control Lists
Access control lists are used not only to filter traffic, but also to identify (classify) traffic.
An access list is a set of rules, organized as an ordered table. Each rule or line
in an access list states a condition and an action, either permit or deny:
When an access list is used to filter traffic, a permit statement allows the matching traffic
and a deny statement blocks it.
When an access list is used to identify traffic (for example, to select which addresses NAT
translates), a permit statement includes the matching traffic and a deny statement excludes
it; nothing is blocked.
After an ACL is configured, it is applied to an interface in one direction. When a packet
enters or exits an interface with an ACL applied, the packet is compared against the criteria of
the ACL from the top down. If the packet matches the first line, that line's action (permit or
deny) is taken and processing stops. If there is no match, the second line is examined, then the
third, and so on until a match is found. If no line matches, an implicit 'deny all' at the end of
every access list drops the packet. You do not create this entry and cannot delete it, so an
access list that contains only deny statements blocks all traffic; a filtering ACL therefore
almost always ends with an explicit permit.
Only one access list per interface, per protocol, per direction is allowed. More specific
and more frequently matched rules should be at the top of the access list, to reduce CPU
work. New entries are appended at the bottom. On classic IOS you cannot remove individual
lines from a numbered access list; you must delete and re-create the list to change it. While
the list is deleted the interface it was applied to is unprotected, so build the new list under a
different number and swap it in, or change the list only during a maintenance window.
Types of Access Lists
Numbered access lists are identified by a number, and several ranges of numbers are
dedicated to specific protocols. Examples:
1–99 IP standard access list
100–199 IP extended access list
1300–1999 IP standard access list (expanded range)
2000–2699 IP extended access list (expanded range)
Named access lists provide a bit more flexibility. Descriptive names can be used to identify
access lists, and individual lines can be added to and removed from a named access list.
However, as with numbered lists, new entries are still added at the bottom of the list.
Standard IP access lists match on the source host or network IP address only, and should be
placed closest to the destination network: because they cannot distinguish destinations,
placing one near the source would cut the source off from everything.
Example:
This list allows traffic from all addresses in the range 192.168.10.0 to 192.168.10.255.
Extended IP access lists match on the source IP address, destination IP address, protocol and
TCP or UDP port number. Extended access lists should be placed closest to the source
network, so that unwanted traffic is dropped before it crosses the network.
Example:
ACL 100 permits only HTTP traffic originating from any address on the 192.168.10.0/24 network
to the 192.168.20.0/24 network; everything else hits the implicit deny.
Standard IP Access List Example:
Syntax: access-list [1-99] [permit | deny] [source address] [wildcard mask] [log]
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1 – 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1 – 192.168.40.1 /24
Example: To block hosts in network 192.168.20.0 from accessing hosts in the
192.168.40.0 network
Extended IP Access List Example:
Syntax: access-list [100-199] [permit | deny] [protocol] [source address] [wildcard mask]
[destination address] [wildcard mask] [operator [port]] [log]
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1 – 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1 – 192.168.40.1 /24
Telnet Access List Example
Telnet access can be restricted with an extended ACL on an interface, but then every packet
entering or leaving that interface is checked against it, which costs CPU and only protects the
interfaces the ACL is applied to. Instead, a standard access list is applied to the vty lines
(the telnet lines) with the access-class command, so it is evaluated only for sessions to the
router itself, whichever interface they arrive on. Telnet carries credentials in cleartext;
prefer SSH, and apply the same access-class restriction to it.
Router A:
Fa0/0 – 192.168.20.1 /24, Fa0/1 – 192.168.30.1 /24
Router B:
Fa0/0 – 192.168.30.2 /24, Fa0/1 – 192.168.40.1 /24
Example: Create an access list that prevents anyone on the 192.168.40.x network from
telnetting into RouterA, but allows all other networks telnet access to RouterA.
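The matching rules of this section (top-down first match, wildcard masks, the implicit deny, standard versus extended lists, and the vty access list) as an added Python example. This is not code from the handout: the ACL lines below are reconstructions of the examples described in the section, since the handout's own command lines are not reproduced here, and the packets are constructed.

```python
# Added example (not from the handout): a first-match evaluator for IOS-style
# numbered access lists, with wildcard masks and the implicit "deny all". The ACL
# lines are reconstructions of the examples described in this section, and the
# packets are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Spec = Tuple[int, int]  # (base address, wildcard mask) as integers
ANY: Spec = (0, 0xFFFFFFFF)
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "ftp": 21}


@dataclass
class Rule:
    action: str            # 'permit' or 'deny'
    proto: str             # 'ip' for standard lists (matches everything)
    src: Spec
    dst: Spec
    dport: Optional[int]   # only set by 'eq <port>' on the destination


def _parse_addr(tokens: List[str]) -> Tuple[Spec, List[str]]:
    """Consume 'any' | 'host A' | 'A WILDCARD' and return the spec plus leftovers."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def _matches(addr: str, spec: Spec) -> bool:
    base, wc = spec
    care = ~wc & 0xFFFFFFFF          # wildcard bit 0 = must match
    return (int(IPv4Address(addr)) & care) == (base & care)


def parse_acl(lines: List[str]) -> List[Rule]:
    rules: List[Rule] = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        number, action, rest = int(t[1]), t[2], t[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:        # standard: source only
            src, rest = _parse_addr(rest)
            rules.append(Rule(action, "ip", src, ANY, None))
        elif 100 <= number <= 199 or 2000 <= number <= 2699:   # extended
            proto, rest = rest[0], rest[1:]
            src, rest = _parse_addr(rest)
            dst, rest = _parse_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rules.append(Rule(action, proto, src, dst, dport))
        else:
            raise ValueError(f"unsupported ACL number {number}")
    return rules


def packet(src: str, dst: str, proto: str = "ip", dport: Optional[int] = None) -> Dict:
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def evaluate(rules: List[Rule], pkt: Dict) -> str:
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt["proto"]:
            continue
        if not (_matches(pkt["src"], r.src) and _matches(pkt["dst"], r.dst)):
            continue
        if r.dport is not None and r.dport != pkt["dport"]:
            continue
        return r.action
    return "deny"  # the implicit deny all


# Reconstructed from the section's examples (assumed wording of the handout's lines)
ACL_1 = parse_acl(["access-list 1 deny 192.168.20.0 0.0.0.255",    # apply: RouterB Fa0/1 out
                   "access-list 1 permit any"])
ACL_100 = parse_acl(["access-list 100 permit tcp 192.168.10.0 0.0.0.255 "
                     "192.168.20.0 0.0.0.255 eq www"])
ACL_VTY = parse_acl(["access-list 5 deny 192.168.40.0 0.0.0.255",   # apply: access-class 5 in
                     "access-list 5 permit any"])
```

Note the two ways a filtering list silently becomes a "deny everything" list: forgetting the trailing permit, and writing a rule with a protocol or port the traffic never carries. Running candidate packets through an evaluator like this before deploying is cheaper than locking yourself out of the vty lines.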
Section 18 WAN
A WAN spans a large geographic area, such as a state, province or country. WANs often connect
multiple smaller networks, such as local area networks or metro area networks.
The world's most popular WAN is the Internet. WANs generally use different and much
more expensive networking equipment than LANs. Key technologies often found in WANs
include SONET, Frame Relay and ATM.
A Point-to-Point connection, also known as a leased line, provides full connectivity
between two sites. This type of connection is purchased from the telephone company and
uses a permanent path through the telco's infrastructure from one site to the other. There is
no call setup or teardown, which means the circuit is always available.
Since the company leases the line outright, it has full use of the bandwidth whether it is used
or not. The speed of the link can range up to a T3, which is approximately 45 Mbps. This
connection type becomes very costly as the distance increases. It is usually delivered over a
synchronous serial connection. Cisco supports it on virtually all of their routers, using one of
several synchronous serial interface standards, including:
EIA/TIA-232
V.35
HSSI
In a circuit-switched connection the circuit, or dedicated path, is created when the call is
initiated to the remote site and torn down when the call ends. The best example of
a circuit-switched network is the Public Switched Telephone Network (PSTN). Two
types of circuit-switched connection are available: asynchronous dial-up and ISDN (Integrated
Services Digital Network).
Asynchronous circuits carry data through a modem over the telephone network.
The cost is lower than for other types of WAN connection, but so is the bandwidth: depending
on the connection, the best that can be achieved is 56 Kbps.
ISDN comes in two flavours used for WAN connections. Basic Rate Interface (BRI) has a
maximum bandwidth of 128 Kbps (two 64 Kbps B channels), and Primary Rate Interface (PRI)
reaches about 2 Mbps on an E1 (about 1.5 Mbps on a T1).
WAN Terminologies
The Demarc is the point of last responsibility for the service provider. All equipment
on the customer-premises side of the demarc is the customer's responsibility to maintain.
The Smart Jack physically terminates the T1 line. If there is a connectivity issue, the provider
can place the smart jack in loopback and test the circuit up to that point.
The Local Loop or Last Mile is the physical line connecting the customer
premises to the provider's nearest Central Office (CO).
There are many different types of protocol used on WANs. These protocols operate at
layer 2 of the OSI model (the data-link layer).
Section 19 HDLC and PPP
PPP uses:
PPP Features:
• Authentication
• Compression
• Multi-link
• Error Control
Configuring HDLC
Configuring PPP
After setting the hostname, the username and password used for PPP authentication are
configured. The username must be the hostname of the remote router, and the password (the
shared secret) must be the same on both routers.
The above configuration sets the authentication method to CHAP. CHAP never sends the
password over the link: the authenticator sends a random challenge and the peer answers with
an MD5 hash of the challenge and the shared secret, so a captured exchange cannot be
replayed against a fresh challenge. PAP, by contrast, sends the username and password in
cleartext, so CHAP should be used unless the peer cannot support it. To configure PAP
authentication instead:
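The CHAP exchange between the two routers described above, as an added Python example (not code from the handout): the username kept for the peer must equal the peer's hostname, the secret must match on both sides, and the secret itself never crosses the link. Hostnames, secrets and the fixed challenge value are constructed.

```python
# Added example (not from the handout): the PPP CHAP three-way handshake from
# RFC 1994, modelled for two routers. The username a router keeps for its peer must
# equal the peer's hostname, and the secret must be the same on both sides; the
# secret itself never crosses the link. Hostnames, secrets and the fixed challenge
# used in the demo are constructed (a real authenticator uses a random challenge).
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that sends the Challenge (e.g. RouterA holding 'username RouterB password ...')."""

    def __init__(self, hostname: str, peers: Dict[str, bytes]) -> None:
        self.hostname = hostname
        self.peers = peers            # peer hostname -> shared secret
        self.identifier = 0

    def challenge(self, rand: Optional[bytes] = None) -> Tuple[int, bytes, str]:
        self.identifier = (self.identifier + 1) & 0xFF
        value = rand if rand is not None else os.urandom(16)
        return self.identifier, value, self.hostname   # Challenge packet fields

    def verify(self, identifier: int, challenge: bytes, peer_name: str, response: bytes) -> bool:
        secret = self.peers.get(peer_name)
        if secret is None:               # unknown hostname: Failure
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


class ChapPeer:
    """The side that answers (e.g. RouterB, configured with hostname RouterB)."""

    def __init__(self, hostname: str, secret: bytes) -> None:
        self.hostname = hostname
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[int, bytes, str]:
        return identifier, chap_response(identifier, self.secret, challenge), self.hostname


def run_chap(auth: ChapAuthenticator, peer: ChapPeer, rand: Optional[bytes] = None) -> bool:
    """Challenge -> Response -> Success/Failure; returns True on Success."""
    ident, chal, _ = auth.challenge(rand)
    ident2, resp, name = peer.respond(ident, chal)
    return auth.verify(ident2, chal, name, resp)


def pap_authenticate(peers: Dict[str, bytes], username: str, password: bytes) -> bool:
    """PAP, for contrast: the password itself travels over the link and is compared."""
    return hmac.compare_digest(peers.get(username, b""), password)


if __name__ == "__main__":
    router_a = ChapAuthenticator("RouterA", {"RouterB": b"s3cret"})
    print(run_chap(router_a, ChapPeer("RouterB", b"s3cret")))   # True
    print(run_chap(router_a, ChapPeer("RouterB", b"wrong")))    # False: secret mismatch
    print(run_chap(router_a, ChapPeer("routerb", b"s3cret")))   # False: name must match hostname
```

The name check is the usual cause of a CHAP failure in the lab: the username configured on RouterA must be exactly the hostname RouterB sends in its Response, case included.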
Section 20
Frame Relay
All customer devices connect into the Frame-Relay cloud; this cloud contains many Frame-Relay
switches and routers. A virtual circuit (VC) must be created for each pair of sites that need
to communicate. A VC is a logical path through the Frame-Relay cloud between two
endpoints.
In the above example, establishing full communication between all four sites requires a
virtual circuit between every pair, which can be calculated using the formula n(n-1)/2; in this
case that is 6 virtual circuits. Frame-Relay circuits can be either permanent (PVC) or
switched (SVC). A permanent virtual circuit is always kept active and is the most commonly
used type. A switched virtual circuit is created and torn down as required, like a call on a
circuit-switched network. Just as Ethernet maps a Layer 3 IP address to a Layer 2
MAC address, Frame Relay maps an IP address to a Data Link Connection Identifier (DLCI),
the Layer 2 address that identifies a virtual circuit. Frame-Relay switches make forwarding
decisions based on DLCIs. A DLCI is locally significant: it identifies the circuit on the link
between the router and its local Frame-Relay switch, and the far end of the same circuit may
use a different DLCI number.
Frame-Relay Local Management Interface (LMI)
LMI is the signaling used between the customer router and the provider's Frame-Relay
switch. LMI provides status updates on the virtual circuits between the Frame-Relay switch and
the router, and is also the keepalive mechanism. The LMI type (cisco, ansi or q933a) must
match what the provider's switch uses.
Diagram: INDIA and SINGAPORE connected through the Frame-Relay cloud; INDIA reaches
SINGAPORE over DLCI 102.
INDIA(config)# int s0
INDIA(config-if)# ip address 192.168.30.1 255.255.0.0
INDIA(config-if)# encapsulation frame-relay
INDIA(config-if)# frame-relay lmi-type cisco
INDIA(config-if)# frame-relay interface-dlci 102
INDIA(config-if)# no shut
A router can learn its PVCs and DLCIs directly from the Frame-Relay switch via LMI, and then
use Inverse ARP on each DLCI to discover the IP address of the router at the far end. Inverse
ARP is enabled by default on Cisco routers. Where Inverse ARP is disabled, the IP-to-DLCI
mappings are configured statically with frame-relay map; the broadcast keyword allows
broadcast and multicast traffic (such as routing-protocol updates) to be sent over the circuit,
which Frame Relay does not do on its own. Configuration on INDIA with static maps to
SINGAPORE (DLCI 102) and MALAYSIA (DLCI 103):
INDIA(config)# int s0
INDIA(config-if)# ip address 192.168.30.1 255.255.0.0
INDIA(config-if)# encapsulation frame-relay ietf
INDIA(config-if)# frame-relay lmi-type cisco
INDIA(config-if)# no frame-relay inverse-arp
INDIA(config-if)# frame-relay map ip 192.168.30.2 102 broadcast
INDIA(config-if)# frame-relay map ip 192.168.30.3 103 broadcast
INDIA(config-if)# no shut
Router Configuration on MALAYSIA
MALAYSIA(config)# int s0
MALAYSIA(config-if)# ip address 192.168.30.3 255.255.0.0
MALAYSIA(config-if)# encapsulation frame-relay ietf
MALAYSIA(config-if)# frame-relay lmi-type cisco
MALAYSIA(config-if)# no frame-relay inverse-arp
MALAYSIA(config-if)# frame-relay map ip 192.168.30.1 301 broadcast
MALAYSIA(config-if)# frame-relay map ip 192.168.30.2 302 broadcast
MALAYSIA(config-if)# no shut
Full-mesh Frame-Relay environments can get quite expensive. Partial-mesh environments are
often more cost-effective. An example of a partial-mesh topology is hub-and-spoke, with one
central (hub) location that connects to all other locations (the spokes). In a partial-mesh
environment, if both spokes terminate on the hub router's physical serial interface, split
horizon prevents a route learned from one spoke from being advertised back out the same
interface to the other spoke, so the spokes cannot reach each other's networks. To overcome
this, the hub can use point-to-point sub-interfaces, one per spoke and each in its own subnet,
so that each spoke appears on a separate logical interface.
Frame-Relay Commands:
Section 21 NAT
A public address is globally unique and can be routed on the Internet.
Hence devices that should be reachable from the Internet must be configured with public
addresses.
A private address is only used within an organization and is never routed on the
Internet. Three private address ranges were allocated (RFC 1918), one from each IPv4 class:
Class – Range
Class A – 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
Class B – 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
Class C – 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
NAT is used to translate between private and public addresses. NAT rewrites the private
source address of outbound packets to a public address, and the public destination address of
the replies back to the private address, allowing devices with private addresses to
communicate across the Internet.
NAT provides an additional benefit: hiding the specific addresses and addressing structure of
the internal network. This is a side effect rather than a security control; an inside host that
initiates a connection is fully reachable by the peer it connected to, and NAT does not inspect
or filter traffic. Use ACLs or a firewall for that.
NAT Types
Static NAT – A one-to-one translation between two addresses, or between
a port on one address and a port on another address. Static NAT is most often used to give a
device behind a NAT-enabled firewall/router a fixed public address so that it can be reached
from outside.
Dynamic NAT – Uses a pool of global addresses to translate the outbound traffic
of clients; each client holds an address from the pool for as long as its translation lives.
NAT Terminology
Inside Local – the address assigned to an inside host, usually a private address.
Inside Global – the address that represents an inside host to the outside world, usually a
public address.
Outside Global – the address assigned to an outside host, usually a public address at the
remote site.
Outside Local – the address by which an outside host is known to the inside network.
Configuration of NAT
The above command translates the inside local address 192.168.20.1 to the inside global
address 128.168.1.1. The inside and outside interfaces are also identified:
The above command creates a pool of inside global addresses named Outpool; clients
permitted by the ACL pick an address dynamically from the pool before leaving the network.
The inside and outside interfaces are also identified:
Configuring NAT Overload (or PAT)
Any inside host with a source address that matches access-list 10 is translated, with overload,
to the IP address configured on the Serial0/0 interface. Because many inside hosts share that
one address, the router also rewrites the source port and uses the (address, port) pair to tell
the returning packets apart. The inside and outside interfaces are also identified.
NAT Commands
Router# show ip nat translations – Displays all current static and dynamic translations.
Router# show ip nat statistics – Displays which interfaces are inside and outside, the
translation rules in use and translation counters.
Router# debug ip nat – Displays NAT translations in real time.
Router# clear ip nat translation * – Clears all dynamic NAT entries from the translation
table (a single entry can be cleared by specifying it instead of *).
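The translation table that PAT builds for the configuration above, as an added Python example (not code from the handout). The Serial0/0 address is assumed to be 203.0.113.1 and access-list 10 is assumed to permit 192.168.20.0 0.0.0.255; all other addresses are constructed from the TEST-NET ranges.

```python
# Added example (not from the handout): a model of the PAT (NAT overload) translation
# table the router builds. Inside hosts permitted by the ACL are translated to one
# inside global address with a unique source port per connection; replies are mapped
# back, and anything arriving from outside that does not match an existing entry is
# dropped. Assumptions: Serial0/0 is 203.0.113.1 and access-list 10 permits
# 192.168.20.0 0.0.0.255. Other addresses are constructed (TEST-NET ranges).
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


def wildcard_permits(addr: str, base: str, wildcard: str) -> bool:
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


class PatTable:
    def __init__(self, inside_global: str, acl: Tuple[str, str], first_port: int = 1024) -> None:
        self.inside_global = inside_global
        self.acl = acl                       # (base, wildcard) of access-list 10
        self.next_port = first_port
        # outbound key: full inside flow -> allocated global port
        self.out: Dict[Flow, int] = {}
        # inbound key: (global port, outside ip, outside port) -> (inside local, inside port)
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, inside_local: str, lport: int, dst: str, dport: int) -> Optional[Flow]:
        """Packet leaving via the outside interface. Returns the rewritten flow, or
        None if the source is not permitted by the ACL (no translation is created)."""
        if not wildcard_permits(inside_local, *self.acl):
            return None
        key: Flow = (inside_local, lport, dst, dport)
        if key not in self.out:                          # new connection: allocate a port
            gport = self.next_port
            self.next_port += 1
            self.out[key] = gport
            self.back[(gport, dst, dport)] = (inside_local, lport)
        return (self.inside_global, self.out[key], dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Flow]:
        """Packet arriving from the outside. Only a reply to an existing entry, from the
        same outside host and port, is translated back; everything else is dropped."""
        if dst != self.inside_global:
            return None
        entry = self.back.get((dport, src, sport))
        if entry is None:
            return None                                  # unsolicited: no entry, dropped
        inside_local, lport = entry
        return (src, sport, inside_local, lport)

    def translations(self) -> Dict[Flow, Flow]:
        """Roughly what 'show ip nat translations' would list."""
        return {k: (self.inside_global, p, k[2], k[3]) for k, p in self.out.items()}


if __name__ == "__main__":
    pat = PatTable("203.0.113.1", acl=("192.168.20.0", "0.0.0.255"))
    print(pat.outbound("192.168.20.5", 40000, "198.51.100.7", 80))   # ('203.0.113.1', 1024, ...)
    print(pat.outbound("192.168.20.6", 40000, "198.51.100.7", 80))   # port 1025: same local port, distinct global
    print(pat.inbound("198.51.100.7", 80, "203.0.113.1", 1025))       # back to 192.168.20.6:40000
    print(pat.inbound("198.51.100.7", 80, "203.0.113.1", 5000))       # None: unsolicited
```

Two points worth taking from the model: the ACL decides who gets translated, not who gets through (a host the ACL does not match is simply not translated), and the "hiding" the text mentions is nothing more than the absence of an entry for unsolicited inbound packets, which is why static NAT entries and port forwards should be reviewed with the same care as firewall rules.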
TCL Network Associate Handout