
Engineer Ashebir Gebre

Cisco Certified Instructor

Empowering the Generation


Communications and Services
Certifications

CCNA Exam
Exam Number: 200-125
Total Marks: 1000
Duration: 90 minutes
Passing score: 825
Questions: 45-55
Question types: Multiple Choice, Simulations, Drag and Drop
Note

• There are 800+ slides in this presentation…
• But we will only be covering the first 18,000,000 or so.
Cisco Icons and Symbols

Data Networks

• Today you will learn about the following:
  – Network devices and diagrams
  – The OSI and TCP/IP models
  – Cables and media
  – Connecting to a router
• This module maps to the following ICND1 syllabus requirements:
  – Recognise the purpose and functions of various network devices, such as routers, switches, bridges, and hubs
  – Select the components required to meet a given network specification
  – Identify common applications and their impact on the network
  – Describe the purpose and basic operation of the protocols in the OSI and TCP/IP models
  – Predict the data flow between two hosts across a network
  – Identify the appropriate media, cables, ports, and connectors to connect Cisco network devices to other network devices and hosts in a LAN
Data Networks

Sharing data through the use of floppy disks is not an efficient or cost-effective method.

Businesses needed a solution that would successfully address the following three problems:
• How to avoid duplication of equipment and resources
• How to communicate efficiently
• How to set up and manage a network

Businesses realized that networking technology could increase productivity while saving money.

Networking Devices

Equipment that connects directly to a network segment is referred to as a device.

These devices are broken up into two classifications:
 End-user devices
 Network devices

End-user devices include computers, printers, scanners, and other devices that provide services directly to the user.

Network devices include all the devices that connect the end-user devices together to allow them to communicate.
Network Interface Card

A network interface card (NIC) is a printed circuit board that provides network communication capabilities to and from a personal computer. Also called a LAN adapter.

Hub
Connects a group of Hosts

Switch

Switches add more intelligence to data transfer management.

Router
Routers are used to connect networks together
Route packets of data from one network to another
Cisco became the de facto standard of routers because of their high-
quality router products
Routers, by default, break up a broadcast domain

Network Topologies
Network topology defines the structure of the network.

One part of the topology definition is the physical topology, which is the actual layout of the wire or media.

The other part is the logical topology, which defines how the media is accessed by the hosts for sending data.

Bus Topology
A bus topology uses a single backbone cable that is terminated at both ends.

All the hosts connect directly to this backbone.

Ring Topology
A ring topology connects one host to the next and the last host to the first.

This creates a physical ring of cable.

Star Topology
A star topology connects all cables to a central point of
concentration.

Extended Star Topology
An extended star topology links individual stars together by connecting the hubs and/or switches. This topology can extend the scope and coverage of the network.

Mesh Topology
A mesh topology is implemented to provide as much
protection as possible from interruption of service.
Each host has its own connections to all other hosts.
 Although the Internet has multiple paths to any one
location, it does not adopt the full mesh topology.

Physical and Logical Topology

LANs, MANs, & WANs

One early solution was the creation of local-area network (LAN) standards, which provided an open set of guidelines for creating network hardware and software, making equipment from different companies compatible.

What was needed was a way for information to move efficiently and quickly, not only within a company, but also from one business to another.

The solution was the creation of metropolitan-area networks (MANs) and wide-area networks (WANs).
LANs

WANs

Virtual Private Network
A VPN is a private network that is constructed within a public network
infrastructure such as the global Internet. Using VPN, a telecommuter
can access the network of the company headquarters through the
Internet by building a secure tunnel between the telecommuter’s PC
and a VPN router in the headquarters.

Bandwidth

Measuring Bandwidth

Internetworking Devices

What Are The Components Of A Network?

[Figure: home office, mobile users, branch office and main office connected through the Internet]
Network Structure & Hierarchy

[Figure: three-layer hierarchical design: Core Layer, Distribution Layer, Access Layer]

Institute of Electrical and Electronics Engineers (IEEE) 802 Standards
 IEEE 802.1: Standards related to network management (bridging, VLANs, port-based access control).
 IEEE 802.2: Logical Link Control (LLC), the upper sublayer of the OSI data link layer. The IEEE divides the data link layer into two sublayers: the logical link control (LLC) sublayer and the media access control (MAC) sublayer.
 IEEE 802.3: Defines the MAC layer for bus networks that use CSMA/CD. This is the basis of the Ethernet standard.
 IEEE 802.4: Defines the MAC layer for bus networks that use a token-passing mechanism (token bus networks).
 IEEE 802.5: Defines the MAC layer for token-ring networks.
 IEEE 802.6: Standard for Metropolitan Area Networks (MANs).


Why do we need the OSI Model?

To address the problem of networks increasing in size and in number, the International Organization for Standardization (ISO) researched many network schemes and recognized that there was a need to create a network model.

This would help network builders implement networks that could communicate and work together.

ISO therefore released the OSI reference model in 1984.

Don’t Get Confused.

ISO - International Organization for Standardization

OSI - Open System Interconnection

IOS - Internetwork Operating System

To avoid confusion, some people say "International Standard Organization."

Network Model
• Reduce complexity
• Standardize interfaces
• Assist understanding
• Promote rapid product development
• Support interoperability
• Facilitate modular engineering

The OSI Reference Model

7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical

The OSI Model will be used throughout your entire networking career! Memorize it!

OSI Model

Application (Upper) Layers: Application, Presentation, Session
Data Flow Layers: Transport, Network, Data-Link, Physical

Layer 7 - The Application Layer

This layer deals with networking applications and determines resource availability.
Examples:
 Email (SMTP, POP3)
 Web browsers
 File transfer services (using FTP)
PDU - User Data

Each of the layers has a Protocol Data Unit (PDU).


Layer 6 - The Presentation Layer

This layer is responsible for presenting the data in the required format, which may include:
 Code formatting
 Encryption
 Compression
Multimedia works here.
PDU - Formatted Data

Layer 5 - The Session Layer

This layer establishes, manages, and terminates sessions between two communicating hosts.
 Creates a virtual circuit
 Coordinates communication between systems
 Organizes communication by offering three different modes: Simplex, Half Duplex, Full Duplex
Examples: client software used for logging in; SQL, RPC, and NFS
PDU - Formatted Data


Half Duplex
• Only one station transmits at a time: the link carries signals in both directions, but not simultaneously.
• It uses the CSMA/CD protocol to help prevent collisions and to permit retransmitting if a collision does occur.
• If a hub is attached to a switch, that port must operate in half-duplex mode because the end stations must be able to detect collisions.
• Half-duplex Ethernet, typically 10BaseT, is only about 30 to 40 percent efficient because a large 10BaseT network will usually only give you 3 to 4 Mbps at most.
Full Duplex
In a network that uses twisted-pair cabling, one pair is used to carry the transmitted
signal from one node to the other node. A separate pair is used for the return or
received signal. It is possible for signals to pass through both pairs simultaneously.
The capability of communication in both directions at once is known as full duplex.

Layer 4 - The Transport Layer

 Virtual circuits are set up here
 It is also used to ensure reliable data transport across the network
 Can be reliable or unreliable
 Connection oriented / connectionless
 Windowing / sliding window
 Sequencing
 Acknowledgment
 Retransmission
 Flow control
 Protocols: TCP / UDP
PDU - Segments

TCP/IP

Flow control

Windowing

TCP/IP
Acknowledgement

Three-Way Handshake

Most common port numbers
• FTP Data – 20, FTP Control – 21 (TCP)
• SSH – 22 (TCP)
• Telnet – 23 (TCP)
• SMTP – 25 (TCP)
• DNS – 53 (UDP and TCP)
• TFTP – 69 (UDP)
• HTTP – 80 (TCP)
• POP3 – 110 (TCP)
• SNMP – 161/162 (UDP)
• HTTPS (HTTP over TLS/SSL) – 443 (TCP)
UDP
• Uses port numbers
• Limited error checking
• Unreliable and connectionless
• No flow control mechanism
• Requires a socket address (IP address plus port)
• Little overhead and offers fast delivery

TCP
• Use port number
• Uses socket number
• Use checksum field – for error checking
• Uses window sizing
• Uses buffering
• Reliable – flow control / acknowledgment

Layer 3 - The Network Layer
Sometimes referred to as the "Cisco Layer".
 Best-effort delivery
 Provides logical addressing that routers use for path determination
 Packets are encapsulated
 Internetwork communication
 Packet forwarding
 Packet filtering
 Makes "best path determination"
 Protocols: ARP, RARP, ICMP (ping, tracert/traceroute) and Proxy ARP
 ICMP is a protocol used to report problems or issues with IP packets (or datagrams) on a network.
PDU - Packets (IP/IPX)
ping output

• A Windows ping sends a 32-byte payload by default (the Linux and IOS defaults differ),
• the Time field reports how many milliseconds the round trip took,
• TTL is the Time to Live field of the reply. It is a hop count, not a time: each router decrements it by one and discards the packet when it reaches zero, so the value indicates roughly how many routers the reply crossed.
• ! – One exclamation mark per reply received
• . – One period for each timeout
• U – Destination unreachable message
• N – Network unreachable message
• P – Protocol unreachable message
• Q – Source quench message
• M – Could not fragment
• ? – Unknown packet type
Layer 2 - The Data Link Layer
Performs physical addressing.
 This layer provides reliable transit of data across a physical link.
 Combines bits into bytes and bytes into frames
 Access to media using the MAC address
 Error detection, not correction
 Two sublayers: LLC and MAC
 Logical Link Control performs link establishment
 MAC performs the access method
 Examples: HDLC, ISDN, PPP, Ethernet, VPN
PDU - Frames
Frame fields: Preamble | DMAC | SMAC | Data length | DATA | FCS
Structure of Unicast Ethernet Address

Broadcast address: FFFF.FFFF.FFFF
Multicast address: 0100.5Exx.xxxx (IPv4 multicast)
Layer 1 - The Physical Layer

This is the physical media through which the data, represented as electronic signals, is sent from the source host to the destination host.
 Moves bits between devices
 Encoding
PDU - Bits
Physical layer
• There are three basic forms of network media on which
data is represented:
– Copper cable
– Fiber
– Wireless (IEEE 802.11)

• Bits are represented on the medium by changing one or


more of the following characteristics of a signal:
– Amplitude
– Frequency
– Phase
Data Encapsulation

Layer                                   PDU       Contents
Application / Presentation / Session    Data      Upper-Layer Data
Transport                               Segment   TCP Header | Upper-Layer Data
Network                                 Packet    IP Header | Data
Data-Link                               Frame     LLC Header | Data | FCS, then MAC Header | Data | FCS
Physical                                Bits      0101110101001000010
Data Encapsulation

Summary

OSI Model Analogy

Application Layer - Source Host: After riding your new bicycle a few times in Addis Ababa, you decide that you want to give it to a friend who lives in Combolcha, Dessie.

Presentation Layer - Source Host: Make sure you have the proper directions to disassemble and reassemble the bicycle.

Session Layer - Source Host: Call your friend and make sure you have his correct address.

Transport Layer - Source Host: Disassemble the bicycle and put different pieces in different boxes. The boxes are labeled "1 of 3", "2 of 3", and "3 of 3".

Network Layer - Source Host: Put your friend's complete mailing address (and yours) on each box. Since the packages are too big for your mailbox (and since you don't have enough stamps) you determine that you need to go to the post office.

Data Link Layer - Source Host: Addis Ababa post office takes possession of the boxes.

Physical Layer - Media: The boxes are flown from Addis Ababa to Dessie.

Data Link Layer - Destination: Combolcha post office receives your boxes.

Network Layer - Destination: Upon examining the destination address, Combolcha post office determines that your boxes should be delivered to the home address written on them.

Transport Layer - Destination: Your friend calls you and tells you he got all 3 boxes and he is having another friend named Shegawe reassemble the bicycle.

Session Layer - Destination: Your friend hangs up because he is done talking to you.

Presentation Layer - Destination: Shegawe is finished and "presents" the bicycle to your friend. Another way to say it is that your friend is finally getting his "present".

Application Layer - Destination: Your friend enjoys riding his new bicycle in Combolcha.
Data Flow Through a Network

Type of Transmission
Unicast
Multicast
Broadcast

Type of Transmission

Broadcast Domain
A group of devices receiving broadcast frames originating from any device within the group.

Routers do not forward broadcast frames, so a broadcast stays inside its own broadcast domain and is never forwarded from one broadcast domain to another.

Collision
 The effect of two nodes sending transmissions
simultaneously in Ethernet. When they meet on the
physical media, the frames from each node collide and
are damaged.

Collision Domain
The network area in Ethernet over which frames
that have collided will be detected.
Collisions are propagated by hubs and repeaters
Collisions are Not propagated by switches,
routers, or bridges

Physical Layer (802.3)

Defines
• Media type
• Connector type
• Signaling type

802.3 is responsible for LANs based on the carrier sense multiple access collision detect (CSMA/CD) access methodology. Ethernet is an example of a CSMA/CD network.

Physical Layer: Ethernet/802.3

10Base2 - Thin Ethernet
10Base5 - Thick Ethernet
10BaseT - Twisted Pair (hosts connected to a hub)
Device Used At Layer 1 (Hub)

• All devices are in the same collision domain.
• All devices are in the same broadcast domain.
• Devices share the same bandwidth.
Hubs & Collision Domains

• More end stations means more collisions.
• CSMA/CD is used.

Layer 2

MAC Layer - 802.3
Number of Bytes:  8         6                    6               2        Variable   4
Field:            Preamble  Destination Address  Source Address  Length   Data       FCS

Ethernet II uses "Type" in place of the Length field and does not use 802.2.

MAC Address 0000.0C xx.xxxx: the first three bytes are the IEEE-assigned vendor code (OUI), the last three are vendor assigned.
The preamble synchronizes senders and receivers.
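The MAC address structure and the Length/Type field above are easy to get wrong when writing a sniffer or an IDS rule, so here is an added example (my own code, not part of the slides) that classifies a MAC by its I/G and U/L bits and OUI, and splits a raw frame into its fields while telling IEEE 802.3 length framing apart from Ethernet II EtherType framing. It assumes the preamble and FCS have already been stripped, as a NIC does before handing the frame to the host, and the sample frames are constructed inline.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
IPV4_MCAST_OUI = bytes.fromhex("01005e")     # 0100.5Exx.xxxx from the slide


def parse_mac(mac: bytes) -> dict:
    """Classify a 48-bit MAC. Bit 0 of the first octet is the I/G (individual/group)
    flag, bit 1 is the U/L (universally/locally administered) flag; octets 0-2 are the
    IEEE-assigned OUI, octets 3-5 are vendor assigned."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    first = mac[0]
    hexed = mac.hex()
    return {
        "text": ".".join(hexed[i:i + 4] for i in range(0, 12, 4)),   # Cisco xxxx.xxxx.xxxx style
        "broadcast": mac == BROADCAST,
        "multicast": bool(first & 0x01) and mac != BROADCAST,
        "locally_administered": bool(first & 0x02),
        "oui": hexed[:6],
        "vendor_part": hexed[6:],
        # IPv4 multicast MACs use OUI 01-00-5E with the high bit of octet 3 clear
        "ipv4_multicast": mac[:3] == IPV4_MCAST_OUI and not (mac[3] & 0x80),
    }


def parse_frame(frame: bytes) -> dict:
    """Split a frame into DMAC, SMAC, the 2-byte Length/Type field and payload.
    A value <= 1500 is an IEEE 802.3 length (an 802.2 LLC header follows, and
    padding after `length` bytes is dropped); a value >= 0x0600 is an Ethernet II
    EtherType (e.g. 0x0800 IPv4, 0x0806 ARP). Anything in between is reserved."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dmac, smac, length_or_type = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if length_or_type <= 1500:
        kind = "802.3"
        if length_or_type > len(payload):
            raise ValueError("802.3 length field exceeds the bytes present")
        payload = payload[:length_or_type]
    elif length_or_type >= 0x0600:
        kind = "Ethernet II"
    else:
        raise ValueError("reserved Length/Type value")
    return {"dst": parse_mac(dmac), "src": parse_mac(smac), "kind": kind,
            "length_or_type": length_or_type, "payload": payload}


# Constructed sample frames (not captures): an ARP broadcast from a Cisco OUI,
# and a padded 802.3 frame carrying three payload bytes.
ARP_FRAME = BROADCAST + bytes.fromhex("00000c123456") + b"\x08\x06" + b"\x00" * 28
LLC_FRAME = (bytes.fromhex("00000c000001") + bytes.fromhex("00000c000002")
             + b"\x00\x03" + b"abc" + b"\x00" * 43)

if __name__ == "__main__":
    for f in (ARP_FRAME, LLC_FRAME):
        r = parse_frame(f)
        print(r["kind"], r["src"]["text"], "->", r["dst"]["text"], hex(r["length_or_type"]))
```

A length field larger than the bytes actually received is rejected rather than silently read past the buffer; that check is the one most often missing in home-grown frame parsers.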
Devices On Layer 2 (Switches & Bridges)

• Each segment has its own collision domain.
• All segments are in the same broadcast domain.
Switches
• Each segment is its own collision domain.
• Broadcasts are forwarded to all segments.

Layer 3 : Network Layer

• Defines logical IP or IPX source and destination addresses associated with a specific protocol
• Defines paths through the network

[Figure: Network - IP, IPX; Data-Link - 802.2; Physical - 802.3, EIA/TIA-232, V.35]
Layer 3 (cont.)

Network Layer End-Station Packet: IP Header (Source Address, Destination Address) | Data
Logical address example: 172.15.1.1 (network part, node part)

Route determination occurs at this layer, so a packet must include a source and destination address.
Network-layer addresses have two components: a network component for internetwork routing, and a node number for a device-specific address. The example in the figure is an example of an IP packet and address.
Layer 3 (cont.)

           Address                               Mask
Dotted     172.16.122.204                        255.255.0.0
Binary     10101100 00010000 01111010 11001100   11111111 11111111 00000000 00000000
           Network (bits under the 1s) | Host (bits under the 0s)

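The mask walk-through above is the operation every router and firewall performs on every packet, so here is an added example (my own code, not from the slides) that does it on real dotted-decimal input: it renders the address and mask in binary as on the slide, ANDs them to get the network, ORs the inverted mask to get the directed broadcast, rejects a non-contiguous mask, and answers the question that decides whether a host ARPs directly or sends to its gateway: are two addresses on the same subnet?

```python
import socket
import struct


def dotted_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer (raises OSError on bad input)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_dotted(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))


def to_binary(value: int) -> str:
    """Render a 32-bit value as four 8-bit groups, as written on the slide."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def mask_is_contiguous(mask: int) -> bool:
    """A valid mask is a run of 1s followed by a run of 0s (255.255.0.0 yes, 255.0.255.0 no).
    Inverting gives a run of 0s then 1s; adding one to that clears every 1 bit."""
    inverted = (~mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def split_address(addr: str, mask: str) -> dict:
    """Network part, host part and derived values for an address/mask pair."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    if not mask_is_contiguous(m):
        raise ValueError(f"non-contiguous mask {mask}")
    host_mask = (~m) & 0xFFFFFFFF
    network = a & m                       # keep the bits under the 1s
    prefix_len = bin(m).count("1")
    return {
        "network": int_to_dotted(network),
        "host_bits": a & host_mask,       # the device-specific part
        "broadcast": int_to_dotted(network | host_mask),
        "prefix_len": prefix_len,
        "usable_hosts": max((1 << (32 - prefix_len)) - 2, 0),
        "binary_address": to_binary(a),
        "binary_mask": to_binary(m),
    }


def same_subnet(addr1: str, addr2: str, mask: str) -> bool:
    """True when both addresses share the network part under `mask`."""
    m = dotted_to_int(mask)
    return (dotted_to_int(addr1) & m) == (dotted_to_int(addr2) & m)


if __name__ == "__main__":
    for key, value in split_address("172.16.122.204", "255.255.0.0").items():
        print(f"{key:>15}: {value}")
```

The contiguity check matters in practice: a mask like 255.0.255.0 is accepted by some old code paths and produces a "network" that no routing table will ever match, which is a classic source of silently black-holed traffic.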
Device On Layer 3
Router
• Broadcast control
• Multicast control
• Optimal path
determination
• Traffic management
• Logical addressing
• Connects to WAN
services

Layer 4 : Transport Layer
• Distinguishes between upper-layer applications
• Establishes end-to-end connectivity between applications
• Defines flow control
• Provides reliable or unreliable services for data transfer

[Figure: Transport - TCP, UDP, SPX; Network - IP, IPX]

Reliable Service

Sender -> Receiver: Synchronize
Receiver -> Sender: Acknowledge, Synchronize
Sender -> Receiver: Acknowledge
Connection Established
Data Transfer (Send Segments)

How They Operate (four-port device)

                     Hub   Bridge   Switch   Router
Collision Domains:   1     4        4        4
Broadcast Domains:   1     1        1        4
Why Another Model?

Although the OSI reference model is universally recognized, the historical and technical open standard of the Internet is Transmission Control Protocol / Internet Protocol (TCP/IP).

The TCP/IP reference model and the TCP/IP protocol stack make data communication possible between any two computers, anywhere in the world, at nearly the speed of light.

The U.S. Department of Defense (DoD) created the TCP/IP reference model because it wanted a network that could survive any conditions, even a nuclear war.
TCP/IP Model

OSI #   OSI Layer Name   TCP/IP #   TCP/IP Layer Name   Encapsulation Unit
7       application      4          application         data
6       presentation     4          application         data
5       session          4          application         data
4       transport        3          transport           segment
3       network          2          internet            packet
2       data link        1          network access      frame
1       physical         1          network access      bits
TCP Segment Format

Bit 0                                      Bit 15 | Bit 16                     Bit 31
Source Port (16)                                  | Destination Port (16)
Sequence Number (32)
Acknowledgment Number (32)
Header Length (4) | Reserved (6) | Code Bits (6)  | Window (16)
Checksum (16)                                     | Urgent (16)
Options (0 or 32 if any)
Data (varies)

The fixed header is 20 bytes.
Port Numbers

Application layer:   FTP   TELNET   SMTP   DNS       TFTP   SNMP   RIP
Port number:         21    23       25     53        69     161    520
Transport layer:     TCP   TCP      TCP    TCP/UDP   UDP    UDP    UDP
TCP Port Numbers

Host A -> Host Z: source port 1028, destination port 23.
Host Z reads the destination port (23) and hands the segment to its Telnet application.
TCP Port Numbers

TCP Three-Way Handshake / Open Connection

1. Host A -> Host B: Send SYN (seq = 100, ctl = SYN). Host B: SYN received.
2. Host B -> Host A: Send SYN, ACK (seq = 300, ack = 101, ctl = SYN,ACK). Host A: SYN received.
3. Host A -> Host B: Send ACK (seq = 101, ack = 301, ctl = ACK). Connection established.

Opening & Closing Connection

Windowing
• Windowing in networking means the quantity of data, measured in bytes (the slides that follow count it in segments for simplicity), that a machine can transmit on the network without receiving an acknowledgement.

TCP Simple Acknowledgment (Window Size = 1)

Sender            Receiver
Send 1       ->   Receive 1
Receive ACK 2 <-  Send ACK 2
Send 2       ->   Receive 2
Receive ACK 3 <-  Send ACK 3
Send 3       ->   Receive 3
Receive ACK 4 <-  Send ACK 4


TCP Sequence and Acknowledgment Numbers

Each segment carries Source Port, Destination Port, Sequence and Acknowledgment numbers.
Sender: "I just sent number 11."  Receiver: "I just got number 11, now I need number 12."

Source   Dest.   Seq.   Ack.
1028     23      10     100
23       1028    100    11
1028     23      11     101
23       1028    101    12
Windowing

 There are two window sizes in the example: one set to 1 and one set to 3.
 When you've configured a window size of 1, the sending machine waits for an acknowledgment for each data segment it transmits before transmitting another.
 If you've configured a window size of 3, it's allowed to transmit three data segments before an acknowledgment is received.
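To tie the handshake, the sequence/acknowledgment arithmetic and the windowing slides together, here is an added simulation (my own code, not from the slides) of two endpoints: it runs the three-way handshake with the slide's values (ISN 100 and 300), checks that the SYN-ACK really acknowledges our ISN + 1 before completing the connection, and then transfers segments under a window of 1 or 3, counting send/ACK round trips and showing how a lost segment stalls the cumulative ACK. The `Endpoint` class and `transfer` function are my own illustration, and random ISNs are chosen because a predictable ISN lets an attacker forge the third segment blind.

```python
import secrets


def choose_isn() -> int:
    """Random 32-bit Initial Sequence Number. A guessable ISN lets an attacker forge the
    final ACK of a handshake or inject into a session without seeing the traffic (RFC 6528)."""
    return secrets.randbits(32)


def seq_add(seq: int, n: int) -> int:
    """Sequence numbers wrap modulo 2**32."""
    return (seq + n) & 0xFFFFFFFF


class Endpoint:
    def __init__(self, name: str, isn=None):
        self.name = name
        self.snd_nxt = choose_isn() if isn is None else isn   # next sequence number we will send
        self.rcv_nxt = None                                    # next sequence number we expect
        self.state = "CLOSED"


def three_way_handshake(a: Endpoint, b: Endpoint) -> list:
    """Return the three segments as (sender, flags, seq, ack). A SYN consumes one
    sequence number, so each side acknowledges the other's ISN + 1."""
    log = []
    syn = (a.name, {"SYN"}, a.snd_nxt, 0)
    a.state = "SYN-SENT"
    log.append(syn)
    # B answers with its own ISN and acknowledges A's ISN + 1
    b.rcv_nxt = seq_add(syn[2], 1)
    synack = (b.name, {"SYN", "ACK"}, b.snd_nxt, b.rcv_nxt)
    b.state = "SYN-RECEIVED"
    log.append(synack)
    # A verifies the SYN-ACK acknowledges its SYN before completing the handshake
    if synack[3] != seq_add(a.snd_nxt, 1):
        raise ValueError("SYN-ACK does not acknowledge our SYN")
    a.snd_nxt = seq_add(a.snd_nxt, 1)
    a.rcv_nxt = seq_add(synack[2], 1)
    log.append((a.name, {"ACK"}, a.snd_nxt, a.rcv_nxt))
    b.snd_nxt = seq_add(b.snd_nxt, 1)
    a.state = b.state = "ESTABLISHED"
    return log


def transfer(sender: Endpoint, receiver: Endpoint, payloads: list, window: int, lose_once=()) -> tuple:
    """Windowed transfer: up to `window` segments are sent before waiting for one
    cumulative ACK. Segments whose index is in `lose_once` are dropped the first time
    they are sent; the ACK then stops at the gap and the sender resends from there.
    Returns (event log, number of send/ACK round trips)."""
    seqs, s = [], sender.snd_nxt
    for p in payloads:
        seqs.append(s)
        s = seq_add(s, len(p))
    end_seq, dropped = s, set(lose_once)
    events, round_trips, base = [], 0, 0          # base = oldest unacknowledged segment
    while base < len(payloads):
        lost_at = None
        for i in range(base, min(base + window, len(payloads))):
            events.append(("send", i, seqs[i]))
            if i in dropped:
                dropped.discard(i)
                events.append(("lost", i, seqs[i]))
                if lost_at is None:
                    lost_at = i
        round_trips += 1
        base = lost_at if lost_at is not None else min(base + window, len(payloads))
        ack = seqs[base] if base < len(payloads) else end_seq
        events.append(("ack", base, ack))         # ACK names the next byte the receiver wants
    sender.snd_nxt = end_seq
    receiver.rcv_nxt = end_seq
    return events, round_trips


if __name__ == "__main__":
    a, b = Endpoint("A", isn=100), Endpoint("B", isn=300)
    for step in three_way_handshake(a, b):
        print(step)
    for w in (1, 3):
        c, d = Endpoint("C", isn=101), Endpoint("D", isn=301)
        print(f"window {w}: {transfer(c, d, [b'x' * 10] * 3, w)[1]} round trips")
```

With three segments, window size 1 costs three round trips and window size 3 costs one; a single loss under window 3 costs two, because the receiver keeps acknowledging the gap until it is filled.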

Windowing

Transport Layer Reliable Delivery

Flow Control
 Another function of the transport layer is to provide optional flow control.
 Flow control is used to ensure that networking devices don't send too much information to the destination, overflowing its receiving buffer space and causing it to drop the sent information.
 The purpose of flow control is to ensure the destination doesn't get overrun by too much information sent by the source.
Flow Control

[Figure: host A sends segments SEQ 1024, SEQ 2048 and SEQ 3072 to host B with a window size of 3]
User Datagram Protocol (UDP)

User Datagram Protocol (UDP) is the connectionless transport protocol in the TCP/IP protocol stack.

UDP is a simple protocol that exchanges datagrams, without acknowledgments or guaranteed delivery. Error processing and retransmission must be handled by higher layer protocols.

UDP is designed for applications that do not need to put sequences of segments together.

The protocols that use UDP include:
• TFTP (Trivial File Transfer Protocol)
• SNMP (Simple Network Management Protocol)
• DHCP (Dynamic Host Configuration Protocol)
• DNS (Domain Name System)
UDP Segment Format

Bit 0               Bit 15 | Bit 16               Bit 31
Source Port (16)           | Destination Port (16)
Length (16)                | Checksum (16)
Data (if any)

• The header is 8 bytes
• No sequence or acknowledgment fields

TCP vs UDP

IP Datagram

Bit 0                                                  Bit 15 | Bit 16                      Bit 31
Version (4) | Header Length (4) | Priority & Type of Service (8) | Total Length (16)
Identification (16)                                           | Flags (3) | Fragment Offset (13)
Time-to-Live (8) | Protocol (8)                               | Header Checksum (16)
Source IP Address (32)
Destination IP Address (32)
Options (0 or 32 if any)
Data (varies if any)

The fixed header is 20 bytes.

Protocol Field

The Protocol field in the IP header determines the destination upper-layer (transport) protocol:
TCP = 6, UDP = 17.


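The TCP, UDP and IP header layouts and the Protocol field above are exactly what a packet parser has to honour, so here is an added example (my own code, not from the slides) that builds an IPv4 datagram with a correct header checksum around a TCP or UDP payload and parses it back, validating Version, IHL, Total Length and the checksum before trusting any field and dispatching on Protocol 6 or 17. The builders leave the transport checksums at zero (they need the IP pseudo-header, which the slides do not cover), and all packets are constructed inline rather than captured.

```python
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; odd length is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ttl: int = 64, ident: int = 1) -> bytes:
    """20-byte IPv4 header (Version 4, IHL 5, no options) with a correct Header Checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, src, dst)
    checksum = internet_checksum(header)     # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def build_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 65535, data: bytes = b"") -> bytes:
    """TCP header from the slide: Data Offset 5 (20 bytes) and the six code bits
    URG ACK PSH RST SYN FIN = 0x20 0x10 0x08 0x04 0x02 0x01. Checksum left zero."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | (flags & 0x3F), window, 0, 0) + data


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """8-byte UDP header; Length covers header plus data. Checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def header_checksum_valid(packet: bytes) -> bool:
    """Summing the header including its own checksum field must give zero."""
    ihl = (packet[0] & 0x0F) * 4
    return len(packet) >= ihl >= 20 and internet_checksum(packet[:ihl]) == 0


def parse_tcp(segment: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urgent = struct.unpack("!HHIIHHHH", segment[:20])
    offset = (off_flags >> 12) * 4           # header length including options
    if not 20 <= offset <= len(segment):
        raise ValueError("bad TCP Data Offset")
    bits = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": [name for name, bit in bits if off_flags & bit],
            "options": segment[20:offset], "data": segment[offset:]}


def parse_udp(datagram: bytes) -> dict:
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if not 8 <= length <= len(datagram):
        raise ValueError("bad UDP Length")
    return {"sport": sport, "dport": dport, "data": datagram[8:length]}


def parse_ipv4(packet: bytes) -> dict:
    """Check Version, IHL, Total Length and Header Checksum before trusting any field,
    then hand the payload to the parser selected by the Protocol field (6 = TCP, 17 = UDP)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or not 20 <= ihl <= len(packet):
        raise ValueError("bad Version or IHL")
    if not ihl <= total_len <= len(packet):
        raise ValueError("Total Length inconsistent with the bytes received")
    if not header_checksum_valid(packet):
        raise ValueError("Header Checksum mismatch")
    payload = packet[ihl:total_len]          # bytes past Total Length (e.g. Ethernet padding) are ignored
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "ttl": ttl, "id": ident,
            "protocol": proto, "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": (flags_frag & 0x1FFF) * 8}
    if proto == 6:
        info["tcp"] = parse_tcp(payload)
    elif proto == 17:
        info["udp"] = parse_udp(payload)
    else:
        info["payload"] = payload
    return info


if __name__ == "__main__":
    syn = build_ipv4(bytes([172, 16, 3, 1]), bytes([172, 16, 3, 2]), 6, build_tcp(1028, 23, 100, 0, 0x02))
    print(parse_ipv4(syn))
```

The order of the checks is deliberate: length fields are validated against the bytes actually present before any slice is taken, so a crafted IHL or Total Length cannot make the parser read past the buffer or accept a header whose checksum was never verified.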
Address Resolution Protocol

Host 172.16.3.1: "I need the Ethernet address of 172.16.3.2." (broadcast; IP 172.16.3.2 = ???)
Host 172.16.3.2: "I heard that broadcast. The message is for me. Here is my Ethernet address." (IP 172.16.3.2, Ethernet 0800.0020.1111)

• Maps IP to MAC
• Local ARP
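The exchange above, as an added example (my own code, not from the slides): it builds and parses the 28-byte Ethernet/IPv4 ARP packet, has one host answer a request for its own address, and lets every host learn the sender binding from any ARP packet it sees, as real stacks do. Because nothing in ARP authenticates the sender, the `ArpHost` class (my illustration) also records an alert whenever an IP it already knows shows up with a different MAC, which is the observable symptom of ARP spoofing. The hosts and MACs are constructed from the slide's values.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"          # HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def ip_text(raw: bytes) -> str:
    return ".".join(map(str, raw))


def build_arp(op: int, sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """28-byte ARP packet for Ethernet (HTYPE 1) carrying IPv4 (PTYPE 0x0800)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op,
                       sender_mac, ip_bytes(sender_ip), target_mac, ip_bytes(target_ip))


def parse_arp(packet: bytes) -> dict:
    if len(packet) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unsupported ARP operation {op}")
    return {"op": op, "sender_mac": sha, "sender_ip": ip_text(spa),
            "target_mac": tha, "target_ip": ip_text(tpa)}


class ArpHost:
    """One host's view of ARP: answer requests for its own address, learn the sender
    binding from every packet seen, and record an alert when a known IP changes MAC."""

    def __init__(self, ip: str, mac: bytes):
        self.ip, self.mac = ip, mac
        self.cache = {}                     # IP text -> MAC bytes
        self.alerts = []                    # (ip, old_mac, new_mac)

    def request(self, target_ip: str) -> bytes:
        """Broadcast 'who has target_ip?'; the target MAC is unknown, so it is all zeros."""
        return build_arp(ARP_REQUEST, self.mac, self.ip, b"\x00" * 6, target_ip)

    def receive(self, packet: bytes):
        """Process a packet seen on the segment; return a reply to send, or None."""
        arp = parse_arp(packet)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.cache.get(ip)
        if known is not None and known != mac:
            self.alerts.append((ip, known, mac))   # possible ARP spoofing or a genuine NIC swap
        self.cache[ip] = mac
        if arp["op"] == ARP_REQUEST and arp["target_ip"] == self.ip:
            return build_arp(ARP_REPLY, self.mac, self.ip, mac, ip)
        return None


# Constructed hosts (values from the slide, plus a made-up attacker MAC)
A_MAC = bytes.fromhex("080000202222")
B_MAC = bytes.fromhex("080000201111")
EVIL_MAC = bytes.fromhex("deadbeef0001")

if __name__ == "__main__":
    a, b = ArpHost("172.16.3.1", A_MAC), ArpHost("172.16.3.2", B_MAC)
    a.receive(b.receive(a.request("172.16.3.2")))
    print("A learned", a.cache)
    a.receive(build_arp(ARP_REPLY, EVIL_MAC, "172.16.3.2", A_MAC, "172.16.3.1"))
    print("alerts:", a.alerts)
```

The alert is only a signal, not proof: a legitimate NIC replacement looks the same on the wire. What the example makes visible is that the host trusted the unsolicited reply and overwrote its cache anyway, which is why switches offer Dynamic ARP Inspection and why static entries are used for gateways on sensitive segments.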
Reverse ARP

Host (Ethernet 0800.0020.1111): "What is my IP address?" (broadcast; IP = ???)
RARP server: "I heard that broadcast. Your IP address is 172.16.3.25." (Ethernet 0800.0020.1111, IP 172.16.3.25)

• Maps MAC to IP
Origin of Ethernet

Developed at Xerox Palo Alto Research Center (PARC) in 1973 (patent filed 1975)
Originally designed as a 2.94 Mbps system to connect 100 computers on a 1 km cable
Later, Xerox, Intel and DEC drew up a standard supporting 10 Mbps: Ethernet II (the DIX standard)
Basis for the IEEE's 802.3 specification
Most widely used LAN technology in the world

10 Mbps IEEE Standards - 10BaseT

• 10BaseT: 10 Mbps, baseband, over unshielded twisted-pair cable
• Running Ethernet over twisted-pair wiring as specified by IEEE 802.3
• Configured in a star pattern
• Twisting the wires reduces EMI
• Fiber optic has no EMI
(Connector: RJ-45 plug and socket)

Twisted Pair Cables

 Unshielded Twisted Pair Cable (UTP)
  most popular
  maximum length 100 m
  prone to noise

Category 1  Voice transmission of traditional telephone
Category 2  For data up to 4 Mbps, 4 pairs full-duplex
Category 3  For data up to 10 Mbps, 4 pairs full-duplex
Category 4  For data up to 16 Mbps, 4 pairs full-duplex
Category 5  For data up to 100 Mbps, 4 pairs full-duplex
Category 6  For data up to 1000 Mbps, 4 pairs full-duplex
Baseband VS Broadband

 Baseband Transmission
  Entire channel is used to transmit a single digital signal
  Complete bandwidth of the cable is used by a single signal
  The transmission distance is shorter
  The electrical interference is lower

 Broadband Transmission
  Uses analog signaling and a range of frequencies
  Continuous signals flow in the form of waves
  Supports multiple analog transmissions (channels)
  SHARED

[Figure: baseband transmission through a network card vs broadband transmission through a modem]
10BASE-T and 100BASE-TX Pin
Pairs Used

Straight-through cable

Straight-through cable pinout

Crossover cable

Crossover cable

Rollover cable

Rollover cable pinout

Console cable

Outline
• Introduction
– Ethernet Cable
– Category
• How to wire
– Straight through
– Crossover
• Reference

2019/3/31 Ethernet Cable


Ethernet Cable
• The name "Ethernet Cable" usually refers to the following categories:
  – Category 5
  – Category 5e
  – Category 6
  – or higher categories.


Category

Category   Data Rate           Signal Frequency   Standard
Cat5       100 Mbps            100 MHz            TIA/EIA
Cat5e      100 Mbps / 1 Gbps   100 MHz            TIA/EIA-568-B
Cat6       1 Gbps / 10 Gbps    250 MHz            TIA/EIA-568-B
Cat6a      1 Gbps / 10 Gbps    500 MHz            ANSI/TIA/EIA-568-B.2-10

• TIA/EIA-568 is a set of telecommunications cabling standards from the Telecommunications Industry Association.


Ethernet Cable
• It is composed of 4 twisted pairs:
  – Orange
  – Green
  – Blue
  – Brown

[Figure: Cat5e cable, image from http://www.cat5ecable.co.uk/]
Ethernet Cable (T568B pinout)
Pin   Color
1     White/Orange
2     Orange
3     White/Green
4     Blue
5     White/Blue
6     Green
7     White/Brown
8     Brown

• You can use the order of rainbow colors to memorize the order of this wiring.


Ethernet Cable (10/100BASE-T pin usage)
Pin   Usage
1     Transmit (Tx+)
2     Transmit (Tx-)
3     Receive (Rx+)
4     --
5     --
6     Receive (Rx-)
7     --
8     --

• This is what justifies the wiring order of the straight-through and crossover cables.


How to wire
• Prepare the materials and tools:
  – Cable & RJ-45 plugs
  – Scissors
  – Crimping tool for RJ-45 plugs
How to wire
• Strip off a suitable length of the cable sheath.
  – About 2-2.5 cm
  – You can mark the position first.


How to wire
• Align the colored wires in the required order, pins 1 to 8 (the order is given in the tables that follow).


How to wire
• Straight Through
  – The wire order is the same on both ends (pins 1→8 map to pins 1→8).


Straight Through

Host A                                Host B
Pin   Usage   Color (T568B)           Color (T568B)   Usage   Pin
1     Tx+     White/Orange            White/Orange    Tx+     1
2     Tx-     Orange                  Orange          Tx-     2
3     Rx+     White/Green             White/Green     Rx+     3
4     --      Blue                    Blue            --      4
5     --      White/Blue              White/Blue      --      5
6     Rx-     Green                   Green           Rx-     6
7     --      White/Brown             White/Brown     --      7
8     --      Brown                   Brown           --      8


How to wire
• Crossover
  – The transmit and receive pairs are swapped between the two ends (pin 1↔3 and pin 2↔6).


Crossover

Host A (T568B)                              Host B (T568A)
Pin   Usage   Color                          Color           Usage   Pin
1     Tx+     White/Orange     ->            White/Orange    Rx+     3
2     Tx-     Orange           ->            Orange          Rx-     6
3     Rx+     White/Green      <-            White/Green     Tx+     1
6     Rx-     Green            <-            Green           Tx-     2
4, 5, 7, 8: unused, wired straight through (Blue, White/Blue, White/Brown, Brown)


How to wire
• Trim all the wires to the same length.
• Insert the wires into the RJ45 plug.
• Crimp the RJ45 plug with the crimping tool.
• Verify that the order of the wires is correct and that all the wires are making good contact with the metal contacts in the RJ45 plug (figure: correct vs incorrect insertion).
• Cut the cable to a suitable length and repeat the steps above for the other side.
  – Be sure which kind of cable (straight through or crossover) you are wiring.
• Testing (figure: cable tester readings for a straight-through and a crossover cable)
Reference
• Wikipedia, Category 5 cable: http://en.wikipedia.org/wiki/Category_5_cable
• Cat5e Cable: http://www.cat5ecable.co.uk/
• How to wire Ethernet Cables: http://www.ertyu.org/steven_nikkel/ethernetcables.html


Straight-Thru or Crossover

Use straight-through cables for the following cabling:
 Switch to router
 Switch to PC or server
 Hub to PC or server

Use crossover cables for the following cabling:
 Switch to switch
 Switch to hub
 Hub to hub
 Router to router
 PC to PC
 Router to PC

Most current switch and router ports support auto-MDIX, which detects the cable type and swaps the pairs automatically, so either cable works on those ports; the rules above still apply to older equipment and to the exam.
Connecting a router
• HyperTerminal has been the default for many
years
• You can download PuTTY from www.putty.org.

Using putty

Using a USB-to-rollover cable

Install the driver from the supplied CD; in this case the adapter was assigned COM4.

using HyperTerminal

Router Modes
• User Mode: has a very limited set of commands
  Router>
• Privileged mode or Privileged Exec mode
  Router>enable
  Router#
• Global Configuration Mode:
  Router#config
  Configuring from terminal, memory, or network [terminal]? ← press Enter
  Enter configuration commands, one per line. End with CNTL/Z.
  Router(config)#
Router modes
• Interface Configuration Mode
  Router(config)#interface Serial0
  Router(config-if)#

• Line Configuration Mode
  Router#config t
  Enter configuration commands, one per line. End with CNTL/Z.
  Router(config)#line console 0
  Router(config-line)#

enter Initial Configuration mode

The Router Boot-up Text

Configuring a Router

CONFIGURING A ROUTER
Router#cl?                 ← "?" lists the commands that begin with "cl"
clear  clock
Router#copy ru             ← press the Tab key here to complete the keyword
Router#copy running-config
Show Commands

Show command

Show command

Show history

Show memory

Show Version
• Type of router (another useful command for
listing the router hardware is show inventory)
• IOS version
• Memory capacity
• Memory usage
• CPU type
• Flash capacity
• Other hardware parameters
• Reason for last reload
Show version

Show run
• The show running-config command
provides full configuration on the router,
and it can be used to verify that the device
is configured with the proper features.

Lab 1
• Use a console cable, along with PuTTY (free online; search for "PuTTY"), to connect to a router console port
• Explore the various router modes and commands
• Configure the clock
• Configure the various passwords
• Configure a banner
• Configure telnet access
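The password and remote-access settings in this lab are the ones most often left weak on real devices, so here is an added example (my own code, not from the course) that audits an IOS running-config as text: it flags `enable password` without `enable secret`, a missing `service password-encryption`, `username ... password` instead of `username ... secret`, a leftover default `cisco` account, and vty lines that still accept Telnet. Both configs are constructed samples; the secret hashes in the hardened one are placeholders, not real digests.

```python
import re

# Constructed sample running-config for this lab (not captured from a real device).
LAB_CONFIG = """\
hostname shegawe
enable password cisco
username cisco password 0 cisco
!
line con 0
 password letmein
 login
line vty 0 4
 password letmein
 login
 transport input telnet
!
end
"""

# The same device after the fixes; the secret hashes are placeholders.
HARDENED_CONFIG = """\
hostname shegawe
service password-encryption
enable secret 5 $1$placeholder$hash
username admin secret 5 $1$placeholder$hash
!
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
!
end
"""


def parse_sections(config: str) -> dict:
    """Split IOS config text into the global commands and each 'line ...' /
    'interface ...' block (indented sub-commands), skipping comments and blanks."""
    sections, current = {"global": []}, "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        elif raw.startswith(("line ", "interface ")):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(raw.strip())
    return sections


def audit(config: str) -> list:
    """Findings on the password and remote-access settings covered by Lab 1."""
    sections = parse_sections(config)
    g = sections["global"]
    findings = []
    if not any(cmd.startswith("enable secret") for cmd in g):
        findings.append("no 'enable secret'; 'enable password' stores a reversible (type 7) or clear-text value")
    if "service password-encryption" not in g:
        findings.append("'service password-encryption' missing; line passwords are shown in clear text")
    for cmd in g:
        match = re.match(r"username (\S+) password ", cmd)
        if match:
            findings.append(f"user {match.group(1)} defined with 'password'; use 'username ... secret'")
        if re.match(r"username cisco (password|secret) ", cmd):
            findings.append("default account 'cisco' still present; remove it after creating your own")
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        transports = [cmd for cmd in body if cmd.startswith("transport input")]
        if not transports or any("telnet" in cmd or cmd.endswith(" all") for cmd in transports):
            findings.append(f"{name}: telnet accepted; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Note that `transport input ssh` only works once SSH itself is set up (a hostname, `ip domain-name` and `crypto key generate rsa`), which this lab does not cover; until then, restrict the vty lines with an access list rather than leaving Telnet open to the whole network.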
Thank you for your time!

Thank you; may God reward you with good.
Today what will be covered
• Distinguish between collision and broadcast domain
• Router boot process
• Binary conversion to decimal and hexadecimal (and vice versa)
• IP address
  – Classes
  – Identifying network and host section
  – Subnet mask
  – Classless
Router

• RAM – stores routing tables, ARP cache and holds temporary memory for the configuration file
• NVRAM – provides storage for the startup configuration file
• Flash – holds the operating system image (IOS)
• ROM – stores the bootstrap program
• Interfaces
• Console Port – provides physical access for initial configuration
Router = “PC”

Router inside parts

Router external parts

Router internal components
• CPU - executes instructions in the operating system
• RAM - used for routing table information, fast switching cache, running configuration, and packet queues
• Flash - used for storage of a full Cisco IOS software image
• NVRAM - used to store the startup configuration
• CPU bus - used by the CPU for accessing components from router storage
• System bus - used for communication between the CPU and the interfaces and/or expansion slots
• ROM - used for permanently storing startup diagnostic code
• Interfaces - the router connections to the outside
• Power supply - provides the necessary power to operate the internal components
Internal Components

[Figure: RAM, NVRAM, Flash, ROM; Console, Interfaces, Auxiliary]
RAM
• Temporary storage for router configuration
files
• RAM content is lost on power down or
restart
• Stores...
– Routing tables
– ARP cache
– Fast switching cache
– Packet buffering
– And Packet hold queues
NVRAM
• Non-volatile RAM
• Stores backup/startup configuration files
• Content is not lost when router is powered
down or restarted.
Flash
• EEPROM (Electrically Erasable Programmable Read-Only Memory)
• Holds the Cisco IOS (Internetwork Operating System)
• Allows updating of software without replacing the Flash chip
• Multiple versions of IOS can be stored
• Retained on power down
Connecting router for co
Modem connection (old timer)
Boot sequence
(Figure: which show commands read which component)
Interfaces: Router#show interfaces
System: Router#show version
RAM (operating programs, active configuration file, tables and buffers):
Router#show mem
Router#show processes cpu
Router#show stacks
Router#show protocols
Router#show buffers
Router#show running-config (older form: Router#write term)
NVRAM (backup configuration file):
Router#show startup-config (older form: Router#show config)
Flash (Internetwork Operating System):
Router#show flash
Router Startup Sequence
Locating the Cisco IOS
Software components
Fields in the IOS
Cisco IOS
• Carrying network protocols and functions
• Connecting high-speed traffic between devices
• Adding security to control access and stop unauthorized network use
• Providing scalability for ease of network growth and redundancy
• Supplying network reliability for connecting to network resources
• Note: new ISR routers use cisco as the username and cisco as the password by default.
• Outbound --- from outside the network: aux port using a modem, console port
• Inbound --- from within the network: telnet, web browser
• SDM is a Web-based device-management tool for Cisco routers that can help you configure a router via a web console.
Router user interface
Router user interface modes
Command line
Configuring passwords
Configuring interface
shegawe(config)#interface fastethernet 0/0
shegawe(config-if)#ip address 192.168.1.1 255.255.255.0
shegawe(config-if)#description my connection to LAN
By default all router interfaces are shutdown!!!!
shegawe(config-if)#no shutdown
Viewing & Saving Configurations
– running-config saved in DRAM
– startup-config saved in NVRAM
copy run start
sh run
sh start
erase startup-config
Verifying your configurations
Tools:
– show running-config
– show startup-config
– ping
– show cdp nei detail
– trace
– telnet
More verifications
• Verifying with the show interface command
– Router#show interface ?
• Verifying with the show ip interface command
– Router#show ip interface
– Router#show ip interface brief
– Router#show controllers
• Connecting to a router
• Bringing up a router
• Logging into a router
• Understanding the router prompts
• Understanding the CLI prompts
• Performing editing and help features
• Gathering basic routing information
• Setting administrative functions
• Setting hostnames
• Setting banners
• Setting passwords
• Setting interface descriptions
• Performing interface configurations
• Viewing, saving, and erasing configurations
Got it!!!!!
• Erasing the startup-config and reloading the router will give you a clean router with no default configuration.
Router Command History
Command – Meaning
• Ctrl+P or up arrow – Shows last command entered
• Ctrl+N or down arrow – Shows previous commands entered
• show history – Shows last 10 commands entered by default
• show terminal – Shows terminal configurations and history buffer size
• terminal history size – Changes buffer size (max 256)
Decimal to Binary
172 – Base 10: 1 × 100 + 7 × 10 + 2 × 1 = 172
(place values: 10^0 = 1, 10^1 = 10, 10^2 = 100, 10^3 = 1000)
10101100 – Base 2: 1 × 128 + 0 × 64 + 1 × 32 + 0 × 16 + 1 × 8 + 1 × 4 + 0 × 2 + 0 × 1 = 128 + 32 + 8 + 4 = 172
(place values: 2^0 = 1, 2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 16, 2^5 = 32, 2^6 = 64, 2^7 = 128)
Binary octet
• An octet is made up of eight “1”s and “0”s, representing the following values:
• 128 64 32 16 8 4 2 1
• So the value of 140 (the first octet of our example) looks like this:
• 1 0 0 0 1 1 0 0
Base 2 Number System
10110₂ = (1 × 2^4 = 16) + (0 × 2^3 = 0) + (1 × 2^2 = 4) + (1 × 2^1 = 2) + (0 × 2^0 = 0) = 22
Converting Decimal to Binary
Convert 201₁₀ to binary:
201 / 2 = 100 remainder 1
100 / 2 = 50 remainder 0
50 / 2 = 25 remainder 0
25 / 2 = 12 remainder 1
12 / 2 = 6 remainder 0
6 / 2 = 3 remainder 0
3 / 2 = 1 remainder 1
1 / 2 = 0 remainder 1
When the quotient is 0, take all the remainders in reverse order for your answer: 201₁₀ = 11001001₂
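The division-by-2 procedure above and the positional weights of an octet, as an added Python example (not from the slides); the function names and the sample values are my own.

```python
# Added example: decimal <-> binary conversion the way the slides do it.
from typing import List, Tuple


def decimal_to_binary_steps(n: int) -> Tuple[List[Tuple[int, int, int]], str]:
    """Divide by 2 until the quotient is 0, recording (value, quotient, remainder).

    The binary string is the remainders read in reverse order, exactly as on the slide.
    """
    if n < 0:
        raise ValueError("only non-negative integers are handled here")
    steps = []
    value = n
    while True:
        quotient, remainder = divmod(value, 2)
        steps.append((value, quotient, remainder))
        if quotient == 0:
            break
        value = quotient
    bits = "".join(str(r) for _, _, r in reversed(steps))
    return steps, bits


def binary_to_decimal(bits: str) -> int:
    """Sum the place value 2^k of every 1 bit, counting positions from the right."""
    if not bits or any(b not in "01" for b in bits):
        raise ValueError("expected a string of 0s and 1s")
    total = 0
    for position, bit in enumerate(reversed(bits)):
        if bit == "1":
            total += 2 ** position
    return total


OCTET_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(value: int) -> str:
    """Render 0..255 against the weights 128 64 32 16 8 4 2 1 (subtract-the-weight method)."""
    if not 0 <= value <= 255:
        raise ValueError("an octet is 0..255")
    out = []
    remaining = value
    for weight in OCTET_WEIGHTS:
        if remaining >= weight:
            out.append("1")
            remaining -= weight
        else:
            out.append("0")
    return "".join(out)


def dotted_to_bits(address: str) -> str:
    """'172.16.122.204' -> '10101100 00010000 01111010 11001100'."""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted-decimal octets")
    return " ".join(octet_to_bits(int(o)) for o in octets)


if __name__ == "__main__":
    steps, bits = decimal_to_binary_steps(201)
    for value, quotient, remainder in steps:
        print(f"{value} / 2 = {quotient} remainder {remainder}")
    print("201 =", bits)
    print("10110 =", binary_to_decimal("10110"))
    print(dotted_to_bits("172.16.122.204"))
```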
Decimal Equivalents of Bit Patterns
128 64 32 16 8 4 2 1
0 0 0 0 0 0 0 0 = 0
1 0 0 0 0 0 0 0 = 128
1 1 0 0 0 0 0 0 = 192
1 1 1 0 0 0 0 0 = 224
1 1 1 1 0 0 0 0 = 240
1 1 1 1 1 0 0 0 = 248
1 1 1 1 1 1 0 0 = 252
1 1 1 1 1 1 1 0 = 254
1 1 1 1 1 1 1 1 = 255
Binary to Decimal Chart
Hex to Binary to Decimal Chart
IP Address Breakdowns:
• The class of the address determines, by default, which part is for the network (N) and which part belongs to the node (n)
Class A: NNNNNNNN.nnnnnnnn.nnnnnnnn.nnnnnnnn
Class B: NNNNNNNN.NNNNNNNN.nnnnnnnn.nnnnnnnn
Class C: NNNNNNNN.NNNNNNNN.NNNNNNNN.nnnnnnnn
There are 5 different address classes
• Only 3 are in commercial use at this time.
• You can determine the class of the address by looking at the first 4 bits of the IP address:
– Class A begins with 0xxx, or 1 to 126 decimal
– Class B begins with 10xx, or 128 to 191 decimal
– Class C begins with 110x, or 192 to 223 decimal
– Class D begins with 1110, or 224 to 239 decimal
– Class E begins with 1111, or 240 to 254 decimal
Example: a Class B address
• By default, the network part of the address is defined by the first 2 octets: 140.179.x.x
• By default, the node part of the address is defined by the last 2 octets: x.x.220.200
*Note that the network part of the address is also known as the Network Address
Default mask
Default class
Reserved Addresses on a Subnet:
• In order to specify the Network Address of a given IP address, the node portion is set to all “0”s:
– 140.179.0.0
• If all the bits in the node portion are set to “1”s, then this specifies the broadcast address that is sent to all nodes on the network:
– 140.179.255.255
Introduction to TCP/IP Addresses
(Figure: hosts 172.18.0.1, 172.18.0.2 and 172.16.0.1, 172.16.0.2 reached across networks 10.13.0.0, 172.17.0.0 and 192.168.1.0; packet layout HDR | SA | DA | DATA)
• Location is represented by an address
– Unique addressing allows communication between end stations.
– Path choice is based on destination address.
IP Addressing
32 bits: Network | Host
Dotted decimal, maximum: 255 . 255 . 255 . 255
Bits: 1–8 | 9–16 | 17–24 | 25–32
Binary: 11111111 11111111 11111111 11111111
Each octet has the bit weights 128 64 32 16 8 4 2 1
Example, decimal: 172 . 16 . 122 . 204
Example, binary: 10101100 00010000 01111010 11001100
IP Address Classes
8 Bits | 8 Bits | 8 Bits | 8 Bits
• Class A: Network | Host | Host | Host
• Class B: Network | Network | Host | Host
• Class C: Network | Network | Network | Host
• Class D: Multicast
• Class E: Research
IP Address Classes
Bits: 1–8 | 9–16 | 17–24 | 25–32
Class A: 0NNNNNNN | Host | Host | Host; Range (1-126)
Class B: 10NNNNNN | Network | Host | Host; Range (128-191)
Class C: 110NNNNN | Network | Network | Host; Range (192-223)
Class D: 1110MMMM | Multicast Group | Multicast Group | Multicast Group; Range (224-239)
Host Addresses
(Figure: router with interface E0 on network 172.16.0.0 (hosts 172.16.2.1, 172.16.2.2, 172.16.3.10, 172.16.12.12) and interface E1 on network 10.0.0.0 (hosts 10.1.1.1, 10.6.24.2, 10.250.8.11, 10.180.30.118))
172.16.12.12: Network 172.16, Host 12.12
Routing Table:
Network 172.16.0.0 – Interface E0
Network 10.0.0.0 – Interface E1
Classless Inter-Domain Routing (CIDR)
• Basically the method that ISPs (Internet Service Providers) use to allocate an amount of addresses to a company or a home
• Ex: 192.168.10.32/28
• The slash notation (/) means how many bits are turned on (1s) in the subnet mask
CIDR Values
Determining Available Host Addresses
Network 172.16 | Host 0.0 (N = 16 host bits)
10101100 00010000 | 00000000 00000000 → 1
                  | 00000000 00000001 → 2
                  | 00000000 00000011 → 3
                  | ...
                  | 11111111 11111101 → 65534
                  | 11111111 11111110 → 65535
                  | 11111111 11111111 → 65536
                                         – 2
2^N – 2 = 2^16 – 2 = 65534 usable host addresses
IP Address Classes Exercise
Address | Class | Network | Host
10.2.1.1 | | |
128.63.2.100 | | |
201.222.5.64 | | |
192.6.141.2 | | |
130.113.64.16 | | |
256.241.201.10 | | |
IP Address Classes Exercise Answers
Address | Class | Network | Host
10.2.1.1 | A | 10.0.0.0 | 0.2.1.1
128.63.2.100 | B | 128.63.0.0 | 0.0.2.100
201.222.5.64 | C | 201.222.5.0 | 0.0.0.64
192.6.141.2 | C | 192.6.141.0 | 0.0.0.2
130.113.64.16 | B | 130.113.0.0 | 0.0.64.16
256.241.201.10 | Nonexistent | |
Subnetting
Subnetting is logically dividing the network by extending the 1’s used in the SNM (subnet mask)
Advantage
Can divide network in smaller parts
Restrict broadcast traffic
Security
Simplified administration
Formula
 Number of subnets = 2^x – 2, where x = number of bits borrowed
 Number of hosts = 2^y – 2, where y = number of 0’s
 Block size = total number of addresses
Block size = 256 – Mask
Subnetting
 Classful IP addressing SNMs are a set of 255’s and 0’s.
 In binary it’s contiguous 1’s and 0’s.
 SNM cannot be any value as it won’t follow the rule of contiguous 1’s and 0’s.
 Possible subnet mask values
– 0
– 128
– 192
– 224
– 240
– 248
– 252
– 254
– 255
Addressing Without Subnets
(Figure: hosts 172.16.0.1, 172.16.0.2, 172.16.0.3 … 172.16.255.253, 172.16.255.254 all on one network)
• Network 172.16.0.0
Addressing with Subnets
(Figure: subnets 172.16.1.0, 172.16.2.0, 172.16.3.0, 172.16.4.0)
• Network 172.16.0.0
Subnet Addressing
(Figure: router interface E0 = 172.16.2.1 with hosts 172.16.2.2, 172.16.2.160, 172.16.2.200; interface E1 = 172.16.3.1 with hosts 172.16.3.5, 172.16.3.100, 172.16.3.150)
New Routing Table (no subnetting): 172.16.2.160 = Network 172.16, Host 2.160
Network 172.16.0.0 – Interface E0
Network 172.16.0.0 – Interface E1
Subnet Addressing
New Routing Table (with subnetting): 172.16.2.160 = Network 172.16, Subnet 2, Host 160
Network 172.16.2.0 – Interface E0
Network 172.16.3.0 – Interface E1
Subnet Mask
IP Address: 172 . 16 | 0 . 0 (Network | Host)
Default Subnet Mask: 255 . 255 | 0 . 0 = 11111111 11111111 00000000 00000000
• Also written as “/16,” where 16 represents the number of 1s in the mask
8-Bit Subnet Mask: 255 . 255 | 255 | 0 (Network | Subnet | Host)
• Also written as “/24,” where 24 represents the number of 1s in the mask
Subnet Mask Without Subnets
Network | Host
172.16.2.160 = 10101100 00010000 | 00000010 10100000
255.255.0.0 = 11111111 11111111 | 00000000 00000000
AND = 10101100 00010000 | 00000000 00000000
Network Number: 172.16.0.0
• Subnets not in use—the default
Subnet Mask with Subnets
Network | Subnet | Host
172.16.2.160 = 10101100 00010000 | 00000010 | 10100000
255.255.255.0 = 11111111 11111111 | 11111111 | 00000000
AND = 10101100 00010000 | 00000010 | 00000000
Network Number: 172.16.2.0
• Network number extended by eight bits
Subnet Mask with Subnets (cont.)
Network | Subnet | Host
172.16.2.160 = 10101100 00010000 | 00000010 10 | 100000
255.255.255.192 = 11111111 11111111 | 11111111 11 | 000000
AND = 10101100 00010000 | 00000010 10 | 000000
Network Number: 172.16.2.128
• Network number extended by ten bits
Subnet Mask Exercise
Address | Subnet Mask | Class | Subnet
172.16.2.10 | 255.255.255.0 | |
10.6.24.20 | 255.255.240.0 | |
10.30.36.12 | 255.255.255.0 | |
Subnet Mask Exercise Answers
Address | Subnet Mask | Class | Subnet
172.16.2.10 | 255.255.255.0 | B | 172.16.2.0
10.6.24.20 | 255.255.240.0 | A | 10.6.16.0
10.30.36.12 | 255.255.255.0 | A | 10.30.36.0
Subnet Masking (continued)
Subnet Masking (continued)
Broadcast Addresses
(Figure: subnets 172.16.1.0, 172.16.2.0, 172.16.3.0, 172.16.4.0)
172.16.3.255 (Directed Broadcast)
255.255.255.255 (Local Network Broadcast)
172.16.255.255 (All Subnets Broadcast)
Addressing Summary Example
1. Host: 172.16.2.160 = 10101100 00010000 00000010 10100000
2. Mask: 255.255.255.192 = 11111111 11111111 11111111 11000000
3. Subnet: 172.16.2.128 = 10101100 00010000 00000010 10000000
4. Broadcast: 172.16.2.191 = 10101100 00010000 00000010 10111111
5. First host: 172.16.2.129 = 10101100 00010000 00000010 10000001
6. Last host: 172.16.2.190 = 10101100 00010000 00000010 10111110
Class B Subnet Example
IP Host Address: 172.16.2.121
Subnet Mask: 255.255.255.0
Network | Network | Subnet | Host
172.16.2.121: 10101100 00010000 00000010 01111001
255.255.255.0: 11111111 11111111 11111111 00000000
Subnet: 10101100 00010000 00000010 00000000
Broadcast: 10101100 00010000 00000010 11111111
• Subnet Address = 172.16.2.0
• Host Addresses = 172.16.2.1–172.16.2.254
• Broadcast Address = 172.16.2.255
• Eight Bits of Subnetting
Subnet Planning
20 subnets, 5 hosts per subnet, Class C address 192.168.5.0
(Figure: subnets 192.168.5.16, 192.168.5.32, 192.168.5.48 and other subnets)
Class C Subnet Planning Example
IP Host Address: 192.168.5.121
Subnet Mask: 255.255.255.248
Network | Network | Network | Subnet | Host
192.168.5.121: 11000000 10101000 00000101 01111001
255.255.255.248: 11111111 11111111 11111111 11111000
Subnet: 11000000 10101000 00000101 01111000
Broadcast: 11000000 10101000 00000101 01111111
• Subnet Address = 192.168.5.120
• Host Addresses = 192.168.5.121–192.168.5.126
• Broadcast Address = 192.168.5.127
• Five Bits of Subnetting
Exercise
• 192.168.10.0
• /27
? – SNM
? – Block Size
? – Subnets
Exercise
• /27
? – SNM – 224
? – Block Size = 256 – 224 = 32
? – Subnets (FHID = first host ID, LHID = last host ID; the last two octets of 192.168.x.x are shown)
Subnets   | 10.0  | 10.32 | 10.64
FHID      | 10.1  | 10.33 |
LHID      | 10.30 | 10.62 |
Broadcast | 10.31 | 10.63 |
Exercise
• 192.168.10.0
• /30
? – SNM
? – Block Size
? – Subnets
Exercise
• /30
? – SNM – 252
? – Block Size = 256 – 252 = 4
? – Subnets
Subnets   | 10.0 | 10.4 | 10.8
FHID      | 10.1 | 10.5 |
LHID      | 10.2 | 10.6 |
Broadcast | 10.3 | 10.7 |
Exercise
Prefix | Mask | Subnets | Hosts
/26 | ? | ? | ?
/27 | ? | ? | ?
/28 | ? | ? | ?
/29 | ? | ? | ?
/30 | ? | ? | ?
Exercise
Prefix | Mask | Subnets | Hosts
/26 | 192 | 4 | 62
/27 | 224 | 8 | 30
/28 | 240 | 16 | 14
/29 | 248 | 32 | 6
/30 | 252 | 64 | 2
Exam Question
• Find Subnet and Broadcast address
– 192.168.0.100/27
Exercise
192.168.10.54 /29
Mask ?
Subnet ?
Broadcast ?
Exercise
192.168.10.130 /28
Mask ?
Subnet ?
Broadcast ?
Exercise
192.168.10.193 /30
Mask ?
Subnet ?
Broadcast ?
Exercise
192.168.1.100 /26
Mask ?
Subnet ?
Broadcast ?
Exercise
192.168.20.158 /27
Mask ?
Subnet ?
Broadcast ?
Class B
172.16.0.0 /19
Subnets ?
Hosts ?
Block Size ?
Class B
172.16.0.0 /19
Subnets: 2^3 – 2 = 6
Hosts: 2^13 – 2 = 8190
Block Size: 256 – 224 = 32
(last two octets of 172.16.x.x shown)
Subnets   | 0.0    | 32.0   | 64.0   | 96.0
FHID      | 0.1    | 32.1   | 64.1   | 96.1
LHID      | 31.254 | 63.254 | 95.254 | 127.254
Broadcast | 31.255 | 63.255 | 95.255 | 127.255
Class B
172.16.0.0 /27
Subnets ?
Hosts ?
Block Size ?
Class B
172.16.0.0 /27
Subnets: 2^11 – 2 = 2046
Hosts: 2^5 – 2 = 30
Block Size: 256 – 224 = 32
Subnets   | 0.0  | 0.32 | 0.64 | 0.96
FHID      | 0.1  | 0.33 | 0.65 | 0.97
LHID      | 0.30 | 0.62 | 0.94 | 0.126
Broadcast | 0.31 | 0.63 | 0.95 | 0.127
Class B
172.16.0.0 /23
Subnets ?
Hosts ?
Block Size ?
Class B
172.16.0.0 /23
Subnets: 2^7 – 2 = 126
Hosts: 2^9 – 2 = 510
Block Size: 256 – 254 = 2
Subnets   | 0.0   | 2.0   | 4.0   | 6.0
FHID      | 0.1   | 2.1   | 4.1   | 6.1
LHID      | 1.254 | 3.254 | 5.254 | 7.254
Broadcast | 1.255 | 3.255 | 5.255 | 7.255
Class B
172.16.0.0 /24
Subnets ?
Hosts ?
Block Size ?
Class B
172.16.0.0 /24
Subnets: 2^8 – 2 = 254
Hosts: 2^8 – 2 = 254
Block Size: 256 – 255 = 1
Subnets   | 0.0   | 1.0   | 2.0   | 3.0
FHID      | 0.1   | 1.1   | 2.1   | 3.1
LHID      | 0.254 | 1.254 | 2.254 | 3.254
Broadcast | 0.255 | 1.255 | 2.255 | 3.255
Class B
172.16.0.0 /25
Subnets ?
Hosts ?
Block Size ?
Class B
172.16.0.0 /25
Subnets: 2^9 – 2 = 510
Hosts: 2^7 – 2 = 126
Block Size: 256 – 128 = 128
Subnets   | 0.0   | 0.128 | 1.0   | 1.128 | 2.0   | 2.128
FHID      | 0.1   | 0.129 | 1.1   | 1.129 | 2.1   | 2.129
LHID      | 0.126 | 0.254 | 1.126 | 1.254 | 2.126 | 2.254
Broadcast | 0.127 | 0.255 | 1.127 | 1.255 | 2.127 | 2.255
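Added example, not part of the slides: a small subnet calculator on Python's standard ipaddress module that applies the Formula slide (block size = 256 – mask, 2^x – 2 subnets, 2^y – 2 hosts) and reproduces the Subnet / FHID / LHID / Broadcast rows of the Class C and Class B exercises above. The function names are mine; the 2^x – 2 subnet count follows the slide (with ip subnet-zero, the IOS default, all 2^x subnets are usable).

```python
# Added example: subnet calculator for the exercises on these slides.
import ipaddress
from typing import Dict, List, Tuple


def classful_prefix(address: str) -> int:
    """Default mask length from the first octet: class A /8, class B /16, class C /24."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{address} is not a class A, B or C address")


def prefix_to_mask(prefix: int) -> str:
    """/25 -> '255.255.255.128'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def block_size(prefix: int) -> int:
    """Slide rule 'block size = 256 - mask', taken on the first mask octet that is not 255."""
    mask = ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask.packed
    octet = prefix // 8 if prefix % 8 else max(prefix // 8 - 1, 0)
    return 256 - mask[octet]


def subnet_info(cidr: str) -> Dict[str, object]:
    """Everything the exercises ask for, from one host address written a.b.c.d/prefix."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network                                    # host bits masked off
    prefix = net.prefixlen
    borrowed = prefix - classful_prefix(str(iface.ip))     # x = bits borrowed from the host part
    host_bits = 32 - prefix                                # y = number of 0s in the mask
    usable = host_bits >= 2                                # /31 and /32 have no host range
    return {
        "mask": str(net.netmask),
        "subnet": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
        "block_size": block_size(prefix),
        # 2^x - 2 as on the Formula slide (subnet zero and the all-ones subnet excluded)
        "subnets": 2 ** borrowed - 2 if borrowed >= 1 else 1,
        "hosts": 2 ** host_bits - 2 if usable else 0,
    }


def subnet_table(network: str, new_prefix: int, limit: int = 4) -> List[Tuple[str, str, str, str]]:
    """First `limit` subnets of `network` at `new_prefix` as (subnet, FHID, LHID, broadcast)."""
    rows = []
    for sub in ipaddress.ip_network(network).subnets(new_prefix=new_prefix):
        if len(rows) == limit:
            break
        rows.append((str(sub.network_address), str(sub.network_address + 1),
                     str(sub.broadcast_address - 1), str(sub.broadcast_address)))
    return rows


def prefix_for_hosts(address: str, hosts_needed: int) -> int:
    """Shortest mask whose 2^y - 2 usable hosts reach hosts_needed (exercise: 100 hosts, class B)."""
    y = 2
    while 2 ** y - 2 < hosts_needed:
        y += 1
    prefix = 32 - y
    if prefix < classful_prefix(address):
        raise ValueError("more hosts than one classful network holds")
    return prefix


def prefix_for_subnets(address: str, subnets_needed: int) -> int:
    """Mask giving at least subnets_needed subnets by 2^x - 2 (exercise: 100 subnets, class B)."""
    x = 2
    while 2 ** x - 2 < subnets_needed:
        x += 1
    prefix = classful_prefix(address) + x
    if prefix > 30:
        raise ValueError("not enough host bits left")
    return prefix


if __name__ == "__main__":
    print(subnet_info("192.168.10.54/29"))
    for row in subnet_table("192.168.10.0/24", 27, 3):
        print(row)
    p = prefix_for_hosts("172.16.0.0", 100)
    print(f"100 hosts in a class B: /{p} = {prefix_to_mask(p)}")
```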
Find out Subnet and Broadcast Address
• 172.16.85.30/29
Find out Subnet and Broadcast Address
• 172.30.101.62/23
Find out Subnet and Broadcast Address
• 172.20.210.80/24
Exercise
• Find out the mask which gives 100 subnets for class B
Exercise
• Find out the mask which gives 100 hosts for class B
Class A
10.0.0.0 /10
Subnets ?
Hosts ?
Block Size ?
Class A
10.0.0.0 /10
Subnets: 2^2 – 2 = 2
Hosts: 2^22 – 2 = 4194302
Block Size: 256 – 192 = 64
Subnets   | 10.0          | 10.64          | 10.128         | 10.192
FHID      | 10.0.0.1      | 10.64.0.1      | 10.128.0.1     | 10.192.0.1
LHID      | 10.63.255.254 | 10.127.255.254 | 10.191.255.254 | 10.254.255.254
Broadcast | 10.63.255.255 | 10.127.255.255 | 10.191.255.255 | 10.254.255.255
Class A
10.0.0.0 /18
Subnets ?
Hosts ?
Block Size ?
Class A
10.0.0.0 /18
Subnets: 2^10 – 2 = 1022
Hosts: 2^14 – 2 = 16382
Block Size: 256 – 192 = 64
Subnets   | 10.0.0.0    | 10.0.64.0    | 10.0.128.0   | 10.0.192.0
FHID      | 10.0.0.1    | 10.0.64.1    | 10.0.128.1   | 10.0.192.1
LHID      | 10.0.63.254 | 10.0.127.254 | 10.0.191.254 | 10.0.254.254
Broadcast | 10.0.63.255 | 10.0.127.255 | 10.0.191.255 | 10.0.254.255
Broadcast Addresses Exercise
Address | Subnet Mask | Class | Subnet | Broadcast
201.222.10.60 | 255.255.255.248 | | |
15.16.193.6 | 255.255.248.0 | | |
128.16.32.13 | 255.255.255.252 | | |
153.50.6.27 | 255.255.255.128 | | |
Broadcast Addresses Exercise Answers
Address | Subnet Mask | Class | Subnet | Broadcast
201.222.10.60 | 255.255.255.248 | C | 201.222.10.56 | 201.222.10.63
15.16.193.6 | 255.255.248.0 | A | 15.16.192.0 | 15.16.199.255
128.16.32.13 | 255.255.255.252 | B | 128.16.32.12 | 128.16.32.15
153.50.6.27 | 255.255.255.128 | B | 153.50.6.0 | 153.50.6.127
VLSM
• VLSM is a method of designating a different subnet mask for the same network number on different subnets
• Can use a long mask on networks with few hosts and a shorter mask on subnets with many hosts
• With VLSMs we can have different subnet masks for different subnets.
Variable Length Subnetting
 VLSM allows us to use one class C address to design a networking scheme to meet the following requirements:
 Addis Ababa 60 hosts
 Dessie 28 hosts
 Jimma 12 hosts
 Hawassa 12 hosts
 WAN 1 2 hosts
 WAN 2 2 hosts
 WAN 3 2 hosts
Networking Requirements
(Figure: LANs Addis Ababa 60, Dessie 60, Jimma 60, Hawassa 60 joined by WAN 1, WAN 2, WAN 3)
In the example above, a /26 was used to provide the 60 addresses for Addis Ababa and the other LANs. There are no addresses left for WAN links.
Networking Scheme
Addis Ababa (60 hosts): 192.168.10.0/26
Dessie (28 hosts): 192.168.10.64/27
Jimma (12 hosts): 192.168.10.96/28
Hawassa (12 hosts): 192.168.10.112/28
WAN 1 (2 hosts): 192.168.10.128/30, using 192.168.10.129 and 130
WAN 2 (2 hosts): 192.168.10.132/30, using 192.168.10.133 and 134
WAN 3 (2 hosts): 192.168.10.136/30, using 192.168.10.137 and 138
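The allocation above, as an added Python example that is not part of the slides: a VLSM allocator that carves the class C block largest-requirement-first, so every subnet starts on a multiple of its own size, and reports what is left for growth. The site names and host counts are the slide's; the function names and the ValueError for an exhausted block are mine.

```python
# Added example: VLSM allocation for the Addis Ababa / Dessie / Jimma / Hawassa scheme.
import ipaddress
from typing import List, Tuple

# The slide's requirements as (site, hosts needed); each WAN link needs 2 hosts
SITES = [("Addis Ababa", 60), ("Dessie", 28), ("Jimma", 12), ("Hawassa", 12),
         ("WAN 1", 2), ("WAN 2", 2), ("WAN 3", 2)]


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest block) whose 2^y - 2 usable addresses fit `hosts`."""
    y = 2
    while 2 ** y - 2 < hosts:
        y += 1
    return 32 - y


def vlsm_allocate(base: str, requirements: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Assign (site, hosts, subnet) out of `base`, largest requirement first, so each
    block begins on a multiple of its own size and no space is wasted between blocks."""
    base_net = ipaddress.ip_network(base)
    cursor = int(base_net.network_address)
    end = int(base_net.broadcast_address) + 1
    plan = []
    for site, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor % size:                   # only needed if blocks were not in size order
            cursor += size - cursor % size
        if cursor + size > end:
            raise ValueError(f"{base} is exhausted before {site} ({hosts} hosts)")
        plan.append((site, hosts, str(ipaddress.ip_network((cursor, prefix)))))
        cursor += size
    return plan


def unused_blocks(base: str, plan: List[Tuple[str, int, str]]) -> List[str]:
    """Address space left after the plan, as the fewest CIDR blocks, for future growth."""
    base_net = ipaddress.ip_network(base)
    last_used = max(int(ipaddress.ip_network(cidr).broadcast_address) for _, _, cidr in plan)
    if last_used >= int(base_net.broadcast_address):
        return []
    free = ipaddress.summarize_address_range(
        ipaddress.ip_address(last_used + 1), base_net.broadcast_address)
    return [str(n) for n in free]


if __name__ == "__main__":
    plan = vlsm_allocate("192.168.10.0/24", SITES)
    for site, hosts, cidr in plan:
        print(f"{site:12s} {hosts:3d} hosts -> {cidr}")
    print("free:", unused_blocks("192.168.10.0/24", plan))
```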
VLSM Exercise
Base network 192.168.1.0; requirements: 40 hosts, 25 hosts, 12 hosts, and three WAN links of 2 hosts each
VLSM Exercise (answer)
40 hosts: 192.168.1.64/26
25 hosts: 192.168.1.32/27
12 hosts: 192.168.1.16/28
2 hosts: 192.168.1.4/30
2 hosts: 192.168.1.8/30
2 hosts: 192.168.1.12/30
VLSM Exercise
Base network 192.168.1.0; requirements: 35 hosts, 15 hosts, 8 hosts, 5 hosts, and four WAN links of 2 hosts each
Exercise
Answer
Summarization
• Summarization, also called route aggregation, allows routing protocols to advertise many networks as one address.
• The purpose of this is to reduce the size of routing tables on routers to save memory
• Route summarization (also called route aggregation or supernetting) can reduce the number of routes that a router must maintain
• Route summarization is possible only when a proper addressing plan is in place
• Route summarization is most effective within a subnetted environment when the network addresses are in contiguous blocks
Subnetting Formulas (continued)
Subnetting Formulas (continued)
Summarization
Supernetting
Network | Network | Network | Subnet
(third-octet bit weights 16 8 4 2 1)
172.16.12.0 = 10101100 00010000 00001100 00000000
172.16.13.0 = 10101100 00010000 00001101 00000000
172.16.14.0 = 10101100 00010000 00001110 00000000
172.16.15.0 = 10101100 00010000 00001111 00000000
255.255.255.0 = 11111111 11111111 11111111 00000000
Supernetting
Network | Network | Network | Subnet
(third-octet bit weights 16 8 4 2 1)
172.16.12.0 = 10101100 00010000 00001100 00000000
172.16.13.0 = 10101100 00010000 00001101 00000000
172.16.14.0 = 10101100 00010000 00001110 00000000
172.16.15.0 = 10101100 00010000 00001111 00000000
255.255.252.0 = 11111111 11111111 11111100 00000000
172.16.12.0/24, 172.16.13.0/24, 172.16.14.0/24, 172.16.15.0/24 → 172.16.12.0/22
Supernetting Question
 What is the most efficient summarization that TK1 can use to advertise its networks to TK2?
A. 172.1.4.0/24, 172.1.5.0/24, 172.1.6.0/24, 172.1.7.0/24
B. 172.1.0.0/22
C. 172.1.4.0/25, 172.1.4.128/25, 172.1.5.0/24, 172.1.6.0/24, 172.1.7.0/24
D. 172.1.0.0/21
E. 172.1.4.0/22
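Added Python example (not from the slides): computing the most efficient single summary for a list of networks by keeping only the leading bits that the lowest and highest address share, and checking each candidate answer for coverage and for how much extra address space it would advertise. The networks of TK1 are taken from the question; the function names are mine.

```python
# Added example: route summarization / supernetting check.
import ipaddress
from typing import Iterable, List, Tuple

# Constructed from the question above: the four /24s behind TK1
TK1_NETWORKS = ["172.1.4.0/24", "172.1.5.0/24", "172.1.6.0/24", "172.1.7.0/24"]


def summarize(networks: Iterable[str]) -> str:
    """Smallest single CIDR block (supernet) that contains every listed network."""
    nets = [ipaddress.ip_network(n) for n in networks]
    if not nets:
        raise ValueError("nothing to summarize")
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    # the summary keeps exactly the leading bits that lowest and highest have in common
    prefix = 32 - (lowest ^ highest).bit_length()
    return str(ipaddress.ip_network((lowest, prefix), strict=False))


def check_candidate(candidate: str, networks: Iterable[str]) -> Tuple[bool, int]:
    """(does the candidate cover every network?, extra addresses it advertises beyond them)."""
    cand = ipaddress.ip_network(candidate)
    nets = [ipaddress.ip_network(n) for n in networks]
    covers = all(n.subnet_of(cand) for n in nets)
    covered = sum(n.num_addresses for n in nets if n.subnet_of(cand))
    return covers, cand.num_addresses - covered


def summary_overhead(networks: Iterable[str]) -> int:
    """Extra address space the best summary claims; non-zero means the router would
    attract traffic for addresses it has no route to (why contiguous blocks matter)."""
    nets: List[str] = list(networks)
    return check_candidate(summarize(nets), nets)[1]


if __name__ == "__main__":
    print("best summary:", summarize(TK1_NETWORKS))
    for option in ("172.1.0.0/22", "172.1.0.0/21", "172.1.4.0/22"):
        print(option, check_candidate(option, TK1_NETWORKS))
    # non-aligned blocks summarize badly: the summary covers far more than the two networks
    print(summarize(["172.16.13.0/24", "172.16.16.0/24"]),
          summary_overhead(["172.16.13.0/24", "172.16.16.0/24"]))
```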
Thank you for your time!
Thank you. May God reward you.
Today’s topic
• Routing table
• Explain routing protocol
Routing table
• The routing table is stored in RAM and contains information about:
 Directly connected networks - this occurs when a device is connected to another router interface
 Remotely connected networks - this is a network that is not directly connected to a particular router
 Detailed information about the networks includes source of information, network address & subnet mask, and IP address of next-hop router
 The router matches the most specific address
• The show ip route command is used to view a routing table
Routing table
• Note: at the network layer the destination address is examined
– a. If the destination address is a router’s interface or an all-hosts broadcast address -> to internal process
– b. Any other address calls for routing -> do route table lookup
– Minimum information needed to be routed:
• a. destination address
• b. pointer to destination (exiting interface or next hop IP address)
– The router matches the most specific address
– A routing table is a list of the best-known available routes
Routing table principles
Principle 1: every router makes its decision alone, based on the information it has in its routing table
Principle 2: the fact that one router has certain information in its routing table does not mean that others have the same information
Principle 3: routing information about a path from one network to another does not provide routing information about the reverse, or return, path
*** Cisco IP Routing by Alex Zinin
Routing Table Principles
– 3 principles regarding routing tables:
 Every router makes its decisions alone, based on the information it has in its routing table.
 Different routing tables may contain different information
 A routing table can tell how to get to a destination but not how to get back
Routing Table Structure
• Effects of the 3 Routing Table Principles
• -Packets are forwarded through the network
from one router to another, on a hop by hop
basis.
• -Packets can take path “X” to a destination but
return via path “Y” (Asymmetric routing).
Router Paths and Packet Switching
A metric is a numerical value used by routing protocols to help determine the best path to a destination
– The smaller the metric value the better the path
• 2 types of metrics used by routing protocols are:
– Hop count - this is the number of routers a packet must travel through to get to its destination
– Bandwidth - this is the “speed” of a link, also known as the data capacity of a link
Router Paths and Packet
Switching
• Equal cost metric is a condition where a router has multiple
paths to the same destination that all have the same metric
• To solve this dilemma, a router will use Equal Cost Load
Balancing. This means the router sends packets over the
multiple exit interfaces listed in the routing table.
Router Paths and Packet
Switching
• Path determination is a process used by a router to pick the best
path to a destination
• One of 3 path determinations results from searching for the best
path
– Directly connected network
– Remote network
– No route determined
Router Paths and Packet
Switching
• As a packet travels from one networking device to another
– The Source and Destination IP addresses NEVER change
– The Source & Destination MAC addresses CHANGE as packet is
forwarded from one router to the next.
– TTL field decrement by one until a value of zero is reached at which
point router discards packet (prevents packets from endlessly
traversing the network)
Router Paths and Packet
Switching
• Path determination and switching
function details. PC1 Wants to send
something to PC 2 here is part of what
happens
– Step 1 - PC1 encapsulates packet into a
frame. Frame contains R1’s destination
MAC address
Routing Table Structure
• Adding a connected network to the routing table
– Router interfaces
 Each router interface is a member of a different network
 Activated using the no shutdown command
 In order for static and dynamic routes to exist in routing table
you must have directly connected networks
Summary
• Routers are computers that specialize in sending data over a network.
• Routers are composed of:
– Hardware i.e. CPU, Memory, System bus, Interfaces
– Software used to direct the routing process
 IOS
 Configuration file
• Routers need to be configured. Basic configuration consists of:
– Router name
– Router banner
– Password(s)
– Interface configurations i.e. IP address and subnet mask
• Routing tables contain the following information
– Directly connected networks
– Remotely connected networks
– Network addresses and subnet masks
– IP address of next hop address
Summary
• Routers determine a packet’s path to its destination by doing the following
 Receiving an encapsulated frame & examining the destination MAC address.
 If the MAC address matches then the frame is de-encapsulated so that the router can examine the destination IP address.
 If the destination IP address is in the routing table or there is a static route then the router determines the next hop IP address. The router will re-encapsulate the packet with the appropriate layer 2 frame and send it out to the next destination.
Routing, at its essence, is concerned with forwarding packets from their source on one subnet to their destination on another subnet.
Routing
• One of a router’s primary jobs is to determine the best path to a given destination
• A router learns paths, or routes,
• from static configuration entered by an administrator
• or dynamically from other routers, through routing protocols
Comparing routing protocol
• Scalability
• Vendor interoperability
• IT staff’s familiarity with protocol
• Speed of convergence
• Capability to perform summarization
• Interior or exterior routing
• Type of routing protocol
Classification of Routing protocol
A. Static routing (including default route)
B. Dynamic routing
A. Interior (CCNA)
B. Exterior (CCNP)
Static route
• When to use static routes
– When the network only consists of a few routers
– The network is connected to the internet only through one ISP
– A hub & spoke topology is used on a large network
Modifying static route
• Destination network no longer exists
• Change in topology
• To modify you need to delete the static route and configure the new one!
Routing Table Structure
• Connected and Static routes
Default route
• Used to represent all routes with zero or no bits matching
• No routes that have a more specific match
• In case of stub networks
• Note
– Default routes are used when the router cannot match a destination network with a specific entry in the routing table
Checking routing table
Floating static
Floating static = backup route only used if the primary path (link) fails
AA(config)#ip route 10.1.3.0 255.255.255.192 se 2/0
AA(config)#ip route 10.1.3.0 255.255.255.192 se 3/0 50
Using administrative distance (measure of preferability): we duplicate the path to the same destination; the lower AD would be preferred.
Metric – specifies the preferability of a route
AD – preferability of the means by which the route
A static route pointing to a next hop has an AD of 1; using an exiting interface has an AD of 0
Multiple paths toward the destination network with equal AD imply load sharing (ba
“What did he know, when did he know it”
• When troubleshooting routing problems
– What does the router know?
– How long has the information been in the route table?
– Does the router know how to reach the destination in question?
– Is the information in the route table accurate?
– Use show ip route, ping, traceroute (tracert)
• Knowing how to trace a route is essential to successfully troubleshooting a network
• Note: check both the destination and return path when a route fails
Routing table
Level 1 – parent route: added when a child route is added; no exit information
Level 2 – child route: subnet of a classful network
Routing source
• Routing sources – several sources can be used to build up the routing table:
• Directly connected networks
• Static routes
• Classful routing protocols: RIPv1
• Classless routing protocols: RIPv2, EIGRP, OSPF
Routing protocol
• Protocol = an agreed upon set of rules
• Routing protocol: rules that describe how layer 3 devices send updates between each other about available networks
• A routing protocol is the mechanism used to update layer 3 devices.
• A routing protocol is an application on the router
• Its purpose is to ensure the correct, timely exchange of information about the networks
• Routes learned from routing updates are held in the routing
How routing protocol works
• a. The routing protocol sends the information about the networks (routes)
• b. The routing table receives updates from the routing protocol
• c. The forwarding process determines which path to select
Path selection
• Metrics
• used to calculate which path to select
• Administrative distance
• if more than one routing protocol is running on the router, AD decides which routing protocol’s route is selected
• Prefix length
• the route whose subnet bits match the destination the most (the longest prefix) determines the destination network
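The three selection steps above (longest prefix, then administrative distance, then metric), together with the floating static route from the earlier slide, as an added Python model that is not from the slides. The routes, interface names, and the AD values (1 for the primary static, 50 for the floating static, 120 for RIP) are constructed for the example; the class and function names are mine.

```python
# Added example: routing-table lookup with prefix length, AD and metric tie-breaking.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "10.1.3.0/26"
    via: str         # exit interface or next-hop address
    source: str      # "connected", "static" or "rip"
    ad: int          # administrative distance: how trusted the source is
    metric: int = 0  # only comparable between routes from the same source


ROUTE_CODES = {"connected": "C", "static": "S", "rip": "R"}


def format_route(route: Route) -> str:
    """One line in the style of 'show ip route': code prefix [AD/metric] via ..."""
    code = ROUTE_CODES.get(route.source, "?")
    return f"{code} {route.prefix} [{route.ad}/{route.metric}] via {route.via}"


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def link_down(self, interface: str) -> None:
        """A failed link withdraws every route that points out of it."""
        self.routes = [r for r in self.routes if r.via != interface]

    def lookup(self, destination: str) -> List[Route]:
        """Longest prefix first, then lowest AD, then lowest metric; ties are load-shared."""
        dest = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dest in ipaddress.ip_network(r.prefix)]
        if not matches:
            return []          # no route at all: the packet is dropped
        longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
        matches = [r for r in matches if ipaddress.ip_network(r.prefix).prefixlen == longest]
        best_ad = min(r.ad for r in matches)
        matches = [r for r in matches if r.ad == best_ad]
        best_metric = min(r.metric for r in matches)
        return [r for r in matches if r.metric == best_metric]


def build_example_table() -> RoutingTable:
    """Constructed table: the floating static pair from the slide, RIP routes, a default."""
    rt = RoutingTable()
    rt.add(Route("10.1.1.0/24", "fa0/0", "connected", 0))
    rt.add(Route("10.1.3.0/26", "se2/0", "static", 1))       # ip route ... se 2/0
    rt.add(Route("10.1.3.0/26", "se3/0", "static", 50))      # ip route ... se 3/0 50
    rt.add(Route("10.1.0.0/16", "10.1.1.2", "rip", 120, 3))
    rt.add(Route("10.1.0.0/16", "10.1.1.3", "rip", 120, 3))  # equal-cost RIP path
    rt.add(Route("0.0.0.0/0", "se0/0", "static", 1))         # default route
    return rt


if __name__ == "__main__":
    rt = build_example_table()
    for dest in ("10.1.3.5", "10.1.7.9", "8.8.8.8"):
        print(dest, "->", [format_route(r) for r in rt.lookup(dest)])
    rt.link_down("se2/0")   # primary path fails: the floating static takes over
    print("10.1.3.5 ->", [format_route(r) for r in rt.lookup("10.1.3.5")])
```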
Review: static route
• No overhead
• No bandwidth usage
• Adds security
• Cons
• More work
• Needs knowledge of the network
• Not suitable for large networks
Dynamic routing protocol
• Allows routers configured for that protocol to exchange route information and update that information based on changing network conditions
– Used to add remote networks to a routing table
– Used to discover networks
– Used to update and maintain routing tables
• Automatic network discovery
– Routers are able to discover new networks by sharing routing table information
Dynamic routing protocol
• Discovering remote networks
• Maintain up-to-date routing information
• Choosing the best path to destination
network
• Having the ability to find a new path if the
current path is no longer available
• Routing protocols
• Interior gateway protocols
• Exterior gateway protocols
335
Routing protocol operation
1. The router sends and receives routing messages on its interfaces
2. The router shares routing messages and routing information with other routers that are using the same routing protocol
3. Routers exchange routing information and learn more about remote networks
4. When a router detects a topology change, the routing protocol can advertise this change to other routers
Routing algorithm
• Mechanism for sending and receiving routing information
• Mechanism for calculating the best path
• Installing the routes in the routing table
• Mechanism for detecting and reacting to topology changes
Routing protocol characteristics
• Time to converge
• Scalability
• Classless or classful
• Resource usage
• Implementation and maintenance
Convergence
• How quickly the route propagates
• Speed of calculating the best path
• A network is not completely operable until it has converged
Maintaining the routing table
• Changes that might occur:
a. Failure of a link
b. Failure of a router
c. Change of a link parameter
d. Introduction of a new link
Routing loop
a. Incorrectly configured static routes
b. Incorrectly configured route redistribution (CCNP)
c. Inconsistent routing tables not being updated due to slow updates
Implication of routing loop
• Link BW will be used for traffic looping back and forth between the routers in a loop
• A router’s CPU will be burdened with useless packets
• Routing updates might get lost or not be processed in a timely manner
• Packets might get lost in “black holes”, never reaching their intended destination
Administrative Distance
The router uses these values to select the source of information to use when multiple routes to a destination exist.
A smaller number indicates a more trusted route.
Distance vector
• does not have the knowledge of the entire
path

• Knows only
• The direction in which or interface to which
packet should be forward
• The distance to the destination network

344
Distance vector
• Sends entire routing table
• Sends periodical update
• Updates consumes lots of BW
• Consumes lots of router CPU process

345
Distance vector
• Uses the Bellman-Ford algorithm
• Sends the complete routing table at regular intervals
– to neighbor routers
• Does not actually identify its neighbors for direct
communication
• Neighbor routers receive and send the broadcast updates
• Concerned only with the direction of destination networks
• Easy to configure
• Uses less memory and processing power

346
RIP v.1
• Classful routing protocol
• Updates are sent every 30 seconds
• Sends updates to 255.255.255.255 as
broadcast
• Sends the entire routing table
• Uses hop count as the metric
• Maximum hop count is 15
• Load-balances over up to six equal-cost paths (default
is 4)
347
RIP v.1
• Learns about other paths from its neighbors
• Consumes a lot of bandwidth
• Slow to converge (routing loops are possible meanwhile)
• Uses timers to determine when a neighbor is
no longer available
• Uses triggered updates to help speed up
convergence
• Uses a hold-down timer to prevent the router from
using another route to a recently down network
348
RIP v.1
• Automatically summarizes to the classful
network address
• Does not support VLSM/CIDR
• Does not support discontiguous subnets
• Easy to configure
• Wollo(config)# router rip
• Wollo(config-router)# network 192.169.1.0
(the network you want to advertise)
349
Verification
• show ip route
• show ip protocols
• debug ip rip
• debug ip packet

350
Passive interface
• Prevents RIP updates from being sent but still allows
updates to be received (the interface can hear but cannot
speak)
• Otherwise bandwidth is wasted
• Advertising updates on a broadcast
network is a security risk.
• STOPS unnecessary RIP updates
351
Advantage and disadvantage of
automatic summarization
• Advantage
– Smaller routing updates
– Use of less bandwidth (for routing updates)
– Use of a single route (for a faster lookup
process)
• Disadvantage
– Not able to support discontiguous
subnets
– Summarization advertises a range of
contiguous addresses as one route
352
Default route
• R2(config-router)# default-information originate

353
A static default route will have precedence
over a default route learned through a
dynamic routing protocol

354
Classful and Classless Routing
Protocols
• Classful routing protocols
– Summarize networks to their major network
boundaries (Class A, B, or C)
– Do not carry subnet mask information in their
routing table updates
– Cannot be used in networks with either
discontiguous subnets or networks using
variable length subnet masks (VLSM)
– Examples: RIPv1
355
Network with discontiguous subnets
356
357
Classful and Classless Routing
Protocols (continued)

358
Classful and Classless Routing
Protocols (continued)

359
Classful and Classless Routing
Protocols (continued)
• Classless routing protocols
– Allow dynamic routing in discontiguous
networks
– Carry subnet mask information in the routing
table updates
– Examples: RIPv2, EIGRP, OSPF, and BGP

360
Comparing RIPv1 and RIPv2

361
RIPv2
• Interior gateway protocol (IGP)
• Classless, distance-vector, timer-driven
• Metric: hop count
• 15 is the maximum usable metric
• Updates sent to multicast 224.0.0.9 (version 1 uses broadcast 255.255.255.255)
• Update interval 30 seconds
• Full updates each interval
• Authentication (not supported on version 1)
• Sends RIPv2 updates on each RIPv2-enabled interface

362
Configuring RIPv2

363
Classful and Classless Routing
Protocols (continued)

364
RIPv2 Network Operation
Dude, they are done learning!
Now all of the routers have learned about all of the routes in
the entire network and have reached convergence.

369
Challenge lab

370
Lab answer
• Configure RIP v2 between Dessie, Bati,
Kemmise and HQ
• Configure a static route toward HQ from the ISP
• Configure a default route toward the ISP
• Configure passive interfaces toward all
LANs
• Enable the auto-summary feature as
needed
371
If a router receives a routing update that
contains a higher-cost path to a network, the
update is ignored.

372
Classful Route Lookups
• In classful route lookups, a
destination address is first matched to its
major network address in the routing table
and then matched to a subnet of the
major network. If no match is found at
either of these steps, the packet is
dropped.
Classless Route Lookups
• When a router performs classless route
lookups, it does not pay attention to the class of
the destination address
• Enabled with the ip classless command
– (in global configuration mode)
Classless Routing Protocols
• What distinguishes them is their capability to carry subnet
masks in their route advertisements
Note: the subnet mask is sent with the updates
• The major classful routing protocols are
– RIPv1
– BGP3
• The major classless routing protocols are
– RIPv2
– EIGRP
– OSPF
– IS-IS
– BGP4
Discontiguous Subnets and Classless
Routing
• Route summarization reduces the amount of
routing information in the routing tables
• The default behavior of RIPv2 is to summarize at
network boundaries, the same as RIPv1
• Use the no auto-summary command under the
RIP process to turn off summarization and
allow subnets to be advertised across network
boundaries
378
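The following Python is an added example, not code from the slides: it models the distance-vector behaviour described on these RIP slides (hop count plus one, 16 as unreachable, a higher-cost update from another neighbour ignored) and the classful auto-summary that makes discontiguous subnets fail. The router names, prefixes and link addresses are constructed.

```python
import ipaddress

INFINITY = 16   # RIP: 15 is the maximum usable hop count, 16 means unreachable


def classful_network(prefix: str) -> str:
    """Major (classful) network of a prefix, e.g. 172.16.1.0/24 -> 172.16.0.0/16."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = net.network_address.packed[0]
    if first_octet < 128:
        major_len = 8       # class A
    elif first_octet < 192:
        major_len = 16      # class B
    else:
        major_len = 24      # class C
    return str(ipaddress.ip_network(f"{net.network_address}/{major_len}", strict=False))


def advertised_routes(table, interface_prefix, auto_summary=True):
    """Prefixes a router advertises out an interface, as {prefix: metric}.

    table maps prefix -> (metric, next_hop). With auto-summary (always on in
    RIPv1, on by default in RIPv2) a subnet is collapsed to its major network
    when that differs from the outgoing interface's major network; with
    auto_summary=False (no auto-summary) every subnet is sent unchanged.
    """
    local_major = classful_network(interface_prefix)
    out = {}
    for prefix, (metric, _next_hop) in table.items():
        key = prefix
        if auto_summary and classful_network(prefix) != local_major:
            key = classful_network(prefix)
        out[key] = min(metric, out.get(key, INFINITY))   # best metric represents a summary
    return out


def process_update(table, neighbor, update):
    """Apply an update {prefix: metric} heard from `neighbor`; returns changed prefixes.

    Rules from the slides: metric = neighbour's metric + 1 hop, capped at 16;
    a new reachable network is installed; the current next hop may always
    change the metric (that is how an unreachable, metric-16 route arrives);
    a higher or equal cost path from any other neighbour is ignored.
    """
    changed = []
    for prefix, adv_metric in update.items():
        metric = min(adv_metric + 1, INFINITY)
        current = table.get(prefix)
        if current is None:
            if metric < INFINITY:
                table[prefix] = (metric, neighbor)
                changed.append(prefix)
        elif current[1] == neighbor:
            if current[0] != metric:
                table[prefix] = (metric, neighbor)
                changed.append(prefix)
        elif metric < current[0]:
            table[prefix] = (metric, neighbor)
            changed.append(prefix)
    return changed


def discontiguous_demo():
    """Why RIPv1 cannot handle discontiguous subnets (constructed scenario).

    R1 owns 172.16.1.0/24 and R2 owns 172.16.2.0/24; both reach a middle router
    over 10.0.0.0/30 links, so both summarize to 172.16.0.0/16. The middle router
    keeps the first summary it hears and has no route to the other subnet.
    """
    r1 = {"172.16.1.0/24": (0, "direct")}
    r2 = {"172.16.2.0/24": (0, "direct")}
    middle = {}
    process_update(middle, "R1", advertised_routes(r1, "10.0.0.1/30"))
    process_update(middle, "R2", advertised_routes(r2, "10.0.0.5/30"))
    return middle
```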
debug Commands
• Two configuration problems common to RIPv2
are mismatched versions and misconfigured
authentication
• Router#debug ip rip
RIP: bad version 128 from 160.89.80.43
Routing Information Protocol
version 2 (continued)

380
Routing Information Protocol
version 2 (continued)

381
382
Summary
• RIP is still used despite the emergence of more
sophisticated routing protocols.
• RIP is mature, stable, widely supported, and
easy to configure.
• Although RIPv2 offers some decided
improvements over RIPv1, it is still limited to a
maximum of 15 hops and small internetworks.
• Design strategies such as VLSM have become
very powerful tools for controlling protocols.
• One of the major improvements in and benefits
of using RIPv2 compared to RIPv1 is that
RIPv2 provides authentication
Summary

Key Terms
• convergence: The speed and ability of a group of
internetworking devices running a specific
routing protocol to agree on an internetwork's
topology after a change in that topology.
• metric: A method by which a routing algorithm
determines that one route is better than
another.
– This information is stored in routing tables. Metrics
include bandwidth, communication cost, delay, hop
count, load, path cost, and reliability.
Summary …
• multicasting: A technique for simultaneously
advertising routing information to multiple RIPv2
devices.
• RIPv2 is not a new protocol; it is just RIPv1 with some
extensions to bring it up to date with modern routing
environments.
• RIPv2 has been updated
– to support VLSM, authentication, and multicast
updates.
• route summarization: Consolidation of advertised
addresses. This causes a single summary route to
be advertised to other routers.
Routing …
• routing update: A message sent from a
router to indicate network reachability
and associated cost information.
• Routing updates are typically sent at
regular intervals and after a change in
network topology.

386
To do list
a. The do command: (config)#do sh run
b. Configuring RIP version 2
– passive-interface
c. Telnet configuration (%no password set)
– Use Ctrl+Shift+6, then X
d. Try using traceroute and tracert
e. Configuring SSH
f. Console vs. aux
g. Verify and troubleshooting commands
Link-State
• Similar to a global positioning system (GPS) in
a car, a router can execute an algorithm to
calculate an optimal path (or paths) to a
destination network
• Information about adjacencies is sent to
all routers
• Each router builds a topology database
• A "shortest path" algorithm is used to
find the best route
• Converges as quickly as the databases can
be updated
388
• Note that a network can simultaneously support
more than one routing protocol through the
process of route redistribution.
OSPF
• Is a public (non-proprietary) routing protocol.
• Sends the subnet mask in the routing update. It
supports route summarization and VLSM
• Is not susceptible to routing loops
• Uses hello packets to discover neighbor
routers.
• Shares routing information through Link State
Advertisements (LSAs)
• Converges faster than a distance vector
protocol
OSPF
• Metric – cost
• Uses the Shortest Path First (SPF), or Dijkstra,
algorithm
• Hello interval
• Dead interval
• Full or partial updates
• Authentication
• VLSM/classless
• Manual route summarization
• Good design can minimize resource usage
OSPF
• Uses a hierarchical design (the reason it is harder to
configure)
– To speed convergence
– To confine network instability
– To decrease routing overhead
• OSPF routers discover neighbors first,
before exchanging routing information
• In an OSPF area all routers have the same
topology table (a common view)
• OSPF calculates the shortest path first
• OSPF uses event-triggered updates
OSPF
• Designed for TCP/IP
• Low bandwidth utilization
– Only propagates changes
– Uses multicast in multi-access networks
• Multi-access networks
– All routers must accept packets sent to the
AllSPFRouters (224.0.0.5) address
– All DR and BDR routers must accept packets sent to
the AllDRouters (224.0.0.6) address
OSPF
OSPF works with the concept of areas, and by default you will always have a single area,
normally area 0, also called the backbone area.
394
Hello packet
Routers have to become neighbors first; once they are neighbors,
they exchange link-state advertisements.
395
OSPF Area
What is in a hello packet

397
Cost
• Cost = Reference Bandwidth / Interface Bandwidth
• Example:
If you have a 100 Mbit interface, what will the cost be?
Cost = Reference bandwidth / Interface bandwidth
100 Mbit / 100 Mbit = cost 1
398
Equal cost implies load balance
• Paths must have an equal cost.
• 4 equal-cost paths will be placed in the
routing table.
• Maximum of 16 paths.
• To make paths equal cost, change the
"cost" of a link.

399
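An added Python example, not code from the slides, that applies the cost formula above (100 Mbit reference bandwidth) and runs the SPF calculation over a constructed five-router area, keeping up to maximum-paths equal-cost next hops; the cost_overrides parameter stands in for a manually changed link cost, and the router names and bandwidths are constructed.

```python
import heapq
import itertools

REFERENCE_BW_KBPS = 100_000   # 100 Mbit/s reference bandwidth, as on the slide


def ospf_cost(interface_bw_kbps: int) -> int:
    """Cost = reference bandwidth / interface bandwidth, as an integer of at least 1."""
    return max(1, REFERENCE_BW_KBPS // interface_bw_kbps)


def add_link(topology, a, b, bw_kbps):
    """Add a two-way link with the given bandwidth (same cost in both directions)."""
    topology.setdefault(a, {})[b] = bw_kbps
    topology.setdefault(b, {})[a] = bw_kbps


def spf(topology, root, maximum_paths=4, cost_overrides=None):
    """Shortest path first (Dijkstra) from `root`; returns {router: (cost, [next hops])}.

    Equal-cost next hops are kept up to `maximum_paths` (4 by default, 16 at most,
    as on the slide). cost_overrides maps (router, neighbour) -> cost and stands in
    for a manually changed interface cost, the knob the slide says to turn to make
    two paths equal.
    """
    cost_overrides = cost_overrides or {}
    seq = itertools.count()                      # tie-breaker so the heap never compares routers
    best = {root: 0}
    next_hops = {root: []}
    heap = [(0, next(seq), root, None)]          # (cost so far, seq, router, first hop)
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if cost > best[node]:
            continue                             # stale entry, a cheaper path was found
        for nbr, bw in topology[node].items():
            link_cost = cost_overrides.get((node, nbr), ospf_cost(bw))
            new_cost = cost + link_cost
            hop = nbr if node == root else first_hop
            if new_cost < best.get(nbr, float("inf")):
                best[nbr] = new_cost             # strictly better: replace the next-hop list
                next_hops[nbr] = [hop]
                heapq.heappush(heap, (new_cost, next(seq), nbr, hop))
            elif new_cost == best[nbr] and hop not in next_hops[nbr] \
                    and len(next_hops[nbr]) < maximum_paths:
                next_hops[nbr].append(hop)       # equal cost: add as an ECMP next hop
                heapq.heappush(heap, (new_cost, next(seq), nbr, hop))
    return {router: (best[router], next_hops[router]) for router in best}


def sample_topology():
    """Constructed single-area topology; bandwidths in kbit/s."""
    t = {}
    add_link(t, "R1", "R2", 100_000)   # FastEthernet, cost 1
    add_link(t, "R1", "R3", 100_000)
    add_link(t, "R2", "R4", 100_000)
    add_link(t, "R3", "R4", 100_000)
    add_link(t, "R4", "R5", 10_000)    # 10 Mbit/s Ethernet, cost 10
    add_link(t, "R2", "R5", 1_000)     # 1 Mbit/s serial-style link, cost 100
    return t
```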
Router Classification
[Figure: Area 0 (backbone) with Area 2 and Area 3 attached through ABR/BR routers; an ASBR connects to another AS]
• Internal Router (IR)
• Area Border Router (ABR)
• Backbone Router (BR)
• Autonomous System Border Router (ASBR)
OSPF Route Types
[Figure: Area 2, Area 0 and Area 3 joined by ABRs, with an ASBR at the edge]
• Intra-Area Route: all routes within an area
• Inter-Area Route: routes announced from one area to
another by an ABR
• External Route: routes imported into OSPF from
another protocol or from static routes
Topology/Link-State DB
• A router has a separate DB for each area it
belongs to
• All routers within an area have an identical DB
• SPF calculation is done separately for each
area
• LSA flooding is limited to the particular area
Router ID
• The highest IP address assigned to a loopback
(logical) interface.
• If no loopback interface is defined, the
highest IP address of the router's physical
interfaces.
More on OSPF
Each LSA has an aging timer, carried in the link-state age field.
By default each OSPF LSA is only valid for 30 minutes.
The LSA sequence number is 4 bytes (32 bits); it begins at 0x80000001 and
ends at 0x7FFFFFFF.
Every 30 minutes each LSA will age out and will be flooded again; the sequence number
will increment by one.
Link-state routing protocols operate by sending link-state advertisements (LSAs) to all
other link-state routers.
405
More on OSPF

406
More on OSPF
Compare the LSDB to having a full map of your country.
Once every router has a complete map we can start calculating the shortest path to all the
different destinations by using the shortest-path first (SPF) algorithm. The BEST
information goes into the routing table.

407
OSPF packet types
• Hello: neighbor discovery; builds neighbor
adjacencies and maintains them.
• DBD: used to check whether the LSDB between 2 routers
is the same. The DBD is a summary of the LSDB.
• LSR: requests specific link-state records
from an OSPF neighbor.
• LSU: sends the specific link-state records that
were requested. This packet is like an
envelope with multiple LSAs in it.
• LSAck: OSPF is a reliable protocol, so there is
a packet to acknowledge the others.
408
OSPF 7 states
1. Down: no OSPF neighbors detected at this moment.
2. Init: Hello packet received.
3. Two-way: own router ID found in received hello packet.
4. Exstart: master and slave roles determined.
5. Exchange: database description packets (DBD) are
sent.
6. Loading: exchange of LSRs (Link state request) and
LSUs (Link state update)
packets.
7. Full: OSPF routers now have an adjacency.

409
State …
[Figure: R0 and R1 in the Down state; after a hello is received, R1 moves to the Init state and its neighbor table lists router R0]
410
OSPF state …
Two-Way State
R0 will receive this hello packet and see its own router ID. We are now in the
two-way state.

411
OSPF state …
Exstart State
Our routers are ready to sync their LSDBs. At this step
we have to select a master and slave role. The router with the highest router ID will
become the master. Router R1 has the highest router ID and will become the master.

412
Exchange State
Our routers are sending a
DBD with a summary of
the LSDB.
This way the routers can
find out what networks
they don't know about.
413
OSPF states ….
Loading State
Send an acknowledgement using the LSAck packet.
Compare the information in the DBD with the information the router already has:
if the neighbor has new or newer information, it sends an LSR (Link
State Request) packet to request that information.
When the routers start sending LSRs (Link State Requests) we are in the
loading state.
The other router will respond with an LSU (Link State Update) with the requested
information.
414
Full State
Both routers have a synchronized LSDB and
we are ready to route!

415
multi-access

416
No election

417
OSPF network types:

• Non-Broadcast (NBMA)
• Point-to-multipoint
• Point-to-multipoint non-broadcast
• Broadcast
• Point-to-Point

418
Default values
DR/BDR election

419
EIGRP
• No longer a closed, proprietary protocol of Cisco
• EIGRP features
– Transport (IP protocol number 88), uses RTP (reliable unicast and
multicast, similar to TCP)
• RTP – delivery is guaranteed (not the POST OFFICE—Geretatios)
• RTP also carries hello and ACK packets (unreliable packets)
– Metric (bandwidth and delay by default)
• Extended (optional) metrics: load, reliability
• Unused metric: MTU
– Hello interval (5 or 60 seconds by default)
– Hold timer – determines when a neighboring router has
failed (3× the hello interval: 15 or 180 seconds by default)
– Full or partial updates
– Authentication
EIGRP
– VLSM/classless
– Summarization (to classful by default)
• Manual summarization allowed at the interface
– Protocol-dependent modules
• Multiprotocol support (IPv6, IP, IPX, AppleTalk)
– No periodic updates
• Uses hello packets to announce its continuous presence
– Hello packet
• To build and maintain neighbor adjacencies
• Note: the use of RTP and hellos is what makes it possible to
abandon periodic updates; changes are sent event-driven
– Uses the Diffusing Update Algorithm (DUAL)
• Rapid convergence and loop-free paths
EIGRP
• Diffuses (sends) updates only to the affected area
(bounded)
• Sends partial updates only
• Default maximum hop count is 100
– Router(config-router)# metric maximum-hops {1 – 255}
• Administrative distance is 90
– External route AD is 170
– Router(config-router)# distance eigrp {1 – 255}
• Can be adjusted for the external routes too !!!
EIGRP
• Metrics (composite metric)
– Bandwidth (default)
• Transmission speed of an interface
– Reliability
• Expressed as a fraction of 255 (255 implies 100% reliable)
– Delay (default), in tens of microseconds
• The maximum delay value indicates unreachable
• A measure of the time it takes for a packet to traverse a route
– Load
• Amount of traffic flowing (expressed as a fraction of 255)
• 1 implies empty, 255 fully utilized (the lower the fraction, the
less load on the link)
– MTU and hop count (fallback measures)
• Are unused in best-path selection or composite metric
calculation (but are advertised)
EIGRP Delay
EIGRP
• By default EIGRP uses up to 50% of the
configured bandwidth
• The bandwidth command does NOT change the
physical bandwidth of the link
EIGRP
• Packets (the first five are the EIGRP packets
usually discussed)
– Hello
– Acknowledgment
– Update (reliable)
– Query (reliable)
– Reply (reliable)
– SIA-Query (reliable)
– SIA-Reply (reliable)
• The packets marked reliable are the ones EIGRP
makes sure are delivered
Neighbor Discovery / Recovery
EIGRP
• EIGRP packets in action
– R# show ip eigrp traffic (EIGRP traffic counters)
• Hello packets
– To discover, verify and rediscover neighbors
– Are sent on EIGRP-enabled interfaces (to 224.0.0.10)
– Default interval is 5 or 60 seconds
– Not acknowledged (unreliable – no response
required)
• No need to say hello back to SELMETA (rude
…hahhaha)
• Acknowledgment packets
– To facilitate reliable delivery (a dataless Hello)
EIGRP
• Update packets
– Can be unicast or multicast
– Unicast
• Between newly discovered neighbors
• On point-to-point connections
– Multicast
• To multiple new neighbors
• After fully synchronized
• Sent when the topology changes
• Note: updates are delivered reliably
– They are always acknowledged, and retransmitted
if no acknowledgement is heard within a certain time
EIGRP
• Query packet
– Searching for the best route
– Delivered reliably
– Can be unicast or multicast (in some books
always multicast)
– Sent as unicast to an unresponsive neighbor
– Unicast on point-to-point interfaces
– Must be acknowledged (ACK)
• Reply packet
– Response to a query
– Always unicast
– Delivered reliably
EIGRP
• SIA-Query and SIA-Reply packets
– Used during prolonged diffusing computations
– To verify that a neighbor that has not sent a reply to a
query is truly reachable
– SIA-Reply  answers an SIA-Query
– Repeated until the maximum time allowed
– Are unicast and reliably delivered
EIGRP
• Router adjacency
– Dynamic
– Static (using the neighbor command), on media such as
Frame Relay
• To be neighbors, routers must agree on
– Authentication parameters (if configured)
– K-values (metric weights)
– Autonomous system number (AS)
– A common IP network address
– Hello and hold-down timers do NOT need to match !!!
EIGRP
• How to adjust the hello and hold timers (intervals)
– R1(config-if)# ip hello-interval eigrp 100 {seconds}
– R1(config-if)# ip hold-time eigrp 100 {seconds}
– 100 is the AS number
EIGRP : neighbor table
EIGRP
• Neighbor table
• H – handle number used to identify neighbors (internal)
• Address and Interface – the neighbor's IP address and this router's
interface toward the neighbor
• Hold time – derived from the value advertised by the neighbor
and decremented every second
– Is reset every time a packet is received from the neighbor
• SRTT – estimates the round-trip time between sending a reliable
packet and receiving the acknowledgment (the appropriate packet
from the neighbor)
• RTO – time to wait for the acknowledgement of a retransmitted
unicast packet
• Q Cnt – number of enqueued reliable packets (must be zero)
• Sequence number – sequence number of the last reliable
packet (update, reply, SIA-query, or SIA-reply)
EIGRP
EIGRP
• Diffusing Update Algorithm
– The center of EIGRP
– Tracks all routes advertised, to select an efficient,
loop-free path to every destination
• Topology table – all learned paths
– Populated
– from injected networks (via interfaces)
– from updates
– ** a remote network must first be present in this table
before it is installed in the routing table
EIGRP
• States of EIGRP routes
– Passive  a path to the network has already been found
• Prohibited from modifying the routing table entry
• Operational, stable state
– Active  currently searching for a new path (sending
queries)
• Undergoing recomputation
EIGRP
• EIGRP conditions
• Reported Distance (advertised distance)
– Distance from the neighbor toward the destination
• Cost from the next-hop router toward the destination
– Must be smaller than the feasible distance (strictly)
• Feasibility condition
– A sufficient condition to provide a loop-free path
• Feasible Distance
– The lowest distance toward the destination since the last
transition (from active to passive state)
– The smallest known distance since the last time the router
went to the passive state
• Cost of { AD (RD) + local router to next hop }
EIGRP
• Feasible successor
– Guarantees a loop-free path
– Can be one or more paths
– 2nd best path (backup route, alternate route, not the
least-cost path)
– Kept in the topology table
• show ip eigrp topology
– To see all successors and feasible successors
• show ip eigrp topology all-links
– To see neighbors that do not meet the feasibility
condition
• Successor
– Best path toward the destination
– Loop free
– Kept in the routing table
EIGRP- tables summary
• Neighbor table
– Contains neighbor addresses and the interfaces
through which they can be reached
• Topology table
– Contains all destinations advertised by neighboring
routers
• Routing table
– Contains successor routes
EIGRP
• Configuration
– R1(config)# router eigrp {AS-id}
– R1(config-router)# network {network} [wildcard-mask]
• Mask optional for this class
• Mask is a wildcard mask (inverse of the subnet mask)
• To define bandwidth
– R1(config-if)# bandwidth {kilobits}
• E.g. for 512,000 bps use the bandwidth 512 command
• Used by the routing protocol in metric calculation
• *** does not change the speed of the interface
• Summarization
– R1(config-router)# auto-summary
– Acts like a classful routing protocol
– To disable, use the no auto-summary command
Configuring EIGRP example :
classful
Configuring EIGRP example :
classful
Verifying EIGRP example
Verifying EIGRP example
Verifying EIGRP example
Configuring EIGRP: classless
Verifying EIGRP example
• Verifying classless using sh ip protocols
Verification EIGRP: debug EIGRP
packets
• Verifying using debug dig
EIGRP
• Route summarization
– By default auto-summarizes at the major network boundary
– Due to the preconfigured auto-summary
EIGRP passive-interface
• Prevents EIGRP updates out a specified router
interface
• R1(config-router)# passive-interface {type}
{number}
– Type  serial / fastethernet
– Number  2/0, 0/0 …
• Prevents neighbor relationships on that interface
• Routing updates from a neighbor on it are ignored
• Still allows the subnet on a passive interface to be
announced in EIGRP
Passive-interface example
EIGRP
• Propagating a default route
• A. Use the ip default-network {network-number}
command in global configuration
• B. ip route 0.0.0.0 0.0.0.0 [next-hop | exit-interface]
EIGRP load balance
• On equal metrics: "equal-cost load balancing"
• Default is 4 paths
• Maximum is 16 (maximum-paths option); a value of 1
disables load balancing
• On unequal cost, EIGRP performs load balancing
– Using the variance multiplier
– Default is 1  means equal-cost load balancing only
– >1 allows multiple loop-free routes to be installed
• Variance allows feasible successors, as candidate routes, to
potentially be installed in the routing table
EIGRP load balance on equal cost
EIGRP load balance on unequal cost
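Added Python example, not code from the slides or from Cisco, serving the feasibility-condition slides and the load-balancing slide above: the default-K composite metric (bandwidth and delay only), the feasibility condition that separates successors from feasible successors, and the variance multiplier for unequal-cost load balancing. The topology-table entries and neighbour names are constructed.

```python
from dataclasses import dataclass


def eigrp_metric(min_bw_kbps: int, total_delay_tens_us: int) -> int:
    """Composite metric with the default K-values (K1=K3=1, K2=K4=K5=0):
    256 * (10^7 / lowest bandwidth in kbit/s + sum of delays in tens of microseconds)."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_tens_us)


def path_metric(links):
    """Metric of a path given per-hop (bandwidth_kbps, delay_tens_us) pairs."""
    return eigrp_metric(min(bw for bw, _ in links), sum(d for _, d in links))


@dataclass(frozen=True)
class TopologyEntry:
    """One candidate path to a destination in the EIGRP topology table."""
    neighbor: str
    reported_distance: int   # RD (advertised distance): the neighbour's own metric
    link_metric: int         # cost from this router to that neighbour

    @property
    def total_distance(self) -> int:
        return self.reported_distance + self.link_metric


def dual_select(entries, variance=1):
    """Apply the feasibility condition and variance to topology-table entries.

    FD = lowest total distance; successors are the entries at FD; feasible
    successors are entries with RD strictly below FD (loop-free backups);
    with variance > 1, feasible successors whose total distance is at most
    FD * variance are also installed (unequal-cost load balancing).
    """
    if not entries:
        return {"fd": None, "successors": [], "feasible_successors": [], "installed": []}
    fd = min(e.total_distance for e in entries)
    successors = [e for e in entries if e.total_distance == fd]
    feasible = [e for e in entries
                if e.reported_distance < fd and e.total_distance > fd]
    installed = successors + [e for e in feasible if e.total_distance <= fd * variance]
    return {"fd": fd, "successors": successors,
            "feasible_successors": feasible, "installed": installed}


def sample_entries():
    """Constructed topology-table entries for one destination network."""
    return [
        TopologyEntry("R2", reported_distance=20, link_metric=10),  # total 30 -> successor
        TopologyEntry("R3", reported_distance=25, link_metric=20),  # total 45, RD 25 < 30 -> feasible
        TopologyEntry("R4", reported_distance=35, link_metric=5),   # total 40, RD 35 >= 30 -> rejected
    ]
```

Note that R4 has a better total distance than R3 but is still not a feasible successor: the loop-free guarantee comes from the RD check, not from the total cost.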
• Switch concepts
466
Ethernet
[Figure: Ethernet frame – Destination Address (MAC) | Source Address (MAC) | Type (IP, etc.) | DATA | FCS (error check)]
• Layer 2 – Data Link Layer
• NIC (source MAC address) to NIC (destination MAC
address) communications in the same network
• Source MAC address – address of the sender's NIC
467
Hubs versus Switches
• Ethernet Hubs (almost obsolete)
– Layer 1 device – Examine only the bits.
– Whatever comes in one interface is forwarded out all
other interfaces (except the one it came in on).
– Half-duplex interfaces – Only one device can send or
we have a collision.
 Ethernet Switches
 Layer 2 device – Examine Ethernet frames
 MAC address tables – Filter or flood Ethernet frames
 Flood – Ethernet broadcasts and unknown unicasts
 Unknown unicast is when the destination MAC address is
not in the switch's MAC address table.
 Full-duplex interfaces – Can both send and receive at the
same time – NO collisions.
468
MAC Address Table
[Figure: two switches, each with a MAC address table of Port / Source MAC Address; port 1 has learned 1111]
• Switches bind MAC addresses with switch
ports and store the information in a MAC
address table.
– Also known as a switch table, CAM table, or
bridge table.
• The MAC address table is used to make
forwarding decisions.
469
MAC Address Table – Forwarding Frames
1. Learn – Examine the source MAC address
– In table: reset the 5 min timer
– Not in table: add the source MAC address and port # to the table
2. Forward – Examine the destination MAC address
– In table: forward out that port
– Not in table: flood out all ports except the incoming port
[Figure 470 – Unknown unicast: frame from AAAA (port 1) to BBBB; the table holds only 1 / AAAA, so the frame is flooded out port 2]
[Figure 471 – Unicast: reply from BBBB (port 2) to AAAA; BBBB is learned on port 2 and the frame is forwarded out port 1]
[Figure 472 – Unicast: frame from AAAA to BBBB; both are in the table, so the frame is forwarded out port 2 only]
[Figure 473 – Broadcast: frame from AAAA to FFFF is flooded to the whole broadcast domain]
473
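The learn/forward steps drawn on slides 470-473, as an added Python model that is not the deck's code: a switch that learns source MACs per port, forwards known unicasts, floods unknown unicasts and broadcasts, and ages entries out after the 5-minute timer. The MAC addresses, port numbers and frame sequence are constructed.

```python
from dataclasses import dataclass

AGING_SECONDS = 300                 # the 5 min timer on the slide
BROADCAST_MAC = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Frame:
    dst: str
    src: str
    ingress_port: int


class Switch:
    """Minimal learning switch: ports are integers, MACs are dotted-hex strings."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}             # mac -> (port, last_seen_seconds)

    def _age_out(self, now):
        expired = [m for m, (_, seen) in self.table.items() if now - seen >= AGING_SECONDS]
        for mac in expired:
            del self.table[mac]

    def _flood(self, ingress_port):
        return [p for p in self.ports if p != ingress_port]

    def process(self, frame, now):
        """Handle one frame received at time `now`; returns (decision, egress_ports)."""
        self._age_out(now)
        # 1. Learn: bind the source MAC to the ingress port, or reset its timer.
        self.table[frame.src] = (frame.ingress_port, now)
        # 2. Forward: broadcasts and unknown unicasts are flooded, known unicasts
        #    go out one port, frames for the ingress segment are filtered.
        if frame.dst == BROADCAST_MAC:
            return "broadcast", self._flood(frame.ingress_port)
        entry = self.table.get(frame.dst)
        if entry is None:
            return "unknown-unicast", self._flood(frame.ingress_port)
        port = entry[0]
        if port == frame.ingress_port:
            return "filter", []
        return "unicast", [port]

    def mac_table(self):
        """The table as the slide draws it: {mac: port}."""
        return {mac: port for mac, (port, _) in self.table.items()}


def slide_walkthrough():
    """Replays the four frames on slides 470-473 (a third port is added) plus one after aging."""
    AAAA, BBBB, CCCC = "0000.0000.aaaa", "0000.0000.bbbb", "0000.0000.cccc"
    sw = Switch(ports=[1, 2, 3])
    steps = [
        (Frame(BBBB, AAAA, 1), 0),             # BBBB unknown -> flood
        (Frame(AAAA, BBBB, 2), 1),             # BBBB learned on port 2, AAAA known -> port 1
        (Frame(BBBB, AAAA, 1), 2),             # both known -> port 2 only
        (Frame(BROADCAST_MAC, AAAA, 1), 3),    # broadcast -> flood
        (Frame(BBBB, CCCC, 3), 400),           # AAAA and BBBB aged out -> flood again
    ]
    return [sw.process(f, t) for f, t in steps], sw.mac_table()
```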
Switched Environment
Router/Switch Bootup Process
475
Bootup Process
[Figure: the bootup program loads the IOS (partial, then running); startup-config and running-config]
476
Switch Boot Sequence
S1(config)# boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin
 By default, the boot loader attempts to load and execute the first executable file it can
find by searching the flash file system.
 If there are boot system commands in the startup-config:
a. Run the boot system commands in the order they appear in the startup-config to locate
the IOS
477
Directory Listing in Boot Loader
478
Switch LED Indicators
• Each port on a Cisco Catalyst switch has status LED indicator lights.
– LED lights reflect port activity, but they can also provide other information about the
switch through the Mode button.
• The following modes are available on Catalyst 2960 switches:
1. System LED
2. Redundant Power System (RPS) LED
• If RPS is supported on the switch
3. Port Status LED (default mode)
4. Port Duplex LED
480
Status LEDs (LED is … / Description)
System LED
– Off: System is not powered
– Green: System is operating normally
– Amber: System is receiving power but is not functioning properly
Redundant Power System (RPS) LED
– Off: RPS is off or not properly connected
– Green: RPS is connected and ready to provide back-up
– Blinking Green: RPS is providing power to another device
– Amber: RPS is in standby mode or in a fault condition
– Blinking Amber: Internal power supply has failed, and the RPS is providing power
Port Status LED
– Off: There is no link, or the port was administratively shut down
– Green: A link is present
– Blinking Green: Activity; the port is sending or receiving data
– Alternating Green-Amber: There is a link fault
– Amber: Port is blocked to ensure there is no STP loop
– Blinking Amber: Port is blocked to prevent a possible loop in the forwarding domain
Port Duplex LED
– Off: Port is in half-duplex mode
– Green: Port is in full-duplex mode
Port Speed LED
– Off: Port is operating at 10 Mb/s
– Green: Port is operating at 100 Mb/s
– Blinking Green: Port is operating at 1000 Mb/s
PoE Status LED (if supported)
– Off: PoE is off
– Green: PoE is on
– Alternating Green-Amber: PoE is denied because it would exceed the switch power capacity
– Blinking Amber: PoE is off due to a fault
– Amber: PoE for the port has been disabled
481
Configure Switch Management Interface
S1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
S1#

483
Assign a Default Gateway
[Figure: S1 management address 172.17.99.11 and a host at 172.17.99.100, both using default gateway 172.17.99.1]
S1(config)# ip default-gateway 172.17.99.1
S1(config)# end
S1#
484
Assign a Default Gateway
S1# show ip interface brief
Interface    IP-Address     OK? Method Status  Protocol
Vlan99       172.17.99.11   YES manual up      up
485
Configure Switch Ports
Full-Duplex Communication
• Switch ports by default operate in full
duplex (unless attached to a hub).
• Increases effective bandwidth, allowing
bidirectional forwarding.
487
488
Configure Duplex and Speed
Duplex and speed settings on most
switches are autosensed.
Manual
Switch(config-if)# speed [10 | 100 | 1000 | auto]
Switch(config-if)# duplex [half | full | auto]
490
Real World Troubleshooting – Duplex
Mismatch
[Figure: Internet router; Switch A (Port 8, full duplex) linked to Switch W (Port 1, half duplex), each with three downstream switches. Switch A: "I'm full-duplex so I don't see any collisions." Switch W: "I'm half-duplex and I keep seeing collisions."]
 The problem is that
 Switch A, Port 8 is in full-duplex mode
 Switch W, Port 1 is in half-duplex mode
 Switch A sends whenever it wants to without listening first to see if
Switch W is sending.
491
Real World Troubleshooting – Duplex
Mismatch
[Figure: the same topology with Switch A Port 8 and Switch W Port 1 both in full duplex; full-duplex transmissions in both directions]
 Configure Switch W, Port 1 to be in full duplex, the same as Switch A,
Port 8.
492
Configure Duplex and Speed
• It is best practice to manually set the speed/duplex settings when
connecting to known devices (i.e., servers, dedicated workstations, or
network devices).
S1(config)# interface fastethernet 0/1
S1(config-if)# speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
S1(config-if)# speed 100
S1(config-if)# duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
S1(config-if)# duplex full
S1(config-if)# ^Z
S1#

S2(config)# interface fastethernet 0/1
S2(config-if)# speed 100
S2(config-if)# duplex full
S2(config-if)# ^Z
S2#
494
Auto-MDIX
[Figure: device pairs and the cable each once required – crossover, straight-through, straight-through, crossover]
• Connections between specific devices,
such as switch-to-switch, switch-to-router,
switch-to-host, and router-to-host device,
once required the use of specific cable
types (crossover or straight-through).
• Modern Cisco switches support the mdix
496
Configuring MDIX Setting
• mdix auto interface configuration command
– Requires the commands speed auto and
duplex auto
S1(config)# interface fa0/1
S1(config-if)# speed auto
S1(config-if)# duplex auto
S1(config-if)# mdix auto
S1(config-if)#
497
Verify MDIX Setting
S1# show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX
Auto-MDIX : On [AdminState=1 Flags=0x00056248]
S1#

498
Verifying Switch Port
Configuration
Cisco Switch IOS Commands
S1# show interfaces [interface-id]    Display interface status and configuration.
S1# show startup-config               Display current startup configuration.
S1# show running-config               Display current operating config.
S1# show flash                        Displays info about flash filesystem.
S1# show version                      Displays system hardware & software status.
S1# show history                      Display history of commands entered.
S1# show ip [interface-id]            Display IP information about an interface.
S1# show mac-address-table or
S1# show mac address-table            Display the MAC address table.
499
Troubleshooting Access Layer
Issues
S1# show interfaces fa 0/1
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 000d.bda1.5601 (bia 000d.bda1.5601)
BW 100000 Kbit, DLY 1000 usec,
reliability 250/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
S1#
If the output is:
• up down: Encapsulation type mismatch, the interface on the other end
could be error-disabled, or there could be a hardware problem.
• down down: A cable is not attached or some other interface problem
exists.
• administratively down: The shutdown command has been issued.
500
Troubleshooting Access Layer Issues
(Input counters from the same show interfaces fa 0/1 output shown above.)

Runt frames - Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts.
Giants - Ethernet frames that are longer than the maximum allowed length are called giants. (Bad NIC)
CRC errors - On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error.
Troubleshooting Access Layer Issues
(Output counters from the same show interfaces fa 0/1 output shown above.)

Collisions – Only part of normal operations if the interface is operating in half duplex, i.e. connected to a hub.
Late Collisions – Operating in half duplex with excessive cable length.
Cause – Result of a duplex mismatch:
• One side half duplex
• Other side full duplex
Security Concerns in LANs
Switch Vulnerabilities
• Switches are vulnerable to a variety of attacks including:
– Password attacks
– DoS attacks
– CDP attacks
– MAC address flooding
– DHCP attacks

• To mitigate against these attacks:


– Disable unused ports
– Disable CDP
– Configure Port Security
– Configure DHCP snooping

Disable Unused Ports and
Assign to an Unused (Garbage)
VLAN
S1(config)# interface range fa0/20 - 24
S1(config-if-range)# switchport access vlan 100
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/20, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/21, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/22, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/23, changed state to
administratively down
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state to
administratively down
S1(config-if-range)#

Leveraging the Cisco Discovery Protocol

• The Cisco Discovery Protocol is a Layer 2 Cisco proprietary protocol used to discover other directly connected Cisco devices.
– It is designed to allow the devices to autoconfigure their connections.
• If an attacker is listening to Cisco Discovery Protocol messages, it could learn important information, such as the device model or the running software version.

Leveraging the Cisco Discovery Protocol

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE, RELEASE SOFTWARE (fc1)…

Cisco recommends disabling CDP when it is not in use.
Disabling CDP
S1(config)# no cdp run
S1(config)#

S1(config)# interface range fa0/1 - 24


S1(config-if-range)# no cdp enable
S1(config-if-range)#exit
S1(config)#

Layer 2 Switching
[Packet Tracer topology: network 192.168.1.0 /24; host .10 (000a.f38e.74b3) on F0/1, host .11 (00d0.ba07.8499) on F0/2, host .12 (0090.0c23.ceca) on F0/3, host .13 (0001.9717.22e0) on F0/4]

In this scenario, the switch has just rebooted. Verify the content of the MAC address table.

Sw1# show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
Sw1#
Layer 2 Switching
[Same Packet Tracer topology as above.]

PC-A pings PC-B.

PC-A> ping 192.168.1.11

Pinging 192.168.1.11 with 32 bytes of data:

Reply from 192.168.1.11: bytes=32 time=62ms TTL=128
Reply from 192.168.1.11: bytes=32 time=62ms TTL=128
Reply from 192.168.1.11: bytes=32 time=63ms TTL=128
Reply from 192.168.1.11: bytes=32 time=63ms TTL=128

Ping statistics for 192.168.1.11:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 62ms, Maximum = 63ms, Average = 62ms
PC-A>
Layer 2 Switching
[Same Packet Tracer topology as above.]

Sw1# show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 000a.f38e.74b3 DYNAMIC Fa0/1
1 00d0.ba07.8499 DYNAMIC Fa0/2
Sw1#
Mac Address Table
[Figure: hosts AAAA and BBBB on switch ports 1 and 2; an unknown unicast is flooded]
1. Learn – Examine the source MAC address
– In table: Reset 5 min timer
– Not in table: Add source MAC address and port # to table
2. Forward – Examine the destination MAC address
– In table: Forward out that port.
– Not in table: Flood out all ports except the incoming port (unknown unicast flooding).
MAC Flood Attack
• If the attack is launched before the beginning of
the day, the CAM table would be full as the
majority of devices are powered on.
• If the initial, malicious flood of invalid CAM
table entries is a one-time event:
– Can generate 155,000 MAC entries per
minute
– “Typical” switch can store 4,000 to 8,000
MAC entries
– Eventually, the switch will age out older,
invalid CAM table entries
– New, legitimate devices will be able to
create an entry in the CAM
– Traffic flooding will cease
– Intruder may never be detected (network
seems normal).

Mac Address Table
[Figure: hosts AAAA and BBBB on switch ports 1 and 2; an unknown unicast is flooded when the table is full]
1. Learn – Examine the source MAC address
– In table: Reset 5 min timer
– Not in table: Add source MAC address and port # to table
2. Forward – Examine the destination MAC address
– In table: Forward out that port.
– Not in table or table is full: Flood out all ports except the incoming port (unknown unicast flooding).
Configure Port Security
• Port security allows an administrator to limit the number of MAC addresses learned on a port.
– If this is exceeded, a switch action can be configured.
• Configure each access port to accept 1 MAC address only or a small group of MAC addresses.
– Frames from any other MAC addresses are not forwarded.
– By default, the port will shut down if the wrong device connects.
• It has to be brought up again manually.
Configuring Port Security
• Use the switchport port-security interface
command to enable port security on a port.
Switch(config-if)#
switchport port-security [max value] [violation {protect |
restrict | shutdown}] [mac-address mac-address [sticky]]
[aging time value]
• It is used to:
– Set a maximum number of MAC addresses.
– Define violation actions.
– MAC address(es) can be learned dynamically, entered manually,
or learned and retained dynamically.
– Set the aging time for dynamic and static secure address entries.
• To verify port security status: show port-security

Port Security: Secure MAC Addresses

The switch supports these types of secure MAC addresses:

• Static
– Configured using switchport port-security mac-address mac-address
– Stored in the address table
– Added to the running configuration.
• Dynamic
– These are dynamically configured
– Stored only in the address table
– Removed when the switch restarts
• Sticky
– These are dynamically configured
– Stored in the address table
– Added to the running configuration.
– If the running-config is saved to the startup-config, when the switch restarts the interface does not need to dynamically reconfigure them.
– Note: When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration.
Port Security: Steps

Port Security Defaults
Feature: Default setting
Port Security: Disabled on a port
Maximum # of Secure MAC Addresses: 1
Violation: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.
Sticky Address Learning: Disabled

• Secure MAC addresses can be configured as follows:
– Dynamically (learned but not retained after a reboot)
– Statically (prone to errors)
– Sticky (learned dynamically and retained)
Dynamic Secure MAC address

• Learned dynamically
– S1(config-if)# switchport mode access
– S1(config-if)# switchport port-security
• By default, only 1 address is learned.
– Put in the MAC address table
– Not shown in the running configuration
• It is not saved in the configuration, so it is lost when the switch restarts.
Static Secure MAC address

A static secure MAC address is manually configured in interface config mode:

S1(config-if)# switchport mode access
S1(config-if)# switchport port-security mac-address 000c.7259.0a63
Sticky Secure MAC address

• Dynamically learned and can be retained.
– S1(config-if)# switchport mode access
– S1(config-if)# switchport port-security mac-address sticky
• You can choose how many can be learned (default 1).
• Added to the running configuration
• Saved only if you save the running configuration.
• Note:
– When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
– The interface adds all the sticky secure MAC addresses to the running configuration.
interface FastEthernet0/2
switchport mode access
– Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
switchport port-security
– Enables port security on the interface
switchport port-security maximum 6
– (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.
switchport port-security aging time 5
– Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes.
switchport port-security mac-address 0000.0000.000b
– (Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
switchport port-security mac-address sticky
– (Optional) Enable sticky learning on the interface.
switchport port-security violation shutdown
– (Optional) Set the violation mode, the action to be taken when a security violation is detected. (Next)
NOTE: The switchport host macro disables channeling and enables access mode and PortFast:
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
Port Security: Static Addresses

Switch(config)# interface fa 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address 0000.0000.000a
Switch(config-if)# switchport port-security mac-address 0000.0000.000b
Switch(config-if)# switchport port-security mac-address 0000.0000.000c

• Restricts input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
• The port does not forward packets with source addresses outside the group of defined addresses.
Port Security: Violation
• If a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
Port Security: Violation
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

• By default, if the maximum number of connections is reached and a new MAC address attempts to access the port, the switch must take one of the following actions:
• Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.
• Restrict: Frames from the nonallowed address are dropped, a log message is created and a Simple Network Management Protocol (SNMP) trap is sent.
• Shut down: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent, and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable.
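To tie together the learn/forward logic, the CAM-table capacity limit that MAC flooding exploits, and the three port-security violation modes, here is a constructed Python model of a switch (added for this page; it is not Cisco code, and the Switch class, the tiny table capacity and the sample MAC addresses are assumptions):

```python
"""Constructed model of a switch CAM table with port security (not Cisco code)."""
from collections import OrderedDict


class Switch:
    """Learns source MACs, forwards known unicast, floods unknown unicast."""

    def __init__(self, ports, cam_capacity=8000):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity    # "typical" switch: 4,000 to 8,000 entries
        self.cam = OrderedDict()            # mac -> ingress port, oldest entry first
        self.secure = {}                    # port -> port-security state
        self.log = []                       # syslog-style messages a defender alerts on

    def enable_port_security(self, port, maximum=1, violation="shutdown", static=()):
        """Models: switchport port-security [maximum N] [violation MODE] [mac-address ...]."""
        assert violation in ("protect", "restrict", "shutdown")
        self.secure[port] = {"max": maximum, "violation": violation,
                             "macs": set(static), "errdisabled": False, "violations": 0}

    def _port_security_allows(self, port, src):
        """Apply the secure-MAC limit; return False when the frame must be dropped."""
        state = self.secure.get(port)
        if state is None:
            return True                      # port security not enabled on this port
        if state["errdisabled"]:
            return False                     # stays down until an operator clears it
        if src in state["macs"]:
            return True
        if len(state["macs"]) < state["max"]:
            state["macs"].add(src)           # dynamically learned secure address
            return True
        state["violations"] += 1             # a MAC beyond the maximum: violation
        if state["violation"] == "protect":
            return False                     # dropped silently, nothing to alert on
        if state["violation"] == "restrict":
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src} on {port}")
            return False
        state["errdisabled"] = True          # shutdown mode: err-disable the port
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation on {port}")
        return False

    def _learn(self, port, src):
        if src in self.cam:
            self.cam[src] = port
            self.cam.move_to_end(src)        # refresh the 5 minute aging timer
        elif len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # else: the table is full and the address cannot be learned

    def receive(self, port, src, dst):
        """Process one frame; return the list of egress ports ([] if dropped)."""
        if not self._port_security_allows(port, src):
            return []
        self._learn(port, src)
        out = self.cam.get(dst)
        if out is None:                      # unknown unicast: flood all but ingress
            return [p for p in self.ports if p != port]
        return [] if out == port else [out]


def flooding_after_table_full():
    """Tiny CAM (3 entries) shows why a full table makes unicast visible on every port."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=3)
    sw.receive("Fa0/1", "000a.f38e.74b3", "00d0.ba07.8499")   # flood, learn host .10
    sw.receive("Fa0/2", "00d0.ba07.8499", "000a.f38e.74b3")   # learn host .11
    sw.receive("Fa0/3", "0000.0000.0001", "000a.f38e.74b3")   # table is now full
    sw.receive("Fa0/3", "0000.0000.0002", "000a.f38e.74b3")   # cannot be learned
    # The reply to the unlearned host is flooded, so it leaks onto Fa0/2 as well.
    return sw.receive("Fa0/1", "000a.f38e.74b3", "0000.0000.0002")


def shutdown_violation():
    """Port security max 1 in shutdown mode: the second MAC err-disables the port."""
    sw = Switch(["Fa0/1", "Fa0/2"])
    sw.enable_port_security("Fa0/1", maximum=1, violation="shutdown")
    sw.receive("Fa0/1", "0000.0000.000a", "0000.0000.000b")   # first MAC is secured
    sw.receive("Fa0/1", "0000.0000.00ff", "0000.0000.000b")   # violation
    return sw.secure["Fa0/1"]["errdisabled"], sw.log


if __name__ == "__main__":
    print("flooded to:", flooding_after_table_full())
    print("err-disabled, log:", shutdown_violation())
```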
Configuring the Switch S1
S1# conf t
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)# interface vlan 99
%LINK-5-CHANGED: Interface Vlan99, changed state to up
S1(config-if)# ip address 172.16.99.11 255.255.255.0
S1(config-if)# no shut
S1(config-if)# exit
S1(config)# inter fa0/5
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed
state to up
S1(config-if)# exit
S1(config)# inter fa 0/6
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
S1# copy running-config startup-config
S1#
Managing Switch Configurations
TO CLEAR A SWITCH
 ALWAYS DO THE FOLLOWING TO CLEAR A SWITCH!!

S1# delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

S1# erase startup-config
Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
S1# reload
Proceed with reload? [confirm]
Virtual LANs
Introduction to VLANs
VLANs

VLANs logically segment switched networks based on an organization's functions, project teams, or applications as opposed to a physical or geographical basis.
[Figures: Broadcast Domains; Example with 3 Broadcast Domains, 3 VLANs; Static VLANs; Dynamic VLANs; Port-Centric VLANs]
Benefits of VLANs
• Easily move workstations on the LAN
• Easily add workstations to the LAN
• Easily change the LAN configuration
• Easily control network traffic
• Improve security
VLAN Membership
• Static VLAN configuration
• Dynamic VLAN assignment
Configuring Static VLANs

• VLAN 1 is the default VLAN for every switch port.
• VLANs 1002 to 1005 are legacy (Token Ring and FDDI switching)
• Catalyst switches can also support extended-range VLAN numbers 1006 through 4094; with VTP versions 1 and 2 this requires vtp mode transparent, a limitation that does not apply to VTP version 3.
Configuring Static VLANs
• Switch(config)# vlan vlan-num
• Switch(config-vlan)# name vlan-name
• Switch(config)# vlan 2
• Switch(config-vlan)# name Engineering
• Switch(config-vlan)# vlan 101
• Switch(config-vlan)# name Marketing
• Switch(config)# interface type member/module/number
• Switch(config-if)# switchport
• Switch(config-if)# switchport mode access
• Switch(config-if)# switchport access vlan vlan-num

Dynamic VLANs
• VLAN membership is based on the MAC address of an end-user device.
• A network administrator also must assign the user’s MAC address to a VLAN in the database of a VLAN Membership Policy Server (VMPS).
Deploying VLANs
• The number of VLANs depends on traffic patterns, application types, segmentation, and network-management requirements.
• You should not allow VLANs to extend beyond the Layer 2 domain of a distribution switch.
• VLANs can be scaled in the switch block by using two basic methods:
– End-to-end VLANs
– Local VLANs
• End-to-End VLANs
– following the 80/20 rule
– End-to-end VLANs are not recommended
• Local VLANs
– 20/80 rule
– L3 functionality in distribution and core
VLAN TRUNK
[Figure: SW1, SW2, SW3 and SW4 interconnected by trunk links on FA0/1 and FA0/2]
VLAN Trunks
• VLAN Frame Identification
– ID as the VLAN number or VLAN “unique color”
• Inter-Switch Link (ISL) protocol
• IEEE 802.1Q protocol
Inter-Switch Link Protocol
• Cisco-proprietary
• ISL adds a 26-byte header and a 4-byte trailer to the frame.
• The source VLAN is identified with a 15-bit VLAN ID in the header.
• The trailer contains a cyclic redundancy check (CRC) value to ensure the data integrity.
IEEE 802.1Q Protocol
• Rather than encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame.
• 802.1Q also introduces the “native VLAN” concept.
• 1st field (2 bytes): tag protocol identifier (TPID) …… 0x8100
• 2nd field (2 bytes): Tag Control Information (TCI), whose first bits carry the class of service (CoS)
• The last 12 bits of the TCI are used as the VLAN identifier (VID)
• ISL adds a total of 30 bytes to each frame, whereas 802.1Q adds 4 bytes
Configuring 802.1Q Trunking

Switch(config)#interface fastethernet 5/8


Switch(config-if)#shutdown
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 1,15,11,1002-1005
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport nonegotiate
Switch(config-if)#no shutdown
Verifying 802.1Q Trunking
Switch#show running-config interface {fastethernet |
gigabitethernet} slot/port

Switch#show interfaces [fastethernet | gigabitethernet]


slot/port [ switchport | trunk ]

Switch#show interfaces gigabitEthernet 0/1 switchport


Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

. . .
Problem: A Device Cannot
Establish a Connection Across
a Trunk Link
• Make sure:
– The Layer 2 interface mode configured on
both ends of the link is valid.
– The trunk encapsulation type configured on
both ends of the link is valid.
– The native VLAN is the same on both ends of
the trunk (802.1Q trunks).
Native VLANs

• A trunk port tags frames with a VLAN ID
• But what happens if a trunk port receives an untagged frame?
• The native VLAN determines the VLAN that untagged traffic belongs to
• By default on all trunking ports, the native VLAN is VLAN 1
• The native VLAN can be changed on a per trunk port basis:
Switch(config)# interface gi2/24
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 42
• Only one native VLAN can be assigned to a trunk port
• Native VLANs are only supported on 802.1Q trunk ports.
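The 802.1Q tag layout (TPID 0x8100, TCI with CoS bits and a 12-bit VID) and the native-VLAN rule for untagged frames, as a constructed Python parser and tagger added for this page (not Cisco code; the sample frame, the helper names and the trunk_egress/trunk_ingress model of a trunk port are assumptions). It also shows the troubleshooting point from the trunk section: a native-VLAN mismatch silently moves traffic into the wrong VLAN.

```python
"""Constructed 802.1Q tag parser/inserter with native-VLAN handling (not Cisco code)."""
import struct

TPID_8021Q = 0x8100        # tag protocol identifier, first 2 bytes of the tag
VID_PRIORITY_TAGGED = 0    # VID 0: tag carries only a priority; frame belongs to the native VLAN
VID_RESERVED = 0xFFF       # VID 4095 is reserved and must not appear


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"          # Cisco dotted notation


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Decode the Ethernet header and an optional 802.1Q tag.

    Untagged (and priority-tagged) frames are assigned to native_vlan, which is
    exactly the rule a trunk port applies to untagged traffic.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "tagged": False,
            "vlan": native_vlan, "pcp": 0}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF                         # last 12 bits: VLAN identifier
        if vid == VID_RESERVED:
            raise ValueError("reserved VID 4095")
        info.update(tagged=True, pcp=tci >> 13,    # first 3 bits: class of service
                    vlan=native_vlan if vid == VID_PRIORITY_TAGGED else vid)
        payload = frame[18:]
    else:
        payload = frame[14:]
    info["ethertype"] = ethertype
    info["payload"] = payload
    return info


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the source MAC (the FCS is not modelled)."""
    if not 0 <= vid < VID_RESERVED or not 0 <= pcp <= 7:
        raise ValueError("invalid VID or PCP")
    tci = (pcp << 13) | vid                        # DEI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag (bytes 12..15), returning the untagged frame."""
    return frame[:12] + frame[16:] if parse_frame(frame)["tagged"] else frame


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """A trunk sends its native VLAN untagged and tags every other VLAN."""
    return frame if vlan == native_vlan else tag_frame(strip_tag(frame), vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """The VLAN a trunk port assigns to a received frame."""
    return parse_frame(frame, native_vlan)["vlan"]


# Constructed sample frame: host .10 -> host .11 of the Packet Tracer topology, IPv4 ethertype
SAMPLE_FRAME = (bytes.fromhex("00d0ba078499") + bytes.fromhex("000af38e74b3")
                + b"\x08\x00" + b"constructed payload")


def native_vlan_mismatch(vlan: int, native_a: int, native_b: int) -> int:
    """VLAN in which a frame sent on `vlan` by trunk A (native native_a) lands at trunk B."""
    return trunk_ingress(trunk_egress(SAMPLE_FRAME, vlan, native_a), native_b)


if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, 42, pcp=5)
    print(parse_frame(tagged))
    print("VLAN 42 across natives 42/1 lands in VLAN", native_vlan_mismatch(42, 42, 1))
```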
Summary
– A trunk is a Layer 2 point-to-point link between networking
devices capable of Layer 2 operations. Trunks carry the
traffic of multiple VLANs or multiple networks over a single
physical link.
– ISL is a Cisco proprietary protocol for interconnecting
Layer 2-capable devices. The 802.1Q protocol is an open
standard protocol used to interconnect multiple Layer 2-
capable devices.
– 802.1Q trunks define a native VLAN for frames that are not
tagged by default.
– ISL VLAN numbers are in the range 1 to 1001, while
802.1Q VLAN numbers are in the range 0 to 4094.
Summary (Cont.)
– 802.1Q tunneling allows service providers to transport
VLANs within VLANs, preserving individual customer’s
VLAN assignments without requiring them to be unique.
– Switch ports are configured for ISL trunking using Cisco
IOS commands.
– Switch ports are configured for 802.1Q trunking using
Cisco IOS commands.
– If a problem exists with a trunking link, make sure that the
interface modes, encapsulation types, and native VLANs
are correct on both sides of the link.
Voice VLANs
• The voice packets must be carried over a unique voice VLAN (known as the voice VLAN ID or VVID) or over the regular data VLAN (known as the native VLAN or the port VLAN ID, PVID)
Medium-Sized Switched Network Construction
Routing Between VLANs
VLAN-to-VLAN Overview
 Network layer devices combine multiple broadcast domains.

Dividing a Physical Interface into Subinterfaces
 Physical interfaces can be divided into multiple subinterfaces.

Routing Between VLANs with 802.1Q Trunks

interface fastethernet 0/0
ip address 10.1.1.1 255.255.255.0
interface fastethernet 0/0.2
encapsulation dot1q 2
ip address 10.2.2.1 255.255.255.0
Summary
– Inter-VLAN routing using a router on a stick
utilizes an external router to pass traffic
between VLANs.
– A router on a stick is configured with a
subinterface for each VLAN and 802.1Q trunk
encapsulation.
VLAN Trunking Protocol (VTP)

• Cisco-proprietary protocol
• Automates the propagation of VLAN information between switches via
trunk links.
• Minimizes misconfigurations and configuration inconsistencies.
• VTP domains define sets of interconnected switches sharing the same
VTP configuration.
VTP Modes
Mode: Description
Client
• Cannot create, change, or delete VLANs on the command-line interface (CLI).
• Forwards advertisements to other switches.
• Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
• Does not save VLAN configuration in nonvolatile RAM (NVRAM).
Server
• Can create, modify, and delete VLANs.
• Sends and forwards advertisements to other switches.
• Synchronizes VLAN configuration with the latest information received from other switches in the management domain.
• Saves VLAN configuration in NVRAM.
Transparent
• Can create, modify, and delete VLANs only on the local switch.
• Forwards VTP advertisements received from other switches in the same management domain.
• Does not synchronize its VLAN configuration with information received from other switches in the management domain.
• Saves VLAN configuration in NVRAM.
VTP
1. VTP adds / modifies / deletes vlans.
2. For every change the revision number will
increase.
3. The latest advertisement will be sent to all
VTP clients.
4. VTP clients will synchronize themselves
with the latest information.
• VTP Operating mode: the default is VTP server
VTP Versions

• Three VTP versions: V1, V2, V3.


• Versions are not interoperable
– V2 supports token ring VLANs but V1 does
not
Note
• VTP server is also a VTP Client and any
VTP client will synchronize itself with the
highest revision number.

Danger of VTP

1. You take the VTP client switch out of the network.
2. You configure it so it’s no longer a VTP Client but a VTP server.
3. You play around with VTP, create some vlans, and modify some.
4. Every time you make a change the revision number increases.
5. You are done playing…you delete all vlans.
6. You configure the switch from VTP Server to VTP Client.
7. You connect your switch to your production network.

POOF all your vlans are gone !!!!!
STP- short notes
• developed to prevent the broadcast storms caused by switching loops
• STP will build a map or topology of the entire switching network
• disable or block as many ports as necessary to eliminate all loops in the topology
• A blocked port can be reactivated if another port goes down
• STP maintains redundancy and fault-tolerance
• switches exchange Bridge Protocol Data Units (BPDUs) to build the topology database
BPDU
• forwarded out all ports every two seconds,
• to a dedicated MAC multicast address of
0180.c200.0000
•Building the STP topology is a multistep
Convergence process:
•A Root Bridge is elected
•Root ports are identified
•Designated ports are identified
•Ports are placed in a blocking state as required,
to eliminate loops
Root Bridge
• Root switch: serves as the central reference point for the STP topology
• STP is enabled by default
• Electing an STP Root Bridge
– based on its Bridge ID
– 16-bit Bridge priority
– 48-bit MAC address
– default priority is 32,768
– lowest priority wins
• By default, a switch will always believe it is the Root Bridge (until it hears a superior BPDU)
• When a switch with a lower Bridge ID is added to the topology, it will be elected
• The lowest Bridge ID is always used to determine the Root Bridge.
Identifying Root Ports
•lowest root path cost to get to the Root Bridge
•switch can only have one root port
•Root Bridge cannot have a root port
•Path cost is a cumulative cost to the Root Bridge
Bandwidth Cost
4 Mbps 250
10 Mbps 100
16 Mbps 62
45 Mbps 39
100 Mbps 19
155 Mbps 14
1 Gbps 4
10 Gbps 2
Root port
• The Root Bridge will advertise BPDUs with a path cost of 0
• When downstream switches receive these BPDUs, they add the path cost of the receiving port
• Path cost can be artificially adjusted:
SwitchD(config)# int gi2/22
SwitchD(config-if)# spanning-tree vlan 101 cost 42
Identifying Designated Ports
• A single designated port is identified for each network segment
• It is responsible for forwarding BPDUs and frames to that segment
• If two ports are eligible to become the designated port, then there is a loop
Identifying Designated Ports
• determined by the lowest cumulative path cost leading to the Root Bridge
• A designated port will never be placed in a blocking state, unless there is a change to the switching topology and a more preferred designated port is elected

• Note: A port can never be both a designated port and a root port.
notes
• Ports on the Root Bridge are never placed in a blocking state
• every network segment must have one designated port
• the switch with the lowest cumulative path cost will have its port become designated
• the switch with the highest path cost will have its port blocked
• if there is a tie in cumulative path cost, the lowest Bridge ID is used as the tiebreaker
• Any port not elected as a root or designated port will be placed in a blocking state
Port ID
• Port ID is used as the final tiebreaker:
– 4-bit port priority (default is 128)
– 12-bit port number, derived from the physical port number
• lower priority is preferred
• the sender's port ID determines the tie break
• To change the port priority:
Switch(config)# int gi2/11
Switch(config-if)# spanning-tree vlan 101 port-priority 32
Note: Some reference material may state that the Port ID is comprised of an 8-bit priority and 8-bit port number. This was accurate in the original 802.1D specification.
Port ID
• STP determines root and designated ports using:
– Lowest path cost to the Root Bridge
– Lowest bridge ID
– Lowest sender port ID
Port ID
•some whitepapers on Cisco’s website will
define the Port ID as a combination of port
priority and MAC address, instead of port
number. This is not accurate in modern STP
implementations
•Remember: Port ID is the last tiebreaker STP
will consider
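To make the election and tiebreak rules above concrete, here is a constructed Python computation of STP port roles for a small four-switch topology (added for this page, not Cisco code; the path-cost table is the one given above, while the topology, the MAC addresses and the derivation of the port number from the interface name are assumptions). It generalizes the page's rules to any topology given as a list of links.

```python
"""Constructed offline STP role computation (not Cisco code): root bridge, root ports
and designated ports, using the page's path-cost table and tiebreak order:
lowest root path cost, lowest bridge ID, lowest sender port ID."""
import heapq
from collections import defaultdict, namedtuple

PATH_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14, 1000: 4, 10000: 2}
DEFAULT_PRIORITY = 32768
DEFAULT_PORT_PRIORITY = 128

# One segment between two switches: (switch, port) at each end and the link speed in Mbps
Link = namedtuple("Link", "a port_a b port_b mbps")


def port_id(port_name, priority=DEFAULT_PORT_PRIORITY):
    """Port ID = (port priority, port number); the number is taken from the
    interface name (assumption: 'Fa0/3' -> 3)."""
    return (priority, int(port_name.rsplit("/", 1)[1]))


def root_path_costs(root, adj):
    """Dijkstra from the root: cost of the best path from every switch to the root."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > dist[sw]:
            continue
        for nbr, _own_port, _nbr_port, cost in adj[sw]:
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def compute_stp(bridges, links):
    """bridges: name -> (priority, mac). Returns the root, root path costs and port roles."""
    root = min(bridges, key=bridges.get)           # lowest Bridge ID (priority, mac) wins
    adj = defaultdict(list)                        # sw -> (nbr, own port, nbr port, cost)
    for l in links:
        adj[l.a].append((l.b, l.port_a, l.port_b, PATH_COST[l.mbps]))
        adj[l.b].append((l.a, l.port_b, l.port_a, PATH_COST[l.mbps]))
    cost = root_path_costs(root, adj)
    roles = {}
    # Root port: the port receiving the best BPDU, i.e. the lowest
    # (neighbour's root cost + own port cost, neighbour bridge ID, neighbour port ID)
    for sw in bridges:
        if sw == root:
            continue                               # the Root Bridge has no root port
        best = min(adj[sw], key=lambda e: (cost[e[0]] + e[3], bridges[e[0]], port_id(e[2])))
        roles[(sw, best[1])] = "root"
    # Designated port: on each segment, the end advertising the better BPDU;
    # the other end, unless it is a root port, is blocked
    for l in links:
        ends = [(cost[l.a], bridges[l.a], port_id(l.port_a), l.a, l.port_a),
                (cost[l.b], bridges[l.b], port_id(l.port_b), l.b, l.port_b)]
        _, _, _, sw, port = min(ends)
        roles.setdefault((sw, port), "designated")
        for _, _, _, other_sw, other_port in ends:
            roles.setdefault((other_sw, other_port), "blocking")
    return {"root": root, "cost": cost, "roles": roles}


# Constructed four-switch square: all links FastEthernet, all default priorities
BRIDGES = {"SW1": (DEFAULT_PRIORITY, "0000.0000.1111"),
           "SW2": (DEFAULT_PRIORITY, "0000.0000.2222"),
           "SW3": (DEFAULT_PRIORITY, "0000.0000.3333"),
           "SW4": (DEFAULT_PRIORITY, "0000.0000.4444")}
LINKS = [Link("SW1", "Fa0/1", "SW2", "Fa0/1", 100),
         Link("SW1", "Fa0/2", "SW3", "Fa0/1", 100),
         Link("SW2", "Fa0/2", "SW4", "Fa0/1", 100),
         Link("SW3", "Fa0/2", "SW4", "Fa0/2", 100)]


def with_root_primary(bridges, switch):
    """Model of 'spanning-tree vlan N root primary': priority lowered to 24,576."""
    changed = dict(bridges)
    changed[switch] = (24576, bridges[switch][1])
    return changed


if __name__ == "__main__":
    result = compute_stp(BRIDGES, LINKS)
    print("root:", result["root"])
    for (sw, port), role in sorted(result["roles"].items()):
        print(f"{sw} {port}: {role} (root path cost {result['cost'][sw]})")
```

SW4 reaches the root at cost 38 through either neighbour; the bridge-ID tiebreak picks SW2, so SW4's port towards SW3 is the single blocked port in the square.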
Versions of STP
A. Common Spanning Tree (CST)
•utilizes a single STP instance for all VLANs,
•sent over the native VLAN
•on a trunk port, and thus are untagged
B. Per-VLAN Spanning Tree (PVST)
•employs a separate STP instance for each
VLAN,
•PVST and CST are not compatible.
C. Per-VLAN Spanning Tree Plus (PVST+)
•compatible with both CST and PVST,
•default mode on many Cisco platforms
Modern extensions of STP
D. Rapid Spanning Tree Protocol (RSTP)
•does not need a listening state ( more ….coming)
•Switches no longer require artificial forward delay
timers
•switches will handshake directly with their
neighbors, allowing the topology to be quickly
synchronized

E. Multiple Spanning Tree (MST)


•defined in IEEE 802.1s, allows a group of VLANs to
be mapped to an STP instance
• each instance builds its own RSTP topology
database
•separates the STP topology into regions
Basic STP Configuration
• STP is enabled by default on all Cisco switches.
• STP can be disabled:
Switch(config)# no spanning-tree vlan 101
• A range of VLANs can be specified:
Switch(config)# no spanning-tree vlan 1-4094
• STP can also be disabled on a per-port basis, for a specific VLAN:
Switch(config)# interface gi2/23
Switch(config-if)# no spanning-tree vlan 101
Basic STP Configuration
• Priority can be configured on a per-VLAN basis:
SwitchA(config)# spanning-tree vlan 101 priority 8192
• To force a switch to become the Root Bridge:
SwitchA(config)# spanning-tree vlan 101 root primary
• The root primary parameter automatically lowers the priority to 24,576.
• STP does not technically support a backup Root Bridge
• The root secondary command can increase the likelihood that a specified switch will succeed as the new Root Bridge in the event of a failure:
SwitchB(config)# spanning-tree vlan 101 root secondary
• The root secondary parameter in the above command automatically lowers the switch’s priority to 28,672.
STP Port States
• Blocking:
– will not forward frames or learn MAC addresses.
– will still listen for BPDUs from other switches, to learn about changes to the switching topology.
• Listening:
– will not forward frames or learn MAC addresses.
– if not elected as a root or a designated port, it will transition back to a blocking state
• Learning:
– the port will begin to add MAC addresses to the CAM table
• Forwarding:
– is fully functional
– Root and designated ports will eventually transition to a forwarding state
• Disabled:
– has been administratively shutdown.
– A disabled port does not forward frames or participate in STP convergence
Basic STP Configuration
•To view the current state of a port:

STP Timers
• Hello timer: BPDUs are sent every 2 seconds.
• Forward delay timer: by default, the forward delay is 15 seconds.
• Max age timer: by default, the max age timer is 20 seconds.
• Timers must be changed on the Root Bridge. The Root Bridge will propagate the new timer values to all switches using BPDUs.
Basic STP Configuration
• To manually adjust the three STP timers for a specific VLAN:
Switch(config)# spanning-tree vlan 101 hello-time 10
Switch(config)# spanning-tree vlan 101 forward-time 20
Switch(config)# spanning-tree vlan 101 max-age 40
note

Note: PortFast does not disable STP on a port - it merely accelerates STP convergence. PortFast eliminates this unnecessary BPDU traffic and frame flooding.
• PortFast is disabled by default.
• To enable PortFast on a switch port:
SwitchD(config)# int gi1/14
SwitchD(config-if)# spanning-tree portfast
• PortFast can also be globally enabled for all interfaces:
SwitchD(config)# spanning-tree portfast default
Rapid Spanning Tree Protocol
(RSTP)
• RSTP is similar in many respects to STP:
– BPDUs are forwarded between switches
– A Root Bridge is elected, based on the lowest Bridge ID.
– Root and designated ports are elected and function identically to
STP.
• RSTP defines four port roles:
– Root Port – Port on each switch that has the best path cost to the RootBridge. A
switch can only have one root port.
– Alternate Port – Backup root port that has a less desirable path cost.
– Designated Port – Non-root port that represents the best path cost for each network
segment to the Root Bridge.
– Backup Port – Backup designated port that has a less desirable path cost.
• 802.1D STP supported five port states, while RSTP supports three:
– Discarding
– Learning
– Forwarding
RSTP vs STP

EtherChannel
[Figure: Campus Core, Distribution Layer Switches, Access Layer Switches]

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 594
“EtherChannel simplifies design and improves operation when multiple physical interfaces are needed to interconnect switches”.
Spanning-tree operation
• With two redundant links, spanning-tree will block on one port to prevent loops.
• EtherChannel allows spanning-tree to treat the two physical links as one logical port, and thus both ports can operate in full forwarding mode.
EtherChannel operation
• If a physical link in the group goes down, the EtherChannel only loses the bandwidth that link supplied. If the physical link comes back up, it is dynamically added back into the EtherChannel.
• Spanning-tree treats the EtherChannel bundle as a single logical switchport and adjusts the spanning-tree cost to reflect the increased bandwidth.
• The EtherChannel may or may not be configured to trunk, depending on the needed design.
EtherChannel terminology
• We aggregate multiple physical Ethernet ports together using a channel-group command. A single logical interface is created, called a port-channel.
• On the Cisco Catalyst switches we can aggregate up to eight 10/100 ports together, creating a port-channel with 800 Mbps bandwidth (literature may indicate 1600 Mbps as the bundle has full-duplex operation).
• If available, we can aggregate up to eight gigabit ports.
• All ports in a bundle must have identical operational status and configuration.
EtherChannel load-balancing
• EtherChannel load-shares (load balances) across all the physical ports in the EtherChannel group.
• The default method of load sharing uses the source MAC in frames. Frames from different sources are sent out different ports, but all frames from one source will be sent out the same port. We can change the default load-balancing via the global command port-channel load-balance [dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac].
Channeling protocols
• Catalyst switches can leverage a protocol to dynamically establish and maintain the EtherChannel bundle.
• The channel-group mode command allows you to decide if the EtherChannel group uses Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), or simply forces the interface to channel without PAgP or LACP.
• Forcing interfaces to channel may create problems if any interfaces have dissimilar configurations.
Port Aggregation Protocol
• PAgP allows the switches to learn the capabilities of each interface assigned to an EtherChannel bundle and reliably activates interfaces of similar configuration to form a port-channel.
• PAgP transmits and receives messages on all interfaces in the EtherChannel bundle and restricts the PAgP traffic to the native VLAN if the ports are in trunking mode.
• LACP is similar in operation to PAgP and is standards-based, while PAgP is Cisco proprietary.
Spanning-tree Costs
• Spanning-tree reflects the increased bandwidth provided by EtherChannel.
• The default cost for a 100 Mbps link is 19; if a port-channel is created that has only two 100 Mbps links, the spanning-tree cost will be 9.
• A port-channel with six or more 100 Mbps physical ports will have an STP cost of 5.
• STP costs for port-channels vary according to how many ports are assigned to the bundle, not how many are active within the bundle.
EtherChannel configuration
Switch(config)# interface range fa0/1 - 4 {we can use the range or a single interface}
Switch(config-if-range)# channel-group [1 - 6] mode [auto | desirable | on | active | passive]
The number of channel groups is platform dependent.
Auto and desirable modes activate PAgP.
Active and passive modes activate LACP.
Mode on forces the interface to channel without PAgP or LACP.
EtherChannel verification
If we wish to view the operation we use the term “etherchannel”.
Switch# show interface etherchannel
Switch# show etherchannel [summary | load-balance | port-channel]
The following slides provide insight into an EtherChannel setup between two switches.
Switch0# show etherchannel
Channel-group listing:
----------------------
Group: 1
----------
Group state = L2
Ports: 2 Maxports = 8
Port-channels: 1 Max Portchannels = 1
Protocol: PAGP
Switch0# show etherchannel summary
Flags: D - down        P - in port-channel
       I - stand-alone s - suspended
       H - Hot-standby (LACP only)
       R - Layer3      S - Layer2
       U - in use      f - failed to allocate aggregator
       u - unsuitable for bundling
       w - waiting to be aggregated
       d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol  Ports
1      Po1(SU)       PAgP      Fa0/1(P)  Fa0/2(P)
Switch0# show etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source MAC address
Switch0# show etherchannel port-channel
Port-channel: Po1
------------
Age of the Port-channel = 00d:01h:22m:29s
Logical slot/port = 2/1 Number of ports = 2
GC = 0x00000000 HotStandBy port = null
Port state = Port-channel
Protocol = PAGP
Port Security = Disabled

Ports in the Port-channel:

Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Fa0/2 Desirable-Sl 0
0 00 Fa0/1 Desirable-Sl 0
Time since last port bundled: 00d:00h:37m:14s Fa0/1
EtherChannel verification continued
The previous slide provided the output from the show etherchannel port-channel command. PAgP messages are carried on Fa0/1 – hence the highlight on that port.
Another command with considerable output is:
Switch# show interface etherchannel
All of these commands are useful to troubleshoot EtherChannel operation. When troubleshooting, always begin by verifying that the physical ports all have the same operational parameters, and do this at both ends of the EtherChannel. Next, verify the channel-group settings, again at both ends of the EtherChannel. Do not make assumptions – verify and test.
Are you tired . . .? frustrated . . .? confused . . .?
’Cause your @#$!% PASSWORD won’t work!#&
Password recovery for a router
No problem, I’ve got just the key!
Given that you’re already consoled in to the offending router, manually flip the router switch off and then on again.
As soon as you turn the router back on, you will see text scrolling by indicating that the router is rebooting. Within 60 seconds of re-powering the router, press Ctrl + Break. (Keyboards will vary; the Break key is often shared with Pause.)
At the ROMMON prompt this drops you into, set the configuration register so that the router ignores NVRAM on the next boot (confreg 0x2142) and restart the router (reset).
As the router is rebooting, it will discover that it cannot find its configuration files (because you tricked it) and it will ask you if you would like to enter setup mode. Type n for “no” and press Enter.
Following reboot, you will see a generic prompt. Type enable to enter privileged mode. Notice that you didn’t need a password, because the router is not utilizing the contents of NVRAM where that password is stored.
Once you have entered privileged mode, you have successfully overcome your initial problem -- remember?
Your @#$!% PASSWORD wouldn’t work!#&(*!!!
Now we must get the router back to the way it was before you broke into it!
At the privileged prompt, type copy start run.
copy start run moves the contents of NVRAM (your startup-configuration) into RAM, your running-configuration.
Now that we’re back where we want to be, let’s change the passwords back to the way they should be.
Enter global configuration mode: config t
Change your secret password: enable secret *****
Enter line configuration mode for the console: line con 0
Reconfigure the console password: password *****
Require a login on the console: login
Return to global configuration mode: exit
Enter follows each of these commands.
We’re almost done! Now we must go back and undo what we’ve done to the config-register.
Right now you have your router set so that it boots with a config-register of 0x2142. This needs to be changed to 0x2102 so that your router will load its configuration from NVRAM when it boots.
Return to global configuration mode.
SuperRouter(config-line)#exit
SuperRouter(config)#
Change the config-register back by entering config-register 0x2102, and then verify that the change has been made with show ver.
SuperRouter(config)#config-register 0x2102
SuperRouter(config)# do show ver
Configuration register is 0x2142 (will be 0x2102 at next reboot)
You made it! Now all you need to do is copy your present configuration back into your NVRAM so that when you re-boot your router, you won’t have any more password woes.
SuperRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
That’s all you do!
Within 60 seconds of re-booting the router, <Ctrl-Break>
Set up a register entry to ignore NVRAM, <confreg 0x2142>
Restart the router, <reset>
Bypass the configuration utility, <n> or <Ctrl-C>
Enter privileged mode, <enable>
Copy NVRAM to RAM, <copy start run>
Enter global configuration mode, <config t>
Change secret password, <enable secret *****>
Change console password, <line con 0>, <password *****>, <login>
Return to global configuration mode, <exit> or <Ctrl-Z>
Reset register entry, <config-register 0x2102>
Verify changes, <show ver>
Copy RAM to NVRAM, <copy run start>
Be saved!
Access Control Lists
What Are ACLs?
– An ACL is a list of instructions that tells a router what type of
packets to permit or deny.
• You must configure an ACL before a router will deny
packets. Otherwise, the router will accept and forward all
packets as long as the link is up.
• You can permit or deny packets based upon such things as:
– Source address
– Destination address
– Upper Layer protocols (e.g. TCP & UDP port numbers)
• ACLs can be written for all supported routed protocols.
However, each routed protocol configured on an interface
would need a different ACL to filter traffic.
Testing Packets with ACLs
– To determine whether a packet is to be permitted or denied, it is
tested against the ACL statements in sequential order.
• When a statement “matches,” no more statements are
evaluated. The packet is either permitted or denied.
– There is an implicit “deny any” statement at the end of the ACL
• If a packet does not match any of the statements in the ACL, it
is dropped.
– ACLs are created in real-time. This means you cannot return
later and update an ACL. It must be completely rewritten.
• It is a good idea to use a text editor to write an ACL instead of
configuring it directly on the router. That way, changes and
corrections can be made before you “Paste to Host” in
HyperTerm.
How a Router Uses an ACL (outbound)
– Check to see if the packet is routable. If so, look up the route in the routing table.
– Check for an ACL on the outbound interface.
– If there is no ACL, switch the packet out the destination interface.
– If there is an ACL, check the packet against the ACL statements sequentially, denying or permitting based on a matched condition.
– If no statement matches, what happens?
Outbound Standard ACL Process
Flowchart of the process:
1. Outgoing packet: do the route table lookup.
2. Is there an ACL on the outgoing interface? No: forward the packet. Yes: continue.
3. Does the source address match the current entry? Yes: apply the condition (Permit: forward the packet; Deny: send an ICMP message). No: are there more entries? Yes: test the next entry in the list. No: the packet is denied (implicit deny any).
Two Basic Tasks (Standard ACL)
• Write the ACL statements sequentially in global configuration mode.
Router(config)#access-list access-list-number {permit/deny} {test-conditions}
Lab-D(config)#access-list 1 deny 192.5.5.10 0.0.0.0
• Group the ACL to one or more interfaces in interface configuration mode.
Router(config-if)#{protocol} access-group access-list-number {in/out}
Lab-D(config-if)#ip access-group 1 out
The access-list-number parameter
– ACLs come in many types. The access-list-number specifies what type.
– The table below shows common access list types.
ACL Type        ACL Number
IP Standard     1 to 99
IP Extended     100 to 199
AppleTalk       600 to 699
IPX Standard    800 to 899
IPX Extended    900 to 999
IPX SAP         1000 to 1099
Router(config)#access-list access-list-number {permit/deny}{test-conditions}
The permit/deny parameter
– After you’ve typed access-list and chosen the correct access-list-number, you type either permit or deny depending on the action you wish to take.
Permit: forward the packet. Deny: send an ICMP message.
Router(config)#access-list access-list-number {permit/deny}{test-conditions}
The {test-conditions} parameter
– In the {test-conditions} portion of the ACL, you will specify various parameters depending on the type of access list.
– Common to most access lists is the source address’ ip mask and wildcard mask.
– The source address can be a subnet, a range of addresses, or a single host. It is also referred to as the ip mask because the wildcard mask uses the source address to check bits.
– The wildcard mask tells the router what bits to check. We will spend some time now learning its function.
Lab-A(config)#access-list 1 deny 192.5.5.10 0.0.0.0
(192.5.5.10 is the ip mask; 0.0.0.0 is the wildcard mask)
Router(config)#access-list access-list-number {permit/deny}{test-conditions}
The Wildcard Mask
– A wildcard mask is written to tell the router what bits in the address to match and what bits to ignore.
– A “0” bit means check this bit position. A “1” bit means ignore this bit position. This is completely different from the ANDing process we studied in Semester 1.
– Our previous example of 192.5.5.10 0.0.0.0 can be rewritten in binary as:
11000000.00000101.00000101.00001010 (Source address)
00000000.00000000.00000000.00000000 (Wildcard mask)
– What do all the bits turned off in the wildcard mask tell the router?
The Wildcard Mask
– This table from the curriculum may help:
Masking Practice
– Write an ip mask and wildcard mask to check for all hosts in the
subnet: 192.5.5.32 255.255.255.224
• If you answered 192.5.5.32 0.0.0.31 YOU’RE RIGHT!!
• 0.0.0.31 is the mirror image of 255.255.255.224
• Let’s look at both in binary:
– 11111111.11111111.11111111.11100000
(255.255.255.224)
– 00000000.00000000.00000000.00011111 (0.0.0.31)
• To prove this wildcard mask will work, let’s look at a host
address within the .32 subnet--192.5.5.55
– 11000000.00000101.00000101.00110111 (192.5.5.55)
host address
– 11000000.00000101.00000101.00100000 (192.5.5.32) ip
mask
– 00000000.00000000.00000000.00011111 (0.0.0.31)
wildcard mask
Masking Practice
– Notice in the previous example (repeated below), some bits were colored blue on the slide. These are the first 27 bits, the positions where the wildcard mask is 0, and they are the bits that must match.
– 11000000.00000101.00000101.00110111 (192.5.5.55)
host address
– 11000000.00000101.00000101.00100000 (192.5.5.32) ip
mask
– 00000000.00000000.00000000.00011111 (0.0.0.31)
wildcard mask
• Remember: a “0” bit in the wildcard mask means check the
bit; a “1” bit in the wildcard mask means ignore.
• The “0”s must match between the address of the packet
(192.5.5.55) being filtered and the ip mask configured in the
access list (192.5.5.32)
– Write an ip mask and wildcard mask for the subnet 192.5.5.64
with a subnet mask of 255.255.255.192?
• Answer: 192.5.5.64 0.0.0.63
Masking Practice
– Write an ip mask and wildcard mask for the subnet
172.16.128.0 with a subnet mask of 255.255.128.0?
• Answer: 172.16.128.0 0.0.127.255
– Write an ip mask and wildcard mask for the subnet
172.16.16.0 with a subnet mask of 255.255.252.0?
• Answer: 172.16.16.0 0.0.3.255
– Write an ip mask and wildcard mask for the subnet 10.0.8.0
with a subnet mask of 255.255.248.0?
• Answer: 10.0.8.0 0.0.7.255
– By now, you should have the hang of ip mask and wildcard
masks when dealing with a subnet. If not, go back & review.
Time Savers: the any command
– Since ACLs have an implicit “deny any” statement at the
end, you must write statements to permit others through.
– Using our previous example, if the students are denied
access and all others are allowed, you would write two
statements:
• Lab-A(config)#access-list 1 deny
192.5.5.0 0.0.0.127
• Lab-A(config)#access-list 1 permit
0.0.0.0 255.255.255.255
– Since the last statement is commonly used to override the
“deny any,” Cisco gives you an option--the any command:
• Lab-A(config)#access-list 1 permit any
Time Savers: the host command
– Many times, a network administrator will need
to write an ACL to permit a particular host (or
deny a host). The statement can be written in
two ways. Either...
• Lab-A(config)#access-list 1 permit
192.5.5.10 0.0.0.0
– or...
• Lab-A(config)#access-list 1 permit
host 192.5.5.10
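The wildcard-mask arithmetic and the sequential, first-match test described above, worked through as an added Python example (this is not code from the original slides): wildcard_from_mask derives the mirror-image wildcard from a subnet mask, wildcard_match applies the "0 means check this bit" rule, and evaluate_standard_acl walks the access-list statements in order, handling the host and any forms and falling through to the implicit deny. The function names and the STUDENT_ACL sample list are ours; the addresses are the ones used on the slides.

```python
"""Standard ACL evaluation with wildcard masks (added example, not from the slides)."""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer -> dotted-decimal IPv4 string."""
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inverse ("mirror image") of the subnet mask."""
    return to_dotted(to_int(subnet_mask) ^ 0xFFFFFFFF)


def wildcard_match(packet_addr: str, ip_mask: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'check this bit'; a 1 bit means 'ignore it'.

    The packet matches when every checked bit equals the ip mask's bit."""
    check_bits = to_int(wildcard) ^ 0xFFFFFFFF          # 1 where we must compare
    return (to_int(packet_addr) & check_bits) == (to_int(ip_mask) & check_bits)


def parse_standard_entry(line: str):
    """Parse 'access-list <1-99> {permit|deny} <addr> [wildcard]' | 'host <addr>' | 'any'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not a numbered ACL entry: {line!r}")
    number = int(tokens[1])
    if not 1 <= number <= 99:
        raise ValueError(f"standard IP ACLs are numbered 1 to 99, got {number}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    rest = tokens[3:]
    if rest == ["any"]:
        ip_mask, wildcard = "0.0.0.0", "255.255.255.255"   # any = check no bits
    elif rest[0] == "host":
        ip_mask, wildcard = rest[1], "0.0.0.0"             # host = check all bits
    elif len(rest) == 1:
        ip_mask, wildcard = rest[0], "0.0.0.0"             # omitted wildcard = 0.0.0.0
    else:
        ip_mask, wildcard = rest[0], rest[1]
    return number, action, ip_mask, wildcard


def evaluate_standard_acl(acl_lines, source_addr: str) -> str:
    """Test source_addr against the entries in order; the first match wins.

    Returns 'permit' or 'deny'. Falling off the end is the implicit 'deny any'."""
    for line in acl_lines:
        _, action, ip_mask, wildcard = parse_standard_entry(line)
        if wildcard_match(source_addr, ip_mask, wildcard):
            return action
    return "deny"


# Constructed sample ACL, assembled from the statements shown on the slides.
STUDENT_ACL = [
    "access-list 1 deny 192.5.5.0 0.0.0.127",   # students: 192.5.5.0 - 192.5.5.127
    "access-list 1 permit any",                 # everyone else (overrides the implicit deny)
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.224"))                    # 0.0.0.31
    print(wildcard_match("192.5.5.55", "192.5.5.32", "0.0.0.31"))   # True
    for src in ("192.5.5.10", "192.5.5.200", "10.0.0.1"):
        print(src, evaluate_standard_acl(STUDENT_ACL, src))
```

The order of the two statements matters: swapping them would permit everything, because the permit any matches first and the deny is never reached.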
Correct Placement of Standard ACLs
– Standard ACLs do not have a destination parameter. Therefore, you place standard ACLs as close to the destination as possible.
– To see why, ask yourself what would happen to all ip traffic if you placed a “deny 192.5.5.0 0.0.0.255” statement on Lab-A’s E0?
Extended ACL Overview
– Extended ACLs are numbered from 100 - 199 and “extend” the
capabilities of the standard ACL.
– Extensions include the ability to filter traffic based on...
• destination address
• portions of the ip protocol
– You can write statements to deny only protocols such
as “icmp” or routing protocols like “rip” and “igrp”
• upper layers of the TCP/IP protocol suite
– You can write statements to deny only protocols such
as “tftp” or “http”
– You can use an operand like eq, gt, lt, and neq (equal to, greater than, less than, and not equal to) to specify how to handle a particular protocol.
– For example, if you wanted an access list to permit all traffic except http access, you would use permit tcp any any neq 80
Two Basic Tasks (Extended ACL)
– Write the ACL statements sequentially in global configuration mode.
Router(config)# access-list access-list-number {permit|deny} {protocol|protocol-keyword} {source source-wildcard} {destination destination-wildcard} [protocol-specific options] [log]
Lab-A(config)#access-list 101 deny tcp 192.5.5.0 0.0.0.255 210.93.105.0 0.0.0.255 eq telnet log
– Group the ACL to one or more interfaces in interface configuration mode (same command syntax as standard).
Router(config-if)#{protocol} access-group access-list-number {in/out}
Lab-A(config-if)#ip access-group 101 out
The Extended Parameters
– access-list-number
• choose from the range 100 to 199
– {protocol | protocol-number}
• For the CCNA, you only need to know ip and tcp--
many more are available
– {source source-wildcard}
• same as in standard
– {destination destination-wildcard}
• formatted like the standard, but specifies the
destination
– [protocol-specific options]
• This parameter is used to specify particular parts of a
protocol that needs filtering.
Port Numbers
– Review the various port numbers for the tcp and
udp protocols and know the most common ones
below.
– You can also simply type the name (telnet)
instead of the number (23) in the {protocol-
specific options}
Port Number Description
21 FTP
23 Telnet
25 SMTP
53 DNS
69 TFTP
Correct Placement of Extended ACLs
– Since extended ACLs have destination information, you want to place them as close to the source as possible.
– Place an extended ACL on the first router interface the packet enters and specify inbound in the access-group command.
Correct Placement of Extended ACLs
– In the graphic below, we want to deny network 221.23.123.0 from accessing the server 198.150.13.34.
– What router and interface should the access list be applied to?
• Write the access list on Router C, apply it to E0, and specify in.
• This will keep the network free of traffic from 221.23.123.0 destined for 198.150.13.34, but still allow 221.23.123.0 access to the Internet.
Writing & Applying the ACL
Router-C(config)#access-list 100 deny ip 221.23.123.0 0.0.0.255 198.150.13.34 0.0.0.0
Router-C(config)#access-list 100 permit ip any any
Router-C(config)#int e0
Router-C(config-if)#ip access-group 100 in
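The extended-ACL syntax from the last few slides, worked through as an added Python example (not code from the original slides): parse_extended_entry reads the protocol, source, destination, an optional eq/neq/gt/lt port test and the log keyword, and evaluate_extended_acl tests a packet against the entries in order with the implicit deny at the end. It reproduces the Router C list above and the Telnet-logging list from the extended-ACL slide. The packet model (a dict with proto/src/dst/dport), the function names and the 203.0.113.5 Internet destination are ours; only the port names listed on the Port Numbers slide (plus www for 80) are mapped to numbers. Port operators apply only to tcp and udp, so the parser rejects an operator on an ip entry.

```python
"""Extended ACL evaluation: protocol, source, destination, port operators (added example)."""
import ipaddress

# Port names from the Port Numbers slide, plus www (80).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "dns": 53, "tftp": 69, "www": 80}

# IOS port operators: equal, not equal, greater than, less than.
OPERATORS = {
    "eq": lambda port, n: port == n,
    "neq": lambda port, n: port != n,
    "gt": lambda port, n: port > n,
    "lt": lambda port, n: port < n,
}


def wildcard_match(addr: str, ip_mask: str, wildcard: str) -> bool:
    """Compare only the bit positions where the wildcard mask has a 0 bit."""
    check = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & check) == (int(ipaddress.IPv4Address(ip_mask)) & check)


def parse_address(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (ip, wildcard, rest)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_extended_entry(line: str) -> dict:
    """Parse 'access-list <100-199> {permit|deny} <proto> <src> <dst> [op port] [log]'."""
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError(f"not an extended IP ACL entry: {line!r}")
    action, proto = t[2], t[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {line!r}")
    src, src_wc, rest = parse_address(t[4:])
    dst, dst_wc, rest = parse_address(rest)
    port_test = None
    if rest and rest[0] in OPERATORS:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"port operators apply only to tcp/udp entries: {line!r}")
        name = rest[1]
        number = PORT_NAMES.get(name)
        if number is None:
            number = int(name)                 # a numeric port was given
        port_test = (rest[0], number)
        rest = rest[2:]
    log = rest == ["log"]
    return {"action": action, "proto": proto, "src": (src, src_wc),
            "dst": (dst, dst_wc), "port": port_test, "log": log}


def is_valid_entry(line: str) -> bool:
    """True when the statement parses; False for syntax the router would reject."""
    try:
        parse_extended_entry(line)
    except (ValueError, IndexError):
        return False
    return True


def entry_matches(entry: dict, pkt: dict) -> bool:
    """'ip' matches every protocol; tcp/udp/icmp must match the packet exactly."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    if entry["port"] is not None:
        op, number = entry["port"]
        return OPERATORS[op](pkt["dport"], number)
    return True


def evaluate_extended_acl(acl_lines, pkt: dict):
    """Return (action, logged); nothing matching means the implicit deny, unlogged."""
    for line in acl_lines:
        entry = parse_extended_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], entry["log"]
    return "deny", False


# The two lists from the slides, as applied inbound on Router C E0 / Lab-A.
ROUTER_C_ACL = [
    "access-list 100 deny ip 221.23.123.0 0.0.0.255 198.150.13.34 0.0.0.0",
    "access-list 100 permit ip any any",
]
TELNET_ACL = [
    "access-list 101 deny tcp 192.5.5.0 0.0.0.255 210.93.105.0 0.0.0.255 eq telnet log",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    # Constructed packets: one to the protected server, one to an Internet host.
    print(evaluate_extended_acl(ROUTER_C_ACL, {"proto": "tcp", "src": "221.23.123.7", "dst": "198.150.13.34", "dport": 80}))
    print(evaluate_extended_acl(ROUTER_C_ACL, {"proto": "tcp", "src": "221.23.123.7", "dst": "203.0.113.5", "dport": 80}))
```

The deny statement logs only when it is the statement that matched, which is why a permit-any after it produces no log entries for the traffic it lets through.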
Naming ACLs
– One nice feature in the Cisco IOS is the ability to name ACLs. This is especially helpful if you need more than 99 standard ACLs on the same router.
– Once you name an ACL, the prompt changes and you no longer have to enter the access-list and access-list-number parameters.
– In the example below, the ACL is named over_and as a hint to how it should be placed on the interface--out
Lab-A(config)# ip access-list standard over_and
Lab-A(config-std-nacl)#deny host 192.5.5.10
.........
Lab-A(config-if)#ip access-group over_and out
Verifying ACLs
• Show commands:
– show access-lists
• shows all access-lists configured on the router
– show access-lists {name | number}
• shows the identified access list
– show ip interface
• shows the access-lists applied to the interface--both
inbound and outbound.
– show running-config
• shows all access lists and what interfaces they are
applied on
Network Address Translation
• IP depletion problem?
• Conserve IP addresses
• Enable networks to use private IP addresses on internal networks
• Security?
Private IP address
Class  RFC 1918 range                  CIDR prefix
A      10.0.0.0 – 10.255.255.255       10.0.0.0/8
B      172.16.0.0 – 172.31.255.255     172.16.0.0/12
C      192.168.0.0 – 192.168.255.255   192.168.0.0/16
NAT
• Operates at the border of a stub network
NAT
Configure NAT
• Static Translation
• Dynamic Translation
Static Translation
Dynamic Translation
PAT (Overloaded NAT)
PAT
NAT command
debug ip nat
Disadvantages of NAT
• Delay
• Loss of end-to-end ability
• Might not work with some applications
Dynamic Host Configuration Protocol
• Dynamic Host Configuration Protocol (DHCP)
– Provides IP configuration information to hosts on bootup
– This functionality is much like that provided by the older protocols RARP and BOOTP
• DHCP manages addressing by leasing the IP information to the hosts
– This leasing allows the information to be recovered when not in use and reallocated when needed
Dynamic Host Configuration Protocol (continued)
Dynamic Host Configuration Protocol (continued)
• You can configure your Cisco router to be a DHCP server
• DHCP relay
– The router can forward the request to other DHCP servers if it cannot satisfy a DHCP request
• Configuring the router to be a DHCP server
– Enable the service using the service dhcp command at the global configuration mode prompt
– Configure DHCP bindings and decide where to store the DHCP bindings database
Dynamic Host Configuration Protocol (continued)
• Configuring the router to be a DHCP server (continued)
– Define the pool of addresses
– Configure any optional IP configuration parameters
– Exclude any statically configured addresses
• Monitoring DHCP
– The best way to check the bindings is to execute the show ip dhcp binding command on the router
– For information on a specific DHCP address pool, use the show ip dhcp pool command
Dynamic Host Configuration Protocol (continued)
• A DHCP server uses ping to detect address conflicts
Managing Cisco Devices
Network Environment Management
Cisco IOS File System and Devices
Managing Cisco IOS Images
Verifying Memory and Deciphering Image Filenames
RouterX#sh flash
-#- --length-- -----date/time------ path
1 14951648 Feb 22 2007 21:38:56 +00:00 c2800nm-ipbase-mz.124-5a.bin
2 1823 Dec 14 2006 08:24:54 +00:00 sdmconfig-2811.cfg
3 4734464 Dec 14 2006 08:25:24 +00:00 sdm.tar
4 833024 Dec 14 2006 08:25:38 +00:00 es.tar
5 1052160 Dec 14 2006 08:25:54 +00:00 common.tar
6 1038 Dec 14 2006 08:26:08 +00:00 home.shtml
7 102400 Dec 14 2006 08:26:22 +00:00 home.tar
8 491213 Dec 14 2006 08:26:40 +00:00 128MB.sdf

41836544 bytes available (22179840 bytes used)

• Verify that flash memory has room for the Cisco IOS image.
Creating a Software Image Backup
RouterX#copy flash tftp:
Source filename []? c2800nm-ipbase-mz.124-5a.bin
Address or name of remote host []? 10.1.1.1
Destination filename [c2800nm-ipbase-mz.124-5a.bin]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! <output omitted>
12094416 bytes copied in 98.858 secs (122341 bytes/sec)
RouterX#
• Back up current files prior to updating flash memory.
Upgrading the Image from the Network
RouterX#copy tftp flash:
Address or name of remote host [10.1.1.1]?
Source filename []? c2800nm-ipbase-mz.124-5a.bin
Destination filename [c2800nm-ipbase-mz.124-5a.bin]
Accessing tftp://10.1.1.1/c2600-js-mz.122-21a.bin...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeee (output omitted) ...erased
Erase of flash: complete
Loading c2800nm-ipbase-mz.124-5a.bin from 10.1.1.1 (via Ethernet0/0): !!!!!!!!!!!!!!!
(output omitted)
[OK - 12094416 bytes]
Verifying checksum... OK (0x45E2)
12094416 bytes copied in 120.465 secs (100398 bytes/sec)
RouterX#
Device Configuration Files
Cisco IOS copy Command
• NVRAM
• Terminal
• TFTP server
• erase start
copy run tftp and copy tftp run Commands
RouterX#copy running-config tftp:
Address or name of remote host []? 10.1.1.1
Destination filename [running-config]? wgroa.cfg
.!!
1684 bytes copied in 13.300 secs (129 bytes/sec)

RouterX#copy tftp: running-config
Address or name of remote host []? 10.1.1.1
Source filename []? wgroa.cfg
Destination filename [running-config]?
Accessing tftp://10.1.1.1/wgroa.cfg...
Loading wgroa.cfg from 10.1.1.1 (via Ethernet0): !
[OK - 1684/3072 bytes]

1684 bytes copied in 17.692 secs (99 bytes/sec)
Cisco IOS copy Command Example
show and debug Commands
Considerations When Using debug Commands
– May generate output in a variety of formats that may not identify the problem
– Require high overhead, possibly disrupting network device operation
– Useful for obtaining information about network traffic and router status
Commands Related to debug
RouterX(config)# service timestamps debug datetime msec
• Adds a time stamp to a debug or log message
RouterX# show processes
• Displays the CPU utilization for each process
RouterX# no debug all
• Disables all debug commands
RouterX# terminal monitor
• Displays debug output on your current vty session
Summary
– The Cisco IFS feature provides a single
interface to all the file systems (NVRAM,
RAM, TFTP, flash) that a router uses.
– As a network grows, storage of the Cisco IOS
Software and configuration files on a central
server enables control of the number and
revision level of software images and
configuration files that must be maintained.
– Having proper backup of the current device
configuration stored in a TFTP server can
help reduce device downtime.
Summary (Cont.)
– The Cisco IOS Software copy commands can
be used to move configurations from one
component or device to another, such as
RAM, NVRAM, or a file server.
– The show and debug commands are built-in
tools for troubleshooting. The show command
is used to display static information, while the
debug command is used to display dynamic
data.
Why IPv6?
• Deficiency of IPv4
• Address space exhaustion
• New types of service and integration:
– Multicast
– Quality of Service
– Security
– Mobility (MIPv6)
• Header and format limitations
Recommended Reading
• The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference [Hardcover]
• Charles M. Kozierok (Author)
Advantages of IPv6 over IPv4
• Larger address space
• Better header format
• New options
• Allowance for extension
• Support for resource allocation
• Support for more security
• Support for mobility
Why Do We Need a Larger Address Space?
• Internet population
– Approximately 973 million users in November 2005
– Emerging populations, geopolitics and address space
• Mobile users
– phones, iPads, tablets, etc.
– Approximately 20 million in 2004
• Mobile phones
– Already 1 billion mobile phones delivered by the industry
• Transportation
– Planes, trains, busses, automobiles
• Consumer devices
– Billions of home and industrial appliances
Larger Address Space
IPv4
• 32 bits or 4 bytes long
4,200,000,000 possible addressable nodes
IPv6
• 128 bits or 16 bytes: four times the bits of IPv4
3.4 × 10^38 possible addressable nodes
340,282,366,920,938,463,374,607,432,768,211,456
5 × 10^28 addresses per person
50,000,000,000,000,000,000,000,000,000
Larger Address Space Enables Address Aggregation
• Aggregation of prefixes announced in the global routing table
• Efficient and scalable routing
Header: from IPv4 to IPv6
IPv6 Header Format
IPv6 Packet Header
• IPv6 has fewer fields.
• The header is 64-bit aligned, which enables fast, efficient, hardware-based processing.
– Hardware-based, efficient processing
– Improved routing efficiency and performance
– Faster forwarding rate with better scalability
• The IPv6 address fields are four times larger than in IPv4.
– The IPv6 header is 40 octets.
– The IPv4 header is 20 octets.
[Figure: IPv4 header beside IPv6 header, field by field]
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding.
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.
Legend: field name kept from IPv4 to IPv6; field not kept in IPv6; name and position changed in IPv6; new field in IPv6.
• The IPv4 header:
– 12 basic header fields + Options and Padding
– Data portion (usually transport layer segment)
– Fixed size of 20 octets
– An options field
– Variable-length options field increases the size of the total IP header
• IPv6
– 8 fields: 1 new (Flow Label); 7 similar to IPv4; 7 not brought over from IPv4.
Resources
• IPv6 Addressing At-A-Glance
– http://cisco.com/application/pdf/en/us/guest/tech/tk872/c1550/cdccont_0900aecd8026003d.pdf
• IPv6 Extension Headers Review and Considerations
– http://cisco.com/en/US/partner/tech/tk872/technologies_white_paper0900aecd8054d37d.shtml
• IPv6 Headers At-A-Glance
– http://cisco.com/application/pdf/en/us/guest/tech/tk872/c1482/cdccont_0900aecd80260042.pdf
• IPv6 Mobility At-A-Glance
– http://cisco.com/application/pdf/en/us/guest/tech/tk872/c1482/cdccont_0900aecd80260046.pdf
• Internet Protocol Version 6 Q&A
– http://cisco.com/en/US/partner/products/ps6553/products_qanda_item0900aecd803715bf.shtml
• IPv6 Case Studies
– http://cisco.com/en/US/partner/products/ps6553/prod_case_studies_list.html
• IPv6 Allocations
– http://www.ripe.net/rs/ipv6/stats/
• Cisco IPv6 Solutions
– http://cisco.com/en/US/partner/products/ps6553/products_white_paper09186a00802219bc.shtml
Address Representation
• 128-bit IPv6 addresses are represented by breaking them up into eight 16-bit segments.
• Each segment is written in hexadecimal (not case sensitive) between 0x0000 and 0xFFFF, separated by colons.
• An example of a written IPv6 address is 3ffe:1944:0100:000a:0000:00bc:2500:0d0b
Rule 1: Leading 0’s
• There are two rules for reducing the size of written IPv6 addresses.
• The first rule is:
• The leading zeroes in any 16-bit segment do not have to be written; if any 16-bit segment has fewer than four hexadecimal digits, it is assumed that the missing digits are leading zeroes.
Example
3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b
3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b
Rule 1: Leading 0’s Practice
3ffe : 0404 : 0001 : 1000 : 0000 : 0000 : 0ef0 : bc00
3ffe : 404 : 1 : 1000 : 0 : 0 : ef0 : bc00
3ffe : 0000 : 010d : 000a : 00dd : c000 : e000 : 0001
3ffe : 0 : 10d : a : dd : c000 : e000 : 1
ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005
ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5
Rule 1: Leading 0’s
• Only leading zeroes can be omitted; trailing zeroes cannot, because doing so would make the segment ambiguous.
• You would not be able to tell whether the missing zeroes belonged before or after the written digits.
3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b
Correct original address:
3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b
Wrong, ambiguous original address:
3ffe : 1944 : 1000 : a000 : 0000 : bc00 : 2500 : d0b0
Rule 2: Double colon :: equals 0000…0000
• The second rule can reduce this address even further:
• Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon.
ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005
ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5
ff02 : : 5
ff02::5
Rule 2: Double colon :: equals 0000…0000
Only a single contiguous string of all-zero segments can be represented with a double colon.
Example: both of these are correct
2001 : 0d02 : 0000 : 0000 : 0014 : 0000 : 0000 : 0095
2001 : d02 :: 14 : 0 : 0 : 95
OR
2001 : d02 : 0 : 0 : 14 :: 95
Another example:
2031 : 0000 : 130F : 0000 : 0000 : 09C0 : 876A : 130B
2031 : 0 : 130F :: 9C0 : 876A : 130B
Rule 2: Double colon :: equals 0000…0000
• Using the double colon more than once in an IPv6 address can create ambiguity.
Example
2001:d02::14::95
• Illegal because the length of the two all-zero strings is ambiguous; it could represent any of the following IPv6 addresses:
2001:0d02:0000:0000:0014:0000:0000:0095
2001:0d02:0000:0000:0000:0014:0000:0095
2001:0d02:0000:0014:0000:0000:0000:0095
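As an added example (not part of the original slides), the following Python implements Rule 1 and Rule 2 as a small parser: expand() accepts the slides' spaced or compact notation and rejects a second "::" as ambiguous, and compress() goes slightly beyond the slides by applying RFC 5952's tie-break (longest zero run, leftmost on ties, never a lone zero hextet). The function names are this example's own.

```python
"""Written-form rules for IPv6 addresses: Rule 1 (drop leading zeros per hextet),
Rule 2 (one run of all-zero hextets becomes '::'), and the ambiguity of a second '::'.
Function names are the example's own."""
import re

HEXTET = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(text: str) -> str:
    """Return the full eight-hextet form, e.g. 'ff02::5' -> 'ff02:0000:...:0005'.

    Raises ValueError for a second '::' (Rule 2 allows exactly one run), for a
    hextet with more than four hex digits, or for the wrong number of hextets.
    """
    text = text.strip().replace(" ", "")  # the slides write '3ffe : 1944 : ...'
    if text.count("::") > 1:
        raise ValueError(f"{text!r}: '::' may appear only once, address is ambiguous")
    if "::" in text:
        left, right = text.split("::")
        lhs = left.split(":") if left else []
        rhs = right.split(":") if right else []
        missing = 8 - len(lhs) - len(rhs)
        if missing < 1:
            raise ValueError(f"{text!r}: '::' must stand for at least one hextet")
        hextets = lhs + ["0"] * missing + rhs
    else:
        hextets = text.split(":")
    if len(hextets) != 8 or not all(HEXTET.match(h) for h in hextets):
        raise ValueError(f"{text!r}: expected eight 16-bit hextets")
    return ":".join(h.lower().zfill(4) for h in hextets)


def is_valid(text: str) -> bool:
    """True when the text is an unambiguous IPv6 address under Rules 1 and 2."""
    try:
        expand(text)
    except ValueError:
        return False
    return True


def drop_leading_zeros(text: str) -> str:
    """Rule 1 only: '0000' -> '0', '00bc' -> 'bc'; trailing zeros are never touched."""
    return ":".join(h.lstrip("0") or "0" for h in expand(text).split(":"))


def compress(text: str) -> str:
    """Rules 1 and 2 together, with RFC 5952 tie-breaking: collapse the longest run
    of zero hextets (leftmost on ties) and never collapse a run of length one."""
    hextets = drop_leading_zeros(text).split(":")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if hextets[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and hextets[j] == "0":
            j += 1
        if j - i > best_len:  # strictly longer, so the leftmost run wins ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(hextets)
    head = ":".join(hextets[:best_start])
    tail = ":".join(hextets[best_start + best_len:])
    return f"{head}::{tail}"


if __name__ == "__main__":
    for sample in ("3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b",
                   "2001:0d02:0000:0000:0014:0000:0000:0095",
                   "2031:0000:130F:0000:0000:09C0:876A:130B",
                   "2001:d02::14::95"):
        if is_valid(sample):
            print(f"{sample} -> {drop_leading_zeros(sample)} -> {compress(sample)}")
        else:
            print(f"{sample} -> rejected as ambiguous")
```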
Network Prefixes
• In IPv4, the prefix (the network portion of the address) can be identified by a dotted-decimal mask or by a bit count: 255.255.255.0 or /24
• IPv6 prefixes are always identified by bit count.
• The address is followed by a forward slash and a decimal number indicating how many of the first bits of the address are the prefix bits.
• This is CIDR notation or prefix notation, for example 3ffe:1944:100:a::/64 (the first 64 bits, that is the first four 16-bit segments, are the prefix).
All 0’s IPv6 Address
• An IPv6 address consisting of all zeroes can be written simply with a double colon.
• There are two cases where an all-zeroes address is used:
1. Default address: the address is all zeroes and the prefix length is zero: ::/0
2. Unspecified address, which is used in some Neighbor Discovery Protocol procedures (covered later).
– An unspecified address is a filler, indicating the absence of a real IPv6 address.
– When writing an unspecified address, it is differentiated from a default address by its prefix length: ::/128
IPv6 Addressing Model
• Addresses are assigned to interfaces, not hosts
• An interface is expected to have multiple addresses
• Addresses have scope:
– Link-Local
– Site-Local → Unique Local
– Global
Interface Identifiers in IPv6 Addresses
• In IPv6, a link is a network medium over which network nodes communicate using the link layer.
• Interface identifiers (IDs) in IPv6 addresses:
– Used to identify a unique interface on a link
– Thought of as the “host portion” of an IPv6 address
– Required to be unique on a link
– Always 64 bits
– May be dynamically created based on Layer 2 media and encapsulation
• The data link layer defines how IPv6 interface identifiers are created and how neighbor discovery deals with data link layer address resolution.
• RFCs describe these processes (not all are supported by Cisco).
• Let’s look at the process for the Ethernet interface identifier…
Calculating the Interface ID Using EUI-64
• To automatically create a guaranteed-unique interface ID, IPv6 defines a method to calculate a 64-bit interface ID derived from that host's MAC address.
• The eighth bit in an IPv6 interface identifier, also known as the “G” bit, is the group/individual bit for managing groups.
bia: xxxx xx0x
Configured: xxxx xx1x
• The Universally/Locally (U/L) bit is the seventh bit of the first byte and is used to determine whether the address is universally or locally administered.
– If 0, the IEEE, through the designation of a unique company ID, has administered the address.
– If 1, the address is locally administered: the network administrator has overridden the manufactured address and specified a different address.
• There seems to be some debate on whether Cisco should flip it if it is already a 1.
• “The standard says leave the U/L bit a 1 if it's a 1 and the "Cisco" way says to flip it regardless.”
Subnet: 2001:8:85a3:4289::/64
MAC Address: 001B:D55B:A408
Global Unicast Address: 2001:8:85a3:4289:021B:D5FF:FE5B:A408 (the last four segments, 021B:D5FF:FE5B:A408, are the Interface ID)
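Added example, not from the slides: the EUI-64 steps above in Python, using the slide's MAC 001B:D55B:A408 and prefix 2001:8:85a3:4289::/64. The U/L bit is inverted unconditionally, as RFC 4291 Appendix A specifies, and mac_from_eui64() shows why the privacy concern arises (the burned-in MAC is recoverable from the address); the link-local address FE80::219:56FF:FE2C:9F60 used below is the one in the R1 output later in this deck. Function names are this example's own.

```python
"""Modified EUI-64 interface IDs (RFC 4291, Appendix A) from a 48-bit MAC address.
Helper names are the example's own, not IOS or Python library names."""
import ipaddress
import re


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:1B:D5:5B:A4:08, 00-1b-d5-5b-a4-08 or the Cisco form 001B:D55B:A408."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """The three steps from the slide: split the MAC into its 24-bit OUI and
    24-bit device part, insert 0xFFFE between them, then invert the U/L bit
    (bit 0x02 of the first byte).  RFC 4291 inverts the bit unconditionally,
    so a locally administered MAC (U/L already 1) ends up with the bit cleared.
    """
    raw = mac_to_bytes(mac)
    oui, device = raw[:3], raw[3:]
    first = oui[0] ^ 0x02
    return bytes([first]) + oui[1:] + b"\xff\xfe" + device


def interface_id_to_hextets(iid: bytes) -> str:
    """Render eight bytes as the four colon-separated hextets the slides show."""
    return ":".join(f"{iid[i]:02X}{iid[i + 1]:02X}" for i in range(0, 8, 2))


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID, which is what the IOS
    'ipv6 address <prefix>/64 eui-64' form does for the configured prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str) -> str:
    """The reverse mapping, which is the privacy problem the slide mentions:
    anyone who sees an EUI-64 address can recover the burned-in MAC."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError(f"{addr}: interface ID is not in modified EUI-64 format")
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return mac.hex(":").upper()


if __name__ == "__main__":
    # Slide example: MAC 001B:D55B:A408 on subnet 2001:8:85a3:4289::/64
    print(interface_id_to_hextets(eui64_interface_id("001B:D55B:A408")))  # 021B:D5FF:FE5B:A408
    print(eui64_address("2001:8:85a3:4289::/64", "001B:D55B:A408"))
    # Link-local address from the R1 'show ipv6 interface' output later in the deck
    print(mac_from_eui64("FE80::219:56FF:FE2C:9F60"))  # 00:19:56:2C:9F:60
```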

• Because of privacy and security concerns, hosts may create a random interface identifier using the MAC address as a base.
• This is considered a privacy extension because, without it, creating an interface identifier from a MAC address allows activity to be tracked to the point of connection.
• Windows XP implements this capability.
Three types of IPv6 Addresses

The three types of IPv6 address follow:
1. Unicast
– Global Unicast
– Link Local Unicast
– Site Local Unicast (now deprecated)
2. Multicast
3. Anycast
• Unlike IPv4, there is no IPv6 broadcast address.
• There is, however, an "all nodes" multicast address, which serves essentially the same purpose as a broadcast address.
Global Unicast Addresses
• A unicast address is an address that identifies a single device.
• A global unicast address is a unicast address that is globally unique.
– Has global scope.
– Also known as global aggregatable.
– Globally unique and can therefore be routed globally with no modification.
Global Unicast Addresses
• The host portion of the address is called the Interface ID.
• A host can have more than one IPv6 interface.
• An address more correctly identifies an interface on a host than the host itself.
• A single interface can have multiple IPv6 addresses, and can have an IPv4 address in addition.
Global Unicast Addresses
• Another big difference between IPv4 addresses and IPv6 addresses: the location of the Subnet Identifier.
• The Subnet Identifier is part of the network portion of the address rather than the host portion.
• This allows an organization to use up to 65,536 individual subnets.
Global Unicast Prefix Assignment
• The current global unicast address assignment by IANA uses the range of addresses that start with the binary value 001, that is 2000::/3.
• All addresses in this range start with the same 3 bits (001) as 2000.
• The first 4 hexadecimal digits appear before the first colon.
• They are more easily recognized as beginning with a hexadecimal 2 or 3: 0010 xxxx or 0011 xxxx
• ICANN assigns global unicast IPv6 addresses as public and globally-unique IPv6 addresses.
• There is no need for NAT.
• This is one-eighth (12.5%) of the total IPv6 address space and is the largest block of assigned addresses.
Address Autoconfiguration (1)
• Allow plug and play
• BOOTP and DHCP are used in IPv4
• DHCPng will be used with IPv6
• Two Methods: Stateless and Stateful
• Stateless:
– A system uses link-local address as source and
multicasts to "All routers on this link"
– Router replies and provides all the needed prefix info
– All prefixes have an associated lifetime
– System can use link-local address permanently if no
router
Address Autoconfiguration (2)
• Stateful:
– Problem with stateless: anyone can connect
– Routers ask the new system to go to a DHCP server (by setting the managed configuration bit)
– System multicasts to "All DHCP servers"
– DHCP server assigns an address
Network Layer in v4 & v6
Transition from IPv4 to IPv6
Advantages of IPv6 over IPv4 (1)
Feature / IPv4 / IPv6
Source and destination address: 32 bits / 128 bits
IPsec: optional / required
Payload ID for QoS in the header: no identification / using the Flow Label field
Fragmentation: both routers and the sending hosts / only supported at the sending hosts
Header checksum: included / not included
Resolve IP address to a link-layer address: broadcast ARP request / multicast Neighbor Solicitation message
Advantages of IPv6 over IPv4 (2)
Feature / IPv4 / IPv6
Determine the address of the best default gateway: ICMP Router Discovery (optional) / ICMPv6 Router Solicitation and Router Advertisement (required)
Send traffic to all nodes on a subnet: broadcast / link-local scope all-nodes multicast address
Configure address: manually or DHCP / autoconfiguration
Manage local subnet group membership: IGMP / Multicast Listener Discovery (MLD)
IPv6 Addressing Scheme and Subnets
• IPv6 uses the same method as IPv4 to subnet its addresses.
• /127 gives you 2 addresses.
• /124 gives you 16 addresses
• /120 gives you 256 addresses
• The first address in a network consists of all 0's and the last
address consists of all F's.
• It’s recommended for simplicity and design purposes to use
/64 everywhere. Using anything less than /64 could
potentially break IPv6 features and cause increased design
complexity.
Leading Zeroes and Double Colons (::)
• Leading 0s (zeroes) in any 16-bit section can be omitted.
Address before omission: 2001:0DB8:0001:5270:0127:00AB:CAFE:0E1F /64
Address after omission: 2001:DB8:1:5270:127:AB:CAFE:E1F /64
• This rule applies only to leading 0s; if trailing 0s were omitted, the address would be ambiguous.
Leading Zeroes and Double Colons (::)
• Double colons (compressing zeroes) can be used to shorten an IPv6 address when one or more hextets consist of all 0s.
• Double colons can only be used to compress a single contiguous run of 16-bit blocks. You cannot use double colons to include part of a block.
• Double colons can only be used once in an address; if used more than once, the address could be ambiguous.
Types of IPv6 Addresses (cont'd)
Multicast Address
• A multicast address identifies a group of interfaces.
• All multicast addresses are identified by their reserved address range FF00::0/8.
• A packet sent to a multicast address is delivered to all devices that are identified by that address.
Protocol / IPv4 Multicast / IPv6 Multicast
OSPF (Router): 224.0.0.5 / FF02::5
OSPF (DR/BDR): 224.0.0.6 / FF02::6
RIPv2: 224.0.0.9 / FF02::9
EIGRP: 224.0.0.10 / FF02::A
Anycast Address
• A unicast address can be assigned to several interfaces/devices.
• A packet sent to an anycast address goes only to the nearest member of the group, according to the routing protocol's measure of distance.
• Anycast is described as a cross between unicast and multicast.
• The difference between anycast and multicast is that an anycast packet is only delivered to a single device, while multicast sends it to multiple devices.
Types of IPv6 Addresses (cont'd)
Link-Local Address
• Link-local addresses are designed for use on a single local link.
• Link-local addresses are automatically configured on all interfaces.
• The prefix used for a link-local address is FE80::X/10.
• Routers do not forward packets whose destination or source address is a link-local address.
Loopback Address
• Similar in function to the IPv4 127.0.0.1 address.
• The loopback address is 0:0:0:0:0:0:0:1, or it may be simplified by using double colons as ::1.
• It is used by a device to send a packet to itself.
Representation / IPv6 Loopback Address
Preferred: 0000:0000:0000:0000:0000:0000:0000:0001
No leading 0’s: 0:0:0:0:0:0:0:1
Compressed: ::1
IPv6
• 128-bit address containing a global routing prefix, subnet ID and interface ID.
• Uses a hexadecimal format ranging from 0-9, A-F.
• Maximum Transmission Unit up to 1280 bytes.
• Network address and broadcast address can be assigned to an interface or end device.
• Native IPsec encryption.
IPv4
• 32-bit addressing scheme containing a host and a network portion.
• Uses binary format between 0 and 1.
• Maximum Transmission Unit up to 576 bytes.
• Network address and broadcast address cannot be assigned to an interface or end device.
• VPN technologies must be used to encrypt IPv4 packets.
IPv6 Co-existence Solutions (figure)
• Dual-Stack: IPv4 and IPv6 together; the enterprise co-existence strategy.
• Tunneling: IPv4 over IPv6 and IPv6 over IPv4; connects islands of IPv6 or IPv4.
• Translation: between IPv6 services (government agencies, international sites, remote workers, consumers) and the IPv4 Internet; connects to the IPv6 community.
Dual-Stack Techniques
• Hosts and network devices run both IPv4 and IPv6 at
the same time.
– This technique is useful as a temporary transition, but it
adds overhead and uses many resources.
• Cisco IOS Software is IPv6 ready.
– As soon as IPv4 and IPv6 configurations are complete, the
interface is dual stacked and it forwards both IPv4 and
IPv6 traffic.
• Drawbacks of dual stacking include:
– The additional resources required to keep and process dual routing tables, routing protocol topology tables, etc.
– Higher administrative overhead; troubleshooting and monitoring are more complex.
Dual-Stack Example
Topology (figure): R1 (10.10.10.1, 2001:12::1/64) connected to R2 (10.10.10.2, 2001:12::2/64)
R1(config)# interface fa0/0
R1(config-if)# ip address 10.10.10.1 255.255.255.0
R1(config-if)# ipv6 address 2001:12::1/64
R1(config-if)# ^Z
R1#
• The FastEthernet 0/0 interface of R1 is dual stacked.
– It is configured with an IPv4 and an IPv6 address.
– Also notice that for each protocol, the addresses on R1 and R2 are on the same network.
Dual-Stack Example
R1# show ip interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.10.10.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always present
<output omitted>
• The output confirms that the Fa0/0 interface is operational and uses the IPv4 address.
Dual-Stack Example
R1# show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::219:56FF:FE2C:9F60
Global unicast address(es):
2001:12::1, subnet is 2001:12::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF2C:9F60
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
<output omitted>
• The output confirms that the Fa0/0 interface is operational and also uses the IPv6 address.
Tunneling Techniques
• Isolated IPv6 networks are connected over
an IPv4 infrastructure using tunnels.
• The edge devices are the only ones that
need to be dual-stacked.
• Scalability may be an issue if many tunnels
need to be created.
– Tunnels can be either manually or automatically
configured, depending on the scale required and
administrative overhead tolerated.
Tunneling Techniques
• For IPv6, tunneling is an integration method in which an
IPv6 packet is encapsulated within IPv4.
• This enables the connection of IPv6 islands without the
need to convert the intermediary network to IPv6.
Tunneling Techniques
• In this example, the tunnel between sites uses:
– IPv4 as the transport protocol (the protocol over which the tunnel is created).
– IPv6 as the passenger protocol (the protocol encapsulated in the tunnel and carried through the tunnel).
– GRE to create the tunnel; GRE is known as the tunneling protocol.
Types of Tunnels
• Tunnels can be created manually using:
– Manual IPv6 tunnels
– GRE IPv6 tunnels (not covered in this
presentation)
• Tunnels can also be created automatically
using:
– IPv4-Compatible IPv6 Tunnels (now
deprecated)
– 6to4 tunnels
– ISATAP Tunnels
Manual Tunnel Configuration
• Create a tunnel interface:
Router(config)# interface tunnel number
• Creates a tunnel interface, which is virtual.
• Once in interface configuration mode, configure the tunnel parameters, including:
– IP address
– Tunnel source
– Tunnel destination
– Tunnel mode (type of tunnel)
Tunnel Configuration Commands
Command / Description
tunnel source interface-type interface-number: an interface configuration command that sets the source address for a tunnel interface as the address of the specified interface.
tunnel destination ip-address: an interface configuration command that specifies the destination address for a tunnel interface. In this case the ip-address parameter is an IPv4 address.
tunnel mode ipv6ip: an interface configuration command that sets the encapsulation mode for the tunnel interface to use IPv6 as the passenger protocol, and IPv4 as both the encapsulation and transport protocol.
Manual IPv6 Tunnel Example
Topology (figure): R3 Fa0/0 13::3/64 -- R1 Fa0/0 13::1/64; R1 S0/1/0 172.16.12.1/24 -- IPv4 RIP -- R2 S0/1/0 172.16.12.2/24; R1 Lo101 10.1.1.1/24, R2 Lo102 10.1.1.2/24; tunnel Tu12 12::1/64 (R1) to 12::2/64 (R2); R2 Fa0/0 24::2/64 -- R4 Fa0/0 24::4/64.
R1(config)# interface tunnel 12
R1(config-if)#
*Aug 16 09:34:46.643: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to down
R1(config-if)# no ip address
R1(config-if)# ipv6 address 12::1/64
R1(config-if)# tunnel source loopback 101
R1(config-if)# tunnel destination 10.1.1.2
R1(config-if)#
*Aug 16 09:36:52.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to up
R1(config-if)# tunnel mode ipv6ip
R1(config-if)#
• R1 is configured with the manual tunnel configuration.
Manual IPv6 Tunnel Example
R2(config)# interface tunnel 12
R2(config-if)#
*Aug 16 09:38:47.532: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to down
R2(config-if)# no ip address
R2(config-if)# ipv6 address 12::2/64
R2(config-if)# tunnel source loopback 101
R2(config-if)# tunnel destination 10.1.1.1
R2(config-if)#
*Aug 16 09:39:24.056: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to up
R2(config-if)# tunnel mode ipv6ip
R2(config-if)#
• R2 is configured with the manual tunnel configuration.
Manual IPv6 Tunnel Example
R1# show interface tunnel 12
Tunnel12 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.1.1.1 (Loopback101), destination 10.1.1.2
Tunnel protocol/transport IPv6/IP
Tunnel TTL 255
Fast tunneling enabled
<output omitted>
• The tunnel interface is examined.
• Next, RIPng will be configured to cross the tunnel.
Manual IPv6 Tunnel Example
R1(config)# ipv6 unicast-routing
R1(config)# interface tunnel 12
R1(config-if)# ipv6 rip RIPoTU enable
R1(config-if)# interface fa0/0
R1(config-if)# ipv6 rip RIPoTU enable
R1(config-if)#

R2(config)# ipv6 unicast-routing
R2(config)# interface tunnel 12
R2(config-if)# ipv6 rip RIPoTU enable
R2(config-if)# interface fa0/0
R2(config-if)# ipv6 rip RIPoTU enable
R2(config-if)#
• RIPng is enabled on the tunnel interfaces and on the FastEthernet interfaces of R1 and R2.
Manual IPv6 Tunnel Example
R3(config)# ipv6 unicast-routing
R3(config)# interface fa0/0
R3(config-if)# ipv6 rip RIPoTU enable
R3(config-if)#

R4(config)# ipv6 unicast-routing
R4(config)# interface fa0/0
R4(config-if)# ipv6 rip RIPoTU enable
R4(config-if)#
• RIPng is enabled on the FastEthernet interfaces of R3 and R4.
• Now end-to-end connectivity should be achieved.
Manual IPv6 Tunnel Example
R4# show ipv6 route rip
<output omitted>
R 12::/64 [120/2]
via FE80::2, FastEthernet0/0
R 13::/64 [120/3]
via FE80::2, FastEthernet0/0
R4#

R3# ping 24::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24::4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/20 ms
R3#
Manual IPv6 Tunnel Summary
• Manual tunnels are simple to configure, and
are therefore useful for a small number of
sites.
• However, for large networks manual tunnels
are not scalable, from both a configuration
and management perspective.
• The edge routers on which the tunnels
terminate need to be dual stacked, and
therefore must be capable of running both
protocols and have the capacity to do so.
6to4 Tunnels
• A 6to4 tunnel, also written 6-to-4, is an automatic tunneling method.
• 6to4 tunnels are point-to-multipoint, rather than point-to-point tunnels.
• The 6to4 tunnels are built automatically by the
edge routers, based on embedded IPv4 address
within the IPv6 addresses of the tunnel interfaces
on the edge routers.
• 6to4 tunnels enable the fast deployment of IPv6 in
a corporate network without the need for public
IPv6 addresses from ISPs or registries.
6to4 Tunnel Example
• When Router A receives an IPv6 packet with a destination address in the range of 2002::/16 (the address 2002:c0a8:1e01::/48 in the example), it determines that the packet must traverse the tunnel.
• The router extracts the IPv4 address embedded in the third to sixth octets, inclusively, of the IPv6 next-hop address.
• In this example, these octets are c0a8:1e01, which is therefore 192.168.30.1.
• This IPv4 address is the IPv4 address of the 6to4 router at the destination site, Router B.
6to4 Tunnel Example
• Router A encapsulates the IPv6 packet in an IPv4 packet with Router B’s extracted IPv4 address as the destination address.
• The packet passes through the IPv4 network.
• Router B decapsulates the IPv6 packet from the received IPv4 packet and forwards the IPv6 packet to its final destination.
6to4 Limitations
• Only static routes or BGP are supported.
– This is because the other routing protocols use
link-local addresses to form adjacencies and
exchange updates and these do not conform to
the address requirements for 6to4 tunnels.
– The example presented here will use static
routes.
• NAT cannot be used along the IPv4 path of
the tunnel, again because of the 6to4
address requirements.
6to4 Tunnel Example
Topology (figure): automatic 6to4 tunnel Tu12 between R1 (Lo101 172.16.101.1, Tu12 2002:AC10:6501::/128) and R2 (Lo102 172.16.102.1, Tu12 2002:AC10:6601::/128) over the IPv4 RIP network (R1 S0/1/0 172.16.12.1/24 -- R2 S0/1/0 172.16.12.2/24); R3 Fa0/0 13:13::3/64 -- R1 Fa0/0 13:13::1/64; R2 Fa0/0 24:24::2/64 -- R4 Fa0/0 24:24::4/64.
• In this example, there are two IPv6 networks separated by an IPv4 network.
• The objective of this example is to again provide full connectivity between the IPv6 islands over the IPv4-only infrastructure.
• The first step is to configure routers R1 and R2 so that they can establish the 6to4 tunnel between them.
6to4 Tunnel Example
R1(config)# interface tunnel 12
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to down
R1(config-if)# no ip address
R1(config-if)# ipv6 address 2002:AC10:6501::/128
R1(config-if)# tunnel source loopback 101
R1(config-if)# tunnel mode ipv6ip 6to4
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to up
R1(config-if)# exit
• R1 is configured with the 6to4 tunnel.
• Notice that the configuration is similar to the manual tunnel configurations except that the tunnel destination is not specified.
6to4 Tunnel Example
R1(config)# ipv6 route 2002::/16 tunnel 12
R1(config)# ipv6 route 24::/64 2002:AC10:6601::
R1(config)#
• R1 is configured with static routes.
6to4 Tunnel Example
R2(config)# interface tunnel 12
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to down
R2(config-if)# no ip address
R2(config-if)# ipv6 address 2002:AC10:6601::/128
R2(config-if)# tunnel source loopback 102
R2(config-if)# tunnel mode ipv6ip 6to4
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to up
R2(config-if)# exit
• R2 is configured with the 6to4 tunnel.
6to4 Tunnel Example
R2(config)# ipv6 route 2002::/16 tunnel 12
R2(config)# ipv6 route 13::/64 2002:AC10:6501::
R2(config)#
• R2 is configured with static routes.
ISATAP Tunnels
• An Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
tunnel is very similar to a 6to4 IPv6 tunnel.
– It is used to connect IPv6 domains over an IPv4 network.
– It embeds an IPv4 address within the IPv6 address.
• The goal of ISATAP is to provide connectivity for IPv6 hosts to
a centralized IPv6-capable router, over an IPv4-only access
network.
• ISATAP was designed to transport IPv6 packets within a site
(hence the “intra-site” part of its name).
– It can still be used between sites, but its purpose is within sites.
• ISATAP tunnels use IPv6 addresses consisting of a 64-bit
prefix concatenated to a 64-bit interface ID in EUI-64 format.
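Added example (mine, not the deck's) covering both the 6to4 extraction described earlier and the ISATAP interface-ID format: it builds and parses the 2002:V4ADDR::/48 prefix (192.168.30.1 from the 6to4 walkthrough, 172.16.101.1 and 172.16.102.1 from the lab) and the ::5EFE:V4ADDR interface ID. The u-bit rule for globally unique IPv4 addresses comes from RFC 5214, not from the slides; function names are this example's own.

```python
"""IPv4 endpoints embedded in IPv6 addresses for automatic tunnels:
6to4 uses 2002:<IPv4 as 32 bits>::/48, ISATAP uses the interface ID 0000:5EFE:<IPv4>
(0200:5EFE when the IPv4 address is globally unique, per RFC 5214).
Function names are the example's own."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ISATAP_TAG = 0x5EFE


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """172.16.101.1 -> 2002:ac10:6501::/48, the site's whole 6to4 prefix.
    The IPv4 address occupies bits 111..80, i.e. the second and third hextets."""
    v4int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (v4int << 80), 48))


def sixtofour_endpoint_v4(dst: str) -> ipaddress.IPv4Address:
    """What the 6to4 router does for a 2002::/16 next hop: pull the IPv4 tunnel
    endpoint out of octets three to six of the IPv6 address."""
    addr = ipaddress.IPv6Address(dst)
    if addr not in SIX_TO_FOUR:
        raise ValueError(f"{dst} is not a 6to4 (2002::/16) address")
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def isatap_interface_id(v4: str) -> int:
    """64-bit ISATAP interface ID: u bit (0x0200 in the top hextet) set only for a
    globally unique IPv4 address, then the 5EFE tag, then the IPv4 address."""
    a = ipaddress.IPv4Address(v4)
    u_bit = 0 if a.is_private else 0x0200
    return (u_bit << 48) | (ISATAP_TAG << 32) | int(a)


def isatap_address(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """Prefix plus ISATAP interface ID; this is the form of the lab's Tu12 addresses
    (12:12::5EFE:AC10:6501) and of the FE80::5EFE:... link-local next hops."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses use a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(v4))


def isatap_endpoint_v4(addr: str) -> ipaddress.IPv4Address:
    """Recover the IPv4 tunnel endpoint from an ISATAP address (any /64 prefix)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    top = (iid >> 32) & 0xFFFFFFFF
    if top & 0xFDFFFFFF != ISATAP_TAG:  # mask off the u bit before comparing
        raise ValueError(f"{addr}: interface ID does not carry the ISATAP 5EFE tag")
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


if __name__ == "__main__":
    print(sixtofour_prefix("172.16.101.1"))              # 2002:ac10:6501::/48
    print(sixtofour_endpoint_v4("2002:c0a8:1e01::"))     # 192.168.30.1
    print(isatap_address("12:12::/64", "172.16.101.1"))  # 12:12::5efe:ac10:6501
    print(isatap_endpoint_v4("FE80::5EFE:AC10:6601"))    # 172.16.102.1
```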
ISATAP Tunnel Example
Topology (figure): automatic ISATAP tunnel Tu12 between R1 (Lo101 172.16.101.1, Tu12 12:12::5EFE:AC10:6501) and R2 (Lo102 172.16.102.1, Tu12 12:12::5EFE:AC10:6601) over the IPv4 RIP network (R1 S0/1/0 172.16.12.1/24 -- R2 S0/1/0 172.16.12.2/24); R3 Fa0/0 13:13::3/64 -- R1 Fa0/0 13:13::1/64; R2 Fa0/0 24:24::2/64 -- R4 Fa0/0 24:24::4/64.
• In this example, there are two IPv6 networks separated by an IPv4 network.
• The objective of this example is to again provide full connectivity between the IPv6 islands over the IPv4-only infrastructure.
• The first step is to configure routers R1 and R2 so that they can establish the ISATAP tunnel between them.
ISATAP Tunnel Example
R1(config)# interface tunnel 12
R1(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to down
R1(config-if)# no ip address
R1(config-if)# ipv6 address 12:12::/64 eui-64
R1(config-if)# tunnel source loopback 101
R1(config-if)# tunnel mode ipv6ip isatap
R1(config-if)# exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to up
R1(config)# ipv6 route 24::/64 tunnel12 FE80::5EFE:AC10:6601
R1(config)#
• R1 is configured with the ISATAP tunnel and a static route.
• Notice that the configuration is similar to the manual and GRE tunnel configurations except that the tunnel destination is not specified.
ISATAP Tunnel Example
R2(config)# interface tunnel 12
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to down
R2(config-if)# no ip address
R2(config-if)# ipv6 address 12:12::/64 eui-64
R2(config-if)# tunnel source loopback 102
R2(config-if)# tunnel mode ipv6ip isatap
R2(config-if)# exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel12, changed state to up
R2(config)# ipv6 route 13::/64 tunnel12 FE80::5EFE:AC10:6501
R2(config)#
• R2 is configured with the ISATAP tunnel and a static route.
IPv6 Routing
Static Route: Directly Attached, Fully Specified, Floating, Default
Dynamic Routing: RIPng, OSPFv3, EIGRP for IPv6, Multiprotocol BGP version 4 (MP-BGPv4)
Directly Attached IPv6 Static Route Example
Topology (figure): R1 S0/0/0 2001:1::1/64 -- R2 S0/0/0 2001:1::2/64; R1 Lo100 10::10:1/64, Lo101 11::11:1/64; R2 Lo102 13::13:1/64.
R1# config t
R1(config)# ipv6 route 13::/64 s0/0/0
R1(config)# exit
R1# show ipv6 route static
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S 13::/64 [1/0]
via ::, Serial0/0/0
R1#
• A directly attached static route to the 13::13:1/64 network is configured on router R1.
Fully Specified IPv6 Static Route Example
R1# config t
R1(config)# ipv6 route 13::/64 s0/0/0 2001:1::2
R1(config)# exit
R1# show ipv6 route static
IPv6 Routing Table - Default - 8 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S 13::/64 [1/0]
via 2001:1::2, Serial0/0/0
R1#
• A fully specified static route to the 13::13:1/64 network is configured on router R1.
Floating IPv6 Static Route Example
R1# config t
R1(config)# ipv6 route 13::/64 130
R1(config)# exit
R1#
• For example, R1 is configured with a floating static route specifying an administrative distance of 130 to the R2 LAN.
• If an IGP already has an entry in the IPv6 routing table for this LAN, then the static route would only appear in the routing table if the IGP entry was removed.
Default IPv6 Static Route Example
R2# config t
R2(config)# ipv6 route ::/0 s0/0/0
R2(config)# exit
R2# show ipv6 route static
IPv6 Routing Table - 9 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S ::/0 [1/0]
via ::, Serial0/0/0
R2#
• For example, a default static route, as specified by the “::/0” entry, is configured on router R2 to reach all other networks connected to R1.
Configuring IPv6 EIGRP on a Network
IPv6 packet forwarding is disabled by default. To enable IPv6 packet forwarding, use the ipv6 unicast-routing command in global configuration mode before enabling EIGRP.
Branch-1(config)# ipv6 router eigrp 100
% IPv6 routing not enabled
Branch-1(config)# ipv6 unicast-routing
• A router ID is mandatory for IPv6 EIGRP to function properly. If one isn't manually configured, one will be generated using a loopback or physical interface.
Packet Tracer:
Branch-1(config)# ipv6 router eigrp 100
Branch-1(config-rtr)# router-id 1.1.1.1
Branch-1(config-rtr)# no shutdown
Real equipment:
Branch-1(config)# ipv6 router eigrp 100
Branch-1(config-rtr)# eigrp router-id 1.1.1.1
Configuring IPv6 EIGRP on a Network
• Unlike IPv4 EIGRP, EIGRP for IPv6 has no network command. The process is enabled per interface instead, and every interface that should take part gets the ipv6 eigrp <AS> command:
Branch-1(config)# int s0/0/0
Branch-1(config-if)# ipv6 eigrp 100
Branch-1(config-if)# int g0/0
Branch-1(config-if)# ipv6 eigrp 100
Branch-1(config-if)# int g0/1
Branch-1(config-if)# ipv6 eigrp 100

• The command must be present on every interface that participates in EIGRP. An interface without it neither forms adjacencies nor has its prefix advertised, so the neighbours never learn that network.
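A check for the two omissions described above (no ipv6 unicast-routing, and an addressed interface with no ipv6 eigrp line), as an added example that is not part of the slides. The running-config text is constructed to resemble Branch-1's; the audit logic is a plain parse of the config, not an IOS feature.

```python
"""Audit an IOS running-config for EIGRP for IPv6 coverage.

Added example, not from the slide deck: reports the two mistakes the slides
warn about, a missing 'ipv6 unicast-routing' and an interface that carries
an IPv6 address but no 'ipv6 eigrp <asn>' line. The config below is
constructed for illustration.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
!
ipv6 unicast-routing
!
interface Serial0/0/0
 ipv6 address 2001:1::1/64
 ipv6 eigrp 100
!
interface GigabitEthernet0/0
 ipv6 address 2001:2::1/64
 ipv6 eigrp 100
!
interface GigabitEthernet0/1
 ipv6 address 2001:3::1/64
!
interface Loopback100
 ipv6 address 10::10:1/64
 ipv6 eigrp 100
!
ipv6 router eigrp 100
 eigrp router-id 1.1.1.1
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map interface name -> list of its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def audit_eigrp_ipv6(config: str, asn: int) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []
    if not re.search(r"^ipv6 unicast-routing\s*$", config, re.M):
        findings.append("ipv6 unicast-routing is missing: EIGRP for IPv6 will not start")
    if not re.search(rf"^ipv6 router eigrp {asn}\s*$", config, re.M):
        findings.append(f"no 'ipv6 router eigrp {asn}' process configured")
    for name, cmds in parse_interfaces(config).items():
        has_addr = any(c.startswith("ipv6 address") for c in cmds)
        enabled = f"ipv6 eigrp {asn}" in cmds
        if has_addr and not enabled:
            findings.append(f"{name}: has an IPv6 address but no 'ipv6 eigrp {asn}'; "
                            "its prefix will not be advertised")
    return findings


if __name__ == "__main__":
    for finding in audit_eigrp_ipv6(SAMPLE_CONFIG, 100):
        print("FINDING:", finding)
```

Run against the sample it reports only GigabitEthernet0/1, the interface the slide's own walk-through forgets to enable; remove the ipv6 unicast-routing line and the first finding changes accordingly.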
Configuring IPv6 EIGRP on a Network
• Once EIGRP for IPv6 is enabled on the interfaces at both ends, a log message reports each adjacency as it forms:
Branch-2(config)# int s0/0/0
Branch-2(config-if)# ipv6 eigrp 100
Branch-2(config-if)#
%DUAL-5-NBRCHANGE: IPv6-EIGRP 100: Neighbor FE80::1 (Serial0/0/0) is up: new adjacency
Branch-2(config-if)# int s0/0/1
Branch-2(config-if)# ipv6 eigrp 100
Branch-2(config-if)#
%DUAL-5-NBRCHANGE: IPv6-EIGRP 100: Neighbor FE80::3 (Serial0/0/1) is up: new adjacency
Branch-2(config-if)#
IPv6 Show Commands
Branch-2# show ipv6 eigrp neighbor
IPv6-EIGRP neighbors for process 100
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
0   Link-local address:     Se0/0/0       14 00:01:31   40  1000  0  18
    FE80::1
1   Link-local address:     Se0/0/1       12 00:01:24   40  1000  0  20
    FE80::3

• Address: the neighbour's IPv6 link-local address (EIGRP for IPv6 peers on link-local addresses, so the global prefix of the link plays no part in the adjacency).
• Interface: the local interface on which this neighbour's Hello packets are received.
• Hold: seconds remaining before the neighbour is declared down; reset to the maximum hold time whenever a Hello is received.
• Uptime: time since the neighbour was added to the neighbour table.
IPv6 Show Commands
Branch-2# show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "static"
IPv6 Routing Protocol is "eigrp 100"
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Interfaces:
    Serial0/0/0
    Serial0/0/1
  Redistributing: eigrp 100
  Maximum path: 16
  Distance: internal 90 external 170

• "eigrp 100": routing protocol and process ID (autonomous system number).
• K1 to K5: the K values used in the composite metric; they must match on both neighbours or the adjacency will not form.
• Interfaces: the interfaces on which EIGRP for IPv6 is enabled.
• Distance: EIGRP administrative distances, 90 for internal and 170 for external (redistributed) routes.
IP Services
By Ashebir Gebre (aka Shegawe)
HSRP
• High availability is critical in most environments.
• To reach other networks, HostA must use a single gateway, SwitchA.
• That gateway is a single point of failure on this network.
First Hop Redundancy
• Hot Standby Router Protocol (HSRP): Cisco, informational RFC 2281 (March 1998)
• Virtual Router Redundancy Protocol (VRRP): IETF standard, RFC 2338 (April 1998)
• Gateway Load Balancing Protocol (GLBP): Cisco designed, load sharing, patent pending
HSRP
• Layer-3 redundancy must be transparent to each host. Hosts should not be configured with multiple default gateways.
HSRP
• Cisco supports three protocols that provide transparent Layer-3 redundancy:
– Hot Standby Router Protocol (HSRP)
– Virtual Router Redundancy Protocol (VRRP)
– Gateway Load Balancing Protocol (GLBP)
• Hot Standby Router Protocol (HSRP):
– allows multiple routers or multilayer switches to masquerade as a single gateway
– by assigning a virtual IP and a virtual MAC address to all routers participating in an HSRP group
– all members of a group must be configured with the same group number, which can range from 0 to 255
– most Cisco platforms support only 16 configured HSRP groups
• HSRP routers (Layer-3 devices) are elected to specific roles:
– Active router: the router currently serving as the gateway; it answers ARP requests for the virtual IP with the virtual MAC
– Standby router: the backup to the active router
– Listening routers: all other routers participating in the group
• Only one active and one standby router are allowed per HSRP group. HSRP therefore provides Layer-3 redundancy but no inherent load balancing; the usual workaround is several HSRP groups on the same VLAN, each with a different active router, with the hosts split between the virtual IPs.
HSRP
• Hello packets are used to elect HSRP roles and to confirm that the members are still alive.
• By default hello packets are sent every 3 seconds, and a member is declared down after the 10-second hold time passes without one.
• The role of an HSRP router is dictated by its priority.
• The priority ranges from 0 to 255, with a default of 100.
• A higher priority is preferred. A higher-priority router that comes up later only takes over from a running active router if standby preempt is configured.
• If all priorities are equal, the router with the highest IP address on its HSRP interface is elected active.
• Nothing in the election verifies who is sending hellos: any device on the segment that sends hellos for the group with a higher priority becomes the active gateway and receives all of the hosts' traffic. Enable HSRP MD5 authentication (standby <group> authentication md5 key-string <key>) and keep untrusted ports off the gateway VLAN.
• HSRP states:
– Disabled
– Initial
– Learn
– Listen
– Speak
– Standby
– Active
HSRP
• Hello packets are exchanged only in three HSRP states:
– Speak
– Standby
– Active
• Interfaces in the Listen state only listen for hello packets.
– If the active or standby router fails, a listening interface transitions to the Speak state to take part in a new election.
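The election rule and the virtual MAC described on the HSRP slides, as an added example that is not part of the deck: router names, interface addresses and priorities are constructed. The MAC formats are the well-known HSRPv1 (0000.0c07.acXX) and HSRPv2 (0000.0c9f.fXXX) values.

```python
"""HSRP role election and virtual MAC derivation.

Added example, not from the slide deck: reproduces the election rule on the
slides (highest priority wins, highest interface IP breaks a tie), the
re-election a listening router triggers when it stops hearing the active or
standby, and the virtual MAC a group uses. Names, IPs and priorities are
constructed.
"""
import ipaddress
from typing import Dict, Tuple


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """HSRPv1: 0000.0c07.acXX (XX = group 0-255).
    HSRPv2: 0000.0c9f.fXXX (XXX = group 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("HSRP version must be 1 or 2")


def elect(routers: Dict[str, Tuple[int, str]]) -> Dict[str, str]:
    """routers: name -> (priority, interface IP).
    Returns name -> role: 'active', 'standby' or 'listen'."""
    ranked = sorted(
        routers.items(),
        key=lambda kv: (kv[1][0], int(ipaddress.IPv4Address(kv[1][1]))),
        reverse=True,                       # highest priority, then highest IP
    )
    roles: Dict[str, str] = {}
    for i, (name, _) in enumerate(ranked):
        roles[name] = "active" if i == 0 else "standby" if i == 1 else "listen"
    return roles


def failover(routers: Dict[str, Tuple[int, str]], failed: str) -> Dict[str, str]:
    """Drop the failed member and re-run the election, which is what the
    remaining routers do once the hold time expires without its hellos."""
    remaining = {n: v for n, v in routers.items() if n != failed}
    return elect(remaining)


if __name__ == "__main__":
    group = {"SwitchA": (150, "10.1.1.2"),
             "SwitchB": (100, "10.1.1.3"),
             "R3": (100, "10.1.1.4")}
    print(elect(group))                # SwitchA active; R3 beats SwitchB on IP
    print(failover(group, "SwitchA"))  # R3 active, SwitchB standby
    print(hsrp_virtual_mac(1), hsrp_virtual_mac(1, version=2))
```

The election here assumes every member is starting at once (or has preempt enabled); on a running group a newcomer with a higher priority stays in Listen until preempt is configured. A rogue host can be modelled by adding an entry with priority 255, which is exactly why the authentication and port-security controls above matter.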
HSRP Basic Configuration
• On a router:
– Router(config)# interface gi0/3
– Router(config-if)# standby 1 priority 150
– Router(config-if)# standby 1 ip 10.1.1.1
• On a multilayer switch (SVI):
– SwitchB(config)# interface vlan 100
– SwitchB(config-if)# standby 1 priority 150
– SwitchB(config-if)# standby 1 ip 10.1.1.1
• 10.1.1.1 is the virtual IP the hosts use as their default gateway; it must lie in the interface's subnet and must not be the real address of any member.
VRRP
• Very similar to HSRP.
• A group of routers functions as one virtual router by sharing ONE virtual IP address and ONE virtual MAC address.
• One router, the master, forwards packets for the local hosts.
• The remaining routers act as backups in case the master fails.
• Backup routers stay idle as far as packet forwarding from the client side is concerned.
GLBP Defined
• A group of routers function as one virtual
router by sharing ONE virtual IP address
but using Multiple virtual MAC addresses
for traffic forwarding
• Provides uplink load-balancing as well as
first hop fail-over
SNMP
• SNMP is an application-layer protocol that provides a message format for communication between what are termed managers and agents.
• Components include:
– SNMP manager
– SNMP agent
– Management Information Base (MIB)
SNMP Messages
• Get: the manager reads a MIB variable from the agent
• Set: the manager writes a MIB variable on the agent
• Trap: an unsolicited notification from agent to manager; sent once and never acknowledged (unreliable)
• Inform: an acknowledged notification, available from SNMPv2c onward; the agent retransmits until the manager replies (reliable)
Elements of Simple Network Management Protocol
SNMP in Use for Monitoring the Network
The Management Information Base (MIB)
• The MIB defines each variable as an object ID (OID).
• It organizes the OIDs into a hierarchy, usually shown as a tree.
• The MIB for any device includes some branches of the tree with variables common to many networking devices and branches with variables specific to that device.
• Networking equipment vendors such as Cisco can define their own private branches of the tree (Cisco's enterprise branch is 1.3.6.1.4.1.9).
MIB tree
Obtaining a MIB value with snmpget
The command the slide dissects, reassembled from its parameter table:
snmpget -v2c -c community 10.250.250.14 1.3.6.1.4.1.9.2.1.58.0

-v2c                        The version of SNMP in use
-c community                The SNMP password, called a community string
10.250.250.14               The IP address of the monitored device
1.3.6.1.4.1.9.2.1.58.0      The numeric object identifier (OID) of the MIB variable
Configuring SNMPv2c
There are two types of community strings in SNMP version 2c:
• Read-only (RO): gives access to the MIB variables but does not allow them to be changed, only read. Because the community string is the whole credential and it travels in clear text, many organizations use SNMPv2c only in read-only mode, and only from manager addresses listed in an ACL.
• Read-write (RW): gives read and write access to all objects in the MIB. On a Cisco device that includes the objects that trigger configuration changes and TFTP copies of the running config, so an exposed RW string is equivalent to privileged access.
Configuring SNMP Version 2c for Read-Only
Access
R1(config)# ip access-list standard ACL_PROTECTSNMP
R1(config-std-nacl)# permit host 10.10.10.101
R1(config-std-nacl)# exit
R1(config)# snmp-server community V011eyB@11!!! RO ACL_PROTECTSNMP
R1(config)# snmp-server location Tampa
R1(config)# snmp-server contact Anthony Sequeira
R1(config)# end
R1#
Configuring SNMP Version 2c for
Read and Write Access
R2(config)# ip access-list standard ACL_PROTECTSNMP
R2(config-std-nacl)# permit host 10.20.20.201
R2(config-std-nacl)# exit
R2(config)# snmp-server community T3nn1sB@ll RW ACL_PROTECTSNMP
R2(config)# snmp-server location New York
R2(config)# snmp-server contact John Sequeira
R2(config)# end
R2#
SNMPv3
• Message integrity: ensures that a packet has not been tampered with in transit
• Authentication: ensures that the packet came from a known and trusted source
• Encryption: ensures that the information cannot be read if the data is captured in transit
Possible security modes of SNMPv3
• noAuthNoPriv: username only, no authentication and no encryption
• authNoPriv: authentication (HMAC-MD5 or HMAC-SHA) but no encryption
• authPriv: authentication plus encryption (DES, 3DES or AES); the mode to deploy
Syslog
• Syslog lets Cisco devices (and many non-Cisco devices) send their system messages across the network to syslog servers.
• You can even build a special out-of-band (OOB) network for this purpose.
• Many syslog server packages exist for Windows and UNIX.
Popular destinations for syslog messages
• The logging buffer (RAM inside the router or switch)
• The console line
• The terminal lines (vty sessions, with terminal monitor)
• A syslog server
Syslogging in the Network
System Message Format
Example message, assembled from the parts listed below: *Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
• A timestamp: *Dec 18 17:10:15.079 (the leading * means the clock is not authoritative, for example not yet synchronized by NTP)
• The facility on the router that generated the message: %LINEPROTO
• The severity level: 5
• A mnemonic for the message: UPDOWN
• The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down
Modifying System Messages
System Message Severity Levels
0 emergencies     System is unusable
1 alerts          Immediate action needed
2 critical        Critical conditions
3 errors          Error conditions
4 warnings        Warning conditions
5 notifications   Normal but significant condition
6 informational   Informational messages only
7 debugging       Debugging messages
Configuring and Verifying Syslog
• R1(config)# logging 192.168.1.101
• R1(config)# logging trap 4
• logging <address> names the syslog server; logging trap 4 sends severity 0 to 4 (emergencies through warnings) to it and keeps 5 to 7 local.
• By default, Cisco routers and switches send log messages of all severity levels to the console. On some IOS versions the device also buffers those messages by default:
– R1(config)# logging console
– R1(config)# logging buffered
• R1# show logging
• Syslog over UDP 514 is neither authenticated nor encrypted: anyone on the path can read, drop or forge messages. Keep the server on a management or OOB network and treat it, not the device buffer, as the record of what happened.
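A parser for the message format above together with the logging trap threshold, as an added example that is not part of the slides. The log lines are constructed in IOS format; the trap filter reproduces the effect of logging trap 4 rather than calling any IOS feature.

```python
"""Parse Cisco IOS system messages and apply a 'logging trap' threshold.

Added example, not from the slide deck: splits messages of the form
'*Dec 18 17:10:15.079: %FACILITY-SEVERITY-MNEMONIC: text' into their parts
and decides which of them a router with 'logging trap 4' would forward to
the syslog server (severity 0-4 only). The log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

SAMPLE_LOG = [   # constructed lines in IOS format
    "*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "000123: *Dec 18 17:10:20.001: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "*Dec 18 17:11:02.512: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Dec 18 17:11:05.000: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "Dec 18 17:12:00.000: %SYS-6-LOGOUT: User admin has exited tty session 1(10.0.0.5)",
]

MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                                                # optional sequence number
    r"(?:(?P<ts>[*.]?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+)?"   # optional timestamp
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class SyslogMsg:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse(line: str) -> Optional[SyslogMsg]:
    """One IOS message -> its parts, or None if the line is not in that format."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return SyslogMsg(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["sev"]),
        mnemonic=m["mnemonic"],
        text=m["text"],
    )


def forwarded_to_server(lines: List[str], trap_level: int = 4) -> List[SyslogMsg]:
    """'logging trap N' sends severity 0..N to the server; higher numbers
    (less severe) stay in the local buffer and on the console only."""
    out: List[SyslogMsg] = []
    for line in lines:
        msg = parse(line)
        if msg is not None and msg.severity <= trap_level:
            out.append(msg)
    return out


if __name__ == "__main__":
    for msg in forwarded_to_server(SAMPLE_LOG, trap_level=4):
        print(msg.severity_name, msg.facility, msg.mnemonic, "-", msg.text)
```

With trap level 4 the failed SSH login and the link-down message reach the server while the two level-5 messages (line-protocol change, configuration from vty) and the level-6 logout stay on the box. That is worth checking before relying on the server for incident reconstruction: a config change by an attacker is severity 5 and would be lost under logging trap 4.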
References
• Wendell Odom, "Cisco CCNA Routing and
Switching ICND2 200-101 Official Cert Guide",
Cisco Press, May 14, 2013.
NetFlow Objectives
Upon completing this lesson, you will be able to:
• Describe the purpose of NetFlow
• Describe the NetFlow architecture
• Configure and verify NetFlow on a Cisco device
NetFlow Overview
• NetFlow is an application for collecting IP traffic information.
• Reports from NetFlow are like a phone bill: who talked to whom, when, and how much.
• NetFlow enables the following:
– Measuring who uses network resources
– Accounting and charging for resource utilization
– Using the measured information to do effective network planning
– Using the measured information to customize applications and services
• The same records serve security monitoring: scans, unexpected talkers and data leaving the network all show up as flows.
NetFlow Overview (Cont.)
• Example of analysis on a NetFlow collector: shows top talkers, top listeners, top protocols, and more.
NetFlow Overview (Cont.)
• NetFlow components:
– NetFlow-enabled network devices
– NetFlow collector
• NetFlow devices generate NetFlow records that are exported and then collected by a NetFlow collector. Cisco Network Analysis Module is an example of a NetFlow collector. It also processes NetFlow data and provides the results through its GUI.
Figure: NetFlow-enabled router exporting records to a NetFlow collector.
NetFlow Overview (Cont.)
• Cisco defines a flow as a unidirectional sequence of packets that share seven values:
– Source IP address
– Destination IP address
– Source port number
– Destination port number
– Layer 3 protocol type
– ToS
– Input logical interface
• Unidirectional means that one TCP connection appears as two flows, one per direction.
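The seven-field flow definition above turned into a small flow cache, with the expiry timers that the show ip cache flow output later on the page reports (30 minutes active, 15 seconds inactive), as an added example that is not part of the slides. The packets fed in are constructed; a real collector reads the router's exported records rather than packets.

```python
"""A minimal NetFlow-style flow cache.

Added example, not from the slide deck: aggregates packets into
unidirectional flows keyed on the seven fields listed above and expires
them with the default IOS timers (15 s inactive, 30 min active), which is
what the router does before it exports a record. The packets fed in are
constructed; a collector would read exported records rather than packets.
"""
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Set, Tuple

INACTIVE_TIMEOUT = 15          # seconds with no packet for the flow
ACTIVE_TIMEOUT = 30 * 60       # seconds since the first packet, even if busy


class FlowKey(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int        # IP protocol number: 6 TCP, 17 UDP, 1 ICMP
    tos: int
    in_if: str        # input logical interface


@dataclass
class Flow:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self) -> None:
        self.active: Dict[FlowKey, Flow] = {}
        self.expired: List[Flow] = []      # records ready for export

    def packet(self, key: FlowKey, size: int, now: float) -> None:
        self.age(now)
        flow = self.active.get(key)
        if flow is None:
            flow = self.active[key] = Flow(key, first=now, last=now)
        flow.packets += 1
        flow.octets += size
        flow.last = now

    def age(self, now: float) -> List[Flow]:
        """Move timed-out flows to the export queue; returns what expired."""
        done = [f for f in self.active.values()
                if now - f.last > INACTIVE_TIMEOUT or now - f.first > ACTIVE_TIMEOUT]
        for f in done:
            del self.active[f.key]
        self.expired.extend(done)
        return done

    def _all(self) -> List[Flow]:
        return list(self.active.values()) + self.expired

    def top_talkers(self, n: int = 3) -> List[Tuple[str, int]]:
        """Bytes per source address, highest first (the collector's top-N view)."""
        totals: Dict[str, int] = {}
        for f in self._all():
            totals[f.key.src_ip] = totals.get(f.key.src_ip, 0) + f.octets
        return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

    def port_scan_candidates(self, min_ports: int = 4) -> List[Tuple[str, str, int]]:
        """(src, dst, distinct dst ports): many tiny TCP flows from one source
        to one destination is the NetFlow signature of a port scan."""
        ports: Dict[Tuple[str, str], Set[int]] = {}
        for f in self._all():
            if f.key.proto == 6 and f.packets <= 2:
                ports.setdefault((f.key.src_ip, f.key.dst_ip), set()).add(f.key.dst_port)
        return [(s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports]


def demo() -> FlowCache:
    """Constructed traffic: a web session, one ping, and a four-port scan."""
    cache = FlowCache()
    web = FlowKey("172.16.1.100", "10.2.23.105", 51000, 80, 6, 0, "Gi0/1")
    # NetFlow v5 convention: ICMP type/code ride in the destination port field.
    ping = FlowKey("172.16.1.100", "10.2.23.105", 0, 0x0800, 1, 0, "Gi0/1")
    scan = [FlowKey("203.0.113.9", "10.2.23.105", 40000 + p, p, 6, 0, "Gi0/0")
            for p in (22, 23, 80, 443)]
    t = 0.0
    for _ in range(10):
        cache.packet(web, 1200, t)
        t += 1
    cache.packet(ping, 64, t)
    for k in scan:
        cache.packet(k, 60, t)
    cache.age(t + 20)          # 20 s of silence: every flow passes the inactive timer
    return cache


if __name__ == "__main__":
    c = demo()
    print(c.top_talkers())
    print(c.port_scan_candidates())
```

The inactive timer is what turns the cache into exportable records: nothing leaves the router until a flow has been quiet for 15 seconds (or busy for 30 minutes), so a collector's view always lags by at least that much. The scan detector is deliberately crude, but it is the same shape of query a collector runs, and it works on the 7-tuple alone, without payload.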
NetFlow Configuration
• Configure NetFlow data capture
• Configure NetFlow data export
• Configure NetFlow data export version
• Verify NetFlow, its operation, and statistics
NetFlow Configuration (Cont.)
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip flow ingress
R1(config-if)# ip flow egress
R1(config-if)# exit
R1(config)# ip flow-export destination 10.1.10.100 9996
R1(config)# ip flow-export version 9

Configuration of NetFlow on router R1: enable capture on the interface (ingress, egress or both), then point the export at the collector's address and UDP port and choose the export format version.
NetFlow Configuration (Cont.)
R1# show ip flow interface
GigabitEthernet0/0
  ip flow ingress
  ip flow egress

Displays whether NetFlow is enabled on an interface.

R1# show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
  Destination(1)  10.1.10.100 (9996)
  Version 9 flow records
  43 flows exported in 15 udp datagrams

Displays the status and the statistics for NetFlow data export.
NetFlow Configuration (Cont.)
R1# show ip cache flow
<output omitted>
IP Flow Switching Cache, 278544 bytes
  2 active, 4094 inactive, 31 added
  6374 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  2 active, 1022 inactive, 31 added, 31 added to flow
  0 alloc failures, 0 force free
  1 chunk, 0 chunks added
  last clearing of statistics 00:49:48
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          19      0.0        19    58      0.1       6.5      11.7
TCP-WWW             14      0.0         8   202      0.0       0.0       1.5
TCP-other            2      0.0        19    98      0.0       2.2       8.9
<output omitted>
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         172.16.1.100    Gi0/0         10.2.23.105     01 0401 0017  1341

Displays a summary of the NetFlow accounting statistics. The last line is one currently active flow: protocol 01 (ICMP) from 172.16.1.100 to 10.2.23.105, 1341 packets so far.
Summary
• NetFlow provides statistics on packets
flowing through the routing devices in the
network.
• The configuration part of NetFlow consists of
configuring data capture and configuring
data export.
VPN
• Concepts of VPNs
• Reasons why VPNs were introduced
• VPN implementation models
• Benefits and drawbacks of VPNs
• A VPN is not a hard concept!
VPN
• Traditional router-based networks connect customer sites via dedicated point-to-point links.
VPN
• Traditional router-based network
• Advantages:
– Private: traffic stays on dedicated circuits
– High bandwidth
– Superior quality
– Reliable
• Disadvantages:
– Expensive
– Permanent physical connection
– Not scalable
VPN
• Replaces dedicated point-to-point links
• Emulates point-to-point links over a shared infrastructure (the Internet or a provider backbone)
• Used to reduce operational cost
VPN
• Cost savings
• Scalability
• Improved security (only when the VPN authenticates and encrypts; a plain tunnel adds none)
• Better performance
• Flexible
• Reliable
VPN terminology
MPLS VPN (FYI)
Benefits of VPN
• Security
• Cost savings
• Scalability
• Compatibility with broadband technology
Enterprise-managed VPNs
• Remote-access VPNs
• Site-to-site VPNs
Extranet VPNs
Introduction to Cisco IOS IPsec
• IPsec:
– An industry-wide standard framework of protocols and algorithms that allows for secure data transmission
– IP-based and functions at Layer 3
– IPsec cannot protect non-IP traffic by itself
– Use GRE to create a tunnel: non-IP traffic (and multicast, which includes routing-protocol traffic) is first encapsulated in GRE, and the resulting unicast IP packets are then protected by IPsec
IPsec
• IPsec transform: specifies a single security protocol with its corresponding security algorithm
• Security protocols used by IPsec:
– Authentication Header (AH) and Encapsulating Security Payload (ESP)
• AH provides integrity and data-origin authentication for the whole packet, outer IP header included, using a keyed hash (HMAC); it provides no encryption, and because it covers the IP header it does not survive NAT.
ESP
• Provides:
– Confidentiality
– Data origin authentication
– Connectionless integrity
– Anti-replay service
– Limited traffic-flow confidentiality
Components of ESP
• Confidentiality (encryption)
– A symmetric cipher such as DES or 3DES (both deprecated today; use AES), which must be the same on both sides
• Data integrity
– Ensures the data has not been altered, using a keyed hash (HMAC), not a plain checksum
• Anti-replay service
– The receiver checks the sequence number against a sliding window and drops duplicates and packets that are too old
• Authentication
– Ensures the connection is with the correct partner
• Traffic-flow confidentiality
– Limited, and only when tunnel mode is selected: the original IP header is encrypted, so an observer sees only the tunnel endpoints
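The anti-replay check listed above, carried out the way RFC 4303 describes it, as an added example that is not part of the slides. The window size of 64 and the sequence numbers fed in are constructed; ICV verification, which must succeed before the window is updated, is outside the snippet.

```python
"""ESP anti-replay sliding window, as in RFC 4303 section 3.4.3.

Added example, not from the slide deck: the sequence-number check an ESP
receiver performs so that a packet captured once cannot be accepted twice.
The window is consulted before the ICV is verified and updated only after
it verifies; ICV checking itself is outside this snippet. Window size 64 and
the sequence numbers fed in are constructed.
"""
from typing import List, Tuple


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def check(self, seq: int) -> bool:
        """True if seq is new and not older than the window allows."""
        if seq == 0:                         # 0 is never sent; first valid is 1
            return False
        if seq > self.top:                   # right of the window: always new
            return True
        diff = self.top - seq
        if diff >= self.size:                # left of the window: too old
            return False
        return not (self.bitmap >> diff) & 1  # inside: new only if bit unset

    def update(self, seq: int) -> None:
        """Record seq; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int) -> bool:
        """Full receive path for one packet: check, then (if accepted) update."""
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def replay_filter(seqs: List[int], size: int = 64) -> List[Tuple[int, bool]]:
    """Run a sequence of received ESP sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [(s, window.receive(s)) for s in seqs]


if __name__ == "__main__":
    # Out-of-order delivery (3 before 2) is fine; the replayed 2 and 3 are not.
    print(replay_filter([1, 3, 2, 2, 3, 100, 37, 36]))
```

Two consequences worth knowing: packets that fall behind the window are dropped even though they are genuine, which is why a very reordering path needs a larger window, and the 32-bit counter must never wrap, so the SA has to be rekeyed (or extended sequence numbers used) before it does.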
GRE tunnel
VPN lab
BGP
• Exterior gateway protocol
• Advanced distance vector, usually described as a path-vector protocol
• A list of attributes influences the best-path decision
• Carries the list of autonomous systems through which a route update has passed (the AS_PATH attribute)
• Ensures loop-free paths: a router rejects any update whose AS_PATH already contains its own AS number, so no path can contain the same AS twice
• Classless
BGP
• Relies upon TCP (port 179)
• Uses unicast packets to exchange route information, keepalives and other messages
• Neighbors exchange updates on a triggered basis
• iBGP: neighbors in the same AS
• eBGP: neighbors in different ASes
• Networks can be advertised with the network command, from static routes, or by redistribution
• Neighbors are configured statically; protect each session with a TCP MD5 password (neighbor <ip> password <key>) so a forged session cannot inject routes
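The AS_PATH loop check and prepend described above, as an added example that is not part of the slides: the AS numbers and paths are constructed.

```python
"""BGP AS_PATH loop prevention and path-length comparison.

Added example, not from the slide deck: the check a router performs on an
eBGP UPDATE it receives (reject if its own AS is already in AS_PATH), the
prepend it does before re-advertising, and the shortest-AS_PATH comparison.
AS numbers and paths are constructed.
"""
from typing import List, Optional


def accept_update(local_as: int, as_path: List[int]) -> bool:
    """eBGP loop check: a path that already contains our AS came from us."""
    return local_as not in as_path


def advertise(local_as: int, as_path: List[int]) -> List[int]:
    """AS_PATH as sent to an eBGP peer: our own AS is prepended on the way out."""
    return [local_as] + as_path


def best_by_as_path(local_as: int, candidates: List[List[int]]) -> Optional[List[int]]:
    """Among loop-free candidates prefer the shortest AS_PATH (the tie-breaker
    Cisco applies after weight, local preference and local origination)."""
    ok = [p for p in candidates if accept_update(local_as, p)]
    return min(ok, key=len) if ok else None


def propagate(path: List[int], through: List[int]) -> List[int]:
    """Walk a route through a chain of ASes, prepending at each hop; stops at
    the first AS that sees itself in the path."""
    for asn in through:
        if not accept_update(asn, path):
            break
        path = advertise(asn, path)
    return path


if __name__ == "__main__":
    print(propagate([65010], [65002, 65003, 65002]))   # loop stops at the second 65002
    print(best_by_as_path(65001, [[65004, 65005, 65006], [65007, 65008]]))
```

The loop check is the only thing in the protocol that stops a route from circulating forever; it says nothing about whether the originating AS was entitled to announce the prefix, which is why prefix filters on each neighbor are still needed.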
Configuring BGP
Thank you for your time!
Thank you. May God reward you.