
THE BIG BOOK OF CCNA STUDY

1|Page
Intense School CCNA QUAD Cert Training
THE BIG BOOK OF CCNA STUDY

Table of Contents
Part 1: Fundamentals of Computer Networking........................................................................................... 5
Chapter 1: Fundamentals of Computer Networking & Ethernet LANs ..................................................... 5
Chapter 2: Fundamentals of TCP/IP Transport, Applications & Security:............................................... 22
Chapter 3: Introduction to WANs ........................................................................................................... 29
Chapter 4: Fundamentals of IPv4 Addressing and Routing .................................................................... 36
Part 2- IPv4 Subnetting & Variable Length Subnet Mask ........................................................................... 43
Chapter 5- Perspective on IPv4 Subnetting ............................................................................................ 43
Chapter 6- Analyzing Classful IPv4 Networks ......................................................................................... 47
Chapter 7: Converting subnet masks ...................................................................................................... 50
Chapter 8: Analyzing Existing Subnet Masks ......................................................................................... 55
Chapter 9: Designing Subnet Masks ....................................................................................................... 60
Chapter 10: Variable Length Subnet Masking (VLSM) ............................................................................ 65
Chapter 11: Route Summarization: A Need of Routing Table ................................................................ 69
Part 3: Introduction to Router and Cisco IOS .............................................................................................. 75
Chapter 12: Introduction to Routers and their Operation...................................................................... 75
Chapter 12.5- Managing Cisco IOS Licensing .......................................................................................... 83
Chapter 13- Setting a password in a Router and its Recovery................................................................ 90
Part 4: IPv4 Routing .................................................................................................................................... 96
Chapter 14- Different Methods of Routing and Routing Protocols ........................................................ 96
Chapter 15 - Routing Information Protocol- RIP v2 and RIPv1 ............................................................. 101
Chapter 16 - Enhanced Interior Gateway Routing Protocol (EIGRP) .................................................... 107
Chapter 17- Introduction to Open Shortest Path First (OSPF) Protocol: .............................................. 115
Chapter 18: OSPF Areas ........................................................................................................................ 127
Chapter 19: OSPF Troubleshooting ....................................................................................................... 139
Chapter 20: Necessity of Route Redistribution..................................................................................... 151
Part 5: IPv6 Addressing & Routing ............................................................................................................ 156
Chapter 21: Fundamentals of IPv6 Addressing & Routing .................................................................... 156
Chapter 22: OSPF in IPv6(OSPFv3) ........................................................................................................ 163
Chapter 23: EIGRP in IPv6 ..................................................................................................................... 173
Part 6: LAN Switching Technologies .......................................................................................................... 179

Chapter 24: Introduction to LAN Switching Technologies .................................................................... 179
Chapter 26: Installing and Operating Cisco Switches ........................................................................... 185
Chapter 26- Virtual Local Area Network (VLAN) ................................................................................... 192
Chapter 27- Inter VLAN Routing ........................................................................................................... 206
Chapter 28- Virtual Trunking Protocol (VTP) ........................................................................................ 212
Chapter 29- Spanning Tree Protocol ..................................................................................................... 221
Chapter 30: EtherChannel..................................................................................................................... 251
Chapter 31: Troubleshooting LAN Switches ......................................................................................... 257
Chapter 32: Introduction to Wireless LAN ............................................................................................ 274
Part 7: IP Services ...................................................................................................................................... 279
Chapter 33- Configuring and Verifying DHCP ....................................................................................... 279
Chapter 34: First Hop Redundancy Protocols (HSRP, VRRP & GLBP).................................................... 284
Chapter 35: Network Management Protocol (SNMP, Syslog & NTP) ................................................... 299
Part 8: Network Security ........................................................................................................................... 306
Chapter 36: Introduction to Network Security ..................................................................................... 306
Chapter 37: IP Access Control Lists ....................................................................................................... 310
Chapter 38: Understanding Wildcard Masks ........................................................................................ 319
Chapter 39: NAT/PAT - The Technique behind Private and Public IP Communication ........................ 327
Chapter 40: An Introduction to Virtual Private Network (VPN)............................................................ 331
Part 9- Wide Area Network (WAN) .......................................................................................................... 335
Chapter 41: Point-to-Point WANs ......................................................................................................... 335
Chapter 42: Demystifying Frame Relay................................................................................................. 346
Chapter 43: Troubleshooting Frame Relay ........................................................................................... 356
Chapter 44: GRE Tunnels ...................................................................................................................... 370
Appendix ................................................................................................................................................... 377

Acknowledgement:

There are numerous people who have influenced and helped me to write this book. These include
all of my co-authors (Paris Arau, Muhammad Furqan, Tolulope Ogunsina, Costi Serban), who are
continuously writing their articles on the Intense School Resources website.

I would like to acknowledge the encouragement and time provided by the entire management of
Infosec Institute. In particular, I would like to thank Mr. Chris Sienko, Director of Online Content
at Intense School, for giving me the opportunity in the first place. A special thanks to my friend and
colleague Nitin Vashisht for his continuous input, not only for this book, but also for my life.

Special thanks to all readers and students at Intense School, who generously support us by
reading and sharing these articles at Intense School Resources.

Finally, I would like to give special thanks to my lovely wife Ambia for giving me the time and
opportunity to concentrate on writing this. Without her continuous support, this book would not
be possible, so I am grateful to her.

Dedication:
This book is dedicated to my parents, family and my wife, Ambia.

-------------- Afazuddin Ahamed

January, 2016

Part 1: Fundamentals of Computer Networking


Chapter 1: Fundamentals of Computer Networking & Ethernet LANs

In this introductory chapter, we will discuss some basics of computer networking. Anyone who
wants to make a career in the telecommunication and computer networking field needs to
understand these fundamentals.

Packet Switching, Message Switching and Circuit switching

Let's start with a discussion of switching technology. I have seen many professionals who
simply don't understand the concept of switching. If I ask them a question about switching
in an interview, they misunderstand and answer about a device called a Switch. In reality,
a Switch is just one kind of switching device, much like a Router, a Hub, etc.

In the communications world, Circuit Switching dominated most of the 20th century. You can
still see this technique in traditional telephony, the Public Switched Telephone Network
(PSTN). A dedicated physical circuit is established between two nodes, and the information
flows along the same route for the entire duration of a "call." No information is stored en
route. In terms of reliability and quality of service, it is too good to replace, but as the term
itself suggests, it is very slow, because the circuit must be reserved before anything is sent.

That's why engineers came up with an improvement on this technology called Message
Switching. In Message Switching, no call is established between the two parties, so no
dedicated path is required. It uses a store-and-forward mechanism, so it is much faster than
Circuit Switching. X.25 was a good example of this technology, but it certainly can't provide
the network speed you want. Still, it provides error checking, flow control and rate conversion.

Then comes Packet Switching, which I believe is a revolutionary technology in the
telecommunication industry. Packet Switching is derived from Message Switching, but places a
limit on the message size: with packet switching, a node splits its data into packets before
sending. It still uses store-and-forward techniques, but packets need sequence numbers so that
the message can be reconstructed at the receiver. SS7 and the internet are the perfect examples
of packet switching, which provides high fault tolerance, reduced delay and improved
efficiency. The main disadvantage of a packet-switched network is jitter.

The main focus of this book will be packet switching technology, as the internet has already
become the de facto switching technology for data, voice and video traffic in the developed
world.

What is Computer Networking? By definition, computer networking means a group of
computers or nodes connected by communication paths.

You might have heard something about computer networking, or simply have experience
setting up a home network with a wireless router, but if you want to make a living out of this,
then you need to understand how big corporations, governments and consumer industries use
this technology.

Types of Networks:

LAN – A Local Area Network connects a group of nodes or hosts within a small physical area.
Most office, home and building networks are perfect examples of Local Area Networks.
Among all network types, LANs offer the highest data transfer rates within a small
coverage area. However, one LAN can be connected to other LANs over any distance via
telephone lines and radio waves.

WAN – A Wide Area Network connects groups of nodes in different geographic locations. A WAN
typically connects and allows communication between regions, across national boundaries, or even
around the entire planet. The most common example of a WAN is the internet.

MAN – A Metropolitan Area Network spans a city. If a university has several campuses throughout the
city, they are connected using a Metropolitan Area Network.

Virtual Private Networks (VPN): A Virtual Private Network connects nodes across a wider area using
virtual circuits over the internet instead of dedicated physical wires. VPNs are used to secure traffic
travelling over a public network such as the internet.

There are two main types of VPN:

- Site-to-Site VPNs – set up permanently between two buildings/sites.
- Access VPNs – temporary, for roaming users.

Intranet – An intranet uses packet switching technology to share data and other computing services within
an organization. It is a set of networks under the control of a single administrative authority. It can be
considered an internal network, or a private extension of the Internet, for an organization.

Extranet – An extranet is a private network that uses Packet Switching or Circuit Switching technology to
securely share a business's information or operations with suppliers, vendors, partners and customers. An
extranet can be viewed as the part of a company's intranet that is extended to users outside the company.

Internet – The internet is a worldwide system of interconnected network nodes that use the TCP/IP protocol
suite. Simply put, it is a network of networks that connects millions of enterprise, building, university,
private, public and government networking nodes and machines in a global network. It is slow compared to
a local area network.

Why do we need computer networks?

Computer networks help users on the network to share resources and to communicate. Can you
imagine a world today without email, online newspapers, blogs, chat and the other services offered by the
Internet?

The following are the important benefits of a computer network:

- File sharing: Networking computers lets users share data files across the network.
- Hardware sharing: Lets users share devices such as printers and scanners on a home or office network.
- Application sharing: Applications can be shared across the network, for example from your smartphone.
- User communication: Networks allow users to communicate using e-mail, newsgroups and video
  conferencing, including from their smartphones.
- Network gaming: I am sure you've already had the experience of using the internet to play online games.

Apart from these traditional services, today's networks also play a significant role in areas such as
Smart & Green Buildings, Smart City & Communities, Smart Energy Management, Smart Grid & Metering,
Smart Water Management, Smart Transportation & Logistics, Security & Public Safety, Public Health &
Medicare, etc.

Like everyone else, I have seen newly built skyscrapers in various parts of India, and I thought that as an ICT
engineer I had very little to offer infrastructure projects. Maybe many of you have thought the same
thing; it is a shame that our professors in universities do not give us a vision to love the technology.

Though this book doesn't allow me to discuss IP Converged Communications for building a smarter
world in more depth, I am including a diagram from the Japanese electronic systems integration company
Fujitsu.

From the diagram below you can understand that the internet provides the backbone infrastructure for
carrying the data traffic. It is very important that you get a sense of the importance of computer
networking.

Source- : http://www.fujitsu.com/global/about/environment/green-it/feature/

Half Duplex and Full Duplex Technology:

A half-duplex (HDX) system provides communication in both directions, but only in one direction at a time.
Typically, once one party begins receiving a signal, it must wait for the sender to stop transmitting before
it can transmit itself.

An example of a half-duplex system is a walkie-talkie, where one party must wait for the other party to
finish its transmission.

A full-duplex (FDX) system allows communication in both directions simultaneously.

The traditional telephony network (PSTN) is a good example of a full-duplex system, as it allows both
callers to speak and be heard at the same time.

Local Area Network – Ethernet Technology:

Ethernet technology was first created by Xerox in 1973. It is a contention-based media access method
that allows all hosts on a network to share the bandwidth of a link. Ethernet is the most popular
LAN technology because it is simple to configure and maintain, and because its speed can be upgraded
from Fast Ethernet to Gigabit Ethernet within an existing network infrastructure.

IEEE subdivided the Data Link Layer into two sub-layers for Ethernet technology: the Logical Link Control
(LLC) layer and the Media Access Control (MAC) layer. In the MAC layer, Ethernet uses MAC addressing for
communication, while LLC identifies which network-layer protocol a received frame is handed up to.

Ethernet layering (figure):
  Logical Link Control (LLC) Layer
  Media Access Control (MAC) Layer
  Physical Standards (Copper-CAT6, Fiber, RF/Wireless)

What is CSMA/CD: Carrier Sense Multiple Access / Collision Detection?

CSMA/CD is a set of rules governing how network nodes talk to each other on an Ethernet network.
This protocol helps devices share bandwidth evenly without having two devices transmit on the network
medium at the same time.

- Carrier: The signal on the network.

- Sense: The ability to detect it.

- Multiple Access: All devices have equal access to the network segment.

- Collision: This happens whenever two devices try to send information at the same time.

- Detection: How the network node or workstation detects and handles a collision.

With this set of rules, all networking systems (workstations, routers, switches, etc.) can inform every
other device in the network segment that a collision has occurred. Collisions cause delay, congestion and
low throughput in a network.
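To make the five rules above concrete, here is a small slotted-time model of CSMA/CD. It is an added example, not code from the book or from Cisco: time is sliced into slots, a station only transmits when it has data, its backoff has expired and the medium is idle (carrier sense), and stations that start in the same slot all detect the collision, stop, and retry after a random truncated binary exponential backoff, which is the retry rule real Ethernet uses. The slot sizes, the `Station` model and the fixed random seed are my assumptions, chosen so that a run is reproducible and the effect of collisions on throughput (the "delay, congestion and low throughput" just mentioned) can be measured.

```python
# Added example, not from the book: a toy slotted-time model of CSMA/CD.
# Assumptions (mine): a frame occupies frame_slots slots; a station transmits
# only when it has data, its backoff has expired and the medium is idle; all
# stations starting in the same slot detect the collision, jam for one slot,
# and back off by a random number of slots drawn from a truncated binary
# exponential range (the rule 802.3 Ethernet uses). Seeded RNG for repeatability.
import random
from dataclasses import dataclass


@dataclass
class Station:
    name: str
    frames_to_send: int
    sent: int = 0            # frames delivered so far
    collisions: int = 0      # collisions this station took part in
    attempts: int = 0        # failed attempts for the current frame
    backoff_until: int = 0   # first slot in which the station may try again


def simulate(stations, frame_slots=4, max_slots=10_000, seed=1):
    """Run until every station has sent its frames; return the event log.

    Each log entry is (slot, "send", station_name) or
    (slot, "collision", (name, name, ...)).
    """
    rng = random.Random(seed)
    busy_until = 0  # the medium carries a signal until this slot
    log = []
    for slot in range(max_slots):
        if all(s.sent >= s.frames_to_send for s in stations):
            break
        if busy_until > slot:
            continue  # carrier sensed: every station defers
        ready = [s for s in stations
                 if s.sent < s.frames_to_send and s.backoff_until <= slot]
        if len(ready) == 1:
            s = ready[0]
            s.sent += 1
            s.attempts = 0
            busy_until = slot + frame_slots
            log.append((slot, "send", s.name))
        elif len(ready) > 1:
            # Collision detected by every transmitter: jam, then back off.
            log.append((slot, "collision", tuple(s.name for s in ready)))
            for s in ready:
                s.collisions += 1
                s.attempts += 1
                k = min(s.attempts, 10)              # range truncated at 2^10 slots
                s.backoff_until = slot + 1 + rng.randrange(2 ** k)
            busy_until = slot + 1                    # the jam signal fills this slot
    return log


def efficiency(log, frame_slots):
    """Fraction of elapsed slots that carried frames rather than collisions or idle time."""
    if not log:
        return 0.0
    elapsed = log[-1][0] + frame_slots   # the run always ends on a send
    sends = sum(1 for _, event, _ in log if event == "send")
    return sends * frame_slots / elapsed


if __name__ == "__main__":
    stations = [Station("A", 3), Station("B", 3), Station("C", 3)]
    events = simulate(stations)
    for entry in events:
        print(entry)
    print("efficiency:", round(efficiency(events, 4), 2))
    print({s.name: s.collisions for s in stations})
```

Running it with three stations shows the pattern the text describes: the first slot is always a collision because every station senses an idle medium at once, and the more stations contend, the larger the share of slots lost to collisions and backoff, which is exactly why a shared-medium segment slows down as it grows.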

Remember, before the invention of Ethernet technology, Token Ring technology was popular in places
where the Carrier Sense Multiple Access/Collision Avoidance mechanism was used. This was much
slower than Ethernet technology, because all other hosts had to wait while one node held the token.

Network Topology:

A network topology describes the layout of a network: how the different nodes and elements are
connected to each other. Different types of topology include:

a. Ring:

- All nodes are connected to one another in a loop.
- Each device is connected to one or more devices on either side.

The topology above is an example of a Ring topology, where each device is connected on either side. This
topology is not good in practice because it simply needs too much wiring. It is slow because packets need
to travel through all the nodes on the way to the destination, and if any workstation fails, the other
nodes also fail to communicate with each other.

b. Bus:

- All nodes are connected to a central, common cable called the backbone.
- In a bus topology, the server is at one end and the clients are connected at different positions along
  the network.
- A bus topology is easy to manage and install, and needs less wiring than other topologies.
- However, if the backbone fails, all communication fails.

c. Star:

- Communication between the nodes goes through a centrally located switch or hub.
- It requires relatively more cable than a bus, but if any single node fails, the rest of the LAN is
  unaffected.
- In today's world, almost all buildings and enterprises use a star topology, where each telecommunication
  node/outlet is connected to an access layer switch located in an IDF. But remember that a UTP/STP
  CAT 6/6A cable run must not exceed 100 meters, otherwise the signal may become too weak.

IP Systems Cable: Cables carry communication signals within a LAN or WAN. There are three common types
of cable media used to connect devices to a network: coaxial cable, twisted-pair cable and fibre-optic cable.

Coaxial cable: Today, coaxial cable is used only for Cable TV/SMATV or analogue CCTV systems within an
enterprise network. A solid-core copper wire runs down the middle of the coaxial cable. Around that
solid-core wire is a layer of insulation, and covering that insulation is braided wire and metal foil, which
shield against electromagnetic interference. A final layer of insulation covers the braided wire. The
bandwidth of coaxial cable is 10 Mbps (megabits per second).

Twisted Pair Cable: A pair of wires forms a circuit that can transmit data. Inside the cable, the pairs are
twisted to protect against crosstalk, a common type of noise generated by adjacent pairs (and a common
noise source in the PSTN). When a wire carries a current, the current creates a magnetic field around the
wire, and this field can interfere with signals on nearby wires. To counter this, the two wires of a pair
carry the signal in opposite directions, so that the two magnetic fields also point in opposite directions
and cancel each other out. This process is known as cancellation. There are two types of twisted pair
cable: Shielded Twisted Pair (STP) and Unshielded Twisted Pair (UTP).

Unshielded Twisted-Pair (UTP) Cable: This is the most common networking medium. UTP consists of four
pairs of thin copper wires, each covered in colour-coded plastic insulation, twisted together. The wire
pairs are then covered with a plastic outer jacket. The connector used on a UTP cable is called a
Registered Jack 45 (RJ-45) connector. UTP cable has a small diameter and does not need grounding. But
remember that the cable tray, trunking and conduit the cable runs through must be connected to the
building grounding system to protect against hazards. Since UTP cabling has no shielding, it relies only
on cancellation to avoid noise.

Shielded Twisted-Pair (STP) Cable is much more expensive than UTP cable because it uses shielded twisted
pairs. As it is shielded, it suffers less crosstalk than UTP cable. It is mostly used for IPTV/BMS/video
conferencing applications, because video communication needs much more bandwidth (with less noise)
than data or voice communication.

Optical Fibre Cabling: Optical fibre cables use a fibreglass core to carry digital data signals in the form
of modulated pulses of light. An optical fibre consists of an extremely thin cylinder of glass, called the
core, surrounded by a concentric layer of glass known as the cladding. There are two fibres per cable: one
to transmit and one to receive. The core can also be an optical-quality clear plastic, and the cladding can
be a gel that reflects signals back into the fibre to reduce signal loss. There are two types of fibre optic
cable: Single Mode Fibre (SMF) and Multi-Mode Fibre (MMF).

Single Mode Fibre (SMF) uses a single ray of light to carry transmissions over long distances. Single Mode
Fibre is mainly used for outside plant communication.

Multi-Mode Fibre (MMF) uses multiple rays of light simultaneously, each travelling at a different reflection
angle, to carry transmissions over short distances. It is normally deployed to connect an IDF room to the
MDF room (Data Centre) in a building or campus.

Straight-Through Cabling: CAT 6 UTP cabling usually uses only 2 of its 4 pairs when sending and receiving
information on the network. The four wires used are wires 1, 2, 3 and 6. When each wire is connected to
the same pin at either end of the cable, this is known as a straight-through cable. From the figure below,
we can see that wires 1 and 2 are used to transmit data from the computer and 3 and 6 are used to receive
data on the computer. The transmit wire on the computer matches the receive wire on the hub. For the
transmission of data to take place, the transmit pins on the computer must match the receive pins on the
hub, and the transmit pins on the hub must match the receive pins on the computer. Here we can see that
pins 1, 2, 3 and 6 on the computer connect to pins 1, 2, 3 and 6 on the hub; hence the term
straight-through.

For more information about telecommunication wiring, please refer to the TIA 568 A/B standard
(http://www.utm.edu/staff/leeb/568/568.htm). Depending on your country, you will use standard A or B;
I use standard B here in the Middle East.

Cross-Over Cabling: We cannot connect two computers or two hubs together using a straight-through
cable. To connect two computers together without a hub/switch, we need a crossover cable, which swaps
wires 1 and 2 with wires 3 and 6 at one end of the cable. By shifting the pins, we make sure that the
transmit pins on Computer A match the receive pins on Computer B, and the transmit pins on Computer B
match the receive pins on Computer A.
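The straight-through and crossover rules above can be written down as a small pin model, which is handy when checking a patch cord that "should" work but doesn't. This is an added example, not from the book or from any standard's text: it assumes a PC or router NIC is an MDI port (transmits on pins 1-2, receives on 3-6) and a hub or switch port is MDI-X (transmits on 3-6, receives on 1-2), and it deliberately ignores auto-MDI-X so that the classic rules show through. It generalizes the two cases in the text to any pairing of those device types.

```python
# Added example, not from the book: a model of the TX/RX pin rules described
# above. Assumptions (mine): PC/router ports are MDI, hub/switch ports are
# MDI-X, auto-MDI-X is ignored. Only the four signal wires 1, 2, 3 and 6 matter.

# Pins each port type drives (TX) and listens on (RX).
TX_PINS = {"MDI": (1, 2), "MDI-X": (3, 6)}
RX_PINS = {"MDI": (3, 6), "MDI-X": (1, 2)}
PORT_TYPE = {"pc": "MDI", "router": "MDI", "hub": "MDI-X", "switch": "MDI-X"}

# Cable wiring as a map from the pin on end A to the pin it reaches on end B.
CABLES = {
    "straight-through": {1: 1, 2: 2, 3: 3, 6: 6},
    "crossover": {1: 3, 2: 6, 3: 1, 6: 2},
}


def link_works(device_a, device_b, cable):
    """True if A's transmit pins land on B's receive pins and vice versa."""
    a_to_b = CABLES[cable]
    b_to_a = {b: a for a, b in a_to_b.items()}   # the same cable, seen from end B
    port_a, port_b = PORT_TYPE[device_a], PORT_TYPE[device_b]
    a_heard_by_b = tuple(a_to_b[p] for p in TX_PINS[port_a]) == RX_PINS[port_b]
    b_heard_by_a = tuple(b_to_a[p] for p in TX_PINS[port_b]) == RX_PINS[port_a]
    return a_heard_by_b and b_heard_by_a


def required_cable(device_a, device_b):
    """Name of the cable that links the two devices, or None if neither does."""
    for name in CABLES:
        if link_works(device_a, device_b, name):
            return name
    return None


if __name__ == "__main__":
    pairs = [("pc", "hub"), ("pc", "pc"), ("hub", "hub"),
             ("router", "switch"), ("switch", "switch"), ("pc", "router")]
    for pair in pairs:
        print(pair, "->", required_cable(*pair))
```

The rule that falls out is the one the text states: like-to-like devices (PC to PC, hub to hub, switch to switch, and also PC to router, since both are MDI) need a crossover, and an MDI device to an MDI-X device needs straight-through.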

Why is Structured Cabling required for today's network?

In buildings (hotels, hospitals or offices), industrial plants, or any enterprise network, it is mandatory
to use a proper structured cabling infrastructure to run Information and Communication Technology
networks. I have seen many a Cisco engineer who does not attach great value to these ICT passive
components. But in reality, many network-related problems occur due to poorly managed cabling
systems. As a Network Engineer (ICT active components specialist), you must understand the ICT passive
components used for telecommunication wiring inside IDFs and MDFs.

Figure: A typical rack configuration (21 U), prepared in AutoCAD as per the BICSI-TIA 568/B standard. In
this diagram, I have given the detailed engineering design of a rack configuration (IDF), prepared with
AutoCAD software.

Remember, the rack/cabinet size (9 U, 15 U, 21 U, 42 U) used inside an IDF, MDF or Data Centre normally
depends on the number of telecommunication outlets. The design of ICT passive components such as patch
panels (UTP, STP and fibre optic), cable organizers and other rack accessories is prepared by a structured
cabling designer.

Most structured cabling designers need to follow the BICSI (Building Industry Consulting Service
International) standards for laying cable inside electrical trunking, conduits and raceways. To meet the
customer's needs, we typically use passive components such as a central patch panel in a rack inside the
IDF room, from where each modular connection can be used as needed. Each outlet is then patched into a
network switch (an access layer switch in the case of an IDF room, or a core switch in the case of the Data
Centre) using a short patch cord, giving the building its IP infrastructure. Each cable needs proper
labelling for identification; this is required when configuring and troubleshooting the network switch ports.

Please see the riser diagram below (a total of three levels), which is a good example of a structured
cabling layout for a building. As you can see, each level has racks (Intermediate Distribution Frames, or
IDFs) that are connected to the Data Centre core switch via multimode fibre optic cable. From the IDFs to
the end-user outlets (such as IPTV, Data, CCTV, BMS, IP Telephone, etc.), a single CAT 6/6A UTP/STP cable
runs horizontally. Remember that the length of this cable must not exceed 90 meters.

At the CCNA level, I don't have the scope to discuss this further, so I would encourage you to get
yourself a copy of the Cabling Guide (by Oliviero & Woodward, Wiley) or simply visit the BICSI
website (https://www.bicsi.org) for more information about structured cabling.

Connection type – Point to Point, Point to Multipoint, Unicast, Multicast, Broadcast:

- Unicast: A frame with a unicast destination MAC address is intended for only one network component
  on a segment. This type of connection is called a Point-to-Point connection. The PSTN/traditional
  telephony system is a perfect example of a Point-to-Point connection.
- Multicast: A multicast address represents a group of devices on a segment. The multicast group can
  contain anything from a few devices to every device on the segment. A Point-to-Multipoint connection
  uses a multicast address to send information to a group of systems.
- Broadcast: A broadcast is a data link frame intended for every networking component on the same
  segment. Broadcasts are used in two situations. First, broadcasts are more effective than unicast if we
  need to send the same information to every machine: with unicast we would have to create a separate
  frame for each machine on the segment, whereas with a broadcast we can do the same thing with a single
  frame. Radio communication uses the broadcast communication method.
- Collision Domain: A collision domain is an Ethernet term for a physical segment on which, when one
  device sends a packet, every other device on the segment has to pay attention to it. This is bad if two
  devices on one physical segment transmit at the same time: the event is called a collision, each device's
  digital signal interferes with the other's on the wire, and both devices are forced to re-transmit later.
  Collisions cause congestion, and the network becomes very slow.
- Broadcast Domain: A broadcast domain is a group of devices on a network segment that hear all the
  broadcasts sent on that segment. Even though a broadcast domain is typically a boundary delimited by
  physical devices such as switches and routers, it can also refer to a logical division of network segments
  in which all hosts can reach each other via a data link layer broadcast.

Common networking devices:

HUB:

Figure: A typical home office connected by a hub (hub, file/email server).

A hub, sometimes called a concentrator, is a device for connecting multiple Ethernet devices together and
making them act as a single network segment. It has multiple input/output (I/O) ports, and a signal
introduced at the input of any port appears at the output of every port except the one it came in on. A
hub works at the physical layer (layer 1) of the OSI model and forms a single collision domain, which
means all the connected devices 'talk' over a single shared medium. That's why a hub is slower than other
networking devices such as a router or switch.

Repeater:
A repeater, also called a regenerator, is an electronic device that operates only at the physical layer. It
receives a signal before it becomes too weak, regenerates the original bit pattern and puts a refreshed copy
back on the link. Data transmissions can only span a limited distance before
the quality of the signal degrades. Repeaters preserve signal integrity and extend the distance
over which data can safely travel.

[Figure: a server and a client PC joined through a repeater; the two cable runs are marked 110 m and 80 m]

Bridge:
A bridge filters data traffic at a network boundary. Bridges reduce the amount of traffic on a LAN
by dividing it into two segments. They divide a larger network into smaller segments and operate at
Layer 2 of the OSI model.

[Figure: a typical small office network connected with a bridge, separating the corporate LAN department from the sales department and its sales database server]

Bridges inspect incoming traffic and decide whether to forward or discard it. An Ethernet bridge, for
example, inspects each incoming Ethernet frame, including the source and destination MAC addresses
and sometimes the frame size, in making individual forwarding decisions. A traditional bridge, though,
joins only two segments, whereas a switch usually offers four or more hardware ports. Switches
are sometimes called "multi-port bridges" for this reason. Neither bridges nor Layer 2 switches understand
logical (IP) addressing; they forward on MAC addresses only.

Switch:

[Figure: an access layer switch; each port is in a separate collision domain, so each host gets dedicated bandwidth, while all the attached PCs are in the same broadcast domain]

A switch links network segments or network devices. The term commonly refers to a multi-port network
bridge that processes and forwards frames at the data link layer (layer 2) of the OSI model. Switches that
additionally process data at the network layer (layer 3) and above are often called layer-3 switches or
multi-layer switches. A layer 2 switch uses MAC addresses to decide where to forward each frame. We will discuss more about
switches in later chapters of this book.

Router:
A router routes data packets from one network to another. The two networks connect to the router using
their own wiring type and connection type. A router is a layer 3 device and uses logical (IP) addressing for
its forwarding decisions. We will discuss more about routers later.

[Figure: a typical home network connected with a wireless router; the router holds a public IP address (120.60.35.54) on the external public network toward the Internet and a private IP address (192.168.5.1) on the internal private network, where a host uses 192.168.5.2]

The above diagram is an example of a router in a home network, where the local network uses internal
private IP addresses (mostly from the class C private range 192.168.0.0/16) and the home router uses a unique public IP
address, obtained from the service provider, to connect to the outside world. We will discuss more about routers and how they
work in later chapters of this book.

OSI reference model vs TCP/IP protocol suite:

Layer 1: Physical layer: It represents all the electrical and physical specifications for devices. This layer
defines how the cable is attached to the network adapter and what transmission technique is used to
send data over the cable.

Layer 2: Data link layer: It provides the functional and procedural means to transfer data between
network entities and to detect, and possibly correct, errors that may occur in the Physical layer. Switches,
cable modems, DSL modems and wireless access points work in this layer. Frame Relay is a popular WAN technology
of the Data Link layer. MAC addressing is used in this layer, and a MAC address is generally referred to as a layer 2 address.

Layer 3: Network layer: The Network layer provides the functional and procedural means of transferring
variable length data sequences from a source to a destination via one or more networks. As routers run
in this layer, it is often referred to as "the routing layer." It uses IP addresses for its
addressing, and network admins interact with the network largely through IP addresses.

Layer 4: Transport layer: This layer provides transparent transfer of data between end systems by
establishing a logical end-to-end connection. Both TCP, which is a connection-oriented protocol, and the
connectionless protocol UDP work in this layer.

Layer 5: Session layer: This layer controls the sessions between computers. It connects, manages, and
terminates the connections between the local and remote application, which is why it is sometimes called the manager of the
OSI model. This layer handles the creation, maintenance and teardown of communication between two
hosts.

Layer 6: Presentation layer: This layer transforms data into a standard representation. This is where data
encryption, compression, and translation (for example, character-set conversion) happen.

Layer 7: Application Layer: This layer provides a means for the user to access information on the network
through an application. The end user interacts with this layer, and authentication services also run at this
layer. Telnet, HTTP and FTP are examples of Application Layer protocols.

In the TCP/IP model, the Application layer maps to the Application, Presentation and Session layers of the
OSI model, the Transport and Internet layers map to the OSI Transport and Network layers, and the Network Access
layer maps to the Data Link and Physical layers.

Data encapsulation/De-encapsulation:

In the OSI reference model, as data is passed from higher to lower layers, each layer adds information to
the original data, normally a header or trailer. This process is called data encapsulation. A Protocol Data
Unit (PDU) is the name for the data plus the overhead added to it at a given layer.

Source:http://www.highteck.net/EN/Communicating/Communicating_over_the_Network.html

In the above diagram, a user has asked to email a personal message to friends on the
internet. The email data remains plain data while it passes down through the Application, Presentation and Session layers to
the Transport layer; the Transport layer adds its header, and the PDU is now called a segment. As the segment
is passed down to the Network layer, a layer 3 header is added and the PDU is called a packet. The Data Link layer
adds both a layer 2 header and a trailer, and the PDU is called a frame. At
the Physical layer, the frame is converted into electrical signals, light pulses or radio waves according to the
medium. This process is called encapsulation.

When the friends receive the information on the other side of the internet, it goes through the reverse process:
each layer strips its own header and trailer information from the PDU and passes the remainder up. As this is the reverse
of encapsulation, it is known as de-encapsulation.

TCP, IP, UDP:

TCP – Transmission Control Protocol is used to establish communication between nodes and
exchange data. TCP is a connection-oriented protocol and works at the transport layer of the OSI
model. It detects loss and corruption with sequence numbers, acknowledgement numbers and a checksum. It uses a three-way
handshake, which means the two devices have to agree on some basic parameters before
data segments can be sent, and if the sender does not receive an acknowledgement from the receiver, it
retransmits the data. That is why the mechanism is commonly known as Positive Acknowledgement
with Re-transmission (PAR). TCP is used by most applications that require guaranteed
delivery of data; the price of that guarantee is more overhead, and lower speed, than UDP.

UDP – User Datagram Protocol is a connectionless protocol. It is normally used as an alternative to
TCP. UDP does not set up a connection, does not turn an application's data into a numbered stream of segments, and does not
acknowledge or resend anything; each datagram is sent on its own and may arrive out of order or not at all. Hence,
the application program must handle sequencing and loss itself. UDP uses port numbers to distinguish between applications.
It is faster than TCP because it does not wait for acknowledgements from the receiver.

IP – Internet Protocol is used for transmission of data over the internet. IP uses IP addresses to identify
each machine uniquely. A message is sent as a series of small packets. Each packet carries both the sender's and the
receiver's address. IP does not guarantee delivery, nor delivery in the same order as sent, because
packets may travel via different routes. It is a connectionless protocol and works at the
network layer of the OSI reference model.

TCP vs UDP:
o TCP guarantees the delivery of data. UDP, on the other hand, does not guarantee delivery of data.
o TCP delivers messages in the order they were sent. UDP has no ordering mechanism. In TCP, data is
sent as a stream, while UDP sends data as individual datagrams.
o UDP is faster than TCP.
o TCP is a connection-oriented protocol, while UDP is connectionless.
o A TCP header (at least 20 bytes) is much longer than a UDP header (8 bytes), which is one reason UDP has less overhead than TCP.

Physical/MAC address & logical/IP address:

MAC (Media Access Control) addresses are 48-bit addresses that are written into hardware at
the time of manufacture and are intended to be globally unique. The MAC address is associated with a network adapter. MAC
addresses are also known as hardware addresses or physical addresses. A Content-Addressable Memory (CAM)
table, or MAC table, is the table in a network switch that maps MAC addresses to ports. Note that most
operating systems let an administrator change the MAC address an adapter uses, so it is an identifier, not proof of identity.
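As an added example (not from the book), the following Python simulates the behaviour described under Switch above and the CAM table just mentioned: a switch learns the port for each source MAC address it sees and forwards a known unicast out of one port only, flooding unknown destinations and broadcasts; a hub, for contrast, repeats everything out of every other port. The port numbers, MAC addresses and frame sequence are constructed.

```python
"""Added example: a simplified Layer 2 switch that learns a MAC (CAM) table
from source addresses and forwards on destination addresses.  Illustrative
code written for this section, not Cisco IOS behaviour or the book's own
material; ports, addresses and frames are constructed sample data."""

from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC address
    dst: str            # destination MAC address
    ingress_port: int   # switch port the frame arrived on


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port (the CAM table)

    def forward(self, frame):
        """Return the list of ports the frame is sent out of.

        1. Learn: record the source MAC against the ingress port.
        2. Forward: known unicast -> that one port; unknown unicast or
           broadcast -> flood every port except the one it came in on.
        """
        self.mac_table[frame.src] = frame.ingress_port
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            out = self.mac_table[frame.dst]
            # A frame whose destination is on the ingress segment is filtered;
            # this is what keeps each port in its own collision domain.
            return [] if out == frame.ingress_port else [out]
        return [p for p in self.ports if p != frame.ingress_port]


def hub_forward(ports, ingress_port):
    """A hub has no table at all: every frame is repeated out of every other port."""
    return [p for p in ports if p != ingress_port]


def demo():
    sw = Switch(ports=[1, 2, 3, 4])
    a, b = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
    # A (port 1) -> B: B is unknown, so the frame is flooded out of 2, 3 and 4.
    flood = sw.forward(Frame(src=a, dst=b, ingress_port=1))
    # B (port 2) replies to A: A was learned from the first frame, so only port 1.
    reply = sw.forward(Frame(src=b, dst=a, ingress_port=2))
    # A -> B again: both are now known; only port 2 sees it.
    known = sw.forward(Frame(src=a, dst=b, ingress_port=1))
    # A sends a broadcast: always flooded, whatever the table says.
    bcast = sw.forward(Frame(src=a, dst=BROADCAST, ingress_port=1))
    return flood, reply, known, bcast, dict(sw.mac_table)


if __name__ == "__main__":
    for label, ports in zip(("flood", "reply", "known", "bcast"), demo()):
        print(label, ports)
    print("hub, any frame from port 1:", hub_forward([1, 2, 3, 4], 1))
```

The table is built purely from unauthenticated source addresses, so a host that sends frames with a forged source MAC rewrites the entry for that address; Cisco switches offer port security to limit which and how many MAC addresses a port may learn.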

IP address or Internet Protocol address is the address of a device attached to an IP network (TCP/IP
network). It is a must for every client, server and network device to have a unique IP address for each
network connection (network interface). Every IP packet contains a source IP address and a destination IP
address. As a device moves from one network to another, its IP address changes.

Computers using TCP/IP for communication are uniquely identified by a 32-bit address called an IP
address. Routers use the destination IP address to forward each packet toward the destination computer.

IP addresses are categorized as:

Private addresses: these IP addresses (the RFC 1918 ranges) are used only within a private network and are not
routed on the public Internet.

Public addresses: these are registered IP addresses that are reachable from the public Internet.

Each IP address has a network part and a host part. IP addresses are expressed as four decimal numbers
(each from 0 to 255), separated with dots. Each number is called an octet because, when converted to binary, it consists of
eight binary digits. In later chapters, we will learn more about IP addressing, which is very important not only
for passing the exam, but also for the real-world job environment.

Chapter 2: Fundamentals of TCP/IP Transport, Applications & Security:

In the previous chapter, we only introduced the TCP/IP model and the meaning of TCP, UDP and IP.
Remember, TCP/IP is a network protocol suite which is used on LANs, WANs and the Internet. But not
everyone who uses it understands how it works. It's possible to use TCP/IP with little knowledge of it,
but a better understanding will always give you a clearer picture of what is going on in your network.

The objective of this TCP/IP chapter is to explain the key concepts behind the TCP/IP protocol suite.

TCP/IP stands for Transmission Control Protocol/Internet Protocol. If this leads you to think that it is not
just one protocol, you’re right. In fact, it is not just two protocols either, but a suite of protocols.

Like most network protocols, TCP/IP is a layered protocol. Each layer builds upon the layer below it, adding
new functionality. The lowest level protocol is concerned purely with the business of sending and receiving
data using specific network hardware.

At the top are protocols designed specifically for tasks like transferring files or delivering email. In between
are levels concerned with things like routing and reliability. The benefit of the layered protocol stack is that
a new network application needs only a protocol for that application; you don't have
to rewrite the whole stack.

Unlike the OSI layer model, TCP/IP is a four-layer protocol. The lowest level, the Network Interface layer,
is implemented within the network adapter and its device driver. Since Ethernet is the most common type
of network, we will look at it in a bit more detail.

The Ethernet protocol is designed for carrying blocks of data called frames. A frame consists of a header
containing 48-bit hardware destination and source addresses (which identify specific network adapters),
a 2-byte type/length field, and in some variants further control fields. After that follows the data, and then a trailer, which is
simply a 32-bit cyclic redundancy check (CRC) field. The data portion of an Ethernet frame must be at
least 46 bytes long, so filler (padding) bytes are inserted if necessary.

Transportation:

The Transport Layer provides data flow control and error checking mechanisms and, with TCP, the reliable arrival
of messages.

[Figure: detailed work of the Transport Layer protocols in the OSI and TCP/IP models]

At the Transport Layer, there are two methods for transporting data: "connection-oriented", referring to
TCP, and "connectionless", referring to UDP. TCP, the connection-oriented delivery method,
provides several additional services to prevent lost data:

Flow control and acknowledgements in TCP

TCP uses a series of acknowledgements to provide reliable delivery and, together with the window the receiver
advertises, flow control. When the receiving host receives a segment, it sends an acknowledgement, or "ACK", back to the sender. If the sender does not
receive an acknowledgement for a segment it sent, the segment is resent, and segments are reassembled in the
correct order at the receiver. Flow control prevents the receiver's buffer from being overwhelmed: the receiver advertises how much
buffer space it has left, the sender does not send beyond that window, and segments that arrive when the buffer is full are not
acknowledged. (A buffer is the part of the host's memory used to hold received data waiting for the application to read it.)
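The following Python simulation, added here and not part of the book, walks through Positive Acknowledgement with Retransmission as described in Chapter 1 together with the flow-control behaviour just described: the sender transmits MSS-sized segments within the window the receiver advertises, the receiver acknowledges cumulatively and accepts only in-order data that fits its buffer, and anything not acknowledged is resent. The payload, the segments the channel drops and the rate at which the application drains the receive buffer are constructed, and the model leaves out timers, the handshake and congestion control.

```python
"""Added example: simulation of TCP-style positive acknowledgement with
retransmission (PAR), cumulative ACKs and a receiver-advertised window.
Illustrative code written for this section, not the book's material or a real
TCP stack; data, loss pattern and the application's read schedule are constructed."""


class LossyChannel:
    """Drops each sequence number listed in `drop_once` the first time it is
    sent, so the retransmission of that segment gets through."""

    def __init__(self, drop_once):
        self.pending = set(drop_once)
        self.dropped = []

    def deliver(self, seq):
        if seq in self.pending:
            self.pending.discard(seq)
            self.dropped.append(seq)
            return False
        return True


class Receiver:
    """In-order receiver with a bounded buffer: the window it advertises is
    its free buffer space, and the application drains the buffer with app_read."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.expected = 0             # next byte sequence number wanted
        self.buffer = bytearray()     # received, not yet read by the application
        self.delivered = bytearray()  # handed to the application, in order

    def window(self):
        return self.capacity - len(self.buffer)

    def receive(self, seq, payload):
        # Accept only the next in-order segment that fits the free space;
        # anything else is not acknowledged, so the sender will resend it.
        if seq == self.expected and len(payload) <= self.window():
            self.buffer += payload
            self.expected += len(payload)
        return self.expected, self.window()   # cumulative ACK plus window

    def app_read(self, n):
        self.delivered += self.buffer[:n]
        del self.buffer[:n]


def send_reliably(data, mss, channel, receiver, drain_every=2, max_rounds=100):
    """Sender: each round, transmit MSS-sized segments from the oldest
    unacknowledged byte up to the advertised window, then move the base to
    the cumulative ACK.  Returns (delivered bytes, retransmissions,
    rounds spent waiting on a zero window, dropped sequence numbers)."""
    base = 0
    window = receiver.window()
    sent_once = set()
    retransmissions = 0
    zero_window_rounds = 0
    for round_no in range(1, max_rounds + 1):
        if base >= len(data):
            break
        if window == 0:
            zero_window_rounds += 1   # real TCP would probe with the persist timer
        limit = min(base + window, len(data))
        ack, seq = base, base
        while seq < limit:
            payload = data[seq:min(seq + mss, limit)]
            if seq in sent_once:
                retransmissions += 1
            sent_once.add(seq)
            if channel.deliver(seq):
                ack, window = receiver.receive(seq, payload)
            seq += len(payload)
        base = ack                    # everything below the cumulative ACK is confirmed
        if round_no % drain_every == 0:
            receiver.app_read(receiver.capacity)   # the application reads slowly
            window = receiver.window()             # the next ACK carries the new window
    if base < len(data):
        raise RuntimeError("no progress after %d rounds" % max_rounds)
    receiver.app_read(len(receiver.buffer))
    return bytes(receiver.delivered), retransmissions, zero_window_rounds, list(channel.dropped)


def demo():
    data = b"The quick brown fox jumps over the lazy dog"   # 43 bytes, constructed
    return send_reliably(data, mss=8, channel=LossyChannel(drop_once={8, 32}),
                         receiver=Receiver(capacity=16))


if __name__ == "__main__":
    delivered, retx, zero_win, dropped = demo()
    print(delivered, "retransmissions:", retx, "zero-window rounds:", zero_win, "dropped:", dropped)
```

With the constructed loss pattern the segment at byte 8 is lost once and resent; the segment at byte 32 is lost while the following segment arrives, but because the receiver only acknowledges in-order data both are resent, and one round is spent idle because the receiver's buffer was full.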

[Figure: flow diagram of TCP acknowledgement]

Above the link layer is the network (Internet) layer; the most important protocol at this level is IP, the Internet
Protocol. Its job is to send packets or datagrams - a term which basically means "blocks of data" - from
one point to another. It uses the link layer protocol to achieve this. Both the network layer and the link
layer are concerned with getting data from point A to point B. However, whilst the network layer works
in the world of IP addresses, the link layer has to deal with the real hardware. Everything it does is geared towards
the network hardware it uses.

To make this possible, the TCP/IP protocol suite includes link-layer protocols which convert between IP
and hardware addresses. The Address Resolution Protocol (ARP) finds the physical address corresponding
to an IP address. It does this by broadcasting an ARP request on the network.

When a host recognizes an ARP request containing its own IP address, it sends an ARP reply containing its
hardware address. There is also a Reverse ARP (RARP) protocol. This is used by a host to find out its own
IP address if it has no way of doing this except via the network.
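As an added example (not from the book), the following Python builds the ARP request and reply frames exchanged as described above and shows how a host decides whether to answer. The MAC addresses and the 192.0.2.0/24 addresses (a documentation range) are constructed.

```python
"""Added example: building and answering ARP requests on Ethernet (RFC 826
layout).  Illustrative code written for this section, not the book's material;
all addresses are constructed."""

import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Return a full Ethernet frame carrying an ARP packet.  A request goes to
    the broadcast MAC (the asker does not yet know the target); a reply goes
    straight back to the asker's MAC."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = struct.pack("!6s6sH", dst, mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT,
                      1,          # hardware type: Ethernet
                      0x0800,     # protocol type: IPv4
                      6, 4,       # hardware / protocol address lengths
                      op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Parse an ARP frame into a dict; raise ValueError for anything else."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


def handle_arp(frame, my_mac, my_ip):
    """What a host does with an ARP frame it sees: answer a request for its
    own IP address with a reply, ignore everything else.  Returns the reply
    frame or None."""
    arp = parse_arp(frame)
    if arp["op"] == ARP_REQUEST and arp["target_ip"] == my_ip:
        return build_arp(ARP_REPLY, my_mac, my_ip, arp["sender_mac"], arp["sender_ip"])
    return None


def demo():
    asker_mac, asker_ip = "00:11:22:aa:aa:aa", "192.0.2.10"
    owner_mac, owner_ip = "00:11:22:bb:bb:bb", "192.0.2.20"
    # "Who has 192.0.2.20? Tell 192.0.2.10": target MAC is unknown, so all zeros.
    request = build_arp(ARP_REQUEST, asker_mac, asker_ip, "00:00:00:00:00:00", owner_ip)
    # Every host on the segment receives the broadcast; only the owner answers.
    ignored = handle_arp(request, "00:11:22:cc:cc:cc", "192.0.2.30")
    reply = handle_arp(request, owner_mac, owner_ip)
    return request, ignored, parse_arp(reply)


if __name__ == "__main__":
    request, ignored, reply = demo()
    print("request:", parse_arp(request))
    print("other host answered:", ignored is not None)
    print("reply:", reply)
```

Nothing in the exchange proves the reply came from the real owner of the address: any host on the segment can answer, which is what ARP spoofing relies on. Switches with Dynamic ARP Inspection check replies against DHCP snooping bindings for that reason.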

Host to Host communication using TCP/IP protocol suite

IP is the bedrock protocol of TCP/IP. Every message and every piece of data sent over any TCP/IP network
is sent as an IP packet. Its job is to enable data to be transmitted across and between networks. Hence
the name: inter-net protocol. In a small LAN, it adds little to what could be achieved if the network
applications talked directly to Ethernet. If every computer is connected to the same Ethernet cable, every
message could be sent directly to the destination computer. Once you start connecting networks
together, however, direct Ethernet communication becomes impractical. At the application level, you may
address a message to a computer on the far side of the world, but your Ethernet card can’t communicate
with the Ethernet card on that computer. Physical Ethernet limitations would prevent it, for a start. It
would, in any case, be undesirable for every computer in the world to be connected to one big network.
Every message sent would have to be heard by every computer, which would be bedlam.

Instead, inter-net communications take place using one or more “hops”. Your Ethernet card will
communicate with another Ethernet device on the route to the final destination. Routing is the important
capability that IP adds to a hardware network protocol. Before we come to it, we will look at some other
features of IP.

An IP packet consists of the IP header and data. The header includes a 4-bit protocol version number, a
header length, a 16-bit total length, some control fields, an 8-bit protocol field, a header checksum and the 32-bit source and
destination IP addresses. Without options, this totals 20 bytes. The protocol field deserves particular attention: it identifies
which higher-level TCP/IP protocol (for example TCP, UDP or ICMP) sent the data. When a packet arrives at its destination (either the packet's
destination address equals the host's own IP address, or it is a broadcast address), this field tells IP which
protocol module to pass it on to.
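As an added example (not the book's code), the following Python carries the encapsulation and de-encapsulation process described in Chapter 1 through real header layouts: application data becomes a UDP segment, then an IPv4 packet (the 20-byte header with the checksum and protocol field described above), then an Ethernet frame with padding and a 32-bit FCS; the receiving side checks the FCS, demultiplexes on the EtherType and then on the IPv4 protocol field, and strips each header in turn. Addresses, ports and the payload are constructed; IPv4 options are not handled and the UDP checksum is left at zero, which IPv4 permits.

```python
"""Added example: data encapsulation and de-encapsulation through UDP, IPv4
and Ethernet.  Written for this section, not the book's or any vendor's code;
addresses, ports and payload are constructed."""

import ipaddress
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
ETH_MIN_PAYLOAD = 46        # Ethernet pads the data field up to this before the FCS
IP_FMT = "!BBHHHBBH4s4s"    # ver/ihl, tos, total len, id, flags/frag, ttl, proto, cksum, src, dst


def ip_checksum(header):
    """RFC 1071 one's-complement sum over 16-bit words (header length is even)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(data, src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac):
    """Walk down the stack and return the PDU produced at each layer."""
    # Transport layer: 8-byte UDP header + data = segment (datagram).
    segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data
    # Network layer: 20-byte IPv4 header + segment = packet.
    ip_hdr = struct.pack(IP_FMT, 0x45, 0, 20 + len(segment), 0x1234, 0, 64,
                         IPPROTO_UDP,          # tells the receiver which module gets the payload
                         0,                    # checksum placeholder, filled in below
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment
    # Data link layer: 14-byte Ethernet header + padded packet + 4-byte FCS = frame.
    body = packet + b"\x00" * max(0, ETH_MIN_PAYLOAD - len(packet))
    eth_hdr = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    fcs = struct.pack("<I", zlib.crc32(eth_hdr + body) & 0xFFFFFFFF)
    return {"segment": segment, "packet": packet, "frame": eth_hdr + body + fcs}


def deencapsulate(frame):
    """Walk back up: verify the FCS, demultiplex on EtherType, then on the
    IPv4 protocol field, and hand the application its data."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        raise ValueError("bad FCS: frame discarded at layer 2")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", body[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("EtherType %#06x not handled" % ethertype)
    ip_hdr = body[14:34]
    if ip_checksum(ip_hdr) != 0:      # a valid header sums to zero, checksum field included
        raise ValueError("bad IPv4 header checksum: packet discarded at layer 3")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip = struct.unpack(IP_FMT, ip_hdr)
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 without options is handled")
    packet = body[14:14 + total_len]  # the total length strips the Ethernet padding
    if proto != IPPROTO_UDP:
        raise ValueError("IP protocol %d not handled" % proto)
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[20:28])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": str(ipaddress.IPv4Address(src_ip)), "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
            "ttl": ttl, "protocol": proto, "src_port": src_port, "dst_port": dst_port,
            "data": packet[28:20 + udp_len]}


def demo():
    """Constructed sample: a 5-byte datagram to port 53 between two test-range hosts."""
    layers = encapsulate(b"hello", "192.0.2.1", "192.0.2.2", 40000, 53,
                         bytes.fromhex("001122aaaaaa"), bytes.fromhex("001122bbbbbb"))
    parsed = deencapsulate(layers["frame"])
    damaged = bytearray(layers["frame"])
    damaged[20] ^= 0x01               # flip a single bit inside the IP header
    try:
        deencapsulate(bytes(damaged))
        fcs_caught = False
    except ValueError:
        fcs_caught = True
    return layers, parsed, fcs_caught


if __name__ == "__main__":
    layers, parsed, fcs_caught = demo()
    for name in ("segment", "packet", "frame"):
        print(name, len(layers[name]), "bytes")
    print(parsed)
    print("single-bit error caught by the FCS:", fcs_caught)
```

The 5-byte payload grows to a 13-byte segment, a 33-byte packet and a 64-byte frame (the minimum Ethernet size once padded), and a single flipped bit is rejected by the FCS before any upper-layer header is read.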

Let’s come to the Application layer that contains the higher-level protocols used by most applications for
network communication. Examples of application layer protocols include File Transfer Protocol (FTP) and
Simple Mail Transfer Protocol (SMTP). Data coded according to application layer protocols are then
encapsulated into one or (occasionally) more transport layer protocols (such as TCP or UDP), which in turn
use lower layer protocols to effect actual data transfer. Application layer protocols are most often
associated with client server applications, and the more common servers have specific ports assigned to
them by the IANA; HTTP has port 80 and Telnet has port 23.

[Table: TCP/IP applications with their assigned port numbers; not reproduced in this extract]

Network Security - Types of Attacks

Denial of Service
Commonly called DoS attacks.
 Purpose: breaking things.
 Often called destroyers, crashers or flooders.
 The attackers flood the network with packets and requests, rendering the network or servers
unusable.

Reconnaissance
 Main goal is to gain information about the network.
 E.g. learning IP addresses, hostnames and device configurations.

Access
 Usually an attempt to steal data.
 Mostly done for financial and competitive purposes.

Firewalls
 Firewalls sit between a secure network and an unsecure network (with an interface in each).
 They scan inbound and outbound traffic for potential threats.
 They usually look at transport layer port numbers and application layer headers to determine traffic
types.
 Cisco's old firewall appliances were the PIX firewall devices.
 The newer devices are called Adaptive Security Appliances (ASAs).
 Cisco uses the term Anti-x to refer to all the security tools that prevent problems.
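As an added example (not from the book, and not Cisco PIX or ASA syntax), the following Python implements the kind of check the bullets describe: a rule list evaluated per inbound interface on addresses, protocol and transport-layer port, first match wins, with an implicit deny for anything not explicitly permitted. The rules, interface names and packets are constructed.

```python
"""Added example: a stateless packet filter with first-match rules and a
default deny.  Illustrative code written for this section, not the book's
material or any vendor's configuration language; rules and packets are constructed."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface it arrived on: "outside" (unsecure) or "inside" (secure)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # transport-layer destination port


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    in_iface: str
    src: str                # CIDR prefix
    dst: str                # CIDR prefix
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any port

    def matches(self, pkt):
        return (self.in_iface == pkt.in_iface
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(rules, pkt):
    """First matching rule decides; a packet no rule permits is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None     # implicit default deny


POLICY = [
    # Inside hosts may go out, but only to HTTPS and DNS.
    Rule("permit", "inside", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    Rule("permit", "inside", "10.0.0.0/8", "0.0.0.0/0", "udp", 53),
    # A blocked source network is denied before the general permit below can match it.
    Rule("deny", "outside", "198.51.100.0/24", "0.0.0.0/0", "any", None),
    # Outside may reach only the published web server, and only on 443.
    Rule("permit", "outside", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
]


def demo():
    cases = {
        "inside_https": Packet("inside", "10.1.2.3", "203.0.113.99", "tcp", 443),
        "inside_telnet": Packet("inside", "10.1.2.3", "203.0.113.99", "tcp", 23),
        "outside_web": Packet("outside", "192.0.2.7", "203.0.113.10", "tcp", 443),
        "outside_ssh": Packet("outside", "192.0.2.7", "203.0.113.10", "tcp", 22),
        "blocked_net": Packet("outside", "198.51.100.9", "203.0.113.10", "tcp", 443),
    }
    return {name: evaluate(POLICY, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Being stateless, the filter cannot tell the return half of a permitted inside-to-outside connection from a new connection arriving from outside; a stateful firewall such as the ASA tracks connections for that purpose, and rule order matters because the first match wins.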

Intrusion Prevention and Detection

 IPS: Intrusion Prevention Systems
 Sit in the packet forwarding path.
 Same function as an IDS, but react to the traffic and filter it out.

 IDS: Intrusion Detection Systems
 Typically get sent a copy of the traffic on a monitoring port (as opposed to sitting in the forwarding path).
 Can then rate and report on potential attacks.
 Can then potentially talk to other devices (routers, firewalls, etc.) to stop the attack.

 Both find attacks by looking at trends and patterns in network traffic.

We will discuss more about network security threats in later parts of this book.

Chapter 3: Introduction to WANs

In this chapter, we are going to discuss the concepts of Wide Area Network (WAN). If you are interested
in working in the service provider domain, you need to master WAN technology.

So let's begin with a basic question: "What is a WAN?" A WAN is a packet-switching
(data communication) or circuit-switching (traditional telephony) network that operates beyond the
geographic scope of a Local Area Network. In this book, our main area of focus will be on packet
switching technologies. WAN technologies generally function at the lower three layers of the OSI
reference model: the physical layer, the data link layer, and the network layer. One thing to remember
about traditional telephony is that the Public Switched Telephone Network (PSTN) uses circuit switching, and
circuit-switched services such as Integrated Services Digital Network (ISDN) were used for Wide Area Network connections. The
PSTN has carried voice traffic for more than 100 years, and ISDN is still used in legacy
telecommunication networks. If you study Cisco Voice technology, you will get a chance to know more
about it.

WANs are different from LANs in several ways. While a LAN connects computers, peripherals, and other
devices in a single building or other small geographic area, a WAN allows the transmission of data across
greater geographic distances. In addition, an enterprise must subscribe to a WAN service provider to use
WAN carrier network services. LANs are typically owned by the company or organization that uses them
for running their local network.

WANs use facilities provided by a service provider, or carrier, such as a telephone or cable company, to
connect the locations of an organization to each other, to locations of other organizations, to external
services, and to remote users. WANs generally carry a variety of traffic types, such as voice, data, and
video.

Here are the three major characteristics of WANs:


■ WANs generally connect devices that are separated by a broader geographical area than can be served
by a LAN or MAN.
■ WANs use the services of carriers, such as telephone companies, cable companies, satellite systems,
and network providers.
■ WANs use serial connections of various types to provide access to bandwidth over large geographic
areas.

Why WAN is Necessary for Enterprise Networking:


LAN technologies provide both speed and cost-efficiency for the transmission of data in organizations over
relatively small geographic areas. However, there are other business needs that require communication
among remote sites:
■ People in the regional or branch offices of an organization need to be able to communicate and share
data with the central site.
■ Organizations often want to share information with other organizations across large distances. For
example, software manufacturers routinely communicate product and promotion information to
distributors that sell their products to end-users.
■ Employees who travel on company business frequently need to access information that resides on their
corporate networks.

In addition, home computer users need to send and receive data across ever greater distances.
Here are some examples of daily usage of WAN technology:
 It is now common in many households for consumers to communicate with banks, stores, and a
variety of providers of goods and services via computers.
 Students do research for classes by accessing library indexes and publications located in other
parts of their country and in other parts of the world.

Since it is obviously not feasible to connect computers across a country or around the world in the same
way that computers are connected in a LAN with cables, different technologies have evolved to support
this need. Increasingly, the Internet is being used as an inexpensive alternative to using an enterprise WAN
for some applications. New technologies are available to businesses to provide security and privacy for
their Internet communications and transactions.

A Point-to-Point WAN Link


A point-to-point link provides a single, pre-established WAN communications path from the customer
premises through a carrier network, such as a telephone company, to a remote network. Point-to-point
lines are usually leased from a carrier and thus are often called leased lines. For a point-to-point line, the
carrier allocates pairs of wire and facility hardware to your line only. These circuits are generally priced
based on bandwidth required and distance between the two connected points. Point-to-point links are
generally more expensive than shared services such as Frame Relay.

Figure 1 illustrates a typical point-to-point link through a WAN connection.

WAN Devices

WANs use numerous types of devices that are specific to WAN environments. WAN switches, access
servers, modems, CSU/DSUs, and ISDN terminal adapters are discussed in the following sections. Other
devices found in WAN environments that are used in WAN implementations include routers, ATM
switches, and multiplexers such as Optical Network Terminal (ONT) and Optical Line Terminal (OLT) in
case of access network of service provider in FTTH scenario.

WAN Switch

A WAN switch is a multiport internetworking device used in carrier networks. These devices
typically switch such traffic as Frame Relay, X.25, and SMDS, and operate at the data link layer of
the OSI reference model.

Figure 2 illustrates two routers at remote ends of a WAN that are connected by WAN switches.

Access Server

An access server acts as a concentration point for dial-in and dial-out connections.

Figure 3 illustrates an access server concentrating dial-out connections into a WAN.

Modem

A modem is a device that converts between digital and analogue signals, enabling data to be transmitted over
voice-grade telephone lines. At the source, digital signals are converted to a form suitable for transmission
over analogue communication facilities. At the destination, these analogue signals are returned to their
digital form.

Figure 4 illustrates a simple modem-to-modem connection through a WAN.

CSU/DSU

A channel service unit/digital service unit (CSU/DSU) is a digital-interface device used to connect a router
to a digital circuit like a T1. The CSU/DSU also provides signal timing for communication between these
devices.

Figure 5 illustrates the placement of the CSU/DSU in a WAN implementation

ISDN Terminal Adapter

An ISDN terminal adapter is a device used to connect ISDN Basic Rate Interface (BRI) connections to other
interfaces, such as EIA/TIA-232 on a router. A terminal adapter is essentially an ISDN modem, although it
is called a terminal adapter because it does not actually convert analogue to digital signals.

WAN Physical Layer Terminology:

One primary difference between a WAN and a LAN is that a company or organization must subscribe to
an outside WAN service provider to use WAN carrier network services. A WAN uses data links provided
by carrier services to access the Internet and connect the locations of an organization to each other, to
locations of other organizations, to external services, and to remote users.

The WAN access Physical layer describes the physical connection between the company network and the
service provider network. The figure illustrates the terminology commonly used to describe physical WAN
connections, including:

 Customer Premises Equipment (CPE) - The devices and inside wiring located at the premises of the
subscriber and connected to a telecommunication channel of a carrier. The subscriber either owns
the CPE or leases the CPE from the service provider. A subscriber, in this context, is a company that
arranges for WAN services from a service provider or carrier. The ONT is the common CPE in an FTTH
scenario.

 Data Communications Equipment (DCE) - Also called data circuit-terminating equipment, the DCE
consists of devices that put data on the local loop. The DCE primarily provides an interface to connect
subscribers to a communication link on the WAN cloud.

 Data Terminal Equipment (DTE) - The customer devices that pass the data from a customer network
or host computer for transmission over the WAN. The DTE connects to the local loop through the DCE.

 Local Loop- The copper or fibre communication cable that connects the CPE at the subscriber site to
the CO of the service provider. The local loop is also sometimes called the “last-mile” or “Drop Cable”
in the service provider environment.

Let's talk briefly about common packet-switching technologies that are used for enterprise WAN
networks, including MPLS, Frame Relay, ATM, and legacy X.25.

X.25
X.25 is a legacy WAN technology whose Network layer protocol provides subscribers
with a network address. Virtual circuits can be established through the network with call request packets
to the target address. The resulting SVC is identified by a channel number. Data packets labelled with the
channel number are delivered to the corresponding address. Multiple channels can be active on a single
connection. Typical X.25 applications are point-of-sale card readers. These readers use X.25 in dialup
mode to validate transactions on a central computer. For these applications, the low bandwidth and high
latency are not a concern, and the low cost makes X.25 affordable. X.25 link speeds vary from 2400 b/s
up to 2 Mb/s. However, public networks are usually low capacity, with speeds rarely exceeding 64
kb/s.

X.25 networks are now in dramatic decline, being replaced by newer Layer 2 technologies such as Frame
Relay, ATM, and ADSL. However, they are still in use in many portions of the developing world, where
there is limited access to newer technologies.

Frame Relay
Although the network layout appears similar to X.25, Frame Relay differs from X.25 in several ways. Most
importantly, it is a much simpler protocol that works at the Data Link layer rather than the Network layer.
Frame Relay implements no error or flow control. The simplified handling of frames leads to reduced
latency, and measures taken to avoid frame build-up at intermediate switches help reduce jitter. Frame
Relay offers data rates up to 4 Mb/s, with some service providers offering even higher rates. Frame Relay
VCs are uniquely identified by a DLCI, which ensures bidirectional communication from one DTE device to
another. Most Frame Relay connections are PVCs rather than SVCs. In a later part of this book, we will
discuss more about Frame Relay.

ATM:
Asynchronous Transfer Mode (ATM) technology is capable of transferring voice, video, and data through
private and public networks. It is built on a cell-based architecture rather than on a frame-based
architecture. ATM cells are always a fixed length of 53 bytes. The ATM cell contains a 5 byte ATM header
followed by 48 bytes of ATM payload. Small, fixed-length cells are well suited for carrying voice and video
traffic because this traffic is intolerant of delay. Video and voice traffic do not have to wait for a larger
data packet to be transmitted.

ATM was designed to be extremely scalable and can support link speeds of T1/E1 to OC-12 (622Mb/s) and
higher. ATM offers both PVCs and SVCs, although PVCs are more common with WANs. And as with other
shared technologies, ATM allows multiple VCs on a single leased-line connection to the network edge.

Passive Optical Network - GPON Technology: Most developed countries have invested heavily in
fibre-to-the-home deployment, in which the service provider uses an all-fibre Passive Optical Network
and every customer has their own Optical Network Terminal (ONT) as customer premises
equipment. It is connected directly to the Optical Line Terminal (OLT) located at the central
office/local exchange of the service provider network. This solution is very popular in today's broadband
deployments and is also used in enterprise networks, including university campuses.


Chapter 4: Fundamentals of IPv4 Addressing and Routing

In the computer networking world, two types of addressing scheme are needed to establish
communication between two nodes. The first is physical addressing, the MAC address, and the
other is logical addressing, the IP address. In this chapter, we are going to discuss IP version 4 addressing
only; later on in this book, we are going to explore the other type of IP addressing, which is called IPv6.

What is IPv4 addressing?

An IP address is a numeric identifier assigned to each machine on an IP network to specify the location of
a device on the network. An IPv4 address is a software-based (logical) address, unlike the MAC address,
which is the physical address of a host. An IPv4 address is a 32-bit binary number; it is normally displayed
in a human-readable dotted-decimal form as a series of four numbers, like 128.11.3.1 (a class B IPv4
address).

Below is the binary representation of the class B IP address 128.11.3.31

IPv4 is a connectionless datagram protocol, which means that it is unreliable and works on a best-effort
delivery service. Due to the huge growth of the internet, the IETF standardized a new 128-bit long version
called IPv6 addressing scheme. It will be the new addressing scheme used all over the world in the near
future. (In some parts of the developed world, it has already become the popular choice.)

IP Terms:

Bit: A bit can have only a one-digit value, either 1 or 0.

Byte & Octet: According to IEEE, a byte is a set of adjacent bits operated on as a group. An octet is
a set of exactly 8 bits, read as an ordinary binary number.

Network address: The network address gives network nodes a unique identity to communicate with each
other.

Broadcast address: This is the address used by applications and hosts to send information to all
nodes on a specific subnetwork.

I assume that you have an understanding of Binary Number representation schema. If you don't, please
consider additional study, because it is very important for understanding the IP addressing scheme.


Range of IP addresses classes:

Remember, the IP address consists of a 32-bit number that ranges from 0 to 4294967295, meaning
approximately 4.3 billion unique addresses. To make such a large address block easier to handle, it was
divided into four 8-bit numbers or octets. The diagram below shows that 50% of the addresses are class
A addresses, and 25% are class B addresses:

An IP address contains two parts: Network ID and Host ID. The Network ID is the network portion of an IP
address. The Host ID is the portion of the address used to identify hosts on the network.
For a Class A network, the first 8 bits are the Network ID and the other 24 bits are the Host ID. For a Class
B network, the first two octets are the Network ID and the next two octets are the Host ID. In a Class C
network, the first 3 octets are the Network ID and the last octet is the Host ID. The figure below shows the
segregation of octets that make up the Network and Host IDs for each network class:

          Byte 1      Byte 2      Byte 3      Byte 4
Class A   Net-id      Host-id     Host-id     Host-id
Class B   Net-id      Net-id      Host-id     Host-id
Class C   Net-id      Net-id      Net-id      Host-id
Class D   Multicast address
Class E   Reserved for future use


The designers of the IPv4 protocol created classes of networks based on network size. Class A is meant for
a small number of networks, each with a large number of hosts, while Class C is meant for a large number
of networks, each with a small number of hosts. In the diagram below, you can see that a Class A network
starts with 0: the first bit of the first octet will always be 0 and the other 7 bits make up the Network ID.
For Class A, the number of networks is 126.

Characteristics of the IP Address Classes

Network   Address Range    Identity Bits    Bits in       Number of     Bits in    Number of
Class     (first octet)    (binary value)   Network ID    Networks      Host ID    Hosts
A         0 ~ 127          1 (0)            7             126           24         16,777,214
B         128 ~ 191        2 (10)           14            16,382        16         65,534
C         192 ~ 223        3 (110)          21            2,097,150     8          254

Classful network & Classless Network:

IP networks whose prefix length (CIDR value) is the default for their class are considered classful,
whereas networks with any other prefix length are considered classless.
Ex: 192.168.1.0/24 is a classful network, while 192.168.1.0/25 is a classless network.

Sub network/Subnet:
A sub network/subnet is a logical division of a larger network into smaller networks. By using subnetting
techniques, a network designer can reduce network traffic and manage the network better to enhance its
performance.

Subnet Mask:
A subnet mask is a 32-bit value that allows the recipient of IP packets to distinguish the network ID portion
of the IP address from the host ID portion of the IP address. If all eight bits of the first octet of a subnet
mask are 1, that octet is the binary number 11111111, which converts to the decimal number 255.

For that reason, the subnet mask of a Class A network address is 255.0.0.0, as seen in the diagram above.
The figure above shows why 255 is used.


Public and Private IP address:

Besides the reserved IP addresses (0.0.0.0/8 and 127.0.0.0/8), there are other addresses not used on the
public internet. These addresses are called Private IP addresses, and they are usually used for the internal
network of an enterprise. Network Address Translation (NAT) is needed because private IP addresses are
not routable on the public internet, so they must be translated into public IP addresses before they touch
the Internet.

• 10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
• 172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
• 192.168.0.0/16 (192.168.0.0 to 192.168.255.255)
• 169.254.0.0/16 (169.254.0.0 to 169.254.255.255)

Fundamentals of IP routing:

In this chapter, we will only discuss some basic principles behind IP routing and how it works in the
computer networking industry. In later parts of this book, we are going to discuss it in detail.
IP routing is required to send data from one network to another network. IP is a layer 3 protocol, which
means a layer 3 device, a router, is needed to enable communication between nodes on different networks.
IP routing can be classified into two parts:

I. Static Routing: In static routing, the network admin needs to manually add routes to each router's
routing table. Static routing is good for very small networks, where only a few routers need to be
configured. But if the network grows, it becomes impractical for a network admin to add, modify
and delete routes in each router's routing table manually.

II. Dynamic Routing: Dynamic routing is when protocols are used to find networks and update the
routing tables on a router. Dynamic routing can be classified into two parts: Interior Gateway
Protocol (IGP) and Exterior Gateway Protocol (EGP).

IGP: An Interior Gateway Protocol is a routing protocol that is used to exchange routing information within
the same autonomous system (AS).

EGP: An Exterior Gateway Protocol is used to determine network reachability between autonomous systems.
IGPs can be divided into two categories: distance-vector routing protocols and link-state routing protocols.

RIP and IGRP are examples of distance-vector routing protocols, which use the Bellman-Ford algorithm.
In a distance-vector routing protocol, no router possesses information about the full network
topology. Each router advertises its distance vector (DV), calculated from what it has learned from other
routers, and receives similar advertisements from its neighbours. Each router populates its routing table
from these advertisements and re-advertises whenever something changes.

In the next cycle, a router updates its information from its routing table. This process continues until the
routing tables of each router converge to stable values.

The diagram below shows the flow diagram of the different routing options:


Let's begin with a brief discussion of the most important distance vector routing protocols.

Routing Information Protocol:

• RIP employs hop count as its routing metric.
• The maximum number of hops is 15, its administrative distance (AD) is 120, and it retransmits all of
  its routing information to its neighbours every 30 seconds.
• RIP uses UDP as its transport protocol, on the reserved port number 520.

There are two versions of RIP:

RIPv1: Supports only classful routing, lacks support for VLSM, and does not provide any support for router
authentication.

RIPv2: Supports Classless Inter-Domain Routing (CIDR) and also supports multicast (at 224.0.0.9). It also
allows MD5 authentication, which means it is more secure than RIPv1.
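The following simulation is an added example, not from the book, of the distance-vector behaviour described in the two sections above: every router starts knowing only its directly connected neighbours, exchanges its whole table with them each cycle, and keeps the lowest hop count it hears (Bellman-Ford). The hop-count metric and the value 16 for "unreachable" are RIP's; the four-router topology and the `chain()` helper are constructed for the example, and the function names are the example's own.

```python
"""Distance-vector convergence with a RIP-style hop-count metric (added example)."""

INFINITY = 16  # RIP: 15 is the longest usable path, 16 means unreachable

# Constructed topology: router -> {neighbour: link cost}; RIP counts every link as 1 hop
LINKS = {
    "R1": {"R2": 1},
    "R2": {"R1": 1, "R3": 1},
    "R3": {"R2": 1, "R4": 1},
    "R4": {"R3": 1},
}


def chain(n):
    """Constructed straight line of n routers R1-R2-...-Rn, used to show the hop limit."""
    links = {f"R{i}": {} for i in range(1, n + 1)}
    for i in range(1, n):
        links[f"R{i}"][f"R{i + 1}"] = 1
        links[f"R{i + 1}"][f"R{i}"] = 1
    return links


def initial_tables(links):
    """Before any exchange a router knows itself (0 hops) and its neighbours (1 hop)."""
    tables = {}
    for router, nbrs in links.items():
        table = {router: (0, None)}  # destination -> (hops, next hop)
        for nbr, cost in nbrs.items():
            table[nbr] = (cost, nbr)
        tables[router] = table
    return tables


def exchange_round(links, tables):
    """One update cycle. Every router receives each neighbour's current table and
    adopts a route when link cost + advertised cost beats what it already holds.
    All routers work from the previous cycle's tables, so they move together."""
    new_tables, changed = {}, False
    for router, nbrs in links.items():
        table = dict(tables[router])
        for nbr, cost in nbrs.items():
            for dest, (advertised, _) in tables[nbr].items():
                candidate = min(cost + advertised, INFINITY)  # never count past infinity
                current = table.get(dest, (INFINITY, None))[0]
                if candidate < current:
                    table[dest] = (candidate, nbr)
                    changed = True
        new_tables[router] = table
    return new_tables, changed


def converge(links, max_rounds=64):
    """Run update cycles until a cycle changes nothing.
    Returns (tables, number of the first cycle that changed nothing)."""
    tables = initial_tables(links)
    for cycle in range(1, max_rounds + 1):
        tables, changed = exchange_round(links, tables)
        if not changed:
            return tables, cycle
    raise RuntimeError("routing tables did not converge")


def hops(tables, src, dst):
    """Hop count src -> dst, or INFINITY when dst never made it into src's table."""
    return tables[src].get(dst, (INFINITY, None))[0]


def reachable(tables, src, dst):
    return hops(tables, src, dst) < INFINITY


if __name__ == "__main__":
    tables, cycles = converge(LINKS)
    for router in sorted(tables):
        print(router, tables[router])
    print("stable after cycle", cycles)
```

In the four-router line, R1 only learns about R4 in the second cycle, because R2 first has to hear about R4 from R3: information travels one hop per update interval, which is the root of RIP's slow convergence. Run `converge(chain(18))` to see the hop limit in action: routers 16 or more hops apart simply never appear in each other's tables.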


Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol invented by Cisco.
It was designed to overcome the limitations of RIP, and it also exchanges routing data within an
autonomous system.

Enhanced Interior Gateway Routing Protocol (EIGRP):

• EIGRP is a Cisco proprietary hybrid protocol, which means it uses both distance vector and link state
  techniques. It runs directly over IP as IP protocol number 88, and it is a layer 3 protocol.
• Most of its routing optimizations are based on the Diffusing Update Algorithm (DUAL), which provides
  loop-free operation and fast convergence. Backup routes are also selected by the DUAL algorithm.
• It supports Classless Inter Domain Routing (CIDR), but auto-summarization is on by default, which
  means only classful network advertisements are sent. For that reason, a network administrator needs
  to disable auto-summarization to use CIDR.
• It sends a query for an alternate route if no feasible successor is found.
• By default, the maximum hop count for EIGRP is 100, but it can be set from 1 to 255. The hop count
  is not used to calculate the best path; it is mainly used to prevent unwanted routing loops.
• It supports equal-cost load balancing over up to 4 links and unequal-cost load balancing over up to
  16 links.
• EIGRP multicasts at 224.0.0.10, and the convergence time of EIGRP is lower than that of OSPF and
  RIP (EIGRP < OSPF < RIP).

Metric values are:

Metric         Value Range
Bandwidth      0 - 4.2 M
Delay          0 - 4.2 M
Load           1 - 255
Reliability    0 - 255
MTU            1 - 65535

In order to maintain a neighborship in EIGRP, these conditions must be met:

• Hello packets should be received.
• The primary subnet should match.
• Packets should come from the same Autonomous System.
• The K values should be identical.
• Authentication should match.

When the neighborship is established, the router sends its full routing table once; after that, only
partial updates are sent to its neighbor. The EIGRP hello timer is 5 sec and the hold time is 15 sec.

EIGRP also supports IPX, AppleTalk and IPv6.
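As an added example (not from the book), the code below computes the EIGRP composite metric from the bandwidth and delay values whose ranges are tabulated above and then applies DUAL's successor and feasible-successor selection, which is how EIGRP keeps the loop-free backup route mentioned in the bullets. The metric formula and the feasibility condition are EIGRP's standard ones; the K values used are the defaults (K1 = K3 = 1, K2 = K4 = K5 = 0). The neighbour distances in `ROUTE_CANDIDATES` are constructed, and the function names are the example's own.

```python
"""EIGRP composite metric and DUAL successor / feasible-successor selection (added example)."""


def eigrp_metric(min_bandwidth_kbps, total_delay_us, k1=1, k2=0, k3=1, k4=0, k5=0,
                 load=1, reliability=255):
    """Composite metric along a path.
    bandwidth term: 10^7 divided by the slowest link on the path, in kb/s
    delay term:     the sum of interface delays, in tens of microseconds
    With the default K values this reduces to 256 * (bandwidth term + delay term)."""
    bw = 10_000_000 // min_bandwidth_kbps
    delay = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:  # the reliability factor only applies when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def dual_select(candidates):
    """candidates: list of (neighbour, reported_distance, computed_distance).
    Reported distance (RD) is the neighbour's own metric to the destination; computed
    distance is RD plus the metric of the link to that neighbour.
    Successor: the lowest computed distance, which becomes the feasible distance (FD).
    Feasible successor: any other neighbour whose RD is strictly less than FD (the
    feasibility condition), which guarantees its path does not loop back through us."""
    successor, _, fd = min(candidates, key=lambda c: c[2])
    feasible = [nbr for nbr, rd, _ in candidates if nbr != successor and rd < fd]
    return successor, fd, feasible


def has_backup(candidates):
    """Without a feasible successor, EIGRP must query its neighbours for an alternate route."""
    return bool(dual_select(candidates)[2])


# Constructed example: three neighbours offer routes to the same destination network.
ROUTE_CANDIDATES = [
    ("R2", 100, 200),  # best computed distance -> successor, FD = 200
    ("R3", 150, 300),  # RD 150 < FD 200 -> feasible successor (kept as a backup)
    ("R4", 250, 260),  # close second, but RD 250 >= FD -> fails the feasibility condition
]


if __name__ == "__main__":
    print("T1 (1544 kb/s, 20000 us):", eigrp_metric(1544, 20000))
    print("FastEthernet (100000 kb/s, 100 us):", eigrp_metric(100000, 100))
    print("successor, FD, feasible successors:", dual_select(ROUTE_CANDIDATES))
```

The R4 case is the one worth noticing: its computed distance is almost as good as the successor's, yet DUAL will not install it as a backup, because a reported distance of 250 means R4's own best path might pass through this router. If R2 failed, the route via R3 would be installed immediately from the topology table, with no query round.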

Open Shortest Path First:

Open Shortest Path First is an open standard, IP-based link-state routing protocol that uses IP protocol
number 89. It works at Layer 3 of the OSI layered network model.

OSPF is the most widely used IGP in large enterprise networks.

OSPF is designed to support Variable Length Subnet Masks and the CIDR addressing model.


It multicasts to the 224.0.0.5 and 224.0.0.6 addresses: hello packets are normally sent to 224.0.0.5,
and 224.0.0.6 is used to send messages to the DR/BDR.

An OSPF domain is divided into different areas; several types of area are defined, such as the Backbone
Area, Stub Area, and Non-Stub Area. The diagram below illustrates the roles of the Area Border Router
(ABR) and the Autonomous System Boundary Router (ASBR):
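The following is an added example (not from the book) of what a link-state protocol such as OSPF does with the information it floods: every router ends up with the same map of links and costs and runs Dijkstra's shortest-path-first computation from itself. The cost formula is OSPF's default (reference bandwidth 100 Mb/s divided by interface bandwidth, minimum 1); the five-link topology and its bandwidths are constructed, and the function names are the example's own.

```python
"""OSPF-style link-state SPF computation (added example, not from the book)."""
import heapq

REFERENCE_BW_BPS = 100_000_000  # OSPF default reference bandwidth, 100 Mb/s


def ospf_cost(bandwidth_bps):
    """Cost = reference bandwidth / interface bandwidth, never below 1
    (100 Mb/s -> 1, 10 Mb/s -> 10, T1 -> 64; links faster than the reference also get 1)."""
    return max(1, REFERENCE_BW_BPS // bandwidth_bps)


# Constructed link-state database: (router, router, bandwidth in b/s); links are symmetric
LINK_STATES = [
    ("R1", "R2", 100_000_000),
    ("R1", "R3", 10_000_000),
    ("R2", "R3", 100_000_000),
    ("R2", "R4", 10_000_000),
    ("R3", "R4", 1_544_000),
]


def build_graph(link_states):
    """Turn the flooded link states into router -> {neighbour: cost}."""
    graph = {}
    for a, b, bw in link_states:
        cost = ospf_cost(bw)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, root):
    """Dijkstra: {router: (total cost, path from root)} for every reachable router."""
    best = {root: (0, [root])}
    heap = [(0, root, [root])]
    done = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in done:  # a cheaper entry for this node was already settled
            continue
        done.add(node)
        for nbr, link_cost in graph.get(node, {}).items():
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, path + [nbr])
                heapq.heappush(heap, (new_cost, nbr, path + [nbr]))
    return best


def routing_table(graph, root):
    """What lands in the routing table: destination -> (cost, next hop)."""
    return {dst: (cost, path[1]) for dst, (cost, path) in spf(graph, root).items() if dst != root}


if __name__ == "__main__":
    graph = build_graph(LINK_STATES)
    for dst, (cost, path) in sorted(spf(graph, "R1").items()):
        print(f"R1 -> {dst}: cost {cost} via {' -> '.join(path)}")
```

Note how R1 reaches R3 over two FastEthernet hops (cost 2) rather than its direct 10 Mb/s link (cost 10), and how the T1 between R3 and R4 is avoided entirely: with a full topology map, SPF makes these choices in one computation, which is why a link-state protocol converges faster than a distance-vector one that must wait for advertisements to ripple hop by hop.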

Border Gateway Protocol (BGP):

• Border Gateway Protocol is a scalable and reliable (security is high) protocol. It is basically used in
  ISP networks.
• Millions of routers are connected together using BGP, so it is very slow to reach convergence.
• BGP neighborships are configured manually as unicast sessions, but BGP supports IPv4 and IPv6
  multicast.
• It works in Layer 7, so it is an application layer routing protocol. It routes based on autonomous
  systems and runs over TCP on port 179.

BGP message types:

1. Keepalive: maintains the neighborship; the hello (keepalive) timer is 60 sec and the hold time is 180 sec.
2. Update message: exchanges network layer reachability information.
3. Open message: gives the formal introduction between peers.
4. Notification: reports an error, such as a bad or malformed message.

To establish a BGP neighborship, the router needs to check:

• IGP (reachability)
• AS/IP
• Authentication
• Router ID
• Same BGP version

When the Autonomous System (AS) is the same, iBGP is used. Otherwise, eBGP is used.

Tips for CCNA Exams for Part 1: Fundamentals of Computer Networking:


For examination purposes, you need to have a good understanding of the OSI layers and the TCP/IP
protocol suite. Try to understand which protocol works in which layer, and get a solid understanding
of the transport layer protocols, TCP and UDP, and of the application layer protocols. Most students
and engineers think they know all about TCP/IP, but in reality they make mistakes when interviewers ask
questions. So prepare well and understand the technology behind the protocol. Then you can answer all
the questions.

Please make sure you understand the fundamentals of computer networking and the communications
industry. It will be a great help if you understand the switching technique of the communications industry.
Today's IP network has become possible because of the invention made by the great scientist and engineer
Alexander Graham Bell. Now, the IP network is capable of replacing the old traditional network, thanks in
part to that 19th century invention.

Part 2- IPv4 Subnetting & Variable Length Subnet Mask

Chapter 5- Perspective on IPv4 Subnetting


In the last chapter, we learned about the different classes of IPv4 addressing. Earlier, I briefly mentioned
subnetting, so you know the importance of subnetting in today's networks. Without subnetting, it is
impossible to run any enterprise network. Subnetting may be the most important part of this book; if you
don't understand subnetting properly, it will be impossible to learn the other advanced concepts in this
book and, by extension, to go further as a Network Engineer. Therefore, we must start from the very
beginning, assuming that you have zero knowledge of it.

Let's begin with the very simple question: what is the meaning of Subnetting? And what are the benefits
of Subnetting in today's network?

Subnetwork/Subnet:

In simple terms, a subnetwork is a logical division of a larger network into smaller networks. From this
definition, we can understand that an enterprise only needs one network address, and creates different
subnetworks as per its requirements.

There are several advantages of subnetting:

• Reduced network traffic: By creating smaller networks, a network designer creates more broadcast
  domains. Smaller broadcast domains mean less network traffic on each network segment.
• Increased network performance: Less network traffic means a more congestion-free network, which
  enables better network performance.
• Simplified network management: As it breaks large networks into smaller networks, it is easier to
  manage and troubleshoot any network problems.
• Efficient connection of smaller networks across a large geographical area: As WAN links are expensive
  and slow, this technique gives an enterprise the opportunity to connect its branches more efficiently.

Subnet Mask:

A Subnet Mask is a binary number (also can be represented in dotted-decimal format) used to separate
network and host parts in a given network. A Subnet Mask is a 32-bit value that allows the recipient of IP
packets to distinguish the network ID portion of the IP addresses from the host ID portion of the IP
addresses.

For instance, if the network mask length is 28 bits (or /28), the binary format of the network mask is
going to be like the illustration below:

11111111.11111111.11111111.11110000


The first eight bits are all set to one. This translates to the decimal value 255:
128+64+32+16+8+4+2+1 = 255

This is true for the first 24 bits (3 bytes). The last byte has only four bits set to one, which converts to:
128+64+32+16 = 240

So the whole network mask is 255.255.255.240 in decimal notation.

The number of subnets can be determined with the formula 2^s, where s is the number of subnet bits
borrowed from the host field.

The number of addresses usable for addressing specific hosts in each subnet is always 2^H - 2, where H is
the number of remaining host (rest field) bits.


If you wonder why we need to subtract two addresses when calculating the number of valid host
addresses, it is because two reservations are made in every subnet. One address is reserved as the
identifier of the network/subnet, and the second one represents all hosts in the given
network/subnet.

Reservation 1

If all host bits of an IP address are set to '0' (zero value), this address is the subnet address or 'wire' address.
It cannot be applied as a host address.

Take a look at the example below:

The host bits, as stated before, are the bits of the address whose corresponding bits in the network
mask are set to '0'. Here they are all set to '0' (in yellow). This makes the IP address 172.16.128.0/18 or
172.16.128.0 255.255.192.0 the subnet address. It cannot be applied on a device as a host address (try to
use it on your computer and you will see that it is rejected).

Reservation 2

If all host bits (the unmasked ones) of an IP address are set to '1', this makes the address the broadcast
address in the given subnet (broadcast = all-hosts identifier). Let us use our 3rd subnet and create the
broadcast address in this subnet.

In the above diagram, all host bits (unmasked) are set to '1'. They are marked in yellow. Converted to
decimal, this would be 172.16.191.255/18 or 172.16.191.255 255.255.192.0. Just like in our previous
example, this address is also reserved and cannot be used as the identifier of a device in the network.

Note: In the past, there were limitations to the use of subnet 0 (all subnet bits set to zero) and the all-
ones subnet (all subnet bits set to one). Some devices would not allow the use of these subnets. Now
Cisco devices allow the use of these subnets when the ip subnet-zero command is configured.


Chapter 6- Analyzing Classful IPv4 Networks

IP addresses, when they were created a few decades ago, used the concept of classes. This architecture
is called classful addressing. In the mid-1990s, a new architecture called classless addressing was
introduced, which eventually superseded the original architecture. However, part of the Internet still uses
classful addressing, though the migration is going very fast.

Originally, a 32-bit IPv4 address was logically subdivided into two: the network number field, which is the
most-significant 8 bits of an address since it specified the particular network a host was attached to; and
the local address, also called rest field (the rest of the address), which uniquely identifies a host connected
to that network. This format was sufficient at a time when only a few large networks existed, such as the
ARPANET which was assigned the network number 10, and before the wide proliferation of local area
networks (LANs). As a consequence of this architecture, the address space supported only a low number
(254) of independent networks, and it became clear very early on that, this would not be enough.

The first class, designated as Class A, contained all addresses in which the most significant bit is zero. The
network number for this class is given by the next 7 bits, therefore accommodating 128 networks in total,
including the zero networks, and including the existing IP networks already allocated.

Class B network was a network in which all addresses had the two most-significant bits set to 1 and 0. For
these networks, the network address was given by the next 14 bits of the address, thus leaving 16 bits for
numbering hosts in a network, for a total of 65,536 addresses per network.

Class C was defined with the 3 high-order bits set to 1, 1, and 0, designating the next 21 bits to number
the networks, leaving each network with 256 local addresses. The leading bit sequence 111 designated an
"escape to extended addressing mode", which was later subdivided into Class D (1110) for multicast
addressing, while leaving as reserved for future use the 1111 block designated as Class E.

The number of addresses usable for addressing specific hosts in each network is always 2^H - 2, where H is
the number of rest field bits. The subtraction of 2 adjusts for the use of the all-bits-zero host portion for
the network address and the all-bits-one host portion as the broadcast address. Thus, for a Class C address
with 8 bits available in the host field, the number of hosts is 254.

A classful network is a network-addressing architecture used in the Internet from 1981 until the
introduction of Classless Inter-Domain Routing in 1993. The method divides the address space for Internet
Protocol Version 4 (IPv4) into five address classes. Each class, coded in the first four bits of the address,
defines either a different network size, i.e. number of hosts for unicast addresses (classes A, B, C), or a
multicast network (class D). The fifth class (E) address range is reserved for future or experimental
purposes.

Since its discontinuation, remnants of classful network concepts remain in practice only in limited scope
such as in the default configuration parameters of some network software and hardware components
(e.g. default subnet mask), but the terms are often still used erroneously by people working in IT.

Remember, today's IP addresses are associated with a subnet mask, which is not required in a classful
network because the mask was implicitly derived from the IP address itself. Any networking node would
only need to inspect the first few bits of the IP address to determine the class of the address.

Bit wise representation:

• n indicates a binary slot used for the network ID.
• H indicates a binary slot used for the host ID.
• X indicates a binary slot without a specified purpose.

Class A
0. 0. 0. 0 = 00000000.00000000.00000000.00000000
127.255.255.255 = 01111111.11111111.11111111.11111111
0nnnnnnn.HHHHHHHH.HHHHHHHH.HHHHHHHH
Class B
128. 0. 0. 0 = 10000000.00000000.00000000.00000000
191.255.255.255 = 10111111.11111111.11111111.11111111
10nnnnnn.nnnnnnnn.HHHHHHHH.HHHHHHHH
Class C
192. 0. 0. 0 = 11000000.00000000.00000000.00000000
223.255.255.255 = 11011111.11111111.11111111.11111111
110nnnnn.nnnnnnnn.nnnnnnnn.HHHHHHHH
Class D
224. 0. 0. 0 = 11100000.00000000.00000000.00000000
239.255.255.255 = 11101111.11111111.11111111.11111111
1110XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX
Class E
240. 0. 0. 0 = 11110000.00000000.00000000.00000000
255.255.255.255 = 11111111.11111111.11111111.11111111
1111XXXX.XXXXXXXX.XXXXXXXX.XXXXXXXX

For example, 162.22.39.1 is a Class B address because the first octet, 162, lies in the 128-191 range.
Likewise, 10.11.26.1 is a Class A address (because the first octet is 10) and 204.10.209.1 is a Class C
address (because the first octet is 204). If this seems confusing, convert these addresses into binary and
verify for yourself that the initial bits correspond to the pattern shown in the table above.

The network engineer would request a Class A, B, or C network upon installing a new Internet connection,
depending on the expected size of the installed network. For example, the U.S. Department of Defense, a
very large network, was assigned a Class A; Queen's University of Belfast in the United Kingdom, a
typical mid-sized network, was assigned a Class B network; while a small consulting firm I once worked
for was assigned a Class C network.

The Internet Assigned Numbers Authority (IANA), only assigns the network bits. For example, a request
for a Class C network might have been met by assigning 192.12.26.0. As a Class C, the first three bytes
were fixed by IANA, and the last byte was assigned by the local network administrator. No attempt was
made to assign the addresses in a hierarchical fashion. The first Class B assigned was 128.1.0.0; the next
was 128.2.0.0, and so on.

Routers process packets according to their classful network. For example, consider a packet addressed to
146.29.55.2. First, the address is determined to be a Class B (its two high bits are 10), then it’s split to
determine its membership in the 146.29.0.0 classful network. The routing table would have an entry for
each classful network, in this case 146.29.0.0, which would determine how the packet should be delivered.

Problems with classful subnetting

The original classful address scheme had a number of problems:

Scenario I: Very few network addresses for large networks

– Class A and Class B addresses are gone, so only Class C will be suitable for this scenario.

Scenario II: Two-layer hierarchy is not appropriate for large networks with Class A and Class B
addresses.

Solution: Subnet the networks.

Scenario III: Assume a company requires 2,000 IP addresses, what would their network engineer do?

– Class A and B addresses are overkill.

– Class C address is insufficient (requires 8 Class C addresses).

Solution: Use Classless Inter-domain Routing (CIDR).

Scenario IV - Exploding Routing Tables: Routing on the backbone Internet needs to have an entry for each
network address. In 1993, the size of the routing tables started to outgrow the capacity of routers.

– Solution: Classless Inter-domain Routing (CIDR)

Scenario V: The Internet is going to outgrow the 32-bit addresses.

– Solution: IP Version 6

So, the overall solution can be achieved by using classless inter-domain routing. The table below describes
how many hosts can be saved with classless networks.


For example, if we only need two hosts, we can apply /30 CIDR, then 4 hosts are available inclusive of one
network-id and a broadcast-id. We get a total of two valid hosts by using /30 CIDR and there won’t be any
host wastage.

Chapter 7: Converting subnet masks


As we discussed earlier, a subnet mask is a binary number (also usually represented in dotted-decimal
format) that is used to separate network and host parts in an IP address. An IPv4 subnet mask is 32 bits
large. In a valid subnet mask, the network part is represented with "1" from the left side, followed and
ended by host part "0" - 11111111.11111111.11111111.00000000 (binary form), 255.255.255.0 (dotted-
decimal form) or simply "/24", which means that the subnet network part is 24 bits long.

This chapter will cover binary and decimal math with respect to IP subnetting, subnet masks, broadcast
addresses and the like. It's meant to demystify the simple math of IP networking for the novice LAN
administrator. A sound understanding of these concepts is critical for security and general network
stability, and yet even university-level textbooks seem to gloss over this topic.

Brief overview

An IP number has four 8-bit octets. Since each binary bit has two possible values, either on or off (0 or 1),
each octet can represent 2^8 = 256 decimal numbers (0 to 255). If we count up all 32 bits (4x8 = 32), we
have an Internet of 256x256x256x256 = 2^32 = 4,294,967,296 possible addresses. That's too many for any
one network, so this number is segmented into more manageable chunks, or subnets, via routing. The
network base address and subnet mask determine what portion of the 32-bit Internet belongs to a given
subnet.

A network interface (NIC) card should not waste its processing power looking at IP traffic. We want each
NIC to ignore anything not meant for it. A subnet mask provides a way to quickly and efficiently filter out
anything not meant for our subnet. NICs on hosts, routers, etc., use a combination of network "base"
address and "mask" to determine what to ignore and what to listen to.

The netmask shorthand notation (the /##'s) just specifies how many 1s to keep to determine the network
address of an interface. Each octet has eight 1s. With no masking, that's
"11111111.11111111.11111111.11111111". The netmask would be 0.0.0.0 or just /0, meaning look at all
the ones in all the octets -- the entire Internet. Again, we generally do not want any NIC to listen to the
entire Internet.

The netmask is called a "mask" because it also tells how many 1s on the left-hand side to mask-out when
figuring out a specific host address.

For a "Class C" or "8-bit" subnet (32-24=8), the network interfaces only care about the last octet. So we
use 255.255.255.0, or its shorthand equivalent, /24.

For a Class B or "16-bit" subnet (32-16=16), we need the details of the last two octets. So we use
255.255.0.0, or /16.

Computers love binary math because they are essentially binary in nature (like an electrical switch that
can be either OFF/0 or ON/1), the same way humans like base ten (because we count on our fingers). Our
base ten tendencies cause our eyes to glaze over when presented with binary octets. Still, some
understanding of the binary number system helps us comprehend IP networking a bit more clearly.

The eight "places" in 11111111 equate to 128 64 32 16 8 4 2 1.


IP subnet mask conversion

The old way of writing IP/mask notation: 192.168.1.1/255.255.255.0

The new way of writing IP/mask notation: 192.168.1.1/24

The new way of specifying the mask is a lot simpler and faster and is known as CIDR notation (Classless
Inter-Domain Routing). CIDR is the method service providers use to allocate IP addresses to enterprises,
small offices or home customers. As discussed in the previous chapter, it was introduced to replace the
classful network architecture; its goal was to slow the rapid exhaustion of IPv4 addresses. A netmask
must by definition be read from left to right.

All ones (1) up to a point, which then change to all zeros (0) until the end of the mask. Given this, we
can specify the mask simply by how many binary 1's there are.

In-depth details for conversion are as follows:

Binary Representation                    CIDR Value   Subnet Mask
11111111.00000000.00000000.00000000      /8           255.0.0.0
11111111.10000000.00000000.00000000      /9           255.128.0.0
11111111.11000000.00000000.00000000      /10          255.192.0.0
11111111.11100000.00000000.00000000      /11          255.224.0.0
11111111.11110000.00000000.00000000      /12          255.240.0.0
11111111.11111000.00000000.00000000      /13          255.248.0.0
11111111.11111100.00000000.00000000      /14          255.252.0.0
11111111.11111110.00000000.00000000      /15          255.254.0.0
11111111.11111111.00000000.00000000      /16          255.255.0.0
11111111.11111111.10000000.00000000      /17          255.255.128.0
11111111.11111111.11000000.00000000      /18          255.255.192.0
11111111.11111111.11100000.00000000      /19          255.255.224.0
11111111.11111111.11110000.00000000      /20          255.255.240.0
11111111.11111111.11111000.00000000      /21          255.255.248.0
11111111.11111111.11111100.00000000      /22          255.255.252.0
11111111.11111111.11111110.00000000      /23          255.255.254.0
11111111.11111111.11111111.00000000      /24          255.255.255.0
11111111.11111111.11111111.10000000      /25          255.255.255.128
11111111.11111111.11111111.11000000      /26          255.255.255.192
11111111.11111111.11111111.11100000      /27          255.255.255.224
11111111.11111111.11111111.11110000      /28          255.255.255.240
11111111.11111111.11111111.11111000      /29          255.255.255.248
11111111.11111111.11111111.11111100      /30          255.255.255.252
11111111.11111111.11111111.11111110      /31          255.255.255.254
11111111.11111111.11111111.11111111      /32          255.255.255.255

OK, now let's take a sample scenario: given a subnet mask of X.X.X.X, how do I determine the subnet's
CIDR notation?

This discussion will assume only classless subnetting (no doubt because some might say I lack class).

1. Write down the subnet mask (e.g. 255.255.255.0).

2. Convert each octet into binary: 1111 1111.1111 1111.1111 1111.0000 0000.

3. Count the number of ones in the last step, starting from left to right.

4. Write down the count from the previous step (e.g. 24).

5. Next write down the IP address of the host or gateway (e.g. 192.168.1.3).


6. Convert each octet into binary: 1100 0000.1010 1000.0000 0001.0000 0011.

7. Perform a bitwise AND operation on the binary subnet mask and binary IP address:

1111 1111.1111 1111.1111 1111.0000 0000   A (255.255.255.0, i.e. the subnet mask)
1100 0000.1010 1000.0000 0001.0000 0011   B (192.168.1.3, i.e. the given IP address)
---------------------------------------
1100 0000.1010 1000.0000 0001.0000 0000   C = A AND B (192.168.1.0, i.e. the network address)

8. Take the answer from the operation above and convert each octet back to decimal (base10) notation.

9. Write down the result of the previous operation: 192.168.1.0.

10. Append the bit count from step #4 (above) to the result of the last operation using CIDR notation (e.g.
192.168.1.0/24).

With this scenario, I hope you have a clear idea of the technique required to convert subnet masks. I
suggest you practise converting subnet masks until you have mastered it; as a network engineer you must
be able to do these conversions in your head.
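The mask-to-CIDR conversion and the AND operation walked through above, as an added Python example that is not from the book; it also rejects a non-contiguous mask, which the steps above take for granted.

```python
# Added example (not from the book): subnet mask <-> CIDR conversion and the
# bitwise AND that yields the network address, following the steps in the text.

def octets(dotted):
    """Parse a dotted-decimal string into four integers, rejecting bad input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    values = [int(p) for p in parts]
    if any(v < 0 or v > 255 for v in values):
        raise ValueError(f"octet out of range 0-255: {dotted!r}")
    return values

def to_binary(dotted):
    """Steps 2 and 6: write each octet as eight binary digits, dot separated."""
    return ".".join(f"{v:08b}" for v in octets(dotted))

def mask_to_prefix(mask):
    """Steps 3-4: count the leading ones of a mask to get the CIDR length.

    A valid mask is contiguous: all ones, then all zeros. A mask such as
    255.0.255.0 has a one after a zero and is rejected rather than miscounted.
    """
    bits = "".join(f"{v:08b}" for v in octets(mask))
    ones = bits.count("1")
    if bits != "1" * ones + "0" * (32 - ones):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones

def prefix_to_mask(prefix):
    """Inverse of mask_to_prefix: /24 -> 255.255.255.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range 0-32: {prefix}")
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def network_address(ip, mask):
    """Steps 7-9: AND each octet of the address with the mask, back to decimal."""
    mask_to_prefix(mask)  # validate the mask before using it
    anded = [a & m for a, m in zip(octets(ip), octets(mask))]
    return ".".join(str(v) for v in anded)

def cidr_notation(ip, mask):
    """Step 10: the network address with the mask's bit count appended."""
    return f"{network_address(ip, mask)}/{mask_to_prefix(mask)}"

if __name__ == "__main__":
    # The book's worked values: 192.168.1.3 with mask 255.255.255.0.
    print(to_binary("255.255.255.0"))                    # 11111111.11111111.11111111.00000000
    print(to_binary("192.168.1.3"))                      # 11000000.10101000.00000001.00000011
    print(cidr_notation("192.168.1.3", "255.255.255.0"))  # 192.168.1.0/24
    for prefix in (8, 21, 26, 32):
        print(f"/{prefix} -> {prefix_to_mask(prefix)}")
```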


Chapter 8: Analyzing Existing Subnet Masks

In the previous chapter, we learned how to convert subnet masks. In this chapter, I am going to try to
make you comfortable with analyzing existing subnet masks. You must know how to find the number of
subnets, and the number of hosts per subnet, in a classful network that uses a single mask. This process
uses only decimal math, but it relies on memorizing the nine decimal values that can be used in a subnet
mask, as listed in this table:

You can determine several useful facts about a classful network when using a single mask throughout. In
particular, you can find the number of possible subnets and the number of host addresses in each subnet.
This chapter guides you through a binary process to find both facts. For reference:

To begin analyzing subnet masks in depth, we'll take as an example a single Class C network address
(205.50.1.0) and show how a Class C custom subnet mask can be used to determine which subnetwork
(or subnet) a host is on and to route packets from one subnetwork to another. Remember that with a
Class C network address, the first 3 octets, or 24 bits, are assigned as the network address. This leaves one
octet, or 8 bits, for hosts.
So, each Class C network could have up to 254 hosts:

No. of Hosts = (2^8 - 2) = 256 - 2 = 254

Perhaps fewer than 254 hosts, workstations and servers combined, are desired on one network. This could
be for security reasons or to reduce traffic. It can be done by creating two subnetworks and separating
them with a router. This creates smaller, independent broadcast domains, which can improve network
performance and increase security. Doing so is possible because these subnetworks will be separated by
one or more routers.

Assume at least two subnetworks will be needed and that there will be at least 50 hosts per subnetwork.
Because there is only one Class C network address, only 8 bits in the fourth octet are available, for a total
of 254 possible hosts. Therefore, a custom subnet mask must be created. The custom subnet mask will be
used to borrow bits from the host portion of the address. The following steps help accomplish this:

1. The first step to subnetting is to determine how many subnets are needed. In this case, it’s two
subnetworks. To see how many bits should be borrowed from the host portion of the network
address, add the bit values from right to left until the total is equal to or greater than the number of
subnets needed. Because two subnets are needed, add the one bit and the two bit, which equals
three. This is greater than the number of subnets needed. To remedy this, borrow at least two bits
from the host address starting from the left side of the octet that contains the host address.

Network address: 205.50.1.0

4th octet host address bits:    1    1    1    1    1    1    1    1
Host address bit values:      128   64   32   16    8    4    2    1
                              (counted from the right)

Add bits starting from the right side, the 1 and the 2, until the sum is greater than the number of subnets
needed.

Note: An alternative way to calculate the number of bits to be borrowed for subnets is to raise 2 to the
power of the number of bits borrowed. The result must be greater than the number of subnets needed.

As an example, if 2 bits are borrowed in the calculation, it’s two to the second power, which equals four.
Since the number of subnets needed is just two, this should be adequate.

2. After we know how many bits to borrow, we take them from the left side of the host address, the 4th
octet. Every bit borrowed from the host address leaves fewer bits for the hosts. Even though the
number of subnets is increased, the number of hosts per subnet is decreased. Because two bits
need to be borrowed from the left side, that new value must be shown in the subnet mask.

The existing default subnet mask was 255.255.255.0 and the new custom subnet mask is
255.255.255.192. The 192 comes from adding the first two bit values from the left, 128 + 64 = 192. These
bits now become 1s and are part of the overall subnet mask. This leaves 6 bits for host IP addresses,
or 2^6 = 64 hosts per subnet.


4th octet borrowed bits for subnet:    1    1    0    0    0    0    0    0
Subnet bit values (from left side):  128   64   32   16    8    4    2    1

With this information, the following table can be built. The first two bits are the subnet binary value. The
last 6 bits are the host bits. By borrowing 2 bits from the 8 bits of the host address, 4 subnets with 64
hosts each can be created. The 4 networks created are as follows:
• The 205.50.1.0 network
• The 205.50.1.64 network
• The 205.50.1.128 network
• The 205.50.1.192 network

The 205.50.1.0 network is considered unusable, unless the networking device supports the IOS command
ip subnet-zero, which allows using the first subnet.

Table 3: Notice how the subnet starts.

Notice that the first subnet always starts with 0 and, in this case, increases by 64, which is the number of
hosts on each subnet. One way to determine the number of hosts on each subnet, or the start of each
subnet, is to raise 2 to the power of the remaining host bits. Because we borrowed two of the 8 bits for
subnets and have 6 bits left, the number of hosts per subnet is 2^6, or 64.

Another way to figure out the number of hosts per subnet or the increment from one subnet to the next
is to subtract the subnet mask value in decimal, 192 in the fourth octet, from 256, which is the maximum
number of possible combinations of 8 bits. This equals 64. This means we start at 0 for the first network
and add 64 for each additional subnetwork. For example, if the second subnet is used, the 205.50.1.64
network can’t be used for a host ID since the network ID of the 64 subnet has all zeros in the host portion.

Another common way to represent a subnet mask is the use of the “slash/number” (/#) where the #
following the slash is the number of bits used in the mask (network and subnet combined).

As an example, a Class C network address such as 205.50.1.0 with a standard subnet mask (255.255.255.0)
would be written as 205.50.1.0 /24, indicating that 24 bits are used for the mask. The same network, when
subnetted by using two host bits for subnets, would be written as 205.50.1.0 /26. This indicates that 24
bits are used for the network and 2 bits for the subnet. This would represent a custom subnet mask of
255.255.255.192 in dotted decimal format.


A Class A network of 10.0.0.0 with a standard mask (255.0.0.0) would be written as 10.0.0.0 /8. If 8 bits
(the next octet) were being used for subnets, it would be written as 10.0.0.0 /16. This would represent a
custom subnet mask of 255.255.0.0 in dotted decimal format. The “slash” number after the network
number is an abbreviated method of indicating the subnet mask being used.

Tips:

Apply the described technique to analyze subnet masks. Take a pen and paper, make up your own
network and subnet it according to your requirements. Then go through the whole process and you
will see how easy things become with these techniques. Repeat the practice using different IP addresses
of different classes.
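The two steps above (decide how many subnets and hosts are needed, then borrow bits and derive the mask), as an added Python example that is not from the book; the subnet count defaults to the classic 2^n - 2 rule so that it reproduces the book's /26 for 205.50.1.0, and passing subnet_zero=True shows that with ip subnet-zero a single borrowed bit already gives the two subnets.

```python
# Added example (not from the book): choose a custom mask for a classful
# network from the number of subnets and hosts per subnet required, the way
# the chapter does for 205.50.1.0 with 2 subnets of at least 50 hosts.

CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}   # natural (default) mask lengths

def address_class(network):
    """Classful rule from the first octet: A 1-126, B 128-191, C 192-223."""
    first = int(network.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    raise ValueError(f"{network} is not a class A, B or C unicast network")

def bits_to_borrow(required_subnets, subnet_zero=False):
    """Smallest n whose usable subnet count reaches required_subnets.

    Without ip subnet-zero the all-zeros subnet is unusable; this example also
    drops the all-ones subnet, giving the classic 2**n - 2 count. With
    subnet_zero=True every one of the 2**n subnets is usable.
    """
    n = 0
    while True:
        usable = 2 ** n if subnet_zero else max(2 ** n - 2, 0)
        if usable >= required_subnets:
            return n
        n += 1

def prefix_to_mask(prefix):
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def design_mask(network, required_subnets, required_hosts, subnet_zero=False):
    """Return the custom mask and what it yields, or raise if it cannot fit."""
    natural = CLASS_PREFIX[address_class(network)]
    host_bits_total = 32 - natural
    borrowed = bits_to_borrow(required_subnets, subnet_zero)
    host_bits = host_bits_total - borrowed
    # The all-zeros (network) and all-ones (broadcast) host IDs cannot be assigned.
    usable_hosts = 2 ** host_bits - 2
    if host_bits < 2 or usable_hosts < required_hosts:
        raise ValueError(
            f"{network}: {required_subnets} subnets x {required_hosts} hosts "
            f"do not fit in {host_bits_total} host bits")
    prefix = natural + borrowed
    return {
        "mask": prefix_to_mask(prefix),
        "prefix": prefix,
        "borrowed_bits": borrowed,
        "total_subnets": 2 ** borrowed,
        "usable_subnets": 2 ** borrowed if subnet_zero else 2 ** borrowed - 2,
        "block_size": 2 ** host_bits,   # addresses per subnet, also the increment
        "usable_hosts": usable_hosts,
    }

if __name__ == "__main__":
    print(design_mask("205.50.1.0", 2, 50))                    # /26, 255.255.255.192
    print(design_mask("205.50.1.0", 2, 50, subnet_zero=True))  # /25 is enough
```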


Chapter 9: Designing Subnet Masks

An IP address is a logical address used to uniquely identify a device on an IP network. The address is
made up of 32 bits, which are divided into a network portion and a host portion with the help of a subnet
mask. In this chapter we are going to learn the design aspect of subnet masks. The 32 binary bits are
broken into four octets (1 octet = 8 bits). Each octet is converted to decimal and separated by a period
(dot). For this reason, an IP address is said to be expressed in dotted decimal format (for example,
192.168.1.1). The value in each octet ranges from 0 to 255 in decimal, or 00000000 to 11111111 in binary.

Here is how binary octets convert to decimal: The rightmost bit, or least significant bit, of an octet holds
a value of 2^0. The bit just to the left of that holds a value of 2^1. This continues until the leftmost bit, or
most significant bit, which holds a value of 2^7. So if all binary bits are one, the decimal equivalent would
be 255, as shown here:

  1   1   1   1   1   1   1   1
128  64  32  16   8   4   2   1   (128+64+32+16+8+4+2+1=255)

Here is a sample octet conversion when not all of the bits are set to 1:

  0   0   0   1   0   0   0   1
  0   0   0  16   0   0   0   1   (0+0+0+16+0+0+0+1=17)

And this sample shows an IP address represented in both binary and decimal:

10. 1. 1. 17 (decimal)
00001010.00000001.00000001.00010001 (binary)

These octets are broken down to provide an addressing scheme that can accommodate large and small
networks. There are five different classes of networks, A to E. This document focuses on addressing
classes A to C, since classes D and E are reserved and discussing them is beyond the scope of this
document.

Note: The terms Class A, Class B and so on are used in this document to help facilitate the understanding
of IP addressing and subnetting. These terms are rarely used in the industry anymore because of the
introduction of classless inter domain routing (CIDR).

Given an IP address, its class can be determined from the three high-order bits. Fig. 1 shows the
significance of the three high order bits and the range of addresses that fall into each class. For
informational purposes, Class D and Class E addresses are also shown.

Fig. 1


In a Class A address, the first octet is the network portion, so the Class A example in Fig. 1 has a major
network address of 1.0.0.0 - 127.255.255.255. Octets 2, 3, and 4 (the next 24 bits) are for the network
manager to divide into subnets and hosts as they see fit. Class A addresses are used for networks that
have more than 65,536 hosts (actually, up to 16,777,214 hosts!).

In a Class B address, the first two octets are the network portion, so the Class B example in Fig. 1 has a
major network address of 128.0.0.0 - 191.255.255.255. Octets 3 and 4 (16 bits) are for local subnets and
hosts. Class B addresses are used for networks that have between 256 and 65,534 hosts.

In a Class C address, the first three octets are the network portion. The Class C example in Fig. 1 has a
major network address of 192.0.0.0 - 223.255.255.255. Octet 4 (8 bits) is for local subnets and hosts -
perfect for networks with fewer than 254 hosts.

Class D is used for Multicast and Class E is used for Research & Development. So, we will talk only about
Class A, B and C.

Network Masks

A network mask helps you know which portion of the address identifies the network and which portion
of the address identifies the node. Class A, B, and C networks have default masks, also known as natural
masks, as shown here:


An IP address on a Class A network that has not been subnetted would have an address/mask pair similar
to: 12.31.1.1 255.0.0.0. To see how the mask helps you identify the network and node parts of the address,
convert the address and mask to binary numbers.

12.31.1.1 = 00001100.00011111.00000001.00000001
255.0.0.0 = 11111111.00000000.00000000.00000000

Once you have the address and the mask represented in binary, then identifying the network and host ID
is easier. Any address bits that have corresponding mask bits set to 1 represent the network ID. Any
address bits that have corresponding mask bits set to 0 represent the node ID.

12.31.1.1 = 00001100.00011111.00000001.00000001
255.0.0.0 = 11111111.00000000.00000000.00000000
            --------|--------------------------
             net id |          host id

Net id  = 00001100 = 12
Host id = 00011111.00000001.00000001 = 31.1.1

Subnetting Process:
• Determine the number of required network IDs
• Determine the number of required host IDs per subnet
• Define one subnet mask based on the requirements
• Define a unique subnet ID for each physical segment based on the subnet mask
• Define valid host IDs for each subnet based on the subnet ID

Designing Subnet Masks

Subnetting allows you to create multiple logical networks that exist within a single Class A, B, or C network.
If you do not subnet, you are only able to use one network from your Class A, B, or C network, which is
unrealistic.

Each data link on a network must have a unique network ID, with every node on that link being a member
of the same network. If you break a major network (Class A, B, or C) into smaller subnetworks, it allows
you to create a network of interconnecting subnetworks. Each data link on this network would then have
a unique network/subnetwork ID. Any device, or gateway, connecting n networks/subnetworks has n
distinct IP addresses, one for each network/subnetwork that it interconnects.


In order to subnet a network, extend the natural mask using some of the bits from the host ID portion of
the address to create a subnetwork ID. For example, given a Class C network of 201.15.3.0 which has a
natural mask of 255.255.255.0, you can create subnets in this manner:

201.15.3.0      - 11001001.00001111.00000011.00000000
255.255.255.224 - 11111111.11111111.11111111.11100000
                                             |sub|      ("sub" marks the subnet bits of the mask)

By extending the mask to be 255.255.255.224, you have taken three bits (indicated by "sub") from the
original host portion of the address and used them to make subnets. With these three bits, it is possible
to create eight subnets. With the remaining five host ID bits, each subnet can have up to 32 host
addresses, 30 of which can actually be assigned to a device since host IDs with all zeros or all ones are
not allowed (it is very important to remember this). So, with this in mind, these subnets have been
created.

201.15.3.0    255.255.255.224   host address range 1 to 30
201.15.3.32   255.255.255.224   host address range 33 to 62
201.15.3.64   255.255.255.224   host address range 65 to 94
201.15.3.96   255.255.255.224   host address range 97 to 126
201.15.3.128  255.255.255.224   host address range 129 to 158
201.15.3.160  255.255.255.224   host address range 161 to 190
201.15.3.192  255.255.255.224   host address range 193 to 222
201.15.3.224  255.255.255.224   host address range 225 to 254

Note: There are two ways to denote these masks. First, since you are using three bits more than the
"natural" Class C mask, you can denote these addresses as having a 3-bit subnet mask. Or, secondly, the
mask of 255.255.255.224 can also be denoted as /27 as there are 27 bits that are set in the mask. This
second method is used with CIDR. With this method, one of these networks can be described with the
notation prefix/length. For example, 201.15.3.32/27 denotes the network 201.15.3.32 255.255.255.224.
When appropriate, the prefix/length notation is used to denote the mask throughout the rest of this
document.

The network subnetting scheme in this section allows for eight subnets, and the network might appear
as:

Figure 2


Notice that each of the routers in Fig. 2 is attached to four subnetworks, and one subnetwork is common
to both routers. Also, each router has an IP address for each subnetwork to which it is attached. Each
subnetwork could potentially support up to 30 host addresses.

This brings up an interesting point. The more host bits you use for a subnet mask, the more subnets you
have available. However, the more subnets available, the fewer host addresses are available per subnet. For
example, a Class C network of 201.15.3.0 and a mask of 255.255.255.224 (/27) allows you to have eight
subnets, each with 32 host addresses (30 of which could be assigned to devices). If you use a mask of
255.255.255.240 (/28), the breakdown is:

201.15.3.0      - 11001001.00001111.00000011.00000000
255.255.255.240 - 11111111.11111111.11111111.11110000
                                             |sub |     ("sub" marks the subnet bits of the mask)

Since you now have four bits to make subnets with, you only have four bits left for host addresses. So in
this case, you can have up to 16 subnets, each of which can have up to 16 host addresses (14 of which can
be assigned to devices).

Take a look at how a Class B network might be subnetted. If you have the network 172.16.0.0, then you
know that its natural mask is 255.255.0.0 or 172.16.0.0/16. Extending the mask to anything beyond
255.255.0.0 means you are subnetting. You can quickly see that you have the ability to create a lot more
subnets compared to a Class C network. If you use a mask of 255.255.248.0 (/21), how many subnets and
hosts per subnet does this allow for?

172.16.0.0    - 10101100.00010000.00000000.00000000
255.255.248.0 - 11111111.11111111.11111000.00000000
                                  |sub |              ("sub" marks the subnet bits of the mask)

You are using five bits from the original host bits for subnets. This allows you to have 32 subnets (2^5). After
using the five bits for subnetting, you are left with 11 bits for host addresses. This allows each subnet to
have 2048 host addresses (2^11), 2046 of which could be assigned to devices.
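An added Python example, not from the book, that enumerates the subnets of this chapter's Class C and Class B cases with their host ranges and broadcast addresses, and tabulates the subnets-versus-hosts trade-off for the /27, /28 and /21 masks discussed above.

```python
# Added example (not from the book): list the subnets a custom mask creates in
# a classful network, with each subnet's assignable host range and broadcast,
# and show the subnets-versus-hosts trade-off for the masks discussed above.

def natural_prefix(network):
    """Natural (default) mask length from the first octet: A /8, B /16, C /24."""
    first = int(network.split(".")[0])
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError(f"{network} is not a class A, B or C network")

def ip_to_int(dotted):
    a, b, c, d = (int(p) for p in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def subnet_table(network, prefix):
    """Extend the natural mask to /prefix and enumerate every subnet.

    Returns (subnet_bits, host_bits, rows); each row holds the subnet ID,
    the first and last assignable host, and the broadcast address.
    """
    natural = natural_prefix(network)
    if not natural < prefix <= 30:
        raise ValueError("prefix must extend the natural mask and keep 2+ host bits")
    subnet_bits = prefix - natural
    host_bits = 32 - prefix
    block = 2 ** host_bits                        # addresses per subnet = increment
    base = ip_to_int(network) & ((0xFFFFFFFF << (32 - natural)) & 0xFFFFFFFF)
    rows = []
    for i in range(2 ** subnet_bits):
        start = base + i * block
        rows.append({
            "network": int_to_ip(start),                # all-zeros host ID
            "first_host": int_to_ip(start + 1),
            "last_host": int_to_ip(start + block - 2),
            "broadcast": int_to_ip(start + block - 1),  # all-ones host ID
        })
    return subnet_bits, host_bits, rows

def tradeoff(network, prefixes):
    """(prefix, number of subnets, assignable hosts per subnet) for each mask."""
    result = []
    for prefix in prefixes:
        subnet_bits, host_bits, _ = subnet_table(network, prefix)
        result.append((prefix, 2 ** subnet_bits, 2 ** host_bits - 2))
    return result

if __name__ == "__main__":
    _, _, rows = subnet_table("201.15.3.0", 27)
    for r in rows:
        print(f"{r['network']:<14} hosts {r['first_host']} - {r['last_host']}  "
              f"broadcast {r['broadcast']}")
    # More subnet bits, fewer hosts: /27 vs /28 on the class C, /21 on 172.16.0.0
    print(tradeoff("201.15.3.0", [27, 28]))   # [(27, 8, 30), (28, 16, 14)]
    print(tradeoff("172.16.0.0", [21]))       # [(21, 32, 2046)]
```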


Chapter 10: Variable Length Subnet Masking (VLSM)

In the previous chapter on Subnet Masks, we got an idea about designing and converting different types
of subnetworks. In this chapter, we are going to learn how we can use Variable Length Subnet Mask
(VLSM) in our network design and implementation.

What is VLSM and why do we use it?

Variable Length Subnet Masking (VLSM) is the more realistic way of subnetting a network to make
efficient use of all the bits, allowing you a much tighter control over your addressing scheme.

Remember that when we perform classful subnetting, all subnets have the same number of hosts because
they all use the same subnet mask. This leads to inefficiency: many host addresses are wasted. For
example, if you borrow 4 bits on a Class C network, you end up with 14 valid subnets of 14 valid hosts each. A
serial link to another router needs only 2 hosts, but with classful subnetting you end up wasting 12
of those hosts.

Also, if you use a Class C address with its default subnet mask, you end up with one subnet containing 256
addresses. By using VLSM, you can adjust the number of subnets and the number of addresses depending
on the specific needs of your network. The same rules apply to Class A or B addresses. That is why VLSM
is used.

In a simple way, it is the process of “subnetting a subnet” and using different subnet masks for different
networks in your IP plan.

What you have to remember is that you need to make sure there is no overlap between any of the addresses.
VLSM is supported by all vendor-independent routing protocols, such as RIPv2, OSPF, Dual IS-IS and BGP-4, and
also by Cisco's proprietary EIGRP. You enable VLSM on a router by running one of these routing protocols;
then configure the subnet masks for the various interfaces with the ip address interface subcommand.
Remember that to use supernetting or route summarization you must also configure ip classless. We will
discuss route summarization in the next chapter.

Classful & Classless Routing:
• Classful (basic subnetting): classful routing protocols require that a single network use the same
  subnet mask throughout.
• Classless (uses FLSM & VLSM): VLSM allows a single autonomous system to have networks with different
  subnet masks. This is often referred to as "subnetting a subnet."

Problems with Fixed Length Subnet Masking:
• There are two problems with using FLSM:
  – It wastes addresses if the number of hosts on the subnets varies.
  – It forces the routers that talk to these subnets to process too much information.
• If we use a subnet mask that provides enough interface addresses for the three networks with 30
  hosts, then we waste 28 addresses on each of the three 2-interface networks.


• Further, the upstream router must maintain six separate network addresses in its routing table.

But the alternative is to use VLSM:

• In this method (VLSM), an existing subnetwork is further subnetted.
• The resulting subnets of the subnet are all of a size that best fits the networks in question.
• For example: if the router on the far left of the diagram that follows has been assigned the
  172.16.32.0/20 network, this network can be further subdivided so as to introduce better IP
  address utilization and fewer routes in the far-left router's routing table.
• Notice that the /30 is formed from the space left after the /20 has been formed.
• In other words, if we count 20 bits from the far left of the available 32 bits, this is where the far-left
  router's network stops.
• The remaining 12 bits are meant to be used for interface addresses.
• Instead, we can use part of this 12-bit space to create new subnets.
• In this example we first subnet at the /26 line, then take one of these /26 networks and subnet it
  at the /30 line.

VLSM can be applied to any class of network, whether class A, B or C. Honestly, I can say that, overall,
subnetting is very confusing. Many network administrators with extensive hands-on experience in
network engineering might not be able to design a network with VLSM quickly, because it involves many
fundamentals like private/public classes, their respective ranges, and many other things to be considered when
one applies VLSM to a network. The tables below may help you visualize the world of VLSM so you can
be comfortable with VLSM for all classes:

When to use VLSM? Why to use VLSM? What is the need of VLSM?

Until now we have only discussed the theoretical and mathematical explanation of the benefit of using
VLSM. Now we'll take a quick look at the following scenario to answer the above questions
practically.


In the above scenario, we see that we have a Class C pool of IP addresses, i.e. 192.168.1.0/24, and we
subnetted the given network according to our requirements as described below. Go through the whole
scenario, then read the next line and look at whether the IPs are private or public. If you want an in-depth
classification, you can read my previous article on IPv4.

After brief examination, I know you will see that there are so many IP addresses made useless or wasted.
Where we need only 2 hosts, there are 30 hosts available, a clear waste of 28 hosts.

In FLSM, all the subnets must be the same size, and in the given scenario the network is subnetted by /27.
The described scenario is small because a Class C network has only 254 valid hosts, and you can calculate
the total wastage of IPs: approximately 140 hosts out of 210 valid hosts.

Imagine a bigger scenario with the IP range of class A and you’ll realize how many IPs are wasted using
FLSM. Now maybe you got the answers for all the questions above, and it should be clear that the solution
to FLSM’s IP wasting is VLSM.

Now we take a look at another scenario with a VLSM-subnetted network, which represents the same
scenario as we discussed earlier, with the only difference being the subnetting technique: here we used
VLSM. If you compare fig. 1 with fig. 2 (the FLSM scenario with the VLSM scenario), wastage of IPs is
decreased by about 90%, though this may vary per specific scenario.

Fig. 2 VLSM subnetted network example
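The FLSM-versus-VLSM comparison above, as an added Python example that is not from the book: it carves 192.168.1.0/24 for a constructed requirement of three 30-host LANs and three 2-host router links, first with a fixed /27 for everything and then with VLSM, counting wasted addresses and checking that no two subnets overlap.

```python
# Added example (not from the book): allocate a 192.168.1.0/24 pool with FLSM
# and with VLSM for three LANs of 30 hosts plus three 2-host router links (the
# sizes the chapter discusses; the six named requirements are constructed here),
# then compare the wasted addresses and verify that nothing overlaps.

def ip_to_int(dotted):
    a, b, c, d = (int(p) for p in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def prefix_for_hosts(hosts):
    """Smallest prefix whose block leaves at least `hosts` assignable addresses."""
    host_bits = 2                       # a /30 is the smallest block with 2 usable hosts
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def allocate(pool, requirements, fixed_prefix=None):
    """Carve `pool` (e.g. '192.168.1.0/24') for each (name, hosts) requirement.

    VLSM: requirements are placed largest first so every block starts on its
    own alignment boundary. fixed_prefix forces one mask on every subnet (FLSM).
    Returns ([(name, cidr, hosts_needed, hosts_usable), ...], wasted_addresses).
    """
    base, pool_len = pool.split("/")
    start = ip_to_int(base)
    end = start + 2 ** (32 - int(pool_len))
    cursor, allocations, wasted = start, [], 0
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = fixed_prefix if fixed_prefix is not None else prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        usable = size - 2
        if usable < hosts:
            raise ValueError(f"{name}: /{prefix} holds {usable} hosts, need {hosts}")
        cursor = (cursor + size - 1) // size * size   # align to the block size
        if cursor + size > end:
            raise ValueError(f"pool {pool} exhausted at {name}")
        allocations.append((name, f"{int_to_ip(cursor)}/{prefix}", hosts, usable))
        wasted += usable - hosts
        cursor += size
    return allocations, wasted

def overlaps(allocations):
    """True if any two allocated subnets share an address (must be False)."""
    ranges = []
    for _, cidr, _, _ in allocations:
        net, p = cidr.split("/")
        s = ip_to_int(net)
        ranges.append((s, s + 2 ** (32 - int(p))))
    ranges.sort()
    return any(a_end > b_start for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]))

# Constructed requirement: three 30-host LANs and three point-to-point links.
REQUIREMENTS = [("LAN-A", 30), ("LAN-B", 30), ("LAN-C", 30),
                ("Link-1", 2), ("Link-2", 2), ("Link-3", 2)]

if __name__ == "__main__":
    for label, fixed in (("FLSM /27", 27), ("VLSM", None)):
        allocs, wasted = allocate("192.168.1.0/24", REQUIREMENTS, fixed)
        print(f"{label}: wasted {wasted} addresses, overlap={overlaps(allocs)}")
        for name, cidr, hosts, usable in allocs:
            print(f"  {name:7} {cidr:18} need {hosts:2} usable {usable}")
```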


Chapter 11: Route Summarization: A Need of Routing Table

In this chapter, we are going to discuss route summarization or Supernetting. Put simply, route
summarization is a method to consolidate a group of networks into a single network with the main
objective of reducing the routing table size and complexity.

There are many millions of routes on the internet. If these routes all had to be stored individually, the
internet would have come to a stop many years ago. Route summarization is also known as supernetting
and was proposed in an RFC. So make a cup of coffee or tea and concentrate on understanding how to use
the route summarization technique in your network.

Route Summarization Pre-requisites

In order to use route summarization on your network you need to use a classless protocol such as RIPv2,
EIGRP or OSPF. You also need to design your network in a hierarchical order which will require careful
planning and design. This means that you can't randomly assign networks to various routers or LANs
within your network.

Let's take a look at the example as shown in fig 1 and see the table in fig 2:


From the above table, you can understand the network id will be 172.16.8.0 with subnet mask
255.255.248.0 (Subnet Mask at /21).

You can only really work out a summary route by converting the IP address into binary. If you don't convert
this then you have no way of knowing if you are advertising the correct summary route which will lead to
problems on your network.

Routing protocols can summarize the addresses of several networks into one address, so we need to do
proper manual summarization from the specific information about those networks, as we do in the following
example.

This can be called 3 different things:

1. Route Aggregation
2. Route Summarization
3. Super-netting

Without route summarization, R2 has to have specific routes in its routing table to reach the three stub
networks connected to R1. With route summarization, R2 needs only a summary route to reach all of R1's
stub networks. R1 will locally determine which interface to use to route the packet. To determine a
summary route, use the following procedure:

1. Identify the networks with the highest and lowest IP addresses, 8.8.8.32/28 and 8.8.8.0/28 on R1.

2. Convert to binary the octet where the IPs start to differ.
   • 8.8.8.32 -> 8.8.8.0010 0000
   • 8.8.8.0 -> 8.8.8.0000 0000

3. Determine up to where both IPs match and convert to decimal, treating the remaining bits to the
   right as zero, X=0.
   • 8.8.8.00XX XXXX -> 8.8.8.0000 0000 -> 8.8.8.0

4. Count all bits where both IPs match to determine the subnet mask.
   • 24 + 2 = 26

5. Create your summarized network, which is composed of the results of steps 3 and 4.
   • 8.8.8.0/26

Let's repeat the procedure for R2:

1. 8.8.9.48/30 and 8.8.8.0/26.
2. 8.8.0000 1001.0011 0000 and 8.8.0000 1000.0000 0000
3. 8.8.0000 100X.XXXX XXXX -> 8.8.0000 1000.0000 0000 -> 8.8.8.0
4. 16 + 7 = 23
5. 8.8.8.0/23

Network 8.8.8.0/23 can be used to summarize all four networks behind R2.

Route summarization is very useful. However, there are cases where it might create some problems. For
example, the networks connected to R1 are summarized into 8.8.8.0/26. This summary also includes either
the network 8.8.8.24/29 or the networks 8.8.8.24/30 and 8.8.8.28/30, which do not actually exist in this example.

So, an IP packet with destination address 8.8.8.25 may unnecessarily travel all the way to R1 only to be
discarded.

This situation is explained below. Good network planning should always be done to help successful
network summarization. Ideally all networks should be contiguous, or as contiguous as possible, like the
ones shown in this example. It would be very difficult or impractical to summarize discontiguous networks
like 10.1.55.0/24 and 200.26.58.28/30, for instance: the summarized network would include too many other
combinations, making it impractical to summarize them. The truncated configurations below allow static
routing between R1 and R2 without summarization.

Route Summarization Strategies

The following example illustrates a method of summarizing a group of subnets.

10.3.4.0/24
10.3.5.0/24
10.3.6.0/24
10.3.7.0/24

1. Convert the addresses to binary.
2. Find all the common bits from left to right.
3. Convert all the bits that are in common back to decimal, and leave all the rest of the bits at zero.
4. The number of bits that are in common will be the subnet mask.

10.3.4.0: 00001010 00000011 00000100 00000000
10.3.5.0: 00001010 00000011 00000101 00000000
10.3.6.0: 00001010 00000011 00000110 00000000
10.3.7.0: 00001010 00000011 00000111 00000000

The first 22 bits (shown in red in the original) are the common bits. When the common bits are converted
back to decimal, with the remaining bits left at zero, the end result is 10.3.4.0. This is the summary subnet.

To calculate the mask, count all the common bits. There are 22 bits. Therefore the summary route is

10.3.4.0/22 or subnet mask 255.255.252.0

Manual Route Summarization

Manual route summarization reduces the size of the routing table by aggregating a group of routes into a
single route that is advertised to the other routers. As a result, packets are routed faster and less
processing power is consumed. It needs to be configured explicitly in order to occur. To manually configure
a summary route with EIGRP (or RIPv2), use the interface subcommand ip summary-address:

R1(config-if)#ip summary-address eigrp 1 10.2.0.0 255.255.0.0


R2(config-if)#ip summary-address eigrp 1 10.3.0.0 255.255.0.0

How to manually calculate a summarized route:

172.1.4.0 /25
172.1.4.128 /25
172.1.5.0 /25
172.1.6.0 /24
172.1.7.0 /24

All five networks begin with 172.1; the variation is in the third octet (and, for the /25s, the fourth):

4.0     00000100.00000000
4.128   00000100.10000000
5.0     00000101.00000000
6.0     00000110.00000000
7.0     00000111.00000000

Notice that the 22nd bit position (the first six bits of the third octet are the same, so 16 + 6 = 22) is the
last one that all five addresses have in common. That is the boundary to choose.

To find the summary subnet and mask, use the 22nd bit position as the prefix length (/22), and keep the value
4 in the third octet, because that is the value formed by the common bits up to the 22nd position. The
summary is therefore 172.1.4.0/22.

Let's look at the example below:

Let's try to summarize networks 10.1.0.0 through 10.5.0.0.

First, list everything in binary:

To get the network address, compare the binary bits starting from the left and stop where the bits no longer
match (see the listing above). Notice that the whole first octet matches; in the second octet only the
leading zero bits match (five of them); and nothing matches in the third and fourth octets.

So the summary address is 10.0.0.0.

Finally, to work out the summary subnet mask, we count the 8 matching bits of the first octet, which is the
network part, plus the five matching zeroes in the second octet:

255.248.0.0

How did we get the 248…?

Remember the bits value = 128 64 32 16 8 4 2 1

1 1 1 1 1 0 0 0

You add the five bits values in the second octet from the left; 128+64+32+16+8 = 248

How did we get /13…?

Count all the matching bits from the left up to the last matching bit (8 + 5); that count is the prefix
length, /13.

I hope that reading this chapter and doing some hands-on practice will be enough for you to understand route
summarization for the CCNA exam. If you can quickly work out the common bits, you should be able to answer
the questions quickly and accurately.
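As an added example (not code from the book), the Python below carries the four-step common-bits method through the three sets of subnets worked in this chapter, and also reports which part of each summary is not one of the listed subnets, the situation described earlier with 8.8.8.25. The function names are my own; only the standard library is used.

```python
# Added example (not from the book): the four-step common-bits method this
# chapter describes, applied to the three sets of subnets worked above, plus a
# check of how much address space a summary advertises beyond the listed
# subnets (the reason a packet to 8.8.8.25 could travel to R1 just to be
# discarded in the earlier example).
import ipaddress
from typing import Dict, List

# The three worked sets from the chapter.
BOOK_SETS: Dict[str, List[str]] = {
    "10.3.4.0 - 10.3.7.0": ["10.3.4.0/24", "10.3.5.0/24", "10.3.6.0/24", "10.3.7.0/24"],
    "172.1.4.0 - 172.1.7.0": ["172.1.4.0/25", "172.1.4.128/25", "172.1.5.0/25",
                              "172.1.6.0/24", "172.1.7.0/24"],
    "10.1.0.0 - 10.5.0.0": ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16",
                            "10.4.0.0/16", "10.5.0.0/16"],
}


def to_binary(prefix: str) -> str:
    """Step 1: write the network address as four 8-bit groups."""
    addr = ipaddress.ip_network(prefix, strict=False).network_address
    return " ".join(f"{octet:08b}" for octet in addr.packed)


def common_prefix_len(prefixes: List[str]) -> int:
    """Steps 2 and 4: count the leading bits every address shares; that count is
    the summary prefix length. It can never exceed the shortest original prefix."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    first = int(nets[0].network_address)
    differing = 0
    for net in nets[1:]:
        # XOR marks the bit positions where this address differs from the first.
        differing |= int(net.network_address) ^ first
    common = 32 - differing.bit_length()     # leading bits with no difference
    return min(common, min(n.prefixlen for n in nets))


def summarize(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Step 3: keep the common bits, zero the rest, apply the mask."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    plen = common_prefix_len(prefixes)
    # strict=False clears the host bits, i.e. "leave the rest of the bits to zero".
    return ipaddress.ip_network((str(nets[0].network_address), plen), strict=False)


def not_in_list(prefixes: List[str]) -> List[ipaddress.IPv4Network]:
    """Parts of the summary that are not one of the listed subnets. Traffic for
    these addresses follows the summary route and is then dropped."""
    summary = summarize(prefixes)
    remaining = [summary]
    for net in (ipaddress.ip_network(p, strict=False) for p in prefixes):
        pieces = []
        for piece in remaining:
            if net.subnet_of(piece):
                pieces.extend(piece.address_exclude(net))   # carve the subnet out
            else:
                pieces.append(piece)
        remaining = pieces
    return sorted(remaining)


if __name__ == "__main__":
    for label, prefixes in BOOK_SETS.items():
        print(f"== {label} ==")
        for p in prefixes:
            print(f"  {p:16} {to_binary(p)}")
        s = summarize(prefixes)
        print(f"  common bits: {common_prefix_len(prefixes)}  summary: {s}  mask: {s.netmask}")
        extra = [str(n) for n in not_in_list(prefixes)] or ["nothing"]
        print(f"  covered but not listed: {extra}")
```

For the 10.1.0.0 through 10.5.0.0 set the summary 10.0.0.0/13 also advertises 10.0.0.0/16 and 10.6.0.0/15, which none of the listed networks use.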


Part 3: Introduction to Router and Cisco IOS


Chapter 12: Introduction to Routers and their Operation

Before going on to discuss IPv4 routing protocols, this chapter starts by analyzing routers in some depth:
what they do and how they work. I hope you have solid knowledge of the OSI model and a clear understanding
of how data is sent across the network medium. If you find the information confusing or don't quite
understand it, I suggest you go back to the first part of this book and do some reading on the OSI model
and protocols.

Routers! What are they and what do they do?

As we discussed briefly in the first chapter, routers are very common today in every area of networking;
this is mainly because every network these days connects to some other network, whether it's the Internet or
some other remote site. Routers get their name from what they do, which is to route data from one network
to another.

For example, if you have a company that has an office in New York and another one in Chicago, to connect
the two sites you would use a leased line/WAN connection, for which you need to connect a router at
each end. Any traffic that needs to travel from one site to another will be routed via the routers, while all
the other unnecessary traffic is filtered (blocked), thus saving you valuable bandwidth and money.

So, you can say “A router is a device which makes communication possible between two or more different
sets of networks present in different geographical locations.”

You might be thinking, “To make communication possible between two or more different networks present in
different geographical locations, what steps need to be taken?”

The answer is simple: you have to configure a router, either a hardware or a software router, and apply the
CIDR addressing concepts covered earlier.

There are two types of routers available on the market: 1) hardware routers and 2) software routers.

So what's the difference?

When people talk about routers, they usually don't use the terms "hardware" or "software" router, but
we are using them for the purpose of distinguishing between the two.

Hardware routers are dedicated hardware that runs special software created by their vendors to give them
routing capabilities, plus a whole lot more functions. Hardware routers are most common in companies as
they are faster and more reliable. In the early days, hardware routers were expensive; however, today the
prices of cheaper-brand models are extremely low. You might have seen cheap home routers with wireless
capability that connect your entire home network to the Internet via 4G LTE technology. Configuring a home
router is very simple, and it might earn you a few dollars here and there, but if you want to make a living
from your skill as a network engineer then you need to understand Cisco/Juniper/Alcatel routers, which are
used in enterprise and service provider networks.

There are several vendors manufacturing routers, such as Cisco, Juniper, Alcatel, Nortel, Avaya, HP and
various others.

Fig. 2 (source: http://seekingalpha.com/article/109717-sector-overview-networking)

In the above pie chart, it is clear that Cisco has a monopoly in the router market. If you understand how a
Cisco router works, then I can guarantee that you will be able to work with other vendors' routers easily
too.

The picture below shows Cisco 1700 and 2600 series modular routers, which offer a lot more than simple
routing capabilities.

Software routers perform similar tasks to the hardware routers above (routing data), but they don't come in
small flashy boxes. A software router could be a Windows, Linux, or Novell NetWare server; all network
servers have built-in routing capabilities. Most people use them as Internet gateways and firewalls, but
there is one big difference between hardware and software routers: you cannot (in most cases) simply
replace a hardware router with a software router. Why? Simply because the hardware router has the
necessary hardware built in to connect to the special WAN link (frame relay, ISDN, ATM etc.), whereas your
software router (e.g., an NT server) would have a few network cards, one of which connects to the LAN while
the other goes to the WAN via the hardware router.

Cisco divides routers into three layers for hierarchical design purposes:

• Access layer routers
• Distribution layer routers
• Core layer routers

Access layer routers are used by small organizations and small office/home office (SOHO) sites across the
world and are also known as desktop or company layer routers. Examples are the 800, 1000, 1600, 1700 and
2500 series.
Distribution layer routers are used by ISPs and are also known as ISP layer routers. Examples are the 2600,
3200, 3600 and 3700 series.
Core layer routers are used by global ISPs and are also known as backbone routers. Examples are the 6400,
7200, 7300, 7400, 7500, 7600, 10000 and 12000 series.

Depending on the hardware, sales engineers often use two terms: fixed router and modular router. The table
above gives you a clear idea of the difference between fixed and modular routers.
Now we are going to take a closer look at the diagram below of Cisco router hardware, which has serial, Fast
Ethernet, console and auxiliary ports. So let's start the discussion....

Serial port:
• It is known as a remote administrative port.
• It is generally used for WAN link establishment.
• A serial cable with a 60-pin or 26-pin (smart serial) connector is used for this port.
Console port:
• It is known as the local administrative port.
• It is generally used for initial configuration, password recovery and local administration of the
router. It is an RJ-45 port.
• It is the most delicate port on the router, so use the console port sparingly.
Auxiliary port:
• It is known as a remote administrative port.
• It is used for remote administration.
• It is an RJ-45 port.
• A console (rollover) cable is used.
Fast Ethernet/Ethernet ports:
• They are RJ-45 ports.
• Normally used to connect the internal network switch.
• Mostly used by the network admin to configure the internal network.
• A UTP/STP patch cord/cable is normally used.
Internal components of a router:
• ROM—The bootstrap program is located here. It is the equivalent of the BIOS of a PC. The current version
of the bootstrap program is 15.3.
• Flash—The Internetwork Operating System (IOS) developed by Cisco is stored here. IOS has a command
line interface, where the network admin programs the system.
• NVRAM—Non-volatile RAM, similar to a hard disk. It is also known as permanent storage or the startup
configuration. Generally, the size of NVRAM is 32 KB.
• RAM—Also known as temporary storage or the running configuration. The minimum size of RAM is
2 MB. The RAM is larger than the NVRAM in a router.
• Processor: speed and capability depend on the model.
Depending on your requirements you can add a DSP (PVDM) to your router to make it a voice-enabled router.
In CCNA Voice you will learn more about it.

Router Boot Process:

Routers have a simple boot process: when power is applied, the router takes several steps to start up and
become ready for the user to work in the IOS.

The figure below describes the steps taken by the router when it is powered on and boots....

In the table below, the router modes at the various levels are described:

In the example shown in the diagram below, the workstations see the router as their "gateway."

This means that any machine on this LAN that wants to send a packet (data) to the Internet or anywhere
outside its local area network (LAN) will send the packet via the gateway. The router (gateway) will know
where it needs to send the packet from there on so it can arrive at its destination. This explains why you
need to add an Internet Protocol (IP) address for a gateway in the TCP/IP network properties of your
Windows workstation when you have a LAN at home or in the office.

Let's have a look at how two offices, one in New York and another in Chicago, would use routers to connect
them. The routers in the picture above connect using a particular WAN protocol, e.g. frame relay. In
reality, there would be a cable (provided by your service provider) which connects to the WAN interface of
the router, and from there the signal goes straight to your service provider's network and eventually ends
up at the other router's WAN interface.

Depending on the type of router you get, it will support one of the most commonly used WAN protocols:
ISDN, frame relay, ATM, HDLC and PPP. We will discuss these protocols in other chapters, and you can find
resources by other writers too.

It's important to note down and remember a few of the main features of a router:

• Routers are Layer 3 devices.
• Routers will not propagate broadcast messages unless they are configured to do so.
• Most Cisco routers run their own operating system, called Cisco IOS.

Routers use special protocols between them to exchange information about each other (not user data). This
concludes our first chapter's introduction to routers and their characteristics. In the next chapter we are
going to learn more about the Command Line Interface (CLI).

Chapter 12.5- Managing Cisco IOS Licensing

In this sub-section of our introduction to Cisco IOS, we will discuss Cisco IOS licensing and take a closer
look at:

• The old licensing model
• The new licensing model
• Cisco IOS software license activation

The Cisco IOS software is a single file that is downloaded from the Cisco website, copied on the router or
switch and then installed. This hasn’t changed for decades. What has changed is what is found in these
images.

In the IOS context, each version corresponds to a major revision of the IOS software while each release
only includes smaller changes to IOS.

Cisco builds software images separately for each routing and switching family and for each version and
release.

The Old Licensing Model

In the original packaging model, a software image was developed for each feature set combination. A
feature set is a group of features that are related to each other. For instance, the voice feature set has
features related only to voice and it is different from the security feature set.

The reason for having feature sets is that not all customers need all the possible feature sets that Cisco
can provide on that specific platform.

Cisco supports a number of feature sets, and an IOS image can have one or more feature sets integrated.
This means there can be many image combinations to accommodate customers' feature requests, and the
customer needs to know exactly which features they plan to use in order to get the right image. This was
the old way of providing feature sets to customers.

The New Licensing Model

In the new IOS packaging, Cisco built one image that has all the feature sets, though there will still be a
different image for every platform family and for each version and release.

With the introduction of the Integrated Services Routers Generation 2 (ISR G2) series, the use of universal
images with software activation was introduced as well. This means that users can download the universal
image that has the basic feature set already activated. Then if they want to activate the security feature
set, they will still use the same software image, but will need to install a license key to activate the
additional feature set.

For ISR G2, the following are the four feature sets that can be used, with a short description of what they
contain:

Feature Set                         Description
ipbasek9 (IP Base)                  Default feature set
datak9 (Data)                       MPLS, routing protocols
uck9 (Unified Communications)       VoIP
securityk9 (Security)               IOS firewall, IDS, IPsec

The licenses can be applied when the device is ordered so that when the customer receives it, the license
will be already activated. The licenses can also be purchased later and activated when the customer
realizes the need for another feature set.

IOS Software License Activation

There are two ways to manage software licensing on Cisco devices. One is by using Cisco License Manager
and the other is by manually activating the licenses.

Usually, customers who have several devices whose licenses need to be managed use Cisco License Manager.
This software can be installed on different operating systems and can do the following:

• Communicate with Cisco's Product License Registration Portal
• Communicate with network devices to install licenses and activate the proper feature sets

This is more of a plug-and-play way to manage the licenses and also allows you to look at detailed
information about which licenses are installed on which devices.

The other method to install licenses is manually. To do this, you will need information from the device on
which the feature set will be installed.

Each device that supports licensing has a unique identifier called Unique Device Identifier (UDI). The UDI
is composed of the Product ID (PID) and serial number (SN).

Another component that comes into play when a license is installed is the Product Authorization Key
(PAK). This is the proof that the license was purchased, and it is used in combination with the UDI to
obtain the license file (via email or direct download from the Cisco website).

Basically these are the steps to install a license file:

1. At the Cisco Product License Registration Portal, provide the UDI and the PAK.
2. Download the license file.
3. Copy the license file to the router/switch.
4. Install the license on the router/switch.
5. Reload the router/switch to activate the license.

You can find the UDI of the device using the command “show license udi”:

R3#show license udi
Device#   PID                   SN                      UDI
--------------------------------------------------------------------------------
*0        CISCO2911/K9          FTX1524P9QH             CISCO2911/K9:FTX1524P9QH
R3#

As you can see, this is a Cisco 2911 and you can see from the above output the PID and the SN.

To find out what feature sets you can install on the device, you need to use the command “show
license feature”:

R3#show license feature
Feature name   Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9       no           no          no            yes      no
securityk9     yes          yes         no            no       yes
datak9         yes          no          no            no       yes
uck9           yes          yes         no            no       yes
R3#

As you can see, we only have the ipbasek9 license installed which is the default.

If you want to know more about the installed license, you can use the “show license detail” command to
find out what type of license it is and for how long you will be able to use it.

R3#show license detail
Index: 1 Feature: ipbasek9                    Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
        Store Index: 0
        Store Name: Primary License Storage

Index: 2 Feature: securityk9                  Version: 1.0
        License Type: Evaluation
        License State: Inactive
            Evaluation total period: 208 weeks 2 days
            Evaluation period left: 208 weeks 2 days
            Period used: 0 minute 0 second
        License Count: Non-Counted
        License Priority: None
        Store Index: 0
        Store Name: Evaluation License Storage

===== output cut =====
R3#

The above output was taken from Packet Tracer, but it is not that different from the output of a real
device. As you can see, the securityk9 feature set is an evaluation license and it is inactive.

There are two types of licenses: permanent and right-to-use licenses. Packet Tracer doesn't support
permanent license installation, not even as a test. The permanent ones are the licenses downloaded from
the Cisco website, and once they are installed they never expire. The right-to-use licenses are evaluation
licenses. This means that you can install them for a predefined period of time so you can test the features
from the feature set before deciding whether or not to purchase the license.

This is how you install a permanent license for the datak9 feature set (you will need to have the file copied
on a USB flash drive):

R2# license install usbflash1:FFTX1232R9QG_201504111644563170.lic

Installing...Feature:datak9...Successful:Supported
1/1 licenses were successfully installed
0/1 licenses were existing licenses
0/1 licenses were failed to install

R2#
Apr 12 08:45:40.566: %LICENSE-6-INSTALL: Feature datak9 1.0 was
installed in this device. UDI=CISCO2911/K9:FFTX1232R9QG;
StoreIndex=1:Primary License Storage
Apr 12 22:35:41.608: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL:
Module name = c2900 Next reboot level = datak9 and License = datak9

After a reboot, you should see something similar when you are checking the details for the feature sets:

===== output cut =====
Index 4 Feature: datak9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
===== output cut =====

As you can see, the license is active.

How do you install a right-to-use license? You will need to use this command and then choose the feature
set that you want to test:

R3(config)#license boot module c2900 technology-package securityk9 ?
  disable  disable the technology
  <cr>

R3(config)#
===== output cut =====
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot

%IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = C2900 Next reboot level = securityk9 and License = securityk9
%LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO2911/K9:FTX1524P9QH; StoreIndex=0:Evaluation License Storage
R3(config)#

The license will be added to the configuration file and it will be active after rebooting the device:

license udi pid CISCO2911/K9 sn FTX1524P9QH
license boot module c2900 technology-package securityk9

After the reboot, you can see that securityk9 is enabled and that it is an evaluation (right-to-use) license
and not a permanent one.

R3#show license feature
Feature name   Enforcement  Evaluation  Subscription  Enabled  RightToUse
ipbasek9       no           no          no            yes      no
securityk9     yes          yes         no            yes      yes
datak9         yes          no          no            no       yes
uck9           yes          yes         no            no       yes
R3#

These are the details about how long the license will be active (remember that this output was taken from
Packet Tracer and the output from a real device might be slightly different).

Index: 2 Feature: securityk9                  Version: 1.0
        License Type: Evaluation
        License State: Active, In Use
            Evaluation total period: 208 weeks 2 days
            Evaluation period left: 208 weeks 2 days
            Period used: 0 minute 0 second
        License Count: Non-Counted
        License Priority: None
        Store Index: 0
        Store Name: Evaluation License Storage

One other way to check which licenses are installed on the device is to use the “show version” command and
then look for this:

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Evaluation     securityk9
uc            None          None           None
data          None          None           None

And that would be all on managing Cisco IOS licensing. We saw how the old software licensing model
worked and how it differs from the current one. We saw how to install a permanent and right to use
license on a Cisco 2900 platform.

Working with licenses is not a technically complicated job but rather an administrative burden. If you have
many devices where licenses need to be installed, most likely Cisco License Manager will be your friend.
Otherwise, you will have to use the manual approach and install the licenses one by one.

Chapter 13- Setting a password in a Router and its Recovery

In the last chapter, we learned about the hardware and software capabilities of the router. In this chapter
we are going to look at some administrative functions that you can configure on your Cisco router or switch,
such as:

• Providing a hostname for the router
• Creating a banner on the router
• Setting passwords on the router and recovering them

Though none of these functions changes the basic features of a router or switch, they will make your life
much easier while working on a big enterprise or service provider network. In this chapter I will give you a
clear idea of how to create a hostname on your office router and how to create a banner, but our main focus
will be how to set a password on a router and how to recover it.

• Hostname:

In a big enterprise, when a network engineer works with several routers, it is often difficult to identify
which router is which. Therefore hostnames are used to identify the router being worked on. Providing a
hostname has no significance for how the router performs.

Router(config)#hostname Afaz
Afaz(config)#

Though it is quite tempting to give a router your own name, I would recommend not doing that on a
production router. Remember, the above command works on both switches and routers.

• Banner:
In a production network, it is common to place banners on Cisco devices which include legal information
and other warnings for unauthorized individuals attempting to telnet or dial into your device.

Afaz(config)#banner ?
  exec   Set EXEC process creation banner
  login  Set login banner
  motd   Set Message of the Day banner

Login banners are displayed when an EXEC session is being established. You can configure a login banner to
be displayed on all connected terminals; it is displayed after the MOTD banner but before the login prompt.
If you want to disable the login banner, delete it with the no banner login command in the CLI. MOTD
banners are shown prior to the login banner and before user authentication; they give a message to every
person dialling into or connecting to the router via telnet or via the auxiliary or console port. EXEC
banners are shown once an individual has started an EXEC session with the device.
• Configuring Passwords:
Five passwords (console, auxiliary, telnet, enable and enable secret) are mainly used to secure your router
from unauthorized access. The enable and enable secret passwords are used to secure privileged mode: the
router or switch asks the user for this password when the enable command is used. Remember: never rely on
the enable password on a production router, because it is easy to crack; that is why it is recommended to
configure only the enable secret password, which is stored encrypted.

The other three passwords protect user mode when it is accessed via the console or auxiliary port or via
telnet. Remember that user-mode passwords are assigned using the line commands. The commands in the
table below work on both routers and switches to configure passwords.

Router(config)#enable password cisco        Sets enable password to cisco
Router(config)#enable secret cisco          Sets enable secret password to cisco
Router(config)#line console 0               Enters console line mode
Router(config-line)#password console        Sets console line mode password to console
Router(config-line)#login                   Enables password checking at login
Router(config)#line vty 0 4                 Enters vty line mode for all five vty lines
Router(config-line)#password telnet         Sets vty password to telnet
Router(config-line)#login                   Enables password checking at login
Router(config)#line aux 0                   Enters auxiliary line mode
Router(config-line)#password aux            Sets auxiliary line mode password to aux
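As an added example (not code from the book), here is a small Python check that applies this chapter's password rules to a saved IOS configuration: it flags an enable password without an enable secret, and any console, aux or vty line whose password is set but never checked because login is missing. Both configurations in it are constructed samples, and the function names are my own.

```python
# Added example (not from the book): a small check of a saved IOS configuration
# against the password rules in this chapter. Both configurations below are
# constructed samples, not taken from a real device.
from typing import Dict, List

# Constructed: the weak setup the chapter warns against, i.e. only an enable
# password, and a console line whose password is never checked (no login).
WEAK_CONFIG = """\
hostname Afaz
enable password cisco
line con 0
 password console
line aux 0
 password aux
 login
line vty 0 4
 password telnet
 login
"""

# Constructed: the same router following the chapter's recommendations.
HARDENED_CONFIG = """\
hostname Afaz
enable secret cisco
line con 0
 password console
 login
line aux 0
 password aux
 login
line vty 0 4
 password telnet
 login
"""


def line_blocks(config: str) -> Dict[str, Dict[str, bool]]:
    """Collect, for every 'line ...' block, whether it has a password and 'login'.
    In IOS output the sub-commands of a line are indented by one space."""
    blocks: Dict[str, Dict[str, bool]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = {"password": False, "login": False}
        elif raw.startswith(" ") and current is not None:
            sub = raw.strip()
            if sub.startswith("password "):
                blocks[current]["password"] = True
            elif sub == "login":
                blocks[current]["login"] = True
        else:
            current = None          # any other global command ends the block
    return blocks


def audit_passwords(config: str) -> List[str]:
    """Return one finding per rule from the chapter that the config violates."""
    findings: List[str] = []
    global_cmds = [l for l in config.splitlines() if not l.startswith(" ")]
    if any(l.startswith("enable password ") for l in global_cmds):
        findings.append("enable password is configured: easy to crack, use enable secret only")
    if not any(l.startswith("enable secret ") for l in global_cmds):
        findings.append("enable secret is missing: privileged mode is not protected by an encrypted secret")
    for name, state in line_blocks(config).items():
        if not state["password"]:
            findings.append(f"line {name}: no password set")
        elif not state["login"]:
            findings.append(f"line {name}: password set but 'login' missing, so it is not checked")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_passwords(cfg) or ['no findings']}")
```

Feed it the text of show running-config (or a saved startup-config) to get the same report for a real device.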

• Router Password Recovery:


So, we have learned how to set up passwords on your office router. In our daily lives we have to remember
so many things, like cell numbers, social security numbers, debit/credit card PINs, email/Facebook/mobile
and many more passwords, to keep things flowing. But network engineers have to remember the above-
mentioned details and network details, too. They have to keep in mind all the IP schemes, routing and
switching protocol details, and security details of the network devices they are currently using in an
organization. Routers play a core role in internetworking, so what if you forget the router's password?
Then your life will become hell, because without the password you cannot access your router, so if anything
goes wrong within the network you won't be able to monitor or change it. Don't be afraid, though: in this
part we are going to learn how to recover the password when required. Router password recovery is a very
common procedure and should be known by any CCNA without having to refer to documentation. These
passwords protect access to privileged EXEC and configuration modes. The enable password can be
recovered, but the enable secret password is encrypted and must be replaced with a new password. Use the
procedure described in this chapter to replace the enable secret password.

The information in this chapter is based on this hardware version: the Cisco 2600 Series Router, which is
by far the most popular router used in lab environments as well as in industry. You can also use the
recovery steps on other Cisco routers.

This password recovery procedure works for the following Cisco products: Cisco 806, 827, uBR900,
1003/4/5, 1400, 1600, 1700, 2600, 3600, 3700, 4500, 4700, AS5x00, 6x00, 7000 (RSP7000), 7100, 7200,
7500 and uBR7100 series routers.

The passwords for a router are stored in the startup-config file in NVRAM. Recovering the password
involves “breaking in” during the router boot-up process and configuring the configuration register so
that the startup-config file is bypassed. This allows the router to start in an unconfigured state with no
password. From that point, the network administrator again has control of the router and can both
recover configuration information and reset the password.

First, hook up the DB9 end of the standard light blue serial cable to your serial port. The other end of
the cable should plug into the port labelled “Console” on the back of the Cisco router. If you do not
have a serial port, then you'll need to go purchase a USB-to-serial adapter cable and install it on your
computer.

Now that your hardware is connected, establish a serial connection with the router. On Windows, I use
PuTTY for this connection. Yes, PuTTY can be used to make serial connections as well as telnet/SSH.
HyperTerminal works great as well. On Linux, I use minicom and on FreeBSD/OpenBSD, I use cu
(cu -s 9600 -l /dev/cuad0).

Reboot the router and press the Break key to interrupt the boot sequence.

After that, Type confreg 0x2142. This tells the router to bypass NVRAM during bootup. In other words,
your existing configuration won't be loaded. The good news is that it won't be deleted either.

Type reset to reboot the router. Answer No when prompted to run setup.

Type copy start run. This loads your start-up configuration into memory. Now, if you type a show run
config, you'll see the router configuration. Also, you should notice that your router name is now in the
prompt instead of the default “Router”.

Change the enable secret - “enable secret new_password”

Change the register back to 0x2102:


config-register 0x2102

When the router reboots it will load the old configuration with the new password.

Save the password so that it will be persistent during reboots, type copy run start

Reboot the router by typing reload at the enable prompt. I think you now need some practical
information. Shown below is a Cisco 2651XM router that has a console password on the device. With such
a password, you cannot access exec mode without authenticating this password correctly. When buying
routers used, you may commonly be faced with this scenario.

Consider the following steps to understand the process in a more convenient way:

Step 1. Power cycle the router, or power on the router initially. While the router is booting, you’ll need
to break the boot sequence to boot the router into boot ROM; you do this by holding down CTRL and
pressing PAUSE/BREAK. Do this repeatedly until you are placed at the boot ROM prompt.

Step 2. Change the configuration register so that the router will ignore the contents of the NVRAM when
booting into Cisco IOS. Set the configuration register to 0x2142 and boot the router.

Step 3 (Option 1) – After the router has booted into Cisco IOS, you’ll be prompted by the initial
configuration dialog; type n here and press enter and you’ll be placed into user mode. Now you’re able to
place yourself into privileged mode by typing enable. Once in privileged mode, you can copy the startup
configuration to the running configuration, change the passwords manually, and then save the
configuration to NVRAM by typing copy run start.


Step 4 (Option 2) – After the router has booted into Cisco IOS, you’ll be prompted by the initial
configuration dialog; type n here and press enter and you’ll be placed into user mode. Now you’re able to
place yourself into privileged mode by typing enable. Once in privileged mode, you can erase the contents
of NVRAM by issuing the write erase command.

Step 5. Once you’ve performed a password reset or NVRAM sanitation, you’ll need to set the configuration
register back to 0x2102 so the router will boot normally and load the NVRAM contents upon a reboot or
power failure.

Now I will show what I do when I forget the enable password. I enter a guessed password three times:

Router>enable
Password:
Password:
Password:


% Bad secrets (I got this message after entering the wrong password three times, again
and again)

Then I reboot the router and press the Break key to interrupt the boot sequence.

rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect
rommon 2 > reset
--- System Configuration Dialog --

Self decompressing the image: ###############################


############################### [OK]

Would you like to enter the initial configuration dialog? [Yes/no]: n


--- System Configuration Dialog ---
Router>
Router>enable
Router# copy startup-config running-config
Destination filename [running-config]?
1324 bytes copied in 2.35 secs (662 bytes/sec)
Router#
Router# configure terminal
Router(config)#enable secret < password >
Router(config)#^Z
Router#configure terminal
Router(config)#interface Ethernet0/0
Router(config-if)#no shutdown
Router#copy running-config startup-config

Router#configure terminal
Router(config)#config-register 0x2102
Router(config)#^Z
00:03:20: %SYS-5-CONFIG_I: Configured from console by console

Router#show version
--- System Configuration Dialog ---
Configuration register is 0x2142 (will be 0x2102 at next reload)

Now you can access your router as usual, and there is no need to fear at all when you forget or lose a Cisco
router’s password. Password recovery is a very basic requirement for a CCNA certified engineer. I could have
completed this chapter within 20 lines, but I know the importance of password recovery in the daily life of a
network engineer. That’s why I have given you the password recovery method with this broad a
description.


Part 4: IPv4 Routing


Chapter 14- Different Methods of Routing and Routing Protocols

Before discussing different methods of routing and routing protocols, let's discuss the meaning of
routing. In the last chapter, we discussed some features of routers, and as you may be aware, routing
means selecting the best possible route through a network. Routing is performed for many kinds of networks;
the most common is in transportation networks, where drivers optimize their journey by using the shortest
available route. But our main focus will be the routing methodology used in the packet switching or
information communication technology domain.

In packet switching technology, the term routing is used for taking a packet from one device or node and
transmitting it through the network to another node on a different network. The logical network address,
or IP address, of the destination host is used to get packets to the destination network through a routed
network, and the hardware address, or MAC address, of the host is used to deliver the packets from the last
router to the destination host. The routing process usually directs packet forwarding on the basis of routing
tables, which maintain a record of routes to various network destinations.

In the first chapter, we discussed the delivery methods of routing briefly; for your reference, we are going
to see some of the details of each routing methodology:
• Unicast: In unicast routing, a router delivers a message to a single specific node, and each
destination address uniquely identifies a single receiver endpoint. The routing of unicast (one-to-one)
IP packets over IP internetworks is a major part of today's internet.
• Broadcast: Broadcast, a one-to-all association, delivers a message or datagram to all nodes in the
network in a single transmission. The network automatically reproduces a datagram as required for
all linked network segments that have eligible receivers.
• Multicast: The IP multicast technique is used for one-to-many and many-to-many real-time communication
over IP infrastructure in a network. It scales to deliver a message to a group of receivers in a single
transmission. Multicast routing schemes are used for streaming video on the internet and on private
networks (for example, IPTV).
• Anycast: An anycast routing scheme (one-to-any) delivers a message to any one of a group of nodes,
typically the one nearest to the source; this is a one-to-nearest association. Anycast is usually
implemented using Border Gateway Protocol (BGP), where senders concurrently announce the same
destination IP address range from many different places on the network.
• Geocast: This routing scheme delivers a message or information to a group of hosts in a network
identified by geographic area. It is a specialized form of multicast addressing used for mobile ad hoc
networks.

In the CCNA syllabus, our main focus will be IP unicast routing, as this is the dominant form of datagram
delivery over the internet. When you are ready to go for CCNP Routing, you will learn about IP multicast in
depth.


As you may be aware, if a network is not directly connected to a router, the router must use static routing
or a dynamic routing protocol to learn about the remote network. Before jumping to static or dynamic
routing, let's discuss default routing.

Default Routing: Default routing is used to direct packets for which no more specific route is known, for
example when no routing protocol is available. A router uses the IP default route when it finds no matching
route in its routing table; the packet is then forwarded to the next hop given in the default route. This means
a default route is necessary to send packets out of stub networks, where learning all the more specific
networks is not desirable; otherwise the packets would be dropped, as there is no match in the routing table.

A question may come to your mind: what is a stub network? It is a network in which the gateway router
knows only a single path out and has no idea about other networks. As an example, you might have
experienced visiting the Caribbean islands, where a particular ferry takes you on board to your
destination. In this case, the ferry is your logical path to reach the destination, as you are not aware of
other possible routes; the same holds for a SOHO router, which is always the default gateway for home
appliances.

The default route in Internet Protocol version 4 (IPv4) is designated as the zero address 0.0.0.0; remember,
it is used only in stub network.

Some basic commands:

• ip default-gateway
• ip default-network

Static Routing:

In the Small Office/Home Office type of network shown above, static routing is used because routes are
configured manually. In this case, the network admin manually configures static routes by adding entries
to the routing table. If the network admin chooses to allow routing access only to a certain route (fixed
path), this gives more security than dynamic routing. Unfortunately, it is impossible to do manual
configuration for a big enterprise network. In today's networks, a mixture of static and dynamic routing is
used because it gives more flexibility in providing backup paths for your network. A static route is fixed and
does not change if any network hardware is changed or reconfigured. Static routing can be used to define an
exit point from a router when no other routes are available or necessary. This is called the default route.

Remember the command below to write a static route:

ip route <destination-network> <subnet-mask> <next-hop-address>

Dynamic Routing: Unlike static routing, dynamic routing protocols have a great deal of flexibility, because
they can choose another path automatically if the primary path is damaged. This means they can adapt to
keep as many routes as possible valid; that's why dynamic routing is sometimes referred to as adaptive
routing. The London Tube service is a perfect example of dynamic routing, where any passenger can use a
different route or station to reach their destination if a station is closed for maintenance.

RIP, EIGRP (Cisco proprietary) and OSPF are examples of dynamic routing protocols used in today's
enterprise networks. Another example of a dynamic routing protocol is Border Gateway Protocol (BGP), which
is beyond the scope of this book.

Before we discuss all the routing protocols (RIP, EIGRP, OSPF) in depth, we will look at some basic concepts
which we are going to use throughout the remaining chapters in this part of the book.

Routing Protocol Basics:


Administrative Distance: The most common term you will face in all routing protocols is administrative
distance. In simple terms, AD is used to rate the reliability of a routing protocol, or of routing information
received on a router from an adjacent router. An administrative distance (AD) is a numerical value that
routers use in order to select the best possible path when two or more separate routes to the same
target are learned from two different routing protocols. The integer ranges from 0 to 255, where 0 is the most
reliable and 255 means the route will never be used. Remember, when the router receives two updates listing
the same remote network, the router first checks the administrative distance (AD) and installs the route with
the lowest AD in the routing table; among routes with the same AD, the lowest metric wins. If both of the
advertised routes have the same AD as well as the same metric, then the router load-balances to the remote
network.

Please look at the table below for the default integer value of administrative distance:

Route Source          Default Administrative Distance
Connected Interface   0
Static Route          1
EIGRP                 90
IGRP                  100
OSPF                  110
RIP                   120
External EIGRP        170
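As an added example (not from the book), the following Python code models the two rules discussed above: route installation by administrative distance from the table just given (ties broken by metric, equal routes load-balanced) and lookup by longest prefix match, with the 0.0.0.0/0 default route catching packets for which no more specific route exists. The prefixes, next hops and sources in the sample table are constructed.

```python
"""Route selection by administrative distance and longest-prefix lookup with a
default route. Added example, not from the book; the sample routes are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Default administrative distances, as in the table above.
DEFAULT_AD = {
    "connected": 0, "static": 1, "eigrp": 90, "igrp": 100,
    "ospf": 110, "rip": 120, "external eigrp": 170,
}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str            # "directly connected" or the next-hop address
    source: str              # key into DEFAULT_AD
    metric: int = 0

    @property
    def ad(self) -> int:
        return DEFAULT_AD[self.source]


def select_best(candidates):
    """Routes installed for one prefix: lowest AD wins; among equal-AD routes
    the lowest metric wins; equal AD and metric means load balancing, so more
    than one route can be returned."""
    best_ad = min(r.ad for r in candidates)
    same_ad = [r for r in candidates if r.ad == best_ad]
    best_metric = min(r.metric for r in same_ad)
    return [r for r in same_ad if r.metric == best_metric]


def build_table(learned):
    """Group everything the router learned per prefix and keep only the winners."""
    by_prefix = {}
    for r in learned:
        by_prefix.setdefault(r.prefix, []).append(r)
    table = []
    for candidates in by_prefix.values():
        table.extend(select_best(candidates))
    return table


def lookup(table, dest):
    """Longest-prefix match. 0.0.0.0/0 matches every address with length 0, so
    the default route is used only when nothing more specific matches; None means
    the packet would be dropped."""
    dest = IPv4Address(dest)
    matches = [r for r in table if dest in r.prefix]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == longest]


# Constructed sample: 10.1.0.0/16 is learned from RIP and twice from OSPF,
# 10.1.5.0/24 is a static route, and a static default route points upstream.
LEARNED = [
    Route(IPv4Network("12.1.1.0/30"), "directly connected", "connected"),
    Route(IPv4Network("10.1.0.0/16"), "12.1.1.2", "rip", metric=3),
    Route(IPv4Network("10.1.0.0/16"), "12.1.1.2", "ospf", metric=74),
    Route(IPv4Network("10.1.0.0/16"), "12.1.1.6", "ospf", metric=74),
    Route(IPv4Network("10.1.5.0/24"), "12.1.1.10", "static"),
    Route(IPv4Network("0.0.0.0/0"), "12.1.1.1", "static"),
]
TABLE = build_table(LEARNED)


def next_hops(dest):
    """Sorted next hops the sample table would use for `dest` ([] if no route)."""
    hit = lookup(TABLE, dest)
    return sorted(r.next_hop for r in hit) if hit else []
```

RIP loses the 10.1.0.0/16 contest to OSPF on AD alone (120 against 110) even though its hop count looks smaller, which is exactly why AD is checked before the metric.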

There are three classes of routing protocols, which you will see throughout your Cisco certification journey.

Distance Vector:
Distance-vector protocols find the best path to a remote network by judging distance. Each time a
packet goes through a router, that's called a hop. The route with the least number of hops to the network is
determined to be the best route.

The vector indicates the direction to the remote network; both RIP and IGRP are distance-vector routing
protocols. They send the entire routing table to directly connected neighbors.

Link-State Protocols:
In link-state protocols, also called shortest-path-first protocols, the routers each create three separate
tables. One of these tables keeps track of directly attached neighbors, one determines the topology of the
entire internetwork, and one is used as the routing table. A router running a link-state protocol knows
more about the internetwork than one running any distance-vector routing protocol. OSPF is an IP routing
protocol that is completely link-state. Link-state protocols send updates containing the state of their own
links to all other routers in the network.

Hybrid:
Hybrid protocols combine aspects of both distance-vector and link-state routing protocols. The Cisco
proprietary protocol EIGRP is the best example of this.

Routing Loops:
Distance-vector routing protocols keep track of any changes to the internetwork by broadcasting routing
updates out of all active interfaces. This broadcast includes the complete routing table. If a network outage
happens, real problems occur due to the slow convergence of distance-vector routing protocols,
resulting in inconsistent routing tables and routing loops. Routing loops can happen because not every
router updates simultaneously.

Split Horizon:
To overcome the routing loop problem in distance-vector routing protocols, the split horizon rule is applied.
It means routing information can't be sent back in the direction from which it came; this reduces
incorrect routing information and routing overhead in distance-vector routing protocols. In other words, a
route is never advertised back out of the same interface on which it was received or learned.

Route Poisoning:
Route poisoning is used by various distance-vector protocols to overcome large routing loops (where a route
that is no longer reachable keeps being advertised) and to give explicit information when a subnet or network
is not accessible. In simple words, it is a method to prevent a router from sending packets along an invalid
route. To accomplish this, the hop count is set to one more than the maximum. In the case of RIP, the
maximum hop count is 15, so to perform route poisoning the hop count must be set to 16, deeming the
route unreachable, and a routing update is sent. Route poisoning does not break the split horizon rule. Split
horizon with poison reverse is route poisoning applied on links across which split horizon would not normally
allow routing information to flow. In either case, the result is that failed routes are advertised with
infinite metrics.


Chapter 15 - Routing Information Protocol- RIP v2 and RIPv1

In the new CCNA exam syllabus, RIP is excluded, but I am still including this protocol because it’s important
to understand the first widely deployed routing protocol. RIP is a standardized Distance Vector protocol,
designed for use on smaller Networks and is supported on a wide variety of systems. It uses a Bellman-
Ford Distance Vector algorithm. RIP was one of the first true distance vector routing protocols; it employs
the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of
hops allowed in a path from the source to a destination. The maximum number of hops allowed for RIP is
15. This hop limit, however, also limits the size of networks that RIP can support. A hop count of 16 is
considered an infinite distance and is used to deprecate inaccessible, inoperable, or otherwise undesirable
routes in the selection process.

RIP implements the split horizon, route poisoning, and hold-down mechanisms to prevent incorrect
routing information from being propagated. These are some of the stability features of RIP. It is also
possible to use the routing information protocol with metric-based topology (RMTI) algorithm to cope
with the count-to-infinity problem. With RMTI, it is possible to detect every possible loop with a very small
computation effort.

RIP Characteristics Summary:

• RIP adheres to the following distance vector characteristics:
o RIP sends out periodic routing updates (every 30 seconds)
o RIP sends out the full routing table every periodic update
o RIP uses a form of distance as its metric (in this case, hop count)
o RIP uses the Bellman-Ford distance vector algorithm to determine the best “path” to a
particular destination
• Other characteristics of RIP include:
o RIP supports IP and IPX routing.
o RIP utilizes UDP port 520.
o RIP routes have an administrative distance of 120.
o RIP has a maximum hop count of 15 hops.

Let’s look at its technical mechanism:


1. Algorithm: Routing Information Protocol (RIP) is based on the Bellman-Ford algorithm: routers pass
periodic copies of their routing table to neighboring routers and accumulate cost. RIP uses hop count
as the metric for each link. For example, consider three adjacent routers, A, B and C, connected in a
straight line. Router A passes its routing table to Router B; Router B adds one to the metric and
passes the routing table to its other neighbor, Router C. The same step-by-step process occurs in all
directions between directly neighboring routers.
2. Topology Change: The routing table must be updated whenever the internetwork topology
changes. A table update requires each router to send its routing table to each of its adjacent
neighbours. When a router receives an update, it compares the update with its routing table. It
adds the metric of reaching the neighbour router to the path metric reported by the neighbour to
establish a new metric.
3. Problems and Solutions: There are a number of issues relevant to RIP. First, the slow convergence
may cause inconsistent routing entries, occasionally resulting in routing loops. When there is a link
failure, other routers cannot receive the failure notification before sending their own updates.
Consequently, the network bounces the incorrect routing table around and increments the metric. The
metric can eventually approach infinity. In order to correct this problem, combinations of
solutions have been implemented. By defining 15 to be the maximum number of hops, the infinite
looping problem can be prevented. A second solution uses “split horizon”, which forbids the router
from sending information about a route back in the direction from which the original packet arrived.
Moreover, a hold-down timer can be used. It instructs the router to delay any changes that involve
the defective routes. Finally, the router can send messages as soon as it notices a change in its
routing table (triggered update).
4. Disadvantages: There are several disadvantages to RIP. The network is restricted to a size of 15
hops due to the solution to the “count to infinity” problem. In addition, the periodic broadcast of
the routing table consumes bandwidth. The convergence is slow too.
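The following Python simulation is an added example, not the book's code, that puts the routing-loop, split-horizon and route-poisoning discussion of the previous chapter and the Bellman-Ford description above to work: three routers A, B and C in a line exchange whole tables every round until they converge, then the B-C link fails and we watch B's hop count to C's network either count up towards 16 or get poisoned at once. The topology, the network names and the synchronous update rounds are constructed assumptions.

```python
"""RIP-style distance-vector routing by hop count with optional split horizon
and poison reverse. Added example, not from the book; topology is constructed."""

INFINITY = 16   # RIP: 15 hops is the maximum, 16 means unreachable


class Router:
    def __init__(self, name, connected_net):
        self.name = name
        # destination -> (hops, next_hop); a connected net has 0 hops and no next hop
        self.table = {connected_net: (0, None)}

    def advertise(self, to, split_horizon, poison_reverse):
        """The whole table sent to neighbour `to`, as RIP does every period."""
        adv = {}
        for dest, (hops, next_hop) in self.table.items():
            if split_horizon and next_hop == to:
                if poison_reverse:          # poison reverse: say it is unreachable via us
                    adv[dest] = INFINITY
                continue                    # plain split horizon: say nothing
            adv[dest] = hops
        return adv

    def receive(self, sender, adv):
        """Bellman-Ford step: one hop to the sender plus the advertised hops."""
        changed = False
        for dest, hops in adv.items():
            new = min(hops + 1, INFINITY)
            cur_hops, cur_next_hop = self.table.get(dest, (INFINITY, None))
            # A better route wins; our current next hop may also make the route worse.
            if new < cur_hops or (cur_next_hop == sender and new != cur_hops):
                self.table[dest] = (new, sender)
                changed = True
        return changed


class Network:
    def __init__(self, split_horizon, poison_reverse=False):
        self.split_horizon = split_horizon
        self.poison_reverse = poison_reverse
        self.routers = {n: Router(n, "net" + n) for n in "ABC"}
        self.links = {frozenset("AB"), frozenset("BC")}   # A - B - C in a line

    def neighbours(self, name):
        return sorted(n for link in self.links if name in link for n in link if n != name)

    def exchange(self):
        """One synchronous periodic update; True if any table changed."""
        updates = []
        for src in self.routers:
            for dst in self.neighbours(src):
                adv = self.routers[src].advertise(dst, self.split_horizon, self.poison_reverse)
                updates.append((src, dst, adv))
        changed = False
        for src, dst, adv in updates:
            changed |= self.routers[dst].receive(src, adv)
        return changed

    def converge(self, max_rounds=40):
        """Run periodic updates until nothing changes; return the rounds used."""
        for rnd in range(1, max_rounds + 1):
            if not self.exchange():
                return rnd
        return max_rounds

    def fail_link(self, a, b):
        """Link loss: each end poisons the routes that pointed over the link (16 hops)."""
        self.links.discard(frozenset((a, b)))
        for me, lost in ((a, b), (b, a)):
            table = self.routers[me].table
            for dest, (hops, next_hop) in list(table.items()):
                if next_hop == lost:
                    table[dest] = (INFINITY, lost)


def simulate(split_horizon, poison_reverse=False):
    """Converge, fail the B-C link, then return (rounds to reconverge, B's hop
    count to netC after each round) for the chosen loop-prevention settings."""
    net = Network(split_horizon, poison_reverse)
    net.converge()
    net.fail_link("B", "C")
    history = []
    for rnd in range(1, 41):
        changed = net.exchange()
        history.append(net.routers["B"].table["netC"][0])
        if not changed:
            return rnd, history
    return 40, history
```

Without split horizon, A keeps handing B's own stale route back to it, so B's hop count walks 3, 5, 7, ... up to 15 before both routers finally agree on 16; with split horizon (with or without poison reverse) the failure is settled in two rounds.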

In the diagram below (figure 1), RIP v2 is configured in GNS3 software to help understand it better in a
practical scenario.

I am going to take routers R1 and R2 and configure RIPv2 between them. Two loopbacks, 1.1.1.1/32 and
2.2.2.2/32, are configured on R1 and R2. Let’s look at the routing table in figure 2 below.

Figure 2: Routing Table of Router R1 using RIP v2 as routing protocol:

We are getting the 2.0.0.0/8 route on R1 as a RIP route with an AD value of 120 and a metric value of 1 via
12.1.1.2, router R2’s interface.

There are three versions of the Routing Information Protocol: RIPv1, RIPv2, and RIPng. RIPv1 and RIPv2
are used for IPv4 routing, whereas RIPng (RIP next generation) is designed for IPv6 routing. I hope you have
a brief idea about RIP v2 and RIP v1, so let's go into some details to understand when and why to choose RIPv2
over RIPv1.


Significant Differences between RIPv1 and RIPv2:

Message format: The RIPv1 message format contains a number of “must be zero” fields; these fields are
used by RIPv2’s extended functionality. They are routing domain (2 bytes), route tag (2 bytes), subnet
mask (4 bytes) and next hop (4 bytes). The version field contains a value of 1 for RIPv1 messages and 2 for
RIPv2.

Routing per subnet: RIPv1 supported subnet entries only within the subnetted network. This enforces
strict hierarchical routing. RIPv2 allows routing on the subnet outside of the network by passing subnet
mask information in parallel with the address. This also allows support of variable length masks within the
same network, or aggregation of several class-C addresses within one address group.

Authentication: RIPv1 is not a secure routing protocol. Any host sending packets from UDP port 520 would
be regarded as a router and trusted by its neighbors. RIPv2 includes an authentication procedure, which
specifies that the first entry in a packet be replaced by an “authentication segment.” The packet will
contain a 32-bit command, an “address family identifier” of 0xFFFF, an “authentication type” that
identifies the algorithm in use, 16 bytes of authentication data, and then up to 24 destination-metric pairs.

Routing domains, next hop: RIPv2 supports multiple autonomous systems on the same wire by using a
16-bit “routing domain” number. A router identifies the destination network of a packet by examining this
field. RIPv2 also includes a “next hop” field to indicate the best relay hop for the other logical network on
the same wire.

Multicast: RIPv1 uses a broadcast address to send routing advertisements to all nodes on the same wire.
RIPv2 utilizes a class-D address (224.0.0.9) for periodic multicasts. This effectively prevents other non-
router hosts on the same wire from receiving routing messages.
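To make the message-format and authentication differences concrete, here is an added Python parser and receiver check (not from the book) for RIPv1/RIPv2 messages laid out as described above and in RFC 1058 / RFC 2453: it reads the version field, flags RIPv1 "must be zero" fields that are not zero, recognises the authentication entry with address family identifier 0xFFFF, and refuses an unauthenticated response when authentication is required. The sample messages, including the password ccna, are constructed.

```python
"""RIPv1/RIPv2 message parser with the receiver-side checks a router should make.
Added example, not from the book; sample messages below are constructed."""
import struct
from ipaddress import IPv4Address

RIP_PORT = 520
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_SIMPLE_PASSWORD = 2            # RFC 2453 authentication type: plain-text password
INFINITY = 16
HEADER = struct.Struct("!BBH")      # command, version, routing domain (RIPv1: must be zero)
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, subnet mask, next hop, metric
AUTH = struct.Struct("!HH16s")      # 0xFFFF, authentication type, 16 bytes of auth data


def parse_rip(data):
    """Return header fields, the optional auth entry, the route entries and a list
    of findings (anything a receiver should treat as suspicious or malformed)."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError("truncated RIP message")
    command, version, domain = HEADER.unpack_from(data, 0)
    msg = {"command": command, "version": version, "routing_domain": domain,
           "auth": None, "routes": [], "findings": []}
    if version not in (1, 2):
        msg["findings"].append(f"unknown RIP version {version}")
        return msg
    if version == 1 and domain:
        msg["findings"].append("RIPv1 header must-be-zero field is non-zero")
    for index, off in enumerate(range(HEADER.size, len(data), ENTRY.size)):
        afi = struct.unpack_from("!H", data, off)[0]
        if afi == AFI_AUTH:                      # authentication segment
            _, auth_type, auth_data = AUTH.unpack_from(data, off)
            if index != 0:
                msg["findings"].append("authentication entry is not the first entry")
            if version == 1:
                msg["findings"].append("authentication entry in a RIPv1 message")
            msg["auth"] = {"type": auth_type, "data": auth_data}
            continue
        afi, tag, addr, mask, nexthop, metric = ENTRY.unpack_from(data, off)
        route = {"afi": afi, "route_tag": tag, "network": str(IPv4Address(addr)),
                 "mask": str(IPv4Address(mask)), "next_hop": str(IPv4Address(nexthop)),
                 "metric": metric}
        # RIPv1 has no route tag, mask or next hop: those bytes must be zero.
        if version == 1 and (tag or int.from_bytes(mask, "big") or int.from_bytes(nexthop, "big")):
            msg["findings"].append(f"RIPv1 must-be-zero fields set in entry for {route['network']}")
        if not 1 <= metric <= INFINITY:
            msg["findings"].append(f"metric {metric} out of range for {route['network']}")
        msg["routes"].append(route)
    if len(msg["routes"]) > (24 if msg["auth"] else 25):
        msg["findings"].append("too many route entries")
    return msg


def accept_response(data, require_auth):
    """Receiver policy: (accepted, reasons). A response is taken only when it is
    well formed and, if authentication is required, is RIPv2 with an auth entry."""
    msg = parse_rip(data)
    if msg["command"] != 2:
        return False, msg["findings"] + ["not a response"]
    if require_auth and (msg["version"] != 2 or msg["auth"] is None):
        return False, msg["findings"] + ["unauthenticated response rejected"]
    return not msg["findings"], msg["findings"]


def _route(network, mask="0.0.0.0", next_hop="0.0.0.0", metric=1, tag=0):
    """Constructed route entry for the sample messages."""
    return ENTRY.pack(AFI_IP, tag, IPv4Address(network).packed, IPv4Address(mask).packed,
                      IPv4Address(next_hop).packed, metric)


# Constructed samples: the RIPv1 response carries the classful 2.0.0.0 route seen in
# the routing tables above; the RIPv2 one carries the 2.2.2.2/32 loopback with its mask,
# preceded by a simple-password authentication entry.
RIPV1_RESPONSE = HEADER.pack(2, 1, 0) + _route("2.0.0.0")
RIPV2_RESPONSE = (HEADER.pack(2, 2, 0)
                  + AUTH.pack(AFI_AUTH, AUTH_SIMPLE_PASSWORD, b"ccna".ljust(16, b"\0"))
                  + _route("2.2.2.2", "255.255.255.255"))
# A RIPv1 message with a filled-in mask field: a receiver should flag it.
BAD_RIPV1 = HEADER.pack(2, 1, 0) + _route("2.0.0.0", "255.0.0.0")
```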
Now it’s time to check the above described points by taking two routers and, after configuring each router
with the required IP address and loopbacks, we will configure RIP as follows:


Routing protocol configuration occurs in global configuration mode. On Router R1, to configure RIP, we
would type:

R1(config)# router rip
R1(config-router)# network 12.0.0.0
R1(config-router)# network 1.0.0.0

The first command, router rip, enables the RIP process. The network statements tell RIP which networks
you wish to advertise to other RIP routers. We simply list the networks that are directly connected to our
router. Notice that we specify the networks at their classful boundaries, and we do not specify a subnet
mask.

To configure Router R2:

R2(config)# router rip
R2(config-router)# network 12.0.0.0
R2(config-router)# network 2.0.0.0

R1# show ip route

Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
R 2.0.0.0/8 [120/1] via 12.1.1.2, 00:00:10, Serial2/0
12.0.0.0/30 is subnetted, 1 subnets
C 12.1.1.0 is directly connected, Serial2/0

The routing table on Router R2 will look like:

R2# show ip route

Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
R 1.0.0.0/8 [120/1] via 12.1.1.1, 00:00:10, Serial2/0
12.0.0.0/30 is subnetted, 1 subnets
C 12.1.1.0 is directly connected, Serial2/0

We apply the same configuration with RIPv2 as in below figure:


R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# no auto-summary
R1(config-router)# network 12.1.1.0
R1(config-router)# network 1.1.1.1

The second command, version 2, enables the RIPv2 process. Notice that we specify the networks at their
classless boundaries. By default, automatic summarization is enabled, so we would get summarized (classful)
routes; that is why we issue no auto-summary to get classless routes.

To configure Router R2:

R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# no auto-summary
R2(config-router)# network 12.1.1.0
R2(config-router)# network 2.2.2.2

R1# show ip route

Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
R 2.2.2.2 [120/1] via 12.1.1.2, 00:00:07, Serial2/0
12.0.0.0/30 is subnetted, 1 subnets
C 12.1.1.0 is directly connected, Serial2/0

The routing table on Router R2 will look like:

R2# show ip route

Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
R 1.1.1.1 [120/1] via 12.1.1.1, 00:00:12, Serial2/0
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
12.0.0.0/30 is subnetted, 1 subnets
C 12.1.1.0 is directly connected, Serial2/0

If you look at the output of R1 and R2 in both scenarios, it is clearly shown that with RIPv1 we get the classful
route 2.0.0.0 on R1, whereas using RIPv2 we get the classless route 2.2.2.2 on R1.


R1(config)# key chain cisco
R1(config-keychain)# key 1
R1(config-keychain-key)# key-string ccna
R2(config)# key chain cisco
R2(config-keychain)# key 1
R2(config-keychain-key)# key-string ccna

The first command creates a key chain called cisco. We must associate a key with our keychain.

Then we actually configure the shared key using the key-string command.

We then apply our key chain to the interface connecting to the other router:

R1(config)# interface s2/0
R1(config-if)# ip rip authentication key-chain cisco
R2(config)# interface s2/0
R2(config-if)# ip rip authentication key-chain cisco

The table below makes you more comfortable with understanding both versions.

I hope you understand all the basics of Routing Information Protocol (RIP) and also understand when and why
RIPv2 needs to be used over RIPv1. You can also apply the described scenario to real devices or to Packet
Tracer/GNS3 simulators.


Chapter 16 - Enhanced Interior Gateway Routing Protocol (EIGRP)

Enhanced Interior Gateway Routing Protocol (EIGRP) is, as the name says, an enhancement of the Interior
Gateway Routing Protocol (IGRP). EIGRP is a Cisco proprietary hybrid protocol that, while retaining some concepts
introduced with IGRP, is distinctly different from IGRP.

The first question that may come to your mind is: why is EIGRP a hybrid protocol? Why not a distance vector
routing protocol or a link state protocol?

From the name hybrid routing, you can understand that it is a combination of distance-vector routing, which
works by sharing its knowledge of the entire network with its neighbors, and link-state routing, which works by
having each router tell every other router in the network about its closest neighbors. In general, EIGRP uses
distance-vector mechanisms with more accurate metrics to determine the best paths to destination networks,
and reports routing information only when there is a change in the network topology. It allows rapid
convergence like OSPF, but requires less CPU (processing power) and memory compared to a link-state routing
protocol.

Main Features:
EIGRP is an Interior Gateway Protocol (IGP) designed for routing within a single administrative domain or
autonomous system (AS). It is a classless protocol, which means each route entry in an update includes a subnet
mask as well. The subnet masks sent with each route in updates may be of different length. This feature is called
variable-length subnet masking and it allows for subnetting as well as address aggregation or summarization.
EIGRP packets can also be optionally authenticated using an MD5 checksum, if authentication is configured.
EIGRP uses the Diffusing Update Algorithm (DUAL) to achieve fast convergence while remaining loop-free at all
times. EIGRP updates are not sent at regular intervals; rather, updates are sent only when a metric or topology
change takes place. Also, the updates will include only routes that have changed and not every entry in the routing
table. In other words, EIGRP updates are both non-periodic and partial in contrast to other distance vector
protocols like Routing Information Protocol (RIP). You may recall that RIP sends updates at regular intervals and
includes all routes in the routing table in every update. These characteristics mean that EIGRP uses much less
bandwidth than other distance vector protocols, a feature that is especially useful on low-bandwidth Wide Area
Network (WAN) links.


EIGRP Packets:
EIGRP uses special packets to run its operations. The Reliable Transport Protocol (RTP) is used to send and receive
EIGRP packets. RTP ensures that packets not only get delivered but are delivered in order. We will go into a bit of
detail about multiple EIGRP packet types, which are all identified by protocol number 88 in the IP packet header.
• Hellos are used for neighbor discovery and recovery after a neighbor is lost. Hello packets are sent as
multicasts to 224.0.0.10. Hellos use unreliable delivery, which means they are not acknowledged.
• Acknowledgements (ACKs) are actually Hello packets but without any data in them. ACKs are sent as
unicasts and use unreliable delivery like Hellos.
• Updates contain the route information including subnets and masks. Unlike RIP and IGRP updates, these
packets contain only the routes that actually change, and are sent only when there are metric or topology
changes to routers that require the information. Updates always use reliable delivery which means they
are always acknowledged using ACKs.
• Queries and Replies are used to ask neighbors about lost routes. Queries can be multicast or unicast, but
replies are always unicast. Queries and replies both use reliable delivery, which means both are
separately acknowledged.

If a Query or Update is reliable multicast but an ACK is not received from a neighbor, the packet will be
retransmitted as a unicast only to the neighbor that failed to respond. If an ACK is not received even after 16 of
these unicast retransmissions, the neighbor will be declared dead.

EIGRP Neighbor Discovery:

EIGRP Hello packets are used to discover and track other EIGRP-speaking routers on directly connected networks.
On most networks, Hellos are multicast every five seconds, minus a very small random time to prevent
synchronization. On multipoint Frame Relay interfaces with access link speeds of T1 or slower, Hellos are unicast
every 60 seconds. You can change the default Hello interval, on a per-interface basis, with the command
ip hello-interval eigrp.

Each Hello packet includes a hold time. When a router receives a Hello packet from a neighbor, the hold time in
the packet tells the router the maximum time it should wait to receive subsequent Hellos. If the hold timer expires
before a Hello is received, the neighbor is declared unreachable. By default, the hold time is three times the Hello
interval. This makes the default value of hold time either 15, or 180 seconds depending on the type of interface.
The default can be changed, on a per interface basis, with the command ip hold-time eigrp.

EIGRP records information about each neighbor in a neighbor table. The neighbors table contains the IP address
of the neighbor and the interface on which the neighbor’s Hellos are received. The neighbor table can be viewed
using the show ip eigrp neighbor command.

Feasible Distance (FD) and Feasibility Condition:

An EIGRP-speaking router uses Hellos to discover neighbors and to identify itself to them. When a neighbor is
discovered, EIGRP will attempt to form an adjacency with that neighbor. An adjacency is a logical association
between two neighbors over which route information can actually be exchanged.

When EIGRP adjacencies have been established, updates are exchanged with neighbors. The updates contain all
routes known by the router sending the update, along with the metrics of those routes. The router receiving an
EIGRP update calculates a metric, or distance, based on the distance advertised by the neighbor and the cost of
the link to that neighbor.

The lowest distance calculated by a router for each destination will become the feasible distance (FD) of that
destination. For example, a router may learn three different routes to subnet 192.168.73.0 and may calculate
metrics of 360832, 886028, and 12348428 for the three routes. 360832 will become the FD because it is the lowest
calculated distance for 192.168.73.0.

The feasibility condition (FC) is something you would encounter pretty often in any discussion on EIGRP. It is a
condition that is met if the distance advertised by a neighbor for a destination is lower than the router's FD to that
same destination. If a neighbor's advertised distance to a destination meets the FC, the neighbor becomes a
feasible successor for that destination.

For example, if the FD to subnet 192.168.23.0 is 360832 and a neighbor advertises a route to that subnet with a
distance of 355042, the neighbor will become a feasible successor. If the same neighbor advertises a distance of
370289, it will not satisfy the feasibility condition and will not become a feasible successor. These concepts are
central to loop avoidance in EIGRP because installing a route in the routing table with a reported distance higher
than the FD may indicate a route that points back to the router receiving the route.

Topology Table:

The EIGRP topology table contains every destination known to the router for which one or more feasible
successors exist. The topology table contains the following information:
• FD of the destination
• All feasible successors
• Advertised distance of each feasible successor to the destination
• The distance calculated locally to the destination via each feasible successor
• The local interface connected to the network on which each feasible successor is found

You can view the EIGRP topology table using the show ip eigrp topology command.

The ultimate goal of every dynamic routing protocol is to place routes in the routing table. It is, after all, the IP
routing table that is used by the router to route packets. For every destination listed in the EIGRP topology table,
the route with the lowest metric is picked up and placed in the routing table. The neighbor that advertised that
route becomes the successor to which packets for that destination are sent.
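To make the FD, feasibility condition and successor selection described above concrete, here is an added Python example (not from the book). It treats the locally calculated distance as the neighbor's reported distance plus the cost of the link to that neighbor, a simplification of the real composite metric, and it reuses the metrics quoted in the text; the neighbor addresses 10.0.0.x and the two extra "via" lines for 10.10.3.0/24 are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One path to a destination, as learned from one EIGRP neighbor."""
    neighbor: str            # next-hop neighbor address
    reported_distance: int   # metric the neighbor advertises (RD)
    link_cost: int           # metric of our own link to that neighbor
    interface: str           # local interface the neighbor is reached on

    @property
    def local_distance(self) -> int:
        # Simplification of the composite metric: the distance through this
        # neighbor is what it reports plus the cost of our link to it.
        return self.reported_distance + self.link_cost


def evaluate(candidates):
    """Return (FD, successors, feasible_successors) for one destination.

    FD is the lowest locally computed distance. Successors are the neighbors
    that achieve it and are installed in the routing table. Feasible
    successors are the remaining neighbors that satisfy the feasibility
    condition RD < FD; they stay in the topology table as loop-free backups.
    A neighbor whose RD is >= FD may be routing through us, so it is excluded.
    """
    if not candidates:
        return None, [], []
    fd = min(c.local_distance for c in candidates)
    successors = [c for c in candidates if c.local_distance == fd]
    feasible = [c for c in candidates
                if c.local_distance != fd and c.reported_distance < fd]
    return fd, successors, feasible


# Constructed sample for 192.168.23.0 that reuses the figures from the text:
# local distances 360832, 886028 and 12348428; the two non-best neighbors
# advertise 355042 (passes the FC) and 370289 (fails the FC).
SAMPLE_192_168_23_0 = [
    Candidate("10.0.0.1", 332800, 28032, "FastEthernet0/0"),     # 360832
    Candidate("10.0.0.2", 355042, 530986, "FastEthernet0/1"),    # 886028
    Candidate("10.0.0.3", 370289, 11978139, "Serial0/0"),        # 12348428
]

# 'via <next-hop> (<local distance>/<RD>), <interface>' as printed by
# show ip eigrp topology; 'via Connected, ...' lines carry no neighbor.
VIA_RE = re.compile(r"via (\d+\.\d+\.\d+\.\d+) \((\d+)/(\d+)\), (\S+)")


def candidates_from_topology(via_lines):
    """Build Candidates from topology-table 'via' lines. The link cost is
    recovered as local distance minus RD (the additive simplification)."""
    out = []
    for line in via_lines:
        m = VIA_RE.search(line)
        if not m:                      # e.g. 'via Connected, Loopback0'
            continue
        nh, local, rd, intf = m.groups()
        out.append(Candidate(nh, int(rd), int(local) - int(rd), intf))
    return out


# The real line for 10.10.3.0/24 from the R1 output later in this chapter,
# plus two constructed alternative paths for the same prefix.
SAMPLE_VIA_LINES = [
    "via 192.168.12.2 (2323456/2297856), FastEthernet0/0",
    "via 192.168.13.3 (2681856/2297856), Serial0/1",    # constructed
    "via 192.168.14.4 (2809856/2784256), Serial0/2",    # constructed
    "via Connected, Loopback0",                          # ignored
]


def summarize(candidates):
    """Classify every next hop the way the topology table would list it."""
    fd, succ, feas = evaluate(candidates)
    roles = {c.neighbor: "successor" for c in succ}
    roles.update({c.neighbor: "feasible successor" for c in feas})
    for c in candidates:
        roles.setdefault(c.neighbor, "not feasible (RD >= FD)")
    return fd, roles


if __name__ == "__main__":
    for name, cands in [("192.168.23.0", SAMPLE_192_168_23_0),
                        ("10.10.3.0", candidates_from_topology(SAMPLE_VIA_LINES))]:
        fd, roles = summarize(cands)
        print(f"{name}: FD={fd}")
        for nh, role in roles.items():
            print(f"  via {nh}: {role}")
```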

The EIGRP operation, as you may have realized, is quite complex, but the complexity is handled by the Cisco IOS
Software behind the scenes. As a result, EIGRP configuration is not that complex. We present to you a scenario
that consists of three routers: R1, R2, and R3, interconnected as shown in Figure 1. We will configure EIGRP on
these three routers in order to achieve reachability from any subnet to any other subnet in the given topology.

Figure 1 Configuring EIGRP

We start by configuring interface IP addresses on R1.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface Loopback0
R1(config-if)#ip address 10.10.1.1 255.255.255.0
R1(config-if)#exit
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#end
R1#
Let's now configure IP addresses on R2.

R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#interface Loopback0
R2(config-if)#ip address 10.10.2.2 255.255.255.0
R2(config-if)#exit
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 192.168.12.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface Serial0/0
R2(config-if)#ip address 192.168.23.1 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#end
R2#

We finally configure R3 to complete IP address configuration.

R3>enable
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface Loopback0
R3(config-if)#ip address 10.10.3.3 255.255.255.0
R3(config-if)#exit
R3(config)#interface Serial0/0
R3(config-if)#ip address 192.168.23.2 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#end
R3#

At this point, IP addresses have all been configured. Let's go to router R1 and try to ping the directly connected
interface of R2.

R1#ping 192.168.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/29/56 ms
R1#

That's a success, but what if we try to ping the Loopback interface of R2 from R1?

R1#ping 10.10.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#

That doesn't look very good. Let's have a look at the routing table of R1.

R1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.1.0 is directly connected, Loopback0

As you can see in the output of show ip route command above, R1 knows only about its directly connected
subnets. It has no knowledge whatsoever about what lies beyond. In order to achieve end-to-end reachability in
our topology, we will use EIGRP to propagate routing information dynamically.

Let's configure EIGRP on the three routers one by one. The router eigrp command, entered in global configuration
mode with an autonomous-system-number argument, creates an EIGRP routing instance. It is the first step in
configuring EIGRP on a router, as shown here for R1.

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#

The command no auto-summary is needed to disable automatic route summarization at classful network
boundaries. The next step in configuring EIGRP is to specify which router interfaces are included in EIGRP
using the network command. The router will send EIGRP messages and try to establish adjacencies with
other EIGRP speaking routers off these interfaces. We will enable EIGRP on Loopback0 and
FastEthernet0/0 on R1. You should carefully note the inverse mask used with the network command.

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 10
R1(config-router)#no auto-summary
R1(config-router)#network 10.10.1.0 0.0.0.255
R1(config-router)#network 192.168.12.0 0.0.0.255
R1(config-router)#end
R1#

And that completes our EIGRP configuration on R1. Wasn't that simple? Let's proceed and configure EIGRP on R2
and R3 following the same pattern.

R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 10
R2(config-router)#no auto-summary
R2(config-router)#network 10.10.2.0 0.0.0.255
R2(config-router)#network 192.168.12.0 0.0.0.255
R2(config-router)#network 192.168.23.0 0.0.0.3
R2(config-router)#end
R2#

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router eigrp 10
R3(config-router)#no auto-summary
R3(config-router)#network 10.10.3.0 0.0.0.255
R3(config-router)#network 192.168.23.2 0.0.0.3
R3(config-router)#end
R3#

That completes our EIGRP configuration on R1, R2, and R3, and it’s time to verify that our configuration works as
expected. If we configured EIGRP correctly, EIGRP adjacencies should have been established between R1 and R2,
as well as between R2 and R3. Let's see if that's the case using the show ip eigrp neighbor command on R1.

R1#show ip eigrp neighbor
IP-EIGRP neighbors for process 10
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   192.168.12.2            Fa0/0             12 00:00:35   32   450  0  10

You can see that R1 has established adjacency with 192.168.12.2, which happens to be the IP address on the R2
interface connected directly to R1. Let's now check if R2 has established an EIGRP adjacency with R3.

R2#show ip eigrp neighbor
IP-EIGRP neighbors for process 10
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   192.168.23.2            Se0/0             11 00:08:01   44   396  0  3
0   192.168.12.1            Fa0/0             14 00:09:29   52   312  0  3

You actually see two EIGRP neighbors on R2 indicating that it has established EIGRP adjacencies with both R1 and
R3.

Now that EIGRP adjacencies have been established, we can hope that some routing information would also have
been exchanged between routers. Let's first examine the EIGRP topology table on R1 using the show ip eigrp
topology command.

R1#show ip eigrp topology
IP-EIGRP Topology Table for AS(10)/ID(10.10.1.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 10.10.1.0/24, 1 successors, FD is 128256
        via Connected, Loopback0
P 10.10.2.0/24, 1 successors, FD is 156160
        via 192.168.12.2 (409600/128256), FastEthernet0/0
P 10.10.3.0/24, 1 successors, FD is 2300416
        via 192.168.12.2 (2323456/2297856), FastEthernet0/0
P 192.168.12.0/24, 1 successors, FD is 281600
        via Connected, FastEthernet0/0
P 192.168.23.0/30, 1 successors, FD is 2172416
        via 192.168.12.2 (2195456/2169856), FastEthernet0/0

We can see several entries with their successors listed along with the FD for each. Let's examine the routing table
on R1 using the good old show ip route command.

R1#show ip route

C    192.168.12.0/24 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.10.1.0 is directly connected, Loopback0
D       10.10.2.0 [90/409600] via 192.168.12.2, 00:12:10, FastEthernet0/0
D       10.10.3.0 [90/2323456] via 192.168.12.2, 00:10:42, FastEthernet0/0
     192.168.23.0/30 is subnetted, 1 subnets
D       192.168.23.0 [90/2195456] via 192.168.12.2, 00:11:56, FastEthernet0/0

In addition to the two directly connected subnets, R1 has also learned three subnets through EIGRP. These three
subnets correspond to the Loopback0 of R2, Loopback0 of R3, and the interconnection of R2 and R3. In fact, R1
now has information about all subnets in our topology. Let's try to ping Loopback0 of R3 from R1.

R1#ping 10.10.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/36 ms

In fact, you will be able to ping any subnet from any router in the topology at this point. I would strongly urge you
to implement this topology in a lab environment. When you implement this topology, you should use the show
commands seen in this article on all your routers, closely examining the output. This would be fun and a great way
to have a better understanding of EIGRP.

EIGRP Practice Lab:

Objective: There must be end-to-end (loopback-to-loopback) reachability between Site-B, Site-C and City-A.

Step 1: Configure IP addressing as per the given scenario.

Step 2: Configure EIGRP. You can use the following set of commands as a reference.
Site-B(config)#router eigrp 100
Site-B(config-router)#no auto-summary
Site-B(config-router)#network 192.168.2.0 0.0.0.255
Site-B(config-router)#network 10.1.123.0 0.0.0.7
Site-B(config-router)#exit

Site-C(config)#router eigrp 100
Site-C(config-router)#no auto-summary
Site-C(config-router)#network 192.168.3.0 0.0.0.255
Site-C(config-router)#network 10.1.123.0 0.0.0.7
Site-C(config-router)#exit

HQ(config)#router eigrp 100
HQ(config-router)#no auto-summary
HQ(config-router)#network 10.1.123.0 0.0.0.7
HQ(config-router)#network 10.1.124.0 0.0.0.3
HQ(config-router)#exit

City-A(config)#router eigrp 100
City-A(config-router)#no auto-summary
City-A(config-router)#network 172.16.1.0 0.0.0.255
City-A(config-router)#network 10.1.124.0 0.0.0.3
City-A(config-router)#exit

Step 3: Verify the above configuration with the “show ip eigrp neighbors” command.

Step 4: Test the connectivity using the “ping” command.

I hope that with this practice lab you will have enough knowledge and experience to run EIGRP in
your enterprise network.

Chapter 17- Introduction to Open Shortest Path First (OSPF) Protocol:

In this first chapter, we will discuss theoretical notions about OSPF and how to configure a multi-area
OSPF network.

We learned in the introductory chapter that OSPF is one of the most popular IP routing protocols used in
enterprise networks. This is because it is an open standard and a mature protocol, which makes it the preferred
routing protocol in multivendor networks (preferred over the Cisco-proprietary EIGRP). The protocol operates
at the IP layer using IP protocol number 89.

OSPF routers start exchanging routing information only after a neighbor relationship exists between
them. OSPF routers exchange LSAs (Link State Advertisements), which describe the state of the network
links. After the exchange is done, every router in a particular area has the same LSA information. All
LSA data are stored in a database that is used to build the routing table. Before digging further into OSPF,
let's start with some common terminology that you will encounter with this routing protocol.

ROUTER ID

A requirement for a link state protocol is that each router must be able to uniquely identify itself within
the routing domain. This is the purpose of the OSPF router ID (RID).
OSPF uses a 32-bit number for its RID, represented in the same dotted-decimal format as an IP address.
The RID can be administratively specified in the configuration, or it can be one of the IP addresses
configured on one of the router's interfaces.
Cisco has a prioritized RID selection algorithm:
1. If the RID is administratively configured, then that value is used.
2. If the RID is not configured, then the IP address found on the loopback interface is used.
3. If there is no IP address configured on the loopback interface, then the value chosen is taken from
a physical interface.
4. If the RID is not administratively configured and there is no IP address configured on any interface,
then OSPF cannot start.

HELLO PROTOCOL

When the OSPF protocol process starts on a router, neighbors must be discovered and adjacencies
established. OSPF sends and listens for Hello messages to discover neighbors. The Hello protocol performs
several functions:
1. Discovers neighboring routers.
2. Ensures bi-directional communication between neighbors.
3. Communicates the information needed to form an adjacency with a neighbour router.
4. Serves as a keep-alive to detect failed neighbours and adjacencies.
Hello packets are sent to multicast IP address 224.0.0.5, which is a multicast address turned on for all
OSPF speaking routers. OSPF routers are listening to this IP address to learn about new neighbors.
Routers learn the following information in a hello packet:
1. Network Mask – the prefix length of the subnet on which the message is sent.
2. Hello Interval – specifies in seconds how often the originating router will send Hellos.
3. Options – any optional capabilities that the originating OSPF router may have.
4. Router Priority – priority used to elect the Designated Router.
5. Router Dead Interval – specifies how long the originating router’s neighbours should wait
before declaring it dead.
6. Designated Router and Backup Designated Router –used in Designated Router election.
7. Neighbour – the RIDs of the OSPF neighbours that the originating router has received Hellos
from on the subnet.
In order for two OSPF routers to become neighbors, the following information must match:
1. Subnet mask used on the subnet
2. Hello interval
3. Dead interval
4. OSPF area ID
5. Authentication keys (if used)
6. Area type
Point 6 refers to stub area flags and might be beyond the scope of the intended audience of this article.
However, keep in mind that area type must be identical for routers to become neighbors.

DESIGNATED ROUTER:

Based on the interface type, OSPF decides if a DR should be used or not. Even though there are many
more interface types, the most important ones are point-to-point and broadcast.
DR is needed only on broadcast interface-type, not on point-to-point.
OSPF elects a Designated Router (DR) on all multi-access links like broadcast. The DR forms an adjacency
with all other OSPF routers on the network. The DR represents the network to the rest of the OSPF area.

To prevent a DR from sending duplicate updates for every adjacency, multicast IP addresses are used. The
DR sends packets to the other routers on the network using a destination address of 224.0.0.5, called All
Shortest Path First (SPF) Routers. The other routers communicate with the DR by sending packets to the
multicast address 224.0.0.6, called All DR Routers.

For redundancy, OSPF elects a Backup Designated Router (BDR). Routers that are not designated routers
form adjacencies with both the DR and the BDR. The DR and BDR are also adjacent, and the BDR
synchronizes with the DR just like the DROTHERs do.
When a DR is required, an election takes place between neighbor routers. All the information needed to
elect the DR is contained in the Hello packets and is based on these criteria:
1. The router with the highest OSPF priority becomes the DR.
2. In case of a tie, the router with the highest RID becomes the DR.
A few things to consider about DR election:
1. A priority of 0 means that the router will not participate in DR election.
2. Priority values are within the range of 0 – 255.
3. If a better candidate joins the broadcast segment after the DR/BDR election occurred, then
the new candidate will not pre-empt any of the existing DR/BDR.
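The election rules just listed, as an added Python example (not from the book). It applies the priority and RID criteria, excludes priority 0, refuses to pre-empt an existing DR/BDR, and goes one step beyond the text by promoting the BDR when the DR leaves the segment (standard OSPF behaviour). The RIDs are the ones used in this chapter; note that RIDs must be compared as 32-bit numbers, not as strings.

```python
import ipaddress


def rid_value(rid: str) -> int:
    """Numeric value of a dotted-decimal RID. '100.100.100.100' is higher
    than '5.5.5.5' even though it sorts lower as a string."""
    return int(ipaddress.IPv4Address(rid))


def elect_dr_bdr(priorities, current=(None, None)):
    """Elect (DR, BDR) on one broadcast segment.

    priorities: dict RID -> OSPF priority as carried in the Hellos.
    current:    the (DR, BDR) already elected on the segment, if any.

    Rules: priority 0 never participates; the highest priority wins and ties
    go to the highest RID; a better router that joins later does not pre-empt
    an existing DR or BDR. If only the DR is gone, the BDR is promoted and a
    new BDR is elected; if only the BDR is gone, just the BDR is re-elected.
    """
    for rid, prio in priorities.items():
        if not 0 <= prio <= 255:
            raise ValueError(f"priority {prio} for {rid} is out of range")
    eligible = {r: p for r, p in priorities.items() if p > 0}
    if not eligible:
        return None, None

    ranked = sorted(eligible, key=lambda r: (eligible[r], rid_value(r)),
                    reverse=True)
    dr, bdr = current

    if dr in eligible and bdr in eligible:
        return dr, bdr                              # no pre-emption
    if dr in eligible:                              # only the BDR left
        rest = [r for r in ranked if r != dr]
        return dr, (rest[0] if rest else None)
    if bdr in eligible:                             # DR left: promote BDR
        rest = [r for r in ranked if r != bdr]
        return bdr, (rest[0] if rest else None)
    return ranked[0], (ranked[1] if len(ranked) > 1 else None)


# Constructed segment: the three routers on FastEthernet1/0 in this chapter,
# all at the default priority 1.
SEGMENT = {"3.3.3.3": 1, "4.4.4.4": 1, "5.5.5.5": 1}

if __name__ == "__main__":
    print("fresh election:", elect_dr_bdr(SEGMENT))
    later = dict(SEGMENT, **{"100.100.100.100": 1})
    print("100.100.100.100 joins:", elect_dr_bdr(later, elect_dr_bdr(SEGMENT)))
```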

OSPF AREAS AND ROUTER TYPES:

An area is a set of routers that share the same link-state database; routers in different areas hold different
link-state information.

Areas split the network so that routers in one area will know less information about networks in other
areas. This means that with less information, the routers will consume less memory and the SPF algorithm
will run faster.

The backbone area is the area to which all other areas must connect. It is always area 0.
There are multiple router types in an OSPF network:
1. Area Border Router (ABR) – a router that has at least one interface in the backbone area and
at least one more in another area.
2. Autonomous System Border Router (ASBR) – a router that connects to routers that do not run
OSPF in order to exchange external routes in and out of OSPF domain.
3. Backbone router – a router that has all of its interfaces in the backbone area.
4. Internal router – a router that has all of its interfaces in an area other than the backbone area.

OSPF CONFIGURATION:

Let's start with some basic OSPF configuration to see the terms we just learned in practice. Throughout these
forthcoming chapters, we are going to use the topology below:

Each router has a loopback interface and follows this addressing: Rx = x.x.x.x/32. For instance, R1 has a
loopback interface configured with 1.1.1.1/32. All the other IP addressing can be seen on the topology.

As previously discussed, R3 is an ABR because it has at least one interface in Area 0 and at least one interface
in another area (Area 1).

A working OSPF configuration on R3 that makes it an ABR is this one:

R3#sh running-config | section interface
interface Loopback0
 ip address 3.3.3.3 255.255.255.0
interface FastEthernet0/0
 ip address 10.10.23.3 255.255.255.0
interface FastEthernet1/0
 ip address 10.10.0.3 255.255.255.0
interface Serial2/0
 ip address 10.10.35.3 255.255.255.0
R3#show running-config | section router
router ospf 3
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.10.0.3 0.0.0.0 area 0
 network 10.10.23.3 0.0.0.0 area 1
 network 10.10.35.3 0.0.0.0 area 0

When the OSPF process is started on a router, a process ID is required as a parameter. This number is only
locally significant and doesn’t have to match on any neighbour router.

The network command instructs the router to start OSPF on each matched interface, assigns that
interface to the configured area and advertises the connected subnets. The statement matches the
interfaces using an address and a wildcard mask, which works in the same way as an ACL wildcard
mask. With the configuration above, where each statement uses a wildcard mask of 0.0.0.0, all 32 bits must
match, so each network statement carries the exact IP address of the interface it is meant to enable.

As you can see, the interfaces Loopback0, FastEthernet1/0 and Serial2/0 were placed in Area 0, and the
interface FastEthernet0/0 was placed in Area 1. In the case of an internal router or a backbone router (either
type has all of its interfaces in the same area), a single catch-all network statement can be used instead.

Such a network statement instructs the router to start OSPF on any interface that is up. The drawback of this
approach is that if another interface is configured and brought up in the future, that interface becomes
part of the OSPF routing domain whether or not the operator wants it to.
The first approach, with one exact-match statement per interface, removes any ambiguity about which interfaces are running OSPF.
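Both the EIGRP section ("carefully note the inverse mask used with the network command") and the OSPF discussion above turn on the same wildcard-mask matching, so here is one added Python example (not from the book) that evaluates which interfaces a set of network statements enables. It uses R3's interfaces and statements from this chapter; the extra interface FastEthernet1/1 with address 203.0.113.3 is constructed to show how a catch-all statement silently picks up a later-added interface.

```python
import ipaddress


def wildcard_matches(stmt_addr: str, wildcard: str, intf_addr: str) -> bool:
    """True if intf_addr is covered by 'network <stmt_addr> <wildcard>'.

    Like an ACL wildcard: a 0 bit in the wildcard must match the statement
    address, a 1 bit is "don't care" (the inverse of a subnet mask).
    """
    a = int(ipaddress.IPv4Address(stmt_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    i = int(ipaddress.IPv4Address(intf_addr))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (i & care)


def inverse_mask(prefix_len: int) -> str:
    """Wildcard that covers exactly one /prefix_len subnet (/30 -> 0.0.0.3)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))


def enabled_interfaces(statements, interfaces):
    """Map each interface to the first network statement that enables the
    routing protocol on it, or None if no statement covers it.

    statements: list of (address, wildcard, label), label being e.g. the
    OSPF area; interfaces: dict name -> IPv4 address.
    """
    return {name: next((s for s in statements
                        if wildcard_matches(s[0], s[1], ip)), None)
            for name, ip in interfaces.items()}


def unexpected_coverage(statements, interfaces, intended):
    """Interfaces the statements enable that are not in `intended`: the
    drawback described above, a too-wide statement starting the protocol
    on an interface the operator never meant to include."""
    enabled = enabled_interfaces(statements, interfaces)
    return sorted(n for n, s in enabled.items() if s and n not in intended)


# R3's interfaces from the OSPF topology above, plus one constructed
# interface added later that was never meant to run OSPF.
R3_INTERFACES = {
    "Loopback0": "3.3.3.3",
    "FastEthernet0/0": "10.10.23.3",
    "FastEthernet1/0": "10.10.0.3",
    "Serial2/0": "10.10.35.3",
    "FastEthernet1/1": "203.0.113.3",   # constructed, e.g. a later uplink
}

# Exact-match statements as in R3's running-config above.
R3_EXACT = [
    ("3.3.3.3", "0.0.0.0", "area 0"),
    ("10.10.0.3", "0.0.0.0", "area 0"),
    ("10.10.23.3", "0.0.0.0", "area 1"),
    ("10.10.35.3", "0.0.0.0", "area 0"),
]

# A single catch-all statement: every interface that is up matches it.
CATCH_ALL = [("0.0.0.0", "255.255.255.255", "area 0")]

INTENDED = {"Loopback0", "FastEthernet0/0", "FastEthernet1/0", "Serial2/0"}

if __name__ == "__main__":
    for label, stmts in (("exact", R3_EXACT), ("catch-all", CATCH_ALL)):
        print(label, "enables unexpectedly:",
              unexpected_coverage(stmts, R3_INTERFACES, INTENDED))
```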
OSPF has been configured properly on all the routers from the topology and the network is converged.
Let’s check the neighbor relationship on R3:

R3#show ip ospf interface brief
Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
Se2/0        3     0               10.10.35.3/24      64    P2P   1/1
Fa1/0        3     0               10.10.0.3/24       1     BDR   2/2
Lo0          3     0               3.3.3.3/24         1     LOOP  0/0
Fa0/0        3     1               10.10.23.3/24      1     BDR   1/1
R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
5.5.5.5           0   FULL/  -        00:00:36    10.10.35.5      Serial2/0
4.4.4.4           1   FULL/DROTHER    00:00:31    10.10.0.4       FastEthernet1/0
5.5.5.5           1   FULL/DR         00:00:31    10.10.0.5       FastEthernet1/0
2.2.2.2           1   FULL/DR         00:00:39    10.10.23.2      FastEthernet0/0

The command ‘show ip ospf interface brief’ shows on which interfaces OSPF is running and to which areas
they are assigned. You can also find the cost of each link, the state of the router on that link, the local IP
address on that interface and the number of neighbours on that link. For instance, interface
FastEthernet1/0 is in area 0, has a cost of 1, and is acting as BDR on that broadcast segment. The number
of neighbours on that link is 2.

The following describes the ‘show ip ospf neighbor’ command:

• Neighbor ID – the router ID of the neighbour router.
• Priority – indicates the priority of the neighbour.
• State – indicates the functional state of the neighbour router. FULL means the router is fully
  adjacent with this neighbour and DR means that the neighbour is the DR of the broadcast
  segment.
• Dead Time – the interval the router waits to receive an OSPF Hello before declaring the
  neighbour dead.
• Address – indicates the IP address of the interface to which this neighbour is directly
  connected.
• Interface – indicates the interface over which the OSPF neighbour relationship formed.

Let’s check the routing table of R4 and see what OSPF routes have been learned:

R4#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/67] via 10.10.0.3, 00:35:05, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/3] via 10.10.0.3, 00:35:05, FastEthernet0/0
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/2] via 10.10.0.3, 00:35:05, FastEthernet0/0
     5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/2] via 10.10.0.5, 00:35:05, FastEthernet0/0
     10.0.0.0/24 is subnetted, 5 subnets
O IA    10.10.12.0 [110/66] via 10.10.0.3, 00:35:05, FastEthernet0/0
O IA    10.10.21.0 [110/66] via 10.10.0.3, 00:35:05, FastEthernet0/0
O IA    10.10.23.0 [110/2] via 10.10.0.3, 00:35:05, FastEthernet0/0
O       10.10.35.0 [110/65] via 10.10.0.5, 00:35:05, FastEthernet0/0
                   [110/65] via 10.10.0.3, 00:35:05, FastEthernet0/0

Looking at the topology, R4, which is a backbone router, has different types of routes in its routing table.
The ones that start with O are intra-area routes, for instance the loopback address of R5 (5.5.5.5).
The ones that start with O IA are inter-area routes; they belong to an area other than R4's, for instance
the loopback address of R1 (1.1.1.1). You won’t find any inter-area routes on R3 because it’s an ABR; that
is, it belongs to both Area 0 and Area 1.
The following is a summary of what we discussed:

1. OSPF is a link-state protocol that uses area hierarchy to reduce the memory usage and CPU
processing to achieve faster convergence.
2. OSPF exchanges hello packets to discover, establish and maintain neighbor adjacencies between
routers.
3. Each OSPF-enabled router must be uniquely identified in the network by its Router ID (RID).
Configure this parameter administratively, or use a loopback interface to keep the
Router ID unaffected by physical interface flaps.
4. The 'show ip ospf neighbor' command displays information about OSPF neighbors.

In the second part of this OSPF chapter we will see in detail how:
1. Router ID can be configured
2. To change hello and dead intervals timers
3. To configure authentication
4. To change cost of the links
5. To configure load-balancing

As previously said in part one, for OSPF to work, it needs a Router ID (RID). The RID can be either
administratively assigned or automatically determined as long as there is at least one interface up.

You can configure the RID like this:


R2(config)#router ospf 2
R2(config-router)#router-id 100.100.100.100
Reload or use "clear ip ospf process" command, for this to take effect
R2(config-router)#end
R2#

As you can see, once the RID has been chosen, you need to restart the OSPF process in order to modify it. This
means that all OSPF adjacencies will flap:
R2#
*Mar  1 06:22:39.042: %OSPF-5-ADJCHG: Process 2, Nbr 3.3.3.3 on FastEthernet1/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 06:22:39.046: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on Serial0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 06:22:39.046: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on Serial0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 06:22:39.558: %OSPF-5-ADJCHG: Process 2, Nbr 3.3.3.3 on FastEthernet1/0 from LOADING to FULL, Loading Done
*Mar  1 06:22:39.586: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on Serial0/0 from LOADING to FULL, Loading Done
R2#
*Mar  1 06:22:45.190: %OSPF-5-ADJCHG: Process 2, Nbr 1.1.1.1 on Serial0/1 from LOADING to FULL, Loading Done
R2#

Let’s check the list of the OSPF neighbours on R3 again and confirm that the RID of R2 has changed from
2.2.2.2 to 100.100.100.100:

R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
5.5.5.5           0   FULL/  -        00:00:37    10.10.35.5      Serial2/0
4.4.4.4           1   FULL/DROTHER    00:00:32    10.10.0.4       FastEthernet1/0
5.5.5.5           1   FULL/DR         00:00:32    10.10.0.5       FastEthernet1/0
100.100.100.100   1   FULL/BDR        00:00:34    10.10.23.2      FastEthernet0/0

Sometimes it might be necessary to change the OSPF hello and dead timers. If needed, make sure that
you configure the same values on all possible neighbors on a link.

This is how you can check the OSPF timers:


R3#sh ip ospf interface f0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.10.23.3/24, Area 1
  Process ID 3, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 3.3.3.3, Interface address 10.10.23.3
  Backup Designated router (ID) 100.100.100.100, Interface address 10.10.23.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:06
  Supports Link-local Signaling (LLS)
  Index 1/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 5
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 100.100.100.100  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

The timers are changed in the interface configuration:

R3(config-router)#int f0/0
R3(config-if)#ip ospf hello-interval 5
R3(config-if)#ip ospf dead-interval 20
R3(config-if)#

Let’s check the new timers:

R3#show ip ospf interface f0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.10.23.3/24, Area 1
  Process ID 3, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 3.3.3.3, Interface address 10.10.23.3
  Backup Designated router (ID) 100.100.100.100, Interface address 10.10.23.2
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:02
  Supports Link-local Signaling (LLS)
  Index 1/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 5
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 100.100.100.100  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

OSPF calculates the metric for a destination by adding up the cost of each outgoing interface along the path. By
default, OSPF derives the cost of an interface from a parameter called reference-bandwidth.
The formula is reference_bandwidth/interface_bandwidth.

Reference-bandwidth defaults to 100Mbps; therefore, a Fast Ethernet interface has a cost of 1. In
today’s networks you will find speeds higher than 100Mbps, but the cost can never drop below 1, so any faster
interface also gets a cost of 1, making OSPF treat Fast Ethernet and Gigabit Ethernet interfaces equally.

This is how you can change the reference-bandwidth parameter:

R3(config-router)#auto-cost reference-bandwidth 10000

This changes the parameter so that costs are calculated against a 10 Gbps reference.
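The cost arithmetic from the preceding paragraphs, as an added Python example (not from the book). It assumes the IOS defaults of 1544 kbps bandwidth for a serial interface and 8000000 kbps for a loopback, and checks the results against the costs and route metrics shown in this chapter (Fast Ethernet cost 1, then 100 with a 10000 Mbps reference, the serial cost of 64, and R4's metric of 67 to 1.1.1.1).

```python
FAST_ETHERNET_KBPS = 100_000
GIGABIT_ETHERNET_KBPS = 1_000_000
T1_SERIAL_KBPS = 1_544        # assumed: IOS default bandwidth of a serial interface
LOOPBACK_KBPS = 8_000_000     # assumed: IOS default bandwidth of a loopback


def ospf_interface_cost(bandwidth_kbps: int, reference_bandwidth_mbps: int = 100) -> int:
    """Cisco OSPF cost of one interface.

    cost = reference_bandwidth / interface_bandwidth, truncated to an integer.
    The reference is in Mbps (the unit of 'auto-cost reference-bandwidth'),
    the interface bandwidth in kbps (the unit shown by 'show interfaces').
    The result is clamped to at least 1, which is why every link faster than
    the reference collapses to cost 1, and to at most 65535 (a 16-bit field).
    """
    if bandwidth_kbps <= 0:
        raise ValueError("interface bandwidth must be positive")
    cost = (reference_bandwidth_mbps * 1000) // bandwidth_kbps
    return max(1, min(cost, 65535))


def path_cost(outgoing_bandwidths_kbps, reference_bandwidth_mbps: int = 100) -> int:
    """Route metric: the sum of the cost of each outgoing interface along the
    path, including the interface on the last router that owns the prefix."""
    return sum(ospf_interface_cost(bw, reference_bandwidth_mbps)
               for bw in outgoing_bandwidths_kbps)


def links_indistinguishable(bw_a_kbps, bw_b_kbps, reference_bandwidth_mbps=100) -> bool:
    """True when two link speeds end up with the same OSPF cost, so OSPF
    cannot prefer the faster one under this reference bandwidth."""
    return (ospf_interface_cost(bw_a_kbps, reference_bandwidth_mbps)
            == ospf_interface_cost(bw_b_kbps, reference_bandwidth_mbps))


# Outgoing interfaces, in order, from R4 to R1's loopback 1.1.1.1 in the
# topology above: R4 Fa0/0 -> R3, R3 Fa0/0 -> R2, R2 serial -> R1, R1 Lo0.
# Constructed from the routing outputs; the serial link is assumed to be a T1.
R4_TO_R1_LOOPBACK = [FAST_ETHERNET_KBPS, FAST_ETHERNET_KBPS,
                     T1_SERIAL_KBPS, LOOPBACK_KBPS]

if __name__ == "__main__":
    for ref in (100, 10000):
        print(f"reference {ref} Mbps: FE={ospf_interface_cost(FAST_ETHERNET_KBPS, ref)} "
              f"GE={ospf_interface_cost(GIGABIT_ETHERNET_KBPS, ref)} "
              f"T1={ospf_interface_cost(T1_SERIAL_KBPS, ref)}")
    print("R4 -> 1.1.1.1 metric:", path_cost(R4_TO_R1_LOOPBACK))
```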

The OSPF cost of FastEthernet0/0 on R3 also changed:

R3#show ip ospf interface f0/0
FastEthernet0/0 is up, line protocol is up
  Internet Address 10.10.23.3/24, Area 1
  Process ID 3, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 100
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 3.3.3.3, Interface address 10.10.23.3
  Backup Designated router (ID) 100.100.100.100, Interface address 10.10.23.2
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:04
  Supports Link-local Signaling (LLS)
  Index 1/4, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 3, maximum is 5
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 100.100.100.100  (Backup Designated Router)
  Suppress hello for 0 neighbor(s)

However, you can directly set the cost of an OSPF interface by this command:

R3(config)#int f0/0
R3(config-if)#ip ospf cost 250
R3(config-if)#end
R3#show ip ospf interface f0/0
*Mar 1 06:45:39.806: %SYS-5-CONFIG_I: Configured from console by console
R3#show ip ospf interface f0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 10.10.23.3/24, Area 1
Process ID 3, Router ID 3.3.3.3, Network Type BROADCAST, Cost: 250
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 10.10.23.3
Backup Designated router (ID) 100.100.100.100, Interface address 10.10.23.2
Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:00
Supports Link-local Signaling (LLS)
Index 1/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 5
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 100.100.100.100(Backup Designated Router)
Suppress hello for 0 neighbor(s)

As you can see, there are two links between R1 and R2. R2 has two next-hops to reach 1.1.1.1:

R2#sh ip route 1.1.1.1

Routing entry for 1.1.1.1/32


Known via "ospf 2", distance 110, metric 65, type intra area
Last update from 10.10.12.1 on Serial0/0, 00:02:06 ago
Routing Descriptor Blocks:
* 10.10.21.1, from 1.1.1.1, 00:02:06 ago, via Serial0/1
Route metric is 65, traffic share count is 1
10.10.12.1, from 1.1.1.1, 00:02:06 ago, via Serial0/0
Route metric is 65, traffic share count is 1

By default, OSPF can install up to four paths to the same destination. The number of the paths that can
be installed can be checked like this:

R2#sh ip protocols
Routing Protocol is "ospf 2"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 100.100.100.100
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
2.2.2.2 0.0.0.0 area 1
10.10.12.2 0.0.0.0 area 1
10.10.21.2 0.0.0.0 area 1
10.10.23.2 0.0.0.0 area 1
Reference bandwidth unit is 100 mbps
Routing Information Sources:
Gateway         Distance      Last Update
3.3.3.3              110      00:01:54
1.1.1.1              110      00:01:54
Distance: (default is 110)

Let’s configure R2 to use only one path:


R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#router ospf 2
R2(config-router)#maximum
R2(config-router)#maximum-paths 1
R2(config-router)#end
R2#sh ip route 1.1.1.1
Routing entry for 1.1.1.1/32
Known via "ospf 2", distance 110, metric 65, type intra area
Last update from 10.10.21.1 on Serial0/1, 00:00:05 ago
Routing Descriptor Blocks:
* 10.10.21.1, from 1.1.1.1, 00:00:05 ago, via Serial0/1
Route metric is 65, traffic share count is 1

Authentication is the most important optional feature of OSPF. Without authentication, an attacker can
connect a router to the network and make all the routers in the network remove the legitimate routes
and install the routes advertised by this rogue device.
OSPF supports three types of authentication:
1. Type 0 – Null authentication (no authentication)
2. Type 1 – Simple text (the password is sent as clear text)
3. Type 2 – MD5 authentication

Because in the case of Type 1 the password is sent in clear text, it is always recommended to configure
MD5 authentication for security reasons. Once authentication is configured on one router, the neighbour
router has to be configured with the same authentication type and the same password.
Configuring authentication requires two commands on the interface: one that specifies the type of
authentication and one that specifies the password.

Let’s configure MD5 authentication between R2 and R3:

R2#show running-config interface f1/0


Building configuration...

Current configuration : 175 bytes


!
interface FastEthernet1/0
ip address 10.10.23.2 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 12 md5 cisco
duplex auto
speed auto
end
R2#

R3#show running-config interface f0/0


Building configuration...

Current configuration : 175 bytes


!
interface FastEthernet0/0
ip address 10.10.23.3 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 12 md5 cisco
duplex auto
speed auto
end
R3#

Using this configuration, the OSPF adjacency between R2 and R3 is up:

R2#show ip ospf interface f1/0


FastEthernet1/0 is up, line protocol is up
Internet Address 10.10.23.2/24, Area 1
Process ID 2, Router ID 2.2.2.2, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 3.3.3.3, Interface address 10.10.23.3
Backup Designated router (ID) 2.2.2.2, Interface address 10.10.23.2
Flush timer for old DR LSA due in 00:01:18
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:04
Supports Link-local Signaling (LLS)
Index 4/4, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 4 msec

Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 3.3.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 12
R2#

This is the configuration needed to enable simple text authentication:

R1#show running-config int s0/0


Building configuration...

Current configuration : 146 bytes


!
interface Serial0/0
ip address 10.10.12.1 255.255.255.0
ip ospf authentication
ip ospf authentication-key cisco
serial restart-delay 0
end

R1#

If you have many interfaces in the same area and you don’t want to spend time configuring each and
every interface with the authentication type, you can enable the authentication at area level.
Let’s assume that R2 will use MD5 authentication for all interfaces in area 1. Then, instead of going to
each interface and specifying that it will use MD5 authentication, we just apply the command at area
level:

R2#show running-config | section router


router ospf 2
log-adjacency-changes
area 1 authentication message-digest
network 2.2.2.2 0.0.0.0 area 1
network 10.10.12.2 0.0.0.0 area 1
network 10.10.21.2 0.0.0.0 area 1
network 10.10.23.2 0.0.0.0 area 1

Keep in mind that the command specifying the password should still be configured under each interface.
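To make the difference between Type 1 and Type 2 authentication concrete, here is an added Python
example (written for this chapter; it is not Cisco's code and not code from the book) that builds an OSPFv2
packet with each authentication type following RFC 2328 Appendix D, and then verifies the MD5 variant
the way a receiving router would: same key ID, same password, untouched packet and a cryptographic
sequence number that does not go backwards. The router ID 2.2.2.2, area 1, key ID 12 and the password
"cisco" mirror the lab above; the Hello body and the function names are constructed for the illustration.

```python
"""OSPFv2 authentication, types 1 and 2 (RFC 2328, Appendix D).

Added example for this chapter, not Cisco or book code. Router IDs, area 1,
key ID 12 and the password "cisco" mirror the lab above; the Hello body is
a constructed sample.
"""
import hashlib
import hmac
import struct

OSPF_VERSION = 2
HELLO = 1                      # OSPF packet type 1 = Hello
AU_SIMPLE, AU_CRYPTO = 1, 2    # AuType values for simple text / MD5
HDR_LEN = 24                   # fixed OSPFv2 header length
MD5_KEY_LEN = 16               # RFC 2328 D.3: key padded with zeros to 16 bytes


def ip4(dotted):
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in dotted.split("."))


def ones_complement_checksum(data):
    """RFC 1071 checksum, used in the OSPF header for AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _packet(pkt_type, router_id, area_id, body, checksum, autype, auth_field):
    """OSPFv2 header (version, type, length, RID, area, checksum, AuType, auth) + body."""
    header = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, pkt_type, HDR_LEN + len(body),
                         ip4(router_id), ip4(area_id), checksum, autype, auth_field)
    return header + body


def build_simple_auth(pkt_type, router_id, area_id, body, password):
    """Type 1: the password itself travels in the 64-bit authentication field."""
    auth = password.encode().ljust(8, b"\x00")[:8]
    draft = _packet(pkt_type, router_id, area_id, body, 0, AU_SIMPLE, auth)
    # The checksum covers the whole packet except the authentication field.
    csum = ones_complement_checksum(draft[:16] + draft[24:])
    return _packet(pkt_type, router_id, area_id, body, csum, AU_SIMPLE, auth)


def build_md5_auth(pkt_type, router_id, area_id, body, key_id, password, seq):
    """Type 2: auth field = reserved(2) | key ID(1) | digest length(1) | sequence(4);
    a 16-byte MD5 over packet||key is appended after the packet (not counted in length)."""
    auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq)
    packet = _packet(pkt_type, router_id, area_id, body, 0, AU_CRYPTO, auth)
    key = password.encode().ljust(MD5_KEY_LEN, b"\x00")[:MD5_KEY_LEN]
    return packet + hashlib.md5(packet + key).digest()


def verify_md5_auth(data, keyring, last_seq):
    """Receiver side. keyring: {key_id: password}; last_seq: {router_id_bytes: seq},
    updated on success so that a replayed (older) packet is rejected."""
    ver, _ptype, length, rid, _aid, csum, autype, auth = struct.unpack(
        "!BBH4s4sHH8s", data[:HDR_LEN])
    if ver != OSPF_VERSION or autype != AU_CRYPTO or csum != 0:
        return False
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != MD5_KEY_LEN or key_id not in keyring:
        return False               # unknown key ID: no shared secret to check against
    packet, digest = data[:length], data[length:length + MD5_KEY_LEN]
    key = keyring[key_id].encode().ljust(MD5_KEY_LEN, b"\x00")[:MD5_KEY_LEN]
    expected = hashlib.md5(packet + key).digest()
    if not hmac.compare_digest(expected, digest):
        return False               # wrong password or modified packet
    if seq < last_seq.get(rid, 0):
        return False               # RFC 2328 D.4.3: sequence number must not go backwards
    last_seq[rid] = seq
    return True


def password_visible(packet, password):
    """True when the password appears verbatim in the bytes on the wire."""
    return password.encode() in packet


# Constructed Hello body: mask, hello 10, options, priority 1, dead 40, DR, BDR.
SAMPLE_HELLO = struct.pack("!4sHBBI4s4s", ip4("255.255.255.0"), 10, 0x02, 1, 40,
                           ip4("10.10.23.3"), ip4("10.10.23.2"))

if __name__ == "__main__":
    md5_pkt = build_md5_auth(HELLO, "2.2.2.2", "0.0.0.1", SAMPLE_HELLO, 12, "cisco", 100)
    clear_pkt = build_simple_auth(HELLO, "2.2.2.2", "0.0.0.1", SAMPLE_HELLO, "cisco")
    print("password readable on the wire, type 1:", password_visible(clear_pkt, "cisco"))
    print("password readable on the wire, type 2:", password_visible(md5_pkt, "cisco"))
    print("neighbour with key 12/cisco accepts:", verify_md5_auth(md5_pkt, {12: "cisco"}, {}))
```

The receiver rejects a packet whose key ID it does not hold, whose digest does not match (wrong
password or altered content) or whose sequence number is lower than the last one accepted from that
router ID, which is exactly why a neighbour configured with a different key or password never forms the
adjacency.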

In this second part of the topic, we saw how we can change some of the OSPF parameters. Remember
that changing some of them (like hello timers or authentication) on one router and not on the other will
cause the OSPF adjacency to go down.

Before changing any default parameters, always try to understand why you need them to be changed.
What will be your benefit and what can be the drawbacks of changing them?

Chapter 18: OSPF Areas

In the last chapter, we saw how OSPF works, and we also learned some basic configuration, including
some basics about OSPF areas. In this chapter, we are going to learn about OSPF areas in detail. The first
part of the chapter will focus on theoretical knowledge, while the second one will focus on a hands-on
case study.

Let's begin with some common terms in OSPF protocol, such as LSA and Area Types:
 LSA types—you will be presented with the LSA types used by OSPF and a description of what they
do and where they are used.
 Area types—a description of the area types will be given along with the interaction between an
area type and the LSA types found in each area type.

Why would someone use areas?

Areas are used to control the size of the link-state database and to limit the impact of flooding and the
burden placed on router resources, memory and CPU, that are needed to run the SPF calculations.
If areas are used, the routing domain is split into smaller routing domains, and the link-state database
has to be identical only within each of these smaller domains.

For communication to happen between two areas, an ABR (area border router) is needed. The ABR sits
between the two areas and runs SPF for both of them. The routing information is passed between the
two areas through the ABR.

One interesting thing results from this behavior. OSPF is link-state only inside an area; the SPF
calculation is done only within one area. When the ABR sends routing information about area A into
area B, the routers in area B just take the information as the ABR presents it. This is more of a
distance-vector behavior.

One question pops up very often: how many routers should you put in one area? There is no single
correct answer. It depends very much on the size of the link-state database, the number of prefixes,
and the characteristics of the routers: memory and CPU.

When an IGP has to be deployed, the options are either OSPF or ISIS. OSPF is the preferred one in almost
all cases. This is because multi-area OSPF is easier to deploy and administer than ISIS. Each OSPF area is
identified by a 32-bit Area ID.

Let’s have a quick recap of traffic and router types:


 Intra-area traffic—Traffic between routers in the same area.
 Inter-area traffic—Traffic between routers in different areas.
 External—Traffic between OSPF routers and routers from external routing domain.
 Internal router—A router that has all interfaces in a single area.
 Area border router (ABR)—A router that has interfaces in more than one area, at least one of them
in area 0, and acts as the gateway for inter-area traffic.
 Backbone router—A router that has at least one interface in area 0.
 Autonomous system boundary router (ASBR)—A router that is a gateway for external
destinations.
LSA types

Type Code   Description
1           Router LSA
2           Network LSA
3           Network Summary LSA
4           ASBR Summary LSA
5           AS External LSA
6           Group Membership LSA
7           NSSA External LSA
8           External Attributes LSA
9           Opaque LSA (link-local LSA)
10          Opaque LSA (area-local LSA)
11          Opaque LSA (AS LSA)

LSA type 6, used as an improvement for OSPF, is also known as multicast OSPF. This is not supported in
IOS.

LSA type 8 was supposed to be an alternative to Internal BGP to carry BGP information over an OSPF
domain. This is not supported in IOS.

LSA 9, 10, and 11 (opaque) are extensions of OSPF used for specific application purposes. They are out
of the scope of this article.

Let’s discuss the other LSA types in more detail:


 Router LSA is created by every router; any router has at least a Router LSA. This LSA lists all of the
router’s interfaces, the outgoing cost of each link and any known neighbors on the link. It is flooded
only inside the area where it was originated. The command “show ip ospf database router” displays
the router LSAs from the OSPF link-state database.
 Network LSA is produced by the DR of a multi-access segment. The network LSA includes all routers
attached to the segment, including the DR. This LSA is flooded only within the area where it was
originated. The command “show ip ospf database network” can be used to see all of the network
LSAs.
 Network summary LSA is originated by the ABR. This LSA is sent to an area to advertise the
destinations outside of the area. It’s a way to tell the internal routers of the area what destinations
the ABR can reach. Also, the destinations from the attached areas to the ABR are advertised inside
the backbone area using the same LSA. Default routes, external to the area but internal to the OSPF
domain, are also advertised using this LSA. The command “show ip ospf database summary” displays
the network summary LSAs.
 ASBR summary LSA is originated by the ABR and it advertises an ASBR. The destination address within
the LSA is a host address with mask being zero. The command “show ip ospf database asbr-summary”
can be used to display the ASBR summary LSAs.
 External LSA is originated by the ASBR. This LSA advertises a destination that is external to the OSPF
domain. Also, a default route that is external to the OSPF domain can be advertised using this LSA. This
LSA is advertised throughout the whole OSPF domain, with a few exceptions based on the area type
that we will discuss later. The command “show ip ospf database external” displays the external LSAs.
One thing has to be mentioned here: the external LSAs don’t belong to any area.
 NSSA external LSAs are originated by the ASBR within the NSSA (not-so-stubby area) areas. A NSSA
external LSA advertises an external destination to the OSPF domain. The difference between NSSA
external LSA and an external LSA is that the former one is not advertised throughout the OSPF domain,
but only in the not-so-stubby area where it was originated. The command “show ip ospf database
nssa-external” displays the NSSA external LSAs.

You might wonder what the purpose was of presenting the LSA types when we are discussing areas.
Basically, based on the types of LSAs present in an area, you can figure out what kind of area it is. You
should also be familiar with the inverse process: based on the area type, you should know what kind of
LSAs you will find there. Most likely, in your life as a network engineer you will be asked what LSA types
you have in a particular area type, so it’s better to have this well understood.

Area Types

 Backbone area is the area where all inter-area traffic originates in, terminates in or passes through.
 Non-backbone area is the area where all the destinations within the OSPF domain are known.
 Stub area is an area where the external LSAs are not flooded. Because the external LSAs are not
present, ASBR summary LSAs are not needed either. Along with the network summary LSAs matching
the inter-area destinations, there will be a default route advertised by the ABR as a network summary
LSA. In case the internal routers of the stub area cannot match a destination on intra-area or inter-area
routes, the default route will be used.
 Totally stubby area is the area where Type 4 and Type 5 LSAs are blocked just as in stub areas.
Additionally, all the Type 3 LSAs are blocked as well, except the default route.
 NSSA (not-so-stubby area) is an area that allows external routes to be advertised in the OSPF domain
while the characteristics of a stub area are kept. The router advertising the external routes, the ASBR,
will generate LSA Type 7. These LSAs Type 7 are flooded only inside the NSSA and they are blocked by
the ABR. To propagate the external destinations throughout the whole OSPF domain, the ABR
translates the LSA Type 7 to LSA Type 5.
 Totally not-so-stubby area is a similar area to NSSA with the difference that no network summary LSAs
are advertised, except the one needed for default route.

The following table sums up the LSA types that can be found in each area type:

Area type        Type 1  Type 2  Type 3                    Type 4  Type 5  Type 7
Backbone         Yes     Yes     Yes                       Yes     Yes     No
Non-backbone     Yes     Yes     Yes                       Yes     Yes     No
Stub             Yes     Yes     Yes                       No      No      No
Totally Stubby   Yes     Yes     No (only default route)   No      No      No
NSSA             Yes     Yes     Yes                       Yes     No      Yes
Totally NSSA     Yes     Yes     No (only default route)   Yes     No      Yes

Let’s talk a little bit about the options field from the OSPF hello packet. The field is 8 bits long and only 7
bits are used. This is what the field looks like:
+------------------------------------+
| * | O | DC | EA | N/P | MC | E | * |
+------------------------------------+
Actually, the options field can be found in:
 Hello packets
 DD (database description) packets
 LSA
Bit “E” indicates that the router supports external routing. If the bit is set to zero, then the originating
router doesn’t support Type-5 LSAs. Obviously this bit is zero in the case of stub and totally stubby areas,
as they don’t support external routing. If there is a mismatch between the values of this bit in the hellos
of two routers in the same area, the OSPF adjacency is not established. That’s why all routers’
interfaces in a stub/totally stubby area have to be configured as stub.

The “N/P” bit is used to support NSSA areas. If the “N” bit is set, the router indicates that it supports
Type-7 LSAs. If this bit is set, then the “E” bit must be cleared. If two routers in the same area do not
have the same setting of the “N” bit, the OSPF adjacency between them is not established.
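To tie the options-field rules above to the earlier warning that mismatched hello timers or authentication
on one router bring the adjacency down, here is an added Python example (written for this chapter; not
code from the book or from Cisco) that decodes the options byte using the bit layout shown and reports
every reason two routers’ Hello parameters would fail to form an adjacency. The parameter names, the
options_for_area() mapping and the R2/R3 sample values are assumptions made for the illustration.

```python
"""OSPF Hello compatibility check. Added example, not Cisco or book code.

Options byte layout from the chapter (bit 7 on the left):
    | * | O | DC | EA | N/P | MC | E | * |
The parameter names and the options_for_area() mapping are assumptions
made for this illustration; the sample values are constructed.
"""

OPT_E = 1 << 1     # external routing capable (set in normal/backbone areas)
OPT_MC = 1 << 2    # multicast OSPF (Type-6 LSAs), not supported in IOS
OPT_NP = 1 << 3    # N in Hellos: NSSA, Type-7 capable; P in Type-7 LSAs
OPT_EA = 1 << 4    # external attributes (Type-8 LSAs), not supported in IOS
OPT_DC = 1 << 5    # demand circuits
OPT_O = 1 << 6     # opaque LSA capable

_FLAGS = (("O", OPT_O), ("DC", OPT_DC), ("EA", OPT_EA),
          ("N/P", OPT_NP), ("MC", OPT_MC), ("E", OPT_E))


def decode_options(options):
    """Map each named bit of the options byte to True/False."""
    return {name: bool(options & mask) for name, mask in _FLAGS}


def options_valid(options):
    """A router that sets N must clear E, as the text states: an NSSA carries no Type-5s."""
    return not ((options & OPT_NP) and (options & OPT_E))


def options_for_area(area_type):
    """E/N bits a router sets in the Hellos it sends into an area of the given type."""
    table = {"normal": OPT_E, "backbone": OPT_E,
             "stub": 0, "totally-stubby": 0,
             "nssa": OPT_NP, "totally-nssa": OPT_NP}
    return table[area_type]


def hello_mismatches(local, remote):
    """Reasons two Hello parameter sets would not form an adjacency (empty list = OK).
    Each side is a dict with keys: area_id, hello, dead, netmask, autype, options.
    The mask comparison applies to broadcast/NBMA links, as in the lab topology."""
    reasons = []
    checks = (("area_id", "area ID"), ("hello", "hello interval"),
              ("dead", "dead interval"), ("netmask", "network mask"),
              ("autype", "authentication type"))
    for field, label in checks:
        if local[field] != remote[field]:
            reasons.append(f"{label} mismatch: {local[field]} vs {remote[field]}")
    if (local["options"] & OPT_E) != (remote["options"] & OPT_E):
        reasons.append("E-bit mismatch: one side treats the area as stub, the other does not")
    if (local["options"] & OPT_NP) != (remote["options"] & OPT_NP):
        reasons.append("N-bit mismatch: one side treats the area as NSSA, the other does not")
    return reasons


# Constructed sample: what R2 advertises on its link into area 1.
R2_HELLO = {"area_id": "0.0.0.1", "hello": 10, "dead": 40,
            "netmask": "255.255.255.0", "autype": 2,
            "options": options_for_area("normal")}

if __name__ == "__main__":
    r3_stub = dict(R2_HELLO, options=options_for_area("stub"))
    r3_fast = dict(R2_HELLO, hello=5, dead=20)
    for name, peer in (("R3 with area 1 as stub", r3_stub),
                       ("R3 with hello 5 / dead 20", r3_fast)):
        print(name, "->", hello_mismatches(R2_HELLO, peer) or "adjacency OK")
```

Running it shows the two failure modes the chapter describes side by side: an E-bit mismatch when only
one router has the area configured as stub, and timer mismatches when hello/dead intervals differ; a
peer that matches on every field returns an empty list.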
In the first part of this chapter, we discussed the most important LSA types:

- Type 1 – Router LSA
- Type 2 – Network LSA
- Type 3 – Network summary LSA
- Type 4 – ASBR LSA
- Type 5 – External LSA
- Type 7 – NSSA External LSA
And about the OSPF area types:
- Backbone/non-backbone area
- Stub area
- Totally stubby area
- Not-so-stubby area
- Totally not-so-stubby area

In the second part, we will see what is needed to configure the area types that we talked about, how to
check if they are configured correctly by checking the routing table, and the OSPF link-state database.
We will use the topology below for configuration and verification:

Each router has a loopback interface following this address scheme: Rx=x.x.x.x/32. For instance, R1 has a
loopback interface with the IP address 1.1.1.1/32.
- Area 0 is the backbone area.
- Area 1 is a normal area, non-backbone area.
- Area 2 will be a NSSA area.
- Area 3 will be a stub area.
- Area 2 and Area 3 will be configured initially as non-backbone areas.

Router R6 is not part of OSPF routing domain. We run RIP protocol between R5 and R6 so that the
loopback of R6 will be advertised to R5 and later on be redistributed in OSPF domain by R5.

We already covered how to configure the OSPF protocol to run on specific interfaces and how to configure
backbone/non-backbone areas so we won’t spend too much time on that.

As previously mentioned, Area 3 is a stub area. You might remember from the first part of the article that,
in the case of a stub area, every router that has an interface in the area has to configure it as stub,
including the ABR.

So let’s see what the configuration of OSPF looks like on R1, which is an internal router:

R1#show running-config | section ospf


router ospf 1
log-adjacency-changes
area 3 stub
network 1.1.1.1 0.0.0.0 area 3
network 10.10.12.1 0.0.0.0 area 3
R1#

R2#show running-config | section ospf


router ospf 1
log-adjacency-changes
area 3 stub
network 2.2.2.2 0.0.0.0 area 0
network 10.10.12.2 0.0.0.0 area 3
network 10.10.23.2 0.0.0.0 area 0

That’s it. To make an area stub, you just have to configure “area X stub” under the OSPF process
configuration.

Let’s check what the link-state database contains:

R1#show ip ospf database


OSPF Router with ID (1.1.1.1) (Process ID 1)
Router Link States (Area 3)

Link ID ADV Router Age Seq# Checksum Link count


1.1.1.1 1.1.1.1 689 0x80000041 0x00C5CE 2
2.2.2.2 2.2.2.2 690 0x80000041 0x00AAF4 1

Net Link States (Area 3)

Link ID ADV Router Age Seq# Checksum


10.10.12.2 2.2.2.2 690 0x8000003F 0x00E7DF

Summary Net Link States (Area 3)

Link ID ADV Router Age Seq# Checksum


0.0.0.0 2.2.2.2 698 0x80000001 0x0075C0
2.2.2.2 2.2.2.2 698 0x8000003C 0x00A250
3.3.3.3 2.2.2.2 698 0x8000003C 0x007E6F
4.4.4.4 2.2.2.2 698 0x8000003C 0x005A8E
5.5.5.5 2.2.2.2 238 0x80000001 0x00AC72
7.7.7.7 2.2.2.2 698 0x8000003C 0x00CF0D
10.10.23.0 2.2.2.2 698 0x8000003C 0x0006C9
10.10.34.0 2.2.2.2 699 0x8000003C 0x00962D
10.10.37.0 2.2.2.2 699 0x8000003C 0x00754B
10.10.45.0 2.2.2.2 699 0x8000003C 0x002790

We have two LSAs Type-1 because we have only two routers participating in Area 3. Because we have only
one link between them and the segment is multi-access, which implies that a DR is needed, we have only
one LSA Type-2. Also, we have quite a number of LSAs Type-3. Those describe the loopback
interfaces of each router running OSPF (you might have noticed that we don’t have the loopback of R6
because it is not running OSPF) and the links between the routers running OSPF.
As we have seen earlier, once an area becomes stub, the ABR generates an additional LSA Type-3,
which is the default route.

Whatever is in OSPF link state database should match what is in the routing table (unless any filtering has
been applied):

R1#show ip route | begin Gateway


Gateway of last resort is 10.10.12.2 to network 0.0.0.0

1.0.0.0/32 is subnetted, 1 subnets


C 1.1.1.1 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/2] via 10.10.12.2, 00:24:58, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/3] via 10.10.12.2, 00:24:58, FastEthernet0/0
4.0.0.0/32 is subnetted, 1 subnets
O IA 4.4.4.4 [110/4] via 10.10.12.2, 00:24:58, FastEthernet0/0
5.0.0.0/32 is subnetted, 1 subnets
O IA 5.5.5.5 [110/5] via 10.10.12.2, 00:17:29, FastEthernet0/0
7.0.0.0/32 is subnetted, 1 subnets
O IA 7.7.7.7 [110/4] via 10.10.12.2, 00:24:58, FastEthernet0/0
10.0.0.0/24 is subnetted, 5 subnets
C 10.10.12.0 is directly connected, FastEthernet0/0
O IA 10.10.23.0 [110/2] via 10.10.12.2, 00:24:58, FastEthernet0/0
O IA 10.10.34.0 [110/3] via 10.10.12.2, 00:24:58, FastEthernet0/0
O IA 10.10.37.0 [110/3] via 10.10.12.2, 00:24:58, FastEthernet0/0
O IA 10.10.45.0 [110/4] via 10.10.12.2, 00:24:59, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 10.10.12.2, 00:24:59, FastEthernet0/0
R1#

This way, we can reach any loopback interface and the inter-routers’ links.

But what if we want to shrink the OSPF link-state database and the routing table even more? Then you
should configure Area 3 as totally stubby. When an area is configured as totally stubby or totally not-so-
stubby, only the ABR has to be configured with the additional keyword. This is because only the ABR
needs to know that it should filter inter-area LSAs. Of course, putting the same configuration on the
internal routers as well won’t do any harm, but it might reveal a weakness in your understanding of the
protocol.

The configuration on R2 should change to:


R2#show running-config | section ospf
router ospf 1
log-adjacency-changes
area 3 stub no-summary
network 2.2.2.2 0.0.0.0 area 0
network 10.10.12.2 0.0.0.0 area 3
network 10.10.23.2 0.0.0.0 area 0

Now that we’ve done this, let’s check the link-state and the routing table of R1:

R1#show ip ospf database

OSPF Router with ID (1.1.1.1) (Process ID 1)


Router Link States (Area 3)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 308 0x80000042 0x00C3CF 2
2.2.2.2 2.2.2.2 81 0x80000042 0x00A8F5 1
Net Link States (Area 3)
Link ID ADV Router Age Seq# Checksum
10.10.12.2 2.2.2.2 81 0x80000040 0x00E5E0
Summary Net Link States (Area 3)

Link ID ADV Router Age Seq# Checksum


0.0.0.0 2.2.2.2 59 0x80000003 0x0071C2
R1#

As you can see, we have everything the same in regard to LSA Type-1 and Type-2. However, we have only
one LSA Type-3, which is the default route and the routing table is reflecting this:

R1#show ip route | begin Gateway


Gateway of last resort is 10.10.12.2 to network 0.0.0.0

1.0.0.0/32 is subnetted, 1 subnets


C 1.1.1.1 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.12.0 is directly connected, FastEthernet0/0
O*IA 0.0.0.0/0 [110/2] via 10.10.12.2, 00:02:07, FastEthernet0/0
R1#

Let’s go and configure Area 2 as NSSA. This is the configuration needed on R4 and R5:
R4#show running-config | section ospf
router ospf 1
log-adjacency-changes
area 2 nssa
network 4.4.4.4 0.0.0.0 area 0
network 10.10.34.4 0.0.0.0 area 0
network 10.10.45.4 0.0.0.0 area 2
R4#

R5#show running-config | section ospf


router ospf 1
log-adjacency-changes
area 2 nssa
network 5.5.5.5 0.0.0.0 area 2
network 10.10.45.5 0.0.0.0 area 2
R5#

Again, the configuration change to transform a normal area to a not-so-stubby area is very simple: “area
X nssa”. Let’s check the link-state database:

R5#show ip ospf database

OSPF Router with ID (5.5.5.5) (Process ID 1)


Router Link States (Area 2)
Link ID ADV Router Age Seq# Checksum Link count
4.4.4.4 4.4.4.4 463 0x80000042 0x00B08C 1
5.5.5.5 5.5.5.5 458 0x80000044 0x008E81 2

Net Link States (Area 2)


Link ID ADV Router Age Seq# Checksum
10.10.45.5 5.5.5.5 458 0x80000040 0x0085F0
Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum


1.1.1.1 4.4.4.4 471 0x80000004 0x00AA71
2.2.2.2 4.4.4.4 471 0x8000003D 0x00FFDF
3.3.3.3 4.4.4.4 471 0x8000003D 0x00C715
4.4.4.4 4.4.4.4 471 0x8000003D 0x008F4A
7.7.7.7 4.4.4.4 471 0x8000003D 0x0019B2
10.10.12.0 4.4.4.4 471 0x8000003D 0x00DCEA
10.10.23.0 4.4.4.4 471 0x8000003D 0x005964
10.10.34.0 4.4.4.4 472 0x8000003D 0x00D5DD
10.10.37.0 4.4.4.4 472 0x8000003D 0x00BEF0
R5#

We have pretty much the same information as in a stub area: the loopback interfaces and IP addresses of
all routers running OSPF and the links between the routers. Let’s check the connectivity between the IP
address from R1’s loopback interface and the IP address of R5’s loopback interface:

R1#ping 5.5.5.5 source 1.1.1.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/97/116 ms

One thing is missing from the link-state database in the case of an NSSA: the Type-3 LSA used for the
default route. By default, Cisco IOS does not generate a default route when an area is an NSSA.

If you need the default route, you have to configure it. This is what is needed on the ABR:

R4#show running-config | section ospf


router ospf 1
log-adjacency-changes
area 2 nssa default-information-originate
network 4.4.4.4 0.0.0.0 area 0
network 10.10.34.4 0.0.0.0 area 0
network 10.10.45.4 0.0.0.0 area 2
R4#

Now the routing table shows the default route as “N2”, which means that it is a route learned through a
LSA Type-7:

R5#show ip route | i 0.0.0.0


Gateway of last resort is 10.10.45.4 to network 0.0.0.0
10.0.0.0/24 is subnetted, 6 subnets
O*N2 0.0.0.0/0 [110/1] via 10.10.45.4, 00:00:16, FastEthernet0/0
R5#

Let’s configure Area 2 as a totally not-so-stubby area and remove the default route generation from R4.
The change needed on R4 is the following:

R4#show running-config | section ospf


router ospf 1
log-adjacency-changes
area 2 nssa no-summary
network 4.4.4.4 0.0.0.0 area 0
network 10.10.34.4 0.0.0.0 area 0
network 10.10.45.4 0.0.0.0 area 2
R4#

Checking the link-state database of R5, we see:

R5#show ip ospf database


OSPF Router with ID (5.5.5.5) (Process ID 1)

Router Link States (Area 2)

Link ID ADV Router Age Seq# Checksum Link count


4.4.4.4 4.4.4.4 95 0x80000005 0x002B4F 1
5.5.5.5 5.5.5.5 87 0x80000049 0x008486 2

Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum


10.10.45.5 5.5.5.5 97 0x80000001 0x0004B1

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum


0.0.0.0 4.4.4.4 99 0x80000001 0x00C065
R5#

We can see that all LSAs Type-3 were removed, except the one for the default route.

Here is the difference between the two cases: when the default route is generated manually (as LSA
Type-7) it shows as N2, and when it is generated automatically by the no-summary option (as LSA
Type-3) it shows as IA:
R5#show ip route | i 0.0.0.0
Gateway of last resort is 10.10.45.4 to network 0.0.0.0
10.0.0.0/24 is subnetted, 2 subnets
O*IA 0.0.0.0/0 [110/2] via 10.10.45.4, 00:02:48, FastEthernet0/0
R5#

Next, the RIP protocol was configured between R5 and R6. R6 is advertising its loopback IP address and it
should be learned by R5:

R5#show ip route rip


R 6.0.0.0/8 [120/1] via 10.10.56.6, 00:00:02, FastEthernet1/0

After that, the RIP routes are redistributed in OSPF, in which case they should be learned by R4 as well
and all the other routers that are not internal to stub/NSSA areas. Router R5 is advertising a default route
through RIP so that R6 can reach any destination from the OSPF routing domain.

Let’s check what the link-state database on R5 looks like after the RIP was redistributed in OSPF. We
should see two LSA Type-7, the loopback IP address of R6 and the link between R5 and R6:

R5#sh ip ospf database

OSPF Router with ID (5.5.5.5) (Process ID 1)

Router Link States (Area 2)

Link ID ADV Router Age Seq# Checksum Link count


4.4.4.4 4.4.4.4 611 0x80000005 0x002B4F 1
5.5.5.5 5.5.5.5 46 0x8000004A 0x00887F 2

Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum


10.10.45.5 5.5.5.5 613 0x80000001 0x0004B1

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum


0.0.0.0 4.4.4.4 615 0x80000001 0x00C065

Type-7 AS External Link States (Area 2)

Link ID ADV Router Age Seq# Checksum Tag


6.0.0.0 5.5.5.5 46 0x80000001 0x0069FE 0
10.10.56.0 5.5.5.5 46 0x80000001 0x0052CF 0

As R4 is in the same area as R5, it should have the same LSAs Type-7. This is the link-state database
of R4 (4.4.4.4):

Router Link States (Area 2)

Link ID ADV Router Age Seq# Checksum Link count


4.4.4.4 4.4.4.4 601 0x80000005 0x002B4F 1
5.5.5.5 5.5.5.5 38 0x8000004A 0x00887F 2

Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum


10.10.45.5 5.5.5.5 605 0x80000001 0x0004B1

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum


0.0.0.0 4.4.4.4 606 0x80000001 0x00C065

Type-7 AS External Link States (Area 2)

Link ID ADV Router Age Seq# Checksum Tag


6.0.0.0 5.5.5.5 39 0x80000001 0x0069FE 0
10.10.56.0 5.5.5.5 39 0x80000001 0x0052CF 0

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag


6.0.0.0 4.4.4.4 32 0x80000001 0x001C5A 0
10.10.56.0 4.4.4.4 32 0x80000001 0x00052B 0

We can see the same link ID twice, once as LSA Type-7 and once as LSA Type-5. This is because R4, as the
ABR, converts the two LSAs Type-7 into LSAs Type-5 and advertises them into the backbone area.
Let’s check one of these two LSAs on R2 and confirm that the LSA Type-5 was generated by R4:

R2#show ip ospf database external 6.0.0.0

OSPF Router with ID (2.2.2.2) (Process ID 1)

Type-5 AS External Link States

Routing Bit Set on this LSA


LS age: 774
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 6.0.0.0 (External Network Number)
Advertising Router: 4.4.4.4
LS Seq Number: 80000001
Checksum: 0x1C5A
Length: 36
Network Mask: /8
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 5.5.5.5
External Route Tag: 0

As you’d expect, these LSAs Type-5 won’t be present in area 3 because it’s a totally stubby area.
However, there shouldn’t be any problem with reachability between R1 and R6:
R1#ping 6.6.6.6 source 1.1.1.1

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/109/140 ms
R1#

Now that you have reached this point of this chapter, you should be able to configure all types of OSPF
areas and you should also be familiar with how you can check various sections of the OSPF link-state
database.

By knowing how you can relate the information found in the link-state database and the routing table,
you can predict what one of them would look like without knowing what the other one looks like (in the
normal conditions without any filtering/altering of the link-state database).

Chapter 19: OSPF Troubleshooting

The next step will be to get familiar with OSPF troubleshooting methods and the commands that will be
the most helpful to find the problem which is presented to you. This is useful not only for any CCNA exam
candidate, but also in any situation where you will have to manage a network where OSPF is used as
interior gateway protocol.

Everything is good when you have network connectivity and routing tables looking as you expect. But
what happens when users start to complain that they cannot access various destinations?

Let's suppose that you are the administrator of a network with the topology we are working with:
Host 1 --- R1 --- R2 --- R3 --- Host 2

The user at Host 1 then asks you why they cannot reach Host 2.

What do you do? You start by investigating the routing table of R1 and checking whether the Host 2 route
is present there. If it is there, then the problem is on the segment between Host 1 and R1. Otherwise,
you jump on R2 and check for the existence of the Host 2 route.

Let's suppose that the Host 2 route is present on R2, which means there's a problem between R1 and R2.
What problems can cause the Host 2 route to be missing from the R1 table?
1. R1 is not running the routing protocol on the interface towards R2.
2. R1 is running the routing protocol on the interface towards R2, but the adjacency between
them needed to exchange routes is not formed.
3. The adjacency is formed, but the Host 2 route is not sent by R2.
4. The Host 2 route is sent by R2, but is not installed in the R1 routing table.

All these represent generic steps to be taken when you troubleshoot a routing protocol. Although it's not
always possible because you might not be in control of all devices, the first step you should take would be
to examine the configuration of the devices. Check the routing protocol configuration and the interfaces'
IP addresses to make sure that you're running the routing protocol on the intended interfaces. Often, a
small typo in the 'network' statement can lead to a lot of time wasted on troubleshooting and can be fixed
quickly by comparing the configuration.

However, knowing the appropriate ‘show’ and ‘debug’ commands specific for each routing protocol will
also help you find the problem and fix it. This part focuses on how to troubleshoot the OSPF protocol using
‘show’ and ‘debug’ commands. To make things more interesting, we’re not allowed to view the
configuration of the routing protocols, unless it’s for verification.

Right after OSPF has been enabled on a particular interface, the router will start to discover neighbors
and form neighbor relationships with each router with which it shares a common subnet.
For OSPF to build a neighbor relationship, a few requirements have to be met:

1. Routers must be in the same subnet.
2. Hello and dead timers must match.
3. Router IDs must be unique.
4. Routers must be in the same area.
5. Stub flag must be identical.
6. IP MTU must be identical.
7. Must pass neighbour authentication (if configured).

We will use a topology with five routers as shown below to show how we can check if neighbor
relationship requirements are met by using ‘show’ and ‘debug’ commands.

The routers have been configured based on the topology: R1 and R2 are internal routers in Area 1, R3 is
the ABR, and R4 and R5 are backbone routers. Additionally, the OSPF neighbor relationship is secured using
MD5 authentication with the key 'cisco', and each router has a loopback interface using this addressing
schema: Rx = x.x.x.x/32. For instance, R1 has a loopback interface configured with the IP address
1.1.1.1/32.

At the end of the troubleshooting scenario, each router will have all the loopback interfaces of the other
routers in the routing table.
Let’s start with R1 and check the OSPF routes from the routing table:

So, we don’t have any OSPF routes. The next step will be to check the OSPF adjacencies:

Now we know why we don't have any OSPF routes: no OSPF adjacency with R2 has reached FULL state. We do
see one of the two expected neighbors, but it is in EXCHANGE state, not in FULL state.
When you see a neighbor relationship stuck in EXCHANGE state, the most probable cause is an IP MTU
mismatch between the two OSPF routers. One way of verifying this is with the debug command:
debug ip ospf adj.

Here is the output:

The last message from the debug log says that neighbor 2.2.2.2 (which is R2) has a larger MTU. Let’s check
R1 Serial0/0 and R2 Serial0/0 interfaces configuration:

As we suspected, the MTU is different on R1 and R2. By default, the MTU is 1500, so let’s remove the MTU
configuration from R1 Serial0/0:

As you can see, OSPF is now up between R1 S0/0 and R2 S0/0. But we have another interface over which
OSPF is configured. This is Serial0/1 and the Neighbours count shows 0:

When we initially checked the state of the OSPF neighbors, we saw only one neighbor, in EXCHANGE state.
This means that the parameters carried in the hello packet to meet the neighbor relationship requirements
were accepted by the remote router. This is not the case with the OSPF neighbor relationship over
Serial0/1, because it didn't appear in the 'show ip ospf neighbor' output at all.

Therefore, something in the hello packet prevents the OSPF adjacency from coming up. 'show ip ospf
interface' should give us more information about the OSPF parameters that are configured on an
interface.
Let's analyze the output from both R1 and R2:

Both interfaces are configured in the same subnet and in the same area. Each router has a different Router
ID. The two lines below let us check the configured hello and dead intervals.

But just a moment: R1 has a hello of 10 seconds and a dead interval of 40 seconds (the default) while R2
has a hello of 5 seconds and a dead interval of 20 seconds. As said in the beginning, hello and dead
intervals must match.

Let’s configure the default values on R2 and see if the OSPF adjacency comes up:

Right after we changed the configuration, the OSPF adjacency between R1 and R2 over Serial0/1 came up.
Let’s check if R2 Loopback0 IP address (2.2.2.2) is present in the R1 routing table:

Another way to identify mismatched hello timers is to enable OSPF hello debugging with the command
'debug ip ospf hello'. Below is the output from when the hello timers were mismatched:

'R' means received: in this case R1 received a dead interval of 20 seconds. 'C' means configured: in
this case R1 was configured with a dead interval of 40 seconds.

Let’s check the routing table of R2:

R2 has only one OSPF route, the Loopback interface of R1. By checking the neighbours' status, we see that
OSPF is down between R2 and R3.
As we don't see R3 at all in the neighbor list, let's enable 'debug ip ospf hello' and see if there is any
mismatch in the hello packets:

Nothing obvious here. Let’s go further and enable ‘debug ip ospf adj’ and check the output:

We found the problem. It seems that the authentication requirement wasn’t met.
As you should know:
1. Type 0 is no authentication.
2. Type 1 is clear text authentication.
3. Type 2 is MD5 authentication.

In this particular case, it seems that R3 (10.10.23.3) was configured with clear text authentication instead
of MD5 authentication.

One way to check the authentication configured on an interface is using the ‘show ip ospf interface’
command.

On R1, we have configured MD5 (message digest) authentication:

But on R3, we have configured clear text (simple text) authentication:

Let’s fix the configuration error from R3 and see if OSPF comes up between R2 and R3:

Now that we fixed the authentication problem between R2 and R3, we can see that OSPF adjacency came
up and we should have more OSPF routes in the routing table of R2:

If you take a look at the topology, you’ll see that we have five routers in the network. Analyzing the routing
table of R2 regarding the OSPF routes, we notice that the R4 Loopback interface IP address (4.4.4.4/32) is
missing.
Let’s check the routing table of R2 one more time:

What just happened? It seems that the R4 Loopback is present now, but the R5 Loopback IP address
(5.5.5.5/32) is missing.
One more time:

Now the R5 Loopback is present, but not the R4 Loopback. As you can see, there is a constant flapping of
the two networks.
For both 4.4.4.4/32 and 5.5.5.5/32, the next-hop IP address is R3 (10.10.23.3). Therefore, we need to
check the OSPF operation and routing table on R3:

We see the same behaviour here: we cannot have both the 4.4.4.4/32 and 5.5.5.5/32 routes in the routing
table at the same time.
Usually, in an OSPF domain, when you are not doing any redistribution and you see this sort of route
flapping in the routing table, you should make sure that the Router ID uniqueness requirement is met.
Let's check the R3 OSPF neighbours:

R3 should see Router ID 5.5.5.5 as a neighbour over two interfaces, Serial2/0 and FastEthernet1/0,
therefore two neighbour entries with Router ID 5.5.5.5.
On interface Serial2/0, the IP address of the router with Router ID 5.5.5.5 should be 10.10.35.5, and on
interface FastEthernet1/0 it should be 10.10.0.5.
But we have another router with Router ID 5.5.5.5 at IP address 10.10.0.4, which is R4.

Let’s check the Router ID of both R4 and R5:

As you can see, both of them have the same Router ID: 5.5.5.5 which leads to the problem of route
flapping. Because both of them have the same Router ID, an OSPF adjacency cannot be formed between
the two of them:

Let’s check the OSPF configuration on R4 and modify it:

All problems have been fixed now and in the routing table of R1, we should see all the Loopback interfaces
of all the routers in the network:

We have seen various situations where the neighbor relationship requirements were not met. Let's review
all OSPF requirements and how you can check them using 'show' and 'debug' commands:
1. Routers must be in the same subnet.
- show interfaces, debug ip ospf hello
2. Hello and dead timers must match.
- show ip ospf interface, debug ip ospf hello
3. Router IDs must be unique.
- show ip ospf, show ip ospf interface
4. Routers must be in the same area.
- show ip ospf interface, debug ip ospf adj
5. Stub flag must be identical.
- show ip ospf, debug ip ospf hello
6. IP MTU must be identical.
- show interfaces, debug ip ospf adj
7. Must pass neighbour authentication (if configured).
- show ip ospf interface, debug ip ospf adj
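The seven requirements above, turned into a checker that compares both ends of a link, names the failed requirement together with the 'show'/'debug' commands from this list, and predicts the neighbour state the chapter's four scenarios produced. This is an added example, not code from the book; all interface values are constructed (the R1-R2 link addresses are not given in the text).

```python
"""Added example (not from the book): apply the seven OSPF neighbour
requirements reviewed above to both ends of a link and report what fails,
which 'show'/'debug' commands expose it, and the neighbour state you would
expect to see. All interface values are constructed for illustration; the
R1-R2 link addresses are not given in the chapter."""
import ipaddress

# Requirement -> the commands the chapter pairs with it
COMMANDS = {
    "subnet": "show interfaces, debug ip ospf hello",
    "timers": "show ip ospf interface, debug ip ospf hello",
    "router_id": "show ip ospf, show ip ospf interface",
    "area": "show ip ospf interface, debug ip ospf adj",
    "stub": "show ip ospf, debug ip ospf hello",
    "mtu": "show interfaces, debug ip ospf adj",
    "auth": "show ip ospf interface, debug ip ospf adj",
}
AUTH_NAMES = {0: "none", 1: "clear text", 2: "MD5"}


def iface(ip, rid, **overrides):
    """Interface parameters with the chapter's defaults (area 1, MD5 key 'cisco')."""
    params = dict(ip=ip, rid=rid, mtu=1500, hello=10, dead=40, area=1,
                  stub=False, auth=2, key="cisco")
    params.update(overrides)
    return params


def check_adjacency(local, remote):
    """Compare both ends; return a list of (requirement, detail, commands)."""
    problems = []
    net_l = ipaddress.ip_interface(local["ip"]).network
    net_r = ipaddress.ip_interface(remote["ip"]).network
    if net_l != net_r:
        problems.append(("subnet", f"{net_l} vs {net_r}", COMMANDS["subnet"]))
    if (local["hello"], local["dead"]) != (remote["hello"], remote["dead"]):
        # Same wording as 'debug ip ospf hello': R = received, C = configured
        detail = (f"dead R {remote['dead']} C {local['dead']}, "
                  f"hello R {remote['hello']} C {local['hello']}")
        problems.append(("timers", detail, COMMANDS["timers"]))
    if local["rid"] == remote["rid"]:
        problems.append(("router_id", f"duplicate Router ID {local['rid']}",
                         COMMANDS["router_id"]))
    if local["area"] != remote["area"]:
        problems.append(("area", f"{local['area']} vs {remote['area']}",
                         COMMANDS["area"]))
    if local["stub"] != remote["stub"]:
        problems.append(("stub", "stub flag differs", COMMANDS["stub"]))
    if local["mtu"] != remote["mtu"]:
        problems.append(("mtu", f"{local['mtu']} vs {remote['mtu']}",
                         COMMANDS["mtu"]))
    if local["auth"] != remote["auth"]:
        detail = (f"type {local['auth']} ({AUTH_NAMES[local['auth']]}) vs "
                  f"type {remote['auth']} ({AUTH_NAMES[remote['auth']]})")
        problems.append(("auth", detail, COMMANDS["auth"]))
    elif local["auth"] and local["key"] != remote["key"]:
        problems.append(("auth", "authentication key differs", COMMANDS["auth"]))
    return problems


def expected_state(local, remote):
    """Predict what 'show ip ospf neighbor' shows, following the chapter's cases."""
    failed = {p[0] for p in check_adjacency(local, remote)}
    if failed & {"subnet", "timers", "area", "stub", "auth", "router_id"}:
        return "ABSENT"     # hello rejected or duplicate RID: never listed
    if "mtu" in failed:
        return "EXCHANGE"   # hellos agree, but the database exchange stalls
    return "FULL"


# Scenario 1: R1-R2 Serial0/0, R1 has a non-default MTU (addresses constructed)
R1_S00 = iface("10.10.12.1/30", "1.1.1.1", mtu=1400)
R2_S00 = iface("10.10.12.2/30", "2.2.2.2")
# Scenario 2: R1-R2 Serial0/1, R2 configured with hello 5 / dead 20
R1_S01 = iface("10.10.21.1/30", "1.1.1.1")
R2_S01 = iface("10.10.21.2/30", "2.2.2.2", hello=5, dead=20)
# Scenario 3: R2-R3, R3 (10.10.23.3) uses clear-text instead of MD5
R2_TO_R3 = iface("10.10.23.2/24", "2.2.2.2")
R3_TO_R2 = iface("10.10.23.3/24", "3.3.3.3", auth=1)
# Scenario 4: R4 and R5 share Router ID 5.5.5.5 on the FastEthernet segment
R4_FE = iface("10.10.0.4/24", "5.5.5.5", area=0)
R5_FE = iface("10.10.0.5/24", "5.5.5.5", area=0)

if __name__ == "__main__":
    for name, (a, b) in {"R1-R2 S0/0": (R1_S00, R2_S00),
                         "R1-R2 S0/1": (R1_S01, R2_S01),
                         "R2-R3": (R2_TO_R3, R3_TO_R2),
                         "R4-R5": (R4_FE, R5_FE)}.items():
        print(f"{name}: expected neighbour state {expected_state(a, b)}")
        for req, detail, cmds in check_adjacency(a, b):
            print(f"  {req}: {detail}  -> {cmds}")
```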

Chapter 20: Necessity of Route Redistribution

Route redistribution (RR) has become an integral part of IP network design as the result of a growing
need for disseminating certain routes across routing protocol boundaries. While RR is widely used and
resembles BGP in several nontrivial aspects, the networking community has, surprisingly, not
systematically studied its safety. This article presents the analytical model for understanding the effect of
RR on network-wide routing dynamics and evaluating the safety of a specific RR configuration.

We first illustrate how easily inaccurate configurations of RR may cause severe routing instabilities,
including route oscillations and persistent routing loops. At the same time, general observations regarding
the root causes of these instabilities are provided. We then introduce a formal model based on these
observations to represent and study the safety of route redistribution. Using the model, we prove that an
RR configuration allows you to get the desired routes from another routing protocol. Given this complexity,
we present a sufficient condition, which can be checked in different scenarios using different routing
protocols.

Recent studies show that some enterprise networks rival carrier networks in terms of scale and complexity
of routing design. One may even argue that because of a more dynamic business environment fuelled by
acquisitions and mergers, large enterprise networks may be more difficult to control and manage than
carrier networks.

One source of this difficulty stems from the fact that the routing structure of a large enterprise network
typically consists of multiple domains or routing instances. Routing instances form for many reasons.
Company acquisitions, departments administered by different teams, and multi-vendor equipment may
lead to such situations. Alternatively, network administrators may intentionally create separate routing
instances to filter routes, limit reachability and enforce policies.

Routers within one routing instance typically run the same routing protocol to fully share reachability
information and they by default do not exchange routing information with routers in other routing
instances.

Consider the network depicted in Figure 1 (see below). It consists of two routing instances. Routers in the
RIP instance do not have visibility of the addresses and subnet prefixes in the OSPF instance and vice versa.
To allow the exchange of routing information between different routing instances, router vendors have
introduced a feature called route redistribution. Route redistribution is a configuration.

As such, router vendors introduced RR to address a need from network operations. We recently looked
at the configurations of some large university campus networks and found that RR is indeed widely used.
However, contrary to traditional routing protocols, there is no standard or RFC formally defining the
functionality of RR. Significant efforts are usually associated with the design and analysis of a routing
protocol to ensure its correctness and stability but the specification of RR did not receive as much
attention. Consequently, RR is often misconfigured, leading to sub-optimal routing and even severe
instabilities such as route oscillations and persistent routing loops.

A router running multiple routing processes does not by default redistribute routes among these
processes. Route redistribution must be explicitly configured. On Cisco IOS, a route-map allows network
administrators to filter the routes, prioritize the received announcements (by assigning different AD
values) and modify the attributes of the redistributed routes. Below I provide an example of a Cisco
configuration redistributing routes from a RIP process into an OSPF one. The route-map statements filter
the routes and modify the attributes of the redistributed routes.

I'm guessing you all will want some scenarios here. When I was learning Cisco technology, I loved to get
involved with practical scenarios. Let's look at a scenario where three routers are logically connected,
RIPv2 is running between R1-R2 and OSPF Area 0 is configured between R2-R3, but R1 is not getting routes
from R3 and vice versa (because R1 and R3 run different routing protocols).
To get R1-R3 communication, we need to do route redistribution, but first we have to:

1. Configure all loopback interfaces on the R1 & R3 routers as shown in the diagram.
2. Configure the serial interfaces with the IP addresses, bring them up, and set a DCE clock rate where
appropriate.

R1 Configuration:

R1(config)# interface Loopback0
R1(config-if)# ip address 1.1.1.1 255.255.255.255
R1(config)# interface Loopback1
R1(config-if)# ip address 11.11.11.11 255.255.255.255
R1(config)# interface S1/0
R1(config-if)# ip address 12.1.1.1 255.255.255.252
R1(config-if)# no shut

R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 1.1.1.1
R1(config-router)# network 11.11.11.11
R1(config-router)# network 12.1.1.0
R1(config-router)# no auto-summary

R2 Configuration:

R2(config)# interface Loopback0
R2(config-if)# ip address 2.2.2.2 255.255.255.255
R2(config)# interface S1/0
R2(config-if)# ip address 12.1.1.2 255.255.255.252
R2(config-if)# no shut
R2(config)# interface S1/1
R2(config-if)# ip address 23.1.1.1 255.255.255.252
R2(config-if)# no shut

R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# network 2.2.2.2
R2(config-router)# network 12.1.1.0
R2(config-router)# network 23.1.1.0
R2(config-router)# redistribute ospf 1 metric 10   ! OSPF redistribution under RIP
R2(config-router)# no auto-summary

R2(config)# router ospf 1
R2(config-router)# network 2.2.2.2 0.0.0.0 area 0
R2(config-router)# network 12.1.1.2 0.0.0.0 area 0
R2(config-router)# network 23.1.1.1 0.0.0.0 area 0
R2(config-router)# redistribute rip subnets   ! RIP redistribution under OSPF process
R3 Configuration:

R3(config)# interface Loopback0
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config)# interface Loopback1
R3(config-if)# ip address 33.33.33.33 255.255.255.255
R3(config)# interface S1/1
R3(config-if)# ip address 23.1.1.2 255.255.255.252
R3(config-if)# no shut

R3(config)# router ospf 1
R3(config-router)# network 3.3.3.3 0.0.0.0 area 0
R3(config-router)# network 33.33.33.33 0.0.0.0 area 0
R3(config-router)# network 23.1.1.2 0.0.0.0 area 0

If we don’t configure redistribution, we will not get OSPF routes on R1 (where RIP is configured) as below
in Fig 2.1 and same for R3, since R3’s routing table does not contain R1/RIP routes as shown on Fig 2.2.

But after configuring mutual redistribution (on R2, because both routing protocols are running on it) for
both routing protocols with their respective metric values:

R2(config)# router rip
R2(config-router)# redistribute ospf 1 metric 10   ! OSPF redistribution under RIP
R2(config)# router ospf 1
R2(config-router)# redistribute rip subnets   ! RIP redistribution under OSPF process

After we configure mutual redistribution for RIP and OSPF, we get the desired routes, meaning now we
can see OSPF routes (R3 Loopbacks) on R1 as shown in Fig. 2.3:

And we are also getting RIP routes as O E2 in R3 routing table as shown in Fig 2.4:

We have gone through all the conceptual knowledge regarding route redistribution that a CCNA candidate
needs. You will learn how to apply route-maps, prefix lists and filter lists while configuring
redistribution once you go for the CCNP, but one thing you should always keep in mind is that practice
makes perfect, so to become best with redistribution, you need to try it with different routing protocols
like those shown in Fig. 3 and 3.1.

Also for static routing, you need to configure 'redistribute static subnets' under the OSPF process, and
to redistribute static routes into RIP you need to configure 'redistribute static metric 10'.

Part 5: IPv6 Addressing & Routing


Chapter 21: Fundamentals of IPv6 Addressing & Routing

In our discussion about IPv4 addressing in Chapter 4, we learned that IPv4 addressing is not enough for
connecting all machines and devices into an internetwork. We will soon enter a phase where everything
will be connected to the Internet. "Internet of Things/Internet of Everything" are phrases you might have
heard, and to achieve more than 50 billion connected devices in a worldwide network, you must have a
new and different IP addressing scheme which can provide ample addresses in the coming days. In this
chapter, we are going to discuss another version of logical addressing called IPv6 addressing.

As a reader you might be aware that IPv6 addressing was introduced way back in the mid-1990s by the
Internet Engineering Task Force, starting with RFC 1883. It's still in a development phase; only 1% of
internet traffic was carried by IPv6 as of late November 2012. By the end of this chapter, you will be able
to understand why we need to learn IPv6 addressing, how we can represent it, and what its basic
differences from IPv4 are.

What is IPv6?

IPv6 or Internet Protocol version 6 is a next generation layer 3 TCP/IP protocol, held as the future of IP
communication protocols.

Before discussing more about IPv6 addressing, let's look at the packet format of IPv6.

Below we can see the detailed architecture of an IPv6 packet header.

IPv6 Header
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address
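The header laid out above, parsed and rebuilt field by field with Python's standard library, including the checks a receiver should make on the version and payload length. This is an added example, not code from the book; the packet bytes, addresses and function names are constructed for illustration.

```python
"""Added example (not from the book): parse and build the fixed 40-byte IPv6
base header laid out above using only the standard library. The sample
packet, its addresses and the function names are constructed for illustration."""
import ipaddress
import struct

HEADER_LEN = 40  # the IPv6 base header has a fixed length, unlike IPv4's


def parse_ipv6_header(data: bytes) -> dict:
    """Split the header into its fields; raise ValueError if it is malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", data[:8])
    version = first_word >> 28                  # top 4 bits
    traffic_class = (first_word >> 20) & 0xFF   # next 8 bits
    flow_label = first_word & 0xFFFFF           # low 20 bits
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    # Payload Length must not claim more bytes than the packet actually carries
    if len(data) - HEADER_LEN < payload_len:
        raise ValueError("payload length exceeds packet size")
    return {
        "version": version,
        "traffic_class": traffic_class,
        "flow_label": flow_label,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(data[8:24])),
        "dst": str(ipaddress.IPv6Address(data[24:40])),
    }


def is_valid_ipv6_header(data: bytes) -> bool:
    """True if parse_ipv6_header accepts the packet."""
    try:
        parse_ipv6_header(data)
        return True
    except ValueError:
        return False


def build_ipv6_header(src, dst, payload, next_header=58, hop_limit=64,
                      traffic_class=0, flow_label=0) -> bytes:
    """Assemble a header in front of payload (the reverse of parse_ipv6_header)."""
    first_word = (6 << 28) | (traffic_class << 20) | (flow_label & 0xFFFFF)
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + payload


# Constructed sample: ICMPv6 (Next Header 58) from the chapter's link-local
# example address to the all-nodes multicast group ff02::1
SAMPLE = build_ipv6_header("fe80::200:5aee:feaa:20a2", "ff02::1",
                           bytes.fromhex("80000000000100010102"),
                           flow_label=0xABCDE)

if __name__ == "__main__":
    for field, value in parse_ipv6_header(SAMPLE).items():
        print(f"{field:15} {value}")
```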

The architecture of IPv6 allows existing IPv4 users to transition easily to IPv6 while providing services such
as end-to-end security, quality of service (QoS) and globally unique addresses.

The larger IPv6 address space allows networks to scale and provides global reachability. The simplified
IPv6 packet header format handles packets more efficiently.

IPv6 prefix aggregation, simplified network numbering and IPv6 site multi-homing capabilities create an
addressing hierarchy that allows more efficient routing.

Why do we need to learn IPv6?

With IPv4 addressing, there were 3.7 billion usable IP addresses out of 4.3 billion available, which is far
too few for full machine-to-machine communication. Since only 10% of the world's population uses the
Internet directly, we are managing with IPv4 addressing, but emerging markets like China, India, and
Africa will need a huge number of IP addresses in the near future. In next generation networks where
every electronic device can be managed by a smart phone, to get communications done, you need to have
an IP address assigned to each device.

Previously, the IETF provided a temporary solution by giving enterprises a special range of address space,
private addresses, which anyone could use behind a public network. To access a public network, address
translation was used to convert the private addressing information to a public address, mainly with static
Network Address Translation (NAT) for internal services and dynamic overloading (Port Address
Translation) for user connections. But due to increased internet usage, soon there won't be any public
addresses left to translate.

IPv6 Addressing & Expressions:

An IPv6 address has 8 sections separated by colons, and each section carries 4 hexadecimal digits. So
an IPv6 address looks like this:

XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
(Network Address - 64 bits) (Host Address - 64 bits)

Each X can have a hexadecimal value from 0 to 9 and a to f. It means there are 16 possible values for each
X. Since each bit is either 0 or 1, representing 16 values takes 4 bits (2*2*2*2 = 16 values), so one X is
4 bits. Four X's per section give 4*4 = 16 bits per section, and with 8 sections in total this turns out to
be 16*8 = 128 bits. That's why an IPv6 address is 128 bits, unlike its counterpart IPv4 address, which is
only 32 bits.

Because of its 128-bit size, the number of possible addresses in the IPv6 space is 2^128 = 340 282 366
920 938 463 463 374 607 431 768 211 456. Chances are that we will not run out of addresses until the end
of this century.

The most important thing to remember is that in IPv6 addressing, clients are mostly based on a /64 subnet,
which means the first 64 bits form the network part while the next 64 bits form the host part, i.e. the
IPv6 addresses that are allocated to end machines.

Shortcut technique:

In the IPv6 addressing scheme, decimal notation has been replaced with hexadecimal using 16 characters
(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f), where A=10, B=11, C=12, etc. You can use both upper and
lower case to address your device since hexadecimal digits are not case sensitive.

Addresses still use a hierarchy as in IPv4. They are divided into two parts: the first (64 bits, shown in
blue in the original figure) denotes the network portion and the second (shown in red) the interface
identifier/host address.

We can use some shortcut methods to shorten the long address notation:

- Leading zeroes in a group can be omitted.
- A group of four 0s can be abbreviated to a single 0.
- Multiple contiguous all-zero groups (each group is 2 bytes) can be abbreviated to a double colon (::),
but this can be done only once in an address.

Example:

3001:0000:0000:0014:0000:0000:1354:76ab

Using the shortcut technique, the right answer would be 3001::14:0:0:1354:76ab.
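The three shortcut rules implemented as a compression function (with the reverse expansion), checked against the example above; when two zero runs are equally long, as in that example, the first one is collapsed. This is an added example, not code from the book; the function names and the extra sample addresses are constructed.

```python
"""Added example (not from the book): the shortcut rules above as code, plus
the expansion back to full form. Function names and sample addresses are
constructed for illustration."""


def compress_ipv6(addr: str) -> str:
    """Drop leading zeros, collapse the longest run of two or more all-zero
    groups into '::' (the first run wins a tie), and do so only once."""
    groups = addr.lower().split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 colon-separated groups")
    # Rule 1 and 2: strip leading zeros; a group of four 0s becomes a single "0"
    groups = [g.lstrip("0") or "0" for g in groups]
    # Rule 3: locate the longest run of "0" groups
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == "0":
            j = i
            while j < 8 and groups[j] == "0":
                j += 1
            if j - i > best_len:          # strictly longer, so the first run wins ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                      # a single zero group is not shortened
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def expand_ipv6(addr: str) -> str:
    """Undo the shortcuts: restore eight four-digit groups."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("wrong number of groups")
    return ":".join(g.zfill(4).lower() for g in groups)


if __name__ == "__main__":
    full = "3001:0000:0000:0014:0000:0000:1354:76ab"   # the chapter's example
    short = compress_ipv6(full)
    print(full, "->", short, "->", expand_ipv6(short))
```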

Types of IPv6 addresses:

We are all familiar with IPv4's unicast, broadcast, and multicast addresses, which basically define who, or
how many devices, we are talking to. By dropping the broadcast address and introducing a new address
type called anycast, IPv6 ends up with three main types:

- Gateway Address: The concept of a gateway address in IPv6 is the same as in IPv4: a gateway address is
designated so that traffic can be routed out of the current subnet.
- Anycast: One-to-the-nearest interface delivery, very different from an IPv4 broadcast. Many interfaces
can share the same anycast address, so an anycast address identifies one or more interfaces, but the
anycast packet is delivered to only one device, the closest one in terms of routing distance.

As a network admin you need to remember the following guidelines:

i. Don't assign anycast addresses to hosts, only to routers.
ii. Don't put an anycast address in the source of a packet, only in the destination.

- Multicast: Similar to a multicast in IPv4, it addresses one group of devices. Packets addressed to a
multicast address are delivered to all interfaces that have joined the multicast group. In IPv6, a
multicast address always starts with FF. A multicast address can't be used as a source address.

IPv6 multicast addresses have the format prefix 1111 1111. An IPv6 address is simple to classify as
multicast because it always begins with ff00::/8; an example is ff01:0:0:0:0:0:0:2. Remember, multicast
addresses cannot be used as source addresses.

11111111 | Flags | Scope | Group ID
(8 bits) | (4 bits) | (4 bits) | (112 bits)

Multicast addresses include additional structure to identify their flags, scope, and multicast group, as
shown above.

- Unicast: IPv6 unicast addresses are assigned to individual interfaces, and packets addressed to a unicast
address are delivered to that interface. Below are descriptions of the five different types of unicast
addresses.

i. Global unicast addresses: Global unicast addresses are typical publicly routable addresses, the same
as they are in IPv4. The range starts at 2000::/3. ISPs summarize these to provide scalability in the
Internet.
ii. Reserved addresses: Like its counterpart IPv4, IPv6 also reserves some ranges of addresses, which
are used to specify types of anycast as well as for future use. Currently about 1/256th of the IPv6
address space is reserved for future use only.

iii. Private Addresses: Like IPv4, IPv6 also supports private addressing, which is used by devices that
don't need to access a public network. In private addresses, the first two digits are FE and the
third digit can range from 8 to F (FE80::/10).

There are two kinds of private addresses:

a. Site local: Site local addresses are similar to the RFC 1918 addresses and represent a particular
site or an enterprise network. They start with FEC0:: through FEFF::.

b. Link local: Link local addresses give the network admin an opportunity to throw a temporary LAN
together for meetings or to create a small LAN that's not going to be routed but still needs to
share and access files and services locally. These addresses are used on a single link or a non-
routed common access network, such as an Ethernet LAN. They do not need to be unique outside
the link. A link-local address may appear as the source or destination of an IPv6 packet. Routers
must not forward IPv6 packets if the source or destination contains a link local address. They start
with fe80::/10, for example fe80::200:5aee:feaa:20a2; the equivalent link-local range in IPv4 is
169.254.0.0/16.

Using private addresses, a network admin can easily control who is allowed to leave the network and get
returning traffic back by setting up address translation policies for IPv6.

iv. Loopback Address: Same as in IPv4 addressing, where the loopback address was 127.0.0.1 and a
complete class A block was dedicated to local testing. This address is used when a host talks to
itself over IPv6; this often happens when one program sends data to another. Here in IPv6, the
address is 0:0:0:0:0:0:0:1 or ::1. This loopback address is used for local testing functions, and only
one is used in IPv6.
v. Unspecified Address: 0.0.0.0 in IPv4 means an unknown address, but in IPv6 it is represented by
0:0:0:0:0:0:0:0 or :: and it is typically used in the source address field of a packet when an
interface doesn't have an address and is trying to acquire one dynamically.
vi. IPv4 Mapped Address: These addresses are used to embed IPv4 addresses in IPv6 addresses. One use
for this is in a dual stack transition scenario where IPv4 addresses can be mapped into IPv6
addresses. An example is ::ffff:192.168.10.1, where a class C IPv4 address is embedded into an IPv6
address.

Below is a short note on these special addresses, which can be a very good drill for memorization:

Special address             Value   Description
0:0:0:0:0:0:0:0             ::      Unspecified address
0:0:0:0:0:0:0:1             ::1     Equivalent of 127.0.0.1 in IPv4
0:0:0:0:0:0:192.168.100.1           Mixed IPv6/IPv4 network address
2000::/3                            Global unicast address range
FC00::/7                            The unique local unicast range
FE80::/10                           The link-local unicast range
FF00::/8                            The multicast range
3FFF:FFFF::/32                      Reserved for example and documentation purposes
2001:0DB8::/32                      Also reserved for example and documentation
2002::/16                           Used with 6to4 tunnelling, which is an IPv4 to IPv6 transition system
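A classifier for the address types described in this section and the ranges in the table above, plus a decoder for the flags/scope/group ID structure of a multicast address. This is an added example, not code from the book; the sample addresses and function names are constructed.

```python
"""Added example (not from the book): classify an address into the types
described above (and in the table) and decode the flags/scope/group ID of a
multicast address, using only the standard library. Sample addresses and
function names are constructed for illustration."""
import ipaddress

# Scope values carried in the 4-bit scope field of a multicast address
SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
          5: "site-local", 8: "organization-local", 0xE: "global"}

# Order matters: the more specific ranges are tested before 2000::/3
RANGES = [
    ("fec0::/10", "site-local unicast (deprecated)"),
    ("fc00::/7", "unique local unicast"),
    ("2001:db8::/32", "documentation"),
    ("3fff:ffff::/32", "documentation"),
    ("2002::/16", "6to4"),
    ("2000::/3", "global unicast"),
]


def classify_ipv6(text: str) -> str:
    """Name the address type; raises ValueError on malformed input."""
    a = ipaddress.IPv6Address(text)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.ipv4_mapped is not None:
        return f"IPv4-mapped ({a.ipv4_mapped})"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local unicast"
    for prefix, name in RANGES:
        if a in ipaddress.IPv6Network(prefix):
            return name
    return "reserved / other"


def decode_multicast(text: str) -> dict:
    """Split an ff00::/8 address into its 8-bit prefix, 4-bit flags,
    4-bit scope and 112-bit group ID."""
    value = int(ipaddress.IPv6Address(text))
    if value >> 120 != 0xFF:
        raise ValueError("not a multicast address")
    flags = (value >> 116) & 0xF
    scope = (value >> 112) & 0xF
    group_id = value & ((1 << 112) - 1)
    return {
        "flags": flags,
        "transient": bool(flags & 0x1),   # T bit: 0 = well-known, 1 = dynamically assigned
        "scope": SCOPES.get(scope, f"unassigned ({scope})"),
        "group_id": f"{group_id:x}",
    }


if __name__ == "__main__":
    for sample in ["::", "::1", "::ffff:192.168.10.1", "fe80::200:5aee:feaa:20a2",
                   "fd12:3456::1", "2001:db8::1", "2002:c000:204::1", "ff02::9"]:
        print(f"{sample:28} {classify_ipv6(sample)}")
    print(decode_multicast("ff02::9"))
```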

Transition Capabilities of IPv6:

The Dual stack method allows the successful co-existence of IPv4 and IPv6 when migrating between the
two. With the Dual Stack method, a network admin can allow both protocols to run simultaneously on an
interface of a device.

Another method is tunnelling, which allows you to tunnel IPv6 over IPv4 and vice versa to transmit an IP
version of one type across a network using another type. Using the 2002::/16 address, which is used for
IPv4 to IPv6 tunnelling, the structure allows IPv6 packets to be transmitted over an IPv4 network without
the need to configure explicit tunnels.

Cisco also supports another method, referred to as Network Address Translation-Protocol Translation
(NAT-PT), to translate between IPv4 and IPv6 addresses.

What are the advantages of IPv6 over IPv4?

Listed below are the key advantages of IPv6:

- Larger address space: Increased size from 32 bits to 128 bits.
- Streamlined protocol header: IPv6 encapsulation is simpler than IPv4's; it provides faster forwarding
rates and better packet-forwarding efficiency.
- Stateless auto-configuration: The ability for nodes to determine their own addresses.
- Multicast: Increased use of efficient one-to-many communication compared with IPv4.
- Network layer security: IP security (IPsec) is built into IPv6, so authentication and encryption are
available at the network layer.
- Quality of Service capabilities: QoS information is built into the IPv6 header, where a flow label
identifies the packets of a flow, helping to identify priority traffic.

Though it has several advantages over IPv4, IPv6 still has some drawbacks. For example, hexadecimal
addresses are not easy to learn and memorize.

The future of IPv6: in the near future, all devices will run only on IPv6, so as a network engineer or
newcomer to the field you need to master this addressing scheme. One thing to keep in mind about IPv6
addressing is that research into subnetting of IPv6 addresses is still ongoing; until then, you have
plenty of IPv6 addresses to work with.

CCNA Exam Essentials:

In order to pass the CCNA exam, please keep in mind these topics:


 Understand why we need IPv6
 Understand link-local addresses
 Understand unique local addresses
 Representation of IPv6 addresses
 Special address ranges in IPv6 addressing

IPv6 Routing:

Like IPv4 routing, IPv6 routing uses the same distance-vector and link-state protocols, such as RIP, EIGRP
and OSPF. Although they have a lot in common, some properties have changed. In the next chapter or two we
will look at these in more detail.

Static Routing: As in IPv4, configuring a static route for IPv6 on a router is not difficult. The one thing
to remember is that the next-hop IPv6 address can be any address on your neighbour, but if you use a
link-local address you must also specify the outgoing interface, because a link-local address is only
unique on its own link and the router could otherwise match the wrong neighbour.

RIPng: The basic features of RIPng are almost the same as in RIPv2. It is still a distance-vector routing
protocol with a maximum hop count of 15, and it uses split horizon with poison reverse to prevent routing
loops. Unlike RIPv2, which uses UDP port 520, it uses UDP port 521.

Like RIPv2, it sends its updates to a multicast address; in IPv6 that address is FF02::9.

One of the biggest changes with RIPng (and all IPv6 routing protocols) is that it is enabled on the
interface itself, instead of with the network command under the routing process that you used to bring a
connected network into the routing protocol:

Router(config-if)#ipv6 rip 1 enable

The 1 is the process tag that identifies this RIPng instance. Enabling RIPng on the interface starts the
RIPng process automatically, so you don't have to enter router configuration mode. If you want to tune the
RIPng process, you can still enter router configuration mode:

Router (config)#ipv6 router rip 1

RIPng uses the interface's link-local address (FE80::/10) as the source address of its updates, and each
RIPng route in the routing database, like a RIPv2 route entry, contains the destination prefix, next-hop
address, outbound interface, metric (the cost from the local router to the destination), route timers and
route tag. The packet processing procedure used by RIPng is the same as in RIPv2 or OSPF.

As static routing and RIPng are very easy to configure and use almost the same procedure as in IPv4, I
suggest you apply an IPv6 addressing scheme to the same topology we used when discussing static routing
and RIPv2 in the IPv4 routing part.


Chapter 22: OSPF in IPv6 (OSPFv3)

This Chapter will be about OSPFv3, which is the OSPF protocol that can be configured for IPv6 as well. At
this point, we will discuss only what is specific to OSPFv3 and the differences between OSPF and OSPFv3.
To get up to speed regarding OSPF in IPv4, we have already discussed these concepts in detail in the IPv4
routing section of this book.

At the end of this chapter, you will know:

 The features of OSPFv3
 How to enable OSPF in IPv6 routing
 How to enable OSPFv3 in a multi-area network
 How to configure the router ID
 How to change the OSPFv3 hello timers and the cost of the interfaces
 How to configure OSPFv3 authentication


OSPFv3 is a routing protocol for both IPv6 and IPv4. It is a standard protocol, defined in RFC 5340. OSPFv3
supports what are called address families, which means that both IPv4 and IPv6 unicast traffic can be
routed with only OSPFv3 configured. Using the address family feature, one can configure two routing
processes, one per address family.
OSPFv3 can be configured for either IPv4 or IPv6; the 'address-family' command specifies which of the
two is being configured.

Address family (AF) support is available only from IOS 15.1 onwards; a discussion of IOS versions is
outside our scope.

Regarding the differences between OSPF and OSPFv3, here are a few of them:
 In OSPFv3 you don't need to configure the routing process. Once an interface is enabled for OSPFv3,
the routing process is created automatically.
 In OSPFv3 there is no 'network' command under the routing process configuration. Each interface must
be enabled from the interface configuration stanza.
 In OSPFv3 all IPv6 prefixes configured under the interfaces are added automatically to the routing
process.

The LSA types used by OSPFv3, as in OSPF, are:
 Router LSAs (Type 1) – describe the state of the router's links
 Network LSAs (Type 2) – describe the link state for all the routers on a broadcast network
 Inter-area prefix LSAs, generated by ABRs (Type 3) – internal networks advertised to routers in
other areas
 Inter-area router LSAs, generated for ASBRs (Type 4) – describe the ASBR
 Autonomous system external LSAs (Type 5) – external information from outside the autonomous system
 Link LSAs (Type 8) – provide the link-local address of the local router to all the routers on the
same link

OSPFv3 uses IPsec to authenticate OSPFv3 packets. If the IPv6 AH header is used, integrity and
authentication are provided for the data. If the IPv6 ESP header is used, then integrity, authentication
and encryption are provided.

Authentication can be configured per interface or per area.


We will use the following topology for a case study on the OSPFv3 protocol:


Each router has a loopback interface and the following is the addressing:
IPv4: Rx = x.x.x.x/32

IPv6: Rx = 2001:1:1:1::x/128

For instance, R3 has a loopback interface configured with IPv4 3.3.3.3/32 and IPv6 2001:1:1:1::3/128. All
the other IPv6 addressing can be seen on the topology.

Having come this far, I assume you know how to configure IPv6 addresses on the interfaces; if you don't,
look at the example below, which configures an IPv6 address on a router interface:

R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ipv6 unicast-routing
R1(config)#interface FastEthernet0/0
R1(config-if)#ipv6 address 2001:abad:beef::1/64
R1(config-if)#no shut
R1(config-if)#exit

So let's start with the configuration of OSPFv3. This configuration is started by using the command ‘ipv6
router ospf <process_id>’

R1(config)#ipv6 router ospf 1
% IPv6 routing not enabled
R1(config)#

As you can see, in order to configure OSPFv3 or any other IPv6 routing protocol, you need to enable IPv6
routing first.

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router ospf 1
R1(config-rtr)#


From this moment on, you can configure any OSPFv3 feature you like.
There is no 'network' command under the OSPFv3 process configuration, unlike under the OSPF
configuration for IPv4.

To start OSPFv3 on a particular interface, you need to configure OSPFv3 under that interface.
Based on our topology, this would be a minimal and working OSPFv3 configuration on R1:

R1#show running-config interface s0/0


Building configuration...

Current configuration : 94 bytes


!
interface Serial0/0
no ip address
ipv6 address 2001:1:2:12::1/64
ipv6 ospf 1 area 1
end

R1#show running-config interface s0/1


Building configuration...

Current configuration : 94 bytes


!
interface Serial0/1
no ip address
ipv6 address 2001:1:2:21::1/64
ipv6 ospf 1 area 1
end

R1#show running-config interface loopback0


Building configuration...

Current configuration : 115 bytes


!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ipv6 address 2001:1:1:1::1/128
ipv6 ospf 1 area 1
end

R1#
One other thing to be aware of when configuring OSPFv3 is that you need to either configure the router-id
manually or configure an interface with an IPv4 address, so that the OSPF process can use that address as
its router-id.

Here is what happened after I deleted the Loopback0 interface from R3:

R3(config)#no int lo0


R3(config)#
*Mar 1 01:58:40.511: %LINK-5-CHANGED: Interface Loopback0, changed state to
administratively down
*Mar 1 01:58:41.511: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Loopback0, changed state to down


R3(config)#ipv6 router ospf 1


R3(config-rtr)#
*Mar 1 02:00:04.019: %OSPFv3-4-NORTRID: OSPFv3 process 1 could not pick a
router-id,
please configure manually
R3(config-rtr)#

Once the Loopback0 interface is configured on R3 again (giving the process an IPv4 address to use as
router-id) and OSPFv3 is enabled on the interface towards R2, the OSPFv3 adjacency comes up:

R3(config-if)#interface lo0
R3(config-if)#
*Mar 1 02:03:42.375: %LINK-3-UPDOWN: Interface Loopback0, changed state to
up
*Mar 1 02:03:43.375: %LINEPROTO-5-UPDOWN: Line protocol on Interface
Loopback0, changed state to up
R3(config-if)#ip address 3.3.3.3 255.255.255.255
R3(config-rtr)#interface Fas 0/0
R3(config-if)#ipv6 ospf 1 area 0
R3(config-if)#
*Mar 1 02:05:33.523: %OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on
FastEthernet0/0 from LOADING to FULL, Loading Done
R3(config-if)#

Regarding verification, almost all the commands that are available for OSPF for IPv4 are valid for
OSPFv3:

R2#show ipv6 ospf ?


<1-65535> Process ID number
border-routers Border and Boundary Router Information
database Database summary
flood-list Link state flood list
interface Interface information
neighbor Neighbor list
request-list Link state request list
retransmission-list Link state retransmission list
summary-prefix Summary-prefix redistribution Information
traffic OSPF traffic information
virtual-links Virtual link information
| Output modifiers
<cr>

R2#show ip ospf ?
<1-65535> Process ID number
border-routers Border and Boundary Router Information
database Database summary
flood-list Link state flood list
interface Interface information
max-metric Max-metric origination information
mpls MPLS related information
neighbor Neighbor list
request-list Link state request list
retransmission-list Link state retransmission list
sham-links Sham link information
statistics Various OSPF Statistics
summary-address Summary-address redistribution Information
timers OSPF timers information
traffic Traffic related statistics
virtual-links Virtual link information
| Output modifiers
<cr>

R2#

So let's check a few commands to make sure that OSPFv3 converged correctly, all the neighbours are up and
all the routes have been exchanged.

The 'show ipv6 ospf interface' command returns all the interfaces over which the router is trying to
establish OSPFv3 adjacencies. Let's check the output for only one interface, the interface on R2 towards R3:

R2#show ipv6 ospf interface FastEthernet1/0


FastEthernet1/0 is up, line protocol is up
Link Local Address FE80::CE14:9FF:FEB8:10, Interface ID 8
Area 0, Process ID 1, Instance ID 0, Router ID 2.2.2.2
Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 2.2.2.2, local address FE80::CE14:9FF:FEB8:10
Backup Designated router (ID) 3.3.3.3, local address FE80::CE15:9FF:FEB8:0
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:01
Index 1/1/3, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 3.3.3.3 (Backup Designated Router)
Suppress hello for 0 neighbor(s)
R2#

As you can see, the output is very similar to the one for OSPF, with the difference that link-local IPv6
addresses are displayed.

From the above output, you can see that the local router-id is 2.2.2.2 and the neighbor's router-id is
3.3.3.3, which is consistent with the topology.

Let’s check the OSPFv3 neighbors:


R2#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
3.3.3.3           1   FULL/BDR        00:00:32    4               FastEthernet1/0
1.1.1.1           1   FULL/  -        00:00:35    5               Serial0/1
1.1.1.1           1   FULL/  -        00:00:32    4               Serial0/0
R2#

As expected, R2 has two neighbors: R1 over the two serial interfaces and R3 over the Fast Ethernet interface.


Let’s check the IPv6 routing table of R2 to confirm that all inter-router links and all the Loopback
interfaces are present in its routing table:

R2#show ipv6 route ospf


IPv6 Routing Table - 15 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O 2001:1:1:1::1/128 [110/64]
via FE80::FFFF:FE10:45C5, Serial0/1
via FE80::FFFF:FE10:45C5, Serial0/0
O 2001:1:1:1::3/128 [110/1]
via FE80::CE15:9FF:FEB8:0, FastEthernet1/0
O 2001:1:1:1::4/128 [110/2]
via FE80::CE15:9FF:FEB8:0, FastEthernet1/0
O 2001:1:1:1::5/128 [110/2]
via FE80::CE15:9FF:FEB8:0, FastEthernet1/0
O 2001:1:2:35::/64 [110/65]
via FE80::CE15:9FF:FEB8:0, FastEthernet1/0
O 2001:1:2:345::/64 [110/2]
via FE80::CE15:9FF:FEB8:0, FastEthernet1/0
R2#

As you can see, all the routes appear as intra-area routes (shown by the preceding 'O', meaning OSPF intra).
The same command on R1 shows all the OSPFv3 routes as inter-area routes. Let's check how the R2 Loopback0
interface is seen from R1:

R1#show ipv6 route 2001:1:1:1::2/128


IPv6 Routing Table - 14 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
OI 2001:1:1:1::2/128 [110/64]
via FE80::CE14:9FF:FEB8:10, Serial0/0
via FE80::CE14:9FF:FEB8:10, Serial0/1
R1#

The other parameters of OSPFv3, like the hello and dead timers, cost and router-id, can be changed in the
same manner as in OSPF. The difference is that you need to use 'ipv6' instead of 'ip'.

The output of 'show ipv6 ospf interface FastEthernet1/0' above shows the default values of these
parameters (Cost 1, Hello 10, Dead 40).

The configuration below changes the hello and dead intervals to five and 20 seconds (only the hello
interval is set explicitly; the dead interval is derived automatically as four times the hello interval),
the cost to 10 and the router-id of R2 to 200.200.200.200.

R2#show running-config interface FastEthernet1/0


Building configuration...


Current configuration : 172 bytes


!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 address 2001:1:2:23::2/64
ipv6 ospf cost 10
ipv6 ospf hello-interval 5
ipv6 ospf 1 area 0
end

R2#show running-config | section ipv6 router


ipv6 router ospf 1
router-id 200.200.200.200
log-adjacency-changes
R2#

R2#show ipv6 ospf interface FastEthernet1/0


FastEthernet1/0 is up, line protocol is up
Link Local Address FE80::CE14:9FF:FEB8:10, Interface ID 8
Area 0, Process ID 1, Instance ID 0, Router ID 200.200.200.200
Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 3.3.3.3, local address FE80::CE15:9FF:FEB8:0
Backup Designated router (ID) 3.3.3.3, local address FE80::CE15:9FF:FEB8:0
Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
Hello due in 00:00:02
Index 1/1/3, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 3, maximum is 7
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 3.3.3.3 (Designated Router)
Suppress hello for 0 neighbor(s)
R2#

Authentication in OSPFv3 is more involved than in OSPF; as already mentioned, it uses IPsec.

We will configure authentication (AH only) on the Serial0/0 interfaces between R1 and R2, and area
authentication for area 0.

This is the configuration needed on the Serial0/0 interfaces of R1 and R2:

R2#show running-config interface s0/0


Building configuration...

Current configuration : 171 bytes


!
interface Serial0/0
no ip address
ipv6 address 2001:1:2:12::2/64
ipv6 ospf 1 area 1
ipv6 ospf authentication ipsec spi 500 md5 ABCDEF1234567890ABCDEF1234567890
end


R2#

Of course, a similar configuration is needed on R1 as well. As you can see below, the authentication is
enabled:

R2#sh ipv6 ospf interface s0/0
Serial0/0 is up, line protocol is up
Link Local Address FE80::CE14:9FF:FEB8:10, Interface ID 4
Area 1, Process ID 1, Instance ID 0, Router ID 200.200.200.200
Network Type POINT_TO_POINT, Cost: 64
MD5 Authentication SPI 500, secure socket state UP (errors: 0)
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:06
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 10, maximum is 10
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 1.1.1.1
Suppress hello for 0 neighbor(s)
R2#

Let’s enable area authentication in area 0. All the configuration is done only under ipv6 router stanza:

R3#show running-config | section ipv6 router


ipv6 router ospf 1
log-adjacency-changes
area 0 authentication ipsec spi 1000 md5 1234567890ABCDEF1234567890ABCDEF
R3#

Let’s check the status of the interface between R3 and R2:

R3#show ipv6 ospf interface f0/0


FastEthernet0/0 is up, line protocol is up
Link Local Address FE80::CE15:9FF:FEB8:0, Interface ID 4
Area 0, Process ID 1, Instance ID 0, Router ID 3.3.3.3
Network Type BROADCAST, Cost: 1
MD5 Authentication (Area) SPI 1000, secure socket state UP (errors: 0)
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 200.200.200.200, local address
FE80::CE14:9FF:FEB8:10
Backup Designated router (ID) 3.3.3.3, local address FE80::CE15:9FF:FEB8:0
Flush timer for old DR LSA due in 00:00:47
Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
Hello due in 00:00:04
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 4
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 200.200.200.200 (Designated Router)
Suppress hello for 0 neighbor(s)
R3#
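As an added example (not from the book), the Python below parses 'show ipv6 ospf interface' output like the listings in this chapter and audits every interface for the IPsec authentication state, timers and adjacency count, flagging any interface that is still running OSPFv3 without authentication. The sample output is constructed from the R2 outputs above; the `audit` checks and the `OspfInterface` structure are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the 'show ipv6 ospf interface' outputs in this
# chapter: one interface with interface-level authentication, one with area
# authentication and one (Serial0/1) with no authentication and no full adjacency.
SAMPLE_OUTPUT = """\
Serial0/0 is up, line protocol is up
  Link Local Address FE80::CE14:9FF:FEB8:10, Interface ID 4
  Area 1, Process ID 1, Instance ID 0, Router ID 200.200.200.200
  Network Type POINT_TO_POINT, Cost: 64
  MD5 Authentication SPI 500, secure socket state UP (errors: 0)
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
FastEthernet1/0 is up, line protocol is up
  Link Local Address FE80::CE14:9FF:FEB8:10, Interface ID 8
  Area 0, Process ID 1, Instance ID 0, Router ID 200.200.200.200
  Network Type BROADCAST, Cost: 10
  MD5 Authentication (Area) SPI 1000, secure socket state UP (errors: 0)
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
Serial0/1 is up, line protocol is up
  Link Local Address FE80::CE14:9FF:FEB8:10, Interface ID 5
  Area 1, Process ID 1, Instance ID 0, Router ID 200.200.200.200
  Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 0
"""


@dataclass
class OspfInterface:
    name: str
    area: Optional[int] = None
    router_id: Optional[str] = None
    network_type: Optional[str] = None
    cost: Optional[int] = None
    hello: Optional[int] = None
    dead: Optional[int] = None
    auth_algo: Optional[str] = None      # e.g. "MD5"
    auth_scope: Optional[str] = None     # "interface" or "area"
    auth_spi: Optional[int] = None
    socket_state: Optional[str] = None   # IPsec secure socket state, e.g. "UP"
    socket_errors: int = 0
    neighbors: int = 0
    adjacent: int = 0


# One regex per line of interest; every other line of the output is ignored.
HEADER_RE = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)$")
AREA_RE = re.compile(r"^Area (\d+), Process ID (\d+), Instance ID (\d+), Router ID (\S+)$")
NET_RE = re.compile(r"^Network Type (\S+), Cost: (\d+)$")
AUTH_RE = re.compile(r"^(\w+) Authentication(?: \((Area)\))? SPI (\d+), "
                     r"secure socket state (\w+) \(errors: (\d+)\)$")
TIMER_RE = re.compile(r"^Timer intervals configured, Hello (\d+), Dead (\d+), Wait (\d+), Retransmit (\d+)$")
NBR_RE = re.compile(r"^Neighbor Count is (\d+), Adjacent neighbor count is (\d+)$")


def parse_ospfv3_interfaces(text: str) -> List[OspfInterface]:
    """Split the command output into one OspfInterface per interface block."""
    interfaces: List[OspfInterface] = []
    cur: Optional[OspfInterface] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:                                   # a new interface block starts here
            cur = OspfInterface(name=m.group(1))
            interfaces.append(cur)
            continue
        if cur is None:
            continue
        if (m := AREA_RE.match(line)):
            cur.area, cur.router_id = int(m.group(1)), m.group(4)
        elif (m := NET_RE.match(line)):
            cur.network_type, cur.cost = m.group(1), int(m.group(2))
        elif (m := AUTH_RE.match(line)):
            cur.auth_algo = m.group(1)
            cur.auth_scope = "area" if m.group(2) else "interface"
            cur.auth_spi = int(m.group(3))
            cur.socket_state = m.group(4)
            cur.socket_errors = int(m.group(5))
        elif (m := TIMER_RE.match(line)):
            cur.hello, cur.dead = int(m.group(1)), int(m.group(2))
        elif (m := NBR_RE.match(line)):
            cur.neighbors, cur.adjacent = int(m.group(1)), int(m.group(2))
    return interfaces


def audit(interfaces: List[OspfInterface]) -> List[Tuple[str, str]]:
    """Findings a reviewer would want fixed, as (interface, description) pairs."""
    findings = []
    for itf in interfaces:
        if itf.auth_spi is None:
            findings.append((itf.name, "no IPsec authentication configured"))
        elif itf.socket_state != "UP" or itf.socket_errors:
            findings.append((itf.name, f"secure socket {itf.socket_state} with {itf.socket_errors} errors"))
        if itf.neighbors != itf.adjacent:
            findings.append((itf.name, f"{itf.neighbors - itf.adjacent} neighbor(s) not fully adjacent"))
    return findings


if __name__ == "__main__":
    for name, problem in audit(parse_ospfv3_interfaces(SAMPLE_OUTPUT)):
        print(f"{name}: {problem}")
```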


By reaching this point of this chapter, I hope that you now know:
- The difference between OSPF for IPv4 and IPv6
- How to configure a multi-area OSPFv3 network
- How to configure a few of the most common parameters of OSPFv3
- How to configure OSPFv3 authentication


Chapter 23: EIGRP in IPv6

This chapter will be about EIGRP for IPv6, which is the EIGRP protocol that can be configured to route IPv6
traffic. We will discuss only about what is specific to EIGRP for IPv6. To get up to speed regarding EIGRP
in IPv4, please go through my previous chapters on Enhanced Interior Gateway Routing Protocol (EIGRP).

After going through this chapter, you will know:

- The differences between EIGRP for IPv4 and EIGRP for IPv6
- How to enable IPv6 routing
- How to configure basic EIGRP for IPv6
- How to change the router-id
- How to change the EIGRP for IPv6 timers
- How to configure authentication for EIGRP for IPv6

EIGRP for IPv6 is very similar in operation to EIGRP for IPv4. A few similarities are:
- DUAL is used for route calculation and the same metrics are used
- The same neighbor, topology and routing tables are used
- Equal and unequal cost load-balancing can be used

These are a few differences:
- EIGRP for IPv6 is enabled directly under the interface
- IPv6 addressing (128 bits) is used instead of IPv4 addressing (32 bits)
- There is no 'network' statement

We are going to use the topology below for the rest of the chapter:

All routers are in AS 100.

Each router has a loopback interface and the following is the addressing:

IPv4: Rx = x.x.x.x/32
IPv6: Rx = 2001:1:1:1::x/128

For instance, R3 has a loopback interface configured with IPv4 3.3.3.3/32 and IPv6 2001:1:1:1::3/128. All
the other IPv6 addressing can be seen on the topology.

Before going through this case study in detail, make sure you know how to configure IPv6 addresses on the
interfaces; the starting point here is the EIGRP for IPv6 configuration itself.


As mentioned before, EIGRP for IPv6 is directly configured on the interface, so these steps should be
enough to configure R1 for EIGRP for IPv6:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface fastEthernet 0/0
R1(config-if)#ipv6 eigrp 100
%IPv6 routing not enabled
R1(config-if)#

So before we enable EIGRP for IPv6, we need first to enable the IPv6 routing:

R1(config)#ipv6 unicast-routing
R1(config)#interface fastEthernet 0/0
R1(config-if)#ipv6 eigrp 100
R1(config-if)#

Also, EIGRP for IPv6 starts in shutdown mode, so you should configure 'no shutdown' under the routing
protocol stanza. Based on our topology, this is the configuration needed on R2 to have EIGRP for IPv6
configured properly:

R2#show running-config interface f0/0


Building configuration...

Current configuration : 121 bytes


!
interface FastEthernet0/0
no ip address
speed auto
duplex auto
ipv6 address 2001:1:2:12::2/64
ipv6 eigrp 100
end

R2#show running-config interface f0/1


Building configuration...

Current configuration : 121 bytes


!
interface FastEthernet0/1
no ip address
speed auto
duplex auto
ipv6 address 2001:1:2:23::2/64
ipv6 eigrp 100
end

R2#show running-config interface loopback 0


Building configuration...

Current configuration : 111 bytes


!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
ipv6 address 2001:1:1:1::2/128
ipv6 eigrp 100
end

R2#

Whenever you configure EIGRP for IPv6, make sure you either have an interface with an IPv4 address
configured or you configure a router-ID manually. Otherwise you will see this message:

R1(config-rtr)#do sh ipv eig nei


EIGRP-IPv6 Neighbors for AS(100)
% No usable Router-ID found
R1(config-rtr)#

As I already mentioned, the operation and maintenance of EIGRP for IPv6 is almost identical to EIGRP for
IPv4.

So whatever commands you were using for EIGRP, you can now use the same ones, with the difference that
you must replace 'ip' with 'ipv6'.

Let's check that the EIGRP for IPv6 adjacencies (the neighbors) were established, and look at the default
values of a few parameters:

R2#show ipv6 eigrp interfaces


EIGRP-IPv6 Interfaces for AS(100)
                        Xmit Queue   PeerQ        Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Fa0/0                1  0/0          0/0           138   0/0                  552        0
Fa0/1                1  0/0          0/0            85   0/0                  368        0
Lo0                  0  0/0          0/0             0   0/0                    0        0
R2#

As you can see, EIGRP for IPv6 is running on three interfaces and on each of the Fast Ethernet
interfaces, there is one peer.

Let’s see what the EIGRP for IPv6 neighbors are:

R2#show ipv6 eigrp neighbors detail


EIGRP-IPv6 Neighbors for AS(100)
H   Address                 Interface       Hold  Uptime    SRTT   RTO  Q    Seq
                                            (sec)           (ms)        Cnt  Num
1   Link-local address:     Fa0/1             14  00:22:25    85   510  0    3
    FE80::C80A:37FF:FEE4:8
    Version 11.0/2.0, Retrans: 1, Retries: 0, Prefixes: 2
    Topology-ids from peer - 0
0   Link-local address:     Fa0/0             12  00:24:15   138   828  0    9
    FE80::C808:30FF:FED8:8
    Version 11.0/2.0, Retrans: 0, Retries: 0, Prefixes: 2
    Topology-ids from peer - 0
R2#

Here the neighbors are listed by their link-local addresses, which are addresses used only on the local
subnet. Packets sent to these IPv6 addresses are not routed; the addresses are used for the neighbor
relationships.

As you can see, the hold time is 15 seconds (the Hold column shows the remaining hold timer counting down
from 15) and the hello time is five seconds.

Let’s check the EIGRP for IPv6 topology using this command:

R2#show ipv6 eigrp topology


EIGRP-IPv6 Topology Table for AS(100)/ID(2.2.2.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
r - reply Status, s - sia Status

P 2001:1:1:1::2/128, 1 successors, FD is 128256
via Connected, Loopback0
P 2001:1:1:1::1/128, 1 successors, FD is 156160
via FE80::C808:30FF:FED8:8 (156160/128256), FastEthernet0/0
P 2001:1:2:23::/64, 1 successors, FD is 28160
via Connected, FastEthernet0/1
P 2001:1:1:1::3/128, 1 successors, FD is 156160
via FE80::C80A:37FF:FEE4:8 (156160/128256), FastEthernet0/1
P 2001:1:2:12::/64, 1 successors, FD is 28160
via Connected, FastEthernet0/0

R2#

Let’s check the IPv6 route table on R1 and see if we can ping the R3 Loopback IPv6 address:

Let’s check the router-ID on R2 and let’s change it afterwards:

R2#show ipv6 protocols


IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "ND"
IPv6 Routing Protocol is "eigrp 100"
EIGRP-IPv6 Protocol for AS(100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 2.2.2.2
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 16
Maximum hopcount 100
Maximum metric variance 1

Interfaces:
FastEthernet0/0


FastEthernet0/1
Loopback0
Redistribution:
None
R2#

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ipv6 router eigrp 100
R2(config-rtr)#router-id 200.200.200.200
R2(config-rtr)#end
R2#
*Mar 2 22:56:10.343: %SYS-5-CONFIG_I: Configured from console by console
R2#
*Mar 2 22:56:14.479: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor
FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is down: route configuration changed
*Mar 2 22:56:14.515: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor
FE80::C808:30FF:FED8:8 (FastEthernet0/0) is down: route configuration changed
*Mar 2 22:56:14.703: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor
FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is up: new adjacency
*Mar 2 22:56:15.195: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor
FE80::C808:30FF:FED8:8 (FastEthernet0/0) is up: new adjacency
R2#show ipv6 protocols
IPv6 Routing Protocol is "connected"
IPv6 Routing Protocol is "ND"
IPv6 Routing Protocol is "eigrp 100"
EIGRP-IPv6 Protocol for AS(100)
Metric weight K1=1, K2=0, K3=1, K4=0, K5=0
NSF-aware route hold timer is 240
Router-ID: 200.200.200.200
Topology : 0 (base)
Active Timer: 3 min
Distance: internal 90 external 170
Maximum path: 16
Maximum hopcount 100
Maximum metric variance 1

Interfaces:
FastEthernet0/0
FastEthernet0/1
Loopback0
Redistribution:
None
R2#

As you can see, once the router-ID is changed, the EIGRP adjacencies flap (they go down and come back up).
In order to configure authentication for EIGRP for IPv6, this configuration is needed on both sides of the
link:

R1#sh run | section key


key chain cisco
key 1
key-string pass_cisco
accept-lifetime 23:00:00 Mar 2 2014 infinite
send-lifetime 23:00:00 Mar 2 2014 infinite


R1#sh run interface f0/0


Building configuration...

Current configuration : 208 bytes


!
interface FastEthernet0/0
no ip address
speed auto
duplex auto
ipv6 address 2001:1:2:12::1/64
ipv6 eigrp 100
ipv6 authentication mode eigrp 100 md5
ipv6 authentication key-chain eigrp 100 cisco
end

R1#

If the other side has the authentication configured, but the local router doesn’t, you will see this
message on the console:

R1#
*Mar 2 22:59:51.035: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor
FE80::C809:30FF:FED8:8 (FastEthernet0/0) is down: Auth failure
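As an added example (not from the book), the Python below watches for the %DUAL-5-NBRCHANGE messages shown above and raises two kinds of alert a network operator would want from a syslog feed: an EIGRP for IPv6 neighbor dropped for "Auth failure", and a neighbor that goes down repeatedly within a short window (flapping, as seen after the router-id change). The log lines are constructed in the format of the console messages in this chapter; the thresholds and alert shape are my own.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed console/syslog lines in the format shown in this chapter.
SAMPLE_LOG = [
    "*Mar 2 22:56:14.479: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is down: route configuration changed",
    "*Mar 2 22:56:14.703: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is up: new adjacency",
    "*Mar 2 22:59:51.035: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C809:30FF:FED8:8 (FastEthernet0/0) is down: Auth failure",
    "*Mar 2 23:01:10.100: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is down: holding time expired",
    "*Mar 2 23:01:25.400: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is up: new adjacency",
    "*Mar 2 23:01:58.900: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is down: holding time expired",
    "*Mar 2 23:02:12.000: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is up: new adjacency",
    "*Mar 2 23:02:40.000: %DUAL-5-NBRCHANGE: EIGRP-IPv6 100: Neighbor FE80::C80A:37FF:FEE4:8 (FastEthernet0/1) is down: holding time expired",
    "*Mar 2 23:03:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

NBRCHANGE_RE = re.compile(
    r"\*?(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d+): %DUAL-5-NBRCHANGE: EIGRP-IPv6 (\d+): "
    r"Neighbor (\S+) \((\S+)\) is (up|down): (.*)$"
)


class NbrEvent(NamedTuple):
    when: datetime
    asn: int
    neighbor: str      # link-local address of the peer
    interface: str
    state: str         # "up" or "down"
    reason: str


def parse_nbrchange(line: str) -> Optional[NbrEvent]:
    """Return the neighbor-change event in a log line, or None for any other line."""
    m = NBRCHANGE_RE.search(line)
    if not m:
        return None
    # IOS timestamps carry no year, so strptime fills in its default (1900).
    when = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
    return NbrEvent(when, int(m.group(2)), m.group(3), m.group(4), m.group(5), m.group(6))


def analyze(lines: List[str], flap_threshold: int = 3,
            window_seconds: int = 120) -> List[Tuple[str, str, str, str]]:
    """Alerts as (neighbor, interface, kind, detail); kind is 'auth-failure' or 'flapping'."""
    alerts: List[Tuple[str, str, str, str]] = []
    downs: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ev in filter(None, map(parse_nbrchange, lines)):
        if ev.state != "down":
            continue
        if "auth" in ev.reason.lower():
            alerts.append((ev.neighbor, ev.interface, "auth-failure", ev.reason))
        downs[(ev.neighbor, ev.interface)].append(ev.when)
    for (nbr, itf), times in downs.items():
        times.sort()
        # Sliding window: flag the neighbor if any window_seconds span holds
        # flap_threshold or more down events.
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= flap_threshold:
                alerts.append((nbr, itf, "flapping", f"{j - i} down events within {window_seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```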

Let’s change the hello and hold timers intervals to 10 and 30 seconds:

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int f0/1
R2(config-if)#ipv6 hold-time eigrp 100 30
R2(config-if)#ipv6 hello-interval eigrp 100 10
R2(config-if)#end
R2#show ipv6 eigrp neighbors
EIGRP-IPv6 Neighbors for AS(100)
H   Address                 Interface       Hold  Uptime    SRTT   RTO  Q    Seq
                                            (sec)           (ms)        Cnt  Num
0   Link-local address:     Fa0/1             28  00:38:31   157   942  0    10
    FE80::C80A:37FF:FEE4:8
R2#

Once you change the hello and hold timers on both routers, the new timers are in use, as you can see above.

I hope that by the end of this chapter you have a good idea about:

- The differences between EIGRP for IPv4 and IPv6
- How to configure a network to run EIGRP for IPv6
- How to configure a few of the most common parameters of EIGRP for IPv6
- How to configure authentication for EIGRP for IPv6


Part 6: LAN Switching Technologies


Chapter 24: Introduction to LAN Switching Technologies

Local Area Network (LAN) technology has made a significant impact on almost every industry. The
operations of these industries depend on computers and networking. The data is stored on computers
rather than on paper, and the dependence on networking is so great that banks, airlines, insurance
companies, and many government organizations would stop functioning if there were a network failure.
Since the reliance on networks is so great and the network traffic is increasing, we have to address some
of the bandwidth problems and find ways to tackle them. LAN switching is a form of packet switching used
in local area networks; it is a technology that promises to increase the efficiency of local area networks
and solve the current bandwidth problems. Most business networks today use switches to connect
computers, printers, and servers within a building or campus. Switches are the fundamental part of most
networks; they enable several users to send information over a network. Users can send information at
the same time without slowing each other down. Just as routers allow different networks to communicate
with each other, switches allow different nodes of a network to communicate directly with each other. A
node is a network connection point, typically a computer. Switches allow the nodes to communicate in a
smooth and efficient manner. Effective switching is essential to handle the growing network traffic coming
from video and other bandwidth-intensive applications, more user devices, and more packets headed to
servers and storage in the cloud. Before you begin a cloud service for an organization, don't be surprised
to see that you are pushing out 50% more traffic to the Internet than you had before, so your network
infrastructure must be ready for that, which means properly implemented LAN Switching.

In this chapter we are going to see how LAN switching works, and why a switch is used rather than a bridge.

A LAN switch is a device that provides much higher port density at a lower cost than traditional bridges.
For this reason, LAN switches can accommodate network designs featuring fewer users per segment,
thereby increasing the average available bandwidth per user.

Figure 1
Each user receives instant access to the full bandwidth and does not have to contend for available
bandwidth with other users. As a result, collisions (a normal phenomenon in shared-medium networks


employing hubs) do not occur, as long as the equipment operates in full-duplex mode. A LAN switch
forwards frames based on either the frame’s Layer 2 address (Layer 2 LAN switch) or, in some cases, the
frame’s Layer 3 address (multilayer LAN switch).

Previously, a switch was used in only L2, but now an L3 switch has the capability of routing too. So we are
going to investigate details about the two different switches, L2 and L3.

L2 Switching:

Layer 2 switching uses the media access control address (MAC address) from the host's Network
Interface Cards (NICs) to decide where to forward frames. Layer 2 switching is hardware-based, which
means that switches use application-specific integrated circuit (ASICs) to build and maintain filter tables
(also known as MAC address tables or CAM tables). One way to think of a Layer 2 switch is as a multiport
bridge.

Layer 2 switching provides the following:

 Hardware-based bridging (MAC)
 Wire speed
 High speed
 Low latency

Layer 2 switching is highly efficient because there is no modification to the data packet, only to the frame
encapsulation of the packet, and only when the data packet is passing through dissimilar media (such as
from Ethernet to FDDI). Layer 2 switching is used for workgroup connectivity and network segmentation
(breaking up collision domains). This allows a flatter network design with more network segments than
traditional 10BaseT shared networks. Layer 2 switching has helped develop new components in the
network infrastructure.

Layer 2 switches have the same limitations as if a network were designed based on the 80/20 rule: users
spend 80% of their time on their local segment. Bridged networks break up collision domains, but the
network remains one large broadcast domain. Similarly, Layer 2 switches (bridges) cannot break up
broadcast domains, which can cause performance issues and also limits the size of your network.
Broadcasts and multicasts, along with the slow convergence of spanning tree, can cause major problems
as the network grows. Because of these problems, Layer 2 switches cannot completely replace routers in
the internetwork.

L3 Switching:
The only difference between a Layer 3 switch and a router is the way the administrator creates the
physical implementation. Also, traditional routers use microprocessors to make forwarding decisions, and
the switch performs only hardware-based packet switching. However, some traditional routers can have
other hardware functions in some of the higher-end models. Layer 3 switches can be placed anywhere in
the network because they handle high-performance LAN traffic and can cost-effectively replace routers.
Layer 3 switching is all hardware-based packet forwarding, and all packet forwarding is handled by
hardware ASICs.

Layer 4 switching is considered a hardware-based layer 3 switching technology that can also consider the
application used (for example, Telnet or FTP). Layer 4 switching provides additional routing above Layer 3
by using the port number found in the transport layer header to make routing decisions.

Multi-Layer Switching:
Multi-layer switching combines Layer 2, 3, and 4 switching technologies and provides high-speed
scalability with low latency. It accomplishes this combination of high-speed scalability with low latency by
using huge filter tables based on the criteria designed by the network administrator.

Multi-layer switching can move traffic at wire speed and also provide Layer 3 routing, which can remove
the bottleneck from the network routers. This technology is based on the idea of "route once, switch
many.”

Multi-layer switching can make routing/switching decisions based on the following:

 MAC source/destination address in a data link frame
 IP source/destination address in the network layer header
 Protocol field in the network layer header
 Port source/destination numbers in the transport layer header

There is no performance difference between a Layer 3 and a Layer 4 switch because the routing/switching
is all hardware-based.

Bridging vs. LAN Switching:

It’s true—Layer 2 switches really are pretty much just bridges that give us a lot more ports, but there are
some important differences you should always keep in mind: Bridges are software-based, while switches
are hardware-based because they use ASIC chips to make filtering decisions. ASICs let a Cisco (or other
vendor) switch forward at wire speed, which is the maximum rate the physical cabling can carry. A switch
can be viewed as a multiport bridge.

There can be only one spanning-tree instance per bridge, while switches can have many. (We will discuss
spanning trees in a bit.) Most switches have a higher number of ports than most bridges. Both bridges and
switches flood Layer 2 broadcasts. Bridges and switches learn MAC addresses by examining the source
address of each frame received. Both bridges and switches make forwarding decisions based on Layer 2
addresses.

Three Distinct Switch Functions at Layer 2

There are three distinct functions of layer 2 switching: address learning, forward/filter decisions, and loop
avoidance.

Address learning—Layer 2 switches and bridges remember the source hardware address of each frame
received on an interface, and they enter this information into a MAC database called a forward/filter table.

Forward/filter decisions—when a frame is received on an interface, the switch looks at the destination
hardware address and finds the exit interface in the MAC database. The frame is only forwarded out an
appropriate destination port.

Loop avoidance—if multiple connections between switches are created for redundancy purposes,
network loops can occur. Spanning Tree Protocol (STP) is used to stop network loops while still permitting
redundancy.

Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for
STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have
redundant paths in your network. Loops are deadly to a network because they can cause a broadcast
storm. All the switches exchange information for use in the root switch selection and for subsequent
configuration of the network. Bridge protocol data units (BPDUs) carry this information. Each switch
compares the parameters in the BPDU that the switch sends to a neighbor with the parameters in the
BPDU that the switch receives from the neighbor. In the STP root selection process, less is better. If Switch
A advertises a root ID that is a lower number than the root ID that Switch B advertises, the information
from Switch A is better. Switch B stops the advertisement of its root ID, and accepts the root ID of Switch
A.

Figure 2

Switch ports run in either access or trunk mode. In access mode, the interface belongs to one and only
one VLAN (a VLAN, or virtual LAN, is a broadcast domain created by switches: a switch with four
VLANs has four separate broadcast domains). Normally a switch port in access mode attaches to an
end user device or a server. The frames transmitted on an access link look like any other Ethernet frame.
Trunks, on the other hand, multiplex traffic for multiple VLANs over the same physical link. Trunk links
usually interconnect switches, as shown in Fig. 2, and carry multiple VLAN data. However, they may also
attach end devices such as servers that have special adapter cards that participate in the multiplexing
protocol.

Let’s come to LAN switches, which are similar to transparent bridges in functions such as learning the
topology, forwarding, and filtering. These switches also support several new and unique features, such as
dedicated communication between devices through full-duplex operation and multiple simultaneous
conversations.

Full-duplex communication between network devices increases file-transfer throughput. Multiple
simultaneous conversations can occur by forwarding, or switching, several packets at the same time,
thereby increasing network capacity by the number of conversations supported. Full-duplex
communication effectively doubles the throughput while, with media-rate adaption, the LAN switch can
translate between 10 and 100 Mbps, allowing bandwidth to be allocated as needed. Deploying LAN
switches requires no change to existing hubs, network interface cards (NICs), or cabling.

Switch Forwarding:
LAN switches maintain a MAC or CAM table (as shown in Fig. 3) for making forwarding/filtering decisions.
When a switch is powered on, its MAC/CAM table is empty. When the first frame arrives, the switch knows
only the sender’s MAC address, so it makes an entry for the sender in its table; for the destination it uses
ffff (broadcast), that is, it floods the frame out all ports except the sender’s port. When the other hosts
receive the flooded frame, only the host it is addressed to accepts it; the others drop it because they did
not ask for it. When that host replies, the switch makes an entry for it in its MAC table, so next time the
two hosts can communicate directly and their data will not be flooded to the others. Error checking is also
performed and erroneous frames are discarded. With the cut-through switching method, latency is
reduced by eliminating error checking. With the store-and-forward switching method, the LAN switch
copies the entire frame into its on-board buffers and computes the cyclic redundancy check (CRC). The
frame is discarded if it contains a CRC error or if it is a runt (less than 64 bytes, including the CRC) or a
giant (more than 1518 bytes, including the CRC). If the frame does not contain any errors, the LAN switch
looks up the destination address in its forwarding, or switching, table and determines the outgoing
interface. It then forwards the frame toward its destination.

Figure 3

Chapter 26: Installing and Operating Cisco Switches

Cisco has approximately 50-60% of the market share in the enterprise routing and switching industry.
Cisco’s range extends from basic Layer 2 LAN switches to high-end Catalyst switches and Nexus data
center switches; if you want to know more about Cisco switches, visit this link on Cisco's official site
(http://www.cisco.com/en/US/products/hw/switches/index.html#~all-prod).

Whether you are working as a pre-sales consultant/designer or procurement manager, you should know
the basic LAN design techniques needed to select the right switching solution for your client.
The question must be asked: How has Cisco built up so much trust in the market? Why have most
organizations given preference to Cisco over the decades?

In-depth answers can be found by learning about Cisco Switches, so in this chapter, I am going to discuss
some of the features of Cisco Switches.

Please check Cisco's three-layered hierarchical design architecture shown in Fig. 1.

The main purpose of the lower level access layer is to provide a means of connecting devices to the
network and controlling which devices are allowed to communicate on the network.

The distribution layer aggregates the data received from the access layer switches before it is transmitted
to the core layer for routing to its final destination. The distribution layer controls the flow of network
traffic using policies and delineates broadcast domains by performing routing functions between VLANs
defined at the access layer.

The core layer is critical for interconnectivity between distribution layer devices. It can also connect to
Internet resources.

Compared to other network designs, a hierarchical network is easier to manage and expand, and problems
can be solved more quickly. Each layer provides specific functions that define its role within the overall
network. By separating the various functions that exist on a network, not only is the network more
manageable, the network design becomes modular, which facilitates scalability and performance.

Please note that this three-layer hierarchical design suits larger enterprise networks; in small-to-medium
sized networks, where the number of telecommunication outlets (data, IPT, IPTV, digital signage, etc.) is
less than 5000, the core and distribution layers are normally collapsed into one. An access layer switch
(e.g. Cisco 2960 Series) and a core switch (e.g. Cisco 6500 Series) are enough for such an enterprise LAN.

[Figure: a typical five-star hotel LAN with a two-layer hierarchy. Access layer: Cisco 2960 Series 24/48-port
switches inside each Intermediate Distribution Frame (IDF), connecting IP phones, ATA 187, desktops, fax
machines, dome CCTV, media players, IPTV in-room entertainment, high-speed Internet, video
conferencing, time attendance and digital signage. Core/distribution layer: redundant Cisco 6509 Series
core switches with VSS in the Main Distribution Frame (MDF)/data center, linked to the access switches
with 2*10G links, and a redundant enterprise edge router toward the ISP.]

A Typical Five star Hotel LAN Network Infrastructure - using two layer hierarchical Network Design & Architecture

There are many benefits associated with hierarchical network designs:

■ Scalability—the modularity of the design allows you to replicate design elements as the network grows.
Because each instance of the module is consistent, expansion is easy to plan and implement.
■ Redundancy—Access layer switches are connected to two different distribution layer switches.
Distribution layer switches are connected to two or more core layer switches to ensure path availability if
a core switch fails.
■ Performance—Data is sent through aggregated switch port links from the access layer to the
distribution layer at near wire speed in most cases.
■ Security—you have the flexibility to use more advanced policies at the distribution layer. You may apply
access control policies that define which communication protocols are deployed on your network and
where they are permitted to go.
■ Manageability—each layer of the hierarchical design performs specific functions that are consistent
throughout that layer. Consistency between the switches in each layer allows for rapid recovery and
simplified troubleshooting.

■ Maintainability—because hierarchical networks are modular in nature and scale very easily, they are
easy to maintain.

Operating Cisco IOS and Cisco device start up:

Cisco IOS provides the network services in switches and routers, and most network engineers spend most
of their time working with the IOS.
The Cisco IOS command-line interface (CLI) can be reached through any of the following sources:
 Console terminal access via the console port
 Remote terminal or modem access via the auxiliary port
 Telnet access via a serial or Fast Ethernet port
 TFTP
 SSH
 CiscoWorks

Though IOS can be configured from several sources, the initial configuration is done through a console or
remote terminal connection. The figure below shows all the ports used for accessing Cisco IOS on a device.

Image source- www.highteck.net

Remember: if you want to establish a connection through a console port, you need a rollover cable to
connect the console port of the Cisco switch to your PC or laptop.

When a Cisco Catalyst switch or any other Cisco device starts up, it goes through the following steps:
 The power-on self-test (POST) checks the hardware components.
 A start-up routine finds and loads the Cisco IOS software image.
 The device finds and applies the software configuration settings.

Cisco IOS separates the EXEC session into two levels:

 User EXEC mode / User mode: Whenever you log into Cisco IOS, you enter user mode. In this
mode, you can't change any configuration of the Cisco switch, as it is mainly used to view statistics.
 Privileged mode / Enable mode: In this mode, you can view and change the configuration of Cisco
devices. If the network admin has set a password on it, you need to give that password to access
this mode of operation. This mode is also known as configuration mode; changes made in this mode
are saved across system resets if you save your configuration. The commands below are the basic
start-up sequence in the CLI.

Switch#en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#

How does a Cisco switch work?

The switch maintains a MAC table that keeps a record of the host’s MAC address for making forwarding
and filtering decisions. When a switch is powered on, it has nothing in its MAC table, but when the hosts
start communicating, the switch places the source MAC address of each frame in the table along with the
port that the frame’s source address corresponds to.

Let me explain with an example that shows how a MAC table is populated:

1. Assume Host A sends a frame to Host B. Host A’s MAC address is 0000.0b01.0001; Host B’s MAC
address is 0000.0b01.0001.
2. The switch receives the frame on the Fa0/2 interface and places the source address in the MAC
address table.
3. Since the destination address is not in the MAC database, the frame is forwarded to all interfaces,
except the source port.
4. Host B receives the frame and responds to Host A. The switch receives this frame on Interface
Fa0/4 and places the source hardware address in the MAC database.
5. Host A and Host B can now make a point-to-point connection and only the two devices will receive
the frames. Hosts C and D will not see the frames, nor are their MAC addresses found in the
database because they haven’t yet sent a frame to the switch.

If Host A and Host B don’t communicate through the switch again within a certain amount of time (approx.
300 sec.), the switch will flush their entries from the database to keep it as current as possible.

We have talked about switch-to-host communication; what if we connect a switch to another switch?

You may be thinking, what is the purpose of connecting a switch to another switch?

The answer is simple: a switch has at most 24 or 48 ports (depending on the model), but what if you need
to connect 125 hosts? Then you can take three switches, connect the hosts to them as required, and also
connect the switches to each other (as shown in Fig. 2). Ports connected to hosts should be access ports
and ports connected to other switches should be trunk ports.

To make a port an access or trunk port, we have to enter some commands in config mode:

(config)# int f0/1
(config-if)# switchport mode access / trunk

Switch-to-switch connectivity can make more hosts reachable but, as shown in Fig. 2, a loop can be
generated. By default, a switch will forward a broadcast or multicast to all ports, excluding the port the
broadcast/multicast was sent from. If a host connected to SW-2 broadcasts a frame, first that frame is
broadcast to SW-2, then to SW-1/SW-3, then again to SW-2 and so on. This can cause a problem because
a highly destructive broadcast storm can develop within seconds. Broadcast storms occur when
broadcasts are endlessly switched through the loop, choking off all other traffic. So, STP (spanning tree
protocol) is used to avoid loops in switching.

Let’s take a brief overview of how STP works and the functions of STP.

STP-enabled switches communicate to form a topology of the entire switching network, and they shut
down (or block) a port if a loop exists. The blocked port can be reactivated if another link on the switching
network goes down, thus preserving fault tolerance. Once all switches agree on the topology database,
the switches are considered converged. STP switches send BPDUs (bridge protocol data units) to each
other to form their topology databases. BPDUs are sent out all ports every two seconds and are
forwarded to a specific MAC multicast address: 0180.c200.0000.

STP operations
1. Selecting a root bridge—the switch with the lowest bridge ID becomes the root bridge.
2. Determining the least-cost path to the root bridge—the lowest cumulative cost to the root bridge wins
(the root port is the port with the least cost to the root).
3. Lowest sender bridge ID—serves as a tie-breaker if multiple upstream switches have equal cost to the
root.
4. Lowest sender port ID—serves as a tie-breaker if a switch has multiple (non-EtherChannel) links to a
single upstream switch.

Where Bridge ID = priority (16 bits) + ID [MAC address] (48 bits); the default bridge priority is 32768,
and Port ID = priority (4 bits) + ID [interface number] (12 bits); the default port priority is 128.
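The election rules above, worked through in Python as an added example (not the book's or Cisco's code). The three switches, their MAC addresses, port numbers and link costs are constructed; SW1 and SW2 are joined by two parallel links so that the sender port ID tie-break actually matters, and SW2 to SW3 closes a loop that STP must break. The final tie-break on the receiving port ID is part of IEEE 802.1D but is not listed in the chapter.

```python
import heapq
from dataclasses import dataclass

# Added illustration (not the book's or Cisco's code): STP root bridge election
# and port-role selection using the comparison order the chapter lists (lower is
# better at every step). Switch names, MACs, port numbers and costs below are
# constructed sample values.


@dataclass(frozen=True)
class Segment:
    """One physical link between two switches, with the STP cost of that link."""
    a: str
    a_port: int
    b: str
    b_port: int
    cost: int


def bridge_id(priority: int, mac: str) -> int:
    """Bridge ID = 16-bit priority followed by the 48-bit MAC (default priority 32768)."""
    return (priority << 48) | int(mac.replace(".", ""), 16)


def port_id(number: int, priority: int = 128) -> int:
    """Port ID = 4-bit priority followed by the 12-bit interface number (default 128)."""
    return (priority << 12) | number


def elect_root(bridges: dict) -> str:
    """Step 1: the switch advertising the lowest bridge ID becomes the root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(bridges: dict, segments: list, root: str) -> dict:
    """Step 2: least-cost path from every switch to the root (Dijkstra over link costs)."""
    adjacent = {name: [] for name in bridges}
    for s in segments:
        adjacent[s.a].append((s.b, s.cost))
        adjacent[s.b].append((s.a, s.cost))
    cost = {root: 0}
    heap = [(0, root)]
    while heap:
        d, name = heapq.heappop(heap)
        if d > cost[name]:
            continue
        for peer, link_cost in adjacent[name]:
            if d + link_cost < cost.get(peer, float("inf")):
                cost[peer] = d + link_cost
                heapq.heappush(heap, (cost[peer], peer))
    return cost


def _ends(s: Segment):
    """Yield (me, my_port, peer, peer_port) for both ends of a segment."""
    yield s.a, s.a_port, s.b, s.b_port
    yield s.b, s.b_port, s.a, s.a_port


def compute_stp(bridges: dict, segments: list):
    """Return (root, root path costs, role of every (switch, port))."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, segments, root)
    roles = {(me, port): "blocked" for s in segments for me, port, _, _ in _ends(s)}
    # Root port: per non-root switch, the link whose BPDU offer compares lowest on
    # (root path cost via that link, sender bridge ID, sender port ID, own port ID).
    for name in bridges:
        if name == root:
            continue
        offers = [(cost[peer] + s.cost, bridge_id(*bridges[peer]), port_id(peer_port),
                   port_id(my_port), my_port)
                  for s in segments for me, my_port, peer, peer_port in _ends(s) if me == name]
        roles[(name, min(offers)[-1])] = "root"
    # Designated port: per segment, the end with the best (cost, bridge ID, port ID);
    # every port that is neither root nor designated stays blocked, which breaks the loop.
    for s in segments:
        _, _, _, name, port = min((cost[me], bridge_id(*bridges[me]), port_id(my_port), me, my_port)
                                  for me, my_port, _, _ in _ends(s))
        if roles[(name, port)] != "root":
            roles[(name, port)] = "designated"
    return root, cost, roles


# Constructed topology: three switches with the default priority, so the lowest
# MAC (SW1) wins; SW1-SW2 is a redundant pair of links and SW2-SW3 closes a loop.
BRIDGES = {"SW1": (32768, "0000.0c00.0001"),
           "SW2": (32768, "0000.0c00.0002"),
           "SW3": (32768, "0000.0c00.0003")}
SEGMENTS = [Segment("SW1", 1, "SW2", 1, 19), Segment("SW1", 3, "SW2", 3, 19),
            Segment("SW1", 2, "SW3", 1, 19), Segment("SW2", 2, "SW3", 2, 19)]

if __name__ == "__main__":
    root, cost, roles = compute_stp(BRIDGES, SEGMENTS)
    print("root bridge:", root, "root path costs:", cost)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```

With equal priorities the lowest MAC makes SW1 the root. SW2 sees two offers from SW1 with identical cost and bridge ID, so the lower sender port ID (SW1 port 1) decides its root port and its port 3 is blocked. On the SW2 to SW3 segment both ends are 19 away from the root, so the lower bridge ID makes SW2 the designated end and SW3 port 2 blocks, removing the loop.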

STP is a big concept, so we will explain it in detail in another article. For now, switch-to-switch
connectivity is not an issue but, if you are working with a large number of switches, you would need to
repeat every VLAN configuration on each switch. VTP (VLAN Trunking Protocol) is the solution: make one
switch the VTP server and the remaining switches VTP clients (or transparent) with a config mode
command.

(config)# vtp mode server/client/transparent

Now it’s time to tell you a little more about VTP; VLAN Trunking Protocol is a Cisco Layer 2 messaging
protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. VTP
reduces administration in a switched network. When you configure a new VLAN on one VTP server, the
VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN
everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst family
switches.

VTP ensures that all switches in the VTP domain are aware of all VLANs. There are occasions, however,
when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over
the entire VLAN. All switches in the network receive all broadcasts, even in situations where few users are
connected in that VLAN. VTP pruning is a feature used to eliminate (or prune) this unnecessary traffic.

By default, all Cisco Catalyst switches are configured to be VTP servers. This is suitable for small-scale
networks where the size of the VLAN information is small and easily stored in all switches (in NVRAM). In
a large network, a judgment call must be made at some point when the NVRAM storage needed is wasted,
because it is duplicated on every switch. At this point, the network administrator should choose a few
well-equipped switches and keep them as VTP servers.
Everything else participating in VTP can be turned into a client. The number of VTP servers should be
chosen so as to provide the degree of redundancy desired in the network.

Three Modes of Operation:

I. Server Mode
II. Transparent Mode
III. Client Mode

In later chapters, we will discuss more about VLAN and VTP, as these two topics are very important in
today's switching technology.

Catalyst switches can use several methods to forward packets based on Layer 3 and Layer 4 information.
The current generation of Catalyst multilayer switches uses the efficient Cisco Express Forwarding (CEF)
method. Remember that Cisco Express Forwarding (CEF) is an advanced Layer 3 IP switching technology
that optimizes network performance and scalability for networks with large and dynamic traffic patterns,
such as the Internet. CEF is less CPU-intensive than fast switching route caching.

Power over Ethernet (PoE):


In my opinion, Power over Ethernet is a revolutionary thing; previously, IP telephones and IP CCTV cameras
were not able to compete with their traditional competitors because they required additional power. Once
twisted-pair cable could carry power along with data traffic, the building owner no longer needed to
provide additional electrical wiring. Since then, enterprises, businesses and building owners have chosen
an IP-based network as their extra-low-voltage cable infrastructure.

Cisco first came out with its proprietary PoE scheme, called inline power, but IEEE has since created a
standard for PoE called IEEE 802.3af. This standard describes how a powered device is detected and also
defines two methods of delivering power over Ethernet to that powered device. Inline power previously
dominated in Cisco equipment for powering IP phones from the Cisco switch.

Some basic commands to enable PoE on Cisco switches:

1. Switch(config)# interface {fastethernet | gigabitethernet} slot/port
   Selects the interface to configure.

2. Switch(config-if)# power inline {auto [max milli-watts] | never | static}
   The auto keyword sets the interface to automatically detect and supply power to the powered device;
   this is the default configuration. The static keyword gives the interface a higher priority than auto. If
   necessary, you can use the max keyword to specify the maximum wattage allowed on the interface. Use
   the never keyword to disable detection and power on the PoE-capable interface.

3. Switch(config-if)# end
   Exits configuration mode.

4. Switch# show power inline {fastethernet | gigabitethernet} slot/port
   Displays the PoE state for the switch.

Cisco Discovery Protocol:

Cisco Discovery Protocol (CDP) is a Cisco proprietary data link layer protocol. It is used for sharing
information with other connected Cisco devices in a network. A CDP message is only passed to directly
connected neighbours; by default Cisco devices such as routers and Catalyst switches do not forward CDP
messages to any other device in the network. A CDP message contains information such as the IOS
version and the IP address of the Cisco device.

In a unified communications infrastructure, a Cisco IP phone generates a CDP message to the multicast
destination address 01:00:0c:cc:cc:cc to learn the voice VLAN ID from the connected Cisco switch. This
multicast destination address is also used by other Cisco proprietary protocols such as VLAN Trunking
Protocol (VTP). As CDP applies only to Cisco Systems devices, CDP spoofing is a very popular attack
method used by hackers across the world, mainly to get access to the voice VLAN by acting as a forged
Cisco Unified IP Phone.

By default, CDP version 2 is enabled on all Cisco devices, on all interfaces.

Now that we have some information about CDP and how it works, it’s time to go further with its
configuration and monitoring. The most basic command to check the advertisement interval, the hold
time and the CDP version is “show cdp”.

To list all the CDP neighbors, together with some basic information about them, you can use the “show
cdp neighbors” command.

If you need detailed information about the neighbors, then the command “show cdp entry” will display
the information about all neighbors.

Link Layer Discovery Protocol (LLDP):

IEEE made an international standard named Link Layer Discovery Protocol (LLDP), which can be used by all
other vendors' systems and is functionally similar to CDP. It is often used in multi-vendor environments to
monitor and manage the applications. For the purposes of the CCNA exam, you don't need to master the
LLDP protocol, which is beyond this book's scope.

Chapter 26- Virtual Local Area Network (VLAN)

Virtual Local Area Network (VLAN) is one of the most important protocols, not only for CCNA but for most
Cisco exams, too. It’s not limited to the routing and switching domain; VLANs are used widely in
Security, Voice, Data Center, and many other modules of Cisco learning, so you can say they are a foundation
of switching. It is essential to get a clear understanding of VLANs, not only from the exam
perspective, but to build a strong future in networking.

A Virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements. VLANs
are basically used to divide a single broadcast domain into multiple broadcast domains without changing
the IP scheme. This means that if two hosts in the same IP network (same CIDR prefix) are not in the same
VLAN, they cannot communicate with each other.

VLANs give network administrators a great deal of flexibility in LAN design. VLANs extend the traditional
router bounded broadcast domain to a VLAN-bounded broadcast domain. VLANs make it possible to make
a broadcast domain into any shape that can be defined and bounded by the switches within the local area
network.

A VLAN allows a network administrator to create groups of logically networked devices based on
functions, departments, or project teams. For computers to communicate on the same VLAN, each must
have an IP address and a subnet mask that belong to the same subnet and are consistent for that VLAN.
The switch has to be configured with the VLAN, and each port in the VLAN must be assigned to the VLAN.

A switch port with a singular VLAN configured on it is called an access port. Remember that just because
two computers are physically connected to the same switch does not mean that they can communicate.
Devices on two separate subnets must communicate via a router, whether or not VLANs are used.

In simple terms, a VLAN is a set of workstations within a LAN that can communicate with each other as
though they were on a single, isolated LAN.

What does it mean to say that they “communicate with each other as though they were on a single,
isolated LAN”?

Among other things, it means that:

 Broadcast packets sent by one of the workstations will reach all the others in the same VLAN.
 Broadcasts sent by one of the workstations in the VLAN will not reach any workstations that are
not in the same VLAN.
 Broadcasts sent by workstations that are not in the same VLAN will never reach workstations that
are in the other VLAN.
 The workstations can all communicate with each other without needing to go through a gateway.
For example, IP connections would be established by ARPing for the destination IP and sending
packets directly to the destination workstation—there would be no need to send packets to the
IP gateway to be forwarded on.
 The workstations can communicate with each other using non-routable protocols.
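An added Python illustration (not the book's or Cisco's code) of the per-VLAN flooding rules listed above for a single switch with access and trunk ports. Port names, VLAN numbers and the ARP broadcast frame are constructed; the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the IEEE standard. The model shows why a broadcast from one VLAN never reaches hosts in another, and how a trunk carries several VLANs over one link by tagging.

```python
import struct

# Added illustration (not the book's or Cisco's code): VLAN-aware flooding for
# one switch. Access ports carry exactly one VLAN untagged; trunk ports carry a
# set of allowed VLANs, tagging every VLAN except the native one with an IEEE
# 802.1Q header. Port names and VLAN numbers are constructed sample values.

TPID_8021Q = 0x8100


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) after the destination and source MACs."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag that follows the two MAC addresses."""
    return frame[:12] + frame[16:]


def vlan_of(frame: bytes):
    """Return the VLAN ID carried in a tagged frame, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


class VlanSwitch:
    def __init__(self):
        self.access = {}   # port -> VLAN ID
        self.trunk = {}    # port -> (native VLAN, set of allowed VLANs)

    def add_access(self, port: str, vlan: int) -> None:
        self.access[port] = vlan

    def add_trunk(self, port: str, native: int, allowed) -> None:
        self.trunk[port] = (native, set(allowed))

    def classify(self, in_port: str, frame: bytes):
        """Decide which VLAN an incoming frame belongs to, or None to drop it."""
        tagged = vlan_of(frame)
        if in_port in self.access:
            # A tagged frame on an access port does not belong to that port's VLAN: drop it.
            return self.access[in_port] if tagged is None else None
        native, allowed = self.trunk[in_port]
        vid = native if tagged is None else tagged
        return vid if vid in allowed else None

    def flood(self, in_port: str, frame: bytes):
        """Flood a broadcast within its VLAN only; returns [(egress port, frame as sent)]."""
        vid = self.classify(in_port, frame)
        if vid is None:
            return []
        payload = untag_frame(frame) if vlan_of(frame) is not None else frame
        out = []
        for port, vlan in self.access.items():
            if port != in_port and vlan == vid:
                out.append((port, payload))                     # access ports: always untagged
        for port, (native, allowed) in self.trunk.items():
            if port != in_port and vid in allowed:
                out.append((port, payload if vid == native else tag_frame(payload, vid)))
        return out


def demo():
    """Constructed scenarios: VLAN 10 and 20 access ports plus one trunk uplink."""
    sw = VlanSwitch()
    sw.add_access("Fa0/1", 10)
    sw.add_access("Fa0/2", 10)
    sw.add_access("Fa0/3", 20)
    sw.add_trunk("Gi0/1", native=1, allowed={1, 10, 20})
    # A constructed ARP broadcast: dst ff:ff:ff:ff:ff:ff, EtherType 0x0806, padded body.
    bcast = bytes.fromhex("ffffffffffff" "00000b010001") + b"\x08\x06" + b"\x00" * 46
    return {
        "from_access": sw.flood("Fa0/1", bcast),                     # VLAN 10 only; tagged on trunk
        "from_trunk": sw.flood("Gi0/1", tag_frame(bcast, 20)),        # VLAN 20 access ports, untagged
        "not_allowed": sw.flood("Gi0/1", tag_frame(bcast, 30)),       # VLAN 30 not allowed: dropped
        "tagged_on_access": sw.flood("Fa0/1", tag_frame(bcast, 10)),  # tags on access ports: dropped
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, [(port, vlan_of(f)) for port, f in result])
```

The broadcast from Fa0/1 reaches only the other VLAN 10 access port and the trunk, where it leaves with a VLAN 10 tag; it never reaches Fa0/3 in VLAN 20 even though all three hosts could share one IP subnet. A frame arriving on the trunk for a VLAN the trunk does not allow is discarded, which is the mechanism behind the "allowed VLAN" list on a trunk.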

The Purpose of VLANs

The basic reason for splitting a network into VLANs is to reduce congestion on a large LAN. To understand
this problem, we need to look briefly at how LANs have developed over the years. Initially LANs were very
flat—all the workstations were connected to a single piece of coaxial cable, or to sets of chained hubs. In
a flat LAN, every packet that any device puts onto the wire gets sent to every other device on the LAN.

[Figure: a four-storey office building with one access switch per floor. Ground floor: Logistics and I.T
Department. 1st floor: Engineering and Production Department. 2nd floor: Sales PC and Marketing PC.
3rd floor: GM-PC and VP-PC. 4th floor: HR-PC and Admin-PC.]

A typical office building, where each department is isolated by using a separate VLAN.

As the number of workstations on the typical LAN grew, they started to become hopelessly congested.
There were just too many collisions, because most of the time when a workstation tried to send a packet,
it would find that the wire was already occupied by a packet sent by some other device.

This section describes the three solutions for this congestion that were developed:
 Using routers to segment LANs
 Using switches to segment LANs
 Using VLANs to segment LANs

Earlier, hubs were the most popular L2 devices, but due to congestion they became less popular and have
been largely replaced by L2 switches. This has made the whole concept of a collision domain somewhat
historical. In modern networks, a “collision domain” mostly consists of a single device attached to an L2
switch port, or possibly a PC with something like an IP phone attached to it.
Instead of the LANs corresponding to physical areas divided from each other by routers, there are virtual
LANs distributed across the network. For example, all the devices in the various areas labelled “VLAN A”
all belong to a single virtual LAN—i.e. a single broadcast domain.

Advantages of using VLANs

1. Performance: As mentioned above, routers that forward data in software become a bottleneck as LAN
data rates increase. Doing away with the routers removes this bottleneck.


2. Greater flexibility: If users move their desks, or just move around the place with their laptops and IP
phones, then, if the VLANs are set up the right way, they can plug their PC and IP Phones in at the new
location, and still be within the same VLAN. This is much harder when a network is physically divided up
by routers. Because workstations can be moved from one VLAN to another just by changing the
configuration on switches, it is relatively easy to put all the people working together on a particular project
into a single VLAN. They can then more easily share files and resources with each other.
3. Ease of partitioning off resources: If there are servers or other equipment to which the network
administrator wishes to limit access, then they can be put into their own VLAN. Then users in other VLANs
can be given access selectively.

So, the primary benefits of using VLANs are:

■ Security
■ Cost reduction
■ Higher performance
■ Broadcast storm mitigation
■ Improved IT staff efficiency
■ Simpler project or application management

The CCNA exam point of view for VLANs includes the following:

Configure, verify, and troubleshoot a switch with VLANs and inter-switch communications; verify network
status and switch operation using basic utilities (including ping, traceroute, telnet, SSH, ARP, ipconfig),
SHOW and DEBUG commands, and auto-negotiation. And so, the main tasks in the CCNA exam are:
• Configure, verify, and troubleshoot VLANs
• Configure, verify, and troubleshoot trunking on Cisco switches
• Configure, verify, and troubleshoot inter-VLAN routing

VLANs are divided numerically into a normal range and an extended range. Normal-range VLANs are
identified by a VLAN ID between 1 and 1005. Their configurations are stored within a VLAN database file,
called vlan.dat, which is kept in the Flash memory of the switch. Extended-range VLANs are identified by a
VLAN ID between 1006 and 4094 and are saved in the running configuration file. VTP (VLAN Trunking
Protocol, a good topic in itself; no need to worry, we will cover it in another article) does not learn
extended-range VLANs. One Cisco Catalyst 2960 switch can support up to 255 VLANs.

A question may come to your mind: why is the number of VLANs that can be configured on a switch limited?

The answer is that the number of VLANs configured affects the performance of the switch hardware.

VLAN Membership: There are two types of VLAN membership policy you can find in today's networks:
static VLANs and dynamic VLANs.

Static VLANs: From the name itself you can imagine that with a static VLAN, the network manager creates
a VLAN individually and then assigns switch ports to the VLAN. As this is a port-based VLAN, it can only
be changed when the network admin changes the port assignment. VLAN membership is normally handled in
hardware (ASIC), so it is much faster because all port mappings are done at the hardware level, with
no complex tables to look up. In a static port-based VLAN, the major drawback is that the end-user gets
VLAN membership based on the physical switch port connection, which is not good for an enterprise
environment.

Basic configuration:
Switch(config)#vlan 110
Switch(config-vlan)#name IPTV_ADMIN
To delete an existing VLAN from the switch database, use:
Switch(config)#no vlan 110

Dynamic VLANs: In a dynamic VLAN, the switch automatically assigns the port to a VLAN using information
from the user device, such as its MAC address or IP address. When a device is connected to a switch port, the
switch queries a database to establish VLAN membership. A network administrator must configure the VLAN
database on a VLAN Membership Policy Server (VMPS).

Dynamic VLANs support instant movability of end devices. When we move a device from a port on one
switch to a port on another switch, the dynamic VLANs will automatically configure the membership of
the VLAN. (Dynamic VLAN is not covered in our CCNA Syllabus.)

VLAN Tagging: VLAN frame tagging is a technology that is used to identify the VLAN that a frame
belongs to. The VLAN tag is placed on the frame when the frame reaches a switch from an access
port that is a member of a VLAN. If the switch has a trunk port, the frame can be forwarded out the
trunk port. This enables each switch to see what VLAN the frame belongs to and forward the
frame to the corresponding VLAN access ports or to another VLAN trunk port. Before forwarding the frame
to a VLAN access port, the switch removes the VLAN identifier, so the VLAN membership information is
transparent to the end devices.

There are different VLAN frame tagging technologies available:

• Inter-Switch Link (ISL): Cisco proprietary VLAN frame tagging; not much support from other vendors.
• IEEE 802.1Q: IEEE industry standard VLAN frame tagging.
• LAN Emulation (LANE): LANE is used to communicate with multiple VLANs over ATM.
• 802.10 (FDDI): Protocol for sending VLAN information over FDDI.

Inter-Switch Link (ISL) is a Cisco proprietary protocol and is available and supported on Cisco products
only. ISL is primarily used for Ethernet media (Fast Ethernet or Gigabit Ethernet). Cisco has also included
provisions to carry Token Ring, FDDI, and ATM frames over Ethernet ISL. ISL encapsulates the entire
Ethernet frame (Fast Ethernet or Gigabit Ethernet) with a 26-byte header and a 4-byte frame check
sequence (FCS) for a total of 30 bytes of overhead. The Inter-Switch Link (ISL) frame format is shown below.

IEEE 802.1Q: IEEE’s 802.1Q VLAN tagging is the industry standard. If you have networking devices from
different vendors, IEEE 802.1Q VLAN tagging must be used for interoperability. IEEE 802.1Q inserts the
VLAN tagging information inside the Ethernet frame itself; this method of tagging is known as internal
tagging.

802.1Q trunks support tagged and untagged frames. An untagged frame is a standard unaltered Ethernet
frame. Untagged frames are usually used for native VLAN communication. If a switch receives untagged
frames on a trunk port, they are considered as part of the native VLAN and frames from a native VLAN
access port are not tagged when exiting the switch via a native VLAN trunk port.


A native VLAN is assigned to an IEEE 802.1Q trunk port, which supports traffic coming from many VLANs
(tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). You assign the
management VLAN an IP address and subnet mask so that the switch can be managed via HTTP, Telnet,
SSH, or SNMP. VLAN 1 would serve as the management VLAN if you did not proactively define a unique
VLAN to serve this purpose. As a security best practice, it is always better to define the management VLAN
as a VLAN distinct from all other VLANs defined in the switched LAN.
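The tagging and native VLAN behaviour described above can be seen byte by byte. The following is an added example (not code from the book or from Cisco): it builds Ethernet II frames, inserts and parses the 4-byte 802.1Q tag (TPID 0x8100 followed by the TCI, whose low 12 bits carry the VLAN ID), and models what a trunk and an access port do with tagged and untagged frames. MAC addresses, payload and VLAN numbers are constructed sample values.

```python
import struct

# Constants from the Ethernet II and 802.1Q frame formats
TPID_8021Q = 0x8100       # Tag Protocol Identifier: EtherType value that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame. When vlan_id is given, insert the 4-byte 802.1Q tag
    (TPID + TCI) between the source MAC and the EtherType: the 'internal tagging' of the text."""
    header = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("802.1Q VLAN IDs are 1-4094")
        tci = (pcp << 13) | vlan_id      # TCI = PCP (3 bits) | DEI (1 bit, left 0) | VID (12 bits)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id_or_None, ethertype, payload)."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def trunk_ingress_vlan(frame, native_vlan):
    """VLAN a frame arriving on an 802.1Q trunk is assigned to: the tag if present, otherwise
    the trunk's native VLAN (which is why a native VLAN mismatch misdirects untagged traffic)."""
    vid = parse_frame(frame)[2]
    return native_vlan if vid is None else vid


def trunk_egress_frame(frame, vlan_id, native_vlan):
    """Frame as it leaves a trunk: native-VLAN traffic goes out untagged, everything else tagged."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    tag = None if vlan_id == native_vlan else vlan_id
    return build_frame(dst, src, ethertype, payload, vlan_id=tag)


def access_egress_frame(frame):
    """Frame as it leaves an access port: the tag is removed, so the host never sees VLAN membership."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, ethertype, payload)


# Constructed sample: an untagged broadcast frame as a host on an access port would send it.
SAMPLE_PAYLOAD = bytes(46)   # minimum Ethernet payload; contents are irrelevant here
HOST_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, SAMPLE_PAYLOAD)


def demo(native_vlan=1, access_vlan=10):
    """Walk one frame: access port -> trunk -> access port, reporting what each hop sees."""
    on_trunk = trunk_egress_frame(HOST_FRAME, access_vlan, native_vlan)
    return {
        "host_frame_len": len(HOST_FRAME),
        "trunk_frame_len": len(on_trunk),               # 4 bytes longer when tagged
        "trunk_tag": parse_frame(on_trunk)[2],          # None when the VLAN is the native VLAN
        "vlan_at_far_end": trunk_ingress_vlan(on_trunk, native_vlan),
        "delivered_untagged": parse_frame(access_egress_frame(on_trunk))[2] is None,
    }


if __name__ == "__main__":
    print(demo())                                   # VLAN 10 is tagged on the trunk
    print(demo(native_vlan=10, access_vlan=10))     # VLAN 10 as native VLAN travels untagged
```

Running `demo()` with the defaults shows the frame growing from 60 to 64 bytes on the trunk and being delivered untagged again; with `native_vlan=10` the same VLAN crosses the trunk with no tag at all, and the far end relies purely on its own native VLAN setting to classify it.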

Ok, it’s time to take you through some configuration in the scenario below.

You are asked to put Host 1 and Host 2 in the same VLAN (VLAN 10) so that they will be able to
communicate. Make sure that the links between the switches can carry traffic for multiple VLANs (use
additional VLAN 20 and VLAN 30) using a standard trunking encapsulation.

Scenario for VLAN configuration

Let’s configure VLAN 10, VLAN 20 and VLAN 30 on SW-1:


To check if the VLANs were created, you should use the command “show vlan”:

A similar configuration is done on SW-2 and SW-3.

Now it’s time to configure the ports where Host 1 and Host 2 are connected on SW-1 and SW-2 in VLAN 10.


And for SW-2:

It’s time to configure the links between the switches. Because the task is asking for a standard
encapsulation between 802.1Q and ISL, we have to choose 802.1Q since ISL is Cisco proprietary.

So let’s configure the link between SW-1 and SW-2 as trunk. Before doing that, it’s worth mentioning that
when you configure a trunk interface, you have the option to specify for which VLANs the interface can
carry traffic. You can either configure the trunk to allow all VLANs or you can specify exactly which VLANs
are permitted on the trunk interface. In our case, SW-1 will be configured to allow all VLANs, whereas
SW-2 will be configured to allow only VLAN 10, VLAN 20 and VLAN 30:


The links between SW-1 and SW-3, and SW-2 and SW-3, are configured in a similar way for redundancy.

Now that we have configured the VLANs on the switches, placed the interfaces where the hosts are
connected in the proper VLAN, and configured the links between the switches as trunk, let’s check the
connectivity between the two hosts.

Ping from Host-1 to Host-2 should be successful:

I was talking above about redundancy. If the direct link between SW-1 and SW-2 breaks and the VLANs
are permitted on all trunk interfaces between SW-1, SW-2 and SW-3, then the traffic will take the alternate
path.

How the switches select which path is better to send the traffic between Host-1 and Host-2 is outside the
scope of this article, but as a reference, it is based on Spanning Tree Protocol calculations.

One very useful command that can provide you with important information about the operational status of
an interface is “show interface gi X/Y switchport”:


Using this command, you can find out how the interface was configured (Administrative Mode) and how
it is acting (Operational Mode), what the trunking encapsulation is, what the native VLAN is, and which
VLANs are permitted on the trunk interface (Trunking VLANs Enabled). As you may remember, on SW-2 we
configured explicitly that only VLANs 10, 20 and 30 are allowed.

One other useful command is ‘show interfaces trunk’:

This command will tell you which VLANs are permitted on every trunk interface, which are active, and
which are not pruned by VTP.

Sometimes, it’s necessary to tag the native VLAN and change the VLAN ID.

Let’s see how this is done and how we can check it. You will see that the native VLAN changed from VLAN
1 to VLAN 30 (Trunking Native Mode VLAN):


Voice VLAN:

From our last discussion about Cisco Discovery Protocol, you may recall that Cisco IP Phones get the
information about the Voice VLAN as soon as they are powered on, which enables access ports to carry IP
voice traffic from the phone.

[Figure: a typical home office network where the PC is connected to the back of the IP Phone. The desktop, IP Phone and printer attach to the access layer switch, which connects to the enterprise end router and on to the ISP. The PC and the phone are in different VLANs (Data VLAN and Voice VLAN), so their packets are isolated from each other.]

In our case study network, you can see that the Cisco IP Phone and the host are both connected to the same
port of a switch. So a question may come to your mind: how does a switch tell voice and data traffic
(packets) apart?

For reliability and availability reasons, voice traffic always needs much more bandwidth than data traffic,
so a Cisco switch logically separates data and telephone traffic into two different VLANs or IP subnets. Each
VLAN represents a separate logical broadcast domain; therefore voice traffic will always get higher priority
than data traffic even though both are connected to the same port of the switch. Some people say that it is
always best practice to give the Voice VLAN an ID lower than the Data VLAN ID because of STP convergence,
but in reality I never paid attention to this, so the choice is yours.


Private VLAN:

Private VLANs are also known as port isolation; the restricted ports are called private ports. Remember that
each private VLAN contains many private ports and only a single uplink.

Overview:

To give a high-level overview of private VLANs, we can look into a fairly common business requirement
that might require you to use the private VLAN feature. Let’s say you have a bunch of machines sitting on
a shop floor in a manufacturing facility. All of these machines are currently in the same broadcast domain,
and all of those machines have IPs in the same 10.1.2.0/24 subnet. These machines are absolutely critical
to your business’ ability to make a given product. What would happen if one of those machines picked up
a virus from the Internet, which is unfortunately easy to do? It is possible that this virus could almost
instantly spread to all machines on that same broadcast domain and cause massive problems. In theory,
as long as you have secured inter-subnet communication correctly, this virus should be limited to hosts
on the same broadcast domain.

But can you extend protection beyond that so that the virus would be confined to only the compromised
host? Yes, there are ways to do that. You could put every single host in its own broadcast domain with
its own subnet and use ACLs or some other stateful filtering mechanism to control communication
between the hosts. But this approach would be severely limited in its ability to scale, and would require
huge amounts of time to administer and control. The private VLAN feature provides a much more elegant
solution. Basically, private VLANs allow you to restrict communication between hosts in the same
broadcast domain in a way that is manageable and reasonably scalable. As we explore the various terms,
port types, etc., in the following sections, just remember what the private VLAN feature is attempting to
do: control communication between hosts in the same broadcast domain.

First off, there is no single private VLAN. When you say private VLANs, you are really referring to a set of
VLANs. This set of VLANs interacts with one another to make up a private VLAN domain. Keep repeating
this to yourself, as it is very, very important. Private VLANs is a feature on a switch, not a single VLAN. The
name really is sort of misleading here, as you would think it refers to a single VLAN.

Each VLAN inside of a private VLAN domain can be either a primary VLAN or a secondary VLAN. Each
private VLAN domain can have only a single primary VLAN. However, you can have multiple secondary
VLANs in a private VLAN domain. There are multiple types of secondary VLANs.

Every secondary VLAN is able to communicate with the primary VLAN. What the private VLAN feature
restricts is how communication occurs inside of and between the secondary VLANs of a private VLAN
domain. What communication can occur depends on the type of secondary VLAN it is. There are two types
of secondary VLANs – isolated and community. Hosts in secondary VLANs designated as isolated cannot
talk to other hosts in the same isolated secondary VLAN. On the other hand, hosts in secondary VLANs
designated as community can communicate with other hosts in the same secondary community VLAN
within the private VLAN domain. A single private VLAN domain can have multiple community VLANs. Hosts
in one secondary community VLAN cannot communicate with hosts in a different secondary community
VLAN. You are only allowed to have a single isolated VLAN. And in reality, this makes sense because there
aren’t many scenarios where you would want more than one of those anyway. Hosts in isolated VLANs
are as isolated as they are going to get – putting them in different isolated VLANs isn’t going to further
limit or control who they can communicate with.


[Figure: a typical private VLAN setup within a primary VLAN. A gateway router connects the ISP cloud to the primary VLAN, which provides the uplink to the network; the access switch's private VLAN domain is split into subdomains holding the desktop and the servers.]

The primary VLAN within a private VLAN domain can communicate with hosts both in isolated and
community VLANs. The primary VLAN is usually the VLAN that provides connectivity to the upstream
network. You can think of the primary VLAN as the point of entry and exit to and from the private VLAN
domain. Anybody can walk into and out of a private VLAN building, but once you’re inside, you have to
follow the rules of the house as to what rooms you are allowed to go into (i.e. secondary VLANs) and who
you are allowed to communicate with within each room type.
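The rules just described (primary reaches everything, same community talks, same isolated does not, different secondaries never talk, only one isolated VLAN per domain) are a small policy table, and it is worth checking that a design obeys them before configuring anything. The following is an added example, not code from the book or from any Cisco product: a Python model of one private VLAN domain that answers "can host A talk to host B?" from the VLAN types. Hosts placed in the primary VLAN stand for the gateway side of the domain; all VLAN numbers and host names are constructed sample values.

```python
PRIMARY, ISOLATED, COMMUNITY = "primary", "isolated", "community"


class PrivateVlanDomain:
    """One private VLAN domain: a single primary VLAN plus its secondary VLANs."""

    def __init__(self, primary_vlan):
        self.primary = primary_vlan
        self.secondaries = {}          # secondary VLAN ID -> ISOLATED or COMMUNITY
        self.hosts = {}                # host name -> VLAN ID the host's port belongs to

    def add_secondary(self, vlan_id, kind):
        if kind not in (ISOLATED, COMMUNITY):
            raise ValueError("secondary VLANs are isolated or community")
        if vlan_id == self.primary:
            raise ValueError("the primary VLAN cannot also be a secondary VLAN")
        if kind == ISOLATED and ISOLATED in self.secondaries.values():
            raise ValueError("a private VLAN domain has only one isolated VLAN")
        self.secondaries[vlan_id] = kind

    def attach(self, host, vlan_id):
        if vlan_id != self.primary and vlan_id not in self.secondaries:
            raise ValueError(f"VLAN {vlan_id} is not part of this domain")
        self.hosts[host] = vlan_id

    def vlan_kind(self, vlan_id):
        return PRIMARY if vlan_id == self.primary else self.secondaries[vlan_id]

    def can_talk(self, host_a, host_b):
        """Apply the domain's rules to one pair of hosts."""
        va, vb = self.hosts[host_a], self.hosts[host_b]
        if PRIMARY in (self.vlan_kind(va), self.vlan_kind(vb)):
            return True                            # the primary VLAN reaches every secondary VLAN
        if va != vb:
            return False                           # two different secondary VLANs never talk directly
        return self.vlan_kind(va) == COMMUNITY     # same community: yes; same isolated VLAN: no

    def matrix(self):
        """Full reachability table, useful for reviewing a design before it is configured."""
        names = sorted(self.hosts)
        return {a: {b: self.can_talk(a, b) for b in names if b != a} for a in names}


def demo_domain():
    """Constructed shop-floor scenario from the text: isolated machines, two server communities."""
    d = PrivateVlanDomain(primary_vlan=100)
    d.add_secondary(101, ISOLATED)
    d.add_secondary(102, COMMUNITY)
    d.add_secondary(103, COMMUNITY)
    d.attach("gateway", 100)
    d.attach("shopfloor-1", 101)
    d.attach("shopfloor-2", 101)
    d.attach("web-1", 102)
    d.attach("web-2", 102)
    d.attach("db-1", 103)
    return d


def second_isolated_rejected():
    """True if the model refuses a second isolated VLAN, as the text says a domain allows only one."""
    try:
        demo_domain().add_secondary(104, ISOLATED)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for host, row in demo_domain().matrix().items():
        print(host, {peer: ("ok" if ok else "blocked") for peer, ok in row.items()})
```

A compromised `shopfloor-1` in this model can reach the gateway (and therefore the Internet), but neither `shopfloor-2` nor any server, which is exactly the containment the text is after.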

Upon completion of this VLAN chapter, you should be able to:


■ Configure VLANs
■ Configure the management interface
■ Configure trunking
■ Assign VLANs to access ports
■ Verify connectivity

In the CCNA exam, remember that you may have to do VLAN Troubleshooting, so here I am going to briefly
explain four common VLAN and trunk configuration errors that you may face in your Cisco exam, even as
high as in the CCIE exam:


■ Native VLAN mismatches: Trunk ports are configured with different native VLANs. This configuration
error generates console notifications, causes control and management traffic to be misdirected, and poses
a security risk.

■ Trunk mode mismatches: One trunk port is configured with trunk mode “off” and the other with trunk
mode “on.” This configuration error causes the trunk link to stop working.

■ VLANs and IP subnets: User computers, for example, may have been configured with the incorrect IP
addresses or subnet masks or default gateways. The result is loss of connectivity.

■ Allowed VLANs on trunks: The list of allowed VLANs on a trunk has not been updated with the current
VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.
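Three of the four errors above (native VLAN mismatch, trunk mode mismatch, and allowed-VLAN lists that do not match) can be caught by comparing the two ends of each link, which is what a reviewer does by hand with "show interfaces switchport" on both switches. The following is an added example, not code from the book: a small Python audit that takes the two ends of a link as dictionaries and lists the findings. The mode names follow the text ("on"/"off") plus the two DTP negotiating modes; the sample links are constructed to resemble the SW-1/SW-2/SW-3 lab, and their values (including the deliberate mistakes) are assumptions, not the lab's real configuration.

```python
# Trunk modes as the text names them ("on"/"off") plus the two DTP negotiating modes.
TRUNK_MODES = {"on", "off", "desirable", "auto"}


def trunk_forms(mode_a, mode_b):
    """Would a trunk come up between ports in these modes?
    on/desirable actively request a trunk, auto only agrees to one, off never trunks."""
    for m in (mode_a, mode_b):
        if m not in TRUNK_MODES:
            raise ValueError(f"unknown trunk mode {m!r}")
    if "off" in (mode_a, mode_b):
        return False
    if mode_a == "auto" and mode_b == "auto":
        return False                # both sides wait for the other to ask: stays an access link
    return True


def audit_trunk(local, remote):
    """Compare the two ends of one link. Each end is a dict with keys
    mode, encapsulation, native_vlan and allowed (a set of VLAN IDs). Returns a list of findings."""
    findings = []
    if not trunk_forms(local["mode"], remote["mode"]):
        findings.append(f"trunk mode mismatch: {local['mode']} / {remote['mode']}; link will not trunk")
        return findings             # the remaining checks only matter on a working trunk
    if local["encapsulation"] != remote["encapsulation"]:
        findings.append(f"encapsulation mismatch: {local['encapsulation']} / {remote['encapsulation']}")
    if local["native_vlan"] != remote["native_vlan"]:
        findings.append(f"native VLAN mismatch: {local['native_vlan']} / {remote['native_vlan']}; "
                        "untagged frames land in different VLANs at each end")
    only_local = local["allowed"] - remote["allowed"]
    only_remote = remote["allowed"] - local["allowed"]
    if only_local or only_remote:
        findings.append(f"allowed VLAN lists differ: only local {sorted(only_local)}, "
                        f"only remote {sorted(only_remote)}; those VLANs are carried one way only")
    return findings


def audit_links(links):
    """links: {name: (end_a, end_b)} -> {name: findings}, listing only links that have findings."""
    report = {}
    for name, (a, b) in links.items():
        findings = audit_trunk(a, b)
        if findings:
            report[name] = findings
    return report


# Constructed sample links (values assumed, not the lab's real configuration).
SAMPLE_LINKS = {
    "SW-1<->SW-2": (   # SW-1 allows more VLANs than SW-2: asymmetric allowed list
        {"mode": "on", "encapsulation": "dot1q", "native_vlan": 1, "allowed": {1, 10, 20, 30, 40}},
        {"mode": "on", "encapsulation": "dot1q", "native_vlan": 1, "allowed": {10, 20, 30}},
    ),
    "SW-1<->SW-3": (   # native VLAN changed on one side only
        {"mode": "on", "encapsulation": "dot1q", "native_vlan": 30, "allowed": {10, 20, 30}},
        {"mode": "on", "encapsulation": "dot1q", "native_vlan": 1, "allowed": {10, 20, 30}},
    ),
    "SW-2<->SW-3": (   # both ends dynamic auto: nobody asks, so no trunk forms
        {"mode": "auto", "encapsulation": "dot1q", "native_vlan": 1, "allowed": {10, 20, 30}},
        {"mode": "auto", "encapsulation": "dot1q", "native_vlan": 1, "allowed": {10, 20, 30}},
    ),
    "SW-3<->SW-4": (   # clean trunk: produces no findings
        {"mode": "on", "encapsulation": "dot1q", "native_vlan": 99, "allowed": {10, 20, 30}},
        {"mode": "desirable", "encapsulation": "dot1q", "native_vlan": 99, "allowed": {10, 20, 30}},
    ),
}


if __name__ == "__main__":
    for link, findings in audit_links(SAMPLE_LINKS).items():
        for f in findings:
            print(f"{link}: {f}")
```

The fourth error in the list, hosts with the wrong IP address, mask or gateway for their VLAN, is not visible from the trunks and needs a check of the host's settings against the subnet assigned to its VLAN.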


Chapter 27- Inter VLAN Routing

This chapter will introduce you to the basic inter-VLAN routing concepts, using both traditional Cisco
routers and Cisco Layer 3 switches. You will also learn about multilayer LAN topologies and how a
hierarchical design allows for scalability and a redundant topology.

Networks are constantly growing, and LAN topologies have evolved from traditional single flat broadcast
domains into multi-virtual LAN (VLAN) topologies, with inter-VLAN routing required to enable
communications between each VLAN. Multiple VLANs increase network efficiency by reducing broadcast
domain size, as well as providing a mechanism to allow network layer access control to be applied between
VLANs. Finally, segmenting a LAN into VLANs allows for the isolation of problems to a smaller segment of
the network, allowing for reduced impact on the network and easier fault finding.

All of the above factors have created the requirement for inter-VLAN routing within LAN networks over the
past few years. Even though this book primarily explains traditional Layer 2 switching, it is important to
understand the basics of inter-VLAN routing. Possessing this knowledge helps you to understand Layer 3
switches, which are becoming cost-effective, high-performance alternatives to traditional routers for
routing IP traffic between LAN segments. Possessing a fundamental understanding of inter-VLAN routing is
important if you are to design multilayer topologies that are stable, available, and scalable.

Within a LAN topology, inter-VLAN routing is used to route packets between different VLANs. The common
inter-VLAN routing architectures used in modern LAN networks today are:
• Basic physical connectivity
• Router-on-a-stick
• SVI method (using a Layer 3 switch)


Inter-VLAN routing through physical connectivity is the most basic method of inter-VLAN routing. In this
architecture, a router is simply connected to each VLAN and forwards inter-VLAN traffic between the
appropriate VLANs.

As you can see in Figure 1, the router has a physical Ethernet interface dedicated to each VLAN. If IP hosts
on VLAN 10 need to communicate with hosts on VLAN 20, IP packets with the appropriate source and
destination IP addresses are sent to the router, which looks up the destination IP address and forwards to
the appropriate host on the destination VLAN. This method is simple to understand because the Layer 2
functions (provided by a switch) and Layer 3 functions (provided by a router) are physically separated.

The major issue with this architecture is performance. Because routers are software-based, they cannot
route packets as fast as switches (hardware-based) can switch frames. Even if you are using high-
performance routers, the physical interface connecting each VLAN to the router is a bottleneck because
it can transmit packets only at 10 Mbps, 100 Mbps, or 1 Gbps, depending on the interface type.

Another issue with this architecture is the number of routers and physical interfaces required to support
multiple VLANs: a dedicated Ethernet interface is required per VLAN, so if a switch is configured with 50
VLANs, the router requires 50 interfaces as well, which is not possible.

Finally, all inter-VLAN traffic must travel via the router. In Figure 1, even though the PCs in VLAN 10 and
VLAN 20 are connected to the same switch, all inter-VLAN traffic between the PCs must be sent through
the router, which is inefficient.

Router-on-a-Stick Using Trunks:


As discussed, the previous architecture has physical limitations based upon a dedicated physical interface
being required for each VLAN. This limitation can be removed by using trunk interfaces, where multiple
VLANs are supported on a single physical interface by using tagging technologies such as 802.1Q or ISL.
Rather than using physical interfaces to attach the router to each VLAN, virtual or logical interfaces are
used to attach the router to each VLAN. Figure 2 shows this architecture.

In Figure 2, virtual interfaces (rather than physical interfaces) are used to connect the router to each VLAN.
A single physical trunk interface transports tagged VLAN traffic to the router, with the tag determining to
which virtual interface a frame should be forwarded for routing. Apart from the difference between using
physical interfaces per VLAN as opposed to virtual interfaces per VLAN, this architecture suffers the same
performance limitations, meaning that the router becomes a performance bottleneck when routing
between high-speed VLANs.
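What the router does with the tag, "determining to which virtual interface a frame should be forwarded for routing", can be shown in a few dozen lines. The following is an added example, not code from the book or from Cisco IOS: a Python model of a router-on-a-stick with one sub-interface per VLAN, which reads the 802.1Q tag to pick the ingress sub-interface, looks up the IPv4 destination against its connected subnets, and returns the VLAN (sub-interface) the packet leaves on. The two /27 subnets come from the practical exercise later in this chapter; the .1 and .33 gateway addresses, the native VLAN and the test frames are constructed assumptions.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


class RouterOnAStick:
    """A router reached over one 802.1Q trunk, with one logical sub-interface per VLAN."""

    def __init__(self, native_vlan=None):
        self.subinterfaces = {}     # VLAN ID -> IPv4Interface (the sub-interface address/mask)
        self.native_vlan = native_vlan

    def add_subinterface(self, vlan_id, address):
        """Model of 'encapsulation dot1Q <vlan>' plus 'ip address' on one sub-interface."""
        self.subinterfaces[vlan_id] = ipaddress.ip_interface(address)

    def classify(self, frame):
        """Return (ingress VLAN, IPv4 header bytes) for a frame arriving on the trunk."""
        if int.from_bytes(frame[12:14], "big") == TPID_8021Q:
            vlan = int.from_bytes(frame[14:16], "big") & 0x0FFF
            return vlan, frame[18:]
        return self.native_vlan, frame[14:]    # untagged frames belong to the native VLAN

    def route(self, frame):
        """Decide which sub-interface (VLAN) the packet is forwarded out of; None means dropped."""
        in_vlan, ip_hdr = self.classify(frame)
        if in_vlan not in self.subinterfaces:
            return None                        # no sub-interface for that tag: nowhere to deliver
        dst = ipaddress.ip_address(ip_hdr[16:20])
        # Longest-prefix match over the connected subnets, the only routes this router has here.
        best = None
        for vlan, iface in self.subinterfaces.items():
            if dst in iface.network and (
                best is None or iface.network.prefixlen > self.subinterfaces[best].network.prefixlen
            ):
                best = vlan
        return best


def make_frame(vlan_id, src_ip, dst_ip):
    """Constructed tagged frame carrying a minimal IPv4 header (checksum and options omitted)."""
    eth = bytes(6) + bytes(6) + struct.pack("!HHH", TPID_8021Q, vlan_id, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip


# Constructed lab router: VLAN 10 and VLAN 20 use the two /27 subnets from the practical exercise;
# the gateway addresses and native VLAN are assumptions.
ROUTER = RouterOnAStick(native_vlan=1)
ROUTER.add_subinterface(10, "192.168.3.1/27")
ROUTER.add_subinterface(20, "192.168.3.33/27")


def demo():
    return {
        "vlan10_to_vlan20": ROUTER.route(make_frame(10, "192.168.3.5", "192.168.3.40")),
        "vlan20_to_vlan10": ROUTER.route(make_frame(20, "192.168.3.40", "192.168.3.5")),
        "unknown_vlan_tag": ROUTER.route(make_frame(30, "192.168.3.5", "192.168.3.40")),
        "no_route": ROUTER.route(make_frame(10, "192.168.3.5", "10.0.0.1")),
    }


if __name__ == "__main__":
    print(demo())
```

Every packet between VLAN 10 and VLAN 20 crosses the single trunk twice (in on one tag, out on the other), which is the bottleneck the text describes; a frame tagged with a VLAN that has no sub-interface is dropped by the router, just as it would be in the physical-interface design without a cable for that VLAN.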

Routing Using Layer 3 Switches

A new method of inter-VLAN routing on the LAN has emerged in recent years, called Layer 3 switching.
We just have to create SVIs (Switch Virtual Interfaces) on a Layer 3 switch to perform inter-VLAN routing,
as shown in Figure 3.


With a Layer 3 switch, the traditionally separated Layer 2 and Layer 3 functions are combined into a single
device, eliminating the bottleneck associated with the cable between a router and switch by replacing the
cable with a high-speed backplane connection. Layer 3 switches also typically perform routing in specially
designed hardware circuitry rather than software, using specialized hardware that can perform routing
functions at high speed. This means that the performance of Layer 3 switches is much higher than
traditional router-on-a-stick architectures.

Inter-VLAN Routing Practical Exercise:

In the following practice lab, we are going to apply inter-VLAN routing in order to communicate between
different VLANs using the router-on-a-stick method. In order to communicate between different VLANs
(VLAN 10 and VLAN 20 in our case), we will have to create sub-interfaces of the FastEthernet interface of
our router. Let’s do that. Note: we will create as many sub-interfaces as there are VLANs in our topology.
In this case, we are using 2 VLANs, so we will create two sub-interfaces, one for each VLAN. We will also
apply encapsulation to each sub-interface.

Let’s create VLANs and assign those VLANs to switch interfaces, i.e. PCs:


Tasks:
1. You need to configure Specified VLANS for Switch ACS

2. Apply VLANs on switch-ports as per requirements

3. Perform the router-on-a-stick method on “RouterC” for inter-VLAN communication so that hosts H 1.1,
H 1.2 and H 2.1, H 2.2 can successfully ping each other.

Note: You need to configure only Switch ACS and Router C to complete the task.


The following subnets are available to implement this solution:


• 192.168.3.0/27
• 192.168.3.32/27
Hosts H1.1, H1.2 and H2.1, H2.2 are configured with the correct IP address and default gateway. Switch
ACS uses Cisco as the enable password.

But what if we have hundreds of VLANs, then? We have to create hundreds of sub-interfaces, which is not
a feasible solution as it may suffer the same performance limitations, meaning that the router becomes a
performance bottleneck when routing between high-speed VLANs.

The issue can be resolved by creating SVI (Switched Virtual Interface) as we already discussed.

Here is the scenario:

Tasks to perform Inter-VLAN Routing using SVI:

You need to configure the illustrated VLANs and SVIs on SwitchX so that hosts H1.1, H1.2 and H2.1, H2.2 can
successfully ping the server S1. To complete this task, you need to configure VLAN port assignments or
create trunk links, and don’t try to use static or default routing. All routes must be learned via the EIGRP 10
routing protocol.

Note: You do not have access to Router C, as Router C is correctly configured. There is no need for trunking
on Router C either.

Hosts H1.1, H1.2 and H2.1, H2.2 are configured with the correct IP address and default gateway.
SwitchX uses Cisco as the enable password; you have to enable IP routing on the switch using the
“SwitchX(config)# ip routing” command.


Routing must only be enabled for the specific subnets shown in the diagram. This lab is complete when
you can demonstrate IP connectivity between each of the user VLANs and the external server network,
and between the switch management VLAN and the server network.

Note: For configuring this CCNA Lab, you can use Packet Tracer (Version 5.3 & above). So get the Cisco
packet tracer software and install it.

Chapter 28- Virtual Trunking Protocol (VTP)

Virtual Local Area Network Trunk Protocol, or simply VTP, helps us to maintain the VLAN database
consistency between our networks. Some people just love this technique to manage their VLAN database,
while others may not love it so much. If you ask me about VTP, I will tell you that I use VTP when it is
needed. But always be careful when applying it, because one simple mistake can cause your entire
network to break down! Well, it won’t be that dramatic, but you can still have a BIG headache with it!
And you may have to spend an entire day to resolve it.

So the first question that comes to mind is: what can VTP do for us? Well, it simply "propagates" the
VLANs created on one switch in the domain (acting as server) to other switches in the same domain (acting
as either server or client). VTP makes adding, deleting, and distributing VLAN databases a lot easier.

The first thing you need to know about VLAN Trunking Protocol (VTP) is that it is a Cisco proprietary
protocol that propagates the definition of virtual local area networks (VLANs) across the whole local area
network and is available on most of the Cisco Catalyst series switches. VTP advertisements can be sent
over ISL, 802.1Q, IEEE 802.10, and LAN trunks. VTP reduces administration in a switched network. When
you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain.
This reduces the need to configure the same VLAN everywhere and gives you more time to spend with
your family, so I’m guessing you are already falling in love with this protocol.

VTP Domain

The configuration revision number is a 32-bit number that indicates the level of revision for a VTP packet.
Each VTP device tracks the VTP configuration revision number that is assigned to it. Most VTP packets
contain the VTP configuration revision number of the sender.

This information is used in order to determine whether the received information is more recent than the
current version. Each time that you make a VLAN change in a VTP device, the configuration revision is
incremented by one. In order to reset the configuration revision of a switch, change the VTP domain name,
and then change the name back to the original name.

So we can simply say that a VTP domain is a collection of VTP-aware switches that share VLAN information
with one another. You can specify which domain the switch should be in with a simple vtp domain
<Domain_Name> command. In the example below you will see that we have used cisco.com as the domain
name. Switches will not share VLAN information if they are in different VTP domains.

VTP Modes:
You can configure a switch to operate in any one of these VTP modes:
• Server Mode: In VTP server mode, you can create, modify, and delete VLANs and specify other
configuration parameters, such as VTP version and VTP pruning, for the entire VTP domain. VTP
servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize
their VLAN configuration with other switches based on advertisements received over trunk links. VTP
server is the default mode.
• Client Mode: VTP clients simply receive new VLAN updates from the server and forward the
advertisements to other switches. A client synchronizes its database to keep it up to date.
• Transparent Mode: VTP transparent switches do not participate in VTP. A VTP transparent switch
does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on
received advertisements, but in VTP version 2, transparent switches do forward VTP advertisements
between server and client switches; a transparent switch does not use the information that passes
between server and client or between client and client. Remember, it simply manages local VLANs.


VTP off mode is configurable only on Cat IOS switches, in addition to the three modes described above. In
those three modes, VTP advertisements are received and transmitted as soon as the switch enters the
management domain state. In VTP off mode, switches behave the same as in VTP transparent mode, with
the exception that VTP advertisements are not forwarded. Most engineers strongly believe that in Cisco
switches VTP should be off by default and should generate a warning before being enabled.
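The revision-number rule, the domain and password checks, and the four modes above interact in a way that is easier to see in a model than in prose, especially the warning earlier in this chapter that "one simple mistake can cause your entire network to break down". The following is an added example, not code from the book or from Cisco IOS: a Python model of VTP switches on a loop-free set of trunks. It reproduces the text's ASW1 (server) / ASW2 (transparent) / ASW3 (client) chain, then shows what happens when a server with a higher revision number and an almost empty VLAN database is connected to the domain, with and without first resetting its revision by changing the domain name and back. The switch names and domain name come from the text; the VLAN names, the spare switch and its revision number are constructed, and the password is compared directly rather than as the MD5 value real VTP carries.

```python
class VtpSwitch:
    """Minimal model of one switch's VTP state: domain, mode, password, revision, VLAN database.
    Assumes VTP version 2 behaviour and a loop-free trunk topology (no pruning, no VTP v3)."""
    NORMAL_RANGE_MAX = 1005

    def __init__(self, name, domain, mode="server", password=None):
        if mode not in ("server", "client", "transparent", "off"):
            raise ValueError("mode must be server, client, transparent or off")
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = 0
        self.vlans = {1: "default"}
        self.neighbors = []             # switches reachable over a trunk link

    def link(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def add_vlan(self, vlan_id, name):
        """Local VLAN creation: clients cannot, servers only create normal-range VLANs."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        if self.mode == "server" and vlan_id > self.NORMAL_RANGE_MAX:
            raise ValueError("VTP does not learn extended-range VLANs; use transparent mode")
        self.vlans[vlan_id] = name
        if self.mode == "server":       # transparent/off changes stay local, revision untouched
            self.revision += 1
            self.announce()

    def advertisement(self):
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def _forward(self, adv, origin):
        for n in self.neighbors:
            if n is not origin:
                n.receive(adv, sender=self)

    def announce(self):
        """Send our own summary advertisement on every trunk (what happens when a trunk comes up)."""
        self._forward(self.advertisement(), origin=None)

    def receive(self, adv, sender):
        """Process an advertisement from a neighbour and report what was done with it."""
        if adv["domain"] != self.domain or self.mode == "off":
            return "ignored"            # other domains and off mode: neither applied nor relayed
        if self.mode == "transparent":
            self._forward(adv, origin=sender)       # VTP v2: relayed unchanged, never applied
            return "forwarded"
        if adv["password"] != self.password:
            return "ignored"
        if adv["revision"] <= self.revision:
            return "ignored"            # nothing newer than what we already hold
        self.vlans = dict(adv["vlans"])             # a higher revision replaces the whole database
        self.revision = adv["revision"]
        self._forward(adv, origin=sender)
        return "accepted"

    def reset_revision(self):
        """The text's recipe: change the domain name and change it back, which zeroes the revision."""
        original = self.domain
        self.domain = original + "-reset"
        self.domain = original
        self.revision = 0


def build_domain():
    """ASW1 (server) - ASW2 (transparent) - ASW3 (client), as in the Configuration A figure."""
    asw1 = VtpSwitch("ASW1", "cisco.com", "server", "cisco")
    asw2 = VtpSwitch("ASW2", "cisco.com", "transparent", "cisco")
    asw3 = VtpSwitch("ASW3", "cisco.com", "client", "cisco")
    asw1.link(asw2)
    asw2.link(asw3)
    asw1.add_vlan(10, "IPTV_ADMIN")     # constructed VLAN names
    asw1.add_vlan(20, "SALES")
    return asw1, asw2, asw3


def learned_vlans():
    """Which VLAN IDs each switch holds after ASW1 has created VLANs 10 and 20."""
    return {sw.name: sorted(sw.vlans) for sw in build_domain()}


def join_spare_server(reset_first):
    """Connect a server whose revision (7) is higher than the domain's (2) but that only knows
    VLAN 1. Returns the VLAN IDs ASW3 holds afterwards."""
    asw1, asw2, asw3 = build_domain()
    spare = VtpSwitch("SPARE", "cisco.com", "server", "cisco")
    spare.revision = 7                  # constructed: left over from earlier use in another network
    if reset_first:
        spare.reset_revision()
    spare.link(asw3)
    spare.announce()
    return sorted(asw3.vlans)


if __name__ == "__main__":
    print(learned_vlans())
    print("without reset:", join_spare_server(reset_first=False))
    print("with reset:   ", join_spare_server(reset_first=True))
```

Without the reset, ASW3 accepts revision 7, its VLANs 10 and 20 vanish, and the empty database is relayed through the transparent ASW2 to the server ASW1, which accepts it too; that is the whole domain losing its VLANs from one cable. After `reset_revision()` the same switch announces revision 0 and is simply ignored.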

The figure below shows how VLANs 1 (i.e., the default VLAN), 10, and 20 are created at switch ASW1 for
the Configuration A scenario. Two switches, ASW2 and ASW4, are in transparent mode and connected
between ASW1 and ASW2. Even then, ASW3 (the client switch) is getting all the VLANs that are configured
on ASW1. You can try the same with Packet Tracer; I have mentioned another scenario, named
Configuration B. You just need to follow the commands listed below for all switches:

(Config)#vtp mode server/client/transparent


(Config)#vtp domain cisco.com
(Config)#vtp password cisco
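The Configuration A behaviour described above can be reproduced in a small model. The following is an added example written for this book section, not code from the book or from Cisco; it models the propagation rules stated in the text (advertisements only cross trunk links, a switch in a different domain or with a different password ignores them, clients and servers apply them, transparent switches relay them without applying). The chain topology ASW1 - ASW2 - ASW4 - ASW3 is an assumption about the figure, and the extra client ASW5 in a different domain is constructed to show the domain check.

```python
"""Model of how VTP advertisements propagate across trunk links.

Added example (not from the book). Switch names, modes and VLAN numbers
follow the Configuration A scenario; the chain topology and the extra
switch ASW5 in another domain are constructed for the demonstration.
"""
from collections import deque


class Switch:
    def __init__(self, name, mode, domain, password="", vlans=None):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("unknown VTP mode: " + mode)
        self.name = name
        self.mode = mode
        self.domain = domain
        self.password = password
        # Every switch has the default VLAN 1; a server also carries its own VLANs.
        self.vlans = {1} | set(vlans or ())


def propagate_vtp(switches, trunks, server_name):
    """Flood the server's VLAN database over trunk links.

    Rules modelled (from the text):
      * advertisements travel only over trunk links;
      * a switch in a different domain, or with a different password,
        drops the advertisement;
      * client and server switches apply the database and forward it;
      * transparent switches forward it (VTPv2 behaviour) without applying.
    Returns a dict name -> set of VLANs after propagation.
    """
    by_name = {s.name: s for s in switches}
    neighbours = {s.name: set() for s in switches}
    for a, b in trunks:
        neighbours[a].add(b)
        neighbours[b].add(a)

    src = by_name[server_name]
    domain, password, vlans = src.domain, src.password, frozenset(src.vlans)
    seen = {server_name}
    queue = deque([server_name])
    while queue:
        cur = queue.popleft()
        for nb in neighbours[cur]:
            if nb in seen:
                continue
            sw = by_name[nb]
            if sw.domain != domain or sw.password != password:
                continue  # wrong domain or password: advertisement ignored
            seen.add(nb)
            if sw.mode in ("server", "client"):
                sw.vlans = set(vlans)  # synchronise the VLAN database
            # a transparent switch keeps its local VLANs but still relays
            queue.append(nb)
    return {s.name: set(s.vlans) for s in switches}


def configuration_a():
    """Configuration A: server, two transparent switches, then a client."""
    switches = [
        Switch("ASW1", "server", "cisco.com", "cisco", vlans={10, 20}),
        Switch("ASW2", "transparent", "cisco.com", "cisco"),
        Switch("ASW4", "transparent", "cisco.com", "cisco"),
        Switch("ASW3", "client", "cisco.com", "cisco"),
        # constructed: a client in another domain that must not synchronise
        Switch("ASW5", "client", "other.com", "cisco"),
    ]
    trunks = [("ASW1", "ASW2"), ("ASW2", "ASW4"),
              ("ASW4", "ASW3"), ("ASW1", "ASW5")]
    return propagate_vtp(switches, trunks, "ASW1")


if __name__ == "__main__":
    for name, vlans in sorted(configuration_a().items()):
        print(name, sorted(vlans))
```

Running it shows ASW3 ending up with VLANs 1, 10 and 20 while the two transparent switches keep only VLAN 1 and ASW5, in the wrong domain, receives nothing. The domain and password checks are the reason the text insists on matching names and passwords across the whole domain.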


VTP Version 2 is not much different from VTP Version 1. The major difference is that VTP V2 introduces
support for Token Ring VLANs. If you use Token Ring VLANs, you must enable VTP V2; otherwise there is
no reason to use it. Changing the VTP version from 1 to 2 will not cause a switch to reload.
The table below shows some basic differences between V1, V2, and V3.

VTP          V1 & V2                            V3
Mode         Server/Client/Transparent          Server/Client/Transparent/Off
VLAN ID      VLAN 1 - 1001 for Server/Client    VLAN 1 - 4094
             VLAN 1 - 4094 for Transparent
Password     Clear text                         Encrypted password

VTP Password:
If you configure a password for VTP, you must configure the password on all switches in the VTP domain.
The password must be the same on all switches. The VTP password that you configure is
translated by an algorithm into a 16-byte word (MD5 value) that is carried in all summary-advertisement
VTP packets.

And you can view the VTP password using show vtp password; also, to check VLANs, domain, and VTP
mode, you can use show vtp status (as shown below):

VTP Pruning:


VTP ensures that all switches in the VTP domain are aware of all VLANs. However, there are occasions
when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over
the entire VLAN. All switches in the network receive all broadcasts, even in situations in which few users
are connected in that VLAN. VTP pruning is a feature that you use in order to eliminate, or prune, this
unnecessary traffic.

When VTP pruning is enabled on a VTP server, pruning is enabled for the entire management domain.
Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that
trunk only (not on all switches in the VTP domain). VTP pruning takes effect several seconds after you
enable it. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 and VLANs
1002 to 1005 are always pruning-ineligible; traffic from these VLANs cannot be pruned. Extended-range
VLANs (VLAN IDs greater than 1005) are also pruning-ineligible.

To configure VTP pruning, you just need to enter the following command in global configuration mode on
the VTP server; that's it, pruning is configured for the domain:

Switch(config)#vtp pruning

Use VTP in a Network


By default, all switches are configured as VTP servers. This configuration is suitable for small-scale
networks in which the size of the VLAN information is small and the information is easily stored in all
switches (in NVRAM). In a large network, the network administrator must make a judgment call at some
point, when the NVRAM storage required becomes wasteful because it is duplicated on every switch. At this
point, the network administrator should choose a few well-equipped switches and keep them as VTP
servers. Everything else that participates in VTP can be turned into a client. The number of VTP servers
should be chosen in order to provide the degree of redundancy that is desired in the network.

Note: If a switch is configured as a VTP server without a VTP domain name, you cannot configure a VLAN
on the switch. This applies only to CatOS; you can configure VLANs without a VTP domain name on a
switch that runs IOS.
■ If a new Catalyst is attached at the border of two VTP domains, the new Catalyst keeps the domain
name of the first switch that sends it a summary advertisement. The only way to attach this switch
to another VTP domain is to manually set a different VTP domain name.
■ Dynamic Trunking Protocol (DTP) sends the VTP domain name in a DTP packet. Therefore, if the
two ends of a link belong to different VTP domains, the trunk does not come up if you use DTP. In
this special case, you must configure the trunk mode as on or nonegotiate on both sides in order to
allow the trunk to come up without DTP negotiation.
■ If the domain has a single VTP server and it crashes, the best and easiest way to restore operation
is to change any of the VTP clients in that domain to a VTP server. The configuration revision is still
the same in the rest of the clients, even if the server crashes, so VTP continues to work properly in
the domain.

Configuration Exercise for VTP


Time to evaluate your VTP skills! Just go through all the described configurations below & upon
completion of this Packet Tracer Exercise, you will be able to:

■ Configure VTP
■ Configure VLANs
■ Configure trunking and verify VTP status (using show vtp status, show vtp password)
■ Assign VLANs to access ports
■ Verify connectivity

Practical Scenario: In this exercise, you will practice configuring VTP and VLANs and establishing trunk
links. In addition, you will assign VLANs to access ports and then test connectivity between devices on
the same VLAN. The PCs are already configured with IP addressing. The switches have only a basic
configuration, such as their hostnames.

Tasks to perform:


1. Configure the SW1 switch as a VTP server.
2. Configure SW2 as VTP transparent; SW3, SW4, and SW5 should act as VTP clients. All links between
switches must be configured as trunk links, and links connected to hosts must be configured as access
ports in the proper VLANs.
3. Configure the VTP domain name as "intenseschool" and the VTP password as "cisco".
4. Configure VLAN 10 with the name "STUDENTS", VLAN 20 with the name "TRAINERS" and VLAN 50 with
the name "SERVERS" on the VTP server only, i.e., on SW1.
5. Configure VLAN 100 with the name "MARKETING" and VLAN 200 with the name "MANAGEMENT" on
the transparent switch only, i.e., on SW2.
6. Check propagation on the client switches of the VTP domain.
7. All computers are preconfigured with proper IP addresses:
N/W 10.1.10.0/24 for Students (VLAN 10)
N/W 10.1.20.0/24 for Trainers (VLAN 20)
N/W 10.1.50.0/24 for Servers (VLAN 50)
N/W 10.1.100.0/24 for Marketing (VLAN 100)
N/W 10.1.200.0/24 for Management (VLAN 200)

Task 1: Configure VTP

Step 1.
Configure VTP on the switches.

Step 2.
On completion check with show vtp status & show vtp password.

Task 2: Configure Trunking and VLANs


Step 1: Configure Trunking and Verify VTP Status

Step 2. Configure VLANs on the VTP Server only.

Step 3. On completion, check with show vlan command on server & clients to verify your
configuration.

Note: VTP advertisements are flooded throughout the intenseschool domain every 5 minutes
or whenever a change occurs in the VLAN configuration.

Task 4: Assign VLANs to Access Ports

Step 1. Configure access ports and assign VLANs for the PCs. Be sure to activate the links.


Step 2. On completion you can verify it with show vlan.


Task 5: Verify Connectivity

All switches should now be able to ping each other. PCs belonging to the same VLAN should be able to
ping each other.

Task 6: Save the Packet Tracer File

Hopefully, you will do this exercise on Packet Tracer software as well as on real devices to gain perfect
understanding of this chapter on VTP.

Chapter 29- Spanning Tree Protocol

High availability is a must in any modern network. Users expect that they can use its services anytime,
anywhere. But technology is sometimes under the influence of Murphy's Law: "Anything that can go
wrong, will go wrong."

What is the solution? Redundancy is one example. Redundancy means using more devices and
more wiring connections than we really need. In the image below, you can see Cisco 2960 series switches
stacked together with FlexStack cables. In this case, the three switches work as a single switch, where switch
1 normally acts as the stack master (you can make a switch the stack master simply by giving it the highest priority).

fig source: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/data_sheet_c78-728232.html


Layer 2 Switching Loop and Broadcast Storm:

In a switched network, redundancy can be achieved by having more connections between switches. When
switches are interconnected, the network will not fail completely even if one connected link fails.

This design, however, has a disadvantage: physical loops. Loops can have unwanted side effects, such as
broadcast storms or duplicated frames. Consider switches interconnected for redundancy as shown below,
and a broadcast frame originated by the workstation connected to Switch 4 and addressed to the file
server of the office network.

As the destination MAC address is not known to Switch 4, it will forward the frame to Switch 2 and Switch 3
at the same time. After receiving the frame, both switches will forward it to Switch 1, so Switch 1 receives
the same frame from both switches. This can lead to a switching loop: broadcasts circulate around the
entire network and can consume all the available bandwidth. This type of network condition is known as
a broadcast storm. Broadcast storms can consume all bandwidth and deny it to normal network traffic.
Remember, a broadcast storm is a dangerous network problem and it can shut down your entire network
operation in a flash.

Spanning Tree Protocol (STP for short) was created to solve this kind of problem in switches and bridges.
It effectively eliminates logical loops while allowing physical loops to still exist. STP is specified in
IEEE 802.1D; it is a link management protocol that provides path redundancy while preventing undesirable
loops in the network. The main purpose of STP is to ensure that you do not create loops when you have
redundant paths in your network. Loops are deadly to a network because they cause broadcast storms.

Let's discuss some common STP terms that you may encounter in job environment:

Bridge Protocol Data Unit (BPDU):


Bridge Protocol Data Units (BPDUs) are messages exchanged between all the switches to elect the root
switch and for the subsequent configuration of the LAN. BPDU frames contain information such as the
switch ID, the originating switch port, the MAC address, the switch port priority, and the switch port cost.
During the election, each switch compares all the parameters inside the BPDU frame it receives from a
neighbouring switch with its own BPDU. Remember, the switch whose BPDU parameter (switch ID/MAC
address/port priority, etc.) is lower wins, because in computer networking a lower cost is always better.
A switch in a redundant network is unaware of the others around it, so BPDU frames are sent out regularly
as multicast messages to the multicast destination MAC address 01:80:c2:00:00:00.

Note that there are three types of Bridge Protocol Data Units (BPDUs) found in a switched network:

I. Configuration BPDU (CBPDU), used for spanning-tree computation.
II. Topology Change Notification (TCN) BPDU, used for sending information about changes in the
redundant network.
III. Topology Change Acknowledgment (TCA) BPDU, which acknowledges a topology change to the other
switches in the network.

Root Bridge:
Redundant switches in a network first elect the root bridge, a special bridge at the top of the spanning
tree, which is basically an inverted tree. The other switches in the Ethernet network then branch out
from the root switch, connecting in a redundant network.

In a network, Layer 2 devices like switches or bridges are assigned a value called the switch or bridge
priority. By default, the switch priority is the numerical value 32,768, as defined by the IEEE 802.1D
standard. Along with the MAC address of the switch, the switch priority is used to form the switch ID.
If all switches in a network have the same switch priority, the switch with the lowest MAC address is
always chosen as the root bridge.

In our network example below, all switches have the default switch priority of 32,768. Switch 1 is elected
as the root switch because it has a lower MAC address than the other switches in the network.


Root-Port:
Once the root bridge is elected, every other switch in the network must select a single port on itself
to reach the root bridge. The single selected port on a switch with the least path cost to the root
switch is called the root port. Remember: the root switch will never have a root port, as it is the root
of the network and there is no need for it to reach the root.

The above layout of switches shows that Switch 4 has two ports to reach the root bridge. If there are
multiple ports on a switch that reach the root bridge, the spanning tree algorithm must select the best
one of them. The port with the least path cost is marked as the root port.

Designated Port: There can be only one root port (marked as RP) on a switch, but a switch can have
multiple designated ports (marked as DP). The designated port is the port that has the lowest path cost
on a particular Local Area Network (LAN) segment. Each segment has a single port that is used to reach
the root, called the designated port.

A Root Port is the port on the Switch with the least cost from the "Switch" to the Root Bridge. A Designated
Port is the port on a "Local Area Network (LAN) segment" with the least cost to the root bridge.

The other end of a designated port is called a non-designated port (marked as NDP) if it is NOT a root
port. A non-designated port will always be in the blocking state, to avoid Layer 2 switching loops.

Remember, a root port can never be a designated port, and there cannot be any root port on a root
bridge (switch). All the ports on a root bridge (switch) are designated ports.

Difference between Root Port & Designated Port:

The following figure shows a network with four switches. The root bridge, root ports, designated ports
and a non-designated port are marked on the figure.
The differences between root port and designated port are listed below.
■ As we learned, the root port (RP) is the single selected port on a given switch with the least path
cost to the root bridge. On the other hand, the designated port is the port that has the lowest path
cost on a particular Local Area Network (LAN) segment.
■ There can be ONLY one root port on a Layer 2 device (bridge/switch). There may be multiple
designated ports on a bridge/switch.
■ On the root switch, all the ports are designated ports (DP).
■ A root port can NEVER be a designated port.
■ If one end of a Local Area Network (LAN) segment is a designated port, the other end is called a
non-designated port (marked as NDP) if it is NOT a root port. A non-designated port will always be
in the blocking state in order to avoid Layer 2 switching loops.

Spanning Tree Port States:


Remember that when the Spanning Tree Protocol (STP) is enabled, every port on every switch in the
network starts in the blocking state and later moves through the listening and learning states. The ports
on a switch with STP enabled are in one of the following five port states:

Spanning Tree Protocol (STP) Port States & Convergence (normally STP convergence takes 50 s to complete)

Blocking State: Receives BPDUs from the connected port of the neighbouring switch. Normally it takes
20 s to go from the Blocking State to the Listening State.
Listening State: Directs the received BPDUs to the switch system module for processing. Normally it
takes 15 s to go from the Listening State to the Learning State.
Learning State: Starts processing user frames and updating the MAC table. Normally it takes 15 s to go
from the Learning State to the Forwarding State.
Forwarding State: Called the Normal State; the switch forwards frames across the connected network.
Disabled State / Isolated State: Called the ISOLATED STATE; the switch does not participate in frame
forwarding or in any STP operation, which is why it is also called the Non-Operational State.

STP/Layer 2 Convergence:

Spanning Tree Protocol (STP) convergence (Layer 2 convergence) happens when all bridges and switches
have transitioned to either the forwarding or the blocking state. When Layer 2 is converged, the root switch
has been elected and the root, designated and non-designated ports on all switches have been selected. In
the converged condition, the root and designated ports are in the forwarding state, and all other ports are
in the blocking state.

The time it usually takes to change from the blocking to the forwarding state is 50 seconds (blocking to
listening is 20 seconds; listening to learning is 15 seconds; learning to forwarding is 15 seconds) when the
STP timers are at their default values. Until the port reaches the forwarding state, no user traffic is
forwarded through the port and the end user may feel that there is no network connectivity.

Spanning Tree Port Fast:


We can use the feature called Spanning Tree Port Fast to speed up the convergence on ports that are
connected to a workstation or a server. The Port Fast feature should be used only to connect a single
workstation or server to a switch port to avoid layer 2 switching loop. Spanning-tree Port Fast feature
causes a port to enter the forwarding state immediately, bypassing the listening and learning states.

Rapid Spanning Tree Protocol (RSTP):

In modern networks this convergence gap (30-50 s) is not acceptable, and the Rapid Spanning Tree
Protocol (RSTP), IEEE 802.1w, is available to address it. RSTP enables root ports and designated ports
to change from the blocking to the forwarding state in a few seconds, which reduces the convergence time.

Per-VLAN Spanning Tree (PVST) and Per-VLAN Spanning Tree Plus (PVST+):

Delay in receiving BPDUs is common in large switched Common Spanning Tree (CST) networks. This delay
in receiving BPDUs can cause problems in convergence time.

Per-VLAN Spanning Tree (PVST) is a solution for these problems. It is a Cisco-proprietary Spanning Tree
Protocol (STP) that operates a separate instance of STP for each individual VLAN. Per-VLAN Spanning
Tree+ (PVST+) is an extension of PVST. It allows interoperability between CST and PVST on Cisco switches
and supports the IEEE 802.1Q standard.

Multiple Spanning Tree Protocol (MSTP):

The Multiple Spanning Tree Protocol (MSTP) defines an extension to the Rapid Spanning Tree Protocol for
use with virtual LANs (VLANs). MSTP configures a separate spanning tree for each group of VLANs and
blocks all but one of the possible alternate paths within each spanning tree. If the network contains more
than one VLAN, the logical topology computed by a single STP would work, but it is possible to make
better use of the alternate paths by using a different spanning tree for different VLANs or groups of VLANs.
MSTP allows the formation of MST regions that can run multiple MST instances (MSTIs). Multiple regions
and other STP bridges are interconnected using one single common spanning tree (CST).

Configuration exercises for STP

Task 1: SW2's F0/2 should not be in the blocking state; it should be treated as the root port, and F0/1 can
be blocked.

To achieve Task 1, the configuration can only be done on SW1 (the root bridge). If a switch has multiple
connections to another switch, it will consider the lowest port ID (port priority + port MAC; by default, the
port priority is 128 and can be configured between 0 and 240 in multiples of 16), and if the port priority is
the same, it will consider the lowest port MAC. So, let's change the port priority on SW1: we can either
increase the port priority of F0/1 or decrease the priority of F0/2, in multiples of 16 only. Either of the
following sets of commands achieves the objective.

SW1(config)#interface f0/1
SW1(config-if)#spanning-tree vlan 1 port-priority 144    ! ports are in VLAN 1

OR

SW1(config)#interface f0/2
SW1(config-if)#spanning-tree vlan 1 port-priority 112

Task 2: SW2 should become the root bridge.

As we already discussed, in the root bridge election STP prefers the lowest bridge ID (switch priority +
switch MAC; the default switch priority is 32768, and the bridge priority can be set in multiples of 4096
only). Only if the switch priority is the same does it consider the lowest MAC among all switches. We can't
do anything about the MAC address, so let's manipulate the bridge priority with one of the following
commands to achieve Task 2 (SW1 is the current root, so SW2 must end up with the lower bridge ID):

SW2(config)#spanning-tree vlan 1 priority <32768 - 4096>

OR

SW1(config)#spanning-tree vlan 1 priority <32768 + 4096>

OR

SW2(config)#spanning-tree vlan 1 root primary    ! this command sets the priority to 24576
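Both tasks come down to the comparison rules STP applies to bridge IDs and port IDs. The following is an added example, written for this section rather than taken from the book, that models those comparisons: a bridge ID compares as (priority, MAC), a port ID as (port priority, port number) according to IEEE 802.1D, and both priorities are validated against the increments the text gives (4096 and 16). The MAC addresses, the FastEthernet path cost of 19 and the port numbers are constructed; the function names are mine.

```python
"""Root bridge election, root port selection and the port-priority tie-break.

Added example (not from the book). It reproduces the two exercise tasks:
Task 1, where raising the port priority of SW1 F0/1 makes SW2 prefer F0/2,
and Task 2, where 'spanning-tree vlan 1 root primary' on SW2 (priority
24576) makes SW2 the root. MAC addresses and port numbers are constructed.
"""


def check_bridge_priority(priority):
    # IOS rejects anything that is not a multiple of 4096 in 0-61440.
    if priority < 0 or priority > 61440 or priority % 4096:
        raise ValueError("bridge priority must be 0-61440 in increments of 4096")
    return priority


def check_port_priority(priority):
    # Port priority is 0-240 in increments of 16 (default 128).
    if priority < 0 or priority > 240 or priority % 16:
        raise ValueError("port priority must be 0-240 in increments of 16")
    return priority


def bridge_id(priority, mac):
    """Bridge ID orders by priority first, MAC second; lower wins."""
    return (check_bridge_priority(priority), mac.lower())


def elect_root(bridges):
    """bridges: dict name -> (priority, mac). The lowest bridge ID is root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def select_root_port(candidates):
    """Pick the local port that received the superior BPDU.

    candidates: list of (local_port, root_path_cost, sender_bridge_id,
    sender_port_priority, sender_port_number). The comparison order is
    path cost, then sender bridge ID, then sender port ID, which is the
    tie-break that applies when two links go to the same upstream switch.
    """
    best = min(candidates, key=lambda c: (
        c[1], c[2], (check_port_priority(c[3]), c[4])))
    return best[0]


def exercise():
    # Constructed MACs: SW1 has the lower one, so it is root at defaults.
    sw1_mac, sw2_mac = "0000.0c00.0001", "0000.0c00.0002"
    root_default = elect_root({"SW1": (32768, sw1_mac), "SW2": (32768, sw2_mac)})
    sw1_bid = bridge_id(32768, sw1_mac)

    # Task 1 at defaults: SW2 hears SW1 on F0/1 (SW1 port 1) and F0/2 (SW1 port 2);
    # equal cost (19 for FastEthernet) and equal sender, so the lower port ID wins.
    default_rp = select_root_port([("F0/1", 19, sw1_bid, 128, 1),
                                   ("F0/2", 19, sw1_bid, 128, 2)])
    # After 'spanning-tree vlan 1 port-priority 144' on SW1 F0/1:
    after_rp = select_root_port([("F0/1", 19, sw1_bid, 144, 1),
                                 ("F0/2", 19, sw1_bid, 128, 2)])

    # Task 2: 'root primary' on SW2 sets its priority to 24576.
    root_after = elect_root({"SW1": (32768, sw1_mac), "SW2": (24576, sw2_mac)})
    return root_default, default_rp, after_rp, root_after


if __name__ == "__main__":
    print(exercise())
```

The order of the comparison in select_root_port is the point to remember: port priority only matters once path cost and sender bridge ID tie, which is exactly the situation with two parallel links to the root, and that is why Task 1 is solved on SW1 rather than on SW2.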

I hope you will do this exercise either in packet tracer or a real device to feel more confident about STP.

Configuring Spanning Tree Protocol

Let’s put some of this theory to work with some hands-on work. In this section, we will discuss how to
check STP operation, how to influence the root bridge election and how to influence the path selection
algorithm. We will focus on configuration examples, “show” outputs and where it will be needed, plus
reminders about theory will also be provided.


Below is our topology, with 2 VLANs configured and two hosts in each VLAN:

In the above topology, everything was left at default with regards to Spanning Tree Protocol. The VLANs
and the interfaces from all switches in the respective VLANs were configured. Also, the interfaces between
all three switches were configured as trunk allowing all VLANs.

If you need to quickly check the current parameters for timers and priority, you can use “show
spanning-tree bridge”:

SW12#show spanning-tree bridge
                                                    Hello  Max  Fwd
Vlan                 Bridge ID                      Time   Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
VLAN0001         32769 (32768,  1) f4ac.c115.e300    2     20   15   ieee
VLAN0013         32781 (32768, 13) f4ac.c115.e300    2     20   15   ieee
VLAN0024         32792 (32768, 24) f4ac.c115.e300    2     20   15   ieee
SW12#

As you can see, we are running STP for three VLANs: 1, 13 and 24. The timers were left to default along
with the default priority. The type of STP used is IEEE, the Cisco implementation of 802.1D.

So without altering STP, let’s check its current status to find the root bridge and see how the MAC
addresses of the hosts are learned on each switch.

Let’s start with SW12 and check for VLAN 13. The output will be similar for VLAN 24.

SW12#show mac address-table vlan 13
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    0050.7966.6804    DYNAMIC     Gi0/0
  13    0050.7966.6806    DYNAMIC     Gi0/2
Total Mac Addresses for this criterion: 2
SW12#

As you can see, the PC1 MAC address is learned from Gi0/0 (directly connected) and the PC3 MAC address
is learned via SW34 over GI0/2.

Let’s check the current operation of STP for VLAN 13:

SW12#show spanning-tree vlan 13

VLAN0013
  Spanning tree enabled protocol ieee
  Root ID    Priority    32781
             Address     0027.0c1a.db80
             Cost        4
             Port        3 (GigabitEthernet0/2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32781  (priority 32768 sys-id-ext 13)
             Address     f4ac.c115.e300
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg FWD 4         128.1    P2p
Gi0/2               Root FWD 4         128.3    P2p
Gi0/3               Altn BLK 4         128.4    P2p
Gi0/4               Altn BLK 4         128.5    P2p
SW12#

As you can see, the root bridge is a switch that has the bridge ID 0027.0c1a.db80 and the SW12 interface
towards the root bridge is GigabitEthernet0/2 with a cost of 4.

Also, the interface towards SW3 (Gi0/4) is in Alternate role and Blocking state, which means that no MAC
learning or flooding will happen on that interface.


We will see later what the implications for this are.

SW12 is not the root bridge for VLAN 13 because its bridge ID is higher: f4ac.c115.e300 is
higher than 0027.0c1a.db80.

So let’s check the current STP status and MAC address table for the same VLAN on SW34:

SW34#show mac address-table vlan 13
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    0050.7966.6804    DYNAMIC     Gi0/2
  13    0050.7966.6806    DYNAMIC     Gi0/0
Total Mac Addresses for this criterion: 2
SW34#

Actually, let’s also quickly check the MAC table for VLAN 24 and confirm that we are learning the MAC
addresses for PC2 and PC4 in the same way. We will use it later as comparison after we change the root
bridge for VLAN 24:

SW34#show mac address-table vlan 24
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  24    0050.7966.6805    DYNAMIC     Gi0/2
  24    0050.7966.6807    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 2
SW34#

The MAC of PC1 is learned from SW12 and the MAC of PC3 is learned through the interface directly
connected to PC3.

Let’s check the STP operation for VLAN 13:

SW34#show spanning-tree vlan 13

VLAN0013
  Spanning tree enabled protocol ieee
  Root ID    Priority    32781
             Address     0027.0c1a.db80
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32781  (priority 32768 sys-id-ext 13)
             Address     0027.0c1a.db80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Desg FWD 4         128.1    P2p
Gi0/2               Desg FWD 4         128.3    P2p
Gi0/3               Desg FWD 4         128.4    P2p
Gi0/4               Desg FWD 4         128.5    P2p
SW34#

As you can see, SW34 is the root bridge, which means that all its interfaces will be in Designated role and
Forwarding state.

In STP, all traffic should pass through the root bridge because MAC learning is done through it. Remember
the above statement with regards to the interface of SW12 towards SW3. The implication of this
statement is that SW3 will learn the MAC addresses of PC1 and PC3 from SW34. Let’s confirm this:

SW3#show mac address-table vlan 13
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    0050.7966.6804    DYNAMIC     Gi0/1
  13    0050.7966.6806    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 2
SW3#

So SW3 learned the MAC address of PC1 via this path: PC1 – SW12 – SW34 – SW3, although there is direct
link between SW12 and SW3.

As mentioned in the beginning, everything for STP was left at default for both VLANs, hence a very similar
output will be seen on all devices if we check VLAN 24.

This means that SW34 will be the root bridge for both VLANs and even though you can run multiple
instances of STP so that you can elect different root bridges for each VLAN, the current network is working
similar to how the legacy 802.1D is used in the network.

As mentioned, IEEE in the output of “show spanning-tree bridge” stands for Cisco PVST.

Let’s change the current configuration on SW3 and make it the root bridge for VLAN 24, and then see
what is changing when we compare the same outputs as for VLAN 13.

We have two configuration options to make SW3 the root bridge.


One of them is to explicitly specify the priority of the bridge to a value that is lower than the current
priority of SW34. SW34 is using the default priority, 32768, but it is winning the root bridge election due
to the lower MAC address.

The other configuration option is to use the “primary” macro, which will set the priority to the next
lower bridge priority so that the switch will become the root bridge.

We will see both methods in action. Let’s start with explicitly configuring the priority. As you will see, you
need to configure a priority that is a multiple of 4096. If you don’t know the exact value, you can type
anything there and you will get a list of possible values:

SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#spanning-tree vlan 24 priority ?
  <0-61440>  bridge priority in increments of 4096
SW3(config)#spanning-tree vlan 24 priority 24000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  24    4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440
SW3(config)#spanning-tree vlan 24 priority 24576
SW3(config)#end
SW3#

Now, let’s check the bridge priority for VLAN 24:

SW3#show spanning-tree bridge
                                                    Hello  Max  Fwd
Vlan                 Bridge ID                      Time   Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
VLAN0001         32769 (32768,  1) f4ac.c105.d200    2     20   15   ieee
VLAN0013         32781 (32768, 13) f4ac.c105.d200    2     20   15   ieee
VLAN0024         24600 (24576, 24) f4ac.c105.d200    2     20   15   ieee
SW3#

As you can see, the priority for VLAN 24 has changed and SW34 should now see SW3 as the root bridge
for VLAN24 through the interface Gi0/4. Let’s check:

SW34#show spanning-tree vlan 24

VLAN0024
  Spanning tree enabled protocol ieee
  Root ID    Priority    24600
             Address     f4ac.c105.d200
             Cost        4
             Port        5 (GigabitEthernet0/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32792  (priority 32768 sys-id-ext 24)
             Address     0027.0c1a.db80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.2    P2p
Gi0/2               Desg FWD 4         128.3    P2p
Gi0/3               Desg FWD 4         128.4    P2p
Gi0/4               Root FWD 4         128.5    P2p
SW34#

Remember how the MAC table on SW34 was looking for VLAN24 before we changed the root bridge?
Let’s compare the current status of the MAC table for VLAN 24:

SW34#show mac address-table vlan 24
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  24    0050.7966.6805    DYNAMIC     Gi0/4
  24    0050.7966.6807    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 2
SW34#

As you can see, the MAC address of PC2 is now learned via SW3, which is the root bridge.
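Checking "show spanning-tree vlan" by eye is fine for three switches, but the same verification is worth scripting: the switch that is root for a VLAN should be the one you intended, and any other root (a misconfigured priority, or a device that has started sending superior BPDUs) is something to alarm on. The following is an added example, not code from the book, that parses the SW34 output for VLAN 24 shown above (copied from the text) and audits it against the expected root; the function names and the audit rules are mine.

```python
"""Parse 'show spanning-tree vlan N' output and audit the root bridge.

Added example (not from the book). The sample below is the SW34 output
for VLAN 24 after SW3 became root; the expected root MAC is the one the
text reports for SW3.
"""
import re

SAMPLE = """\
SW34#show spanning-tree vlan 24

VLAN0024
  Spanning tree enabled protocol ieee
  Root ID    Priority    24600
             Address     f4ac.c105.d200
             Cost        4
             Port        5 (GigabitEthernet0/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32792  (priority 32768 sys-id-ext 24)
             Address     0027.0c1a.db80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/1               Desg FWD 4         128.2    P2p
Gi0/2               Desg FWD 4         128.3    P2p
Gi0/3               Desg FWD 4         128.4    P2p
Gi0/4               Root FWD 4         128.5    P2p
SW34#
"""

# One interface row: name, role, state, cost, port priority.number, link type.
IFACE_RE = re.compile(
    r"^(\S+)\s+(Desg|Root|Altn|Back)\s+(FWD|BLK|LRN|LIS)\s+(\d+)\s+(\d+)\.(\d+)\s+(\S+)",
    re.M)


def parse_spanning_tree(text):
    """Return the root ID, local bridge ID and per-interface role/state."""
    info = {"vlan": int(re.search(r"^VLAN(\d{4})", text, re.M).group(1))}
    root_block = text.split("Root ID", 1)[1].split("Bridge ID", 1)[0]
    bridge_block = text.split("Bridge ID", 1)[1]
    info["root_priority"] = int(re.search(r"Priority\s+(\d+)", root_block).group(1))
    info["root_mac"] = re.search(r"Address\s+([0-9a-f.]+)", root_block).group(1)
    info["is_root"] = "This bridge is the root" in root_block
    port = re.search(r"Port\s+\d+\s+\((\S+)\)", root_block)
    info["root_port"] = port.group(1) if port else None  # absent on the root itself
    info["local_priority"] = int(re.search(r"Priority\s+(\d+)", bridge_block).group(1))
    info["local_mac"] = re.search(r"Address\s+([0-9a-f.]+)", bridge_block).group(1)
    info["interfaces"] = {
        m.group(1): {"role": m.group(2), "state": m.group(3), "cost": int(m.group(4)),
                     "port_priority": int(m.group(5)), "port_number": int(m.group(6))}
        for m in IFACE_RE.finditer(text)}
    return info


def audit(info, expected_root_mac):
    """Compare the observed root with the intended one; list blocked ports."""
    findings = []
    if info["root_mac"] != expected_root_mac.lower():
        findings.append("unexpected root %s (expected %s)"
                        % (info["root_mac"], expected_root_mac.lower()))
    # With PVST the low 12 bits of the priority carry the VLAN id (sys-id-ext).
    if info["root_priority"] % 4096 != info["vlan"]:
        findings.append("root priority %d does not embed VLAN %d"
                        % (info["root_priority"], info["vlan"]))
    blocked = sorted(n for n, i in info["interfaces"].items() if i["state"] == "BLK")
    return findings, blocked


if __name__ == "__main__":
    parsed = parse_spanning_tree(SAMPLE)
    print(parsed["root_mac"], parsed["root_port"])
    print(audit(parsed, "f4ac.c105.d200"))
```

Run against the sample, the audit returns no findings and no blocked ports, since SW34 now has Gi0/4 as root port and everything else designated; feeding it the VLAN 13 output, where SW34 itself is root, yields is_root True and root_port None. Pointing expected_root_mac at the old root (0027.0c1a.db80) produces the "unexpected root" finding, which is the condition a monitoring job would report.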

Let’s now discuss the second method of configuring a switch to become the root bridge. This is how the
“primary” macro is being used:

SW3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#
*May  9 21:11:14.645: %SYS-5-CONFIG_I: Configured from console by console
SW3(config)#spanning-tree vlan 24 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
SW3(config)#spanning-tree vlan 24 root primary
SW3(config)#end
SW3#

The bridge priority was lowered to 24576:

SW3#show spanning-tree bridge
                                                   Hello  Max  Fwd
Vlan                         Bridge ID              Time  Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
VLAN0001         32769 (32768,   1) f4ac.c105.d200    2    20   15  ieee
VLAN0013         32781 (32768,  13) f4ac.c105.d200    2    20   15  ieee
VLAN0024         24600 (24576,  24) f4ac.c105.d200    2    20   15  ieee
SW3#

This is because the previous root priority was 32768. The “secondary” macro is also available; had we
used it, the priority would have changed to 28762. This is to ensure that you can configure a primary root
bridge and a secondary root bridge of your choice.

Once you configure the “primary” or the “secondary” macro, the priority is put explicitly in the
configuration in the same way as you would have configured it:

spanning-tree vlan 24 priority 24576

Now let’s get back to VLAN 13 and see how we can modify the cost of an interface to alter the shortest
path to the root bridge.

Remember that SW3 had to use Gi0/1 to reach SW34, the root bridge. The cost was 4. This is because
between SW3 and SW34 there is only one GigabitEthernet link whose cost is 4.

VLAN0013
  Spanning tree enabled protocol ieee
  Root ID    Priority    32781
             Address     0027.0c1a.db80
             Cost        4
             Port        2 (GigabitEthernet0/1)

The spanning tree cost change for an interface is done on the actual interface like this:

SW3#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW3(config)#int gi0/1

SW3(config-if)#spanning-tree cost ?

<1-200000000> port path cost

SW3(config-if)#spanning-tree cost 100

SW3(config-if)#end

SW3#

In this case, we configured a cost of 100 for Gi0/1. So the current situation is like this: SW3 can reach
SW34 directly with a cost of 100 or it can reach SW34 through SW12 with a cost of 8. Obviously, the path
with the lowest cost will be chosen and Gi0/0 will be the new root port:

SW3#show spanning-tree vlan 13

VLAN0013
  Spanning tree enabled protocol ieee
  Root ID    Priority    32781
             Address     0027.0c1a.db80
             Cost        8
             Port        1 (GigabitEthernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32781  (priority 32768 sys-id-ext 13)
             Address     f4ac.c105.d200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15  sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    P2p
Gi0/1               Altn BLK 100       128.2    P2p

SW3#

As you can see, there are two links between SW12 and SW34 (Gi0/2 and Gi0/3). Based on the shortest
path selection, there is a tie up to the point where the port ID has to be used. The lower the port ID, the
better. In this case, Gi0/2 has a lower port ID than Gi0/3, hence SW12 is using Gi0/2 as root port. But what
if we want to use Gi0/3 as the root port? We can modify the port priority of Gi0/3 to a lower value than
the one from Gi0/2. Both of them are using the default value of 128.

Let’s modify the port priority of Gi0/3 and then confirm that the new root port on SW12 is Gi0/3.
Remember that the configuration has to be done on SW34 so that SW12 will see in the BPDUs received
from SW34 that the port priority has changed:

SW34(config)#int gi0/3

SW34(config-if)#spanning-tree port-priority 64

SW34(config-if)#end

SW34#

Let’s now confirm that the root port on SW12 is Gi0/3:

VLAN0013
  Spanning tree enabled protocol ieee
  Root ID    Priority    32781
             Address     0027.0c1a.db80
             Cost        4
             Port        4 (GigabitEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
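To make the comparisons behind these outputs concrete, here is an added Python example (not code from the book or from Cisco IOS) that models the 802.1D root bridge election and root port selection with the bridge IDs, costs and port numbers shown in this section: the priority change that made SW3 root for VLAN 24, the cost 100 on SW3 Gi0/1 that moved its root port to Gi0/0, and the port priority 64 on SW34 Gi0/3 that moved SW12's root port. SW12's MAC address and the port number it sends BPDUs on are not shown in the book, so constructed placeholders are used for them; the port ID layout (4-bit priority, 12-bit port number) is the 802.1t one that IOS displays as 128.1.

```python
"""STP election helpers: root bridge, root port and the port-ID tie-break.

Added example, not the book's own code. It models the lowest-wins
comparisons an IEEE 802.1D switch makes on received BPDUs, fed with the
bridge IDs, costs and port numbers taken from this chapter's show output.
"""
from dataclasses import dataclass


def mac_to_int(mac: str) -> int:
    """Cisco dotted MAC (f4ac.c105.d200) -> integer, so MACs compare numerically."""
    return int(mac.replace(".", ""), 16)


def bridge_id(base_priority: int, vlan: int, mac: str) -> tuple:
    """Bridge ID as IOS shows it: base priority (multiple of 4096) + sys-id-ext (the VLAN), then MAC."""
    return (base_priority + vlan, mac_to_int(mac))


def elect_root(candidates: dict) -> str:
    """candidates maps switch name -> bridge ID; the numerically lowest ID is root.
    The MAC only decides when the priorities are equal."""
    return min(candidates, key=candidates.get)


@dataclass(frozen=True)
class RootPath:
    """A BPDU heard on one local port, i.e. one candidate path to the root."""
    local_port: str
    cost: int                   # root path cost in the BPDU + cost of the receiving port
    sender_bridge_id: tuple
    sender_port_priority: int   # 128 unless changed with 'spanning-tree port-priority'
    sender_port_number: int

    def key(self) -> tuple:
        # 802.1D tie-break order: cost, sender bridge ID, sender port priority, sender port number
        return (self.cost, self.sender_bridge_id,
                self.sender_port_priority, self.sender_port_number)


def select_root_port(paths) -> str:
    return min(paths, key=RootPath.key).local_port


def decode_port_id(port_id: int) -> tuple:
    """Split the 16-bit port ID from 'debug spanning-tree' (e.g. 0x8001) into (priority, port number).
    802.1t layout: the top 4 bits hold priority/16, the low 12 bits the port number."""
    return ((port_id >> 12) << 4, port_id & 0x0FFF)


# MACs from the chapter's show output. SW12's MAC is not shown, so a constructed value is used.
SW3_MAC = "f4ac.c105.d200"
SW34_MAC = "0027.0c1a.db80"
SW12_MAC = "0011.2233.4455"   # constructed placeholder


def root_for_vlan(vlan: int, sw3_base: int, sw34_base: int) -> str:
    """Who is root once SW3 and SW34 advertise the given base priorities for this VLAN."""
    return elect_root({"SW3": bridge_id(sw3_base, vlan, SW3_MAC),
                       "SW34": bridge_id(sw34_base, vlan, SW34_MAC)})


def sw3_root_port_vlan13(gi01_port_cost: int) -> str:
    """SW3 hears the VLAN 13 root (SW34) directly on Gi0/1 and through SW12 on Gi0/0."""
    sw34 = bridge_id(32768, 13, SW34_MAC)
    sw12 = bridge_id(32768, 13, SW12_MAC)
    paths = [
        # the root advertises cost 0; SW34 sends on its port 5 (Gi0/4)
        RootPath("Gi0/1", 0 + gi01_port_cost, sw34, 128, 5),
        # SW12 is 4 from the root and SW3's Gi0/0 adds 4; SW12's port number is a constructed guess
        RootPath("Gi0/0", 4 + 4, sw12, 128, 1),
    ]
    return select_root_port(paths)


def sw12_root_port_vlan13(sw34_gi03_priority: int) -> str:
    """SW12 has two equal-cost links to SW34; the sender's port priority, then port number, breaks the tie."""
    sw34 = bridge_id(32768, 13, SW34_MAC)
    paths = [
        RootPath("Gi0/2", 4, sw34, 128, 3),                   # SW34's Gi0/2 is 128.3
        RootPath("Gi0/3", 4, sw34, sw34_gi03_priority, 4),    # SW34's Gi0/3 is 128.4 by default
    ]
    return select_root_port(paths)


if __name__ == "__main__":
    print("VLAN 24 root after 'priority 24576' on SW3:", root_for_vlan(24, 24576, 32768))
    print("VLAN 13 root with equal priorities:", root_for_vlan(13, 32768, 32768))
    print("SW3 root port, Gi0/1 cost 4:", sw3_root_port_vlan13(4))
    print("SW3 root port, Gi0/1 cost 100:", sw3_root_port_vlan13(100))
    print("SW12 root port, default port priorities:", sw12_root_port_vlan13(128))
    print("SW12 root port, SW34 Gi0/3 priority 64:", sw12_root_port_vlan13(64))
    print("port id 0x8001 decodes to", decode_port_id(0x8001))
```

Note how the MAC only matters in the VLAN 13 case, where both bridges sit at 32781: SW34 wins because 0027.0c1a.db80 is numerically lower than f4ac.c105.d200, which is also why a switch with a factory MAC that happens to be low can become root in an unplanned network.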

Configuring Spanning Tree Protocol and Features, Continued

This is the second part of the series on Spanning Tree Protocol and here we discuss its features that can
enhance its operation. More specifically, we will discuss and configure the following features:

• PortFast
• Root Guard
• Loop Guard
• BPDU Guard
• BPDU Filter

Below is our topology, with 2 VLANs configured and two hosts in each VLAN:


In the above topology, everything was left at default with regards to the Spanning Tree Protocol. The
VLANs and the interfaces from all switches in the respective VLANs were configured. Also, the interfaces
between all three switches were configured as trunk allowing all VLANs.

PortFast

Let’s start with the PortFast feature. PortFast is an STP feature that allows a port on which STP is running
to transition directly from the blocking state to the forwarding state without going through the listening
and learning states.

To demonstrate this, let’s see what happens when Gi0/0 from SW12 is brought up after it was shut down.
The debugging information is captured by the “debug spanning-tree events” and “debug
spanning-tree general” commands:

*May 10 02:06:11.595: set portid: VLAN0013 Gi0/0: new port id 8001
*May 10 02:06:11.595: Created spanning tree port Gi0/0 (ACFFE034) for tree VLAN0013 (ADB93CC0)
*May 10 02:06:11.595: Enabling spanning tree port: GigabitEthernet0/0 (ACFFE034)
*May 10 02:06:11.595: STP: VLAN0013 Gi0/0 -> listening
*May 10 02:06:13.584: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 10 02:06:14.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
*May 10 02:06:26.603: STP: VLAN0013 Gi0/0 -> learning
*May 10 02:06:41.610: STP[13]: Generating TC trap for port GigabitEthernet0/0
*May 10 02:06:41.610: STP: VLAN0013 sent Topology Change Notice on Gi0/3
*May 10 02:06:41.610: STP: VLAN0013 Gi0/0 -> forwarding

As you can see, it takes 30 seconds from the moment the port is brought up until it transitions to a
forwarding state.

Let’s configure PortFast on Gi0/0 before we bring the port up:

SW12(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet0/0 but will only
 have effect when the interface is in a non-trunking mode.
SW12(config-if)#

Now let’s bring the port up and see what the debug commands are showing:

*May 10 02:32:48.097: set portid: VLAN0013 Gi0/0: new port id 8001
*May 10 02:32:48.097: Created spanning tree port Gi0/0 (ACFFE034) for tree VLAN0013 (ADB93CC0)
*May 10 02:32:48.097: Enabling spanning tree port: GigabitEthernet0/0 (ACFFE034)
*May 10 02:32:48.097: STP: VLAN0013 Gi0/0 ->jump to forwarding from blocking
*May 10 02:32:50.089: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*May 10 02:32:51.093: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

You can check whether a port has PortFast enabled using this command:

SW12#show spanning-tree interface gi0/0 portfast

VLAN0013 enabled

SW12#

As you can see, the port transitioned right away to forwarding state and once the interface comes up, it
can start transmitting and receiving traffic.

There is an option to enable PortFast on all access ports like so:

SW12(config)#spanning-tree portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.

SW12(config)#

It is recommended to enable PortFast on all ports where hosts or routers (that don’t run any STP form)
are connected so that they use only the minimum time to wait before traffic can be sent or received.

Before we move on and discuss other STP features, let’s talk about inconsistent ports. An inconsistent
port is a port that was blocked by STP due to an irregularity that was detected by one of the Root Guard,
Loop Guard or BPDU Guard features.

Root Guard

The root guard feature provides the ability to enforce the root bridge placement in the network. It ensures
that the port configured with this feature is a designated port and will not become a root port.


This feature is useful as a way to prevent users from adding a switch in the network that can become the
root bridge.

Let’s configure the feature on our setup. Right now, SW34 is the root bridge and let’s assume that SW3 is
an unauthorized switch added that has a lower priority than SW34. Without the feature, SW3 will become
the root bridge with undesirable effects on the network.

The feature is configured on SW34 on the interface towards SW3. Also the feature should be configured
on SW12 on the interface towards SW3 as well. The configuration is identical:

SW34#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW34(config)#int gi0/4
SW34(config-if)#spanning-tree guard root
*May 10 04:06:28.478: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port GigabitEthernet0/4.
SW34(config-if)#end
SW34#

Now let’s modify the priority on SW3 for VLAN 13 (the same can be configured for VLAN 24 as well) and
see what is happening on SW34:

SW3(config)#spanning-tree vlan 13 priority 4096

SW3(config)#

Right away, this is detected by SW34 and the port is blocked for VLAN 13:

SW34#
*May 10 04:10:36.879: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/4 on VLAN0013.
SW34#

Also, the port is now in inconsistent state for VLAN 13:

SW34#show spanning-tree vlan 13
===== output cut for brevity =====
Gi0/4               Desg BKN*4         128.5    P2p *ROOT_Inc
===== output cut for brevity =====
SW34#

You can check what ports are in inconsistent state and why using this:

SW34#show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0013             GigabitEthernet0/4       Root Inconsistent

Number of inconsistent ports (segments) in the system : 1
SW34#

Once I put back the default priority on SW3, the port is unblocked and removed from inconsistent state:

*May 10 04:16:15.668: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet0/4 on VLAN0013.

Loop Guard

Let’s move further with another STP feature, Loop Guard. The Loop Guard feature provides additional
protection against Layer 2 loops. If BPDUs are not received on a non-designated port anymore and Loop
Guard is enabled, that port will be moved into the STP loop-inconsistent blocking state. Without the Loop
Guard feature, the port assumes the designated port role. The port then moves to forwarding state and a
loop is created.

We will enable Loop Guard on SW3 on the interface towards SW34:

SW3(config)#int gi0/1
SW3(config-if)#spanning-tree guard loop
SW3(config-if)#end
SW3#

Now, due to a hardware failure on SW34, no BPDUs are sent for any of the VLANs (1, 13 and 24) from
SW34 to SW3. However, the interface on SW3 is still up and still expects BPDUs. This is the moment when
SW3 could induce an L2 loop.

But because Loop Guard is configured, the port is put in inconsistent state for all VLANs:

*May 10 04:52:03.226: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0001.
*May 10 04:52:03.342: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0013.
*May 10 04:52:03.401: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/1 on VLAN0024.

This is confirmed by checking the STP state for any of the VLANs. This is for VLAN 13:

SW3#show spanning-tree vlan 13
===== output cut for brevity =====
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/0               Root FWD 4         128.1    P2p
Gi0/1               Desg BKN*4         128.2    P2p *LOOP_Inc
===== output cut for brevity =====
SW3#

Also, we can see the reasons why the port went in inconsistent state:

SW3#show spanning-tree inconsistentports

Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
VLAN0001             GigabitEthernet0/1       Loop Inconsistent
VLAN0013             GigabitEthernet0/1       Loop Inconsistent
VLAN0024             GigabitEthernet0/1       Loop Inconsistent

Number of inconsistent ports (segments) in the system : 3
SW3#

BPDU Guard

The next feature that we will discuss is BPDU Guard. This is a straightforward feature and ensures that the
port will go in errdisable state in case a BPDU is received. This should be configured on ports that should
never receive a BPDU.

Let’s test this on our topology: we will configure SW3 Gi0/1 so that the port is err-disabled if any BPDU is
received on that interface. SW3 is receiving BPDUs from SW34 on that interface because SW34 is the root
bridge.

Once this is configured:

SW3#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW3(config)#int gi0/1

SW3(config-if)#spanning-tree bpduguard enable

The port goes down due to errdisable:

*May 10 06:21:16.677: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi0/1 with BPDU Guard enabled. Disabling port.
*May 10 06:21:16.677: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/1, putting Gi0/1 in err-disable state
*May 10 06:21:17.681: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*May 10 06:21:18.690: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down

If you check the status of the interface, you will see the reason:

SW3# show interfaces gi0/1

GigabitEthernet0/1 is down, line protocol is down (err-disabled)

BPDU Filter

The last STP feature is BPDU Filter. The BPDU Filter feature allows you to suppress sending BPDUs on a
specific interface. BPDUs might be sent when the interface comes up and, if the other side has BPDU Guard
enabled, it will bring down its interface. To avoid this, it is advisable to ensure that no BPDU is sent on
such an interface.

First let’s confirm that we are sending BPDUs. We will check and configure the feature on SW34 on
interface Gi0/4:

SW34#show spanning-tree interface gi0/4 detail | i BPDU:

BPDU: sent 2604, received 2

BPDU: sent 2604, received 2

BPDU: sent 2604, received 2

SW34#show spanning-tree interface gi0/4 detail | i BPDU:

BPDU: sent 2637, received 2

BPDU: sent 2637, received 2

BPDU: sent 2637, received 2

SW34#


Now let’s configure BPDU Filter on the interface:

SW34#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW34(config)#int gi0/4

SW34(config-if)#spanning-tree bpdufilter enable

SW34(config-if)#end

SW34#

And let’s capture the number of BPDUs sent and received on this interface a few times:

SW34#show spanning-tree interface gi0/4 detail | i BPDU:

BPDU: sent 2674, received 2

BPDU: sent 2674, received 2

BPDU: sent 2674, received 2

SW34#show spanning-tree interface gi0/4 detail | i BPDU:

BPDU: sent 2674, received 2

BPDU: sent 2674, received 2

BPDU: sent 2674, received 2

SW34#show spanning-tree interface gi0/4 detail | i BPDU:

BPDU: sent 2674, received 2

BPDU: sent 2674, received 2

BPDU: sent 2674, received 2

SW34#

Of course, in this moment, STP is broken and SW3 will switch over to SW12 to reach the root bridge,
SW34.

If you have followed the chapter to this point with a clear understanding, you should now have a good
grasp of STP, at least configuration-wise, and be better prepared for the CCNA exam.


Chapter 30: EtherChannel

EtherChannel is the Cisco term for the technology that enables the bonding of up to eight physical
Ethernet links into a single logical link. EtherChannel technology was invented by Kalpana in the early
1990s; the company was acquired by Cisco Systems in 1994. In 2000, the IEEE passed 802.3ad, which is an
open standard version of EtherChannel.

Cisco originally referred to EtherChannel as Fast EtherChannel (FEC), as it was only available on Fast
Ethernet at the time. The technology is also called Gigabit EtherChannel (GEC) or, more generically, just
port channel. The non-Cisco term is generally link aggregation, or LAG for short. EtherChannel is a port
link aggregation technology, or port-channel architecture, used primarily on Cisco switches. It allows the
grouping of several physical Ethernet links into one logical Ethernet link for the purpose of providing
fault tolerance and high-speed links between switches, routers, and servers. On Cisco switches, it is
possible to create logical connections that are made up of different physical interfaces, provided that
these interfaces have the same speed. Most Cisco switches support a maximum of 64 EtherChannels. The
member interfaces do not have to be contiguous or even on the same module. Each channel must be
made up of a minimum of 2 and a maximum of 8 interfaces. It is best to use 2, 4, or 8 interfaces, as this
gives perfect load-balancing.

An EtherChannel can be created from between two and eight active fast, gigabit or 10-gigabit Ethernet
ports, with an additional one to eight inactive (failover) ports which become active as the other active
ports fail. EtherChannel is primarily used in the backbone network, but can also be used to connect end
user machines as shown in Figs. 1 and 2.

Port Aggregation:

When a switched network spans multiple switches, some method of linking those switches must be used.
A single fast Ethernet or gigabit Ethernet port can be used to uplink between switches, but this introduces
a bottleneck to the flow of traffic. For example, when using a 24-port catalyst switch, imagine having to
pipe the traffic of 23 ports over a single port to reach another switch! Unfortunately, we cannot simply
connect two or more ports from one switch to another switch, as this introduces a switching loop to the
network. The result would be an almost instantaneous broadcast storm.

EtherChannel Protocols:


EtherChannel can either be configured manually, or can be dynamically negotiated via one of two
protocols:

• PAgP (port aggregation protocol)—Cisco’s proprietary aggregating protocol.

• LACP (link aggregation control protocol)—The IEEE standardized aggregation protocol, otherwise
known as 802.3ad.

Both PAgP and LACP exchange packets between switches in order to form the EtherChannel. However,
when the EtherChannel is manually configured (i.e., set to on), no update packets are exchanged. Thus,
an EtherChannel will not be formed if one switch has a manually configured EtherChannel and the other
switch is configured with a dynamic protocol (PAgP or LACP). Furthermore, PAgP and/or LACP
configuration must be removed from a switch’s interfaces before a manual EtherChannel can be formed.

EtherChannel Requirements:

EtherChannels can be formed with either access or trunk ports. An EtherChannel comprising access ports
provides increased bandwidth and redundancy to a host device, such as a server. The host device must
support a port aggregation protocol, such as LACP. EtherChannels comprised of trunk ports provide
increased bandwidth and redundancy to other switches.

EtherChannel has been a part of the Cisco IOS for many years, so you should find that all your switches
support it with proper configuration. Do not be afraid to enable it on a pair of ports and try it.

When setting up an EtherChannel connection, remember the following points; they can help you avoid
problems during the configuration process:

• You can configure up to eight ports, and all of these ports should be the same type (Fast Ethernet,
Gigabit Ethernet).
• Set all ports to function at the same speed and duplex settings.
• Ensure that all ports are enabled and that none have been configured using the shutdown command.
• Switchport settings from the first port in the EtherChannel are copied to all other ports in the
EtherChannel when the ports are added to the channel group. This is a copy action and not a link, so
if you change the settings after the fact, you need to change the settings on all ports.

All interfaces in an EtherChannel must be configured identically. Specific settings that must be identical
include:

• Speed settings
• Duplex settings
• STP settings: STP path cost, STP port priority, STP PortFast settings
• VLAN membership (for access ports)
• Native VLAN (for trunk ports)
• Allowed VLANs (for trunk ports)
• Trunking Encapsulation (ISL or 802.1Q, for trunk ports)


When configuring an EtherChannel trunk to another switch, the above configuration should be identical
on both switches. EtherChannels will not form if either dynamic VLANs or port security are enabled on
the participating EtherChannel interfaces.

Understanding Port-Channel Interfaces

You can create an EtherChannel for Layer 2 interfaces differently from Layer 3 interfaces. Both
configurations involve logical interfaces.

• With Layer 3 interfaces, you manually create the logical interface by using the interface port-channel
global configuration command.
• With Layer 2 interfaces, the logical interface is dynamically created.
• With both Layer 3 and Layer 2 interfaces, you manually assign an interface to the EtherChannel by using
the channel-group interface configuration command. This command binds the physical and logical ports
together.

Each EtherChannel has a logical port-channel interface numbered from 1 to 64. The channel groups are
also numbered from 1 to 64.

Cisco’s GigaStack, FlexStack, and other proprietary high speed inter-switch links should never be
configured as part of an EtherChannel because these stacking ports have specific functionality enabled for
stacking functions that is not compatible with EtherChannel. Only use standard connection ports on the
front of your switch for EtherChannel connections.

The basic process for configuring your EtherChannel interfaces is as follows:

1. Connect to the command-line interface (CLI) of your switch. This connection may be via SSH, Telnet, or
the console port.

2. Access privileged EXEC mode:
Switch1> enable

3. Access global configuration mode:
Switch1# configure terminal

4. Access interface configuration mode:
Switch1(config)# interface range fastethernet0/1 -2

5. Change the switchport to trunk or access, but all ports must be in the same VLAN:
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10

6. Assign the port to a channel group, which is an integer between 1 and 6. You also configure PAgP or
LACP at this time by specifying a mode, as listed in the table below:
Switch1(config-if-range)# channel-group 1 mode desirable

7. Use the end command to exit global configuration mode.

EtherChannel Modes:

The following commands are the setup commands you use for configuring one of the switches for
EtherChannel. Notice the keyword "desirable," which means that you will be using the Cisco proprietary
protocol of PAgP. This also means that the switch at the other end of the connections needs to be a Cisco
switch as well.

Switch1> enable
Switch1# configure terminal
Switch1(config)# interface range fastethernet0/1 -2
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10
! use "active" instead of "desirable" to configure LACP
Switch1(config-if-range)# channel-group 1 mode desirable
Switch1(config-if-range)# end

Note that you applied the following configuration on the second switch. Notice that the channel-group
used on this switch is different. Different port groups are allowed because it is simply a local (to the switch)
configuration to keep each port group uniquely identified. Many IT administrators do keep the channel-
group numbers the same because by matching the port group numbers on either end of the connection,
you can avoid confusion for others.

Switch2> enable
Switch2# configure terminal
Switch2(config)# interface range fastethernet0/1 -2
Switch2(config-if-range)# switchport mode access
Switch2(config-if-range)# switchport access vlan 10
! use "passive" instead of "auto" to configure LACP
Switch2(config-if-range)# channel-group 1 mode auto
Switch2(config-if-range)# end

In this configuration, this pair of ports allows you to send data only for VLAN 10 over the EtherChannel
link. To pass traffic for all VLANs, you must configure the switchport as a trunk, because access ports will
only send traffic for one VLAN. Alternatively, you can select the protocol explicitly with channel-protocol:

Switch1(config)# interface range fa0/23 - 24
Switch1(config-if-range)# channel-protocol pagp
Switch1(config-if-range)# channel-group 1 mode desirable

Switch2(config)# interface range fa0/23 - 24
Switch2(config-if-range)# channel-protocol pagp
Switch2(config-if-range)# channel-group 1 mode auto

EtherChannel Load-Balancing

Data sent across an EtherChannel is not load-balanced equally among all interfaces. EtherChannel utilizes
a load-balancing algorithm, which can be based on several forms of criteria, including:

• Source IP Address (src-ip)
• Destination IP Address (dst-ip)
• Both Source and Destination IP (src-dst-ip)
• Source MAC address (src-mac)
• Destination MAC address (dst-mac)
• Both Source and Destination MAC (src-dst-mac)
• Source TCP/UDP port number (src-port)
• Destination TCP/UDP port number (dst-port)
• Both Source and Destination port number (src-dst-port)

On a Catalyst 3550XL, the default load-balancing method for Layer 2 switching is src-mac. For Layer 3
switching, it’s src-dst-ip.
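As an added example (not the book's or Cisco's code), the Python below models why the member count and the chosen criteria matter: Catalyst switches hash the selected fields into 8 buckets and deal the buckets across the member links, so 2, 4 or 8 links each get an equal share of buckets while 3 links get 3/3/2. The hash function itself is a simplified XOR stand-in for the platform-specific one, and the flows are constructed (the only reused value is a host MAC from the earlier MAC table), so only the shape of the distribution carries over to real hardware. It also shows the src-mac pitfall: a single server behind one gateway puts every frame on the same link whatever the member count.

```python
"""Model how a Catalyst EtherChannel picks the member link for each frame.

Added example, not the book's or Cisco's code. Catalyst switches hash the
fields selected with 'port-channel load-balance' into 8 buckets and map
the buckets onto member links; that 8-bucket mapping is real Catalyst
behaviour, while the XOR-of-the-fields hash below is a simplified stand-in
for the platform-specific function.
"""
import ipaddress
from collections import Counter

BUCKETS = 8   # 3-bit hash result on classic Catalyst hardware

# load-balance keyword -> flow fields that feed the hash
FIELD_SETS = {
    "src-mac": ("src_mac",), "dst-mac": ("dst_mac",), "src-dst-mac": ("src_mac", "dst_mac"),
    "src-ip": ("src_ip",), "dst-ip": ("dst_ip",), "src-dst-ip": ("src_ip", "dst_ip"),
    "src-port": ("src_port",), "dst-port": ("dst_port",), "src-dst-port": ("src_port", "dst_port"),
}


def to_int(value) -> int:
    """Ports are already ints; IPs go through ipaddress; anything else is a Cisco dotted MAC."""
    if isinstance(value, int):
        return value
    try:
        return int(ipaddress.ip_address(value))
    except ValueError:
        return int(value.replace(".", ""), 16)


def bucket_for(flow: dict, method: str) -> int:
    """Simplified hash: XOR the selected fields and keep the low 3 bits."""
    h = 0
    for field in FIELD_SETS[method]:
        h ^= to_int(flow[field])
    return h % BUCKETS


def bucket_to_link(num_links: int) -> list:
    """Buckets are dealt round-robin: 2 links -> 4+4, 3 links -> 3+3+2, 4 links -> 2 each, 8 -> 1 each."""
    return [b % num_links for b in range(BUCKETS)]


def select_link(flow: dict, num_links: int, method: str) -> int:
    return bucket_to_link(num_links)[bucket_for(flow, method)]


def distribution(flows, num_links: int, method: str) -> dict:
    """Flows per member link, including links that received nothing."""
    counts = Counter(select_link(f, num_links, method) for f in flows)
    return {link: counts.get(link, 0) for link in range(num_links)}


# Constructed traffic: one server (MAC taken from the chapter's MAC table) answering 16 clients
# behind the same default gateway, so every frame carries the same source and destination MAC.
SERVER_MAC = "0050.7966.6805"
GATEWAY_MAC = "0000.0c07.ac01"      # constructed
FLOWS = [
    {"src_mac": SERVER_MAC, "dst_mac": GATEWAY_MAC,
     "src_ip": "192.168.20.1", "dst_ip": f"10.0.0.{k}",
     "src_port": 443, "dst_port": 49152 + k}
    for k in range(1, 17)
]

if __name__ == "__main__":
    for method in ("src-mac", "src-dst-mac", "src-dst-ip", "src-dst-port"):
        for links in (2, 3, 4):
            print(f"{method:13s} {links} links -> {distribution(FLOWS, links, method)}")
```

With the sample flows, src-mac and src-dst-mac put all 16 flows on one link no matter how many members exist, src-dst-ip gives 8/8 on two links and 4 each on four, and three links give 6/6/4: the 3/3/2 bucket split is the reason the text recommends 2, 4 or 8 members.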

EtherChannel Load-Balancing Configuration

To configure the load-balancing method to use:

Switch(config)# port-channel load-balance TYPE

For example, to switch the load-balancing method to source TCP/UDP port number:

Switch(config)# port-channel load-balance src-port


To view the currently configured load-balancing method, including the current load on each link:

Switch# show etherchannel port-channel

The example below shows how to create the logical port channel (1) and assign 192.168.20.1 as its IP
address:

Switch# configure terminal
! as shown in Fig. 2
Switch(config)# interface port-channel 1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# end

Show commands:

• show interfaces port-channel [channel-group-number]
• show etherchannel [channel-group-number] summary

Verify commands:

• test etherchannel load-balance interface port-channel [#] ip [src] [dst]

I hope you will try to run all of these commands, either on a real device or in Packet Tracer/GNS3, in
order to get some hands-on experience.


Chapter 31: Troubleshooting LAN Switches

In this chapter, our main focus will be on troubleshooting various LAN problems that you might run into
when dealing with Cisco switches. Remember, I have used only “show” commands to find the problems
that keep the hosts from communicating with each other. The configuration will be checked only to
confirm the configuration errors.

The topology we are going to use in the entire chapter is described below:

Host-1 and Host-2 are in VLAN 10 and Host-3 and Host-4 are in VLAN 20. Our goal is to have
communication between hosts in the same VLAN. Another constraint is to have communication between
the hosts in the same VLAN even if the direct link between the switches where the hosts are connected is
unavailable (the link has problems and cannot be used). For instance, if the link between SW-1 and SW-2
is down, Host-1 should reach Host-2 using the path SW-1 – SW-3 – SW-2.

So, let’s start by checking the communication in VLAN 10 between Host-1 and Host-2 by pinging Host-2
from Host-1:


We don’t have reachability; it seems that the ICMP packets are not received by Host-2. Or maybe they are
received, but the returning packets are not received by Host-1.

The first step in this scenario will be to make sure that the MAC address of Host-1 is known by SW-1 and
SW-2 and the MAC address of Host-2 is known by SW-1 and SW-2.

Let’s check if MAC address of Host-1 is present in the MAC address table of SW-1 and SW-2:

Let’s check the presence of Host-1 MAC address in SW-2:

We don’t have the MAC address. Now we know why there is no communication between the two hosts.

At this moment, one option that we can think of is that the link between SW-1 and SW-2 is broken.

Our luck is that we have CDP enabled and we can check if both switches are seeing each other as CDP
neighbours:


We now have the confirmation that the link is working fine, as you can see in the above outputs.

Remember that the hosts are in VLAN 10, therefore the interfaces on both switches should be either in
access mode in VLAN 10 or they should allow VLAN 10 on the interface if they are trunk interfaces.

Let’s check the interface GigabitEthernet 8/3 from SW-1:

So the interface is a trunk interface, allowing all VLANs.

On SW-2:


By comparing the “Trunking VLANs Enabled” section of the two outputs, we can conclude that SW-2
doesn’t allow VLAN 10 on the trunk interface towards SW-1.

We have to allow VLAN 10 and see if the MAC address of Host-1 will be present in SW-2 MAC address
table:


Now SW-2 can send traffic to Host-1 as it has the MAC address to which it should send the traffic.

SW-2 should have the MAC address of Host-2 in its MAC address table. Let’s check if we have the MAC
address of Host-2, which is connected on interface gi1/0/23:

The first MAC address is the MAC address of the interface gi8/3 from SW-1.

The second MAC address is the MAC address of Host-1. Because we don’t have any MAC address
learned on this interface, the first step would be to check the status of the interface gi1/0/23:

This output explains clearly why there is no MAC address learned:

“GigabitEthernet1/0/23 is down, line protocol is down (err-disabled)”

The interface is down because an error occurred on the port. The port was brought down automatically.

This is how you can check why the port was err-disabled:


Under Reason you can see “psecure-violation.” This means that a port-security configuration is in place
at that port and the error condition was met.

Let’s use “show port-security interface” command to check the specific configuration of port-security on
gi1/0/23 interface:

How do you read this output?

Port security is enabled on this port. If the expected behavior is violated, the port is shut down (violation
mode shutdown). The maximum number of MAC addresses allowed on the port is 1. The last MAC address
seen on the port, and the one that triggered port security, is 8071.1fcf.fc8e. The VLAN over which that
MAC was learned is 10. You can recover the port from the err-disabled state with shutdown/no shutdown
on the interface, but if the error condition is still present, the port will be err-disabled again.

In this specific case, I intentionally connected three devices to port gi1/0/23 to trigger the error
condition.

In the logs, you can see that, almost at the same time, two additional MACs trigger violations that get
gi1/0/23 disabled:

May 30 08:35:29.154 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 8071.1fcf.fc8d on port GigabitEthernet1/0/23.
May 30 09:39:29.794 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 8071.1fcf.fc8e on port GigabitEthernet1/0/23.
May 30 09:39:30.793 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/23, changed state to down
May 30 09:39:31.799 CET: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/23, changed state to down

Let’s check the configuration of gi1/0/23 for confirmation:

As you know, by default the violation mode is shutdown and the maximum number of MACs allowed on
the port is 1. This is why you don’t see them explicitly in the configuration.

After a shutdown/no shutdown on the interface, we can see that SW-2 now has both the Host-1 and Host-2
MAC addresses:

Let’s also check on SW-1:

Everything seems to be in order, so it’s time to check the connectivity between Host-1 and Host-2 again:

Now that we are done with the communication between Host-1 and Host-2, it’s time to check the
communication between Host-3 and Host-4:

The two links between SW-2 and SW-3 (gi1/0/9 and gi1/0/10) are part of a logical bundle called a port
channel.

The EtherChannel protocol is LACP.

Let’s quickly, as before, check if the MAC addresses of the two hosts are present on SW-2 and SW-3:

And for SW-3:

So we don’t have any port-security problems on the access ports. Now that we know both MAC
addresses of the hosts, let’s see if the MAC of Host-4 is present in the MAC table of SW-2 in VLAN 20:

The MAC address should have been learned over interface Port-channel1, but it was not.

Checking the operational status of interface Port-channel1 on SW-2, we see that the physical links are
not in the bundle even though they are configured to be:

While this command tells us the status of the Port-channel interface, it doesn’t give us much
information, so we can use the “show etherchannel port” command for detailed information about the
physical interfaces:

As you can see, both gi1/0/9 and gi1/0/10 are configured in a similar way.

One thing that you should always remember is the mode of the protocol.

For LACP you have active and passive. If both sides are active, the port channel will be established. If
only one side is active and the other is passive, the port channel will still be established. If both sides
are passive, the port channel will not be established.

In our case, SW-2 is configured as passive. This means that we must have active mode on SW-3.

Let’s use the same command to check the mode:

Busted! SW-3 is configured as passive as well. No wonder the Portchannel didn’t come up.

We will configure SW-2 as active to see if the Portchannel interface will come up:

It’s time to check one more time the connectivity between Host-3 and Host-4:

So we have connectivity between Host-3 and Host-4.

Right now the path of the traffic between Host-3 and Host-4 is SW-2 – SW-3.

The topology is built in such a way that there is redundancy in case the link between any two switches
fails. The traffic should be rerouted through the alternate path.

For instance, the traffic between Host-3 and Host-4 should take the path SW-2 – SW-1 – SW-3 if the
Portchannel interface between SW-2 and SW-3 is down.

Let’s simulate the Portchannel1 interface failure on SW-2 and let’s check one more time the connectivity
between Host-3 and Host-4:

Well, this is not good. We don’t have redundancy.

As a side note, the redundancy in this case is accomplished by the spanning tree protocol. The range of
problems that one can have with this protocol is very wide, and many times advanced troubleshooting
skills are needed. For this chapter, spanning tree was configured correctly, and any issue that might
appear is not related to it.

Coming back to our problem, it seems that there is an issue on the link between SW-1 and SW-3.

Nothing is obviously wrong with the configuration of the interface gi1/0/11 from SW-3.

Let’s check the interface from SW-1:

The problem might not be that obvious, but this is a Dynamic Trunking Protocol (DTP) problem.

Both interfaces are configured as “dynamic auto,” hence a trunk link between SW-1 and SW-3 will not be
formed. This can be verified by looking at “Operational Mode,” which is “static access.”

Remember, if one side is configured as “dynamic auto,” then the other one should be configured as
either “trunk” (trunking on) or “dynamic desirable.”

By configuring SW-3 as trunk, we should see the interface on SW-1 operating as a trunk as well:

But it still isn’t:

But while I was configuring the interface on SW-3, this message was logged on SW-1:

May 30 23:30:21.658 CET: %DTP-SP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Gi8/11 because of VTP domain mismatch

This means that the VTP domains are different on SW-1 and SW-3. If this happens, then, as the
message says, trunk negotiation does not take place.

At this moment you have two choices: either change the VTP domains to be identical on both switches
or force the links to become trunks.

We will change the VTP domain on SW-3; first let’s check it, then change it:

The connectivity between Host-3 and Host-4 should now be restored:

Now we have a fully functional and redundant network.

At this point in the chapter, we have encountered the most common problems that one will see when
operating Cisco switches.

In switched networks, always start troubleshooting from the point closest to the user complaining about
connectivity problems.

As a summary, you should follow these steps to troubleshoot Cisco switches:

 Check if you are learning the MAC addresses of the hosts on the closest switch.
 Check on the next switch if the MAC addresses of the hosts were learned.
 Continue to check all the switches on the path between the hosts.
 Make sure that both source/destination MACs are learned on all switches along the path.
 If a MAC is not learned by some switches along the path, then check if the correct VLANs are
configured and if they are allowed on the trunk interface.
 If EtherChannel is used, make sure that you use the same protocol on both sides, LACP or PAgP.
 Make sure that you configure at least one side of the EtherChannel as active or desirable.
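The checklist above turned into a checker for one switch-to-switch link, as an added example rather than code from the book: each Side holds one interface's settings and check_link reports the chapter's findings (VLAN 10 missing from the SW-2 trunk, LACP passive/passive on Port-channel1, dynamic auto on both ends of the SW-1 to SW-3 link, and the VTP domain mismatch). The SW-2 port towards SW-1, its allowed-VLAN list and the VTP domain names are constructed, and the VTP rule follows the chapter: a domain mismatch blocks DTP negotiation, while two ends both set to trunk still come up.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Side:
    """One end of a switch-to-switch link (constructed settings, see lead-in)."""
    switch: str
    port: str
    mode: str                         # access | trunk | dynamic auto | dynamic desirable
    vlan: int = 1                     # access VLAN
    allowed: Set[int] = field(default_factory=lambda: set(range(1, 4095)))  # trunk allowed list
    vtp_domain: str = ""
    ec_protocol: Optional[str] = None  # "lacp", "pagp", or None when not bundled
    ec_mode: Optional[str] = None      # lacp: active/passive; pagp: desirable/auto; or "on"


# Mode pairs that actually bundle; any other pair leaves the members suspended.
LACP_OK = {("active", "active"), ("active", "passive"), ("passive", "active")}
PAGP_OK = {("desirable", "desirable"), ("desirable", "auto"), ("auto", "desirable")}


def bundle_forms(a: Side, b: Side) -> bool:
    if "on" in (a.ec_mode, b.ec_mode):
        return a.ec_mode == b.ec_mode == "on"    # "on" runs no protocol, so both must be on
    if a.ec_protocol != b.ec_protocol:
        return False                             # LACP on one side, PAgP on the other
    return (a.ec_mode, b.ec_mode) in (LACP_OK if a.ec_protocol == "lacp" else PAGP_OK)


def trunk_forms(a: Side, b: Side) -> bool:
    """DTP outcome. Two unconditional 'trunk' ends need no negotiation; any
    dynamic end needs DTP, which refuses to negotiate across different VTP
    domains; and auto/auto never asks for a trunk."""
    if "access" in (a.mode, b.mode):
        return False
    if a.mode == b.mode == "trunk":
        return True
    if a.vtp_domain != b.vtp_domain:
        return False
    return "trunk" in (a.mode, b.mode) or "dynamic desirable" in (a.mode, b.mode)


def check_link(a: Side, b: Side, vlan: int) -> List[str]:
    """Findings for traffic in `vlan` crossing the link a<->b (empty = healthy)."""
    findings = []
    if any((a.ec_protocol, b.ec_protocol, a.ec_mode, b.ec_mode)) and not bundle_forms(a, b):
        findings.append(f"port-channel will not bundle: {a.switch} {a.ec_protocol} {a.ec_mode} / "
                        f"{b.switch} {b.ec_protocol} {b.ec_mode}")
    trunk = trunk_forms(a, b)
    if not trunk and "access" not in (a.mode, b.mode):
        if a.mode == b.mode == "dynamic auto":
            findings.append("DTP: dynamic auto on both sides never negotiates a trunk; "
                            "set one side to trunk or dynamic desirable")
        if a.vtp_domain != b.vtp_domain:
            findings.append(f"VTP domain mismatch ({a.vtp_domain!r} vs {b.vtp_domain!r}) "
                            "blocks DTP negotiation")
    if trunk or a.mode == b.mode == "access":    # only meaningful once the link mode is settled
        for s in (a, b):
            if not (vlan in s.allowed if trunk else s.vlan == vlan):
                where = "trunk allowed list" if trunk else f"access VLAN {s.vlan}"
                findings.append(f"{s.switch} {s.port} does not carry VLAN {vlan} ({where})")
    return findings


def chapter_cases() -> dict:
    """The chapter's links, rebuilt from constructed settings (SW-2's port towards
    SW-1, its allowed list and both VTP domain names are assumptions)."""
    sw1_gi8_3 = Side("SW-1", "Gi8/3", "trunk", vtp_domain="intense")
    sw2_to_sw1 = Side("SW-2", "Gi1/0/24", "trunk", allowed={1, 20, 30}, vtp_domain="intense")
    sw2_po1 = Side("SW-2", "Po1", "trunk", vtp_domain="intense", ec_protocol="lacp", ec_mode="passive")
    sw3_po1 = Side("SW-3", "Po1", "trunk", vtp_domain="intense", ec_protocol="lacp", ec_mode="passive")
    sw1_gi8_11 = Side("SW-1", "Gi8/11", "dynamic auto", vtp_domain="intense")
    sw3_auto = Side("SW-3", "Gi1/0/11", "dynamic auto", vtp_domain="school")
    sw3_trunk = Side("SW-3", "Gi1/0/11", "trunk", vtp_domain="school")
    sw3_fixed = Side("SW-3", "Gi1/0/11", "trunk", vtp_domain="intense")
    return {
        "vlan10_not_allowed": check_link(sw1_gi8_3, sw2_to_sw1, 10),
        "lacp_passive_passive": check_link(sw2_po1, sw3_po1, 20),
        "dtp_auto_auto": check_link(sw1_gi8_11, sw3_auto, 20),
        "vtp_mismatch": check_link(sw1_gi8_11, sw3_trunk, 20),
        "fixed": check_link(sw1_gi8_11, sw3_fixed, 20),
    }


if __name__ == "__main__":
    for name, findings in chapter_cases().items():
        print(name, "->", findings or ["OK"])
```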

Chapter 32: Introduction to Wireless LAN

Wired local-area networks (LANs) have been the foundation of enterprise networks for years. They still
are today. However, wireless local-area networks (WLANs) have strongly emerged as the means to extend
the wired network to mobile devices. If you have been into networking, you very likely have set up a
wireless local-area network at home or work. In order to set up a functional wireless network, usually
minimal configuration is needed. Many of the details of wireless theory get overlooked due to this ease
of configuration in smaller deployments. Although wireless technology is not included in the current
CCNA syllabus, I believe the details are important for more complex enterprise deployments.

For most companies, WLANs started out as a convenient way to let guests have an Internet connection
while doing business on site. But that was the past. The perception was that wired networks were faster
and more secure than WLANs. But continual improvements to WLAN standards and technologies have
largely erased those concerns. Now, WLANs have become a critical resource for employees as well as
guests. In addition to laptops, devices such as smart phones and tablets are being increasingly used to
read emails, manage contacts, and carry documents. Bring-your-own-device (BYOD) is not just a hot
buzzword any more. It is a real trend now. The bottom line is that everyone wants the ability to be
productive whether in the office, at home, or in another country—and they want to be able to do it using
their own devices.

Wireless Transmission:

Wireless LANs use radio waves to send and receive data at Layer 1 of the OSI reference model. Wireless
network-interface cards, access points, and other WLAN devices use a built-in radio transceiver
(transmitter + receiver) and antenna to transmit and receive data encoded in radio waves. The wireless
medium is inherently different from copper or optical media. However, the basic idea of encoding data
by modifying the signal is the same. While wired LANs use electrical signals over copper wires or light over
optical cables, WLANs use radio waves that flow through the surrounding air.

Many electronic devices produce radio waves at varying frequencies, some related to the device's
purpose, such as WLAN NICs, cordless phones, and wireless cameras. In other cases, the radio wave
emission is an undesirable side effect. For example, televisions and kitchen appliances radiate some
energy. Energy radiated by one device can interfere with other devices operating at the same range of
radio frequencies. Wireless LANs also suffer from radio interference from other wireless devices. In
addition, wireless LAN transmission is affected by physical surroundings. Wireless energy is generated by
the antennas of wireless devices and radiates outward in all directions. As it encounters a physical object
like a metal cabinet, wall, floor, or ceiling, part of it gets reflected, scattered, and absorbed while part of
it passes through the obstacle. All these factors are taken into account when designing wireless LANs, as
they directly affect the range of effective wireless transmission.

Comparing Wireless and Wired LANs:

At the most basic level, switched networks use wires for connections, and wireless networks don't. A
traditional Ethernet network is defined by the IEEE 802.3 standards, while wireless LANs are defined by
the IEEE 802.11 standards. Even though wireless LANs are also based on standards, the wireless medium
itself is more challenging to control. When a PC attaches to a wired Ethernet network, it shares that
network connection with a known number of other devices that are also connected to the same segment.
When the same PC uses a wireless network, it does so over the air. No wires or outlets exist at the access
layer, and other end users are free to use the same air.

The wireless LAN essentially becomes a shared network, where a varying number of hosts compete with
each other for the use of air at any time. As a result, every wireless connection is in half-duplex mode and
collisions are a part of daily life in wireless LANs. IEEE 802.11 WLANs are always half-duplex because
transmitting and receiving stations use the same frequency. Only one station can transmit at any time;
otherwise, collisions occur. To achieve full-duplex operation, all transmitting would have to take place at
one frequency, and all receiving would occur over a different frequency, much like full-duplex Ethernet
links work, where a separate pair of wires is used to transmit and receive. Although it is certainly possible
and practical to achieve full-duplex communication with WLANs, the IEEE 802.11 standards do not permit
full-duplex operation.

How to Avoid Collisions in a WLAN:

When two or more wireless stations attempt to transmit at the same time, their signals become mixed
with each other. Receiving stations can receive the mixed signal but see the result only as garbled data,
noise, or errors. As a matter of fact, no straightforward method exists to determine whether a collision
has occurred. There exists a basic feedback mechanism to alleviate these situations with wireless LANs.
Whenever a wireless station transmits a frame, the receiving stations must send back an
acknowledgement to confirm that the frame was received without any errors. These acknowledgement
frames serve as a basic collision detection tool and are specific to wireless LANs only; there is no such
mechanism for wired Ethernet LANs. However, these acknowledgements do not work to prevent collisions
from occurring in the first place.

The IEEE 802.11 standards use the carrier sense multiple access/collision avoidance (CSMA/CA) method
as compared to the carrier sense multiple access/collision detection (CSMA/CD) method used by wired
IEEE 802.3 networks. In Ethernet LANs built with a hub, the whole network is a single collision domain,
which means only one device can transmit at one point in time. The CSMA/CD mechanism in wired LANs
dictates that a station wanting to transmit must first check if another station is already transmitting. It can
start its own transmission only if no other station is currently transmitting. Wireless LANs are analogous
to wired LANs in this regard. A wireless station must also check to see if another device is already
transmitting on the wireless medium. It can start its own wireless transmission only if no other device is
already transmitting and the wireless medium is free to be used. Collision avoidance works by requiring
all wireless stations to listen before they transmit a frame.

Wireless Access Point (AP):

The primary function of an access point (AP) is to act as a bridge between the wireless medium and the
normal wired network. An access point can accept wireless connections from a number of wireless clients
and it offers them connectivity to the wired LAN, as if the same clients were using wired connections. An
AP is much like a translational bridge, where frames from two dissimilar media are translated and then
bridged at Layer 2.

An AP can also act as a bridge to form a single wireless link to another AP connecting one LAN to another.
Cisco even offers an AP that can bridge WLAN traffic from AP to AP in a daisy-chain manner. This allows a
large outdoor area to be covered with a WLAN without the need to run cables at all.

Access points act as central points to control client access to the WLAN. Any client attempting to use the
WLAN must first establish an association with an AP. The AP can allow open access so that any client can
associate, or it can tighten control by requiring authentication credentials or other criteria before allowing
associations.

An AP can provide wireless connectivity only to the clients within its range. The AP location must be
carefully planned so that its range matches up with the area in which WLAN coverage is desired. The signal
of a wireless router or access point typically extends up to approximately 300 feet. If there is more than
one access point in your wireless LAN, wireless client devices can roam from one access point to another
without losing connectivity.

Figure 1 Wireless LAN

Service Set Identifier (SSID)


In IEEE 802.11 terminology, a group of wireless devices, typically consisting of an AP and wireless clients,
is known as a service set. The devices in a service set must share a common service set identifier (SSID),
which is nothing more than a text string included in every wireless frame sent and received. For two
wireless devices to communicate successfully, the SSIDs must match across the sender and receiver.

Beacons
Beacons are special frames in IEEE 802.11 WLANs that contain all the information about the network
and are transmitted every 100 ms by default. Access points have the responsibility of periodically
sending beacons. Each beacon received by a wireless station identifies the presence of an AP. By default,
wireless network-interface cards (NICs) passively scan all radio frequency (RF) channels and listen for
beacons coming from access points in order to find a suitable access point. When a beacon is found, the
wireless NIC learns a great deal of information such as SSID, supported data rates, and several other
parameters. The network name or SSID can also be hidden by not broadcasting it publicly in beacons. It
is called cloaking and it serves as a weak security measure.

Wireless LAN Standards


The IEEE 802.11 is a set of wireless LAN standards developed and maintained by the Institute of Electrical
and Electronics Engineers (IEEE). The base version of IEEE 802.11 was released in 1997 and has undergone
several revisions, the most important being 802.11a, 802.11b, 802.11g, and 802.11n. The following table
offers a quick glimpse of various features of these standards.

Table 11-3 WLAN Standards

Feature           802.11a     802.11b     802.11g     802.11n
Year              1999        1999        2003        2008
Data Rate         54 Mbps     11 Mbps     54 Mbps     248 Mbps*
Throughput        23 Mbps     4.3 Mbps    19 Mbps     74 Mbps
Frequency         5 GHz       2.4 GHz     2.4 GHz     2.4 and/or 5 GHz
Compatibility     None        802.11g     802.11b     With 802.11a, b, and g
Range (meters)    35-120      38-140      38-140      70-250
No. of Channels   3           Up to 23    3           14
Transmission      OFDM        DSSS        DSSS/OFDM   MIMO

* With 2x2 antennas

Wireless LAN Security

Most vendors ship wireless products with all security features disabled, that is, with an open access policy.
An open access policy is only suitable for public locations such as cafes, but it is definitely not appropriate
for company networks with mission-critical data circulating on the wireless medium. Wireless security
features must be enabled to protect networks from unauthorized access and other threats.

Security concerns have caused many organizations to avoid WLAN network deployments, regardless of
the numerous benefits they provide. Securing a WLAN is not difficult, but proper security solutions have
to be selected and applied.

Here is a list of features and technologies available to secure wireless networks:

Service Set Identifier (SSID)


Service Set Identifier (SSID) is an arbitrary text string or a name for a WLAN that provides a basic access
control mechanism. Normally, wireless APs broadcast their SSID so that wireless clients can learn about
their presence and use the SSID to connect. But this SSID broadcast can be disabled on the AP if SSID is to
be used as a basic security measure. This basic wireless security measure, achieved by hiding the network
name or SSID from being broadcast publicly, is called cloaking. The network administrator can provide the
SSID information to authorized wireless users to allow connection to the AP.

MAC Address Authentication

Another common WLAN security feature is the use of MAC address authentication. MAC authentication
allows network access only to known MAC addresses. MAC authentication is very simple in concept and
is equally simple to configure. MAC authentication is not specified in the IEEE 802.11 standards, but most
vendors of wireless equipment, including Cisco, support this feature.

Wired Equivalent Privacy (WEP)


Wired equivalent privacy (WEP) was part of the original IEEE 802.11 standard in 1997, providing
authentication and encryption services. A static pre-shared key (PSK) composed of only 64 bits had to be
statically configured on the AP and all wireless clients that need to associate with that AP. The short key
values made it possible to predict the key, based on frames sniffed from the WLAN. Now, it is an
established fact that WEP provides only weak authentication and encryption that can be cracked using
easily available tools. Because of this and the fact that later standards provide much better security, WEP
should not be used today.

Wi-Fi Protected Access (WPA)


In view of the vulnerabilities in WEP, the Wi-Fi Alliance stepped forward and created a multivendor WLAN
security standard. This new standard was called Wi-Fi Protected Access (WPA) and it greatly improved
WLAN security compared to WEP. At that time, IEEE was also working on the 802.11i security standard,
but it was not final when WPA became available.

WPA2 / IEEE 802.11i


The IEEE 802.11i standard, eventually introduced in 2005, includes the advanced encryption standard
(AES), which is a major improvement over the WPA standard. AES provides even stronger encryption with
longer keys and more secure encryption algorithms. The Wi-Fi Alliance provides product certification
services for 802.11i but likes to call it WPA2 instead of IEEE 802.11i, meaning the second version of WPA.

I hope this information about wireless networking gives you a better idea of how a WLAN works. I would
encourage you to look for all of this terminology by logging into your home wireless (DSL) router.

Part 7: IP Services
Chapter 33- Configuring and Verifying DHCP

In the IP Services section of this book, we are going to learn Dynamic Host Configuration Protocol (DHCP);
Network Redundancy Protocols such as HSRP, GLBP, and VRRP; Simple Network Management Protocol
(SNMP); Network Time Protocol; and Syslog.

Dynamic Host Configuration Protocol (DHCP) is a network protocol that enables a server to automatically
assign an IP address to a computer from a defined range of numbers. I hope you came across this protocol
while setting up your home or office laptop network. In that case, DHCP is enabled on the home router to
automatically distribute IP configuration settings to network clients, eliminating the tedious and
burdensome task of manually configuring hosts on TCP/IP based networks.

Without DHCP services, network admins need to configure each individual network client with the correct
Internet Protocol settings, including IP address, subnet mask, default gateway and DNS server. In my home
network shown below, where I manually configured my laptop’s IP address as 192.168.100.15, this is not an
issue, because the network is small. Many organizations manage hundreds or thousands of network client
devices, including smart phones, tablets, desktop computers, and laptops. The DHCP service helps to
ensure that all network clients have the correct configuration settings, eliminating fat-finger and other
human errors that may occur when we have to enter the information manually. Network configuration
changes can be updated on the DHCP server without having to change the information directly on each
client computer.

Figure: my home network. Home router (DHCP and DNS server): 192.168.100.1. Laptop, with the printer
shared in the network through it: 192.168.100.15. Printer: 192.168.100.10.

Remember, there are two main enhancements with DHCP: it allows a client to obtain an IP address
dynamically for a finite period of time, and also to retrieve other useful IP information, such as DNS,
HTTP, or SMTP server addresses. DHCP uses UDP as its transport protocol.

DHCP Process:

DHCP was developed as an extension to the Bootstrap Protocol (BOOTP). It has a four-step process to
deliver an IP address to a host.

Figure: DHCP client and DHCP server exchange; the final step, the DHCP Acknowledgement, is a unicast
ACK carrying the IP address.

 DHCP Discover: When a user turns on a device and connects it to a network as a DHCP client, the
client device sends a broadcast packet to “discover” the DHCP server on the network. In an enterprise
network, all other servers in the subnet also receive the same request. Normally the router directs
the DISCOVER packet to the correct DHCP server. Remember that, for DHCP to work properly, the
DHCP server should be on the same network as the DHCP client (the other case is covered later in
this chapter).

 DHCP Offer: When a DHCP server receives the DISCOVER packet, it responds with an offer message to
the client, based on the availability and usage policies set on the server. The message is a unicast
message and contains the IP address information. The server also configures the client’s DNS servers,
WINS servers, NTP servers and sometimes other services as well. The client accepts the first offer
that it gets.

 DHCP Request: The client sends a broadcast DHCP REQUEST packet for the particular offer it received.
This broadcast message tells all the other servers that offered it an address that the client already has
an offer and is no longer interested in receiving any other.

 DHCP Acknowledgment: The server sends a unicast ACK (DHCP ACK) packet, confirming that the client
has been given a lease on the address for a server-specified period of time.

Configuring a Router as DHCP Server:

For small office/home office (SOHO) businesses, configuring a router as the DHCP server is common, and
it’s also economical because you don’t have to buy additional servers to run DHCP operations.

Configuring Cisco IOS as a DHCP server is a very simple process:

1. Configure an IP address on the router’s Ethernet or Fast Ethernet port and bring up the interface:
router(config)#interface fastethernet 0/0
router(config-if)#ip address 192.168.100.1 255.255.255.0
router(config-if)#no shutdown
router(config-if)#exit

2. Then we have to create the DHCP address pool that we want to use:
router(config)#ip dhcp pool Intense_School

3. Then we have to specify the network and subnet for the addresses we want to use from the pool:
router(dhcp-config)#network 192.168.100.0 /24

4. Then we have to specify the default gateway router address:
router(dhcp-config)#default-router 192.168.100.1

5. After that, we have to specify the domain name for the clients:
router(dhcp-config)#domain-name intenseschool.com

6. Then we have to specify the domain name server; in a small office or home environment, the primary
and secondary DNS server is sometimes the same as the gateway address of the network:
router(dhcp-config)#dns-server 192.168.100.1

7. Then we have to specify the lease duration (in days) for the addresses we are using from the pool:
router(dhcp-config)#lease 20

8. Then we use the exit command to leave pool-configuration mode:
router(dhcp-config)#exit

If you want to exclude some addresses that may be restricted or reserved for servers in the network, use
the command below. Note that it is entered in global configuration mode, not inside the pool:

router(config)#ip dhcp excluded-address 192.168.100.1 192.168.100.10

The “ip dhcp excluded-address” command excludes some addresses in the pool from being assigned. In
this example, the router would begin assigning addresses from 192.168.100.11.

Figure: my home network. DHCP server in the home router: 192.168.100.1. DHCP client: 192.168.100.11.

In the above diagram, I configured my home router as a DHCP server using the commands above. Please
note that my wireless home router here is the DHCP server as well as the DNS server and also the gateway
for my network. If you are connected to your router now, go to your PC’s command line and type ipconfig
/all. You will see your computer’s IP address, and if DHCP and DNS are enabled, you will find the addresses
as in my network: my laptop is a DHCP client with IP address 192.168.100.11, and its default gateway,
DHCP server and DNS server are all 192.168.100.1.

Router as DHCP client:

Figure: router as DHCP client. The enterprise end router (DHCP client) connects over network
192.168.100.0 /24 to the service provider end router (DHCP server).
Until now we have only discussed a router working as a DHCP server. What happens if your service
provider does not want to give you a static public IP address, but gives you a dynamic address instead?
You will need to enable the DHCP client in your enterprise router, which is very easy to do. In the above
scenario, we configure our enterprise end router as a DHCP client by using the “ip address dhcp”
interface command. The “ip address dhcp” command configures a router interface to act as a DHCP
client.

DHCP Client & Server in Different Networks:

We discussed the communication between DHCP client and server in the same networks, as until now we
have not seen a scenario where the DHCP client and the server is set up on different networks.

Figure: DHCP client and server in different networks. Desktop (DHCP client) on 192.168.100.0 /24 connected
to router interface F0/0; DHCP server on 192.168.101.0 /24 connected to router interface F0/1.
In the above diagram, the DHCP client (desktop) and the DHCP server are on different networks. The DHCP
client’s network address is 192.168.100.0 /24 and the DHCP server’s network address is 192.168.101.0 /24,
and the two are connected by a router. Whenever the client requests a DHCP address, it does so by sending
a DHCP discover packet towards the DHCP server. As you know, a DHCP discover packet is a broadcast. In
this topology, this DHCP discover packet will not reach the DHCP server, as the router will not forward
broadcast packets. The packet is dropped at the F0/0 interface of the router, and this makes the DHCP
request fail.

To resolve this issue, we use the IP helper address feature on the router to pass the broadcast on to the
DHCP server. We configure the F0/0 interface on the router with an IP helper address that points to the IP
address of the DHCP server. Whenever a “DHCP discover” packet reaches the F0/0 interface of the router,
the broadcast message is converted into a unicast and sent to the DHCP server, which allows the
communication to succeed.

DHCP Snooping:

As we have seen, DHCP is a big help for a network admin, who does not need to configure each and every
device on the network. He can simply run a DHCP server and every node of the network will automatically
get its IP addressing. But this has a danger: what happens if someone sitting near your office acts as a
DHCP server and thereby gets access to your network through the switch? To prevent this, we use a
feature called DHCP snooping, which is available on switches. By using DHCP snooping, you can prevent
rogue DHCP server attacks. The topology below is a good example of the DHCP snooping feature and how
it can protect your network from rogue DHCP attacks.

Figure: DHCP snooping. A desktop, a laptop, the real DHCP server and a rogue DHCP server are all
connected to the switch.

In the diagram above, a valid DHCP server is connected to the network. The desktop and the laptop are
supposed to receive dynamic IP addresses from that server. But an intruder plants a rogue DHCP server on
the network, as shown in the diagram.

Because the client is unaware of the attacker, it broadcasts a DHCP Discover packet looking for servers.
Both DHCP servers (real and rogue) receive the Discover and respond with an Offer. The client normally
accepts the first Offer it receives, so if the rogue server answers first, the client ends up using the IP
address, default gateway and DNS server supplied by the attacker.

You prevent this by enabling DHCP snooping on the switch (globally and for the VLAN) and marking only the
port connected to the valid DHCP server (plus any uplink towards it) as trusted. Every other port is
untrusted by default: the switch forwards client messages (Discover, Request) from untrusted ports but drops
any server message (Offer, Ack, Nak) that arrives there, so the rogue server's replies never reach the
clients. The switch also records each completed lease in a DHCP snooping binding table (MAC address, IP
address, VLAN and port).
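The per-port logic described above, as an added example that is not part of the original book or of any
Cisco code: a small Python model of a DHCP snooping switch. It builds constructed DHCP packets (not
captures), parses the BOOTP header and option 53, drops server replies and spoofed client requests arriving
on untrusted ports, and records leases seen on the trusted port in a binding table. The port names, MAC
addresses and lease addresses are made up for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# BOOTP/DHCP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes,
# followed by the 4-byte magic cookie and the options.
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5      # option 53 message types


def build_dhcp(op, chaddr, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", xid=0x3903F326):
    """Constructed test packet (not a capture): header + cookie + option 53 + End."""
    hw = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")
    fixed = HDR.pack(op, 1, 6, 0, xid, 0, 0,
                     b"\x00" * 4, IPv4Address(yiaddr).packed, b"\x00" * 4,
                     IPv4Address(giaddr).packed, hw, b"\x00" * 64, b"\x00" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(pkt):
    """Pull out the fields that DHCP snooping actually inspects."""
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = HDR.unpack_from(pkt)
    if pkt[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, HDR.size + 4
    while i < len(pkt) and pkt[i] != 255:          # walk TLV options until End (255)
        if pkt[i] == 0:                             # Pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(IPv4Address(yiaddr)),
            "giaddr": str(IPv4Address(giaddr)), "chaddr": chaddr[:hlen].hex(":"),
            "msg_type": opts.get(53, b"\x00")[0]}


class SnoopingSwitch:
    """Models the per-port decisions DHCP snooping makes on a Cisco switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # client MAC -> (leased IP, port): the snooping binding table
        self.log = []

    def receive(self, port, src_mac, pkt):
        d = parse_dhcp(pkt)
        if port in self.trusted:
            if d["op"] == BOOTREPLY and d["msg_type"] == ACK:
                self.bindings[d["chaddr"]] = (d["yiaddr"], port)   # lease completed
            return "forward"
        # Untrusted port: only client-side traffic is acceptable.
        if d["op"] == BOOTREPLY:
            self.log.append(f"{port}: dropped server message (type {d['msg_type']}) from untrusted port")
            return "drop"
        if src_mac.lower() != d["chaddr"]:          # MAC verification (on by default)
            self.log.append(f"{port}: dropped request, source MAC {src_mac} != chaddr {d['chaddr']}")
            return "drop"
        if d["giaddr"] != "0.0.0.0":                # relay-agent address from a user port
            self.log.append(f"{port}: dropped request with relay address {d['giaddr']} from untrusted port")
            return "drop"
        return "forward"


def demo():
    """Constructed scenario: real server on trusted Gi0/1, rogue server on untrusted Fa0/5."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/1"})
    client = "00:11:22:33:44:55"
    results = {
        "discover": sw.receive("Fa0/3", client, build_dhcp(BOOTREQUEST, client, DISCOVER)),
        "rogue_offer": sw.receive("Fa0/5", "de:ad:be:ef:00:01",
                                  build_dhcp(BOOTREPLY, client, OFFER, yiaddr="192.168.1.50")),
        "spoofed_request": sw.receive("Fa0/3", "66:77:88:99:aa:bb",
                                      build_dhcp(BOOTREQUEST, client, REQUEST)),
        "real_ack": sw.receive("Gi0/1", "00:0c:29:aa:bb:cc",
                               build_dhcp(BOOTREPLY, client, ACK, yiaddr="192.168.1.20")),
    }
    return results, dict(sw.bindings), list(sw.log)


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

The rogue's Offer on Fa0/5 and the request whose chaddr does not match the sending MAC are both dropped,
while the legitimate Ack from the trusted port populates the binding table that the real switch consults
afterwards.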

Chapter 34: First Hop Redundancy Protocols (HSRP, VRRP & GLBP)

First Hop Redundancy Protocols (FHRPs) are used to ensure high availability of the default gateway on a
network. Your device has an IP address and a default gateway that connects it to other networks and the
Internet. What happens when that gateway router goes down? If there is no backup, you have to repair or
replace it before operations can continue. Even if a spare router is available, you still experience
significant downtime while you swap it in, because the hosts keep pointing at the old gateway address.
This is why FHRPs were designed.

There are many FHRPs. For the CCNA exam, you are required to learn about the three below:

1. Hot Standby Router Protocol (HSRP)
2. Virtual Router Redundancy Protocol (VRRP)
3. Gateway Load Balancing Protocol (GLBP)

Hot Standby Router Protocol (HSRP):

Hot Standby Router Protocol (HSRP) is a Cisco proprietary redundancy protocol for establishing a
fault-tolerant default gateway; it is described in detail in RFC 2281.

The protocol lets hosts on a LAN use multiple routers that act as a single virtual router, so connectivity
is maintained even if the first-hop router fails: the other router acts as a "hot standby", ready to take
over. HSRP ensures that only one router, the active router, forwards traffic on behalf of the group (the
virtual router) at any given time. Through an election process, one router is designated the active router
and another the standby router. The standby router is the backup: it is chosen to become the active router
whenever the current active router fails.

HSRP Operation:

In the diagram below, two routers, Router 1 and Router 2, work as a single virtual router. HSRP uses a
virtual MAC address and a virtual IP address that the two routers present to hosts as one default gateway.
In this example the virtual IP address is 192.168.5.254. With HSRP version 1 the virtual MAC address has
the form 0000.0c07.acXX, where XX is the group number in hex:

    0000.0c           07.ac          XX
    Cisco vendor ID   HSRP ID        standby group number

HSRP version 2 uses a different range, 0000.0c9f.fXXX, where XXX is the group number in hex (version 2
allows group numbers up to 4095).

[Diagram: HSRP operation. The Active Router and the Standby Router both connect to the Internet Service
Provider and together present a single Virtual Router to the hosts behind the Access Layer Switch.]

Through the election process, Router 1 is elected the active router while the other router becomes the
standby router. Normally the active router is the one with the highest priority in the HSRP group (ties are
broken by the highest interface IP address). Hosts send packets to the virtual MAC address; both routers see
the traffic on the LAN, but only the active router forwards it. The standby router is the backup: if the
active router fails at any time, it is ready to take its place as the active router. Both the active and the
standby router send "hello" packets to a multicast address every 3 seconds (the default hello time) on UDP
port 1985. The multicast address is 224.0.0.2 for version 1 and 224.0.0.102 for version 2.

If the standby router does not receive a hello from the active router within 10 seconds (the default hold
time), the active router is deemed down and the standby router takes over the forwarding role. Because the
new forwarding router uses the same virtual IP and MAC addresses, hosts see no disruption in communication.
The default HSRP timers can be tuned if you need faster failover.
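Added example, not from the book and not Cisco code: a Python parser for the HSRPv1 hello packet (UDP 1985,
the 20-byte layout from RFC 2281), the virtual MAC derivation, and the election rule just described (highest
priority, then highest IP address). It also makes the security point explicit: HSRP's default authentication
is the plaintext string "cisco", so any host that can send to 224.0.0.2 on the VLAN may announce priority 255
and win the election, which is why a detector should flag speakers that are not on an allow-list. The source
addresses and the rogue at 192.168.5.200 are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

# HSRPv1 packet (RFC 2281), sent to 224.0.0.2 on UDP port 1985; 20 bytes.
HSRP = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}


def virtual_mac(group, version=1):
    """Virtual MAC the active router answers for: 0000.0c07.acXX (v1) or 0000.0c9f.fXXX (v2)."""
    return f"0000.0c07.ac{group:02x}" if version == 1 else f"0000.0c9f.f{group:03x}"


def build_hello(priority, group, vip, state=16, auth=b"cisco", opcode=0, hello=3, hold=10):
    """Constructed HSRPv1 packet; 'cisco' is the default plaintext authentication string."""
    return HSRP.pack(0, opcode, state, hello, hold, priority, group, 0,
                     auth.ljust(8, b"\x00"), IPv4Address(vip).packed)


def parse_hsrp(data):
    """Decode the fixed HSRPv1 header into a dict."""
    ver, op, state, hello, hold, prio, group, _rsv, auth, vip = HSRP.unpack(data[:HSRP.size])
    return {"version": ver, "opcode": OPCODES.get(op, op), "state": STATES.get(state, state),
            "hello": hello, "hold": hold, "priority": prio, "group": group,
            "auth": auth.rstrip(b"\x00").decode(errors="replace"),
            "vip": str(IPv4Address(vip)), "vmac": virtual_mac(group)}


def elect_active(hellos):
    """hellos: list of (source IP, parsed packet). Highest priority wins; ties go to the highest IP."""
    return max(hellos, key=lambda h: (h[1]["priority"], int(IPv4Address(h[0]))))[0]


def find_rogues(hellos, authorized, expected_auth="cisco"):
    """Flag speakers that are not on the authorized list or that use a different auth string."""
    return sorted({src for src, pkt in hellos
                   if src not in authorized or pkt["auth"] != expected_auth})


def demo():
    """Constructed scenario matching the book's lab: R1 priority 150, R2 priority 100, plus a rogue."""
    authorized = {"192.168.5.2", "192.168.5.3"}
    legit = [("192.168.5.2", parse_hsrp(build_hello(150, 1, "192.168.5.1"))),
             ("192.168.5.3", parse_hsrp(build_hello(100, 1, "192.168.5.1", state=8)))]
    # A rogue host announcing priority 255 with a Coup message to seize the active role.
    rogue = ("192.168.5.200", parse_hsrp(build_hello(255, 1, "192.168.5.1", state=4, opcode=1)))
    return {"normal": elect_active(legit),
            "with_rogue": elect_active(legit + [rogue]),
            "flagged": find_rogues(legit + [rogue], authorized),
            "vmac": legit[0][1]["vmac"]}


if __name__ == "__main__":
    print(demo())
```

Run against a capture of UDP 1985 traffic, the same logic tells you who is actually winning the election on
a VLAN. On the routers, standby authentication md5 and keeping FHRP traffic off user-facing ports are the
mitigations.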

HSRP States:

HSRP defines the following states:

 Initial: the starting state, entered when the router boots or when the interface configuration changes.
 Learn: the router has not yet heard a hello from the active router and does not yet know the virtual IP
  address (only relevant when the virtual IP address is not configured locally).
 Listen: the router knows the virtual IP address and monitors hello packets from the active and standby
  routers, but is neither of them. Every router in the HSRP group passes through this state.
 Speak: the router sends periodic hellos and takes part in the election for the active or standby role.
 Standby: the router is next in line to become active and sends periodic hellos.
 Active: the router forwards packets sent to the group's virtual MAC address and sends periodic hellos to
  the standby router.

Every router in an HSRP group moves through these states. Within a group only one router is elected active;
one other becomes standby, and any remaining routers stay in the listen state.

HSRP Basic Configuration in Packet Tracer Software:

In preparation for the CCNA, we will see how to set up HSRP on Cisco routers.

In this scenario we have a redundant network: Router 1 works as the active router and Router 2 is the
standby router. Both routers are members of the same HSRP group, and the HSRP virtual address acts as the
gateway for the host. Here 192.168.5.1 is the gateway of the host. If the active router goes down, the
standby router takes over forwarding towards the Internet. The host notices no difference, because
192.168.5.1 remains its single gateway address.

So let's configure Router R1 (note that the group number must be given on the priority command as well;
without it the priority is applied to group 0, not to group 1):

R1(config)#interface f0/0
R1(config-if)#ip address 192.168.5.2 255.255.255.0
R1(config-if)#standby 1 priority 150
R1(config-if)#standby 1 ip 192.168.5.1
% Address 192.168.5.1 in group 1

After this, we configure Router R2:

R2(config)#interface f0/0
R2(config-if)#ip address 192.168.5.3 255.255.255.0
R2(config-if)#standby 1 ip 192.168.5.1
% Address 192.168.5.1 in group 1

In the above configuration we configured interface f0/0 of both routers, the interface connected to the
access layer switch. Whenever you type standby ? you will see the parameters listed below, starting with the
group number; here we used HSRP group 1 on both routers. You can change the priority of a router (by default
the priority is 100). I wanted R1 to be the active router, so I gave it a higher priority, while R2 keeps
the default priority of 100. If you do not specify a priority, the router with the highest interface IP
address becomes the active router.

R1(config-if)#standby ?
<0-4095> group number
ip Enable HSRP and set the virtual IP address
ipv6 Enable HSRP IPv6
preempt Overthrow lower priority Active routers
priority Priority level
track Priority Tracking.

You can check the IP and virtual MAC address on Router 1 with the show ip arp command in enable mode; the
virtual MAC address ends with the group number, as discussed earlier.

R1(config)#do show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.5.1             1   0000.0C7F.F001  ARPA   FastEthernet0/0
Internet  192.168.5.2             -   0060.3E5B.AA01  ARPA   FastEthernet0/0
R1(config)#

On each router we defined its own interface IP address and then the standby (virtual) IP address
192.168.5.1, which acts as the gateway. You can check connectivity from the PC with ping 192.168.5.1.
Remember that your PC can also reach both routers' physical IP addresses.

Now we want to see which of our routers is working as the active router and which as the standby. You can
easily learn that with the show standby command.

R1#show standby
FastEthernet0/0 - Group 1 (version 2)
  State is Active
    17 state changes, last state change 00:05:51
  Virtual IP address is 192.168.5.1
  Active virtual MAC address is 0000.0C7F.F001
    Local virtual MAC address is 0000.0C7F.F001 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.164 secs
  Preemption disabled
  Active router is local
  Standby router is 192.168.5.3, priority 100 (expires in 7 sec)
  Priority 150 (default 100)
  Group name is hsrp-Fa0/0-1 (default)

You can see that it clearly states that R1 is in the Active state, and R2 is in the Standby state.

R2#show standby
FastEthernet0/0 - Group 1 (version 2)
  State is Standby
    3 state changes, last state change 00:08:31
  Virtual IP address is 192.168.5.1
  Active virtual MAC address is 0000.0C7F.F001
    Local virtual MAC address is 0000.0C7F.F001 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.088 secs
  Preemption disabled
  Active router is 192.168.5.2, priority 150 (expires in 7 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is hsrp-Fa0/0-1 (default)

For the purpose of the CCNA exam this information is sufficient, but if you want more detail about HSRP,
consult any CCNP SWITCH book; bear in mind that there the gateway role is usually played by a Layer 3 switch
(with HSRP configured on a VLAN interface) rather than a router.

VRRP: Virtual Router Redundancy Protocol

HSRP is fine for Cisco routers and switches, but what if your enterprise network is a multi-vendor
environment? How will you achieve gateway redundancy without changing the default gateway on every host?
The IETF standardized VRRP (originally RFC 2338 in 1998, now RFC 5798) as an open alternative to Cisco's
proprietary HSRP. Being the later design, it is somewhat more refined than HSRP: by default its advertisement
("hello") timer is 1 second and a master is declared dead after roughly 3 seconds. Note that not every Cisco
platform, IOS feature set or simulator supports VRRP, so check before you build a lab around it.

Hot Standby Router Protocol (HSRP)                 Virtual Router Redundancy Protocol (VRRP)
-------------------------------------------------  -------------------------------------------------
Cisco proprietary                                  Multi-vendor standard
Multicast address 224.0.0.2 (v1) / 224.0.0.102 (v2) Multicast address 224.0.0.18
Virtual MAC address 0000.0c07.acXX                 Virtual MAC address 0000.5E00.01XX
Described in RFC 2281                              Described in RFC 5798
Preemption disabled by default                     Preemption enabled by default
"Hello" timer 3 seconds (can be tuned to 1 second) Advertisement ("hello") timer 1 second

Remember that with VRRP the virtual IP address can be either a dedicated virtual address or the real
interface address of one of the routers; the router that owns that address is called the IP address owner
and always has priority 255. VRRP works much like HSRP, but instead of active and standby we speak of the
Master and Backup routers. The master forwards the traffic, a backup takes over if the master fails, and
there can be several backups. In the election, the IP address owner becomes master if present; otherwise the
router with the highest priority in the group wins.

The configuration of VRRP is almost the same as the HSRP configuration we did. We can work on the same
topology, but make sure your lab router or switch supports VRRP.

After entering the same commands as for HSRP (replacing the standby keyword with vrrp), you can check your
router's status with the show vrrp command in enable mode. You will find output like this:

Notice that pre-emption is enabled in the output, and that the priority of R1 has been reduced to 80
because the object being tracked is down.

GLBP: Gateway Load Balancing Protocol:

The Gateway Load Balancing Protocol is a Cisco proprietary FHRP designed to use multiple physical gateways
at the same time. Unlike VRRP and HSRP, all the physical routers in a GLBP group can forward traffic. This
makes better use of the installed routers while still providing first-hop redundancy. GLBP can load-balance
between the gateways either equally or unequally. Remember, when GLBP is set up:

 There is a single virtual IP address but multiple virtual MAC addresses.
 One router is elected Active Virtual Gateway (AVG); it is the "point man" of the group, assigning the
  virtual MAC addresses to the members and answering ARP requests for the virtual IP address.
 Every router that is assigned a virtual MAC address (the AVG included) acts as an Active Virtual
  Forwarder (AVF) for that address; a group supports up to four AVFs.
 Hello messages are exchanged within the group using multicast address 224.0.0.102 and UDP port 3222,
  every 3 seconds by default (hold time 10 seconds).

How does GLBP achieve this?

A GLBP group is configured with one virtual IP address, which hosts use as their default gateway. The
members of the group elect an active virtual gateway (AVG) that answers for that virtual IP address. Unlike
HSRP and VRRP, GLBP does not use a single virtual MAC address for the whole group. Instead, the AVG assigns a
different virtual MAC address (of the form 0007.b400.XXYY, where XX is the group number and YY the forwarder
number) to each physical router in the group.

So what happens when a client needs to send packets to the default gateway? Since it knows the IP address,
it requests the MAC address by sending an ARP (Address Resolution Protocol) request on the subnet. The AVG
answers those ARP requests with the virtual MAC address of one of the active virtual forwarders (physical
gateways that are still up), chosen according to a load-sharing algorithm, so different hosts are sent to
different physical routers.

There are three load-sharing algorithms used by GLBP:

 Round-robin: the AVG responds with the next virtual MAC address in the cycle for each new ARP request.
  This is the default.
 Host-dependent: the same host is always given the same virtual forwarder (the answer is derived from the
  host's MAC address), while different hosts are spread across the AVFs.
 Weighted: the AVFs are assigned weights and the AVG hands out their virtual MAC addresses in proportion
  to those weights, so different amounts of traffic reach different physical gateways. This matters when
  routers of different capacity share a group and you want the higher-capacity router to carry more traffic
  than the lower-capacity one.

AVG redundancy is handled with priorities: the router with the highest priority is the AVG, and if it goes
down the router with the next highest priority (the standby virtual gateway) becomes the new AVG. For the
AVFs, if a physical router goes down (or its weighting drops below the configured threshold because a tracked
interface failed), another group member that was in the listen state for that forwarder takes over its
virtual MAC address, so hosts that learned that MAC keep working. At the same time a redirect timer is
started on the AVG.

If the failed AVF does not come back before the redirect timer expires, the AVG stops handing that virtual
MAC address to new clients, and after the longer timeout timer it is removed from the group altogether.
Finally, what happens when a failed router comes back online? It resumes its role as AVG or AVF if
pre-emption is configured (AVF pre-emption is enabled by default, AVG pre-emption is not).
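Added example, not the book's and not Cisco code: a Python model of the AVG decisions described above, the
three load-sharing algorithms, the 0007.b400.GGFF virtual MAC derivation, an AVF failing over to another
member, and the redirect timer expiring so the AVG stops handing out the failed forwarder's MAC address. The
router names, client MAC addresses and weights are made up for the demonstration.

```python
class GLBPGroup:
    """Models the AVG's ARP-reply decisions and AVF failover for one GLBP group."""

    def __init__(self, group, forwarders, method="round-robin", weights=None):
        # forwarders: {forwarder number: router name}. The AVG gives each forwarder a
        # virtual MAC of the form 0007.b400.GGFF (GG = group number, FF = forwarder number).
        self.group = group
        self.method = method
        self.vmac = {n: f"0007.b400.{group:02x}{n:02x}" for n in forwarders}
        self.owner = dict(forwarders)            # which router currently answers each virtual MAC
        self.weights = dict(weights or {n: 1 for n in forwarders})
        self.redirected = set()                  # forwarders the AVG no longer hands out
        self.host_map = {}                       # host-dependent: client MAC -> forwarder number
        self._rr = 0

    def _eligible(self):
        return [n for n in sorted(self.vmac) if n not in self.redirected]

    def _next_round_robin(self, eligible):
        n = eligible[self._rr % len(eligible)]
        self._rr += 1
        return n

    def _next_weighted(self, eligible):
        # deterministic weighted round-robin: forwarder n appears weights[n] times per cycle
        schedule = [n for n in eligible for _ in range(self.weights[n])]
        n = schedule[self._rr % len(schedule)]
        self._rr += 1
        return n

    def arp_reply(self, client_mac):
        """The virtual MAC the AVG answers with when a host ARPs for the virtual IP."""
        eligible = self._eligible()
        if self.method == "host-dependent":
            if self.host_map.get(client_mac) not in eligible:     # first seen, or its AVF is gone
                self.host_map[client_mac] = self._next_round_robin(eligible)
            n = self.host_map[client_mac]
        elif self.method == "weighted":
            n = self._next_weighted(eligible)
        else:
            n = self._next_round_robin(eligible)
        return self.vmac[n]

    def forwarder_down(self, n, backup):
        """The router owning forwarder n fails (or its tracked interface drops); a member
        that was in the listen state for that forwarder takes over its virtual MAC."""
        self.owner[n] = backup

    def redirect_expired(self, n):
        """Redirect timer expired with the original AVF still down: stop handing out its MAC."""
        self.redirected.add(n)

    def forwarder_up(self, n, router):
        """Original AVF returns; with AVF pre-emption it reclaims its virtual MAC."""
        self.owner[n] = router
        self.redirected.discard(n)


def demo():
    """Constructed scenario with two routers, R1 and R2, in group 1."""
    rr = GLBPGroup(1, {1: "R1", 2: "R2"})
    round_robin = [rr.arp_reply(f"00:aa:00:00:00:{i:02x}") for i in range(4)]

    w = GLBPGroup(1, {1: "R1", 2: "R2"}, method="weighted", weights={1: 3, 2: 1})
    weighted = [w.arp_reply(f"00:bb:00:00:00:{i:02x}") for i in range(4)]

    hd = GLBPGroup(1, {1: "R1", 2: "R2"}, method="host-dependent")
    same_host = [hd.arp_reply("00:cc:00:00:00:01") for _ in range(3)]
    other_host = hd.arp_reply("00:cc:00:00:00:02")

    hd.forwarder_down(2, backup="R1")           # R2 loses its ISP link; R1 answers for both MACs
    hd.redirect_expired(2)                      # AVG stops assigning forwarder 2 to new hosts
    after_failure = [hd.arp_reply(m) for m in ("00:cc:00:00:00:01", "00:cc:00:00:00:02")]
    return {"round_robin": round_robin, "weighted": weighted, "same_host": same_host,
            "other_host": other_host, "owner_during_failure": dict(hd.owner),
            "after_failure": after_failure}


if __name__ == "__main__":
    print(demo())
```

Between the failure and the redirect timer expiring, hosts that already cached 0007.b400.0102 keep working
because R1 answers for it; only after the timer does the AVG steer new hosts to forwarder 1 alone.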

GLBP States:

Like HSRP, GLBP defines a set of states that a router passes through while it operates in a GLBP group.

GLBP States for the Active Virtual Gateway (AVG):

 Disabled: the virtual IP address has not been configured yet, but other GLBP configuration exists.
 Initial: the virtual IP address has been configured or learned, but the virtual gateway configuration is
  not complete.
 Listen: the virtual gateway is receiving hello packets and is ready to change to the Speak state if the
  active or standby virtual gateway becomes unavailable.
 Speak: the virtual gateway is attempting to become the active or standby virtual gateway.
 Standby: the gateway is next in line to become the active virtual gateway (AVG).
 Active: the gateway is the AVG and is responsible for responding to Address Resolution Protocol (ARP)
  requests for the virtual IP address.

The AVG election follows the states above. The virtual IP address is shared by the whole group and is
distinct from the routers' own interface addresses. Below are the states a router goes through as an Active
Virtual Forwarder (AVF).

A GLBP group can have several Active Virtual Forwarders at the same time (up to four). The AVG owns the
virtual MAC addresses: it assigns one to each forwarder and hands them out in its ARP replies, while each
AVF simply forwards the frames addressed to the virtual MAC address it has been given.

GLBP States for the Active Virtual Forwarder (AVF):

 Disabled: the virtual MAC address has not been assigned or learned.
 Initial: the virtual MAC address is known, but the virtual forwarder configuration is not complete.
 Listen: the virtual forwarder is receiving hello packets and is ready to change to the Active state if the
  active virtual forwarder (AVF) becomes unavailable.
 Active: the gateway is the AVF and is responsible for forwarding packets sent to the virtual forwarder
  MAC address.

Basic Configuration of GLBP Operation:

Let's look at the network diagram below, which is almost identical to the HSRP one; the difference is that
GLBP uses a single virtual IP address with multiple virtual MAC addresses. In this scenario 192.168.2.1 is
the virtual IP address of the group.

[Diagram: Gateway Load Balancing Protocol. R1 (virtual MAC 0007.b400.0101) and R2 (virtual MAC
0007.b400.0102) both connect to the Internet Service Provider and share virtual IP 192.168.2.1; a host sits
behind an access switch connected to both routers.]

We will configure the routers to use GLBP, giving R1 the higher priority. We leave the load-sharing
algorithm at its default (round-robin) for now. The configuration for R1 is shown below:

The virtual IP address assigned to the client is 192.168.2.1. The configuration on R2 is shown below:

Based on this configuration, R1 is elected AVG for the group, while both R1 and R2 are AVFs. We can see
this in the output of the show glbp command on R1:

Notice that while R1 is the AVG, it is in the listen state for forwarder 2, because R2 is the active
forwarder 2. Also note the MAC addresses assigned to the AVFs (0007.b400.0101 and 0007.b400.0102). The
load-balancing method is still the default (round-robin).

Now, let us hop over to the client side and test this out:

As we can see in the output, the default gateway is set to the virtual IP address, 192.168.2.1. Let's ping
it and see which MAC address the client learns from the AVG:

Notice that the MAC address is that of the second forwarder: while R1 is the AVG, R2 has been selected as
the gateway for this particular ARP request by the round-robin algorithm.

Now, what happens when we clear the ARP and try again?

We can see that the MAC address has changed to the one for AVF 1; in this case R1 has become the first hop
for the client.

We can change the load-balancing algorithm with the command glbp <group-number> load-balancing <option>.
Below we change it to host-dependent load balancing:

Now we will add some additional features to our GLBP configuration. We track interface Fa0/1, so that a
router that loses its connection to its ISP also loses its standing as a forwarder (its weighting is
decremented below the l

What happens when R2 loses its connection to the ISP? When we shut down R2's F0/1 interface, R1 takes over
as the active forwarder for forwarder 2.

The show glbp command now shows that R1 is active for both forwarders and is answering for both virtual
MAC addresses:

What happens when the connection to the ISP (F0/1) is restored on R2? Because pre-emption is enabled
between AVFs, R2 becomes the AVF again and R1 goes back to the listen state for forwarder 2.

You can test other scenarios on your own by tracking different objects and verifying how the AVG and AVFs
respond. Remember that GLBP also supports IPv6.

This much information is enough for the purpose of the CCNA exam, but remember that FHRPs are very important
in enterprise networking, and that an unauthenticated FHRP speaker on an access VLAN can claim the gateway
role: keep HSRP, VRRP and GLBP traffic confined to the intended router ports and use the protocols' MD5
authentication where it is available.

Chapter 35: Network Management Protocol (SNMP, Syslog & NTP)

In this chapter, we are going to learn the remaining IP services (NTP, SNMP & Syslog) topics in the CCNA
syllabus. So let's start with Network Time Protocol (NTP).

Network Time Protocol (NTP):

Network Time Protocol is used for clock synchronization between nodes on a data network. It was first
described in RFC 958 (1985); the current version, NTPv4, is defined in RFC 5905.

"Time is inherently important to the function of routers and networks. It provides the only frame of
reference between all devices on the network. This makes synchronized time extremely important.
Without synchronized time, accurately correlating information between devices becomes difficult, if not
impossible. When it comes to security, if you cannot successfully compare logs between each of your
routers and all your network servers, you will find it very hard to develop a reliable picture of an incident.
Finally, even if you are able to put the pieces together, unsynchronized times, especially between log files,
may give an attacker with a good attorney enough wiggle room to escape prosecution.” –Thomas Akin,
in Hardening Cisco Routers.

NTP can operate in four different modes: client, server, peer, and broadcast. These modes give you a great
deal of flexibility in how you arrange synchronization on your network.

Design steps needed to set up an NTP server and clients on your enterprise routers:

 First check connectivity between all the routers with ping.
 Configure the time zone and the clock on the NTP server router.
 Then configure the NTP Client 1 and NTP Client 2 routers with the same time zone as the NTP server
  router.
 Once you configure the server router as an NTP master at stratum 5, the NTP Client 1 and Client 2 routers
  (pointed at the server's address with the ntp server command) will synchronize their clocks with it.

[Diagram: NTP Server (192.168.5.1/24), NTP Client 1 (192.168.5.2/24) and NTP Client 2 (192.168.5.3/24)
connected through an access layer switch.]

Simple Network Management Protocol (SNMP):

The Simple Network Management Protocol (SNMP) is the foundation of network management. It is an application
layer protocol (defined in RFC 1157) for managing and monitoring devices on a network, carried over UDP
(port 161 for requests, port 162 for traps). Almost every kind of networking device (switches, routers,
servers, workstations, printers and so on) supports SNMP. There are three key components in SNMP:

 Managed device: a network node (router, switch, server and so on) that is monitored or controlled through
  SNMP.
 SNMP agent: the software that resides on the managed device, exposes its management data and answers the
  manager's requests. Cisco devices include an agent and, as such, can be monitored by SNMP managers; on most
  devices you need to enable SNMP and configure some parameters before communication works.
 Network Management Station (NMS), also called the SNMP manager: runs the applications that monitor and
  control the managed devices and provides the bulk of the processing and memory resources required for
  network management. One or more NMSs can exist on any managed network.

Some examples of network monitoring software (in ascending order of cost) you can install for your home or
office network:

 MRTG (Multi Router Traffic Grapher): an open source NMS developed by Tobias Oetiker. You can set it up on
  Windows or Linux from the command line. It is completely free.
 PRTG: Paessler's commercial adaptation of the MRTG idea with a GUI and support.
 SolarWinds Network Monitoring Suite: more expensive because it provides an extended suite of features.
 HP OpenView: now part of HP's Business Technology Optimization tools, a large suite of tools for network
  management.

Note: Although you do not need to know different examples of NMS for the CCNA exam, it is quite relevant
in the real world.

The Management Information Base (MIB):

This is the database of objects that can be managed through SNMP. Every manageable attribute of a device
(an interface's operational status, a packet counter, the system description) is an object with a unique
identifier called the Object Identifier (OID), a dotted sequence of numbers such as 1.3.6.1.2.1.1.1.0 for the
system description. The collection of OIDs is what makes up the Management Information Base. For example,
the status of the line protocol on FastEthernet0/0 has its own OID (in the ifTable of the standard MIB-II),
and an SNMP manager can poll the agent for the value of that OID.

Now that we have examined the components of SNMP, let us look at the SNMP operations:

I. GET: the SNMP manager polls a device for the value of an OID (or a group of OIDs) and the agent responds
   with the value. The manager needs read access to perform a GET operation.
II. SET: the SNMP manager changes the value of an object. For instance, with a read-write community string
   a manager (or an attacker who has sniffed that string) can shut down an interface or, using the
   CISCO-CONFIG-COPY-MIB, make the router copy its running configuration to a TFTP server. The manager needs
   write access to perform a SET operation, which is why read-write communities should be avoided or tightly
   restricted with an access list.
III. Notifications: the SNMP agent sends unsolicited messages to the manager. Notifications sent without a
   request for confirmation are called traps; a notification for which the agent asks for a confirmation of
   receipt is called an inform.

There are three versions of SNMP supported by Cisco IOS:

 Version 1: the oldest version of SNMP. It uses community strings as its only form of security.
 Version 2c: an enhanced framework with more operations (such as GetBulk) and larger counters. Security is
  still based on community strings.
 Version 3: in versions 1 and 2c the community string travels in clear text, so anyone with a sniffer on
  the path can read it and then query (or, with a read-write string, reconfigure) the device. SNMPv3 replaces
  community strings with users and security levels.

In SNMP version 3, security has been enhanced by providing three key features:

1. Message integrity: each message carries a keyed hash, so tampering in transit is detected.
2. Authentication: implemented with HMAC using Message-Digest 5 (MD5) or the Secure Hash Algorithm (SHA);
   SHA should be preferred.
3. Encryption (privacy): the original standard uses the 56-bit Data Encryption Standard (DES); current IOS
   also supports 3DES and AES, which should be used instead of DES.

Which of these you get depends on the configured security level: noAuthNoPriv, authNoPriv or authPriv (all
three features).
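Added example, not from the book and not Cisco code: a minimal BER encoder and decoder in Python for an
SNMPv1 GetRequest (RFC 1157), used to show what a passive sniffer sees in a v1/v2c message: the community
string sits in clear text right after the version number. The packet is built by the code itself (community
"public", OID 1.3.6.1.2.1.1.1.0, which is sysDescr.0); nothing here is a real capture.

```python
# Minimal BER (ASN.1) handling for the subset SNMPv1 uses (RFC 1157).
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID, GET_REQUEST = 0x30, 0x02, 0x04, 0x05, 0x06, 0xA0


def _tlv(tag, value):
    """Tag-Length-Value with short or long definite length."""
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


def _int(v):
    """Non-negative INTEGER; an extra leading 0x00 keeps the sign bit clear."""
    return _tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return _tlv(OID, bytes(out))


def _decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_get_request(community, oid, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(SEQUENCE, _oid(oid) + _tlv(NULL, b""))
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0) + _tlv(SEQUENCE, varbind))
    return _tlv(SEQUENCE, _int(0) + _tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, i=0):
    """Return (tag, value, index after the TLV) for the TLV starting at buf[i]."""
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                                  # long-form length
        size = n & 0x7F
        n = int.from_bytes(buf[i:i + size], "big")
        i += size
    return tag, buf[i:i + n], i + n


def parse_snmp_v1(pkt):
    """Decode version, community, PDU type and requested OIDs from a v1/v2c message."""
    tag, body, _ = _read_tlv(pkt)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, i = _read_tlv(body)
    _, community, i = _read_tlv(body, i)          # plaintext: this is the whole 'secret'
    pdu_tag, pdu, _ = _read_tlv(body, i)
    _, _rid, i = _read_tlv(pdu)
    _, _err, i = _read_tlv(pdu, i)
    _, _idx, i = _read_tlv(pdu, i)
    _, vbl, _ = _read_tlv(pdu, i)
    oids, i = [], 0
    while i < len(vbl):
        _, vb, i = _read_tlv(vbl, i)
        _, oid_bytes, _ = _read_tlv(vb)
        oids.append(_decode_oid(oid_bytes))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(errors="replace"),
            "pdu": pdu_tag, "oids": oids}


def sniff_community(pkt):
    """What a passive sniffer on the path learns from one v1/v2c packet."""
    return parse_snmp_v1(pkt)["community"]


if __name__ == "__main__":
    pkt = build_get_request("public", "1.3.6.1.2.1.1.1.0")
    print(pkt.hex())
    print(parse_snmp_v1(pkt))
```

The decoder needs no key and no state; anyone who can see UDP port 161 traffic recovers the community
string and can replay it against the agent, which is the whole argument for SNMPv3 with authPriv.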

Now that we have learnt the basic theory behind SNMP, let us look at a quick scenario-based example. The
network diagram is simple: R1 is connected to a Network Management System (NMS), as shown below.

[Diagram: NMS and Router R1 on the 192.168.2.0/24 network.]

First, we will configure SNMP on R1 so that the NMS can poll R1 for information.

All SNMP configuration in the IOS starts with the snmp-server keyword; explore the options with the
context-sensitive help. When a community string is defined on a router, any SNMP manager that presents the
right community string can perform GET operations (and, if the string was defined with RW rights, SET
operations) on the device. So use a hard-to-guess string, give it read-only rights where possible, and bind
it to an access list that permits only the NMS.

I have set up PRTG on the NMS for test purposes and configured monitoring parameters on it. Remember that
the NMS uses OIDs to poll for information from the device; in this case PRTG is polling for different
parameters that indicate the health of the device. The results after a few minutes of polling are shown
below:

We can see that the NMS has automatically polled for key information about the device and created a
monitoring dashboard for the router. The information can be analyzed further, and you can set up alerts and
logs based on device performance; for instance, you can configure the NMS to send you an email when the CPU
utilization is too high.

Now we will also configure the router to send some traps (unsolicited messages) to the server. Let us
configure the router to send a message to the server whenever a link goes up or down.

There is a whole lot more that you can accomplish with SNMP, but for the CCNA exam you now have enough
information. I encourage you to download trial versions of some network monitoring software and see for
yourself.

Syslog:

Syslog is a protocol used for logging messages from a network device. It is defined in RFC 5424 (the
original, informal description was RFC 3164). If you have ever configured a Cisco device, chances are high
that you have encountered a Syslog message: all the messages that appear on the console while you are
configuring a device, telling you the state of the device, are Syslog messages.

Three key components:

 How the protocol works: messages are generated by internal software components of the device, called
  facilities. They can be sent to different destinations according to the configuration of the device. When
  Syslog runs over the network, it uses UDP port 514 between source and destination; because UDP offers no
  delivery guarantee and plain Syslog has no authentication or encryption, the logging server should sit on
  a protected management network.
 Messages can be of various levels: there are 8 severity levels in Syslog. You specify the severity level
  up to which messages are sent to a destination; messages at that level and at all more severe levels
  (lower numbers) are sent. For example, if you specify severity level 4, messages at levels 4, 3, 2, 1 and
  0 are sent to the destination. The severity levels are shown in the table below:

Level          Number   Description
Emergency      0        System unusable
Alert          1        Immediate action required
Critical       2        Critical condition
Error          3        Error condition
Warning        4        Warning condition
Notification   5        Normal but significant condition
Informational  6        Informational messages
Debugging      7        Debugging messages

 Destination: the destination of the messages is set from the CLI. Syslog destinations in the IOS include:

Console: logging messages up to a given level are sent to the console. This is on by default at level 7.
Messages logged to the console can only be seen if you are connected to the console port; to see them in a
VTY (telnet or SSH) session you need to issue the terminal monitor command.

Logging buffer: the buffer is a memory area on the device that stores log messages. Sometimes you may want
to turn off console logging and keep the messages temporarily in the buffer instead. You can do that with
the no logging console and logging buffered commands:

These commands tell the router to stop console logging and to send all logs to the buffer. All Syslog
messages with severity level 7 and below are stored in the buffer memory. We can test this by shutting down
an interface (which should generate a log message) and checking the logging buffer with show logging.

Notice that no message is sent to the console. When we view the logging buffer, however, we find that the
Syslog messages have been written there.

An external Syslog server:

You can configure logging to an external Syslog server with two commands: logging host specifies the IP
address of the Syslog server, and logging trap specifies the highest level of messages that are sent to it.
To configure the router to send Syslog messages at levels 6 and below to a server at 192.168.2.6, we issue
the commands shown below:

I have installed a Syslog server on 192.168.2.6, and we can see the logs on it below:

Note: the Syslog server used above (3CDaemon) also has TFTP and FTP features, and it is free. Highly
recommended!
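Added example, not part of the book: Python code that parses Cisco IOS-format Syslog lines
(%FACILITY-SEVERITY-MNEMONIC) and emulates the logging trap level filter described above, then separately
flags configuration-change and login messages that a low trap level would silently discard. The sample lines
are constructed in IOS format and are not from the lab in the text.

```python
import re

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors", 4: "warnings",
            5: "notifications", 6: "informational", 7: "debugging"}
LEVEL_BY_NAME = {name: num for num, name in SEVERITY.items()}

# Cisco IOS message shape: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: description
IOS_MSG = re.compile(
    r"^(?:(?P<ts>.*?): )?%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")


def parse_ios_syslog(line):
    """Split one IOS log line into its fields; None if it is not an IOS-format message."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d


def trap_filter(lines, trap_level):
    """Emulate 'logging trap <level>': forward messages at that level or more severe (numerically <=)."""
    if isinstance(trap_level, str):
        trap_level = LEVEL_BY_NAME[trap_level]
    return [d for d in map(parse_ios_syslog, lines) if d and d["severity"] <= trap_level]


def flag_config_changes(messages):
    """Security check: config changes and logins are level 4 to 6 and vanish at a low trap level;
    pick them out explicitly so the SOC always sees them."""
    watch = {("SYS", "CONFIG_I"), ("SEC_LOGIN", "LOGIN_SUCCESS"), ("SEC_LOGIN", "LOGIN_FAILED")}
    return [d for d in messages if (d["facility"], d["mnemonic"]) in watch]


# Constructed sample lines in IOS format (not from the book's lab).
SAMPLE = [
    "*Mar  1 00:12:05.123: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "*Mar  1 00:12:06.127: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "*Mar  1 00:13:41.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.2.50)",
    "*Mar  1 00:14:02.550: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:15:00.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.168.2.6 port 514 started - CLI initiated",
]


if __name__ == "__main__":
    for level in ("warnings", "informational"):
        sent = trap_filter(SAMPLE, level)
        print(f"logging trap {level}: {[m['mnemonic'] for m in sent]}")
    print("security-relevant:", [m["mnemonic"] for m in flag_config_changes(
        [parse_ios_syslog(l) for l in SAMPLE])])
```

With logging trap warnings the server never receives the %SYS-5-CONFIG_I line, so a configuration change
made by an intruder leaves no trace off-box; either set the trap level to informational or send the
security-relevant mnemonics to the SIEM regardless of level.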

Part 8: Network Security


Chapter 36: Introduction to Network Security

When I saw the movie The Matrix in the early 2000s, I wondered how Morpheus and company could hack
into this complex matrix. And how did they bypass the Gatekeeper every time? And how the hell did Agent
Smith get the information about their location every time? Truly speaking, I had no idea about anything
when I first saw the movie; like others, I loved the action sequences of the movie, but the other stuff was
Greek to me. Like everyone else, some of you who are new to the networking field may think hacking is
just like magic, or something only geniuses know. But in reality, a hacker is a person like you, one who has
expert-level knowledge of internetworking and can program malware to attack a target network.

At the CCNA level, no one will expect you to hack into a network or to defend against a cyber war waged on
your organization. But you must have a basic understanding of common network security threats and of the
ways you can mitigate them.

Trust me, Cisco has some cool methods to secure your enterprise network, but remember one thing: you
can only design a secure network, not necessarily a bulletproof one. So let's begin by discussing some
well-known security threats.

Common Security Threats for Enterprise Networks:


Practically speaking, security threats can be natural or human-made. Nobody can prevent natural disasters
like hurricanes, earthquakes, flooding or any other sort of physical damage, but you can take care of these
issues while designing your enterprise network: you should have a disaster recovery plan, such as a water
leak detection system, redundant power from a UPS or generator, and so on. In this chapter, we are only
going to discuss attacks caused by humans or automated machines.

Insider or Malicious or Disgruntled Employee:

When we design a network, we always think of a hacker or cracker sitting outside our organization. But we
tend to forget that within our organization there may be a disgruntled employee who can cause problems
by breaching the security levels within our organization.

By definition, an insider attack is a type of malicious attack perpetrated on a network or computer system
by a person with authorized system access. Insiders who perform attacks have a distinct advantage over
external attackers because they have authorized system access and may also be familiar with the network
architecture and system policies and procedures. In addition, there may be less security against insider
attacks because many organizations focus on protection from external attacks. Insider attacks can affect
all computer security elements and range from stealing sensitive data to injecting Trojan viruses into a
system or network. Insiders may also affect system availability by overloading computer or network
storage or processing capacity, leading to system crashes.

Internal intrusion detection systems (IDS) protect organizations against insider attacks, but deploying
such systems is not easy. Rules must be established to ensure that unintended attack warnings are not
triggered by employees.

Outside Attackers or Crackers or Hackers:


- Application Layer Attack:

These attacks are a type of DDoS attack that targets the application layer of a network. Attackers most
commonly attack software such as web servers to affect the web applications, and this can cause
problems in various applications on the network. These attacks are very hard to mitigate because the
attacker attacks the enterprise web server from the rear and then takes down well-known applications
such as HTTP, Voice over IP or Domain Name System (DNS). In Layer 7 attacks, computers have to set up
a full TCP connection to the victim network, so a genuine IP address is presented to the network. That's
why the permission level of the attacker's device is most often in "privileged" mode, so the hacker can
easily access and exploit the machines where applications such as the web server are running.

- Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks:

DoS (Denial of Service) attacks are generated by sending a flood of data or requests to a target system,
exhausting the target system's resources until it crashes. The attacker often uses IP spoofing to conceal
his identity when launching a DoS attack.

- IP Spoofing:

Another form of SYN flooding attack uses IP address spoofing, which might be considered more complex
than the method used in a direct attack, in that instead of merely manipulating local firewall rules, the
attacker also needs to be able to form and inject raw IP packets with valid IP and TCP headers. Today,
popular libraries exist to aid with raw packet formation and injection, so attacks based on spoofing are
actually fairly easy. For spoofing attacks, a primary consideration is address selection. If the attack is to
succeed, the machines at the spoofed source addresses must not respond in any way to the SYN-ACKs
that are sent to them. A very simple attacker might spoof only a single source address that it knows will
not respond to the SYN-ACKs, either because no machine physically exists at the address presently, or
because of some other property of the address or network configuration. Another option is to spoof
many different source addresses, under the assumption that some percentage of the spoofed addresses
will be unresponsive to the SYN-ACKs. This option is accomplished either by cycling through a list of
source addresses that are known to be suitable for the purpose, or by generating addresses inside a
subnet with similar properties.

There are other types of known attacks that we have seen, such as:
- Man-in-the-middle attacks
- Packet sniffers
- Password attacks
- Brute force attacks
- Port redirection attacks
- Trojan horse attacks and viruses
- Trust exploitation attacks

Mitigating the Security threats:

As I told you, Cisco has some cool features and techniques to prevent these types of attacks on the
network. We will discuss some of them in the coming chapters of this book. Before that, let's talk about
two common devices: the firewall and the IPS. A Cisco firewall (e.g. the ASA 5520) is known as the first
level of defence for small and medium-sized networks. Cisco Intrusion Prevention/Detection Systems are
known as the network's second level of defence.

In the diagram below, I used a Cisco 4250 series IDS and a Cisco ASA 5520 series firewall as the second
and first levels of defence of our network.

The design above is a secure IP converged enterprise network; this type of solution is mainly used in
Cisco-connected real estate solutions. I connected almost every other building service into the IP
converged infrastructure and used the term "Internet for everything." This type of solution is very popular
in smart building technology.

From the design, you can understand that a lot of data will travel through the IP infrastructure, and that
data needs to be secured from attackers. In this design, as a network designer, you have to assume that
attackers will be coming from outside the enterprise. To prevent this, I used redundant Cisco ASA 5520
series firewalls as the first level of defence.


In a normal case, this would have been enough for a small network, but in this network, where we are
using the internet for everything, a lot of data that is very important for managing the property properly
needs to be secured further, so we use a Cisco IDS 4250 series as the second level of defence for this
network. This means that if a hacker gets through the firewall, the IDS will still detect the anomaly in the
network and can easily notify the network admin or prevent it. Remember, an Intrusion Prevention System
(referred to here as the IDS) may use sensor-based technology to prevent anomaly-based or misuse-based
attacks on the network.

By using a firewall, you can simply block all incoming traffic to your network. By doing this, you might also
block the incoming POP3 port (110). As a network admin, you should always open the POP3 port (110)
and, for outgoing email, don't forget to make sure the SMTP port (25) is open as well. If you want to block
users from accessing the web, make sure HTTP egress (outgoing) is blocked.

For CCNA-level exams, this much information is enough for you to pass. But if you are interested in
working as a Network or Information Security Engineer, please get yourself a copy of Network Security,
published by Wiley. Remember, network security is a very interesting part of the ICT industry, and there
will always be demand for it because there will be bad guys everywhere, so if you want to see yourself as
a cyber police officer or security consultant, go for it.


Chapter 37: IP Access Control Lists

Access Control Lists (ACLs) are one of the tools most used by network engineers. They are used to protect
both the data and control planes and have many other applications, such as VPNs, policy routing, route
redistribution, NAT and Quality of Service (QoS). After reading this chapter, you will know the different
types of ACLs, where to implement them and how to calculate the wildcard mask.

What is an access-list?
The access list is a packet filter that matches on different fields in a packet. Most commonly, ACLs match
on layer 3 and layer 4 of the OSI model, that is, on IP and TCP/UDP.

Access lists consist of permit and deny statements and are always processed in a top-down order. As
soon as there is a match, the action is taken and the ACL stops looking for a match. Until the access list
has been applied to an interface, there is no filtering taking place.

Access lists can be applied inbound or outbound on an interface. There can only be one ACL per
direction per interface.

To get the direction right, imagine that you are sitting inside the router and watching the packets flow
through it. The figure describes the packet flow when host A sends traffic to host B while transiting two
routers.

Host A sends traffic to its gateway, which is then received inbound. As the packet leaves the router, it
leaves outbound on the interface leading to the second router. The second router receives the packet
inbound and then delivers it outbound on the interface connected to Host B.

Types of ACLs:
Cisco devices support two types of ACLs: standard access lists and extended access lists. A standard
ACL can only filter based on the source IP of the packet, but an extended ACL can match on both source
and destination IP. Access lists are configured with a number or a name, but configuring them with a name
is the newer way of doing it and it supports more features. Both ways will be shown in this chapter, as
you might still see both syntaxes used.

Standard ACL:
As mentioned above, the standard ACL can only match on the source IP. It also can't filter based on port
numbers, so it is quite a blunt tool, but it still has its uses. The standard ACL should be placed as close to
the destination as possible, because if traffic is filtered close to the source, then traffic to all destinations
could potentially be filtered. To show how to use the standard ACL, take a look at the topology below.

There is an HR server in the 10.10.10.0/24 subnet and only employees in the HR department should be
able to access it. The employees in the Sales department must not be able to reach it. We create a
standard ACL that permits the 10.0.1.0/27 network and denies everything else. Routing has already been
set up, so we start by confirming reachability.


When working with access lists, something called a wildcard is used. The wildcard is sometimes called an
inverse mask. The wildcard is similar to a network mask but without the requirement to be contiguous.
The wildcard checks the bits in the IP address: if a wildcard bit is set to 0 it means "check," and if it is set
to 1 it means "don't care." So to calculate the wildcard, we start by converting 10.0.1.0 to binary.

00001010 00000000 00000001 00000000

Because we have a /27 network mask, 27 bits are used for the network and 5 bits are used for the host.
We want to match this with the wildcard, so the first 27 bits are set to 0 and the last 5 bits are set to 1.

00000000 00000000 00000000 00011111

This is then converted back to dotted decimal, which gives us 0.0.0.31. As we get more comfortable with
wildcards, there are shortcuts we can use; in a later chapter we will discuss wildcards in more detail. If we
take 255 and subtract the value of the fourth octet of the subnet mask 255.255.255.224, that is, 224, we
get 31, the value we calculated above.

Where should we apply the ACL? We should place it close to the destination, so the best place for it is
inbound on interface F1/0 on the HR server's router.

Standard ACLs are numbered from 1 to 99. The only options we have are permit, deny and remark. The
remark is used to make a comment about an access list rule. Now we create the ACL and apply it. Access
lists are applied with the ip access-group command.


If the ACL is working, then pings from HR should go through but the ones from Sales should now be
blocked.

As expected, the ping from HR succeeded but the one from Sales did not go through. The U in the output
means that ICMP unreachable messages were received. These can be seen if we enable debug ip icmp on
the Sales router.

Another way of verifying is using the show ip access-lists command which shows the counters for the ACL.
There should be hits on the permit statement.

There are hits both on the permit and the deny statement, which is expected. Before taking a look at
extended ACLs, the syntax with named ACLs is shown.

The advantage of using a named ACL is that we can easily recognize what the function of an ACL is by its
name. It also supports sequence numbers so that it’s easy to insert statements later if we need to.

Extended ACL:
The extended ACL is far more useful in most cases, as it can filter based on source and destination IP,
ports, and even options in the IP header. Extended access lists use the numbers 100-199 and also the
named syntax. Go for the named ACL whenever you can, because it's the newer syntax and most features
now support named ACLs.

The basic syntax of an extended ACL is like this:

ip access-list extended HR
 permit <PROTOCOL> <SOURCE NETWORK> <WILDCARD> [<PORT>] <DESTINATION NETWORK> <WILDCARD> [<PORT>]

Matching on ports is optional. Usually, ports are matched on the destination or source side only. Generally
we won't know which port the client connects from, because these ports are ephemeral and selected by
the operating system. The extended access list can also match a range of ports, or ports that are greater
than or less than a port number.

Now it’s time to create an extended ACL. The topology is still the same.

With extended ACLs, we can be much more granular. We will create an ACL based on the following
requirements:

- Only HR may access the HR server (10.10.10.10) at port 80 (HTTP).
- ICMP to 10.10.10.10 is not allowed.
- Only Sales is allowed to access the HR server at port 443 (HTTPS).

Something I didn't mention earlier is that at the end of every access list there is an implicit deny. As soon
as a permit statement has been entered into an ACL, there is an "invisible" deny at the end that blocks
everything not previously permitted. What happens if we apply an empty ACL to an interface? Then
everything is permitted. The easiest way to create this ACL is to put the permit statements first and then
leave the filtering to the implicit deny. In some cases we might have to mix permits and denies, depending
on what kind of filtering the ACL has to do.

As you can see, we can filter based on protocols like ICMP, TCP, UDP and OSPF. When we configure
extended ACLs, the first part is which source is allowed. The first line allows traffic from 10.0.1.0/27.
Extended ACLs can match on both source and destination ports. We don’t know what the source port will
be from the client side since it is chosen by the operating system; we only know that the destination port
will be port 80.

Always verify that the ACL is working as expected. How can we see if an ACL is applied to an interface?
The show ip interface command will show us that:

We start testing from the HR router. ICMP should not be allowed, and traffic to port 443 should also be
blocked, but traffic to port 80 should go through. Sending traffic from a router is a good way of testing
ACLs. This is how you do it:


This is the expected result. With the telnet command from the router, we can simulate sending traffic to
port 80 although the payload is still Telnet.

We must test from the Sales router as well. ICMP should be blocked and traffic to port 80 should not go
through but connecting to port 443 should be working.

This is also working as expected. The extended ACL is very powerful compared to the standard one. In the
next section, we look at how we can edit ACLs.

Editing access lists:


Sometimes we need to edit access lists that are already in place. How do we do that? Every access-list has
sequence numbers that can be seen with show ip access-lists. Remember that access lists are always
processed in a top down order according to the sequence numbers. Using the same ACL as in the previous
example, we will insert a statement at the top to allow ICMP from the HR router.

First we must check what the current sequence numbers are:

The current sequence numbers are 10 and 20 and there is an implicit deny at the end that can’t be seen.
We will insert a statement at sequence number 5 that allows ICMP from the HR network.

The syntax is simple. Just enter the ACL by typing ip access-list extended HR, then enter a number before
the permit or deny statement. This number must be unique, because duplicate sequence numbers are not
allowed.

Now we confirm that the ACL has been edited, but remember that any changes take effect immediately
after the commands are entered.


The ping is now going through. What can we do if we run out of sequence numbers? There could be a
case where you have sequence numbers 1, 2, 3, 4 and 5 and you want to put something at sequence
number 3. In this case, we can resequence the ACL and put more space between the sequence numbers.

We currently have statements 5, 10 and 20. Let's make it so that the first statement is 10 and then there
is a gap of 20 between every sequence number. The syntax is ip access-list resequence
<ACL_NAME> <STARTING_NR> <STEP>.

As you can see, the ACL now starts at sequence 10 and then increments by 20.
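To make the evaluation rules of this chapter concrete (entries walked top-down by sequence number, first match wins, the implicit deny at the end, unique sequence numbers, and resequencing), here is an added Python model of the chapter's HR access list. It is editor-written illustration code, not IOS and not from the book. The HR subnet 10.0.1.0/27 and the server 10.10.10.10 come from the chapter; the Sales subnet 10.0.2.0/27 is an assumption, because the book never states it.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def ip_int(ip: str) -> int:
    return int(IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: bits where the wildcard is 0 must match the base, 1 bits are ignored."""
    diff = ip_int(addr) ^ ip_int(base)
    return (diff & ~ip_int(wildcard) & 0xFFFFFFFF) == 0


@dataclass
class Entry:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # 'eq <port>' on the destination; None means any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


class ExtendedACL:
    """Named extended ACL with sequence numbers, first-match semantics and hit counters."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[Entry] = []
        self.hits = {}   # seq -> packets matched, like the counters in 'show ip access-lists'

    def add(self, entry: Entry) -> None:
        # Duplicate sequence numbers are rejected, as on IOS; entries are kept sorted.
        if any(e.seq == entry.seq for e in self.entries):
            raise ValueError(f"sequence number {entry.seq} already in use")
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)

    def resequence(self, start: int, step: int) -> None:
        # Models 'ip access-list resequence NAME START STEP'.
        for i, e in enumerate(self.entries):
            e.seq = start + i * step

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Walk the entries top-down; return (action, seq). seq is None for the implicit deny."""
        for e in self.entries:
            if e.proto != "ip" and e.proto != pkt.proto:
                continue
            if not wildcard_match(pkt.src, e.src, e.src_wc):
                continue
            if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
                continue
            if e.dport is not None and e.dport != pkt.dport:
                continue
            self.hits[e.seq] = self.hits.get(e.seq, 0) + 1
            return e.action, e.seq
        return "deny", None   # the implicit deny at the end of every ACL


# Addresses from the chapter: HR is 10.0.1.0/27, the HR server is 10.10.10.10.
# The Sales subnet is NOT given in the book; 10.0.2.0/27 is an assumption.
HR_NET, SALES_NET, HR_SERVER = "10.0.1.0", "10.0.2.0", "10.10.10.10"


def build_hr_acl() -> ExtendedACL:
    """The chapter's requirements: HR -> server:80, Sales -> server:443, ICMP not allowed."""
    acl = ExtendedACL("HR")
    acl.add(Entry(10, "permit", "tcp", HR_NET, "0.0.0.31", HR_SERVER, "0.0.0.0", dport=80))
    acl.add(Entry(20, "permit", "tcp", SALES_NET, "0.0.0.31", HR_SERVER, "0.0.0.0", dport=443))
    # No explicit deny for ICMP is needed: the implicit deny drops it.
    return acl


def allow_hr_icmp(acl: ExtendedACL) -> None:
    """The chapter's edit: insert a permit for ICMP from HR at sequence 5, ahead of the rest."""
    acl.add(Entry(5, "permit", "icmp", HR_NET, "0.0.0.31", HR_SERVER, "0.0.0.0"))


if __name__ == "__main__":
    acl = build_hr_acl()
    for p in (Packet("tcp", "10.0.1.5", HR_SERVER, 80), Packet("icmp", "10.0.1.5", HR_SERVER),
              Packet("tcp", "10.0.2.5", HR_SERVER, 443), Packet("tcp", "10.0.2.5", HR_SERVER, 80)):
        print(p, "->", acl.evaluate(p))
    allow_hr_icmp(acl)
    print("after edit:", acl.evaluate(Packet("icmp", "10.0.1.5", HR_SERVER)))
    acl.resequence(10, 20)
    print("sequence numbers:", [e.seq for e in acl.entries])
```

The evaluate method returns the sequence number of the entry that matched, which is the same information the hit counters of show ip access-lists give you on a real router; a result of None is the implicit deny, the entry you cannot see in the configuration but that drops everything the permits did not cover.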

Access-list logging:

Access-lists are good for filtering and they also have a logging function. This can be useful if you want to
see which traffic is getting blocked. Care must be taken though because enabling logging could affect the
performance of the CPU depending on which router model it’s applied to.

To enable logging, add the log keyword to the end of an ACL statement:

These logging messages can then be sent to a syslog server by configuring logging trap.

Protecting terminal lines:

Cisco routers and switches have something called Virtual Teletype (VTY). The device can be accessed
remotely via VTY through the use of Telnet or SSH. It is important to protect the VTY so that that only
users coming from approved subnets may login.

Let’s create a standard ACL allowing only the Sales network to login to the HRserv router:

Now remote login to the device should only be allowed from the Sales router. As always, we verify:


Now the telnet from the HR router should fail.

The VTY is now protected from non-approved subnets.

I think this much information regarding access lists is enough for clearing the CCNA exams. Please
remember that understanding access lists is an important part of the CCNA and CCNA Security curriculum,
so get some hands-on experience, either on a real device or in Packet Tracer.


Chapter 38: Understanding Wildcard Masks

After reading this chapter, you should be able to answer the following questions:
- What are wildcard masks?
- Where are they used?
- How do we calculate them?
Also, a few examples will be provided in the context where the wildcard masks are used.

The topic of wildcard masks confuses CCNA students and poses a lot of problems for them. Before
discussing it in more detail, I assume you have the necessary knowledge about bits and bytes. If you have
forgotten or still do not feel comfortable with these concepts, go back to the previous chapters on
subnetting.

For the CCNA exam, you will come in contact with wildcard masks when you have to configure the OSPF
routing protocol and access control lists.

Wildcard masks are used in OSPF to specify on which interfaces the OSPF protocol will run, and in ACLs to
permit or deny hosts, ranges of hosts or subnets.

A wildcard mask offers an opportunity to ignore sections of the addresses when a comparison is
performed. These ignored sections are treated as if they are already a match. One would compare an IP
address to a wildcard mask to see if that IP address matches what the operator is looking for.

A "0" bit in the wildcard mask means that the corresponding bit of the IP address has to match exactly,
whereas a "1" bit in the wildcard mask means that the corresponding bit of the IP address can be ignored,
or is treated as already matched.

Before we go any further, keep in mind these two rules:

- Decimal 0: the octet must be compared.
- Decimal 255: the octet can be ignored, as it can be safely treated as a match.

So let's start with some basic examples of IP addresses that have to be matched using wildcard masks.

Example 1: match 192.168.1.1/32

Because we need to match this host IP exactly and only this one, then all bits of the wildcard mask should
be “0,” therefore an ACL that should match only 192.168.1.1 will look like this:

192.168.1.1 0.0.0.0

Example 2: match 192.168.1.0/24

Because the prefix that we are trying to match is a /24, the last octet comparison is ignored. When the
whole octet is ignored, then the wildcard mask will have, as the corresponding octet, the value 255.

So let's break it down:

192.168.1.0 in binary is
11000000 10101000 00000001 00000000

And the wildcard mask will be
00000000 00000000 00000000 11111111

Therefore the ACL entry will look like
192.168.1.0 0.0.0.255

Example 3: match 192.168.1.0/26

This example is a combination of the first two examples: it’s neither a host match nor a full octet match.
We have to match any host that falls in the range 192.168.1.0 through 192.168.1.63.

As you can see, we have to play only with the last octet of the subnet.

Let’s break it down.


Step 1: Convert the mask to binary.
Step 2: Reverse the result to get the wildcard bits.
Step 3: Convert the wildcard bits in decimal.

A network mask of /26 means that the mask in decimal is 192, so let’s convert it to binary.
Step 1: 11000000
Step 2: 00111111
Step 3: 63

Basically the ACL entry will look like this:


192.168.1.0 0.0.0.63
Let’s try one more example of this kind.
Match 192.168.1.64/28

A network mask of /28 means that the mask in decimal is 240, so let’s convert it in binary.
Step 1: 11110000
Step 2: 00001111
Step 3: 15

The ACL entry will look like this:


192.168.1.64 0.0.0.15

In many situations, you will need to match all hosts of a subnet. To do that, you can use the following
math: subtract the subnet mask from 255.255.255.255.

For instance, you are required to find the wildcard mask to match the subnet 192.168.0.0/19.

The wildcard mask will be:

255.255.255.255 - 255.255.224.0 = 0.0.31.255

Therefore the ACL entry will be 192.168.0.0 0.0.31.255


You can remember the calculation for an octet of the wildcard mask like this:

2^(8-X) - 1

where X is the number of contiguous bits set to 1 in that octet of the subnet mask.

In the previous example, the prefix length was 19, so from the third octet we used three bits set to 1;
therefore, we have:

2^(8-3) - 1 = 2^5 - 1 = 32 - 1 = 31

It’s better to remember how this is calculated, but you can also use the following table to get the value
quickly.

X (leading 1 bits)   0          1          2          3          4          5          6          7          8
SM binary            00000000   10000000   11000000   11100000   11110000   11111000   11111100   11111110   11111111
SM decimal           0          128        192        224        240        248        252        254        255
WM binary            11111111   01111111   00111111   00011111   00001111   00000111   00000011   00000001   00000000
WM decimal           255        127        63         31         15         7          3          1          0

(SM = subnet mask octet, WM = wildcard mask octet; X is the number of leading 1 bits in the subnet mask octet.)

Let's continue with a more complex example. We need to match all odd-numbered hosts of
192.168.1.0/24. I will list only a few of these hosts here:

192.168.1.1
192.168.1.3
192.168.1.5
192.168.1.7
192.168.1.9
192.168.1.253
192.168.1.255

Let's break down each one of them and see what they have in common:

11000000 10101000 00000001 00000001
11000000 10101000 00000001 00000011
11000000 10101000 00000001 00000101
11000000 10101000 00000001 00000111
11000000 10101000 00000001 00001001
11000000 10101000 00000001 11111101
11000000 10101000 00000001 11111111

Because we are dealing with a /24 network, the first three octets will always be the same. Only the fourth
octet will change. If you look at the binary conversion of the fourth octet, you will notice that the first
seven bits change and the eighth is always 1. So we can translate this as "ignore the first seven bits and
match the eighth one."

So, going back to our example, we will have this:

11000000 10101000 00000001 00000001
11000000 10101000 00000001 00000011
11000000 10101000 00000001 00000101
11000000 10101000 00000001 00000111
11000000 10101000 00000001 00001001
11000000 10101000 00000001 11111101
11000000 10101000 00000001 11111111

00000000 00000000 00000000 11111110
0.0.0.254

Therefore, the ACL entry will be:


192.168.1.0 0.0.0.254

Let’s try an even more complex example that will combine the wildcard mask calculation along with ACL
logic.

Configure an ACL with the minimum entries that will permit the IP addresses in subnets 192.168.X.0/24,
where X is an even number and is greater or equal to 1 and less than or equal to 6.

Keep in mind the wording of the requirement: “minimum.”

Basically, we should match only 192.168.2.0/24, 192.168.4.0/24, 192.168.6.0/24 subnets.


Because the fourth octet can take any value, we will ignore it and this means that the wildcard mask will
have the value 255 for the fourth octet.


Because the first and the second octets have to be 192 and 168, the wildcard mask will have the value 0
in the corresponding octets.

Therefore, from what we know so far, the ACL entry will look like this:
192.168.0.0 0.0.X.255

with the X value remaining to be calculated.

Because we have only three possible values, only the last three bits of the third octet can change.
So, let’s convert into binary the octets that we need to match:

2 = 00000010
4 = 00000100
6 = 00000110

As you can see, only bits from the second and third positions (starting from the right) are changing. To
cover all possible combinations, we can put the value “1” at the positions where the bits can change.
Therefore the value of the third octet of the wildcard mask will be:

00000110 = 6

Hence, the ACL will have this configuration:

permit 192.168.0.0 0.0.6.255

However, this is not exactly what we were asked and here the ACL logic comes into play.
The wildcard mask permits the 192.168.0.0/24 subnet as well, so we have to deny it within the ACL
configuration:

deny 192.168.0.0 0.0.0.255
permit 192.168.0.0 0.0.6.255

As you can see, we were able to configure an ACL with only two entries and this is the minimum that we
could have.
The other possibility is to permit each specific subnet and deny everything else afterwards, but this
would be an ACL with four entries.

Let’s see how the wildcard masks are involved in OSPF routing protocol configuration and operation. We
will assume the topology below with the depicted addressing.

Each router has a Loopback interface with the addressing x.x.x.x/32, where x is the router number. For
instance, R1 has a Loopback interface configured with IP address 1.1.1.1/32.

We are required to configure all three routers in OSPF area 0.


Cisco routers use wildcard masks in OSPF operation the same way they are used in the ACL context. They
are used to match which networks will be advertised in OSPF and therefore on which interfaces OSPF will
run. Routers R1 and R3 have already been configured to run OSPF on all their interfaces:

R1#show running-config | section ospf
router ospf 1
 log-adjacency-changes
 network 1.1.1.1 0.0.0.0 area 0
 network 10.10.0.0 0.0.0.255 area 0
R1#

R3#show running-config | section ospf
router ospf 1
 log-adjacency-changes
 network 3.3.3.3 0.0.0.0 area 0
 network 10.10.0.0 0.0.0.255 area 0

Let’s configure R2 to run OSPF only on FastEthernet1/0 interface:

R2#show running-config interface FastEthernet1/0
Building configuration...

Current configuration : 96 bytes
!
interface FastEthernet1/0
 ip address 10.10.0.9 255.255.255.252
 duplex auto
 speed auto
end

Which wildcard mask is needed to match only this subnet in order to avoid running OSPF on any other
interface?

Using the information presented in the examples from the beginning of the article, you should be able to
figure this out.

As you can see, the subnet configured is 10.10.0.8/30. So we have to calculate what the fourth octet of
the wildcard mask would be.

We can either convert the mask to binary, reverse the result and convert it back to decimal, or we can use
the formula 2^(8-X) - 1.

Either way, the network statement would use 10.10.0.8 0.0.0.3.


Let’s configure this and confirm that OSPF will run only on FastEthernet1/0 interface:

R2#show running-config | section ospf
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.10.0.8 0.0.0.3 area 0
R2#show ip ospf interface brief
Interface    PID   Area    IP Address/Mask    Cost  State  Nbrs F/C
Fa1/0        1     0       10.10.0.9/30       1     BDR    1/1
Lo0          1     0       2.2.2.2/24         1     LOOP   0/0
R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/DR         00:00:30    10.10.0.10      FastEthernet1/0
R2#

The next task will be to configure OSPF to run on both interfaces towards R1, using only one statement.

R2#show running-config interface FastEthernet0/0
Building configuration...

Current configuration : 96 bytes
!
interface FastEthernet0/0
 ip address 10.10.0.2 255.255.255.252
 duplex auto
 speed auto
end

R2#show running-config interface FastEthernet2/0
Building configuration...

Current configuration : 96 bytes
!
interface FastEthernet2/0
 ip address 10.10.0.6 255.255.255.252
 duplex auto
 speed auto
end

We have two /30 subnets, 10.10.0.0/30 and 10.10.0.4/30, which can be summarized into one /29 subnet,
10.10.0.0/29. So we have to create a wildcard mask that matches the 10.10.0.0/29 subnet. As you have
probably already figured out, the wildcard mask should be 0.0.0.7:

R2#show running-config | section ospf
router ospf 1
 log-adjacency-changes
 network 2.2.2.2 0.0.0.0 area 0
 network 10.10.0.0 0.0.0.7 area 0
 network 10.10.0.8 0.0.0.3 area 0
R2#show ip ospf interface brief
Interface    PID   Area   IP Address/Mask   Cost  State  Nbrs F/C
Fa2/0        1     0      10.10.0.6/30      1     BDR    1/1
Fa0/0        1     0      10.10.0.2/30      1     BDR    1/1
Fa1/0        1     0      10.10.0.9/30      1     BDR    1/1
Lo0          1     0      2.2.2.2/24        1     LOOP   0/0
R2#show ip ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address       Interface
10.10.0.5         1   FULL/DR    00:00:32    10.10.0.5     FastEthernet2/0
10.10.0.5         1   FULL/DR    00:00:32    10.10.0.1     FastEthernet0/0
3.3.3.3           1   FULL/DR    00:00:37    10.10.0.10    FastEthernet1/0
R2#
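As an added example that is not part of the original chapter, here are the two wildcard-mask methods from the text, OSPF's matching rule, and the /30-to-/29 summarization just performed, written in Python. The interface names and addresses are R2's from this chapter; the helper names are my own.

```python
import ipaddress
from typing import Dict, List


def wildcard_octet(mask_bits_in_octet: int) -> int:
    """The chapter's formula 2^(8-X) - 1, where X is how many of the octet's 8 bits are mask bits."""
    if not 0 <= mask_bits_in_octet <= 8:
        raise ValueError("an octet holds 0..8 mask bits")
    return 2 ** (8 - mask_bits_in_octet) - 1


def wildcard_mask(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len, built octet by octet with wildcard_octet()."""
    octets = []
    remaining = prefix_len
    for _ in range(4):
        bits = min(8, max(0, remaining))
        octets.append(wildcard_octet(bits))
        remaining -= bits
    return ".".join(str(o) for o in octets)


def wildcard_mask_by_inversion(prefix_len: int) -> str:
    """The chapter's other method: invert every bit of the 32-bit subnet mask."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def network_statement(interface_cidr: str, area: int = 0) -> str:
    """'network <subnet> <wildcard> area <n>' that matches exactly the interface's own subnet."""
    net = ipaddress.IPv4Interface(interface_cidr).network
    return f"network {net.network_address} {wildcard_mask(net.prefixlen)} area {area}"


def statement_matches(statement_addr: str, wildcard: str, iface_addr: str) -> bool:
    """OSPF's rule: where a wildcard bit is 0 the address bits must be equal; where it is 1
    the bit is ignored."""
    a = int(ipaddress.IPv4Address(statement_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    i = int(ipaddress.IPv4Address(iface_addr))
    care = w ^ 0xFFFFFFFF  # the bits that have to match
    return (a & care) == (i & care)


def summary_statement(interface_cidrs: List[str], area: int = 0) -> str:
    """One statement covering several subnets: the longest prefix that contains all of them
    (the chapter's two /30s become one /29)."""
    nets = [ipaddress.IPv4Interface(c).network for c in interface_cidrs]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    for prefix in range(32, -1, -1):
        candidate = ipaddress.IPv4Network(f"{first}/{prefix}", strict=False)
        if candidate.network_address <= first and candidate.broadcast_address >= last:
            return f"network {candidate.network_address} {wildcard_mask(prefix)} area {area}"
    raise AssertionError("unreachable: /0 covers every address")


def interfaces_enabled(statements: List[str], interfaces: Dict[str, str]) -> List[str]:
    """Interfaces OSPF would run on, given 'network A W area N' lines and name -> address."""
    enabled = []
    for name, addr in interfaces.items():
        for stmt in statements:
            _, net_addr, wild, *_ = stmt.split()
            if statement_matches(net_addr, wild, addr):
                enabled.append(name)
                break
    return enabled


if __name__ == "__main__":
    # R2's interfaces as shown in this chapter
    r2 = {"Fa0/0": "10.10.0.2", "Fa1/0": "10.10.0.9", "Fa2/0": "10.10.0.6", "Lo0": "2.2.2.2"}
    stmts = [network_statement("10.10.0.9/30"),
             summary_statement(["10.10.0.2/30", "10.10.0.6/30"])]
    for s in stmts:
        print(s)
    print("OSPF enabled on:", interfaces_enabled(stmts, r2))  # Lo0 is not matched
```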

After finishing this chapter, I believe you have the knowledge necessary to feel comfortable with
wildcard mask topics.

However, to master wildcard masks and to be able to answer any possible question quickly during the
CCNA exam, you still need some practice.


Chapter 39: NAT/PAT - The Technique behind Private and Public IP Communication

Network Address Translation (NAT) is the process of modifying IP address information in IPv4 headers
while in transit across a traffic routing device.

If you have read articles on our Intense School resource page, you were most likely connected to the
Internet and viewing them on the Intense School website. There's a very good chance that you were
using Network Address Translation (NAT) to do so.

The internet has grown larger than anyone ever imagined. Although the exact size is unknown, the current
estimate is that there are about 100 million hosts and more than 350 million users active on the Internet.
That is more than the entire population of the United States! In fact, the rate of growth has been such
that the Internet is effectively doubling in size each year.

So what does the size of the internet have to do with NAT? Everything! For a computer to communicate
with other computers and web servers on the Internet, it must have an IP address. An IP address (IP stands
for Internet Protocol) is a unique 32-bit number that identifies the location of your computer on a
network. Basically, it works like your street address - a way to find out exactly where you are and deliver
information to you.

When IP addressing first came out, everyone thought that there were plenty of addresses to cover any
need. Theoretically, you could have 4,294,967,296 unique addresses (2^32). The actual number of available
addresses is smaller (somewhere between 3.2 and 3.3 billion) because of the way that the addresses are
separated into classes, and because some addresses are set aside for multicasting, testing or other special
uses, which we have discussed in our previous articles on IP addressing/Subnetting.

With the explosion of the Internet and the increase in home and business networks, the number of
available IP addresses is simply not enough. The obvious solution is to redesign the address format to
allow for more possible addresses. This is being developed right now (called IPv6) but it will take several
years to implement because it requires modification of the entire infrastructure of the Internet.
This is where NAT comes to the rescue. Network Address Translation allows a single device, such as a
router, to act as an agent between the Internet ("public network") and a local (or "private") network. This
means that only a single, unique IP address is required to represent an entire group of computers.

But the shortage of IP addresses is only one reason to use NAT. In this article, you will learn more about
how NAT can benefit you. But first, let's take a closer look at NAT and exactly what it can do.

It is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single
IP address, or in some cases a small group of IP addresses, in another (usually public) address space. To
avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher level
information such as TCP/UDP ports in outgoing communications and must maintain a translation table so
that return packets can be correctly translated back. RFC 2663 uses the term NAPT (Network Address and
Port Translation) for this type of NAT. Other names include PAT (Port Address Translation), IP
masquerading, NAT Overload and many-to-one NAT. Since this is the most common type of NAT it is often
referred to simply as NAT.


However, most NAT devices today allow the network administrator to configure translation table entries
for permanent use. This feature is often referred to as "static NAT" or port forwarding, and it allows traffic
originating in the "outside" network to reach designated hosts as shown in Fig.1 below.

In the mid-1990s, NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion.
It has become a common, indispensable feature in routers for home and small-office Internet connections.
Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet
using a single public IP address.
Network address translation has serious drawbacks in terms of the quality of Internet connectivity and
requires careful attention to the details of its implementation. In particular, all types of NAT break the
originally envisioned model of IP end-to-end connectivity across the Internet and NAPT makes it difficult
for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have
been devised to alleviate the issues encountered.
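To make the one-to-many behaviour described above concrete, here is an added example (not part of the original chapter) of a NAPT translation table in Python: outgoing flows get a unique public port, returning packets are mapped back through the table, unsolicited inbound packets have nowhere to go and are dropped, and a permanent "static NAT" entry lets chosen inbound traffic through. The public address 202.1.13.10 and inside host 192.168.1.10 are the ones used later in this chapter; the other addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """One-to-many NAT (NAPT/PAT): every inside host shares one public address, and the
    router rewrites source ports so that returning packets can be told apart."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        # translation table: (proto, public port) -> (inside ip, inside port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # reverse index so an existing flow keeps its port: (proto, inside ip, inside port) -> public port
        self.reverse: Dict[Tuple[str, str, int], int] = {}

    def add_static(self, proto: str, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Permanent entry (static NAT / port forwarding): traffic arriving from outside for
        public_port is delivered to inside_ip:inside_port."""
        if (proto, public_port) in self.table:
            raise ValueError(f"{proto}/{public_port} is already mapped")
        self.table[(proto, public_port)] = (inside_ip, inside_port)
        self.reverse[(proto, inside_ip, inside_port)] = public_port

    def _free_port(self, proto: str) -> int:
        for port in range(self.first_port, self.last_port + 1):
            if (proto, port) not in self.table:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the public address and a unique port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        port = self.reverse.get(key)
        if port is None:
            port = self._free_port(pkt.proto)
            self.table[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
            self.reverse[key] = port
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets matching a table entry get through; anything else
        has no inside host to go to and is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

    def translations(self) -> List[str]:
        """Lines in the spirit of 'show ip nat translations': proto, inside global, inside local."""
        return [f"{proto} {self.public_ip}:{pub} {ip}:{port}"
                for (proto, pub), (ip, port) in sorted(self.table.items())]


if __name__ == "__main__":
    nat = Napt("202.1.13.10")  # the public address used in this chapter's examples
    # constructed sample traffic: two inside hosts use the same source port to the same server
    a = nat.outbound(Packet("192.168.1.10", 5000, "203.0.113.5", 80))
    b = nat.outbound(Packet("192.168.1.11", 5000, "203.0.113.5", 80))
    print(a, b, sep="\n")
    print(nat.inbound(Packet("203.0.113.5", 80, "202.1.13.10", b.src_port)))  # back to 192.168.1.11
    print(nat.inbound(Packet("198.51.100.7", 4444, "202.1.13.10", 2222)))     # unsolicited: None
    nat.add_static("tcp", 8080, "192.168.1.20", 80)                           # port forwarding
    for line in nat.translations():
        print(line)
```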

What Does NAT Do?

NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not
to forward any calls to you unless you request it. Later on, you call a potential client and leave a message
for that client to call you back. You tell the receptionist that you are expecting a call from this client and
to put her through.

The client calls the main number to your office, which is the only number the client knows. When the
client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches
your name with your extension. The receptionist knows that you requested this call, and therefore
forwards the caller to your extension.

Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that
sits between an internal network and the rest of the world. NAT has many forms and can work in several
ways:

•Static NAT - Maps an unregistered IP address to a registered IP address on a one-to-one basis. It's
particularly useful when a device needs to be accessible from outside the network. In the example below,
the computer with the IP address 192.168.1.10 is always translated to 202.1.13.10.

(config)# ip nat inside source static 192.168.1.10 202.1.13.10
! static binding: 192.168.1.10 <-> 202.1.13.10
(config)# interface F0/0
(config-if)# ip address 192.168.1.1 255.255.255.0
! the router's inside address must differ from the host 192.168.1.10 (the original used the host's own address)
(config-if)# ip nat inside
(config)# interface Serial0/0
(config-if)# ip address 202.1.13.1 255.255.255.0
! the outside address must differ from the statically mapped 202.1.13.10 (the original reused it)
(config-if)# ip nat outside

•Dynamic NAT – Maps an unregistered IP address to a registered IP address from a group (pool) of
registered IP addresses. In the example below, the computer with the IP address 192.168.1.10 will be
translated to the first available address in the range from 202.1.13.10 to 202.1.13.15.

(config)# ip nat pool cisco 202.1.13.10 202.1.13.15 netmask 255.255.255.0
! pool for dynamic allocation
(config)# ip nat inside source list 1 pool cisco
(config)# interface F0/0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# ip nat inside
(config)# interface Serial0/0
(config-if)# ip address 202.1.13.1 255.255.255.0
(config-if)# ip nat outside
(config)# access-list 1 permit 192.168.1.0 0.0.0.255
! inside addresses that are allowed to be translated

•Overloading - A form of dynamic NAT that maps multiple unregistered IP addresses to a single
registered IP address by using different ports. This is also known as PAT (Port Address Translation), single
address NAT or port-level multiplexed NAT.

(config)# ip nat pool cisco 202.1.13.10 202.1.13.10 netmask 255.255.255.0
! a pool with a single address; 'overload' lets many inside hosts share it
(config)# ip nat inside source list 1 pool cisco overload
(config)# interface F0/0
(config-if)# ip address 192.168.1.1 255.255.255.0
(config-if)# ip nat inside
(config)# interface Serial0/0
(config-if)# ip address 202.1.13.1 255.255.255.0
(config-if)# ip nat outside
(config)# access-list 1 permit 192.168.1.0 0.0.0.255

•Overlapping – When the IP addresses used on your internal network are registered IP addresses in use
on another network, the router must maintain a lookup table of these addresses so that it can intercept
them and replace them with registered unique IP addresses. It is important to note that the NAT router
must translate the "internal" addresses to registered unique addresses, as well as translate the "external"
registered addresses to addresses that are unique to the private network. This can be done either through
static NAT or by using DNS and implementing dynamic NAT.

The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A
stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is
local, so it doesn't travel outside the internal network. A stub domain can include both registered and
unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network
Address Translation to communicate with the rest of the world.

NAT Verification:
Router#show ip nat translations
Router#debug ip nat

You can use 'clear ip nat translation *' to clear all entries from the NAT table.


Chapter 40: An Introduction to Virtual Private Network (VPN)

In this chapter, we will study VPN concepts as a required topic for the Cisco CCNA exam. A Virtual Private
Network is a network that allows data to be transmitted securely over a public network, such as the
Internet, by providing access to the intended recipients only. Organizations use VPNs to connect branch
and home offices, partner sites and remote telecommuters to all or portions of their corporate network.
All traffic sent through the public Internet infrastructure is encrypted from one end to the other. Of
course, Layer 2 connections, such as leased lines, could be used, but the costs of Layer 2 connections are
much higher and they do not allow the same mobility as a VPN connection. A VPN connection can be
initiated from wherever you are: home, a hotel where you have a wireless connection available, or a
remote branch office. On the other hand, a VPN, as a virtual connection routed through the Internet,
supports only a limited set of protocols.

A Virtual Private Network protects our private network traffic from interception and tampering and
improves on plain Internet connectivity through quality of service, with the help of encryption
technologies. VPNs are used in intranets, for remote access, and in extranets to ensure security. Several
technologies have been introduced for VPNs to protect the flow of information between networks. Among
these, IPsec (Internet Protocol Security) has gained particular significance and has made the Internet a
standard medium for secure data transmission.

To strengthen security, a VPN is combined with a firewall. One option is to install the VPN server on the
firewall already present at the edge of the company's network, rather than building a separate
configuration. This lets the VPN serve remote networks with traffic encryption, lets the firewall restrict
inbound access from the Internet, and gives the network a single point of access to the Internet. Another
option is to run the firewall and the VPN server in parallel. In this mode, the firewall forwards the VPN
packets to the VPN machine; this can be done by placing a router between the VPN server, the firewall
and the network machines. Apart from this, a VPN can be configured with its own firewall and deployed
for the organization's communication network.
Here's a list of the VPN types:

Site-to-site VPN
Often abbreviated to S2SVPN. It’s a connection between two sites and encrypts all traffic between two
(or multiple) subnets. There are two types of S2SVPN:

•Policy-based: interesting traffic triggers an ACL and is encrypted and sent to the remote VPN peer.
•Routed: traffic is routed into an encrypted tunnel to the remote VPN peer.

DMVPN:
A Dynamic Multipoint VPN is not a protocol, but more a technique using different protocols. One or more
central hub routers are required, but the remote (spoke) routers can have dynamic IPs and more can be
added without having to modify the configuration on the hub router(s), or any other spoke routers. The
routers use a next-hop resolution protocol, combined with a dynamic routing protocol to discover remote
peers and subnets. The VPN itself is an mGRE tunnel (GRE with multiple endpoints), which is encrypted.
This way, traffic between spoke routers does not have to go through the hub router but can be sent
directly from spoke to spoke.


Client VPN:
A client VPN is an encrypted connection from one device towards a VPN router. It makes that one remote
device appear as a member of a local subnet behind the VPN router. Traffic is tunnelled from the device
(usually a computer or laptop of a teleworker) towards the VPN router so that user has access to resources
inside the company. It requires client software that needs to be installed and configured.

SSLVPN:
This VPN works like a client VPN. The difference is that the remote client does not need preconfigured
software, but instead the browser acts as VPN software. The browser needs to support active content,
which every modern browser supports; either directly or through a plug-in. Traffic is tunnelled over SSL
(or TLS) to the SSLVPN router. From a networking perspective, traffic is tunnelled over Layer 4 instead of
Layer 3. The benefit is that the remote user does not need to configure anything and can simply log in to
a web page to start the tunnel.

Advantages of VPN:
•Cost savings: Organizations that adopt VPNs use the public Internet to connect their corporate site to
their users and to all their remotely located branches. This avoids the cost of dedicated wide area
network links between the locations where the company is present.
•Security: Security is the major and most significant feature of a virtual private network; it lets
organizations transmit data securely over the network regardless of whether a user, client or employee
is accessing it. The advanced encryption and authentication protocols used in these private networks
ensure the privacy and security of the data transferred and protect it from illicit access.
•Scalability: A virtual private network makes it easy to add new users to the network. This is possible
because VPNs use the Internet infrastructure of the Internet service providers, which scales readily. This
is an added benefit for companies that want to widen their user base across the network without any
additional infrastructure changes.
•Compatibility with broadband technology: Compatibility with broadband technology is another benefit
these private networks provide. VPN technologies let users such as mobile workers connect to their
corporate sites remotely. This is possible because VPNs work over the broadband services delivered by
providers through cable or DSL.

VPN enabling technologies and protocols


The following are various technologies used by virtual private network to ensure transmission of data
confidentially.

Internet protocol Security (IPsec):


IPsec was introduced to guarantee secure information transfer over the Internet, whose underlying IP
design at Layer 3 of the OSI model offers no protection. Internet Protocol Security provides data integrity,
privacy through encryption, and authentication so that only correctly authorized parties take part in the
network. Together, these prevent an intruder from reading the data or altering the confidential data
transmitted. Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two security
protocols IPsec uses to provide its services. The Authentication Header protects the integrity of the data
packets transferred over the network and authenticates their origin, which defeats tampering. It does not
provide any encryption; the authentication header is added in front of every data packet it protects. ESP
provides data privacy in addition to integrity and packet authentication. This privacy is obtained with
algorithms that are agreed on by the source and destination hosts. The keys IPsec uses are handled by
key management, which can be set up automatically or manually.

Point-to-Point Tunnelling Protocol (PPTP):

PPTP is an OSI Layer 2 protocol that was used to obtain connectivity to the Internet through dial-up. A
connection is established when the user dials the Internet service provider using PPTP. This point-to-
point protocol provides an Internet connection for remote users, where a virtual network is set up with
each client's session. Authentication and encryption are provided together for this protocol, whose
packets consist of an IP header, a GRE header, a PPP header and encrypted PPP data. The IP header
carries the source and destination addresses of the tunnel endpoints for the frames transmitted. The GRE
header controls the traffic that carries the PPP data packets. The data wrapped inside the packet is
encrypted, and the encrypted PPP frame together with the GRE header is carried inside the IP packet
along with the source and destination addresses. When the destination host running the PPTP server
receives the packet, it uses the IP header and the GRE header to locate and decrypt the encapsulated data.

Layer 2 Tunnelling Protocol (L2TP):

This protocol enables encapsulated PPP frames to be transmitted over IP or other networks. This is
possible because multiple connections are allowed over a single tunnel, and several protocols can be used
simultaneously on OSI Layer 2. L2TP authentication is similar to that of the Point-to-Point Protocol, and
the data is encapsulated. As it is a combination of PPTP and L2F (Layer 2 Forwarding), the PPP frame
data is wrapped with a PPP header and an L2TP header. The whole L2TP message is then encapsulated
in a UDP header with source and destination ports. Finally, all these encapsulations are wrapped in an IP
header carrying the source and destination IP addresses of the VPN server and client.

Secure Sockets Layer or Transport Layer Security (SSL/TLS):

This is a transport layer protocol. It has various cryptographic capabilities that ensure data integrity,
privacy and security. It requires only a web browser, which is present on virtually every computer, to set
up a protected channel between the network and the remote system; on the other side, only an SSL VPN
server capable of providing the security is required. Authentication is achieved with digital certificates
during the handshake between the remote client system and the server. Keys are established during the
handshake for the encryption performed for the rest of the remote access session. SSL VPNs are often
deployed with a self-signed digital certificate, which web browsers do not consider convincing enough to
trust by default.

Configuration example of IPSec Site-to-Site VPN


IPSec Site-to-Site VPN can be configured in four steps:

Step 1: Phase 1 (to protect DATA)

crypto isakmp policy <policy number>
 encryption <aes | 3des | des>
 authentication pre-share
 group <1 | 2 | 5>
 lifetime <in seconds>
crypto isakmp key cisco address <peer ip address> [<subnet mask>]

Step 2: Phase 2 (to protect VPN Tunnel)

crypto ipsec transform-set <transform-set name> <encryption method> <hash method>

Step 3: Create Crypto-Map

crypto map <crypto-map name> <sequence number> ipsec-isakmp
 set peer <peer ip address>
 set transform-set <transform-set name>
 match address <ACL number or name>
! the ACL specifies which traffic is sent through the tunnel

Step 4: Apply Crypto-Map to an interface

interface <interface-id>
 crypto map <crypto-map name>


Part 9- Wide Area Network (WAN)


Chapter 41: Point-to-Point WANs

In Chapter 3, we discussed Wide Area Networks. If you decided to skip that chapter earlier, I would
encourage you to go back to Part 1 of this book to learn the fundamentals of WAN technology before
continuing here.

After reading this chapter, you will know:


1. The functions provided by PPP
2. How to identify the LCP features
3. How to configure basic PPP
4. How to configure CHAP/PAP authentication
5. How to configure PPP multilink interfaces

Along with High-Level Data Link Control (HDLC) and Frame Relay, PPP is one of the three protocols that
form the foundation on which WAN communication is built.

All three are currently part of the CCNA curriculum. To improve your chances of passing the CCNA exam, a
good understanding of all three is required.

HDLC is a simple Layer 2 protocol that’s used to connect point-to-point serial devices. Cisco’s version of
HDLC is proprietary because of the protocol type field.

HDLC is the default protocol on all Cisco serial interfaces. If you check the configuration of a serial
interface, you will see that there is no encapsulation configured.

However, the 'show interface' command displays that the encapsulation is HDLC.


Frame Relay is a set of WAN standards that aim to create a more efficient WAN service as compared to
point-to-point links. However, Frame Relay protocols are more complicated and are outside of the scope
of this article.

PPP is a data link protocol that establishes a direct, private connection between two network devices,
which in our case are always two routers.

Point-to-point means:
1. A logical connection that is established between two and only two points.
2. A circuit connecting two points without intermediary devices.

PPP provides the following functions to the two routers connected over a leased line:
1. A protocol type field in the header that allows multiple Layer 3 protocols to pass over the same link.
2. Authentication methods: Password Authentication Protocol (PAP) and Challenge Handshake
Authentication Protocol (CHAP).
3. Control protocols for each upper layer that crosses the PPP link.

The PPP frame structure looks like this:

One of the most important features of the PPP protocol is the protocol field. The protocol field, which is
2 bytes long, identifies the type of the packet that is transported over the link.

The protocol field values can start with 0, 8 or C. If it starts with 0, the field identifies the network
protocol being carried. If it starts with 8, it identifies the control protocol that negotiates the network
protocol used over the link. If it starts with C, the protocol field indicates that a Link Control Protocol
(LCP) packet is encapsulated in the next field of the PPP frame, the Information field. For instance, 0021
means that the protocol transported is IP.

LCP provides four important features:

1. Loop detection
This detects if the link is looped and brings down the interface. LCP detects the looped links using the
magic numbers. When PPP is used, the routers on the link send PPP LCP messages. These messages include
a magic number, which is unique for every router. When an interface is looped, whatever a router is
sending over an interface is coming back.

In case of a loop, the router receives the LCP messages containing its own magic number instead of getting
an LCP message with a different magic number, hence a different router. When this happens, the router
knows that the interface is looped and can bring it down.

Bringing down a looped interface quickly might speed up the routing protocols convergence. Instead of
waiting for, let’s say, the OSPF dead interval to expire, the router can bring the interface down right away
and OSPF will recalculate the network topology.

2. Error detection
The purpose of the FCS field in the PPP frame is to check if the frame is correct and, if not, to be dropped
by the router as it’s an erroneous frame. Additionally, the router can monitor the rate of the error frames
and if that rate goes above a threshold over an interface, the interface can be brought down.
Link Quality Monitoring (LQM) monitors the error rate on a PPP link. Each LQM implementation counts the
packets and bytes sent and successfully received. This information is exchanged over the PPP link at
regular time intervals. By comparing the counters in successive messages, a receiver can calculate how
many packets/bytes the other router sent and how many were successfully received.

One thing to note is that there is no reason to bring a link down that has the number of errors above the
configured rate if it’s the only link available. It would make sense to bring down the interface only if there
is an alternate link.

3. PPP Multilink
PPP Multilink is a feature of LCP that allows two routers to signal to each other that they are able to treat
more than one physical link as a logical one, with the bandwidth being the sum of the physical interfaces’
bandwidth.

Multilink PPP load balances the traffic over the links equally, allowing IP routing lookup to treat the
multiple links as just one. When the packet is encapsulated in PPP, the packet is fragmented into smaller
frames that are equally distributed over the links that are part of the multilink.

4. Authentication
As previously said, the two authentication methods for PPP are PAP and CHAP. CHAP is the preferred
method because it uses MD5, whereas PAP sends the passwords over the link in clear text.
Both PAP and CHAP exchange messages across the link between the two routers. If PAP is used, then the
username and password are sent across the link in the first message.

This is what happens during CHAP authentication:


1. When CHAP starts to be negotiated, one of the sides, called the authenticator, will send a
challenge message to the other side, called the peer.
2. The peer replies with a MD5 hash value.


3. The authenticator calculates what hash value the peer should send. In case they don’t match, the
connection between them is dropped. In case the values are identical, then the peer is
authenticated by the authenticator.

The interesting thing about CHAP authentication is that it is based on secret information that is known
only by the two routers but is never sent between them. Each one calculates an MD5 value which is
compared with what the other router sent. What was explained above is one-way authentication and
should be enough to have a secure link between two routers. There is also two-way CHAP authentication,
where each router plays the role of both authenticator and peer at the same time.
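As an added example that is not part of the original chapter, the three CHAP steps above in Python: the authenticator sends a challenge, the peer answers with MD5(identifier || secret || challenge) as CHAP defines it, and the authenticator recomputes and compares, so the shared secret never crosses the link. The `Router` class and its `usernames` table stand in for the 'hostname' and 'username ... password' configuration; the hostnames and the placeholder secret are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Challenge:
    identifier: int   # the 1-byte Identifier ('id 11' in the debug output shown later)
    value: bytes      # random challenge value chosen by the authenticator
    name: str         # the authenticator's hostname, carried in the Challenge packet


@dataclass(frozen=True)
class Response:
    identifier: int   # echoes the challenge's identifier
    digest: bytes     # MD5(Identifier || secret || challenge value), per CHAP (RFC 1994)
    name: str         # the peer's hostname, so the authenticator knows which 'username' applies


def chap_digest(identifier: int, secret: str, challenge: bytes) -> bytes:
    """The CHAP response value. The shared secret goes into the hash but never onto the link."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret.encode() + challenge).digest()


class Router:
    """A router with 'hostname <name>' and 'username <other> password <secret>' configured."""

    def __init__(self, hostname: str, usernames: Dict[str, str]):
        self.hostname = hostname
        self.usernames = dict(usernames)   # other hostname -> shared secret (both case-sensitive)
        self._next_id = 1

    # --- authenticator role ---
    def make_challenge(self) -> Challenge:
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        return Challenge(ident, os.urandom(16), self.hostname)

    def verify(self, challenge: Challenge, response: Response) -> bool:
        """Recompute the hash the peer should have sent and compare it with what arrived."""
        secret = self.usernames.get(response.name)   # looked up by the *peer's* name
        if secret is None or response.identifier != challenge.identifier:
            return False
        expected = chap_digest(challenge.identifier, secret, challenge.value)
        return hmac.compare_digest(expected, response.digest)

    # --- peer role ---
    def respond(self, challenge: Challenge) -> Optional[Response]:
        secret = self.usernames.get(challenge.name)   # looked up by the *authenticator's* name
        if secret is None:
            return None   # no 'username' entry for that hostname: the peer cannot answer
        return Response(challenge.identifier,
                        chap_digest(challenge.identifier, secret, challenge.value),
                        self.hostname)


def one_way_chap(authenticator: Router, peer: Router) -> bool:
    """Steps 1-3 from the text: challenge, response, verification."""
    challenge = authenticator.make_challenge()
    response = peer.respond(challenge)
    return response is not None and authenticator.verify(challenge, response)


def two_way_chap(r1: Router, r2: Router) -> bool:
    """Each router authenticates the other."""
    return one_way_chap(r1, r2) and one_way_chap(r2, r1)


if __name__ == "__main__":
    # constructed configurations with a placeholder shared secret
    r1 = Router("R1", {"R2": "cisco"})
    r2 = Router("R2", {"R1": "cisco"})
    print("R1 authenticates R2:", one_way_chap(r1, r2))   # True
    print("two-way:", two_way_chap(r1, r2))                # True
    # the two classic mistakes: wrong case in the password, wrong case in the hostname
    print("password case:", one_way_chap(r1, Router("R2", {"R1": "Cisco"})))   # False
    print("hostname case:", one_way_chap(r1, Router("r2", {"R1": "cisco"})))   # False
```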

The case study will be based on the topology and addressing shown on the diagram below:

This section will show you how you can configure PPP, PAP/CHAP authentication and multilink interfaces,
including how to check that the PPP is working using ‘show’ and ‘debug’ commands.
To enable PPP on a link, you just have to configure ‘encapsulation ppp’ on both routers on the link. This is
the configuration needed on R1 and same on R2:


If the link is up and running, you should see a similar output as below:

The highlighted lines show that PPP encapsulation was configured on the link and that the LCP phase has
successfully completed. Also, as you can see, two Control Protocols, IPCP and CDPCP, were enabled.
Suppose that you remove the IP configuration from the PPP link on both routers. IPCP will then be in a
closed state:

So, what are IPCP and CDPCP? For features related to the Layer 3 protocols, PPP uses PPP Control
Protocols (CP). For each PPP link, PPP uses a single instance of LCP and one instance of CP for each Layer
3 protocol configured on the link. In our case, the PPP link is using IP and CDP, therefore we’re seeing a
single instance of LCP, IPCP (for IPv4) and CDPCP (for CDP). As you saw, if we disable the IP configuration,
then IPCP goes into a closed state.

If you want to see the messages exchanged when a PPP link comes up, you can use this debug
command: ‘debug ppp negotiation’.

Below, the interface Serial0/0 from R1 was disabled and the debug was activated. Right after the link is
brought up, R1 starts to exchange messages with R2:


Let’s configure CHAP authentication on the PPP link between R1 and R2.

Before doing that though, let’s see the steps in configuring CHAP authentication:
1. Configure the router’s hostname.
2. Configure the name of the other router and the shared secret password.
3. Enable CHAP authentication on the interface.
This is the configuration needed on R1 to enable CHAP authentication:


And the configuration on R2:

The steps to configure CHAP authentication and the commands for them are not complicated, but the
problem is that it’s easy to incorrectly configure the hostnames. Each router in the ‘username’
configuration must reference the other router’s hostname. As might seem obvious, the passwords are
case-sensitive, as well as hostnames.

If the authentication was successful, then the interfaces should be in ‘up up’ state:

To debug the authentication, either CHAP or PAP, one could use the command ‘debug ppp
authentication’.

The debug was enabled and the Serial0/0 interface from R1 was brought back up:


As you can see from the output, some lines start with 'O' and others with 'I'. This stands for Output and
Input from the point of view of the router where the debug is enabled. Each router is authenticating the
other one.

Let's follow the R2 router being authenticated by R1. The authentication starts with R1 sending the
challenge:
Apr 23 15:33:37.974: Se0/0 CHAP: O CHALLENGE id 11 len 23 from "R1"
R2 sends back the response:
Apr 23 15:33:37.994: Se0/0 CHAP: I RESPONSE id 11 len 23 from "R2"
Because the authentication is successful, R1 sends the success message back to R2:
Apr 23 15:33:37.994: Se0/0 CHAP: O SUCCESS id 11 len 4
Now that we configured CHAP authentication on the link between R1 and R2, let’s configure PAP
authentication between R3 and R4, with R3 requesting R4 to authenticate. If R4 agrees, then it will send
the username and password to R3.
This is the configuration of R3:


And the configuration on R4:

This is what happens during a PAP authentication:

The last configuration that we will do is the multilink configuration between R2 and R3. We will
configure the two links between R2 and R3 to be part of the same bundle, called a multilink.
Let’s see what the configuration on R2 is:


The configuration on R3 is almost identical.

As previously noted in the introduction to PPP Multilink, all layer 3 configuration is done on the
Multilink interface. Let’s check the connectivity between R2 and R3:

You can check what interfaces are part of a multilink by using the command ‘show ppp multilink’:

To troubleshoot a multilink you can use ‘debug ppp multilink events’:

I hope that, having reached this point in the chapter, you:

1. Have a good understanding of the PPP protocol and what it provides;
2. Know what features can be configured on PPP links; and
3. Know how to configure PPP, authentication and multilink interfaces.

Chapter 42: Demystifying Frame Relay

Why Should We Learn Frame Relay?

Frame Relay is a topic that makes us wonder whether we are in the 21st century or not. Why are we still
talking about Frame Relay?

Some people may say, “Because Cisco wants to,” but in fact there are still companies that use Frame
Relay services to connect to the WAN.

Whether your company still uses Frame Relay or you’re just preparing for an exam, you should still know
the technology. This chapter contains a detailed explanation of the protocol and its configuration.

You may get Frame Relay questions or scenarios to solve during exams, not only because it is still used,
but mostly because Frame Relay puts a lot of difficulties on the higher-level protocols; solving these
sometimes complex scenarios demonstrates a good understanding not only of Frame Relay but also of
the technology or protocol that runs on top of it.

Just an example: remember that most of the OSPF network types are best explained in conjunction with
Frame Relay.

In the real world, Frame Relay has mostly been replaced by MPLS, but there may still be companies that
use it, probably because of long-term contracts signed with their service providers. Even in these cases,
it’s almost certain that you will not find an end-to-end Frame Relay connection these days, but rather FR
on the last mile and MPLS in the provider’s core.

What are the Challenges Introduced by Frame Relay?

Frame Relay is a packet-switching technology originally designed for use over the ISDN infrastructure.
It is governed by several standards: those of ANSI (American National Standards Institute) and ITU-T
(International Telecommunication Union Telecommunication Standardization Sector) from the ‘80s,
and those of FRF (Frame Relay Forum) and IETF (Internet Engineering Task Force) from the ‘90s.

The first challenge with Frame Relay networks is to make sure that the communicating devices follow the
same standards (as you will see later: same encapsulation type, same LMI type, etc.).

Actually, the lack of interoperability in the ‘80s was one of the reasons why Cisco and other companies
formed a consortium called “The Gang of Four” to focus on Frame Relay technology development.

Frame Relay is usually compared with X.25, an older packet-switched technology also governed by
ITU-T standards. Frame Relay easily won that contest and was seen as the replacement for X.25, because
it was simpler (compared to the complex X.25), faster (by eliminating the error-checking procedures that
made X.25 a very slow, but error-free, protocol) and also because it was able to dynamically share and
allocate the available bandwidth (as opposed to the typically static bandwidth allocation of X.25).

Although it is not really considered a “challenge” due to the low error rates of today’s links, you have to
remember that Frame Relay uses a best-effort approach to packet delivery: it eliminated the
error-checking fields that X.25 had and relies on the upper-layer protocols to do error correction.
If Frame Relay detects that something is wrong with a frame, such as corrupted bits found by a simple
cyclic redundancy check (CRC), it simply drops it.

Frame Relay is a Non-Broadcast Multi-Access (NBMA) medium. To understand non-broadcast, let’s define
the opposite term broadcast, which is a transmission that is received by all devices on that network
segment, typical to Ethernet technology, by using a destination layer 2 address that is mapped to all nodes
- the MAC address of FFFF:FFFF:FFFF.

Frame Relay does not have a layer 2 address mapped to all devices so it cannot achieve a broadcasting
communication using this method and this is the reason that it is considered a non-broadcast technology.

On the other hand, Frame Relay is a multi-access medium, meaning that there can be multiple devices
on the same physical link that can talk to each other. This is achieved by using multiple logical
end-to-end connections (referred to as virtual circuits) between devices on that medium. We will see
later in the chapter what solutions we have for using Frame Relay for broadcast transmissions.

Another challenge is the difference between the layer 2 connectivity and the layer 3 view
(what layer 3 protocols “think” about layer 2), again due to the fact that, in the absence of broadcast, it
can be very difficult to discover all the devices connected at layer 2, which is most common in
partial-mesh or hub-and-spoke topologies.

For example, all devices connected to the same Ethernet broadcast domain are able to see each other
(using broadcast or multicast), but in the case of Frame Relay several devices can be connected to the
same link without necessarily having direct connectivity to each other (spoke-to-spoke
communication).

Split horizon is another challenge that needs to be accounted for when using distance vector routing
protocols over Frame Relay, because multiple neighbors may exist on the same interface but they are not
able to directly talk to each other for the same reason mentioned above (see spoke-to-spoke).

Last but not least, in today’s networks, the fact that Frame Relay is commonly present only at the edge of
the provider’s network while the core uses different technologies or protocols, introduces difficulties in
maintaining an end-to-end status of the virtual circuits.

The following sections will describe Frame Relay in detail and will show solutions to the above so-called
“challenges.”

The Basics of the Frame Relay technology:

A typical Frame Relay implementation is the inter-connection of a company’s remote offices:

There are two types of devices involved in Frame Relay networks: DTE (Data Terminal Equipment) and
DCE (Data Circuit-terminating Equipment):

- DTE devices are typically the routers in each remote office used to connect to the Frame Relay
cloud.
- DCE devices are the telecommunications providers’ equipment that performs the Frame Relay
switching and, more importantly, provides clocking for the links.

In order to send frames between the DTE devices, virtual paths are created through the Frame Relay
cloud between each pair of devices. These logical paths are called virtual circuits and they can be of two
different types:

- Switched Virtual Circuit (SVC): a temporary virtual circuit that is set up only when there is data
to transmit. The use of an SVC involves several phases: call setup, data transfer, an idle period
and, after a period of idleness with no data transferred, call termination.
- Permanent Virtual Circuit (PVC): a permanent connection that does not require call setup or
termination, so DTE devices can begin transferring data whenever they need to. Frame Relay
typically uses PVCs.

Virtual circuits are identified by a 10-bit identifier called the Data Link Connection Identifier (DLCI). Out
of a total of 1024 values (2 to the power of 10), only the values 16 to 991 are available for user data, while
the rest are used for management or control purposes.

These DLCIs have only local significance. You can actually look at them as the link-local addresses used in
IPv6 addressing. DLCI addresses are used by the Frame Relay switches to forward the data from the
sending DTE device all the way to the receiving DTE, as displayed below:

Remember we already said that Frame Relay is a multi-access medium? This is because, on the same
physical link, you can multiplex several virtual circuits by using a separate DLCI for each of them. A typical
Frame Relay diagram looks like the one below:

In the above diagram, router R1 has a single physical connection to the Frame Relay cloud but it has a
separate virtual circuit for each neighbor device: DLCI 102 for the PVC to R2, DLCI 103 for the PVC to R3
and DLCI 104 for the PVC to R4.

The topology shown above is a partial-mesh because there are no separate virtual circuits between each
pair of devices connected to the Frame Relay cloud.

Local Management Interface (LMI):

Cisco and 3 other companies created a consortium known as “The Gang of Four” which introduced a set
of enhancements or extensions to the basic Frame Relay specifications in order to make Frame Relay more
popular.

Local Management Interface (LMI) is such an extension; it provides signalling and diagnostics between
the DTE router and the Frame Relay switch, using several types of messages:

- Virtual circuit status messages: keepalives sent between the DTE and DCE devices to report
the status of the virtual circuits.
- Global addressing messages: make the DLCI values globally significant - each DTE router is
assigned a globally unique DLCI address.
- Multicasting messages: add multicast capabilities to Frame Relay.

The DTE devices will learn all the DLCIs on a particular physical link from the LMI messages received from
the Frame Relay switch.

Address Resolution via Dynamic Mapping: Inverse ARP

Each DTE router learns the DLCIs via the LMI messages, but it does not know the IP address of the
neighboring device or devices. The process of discovering the IP address of the remote end is called
Inverse ARP (InARP); it creates a mapping between the local DLCI and the remote end’s protocol address.
The name “Inverse ARP” comes from the fact that “normal” ARP is used to discover the layer-2 MAC
address given the layer-3 IP address, while in the case of Frame Relay the DLCI (layer-2 address) is already
learnt via LMI but the router does not know the layer-3 address (hence the “inverse” logic).

Once an IP address is configured on an interface connected to the Frame Relay cloud, InARP messages
containing that IP address are sent on all DLCI on that interface. In the diagram, R1 sends InARP requests
with its IP 192.168.1.1 on both DLCI 102 (towards R2) and DLCI 103 (towards R3) and, based on the
received InARP replies, it will map IP 192.168.1.2 to DLCI 102 and IP 192.168.1.3 to DLCI 103.

There are several important notes that need to be remembered:

1. Inverse ARP cannot work without LMI, because LMI is the mechanism used to learn the DLCIs
associated with that interface. Without LMI, the router does not learn any DLCI, so it cannot send
InARP messages.
2. All DLCIs learned via LMI are automatically associated with the main interface (we will talk later about
sub-interfaces), so the Inverse ARP requests are generated only by the main interface.
3. By default, Inverse ARP supports broadcasts.
4. Inverse ARP is automatically enabled by LMI, unless disabled by static mapping, as we will see below.

Address Resolution via Static Mapping

Inverse ARP is a dynamic mechanism of mapping an IP address to a DLCI, but the same result can be
achieved with static mapping via manual configuration.

A very important note here, easily overlooked during exams, is that a static mapping disables
Inverse ARP for the (protocol, DLCI) pair - where the protocol is IP. Suppose that you create a static mapping
for IP 192.168.1.2 to DLCI 102 – this automatically disables InARP for the pair (IP, DLCI 102).
Actually, the static mapping does not disable InARP completely, only the InARP requests; the router
will still reply to received InARP messages!

Broadcast, Non-Broadcast, Pseudo-Broadcast

As mentioned above in the “challenges” introductory section, Frame Relay networks are Non-Broadcast
Multi-Access (NBMA) because there is no Layer-2 address mapped to all nodes in the Frame Relay cloud,
as is the case with Ethernet broadcast MAC address of FFFF:FFFF:FFFF.

Still, a technique called “pseudo broadcast” is used to achieve the same effect as a broadcast
communication, by sending copies of the same packet over multiple DLCIs of the same physical link.

Frame Relay Topologies

You can create one or more sub-interfaces on the physical link that connects to the Frame Relay cloud
and you have the option of choosing one of the following types:

- Point-to-point sub-interfaces: there are only 2 devices on them.
- Multipoint sub-interfaces: there are more devices on them.

The physical / main interface is a multipoint interface and all the rules associated with multipoint
connections apply to it.

As a result, you may have several topologies, such as:

- Point-to-point
- Full mesh: there is a virtual circuit for each pair of devices connected to the Frame Relay cloud.
- Partial mesh
- Hub-and-spoke: a central router (hub = headquarters) connected to all spokes (remote offices).
Spoke-to-spoke communication is possible only via the hub.

With all the terms defined and explained above, let’s move to the configuration of Frame Relay.

1. Frame Relay encapsulation

Configuring the encapsulation is the first step of configuring Frame Relay. Cisco routers support two
types of Frame Relay encapsulation: cisco and ietf.

“Cisco” encapsulation is the default type and “ietf” is used when there are non-Cisco devices in the
network.

(config)#int s0/0
(config-if)#encapsulation frame-relay [ietf]

The above snippet shows a common configuration of Frame Relay encapsulation on the main interface,
which will apply to all virtual circuits.

It is possible to configure different encapsulations on a per virtual circuit (per-DLCI) basis:

- For a point-to-point sub-interface:

(config)#int s0/1.1 point-to-point
(config-subif)#frame-relay interface-dlci <dlci-number> [cisco | ietf]

- Via static mapping:

(config)#int s0/0
(config-if)#frame-relay map ip <ip-address> <dlci-number> [cisco | ietf]

2. Configuring the LMI type

By default, the LMI type is autosensed: it is set automatically based on the LMI type received from the
Frame Relay switch, so most of the time you don't have to do anything.

Unlike the encapsulation, the LMI type cannot be configured on a per-DLCI basis; it is set only as a
per-interface command and applies to all DLCIs mapped to that interface / sub-interface:

(config)#int s0/0
(config-if)#frame-relay lmi-type [ cisco | ansi | q933a ]

There are three standards for LMI type:

- “cisco” uses DLCI 1023 as specified by the “Gang of Four”
- “ansi” uses DLCI 0 (specified in ANSI’s T1.617 Annex D standard)
- “q933a” uses DLCI 0 (specified in ITU-T’s Q.933 Annex A standard)

As shown above, the Frame Relay encapsulation type needs to match on a per DLCI/end-to-end
virtual circuit, while the LMI type needs to match per (DTE, DCE) pair, between the DTE router
and the DCE Frame Relay switch.

You can disable the LMI on an interface with the “no keepalive” command:

(config)#int s0/0
(config-if)#no keepalive

One scenario where the keepalive/LMI is disabled is “back-to-back” router connectivity, where the same
DLCI is used on both sides. You can also change the default keepalive interval of 10 seconds, but you
should configure the same value on both the DTE router and the Frame Relay switch in order to avoid
interface flapping.

3. Configuring the IP-to-DLCI Mappings:

a. Dynamic Mapping on Multipoint or Physical

As explained above in the theoretical section, Inverse ARP is automatically enabled by LMI.
Dynamic mappings are easily recognized by the word “dynamic” in the output of the
“show frame-relay map” command:

R1#show frame-relay map
Serial0/0 (up): ip 192.168.1.2 dlci 102(0x66,0x1860), dynamic, broadcast,
Serial0/0 (up): ip 192.168.1.3 dlci 103(0x67,0x1870), dynamic, broadcast,

To manually clear obsolete dynamic mappings, use the “clear frame-relay inarp” command.

b. Static Mapping on Multipoint or Physical

Static mappings are configured with the “frame-relay map” command:

(config)#int s0/0
(config-if)#frame-relay map ip <ip-address> <dlci-number> [broadcast] [cisco | ietf]

Don’t forget to include the “broadcast” keyword in case you need broadcast communication to be sent
on that virtual circuit.

In case of a hub-and-spoke topology, you need to perform the static mapping between the spokes using
the hub DLCI in order to enable spoke-to-spoke connectivity (via the hub, of course).

Below is an example of such a configuration. Notice that the FR encapsulation was changed to IETF:

(config)#int s0/0
(config-if)#frame-relay map ip 192.168.1.2 102 broadcast ietf
!
R1#show frame map
Serial0/0 (up): ip 192.168.1.2 dlci 102(0x66,0x1860), static, broadcast, IETF, status defined, active

c. Point-to-Point DLCIs

Point-to-point sub-interfaces can only have 2 devices on them, so they do not need any mapping. In fact,
such sub-interfaces do not accept the “frame-relay map” command. The only piece of information needed
is the DLCI, which will be used to send all data out of that point-to-point sub-interface:

(config)#int s0/1.1 point-to-point
(config-subif)#frame-relay interface-dlci <dlci-number> [cisco | ietf]
!
sh frame map
Serial0/1.1 (up): point-to-point dlci, dlci 123(0x7B,0x1CB0), broadcast
status active

This option is the most recommended one, especially on the spokes in a hub-and-spoke design, as it
eliminates the need to create static mappings for each spoke-to-spoke communication, which can become
a real burden with a large number of spokes.

d. Assigning Learnt DLCI to Multipoint Sub-interfaces

By default, all DLCIs learned via LMI are automatically assigned to the physical/main interface. In the case
of multipoint sub-interfaces, you need to “move” those DLCIs from the main interface to the sub-interface
using the same command as for point-to-point sub-interfaces (note the multipoint keyword when
creating the sub-interface):

(config)#int s0/1.1 multipoint
(config-subif)#frame-relay interface-dlci <dlci-number> [cisco | ietf]

e. Disabling Inverse ARP

As previously described, InARP is automatically enabled by LMI and it sends InARP requests as soon
as a protocol address (IP address) is configured on an interface.
You have the following options to disable it:

- “no frame-relay inverse-arp <protocol> <dlci>” - disables InARP for the specified (protocol, DLCI)
pair.
- using a static mapping: “frame-relay map ip <ip-address> <dlci-number>” - the static mapping
disables sending InARP requests for the specified (protocol, DLCI) pair, but the router will still reply
to received InARP messages.
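
As an added example (not from the book), the Python below ties together two things from this chapter: the DLCI numbering (10 bits, user data only in 16 to 991) and the format of the ‘show frame-relay map’ output. The “(0x66,0x1860)” pair that IOS prints after a DLCI is the DLCI in hex followed by the DLCI spread into the two-byte Q.922 address field (upper 6 bits in the top bits of byte 1, lower 4 bits in the top nibble of byte 2); that layout is my reading of the display and the code checks it against the three values the chapter shows (102, 103 and 123). The parser pulls out the mapping type (dynamic, static or point-to-point), the broadcast flag, the encapsulation and the PVC status, and flags entries a practitioner would question. The sample lines are constructed from the chapter’s outputs, joined onto one line each; the extra line with DLCI 1023 is constructed to exercise the checks.

```python
"""DLCI sanity checks and a parser for `show frame-relay map` lines.

Added example, not from the book. The second hex value IOS prints after a
DLCI is assumed to be the DLCI laid out in the two-byte Q.922 address field;
dlci_address_field() reproduces the chapter's values 0x1860, 0x1870, 0x1CB0.
Sample lines are constructed from the chapter's outputs.
"""
import re
from typing import Dict, List, Optional

USER_DLCI_MIN, USER_DLCI_MAX = 16, 991  # user-data range given in the chapter
DLCI_BITS = 10                          # 2**10 = 1024 possible values


def is_user_dlci(dlci: int) -> bool:
    """True for a DLCI in the range usable for user data (16 to 991)."""
    return USER_DLCI_MIN <= dlci <= USER_DLCI_MAX


def dlci_address_field(dlci: int) -> int:
    """DLCI laid out in the Q.922 address field: upper 6 bits go to the top of
    byte 1, lower 4 bits to the top nibble of byte 2 (control bits left zero)."""
    if not 0 <= dlci < 2 ** DLCI_BITS:
        raise ValueError(f"DLCI {dlci} is outside the {DLCI_BITS}-bit range")
    high6, low4 = dlci >> 4, dlci & 0xF
    return (high6 << 10) | (low4 << 4)


# Multipoint lines carry "ip <addr> dlci <n>(...)", point-to-point lines carry
# "point-to-point dlci, dlci <n>(...)"; everything after the parenthesis is a
# comma-separated list of flags and the status.
MAP_LINE = re.compile(
    r"(?P<intf>\S+) \((?P<state>up|down)\): "
    r"(?:ip (?P<ip>\d+\.\d+\.\d+\.\d+) dlci|point-to-point dlci, dlci) "
    r"(?P<dlci>\d+)\((?P<hex1>0x[0-9A-Fa-f]+),(?P<hex2>0x[0-9A-Fa-f]+)\)(?P<rest>.*)"
)
STATUS_WORD = re.compile(r"\b(active|inactive|deleted)\b")

# Constructed sample, built from the outputs shown in the chapter.
SAMPLE_MAP = """\
Serial0/0 (up): ip 192.168.1.3 dlci 103(0x67,0x1870), dynamic, broadcast,
Serial0/0 (up): ip 192.168.1.2 dlci 102(0x66,0x1860), static, broadcast, IETF, status defined, active
Serial0/1.1 (up): point-to-point dlci, dlci 123(0x7B,0x1CB0), broadcast status defined, active
"""

# Constructed line with a reserved DLCI and a deleted PVC, to exercise the checks.
BAD_MAP = "Serial0/0 (up): ip 10.0.0.9 dlci 1023(0x3FF,0xFCF0), static, CISCO, status deleted\n"


def parse_map(output: str) -> List[Dict[str, object]]:
    """Turn each map line into a dict: interface, state, ip, dlci, mapping,
    broadcast, encap, status and whether the two hex fields agree with the DLCI."""
    entries: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = MAP_LINE.search(line)
        if not m:
            continue  # header or unrelated line
        dlci = int(m["dlci"])
        tokens = [t.strip() for t in m["rest"].split(",") if t.strip()]
        status_match = STATUS_WORD.search(m["rest"])
        status: Optional[str] = status_match.group(1) if status_match else None
        encap = "ietf" if "IETF" in tokens else "cisco" if "CISCO" in tokens else None
        if m["ip"] is None:
            mapping = "point-to-point"
        else:
            mapping = "static" if "static" in tokens else "dynamic"
        entries.append({
            "interface": m["intf"], "state": m["state"], "ip": m["ip"], "dlci": dlci,
            "mapping": mapping,
            "broadcast": any(t.startswith("broadcast") for t in tokens),
            "encap": encap, "status": status,
            "hex_ok": int(m["hex1"], 16) == dlci
                      and int(m["hex2"], 16) == dlci_address_field(dlci),
        })
    return entries


def check_map(output: str) -> List[str]:
    """Problems worth flagging: reserved DLCI, inconsistent hex fields, PVC not active."""
    problems: List[str] = []
    for e in parse_map(output):
        where = f"dlci {e['dlci']} on {e['interface']}"
        if not is_user_dlci(e["dlci"]):
            problems.append(f"{where} is outside the user-data range 16-991")
        if not e["hex_ok"]:
            problems.append(f"{where}: hex fields do not match the DLCI")
        if e["status"] is not None and e["status"] != "active":
            problems.append(f"{where} is {e['status']}")
    return problems


if __name__ == "__main__":
    for entry in parse_map(SAMPLE_MAP):
        print(entry)
    print(check_map(SAMPLE_MAP + BAD_MAP))
```

Dynamic entries show no status word in this output, so check_map() only judges the status where IOS prints one; the hex consistency check is mainly useful when map output has been copied by hand into a ticket or lab notes.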

As a summary, let’s look at an easy-to-remember and easy-to-reference table regarding mappings on
various types of interfaces/sub-interfaces:

A very good reference containing configuration examples for various topologies (simple Frame Relay,
full-mesh, partial-mesh, hub-and-spoke) can be found on the

In our next chapter, we'll describe various methods of troubleshooting Frame Relay connectivity
problems.

Chapter 43: Troubleshooting Frame Relay

In the previous chapter, we had a long journey trying to understand the subtleties of the Frame Relay
technology as well as its configuration. For any troubleshooting attempt to be successful, you need to
have a good understanding of the technology, so you may want to spend some time reading the previous
chapter about Frame Relay if you haven’t done so yet.

People get scared of Frame Relay not because troubleshooting is complex, but because they lack the
theoretical knowledge. Actually, troubleshooting can be considered an easy task, since there are only a
few commands to use and they give you all the information needed to solve any problem.

Most Common Troubleshooting Commands for Frame Relay:

Besides the general troubleshooting command “show interface”, you will most commonly use these two
commands when dealing with Frame Relay problems:

- “show frame-relay pvc” – displays statistics about the permanent virtual circuits (PVCs)
- “show frame-relay map” – displays the current Frame Relay map entries

These two commands (together with “show interface”) should be your starting point in your Frame Relay
troubleshooting journey.

Before going into details about other troubleshooting commands, let’s see what kind of information we
get with these two commands.

show frame-relay pvc [ interface <interface> ] [ <dlci> ]

Run without any arguments, the command first shows a summary of all the PVCs with their status –
active, inactive, deleted or static – and their usage – local, switched, unused. The rest of the output
contains detailed information about each DLCI, such as input and output packets and bytes, drops,
FECN/BECN/DE packets, broadcasts, and 5-minute input and output rates.

The hard part is to interpret the PVC status and DLCI usage. Most of the time, you are not really interested
in the packet or byte count, so a simplified version of this command can be enough:

show frame-relay map

Important information is revealed with this command, such as:

- Interface and its status (for example: serial0/0 – up)
- Destination IP address (for example: 192.168.1.2) for the multi-access (sub)interfaces
- DLCI used to reach that destination
- How the information was learned – statically or dynamically
- PVC status – active, deleted, etc.

With all this info in our toolbox, let’s dive into some scenarios and also discover some other useful
commands. In the beginning, we will examine two of the most common problems with Frame Relay: PVC
status inactive and deleted. The target is to have an active status for the PVCs; after solving that, you can
move on to troubleshooting higher-level problems.

PVC Status Inactive

The router learns all the DLCI provisioned by the service provider Frame Relay switch through LMI and
then it tries to use them, either on the main physical interface (by default) or on some other sub-interface
according to the configuration. The “inactive” status means that there is a problem with the end-to-end
connectivity and most of the time, it indicates that the problem is not local, but rather on the Frame Relay
switch or on the DTE router on the other end:

In the example above, there is a missing command on the Frame Relay switch on the interface connected
to R1 that has this result:

- R1 does not learn any DLCI from the Frame Relay switch.
- R2 learns DLCI 201 but its status is inactive due to end-to-end connectivity problems.
- FR-SW (Frame Relay switch) also displays an “inactive” status for output DLCI 102 when using
command “show frame-relay route”.

Note: Instead of using pairs of “frame-relay route” commands under each interface on the Frame Relay
switch connected to DTE routers, you can use the global command “connect R1-R2 serial0/0 102 serial0/1
201”.

In the next example, an inactive status is reported on R2 because of a configuration problem on the
other DTE router, R1:

In this example, the LMI type on R1 was changed from the default to Q933A, which causes a communication
problem between R1 and the switch. As you can see, no DLCIs are learned on that interface since there is
an LMI mismatch between them. This problem on R1 makes R2 report the PVC as inactive.

As a troubleshooting rule: whenever you see PVC status inactive, the problem is most likely on the other
router or on the Frame Relay switch.

PVC Status Deleted

Another common issue is PVC status deleted, and it represents a local problem.
Whenever you manually configure a DLCI on a (sub-)interface – via either of these commands:
“frame-relay interface-dlci 222” or “frame-relay map ip <ip_address> 223” – the router expects to learn
these DLCIs (in this example: DLCI 222 and DLCI 223) also from the Frame Relay switch via LMI. If there is a
mismatch between the locally configured DLCI and the one(s) learnt via LMI, the local DLCI is marked as
DELETED.

In the above output, the only DLCI learnt from the switch via LMI is DLCI 201.
Most of the time, a PVC status of DELETED is caused by typos in the configuration of the local router.
To fix them, you have to match the list of locally configured DLCIs against the list of DLCIs received
from the switch. Of course, if you know for sure that the locally configured DLCI numbers are correct,
then you need to contact the service provider to provision them on the Frame Relay switch. Another
possible cause of this problem is the lack of LMI communication between router and switch. As a
troubleshooting rule: if you see PVC status deleted, the problem is most likely local to the router.

DLCI Usage Unused

As the word implies, whenever a DLCI learnt from the switch is not usable by the router, it will mark it as
unused. This is usually a configuration problem on the local router:

In the example shown above, the DLCI is unused because there’s no IP address configured on the interface.

DLCI Usage Switched

If you see that the usage of a DLCI is SWITCHED, this is a clear indication that the device is performing
Frame Relay switching, so it acts as an FR switch. Below is an output taken from a Cisco router that is
configured as an FR switch:

Notice another very useful troubleshooting command applicable to the Frame Relay switches: “show
frame-relay route”.

PVC Status Static

You can configure back-to-back Frame Relay between two routers connected directly via a serial link
without any Frame Relay switch in between. Since there is no switch, there are no PVCs advertised through
LMI, so you disable it with the command “no keepalive”; the PVC status will then be “static”, meaning that
it is not influenced by LMI.

Remember that the static status means that LMI is disabled, so if you see it on an interface connected
to a switch (which talks LMI) you should remove the “no keepalive” command.

Mismatched Frame Relay Encapsulation

Whenever a non-Cisco device is involved in a Frame Relay setup, you have to change the default “cisco”
Frame Relay encapsulation type to “ietf”.

The encapsulation mismatch problems can be detected using the command “show frame-relay map” as
indicated in the above output.

NOTE: With Cisco, the configured encapsulation type is used to encapsulate the packets sent onto the
virtual circuit, but received packets can be decapsulated whether they are “cisco” or “ietf”. As a
result, if the endpoints are two Cisco routers configured with different encapsulation types
(as in the above example), there is no connectivity problem. Of course, if one router is Cisco and the other
is non-Cisco, the encapsulation mismatch will cause connectivity problems.

Mismatched LMI Type

Local Management Interface (LMI) provides signalling and diagnostics between the DTE router and the
Frame Relay switch. The DTE router learns all the DLCIs on that particular link from these LMI messages.
Cisco routers support 3 standards for the LMI type – cisco, ansi and q933a – which are not compatible
with each other, so you have to make sure that the local communication between the DTE router and the
DCE switch uses the same standard.

If the LMI type is different, the line protocol of the interface will be down and the best command to
troubleshoot this scenario is “show frame-relay lmi” which will show you the increasing number of LMI
status timeouts, as displayed in the output below:

As a side note, remember that the encapsulation type needs to match per end-to-end virtual circuit while
the LMI type needs to match per local DTE-DCE pair, as shown below:

Keepalives Not Sent

As explained above in the “PVC Status Static” section, LMI can be disabled with the command “no
keepalive”. Connectivity problems will occur if this command is used improperly, such as on an interface
connected to a Frame Relay switch, as in the example below:

Without LMI, there will be no DLCI learnt from the switch, so the “show frame-relay lmi|pvc|map”
commands will return an empty output.

Note that mismatched keepalive timers between router and switch can also cause connectivity problems.
By default this timer is 10 seconds and it is recommended to match on each side.

When you deal with a Frame Relay problem, you first have to make sure that the PVC status is Active
and the DLCI usage is Local. Once this is solved according to the above troubleshooting sections, you
can move forward if the problem persists. In the next sections we will cover the problems that are not
visible in the PVC status.

Incorrect DLCI Association to (Sub)-Interfaces

By default, all DLCI learnt from the switch via the LMI messages are assigned to the main physical interface.
The PVC status will be active because the end-to-end communication over the virtual circuit is ok – you
will see that InARP messages are successfully exchanged between the routers but the problem may exist
at the layer 3 level/IP addressing.

In the example below, DLCI 301 is learnt on interface Serial0/0 and is automatically assigned to it.
The IP addressing between R1 and R3 is: R1 = 192.168.1.1/24 and R3 = 192.168.1.3/24, but this address
on R3 is configured on a separate multipoint sub-interface (serial0/0.13):

You can see that PVC status is active, as there is a dynamic mapping for IP 192.168.1.1 (R1) to DLCI 301,
but this DLCI is incorrectly used on main Serial0/0 interface (that has an IP address of 3.3.3.3/24) instead
of the s0/0.13 sub-interface.

To correct this problem, the recommended solution is to move DLCI 301 to the sub-interface with the
command “frame-relay interface-dlci 301” under the sub-interface configuration:

Another solution would be to configure a static mapping for IP 192.168.1.1 to DLCI 301 on the
sub-interface:

Note that you will not be able to configure “frame-relay map ip 192.168.1.1 301” on the sub-interface as
long as DLCI 301 is already used on the main interface. The router reports the following error:

R3(config)#int s0/0.13
R3(config-subif)#frame-relay map ip 192.168.1.1 301 broadcast
%PVC already assigned to interface Serial0/0

You will have to make sure that the association of DLCI 301 with the main interface is cleared before using
the above configuration – for example, by shutting down interface ser0/0.

Dynamic InARP Mapping for Different Subnet


The moment you configure an IP address on a Frame Relay interface, Inverse ARP (InARP) messages are
sent over all DLCIs configured and/or learned on that interface. The router does not check whether the IP
address learned from a received InARP message is in the same subnet as the IP address of the local
interface.

In this example, a dynamic InARP mapping is created for IP 3.3.3.3 to DLCI 103 on interface Serial0/0 even
though the subnet configured on the interface is different.
To solve this, you have several options:
- Move the incorrect DLCI to a separate sub-interface that does not have an IP address configured.
InARP messages are sent for every IP/DLCI pair, so without an IP address no InARP messages are
sent.
- Disable Inverse ARP for DLCI 301. Note that disabling InARP (command “no frame-relay inverse-arp
IP 103”) only stops the router from sending InARP requests; it does not stop the router from replying
to InARP messages received on DLCI 301.
After you have checked that the interface is up, the line protocol is up, the PVC status is Active, the DLCI
usage is not Unused, the DLCI is assigned to the correct (sub-)interface and the mapping is correct, you
may still have problems with the routing protocols running over these Frame Relay links.

Have a look at the next sections to understand the common problems you may face. For this purpose, we
will use the following diagram consisting of 3 routers with R1 used as the HUB and R2 and R3 as SPOKES:

Missing Broadcast keyword


As indicated in the first article, Frame Relay is a non-broadcast technology, so in order to simulate
broadcast communication, a technique called “pseudo broadcast” is used. This is done by sending
multiple copies of the same packet on the same physical link, one per DLCI that is allowed to carry
broadcasts. Most routing protocols use broadcast or multicast to establish adjacencies between routers,
so they depend on this.

In the following example, EIGRP is enabled on all interfaces on both R1 and R2, and the two routers can
reach each other but they cannot establish an EIGRP adjacency:


The easiest way to troubleshoot such issues is to perform a ping to a broadcast address:

As you can see, you can ping the unicast address but not the broadcast one.

Adding the “broadcast” keyword brings up the EIGRP session. This time the EIGRP peering is up and we
receive successful replies when pinging the broadcast address. Also, remember that when configuring
multiple mappings for the same DLCI, use the broadcast keyword only once!
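The three mapping mistakes covered so far (a DLCI learned on the wrong interface so the InARP-learned peer is outside the local subnet, a map without the broadcast keyword, and the broadcast keyword repeated on several maps for one DLCI) can all be caught by reading the mapping table. The following audit script is an added example written for this book page, not code from the book or from Cisco; the interface names, DLCIs and addresses in its sample table are constructed to mirror the R3 scenario above, and the FrMap structure stands in for the fields you would read from "show frame-relay map".

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FrMap:
    interface: str   # (sub-)interface the DLCI is attached to
    dlci: int
    peer_ip: str     # next-hop IP learned by InARP or configured statically
    dynamic: bool    # True if learned by Inverse ARP
    broadcast: bool  # True if the "broadcast" keyword is present


# Constructed sample data (hypothetical), modelled on the text: R3 has 3.3.3.3/24 on
# the main interface and 192.168.1.3/24 on multipoint sub-interface Serial0/0.13.
INTERFACES = {
    "Serial0/0": "3.3.3.3/24",
    "Serial0/0.13": "192.168.1.3/24",
}
MAPPINGS = [
    # DLCI 301 was left on the main interface, so R1's 192.168.1.1 is learned there
    FrMap("Serial0/0", 301, "192.168.1.1", dynamic=True, broadcast=True),
    # a static map on which the broadcast keyword was forgotten
    FrMap("Serial0/0.13", 302, "192.168.1.2", dynamic=False, broadcast=False),
    # two static maps for the same DLCI, both carrying the broadcast keyword
    FrMap("Serial0/0.13", 303, "192.168.1.4", dynamic=False, broadcast=True),
    FrMap("Serial0/0.13", 303, "192.168.1.5", dynamic=False, broadcast=True),
]


def audit(interfaces, mappings):
    """Return a list of (interface, dlci, message) findings, in table order."""
    findings = []
    broadcast_count = defaultdict(int)
    for m in mappings:
        local = ipaddress.ip_interface(interfaces[m.interface])
        peer = ipaddress.ip_address(m.peer_ip)
        if peer not in local.network:
            # IOS does not check subnet membership when it learns an InARP mapping,
            # so the PVC is Active while the IP mapping is unusable on this interface.
            owners = [name for name, addr in interfaces.items()
                      if peer in ipaddress.ip_interface(addr).network]
            hint = f"; its subnet belongs to {owners[0]}" if owners else ""
            kind = "InARP" if m.dynamic else "static"
            findings.append((m.interface, m.dlci,
                             f"{kind} map {m.peer_ip} is outside {local.network}{hint}"))
        if not m.broadcast:
            findings.append((m.interface, m.dlci,
                             f"map {m.peer_ip} lacks 'broadcast'; routing protocol "
                             "hellos will not be pseudo-broadcast over this DLCI"))
        else:
            broadcast_count[(m.interface, m.dlci)] += 1
    for (ifc, dlci), n in broadcast_count.items():
        if n > 1:
            findings.append((ifc, dlci,
                             f"'broadcast' appears on {n} maps for the same DLCI; use it once"))
    return findings


if __name__ == "__main__":
    for ifc, dlci, msg in audit(INTERFACES, MAPPINGS):
        print(f"{ifc} DLCI {dlci}: {msg}")
```

Running it against the sample table reports DLCI 301 as belonging to the Serial0/0.13 subnet, DLCI 302 as missing the broadcast keyword, and DLCI 303 as carrying it twice.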


Missing Required Mapping in a Hub-and-Spoke Topology


Hub-and-spoke and partial-mesh topologies leave a lot of room for mistakes, and sometimes the
troubleshooting is not so straightforward. The problems start from the fact that the spokes don’t have
direct Layer 2 connectivity, even though they may have IP addresses in the same subnet. In order to have
reachability between the spokes, each spoke needs a mapping for the other spoke’s IP address that uses
the DLCI towards the hub:

Split Horizon:
Another problem in a hub-and-spoke scenario is split horizon. With distance-vector routing protocols,
the hub will not re-advertise a route received from a spoke (R3 in our example) out of the same interface
to the other spokes (R2 in our scenario):


In order to receive the routes from the other spokes, you have to disable split horizon for EIGRP under
the multipoint sub-interface, as shown above.
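To see exactly which routes the spokes lose, here is a small simulation of the split-horizon rule on a hub with one multipoint sub-interface. It is an added example and not code from the book; the router names, interface names and prefixes are constructed, and the simulation models only the rule itself (do not advertise a route out of the interface it was learned on), not a full EIGRP implementation.

```python
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str
    via: str         # neighbour the route was learned from, or "connected"
    interface: str   # interface the route was learned on


@dataclass
class Router:
    name: str
    routes: list = field(default_factory=list)

    def advertise(self, out_interface: str, split_horizon: bool = True):
        """Prefixes this router sends out of out_interface.

        With split horizon on, anything learned on out_interface is suppressed,
        which on a multipoint Frame Relay interface hides spoke routes from the
        other spokes because they all share that one interface on the hub.
        """
        return [r.prefix for r in self.routes
                if not (split_horizon and r.via != "connected"
                        and r.interface == out_interface)]

    def learn(self, prefixes, via: str, interface: str):
        known = {r.prefix for r in self.routes}
        for p in prefixes:
            if p not in known:
                self.routes.append(Route(p, via, interface))


def run_hub_and_spoke(split_horizon: bool):
    """Constructed topology: R1 hub on multipoint Serial0/0.123, R2 and R3 spokes."""
    hub = Router("R1", [Route("10.0.1.0/24", "connected", "Loopback0")])
    spokes = {
        "R2": Router("R2", [Route("10.0.2.0/24", "connected", "Loopback0")]),
        "R3": Router("R3", [Route("10.0.3.0/24", "connected", "Loopback0")]),
    }
    # Spokes only have Layer 2 reachability to the hub, so updates travel spoke -> hub -> spoke.
    for name, spoke in spokes.items():
        hub.learn(spoke.advertise("Serial0/0"), via=name, interface="Serial0/0.123")
    for name, spoke in spokes.items():
        spoke.learn(hub.advertise("Serial0/0.123", split_horizon),
                    via="R1", interface="Serial0/0")
    return {name: sorted(r.prefix for r in s.routes) for name, s in spokes.items()}


if __name__ == "__main__":
    print("split horizon on: ", run_hub_and_spoke(split_horizon=True))
    print("split horizon off:", run_hub_and_spoke(split_horizon=False))
```

With split horizon on, R2 only ends up with its own prefix and the hub's; with it disabled on the hub's multipoint sub-interface, R2 also learns R3's prefix (and vice versa).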

At the end of this chapter, let’s make a summary of the most used commands for troubleshooting Frame
Relay problems:
- show interface
- show frame-relay pvc
- show frame-relay map
- show frame-relay lmi
- debug frame-relay packet
- debug frame-relay lmi


Chapter 44: GRE Tunnels

This chapter discusses generic routing encapsulation (GRE), which is a type of IP tunnel. GRE is defined
in RFC 2784. The RFC defines a GRE header that is used together with a new IP header to encapsulate
the original packet. To bring up a GRE tunnel, the two routers must agree on a few parameters. It is
important to remember that a GRE tunnel does not encrypt the packets; to encrypt them, another
tunneling protocol or feature, such as IPsec, has to be used.

A GRE tunnel is a point-to-point logical connection. If you have multiple devices that need to be connected
using GRE tunnels, then a separate tunnel has to be configured for each pair of devices.

The connection between the two devices through the GRE tunnel is made by means of the tunnel
interfaces. The tunnel interfaces are configured with IP addresses that must be in the same subnet. This
is no different from what you would do with a physical interface.

The router at each end of the tunnel is configured to encapsulate the original packet inside a tunnel
header and a new IP header. The diagram below should give you a better understanding of how the router
encapsulates the packet before it is sent through the tunnel interface:


Here the ingress interface is the interface on which the packets are received and the egress interface is
the tunnel interface. As you can see, two new headers are added to the packet.

Static routes can be configured over the tunnel interfaces, or routing protocols can be run over them. As
mentioned already, tunnel interfaces behave as point-to-point interfaces, hence the next hop for the
routes (either static or dynamically learned) will be the peer IP address configured on the tunnel interface
of the remote router.

When a tunnel interface is configured, several things are required besides the IP address:

- tunnel source
- tunnel destination
- tunnel mode

All of these are mandatory; without any one of them, the tunnel will not come up. Let’s discuss them.

The tunnel source is the local IP address from which the tunnel is initiated. This IP address has to match
the tunnel destination configured on the tunnel interface of the other router.

The tunnel destination is the IP address of the remote endpoint to which the tunnel is established. This IP
address has to match the tunnel source configured on the tunnel interface of the other router.

The tunnel mode specifies the GRE mode, which can be IPv4, IPv6 or multipoint.

It is crucial that there is IP reachability in both directions between the tunnel source and the tunnel
destination. If this condition is not met, the GRE tunnel will not come up.

As a GRE tunnel can be established over the Internet, over which you have no control, there might be
firewalls in the middle that drop GRE packets or enforce policies that restrict traffic between the source
and destination IP addresses of the tunnel. That’s why it is important to test reachability from both sides
between the source and destination of the tunnel.
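The requirements just listed (source and destination mirrored on the two routers, matching mode, tunnel addresses in one subnet, and a route to the far endpoint on each side) make a short pre-flight checklist. The checker below is an added example written for this page, not code from the book or from Cisco; the TunnelEnd structure and its routing-table list are assumptions standing in for the router configuration and "show ip route" output, and the sample values are constructed to mirror the R1/R3 lab in this chapter.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelEnd:
    router: str
    ip: str                  # address on the Tunnel interface, e.g. "172.16.1.1/30"
    source: str              # "tunnel source"
    destination: str         # "tunnel destination"
    mode: str = "gre ip"     # IOS default when no "tunnel mode" line is present
    routes: list = field(default_factory=list)  # prefixes in this router's routing table


def has_route(routes, address: str) -> bool:
    """True if some prefix in the routing table covers the address."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(p) for p in routes)


def validate_tunnel(a: TunnelEnd, b: TunnelEnd):
    """Return the list of reasons the GRE tunnel between a and b would not work."""
    problems = []
    # source on one side must equal destination on the other, in both directions
    if a.source != b.destination:
        problems.append(f"{a.router} tunnel source {a.source} != "
                        f"{b.router} tunnel destination {b.destination}")
    if b.source != a.destination:
        problems.append(f"{b.router} tunnel source {b.source} != "
                        f"{a.router} tunnel destination {a.destination}")
    if a.mode != b.mode:
        problems.append(f"tunnel mode mismatch: {a.mode} vs {b.mode}")
    # the tunnel interface addresses must share a subnet, as on a physical link
    if ipaddress.ip_interface(a.ip).network != ipaddress.ip_interface(b.ip).network:
        problems.append(f"tunnel addresses {a.ip} and {b.ip} are not in one subnet")
    # each endpoint needs a route to the far endpoint (reachability in both directions)
    for end in (a, b):
        if not has_route(end.routes, end.destination):
            problems.append(f"{end.router} has no route to tunnel destination {end.destination}")
    return problems


# Constructed sample modelled on the chapter: loopbacks 1.1.1.1 and 1.1.1.3 learned via OSPF.
R1 = TunnelEnd("R1", "172.16.1.1/30", "1.1.1.1", "1.1.1.3",
               routes=["1.1.1.1/32", "10.10.12.0/24", "1.1.1.2/32", "1.1.1.3/32", "10.10.23.0/24"])
R3 = TunnelEnd("R3", "172.16.1.2/30", "1.1.1.3", "1.1.1.1",
               routes=["1.1.1.3/32", "10.10.23.0/24", "1.1.1.2/32", "1.1.1.1/32", "10.10.12.0/24"])
# A broken variant: wrong source address typed on R3 and no route back to 1.1.1.1
# (the situation a filtering device in the path would produce).
R3_BROKEN = TunnelEnd("R3", "172.16.1.2/30", "1.1.1.2", "1.1.1.1",
                      routes=["1.1.1.3/32", "1.1.1.2/32", "10.10.23.0/24"])

if __name__ == "__main__":
    print("R1 <-> R3:", validate_tunnel(R1, R3) or "OK")
    for p in validate_tunnel(R1, R3_BROKEN):
        print("R1 <-> R3 (broken):", p)
```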


Let’s discuss our topology.

The tunnel is established between R1 and R3. On each router there is a tunnel interface configured with
an IP address from the same subnet. The tunnel source and destination will be the 1.1.1.X addresses.

The goal will be to configure static routes through the tunnel interfaces so that the two hosts can ping
each other.

This is the logical diagram of how R1 and R3 are connected.

In reality, they are connected like this:

As you can see, R1 and R3 are not directly connected. I’m using OSPF so that R1 knows how to reach its
tunnel destination, 1.1.1.3, and R3 knows how to reach its tunnel destination, 1.1.1.1.

Instead of this OSPF area, you could have the Internet.

So let’s check the routing table and confirm that we have routes to the IP addresses that will serve as
endpoints for the tunnel interfaces. On R1:

R1#show ip route ospf
1.0.0.0/32 is subnetted, 3 subnets
O 1.1.1.3 [110/3] via 10.10.12.2, 00:22:58, FastEthernet1/0
O 1.1.1.2 [110/2] via 10.10.12.2, 00:22:58, FastEthernet1/0
10.0.0.0/24 is subnetted, 2 subnets
O 10.10.23.0 [110/2] via 10.10.12.2, 00:22:58, FastEthernet1/0
R1#

Let’s test if we have reachability between 1.1.1.1 and 1.1.1.3 from R1:

R1#ping 1.1.1.3 source 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/42/68 ms
R1#

Everything looks fine, so if we configure GRE tunnels between R1 and R3, they should come up.

We explained earlier what is needed to bring up a GRE tunnel interface. This is the configuration needed
on R1:

R1#show running-config interface Tunnel0
Building configuration...

Current configuration : 115 bytes
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.252
tunnel source 1.1.1.1
tunnel destination 1.1.1.3
end

R1#

As you can see, we configured the IP address, the tunnel source and the tunnel destination. By default, the
tunnel mode is “gre ip,” hence it is not shown here.

The configuration on R3 is similar, with the tunnel source and destination reversed:

R3#show running-config interface Tunnel0
Building configuration...

Current configuration : 115 bytes
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.252
tunnel source 1.1.1.3
tunnel destination 1.1.1.1
end

R3#

Once we have configured them, let’s check if they are up. As you can see below, the tunnel interface is up
and you can see that the mode is GRE/IP:

R1#show interfaces Tunnel0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 172.16.1.1/30
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 1.1.1.1, destination 1.1.1.3
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255

Having the tunnel up doesn’t mean necessarily that it can pass traffic. Let’s test if we can ping the IP
address configured on the R3 tunnel interface:

R1#ping 172.16.1.2 source 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
R1#

From the point of view of R1, R3 is directly connected through the tunnel interface.

For instance, 1.1.1.1 and 172.16.1.1 are both configured on R1. Compare the traceroutes to the
corresponding addresses on R3. This first one is to the loopback interface of R3, which is the tunnel
destination:

R1#traceroute 1.1.1.3 source 1.1.1.1

Type escape sequence to abort.
Tracing the route to 1.1.1.3

1 10.10.12.2 4 msec 24 msec 20 msec
2 10.10.23.3 36 msec 48 msec 24 msec
R1#

And now the IP address of the tunnel interface:

R1#traceroute 172.16.1.2 source 172.16.1.1

Type escape sequence to abort.
Tracing the route to 172.16.1.2

1 172.16.1.2 28 msec 72 msec 88 msec
R1#

Now let’s configure the two static routes, one on R1 and one on R3, for the two subnets where the hosts
are connected.

This is for R1 to have reachability to 100.100.2.0/24:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip route 100.100.2.0 255.255.255.0 172.16.1.2
R1(config)#end
R1#sho
*Mar 1 00:38:15.647: %SYS-5-CONFIG_I: Configured from console by console
R1#show ip route static
100.0.0.0/24 is subnetted, 2 subnets
S 100.100.2.0 [1/0] via 172.16.1.2
R1#

And this is for R3 to have reachability to 100.100.1.0/24:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip route 100.100.1.0 255.255.255.0 172.16.1.1
R3(config)#end
R3#
*Mar 1 00:38:59.643: %SYS-5-CONFIG_I: Configured from console by console
R3#show ip route static
100.0.0.0/24 is subnetted, 2 subnets
S 100.100.1.0 [1/0] via 172.16.1.1
R3#

Let’s test if PC1 can reach PC2:

PC1> ping 100.100.2.2

84 bytes from 100.100.2.2 icmp_seq=1 ttl=62 time=54.270 ms
84 bytes from 100.100.2.2 icmp_seq=2 ttl=62 time=49.945 ms
^C
PC1>

Everything is working as expected, so the task is solved.

While PC1 was pinging PC2, I took a packet capture on R1 showing what the encapsulated packet looks
like:

As you can see, the original packet (delimited by the source/destination IP addresses
100.100.1.2/100.100.2.2) is encapsulated with a GRE header, and a new IP header is applied which carries
the tunnel source and destination (1.1.1.1/1.1.1.3).

Below you can see the GRE header:

As a comparison, you can see that when I ping the loopback of R3 sourcing the packets from the
loopback of R1, they are not encapsulated:
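The capture above can be reproduced byte for byte. The script below is an added example, not code from the book or from Cisco: it builds the inner PC1-to-PC2 echo request, wraps it the way R1's tunnel interface does (outer IP header with protocol 47, then the four-byte RFC 2784 GRE header with protocol type 0x0800, then the original packet), and then strips the headers again as R3 would. The addresses are the chapter's; the ICMP identifier and payload text are constructed. Because GRE adds no encryption, the inner packet and its payload are visible unchanged in the encapsulated bytes, which is the reason the chapter points to IPsec when confidentiality is needed.

```python
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer IP header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload
ICMP_PROTO = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """RFC 2784 GRE header with the C bit clear and version 0: flags/version + protocol type."""
    return struct.pack("!HH", 0x0000, protocol_type)


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """What the tunnel interface does on egress: outer IP header + GRE header + original packet.
    The outer TTL of 255 mirrors the 'Tunnel TTL 255' line of show interfaces Tunnel0."""
    gre = gre_header() + inner
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre), ttl=255) + gre


def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers. Returns (outer_src, outer_dst, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError(f"not GRE: IP protocol {packet[9]}")
    outer_src = ".".join(map(str, packet[12:16]))
    outer_dst = ".".join(map(str, packet[16:20]))
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:                            # version must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    gre_len = 4 + (4 if flags_ver & 0x8000 else 0)    # C bit adds checksum + reserved1 fields
    if ptype != ETHERTYPE_IPV4:
        raise ValueError(f"unexpected GRE payload type 0x{ptype:04x}")
    return outer_src, outer_dst, packet[ihl + gre_len:]


def ip_addresses(packet: bytes):
    """(source, destination) of an IPv4 packet, used to inspect the inner packet."""
    return ".".join(map(str, packet[12:16])), ".".join(map(str, packet[16:20]))


# Constructed sample: the PC1 -> PC2 echo request from the chapter (100.100.1.2 -> 100.100.2.2).
_echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"constructed-gre-payload"
ICMP_ECHO = _echo[:2] + struct.pack("!H", checksum(_echo)) + _echo[4:]
INNER = ipv4_header("100.100.1.2", "100.100.2.2", ICMP_PROTO, len(ICMP_ECHO)) + ICMP_ECHO
# R1 encapsulates it with tunnel source 1.1.1.1 and tunnel destination 1.1.1.3.
OUTER = gre_encapsulate(INNER, "1.1.1.1", "1.1.1.3")

if __name__ == "__main__":
    o_src, o_dst, inner = gre_decapsulate(OUTER)
    print("outer:", o_src, "->", o_dst, "IP protocol", OUTER[9])
    print("inner:", *ip_addresses(inner), "unchanged:", inner == INNER)
    print("payload readable in transit:", b"constructed-gre-payload" in OUTER)
```

The decapsulation side checks the GRE version and honours the optional checksum field so that it also parses packets from routers that have checksumming enabled (the R1 output above shows it disabled, which is the default).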


And that would be all about GRE tunnels. This topic is not that complicated and the configuration is pretty
straightforward. You just need to know the exact steps and what needs to be configured.

Of course, things can get complicated if you decide to put IPsec on top of GRE, but careful and organized
configuration can keep you out of trouble.

Also, always make sure that there is IP reachability between the endpoints of the tunnel.

Appendix

- Key notes related to IP addressing:

- Key diagram related to IP routing:

- Case Study: A 3-Star Hotel Renovation at New Delhi, India


In this section, we are going to learn how to handle a real-life job environment. Suppose you are working
for an ICT & ELV contracting company and you have been awarded a new project, the renovation of a
3-star hotel.

Before discussing this in more detail, we must first understand the scope of work (S.O.W) for the project:

1. Supply & install 80 new IP CCTV cameras
2. Supply & install 40 new IP phones
3. Supply & install 20 wireless access points
4. Supply & install the necessary ICT passive components for the above-mentioned systems.
5. Supply & install the necessary ICT active components for the above-mentioned systems.

Remember, the hotel has three existing IDFs (Intermediate Distribution Frames, or telecommunication
rooms) on the typical floors and one Data Centre/server room located on the ground floor.

[Figure: A Typical Hotel Network with ICT Active & Passive Components, high-level logical design (drawn
by Afaz). It shows IP phones, IP-CCTV dome cameras, laptops and indoor wireless access points connected
over CAT 6 cabling to Access Layer switches (Cisco 2960 series, two 48-port and one 24-port, inside the
IDFs, each with 2*10G uplinks); an indoor Core switch located at the Data Centre; a voice gateway (Cisco
2921 series router, also running Call Manager Express) towards the PSTN; a wireless controller in the Data
Centre rack; a Network Video Recorder for the CCTV system; and an Enterprise Edge Gateway Router
behind a firewall (first level of defence) towards the ISP.]

As a CCNA certified networker, your employer will expect you to identify the ICT active (Cisco)
components required for the project. As you can see in the above diagram, I used a two-layer hierarchical
design (one layer is the Access layer) and merged the Core and Distribution layers into a single Core layer,
as our network is small enough. We are going to use two Cisco 2960 series 48-port switches and one Cisco
2960 series 24-port switch as Access layer switches, located in the three IDFs. All of these switches will
be connected to the Core switch (located at the Data Centre) by redundant multimode fibre-optic links.


In the Data Centre, we will install a Cisco 5508 series Wireless Controller, which will be connected to the
core switch, as all indoor wireless access points will be controlled and monitored from the wireless
controller only.

For the CCTV system, each CCTV camera is directly connected to the access layer switch by a separate CAT
6 cable, and is then controlled and monitored from the Network Video Recorder, which will be connected
to the core switch.

For the IP phone system, each IP phone is also directly connected to the nearest IDF (access layer switch)
by a separate CAT 6 cable, and calls are then routed to the outside world by a separate voice-enabled
gateway router (Cisco 2921 series). As we are going to install only 40 telephones, we can run Cisco Call
Manager Express on the router itself; no extra hardware needs to be installed. Remember, if your network
grows, you might need extra hardware and software (such as Cisco Business Edition or Cisco Call
Manager), depending on your network size.

For connecting to the outside world, a Cisco 2951 series router is going to be used as the Internet gateway
router, and a Cisco 55XX series ASA firewall will act as the first level of defence for this network. Any
incoming traffic will be routed through this firewall, so the hotel network is also protected from the
outside world.

Also, remember that at the software level (Cisco IOS), you have to specify a separate VLAN for each type
of system in order to separate the services. For example, you may need VLANs for CCTV, telephony and
wireless access points, and for telephony and wireless you need separate VLANs for admin and guest.

For passive components, remember that a CAT 6 cable run must not exceed 100 meters, because beyond
that distance the signal will be too weak to work with. If you are also working as an ELV engineer, you
must identify which cable and passive component solutions you are going to use.

I hope this case study gives you some understanding of the real-life job scenarios involved in a building
environment. As I am personally working in Smart Building Engineering services, I suggest you try to find
work in this field, as the Internet has already become the 4th utility in building services (after water,
power and HVAC). Maybe in my next book or articles I will discuss more about Smart Building Technology
and how Cisco’s connected solutions can change our lives within the framework of a building or
community.

I hope you have enjoyed this eBook. Thank you for your time and consideration. I hope to see you at the
Intense School Resources (resources.intenseschool.com) page.
