
A (Very) Basic Introduction to Networking

[Diagram: a Wide Area Network, with sites in New York and Boston connected to each other over the Internet]
Network Characteristics
Topology
Speed
Cost
Security
Availability
Scalability
Reliability

2
The OSI Open Systems Interconnect Model
The OSI reference model is a standard of the International
Organization for Standardization (ISO).
It is a general-purpose framework that characterises and standardises
how computers communicate with one another over a network.
Its seven-layered approach to data transmission divides the operations
into specific related groups of actions at each layer.
A layer serves the layer above it and is served by the layer below it.

3
OSI Reference Model - Encapsulation

(Animated slide: the sender works down the stack, adding a header at each layer. The data handed down from Layer 7 is carried as L7, then L6 L7, L5 L6 L7, L4 L5 L6 L7, L3 L4 L5 L6 L7, and finally L2 L3 L4 L5 L6 L7 by the time it is put on the wire at Layer 1.)

Layer  Name          Includes               Devices
7      Application
6      Presentation
5      Session
4      Transport     TCP/UDP, Port
3      Network       IP Address             Routers
2      Data-Link     Ethernet MAC Address   Switches
1      Physical                             Hubs
OSI Reference Model – De-encapsulation

(Animated slide: the receiver works up the stack, stripping one header at each layer. What arrives as L2 L3 L4 L5 L6 L7 at Layers 1 and 2 becomes L3 L4 L5 L6 L7 at Layer 3, L4 L5 L6 L7 at Layer 4, L5 L6 L7 at Layer 5, L6 L7 at Layer 6, and only L7 remains at the Application layer.)

Layer  Name          Includes               Devices
7      Application
6      Presentation
5      Session
4      Transport     TCP/UDP, Port
3      Network       IP Address             Routers
2      Data-Link     Ethernet MAC Address   Switches
1      Physical
OSI Model Benefits
Engineers do not need to design a technology to work end to end from
top to bottom of the model. They can just focus on their layer of
expertise, and make sure they comply with the standards for the layers
above and below.
This leads to open standards and multi-vendor interoperability.
For example: If you’re an application developer, you can just focus on
the top three layers, the lower layers are the domain of network
engineers.
Troubleshooting is easier because you can analyse a problem in a
logical fashion layer by layer.

19
The OSI Open Systems Interconnect Model
It’s difficult to overstate how important the OSI Model is to computer
networking.
As you become more experienced you will ‘think’ according to the OSI
model when you are troubleshooting or learning a new network
technology.
On the job you will hear technologies and problems being described
according to their OSI layer.

20
OSI Acronyms

The Classic: Please Do Not Throw Sausage Pizza Away

Network Relevant: Please Don’t Need Those Stupid Packets Anyway

Us Relevant: Please Do Not Teach Students Pointless Acronyms

Useful: Please Do Not Take Sales People’s Advice

My Favourite: Please Do Not Touch Superman’s Private Area

21
The TCP/IP Suite
TCP/IP was developed during the 1960s by the US Department of
Defense’s (DoD) Advanced Research Projects Agency (ARPA).
It is a protocol stack which consists of multiple protocols including TCP
(Transmission Control Protocol) and IP (Internet Protocol).
It is the main protocol stack used in computer operations today.
Whereas the OSI Reference Model is conceptual, the TCP/IP stack is
used to transfer data in production networks.
TCP/IP is also layered but does not use all of the OSI layers, though the
layers are equivalent in operation and function.

22
Comparing the OSI Model with the TCP/IP Stack

23
Host Communications Terminology

The Protocol Data Unit (PDU) is given a different name at each stage:

Data
Segment
Packet
Frame
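The encapsulation and de-encapsulation slides above, and the PDU names just listed, as a runnable illustration. This is an added example, not code from the course: each layer prepends its own header to what it received from the layer above (Data becomes a Segment, then a Packet, then a Frame), and the receiver peels them off in the reverse order. The header layouts are an assumption made for this example (two ports, two IP addresses, two MAC addresses) and are not the real TCP, IP or Ethernet formats; the addresses and ports are constructed sample values.

```python
"""Encapsulation and de-encapsulation of one message through simplified
Layer 4, 3 and 2 headers, using the PDU names from the slides:
Data -> Segment -> Packet -> Frame on the way down, and the reverse on
the way up. Added example; not code from the course. The header layouts
are an assumption for illustration, not the real TCP/IP/Ethernet formats."""
import struct

# Assumed header layouts (simplified on purpose):
#   Layer 4 segment header: source port, destination port   (2 bytes each)
#   Layer 3 packet  header: source IP, destination IP       (4 bytes each)
#   Layer 2 frame   header: destination MAC, source MAC     (6 bytes each)
L4_HDR = "!HH"
L3_HDR = "!4s4s"
L2_HDR = "!6s6s"


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def mac_to_bytes(colon_hex):
    return bytes.fromhex(colon_hex.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def encapsulate(data, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Sender side: each layer prepends its own header to what it got
    from the layer above."""
    segment = struct.pack(L4_HDR, sport, dport) + data                                   # Layer 4
    packet = struct.pack(L3_HDR, ip_to_bytes(src_ip), ip_to_bytes(dst_ip)) + segment     # Layer 3
    frame = struct.pack(L2_HDR, mac_to_bytes(dst_mac), mac_to_bytes(src_mac)) + packet   # Layer 2
    return frame


def deencapsulate(frame):
    """Receiver side: each layer reads and strips its own header and hands
    the remainder up. Returns the fields seen at every layer."""
    l2_len = struct.calcsize(L2_HDR)
    dst_mac, src_mac = struct.unpack(L2_HDR, frame[:l2_len])
    packet = frame[l2_len:]

    l3_len = struct.calcsize(L3_HDR)
    src_ip, dst_ip = struct.unpack(L3_HDR, packet[:l3_len])
    segment = packet[l3_len:]

    l4_len = struct.calcsize(L4_HDR)
    sport, dport = struct.unpack(L4_HDR, segment[:l4_len])
    data = segment[l4_len:]

    return {
        "dst_mac": bytes_to_mac(dst_mac), "src_mac": bytes_to_mac(src_mac),
        "src_ip": bytes_to_ip(src_ip), "dst_ip": bytes_to_ip(dst_ip),
        "sport": sport, "dport": dport, "data": data,
    }


def forwarding_key(frame, device):
    """What a device looks at to forward the frame: a switch (Layer 2) only
    needs the destination MAC, a router (Layer 3) looks at the destination IP."""
    fields = deencapsulate(frame)
    if device == "switch":
        return fields["dst_mac"]
    if device == "router":
        return fields["dst_ip"]
    raise ValueError(f"unknown device type: {device}")


if __name__ == "__main__":
    # Constructed sample values; the addresses and ports follow the slides' examples.
    frame = encapsulate(b"GET / HTTP/1.1", 1500, 80, "192.168.10.15", "192.168.11.20",
                        "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02")
    print(len(frame), "bytes on the wire")
    for layer, value in deencapsulate(frame).items():
        print(f"{layer:8} {value}")
```

The `forwarding_key` function is the point of the table's Devices column: a switch never has to parse past the Layer 2 header, and a router never has to parse past Layer 3, which is exactly why each layer can be designed and troubleshot on its own.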
The Upper OSI Layers
Network engineers do not typically work directly with the upper 3
layers of the OSI model… but we still need to know what they do.
They are more relevant to application developers.
In this lecture I will primarily be giving you the Cisco definitions of the
layers.
Information included in the upper layers would include the Message
Body and Subject Line in an email message for example.

25
Layer 7 – The Application Layer
The application layer provides network services to the applications of
the user.
It differs from the other layers in that it does not provide services to
any other OSI layer.
The application layer establishes the availability of intended
communication partners.
It then synchronizes and establishes agreement on procedures for
error recovery and control of data integrity.

26
Layer 6 – The Presentation Layer
The presentation layer ensures that the information that is sent at the
application layer of one system is readable by the application layer of
another system.
The presentation layer can translate among multiple data formats
using a common format (eg computers with different encoding
schemes).

27
Layer 5 – The Session Layer
The session layer establishes, manages, and terminates sessions
between two communicating hosts.
The session layer also synchronizes dialog between the presentation
layers of the two hosts and manages their data exchange.
For example, web servers have many users, so there are many
communication processes open at any given time to track.
It also offers efficient data transfer, CoS, and exception reporting of
upper layer problems.

28
The Lower OSI Layers
Whereas Network engineers are not particularly interested in the
upper OSI layers, we are very concerned with the lower 4 layers of the
OSI model.
Each of these layers have their own dedicated section later and you
will learn much more detailed information about them throughout the
course.

29
Layer 4 – The Transport Layer
The main characteristics of the Transport layer are whether TCP or
UDP transport is used, and the port number.
Definition:
‒ The transport layer defines services to segment, transfer, and
reassemble the data for individual communications between the end
devices.
‒ It breaks down large files into smaller segments that are less likely to
incur transmission problems.

30
Layer 3 – The Network Layer
The most important information at the Network layer is the source and
destination IP address.
Routers operate at Layer 3.
Definition:
‒ The network layer provides connectivity and path selection between
two host systems that may be located on geographically separated
networks.
‒ The network layer is the layer that manages the connectivity of hosts
by providing logical addressing.

31
Layer 2 – The Data-Link Layer
The most important information at the Data-Link layer is the source
and destination layer 2 address.
For example the source and destination MAC address if Ethernet is the
layer 2 technology.
Switches operate at Layer 2.
Definition:
‒ The data link layer defines how data is formatted for transmission and
how access to physical media is controlled.
‒ It also typically includes error detection and correction to ensure a
reliable delivery of the data.

32
Layer 1 – The Physical Layer
The Physical layer concerns literally the physical components of the
network, for example the cables being used.
Definition:
‒ The physical link enables bit transmission between end devices.
‒ It defines specifications needed for activating, maintaining, and
deactivating the physical link between end devices.
‒ For example, voltage levels, physical data rates, maximum transmission
distances, physical connectors etc.

33
A Short History of Cisco Operating Systems
Most people think of Cisco as primarily a routing and switching
company, but they actually started out with just routers in 1984.
IOS is the operating system that has been used on Cisco routers since
their inception.
Cisco Catalyst switches evolved from the acquisition of Crescendo in
1993.
The original Cisco switch operating system was CatOS, which has now
been deprecated.

34
A Short History of Cisco Operating Systems
Cisco firewalls evolved from the acquisition of Network Translation’s
PIX firewall with Finesse operating system in 1995.
Cisco switches and firewalls were ported over to the IOS operating
system over the following years.

35
Other Cisco Operating Systems
IOS remains as the operating system used on the majority of Cisco
enterprise grade network devices.
Other operating systems have been developed for some more recent
router and switch platforms.

36
Other Cisco Operating Systems
The Cisco Nexus and MDS data center switch product lines run on
NX-OS.
The IOS-XR operating system runs on the service provider NCS, CRS,
ASR9000 and XR12000 series routers.
IOS-XE runs on the ASR1000 series service provider routers.
The Command Line Interfaces for the other operating systems are
nearly identical to IOS.

37
Connecting to a Cisco Device
To get to the Command Line Interface for day-to-day management of a
Cisco device you will use Secure Shell (SSH) to connect to its
management IP address.
In enterprise networks, secure login will typically be enforced through
integration with a centralised AAA (Authentication, Authorization and
Accounting) server.

38
Initial Connection to a Cisco Device
We will cover SSH and AAA in later lessons.
Cisco devices do not usually have a default IP address, so we need to
set one up before we can connect to it this way.
We need a way to connect to the device to do the initial configuration
including adding IP addresses. This is where the console connection
comes in.

39
Cisco Device Management Ports

40
The Console Cable (DB9 to RJ45)

41
The New Console Cable (USB to Mini-USB)

42
Out of Band Management
As well as for initial configuration, the console port can be used if the
device’s IP addresses become unresponsive.
It can also be used to troubleshoot the bootup process. You can view
the device booting up from a console connection but this is not
possible with SSH because the system must have booted already
before the IP address will be live.
The console connection can also be used for Out of Band
Management.
This is where you use a different path (other than the production
network) to connect to the device for management.

Out of Band Management

[Diagram: the device's console port is connected to a terminal server on a separate management network. You can SSH to the device itself over the production network, or SSH to the terminal server over the management network and reach the device through the console connection.]
IOS Command Hierarchy

hostname> User Exec mode

hostname# Privileged Exec mode (‘Enable’)

hostname(config)# Global Configuration mode (‘Configure Terminal’)

hostname(config-if)# Interface Configuration mode (‘Interface x’)

‘Exit’ drops back down a level.

‘End’ drops back to Privileged Exec mode from any level.

45
Command Abbreviation

You can type in a shortened version of a command.

For example, ‘en’ instead of ‘enable’

There must be only one possible match for what you typed for
abbreviation to succeed

46
Context Sensitive Help

You can enter a question mark to access Help

‘sh?’ will show all commands that begin with ‘sh’

‘show ?’ will show all available keyword options for the ‘show’
command

‘show ip ?’ will show all available keyword options for the ‘show ip
command’

47
Moving the Cursor

Backspace deletes the previous character

The arrow keys (˂ and ˃) move the cursor left and right one character
at a time

Ctrl-A moves the cursor to the beginning of the line

Ctrl-U deletes the whole line

See http://etherealmind.com/cisco-ios-cli-shortcuts/ for more

48
Command History

The up and down arrows (˄ and ˅) cycle through previously entered
commands at the same level in the hierarchy.

49
Showing command output

When ‘show’ command output is longer than the screen, Enter advances it
line by line.

The Spacebar advances it page by page.

Ctrl-C breaks out of the show command output and returns to the
command prompt.

Piped Command Examples

show running-config interface FastEthernet0/0

show running-config | begin FastEthernet0/0

show running-config | include FastEthernet0/0

show running-config | exclude FastEthernet0/0

show running-config | section interface

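What the four output filters above actually keep, shown by reimplementing them in Python over a small constructed running-config. This is an added example, not Cisco code, and it is a simplification of IOS behaviour (IOS applies `section` slightly differently for some commands); the config text is constructed. The same `include` and `section` filters are how you audit a device's configuration, for example confirming that every `line vty` block carries `transport input ssh`.

```python
"""The four IOS output filters from the slide, reimplemented over a
constructed running-config so you can see exactly which lines each one
keeps. Added example; not Cisco code and not an exact copy of IOS
behaviour. The config text is constructed."""
import re

SAMPLE_RUNNING_CONFIG = """\
hostname R1
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 shutdown
!
line vty 0 4
 transport input ssh
!
end
"""


def filter_begin(text, pattern):
    """| begin: everything from the first matching line to the end."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.search(pattern, line):
            return lines[i:]
    return []


def filter_include(text, pattern):
    """| include: only the lines that match."""
    return [line for line in text.splitlines() if re.search(pattern, line)]


def filter_exclude(text, pattern):
    """| exclude: every line except those that match."""
    return [line for line in text.splitlines() if not re.search(pattern, line)]


def filter_section(text, pattern):
    """| section: whole configuration blocks (an unindented line plus its
    indented sub-lines) in which any line matches."""
    blocks, current = [], []
    for line in text.splitlines():
        if not line.startswith(" ") and current:
            blocks.append(current)
            current = []
        current.append(line)
    if current:
        blocks.append(current)
    return [line for block in blocks
            if any(re.search(pattern, entry) for entry in block)
            for line in block]


if __name__ == "__main__":
    for name, func, pat in [("begin", filter_begin, "FastEthernet0/1"),
                            ("include", filter_include, "ip address"),
                            ("exclude", filter_exclude, "^!"),
                            ("section", filter_section, "interface")]:
        print(f"--- show running-config | {name} {pat}")
        print("\n".join(func(SAMPLE_RUNNING_CONFIG, pat)))
```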
Configuration Storage Locations

The IOS operating system image is stored in Flash.

The Startup Configuration is stored in NVRAM.

The Running Configuration is stored in RAM. (It is loaded into RAM from
the Startup Config when the device boots up.)

Saving the Configuration

Commands take effect immediately but are not persistent across a
reboot.

Enter ‘copy running-config startup-config’ to make the configuration
persistent.

Enter ‘wr erase’ and then ‘reload’ to delete the startup configuration
and factory reset the device.

Layer 4 – The Transport Layer
The Transport layer provides transparent transfer of data between
hosts and is responsible for end-to-end error recovery and flow
control.
Flow control is the process of adjusting the flow of data from the
sender to ensure that the receiving host can handle all of it.

61
Session Multiplexing

Session multiplexing is the process by which a host is able to support
multiple sessions simultaneously and manage the individual traffic
streams over a single link.

[Diagram: Session Multiplexing - one sender with an SMTP (port 25) session and an HTTP (port 80) session to one receiver, and another SMTP (port 25) session to a second receiver, all carried over a single link]

63
Layer 4 Port Numbers
The Layer 4 destination port number is used to identify the upper layer
protocol.
For example, HTTP uses port 80, SMTP email uses port 25.
The sender also adds a source port number to the Layer 4 header.
The combination of source and destination port number can be used
to track sessions.

Layer 4 Port Numbers

[Diagram: the sender sends to DST: 80 from SRC: 1500; the receiver replies to DST: 1500 from SRC: 80]

TCP
TCP (Transmission Control Protocol) and UDP (User Datagram Protocol)
are the most common Layer 4 protocols.
TCP is connection oriented – once a connection is established, data can
be sent bidirectionally over that connection.
TCP carries out sequencing to ensure segments are processed in the
correct order and none are missing.
TCP is reliable – the receiving host sends acknowledgments back to the
sender. Lost segments are resent.
TCP performs flow control.

66
The TCP Three-Way Handshake

Sender → Receiver: SYN
Receiver → Sender: SYN-ACK
Sender → Receiver: ACK

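The two ideas from the last few slides together: the source and destination port pair identifies a session, and the SYN, SYN-ACK, ACK exchange opens it. This is an added example, not course code: it tracks each session by its address/port pairs (so the reply with DST 1500 / SRC 80 lands in the same session as the request with DST 80 / SRC 1500), walks the handshake in order, and reports sessions that were started but never completed, which is what a defender looks for when a host is being probed or flooded with connection attempts. The packet records and flag strings are constructed, and the states are a simplification of the real TCP state machine.

```python
"""Tracking TCP sessions by their source/destination IP and port pairs and
following the SYN, SYN-ACK, ACK three-way handshake. Added example; not
course code. Packet records are constructed; the flag strings and state
names are a simplification of the real TCP state machine."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip sport dst_ip dport flags")


def session_key(pkt):
    """Both directions of one conversation map to the same key, so the
    reply (DST 1500 / SRC 80) lands in the same session as the request."""
    a = (pkt.src_ip, pkt.sport)
    b = (pkt.dst_ip, pkt.dport)
    return (a, b) if a <= b else (b, a)


def track_sessions(packets):
    """Return {session_key: {"state": ..., "client": (ip, port)}}."""
    sessions = {}
    for pkt in packets:
        key = session_key(pkt)
        sender = (pkt.src_ip, pkt.sport)
        sess = sessions.setdefault(key, {"state": "CLOSED", "client": None})
        state = sess["state"]
        if pkt.flags == "SYN" and state == "CLOSED":
            sess["state"], sess["client"] = "SYN_SENT", sender          # step 1, from the client
        elif pkt.flags == "SYN-ACK" and state == "SYN_SENT" and sender != sess["client"]:
            sess["state"] = "SYN_RECEIVED"                                # step 2, from the server
        elif pkt.flags == "ACK" and state == "SYN_RECEIVED" and sender == sess["client"]:
            sess["state"] = "ESTABLISHED"                                 # step 3, connection open
        elif pkt.flags in ("FIN", "RST"):
            sess["state"] = "CLOSED"
        # any other packet (data, retransmission) leaves the state unchanged
    return sessions


def half_open(sessions):
    """Sessions that started a handshake but never completed it."""
    return [key for key, sess in sessions.items()
            if sess["state"] in ("SYN_SENT", "SYN_RECEIVED")]


# Constructed sample capture: one completed handshake to a web server on
# port 80, then data, and one SYN to port 25 that never gets a reply.
SAMPLE_PACKETS = [
    Packet("192.168.10.15", 1500, "192.168.11.20", 80, "SYN"),
    Packet("192.168.11.20", 80, "192.168.10.15", 1500, "SYN-ACK"),
    Packet("192.168.10.15", 1500, "192.168.11.20", 80, "ACK"),
    Packet("192.168.10.15", 1500, "192.168.11.20", 80, "PSH-ACK"),
    Packet("192.168.10.15", 1501, "192.168.11.20", 25, "SYN"),
]

if __name__ == "__main__":
    result = track_sessions(SAMPLE_PACKETS)
    for key, sess in result.items():
        print(key, sess["state"])
    print("half-open:", half_open(result))
```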
The TCP Header

76
UDP
The User Datagram Protocol sends traffic best effort.
UDP is not connection oriented. There is no handshake connection
setup between the hosts.
UDP does not carry out sequencing to ensure segments are processed
in the correct order and none are missing.
UDP is not reliable – the receiving host does not send
acknowledgments back to the sender.
UDP does not perform flow control.
If error detection and recovery is required it is up to the upper layers
to provide it.

77
The UDP Header

78
TCP vs UDP
Application developers will typically choose to use TCP for traffic which
requires reliability.
Real-time applications such as voice and video can’t afford the extra
overhead of TCP so they use UDP.
Some applications can use both TCP and UDP.

79
Common Applications and Their Destination Ports

TCP: FTP (21), SSH (22), Telnet (23), HTTP (80), HTTPS (443)
UDP: TFTP (69), SNMP (161)
TCP and UDP: DNS (53)

80
Layer 3 – The Network Layer
The Network layer is responsible for routing packets to their
destination and for Quality of Service.
IP (Internet Protocol) is the best known Layer 3 protocol. IPv4 is the
focus of this section.
It is a connectionless protocol with no acknowledgements at Layer 3.
Other Layer 3 protocols include ICMP (Internet Control Message
Protocol) and IPSec.

81
IP Addressing
IP addressing is a logical addressing scheme which is implemented at
Layer 3.
The network designer uses IP addressing to partition the overall
network into smaller ‘subnets’.
This improves performance and security and makes troubleshooting
easier.
Layer 2 MAC addresses use one big flat addressing scheme. There is no
logical separation between networks at Layer 2, it’s done at Layer 3.

82
The IP Header

91
Unicast, Broadcast and Multicast Traffic

There are 3 main IP traffic types: unicast, broadcast and multicast.

Unicast traffic is to a single destination host.

Broadcast traffic is to all hosts on the subnet.

Multicast traffic is to multiple interested hosts.

Unicast Traffic

[Diagram: a sender sending to a single destination host]

Broadcast Traffic

[Diagram: a sender sending to all hosts on the subnet]

Unicast Traffic to Multiple Hosts

[Diagram: a sender sending a separate unicast copy to each of several hosts]

Multicast Traffic

[Diagram: a sender sending a single stream that reaches the interested hosts]

Counting in Decimal
Humans are conditioned to count in decimal.
For each ‘column’ in a number we have 10 possible choices, from 0 to
9.
Every time we add a digit, the value is magnified by a power of 10.
We start with a ‘1’ as the furthest right multiplier, then each digit to
the left is multiplied by 10.
236 is six 1’s, three 10’s, and two 100’s.

100’s  10’s  1’s
  2     3     6

97
Counting in Binary
Computers work in binary.
Electrical impulses are either on or off, so there are two choices.
For each ‘column’ in a number we have 2 possible choices, 0 or 1.
Every time we add a digit, the value is magnified by a power of 2.
We start with a ‘1’ as the furthest right digit, then each digit to the left
is multiplied by 2.
236 in binary is 11101100

128 64 32 16 8 4 2 1
  1  1  1  0 1 1 0 0

98
Counting up to 7 in Binary

Decimal   4 2 1
0         0 0 0
1         0 0 1
2         0 1 0
3         0 1 1
4         1 0 0
5         1 0 1
6         1 1 0
7         1 1 1

99
IPv4 Addresses
An IPv4 address is 32 bits long.
It is written as 4 ‘octets’ in dotted decimal format.
For example 192.168.10.15
Each octet is 8 bits long (4 x 8 = 32)

100
Static vs Automatic Addressing
The IP address is usually set manually on servers, printers and network
devices such as routers and switches. It is usually assigned
automatically through the Dynamic Host Configuration Protocol
(DHCP) on desktop computers.
To understand how the logical separation between subnets works, you
need to understand the IP address in binary.

101
IPv4 Address Octets
Each octet in the IP address has a value ranging from 0 to 255

128 64 32 16 8 4 2 1   (column values)

128 64 32 16 8 4 2 1
  0  0  0  0 0 0 0 0   = 0

128 64 32 16 8 4 2 1
  1  1  1  1 1 1 1 1   = 255

102
Converting First Octet to Binary
Let’s convert that 192.168.10.15 address to binary, starting with the
first octet of 192.
Write out the binary columns on a piece of paper to do this

128 64 32 16 8 4 2 1
1 1 0 0 0 0 0 0

192 – 128 = 64
64 – 64 = 0
The first octet is 11000000 in binary
128 + 64 = 192
103
Converting Second Octet to Binary
The second octet of 192.168.10.15 is 168

128 64 32 16 8 4 2 1
  1  0  1  0 1 0 0 0

168 – 128 = 40
40 – 64 doesn’t go
40 – 32 = 8
8 – 16 doesn’t go
8 – 8 = 0
The second octet is 10101000 in binary
128 + 32 + 8 = 168

The first half of the IP address in binary notation is 11000000.10101000
Converting Decimal to Binary
Go ahead and stop the video and work out the last 2 octets if you’re
new to converting IP addresses to binary
You should be able to show the complete IP address 192.168.10.15 in
binary notation
11000000.10101000.x.x
I’ll show you the answer on the next slide

105
Conversion Answer
192.168.10.15 = 11000000.10101000.00001010.00001111

128 64 32 16 8 4 2 1
  1  1  0  0 0 0 0 0   (192)

128 64 32 16 8 4 2 1
  1  0  1  0 1 0 0 0   (168)

128 64 32 16 8 4 2 1
  0  0  0  0 1 0 1 0   (10)

128 64 32 16 8 4 2 1
  0  0  0  0 1 1 1 1   (15)

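The column method used on the last few slides, written as code so you can check your own answer. This is an added example, not course code: for each column from 128 down to 1 it asks whether the column ‘goes’ (write a 1 and subtract) or ‘doesn’t go’ (write a 0), exactly as the worked slides do, and it also converts back the other way. The only address used is the slides' own example.

```python
"""Converting an IPv4 address between dotted decimal and binary with the
column method from the slides (try each column from 128 down to 1: if it
'goes', write a 1 and subtract, else write a 0). Added example; not course
code. The address is the slides' own example."""
COLUMNS = [128, 64, 32, 16, 8, 4, 2, 1]


def octet_to_bits(value):
    if not 0 <= value <= 255:
        raise ValueError(f"an octet must be 0 to 255, got {value}")
    bits, remainder = [], value
    for column in COLUMNS:
        if remainder >= column:      # the column 'goes'
            bits.append("1")
            remainder -= column
        else:                        # the column 'doesn't go'
            bits.append("0")
    return "".join(bits)


def bits_to_octet(bits):
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected 8 binary digits, got {bits!r}")
    # add up the column values under each 1
    return sum(column for column, bit in zip(COLUMNS, bits) if bit == "1")


def ip_to_binary(dotted):
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets, got {dotted!r}")
    return ".".join(octet_to_bits(int(o)) for o in octets)


def binary_to_ip(binary):
    groups = binary.split(".")
    if len(groups) != 4:
        raise ValueError(f"expected 4 groups of bits, got {binary!r}")
    return ".".join(str(bits_to_octet(g)) for g in groups)


def worked_steps(value):
    """The subtraction steps written out the way the slides show them,
    stopping once the remainder reaches 0."""
    steps, remainder = [], value
    for column in COLUMNS:
        if remainder == 0:
            break
        if remainder >= column:
            steps.append(f"{remainder} - {column} = {remainder - column}")
            remainder -= column
        else:
            steps.append(f"{remainder} - {column} doesn't go")
    return steps


if __name__ == "__main__":
    address = "192.168.10.15"
    for octet in address.split("."):
        print(f"{octet}: " + "; ".join(worked_steps(int(octet))))
    print(address, "=", ip_to_binary(address))
```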
Subnet Masks

To set the boundary between logical networks (subnets), the IP
address is combined with a subnet mask

You’ll learn about the subnet mask in the next lecture

107
The Subnet Mask
A host can send traffic directly to another host on the same subnet via
switches
For a host to send traffic to another host in a different subnet, it must
be forwarded by a router
The host therefore needs to understand if the destination is on the
same or a different subnet in order to know how to send it
The subnet mask is used for this
The subnet mask is also 32 bits long, and can be written in dotted
decimal or slash notation

108
Network and Host Portion
A host’s IP address is divided into a network portion and a host portion
The subnet mask defines where the boundary is
The easiest way to explain this is through example…
Let’s say the host’s IP address is 192.168.10.15 and its subnet mask is
255.255.255.0
We write the IP address out in binary notation, and then the subnet
mask underneath

109
Subnet ‘Masking’
192.168.10.15 / 255.255.255.0

(Column values in each octet: 128 64 32 16 8 4 2 1)

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

The IP address is compared (‘masked’) with the subnet mask
A ‘1’ in the subnet mask indicates that bit in the IP address is part of
the network address
A ‘0’ indicates the bit is part of the host address

110
The Network Portion
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

In our example, the network address portion is 192.168.10
The host address portion is .15

111
Local Subnet or Routed Traffic
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

If the host wants to communicate with another host with an IP address which
also begins with 192.168.10. (for example 192.168.10.20), it knows it’s on the
same subnet and it can send the traffic directly
If it wants to communicate with another host with any other network address
(for example 192.168.11.20), it knows it has to send the traffic via a router

Local Subnet or Routed Traffic
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

For a destination address to be in the same subnet, the network
portion has to be exactly 192.168.10.
Otherwise it’s in a different subnet and traffic must be sent via a router

113
Valid Subnet Masks
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

The subnet mask always begins with contiguous ‘1’s
For example, 11111111.11110000.00000000.00000000 is a legal
subnet mask
11101101.11110000.11100000.00001111 is not

114
The Host Portion
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

The host portion of the address is available to be allocated to the
different hosts on the subnet (eg PCs, Servers, Printers, Router
Interfaces and Switch Management Addresses)
With two exceptions (coming up after the next slide)…

115
Host Addresses
The host portion of the address specifies the individual host and must
be unique on that subnet
Hosts do not have to be numbered sequentially
If the network portion of the address is 10.10.10, you can have a host
with IP address 10.10.10.10 and another host with 10.10.10.20
You can’t have two different hosts both with IP address 10.10.10.10.
That would be a duplicate IP address. Whenever another host sent
traffic to 10.10.10.10, the network wouldn’t know which one to send it
to.
We could have host 10.10.10.10 on one subnet and host 10.10.20.10
on another subnet
116
The Network Address (Network ID)
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

All 0’s in the host portion designates the network address and is not
allowed to be allocated to a host
In our example the network address is 192.168.10.0

Network address:  11000000.10101000.00001010.00000000

The Broadcast Address
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

All 1’s designates the directed broadcast address for the subnet
Traffic with this destination address will be sent to all hosts in the
subnet
In our example the broadcast address is 192.168.10.255

Broadcast address:  11000000.10101000.00001010.11111111

Host Addresses
192.168.10.15 / 255.255.255.0

IP address:   11000000.10101000.00001010.00001111
Subnet mask:  11111111.11111111.11111111.00000000

That leaves 192.168.10.1 to 192.168.10.254 available to be allocated
to hosts

First host:   11000000.10101000.00001010.00000001   (192.168.10.1)
Last host:    11000000.10101000.00001010.11111110   (192.168.10.254)

Subnet Mask in Slash Notation
192.168.10.15 / 255.255.255.0
Address:     192.168.10.15 = 11000000.10101000.00001010.00001111
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Because the subnet mask always begins with contiguous ‘1’s, it will be
1 to 32 bits long counting from left to right
This allows us to write the subnet mask in slash notation, which is more
convenient than dotted decimal for network diagrams or in
conversation
120
Subnet Mask in Slash Notation
192.168.10.15 / 255.255.255.0
Address:     192.168.10.15 = 11000000.10101000.00001010.00001111
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Our example can be written as either 192.168.10.15 255.255.255.0 or
192.168.10.15/24
The network address is 192.168.10.0/24
121
Subnet Mask in Slash Notation Example 2
10.10.10.15 / 255.0.0.0
Address:     10.10.10.15 = 00001010.00001010.00001010.00001111
Subnet mask: 255.0.0.0 = 11111111.00000000.00000000.00000000
This example can be written as either 10.10.10.15 255.0.0.0 or
10.10.10.15/8
The network address is 10.0.0.0/8
122
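The network address, broadcast address, host range and slash notation calculations on the slides above can be checked with a short program. The following is an added example, not code from the course; the function names (ip_to_int, subnet_info, mask_to_prefix and so on) are my own. It works with plain integers so that the AND with the mask and the OR with the inverted mask are visible, and it rejects a non-contiguous mask such as 255.0.255.0 instead of silently accepting it. It assumes a prefix of /30 or shorter, since the two-address /31 case is covered later in the section.

```python
# Added example (not from the course slides): network, broadcast and host
# range for an address in slash notation, plus dotted mask <-> prefix length.
# Function names are my own.

def ip_to_int(dotted: str) -> int:
    """Parse 'a.b.c.d' into a 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"octet out of range: {part!r} in {dotted!r}")
        value = (value << 8) | int(part)
    return value

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value: int) -> str:
    """Render a 32-bit value as the dotted binary used on the slides."""
    bits = f"{value:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))

def prefix_to_mask(prefix: int) -> int:
    """/n -> mask with n contiguous 1 bits followed by 0 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def mask_to_prefix(mask_dotted: str) -> int:
    """Dotted-decimal mask -> prefix length.
    A valid mask is a run of 1s followed by a run of 0s; anything else
    (e.g. 255.0.255.0) is rejected rather than silently accepted."""
    mask = ip_to_int(mask_dotted)
    prefix = bin(mask).count("1")
    if mask != prefix_to_mask(prefix):
        raise ValueError(f"non-contiguous subnet mask: {mask_dotted}")
    return prefix

def subnet_info(cidr: str) -> dict:
    """Network, broadcast and usable host range for 'a.b.c.d/n' (n <= 30)."""
    address, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    if prefix > 30:
        raise ValueError("/31 and /32 have no separate network/broadcast address")
    addr = ip_to_int(address)
    mask = prefix_to_mask(prefix)
    network = addr & mask                        # host bits all 0
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all 1
    return {
        "network": f"{int_to_ip(network)}/{prefix}",
        "mask": int_to_ip(mask),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),    # network address is not assignable
        "last_host": int_to_ip(broadcast - 1),   # broadcast address is not assignable
        "usable_hosts": 2 ** (32 - prefix) - 2,
        "binary_address": to_binary(addr),
        "binary_mask": to_binary(mask),
    }

if __name__ == "__main__":
    for cidr in ("192.168.10.15/24", "10.10.10.15/8", "198.22.45.173/26"):
        print(cidr, subnet_info(cidr))
```

Running it on the two slide examples reproduces 192.168.10.0/24 with broadcast 192.168.10.255 and hosts .1 to .254, and 10.0.0.0/8; the mask check matters in practice because a mis-typed mask that still "looks" valid will quietly put a host on the wrong subnet.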
Subnet Size
Subnet mask /8: 255.0.0.0 = 11111111.00000000.00000000.00000000
The bigger the host portion of the network, the more hosts we can
have
If the subnet mask is /8, we have 24 bits available to allocate to hosts
If the subnet mask is /24, we only have 8 bits available to allocate to
hosts
123
How Internet Addressing Was Meant to Work
The global coordination of Internet IPv4 addressing is performed by
IANA (Internet Assigned Numbers Authority).
This is the way it was originally supposed to work:
When a company wants to communicate on the internet, they apply
for a range of IP addresses.
If they have 6000 hosts, they ask for a range of IP addresses big
enough to cover that, plus room for growth.
They then allocate their addresses to their hosts in their various
offices.

124
How Internet Addressing Was Meant to Work

Unfortunately, when IPv4 was created, the designers didn’t realise how big
the internet was going to get, and they didn’t create a big enough address
space – there’s not enough addresses for everyone.
The long term solution to this problem is IPv6 which has a much bigger
address space.

125
How Internet Addressing Was Meant to Work
Private IP addresses with NAT (Network Address Translation) are currently
deployed in the majority of enterprise networks as a workaround.
You’ll learn all about private addresses, NAT and IPv6 in a later lecture.
To understand the lectures until we get to that point, think about it from
the context of the originally intended IPv4 design, where all hosts which
can communicate on the Internet have a public IP address.

126
Class A
The internet authorities split the IPv4 address space into separate
classes.
Class A addresses are assigned to networks with a very large number
of hosts.
The high-order (first) bit in a class A address is always set to zero.
The default subnet mask is /8
Valid network addresses range from 1.0.0.0 to 126.0.0.0 /8
This allows for 126 networks and 16,777,214 hosts per network.
Example Class A network: 15.0.0.0/8 = 00001111.00000000.00000000.00000000
127
Reserved Class A Addresses
0.0.0.0/8 is reserved and signifies ‘this network’
0.0.0.1 to 0.255.255.255 are not valid host addresses
Example: 0.10.10.15 = 00000000.00001010.00001010.00001111
127.0.0.0/8 in the Class A space is reserved as the loopback address
for testing the local computer
127.0.0.1 to 127.255.255.255 are not valid host addresses
Example: 127.10.10.15 = 01111111.00001010.00001010.00001111
This wiped out 33,554,428 addresses from the global address pool –
whoops!
128
Subnetting
Obviously a company wouldn’t put all 16,777,214 hosts into a single
logical network; this would be terrible for performance and security.
They would split their /8 address allocation into smaller subnets and
allocate these to different offices and types of hosts
For example if they received 15.0.0.0/8, they could allocate the subnet
15.0.1.0/24 to sales computers in New York, 15.0.2.0/24 to accounting
PCs and 15.0.9.0/24 to sales computers in Boston.
This is called subnetting and you’ll master it later in this section.

129
Class B
Class B addresses are assigned to medium-sized to large-sized networks.
The two high-order bits in a class B address are always set to binary 1 0.
The default subnet mask is /16
Valid network addresses range from 128.0.0.0 to 191.255.0.0 /16
This allows for 16,384 networks and 65,534 hosts per network.
This would also be subnetted in a real world environment.
Example Class B network: 131.192.0.0/16 = 10000011.11000000.00000000.00000000
130
Class C
Class C addresses are used for small networks.
The three high-order bits in a class C address are always set to binary 1 1 0.
The default subnet mask is /24
Valid network addresses range from 192.0.0.0 to 223.255.255.0 /24
This allows for 2,097,152 networks and 254 hosts per network.
This could be allocated as is for a real world network, or subnetted into
smaller subnets.
Example Class C network: 195.0.192.0/24 = 11000011.00000000.11000000.00000000
131
A Quick Note on Private Addresses
There is also a range of reserved Private Addresses in each class
These are valid to be assigned to hosts but they are not routable on
the public internet
They were originally designed for hosts in a closed private network
with no Internet connectivity
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
Private addresses will be discussed in a later lecture in this section

132
Address Classes

Classes A, B and C include all the addresses which are valid to be assigned
to hosts

What about 224.0.0.0 to 255.255.255.255?

133
Class D
Class D addresses are reserved for IP multicast addresses.
The four high-order bits in a class D address are always set to binary 1 1 1 0.
These addresses are not allocated to hosts and there is no default subnet
mask
Valid addresses range from 224.0.0.0 to 239.255.255.255
Example Class D address: 227.1.192.5 = 11100011.00000001.11000000.00000101
134
Unicast Traffic
[Diagram: the sender 10.10.10.10 sends a separate copy of the traffic to each receiver, 10.10.10.15 and 10.10.20.15]
SRC: 10.10.10.10  DST: 10.10.10.15
SRC: 10.10.10.10  DST: 10.10.20.15
135
Multicast Traffic
[Diagram: the sender 10.10.10.10 sends a single copy of the traffic to the multicast group address, and both receivers 10.10.10.15 and 10.10.20.15 get it]
SRC: 10.10.10.10  DST: 239.0.0.1
136
Class E
Class E addresses are ‘experimental and reserved for future use’.
The high-order bits in a class E address are set to 1111
These addresses are not allocated to hosts and there is no default subnet
mask
Addresses range from 240.0.0.0 to 255.255.255.255
255.255.255.255 is the broadcast address for ‘this network’
Example Class E address: 243.1.192.10 = 11110011.00000001.11000000.00001010
137
IP Address Class Summary
Class   First Octet   Default Subnet Mask (Slash)   Default Subnet Mask (Dotted Decimal)
A       1 - 126       /8                            255.0.0.0
B       128 - 191     /16                           255.255.0.0
C       192 - 223     /24                           255.255.255.0
D       224 - 239     none                          none
E       240 - 255     none                          none
138
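The class rules, the reserved Class A ranges, the private ranges and the multicast and broadcast addresses described on the slides above can be combined into one classifier. The following is an added example and not code from the course; the function names, the scope labels and the sample log lines are my own, and the log lines are constructed rather than real traffic. It is written from the point of view of someone reviewing traffic on a link that should only carry public addresses, which is the originally intended IPv4 design the slides refer to.

```python
# Added example, not from the course slides: classify an IPv4 address using
# the classful rules and reserved ranges from the slides above. Function
# names and the sample log lines are my own.
from ipaddress import IPv4Address

DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}   # classes D and E have no default mask

# Private ranges from the slide, one per class (valid on hosts, not routable
# on the public internet)
PRIVATE_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
]

def _n(ip: str) -> int:
    """Dotted decimal to integer; IPv4Address rejects malformed input."""
    return int(IPv4Address(ip))

def address_class(ip: str) -> str:
    """Class from the high-order bits of the first octet."""
    first = _n(ip) >> 24
    if first & 0b10000000 == 0:            # 0xxxxxxx: 0 to 127
        return "A"
    if first & 0b11000000 == 0b10000000:   # 10xxxxxx: 128 to 191
        return "B"
    if first & 0b11100000 == 0b11000000:   # 110xxxxx: 192 to 223
        return "C"
    if first & 0b11110000 == 0b11100000:   # 1110xxxx: 224 to 239
        return "D"
    return "E"                             # 1111xxxx: 240 to 255

def in_range(ip: str, low: str, high: str) -> bool:
    return _n(low) <= _n(ip) <= _n(high)

def describe(ip: str) -> dict:
    """Class, default prefix, routing scope and whether a host may use it."""
    cls = address_class(ip)
    info = {"class": cls, "default_prefix": DEFAULT_PREFIX.get(cls),
            "scope": "public", "host_assignable": cls in ("A", "B", "C"), "note": ""}
    if in_range(ip, "0.0.0.0", "0.255.255.255"):
        info.update(scope="reserved", host_assignable=False, note="0.0.0.0/8 means 'this network'")
    elif in_range(ip, "127.0.0.0", "127.255.255.255"):
        info.update(scope="reserved", host_assignable=False, note="127.0.0.0/8 loopback")
    elif any(in_range(ip, low, high) for low, high in PRIVATE_RANGES):
        info.update(scope="private", note="not routable on the public internet")
    elif cls == "D":
        info.update(scope="multicast", note="multicast group address")
    elif ip == "255.255.255.255":
        info.update(scope="broadcast", note="broadcast address for 'this network'")
    elif cls == "E":
        info.update(scope="reserved", note="experimental, reserved for future use")
    return info

# Constructed sample firewall lines (not real traffic), one 'src=' field per line
SAMPLE_LOG = [
    "accept src=10.10.10.10 dst=15.0.1.5 dport=443",
    "accept src=131.192.4.7 dst=15.0.1.5 dport=443",
    "accept src=127.0.0.1 dst=15.0.1.5 dport=443",
    "drop src=239.0.0.1 dst=15.0.1.5 dport=443",
]

def sources_by_scope(lines: list) -> dict:
    """Group the source address of each log line by scope. On a link that
    should only carry public addresses, private, loopback or multicast
    sources indicate misconfiguration or spoofing and deserve review."""
    groups = {}
    for line in lines:
        src = next(field[4:] for field in line.split() if field.startswith("src="))
        groups.setdefault(describe(src)["scope"], []).append(src)
    return groups

if __name__ == "__main__":
    for ip in ("15.0.0.0", "131.192.0.0", "195.0.192.0", "227.1.192.5", "243.1.192.10", "127.0.0.1"):
        print(ip, describe(ip))
    print(sources_by_scope(SAMPLE_LOG))
```

The class test uses the high-order bits rather than a first-octet lookup table so that it reads the same way as the binary rows on the slides; the private and reserved checks are applied afterwards because 10.0.0.0/8 and 127.0.0.0/8 are still Class A by bit pattern.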
CIDR Classless Inter-Domain Routing
A problem with classful addresses was that if a company had more
than 254 hosts they would need to be assigned a Class B network
They would have far fewer than the 65,534 hosts allocated, so this
wasted a huge amount of the global address space
Classless Inter-Domain Routing (CIDR) was introduced in 1993 to
alleviate this problem

139
CIDR Classless Inter-Domain Routing
CIDR removed the fixed /8, /16 and /24 requirements for the address
classes, and allowed them to be split or ‘subnetted’ into smaller
networks
For example 175.10.10.0/20
Companies can now be allocated an address range which more closely
matches their needs and does not waste addresses

140
CIDR and Route Summarisation
Another benefit of CIDR is that aggregate blocks of networks can be
advertised on the Internet
[Diagram: ISP A holds 175.10.0.0/24, 175.10.1.0/24, 175.10.2.0/24, etc., up to 175.10.255.0/24 and advertises the single summary 175.10.0.0/16 to ISP B. ISP B holds 175.11.0.0/24, 175.11.1.0/24, 175.11.2.0/24, etc., up to 175.11.255.0/24 and advertises the single summary 175.11.0.0/16 to ISP A.]
141
Route Summarisation Benefits
ISP A does not know about all 256 /24 networks reachable in ISP B
It only has the single 175.11.0.0/16 summary route
This reduces the size of ISP A’s routing table and takes up less memory
If an individual link goes down in ISP B, it has no impact on ISP A. The
single summary route does not change
(Routers in ISP B would have to recalculate their routing table if a link
went down)
This restricts issues to the local part of the network and reduces CPU
load

142
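The summarisation in the ISP A / ISP B diagram above can be computed rather than read off a picture. The following is an added example, not code from the course; the function names are my own. Beyond the slide's case of 256 contiguous /24s, it handles the general case of any list of prefixes and checks whether the summary is exact, because a summary that covers space the ISP does not actually hold advertises reachability for addresses it cannot deliver to.

```python
# Added example, not from the course: compute the summary route that covers
# a list of networks, as ISP B does with its /24s above, and decide what is
# safe to advertise. Function names are my own.
from ipaddress import IPv4Network, collapse_addresses

def summary_route(prefixes: list) -> IPv4Network:
    """Smallest single prefix that covers every network in the list."""
    nets = [IPv4Network(p) for p in prefixes]   # strict: rejects host bits set
    if not nets:
        raise ValueError("nothing to summarise")
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while True:
        mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        if low & mask == high & mask:   # both ends share the first `prefix` bits
            return IPv4Network((low & mask, prefix))
        prefix -= 1                     # shorten until one block covers low..high

def summary_is_exact(prefixes: list, summary: IPv4Network) -> bool:
    """True when the listed networks fill the summary completely.
    An inexact summary claims address space the ISP does not hold."""
    merged = collapse_addresses(IPv4Network(p) for p in prefixes)  # merges overlaps
    covered = sum(n.num_addresses for n in merged)
    return covered == summary.num_addresses

def advertisement(prefixes: list) -> list:
    """Routes to advertise to the neighbour: the single summary when it is
    exact, otherwise the collapsed list so nothing is claimed that is not held."""
    summary = summary_route(prefixes)
    if summary_is_exact(prefixes, summary):
        return [str(summary)]
    return [str(n) for n in collapse_addresses(IPv4Network(p) for p in prefixes)]

if __name__ == "__main__":
    isp_b = [f"175.11.{i}.0/24" for i in range(256)]
    print(len(isp_b), "networks summarised as", advertisement(isp_b))
    print(advertisement(["175.11.0.0/24", "175.11.2.0/24"]))
```

With all 256 of ISP B's /24s the neighbour receives one route, 175.11.0.0/16, which is the reduction in routing table size the slide describes; with only 175.11.0.0/24 and 175.11.2.0/24 the smallest covering block would be 175.11.0.0/22, so the two /24s are advertised individually instead.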
Subnetting
To understand this lecture, think about it from the point of view of the
originally intended IPv4 design again, where all hosts which can
communicate on the Internet have a public IP address.
Let’s say we’re the network designer for a small business with four
departments spread over two offices, and we want to manage our
own public address space.
Rather than purchasing separate address ranges for the different
departments, we can purchase a single range and subnet it into
smaller portions.

143
Borrowing Host Bits
Let’s say we’ve been allocated Class C 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
To subnet the network into smaller subnets, we need to ‘borrow’ host
bits and add them to the network portion of the address
The network address line always moves to the right when we subnet
The further to the right we go, the more subnets we’ll have of that size
but fewer hosts
144
Calculating the Number of Networks
To calculate the number of available subnets, the formula is 2^(subnet bits)
If a Class C network uses a /28 subnet mask then we’ve borrowed 4 bits
from the default of /24
2^4 = 16 available subnets
If a Class B network uses a /28 subnet mask then we’ve borrowed 12 bits
from the default of /16
2^12 = 4096 available subnets
Hosts on different subnets need to go via a router if they want to
communicate with each other
145
Calculating the Number of Hosts
To calculate the number of available hosts, the formula is 2^(host bits) minus 2
We subtract 2 because the network address and broadcast address
cannot be assigned to hosts
If a Class C network uses a /28 subnet mask then we have 4 bits left for
hosts
2^4 - 2 = 14
If a Class B network uses a /28 subnet mask then we have 4 bits left for
hosts
2^4 - 2 = 14
146
Class C /31 Subnet
Let’s say we’ve been allocated Class C 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
If we move the line all the way to the right we’re now using /31 (or
255.255.255.254)
This leaves one bit for the host address, with a possible value of 0 or 1
It borrows 7 bits for the network address
This gives us 128 subnets (2^7) which accommodate 2 hosts each
147
Class C /31 Subnet
Let’s say we’ve been allocated Class C 200.15.10.0/24.
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
We subnet using /31. Valid host addresses:
‒ 200.15.10.0 to 200.15.10.1
‒ 200.15.10.2 to 200.15.10.3
‒ Etc., to:
‒ 200.15.10.254 to 200.15.10.255
148
But Wait!
Let’s say we’ve been allocated Class C 200.15.10.0/24.
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
What about the network and broadcast address?!
/31 breaks the standard rules of IP addressing.
/31 subnets are supported on Cisco routers for point to point links
(which have no need for a network or broadcast address.)
149
Class C /30 Subnet
Let’s say we’ve been allocated Class C 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Let’s move the line back a place. We’re now using /30 (or 255.255.255.252)
This leaves 2 bits for the host address, 2^2 = 4, minus 2 for the network and
broadcast address = 2 possible hosts
It borrows 6 bits for the network address
This gives us 64 subnets (2^6) which accommodate 2 hosts each
150
Class C /30 Subnet
Notice that the line is after the 4. The network address goes up in values of 4.
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Valid host addresses:
‒ 200.15.10.1 to 200.15.10.2 (network .0, broadcast .3)
‒ 200.15.10.5 to 200.15.10.6 (network .4, broadcast .7)
‒ Etc., to:
‒ 200.15.10.253 to 200.15.10.254 (network .252, broadcast .255)
151
/31 vs /30
/31 and /30 both accommodate 2 hosts per subnet
/31 supports 128 subnets, /30 only 64
/31 is useful if you need to maximise use of your address space
/30 is more standard and commonly used
For the CCNA exam, use /30 when a subnet to support 2 hosts is
required, unless told to use /31
152
Class C /29 Subnet
Let’s say we’ve been allocated Class C 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Let’s move the line back a place. We’re now using /29 (or 255.255.255.248)
This leaves 3 bits for the host address, 2^3 minus 2 = 6 possible hosts
It borrows 5 bits for the network address
This gives us 32 subnets (2^5) which accommodate 6 hosts each
153
Class C /29 Subnet
Notice that the line is after the 8. The network address goes up in values of 8.
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Valid host addresses:
‒ 200.15.10.1 to 200.15.10.6 (network .0, broadcast .7)
‒ 200.15.10.9 to 200.15.10.14 (network .8, broadcast .15)
‒ Etc., to:
‒ 200.15.10.249 to 200.15.10.254 (network .248, broadcast .255)
154
Other Class C Subnet Masks
We can carry on moving the line back a place
/28 (or 255.255.255.240) = 16 networks of 14 hosts each
/27 (or 255.255.255.224) = 8 networks of 30 hosts each
/26 (or 255.255.255.192) = 4 networks of 62 hosts each
/25 (or 255.255.255.128) = 2 networks of 126 hosts each
/24 (or 255.255.255.0) = 1 network of 254 hosts
155
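The subnet and host counting formulas (2^(subnet bits) and 2^(host bits) minus 2), the /31 versus /30 discussion and the table of Class C subnet masks above can all be generated from a few lines of code. The following is an added example, not code from the course; the function names are my own. It treats /31 as the two-host point to point case the slides describe, and it reproduces the Class C table for any default prefix, so the same function gives the Class B and Class A tables too.

```python
# Added example, not from the course: the subnet and host counting formulas
# from the slides above, with the /31 point to point case handled.
# Function names are my own.

def usable_hosts(prefix: int) -> int:
    """Hosts per subnet: 2^(host bits) minus the network and broadcast addresses."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    if prefix == 32:
        return 1          # a single host route, no subnet at all
    if prefix == 31:
        return 2          # point to point link: no network or broadcast address
    return 2 ** (32 - prefix) - 2

def subnet_count(default_prefix: int, new_prefix: int) -> int:
    """Subnets obtained by borrowing (new_prefix - default_prefix) host bits."""
    if not 0 <= default_prefix <= new_prefix <= 32:
        raise ValueError(f"cannot subnet /{default_prefix} into /{new_prefix}")
    return 2 ** (new_prefix - default_prefix)

def prefix_to_dotted(prefix: int) -> str:
    """/n -> dotted decimal mask, e.g. 27 -> 255.255.255.224."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_table(default_prefix: int) -> list:
    """Rows of (prefix, dotted mask, subnets, hosts per subnet), longest prefix
    first, exactly as the 'Other Class C Subnet Masks' slide lists them."""
    return [(p, prefix_to_dotted(p), subnet_count(default_prefix, p), usable_hosts(p))
            for p in range(31, default_prefix - 1, -1)]

def fits(prefix: int, hosts_needed: int) -> bool:
    """Does a subnet of this size hold the requirement? /29 holds 6, not 8."""
    return usable_hosts(prefix) >= hosts_needed

if __name__ == "__main__":
    for row in subnet_table(24):
        print("/%d (or %s) = %d networks of %d hosts each" % row)
```

fits() is the check the Boston Sales example later in this section turns on: 7 hosts need 7 usable addresses, and /29 only offers 6 once the network and broadcast addresses are taken out.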
Variable Length Subnet Masks VLSM
Early routing protocols only supported Fixed Length Subnet Masking
(FLSM) where all subnets had to be the same size. You couldn’t have a
subnet with 14 hosts and another subnet with 64 hosts in the same
network.
All modern routing protocols support Variable Length Subnet Masking.
This allows us to size subnets differently according to how many hosts
they have.

156
Subnetting Practice Question

What are the network address, broadcast address, and valid host
addresses for the IP address 198.22.45.173/26?
What is the subnet mask in dotted decimal notation?
Pause the video here and answer the questions.

157
Practice Question Answer
Let’s figure out the subnet mask in dotted decimal notation first
because that’s easy…
/26 borrows the first 2 bits in the last octet
Subnet mask /26: 11111111.11111111.11111111.11000000
128 + 64 = 192
So the subnet mask is 255.255.255.192
158
Practice Question Answer
Next let’s calculate the address range for this subnet
Write out 198.22.45.173/26
Address:     198.22.45.173 = 11000110.00010110.00101101.10101101
Subnet mask: 255.255.255.192 = 11111111.11111111.11111111.11000000
The network portion of the address is the first 26 bits
198.22.45.128 is the network address
The line is after 64, so add 64 to get the network address of the next subnet
The next subnet begins at 198.22.45.192
So the broadcast address is 198.22.45.191
And the valid host addresses are 198.22.45.129 to 198.22.45.190
159
Practice Question Answer
198.22.45.173/26
Last octet of the address: 173 = 10101101
Last octet of the mask:    192 = 11000000
Note that when we subnet a Class C address the magic is all going to
happen in the last octet
So we didn’t really need to write out the 198.22.45 part
160
Subnetting Considerations
How many locations do we have in the network?
How many hosts are in each location?
What are the IP addressing requirements for each location? (Should
different departments or types of host be in different subnets?)
What size is appropriate for each subnet? (Don’t waste addresses, but
leave room for growth.)

162
Network Topology Diagram
[Diagram: New York and Boston routers connected by a point to point link (2 hosts). New York: Sales 14 hosts, Eng 28 hosts. Boston: Sales 7 hosts, Eng 28 hosts.]
The router interfaces need IP addresses so count as hosts.
The router interface + 13 PCs = 14 hosts
We’ve been allocated the Class C network 200.15.10.0/24
163
Subnetting Design Steps
Find the largest segment and allocate a suitable subnet size for it.
Allocate this subnet at the start of the address space.
Continue going down the list.

In the real world you want a scalable design – you will likely allocate spare
subnets for future growth, and leave space in the subnets for additional
hosts.
In the CCNA exam do exactly what the question asks, don’t worry about
whether it’s best practice or not.

164
Engineering Departments
The Engineering departments in both sites have 28 hosts.
For our example we’ve been told that the departments will not grow and
we need to use the smallest subnets possible to maximise our address
space.
Pause the video here and calculate the optimal subnet mask for the
Engineering departments.
Also determine the network and broadcast addresses that will be allocated
to both Engineering departments, and the range of host addresses.

165
Engineering Departments
We’ve been allocated 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
/27 (or 255.255.255.224) supports 30 hosts
New York Engineering subnet:
Network Address: 200.15.10.0/27
Broadcast Address: 200.15.10.31
Hosts: 200.15.10.1 to 30
Boston Engineering subnet:
Network Address: 200.15.10.32/27
Broadcast Address: 200.15.10.63
Hosts: 200.15.10.33 to 62
166
New York Sales Department
The next largest subnet is New York Sales which requires 14 hosts.
Pause the video here and calculate the optimal subnet mask.
Also determine the network and broadcast addresses that we will allocate,
and the range of host addresses.

167
New York Sales Department
We’ve been allocated 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
/28 (or 255.255.255.240) supports 14 hosts
200.15.10.0 to 200.15.10.63 are already in use by the Engineering
departments, so this network address will start at 200.15.10.64
The network address goes up in values of 16, so the next one is
200.15.10.80
Our broadcast address is 200.15.10.79
Valid host addresses are 200.15.10.65 to 200.15.10.78
168
Boston Sales Department
The next largest subnet is Boston Sales which requires 7 hosts.
Pause the video here and calculate the optimal subnet mask.
Also determine the network and broadcast addresses that we will allocate,
and the range of host addresses.

169
Boston Sales Department
We’ve been allocated 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
/28 (or 255.255.255.240) supports 14 hosts
/29 does not support 8 hosts! Remember to subtract 2 for the network and
broadcast address
200.15.10.0 to 200.15.10.79 are already in use, so this network address will start at
200.15.10.80
The network address goes up in values of 16, so the next one is 200.15.10.96
Our broadcast address is 200.15.10.95
Valid host addresses are 200.15.10.81 to 200.15.10.94
170
Subnetting
We’re done, right?
Not so fast, don’t forget the links between routers
You also need to allocate address space for your router loopback
interfaces; we’ll talk about those later. (Not required in our example.)
171
New York to Boston Link
The last subnet is the link between the New York and Boston routers.
Pause the video here and calculate the optimal subnet mask.
Also determine the network and broadcast addresses that we will allocate,
and the range of host addresses.

172
New York to Boston Link
We’ve been allocated 200.15.10.0/24
Address:     200.15.10.0 = 11001000.00001111.00001010.00000000
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
/30 (or 255.255.255.252) supports 2 hosts
200.15.10.0 to 200.15.10.95 are already in use, so our network
address will be 200.15.10.96
The network address goes up in values of 4, so the next one is
200.15.10.100
Our broadcast address is 200.15.10.99
Valid host addresses are 200.15.10.97 to 200.15.10.98
173
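The design steps above (find the largest segment, size a subnet for it, place it at the start of the address space, continue down the list) can be carried out by a short program so the arithmetic for each department is not done by hand. The following is an added example, not code from the course; the function names and the requirements dictionary are my own, and the requirement numbers are the ones from the topology diagram. It uses 2^(host bits) minus 2 for sizing, so a 2-host link gets /30 as the slides recommend for the exam, and it reports the space left over for growth.

```python
# Added example, not from the course: the largest-first VLSM allocation
# procedure from the design steps above, applied to the slides' requirements.
# Function names and the requirements dictionary are my own.
from ipaddress import IPv4Network

def smallest_prefix(hosts_needed: int) -> int:
    """Longest prefix whose usable hosts (2^h - 2) cover the requirement.
    Starts at /30 because the slides use /30, not /31, for 2-host links."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts_needed:
            return prefix
    raise ValueError(f"no IPv4 subnet can hold {hosts_needed} hosts")

def allocate(block: str, requirements: dict) -> list:
    """Carve `block` into one subnet per requirement, largest first.
    Each subnet starts at the next address aligned to its own size."""
    parent = IPv4Network(block)
    cursor = int(parent.network_address)
    plan = []
    # Largest segment first; equal sizes keep the order they were given in.
    for name, hosts in sorted(requirements.items(), key=lambda kv: -kv[1]):
        prefix = smallest_prefix(hosts)
        size = 2 ** (32 - prefix)
        start = (cursor + size - 1) // size * size      # align to the subnet size
        if start + size - 1 > int(parent.broadcast_address):
            raise ValueError(f"{block} has no room for {name} ({hosts} hosts)")
        net = IPv4Network((start, prefix))
        plan.append({
            "name": name,
            "hosts_required": hosts,
            "network": str(net),
            "mask": str(net.netmask),
            "broadcast": str(net.broadcast_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            # the slides put the default gateway on the first usable address
            "default_gateway": str(net.network_address + 1),
        })
        cursor = start + size
    return plan

def addresses_after_plan(block: str, plan: list) -> int:
    """Addresses left in the block after the last allocated subnet."""
    parent = IPv4Network(block)
    if not plan:
        return parent.num_addresses
    last = IPv4Network(plan[-1]["network"])
    return int(parent.broadcast_address) - int(last.broadcast_address)

# Requirements from the topology diagram (router interfaces counted as hosts)
REQUIREMENTS = {
    "New York Eng": 28,
    "Boston Eng": 28,
    "New York Sales": 14,
    "Boston Sales": 7,
    "New York to Boston link": 2,
}

if __name__ == "__main__":
    plan = allocate("200.15.10.0/24", REQUIREMENTS)
    for subnet in plan:
        print(subnet)
    print(addresses_after_plan("200.15.10.0/24", plan), "addresses left for growth")
```

The alignment step matters once subnets are not placed strictly largest-first: a /28 cannot start at an address like 200.15.10.72, so the allocator rounds the cursor up to the next multiple of the subnet size rather than producing an invalid network address.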
Network Topology Diagram
Revisit the network topology diagram again on the next slide
Update the diagram with the IP addressing information for each subnet
Also enter the IP addresses on the router
The default gateway address should be the first available address in each
subnet

174
Network Topology Diagram
[Diagram: New York and Boston routers connected by a point to point link (2 hosts). New York: Sales 14 hosts, Eng 28 hosts. Boston: Sales 7 hosts, Eng 28 hosts.]
We’ve been allocated the Class C network 200.15.10.0/24
175
Network Topology Diagram
[Diagram with addressing: the New York router has .1 on Eng 200.15.10.0/27 and .65 on Sales 200.15.10.64/28; the Boston router has .33 on Eng 200.15.10.32/27 and .81 on Sales 200.15.10.80/28; the point to point link is 200.15.10.96/30 with New York .97 and Boston .98]
176
Subnetting Large Networks
Let’s say we’ve been allocated Class B 135.15.0.0/16
Address:     135.15.0.0 = 10000111.00001111.00000000.00000000
Subnet mask: 255.255.0.0 = 11111111.11111111.00000000.00000000
177
Example 1 – Class B on 4th Octet
Address:     135.15.0.0 = 10000111.00001111.00000000.00000000
Subnet mask: 255.255.255.248 = 11111111.11111111.11111111.11111000
If we subnet this into /29 subnets, we have 3 bits for host addressing.
This allows 6 hosts per network (2^3 - 2), the same as if we used /29
with a Class C address.
Because we were allocated a Class B /16 address range, we have 13
bits for network addresses
This allows 8192 subnets (2^13)
178
Example 1 – Class B on 4th Octet
Address:     135.15.10.138 = 10000111.00001111.00001010.10001010
Subnet mask: 255.255.255.248 = 11111111.11111111.11111111.11111000
For the IP address 135.15.10.138/29, what is the network address,
broadcast address, and range of valid IP addresses?
Pause the video and provide the answer
179
Example 1 – Class B on 4th Octet
Address:     135.15.10.138 = 10000111.00001111.00001010.10001010
Subnet mask: 255.255.255.248 = 11111111.11111111.11111111.11111000
For the IP address 135.15.10.138/29, what is the network address,
broadcast address, and range of valid IP addresses?
The line is after the 8, so the network address goes up in multiples of 8
Network address = 135.15.10.136
Next network address = 135.15.10.144
Broadcast address = 135.15.10.143
Valid host addresses = 135.15.10.137 to 142
180
The Magic Number Method – Example 1
Address:     135.15.10.138 = 10000111.00001111.00001010.10001010
Subnet mask: 255.255.255.248 = 11111111.11111111.11111111.11111000
For the IP address 135.15.10.138/29, what is the network address, broadcast
address, and range of valid IP addresses?
The subnet mask is 255.255.255.248
Subtract the value in the subnetted octet from 256: 256 – 248 = 8
The network address goes up in multiples of 8
Network address = 135.15.10.136
Next network address = 135.15.10.144
Broadcast address = 135.15.10.143
Valid host addresses = 135.15.10.137 to 142
181
Example 2A – Class A on 4th Octet
For this example we’re allocated Class A 60.0.0.0/8
Address:     60.0.0.0 = 00111100.00000000.00000000.00000000
Subnet mask: 255.0.0.0 = 11111111.00000000.00000000.00000000
If we apply the subnet mask 255.255.255.240, how many subnets do
we have and how many hosts per subnet?
Pause the video and calculate the answer
182
Example 2A – Class A on 4th Octet
Address:     60.0.0.0 = 00111100.00000000.00000000.00000000
Subnet mask: 255.255.255.240 = 11111111.11111111.11111111.11110000
255.255.255.240 subnet mask is /28
14 hosts per network (2^4 - 2)
Because we were allocated a Class A /8 address range, we have 20 bits
for network addresses
This allows 1,048,576 subnets (2^20)
183
Example 2B – Class A on 4th Octet
Address:     60.15.10.75 = 00111100.00001111.00001010.01001011
Subnet mask: 255.255.255.240 = 11111111.11111111.11111111.11110000
For the IP address 60.15.10.75/28, what is the network address,
broadcast address, and range of valid IP addresses?
Pause the video and provide the answer
184
Example 2B – Class A on 4th Octet
Address:     60.15.10.75 = 00111100.00001111.00001010.01001011
Subnet mask: 255.255.255.240 = 11111111.11111111.11111111.11110000
For the IP address 60.15.10.75/28, what is the network address,
broadcast address, and range of valid IP addresses?
The line is after the 16, so the network address goes up in multiples of 16
Network address = 60.15.10.64
Next network address = 60.15.10.80
Broadcast address = 60.15.10.79
Valid host addresses = 60.15.10.65 to 78
185
The Magic Number Method – Example 2B
Address:     60.15.10.75 = 00111100.00001111.00001010.01001011
Subnet mask: 255.255.255.240 = 11111111.11111111.11111111.11110000
For the IP address 60.15.10.75/28, what is the network address, broadcast
address, and range of valid IP addresses?
The subnet mask is 255.255.255.240
Subtract the value in the subnetted octet from 256: 256 – 240 = 16
The network address goes up in multiples of 16
Network address = 60.15.10.64
Next network address = 60.15.10.80
Broadcast address = 60.15.10.79
Valid host addresses = 60.15.10.65 to 78
186
Example 3A – Class A on 3rd Octet
For this example we’re allocated Class A 60.0.0.0/8
Address:     60.0.0.0 = 00111100.00000000.00000000.00000000
Subnet mask: 255.0.0.0 = 11111111.00000000.00000000.00000000
If we subnet this into /19 networks, how many subnets do we have
and how many hosts per subnet?
Pause the video and calculate the answer
187
Example 3A – Class A on 3rd Octet

Bit value: 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1
Address:     0  0  1  1 1 1 0 0 |   0  0  0  0 1 1 1 1 |   0  0  0  0 0 0 0 0 |   0  0  0  0 0 0 0 0   (60.15.0.0)
Mask:        1  1  1  1 1 1 1 1 |   1  1  1  1 1 1 1 1 |   1  1  1  0 0 0 0 0 |   0  0  0  0 0 0 0 0   (/19 = 255.255.224.0)

8190 hosts per network (2^13 - 2)
Because we were allocated a Class A /8 address range, we have 11 bits
for network addresses
This allows 2048 subnets (2^11)

188
Example 3B – Class A on 3rd Octet

Bit value: 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1
Address:     0  0  1  1 1 1 0 0 |   0  0  0  0 1 1 1 1 |   0  0  0  0 1 0 1 0 |   0  1  0  0 1 0 1 1   (60.15.10.75)
Mask:        1  1  1  1 1 1 1 1 |   1  1  1  1 1 1 1 1 |   1  1  1  0 0 0 0 0 |   0  0  0  0 0 0 0 0   (/19 = 255.255.224.0)

For the IP address 60.15.10.75/19, what is the network address, broadcast address, and range of valid IP addresses?
Pause the video and provide the answer

189
Example 3B – Class A on 3rd Octet

Bit value: 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1
Address:     0  0  1  1 1 1 0 0 |   0  0  0  0 1 1 1 1 |   0  0  0  0 1 0 1 0 |   0  1  0  0 1 0 1 1   (60.15.10.75)
Mask:        1  1  1  1 1 1 1 1 |   1  1  1  1 1 1 1 1 |   1  1  1  0 0 0 0 0 |   0  0  0  0 0 0 0 0   (/19 = 255.255.224.0)

For the IP address 60.15.10.75/19, what is the network address, broadcast address, and range of valid IP addresses?
We’re subnetting on the third octet
The line is after the 32, so the network address goes up in multiples of 32
Network address = 60.15.0.0
Next network address = 60.15.32.0
Broadcast address = 60.15.31.255
Valid host addresses = 60.15.0.1 to 60.15.31.254
190
The Magic Number Method – Example 3B
Bit value: 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1
Address:     0  0  1  1 1 1 0 0 |   0  0  0  0 1 1 1 1 |   0  0  0  0 1 0 1 0 |   0  1  0  0 1 0 1 1   (60.15.10.75)
Mask:        1  1  1  1 1 1 1 1 |   1  1  1  1 1 1 1 1 |   1  1  1  0 0 0 0 0 |   0  0  0  0 0 0 0 0   (/19 = 255.255.224.0)

For the IP address 60.15.10.75/19, what is the network address, broadcast address, and range of valid IP addresses?
The subnet mask is 255.255.224.0
Subtract the value in the subnetted octet from 256: 256 – 224 = 32
The network address goes up in multiples of 32
Network address = 60.15.0.0
Next network address = 60.15.32.0
Broadcast address = 60.15.31.255
Valid host addresses = 60.15.0.1 to 60.15.31.254
191
Subnetting Large Networks – Example 4
You have been asked to subnet the 134.65.0.0 network into six
different networks.
What subnet mask do you use?
Pause the video and provide the answer

192
Example 4 – Class B on 3rd Octet

Bit value: 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1 | 128 64 32 16 8 4 2 1
Address:     1  0  0  0 0 1 1 0 |   0  1  0  0 0 0 0 1 |   0  0  0  0 0 0 0 0 |   0  0  0  0 0 0 0 0   (134.65.0.0)
Mask:        1  1  1  1 1 1 1 1 |   1  1  1  1 1 1 1 1 |   1  1  1  0 0 0 0 0 |   0  0  0  0 0 0 0 0   (/19 = 255.255.224.0)

134.65.0.0 is a Class B network so we’ll be subnetting on the third octet
to get 6 subnets
3 bits would provide 8 subnets (2^3)
So the answer is /19 or 255.255.224.0
Network addresses would be 134.65.0.0, 134.65.32.0, 134.65.64.0 etc.
8190 hosts in each subnet (2^13 - 2)

193
Subnetting Question Categories
Given a network requirement of ‘x’ amount of subnets and ‘y’ amount
of hosts per subnet, what network address and subnet mask should be
used for each subnet?
Given a particular IP address and subnet mask, calculate:
‒ The subnet’s network address
‒ The broadcast address
‒ The range of valid host IP addresses

194
Subnetting on the 4th Octet – Written Example

“For the IP address 172.19.216.50 255.255.255.240, what is the network address, broadcast
address and range of valid hosts?”

The first thing to figure out is which octet we are subnetting on.

The subnet mask is 255.255.255.240

We can see we are not subnetting on the first 3 octets as the value is 255.

We are subnetting on the 4th octet with a value of 240.

I like to underline the octet I’m working on at this point so that I don’t accidentally confuse the
octets later:

172.19.216.50/28

The 172.19.216 part of the address (the first 3 octets) is never going to change in our example.

Next up let’s figure out the network address.

Write down the 4th octet in binary then add the digits together from the left until they add up to the
‘240’ used in the subnet mask.

4th octet
128 64 32 16 8 4 2 1
  x  x  x  x

128 + 64 = 192

192 + 32 = 224

224 + 16 = 240

The first 4 bits in the 4th octet are being borrowed for the network portion of the address and the
remaining 4 bits are used for the host portion.

195
4th octet
128 64 32 16 8 4 2 1
  x  x  x  x

We can see that the network portion of the address falls on a ‘16’, so the subnets will go up in
multiples (a block size) of 16 on the 4th octet:

172.19.216.0/28

172.19.216.16/28

172.19.216.32/28

172.19.216.48/28

172.19.216.64/28

Etc…

At this point we can see which subnet the IP address in our example is in. 172.19.216.50 falls in the
range between 172.19.216.48 and 172.19.216.64, so it is in the 172.19.216.48 subnet.

(‘50’ is between ‘48’ and ‘64’.)

172.19.216.48/28 is the network address we are working on.

172.19.216.64/28 is the next network address.

Next we figure out the broadcast address. This is one less than the next network address:

172.19.216.63 is the broadcast address.

(‘63’ is one less than ‘64’.)

The last thing to figure out is the range of valid host addresses. This is everything between the
network address and broadcast address.

172.19.216.49 to 172.19.216.62 is the range of valid host addresses.

(‘49’ is one more than the network address of ‘48’, ‘62’ is one less than the broadcast address of
‘63’.)

196
Subnetting on the 3rd Octet – Written Example

“For the IP address 172.19.216.50/23, what is the network address, broadcast address and range
of valid hosts?”

The first thing to figure out is which octet we are subnetting on.

/1 to /8 = 1st octet

/9 to /16 = 2nd octet

/17 to /24 = 3rd octet

/25 to /31 = 4th octet

The example uses /23 so we’re subnetting on the 3rd octet.

I like to underline the octet I’m working on at this point so that I don’t accidentally confuse the
octets later:

172.19.216.50/23

The 172.19. part of the address (the first 2 octets) is never going to change in our example. Values in
the 3rd and 4th octet can change, but the values in the first 2 octets will always remain the same.

Next up let’s figure out the network address.

When the subnet mask is /23, the first 23 bits are used for the network portion of the address and
the remaining 9 bits are used for the host portion.

Write the octets down in binary and then count along 23 bits.

1st octet
128 64 32 16 8 4 2 1
1 2 3 4 5 6 7 8

2nd octet
128 64 32 16 8 4 2 1
9 10 11 12 13 14 15 16

3rd octet
128 64 32 16 8 4 2 1
17 18 19 20 21 22 23

197
We can see that the 23rd bit falls on a ‘2’, so the subnets will go up in multiples (a block size) of 2 on
the 3rd octet:

172.19.0.0/23

172.19.2.0/23

172.19.4.0/23

172.19.6.0/23

Etc…

172.19.216.0/23 is the network address we are working on.

172.19.218.0/23 is the next network address.

Next we figure out the broadcast address. This is one less than the next network address:

172.19.217.255 is the broadcast address.

172.19.217.255 is one less than the next network address of 172.19.218.0

When subnetting on the 3rd octet, remember the broadcast address will be 255 in the 4th octet –
NOT 0 in the 4th octet (this is a common mistake to make). The broadcast address is 172.19.217.255,
not 172.19.217.0.

(172.19.217.0 is actually a valid address in the range which could be assigned to a PC or other host.)

The last thing to figure out is the range of valid host addresses. This is everything between the
network address and broadcast address.

172.19.216.1 to 172.19.217.254 is the range of valid host addresses.

172.19.216.1 is one more than the network address of 172.19.216.0

172.19.217.254 is one less than the broadcast address of 172.19.217.255 (don’t write
172.19.216.254 by mistake.)

198
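The magic-number method from the examples above, carried out in code as an added example (this is not the course's own material). It assumes only that questions arrive in CIDR form; the by-hand result is cross-checked against Python's ipaddress module, and the Example 3A and Example 4 style questions (how many subnets, which mask) are covered too.

```python
"""Magic-number subnetting worked in code (added example, not course material)."""
import ipaddress
from itertools import islice


def prefix_to_mask(prefix: int) -> list[int]:
    """/28 -> [255, 255, 255, 240]."""
    if not 1 <= prefix <= 32:
        raise ValueError("prefix must be /1 to /32")
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return [(bits >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def magic_number(prefix: int) -> tuple[int, int]:
    """(subnetted octet 1-4, block size): /1-/8 work on the 1st octet, /9-/16 on
    the 2nd, /17-/24 on the 3rd, /25-/32 on the 4th; block = 256 - mask octet."""
    octet = (prefix - 1) // 8 + 1
    return octet, 256 - prefix_to_mask(prefix)[octet - 1]


def _to_int(octets: list[int]) -> int:
    return int.from_bytes(bytes(octets), "big")


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def analyse(cidr: str) -> dict:
    """Network, next network, broadcast and host range for 'a.b.c.d/n'."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    octets = [int(o) for o in addr.split(".")]
    octet, block = magic_number(prefix)
    i = octet - 1
    # Octets left of the subnetted one never change. The subnetted octet is
    # rounded down to a multiple of the block size. Octets to its right are
    # 0 in the network address and 255 in the broadcast address.
    net = octets[:i] + [octets[i] - octets[i] % block] + [0] * (3 - i)
    bcast = net[:i] + [net[i] + block - 1] + [255] * (3 - i)
    net_int, bcast_int = _to_int(net), _to_int(bcast)
    result = {
        "mask": ".".join(map(str, prefix_to_mask(prefix))),
        "subnetted_octet": octet,
        "block_size": block,
        "network": _to_str(net_int),
        "broadcast": _to_str(bcast_int),
        # "Next network" is one past the broadcast; there is none at the very
        # top of the address space.
        "next_network": _to_str(bcast_int + 1) if bcast_int < 0xFFFFFFFF else None,
        # /31 and /32 leave no addresses between network and broadcast.
        "hosts": (_to_str(net_int + 1), _to_str(bcast_int - 1)) if prefix <= 30 else None,
    }
    # Cross-check the by-hand method against the standard library.
    lib = ipaddress.ip_network(cidr, strict=False)
    assert (str(lib.network_address), str(lib.broadcast_address)) == (
        result["network"], result["broadcast"])
    return result


def subnet_counts(allocated_prefix: int, new_prefix: int) -> tuple[int, int]:
    """Example 3A style: (subnets, usable hosts) when a /allocated range is
    cut into /new networks."""
    if not allocated_prefix < new_prefix <= 30:
        raise ValueError("new prefix must be longer than the allocation and at most /30")
    return 2 ** (new_prefix - allocated_prefix), 2 ** (32 - new_prefix) - 2


def plan_subnets(base_cidr: str, wanted: int) -> dict:
    """Example 4 style: smallest prefix giving at least `wanted` subnets."""
    base = ipaddress.ip_network(base_cidr, strict=False)
    borrowed = 0
    while 2 ** borrowed < wanted:  # 6 subnets -> borrow 3 bits (8 subnets)
        borrowed += 1
    new_prefix = base.prefixlen + borrowed
    subnets, hosts = subnet_counts(base.prefixlen, new_prefix)
    return {
        "prefix": new_prefix,
        "mask": ".".join(map(str, prefix_to_mask(new_prefix))),
        "subnets": subnets,
        "hosts_per_subnet": hosts,
        "first_networks": [str(n.network_address)
                           for n in islice(base.subnets(new_prefix=new_prefix), 3)],
    }


if __name__ == "__main__":
    for q in ("60.15.10.75/28", "60.15.10.75/19", "172.19.216.50/23"):
        print(q, analyse(q))
    print("60.0.0.0/8 into /19:", subnet_counts(8, 19))  # (2048, 8190)
    print("134.65.0.0/16 into 6:", plan_subnets("134.65.0.0/16", 6))
```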
RFC 1918 Private Addresses
The Internet Engineering Task Force (IETF) documents standards with
RFCs (Requests For Comments)
RFC 1918 specifies private IP address ranges which are not routable on
the public internet

199
RFC 1918 Private Addresses
Sticking with our theme of ‘how IP addressing was meant to work’,
these addresses were originally designed for hosts which should have
no internet connectivity
Public IP addresses cost money.
If an organisation has a part of their network where the hosts need to
communicate with each other over IP, but do not require connectivity
to the Internet, they can assign private IP addresses.

200
RFC 1918 Private Addresses
There is a range of private addresses in each address class.
10.0.0.0 – 10.255.255.255
‒ 10.0.0.0/8
‒ 10.0.0.0 255.0.0.0
172.16.0.0 – 172.31.255.255
‒ 172.16.0.0/12
‒ 172.16.0.0 255.240.0.0
192.168.0.0 – 192.168.255.255
‒ 192.168.0.0/16
‒ 192.168.0.0 255.255.0.0
201
RFC 1918 Example 1

Diagram: Bank A and Bank B are connected via the Internet. Bank A has public 175.11.0.0/24 and private 10.10.10.0/24; Bank B has public 196.14.10.0/24 and private 172.18.5.0/24.
202
RFC 1918 Example 2

Diagram: Bank A and Bank B are connected via the Internet. Bank A has public 175.11.0.0/24 and Bank B has public 196.14.10.0/24, but both use the same private range 192.168.10.0/24 inside. This is not a problem because private addresses are not routable on the public Internet, so the two 192.168.10.0/24 networks never see each other.
203
The IPv4 Global Address Space Problem
The designers of IPv4 did not envision the explosive growth of its use
4.3 billion addresses seemed more than enough
The protocol is not particularly efficient in its use of the available
space, with many addresses being wasted

204
IPv6
The Internet authorities started to predict address exhaustion in the
late 1980’s, and IPv6 was developed in the 90’s as the long term
solution
IPv6 uses a 128 bit address, compared to IPv4’s 32 bit address
IPv6 provides more than 7.9×10^28 times as many addresses as IPv4

205
The IPv6 Problem and NAT
There is not a seamless migration path from IPv4 to IPv6
NAT (Network Address Translation) was implemented as a temporary
workaround to mitigate the lack of IPv4 addresses until organisations
had time to migrate to IPv6
An organisation can use private IP addresses on their inside network,
but still grant their hosts Internet access by translating them to their
outside public IP address
Many hosts on the inside can share a few or a single public IP address
on the outside

206
Private Addresses and NAT

Diagram: Office A and Office B both connect to the Internet. Office A has public 175.11.0.1/28 (14 addresses) and private 192.168.10.0/24 with 200 hosts; Office B has public 196.14.10.25/29 (6 addresses) and private 192.168.10.0/24 with 100 hosts.
207
Today’s Networks
Many industry experts predicted in the early 2000’s that IPv6 would be
ubiquitous within a few years
It hasn’t worked out that way – most enterprises today use RFC 1918
IPv4 addresses with NAT
RFC 1918 has the security benefit of hiding inside hosts by default
(they don’t have a publicly routable IP address), plus network
engineers have more experience with IPv4 than v6

208
Today’s Networks
IPv6 is mostly found in service provider networks, mobile services, and
large countries with later Internet adoption such as India and China
Spare public IPv4 addresses were exhausted in 2011 so IPv6 is still the
future path

209
Today’s Networks
You still need to understand subnetting – modern enterprises subnet
their RFC 1918 addresses to optimise performance and security
You also need to understand and be able to troubleshoot IP

210
Today’s Networks
Because they have the entire private IP address space to work with, it’s
common to see /24 subnets being used for end hosts, /30 for point to
point links, and /32 for loopbacks
Complex VLSM is more common in enterprises which use public IP
addresses on their inside networks and need to maximise their use

211
Contiguous Addresses and Route Summarisation

Diagram: Region A holds 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 ... 10.0.255.0/24 and advertises the single summary 10.0.0.0/16. Region B holds 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 ... 10.1.255.0/24 and advertises the single summary 10.1.0.0/16.
212
Non-Contiguous Addresses

Diagram: Region A holds 10.0.0.0/24, 10.1.0.0/24, 10.0.2.0/24 and 10.1.3.0/24; Region B holds 10.1.0.0/24, 10.0.1.0/24, 10.1.2.0/24 and 10.0.3.0/24. Because the /24s are interleaved between the two regions, neither region can advertise a single summary route (‘Cannot Summarise’).
213
Sites with Free Subnetting Practice Questions

http://www.subnettingquestions.com/

http://www.subnetting.org/

To check your answers, Google for ‘IP Subnet Calculator’

214
Layer 2 – The Data Link Layer
Frames are encoded and decoded into bits at Layer 2.
Error detection and correction for the Physical Layer can be provided
here.
Ethernet is the Layer 2 medium used on Local Area Networks.
https://en.wikipedia.org/wiki/List_of_network_protocols_(OSI_model)

215
OSI Reference Model - Encapsulation
(slides 216 to 221 build this table up one layer at a time, from Layer 7 down to Layer 2)

Sender   Layer   Name           Terminology   Receiver
         7       Application    Data
         6       Presentation
         5       Session
         4       Transport      Segment
         3       Network        Packet
         2       Data-Link      Frame
         1

L2 L3 L4 L5 L6 L7
221
The Ethernet Header

FCS: Frame Check Sequence


222
The Media Access Control MAC Address
Ethernet uses a 48-bit hexadecimal MAC Address.
The first 24 bits are the OUI (Organizationally Unique Identifier), which
uniquely identifies the manufacturer of the Ethernet port. The OUI is
assigned by the IEEE.
The last 24 bits are vendor assigned.
The burned in MAC address on every NIC port in the world is globally
unique.
Example - 00:50:56:C0:00:08
The 48-bit address space contains potentially 2^48, or 281,474,976,710,656,
possible MAC addresses.
223
Layer 1 – The Physical Layer
OSI Layer 1 conveys the bit stream (electrical impulse, light or radio
signals) through the network at the electrical and mechanical level.
It provides the hardware means of sending and receiving data,
including defining cables, interface cards and physical aspects.

224
Layer 1 Connection Types for Ethernet - UTP
Ethernet LAN connections can be carried over coaxial cable (no longer
used), twisted copper pair cable, fiber cable or wireless.
Copper UTP (Unshielded Twisted Pair) cables are commonly used to
connect desktop computers to switches.
Connector type is RJ-45 and maximum length is 100 metres.
https://en.wikipedia.org/wiki/Twisted_pair#Common_types

225
Straight-Through vs Crossover UTP Cable
The receive and transmit wires in a UTP cable can be wired to the RJ-45
connector as either straight-through or crossover.
Straight-through cables are used to connect an end device such as a
PC or router to a switch.
Crossover cables are used to connect devices together directly. They
are most often used to connect two devices of the same type: e.g. two
computers or two switches to each other.
Modern switches support Auto MDI-X where the receive and transmit
signals are reconfigured automatically to yield the expected result.

226
Fiber Cables
Fiber optic cables can be used to support longer distances or higher
bandwidth requirements.
For example between separate buildings in a campus, or for switch to
switch connections inside a building.

227
Single Mode vs Multi Mode Fiber
Single Mode or Multi Mode Fiber can be used.
Single Mode supports higher bandwidth and longer distances but is
more expensive.
https://en.wikipedia.org/wiki/Multi-mode_optical_fiber

228
Fiber Connectors

229
Hubs and Switches
Hubs and switches perform a similar function.
End hosts in a Local Area Network such as PCs, servers and printers
plug into them with an Ethernet cable.
The end hosts can then communicate with each other through the hub
or switch.

230
Hubs and Switches

231
Hubs – Half-Duplex and Shared Collision Domain
Hubs operate in half-duplex mode.
Attached hosts cannot send and receive data at the same time, they
can only do one or the other.
All hosts share the same collision domain – only one device can
transmit at a time.
If two hosts send at the same time a collision will occur.
Hosts use Carrier-Sense Multiple Access with Collision
Detection (CSMA/CD) to detect collisions and resend.

232
Switches – Full-Duplex and Separate Collision Domains

Switches can operate in either full-duplex or half-duplex mode.
In practice they always operate as full-duplex.
Attached hosts can both send and receive data at the same time.
All hosts have their own dedicated collision domain.
Collision Detection is not required.

233
Cisco Device Functions
Layer Name Includes Devices
7 Application
6 Presentation
5 Session
4 Transport TCP/UDP, Port
3 Network IP Address Routers
2 Data-Link Ethernet MAC Address Switches
1 Physical Hubs

234
Hubs operate at OSI Layer 1
Hubs operate at Layer 1 of the OSI model.
They are not MAC address aware.
Whenever a frame is received it is flooded out all ports apart from the
one it was received on.
All attached hosts must process all packets.

235
Switches operate at OSI Layer 2
Switches operate at Layer 2 of the OSI model.
(They also operate at Layer 1.)
They are MAC address aware.

236
Switches operate at OSI Layer 2
Whenever a frame is received the switch will look at the source MAC
address in the Layer 2 Ethernet header.
The learned MAC address will be added to the switch’s MAC address
table, which maps MAC addresses to ports.
If a unicast frame is later received with a known MAC address as the
destination, the switch will send the frame out only the relevant port.
This is better for performance and security as frames only go where
they are required.
Whenever a frame is received for the broadcast address or an
unknown unicast destination (because the switch hasn’t learned the
MAC address yet) it will be flooded out all ports apart from the one it
was received on.
237
Switch Operation

Diagram (slides 238 to 244): one switch with host 1.1.1 on Port 1, host 2.2.2 on Port 2 and host 3.3.3 on Port 3. The MAC address table starts empty.

Slide 238 – MAC address table: empty
Slide 239 – 1.1.1 sends a frame, S: 1.1.1 D: 2.2.2. MAC address table: empty
Slide 240 – The switch learns the source MAC address. MAC address table: Port 1 = 1.1.1
Slide 241 – 2.2.2 is an unknown unicast destination, so the frame is flooded out Ports 2 and 3. MAC address table: Port 1 = 1.1.1
Slide 242 – 2.2.2 replies, S: 2.2.2 D: 1.1.1. MAC address table: Port 1 = 1.1.1
Slide 243 – The switch learns 2.2.2. MAC address table: Port 1 = 1.1.1, Port 2 = 2.2.2
Slide 244 – 1.1.1 is known, so the frame is sent out Port 1 only. MAC address table: Port 1 = 1.1.1, Port 2 = 2.2.2

244
Switch Operation

Diagram (slides 245 to 262): Switch 1 has host 1.1.1 on Port 1 and host 2.2.2 on Port 2; Switch 2 has host 3.3.3 on Port 1 and host 4.4.4 on Port 2. Port 24 on Switch 1 connects to Port 24 on Switch 2. Both MAC address tables start empty.

Slide 245 – Switch 1: empty. Switch 2: empty
Slide 246 – 1.1.1 sends S: 1.1.1 D: 2.2.2. Switch 1: empty. Switch 2: empty
Slide 247 – Switch 1 learns the source. Switch 1: Port 1 = 1.1.1. Switch 2: empty
Slide 248 – 2.2.2 is unknown to Switch 1, so the frame is flooded out Port 2 and Port 24. Switch 1: Port 1 = 1.1.1. Switch 2: empty
Slide 249 – The frame reaches 2.2.2 and, via Port 24, Switch 2. Switch 1: Port 1 = 1.1.1. Switch 2: empty
Slide 250 – Switch 2 learns 1.1.1 on its Port 24 (and, as 2.2.2 is unknown to it, floods the frame to 3.3.3 and 4.4.4). Switch 1: Port 1 = 1.1.1. Switch 2: Port 24 = 1.1.1
Slide 251 – 2.2.2 replies S: 2.2.2 D: 1.1.1. Switch 1: Port 1 = 1.1.1. Switch 2: Port 24 = 1.1.1
Slide 252 – Switch 1 learns 2.2.2. Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2. Switch 2: Port 24 = 1.1.1
Slide 253 – 1.1.1 is known, so Switch 1 forwards out Port 1 only; Switch 2 never sees this frame. Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2. Switch 2: Port 24 = 1.1.1
Slide 254 – 3.3.3 sends S: 3.3.3 D: 2.2.2 into Switch 2 Port 1. Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2. Switch 2: Port 24 = 1.1.1
Slide 255 – Switch 2 learns 3.3.3. Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2. Switch 2: Port 24 = 1.1.1, Port 1 = 3.3.3
Slide 256 – 2.2.2 is unknown to Switch 2, so the frame is flooded out Port 2 and Port 24. Tables unchanged
Slide 257 – Switch 1 learns 3.3.3 on its Port 24. Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2, Port 24 = 3.3.3. Switch 2: Port 24 = 1.1.1, Port 1 = 3.3.3
Slide 258 – 2.2.2 is known to Switch 1, so the frame S: 3.3.3 D: 2.2.2 goes out Port 2 only. Tables unchanged
Slide 259 – 2.2.2 replies S: 2.2.2 D: 3.3.3. Tables unchanged
Slide 260 – Switch 1 knows 3.3.3 is on Port 24 and forwards the frame there only. Tables unchanged
Slide 261 – Switch 2 learns 2.2.2 on its Port 24. Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2, Port 24 = 3.3.3. Switch 2: Port 24 = 1.1.1, Port 1 = 3.3.3, Port 24 = 2.2.2
Slide 262 – 3.3.3 is known on Switch 2 Port 1, so the frame S: 2.2.2 D: 3.3.3 is sent out Port 1 only. Final tables: Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2, Port 24 = 3.3.3. Switch 2: Port 24 = 1.1.1, Port 1 = 3.3.3, Port 24 = 2.2.2

262
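An added simulation, not part of the course slides, of the learning, flooding and forwarding rules described in "Switches operate at OSI Layer 2", replayed over the two-switch topology of the Switch Operation slides (the 1.1.1 / 2.2.2 / 3.3.3 / 4.4.4 labels stand in for full MAC addresses, as on the slides). The Switch and Host classes are my own modelling choices; the log records every learn, flood and forward decision.

```python
"""Switch MAC learning, flooding and forwarding (added simulation, not course material)."""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "FFFF.FFFF.FFFF"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Host:
    mac: str
    switch: object = None          # set by Switch.connect
    port: Optional[int] = None     # set by Switch.connect
    received: list = field(default_factory=list)

    def send(self, dst: str, log: list) -> None:
        self.switch.receive(self.port, Frame(self.mac, dst), log)

    def receive(self, _port, frame: Frame, log: list) -> None:
        # A NIC accepts frames for its own MAC or the broadcast address and
        # drops the rest (which it only sees because a switch had to flood).
        if frame.dst in (self.mac, BROADCAST):
            self.received.append(frame)
            log.append(f"{self.mac} accepted {frame.src}->{frame.dst}")


@dataclass
class Switch:
    name: str
    ports: dict = field(default_factory=dict)      # port -> (neighbour, its port)
    mac_table: dict = field(default_factory=dict)  # MAC -> port it was learned on

    def connect(self, port: int, neighbour, remote_port=None) -> None:
        self.ports[port] = (neighbour, remote_port)
        if isinstance(neighbour, Host):
            neighbour.switch, neighbour.port = self, port

    def receive(self, in_port: int, frame: Frame, log: list) -> None:
        # Learn: the source MAC is reachable through the ingress port. The
        # table is built only from source addresses seen on each port.
        if self.mac_table.get(frame.src) != in_port:
            self.mac_table[frame.src] = in_port
            log.append(f"{self.name} learned {frame.src} on port {in_port}")
        out = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and out is not None:
            if out == in_port:  # destination is on the ingress port: nothing to do
                return
            outs = [out]
            log.append(f"{self.name} forwarded {frame.src}->{frame.dst} out port {out}")
        else:
            # Broadcast or unknown unicast: flood out every port except the ingress one.
            outs = sorted(p for p in self.ports if p != in_port)
            log.append(f"{self.name} flooded {frame.src}->{frame.dst} out ports {outs}")
        for p in outs:
            neighbour, remote_port = self.ports[p]
            neighbour.receive(remote_port, frame, log)


def build_topology():
    """The two-switch diagram: hosts on ports 1 and 2, switches joined on port 24."""
    s1, s2 = Switch("Switch 1"), Switch("Switch 2")
    hosts = {m: Host(m) for m in ("1.1.1", "2.2.2", "3.3.3", "4.4.4")}
    s1.connect(1, hosts["1.1.1"])
    s1.connect(2, hosts["2.2.2"])
    s2.connect(1, hosts["3.3.3"])
    s2.connect(2, hosts["4.4.4"])
    s1.connect(24, s2, 24)
    s2.connect(24, s1, 24)
    return s1, s2, hosts


def replay() -> dict:
    """Replay the conversation from the slides and return the final state."""
    s1, s2, hosts = build_topology()
    log: list = []
    hosts["1.1.1"].send("2.2.2", log)  # unknown: flooded, both switches learn 1.1.1
    hosts["2.2.2"].send("1.1.1", log)  # known on Switch 1: out port 1 only
    hosts["3.3.3"].send("2.2.2", log)  # unknown on Switch 2: flooded to Switch 1
    hosts["2.2.2"].send("3.3.3", log)  # known end to end: unicast only
    return {"switch1": s1, "switch2": s2, "hosts": hosts, "log": log}


if __name__ == "__main__":
    state = replay()
    print(*state["log"], sep="\n")
    print("Switch 1:", state["switch1"].mac_table)
    print("Switch 2:", state["switch2"].mac_table)
```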
Routers
Routers know the paths to get to the different IP subnets on a
network.
They are required to send traffic from one subnet to another.
Routers operate at Layer 3 of the OSI model.
(They also operate at Layers 2 and 1, and will typically have awareness
up to Layer 7.)

263
Routers vs Switches
Routers are Layer 3 aware and can route traffic between different
networks.
Switches are Layer 2 aware and can switch traffic between hosts on
the Local Area Network.
Routers support many types of interfaces, such as Ethernet, Serial,
ISDN, ADSL etc.
Switches typically only support Ethernet interfaces.
Switches will typically have more ports than routers.
Switches forward broadcast traffic, routers do not by default.

264
Switch Operation

Diagram: hosts 10.10.10.10/24, 10.10.10.11/24 and 10.10.10.12/24 are all connected to one switch and are all in the same subnet.
265
Router Operation

Diagram: hosts 10.10.10.10/24 and 10.10.10.11/24 are on one side of a router and 10.10.11.10/24, in a different subnet, is on the other side.
266
Layer 3 Switches
Advanced switches are Layer 3 aware and can route traffic between
different IP subnets.
Layer 3 switches will still typically support only Ethernet interfaces and
will have more ports than routers.

267
Layer 3 Switch Operation

Diagram: hosts 10.10.10.10/24, 10.10.10.11/24 and 10.10.11.10/24 are connected to a Layer 3 Switch, which also connects out to the Wide Area Network.
268
Security

Cisco ASA (Adaptive Security Appliance) Firewalls


Cisco SourceFire FirePower IPS (Intrusion Prevention System)

269
Wireless

Cisco Wireless LAN Controllers


Cisco Wireless Access Points

270
Collaboration

Cisco Unified Communications Manager


Cisco IP Phones
Cisco TelePresence
Cisco WebEx

271
Data Center

Cisco UCS (Unified Computing System)


Cisco Nexus Switches

272
OSI Reference Model - Encapsulation
(slides 273 to 278 build this table up one layer at a time, from Layer 7 down to Layer 3)

Sender   Layer   Name           Includes          Devices   Receiver
         7       Application
         6       Presentation
         5       Session
         4       Transport      TCP/UDP, Port
         3       Network        IP Address        Routers
         2
         1

L3 L4 L5 L6 L7
278
The Domain Name System
The Domain Name System (DNS) resolves a Fully Qualified Domain
Name (FQDN) such as www.cisco.com to an IP address.
Enterprises will typically have an internal DNS server which can resolve
the IP addresses of internal hosts.
Hosts will send their DNS queries to this server.
If the internal DNS server cannot resolve a query, it will forward the
request out to public DNS servers on the Internet.
DNS requests are sent using UDP port 53 (and can fail over to TCP).

279
Router DNS Commands

DNS Client:
ip domain-lookup
ip name-server 172.23.4.1
ip domain-name flackboxA.lab (primary domain name)
ip domain-list flackboxB.lab (additional DNS suffixes to search)

Additional DNS Server Commands:


ip dns server
ip host LinuxA 172.23.4.2

280
OSI Reference Model - Encapsulation
(slides 281 to 287 build this table up one layer at a time, from Layer 7 down to Layer 2)

Sender   Layer   Name           Includes               Devices    Receiver
         7       Application
         6       Presentation
         5       Session
         4       Transport      TCP/UDP, Port
         3       Network        IP Address             Routers
         2       Data-Link      Ethernet MAC Address   Switches
         1

L2 L3 L4 L5 L6 L7
287
IP to MAC Address Resolution
The sender needs to know the receiver’s IP address and MAC address
to form the packet it’s going to send
We can point the sender directly at the destination IP address or at a
user friendly FQDN such as www.cisco.com
DNS (Domain Name System) maintains a mapping of FQDNs to IP
addresses
ARP (Address Resolution Protocol) is used to map an IP address to a
MAC address

288
ARP Address Resolution Protocol

Sender (Port 1)                      Receiver (Port 2)
IP Address: 172.23.4.1               IP Address: 172.23.4.2
Subnet Mask: 255.255.255.0           Subnet Mask: 255.255.255.0
MAC: 1111.2222.3333                  MAC: 2222.3333.4444

ARP Request (Sender to Receiver): ‘I’m looking for 172.23.4.2, What’s your MAC address?’
Src MAC: 1111.2222.3333
Dst MAC: FFFF.FFFF.FFFF

ARP Reply (Receiver to Sender): ‘I’m 172.23.4.2, Here’s my MAC address’
Src MAC: 2222.3333.4444
Dst MAC: 1111.2222.3333
289
Host ARP Commands

ARP replies are saved in a host’s ARP cache so it doesn’t need to send
an ARP request every time it wants to communicate

Windows
View ARP cache: arp -a
Clear ARP cache: netsh interface ip delete arpcache

Linux
View ARP cache: arp -n
Clear ARP cache: ip -s -s neigh flush all
290
Routed Traffic

When the sender and receiver are on different IP subnets, the traffic
must be forwarded by a router
In the following example, 172.23.4.1/24 wants to send a packet to
192.168.10.1/24

291
Routing Traffic

Sender                          ROUTER                                           Receiver
IP Address: 172.23.4.1          IP Address: 172.23.4.254 (sender’s subnet)       IP Address: 192.168.10.1
Subnet Mask: 255.255.255.0      MAC: 4444.5555.6666                              Subnet Mask: 255.255.255.0
DG: 172.23.4.254                IP Address: 192.168.10.254 (receiver’s subnet)   DG: 192.168.10.254
MAC: 1111.2222.3333             MAC: 4444.5555.7777                              MAC: 2222.3333.4444

292
Routing Traffic

Step 1 – The sender ARPs for its default gateway, not for the receiver:
ARP Request for 172.23.4.254
Src MAC: 1111.2222.3333
Dst MAC: FFFF.FFFF.FFFF

ARP Reply
Src MAC: 4444.5555.6666
Dst MAC: 1111.2222.3333

293
Routing Traffic

Step 2 – The sender sends the packet to the router’s MAC address:
IP Packet
Src IP: 172.23.4.1
Dst IP: 192.168.10.1
Src MAC: 1111.2222.3333
Dst MAC: 4444.5555.6666

294
Routing Traffic

Step 3 – The router ARPs for the receiver on its other interface:
ARP Request for 192.168.10.1
Src MAC: 4444.5555.7777
Dst MAC: FFFF.FFFF.FFFF

ARP Reply
Src MAC: 2222.3333.4444
Dst MAC: 4444.5555.7777
295
Routing Traffic

Step 4 – The router forwards the packet; the IP addresses are unchanged, the MAC addresses are rewritten:
IP Packet
Src IP: 172.23.4.1
Dst IP: 192.168.10.1
Src MAC: 4444.5555.7777
Dst MAC: 2222.3333.4444

296
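The Routing Traffic exchange above, replayed as an added simulation that is not part of the course slides. It uses the slides' own addresses; the Segment class stands in for the switch on each subnet, and the Host and Router classes are assumed, simplified models (directly connected routes only). A second packet shows both ARP caches being used instead of a fresh ARP exchange.

```python
"""ARP plus routed traffic between two subnets (added simulation, not course material)."""
import ipaddress

BROADCAST = "FFFF.FFFF.FFFF"


def same_subnet(ip: str, mask: str, other: str) -> bool:
    """The local-or-remote test: is `other` inside the network of ip/mask?"""
    return ipaddress.ip_address(other) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)


class Segment:
    """One Layer 2 broadcast domain (the switch on each subnet in the slides)."""

    def __init__(self):
        self.nodes = []  # (ip, mac, owner) per attached interface

    def attach(self, ip, mac, owner):
        self.nodes.append((ip, mac, owner))

    def arp(self, asker_mac: str, target_ip: str, log: list) -> str:
        """Broadcast a request; the interface owning target_ip replies unicast."""
        log.append({"type": "ARP Request", "for": target_ip,
                    "src_mac": asker_mac, "dst_mac": BROADCAST})
        for ip, mac, _ in self.nodes:
            if ip == target_ip:
                log.append({"type": "ARP Reply", "src_mac": mac, "dst_mac": asker_mac})
                return mac
        raise LookupError(f"nobody on this segment owns {target_ip}")

    def deliver(self, frame: dict, log: list) -> None:
        for _, mac, owner in self.nodes:
            if mac == frame["dst_mac"]:
                owner.receive(frame, log)


class Host:
    def __init__(self, ip, mask, dg, mac, segment):
        self.ip, self.mask, self.dg, self.mac, self.segment = ip, mask, dg, mac, segment
        self.arp_cache, self.received = {}, []
        segment.attach(ip, mac, self)

    def send(self, dst_ip: str, log: list) -> None:
        # Local destination: ARP for the host itself. Remote: ARP for the default gateway.
        next_hop = dst_ip if same_subnet(self.ip, self.mask, dst_ip) else self.dg
        if next_hop not in self.arp_cache:  # a cache hit skips the ARP exchange
            self.arp_cache[next_hop] = self.segment.arp(self.mac, next_hop, log)
        frame = {"type": "IP Packet", "src_ip": self.ip, "dst_ip": dst_ip,
                 "src_mac": self.mac, "dst_mac": self.arp_cache[next_hop]}
        log.append(frame)
        self.segment.deliver(frame, log)

    def receive(self, frame: dict, log: list) -> None:
        if frame["dst_ip"] == self.ip:
            self.received.append(frame)


class Router:
    def __init__(self):
        self.interfaces, self.arp_cache = [], {}  # interfaces: (ip, mask, mac, segment)

    def add_interface(self, ip, mask, mac, segment):
        self.interfaces.append((ip, mask, mac, segment))
        segment.attach(ip, mac, self)

    def receive(self, frame: dict, log: list) -> None:
        # Route lookup over directly connected subnets only.
        for ip, mask, mac, segment in self.interfaces:
            if same_subnet(ip, mask, frame["dst_ip"]):
                break
        else:
            raise LookupError(f"no route to {frame['dst_ip']}")
        dst_ip = frame["dst_ip"]
        if dst_ip not in self.arp_cache:
            self.arp_cache[dst_ip] = segment.arp(mac, dst_ip, log)
        # The IP addresses are untouched; only the Layer 2 header is rewritten.
        out = dict(frame, src_mac=mac, dst_mac=self.arp_cache[dst_ip])
        log.append(out)
        segment.deliver(out, log)


def replay() -> dict:
    """Rebuild the slides' topology and send two packets from sender to receiver."""
    lan_a, lan_b = Segment(), Segment()
    router = Router()
    router.add_interface("172.23.4.254", "255.255.255.0", "4444.5555.6666", lan_a)
    router.add_interface("192.168.10.254", "255.255.255.0", "4444.5555.7777", lan_b)
    sender = Host("172.23.4.1", "255.255.255.0", "172.23.4.254", "1111.2222.3333", lan_a)
    receiver = Host("192.168.10.1", "255.255.255.0", "192.168.10.254", "2222.3333.4444", lan_b)
    log: list = []
    sender.send(receiver.ip, log)  # first packet: an ARP exchange on each segment
    sender.send(receiver.ip, log)  # second packet: both ARP caches hit, no ARP
    return {"log": log, "sender": sender, "router": router, "receiver": receiver}


if __name__ == "__main__":
    for msg in replay()["log"]:
        print(msg)
```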
Router ARP Commands

View ARP cache: show arp


Clear ARP cache: clear arp-cache

297
The Life of a Packet

Diagram: Host A (IP Address 10.10.10.10/24, DG 10.10.10.1, MAC 1111.2222.3333) connects to Router A, whose interfaces are 10.10.10.1 (MAC 4444.5555.6666) and 10.10.11.1 (MAC 5555.6666.7777). Router A connects to Router B, whose interfaces are 10.10.11.2 (MAC 6666.7777.8888) and 10.10.12.1 (MAC 7777.8888.9999). www.flackbox.com (IP Address 10.10.12.10/24, DG 10.10.12.1, MAC 2222.3333.4444) sits behind Router B. A further router interface, 10.10.100.1 (MAC 8888.9999.AAAA), serves the DNS Server (IP Address 10.10.100.10/24, DG 10.10.100.1, MAC 3333.4444.5555).

298
OSI Reference Model - Encapsulation
(slides 299 to 304 build this table up one layer at a time, from Layer 7 down to Layer 3)

Sender   Layer   Name           Includes             Receiver
         7       Application
         6       Presentation
         5       Session
         4       Transport      TCP, Dst. Port 80
         3       Network        IP Address?
         2
         1

L3 L4 L5 L6 L7
304
The Life of a Packet
Host A (10.10.10.10/24) wants to send a packet to the FQDN
www.flackbox.com, but it doesn’t know the destination IP address
It will hold the packet and send a DNS request to its DNS server at
10.10.100.10
Host A compares its IP address and subnet mask to the destination
address of the DNS server and sees it is on a different subnet, so the
DNS request needs to be sent via its default gateway
Host A will hold the DNS request and send a broadcast ARP request for
its default gateway at 10.10.10.1

305
The Life of a Packet
[Diagram: the slide 298 topology, with Host A additionally labelled ‘DNS: 10.10.100.1’. ARP Request from 10.10.10.10: ‘I’m looking for 10.10.10.1, What’s your MAC address?’ Src MAC 1111.2222.3333, Dst MAC FFFF.FFFF.FFFF]

306
The Life of a Packet
The ARP request will be received by Switch 1
Switch 1 will add an entry in its MAC address table mapping Host A’s
MAC address 1111.2222.3333 to Port 1
Switch 1 will flood the broadcast traffic out all ports apart from the
one it was received on

307
The Life of a Packet
[Diagram: the same topology; repeat of the ARP Request from 10.10.10.10: ‘I’m looking for 10.10.10.1, What’s your MAC address?’ Src MAC 1111.2222.3333, Dst MAC FFFF.FFFF.FFFF]

308
The Life of a Packet
The ARP request will hit Router A’s interface 10.10.10.1
Router A will process the ARP request and see it is for itself
Router A will send a unicast ARP reply to Host A
Router A will add an entry for Host A mapping IP address 10.10.10.10
to MAC address 1111.2222.3333 to its ARP cache

309
The Life of a Packet
[Diagram: the same topology. ARP Reply: ‘I’m 10.10.10.1, Here’s my MAC address’ Src MAC 4444.5555.6666, Dst MAC 1111.2222.3333]

310
The Life of a Packet
Switch 1 will add an entry in its MAC address table mapping Router A’s
MAC address 4444.5555.6666 to Port 2
Switch 1 will send the ARP reply out only Port 1 which Host A is
plugged into (which it already has in its MAC address table)

311
The Life of a Packet
[Diagram: the same topology; repeat of the ARP Reply: ‘I’m 10.10.10.1, Here’s my MAC address’ Src MAC 4444.5555.6666, Dst MAC 1111.2222.3333]

312
The Life of a Packet
Host A will add an entry for Router A mapping IP address 10.10.10.1 to
MAC address 4444.5555.6666 to its ARP cache
It will use this whenever it needs to send traffic to another IP subnet
Host A will send the DNS request for www.flackbox.com

313
The Life of a Packet
[Diagram: the same topology. DNS Request: ‘Tell me the IP address of www.flackbox.com’ Src MAC 1111.2222.3333, Dst MAC 4444.5555.6666, Src IP 10.10.10.10, Dst IP 10.10.100.10]

314
The Life of a Packet
Switch 1 will send the DNS request out only Port 2 which Router A is
plugged into (which it already has in its MAC address table)

315
The Life of a Packet
[Diagram: the same topology; repeat of the DNS Request: ‘Tell me the IP address of www.flackbox.com’ Src MAC 1111.2222.3333, Dst MAC 4444.5555.6666, Src IP 10.10.10.10, Dst IP 10.10.100.10]

316
The Life of a Packet
Router A will receive the DNS request packet and see that the
destination IP address is 10.10.100.10
Router A has an interface in the subnet 10.10.100.0/24, so it knows
the destination should be available out that port
It doesn’t know the MAC address of 10.10.100.10 so it will hold the
DNS request packet and send an ARP request out of the 10.10.100.1
interface

317
The Life of a Packet
[Diagram: the same topology. ARP Request from 10.10.100.1: ‘I’m looking for 10.10.100.10, What’s your MAC address?’ Src MAC 8888.9999.AAAA, Dst MAC FFFF.FFFF.FFFF]

318
The Life of a Packet
The ARP request will be received by Switch 3
Switch 3 will add an entry in its MAC address table mapping Router A’s
MAC address 8888.9999.AAAA to Port 1
Switch 3 will flood the broadcast traffic out all ports apart from the
one it was received on

319
The Life of a Packet
[Diagram: the same topology; repeat of the ARP Request from 10.10.100.1: ‘I’m looking for 10.10.100.10, What’s your MAC address?’ Src MAC 8888.9999.AAAA, Dst MAC FFFF.FFFF.FFFF]

320
The Life of a Packet
The ARP request will hit the DNS Server’s interface 10.10.100.10
The DNS Server will process the ARP request and see it is for itself
The DNS Server will send a unicast ARP reply to Router A
The DNS Server will add an entry for Router A mapping IP address
10.10.100.1 to MAC address 8888.9999.AAAA to its ARP cache
It will use this whenever it needs to send traffic to another IP subnet

321
The Life of a Packet
[Diagram: the same topology. ARP Reply: ‘I’m 10.10.100.10, Here’s my MAC address’ Src MAC 3333.4444.5555, Dst MAC 8888.9999.AAAA]

322
The Life of a Packet
Switch 3 will add an entry in its MAC address table mapping the DNS
Server’s MAC address 3333.4444.5555 to Port 2
Switch 3 will send the ARP reply out only Port 1 which Router A is
plugged into (which it already has in its MAC address table)

323
The Life of a Packet
[Diagram: the same topology; repeat of the ARP Reply: ‘I’m 10.10.100.10, Here’s my MAC address’ Src MAC 3333.4444.5555, Dst MAC 8888.9999.AAAA]

324
The Life of a Packet
Router A will add an entry for the DNS Server mapping IP address
10.10.100.10 to MAC address 3333.4444.5555 to its ARP cache
Router A will send the DNS request it was holding to the DNS Server

325
The Life of a Packet
The source and destination MAC addresses of a packet are updated
hop by hop; the source and destination IP addresses always remain
unchanged end to end
The source and destination MAC addresses will be updated to come
from Router A and go to the DNS Server
The source and destination IP addresses are still Host A 10.10.10.10
and the DNS Server 10.10.100.10

326
The Life of a Packet
[Diagram: the same topology. DNS Request: ‘Tell me the IP address of www.flackbox.com’ Src MAC 8888.9999.AAAA, Dst MAC 3333.4444.5555, Src IP 10.10.10.10, Dst IP 10.10.100.10]

327
The Life of a Packet
Switch 3 will send the ARP reply out only Port 2 which the DNS Server
is plugged into (which it already has in its MAC address table)

328
The Life of a Packet
[Diagram: the same topology; repeat of the DNS Request: ‘Tell me the IP address of www.flackbox.com’ Src MAC 8888.9999.AAAA, Dst MAC 3333.4444.5555, Src IP 10.10.10.10, Dst IP 10.10.100.10]

329
The Life of a Packet
The DNS Server will receive the DNS request packet and see that the
destination is itself

330
OSI Reference Model – De-encapsulation

The receiver (the DNS Server) strips the headers from Layer 2 up (L2 L3 L4 L5 L6 L7, then L3 L4 L5 L6 L7, L4 L5 L6 L7, L5 L6 L7, L6 L7, L7):

Layer Name Includes
7 Application
6 Presentation
5 Session
4 Transport UDP Port 53
3 Network Dst: 10.10.100.10
2 Data-Link Dst: 3333.4444.5555
1 Physical

331-337
The Life of a Packet
The DNS Server will look in its DNS database and see an Address
record for www.flackbox.com at 10.10.12.10
It will send this information to Host A in a DNS response
It knows to send the response to 10.10.10.10 from the source IP
address in the DNS request
It knows to send it via Router A because the destination is in another
subnet
It already has Router A’s MAC address in its ARP cache

338
The Life of a Packet
[Diagram: the same topology. DNS Reply: ‘www.flackbox.com is at 10.10.12.10’ Src MAC 3333.4444.5555, Dst MAC 8888.9999.AAAA, Src IP 10.10.100.10, Dst IP 10.10.10.10]

339
The Life of a Packet
Switch 3 will receive the DNS response and send it out only Port 1
which Router A is plugged into (which it already has in its MAC address
table)

340
The Life of a Packet
[Diagram: the same topology; repeat of the DNS Reply: ‘www.flackbox.com is at 10.10.12.10’ Src MAC 3333.4444.5555, Dst MAC 8888.9999.AAAA, Src IP 10.10.100.10, Dst IP 10.10.10.10]

341
The Life of a Packet
Router A will receive the DNS response packet and see that the
destination IP address is 10.10.10.10
Router A has an interface in the subnet 10.10.10.0/24, so it knows the
destination is available out that port
Router A already has the MAC address for 10.10.10.10 in its ARP cache

342
The Life of a Packet
[Diagram: the same topology. DNS Reply: ‘www.flackbox.com is at 10.10.12.10’ Src MAC 4444.5555.6666, Dst MAC 1111.2222.3333, Src IP 10.10.100.10, Dst IP 10.10.10.10]

343
The Life of a Packet
Switch 1 will receive the DNS response and send it out only Port 1
which Host A is plugged into (which it already has in its MAC address
table)

344
The Life of a Packet
[Diagram: the same topology; repeat of the DNS Reply: ‘www.flackbox.com is at 10.10.12.10’ Src MAC 4444.5555.6666, Dst MAC 1111.2222.3333, Src IP 10.10.100.10, Dst IP 10.10.10.10]

345
The Life of a Packet
Host A learns that www.flackbox.com is available at 10.10.12.10
It can now update the packet it was waiting to send to
www.flackbox.com with that destination IP address
Host A sees that www.flackbox.com is not on its own subnet so it
knows any packets it sends there must go via its default gateway

346
OSI Reference Model - Encapsulation

Host A can now complete the lower layers (L3 L4 L5 L6 L7, then L2 L3 L4 L5 L6 L7):

Layer Name Includes
7 Application
6 Presentation
5 Session
4 Transport TCP, Dst. Port 80
3 Network Dst: 10.10.12.10 (previously ‘IP Address?’)
2 Data-Link Dst: 4444.5555.6666
1 Physical

347-350
The Life of a Packet
[Diagram: the same topology. HTTP Get Request: Src MAC 1111.2222.3333, Dst MAC 4444.5555.6666, Src IP 10.10.10.10, Dst IP 10.10.12.10]

351
The Life of a Packet
Switch 1 will send the packet to Router A which it already has in its
MAC address table

352
The Life of a Packet
[Diagram: the same topology; repeat of the HTTP Get Request: Src MAC 1111.2222.3333, Dst MAC 4444.5555.6666, Src IP 10.10.10.10, Dst IP 10.10.12.10]

353
The Life of a Packet
Router A will receive the packet with destination IP address
10.10.12.10
Router A does not have any interfaces in the 10.10.12.0/24 subnet
In this case it will need a route to get there
The route can be either statically configured by an administrator or
learned dynamically through a routing protocol

354
The Life of a Packet
In this example the administrator has configured a static route for
10.10.12.0/24 with the next hop address 10.10.11.2
Router A has an Ethernet interface in the 10.10.11.0 subnet
It doesn’t know the MAC address for the next hop address 10.10.11.2
yet
It will hold the HTTP packet and send an ARP request for 10.10.11.2

355
The Life of a Packet
[Diagram: the same topology. ARP Request from 10.10.11.1: ‘I’m looking for 10.10.11.2, What’s your MAC address?’ Src MAC 5555.6666.7777, Dst MAC FFFF.FFFF.FFFF]

356
The Life of a Packet
The ARP request will hit Router B’s interface 10.10.11.2
Router B will process the ARP request and see it is for itself
Router B will send a unicast ARP reply to Router A
Router B will add an entry for Router A mapping IP address 10.10.11.1
to MAC address 5555.6666.7777 to its ARP cache

357
The Life of a Packet
[Diagram: the same topology. ARP Reply: ‘I’m 10.10.11.2, Here’s my MAC address’ Src MAC 6666.7777.8888, Dst MAC 5555.6666.7777]

358
The Life of a Packet
Router A will forward the HTTP packet it was holding to Router B

359
The Life of a Packet
[Diagram: the same topology. HTTP Get Request: Src MAC 5555.6666.7777, Dst MAC 6666.7777.8888, Src IP 10.10.10.10, Dst IP 10.10.12.10]

360
The Life of a Packet
Router B will receive the HTTP packet and see that the destination IP
address is 10.10.12.10
Router B has an interface in the subnet 10.10.12.0/24, so it knows the
destination should be available out that port
It doesn’t know the MAC address of 10.10.12.10 so it will hold the
HTTP packet and send an ARP request out of the 10.10.12.1 interface

361
The Life of a Packet
[Diagram: the same topology. ARP Request from 10.10.12.1: ‘I’m looking for 10.10.12.10, What’s your MAC address?’ Src MAC 7777.8888.9999, Dst MAC FFFF.FFFF.FFFF]

362
The Life of a Packet
The ARP request will be received by Switch 2
Switch 2 will add an entry in its MAC address table mapping Router B’s
MAC address 7777.8888.9999 to Port 1
Switch 2 will flood the broadcast traffic out all ports apart from the
one it was received on

363
The Life of a Packet
[Diagram: the same topology; repeat of the ARP Request from 10.10.12.1: ‘I’m looking for 10.10.12.10, What’s your MAC address?’ Src MAC 7777.8888.9999, Dst MAC FFFF.FFFF.FFFF]

364
The Life of a Packet
The ARP request will hit the Web Server’s interface 10.10.12.10
The Web Server will process the ARP request and see it is for itself
The Web Server will send a unicast ARP reply to Router B
The Web Server will add an entry for Router B mapping IP address
10.10.12.1 to MAC address 7777.8888.9999 to its ARP cache
It will use this whenever it needs to send traffic to another IP subnet

365
The Life of a Packet
[Diagram: the same topology. ARP Reply: ‘I’m 10.10.12.10, Here’s my MAC address’ Src MAC 2222.3333.4444, Dst MAC 7777.8888.9999]

366
The Life of a Packet
Switch 2 will add an entry in its MAC address table mapping the Web
Server’s MAC address 2222.3333.4444 to Port 2
Switch 2 will send the ARP reply out only Port 1 which Router B is
plugged into (which it already has in its MAC address table)

367
The Life of a Packet
[Diagram: the same topology; repeat of the ARP Reply: ‘I’m 10.10.12.10, Here’s my MAC address’ Src MAC 2222.3333.4444, Dst MAC 7777.8888.9999]

368
The Life of a Packet
Router B will add an entry for the Web Server mapping IP address
10.10.12.10 to MAC address 2222.3333.4444 to its ARP cache
Router B will send the HTTP request it was holding to the Web Server

369
The Life of a Packet
[Diagram: the same topology. HTTP Get Request: Src MAC 7777.8888.9999, Dst MAC 2222.3333.4444, Src IP 10.10.10.10, Dst IP 10.10.12.10]

370
The Life of a Packet
Switch 2 will send the HTTP request out only Port 2 which the Web
Server is plugged into (which it already has in its MAC address table)

371
The Life of a Packet
[Diagram: the same topology; repeat of the HTTP Get Request: Src MAC 7777.8888.9999, Dst MAC 2222.3333.4444, Src IP 10.10.10.10, Dst IP 10.10.12.10]

372
OSI Reference Model – De-encapsulation

The receiver (the Web Server) strips the headers from Layer 2 up (L2 L3 L4 L5 L6 L7, then L3 L4 L5 L6 L7, L4 L5 L6 L7, L5 L6 L7, L6 L7, L7):

Layer Name Includes
7 Application
6 Presentation
5 Session
4 Transport TCP Port 80
3 Network Dst: 10.10.12.10
2 Data-Link Dst: 2222.3333.4444
1 Physical

373-379
The Life of a Packet
The ARP caches and MAC address tables are already built, so subsequent
packets in either direction will flow without any need for ARP requests
or switch flooding

380
The Life of a Packet
[Diagram: the same topology. Subsequent HTTP Get Request, first hop: Src MAC 1111.2222.3333, Dst MAC 4444.5555.6666, Src IP 10.10.10.10, Dst IP 10.10.12.10]

381
The Life of a Packet
[Diagram: the same topology. Subsequent HTTP Get Request, second hop: Src MAC 5555.6666.7777, Dst MAC 6666.7777.8888, Src IP 10.10.10.10, Dst IP 10.10.12.10]

382
The Life of a Packet
[Diagram: the same topology. Subsequent HTTP Get Request, third hop: Src MAC 7777.8888.9999, Dst MAC 2222.3333.4444, Src IP 10.10.10.10, Dst IP 10.10.12.10]

383
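The walk above can be reproduced in code. The following is an added Python example, not part of the course or Flackbox's material: it models the subnet comparison Host A makes (slide 305), switch MAC-table learning and flooding (slide 307), the ARP request/reply that fills both ends' caches (slides 309 to 313), the static route on Router A (slides 354 and 355), the hop-by-hop MAC rewrite with unchanged IP addresses (slide 326) and the final observation that later packets need no ARP or flooding (slide 380). Addresses, MACs and switch ports are the slides' values; the return route on Router B (10.10.10.0/24 via 10.10.11.1) and the one-switch-per-subnet model are constructed assumptions so that the reply direction can be simulated.

```python
"""Hop-by-hop walk of a packet across the course topology (added example).

Not course code. Addresses and MACs follow the slides; Router B's return
route and the one-switch-per-subnet model are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "FFFF.FFFF.FFFF"


@dataclass
class Iface:
    ip: str
    mac: str
    prefix: int = 24

    def network(self):
        return ipaddress.ip_network(f"{self.ip}/{self.prefix}", strict=False)


@dataclass
class Node:
    name: str
    ifaces: list
    gateway: str = None                          # default gateway (end hosts)
    routes: dict = field(default_factory=dict)   # prefix -> next-hop IP (routers)
    arp: dict = field(default_factory=dict)      # ARP cache: IP -> MAC

    def iface_for(self, ip):
        """Interface directly connected to ip's subnet, or None."""
        addr = ipaddress.ip_address(ip)
        return next((i for i in self.ifaces if addr in i.network()), None)

    def next_hop(self, dst_ip):
        """Egress interface and the IP whose MAC the frame is addressed to."""
        local = self.iface_for(dst_ip)
        if local:                                 # same subnet: send directly
            return local, dst_ip
        for prefix, nh in self.routes.items():    # static route (Router A's case)
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(prefix):
                return self.iface_for(nh), nh
        if self.gateway:                          # hosts send the rest to the DG
            return self.iface_for(self.gateway), self.gateway
        raise LookupError(f"{self.name}: no route to {dst_ip}")


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.by_ip = {i.ip: (n, i) for n in nodes for i in n.ifaces}
        self.mac_tables = {}    # one switch per subnet: subnet -> {MAC: node name}
        self.arp_requests = 0
        self.floods = 0
        self.log = []

    def switch(self, iface, src_mac, dst_mac, sender):
        """Switch on iface's segment learns the src MAC, floods unknown/broadcast."""
        table = self.mac_tables.setdefault(str(iface.network()), {})
        table[src_mac] = sender.name              # the "port" is the attached node
        if dst_mac == BROADCAST or dst_mac not in table:
            self.floods += 1
            self.log.append(f"{iface.network()}: flood {src_mac} -> {dst_mac}")
        else:
            self.log.append(f"{iface.network()}: forward to {table[dst_mac]}")

    def resolve(self, node, iface, target_ip):
        """Return target's MAC, sending an ARP request only on a cache miss."""
        if target_ip not in node.arp:
            self.arp_requests += 1
            self.switch(iface, iface.mac, BROADCAST, node)       # broadcast request
            target, tiface = self.by_ip[target_ip]
            target.arp[iface.ip] = iface.mac                     # target learns asker
            self.switch(tiface, tiface.mac, iface.mac, target)   # unicast reply
            node.arp[target_ip] = tiface.mac
        return node.arp[target_ip]

    def send(self, src_name, dst_ip):
        """Frames the packet wears at each hop: (src MAC, dst MAC, src IP, dst IP)."""
        node = self.nodes[src_name]
        src_ip = node.ifaces[0].ip
        frames = []
        while True:
            iface, hop_ip = node.next_hop(dst_ip)
            dst_mac = self.resolve(node, iface, hop_ip)
            frames.append((iface.mac, dst_mac, src_ip, dst_ip))   # IPs never change
            self.switch(iface, iface.mac, dst_mac, node)
            if hop_ip == dst_ip:
                return frames
            node, _ = self.by_ip[hop_ip]                        # next router takes over


def build_topology():
    return Network([
        Node("Host A", [Iface("10.10.10.10", "1111.2222.3333")], gateway="10.10.10.1"),
        Node("Router A", [Iface("10.10.10.1", "4444.5555.6666"),
                          Iface("10.10.11.1", "5555.6666.7777"),
                          Iface("10.10.100.1", "8888.9999.AAAA")],
             routes={"10.10.12.0/24": "10.10.11.2"}),
        Node("Router B", [Iface("10.10.11.2", "6666.7777.8888"),
                          Iface("10.10.12.1", "7777.8888.9999")],
             routes={"10.10.10.0/24": "10.10.11.1"}),     # assumed return route
        Node("www.flackbox.com", [Iface("10.10.12.10", "2222.3333.4444")], gateway="10.10.12.1"),
        Node("DNS Server", [Iface("10.10.100.10", "3333.4444.5555")], gateway="10.10.100.1"),
    ])


if __name__ == "__main__":
    net = build_topology()
    for hop in net.send("Host A", "10.10.100.10"):     # DNS request: two hops
        print(hop)
    net.send("DNS Server", "10.10.10.10")                # DNS reply: caches already warm
    net.send("Host A", "10.10.12.10")                    # HTTP GET: three hops
    print("\n".join(net.log))
```

Running it prints the two frames of the DNS request with the MAC pair changing at Router A while the IP pair stays 10.10.10.10 to 10.10.100.10, and the log shows exactly one flood per segment the first time a device is looked up and forwards only after that. Sending the HTTP GET a second time adds no ARP requests and no floods, which is the point of slide 380.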
The Cisco Troubleshooting Methodology
Define Problem

Gather Information

Analyze Information

Eliminate Potential Causes

Propose Hypothesis

Test Hypothesis

Solve Problem and Document Solution


384
Troubleshooting Methods

Three methods, each shown against the OSI layers: Top Down, Bottom Up, Divide and Conquer

Layer Name
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data-Link
1 Physical

385
Troubleshooting Methods

Compare configurations
Trace the path
Swap out components

386
Connectivity Troubleshooting Methods

Ping
Traceroute
Telnet

387
388
Router IP Addresses
A router provides connectivity between different IP subnets
An IP address must be configured on the interfaces in each subnet
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
no shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no shutdown

[Diagram: router with FastEthernet0/1 192.168.1.1/24 on one side and FastEthernet0/0 192.168.0.1/24 on the other]

389
Switch Management IP Address

A Layer 2 Switch is not IP routing aware.
It does however support a single IP address for management.
The IP address and subnet mask are configured on the Switched Virtual
Interface (SVI) for the default VLAN 1
A default gateway also needs to be configured to allow connectivity to
other subnets

390
Management IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.0.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.0.1

Additional commands need to be entered to allow Telnet or SSH (Secure Shell) access; we'll cover these in the 'Securing Cisco Devices' section.
Telnet sends the login credentials and the whole session in cleartext, so use SSH for management access wherever the device supports it.

391
Lab Example

[Diagram: SW1 (VLAN 1 SVI 192.168.0.10) is in the LAN attached to R1's FE0/0 (192.168.0.1); R1's FE0/1 connects to another network]

392
Hostname

A descriptive hostname makes it easier to identify the device, e.g. NY-F1-SW1

Switch(config)# hostname SW1
SW1(config)#

393
Interface Descriptions

Interface descriptions can aid troubleshooting

SW1(config)# interface FastEthernet 0/1
SW1(config-if)# description Link to R1

394
Interface Speed and Duplex

Interface speed and duplex are set to 'auto' by default
Both sides of a link should auto-negotiate to full duplex and the fastest available speed
Best practice is to manually set the speed and duplex on ports which are connected to another network infrastructure device or server
It is very important to set matching speed and duplex settings on both sides of the link

395
Interface Speed and Duplex

SW1(config)# interface FastEthernet 0/1


SW1(config-if)# duplex full
SW1(config-if)# speed 100

396
Verification Commands

SW1# show running-config


SW1# show ip interface brief
SW1# show run interface vlan 1
SW1# show interface vlan 1
SW1# show version

397
CDP Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol.
It is used to share information with other directly connected Cisco equipment, such as the operating system version and IP address.
This aids in troubleshooting by allowing administrators to map out how Cisco devices are connected to each other.
It is enabled by default on most Cisco equipment.
It works at Layer 2 so it is not necessary for the device to have an IP address.
Because the same information (platform, software version, addresses) is sent in cleartext to whatever is on the other end of the cable, the usual hardening step is to disable CDP on ports facing users or untrusted networks (no cdp enable on the interface) and keep it only on links to other infrastructure devices.

398
CDP Cisco Discovery Protocol
Switch(config)# cdp run
Switch(config)# no cdp run
Switch(config-if)# no cdp enable
Switch# show cdp
Switch# show cdp neighbors
Switch# show cdp neighbors detail

399
LLDP Link Layer Discovery Protocol

LLDP (Link Layer Discovery Protocol) is an open standard protocol which provides similar information to CDP.
It is a newer protocol and only supported on newer devices. Unlike CDP it is disabled by default on Cisco devices and has to be turned on with lldp run.
The same caveat as for CDP applies: disable it on ports facing untrusted devices.

Switch(config)# lldp run
Switch(config)# no lldp run
Switch(config-if)# no lldp transmit
Switch(config-if)# no lldp receive
Switch# show lldp
Switch# show lldp neighbors
Switch# show lldp neighbors detail

400
Layer 1 Troubleshooting

Basic switch troubleshooting involves checking for Layer 1 and Layer 2 issues
Copper and fibre cables are liable to break if not handled correctly

401
Layer 1 Troubleshooting
Common Layer 1 problems include:
The interface is administratively shut down
The cable is disconnected on either or both ends
The device on the other end of the cable is powered off
Broken connectors which cause loose connections
Bent or stretched cables which lead to broken wires or fibres
Electro-Magnetic Interference (EMI) sources such as motors or
microwaves which cause errors in transmission (newer cable is less
susceptible to this)

402
Layer 1 Troubleshooting Commands
Switch# show ip interface brief

'administratively down' – Issue 'no shutdown'
'down/down' – This indicates a Layer 1 issue. Check the interface is cabled at both ends and the device on the other side is powered on
'up/down' – This indicates a Layer 2 issue or speed mismatch. Check the interface configuration matches on both sides of the link

403
Show ip interface brief
SW1# show ip interface brief
Interface        IP-Address  OK? Method Status                Protocol
FastEthernet0/1  unassigned  YES unset  up                    up
FastEthernet0/2  unassigned  YES unset  administratively down down
FastEthernet0/2  unassigned  YES unset  down                  down
FastEthernet0/2  unassigned  YES unset  up                    down
(The three FastEthernet0/2 rows show the same port in each of the three fault states from the previous slide; a real device lists each interface once.)

404
Show Interface
Switch# show interface

If the interface is reporting an excessive amount of errors it could be either a Layer 1 or Layer 2 problem
Check the integrity of the cable
Check the configuration matches on both sides of the link

405
Show Interface
SW1#show interface fastEthernet 0/2
FastEthernet0/2 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0014.6a8c.2884 (bia 0014.6a8c.2884)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:15, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
367 packets input, 41739 bytes, 0 no buffer
Received 60 broadcasts (58 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 58 multicast, 0 pause input
0 input packets with dribble condition detected
1894 packets output, 150623 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out

406
Speed and Duplex Mismatches

Speed and/or duplex mismatches are a common cause of interface errors
Incorrect speed settings can cause the interface to operate below its maximum speed
Speed mismatches will typically bring the interface down
The interface will typically stay up with duplex mismatches but performance will be terrible because of collisions
The show interface command will report an excessively high number of errors in this case: late collisions on the half-duplex side, and CRC errors and runts on the full-duplex side

407
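The status rules and error-counter symptoms above can be turned into a check that runs over saved command output, which is how you would sweep a site's switches rather than reading each port by hand. The following Python is an added example written for this page, not part of the course material; the `show ip interface brief` and `show interface` text it parses is constructed to match the IOS output format, and the interface names and counter values in it are made up.

```python
import re

# Constructed sample of 'show ip interface brief' output (not captured from a
# real device); the interface names and addresses are made up.
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  administratively down down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/4        unassigned      YES unset  up                    down
Vlan1                  192.168.0.10    YES manual up                    up
"""

# Constructed 'show interface' excerpts for the two ends of one duplex
# mismatch: the half-duplex side records late collisions, the full-duplex
# side sees the other end's aborted frames as CRC errors and runts.
SHOW_INT_HALF = """\
FastEthernet0/4 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 1843 collisions, 2 interface resets
     0 babbles, 512 late collision, 77 deferred
"""
SHOW_INT_FULL = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     391 runts, 0 giants, 0 throttles
     640 input errors, 612 CRC, 28 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""


def classify_interfaces(output):
    """Map each interface in 'show ip interface brief' output to the layer its
    Status/Protocol pair points at, using the rules from the slides."""
    verdicts = {}
    for line in output.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        name, protocol = parts[0], parts[-1]
        status = " ".join(parts[4:-1])              # 'administratively down' has a space
        if status == "administratively down":
            verdicts[name] = "admin-down: issue 'no shutdown'"
        elif status == "down" and protocol == "down":
            verdicts[name] = "layer1: check cabling at both ends and power on the far device"
        elif status == "up" and protocol == "down":
            verdicts[name] = "layer2: check speed/duplex and encapsulation match on both sides"
        else:
            verdicts[name] = "up"
    return verdicts


def _counter(text, name):
    """Return the number printed immediately before `name` in show interface
    output, or 0 if the counter is absent."""
    match = re.search(r"(\d+) " + re.escape(name), text)
    return int(match.group(1)) if match else 0


def duplex_mismatch_indicators(show_interface):
    """Return the duplex-mismatch symptoms present in one 'show interface'
    block; an empty list means the counters do not suggest a mismatch."""
    half_duplex = "Half-duplex" in show_interface
    late = _counter(show_interface, "late collision")
    crc = _counter(show_interface, "CRC")
    runts = _counter(show_interface, "runts")
    findings = []
    if half_duplex and late:
        findings.append(f"half-duplex side: {late} late collisions (far end is probably full-duplex)")
    if not half_duplex and (crc or runts):
        findings.append(f"full-duplex side: {crc} CRC errors, {runts} runts (far end is probably half-duplex)")
    return findings


if __name__ == "__main__":
    for name, verdict in classify_interfaces(SHOW_IP_INT_BRIEF).items():
        print(f"{name:18} {verdict}")
    for block in (SHOW_INT_HALF, SHOW_INT_FULL):
        print(block.splitlines()[0].split()[0], duplex_mismatch_indicators(block))
```

Run it on real output by pasting the command text into the two strings; a port that is up/up but shows either symptom set is the one to check against its neighbour's duplex setting, exactly as the slides describe.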
Speed and Duplex Mismatches

Both sides of a link must be set the same, either both auto or both manually configured
Cisco devices default to auto
If one side is set to auto and the other is manually configured, this will often result in a mismatch
Best practice is to manually configure ports attached to other network infrastructure devices or servers
Remember to manually configure both sides of the link!
If a device has issues with auto-negotiating speed or duplex, manually configuring both sides will normally solve the problem

408
Speed and Duplex Mismatches - CDP

CDP should detect a duplex mismatch and log it:

%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not half duplex)

409
Cisco Device Memory
Cisco routers and switches have 4 built-in memory locations:
ROM – Read Only Memory
Flash – newer devices use removable CompactFlash
NVRAM – Non-Volatile RAM
RAM – Random Access Memory

An external USB device can also be used

410
ROM Read Only Memory
When the device is powered on, it will first load from ROM
Two main functions are performed:
1) Power On Self Test (POST)
2) Load bootstrap
The bootstrap will look in Flash for an IOS software image to load

411
ROM Read Only Memory
If an IOS image cannot be found the device will show the ROMMON
prompt at the command line
The ROM Monitor can be used to recover a missing or corrupted
software image
In this case you can boot from USB or an external TFTP (Trivial File
Transfer Protocol) server
Search for ‘Cisco ROMMON Recovery’ for your device model

412
Flash Memory

The system will load the first IOS image found in Flash by default
You can override this with the boot system command
You can copy additional IOS system images to Flash via TFTP or USB

413
NVRAM Non-Volatile RAM Memory

When the system has finished loading the IOS system image from Flash,
it will load the startup-config configuration file from NVRAM
The saved startup-config becomes the current running-config in RAM
If no startup-config file is found, the device will load the Setup Wizard

414
NVRAM Non-Volatile RAM Memory
Whenever you enter a command in IOS it takes effect immediately and
goes into the running-config
To make your changes permanent across a reboot:
copy running-config startup-config

415
RAM Random Access Memory
The IOS system image and startup-config are loaded from Flash and
NVRAM into RAM during bootup
RAM is used as the normal working memory of the device
ROM, Flash and NVRAM are permanent memory, their contents are not
lost when the device is powered off or rebooted
RAM is volatile memory, its contents are lost when the device is powered
off

416
The VLAN Database

On a switch, the VLAN database (vlan.dat) is saved in either Flash or NVRAM, depending on the model of switch

417
Booting from TFTP
The system can also load a system image and/or startup-config from an external TFTP server instead of Flash/NVRAM
This is not recommended because the device will not be able to boot if it loses connectivity to the server. It is usually only used where the device does not have enough capacity in Flash to save the system image
TFTP also has no authentication or encryption, so a device that boots this way runs whatever image and configuration the server, or anyone able to impersonate it on the path, hands it

418
Lab Example

419
Factory Reset
To factory reset a router or switch:
write erase

This will erase the startup-config
Reload to boot up with a blank configuration
The Setup Wizard will run
Note that on a switch write erase does not remove the VLAN database; delete flash:vlan.dat as well if the VLAN configuration should go too, for example before the device leaves your control

420
The Config Register
The configuration register can be used to change the way the router boots
Use the config-register command in global configuration mode or confreg at the rommon prompt
Eg config-register 0x2142

0x2102: boot normally (default)
0x2120: boot into rommon
0x2142: ignore contents of NVRAM (startup-config)

421
Router Password Recovery Procedure
Press the break sequence (Ctrl-Break) at power on to break into rommon
prompt
confreg 0x2142 to ignore the startup-config on boot
The startup-config is still there with the full configuration including the
unknown enable secret, but the router does not use it when it boots
reset to reload
The router will bootup with no configuration. Type no to bypass the setup
wizard
Enter enable mode. You will not be prompted for the enable secret as it is not
in the running configuration

422
Router Password Recovery Procedure
Copy the startup config to the running config
This will copy the entire previous configuration into the running config
including the unknown enable secret. You are already in enable mode so you
do not need to know what it is.
Enter a new enable secret in global configuration mode to overwrite the
old one. This will go into the running config
config-register 0x2102 so the router will boot normally on the next
restart
copy run start to save the configuration. This will merge the new
enable password into the existing startup-config

423
Switch Password Recovery Procedure
The switch password recovery procedure is very similar, but you may have to physically press the 'Mode' button on the front of the switch to break into the switch loader
Search for 'Cisco password recovery' for your model of switch for full instructions
The flip side of this procedure: anyone with console access who can power cycle the device can do the same, and the recovered startup-config contains every secret in it. Physical security of the device and its console port is what protects the configuration. Many platforms support no service password-recovery, which blocks the procedure at the cost of having to erase the configuration to regain access to a device whose password is lost

424
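One check that follows from the procedure above: a router whose register has been left at 0x2142, or changed to it for the next reload, will come up with no configuration and no passwords, which is also what someone who went through the recovery steps and did not finish them would leave behind. The Python below is an added example, not course material; it decodes the register bits the slides discuss and scans `show version` tails for that condition. The bit meanings are from the IOS configuration register layout; the hostnames and sample text are constructed.

```python
import re

# Configuration register bits that matter here (IOS configuration register layout).
BOOT_FIELD_MASK = 0x000F   # bits 0-3: 0x0 = stay in ROMMON, 0x2-0xF = boot IOS from flash
IGNORE_NVRAM = 0x0040      # bit 6: boot without reading startup-config (the 0x2142 trick)
BREAK_DISABLED = 0x0100    # bit 8: ignore the console break sequence once IOS is running


def decode_config_register(value):
    """Describe the boot behaviour a configuration register value selects."""
    return {
        "boots_to_rommon": (value & BOOT_FIELD_MASK) == 0,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


# Matches the last line of 'show version', including the pending form IOS prints
# after config-register is changed: 'is 0x2102 (will be 0x2142 at next reload)'.
_CONFREG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def audit_show_version(hostname, show_version):
    """Return findings for one device: a register that ignores NVRAM now or at
    the next reload means the device boots with no configuration and no
    passwords; a boot field of 0 means it stops in ROMMON."""
    match = _CONFREG_LINE.search(show_version)
    if not match:
        return [f"{hostname}: no configuration register line found"]
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    findings = []
    for label, reg in (("current", current), ("next reload", pending)):
        bits = decode_config_register(reg)
        if bits["ignores_startup_config"]:
            findings.append(f"{hostname}: {label} register {reg:#06x} ignores startup-config")
        if bits["boots_to_rommon"]:
            findings.append(f"{hostname}: {label} register {reg:#06x} boots to ROMMON")
    return findings


# Constructed 'show version' tails (not captured from real devices).
SAMPLES = {
    "R1": "Cisco IOS Software ...\nConfiguration register is 0x2102\n",
    "R2": "Cisco IOS Software ...\nConfiguration register is 0x2142\n",
    "R3": "Cisco IOS Software ...\nConfiguration register is 0x2102 (will be 0x2142 at next reload)\n",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        for line in audit_show_version(host, text) or [f"{host}: ok"]:
            print(line)
```

R3 in the sample is the case worth catching: its running state looks normal, but the pending value means the next reload discards the saved configuration.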
Backing up the System Image and Config
Copies of the device's IOS system image and configuration can be saved to Flash, FTP, TFTP or USB
If you copy a config file into the running-config, it will be merged with the current configuration
To replace a configuration, factory reset and then copy the new configuration into the startup-config
Configuration backups contain password hashes, SNMP community strings and keys, so store them with the same access restrictions as the device itself; TFTP carries them across the network unencrypted and unauthenticated

copy flash tftp
copy running-config tftp
copy startup-config usb

425
Lab Example

426
Upgrading the IOS System Image
IOS software images can be downloaded from:
https://software.cisco.com/

After downloading the software, copy to the device's Flash using TFTP:
copy tftp flash
Check the copied file's hash against the value published on the download page before booting from it (verify /md5 flash:<image filename>); TFTP provides no integrity protection of its own
Delete the old system image or use the boot system command

427
Lab Example

428
Router IOS Licensing
Prior to IOS 15.0, different IOS system images were available for
different feature sets, such as Security or Telephony
Licensing was not enforced
A universal system image is provided from IOS 15.0
License codes must be entered to activate the Technology Packages

429
Licensing Procedure
When you purchase a license you will be provided with a Product Activation Key (PAK) code
The license will be tied to an individual device. To get the device's Unique Device Identifier (UDI) enter show license udi
Go to the Cisco License Portal http://www.cisco.com/go/license and enter the PAK code and UDI to generate the license
Copy the license to Flash on the router
license install flash:
show license

430
Router Functions

A router has two main functions:
Determining the best path to available networks
Forwarding traffic to those networks

431
The Routing Table

The best available path or paths to a destination network are listed in a router's routing table and will be used for forwarding traffic
A routing table consists of directly connected networks and routes configured statically by the administrator or dynamically learned through a routing protocol.

432
Connected and Local Routes
The administrator configures IP addresses on the router's interfaces
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
interface FastEthernet1/0
ip address 10.0.1.1 255.255.255.0
interface FastEthernet2/0
ip address 10.0.2.1 255.255.255.0

[Diagram: R1 with FastEthernet0/0 10.0.0.1/24, FastEthernet1/0 10.0.1.1/24 and FastEthernet2/0 10.0.2.1/24]
433
show ip route - Connected Routes
This will automatically enter connected routes into the routing table:
R1#sh ip route
C 10.0.0.0/24 is directly connected, FastEthernet0/0
C 10.0.1.0/24 is directly connected, FastEthernet1/0
C 10.0.2.0/24 is directly connected, FastEthernet2/0

If any traffic for the 10.0.0.0/24 network is received on another interface of the router, it will be forwarded out interface FastEthernet0/0

[Diagram: R1 with FastEthernet0/0 10.0.0.1/24, FastEthernet1/0 10.0.1.1/24 and FastEthernet2/0 10.0.2.1/24]
434
show ip route - Local Routes
From IOS 15, local routes will also be added to the routing table
Local routes always have a /32 mask and show the IP address configured on the interface

R1#sh ip route
L 10.0.0.1/32 is directly connected, FastEthernet0/0
L 10.0.1.1/32 is directly connected, FastEthernet1/0
L 10.0.2.1/32 is directly connected, FastEthernet2/0

[Diagram: R1 with FastEthernet0/0 10.0.0.1/24, FastEthernet1/0 10.0.1.1/24 and FastEthernet2/0 10.0.2.1/24]
435
Lab

436
Static Routes
If a router receives traffic for a network which it is not directly attached to, it needs to know how to get there in order to forward the traffic
An administrator can manually add a static route to the destination, or the router can learn it via a routing protocol

[Diagram: R2 (F1/0 10.1.0.2/24, F0/0 10.0.0.2/24) connects over 10.0.0.0/24 to R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24)]

On R2 (next hop is R1's address):
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.1

On R1 (next hop is R2's address):
ip route 10.1.0.0 255.255.255.0 10.0.0.2

437
Static Routes

[Diagram: R3 (F0/0 10.1.1.1/24, F1/0 10.1.0.1/24) -- 10.1.0.0/24 -- R2 (F1/0 10.1.0.2/24, F0/0 10.0.0.2/24) -- 10.0.0.0/24 -- R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24)]

On R3 (next hop is R2's address):
ip route 10.0.0.0 255.255.255.0 10.1.0.2
ip route 10.0.1.0 255.255.255.0 10.1.0.2
ip route 10.0.2.0 255.255.255.0 10.1.0.2

On R2 (next hops are R3's and R1's addresses):
ip route 10.1.1.0 255.255.255.0 10.1.0.1
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.1

On R1 (next hop is R2's address):
ip route 10.1.0.0 255.255.255.0 10.0.0.2
ip route 10.1.1.0 255.255.255.0 10.0.0.2
438
Lab

439
Static Routes
Routes on R1:
ip route 10.1.0.0 255.255.255.0 10.0.0.2
ip route 10.1.1.0 255.255.255.0 10.0.0.2
ip route 10.1.2.0 255.255.255.0 10.0.0.2

[Diagram: R4 (FE1/0 10.1.2.1/24) -- 10.1.1.0/24 (R4 .1, R3 .2) -- R3 -- 10.1.0.0/24 (R3 .1, R2 .2) -- R2 -- 10.0.0.0/24 (R2 .2, R1 .1) -- R1 (FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24)]

440
Summary Routes
For static routing, summary routes lessen administrative overhead and memory usage on the routers
Routes on R1:
ip route 10.1.0.0 255.255.0.0 10.0.0.2

[Diagram: the R4 -- R3 -- R2 -- R1 chain (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); R4 has 10.1.2.1/24 on FE1/0, R1 has 10.0.1.1/24 on FE1/0 and 10.0.2.1/24 on FE2/0]

441
Summary Routes
Summarisation doesn't have to be on classful boundaries
To summarise the range 10.1.0.0 to 10.1.3.0:
ip route 10.1.0.0 255.255.252.0 10.0.0.2

[Diagram: the same R4 -- R3 -- R2 -- R1 chain]

442
Longest Prefix Match
When there are overlapping routes, the longest prefix will be selected
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2

[Diagram: the R4 -- R3 -- R2 -- R1 chain, plus R5 connected to R4 over 10.1.3.0/24 (R4 FE2/0 10.1.3.1, R5 FE2/0 10.1.3.2) and to R1 over 10.0.3.0/24 (R1 FE3/0 10.0.3.1, R5 FE3/0 10.0.3.2). Traffic from R1 to 10.1.3.0/24 follows the /24 via R5; the rest of 10.1.0.0/16 follows the /16 via R2]

443
Load Balancing
When multiple equal length routes are added for the same destination, the router will add them all to the routing table and load balance between them
R1(config)# ip route 10.1.0.0 255.255.0.0 10.0.0.2
R1(config)# ip route 10.1.0.0 255.255.0.0 10.0.3.2

[Diagram: the R4 -- R3 -- R2 -- R1 chain with the alternate R1 -- R5 -- R4 path (10.0.3.0/24 and 10.1.3.0/24)]

444
Default Route (Gateway of Last Resort)
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2
ip route 0.0.0.0 0.0.0.0 203.0.113.2

[Diagram: the R4 -- R3 -- R2 -- R1 chain with the alternate R1 -- R5 -- R4 path; R1 also connects to the Internet from 203.0.113.1, with 203.0.113.2 on the far side]

445
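To make the lookup rules from the last few slides concrete (longest prefix match, equal-cost next hops, the gateway of last resort, and what a summary route actually covers), here is an added Python example, not part of the course; it models R1's routing table from the slides with the standard library `ipaddress` module. The flow hashing in `next_hop` is a simplified stand-in for how a router shares traffic over equal routes and is an assumption, not Cisco's own algorithm.

```python
import ipaddress
from collections import defaultdict


class RoutingTable:
    """IPv4 routing table with longest-prefix-match lookup, equal-cost next
    hops and a gateway of last resort (the 0.0.0.0/0 route)."""

    def __init__(self):
        self._routes = defaultdict(list)          # network -> [next hop, ...]

    def add(self, prefix, next_hop):
        """prefix is 'network/len'; next_hop is an address or 'connected:<interface>'.
        Adding a second next hop for the same prefix creates an equal-cost pair."""
        net = ipaddress.ip_network(prefix, strict=True)
        if next_hop not in self._routes[net]:
            self._routes[net].append(next_hop)

    def lookup(self, destination):
        """Return (matching network, [next hops]) for the most specific route that
        contains destination, or None when nothing matches and there is no default."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net in self._routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return None if best is None else (best, list(self._routes[best]))

    def next_hop(self, source, destination):
        """Pick one next hop for a flow. Equal-cost routes are shared by hashing the
        source/destination pair, so one flow keeps using one path (an assumption
        standing in for the router's own load-balancing scheme)."""
        match = self.lookup(destination)
        if match is None:
            return None
        hops = match[1]
        key = int(ipaddress.ip_address(source)) ^ int(ipaddress.ip_address(destination))
        return hops[key % len(hops)]


def summarise(prefixes):
    """Collapse prefixes into the fewest covering networks, as an administrator
    would when building a summary static route. Non-contiguous ranges stay separate."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def r1_table():
    """R1's routes from the slides: its connected subnets, the /16 summary towards
    R2, the more specific /24 towards R5, and the default route to the Internet."""
    rt = RoutingTable()
    rt.add("10.0.0.0/24", "connected:FastEthernet0/0")
    rt.add("10.0.1.0/24", "connected:FastEthernet1/0")
    rt.add("10.0.2.0/24", "connected:FastEthernet2/0")
    rt.add("10.0.3.0/24", "connected:FastEthernet3/0")
    rt.add("10.1.0.0/16", "10.0.0.2")       # ip route 10.1.0.0 255.255.0.0 10.0.0.2
    rt.add("10.1.3.0/24", "10.0.3.2")       # ip route 10.1.3.0 255.255.255.0 10.0.3.2
    rt.add("0.0.0.0/0", "203.0.113.2")      # ip route 0.0.0.0 0.0.0.0 203.0.113.2
    return rt


if __name__ == "__main__":
    rt = r1_table()
    for dst in ("10.1.3.7", "10.1.2.9", "10.0.1.5", "8.8.8.8"):
        net, hops = rt.lookup(dst)
        print(f"{dst:10} matches {net} via {hops}")
    print(summarise(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]))
    print(summarise(["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24"]))
    rt.add("10.1.0.0/16", "10.0.3.2")       # second equal route: ECMP over R2 and R5
    print(rt.lookup("10.1.2.9"))
```

Two things the run shows that the slides only state: 10.1.3.7 matches both the /16 and the /24 but is sent via 10.0.3.2 because the /24 is longer, and 10.1.0.0 to 10.1.3.0 collapses to exactly 10.1.0.0/22 (255.255.252.0) while adding 10.1.4.0/24 does not fit the summary and stays separate.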
Lab

446
Dynamic Routing Protocols

When a routing protocol is used, routers automatically advertise their best paths to known networks to each other.
Routers use this information to determine their own best path to the known destinations.
When the state of the network changes, such as a link going down or a new subnet being added, the routers update each other.
Routers will automatically calculate a new best path and update the routing table if the network changes.

447
Dynamic Routing Protocols

R1 to R2: "You can get to these networks via me:
10.0.1.0/24
10.0.2.0/24"

[Diagram: R3 (FE0/0 10.1.1.2/24, FE1/0 10.1.0.1/24) -- 10.1.0.0/24 -- R2 (FE1/0 10.1.0.2/24, FE0/0 10.0.0.2/24) -- 10.0.0.0/24 -- R1 (FE0/0 10.0.0.1/24, FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24)]

448
Dynamic Routing Protocols
R2's routing table:
10.0.0.0/24 Connected FE0/0
10.1.0.0/24 Connected FE1/0
10.0.1.0/24 via 10.0.0.1 FE0/0
10.0.2.0/24 via 10.0.0.1 FE0/0

[Diagram: the same R3 -- R2 -- R1 topology]

449
Dynamic Routing Protocols
R2 to R3: "You can get to these networks via me:
10.0.0.0/24
10.0.1.0/24
10.0.2.0/24"

[Diagram: the same R3 -- R2 -- R1 topology]

450
Dynamic Routing Protocols
R3's routing table:
10.1.1.0/24 Connected FE0/0
10.1.0.0/24 Connected FE1/0
10.0.0.0/24 via 10.1.0.2 FE1/0
10.0.1.0/24 via 10.1.0.2 FE1/0
10.0.2.0/24 via 10.1.0.2 FE1/0

[Diagram: the same R3 -- R2 -- R1 topology]

451
Summary Routes

R2 to R3: "You can get to these networks via me:
10.0.0.0/16"

[Diagram: the same R3 -- R2 -- R1 topology]

452
Summary Routes

Summary routes lead to less memory usage in routers as their routing tables contain fewer routes
They also lead to less CPU usage as changes in the network only affect other routers in the same area
For example, if the link on R1 to the 10.0.1.0/24 network goes down, R2 will lose its route there and try to compute a new path
R3 will not be affected as its summary route to 10.0.0.0/16 is unchanged

453
Dynamic Routing Protocols vs Static Routes

Routing protocols are more scalable than administrator defined static routes.
Using purely static routes is only feasible in very small environments.

454
Dynamic Routing Protocol Advantages

The routers automatically advertise available subnets to each other without the administrator having to manually enter every route on every router.
If a subnet is added or removed the routers will automatically discover that and update their routing tables.
If the best path to a subnet goes down routers automatically discover that and will calculate a new best path if one is available.

455
Dynamic Routing Protocols vs Static Routes

Using a combination of a dynamic routing protocol and static routes is very common in real world environments.
In this case the routing protocol will be used to carry the bulk of the network information.
Static routes can also be used on an as needed basis, for example for backup purposes or for a static route to the Internet (which will typically be injected into the dynamic routing protocol and advertised to the rest of the routers).

456
Lab

[Lab topology: R4 -- R3 -- R2 -- R1 in a chain over 100 Mbps links (10.1.1.0/24 with R4 .1 and R3 .2; 10.1.0.0/24 with R3 .1 and R2 .2; 10.0.0.0/24 with R2 .2 and R1 .1). R5 gives a second path over 10 Mbps links: R4 FE2/0 10.1.3.1/24 -- R5 FE2/0 10.1.3.2/24, and R5 FE3/0 10.0.3.2/24 -- R1 FE3/0 10.0.3.1/24. R4 also has 10.1.2.1/24 on FE1/0; R1 has 10.0.1.1/24 on FE1/0 and 10.0.2.1/24 on FE2/0.]

457
Routing Protocol Types
Routing protocols can be split into two main types:
Interior gateway protocols (IGPs)
Exterior gateway protocols (EGPs)

Interior gateway protocols are used for routing within an organisation
Exterior gateway protocols are used for routing between organisations over the Internet
The only EGP in use today is BGP (Border Gateway Protocol)

458
Interior Gateway Protocols
Interior gateway protocols can be split into two main types:
Distance Vector routing protocols
Link State routing protocols

459
Distance Vector Routing Protocols
In Distance Vector protocols, each router sends its directly connected
neighbours a list of all its known networks along with its own distance to
each of those networks
Distance vector routing protocols do not advertise the entire network
topology
A router only knows its directly connected neighbours and the lists of
networks those neighbours have advertised. It doesn’t have detailed
topology information beyond its directly connected neighbours
Distance Vector routing protocols are often called ‘Routing by rumour’

460
Link State Routing Protocols
In Link State routing protocols, each router describes itself and its
interfaces to its directly connected neighbours
This information is passed unchanged from one router to another
Every router learns the full picture of the network including every router,
its interfaces and what they connect to

461
Dynamic Routing Protocols

Interior Gateway Protocols (IGPs):
  Distance Vector: RIP (Routing Information Protocol)
  Advanced Distance Vector: EIGRP (Enhanced Interior Gateway Routing Protocol)
  Link State: OSPF (Open Shortest Path First), IS-IS (Intermediate System to Intermediate System)
Exterior Gateway Protocols (EGPs):
  Path Vector: BGP (Border Gateway Protocol)
462
Interior Gateway Protocols

All of the IGPs do the same job, which is to advertise routes within an
organisation and determine the best path or paths
An organisation will typically pick one of the IGPs
If an organisation has multiple IGPs in effect (for example because of a
merger), information can be redistributed between them. This should
generally be avoided if possible

463
Lab

[Lab topology: R4 -- R3 -- R2 -- R1 chain over 100 Mbps links, with the alternate R4 -- R5 -- R1 path over 10 Mbps links (10.1.3.0/24 and 10.0.3.0/24)]

464
Metric

A router may receive multiple possible paths to get to a destination network
Only the best path will make it into the routing table and be used
The different IGPs use different methods to calculate the best path to a destination network

465
Metric
Each possible path will be assigned a ‘metric’ value by the routing
protocol which indicates how preferred the path is
The lowest metric value is preferred
Distance Vector routers advertise to each other the networks they know
about, and their metric to get to each of them
Link State routers advertise all the links in their area of the network to
each other
Each router will take this information and then make an independent
calculation of its own best path to get to each destination

466
Metric

If the best path to a destination is lost (for example because a link went
down) it will be removed from the routing table and replaced with the
next best route

467
RIP Metric – Hop Count
RIP uses Hop Count as the metric
The maximum hop count by default is 15. Paths which are more than 15 hops away are marked as unreachable
Path R4>5>1 will be preferred for 10.0.1.0/24 in the example below (two hops, even though those links are 10 Mbps rather than 100 Mbps)
RIP is typically used only in small or test environments

[Lab topology: R4 -- R3 -- R2 -- R1 chain over 100 Mbps links, with the alternate R4 -- R5 -- R1 path over 10 Mbps links (10.1.3.0/24 and 10.0.3.0/24)]
468
RIP Metric – Hop Count
R1: "You can get to these networks via me":
10.0.1.0/24 – 1 hop
10.0.2.0/24 – 1 hop
10.0.3.0/24 – 1 hop
10.1.3.0/24 – 2 hops
10.1.2.0/24 – 3 hops

[Lab topology diagram: R4 -- R3 -- R2 -- R1 chain with the alternate R4 -- R5 -- R1 path]
469
RIP Metric – Hop Count
R2: "You can get to these networks via me":
10.0.0.0/24 – 1 hop
10.0.1.0/24 – 2 hops
10.0.2.0/24 – 2 hops
10.0.3.0/24 – 2 hops

[Lab topology diagram: R4 -- R3 -- R2 -- R1 chain with the alternate R4 -- R5 -- R1 path]
470
RIP Metric – Hop Count
R3: "You can get to these networks via me":
10.0.0.0/24 – 2 hops
10.0.1.0/24 – 3 hops
10.0.2.0/24 – 3 hops
10.1.0.0/24 – 1 hop

[Lab topology diagram: R4 -- R3 -- R2 -- R1 chain with the alternate R4 -- R5 -- R1 path]
471
RIP Metric – Hop Count
R1: "You can get to these networks via me":
10.0.0.0/24 – 1 hop
10.0.1.0/24 – 1 hop
10.0.2.0/24 – 1 hop
10.1.0.0/24 – 2 hops

[Lab topology diagram: R4 -- R3 -- R2 -- R1 chain with the alternate R4 -- R5 -- R1 path]
473
RIP Metric – Hop Count
R5: "You can get to these networks via me":
10.0.0.0/24 – 2 hops
10.0.1.0/24 – 2 hops
10.0.2.0/24 – 2 hops
10.0.3.0/24 – 1 hop

[Lab topology diagram: R4 -- R3 -- R2 -- R1 chain with the alternate R4 -- R5 -- R1 path]
474
RIP Metric – Hop Count
R4: I learned 2 possible routes to get to the 10.0.1.0/24 network:
3 hops via 10.1.1.2 out FE0/0
2 hops via 10.1.3.2 out FE2/0
I'll put the best one in my routing table

[Lab topology diagram: R4 -- R3 -- R2 -- R1 chain with the alternate R4 -- R5 -- R1 path]
476
RIP Metric – Hop Count
R4#sh ip route
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks


R 10.0.0.0/24 [120/2] via 10.1.3.2, 00:00:06, FastEthernet2/0
[120/2] via 10.1.1.2, 00:00:16, FastEthernet0/0
R 10.0.1.0/24 [120/2] via 10.1.3.2, 00:00:06, FastEthernet2/0
R 10.0.2.0/24 [120/2] via 10.1.3.2, 00:00:06, FastEthernet2/0
R 10.0.3.0/24 [120/1] via 10.1.3.2, 00:00:06, FastEthernet2/0
R 10.1.0.0/24 [120/1] via 10.1.1.2, 00:00:16, FastEthernet0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
L 10.1.1.1/32 is directly connected, FastEthernet0/0
C 10.1.2.0/24 is directly connected, FastEthernet1/0
L 10.1.2.1/32 is directly connected, FastEthernet1/0
C 10.1.3.0/24 is directly connected, FastEthernet2/0
L 10.1.3.1/32 is directly connected, FastEthernet2/0
203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.0.113.0/24 is directly connected, FastEthernet3/0
L 203.0.113.1/32 is directly connected, FastEthernet3/0

477
OSPF Metric – Cost
OSPF uses 'Cost' as the metric, which is automatically derived from interface bandwidth by default
You can manually configure the cost of links if you want to manipulate the path
Path R4>3>2>1 will be preferred for 10.0.1.0/24 in the example below (three 100 Mbps hops cost less than two 10 Mbps hops)

[Lab topology: R4 -- R3 -- R2 -- R1 chain over 100 Mbps links, with the alternate R4 -- R5 -- R1 path over 10 Mbps links]
478
OSPF Metric – Cost
R4#sh ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O 10.0.0.0/24 [110/3] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.0.1.0/24 [110/4] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.0.2.0/24 [110/4] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.0.3.0/24 [110/13] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.1.0.0/24 [110/2] via 10.1.1.2, 00:03:57, FastEthernet0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
L 10.1.1.1/32 is directly connected, FastEthernet0/0
C 10.1.2.0/24 is directly connected, FastEthernet1/0
L 10.1.2.1/32 is directly connected, FastEthernet1/0
C 10.1.3.0/24 is directly connected, FastEthernet2/0
L 10.1.3.1/32 is directly connected, FastEthernet2/0
203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.0.113.0/24 is directly connected, FastEthernet3/0
L 203.0.113.1/32 is directly connected, FastEthernet3/0
479
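The two R4 routing tables above, RIP's and OSPF's, can be reproduced by running each algorithm over the lab topology, which shows exactly why they disagree. The Python below is an added example, not course material: `rip_tables` is a simplified distance-vector exchange (hop count, connected networks advertised at metric 0, no split horizon or timers) and `ospf_table` is Dijkstra with cost = reference bandwidth / interface bandwidth using the 100 Mbps default reference. The interface list follows the diagram; the 100 and 10 Mbps bandwidths are the lab's link labels.

```python
import heapq
import ipaddress

# The lab topology as drawn on the slides: (router, interface, address, Mbps).
# Interfaces that share a subnet are on the same link; the two links through
# R5 are the 10 Mbps ones.
INTERFACES = [
    ("R1", "FE0/0", "10.0.0.1/24", 100), ("R1", "FE1/0", "10.0.1.1/24", 100),
    ("R1", "FE2/0", "10.0.2.1/24", 100), ("R1", "FE3/0", "10.0.3.1/24", 10),
    ("R2", "FE0/0", "10.0.0.2/24", 100), ("R2", "FE1/0", "10.1.0.2/24", 100),
    ("R3", "FE1/0", "10.1.0.1/24", 100), ("R3", "FE0/0", "10.1.1.2/24", 100),
    ("R4", "FE0/0", "10.1.1.1/24", 100), ("R4", "FE1/0", "10.1.2.1/24", 100),
    ("R4", "FE2/0", "10.1.3.1/24", 10),  ("R4", "FE3/0", "203.0.113.1/24", 100),
    ("R5", "FE2/0", "10.1.3.2/24", 10),  ("R5", "FE3/0", "10.0.3.2/24", 10),
]
OSPF_REFERENCE_MBPS = 100   # IOS default reference bandwidth: cost = 100 Mbps / link bandwidth


def build():
    """Group interfaces by subnet: {'10.0.0.0/24': [(router, ifname, ip, mbps), ...]}."""
    subnets = {}
    for router, ifname, addr, mbps in INTERFACES:
        iface = ipaddress.ip_interface(addr)
        subnets.setdefault(str(iface.network), []).append((router, ifname, str(iface.ip), mbps))
    return subnets


def rip_tables(subnets, max_hops=15):
    """Distance vector (RIP style): every router repeatedly tells each directly
    connected neighbour its whole table, and the neighbour adds one hop. Returns
    {router: {subnet: (hop_count, {next hop addresses})}}; equal-cost next hops
    are kept together. Simplified: no split horizon, timers or route poisoning."""
    table = {router: {} for router, *_ in INTERFACES}
    for net, members in subnets.items():
        for router, *_ in members:
            table[router][net] = (0, set())            # directly connected
    changed = True
    while changed:
        changed = False
        for members in subnets.values():
            for sender, _, sender_ip, _ in members:
                for receiver, *_ in members:
                    if receiver == sender:
                        continue
                    for dest, (metric, _) in list(table[sender].items()):
                        hops = metric + 1
                        if hops > max_hops:
                            continue                   # unreachable for RIP
                        current = table[receiver].get(dest)
                        if current is None or hops < current[0]:
                            table[receiver][dest] = (hops, {sender_ip})
                            changed = True
                        elif hops == current[0] and sender_ip not in current[1]:
                            current[1].add(sender_ip)   # equal cost: keep both
                            changed = True
    return table


def ospf_table(subnets, source):
    """Link state (OSPF style): Dijkstra from `source` over the whole topology
    with cost = reference bandwidth / interface bandwidth. Returns
    {subnet: (cost, next hop address)} for subnets not connected to `source`."""
    def cost(mbps):
        return max(1, OSPF_REFERENCE_MBPS // mbps)

    adjacency = {}                    # router -> [(neighbour, link cost, neighbour ip)]
    for members in subnets.values():
        for a, _, _, a_mbps in members:
            for b, _, b_ip, _ in members:
                if a != b:
                    adjacency.setdefault(a, []).append((b, cost(a_mbps), b_ip))
    dist, first_hop = {source: 0}, {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c, v_ip in adjacency.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                first_hop[v] = v_ip if u == source else first_hop[u]
                heapq.heappush(heap, (d + c, v))
    routes = {}
    for net, members in subnets.items():
        if any(router == source for router, *_ in members):
            continue                                   # shows as a C route, not O
        routes[net] = min((dist[r] + cost(mbps), first_hop[r])
                          for r, _, _, mbps in members if r in dist)
    return routes


if __name__ == "__main__":
    subnets = build()
    for net, (hops, via) in sorted(rip_tables(subnets)["R4"].items()):
        print(f"R {net:16} [120/{hops}] via {sorted(via)}")
    for net, (c, via) in sorted(ospf_table(subnets, "R4").items()):
        print(f"O {net:16} [110/{c}] via {via}")
```

The printout matches the two slides: RIP puts 10.0.1.0/24 two hops away via 10.1.3.2 and keeps both equal-cost next hops for 10.0.0.0/24, while OSPF reaches 10.0.1.0/24 at cost 4 via 10.1.1.2 and 10.0.3.0/24 at cost 13 the long way round, because R1's 10 Mbps interface onto that subnet costs 10 and the R4-R5 link costs 10 before the same final interface is added.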
IS-IS Metric – Cost
IS-IS also uses 'Cost' as the metric, but it is not automatically derived from interface bandwidth. All links have an equal cost by default
You can manually configure the cost of links if you want to manipulate the path
If you do not manually set the link costs then the path with the lowest hop count will be used
Path R4>5>1 will be preferred for 10.0.1.0/24 in the example below

[Lab topology: R4 -- R3 -- R2 -- R1 chain over 100 Mbps links, with the alternate R4 -- R5 -- R1 path over 10 Mbps links]
480
EIGRP Metric
EIGRP uses the bandwidth and delay of links to calculate the metric (load and reliability can also be considered but are ignored by default).
A fixed delay value is used based on the interface bandwidth; the protocol does not dynamically measure current delay.
You can manually configure the delay on links if you want to manipulate the path.
Path R4>3>2>1 will be preferred for 10.0.1.0/24 in the example below.
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24: R4 .1, R3 .2; 10.1.0.0/24: R3 .1, R2 .2; 10.0.0.0/24: R2 .2, R1 .1); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
481
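The three metric rules on the OSPF, IS-IS and EIGRP slides can be checked by computing each protocol's value for the two paths from R4 to 10.0.1.0/24 in the diagram. The Python below is an added example, not code from the course or from Cisco IOS. The link list is constructed from the diagram; the EIGRP delays are the default IOS interface delays for a 100 Mbps interface (100 µsec) and a 10 Mbps interface (1000 µsec), with the default K values, and OSPF uses the default 100 Mbps reference bandwidth. OSPF and EIGRP should prefer R4>3>2>1 and IS-IS should prefer R4>5>1, as the slides state.

```python
# Added example: per-protocol path metrics for the R4 -> 10.0.1.0/24 paths.
# Link tuples are (name, bandwidth_kbps, eigrp_delay_usec), constructed from
# the diagram; delays are the default IOS values for those interface speeds.
from typing import Callable, Dict, List, Tuple

Link = Tuple[str, int, int]

TOP_PATH: List[Link] = [      # R4 > R3 > R2 > R1: three 100 Mbps links
    ("R4-R3", 100_000, 100),
    ("R3-R2", 100_000, 100),
    ("R2-R1", 100_000, 100),
]
BOTTOM_PATH: List[Link] = [   # R4 > R5 > R1: two 10 Mbps links
    ("R4-R5", 10_000, 1000),
    ("R5-R1", 10_000, 1000),
]
PATHS: Dict[str, List[Link]] = {"R4>3>2>1": TOP_PATH, "R4>5>1": BOTTOM_PATH}


def ospf_cost(path: List[Link], reference_bw_kbps: int = 100_000) -> int:
    """OSPF: sum of per-link costs; each link costs reference / bandwidth (min 1)."""
    return sum(max(1, reference_bw_kbps // bw) for _, bw, _ in path)


def eigrp_metric(path: List[Link]) -> int:
    """EIGRP classic metric with default K values (K1=K3=1, K2=K4=K5=0):
    256 * (10^7 / lowest bandwidth in kbps + sum of link delays in tens of usec)."""
    min_bw = min(bw for _, bw, _ in path)
    delay_tens_of_usec = sum(d // 10 for _, _, d in path)
    return 256 * (10_000_000 // min_bw + delay_tens_of_usec)


def isis_cost(path: List[Link], default_link_cost: int = 10) -> int:
    """IS-IS: every link has the same default cost, so the path cost is hop count * cost."""
    return default_link_cost * len(path)


def preferred(metric_fn: Callable[[List[Link]], int], paths: Dict[str, List[Link]]) -> str:
    """Name of the path with the lowest metric under the given protocol rule."""
    return min(paths, key=lambda name: metric_fn(paths[name]))


if __name__ == "__main__":
    for proto, fn in (("OSPF", ospf_cost), ("EIGRP", eigrp_metric), ("IS-IS", isis_cost)):
        costs = {name: fn(p) for name, p in PATHS.items()}
        print(f"{proto:6} {costs} -> prefers {preferred(fn, PATHS)}")
```

Note that only IS-IS picks the bottom path: with equal link costs it is a pure hop count, which is why the slide says IS-IS link costs need to be set by hand if the slow links are to be avoided.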
Choosing a Routing Protocol
RIP uses hop count and has a default maximum metric of 15. It is not usually used in production networks because of its scalability limitations.
EIGRP is very simple to maintain, calculates changes very quickly and its metric calculation will normally choose the best path by default. It is typically only supported on Cisco routers however.
OSPF’s metric calculation will typically choose the best path by default. It is an open standard which is supported by all vendors’ routers and is the most commonly deployed IGP today. It is however more complicated to maintain than EIGRP.
IS-IS link costs need to be manually configured or it will use hop count to determine the best path. It is typically only used in Service Provider networks or large organisations with their own MPLS network, which choose it because of its scalability.
482
Lab
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
483
Equal Cost Multi Path (ECMP)
If multiple paths to a destination have an equal metric, the router will enter all of the paths into the routing table
Equal Cost Multi Path will load balance the outbound traffic to the destination over the different paths
All IGP routing protocols will perform ECMP by default
EIGRP is the only routing protocol which is capable of Unequal Cost Multi Path. It must be manually configured to support this.
484
Equal Cost Multi Path
Both routes to 10.0.1.0/24 will be installed in Router 4’s routing table
Half the traffic will take path R4>3>2>1
Half the traffic will take path R4>5>6>1
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R6-R1 over three 100 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 .1 - R6 .2 on 10.1.4.0/24; R6 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
485
Equal Cost Multi Path
You can also achieve load balancing with static routes
R4(config)# ip route 10.0.1.0 255.255.255.0 10.1.1.2
R4(config)# ip route 10.0.1.0 255.255.255.0 10.1.3.2
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R6-R1 over three 100 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 .1 - R6 .2 on 10.1.4.0/24; R6 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
486
Lab
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
487
Lab
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R6-R1 (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 .1 - R6 FE0/0 .2 on 10.1.4.0/24; R6 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24), with the bottom links labelled 10 Mbps, 10 Mbps and 100 Mbps; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
488
Metric
A router will typically only learn routes to a particular destination from a single routing protocol
When multiple routes to a destination are learned through a routing protocol, the router will install the path or paths with the best (lowest) metric into the routing table
Different routing protocols use different methods to calculate the metric
489
Metric

For example in RIP, path A>B>C>D has a hop count of 3, path A>B>D has a
hop count of 2, so A>B>D would be preferred
In OSPF, if path A>B>C>D has a cost of 60, and path A>B>D has a cost of
100, then A>B>C>D would be used

490
Administrative Distance
If paths to the same destination are received from different routing
protocols, their metrics cannot be compared
For example, a RIP hop count of 5 cannot be compared to an OSPF cost of
60. The comparison would be meaningless because the routing protocols
calculate the metric in completely different ways
The router must use a different method to choose when routes to the
same destination are received from different routing protocols
The Administrative Distance (AD) is used for this

491
Administrative Distance
The Administrative Distance is a measure of how trusted the routing protocol is
If routes to the same destination are received via different routing protocols, the protocol with the best (lowest) AD wins
492
Default Administrative Distance
Route Source          Default AD
Connected Interface   0
Static Route          1
External BGP          20
EIGRP                 90
OSPF                  110
IS-IS                 115
RIP                   120
493
Administrative Distance and Metric
Administrative Distance is used to choose between multiple paths learned via different routing protocols
Metric is used to choose between multiple paths learned via the same protocol
The Administrative Distance is considered first to narrow the choice down to the single best routing protocol
The Metric is then considered to choose the best path or paths which make it into the routing table
494
Show ip route
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
L 10.0.0.1/32 is directly connected, FastEthernet0/0
R 10.1.0.0/24 [120/1] via 10.0.0.2, 00:00:00, FastEthernet0/0
R 10.1.1.0/24 [120/2] via 10.0.0.2, 00:00:00, FastEthernet0/0

Callouts on the slide: connected interfaces (C) have an AD of 0; in [120/1] the first number is the Administrative Distance and the second is the Metric.
495


Administrative Distance Example
Example: A router receives multiple routes to the 10.10.10.0/24 network from both OSPF and RIP
When paths to the same destination are received from multiple routing protocols, the Administrative Distance is considered first
OSPF has a better AD than RIP so the RIP routes will be discarded
496
Administrative Distance Example

The router will then compare the routes received via OSPF and install the
one with the lowest cost in the routing table
If multiple equal cost paths are received via OSPF they will all be installed
in the routing table and the router will load balance outbound traffic to
the destination between them

497
Floating Static Routes

If the best path to a destination is lost (for example because a link went
down) it will be removed from the routing table and replaced with the
next best route
We might want to configure a static route as a backup for the route
learned via a routing protocol
A problem is that static routes have a default Administrative Distance of 1
which will always be preferred over routes learned via an IGP

498
Floating Static Routes – OSPF
We can change the Administrative Distance of a static route to make it act as the backup (rather than the preferred) route
Floating static route for OSPF example
R4(config)#ip route 10.0.1.0 255.255.255.0 10.1.3.2 115
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24), with R5 marked "NO OSPF SUPPORT"; R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
499
Floating Static Routes – Static Routes
Floating static routes can also be used where we are using purely static routing
ip route 10.0.1.0 255.255.255.0 10.1.1.2
ip route 10.0.1.0 255.255.255.0 10.1.3.2 5
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
500
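The selection rule spread over the ECMP, Administrative Distance, Administrative Distance Example and floating static route slides is small enough to write down in full: lowest AD wins, then lowest metric within the winning source, and every path that ties on both is installed. The Python below is an added example, not code from the course or from Cisco IOS. The AD table is the one on the Default Administrative Distance slide, static routes are given the IOS metric of 0, and the candidate sets are constructed from the R4 and 10.10.10.0/24 scenarios on these slides.

```python
# Added example: which candidate routes to one prefix end up in the routing table.
# AD values from the slide table; candidate sets constructed from the slides.
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_AD = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
    "ospf": 110, "isis": 115, "rip": 120,
}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str                 # key into DEFAULT_AD
    next_hop: str
    metric: int                 # protocol metric; IOS shows 0 for a static route
    ad: Optional[int] = None    # explicit AD, as in "ip route ... 10.1.3.2 115"

    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def select_routes(candidates: List[Candidate], prefix: str) -> List[Candidate]:
    """Lowest AD wins; within that source the lowest metric wins; all ties are installed (ECMP)."""
    pool = [c for c in candidates if c.prefix == prefix]
    if not pool:
        return []
    best_ad = min(c.admin_distance() for c in pool)
    pool = [c for c in pool if c.admin_distance() == best_ad]
    best_metric = min(c.metric for c in pool)
    return [c for c in pool if c.metric == best_metric]


def installed_next_hops(candidates: List[Candidate], prefix: str) -> List[str]:
    return [c.next_hop for c in select_routes(candidates, prefix)]


P = "10.0.1.0/24"
P2 = "10.10.10.0/24"
SCENARIOS: Dict[str, List[Candidate]] = {
    # Two OSPF paths with the same cost: both are installed (ECMP).
    "ecmp": [Candidate(P, "ospf", "10.1.1.2", 3), Candidate(P, "ospf", "10.1.3.2", 3)],
    # A plain static route (AD 1) beats OSPF (AD 110): the "backup" would take over.
    "static_wins": [Candidate(P, "ospf", "10.1.1.2", 3), Candidate(P, "static", "10.1.3.2", 0)],
    # Floating static with AD 115: OSPF stays preferred while its route exists.
    "floating": [Candidate(P, "ospf", "10.1.1.2", 3), Candidate(P, "static", "10.1.3.2", 0, ad=115)],
    # Same router after the OSPF route was withdrawn: the floating static is installed.
    "floating_after_failure": [Candidate(P, "static", "10.1.3.2", 0, ad=115)],
    # Purely static routing: AD 1 primary, AD 5 backup.
    "two_statics": [Candidate(P, "static", "10.1.1.2", 0), Candidate(P, "static", "10.1.3.2", 0, ad=5)],
    # AD Example slide: OSPF and RIP both offer 10.10.10.0/24; RIP is discarded first,
    # then both equal-cost OSPF paths are installed.
    "ospf_beats_rip": [Candidate(P2, "rip", "10.0.0.2", 2),
                       Candidate(P2, "ospf", "10.0.0.2", 20), Candidate(P2, "ospf", "10.0.3.2", 20)],
}

if __name__ == "__main__":
    for name, cands in SCENARIOS.items():
        print(f"{name:24} -> {installed_next_hops(cands, cands[0].prefix)}")
```

The "static_wins" case is the problem the Floating Static Routes slide describes: without an explicit AD the static route displaces the IGP route instead of backing it up.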
Lab
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
501
Loopback Interfaces
Loopback interfaces are logical interfaces
They allow you to assign an IP address to a router or L3 switch, which is not tied to a physical interface
Because they don’t have any physical attributes which can fail, loopback interfaces never go down
Loopbacks are logical so they cannot be physically in the same subnet as other devices, so they are usually assigned a /32 subnet mask to avoid wasting IP addresses
502
Loopback Interface Uses
It is best practice to assign a loopback interface to your routers
The loopback is commonly used for traffic that terminates on the router itself
This could be management traffic, Voice over IP, BGP peering etc.
This provides redundancy if there are multiple paths to the router
The loopback is also used to identify the router (Router ID) in OSPF
503
Loopback Interface Uses

The same loopback interface is usually used for multiple tasks (for
example management and BGP)
Multiple loopbacks can be configured. This is not common and only
usually done where another, separate loopback is required for a special
use case

504
Loopback Interfaces
For example, my PC is on the 10.1.2.0 subnet and I want to connect to R1 to manage it
If the top path goes down, I cannot connect to 10.0.0.1
If the bottom path goes down, I cannot connect to 10.0.3.1
[Diagram: top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24 with R1 .1); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
505
Loopback Interfaces
I add interface Loopback 0 with the IP address 192.168.1.1/32
I advertise 192.168.1.1/32 in my routing protocol
R4 learns the two paths to 192.168.1.1
I can still connect to 192.168.1.1 even if either path goes down
[Diagram: as above, with R1 Loopback0 192.168.1.1/32 added; top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (10.1.3.1/24 - 10.1.3.2/24, 10.0.3.2/24 - 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
506
Lab
[Diagram: R1 Loopback0 192.168.1.1/32; top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
507
Adjacencies
IGP routing protocols are configured under global configuration mode and then enabled on individual interfaces
When the routing protocol is enabled on an interface the router will look for other devices on the link which are also running the routing protocol
The router does this by sending out and listening for hello packets
When a matching peer is found, the routers will form an adjacency with each other
They will then exchange routing information
508
Adjacencies
Modern routing protocols use multicast for the hello packets
This is more efficient than broadcast which was used by earlier protocols
Only routers which are running the same routing protocol will process the packet
509
Adjacency Example
The IP subnets configured on the interfaces which are enabled for the routing protocol will be included in its updates
For example, R1 has a routing protocol enabled on the Loopback0 interface and FastEthernet0/0 and 1/0
The routing protocol is not enabled on FastEthernet2/0
RC belongs to a partner organisation we do not want to send internal network information to
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
510
Adjacency Example
R1 will send out and listen for hello packets on the Loopback0 interface and FastEthernet0/0 and 1/0
It will form adjacencies with any routers running the same protocol on those links – RA and RB
It will not send out or listen for hello packets on FastEthernet2/0
It will not form an adjacency with RC
(We will use static routes for the extranet traffic with RC)
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
511
Adjacency Example
R1 will advertise IP subnets to RA and RB:
10.0.0.0/24
10.0.1.0/24
192.168.1.1/32
It will not advertise 10.0.2.0/24
RA and RB will not learn routes to 10.0.2.0/24
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
512
Passive Interfaces
Passive interfaces allow you to include an IP subnet in the routing protocol without sending updates out of the interface
If FastEthernet2/0 is configured as a passive interface, RA and RB will learn routes to 10.0.2.0, but internal network information will not be sent to RC
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
513
Passive Interfaces
It is best practice to configure loopback interfaces as passive interfaces
It is impossible to form an adjacency on a loopback interface because they are not physical interfaces
Making the loopback passive means that it will be advertised by the routing protocol but it will not waste resources sending out and listening for hello packets
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
514
Passive Interface Use Cases
Passive interfaces are used on:
Loopback interfaces
Physical interfaces where the device on the other side belongs to another organisation. We do not want to send routing information out but we do want our internal devices to know about the link
515
Lab
[Diagram: R1 Loopback0 192.168.1.1/32; top path R4-R3-R2-R1 over three 100 Mbps links (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24); bottom path R4-R5-R1 over two 10 Mbps links (R4 FE2/0 10.1.3.1/24 - R5 FE2/0 10.1.3.2/24; R5 FE3/0 10.0.3.2/24 - R1 FE3/0 10.0.3.1/24); R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24; R1 FE2/0 10.0.2.1/24 - R6 FE2/0 10.0.2.2/24]
516
Ping
ICMP: Internet Control Message Protocol
ICMP Echo Request: SRC IP 10.0.0.1, DST IP 10.1.0.1
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24), addresses as labelled on the slide]
517
Ping
ICMP: Internet Control Message Protocol
ICMP Echo Reply: SRC IP 10.1.0.1, DST IP 10.0.0.1
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24), addresses as labelled on the slide]
518
Ping Responses
If the ping is successful:

R1#ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2
seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max =
68/322/1076 ms

519
Ping Responses
If the router does not have a corresponding route or the destination IP
address does not respond:

R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2
seconds:
.....
Success rate is 0 percent (0/5)

520
Ping Responses
If the router discards the packet (for example it is blocked by an Access
Control List):

R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2
seconds:
UUUUU
Success rate is 0 percent (0/5)

521
Extended Ping
Scenario: The user on PC1 complains that he can’t access services on PC3
The problem is R4 does not have a route to 10.0.1.0/24
Traffic which originates from a router always uses the IP address on the
outgoing interface as the source address
A ping from R1 to 10.1.2.10 will succeed because R4 has a route to
10.0.0.1

522
Extended Ping
PC1> ping 10.1.2.10
10.1.2.10 icmp_seq=1 timeout
10.1.2.10 icmp_seq=2 timeout
10.1.2.10 icmp_seq=3 timeout
10.1.2.10 icmp_seq=4 timeout
10.1.2.10 icmp_seq=5 timeout

R1#ping 10.1.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.10, timeout is 2
seconds:
!!!!!

523
Extended Ping
R1#ping
Protocol [ip]:
Target IP address: 10.1.2.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.10, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
.....
Success rate is 0 percent (0/5)

524
Traceroute
ICMP Echo Request: SRC IP 10.0.0.1, DST IP 10.1.0.1, TTL field set
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24)]
525
Traceroute
ICMP Echo Request: SRC IP 10.0.0.1, DST IP 10.1.0.1, TTL: 1
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24)]
526
Traceroute
ICMP Time Exceeded: SRC IP 10.0.0.2, DST IP 10.0.0.1
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24)]
527
Traceroute
ICMP Echo Request: SRC IP 10.0.0.1, DST IP 10.1.0.1, TTL: 2
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24)]
528
Traceroute
ICMP Echo Reply: SRC IP 10.1.0.1, DST IP 10.0.0.1
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24)]
529
Traceroute Responses
Successful Traceroute:

R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.2 20 msec 16 msec 16 msec
2 10.1.0.1 36 msec 40 msec 40 msec
3 10.1.1.1 60 msec 64 msec 60 msec

530
Traceroute Responses
The packet is getting as far as 10.1.0.1. Start troubleshooting there.
Press Ctrl-Shift-6 to abort

R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.10
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.2 28 msec 16 msec 16 msec
2 10.1.0.1 36 msec 36 msec 40 msec
3 * * *
4 * * *

531
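The TTL mechanism on the traceroute slides, and the difference between the successful and the failing output above, can be reproduced with a small model. The Python below is an added example, not code from the course or from Cisco IOS. The hop list is constructed from the two R1 outputs (R2 answering from 10.0.0.2, R3 from 10.1.0.1, the final hop from 10.1.1.1); each router decrements the TTL and, when it reaches 0, returns ICMP Time Exceeded from the address the probe arrived on instead of forwarding. A router with no onward route (or an ACL dropping the probe) stays silent, which is what shows up as "* * *". Stopping after a run of silent hops is this example's stand-in for pressing Ctrl-Shift-6; real IOS keeps probing up to its hop limit.

```python
# Added example: model of traceroute's TTL probing over a constructed hop list.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hop:
    name: str
    ingress_ip: str         # address Time Exceeded (or the final reply) is sent from
    forwards: bool = True   # False: no route onward / ACL, the probe is dropped silently


def send_probe(path: List[Hop], ttl: int) -> Optional[str]:
    """Address that answers one probe sent with this TTL, or None if nothing comes back."""
    for i, hop in enumerate(path):
        ttl -= 1
        if ttl == 0:
            return hop.ingress_ip          # TTL expired here: ICMP Time Exceeded
        if i == len(path) - 1:
            return hop.ingress_ip          # probe reached the destination: it replies
        if not hop.forwards:
            return None                    # dropped: the probe times out
    return None


def traceroute(path: List[Hop], max_hops: int = 30, silent_limit: int = 2) -> List[Optional[str]]:
    """Probe with TTL 1, 2, ... until the destination answers or silent_limit
    consecutive hops stay quiet (the example's stand-in for aborting)."""
    results: List[Optional[str]] = []
    destination = path[-1].ingress_ip
    silent = 0
    for ttl in range(1, max_hops + 1):
        answer = send_probe(path, ttl)
        results.append(answer)
        if answer == destination:
            break
        silent = silent + 1 if answer is None else 0
        if silent >= silent_limit:
            break
    return results


def render(results: List[Optional[str]]) -> List[str]:
    """Format like the IOS output: '3 * * *' for a hop that never answered."""
    return [f"{n} {ip if ip else '* * *'}" for n, ip in enumerate(results, 1)]


# Constructed from the slide outputs: the working path and the one where R3
# has nowhere to send the probe, so the trace gets as far as 10.1.0.1.
WORKING = [Hop("R2", "10.0.0.2"), Hop("R3", "10.1.0.1"), Hop("R4", "10.1.1.1")]
BROKEN = [Hop("R2", "10.0.0.2"), Hop("R3", "10.1.0.1", forwards=False), Hop("R4", "10.1.1.1")]

if __name__ == "__main__":
    for label, path in (("working", WORKING), ("broken", BROKEN)):
        print(label)
        for line in render(traceroute(path)):
            print(" ", line)
```

The last answering hop in the broken case (10.1.0.1) is exactly the "start troubleshooting there" point the slide names: the router after it never returns anything, so it either has no route or is discarding the probe.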
Other Tools – Layer 1
Show ip interface brief
Show interface

532
Other Tools – Layer 2
Show arp
Show mac address-table

533
Other Tools – Layer 4
Telnet

534
Other Tools – DNS
nslookup
Ping by FQDN

535
RIP Characteristics
The Routing Information Protocol (RIP) is a Distance Vector
routing protocol
It uses hop count as its metric
The maximum hop count is 15
It will perform Equal Cost Multi Path, for up to 4 paths by default

536
RIPv2 vs RIPv1
RIPv1 is a legacy protocol which is not typically used anymore
(although it is still supported on Cisco routers)
RIPv1 does not send subnet mask information with routing
updates so Variable Length Subnet Masking (VLSM) is not
supported. RIPv2 does support VLSM.
RIPv1 updates are sent every 30 seconds as broadcast traffic.
RIPv2 uses multicast address 224.0.0.9
RIPv2 supports authentication, RIPv1 does not.

537
RIPng
RIPng (RIP next generation) supports IPv6 networks
It is not covered on the CCNA exam

538
RIPv2 Configuration
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 10.0.0.0
The ‘network’ command should reference a classful network. No subnet mask is specified.
539
Auto-Summary
RIP will automatically summarise routes to the classful boundary by
default
For example, 192.168.10.1/30 will be advertised as 192.168.10.0/24
172.16.10.1/30 will be advertised as 172.16.0.0/16
This is almost never desirable

R1(config)#router rip
R1(config-router)#no auto-summary

540
Manual Summarization
Manual summarisation gives you control of exactly how you summarise
The individual summarised routes are not advertised - only their summary route
R2(config-router)#interface f1/0
R2(config-if)#ip summary-address rip 10.0.0.0 255.255.0.0
[Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (.2) - 10.1.0.0/24 - R3 (.1, F0/0 10.1.1.1/24)]
541
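The Auto-Summary and Manual Summarization slides describe two different rewrites of what RIP advertises: the automatic one collapses every prefix to its classful boundary, the manual one replaces only the prefixes that fall inside a summary you chose. The Python below is an added example, not code from the course or from Cisco IOS; it uses only the standard library, and the prefix lists are constructed from the addresses on the slides (the 10.0.x.0/24 subnets behind R1, R1's loopback, and the two examples on the Auto-Summary slide).

```python
# Added example: RIP auto-summary versus "ip summary-address rip" on constructed prefixes.
import ipaddress
from typing import Iterable, List


def classful_prefix_length(net: ipaddress.IPv4Network) -> int:
    """Class A /8, Class B /16, Class C /24, decided by the first octet."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{net} is not in a classful unicast range")


def auto_summarize(prefix: str) -> str:
    """The route RIP advertises for prefix while auto-summary is in effect."""
    net = ipaddress.ip_network(prefix, strict=False)   # strict=False: accept a host address
    length = classful_prefix_length(net)
    return str(ipaddress.ip_network((str(net.network_address), length), strict=False))


def advertised(prefixes: Iterable[str], auto_summary: bool = True) -> List[str]:
    """Routes advertised for the connected prefixes with or without auto-summary."""
    nets = {auto_summarize(p) if auto_summary else str(ipaddress.ip_network(p, strict=False))
            for p in prefixes}
    return sorted(nets, key=ipaddress.ip_network)


def manual_summarize(prefixes: Iterable[str], summary: str) -> List[str]:
    """Routes sent out of an interface with 'ip summary-address rip <summary>':
    prefixes inside the summary are replaced by it, the rest go out unchanged."""
    summary_net = ipaddress.ip_network(summary)
    out = set()
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        out.add(str(summary_net) if net.subnet_of(summary_net) else str(net))
    return sorted(out, key=ipaddress.ip_network)


# Constructed sample: R1's connected subnets plus its loopback.
R1_PREFIXES = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "192.168.1.1/32"]

if __name__ == "__main__":
    print("auto-summary   :", advertised(R1_PREFIXES))
    print("no auto-summary:", advertised(R1_PREFIXES, auto_summary=False))
    print("summary /16    :", manual_summarize(R1_PREFIXES, "10.0.0.0/16"))
```

With auto-summary on, every 10.0.x.0/24 subnet disappears into a single 10.0.0.0/8, which is why the slide calls the default "almost never desirable": a neighbour that also has part of 10.0.0.0/8 behind it receives an advertisement it cannot distinguish from its own.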
RIPv2 Verification – show ip protocols
R1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "rip"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Sending updates every 30 seconds, next due in 27 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
Default version control: send version 2, receive version 2
Interface Send Recv Triggered RIP Key-chain
FastEthernet0/0 2 2
FastEthernet1/0 2 2
FastEthernet2/0 2 2
FastEthernet3/0 2 2
Automatic network summarization is not in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
10.0.0.2 120 00:00:12
10.0.3.2 120 00:00:01
Distance: (default is 120)

542
RIPv2 Verification – show run | section rip
R1#sh run | section rip
router rip
version 2
network 10.0.0.0
no auto-summary

543
RIPv2 Verification – show ip route
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
L 10.0.0.1/32 is directly connected, FastEthernet0/0
C 10.0.1.0/24 is directly connected, FastEthernet1/0
L 10.0.1.1/32 is directly connected, FastEthernet1/0
C 10.0.2.0/24 is directly connected, FastEthernet2/0
L 10.0.2.1/32 is directly connected, FastEthernet2/0
C 10.0.3.0/24 is directly connected, FastEthernet3/0
L 10.0.3.1/32 is directly connected, FastEthernet3/0
R 10.1.0.0/24 [120/1] via 10.0.0.2, 00:00:15, FastEthernet0/0
R 10.1.1.0/24 [120/2] via 10.0.3.2, 00:00:03, FastEthernet3/0
[120/2] via 10.0.0.2, 00:00:15, FastEthernet0/0
R 10.1.2.0/24 [120/2] via 10.0.3.2, 00:00:03, FastEthernet3/0
R 10.1.3.0/24 [120/1] via 10.0.3.2, 00:00:03, FastEthernet3/0

544
RIPv2 Verification – show ip rip database
R1#show ip rip database
10.0.0.0/8 auto-summary
10.0.0.0/24 directly connected, FastEthernet0/0
10.0.1.0/24 directly connected, FastEthernet1/0
10.0.2.0/24 directly connected, FastEthernet2/0
10.0.3.0/24 directly connected, FastEthernet3/0
10.1.0.0/24
[1] via 10.0.0.2, 00:00:12, FastEthernet0/0
10.1.1.0/24
[2] via 10.0.3.2, 00:00:00, FastEthernet3/0
[2] via 10.0.0.2, 00:00:12, FastEthernet0/0
10.1.2.0/24
[2] via 10.0.3.2, 00:00:00, FastEthernet3/0
10.1.3.0/24
[1] via 10.0.3.2, 00:00:00, FastEthernet3/0

545
Passive Interfaces
Passive interfaces work differently in RIP than other routing protocols
With other routing protocols, a passive interface will not send out or listen
for routing updates
The network configured on the interface will be advertised to other peer
routers running the routing protocol
In RIP, a passive interface does not send out updates but it does listen to
incoming updates from other RIP speaking neighbors
The router can receive updates on the passive interface and use them in
the routing table.

546
Passive Interface Configuration
[Diagram: R1 Loopback0 192.168.1.1/32; top path R4-R3-R2-R1 over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; bottom path R4-R5-R1 over 10.1.3.1/24 - 10.1.3.2/24 and 10.0.3.2/24 - 10.0.3.1/24; R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24; R1 FE2/0 10.0.2.1/24 - R6 FE2/0 10.0.2.2/24]
R1(config)#router rip
R1(config-router)#passive-interface loopback 0
R1(config-router)#passive-interface f2/0
547
Passive Interface Configuration
[Diagram: R1 Loopback0 192.168.1.1/32; top path R4-R3-R2-R1 over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; bottom path R4-R5-R1 over 10.1.3.1/24 - 10.1.3.2/24 and 10.0.3.2/24 - 10.0.3.1/24; R4 FE1/0 10.1.2.1/24; R1 FE1/0 10.0.1.1/24; R1 FE2/0 10.0.2.1/24 - R6 FE2/0 10.0.2.2/24]
R1(config)#router rip
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface f0/0
R1(config-router)#no passive-interface f1/0
R1(config-router)#no passive-interface f3/0
548
Default Route Injection
[Diagram: top path R4-R3-R2-R1 over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; bottom path R4-R5-R1 over 10.1.3.2/24 and 10.0.3.2/24 - 10.0.3.1/24; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE3/0 203.0.113.1 connected to the Internet via 203.0.113.2]
R4(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2
R4(config)#router rip
R4(config-router)#default-information originate
549
Default Route Injection Verification
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.3.2 to network 0.0.0.0

R* 0.0.0.0/0 [120/2] via 10.0.3.2, 00:00:25, FastEthernet3/0
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
L 10.0.0.1/32 is directly connected, FastEthernet0/0
C 10.0.1.0/24 is directly connected, FastEthernet1/0
L 10.0.1.1/32 is directly connected, FastEthernet1/0
C 10.0.2.0/24 is directly connected, FastEthernet2/0
L 10.0.2.1/32 is directly connected, FastEthernet2/0
C 10.0.3.0/24 is directly connected, FastEthernet3/0
L 10.0.3.1/32 is directly connected, FastEthernet3/0
R 10.1.0.0/24 [120/1] via 10.0.0.2, 00:00:00, FastEthernet0/0
R 10.1.1.0/24 [120/2] via 10.0.3.2, 00:00:25, FastEthernet3/0
[120/2] via 10.0.0.2, 00:00:00, FastEthernet0/0
R 10.1.2.0/24 [120/2] via 10.0.3.2, 00:00:25, FastEthernet3/0
R 10.1.3.0/24 [120/1] via 10.0.3.2, 00:00:25, FastEthernet3/0
192.168.1.0/32 is subnetted, 1 subnets
C 192.168.1.1 is directly connected, Loopback0
550
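The three `show ip route` outputs on these slides share one line format, and reading it mechanically is useful when checking a router (for instance, to confirm that the R* default route arrived, or to spot every prefix that is being load balanced). The Python below is an added example, not code from the course or from Cisco IOS. The sample text is assembled from the R1 outputs above plus one OSPF line from the earlier R4 output; the parser handles the `[AD/metric] via ...` lines, the `is directly connected` lines, and the indented continuation line that IOS prints for the second next hop of an ECMP route.

```python
# Added example: parser for the route lines of IOS `show ip route` output.
import re
from typing import Dict, List, Optional

# Constructed sample: lines taken from the R1 and R4 outputs on the slides.
SAMPLE = """\
Gateway of last resort is 10.0.3.2 to network 0.0.0.0

R*    0.0.0.0/0 [120/2] via 10.0.3.2, 00:00:25, FastEthernet3/0
      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
R        10.1.0.0/24 [120/1] via 10.0.0.2, 00:00:00, FastEthernet0/0
R        10.1.1.0/24 [120/2] via 10.0.3.2, 00:00:25, FastEthernet3/0
                     [120/2] via 10.0.0.2, 00:00:00, FastEthernet0/0
O        10.0.2.0/24 [110/4] via 10.1.1.2, 00:03:57, FastEthernet0/0
"""

# Route code (R, O, C, L, R*, IA, N1, ...), then the prefix, then the rest of the line.
ROUTE = re.compile(r"^(?P<code>[A-Za-z][A-Za-z0-9]?\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$")
# "[AD/metric] via next-hop, age, interface": used both for the first next hop and for
# an ECMP continuation line, which IOS prints without code or prefix.
VIA = re.compile(r"^\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\S+),\s+(?P<age>\S+),\s+(?P<intf>\S+)$")
CONNECTED = re.compile(r"^is directly connected,\s+(?P<intf>\S+)$")


def parse_show_ip_route(text: str) -> List[Dict]:
    """One dict per route: code, prefix, ad, metric, next_hops as (via, interface) pairs."""
    routes: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = VIA.match(line)
        if m:                                      # continuation line: extra ECMP next hop
            if routes:
                routes[-1]["next_hops"].append((m["nh"], m["intf"]))
            continue
        m = ROUTE.match(line)
        if not m:
            continue                               # header, legend or subnet summary line
        route: Dict = {"code": m["code"], "prefix": m["prefix"], "ad": 0, "metric": 0, "next_hops": []}
        rest = m["rest"]
        c = CONNECTED.match(rest)
        v = VIA.match(rest)
        if c:
            route["interface"] = c["intf"]         # connected/local: AD 0, no next hop
        elif v:
            route["ad"], route["metric"] = int(v["ad"]), int(v["metric"])
            route["next_hops"].append((v["nh"], v["intf"]))
        else:
            continue
        routes.append(route)
    return routes


def ecmp_prefixes(routes: List[Dict]) -> List[str]:
    """Prefixes that are being load balanced over more than one next hop."""
    return [r["prefix"] for r in routes if len(r["next_hops"]) > 1]


def default_route(routes: List[Dict]) -> Optional[Dict]:
    for r in routes:
        if r["prefix"] == "0.0.0.0/0":
            return r
    return None


if __name__ == "__main__":
    parsed = parse_show_ip_route(SAMPLE)
    for r in parsed:
        print(r)
    print("ECMP:", ecmp_prefixes(parsed))
    print("default:", default_route(parsed))
```

The AD and metric fields come straight out of the brackets, so the same parser lets you confirm the rule from the Administrative Distance slides on real output: a RIP route shows 120, an OSPF route 110, and a connected route has no bracket at all because its AD is 0.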
RIP Default Timers
Update: The router sends updates every 30 seconds.
Invalid: After no updates for 180 seconds the route becomes
invalid.
Hold Down: The hold down timer is used to stabilize the network. It starts when the invalid timer completes. While a route is in hold down, a new route to the same destination will not be installed even if it has a better metric. 180 seconds by default.
Flush: 240 seconds from the last update the route is flushed.

551
RIP Default Timers
The timers can be changed to achieve faster convergence times.
Be careful with this as it can introduce instability if the timers are
set too low.
All routers in the network should have the same timer settings.
The update timer must be lower than the other timers.

R2(config)#router rip
R2(config-router)#timers basic 10 90 90 120

552
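The two RIP timer slides describe a route lifecycle (reachable until the invalid timer expires, then hold down, then removal at the flush timer) and a rule for tuning it (the update timer must be lower than the others). The Python below is an added example, not code from the course or from Cisco IOS; it models that lifecycle for a single learned route as a function of how long ago the neighbour last advertised it, using the default 30/180/180/240 timers and the 10/90/90/120 set from the `timers basic` line above. With the defaults the flush timer fires before the 180 second hold down would run out, so hold down effectively ends at the flush point; the model follows that.

```python
# Added example: RIP route lifecycle driven by the update/invalid/hold down/flush timers.
from dataclasses import dataclass


@dataclass(frozen=True)
class RipTimers:
    update: int = 30      # seconds between periodic updates
    invalid: int = 180    # no update for this long: the route becomes invalid
    holddown: int = 180   # hold down period, starts when the invalid timer completes
    flush: int = 240      # this long after the last update the route is removed


DEFAULT = RipTimers()
FAST = RipTimers(update=10, invalid=90, holddown=90, flush=120)   # "timers basic 10 90 90 120"


def timers_are_safe(t: RipTimers) -> bool:
    """The slide's rule: the update timer must be lower than the other three.
    Also require flush >= invalid, otherwise a route could be flushed before it ever went invalid."""
    return 0 < t.update < min(t.invalid, t.holddown, t.flush) and t.flush >= t.invalid


def route_state(seconds_since_update: int, t: RipTimers = DEFAULT) -> str:
    """'reachable' until the invalid timer expires, 'holddown' until the flush timer
    expires (the route stays in the table but cannot be replaced), then 'flushed'."""
    if seconds_since_update < t.invalid:
        return "reachable"
    if seconds_since_update < t.flush:
        return "holddown"
    return "flushed"


def accept_update(seconds_since_update: int, new_metric: int, current_metric: int,
                  t: RipTimers = DEFAULT) -> bool:
    """Can an update for the same prefix from another neighbour replace the route right now?"""
    state = route_state(seconds_since_update, t)
    if state == "holddown":
        return False                    # better metric or not, ignored during hold down
    if state == "flushed":
        return True                     # the old route is gone, so any valid route is installed
    return new_metric < current_metric  # reachable: ordinary best-metric comparison


if __name__ == "__main__":
    for age in (0, 100, 180, 239, 240):
        print(f"{age:4}s since last update -> {route_state(age)}")
    print("10/90/90/120 safe:", timers_are_safe(FAST))
    print("90/90/90/120 safe:", timers_are_safe(RipTimers(90, 90, 90, 120)))
```

The `accept_update` rule is the part that makes hold down a stability feature rather than a nuisance: a neighbour that is still advertising a stale path with a good metric after the original next hop failed cannot re-install it until the flush timer has cleaned the old entry out.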
Lab

553
Campus Design - Access, Distribution and Core Layers
The campus LAN should be designed for scalability, performance and security
To aid in a best practice design process, the network topology is split into access, distribution and core layers
The layers have their own design principles and characteristics
554
Campus Design – Access Layer
[Diagram: Access Layer switches in the Main Building and in Building 1]
555
The Access Layer
End hosts such as desktop computers, servers and IP phones connect
into the network at the access layer
It is designed to have a high port count at an affordable cost
Desktops typically have only one Network Interface Card (NIC) so they
connect into one switch or Wireless Access Point
Servers will often have dual NICs and connect to a pair of redundant
switches
Client access security measures are enabled at the Access Layer

556
Campus Design - Distribution Layer
[Diagram: Access Layer switches in the Main Building and in Building 1, each uplinked to a Distribution Layer]
557
The Distribution Layer
Access Layer switches uplink to Distribution Layer switches
The Distribution Layer switches serve as an aggregation point for the Access Layer and provide scalability
Distribution Layer switches are typically deployed in redundant pairs, with downstream Access Layer switches connected to both
End hosts are not typically connected here
Most software policy such as QoS is enabled at this layer
558
Campus Design - Core Layer
[Diagram: Access Layer and Distribution Layer in the Main Building and in Building 1, uplinked to a Core Layer that connects to the Wide Area Network]
559
The Core Layer
Distribution Layer switches uplink to Core Layer switches
Core Layer switches are typically deployed in redundant pairs, with downstream Distribution Layer switches connected to both
Traffic between different parts of the campus travels through the core so it is designed for speed and resiliency
Software policy slows the switch down so should be avoided in the Core Layer
560
Collapsed Distribution and Core
Smaller campuses do not need the scalability of three separate layers
In these cases a Collapsed Distribution and Core layer is used, where the Distribution and Core layer functions are performed on the same hardware device
561
Collapsed Distribution and Core
[Diagram: Access Layer in the Main Building uplinked to a combined Distribution/Core Layer that connects to the Wide Area Network]
562
Router Operations
Routers operate at Layer 3 of the OSI stack
Hosts in separate IP subnets must send traffic via a router to communicate
Security rules on routers or firewalls can be used to easily control what traffic is allowed between different IP subnets at Layer 3
Routers do not forward broadcast traffic by default
They provide performance and security by splitting networks into smaller domains at Layer 3
563
Switch Operations
Switches operate at Layer 2 of the OSI stack
They do forward broadcast traffic by default
By default a campus switched network is one large broadcast domain
Switches flood broadcast traffic everywhere, including between different IP subnets
This raises performance and security concerns
564
LAN Networks
[Diagram: a router connected to the Wide Area Network, acting as ENG default gateway 10.10.10.1 and SALES default gateway 10.10.20.1; one Ethernet switch connecting ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, ENG PC3 10.10.10.12, SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10]
565
Unicast Traffic within same IP subnet
[Diagram: a router connected to the Wide Area Network, acting as ENG default gateway 10.10.10.1 and SALES default gateway 10.10.20.1; one Ethernet switch connecting ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, ENG PC3 10.10.10.12, SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10; unicast traffic between two ENG PCs stays on the switch]
566
Unicast Traffic between different IP subnets
[Diagram: a router connected to the Wide Area Network, acting as ENG default gateway 10.10.10.1 and SALES default gateway 10.10.20.1; one Ethernet switch connecting ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, ENG PC3 10.10.10.12, SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10; traffic between an ENG PC and a SALES PC goes via the router]
Callout: you can implement security policies on the router to limit traffic between IP subnets
567
Broadcast Traffic
[Diagram: a router connected to the Wide Area Network, acting as ENG default gateway 10.10.10.1 and SALES default gateway 10.10.20.1; one Ethernet switch connecting ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, ENG PC3 10.10.10.12, SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10; a broadcast from one PC is flooded to every port on the switch]
568
The Problem
Switches flood broadcast traffic everywhere, including between different IP subnets
This affects security because the traffic bypasses router or firewall Layer 3 security policies
It affects performance because every end host has to process the traffic
It also affects performance by using bandwidth on links where the traffic is not required
569
Broadcast Traffic

[Diagram: ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, ENG PC3 10.10.10.12, SALES PC1 10.10.20.11, SALES PC2 10.10.20.10, ACCOUNTS PC1 10.10.30.10 and ACCOUNTS PC2 10.10.30.11 all share one switched network, so a broadcast from any of them reaches every host in all three IP subnets.]
570
VLAN Virtual Local Area Networks

We can increase performance and security in the LAN by implementing VLANs on our switches
VLANs segment the LAN into separate broadcast domains at Layer 2
There is typically a one-to-one relationship between an IP subnet and a VLAN

571
VLAN Virtual Local Area Networks
[Diagram: ENG VLAN and SALES VLAN on one Ethernet Switch. F0/1 connects to the ENG Default Gateway 10.10.10.1 and F0/2 to the SALES Default Gateway 10.10.20.1 on the ROUTER, which also connects to the Wide Area Network. F0/3, F0/4 and F0/5 connect ENG PC1 10.10.10.10, ENG PC2 10.10.10.11 and ENG PC3 10.10.10.12; F0/6 and F0/7 connect SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10. Callout: Switches only allow traffic within the same VLAN.]
572
Unicast Traffic within same IP subnet
[Diagram: same VLAN topology. Unicast traffic between two ENG hosts stays within the ENG VLAN on the switch.]
573
Unicast Traffic between different IP subnets
[Diagram: same VLAN topology. Traffic from an ENG host to a SALES host leaves the ENG VLAN on F0/1 to the router, is routed, and re-enters the switch on F0/2 in the SALES VLAN.]
574
Broadcast Traffic
[Diagram: same VLAN topology. A broadcast from an ENG host is flooded only to the other ENG VLAN ports (F0/1, F0/3 to F0/5); the SALES VLAN ports do not receive it.]
575
VLAN Access Ports

VLAN access ports are configured on switch interfaces where end hosts
are plugged in
Access ports are configured with one specific VLAN
The configuration is all on the switch, the end host is not VLAN aware
Switches only allow traffic within the same VLAN

576
Unicast Traffic within same IP subnet
[Diagram: same VLAN topology, showing unicast traffic between two ENG hosts staying within the ENG VLAN.]
577
Misconfigured VLAN
[Diagram: same VLAN topology, illustrating a misconfigured access port: a host whose port is placed in the wrong VLAN is in a different broadcast domain from the other hosts and the default gateway of its IP subnet, so it cannot reach them.]
578
The Default VLAN - VLAN 1
[Diagram: the flat topology from the start of the section: ROUTER (Wide Area Network) with ENG Default Gateway 10.10.10.1 and SALES Default Gateway 10.10.20.1, one Ethernet Switch, ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, ENG PC3 10.10.10.12, SALES PC1 10.10.20.11, SALES PC2 10.10.20.10. Callout: All ports are in VLAN 1 by default.]
579
Access Port Configuration – Eng VLAN
SW1(config)#vlan 10
SW1(config-vlan)#name Eng
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config)#interface range FastEthernet 0/3 - 5
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 10

580
Access Port Configuration – Sales VLAN
SW1(config)#vlan 20
SW1(config-vlan)#name Sales
SW1(config)#interface FastEthernet 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
SW1(config)#interface range FastEthernet 0/6 - 7
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 20

581
Verification – show vlan brief
SW1#show vlan brief

VLAN Name Status Ports


---- -------------------------------- --------- -------------------------------
1 default active Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gig0/1, Gig0/2
10 Eng active Fa0/1, Fa0/3, Fa0/4, Fa0/5
20 Sales active Fa0/2, Fa0/6, Fa0/7
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

582
Verification – show interface switchport
SW1#show interface FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Eng)
Trunking Native Mode VLAN: 1 (default)
! truncated

583
VLAN Lab

584
VLAN Access Ports
[Diagram: the VLAN topology for the lab. F0/1 connects to the ENG Default Gateway 10.10.10.1 and F0/2 to the SALES Default Gateway 10.10.20.1 on the ROUTER (Wide Area Network). F0/3 to F0/5 connect ENG PC1 10.10.10.10, ENG PC2 10.10.10.11 and ENG PC3 10.10.10.12; F0/6 and F0/7 connect SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10.]
585
What about the links between switches?
[Diagram: two Ethernet Switches joined by a link. The upper switch connects ENG PC1 10.10.10.10, SALES PC1 10.10.20.11, ENG PC3 10.10.10.12 and the ROUTER (Wide Area Network) with ENG Default Gateway 10.10.10.1 and SALES Default Gateway 10.10.20.1. The lower switch connects SALES PC2 10.10.20.10 and ENG PC2 10.10.10.11. Both the ENG VLAN and the SALES VLAN have hosts on both switches, so the link between the switches has to carry traffic for both VLANs.]
586
What about the links between switches?
[Diagram repeated from the previous slide.]
587
Dot1Q Trunks
[Diagram: the same two-switch topology with the link between the switches labelled TRUNK.]
588
Dot1Q Trunks

An access port carries traffic for one specific VLAN
Dot1Q trunks are configured on the links between switches where we need to carry traffic for multiple VLANs
ISL (Inter-Switch Link) was a Cisco proprietary trunking protocol which is now obsolete

589
Dot1Q Trunks

When the switch forwards traffic to another switch over a trunk, it inserts a Dot1Q tag into the Layer 2 header carrying the VLAN ID of the frame
The receiving switch reads the tag and will only forward the traffic out ports that are in that VLAN
The switch removes the Dot1Q tag from the Ethernet frame when it sends it to the end host

590
Dot1Q Format

Ethernet frame received from host: Destination MAC | Source MAC | Type | Data | FCS

Switch inserts the Dot1Q tag when sending out a trunk port: Destination MAC | Source MAC | 802.1Q tag (TPID 0x8100, 3-bit priority, 1-bit DEI, 12-bit VLAN ID) | Type | Data | FCS

A receiving switch will remove the Dot1Q tag when forwarding the frame out an access port

591
Dot1Q Trunks
[Diagram: the two-switch topology with the TRUNK between the switches, numbered 1 to 5. (1) SALES PC2 sends an untagged frame into its Sales VLAN access port on the lower switch. (2) The lower switch adds a Dot1q tag for the Sales VLAN and sends the frame over the trunk. (3) The upper switch reads the tag and treats the frame as Sales VLAN traffic. (4) and (5) The upper switch strips the Dot1q tag and forwards the frame only out of Sales VLAN ports, towards SALES PC1 and the SALES Default Gateway; the ENG VLAN ports do not receive it.]
592
Hypervisors - VLAN Aware Hosts

End hosts are typically members of only one VLAN and are not VLAN
aware
A special case is virtualized hosts, where there are virtual machines in
different IP subnets on the host
In this case we need to trunk the VLANs down to the host

593
Hypervisors - VLAN Aware Hosts
[Diagram: ROUTER (Wide Area Network) with ENG Default Gateway 10.10.10.1 and SALES Default Gateway 10.10.20.1, connected by a TRUNK to the physical Ethernet Switch. Switch port F0/1 is a Trunk down to a VMware Host; the host's Virtual Switch connects ENG VM 10.10.10.10 and SALES VM 10.10.20.11, each in its own VLAN.]
594


Trunk Port Configuration
SW1(config)#interface FastEthernet 0/24
SW1(config-if)#description Trunk to SW2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk

595
The Native VLAN
The switch needs to know which VLAN to assign to any traffic which comes in untagged on a trunk port
This used to be required for when a switch was connected to a hub. Hubs are Layer 1 devices so are not VLAN aware
The Native VLAN is used for this
The default Native VLAN is VLAN 1
There are security issues with using VLAN 1 as the Native VLAN: every port is in VLAN 1 by default, so any host on an unconfigured port shares the native VLAN of the trunks. A frame sent from that VLAN with a second, inner tag has its outer tag stripped at the trunk and is delivered by the next switch into the VLAN of the inner tag (VLAN hopping by double tagging). Best practice is to change the Native VLAN to an unused VLAN that has no access ports
The Native VLAN should match on both sides of a trunk. A mismatch does not stop the trunk from coming up, but untagged frames are placed into a different VLAN on each side, so traffic leaks between the two VLANs; Cisco switches log a CDP native VLAN mismatch and spanning tree blocks the mismatched VLANs on that port

596
Native VLAN Configuration
SW1(config)#vlan 199
SW1(config-vlan)#name Native
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#description Trunk to SW2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 199

597
Verification – show interface switchport
SW1#show interface gig0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 199 (Inactive)
Voice VLAN: none
truncated

598
Limiting Allowed VLANs

[Diagram: two switches joined by a trunk. One switch connects ACCOUNTS PC1 10.10.30.10 and ENG PC3 10.10.10.12; the other connects ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, SALES PC1 10.10.20.10, SALES PC2 10.10.20.11 and ACCOUNTS PC2 10.10.30.11. Only the ENG and ACCOUNTS VLANs have hosts on both switches, so the trunk only needs to carry those two VLANs.]
599
Allowed VLAN Configuration
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport trunk allowed vlan 10,30

The command replaces the whole allowed list for the trunk with the VLANs given; the add, remove and except keywords modify an existing list instead. Pruning VLANs that have no hosts on the far switch keeps their broadcasts off the link and means a compromised host on one switch cannot reach those VLANs over the trunk.

600
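The access port, trunk, Dot1Q tag, native VLAN and allowed-VLAN behaviour described on the slides above, as an added Python model that is not part of the course material. It builds real Ethernet frame bytes, inserts and strips the 4-byte 802.1Q tag, and replays SW1's configuration (VLAN 10 on Fa0/1 and Fa0/3-5, VLAN 20 on Fa0/2 and Fa0/6-7, Gig0/1 trunking with native VLAN 199 and allowed VLANs 10,30). The MAC addresses, the Switch class and its method names are assumptions made for the example. The model drops an untagged frame arriving on the trunk when the native VLAN is not in the allowed list, which is the effect a practitioner wants from picking an unused native VLAN with no access ports.

```python
import struct

TPID = 0x8100   # 802.1Q Tag Protocol Identifier: the EtherType value that marks a tagged frame
BCAST = b"\xff" * 6


def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Untagged Ethernet frame as a host sends it: dst MAC, src MAC, EtherType, data."""
    return dst + src + struct.pack("!H", ethertype) + payload


def add_dot1q_tag(frame, vid, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)   # 3-bit priority, 1-bit DEI (0 here), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def strip_dot1q_tag(frame):
    """Return (vid, untagged_frame); vid is None when the frame carries no tag."""
    if len(frame) >= 16 and frame[12:14] == b"\x81\x00":
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Switch:
    """Access ports, one Dot1Q trunk, per-VLAN MAC learning and flooding limited to the VLAN."""

    def __init__(self):
        self.ports = {}        # port name -> configuration
        self.mac_table = {}    # (vlan, mac) -> port
        self.egress = []       # (port, frame) log of everything transmitted

    def access(self, port, vlan):
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def trunk(self, port, native=1, allowed=None):   # allowed=None: all VLANs
        self.ports[port] = {"mode": "trunk", "native": native, "allowed": allowed}

    def _carries(self, cfg, vlan):
        if cfg["mode"] == "access":
            return cfg["vlan"] == vlan
        return cfg["allowed"] is None or vlan in cfg["allowed"]

    def receive(self, in_port, frame):
        cfg = self.ports[in_port]
        vid, untagged = strip_dot1q_tag(frame)
        if cfg["mode"] == "access":
            if vid is not None:            # end hosts on access ports are not VLAN aware
                return "dropped: tagged frame on access port %s" % in_port
            vlan = cfg["vlan"]
        else:
            vlan = cfg["native"] if vid is None else vid   # untagged on a trunk: native VLAN
            if not self._carries(cfg, vlan):
                return "dropped: VLAN %d not allowed on trunk %s" % (vlan, in_port)
        dst, src = untagged[:6], untagged[6:12]
        self.mac_table[(vlan, src)] = in_port
        out = self.mac_table.get((vlan, dst))
        if out is None:   # broadcast or unknown unicast: flood, but only inside this VLAN
            targets = [p for p in self.ports
                       if p != in_port and self._carries(self.ports[p], vlan)]
        else:
            targets = [] if out == in_port else [out]
        for p in targets:
            self._send(p, vlan, untagged)
        return "forwarded in VLAN %d to %s" % (vlan, sorted(targets))

    def _send(self, port, vlan, untagged):
        cfg = self.ports[port]
        if cfg["mode"] == "trunk" and vlan != cfg["native"]:
            self.egress.append((port, add_dot1q_tag(untagged, vlan)))   # tag on trunk egress
        else:
            self.egress.append((port, untagged))   # access port or native VLAN: untagged


def demo():
    """SW1 as configured on the slides, with constructed MAC addresses."""
    sw = Switch()
    for p in ("Fa0/1", "Fa0/3", "Fa0/4", "Fa0/5"):
        sw.access(p, 10)                       # Eng
    for p in ("Fa0/2", "Fa0/6", "Fa0/7"):
        sw.access(p, 20)                       # Sales
    sw.trunk("Gig0/1", native=199, allowed={10, 30})
    eng_pc1, sales_pc1 = bytes.fromhex("020000000101"), bytes.fromhex("020000000201")
    far_host = bytes.fromhex("020000000102")   # an Eng host behind SW2
    r = {}
    sw.receive("Fa0/3", build_frame(BCAST, eng_pc1))       # ENG PC1 broadcasts (e.g. an ARP request)
    r["eng_bcast"] = sorted(p for p, _ in sw.egress)       # VLAN 10 ports plus the trunk
    r["trunk_tag"] = strip_dot1q_tag(dict(sw.egress)["Gig0/1"])[0]
    sw.egress.clear()
    sw.receive("Fa0/6", build_frame(BCAST, sales_pc1))     # SALES PC1 broadcasts
    r["sales_bcast"] = sorted(p for p, _ in sw.egress)     # VLAN 20 only; not allowed on the trunk
    sw.egress.clear()
    sw.receive("Gig0/1", add_dot1q_tag(build_frame(eng_pc1, far_host), 10))   # tagged unicast from SW2
    r["to_eng_pc1"] = [(p, strip_dot1q_tag(f)[0]) for p, f in sw.egress]      # delivered untagged
    sw.egress.clear()
    r["untagged_on_trunk"] = sw.receive("Gig0/1", build_frame(BCAST, far_host))  # native VLAN 199
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and compare with the slides: the ENG broadcast leaves Fa0/1, Fa0/4, Fa0/5 and the trunk (tagged 10), the SALES broadcast never touches the trunk because VLAN 20 is not allowed, the tagged frame from SW2 reaches ENG PC1 without its tag, and the untagged frame on the trunk is dropped.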
VLAN Lab

601
VLANs and IP subnets in the LAN

There is typically a one-to-one relationship between an IP subnet and a VLAN in the LAN campus
For example Engineering hosts are in IP subnet 10.10.10.0/24 and VLAN 10, and Sales hosts are in IP subnet 10.10.20.0/24 and VLAN 20
Hosts are segregated at Layer 3 by being in different IP subnets, and at Layer 2 by being in different VLANs
Hosts in different IP subnets need to send traffic via a router to communicate with each other

602
Option 1: Router with separate interfaces
[Diagram: ROUTER with F0/3 203.0.113.1/24 towards the Wide Area Network, F0/1 as the ENG Default Gateway 10.10.10.1 and F0/2 as the SALES Default Gateway 10.10.20.1. Router F0/1 connects to switch F0/1 (ENG VLAN) and router F0/2 to switch F0/2 (SALES VLAN). Switch F0/3 to F0/5 connect ENG PC1 10.10.10.10, ENG PC2 10.10.10.11 and ENG PC3 10.10.10.12; F0/6 and F0/7 connect SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10.]
603
Option 1 Configuration
R1(config)#interface FastEthernet 0/1
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config)#interface FastEthernet 0/2
R1(config-if)#ip address 10.10.20.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config)#interface FastEthernet 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20

604
Router with separate interfaces - Disadvantages

You need a separate physical interface for every VLAN – you are liable to run out of interfaces
Traffic being routed within the campus has to go up and down physical Ethernet cables to the router

605
Inter-VLAN Routing Lab

606
Option 2: Router on a Stick
[Diagram: ROUTER with F0/2 203.0.113.1/24 towards the Wide Area Network. A single link from router F0/1 to switch F0/1 carries both VLANs; subinterface F0/1.10 is the ENG Default Gateway 10.10.10.1 and F0/1.20 the SALES Default Gateway 10.10.20.1. Switch F0/3 to F0/5 connect ENG PC1 10.10.10.10, ENG PC2 10.10.10.11 and ENG PC3 10.10.10.12; F0/6 and F0/7 connect SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10.]
607
Option 2 Configuration
R1(config)#interface FastEthernet 0/1
R1(config-if)#no ip address
R1(config-if)#no shutdown
R1(config)#interface FastEthernet 0/1.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 10.10.10.1 255.255.255.0
R1(config)#interface FastEthernet 0/1.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 10.10.20.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode trunk

608
Router on a Stick Considerations

You do not need a separate physical interface for every VLAN – you are
less likely to run out of interfaces
Traffic being routed within the campus has to go up and down the
same physical Ethernet cable to the router – there is more contention
for bandwidth than when using separate interfaces

609
Inter-VLAN Routing Lab

610
Option 3: Layer 3 Switch
[Diagram: the Layer 3 switch routes between its SVIs (Switched Virtual Interfaces): Interface VLAN 10 is the ENG Default Gateway 10.10.10.1 and Interface VLAN 20 the SALES Default Gateway 10.10.20.1. Switch F0/1 10.10.100.1/24 is a routed link to ROUTER F0/1 10.10.100.2/24; router F0/2 203.0.113.1/24 connects to the Wide Area Network. Switch F0/3 to F0/5 connect ENG PC1 10.10.10.10, ENG PC2 10.10.10.11 and ENG PC3 10.10.10.12; F0/6 and F0/7 connect SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10.]
611
Option 3 Inter-VLAN Routing Configuration
SW1(config)#ip routing
SW1(config)#interface vlan 10
SW1(config-if)#ip address 10.10.10.1 255.255.255.0
SW1(config)#interface vlan 20
SW1(config-if)#ip address 10.10.20.1 255.255.255.0

612
Option 3 WAN Routing Configuration
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.10.100.1 255.255.255.0
SW1(config)#ip route 0.0.0.0 0.0.0.0 10.10.100.2

R1(config)#interface FastEthernet 0/1
R1(config-if)#ip address 10.10.100.2 255.255.255.0
R1(config)#interface FastEthernet 0/2
R1(config-if)#ip address 203.0.113.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2
R1(config)#ip route 10.10.0.0 255.255.0.0 10.10.100.1

613
Layer 3 Switch Considerations

Traffic being routed within the campus is routed across the switch
backplane, it does not need to travel over physical cables to an
external router
You may still need an external router for WAN connectivity and
services

614
Layer 3 Switch Lab

615
DHCP – Dynamic Host Configuration Protocol

DHCP is a client/server protocol that automatically provides a host with its IP address and other related configuration information such as the subnet mask and default gateway.
DHCP clients obtain their IP configuration information from a DHCP server, rather than being manually configured.

616
DHCP – Dynamic Host Configuration Protocol

617
DHCP Benefits – Reduced Network Admin

Centralized and automated IP configuration, rather than manually assigning an IP address to every host.
Can assign additional IP configuration values by means of DHCP options.
Efficient handling of clients that must be updated frequently, such as laptops that move to different locations on a wireless network.
The forwarding of initial DHCP messages by using a DHCP relay agent, which eliminates the need for a DHCP server on every subnet.

618
DHCP Benefits - Reliable IP address configuration

DHCP minimizes configuration errors caused by manual IP address configuration, such as typos, or address conflicts caused by the assignment of an IP address to more than one computer at the same time.

619
DHCP Clients

Desktop PCs are good candidates to be DHCP clients because there will
typically be many of them in an office. Using DHCP saves a lot of admin
work that would be necessary if manually configuring IP addresses.
They do not accept incoming connections so it does not matter if their
IP address changes.

620
DHCP Clients

Servers and network infrastructure devices such as routers and switches will not typically be DHCP clients.
They are mission critical devices which do not move and are required for the network and its services to function.
Their IP addresses are manually configured to ensure they will not change and are not dependent on DHCP.

621
Option 1: Cisco DHCP Server Configuration

628
Option 1: Cisco DHCP Server Configuration
R1(config)#ip dhcp excluded-address 10.10.10.1 10.10.10.10
R1(config)#ip dhcp pool 10.10.10.0_Clients
R1(dhcp-config)#network 10.10.10.0 255.255.255.0
R1(dhcp-config)#default-router 10.10.10.1
R1(dhcp-config)#dns-server 10.10.20.10

629
Verification – show ip dhcp pool
R1#show ip dhcp pool

Pool 10.10.10.0_Clients :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 2
Excluded addresses : 1
Pending event : none

1 subnet is currently in the pool


Current index IP address range Leased/Excluded/Total
10.10.10.1 10.10.10.1 - 10.10.10.254 2 / 1 / 254

630
Verification – show ip dhcp binding

631
Lab

632
Option 2: External DHCP Server Configuration

[Diagram: the client broadcasts its DHCP Request (broadcast) on its own subnet; R1 relays it to the external DHCP server 10.10.20.10 on another subnet.]

633
Option 2: External DHCP Server Configuration

R1(config)#interface f0/1
R1(config-if)#ip helper-address 10.10.20.10

The helper address is configured on the interface facing the clients. The router picks up the clients' broadcast DHCP messages and forwards them as unicast to 10.10.20.10, inserting its own interface address as the relay (gateway) address so the server can choose a pool from the right subnet.

634
Configuring a Cisco Router as a DHCP Client

Cisco routers are typically manually configured with static IP addresses
An exception to this is where an office is connected to the Internet but has not bought static public IP addresses (because it does not contain any publicly available servers which would need a fixed IP address for incoming connections)
The office still requires a public IP address to allow internal hosts outbound connectivity to the Internet through NAT
In this case the router will receive the public IP address on its outside interface from the Internet service provider via DHCP

635
Configuring a Cisco Router as a DHCP Client
R1(config)#interface f0/0
R1(config-if)#ip address dhcp
R1(config-if)#no shutdown

636
Verification – show dhcp lease
R1#show dhcp lease
Temp IP addr: 203.0.113.2 for peer on Interface: FastEthernet0/0
Temp sub net mask: 255.255.255.0
DHCP Lease server: 203.0.113.1 , state: Bound
DHCP Transaction id: 64B8EE07
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 203.0.113.1
Next timer fires after: 11:53:13
Retry count: 0 Client-ID:cisco-0001.63C2.9701-Fa0/0
Client-ID hex dump: 636973636F2D303030312E363343322E
93730312D4661302F30
Hostname: R1

637
Access Layer Switch Security Mechanisms

DHCP Snooping
DAI Dynamic ARP Inspection
802.1X Identity Based Networking

Port Security

638
External DHCP Server Configuration

R1(config)#interface f0/1
R1(config-if)#ip helper-address 10.10.20.10

639
Rogue DHCP Server

640
DHCP Snooping

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#int f0/1
SW1(config-if)#ip dhcp snooping trust

When DHCP Snooping is enabled, DHCP Server responses (OFFER and ACK) are dropped if they don't arrive on a trusted port. Trust only the ports that lead to the legitimate DHCP server, here the uplink f0/1 towards R1; leave host-facing access ports untrusted so a rogue server on a PC port cannot answer clients. The switch also records each completed lease (MAC address, IP address, VLAN and port) in its DHCP snooping binding table, which Dynamic ARP Inspection uses.

641
ARP Address Resolution Protocol
PC1: 10.10.10.10/24, MAC 1.1.1, DG 10.10.10.1. R1: 10.10.10.1/24, MAC 2.2.2.
PC1 broadcasts an ARP Request: I'm looking for 10.10.10.1, what's your MAC address?

642
ARP Address Resolution Protocol
R1 replies: I'm 10.10.10.1, my MAC address is 2.2.2
R1 ARP Cache: 10.10.10.10 = 1.1.1
PC1 ARP Cache: 10.10.10.1 = 2.2.2

643
ARP Address Resolution Protocol
PC1 sends to R1: IP 10.10.10.10 > 10.10.10.1, MAC 1.1.1 > 2.2.2
R1 ARP Cache: 10.10.10.10 = 1.1.1
PC1 ARP Cache: 10.10.10.1 = 2.2.2

644
ARP Address Resolution Protocol
R1 sends to PC1: IP 10.10.10.1 > 10.10.10.10, MAC 2.2.2 > 1.1.1
R1 ARP Cache: 10.10.10.10 = 1.1.1
PC1 ARP Cache: 10.10.10.1 = 2.2.2

645
Man in the Middle ARP Spoofing
Attacker: 10.10.10.100/24, MAC 3.3.3, on the same VLAN as PC1 (10.10.10.10, MAC 1.1.1) and R1 (10.10.10.1, MAC 2.2.2).
Attacker sends a Gratuitous ARP: 'I am 10.10.10.1, my MAC address is 3.3.3'
R1 ARP Cache: 10.10.10.10 = 1.1.1
PC1 ARP Cache: 10.10.10.1 = 2.2.2

646
Man in the Middle ARP Spoofing
PC1 accepts the unsolicited reply and overwrites its entry for the gateway.
R1 ARP Cache: 10.10.10.10 = 1.1.1
PC1 ARP Cache: 10.10.10.1 = 3.3.3 (poisoned)

647
Man in the Middle ARP Spoofing
Attacker sends a Gratuitous ARP: 'I am 10.10.10.10, my MAC address is 3.3.3'
R1 ARP Cache: 10.10.10.10 = 1.1.1
PC1 ARP Cache: 10.10.10.1 = 3.3.3

648
Man in the Middle ARP Spoofing
R1 accepts it and overwrites its entry for PC1. Both ends now resolve each other to the attacker's MAC address.
R1 ARP Cache: 10.10.10.10 = 3.3.3 (poisoned)
PC1 ARP Cache: 10.10.10.1 = 3.3.3 (poisoned)

649
Man in the Middle ARP Spoofing
PC1 sends to its gateway: IP 10.10.10.10 > 10.10.10.1, MAC 1.1.1 > 3.3.3. The frame is delivered to the attacker.
R1 ARP Cache: 10.10.10.10 = 3.3.3
PC1 ARP Cache: 10.10.10.1 = 3.3.3

650
Man in the Middle ARP Spoofing
Attacker forwards it on after reading (or modifying) it: IP 10.10.10.10 > 10.10.10.1, MAC 3.3.3 > 2.2.2
R1 ARP Cache: 10.10.10.10 = 3.3.3
PC1 ARP Cache: 10.10.10.1 = 3.3.3

651
Man in the Middle ARP Spoofing
R1 replies: IP 10.10.10.1 > 10.10.10.10, MAC 2.2.2 > 3.3.3. The return traffic is also delivered to the attacker.
R1 ARP Cache: 10.10.10.10 = 3.3.3
PC1 ARP Cache: 10.10.10.1 = 3.3.3

652
Man in the Middle ARP Spoofing
Attacker forwards it on: IP 10.10.10.1 > 10.10.10.10, MAC 3.3.3 > 1.1.1. The IP addresses never change, so PC1 and R1 see normal traffic and neither notices the attacker in the path.
R1 ARP Cache: 10.10.10.10 = 3.3.3
PC1 ARP Cache: 10.10.10.1 = 3.3.3

653
Dynamic ARP Inspection DAI

When you enable DHCP snooping, the switch inspects the DHCP traffic and keeps track of which IP addresses were assigned to which MAC addresses
For example, PC1 with MAC address 1.1.1 was assigned IP address 10.10.10.10
If invalid ARP traffic tries to pass through the switch, for example 3.3.3 saying it is 10.10.10.10 (or 10.10.10.1), the switch drops the traffic because the sender MAC and IP do not match any entry in the binding table

654
DAI Configuration

SW1(config)#int f0/1
SW1(config-if)#ip arp inspection trust
!
SW1(config)#ip arp inspection vlan 10

DAI is not performed on trusted ports. Trust the uplink towards the router and DHCP server, and the ports of hosts that have static IP addresses: a non-DHCP client has no entry in the snooping binding table, so its ARP packets would otherwise be dropped.

655
Dynamic ARP Inspection DAI

SBH-SW2(config)#int g1/0/23
SBH-SW2(config-if)#ip arp inspection trust
!
SBH-SW2(config)#ip arp inspection vlan 12

656
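An added Python model, not course material, of how DHCP snooping and DAI work together against the rogue DHCP server and ARP spoofing scenarios shown on the preceding slides: server messages are only accepted from the trusted port, every completed lease populates the binding table, and ARP on untrusted ports is checked against that table. Port names, the abbreviated MAC addresses (1.1.1, 2.2.2, 3.3.3 as on the slides) and the message objects are constructed for the example; a real switch keys its bindings on MAC, IP, VLAN and port, which this model simplifies to MAC and IP.

```python
from dataclasses import dataclass, field


@dataclass
class DhcpMsg:
    kind: str          # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    yiaddr: str = ""   # address the server is handing out (OFFER / ACK only)


@dataclass
class ArpMsg:
    op: str            # "request" or "reply" (a gratuitous ARP is a reply nobody asked for)
    sender_mac: str
    sender_ip: str


@dataclass
class AccessSwitch:
    """DHCP snooping and DAI as applied on one VLAN of an access-layer switch."""
    trusted: set = field(default_factory=set)      # ip dhcp snooping trust / ip arp inspection trust
    bindings: dict = field(default_factory=dict)   # MAC -> IP: the DHCP snooping binding table
    log: list = field(default_factory=list)

    def dhcp(self, port, msg):
        """Server-to-client messages are only accepted from trusted ports."""
        if msg.kind in ("OFFER", "ACK") and port not in self.trusted:
            self.log.append("DROP DHCP %s from untrusted %s (rogue server)" % (msg.kind, port))
            return False
        if msg.kind == "ACK":                          # a completed lease populates the table
            self.bindings[msg.client_mac] = msg.yiaddr
        return True

    def arp(self, port, msg):
        """On untrusted ports the sender MAC/IP pair must match a binding."""
        if port in self.trusted:
            return True
        if self.bindings.get(msg.sender_mac) != msg.sender_ip:
            self.log.append("DROP ARP %s '%s is-at %s' on %s"
                            % (msg.op, msg.sender_ip, msg.sender_mac, port))
            return False
        return True


def demo():
    """Replays the slides: R1 (2.2.2) behind trusted f0/1, PC1 (1.1.1) on f0/2, attacker (3.3.3) on f0/3."""
    sw = AccessSwitch(trusted={"f0/1"})
    r = {}
    # Normal lease: DISCOVER from PC1, OFFER and ACK from the real server via the trusted uplink
    r["discover"] = sw.dhcp("f0/2", DhcpMsg("DISCOVER", "1.1.1"))
    r["offer"] = sw.dhcp("f0/1", DhcpMsg("OFFER", "1.1.1", "10.10.10.10"))
    r["ack"] = sw.dhcp("f0/1", DhcpMsg("ACK", "1.1.1", "10.10.10.10"))
    # Rogue DHCP server on f0/3 tries to hand out its own lease (and gateway)
    r["rogue_offer"] = sw.dhcp("f0/3", DhcpMsg("OFFER", "1.1.1", "10.10.10.50"))
    # Gratuitous ARP claiming the gateway: the first step of the MITM on the slides
    r["spoof_gateway"] = sw.arp("f0/3", ArpMsg("reply", "3.3.3", "10.10.10.1"))
    # Gratuitous ARP claiming PC1's address: the second step
    r["spoof_pc1"] = sw.arp("f0/3", ArpMsg("reply", "3.3.3", "10.10.10.10"))
    # Legitimate ARP: PC1 asking for the gateway, and R1 answering from the trusted port
    r["pc1_request"] = sw.arp("f0/2", ArpMsg("request", "1.1.1", "10.10.10.10"))
    r["r1_reply"] = sw.arp("f0/1", ArpMsg("reply", "2.2.2", "10.10.10.1"))
    # A host with a static IP and no binding is dropped too: trust its port or add an ARP ACL
    r["static_host"] = sw.arp("f0/4", ArpMsg("request", "4.4.4", "10.10.10.200"))
    r["bindings"] = dict(sw.bindings)
    r["drops"] = len(sw.log)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last case is the one that bites in practice: a printer or server with a static address on an untrusted port loses ARP entirely once DAI is on, so inventory the non-DHCP hosts in the VLAN before enabling it.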
802.1X Identity Based Networking

When 802.1X is enabled, only authentication traffic is allowed on switch ports until the host and user are authenticated
When the user has entered a valid username and password, the switch port transitions to a normal access port in the relevant VLAN

657
802.1X Identity Based Networking

658
Shut Down Unused Interfaces

Best practice is to administratively shut down unused switch ports
This stops somebody getting access to the network if they physically connect to the port

SW1(config)#int f0/2
SW1(config-if)#shutdown

659
Port Security

Port Security enables an administrator to specify which MAC address or addresses can send traffic in to an individual switch port.
This can be used to lock a port down to a particular host or hosts

[Diagram: switch port f0/2, Allowed MAC 1.1.1; PC1 with MAC 1.1.1 is connected.]

660
Port Security

[Diagram: PC1 (MAC 1.1.1) sends traffic into f0/2 (Allowed MAC 1.1.1): the traffic is forwarded.]

661
Port Security

[Diagram: PC2 (MAC 2.2.2) is plugged into f0/2 (Allowed MAC 1.1.1): its traffic is not allowed.]

662
Port Security
It is easy to spoof a MAC address, so locking ports down to a specific host is not usually Port Security's main role in production networks
Port Security can also configure individual switch ports to allow only a specified number of source MAC addresses to send traffic in to the port
It can learn connected MAC addresses

[Diagram: f0/2, Allow 1 MAC address; PC1 with MAC 1.1.1 connects and its address is learned: Learned MAC 1.1.1.]

663
Port Security
This is useful to prevent users from adding Wireless Access Points or other shared devices

[Diagram: PC1 (MAC 1.1.1) and PC2 (MAC 2.2.2) both reach f0/2 through a shared device; the port allows 1 MAC address and has learned 1.1.1, so traffic from PC2 is a violation.]

664
Port Security Configuration

SW1(config)#int f0/2
SW1(config-if)#switchport port-security

665
Port Security Default Behaviour

If you configure Port Security with no additional parameters then only one MAC address is allowed to transmit on the port
The current MAC address can be disconnected and replaced. The port is not locked down to a particular MAC address
If a shared device is connected and multiple hosts try to transmit the port will be shut down

666
Port Security Verification - Defaults
SW1#show port-security interface f0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0CA0.A359:1
Security Violation Count : 0

667
Security Violation Actions
You have three options when an unauthorised MAC address sends traffic
in to the port:
Shutdown (Default): The interface is placed into the error-disabled
state, blocking all traffic
Protect: Traffic from unauthorised addresses is dropped. Traffic from
allowed addresses is forwarded
Restrict: Traffic from unauthorised addresses is dropped, logged and the
violation counter incremented. Traffic from allowed addresses is
forwarded

668
Violation Action Configuration
SW1(config)#int f0/2
SW1(config-if)# switchport port-security violation protect

SW1(config-if)# switchport port-security violation restrict

669
Error-Disabled Interfaces

If the Violation Action is set to Shutdown and a violation occurs, the port will move to an error-disabled state
To bring an error-disabled interface back into service:
Physically remove the host with the offending MAC address
Manually shutdown then no shutdown the interface

670
Auto-Recovery

You can bring error disabled ports back into service automatically after they have been disabled for a configurable period of time (in seconds)

SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 600

671
Maximum MAC Addresses
When Port Security is enabled the maximum number of MAC addresses allowed to send traffic into the interface is one by default
This can be increased if multiple hosts share the port, for example an IP phone with a PC plugged into the back of it

SW1(config)# interface f0/2
SW1(config-if)# switchport port-security maximum 2

672
Maximum MAC Addresses
SW1#show port-security int f0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0CA0.A359:1
Security Violation Count : 0

673
Manually Adding MAC Addresses

You can statically configure allowed MAC addresses if you want to lock the port down to a particular host:

SW1(config)# interface f0/10
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address 1111.2222.3333
SW1(config-if)# switchport port-security maximum 1

674
MAC Address Learning
Scenario: You have 1000 authorised hosts connected to the network. You
want to lock the ports down to these particular hosts
Manually adding the MAC addresses is not a scalable solution
Sticky MAC addresses add the learned MAC address to the running
configuration. Save to the startup config to make them permanent
SW1(config)# interface f0/2
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address sticky

675
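An added Python model of the Port Security behaviour covered on the slides above; it is not IOS code and not part of the course. It models one secure port with a maximum address count, the shutdown, protect and restrict violation actions, dynamic versus sticky learning, and errdisable recovery. The demo() function walks through the slides' scenarios; port names and MAC addresses (abbreviated as on the slides) are constructed inputs, and the assumption that a link-down event clears dynamically learned addresses but keeps sticky and static ones is what makes "disconnect and replace" work on a default port.

```python
class SecurePort:
    """One switch port with switchport port-security enabled (model, not IOS code)."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        self.name = name
        self.maximum = maximum               # switchport port-security maximum N
        self.violation = violation           # shutdown (default), protect or restrict
        self.sticky = sticky                 # switchport port-security mac-address sticky
        self.static = set(static)            # switchport port-security mac-address X
        self.learned = []                    # dynamically learned secure addresses
        self.err_disabled = False
        self.violation_count = 0
        self.running_config = []             # lines a sticky port writes to the running config

    @property
    def secure_macs(self):
        return self.static | set(self.learned)

    def ingress(self, mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if self.err_disabled:
            return "drop"                    # port is down: nothing passes
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.learned.append(mac)         # room left: learn the address
            if self.sticky:
                self.running_config.append(
                    "switchport port-security mac-address sticky %s" % mac)
            return "forward"
        # The table is full and this MAC is not in it: a security violation
        if self.violation == "shutdown":
            self.err_disabled = True         # port goes error-disabled, everything is blocked
            self.violation_count += 1
        elif self.violation == "restrict":
            self.violation_count += 1        # dropped, logged and counted
        return "drop"                        # protect: dropped silently

    def link_down(self):
        """Unplugging the host removes dynamic secure addresses; sticky and static ones stay."""
        if not self.sticky:
            self.learned.clear()

    def recover(self):
        """errdisable recovery, or a manual shutdown / no shutdown."""
        self.err_disabled = False
        self.link_down()


def demo():
    """Walks through the slides' scenarios; MAC addresses abbreviated as on the slides."""
    r = {}
    default = SecurePort("f0/2")             # defaults: maximum 1, violation shutdown
    r["default"] = [default.ingress("1.1.1"), default.ingress("2.2.2"), default.ingress("1.1.1")]
    r["default_errdisabled"] = default.err_disabled
    default.recover()                        # offending host removed, port bounced
    r["replaced_host"] = default.ingress("2.2.2")   # a different host may now use the port
    protect = SecurePort("f0/3", violation="protect")
    r["protect"] = [protect.ingress("1.1.1"), protect.ingress("2.2.2"), protect.ingress("1.1.1")]
    r["protect_count"] = protect.violation_count
    restrict = SecurePort("f0/4", violation="restrict")
    r["restrict"] = [restrict.ingress("1.1.1"), restrict.ingress("2.2.2"), restrict.ingress("2.2.2")]
    r["restrict_count"] = restrict.violation_count
    phone_pc = SecurePort("f0/5", maximum=2)  # IP phone with a PC plugged into the back of it
    r["phone_pc"] = [phone_pc.ingress("a.a.a"), phone_pc.ingress("b.b.b"), phone_pc.ingress("c.c.c")]
    sticky = SecurePort("f0/6", sticky=True, violation="restrict")
    sticky.ingress("1.1.1")
    sticky.link_down()                       # the sticky address survives the host being unplugged
    r["sticky_config"] = list(sticky.running_config)
    r["sticky_after_bounce"] = [sticky.ingress("2.2.2"), sticky.ingress("1.1.1")]
    locked = SecurePort("f0/10", static=["1111.2222.3333"])
    r["static"] = [locked.ingress("1111.2222.3333"), locked.ingress("aaaa.bbbb.cccc")]
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note the difference between protect and restrict in the results: both drop the second host and keep forwarding the first, but only restrict increments the counter that show port-security reports, which is what you want when someone has quietly added a hub under a desk.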
Verify Port Security Addresses

676
View Summary Information

677
Access Control Lists

An ACL identifies traffic based on characteristics of the packet such as source IP address, destination IP address, port number
The router or switch can take an action based on the result of the ACL
ACLs are supported on both routers and switches. I will refer to 'routers' throughout this section

678
Access Control Lists for Security

The original use of ACLs was as a security feature to decide if traffic should be allowed to pass through the router
By default a router will allow all traffic to pass between its interfaces
When ACLs are applied the router identifies traffic and then decides if it will be allowed or not

679
Access Control Lists

ACLs are also used in other software policies when traffic has to be identified, for example:
Identify traffic to give better service to in a QoS Quality of Service policy
Identify traffic to translate to a different IP address in a NAT Network Address Translation policy

680
ACE Access Control Entries

Access Control Lists are made up of Access Control Entries which are a
series of permit or deny rules
Each ACE is written in a separate line

681
ACE Access Control Entry Example

R2(config)# access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23

Field by field:
No. 100 | Action deny | Protocol tcp
Source: IP 10.10.30.0 | Wildcard 0.0.0.255 | Qualifier gt | Port 49151
Destination: IP 10.10.20.1 | Wildcard 0.0.0.0 | Qualifier eq | Port 23

682
Access Control List Example
R1(config)# access-list 100 deny tcp 10.10.10.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.10.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 deny tcp 10.10.20.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.20.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq 23

683
Standard vs Extended ACLs
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
! truncated

685
Original Implementation: Standard vs Extended ACLs

Standard ACLs reference the source address only
Extended ACLs check based on the protocol, source address, destination address, and port number

Standard ACL Range: 1 – 99
Extended ACL Range: 100 - 199

686
ACL Improvement: Expanded Ranges

Cisco expanded the original ACL Ranges
Standard: 1-99, 1300-1999
Extended: 100-199, 2000-2699

687
Standard Access List Example
R1(config)# access-list 1 deny 10.10.10.10 0.0.0.0
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255

688
Standard Access List Example
The default wildcard mask for a Standard ACL is 0.0.0.0, meaning an individual host address.
R1(config)# access-list 1 deny 10.10.10.10

Do not forget to enter the wildcard when specifying an IP subnet. The entry below does NOT deny the 10.10.10.0/24 subnet; with the default 0.0.0.0 wildcard it matches only the single address 10.10.10.0, and every other host in the subnet falls through to the next line.
R1(config)# access-list 1 deny 10.10.10.0

689
Extended Access List Example
R1(config)# access-list 100 deny tcp 10.10.10.10 0.0.0.0 gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.10.10.0 0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet

690
Extended Access List Example
There is no default wildcard mask for Extended ACLs, so the parser expects a wildcard after each address and rejects the command below at the point where the source wildcard should be. (Note also that ‘ge’ is not an IOS port operator; the qualifiers are lt, gt, eq, neq and range.)

R1(config)#access-list 150 deny tcp 10.10.10.10 ge 1024 10.10.50.10 eq 23
                                               ^
% Invalid input detected at '^' marker.

691
ACL Improvement: Named ACLs
You can now reference ACLs by number or by a name
Named ACLs begin with the command ‘ip access-list’ instead of
‘access-list’

R1(config)#ip access-list ?
extended Extended Access List
standard Standard Access List
! truncated

692
Named ACL Syntax
R1(config)#ip access-list standard Flackbox-Demo
R1(config-std-nacl)#deny 10.10.10.10 0.0.0.0
R1(config-std-nacl)#permit 10.10.10.0 0.0.0.255

694
ACL Action
R1(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
! Truncated

695
ACL Protocol
R1(config)#access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
! truncated

696
ACL Protocol
Use TCP or UDP if you want the ACE to apply to traffic for a particular application between a source and destination address

R1(config)#access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 80

697
ACL Protocol
Use IP if you want the ACE to apply to all traffic between a source and destination address

R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255

698
ACL Source
R1(config)#access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host

699
Wildcards
The ‘host’ and ‘any’ keywords save you typing out the wildcard mask
These examples mean the same thing:

R1(config)#access-list 100 permit tcp 10.10.10.10 0.0.0.0
R1(config)#access-list 100 permit tcp host 10.10.10.10

R1(config)#access-list 100 permit tcp 0.0.0.0 255.255.255.255
R1(config)#access-list 100 permit tcp any

700
Source Port Number
Specifying the source port number is optional, it defaults to any port

R1(config)#access-list 100 permit tcp 10.10.10.0 0.0.0.255 ?


A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers

701
Destination Address
The destination address uses the same format as the source address

R1(config)#access-list 100 permit tcp host 10.10.10.10 10.10.20.0 0.0.0.255

702
Final Options
Additional options are available after entering the destination address such as destination port,
TCP flags and logging.

R1(config)#access-list 100 permit tcp host 10.10.10.10 10.10.20.0 0.0.0.255 ?


ack Match on the ACK bit
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
urg Match on the URG bit

703
Complete ACE Example
R1(config)#access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log

704
Verification – show access-lists
R2#sh access-lists 100
Extended IP access list 100
permit tcp host 10.10.30.10 host 10.10.20.1 eq telnet (13 match(es))
deny tcp 10.10.30.0 0.0.0.255 host 10.10.20.1 eq telnet (4 match(es))

The ‘log’ keyword is not required to record hit counts; the match counters shown above are kept for every ACE regardless. ‘log’ additionally sends a message for each match to the console or to an external syslog server

705
Access Groups

ACLs are applied at the interface level with the Access-Group command
ACLs can be applied in the inbound or outbound direction
You can have a maximum of one ACL per interface per direction
You can have both an inbound and an outbound ACL on the same
interface, but not 2 inbound or outbound ACLs
An interface can have no ACL applied, an inbound ACL only, an
outbound ACL only, or ACLs in both directions

706
Access-Group Configuration
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group 100 out
R1(config-if)# ip access-group 101 in

707
Access-Group Configuration – show ip interface
R3#show ip interface f1/0 | include access list
Outgoing access list is 100
Inbound access list is 101

(‘not set’ if ACL is not applied)

708
Access Control Entry Order

The ACL is read by the router from top to bottom
As soon as a rule matches the packet, the permit or deny action is applied and the ACL is not processed any further
The order of rules is important

709
Access Control Entry Order

This will deny 10.10.10.10 but permit the rest of the 10.10.10.0/24 subnet
R1(config)# access-list 1 deny host 10.10.10.10
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255

This will permit all of the 10.10.10.0/24 subnet including 10.10.10.10


R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
R1(config)# access-list 1 deny host 10.10.10.10

710
Injecting ACEs in an Existing ACL

ACEs are automatically numbered in increments of 10

R1#sh access-lists 110


Extended IP access list 110
10 deny tcp host 10.10.10.10 host 10.10.50.10 eq telnet
20 permit tcp 10.10.10.0 0.0.0.255 host 10.10.50.10 eq telnet
30 deny tcp host 10.10.20.10 host 10.10.50.10 eq telnet
40 permit tcp 10.20.10.0 0.0.0.255 host 10.10.50.10 eq telnet

711
Injecting ACEs in an Existing ACL
Support for injecting ACEs in an existing ACL started in Named ACLs but is
also supported in Numbered ACLs now

R1(config)#ip access-list extended 110


R1(config-ext-nacl)#15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet

R1#sh access-lists 110


Extended IP access list 110
10 deny tcp host 10.10.10.10 host 10.10.50.10 eq telnet
15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet
20 permit tcp 10.10.10.0 0.0.0.255 host 10.10.50.10 eq telnet
30 deny tcp host 10.10.20.10 host 10.10.50.10 eq telnet
40 permit tcp 10.20.10.0 0.0.0.255 host 10.10.50.10 eq telnet

712
Implicit Deny All

There is an implicit ‘deny any any’ rule at the bottom of ACLs


If an ACL is not applied to an interface, all traffic is allowed
If an ACL is applied, all traffic is denied except what is explicitly allowed

Traffic from 10.10.10.0/24 will be permitted, everything else is denied


R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255

713
Explicit Deny All

Many organisations include an explicit deny all at the end of ACLs so that denied traffic is logged. The implicit deny generates no log messages and keeps no hit counter, so without this line you cannot see what is being dropped

R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
R1(config)# access-list 1 deny any log

714
Explicit Permit All

If an ACL is applied, all traffic is denied except what is explicitly allowed


If you want to reverse this so that all traffic is permitted except what is
explicitly denied, add a permit all statement to the end of the ACL

Traffic from 10.10.10.0/24 is denied, everything else is permitted


R1(config)# access-list 1 deny 10.10.10.0 0.0.0.255
R1(config)# access-list 1 permit any
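The following Python program is an added example, not part of the course material. It models the ACL behaviour covered in the preceding slides (first-match evaluation, wildcard masks, the implicit deny, the effect of ACE ordering and the ‘permit any’ inversion) together with the missing-wildcard trap from the Standard Access List example. The ACE and packet structures, the sequence numbers and the test packets are constructed for the example; only the addresses come from the slides.

```python
"""First-match evaluation of Cisco-style ACLs with wildcard masks.

Added example (not from the course): models how a router walks an ACL
top to bottom, applies the first matching ACE, and falls through to the
implicit 'deny any any'. The ACL contents below are taken from the
slides; the Packet/ACE structures and sequence numbers are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass
class ACE:
    action: str                       # 'permit' or 'deny'
    src: str
    src_wc: str = "0.0.0.0"           # a standard ACL defaults to a single host
    proto: str = "ip"                 # 'ip' matches every protocol (like the IOS keyword)
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # 'any' unless the caller narrows it
    dst_port: Optional[int] = None    # None = any port (no 'eq' qualifier)

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


def evaluate(acl: List[ACE], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching ACE.

    Sequence numbers follow the IOS 10, 20, 30 ... convention; None means the
    packet fell through to the implicit deny at the end of the list.
    """
    for n, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, n * 10
    return "deny", None


def packet(src: str, dst: str = "10.10.50.10", proto: str = "tcp", dport: int = 23) -> dict:
    """Constructed test packet; defaults mirror the Telnet examples in the slides."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# Deny one host, permit the rest of its /24 ...
DENY_HOST_FIRST = [ACE("deny", "10.10.10.10"), ACE("permit", "10.10.10.0", "0.0.0.255")]
# ... versus the same two lines reversed, where the deny is never reached.
PERMIT_SUBNET_FIRST = list(reversed(DENY_HOST_FIRST))
# Blacklist style: everything not explicitly denied is permitted.
DENY_SUBNET_PERMIT_ANY = [ACE("deny", "10.10.10.0", "0.0.0.255"), ACE("permit", "0.0.0.0", "255.255.255.255")]
# The forgotten-wildcard trap: this 'deny' matches only the single address 10.10.10.0.
MISSING_WILDCARD = [ACE("deny", "10.10.10.0"), ACE("permit", "0.0.0.0", "255.255.255.255")]
# An extended ACL: deny Telnet from one host to the server, permit the /24.
EXTENDED = [
    ACE("deny", "10.10.10.10", proto="tcp", dst="10.10.50.10", dst_wc="0.0.0.0", dst_port=23),
    ACE("permit", "10.10.10.0", "0.0.0.255", proto="tcp", dst="10.10.50.10", dst_wc="0.0.0.0", dst_port=23),
]


if __name__ == "__main__":
    for name, acl in [("deny host first", DENY_HOST_FIRST), ("permit subnet first", PERMIT_SUBNET_FIRST),
                      ("missing wildcard", MISSING_WILDCARD)]:
        for src in ("10.10.10.10", "10.10.10.0", "10.10.10.20", "10.10.20.5"):
            print(f"{name:20} {src:12} -> {evaluate(acl, packet(src))}")
```

Running it shows the three points in one table: with the deny first, 10.10.10.10 hits sequence 10 and 10.10.10.20 hits the permit; with the permit first, 10.10.10.10 is permitted at sequence 10 and the deny is dead; with the wildcard missing, 10.10.10.5 is permitted by the ‘permit any’ because the deny only ever matched 10.10.10.0. Anything not from 10.10.10.0/24 returns sequence None, the implicit deny.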

715
Traffic Sourced from Router
ACLs applied to an interface do not apply to traffic which originates from the router itself
The hosts in the 10.1.1.0/24 subnet cannot Telnet to R2
An administrator can Telnet to R2 from the CLI on R1
R1(config)# access-list 100 deny tcp any any eq 23
R1(config)# interface f1/0
R1(config-if)# ip access-group 100 out

Topology: hosts 10.1.1.10 and 10.1.1.11 sit on 10.1.1.0/24 behind R1 F0/0 (10.1.1.1/24); R1 F1/0 (10.1.0.1) connects to R2 F1/0 (10.1.0.2) over the 10.1.0.0/24 link

716
How Stateful Firewalls Work
Stateful firewalls maintain a connection table which tracks the two-way
‘state’ of traffic passing through the firewall
Return traffic is permitted by default
Firewall rules example:
Deny all traffic from outside to inside
Permit outbound web traffic from 10.10.10.0/24

Topology: inside host 10.10.10.10, firewall, outside web server 203.0.113.10

717
How Stateful Firewalls Work
Traffic is allowed by the ‘Permit outbound web traffic from 10.10.10.0/24’ rule
Connection table: 10.10.10.10:49160 > 203.0.113.10:80

718
How Stateful Firewalls Work
Traffic from 203.0.113.10:80 > 10.10.10.10:49160 is permitted because it is valid return traffic for a connection in the connection table
This overrides the ‘Deny all traffic from outside to inside’ rule

719
How Stateful Firewalls Work
In this example the connection has not been initiated from the host on the
inside
Traffic from 203.0.113.10:80 > 10.10.10.10:49160 is dropped according to
the ‘deny all traffic from outside to inside’ rule

720
How Packet Filters Work

An Access Control List security policy is a packet filter


Packet filters do not maintain a connection table
They affect traffic in one direction only and do not track the state of
two way connections going through the router

721
How Packet Filters Work

If you have an ACL applied on the way out only, the return traffic will
be allowed because all traffic is allowed when an ACL is not applied
If you have ACLs applied in both directions, you will need explicit
entries to allow both the outbound and the return traffic

722
How Packet Filters Work
Access Control List example:
Inbound ACL on outside interface: Deny all traffic
Inbound ACL on inside interface: Permit web traffic from 10.10.10.0/24

Topology: inside host 10.10.10.10, router with ACLs, outside web server 203.0.113.10

723
How Packet Filters Work
Inbound ACL on inside interface: Permit web traffic from 10.10.10.0/24 allows traffic out to the web server
The connection is not tracked in a connection table

724
How Packet Filters Work
Traffic from 203.0.113.10:80 > 10.10.10.10:49160 is dropped because of Inbound ACL on outside interface: Deny all traffic

725
How Packet Filters Work
To allow the return traffic you need to remove the ‘deny all traffic from
outside to inside’ ACL on the outside interface
Or add ‘permit tcp any eq 80 10.10.10.0 0.0.0.255 range 49152 65535’
Neither is a secure option for a router connected to the Internet

726
Stateful Firewalls and Packet Filters
ACL packet filters on routers can add to an overall defence in depth
strategy
Standard practice is to use firewalls on major security boundaries, and
augment this with internal ACLs

727
The ‘Established’ Keyword
The ‘established’ keyword in an ACL only checks that the ACK or RST bit is set in the TCP header, which is true of all return traffic but equally true of any packet an attacker crafts with those bits set
This does not make the router a stateful firewall and it still does not keep a connection table!

R1(config)#access-list 100 permit tcp any eq 80 10.10.10.0 0.0.0.255 established
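The difference between a stateful firewall and an ACL with ‘established’ is easiest to see with both side by side. The Python below is an added example, not from the course: it models the firewall rules and the ACL from the preceding slides, then feeds both devices a normal web session and a crafted packet that has the ACK bit set but no corresponding connection. The Packet class, the probe source address 198.51.100.7 and the verdict strings are constructed for the example.

```python
"""Stateful firewall vs. stateless ACL with 'established'.

Added example (not from the course): a minimal model of the two mechanisms
described in the slides. Rules: deny all outside-to-inside, permit outbound
web from 10.10.10.0/24. The Packet class and the crafted probe packets are
constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Set, Tuple

INSIDE = ip_network("10.10.10.0/24")
Conn = Tuple[str, int, str, int]   # (inside ip, inside port, outside ip, outside port)


@dataclass(frozen=True)
class Packet:
    direction: str                  # 'outbound' (inside -> outside) or 'inbound'
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {'SYN'} or {'ACK'}


def outbound_web_permitted(p: Packet) -> bool:
    """'Permit outbound web traffic from 10.10.10.0/24' rule shared by both devices."""
    return ip_address(p.src) in INSIDE and p.dport == 80


class StatefulFirewall:
    """Keeps a connection table; inbound is only permitted as return traffic."""

    def __init__(self) -> None:
        self.connections: Set[Conn] = set()

    def filter(self, p: Packet) -> str:
        if p.direction == "outbound":
            if outbound_web_permitted(p):
                self.connections.add((p.src, p.sport, p.dst, p.dport))
                return "permit"
            return "deny"
        # Inbound: permitted only if it reverses a connection we saw leave.
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return "permit"
        return "deny"                     # 'deny all traffic from outside to inside'


class EstablishedACL:
    """Router packet filter: no table, just
    'permit tcp any eq 80 10.10.10.0 0.0.0.255 established' inbound on the
    outside interface, with the outbound web rule on the inside interface."""

    def filter(self, p: Packet) -> str:
        if p.direction == "outbound":
            return "permit" if outbound_web_permitted(p) else "deny"
        # 'established' matches when ACK or RST is set; nothing checks whether
        # a connection actually exists.
        if p.sport == 80 and ip_address(p.dst) in INSIDE and p.flags & {"ACK", "RST"}:
            return "permit"
        return "deny"


def run(device, packets: List[Packet]) -> List[str]:
    """Feed packets in order and collect the verdicts."""
    return [device.filter(p) for p in packets]


# A legitimate web session: SYN out, SYN/ACK back.
LEGIT = [
    Packet("outbound", "10.10.10.10", 49160, "203.0.113.10", 80, frozenset({"SYN"})),
    Packet("inbound", "203.0.113.10", 80, "10.10.10.10", 49160, frozenset({"SYN", "ACK"})),
]
# A crafted probe from an unrelated host: source port 80, ACK set, aimed at an
# inside port no connection was ever opened from (the ACK-scan pattern).
PROBE = [Packet("inbound", "198.51.100.7", 80, "10.10.10.10", 22, frozenset({"ACK"}))]
# A plain SYN from outside, which neither device should let through.
UNSOLICITED_SYN = [Packet("inbound", "198.51.100.7", 4444, "10.10.10.10", 22, frozenset({"SYN"}))]


if __name__ == "__main__":
    for name, device in (("stateful", StatefulFirewall()), ("established ACL", EstablishedACL())):
        print(name, "legit:", run(device, LEGIT), "probe:", run(device, PROBE),
              "syn:", run(device, UNSOLICITED_SYN))
```

Both devices pass the legitimate session and drop the bare SYN. The probe is where they differ: the stateless filter lets it reach port 22 on the inside host because its only check is the ACK bit, while the stateful firewall drops it because no outbound connection ever created the table entry. This is exactly what an ACK scan exploits to map which inside ports are reachable through a router ACL.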

728
IOS Firewall

You can configure a router as a stateful firewall with the IOS Firewall
feature set
This uses different commands than ACLs

729
RFC 1918 Private Addresses
The Internet Engineering Task Force (IETF) documents standards in RFCs (Requests For Comments)
RFC 1918 specifies private IP address ranges which are not routable on
the public internet

730
RFC 1918 Private Addresses
Private addresses were originally designed for hosts which should have
no internet connectivity
Public IP addresses cost money
If an organisation has a part of their network where the hosts need to
communicate with each other over IP, but do not require connectivity
to the Internet, they can assign private IP addresses

731
RFC 1918 Private Addresses
There is a range of private addresses in each address class.
10.0.0.0 – 10.255.255.255
‒ 10.0.0.0/8
‒ 10.0.0.0 255.0.0.0
172.16.0.0 – 172.31.255.255
‒ 172.16.0.0/12
‒ 172.16.0.0 255.240.0.0
192.168.0.0 – 192.168.255.255
‒ 192.168.0.0/16
‒ 192.168.0.0 255.255.0.0
732
The IPv4 Global Address Space Problem
The designers of IPv4 did not envision the explosive growth of its use
4.3 billion addresses seemed more than enough
The protocol is not particularly efficient in its use of the available
space, with many addresses being wasted

733
IPv6
The Internet authorities started to predict address exhaustion in the
late 1980’s, and IPv6 was developed in the 90’s as the long term
solution
IPv6 uses a 128 bit address, compared to IPv4’s 32 bit address
IPv6 provides more than 7.9×10^28 times as many addresses as IPv4

734
The IPv6 Problem and NAT
There is not a seamless migration path from IPv4 to IPv6
NAT (Network Address Translation) was implemented as a temporary
workaround to mitigate the lack of IPv4 addresses until organisations
had time to migrate to IPv6

735
The IPv6 Problem and NAT
An organisation can use private IP addresses on their inside network,
but still grant their hosts Internet access by translating them to their
outside public IP addresses
Many hosts on the inside can share a few or a single public IP address
on the outside

736
Private Addresses and NAT

Two offices connected to the Internet:
Office A: public 203.0.113.1/28 (14 addresses), private 192.168.10.0/24 with 200 hosts
Office B: public 203.0.113.16/29 (6 addresses), private 192.168.10.0/24 with 100 hosts
Both offices can reuse the same private range because it is never exposed beyond their NAT device

737
Today’s Networks
Many industry experts predicted in the early 2000’s that IPv6 would be
ubiquitous within a few years
It hasn’t worked out that way – most enterprises today use RFC 1918 IPv4 addresses with NAT
RFC 1918 addressing with NAT hides inside hosts by default (they don’t have a publicly routable IP address, so unsolicited inbound traffic has no translation to match). Treat this as a side effect rather than a security control: it is not a substitute for a firewall policy. Network engineers also have more experience with IPv4 than v6

738
NAT Types
Static NAT – permanent one-to-one mapping usually between a
public and private IP address. Used for servers which must accept
incoming connections.
Dynamic NAT – uses a pool of public addresses which are given out on
an as needed first come first served basis. Usually used for internal
hosts which need to connect to the Internet but do not accept
incoming connections.
PAT (Port Address Translation)– allows the same IP address to be
reused.

739
NAT Lab

740
Static NAT Scenario
We have bought the range of public IP addresses 203.0.113.0/28 from
our service provider
203.0.113.2 is used on the outside interface on our Internet edge
router R1
203.0.113.1 is used as the default gateway address. It is the SP1 router
on the other side of the link
203.0.113.3 – 203.0.113.14 remain available

741
Static NAT Scenario
Int-S1 at 10.0.1.10 is an internal web server which needs to accept
incoming connections from the Internet
We need to assign a fixed public IP address to accept incoming
connections. We will use the first available address 203.0.113.3
A static NAT translation is required to translate the public IP address
203.0.113.3 on F0/0 to 10.0.1.10 on F1/0 for incoming connections
The translation is bidirectional so will also translate 10.0.1.10 to
203.0.113.3 for outbound traffic from the server

742
Static NAT Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside

R1(config)#int f1/0
R1(config-if)#ip nat inside

R1(config)#ip nat inside source static 10.0.1.10 203.0.113.3

743
NAT Verification – show ip nat translation
R1#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 203.0.113.3:1 10.0.1.10:1 203.0.113.20:1 203.0.113.20:1
tcp 203.0.113.3:80 10.0.1.10:80 203.0.113.20:45849 203.0.113.20:45849
--- 203.0.113.3 10.0.1.10 --- ---

745
NAT Definitions
Inside local address—The IP address actually configured on the inside
host’s Operating System.
Inside global address— The NAT’d address of the inside host as it will
be reached by the outside network.
Outside local address—The IP address of the outside host as it
appears to the inside network.
Outside global address—The IP address assigned to the host on the
outside network by the host’s owner.

746
Outside Local vs Outside Global
Router R1 in our example knows one address to reach the outside host
(203.0.113.20) and does not translate that address.
For one way NAT, the Outside Local and Outside Global addresses will
be reported as being the same.

747
Two Way NAT

Company A (host A1, 10.10.10.0/24, translated to 10.10.20.0/24) and Company B (host B1, 10.10.10.0/24, translated to 10.10.30.0/24) are joined through R1. Both use the same private range, so R1 must translate both the source and the destination of each packet.

Translate the source address from 10.10.10.10 to 10.10.20.10
Translate the destination address from 10.10.30.10 to 10.10.10.10

748
Two Way NAT

Company A Company B
A1 B1

R1

10.10.10.0/24 10.10.10.0/24

A packet from A1 to B1 as recorded in the translation table:
Inside Local (source IP) | Inside Global (source IP) | Outside Local (destination IP) | Outside Global (destination IP)
10.10.10.10 | 10.10.20.10 | 10.10.30.10 | 10.10.10.10

750
NAT Lab

751
Dynamic NAT Scenario
We have bought the range of public IP addresses 203.0.113.0/28 from our
service provider
203.0.113.2 is used on the outside interface on our Internet edge router R1
203.0.113.1 is used as the default gateway address. It is the SP1 router on
the other side of the link
203.0.113.3 is used for a static NAT translation for the 10.0.1.10 web server
203.0.113.4 – 203.0.113.14 remain available

752
Dynamic NAT Scenario
The hosts in the 10.0.2.0/24 network do not accept incoming connections
so they don’t need a fixed public IP address with a static NAT translation
They do need outbound connectivity to the Internet so need to be
translated to a public IP address
We will use the remaining public addresses 203.0.113.4 - 14 as a NAT pool
The inside hosts will be translated to the public IP addresses on a first come
first served basis when they send traffic out
The first host to send traffic out will be translated to 203.0.113.4, the
second host to 203.0.113.5 etc., up to 203.0.113.14 at the end of the pool

753
Dynamic NAT Scenario
With standard dynamic NAT you need a public IP address for every
inside host which needs to communicate with the outside
If you have 30 hosts, you need 30 public IP addresses
When all the addresses in the pool have been used, new outbound
connections from other inside hosts will fail because there will be no
addresses left to translate them to
These hosts would have to wait for existing connections to be torn
down and the translations to be released back into the pool when they
time out

754
Dynamic NAT Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside

Configure the pool of global addresses.


R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.14 netmask 255.255.255.240

Create an access list which references the internal IP addresses we want to translate.
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

Associate the access list with the NAT pool to complete the configuration.
R1(config)#ip nat inside source list 1 pool Flackbox

756
clear ip nat translation
R1#clear ip nat translation can be used to remove
translations from the translation table
This can be useful when troubleshooting
It is also often required if you want to edit your NAT configuration –
the router will not allow changes when there are active translations
clear ip nat translation * will remove all dynamic
translations

757
NAT Verification – show ip nat statistics
R1#show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet2/0
Hits: 148 Misses: 0
CEF Translated packets: 148, CEF Punted packets: 0
Expired translations: 7
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 interface FastEthernet0/0 refcount 2
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0

759
Dynamic NAT Address Exhaustion
With standard dynamic NAT the inside hosts are translated to public IP
addresses on a first come first served basis when they send traffic out
This requires a public IP address for every inside host which
communicates with the outside network
When all the addresses in the pool have been used, new outbound
connections from other inside hosts will fail because there will be no
addresses left to translate them to

760
PAT Port Address Translation
Port Address Translation (PAT) is an extension to NAT that permits
multiple devices to be mapped to a single public IP address
With PAT you do not need a public IP address for every inside host
The router tracks translations by IP address and Layer 4 port number
Because different inside hosts are assigned different port numbers, the
router knows which host to send return traffic to, even when the
public IP address is the same

761
NAT Lab

762
Dynamic NAT with Overload
Dynamic NAT with Overload uses PAT to allow more clients to be
translated than IP addresses are available in the NAT pool
If the NAT pool is 203.0.113.4 to 203.0.113.6 for example, the first 2
hosts which initiate outbound connections will be translated to
203.0.113.4 and 203.0.113.5

763
Dynamic NAT with Overload
The 3rd host will be translated to 203.0.113.6 and the router will track
which source port number was used in the translation table
The 4th and 5th etc. hosts will also be translated to 203.0.113.6 but
with different source port numbers
When the return traffic is sent back the router checks the destination
port number to see which host to forward it to

764
Dynamic NAT with Overload
Inside hosts 10.10.10.10 – 10.10.10.13 browse to the outside web servers 203.0.113.10 and 203.0.113.11 through the pool 203.0.113.4 – 203.0.113.6

10.10.10.10:49165 > 203.0.113.10:80 leaves as 203.0.113.4:4096 > 203.0.113.10:80; the reply 203.0.113.10:80 > 203.0.113.4:4096 is translated back to 10.10.10.10:49165
10.10.10.11:49158 > 203.0.113.10:80 leaves as 203.0.113.5:4097 > 203.0.113.10:80; the reply to 203.0.113.5:4097 goes back to 10.10.10.11:49158
10.10.10.12:49152 > 203.0.113.11:80 leaves as 203.0.113.6:4098 > 203.0.113.11:80; the reply to 203.0.113.6:4098 goes back to 10.10.10.12:49152
10.10.10.13:49152 > 203.0.113.11:80 leaves as 203.0.113.6:4099 > 203.0.113.11:80; the reply to 203.0.113.6:4099 goes back to 10.10.10.13:49152

Translation table after all four connections:
Inside Local (source) | Inside Global (source) | Outside Local (destination) | Outside Global (destination)
10.10.10.10:49165 | 203.0.113.4:4096 | 203.0.113.10:80 | 203.0.113.10:80
10.10.10.11:49158 | 203.0.113.5:4097 | 203.0.113.10:80 | 203.0.113.10:80
10.10.10.12:49152 | 203.0.113.6:4098 | 203.0.113.11:80 | 203.0.113.11:80
10.10.10.13:49152 | 203.0.113.6:4099 | 203.0.113.11:80 | 203.0.113.11:80

Hosts 10.10.10.12 and 10.10.10.13 both chose source port 49152 and both share 203.0.113.6. The router keeps them apart by assigning the distinct global ports 4098 and 4099, and uses the destination port of the return traffic to pick the right inside host

772
Standard Dynamic NAT Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside

Configure the pool of global addresses.


R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.6 netmask 255.255.255.240

Create an access list which references the internal IP addresses we want to translate.
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

Associate the access list with the NAT pool to complete the configuration.
R1(config)#ip nat inside source list 1 pool Flackbox

773
Dynamic NAT with Overload Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside

Configure the pool of global addresses.


R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.6 netmask 255.255.255.240

Create an access list which references the internal IP addresses we want to translate.
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

Associate the access list with the NAT pool to complete the configuration.
R1(config)#ip nat inside source list 1 pool Flackbox overload
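The Python below is an added example, not from the course, that simulates the translation table behind the standard and overload configurations above, using the pool 203.0.113.4 to 203.0.113.6 and the four inside hosts from the slides. It shows dynamic NAT address exhaustion (the fourth host cannot be translated), PAT keeping two hosts apart even when they pick the same source port, and the inbound lookup that drops any packet for which no translation exists. The class and method names are the example's own; the allocation order (each new host takes the next pool address, then the last address is reused with fresh ports) and the first translated port 4096 are taken from the walkthrough rather than from IOS itself.

```python
"""Inside-source NAT: standard dynamic NAT vs. dynamic NAT with overload (PAT).

Added example (not from the course): simulates the translation table a router
builds for the pool and hosts used in the slides. The allocation order and
the global port numbers starting at 4096 follow the slides' walkthrough; the
class and method names are assumptions.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, L4 port)


class NatRouter:
    def __init__(self, pool: List[str], overload: bool = False,
                 inside_prefix: str = "10.10.10.0/24") -> None:
        self.pool = list(pool)                   # 'ip nat pool ...' range, in order
        self.overload = overload                 # the 'overload' keyword
        self.inside = ip_network(inside_prefix)  # stands in for 'access-list 1 permit ...'
        self.host_map: Dict[str, str] = {}       # standard NAT: inside local -> inside global
        self.out_table: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}  # (local, outside) -> global
        self.in_table: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}   # (global, outside) -> local
        self.next_port = 4096                    # first translated port (constructed)

    def translate_out(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Packet arriving on the 'ip nat inside' interface.

        Returns the inside global (ip, port) the packet leaves with, or None
        when the pool is exhausted and the packet cannot be translated.
        """
        if ip_address(src[0]) not in self.inside:
            return src                           # not matched by the access list: untouched
        key = (src, dst)
        if key in self.out_table:
            return self.out_table[key]           # existing extended entry is reused
        if self.overload:
            idx = min(len(self.out_table), len(self.pool) - 1)
            global_ep = (self.pool[idx], self.next_port)
            self.next_port += 1
        else:
            g = self.host_map.get(src[0])
            if g is None:
                free = [a for a in self.pool if a not in self.host_map.values()]
                if not free:
                    return None                  # dynamic NAT address exhaustion
                g = free[0]
                self.host_map[src[0]] = g
            global_ep = (g, src[1])              # port is preserved, only the address changes
        self.out_table[key] = global_ep
        self.in_table[(global_ep, dst)] = src
        return global_ep

    def translate_in(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Packet arriving on the 'ip nat outside' interface, addressed to an
        inside global address. None means no translation exists, so the
        packet is not forwarded to any inside host."""
        return self.in_table.get((dst, src))


POOL = ["203.0.113.4", "203.0.113.5", "203.0.113.6"]
# Constructed flows: the four inside hosts and two web servers from the slides.
FLOWS = [
    (("10.10.10.10", 49165), ("203.0.113.10", 80)),
    (("10.10.10.11", 49158), ("203.0.113.10", 80)),
    (("10.10.10.12", 49152), ("203.0.113.11", 80)),
    (("10.10.10.13", 49152), ("203.0.113.11", 80)),
]


def walk(router: NatRouter) -> List[Optional[Endpoint]]:
    """Send every flow out and return the inside global endpoint chosen for each."""
    return [router.translate_out(s, d) for s, d in FLOWS]


if __name__ == "__main__":
    print("standard:", walk(NatRouter(POOL)))
    pat = NatRouter(POOL, overload=True)
    print("overload:", walk(pat))
    print("return for 203.0.113.6:4099 ->", pat.translate_in(("203.0.113.11", 80), ("203.0.113.6", 4099)))
```

With the plain pool the fourth host gets None, which is the exhaustion case described earlier: nothing can be done until an existing translation times out. With overload the same four hosts all get through, and a reply addressed to 203.0.113.6:4099 is handed to 10.10.10.13 even though 10.10.10.12 used the same source port. A reply from a different outside host, or to a port the router never allocated, finds no entry and goes nowhere.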

774
PAT with Single IP Address
The last NAT scenario to cover is a small office which has not
purchased a range of public IP addresses
In this case the outside interface will most likely get its IP address via
DHCP from the service provider
PAT can be used to allow multiple inside hosts to share the single
outside public IP address

775
PAT with Single IP Address
The configuration is very similar to Dynamic NAT with Overload but
translates to the outside interface address rather than a pool of
addresses
You must translate to the outside interface rather than a specific IP
address because a DHCP address can change

776
PAT with Single IP Address Configuration
R1(config)#int f0/0
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside

R1(config)#int f1/0
R1(config-if)#ip nat inside

R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

R1(config)#ip nat inside source list 1 interface f0/0 overload

778
NAT Verification – debug ip nat
R1#debug ip nat

Outbound
*Aug 21 23:52:55.739: NAT*: TCP s=52670->4097, d=23
*Aug 21 23:52:55.739: NAT*: s=10.0.2.11->203.0.113.13, d=203.0.113.20
[34332]
Return Traffic
*Aug 21 23:52:55.763: NAT*: TCP s=23, d=4097->52670
*Aug 21 23:52:55.763: NAT*: s=203.0.113.20, d=203.0.113.13->10.0.2.11
[45975]

779
Problems with NAT
NAT breaks the end to end IP model
This can cause issues with security and with some applications
Company A: CUCM-A at 10.0.0.100 (NAT 203.0.113.3/28), Phone A ext 10-1001 at 10.0.0.10 (NAT 203.0.113.10/28)
Company B: CUCM-B at 10.0.10.100 (NAT 203.0.113.20/28), Phone B ext 11-2001 at 10.0.10.10 (NAT 203.0.113.21/28)

780
NAT Problem Example
10.0.0.10 > 10.0.0.100 : ‘I’d like to call 11-2001 please’


781
NAT Problem Example
CUCM-A Dial Plan : 11-xxxx is available at 203.0.113.20


782
NAT Problem Example
10.0.0.100 > 203.0.113.20 : ‘Call for 11-2001 from 10.0.0.10’


783
NAT Problem Example
Router A NATs source address 10.0.0.100 to 203.0.113.3
Router B NATs destination address 203.0.113.20 to 10.0.10.100


784
NAT Problem Example
10.0.10.100 > 10.0.10.10: ‘Call for you, please ring’


785
NAT Problem Example
10.0.10.10 > 10.0.10.100: ‘User picked up, ready for call’


786
NAT Problem Example
10.0.10.100 > 203.0.113.3 : ‘Ext 11-2001 is ready for call at 10.0.10.10’


787
NAT Problem Example
Router B NATs source address 10.0.10.100 to 203.0.113.20
Router A NATs destination address 203.0.113.3 to 10.0.0.100

788
NAT Problem Example
CUCM-A to Phone A: ‘Stream your voice to 10.0.10.10’
CUCM-B to Phone B: ‘Stream your voice to 10.0.0.10’

789
NAT Problem Example
The phones only have connectivity to each other on their NAT’d public IP
addresses, not via internal private addresses, so the call fails


790
NAT Problem
Devices such as application layer firewalls, traversal servers and proxy
servers can help with these issues
It would be a cleaner solution if IP supported an addressing scheme
which was big enough to give all devices in the world a publicly reachable
address
… Enter IPv6. It uses a 128 bit address, compared to IPv4’s 32 bit address
IPv6 provides more than 7.9×10^28 times as many addresses as IPv4

791
Other IPv6 Enhancements
In addition to the larger address space, IPv6 was designed to support
built-in security and host mobility

792
Dual Stack
IPv4 and IPv6 do not have to be an ‘either or’ decision
In a ‘dual stack’ implementation a network interface can have both an
IPv4 and an IPv6 address at the same time
It can then communicate using either protocol
Dual stack can be enabled long term to support both IPv4 and IPv6
applications or as an IPv4 to IPv6 transition strategy

793
IPv6 Addressing Format
IPv6 uses a 128 bit address compared to IPv4’s 32 bit address
The address is written as X:X:X:X:X:X:X:X
Each ‘X’ is a 16 bit hexadecimal field (hex values are 0-9,A-F)
Eg. 2001:0DB8:0000:0001:0000:0000:0000:0001

794
IPv6 Address Part Naming
IPv4 addresses are 32 bits long, written as x.x.x.x
Each segment is 8 bits so they are known as ‘octets’
IPv6 addresses are 128 bits long, written as X:X:X:X:X:X:X:X
Each segment is 16 bits but there isn’t an official name for them
(‘hexadectet’ is too hard to pronounce)
They are sometimes called ‘hextets’, ‘pieces’ or ‘quartets’

795
Address Shortening
The IPv6 address is very long. There are a couple of ways we can
shorten it to make things more convenient
Address shortening is a standard convention and is supported by all
vendors’ devices

Leading zeros in each field can be removed


2001:0DB8:0000:0001:0000:0000:0000:0001 can be written as
2001:DB8:0:1:0:0:0:1

796
Address Shortening

Successive all zero fields can be shortened to ‘::’


2001:0DB8:0000:0001:0000:0000:0000:0001 can be written as
2001:DB8:0:1:0:0:0:1 (leading zeros removed)
And 2001:DB8:0:1:0:0:0:1 can be written as 2001:DB8:0:1::1

797
Address Shortening
Successive all zero fields can be shortened only once in an address to
avoid confusion
2001:0:0:1:0:0:0:B can be shortened to
2001::1:0:0:0:B or
2001:0:0:1::B
It can’t be shortened to 2001::1::B
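As an added example (not code from the course), here are the two shortening rules implemented by hand, together with the reverse operation and a validity check that rejects a second ‘::’. The hand-written shortener follows the canonical rule from RFC 5952 (compress the longest run of zero fields, the first one on a tie, never a single field), which is why it picks 2001:0:0:1::B rather than 2001::1:0:0:0:B; the result is cross-checked against Python's ipaddress module. Uppercase hex is used to match the slides.

```python
# Expand and shorten IPv6 addresses by hand. Added example; expand(),
# shorten(), same_address(), is_valid() and matches_stdlib() are names chosen
# for this illustration.
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand(addr: str) -> list:
    """Return the eight 16-bit fields of an address, zero-padded to 4 hex digits."""
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        left, right = addr.split("::")
        left_fields = left.split(":") if left else []
        right_fields = right.split(":") if right else []
        missing = 8 - len(left_fields) - len(right_fields)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one field: {addr}")
        fields = left_fields + ["0"] * missing + right_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {addr}")
    for f in fields:
        if not (1 <= len(f) <= 4) or not set(f) <= HEX:
            raise ValueError(f"bad field {f!r} in {addr}")
    return [f.upper().zfill(4) for f in fields]


def shorten(addr: str) -> str:
    """Rule 1: drop leading zeros in each field. Rule 2: replace the longest
    run of two or more all-zero fields with '::' (first run wins a tie)."""
    fields = [f.lstrip("0") or "0" for f in expand(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if fields[i] == "0":
            j = i
            while j < 8 and fields[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def same_address(a: str, b: str) -> bool:
    """Two written forms name the same address if they expand to the same fields."""
    return expand(a) == expand(b)


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def matches_stdlib(addr: str) -> bool:
    """Cross-check our shortened form against ipaddress's canonical form."""
    return shorten(addr) == ipaddress.IPv6Address(addr).compressed.upper()


if __name__ == "__main__":
    for a in ("2001:0DB8:0000:0001:0000:0000:0000:0001", "2001:0:0:1:0:0:0:B", "::1"):
        print(f"{a:40} -> {shorten(a)}")
    print("2001::1::B valid?", is_valid("2001::1::B"))
```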

798
IPv6 Address Types
Global Unicast
Unique Local
Link Local

799
IPv6 Address Types: Global Unicast Addresses
Global Unicast Addresses are similar to IPv4 public addresses
They are assigned to an individual host and have global reachability
(unless blocked by security policy such as on a firewall)
They are assigned from the range 2000::/3

800
IPv6 Address Types: Global Unicast Addresses
Internet authorities assign blocks from the overall 2000::/3 range to
organisations
A common assignment for a company is a /48 block, eg
2001:10:10::/48
A smaller or larger size block can be assigned depending on the size of
the company

801
IPv6 Address Types: Global Unicast Addresses
IPv6 standards state that addresses assigned to individual hosts should
use a /64 mask
The IPv6 address is 128 bits so /64 splits it in half for the network and
host portions of the address
X:X:X:X:X:X:X:X
Network Host

802
IPv6 Address Types: Global Unicast Addresses
If a company is assigned a /48 address by the Internet authorities and
uses /64 host addresses, that leaves 16 bits the company can assign to
its internal subnets
For example, if the company was assigned 2001:10:10::/48 by the
Internet authorities, it can assign subnets 2001:10:10:0::/64 to
2001:10:10:FFFF::/64 to its internal network segments
16 bits = 65,535 possible subnets
64 bits left over = 18,446,744,073,709,551,616 hosts per subnet
X:X:X:X:X:X:X:X
Company Host
Subnet

803
IPv6 Address Types: Global Unicast Addresses
In this example the company has been assigned 2001:DB8:0::/48 by
the Internet authorities
Subnet 2001:DB8:0:1::/64 Subnet 2001:DB8:0:2::/64

804
IPv6 Address Types: Global Unicast Addresses
In this example the company has been assigned 2001:DB8:0::/48 by
the Internet authorities
IPv6 Address 2001:DB8:0:1:0:0:0:1/64
IPv6 Address 2001:DB8:0:2:0:0:0:1/64

805
IPv6 Address Types: Global Unicast Addresses
In this example the company has been assigned 2001:DB8:0::/48 by
the Internet authorities
IPv6 Address 2001:DB8:0:1::1/64
IPv6 Address 2001:DB8:0:2::1/64

806
IPv6 Address Types: Global Unicast Addresses
Using a /64 for all network subnets including point-to-point links and
loopback addresses can seem wasteful, but the official declaration is
that the IPv6 address space is so large that it does not create a
problem
Using /64 everywhere simplifies the addressing and enables the use of
EUI-64 addresses

807
Global Unicast Address Configuration
Enable IPv6 routing first

R1(config)#ipv6 unicast-routing
R1(config)#int f0/0
R1(config-if)#ipv6 add 2001:db8:0:1::1/64
R1(config-if)#int f2/0
R1(config-if)#ipv6 add 2001:db8:0:0::1/64

808
Broadcast and Multicast
IPv4 supports broadcast to all hosts on 255.255.255.255
Routers do not forward broadcast traffic so this stays on the local subnet
IPv6 does not support broadcast traffic
It does however support multicast to all hosts on the local subnet (ff02::1)
which is functionally equivalent
Many services which use broadcast to 255.255.255.255 in IPv4 use more
specific multicast addresses in IPv6 (eg ff05::1:3 for all DHCP servers)

809
Global Unicast Address Configuration
Enable IPv6 routing first

R1(config)#ipv6 unicast-routing
R1(config)#int f0/0
R1(config-if)#ipv6 add 2001:db8:0:1::1/64
R1(config-if)#int f2/0
R1(config-if)#ipv6 add 2001:db8:0:0::1/64

810
Global Unicast Address Verification
R1#sh ipv6 interface brief
FastEthernet0/0 [up/up]
2001:DB8:0:1::1
FastEthernet2/0 [up/up]
2001:DB8::1
! truncated

811
Lab

812
EUI-64 Addresses
A Cisco router can generate full IPv6 addresses for itself when given
the interface and /64 network to use
The host portion of the address is derived from the interface’s MAC
address, which is guaranteed to be globally unique
A MAC address is a /48 address compared to the /64 host portion of
the IPv6 address
FF:FE is injected in the middle of the /48 MAC address to bring it up to
64 bits. Also, the 7th bit is inverted

813
EUI-64 Addresses

814
EUI-64 Address Configuration
R1(config)#int f0/0
R1(config-if)#ipv6 address 2001:db8:0:1::/64 eui-64
R1(config)#int f2/0
R1(config-if)#ipv6 address 2001:db8:0::/64 eui-64

815
EUI-64 Address Verification
R1#sh int f0/0
Hardware is DEC21140, address is ca01.2f24.0000
R1#sh int f2/0
Hardware is DEC21140, address is ca01.2f24.0038

R1#sh ipv6 interface brief


FastEthernet0/0 [up/up]
2001:DB8:0:1:C801:2FFF:FE24:0
FastEthernet2/0 [up/up]
2001:DB8::C801:2FFF:FE24:38
! truncated
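The EUI-64 transformation described above, as an added example rather than code from the course: the MAC address is split in half, FF:FE is inserted in the middle and the 7th bit of the first octet is inverted. The router MAC addresses are the ones in the verification output, so the results can be compared with it. The last function reverses the process, which shows why an EUI-64 derived address reveals the hardware address of the host.

```python
# Modified EUI-64 interface IDs from MAC addresses. Added example; the
# function names are chosen for this illustration.
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (ca01.2f24.0000), colon or hyphen separated notation."""
    digits = re.sub(r"[.:-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: insert FF:FE in the middle and
    invert the 7th bit (the universal/local bit, mask 0x02) of the first octet."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID; returns the shortened form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    value = int(net.network_address) | int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(value).compressed.upper()


def link_local_address(mac: str) -> str:
    """Link local addresses use the same interface ID under FE80::/64."""
    return eui64_address("FE80::/64", mac)


def mac_from_eui64(addr: str):
    """If the host portion carries the FF:FE marker, undo the transformation
    and return the MAC in Cisco dotted notation; otherwise return None."""
    iid = bytearray(int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    mac = (iid[:3] + iid[5:]).hex()
    return f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}"


if __name__ == "__main__":
    for prefix, mac in (("2001:db8:0:1::/64", "ca01.2f24.0000"),
                        ("2001:db8:0::/64", "ca01.2f24.0038")):
        addr = eui64_address(prefix, mac)
        print(f"{mac} + {prefix:20} -> {addr}  (link local {link_local_address(mac)})")
        print(f"  recovered MAC: {mac_from_eui64(addr)}")
```

Because the MAC is recoverable, hosts that generate their own addresses usually randomise the host portion instead (see the SLAAC privacy note later in the course); the reverse function is the check you would use to spot EUI-64 derived addresses in your own address plans or logs.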

816
EUI-64 Addresses
The router will borrow the MAC address from the first Ethernet port
for non-Ethernet interfaces such as Serial ports
It is not recommended to use EUI-64 on router interfaces. It is better
to use a memorable address such as 2001:db8:0:1::1

817
Lab

818
IPv6 Address Types: Unique Local Addresses
Unique Local Addresses are similar to IPv4 RFC 1918 private addresses
They are not publicly reachable
They are assigned from the range FC00::/7
Hosts should be assigned /64 addresses

819
IPv6 Address Types: Link Local Addresses
Link local addresses are valid for communications on that link only
They are assigned from the range FE80::/10 – FEB0::/10
Hosts should be assigned /64 addresses

820
Link Local Connectivity
A, B and C have connectivity to each other via the FE80::1, FE80::2 and
FE80::3 link local addresses on the same segment
B and D have connectivity to each other via the FE80::4 and FE80::5
link local addresses on the same segment
FE80::1, FE80::2 and FE80::3 do not have connectivity to FE80::4 or
FE80::5

FE80::1/64 FE80::2/64 FE80::4/64 FE80::5/64


A B D

FE80::3/64
C

821
IPv6 Address Types: Link Local Addresses
Link local addresses can be used for communications which should not
be forwarded beyond the local link, like routing protocol hello packets
and updates
They are mandatory on IPv6 enabled Cisco router interfaces

822
IPv6 Address Types: Link Local Addresses
Link Local addresses are automatically generated with EUI-64
addresses on IPv6 enabled Cisco router interfaces
The EUI-64 address can be overridden with manual configuration

823
Link Local Address Auto Generation
New router with no IPv6 configuration:
R1#sh ipv6 int brief
FastEthernet0/0 [up/up]
unassigned
FastEthernet1/0 [administratively down/down]
unassigned
FastEthernet2/0 [up/up]
unassigned
FastEthernet3/0 [administratively down/down]
unassigned

824
Link Local Address Auto Generation
Configuring a global unicast address enables IPv6 on the interface
R1(config)#ipv6 unicast-routing
R1(config)#int f0/0
R1(config-if)#ipv6 add 2001:db8:0:1::1/64
R1(config-if)#int f2/0
R1(config-if)#ipv6 add 2001:db8:0:0::1/64

825
Link Local Address Auto Generation
EUI-64 Link Local addresses are automatically generated

R1#sh ipv6 interface brief


FastEthernet0/0 [up/up]
FE80::C801:2FFF:FE24:0
2001:DB8:0:1::1
FastEthernet1/0 [administratively down/down]
unassigned
FastEthernet2/0 [up/up]
FE80::C801:2FFF:FE24:38
2001:DB8::1
FastEthernet3/0 [administratively down/down]
unassigned

826
Manual Link Local Address Configuration
Link local addresses are valid on the local link only so you can use the
same address on multiple interfaces

R1(config)#int f0/0
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#int f2/0
R1(config-if)#ipv6 address fe80::1 link-local

827
Multiple IPv4 Addresses
R1(config)#int f0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1#sh run int f0/0
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0

R1(config)#int f0/0
R1(config-if)#ip address 172.16.0.1 255.255.255.0 secondary
R1#sh run int f0/0
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0 secondary
ip address 192.168.10.1 255.255.255.0

828
Multiple IPv6 Addresses
R1(config)#int f0/0
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 add 2001:db8:0:0::1/64
R1(config-if)#ipv6 add 2001:db8:0:1::1/64

R1#sh run int f0/0


interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0 secondary
ip address 192.168.10.1 255.255.255.0
ipv6 address FE80::1 link-local
ipv6 address 2001:DB8::1/64
ipv6 address 2001:DB8:0:1::1/64

829
Multiple IPv6 Addresses Summary
Link local addresses are mandatory on IPv6 enabled interfaces
Global unicast and Unique local addresses are optional
You can have multiple addresses on the same interface
One link local address for routing protocol traffic and one global
unicast address for normal routing is typical

830
Lab

831
Stateless Address AutoConfiguration (SLAAC)
Hosts can be assigned IPv6 addresses through static addressing, DHCPv6,
or SLAAC
DHCP servers track their MAC address to IP address assignments, so this
is ‘stateful’ addressing

832
Stateless Address AutoConfiguration (SLAAC)
With SLAAC, hosts learn the /64 subnet their interface is on from their
local router and then use this information to generate their own IPv6
EUI-64 address
(Modern Operating Systems randomise the host portion of the address
rather than using standard EUI-64 for privacy reasons)
The router does not track which hosts have which IP address so this is
‘stateless’ addressing

833
SLAAC – Router Advertisements
When a global unicast IPv6 address is configured on an interface then
Router Advertisements advertising the network prefix are sent out by
default
These ICMP messages are sent to the ‘All Nodes’ multicast address from
the interface’s link-local address
Hosts can also send a ‘Router Solicitation’ message to request the
information

834
Stateless Address AutoConfiguration (SLAAC)
As well as telling the hosts which subnet to generate their IP address on,
the router tells the hosts to use itself as their default gateway
The original implementation did not support any information other than
the default gateway address

835
Stateless Address AutoConfiguration (SLAAC)

836
Stateless Address AutoConfiguration (SLAAC)
In practice a DHCP server is still required to give out information such as
DNS server
If the IP address is assigned by SLAAC and the DNS server is assigned by
DHCP this results in a stateless configuration, where the DHCP server
does not retain information about the hosts

837
The Unspecified Address
:: is the Unspecified address or Unknown address
An IPv6 route to ::/0 is a default route equivalent to 0.0.0.0 0.0.0.0 in IPv4
Also, :: is used as the source when an interface is trying to acquire an
address

838
Neighbor Discovery
Neighbor Discovery is the IPv6 version of ARP and works in the same way
Rather than using ARP requests and replies, Neighbor Discovery uses
ICMP Neighbor Solicitations and Neighbor Advertisements
Neighbor Solicitation messages are sent to the Solicited-Node multicast
address which reaches all hosts on the subnet

839
Verification – show ipv6 neighbors

840
Verification – show ipv6 neighbors
R2#show ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
FE80::C801:2FFF:FE24:0 0 ca01.2f24.0000 STALE Fa0/0
FE80::C803:2DFF:FEB0:1C 0 ca03.2db0.001c STALE Fa1/0

R2#ping 2001:db8:0:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/88 ms

R2#show ipv6 neighbors


IPv6 Address Age Link-layer Addr State Interface
FE80::C801:2FFF:FE24:0 0 ca01.2f24.0000 STALE Fa0/0
2001:DB8:0:1::1 0 ca01.2f24.0000 REACH Fa0/0
FE80::C803:2DFF:FEB0:1C 0 ca03.2db0.001c STALE Fa1/0

841
IPv6 Routing

IPv6 routing works the same way as IPv4 routing, but the processes are
separate, and there are separate IPv4 and IPv6 routing tables
If a router receives an IPv4 packet, it will route it according to its IPv4
routing table
If a router receives an IPv6 packet, it will route it according to its IPv6
routing table
The routing tables are built in the same way, through static routes or
dynamic routing protocols

842
IPv6 Routing

IPv4 routing is enabled by default on a Cisco IOS router


IPv6 routing is disabled by default
Enter the command ‘ipv6 unicast-routing’ to enable it
You can still configure IPv6 addresses on a router without ipv6
unicast-routing enabled and send and receive IPv6 traffic, but the router
will not forward IPv6 traffic to other networks

843
Connected and Local Routes
The administrator configures IP addresses on the router’s interfaces
R1#show run

interface FastEthernet0/0
ip address 10.10.1.1 255.255.255.0
duplex full
ipv6 address 2001:DB8:0:1::1/64
!
interface FastEthernet2/0
ip address 10.10.0.1 255.255.255.0
duplex full
ipv6 address 2001:DB8::1/64

844
show ip route – IPv4 Routes
This will automatically enter connected and local routes in the routing table.
Local IPv4 routes always have a /32 mask and show the IP address configured
on the interface
R1#show ip route
C 10.10.0.0/24 is directly connected, FastEthernet2/0
C 10.10.1.0/24 is directly connected, FastEthernet0/0
L 10.10.0.1/32 is directly connected, FastEthernet2/0
L 10.10.1.1/32 is directly connected, FastEthernet0/0
! truncated

845
show ipv6 route - Connected Routes
Local routes always have a /128 mask and show the IP address
configured on the interface
R1#show ipv6 route
C 2001:DB8::/64 [0/0]
via FastEthernet2/0, directly connected
C 2001:DB8:0:1::/64 [0/0]
via FastEthernet0/0, directly connected
L 2001:DB8::1/128 [0/0]
via FastEthernet2/0, receive
L 2001:DB8:0:1::1/128 [0/0]
via FastEthernet0/0, receive
! truncated

846
Routing

If a router receives traffic for a network which it is not directly attached
to, it needs to know how to get there in order to forward the traffic
An administrator can manually add a static route to the destination, or
the router can learn it via a routing protocol

847
IPv4 Static Routes

ip route 10.0.1.0 255.255.255.0 10.0.0.1


ip route 10.0.2.0 255.255.255.0 10.0.0.1
[Topology diagram: R2 (F1/0 10.1.0.2/24, F0/0 10.0.0.2/24) and R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) are connected over 10.0.0.0/24. The two routes above are configured on R2 (next hop R1) and the route below on R1 (next hop R2)]

ip route 10.1.0.0 255.255.255.0 10.0.0.2

848
IPv6 Static Routes

ipv6 route 2001:DB8:0:2::/64 2001:DB8:0:1::1


ipv6 route 2001:DB8:0:3::/64 2001:DB8:0:1::1
[Topology diagram: R2 (F1/0 2001:DB8:0:0::/64, F0/0 2001:DB8:0:1::2/64) and R1 (F0/0 2001:DB8:0:1::1/64, F1/0 2001:DB8:0:2::/64, F2/0 2001:DB8:0:3::/64) are connected over 2001:DB8:0:1::/64. The two routes above are configured on R2 (next hop R1) and the route below on R1 (next hop R2)]

ipv6 route 2001:DB8::/64 2001:DB8:0:1::2

849
IPv4 Summary and Default Route
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2
ip route 0.0.0.0 0.0.0.0 203.0.113.2
[Topology diagram: R4, R3, R2 and R1 form a chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24 (R2 is 10.0.0.2, R1 is 10.0.0.1); R1 FE1/0 203.0.113.1 connects to the Internet, next hop 203.0.113.2; 10.0.2.1/24 sits on an FE2/0 interface; R5 (FE2/0 10.1.3.2/24, FE3/0 10.0.3.2/24) connects to R3 (FE2/0 10.1.3.1/24) and R2 (FE3/0 10.0.3.1/24). The 10.1.0.0/16 summary route and the default route are on R1; the 10.1.3.0/24 route is on R2]

850
IPv6 Summary and Default Route
ipv6 route 2001:DB8:0::/48 2001:DB8:0::2
ipv6 route 2001:DB8:1:1::/64 2001:DB8:1::2
ipv6 route ::/0 2001:DB8:3::2

[Topology diagram: R4, R3, R2 and R1 form a chain over 2001:DB8:0:2::/64, 2001:DB8:0:1::/64 and 2001:DB8:0:0::/64 (R2 is ::2, R1 is ::1 on 2001:DB8:0:0::/64); R1 FE1/0 2001:DB8:3:0::1/64 connects to the Internet, next hop ::2; 2001:DB8:2:0::1/64 sits on an FE2/0 interface; R5 (FE2/0 2001:DB8:1:1::2/64, FE3/0 2001:DB8:1:0::2/64) connects to R3 (FE2/0 2001:DB8:1:1::1/64) and R2 (FE3/0 2001:DB8:1:0::1/64). The 2001:DB8:0::/48 summary route and the default route are on R1; the 2001:DB8:1:1::/64 route is on R2]
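An added example (not code from the course) of the longest prefix match that decides which of the routes on this slide a router actually uses. The table is assumed to be R1's: the /48 summary and the ::/0 default route from the slide plus R1's two connected networks, with interface names assumed from the diagram. A destination inside the connected /64 matches the connected route, not the /48 that also contains it; the rest of 2001:DB8:0::/48 goes to R2; everything else falls through to the default route.

```python
# Longest prefix match over an IPv6 routing table. Added example; the class
# and function names are chosen for this illustration.
import ipaddress


class Ipv6RoutingTable:
    def __init__(self):
        self.routes = []   # (network, next_hop or None, interface or None)

    def add_connected(self, interface_address, interface):
        """A connected route is derived from the address configured on the interface."""
        net = ipaddress.IPv6Network(interface_address, strict=False)
        self.routes.append((net, None, interface))

    def add_static(self, prefix, next_hop):
        """Equivalent of 'ipv6 route <prefix> <next hop>'."""
        self.routes.append((ipaddress.IPv6Network(prefix),
                            ipaddress.IPv6Address(next_hop), None))

    def lookup(self, destination):
        """Most specific (longest prefix) route containing the destination, or None."""
        dst = ipaddress.IPv6Address(destination)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        net, next_hop, interface = max(candidates, key=lambda r: r[0].prefixlen)
        return {"prefix": str(net),
                "next_hop": str(next_hop) if next_hop is not None else None,
                "interface": interface}


def build_r1_table():
    """R1's table as assumed from the slide (interfaces assumed from the diagram)."""
    t = Ipv6RoutingTable()
    t.add_connected("2001:DB8:0:0::1/64", "FastEthernet0/0")   # link to R2
    t.add_connected("2001:DB8:3:0::1/64", "FastEthernet1/0")   # link to the Internet
    t.add_static("2001:DB8:0::/48", "2001:DB8:0::2")            # summary for the internal /64s, via R2
    t.add_static("::/0", "2001:DB8:3::2")                       # default route to the Internet
    return t


if __name__ == "__main__":
    table = build_r1_table()
    for dst in ("2001:DB8::2", "2001:DB8:0:2::10", "2001:DB8:3::9", "2001:DB8:1:1::2"):
        print(f"{dst:20} -> {table.lookup(dst)}")
```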

851
Lab

852
IOS Security
When a Cisco router or switch is received from the factory no security is
configured
You can access the command line via a console cable with no password
required
One of the first tasks is to configure security to ensure that only
authorised administrators can access the device

853
IOS Command Hierarchy

hostname> User Exec mode

hostname# Privileged Exec mode (‘Enable’)

hostname(config)# Global Configuration mode (‘Configure Terminal’)

hostname(config-if)# Interface Configuration mode (‘Interface x’)

854
Basic Line Level Security
Minimal password security can be configured through the use of static,
locally defined passwords at three different levels:
Console line – accessing User Exec mode when connecting via a
console cable
Virtual terminal VTY line – accessing User Exec mode when
connecting remotely via Telnet or SSH Secure Shell
Privileged Exec Mode – entering the ‘enable’ command

855
Basic Line Level Security
The levels can be used independently or in combination with
each other.
They can use the same or different passwords.

856
Basic Console Security

Only one administrator can connect over a console cable at a time so the
line number is always 0.
‘Login’ with no following keywords requires the administrator to enter
the password configured at the line level to log in

R1(config)#line console 0
R1(config-line)#password Flackbox1
R1(config-line)#login

857
Basic Console Security

R1 con0 is now available


Press RETURN to get started.

User Access Verification


Password: <wrong password>
Password: <correct password>

R1>

858
Basic Telnet Security

An administrator can use Telnet to connect to the CLI of a router or
switch remotely over an IP connection
IOS devices do not accept incoming Telnet sessions by default
An IP address and virtual terminal VTY line access must be configured

859
Switch Management IP Address

A Layer 2 Switch is not IP routing aware
It does however support a single IP address for management
A default gateway also needs to be configured to allow connectivity to
other subnets

860
Switch Management IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.0.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.0.1

861
Basic Telnet Security

Multiple administrators can connect at the same time. Lines are
allocated on a first come first served basis
If all configured lines are in use then additional administrators will not
be able to login

R1(config)#line vty 0 15
R1(config-line)#password Flackbox2
R1(config-line)#login

862
Basic Telnet Security

C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open

User Access Verification

Password:<wrong password>
Password:<correct password>
R1>

863
Exec Timeout

An administrator will be logged out after 10 minutes of inactivity by
default. This applies to both the console and VTY lines
You can edit this value with the exec-timeout command
no exec-timeout or exec-timeout 0 allows an administrator to
stay logged in indefinitely

R1(config)#line con 0
R1(config-line)#exec-timeout 15
R1(config)#line vty 0 15
R1(config-line)#exec-timeout 5 30

864
Securing VTY Lines with Access Lists

You can apply an Access List to control access to the VTY lines
This can be used to limit Telnet and SSH access to only your
administrator workstations

R1(config)#access-list 1 permit host 10.0.0.10

R1(config)#line vty 0 15
R1(config-line)#login
R1(config-line)#password Flackbox3
R1(config-line)#access-class 1 in

865
Securing VTY Lines with Access Lists

Unauthorised source IP address:

C:\> telnet 10.0.0.1


Trying 10.0.0.1 …
% Connection refused by remote host

866
Basic Privileged Exec Security

When you connect over the console or a VTY line you will land at the
User Exec prompt which has a very limited set of commands available
To get superuser access you use the ‘enable’ command to invoke
Privileged Exec mode
This can be secured with a password

R1(config)#enable password Flackbox3

867
Basic Privileged Exec Security

R1>enable
Password: <correct password>
R1#

868
Enable Password

The enable password can be viewed in plain text in the running
configuration by default. This can be a security concern.

R1#show run
Building configuration...
!
enable password Flackbox3
!
truncated

869
Enable Secret

An enable secret performs the same function as the enable password
The enable secret is always shown in an encrypted format in the running
configuration
If both an enable password and enable secret are configured, the enable
secret supersedes the enable password which is no longer used
Best practice is to configure an enable secret but not an enable
password

870
Enable Secret
R1(config)#enable secret Flackbox3
The enable secret you have chosen is the same as your
enable password.
This is not recommended. Re-enter the enable secret.
R1(config)#enable secret Flackbox4

R1#show run
!
enable secret 5 $1$mERr$ABB9Y2Fk
enable password Flackbox3
!
871
Encrypting Passwords
Line level passwords can also be viewed in plain text in the
running configuration by default.
R1#show run
!
enable secret 5 $1$mERr$ABB9Y2FkwbWuPLfUgLUxf1
enable password Flackbox3
!
line con 0
password Flackbox1
login
!
line vty 0 4
password Flackbox2
login
line vty 5 15
password Flackbox2
login
872
Service Password-Encryption

The service password encryption command encrypts all passwords in
the running configuration
It is best practice to enable this

R1(config)#service password-encryption

873
Service Password-Encryption
R1#show run
!
service password-encryption
!
enable secret 5 $1$mERr$ABB9Y2FkwbWuPLfUgLUxf1
enable password 7 0807404F0A1207180A58
!
line con 0
password 7 0807404F0A1207180A5A
login
!
line vty 0 4
password 7 0807404F0A1207180A59
login
line vty 5 15
password 7 0807404F0A1207180A59
login

874
Lab

Console Cable

875
Basic Line Level Security

With line level security all administrators log in with the same password

R1(config)#line console 0
R1(config-line)#password Flackbox1
R1(config-line)#login (use line level password)
R1(config)#line vty 0 15
R1(config-line)#password Flackbox1
R1(config-line)#login

876
Username Level Security
More granular security can be provided by configuring individual
usernames and passwords for different administrators

R1(config)#username admin1 secret Flackbox1


R1(config)#username admin2 secret Flackbox2
R1(config)#line console 0
R1(config-line)#login local (use local usernames)
R1(config)#line vty 0 15
R1(config-line)#login local

877
Username Level Security
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open

User Access Verification

Username: admin1
Password: <Flackbox1>
R1>

878
Privilege Levels
There are 16 privilege levels of admin access (0-15) available on a Cisco
router or switch
Usernames can be assigned a privilege level. The default level is 1.
You can also configure different passwords for direct access to the
different privilege levels
Each available command in IOS can be assigned a privilege level. An
administrator must be logged in with that privilege level or higher to run
the command

879
Privilege Levels
By default, three levels of privilege are used - zero, user, and privileged.
All commands are at one of these three levels by default
Zero-level access allows only five commands—logout, enable, disable,
help, and exit.
User level (level 1) provides very limited read-only access to the router.
When you enter User Exec Mode you’re at Privilege Level 1 by default
Privileged level (level 15) provides complete control over the router.
When you enter Privileged Exec Mode with the ‘enable’ command
you’re at Level 15 by default

880
Username Level Security
R1(config)#username admin1 secret Flackbox1
R1(config)#username admin2 privilege 15 secret Flackbox2
R1(config)#line console 0
R1(config-line)#login local
R1(config)#line vty 0 15
R1(config-line)#login local

881
Username Level Security – Admin1
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open

User Access Verification

Username: admin1
Password: <Flackbox1>
R1>
R1>show privilege
Current privilege level is 1

882
Username Level Security – Admin2
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open

User Access Verification

Username: admin2
Password: <Flackbox2>
R1#
R1#show privilege
Current privilege level is 15

883
Configuring Command Privilege Levels Example
R1(config)#username admin1 secret Flackbox1
R1(config)#username admin2 privilege 15 secret Flackbox2
R1(config)#username admin3 privilege 5 secret Flackbox3

884
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin1
Password: <Flackbox1>

R1>show ip interface brief


Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.0.0.1 YES manual up up
GigabitEthernet0/1 10.0.1.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down

R1>show run
^
% Invalid input detected at '^' marker.

885
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin3
Password: <Flackbox3>

R1>show ip interface brief


Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.0.0.1 YES manual up up
GigabitEthernet0/1 10.0.1.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down down
Vlan1 unassigned YES unset administratively down down

R1>show run
^
% Invalid input detected at '^' marker.

886
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin2
Password: <Flackbox3>

R1#sh run
Building configuration...
Current configuration : 1380 bytes
version 15.1
!

R1#configure terminal
R1(config)#

887
Configuring Command Privilege Levels Example
R1(config)#privilege exec level 5 show running-config

888
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin1
Password: <Flackbox1>

R1>show run
^
% Invalid input detected at '^' marker.

889
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin3
Password: <Flackbox3>

R1#sh run
Building configuration...
Current configuration : 1380 bytes
version 15.1
!

R1#configure terminal
^
% Invalid input detected at '^' marker.

890
Configuring Command Privilege Levels Example
R1(config)#enable secret secret1 (sets password for
privilege level 15)
R1(config)#enable secret level 5 secret2 (sets
password for privilege level 5)

891
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin1
Password: <Flackbox1>

R1>show run
^
% Invalid input detected at '^' marker.

R1>enable 5
Password: <secret2>
R1#show run
Building configuration...

Current configuration : 1380 bytes


!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1

892
Telnet vs SSH
All Telnet communications cross the network in plain text
If somebody sniffs the traffic using a tool such as Wireshark they can see
all the commands you enter including your username and password
All SSH Secure Shell traffic is encrypted
If somebody sniffs the traffic they cannot read it
Best practice is to disable Telnet and only allow SSH for administrator CLI
access

893
Enable SSH
A digital certificate with a key length of at least 768 bits must be
generated to enable SSH encryption

R1(config)#ip domain-name flackbox.com


R1(config)#crypto key generate rsa
The name for the keys will be: R1.flackbox.com
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys. Choosing a key modulus greater
than 512 may take a few minutes.

How many bits in the modulus [512]: 768


% Generating 768 bit RSA keys, keys will be non-exportable...[OK]

894
Disable Telnet
VTY lines are used for both Telnet and SSH connections
Access is allowed for both by default
A username is required for SSH access (line level passwords are not
supported)

R1(config)#username Flackbox secret Flackbox1


R1(config)#line vty 0 15
R1(config-line)#transport input ssh (telnet not added)
R1(config-line)#login local (use local usernames)
R1(config-line)#exit
R1(config)#ip ssh version 2 (limit SSH to v2)
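As an added example (not code from the course), the following script audits a saved running configuration against the points made on the preceding slides: enable secret instead of enable password, service password-encryption turned on, local usernames with secrets rather than passwords, SSH only and an access-class on the VTY lines, an exec-timeout that is not disabled, and HTTP/CDP turned off. The weak configuration is assembled from the show run fragments shown earlier; the hardened one applies the slides' recommendations. The username hash in the hardened configuration is a placeholder, not a real secret.

```python
# Audit a Cisco IOS running configuration for the basic hardening points
# covered on the slides. Added example; parse_config(), audit() and the
# finding codes are names chosen for this illustration.

def parse_config(text):
    """Split show run output into top-level lines and per-'line' blocks."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("line "):
            current = line[5:]          # e.g. "vty 0 4"
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            globals_.append(line)
    return globals_, blocks


def timeout_disabled(line):
    """'no exec-timeout' or 'exec-timeout 0 [0]' means sessions never expire."""
    if line == "no exec-timeout":
        return True
    parts = line.split()
    if parts[0] == "exec-timeout":
        nums = [int(p) for p in parts[1:] if p.isdigit()]
        return all(n == 0 for n in nums)
    return False


def audit(text):
    globals_, blocks = parse_config(text)
    g = set(globals_)
    findings = []
    if any(l.startswith("enable password ") for l in g):
        findings.append("ENABLE_PASSWORD_PRESENT: remove it and rely on enable secret")
    if not any(l.startswith("enable secret ") for l in g):
        findings.append("ENABLE_SECRET_MISSING: privileged exec is unprotected")
    if "service password-encryption" not in g:
        findings.append("PASSWORD_ENCRYPTION_OFF: line passwords are stored in plain text")
    if any(l.startswith("username ") and " password " in l for l in g):
        findings.append("USERNAME_PASSWORD: use 'username ... secret' instead")
    if "ip ssh version 2" not in g:
        findings.append("SSH_V2_NOT_ENFORCED: add 'ip ssh version 2'")
    if "ip http server" in g:
        findings.append("HTTP_SERVER_ENABLED: add 'no ip http server'")
    if "no cdp run" not in g:
        findings.append("CDP_ENABLED: consider 'no cdp run' in high security environments")
    for name, body in blocks.items():
        if not name.startswith("vty"):
            continue
        where = f"line {name}"
        if not any(b.startswith("login local") for b in body):
            findings.append(f"VTY_LINE_PASSWORD: {where} does not use local usernames")
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not transports:
            findings.append(f"VTY_TELNET_ALLOWED: {where} has no transport input "
                            "(telnet and ssh are both allowed by default)")
        elif any(tok in ("telnet", "all") for t in transports for tok in t):
            findings.append(f"VTY_TELNET_ALLOWED: {where} still permits telnet")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"VTY_NO_ACCESS_CLASS: {where} accepts connections from any source")
        if any(timeout_disabled(b) for b in body):
            findings.append(f"VTY_NO_TIMEOUT: {where} never logs idle sessions out")
    return findings


# Constructed from the show run fragments on the slides
WEAK_CONFIG = """\
!
version 15.1
no service password-encryption
!
hostname R1
!
enable secret 5 $1$mERr$ABB9Y2FkwbWuPLfUgLUxf1
enable password Flackbox3
!
username admin1 password Flackbox1
!
ip http server
!
line con 0
 password Flackbox1
 login
!
line vty 0 4
 password Flackbox2
 login
 transport input telnet ssh
line vty 5 15
 password Flackbox2
 login
 no exec-timeout
!
"""

# Constructed: the slides' recommendations applied (username hash is a placeholder)
HARDENED_CONFIG = """\
!
version 15.1
service password-encryption
!
hostname R1
!
enable secret 5 $1$mERr$ABB9Y2FkwbWuPLfUgLUxf1
!
username admin1 secret 5 $1$xxxx$PLACEHOLDER-NOT-A-REAL-HASH
!
no ip http server
no cdp run
ip domain-name flackbox.com
ip ssh version 2
!
access-list 1 permit host 10.0.0.10
!
line con 0
 exec-timeout 15 0
 login local
!
line vty 0 15
 access-class 1 in
 exec-timeout 5 30
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  " + f)
```

Run it against `show running-config` output saved to a file to get the same list; every finding maps to one of the commands shown on the slides in this section.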
895
SSH Access
C:\> ssh -l Flackbox 10.0.0.1
Open
Password: Flackbox1
R1>

896
Lab

897
Login and Exec Banners
Messages can be displayed in the CLI before and/or after an
administrator logs in to a Cisco IOS device
This is most commonly used to display security warnings

898
Login and Exec Banners

R1(config)#banner login " (hit enter here)
Enter TEXT message. End with the character '"'.
Authorized users only"

R1(config)#banner exec "


Enter TEXT message. End with the character '"'.
Please log out immediately if you are not an authorized
administrator"

899
Login and Exec Banners

C:\> telnet 10.0.0.1


Trying 10.0.0.1 …Open

Authorized users only

User Access Verification


Password: Flackbox3
Please log out immediately if you are not an authorized
administrator
R1>enable

900
Disable Unused Services
It is best practice to disable unused services
This reduces the attack surface and also the load on the device
HTTPS is sometimes used by GUI administration tools but HTTP should
be disabled
CDP should also be disabled in highly secure environments

R1(config)#no ip http server


R1(config)#no cdp run

901
Time Synchronisation
All servers and infrastructure devices in your network should be
synchronised to the same time
This aids in troubleshooting as logs will report the correct time that
events occurred
It is also required by several security features such as Kerberos
authentication and digital certificates

902
NTP Network Time Protocol
Servers and infrastructure devices can use their own internal clock or
synchronise with an external NTP server
An NTP server should be used to ensure all devices have the same time
A Cisco router can function as an NTP server and/or client

903
NTP Configuration
R1(config)#clock timezone PST -8
R1(config)#ntp server 10.0.1.100 (configures router to be NTP client)
R1(config)#ntp master (configures router to be NTP server)

R1#show clock
16:19:36.51 PST Mon Oct 2 2017

R1#show ntp status


Clock is synchronized, stratum 2, reference is 10.0.1.100
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is DD53255C.0000039C (00:16:28.924 UTC Tue Jan 2 2018)
clock offset is 0.00 msec, root delay is 0.00 msec
root dispersion is 0.02 msec, peer dispersion is 0.02 msec.

904
Lab

905
Lab

906
Syslog

Logging messages on Cisco devices comply with the Syslog standard


A Syslog message is generated when something happens on the device,
such as an interface going down or an OSPF neighbour adjacency coming
up

907
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity-MNEMONIC:description

Example:
*Oct 3 00:44:12.627: %LINK-5-CHANGED: Interface
FastEthernet0/0, changed state to administratively down

908
Syslog Format
The format of the messages is:
seq no (optional)

909
Syslog Format
The format of the messages is:
seq no:time stamp

*Oct 3 00:44:12.627

910
Syslog Format
The format of the messages is:
seq no:time stamp: %facility

*Oct 3 00:44:12.627: %LINK

911
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity

*Oct 3 00:44:12.627: %LINK-5

912
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity-MNEMONIC

*Oct 3 00:44:12.627: %LINK-5-CHANGED

913
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity-MNEMONIC:description

*Oct 3 00:44:12.627: %LINK-5-CHANGED: Interface
FastEthernet0/0, changed state to administratively down

914
Syslog Severity Levels
Value  Severity       Description
0      Emergency      System is unusable. A panic condition.
1      Alert          A condition that should be corrected immediately, such as a corrupted system database.
2      Critical       Critical conditions, such as hard device errors.
3      Error          Error conditions.
4      Warning        Warning conditions.
5      Notice         Normal but significant conditions. Not errors, but may require special handling.
6      Informational  Informational messages.
7      Debug          Messages that contain information normally of use only when debugging a program.

915
Logging Locations
Syslog messages can be logged to various locations:
Console line - events will be shown in the CLI when you are logged in
over a console connection. All events logged by default
VTY Terminal lines - events will be shown in the CLI when you are
logged in over a Telnet or SSH session. Not enabled by default
The logging buffer – events saved in RAM memory, you can view
them with the ‘show logging’ command. All events logged by default
External Syslog servers

916
Logging Locations
You can specify the same or different severity levels to log for each
location
All messages of that severity level and higher will be logged
For example, if you set a logging level of 3 for the console, events with
severity levels 0, 1, 2 and 3 will be logged there
If you set a logging level of 7 for an external Syslog server, events from
all severity levels 0–7 will be logged there

917
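An added example in Python, not from the course slides: a parser for the seq no:time stamp: %facility-severity-MNEMONIC:description format, a severity-name lookup from the table, and a filter that applies the "that severity level and higher" rule a logging location uses. The regular expression, the function names and the fourth sample line (with a sequence number) are my own assumptions; the other sample lines are taken from the slides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity names indexed by value, as in the severity table (0 = Emergency ... 7 = Debug).
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Assumed pattern for "seq no:time stamp: %facility-severity-MNEMONIC:description"; the
# sequence number is optional and '*' before the timestamp means the clock was not NTP synchronised.
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"
    r"(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s*"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)

@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    description: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

def parse_message(line: str) -> SyslogMessage:
    """Split one IOS log line into its fields; ValueError if it does not fit the format."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Cisco Syslog message: {line!r}")
    return SyslogMessage(int(m["seq"]) if m["seq"] else None, m["ts"], m["facility"],
                         int(m["severity"]), m["mnemonic"], m["description"])

def logged_at_level(messages: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """Messages kept by a destination configured at `level`: that severity and higher (value <= level)."""
    return [msg for msg in messages if msg.severity <= level]

# Sample input: first three lines are from the slides, the fourth is constructed with a sequence number.
SAMPLE_LINES = [
    "*Oct 3 00:44:12.627: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down",
    "*Nov 12 21:17:08.299: %DEC21140-1-INITFAIL: Unsupported PHY brand timed out, csr5=0x0",
    "*Nov 12 21:17:14.075: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "000042: *Nov 12 21:17:14.115: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up",
]
```

With `logged_at_level(msgs, 3)` the Alert and the two Error messages pass, as a console set to level 3 would show, while the level 5 Notice is dropped.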
Internal Logging Locations Configuration
R1(config)#no logging console (disables logging to the console line)
R1(config)#logging monitor 6 (events with severity level informational
and higher will be logged to the VTY lines)
R1(config)#logging buffered debugging (events with severity level 7 and
higher will be logged to the buffer)

918
Logging to an External Syslog Server
You can log to an external Syslog server to centralise event reporting
You will typically set verbose logging to provide detailed troubleshooting
information

R1(config)#logging 10.0.0.100
R1(config)#logging trap debugging

919
External Syslog Server

920
SIEM Security Information and Event Management
A basic Syslog server provides a centralised location for Syslog logging
messages.
A Security Information and Event Management (SIEM) system provides a
centralised location for all logging messages and will typically provide
advanced analysis and correlation of events.

921
View Log Buffer and Configuration
R1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns,
xml disabled, filtering disabled)
Console logging: level error, 42 messages logged, xml disabled,
filtering disabled
Monitor logging: level warning, 38 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 87 messages logged, xml disabled,
filtering disabled
Trap logging: level debugging, 27 message lines logged
Logging to 10.0.0.100 (udp port 514, audit disabled,
link up),

Log Buffer (8192 bytes):

*Nov 12 21:17:08.015: %IFMGR-7-NO_IFINDEX_FILE: Unable to open nvram:/ifIndex-table No such
file or directory
*Nov 12 21:17:08.299: %DEC21140-1-INITFAIL: Unsupported PHY brand timed out, csr5=0x0
*Nov 12 21:17:14.075: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Nov 12 21:17:14.115: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up

922
Logging Synchronous
When working in a CLI session, by default any syslog messages will be
printed into the middle of any commands you are currently typing

R1(config)#interface f3/0
R1(config-if)#shutdown
R1(config-if)#do show ip interf
*Nov 12 20:27:00.727: %LINK-5-CHANGED: Interface
FastEthernet3/0, changed state to administratively downace br

923
Logging Synchronous
You can override this with the logging synchronous command
This causes a new line to be printed where you were in the command

R1(config)#line con 0
R1(config-line)#logging synchronous
R1(config-line)#interface f3/0
R1(config-if)#no shutdown
R1(config-if)#do show ip interf
*Nov 12 20:29:48.787: %LINK-3-UPDOWN:
Interface FastEthernet3/0, changed state to up
R1(config-if)#do show ip interf

924
Debug and Terminal Monitor
Show and Debug commands can be used to view specific information
over and above the standard Syslog messages
Show output shows a static point in time state
Debug output dynamically updates in real time
Be careful with debug commands in production environments, a large
amount of output can overwhelm the device
Debug output is logged to the console line and buffer by default
Use the R1#terminal monitor command to enable debug output to
the VTY lines

925
Lab

926
Lab

927