Flackbox Final - Pagenumber PDF
[Figure: a Wide Area Network linking New York and Boston offices across the Internet]
Network Characteristics
Topology
Speed
Cost
Security
Availability
Scalability
Reliability
The OSI Open Systems Interconnect Model
The OSI reference model is a standard of the International
Organization for Standardization (ISO).
It is a general-purpose framework that characterises and standardises
how computers communicate with one another over a network.
Its seven-layered approach to data transmission divides the operations
into specific related groups of actions at each layer.
A layer serves the layer above it and is served by the layer below it.
OSI Reference Model - Encapsulation
[Figure: animation frames showing the data being wrapped with a header at each layer on the way down the sending host: L7 first, then L6, L5, L4, L3 and finally L2]
OSI Reference Model – De-encapsulation
[Figure: the reverse on the receiving host: the L2 header is removed first, then L3, L4, L5 and L6, leaving the L7 data]
OSI Model Benefits
Engineers do not need to design a technology to work end to end from
top to bottom of the model. They can just focus on their layer of
expertise, and make sure they comply with the standards for the layers
above and below.
This leads to open standards and multi-vendor interoperability.
For example, if you’re an application developer, you can just focus on the top three layers; the lower layers are the domain of network engineers.
Troubleshooting is easier because you can analyse a problem in a logical fashion, layer by layer.
The OSI Open Systems Interconnect Model
It’s difficult to overstate how important the OSI Model is to computer
networking.
As you become more experienced you will ‘think’ according to the OSI
model when you are troubleshooting or learning a new network
technology.
On the job you will hear technologies and problems being described
according to their OSI layer.
OSI Acronyms
[Figure: acronyms for the seven OSI layers]
The TCP/IP Suite
TCP/IP was developed during the 1960s by the US Department of
Defense’s (DoD) Advanced Research Projects Agency (ARPA).
It is a protocol stack which consists of multiple protocols including TCP
(Transmission Control Protocol) and IP (Internet Protocol).
It is the main protocol stack used in computer networking today.
Whereas the OSI Reference Model is conceptual, the TCP/IP stack is
used to transfer data in production networks.
TCP/IP is also layered but does not use all of the OSI layers, though the
layers are equivalent in operation and function.
Comparing the OSI Model with the TCP/IP Stack
[Figure: the seven OSI layers mapped to the layers of the TCP/IP stack]
Host Communications Terminology
Protocol Data Unit (PDU) names:
Data (the upper layers)
Segment (Layer 4)
Packet (Layer 3)
Frame (Layer 2)
The Upper OSI Layers
Network engineers do not typically work directly with the upper 3
layers of the OSI model… but we still need to know what they do.
They are more relevant to application developers.
In this lecture I will primarily be giving you the Cisco definitions of the
layers.
Information included in the upper layers would include the Message
Body and Subject Line in an email message for example.
Layer 7 – The Application Layer
The application layer provides network services to the applications of
the user.
It differs from the other layers in that it does not provide services to
any other OSI layer.
The application layer establishes the availability of intended
communication partners.
It then synchronizes and establishes agreement on procedures for
error recovery and control of data integrity.
Layer 6 – The Presentation Layer
The presentation layer ensures that the information that is sent at the
application layer of one system is readable by the application layer of
another system.
The presentation layer can translate among multiple data formats using a common format (e.g. computers with different encoding schemes).
Layer 5 – The Session Layer
The session layer establishes, manages, and terminates sessions
between two communicating hosts.
The session layer also synchronizes dialog between the presentation
layers of the two hosts and manages their data exchange.
For example, web servers have many users, so there are many
communication processes open at any given time to track.
It also offers efficient data transfer, CoS, and exception reporting of
upper layer problems.
The Lower OSI Layers
Whereas network engineers are not particularly interested in the upper OSI layers, we are very concerned with the lower 4 layers of the OSI model.
Each of these layers has its own dedicated section later and you will learn much more detailed information about them throughout the course.
Layer 4 – The Transport Layer
The main characteristics of the Transport layer are whether TCP or
UDP transport is used, and the port number.
Definition:
‒ The transport layer defines services to segment, transfer, and
reassemble the data for individual communications between the end
devices.
‒ It breaks down large files into smaller segments that are less likely to
incur transmission problems.
Layer 3 – The Network Layer
The most important information at the Network layer is the source and
destination IP address.
Routers operate at Layer 3.
Definition:
‒ The network layer provides connectivity and path selection between
two host systems that may be located on geographically separated
networks.
‒ The network layer is the layer that manages the connectivity of hosts
by providing logical addressing.
Layer 2 – The Data-Link Layer
The most important information at the Data-Link layer is the source
and destination layer 2 address.
For example the source and destination MAC address if Ethernet is the
layer 2 technology.
Switches operate at Layer 2.
Definition:
‒ The data link layer defines how data is formatted for transmission and
how access to physical media is controlled.
‒ It also typically includes error detection and correction to ensure a
reliable delivery of the data.
Layer 1 – The Physical Layer
The Physical layer concerns literally the physical components of the
network, for example the cables being used.
Definition:
‒ The physical link enables bit transmission between end devices.
‒ It defines specifications needed for activating, maintaining, and
deactivating the physical link between end devices.
‒ For example, voltage levels, physical data rates, maximum transmission
distances, physical connectors etc.
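The encapsulation sequence from the earlier slides, and the fact that a switch forwards on Layer 2 addresses while a router forwards on Layer 3 addresses, as an added Python example (this is not code from the Flackbox course). Each PDU is a dictionary whose payload is the PDU of the layer above; the function names, the sample addresses and the "port filter" device label are this example's own assumptions.

```python
# Added example (not from the Flackbox slides): the encapsulation/de-encapsulation
# sequence modelled as nested dictionaries, one header per layer.
# Only L4, L3 and L2 get explicit headers here; L7-L5 are folded into "data",
# which is how the slides' PDU names (segment, packet, frame) are defined.

PDU_NAME = {4: "segment", 3: "packet", 2: "frame"}

# Which layer each device type looks at when forwarding (from the slides:
# switches at Layer 2, routers at Layer 3). "port filter" is a hypothetical
# device label added here for an L4-aware filter.
DEVICE_LAYER = {"switch": 2, "router": 3, "port filter": 4}


def encapsulate(data: bytes, src_port: int, dst_port: int, src_ip: str, dst_ip: str,
                src_mac: str, dst_mac: str, transport: str = "TCP") -> dict:
    """Wrap application data going down the stack: L4 header first, then L3, then L2."""
    segment = {"layer": 4, "pdu": PDU_NAME[4], "proto": transport,
               "src_port": src_port, "dst_port": dst_port, "payload": data}
    packet = {"layer": 3, "pdu": PDU_NAME[3],
              "src_ip": src_ip, "dst_ip": dst_ip, "payload": segment}
    frame = {"layer": 2, "pdu": PDU_NAME[2],
             "src_mac": src_mac, "dst_mac": dst_mac, "payload": packet}
    return frame


def header_fields(pdu: dict) -> dict:
    """The header of one PDU without its payload or bookkeeping keys."""
    return {k: v for k, v in pdu.items() if k not in ("payload", "layer", "pdu")}


def decapsulate(frame: dict):
    """Peel headers on the receiving host, L2 first. Returns the list of
    (layer, pdu name, header) removed in order, and the original data."""
    trail = []
    pdu = frame
    while isinstance(pdu, dict):
        trail.append((pdu["layer"], pdu["pdu"], header_fields(pdu)))
        pdu = pdu["payload"]
    return trail, pdu


def device_view(frame: dict, device: str) -> dict:
    """The header a device at its layer uses to make a forwarding decision.
    A switch only sees MAC addresses, a router only IP addresses, and neither
    looks at port numbers."""
    wanted = DEVICE_LAYER[device]
    pdu = frame
    while pdu["layer"] != wanted:
        pdu = pdu["payload"]
    return header_fields(pdu)


# Constructed sample: an HTTP request from 192.168.10.15 to a web server.
SAMPLE_FRAME = encapsulate(
    b"GET / HTTP/1.1", src_port=51000, dst_port=80,
    src_ip="192.168.10.15", dst_ip="192.168.11.20",
    src_mac="00:11:22:33:44:55", dst_mac="66:77:88:99:aa:bb",
)

if __name__ == "__main__":
    for layer, name, header in decapsulate(SAMPLE_FRAME)[0]:
        print(f"L{layer} {name}: {header}")
```

Running the block prints the headers in the order the receiving host strips them (frame, packet, segment). The `device_view` function is the useful part for troubleshooting: it makes explicit that a problem visible only in port numbers cannot be diagnosed from what a switch or router forwards on.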
A Short History of Cisco Operating Systems
Most people think of Cisco as primarily a routing and switching
company, but they actually started out with just routers in 1984.
IOS is the operating system that has been used on Cisco routers since
their inception.
Cisco Catalyst switches evolved from the acquisition of Crescendo in
1993.
The original Cisco switch operating system was CatOS, which has now
been deprecated.
A Short History of Cisco Operating Systems
Cisco firewalls evolved from the acquisition of Network Translation’s
PIX firewall with Finesse operating system in 1995.
Cisco switches and firewalls were ported over to the IOS operating
system over the following years.
Other Cisco Operating Systems
IOS remains as the operating system used on the majority of Cisco
enterprise grade network devices.
Other operating systems have been developed for some more recent
router and switch platforms.
Other Cisco Operating Systems
The Cisco Nexus and MDS data center switch product lines run on
NX-OS.
The IOS-XR operating system runs on the service provider NCS, CRS,
ASR9000 and XR12000 series routers.
IOS-XE runs on the ASR1000 series service provider routers.
The Command Line Interfaces for the other operating systems are
nearly identical to IOS.
Connecting to a Cisco Device
To get to the Command Line Interface for day-to-day management of a Cisco device you will use Secure Shell (SSH) to connect to its management IP address.
In enterprise networks, secure login will typically be enforced through integration with a centralised AAA (Authentication, Authorization and Accounting) server.
Initial Connection to a Cisco Device
We will cover SSH and AAA in later lessons.
Cisco devices do not usually have a default IP address, so we need to
set one up before we can connect to it this way.
We need a way to connect to the device to do the initial configuration
including adding IP addresses. This is where the console connection
comes in.
Cisco Device Management Ports
[Figure: the console and management ports on a Cisco device]
The Console Cable (DB9 to RJ45)
[Figure: DB9 to RJ45 console cable]
The New Console Cable (USB to Mini-USB)
[Figure: USB to Mini-USB console cable]
Out of Band Management
As well as for initial configuration, the console port can be used if the
device’s IP addresses become unresponsive.
It can also be used to troubleshoot the bootup process. You can view
the device booting up from a console connection but this is not
possible with SSH because the system must have booted already
before the IP address will be live.
The console connection can also be used for Out of Band
Management.
This is where you use a different path (other than the production
network) to connect to the device for management.
Out of Band Management
[Figure: a separate management network with a terminal server (you can SSH to the terminal server) which provides a console connection to the device]
IOS Command Hierarchy
[Figure: the hierarchy of IOS command modes]
Command Abbreviation
There must be only one possible match for what you typed for abbreviation to succeed.
Context Sensitive Help
‘show ?’ will show all available keyword options for the ‘show’ command.
‘show ip ?’ will show all available keyword options for the ‘show ip’ command.
Moving the Cursor
The arrow keys (← and →) move the cursor left and right one character at a time.
Command History
[Figure: recalling previous commands from the command history]
Showing command output
Enter will show ‘show’ command output which scrolls off the end of the page line by line.
Ctrl-C will break out of the show command output and return to the command prompt.
Piped Command Examples
[Figure: examples of piped ‘show’ commands]
Configuration Storage Locations
[Figure: where the configuration is stored on the device]
Saving the Configuration
Enter ‘wr erase’ and then ‘reload’ to delete the starting configuration and factory reset the device.
Layer 4 – The Transport Layer
The Transport layer provides transparent transfer of data between
hosts and is responsible for end-to-end error recovery and flow
control.
Flow control is the process of adjusting the flow of data from the
sender to ensure that the receiving host can handle all of it.
Session Multiplexing
[Figure: one sender with simultaneous sessions to a receiver for SMTP (port 25) and HTTP (port 80), and a session to a second receiver for SMTP (port 25)]
Layer 4 Port Numbers
The Layer 4 destination port number is used to identify the upper layer
protocol.
For example, HTTP uses port 80, SMTP email uses port 25.
The sender also adds a source port number to the Layer 4 header.
The combination of source and destination port number can be used
to track sessions.
Layer 4 Port Numbers
[Figure: source and destination port numbers in the Layer 4 header]
TCP
TCP (Transmission Control Protocol) and UDP (the User Datagram Protocol) are the most common Layer 4 protocols.
TCP is connection oriented – once a connection is established, data can be sent bidirectionally over that connection.
TCP carries out sequencing to ensure segments are processed in the correct order and none are missing.
TCP is reliable – the receiving host sends acknowledgments back to the sender. Lost segments are resent.
TCP performs flow control.
The TCP Three-Way Handshake
Sender -> Receiver: SYN
Receiver -> Sender: SYN-ACK
Sender -> Receiver: ACK
The TCP Header
[Figure: TCP header fields]
UDP
The User Datagram Protocol sends traffic best effort.
UDP is not connection oriented. There is no handshake connection
setup between the hosts.
UDP does not carry out sequencing to ensure segments are processed
in the correct order and none are missing.
UDP is not reliable – the receiving host does not send
acknowledgments back to the sender.
UDP does not perform flow control.
If error detection and recovery is required it is up to the upper layers
to provide it.
The UDP Header
[Figure: UDP header fields]
TCP vs UDP
Application developers will typically choose to use TCP for traffic which
requires reliability.
Real-time applications such as voice and video can’t afford the extra
overhead of TCP so they use UDP.
Some applications can use both TCP and UDP.
Common Applications and Their Destination Ports
TCP: FTP (21), SSH (22), Telnet (23), HTTP (80), HTTPS (443)
UDP: TFTP (69), SNMP (161)
TCP and UDP: DNS (53)
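The session tracking described in the Layer 4 Port Numbers slide (the combination of source and destination port identifies a session) and the three-way handshake, as an added Python example that is not part of the course material. It follows each TCP flow through SYN, SYN-ACK and ACK, names the service from the destination port table above (plus SMTP on 25, mentioned earlier in the section), and ignores UDP because there is no handshake to follow. The sample segments are constructed for this example and the function names are its own.

```python
# Added example (not from the slides): a minimal connection tracker. It follows the
# three-way handshake per (client ip, client port, server ip, server port), exactly the
# "source and destination port number" combination the slides say identifies a session,
# and names the service from the destination port using the port table above.
# The sample segments below are constructed for this example.
from typing import Dict, Iterable, List, Tuple

TCP_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}
UDP_PORTS = {53: "DNS", 69: "TFTP", 161: "SNMP"}

Flow = Tuple[str, int, str, int]  # client ip, client port, server ip, server port


def service_name(proto: str, port: int) -> str:
    table = TCP_PORTS if proto == "TCP" else UDP_PORTS
    return table.get(port, "unknown")


def track_sessions(segments: Iterable[dict]) -> Dict[Flow, str]:
    """Walk segments in order and return the handshake state of every TCP flow:
    SYN_SENT, SYN_RECEIVED or ESTABLISHED. UDP datagrams are skipped because UDP
    is not connection oriented and there is no handshake to follow."""
    sessions: Dict[Flow, str] = {}
    for seg in segments:
        if seg["proto"] != "TCP":
            continue
        flags = set(seg["flags"])
        fwd: Flow = (seg["src_ip"], seg["src_port"], seg["dst_ip"], seg["dst_port"])
        rev: Flow = (seg["dst_ip"], seg["dst_port"], seg["src_ip"], seg["src_port"])
        if flags == {"SYN"}:
            sessions[fwd] = "SYN_SENT"            # step 1: client -> server
        elif flags == {"SYN", "ACK"} and sessions.get(rev) == "SYN_SENT":
            sessions[rev] = "SYN_RECEIVED"        # step 2: server -> client
        elif flags == {"ACK"} and sessions.get(fwd) == "SYN_RECEIVED":
            sessions[fwd] = "ESTABLISHED"         # step 3: client -> server
    return sessions


def half_open(sessions: Dict[Flow, str]) -> List[Flow]:
    """Flows whose handshake never completed; a monitoring view, not a block list."""
    return [flow for flow, state in sessions.items() if state != "ESTABLISHED"]


def describe(sessions: Dict[Flow, str]) -> List[str]:
    return [f"{c_ip}:{c_port} -> {s_ip}:{s_port} {service_name('TCP', s_port)} {state}"
            for (c_ip, c_port, s_ip, s_port), state in sessions.items()]


def seg(proto, src_ip, src_port, dst_ip, dst_port, *flags):
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "flags": list(flags)}


SAMPLE = [  # constructed: one complete HTTP handshake, one unfinished SMTP one, one DNS datagram
    seg("TCP", "192.168.10.15", 51000, "192.168.11.20", 80, "SYN"),
    seg("TCP", "192.168.11.20", 80, "192.168.10.15", 51000, "SYN", "ACK"),
    seg("TCP", "192.168.10.15", 51000, "192.168.11.20", 80, "ACK"),
    seg("TCP", "192.168.10.15", 51001, "192.168.11.20", 25, "SYN"),
    seg("UDP", "192.168.10.15", 52000, "192.168.11.53", 53),
]

if __name__ == "__main__":
    for line in describe(track_sessions(SAMPLE)):
        print(line)
```

The tracker keys every flow by the full four-tuple, which is what lets two sessions from the same host to the same server (SMTP on 25 and HTTP on 80 in the session multiplexing figure) be kept apart. A flow that stays in SYN_SENT or SYN_RECEIVED is worth noticing in logs: the server never completed the handshake, so no data could have been exchanged.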
Layer 3 – The Network Layer
The Network layer is responsible for routing packets to their
destination and for Quality of Service.
IP (Internet Protocol) is the best known Layer 3 protocol. IPv4 is the
focus of this section.
It is a connectionless protocol with no acknowledgements at Layer 3.
Other Layer 3 protocols include ICMP (Internet Control Message
Protocol) and IPSec.
IP Addressing
IP addressing is a logical addressing scheme which is implemented at
Layer 3.
The network designer uses IP addressing to partition the overall
network into smaller ‘subnets’.
This improves performance and security and makes troubleshooting
easier.
Layer 2 MAC addresses use one big flat addressing scheme. There is no logical separation between networks at Layer 2; that separation is done at Layer 3.
The IP Header
[Figure: IP header fields]
Unicast, Broadcast and Multicast Traffic
[Figure: four diagrams from one sender: Unicast Traffic, Broadcast Traffic, Unicast Traffic to Multiple Hosts, and Multicast Traffic]
Counting in Decimal
Humans are conditioned to count in decimal.
For each ‘column’ in a number we have 10 possible choices, from 0 to
9.
Every time we add a digit, the value is magnified by a power of 10.
We start with a ‘1’ as the furthest right multiplier, then each digit to
the left is multiplied by 10.
236 is six 1’s, three 10’s, and two 100’s.
Counting in Binary
Computers work in binary.
Electrical impulses are either on or off, so there’s two choices.
For each ‘column’ in a number we have 2 possible choices, 0 or 1.
Every time we add a digit, the value is magnified by a power of 2.
We start with a ‘1’ as the furthest right digit, then each digit to the left
is multiplied by 2.
236 in binary is 11101100
128 64 32 16 8 4 2 1
  1  1  1  0 1 1 0 0
Counting up to 7 in Binary
Decimal   4 2 1
   0      0 0 0
   1      0 0 1
   2      0 1 0
   3      0 1 1
   4      1 0 0
   5      1 0 1
   6      1 1 0
   7      1 1 1
IPv4 Addresses
An IPv4 address is 32 bits long.
It is written as 4 ‘octets’ in dotted decimal format.
For example 192.168.10.15
Each octet is 8 bits long (4 x 8 = 32)
Static vs Automatic Addressing
The IP address is usually set manually on servers, printers and network
devices such as routers and switches. It is usually assigned
automatically through the Dynamic Host Configuration Protocol
(DHCP) on desktop computers.
To understand how the logical separation between subnets works, you
need to understand the IP address in binary.
IPv4 Address Octets
Each octet in the IP address has a value ranging from 0 to 255
128 64 32 16 8 4 2 1
  0  0  0  0 0 0 0 0   = 0
  1  1  1  1 1 1 1 1   = 255
Converting First Octet to Binary
Let’s convert that 192.168.10.15 address to binary, starting with the first octet of 192.
Write out the binary columns on a piece of paper to do this:
128 64 32 16 8 4 2 1
  1  1  0  0 0 0 0 0
192 - 128 = 64
64 - 64 = 0
The first octet is 11000000 in binary
128 + 64 = 192
Converting Second Octet to Binary
The second octet of 192.168.10.15 is 168
128 64 32 16 8 4 2 1
  1  0  1  0 1 0 0 0
Conversion Answer
192.168.10.15 = 11000000.10101000.00001010.00001111
Columns in each octet: 128 64 32 16 8 4 2 1
192 = 1 1 0 0 0 0 0 0
168 = 1 0 1 0 1 0 0 0
 10 = 0 0 0 0 1 0 1 0
 15 = 0 0 0 0 1 1 1 1
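The column method used in the conversions above, automated as an added Python example (not code from the course): each octet is converted by subtracting the column values 128, 64, 32, 16, 8, 4, 2, 1 from left to right, exactly as the 192 worked example does, and the reverse direction adds the column value for every 1 bit. The function names are this example's own; the test values are the slides' 192.168.10.15 and 236.

```python
# Added example (not from the slides): the column method from the text, automated.
COLUMNS = [128, 64, 32, 16, 8, 4, 2, 1]


def octet_to_bits(value: int) -> str:
    """Convert 0..255 to 8 bits by subtracting column values left to right,
    exactly as the 192 -> 11000000 worked example does."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    bits = []
    remaining = value
    for column in COLUMNS:
        if remaining >= column:
            bits.append("1")
            remaining -= column
        else:
            bits.append("0")
    return "".join(bits)


def bits_to_octet(bits: str) -> int:
    """Reverse direction: add the column value for every 1 bit."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"not an 8-bit string: {bits!r}")
    return sum(col for col, b in zip(COLUMNS, bits) if b == "1")


def ip_to_binary(address: str) -> str:
    """Dotted decimal -> dotted binary, e.g. 192.168.10.15 -> 11000000.10101000.00001010.00001111"""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"not dotted decimal: {address!r}")
    return ".".join(octet_to_bits(int(o)) for o in octets)


def binary_to_ip(binary: str) -> str:
    return ".".join(str(bits_to_octet(b)) for b in binary.split("."))


def show_working(value: int) -> list:
    """The subtraction steps as the slides write them, e.g. 192 -> ['192 - 128 = 64', '64 - 64 = 0']."""
    steps, remaining = [], value
    for column in COLUMNS:
        if remaining >= column:
            steps.append(f"{remaining} - {column} = {remaining - column}")
            remaining -= column
    return steps


if __name__ == "__main__":
    print(ip_to_binary("192.168.10.15"))
    for step in show_working(192):
        print(step)
```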
Subnet Masks
The Subnet Mask
A host can send traffic directly to another host on the same subnet via
switches
For a host to send traffic to another host in a different subnet, it must
be forwarded by a router
The host therefore needs to understand if the destination is on the
same or a different subnet in order to know how to send it
The subnet mask is used for this
The subnet mask is also 32 bits long, and can be written in dotted
decimal or slash notation
Network and Host Portion
A host’s IP address is divided into a network portion and a host portion
The subnet mask defines where the boundary is
The easiest way to explain this is through example…
Let’s say the host’s IP address is 192.168.10.15 and its subnet mask is
255.255.255.0
We write the IP address out in binary notation, and then the subnet
mask underneath
Subnet ‘Masking’
192.168.10.15 / 255.255.255.0
Columns in each octet: 128 64 32 16 8 4 2 1
IP:   11000000 . 10101000 . 00001010 . 00001111
Mask: 11111111 . 11111111 . 11111111 . 00000000
The Network Portion
192.168.10.15 / 255.255.255.0
IP:   11000000 . 10101000 . 00001010 | 00001111
Mask: 11111111 . 11111111 . 11111111 | 00000000
      network portion (mask bits = 1) |
Local Subnet or Routed Traffic
192.168.10.15 / 255.255.255.0
IP:   11000000 . 10101000 . 00001010 | 00001111
Mask: 11111111 . 11111111 . 11111111 | 00000000
If the host wants to communicate with another host with an IP address which also begins with 192.168.10. (for example 192.168.10.20), it knows it’s on the same subnet and it can send the traffic directly.
If it wants to communicate with another host with any other network address (for example 192.168.11.20), it knows it has to send the traffic via a router.
Valid Subnet Masks
192.168.10.15 / 255.255.255.0
IP:   11000000 . 10101000 . 00001010 | 00001111
Mask: 11111111 . 11111111 . 11111111 | 00000000
The Host Portion
192.168.10.15 / 255.255.255.0
IP:   11000000 . 10101000 . 00001010 | 00001111
Mask: 11111111 . 11111111 . 11111111 | 00000000
                                     | host portion (mask bits = 0)
Host Addresses
The host portion of the address specifies the individual host and must
be unique on that subnet
Hosts do not have to be numbered sequentially
If the network portion of the address is 10.10.10, you can have a host
with IP address 10.10.10.10 and another host with 10.10.10.20
You can’t have two different hosts both with IP address 10.10.10.10.
That would be a duplicate IP address. Whenever another host sent
traffic to 10.10.10.10, the network wouldn’t know which one to send it
to.
We could have host 10.10.10.10 on one subnet and host 10.10.20.10
on another subnet
The Network Address (Network ID)
192.168.10.15 / 255.255.255.0
Network: 11000000 . 10101000 . 00001010 | 00000000
Mask:    11111111 . 11111111 . 11111111 | 00000000
All 0’s in the host portion designates the network address and is not allowed to be allocated to a host
In our example the network address is 192.168.10.0
The Broadcast Address
192.168.10.15 / 255.255.255.0
Broadcast: 11000000 . 10101000 . 00001010 | 11111111
Mask:      11111111 . 11111111 . 11111111 | 00000000
All 1’s designates the directed broadcast address for the subnet
Traffic with this destination address will be sent to all hosts in the subnet
In our example the broadcast address is 192.168.10.255
Host Addresses
192.168.10.15 / 255.255.255.0
IP:   11000000 . 10101000 . 00001010 | 00001111
Mask: 11111111 . 11111111 . 11111111 | 00000000
Lowest host portion:  00000001  (192.168.10.1)
Highest host portion: 11111110  (192.168.10.254)
Subnet Mask in Slash Notation
192.168.10.15 / 255.255.255.0
IP:   11000000 . 10101000 . 00001010 | 00001111
Mask: 11111111 . 11111111 . 11111111 | 00000000   (24 bits set: /24)
Because the subnet mask always begins with contiguous ‘1’s, it will be 1 to 32 bits long counting from left to right
This allows us to write the subnet mask in slash notation which is more convenient than dotted decimal for network diagrams or in conversation
Subnet Mask in Slash Notation Example 2
10.10.10.15 / 255.0.0.0
IP:   00001010 | 00001010 . 00001010 . 00001111
Mask: 11111111 | 00000000 . 00000000 . 00000000   (8 bits set: /8)
Subnet Size
Mask: 11111111 | 00000000 . 00000000 . 00000000   (/8)
The bigger the host portion of the network, the more hosts we can have
If the subnet mask is /8, we have 24 bits available to allocate to hosts
If the subnet mask is /24, we only have 8 bits available to allocate to hosts
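The masking shown in the bit tables above, from the subnet mask slide through network address, broadcast address, host range, the local-or-routed decision and slash notation, as one added Python example (not code from the course). It uses integer bit operations instead of writing the bits out by hand, and rejects a mask that is not contiguous 1s followed by 0s, which the slides state is the rule for a valid mask. The 192.168.10.15 / 255.255.255.0 values are the slides' own example; the function names are this example's.

```python
# Added example (not from the slides): the masking the bit tables above show, done with
# integer bit operations. The 192.168.10.15 / 255.255.255.0 values are the slides' own
# example; the function names are this example's.

def ip_to_int(address: str) -> int:
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {address!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_length(mask: str) -> int:
    """Dotted-decimal mask -> slash notation. A valid mask is contiguous 1s followed
    by 0s, so anything else (e.g. 255.0.255.0) is rejected rather than miscounted."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != mask_from_prefix(ones):
        raise ValueError(f"not a valid subnet mask: {mask}")
    return ones


def network_address(ip: str, mask: str) -> str:
    # AND with the mask keeps the network portion and zeroes the host portion
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    # network portion unchanged, host portion set to all 1s
    m = ip_to_int(mask)
    return int_to_ip((ip_to_int(ip) & m) | (~m & 0xFFFFFFFF))


def host_range(ip: str, mask: str):
    """First and last assignable host addresses (network and broadcast excluded)."""
    if prefix_length(mask) > 30:
        raise ValueError("a /31 or /32 has no network/broadcast pair to exclude")
    first = ip_to_int(network_address(ip, mask)) + 1
    last = ip_to_int(broadcast_address(ip, mask)) - 1
    return int_to_ip(first), int_to_ip(last)


def usable_hosts(mask: str) -> int:
    """2^(host bits) minus the network and broadcast addresses."""
    host_bits = 32 - prefix_length(mask)
    return 2 ** host_bits - 2


def same_subnet(ip: str, mask: str, other: str) -> bool:
    """The local-or-routed decision a host makes: same network portion means send
    directly, otherwise hand the packet to a router."""
    return network_address(ip, mask) == network_address(other, mask)


def slash(ip: str, mask: str) -> str:
    return f"{ip}/{prefix_length(mask)}"


if __name__ == "__main__":
    ip, mask = "192.168.10.15", "255.255.255.0"
    print(slash(ip, mask), network_address(ip, mask), broadcast_address(ip, mask))
    print(host_range(ip, mask), usable_hosts(mask))
    print(same_subnet(ip, mask, "192.168.10.20"), same_subnet(ip, mask, "192.168.11.20"))
```

The contiguity check in `prefix_length` matters in practice: a mistyped mask such as 255.0.255.0 still has 16 bits set, so counting bits alone would silently report /16 and every later calculation would be wrong.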
How Internet Addressing Was Meant to Work
The global coordination of Internet IPv4 addressing is performed by
IANA (Internet Assigned Numbers Authority).
This is the way it was originally supposed to work:
When a company wants to communicate on the internet, they apply
for a range of IP addresses.
If they have 6000 hosts, they ask for a range of IP addresses big
enough to cover that, plus room for growth.
They then allocate their addresses to their hosts in their various
offices.
How Internet Addressing Was Meant to Work
Unfortunately, when IPv4 was created, the designers didn’t realise how big the internet was going to get, and they didn’t create a big enough address space – there aren’t enough addresses for everyone.
The long term solution to this problem is IPv6 which has a much bigger address space.
How Internet Addressing Was Meant to Work
Private IP addresses with NAT (Network Address Translation) are currently
deployed in the majority of enterprise networks as a workaround.
You’ll learn all about private addresses, NAT and IPv6 in a later lecture.
To understand the lectures until we get to that point, think about it from
the context of the originally intended IPv4 design, where all hosts which
can communicate on the Internet have a public IP address.
Class A
The internet authorities split the IPv4 address space into separate
classes.
Class A addresses are assigned to networks with a very large number
of hosts.
The high-order (first) bit in a class A address is always set to zero.
The default subnet mask is /8
Valid network addresses range from 1.0.0.0 to 126.0.0.0 /8
This allows for 126 networks and 16,777,214 hosts per network.
Columns in each octet: 128 64 32 16 8 4 2 1
00001111 . 00000000 . 00000000 . 00000000 = 15.0.0.0/8
Reserved Class A Addresses
0.0.0.0/8 is reserved and signifies ‘this network’
0.0.0.1 to 0.255.255.255 are not valid host addresses
  0.10.10.15 = 00000000 . 00001010 . 00001010 . 00001111
127.10.10.15 = 01111111 . 00001010 . 00001010 . 00001111
The second row shows 127.0.0.0/8, the loopback range, which is also unusable for hosts. Between them these two reserved /8 blocks wiped out 33,554,428 addresses from the global address pool – whoops!
Subnetting
Obviously a company wouldn’t put all 16,777,214 hosts into a single logical network; this would be terrible for performance and security.
They would split their /8 address allocation into smaller subnets and allocate these to different offices and types of hosts.
For example if they received 15.0.0.0/8, they could allocate the subnet 15.0.1.0/24 to sales computers in New York, 15.0.2.0/24 to accounting PCs and 15.0.9.0/24 to sales computers in Boston.
This is called subnetting and you’ll master it later in this section.
Class B
Class B addresses are assigned to medium-sized to large-sized networks.
The two high-order bits in a class B address are always set to binary 1 0.
The default subnet mask is /16
Valid network addresses range from 128.0.0.0 to 191.255.0.0 /16
This allows for 16,384 networks and 65,534 hosts per network.
This would also be subnetted in a real world environment.
Columns in each octet: 128 64 32 16 8 4 2 1
10000011 . 11000000 . 00000000 . 00000000 = 131.192.0.0/16
Class C
Class C addresses are used for small networks.
The three high-order bits in a class C address are always set to binary 1 1 0.
The default subnet mask is /24
Valid network addresses range from 192.0.0.0 to 223.255.255.0 /24
This allows for 2,097,152 networks and 254 hosts per network.
This could be allocated as is for a real world network, or subnetted into
smaller subnets.
Columns in each octet: 128 64 32 16 8 4 2 1
11000011 . 00000000 . 11000000 . 00000000 = 195.0.192.0/24
A Quick Note on Private Addresses
There is also a range of reserved Private Addresses in each class
These are valid to be assigned to hosts but they are not routable on
the public internet
They were originally designed for hosts in a closed private network
with no Internet connectivity
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
Private addresses will be discussed in a later lecture in this section
Address Classes
Classes A, B and C include all the addresses which are valid to be assigned
to hosts
Class D
Class D addresses are reserved for IP multicast addresses.
The four high-order bits in a class D address are always set to binary 1 1 1 0.
These addresses are not allocated to hosts and there is no default subnet mask
Valid addresses range from 224.0.0.0 to 239.255.255.255
11100011 . 00000001 . 11000000 . 00000101 = 227.1.192.5
Unicast Traffic
[Figure: sender 10.10.10.10 sends one packet with SRC 10.10.10.10, DST 10.10.10.15 to host 10.10.10.15, and a separate packet with SRC 10.10.10.10, DST 10.10.20.15 to host 10.10.20.15]
Multicast Traffic
[Figure: sender 10.10.10.10 sends a single packet with SRC 10.10.10.10, DST 239.0.0.1, which is delivered to both 10.10.10.15 and 10.10.20.15]
Class E
Class E addresses are ‘experimental and reserved for future use’.
The high-order bits in a class E address are set to 1111
These addresses are not allocated to hosts and there is no default subnet
mask
Addresses range from 240.0.0.0 to 255.255.255.255
255.255.255.255 is the broadcast address for ‘this network’
11110011 . 00000001 . 11000000 . 00001010 = 243.1.192.10
IP Address Class Summary
[Figure: summary table of the address classes, their high-order bits, ranges and default subnet masks]
CIDR Classless Inter-Domain Routing
A problem with classful addresses was that if a company had more
than 254 hosts they would need to be assigned a Class B network
They would have much less than the 65,534 hosts allocated, so this
wasted a huge amount of the global address space
Classless Inter-Domain Routing (CIDR) was introduced in 1993 to
alleviate this problem
CIDR Classless Inter-Domain Routing
CIDR removed the fixed /8, /16 and /24 requirements for the address
classes, and allowed them to be split or ‘subnetted’ into smaller
networks
For example 175.10.10.0/20
Companies can now be allocated an address range which more closely
matches their needs and does not waste addresses
CIDR and Route Summarisation
Another benefit of CIDR is that aggregate blocks of networks can be
advertised on the Internet
Subnetting
To understand this lecture, think about it from the point of view of the
originally intended IPv4 design again, where all hosts which can
communicate on the Internet have a public IP address.
Let’s say we’re the network designer for a small business with four
departments spread over two offices, and we want to manage our
own public address space.
Rather than purchasing separate address ranges for the different
departments, we can purchase a single range and subnet it into
smaller portions.
Borrowing Host Bits
Let’s say we’ve been allocated Class C 200.15.10.0/24
Columns in each octet: 128 64 32 16 8 4 2 1
IP:   11001000 . 00001111 . 00001010 | 00000000
Mask: 11111111 . 11111111 . 11111111 | 00000000
Calculating the Number of Networks
To calculate the number of available subnets, the formula is 2^(subnet bits)
If a Class C network uses a /28 subnet mask then we’ve borrowed 4 bits from the default of /24
2^4 = 16 available subnets
If a Class B network uses a /28 subnet mask then we’ve borrowed 12 bits from the default of /16
2^12 = 4096 available subnets
Hosts on different subnets need to go via a router if they want to communicate with each other
Calculating the Number of Hosts
To calculate the number of available hosts, the formula is 2^(host bits) minus 2
We subtract 2 because the network address and broadcast address cannot be assigned to hosts
If a Class C network uses a /28 subnet mask then we have 4 bits left for hosts
2^4 - 2 = 14
If a Class B network uses a /28 subnet mask then we have 4 bits left for hosts
2^4 - 2 = 14
Class C /31 Subnet
Let’s say we’ve been allocated Class C 200.15.10.0/24
Columns in each octet: 128 64 32 16 8 4 2 1
IP:   11001000 . 00001111 . 00001010 . 0000000|0
Mask: 11111111 . 11111111 . 11111111 . 0000000|0
If we move the line all the way to the right we’re now using /31 (or 255.255.255.254)
This leaves one bit for the host address, with a possible value of 0 or 1
It borrows 7 bits for the network address
This gives us 128 subnets (2^7) which accommodate 2 hosts each
Class C /31 Subnet
Let’s say we’ve been allocated Class C 200.15.10.0/24.
200.15.10.0   = 11001000.00001111.00001010.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000
Let’s move the line back a place. We’re now using /30 (or 255.255.255.252)
This leaves 2 bits for the host address, 2^2 = 4, minus 2 for the network and
broadcast address = 2 possible hosts
It borrows 6 bits for the network address
This gives us 64 subnets (2^6) which accommodate 2 hosts each
150
Class C /30 Subnet
Notice that the line is after the 4. The network address goes up in values of 4.
200.15.10.0     = 11001000.00001111.00001010.00000000
255.255.255.252 = 11111111.11111111.11111111.11111100 (/30)
152
Class C /29 Subnet
Let’s say we’ve been allocated Class C 200.15.10.0/24
200.15.10.0   = 11001000.00001111.00001010.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000
Let’s move the line back a place. We’re now using /29 (or 255.255.255.248)
This leaves 3 bits for the host address, 2^3 minus 2 = 6 possible hosts
It borrows 5 bits for the network address
This gives us 32 subnets (2^5) which accommodate 6 hosts each
153
Class C /29 Subnet
Notice that the line is after the 8. The network address goes up in values of 8.
200.15.10.0     = 11001000.00001111.00001010.00000000
255.255.255.248 = 11111111.11111111.11111111.11111000 (/29)
155
Variable Length Subnet Masks VLSM
Early routing protocols only supported Fixed Length Subnet Masking
(FLSM) where all subnets had to be the same size. You couldn’t have a
subnet with 14 hosts and another subnet with 64 hosts in the same
network.
All modern routing protocols support Variable Length Subnet Masking.
This allows us to size subnets differently according to how many hosts
they have.
156
Subnetting Practice Question
What are the network address, broadcast address, and valid host
addresses for the IP address 198.22.45.173/26?
What is the subnet mask in dotted decimal notation?
Pause the video here and answer the questions.
157
Practice Question Answer
Let’s figure out the subnet mask in dotted decimal notation first
because that’s easy…
/26 borrows the first 2 bits in the last octet
255.255.255.192 = 11111111.11111111.11111111.11000000 (bit values in each octet: 128 64 32 16 8 4 2 1)
128 + 64 = 192
So the subnet mask is 255.255.255.192
158
Practice Question Answer
Next let’s calculate the address range for this subnet
Write out 198.22.45.173/26
198.22.45.173   = 11000110.00010110.00101101.10101101
255.255.255.192 = 11111111.11111111.11111111.11000000
Last octet only (bit values 128 64 32 16 8 4 2 1):
173 = 1 0 1 0 1 1 0 1
192 = 1 1 0 0 0 0 0 0
Note that when we subnet a Class C address the magic is all going to
happen in the last octet
So we didn’t really need to write out the 198.22.45 part
160
Subnetting Considerations
How many locations do we have in the network?
How many hosts are in each location?
What are the IP addressing requirements for each location? (Should
different departments or types of host be in different subnets?)
What size is appropriate for each subnet? (Don’t waste addresses, but
leave room for growth.)
162
Network Topology Diagram
New York: Sales 14 hosts (the router interface + 13 PCs), Engineering 28 hosts
Boston: Sales 7 hosts, Engineering 28 hosts
Point to point link between New York and Boston: 2 hosts
The router interfaces need IP addresses so count as hosts.
In the real world you want a scalable design – you will likely allocate spare
subnets for future growth, and leave space in the subnets for additional
hosts.
In the CCNA exam do exactly what the question asks, don’t worry about
whether it’s best practice or not.
164
Engineering Departments
The Engineering departments in both sites have 28 hosts.
For our example we’ve been told that the departments will not grow and
we need to use the smallest subnets possible to maximise our address
space.
Pause the video here and calculate the optimal subnet mask for the
Engineering departments.
Also determine the network and broadcast addresses that will be allocated
to both Engineering departments, and the range of host addresses.
165
Engineering Departments
We’ve been allocated 200.15.10.0/24
200.15.10.0   = 11001000.00001111.00001010.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000
167
New York Sales Department
We’ve been allocated 200.15.10.0/24
200.15.10.0   = 11001000.00001111.00001010.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000
169
Boston Sales Department
We’ve been allocated 200.15.10.0/24
200.15.10.0   = 11001000.00001111.00001010.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000
You also need to allocate address space for your router loopback
interfaces, we’ll talk about those later. (Not required in our example.)
171
New York to Boston Link
The last subnet is the link between the New York and Boston routers.
Pause the video here and calculate the optimal subnet mask.
Also determine the network and broadcast addresses that we will allocate,
and the range of host addresses.
172
New York to Boston Link
We’ve been allocated 200.15.10.0/24
200.15.10.0   = 11001000.00001111.00001010.00000000
255.255.255.0 = 11111111.11111111.11111111.00000000
174
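The whole VLSM exercise (Engineering, Sales and the point-to-point link carved from 200.15.10.0/24) worked in code, as an added example of my own rather than the course’s worked answer. It applies the exercise’s rule of the smallest subnet that fits with no room for growth, and the host counts are the ones from the topology diagram (router interfaces already included). Subnets are allocated largest first so that every network address lands on a valid boundary; the names REQUIREMENTS, prefix_for_hosts and allocate are mine.

```python
import ipaddress

# Added example (my own code, not the course's worked answer): VLSM allocation
# for the New York / Boston topology from the allocated 200.15.10.0/24, using
# the exercise's rule of the smallest subnet that fits with no room for growth.
# Host counts are the diagram's; router interfaces are already included in them.

REQUIREMENTS = [
    ("New York Engineering", 28),
    ("Boston Engineering", 28),
    ("New York Sales", 14),
    ("Boston Sales", 7),
    ("New York to Boston link", 2),
]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose usable host count (2^h - 2) holds `hosts`.
    Never goes below two host bits, so a point-to-point link gets a /30."""
    if hosts < 1:
        raise ValueError("a subnet must hold at least one host")
    host_bits = 2
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def allocate(block: str, requirements) -> list:
    """Carve `block` into subnets, largest first. Because the sizes are powers of
    two and never increase, each subnet starts on a multiple of its own size,
    which is what keeps every network address valid."""
    base = ipaddress.IPv4Network(block)
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    plan = []
    for name, hosts in sorted(requirements, key=lambda r: -r[1]):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        usable = list(net.hosts())
        plan.append({
            "name": name,
            "network": str(net),
            "mask": str(net.netmask),
            "first_host": str(usable[0]),
            "last_host": str(usable[-1]),
            "broadcast": str(net.broadcast_address),
            "spare": len(usable) - hosts,      # addresses left over in this subnet
        })
        cursor += size
    return plan


if __name__ == "__main__":
    for s in allocate("200.15.10.0/24", REQUIREMENTS):
        print(f"{s['name']:24} {s['network']:18} hosts {s['first_host']} - "
              f"{s['last_host']}  broadcast {s['broadcast']}  spare {s['spare']}")
```

Boston Sales needs 7 hosts, and a /29 only offers 6, so it gets a /28 like New York Sales; the link gets a /30, the smallest subnet this deck uses for point-to-point links.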
Network Topology Diagram
(Topology diagram repeated: New York Sales 14 hosts, Boston Sales 7 hosts)
176
Subnetting Large Networks
135.15.0.0  = 10000111.00001111.00000000.00000000 (Class B)
255.255.0.0 = 11111111.11111111.00000000.00000000 (/16)
177
Example 1 – Class B on 4th Octet
135.15.0.0      = 10000111.00001111.00000000.00000000
255.255.255.248 = 11111111.11111111.11111111.11111000 (/29)
If we subnet this into /29 subnets, we have 3 bits for host addressing.
This allows 6 hosts per network (2^3 - 2), the same as if we used /29
with a Class C address.
Because we were allocated a Class B /16 address range, we have 13
bits for network addresses
This allows 8192 subnets (2^13)
178
Example 1 – Class B on 4th Octet
135.15.10.138   = 10000111.00001111.00001010.10001010
255.255.255.248 = 11111111.11111111.11111111.11111000 (/29)
179
Example 1 – Class B on 4th Octet
135.15.10.138   = 10000111.00001111.00001010.10001010
255.255.255.248 = 11111111.11111111.11111111.11111000 (/29)
60.0.0.0        = 00111100.00000000.00000000.00000000 (Class A)
255.0.0.0       = 11111111.00000000.00000000.00000000 (/8)
182
Example 2A – Class A on 4th Octet
60.0.0.0        = 00111100.00000000.00000000.00000000
255.255.255.240 = 11111111.11111111.11111111.11110000 (/28)
183
Example 2B – Class A on 4th Octet
60.15.10.75     = 00111100.00001111.00001010.01001011
255.255.255.240 = 11111111.11111111.11111111.11110000 (/28)
184
Example 2B – Class A on 4th Octet
60.15.10.75     = 00111100.00001111.00001010.01001011
255.255.255.240 = 11111111.11111111.11111111.11110000 (/28)
60.0.0.0        = 00111100.00000000.00000000.00000000 (Class A)
255.0.0.0       = 11111111.00000000.00000000.00000000 (/8)
187
Example 3A – Class A on 3rd Octet
60.15.0.0     = 00111100.00001111.00000000.00000000
255.255.224.0 = 11111111.11111111.11100000.00000000 (/19)
188
Example 3B – Class A on 3rd Octet
135.15.10.75  = 10000111.00001111.00001010.01001011
255.255.224.0 = 11111111.11111111.11100000.00000000 (/19)
189
Example 3B – Class A on 3rd Octet
60.15.10.75   = 00111100.00001111.00001010.01001011
255.255.224.0 = 11111111.11111111.11100000.00000000 (/19)
135.15.10.75  = 10000111.00001111.00001010.01001011
255.255.224.0 = 11111111.11111111.11100000.00000000 (/19)
192
Example 4 – Class B on 3rd Octet
134.65.0.0    = 10000110.01000001.00000000.00000000
255.255.224.0 = 11111111.11111111.11100000.00000000 (/19)
193
Subnetting Question Categories
Given a network requirement of ‘x’ amount of subnets and ‘y’ amount
of hosts per subnet, what network address and subnet mask should be
used for each subnet?
Given a particular IP address and subnet mask, calculate:
‒ The subnet’s network address
‒ The broadcast address
‒ The range of valid host IP addresses
194
Subnetting on the 4th Octet – Written Example
“For the IP address 172.19.216.50 255.255.255.240, what is the network address, broadcast
address and range of valid hosts?”
The first thing to figure out is which octet we are subnetting on.
We can see we are not subnetting on the first 3 octets as the value is 255.
I like to underline the octet I’m working on at this point so that I don’t accidentally confuse the
octets later:
172.19.216.50/28
The 172.19.216 part of the address (the first 3 octets) is never going to change in our example.
Write down the 4th octet in binary then add the digits together from the left until they add up to the
‘240’ used in the subnet mask.
4th octet: 128 64 32 16 | 8 4 2 1 (the first four bit values, marked x on the slide, are the borrowed bits)
128 + 64 = 192
192 + 32 = 224
224 + 16 = 240
The first 4 bits in the 4th octet are being borrowed for the network portion of the address and the
remaining 4 bits are used for the host portion.
195
4th octet: 128 64 32 16 | 8 4 2 1 (network bits on the left of the line, host bits on the right)
We can see that the network portion of the address falls on a ‘16’, so the subnets will go up in
multiples (a block size) of 16 on the 4th octet:
172.19.216.0/28
172.19.216.16/28
172.19.216.32/28
172.19.216.48/28
172.19.216.64/28
Etc…
At this point we can see which subnet the IP address in our example is in. 172.19.216.50 falls in the
range between 172.19.216.48 and 172.19.216.64, so it is in the 172.19.216.48 subnet.
Next we figure out the broadcast address. This is one less than the next network address:
The last thing to figure out is the range of valid host addresses. This is everything between the
network address and broadcast address.
(‘49’ is one more than the network address of ‘48’, ‘62’ is one less than the broadcast address of
‘63’.)
196
Subnetting on the 3rd Octet – Written Example
“For the IP address 172.19.216.50/23, what is the network address, broadcast address and range
of valid hosts?”
The first thing to figure out is which octet we are subnetting on.
/1 to /8 = 1st octet, /9 to /16 = 2nd octet, /17 to /24 = 3rd octet, /25 to /32 = 4th octet
I like to underline the octet I’m working on at this point so that I don’t accidentally confuse the
octets later:
172.19.216.50/23
The 172.19. part of the address (the first 2 octets) is never going to change in our example. Values in
the 3rd and 4th octet can change, but the values in the first 2 octets will always remain the same.
When the subnet mask is /23, the first 23 bits are used for the network portion of the address and
the remaining 9 bits are used for the host portion.
Write the octets down in binary and then count along 23 bits.
1st octet: 128 64 32 16 8 4 2 1 = bits 1 to 8
2nd octet: 128 64 32 16 8 4 2 1 = bits 9 to 16
3rd octet: 128 64 32 16 8 4 2 | 1 = bits 17 to 23 (bit 24, the 1, is the first host bit)
197
We can see that the 23rd bit falls on a ‘2’, so the subnets will go up in multiples (a block size) of 2 on
the 3rd octet:
172.19.0.0/23
172.19.2.0/23
172.19.4.0/23
172.19.6.0/23
Etc…
Next we figure out the broadcast address. This is one less than the next network address:
When subnetting on the 3rd octet, remember the broadcast address will be 255 in the 4th octet –
NOT 0 in the 4th octet (this is a common mistake to make). The broadcast address is 172.19.217.255,
not 172.19.217.0.
(172.19.217.0 is actually a valid address in the range which could be assigned to a PC or other host.)
The last thing to figure out is the range of valid host addresses. This is everything between the
network address and broadcast address.
172.19.217.254 is one less than the broadcast address of 172.19.217.255 (don’t write
172.19.216.254 by mistake.)
198
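The written method from the two examples above, and from the earlier 198.22.45.173/26 practice question, in code: find the octet the mask ends in and the block size in that octet, then the network address, broadcast address and usable host range. This is an added example, not the course’s; the inputs are the deck’s own addresses, and the names subnet_info, prefix_from_mask and mask_from_prefix are mine. The mask parser rejects non-contiguous masks, which the written method silently assumes never occur.

```python
import ipaddress

# Added example (mine, not the course's): the written method above in code.
# It finds the octet the mask ends in and the block size in that octet, then
# the network address, broadcast address and usable host range. The inputs
# below are the deck's: 198.22.45.173/26, 172.19.216.50/28 and 172.19.216.50/23.


def mask_from_prefix(prefix: int) -> int:
    """Prefix length -> 32-bit mask, e.g. 28 -> 0xFFFFFFF0."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_from_mask(dotted: str) -> int:
    """Dotted mask such as 255.255.255.240 -> prefix length (28).
    Rejects masks whose ones are not contiguous, which are never valid subnet masks."""
    mask = int(ipaddress.IPv4Address(dotted))
    prefix = bin(mask).count("1")
    if mask_from_prefix(prefix) != mask:
        raise ValueError(f"{dotted} is not a contiguous subnet mask")
    return prefix


def subnet_info(address: str, prefix: int) -> dict:
    """Follow the slides' steps for an address with a /1 to /30 mask."""
    if not 1 <= prefix <= 30:
        raise ValueError("the network/broadcast method applies to /1 through /30")
    addr = int(ipaddress.IPv4Address(address))
    mask = mask_from_prefix(prefix)
    network = addr & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits set
    octet = (prefix - 1) // 8 + 1               # /1-/8 -> 1st, /9-/16 -> 2nd, /17-/24 -> 3rd, /25-/32 -> 4th
    bits_in_octet = prefix - 8 * (octet - 1)    # network bits that fall inside that octet
    block_size = 2 ** (8 - bits_in_octet)       # the bit value the last network bit lands on
    as_ip = ipaddress.IPv4Address
    return {
        "octet": octet,
        "block_size": block_size,
        "mask": str(as_ip(mask)),
        "network": str(as_ip(network)),
        "broadcast": str(as_ip(broadcast)),
        "first_host": str(as_ip(network + 1)),
        "last_host": str(as_ip(broadcast - 1)),
    }


if __name__ == "__main__":
    for addr, prefix in [("198.22.45.173", 26),
                         ("172.19.216.50", prefix_from_mask("255.255.255.240")),
                         ("172.19.216.50", 23)]:
        r = subnet_info(addr, prefix)
        print(f"{addr}/{prefix}: subnetting on octet {r['octet']} in blocks of "
              f"{r['block_size']}; network {r['network']}, broadcast {r['broadcast']}, "
              f"hosts {r['first_host']} - {r['last_host']}")
```

For 172.19.216.50/23 the code lands on the 3rd octet with a block size of 2 and a broadcast address of 172.19.217.255, the value the text warns is easy to get wrong.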
RFC 1918 Private Addresses
The Internet Engineering Task Force (IETF) documents standards with
RFCs (Requests For Comments)
RFC 1918 specifies private IP address ranges which are not routable on
the public internet
199
RFC 1918 Private Addresses
Sticking with our theme of ‘how IP addressing was meant to work’,
these addresses were originally designed for hosts which should have
no internet connectivity
Public IP addresses cost money.
If an organisation has a part of their network where the hosts need to
communicate with each other over IP, but do not require connectivity
to the Internet, they can assign private IP addresses.
200
RFC 1918 Private Addresses
There is a range of private addresses in each address class.
10.0.0.0 – 10.255.255.255
‒ 10.0.0.0/8
‒ 10.0.0.0 255.0.0.0
172.16.0.0 – 172.31.255.255
‒ 172.16.0.0/12
‒ 172.16.0.0 255.240.0.0
192.168.0.0 – 192.168.255.255
‒ 192.168.0.0/16
‒ 192.168.0.0 255.255.0.0
201
RFC 1918 Example 1
Bank A: public 175.11.0.0/24, private 10.10.10.0/24
Bank B: public 196.14.10.0/24, private 172.18.5.0/24
Both banks connect to the Internet with their public ranges.
202
RFC 1918 Example 2
Bank A: public 175.11.0.0/24, private 192.168.10.0/24
Bank B: public 196.14.10.0/24, private 192.168.10.0/24
Both banks use the same private range, which is fine as long as those hosts never need to reach each other.
203
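An added example of my own (not from the course) for the three ranges listed above and for the situation in Example 2, where both banks chose 192.168.10.0/24: a lookup that returns the RFC 1918 block an address belongs to, and an overlap check for two private ranges that are about to be connected. The lookup is deliberately narrower than the Python ipaddress module’s is_private, which also flags loopback, link-local and documentation ranges that are not RFC 1918 space. The bank addresses are the deck’s; the names rfc1918_block and private_overlap are mine.

```python
import ipaddress

# Added example (mine, not the course's): classify an address against the three
# RFC 1918 blocks listed above, and check the situation in Example 2 where two
# organisations both chose 192.168.10.0/24. The bank addresses are the deck's.

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_block(address: str):
    """The RFC 1918 block containing `address`, or None for a public address.
    Deliberately narrower than ipaddress's is_private, which also flags
    loopback, link-local and documentation ranges that are not RFC 1918."""
    ip = ipaddress.ip_address(address)
    if ip.version != 4:
        raise ValueError("RFC 1918 defines IPv4 ranges only")
    for block in RFC1918:
        if ip in block:
            return str(block)
    return None


def private_overlap(site_a: str, site_b: str):
    """Private ranges of two sites that are about to be connected: return the
    overlapping range, or None. Overlap means hosts on one side cannot reach
    the other without renumbering or NAT, the problem behind Example 2."""
    a, b = ipaddress.IPv4Network(site_a), ipaddress.IPv4Network(site_b)
    if not a.overlaps(b):
        return None
    return str(a if a.prefixlen >= b.prefixlen else b)   # the more specific of the two


if __name__ == "__main__":
    for addr in ("10.10.10.1", "172.18.5.1", "172.32.0.1", "175.11.0.1", "192.168.10.7"):
        print(f"{addr:14} -> {rfc1918_block(addr) or 'public'}")
    print("Example 1 overlap:", private_overlap("10.10.10.0/24", "172.18.5.0/24"))
    print("Example 2 overlap:", private_overlap("192.168.10.0/24", "192.168.10.0/24"))
```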
The IPv4 Global Address Space Problem
The designers of IPv4 did not envision the explosive growth of its use
4.3 billion addresses seemed more than enough
The protocol is not particularly efficient in its use of the available
space, with many addresses being wasted
204
IPv6
The Internet authorities started to predict address exhaustion in the
late 1980s, and IPv6 was developed in the 1990s as the long term
solution
IPv6 uses a 128 bit address, compared to IPv4’s 32 bit address
IPv6 provides more than 7.9×10^28 times as many addresses as IPv4
205
The IPv6 Problem and NAT
There is not a seamless migration path from IPv4 to IPv6
NAT (Network Address Translation) was implemented as a temporary
workaround to mitigate the lack of IPv4 addresses until organisations
had time to migrate to IPv6
An organisation can use private IP addresses on their inside network,
but still grant their hosts Internet access by translating them to their
outside public IP address
Many hosts on the inside can share a few or a single public IP address
on the outside
206
Private Addresses and NAT
Office A: public 175.11.0.1/28 (14 addresses), private 192.168.10.0/24 (200 hosts)
Office B: public 196.14.10.25/29 (6 addresses), private 192.168.10.0/24 (100 hosts)
Both offices reach the Internet by translating their private addresses to their public ones.
207
Today’s Networks
Many industry experts predicted in the early 2000’s that IPv6 would be
ubiquitous within a few years
It hasn’t worked out that way – most enterprises today use RFC 1918
IPv4 addresses with NAT
RFC 1918 has the security benefit of hiding inside hosts by default
(they don’t have a publicly routable IP address), plus network
engineers have more experience with IPv4 than v6
208
Today’s Networks
IPv6 is mostly found in service provider networks, mobile services, and
large countries with later Internet adoption such as India and China
Spare public IPv4 addresses were exhausted in 2011 so IPv6 is still the
future path
209
Today’s Networks
You still need to understand subnetting – modern enterprises subnet
their RFC 1918 addresses to optimise performance and security
You also need to understand and be able to troubleshoot IP
210
Today’s Networks
Because they have the entire private IP address space to work with, it’s
common to see /24 subnets being used for end hosts, /30 for point to
point links, and /32 for loopbacks
Complex VLSM is more common in enterprises which use public IP
addresses on their inside networks and need to maximise their use
211
Contiguous Addresses and Route Summarisation
Region A: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, advertised as 10.0.0.0/16
Region B: 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24, advertised as 10.1.0.0/16
Cannot summarise: when the same /24s (10.0.0.0/24, 10.1.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.0.3.0/24) are split between Region A and Region B, neither region can advertise a single summary.
213
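The summarisation test from the two diagrams above, as an added example of my own rather than course material. It finds the tightest single prefix covering a region’s networks and checks whether a proposed summary (the /16 the diagram advertises) covers every prefix of its own region without also covering prefixes that live in the other region. REGION_A and REGION_B are the contiguous case from the first diagram; MIXED_A and MIXED_B are my reading of the interleaved second diagram and are constructed for this example. The names tightest_summary and check_summary are mine.

```python
import ipaddress

# Added example (mine, not the course's): check whether a region's prefixes can
# be advertised as one summary route, and whether a proposed summary would also
# swallow prefixes that belong to the other region. Region contents follow the
# two diagrams above; the interleaved second case is my reading of that figure.

REGION_A = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
REGION_B = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]
# Second diagram: the same /24s scattered across both regions (constructed from the figure).
MIXED_A = ["10.0.0.0/24", "10.1.0.0/24", "10.0.2.0/24", "10.1.3.0/24"]
MIXED_B = ["10.0.1.0/24", "10.1.2.0/24", "10.0.3.0/24"]


def tightest_summary(prefixes) -> str:
    """Smallest single prefix that contains every network in `prefixes`."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()     # widen by one bit until everything fits
    return str(summary)


def check_summary(proposed: str, own, foreign) -> dict:
    """Would advertising `proposed` from this region be correct?
    It must cover every own prefix and must not overlap any foreign one;
    otherwise traffic for the foreign prefixes may be drawn to the wrong region."""
    s = ipaddress.IPv4Network(proposed)
    missing = [p for p in own if not ipaddress.IPv4Network(p).subnet_of(s)]
    captured = [p for p in foreign if ipaddress.IPv4Network(p).overlaps(s)]
    return {"ok": not missing and not captured, "missing": missing, "captured": captured}


if __name__ == "__main__":
    print("Region A tightest summary:", tightest_summary(REGION_A))
    print("Advertise 10.0.0.0/16 from A:", check_summary("10.0.0.0/16", REGION_A, REGION_B))
    print("Mixed A tightest summary:", tightest_summary(MIXED_A))
    print("Advertise 10.0.0.0/16 from mixed A:", check_summary("10.0.0.0/16", MIXED_A, MIXED_B))
```

In the contiguous case the tightest summary is 10.0.0.0/22, and the wider 10.0.0.0/16 from the diagram is also safe because nothing in Region B falls inside it. In the interleaved case the tightest cover of Region A is 10.0.0.0/15, which swallows all of Region B, and the /16 both misses some of Region A and captures part of Region B.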
Sites with Free Subnetting Practice Questions
http://www.subnettingquestions.com/
http://www.subnetting.org/
214
Layer 2 – The Data Link Layer
Frames are encoded and decoded into bits at Layer 2.
Error detection and correction for the Physical Layer can be provided
here.
Ethernet is the Layer 2 medium used on Local Area Networks.
https://en.wikipedia.org/wiki/List_of_network_protocols_(OSI_model)
215
OSI Reference Model - Encapsulation
(Animation slides 216 to 221: the headers are added one layer at a time, L7, then L6 L7, L5 L6 L7, L4 L5 L6 L7, L3 L4 L5 L6 L7, and finally L2 L3 L4 L5 L6 L7.)
221
The Ethernet Header
224
Layer 1 Connection Types for Ethernet - UTP
Ethernet LAN connections can be carried over coaxial cable (no longer
used), twisted copper pair cable, fiber cable or wireless.
Copper UTP (Unshielded Twisted Pair) cables are commonly used to
connect desktop computers to switches.
Connector type is RJ-45 and maximum length is 100 metres.
https://en.wikipedia.org/wiki/Twisted_pair#Common_types
225
Straight-Through vs Crossover UTP Cable
The receive and transmit wires in a UTP cable can be wired to the RJ-45
connector as either straight-through or crossover.
Straight-through cables are used to connect an end device such as a
PC or router to a switch.
Crossover cables are used to connect devices together directly. They
are most often used to connect two devices of the same type: e.g. two
computers or two switches to each other.
Modern switches support Auto MDI-X where the receive and transmit
signals are reconfigured automatically to yield the expected result.
226
Fiber Cables
Fiber optic cables can be used to support longer distances or higher
bandwidth requirements.
For example between separate buildings in a campus, or for switch to
switch connections inside a building.
227
Single Mode vs Multi Mode Fiber
Single Mode or Multi Mode Fiber can be used.
Single Mode supports higher bandwidth and longer distances but is
more expensive.
https://en.wikipedia.org/wiki/Multi-mode_optical_fiber
228
Fiber Connectors
229
Hubs and Switches
Hubs and switches perform a similar function.
End hosts in a Local Area Network such as PCs, servers and printers
plug into them with an Ethernet cable.
The end hosts can then communicate with each other through the hub
or switch.
230
Hubs and Switches
231
Hubs – Half-Duplex and Shared Collision Domain
Hubs operate in half-duplex mode.
Attached hosts cannot send and receive data at the same time, they
can only do one or the other.
All hosts share the same collision domain – only one device can
transmit at a time.
If two hosts send at the same time a collision will occur.
Hosts use Carrier-Sense Multiple Access with Collision
Detection (CSMA/CD) to detect collisions and resend.
232
Switches – Full-Duplex and Separate Collision Domains
233
Cisco Device Functions
Layer Name Includes Devices
7 Application
6 Presentation
5 Session
4 Transport TCP/UDP, Port
3 Network IP Address Routers
2 Data-Link Ethernet MAC Address Switches
1 Physical Hubs
234
Hubs operate at OSI Layer 1
Hubs operate at Layer 1 of the OSI model.
They are not MAC address aware.
Whenever a frame is received it is flooded out all ports apart from the
one it was received on.
All attached hosts must process all packets.
235
Switches operate at OSI Layer 2
Switches operate at Layer 2 of the OSI model.
(They also operate at Layer 1.)
They are MAC address aware.
236
Switches operate at OSI Layer 2
Whenever a frame is received the switch will look at the source MAC
address in the Layer 2 Ethernet header.
The learned MAC address will be added to the switch’s MAC address
table, which maps MAC addresses to ports.
If a unicast frame is later received with a known MAC address as the
destination, the switch will send the frame out only the relevant port.
This is better for performance and security as frames only go where
they are required.
Whenever a frame is received for the broadcast address or an
unknown unicast destination (because the switch hasn’t learned the
MAC address yet) it will be flooded out all ports apart from the one it
was received on.
237
Switch Operation
Single switch (slides 238 to 244): MAC 1.1.1 on Port 1, 2.2.2 on Port 2, 3.3.3 on Port 3.
1.1.1 sends a frame (S: 1.1.1, D: 2.2.2). The switch learns 1.1.1 on Port 1. 2.2.2 is not yet in the MAC address table, so the frame is flooded out all ports apart from Port 1.
2.2.2 replies (S: 2.2.2, D: 1.1.1). The switch learns 2.2.2 on Port 2 and, because 1.1.1 is known, sends the reply out Port 1 only.
Two switches (slides 245 to 262): Switch 1 has 1.1.1 on Port 1 and 2.2.2 on Port 2; Switch 2 has 3.3.3 on Port 1 and 4.4.4 on Port 2; Port 24 on each switch connects the two switches.
1.1.1 sends to 2.2.2 (S: 1.1.1, D: 2.2.2): Switch 1 learns Port 1 = 1.1.1 and floods the frame, including out Port 24. Switch 2 receives it on Port 24, learns Port 24 = 1.1.1, and floods it out Port 1 and Port 2.
2.2.2 replies (S: 2.2.2, D: 1.1.1): Switch 1 learns Port 2 = 2.2.2 and sends the frame out Port 1 only. Switch 2 never sees it.
3.3.3 sends to 2.2.2 (S: 3.3.3, D: 2.2.2): Switch 2 learns Port 1 = 3.3.3 and floods, including out Port 24. Switch 1 learns Port 24 = 3.3.3 and, knowing 2.2.2, forwards out Port 2 only.
2.2.2 sends to 3.3.3 (S: 2.2.2, D: 3.3.3): Switch 1 already has 3.3.3 on Port 24 and forwards there. Switch 2 learns Port 24 = 2.2.2 and forwards out Port 1 only.
Final MAC address tables:
Switch 1: Port 1 = 1.1.1, Port 2 = 2.2.2, Port 24 = 3.3.3
Switch 2: Port 24 = 1.1.1, Port 1 = 3.3.3, Port 24 = 2.2.2
262
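A small simulation of the learning and forwarding behaviour shown in the Switch Operation slides, written for this page as an added example (it is not course code). Frames are real 14-byte Ethernet II headers built with struct, so the switch learns from the parsed source MAC exactly as described: one egress port for a known unicast destination, a flood of every port except the ingress port for broadcast or unknown unicast, and a drop when the destination is already known on the ingress port. The 6-byte MAC values are constructed stand-ins for the slides’ labels 1.1.1 to 4.4.4; the names Switch, build_frame, parse_frame and run_demo are mine.

```python
import struct

# Added example (my own simulation, not course material): a learning switch
# behaving as described above, fed raw Ethernet frames. The MAC addresses are
# constructed 6-byte values standing in for the slides' labels 1.1.1 to 4.4.4.

BROADCAST = b"\xff" * 6
MACS = {label: bytes.fromhex(f"0200000000{n}{n}") for n, label in
        enumerate(("1.1.1", "2.2.2", "3.3.3", "4.4.4"), start=1)}
LABEL = {mac: label for label, mac in MACS.items()}


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Ethernet II header: destination MAC, source MAC, EtherType, then payload."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype, payload); reject anything shorter than the 14-byte header."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than the Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


class Switch:
    def __init__(self, name: str):
        self.name = name
        self.mac_table = {}     # MAC -> port it was learned on
        self.ports = {}         # port -> ("host", mac) | ("switch", Switch, remote_port)

    def attach_host(self, port: int, mac: bytes):
        self.ports[port] = ("host", mac)

    def connect(self, port: int, other: "Switch", other_port: int):
        self.ports[port] = ("switch", other, other_port)
        other.ports[other_port] = ("switch", self, port)

    def receive(self, in_port: int, frame: bytes) -> list:
        """Learn the source, then forward: one port for a known unicast
        destination, flood (all ports except the ingress) for broadcast or
        unknown unicast. Returns the egress port list."""
        dst, src, _, _ = parse_frame(frame)
        self.mac_table[src] = in_port
        if dst != BROADCAST and dst in self.mac_table:
            known = self.mac_table[dst]
            out_ports = [] if known == in_port else [known]   # same port: filter, do not echo
        else:
            out_ports = [p for p in self.ports if p != in_port]
        for p in out_ports:
            link = self.ports[p]
            if link[0] == "switch":
                link[1].receive(link[2], frame)    # the neighbour switch learns and forwards too
        return out_ports

    def table(self) -> dict:
        return {LABEL[m]: p for m, p in self.mac_table.items()}


def run_demo():
    """Replay the two-switch sequence from the slides; returns both MAC tables and the egress ports per step."""
    sw1, sw2 = Switch("Switch 1"), Switch("Switch 2")
    sw1.attach_host(1, MACS["1.1.1"])
    sw1.attach_host(2, MACS["2.2.2"])
    sw2.attach_host(1, MACS["3.3.3"])
    sw2.attach_host(2, MACS["4.4.4"])
    sw1.connect(24, sw2, 24)
    steps = []
    for src, dst, ingress_sw, ingress_port in (("1.1.1", "2.2.2", sw1, 1), ("2.2.2", "1.1.1", sw1, 2),
                                               ("3.3.3", "2.2.2", sw2, 1), ("2.2.2", "3.3.3", sw1, 2)):
        out = ingress_sw.receive(ingress_port, build_frame(MACS[dst], MACS[src]))
        steps.append((src, dst, ingress_sw.name, out))
    return {sw1.name: sw1.table(), sw2.name: sw2.table()}, steps


if __name__ == "__main__":
    tables, steps = run_demo()
    for src, dst, sw, out in steps:
        print(f"{src} -> {dst}: {sw} sent the frame out ports {out}")
    print(tables)
```

After the four frames the tables match the last slide: Switch 1 holds 1.1.1 on Port 1, 2.2.2 on Port 2 and 3.3.3 on Port 24; Switch 2 holds 1.1.1 and 2.2.2 on Port 24 and 3.3.3 on Port 1. The reply from 2.2.2 to 1.1.1 is the step where learning pays off: it leaves Switch 1 on Port 1 only and Switch 2 never receives it.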
Routers
Routers know the paths to get to the different IP subnets on a
network.
They are required to send traffic from one subnet to another.
Routers operate at Layer 3 of the OSI model.
(They also operate at Layers 2 and 1, and will typically have awareness
up to Layer 7.)
263
Routers vs Switches
Routers are Layer 3 aware and can route traffic between different
networks.
Switches are Layer 2 aware and can switch traffic between hosts on
the Local Area Network.
Routers support many types of interfaces, such as Ethernet, Serial,
ISDN, ADSL etc.
Switches typically only support Ethernet interfaces.
Switches will typically have more ports than routers.
Switches forward broadcast traffic, routers do not by default.
264
Switch Operation
Hosts 10.10.10.10/24, 10.10.10.11/24 and 10.10.10.12/24 all on one switch in the same subnet
265
Router Operation
Hosts 10.10.10.10/24 and 10.10.10.11/24 on one subnet, 10.10.11.10/24 on another, with a router between the subnets
266
Layer 3 Switches
Advanced switches are Layer 3 aware and can route traffic between
different IP subnets.
Layer 3 switches will still typically support only Ethernet interfaces and
will have more ports than routers.
267
Layer 3 Switch Operation
Hosts 10.10.10.10/24 and 10.10.10.11/24 on one subnet, 10.10.11.10/24 on another, with a Layer 3 switch routing between the subnets
268
Security
269
Wireless
270
Collaboration
271
Data Center
272
OSI Reference Model - Encapsulation
(Animation slides 273 to 278: the headers are added one layer at a time, L7, then L6 L7, L5 L6 L7, L4 L5 L6 L7 and L3 L4 L5 L6 L7.)
278
The Domain Name System
The Domain Name System (DNS) resolves a Fully Qualified Domain
Name (FQDN) such as www.cisco.com to an IP address.
Enterprises will typically have an internal DNS server which can resolve
the IP addresses of internal hosts.
Hosts will send their DNS queries to this server.
If the internal DNS server cannot resolve a query, it will forward the
request out to public DNS servers on the Internet.
DNS requests are sent using UDP port 53 (and can fail over to TCP).
279
Router DNS Commands
DNS Client:
ip domain-lookup
ip name-server 172.23.4.1
ip domain-name flackboxA.lab (primary domain name)
ip domain-list flackboxB.lab (additional DNS suffixes to search)
280
OSI Reference Model - Encapsulation
(Animation slides 281 to 287: the headers are added one layer at a time, L7, then L6 L7, L5 L6 L7, L4 L5 L6 L7, L3 L4 L5 L6 L7, and finally L2 L3 L4 L5 L6 L7.)
287
IP to MAC Address Resolution
The sender needs to know the receiver’s IP address and MAC address
to form the packet it’s going to send
We can point the sender directly at the destination IP address or at a
user friendly FQDN such as www.cisco.com
DNS Domain Name System maintains a mapping of FQDNs to IP
addresses
ARP Address Resolution Protocol is used to map the IP address to MAC
address
288
ARP Address Resolution Protocol
Sender (Port 1): IP Address 172.23.4.1, Subnet Mask 255.255.255.0, MAC 1111.2222.3333
Receiver (Port 2): IP Address 172.23.4.2, Subnet Mask 255.255.255.0, MAC 2222.3333.4444
ARP Request: ‘I’m looking for 172.23.4.2, what’s your MAC address?’
Src MAC: 1111.2222.3333, Dst MAC: FFFF.FFFF.FFFF (broadcast)
ARP Reply: ‘I’m 172.23.4.2, here’s my MAC address’
Src MAC: 2222.3333.4444, Dst MAC: 1111.2222.3333
289
Host ARP Commands
ARP replies are saved in a host’s ARP cache so it doesn’t need to send
an ARP request every time it wants to communicate
Windows
View ARP cache: arp -a
Clear ARP cache: netsh interface ip delete arpcache
Linux
View ARP cache: arp -n
Clear ARP cache: ip -s -s neigh flush all
290
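The request/reply exchange from the ARP diagram, built as real ARP bodies (RFC 826 format for Ethernet and IPv4) and parsed back, with each host’s cache filled the way the commands above would then display it. This is an added example of my own, not course code; the addresses are the deck’s (172.23.4.1 with MAC 1111.2222.3333 and 172.23.4.2 with MAC 2222.3333.4444), and the names Host, build_arp, parse_arp and exchange are mine. Nothing in the packet authenticates the sender, so a cache holds whatever reply arrived, which is one reason viewing and clearing the cache are routine troubleshooting steps.

```python
import struct
import ipaddress

# Added example (mine, not course material): the ARP request/reply exchange from
# the diagram above, built as real ARP bodies (RFC 826, Ethernet/IPv4) and
# parsed back, with each host's ARP cache filled the way `arp -a` would show it.
# The addresses are the deck's: 172.23.4.1 / 1111.2222.3333 and 172.23.4.2 / 2222.3333.4444.

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP
BROADCAST_MAC = b"\xff" * 6
UNKNOWN_MAC = b"\x00" * 6


def mac_bytes(cisco_style: str) -> bytes:
    """'1111.2222.3333' -> 6 raw bytes."""
    return bytes.fromhex(cisco_style.replace(".", ""))


def build_arp(op: int, sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       target_mac, ipaddress.IPv4Address(target_ip).packed)


def parse_arp(body: bytes) -> dict:
    if len(body) < 28:
        raise ValueError("ARP body shorter than 28 bytes")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FORMAT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": smac, "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": tmac, "target_ip": str(ipaddress.IPv4Address(tip))}


class Host:
    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac_bytes(mac)
        self.arp_cache = {}    # IP -> MAC, the table `arp -a` / `arp -n` prints

    def request(self, target_ip: str) -> tuple:
        """(Ethernet destination, ARP body): the request is broadcast, target MAC unknown."""
        return BROADCAST_MAC, build_arp(ARP_REQUEST, self.mac, self.ip, UNKNOWN_MAC, target_ip)

    def handle(self, body: bytes):
        """Process a received ARP body; return (Ethernet destination, reply body) or None."""
        pkt = parse_arp(body)
        if pkt["target_ip"] != self.ip:
            return None                                        # not asking about us
        self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]   # cache the sender either way
        if pkt["op"] == ARP_REQUEST:                           # answer with our own MAC, unicast
            return pkt["sender_mac"], build_arp(ARP_REPLY, self.mac, self.ip,
                                                pkt["sender_mac"], pkt["sender_ip"])
        return None


def exchange():
    """Run the diagram's exchange; return (sender, receiver, reply frame destination, reply body)."""
    sender = Host("172.23.4.1", "1111.2222.3333")
    receiver = Host("172.23.4.2", "2222.3333.4444")
    _, request = sender.request("172.23.4.2")
    reply_dst, reply = receiver.handle(request)
    sender.handle(reply)
    return sender, receiver, reply_dst, reply


if __name__ == "__main__":
    sender, receiver, reply_dst, reply = exchange()
    print("reply:", parse_arp(reply))
    print("sender cache:", {ip: m.hex(".", 2) for ip, m in sender.arp_cache.items()})
    print("receiver cache:", {ip: m.hex(".", 2) for ip, m in receiver.arp_cache.items()})
```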
Routed Traffic
When the sender and receiver are on different IP subnets, the traffic
must be forwarded by a router
In the following example, 172.23.4.1/24 wants to send a packet to
192.168.10.1/24
291
Routing Traffic
The sender 172.23.4.1 (MAC 1111.2222.3333) sends an ARP request for its default gateway, and the router’s inside interface replies:
ARP Reply
Src MAC: 4444.5555.6666
Dst MAC: 1111.2222.3333
The router then sends an ARP request for 192.168.10.1 on its other interface (MAC 4444.5555.7777), and the receiver replies:
ARP Reply
Src MAC: 2222.3333.4444
Dst MAC: 4444.5555.7777
The router forwards the packet with the IP addresses unchanged and the MAC addresses rewritten for the second hop:
IP Packet
Src IP: 172.23.4.1
Dst IP: 192.168.10.1
Src MAC: 4444.5555.7777
Dst MAC: 2222.3333.4444
296
Router ARP Commands
297
The Life of a Packet
Router A: interface 1 IP Address 10.10.10.1, MAC 4444.5555.6666; interface 2 IP Address 10.10.11.1, MAC 5555.6666.7777
Router B: interface 1 IP Address 10.10.11.2, MAC 6666.7777.8888; interface 2 IP Address 10.10.12.1, MAC 7777.8888.9999
A further router interface, IP Address 10.10.100.1, MAC 8888.9999.AAAA, faces the DNS server subnet
Host A: IP Address 10.10.10.10/24, DG 10.10.10.1, MAC 1111.2222.3333 (on Switch 1, Port 1; Router A is on Port 2)
www.flackbox.com: IP Address 10.10.12.10/24, DG 10.10.12.1, MAC 2222.3333.4444
DNS Server: IP Address 10.10.100.10/24, DG 10.10.100.1, MAC 3333.4444.5555
298
OSI Reference Model - Encapsulation
(Animation slides 299 to 304: the headers are added one layer at a time, L7, then L6 L7, L5 L6 L7, L4 L5 L6 L7 and L3 L4 L5 L6 L7.)
304
The Life of a Packet
Host A (10.10.10.10/24) wants to send a packet to the FQDN
www.flackbox.com, but it doesn’t know the destination IP address
It will hold the packet and send a DNS request to its DNS server at
10.10.100.10
Host A compares its IP address and subnet mask to the destination
address of the DNS server and sees it is on a different subnet, so the
DNS request needs to be sent via its default gateway
Host A will hold the DNS request and send a broadcast ARP request for
its default gateway at 10.10.10.1
305
The Life of a Packet
Router A: interface 1 IP Address 10.10.10.1, MAC 4444.5555.6666; interface 2 IP Address 10.10.11.1, MAC 5555.6666.7777
Router B: interface 1 IP Address 10.10.11.2, MAC 6666.7777.8888; interface 2 IP Address 10.10.12.1, MAC 7777.8888.9999
A further router interface, IP Address 10.10.100.1, MAC 8888.9999.AAAA, faces the DNS server subnet
Host A: IP Address 10.10.10.10/24, DG 10.10.10.1, DNS 10.10.100.1, MAC 1111.2222.3333
www.flackbox.com: IP Address 10.10.12.10/24, DG 10.10.12.1, MAC 2222.3333.4444
307
The Life of a Packet
[Diagram: ARP Reply from Router A to Host A, 'I'm 10.10.10.1, here's my MAC address', Src MAC 4444.5555.6666, Dst MAC 1111.2222.3333]
The Life of a Packet
Switch 1 will add an entry in its MAC address table mapping Router A's MAC address 4444.5555.6666 to Port 2.
Switch 1 will send the ARP reply out only Port 1, which Host A is plugged into (Host A's MAC address is already in its MAC address table, learned from the ARP request).
The Life of a Packet
Host A will add an entry to its ARP cache mapping Router A's IP address 10.10.10.1 to MAC address 4444.5555.6666.
It will use this entry whenever it needs to send traffic to another IP subnet.
Host A will now send the DNS request for www.flackbox.com.
The Life of a Packet
[Diagram: DNS Request from Host A, 'Tell me the IP address of www.flackbox.com', Src MAC 1111.2222.3333, Dst MAC 4444.5555.6666, Src IP 10.10.10.10, Dst IP 10.10.100.10]
The Life of a Packet
Switch 1 will send the DNS request out only Port 2, which Router A is plugged into (Router A's MAC address is already in its MAC address table).
The Life of a Packet
Router A will receive the DNS request packet and see that the destination IP address is 10.10.100.10.
Router A has an interface in the subnet 10.10.100.0/24, so it knows the destination should be available out that port.
It doesn't know the MAC address of 10.10.100.10, so it will hold the DNS request packet and send an ARP request out of the 10.10.100.1 interface.
The Life of a Packet
[Animation frames: Router A's broadcast ARP request for 10.10.100.10 is flooded by Switch 3]
The Life of a Packet
[Diagram: ARP Reply from the DNS Server to Router A, 'I'm 10.10.100.10, here's my MAC address', Src MAC 3333.4444.5555, Dst MAC 8888.9999.AAAA]
The Life of a Packet
Switch 3 will add an entry in its MAC address table mapping the DNS Server's MAC address 3333.4444.5555 to Port 2.
Switch 3 will send the ARP reply out only Port 1, which Router A is plugged into (Router A's MAC address is already in its MAC address table).
The Life of a Packet
Router A will add an entry to its ARP cache mapping the DNS Server's IP address 10.10.100.10 to MAC address 3333.4444.5555.
Router A will send the DNS request it was holding to the DNS Server.
The Life of a Packet
The source and destination MAC addresses of a packet are rewritten hop by hop; the source and destination IP addresses remain unchanged end to end.
Here the source and destination MAC addresses are updated to come from Router A and go to the DNS Server.
The source and destination IP addresses are still Host A 10.10.10.10 and the DNS Server 10.10.100.10.
The Life of a Packet
[Diagram: DNS Request forwarded by Router A, 'Tell me the IP address of www.flackbox.com', Src MAC 8888.9999.AAAA, Dst MAC 3333.4444.5555, Src IP 10.10.10.10, Dst IP 10.10.100.10]
The Life of a Packet
Switch 3 will send the DNS request out only Port 2, which the DNS Server is plugged into (the DNS Server's MAC address is already in its MAC address table).
The Life of a Packet
The DNS Server will receive the DNS request packet and see that the destination is itself.
OSI Reference Model – De-encapsulation (animation: the DNS Server strips the headers from L2 up to L7 and hands the request to the DNS application)
The Life of a Packet
The DNS Server will look in its DNS database and see an A (Address) record for www.flackbox.com at 10.10.12.10.
It will send this information to Host A in a DNS response.
It knows to send the response to 10.10.10.10 from the source IP address in the DNS request.
It knows to send it via Router A because the destination is in another subnet.
It already has Router A's MAC address in its ARP cache (learned from Router A's ARP request).
The Life of a Packet
[Animation frames: the DNS response travels from the DNS Server via Switch 3, Router A and Switch 1 back to Host A]
OSI Reference Model - Encapsulation (animation: Host A now builds the HTTP request from L7 down to L3 and adds the L2 header straight away, since Router A's MAC address is already in its ARP cache)
The Life of a Packet
[Animation frames: the HTTP request goes from Host A via Switch 1 to Router A]
The Life of a Packet
In this example the administrator has configured a static route on Router A for 10.10.12.0/24 with the next hop address 10.10.11.2.
Router A has an Ethernet interface in the 10.10.11.0/24 subnet.
It doesn't know the MAC address for the next hop address 10.10.11.2 yet.
It will hold the HTTP packet and send an ARP request for 10.10.11.2.
The Life of a Packet
[Diagram: ARP Reply from Router B to Router A, 'I'm 10.10.11.2, here's my MAC address', Src MAC 6666.7777.8888, Dst MAC 5555.6666.7777]
The Life of a Packet
Router A will add the entry for 10.10.11.2 to its ARP cache and forward the HTTP packet it was holding to Router B.
The Life of a Packet
[Animation frames: Router B receives the HTTP request, has 10.10.12.0/24 directly connected, and sends a broadcast ARP request for 10.10.12.10, which Switch 2 floods]
The Life of a Packet
[Diagram: ARP Reply from the Web Server to Router B, 'I'm 10.10.12.10, here's my MAC address', Src MAC 2222.3333.4444, Dst MAC 7777.8888.9999]
The Life of a Packet
Switch 2 will add an entry in its MAC address table mapping the Web Server's MAC address 2222.3333.4444 to Port 2.
Switch 2 will send the ARP reply out only Port 1, which Router B is plugged into (Router B's MAC address is already in its MAC address table).
The Life of a Packet
Router B will add an entry to its ARP cache mapping the Web Server's IP address 10.10.12.10 to MAC address 2222.3333.4444.
Router B will send the HTTP request it was holding to the Web Server.
The Life of a Packet
[Animation frames: the HTTP request goes from Router B via Switch 2 to the Web Server]
OSI Reference Model – De-encapsulation (animation: the Web Server strips the headers from L2 up to L7 and hands the request to the web application)
The Life of a Packet
The ARP caches and MAC address tables are now built, so subsequent packets in either direction will flow without any need for ARP requests or switch flooding.
Both tables were learned from unauthenticated frames: any device on a segment can send an ARP reply, or a frame with a chosen source MAC address, and be believed. That is why ARP caches and MAC address tables are the state an attacker on a shared LAN goes after, and why switch features such as port security and dynamic ARP inspection exist.
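The walkthrough above, replayed as code. This is an added example and not part of the course material: a small simulation of the hosts, switches and routers from the diagram, with the addresses and MACs of the slides. Two things are assumptions the slides do not state: the Router A to Router B link is mod­elled as a switch, and Router B is given a return route to 10.10.10.0/24. The simulation shows the three mechanisms the slides describe: the hop-by-hop MAC rewrite with unchanged IP addresses (the slide on MAC and IP addresses above), ARP requests with switch flooding on the first packet, and a second packet that needs neither once the caches and tables are built.

```python
import ipaddress

BROADCAST = "FFFF.FFFF.FFFF"
TRACE = []   # one entry per hop: (sender, src MAC, dst MAC, src IP, dst IP)


class Switch:
    """Learning switch. Also stands in for the Router A - Router B cable (an assumption:
    the slides draw that as a direct link). Learns source MACs, floods unknown/broadcast."""

    def __init__(self, name):
        self.name, self.table, self.nodes, self.floods = name, {}, [], 0

    def deliver(self, frame, sender):
        self.table[frame["src_mac"]] = sender.name            # MAC address table: MAC -> "port"
        target = self.table.get(frame["dst_mac"])
        if frame["dst_mac"] == BROADCAST or target is None:
            self.floods += 1                                   # flood out every port but the ingress one
            for node in self.nodes:
                if node is not sender:
                    node.receive(frame, self)
        else:
            next(n for n in self.nodes if n.name == target).receive(frame, self)


class Node:
    """Host or router. ifaces: {cidr: (mac, switch)}; routes: [(network, next hop)]."""

    def __init__(self, name, ifaces, routes=()):
        self.name, self.arp, self.arp_requests, self.received = name, {}, 0, []
        self.ifaces, self.routes = {}, []
        for cidr, (mac, sw) in ifaces.items():
            iface = ipaddress.ip_interface(cidr)
            self.ifaces[str(iface.ip)] = (iface, mac, sw)
            self.routes.append((iface.network, None))         # connected route
            sw.nodes.append(self)
        self.routes += [(ipaddress.ip_network(n), nh) for n, nh in routes]

    def lookup(self, dst_ip):
        """Longest prefix match -> (next hop IP, egress interface IP)."""
        dst = ipaddress.ip_address(dst_ip)
        net, nh = max(((n, h) for n, h in self.routes if dst in n), key=lambda r: r[0].prefixlen)
        next_hop = dst_ip if nh is None else nh                # connected network: ARP for the host itself
        egress = next(ip for ip, (iface, _, _) in self.ifaces.items()
                      if ipaddress.ip_address(next_hop) in iface.network)
        return next_hop, egress

    def resolve(self, ip, egress):
        """ARP: answer from the cache, else broadcast a request; the reply fills the cache."""
        if ip not in self.arp:
            self.arp_requests += 1
            _, mac, sw = self.ifaces[egress]
            sw.deliver({"src_mac": mac, "dst_mac": BROADCAST, "src_ip": egress,
                        "dst_ip": ip, "payload": ("ARP-REQUEST",)}, self)
        if ip not in self.arp:
            raise LookupError(f"{self.name}: no ARP reply for {ip}")
        return self.arp[ip]

    def send(self, src_ip, dst_ip, payload):
        next_hop, egress = self.lookup(dst_ip)
        _, mac, sw = self.ifaces[egress]
        frame = {"src_mac": mac, "dst_mac": self.resolve(next_hop, egress),
                 "src_ip": src_ip, "dst_ip": dst_ip, "payload": payload}
        TRACE.append((self.name, frame["src_mac"], frame["dst_mac"], src_ip, dst_ip))
        sw.deliver(frame, self)

    def receive(self, frame, sw):
        kind = frame["payload"][0]
        if kind == "ARP-REQUEST":
            if frame["dst_ip"] in self.ifaces:                 # asking for one of my addresses
                self.arp[frame["src_ip"]] = frame["src_mac"]   # learn the requester as well
                sw.deliver({"src_mac": self.ifaces[frame["dst_ip"]][1], "dst_mac": frame["src_mac"],
                            "src_ip": frame["dst_ip"], "dst_ip": frame["src_ip"],
                            "payload": ("ARP-REPLY",)}, self)
        elif kind == "ARP-REPLY":
            self.arp[frame["src_ip"]] = frame["src_mac"]
        elif frame["dst_ip"] in self.ifaces:                   # addressed to me: deliver up the stack
            self.received.append((frame["src_ip"], frame["payload"][1]))
        else:                                                   # router: new L2 header, same L3 header
            self.send(frame["src_ip"], frame["dst_ip"], frame["payload"])


def build():
    sw1, sw3, ab, sw2 = Switch("Switch 1"), Switch("Switch 3"), Switch("A-B link"), Switch("Switch 2")
    host_a = Node("Host A", {"10.10.10.10/24": ("1111.2222.3333", sw1)}, [("0.0.0.0/0", "10.10.10.1")])
    router_a = Node("Router A", {"10.10.10.1/24": ("4444.5555.6666", sw1),
                                 "10.10.11.1/24": ("5555.6666.7777", ab),
                                 "10.10.100.1/24": ("8888.9999.AAAA", sw3)},
                    [("10.10.12.0/24", "10.10.11.2")])           # the static route from the slides
    router_b = Node("Router B", {"10.10.11.2/24": ("6666.7777.8888", ab),
                                 "10.10.12.1/24": ("7777.8888.9999", sw2)},
                    [("10.10.10.0/24", "10.10.11.1")])           # return route: assumed, not on the slides
    dns = Node("DNS Server", {"10.10.100.10/24": ("3333.4444.5555", sw3)}, [("0.0.0.0/0", "10.10.100.1")])
    web = Node("www.flackbox.com", {"10.10.12.10/24": ("2222.3333.4444", sw2)}, [("0.0.0.0/0", "10.10.12.1")])
    return host_a, router_a, router_b, dns, web, (sw1, sw3, ab, sw2)


def run():
    """Replays the slides: DNS query and answer, the HTTP request, then a second HTTP
    packet once every ARP cache and MAC address table has been populated."""
    host_a, router_a, router_b, dns, web, switches = build()
    senders = (host_a, router_a, router_b)
    host_a.send("10.10.10.10", "10.10.100.10", ("DATA", "A? www.flackbox.com"))
    dns.send("10.10.100.10", "10.10.10.10", ("DATA", "www.flackbox.com A 10.10.12.10"))
    host_a.send("10.10.10.10", "10.10.12.10", ("DATA", "GET / HTTP/1.1"))
    arp_after_first = tuple(n.arp_requests for n in senders)
    floods_after_first = sum(s.floods for s in switches)
    TRACE.clear()
    host_a.send("10.10.10.10", "10.10.12.10", ("DATA", "GET /again HTTP/1.1"))   # caches are warm now
    return {"arp_after_first": arp_after_first,
            "arp_after_second": tuple(n.arp_requests for n in senders),
            "floods_after_first": floods_after_first,
            "floods_after_second": sum(s.floods for s in switches),
            "second_trace": list(TRACE),
            "mac_tables": {s.name: dict(s.table) for s in switches},
            "dns_received": dns.received, "web_received": web.received}
```

run() returns the ARP and flood counters plus the per-hop trace of the second HTTP packet: every hop carries the same Src IP/Dst IP pair with a different MAC pair, and the second packet adds no ARP request and no flood on any switch.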
The Life of a Packet
[Diagram: the full path from Host A to www.flackbox.com with every ARP cache and MAC address table populated]
Gather Information
Analyze Information
Propose Hypothesis
Test Hypothesis
Troubleshooting Methods
Compare configurations
Trace the path
Swap out components
Connectivity Troubleshooting Methods
Ping
Traceroute
Telnet
Router IP Addresses
A router provides connectivity between different IP subnets
An IP address must be configured on the interfaces in each subnet
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
no shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no shutdown
[Diagram: router with FastEthernet0/1 192.168.1.1/24 and FastEthernet0/0 192.168.0.1/24]
Switch Management IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.0.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.0.1
A layer 2 switch does not route, but it can be given an IP address on a VLAN interface (SVI) so that it can be managed over the network; ip default-gateway lets it answer management traffic from other subnets. VLAN 1 is the lab default. In production, put the management SVI in a dedicated management VLAN rather than in the VLAN the user ports sit in.
Lab Example
[Lab diagram: SW1 (VLAN 1 SVI 192.168.0.10) to R1 FE0/0 192.168.0.1; R1 FE0/1 to B]
Hostname
Interface Descriptions
Interface Speed and Duplex
Verification Commands
CDP Cisco Discovery Protocol
Switch(config)# cdp run
Switch(config)# no cdp run
Switch(config-if)# no cdp enable
Switch# show cdp
Switch# show cdp neighbors
Switch# show cdp neighbors detail
CDP is on by default and, as show cdp neighbors detail illustrates, it hands any directly attached device the platform, IOS version and IP address of the switch. Keep it running on links to your own infrastructure, where its troubleshooting value lies, and disable it per interface (no cdp enable) on ports that face users or untrusted networks; no cdp run turns it off for the whole device.
LLDP Link Layer Discovery Protocol
LLDP (Link Layer Discovery Protocol) is an open standard protocol which provides similar information to CDP.
It is a newer protocol and only supported on newer devices.
It exposes the same kind of information as CDP, so scope it the same way: on for infrastructure links, off on ports facing users or untrusted networks.
Layer 1 Troubleshooting
Common Layer 1 problems include:
The interface is administratively shut down
The cable is disconnected on either or both ends
The device on the other end of the cable is powered off
Broken connectors which cause loose connections
Bent or stretched cables which lead to broken wires or fibres
Electro-Magnetic Interference (EMI) sources such as motors or microwaves which cause errors in transmission (newer cable is less susceptible to this)
Layer 1 Troubleshooting Commands
Switch# show ip interface brief
SW1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  administratively down down
FastEthernet0/2        unassigned      YES unset  down                  down
FastEthernet0/2        unassigned      YES unset  up                    down
(The three FastEthernet0/2 rows show the three problem states for one port: 'administratively down' means shutdown is configured; 'down / down' means no layer 1 signal, so look at the cable, the far-end device or a speed mismatch; 'up / down' means layer 1 is fine but layer 2 is not, for example an encapsulation or keepalive problem.)
Show Interface
Switch# show interface
SW1#show interface fastEthernet 0/2
FastEthernet0/2 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0014.6a8c.2884 (bia 0014.6a8c.2884)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:15, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
367 packets input, 41739 bytes, 0 no buffer
Received 60 broadcasts (58 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 58 multicast, 0 pause input
0 input packets with dribble condition detected
1894 packets output, 150623 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
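Reading the two show commands programmatically, as an added example (not course code). The 'show ip interface brief' rows are the slide's, with the three FastEthernet0/2 rows renumbered 0/2 to 0/4 so each state has its own port; the counter excerpt is from the slide's 'show interface' output, plus one constructed copy with CRC errors and runts to exercise the duplex-mismatch rule of thumb (the full-duplex side of a mismatch counts CRC errors and runts, the half-duplex side counts late collisions).

```python
import re

# 'show ip interface brief' rows from the slide; the repeated FastEthernet0/2 rows are
# renumbered 0/2-0/4 here so each state has its own port (constructed sample).
BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        unassigned      YES unset  up                    up
FastEthernet0/2        unassigned      YES unset  administratively down down
FastEthernet0/3        unassigned      YES unset  down                  down
FastEthernet0/4        unassigned      YES unset  up                    down
"""

# Excerpt of the slide's 'show interface fastEthernet 0/2' output (counters unchanged).
CLEAN = """\
FastEthernet0/2 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  367 packets input, 41739 bytes, 0 no buffer
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  1894 packets output, 150623 bytes, 0 underruns
  0 output errors, 0 collisions, 2 interface resets
  0 babbles, 0 late collision, 0 deferred
"""

# Constructed counterpart: what the full-duplex side of a duplex mismatch tends to show.
MISMATCH = CLEAN.replace("0 runts", "41 runts").replace("0 input errors, 0 CRC", "63 input errors, 63 CRC")

STATE_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+(administratively down|up|down)\s+(up|down)\s*$")
COUNTERS = ("input errors", "CRC", "runts", "giants", "collisions", "late collision", "output errors")


def classify_brief(text):
    """Map each interface in 'show ip interface brief' to a layer 1/2 diagnosis."""
    result = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue                                   # header line
        name, status, proto = m.groups()
        if status == "administratively down":
            result[name] = "shutdown configured: 'no shutdown' needed"
        elif status == "down":
            result[name] = "layer 1 down: check cable, far-end power, speed setting"
        elif proto == "down":
            result[name] = "layer 1 up, layer 2 down: check encapsulation/keepalives/far end"
        else:
            result[name] = "up/up"
    return result


def parse_counters(text):
    """Pull the error counters and duplex/speed out of 'show interface' output."""
    counters = {}
    for name in COUNTERS:
        m = re.search(rf"(\d+) {re.escape(name)}\b", text)   # e.g. '63 CRC', '0 late collision'
        if m:
            counters[name] = int(m.group(1))
    m = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    if m:
        counters["duplex"], counters["speed_mbps"] = m.group(1).lower(), int(m.group(2))
    return counters


def diagnose(counters):
    """Rule of thumb: the half-duplex side of a mismatch logs late collisions, the
    full-duplex side logs CRC errors and runts; CRC errors without a duplex clue
    point at cabling or EMI instead."""
    findings = []
    if counters.get("late collision", 0):
        findings.append("late collisions: duplex mismatch likely (this side is half-duplex)")
    if counters.get("CRC", 0) or counters.get("runts", 0):
        if counters.get("duplex") == "full":
            findings.append("CRC/runts on a full-duplex port: far end is probably half-duplex")
        else:
            findings.append("CRC errors: check cabling and EMI sources")
    return findings or ["counters clean"]
```

classify_brief() turns the Status/Protocol columns into the three diagnoses from the slide, and diagnose(parse_counters(...)) returns the findings for one interface; the same regexes work on output pasted from a real device because the counter names are fixed strings in IOS.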
Speed and Duplex Mismatches
Both sides of a link must be set the same: either both auto, or both manually configured to the same values.
Cisco devices default to auto.
If one side is set to auto and the other is manually configured, this will often result in a mismatch.
Best practice is to manually configure ports attached to other network infrastructure devices or servers.
Remember to manually configure both sides of the link!
If a device has issues with auto negotiating speed or duplex, manually configuring both sides will normally solve the problem.
A duplex mismatch leaves the link up but degraded: in show interface the half-duplex side counts late collisions and the full-duplex side counts CRC errors and runts, and throughput collapses under load. A speed mismatch usually stops the link from coming up at all.
Speed and Duplex Mismatches - CDP
CDP reports a duplex mismatch it detects with a %CDP-4-DUPLEX_MISMATCH log message, one reason to leave CDP running on infrastructure links.
Cisco Device Memory
Cisco routers and switches have 4 built-in memory locations:
ROM – Read Only Memory
Flash – newer devices use removable CompactFlash
NVRAM – Non-Volatile RAM
RAM – Random Access Memory
ROM Read Only Memory
When the device is powered on, it will first load from ROM.
Two main functions are performed:
1) Power On Self Test (POST)
2) Load bootstrap
The bootstrap will look in Flash for an IOS software image to load.
If an IOS image cannot be found, the device will show the ROMMON prompt at the command line.
The ROM Monitor can be used to recover a missing or corrupted software image.
In this case you can boot from USB or an external TFTP (Trivial File Transfer Protocol) server.
Search for 'Cisco ROMMON Recovery' for your device model.
Flash Memory
The system will load the first IOS image found in Flash by default.
You can override this with the boot system command.
You can copy additional IOS system images to Flash via TFTP or USB.
NVRAM Non-Volatile RAM Memory
When the system has finished loading the IOS system image from Flash, it will load the startup-config configuration file from NVRAM.
The saved startup-config becomes the current running-config in RAM.
If no startup-config file is found, the device will load the Setup Wizard.
Whenever you enter a command in IOS it takes effect immediately and goes into the running-config.
To make your changes permanent across a reboot:
copy running-config startup-config
RAM Random Access Memory
The IOS system image and startup-config are loaded from Flash and NVRAM into RAM during bootup.
RAM is used as the normal working memory of the device.
ROM, Flash and NVRAM are permanent memory: their contents are not lost when the device is powered off or rebooted.
RAM is volatile memory: its contents are lost when the device is powered off.
The VLAN Database
Booting from TFTP
The system can also load a system image and/or startup-config from an external TFTP server instead of Flash/NVRAM.
This is not recommended because the device will not be able to boot if it loses connectivity to the server. It is usually only used where the device does not have enough capacity in Flash to save the system image.
TFTP also has no authentication and no integrity protection, so a device that fetches its image or configuration at boot trusts whatever answers on the network. If it must be used, keep the TFTP server on an isolated management network.
Lab Example
Factory Reset
To factory reset a router or switch:
write erase
Then reload. write erase clears only the startup-config in NVRAM; on a switch the VLAN database is stored separately in flash:vlan.dat and has to be deleted as well (delete flash:vlan.dat) before the reload.
The Config Register
The configuration register can be used to change the way the router boots.
Use the config-register command in global configuration mode, or confreg at the rommon prompt.
Eg config-register 0x2142
Router Password Recovery Procedure
Press the break sequence (Ctrl-Break) at power on to break into the rommon prompt.
confreg 0x2142 to ignore the startup-config on boot.
The startup-config is still there with the full configuration, including the unknown enable secret, but the router does not use it when it boots.
reset to reload.
The router will boot up with no configuration. Type no to bypass the setup wizard.
Enter enable mode. You will not be prompted for the enable secret, as it is not in the running configuration.
Copy the startup config to the running config: copy startup-config running-config
This will copy the entire previous configuration into the running config, including the unknown enable secret. You are already in enable mode, so you do not need to know what it is.
Enter a new enable secret in global configuration mode to overwrite the old one. This will go into the running config.
Check the interfaces: after a boot that ignored the startup-config they come up shut down, and the copy does not bring them up, so issue no shutdown on each interface you use.
config-register 0x2102 so the router will boot normally on the next restart.
copy run start to save the configuration. This will merge the new enable secret into the existing startup-config.
The procedure needs nothing beyond console access and a power cycle, so the enable secret only protects a router whose console port is physically secured. IOS can disable the procedure with no service password-recovery, at the cost that a lost password then means erasing the configuration to get back in.
Switch Password Recovery Procedure
The switch password recovery procedure is very similar, but you may have to physically press the 'Mode' button on the front of the switch to break into the switch loader.
Search for 'Cisco password recovery' for your model of switch for full instructions.
Backing up the System Image and Config
Copies of the device's IOS system image and configuration can be saved to Flash, FTP, TFTP or USB.
A saved configuration carries the device's credentials (the enable secret hash, SNMP community strings and any type 7 passwords, which are trivially reversible), so handle backups with the same care as the device itself and prefer an authenticated transfer such as SCP or FTP to TFTP.
If you copy a config file into the running-config, it will be merged with the current configuration.
To replace a configuration, factory reset and then copy the new configuration into the startup-config.
Lab Example
Upgrading the IOS System Image
IOS software images can be downloaded from:
https://software.cisco.com/
After downloading the software, copy it to the device's Flash using TFTP:
copy tftp flash
Before booting from the new file, check its checksum against the value published with the download (verify /md5 flash:<image file> prints the MD5 of the file in Flash); a corrupted or substituted image is otherwise only discovered at the next reload.
Delete the old system image or use the boot system command.
Router IOS Licensing
Prior to IOS 15.0, different IOS system images were available for different feature sets, such as Security or Telephony.
Licensing was not enforced.
A universal system image is provided from IOS 15.0.
License codes must be entered to activate the Technology Packages.
Licensing Procedure
When you purchase a license you will be provided with a Product Activation Key (PAK) code.
The license will be tied to an individual device. To get the device's Unique Device Identifier (UDI), enter show license udi.
Go to the Cisco License Portal http://www.cisco.com/go/license and enter the PAK code and UDI to generate the license.
Copy the license to Flash on the router.
license install flash:
license show
Router Functions
The Routing Table
Connected and Local Routes
The administrator configures IP addresses on the router's interfaces:
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
interface FastEthernet1/0
ip address 10.0.1.1 255.255.255.0
interface FastEthernet2/0
ip address 10.0.2.1 255.255.255.0
[Diagram: R1 with FastEthernet0/0 10.0.0.1/24, FastEthernet1/0 10.0.1.1/24, FastEthernet2/0 10.0.2.1/24]
show ip route - Connected Routes
This will automatically enter connected routes into the routing table:
R1#sh ip route
C 10.0.0.0/24 is directly connected, FastEthernet0/0
C 10.0.1.0/24 is directly connected, FastEthernet1/0
C 10.0.2.0/24 is directly connected, FastEthernet2/0
If any traffic for the 10.0.0.0/24 network is received on another interface of the router, it will forward it out interface FastEthernet0/0.
show ip route - Local Routes
From IOS 15, local routes will also be added to the routing table.
Local routes always have a /32 mask and show the IP address configured on the interface.
R1#sh ip route
L 10.0.0.1/32 is directly connected, FastEthernet0/0
L 10.0.1.1/32 is directly connected, FastEthernet1/0
L 10.0.2.1/32 is directly connected, FastEthernet2/0
Lab
Static Routes
If a router receives traffic for a network which it is not directly attached to, it needs to know how to get there in order to forward the traffic.
An administrator can manually add a static route to the destination, or the router can learn it via a routing protocol.
Routes on R2 (next hop 10.0.0.1 is R1):
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.1
[Diagram: R2 (F1/0 10.1.0.2/24) F0/0 .2 - 10.0.0.0/24 - .1 F0/0 R1 (F1/0 10.0.1.1/24, F2/0 10.0.2.1/24)]
Static Routes
Routes on R1:
ip route 10.1.0.0 255.255.255.0 10.0.0.2
ip route 10.1.1.0 255.255.255.0 10.0.0.2
ip route 10.1.2.0 255.255.255.0 10.0.0.2
[Diagram: R4 (FE1/0 10.1.2.1/24) FE0/0 .1 - 10.1.1.0/24 - .2 FE0/0 R3 FE1/0 .1 - 10.1.0.0/24 - .2 FE1/0 R2 FE0/0 .2 - 10.0.0.0/24 - .1 FE0/0 R1 (FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24)]
Summary Routes
For static routing, summary routes lessen administrative overhead and memory usage on the routers.
Routes on R1:
ip route 10.1.0.0 255.255.0.0 10.0.0.2
Summarisation doesn't have to be on classful boundaries.
To summarise the range 10.1.0.0 to 10.1.3.0:
ip route 10.1.0.0 255.255.252.0 10.0.0.2
Longest Prefix Match
When there are overlapping routes, the longest prefix will be selected:
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2
[Diagram: R5 (FE2/0 10.1.3.2/24, FE3/0 10.0.3.2/24) provides a second path between R4 (FE2/0 10.1.3.1/24) and R1 (FE3/0 10.0.3.1/24); traffic for 10.1.3.0/24 follows the /24 via R5, the rest of 10.1.0.0/16 follows the /16 via R2]
Load Balancing
When multiple equal length routes are added for the same destination, the router will add them all to the routing table and load balance between them:
R1(config)# ip route 10.1.0.0 255.255.0.0 10.0.0.2
R1(config)# ip route 10.1.0.0 255.255.0.0 10.0.3.2
Default Route (Gateway of Last Resort)
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2
ip route 0.0.0.0 0.0.0.0 203.0.113.2
[Diagram: the topology above, with R1 also connected to the Internet via 203.0.113.1 (next hop 203.0.113.2)]
Lab
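The forwarding decision the static-route slides describe, as an added example (not course code) using Python's ipaddress module. It builds R1's routing table from its interfaces and the three ip route lines of the Default Route slide (FastEthernet4/0 is an assumed name for the Internet-facing interface; the diagram shows only its address), performs the longest prefix match with equal-cost routes returned together, computes the /22 summary of the Summary Routes slide, and adds one check the slides do not show: how much address space a summary route attracts beyond the networks that really sit behind it.

```python
import ipaddress

# R1's interfaces from the slides. FastEthernet4/0 is an assumed name for the
# Internet-facing interface (the diagram only shows its address, 203.0.113.1).
CONNECTED = {
    "FastEthernet0/0": "10.0.0.1/24",
    "FastEthernet1/0": "10.0.1.1/24",
    "FastEthernet2/0": "10.0.2.1/24",
    "FastEthernet3/0": "10.0.3.1/24",
    "FastEthernet4/0": "203.0.113.1/24",
}
# The three static routes from the 'Default Route' slide, as typed on R1.
STATIC = [
    "ip route 10.1.0.0 255.255.0.0 10.0.0.2",
    "ip route 10.1.3.0 255.255.255.0 10.0.3.2",
    "ip route 0.0.0.0 0.0.0.0 203.0.113.2",
]


def parse_ip_route(lines):
    """'ip route NETWORK MASK NEXT-HOP' -> (network, next hop). Other lines are ignored."""
    routes = []
    for line in lines:
        parts = line.split()
        if parts[:2] == ["ip", "route"] and len(parts) >= 5:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, ipaddress.ip_address(parts[4])))
    return routes


def build_table(connected=CONNECTED, static=STATIC):
    """Connected (C) and local (L, /32) routes come from the interfaces, static (S) from config."""
    table = []
    for iface, cidr in connected.items():
        ip = ipaddress.ip_interface(cidr)
        table.append({"code": "C", "net": ip.network, "via": None, "iface": iface})
        table.append({"code": "L", "net": ipaddress.ip_network(f"{ip.ip}/32"), "via": None, "iface": iface})
    for net, nh in parse_ip_route(static):
        table.append({"code": "S", "net": net, "via": nh, "iface": None})
    return table


def best_routes(table, dst):
    """Every entry matching dst with the longest prefix (more than one = equal-cost routes)."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    return [r for r in matches if r["net"].prefixlen == longest]


def lookup(table, dst):
    """Forwarding decision: [(matched prefix, next hop, egress interface)].
    A static route's next hop is resolved against the connected routes."""
    out = []
    for r in best_routes(table, dst):
        iface = r["iface"]
        if iface is None:
            conn = [c for c in best_routes(table, str(r["via"])) if c["code"] == "C"]
            iface = conn[0]["iface"] if conn else None       # None: next hop not reachable
        out.append((str(r["net"]), "directly connected" if r["via"] is None else str(r["via"]), iface))
    return out


def summarize(prefixes):
    """Smallest prefixes covering the given networks (the slides' /22 for 10.1.0.0-10.1.3.0)."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)]


def overreach(summary, prefixes):
    """Address space a summary route attracts that is NOT one of the real networks behind it."""
    remaining = [ipaddress.ip_network(summary)]
    for p in map(ipaddress.ip_network, prefixes):
        nxt = []
        for block in remaining:
            nxt.extend(block.address_exclude(p) if p.subnet_of(block) else [block])
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]
```

lookup() reproduces the three slides in one function: 10.1.3.x follows the /24 towards 10.0.3.2 although the /16 also matches, anything outside the table falls to 0.0.0.0/0, and two equal-length routes come back as a pair. overreach() is the check to run before advertising a summary: the /22 covers exactly the four networks, while the /16 from the earlier slide also pulls in 10.1.4.0 to 10.1.255.255, destinations no router behind R2 actually serves.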
Dynamic Routing Protocols
447
Dynamic Routing Protocols
448
Dynamic Routing Protocols
Routing Table:
10.0.0.0/24 Connected FE0/0
10.1.0.0/24 Connected FE1/0
10.0.1.0/24 10.0.0.1 FE0/0
10.0.2.0/24 10.0.0.1 FE0/0
449
Dynamic Routing Protocols
You can get to these
networks via me:
10.0.0.0/24
10.0.1.0/24
10.0.2.0/24
450
Dynamic Routing Protocols
Routing Table:
10.1.1.0/24 Connected FE0/0
10.1.0.0/24 Connected FE1/0
10.0.0.0/24 10.1.0.2 FE1/0
10.0.1.0/24 10.1.0.2 FE1/0
10.0.2.0/24 10.1.0.2 FE1/0
451
Summary Routes
452
Summary Routes
453
Dynamic Routing Protocols vs Static Routes
454
Dynamic Routing Protocol Advantages
455
Dynamic Routing Protocols vs Static Routes
456
Lab
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
457
Routing Protocol Types
Routing protocols can be split into two main types:
Interior gateway protocols (IGPs)
Exterior gateway protocols (EGPs)
458
Interior Gateway Protocols
Interior gateway protocols can be split into two main types:
Distance Vector routing protocols
Link State routing protocols
459
Distance Vector Routing Protocols
In Distance Vector protocols, each router sends its directly connected
neighbours a list of all its known networks along with its own distance to
each of those networks
Distance vector routing protocols do not advertise the entire network
topology
A router only knows its directly connected neighbours and the lists of
networks those neighbours have advertised. It doesn’t have detailed
topology information beyond its directly connected neighbours
Distance Vector routing protocols are often called ‘Routing by rumour’
460
Link State Routing Protocols
In Link State routing protocols, each router describes itself and its
interfaces to its directly connected neighbours
This information is passed unchanged from one router to another
Every router learns the full picture of the network including every router,
its interfaces and what they connect to
461
Dynamic Routing Protocols
Advanced
All of the IGPs do the same job, which is to advertise routes within an
organisation and determine the best path or paths
An organisation will typically pick one of the IGPs
If an organisation has multiple IGPs in effect (for example because of a
merger), information can be redistributed between them. This should
generally be avoided if possible
463
Lab
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
464
Metric
465
Metric
Each possible path will be assigned a ‘metric’ value by the routing
protocol which indicates how preferred the path is
The lowest metric value is preferred
Distance Vector routers advertise to each other the networks they know
about, and their metric to get to each of them
Link State routers advertise all the links in their area of the network to
each other
Each router will take this information and then make an independent
calculation of its own best path to get to each destination
466
Metric
If the best path to a destination is lost (for example because a link went
down) it will be removed from the routing table and replaced with the
next best route
467
RIP Metric – Hop Count
RIP uses Hop Count as the metric
The maximum hop count by default is 15. Paths which are more than 15
hops away are marked as unreachable
Path R4>5>1 will be preferred for 10.0.1.0/24 in the example below
RIP is typically used only in small or test environments
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
468
RIP Metric – Hop Count
RIP uses Hop Count as the metric
R1: “You can get to these networks via me”:
10.0.1.0/24 – 1 hop
10.0.2.0/24 – 1 hop
10.0.3.0/24 – 1 hop
10.1.3.0/24 – 2 hops
10.1.2.0/24 – 3 hops
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
469
RIP Metric – Hop Count
R2: “You can get to these networks via me”:
10.0.0.0/24 – 1 hop
10.0.1.0/24 – 2 hops
10.0.2.0/24 – 2 hops
10.0.3.0/24 – 2 hops
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
470
RIP Metric – Hop Count
R3: “You can get to these networks via me”:
10.0.0.0/24 – 2 hops
10.0.1.0/24 – 3 hops
10.0.2.0/24 – 3 hops
10.1.0.0/24 – 1 hop
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
471
RIP Metric – Hop Count
R1: “You can get to these networks via me”:
10.0.0.0/24 – 1 hop
10.0.1.0/24 – 1 hop
10.0.2.0/24 – 1 hop
10.1.0.0/24 – 2 hops
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
473
RIP Metric – Hop Count
R5: “You can get to these networks via me”:
10.0.0.0/24 – 2 hops
10.0.1.0/24 – 2 hops
10.0.2.0/24 – 2 hops
10.0.3.0/24 – 1 hop
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
474
RIP Metric – Hop Count
R4: I learned 2 possible routes to get to the 10.0.1.0/24 network:
3 hops via 10.1.1.2 out FE0/0
2 hops via 10.1.3.2 out F2/0
I’ll put the best one in my routing table
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
476
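An added example, not from the deck, that simulates the distance-vector exchange from the RIP Hop Count slides in Python: every router tells its neighbours what it knows at its own metric plus one hop, and R4 ends up with the two candidate routes to 10.0.1.0/24 shown above, installing the 2-hop path via R5. The TOPOLOGY table is constructed from the diagram (router, interface and address names as drawn); converge, advertisement and candidates are a simplified model of the slide's logic, not Cisco's RIP implementation (no timers, split horizon or triggered updates).

```python
"""Distance-vector (RIP-style) hop-count simulation.

Added example, not code from the Flackbox deck. It rebuilds the five-router
topology from the slides and reproduces the hop counts each router
advertises and the two candidate routes R4 learns for 10.0.1.0/24.
"""
from ipaddress import ip_interface, ip_network

INFINITY = 16  # a RIP metric of 16 hops means "unreachable"

# Constructed from the slide diagram: router -> {interface: address/prefix}
TOPOLOGY = {
    "R1": {"FE0/0": "10.0.0.1/24", "FE1/0": "10.0.1.1/24",
           "FE2/0": "10.0.2.1/24", "FE3/0": "10.0.3.1/24"},
    "R2": {"FE0/0": "10.0.0.2/24", "FE1/0": "10.1.0.2/24"},
    "R3": {"FE0/0": "10.1.1.2/24", "FE1/0": "10.1.0.1/24"},
    "R4": {"FE0/0": "10.1.1.1/24", "FE1/0": "10.1.2.1/24", "FE2/0": "10.1.3.1/24"},
    "R5": {"FE2/0": "10.1.3.2/24", "FE3/0": "10.0.3.2/24"},
}


def neighbours(topology, router):
    """(neighbour, neighbour's IP on the shared link, local interface) for
    every directly connected router."""
    found = []
    for ifname, addr in topology[router].items():
        link = ip_interface(addr).network
        for other, ifaces in topology.items():
            if other == router:
                continue
            for other_addr in ifaces.values():
                other_if = ip_interface(other_addr)
                if other_if.network == link:
                    found.append((other, str(other_if.ip), ifname))
    return found


def advertisement(tables, router):
    """What a router tells its neighbours: each known network at its own
    metric plus one hop, capped at INFINITY."""
    return {net: min(metric + 1, INFINITY)
            for net, (metric, _) in tables[router].items()}


def converge(topology):
    """Exchange advertisements until no table changes. Each table maps a
    network to (hop count, [(next hop, interface), ...]); connected networks
    start at 0 hops and equal-cost paths are kept side by side (ECMP)."""
    tables = {
        router: {ip_interface(addr).network: (0, [("connected", ifname)])
                 for ifname, addr in ifaces.items()}
        for router, ifaces in topology.items()
    }
    changed = True
    while changed:
        changed = False
        for router in topology:
            for nbr, nbr_ip, ifname in neighbours(topology, router):
                for net, hops in advertisement(tables, nbr).items():
                    if hops >= INFINITY:      # unreachable: never installed
                        continue
                    current = tables[router].get(net)
                    if current is None or hops < current[0]:
                        tables[router][net] = (hops, [(nbr_ip, ifname)])
                        changed = True
                    elif hops == current[0] and (nbr_ip, ifname) not in current[1]:
                        current[1].append((nbr_ip, ifname))
                        changed = True
    return tables


def candidates(topology, tables, router, network):
    """Every route offered to `router` for `network`, best first: the
    "I learned 2 possible routes" view from the R4 slide."""
    net = ip_network(network)
    return sorted((advertisement(tables, nbr)[net], nbr_ip, ifname)
                  for nbr, nbr_ip, ifname in neighbours(topology, router)
                  if net in tables[nbr])


def installed(tables, router, network):
    """Routing-table entry (hops, [(next hop, interface)]) or None."""
    return tables[router].get(ip_network(network))


def advertised(tables, router, network):
    """Hop count `router` announces for `network` (INFINITY if unknown)."""
    return advertisement(tables, router).get(ip_network(network), INFINITY)


if __name__ == "__main__":
    tables = converge(TOPOLOGY)
    for hops, via, ifname in candidates(TOPOLOGY, tables, "R4", "10.0.1.0/24"):
        print(f"R4: {hops} hops to 10.0.1.0/24 via {via} out {ifname}")
    print("R4 installs:", installed(tables, "R4", "10.0.1.0/24"))
```

Running it prints the 3-hop candidate via 10.1.1.2 and the 2-hop candidate via 10.1.3.2, with only the latter installed; R1's table also ends up with two equal-cost entries for 10.1.1.0/24 (via R2 and via R5), matching the show ip rip database output later in the deck. Feeding converge a chain longer than 15 routers shows the hop-count limit: the far network is installed at 15 hops on one router and is simply absent on the next one along.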
RIP Metric – Hop Count
R4#sh ip route
Gateway of last resort is not set
477
OSPF Metric – Cost
OSPF uses ‘Cost’ as the metric, which is automatically derived from
interface bandwidth by default
You can manually configure the cost of links if you want to manipulate
the path
Path R4>3>2>1 will be preferred for 10.0.1.0/24 in the example below
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24 on 100 Mbps links; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24) on 10 Mbps links; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
478
OSPF Metric – Cost
R4#sh ip route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 11 subnets, 2 masks
O 10.0.0.0/24 [110/3] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.0.1.0/24 [110/4] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.0.2.0/24 [110/4] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.0.3.0/24 [110/13] via 10.1.1.2, 00:03:57, FastEthernet0/0
O 10.1.0.0/24 [110/2] via 10.1.1.2, 00:03:57, FastEthernet0/0
C 10.1.1.0/24 is directly connected, FastEthernet0/0
L 10.1.1.1/32 is directly connected, FastEthernet0/0
C 10.1.2.0/24 is directly connected, FastEthernet1/0
L 10.1.2.1/32 is directly connected, FastEthernet1/0
C 10.1.3.0/24 is directly connected, FastEthernet2/0
L 10.1.3.1/32 is directly connected, FastEthernet2/0
203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C 203.0.113.0/24 is directly connected, FastEthernet3/0
L 203.0.113.1/32 is directly connected, FastEthernet3/0
479
IS-IS Metric – Cost
IS-IS also uses ‘Cost’ as the metric, but it is not automatically derived from
interface bandwidth. All links have an equal cost by default
You can manually configure the cost of links if you want to manipulate the path
If you do not manually set the link costs then the path with the lowest hop
count will be used
Path R4>5>1 will be preferred for 10.0.1.0/24 in the example below
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24 on 100 Mbps links; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24) on 10 Mbps links; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
480
EIGRP Metric
EIGRP uses the bandwidth and delay of links to calculate the metric
(Load and reliability can also be considered but are ignored by default)
A fixed delay value is used based on the interface bandwidth, the protocol does
not dynamically measure current delay
You can manually configure the delay on links if you want to manipulate the path
Path R4>3>2>1 will be preferred for 10.0.1.0/24 in the example below
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24 on 100 Mbps links; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24) on 10 Mbps links; R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
481
Choosing a Routing Protocol
RIP uses hop count and has a default maximum metric of 15. It is not
usually used in production networks because of its scalability limitations.
EIGRP is very simple to maintain, calculates changes very quickly and its
metric calculation will normally choose the best path by default. It is
typically only supported on Cisco routers however.
OSPF’s metric calculation will typically choose the best path by default. It
is an open standard which is supported by all vendors’ routers and is the
most commonly deployed IGP today. It is however more complicated to
maintain than EIGRP.
IS-IS link costs need to be manually configured or it will use hop count to
determine the best path. It is typically only used in Service Provider
networks or large organisations with their own MPLS network who
choose it because of its scalability.
482
Lab
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
483
Equal Cost Multi Path (ECMP)
484
Equal Cost Multi Path
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
487
Lab
488
Metric
489
Metric
For example in RIP, path A>B>C>D has a hop count of 3, path A>B>D has a
hop count of 2, so A>B>D would be preferred
In OSPF, if path A>B>C>D has a cost of 60, and path A>B>D has a cost of
100, then A>B>C>D would be used
490
Administrative Distance
If paths to the same destination are received from different routing
protocols, their metrics cannot be compared
For example, a RIP hop count of 5 cannot be compared to an OSPF cost of
60. The comparison would be meaningless because the routing protocols
calculate the metric in completely different ways
The router must use a different method to choose when routes to the
same destination are received from different routing protocols
The Administrative Distance (AD) is used for this
491
Administrative Distance
492
Default Administrative Distance
494
Show ip route
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
Connected interfaces have an AD of 0
496
Administrative Distance Example
The router will then compare the routes received via OSPF and install the
one with the lowest cost in the routing table
If multiple equal cost paths are received via OSPF they will all be installed
in the routing table and the router will load balance outbound traffic to
the destination between them
497
Floating Static Routes
If the best path to a destination is lost (for example because a link went
down) it will be removed from the routing table and replaced with the
next best route
We might want to configure a static route as a backup for the route
learned via a routing protocol
A problem is that static routes have a default Administrative Distance of 1
which will always be preferred over routes learned via an IGP
498
Floating Static Routes – OSPF
We can change the Administrative Distance of a static route to make it
act as the backup (rather than the preferred) route
Floating static route for OSPF example
R4(config)#ip route 10.0.1.0 255.255.255.0 10.1.3.2 115
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
500
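An added example (not code from the deck) of the route-source selection the Administrative Distance and Floating Static Routes slides describe, in Python. The sample routes are R4's OSPF route to 10.0.1.0/24 from the show ip route output earlier ([110/4] via 10.1.1.2) and the floating static route ip route 10.0.1.0 255.255.255.0 10.1.3.2 115; the Route type, select and routing_table functions are my illustration, and the DEFAULT_AD values are the standard Cisco defaults.

```python
"""Route-source selection with Administrative Distance (AD).

Added example, not code from the Flackbox deck. When the same prefix is
learned from several sources the router compares AD first and only compares
metric between routes that share the winning AD.
"""
from collections import namedtuple

# Cisco default administrative distances (standard values)
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90,
              "ospf": 110, "isis": 115, "rip": 120}

Route = namedtuple("Route", "prefix source ad metric next_hop")


def static_route(prefix, next_hop, ad=DEFAULT_AD["static"]):
    """'ip route <prefix> <mask> <next hop> [ad]': a higher-than-default AD
    makes the static route float behind the routing protocol."""
    return Route(prefix, "static", ad, 0, next_hop)


def learned_route(prefix, source, metric, next_hop):
    """A route received from a routing protocol, with that protocol's AD."""
    return Route(prefix, source, DEFAULT_AD[source], metric, next_hop)


def select(candidate_routes):
    """Routes that go into the routing table for one prefix: lowest AD wins;
    among the routes with that AD, lowest metric; equal metrics are all kept
    and load-balanced. Metrics from different protocols are never compared."""
    if not candidate_routes:
        return []
    best_ad = min(r.ad for r in candidate_routes)
    lowest_ad = [r for r in candidate_routes if r.ad == best_ad]
    best_metric = min(r.metric for r in lowest_ad)
    return [r for r in lowest_ad if r.metric == best_metric]


def routing_table(candidate_routes):
    """Apply select() per prefix, like a RIB choosing between sources."""
    by_prefix = {}
    for r in candidate_routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    return {prefix: select(routes) for prefix, routes in by_prefix.items()}


if __name__ == "__main__":
    ospf = learned_route("10.0.1.0/24", "ospf", 4, "10.1.1.2")
    floating = static_route("10.0.1.0/24", "10.1.3.2", ad=115)
    print("both present:", select([ospf, floating]))
    print("OSPF route withdrawn:", select([floating]))
```

With both routes present the OSPF route (AD 110) is installed and the AD-115 static stays out of the table; once the OSPF route is withdrawn the static takes over. The same function shows why a static route left at its default AD of 1 would always beat the IGP, and why a RIP hop count of 5 does not "win" against an OSPF cost of 60.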
Lab
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
501
Loopback Interfaces
502
Loopback Interface Uses
503
Loopback Interface Uses
The same loopback interface is usually used for multiple tasks (for
example management and BGP)
Multiple loopbacks can be configured. This is not common and only
usually done where another, separate loopback is required for a special
use case
504
Loopback Interfaces
For example, my PC is on the 10.1.2.0 subnet and I want to connect to R1
to manage it
If the top path goes down, I cannot connect to 10.0.0.1
If the bottom path goes down, I cannot connect to 10.0.3.1
[Diagram: five-router topology; R5 FE2/0 10.1.3.2/24 and FE3/0 10.0.3.2/24 on 10 Mbps links]
505
Loopback Interfaces
I add interface Loopback 0 with the IP address 192.168.1.1/32
I advertise 192.168.1.1/32 in my routing protocol
R4 learns the two paths to 192.168.1.1
I can still connect to 192.168.1.1 even if either path goes down
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24 on 100 Mbps links; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24) on 10 Mbps links; R1 Loopback0 192.168.1.1/32, FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
506
Lab
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24 on 100 Mbps links; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24) on 10 Mbps links; R1 Loopback0 192.168.1.1/32, FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24; R4 FE1/0 10.1.2.1/24]
507
Adjacencies
508
Adjacencies
509
Adjacency Example
The IP subnets configured on the interfaces which are enabled for the
routing protocol will be included in its updates
For example, R1 has a routing protocol enabled on the Loopback0
interface and FastEthernet0/0 and 1/0
The routing protocol is not enabled on FastEthernet2/0
RC belongs to a partner organisation we do not want to send internal
network information to
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
510
Adjacency Example
R1 will send out and listen for hello packets on the Loopback0 interface
and FastEthernet0/0 and 1/0
It will form adjacencies with any routers running the same protocol on
those links – RA and RB
It will not send out or listen for hello packets on FastEthernet2/0
It will not form an adjacency with RC
(We will use static routes for the extranet traffic with RC)
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
511
Adjacency Example
R1 will advertise IP subnets to RA and RB:
10.0.0.0/24
10.0.1.0/24
192.168.1.1/32
It will not advertise 10.0.2.0/24
RA and RB will not learn routes to 10.0.2.0/24
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
512
Passive Interfaces
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
513
Passive Interfaces
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
514
Passive Interface Use Cases
515
Lab
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24 on 100 Mbps links; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24) on 10 Mbps links; R1 Loopback0 192.168.1.1/32, FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24 with R6 at 10.0.2.2/24; R4 FE1/0 10.1.2.1/24]
516
Ping
ICMP: Internet Control Message Protocol
517
Ping
ICMP: Internet Control Message Protocol
518
Ping Responses
If the ping is successful:
R1#ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/322/1076 ms
519
Ping Responses
If the router does not have a corresponding route or the destination IP
address does not respond:
R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
520
Ping Responses
If the router discards the packet (for example it is blocked by an Access
Control List):
R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
521
Extended Ping
Scenario: The user on PC1 complains that he can’t access services on PC3
The problem is R4 does not have a route to 10.0.1.0/24
Traffic which originates from a router always uses the IP address on the
outgoing interface as the source address
A ping from R1 to 10.1.2.10 will succeed because R4 has a route to
10.0.0.1
522
Extended Ping
PC1> ping 10.1.2.10
10.1.2.10 icmp_seq=1 timeout
10.1.2.10 icmp_seq=2 timeout
10.1.2.10 icmp_seq=3 timeout
10.1.2.10 icmp_seq=4 timeout
10.1.2.10 icmp_seq=5 timeout
R1#ping 10.1.2.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.10, timeout is 2 seconds:
!!!!!
523
Extended Ping
R1#ping
Protocol [ip]:
Target IP address: 10.1.2.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.10, timeout is 2 seconds:
Packet sent with a source address of 10.0.1.1
.....
Success rate is 0 percent (0/5)
524
Traceroute
525
Traceroute
526
Traceroute
527
Traceroute
528
Traceroute
529
Traceroute Responses
Successful Traceroute:
R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.2 20 msec 16 msec 16 msec
2 10.1.0.1 36 msec 40 msec 40 msec
3 10.1.1.1 60 msec 64 msec 60 msec
530
Traceroute Responses
The packet is getting as far as 10.1.0.1. Start troubleshooting there.
Press Ctrl-Shift-6 to abort
R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.10
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.2 28 msec 16 msec 16 msec
2 10.1.0.1 36 msec 36 msec 40 msec
3 * * *
4 * * *
531
Other Tools – Layer 1
Show ip interface brief
Show interface
532
Other Tools – Layer 2
Show arp
Show mac address-table
533
Other Tools – Layer 4
Telnet
534
Other Tools – DNS
nslookup
Ping by FQDN
535
RIP Characteristics
The Routing Information Protocol (RIP) is a Distance Vector
routing protocol
It uses hop count as its metric
The maximum hop count is 15
It will perform Equal Cost Multi Path, for up to 4 paths by default
536
RIPv2 vs RIPv1
RIPv1 is a legacy protocol which is not typically used anymore
(although it is still supported on Cisco routers)
RIPv1 does not send subnet mask information with routing
updates so Variable Length Subnet Masking (VLSM) is not
supported. RIPv2 does support VLSM.
RIPv1 updates are sent every 30 seconds as broadcast traffic.
RIPv2 uses multicast address 224.0.0.9
RIPv2 supports authentication, RIPv1 does not.
537
RIPng
RIPng (RIP next generation) supports IPv6 networks
It is not covered on the CCNA exam
538
RIPv2 Configuration
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#network 10.0.0.0
539
Auto-Summary
RIP will automatically summarise routes to the classful boundary by
default
For example, 192.168.10.1/30 will be advertised as 192.168.10.0/24
172.16.10.1/30 will be advertised as 172.16.0.0/16
This is almost never desirable
R1(config)#router rip
R1(config-router)#no auto-summary
540
Manual Summarization
Manual summarisation gives you control of exactly how you summarise
The individual summarised routes are not advertised - only their summary
route
R2(config-router)#interface f1/0
R2(config-if)#ip summary-address rip 10.0.0.0 255.255.0.0
541
RIPv2 Verification – show ip protocols
R1#show ip protocols
*** IP Routing is NSF aware ***
542
RIPv2 Verification – show run | section rip
R1#sh run | section rip
router rip
version 2
network 10.0.0.0
no auto-summary
543
RIPv2 Verification – show ip route
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
544
RIPv2 Verification – show ip rip database
R1#show ip rip database
10.0.0.0/8 auto-summary
10.0.0.0/24 directly connected, FastEthernet0/0
10.0.1.0/24 directly connected, FastEthernet1/0
10.0.2.0/24 directly connected, FastEthernet2/0
10.0.3.0/24 directly connected, FastEthernet3/0
10.1.0.0/24
[1] via 10.0.0.2, 00:00:12, FastEthernet0/0
10.1.1.0/24
[2] via 10.0.3.2, 00:00:00, FastEthernet3/0
[2] via 10.0.0.2, 00:00:12, FastEthernet0/0
10.1.2.0/24
[2] via 10.0.3.2, 00:00:00, FastEthernet3/0
10.1.3.0/24
[1] via 10.0.3.2, 00:00:00, FastEthernet3/0
545
Passive Interfaces
Passive interfaces work differently in RIP than other routing protocols
With other routing protocols, a passive interface will not send out or listen
for routing updates
The network configured on the interface will be advertised to other peer
routers running the routing protocol
In RIP, a passive interface does not send out updates but it does listen to
incoming updates from other RIP speaking neighbors
The router can receive updates on the passive interface and use them in
the routing table.
546
Passive Interface Configuration
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 Loopback0 192.168.1.1/32, FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24 with R6 at 10.0.2.2/24; R4 FE1/0 10.1.2.1/24]
R1(config)#router rip
R1(config-router)#passive-interface loopback 0
R1(config-router)#passive-interface f2/0
547
Passive Interface Configuration
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); R1 Loopback0 192.168.1.1/32, FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24 with R6 at 10.0.2.2/24; R4 FE1/0 10.1.2.1/24]
R1(config)#router rip
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface f0/0
R1(config-router)#no passive-interface f1/0
R1(config-router)#no passive-interface f3/0
548
Default Route Injection
[Diagram: R4–R3–R2–R1 chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R5 links R4 (10.1.3.0/24) and R1 (10.0.3.0/24); an FE3/0 interface at 203.0.113.1 connects to the Internet at 203.0.113.2; R1 FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24 and FE3/0 10.0.3.1/24]
549
Default Route Injection Verification
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
551
RIP Default Timers
The timers can be changed to achieve faster convergence times.
Be careful with this as it can introduce instability if the timers are
set too low.
All routers in the network should have the same timer settings.
The update timer must be lower than the other timers.
R2(config)#router rip
R2(config-router)#timers basic 10 90 90 120
552
Lab
553
Campus Design - Access, Distribution and Core Layers
554
Campus Design – Access Layer
[Diagram: Access Layer switches]
556
Campus Design - Distribution Layer
[Diagram: Distribution Layer above the Access Layer]
558
Campus Design - Core Layer
[Diagram: Core Layer connected to the Wide Area Network, above the Distribution and Access Layers]
560
Collapsed Distribution and Core
561
Collapsed Distribution and Core
[Diagram: Main Building with a collapsed Distribution/Core Layer above the Access Layer, connected to the Wide Area Network]
562
Router Operations
563
Switch Operations
564
LAN Networks
[Diagram: router to the Wide Area Network; ENG default gateway 10.10.10.1 and SALES default gateway 10.10.20.1; ENG PC3 10.10.10.12 on Ethernet switches]
569
Broadcast Traffic
571
VLAN Virtual Local Area Networks
[Diagram: router to the Wide Area Network with ENG and SALES default gateways; Ethernet switch ports F0/1–F0/7 split between the ENG VLAN and the SALES VLAN; ENG PC3 10.10.10.12; switches only allow traffic within the same VLAN]
VLAN access ports are configured on switch interfaces where end hosts
are plugged in
Access ports are configured with one specific VLAN
The configuration is all on the switch, the end host is not VLAN aware
Switches only allow traffic within the same VLAN
576
Unicast Traffic within same IP subnet
[Diagram: ENG VLAN and SALES VLAN on one Ethernet switch behind the router to the Wide Area Network; ENG PC3 10.10.10.12]
580
Access Port Configuration – Sales VLAN
SW1(config)#vlan 20
SW1(config-vlan)#name Sales
581
Verification – show vlan brief
SW1#show vlan brief
582
Verification – show interface switchport
SW1#show interface FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Eng)
Trunking Native Mode VLAN: 1 (default)
! truncated
583
VLAN Lab
584
VLAN Access Ports
[Diagram: ENG VLAN and SALES VLAN across several Ethernet switches behind the router to the Wide Area Network; ENG PC3 10.10.10.12; SALES default gateway 10.10.20.1]
589
Dot1Q Trunks
When the switch forwards traffic to another switch, it tags the layer 2
Dot1Q header with the correct VLAN
The receiving switch will only forward the traffic out ports that are in
that VLAN
The switch removes the Dot1Q tag from the Ethernet frame when it
sends it to the end host
590
Dot1Q Format
A receiving switch will remove the Dot1Q tag when forwarding the frame out an access port
591
Dot1Q Trunks
[Diagram: SALES PC2 (10.10.20.10) and ENG PC2 (10.10.10.11) on two Ethernet switches; steps 1–5 follow a Sales VLAN frame across the inter-switch link, where it carries a Dot1q tag for the Sales VLAN, towards the router with the ENG and SALES default gateways and the Wide Area Network]
592
Hypervisors - VLAN Aware Hosts
End hosts are typically members of only one VLAN and are not VLAN
aware
A special case is virtualized hosts, where there are virtual machines in
different IP subnets on the host
In this case we need to trunk the VLANs down to the host
593
Hypervisors - VLAN Aware Hosts
[Diagram: physical Ethernet switch with trunk F0/1 to a virtual switch on the hypervisor, which hosts ENG VM 10.10.10.10 and SALES VM 10.10.20.11; router with ENG and SALES default gateways to the Wide Area Network]
595
The Native VLAN
The switch needs to know which VLAN to assign to any traffic which
comes in untagged on a trunk port
This used to be required for when a switch was connected to a hub.
Hubs are Layer 1 devices so are not VLAN aware
The Native VLAN is used for this
The default Native VLAN is VLAN 1
There are some security issues with using VLAN 1 as the Native VLAN so
best practice is to change it to an unused VLAN
The Native VLAN must match on both sides of a trunk for it to come up
596
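An added example, not from the deck, that shows the Dot1Q tagging and native VLAN behaviour of the last few slides at the byte level in Python: the 4-byte tag (TPID 0x8100 plus the TCI carrying priority, DEI and VLAN ID) is inserted between the source MAC and the EtherType on the way out of a trunk and stripped on the way out of an access port, and a trunk assigns any untagged frame it receives to its native VLAN. The MAC addresses and payload are constructed sample values; VLAN 20 (Sales) and native VLAN 199 come from the slides; the functions are my own illustration, not switch firmware.

```python
"""802.1Q tagging and the native VLAN, as a switch sees a frame.

Added example, not code from the Flackbox deck. Frames are built without
the FCS; MACs and payload are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100        # EtherType value announcing that a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged frame: dst(6) src(6) EtherType(2) payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vlan_id, pcp, dei) if the frame carries a Dot1Q tag, else None."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1
    return None


def tag_frame(frame, vlan_id, pcp=0, dei=0):
    """Insert the tag after the source MAC: what a switch does before
    forwarding a frame out a trunk."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if parse_tag(frame):
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Remove the tag: what a switch does before sending out an access port,
    so the end host never sees the VLAN."""
    return frame[:12] + frame[16:] if parse_tag(frame) else frame


def ingress_vlan(frame, port):
    """VLAN the switch assigns to an arriving frame. `port` is a dict with
    'mode' ('access' or 'trunk'), 'vlan' (access VLAN) and 'native'.
    Access ports expect untagged frames only (None = not accepted)."""
    tag = parse_tag(frame)
    if port["mode"] == "access":
        return None if tag else port["vlan"]
    return tag[0] if tag else port["native"]   # untagged on a trunk -> native VLAN


def egress_frame(frame, vlan_id, port):
    """Frame as it leaves a port: tagged on a trunk (except for the native
    VLAN, which goes out untagged), always untagged on an access port."""
    plain = untag_frame(frame)
    if port["mode"] == "trunk" and vlan_id != port["native"]:
        return tag_frame(plain, vlan_id)
    return plain


if __name__ == "__main__":
    pc = bytes.fromhex("020000000101")      # constructed sample MACs
    gateway = bytes.fromhex("020000000202")
    frame = build_frame(gateway, pc, ETHERTYPE_IPV4, b"sample payload")
    trunk = {"mode": "trunk", "native": 199}
    print("tag bytes:", egress_frame(frame, 20, trunk)[12:16].hex())
    print("untagged frame on trunk lands in VLAN", ingress_vlan(frame, trunk))
```

The two ingress cases are the point of the Native VLAN slide: a tagged frame is placed in the VLAN its tag names, while an untagged frame arriving on a trunk is placed in the native VLAN, which is why the deck recommends moving the native VLAN to an unused ID and keeping it identical on both ends of the trunk.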
Native VLAN Configuration
SW1(config)#vlan 199
SW1(config-vlan)#name Native
597
Verification – show interface switchport
SW1#show interface gig0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 199 (Inactive)
Voice VLAN: none
truncated
598
Limiting Allowed VLANs
600
VLAN Lab
601
VLANs and IP subnets in the LAN
602
Option 1: Router with separate interfaces
[Diagram: router with F0/1 in the ENG VLAN, F0/2 in the SALES VLAN and F0/3 203.0.113.1/24 towards the Wide Area Network]
604
Router with separate interfaces - Disadvantages
You need a separate physical interface for every VLAN – you are liable
to run out of interfaces
Traffic being routed within the campus has to go up and down physical
Ethernet cables to the router
605
Inter-VLAN Routing Lab
606
Option 2: Router on a Stick
[Diagram: router on a stick; F0/2 203.0.113.1/24 towards the Wide Area Network; subinterfaces F0/1.10 (ENG default gateway 10.10.10.1) and F0/1.20 (SALES default gateway 10.10.20.1) over the trunk to the switch; ENG PC3 10.10.10.12 on switch ports F0/3–F0/7]
608
Router on a Stick Considerations
You do not need a separate physical interface for every VLAN – you are
less likely to run out of interfaces
Traffic being routed within the campus has to go up and down the
same physical Ethernet cable to the router – there is more contention
for bandwidth than when using separate interfaces
609
Inter-VLAN Routing Lab
610
Option 3: Layer 3 Switch
[Diagram: Layer 3 switch with Switched Virtual Interfaces: Interface VLAN 10 (ENG default gateway 10.10.10.1) and Interface VLAN 20 (SALES default gateway 10.10.20.1); routed port F0/1 10.10.100.1/24 to the router's 10.10.100.2/24; router F0/2 203.0.113.1/24 towards the Wide Area Network; ENG PC3 10.10.10.12 on ports F0/3–F0/7]
612
Option 3 WAN Routing Configuration
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.10.100.1 255.255.255.0
SW1(config)#ip route 0.0.0.0 0.0.0.0 10.10.100.2
613
Layer 3 Switch Considerations
Traffic being routed within the campus is routed across the switch
backplane, it does not need to travel over physical cables to an
external router
You may still need an external router for WAN connectivity and
services
614
Layer 3 Switch Lab
615
DHCP – Dynamic Host Configuration Protocol
616
DHCP – Dynamic Host Configuration Protocol
617
DHCP Benefits – Reduced Network Admin
618
DHCP Benefits - Reliable IP address configuration
619
DHCP Clients
Desktop PCs are good candidates to be DHCP clients because there will
typically be many of them in an office. Using DHCP saves a lot of admin
work that would be necessary if manually configuring IP addresses.
They do not accept incoming connections so it does not matter if their
IP address changes.
620
DHCP Clients
621
Option 1: Cisco DHCP Server Configuration
628
Option 1: Cisco DHCP Server Configuration
R1(config)#ip dhcp excluded-address 10.10.10.1 10.10.10.10
R1(config)#ip dhcp pool 10.10.10.0_Clients
R1(dhcp-config)#network 10.10.10.0 255.255.255.0
R1(dhcp-config)#default-router 10.10.10.1
R1(dhcp-config)#dns-server 10.10.20.10
629
Verification – show ip dhcp pool
R1#show ip dhcp pool
Pool 10.10.10.0_Clients :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 2
Excluded addresses : 1
Pending event : none
630
Verification – show ip dhcp binding
631
Lab
632
Option 2: External DHCP Server Configuration
633
Option 2: External DHCP Server Configuration
R1(config)#interface f0/1
R1(config-if)#ip helper-address 10.10.20.10
634
Configuring a Cisco Router as a DHCP Client
635
Configuring a Cisco Router as a DHCP Client
R1(config)#interface f0/0
R1(config-if)#ip address dhcp
R1(config-if)#no shutdown
636
Verification – show dhcp lease
R1#show dhcp lease
Temp IP addr: 203.0.113.2 for peer on Interface: FastEthernet0/0
Temp sub net mask: 255.255.255.0
DHCP Lease server: 203.0.113.1 , state: Bound
DHCP Transaction id: 64B8EE07
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 203.0.113.1
Next timer fires after: 11:53:13
Retry count: 0 Client-ID:cisco-0001.63C2.9701-Fa0/0
Client-ID hex dump: 636973636F2D303030312E363343322E
93730312D4661302F30
Hostname: R1
637
Access Layer Switch Security Mechanisms
DHCP Snooping
DAI Dynamic ARP Inspection
802.1X Identity Based Networking
Port Security
638
Rogue DHCP Server
640
DHCP Snooping
641
ARP Address Resolution Protocol
Diagram: PC1 (10.10.10.10/24, MAC 1.1.1, default gateway 10.10.10.1) and R1
(10.10.10.1/24, MAC 2.2.2) are on the same LAN
ARP Request from PC1 (broadcast): I’m looking for 10.10.10.1, what’s your
MAC address?
ARP Reply from R1: I’m 10.10.10.1, my MAC address is 2.2.2
Both sides populate their ARP cache: R1 records 10.10.10.10 = 1.1.1 and
PC1 records 10.10.10.1 = 2.2.2
Traffic then flows PC1 > R1 as 10.10.10.10 > 10.10.10.1 in a frame from
1.1.1 to 2.2.2, and R1 > PC1 as 10.10.10.1 > 10.10.10.10 in a frame from
2.2.2 to 1.1.1
642-645
Man in the Middle ARP Spoofing
Diagram: same LAN as above, plus an attacker at 10.10.10.100/24 with MAC
3.3.3
The attacker sends a Gratuitous ARP: ‘I am 10.10.10.1, my MAC address is
3.3.3’. PC1 overwrites its cache entry: 10.10.10.1 = 3.3.3
The attacker sends a Gratuitous ARP: ‘I am 10.10.10.10, my MAC address is
3.3.3’. R1 overwrites its cache entry: 10.10.10.10 = 3.3.3
PC1 sends 10.10.10.10 > 10.10.10.1 in a frame from 1.1.1 to 3.3.3, so it is
delivered to the attacker, who forwards it on to R1 in a frame from 3.3.3
to 2.2.2
R1 replies 10.10.10.1 > 10.10.10.10 in a frame from 2.2.2 to 3.3.3, and the
attacker forwards it to PC1 in a frame from 3.3.3 to 1.1.1
The IP addresses in the packets never change, so neither PC1 nor R1 notices
that the attacker is relaying (and can read or modify) the traffic in both
directions
646-653
Dynamic ARP Inspection DAI
When you enable DHCP snooping, the switch inspects the DHCP traffic
and keeps track of which IP addresses were assigned to which MAC
addresses (the DHCP snooping binding table)
For example, PC1 with MAC address 1.1.1 was assigned IP address
10.10.10.10
DAI checks ARP packets arriving on untrusted ports against that table. If
invalid ARP traffic tries to pass through the switch, for example 3.3.3
saying it is 10.10.10.10, the switch drops the traffic
Ports facing the router or the DHCP server are configured as trusted and
are not inspected. Hosts with static IP addresses on untrusted ports have
no DHCP binding, so they need a static binding or an ARP ACL or their ARP
traffic will also be dropped
654
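The following is an added example, not part of the course material and not IOS code: a small model of how a switch with DHCP snooping and DAI treats the rogue DHCP server and the two gratuitous ARPs from the man-in-the-middle slides. The port names (f0/1 trusted towards R1 and the DHCP server, f0/2 for PC1, f0/3 for the attacker), the message layouts and the MAC/IP values are constructed for the example.

```python
"""Added example: DHCP snooping builds a binding table from DHCP ACKs seen on
trusted ports and drops server messages from untrusted ports; DAI then drops
ARP on untrusted ports whose sender IP/MAC pair is not in that table.
All ports, addresses and messages here are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Dhcp:
    kind: str          # DISCOVER, OFFER, REQUEST or ACK
    client_mac: str
    ip: str = ""       # address offered/assigned (OFFER and ACK only)


@dataclass
class Arp:
    sender_mac: str
    sender_ip: str


@dataclass
class HostArpCache:
    """A host with no protection: it believes any ARP it receives, gratuitous or not."""
    table: dict = field(default_factory=dict)

    def learn(self, arp):
        self.table[arp.sender_ip] = arp.sender_mac


@dataclass
class Switch:
    """Access switch with DHCP snooping and DAI enabled on the VLAN."""
    trusted: set                                   # ports facing R1 / the DHCP server
    bindings: dict = field(default_factory=dict)   # snooping table: ip -> mac
    dropped: list = field(default_factory=list)

    def dhcp(self, port, msg):
        """Server messages (OFFER/ACK) are only accepted from trusted ports;
        an ACK that gets through populates the snooping binding table."""
        if msg.kind in ("OFFER", "ACK") and port not in self.trusted:
            self.dropped.append(f"snooping {port}: rogue {msg.kind}")
            return False
        if msg.kind == "ACK":
            self.bindings[msg.ip] = msg.client_mac
        return True

    def arp(self, port, msg):
        """DAI: on untrusted ports the sender IP/MAC pair must match a binding."""
        if port not in self.trusted and self.bindings.get(msg.sender_ip) != msg.sender_mac:
            self.dropped.append(f"DAI {port}: {msg.sender_ip} is not {msg.sender_mac}")
            return False
        return True


def deliver(sw, port, arp, host):
    """Forward an ARP through the switch; the host only learns it if DAI lets it pass."""
    if sw.arp(port, arp):
        host.learn(arp)
        return True
    return False


def run_snooping_dai():
    sw = Switch(trusted={"f0/1"})      # f0/1 leads to R1 and the real DHCP server
    pc1 = HostArpCache()
    # PC1 (MAC 1.1.1 on f0/2) obtains 10.10.10.10 from the legitimate server.
    sw.dhcp("f0/2", Dhcp("DISCOVER", "1.1.1"))
    sw.dhcp("f0/1", Dhcp("OFFER", "1.1.1", "10.10.10.10"))
    sw.dhcp("f0/2", Dhcp("REQUEST", "1.1.1", "10.10.10.10"))
    sw.dhcp("f0/1", Dhcp("ACK", "1.1.1", "10.10.10.10"))
    # A rogue DHCP server on f0/3 answers the same DISCOVER: dropped by snooping.
    rogue_offer = sw.dhcp("f0/3", Dhcp("OFFER", "1.1.1", "10.10.10.50"))
    # Legitimate ARP: R1 (static 10.10.10.1, MAC 2.2.2) speaks from the trusted
    # port; PC1 announces its DHCP-assigned address from f0/2.
    r1_ok = deliver(sw, "f0/1", Arp("2.2.2", "10.10.10.1"), pc1)
    pc1_ok = sw.arp("f0/2", Arp("1.1.1", "10.10.10.10"))
    # The attacker on f0/3 (MAC 3.3.3) sends the two gratuitous ARPs from the
    # man-in-the-middle slides; neither matches a binding, so DAI drops both.
    spoof_gw = deliver(sw, "f0/3", Arp("3.3.3", "10.10.10.1"), pc1)
    spoof_pc = sw.arp("f0/3", Arp("3.3.3", "10.10.10.10"))
    # Without DAI, the same gratuitous ARP would poison PC1's cache directly.
    unprotected = HostArpCache()
    unprotected.learn(Arp("2.2.2", "10.10.10.1"))
    unprotected.learn(Arp("3.3.3", "10.10.10.1"))
    return {
        "bindings": dict(sw.bindings),
        "rogue_offer_forwarded": rogue_offer,
        "r1_arp_forwarded": r1_ok,
        "pc1_arp_forwarded": pc1_ok,
        "spoof_gateway_forwarded": spoof_gw,
        "spoof_pc1_forwarded": spoof_pc,
        "pc1_gateway_mac": pc1.table["10.10.10.1"],
        "unprotected_gateway_mac": unprotected.table["10.10.10.1"],
        "drops": list(sw.dropped),
    }


if __name__ == "__main__":
    for name, value in run_snooping_dai().items():
        print(f"{name}: {value}")
```

Note the dependency order the model makes visible: DAI has nothing to check against until DHCP snooping has seen a completed lease, and R1's ARP is only accepted because its port is trusted, not because 10.10.10.1 is in the binding table. The same applies to any statically addressed host on an untrusted port, which is why IOS provides static bindings and ARP ACLs alongside DAI.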
DAI Configuration
SW1(config)#int f0/1
SW1(config-if)#ip arp inspection trust
!
SW1(config)#ip arp inspection vlan 10
655
Dynamic ARP Inspection DAI
SBH-SW2(config)#int g1/0/23
SBH-SW2(config-if)#ip arp inspection trust
!
SBH-SW2(config)#ip arp inspection vlan 12
656
802.1X Identity Based Networking
657
802.1X Identity Based Networking
658
Shut Down Unused Interfaces
SW1(config)#int f0/2
SW1(config-if)#shutdown
659
Port Security
Diagram: interface f0/2 is locked down to allowed MAC address 1.1.1. When
PC1 (MAC 1.1.1) connects, its traffic is forwarded. When PC2 (MAC 2.2.2)
connects to the same port instead, its traffic is not allowed
660-662
Port Security
It is easy to spoof a MAC address, so locking ports down to a specific
host is not usually Port Security’s main role in production networks
Port Security can also configure individual switch ports to allow only a
specified number of source MAC addresses to send traffic in to the
port
It can learn connected MAC addresses
Diagram: f0/2 allows 1 MAC address; PC1 (MAC 1.1.1) connects and 1.1.1 is
learned as the secure address
663
Port Security
This is useful to prevent users from adding Wireless Access Points or
other shared devices
Diagram: f0/2 allows 1 MAC address and has learned PC1 (MAC 1.1.1); a
second device PC2 (MAC 2.2.2) connected through the same port exceeds
the limit and triggers a violation
664
Port Security Configuration
SW1(config)#int f0/2
SW1(config-if)#switchport port-security
665
Port Security Default Behaviour
666
Port Security Verification - Defaults
SW1#show port-security interface f0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0CA0.A359:1
Security Violation Count : 0
667
Security Violation Actions
You have three options when an unauthorised MAC address sends traffic
in to the port:
Shutdown (Default): The interface is placed into the error-disabled
state, blocking all traffic
Protect: Traffic from unauthorised addresses is dropped. Traffic from
allowed addresses is forwarded
Restrict: Traffic from unauthorised addresses is dropped, logged and the
violation counter incremented. Traffic from allowed addresses is
forwarded
668
Violation Action Configuration
SW1(config)#int f0/2
SW1(config-if)# switchport port-security violation protect
669
Error-Disabled Interfaces
670
Auto-Recovery
You can bring error disabled ports back into service automatically after
they have been disabled for a configurable period of time (in seconds),
using errdisable recovery cause psecure-violation together with
errdisable recovery interval. Without this an administrator must clear the
port manually with shutdown followed by no shutdown
671
Maximum MAC Addresses
When Port Security is enabled the maximum number of MAC addresses
allowed to send traffic into the interface is one by default
This can be increased if multiple hosts share the port, for example an IP
phone with a PC plugged into the back of it
672
Maximum MAC Addresses
SW1#show port-security int f0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0CA0.A359:1
Security Violation Count : 0
673
Manually Adding MAC Addresses
You can statically configure allowed MAC addresses if you want to lock
the port down to a particular host:
674
MAC Address Learning
Scenario: You have 1000 authorised hosts connected to the network. You
want to lock the ports down to these particular hosts
Manually adding the MAC addresses is not a scalable solution
Sticky MAC addresses add the learned MAC address to the running
configuration. Save to the startup config to make them permanent
SW1(config)# interface f0/2
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address sticky
675
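The block below is an added example, not from the course and not IOS code: a model of the port-security behaviour described on the preceding slides (the default maximum of one MAC address, the three violation modes, raising the maximum for a phone-plus-PC port, sticky learning and err-disable recovery). The port name, MAC addresses and the illustrative syslog strings are constructed.

```python
"""Added example: a model of IOS port-security decisions on one access port.
MAC addresses, the port name and the log strings are constructed for
illustration; the behaviour follows the violation modes described on the slides."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # IOS default: one secure MAC address
    violation: str = "shutdown"      # shutdown (default), protect or restrict
    sticky: bool = False
    secure_macs: list = field(default_factory=list)    # static + learned addresses
    running_config: list = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure_macs.append(mac)
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def ingress(self, mac):
        """Return what the switch does with a frame whose source MAC is `mac`."""
        if self.err_disabled:
            return "err-disabled"
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Dynamically learned; with sticky it also lands in the running config.
            self.secure_macs.append(mac)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # Over the limit: apply the configured violation mode.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violations += 1
            self.syslog.append(f"psecure-violation: {self.name} err-disabled")
            return "err-disabled"
        if self.violation == "restrict":
            self.violations += 1
            self.syslog.append(f"psecure-violation: {mac} on {self.name}")
        return "drop"        # protect drops silently; restrict drops, counts and logs

    def errdisable_recover(self):
        """What errdisable recovery does once the interval expires."""
        self.err_disabled = False


def run_port_security():
    out = {}
    # Defaults: max 1, shutdown. PC1 is learned; a second MAC err-disables the port,
    # which then blocks PC1 as well until the port is recovered.
    p = SecurePort("f0/2")
    out["default"] = [p.ingress("1.1.1"), p.ingress("2.2.2"), p.ingress("1.1.1")]
    p.errdisable_recover()
    out["after_recovery"] = p.ingress("1.1.1")
    # Protect: the intruder is dropped, the allowed host keeps working, no counter.
    p = SecurePort("f0/2", violation="protect")
    out["protect"] = [p.ingress("1.1.1"), p.ingress("2.2.2"), p.ingress("1.1.1"), p.violations]
    # Restrict: same forwarding as protect, but each violation is counted and logged.
    p = SecurePort("f0/2", violation="restrict")
    for mac in ("1.1.1", "2.2.2", "2.2.2"):
        p.ingress(mac)
    out["restrict"] = (p.violations, len(p.syslog))
    # IP phone with a PC behind it: raise the maximum to 2; a third MAC still violates.
    p = SecurePort("f0/2", maximum=2)
    out["phone_and_pc"] = [p.ingress("aaaa.aaaa.aaaa"), p.ingress("1.1.1"), p.ingress("2.2.2")]
    # Sticky: the learned address is written into the running configuration.
    p = SecurePort("f0/2", sticky=True)
    p.ingress("1.1.1")
    out["sticky_config"] = list(p.running_config)
    return out


if __name__ == "__main__":
    for name, value in run_port_security().items():
        print(name, value)
```

The "default" case is the one that surprises people in production: the legitimate host loses connectivity too, because the whole port goes err-disabled. Protect and restrict keep the allowed host working, and restrict is usually preferred over protect because it leaves a log trail.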
Verify Port Security Addresses
676
View Summary Information
677
Access Control Lists
678
Access Control Lists for Security
679
Access Control Lists
ACLs are also used in other software policies when traffic has to be
identified, for example:
Identify traffic to give better service to in a QoS Quality of Service
policy
Identify traffic to translate to a different IP address in a NAT
Network Address Translation policy
680
ACE Access Control Entries
Access Control Lists are made up of Access Control Entries which are a
series of permit or deny rules
Each ACE is written in a separate line
681
ACE Access Control Entry Example
682
Access Control List Example
R1(config)# access-list 100 deny tcp 10.10.10.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.10.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 deny tcp 10.10.20.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.20.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq 23
683
ACE Access Control Entry Example
684
Standard vs Extended ACLs
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
! truncated
685
Original Implementation: Standard vs Extended ACLs
686
ACL Improvement: Expanded Ranges
687
Standard Access List Example
R1(config)# access-list 1 deny 10.10.10.10 0.0.0.0
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
688
Standard Access List Example
The default wildcard mask for a Standard ACL is 0.0.0.0, meaning an individual host
address.
R1(config)# access-list 1 deny 10.10.10.10
689
Extended Access List Example
R1(config)# access-list 100 deny tcp 10.10.10.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.10.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
690
Extended Access List Example
There is no default wildcard mask for Extended ACLs
691
ACL Improvement: Named ACLs
You can now reference ACLs by number or by a name
Named ACLs begin with the command ‘ip access-list’ instead of
‘access-list’
R1(config)#ip access-list ?
extended Extended Access List
standard Standard Access List
! truncated
692
Named ACL Syntax
R1(config)#ip access-list standard Flackbox-Demo
R1(config-std-nacl)#deny 10.10.10.10 0.0.0.0
R1(config-std-nacl)#permit 10.10.10.0 0.0.0.255
693
ACL Action
R1(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
! Truncated
695
ACL Protocol
R1(config)#access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
! truncated
696
ACL Protocol
Use TCP or UDP if you want the ACE to apply to traffic for a particular
application between a source and destination address
697
ACL Protocol
Use IP if you want the ACE to apply to all traffic between a source and
destination address
698
ACL Source
R1(config)#access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
699
Wildcards
Wildcards save you typing out the wildcard mask
These examples mean the same thing:
700
Source Port Number
Specifying the source port number is optional, it defaults to any port
701
Destination Address
The destination address uses the same format as the source address
702
Final Options
Additional options are available after entering the destination address such as destination port,
TCP flags and logging.
703
Complete ACE Example
R1(config)#access-list 100 deny tcp host 10.10.10.10 10.10.20.0
0.0.0.255 eq www log
704
Verification – show access-lists
R2#sh access-lists 100
Extended IP access list 100
permit tcp host 10.10.30.10 host 10.10.20.1 eq telnet (13 match(es))
deny tcp 10.10.30.0 0.0.0.255 host 10.10.20.1 eq telnet (4 match(es))
The ‘log’ keyword is not required to count hits. It generates a syslog
message for matching packets, sent to the console or an external syslog
server
705
Access Groups
ACLs are applied at the interface level with the Access-Group command
ACLs can be applied in the inbound or outbound direction
You can have a maximum of one ACL per interface per direction
You can have both an inbound and an outbound ACL on the same
interface, but not 2 inbound or outbound ACLs
An interface can have no ACL applied, an inbound ACL only, an
outbound ACL only, or ACLs in both directions
706
Access-Group Configuration
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group 100 out
R1(config-if)# ip access-group 101 in
707
Access-Group Configuration – show ip interface
R3#show ip interface f1/0 | include access list
Outgoing access list is 100
Inbound access list is 101
708
Access Control Entry Order
709
Access Control Entry Order
This will deny 10.10.10.10 but permit the rest of the 10.10.10.0/24 subnet
R1(config)# access-list 1 deny host 10.10.10.10
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
710
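As an added worked example (not IOS code and not from the course), here is an evaluator for the numbered ACL syntax used on these slides. It implements wildcard-mask matching, first-match ordering and the implicit deny, and runs the ordering example above both ways round plus an extended ACL. The port-name table covers only the names used on this page; the ACLs and packets are constructed.

```python
"""Added example: evaluate Cisco-style numbered ACLs (standard and extended)
against packets. Not IOS code; the ACLs, packets and port-name table are
constructed for illustration."""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22, "domain": 53}
ANY = (0, 0xFFFFFFFF)


def _is_ip(tok):
    return tok.count(".") == 3 and tok.replace(".", "").isdigit()


def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [wildcard]'; return (address, wildcard)
    as ints. A missing wildcard means 0.0.0.0, a single host (the standard-ACL default)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0))) if tokens and _is_ip(tokens[0]) else 0
    return addr, wild


def _port(tokens):
    """Consume an optional 'eq|neq|gt|lt N' or 'range A B'; return a predicate on a port."""
    if not tokens or tokens[0] not in ("eq", "neq", "gt", "lt", "range"):
        return lambda p: True
    op = tokens.pop(0)
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return lambda p: lo <= p <= hi
    raw = tokens.pop(0)
    n = int(raw) if raw.isdigit() else PORT_NAMES[raw]
    return {"eq": lambda p: p == n, "neq": lambda p: p != n,
            "gt": lambda p: p > n, "lt": lambda p: p < n}[op]


def wildcard_match(ip, addr, wild):
    """Bits set to 1 in the wildcard are 'don't care'; every other bit must match."""
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & 0xFFFFFFFF) == 0


def parse_ace(line):
    t = line.split()
    assert t[0] == "access-list", line
    number, action = int(t[1]), t[2]
    standard = 1 <= number <= 99 or 1300 <= number <= 1999
    ace = {"action": action, "log": t[-1] == "log"}
    t = t[3:]
    if standard:   # source address only; protocol and destination are not checked
        ace.update(proto="ip", src=_addr(t), sport=lambda p: True, dst=ANY, dport=lambda p: True)
    else:
        ace["proto"] = t.pop(0)
        ace["src"], ace["sport"] = _addr(t), _port(t)
        ace["dst"], ace["dport"] = _addr(t), _port(t)
    return ace


def matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *ace["src"]) and ace["sport"](pkt["sport"])
            and wildcard_match(pkt["dst"], *ace["dst"]) and ace["dport"](pkt["dport"]))


def evaluate(acl_lines, pkt):
    """Top-down, first matching ACE wins; anything unmatched hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if matches(ace, pkt):
            return ace["action"]
    return "deny (implicit)"


def pkt(src, dst, proto="tcp", sport=50000, dport=80):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def run_acl_examples():
    deny_first = ["access-list 1 deny host 10.10.10.10",
                  "access-list 1 permit 10.10.10.0 0.0.0.255"]
    permit_first = list(reversed(deny_first))        # the common ordering mistake
    ext = ["access-list 100 deny tcp host 10.10.10.10 10.10.20.0 0.0.0.255 eq www log",
           "access-list 100 permit ip any any"]
    return {
        "deny_first_host": evaluate(deny_first, pkt("10.10.10.10", "10.10.20.1")),
        "deny_first_other": evaluate(deny_first, pkt("10.10.10.20", "10.10.20.1")),
        "permit_first_host": evaluate(permit_first, pkt("10.10.10.10", "10.10.20.1")),
        "outside_subnet": evaluate(deny_first, pkt("10.10.20.5", "10.10.10.1")),
        "ext_web": evaluate(ext, pkt("10.10.10.10", "10.10.20.5", dport=80)),
        "ext_https": evaluate(ext, pkt("10.10.10.10", "10.10.20.5", dport=443)),
        "ext_udp": evaluate(ext, pkt("10.10.10.10", "10.10.20.5", proto="udp", dport=80)),
    }


if __name__ == "__main__":
    for name, verdict in run_acl_examples().items():
        print(f"{name}: {verdict}")
```

With the permit for 10.10.10.0/24 placed first, the host-specific deny is never reached, which is exactly the ordering problem the slide warns about; the "outside_subnet" case shows that a standard ACL with only permits still blocks everything it does not name.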
Injecting ACEs in an Existing ACL
711
Injecting ACEs in an Existing ACL
Support for injecting ACEs in an existing ACL started in Named ACLs but is
also supported in Numbered ACLs now
712
Implicit Deny All
713
Explicit Deny All
714
Explicit Permit All
715
Traffic Sourced from Router
ACLs applied to an interface do not apply to traffic which originates from
the router itself
The hosts in the 10.1.1.0/24 subnet cannot Telnet to R2
An administrator can Telnet to R2 from the CLI on R1
R1(config)# access-list 100 deny tcp any any eq 23
R1(config)# interface f1/0
R1(config-if)# ip access-group 100 out
Diagram: hosts 10.1.1.10 and 10.1.1.11 in 10.1.1.0/24 sit behind R1 F0/0
(10.1.1.1/24); R1 F1/0 (10.1.0.1) connects to R2 F1/0 (10.1.0.2) over
10.1.0.0/24
716
How Stateful Firewalls Work
Stateful firewalls maintain a connection table which tracks the two-way
‘state’ of traffic passing through the firewall
Return traffic is permitted by default
Firewall rules example:
Deny all traffic from outside to inside
Permit outbound web traffic from 10.10.10.0/24
Diagram: inside host 10.10.10.10 and outside host 203.0.113.10
717
How Stateful Firewalls Work
Diagram: 10.10.10.10 opens a web connection to 203.0.113.10; the firewall
records it in the connection table, so the return traffic from
203.0.113.10:80 is permitted as part of that connection
718-719
How Stateful Firewalls Work
In this example the connection has not been initiated from the host on the
inside
Traffic from 203.0.113.10:80 > 10.10.10.10:49160 is dropped according to
the ‘deny all traffic from outside to inside’ rule
720
How Packet Filters Work
721
How Packet Filters Work
If you have an ACL applied on the way out only, the return traffic will
be allowed because all traffic is allowed when an ACL is not applied
If you have ACLs applied in both directions, you will need explicit
entries to allow both the outbound and the return traffic
722
How Packet Filters Work
Access Control List example:
Inbound ACL on outside interface: Deny all traffic
Inbound ACL on inside interface: Permit web traffic from 10.10.10.0/24
Diagram: inside host 10.10.10.10 and outside host 203.0.113.10
723
How Packet Filters Work
Diagram: 10.10.10.10 sends web traffic to 203.0.113.10; the outbound packet
is permitted by the ACL on the inside interface, but the return packet from
203.0.113.10:80 is dropped by the ‘deny all traffic’ ACL inbound on the
outside interface
724-725
How Packet Filters Work
To allow the return traffic you need to remove the ‘deny all traffic from
outside to inside’ ACL on the outside interface
Or add ‘permit tcp any eq 80 10.10.10.0 0.0.0.255 range 49152 65535’
Neither is a secure option for a router connected to the Internet
726
Stateful Firewalls and Packet Filters
ACL packet filters on routers can add to an overall defence in depth
strategy
Standard practice is to use firewalls on major security boundaries, and
augment this with internal ACLs
727
The ‘Established’ Keyword
The Established keyword in an ACL only checks that the ACK (or RST) bit is set
in the TCP header of return traffic. Anyone can craft a packet with that bit set,
so this does not make the router a stateful firewall and it still does not keep a
connection table!
728
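The block below is an added example (not from the course, not IOS code) that models the three behaviours just described side by side: a stateful firewall with a connection table, a router with a ‘deny all’ inbound ACL on the outside interface, and the same router with an ‘established’ entry instead. It follows the slides’ addresses (10.10.10.10 inside, 203.0.113.10 outside); the packets, including the crafted one, are constructed.

```python
"""Added example: stateful firewall vs router packet filter vs the 'established'
keyword, on the same four packets. Addresses follow the slides; the packets and
the simplified rule sets are constructed for illustration."""
from dataclasses import dataclass, field
import ipaddress

INSIDE = ipaddress.ip_network("10.10.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset({"SYN"})

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


def from_inside(pkt):
    return ipaddress.ip_address(pkt.src) in INSIDE


@dataclass
class StatefulFirewall:
    """Rules: deny outside->inside; permit outbound web from 10.10.10.0/24.
    Inbound packets are permitted only as the reverse of a tracked connection."""
    conns: set = field(default_factory=set)

    def handle(self, pkt):
        if from_inside(pkt):
            if pkt.dport == 80:
                self.conns.add(pkt.key())     # remember the outbound connection
                return "permit"
            return "deny"
        return "permit" if pkt.reverse_key() in self.conns else "deny"


@dataclass
class PacketFilter:
    """Router ACLs: inside interface permits outbound web; outside interface is
    either 'deny all' inbound or 'permit tcp any eq 80 10.10.10.0 0.0.0.255 established'."""
    use_established: bool = False

    def handle(self, pkt):
        if from_inside(pkt):
            return "permit" if pkt.dport == 80 else "deny"
        if self.use_established and pkt.sport == 80 and pkt.flags & {"ACK", "RST"}:
            return "permit"        # flag check only; no memory of any connection
        return "deny"


def run_firewall_comparison():
    syn = Packet("10.10.10.10", 49160, "203.0.113.10", 80)
    syn_ack = Packet("203.0.113.10", 80, "10.10.10.10", 49160, frozenset({"SYN", "ACK"}))
    # An outside packet with ACK set, aimed at a port the inside host never opened.
    crafted = Packet("203.0.113.10", 80, "10.10.10.10", 49170, frozenset({"ACK"}))
    # Order: the reply arrives before any request (unsolicited), then the real
    # handshake, then the crafted packet.
    sequence = [syn_ack, syn, syn_ack, crafted]

    def run(fw):
        return [fw.handle(p) for p in sequence]

    return {
        "stateful": run(StatefulFirewall()),
        "acl_deny_all": run(PacketFilter()),
        "acl_established": run(PacketFilter(use_established=True)),
    }


if __name__ == "__main__":
    for name, verdicts in run_firewall_comparison().items():
        print(f"{name}: {verdicts}")
```

Only the stateful firewall gets all four right: it drops the unsolicited reply, admits the genuine return traffic, and drops the crafted ACK packet. The ‘deny all’ ACL breaks the legitimate session, and the ‘established’ ACL lets every ACK-flagged packet from port 80 through, unsolicited or not.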
IOS Firewall
You can configure a router as a stateful firewall with the IOS Firewall
feature set
This uses different commands than ACLs
729
RFC 1918 Private Addresses
The Internet Engineering Task Force (IETF) documents standards with
RFC’s (Requests For Comments)
RFC 1918 specifies private IP address ranges which are not routable on
the public internet
730
RFC 1918 Private Addresses
Private addresses were originally designed for hosts which should have
no internet connectivity
Public IP addresses cost money
If an organisation has a part of their network where the hosts need to
communicate with each other over IP, but do not require connectivity
to the Internet, they can assign private IP addresses
731
RFC 1918 Private Addresses
There is a range of private addresses in each address class.
10.0.0.0 – 10.255.255.255
‒ 10.0.0.0/8
‒ 10.0.0.0 255.0.0.0
172.16.0.0 – 172.31.255.255
‒ 172.16.0.0/12
‒ 172.16.0.0 255.240.0.0
192.168.0.0 – 192.168.255.255
‒ 192.168.0.0/16
‒ 192.168.0.0 255.255.0.0
732
The IPv4 Global Address Space Problem
The designers of IPv4 did not envision the explosive growth of its use
4.3 billion addresses seemed more than enough
The protocol is not particularly efficient in its use of the available
space, with many addresses being wasted
733
IPv6
The Internet authorities started to predict address exhaustion in the
late 1980’s, and IPv6 was developed in the 90’s as the long term
solution
IPv6 uses a 128 bit address, compared to IPv4’s 32 bit address
IPv6 provides more than 7.9×10^28 times as many addresses as IPv4
734
The IPv6 Problem and NAT
There is not a seamless migration path from IPv4 to IPv6
NAT (Network Address Translation) was implemented as a temporary
workaround to mitigate the lack of IPv4 addresses until organisations
had time to migrate to IPv6
735
The IPv6 Problem and NAT
An organisation can use private IP addresses on their inside network,
but still grant their hosts Internet access by translating them to their
outside public IP addresses
Many hosts on the inside can share a few or a single public IP address
on the outside
736
Private Addresses and NAT
Office A Office B
Internet
Public Public
203.0.113.1/28 203.0.113.16/29
14 Addresses 6 Addresses
Private Private
192.168.10.0/24 192.168.10.0/24
200 Hosts 100 Hosts
737
Today’s Networks
Many industry experts predicted in the early 2000’s that IPv6 would be
ubiquitous within a few years
It hasn’t worked out that way – most enterprises today use RFC 1918
IPv4 addresses with NAT
RFC 1918 with NAT has the side benefit of hiding inside hosts by default
(they don’t have a publicly routable IP address, and the translating router
only admits return traffic for connections initiated from the inside). This
is not a substitute for a firewall: any inbound translation or a compromised
inside host exposes the network just the same. Network engineers also have
more experience with IPv4 than v6
738
NAT Types
Static NAT – permanent one-to-one mapping usually between a
public and private IP address. Used for servers which must accept
incoming connections.
Dynamic NAT – uses a pool of public addresses which are given out on
an as needed first come first served basis. Usually used for internal
hosts which need to connect to the Internet but do not accept
incoming connections.
PAT (Port Address Translation)– allows the same IP address to be
reused.
739
NAT Lab
740
Static NAT Scenario
We have bought the range of public IP addresses 203.0.113.0/28 from
our service provider
203.0.113.2 is used on the outside interface on our Internet edge
router R1
203.0.113.1 is used as the default gateway address. It is the SP1 router
on the other side of the link
203.0.113.3 – 203.0.113.14 remain available
741
Static NAT Scenario
Int-S1 at 10.0.1.10 is an internal web server which needs to accept
incoming connections from the Internet
We need to assign a fixed public IP address to accept incoming
connections. We will use the first available address 203.0.113.3
A static NAT translation is required to translate the public IP address
203.0.113.3 on F0/0 to 10.0.1.10 on F1/0 for incoming connections
The translation is bidirectional so will also translate 10.0.1.10 to
203.0.113.3 for outbound traffic from the server
742
Static NAT Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f1/0
R1(config-if)#ip nat inside
! the one-to-one translation described in the scenario above
R1(config)#ip nat inside source static 10.0.1.10 203.0.113.3
743
NAT Verification – show ip nat translation
R1#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 203.0.113.3:1 10.0.1.10:1 203.0.113.20:1 203.0.113.20:1
tcp 203.0.113.3:80 10.0.1.10:80 203.0.113.20:45849 203.0.113.20:45849
--- 203.0.113.3 10.0.1.10 --- ---
744
NAT Definitions
Inside local address—The IP address actually configured on the inside
host’s Operating System.
Inside global address— The NAT’d address of the inside host as it will
be reached by the outside network.
Outside local address—The IP address of the outside host as it
appears to the inside network.
Outside global address—The IP address assigned to the host on the
outside network by the host’s owner.
746
Outside Local vs Outside Global
Router R1 in our example knows one address to reach the outside host
(203.0.113.20) and does not translate that address.
For one way NAT, the Outside Local and Outside Global addresses will
be reported as being the same.
747
Two Way NAT
Company A Company B
A1 B1
R1
10.10.10.0/24 10.10.10.0/24
NAT: 10.10.20.0/24 NAT: 10.10.30.0/24
748
Two Way NAT
Company A Company B
A1 B1
R1
10.10.10.0/24 10.10.10.0/24
749
Dynamic NAT Scenario
We have bought the range of public IP addresses 203.0.113.0/28 from our
service provider
203.0.113.2 is used on the outside interface on our Internet edge router R1
203.0.113.1 is used as the default gateway address. It is the SP1 router on
the other side of the link
203.0.113.3 is used for a static NAT translation for the 10.0.1.10 web server
203.0.113.4 – 203.0.113.14 remain available
752
Dynamic NAT Scenario
The hosts in the 10.0.2.0/24 network do not accept incoming connections
so they don’t need a fixed public IP address with a static NAT translation
They do need outbound connectivity to the Internet so need to be
translated to a public IP address
We will use the remaining public addresses 203.0.113.4 - 14 as a NAT pool
The inside hosts will be translated to the public IP addresses on a first come
first served basis when they send traffic out
The first host to send traffic out will be translated to 203.0.113.4, the
second host to 203.0.113.5 etc., up to 203.0.113.14 at the end of the pool
753
Dynamic NAT Scenario
With standard dynamic NAT you need a public IP address for every
inside host which needs to communicate with the outside
If you have 30 hosts, you need 30 public IP addresses
When all the addresses in the pool have been used, new outbound
connections from other inside hosts will fail because there will be no
addresses left to translate them to
These hosts would have to wait for existing connections to be torn
down and the translations to be released back into the pool when they
time out
754
Dynamic NAT Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside
Define the pool of public addresses to translate to (203.0.113.4 to 203.0.113.14 in the scenario).
R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.14 netmask 255.255.255.240
Create an access list which references the internal IP addresses we want to translate.
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255
Associate the access list with the NAT pool to complete the configuration.
R1(config)#ip nat inside source list 1 pool Flackbox
755
NAT Verification – show ip nat translation
756
clear ip nat translation
R1#clear ip nat translation can be used to remove
translations from the translation table
This can be useful when troubleshooting
It is also often required if you want to edit your NAT configuration –
the router will not allow changes when there are active translations
clear ip nat translation * will remove all dynamic
translations
757
NAT Verification – show ip nat statistics
R1#show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
FastEthernet0/0
Inside interfaces:
FastEthernet2/0
Hits: 148 Misses: 0
CEF Translated packets: 148, CEF Punted packets: 0
Expired translations: 7
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 interface FastEthernet0/0 refcount 2
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
758
Dynamic NAT Address Exhaustion
With standard dynamic NAT the inside hosts are translated to public IP
addresses on a first come first served basis when they send traffic out
This requires a public IP address for every inside host which
communicates with the outside network
When all the addresses in the pool have been used, new outbound
connections from other inside hosts will fail because there will be no
addresses left to translate them to
760
PAT Port Address Translation
Port Address Translation (PAT) is an extension to NAT that permits
multiple devices to be mapped to a single public IP address
With PAT you do not need a public IP address for every inside host
The router tracks translations by IP address and Layer 4 port number
Because different inside hosts are assigned different port numbers, the
router knows which host to send return traffic to, even when the
public IP address is the same
761
Dynamic NAT with Overload
Dynamic NAT with Overload uses PAT to allow more clients to be
translated than IP addresses are available in the NAT pool
If the NAT pool is 203.0.113.4 to 203.0.113.6 for example, the first 2
hosts which initiate outbound connections will be translated to
203.0.113.4 and 203.0.113.5
763
Dynamic NAT with Overload
The 3rd host will be translated to 203.0.113.6 and the router will track
which source port number was used in the translation table
The 4th and 5th etc. hosts will also be translated to 203.0.113.6 but
with different source port numbers
When the return traffic is sent back the router checks the destination
port number to see which host to forward it to
764
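As an added example (not from the course and not IOS code), the block below models the allocation behaviour described above for plain dynamic NAT and for dynamic NAT with overload, using the slides’ pool of 203.0.113.4 to 203.0.113.6 and five inside hosts. It also shows how return traffic is mapped back by destination port. The hosts and flows are constructed, and the port numbers are illustrative: real IOS selects translated ports differently (it tries to keep the original source port where it can).

```python
"""Added example: dynamic NAT pool exhaustion vs dynamic NAT with overload (PAT),
following the slides' description of address and port assignment. Pool, hosts and
flows are constructed; IOS port selection differs in practice."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    pool: list                     # inside global addresses in order, e.g. .4, .5, .6
    overload: bool = False
    next_port: int = 4096          # first translated source port, as on the slides
    by_inside: dict = field(default_factory=dict)   # inside local ip -> inside global ip
    ports: dict = field(default_factory=dict)       # (global ip, global port) -> (local ip, local port)

    def outbound(self, src, sport, dst, dport):
        """Translate a packet leaving the inside interface. None means the pool is
        exhausted and the new connection fails (plain dynamic NAT only)."""
        if src not in self.by_inside:
            free = [ip for ip in self.pool if ip not in self.by_inside.values()]
            if free:
                self.by_inside[src] = free[0]           # first come, first served
            elif self.overload:
                self.by_inside[src] = self.pool[-1]     # share the last address
            else:
                return None
        glob_ip = self.by_inside[src]
        if not self.overload:
            return (glob_ip, sport, dst, dport)         # one-to-one, ports untouched
        glob_port, self.next_port = self.next_port, self.next_port + 1
        self.ports[(glob_ip, glob_port)] = (src, sport)
        return (glob_ip, glob_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Return traffic: map the destination (inside global) back to the inside host."""
        if self.overload:
            local = self.ports.get((dst, dport))         # the port decides which host
            return None if local is None else (src, sport, local[0], local[1])
        local_ip = next((l for l, g in self.by_inside.items() if g == dst), None)
        return None if local_ip is None else (src, sport, local_ip, dport)


def run_nat_examples():
    pool = ["203.0.113.4", "203.0.113.5", "203.0.113.6"]
    hosts = ["10.10.10.10", "10.10.10.11", "10.10.10.12", "10.10.10.13", "10.10.10.14"]
    out = {}
    # Plain dynamic NAT: three addresses, so hosts four and five cannot get out.
    dyn = Nat(pool)
    out["dynamic"] = [dyn.outbound(h, 50000, "203.0.113.10", 80) for h in hosts]
    out["dynamic_return"] = dyn.inbound("203.0.113.10", 80, "203.0.113.5", 50000)
    # Overload: the same pool serves all five; the last address is shared by port.
    pat = Nat(pool, overload=True)
    out["overload"] = [pat.outbound(h, 50000, "203.0.113.10", 80) for h in hosts]
    g_ip, g_port, _, _ = out["overload"][4]
    out["return_5th"] = pat.inbound("203.0.113.10", 80, g_ip, g_port)
    out["return_unknown"] = pat.inbound("203.0.113.10", 80, "203.0.113.6", 9999)
    return out


if __name__ == "__main__":
    for name, value in run_nat_examples().items():
        print(f"{name}: {value}")
```

The "return_unknown" case is worth noting: with overload, an inbound packet to the shared address that matches no translated port has nowhere to go and is dropped, which is the side effect that hides inside hosts from unsolicited traffic.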
Dynamic NAT with Overload
Diagram: inside hosts 10.10.10.10 to 10.10.10.13 behind R1, outside web
servers 203.0.113.10 and 203.0.113.11, NAT pool 203.0.113.4 to 203.0.113.6
10.10.10.10 is translated to 203.0.113.4:4096 > 203.0.113.10:80, and the
reply 203.0.113.4:4096 < 203.0.113.10:80 is translated back to 10.10.10.10
10.10.10.11 is translated to 203.0.113.5:4097 > 203.0.113.10:80, and the
reply 203.0.113.5:4097 < 203.0.113.10:80 is translated back to 10.10.10.11
10.10.10.12 is translated to 203.0.113.6:4098 > 203.0.113.11:80, and the
reply 203.0.113.6:4098 < 203.0.113.11:80 is translated back to 10.10.10.12
The pool is now exhausted, so 10.10.10.13 and any further hosts are also
translated to 203.0.113.6, each with a different source port
765-772
Dynamic NAT with Overload Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside
Define the pool of public addresses to translate to.
R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.14 netmask 255.255.255.240
Create an access list which references the internal IP addresses we want to translate.
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255
Associate the access list with the NAT pool, adding the overload keyword, to complete the configuration.
R1(config)#ip nat inside source list 1 pool Flackbox overload
774
PAT with Single IP Address
The last NAT scenario to cover is a small office which has not
purchased a range of public IP addresses
In this case the outside interface will most likely get its IP address via
DHCP from the service provider
PAT can be used to allow multiple inside hosts to share the single
outside public IP address
775
PAT with Single IP Address
The configuration is very similar to Dynamic NAT with Overload but
translates to the outside interface address rather than a pool of
addresses
You must translate to the outside interface rather than a specific IP
address because a DHCP address can change
776
PAT with Single IP Address Configuration
R1(config)#int f0/0
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside
R1(config)#int f1/0
R1(config-if)#ip nat inside
! access-list 1 identifies the inside hosts, as on the earlier slides;
! translate to the outside interface address rather than a pool
R1(config)#ip nat inside source list 1 interface FastEthernet0/0 overload
777
NAT Verification – show ip nat translation
778
NAT Verification – debug ip nat
R1#debug ip nat
Outbound
*Aug 21 23:52:55.739: NAT*: TCP s=52670->4097, d=23
*Aug 21 23:52:55.739: NAT*: s=10.0.2.11->203.0.113.13, d=203.0.113.20
[34332]
Return Traffic
*Aug 21 23:52:55.763: NAT*: TCP s=23, d=4097->52670
*Aug 21 23:52:55.763: NAT*: s=203.0.113.20, d=203.0.113.13->10.0.2.11
[45975]
779
Problems with NAT
NAT breaks the end to end IP model
This can cause issues with security and with some applications
Company A Company B
CUCM-A CUCM-B
10.0.0.100 10.0.10.100
NAT: 203.0.113.3/28 NAT: 203.0.113.20/28
A B
Ext 10-1001 Ext 11-2001
10.0.0.10 10.0.10.10
NAT: 203.0.113.10/28 NAT: 203.0.113.21/28
780
NAT Problem Example
10.0.0.10 > 10.0.0.100 : ‘I’d like to call 11-2001 please’
Company A Company B
CUCM-A CUCM-B
10.0.0.100 10.0.10.100
NAT: 203.0.113.3/28 NAT: 203.0.113.20/28
A B
Ext 10-1001 Ext 11-2001
10.0.0.10 10.0.10.10
NAT: 203.0.113.10/28 NAT: 203.0.113.21/28
781
NAT Problem Example
CUCM-A Dial Plan : 11-xxxx is available at 203.0.113.20
Company A Company B
CUCM-A CUCM-B
10.0.0.100 10.0.10.100
NAT: 203.0.113.3/28 NAT: 203.0.113.20/28
A B
Ext 10-1001 Ext 11-2001
10.0.0.10 10.0.10.10
NAT: 203.0.113.10/28 NAT: 203.0.113.21/28
782
NAT Problem Example
10.0.0.100 > 203.0.113.20 : ‘Call for 11-2001 from 10.0.0.10’
Company A Company B
CUCM-A CUCM-B
10.0.0.100 10.0.10.100
NAT: 203.0.113.3/28 NAT: 203.0.113.20/28
A B
Ext 10-1001 Ext 11-2001
10.0.0.10 10.0.10.10
NAT: 203.0.113.10/28 NAT: 203.0.113.21/28
783
NAT Problem Example
Router A NATs source address 10.0.0.100 to 203.0.113.3
Router B NATs destination address 203.0.113.20 to 10.0.10.100
Company A Company B
CUCM-A CUCM-B
10.0.0.100 10.0.10.100
NAT: 203.0.113.3/28 NAT: 203.0.113.20/28
A B
Ext 10-1001 Ext 11-2001
10.0.0.10 10.0.10.10
NAT: 203.0.113.10/28 NAT: 203.0.113.21/28
784
NAT Problem Example
10.0.10.100 > 10.0.10.10: ‘Call for you, please ring’
785
NAT Problem Example
10.0.10.10 > 10.0.10.100: ‘User picked up, ready for call’
786
NAT Problem Example
10.0.10.100 > 203.0.113.3 : ‘Ext 11-2001 is ready for call at 10.0.10.10’
787
NAT Problem Example
Router B NATs source address 10.0.10.100 to 203.0.113.20
Router A NATs destination address 203.0.113.3 to 10.0.0.100
788
NAT Problem Example
CUCM-A to Phone A: ‘Stream your voice to 10.0.10.10’
CUCM-B to Phone B: ‘Stream your voice to 10.0.0.10’
789
NAT Problem Example
The phones only have connectivity to each other on their NAT’d public IP
addresses, not via internal private addresses, so the call fails
790
NAT Problem
Devices such as application layer firewalls, traversal servers and proxy
servers can help with these issues
It would be a cleaner solution if IP supported an addressing scheme
which was big enough to give all devices in the world a publicly reachable
address
… Enter IPv6. It uses a 128 bit address, compared to IPv4’s 32 bit address
IPv6 provides more than 7.9×10^28 times as many addresses as IPv4
791
Other IPv6 Enhancements
In addition to the larger address space, IPv6 was designed to support
built-in security and host mobility
792
Dual Stack
IPv4 and IPv6 do not have to be an ‘either or’ decision
In a ‘dual stack’ implementation a network interface can have both an
IPv4 and an IPv6 address at the same time
It can then communicate using either protocol
Dual stack can be enabled long term to support both IPv4 and IPv6
applications or as an IPv4 to IPv6 transition strategy
793
IPv6 Addressing Format
IPv6 uses a 128 bit address compared to IPv4’s 32 bit address
The address is written as X:X:X:X:X:X:X:X
Each ‘X’ is a 16 bit hexadecimal field (hex values are 0-9,A-F)
Eg. 2001:0DB8:0000:0001:0000:0000:0000:0001
794
IPv6 Address Part Naming
IPv4 addresses are 32 bits long, written as x.x.x.x
Each segment is 8 bits so they are known as ‘octets’
IPv6 addresses are 128 bits long, written as X:X:X:X:X:X:X:X
Each segment is 16 bits but there isn’t an official name for them
(‘hexadectet’ is too hard to pronounce)
They are sometimes called ‘hextets’, ‘pieces’ or ‘quartets’
795
Address Shortening
The IPv6 address is very long. There are a couple of ways we can
shorten it to make things more convenient
Address shortening is a standard convention and is supported by all
vendors’ devices
796
Address Shortening
797
Address Shortening
Successive all zero fields can be shortened only once in an address to
avoid confusion
2001:0:0:1:0:0:0:B can be shortened to
2001::1:0:0:0:B or
2001:0:0:1::B
It can’t be shortened to 2001::1::B
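The two shortening rules above, and the reason a second ‘::’ is rejected, implemented as an added Python example (this is not code from the course; the function names are my own, and the result is cross-checked against Python's standard ipaddress module):

```python
"""IPv6 address shortening and expansion, following the rules on the slides.

Added example, not Cisco or Flackbox code; function names are my own.
Rule 1: leading zeros in a 16-bit field may be dropped.
Rule 2: one run of consecutive all-zero fields may be replaced by '::', and
only once, otherwise the number of elided fields is ambiguous.
Results are cross-checked against Python's standard ipaddress module.
"""
import ipaddress

FIELDS = 8  # eight 16-bit fields in a 128-bit address


def expand(addr: str) -> list:
    """Parse a full or shortened address into eight integer fields.

    Raises ValueError for a second '::' or any other malformed input.
    (Embedded IPv4 notation such as ::ffff:192.0.2.1 is not handled here.)
    """
    if addr.count("::") > 1:
        raise ValueError(f"'::' may appear only once: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = FIELDS - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one field: {addr}")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != FIELDS:
        raise ValueError(f"expected {FIELDS} fields, got {len(parts)}: {addr}")
    if not all(1 <= len(p) <= 4 for p in parts):
        raise ValueError(f"each field must be 1 to 4 hex digits: {addr}")
    return [int(p, 16) for p in parts]   # int() rejects non-hex characters


def is_valid(addr: str) -> bool:
    """True when the spelling is a legal full or shortened IPv6 address."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def full_form(addr: str) -> str:
    """Write the address in full: eight fields of four upper-case hex digits."""
    return ":".join(f"{h:04X}" for h in expand(addr))


def shorten(addr: str) -> str:
    """Apply both rules; the longest zero run is collapsed, first one on a tie."""
    hextets = expand(addr)
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, h in enumerate(hextets + [-1]):      # sentinel terminates the final run
        if h == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
            continue
        if run_len > best_len:
            best_start, best_len = run_start, run_len
        run_len = 0
    fields = [f"{h:X}" for h in hextets]         # rule 1: no leading zeros
    if best_len < 2:                             # a lone zero field stays as '0'
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"                     # rule 2: one '::' only


def same_address(a: str, b: str) -> bool:
    """True when two spellings denote the same 128-bit address."""
    return expand(a) == expand(b)


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check: our shortening matches ipaddress (which prints lower case)."""
    return shorten(addr).lower() == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    for spelling in ("2001:0:0:1:0:0:0:B", "2001::1:0:0:0:B", "2001:0:0:1::B"):
        print(f"{spelling:22} -> {full_form(spelling)} -> {shorten(spelling)}")
    print("2001::1::B valid?", is_valid("2001::1::B"))
```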
798
IPv6 Address Types
Global Unicast
Unique Local
Link Local
799
IPv6 Address Types: Global Unicast Addresses
Global Unicast Addresses are similar to IPv4 public addresses
They are assigned to an individual host and have global reachability
(unless blocked by security policy such as on a firewall)
They are assigned from the range 2000::/3
800
IPv6 Address Types: Global Unicast Addresses
Internet authorities assign blocks from the overall 2000::/3 range to
organisations
A common assignment for a company is a /48 block, eg
2001:10:10::/48
A smaller or larger size block can be assigned depending on the size of
the company
801
IPv6 Address Types: Global Unicast Addresses
IPv6 standards state that addresses assigned to individual hosts should
use a /64 mask
The IPv6 address is 128 bits so /64 splits it in half for the network and
host portions of the address
X:X:X:X:X:X:X:X (first four fields: Network, last four fields: Host)
802
IPv6 Address Types: Global Unicast Addresses
If a company is assigned a /48 address by the Internet authorities and
uses /64 host addresses, that leaves 16 bits the company can assign to
its internal subnets
For example, if the company was assigned 2001:10:10::/48 by the
Internet authorities, it can assign subnets 2001:10:10:0::/64 to
2001:10:10:FFFF::/64 to its internal network segments
16 bits = 65,535 possible subnets
64 bits left over = 18,446,744,073,709,551,616 hosts per subnet
X:X:X:X:X:X:X:X (first three fields: Company, fourth field: Subnet, last four fields: Host)
803
IPv6 Address Types: Global Unicast Addresses
In this example the company has been assigned 2001:DB8:0::/48 by
the Internet authorities
Subnet 2001:DB8:0:1::/64 Subnet 2001:DB8:0:2::/64
804
IPv6 Address Types: Global Unicast Addresses
In this example the company has been assigned 2001:DB8:0::/48 by
the Internet authorities
IPv6 Address 2001:DB8:0:1:0:0:0:1/64
IPv6 Address 2001:DB8:0:2:0:0:0:1/64
805
IPv6 Address Types: Global Unicast Addresses
In this example the company has been assigned 2001:DB8:0::/48 by
the Internet authorities
IPv6 Address 2001:DB8:0:1::1/64
IPv6 Address 2001:DB8:0:2::1/64
806
IPv6 Address Types: Global Unicast Addresses
Using a /64 for all network subnets including point-to-point links and
loopback addresses can seem wasteful, but the official declaration is
that the IPv6 address space is so large that it does not create a
problem
Using /64 everywhere simplifies the addressing and enables the use of
EUI-64 addresses
807
Global Unicast Address Configuration
Enable IPv6 routing first
R1(config)#ipv6 unicast-routing
R1(config)#int f0/0
R1(config-if)#ipv6 add 2001:db8:0:1::1/64
R1(config-if)#int f2/0
R1(config-if)#ipv6 add 2001:db8:0:0::1/64
808
Broadcast and Multicast
IPv4 supports broadcast to all hosts on 255.255.255.255
Routers do not forward broadcast traffic so this stays on the local subnet
IPv6 does not support broadcast traffic
It does however support multicast to all hosts on the local subnet (ff02::1)
which is functionally equivalent
Many services which use broadcast to 255.255.255.255 in IPv4 use more
specific multicast addresses in IPv6 (eg ff05::1:3 for all DHCP servers)
809
Global Unicast Address Verification
R1#sh ipv6 interface brief
FastEthernet0/0 [up/up]
2001:DB8:0:1::1
FastEthernet2/0 [up/up]
2001:DB8::1
! truncated
811
Lab
812
EUI-64 Addresses
A Cisco router can generate full IPv6 addresses for itself when given
the interface and /64 network to use
The host portion of the address is derived from the interface’s MAC
address, which is guaranteed to be globally unique
A MAC address is a /48 address compared to the /64 host portion of
the IPv6 address
FF:FE is injected in the middle of the /48 MAC address to bring it up to
64 bits. Also, the 7th bit is inverted
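The EUI-64 steps above, together with the /48 to /64 subnet split described earlier, as an added Python example (not Cisco or course code; the function names are my own). It uses the 2001:DB8::/48 documentation block from the slides and the MAC addresses ca01.2f24.0000 and ca01.2f24.0038 shown in the course's EUI-64 verification output:

```python
"""Modified EUI-64 interface IDs and /48 -> /64 subnet planning.

Added example, not Cisco or Flackbox code; function names are my own.
Inputs: the 2001:DB8::/48 documentation block used on the slides and the
router MAC addresses from the course's 'show interface' output.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Convert a 48-bit MAC into a 64-bit modified EUI-64 interface identifier.

    Steps from the slides: split the MAC in half, inject FF:FE in the middle,
    and invert the 7th bit (the universal/local bit of the first byte).
    Accepts Cisco dotted ('ca01.2f24.0000'), colon or dash separated forms.
    """
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"MAC must be 48 bits (12 hex digits): {mac}")
    octets = bytearray.fromhex(digits)
    octets[0] ^= 0x02                      # flip bit 7 counted from the left
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a router assigns itself with 'ipv6 address <prefix>/64 eui-64'."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"EUI-64 needs a /64 network, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The auto-generated FE80::/64 link-local address for an interface."""
    return eui64_address("fe80::/64", mac)


def subnet_count(company_block: str) -> int:
    """How many /64 subnets fit in the company's assignment (2^16 for a /48)."""
    return 2 ** (64 - ipaddress.IPv6Network(company_block).prefixlen)


def plan_subnets(company_block: str, count: int) -> list:
    """Return the first `count` /64 subnets of the company block, in order."""
    block = ipaddress.IPv6Network(company_block)
    if block.prefixlen > 64:
        raise ValueError("block is smaller than a /64")
    subnets = []
    for i, net in enumerate(block.subnets(new_prefix=64)):
        if i >= count:
            break
        subnets.append(net)
    return subnets


def router_addresses(interfaces: dict) -> dict:
    """interfaces: name -> (/64 prefix, MAC). Returns name -> (global, link-local)."""
    return {
        name: (str(eui64_address(prefix, mac)), str(link_local_address(mac)))
        for name, (prefix, mac) in interfaces.items()
    }


if __name__ == "__main__":
    # Constructed interface table: prefixes and MACs as used on the slides.
    ifaces = {
        "FastEthernet0/0": ("2001:db8:0:1::/64", "ca01.2f24.0000"),
        "FastEthernet2/0": ("2001:db8:0:0::/64", "ca01.2f24.0038"),
    }
    print("/64 subnets available in 2001:db8::/48:", subnet_count("2001:db8::/48"))
    print("first subnets:", [str(n) for n in plan_subnets("2001:db8::/48", 3)])
    for name, (gua, ll) in router_addresses(ifaces).items():
        print(f"{name}: {gua}  link-local {ll}")
```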
813
EUI-64 Addresses
814
EUI-64 Address Configuration
R1(config)#int f0/0
R1(config-if)#ipv6 address 2001:db8:0:1::/64 eui-64
R1(config)#int f2/0
R1(config-if)#ipv6 address 2001:db8:0::/64 eui-64
815
EUI-64 Address Verification
R1#sh int f0/0
Hardware is DEC21140, address is ca01.2f24.0000
R1#sh int f2/0
Hardware is DEC21140, address is ca01.2f24.0038
816
EUI-64 Addresses
The router will borrow the MAC address from the first Ethernet port
for non-Ethernet interfaces such as Serial ports
It is not recommended to use EUI-64 on router interfaces. It is better
to use a memorable address such as 2001:db8:0:1::1
817
Lab
818
IPv6 Address Types: Unique Local Addresses
Unique Local Addresses are similar to IPv4 RFC 1918 private addresses
They are not publicly reachable
They are assigned from the range FC00::/7
Hosts should be assigned /64 addresses
819
IPv6 Address Types: Link Local Addresses
Link local addresses are valid for communications on that link only
They are assigned from the range FE80::/10 – FEB0::/10
Hosts should be assigned /64 addresses
820
Link Local Connectivity
A, B and C have connectivity to each other via the FE80::1, FE80::2 and
FE80::3 link local addresses on the same segment
B and D have connectivity to each other via the FE80::4 and FE80::5
link local addresses on the same segment
FE80::1, FE80::2 and FE80::3 do not have connectivity to FE80::4 or
FE80::5
821
IPv6 Address Types: Link Local Addresses
Link local addresses can be used for communications which should not
be forwarded beyond the local link, like routing protocol hello packets
and updates
They are mandatory on IPv6 enabled Cisco router interfaces
822
IPv6 Address Types: Link Local Addresses
Link Local addresses are automatically generated with EUI-64
addresses on IPv6 enabled Cisco router interfaces
The EUI-64 address can be overridden with manual configuration
823
Link Local Address Auto Generation
New router with no IPv6 configuration:
R1#sh ipv6 int brief
FastEthernet0/0 [up/up]
unassigned
FastEthernet1/0 [administratively down/down]
unassigned
FastEthernet2/0 [up/up]
unassigned
FastEthernet3/0 [administratively down/down]
unassigned
824
Link Local Address Auto Generation
Configuring a global unicast address enables IPv6 on the interface
R1(config)#ipv6 unicast-routing
R1(config)#int f0/0
R1(config-if)#ipv6 add 2001:db8:0:1::1/64
R1(config-if)#int f2/0
R1(config-if)#ipv6 add 2001:db8:0:0::1/64
825
Link Local Address Auto Generation
EUI-64 Link Local addresses are automatically generated
826
Manual Link Local Address Configuration
Link local addresses are valid on the local link only so you can use the
same address on multiple interfaces
R1(config)#int f0/0
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#int f2/0
R1(config-if)#ipv6 address fe80::1 link-local
827
Multiple IPv4 Addresses
R1(config)#int f0/0
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1#sh run int f0/0
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
R1(config)#int f0/0
R1(config-if)#ip address 172.16.0.1 255.255.255.0 secondary
R1#sh run int f0/0
interface FastEthernet0/0
ip address 172.16.0.1 255.255.255.0 secondary
ip address 192.168.10.1 255.255.255.0
828
Multiple IPv6 Addresses
R1(config)#int f0/0
R1(config-if)#ipv6 address FE80::1 link-local
R1(config-if)#ipv6 add 2001:db8:0:0::1/64
R1(config-if)#ipv6 add 2001:db8:0:1::1/64
829
Multiple IPv6 Addresses Summary
Link local addresses are mandatory on IPv6 enabled interfaces
Global unicast and Unique local addresses are optional
You can have multiple addresses on the same interface
One link local address for routing protocol traffic and one global
unicast address for normal routing is typical
830
Lab
831
Stateless Address AutoConfiguration (SLAAC)
Hosts can be assigned IPv6 addresses through static addressing, DHCPv6,
or SLAAC
DHCP servers track their MAC address to IP address assignments, so this
is ‘stateful’ addressing
832
Stateless Address AutoConfiguration (SLAAC)
With SLAAC, hosts learn the /64 subnet their interface is on from their
local router and then use this information to generate their own IPv6
EUI-64 address
(Modern Operating Systems randomise the host portion of the address
rather than using standard EUI-64 for privacy reasons)
The router does not track which hosts have which IP address so this is
‘stateless’ addressing
833
SLAAC – Router Advertisements
When a global unicast IPv6 address is configured on an interface then
Router Advertisements advertising the network prefix are sent out by
default
These ICMP messages are sent to the ‘All Nodes’ multicast address from
the interface’s link-local address
Hosts can also send a ‘Router Solicitation’ message to request the
information
834
Stateless Address AutoConfiguration (SLAAC)
As well as telling the hosts which subnet to generate their IP address on,
the router tells the hosts to use itself as their default gateway
The original implementation did not support any information other than
the default gateway address
835
Stateless Address AutoConfiguration (SLAAC)
836
Stateless Address AutoConfiguration (SLAAC)
In practice a DHCP server is still required to give out information such as
DNS server
If the IP address is assigned by SLAAC and the DNS server is assigned by
DHCP this results in a stateless configuration, where the DHCP server
does not retain information about the hosts
837
The Unspecified Address
:: is the Unspecified address or Unknown address
An IPv6 route to ::/0 is a default route equivalent to 0.0.0.0 0.0.0.0 in IPv4
Also, :: is used as the source when an interface is trying to acquire an
address
838
Neighbor Discovery
Neighbor Discovery is the IPv6 version of ARP and works in the same way
Rather than using ARP requests and replies, Neighbor Discovery uses
ICMP Neighbor Solicitations and Neighbor Advertisements
Neighbor Solicitation messages are sent to the Solicited-Node multicast
address which reaches all hosts on the subnet
839
Verification – show ipv6 neighbors
840
Verification – show ipv6 neighbors
R2#show ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
FE80::C801:2FFF:FE24:0 0 ca01.2f24.0000 STALE Fa0/0
FE80::C803:2DFF:FEB0:1C 0 ca03.2db0.001c STALE Fa1/0
R2#ping 2001:db8:0:1::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:1::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/88 ms
841
IPv6 Routing
IPv6 routing works the same way as IPv4 routing, but the processes are
separate, and there are separate IPv4 and IPv6 routing tables
If a router receives an IPv4 packet, it will route it according to its IPv4
routing table
If a router receives an IPv6 packet, it will route it according to its IPv6
routing table
The routing tables are built in the same way, through static routes or
dynamic routing protocols
842
IPv6 Routing
843
Connected and Local Routes
The administrator configures IP addresses on the router’s interfaces
R1#show run
interface FastEthernet0/0
ip address 10.10.1.1 255.255.255.0
duplex full
ipv6 address 2001:DB8:0:1::1/64
!
interface FastEthernet2/0
ip address 10.10.0.1 255.255.255.0
duplex full
ipv6 address 2001:DB8::1/64
844
show ip route – IPv4 Routes
This will automatically enter connected and local routes in the routing table.
Local IPv4 routes always have a /32 mask and show the IP address configured
on the interface
R1#show ip route
C 10.10.0.0/24 is directly connected, FastEthernet2/0
C 10.10.1.0/24 is directly connected, FastEthernet0/0
L 10.10.0.1/32 is directly connected, FastEthernet2/0
L 10.10.1.1/32 is directly connected, FastEthernet0/0
! truncated
845
show ipv6 route - Connected Routes
Local routes always have a /128 mask and show the IP address
configured on the interface
R1#show ipv6 route
C 2001:DB8::/64 [0/0]
via FastEthernet2/0, directly connected
C 2001:DB8:0:1::/64 [0/0]
via FastEthernet0/0, directly connected
L 2001:DB8::1/128 [0/0]
via FastEthernet2/0, receive
L 2001:DB8:0:1::1/128 [0/0]
via FastEthernet0/0, receive
! truncated
846
Routing
847
IPv4 Static Routes
848
IPv6 Static Routes
849
IPv4 Summary and Default Route
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2
ip route 0.0.0.0 0.0.0.0 203.0.113.2
[Topology diagram: R4, R3, R2 and R1 are connected in a chain over 10.1.1.0/24, 10.1.0.0/24 and 10.0.0.0/24; R1 connects to the Internet on 203.0.113.0/24 (R1 is .1, the ISP side is .2). R5 is attached via 10.1.3.0/24 and 10.0.3.0/24 and holds .2 on both; the far ends are 10.1.3.1/24 and 10.0.3.1/24. A further link uses 10.0.2.1/24.]
850
IPv6 Summary and Default Route
ipv6 route 2001:DB8:0::/48 2001:DB8:0::2
ipv6 route 2001:DB8:1:1::/64 2001:DB8:1::2
[Topology diagram: R4, R3, R2 and R1 are connected in a chain over 2001:DB8:0:2::/64, 2001:DB8:0:1::/64 and 2001:DB8:0:0::/64 (hosts :1 and :2 on each link); R1 connects to the Internet on 2001:DB8:3:0::1/64. R5 is attached via 2001:DB8:1:1::/64 and 2001:DB8:1:0::/64 and holds ::2 on both; the far ends are 2001:DB8:1:1::1/64 and 2001:DB8:1:0::1/64. A further link uses 2001:DB8:2:0::1/64.]
851
Lab
852
IOS Security
When a Cisco router or switch is received from the factory no security is
configured
You can access the command line via a console cable with no password
required
One of the first tasks is to configure security to ensure that only
authorised administrators can access the device
853
IOS Command Hierarchy
854
Basic Line Level Security
Minimal password security can be configured through the use of static,
locally defined passwords at three different levels:
Console line – accessing User Exec mode when connecting via a
console cable
Virtual terminal VTY line – accessing User Exec mode when
connecting remotely via Telnet or SSH Secure Shell
Privileged Exec Mode – entering the ‘enable’ command
855
Basic Line Level Security
The levels can be used independently or in combination with
each other.
They can use the same or different passwords.
856
Basic Console Security
Only one administrator can connect over a console cable at a time so the
line number is always 0.
‘Login’ with no following keywords requires the administrator to enter
the password configured at the line level to log in
R1(config)#line console 0
R1(config-line)#password Flackbox1
R1(config-line)#login
857
Basic Console Security
R1>
858
Basic Telnet Security
859
Switch Management IP Address
860
Switch Management IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.0.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.0.1
861
Basic Telnet Security
R1(config)#line vty 0 15
R1(config-line)#password Flackbox2
R1(config-line)#login
862
Basic Telnet Security
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
Password:<wrong password>
Password:<correct password>
R1>
863
Exec Timeout
R1(config)#line con 0
R1(config-line)#exec-timeout 15
R1(config)#line vty 0 15
R1(config-line)#exec-timeout 5 30
864
Securing VTY Lines with Access Lists
You can apply an Access List to control access to the VTY lines
This can be used to limit Telnet and SSH access to only your
administrator workstations
R1(config)#line vty 0 15
R1(config-line)#login
R1(config-line)#password Flackbox3
R1(config-line)#access-class 1 in
865
Securing VTY Lines with Access Lists
866
Basic Privileged Exec Security
When you connect over the console or a VTY line you will land at the
User Exec prompt which has a very limited set of commands available
To get superuser access you use the ‘enable’ command to invoke
Privileged Exec mode
This can be secured with a password
867
Basic Privileged Exec Security
R1>enable
Password: <correct password>
R1#
868
Enable Password
R1#show run
Building configuration...
!
enable password Flackbox3
!
truncated
869
Enable Secret
870
Enable Secret
R1(config)#enable secret Flackbox3
The enable secret you have chosen is the same as your
enable password.
This is not recommended. Re-enter the enable secret.
R1(config)#enable secret Flackbox4
R1#show run
!
enable secret 5 $1$mERr$ABB9Y2Fk
enable password Flackbox3
!
871
Encrypting Passwords
Line level passwords can also be viewed in plain text in the
running configuration by default.
R1#show run
!
enable secret 5 $1$mERr$ABB9Y2FkwbWuPLfUgLUxf1
enable password Flackbox3
!
line con 0
password Flackbox1
login
!
line vty 0 4
password Flackbox2
login
line vty 5 15
password Flackbox2
login
872
Service Password-Encryption
R1(config)#service password-encryption
873
Service Password-Encryption
R1#show run
!
service password-encryption
!
enable secret 5 $1$mERr$ABB9Y2FkwbWuPLfUgLUxf1
enable password 7 0807404F0A1207180A58
!
line con 0
password 7 0807404F0A1207180A5A
login
!
line vty 0 4
password 7 0807404F0A1207180A59
login
line vty 5 15
password 7 0807404F0A1207180A59
login
874
Lab
Console Cable
875
Basic Line Level Security
With line level security all administrators log in with the same password
R1(config)#line console 0
R1(config-line)#password Flackbox1
R1(config-line)#login (use line level password)
R1(config)#line vty 0 15
R1(config-line)#password Flackbox1
R1(config-line)#login
876
Username Level Security
More granular security can be provided by configuring individual
usernames and passwords for different administrators
877
Username Level Security
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
Username: admin1
Password: <Flackbox1>
R1>
878
Privilege Levels
There are 16 privilege levels of admin access (0-15) available on a Cisco
router or switch
Usernames can be assigned a privilege level. The default level is 1.
You can also configure different passwords for direct access to the
different privilege levels
Each available command in IOS can be assigned a privilege level. An
administrator must be logged in with that privilege level or higher to run
the command
879
Privilege Levels
By default, three levels of privilege are used - zero, user, and privileged.
All commands are at one of these three levels by default
Zero-level access allows only five commands—logout, enable, disable,
help, and exit.
User level (level 1) provides very limited read-only access to the router.
When you enter User Exec Mode you’re at Privilege Level 1 by default
Privileged level (level 15) provides complete control over the router.
When you enter Privileged Exec Mode with the ‘enable’ command
you’re at Level 15 by default
880
Username Level Security
R1(config)#username admin1 secret Flackbox1
R1(config)#username admin2 privilege 15 secret Flackbox2
R1(config)#line console 0
R1(config-line)#login local
R1(config)#line vty 0 15
R1(config-line)#login local
881
Username Level Security – Admin1
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
Username: admin1
Password: <Flackbox1>
R1>
R1>show privilege
Current privilege level is 1
882
Username Level Security – Admin2
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
Username: admin2
Password: <Flackbox2>
R1#
R1#show privilege
Current privilege level is 15
883
Configuring Command Privilege Levels Example
R1(config)#username admin1 secret Flackbox1
R1(config)#username admin2 privilege 15 secret Flackbox2
R1(config)#username admin3 privilege 5 secret Flackbox3
884
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin1
Password: <Flackbox1>
R1>show run
^
% Invalid input detected at '^' marker.
885
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin3
Password: <Flackbox3>
R1>show run
^
% Invalid input detected at '^' marker.
886
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin2
Password: <Flackbox2>
R1#sh run
Building configuration...
Current configuration : 1380 bytes
version 15.1
!
R1#configure terminal
R1(config)#
887
Configuring Command Privilege Levels Example
R1(config)#privilege exec level 5 show running-config
888
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin1
Password: <Flackbox1>
R1>show run
^
% Invalid input detected at '^' marker.
889
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin3
Password: <Flackbox3>
R1#sh run
Building configuration...
Current configuration : 1380 bytes
version 15.1
!
R1#configure terminal
^
% Invalid input detected at '^' marker.
890
Configuring Command Privilege Levels Example
R1(config)#enable secret secret1 (sets password for privilege level 15)
R1(config)#enable secret level 5 secret2 (sets password for privilege level 5)
891
Configuring Command Privilege Levels Example
C:\>telnet 10.0.0.1
Trying 10.0.0.1 ...Open
User Access Verification
Username: admin1
Password: <Flackbox1>
R1>show run
^
% Invalid input detected at '^' marker.
R1>enable 5
Password: <secret2>
R1#show run
Building configuration...
892
Telnet vs SSH
All Telnet communications cross the network in plain text
If somebody sniffs the traffic using a tool such as Wireshark they can see
all the commands you enter including your username and password
All SSH Secure Shell traffic is encrypted
If somebody sniffs the traffic they cannot read it
Best practice is to disable Telnet and only allow SSH for administrator CLI
access
893
Enable SSH
A digital certificate with a key length of at least 768 bits must be
generated to enable SSH encryption
894
Disable Telnet
VTY lines are used for both Telnet and SSH connections
Access is allowed for both by default
A username is required for SSH access (line level passwords are not
supported)
896
Lab
897
Login and Exec Banners
Messages can be displayed in the CLI before and/or after an
administrator logs in to a Cisco IOS device
This is most commonly used to display security warnings
898
Login and Exec Banners
899
Login and Exec Banners
900
Disable Unused Services
It is best practice to disable unused services
This reduces the attack surface and also the load on the device
HTTPS is sometimes used by GUI administration tools but HTTP should
be disabled
CDP should also be disabled in highly secure environments
901
Time Synchronisation
All servers and infrastructure devices in your network should be
synchronised to the same time
This aids in troubleshooting as logs will report the correct time that
events occurred
It is also required by several security features such as Kerberos
authentication and digital certificates
902
NTP Network Time Protocol
Servers and infrastructure devices can use their own internal clock or
synchronise with an external NTP server
An NTP server should be used to ensure all devices have the same time
A Cisco router can function as an NTP server and/or client
903
NTP Configuration
R1(config)#clock timezone PST -8
R1(config)#ntp server 10.0.1.100 (configures router to be NTP client)
R1(config)#ntp master (configures router to be NTP server)
R1#show clock
16:19:36.51 PST Mon Oct 2 2017
904
Lab
905
Lab
906
Syslog
907
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity-MNEMONIC:description
Example:
*Oct 3 00:44:12.627: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
908
Syslog Format
The format of the messages is:
seq no (optional)
909
Syslog Format
The format of the messages is:
seq no:time stamp
*Oct 3 00:44:12.627
910
Syslog Format
The format of the messages is:
seq no:time stamp: %facility
911
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity
912
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity-MNEMONIC
913
Syslog Format
The format of the messages is:
seq no:time stamp: %facility-severity-MNEMONIC:description
914
Syslog Severity Levels
Value  Severity   Description
0      Emergency  System is unusable. A panic condition.
1      Alert      A condition that should be corrected immediately, such as a corrupted system database.
2      Critical   Critical conditions, such as hard device errors.
915
Logging Locations
Syslog messages can be logged to various locations:
Console line - events will be shown in the CLI when you are logged in
over a console connection. All events logged by default
VTY Terminal lines - events will be shown in the CLI when you are
logged in over a Telnet or SSH session. Not enabled by default
The logging buffer – events saved in RAM memory, you can view
them with the ‘show logging’ command. All events logged by default
External Syslog servers
916
Logging Locations
You can specify the same or different severity levels to log for each
location
All messages of that severity level and higher will be logged
For example, if you set a logging level of 3 for the console, events with
severity levels 0, 1, 2 and 3 will be logged there
If you set a logging level of 7 for an external Syslog server, events from
all severity levels 0–7 will be logged there
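The message format from the Syslog Format slides and the ‘that severity and higher’ rule above, as an added Python example (not Cisco or course code; the function names are my own). Two of the sample lines are copied from the slides, the other two are constructed:

```python
"""Parse Cisco IOS syslog messages and apply per-destination severity levels.

Added example, not Cisco or Flackbox code; function names are my own. Two of
the sample lines are copied from the slides, the other two are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Severity keywords as used by 'logging console <level>' / 'logging trap <level>'.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
NAME_TO_LEVEL = {name: level for level, name in SEVERITY_NAMES.items()}

# seq no (optional) : time stamp : %facility-severity-MNEMONIC: description
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s*)?"                                   # optional sequence number
    r"(?P<ts>\*?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s*"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class SyslogMessage:
    seq: Optional[int]
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_line(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None if the line is not in IOS syslog format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def level_value(level) -> int:
    """Accept either a numeric level or an IOS keyword such as 'debugging'."""
    return level if isinstance(level, int) else NAME_TO_LEVEL[level]


def should_log(msg: SyslogMessage, level) -> bool:
    """A destination set to level N receives severities 0..N (lower = more severe)."""
    return msg.severity <= level_value(level)


def route_messages(lines, destinations: dict) -> dict:
    """destinations: name -> level. Returns name -> list of messages delivered there."""
    delivered = {name: [] for name in destinations}
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            continue                      # not a syslog line, e.g. a command echo
        for name, level in destinations.items():
            if should_log(msg, level):
                delivered[name].append(f"{msg.facility}-{msg.severity}-{msg.mnemonic}")
    return delivered


# Sample input: lines 1 and 2 are from the course slides, 3 and 4 are constructed.
SAMPLE_LINES = [
    "*Oct 3 00:44:12.627: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down",
    "*Nov 12 20:29:48.787: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up",
    "000042: *Nov 12 20:30:05.101: %SYS-5-CONFIG_I: Configured from console by admin1 on vty0 (10.0.0.50)",
    "000043: *Nov 12 20:31:17.442: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin1] [Source: 10.0.0.50]",
]

if __name__ == "__main__":
    # Mirrors 'logging console 3' from the example and 'logging trap debugging' from the slides.
    for dest, msgs in route_messages(SAMPLE_LINES, {"console": 3, "syslog server": "debugging"}).items():
        print(f"{dest}: {msgs}")
```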
917
Internal Logging Locations Configuration
918
Logging to an External Syslog Server
You can log to an external Syslog server to centralise event reporting
You will typically set verbose logging to provide detailed troubleshooting
information
R1(config)#logging 10.0.0.100
R1(config)#logging trap debugging
919
External Syslog Server
920
SIEM Security Information and Event Management
921
View Log Buffer and Configuration
R1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns,
xml disabled, filtering disabled)
922
Logging Synchronous
When working in a CLI session, by default any syslog messages will be
printed into the middle of any commands you are currently typing
R1(config)#interface f3/0
R1(config-if)#shutdown
R1(config-if)#do show ip interf
*Nov 12 20:27:00.727: %LINK-5-CHANGED: Interface
FastEthernet3/0, changed state to administratively downace br
923
Logging Synchronous
You can override this with the logging synchronous command
This causes a new line to be printed where you were in the command
R1(config)#line con 0
R1(config-line)#logging synchronous
R1(config-line)#interface f3/0
R1(config-if)#no shutdown
R1(config-if)#do show ip interf
*Nov 12 20:29:48.787: %LINK-3-UPDOWN: Interface FastEthernet3/0, changed state to up
R1(config-if)#do show ip interf
924
Debug and Terminal Monitor
Show and Debug commands can be used to view specific information
over and above the standard Syslog messages
Show output shows a static point in time state
Debug output dynamically updates in real time
Be careful with debug commands in production environments, a large
amount of output can overwhelm the device
Debug output is logged to the console line and buffer by default
Use the R1#terminal monitor command to enable debug output to
the VTY lines
925
Lab
926
Lab
927