CCENT & CCNA Exam Prep

Chapter 1. Standard Internetworking Models 4

Internetwork 4

OSI model 4

TCP/IP model 7

Cisco 3-layer hierarchical model 8

Chapter 2. Physical Layer Networking Concepts 10

Network Media 10

Physical layer devices 11

Chapter 3. Data Link Networking Concepts 13

Ethernet 13

Data Link Layer Devices 14

Chapter 4. General Network Security 16

Network attacks 16

Solutions and preventions 17

Chapter 5. IP At The Network Layer 18

IPv4 and IPv6 18

Network layer devices 19

Chapter 6. Introduction to Cisco Routers and Switches 21

LAN interfaces 21

WAN interfaces 21

Memory components 22

Cisco Internetworking Operating System (IOS) 23

Chapter 7. Foundation of Cisco IOS Operations 24

Router/Switch startup procedure 24

EXEC sessions 25

Chapter 8. Foundation Cisco Configuration 28

Global Configuration 28

Line Configurations 29

Interface configuration 29

More configurations 30

Troubleshooting and Backup Commands 32

Chapter 9. Understanding the Cisco SDM 35

Chapter 10. Introduction to Routing and Routing Protocols 36

Routing table and types of routes 36

Types of routing protocols 37

Chapter 11. Distance Vector Routing Protocols 39

Routing loops, their solutions, and other methods of convergence 39

Distance-vector protocols, RIP 40

Chapter 12. Link-State and Hybrid Routing Protocols 43

Link-State Routing Protocols and OSPF 43

OSPF 43

Area, AS and OSPF topology 43

Configuring OSPF 45

Balanced Hybrid Operations 46

Configure EIGRP 47

Chapter 13. Foundation Switching Operations 49

Switch operation 49

Switch loops 49

Switch Configuration and Troubleshooting 51

Chapter 14. Enhanced Switching Operations 52

PortFast, UplinkFast, and BackboneFast 52

RSTP and PVST 52

Chapter 15. Virtual LAN 54

Chapter 16. Implementing Switch Security 57

Physical and Basic Logical Security 57

Switchport port-security 57

VLAN security 58

Chapter 17. Understanding Wireless Networking 59

IEEE 802.11 standard 60

Chapter 18. Wireless Security and Implementation Considerations 61

Wireless attacks 61

Wireless security: encryption, detection, and authentication 61

Wireless topology 62

Troubleshooting 63

Chapter 19. Using Access Lists 64

Chapter 20. Enabling Internet Connectivity with NAT 67

Types of NAT 67

Configure NAT at ICND1 68

Chapter 21. Command-Line NAT implementation 70

Chapter 22. Wide Area Network Connections 72

WAN options 72

WAN link data encapsulation 73

PPP 74

4 features of LCP 74

PPP configuration and troubleshooting 76

Chapter 23. Frame Relay 77

Chapter 24. Understanding VPN connectivity 82

Chapter 1. Standard Internetworking Models

Internetwork

An internetwork, or internet with a lowercase i, is a large network made up of smaller, interconnected networks. The Internet, with an uppercase I, is the largest internetwork. Examples of internetworks include MANs, WANs, VPNs, etc.

Ethernet is the most pervasive LAN architecture used today; other LAN technologies include FDDI and Token Ring. A LAN may contain switches, bridges, repeaters, or routers to connect to a WAN or MAN.

A WAN is made up of smaller networks connected using routers; the connectivity from router to router is a circuit leased from a telephone or communications company.

A Storage Area Network (SAN) is a subnetwork or network that allows users on a larger network to connect to various data storage devices using clusters of data servers and special channels such as Fibre Channel or SCSI. A SAN can be built using Cisco MDS 9000 series Multilayer SAN switches.

A VPN is a private network that can reach public networks remotely. A VPN uses encryption and security protocols to retain privacy while accessing outside resources. When employed on a network, a VPN enables an end user to create a virtual tunnel to a remote location. For instance, telecommuters use a VPN to log into company networks from home.

OSI model

In the OSI model, every layer communicates with its adjacent layers and with the corresponding layer on another system. The upper layers are the layers of the OSI model that communicate between applications: Application (7), Presentation (6), and Session (5). The lower layers, on the other hand, are concerned with the transportation of data over a physical device: Transport (4), Network (3), Data Link (2), and Physical (1).

Application layer:
• Provides the interface between the host's communication software and other applications
• Evaluates what resources are needed to establish communication and whether they are available
• Synchronizes data between client/server applications
• Manages error control and data integrity between applications
• Provides system-independent processes to a host
• Some protocols supported in this layer: HTTP, HTTPS, FTP, TFTP, SFTP, DNS, NTP, NNTP, SMTP, POP3, IMAP4, SNMP, DHCP, NFS (allows files from different operating systems to be shared), and Telnet (provides terminal emulation to a remote host by creating a virtual terminal).

The Presentation layer is responsible for encryption, decryption, compression, and decompression. Some protocols include: JPEG, ASCII, EBCDIC, TIFF, GIF, PCT, MPEG, MIDI, RTF, QuickTime, etc.

The Session layer is primarily concerned with dialog control, or sessions among devices. It also functions as an intermediary for applications that need to manage sessions. Session layer protocols and their functions:

Network File System (NFS): Accesses remote resources transparently, representing files and directories as if they were local to the user's system. Developed by Sun and used on Unix workstations.
Structured Query Language (SQL): A query language that requests, updates, and manages databases. Developed by IBM, compatible with XML and HTML.
Remote Procedure Call (RPC): Basis for client/server communications. Calls are created on the client and then carried out on the server.
AppleTalk Session Protocol (ASP): Like RPC, but used for AppleTalk client and server services.
X Window: Communicates with remote Unix machines and enables the user to operate the device as if attached locally.
Digital Network Architecture Session Control Protocol (DNA SCP): Proprietary Digital Equipment Corporation Networking (DECnet) protocol, also known as DECnet session.

The Transport layer is responsible for end-to-end connections and data delivery between two hosts. Its main function is to segment and reassemble data so that it travels across the network transparently to the upper layers. Other functions include 1) fault detection, 2) error recovery, and 3) establishing, maintaining and disconnecting virtual circuits.

TCP, UDP and SPX (connection-oriented) operate in this layer. The layer provides reliable data transmission through:
• Acknowledgments: delivered segments are acknowledged to the sender using acknowledgment packets. If they are not acknowledged, the sender retransmits.
• Sequencing: sequence numbers are assigned to data segments so they can be placed in the right order.
• Flow Control: provides buffer controls that prevent packet flooding of the destination host. Buffers store bursts of data for processing once the transmission is complete.

The Network layer is where the packet path, called a route, is determined. Routers and Layer 3 switches operate in this layer, along with IP, IPX, and AppleTalk DDP (Apple's Datagram Delivery Protocol). Two types of packets are used at Layer 3:
• Data Packets contain user data and transport it across the internetwork; supported by the IP and IPX protocols.
• Route Update Packets send updates to neighbor routers about the sender's routing entries; supported by routing protocols such as RIP, EIGRP, and OSPF.

A router at the Network layer follows these steps:
1. The router checks the destination IP address of the incoming packet on its interface.
2. Packets destined for that router are processed, whereas packets destined for another router must be looked up in the routing table.
3. The router determines an exit interface based on the routing table and sends the packet to that interface for framing and forwarding. If there is no route in the routing table, the router drops the packet.
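The three forwarding steps above, as an added worked example that is not part of the original notes: a longest-prefix-match lookup over a constructed routing table, with the "no route, drop" case handled explicitly. The table contents, interface names and the router's own address are assumptions made for the demo.

```python
import ipaddress

# Constructed routing table (demo data, not from any real router): (prefix, exit interface).
# A default route would appear here as "0.0.0.0/0".
ROUTING_TABLE = [
    ("10.1.1.0/24", "FastEthernet0/0"),
    ("10.1.0.0/16", "Serial0/0"),
    ("192.168.5.0/24", "FastEthernet0/1"),
]

ROUTER_ADDRESSES = {"10.1.1.1", "192.168.5.1"}   # constructed: the router's own interface IPs


def build_table(entries):
    """Parse prefixes once and sort longest prefix first, so the first hit is the most specific route."""
    parsed = [(ipaddress.ip_network(prefix), iface) for prefix, iface in entries]
    return sorted(parsed, key=lambda entry: entry[0].prefixlen, reverse=True)


def lookup(table, destination):
    """Step 3's routing-table lookup: return the exit interface, or None when no route covers the destination."""
    addr = ipaddress.ip_address(destination)
    for network, iface in table:
        if addr in network:
            return iface
    return None


def forward(table, router_addresses, destination):
    """Apply the three steps: own address -> process locally; route found -> exit interface; no route -> drop."""
    if destination in router_addresses:            # step 2: the packet is for this router
        return "process locally"
    iface = lookup(table, destination)             # step 3: consult the routing table
    if iface is None:
        return "drop"                              # no route: the router discards the packet
    return f"forward via {iface}"


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for dst in ["10.1.1.25", "10.1.200.7", "192.168.5.9", "172.16.0.1", "10.1.1.1"]:
        print(f"{dst:>14} -> {forward(table, ROUTER_ADDRESSES, dst)}")
```

Because the table is sorted by prefix length, 10.1.1.25 matches the /24 rather than the /16 that also covers it, which is exactly the longest-match rule a router applies.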

The Data Link layer ensures reliable data transfer between the Network and Physical layers using 2 domains:
• Broadcast Domain: a group of nodes that can receive each other's broadcast messages; segmented by routers. (Broadcast MAC address: FFFF FFFF FFFF)
• Collision (Multicast) Domain: a group of nodes that share the same media; segmented by switches. A collision occurs if two nodes attempt a simultaneous transmission. Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is an access method that sends a jam signal to notify the devices that there has been a collision. The devices then halt transmission for a random back-off time.

The Data Link layer contains the MAC and LLC sub-layers, with MAC referring to the physical MAC address on every network device. LLC, on the other hand, is responsible for framing, error control, and flow control. As data passes through the LLC sub-layer, a Source Service Access Point (SSAP) field and a Destination Service Access Point (DSAP) field, each 1 byte long, are added to the 802.3 frame (an Ethernet frame uses a Type field instead). These fields indicate which upper-layer protocol sent, and which will receive, the data. Devices used at the Data Link layer:
• Bridges connect two segments in a single network or two networks together. They forward data in software.
• Switches are multi-port bridges that use Application Specific Integrated Circuit (ASIC) hardware to forward frames. Each port of the switch has dedicated bandwidth.
Note: although both devices create a separate collision domain for each connected device, all the devices connected to either are part of the same broadcast domain. Remember that broadcast domains are segmented at the Network layer by routers.

Layer 1 moves bits between nodes. Electrical, mechanical, procedural, and functional requirements are defined at the Physical layer to assist with the activation, maintenance, and deactivation of physical connectivity between devices. Layer 1 also includes 1) the specification of voltage, wire speed, and cable pin-outs, 2) the capability to receive and transmit a data signal, and 3) the identification of the interface used to set up data terminal equipment (DTE) and data communication equipment (DCE). DCE is typically found at the service provider. DTE services can be accessed with either a modem or a channel service unit/data service unit (CSU/DSU). All Cisco routers are DTE devices by default, but you can make them act as DCE in a lab using the ʻclock rateʼ command. When the router is connected to a CSU/DSU, it may also be configured with the ʻclock rateʼ command, but the command will be ignored.

Cisco routers have a default ʻbandwidthʼ of 1544; ISRs have a default bandwidth of ʻ2000000ʼ.

TCP/IP model

The TCP/IP model was created by the Department of Defense (DoD) for data communication in the event of a disaster. This model has Application, Transport, Internet and Network Access layers. The Application (Process/Application) layer is equivalent to the upper layers of the OSI model.

The Transport, or Host-to-Host, layer includes TCP and UDP. TCP fills in the ʻSequence Numberʼ, ʻAcknowledgement Numberʼ, and ʻWindowʼ fields to ensure reliability, and implements Positive Acknowledgement and Retransmission (PAR):
• The source device starts a timer when a segment is sent and retransmits if the timer runs out before an acknowledgment is received.
• The source device keeps track of the segments that are sent and requires an acknowledgment for each segment.
• The destination device acknowledges a received segment by sending a packet to the source indicating the next sequence number it expects from the source.

Windowing is a method of traffic congestion control in which a window, determined by the receiving system, limits the number of data segments (bytes) the source device can send without an acknowledgment from the recipient. Window sizes vary and can change throughout the duration of a connection. Increasing the window size allows more data segments to be transmitted to the recipient before an acknowledgment is required.

When using TCP, a connection-oriented communication session is established using call setup, or the three-way handshake, which involves:
1) A “connection agreement” segment (SYN packet) is sent to the recipient asking to synchronize systems.
2) The second and third segments acknowledge the request for a 2-way connection and determine the rules of engagement. Sequencing synchronization is requested of the receiving device. This step is associated with the term SYN-ACK packet.
3) A final segment (ACK packet) is sent as an acknowledgment that the rules have been accepted and a connection has been formed.
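Added example, not part of the original notes, tying together the PAR, windowing and three-way-handshake paragraphs above: a toy sender and receiver in which the receiver always acknowledges with the next sequence number it expects, a segment lost in transit expires the sender's timer and is retransmitted, and a larger window finishes the transfer in fewer acknowledgment rounds. The initial sequence number, window and MSS values are constructed for the demo, and segment loss is injected deliberately rather than coming from a real network.

```python
class Receiver:
    """Reassembles in-order data; every ACK carries the NEXT sequence number expected."""

    def __init__(self, initial_seq):
        self.expected = initial_seq
        self.data = bytearray()

    def receive(self, seq, payload):
        if seq == self.expected:            # in-order segment: accept it and advance
            self.data += payload
            self.expected += len(payload)
        # out-of-order or duplicate: re-acknowledge what is still expected (cumulative ACK)
        return self.expected


def three_way_handshake(client_isn, server_isn):
    """The three call-setup segments as (sender, flags, seq, ack) tuples."""
    syn     = ("client", "SYN",     client_isn,     None)            # ask to synchronize
    syn_ack = ("server", "SYN-ACK", server_isn,     client_isn + 1)  # ack the SYN, propose own sequencing
    ack     = ("client", "ACK",     client_isn + 1, server_isn + 1)  # rules accepted, connection formed
    return [syn, syn_ack, ack]


def transfer(payload, window, mss, drop_first_attempt=(), isn=1000):
    """Send payload in MSS-sized segments, never exceeding `window` unacknowledged bytes.
    Offsets listed in drop_first_attempt are lost the first time they are sent, so the
    sender's timer expires and it retransmits (Positive Acknowledgement and Retransmission).
    Returns (bytes received in order, log with one entry per ACK/timeout round)."""
    rx = Receiver(isn)
    segments = [(isn + off, payload[off:off + mss]) for off in range(0, len(payload), mss)]
    lose_once = {isn + off for off in drop_first_attempt}
    base, log = 0, []                        # base = index of the oldest unacknowledged segment
    while base < len(segments):
        # fill the window, starting from the oldest unacknowledged segment (at least one segment)
        in_flight, sent = [], 0
        for seq, data in segments[base:]:
            if in_flight and sent + len(data) > window:
                break
            in_flight.append((seq, data))
            sent += len(data)
        ack = rx.expected
        for seq, data in in_flight:
            if seq in lose_once:
                lose_once.discard(seq)           # constructed loss: dropped this one time only
                log.append(f"seq {seq} lost in transit")
                continue
            ack = rx.receive(seq, data)
        # any in-flight segment not covered by the cumulative ACK is still on the sender's timer
        unacked = [seq for seq, data in in_flight if seq + len(data) > ack]
        if unacked:
            log.append(f"ack {ack}: timer expired for seq {unacked[0]}, retransmitting")
        else:
            log.append(f"ack {ack}: window fully acknowledged")
        while base < len(segments) and segments[base][0] + len(segments[base][1]) <= ack:
            base += 1                            # slide the window past acknowledged segments
    return bytes(rx.data), log


if __name__ == "__main__":
    for step in three_way_handshake(client_isn=100, server_isn=5000):
        print(step)
    data, log = transfer(b"ABCDEFGHIJ", window=8, mss=4, drop_first_attempt=(4,))
    print(data, *log, sep="\n")
```

With a window of 4 bytes the ten-byte payload needs three acknowledgment rounds; with a window of 8 it needs two, which is the effect the windowing paragraph describes. The receiver discards out-of-order data, so a lost segment is recovered by resending from the oldest unacknowledged one (go-back-N); a real TCP would usually buffer the later segments and use selective acknowledgment, but the timer-and-retransmit principle is the same.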

Both TCP and UDP use port numbers to identify their application. Public applications are assigned port numbers below 256. Numbers 256-1023 are allocated to companies. Numbers above 1023 are dynamically assigned by an application. Access lists can use port numbers to filter traffic. Common TCP ports: FTP (20, 21), Telnet (23), SMTP (25), DNS (53), HTTP (80), POP3 (110), NNTP (119), HTTPS (443).

UDP is connectionless and its header has only ʻSource Portʼ, ʻDestination Portʼ, ʻLengthʼ, and ʻChecksumʼ fields. Some of its port numbers: DNS (53), DHCP (67, 68), TFTP (69), NTP (123), SNMP (161).

The Internet layer is where IP, ICMP, ARP (Layers 2 and 3), RARP, and Proxy ARP operate. IP locates a device with logical or virtual addressing allocated by the Internet Assigned Numbers Authority (IANA).
• ICMP is used by the ʻpingʼ and ʻtracerouteʼ utilities to send echo requests. The Layer 3 protocol does not have to be IP; you can check which are available with ʻping ?ʼ. To find a device's network address other than its IP address, use ʻshow cdp entry * protocolʼ. Traceroute can do the same.
• The Address Resolution Protocol (ARP) maps a known IP address to a MAC address. To find a MAC address on the same subnet, send an ARP request in the broadcast domain; if the device is present, it replies with its MAC address. Gratuitous ARP sends an ARP broadcast for the sender's own IP address so that every host knows it is alive.
• Reverse Address Resolution Protocol (RARP) maps a MAC address to an IP address.
• Proxy Address Resolution Protocol (Proxy ARP) can be used when device A is looking for device B, assuming device B is on the same subnet as it is. In reality, device B is not physically present on the subnet, but device C (usually a router) knows how to reach device B. Thus, when the ARP request for device B is broadcast, device C answers with its own MAC address. Some Unix machines (especially Solaris) rely on Proxy ARP rather than default gateways.
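As an added illustration of the ARP behaviour described above (example code written for this page, not part of the original notes), the following simulates one broadcast domain with two hosts and a router: an ordinary ARP request and reply, a cache hit on the second lookup, a gratuitous ARP that refreshes the neighbours' caches, and Proxy ARP, where the router answers for an off-segment host with its own MAC address. The topology, addresses and class names are constructed assumptions.

```python
class Node:
    """A host in one broadcast domain: owns an IP/MAC pair and keeps an ARP cache."""

    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp_cache = {}

    def on_arp(self, frame):
        # Every node that sees an ARP frame learns the sender's mapping; this is what
        # makes a gratuitous ARP announcement effective.
        self.arp_cache[frame["sender_ip"]] = frame["sender_mac"]
        if frame["op"] == "request" and frame["target_ip"] == self.ip:
            return self.reply(self.ip, frame)          # ordinary ARP: answer for our own IP
        return None

    def reply(self, for_ip, request):
        return {"op": "reply", "sender_ip": for_ip, "sender_mac": self.mac,
                "target_ip": request["sender_ip"], "target_mac": request["sender_mac"]}


class Router(Node):
    """A router with Proxy ARP enabled answers for hosts it can reach on other subnets."""

    def __init__(self, name, ip, mac, proxied_ips):
        super().__init__(name, ip, mac)
        self.proxied_ips = set(proxied_ips)

    def on_arp(self, frame):
        reply = super().on_arp(frame)
        if reply is None and frame["op"] == "request" and frame["target_ip"] in self.proxied_ips:
            reply = self.reply(frame["target_ip"], frame)  # Proxy ARP: claims B's IP with its OWN MAC
        return reply


class BroadcastDomain:
    def __init__(self, *nodes):
        self.nodes = list(nodes)

    def broadcast(self, sender, frame):
        """Flood the frame to every node except the sender; return (responder, reply) pairs."""
        replies = []
        for node in self.nodes:
            if node is sender:
                continue
            reply = node.on_arp(frame)
            if reply:
                replies.append((node, reply))
        return replies


def resolve(host, domain, target_ip):
    """ARP resolution as the text describes it: use the cache, otherwise broadcast a request."""
    if target_ip in host.arp_cache:
        return host.arp_cache[target_ip], "cache"
    request = {"op": "request", "sender_ip": host.ip, "sender_mac": host.mac, "target_ip": target_ip}
    replies = domain.broadcast(host, request)
    if not replies:
        return None, "no reply"
    responder, reply = replies[0]
    host.arp_cache[target_ip] = reply["sender_mac"]
    how = "direct" if responder.ip == target_ip else f"proxied by {responder.name}"
    return reply["sender_mac"], how


def gratuitous_arp(host, domain):
    """Announce our own IP->MAC so every node on the segment refreshes its cache entry."""
    domain.broadcast(host, {"op": "request", "sender_ip": host.ip,
                            "sender_mac": host.mac, "target_ip": host.ip})


# Constructed topology: A and B share a segment with router R1; D (10.0.1.50) lives behind R1.
A = Node("A", "10.0.0.1", "00:00:00:00:00:0a")
B = Node("B", "10.0.0.2", "00:00:00:00:00:0b")
R1 = Router("R1", "10.0.0.254", "00:00:00:00:00:fe", proxied_ips={"10.0.1.50"})
LAN = BroadcastDomain(A, B, R1)

if __name__ == "__main__":
    print("B   ->", resolve(A, LAN, "10.0.0.2"))    # direct reply from B
    print("D   ->", resolve(A, LAN, "10.0.1.50"))   # R1 answers with its own MAC
    print("B   ->", resolve(A, LAN, "10.0.0.2"))    # served from A's cache
```

Note what A ends up believing after the proxied lookup: its cache maps D's IP address to R1's MAC address, so frames for D are delivered to the router, which forwards them. That is also why Proxy ARP is worth monitoring on a real segment: any node that answers requests for addresses it does not own redirects traffic the same way, and an unexpected reply of this kind in a packet capture deserves a look.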

Network Interface layer manages hardware addressing and physical data transfer.

Cisco 3-layer hierarchical model

This model is most effective when you plan to implement a small- to moderate-sized network, which is sub-grouped into the access, distribution, and core layers.

Access, or desktop layer, is where end users and Layer 2 switches are located. Virtual LAN (VLAN) workgroups are defined by virtual access lists or filter lists to allow for a continuation of the policies implemented at the Distribution layer. Users may access locally available resources at this level or they may be directed to the Distribution layer to access remotely available resources.

The Distribution, or workgroup, layer implements various policies to provide network management and security. This layer performs 1) determining the best path for a packet (routing), 2) routing between VLANs, 3) filtering, NAT, QoS, etc., 4) WAN access, 5) defining broadcast and multicast domains, and 6) translating between different types of media. Policies implemented in this layer should not occur at the Core layer.

The Core layer is the foundation of the network; Cisco Catalyst 6500 or 7000 series devices operate here. This layer is concerned with speed and ensures reliable delivery of packets.

Cisco also has the Enterprise Composite Network Model (ECNM) for larger-scale network implementations.

Chapter 2. Physical Layer Networking Concepts

Topology can be defined as either the physical or logical layout of a network. Physical topology consists of the cables, workstations, and other peripheral devices. A logical topology refers to how the network actually communicates.

Bus, or linear bus, network topology refers to the design in which network devices are connected to one single cable, called the trunk or backbone, using T-connectors. Electrical signals are sent from one end of the cable to the other, and all connected devices receive that electrical signal transmission (so data is not secure). Both ends of the cable require a terminator to stop the electrical signal from echoing back down the cable. This topology is easy to implement and generally low in cost. However, it has no redundancy, meaning a cable break causes the entire network to go down.

A ring network topology is set up so that one device is directly connected to two other devices on the same network. When a device emits a data signal transmission, the transmission is sent in a single direction to the next connected device. Dual ring may be implemented to provide redundancy.

Star network topology is the most popular today; all network devices are connected to a central device. If the central device is a hub, a logical bus is created; this logical topology is also known as hub-and-spoke.

Mesh, or partial mesh network topology is designed to provide redundancy; itʼs usually more expensive than other topologies.

Network Media

Crosstalk is an electrical or magnetic field originating from one communications signal that can affect the signal in a nearby circuit. There are Near-End crosstalk (NEXT) and Far-End crosstalk (FEXT). NEXT is crosstalk measured at the transmitting end of a cable. FEXT is crosstalk measured at the far end of the cable from where the transmission was sent. Note: when talking about network speed, bandwidth refers to the speed of an analog communication, while in a digital environment it is the data rate. When talking about bandwidth along with throughput, bandwidth refers to the ideal rate at which data can transfer, while throughput is the actual rate at which data travels. If each signal event represents exactly one bit, then baud rate = data rate. Otherwise, data rate = (bits per signal event) × baud rate.

Coaxial cable consists of a single copper wire surrounded by a plastic insulation cover and a braided copper shield. Types:
Thin coax, or thinnet: < 185 m, .25 inches in diameter, BNC connectors, 10Base2
Thick coax, or thicknet: < 500 m, AUI adapters, vampire taps, 10Base5

Twisted pair cabling includes UTP and STP, where STP has an additional shield.

UTP: < 100 m, susceptible to EMI and crosstalk, 8 wires twisted into 4 pairs, RJ-45 connectors. Categories:
★ CAT 1 is used for telephony purposes
★ CAT 2 can handle data up to 4 Mbps
★ CAT 3 has a bandwidth of 10 Mbps
★ CAT 4 speeds up to 16 Mbps, designed for use with Token Ring
★ CAT 5 speeds up to 100 Mbps, the most popular choice today
★ CAT 5e has a bandwidth of 1 Gbps for Gigabit Ethernet networks
★ CAT 6 has speeds exceeding 1 Gbps
A pinout describes the purpose of each pin in a connector. A straight-through cable uses 4 wires, located on pins 1, 2, 3, and 6. A crossover cable also uses these 4 wires on pins 1, 2, 3, and 6, but pins 1 and 3 are exchanged, as are pins 2 and 6. This cable is used to connect like devices. A rollover, rolled, or console cable uses 8 wires to connect a host's serial communications (COM) port to a router's console port. This cable is usually coated light blue.

Fiber optic, or optical, cabling can be either multimode (MM) or single-mode (SM) and uses SC, ST, or MT-RJ connectors; the fiber can be made of plastic or glass.
★ Multimode (MM) is generally used for shorter distances and is ideal for a campus-sized network. MM also has a larger optical fiber diameter than SM fiber.
★ Single-mode (SM) is used to span longer distances. SM also allows for a higher data rate than MM and faster data transmission speeds.

Wireless LANs are networks that use Radio Frequency (RF) to transfer data; these include Wireless Fidelity (Wi-Fi), Infrared, and Bluetooth. Spread spectrum WLANs determine how data traverses the RF media. There are 2 types of spread spectrum: Direct Sequence Spread Spectrum (DSSS) and Frequency-Hopping Spread Spectrum (FHSS).

Standard, RF range, speed, and transmission range:
802.11a: 5 GHz, < 54 Mbps, transmission range lower than g
802.11b: 2.4 GHz, < 11 Mbps, transmission range greater than a and g
802.11g: 2.4 GHz, < 54 Mbps, transmission range lower than b

Infrared is used in short-distance applications and transmits at less than 16 Mbps; it is easily refracted or reflected. Bluetooth, on the other hand, uses the 2.4 GHz range at 720 Kbps per channel with a 10 m range. It has 2 power levels for different distance needs.

Physical layer devices

Repeaters are transceivers that amplify a message when they receive one; they are outdated. A hub can be defined as a multiple-port repeater. A hub consists of 2 to 24 ports and may be called a workgroup hub. There are active and passive hubs. Active hubs have a separate power supply to assist with the gain (increase) of a signal before it is forwarded out all connected ports. A power signal increased by a factor of 10 would indicate a gain of 10. Passive hubs do not regenerate the incoming signal.

A switch creates a separate collision domain for each network segment, therefore increasing the number of collision domains.

A Network Interface Card (NIC) provides connectivity to the network and reports its status.

Chapter 3. Data Link Networking Concepts

Token Ring technology is defined in IEEE 802.5 and uses a token-passing media access method to create a logical ring topology over a physical star or ring. With token passing, a three-byte token (a special bit pattern) is inserted in a frame and passed in a single direction from one node to another until it completes the loop. The node that holds the token is the only one that can send data at any given time on that LAN. Because only one node can send at a time, collisions are avoided. Token Ring runs at 4 or 16 Mbps, has high overhead and is more expensive than Ethernet.

The MAU has Ring In (RI) and Ring Out (RO) ports. The RO of the first MAU is connected to the RI of the next MAU. This continues until the final MAU, which connects back to the first MAU RI port via its own RO port.

FDDI implements token ring technology on a dual ring. The protocol was created by the American National Standards Institute (ANSI) under the ANSI X3T9.5 specification. It uses fiber optic cables, runs at 100 Mbps, and is currently used as a backbone technology. Failures are detected by beaconing: each device signals every device it can reach, and as the beacon travels around the loop, if it stops at some point for an extended period, this indicates a break in the network.

Copper Distributed Data Interface (CDDI) is a 100 Mbps token-passing protocol that runs over copper wire rather than fiber-optic cable.

Ethernet

Ethernet is the most popular networking technology in today's world. It was started in the 1970s by Xerox, Digital Equipment Corp (DEC) and Intel, and was called DIX Ethernet. It is defined in IEEE 802.3 and further divided into Fast Ethernet (100 Mbps), Gigabit Ethernet (1000 Mbps/1 Gbps), 10 Gigabit Ethernet (10 Gbps), and Long Reach Ethernet.

Ethernet directs data to devices based on their MAC addresses. All addressing used in an Ethernet LAN is either individual (unicast) or group (multicast and broadcast). An individual address identifies the MAC address of an individual LAN interface or NIC. Group addresses can be:
✴ Multicast addresses, which always begin with 0100.5E in the MAC address
✴ Broadcast packets, which are sent to all devices on the LAN segment and have the address value FFFF.FFFF.FFFF

Framing is the process of interpreting data that is either received or sent out across the network. A frame can be broken down into 3 sections:
✴ The Data Link header portion of the frame contains the destination MAC address (6 bytes), source MAC address (6 bytes), and data length (2 bytes).
✴ The Logical Link Control portion of the frame contains the Destination Service Access Point (DSAP), Source Service Access Point (SSAP), and control information. All three are 1 byte long. The Service Access Point (SAP) identifies an upper-layer protocol. As more and more protocols became available, the identifier needed more space, which is located in the Subnetwork Access Protocol (SNAP) header.
✴ The data field can be anywhere from 43 to 1497 bytes long. The Data Link trailer, also known as the data and cyclical redundancy check (CRC) portion, contains the FCS (frame check sequence, 4 bytes) and CRC to provide error detection.
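Added example (not from the original notes) of the frame sections just described, together with the unicast/multicast/broadcast addressing from the previous paragraph: it builds constructed frames with a valid trailer, parses header, data field and FCS, classifies the destination address (broadcast, the 0100.5E multicast prefix, or unicast), tells an 802.3 length field from an Ethernet II type value, and verifies the CRC-32 so that a single flipped bit is detected. The little-endian byte layout of the FCS and the sample MAC addresses are assumptions of the example.

```python
import struct
import zlib

BROADCAST_MAC = bytes.fromhex("ffffffffffff")
IPV4_MULTICAST_PREFIX = bytes.fromhex("01005e")      # the 0100.5E prefix from the text


def classify_mac(mac: bytes) -> str:
    """Individual (unicast) versus group (multicast/broadcast) addressing."""
    if mac == BROADCAST_MAC:
        return "broadcast"
    if mac[:3] == IPV4_MULTICAST_PREFIX:
        return "multicast"
    if mac[0] & 0x01:                    # low bit of the first byte is the individual/group bit
        return "group (other multicast)"
    return "unicast"


def fmt_mac(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def fcs_for(body: bytes) -> bytes:
    """CRC-32 over destination MAC through the end of the data field.
    Assumption of this example: the 4 FCS bytes are laid out little-endian, as packet
    analyzers display them; zlib's CRC-32 is the polynomial Ethernet uses."""
    return struct.pack("<I", zlib.crc32(body))


def build_frame(dst: bytes, src: bytes, length_or_type: int, payload: bytes) -> bytes:
    """Constructed helper so the example runs offline: header + data + a correct FCS."""
    body = struct.pack("!6s6sH", dst, src, length_or_type) + payload
    return body + fcs_for(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into header, data field and trailer, and verify the trailer."""
    if len(frame) < 14 + 4:
        raise ValueError("frame too short for a 14-byte header and 4-byte FCS")
    dst, src, length_or_type = struct.unpack("!6s6sH", frame[:14])
    body, fcs = frame[:-4], frame[-4:]
    payload = body[14:]
    # Values up to 1500 are an 802.3 length (LLC/SNAP follows); larger values are an
    # Ethernet II Type such as 0x0800 for IPv4 or 0x0806 for ARP.
    field_kind = "802.3 length" if length_or_type <= 1500 else "Ethernet II type"
    return {
        "dst": fmt_mac(dst), "dst_kind": classify_mac(dst),
        "src": fmt_mac(src), "src_kind": classify_mac(src),
        "length_or_type": length_or_type, "field_kind": field_kind,
        "payload_len": len(payload),
        "fcs_ok": fcs_for(body) == fcs,   # any single flipped bit anywhere fails this check
    }


def demo_frames():
    """Constructed samples: an Ethernet II broadcast, an 802.3 frame with a SNAP header, and a damaged copy."""
    host_a = bytes.fromhex("00aabbccdd01")
    host_b = bytes.fromhex("00aabbccdd02")
    eth2 = build_frame(BROADCAST_MAC, host_a, 0x0806, b"\x00" * 46)            # Type = ARP
    llc = build_frame(host_b, host_a, 46, b"\xaa\xaa\x03" + b"\x00" * 43)      # Length = 46; DSAP/SSAP/control
    damaged = bytearray(eth2)
    damaged[20] ^= 0x01                                                        # flip one bit in the data field
    return parse_frame(eth2), parse_frame(llc), parse_frame(bytes(damaged))


if __name__ == "__main__":
    for record in demo_frames():
        print(record)
```

In the 802.3 sample the two-byte field equals the payload length (46), while in the Ethernet II sample it holds a type value above 1500; that is the same distinction the text makes between the 802.3 length field and the Ethernet Type field. A receiver that sees `fcs_ok` false discards the frame rather than guessing at the damage.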

10Base2 uses RG-58 coaxial cable with BNC connectors. It uses no connectivity devices; other 10Base standards that use a hub must have CSMA/CD enabled. 10Base5 also uses coaxial cable and no connectivity devices.

10BaseT has a maximum length of 100 m and is used with CAT 3, 4, or 5 UTP or STP cables.

10BaseFL uses fiber optic cable (with SC or ST connectors) and has a maximum length of 2 km.

Fast Ethernet, or 100Base-X, is defined in 802.3u and includes:
✴ 100BaseTX is used with CAT 5 UTP or STP at up to 100 meters.
✴ 100BaseT4 can use CAT 3, 4, or 5 UTP or STP cable at a maximum distance of 100 m.
✴ 100BaseFX is used over fiber optic media with SC or ST connectors, with a distance range from 412 m to 10,000 m.

Gigabit Ethernet refers to the combination of standards in IEEE 802.3ab and 802.3z. 802.3ab covers 1000Base-T and 1000Base-TX, which use UTP above CAT 5 at a maximum distance of 75 m. 802.3z covers the Gigabit standards that do not use UTP:
✴ 1000Base-CX uses STP with a 9-pin shielded connector and a 25 m range.
✴ 1000Base-LX transmits using a long-wavelength laser, over both SM and MM fiber (both 50 and 62.5 micron can be used). Half-duplex has a range of 316 m and full-duplex a range of 5 km.
✴ 1000Base-SX transmits using a short-wavelength laser, over MM fiber only, in both 50 and 62.5 micron diameters: half-duplex, 62.5-micron, 275 m; half-duplex, 50-micron, 316 m; full-duplex, 62.5-micron, 275 m; full-duplex, 50-micron, 550 m.

802.3ae, or 10 Gigabit Ethernet(10GbE), uses fiber-optic cable to reach the staggering speed of 10,000 Mbps.

Cisco Long Reach Ethernet (LRE) was developed to provide broadband service over existing telephone-grade or Category 1, 2, or 3 wiring. Speeds vary between 5 - 15 Mbps and can reach a maximum segment length of up to 5000 m.

Data Link Layer Devices

Devices at this layer logically segment the network and create new collision domains, which are groups of nodes that share the same media and are segmented by switches or bridges. Switches and bridges:
✴ Learn all the MAC addresses in their segment from the source addresses of the frames that devices send
✴ Eliminate loops caused by redundant connections using STP

Transparent bridges are not known to other network devices. If the frameʼs destination MAC address is on a different segment of that LAN, the device forwards the frame to that segment. If the frameʼs destination MAC address is on the same segment as the source MAC address, the device filters the frame. That frame reaches its destination without the assistance of a bridge or switch.

Layer 2 switches are multi-port bridges. Switches use ASIC hardware chips to forward frames. Also, each port of the switch has dedicated bandwidth. A popular Ethernet switch port is the 10/100 Ethernet port, which can be set to pass traffic at 10 Mbps or 100 Mbps.

Hubs are set to half-duplex by default and have a higher overhead than Layer 2 devices. Collisions on a half-duplex segment may consume as much as 50 - 60% of the bandwidth. Full-duplex is available on dedicated switch port connections to a single device. If a switch port connection is configured for full-duplex, the CSMA/CD algorithm must be disabled. An Ethernet connection set for full-duplex allows 100% transmission speed in both directions.

Microsegmentation occurs when a switch creates a dedicated path for sending and receiving transmissions with each connected host. Each host then has a separate collision domain and a dedicated bandwidth.

Chapter 4. General Network Security

Network attacks

In today's networks, attacks are everywhere. There are generally 3 classes of attacks: 1) access attacks, 2) reconnaissance attacks, and 3) Denial of Service (DoS) attacks.

Access attacks are attempts to access another user's account or a network device through improper means or by bypassing the authentication process. They include 1) password attacks, 2) trust exploitation, 3) port redirection, and 4) man-in-the-middle attacks.

An alternative to using passwords is Terminal Access Controller Access Control System (TACACS) or Remote Authentication Dial-In User Service (RADIUS).

Trust exploitation can occur through 1) reliance on the trust a client has in a server, or 2) reliance on the trust the server has in the client. Because of these trust relationships, if the client or server is compromised, all information in the network is compromised as well.

Port redirection is a form of trust exploitation in which the untrustworthy source uses a machine with access to the internal network to pass traffic through a port on the firewall or access control list (ACL). The port in question normally denies traffic, but with redirection the attacker can bypass the security measures and open a tunnel for communication.

A man-in-the-middle attack happens when the attacker sits between the 2 communicating hosts and intercepts the messages during the session. The attacker can also alter the data to do further damage.

Reconnaissance attacks are used to gather network information for a future attack. There are 1) packet sniffers (also known as network monitors), 2) ping sweeps, 3) port scanners, and 4) information queries.

Packet sniffer, network analyzer, packet analyzer, and Ethernet sniffer are all names for a software program (or a piece of hardware with software installed on it) that captures traffic sent over the network, which is then decoded and analyzed by the sniffer. Monitoring software, such as Wireshark, can be installed to prevent this.

Ping sweeps send an echo request to numerous host IP addresses at the same time to see which hosts respond with an echo reply.

A port scanner is a software program that surveys hosts on a network for open ports. The program can be used by an administrator or by an attacker, depending on their purpose.

Information queries can be done with utilities like ʻnslookupʼ, which sends requests via the Internet to resolve hostnames to IP addresses or vice versa.

DoS attacks are launched to deny services that are normally available to clients. Three forms are 1) the distributed DoS (DDoS) attack, 2) the TCP SYN attack, and 3) the smurf attack.

A DDoS attack is performed by compromising client systems and using them to send a DoS attack to the target; these systems are known as zombies or slaves.

TCP SYN attacks flood a device with SYN requests from a nonexistent address until the device's connection table fills up and it stops responding. TCP intercept can be configured on a router to block a TCP SYN attack; it enables the router to terminate any sessions that have not been established within an allotted time frame.

With a smurf attack, multiple broadcast ping requests are sent to a single target from a spoofed IP address. Adding the 'no ip directed-broadcast' command to a router might help mitigate a potential smurf attack.
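The two router-side mitigations named above (TCP intercept against SYN floods, 'no ip directed-broadcast' against smurf) written out as one IOS configuration fragment. This is an added example, not from the original document; the 192.168.1.0/24 LAN, ACL number 101, the interface name and the thresholds are constructed values.

```cisco
! Added example (not from the original document): router-side mitigations
! for the TCP SYN and smurf attacks described in the text.
! Constructed values: 192.168.1.0/24 is the protected LAN, ACL 101.
!
! --- TCP SYN flood: TCP intercept in watch mode ---
! Only TCP connections destined for the protected LAN are watched.
access-list 101 permit tcp any 192.168.1.0 0.0.0.255
ip tcp intercept list 101
! Watch mode lets the handshake proceed, but the router resets any
! connection that is not fully established within the watch timeout
! (default 30 seconds); this matches the behaviour the text describes.
ip tcp intercept mode watch
ip tcp intercept watch-timeout 15
! Aggressive mode: above the high mark the router drops the oldest
! half-open connections until it is back under the low mark.
ip tcp intercept max-incomplete high 1100
ip tcp intercept max-incomplete low 900
ip tcp intercept one-minute high 1100
ip tcp intercept one-minute low 900
ip tcp intercept drop-mode oldest
!
! --- Smurf: refuse to forward directed broadcasts onto the LAN ---
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
! Verification from privileged EXEC:
!   show tcp intercept connections
!   show tcp intercept statistics
!   show ip interface FastEthernet0/0 | include Directed broadcast
```

Since IOS 12.0 directed-broadcast forwarding is already disabled by default, so on current images the 'no ip directed-broadcast' line is a confirmation rather than a change.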

Solutions and preventions

AAA, or triple A, is a group of 3 services that are used to increase network security.
✤ Authentication: Identifies a user by login and password.
✤ Authorization: Determines what a user is allowed to do.
✤ Accounting: Assembles and sends usage information (such as logging).
Note: AAA works in conjunction with TACACS or RADIUS to log network activities.
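The three AAA services wired to a TACACS+ server with the local user database as fallback, as an added example that is not part of the original text; the server address 10.0.0.5, the shared key and the account name are constructed placeholders.

```cisco
! Added example (not from the original document): AAA on a Cisco IOS device
! backed by a TACACS+ server, falling back to local users when the server
! is unreachable. 10.0.0.5, the key and the account are constructed.
aaa new-model
!
! Local fallback account: keep at least one so an unreachable server
! cannot lock administrators out of the device.
username netadmin secret <LOCAL-PASSWORD>
!
tacacs-server host 10.0.0.5
tacacs-server key <SHARED-SECRET>
!
! Authentication: identify the user (TACACS+ first, then local database)
aaa authentication login default group tacacs+ local
! Privileged EXEC password checked on the server, 'enable secret' as fallback
aaa authentication enable default group tacacs+ enable
!
! Authorization: decide what the authenticated user may do
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: send session start/stop and level-15 command records
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! With 'aaa new-model' the per-line 'login'/'password' checks are replaced
! by the AAA method lists; apply the default list to the management lines.
line console 0
 login authentication default
line vty 0 4
 login authentication default
!
! Verification from privileged EXEC:
!   show tacacs
!   debug aaa authentication   (use briefly; debugging is costly)
```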

An Access Control List (ACL) is a list of permit and deny entries for addresses that can block these attacks: IP spoofing, TCP SYN attacks, smurf attacks, and ICMP and traceroute probes.

Protocols such as SSH, SNMP, syslog, and NTP can be used to provide further security. SSH provides strong authentication and encryption (UDP port 22) to secure communications between an SSH client and an SSH server. SNMP is a management protocol that monitors the network and collects statistics to analyze network performance and help ensure network security. It's best to use SNMP version 3, which provides cryptographic authentication and encryption of management traffic. SNMP uses UDP port 161 for connectivity. With syslog, log messages are collected from the Cisco device and sent to a syslog server to keep a record of any network occurrences. For syslog to work properly, NTP must be configured so that message timestamps are accurate. Each logged message has an associated severity level, ranging from 0 to 7 (0 = emergency). Syslog uses UDP port 514 for connectivity.

Encryption protocols should be used to prevent easy access to sensitive data. These include SSH, IPsec (layer 3), and SSL (security for layer 7, which uses asymmetric encryption and certificates to exchange a session key that then encrypts the data with a block cipher).

Security systems such as firewalls, IPS, and IDS can be implemented to reduce risk.


Chapter 5. IP At The Network Layer

The network layer 1) determines the fastest path to send a packet based on its destination address, and 2) handles ICMP, ARP, and proxy ARP requests.

IPv4 and IPv6

IPv4 is the current version of IP address in use; it has a network ID of 0.0.0.0 and a broadcast IP address of 255.255.255.255.
Class A has a first octet from 1-126, with 126 networks and 16,777,214 hosts.
Class B has a first octet from 128-191, with 16,382 networks and 65,534 hosts.
Class C has a first octet from 192-223, with 2,097,150 networks and 254 hosts.
Class D is for multicast (224-239), and class E is for research purposes (240-255).

When calculating the total number of class A, B, or C hosts available, you subtract 2 from the total because one address is used as the network ID and another as the broadcast IP. The network, or subnet, ID is the IP address with all host bits turned off (0); it represents the network. The broadcast IP is the address to which a message is sent to reach all devices on the network.

To slow the exhaustion of IP addresses, RFC 1918 private addressing, NAT, and PAT are used. RFC 1918 defines the private IP address space. PAT is usually used once the NAT address pool is exhausted.

Variable-length subnet masking (VLSM) is subnetting within a subnet; it simply makes IP address allocation more manageable. The CIDR notation (/8, /16, etc.) indicates the number of bits used for the network and subnet portion.

Binary    Dec.  Subnets  CIDR  Host-C  CIDR  Host-B   CIDR  Host-A
10000000  128   2        /25   128-2   /17   512-2    /9    131072-2
11000000  192   4        /26   64-2    /18   1024-2   /10   262144-2
11100000  224   8        /27   32-2    /19   2048-2   /11   524288-2
11110000  240   16       /28   16-2    /20   4096-2   /12   1048576-2
11111000  248   32       /29   8-2     /21   8192-2   /13   2097152-2
11111100  252   64       /30   4-2     /22   16384-2  /14   4194304-2
11111110  254   128      /31   2-2     /23   32768-2  /15   8388608-2

In a packet, the subnet mask is not present.

IPv6 has 3 types of addresses: unicast, multicast, and anycast. Anycast can be described as one-to-closest communication. With anycast, you assign the same IP address to multiple devices, so when a packet is destined for this IP address, the path to the closest destination device is chosen. There are also 4 kinds of addresses by scope: link-local, unique/site-local, global, and multicast.

Link-local addresses start with FE80. The local identifier is 64 bits long and consists of the device's MAC address with FFFE inserted in the middle. If the MAC address is 0017:C101:DCF6, the local identifier is 0017:C1FF:FE01:DCF6.

Unique/site-local addresses are defined in RFC 3513 and RFC 4193; they are private addresses. The first 7 bits are 1111 110, so depending on the eighth bit a private address starts with FC or FD.

A global address has a global routing prefix (48 bits or less) whose first 3 bits are 001. The subnet ID is made up of the remaining bits after the prefix. Addresses of this type start with 2001 and have a /16 prefix. Remember that the interface ID, or local identifier, makes up the last 64 bits of the address.

A multicast address has FF as its first 8 bits. The next 4 bits are flag bits, each with its own meaning, which can be remembered with the abbreviation 0RPT:
0 indicates an unassigned bit.
R indicates whether a rendezvous point is embedded in the address.
P indicates whether the address is based on a unicast prefix.
T is 0 for a permanently assigned address, or 1 if not.
The scope field indicates how far the multicast address will travel. It is one of the following seven hexadecimal digits:
1 = Interface, 2 = Link, 3 = Subnet, 4 = Admin, 5 = Site, 8 = Organization, E = Global

IPv6 works with DHCPv6, a stateful protocol: a dedicated server maintains a table of the information that was handed out. IPv6 also supports stateless auto-configuration, which means a dedicated server is no longer required.

IPv6 and IPv4 can be integrated with dual-stack, tunneling, or translation. Dual-stack can run 1) IPv4-only when IPv6 is disabled, 2) IPv6-only when IPv4 is disabled, or 3) IPv4 and IPv6 concurrently. Tunneling can be manual or automatic. Manual tunneling requires the network administrator to configure a point-to-point tunnel by hand. Automatic tunneling uses a different address type, such as 6to4, to set up a dynamic tunnel.

Another function that works with IPv6 is ICMPv6, used to perform ping and traceroute over IPv6.

Network layer devices

Both routers and Layer 3 switches operate at the network layer; they:
❖ Suppress broadcasts or multicasts
❖ Determine the best path for data transfer (routing)
❖ Strip down/add to Data Link layer frames (encapsulation/decapsulation)
❖ Implement access lists for packet filtering (permit/deny statements)
❖ Set up quality of service (QoS) qualifiers to measure network performance

Routers join 2 networks to create an internetwork or WAN by creating new broadcast domains; a broadcast domain is a group of nodes that can receive one another's broadcast messages. When a host on an internal segment of the network (connected to the router) sends a packet to a remote segment, the router acts as the default gateway and changes the source address to its own address. Routers maintain routing tables so they know where to send packets; the routing table contains:
❖ Network address
❖ Interface: the exit interface used to forward packets
❖ Metric: the distance to reach a remote network
Routers provide packet switching between networks and can provide packet filtering based on a network address or an application layer port. Routers use:
❖ Route update packets, supported by routing protocols (such as RIP, EIGRP, and OSPF), to update their routing tables.
❖ Data packets sent to different destinations, supported by routed protocols (IP and IPX).

Layer 3 switches perform the same functions and differ from routers in that 1) they can process traffic faster than routers, 2) they use ASIC hardware instead of the microprocessors used by routers, and 3) they are recommended for use in a Campus Area Network (CAN). An example is the Cisco Catalyst 8500 series.


Chapter 6. Introduction to Cisco Routers and Switches

Communication lines connect physical devices using hardware interfaces and modules. Interfaces provide a physical point of interaction between two networks; this includes the cable, plug, socket, or signal that work together to let devices communicate. Modules, on the other hand, are self-contained components that can be added to devices for expansion; a modular router is one such device. Fixed-port routers, however, have no room for additional modules.

LAN interfaces

Local area network (LAN) interfaces provide a point of interconnection between Cisco switches and other network devices. Cisco provides a wide selection of switches that can be deployed on a LAN to offer end-user connectivity.

The Cisco 2950 series switches include the 2950-12, which offers 12 built-in Ethernet ports, and the 2950-24, which has 24 built-in Ethernet ports; some switches also offer Gigabit Ethernet slots, located to the right of the other ports. The normal Ethernet ports labeled 10/100 allow a connection speed of either 10 Mbps or 100 Mbps, using an RJ-45 connector. The ports are hot-swappable. The back panel of the switch contains the power connector and the console port, which is connected to a terminal with a rollover cable for the initial configuration.

The Gigabit Ethernet slots are available for Gigabit Interface Converters (GBICs). A GBIC interface module can be inserted into the Gigabit Ethernet slot to allow for different media connections to that port. The physical media can range from copper to single-mode fiber.

The naming convention for the ports is simple: each interface begins with 0/#, where # is the port number on the switch. The top-left port is 1, the bottom-left is 2, and so on.

WAN interfaces

WAN interfaces provide communication between different networks. They include BRI, synchronous serial, asynchronous serial, High-Speed Serial Interface (HSSI), and the T1 controller card.

BRI is an ISDN service that consists of two Bearer (B) channels running at 64 Kbps each and one Delta (D) channel running at 16 Kbps. Voice, video, and data can be carried over the B-channels, while the D-channel carries signaling. Cisco offers an 8-port ISDN-BRI network module with a built-in Network Termination Type 1 (NT-1) that contains a BRI U interface, so it doesn't need a separate NT-1 device.


A synchronous serial interface synchronizes the clocks for the bit stream at both the sending and the receiving end of a serial link (adjusting the data rate), so both ends of the link operate at the same speed. An asynchronous serial interface does not provide this adjustment. Cisco offers a 4-port asynchronous/synchronous serial network module whose 4 ports can each be set to synchronous or asynchronous.

High-speed serial interfaces offer transmission rates of up to 52 Mbps to the WAN from Cisco's 2-port HSSI port adapter.

T1, also known as Digital Signal Level 1 (DS1), offers 1.544 Mbps of bandwidth, made up of 24 Digital Signal Level 0 (DS0) channels of 64 Kbps each plus an additional 8 Kbps reserved for management overhead. A T1 controller card can be installed in a router's T1 slot to communicate with and control the 24 DS0 channels.

Data Communications Equipment or Data Circuit-Terminating Equipment (DCE) is a device that connects the Data Terminal Equipment (DTE) to a service provider's communications line. The DCE side of a connection sets the clock speed for a serial connection. A DCE may be:
❖ A modem, which converts between the analog signals of the phone line and the digital signals of the computer.
❖ A Channel Service Unit/Data Service Unit (CSU/DSU), which serves as the intermediary between the service provider and the WAN router. In most cases, the CSU/DSU provides the clock speed for the router. A CSU/DSU may be a separate unit or may be incorporated into a WAN interface card (WIC).
❖ A BRI NT-1, a separate piece of hardware serving as the termination point for the communications line.

Data Terminal Equipment (DTE) is a device that connects to the service provider via the DCE. The DTE is Customer-Premises Equipment (CPE); it can be a router, PC, or server. If the CSU/DSU functions as a WIC, you use a CAT 5 or 6 cable with two RJ-45 connectors. If the CSU/DSU is not a WIC, a DB-60 connector is used on the router side while the CSU/DSU side uses EIA/TIA (232, 449, or 530), or V.35 or X.21 (developed by the ITU).

Note: In the US, the demarcation point is located between the ISP and the DCE, while in most other countries it is located between the DCE and the DTE.

Memory components

Read-only memory (ROM), also called EPROM, contains the Power-On Self Test (POST), ROM Monitor (ROMmon), bootstrap, and RXBOOT. ROM is non-volatile.

Flash is installed as either electrically erasable programmable read-only memory (EEPROM), SIMMs, or a Personal Computer Memory Card International Association (PCMCIA) card. Flash memory contains the Cisco Internetworking Operating System (IOS) image. Its data is retained when the device reloads.


RAM, also known as DRAM, holds the running IOS, the running-configuration, the routing table, and the ARP cache, all of which are erased when the device shuts down or reloads. Run-From-Flash (RFF) routers execute the IOS image file directly from Flash instead of from RAM.

Nonvolatile random-access memory (NVRAM) stores the startup configuration and the configuration register. The startup configuration is the one loaded when the device boots.

Cisco Internetworking Operating System(IOS)

Cisco IOS is the operating system for Cisco devices. IOS is a package of routing, switching, internetworking, and telecommunications functions built into a multitasking operating system that receives commands through a command line interface (CLI).

A feature set is a package of features offered in addition to the basic IOS functions of an IOS software release. You can select more than one feature set per release; they may be identified as standard, enhanced, or advanced. The name of an IOS image file carries a lot of information; for instance, in c2600-ipbase-1.122-1.T.bin: c2600 = hardware platform (Cisco 2600 router), ipbase = feature set, 1 = file format (compressed, relocatable), 122 = IOS version number, 1 = maintenance release number, T = train identifier (T for Technology, S for Service Provider, E for Enterprise).

Cisco switches support PoE, originally called “inline power”, now defined by IEEE 802.3af.


Chapter 7. Foundation of Cisco IOS Operations

A router can be configured through the console port, the auxiliary port, SSH, Telnet, and HTTP. Out-of-band refers to connecting to the device without IP connectivity, using an interface dedicated to this purpose. In-band, on the other hand, refers to connecting to a device over the same path and interface as the data stream; it requires IP connectivity to the device.

The console port is an out-of-band port used to access the IOS CLI through a rollover cable, in which all the wires are reversed at the other end (1-8, 2-7, etc.). The cable connects using two RJ-45 connectors (and a DB-9 adapter, in case your PC has no spare port) or one DB-9 connector (for the COM port) at one end of the cable. You must have 1) an ASCII terminal emulation (tty) program such as HyperTerminal running, and 2) if connecting through the COM port, the COM settings at 9600 baud, 8 data bits, no parity, 1 stop bit, and no flow control.

The auxiliary port (AUX), like the console port, also provides session access using a rollover cable. However, it has flow control capability, meaning you can connect an external modem to this port and dial into the modem remotely to access an EXEC session.

Telnet is used to access an EXEC session in-band; in other words, you need IP connectivity to the device you are connecting to. At least 5 Telnet EXEC sessions are allowed on most devices. Some configuration is required.

HTTP and HTTPS are in-band management methods with a graphical interface. The HTTP EXEC session is made possible by an HTTP server service that runs if configured on the Cisco device. For security purposes, some Cisco routers do not have this functionality enabled by default.

SSH is a more secure way to communicate remotely: its in-band session is encrypted, preventing compromise of the data. Some prior configuration is required, and the terminal application must support SSH to connect to the device.

Router/Switch startup procedure

During POST, the ROM performs a series of tests of the critical hardware components needed for startup and basic operation. ROMs are hard-coded with their program (they do not require a constant source of power). If a failure occurs, the result can range from a non-functioning interface to complete device failure.

After POST, another ROM runs the bootstrap code, which reads the configuration register (2 bytes), a code used to locate the IOS image. This code can have several values:
✓ 0x2100: boot directly into ROM and load ROMmon.
✓ 0x2102-0x210F: the device boots normally and searches for the IOS image location in NVRAM. The default value is 0x2102.
✓ In old devices, 0x2101 boots a mini IOS in ROM known as Rxboot (the prompt looks like Router(boot)> or Switch(boot)>). This IOS allows you to reach a TFTP server and download a working IOS to the device.

You may want to change the configuration register:
✓ To force the system into ROM monitor mode
✓ To select a boot source and default boot filename
✓ To enable or disable the Break function
✓ To control broadcast addresses
✓ To set the console terminal baud rate
✓ To load operating software from ROM
✓ To enable booting from a Trivial File Transfer Protocol (TFTP) server

ROMmon stands for ROM monitor; it is the state a device enters when a major failure occurs. This mode enables you to perform elementary functions to manually get the device back to a functioning state: you can copy a new IOS file to the Cisco device over the console port or from a TFTP server. This utility is also used in password recovery. ROMmon can be entered by sending a break sequence (Ctrl+Break in HyperTerminal) in the terminal session within the first 60 seconds of bootup. Its prompt looks like (rommon 1 >).
NOTE: when downloading an IOS over the console, it's better to increase the console speed; otherwise it will take a very long time.

During bootstrap, the device decides where to boot from next. Normally (0x2102-0x210F), the device looks for a "boot system" command in the startup-config in NVRAM. If this command is not found, the device boots the first file found in Flash. If no file is found in Flash, the device broadcasts on its connected segment, hoping to find a TFTP server with an IOS image.

Once the IOS image has been loaded, configuration parameters must be applied. The default location of the configuration file is startup-config in NVRAM. If it is not found, the device looks for a startup-config on a TFTP server, if there is one. Usually, a startup-config from TFTP provides enough parameters for you to Telnet in and finish the rest of the configuration. However, if neither is present, the device enters Setup Mode. Setup Mode can also be entered with configuration register 0x2142; you can exit by answering 'no' when asked to continue with Setup Mode or when asked to save the configuration, or at any time with Ctrl+C.

A Cisco router can act as a TFTP server for a router system image that runs in its flash memory. The global configuration command is 'tftp-server flash: ios_name'.

EXEC sessions


User EXEC is for lower-level personnel to access the device with a limited set of commands and the ability to perform functions such as troubleshooting and statistical display. You can list the available commands by entering '?' at the device-name> prompt.

Privileged EXEC contains more commands to perform more functions; these may include debugging, editing, and other privileged operations (including "show running-config" and "show startup-config"). To enter this mode, type 'enable' and the > sign changes to #. To exit, type 'disable'.

When you type 'configure terminal' in privileged mode, you enter global configuration mode. This mode contains other modes such as interface, sub-interface, routing protocol, and controller configuration. The command prompt looks like Router/Switch(config)#. Remember that any command applied is immediately saved in running-config.

From global configuration, you can configure interface-specific commands that apply to only one interface. To do so, you enter interface configuration mode by specifying the interface you want to configure. If you have a fixed (non-modular) device, you specify an interface with the "interface" command followed by the interface type and interface number (remember that Cisco routers start their numbering scheme at 0). With a modular device, the naming convention is different: the "interface" command is followed by the interface type, then module-number/interface-number.

Line configurations are specific to the EXEC lines through which a user can gain access to the Cisco device. Specifically, you can configure options such as logins and passwords for a user trying to gain User EXEC access to the console and auxiliary ports, as well as the 5 vty (virtual teletype) Telnet lines into a router or switch. From global configuration, use the keyword "line" followed by the EXEC line you want to configure (console or auxiliary followed by the line number, starting from 0). The prompt changes to Router(config-line)#, regardless of the line you are configuring.

Other than global configuration, you can also change the configuration using '#configure memory'; this command merges the startup-config into the running-config. Likewise, '#configure network' also merges a configuration, but it is used to load one from the TFTP server where you store your router configuration.

Some shortcuts for the Cisco CLI: at any level, you can list the available commands with ?, and list the commands starting with l by typing l?. Once enough characters are typed, you can press Tab for the system to autocomplete the command.

Key Sequence            Description
Ctrl-A                  Moves the cursor to the beginning of the current line
Ctrl-R                  Redisplays a line
Ctrl-U                  Erases a line
Ctrl-W                  Erases a word
Ctrl-Z                  Ends configuration mode and returns to privileged EXEC mode
Tab                     Finishes a partial command
Backspace               Removes one character to the left of the cursor
Ctrl-P or Up Arrow      Allows you to scroll forward through former commands
Ctrl-N or Down Arrow    Allows you to scroll backward through former commands
Ctrl-E                  Moves the cursor to the end of the current line
Ctrl-F or Right Arrow   Moves forward one character
Ctrl-B or Left Arrow    Moves back one character
Esc+B                   Moves back one word
Esc+F                   Moves forward one word

The "exit" command leaves the current mode and returns to the previous mode, while Ctrl+Z or "end" returns you to Privileged EXEC regardless of the current mode.

Some common syntax errors:
✓ Ambiguous Command is displayed when several commands start with the same characters; you must type more letters of the command for the IOS to recognize your particular command.
✓ Incomplete Command is the keyword syntax error; you need to add more keywords to tell the IOS what you want to do with this command.
✓ Invalid Input, also known as the "fat finger", is displayed when you mistype a command. The IOS displays a caret mark (^) at the point up to which it could not understand your command.


Chapter 8. Foundation Cisco Configuration

Global Configuration

'config-register' enables you to change the default operation of the router or switch by setting the configuration register. This is done by typing the command followed by the configuration register value (in hexadecimal, preceded by 0x). However, changing the register is risky unless you know exactly what the new value does. If you accidentally changed the register, you can change it back by booting into ROMmon and entering 'confreg 0x2102'.

'boot system' sets the location from which the IOS file will be loaded. For example, the following command makes the router load the file c2600-do3s-mz.120-5.T1 from the TFTP server at 172.16.1.1:
Router(config)#boot system tftp c2600-do3s-mz.120-5.T1 172.16.1.1

To change the hostname of the device (Router or Switch by default), use the 'hostname' command followed by the new name, separated by a space.

To provide a login banner (also known as the message of the day) to notify or inform users, use the 'banner motd' command followed by the message enclosed in 2 identical delimiters (which can be any character or characters).

You can set the password for privileged EXEC using the 'enable password' or 'enable secret' command followed by the desired password. The 'enable secret' password is secure because it stores a non-reversible one-way MD5 (Message Digest 5) cryptographic hash of the password, whereas the 'enable password' command stores it in clear text. When both are used, 'enable secret' overrides the password set with 'enable password'. To remove one, use 'no enable secret' or 'no enable password' followed by the original password. The 'service password-encryption' command encrypts all clear-text passwords in the configuration with a Cisco proprietary encryption (the "7" type seen in the sample running-config). It is still recommended that you use 'enable secret' for stronger security.

Cisco routers and switches support domain name resolution (converting between host names and IP addresses) both dynamically and statically by default. To set up static entries, use the 'ip host' command followed by the host name and then the IP addresses, each separated by a space.

If you use a DNS server, you can specify it with 'ip name-server' followed by the IP addresses of the DNS servers (up to 6). Domain resolution is enabled automatically on a device; to disable it, use the 'no ip domain lookup' command. To assign your Cisco device to an IP domain, use the 'ip domain-name' command followed by the domain name.

SSH is a secure method of remote access to Cisco devices because it uses RSA public-key cryptography for authentication and encryption, which prevents compromise of data. To use this service, you need 1) an IOS feature set that includes IPsec (DES or 3DES), and 2) an SSH-capable terminal client such as PuTTY. Then, you configure a host name other than the default and assign the device to a domain. The device generates an RSA key whose default length is 512 bits, but a length greater than 1024 bits is suggested. To generate the key, use 'crypto key generate rsa'; the command prompts you to enter the key size in bits, and at the end of the process SSH is automatically enabled. To define a username and password for the SSH client, use '(config)#username username-you-want password password-you-want'.

Line Configurations

To set a password for console User EXEC in line configuration, enter the mode with 'line console' followed by the line number, then 'login', then 'password' followed by the password you want. To set a time-out, use 'exec-timeout' followed by the number of minutes and the number of seconds, separated by a space (10 minutes by default).

The IOS sends all alerts and notification messages to the console port by default, interrupting whatever is being typed. To mitigate this, use the 'logging synchronous' command. The IOS still sends the notification to the terminal session, but then redisplays the line the user was working on.

You can also set passwords for users connecting through the auxiliary port. This is done in line configuration, starting with 'line auxiliary' followed by the line number. Then 'login', 'password', and 'exec-timeout' are used as for the console port.

Establishing an EXEC session on your device through Telnet or SSH without a vty password is very insecure, and it is strongly recommended that you add one, since otherwise any user can access User EXEC. An 'enable password' must be set to access Privileged EXEC over a Telnet or SSH session. For Telnet, when you assign a password to all vty lines, you must specify the range of lines. Remember that Telnet allows a maximum of 5 sessions at the same time; these sessions lie on vty lines 0 to 4. Use 'line vty' followed by the first line and then the last line, separated by a space, then continue with the 'login', 'password', and 'exec-timeout' commands.
Note: it's possible to set a different password for each line, but users have no idea which line they are connected to, so they would have to guess the password. IOS allows only 3 tries.
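The SSH setup and the console, auxiliary and vty line settings from the preceding paragraphs, combined into one configuration fragment. This is an added example, not from the original document: hostname, domain name, user and password values are constructed, and 'ip ssh version 2', 'transport input ssh' and 'login local', which the text does not mention, are standard IOS commands used here to restrict the vty lines to SSH with local-user authentication.

```cisco
! Added example (not from the original document): SSH access plus console,
! auxiliary and vty line hardening. Hostname, domain, user and the
! <...> password values are constructed placeholders.
hostname R1
ip domain-name lab.example.com
! 2048-bit modulus: the 512-bit default the text mentions is too weak
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account for SSH clients; 'secret' stores an MD5 hash, not clear text
username netadmin secret <STRONG-PASSWORD>
! Privileged EXEC password as a hash rather than 'enable password'
enable secret <ENABLE-SECRET>
! Obscure any remaining clear-text line passwords in the configuration
service password-encryption
!
line console 0
 password <CONSOLE-PASSWORD>
 login
 exec-timeout 5 0
 logging synchronous
!
line aux 0
 password <AUX-PASSWORD>
 login
 exec-timeout 5 0
!
! All five vty lines: SSH only (Telnet refused), authenticate against
! the local user database, idle sessions dropped after 5 minutes
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
!
! Verification from privileged EXEC:
!   show ip ssh
!   show ssh
!   show running-config | section line vty
```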

Interface configuration

Interface configuration mode is entered with 'interface' followed by the interface type (serial or parallel, depending on the device) and then the interface number (for modular devices it's usually 0/0, while for a fixed interface it's usually 0).


To assign an IP address and a subnet mask to this interface, use the 'ip address' command followed by the IP address and the subnet mask, separated by a space. Remember that you cannot use the same network address on 2 routers, since routers cannot be in the same network; this would cause an IP address overlap.

You can also provide a description for the interface using the 'description' command followed by the description text (after a space).

All router interfaces are in a disabled, or 'shutdown', state by default; an interface is enabled with the 'no shutdown' command in that interface's configuration. You can also use the 'no keepalives' command if your router is not connected to any layer 2 device (switches or bridges). A keepalive is a mechanism the IOS uses to send messages to itself or to the other end to ensure a network interface is alive.

Most LAN interfaces can auto-sense and negotiate speed, but you can set them manually in interface configuration. Enter the interface you want, then use 'speed' followed by the data rate in Mbps (without writing Mbps), and 'duplex' followed by half, full, or auto.

Here are some settings you can apply to WAN interfaces. When you have a serial crossover cable between two routers' serial interfaces in a lab environment, the serial interface with the DCE end of the cable attached has to provide the timing for data to be recognized on this link. To provide this synchronous timing, use the 'clock rate' command followed by the speed in bps. Another WAN command is 'bandwidth', used to set a bandwidth other than the default value. The default assumes a T1 circuit (1.544 Mbps); if you are using a different bandwidth, enter it after 'bandwidth' in Kbps (without writing Kbps).

If you want to return your router or switch to its default configuration, you can use the privileged EXEC command "erase startup-config" and reboot the device with the "reload" command. After the router or switch reboots, you enter Setup Mode because the configuration in NVRAM was erased.

More configurations

All the work has to be saved in the end (into NVRAM) with the 'copy' command, which can be followed by running-config, startup-config, flash, or tftp.

The 'show' command is one of the most important commands; it displays the contents of the file you specify. For instance, 'show running-config' shows all the details of the running-config. A sample of 'show running-config' is shown below:

ʻshow controllerʼ command contains a lot of technical notes. However, ʻshow controller serialʼ identifies whether a DTE or DCE cable is attached to the serial interface. This is useful to check the status of clocking and whether it needs configuration.

30

Page 31: Ccent & Ccna Exam Prep

To backup your IOS to a TFTP server or download a newer version to your router or switch, you must identify 1) the amount of Flash memory available, 2) IOS filename located in Flash, and 3) current IOS version running. To see status of your flash, use ʻshow flashʼ. However, to see configuration information about the current version, use ʻshow versionʼ. This command contains current IOS version, IOS image location, available interfaces, Flash memory, uptime, and configuration register.

Except ʻshow running-configʼ and ʻshow startup-configʼ are used only in privileged EXEC, the rest of the show commands are both used in Privilege and User EXEC.

There is also ʻshow interfacesʼ that show details about the interface. A sample output is shown on the next page:

Txload and rxload check if link is congested Line protocol up means the keepalives are received successfully. Subnet zero is on by default in new IOS. Hardware is the make and MAC address of router. MTU is the Maximum Transmission Unit (max data a packet can contain), logical bandwidth, cumulative delay, inbound and outbound load. Loopback and keepalives are not set.

31

CCNA1720#show running-configBuilding configuration. . .Current configuration:version 12.4service timestamps debug uptimeservice timestamps log uptimeservice password-encryptionhostname CCNA1720enable secret 5$1$nLCr$gNidpLSZvMnm2wFW6ACLm0enable password 714120A0A0107382A29boot-start-markerboot-end-markermemory-size iomem 15no aaa new-modelip subnet-zeroip host corerouter 172.16.1.1ip name-server 172.16.1.254ip cefinterface FastEthernet0ip address 172.16.1.1 255.255.0.0no ip directed-broadcastfull-duplexinterface Serial 0/0bandwidth 64ip address 192.168.1.1 255.255.255.0no ip directed-broadcastno fair-queueip classlessip http serverbanner motd ^C This is a private system and may be accessed only by authorized users. 3Unauthorized access is strictly prohibited and will be enforced to the full 3 extent of the law. ^Cline con 0exec-timeout 1 30password 7045802150C2Eloginline vty 0 4exec-timeout 1 30password 702050D480809loginEnd

'Encapsulation' is the layer 2 frame encapsulation. Under the counters, 'Received' is the data received; runts are undersized frames and giants are frames larger than the MTU. Collisions and other error packets are also reported.

If you are troubleshooting, the second line of the output (for example 'FastEthernet0/0 is up, line protocol is up') tells you the connection status of the interface (layer 1) and the status of its layer 2 protocol. Use this chart:

Layer 1   Layer 2   Possible symptoms
Up        Up        Interface is functional
Up        Down      Encapsulation mismatch; lack of clocking on serial interfaces; missing keepalives
Down      Down      Cable is disconnected or attached to a shutdown interface
Down      Down      Local interface was not enabled with the 'no shutdown' command

'show ip interface brief' gives a short report of the status of every interface. Its columns are 'interface', 'ip address', 'OK?', 'method', 'status', and 'protocol'.
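As an added example (not code from the guide), the following Python script parses the status line and the counters of a 'show interfaces' block and applies the chart above to it. The first sample is the FastEthernet0/0 output from this chapter, trimmed to the lines the parser uses; the second, a serial interface whose line protocol is down, is constructed. The 'administratively down' status for a shut down interface is my addition (that is what IOS prints); the chart on the page lists that case as Down/Down.

```python
import re
from typing import Any, Dict, List

# Sample 1: the FastEthernet0/0 output from this chapter, trimmed to the lines used here.
SAMPLE_FA = """\
Router#show interfaces FastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001a.2f66.fa1a (bia 001a.2f66.fa1a)
  Internet address is 172.16.0.1/16
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
     322 packets input, 70336 bytes
     Received 322 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     343 packets output, 72188 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
"""

# Sample 2: constructed for this example, a serial link whose line protocol is down.
SAMPLE_SERIAL = """\
Serial0/0 is up, line protocol is down
  Hardware is PowerQUICC Serial
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 201/255, rxload 3/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
     57 packets input, 3212 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     88 packets output, 5400 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
"""

STATUS_RE = re.compile(
    r"^(?P<name>\S+) is (?P<l1>administratively down|up|down), "
    r"line protocol is (?P<l2>up|down)")

# The chart from the text, keyed by (layer 1, layer 2). IOS reports a shut down
# interface as "administratively down"; the page's chart lists that case as Down/Down.
DIAGNOSIS = {
    ("up", "up"): "Interface is functional",
    ("up", "down"): "Encapsulation mismatch; lack of clocking on serial interfaces; missing keepalives",
    ("down", "down"): "Cable is disconnected or attached to a shutdown interface",
    ("administratively down", "down"): "Local interface was not enabled with 'no shutdown'",
}

COUNTERS = ("runts", "giants", "input errors", "CRC", "collisions", "interface resets")


def parse_show_interfaces(text: str) -> Dict[str, Any]:
    """Extract the status line, encapsulation, load and error counters of one interface."""
    for line in text.splitlines():          # skip the command echo, find the status line
        m = STATUS_RE.match(line.strip())
        if m:
            break
    else:
        raise ValueError("no '<interface> is ..., line protocol is ...' line found")
    info: Dict[str, Any] = dict(m.groupdict())
    enc = re.search(r"Encapsulation (\S+?),", text)
    info["encapsulation"] = enc.group(1) if enc else None
    load = re.search(r"txload (\d+)/255, rxload (\d+)/255", text)
    info["txload"], info["rxload"] = (int(load.group(1)), int(load.group(2))) if load else (0, 0)
    for label in COUNTERS:                  # "<number> <label>" as printed by IOS
        c = re.search(r"(\d+) " + label + r"\b", text)
        info[label] = int(c.group(1)) if c else 0
    return info


def diagnose(info: Dict[str, Any]) -> List[str]:
    """Apply the status chart first, then the counter hints given in the text."""
    notes = [DIAGNOSIS.get((info["l1"], info["l2"]), "status combination not in the chart")]
    if info["input errors"] > 0:
        notes.append(f"{info['input errors']} input errors ({info['CRC']} CRC): "
                     "suspect cabling, duplex or clocking")
    if info["runts"] > 0 or info["giants"] > 0:
        notes.append(f"{info['runts']} runts / {info['giants']} giants: frames outside the expected size")
    if max(info["txload"], info["rxload"]) > 128:     # more than half of the 255 scale
        notes.append(f"link congested: txload {info['txload']}/255, rxload {info['rxload']}/255")
    return notes


if __name__ == "__main__":
    for sample in (SAMPLE_FA, SAMPLE_SERIAL):
        info = parse_show_interfaces(sample)
        print(info["name"], info["l1"] + "/" + info["l2"])
        for note in diagnose(info):
            print("  -", note)
```

Feeding it the full output of 'show interfaces' for several interfaces would need splitting on the status lines first; the parser deliberately takes one interface block at a time.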

Sample 'show interfaces' output (referred to in the section above):

Router#show interfaces FastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001a.2f66.fa1a (bia 001a.2f66.fa1a)
  Internet address is 172.16.0.1/16
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100Base-TX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:10, output 00:00:10, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     322 packets input, 70336 bytes
     Received 322 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     343 packets output, 72188 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Troubleshooting and Backup Commands

'clear counters' resets the statistics shown by the show commands so that you can view current, up-to-date data.

'ping' can be used in user or privileged EXEC by typing 'ping' followed by an IP address or a domain name. The response is composed of '.' and '!', where '!' indicates a successful reply and '.' indicates that a timeout occurred for that packet. A 'U' indicates a 'Destination Unreachable' message, which is sent when a device does not know how to reach the destination network. NOTE that the first packet is likely to be unsuccessful. Typing just 'ping' with no argument lets you send a customized ping by answering a few questions.

The 'traceroute' command sends ICMP messages and records every router along the way, so you can see how long it takes to reach a certain destination. This utility can also be used to troubleshoot when you suspect that one of the routers on the route is malfunctioning.

The 'debug' command is another troubleshooting utility; it displays real-time information such as routing updates, packet forwarding, and so on. However, it consumes a lot of CPU to produce its many results, so it is not recommended for daily use. Before using 'debug', run 'show processes' to check whether it is safe to do so: if the CPU is utilized at over 60% in any of the fields, DO NOT use the 'debug' command. When you are done with this utility, turn it off with 'no debug all' or 'undebug all'. To see accurate timestamps on your debug messages, it is highly recommended that you set the clock to the correct date and time with the 'clock' command in privileged EXEC. In addition, to add a timestamp to the debug output, use '(config)#service timestamps'.

To back up your IOS configuration file or images, you need to create a copy on the TFTP server. Before you start copying:
1) The TFTP server must have the TFTP service running. You can search the Internet for evaluation TFTP servers from companies such as SolarWinds and FutureSoft.
2) Your device must be cabled correctly. If you are using a switch, plug the TFTP server into the switch with a straight-through Ethernet cable. If you are going directly between a router and the TFTP server, use a cross-over cable.
3) You must have IP connectivity to the server; in other words, your interface should be on the same subnet as the server.
4) There must be enough room on the TFTP server and in your device's memory to store these files. If your Flash memory cannot store two files, the IOS erases the old file.

After you have these done, you can start copying with 'copy flash tftp', where flash is the original location of the file. The prompt asks a few questions. Successful transfers are displayed as '!'.

You need to reboot the system with 'reload' (privileged EXEC) for the new file to take effect. Before the device reboots, it asks whether you want to save the changes (if modifications occurred), or you can save the configuration files yourself with the 'copy' command. The 'copy' command is also used for backup and recovery. DO remember to add the 'unwritten' commands such as 'no shutdown'. In Unix- and DOS-style naming, running-config is referred to as system:running-config, startup-config as nvram:startup-config, tftp 172.16.1.16 as tftp://172.16.1.16/file-name, and flash as flash:file-name.
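Before a configuration is backed up to a TFTP server it is worth auditing it for weak settings that a backup would then spread around. The following Python script is an added example, not code from the guide: it splits a running-config into its global commands and its 'interface'/'line' sub-mode sections and flags type 7 passwords, a lingering 'enable password', cleartext HTTP management, 'exec-timeout 0 0' (idle sessions never expire) and vty lines without 'transport input ssh'; the last two are real IOS commands that this page does not discuss. The sample config is constructed after the 'show running-config' output shown earlier; its password strings and hash are placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample, modeled on the 'show running-config' output shown earlier in
# this chapter. The enable secret hash and the type 7 strings are placeholders.
SAMPLE_CONFIG = """\
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname CCNA1720
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH
enable password 7 0123456789ABCDEF
no aaa new-model
ip subnet-zero
interface FastEthernet0
 ip address 172.16.1.1 255.255.0.0
 no ip directed-broadcast
 full-duplex
interface Serial 0/0
 bandwidth 64
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
ip classless
ip http server
line con 0
 exec-timeout 1 30
 password 7 0123456789AB
 login
line vty 0 4
 exec-timeout 1 30
 password 7 0123456789AB
 login
end
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split an IOS configuration into 'global' commands plus one entry per
    'interface ...' / 'line ...' block. IOS prints sub-mode commands with a
    leading space, which is what the parser keys on."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                  # blank lines and comments
        if raw.startswith(" "):
            sections[current].append(raw.strip())     # sub-mode command
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line                            # a new sub-mode section begins
            sections.setdefault(current, [])
        else:
            current = "global"                        # any other top-level command
            sections["global"].append(line)
    return sections


Finding = Tuple[str, str, str]   # (code, section, explanation)


def audit(config: str) -> List[Finding]:
    """Flag weak settings a reviewer would look for in a backed-up configuration."""
    sections = parse_sections(config)
    g = sections["global"]
    findings: List[Finding] = []
    if "service password-encryption" not in g:
        findings.append(("NO_PWD_ENC", "global",
                         "line and enable passwords are stored in clear text"))
    if any(cmd.startswith("enable password ") for cmd in g):
        findings.append(("ENABLE_PASSWORD", "global",
                         "'enable password' is at best type 7, which is reversible; "
                         "'enable secret' (type 5, MD5 hash) takes precedence when both are set, "
                         "so the weaker one only adds exposure"))
    if "ip http server" in g:
        findings.append(("HTTP_MGMT", "global", "management over cleartext HTTP is enabled"))
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        if any(cmd.startswith("password 7 ") for cmd in cmds):
            findings.append(("TYPE7_LINE_PASSWORD", name,
                             "type 7 is obfuscation, not a hash; the password is "
                             "recoverable from any copy of this file"))
        if "exec-timeout 0 0" in cmds:
            findings.append(("NO_EXEC_TIMEOUT", name, "idle sessions never time out"))
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(("VTY_TELNET", name,
                             "vty lines accept Telnet (no 'transport input ssh')"))
    return findings


if __name__ == "__main__":
    for code, section, why in audit(SAMPLE_CONFIG):
        print(f"{code:20} {section:16} {why}")
```

On the sample above the script reports five findings: the type 7 'enable password', cleartext HTTP, a type 7 password on both the console and the vty lines, and Telnet still allowed on the vty lines. 'service password-encryption' and the 'exec-timeout' values pass.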

Cisco Discovery Protocol (CDP) is used to gather information about directly connected Cisco neighbors using multicast (0100:0CCC:CCCC) every 60 seconds on all connected, functional interfaces. CDP is a Cisco proprietary layer 2 protocol that works independently of the media and of the layer 3 protocols used. Use the 'show cdp neighbors' command to list the connected neighbors and their status (columns: 1. Device ID, 2. Local Interface, 3. Holdtime, 4. Capability, 5. Platform, 6. Port ID).

'show cdp neighbors detail' or 'show cdp entry *' shows the information of 'show cdp neighbors' plus layer 3 information and the IOS version of the connected devices. Note that CDP is on by default; to disable it globally, enter '(config)#no cdp run'. To disable it on a particular interface, use '(config-if)#no cdp enable'.

A remote Telnet session can be established with the 'telnet' command followed by the IP address of the router. As said previously, you also need a vty password. You can verify the open sessions with the 'show sessions' command and limit unwanted access with an access control list (ACL). You can temporarily suspend a Telnet session (it keeps running) with Ctrl+Shift+6 followed by the 'x' key; resuming is simply pressing Enter with no command entered. You can also use the 'resume' command followed by the connection number shown in 'show sessions'; the entry with an asterisk indicates the last suspended session. To leave a Telnet session, enter 'exit' or 'logout' at the remote router, or 'disconnect' followed by the connection number (at the user end).

You can monitor the activity of a device from a remote session on a PC with the 'terminal monitor' command, typed in privileged EXEC.

Cisco routers can also serve as a DHCP server for a LAN, but the interface connecting to the LAN needs an assigned IP address. First, enter the DHCP pool configuration with 'ip dhcp pool pool-name', where pool-name is the name of the DHCP pool. This command is entered in global configuration, and the prompt changes to Router(dhcp-config)#. Once in that mode:
➡ 'network' is followed by the network address and the subnet mask, separated by a space, or by the network address and a CIDR prefix length, separated by a space.
➡ 'default-router' is followed by the IP address of the default gateway.
➡ 'dns-server' is followed by the IP address of the DNS server.
➡ 'domain-name' is followed by the domain name of the network.
➡ 'lease' is followed by the number of days, hours, and minutes of the lease.
➡ 'exit' leaves the pool configuration.
'ip dhcp excluded-address' can be followed by one or two IP addresses. With one address, that address is excluded from the pool of available addresses; with two, the server excludes all addresses within the range the two addresses delimit. 'show ip dhcp binding' shows the list of devices using the DHCP server.

A router can also obtain an interface's IP address dynamically from a DHCP service with the 'ip address dhcp' command on the interface you want; all connecting clients will use the DHCP service. Entering 'show dhcp lease' in privileged EXEC lets you view the DHCP configuration on all your interfaces.

When DHCP is enabled in a large network, the router has to handle all the DHCP processing and may run out of memory and develop 'router amnesia'. The best advice is to keep leases short.

Chapter 9. Understanding the Cisco SDM

Cisco offers the Security Device Manager (SDM) in addition to the CLI; it is used to configure options on software-based routers. Note that this service is offered only on ISR routers. To check whether you have SDM, open your web browser and go to http://Router-IP-Address to see whether the SDM page loads. For this to work, you need an interface in the up/up state, the router IP address and subnet mask set, the 'ip https' command set for the browser HTTPS port (and that port not blocked), the Java plugins installed, and so on.

When you insert the SDM CD, a wizard appears and guides the installation process. You can choose either First-Time Router Setup or Install SDM. SDM presents a lot of information about your device spread across different sections. In the 'Home' tab, 'About Your Router' and 'Configuration Overview' can be used in troubleshooting ('View Running Config' shows the configuration document), whereas 'Configure' is used to set the configuration of the device. To change any configuration, click 'Additional Tasks' at the left and find the setting you want (located under different headings). Double-clicking a setting opens a smaller window where you can change it.

In the 'Configure' tab, under Router Properties, you can set up 'hostnames', 'Domain Name', 'Banner', and 'Enable Secret'. In Router Access, under Additional Tasks, you can also configure the router username and password, as well as accounts for Telnet and SSH clients.

DNS and DHCP information can be configured under Additional Tasks.

To configure a router interface, click the 'Configure' tab and select 'Interfaces and Connections' from Tasks. Here you can 'Create Connection' and 'Edit Interface/Connection'. Double-clicking the interface name brings up a list of settings you can alter in a smaller window. Enable or disable the connections using the button on the tab.

The system can be monitored from the 'Monitor' tab. The tasks listed are Logging, NAC Status, QoS Status, VPN Status, Firewall Status, Interface Status, and Overview. These can be used to monitor CPU, memory and Flash usage.

Chapter 10. Introduction to Routing and Routing Protocols

To send data to a host on the same network, your PC broadcasts an ARP request for that host and sends the data once the destination MAC address is returned. To send data to a host on a remote network:
➡ Your PC broadcasts an ARP request for the MAC address of the local default gateway (router A) and sends the data to router A (MAC SA = your PC, MAC DA = router A, IP SA = your PC, IP DA = remote PC).
➡ Router A looks at the destination IP address and searches its routing table for a route; once found, router A sends an ARP request for router B, the next hop, and forwards the packet (MAC SA = router A, MAC DA = router B, IP SA = your PC, IP DA = remote PC).
➡ Router B looks at the destination IP address and knows the packet belongs to its own network, so it sends an ARP broadcast for the PC with that destination IP address and forwards the packet once the MAC address is replied (MAC SA = router B, MAC DA = remote PC, IP SA = your PC, IP DA = remote PC).

When troubleshooting, check the configuration information for your network. Make sure your computer is connected to the interface; you can even check the MAC and IP addresses of the default gateway with the 'arp -a' command (which displays the computer's ARP table). An ARP entry remains in the computer's volatile memory as long as it keeps getting used (it is refreshed before every 5 minutes). To delete an ARP entry, use 'arp -d' followed by the address, or delete all entries with 'arp -d *'. If you cannot ping an IP address, check your configuration information, make sure all cables are connected, and ping internal addresses to make sure it isn't your router's fault.

Routing table and types of routes

The routing table is a list of all reachable networks, stored in RAM. It is displayed with 'show ip route' in user EXEC, and its entries come from 3 sources:
➡ Connected interfaces: as soon as you assign an IP address to a working (up/up) interface, the router associates all IP addresses in that subnet with the entry; the entry remains in the table as long as the interface is active.
➡ Static routes: manual entries that specify the destination network and the next hop (router). These routes remain in the routing table as long as they are not deleted. Static routes allow a maximum of 16 equal-cost routes to be used in load balancing. The routing table entry shows [AD/metric], where AD is 1 by default.
➡ Routing protocols: protocols that dynamically advertise networks. Their entries remain in the table as long as the next hop is valid and hello packets are being received.

When a conflict arises between multiple routes to the same network, the administrative distance decides which route has the higher priority. It ranges from 0 to 255: the smaller the value, the higher the priority.

Routed Source      Default Distance
Connected          0
Static             1
BGP (ext)          20
EIGRP (int)        90
OSPF               110
RIPv1, v2          120
EIGRP (ext)        170
BGP (int)          200

A routing table entry can look like "C 10.1.0.0/16 [90/2297856] via 192.168.1.10, Serial 0/0/0", where 90 is the administrative distance, 2297856 the metric and Serial 0/0/0 the exit interface. This route is directly connected, and packets for 10.1.0.0/16 will be sent to 192.168.1.10. Packets with no matching entry are sent using the default route. If that route cannot reach the destination, the packet is dropped and a Destination Unreachable (DU) error message is generated. The longest match rule states that when a packet matches multiple network entries, the more specific subnet is used over the less specific one. In other words, the more bits in the subnet mask (and thus the smaller the subnet), the better the chance of being the chosen network. The longest match rule takes priority over AD.

A stub network is a network whose router is connected to only one other router. In this case, using a static route is a good idea. To configure a static route, use the 'ip route' command followed by the destination network address, the destination subnet mask, and the IP address of the next hop (router) in the path. Instead of a next-hop address, the command can be followed by an interface name, which must contain only one link. If no administrative distance is specified, the default is 1 (the value for static routes).

You can force a static route to remain even if the next hop is down by adding 'permanent' to the 'ip route' command. An administrative distance greater than 1 can be added after the command to specify a backup or alternate route; such routes are known as floating static routes. They are not placed in the routing table while the subnet has another route with a lower administrative distance.

Another type of route is the default route, used when a destination IP address has no network entry in the routing table. The command is 'ip route 0.0.0.0 0.0.0.0' followed by the IP address of the next hop or the name of the local interface. To define a default route on a layer 2 switch, use the 'ip default-gateway' command instead. Notice that the default route is configured automatically if you use the DHCP service.

Configuring static and default routes with SDM is very easy. Open the 'Configure' tab, select 'Routing' from Tasks and, under 'Static Routing', click the 'Add' button. A smaller window shows up where you can enter the information as needed. You can make the route floating or permanent, depending on your configuration.

To double-check the routes, use the 'show ip route' command in user EXEC. To see the routing entry for a specific route, follow the command with the network address. To remove a route, use 'clear ip route' followed by the IP address of the route in privileged EXEC, or clear the whole routing table with 'clear ip route *'.
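As an added example (not code from the guide), the following Python module implements the route selection rules of this section: one entry per prefix is admitted by the lowest administrative distance (so a floating static route stays out while a lower-AD route exists), the longest match chooses the entry for a destination regardless of AD, the default route 0.0.0.0/0 is used only when nothing else matches, and the ARP target is the destination itself for a connected network or the next hop otherwise, as in the forwarding walk at the start of the chapter. The routes in build_sample_table() and the addresses in the tests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network, e.g. "10.1.0.0/16"
    ad: int                     # administrative distance
    metric: int
    next_hop: Optional[str]     # None for a directly connected network
    interface: str              # exit interface

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def install(table: Dict[str, Route], route: Route) -> bool:
    """Admit a candidate the way the text describes: for one prefix the lowest AD wins,
    and at equal AD the lowest metric. A floating static route (higher AD) therefore
    stays out while the dynamic route for the same prefix exists. Returns True if installed."""
    cur = table.get(route.prefix)
    if cur is None or (route.ad, route.metric) < (cur.ad, cur.metric):
        table[route.prefix] = route
        return True
    return False


def lookup(table: Dict[str, Route], dst: str) -> Optional[Route]:
    """Longest match: among the entries containing dst, the longest prefix wins, whatever
    its AD. The default route has prefix length 0, so it is chosen only as a last resort."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table.values() if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: r.network.prefixlen)


def arp_target(route: Route, dst: str) -> str:
    """Address the router resolves with ARP on the exit interface: the destination
    itself on a directly connected network, otherwise the next-hop router."""
    return dst if route.next_hop is None else route.next_hop


def build_sample_table() -> Dict[str, Route]:
    """Constructed routes (not from the page): a connected LAN, a static /16, an EIGRP /24
    inside it, a floating static for the same /24, and a default route."""
    table: Dict[str, Route] = {}
    install(table, Route("172.16.0.0/16", 0, 0, None, "FastEthernet0/0"))           # connected
    install(table, Route("10.1.0.0/16", 1, 0, "192.168.2.2", "Serial0/0/1"))        # static
    install(table, Route("10.1.5.0/24", 90, 2297856, "192.168.1.10", "Serial0/0/0"))  # EIGRP
    install(table, Route("10.1.5.0/24", 100, 0, "192.168.3.3", "Serial0/0/2"))      # floating static, rejected
    install(table, Route("0.0.0.0/0", 1, 0, "192.168.1.10", "Serial0/0/0"))         # default route
    return table


def forward(table: Dict[str, Route], dst: str) -> str:
    """Describe what the router does with a packet for dst."""
    r = lookup(table, dst)
    if r is None:
        return f"{dst}: no route, drop and send ICMP Destination Unreachable"
    return (f"{dst}: via {r.prefix} [{r.ad}/{r.metric}] out {r.interface}, "
            f"ARP for {arp_target(r, dst)}")


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.1.5.7", "10.1.9.1", "172.16.0.9", "8.8.8.8"):
        print(forward(table, dst))
```

Note that 10.1.5.7 is forwarded by the EIGRP /24 (AD 90) even though the static /16 (AD 1) also covers it: prefix length is compared before administrative distance, which is the point the text makes about the longest match rule.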

Types of routing protocols

Routed protocols are protocols, such as those in the IP protocol suite, that carry data across the network. Routing protocols are exchanged between routing devices to determine the optimal path along which to route the routed protocols. Implementing routing protocols is a good solution for an internetwork with many hosts and paths. Routing protocols use the following factors to calculate the metric, the value assigned to a route:

➡ Hop count: the number of routers a packet must cross before reaching the destination.
➡ Bandwidth: the cumulative bandwidth of the links to the destination, in Kbps.
➡ Delay: the time (in microseconds) a packet takes from source to destination.
➡ Reliability: the consistency of the links and paths, based on interface error rates.
➡ Load: the cumulative amount of congestion on the links toward the destination.
➡ MTU: the maximum frame size allowed to traverse the links to the destination.
➡ Cost: an arbitrary number, typically based on the bandwidth of the link.

Routing protocols can be classful or classless. It is not good to use classful routing protocols with VLSM networks, because classful protocols automatically summarize the subnets. If you must use subnets with a classful protocol, use the same subnet mask for all the networks; this is Fixed-Length Subnet Masking (FLSM). Classless routing protocols, on the other hand, handle different subnets with different subnet masks, a design known as Variable-Length Subnet Masking (VLSM). With classless routing protocols you can still summarize, as you do with classful ones.

Networks under one administrative domain are known as an autonomous system (AS). Routing protocols that route within an AS are Interior Gateway Protocols (IGPs), while routing protocols that route between ASs are known as Exterior Gateway Protocols (EGPs).

In addition to classful/classless and IGP/EGP, routing protocols can be Distance Vector, Link State, or Advanced Distance Vector/Hybrid:
➡ Distance vector, or routing by rumor: each router sends its entire routing table to its connected routers every update period. When a router receives such an update, it extracts the new information and sends it, along with its own routing table, to the other routers.
➡ Link-state: each router knows the states and metrics of all links in its area (for the same destination). This consumes much of the router's memory and CPU, as it keeps 1) a neighbor table of all discovered neighbors, 2) a topology table of all possible routes to reachable networks, and 3) a routing table containing the best route, based on the lowest metric calculated from the topology table. A link-state routing protocol sends updates 1) at very long intervals, or 2) whenever there is a topology change.
➡ Advanced Distance Vector, or Hybrid (Balanced Hybrid): a combination of distance vector and link-state, taking the better features of each.

Where multiple protocols are used in a domain, you need to transfer network information from one routing protocol to another with redistribution, which comes in two forms:
➡ One-way redistribution: networks from an edge protocol are injected into a core routing protocol (one way only). This is the safest way to perform redistribution.
➡ Two-way redistribution: networks from each routing protocol are injected into the other. This is the less preferred method, since it may create routing loops as a result of differing convergence times when a topology change occurs.

Chapter 11. Distance Vector Routing Protocols

Distance-vector protocols, also known as routing by rumor, are legacy routing protocols that use the Bellman-Ford algorithm. A router sends its own routing table to its neighbors (every 30 seconds by default), whether or not the table has changed. The recipient routers extract the useful information and, along with their own routing tables, send the update on to their neighbors. Routers in such a domain maintain a flat relationship with one another.

If a new route to the same destination as an existing route arrives, the metric value is checked. If the new route has a higher metric than the older route, it is discarded. If the 2 routes have an equal metric (equal network, equal cost, and equal method), both are used to perform load balancing (4 routes by default, 6 routes maximum). If the new route has a lower metric, it replaces the old route in the routing table. As the update passes through a router, the hop count increases by one.

Routing loops, their solutions, and other methods of convergence

Routing loops are very troublesome; when they occur, one indicator is a high (infinity) hop count for a particular route. To mitigate loops, several measures are integrated into the routing protocol, and most of them can't be disabled.

Counting to infinity is a routing loop that saturates network bandwidth while a route continuously loops between 2 or more routers. To deal with this, most routing protocols have a maximum hop count: when a looping route's hop count keeps increasing, it reaches infinity (1 + max hop count) and the route is dropped. [RIPv1, v2 (distance vector): max hop count = 15; EIGRP (hybrid): max hop count = 224; OSPF (link state): no max hop count.]

Another solution is split horizon, which prevents routers from advertising routes back to the router from which they learned them, thus eliminating possible loops. Remember that split horizon is one of the things you can manually disable if necessary.

Route poisoning is the way a router sends a route with an infinite hop count when it detects a failure in that route.

With poison reverse, the routers override the split horizon rule and send an update back to the source router, showing that the failure has been acknowledged, while the other routers put the network in a "possibly down" state with a hold-down timer.

Hold-down timers are activated when a router receives a poisoned update. During this time, the router ignores updates regarding the remote route (now in the "possibly down" state) until the hold-down timer expires, especially those with a lower metric; however, if a new route with a lower metric is shown, that route is implemented. This is why distance vector routing protocols are the slowest to converge.

Flash, or triggered, updates send update packets to the other routers as soon as a topology change occurs, rather than waiting for the update period.

The invalid, or dead, timer is reset every time a router receives an update from another router; if no further update arrives before the timer expires, the route is considered dead and the router uses route poisoning to inform the others about this failure. The default value is 180 seconds. To manually clear all routes, use 'clear ip route *', or clear a single route by giving its network address instead of *.
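As an added example (not code from the guide), the following Python simulation runs synchronous distance-vector (Bellman-Ford) rounds on a constructed three-router chain A - B - C, with network N attached to C, and then takes N away from C. Without split horizon, B and A keep re-learning N from each other and count up to infinity (16 for RIP) before dropping the route; with split horizon, the route disappears within a couple of rounds. A poisoned route (hop count 16) and an absent route are treated the same here, so C's route poisoning is implicit in the model.

```python
from typing import Dict, Optional, Tuple

INFINITY = 16          # RIP: 15 is the largest usable hop count, 16 means unreachable
Table = Dict[str, Tuple[int, Optional[str]]]   # network -> (hop count, next hop); None = connected

# Constructed topology: A -- B -- C, with network "N" attached to C.
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}


def advertise(table: Table, to: str, split_horizon: bool) -> Dict[str, int]:
    """What a router sends to neighbor `to`: its entire table (routing by rumor), except
    that with split horizon a route is never sent back to the neighbor it was learned from."""
    return {net: hops for net, (hops, nh) in table.items()
            if not (split_horizon and nh == to)}


def one_round(tables: Dict[str, Table], split_horizon: bool) -> Dict[str, Table]:
    """One synchronous Bellman-Ford round: every router keeps its connected networks and
    rebuilds the rest from its neighbors' advertisements (+1 hop, lowest wins, 16 = drop)."""
    new: Dict[str, Table] = {}
    for router, nbrs in NEIGHBORS.items():
        table: Table = {net: e for net, e in tables[router].items() if e[1] is None}
        for n in nbrs:
            for net, hops in advertise(tables[n], router, split_horizon).items():
                cost = hops + 1
                if cost >= INFINITY:
                    continue               # counted to infinity: the route is unreachable
                cur = table.get(net)
                if cur is None or cost < cur[0]:
                    table[net] = (cost, n)
        new[router] = table
    return new


def converge(tables: Dict[str, Table], split_horizon: bool,
             max_rounds: int = 100) -> Tuple[int, int, Dict[str, Table]]:
    """Run rounds until nothing changes. Returns (rounds taken, highest hop count seen, tables)."""
    peak = max((h for t in tables.values() for h, _ in t.values()), default=0)
    for rounds in range(1, max_rounds + 1):
        new = one_round(tables, split_horizon)
        peak = max([peak] + [h for t in new.values() for h, _ in t.values()])
        if new == tables:
            return rounds, peak, new
        tables = new
    raise RuntimeError("no convergence within max_rounds")


def steady_state() -> Dict[str, Table]:
    """Tables once N is known everywhere: C connected (0 hops), B 1 hop, A 2 hops."""
    start: Dict[str, Table] = {"A": {}, "B": {}, "C": {"N": (0, None)}}
    return converge(start, split_horizon=True)[2]


def after_failure(split_horizon: bool) -> Tuple[int, int, Dict[str, Table]]:
    """C loses network N; measure how long the others take to give the route up."""
    tables = steady_state()
    tables["C"] = {}                       # C's connected route is gone
    return converge(tables, split_horizon)


if __name__ == "__main__":
    for sh in (False, True):
        rounds, peak, final = after_failure(split_horizon=sh)
        print(f"split horizon {'on ' if sh else 'off'}: converged after {rounds} rounds, "
              f"highest hop count seen {peak}, tables {final}")
```

Without split horizon the hop count climbs by one every round or two until it hits 15 and the next advertisement would be 16, which is exactly the "1 + max hop count" rule the text describes; with split horizon B never hears N back from A, so both drop it at once.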

Distance-vector protocols, RIP

RIP for IP is defined in RFC 1058. It is a simple routing protocol with hop count as its metric. RIP is classful and automatically summarizes subnetted networks to their default classful boundaries. When configuring RIP you can only advertise directly connected, classful networks.

RIP requires manual redistribution to advertise networks from a routing source other than RIP. When configuring a static default route on a RIP router, use 'default-information originate' to redistribute the default route in its routing updates to its neighbors. The neighbors receiving these updates set that router as their default gateway, unless a static default with a lower administrative distance is found. Their routing tables then display the learned 0.0.0.0/0 subnet as a RIP-learned network.

To configure RIP, enter global configuration and type 'router rip', then the 'network' command followed by the local network address with no subnet mask. Remember: subnetted networks are advertised as though they were one (major) network. To remove a network entry, use 'no network' followed by the network address you want to remove. To set a different number of paths for load balancing, use 'maximum-paths' followed by the number of paths; to disable load balancing, set maximum-paths to 1.

You can set an interface as passive (with 'passive-interface' followed by the interface name, in 'router rip' mode) so that it stops sending updates; this way, bandwidth is not wasted sending updates to computers.

RIPv2 was created with the following improvements:
- Multicast updates: RIPv2 uses the reserved multicast address 224.0.0.9 to communicate with other RIPv2 neighbors.
- Classless support: RIPv2 supports both classful and classless routing. This means RIPv2 can support VLSM and discontiguous networks, once automatic summarization is turned off with the 'no auto-summary' command.
- Authenticated updates: RIPv2 authenticates routers. Configuration: define the key chain name after the 'key chain' command in global configuration; then identify a key with a number after 'key' and define the password after 'key-string'. Then, in interface configuration mode, give the key chain name after 'ip rip authentication key-chain' and use 'ip rip authentication mode md5' for MD5 authentication.

Enable RIPv2 with 'router rip', then 'version 2'. By default, RIP is configured to send v1 updates and to accept both v1 and v2 updates (ignoring the subnet mask and authentication when processing v2 updates). To revert to RIPv1, use 'version 1' or 'default version'; these commands tell the router to receive only v1 updates and ignore v2 updates.

To configure RIP in SDM: 'Configure' -> 'Routing' -> 'Dynamic Routings' section -> 'Edit' button.

To verify RIP, you can use 'show running-config'. Another command is 'show ip route', where RIP routes are marked with R; the routing entry contains administrative-distance/metric (the metric is less than 15). 'show ip protocols' shows detailed information about the IP routing protocols in use and their status. All these commands are entered in privileged EXEC.

To troubleshoot RIP, use the 'debug ip rip' command to see the real-time updates. If you don't know which debug command to use, you can find a list of them with the 'show debug' command.

A possible problem with RIP occurs when multiple equal-cost paths to the same network have different speeds. Because RIP only cares about hop counts, it load-balances between these links equally; the resulting situation is called pinhole congestion.

RIP uses the following 4 timers to regulate its routing process:
- Route update timer: the interval for sending a complete copy of the routing table; default 30 seconds.
- Route invalid timer: the time without hearing about a route before it is declared invalid and route poisoning is initiated; default 180 seconds.
- Holddown timer: the time allowed for a route to come back up; default 180 seconds.
- Route flush timer: after a route is declared invalid, if it is not heard from before this timer expires, the route is flushed; default 240 seconds.
So it takes at least 7 minutes for a route to be flushed.

Here is a comparison between different routing protocols:

                       RIPv1   RIPv2   IGRP    EIGRP      ISIS        OSPF
Distance Vector        Yes     Yes     Yes     Yes        No          No
Link State             No      No      No      No         Yes         Yes
Route auto-summary     Yes     Yes     Yes     Yes        No          No
Manual route summary   No      Yes     Yes     Yes        Yes         Yes
VLSM                   No      Yes     No      Yes        Yes         Yes
Cisco proprietary      No      No      Yes     Yes        No          No
Convergence            Slow    Slow    Slow    Very fast  Fast        Fast
Size of Network        Small   Small   Large   Large      Very Large  Large

Network staff support: the source lists only five values for the six protocols (Poor, Poor, Good, Poor, Fair), so the column assignment of this row cannot be reconstructed.

Chapter 12. Link-State and Hybrid Routing Protocols

Link-State Routing Protocols and OSPF

Subnets, the status of links, and the metrics of subnets are all included in Link-State Advertisements (LSAs), which are sent to neighbors when a router first comes up. Smaller Hello packets are sent (every 30 minutes by default) to tell the others that the link is alive. In the event of a topology change, a Link-State Update (LSU) is flooded to all connected routers; these routers flood the update on to their neighbors and then recalculate the routing table using the Shortest Path First (SPF) algorithm. This is how routing loops are prevented.

Link-state routing protocols maintain 3 tables, which is CPU and memory consuming:
- Topology table, or database: contains the information received in LSAs for this area.
- Neighbor, or adjacency, table: a list of all active neighbors.
- Routing table: a list of the best routes determined by the SPF algorithm; these routes come from the topology table.

OSPF

Open Shortest Path First (OSPF) is a link-state routing protocol defined by the IETF. OSPF is classless by default: all networks must be known with their subnet masks. Link-state protocols speed up convergence and perform route summarization.

OSPF metric = 10^8 / bandwidth (in bits per second), so the smaller the value, the faster the route. 56 Kbps: metric = 1785; 64 Kbps: metric = 1562; T1: metric = 64; E1: metric = 48; 10 Mbps: metric = 10; 100 Mbps: metric = 1; 1 Gbps: metric = 1. For bandwidths over 100 Mbps, the metric is always 1 unless you change the 10^8 reference value to something bigger.

OSPF routers identify each other with a unique 32-bit Router ID. This is the highest IP address (regardless of class) assigned to an active logical interface, called a loopback interface; these interfaces can't go down unless the router is malfunctioning or turned off. It is recommended that you configure a loopback IP address (NOT in 127.0.0.0/8). If no logical interface is present, the highest IP address of an active physical interface becomes the Router ID. If there is a logical interface, its IP address overrides any physical IP address, even if it has a lower value.

Area, AS and OSPF topology

An area is a logical grouping of networks in link-state protocols; routers in different areas maintain different topology databases, while routers in the same area have identical topology databases. Area border routers (ABRs) send information between areas and automatically summarize the subnets located inside the area to the rest of the AS.

Area 0, or the backbone area, handles traffic from one area to another. If a network needs only one area, it'd be area 0. All areas must be connected to this area. This area consists of very fast backbone routers, each of which must be either an ABR or a router inside area 0.

To simplify a big network, you can divide an autonomous system (AS) into different areas. If a link goes down within an area, only devices within that area need to be notified, because the rest of the OSPF AS is aware of only the summarized route.

Area numbers range from 0 to 4,294,967,295.

A stub network has a router connected to only one other router, so a stub area has only one path in or out of the area (one ABR), which is also the default gateway and the default route. A backbone area can never be configured as a stub area.

Different OSPF interfaces can have different topologies:
- Broadcast multiaccess: multiple devices share the same network medium. Broadcasts and multicasts are heard by all devices sharing that medium (such as Ethernet).
- Non-broadcast multiaccess (NBMA): multiple devices share the same network medium. Devices cannot hear broadcasts because the medium is separated by other routers, such as with Frame Relay. This topology has slower links, thus longer timers.
- Point-to-point: has only two devices on a shared network link.

OSPF elects a Designated Router (DR) and a Backup Designated Router (BDR) in broadcast and NBMA topologies. These routers reduce update overhead, since routers send their broadcast or multicast updates to the DR and BDR rather than to every neighbor (the BDR replaces the DR in case of DR failure). If routers come alive at different times, the first one alive will be the DR and the second the BDR. However, if all routers come alive together, an election takes place, based on:
1) priority; the default value is 1 (priority = 0 -> ineligible); higher priority wins.
2) if priority is tied, the Router ID is compared; higher ID wins.
NOTE: the first winner is the DR, the second is the BDR. When a topology change occurs, an LSU is sent to the DR and BDR on 224.0.0.6. The DR then multicasts this change to all routers in the area using 224.0.0.5, the same address Hello packets use.
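Both rules above, Router ID selection (loopback first, then highest active physical address) and the priority/Router ID election of DR and BDR, as an added Python example that is not part of the exam-prep notes. The interface lists and the segment's priorities are constructed sample data.

```python
from ipaddress import IPv4Address
from typing import List, NamedTuple, Tuple


class Interface(NamedTuple):
    name: str
    ip: str
    is_loopback: bool
    is_up: bool


def _highest(candidates: List[Interface]):
    # "Highest" compares the address as a 32-bit integer, regardless of class.
    return max(candidates, key=lambda i: int(IPv4Address(i.ip)), default=None)


def select_router_id(interfaces: List[Interface]) -> str:
    """Highest IP on an active loopback wins, even if a physical interface
    carries a numerically higher address; 127.0.0.0/8 is never used.
    Fall back to the highest IP on an active physical interface."""
    loopbacks = [i for i in interfaces
                 if i.is_loopback and i.is_up and not i.ip.startswith("127.")]
    chosen = _highest(loopbacks) or _highest(
        [i for i in interfaces if not i.is_loopback and i.is_up])
    if chosen is None:
        raise ValueError("no active interface: OSPF has no Router ID")
    return chosen.ip


def elect_dr_bdr(routers: List[Tuple[str, int]]) -> Tuple[str, str]:
    """routers: (router_id, priority). Priority 0 = ineligible; the highest
    priority wins, ties are broken by the highest Router ID. The first winner
    is the DR, the second the BDR (all routers starting at the same time)."""
    eligible = [(rid, pri) for rid, pri in routers if pri > 0]
    if len(eligible) < 2:
        raise ValueError("need two eligible routers for a DR and a BDR")
    ranked = sorted(eligible,
                    key=lambda r: (r[1], int(IPv4Address(r[0]))), reverse=True)
    return ranked[0][0], ranked[1][0]


# Constructed sample: the 10.x loopback outranks the higher physical address.
R1_INTERFACES = [
    Interface("GigabitEthernet0/0", "192.168.1.1", False, True),
    Interface("GigabitEthernet0/1", "203.0.113.5", False, True),
    Interface("Loopback0", "10.0.0.1", True, True),
]

# Constructed sample: only a 127.x loopback, and the highest physical
# address is on an interface that is down.
R2_INTERFACES = [
    Interface("Loopback0", "127.0.0.1", True, True),
    Interface("GigabitEthernet0/0", "172.16.4.1", False, True),
    Interface("GigabitEthernet0/1", "172.16.9.1", False, False),
]

# Constructed sample segment: R3 has the highest priority, 192.0.2.9 is
# ineligible, and the two priority-1 routers tie on priority.
SEGMENT = [("10.0.0.1", 1), ("10.0.0.2", 1), ("10.0.0.3", 100), ("192.0.2.9", 0)]
SEGMENT_EQUAL = [("10.0.0.1", 1), ("10.0.0.2", 1), ("192.0.2.9", 1)]

if __name__ == "__main__":
    print("R1 Router ID:", select_router_id(R1_INTERFACES))
    print("R2 Router ID:", select_router_id(R2_INTERFACES))
    print("DR, BDR:", elect_dr_bdr(SEGMENT))
```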

When an OSPF router first comes alive, it multicasts a Hello message out of all OSPF interfaces to 224.0.0.5. Information contained in the Hello message includes: router ID, hello/dead intervals, known neighbors, area ID, priority, DR address, BDR address, authentication password (similar to RIPv2), and stub area flags (if the area is configured as a stub area). A router that receives this Hello message adds that neighbor to its neighbor table only if the configuration matches its own.

No update information has been exchanged at this point. If the topology has a DR elected (indicated in Hello messages), this router synchronizes its topology table with the DR, because the DR always has the latest information. If the topology is point-to-point, the two routers synchronize with the neighbor on the other side of the link. Now the device is said to have formed an adjacency, and the router runs the SPF algorithm to calculate the best routes to each subnet.

Configuring OSPF

The first step is to configure loopback interfaces with ʻ(config)#interface loopbackʼ followed by an identifying number. Then use ʻip addressʼ; note that the subnet mask, or host mask, is 255.255.255.255. This mask is used since this interface doesn't connect to anything.

Enter OSPF configuration with ʻrouter ospfʼ followed by a process ID, an arbitrary value ranging from 1 to 65535 that tracks different OSPF processes. This number is local and does not have to be equal in all router configurations.

OSPF uses a wildcard, or inverse, mask to tell IOS about its subnets. Every octet in the wildcard mask complements the corresponding octet in the subnet mask; the two add up to 255. Enter the ʻnetworkʼ command followed by the IP network address -> inverse mask -> ʻareaʼ followed by the area number. Here are some other ways you can specify the subnetworks.

Command                                   Description
network 192.168.1.1 0.0.0.0 area 0        The interface with the IP address 192.168.1.1 and its subnet are advertised in OSPF
network 192.168.0.0 0.0.255.255 area 0    Interfaces and their subnets starting with 192.168 are advertised in OSPF
network 192.0.0.0 0.255.255.255 area 0    Interfaces and their subnets starting with 192 are advertised in OSPF
network 0.0.0.0 255.255.255.255 area 0    All interfaces and their subnets are advertised in OSPF
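How the wildcard mask in a ʻnetworkʼ statement selects interfaces, as an added Python example that is not part of the notes: it derives a wildcard from a subnet mask, tests an interface address against a statement bit by bit, and applies the table's statements to a constructed set of interfaces. The rule that overlapping statements are resolved most-specific first is an assumption of this example.

```python
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

Statement = Tuple[str, str, int]   # (network address, wildcard mask, area)


def wildcard_from_mask(subnet_mask: str) -> str:
    """Each wildcard octet is 255 minus the subnet-mask octet."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def network_matches(address: str, wildcard: str, iface_ip: str) -> bool:
    """A 0 bit in the wildcard must match the statement; a 1 bit is ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(address)) & care == int(IPv4Address(iface_ip)) & care


def ospf_interfaces(statements: List[Statement],
                    interfaces: Dict[str, str]) -> Dict[str, Tuple[str, int]]:
    """interfaces: {name: "ip/prefixlen"}. Returns {name: (advertised subnet, area)}
    for every interface some statement covers. Overlapping statements are
    resolved most-specific first (fewest wildcard 1-bits): an assumption here."""
    ordered = sorted(statements,
                     key=lambda s: bin(int(IPv4Address(s[1]))).count("1"))
    enabled = {}
    for name, cidr in interfaces.items():
        iface = IPv4Interface(cidr)
        for address, wildcard, area in ordered:
            if network_matches(address, wildcard, str(iface.ip)):
                # The interface's own subnet is advertised, not the statement's
                enabled[name] = (str(iface.network), area)
                break
    return enabled


# Constructed sample: the first three statements from the table above, each
# placed in a different area so the most-specific match is visible.
STATEMENTS = [
    ("192.168.1.1", "0.0.0.0", 0),
    ("192.168.0.0", "0.0.255.255", 1),
    ("192.0.0.0", "0.255.255.255", 2),
]
INTERFACES = {
    "GigabitEthernet0/0": "192.168.1.1/24",
    "GigabitEthernet0/1": "192.168.50.1/26",
    "Serial0/0/0": "192.200.1.1/30",
    "Loopback0": "10.0.0.1/32",        # covered by none of the statements
}

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))
    for name, (subnet, area) in ospf_interfaces(STATEMENTS, INTERFACES).items():
        print(f"{name}: advertises {subnet} in area {area}")
```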

The above are necessary configurations, while these are optional:
• To configure an area as a stub, use ʻarea area-number stubʼ.
• To automatically summarize a set of networks, use ʻarea area-number rangeʼ followed by the IP network address and the subnet mask of the summarized network.
• To redistribute the default route into OSPF so that it is learned dynamically by other OSPF routers, use the ʻdefault-information originateʼ command.
• To manually change the cost of a route, use ʻ(config-if)#ip ospf costʼ followed by the cost. To manually override the priority, use ʻ(config-if)#ip ospf priorityʼ followed by the priority.

To create a loopback interface in SDM: ʻConfigureʼ -> ʻInterfaces and Connectionsʼ -> ʻEdit Interface/Connectionʼ tab -> ʻAddʼ button -> ʻNew Logical Interfaceʼ -> ʻLoopbackʼ. To configure OSPF parameters: ʻConfigureʼ -> ʻRoutingʼ -> ʻDynamic Routingʼ section -> ʻEditʼ button.

To verify your configuration, the ʻshow running-configʼ, ʻshow ip protocolsʼ and ʻshow ip routeʼ commands can be used to view the status of OSPF and its routing table. Routes marked O IA are routes learned from an ABR. To see the neighbor table, use the ʻshow ip ospf neighborʼ command. In the output, Neighbor ID is the neighbor's router ID, Pri = priority, and State = DR, BDR, or DROTHER. To see the topological database, use ʻshow ip ospf database summaryʼ. In the output, Link State ID is the network address of the network in question and Advertising Router is the ABR. The ʻshow ip ospf interfaceʼ command reveals everything you need to know about OSPF on all interfaces running OSPF.
NOTE: both ʻshow ip ospf neighborʼ and ʻshow ip ospf interfaceʼ show the DR/BDR routers.

To debug OSPF events, use the ʻdebug ip ospf eventsʼ command; you will see a list of Hello LSAs. Note that real routing information is not included in these. There is also ʻdebug ip ospf packetsʼ.

Balanced Hybrid Operations

The most popular hybrid routing protocol (Cisco proprietary) is EIGRP, an enhanced version of IGRP. It uses a 32-bit cumulative composite metric made up of bandwidth and delay (each multiplied by 255). These values are automatically assigned to an interface, whether or not a routing protocol is used. Optional metric factors include reliability, load and MTU ("BW", "DLY", "reliability", and "txload" in ʻ#show interfaceʼ).

EIGRP offers load balancing over up to 6 unequal-cost paths (4 by default) and has a maximum hop count of 224. EIGRP has neighbor, topology, and routing tables and multicasts to 224.0.0.10. Different topologies use different timers: point-to-point and broadcast topologies have a 5-second hello interval and a 15-second dead timer, whereas NBMA topologies such as Frame Relay have a 60-second hello interval and a 180-second dead timer (different from OSPF).

EIGRP introduced a new algorithm called the Diffusing Update Algorithm (DUAL) to prevent loops and promote fast convergence. EIGRP can route IP, IPX, and AppleTalk. Remember that EIGRP maintains separate tables for each routed protocol: if you use all 3 protocols at once, EIGRP maintains 9 tables.

EIGRP can automatically perform redistribution since external (AD = 170) networks are tagged, while internal (AD = 90) ones are not. EIGRP supports classful (default) and classless operation.

Advertised distance is the next-hop router's metric to the destination network. Feasible distance is the local router's metric to the destination network; feasible distance = advertised distance + local router metric to the next hop. The route with the smallest feasible distance is the successor route. Equal-metric routes are all called successor routes, while all other possible routes to the remote network are feasible successors. Feasible successors are meant to replace successors when they fail; these routes are chosen only if 1) the route will not cause a loop and 2) the advertised distance from the next hop is less than the successor's feasible distance.
NOTE: successor routes -> routing table, feasible successors -> topology table.

If a destination network does not have a feasible successor, it is in the passive state. When the successor fails, the network enters the active state, since the router actively queries its directly connected neighbors for routes to the remote network. When a new route is found, it becomes the successor; the querying router has to wait until responses from all neighbors are received (stuck in active, SIA timer = 180 seconds) to prevent loops.

Stub routing is implemented in EIGRP for hub-and-spoke topologies. If a spoke network becomes inaccessible, the router (configured as a stub) connected to the down network immediately denies access, thus speeding up convergence. To configure it, use ʻ(config-router)#eigrp stubʼ.

EIGRP can support IPv6 using protocol-dependent modules.

Configure EIGRP

To configure EIGRP, you must first assign a unique AS number (from 1 to 65535) to all routers running EIGRP in the same administrative domain (the number must match), with ʻ(config)#router eigrpʼ followed by the AS number. Then use ʻ(config-router)#networkʼ followed by the major network address (EIGRP is classful by default); the network address can be followed by a wildcard mask (NOT a subnet mask). To run classless, use ʻno auto-summaryʼ. This supports VLSM, discontiguous networks, and route summarization at any bit level. If auto-summarization is turned off, you must manually configure route summaries with ʻ(config-if)#ip summary-address eigrpʼ followed by the network address and then the subnet mask.

All WAN connections on a serial interface are assumed to run at 1544 Kbps; to change this (if you are using another speed), use ʻbandwidthʼ followed by the speed you want, in interface configuration mode.

To use unequal-cost load balancing with ʻvarianceʼ, follow it with a number from 1 to 128 (1 = equal-cost load balancing). The number n means load balancing to a destination is shared among routes:
1) that have a metric <= n * metric-of-successor-route.
2) Exception: if the next-hop router (of a feasible successor) has an advertised distance greater than the feasible distance of the current successor route, the route will not be used in unequal load balancing and stays in the topology table.
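The successor / feasible successor classification and the ʻvarianceʼ rule, as an added Python example that is not part of the notes. It serves both the feasibility-condition passage above and the variance passage; the paths and their metrics are constructed sample values (plain integers, not real composite EIGRP metrics).

```python
from typing import Dict, List, NamedTuple


class Path(NamedTuple):
    next_hop: str
    advertised_distance: int   # next hop's own metric to the destination (AD)
    link_metric: int           # local router's metric to that next hop

    @property
    def feasible_distance(self) -> int:
        # FD = AD + metric of the local link to the next hop
        return self.advertised_distance + self.link_metric


def classify(paths: List[Path]) -> Dict[str, List[Path]]:
    """Successors: every path sharing the lowest FD (they go to the routing
    table). Feasible successors: the remaining paths whose AD is lower than
    the successor FD, the loop-free condition (they stay in the topology table)."""
    if not paths:
        raise ValueError("no paths to the destination")
    best_fd = min(p.feasible_distance for p in paths)
    successors = [p for p in paths if p.feasible_distance == best_fd]
    feasible = [p for p in paths
                if p.feasible_distance > best_fd and p.advertised_distance < best_fd]
    return {"successors": successors, "feasible_successors": feasible}


def load_balanced_paths(paths: List[Path], variance: int) -> List[Path]:
    """Paths installed with 'variance n': FD <= n * successor FD, and the
    feasibility condition (AD < successor FD) must still hold, so a path with
    a low FD but a high AD is excluded even if it is within the variance."""
    if not 1 <= variance <= 128:
        raise ValueError("variance must be between 1 and 128")
    best_fd = min(p.feasible_distance for p in paths)
    return [p for p in paths
            if p.feasible_distance <= variance * best_fd
            and p.advertised_distance < best_fd]


# Constructed sample: four next hops to the same remote network.
PATHS = [
    Path("A", advertised_distance=20, link_metric=10),   # FD 30: successor
    Path("B", advertised_distance=25, link_metric=20),   # FD 45, AD 25 < 30: feasible
    Path("C", advertised_distance=35, link_metric=5),    # FD 40, AD 35 >= 30: not feasible
    Path("D", advertised_distance=10, link_metric=100),  # FD 110, AD 10 < 30: feasible
]

if __name__ == "__main__":
    for role, group in classify(PATHS).items():
        print(role, [p.next_hop for p in group])
    for v in (1, 2, 4):
        print(f"variance {v}:", [p.next_hop for p in load_balanced_paths(PATHS, v)])
```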

To use the 192.168.1.0 network in your routing table as a gateway of last resort, use ʻip default-network 192.168.1.0ʼ.

ʻshow ip protocolsʼ, ʻshow ip routeʼ, ʻshow ip eigrp neighborsʼ, and ʻshow ip eigrp topologyʼ can be used to display information about EIGRP. In ʻshow ip routeʼ, D EX refers to a route learned through another routing source and redistributed into EIGRP.

Troubleshoot with ʻdebug ip eigrpʼ.

Chapter 13. Foundation Switching Operations

Switch Ethernet interfaces = ports. Half-duplex (1x data rate) utilizes 50-60% of the bandwidth (due to collisions) and uses CSMA/CD, while full-duplex (2x data rate) doesn't use CSMA/CD but utilizes 100% of the bandwidth (the wire pairs otherwise used for collision detection carry data). You can only run half duplex when using a hub.

Switch operation

Switches forward frames to their destination based on the destination MAC address stored in the Content Addressable Memory (CAM) table. These entries are learned from the source MAC addresses of the frames arriving on each port. When a frame arrives, the switch checks its CAM table for the destination MAC address. If there is a match, the frame is sent only to that client; this is filtering (no excess traffic). If no match is found, or if the destination MAC address is a broadcast (FFFF.FFFF.FFFF) or multicast (0100.5E00.0000-0100.5E7F.FFFF) address, the frame is sent to all connected devices (except the sending device); this is flooding.

MAC entries in the CAM table are deleted after 300 seconds of inactivity (no sending or receiving), except static MAC addresses (configured on a per-port basis).

Switches differ in the way they process and forward frames; here are some methods:
‣ Store-and-Forward: buffers the entire frame and checks the Cyclic Redundancy Check (CRC) / Frame Check Sequence (FCS). If the CRC of the frame is fine, it is forwarded to the destination; if not, the frame is dropped. This method adds some workload on the switch (variable latency or delay), but for fast switches it's not a problem.
‣ Cut-through: the switch waits only for enough bits to read the destination MAC address and then sends the frame. It does not contain any error-checking mechanism. This is used in latency-sensitive situations, where low-processing-power switches are used.
‣ Fragment-free is a hybrid of the above methods. It buffers the first 64 bytes of the frame (where all collisions occur). It blocks invalid frames by making sure the frames were not involved in a collision.

A frame is made up of: Preamble (7 bytes) -> start of frame (1) -> destination address (6) -> source address (6) -> frame length (2) -> data (up to 1500) -> CRC/FCS (4).

Switch loops

A switching loop can occur when there is more than one switch (forming a redundant network) on the network. When a switching loop occurs, unwanted effects such as broadcast storms form and fill up the bandwidth. This can be avoided with the Spanning Tree Protocol (STP), a once-proprietary protocol from DEC, now defined in 802.1D.

STP works in the LLC sublayer and is enabled by default. STP forms non-looping paths throughout the network by performing an election and calculations which dictate which ports will remain in a blocking state. STP provides redundant links when the primary link fails.

Every device assumes it is the Root Bridge when it starts up. An election is performed (when the network topology changes) by comparing the devices' Bridge IDs, which are composed of the administrative bridge priority and the bridge MAC address. Priority is examined first; it is an arbitrary number ranging from 0 to 61440 (in increments of 4096), with the default set to 32768 (0x8000). It is written before the MAC address and separated from it by a colon. The device with the lowest Bridge ID becomes the Root Bridge.

Bridge IDs are advertised to bridges/switches by the Root Bridge (most of the time) using Bridge Protocol Data Units (BPDUs) every 2 seconds. BPDUs also contain the cost of a route (the main factor in the port decision, the mechanism that decides which port is Root/Blocked/Designated). Cumulative cost is the inverse of the bandwidth of a link: the lower the cumulative cost, the faster the path. The cost for 10 Gbps is 2, for 1 Gbps 4, for 100 Mbps 19, and for 10 Mbps 100. The costs of the different segments are added together for remote destinations.

After the Root Bridge is determined, each non-root switch/bridge communicates with the Root Bridge through its fastest port, the Root Port (1 per device). A Designated Port is used to communicate with other switches; all ports on the Root Bridge are designated ports.

To prevent loops, every port that is neither designated nor root is blocked, that is, in a state of not forwarding data; the port can still receive BPDUs. This port is located on the switch with the largest Bridge ID.

All Root/Designated ports are determined by:
1. The port whose connected switch advertises the lowest Bridge ID.
2. If the Bridge ID is the same (parallel links to the same switch), the lowest port priority is used. The port priority is an arbitrary number assigned to an interface that can be administratively set to prefer one link over another. The default value is 128.
3. If the port priority is equal, the lowest interface number is chosen.
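Root Bridge election by Bridge ID and Root Port selection by cumulative path cost, using the cost table and tie-breakers above, as an added Python example that is not part of the notes. The three-switch topology is constructed sample data; all port priorities are assumed to be at the default 128, so only the neighbor's Bridge ID and the local port number break ties.

```python
import heapq
from typing import Dict, List, NamedTuple, Tuple

# STP port cost per link speed (Mbps), as quoted in the notes
COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


class Switch(NamedTuple):
    name: str
    mac: str
    priority: int = 32768        # 0x8000 default


class Link(NamedTuple):
    a: str
    port_a: int
    b: str
    port_b: int
    speed_mbps: int


def bridge_id(sw: Switch) -> Tuple[int, int]:
    """Priority compared first, then MAC; the lowest tuple wins."""
    if sw.priority % 4096 or not 0 <= sw.priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return sw.priority, int(sw.mac.replace(".", "").replace(":", ""), 16)


def elect_root(switches: List[Switch]) -> Switch:
    return min(switches, key=bridge_id)


def root_ports(switches: List[Switch], links: List[Link],
               root: Switch) -> Dict[str, Tuple[int, int]]:
    """Returns {switch: (root port number, cumulative cost to root)} for every
    non-root switch. Costs are summed per segment (Dijkstra from the root);
    ties use the neighbor's Bridge ID, then the lowest local port number."""
    ids = {s.name: bridge_id(s) for s in switches}
    adj: Dict[str, List[Tuple[str, int, int]]] = {s.name: [] for s in switches}
    for a, pa, b, pb, speed in links:
        adj[a].append((b, pa, COST[speed]))
        adj[b].append((a, pb, COST[speed]))
    dist = {name: float("inf") for name in adj}
    dist[root.name] = 0
    heap = [(0, root.name)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, _port, c in adj[u]:
            if d + c < dist[v]:
                dist[v] = d + c
                heapq.heappush(heap, (dist[v], v))
    result = {}
    for name in adj:
        if name == root.name:
            continue                       # every root bridge port is designated
        _nb, port, _c = min(adj[name],
                            key=lambda e: (dist[e[0]] + e[2], ids[e[0]], e[1]))
        result[name] = (port, dist[name])
    return result


# Constructed sample: SW2 has the highest MAC but a lower priority, so it wins.
SWITCHES = [
    Switch("SW1", "0000.0000.0001"),
    Switch("SW2", "0000.0000.0002", priority=4096),
    Switch("SW3", "0000.0000.0003"),
]
# SW1's direct 100 Mbps link to the root (cost 19) loses to the two-hop
# 1 Gbps path through SW3 (4 + 4 = 8), so SW1's root port is port 2.
LINKS = [
    Link("SW1", 1, "SW2", 1, 100),
    Link("SW2", 2, "SW3", 1, 1_000),
    Link("SW1", 2, "SW3", 2, 1_000),
]

if __name__ == "__main__":
    root = elect_root(SWITCHES)
    print("Root Bridge:", root.name)
    print(root_ports(SWITCHES, LINKS, root))
```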

If a port doesn't hear from its connected neighbor in 20 seconds (max age timer), the neighbor is considered dead (topology change). The switch this port belongs to sends a special BPDU called a Topology Change Notification (TCN) to the Root Bridge. When it arrives, the Root Bridge broadcasts a special BPDU to all switches telling them to remove MAC addresses not active for 37.5 seconds.

In a network, a port can be in one of the disabled, blocking, listening, learning, and forwarding states. Disabled means the interface is shut down. In the listening state, the port listens to BPDUs but does not send data. The learning state builds the CAM table from the MAC addresses learned, and still doesn't send data. Both the listening and the learning state take 15 seconds to transition, while the blocking state takes somewhere from 0 to 20 seconds. A port moves to the listening state and then to the learning state; this process takes a total of 30 seconds and is called the forward delay. So an STP topology change can take from 30 to 50 seconds.

The max age (20 s) and forward delay (30 s) timers are based on a network diameter of 7 switches including the root bridge (7 switches between host A and host B). These timers are dictated by the Root Bridge by default. To change the timers, you configure the changes only on the Root Bridge. A very small configured diameter could cause switching loops if you add more switches to the network and don't increase the timers.

Switch Configuration and Troubleshooting

Switches can be configured remotely by assigning an IP address to a VLAN interface. Enter interface configuration mode for the VLAN and type ʻip addressʼ followed by the switch's IP address and subnet mask (or ʻip address dhcpʼ, and show the DHCP information with ʻshow dhcp leaseʼ), then ʻno shutdownʼ. For remote configuration you also need ʻip default-gatewayʼ followed by the default gateway address, in global configuration.

You can configure multiple switch interfaces at once using ʻinterface rangeʼ followed by the interface type (GigabitEthernet, etc.), the first interface number, ʻ-ʼ, and the last interface number.

To set the priority, use ʻ(config)#spanning-tree vlan VLAN-number priorityʼ followed by the priority. To automatically make a switch the Root Bridge, use ʻspanning-tree vlan VLAN-number root primaryʼ; the above commands are used in global configuration. With ʻ(config)#spanning-tree vlanʼ + VLAN number you can also change the Hello and dead timers. To change the default cost, use ʻspanning-tree costʼ followed by the cost, in interface configuration mode.

To verify your STP configuration, use the ʻshow spanning-treeʼ command; to watch its current activity, use the ʻdebug spanning-treeʼ command.

If you can't connect through the console: 1) is the switch powered on and operating correctly? 2) is the terminal application using the correct settings? 3) did someone change your password?

If you can't connect remotely: 1) is the switch powered on and operating correctly? 2) use ʻpingʼ and ʻtracerouteʼ to make sure the routers are working well, and also check the default gateway; 3) did someone change your password?

If the switch can't forward frames: 1) is the switch powered on and are the ports operating correctly? 2) the ʻshow interfaceʼ command tells you whether an interface is administratively shut down (down/down), has an incorrect speed and duplex (the interface bounces up and down), or is up/down (excessive collisions).

If the switch works intermittently: 1) check whether STP is running with ʻdebug spanning-treeʼ.

Chapter 14. Enhanced Switching Operations

PortFast, UplinkFast, and BackboneFast

STP provides a loop-free environment in as much as 50 seconds, but there are ways to reduce this. One of them is PortFast, which lets a port enter the forwarding state directly to enable instant data transfer. You must not plug a switch into an interface with PortFast enabled, since this may create a loop. BPDU Guard watches ports with PortFast on and shuts a port down when a BPDU is received on it (since the interface is not supposed to be part of STP). To configure PortFast and BPDU Guard per interface: ʻ(config-if)#spanning-tree portfastʼ and ʻ(config-if)#spanning-tree bpduguard enableʼ. Or, globally: ʻ(config)#spanning-tree portfast bpduguard defaultʼ and ʻ(config)#spanning-tree portfast defaultʼ.

Suppose you have switches in both the access and distribution layers, with the Root Bridge at the distribution layer. When the Root Bridge fails, you may want to replace it with another switch quickly; this can be done with UplinkFast. For UplinkFast to work, the access layer switch must 1) have direct knowledge of the link failure (the link to the switch), 2) have one port in a blocking state, and 3) the link failure must be on the root port. To enable it, use ʻspanning-tree uplinkfastʼ in global configuration.

Suppose you have a failure between switches in the distribution layer, where all of these switches connect to the access layer switch. The non-root bridge communicates through the access layer switch to reach the Root Bridge instead of advertising itself as the new Root Bridge. This case is called BackboneFast: ʻ(config)#spanning-tree backbonefastʼ.

To verify, use ʻ#show spanning-tree summaryʼ. NOTE: the above features can only be implemented in an all-Cisco network.

EtherChannel bundles individual physical links to form a single logical link. If one link fails, the remaining links take over quickly and load-balance new streams. To configure it, use ʻ(config-if-range)#channel-groupʼ + group-number + ʻmode onʼ; this creates a new logical interface that can be accessed with ʻ(config)#interface Port-channelʼ followed by the group number.

RSTP and PVST

To enable fast convergence in non-Cisco networks, use Rapid STP (RSTP), 802.1w; it is backward-compatible (can interoperate) with 802.1D. In RSTP, a port can be disabled, discarding (blocking + listening), learning, or forwarding. There are also Alternate ports (a blocking port that becomes the root port if the root port fails; it immediately begins forwarding) and Backup ports (a discarding port that becomes the designated port if the designated port fails; it immediately begins forwarding).

In RSTP, a full-duplex link between switches is link-type point-to-point (such as to another switch), and a half-duplex link is called link-type shared (such as to a hub). Non-switch/hub devices are edge connections (such as computers). RSTP manages to converge link-type point-to-point and edge connections faster than link-type shared.

Each switch generates its own BPDU messages, which are passed to the next switch. These messages let the other switches know it's alive; 3 misses are considered down. If an RSTP switch receives a BPDU from an 802.1D STP switch, only STP BPDUs are sent back. When a topology change is detected, the TCN is broadcast to all switches (from the switch that detected the anomaly) instead of going through the Root Bridge.

For edge connections, PortFast is configured. If a BPDU is received, the port immediately transitions to link-type point-to-point. When a point-to-point link comes up between two switches, a handshake occurs between the two switches using BPDUs to establish their local port roles.

To transition a port to the forwarding state in RSTP, the proposal/agreement handshake is used. When switch A (having received a BPDU) calculates a local port to be the designated port for a segment, it immediately sends a proposal to its neighbor to transition to the forwarding state. When RSTP switches receive proposals, they determine the Root Port (the port that received the proposal) and put all non-edge ports in the discarding state to avoid loops. The process of blocking all non-edge point-to-point links is called synchronization, or sync. However, if the port is in a blocking state, no message is sent in reply, and the other port remains in the discarding state.

When switch B has successfully synced all its ports, it sends an agreement back to switch A to allow forwarding (from the Root Port) and starts learning MAC addresses. When switch A receives the agreement message on its designated port, it immediately begins forwarding and learning MAC addresses as well.

Chapter 15. Virtual LAN

Each VLAN represents a separate broadcast domain in which only devices within the same VLAN can communicate with each other. There is also a separate STP instance running for each VLAN; this is called per-VLAN STP, or PVST.

VLANs can be assigned statically, dynamically, or protocol-based (voice VLAN). Switch ports statically assigned to a VLAN are called access ports. When multiple VLANs are assigned to a port, the port receives and sends only traffic that traverses those VLANs. This method takes a lot of work and is subject to human error. Dynamically assigned VLAN membership requires a VLAN Membership Policy Server (VMPS); this can be a server or a high-end switch that associates every MAC address with a VLAN. This method takes a lot of initial setup and database maintenance.

Your switch has a default native VLAN, VLAN 1, that is used to manage access ports. Remember that you cannot assign an IP address to the switch itself, but you can assign an IP address to a VLAN to remotely manage your switch. If you change the VLAN on the port to which your management station or your router (if managing it remotely) is connected, you lose the ability to manage the switch with Telnet, SSH, HTTP, or SNMP.

To create a VLAN, assign it a number between 2 and 1001 and place it after ʻ(config)#vlanʼ. Other than the numeric identifier, you may choose to give the VLAN a name by placing it after ʻ(config-vlan)#nameʼ. By default, if you do not assign a VLAN name, it will look like VLAN+VLAN-ID. Finally, you assign it to a switch port. VLAN-specific configurations are permanently stored in Flash (vlan.dat). To statically assign a VLAN to a port, use ʻ(config-if)#switchport access vlanʼ followed by the VLAN number. The VLAN definitions will not be displayed in the running or startup config. To verify them, use ʻshow vlanʼ.

VLANs can span multiple interconnected switches; the traffic is carried over interfaces called trunks. Trunk links need to be at least 100 Mbps since they carry all the traffic between 2 switches. As frames leave one switch, a VLAN identifier is added to the frame header; as the frames are received by the other switch, the VLAN identifier helps it forward the frame to the correct VLAN, and the identifier is removed so the process is transparent to the end user. This process of sending multiple messages destined for different users over one link is called multiplexing.

One trunking method is Inter-Switch Link (ISL, Cisco-proprietary), which encapsulates the original frame, adding a 26-byte header and a 4-byte CRC trailer; the frame exceeds the MTU and is dropped unless the other switch supports ISL (and recognizes this giant). Switches supporting ISL also have to be connected point-to-point (no IP address on the sub-interface).

On the other hand, an 802.1Q (IEEE standard) trunk inserts a 4-byte VLAN identifier into the frame header (after the source address). This does not increase the frame size much, so the frame can pass through non-802.1Q intermediary devices without being dropped. Since the header is changed, the FCS (error-checking) field must be recalculated.

802.1Q also assigns a native VLAN; this means a frame can go untagged from one switch to another if both switches have configured the same native VLAN. Thus there is no need to insert the VLAN identifier or to recalculate the FCS field. However, the native VLAN must be the same on both switches, or information will leak into other, unwanted VLANs. By default, the native VLAN is VLAN 1.
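The 802.1Q tag insertion, FCS recalculation and native-VLAN behaviour described in the two paragraphs above, as an added Python example that is not part of the notes. The Ethernet frame is constructed sample data; the FCS is computed as the standard IEEE CRC-32 (zlib.crc32, transmitted little-endian), and the receiving side shows why a native-VLAN mismatch drops an untagged frame into the wrong VLAN.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # EtherType value that marks a tagged frame


def fcs(frame_without_fcs: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over everything after the preamble/SFD."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def verify_fcs(frame: bytes) -> bool:
    return len(frame) > 18 and fcs(frame[:-4]) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def tag_frame(frame: bytes, vlan_id: int, native_vlan: int = 1, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the source address and recompute the FCS.
    Frames belonging to the trunk's native VLAN are sent untagged."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if vlan_id == native_vlan:
        return frame                      # no tag, no FCS recalculation
    body = frame[:-4]                     # drop the old FCS
    tci = (pcp << 13) | vlan_id           # 3-bit priority, 1-bit DEI (0), 12-bit VID
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def untag_frame(frame: bytes, native_vlan: int = 1):
    """Receiving side: returns (vlan_id, frame without tag). An untagged frame
    is assigned to *this* switch's native VLAN, which is exactly how a native
    VLAN mismatch leaks a frame into an unintended VLAN."""
    if not verify_fcs(frame):
        raise ValueError("FCS mismatch: frame corrupted or tag not recalculated")
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return native_vlan, frame
    vlan_id = struct.unpack("!H", body[14:16])[0] & 0x0FFF
    stripped = body[:12] + body[16:]
    return vlan_id, stripped + fcs(stripped)


# Constructed sample frame: broadcast, locally administered source MAC,
# IPv4 EtherType, minimum 46-byte payload.
SAMPLE_FRAME = build_frame(
    dst=bytes.fromhex("ffffffffffff"),
    src=bytes.fromhex("02005e001234"),
    ethertype=0x0800,
    payload=b"\x00" * 46,
)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vlan_id=10)
    print(len(SAMPLE_FRAME), "->", len(tagged), "bytes after tagging")
    print("received on VLAN", untag_frame(tagged)[0])
    print("untagged frame lands in VLAN", untag_frame(SAMPLE_FRAME, native_vlan=99)[0])
```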

To configure trunking, first select the method you want to use. Enter interface configuration mode (for an interface that is already assigned to a VLAN), then use ʻswitchport trunk encapsulationʼ followed by isl or dot1q. Now, to make the access port start trunking, use ʻswitchport mode trunkʼ.

Dynamic Trunking Protocol (DTP) dynamically enables the trunking process (discussed above). It is a Cisco proprietary protocol whose default state is desirable. The modes are:
• Access: doesn't trunk; contains a single VLAN.
• Trunk: permanently trunks and negotiates trunking.
• Dynamic Desirable: negotiates trunking if the other side is trunk, desirable, or auto.
• Dynamic Auto: negotiates trunking if the other side is trunk or desirable.
• Nonegotiate: does not use DTP but permanently trunks (to connect to a non-Cisco switch).

ʻshow interface trunkʼ shows the status of the interfaces running as trunks. Such an interface will not be shown in the output of ʻshow vlanʼ since it is no longer an access port.

The Cisco proprietary VLAN Trunking Protocol (VTP) makes configuring VLANs a lot easier within an established VTP domain; its messages are multicast to 0100.0CCC.CCCC. Switches using VTP can be:
• Client: listens to server configurations but cannot add, remove or change configurations. These switches also propagate the advertisements to other switches to ensure they are heard across the entire VTP domain. However, client switches do not permanently store VLAN information in their VLAN database; they forget the configuration once they are shut down.
• Server: can add, remove and change configurations, which are propagated throughout the network. All switches are in server mode by default. After changes are made to the configuration, they are multicast out (along with the revision number) to all switches, which use the new configuration (if the revision number is higher than their current revision number) and store it in vlan.dat in Flash. If the revision number is equal or lower, switches do not accept the new configuration.
• Transparent: allowed to modify their local configuration without broadcasting the updates in the domain; these switches do not use the configurations provided by the server. Their configuration is stored in their own VLAN database. However, if this switch connects other client switches and the server switches send updates, the transparent switch will help deliver the updates from the server to the clients. In this mode you need to use the extended-range VLAN numbers (supported by 802.1Q) of 1006 to 4094 (these VLANs are not recognized by VTP, thus transparent to it). Information in this mode is shown in the running and startup config, and the revision number = 0.

VTP pruning determines whether or not a frame for a given VLAN is forwarded to a particular switch.

To configure VTP, enter the domain name with ʻ(config)#vtp domainʼ followed by the domain name, then ʻ(config)#vtp passwordʼ followed by the password (must be the same throughout the domain), and ʻ(config)#vtp modeʼ followed by transparent/server/client.

ʻshow vtp statusʼ displays the revision number of the VTP updates from the server, the operating mode, domain name, pruning status, and the MD5 digest of the password.

To route between VLANs, you need either a Layer 3 switch or a router-on-a-stick (most effective). With router-on-a-stick, the router sees all the VLAN traffic over a single link (a trunk link) by dividing one physical interface into several logical sub-interfaces, each sub-interface connecting one VLAN. To create a sub-interface, use ʻ(config)#interfaceʼ followed by the interface name as slot-number/module-number.sub-interface-number. It is good practice to use a sequential number (this number is only used on the router side); you do not need the ʻno shutdownʼ command since it is not a physical interface. Note that the physical interface used must be at least Fast Ethernet for efficient trunking; since only one physical interface is involved, the router connects to only one switch. The IP address assigned to the sub-interface becomes the default gateway for that VLAN. You also need to specify the encapsulation type with the ʻencapsulationʼ command followed by isl or dot1q and then the VLAN number.

A Layer 3 switch is another option, but it is less common because it does not have a serial interface; it offers more routing options instead. If you decide to perform inter-VLAN routing with a Layer 3 switch, the result is called a switched virtual interface (SVI). In this case the configuration is easier, as you only need to 1) create the VLAN interface with ʻ(config)#interface vlanʼ followed by the VLAN number, and 2) assign it an IP address to use on the VLAN.

Cisco IP phones connect to switches and send IP traffic over the LAN to a gateway device that connects them to the traditional voice network. You can group these devices into a VLAN so their traffic does not mix with traffic from other VLANs (separate broadcast domain). A voice VLAN, or auxiliary VLAN, is a VLAN assigned for Voice over IP. On these ports you can configure QoS and other methods to treat voice traffic differently from data. By giving voice traffic higher priority than data traffic, you minimize the possibility that data traffic impedes the voice packets from reaching their destination and deteriorates voice quality. To configure a voice VLAN, enter interface configuration, use ʻswitchport access vlanʼ followed by the access VLAN number, then ʻswitchport voice vlanʼ followed by the voice VLAN number.

Separate VLAN = different broadcast domain = different subnet


Chapter 16. Implementing Switch Security

Physical and Basic Logical Security

The first step in any policy is controlling physical access to the device by placing it in a safe, cool place where only authorized personnel are allowed. Then you should secure logical access to the device.

Start with the console and auxiliary ports: 1) implement a strong password; 2) create a login with username and password in global configuration, and use ʻlogin localʼ at line configuration so the user is prompted for a username and password when s/he tries to log in. An alternative to ʻusername wanted-username password wanted-passwordʼ is ʻusername wanted-username secret wanted-passwordʼ, which stores the password as an MD5 hash.

Another way to secure your switch is to use SSH instead of Telnet for remote access. First, give the device a hostname and the domain name it belongs to with the ʻip domain-nameʼ command. Generate the RSA key pair (at least 1024-bit) with the ʻcrypto key generate rsaʼ command, then create a username and password (remember to use ʻlogin localʼ at line configuration). A recommended step is ʻtransport input SSHʼ (allow only SSH as remote access), which should occur before creating an account. You can also limit remote access by implementing an ACL. Other things you should do include disabling EXEC access on unused terminal access ports with ʻno execʼ at line configuration.

Switchport port-security

To secure your MAC addresses, limit them to a maximum number with ʻswitchport port-security maximumʼ followed by the number (default is 1). With the default settings this disables the interface when the maximum number of MAC addresses is exceeded. You re-enable it by administratively shutting it down and then enabling it again with ʻshutdownʼ and ʻno shutdownʼ.

ʻswitchport port-security violationʼ followed by restrict, protect, or shutdown. This command lets you choose the action taken on a violation; the default action is to shut down the interface. Restrict increments a violation counter and alerts the administrator with an SNMP trap. Protect only allows traffic from the secure MAC addresses; packets from other addresses are dropped until the number of MAC addresses drops below the maximum.

You can also specify which MAC address gets access to the port (default is 1) with the ʻswitchport port-security mac-addressʼ command followed by the address. This command has to be entered in interface configuration, after the ʻswitchport port-securityʼ command. Instead of a MAC address, you can specify the ʻstickyʼ keyword to learn the addresses dynamically and keep them.

ʻshow port-security interfaceʼ followed by an interface number (or nothing) gives information about the selected interface (or all interfaces). ʻshow port-security addressʼ displays the list of secure MAC addresses you have configured. Note that sticky MAC addresses show a type of ʻSecureDynamicʼ, while statically secured MAC addresses are shown as ʻSecureConfiguredʼ.
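The port-security behaviour described above (maximum, the three violation modes, static versus sticky versus dynamic entries, and recovery with shutdown / no shutdown), modelled in Python as an added example that is not Cisco code; the port names, MAC addresses and the reload() helper are constructed for illustration.

```python
from dataclasses import dataclass, field

# Violation modes of 'switchport port-security violation'
PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # switchport port-security maximum (default 1)
    violation: str = SHUTDOWN    # default action: shut the interface down
    sticky: bool = False         # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)  # mac -> (type, persistent)
    violation_count: int = 0     # counter incremented in restrict mode
    err_disabled: bool = False   # set once shutdown mode has fired
    snmp_traps: list = field(default_factory=list)

    def configure_mac(self, mac):
        """switchport port-security mac-address <mac>: a static secure entry."""
        self.secure_macs[mac.lower()] = ("SecureConfigured", True)

    def frame(self, src_mac):
        """Decide the fate of a frame from src_mac: 'forward' or 'drop'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # port stays down until shut/no shut
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Still room: learn the address. Sticky entries are kept in the
            # configuration and survive a reload; plain dynamic entries do not.
            self.secure_macs[mac] = ("SecureDynamic", self.sticky)
            return "forward"
        # A new address beyond the maximum: apply the violation mode.
        if self.violation == SHUTDOWN:
            self.err_disabled = True
            self.snmp_traps.append("%s err-disabled by %s" % (self.name, mac))
        elif self.violation == RESTRICT:
            self.violation_count += 1
            self.snmp_traps.append("%s violation #%d from %s"
                                   % (self.name, self.violation_count, mac))
        return "drop"                          # protect: drop silently

    def shut_no_shut(self):
        """'shutdown' then 'no shutdown' brings an err-disabled port back."""
        self.err_disabled = False

    def reload(self):
        """Constructed helper: after a reload only persistent entries remain."""
        self.secure_macs = {m: t for m, t in self.secure_macs.items() if t[1]}

    def show_port_security_address(self):
        """Rows in the spirit of 'show port-security address': (mac, type)."""
        return [(m, t[0]) for m, t in self.secure_macs.items()]
```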

VLAN security

VLAN security can be compromised when an attacker figures out the IP address of the management VLAN (by default, VLAN 1); this logical interface carries the PVST, VTP, and CDP traffic running on the VLAN. You can prevent a potential attack by 1) administratively shutting down all unused interfaces and putting unused ports into a dummy VLAN, and 2) using another VLAN as the management VLAN.

By default, traffic for all VLANs goes across the trunk. You can limit the data travelling over the trunk with ʻswitchport trunk allowed vlanʼ followed by a VLAN list such as 1-50,60,70. Verify this with the ʻshow interfaces trunkʼ command (the STP and active VLAN lists will reflect your selection). You can further edit the VLAN list with the ʻswitchport trunk allowed vlan addʼ, ʻswitchport trunk allowed vlan removeʼ, or ʻswitchport trunk allowed vlan exceptʼ commands.

CDP, or Cisco Discovery Protocol, should be disabled whenever possible (mostly on switch ports connected to end devices) by configuring ʻno cdp enableʼ on individual interfaces in privileged EXEC, or disabled globally with ʻno cdp runʼ in global configuration.

You can increase VTP security by setting a password with ʻ(config)#vtp passwordʼ followed by the password you want.


Chapter 17. Understanding Wireless Networking

A LAN can operate as Ethernet or Token Ring. However, Ethernet stands out as the winner even though Token Ring has no collisions, because Ethernet is faster.

Wireless LAN (WLAN) is defined and standardized by:
๏ International Telecommunication Union-Radiocommunication Sector (ITU-R): regulates the radio frequencies (RF) used for wireless transmission
๏ Institute of Electrical and Electronic Engineers (IEEE): maintains the 802.11 wireless transmission standards
๏ Wi-Fi Alliance: ensures certified interoperability between 802.11 wireless vendors

Devices connecting to a wireless AP (WAP) operate in half-duplex using CSMA/CA, since there is no collision detection. WLANs also suffer from limited range and signal interference, but most RF signal degradation is due to the path the signal travels. Every object the signal must pass through can degrade it in some way. Reflective surfaces, such as metal or glass, cause RF waves to bounce off. Uneven surfaces, such as a gravel road, piles of merchandise in a warehouse, a desk, or a cubicle, cause the signal to reflect and scatter in many directions. Finally, as wireless signals pass through physical objects, they are absorbed; the absorption rate differs depending on the material the signal passes through. There is also interference.

WLANs run in the unlicensed wireless bands established by the US Federal Communications Commission (FCC) but free of regulation; this means a wireless device can run without paying a licensing fee to the FCC. The Industrial, Scientific, and Medical (ISM) bands operate at 902-928 MHz, 2.4-2.483 GHz, 5.15-5.3 GHz, and 5.725-5.825 GHz. Companies that do not want to pay the FCC are forced to share the unlicensed bands, causing interference. Key facts about RF:
1) Higher frequencies allow for higher data rates.
2) Higher frequencies have shorter transmission distances (range).
3) Shorter distances can be compensated for by using high-powered antennas.
4) Every country has its own restrictions on how powerful your radio transmission can be for the unlicensed bands.
If the signal is not powerful enough, you may consider implementing several APs.

An overlap (use of different channels) of 10 - 15% is a good WLAN design.

Channel   Range (MHz)     Channel   Range (MHz)
1         2401-2423       7         2431-2453
2         2406-2428       8         2436-2458
3         2411-2433       9         2441-2463
4         2416-2438       10        2446-2468
5         2421-2443       11        2451-2473
6         2426-2448       12        2456-2478
                          13        2461-2483


Each channel has a 22 MHz bandwidth and overlaps with adjacent channels. Thus the only channels commonly used are 1, 6, and 11, since they do not overlap each other. Devices adjacent to each other must use non-overlapping channels so their signals do not interfere; this is one possible solution to interference. Remember that the 5 GHz band has up to 23 non-overlapping channels.
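The rule that only channels 1, 6 and 11 can be used side by side follows directly from the 22 MHz channel width. The Python below is an added example (not part of the notes): it reproduces the channel table above from the assumed 802.11b/g channel plan (channel n centred at 2407 + 5n MHz, so channel 1 is 2412 MHz) and searches for the largest set of mutually non-overlapping channels.

```python
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22   # each 802.11b/g channel is 22 MHz wide


def channel_range(ch):
    """Low and high edge (MHz) of channel ch under the assumed channel plan."""
    centre = 2407 + 5 * ch
    half = CHANNEL_WIDTH_MHZ // 2
    return centre - half, centre + half


def overlap_mhz(a, b):
    """How many MHz two channels share (0 when they are clear of each other)."""
    lo = max(channel_range(a)[0], channel_range(b)[0])
    hi = min(channel_range(a)[1], channel_range(b)[1])
    return max(0, hi - lo)


def overlaps(a, b):
    """True when the two channels' frequency ranges intersect."""
    return overlap_mhz(a, b) > 0


def channel_table(channels=tuple(range(1, 14))):
    """The channel/range table from the notes as (channel, 'low-high') rows."""
    return [(ch, "%d-%d" % channel_range(ch)) for ch in channels]


def non_overlapping_sets(channels=tuple(range(1, 12))):
    """Largest groups of mutually non-overlapping channels. Brute force is fine:
    the search space is only the 11 (US) or 13 channels of the band."""
    for size in range(len(channels), 0, -1):
        found = [grp for grp in combinations(channels, size)
                 if all(not overlaps(x, y) for x, y in combinations(grp, 2))]
        if found:
            return found
    return []
```

With the 13 European channels the search returns several three-channel sets (for instance 1, 7, 13), which is why the answer depends on which channels a regulator allows.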

IEEE 802.11 standard

802.11a is clearly better than 802.11b, but it did not become popular because the silicon chips for 802.11a were in short supply. 802.11g is backward compatible with 802.11b. 802.11n adds Multiple Input Multiple Output (MIMO) technology, which uses multiple antennas to send and receive between devices to increase throughput.

                802.11a     802.11b     802.11g       802.11n
RF band         5 GHz       2.4 GHz     2.4 GHz       2.4 and/or 5 GHz
Bandwidth       54 Mbps     11 Mbps     54 Mbps       248 Mbps
Channels        Up to 23    3           3             Unknown
Outdoor Range   ≈ 75 m      ≈ 100 m     ≈ 95 m        ≈ 160 m
Indoor Range    ≈ 25 m      ≈ 45 m      ≈ 40 m        ≈ 70 m
Release Date    1999        1999        2003          2008
Technology      OFDM        DSSS        DSSS&OFDM     DSSS&OFDM


Chapter 18. Wireless Security and Implementation Considerations

Wireless attacks

Wireless networks are the most dangerous and insecure: not only does plain data lie in sight, the encryption is not as secure as you would think. There are commonly 3 types of security holes in wireless networks: war driving, direct hacking, and employee ignorance.

War driving is a technique for discovering wireless networks by driving through an area with an 802.11-compatible wireless antenna and a GPS device. This way, the exact location of a network can be pinpointed even if the network is encrypted, hidden, or authenticated.

Direct hacking is the next step after a complete scan is finished. This step can come in many forms:
• Breaking into the WLAN: the attacker starts breaking the authentication or encryption as soon as the scan is finished. If successful, the attacker joins the wireless network and begins scanning the internal network of your organization for available resources.
• Decrypting data: data transmitted over the air can be easily intercepted and decrypted once the attacker recovers the key.
• Attempting a wireless DoS attack: if the intruder is successful, the wireless access point that is attacked is rendered inoperable for your company. This is not uncommon, though most people ignore it and have no idea what valuable information is lost.

Another possible threat is employee ignorance of the danger of using their own wireless AP inside the company, where there is already network access. This can easily allow access to company data without the need to bypass all the security set up by the network administrator.

Wireless security: encryption, detection, and authentication

Wireless security can be broken down into 3 major categories: encryption, detection and authentication.

Wired Equivalent Privacy (WEP) was the first security measure released for wireless networking. It uses static preshared keys (PSKs) as the input to its encryption algorithm. WEP uses a cipher called RC4 that takes every piece of data and scrambles it with the PSK. When received, the reverse operation decrypts the data. Both the client and the WAP must have the PSK entered manually.

The number of bits of encryption determines how complex the scrambling of the data is. The more bits there are, the more complex the scrambled data, and the longer it takes to break. WEP2 is a 128-bit version of WEP released in 2002. Although it makes the algorithm slightly more difficult to break, the flaws in the standard cause it to crumble.


Wi-Fi Protected Access (WPA) uses another encryption algorithm called Temporal Key Integrity Protocol (TKIP) with a 128-bit key. It is compatible with the hardware that WEP uses.

Another standard, WPA2, also known as 802.11i, was proposed in 2004 and operates on different hardware than WEP, WEP2, and WPA. It uses the Advanced Encryption Standard (AES), which is much stronger than the previous standards. It is backward compatible with WEP, WEP2, and WPA, but does not support the old hardware.

Wireless authentication can be implemented using 802.1x (port-based access control), which designates 3 network devices that participate in network authentication: the supplicant, the authenticator, and the authentication server.

When a user wants to access the network, he must first send his authentication credentials (such as a username and password) to the authenticator, which forwards them to the authentication server. When the authentication server receives the credentials, it checks them against its database and then tells the authenticator whether the device has passed authentication. If the device fails authentication, its access to the network is terminated or severely limited, depending on how you (as the administrator) decide to restrict the device. If the device passes authentication, the supplicant and authentication server generate a dynamic encryption key known as the session key. This provides the same security as a PSK but does not need to be entered statically.

A preventive measure (detection) you can take against employee ignorance is a wireless IPS. This system sets up various sensors that detect when a policy is violated. The minute a rogue access point shows up in the network, the system can alert you, pinpointing the location of the access point on a map of your campus. Other events can also be defined to detect other types of security breach.

Wireless topology

Wireless technology can be implemented in ad hoc or infrastructure mode. Ad hoc uses the Independent Basic Service Set (IBSS) topology; each wireless device independently manages the wireless network. Data in this type of network originates from and is forwarded to the wireless devices themselves. Ad hoc networks are typically very limited in range and have security holes. Infrastructure mode is more common and uses a WAP (wireless AP); it comes as a Basic Service Set (BSS) or an Extended Service Set (ESS). A BSS contains a single WAP, while an ESS has 2 or more WAPs to cover the area (allowing roaming).

A wireless network runs at the speed of its slowest client, and speed drops as a client moves farther from the WAP. For 802.11b, the steps go 11 Mbps -> 5.5 Mbps -> 2 Mbps -> 1 Mbps. For 802.11a/g, the steps are 54 Mbps -> 48 Mbps -> 36 Mbps -> 24 Mbps -> 18 Mbps -> 12 Mbps -> 9 Mbps -> 6 Mbps. These numbers give you an idea of the amount of interference in an area and your proximity to the AP.

Troubleshooting

To troubleshoot in general, follow these steps:
• Ensure hardwired operations
• Install the WAP in tested switch ports
• Configure a basic network (with no security) and test
• Configure the secured network and test

To troubleshoot the client side, follow these:
• Verify the wireless card is enabled
• Move to a “known good” region of the building
• Verify that the client can identify the wireless network with its wireless utility
• Ensure the wireless client has the correct wireless security information and supports your security standards (if you use WEP, your client MUST support WEP)

Here are the steps to troubleshoot the WAP:
• Verify that the wireless access point is running the latest firmware version
• Test the wireless reception radius at different times of the day
• Verify your wireless channel configuration
• Consider the materials around and close to the access point


Chapter 19. Using Access Lists

An access list is a list of permit and deny statements that the device checks to decide whether entry is permitted. Unless data is explicitly permitted, it is implicitly denied. The order of the statements determines their priority: a statement located higher in the ACL is checked before lower statements, and the device stops checking once a permit statement is found.

The implicit deny statement, on the other hand, sits at the end of the ACL and is never displayed by any show command.

In older IOS versions, the access list is arranged exactly as you entered it; you cannot rearrange entries unless you completely remove them all. In newer versions, a sequence number is assigned to each entry, so you can manipulate entries individually. In the CCNA exam, you will be using the old-style IOS ACL.

How you apply your ACL dictates what function it really serves. A few functions you have to know for the CCNA exam are:

1) Packet filtering filters inbound or outbound traffic at the network layer. You can filter based on source IP address (standard), or also on destination address, protocol number, and port number (extended). Note that too many criteria may put significant CPU load on your router.

2) Quality of Service (QoS) separates different data streams and prioritizes them so the more important or latency-sensitive data (VoIP) gets through faster. In other words, prioritized (permitted) traffic leaves first, while other (denied) data leaves later. However, in traffic policing (a QoS method), you can limit the bandwidth of the applications you placed on the permitted list, while denied applications are not restricted in bandwidth.

3) Dial-on-Demand Routing (DDR) is a technique in which a host or router automatically initiates a dial-up (not always-on) connection over ISDN or a public network. This method reduces network usage by closing the connection once no more data needs to be transmitted or received.

4) A Network Address Translation (NAT) ACL determines whether a host is permitted to be translated by NAT. A denial does not prevent data from being sent, but it stops the host from being translated by NAT before the data is sent.

5) Route filtering uses what is known as a distribute list, which is applied in routing protocol configuration mode to limit the networks that can be reached and received. The command is ʻ(config-router)#distribute-listʼ followed by the ACL number and “in” or “out”.

NOTE: inbound traffic refers to traffic coming into an interface; outbound traffic refers to traffic going out of an interface.

To configure an ACL, first enter ʻaccess-list ?ʼ to see the list of available ACL numbers (this list also points out which routed protocol each range is for). Standard ACLs use numbers 1 to 99, while extended ACLs use numbers 100 to 199. In case these are not enough, you can use the backup ranges 1300-1999 (standard) and 2000-2699 (extended).


ʻaccess-list ACL_numberʼ can be followed by deny, permit, or remark, where remark is a comment you can enter for an entry. Deny/permit is harder, so letʼs experiment with permit. ʻaccess-list ACL_No permitʼ can be followed by an IP address and then a wildcard mask (a mask of 0.0.0.0 means an entry must match the address exactly). To match a single IP address, you can instead follow the command with the ʻhostʼ keyword and then the IP address, without the inverse mask. The optional ʻlogʼ keyword can be added so that every match is logged by the router. You can permit any IP address into your network with ʻaccess-list ACL_No permit 0.0.0.0 255.255.255.255ʼ or ʻaccess-list ACL_No permit anyʼ. You can verify your ACL with ʻ#show ip access-listsʼ or ʻ#show running-configʼ.

Only one access list can be applied per protocol, per direction, on an interface; you can apply one for inbound and one for outbound traffic. These lists go into effect immediately when applied, so check them carefully (one last time) before you apply them. One common mistake is to list all the unwanted networks as denied and then apply the list, forgetting about the implicit deny and causing the entire network to go down. Another common fault is making changes to an ACL while it is applied to an interface. Although this may work, it is not recommended.

To apply an ACL to an interface, use ʻ(config-if)#ip access-groupʼ + ACL_No + in/out. The best practice for standard access lists is to apply them on the interface closest to the destination.

To remove (clear all entries of) an access list, use ʻno access-listʼ + ACL_No. However, if the list is applied to an interface, the ʻaccess-groupʼ reference still stays (remove an ACL from an interface with ʻno ip access-group ACL_Noʼ + in/out); at this point the empty ACL allows all traffic through. When any line is added to the ACL, the implicit deny starts working AGAIN. NOTE: ʻno access-listʼ does NOT delete the ACL; it empties the entries so you can re-enter them.

You can also apply an ACL to the VTY lines with ʻ(config-line)#access-classʼ + ACL_No + “in”/“out”.

If you are configuring access lists on your router remotely, be sure the access list allows your own remote Telnet session into the router. It is a very common mistake to create an access list that kills the remote Telnet session and requires the administrator to drive to the site (or contact someone on-site) to reconfigure the router through the console port. It is therefore good practice to issue the following command before applying an access list remotely: ʻRouter# reload in 5ʼ. This instructs the router to reboot itself in 5 minutes if there is no administrative intervention. This way, if you lock yourself out of the router, it reboots and its configuration returns to what it was before you applied the access list. If the access list applies successfully without limiting remote access, be sure to issue the ʻreload cancelʼ command to stop the automatic reboot countdown.


Extended ACLs have a more complex syntax than standard ACLs. Generally, the command is ʻaccess-listʼ + (100-199) + (protocol) + (source_information) + (destination_information). ʻaccess-list ACL_Noʼ can be followed by deny, permit, dynamic, or remark, where dynamic creates a temporary entry in the ACL (like ʻstickyʼ) when a user successfully authenticates to the router; the entry is removed after a certain period of time, but this is outside the scope of the CCNA exam. Next comes the protocol information, which can be specified numerically (0-255, the SAP field in the IP header) or by name; there is an extensive range of protocols you can apply an ACL to. For the CCNA exam, you need to know IP, TCP, UDP, and ICMP. The protocol information is followed by the IP addresses as discussed in the previous section; note that additional source and destination port information can also be added to the command. For a PC, the source port of an application is randomly generated in the registered port range (1024-49151), while the destination port is the destination service used. Thus you usually DO NOT know the source port (use ʻanyʼ), but you can specify the destination port information (if this is an outbound ACL). For the destination, you are most likely to use eq (equal), as in ʻ(config)#access-list 150 permit tcp host 10.1.1.5 any eq 80ʼ to permit HTTP.

Extended ACLs are applied just like standard ACLs, with ʻip access-groupʼ or ʻaccess-classʼ. However, it is recommended to implement extended ACLs closer to the source of the network traffic. Remember that to allow the rest of the connections through, the only protocol that encompasses ALL TCP/IP traffic is the IP protocol, so the command should look like ʻaccess-list 125 permit ip any anyʼ.

To add security, one possible measure is ʻaccess-list ACL_No permit tcp any any establishedʼ. This way, only data (from the Internet) belonging to an already established session is allowed in. Cisco also created Context Based Access Control (CBAC), implemented in firewall feature-set IOS versions.
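How a numbered ACL is walked (top down, first matching entry decides, implicit deny at the end) with the syntax covered above (wildcard masks, ʻhostʼ, ʻanyʼ, ʻlogʼ, protocol names, ʻeqʼ ports and ʻestablishedʼ), as an added Python example that is not from the notes. The packet dictionary fields, the three-line EXAMPLE_ACL and the documentation-range addresses 198.51.100.20 and 203.0.113.9 are constructed for illustration.

```python
import ipaddress

TCP_ACK = 0x10   # 'established' matches segments carrying the ACK or RST bit
TCP_RST = 0x04


def wildcard_match(addr, base, wildcard):
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is a don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A W' from the token list -> (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    return tok, tokens.pop(0)


def _parse_port(tokens):
    """Consume an optional 'eq N'; only eq is modelled in this example."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_entry(line):
    """Parse one 'access-list N permit|deny ...' line into a rule dict."""
    tokens = line.split()
    number, action = int(tokens[1]), tokens[2]
    rule = {"number": number, "action": action, "log": "log" in tokens}
    tokens = [t for t in tokens[3:] if t != "log"]
    if number <= 99 or 1300 <= number <= 1999:     # standard ACL: source only
        rule.update(proto="ip", src=_parse_addr(tokens),
                    dst=("0.0.0.0", "255.255.255.255"),
                    sport=None, dport=None, established=False)
        return rule
    rule["proto"] = tokens.pop(0)                   # extended ACL
    rule["src"] = _parse_addr(tokens)
    rule["sport"] = _parse_port(tokens)
    rule["dst"] = _parse_addr(tokens)
    rule["dport"] = _parse_port(tokens)
    rule["established"] = "established" in tokens
    return rule


def matches(rule, pkt):
    """Does this packet match every criterion of the rule?"""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *rule["src"]):
        return False
    if not wildcard_match(pkt["dst"], *rule["dst"]):
        return False
    if rule["sport"] is not None and pkt.get("sport") != rule["sport"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["established"] and not pkt.get("flags", 0) & (TCP_ACK | TCP_RST):
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return (action, 1-based line number) of the first match; nothing
    matched means the invisible implicit deny at the end of the list."""
    for idx, line in enumerate(acl_lines, 1):
        if matches(parse_entry(line), pkt):
            return parse_entry(line)["action"], idx
    return "deny", None


# Constructed inbound ACL: only returning TCP traffic reaches the inside,
# plus the notes' HTTP permit for one host; the log entry shows 'log' parsing.
EXAMPLE_ACL = [
    "access-list 150 permit tcp host 10.1.1.5 any eq 80",
    "access-list 150 permit tcp any any established",
    "access-list 150 deny ip 10.1.1.0 0.0.0.255 any log",
]
```

A TCP SYN from the Internet to an inside host carries no ACK bit, so it falls through every permit and hits the implicit deny; the reply to an inside-initiated session carries ACK and is let in by the ʻestablishedʼ entry.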

Named ACLs allow ACLs to be created with names and support some simple editing. This is done with ʻip access-listʼ + standard/extended/resequence; you then enter (config-std-nacl) mode, where you can add and remove entries separately. Entries can be numbered (at the beginning) with a sequence number (they do not have to be consecutive, so you can add more entries between them). These entries are listed by their sequence number; the larger the number, the higher in the ACL (more priority). To remove an entry, use the ʻnoʼ command followed by the sequence number. ʻip access-list sequence 10 30ʼ moves the entry with sequence number 10 to sequence number 30.

ʻshow access-listsʼ outputs all configured ACLs. Other options are ʻshow running-configʼ and ʻshow ip interfaceʼ (which shows only the ACL number applied). ʻshow ip access-listsʼ lists the IP ACLs together with the matches found.


Chapter 20. Enabling Internet Connectivity with NAT

Theoretically, a router running NAT (Network Address Translation) is capable of allowing 65,536 devices (the number of hosts on a Class B network) to share a single Internet-valid IP address.

It is commonly said that private addresses are non-routable; however, this is not strictly true, as it is the ISPs that block private addresses with ACLs to prevent duplicate addresses. Networks connected to the Internet typically use these private IP addresses internally and then translate them when accessing the Internet.

Types of NAT

Static NAT maps IP addresses in a one-to-one relationship. It is common to map a private IP address to a public one: anything going to the public address is received by the private address, and anything sent out is seen as coming from that public address. Although static NAT does not allow sharing of a single address, it does eliminate end-to-end traceability and enables servers to be accessed from the Internet. Static NAT can also be configured to statically translate individual TCP or UDP ports to the same host or to many different hosts. This way, NAT can act as a type of firewall and offer different services through a single IP address. In some cases, you can even redirect port numbers.

Dynamic NAT is used where there are too many entries to configure as one-to-one mappings. You provide the list of addresses devices currently use and then a list of addresses to map them to.

NAT overload, or PAT (Port Address Translation), enables a single IP address to support many internal clients. By generating different source port numbers, PAT can track which data belongs to which device, therefore representing many devices with 1 IP address. A source socket (IP address + source port) identifies a piece of data. The reply to a request comes back to that source socket, which the NAT table translates so the reply is forwarded to the correct device. However, if 2 devices generate the same source port, one device's session MUST be reset and a different number chosen. NAT addresses are described in these terms:
- Inside/outside: refers to where a device is physically located. If a device is “inside,” it is in your network. If a device is “outside,” it is outside of your network.
- Local/global: refers to where an IP address is located from the perspective of the NAT device (the router that translates addresses, private to public). If the IP address is considered “local,” it is seen as a device on the local subnet from the perspective of the NAT device (this may or may not be true). If the IP address is considered “global,” it is seen as not on the local subnet from the perspective of the NAT device.
Together, the NAT address types are:
- Inside local address: everything inside your network, i.e. the private IP addresses. If an inside local address communicates with another inside local address, this is standard LAN connectivity.
- Inside global address: an address located in your network but used to connect with the outside. In other words, it is the public IP address assigned to the network in NAT overload.
- Outside global addresses: the standard public IP addresses that are outside of your network.
- Outside local addresses: the IP address of an outside host as it appears to the inside network. These addresses can be allocated from the RFC 1918 space if desired. These addresses get translated by NAT.

Configure NAT at ICND1

NAT overload is known as “basic NAT” in SDM. You access this service by opening the ʻConfigureʼ tab and choosing NAT from the sidebar. Click the ʻBasic NATʼ radio button and then ʻLaunch the selected taskʼ. In the wizard you need to choose the interface connected to the ISP. The ranges of IP addresses that you select with the checkboxes represent internal IP address ranges. This means any device using these IP address ranges will use the public IP address assigned to the chosen interface. Then you are done. To verify, use ʻshow running-configʼ (inside and outside interfaces + the access list used).

The above method enables access to the Internet, but to obtain access FROM the Internet, you need static NAT mappings through Advanced NAT or Edit NAT Configuration in SDM. You can select Advanced NAT instead of Basic NAT in SDM; after the outside interface, the screen asks you to enter any additional public IP addresses. These addresses are for other purposes, such as accepting connections FROM the Internet. Then enter the networks connecting your internal networks; they will be listed as ʻDesignatedʼ if you already have one. Click ʻNextʼ to enter the window that configures static NAT mappings. Click the ʻAddʼ button to add a new mapping, where you enter the private IP address to map and then select the public IP address from the drop-down list. This method maps a full public IP address to a private IP address (or network): every port of the device (or network) corresponds to the same port on the public address. The Cisco router supports only individual port mappings for the IP address assigned to the outside interface; you cannot fully map the outside interface IP address to an internal server because it is partially used for communication by the Cisco router itself.

Port mappings allow you to map individual ports on public IP addresses to individual ports on private IP addresses. This lets you map a single public address to different ports on different devices, so data destined for different ports goes to different devices using one public IP address. Click ʻAddʼ -> select the private and public address -> choose the type of device under Additional Information. If you choose ʻOtherʼ, you may specify an alternative port to forward the data to (data comes in on port x of the public address but goes to port y on the private address).


Another way of configuring static NAT mappings is the ʻEdit NAT Configurationʼ tab (another tab under NAT in Configure) in SDM. This is most convenient when you already have Basic NAT set up. You can choose to use:
- Designate NAT Interfaces: allocate or reallocate which interfaces on your router connect to the inside or outside networks.
- Address Pool: create one or more pools of IP addresses to use for dynamic NAT.
- Translation Timeouts: set time limits for idle NAT entries held in memory; after the time limit the idle entry is deleted. The default is 86400 seconds (4 days).
- Add: opens a window allowing you to add static or dynamic NAT mappings.
- Edit: opens a window allowing you to edit the selected NAT mapping.
- Delete: removes the selected NAT mapping.
The ʻClone selected Entry on Addʼ option prepopulates the new NAT entry window (opened by clicking the Add button) with whatever entry you have selected. This option allows you to use 2 identical servers in a network on the same port without port redirection. Some other options are included here:
- Static/Dynamic: choose the style of NAT you want to apply.
- Direction: ʻFrom inside to outsideʼ or ʻFrom outside to insideʼ. Regardless of the choice, 2-way translation always occurs, but this option gives you more flexibility in dynamic NAT.
- Inside IP Address/Network Mask: the inside address(es) you want to translate.
- Outside Interface(s)/Type: enter the individual IP address or interface you want to translate to. If the Type drop-down box has IP address selected, the IP address field and the Interface field can be modified.
- Redirect Port/Original Port/Translated Port: choose the protocol and port numbers to translate.

To check if NAT is working, use the ʻshow ip interface briefʼ command. ʻshow ip nat statisticsʼ gives you some information about the NAT running in your network. There will be hits and misses; the number of hits is how many packets matched an existing NAT mapping, and misses are packets sent before a session was established between the two. The other command is ʻshow ip nat translationsʼ, which shows a list of IP addresses separated into 4 columns: inside/outside local/global addresses. The first section tells you which device has access and what address it is NATted to, followed by a list of addresses that access the internal addresses and other details. This command also supports many filtering options, since viewing just one website can generate many entries (all the DNS lookups and files).

To troubleshoot, first inspect the interfaces with 'show running-config interface' followed by the interface name and number, and confirm that one side carries 'ip nat inside' and the other 'ip nat outside'. Then test connectivity by pinging an outside address from an inside client; use an IP address rather than a name so that DNS problems do not confuse the picture. As a last step you can flush the dynamic entries with 'clear ip nat translations *' and let the router rebuild the table as traffic flows.

Chapter 21. Command-Line NAT implementation

To configure NAT on the command-line interface (CLI), the first step is to mark the inside and outside interfaces by entering 'ip nat inside' or 'ip nat outside' on the appropriate interface.

Then comes the 'ip nat' command itself. It can be followed by 'inside', 'outside', 'log', 'pool', 'service' or 'translation'; the important keywords are inside and outside. Either can be used to express a translation, but stick with one of them to avoid confusion.

If you go with inside, the next keyword is 'source' or 'destination'. 'ip nat inside source' means you want to translate a private source address from inside your network into something else; that something else is specified with 'list' (dynamic NAT, matching an access list), 'route-map' or 'static' (static NAT). To translate 192.168.1.50 to 5.1.1.10 statically, use '(config)# ip nat inside source static 192.168.1.50 5.1.1.10'. The command can be followed by 'extendable', which allows the same inside local address to be mapped to more than one inside global address (or to several port-level entries). It can also be followed by 'no-alias', which stops the router from creating an IP alias for the global address, so it will not answer ARP for that address on the outside interface.

Remember that in 'show ip nat translations' a static entry with no active session shows only the inside local and inside global columns; the outside local and outside global columns read '---' until traffic actually flows through the mapping.

To forward all traffic arriving on TCP port 25 (SMTP) to the local email server at 192.168.1.100 (inside global address 5.1.1.10), configure 'ip nat inside source static tcp 192.168.1.100 25 5.1.1.10 25'. Instead of an inside global address you can enter 'interface' followed by the interface name and number, and end the command with the port number; the address of that interface is then used.

On the other hand, to configure dynamic NAT you create a pool of addresses instead of specifying one. Scenario: there are two networks, 192.168.1.0/24 and 192.168.2.0/24, with a router in between, and each needs to communicate with the other. 192.168.2.0/24 wants to appear to 192.168.1.0/24 as 192.168.1.200-255/24, while 192.168.1.0/24 wants to appear to 192.168.2.0/24 as 192.168.2.200-255/24. (Note that .255 is the directed broadcast address of a /24; in practice end the pool at .254.)

1) Assign the inside and outside interfaces.
2) Create a NAT pool named NETWORK1 covering 192.168.1.200/24 to 192.168.1.255/24: '(config)#ip nat pool NETWORK1 192.168.1.200 192.168.1.255 prefix-length 24'
3) Create a NAT pool named NETWORK2 covering 192.168.2.200/24 to 192.168.2.255/24: '(config)#ip nat pool NETWORK2 192.168.2.200 192.168.2.255 prefix-length 24'

4) Create the access lists that select the traffic to translate: 'access-list 50 permit 192.168.1.0 0.0.0.255' and 'access-list 51 permit 192.168.2.0 0.0.0.255'.
5) Tie them together: 'ip nat inside source list 50 pool NETWORK2' lets 192.168.1.0/24 enter 192.168.2.0/24 as 192.168.2.200-255, and 'ip nat inside source list 51 pool NETWORK1' is meant to let 192.168.2.0/24 enter 192.168.1.0/24 as 192.168.1.200-255. Either command can be followed by the optional keyword 'overload', which is used for PAT. Caveat: 'ip nat inside source' only translates traffic that enters through an inside interface, so if 192.168.2.0/24 sits behind the outside interface the second statement has to be 'ip nat outside source list 51 pool NETWORK1' for that direction to be translated.

To configure NAT overload (PAT), imagine that the 172.16.0.0/16 network (behind interface Ethernet 0) contains a web server at 172.16.1.80. No separate inside global address is available, so the address of interface Serial 0 will be used.
1) Define the inside and outside interfaces.
2) Create an ACL for the internal network: 'access-list 75 permit 172.16.0.0 0.0.255.255'.
3) 'ip nat inside source list 75 interface Serial 0 overload' translates everything matched by the ACL (172.16.0.0/16) to the public IP address of interface Serial 0, overloading that one address with many sessions by varying the port numbers. (If you have a dedicated inside global address, say 198.222.16.32, use it in place of 'interface Serial 0'.)
4) The web server still needs its own static entry so that inbound connections reach it: 'ip nat inside source static tcp 172.16.1.80 80 interface Serial 0 80'.

Note: you can also overload a pool of inside global addresses; if one address runs out of ports (is maxed out), the next address in the pool takes over.

'show running-config' shows the commands you entered to get NAT running; 'show ip nat translations' gives a snapshot of the translations currently active on the router; 'show ip nat statistics' shows how many translations are active, how many have been created in total, and how much of the NAT pool is in use (for dynamic NAT). Remember that the number of "hits" and "misses" does not tell you how many translations succeeded or failed. A hit is a packet that matched an existing entry in the translation table; a miss is a packet for which a new translation had to be created.
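The Python model below is an added illustration (it is not code from this study guide or from Cisco IOS) of the PAT scenario above and of the hit/miss counters: ACL 75 selecting 172.16.0.0/16, overload onto the outside interface, which is assumed to hold 198.222.16.32, and the static entry for the web server at 172.16.1.80. The outside hosts (203.0.113.5, 203.0.113.9) and the port numbers are constructed for the example. It shows the original source port being kept when free, a second inside host colliding on that port and being assigned a new one, the static entry growing an extended entry once a connection arrives, an unsolicited inbound packet with no mapping being dropped, and 'clear ip nat translations *' removing the dynamic entries but not the static one.

```python
"""Cisco-style NAT/PAT translation table: the four columns of 'show ip nat
translations', the hit/miss counters of 'show ip nat statistics', a static port
forward and 'clear ip nat translations *'. Constructed example, not IOS code."""
import ipaddress


class NatRouter:
    def __init__(self, inside_acl, outside_if_ip):
        self.inside_net = ipaddress.ip_network(inside_acl)  # stands in for the ACL
        self.global_ip = outside_if_ip    # '... interface Serial 0 overload'
        self.static = {}     # (proto, global_port) -> (inside_ip, inside_port)
        self.port_map = {}   # (proto, inside_ip, inside_port) -> global_port
        self.table = {}      # (proto, inside_local, outside_global) -> entry
        self.hits = 0        # packets that matched an existing entry
        self.misses = 0      # packets for which an entry had to be created
        self.next_port = 1024

    def add_static(self, proto, inside_ip, inside_port, global_port):
        """'ip nat inside source static tcp <ip> <port> interface Serial 0 <gport>'."""
        self.static[(proto, global_port)] = (inside_ip, inside_port)
        self.port_map[(proto, inside_ip, inside_port)] = global_port

    def _global_port(self, proto, ip, port):
        """PAT keeps the original source port if free, otherwise picks a new one."""
        key = (proto, ip, port)
        if key in self.port_map:
            return self.port_map[key]
        used = {gp for (p, gp) in self.static if p == proto}
        used |= {gp for (p, _, _), gp in self.port_map.items() if p == proto}
        chosen = port
        if chosen in used:
            while self.next_port in used:
                self.next_port += 1
            chosen, self.next_port = self.next_port, self.next_port + 1
        self.port_map[key] = chosen
        return chosen

    def _lookup_or_create(self, proto, inside_local, outside_global):
        key = (proto, inside_local, outside_global)
        entry = self.table.get(key)
        if entry is not None:
            self.hits += 1
            return entry
        self.misses += 1
        entry = {"proto": proto, "il": inside_local, "og": outside_global,
                 "ig": (self.global_ip, self._global_port(proto, *inside_local))}
        self.table[key] = entry
        return entry

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the inside interface; returns the translated source."""
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None    # ACL does not match: forwarded untranslated
        return self._lookup_or_create(proto, (src_ip, src_port), (dst_ip, dst_port))["ig"]

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the outside interface; returns the inside destination."""
        if dst_ip != self.global_ip:
            return None
        for e in self.table.values():
            if (e["proto"], e["ig"][1], e["og"]) == (proto, dst_port, (src_ip, src_port)):
                self.hits += 1
                return e["il"]
        target = self.static.get((proto, dst_port))
        if target is None:
            return None    # unsolicited inbound with no mapping: dropped
        # the static entry spawns an extended entry with the outside columns filled in
        return self._lookup_or_create(proto, target, (src_ip, src_port))["il"]

    def clear(self):
        """'clear ip nat translations *': dynamic entries (and their sessions) go, static stay."""
        self.table.clear()
        self.port_map = {(p, ip, port): gp for (p, gp), (ip, port) in self.static.items()}

    def show_translations(self):
        """Rows laid out like 'show ip nat translations'; '---' = not yet used."""
        def cell(a):
            return "---" if a is None else f"{a[0]}:{a[1]}"
        def row(proto, ig, il, ol, og):
            return f"{proto:<4}{cell(ig):<22}{cell(il):<22}{cell(ol):<22}{cell(og)}"
        rows = [f"{'Pro':<4}{'Inside global':<22}{'Inside local':<22}{'Outside local':<22}Outside global"]
        rows += [row(p, (self.global_ip, gp), il, None, None) for (p, gp), il in self.static.items()]
        rows += [row(e["proto"], e["ig"], e["il"], e["og"], e["og"]) for e in self.table.values()]
        return rows


def demo():
    """The PAT scenario from the text, step by step; returns what each step produced."""
    r = NatRouter("172.16.0.0/16", "198.222.16.32")
    r.add_static("tcp", "172.16.1.80", 80, 80)                                    # web server
    out = {"first": r.outbound("tcp", "172.16.1.10", 40000, "203.0.113.5", 443)}  # miss
    out["repeat"] = r.outbound("tcp", "172.16.1.10", 40000, "203.0.113.5", 443)   # hit
    out["collide"] = r.outbound("tcp", "172.16.1.11", 40000, "203.0.113.5", 443)  # miss, new port
    out["reply"] = r.inbound("tcp", "203.0.113.5", 443, "198.222.16.32", 1024)    # hit
    out["web_in"] = r.inbound("tcp", "203.0.113.9", 51234, "198.222.16.32", 80)   # miss via static
    out["web_out"] = r.outbound("tcp", "172.16.1.80", 80, "203.0.113.9", 51234)   # hit
    out["unsolicited"] = r.inbound("tcp", "203.0.113.9", 51234, "198.222.16.32", 22)
    out["outside_acl"] = r.outbound("tcp", "10.9.9.9", 5000, "203.0.113.5", 443)
    out["stats"] = (r.hits, r.misses)
    out["table"] = r.show_translations()
    r.clear()
    out["table_after_clear"] = r.show_translations()
    return out
```

demo()["table"] holds the four-column listing, with '---' in the outside columns of the static entry and a second, extended row for the same server once the first connection arrives. Read the counters the way the text describes: three misses here mean three entries were built, not that anything failed.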

Remember that with a router-on-a-stick configuration routing between VLANs, 'ip nat inside' must be on each sub-interface, not only on the physical interface, or NAT will not translate correctly. The same rule applies to any configuration that uses sub-interfaces, including Frame Relay. A handy test of outbound translation is 'telnet 4.2.2.2 53': it uses an IP address rather than a name and a port a public DNS server answers, so a successful connection proves the translation works without depending on DNS.

You can debug NAT with 'debug ip nat', which of course should only be done when the router is not busy; check the load with 'show processes cpu' first.

You can also use 'clear ip nat translations *' to wipe the NAT table. Static mappings survive, but every dynamic entry is dropped, so sessions passing through dynamic NAT or PAT at that moment have to reconnect; in exchange it rules out stale or bad translations as the cause of a problem.

Chapter 22. Wide Area Network Connections

CCNA exam focuses on leased line and frame relay WAN technology (Layer 1 & 2).

Broadband sends multiple signals over the medium at the same time and is what most small offices use; baseband carries only one signal at a time.

WAN options

A WAN technology needs a switching technology to complement the connection: circuit switching, packet switching, cell switching, or a dedicated leased line.

Circuit switching, also known as dial-on-demand, sets up a dedicated physical channel or circuit for the duration of the transmission and tears it down when the transmission is complete; the telephone system is the classic example. Circuit-switched networks are connection-oriented (reliable delivery), and some, ISDN in particular, are billed per user or per minute. Examples: ISDN, POTS.

Packet switching lets the service provider share a large pool of bandwidth among its clients rather than dedicating a fixed amount to each (as leased lines do). The client dictates which circuits it wants established through the provider network between its sites (permanent virtual circuits), giving an end-to-end connection. Neither delivery nor delay is guaranteed. Examples: ATM and Frame Relay.

A leased line is the most expensive WAN technology because the bandwidth is dedicated to a single customer for the term of the lease. It suits services such as VoIP that need predictable delay. The cost depends on the length of the line and the bandwidth required. Example: T1.

A VPN is not a WAN connection type but is often used for the same purpose. With an Internet connection at each site you can build a full mesh of encrypted tunnels between sites and obtain a protected path to each remote network. Because the cryptography is computationally intensive, you may need a VPN hardware module for the router, a PIX firewall (Cisco's firewall platform at the time), or a VPN concentrator (a dedicated device that manages and maintains many VPN connections) in addition to the router.

Metro Ethernet is another alternative to traditional WAN connections. It runs over large networks of fiber-optic lines that were left unused after the economic downturn; the fiber is owned by ISPs and provides 1000 Mbps or more at far less cost than a standard T1 line. The WAN link can even terminate on standard Category 5E/6 UTP copper (via a fiber-to-copper converter) and plug directly into a switch, so the WAN connections can be managed entirely through VLANs with no dedicated router hardware. Metro Ethernet is beginning to stretch between cities to provide service between major metropolitan areas, and it is becoming quite popular with government organizations that have many locations in the same general geographic region.

A Channel Service Unit/Data Service Unit (CSU/DSU) often sits at the demarcation point where the service provider's WAN meets your LAN; your router connects to the CSU/DSU through a serial interface. The router side is a DB-60 (60-pin) or Smart Serial connector; the latter takes up less space on a WAN Interface Card (WIC), a module that installs into a Cisco router. The cable converts from the router interface (DB-60 or Smart Serial) to the CSU/DSU interface, which may be V.35, X.21, EIA/TIA-232, EIA/TIA-449 or EIA/TIA-530. The line side of a T1 CSU/DSU uses an RJ-48 connector, which looks just like RJ-45 but is used with shielded twisted pair and has different electrical properties.

WAN link data encapsulation

A WAN link also needs a data link encapsulation, which both ends (routers) have to support and use. Frame Relay and ATM each use their own encapsulation, whereas a T1 can use SLIP, PPP or Cisco's HDLC.

Serial Line Internet Protocol (SLIP) is a standards-based protocol for point-to-point serial connections that carries only TCP/IP. It was mainly used for dial-up Internet connections and has largely been replaced by PPP.

Point-to-Point Protocol (PPP) improves on SLIP by adding support for non-TCP/IP protocols and for authentication (PAP and CHAP), among many other features. PPP is the most popular protocol for point-to-point WAN links between equipment from different vendors.

High-Level Data Link Control (HDLC) comes in two versions: the open ISO standard and Cisco's proprietary variant. The ISO version has no field identifying the upper-layer protocol, so it can carry only one protocol at a time (TCP/IP, IPX/SPX or AppleTalk), whereas Cisco's version adds a protocol type field, supports several protocols at once and has lower overhead. HDLC is the default on Cisco serial interfaces; you can set it explicitly with '(config-if)#encapsulation hdlc'.

X.25 Link Access Procedure, Balanced (LAPB) is the ancestor of Frame Relay and is still used in some less developed regions.

Frame Relay is faster than X.25 because it strips out the old error-correction machinery (reducing overhead); it is widely used in developed areas.

Asynchronous Transfer Mode(ATM) chops data into cells (each 53 bytes long). ATM is very similar to Frame Relay and can operate over fiber-optics.

PPP over Ethernet (PPPoE) and PPP over ATM (PPPoA) carry PPP over Ethernet or ATM; they are used mainly on DSL.

PPP

PPP is a protocol suite made up of ISO HDLC framing at the LLC sublayer, the Link Control Protocol (LCP) and a family of Network Control Protocols (NCPs), each providing different features. PPP works over nearly any type of WAN connection that does not bring its own transport mechanism (as Frame Relay and ATM do), so you can use it on an asynchronous (modem-style) connection or on a synchronous (high-speed) point-to-point serial link.

The first layer is ISO HDLC, which gives PPP basic framing and lets it support many kinds of devices.

The second layer is LCP, which negotiates the features of the link with the peer: authentication, callback, compression and multilink.

The third layer is the NCP family, which is what lets PPP carry multiple network-layer protocols: there is one open, standardized NCP per protocol, for example IPCP for IP, IPXCP for IPX and CDPCP for Cisco's CDP.

4 features of LCP

This section covers the features LCP negotiates. Authentication requires the connecting device to present a username and password before the WAN link comes up. It adds little on a dedicated point-to-point line, but is a sound security measure on dial-up (PSTN) links. PPP supports two authentication protocols: the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP).

PAP is the older method, and the client decides when to authenticate:
1. The client dials in to a router running PPP.
2. Once the link is established, the client sends its username and password at the LCP layer.
3. The PPP router checks them against its user database and allows or denies the client.
This method is not secure and should only be used when the peer supports nothing better. The credentials travel in clear text, so anyone sniffing the link can read them, and because the same bytes are sent every time, a captured exchange can simply be replayed to authenticate as the client (a replay attack).

CHAP is more secure than PAP:
1. The client dials in to a router running PPP.
2. The router sends a challenge message (a random value) to the client.
3. The client responds with an MD5 hash computed over the challenge and the shared secret it is configured with; the secret itself never crosses the link.
4. The router computes the same hash from its own copy of the secret; if the two match, the client is allowed into the network.
5. After authentication, the router repeats the challenge at random intervals, and the client must answer each new challenge with a fresh hash.
In CHAP the router (server) controls the process and decides when a response is demanded, so a replay attack is hard to mount: a captured response answers only the challenge it was computed for. Even if it somehow succeeded, the next re-challenge would end the session. Note that a hash is not encryption: it is the output of a one-way (irreversible) function of the original secret and challenge, and the router never decrypts it, it simply compares the received hash with the one it computed itself. The hash used here is MD5. The secret must be identical on client and server or authentication fails.
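The following Python script is an added example, not taken from the study guide or from Cisco, of the two exchanges just described. It implements the CHAP response exactly as RFC 1994 specifies (MD5 over the one-byte identifier, the shared secret and the challenge value), runs a PAP comparison for contrast, and then tries the replay attack against both. The hostnames HQ and BRANCH, the secret and the mistyped secret are constructed for the example.

```python
"""PPP authentication as the text describes it: PAP (credentials in the clear,
replayable) versus CHAP (RFC 1994 three-way handshake, MD5 over
identifier + secret + challenge, fresh challenge each time).
Constructed example, not Cisco code."""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994 section 4.1: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Router side: 'username <peer> password <secret>' entries plus
    'ppp authentication chap'. Issues challenges and checks responses."""

    def __init__(self, hostname, users):
        self.hostname = hostname      # sent in the Challenge packet (the CHAP name)
        self.users = users            # peer name -> shared secret
        self.ident = 0
        self.outstanding = {}         # ident -> challenge value

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        value = os.urandom(16)        # unpredictable, so old responses are useless
        self.outstanding[self.ident] = value
        return self.ident, value, self.hostname

    def verify(self, ident, response, peer_name):
        value = self.outstanding.pop(ident, None)   # each challenge is answered once
        secret = self.users.get(peer_name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: knows the same secret, never sends it."""

    def __init__(self, hostname, secret):
        self.hostname, self.secret = hostname, secret

    def respond(self, ident, challenge):
        return ident, chap_response(ident, self.secret, challenge), self.hostname


def pap_authenticate(users, username, password):
    """PAP: username and password travel in clear text and are compared as-is,
    so a sniffed pair works again as often as the attacker likes."""
    return users.get(username) == password


def demo():
    users = {"BRANCH": "s3cret"}                 # configured on HQ (constructed)
    hq = ChapAuthenticator("HQ", users)
    branch = ChapPeer("BRANCH", "s3cret")
    mistyped = ChapPeer("BRANCH", "S3cret")      # secrets differ by one character

    ident, value, _ = hq.challenge()
    captured = branch.respond(ident, value)      # what a sniffer on the link sees
    chap_ok = hq.verify(*captured)

    # re-authentication: HQ issues a new challenge; the attacker replays the old answer
    ident2, _value2, _ = hq.challenge()
    chap_replay = hq.verify(ident2, captured[1], captured[2])
    chap_replay_old_id = hq.verify(*captured)    # same ident, already consumed

    ident3, value3, _ = hq.challenge()
    chap_mismatch = hq.verify(*mistyped.respond(ident3, value3))

    sniffed = ("BRANCH", "s3cret")               # PAP: the credentials themselves
    pap_ok = pap_authenticate(users, *sniffed)
    pap_replay = pap_authenticate(users, *sniffed)
    return {"chap_ok": chap_ok, "chap_replay": chap_replay,
            "chap_replay_old_id": chap_replay_old_id, "chap_mismatch": chap_mismatch,
            "pap_ok": pap_ok, "pap_replay": pap_replay}
```

The point to take from demo(): the captured CHAP response fails against the next challenge and fails again against its own, already-consumed identifier, while the captured PAP pair authenticates every time. The digest comparison uses hmac.compare_digest so that a peer cannot learn the expected value byte by byte from timing differences.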

Another feature is callback, which lets a dial-up server/router running PPP hang up and call the user back at a predefined number. This is a strong security measure because the dial-up user must authenticate and then be present at the predefined phone number to receive the return call. The other benefit is toll consolidation: the long-distance charges land on the office line, which usually has the better rate. Callback works as follows:
1) A user dials into a router using PPP and authenticates.
2) Upon successful authentication, the router terminates the connection (typically without any notification) and dials the user back at the number configured by the administrator.
3) Upon reconnecting, the user authenticates a second time.
4) Upon successful authentication, the user is granted network access.

The third feature is compression, which makes the WAN link carry more data. It costs router CPU and memory, how much depending on the algorithm you choose.

One type is Stacker, a Lempel-Ziv algorithm. For every packet it looks up the character stream in a dictionary, replaces recurring strings with short codes, and starts again with the next packet. Because each packet is handled on its own it copes well with streams whose data types vary constantly. It leans heavily on the CPU but has little effect on router memory.

Another type is Predictor, which tries to predict the next character stream from an index file. It works well on streams with similar traffic patterns and uses more memory than CPU (as long as the index file stays small).

Microsoft Point-to-Point Compression (MPPC) offers slightly better CPU and memory usage. It is a Microsoft protocol, but it is documented in RFC 2118, so devices from other vendors (Cisco routers included) can interoperate with MPPC clients.

The final feature of the quartet is multilink (MLPPP), which bundles multiple WAN connections into a single logical connection (two 33.6 Kbps modems or four T1 lines, for instance). You assign one IP address, configure authentication once and optionally add compression to the bundle. Several physical links are thus managed centrally and traffic is spread evenly across them by fragmenting packets over the member links, at a small cost in processor and memory usage.

PPP configuration and troubleshooting

To enable PPP, enter '(config-if)#encapsulation ppp' on the serial interface at both ends (DCE and DTE).

The CCNA exam uses two-way authentication, meaning that when two routers connect, each authenticates the other. To set up two-way CHAP you 1) enable PPP on the link, 2) configure a hostname on each router (CHAP uses it as the username, so the two hostnames must differ), 3) create a user account for the peer on each router, and 4) turn on CHAP with 'ppp authentication chap' on the interface.

The first two steps have been covered, so we move on to the third. In global configuration, create the peer's account with 'username other-router-hostname password shared-password'. With CHAP the password has to be the same on both routers, because each side computes the same hash from it. Note that it must be stored with 'password', not 'secret': 'username ... secret' keeps only an MD5 hash of the password and the router cannot compute a CHAP response from that. Use 'service password-encryption' so the reversible password is at least obfuscated in the configuration, and protect configuration backups, since that obfuscation is easily undone.

To set the compression algorithm for the session, enter the interface and type 'compress' followed by the algorithm name; 'compress ?' lists the choices. Again, both routers must be set the same.

You can verify the configuration with 'show ip interface brief' or 'show interfaces' followed by the interface name and number. If the router negotiated Link Control Protocol (LCP) options, the state shows as LCP Open. If LCP negotiation failed (most likely because of an authentication problem), the LCP state cycles between Listen, ACKsent and TERMsent. The line below LCP Open lists the Network layer protocols (NCPs) running across the PPP link; note that CDP appears there as a network-layer protocol. Compression statistics are shown by 'show compress'. Router-generated control traffic on the PPP link is not compressed.

Troubleshoot with 'debug ppp negotiation', which lists each PPP action as it happens; 'debug ppp authentication' is the other useful command.

Chapter 23. Frame Relay

Virtual circuits are logical links through a service provider network that give routers the impression that they are directly connected. A traceroute shows the router at the far side as one hop away, even though the two may be far, far apart.

As a network administrator you do not need to know what the service provider does internally; what you do know is that the virtual circuits you purchase connect distant networks in a single hop.

Frame Relay is cheaper than T1 lines and, unlike most other WAN technologies, it is not point-to-point: one router can connect to five others at the same time if you wish.

Here are the three Frame Relay designs:
- Hub and spoke: one main, central router (HQ) is the hub and each branch office router is a spoke. The branch offices rarely talk to each other but often reach resources at HQ; when they do need to communicate, the data passes through the hub (tandem switching). This is a challenge for companies using VoIP, because the extra delay degrades call quality, and if the hub router fails the whole network goes down.
- Partial mesh: sits between hub and spoke and full mesh. Critical sites get multiple virtual circuits for redundancy, while less important sites may have only one.
- Full mesh: maximum redundancy and minimum packet latency, but also the most costly option.

There are permanent virtual circuits (PVCs) and switched virtual circuits (SVCs). A PVC is permanently established through the Frame Relay provider network and lets the routers at each end communicate without any setup process; it closely emulates a leased line between your devices. An SVC is also an end-to-end connection between routers, but it is set up on demand and torn down afterwards and may be billed on a usage basis; SVCs have largely disappeared over the years.

Your router communicates with the ISP using the local management interface (LMI). In older IOS versions you had to set the router to the LMI type your ISP uses; newer versions detect and set it automatically.

Just as MAC addresses identify devices on a LAN, a number called the data link connection identifier (DLCI) identifies a connection in Frame Relay. Unlike a MAC header, which carries both source and destination, a frame carries a single DLCI that identifies the PVC on the local link; the number has only local significance, and the provider assigns the range used at each location. Consequently the same DLCI value can appear at both ends of a PVC, or refer to entirely different routers at different sites.

Local access rate, also known as line speed, is the maximum physical speed of your Frame Relay connection, up to about 44 Mbps (a T3); your actual throughput can never exceed it.

How fast a virtual circuit can go is governed by its Committed Information Rate (CIR), the minimum speed the ISP promises for that circuit; most of the time you get more than that. When everyone is using the bandwidth, the ISP may cut you back toward the CIR. The line speed caps everything: the sum of your CIRs should not exceed it, because the ISP cannot deliver more than the access line carries no matter how many virtual circuits you buy. Circuits with a CIR of 0 Kbps exist; before buying one, consider the ISP's reputation, or you may end up with no bandwidth at all.

Discard eligible (DE) is the state of traffic sent above the CIR you purchased. The ISP tags these frames DE, meaning they are the first to be dropped when the network gets busy.

Without special configuration, your router sends onto the PVC at line speed. If your CIR and local access rate differ greatly, the PVC soon becomes congested (the far end cannot drain it as fast as you fill it). The service provider then signals the router sending the excess traffic to slow down using Backward Explicit Congestion Notification (BECN) and Forward Explicit Congestion Notification (FECN) bits.

When a router sends a large file faster than the far end can take it, the provider sets the BECN bit in frames travelling back toward the sender, telling it to slow down. By default a Cisco router ignores BECN; it only reacts when Frame Relay traffic shaping is configured. If the router does not slow down, the ISP drops the excess and performance suffers dramatically. FECN does not itself tell anyone to slow down: it is the same notification set on frames travelling forward, toward the receiver, and it exists for traffic that produces no acknowledgements back to the sender (non-TCP flows). If the receiving router is configured to respond to FECNs, it generates a Q.922 test frame with no useful payload and sends it back toward the sender with the BECN bit set; the sending router notes the congestion bit and discards the frame.

Frame Relay is a non-broadcast multiaccess (NBMA) network: one interface connects to several devices, but a broadcast sent on the interface does not automatically reach all of them. This creates a problem in hub-and-spoke designs with distance vector routing protocols, because of split horizon: the hub learns a spoke's networks on its Frame Relay interface, and the split-horizon rule forbids advertising those networks back out the same interface, so the other spokes never hear about them. The solutions are 1) disable split horizon on the hub, or 2) use sub-interfaces.

Sub-interfaces let you break a single physical interface into multiple logical interfaces. You still have one physical connection to the Frame Relay provider, but your router sees it as several connections. There are two kinds of Frame Relay sub-interface: point-to-point and multipoint. Only the point-to-point kind fixes the split-horizon issue, by giving each PVC its own sub-interface.

Multipoint means multiple PVCs terminate under one logical interface. Point-to-point means a remote router is reached through its own local sub-interface; routes learned there can be advertised out the other sub-interfaces without violating split horizon, so you keep its protection against routing loops. The IP address is configured on the sub-interface.

Frame Relay operates at the Data Link layer, but to route, a router needs to know the Layer 3 address at the far end of each PVC. There are two ways to learn it: Inverse ARP and static mapping.

Inverse ARP works as follows:
1) Connect your router to the ISP through the serial interface.
2) The service provider uses LMI to identify your router and sends it the list of DLCIs it can use to reach the remote sites.
3) The router sends an Inverse ARP message over each DLCI asking the remote router for its IP address.
4) When the reply arrives, the router records the DLCI-to-IP mapping for future use.
NOTE: Inverse ARP is used on the physical interface and on multipoint sub-interfaces; on a point-to-point sub-interface there is only one DLCI, so no mapping is needed. If you rely on Inverse ARP for several DLCIs, they stay under the physical interface, which then behaves as a multipoint interface.

With static mapping you enter the DLCI-to-IP address mapping for each PVC by hand. This gives you complete control over the mappings and works on any interface or sub-interface. User DLCIs start at 16; the lower values are reserved for management traffic such as LMI.

There are 3 Frame Relay situations you can configure:

Your router is connected to another router point-to-point over the physical interface; this is the simplest configuration because the mapping happens automatically. To start Cisco's proprietary Frame Relay encapsulation use '(config-if)#encapsulation frame-relay'; for the IETF standard use '(config-if)#encapsulation frame-relay ietf' (needed when the far end is not a Cisco router).

To verify, use '#show frame-relay lmi'. The counts of sent and received status messages should be roughly equal and increase steadily. If something is wrong, the 'Num Status Timeouts' field increments steadily instead.

Continue verifying with '#show frame-relay pvc' (SVCs have their own command) to see every PVC. The line below the table matters: it shows the DLCI of your connection and the PVC status, which can be:
- Active: the circuit is connected end to end between the two routers. This is the normal state when everything works.
- Inactive: your end (the local side) is working, but the other side is either not configured or offline.
- Deleted: a problem on your side (the local side). Most likely you are using a DLCI number the service provider has not configured.
- Static: the PVC was entered manually by you (the administrator) rather than discovered dynamically from the service provider.

'#show frame-relay map' shows the DLCI and corresponding IP address for every connection, along with the PVC status.

Also, as noted earlier, older IOS versions cannot autodetect the LMI type used by the ISP, so you must set it with '(config-if)#frame-relay lmi-type' followed by cisco, ansi or q933a. You need to learn the provider's LMI type before doing this.

Routers can also be configured with sub-interfaces; a hub-and-spoke network is a point-to-multipoint design. A multipoint design can be built either 1) under the physical interface itself or 2) on a multipoint sub-interface. To create a sub-interface use '(config)#interface serial 0.' followed by a number from 0 to 4294967295 and then the keyword 'point-to-point' or 'multipoint'. Multipoint goes on the hub, while the spokes use point-to-point. In this design you need to arrange tandem switching, above all with static maps, for the spokes to reach each other. Stick to one mapping method across the network, either Inverse ARP or static maps. For instance, '(config-if)#frame-relay map ip 192.168.5.2 503 broadcast' means "to reach the remote router at 192.168.5.2, use local DLCI 503". The 'broadcast' keyword lets the router copy broadcasts and multicasts (routing protocol updates in particular) onto that PVC, which an NBMA link would otherwise not forward; it does not change split horizon. On a spoke, the map entries for the hub and for every other spoke all point at the same local DLCI, the one that leads to the hub.

Apart from the WAN connection, you also need routing to the remote networks, via a routing protocol, so that data actually flows between them. Verify with '#show ip route'.

Also bear in mind that with split horizon in effect, spokes will not have the other spokes' networks in their routing tables. To overcome this, either 1) move to point-to-point sub-interfaces, or 2) enter 'no ip split-horizon' on the hub's Frame Relay interface.

A point-to-point design requires a logical sub-interface for each PVC leaving a location. On the hub that means two sub-interfaces on the same physical interface, each with a DIFFERENT subnet and IP address; because a route learned on one sub-interface can be advertised out the other, the spokes learn each other's networks. Once created, the router treats the sub-interfaces as completely independent connections. The one disadvantage of the point-to-point design is that you must configure a separate subnet for each PVC, whereas multipoint lets all routers share a common subnet.

To configure a point-to-point design, enter '(config)#interface serial 0.' followed by a number from 0 to 4294967295 and the keyword 'point-to-point'. Then assign the IP address with 'ip address' and the DLCI with 'frame-relay interface-dlci'. Point-to-point sub-interfaces appear as their own entries in 'show ip interface brief'.
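The Python model below is an added illustration (not code from the study guide or from Cisco) of the split-horizon behaviour discussed in the sub-interface sections above: a hub HQ with spokes A and B, their LANs 10.0.0.0/24, 10.1.0.0/24 and 10.2.0.0/24, and WAN subnets 192.168.5.0/24 (multipoint) or 192.168.5.0/30 and 192.168.6.0/30 (point-to-point), all constructed for the example. A simplified distance-vector exchange runs over the PVCs, and the question asked is whether spoke B ever learns spoke A's LAN.

```python
"""Distance-vector route exchange over a Frame Relay hub-and-spoke, showing why
spokes on a multipoint hub interface never learn each other's networks (split
horizon) and how point-to-point sub-interfaces or 'no ip split-horizon' on the
hub fix it. Constructed example, not IOS code."""
from collections import defaultdict


def iface(prefix, split_horizon=True):
    """One interface: its connected prefix and whether split horizon is on."""
    return {"connected": prefix, "split_horizon": split_horizon}


def converge(routers, pvcs, max_rounds=10):
    """routers: {name: {ifname: iface(...)}}; pvcs: [((router, if), (router, if))].
    Returns {router: {prefix: (learned_on_interface, hop_count)}}."""
    tables = {name: {cfg["connected"]: (ifn, 0) for ifn, cfg in ifs.items()}
              for name, ifs in routers.items()}
    neighbours = defaultdict(list)
    for (r1, i1), (r2, i2) in pvcs:
        neighbours[r1].append((i1, r2, i2))
        neighbours[r2].append((i2, r1, i1))
    for _ in range(max_rounds):
        changed = False
        for sender in routers:
            for out_if, receiver, in_if in neighbours[sender]:
                sh = routers[sender][out_if]["split_horizon"]
                for prefix, (learned_if, hops) in tables[sender].items():
                    if sh and learned_if == out_if:
                        continue   # split horizon: never re-advertise a route out the interface it came in on
                    current = tables[receiver].get(prefix)
                    if current is None or hops + 1 < current[1]:
                        tables[receiver][prefix] = (in_if, hops + 1)
                        changed = True
        if not changed:
            break
    return tables


def build(design):
    """design: 'multipoint', 'multipoint-no-split-horizon' or 'point-to-point'."""
    if design == "point-to-point":
        # hub: one sub-interface and one /30 per PVC
        hub = {"Eth0": iface("10.0.0.0/24"),
               "Ser0.1": iface("192.168.5.0/30"), "Ser0.2": iface("192.168.6.0/30")}
        pvcs = [(("HQ", "Ser0.1"), ("A", "Ser0")), (("HQ", "Ser0.2"), ("B", "Ser0"))]
        wan_a, wan_b = "192.168.5.0/30", "192.168.6.0/30"
    else:
        # hub: both PVCs under one (multipoint) interface sharing one subnet
        hub = {"Eth0": iface("10.0.0.0/24"),
               "Ser0": iface("192.168.5.0/24", design != "multipoint-no-split-horizon")}
        pvcs = [(("HQ", "Ser0"), ("A", "Ser0")), (("HQ", "Ser0"), ("B", "Ser0"))]
        wan_a = wan_b = "192.168.5.0/24"
    routers = {"HQ": hub,
               "A": {"Eth0": iface("10.1.0.0/24"), "Ser0": iface(wan_a)},
               "B": {"Eth0": iface("10.2.0.0/24"), "Ser0": iface(wan_b)}}
    return routers, pvcs


def spoke_b_reaches_spoke_a(design):
    """Does spoke B end up with spoke A's LAN (10.1.0.0/24) in its table?"""
    routers, pvcs = build(design)
    return "10.1.0.0/24" in converge(routers, pvcs)["B"]


if __name__ == "__main__":
    for design in ("multipoint", "multipoint-no-split-horizon", "point-to-point"):
        print(f"{design:<28} B learns A's LAN: {spoke_b_reaches_spoke_a(design)}")
```

With the hub's PVCs under one multipoint interface, B never gets 10.1.0.0/24 because HQ learned it on Ser0 and split horizon stops HQ re-advertising it out Ser0. Turning split horizon off on the hub, or giving each PVC its own point-to-point sub-interface, lets the route through. The model ignores timers, poison reverse and the broadcast replication that the 'broadcast' keyword provides.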

To troubleshoot, 'debug frame-relay lmi' focuses on your direct communication with the service provider. If the 'myseq' counter keeps incrementing while 'yourseen' stays at 0 (and the status timeouts climb), your LMI type almost certainly does not match the provider's. To fix this, 'show frame-relay lmi' shows the LMI type you are using; change it to the one your service provider supports. In the debug output, a PVC status of 0x0 means inactive, 0x2 active and 0x4 deleted.

Chapter 24. Understanding VPN connectivity

VPN can be an alternative to WAN, although it is not a WAN. VPN is:• Cheaper than WAN, and establish more meshed topology.• Remote-access connections is easier since you no longer need to dial with modem.• Scalability allow the company to grow easily without serious cost to add significant infrastructure.

However, with the good comes the bad:
• A VPN is not secure by itself, since your data crosses the public Internet. Encryption and authentication (IPsec or SSL) must be layered on top to make it private.
• Higher overhead, due to the encryption and authentication and to the tunnel encapsulation itself.
• The Internet gives no guarantee of delivery or of delay; latency and jitter are unpredictable, which makes latency-sensitive applications such as VoIP harder to run over a VPN.

VPN connections come in two types, site-to-site and remote-access; VPN connections are usually represented as logical tunnels. Site-to-site VPNs are the direct replacement for private-line WAN connections. They allow offices to maintain permanent or semipermanent connections between each other through the Internet.

A VPN connection can be permanent or semipermanent. With a permanent VPN connection, whenever you transmit data between the two locations it passes through immediately, without setup delay. The drawback is that router or firewall resources are always being consumed to maintain the VPN connection. Semipermanent connections are an “on-demand” style of VPN: when the VPN is needed, the router or firewall establishes the tunnel, and when it is no longer required (no data is attempting to pass between offices) the router or firewall tears it down. Because the router or firewall does not maintain idle VPN connections, a semipermanent connection conserves its resources. On the flip side, the tunnel takes a moment to establish when data needs to be transmitted, so the initial connection attempt between offices may experience delay or failure while the VPN tunnel is formed.

Remote-access VPNs are typically used to allow telecommuting or mobile workers to connect to the corporate network from home or from a hotel. This type of connection is always semipermanent (on-demand). Remote-access VPNs can be configured through a system called Cisco Easy VPN, in which the router or ASA pushes the VPN policy down to the client. An alternative is SSL VPN, which lets a user log in to the network remotely using only a web browser (eliminating the need to install separate VPN client software).

SSL VPN comes in clientless and thin-client modes. Clientless mode presents the user with a web page listing the resources he or she may reach after successfully authenticating to the VPN; the browser is the only software involved. Clientless mode does not allow users to run applications installed on their own PC over the VPN.

Thin-client mode prompts the user to install an ActiveX or Java-based plug-in after he or she successfully authenticates to the VPN. This plug-in is responsible for forwarding the userʼs application connections across the tunnel; at the time of writing only TCP-based applications can be carried this way.

To run a VPN connection, you must have a router or firewall that supports VPN connectivity (such as the Cisco ISR or ASA firewall) and, only if you are deploying a remote-access VPN, a VPN client. Integrated Services Routers (ISRs) are business-class routers that can manage both site-to-site and remote-access VPN connectivity. ASA firewalls (the successor to the PIX firewall) handle many security aspects of the network and also support both VPN methods. ISRs are designed to handle routing as their primary function (which they do quite well) and VPNs as a secondary function (which they do fairly well). The ASA is designed to handle VPNs and other firewall processes as its primary function (which it does quite well) and routing as a secondary function (which it does fairly well). If you are managing a site-to-site connection, two routers or two ASA firewalls are all that is required. If you are managing remote-access VPN connections, you also need to consider a VPN client.

The VPN clients to know are:
• Cisco VPN client: If you purchase a Cisco SMARTnet agreement (Ciscoʼs name for an extended support and warranty agreement) with your ISR router or ASA firewall, you can download the latest versions of the Cisco VPN client. This provides the most compatibility (supports the most features) when used with the Cisco VPN solution. For example, you can enable a VPN-triggered firewall that begins working as soon as the user connects to the VPN. This firewall protects the client from being compromised by Internet-based attacks while connected to the VPN, so that a compromised laptop does not become a bridge into the corporate network. When the user disconnects from the VPN, the firewall disables itself to allow unfiltered Internet and local network access. The rules of this firewall are controlled by the Cisco administrator (thatʼs you!).
• Certicom client: The Certicom client is a widely supported VPN client that can be installed on portable devices such as a PDA. This allows the user to connect to the corporate VPN from the PDA and perform tasks such as checking corporate email.
• Cisco VPN 3002 hardware client: You can install this lower-cost device in a small office/home office (SOHO) environment. It establishes on-demand VPN connections when data that needs to cross the VPN is sent. This works without installing any software on the client PCs or training users on VPN software. Although this product is end of life (EOL, no longer manufactured by Cisco), third-party companies make similar devices that are compatible with the Cisco VPN solution.
• Third-party IPsec VPN software: The industry-standard IPsec protocol is supported by many other VPN clients. So, if you or your company has purchased some other non-Cisco, IPsec-compatible VPN software, chances are you can make it work with the Cisco VPN solution. It may just take a little more work!

IPsec (Layer 3) stands for IP Security, a suite of protocols used to protect data (TCP/UDP payloads and, in tunnel mode, entire IP packets) crossing a network. IPsec is better described as a framework of protocols: IPsec itself DOES NOT perform the encryption or hashing. It specifies which combination of protocols will be used to secure the data, and those selected protocols do the actual work. The IPsec framework includes the IPsec protocol (AH or ESP), an encryption algorithm, an authentication/hashing algorithm, and a Diffie-Hellman (DH) group for key exchange.

Encryption is officially called data confidentiality. Its function is to make the data you send unreadable to unauthorized devices and yet understandable to authorized devices. Two things are involved: the algorithm (the mathematical procedure, such as DES or AES) and the key (a secret value fed into the algorithm). The algorithm is public and the same for everyone; the key is what must stay secret, and each device that wants to encrypt or decrypt data needs the appropriate key. The basic steps for symmetric encryption are:
1. Clear-text (unencrypted) data is passed to the encryption algorithm together with the key. The algorithm runs the data through a sophisticated mathematical process that renders it unreadable.
2. The encrypted data is transmitted across the potentially unsecured network and is received by the destination device.
3. The destination device uses the same key to decrypt the scrambled data, returning it to its original, clear-text form.

The symmetric algorithms to know are DES, 3DES and AES:
• DES: originally developed by IBM, it uses a 56-bit key (the longer the key, the harder a brute-force attack). By todayʼs standards DES is weak; a 56-bit key can be brute-forced with modest hardware.
• 3DES: runs the DES algorithm three times with different keys (hence the name), which significantly improved on single DES at roughly three times the processing cost. It is considered legacy today.
• AES: the current standard; it offers the strongest encryption of the three, with 128-, 192- or 256-bit keys.

The Diffie-Hellman (DH) key exchange algorithm addresses a gigantic missing piece of the symmetric encryption systems just described. Symmetric algorithms (DES, 3DES and AES) use a shared-key approach in which the same key encrypts and decrypts the data. This is very efficient on processing cycles, but it raises a question: if the same key encrypts and decrypts, how do both devices get the key? They could simply send it to each other over the network, but then anyone who intercepted the key could decode every transmission. That is the problem DH solves. The goal of DH is to let two devices agree on a shared secret over a public network without ever sending the secret itself. Each endpoint picks a private random number, sends the other the result of a mathematical formula applied to it (a modular exponentiation), and combines the result it receives with its own private number. Both endpoints arrive at the same shared secret value, which is then used to generate the symmetric encryption keys for the VPN session (symmetric keys being much easier for the devices to process). An eavesdropper who captured both exchanged results would have to solve the discrete logarithm problem to recover the secret, and DH uses monstrously large numbers (a 1024-bit modulus is more than 300 decimal digits; 2048 bits and up is current practice) to make that infeasible. DH is much harder on the deviceʼs processor than symmetric encryption, which is why it is used only briefly at the start of the session to generate the symmetric keys. Note also that DH by itself does not prove who is on the other end: an attacker in the middle could run a separate exchange with each side. This is why IKE, the IPsec key-management protocol, pairs DH with peer authentication by pre-shared key or digital certificate.
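
The exchange described above, written out as an added example (this is editorial code, not part of the exam prep notes or any Cisco software). Both endpoints compute the same secret from the values that cross the wire, and the third function plays the eavesdropper: with the deliberately tiny modulus assumed here (P = 1000003, G = 2, chosen only so the brute force finishes quickly) the attacker wins, which is exactly why real IKE groups are 2048 bits or larger.

```python
import hashlib
import secrets

# Toy group parameters (ASSUMPTION: deliberately tiny so the eavesdropper's
# brute force below finishes in about a second). Real IKE/IPsec deployments
# use the 2048-bit or larger MODP groups of RFC 3526; the arithmetic is identical.
P = 1_000_003   # a prime modulus
G = 2           # the generator (base)


def dh_keypair(p=P, g=G):
    """Return (private, public): private is a random exponent, public = g^private mod p."""
    private = secrets.randbelow(p - 2) + 1      # 1 <= private <= p-2
    public = pow(g, private, p)
    return private, public


def dh_shared_secret(their_public, my_private, p=P):
    """Each side raises the peer's public value to its own private exponent.
    (g^a)^b == (g^b)^a mod p, so both sides land on the same number."""
    return pow(their_public, my_private, p)


def derive_symmetric_key(shared_secret, label=b"vpn-session"):
    """Hash the DH result into a fixed-length symmetric key (SHA-256 here).
    Real IKE runs a PRF over the secret plus nonces and SPIs; the idea is the same."""
    nbytes = (shared_secret.bit_length() + 7) // 8 or 1
    return hashlib.sha256(label + shared_secret.to_bytes(nbytes, "big")).digest()


def dh_exchange(p=P, g=G):
    """Run the full exchange. Only p, g, A and B ever travel over the clear network."""
    a, A = dh_keypair(p, g)   # endpoint 1 keeps a, sends A
    b, B = dh_keypair(p, g)   # endpoint 2 keeps b, sends B
    key_1 = derive_symmetric_key(dh_shared_secret(B, a, p))
    key_2 = derive_symmetric_key(dh_shared_secret(A, b, p))
    return {"p": p, "g": g, "A": A, "B": B, "key_1": key_1, "key_2": key_2}


def eavesdropper_recover_secret(p, g, A, B):
    """What someone who captured p, g, A and B must do: solve g^x = A (mod p) for x,
    then compute B^x. Brute force works for a toy modulus; for a 2048-bit group
    there is no known feasible way to do this, which is what makes DH safe."""
    value = 1
    for x in range(1, p - 1):
        value = value * g % p          # value == g^x mod p
        if value == A:
            return pow(B, x, p)
    return None


if __name__ == "__main__":
    r = dh_exchange()
    print("both endpoints derived the same key:", r["key_1"] == r["key_2"])
    stolen = eavesdropper_recover_secret(r["p"], r["g"], r["A"], r["B"])
    print("eavesdropper broke the toy group:", derive_symmetric_key(stolen) == r["key_1"])
```

Swap P for a real 2048-bit group prime and the two endpoints still agree in milliseconds, while the brute-force loop would need on the order of 2^2047 steps; the cost asymmetry between the legitimate parties and the attacker is the whole point of the algorithm.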

Although the Diffie-Hellman algorithm has long been used to secure symmetric key exchange over a public network, SSL is a different cryptographic protocol that provides secure communications over the Internet for things such as web browsing, instant messaging and email (its successor is TLS, but “SSL” remains the common name). It is discussed here because SSL VPNs continue to increase in popularity. As with Diffie-Hellman, the goal of SSL is to provide secure communications over a public network. To accomplish this, SSL uses a dual-key (asymmetric) approach: each device has a public key and a private key. The two keys are mathematically linked. Anything the public key encrypts, only the private key can decrypt; anything the private key encrypts (a digital signature), the public key can verify. The keys are generated so that it is computationally infeasible to derive one from the other: someone who holds your public key cannot work out your private key, and vice versa.

The SSL key exchange goes through the following steps:
1. PC1 and PC2 send each other their respective public keys.
2. One of the devices (PC1 in this example) generates a shared-secret key (a symmetric key) that will be used to encrypt and decrypt data for the session.
3. PC1 encrypts the shared-secret key using PC2ʼs public key and transmits the encrypted key to PC2.
4. PC2 decrypts the shared-secret key using its private key. Now that both PC1 and PC2 hold the same shared-secret key, it is used to encrypt and decrypt all communication for the secured session.
SSL uses asymmetric encryption (public and private keys) only at the start of the conversation, to provide a secure exchange of the shared secret; as soon as both devices have it, the session switches to symmetric encryption because it is much more efficient on the devicesʼ processors. One caveat the exam picture leaves out: PC1 must be sure the public key really belongs to PC2, otherwise an attacker in the middle could substitute his own public key and read the secret. In SSL the serverʼs public key therefore arrives inside a digital certificate signed by a certificate authority the client already trusts.
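
The four steps above, as an added example that is not part of the original notes and not Cisco or OpenSSL code. Steps 1 through 4 are RSA key transport: PC2ʼs public key wraps the session secret, and only PC2ʼs private key unwraps it. The RSA here is textbook (no padding) and the 512-bit key size is an assumption chosen so the demo runs in a second; neither is acceptable for production, where keys are 2048 bits or more and modern TLS has moved from RSA key transport to ephemeral Diffie-Hellman.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (error probability <= 4^-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2           # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=512):
    """Textbook RSA key generation. ASSUMPTION: 512 bits keeps the demo fast;
    real deployments use 2048 bits or more. Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:      # e is prime, so this means gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)                  # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """Whatever the public key encrypts, only the matching private key can decrypt."""
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def ssl_style_key_exchange(bits=512):
    """The four steps from the text, as RSA key transport."""
    # 1. PC2 sends PC1 its public key (in real SSL/TLS it arrives inside a certificate).
    pc2_public, pc2_private = rsa_keypair(bits)
    # 2. PC1 generates the shared secret for this session (256 random bits, well below n).
    shared_secret = secrets.randbits(256)
    # 3. PC1 encrypts the secret with PC2's public key; only this value crosses the wire.
    on_the_wire = rsa_encrypt(pc2_public, shared_secret)
    # 4. PC2 decrypts it with its private key.
    recovered = rsa_decrypt(pc2_private, on_the_wire)
    # Both sides now hash the secret into the symmetric session key and switch to it.
    key_pc1 = hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()
    key_pc2 = hashlib.sha256(recovered.to_bytes(32, "big")).digest()
    return {"on_the_wire": on_the_wire, "shared_secret": shared_secret,
            "recovered": recovered, "key_pc1": key_pc1, "key_pc2": key_pc2}


if __name__ == "__main__":
    result = ssl_style_key_exchange()
    print("PC2 recovered the secret:", result["recovered"] == result["shared_secret"])
    print("session keys match:", result["key_pc1"] == result["key_pc2"])
```

Notice that nothing in the exchange tells PC1 that the public key it received in step 1 is really PC2ʼs; that binding is what the certificate and its trusted signer supply, and without it an attacker in the middle simply substitutes his own key pair.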

When many IT people think of authentication, they equate it with entering a username and password to log on to a PC. That form of authentication verifies that the person using the computer is who he says he is. Authentication as it applies to IPsec performs a similar, but not identical, job. When sending data over an unsecured network, you must ensure that the data received is exactly the same as the data sent, and that it came from a trusted source. If the data changed somewhere between the sending and receiving devices, the security protocol should detect the change and reject the data. In the IPsec world, authentication is often used synonymously with the terms data integrity and hashing. Technically speaking, authentication verifies that the device sending the data is the “true” device (not a fake), while data integrity ensures that the data does not change from one end to the other. The process used for data integrity is similar to encryption, but with a different goal. As with encryption, hashing passes all the data in the packet (above Layer 3) through a mathematical algorithm. However, the job of this algorithm is not to scramble the data but to produce a short result, known as the hash. As a simplified example, the algorithm might say “add up all the vowels in this data packet,” and the result might be 96.

This result (the hash) is appended to the end of the data and sent to the receiver. The step-by-step hashing process goes like this:
1. The sending device passes the data to be transferred through a hashing algorithm and comes up with a result (the hash).
2. The hash is appended to the data and sent to the receiving device.
3. The receiving device runs the received data through the same hashing algorithm to generate its own result, and compares it to the hash that arrived with the data. If the two values are the same, the receiver is assured that the data did not change in transit. If they differ, the data did change, and the receiver discards it.

There are two popular hashing algorithms: MD5 (128-bit hash) and SHA-1 (160-bit hash). In IPsec they are used in keyed form (HMAC-MD5 and HMAC-SHA-1, with the result truncated to 96 bits in the packet), so that an attacker who alters the data cannot simply recompute a matching hash. Both MD5 and SHA-1 are now considered weak against collision attacks, and newer deployments prefer the SHA-2 family.
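
The three-step hashing procedure above, as an added example (editorial code, not from the notes or from Cisco) that also shows the catch the plain description hides. An unkeyed hash catches accidental corruption, but an attacker on the path can rewrite the data and append a fresh hash that verifies perfectly; the keyed HMAC form that IPsec actually uses defeats that because the attacker does not hold the shared key. The HTTP-looking payload and the 20-byte key are constructed for the demo.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 20   # SHA-1 produces a 160-bit (20-byte) hash

# Constructed sample payload, standing in for the data "above Layer 3" in a packet.
SAMPLE_PAYLOAD = b"GET /payroll/export HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def send_with_plain_hash(data):
    """Steps 1-2 from the text: hash the data and append the hash (no key involved)."""
    return data + hashlib.sha1(data).digest()


def verify_plain_hash(message):
    """Step 3: recompute the hash over the received data and compare. Returns (ok, data)."""
    data, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha1(data).digest(), tag), data


def send_with_hmac(key, data):
    """What IPsec actually does (HMAC-SHA-1): the hash is mixed with a shared secret key."""
    return data + hmac.new(key, data, hashlib.sha1).digest()


def verify_hmac(key, message):
    data, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag), data


def flip_one_bit(message):
    """Transmission error or crude tampering: one data bit changes, the tag does not."""
    return bytes([message[0] ^ 0x01]) + message[1:]


def rewrite_and_rehash(message, old, new):
    """An attacker on the path rewrites the data and appends a fresh unkeyed hash."""
    data = message[:-TAG_LEN].replace(old, new)
    return data + hashlib.sha1(data).digest()


def demo(key=None):
    """Run both schemes against a bit flip and against an active rewrite.
    Returns whether each receiver ACCEPTED the message."""
    key = key or secrets.token_bytes(20)
    plain = send_with_plain_hash(SAMPLE_PAYLOAD)
    keyed = send_with_hmac(key, SAMPLE_PAYLOAD)
    return {
        "plain_genuine": verify_plain_hash(plain)[0],
        "plain_bitflip": verify_plain_hash(flip_one_bit(plain))[0],
        "plain_rewritten": verify_plain_hash(rewrite_and_rehash(plain, b"/payroll", b"/public"))[0],
        "hmac_genuine": verify_hmac(key, keyed)[0],
        "hmac_bitflip": verify_hmac(key, flip_one_bit(keyed))[0],
        "hmac_rewritten": verify_hmac(key, rewrite_and_rehash(keyed, b"/payroll", b"/public"))[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16s} accepted={accepted}")
```

Only the plain-hash receiver accepts the rewritten request; that is the difference between data integrity alone and the authentication the text says IPsec also requires. hmac.compare_digest is used for the comparison so that the check runs in constant time rather than leaking, byte by byte, how much of a forged tag was right.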

There are two IPsec “engines” (the protocols that actually carry the protected packet):
• Authentication Header (AH), IP protocol 51: the first IPsec engine released. It supports only authentication (verifying the sending and receiving devices) and data integrity (ensuring the data does not change in transit); AH does not support encryption. Because its integrity check also covers the unchanging fields of the outer IP header, AH breaks when a NAT device rewrites addresses.
• Encapsulating Security Payload (ESP), IP protocol 50: the second IPsec engine released. It filled in the massive missing piece of AH: encryption. ESP supports all three pieces of the IPsec framework (authentication, data integrity and encryption), so it is by far the more popular of the two.
Both AH and ESP also carry a sequence number, which the receiver uses to reject replayed packets.
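
An added example (editorial code, not from the notes or from Cisco) that makes the difference between the two engines visible on the wire: a parser for the AH header and for the readable part of ESP, driven by constructed sample headers (not captured traffic; the ICV bytes are placeholders for a real 96-bit HMAC-SHA-1 result). With AH everything after the header is readable; with ESP only the SPI and sequence number are.

```python
import struct

IPPROTO_ESP = 50   # IP protocol number carrying ESP
IPPROTO_AH = 51    # IP protocol number carrying AH
AH_FIXED_LEN = 12  # next header, payload len, reserved, SPI, sequence number


def build_ah(next_header, spi, seq, icv):
    """Build an Authentication Header (RFC 4302). The Payload Len field counts
    32-bit words of the whole AH minus 2, so a 12-byte ICV gives Payload Len = 4."""
    if len(icv) % 4:
        raise ValueError("ICV must be a multiple of 32 bits")
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(data):
    """Parse AH. Everything here is in the clear: AH authenticates but never encrypts."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("AH too short")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4
    if total_len > len(data):
        raise ValueError("AH Payload Len exceeds captured bytes")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:total_len], "header_len": total_len,
            "inner": data[total_len:]}


def parse_esp(data):
    """Parse ESP (RFC 4303). Only the SPI and sequence number are readable; the
    payload, padding, pad length and next-header byte that follow are encrypted,
    and the optional ICV at the end is just bytes to anyone without the key."""
    if len(data) < 8:
        raise ValueError("ESP too short")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "opaque_len": len(data) - 8}


def describe(ip_proto, data):
    """One-line summary a monitoring tool might print for an IPsec packet."""
    if ip_proto == IPPROTO_AH:
        h = parse_ah(data)
        return (f"AH spi=0x{h['spi']:08x} seq={h['seq']} next_header={h['next_header']} "
                f"icv={len(h['icv']) * 8}bit: integrity+authentication, payload visible")
    if ip_proto == IPPROTO_ESP:
        h = parse_esp(data)
        return (f"ESP spi=0x{h['spi']:08x} seq={h['seq']} "
                f"{h['opaque_len']} opaque bytes: payload encrypted")
    return f"not IPsec (protocol {ip_proto})"


# Constructed samples (not captured traffic). next_header=4 means an IPv4 packet
# follows, i.e. tunnel mode; the ICV bytes stand in for a truncated HMAC-SHA-1.
SAMPLE_AH = build_ah(next_header=4, spi=0x00001001, seq=7, icv=bytes(range(12))) + b"inner IPv4 packet..."
SAMPLE_ESP = struct.pack("!II", 0x00002002, 9) + bytes(32)   # 32 opaque (encrypted) bytes

if __name__ == "__main__":
    print(describe(IPPROTO_AH, SAMPLE_AH))
    print(describe(IPPROTO_ESP, SAMPLE_ESP))
```

The SPI is what a receiver uses to look up which security association (keys and algorithms) a packet belongs to, and the sequence number is what feeds the anti-replay check; both are deliberately left in the clear in each engine so that lookup can happen before any cryptography runs.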