
CCNA Discovery - Introducing Routing and Switching in the Enterprise


1 Networking in the Enterprise
1.0 Chapter Introduction
1.0.1 Introduction Page 1:

1.0.1 - Introduction Enterprise networks provide application and resource support to local and remote users anywhere and at any time. Intranets and extranets form the structure of a large enterprise network. Internal and external traffic patterns affect security and network performance. Advanced security and networking technology supports telecommuters so they can work productively away from the office.

After completion of this course, you should be able to:
Describe an enterprise.
Identify traffic flows through an enterprise, and describe the importance of an intranet and extranet.
Describe the different types and handling of traffic in the enterprise.
Define the role and importance of a telecommuter.
Describe the function and importance of VPNs.

1.1 Describing the Enterprise Network


1.1.1 Supporting the Business Enterprise Page 1: As businesses grow and evolve, so do their networking requirements. A large business environment with many users and locations, or with many systems, is referred to as an enterprise. Common examples of enterprise environments include:

Manufacturers
Large retail stores
Restaurant and service franchises
Utilities and government agencies
Hospitals
School systems

The network that is used to support the business enterprise is called an enterprise network. Enterprise networks have many common characteristics, some of which are:

Support for critical applications
Support for converged network traffic
Need for centralized control
Support for diverse business requirements

An enterprise network must support the exchange of various types of network traffic, including data files, email, IP telephony, and video applications for multiple business units.

1.1.1 - Supporting the Business Enterprise The animation depicts the growth of a business into an enterprise. The concept being communicated by the animation is that of a small business expanding, first with a connection to the Internet, and then the establishment of a branch network in the same city. Branches that are in two additional cities are connected back to the head office via the Internet. Home users, known as teleworkers, are added. Finally, an international office is connected. The animation begins by showing a small, single-location company. The company then expands by increasing its number of employees and connecting to the Internet. Next, the company grows to multiple locations in the same city. At this point, the animation shows two locations in New York, both interconnected through the Internet. Next, the company, now an enterprise, grows to multiple cities. The two locations in New York are now connected through the Internet to new locations in Orlando and Boston. Next, the enterprise hires teleworkers. The animation shows home users added in various cities. The enterprise expands to other countries, depicted by a connection to Osaka. In the final animation, the enterprise centralizes network management in a network operations center (NOC) located in the home office, New York. Note: Not all enterprise networks are international.

Page 2: Businesses increasingly rely on their network infrastructure to provide mission-critical services. Outages in the enterprise network prevent the business from performing its normal activities, which can cause lost revenue and lost customers. Users expect enterprise networks to be up 99.999% of the time.

To obtain this level of reliability, high-end equipment is commonly installed in the enterprise network. Enterprise-class equipment is designed for reliability, with features such as redundant power supplies and failover capabilities. Designed and manufactured to more stringent standards than lower-end devices, enterprise equipment moves large volumes of network traffic.

Purchasing and installing enterprise class equipment does not eliminate the need for proper network design. One objective of good network design is to prevent any single point of failure. This is accomplished by building redundancy into the network.

Other key factors in network design include optimizing bandwidth utilization and ensuring security and network performance.

1.1.1 - Supporting the Business Enterprise The diagram depicts redundant connections in a network. Multiple hosts are connected to switches. The switches also have connections between them. The same switches are connected to routers that, in turn, connect to the Internet. A redundant link occurs between the two routers. There are speech bubbles in the diagram, as follows: I have redundant routes to the Internet. I have redundant routes to the Server Farm.

1.1.2 Traffic Flow in the Enterprise Network Page 1: To optimize bandwidth on an enterprise network, the network must be organized so that traffic stays localized and is not propagated onto unnecessary portions of the network. Using the three-layer hierarchical design model helps organize the network. This model divides the network functionality into three distinct layers: Access Layer, Distribution Layer, and Core Layer. Each layer is designed to meet specific functions.

The access layer provides connectivity for the users. The distribution layer is used to forward traffic from one local network to another. Finally, the core layer represents a high-speed backbone layer between dispersed end networks. User traffic is initiated at the access layer and passes through the other layers if the functionality of those layers is required.

Even though the hierarchical model has three layers, some enterprise networks use the Core Layer services offered by an ISP to reduce costs.

1.1.2 - Traffic Flow in the Enterprise Network The diagram depicts the three layers of a hierarchical design model. The Access Layer contains three switches. Connected to these switches are eight computers, five IP telephones, one server, and one network printer. The Distribution Layer consists of three routers, one switch, one web server, a DNS server, and an email server. The Core Layer has the high-speed concentrator links to the Internet cloud. Brief descriptions of the hierarchical design model layers are included, as follows:

Access Layer
Provides a connection point for end-user devices to the network
Allows multiple hosts to connect to other hosts through a network device such as a switch
Exists on the same logical network
Forwards traffic to other hosts on the same logical network
Passes traffic to the Distribution Layer for delivery if the message is destined for a host on another network

Distribution Layer
Provides a connection point for separate local networks
Controls the flow of information between local networks
Ensures that traffic between hosts on the same local network stays local
Passes on traffic that is destined for other networks
Filters incoming and outgoing traffic for security and traffic management purposes
Contains more powerful switches and routers than the Access Layer
Passes data to the Core Layer for delivery to a remote network if the local network is not directly connected

Core Layer
Provides a high-speed backbone layer with redundant (backup) connections
Transports large amounts of data between multiple end networks
Includes very powerful high-speed switches and routers

Page 2: The Cisco Enterprise Architectures divides the network into functional components while still maintaining the concept of Core, Distribution, and Access layers. The functional components are:

Enterprise Campus: Consists of the campus infrastructure with server farms and network management
Enterprise Edge: Consists of the Internet, VPN, and WAN modules connecting the enterprise with the service provider's network
Service Provider Edge: Provides Internet, Public Switched Telephone Network (PSTN), and WAN services

All data that enters or exits the Enterprise Composite Network Model (ECNM) passes through an edge device. This is the point at which all packets can be examined and a decision made about whether each packet should be allowed onto the enterprise network. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) can also be configured at the enterprise edge to protect against malicious activity.

1.1.2 - Traffic Flow in the Enterprise Network The diagram depicts the Cisco Enterprise Architectures with three sub-blocks, labeled Enterprise Campus, Enterprise Edge, and Service Provider Edge. There are also two smaller blocks, labeled Enterprise Branch and Enterprise Teleworker. The following information is included for each block:

Cisco Enterprise Architectures

Enterprise Campus
Building Access - Two Layer 3 switches. This Access Layer module contains Layer 2 or Layer 3 switches to provide the required port density. Implementation of VLANs and trunk links to the Building Distribution Layer occurs here. Redundancy to Building Distribution switches is important.
Building Distribution - Two Layer 2/3 distribution switches. This Distribution Layer module aggregates building access using Layer 3 devices. Routing, access control, and QoS are performed at this layer. It is critical to provide redundancy in this area.
Campus Core - Two Layer 2/3 distribution switches, directly connected with multiple links. This Core Layer module provides high-speed interconnectivity between Distribution Layer modules, data center server farms, and the Enterprise Edge. Redundancy, fast convergence, and fault tolerance are the focus of the design in this area.
Server Farm and Data Center - Two servers and a single computer; network management takes place here. This module provides high-speed connectivity and protection for servers. It is critical to provide security, redundancy, and fault tolerance in this area.
Management - This critical area monitors performance by monitoring device and network availability.

Enterprise Edge
E-Commerce - One departmental server and router
Internet Connectivity - One departmental server and router
WAN and Metro Ethernet Site-to-Site VPN - One router
Remote Access and VPN - One bridge and one switch
This module extends the enterprise services to remote sites and enables the enterprise to use Internet and partner resources. It provides QoS, policy enforcement, service levels, and security.

Service Provider Edge
ISP A - Defined as multiple networking devices
ISP B - Defined as multiple networking devices
Frame Relay / ATM / Metro Ethernet - Defined as multiple networking devices
PSTN - Defined as multiple networking devices

Enterprise Connection
Enterprise Branch - One Layer 2/3 distribution switch
Enterprise Teleworker - One desktop computer

Page 3: A well-designed network not only controls traffic but also limits the size of failure domains. A failure domain is the area of a network impacted when a key device or service experiences problems.

The function of the device that initially fails determines the impact of a failure domain. For example, a malfunctioning switch on a network segment normally impacts only hosts on that segment. However, if the router that connects this segment to others fails, the impact is much greater.

The use of redundant links and reliable enterprise-class equipment minimizes the chance of disruption in a network. Smaller failure domains reduce the impact of a failure on company productivity. They also simplify the troubleshooting process, thereby shortening the downtime for all users.

1.1.2 - Traffic Flow in the Enterprise Network The concept being communicated in this diagram is the impact of failure domains. An edge router connects to the Internet and to two switches. Switch 1 has a small network attached. Switch 2 has one hub and one switch attached, with several computers connected to each. If the router fails, the entire network fails. If Switch 1 fails, only its attached network fails. If Switch 2 fails, both of the attached networks fail. If the hub or Switch 3 fails, only their individually attached networks fail.
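The failure-domain reasoning above can be made concrete by walking a topology graph and counting which hosts lose their path to the edge router when one device fails. This is an added example, not part of the course material; the device names, host counts and the extra redundant link are constructed to match the diagram just described.

```python
"""Failure-domain size per device in a small tree topology.

Constructed topology (mirrors the diagram): an edge router feeds Switch1 and
Switch2; Switch2 feeds a Hub and Switch3; hosts hang off each access device.
"""
from collections import deque

# Constructed links, each entered once; the adjacency below is bidirectional.
LINKS = [
    ("Internet", "Router"),
    ("Router", "Switch1"), ("Router", "Switch2"),
    ("Switch1", "PC1"), ("Switch1", "PC2"),
    ("Switch2", "Hub"), ("Switch2", "Switch3"),
    ("Hub", "PC3"), ("Hub", "PC4"),
    ("Switch3", "PC5"), ("Switch3", "PC6"), ("Switch3", "PC7"),
]

# A constructed redundant link giving Switch3 a second path via Switch1.
# (A Layer 2 loop like this needs spanning tree in a real network; the
# model only asks whether an alternate path exists.)
REDUNDANT_LINK = ("Switch1", "Switch3")


def build_adjacency(links):
    """Undirected adjacency map: node -> set of neighbours."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hosts_in(adj):
    """Hosts are the constructed 'PC*' nodes."""
    return {n for n in adj if n.startswith("PC")}


def reachable_hosts(adj, failed, source="Internet"):
    """Hosts that still have a path to `source` with `failed` devices down."""
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in failed or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return {n for n in seen if n in hosts_in(adj)}


def failure_domain(adj, device):
    """Set of hosts cut off from the Internet when `device` alone fails."""
    return hosts_in(adj) - reachable_hosts(adj, {device})


def failure_domain_report(links=LINKS):
    """(device, hosts affected) pairs, widest failure domain first."""
    adj = build_adjacency(links)
    hosts = hosts_in(adj)
    devices = [n for n in adj if n not in hosts and n != "Internet"]
    return sorted(((d, len(failure_domain(adj, d))) for d in devices),
                  key=lambda pair: -pair[1])


if __name__ == "__main__":
    print("Tree topology:", failure_domain_report())
    print("With redundant link:", failure_domain_report(LINKS + [REDUNDANT_LINK]))
```

The router failure takes down all seven hosts while the hub affects only two, and the redundant link shrinks Switch2's failure domain from five hosts to the two behind the hub.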

Page 4: Packet Tracer Activity

Observe the flow of traffic through an enterprise network.

Click the Packet Tracer icon to begin.

1.1.2 - Traffic Flow in the Enterprise Network Link to Packet Tracer Exploration: Observing Traffic Flow in an Enterprise Network Observe the flow of traffic through an enterprise network.

1.1.3 Enterprise LANs and WANs Page 1: Enterprise networks incorporate both traditional LAN and WAN technologies. In a typical enterprise network, multiple local networks at a single campus interconnect at either the Distribution Layer or the Core Layer to form a LAN. These local LANs interconnect with other, more geographically dispersed sites to form a WAN.

LANs are private and under the control of a single person or organization. The organization installs, manages, and maintains the wiring and devices that are the functional building blocks of the LAN.

Some WANs are privately owned; however, because the development and maintenance of a private WAN is expensive, only very large organizations can afford to maintain one. Most companies purchase WAN connections from a service provider or ISP. The ISP is then responsible for maintaining the back-end network connections and network services between the LANs.

When an organization has many global sites, establishing WAN connections and service can be complex. For example, the major ISP for the organization may not offer service in every location or country in which the organization has an office. As a result, the organization must purchase services from multiple ISPs. Using multiple ISPs often leads to differences in the quality of services provided. In many emerging countries, for example, network designers will find differences in equipment availability, WAN services offered, and encryption technology for security. To support an enterprise network, it is important to have uniform standards for equipment, configuration, and services.

1.1.3 - Enterprise LANs and WANs The diagram depicts a cloud labeled Public WAN that has four links extending out of it. The first link has an ISP connected, located in North America. The second link has an ISP connected, located in Europe. The third link is to a private WAN, located in South America. The fourth link is to a private WAN, located in Australia.

Page 2: Features of a LAN:

The organization has the responsibility of installing and managing the infrastructure.
Ethernet is the most common technology used.
The focus of the network is in the Access and Distribution Layers.
The LAN connects users and provides support for localized applications and server farms.
Connected devices are usually in the same local area, such as a building or a campus.

Features of a WAN:

Connected sites are usually geographically dispersed.
Connectivity to the WAN requires a device such as a modem or CSU/DSU to put the data in a form acceptable to the network of the service provider.
Services are provided by an ISP.
WAN services include T1/T3, E1/E3, DSL, Cable, Frame Relay, and ATM.
The ISP has the responsibility of installing and managing the infrastructure.
The edge devices modify the Ethernet encapsulation to a serial WAN encapsulation.

1.1.3 - Enterprise LANs and WANs The diagram depicts two buildings labeled Paris and Hong Kong. Paris has the following network hardware: a router, R1, connected to a CSU/DSU, connecting directly to the CSU/DSU, then connecting to a router, R2, located inside Paris. Directly connected to router R1 is a small switched LAN. The CSU/DSU forms the link to the WAN, which can use a myriad of protocols to connect to the Hong Kong business. The common protocols implemented are HDLC, PPP, Frame Relay, and ATM. The CSU/DSU at the Hong Kong business location receives the transmission from the Paris business and forwards it to the relevant client located within its premises.

Page 3:

1.1.3 - Enterprise LANs and WANs The diagram depicts an activity in which you must classify the terms as either a LAN technology or a WAN technology.
1. Frame Relay
2. 100 Mb UTP
3. T1/E1
4. Services provided by ISP
5. Access Layer
6. POP
7. Services provided by enterprise
8. Ethernet
9. Distribution Layer switches
10. CSU/DSU
11. ATM

1.1.4 Intranets and Extranets Page 1: Enterprise networks contain both WAN and LAN technologies. These networks provide many of the services associated with the Internet, including:

Email
Web
FTP
Telnet/SSH
Discussion forums

Many companies use this private network or intranet to provide access for local and remote employees using LAN and WAN technologies.

Intranets may have links to the Internet. If connected to the Internet, firewalls control the traffic that enters and exits the intranet.

1.1.4 - Intranets and Extranets The diagram depicts a map of the world with people spread out over large distances. People from around the world are connected to each other through the Enterprise Intranet, accessed through the Internet. Depicted here is a large Enterprise Intranet that employees may access from multiple locations around the world.

Page 2: Intranets contain confidential information and are designed for company employees only. The intranet should be protected by a firewall. Remote employees who are not connected to the enterprise LAN must authenticate before gaining access.

In some situations, businesses extend privileged access to their network to key suppliers and customers. Common methods for doing this are:

Direct WAN connectivity
Remote logins to key application systems
VPN access into a protected network

An intranet that allows external connections to suppliers and contractors is an extranet. An extranet is a private network (intranet) that allows controlled access to individuals and companies outside the organization. An extranet is not a public network.

1.1.4 - Intranets and Extranets The diagram depicts preferred external suppliers and customers with approved access to the company intranet. Company ABC is connected to two suppliers that are geographically separated. The two partners and the two customers are also connected to Company ABC, defined as a Large Enterprise Extranet.

1.2 Identifying Enterprise Applications


1.2.1 Traffic Flow Patterns Page 1: A properly designed enterprise network has defined and predictable traffic flow patterns. In some circumstances traffic stays on the LAN portion of the enterprise network and at other times it traverses the WAN links.

When determining how to design the network it is important to consider the amount of traffic destined for a specific location and where that traffic most often originates. For example, traffic that should typically remain local to users on the network includes:

File sharing
Printing
Internal backup and mirroring
Intra-campus voice

Traffic types which are typically seen on the local network but are also commonly sent across the WAN include:

System updates
Company email
Transaction processing

In addition to WAN traffic, external traffic is traffic that originates from or is destined for the Internet. VPN and Internet traffic is considered external traffic flow.

Controlling the flow of traffic on a network optimizes bandwidth and introduces a level of security through monitoring. By understanding traffic patterns and flows, the network administrator can predict the types and amount of traffic to expect. When traffic is detected in an area of the network where it is unexpected, that traffic can be filtered and the source of the traffic investigated.

1.2.1 - Traffic Flow Patterns The animation depicts the different traffic flows within a LAN and a WAN, including external traffic flow. When a packet is sent to the local-area network (LAN), it only travels through the local switches and to the destination. When a packet is sent to a user on another network (WAN), it is routed through the sending and receiving routers. External traffic is sent to the Internet via the edge routers.

Page 2:

1.2.1 - Traffic Flow Patterns The diagram depicts an activity in which you must identify the flow pattern for each type of traffic. If the traffic has more than one flow pattern, select the pattern with the highest coverage. The flow pattern choices are LAN, WAN, or External.

Traffic type
1. Company Email
2. File Sharing
3. Off-site Data Backup and Recovery
4. Internal Backup and Restore Operations
5. System Update
6. Printing
7. On-line Transaction Processing
8. Internet Traffic
9. VPN
10. Intra-campus Voice

1.2.2 Applications and Traffic on an Enterprise Network Page 1: At one time, voice, video, and data each traveled on separate networks. Now technology supports a converged network, where voice, video, and data flow across the same medium.

This convergence presents many design and bandwidth management challenges. Enterprise networks must support the business enterprise by allowing traffic from a variety of applications, including:

Database transaction processing
Mainframe or data center access
File and print sharing
Authentication
Web services
Email and other communications
VPN services
Voice calls and voicemail
Video and video conferencing

Network management and the control processes required for the underlying operation of the network also need support.

1.2.2 - Applications and Traffic on an Enterprise Network The diagram depicts people working in a call center environment. The caption reads, New technologies support voice and data on a converged network.

Page 2: When trying to determine how to manage network traffic, it is important to understand the type of traffic that is crossing the network as well as the current traffic flow. If the types of traffic are unknown, a packet sniffer can be used to capture traffic for analysis.

To determine traffic flow patterns, it is important to:

Capture traffic during peak utilization times to get a good representation of the different traffic types.
Perform the capture on different network segments, because some traffic will be local to a particular segment.

Using the information obtained from the packet sniffer, network technicians can determine traffic flows. Technicians analyze this information based on the source and destination of the traffic as well as the type of traffic being sent. This analysis can be used to make decisions on how to manage the traffic more efficiently. This can be done by reducing unnecessary traffic flows or changing flow patterns altogether by moving a server.

Sometimes, simply relocating a server or service to another network segment improves network performance. At other times, optimizing the network performance requires major redesign and intervention.
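The flow-pattern analysis described in 1.2.1 (expected LAN, WAN and External patterns, and investigating traffic seen where it is not expected) and the capture analysis by source, destination and traffic type above can be automated over flow records. This is an added example, not from the course; the site prefixes, addresses, the port-to-application table and the flow records are all constructed for the illustration and would come from the addressing plan and a packet capture in practice.

```python
"""Classify flow records as LAN, WAN or External and flag unexpected patterns."""
import ipaddress
from collections import Counter

# Constructed addressing plan: one prefix per enterprise site.
SITES = {
    "NewYork": ipaddress.ip_network("10.1.0.0/16"),
    "Boston": ipaddress.ip_network("10.2.0.0/16"),
}

# Constructed mapping of destination port -> (traffic type, widest expected
# flow pattern). LAN types should stay on the local network; WAN types are
# also seen across WAN links; External types may reach the Internet.
APP_BY_PORT = {
    445: ("File sharing", "LAN"),
    9100: ("Printing", "LAN"),
    5060: ("Intra-campus voice", "LAN"),
    25: ("Company email", "WAN"),
    8530: ("System updates", "WAN"),
    443: ("Web", "External"),
    500: ("VPN", "External"),
}
SCOPE_RANK = {"LAN": 0, "WAN": 1, "External": 2}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.1.5.20", "10.1.9.10", 445),      # file sharing inside New York
    ("10.1.5.20", "10.1.9.50", 9100),     # printing inside New York
    ("10.1.5.20", "10.1.2.25", 25),       # email to the local mail server
    ("10.2.3.4", "10.1.2.25", 25),        # email Boston -> New York over WAN
    ("10.1.5.20", "203.0.113.10", 443),   # web to an Internet address
    ("10.1.5.21", "203.0.113.10", 500),   # IKE (VPN) to an Internet address
    ("10.2.3.4", "10.1.9.10", 445),       # file sharing crossing the WAN
    ("10.1.5.20", "198.51.100.7", 9100),  # printing to an Internet address
    ("10.2.3.4", "198.51.100.7", 8081),   # unknown application to the Internet
]


def site_of(addr):
    """Site name for an enterprise address, None for an outside address."""
    ip = ipaddress.ip_address(addr)
    for name, net in SITES.items():
        if ip in net:
            return name
    return None


def flow_scope(src, dst):
    """LAN within one site, WAN between sites, External if either end is outside."""
    s, d = site_of(src), site_of(dst)
    if s is None or d is None:
        return "External"
    return "LAN" if s == d else "WAN"


def classify(flow):
    """Label one flow and decide whether its pattern is wider than expected."""
    src, dst, port = flow
    scope = flow_scope(src, dst)
    app, expected = APP_BY_PORT.get(port, ("Unknown", None))
    # Unknown applications and LAN-only types leaving the LAN are worth a look.
    unexpected = expected is None or SCOPE_RANK[scope] > SCOPE_RANK[expected]
    return {"src": src, "dst": dst, "port": port, "app": app,
            "scope": scope, "unexpected": unexpected}


def analyze(flows):
    """Return (counts per (type, scope), list of flows to investigate)."""
    results = [classify(f) for f in flows]
    summary = Counter((r["app"], r["scope"]) for r in results)
    suspicious = [r for r in results if r["unexpected"]]
    return summary, suspicious


if __name__ == "__main__":
    summary, suspicious = analyze(FLOWS)
    for (app, scope), n in sorted(summary.items()):
        print(f"{app:20s} {scope:9s} {n}")
    for r in suspicious:
        print("investigate:", r["src"], "->", r["dst"], r["app"], r["scope"])
```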

1.2.2 - Applications and Traffic on an Enterprise Network The diagram depicts a screen shot of a Packet Sniffer Application window. The window is showing packet transmission information. The packet contains information relating to the In-and-Out Layers of the OSI Reference Model.

Page 3: Lab Activity

Use a packet capture program to analyze network traffic.

Click the lab icon to begin.

1.2.2 - Applications and Traffic on an Enterprise Network Link to Hands-on Lab: Capturing and Analyzing Network Traffic Use a packet capture program to analyze network traffic.

1.2.3 Network Traffic Prioritization

Page 1: Not all types of network traffic have the same requirements or behave in the same manner.

Data Traffic

Most network applications utilize data traffic. Some types of online applications transmit data that is sporadic. Other types, such as data storage applications, transmit high volumes of traffic for a sustained period of time.

Most data applications are more concerned about reliability than time-sensitivity and can tolerate delays. For this reason, data traffic usually employs Transmission Control Protocol (TCP). TCP uses acknowledgments to determine when lost packets must be retransmitted and therefore guarantees delivery. While the use of acknowledgments makes TCP a more reliable delivery protocol, it also incurs a delay.

Voice and Video Traffic

Voice traffic and video traffic are different from data traffic. Voice and video applications require an uninterrupted stream of data to ensure high quality conversations and images. The acknowledgement process in TCP introduces delays, which break these streams and degrade the quality of the application. Therefore, voice and video applications employ User Datagram Protocol (UDP) instead of TCP. Since UDP does not have mechanisms for retransmitting lost packets, it minimizes delays.

1.2.3 - Network Traffic Prioritization The diagram depicts an airport environment with differing types of traffic being generated, as well as their specific characteristics, as follows.
FTP or Email Traffic - High-volume sustained data traffic; tolerates delays
Online or Transaction Delays - Sporadic and bursty; tolerates delays
Mobile Voice Traffic - Sporadic conversation; delays cause interrupted or dropped conversations
VoIP Traffic - Requires an uninterrupted stream of data; does not tolerate delays
Video Traffic - High-volume uninterrupted video traffic; does not tolerate delays

Page 2: In addition to understanding the delays of TCP versus UDP, it is also necessary to understand the delay, or latency, caused by the networking devices that must process the traffic on its path to the destination. OSI Layer 3 devices create more delay than Layer 2 devices due to the number of headers they have to process. Therefore, routers introduce a longer delay than switches.

Jitter, caused by network congestion, is the variation in the arrival times of packets at their destination.

It is important to reduce the impact of delay, latency, and jitter on time-sensitive traffic.

Quality of Service (QoS) is a process used to guarantee a specified data flow. QoS mechanisms sort traffic into queues, based on priority. For example, voice traffic has priority over ordinary data.

1.2.3 - Network Traffic Prioritization The animation depicts each step in processing traffic using QoS. The queuing process is shown as data from different applications traveling toward an interface.
1. Classification - Data from different applications moving toward the output router interface.
2. Pre-Queuing - Data classified based on application, such as voice traffic, video traffic, FTP traffic, and so on. Red items represent unwanted traffic being filtered from the group.
3. Queuing and Scheduling - Traffic is placed into queues based on pre-configured priority. Traffic in the higher priority queues, such as P1 or P2, is sent before lower priority traffic, such as P5 or P6. Example: Voice traffic does not tolerate delays, so it is placed into the highest priority queue and sent first.
Following the steps in the queuing process, the packets are sent one at a time, in order of priority.
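The three QoS steps just described (classification, pre-queuing filtering, and queuing with strict-priority scheduling) can be modelled in a few lines. This is an added example, not course material; the application names, the P1 to P6 assignments and the filter rule are constructed for the illustration.

```python
"""Model of the QoS pipeline: classify, filter, queue by priority, schedule."""
from collections import deque

# Constructed classification table: application -> priority queue (P1 highest).
PRIORITY = {"voice": 1, "video": 2, "transaction": 3, "email": 4, "ftp": 5}
LOWEST_QUEUE = 6          # unknown applications land in P6
# Constructed filter policy: unwanted traffic dropped before queuing.
BLOCKED = {"p2p"}

# Constructed arrival order at the output interface, one packet each.
ARRIVALS = [
    {"id": 1, "app": "ftp"},
    {"id": 2, "app": "voice"},
    {"id": 3, "app": "email"},
    {"id": 4, "app": "p2p"},
    {"id": 5, "app": "video"},
    {"id": 6, "app": "voice"},
    {"id": 7, "app": "backup"},   # not in the table -> P6
]


def classify(packet):
    """Step 1 and 2: queue number for a packet, or None if it is filtered out."""
    app = packet["app"]
    if app in BLOCKED:
        return None
    return PRIORITY.get(app, LOWEST_QUEUE)


def enqueue(packets):
    """Step 3a: place each packet in its priority queue, collecting drops."""
    queues = {p: deque() for p in range(1, LOWEST_QUEUE + 1)}
    dropped = []
    for pkt in packets:
        q = classify(pkt)
        if q is None:
            dropped.append(pkt)
        else:
            queues[q].append(pkt)
    return queues, dropped


def schedule(queues):
    """Step 3b: strict priority, always serve the lowest-numbered non-empty queue.

    Strict priority can starve low queues when high-priority traffic never
    pauses, which is why production designs cap the priority queue's share.
    """
    order = []
    while any(queues.values()):
        for p in sorted(queues):
            if queues[p]:
                order.append(queues[p].popleft())
                break
    return order


def transmit(packets):
    """Run the whole pipeline: returns (transmission order, dropped packets)."""
    queues, dropped = enqueue(packets)
    return schedule(queues), dropped


if __name__ == "__main__":
    order, dropped = transmit(ARRIVALS)
    print("sent:", [(p["id"], p["app"]) for p in order])
    print("dropped:", [(p["id"], p["app"]) for p in dropped])
```

Both voice packets leave first although the FTP packet arrived before them, and the filtered packet never reaches a queue.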

Page 3:

1.2.3 - Network Traffic Prioritization The diagram depicts an activity in which you must match the term with its corresponding definition.

Terms
A: UDP
B: QoS
C: jitter
D: delay
E: queue
F: TCP
G: voice
H: latency

Definitions
1. Protocol used for time-sensitive traffic.
2. Sorts traffic into queues.
3. Variation in arrival time caused by network congestion.
4. Same meaning as latency.
5. Line of traffic ordered based on priority.
6. Protocol that retransmits packets.
7. Type of traffic that is time-sensitive.
8. Time delay based on packets going through network devices.

1.3 Supporting Remote Workers


1.3.1 Teleworking Page 1: The development of enterprise networks and remote connection technology has changed the way we work.

Teleworking, also referred to as telecommuting and e-commuting, allows employees to use telecommunications technology to work from their homes or other remote locations. The remote worker using the technology is called a teleworker or telecommuter.

An increasing number of companies encourage their employees to consider teleworking. Teleworking provides many advantages and opportunities for both employer and employee. From the employer perspective, when employees work from home, the company does not have to provide them with dedicated physical office space. A single office space can be set up for shared use by employees who need to spend time in the physical office. This arrangement reduces real estate costs and the associated support services.

Some companies have even reduced the expense of air travel and hotel accommodations to bring their employees together by using teleconferencing and collaboration tools. People from all over the world can work together as if they were in the same physical location.

1.3.1 - Teleworking The diagram depicts an office building with a sign in front of it that reads: FOR LEASE RETAIL / OFFICE PREMISES 144.25 sq m (1,553 sq ft)

Page 2: Both the employer and the employee benefit from teleworking.

Employees save time and money, and reduce stress, by eliminating the daily travel to and from the office. Employees can dress casually at home, therefore saving money on business attire. Working from home allows employees to spend more time with their families.

Reduced travel for employees also has a very favorable effect on the environment. Less airplane and automobile traffic means less pollution.

Teleworkers need to be self-directed and disciplined. Some teleworkers miss the social environment of an office setting and find it difficult to work in physical isolation.

Not all jobs can take advantage of teleworking. Some positions require a physical presence in the office during a set period of time. However, more enterprises are taking advantage of technology to increase the frequency of telecommuting.

1.3.1 - Teleworking The diagram depicts a woman wearing a telephone headset. She is working on her laptop from home.

Page 3: Telecommuters need various tools to work efficiently. Some available teleworker tools include:

Email
Chat
Desktop and application sharing
FTP
Telnet
VoIP
Video conferencing

1.3.1 - Teleworking The diagram depicts a teleworker working on a laptop outdoors. Other information in the diagram includes the following:
Email - Delivers a written message to a remote user for reply and response at a later point in time.
Chat - Delivers a written message to a user in real time for reply and response immediately.
FTP - Transfers files between computers.
Telnet - Connects and starts a terminal session on a remote device.
Application Sharing - Allows multiple users to view the same application simultaneously.
VoIP - Allows real-time voice communications between users over the Internet.
Video Conferencing - Allows users to communicate face-to-face over video with participants at multiple locations.

Page 4: Application and screen sharing tools have improved, and it is now possible to integrate both voice and video into these applications.

New technology has enabled more sophisticated levels of online collaboration. Using the enterprise network, this technology creates an environment in which individuals from remote locations meet as though they were in the same room. By combining large video displays and high-quality audio in specially designed rooms, it appears as if all participants, regardless of their physical location, are sitting across the boardroom table from each other.

In the graphic, only the five people in the foreground are physically in the room. The other four people displayed on the screens are located in three other locations.

1.3.1 - Teleworking The diagram depicts a group of employees sitting at a boardroom table.

Page 5:

1.3.1 - Teleworking The diagram depicts an activity in which you must identify scenarios appropriate for telecommuting. Decide, using Yes or No, if the scenario represents a telecommuting opportunity.

Scenarios
1. Paula, Tyler, and Bobby are developing a new e-learning course. They all live in different cities and are very self-directed.
2. Josh manages the IT Help desk at a small company. He is responsible for answering questions over the phone and for providing on-site hardware and software support for all company computers.
3. Carlos is the receptionist at a small publishing company. He is responsible for answering the phones, completing correspondence, and greeting walk-in customers.
4. Tabitha has a company that develops interactive websites for real estate agents. She meets with her clients over the phone and uses collaboration software to show them her work.

1.3.2 Virtual Private Networks Page 1: One obstacle that teleworkers must overcome is the fact that most of the tools available for working remotely are not secure. Using nonsecure tools allows data to be intercepted or altered during transmission.

One solution is to always use the secure forms of applications, if they exist. For example, instead of using Telnet, use SSH. Unfortunately, secure forms of all applications may not be available. A much easier choice is to encrypt all traffic moving between the remote site and the enterprise network using Virtual Private Networks (VPNs).

VPNs are often described as tunnels. Consider the analogy of an underground tunnel versus an open roadway between two points. Anything that uses the underground tunnel to travel between the two points is surrounded and protected from view. The underground tunnel represents the VPN encapsulation and virtual tunnel.

1.3.2 - Virtual Private Networks A diagram depicts two buildings. Between the buildings are a road and a tunnel. The car above ground represents unencrypted traffic. The car in the tunnel represents encrypted traffic.

Page 2: When using a VPN, a virtual tunnel is created by linking the source and destination addresses. All data flow between the source and destination is encrypted and encapsulated using a secure protocol. This secure packet is transmitted across the network. When it arrives at the receiving end, it is de-encapsulated and decrypted.

VPNs are a client/server application; therefore, telecommuters must install the VPN client on their computers in order to form a secure connection with the enterprise network.

When telecommuters are connected to the enterprise network through a VPN, they become part of that network and have access to all services and resources that they would have if they were physically attached to the LAN.

1.3.2 - Virtual Private Networks The animation depicts the VPN encapsulation protocol process.

A simple network with three hosts, H1, H2, and H3, is connected to a router (R1) via a switch (S1). R1 is connected to the router (R2) over the Internet. R2 is connected to H4. H2 sends an unencrypted packet to H4. The packet travels via S1 to R1, where it is encrypted using IPsec and sent over the Internet to R2, where it is decrypted and forwarded to H4.

More Information: One of the most common encapsulation protocols for VPNs is IPsec, which is short for IP Security. IPsec is actually a suite of protocols that provide many services, including the following:
Data encryption
Integrity validation
Peer authentication
Key management
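The following Python model of the animation is an added example, not part of the course material: H2's cleartext packet reaches R1, which encrypts and authenticates it and wraps it in an outer packet addressed R1 to R2, so a device on the Internet path sees only the gateway addresses; R2 checks the integrity tag before decrypting, and an altered packet is dropped. All addresses and keys are constructed, and the cipher is a toy keystream built from HMAC-SHA256 standing in for ESP's real algorithms, so only the encapsulation structure, not the cryptography, should be taken as faithful.

```python
import hashlib
import hmac
import socket
from dataclasses import dataclass

# Constructed addresses matching the animation: H2 behind R1, H4 behind R2.
H2, H4 = "10.1.1.2", "10.2.2.4"
R1, R2 = "203.0.113.1", "198.51.100.2"

# Constructed shared keys; in IPsec these come from key management (IKE).
ENC_KEY = b"constructed-encryption-key-32-by"
AUTH_KEY = b"constructed-authentication-key-32"

TAG_LEN = 32  # HMAC-SHA256 output length


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, seq: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode keyed by the sequence number.
    It stands in for ESP's real cipher (e.g. AES) so the example needs only the
    standard library; the sequence number must never repeat under one key."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, seq + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


class VpnGateway:
    """One end of the tunnel (R1 or R2). Both ends share the same keys."""

    def __init__(self, address: str, peer: str, enc_key: bytes, auth_key: bytes):
        self.address, self.peer = address, peer
        self.enc_key, self.auth_key = enc_key, auth_key
        self.seq = 0  # outbound sequence number, like ESP's

    def encapsulate(self, inner: Packet) -> Packet:
        """Tunnel-mode style: the entire inner packet, addresses included, is
        encrypted and becomes the payload of an outer packet addressed from
        this gateway to its peer."""
        plaintext = socket.inet_aton(inner.src) + socket.inet_aton(inner.dst) + inner.payload
        seq = self.seq.to_bytes(4, "big")
        self.seq += 1
        ciphertext = _xor(plaintext, _keystream(self.enc_key, seq, len(plaintext)))
        # Encrypt-then-MAC: the tag covers seq and ciphertext (integrity validation).
        tag = hmac.new(self.auth_key, seq + ciphertext, hashlib.sha256).digest()
        return Packet(self.address, self.peer, seq + ciphertext + tag)

    def decapsulate(self, outer: Packet) -> Packet:
        """Verify the tag first; a packet altered in transit is dropped before
        any decryption happens."""
        if outer.dst != self.address or outer.src != self.peer:
            raise ValueError("outer packet is not from the expected tunnel peer")
        seq, ciphertext, tag = outer.payload[:4], outer.payload[4:-TAG_LEN], outer.payload[-TAG_LEN:]
        expected = hmac.new(self.auth_key, seq + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: packet altered or forged in transit")
        plaintext = _xor(ciphertext, _keystream(self.enc_key, seq, len(ciphertext)))
        return Packet(socket.inet_ntoa(plaintext[:4]), socket.inet_ntoa(plaintext[4:8]), plaintext[8:])


def visible_to_internet(pkt: Packet, marker: bytes) -> bool:
    """What a device on the path between R1 and R2 can read from a packet:
    True if the given cleartext marker appears in what it sees."""
    return marker in pkt.payload


def tamper(pkt: Packet, offset: int) -> Packet:
    """Flip one bit of the payload, modelling alteration in transit."""
    data = bytearray(pkt.payload)
    data[offset] ^= 0x01
    return Packet(pkt.src, pkt.dst, bytes(data))


if __name__ == "__main__":
    r1 = VpnGateway(R1, R2, ENC_KEY, AUTH_KEY)
    r2 = VpnGateway(R2, R1, ENC_KEY, AUTH_KEY)
    original = Packet(H2, H4, b"payroll report Q3")
    print("open road, marker visible:", visible_to_internet(original, b"payroll"))
    outer = r1.encapsulate(original)
    print("tunnel, outer addresses:", outer.src, "->", outer.dst)
    print("tunnel, marker visible:", visible_to_internet(outer, b"payroll"))
    print("R2 restores:", r2.decapsulate(outer))
    try:
        r2.decapsulate(tamper(outer, 10))
    except ValueError as err:
        print("altered packet rejected:", err)
```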

1.4 Chapter Summary


1.4.1 Summary Page 1:

1.4.1 - Summary

Diagram 1, Image: The diagram depicts an enterprise network.
Diagram 1 text: A large business environment with many users and locations or many systems is referred to as an enterprise. The enterprise network supports mission-critical applications, network traffic, centralized control, and diverse business needs. The enterprise network:
Provides 99.99% uptime.
Uses both LAN and WAN components.
Utilizes many different types of technology.
Makes use of the services of ISPs.
Carries many types of traffic, including voice, video, and data.

Diagram 2, Image: The diagram depicts the Cisco Enterprise Architecture with three sub-blocks labeled Enterprise Campus, Enterprise Edge, and WAN and Internet, as well as two smaller blocks labeled Enterprise Branch and Teleworker.
Diagram 2 text:
Enterprise Campus - Consists of the campus infrastructure with server farms and network management.
Enterprise Edge - Consists of the Internet, VPN, and WAN modules connecting the enterprise with the service provider's network.
Service Provider Edge - Provides Internet, Public Switched Telephone Network (PSTN), and WAN services.

Failure Domain - Describes the devices impacted on a portion of a network when a key device or service experiences problems.

Diagram 3, Image: The diagram depicts intranets and extranets.
Diagram 3 text: An intranet is a private network that utilizes TCP/IP and other services to provide private services for company employees. If vendors, customers, and other outside individuals access the intranet, it is known as an extranet. Confine network traffic only to the segment where it is required. Some traffic moves through the enterprise WAN, and other traffic moves external to the enterprise network. QoS allows some traffic to be given preferential treatment over other traffic, such as voice and video traffic over data traffic.

Diagram 4, Image: The diagram depicts a woman who is teleworking.
Diagram 4 text: Teleworking is the use of technology to replace business travel. Teleworking has many advantages for the employer, the employee, and the environment. As technology advances, the number of jobs suited for telecommuting is increasing. Teleworkers use tools like email, chat, desktop and application sharing, FTP, Telnet, VoIP, and video conferencing to make their jobs easier. VPNs address the security needs of teleworkers by creating an encrypted tunnel between the sites.

1.5 Chapter Quiz


1.5.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

1.5.1 - Quiz Chapter 1 Quiz: Networking in the Enterprise

1. What are two benefits of using VPN? (Choose two.)
A. They allow precise configuration of which ports are forwarded to the internal office servers.
B. They allow a remote worker to have access to network resources as if they were physically located in the office.
C. They provide a faster connection to the office by providing direct access to the internal network.
D. They encrypt all communications between the remote worker and internal network resources.
E. They block unsolicited traffic that does not have the proper tunneling protocol.
F. They reduce malicious attacks by identifying them when they hit the VPN.

2. When planning to identify traffic flows and network applications that run on an enterprise network, why is it best for a network engineer to sample traffic during times of peak utilization?
A. During peak utilization times, most traffic is localized in a single segment and can be more easily analyzed.
B. The network engineer does not want to confuse traffic from network backups done at night with normal business traffic.
C. The network is busiest and the most critical business applications are in use, providing an accurate sampling of network activities.
D. The network is slowest during this time and the sampling will not interfere with the normal business traffic.

3. What are two reasons to analyze multiple network segments when identifying network traffic? (Choose two.)
A. Network segments may have varying traffic patterns exclusive to that segment.
B. Network traffic should always be monitored on a core device because all network traffic needs to pass through it.
C. Network traffic that passes between segments may be reduced if a server accessed primarily by one segment is relocated to that segment.
D. Network traffic on a single segment is not important because traffic on a local segment does not affect the network traffic as a whole.
E. Network traffic on a single segment does not consume much bandwidth within that segment and can be overloaded.

4. Why do VoIP and video network traffic use UDP instead of TCP?
A. Voice and video applications require receipt of all packets regardless of delay.
B. The three-way handshake used in UDP speeds up the voice and video streams.
C. Voice and video applications cannot tolerate the delay caused by retransmissions.
D. UDP allows for segment receipt and acknowledgement, ensuring guaranteed segment delivery.

5. This question depicts a network topology as explained below: One router, RTA, is connected to two switches, SW1 and SW2. RTA connects to SW1 and SW2. SW1 has Hosts A and B connected to it. SW2 has Hosts C, D and a server connected to it. Based on this topology, if SW1 stops working, which statement will be true?
A. Hosts A and B will not be able to reach each other or hosts C, D, and the server.
B. Hosts A and B will be able to reach each other, but not hosts C, D, or the server.
C. Hosts A, B, C, and D will be able to reach each other, but not the server.
D. All hosts will still be able to reach each other.

6. Match each Cisco Enterprise Architecture to its corresponding definition. (Not all definitions will be used.)
Cisco Enterprise Architectures: Enterprise Campus; Enterprise Edge; Service Provider Edge
Definitions: consists of Internet, VPN, and WAN modules; consists of remote users and branch offices; consists of the campus infrastructure with server farms; provides Internet, WAN, and PSTN services

7. Which two technologies enhance the ability of remote workers to connect securely to internal company resources? (Choose two.)
A. Telnet
B. SSH
C. VPN
D. FTP
E. HTTP

8. A company has hired a new employee who will be working remotely. What should the IT administrator do so that the employee can connect to the internal network using the existing VPN infrastructure of the company?
A. Configure the WAN router to allow incoming connections.
B. Allow tunnelling within the Intrusion Prevention System (IPS).
C. Add the credentials of the user to the DMZ.
D. Configure the VPN client application on the laptop of the remote employee.

9. A remote IT engineer needs to simultaneously demonstrate how to operate a software application to multiple people. Which tool can be used to perform the task?
A. FTP
B. e-mail
C. Telnet
D. desktop sharing

10. Match the network types with their corresponding description.
Network Types: LAN; WAN; intranet; extranet; Internet
Descriptions: provides Internet-like services for company employees only; global public network that operates using a common set of communication protocols; private network that allows access by specified external users like contractors and suppliers; private network that connects geographically dispersed sites using public or private services; private network controlled by a single organization, usually limited to a single campus

11. Which statement is true about the three-layer hierarchical design model?
A. Core and access layer functions can be combined.
B. Smaller networks can use the core layer services offered by their ISP.
C. The distribution layer consists of high-end routers that interconnect geographically dispersed locations.
D. The access layer can be spread across multiple geographical locations.

12. When designing a network based on the Cisco Enterprise Architecture, which two items would be included in the enterprise edge functional component? (Choose two.)
A. internal web servers
B. core layer routers
C. VPN servers
D. server farm
E. intrusion detection system


All contents copyright 2007-2008 Cisco Systems, Inc. | Translated by the Cisco Networking Academy.



2 Exploring the Enterprise Network Infrastructure
2.0 Chapter Introduction
2.0.1 Introduction Page 1:

2.0.1 - Introduction Enterprise networks contain hundreds of sites and support thousands of users worldwide. A well-managed network allows users to work reliably. Network documentation is crucial for maintaining the required 99.999% uptime. All Internet traffic flows through the enterprise edge, making security considerations necessary. Routers and switches provide connectivity, security, and redundancy while controlling broadcasts and failure domains. After completion of this chapter, you should be able to: Interpret network documentation. Describe the equipment located in the Network Operations Center. Describe the Point-of-Presence for service delivery. Identify security considerations and equipment at the enterprise edge. Identify router and switch hardware characteristics and use router CLI configuration and verification commands.

2.1 Describing the Current Network


2.1.1 Enterprise Network Documentation Page 1: One of the first tasks for a new network technician is to become familiar with the current network structure. Enterprise networks can have thousands of hosts and hundreds of networking devices, all of which are interconnected by copper, fiber-optic, and wireless technologies. End-user workstations, servers, and networking devices, such as switches and routers, must all be documented. Various types of documentation show different aspects of the network.

Network infrastructure diagrams, or topology diagrams, keep track of the location, function, and status of devices. Topology diagrams represent either the physical or logical network.

A physical topology map uses icons to document the location of hosts, networking devices, and media. It is important to maintain and update physical topology maps to aid future installation and troubleshooting efforts.

A logical topology map groups hosts by network usage, regardless of physical location. Host names, addresses, group information, and applications can be recorded on the logical topology map. Connections between multiple sites may be shown but do not represent actual physical locations.

Enterprise network diagrams may also include control plane information. Control plane information describes failure domains and defines the interfaces where different network technologies intersect.

2.1.1 - Enterprise Network Documentation The diagram depicts the difference between a physical topology and a logical topology. The physical topology is a map of physical network devices, such as PCs, admin hubs, switches, routers, as well as file, web, and mail servers. It shows the way these devices are physically connected to one another. The logical topology is more concerned with the grouping of these devices in regard to their network usage, addressing, and security.

Page 2: It is crucial that network documentation remain current and accurate. Network documentation is usually accurate at the installation of a network. As the network grows or changes, however, the documentation is not always updated.

Network topology maps are frequently based on original floor plans. The current floor plans may have changed since the construction of the building. Blueprints can be marked up, or redlined, to show the changes. The modified diagram is known as an as-built. An as-built diagram documents how a network was actually constructed which may differ from the original plans. Always ensure that the current documentation reflects the as-built floor plan and all network topology changes.

Network diagrams are commonly created using graphical drawing software. In addition to being a drawing tool, many network diagramming tools are linked to a database. This feature allows the network support staff to develop detailed documentation by recording information about hosts and networking devices, including manufacturer, model number, purchase date, warranty period, and more. Clicking a device in the diagram opens an entry form with device data listed.

2.1.1 - Enterprise Network Documentation The diagram depicts a close up of a person designing a network with pencil and paper.

Page 3: In addition to network diagrams, several other important types of documentation are used in the enterprise network.

Business Continuity Plan:

The Business Continuity Plan (BCP) identifies the steps to be taken to continue business operation in the event of a natural or man-made disaster.

Business Security Plan:

The Business Security Plan (BSP) includes physical, system, and organizational control measures. The overall security plan must include an IT portion that describes how an organization protects its network and information assets.

Network Maintenance Plan:

The Network Maintenance Plan (NMP) ensures business continuity by keeping the network up and running efficiently. Network maintenance must be scheduled during specific time periods, usually nights and weekends, to minimize the impact on business operations.

Service Level Agreement:

A Service Level Agreement (SLA) is a contractual agreement between the customer and a service provider or ISP, specifying items such as network availability and service response time.

2.1.1 - Enterprise Network Documentation The diagram depicts a filing cabinet with four drawers, labeled BCP, BSP, NMP, and SLA. The following are brief descriptions of each:

Business Continuity Plan (BCP) - Ensures business operations by defining procedures that must take place in the event of a disaster. IT support may include the following:
Off-site storage of backup data
Alternate IT processing centers
Redundant communication links

Business Security Plan (BSP) - Prevents unauthorized access to organizational resources and assets by defining security policies. The IT security plan can contain policies related to the following:
User authentication
Permissible software
Remote access
Intrusion monitoring
Incident handling

Network Maintenance Plan (NMP) - Minimizes downtime by defining hardware and software maintenance procedures. The maintenance plan can contain the following:
Maintenance windows
Scheduled downtime
Staff on-call responsibility
Equipment and software to be maintained, such as OS, IOS, and services
Network performance monitoring

Service Level Agreement (SLA) - Ensures service parameters by defining the required service provider level of performance. An SLA can include the following:
Connection speeds / bandwidth
Network uptime
Network performance monitoring
Problem resolution response time
On-call responsibilities

Page 4:

2.1.1 - Enterprise Network Documentation The diagram depicts an activity in which you must identify the network documentation where the information would most likely be found for each scenario.

Network Documentation
A: BCP = Business Continuity Plan
B: BSP = Business Security Plan
C: NMP = Network Maintenance Plan
D: SLA = Service Level Agreement

Scenarios
One. Redundant communication links.
Two. OS and IOS upgrade.
Three. ISP connection bandwidth.
Four. Local network scheduled downtime.
Five. Off-site storage of backup data.
Six. User authentication.
Seven. Service provider problem response time.
Eight. Intrusion monitoring.

2.1.2 Network Operations Center (NOC) Page 1: Most enterprise networks have a Network Operations Center (NOC) that allows for central management and monitoring of all network resources. The NOC is sometimes referred to as a Data Center.

Employees in a typical enterprise NOC provide support for both local and remote locations, often managing both local and wide area networking issues. Larger NOCs may be multi-room areas of a building where network equipment and support staff are concentrated.

The NOC usually has:

Raised floors to allow cabling and power to run under the floor to the equipment
High-performance UPS systems and air conditioning equipment to provide a safe operating environment for equipment
Fire suppression systems integrated into the ceiling
Network monitoring stations, servers, backup systems, and data storage
Access layer switches and distribution layer routers, if it serves as a Main Distribution Facility (MDF) for the building or campus where it is located

2.1.2 - Network Operations Center (NOC) Image of a network operations center surrounded by small images with the following labels: Network monitor (technician monitoring network), Backup Systems, Power Conditioning (UPS), Environment Controls, Raised Floors, Fire Suppression, Switches, Router, Data Storage, Server.

Page 2:

In addition to providing network support and management, many NOCs also provide centralized resources such as servers and data storage.

Servers in the NOC are usually clustered together, creating a server farm. The server farm is frequently considered a single resource but, in fact, provides two functions: backup and load balancing. If one server fails or becomes overloaded, another server takes over.

The servers in the farm may be rack-mounted and interconnected by very high-speed switches (Gigabit Ethernet or higher). They may also be blade servers mounted in a chassis and connected by a high-speed backplane within the chassis.

Another important aspect of the enterprise NOC is high-speed, high-capacity data storage. This data storage, or network attached storage (NAS), groups large numbers of disk drives that are directly attached to the network and can be used by any server. A NAS device is typically attached to an Ethernet network and is assigned its own IP address.

A more sophisticated version of NAS is a Storage Area Network (SAN). A SAN is a high-speed network that interconnects different types of data storage devices over a LAN or WAN.

2.1.2 - Network Operations Center (NOC) The diagram depicts two images: a Server Farm with a rack of servers, and a Network Attached Storage (NAS) with a rack of network storage.

Page 3: Equipment in the enterprise NOC is usually mounted in racks. In large NOCs, racks are usually floor-to-ceiling mounted and may be attached to each other. When mounting equipment in a rack, ensure there is adequate ventilation and access from front and back. Equipment must also be attached to a known good ground.

The most common rack width is 19 inches (48.26 cm). Most equipment is designed to fit this width. The vertical space that the equipment occupies is measured in Rack Units (RUs). One unit equals 1.75 inches (4.4 cm). For example, a 2U chassis is 3.5 inches (8.9 cm) high. The lower the RU number, the less space a device needs, so more devices can fit into the rack.

Another consideration is equipment with many connections, like switches. They may need to be positioned near patch panels and close to where the cabling is gathered into cable trays.

2.1.2 - Network Operations Center (NOC) The diagram depicts a rack of equipment, identifying a 1 RU rack-mountable component and a 2 RU rack-mountable component.

Page 4: In an enterprise NOC, thousands of cables may enter and exit the facility. Structured cabling creates an organized cabling system that is easily understood by installers, network administrators, and any other technicians who work with cables.

Cable management serves many purposes. First, it presents a neat and organized system that aids in isolating cabling problems. Second, best cabling practices protect the cables from physical damage and EMI, which greatly reduces the number of problems experienced.

To assist in troubleshooting:

All cables should be labelled at both ends, using a standard convention that indicates source and destination.
All cable runs should be documented on the physical network topology diagram.
All cable runs, both copper and fiber, should be tested end-to-end by sending a signal down the cable and measuring loss.

Cabling standards specify a maximum distance for all cable types and network technologies. For example, the IEEE specifies that, for Fast Ethernet over unshielded twisted pair (UTP), the cable run from switch to host cannot be greater than 100 meters (approximately 328 ft). If the cable run is greater than the recommended length, problems could occur with data communications, especially if the terminations at the ends of the cable are poorly completed.

Documentation of the cable plan and testing are critical to network operations.

2.1.2 - Network Operations Center (NOC) The diagram depicts a bundle of network cabling on a switch or patch panel. The cabling should be neat, untangled, and clearly labeled.

2.1.3 Telecommunication Room Design and Considerations Page 1:

The NOC is the central nervous system of the enterprise. In practice, however, most users connect to a switch in a telecommunications room, which is some distance from the NOC. The telecommunications room is also referred to as a wiring closet or intermediate distribution facility (IDF). It contains the Access Layer networking devices and ideally maintains environmental conditions similar to the NOC, such as air conditioning and UPS.

Users working with wired technology connect to the network through Ethernet switches or hubs. Users working with wireless technology connect through an access point (AP). Access Layer devices such as switches and APs are a potential vulnerability in network security. Physical and remote access to this equipment should be limited to authorized personnel only. Network personnel can also implement port security and other measures on switches, as well as various wireless security measures on APs.

Securing the telecommunications room has become even more important because of the increasing occurrence of identity theft. New privacy legislation results in severe penalties if confidential data from a network falls into the wrong hands. Modern networking devices offer capabilities to help prevent these attacks and protect data and user integrity.

2.1.3 - Telecommunication Room Design and Considerations The diagram depicts a network technician undertaking an audit on a rack of equipment.

Page 2: Many IDFs connect to a Main Distribution Facility (MDF) using an extended star design. The MDF is usually located in the NOC or centrally located within the building.

MDFs are typically larger than IDFs. They house high-speed switches, routers, and server farms. The central MDF switches may have enterprise servers and disk drives connected using gigabit copper links.

IDFs contain lower-speed switches, APs, and hubs. The switches in the IDFs typically have large numbers of Fast Ethernet ports for users to connect at the Access Layer.

The switches in the IDF usually connect to the switches in the MDF with Gigabit interfaces. This arrangement creates backbone connections, or uplinks. These backbone links, also called vertical cabling, may be copper or fiber-optic. Copper Gigabit or Fast Ethernet links are limited to a maximum of 100 meters and should use CAT5e or CAT6 UTP cable. Fiber-optic links can run much greater distances. Fiber-optic links commonly interconnect buildings and, because they do not conduct electricity, are immune to lightning strikes, EMI, RFI, and differential grounds.

2.1.3 - Telecommunication Room Design and Considerations The diagram depicts a main distribution facility (MDF) connected in an extended star topology. Either fiber-optic or UTP cable is used to connect a number of intermediate distribution facility (IDF) units within Building A. Only fiber-optic cable is used to connect two other IDF units, in Building B and Building C.
MDF: POP, Routers, Gigabit switches, Gigabit links to IDFs, Servers, Disk Storage
IDF: Fast Ethernet switches, Gigabit link to MDF, Wireless APs

Page 3: In addition to providing basic network access connectivity, it is becoming more common to provide power to end-user devices directly from the Ethernet switches in the telecommunications room. These devices include IP phones, access points, and surveillance cameras.

These devices are powered using the IEEE 802.3af standard, Power over Ethernet, or PoE. PoE provides power to a device over the same twisted pair cable that carries data. This allows an IP phone, for instance, to be located on a desk without the need for a separate power cord or a power outlet. In order to support PoE devices such as the IP phone, the connecting switch must have PoE capability.

PoE can also be provided by power injectors or PoE patch panels for those switches that do not support PoE. Panduit and other suppliers produce PoE patch panels that allow non-PoE-capable switches to participate in PoE environments. Legacy switches connect into the PoE patch panel, which then connects to the PoE-capable device.

2.1.3 - Telecommunication Room Design and Considerations The diagram depicts a telecommunications room with a Power over Ethernet (PoE) switch distributing PoE to the following devices: Access point, IP-based camera, IP phone.

Page 4:

2.1.3 - Telecommunication Room Design and Considerations The diagram depicts an activity in which you must decide whether the location in each scenario is suitable for an MDF or IDF. Also identify the appropriate cables to connect them, either fiber-optic or UTP.

Scenarios
One. Switch at center of a star topology.
Two. One of the links coming from the center switch of the star topology connecting to another switch in the same building.
Three. Another link coming from the center switch of the star topology connecting to another switch in the same building.
Four. A switch at the end of the star topology in the same building as the center switch.
Five. Another switch at the end of the star topology in the same building as the center switch.
Six. A link connecting the center switch of the star topology to a switch in another building.
Seven. Another link connecting the center switch of the star topology to a switch in another building.
Eight. A switch at the end of a cable in a separate building from the center switch.
Nine. Another switch at the end of a cable in a separate building from the center switch.

2.2 Supporting the Enterprise Edge


2.2.1 Service Delivery at the Point-of-Presence Page 1: At the outer edge of the enterprise network is the Point-of-Presence (POP), which provides an entry point for services to the enterprise network. Externally provided services coming in through the POP include Internet access, wide area connections, and telephone services (PSTN).

The POP contains a point of demarcation, or the demarc. The demarc provides a boundary that designates responsibility for equipment maintenance and troubleshooting between the service provider (SP) and customer. Equipment from the service provider up to the point of demarcation is the responsibility of the provider; anything past the demarc point is the responsibility of the customer.

In an enterprise, the POP provides links to outside services and sites. The POP may provide a direct link to one or more ISPs, which allows internal users the required access to the Internet. The remote sites of an enterprise are also interconnected through the POPs. The service provider establishes the wide area links between these remote sites.

The location of the POP and the point of demarcation vary in different countries. While they are often located within the MDF of the customer, they may also be located at the ISP.

2.2.1 - Service Delivery at the Point-of-Presence The diagram depicts a WAN, consisting of four schools and a School District Main Office. All of the POPs of the schools and the Main Office are connected by a T1 link to the central WAN link. The Main Office is connected to a PSTN and the Internet via T1 link. All of the schools connect to the Internet via the Main Office. Traffic from the Main Office to the Internet travels through a T3 link.

2.2.2 Security Considerations at the Enterprise Edge Page 1: Large enterprises usually consist of multiple sites that interconnect. Multiple locations may have edge connections at each site connecting the enterprise to other individuals and organizations.

The edge is the point of entry for outside attacks and is a point of vulnerability. Attacks at the edge can affect thousands of users. For example, Denial of Service (DoS) attacks prevent access to resources for legitimate users inside or outside the network, affecting productivity for the entire enterprise.

All traffic in or out of the organization goes through the edge. Edge devices must be configured to defend against attacks and provide filtering based on website, IP address, traffic pattern, application, and protocol.

An organization can deploy a firewall and security appliances with an intrusion detection system (IDS) and intrusion prevention system (IPS) at the edge to protect the network.

Administrators working from outside the network require remote access for internal maintenance and software installation. Virtual private networks (VPNs) provide that access, with access control lists (ACLs) restricting where a remote session may go and user IDs and passwords authenticating the administrator. VPNs also give remote workers access to internal resources.

2.2.2 - Security Considerations at the Enterprise Edge The diagram depicts a network of four buildings: HQ, which hosts the edge, and Site A, Site B, and Site C. All buildings in the network are exposed to outside attacks. The edge is labeled with the defensive measures deployed there: FW (firewall), IDS, ACL, DMZ, VPN, and IPS.

2.2.3 Connecting the Enterprise Network to External Services Page 1: The network connection services commonly purchased by an enterprise include leased lines, T1/E1 or business class, Frame Relay, and ATM. Physical cabling brings these services to the enterprise using copper wires, as in the case of T1/E1, or fiber-optic cable for higher-speed services.

The POP must contain certain pieces of equipment to obtain whichever WAN service is required. For example, to obtain T1/E1 service, the customer may require a punchdown block to terminate the T1/E1 circuit, as well as a Channel Service Unit / Data Service Unit (CSU/DSU) to provide the proper electrical interface and signaling for the service provider. This equipment may be owned and maintained by the service provider or may be owned and maintained by the customer. Regardless of ownership, all equipment located within the POP at the customer site is referred to as Customer Premises Equipment (CPE).

2.2.3 - Connecting the Enterprise Network to External Services The diagram depicts the path from an ISP to a host (end user). The host is connected to an internal switch (MDF/IDF). The internal switch is connected to an internal router. The internal router is connected to a DMZ switch, which is connected to a DMZ router/firewall. The DMZ router is connected to a CSU/DSU. The CSU/DSU is connected to a punchdown block, which is the demarc. The punchdown block is connected to the ISP via a T1 circuit. A label at the demarc reads: The point of demarcation can vary depending on the SLA with the service provider.

Page 2:

2.2.3 - Connecting the Enterprise Network to External Services The diagram depicts an activity in which you must place the components, in order, needed to connect a service from the edge to the internal network. Begin with the component needed to connect to the service provider, and end with the end user. Components: DMZ switch, punchdown block, internal switch, DMZ router, T1 circuit, CSU/DSU, internal router.

2.3 Reviewing Routing and Switching


2.3.1 Router Hardware Page 1: One important device in the Distribution Layer of an enterprise network is a router. Without the routing process, packets could not leave the local network.

The router provides access to other private networks as well as to the Internet. All hosts on a local network specify the IP address of the local router interface in their IP configuration. This router interface is the default gateway.

Routers play a critical role in networking by interconnecting multiple sites within an enterprise network, providing redundant paths, and connecting ISPs on the Internet. Routers can also act as a translator between different media types and protocols. For example, a router can re-encapsulate packets from an Ethernet to a Serial encapsulation.

Routers use the network portion of the destination IP address to route packets to the proper destination. They select an alternate path if a link goes down or traffic is congested.

Routers also serve other beneficial functions:

Provide broadcast containment
Connect remote locations
Group users logically by application or department
Provide enhanced security (using NAT and ACLs)

For both the enterprise and the ISP, the ability to route efficiently and to recover from network link failures is critical to delivering packets to their destination.
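The lookup described above, written out as an added example (this is not code from the course): a router compares the destination address against every prefix in its routing table and forwards on the most specific match, falling back to the default route only when nothing longer matches. The table is constructed from this chapter's R1 topology (192.168.1.0/24 on Fa0/0, 192.168.2.0/24 on S0/0/0, default route via 192.168.2.2); the 192.168.3.0/24 static route to R2's LAN is an assumed entry added to show the longest prefix winning over the default.

```python
"""Longest-prefix-match route lookup (added example, not course code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    code: str                       # C connected, S static, S* candidate default
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str] = None  # None for directly connected networks


# Constructed routing table; deliberately unsorted so that the lookup,
# not the listing order, decides which route wins.
ROUTING_TABLE: List[Route] = [
    Route("S*", ipaddress.ip_network("0.0.0.0/0"), "Serial0/0/0", "192.168.2.2"),
    Route("C", ipaddress.ip_network("192.168.1.0/24"), "FastEthernet0/0"),
    Route("C", ipaddress.ip_network("192.168.2.0/24"), "Serial0/0/0"),
    # Assumed static route to R2's LAN, used to show longest-prefix match.
    Route("S", ipaddress.ip_network("192.168.3.0/24"), "Serial0/0/0", "192.168.2.2"),
]


def lookup(dst: str, table: List[Route] = ROUTING_TABLE) -> Optional[Route]:
    """Return the matching route with the longest prefix, or None if no
    route (not even a default) covers the destination. Among routes of
    equal length the first listed wins; a real router would load-share."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def forward(dst: str, table: List[Route] = ROUTING_TABLE) -> Optional[Tuple[str, str]]:
    """Return (outgoing interface, next-hop address). On a connected
    network the next hop is the destination itself (the router ARPs for
    it directly). None means the packet is dropped as unreachable."""
    route = lookup(dst, table)
    if route is None:
        return None
    return route.interface, route.next_hop or dst


if __name__ == "__main__":
    for dst in ("192.168.1.50", "192.168.3.7", "10.1.1.1"):
        print(dst, "->", forward(dst))
```

Removing the S* entry from the table and looking up 10.1.1.1 returns None, which is the case a router reports with an ICMP destination unreachable; the default route is what prevents it.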

2.3.1 - Router Hardware The diagram depicts four boxes, each housing a different network topology. The four boxes are labeled Broadcast Containment, Security, Locations, and Logical Grouping. A brief description of each is given. Broadcast Containment: Routers in the Distribution Layer limit broadcasts to the local network where they need to be heard. Although broadcasts are necessary, too many hosts connected on the same local network generate excessive broadcast traffic and slow down the network. The Broadcast Containment box displays one distribution router connected to two switches, with four computers directly connected to each switch. Security: Routers in the Distribution Layer separate and protect certain groups of computers where confidential information resides. Routers also hide the addresses of internal computers from the outside world to help prevent attacks, and control who gets into or out of the local network. The Security box displays a distribution router and two directly connected switches, with four computers per switch. Locations: Routers in the Distribution Layer can interconnect local networks at various locations of an organization, some of which may be geographically separated. The Locations box displays two sites, labeled A and B, each housing a small corporate network; the routers at the two sites are joined by a virtual link to indicate communication between them. Logical Grouping: Routers in the Distribution Layer logically group users, such as departments within a company, who have common needs or require access to the same resources. The Logical Grouping box displays two logical blocks, each with a dedicated network, labeled Accounting and Engineering. Both are connected to the same distribution router, which is directly connected to the Accounting switch and the Engineering switch. Each switch is directly connected to four computers.

Page 2: Routers come in many shapes and sizes called form factors. Network administrators in an enterprise environment should be able to support a variety of routers and switches, from a small desktop to a rackmounted or blade model.

Routers can also be categorized as fixed configuration or modular. With the fixed configuration, the desired router interfaces are built-in. Modular routers come with multiple slots that allow a network administrator to change the interfaces on the router. As an example, a Cisco 1841 router comes with two Fast Ethernet RJ-45 interfaces built-in, and two slots that can accommodate many different network interface modules.

Routers come with a variety of different interfaces, such as Fast Ethernet, Gigabit Ethernet, Serial, and Fiber-Optic. Router interfaces use the controller/interface or controller/slot/interface naming conventions. For example, using the controller/interface convention, the first Fast Ethernet interface on a router is numbered Fa0/0 (controller 0, interface 0) and the second is Fa0/1. Using the controller/slot/interface convention, the first serial interface on a router is S0/0/0.

2.3.1 - Router Hardware The diagram depicts different types of Cisco networking hardware, as well as three enterprise levels at which the device is aimed. The Cisco networking devices and their market groups are listed below. Small Office, Teleworker - Hardware types: 800 Series, Linksys devices Branch Offices and Small to Medium-size Business - Hardware types: 1800 Series, 2800 Series, 3800 Series Head Office / WAN Aggregation - Hardware types: 7600 Series, Catalyst 6500 Series, 7200 Series

Page 3: Two methods exist for connecting a PC to a network device for configuration and monitoring tasks: out-of-band and in-band management.

Out-of-band management is used for initial configuration or when a network connection is unavailable. Configuration using out-of-band management requires:

Direct connection to the console or AUX port
Terminal emulation client

In-band management is used to monitor and make configuration changes to a network device over a network connection. Configuration using in-band management requires:

At least one network interface on the device connected and operational
Telnet, SSH, or HTTP to access a Cisco device. Telnet and HTTP carry the login credentials and the whole session in cleartext, so anyone able to capture traffic along the path can recover the device passwords; use SSH (and HTTPS for web management) for in-band access and restrict the vty lines to SSH with transport input ssh.

2.3.1 - Router Hardware The diagram depicts the two types of connection used for configuration. Out-of-band router configuration: a PC running a terminal emulator connects directly to the router's console port, or dials in to the router's AUX port through a modem over the PSTN. In-band router configuration: a PC connects to the router's Ethernet interface, either directly or across an IP network, and manages the router over that network connection.

2.3.2 Basic Router CLI Show Commands Page 1: Here are some of the most commonly used IOS commands to display and verify the operational status of the router and related network functionality. These commands are divided into several categories. Note that show cdp neighbors works because CDP advertises each device's host name, platform, IOS version, and IP address to its directly connected neighbors; that information is just as useful to an attacker, so CDP is normally disabled on interfaces facing untrusted networks (no cdp enable) or globally (no cdp run) where it is not needed.

General Use:

show running-config
show startup-config
show version

Routing Related:

show ip protocols
show ip route

Interface Related:

show interfaces
show ip interface brief
show protocols

Connectivity Related:

show cdp neighbors
show sessions
show ssh
ping
traceroute

2.3.2 - Basic Router CLI show Commands The diagram depicts a table of the commonly used show commands, with columns Full Command, Abbreviation, and Purpose / Information Displayed. The commands are grouped as General Use, Routing Related, Interface Related, and Connectivity Related.

General Use
show running-config (sh run): Displays the current configuration running in RAM, including host name, passwords, interface IP addresses, routing protocol activated, and DHCP and NAT configuration. Must be issued in privileged EXEC mode.
show startup-config (sh star): Displays the backup configuration in NVRAM. May differ from the running configuration if the running configuration has not been copied to NVRAM. Must be issued in privileged EXEC mode.
show version (sh ve): Displays the IOS version, ROM version, router uptime, system image file name, boot method, number and type of interfaces installed, amount of RAM, NVRAM and flash, and the configuration register value.

Routing Related
show ip protocols (sh ip pro): Displays information for the routing protocols configured, including timer settings, version numbers, update intervals, active interfaces, and networks advertised.
show ip route (sh ip ro): Displays the routing table: route codes, known networks, administrative distance and metric, how each route was learned, time of last update, next hop, outgoing interface, and any static routes (including a default route) configured.

Interface Related
show interfaces [type number] (sh int f0/0): Displays one or all interfaces with line (protocol) status, bandwidth, delay, reliability, encapsulation, duplex, and I/O statistics.
show ip interface brief (sh ip int br): Displays all interfaces with IP address, interface status (up/down/administratively down), and line protocol status (up/down).
show protocols (sh prot): Displays the global status of the routed protocols (for example, whether IP routing is enabled) and, for each interface, its line and protocol status and configured address.

Connectivity Related
show cdp neighbors [detail] (sh cdp ne): Displays information on directly connected Cisco devices: Device ID (host name), the local interface where the device is connected, capability (R = router, S = switch), platform (e.g. 2620XM), and the port ID on the remote device. The detail option adds the IP address and IOS version of the neighbor.
show sessions (sh ses): Displays Telnet sessions (VTY) with remote hosts: session number, host name, and address.
show ssh (sh ssh): Displays SSH server connections with remote hosts.
ping {ip | hostname} (p): Sends five ICMP echo requests to an IP address or host name (if DNS is available) and displays the minimum, maximum, and average response time.
traceroute {ip | hostname} (tr): Sends probes with increasing TTL values (UDP datagrams by default on IOS) and lists each router (hop) on the path with its response time.

Page 2:

2.3.2 - Basic Router CLI show Commands The diagram depicts the show commands and the output displayed when each command is issued. The physical topology shows client H1 connected to switch S1 on network 192.168.1.0/24. Also directly connected to S1 is router R1, using its Fast Ethernet port Fa0/0. R1's serial port S0/0 is in use and has the DCE clock rate configured. A serial link has been established between R1 and R2. R2's serial port S0/0/0 is in use, and R2's Fast Ethernet port Fa0/0 is directly connected to client H2 on network 192.168.3.0/24. The commands used to show router configuration information are listed below with their associated outputs.

***show running-config***
Building configuration...

Current configuration : 422 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Router
ip subnet-zero
interface FastEthernet0
 no ip address
 shutdown
 speed auto
interface Serial0
 no ip address
 shutdown
 no fair-queue
interface Serial1
 no ip address
 shutdown
ip classless
no ip http server
line con 0
line aux 0
line vty 0 4
no scheduler allocate
end
Router#

***show startup-config***
Using 831 out of 245752 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable secret 5 $1$jX.P$R5n.pyoUSgEgZgJz9otjd1
enable password cisco
no aaa new-model
resource policy
ip subnet-zero
ip cef
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/0/0
 ip address 192.168.15.2 255.255.255.252
 no fair-queue
 clock rate 64000
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 125000
ip classless
ip http server
control-plane
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
scheduler allocate 20000 1000
end

***show version***
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.2(4)YB, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(6.8)T2
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 15-Mar-02 20:32 by ealyon
Image text-base: 0x80008124, data-base: 0x807D8744

ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-Y-M), Version 12.2(4)YB, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 3 minutes
System returned to ROM by power-on
System image file is "flash:C1700-Y-MZ.122-4.YB.bin"

cisco 1721 (MPC860P) processor (revision 0x100) with 29492K/3276K bytes of memory.
Processor board ID FOC070701ZH (2882989793), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Low-speed serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

***show ip protocols***
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.15.2
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.0.0 0.0.0.255 area 0
    192.168.15.0 0.0.0.3 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.15.1         110      00:42:45
  Distance: (default is 110)

***show ip route***
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

***show interfaces***
FastEthernet0 is administratively down, line protocol is down
  Hardware is PQUICC_FEC, address is 000b.be96.3445 (bia 000b.be96.3445)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 252/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:07:54, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     11 packets output, 2334 bytes, 0 underruns
     11 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     11 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Serial0 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:07:57
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=down  RTS=down  CTS=down
Serial1 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/32 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=down  RTS=down  CTS=down
Router#

***show ip interface brief***
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/0  192.168.1.1   YES NVRAM  up                    up
Serial0/0/0      192.168.2.1   YES NVRAM  up                    up
BRI0/0           unassigned    YES NVRAM  administratively down down
BRI0/0:1         unassigned    YES NVRAM  administratively down down
BRI0/0:2         unassigned    YES NVRAM  administratively down down
FastEthernet0/1  unassigned    YES NVRAM  administratively down down
Serial0/0/1      unassigned    YES NVRAM  administratively down down

***show protocols***
Global values:
  Internet Protocol routing is enabled
FastEthernet0 is administratively down, line protocol is down
Serial0 is administratively down, line protocol is down
Serial1 is administratively down, line protocol is down
Router#

***show cdp neighbors***
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router#

Page 3:

2.3.2 - Basic Router CLI show Commands The diagram depicts an activity in which you must match each command with the scenario that best describes it.

Commands
1. show sessions
2. show startup-config
3. show ip interface brief
4. show interfaces s0/0/0
5. show protocols
6. show ip route
7. show ip protocols
8. show running-config
9. show cdp neighbors detail
10. show version

Scenarios
One. You suspect there is a problem with the current router configuration and want to see the backup configuration to compare it.
Two. You are on a call with Cisco tech support and need to tell them the name of the router IOS system image file. You also need to know the amount of RAM, NVRAM, and flash in the router.
Three. You are running the RIP routing protocol and need to know the timer settings, update intervals, and which active interfaces and networks are currently being advertised.
Four. Your users cannot get to a particular network. You need to know whether the router has a route to that network and how it was learned.
Five. You suspect there is a problem with a serial interface on the router. You want to see the bandwidth, encapsulation, and I/O statistics.
Six. You need a quick list of the interfaces on the router with their IP addresses and status. You do not need to see the subnet mask.
Seven. You think the serial interface of the router at a remote site has an incorrectly configured IP address. You want to find out the model number of the router, the IOS version the router is running, and the IP address of the remote interface.
Eight. You have used Telnet to connect to several different routers and wish to see which connections you have open.

2.3.3 Basic Router Configuration Using CLI Page 1: A basic router configuration includes the hostname for identification, passwords for security, and assignment of IP addresses to interfaces for connectivity. Verify configuration changes with show running-config and save them with the copy running-config startup-config command. To clear the router configuration, use the erase startup-config command and then the reload command. Use enable secret rather than enable password: the secret is stored as a hash, whereas enable password is stored in cleartext unless service password-encryption is configured, and even then only with the reversible Type 7 encoding. When both are configured, enable secret takes precedence and the enable password is ignored.

Configuration Management:

enable
configure terminal
copy running-config startup-config
erase startup-config
reload

Global Settings:

hostname
banner motd
enable password
enable secret

Line Settings:

line con
line aux
line vty
login and password

Interface Settings:

interface type/number
description
ip address
no shutdown
clock rate
encapsulation

Routing Settings:

router
network
ip route

2.3.3 - Basic Router Configuration Using CLI The diagram depicts the general commands entered to configure the router, listed below as they would be typed into the CLI.

Configuration Commands
Router> enable
Router# configure terminal
Router(config)# hostname R1
R1(config)# banner motd %Unauthorised access prohibited%
R1(config)# enable password cisco
R1(config)# enable secret class
R1(config)# line con 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# interface fastethernet 0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface serial 0/0/0
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# clock rate 64000
R1(config-if)# no shutdown
R1(config-if)# description WAN link to R2
R1(config-if)# encapsulation ppp
R1(config-if)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.1.0
R1(config-router)# network 192.168.2.0
R1(config-router)# exit
R1(config)# ip route 0.0.0.0 0.0.0.0 192.168.2.2
R1(config)# end
R1#
Aug 9 16:09:25.423: %SYS-5-CONFIG_I: Configured by console from console
R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#

The command show running-config is then entered and the output is as follows (some output is omitted):
R1# show running-config
Building configuration...
Current configuration: 1177 bytes
version 12.4
hostname R1
enable secret 5 $drgadgr$dfjladflkj$dfsdfsdfsdf/vsdfgd
enable password cisco
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
interface Serial0/0/0
 description WAN link to R2
 ip address 192.168.2.1 255.255.255.0
 encapsulation ppp
router rip
 version 2
 network 192.168.1.0
 network 192.168.2.0
ip route 0.0.0.0 0.0.0.0 192.168.2.2
banner motd %Unauthorised access prohibited%
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
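The configuration above, audited the way a reviewer would audit it. This is an added example, not course material: it covers both the in-band access methods of 2.3.1 Page 3 (Telnet, SSH, HTTP) and the 2.3.3 configuration, flagging a cleartext enable password, unencrypted line passwords, HTTP management, vty lines that still accept Telnet, shared line passwords instead of per-user accounts, and missing idle timeouts. Both configurations are constructed from this page's R1 example; the username, domain name, and timeout values in the hardened version are assumed.

```python
"""Audit an IOS config for weak management access (added example, not course code)."""
from typing import Dict, List, Tuple

# Constructed from the R1 configuration on this page.
WEAK_CONFIG = """\
no service password-encryption
hostname R1
enable secret 5 $1$jX.P$R5n.pyoUSgEgZgJz9otjd1
enable password cisco
ip http server
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
end
"""

# Hardened form (assumed names/values): per-user account, SSH only on the
# vty lines, idle timeout, no cleartext enable password, no HTTP server.
# service password-encryption only applies reversible Type 7 encoding,
# which is why the secrets below are hashed rather than relying on it.
HARDENED_CONFIG = """\
service password-encryption
hostname R1
ip domain-name example.net
username admin privilege 15 secret 5 $1$jX.P$R5n.pyoUSgEgZgJz9otjd1
enable secret 5 $1$jX.P$R5n.pyoUSgEgZgJz9otjd1
no ip http server
ip ssh version 2
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
end
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level lines and the indented bodies of its
    interface/line sections. IOS indents a section's lines by one space."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    top, sections = parse_sections(config)
    if "no service password-encryption" in top:
        findings.append("line passwords stored in cleartext (no service password-encryption)")
    if any(l.startswith("enable password ") for l in top):
        findings.append("enable password set: cleartext, and ignored when enable secret exists")
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no enable secret configured")
    if "ip http server" in top:
        findings.append("HTTP management enabled (cleartext); disable it or use ip http secure-server")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        if "transport input ssh" not in body:
            findings.append(f"{header}: Telnet accepted; set 'transport input ssh'")
        if "login" in body:  # bare 'login' means a shared line password
            findings.append(f"{header}: shared line password; use 'login local' with per-user accounts")
        if not any(l.startswith("exec-timeout") for l in body):
            findings.append(f"{header}: no exec-timeout, idle sessions never close")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```

The hardened configuration still needs an RSA key pair generated on the device (crypto key generate rsa, an EXEC command rather than a configuration line) before the SSH server will accept connections; the audit checks the stored configuration only.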

Page 2: Packet Tracer Activity

Practice basic router configuration and verification commands.

Click the Packet Tracer icon to begin.

2.3.3 - Basic Router Configuration Using CLI Link to Packet Tracer Exploration: Basic Router Configuration Using C L I Practice basic router configuration and verification commands.

2.3.4 Switch Hardware Page 1: Although all three layers of the hierarchical design model contain switches and routers, the Access Layer generally has more switches. The main function of switches is to connect hosts such as end user workstations, servers, IP phones, web cameras, access points and routers. This means that there are many more switches in an organization than routers.

Switches come in many form factors:

Small standalone models sit on a desk or mount on a wall.

Integrated routers include a switch built into a rack-mounted chassis.
High-end switches mount into a rack and are often a chassis-and-blade design, allowing more blades to be added as the number of users increases.

2.3.4 - Switch Hardware The diagram depicts a graph plotting the Hierarchical Design Model against organization size and density. The switching devices at each organization size, with the corresponding design-model reference, are listed below.
Wiring Closet: Small Business - Catalyst Express 500, Catalyst 2960; Medium-Sized - Catalyst 3560, Catalyst 3560-E, Catalyst 3750, Catalyst 3750-E; Large-Sized - Catalyst 4500, Catalyst 6500
Data Center Access: Small Business - blade switches; Medium-Sized - Catalyst 4948; Large-Sized - Catalyst 6500
Distribution / Core: Small to Medium-Sized - Catalyst 4500; Large Organization - Catalyst 6500

Page 2: High-end enterprise and service provider switches support ports of varying speeds, from 100 Mb/s to 10 Gb/s.

An enterprise switch in an MDF connects other switches from IDFs using Gigabit fiber or copper cable. An IDF switch typically needs both RJ-45 Fast Ethernet ports for device connectivity and at least one Gigabit Ethernet port (copper or fiber) to uplink to the MDF switch. Some high-end switches have modular ports that can be changed if needed. For example, it might be necessary to switch from multimode fiber to single mode fiber, which would require a different port.

Like routers, switch ports are also designated using the controller/port or controller/slot/port conventions. For example, using the controller/port convention, the first Fast Ethernet port on a switch is numbered as Fa0/1 (controller 0 and port 1). The second is Fa0/2. The first port on a switch that uses controller/slot/port is Fa0/0/1. Gigabit ports are designated as Gi0/1, Gi0/2 etc.

Port density on a switch is an important factor. In an enterprise environment where hundreds or thousands of users need switch connections, a switch with a 1RU height and 48-ports has a higher port density than a 1RU 24-port switch.

2.3.4 - Switch Hardware The diagram depicts a 48-port managed switch with ports capable of operating at 10/100/1000 Mb/s, plus two 10 Gb/s fiber-optic ports used as uplinks to other local network segments.

2.3.5 Basic Switch CLI Commands Page 1: Switches make use of common IOS commands for configuration, to check for connectivity and to display current switch status. These commands can be divided into several categories, as follows:

General Use:

show running-config
show startup-config
show version

Interface / Port Related:

show interfaces
show ip interface brief
show port-security
show mac-address-table

Connectivity Related:

show cdp neighbors
show sessions
show ssh
ping
traceroute

The same in-band and out-of-band management techniques that apply to routers also apply to switch configuration.

2.3.5 - Basic Switch CLI Commands The diagram depicts a table of the basic switch commands, with columns Full Command, Abbreviation, and Purpose / Information Displayed. The commands are grouped as General Use, Interface/Port Related, and Connectivity Related.

General Use
show running-config (sh run): Displays the current configuration running in RAM, including host name, passwords, interface IP addresses, routing protocol activated, and DHCP and NAT configuration. Must be issued in privileged EXEC mode.
show startup-config (sh star): Displays the backup configuration in NVRAM. May differ from the running configuration if the running configuration has not been copied to NVRAM. Must be issued in privileged EXEC mode.
show version (sh ve): Displays the IOS version, ROM version, device uptime, system image file name, boot method, number and type of interfaces installed, amount of RAM, NVRAM and flash, and the configuration register value.

Interface/Port Related
show interfaces [type number] (sh int f0/1): Displays one or all interfaces with line (protocol) status, bandwidth, delay, reliability, encapsulation, duplex, and I/O statistics.
show ip interface brief (sh ip int br): Displays all interfaces with IP address, interface status (up/down/administratively down), and line protocol status (up/down).
show port-security (sh por): Shows every port where port security has been activated, along with the maximum addresses allowed, the current count, the security violation count, and the action to take on violation (usually shutdown).
show mac-address-table (sh mac-a): Displays all MAC addresses the switch has learned, how each was learned (dynamic or static), the port number, and the VLAN the port is in.

Connectivity Related
show cdp neighbors [detail] (sh cdp ne): Displays information on directly connected Cisco devices: Device ID (host name), the local interface where the device is connected, capability (R = router, S = switch), platform (e.g. 2620XM), and the port ID on the remote device. The detail option adds the IP address and IOS version of the neighbor.
show sessions (sh ses): Displays Telnet sessions (VTY) with remote hosts: session number, host name, and address.
show ssh (sh ssh): Displays SSH server connections with remote hosts.
ping {ip | hostname} (p): Sends five ICMP echo requests to an IP address or host name (if DNS is available) and displays the minimum, maximum, and average response time.
traceroute {ip | hostname} (tr): Sends probes with increasing TTL values (UDP datagrams by default on IOS) and lists each router (hop) on the path with its response time.

Note that router interfaces start numbering at 0, while switch ports start at 1. For example, the first Fast Ethernet interface on a router is Fa0/0, whereas the first port on a switch is Fa0/1.
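The two switch-specific commands in the table, show mac-address-table and show port-security, are what you reach for when a port has been flooded with forged source MACs (to overflow the CAM table and make the switch flood frames like a hub) or has an unauthorized hub or switch behind it. The check below is an added example, not course material: it parses the MAC table output format described above, counts dynamically learned addresses per access port, and flags any port above the limit that port security would enforce. The output is constructed to illustrate the format and is not from a real switch; the uplink port name is an assumption.

```python
"""Flag ports with too many learned MACs (added example, not course code)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed 'show mac-address-table' output: Fa0/3 carries a PC and an
# IP phone, Fa0/5 a single PC, and Fa0/7 is learning one new MAC after
# another, which is what a CAM-flooding host or a hidden hub looks like.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0c9f.f001    STATIC      CPU
   1    000b.be96.3445    DYNAMIC     Gi0/1
  10    0019.5b3c.11a2    DYNAMIC     Fa0/3
  10    0019.5b3c.11a3    DYNAMIC     Fa0/3
  10    0021.70ad.44b1    DYNAMIC     Fa0/5
  10    6a1f.02c4.0001    DYNAMIC     Fa0/7
  10    6a1f.02c4.0002    DYNAMIC     Fa0/7
  10    6a1f.02c4.0003    DYNAMIC     Fa0/7
  10    6a1f.02c4.0004    DYNAMIC     Fa0/7
  10    6a1f.02c4.0005    DYNAMIC     Fa0/7
Total Mac Addresses for this criterion: 10
"""

# One table row: VLAN, dotted-hex MAC, learning type, port. Header and
# summary lines do not match because they do not start with a number.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$"
)

# Assumed uplink: many MACs behind it are normal and must not be flagged.
UPLINKS = ("Gi0/1",)


def parse_mac_table(text: str) -> List[Dict[str, object]]:
    """Return one dict per table row with vlan, mac, type and port."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac, "type": kind, "port": port})
    return rows


def macs_per_port(rows: List[Dict[str, object]], uplinks=UPLINKS) -> Dict[str, int]:
    """Count dynamically learned MACs on each access port (static entries
    such as the switch's own CPU address and uplink ports are skipped)."""
    counts: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r["type"] != "DYNAMIC" or r["port"] in uplinks:
            continue
        counts[str(r["port"])] += 1
    return dict(counts)


def flag_ports(rows: List[Dict[str, object]], maximum: int = 2, uplinks=UPLINKS) -> List[str]:
    """Ports whose dynamic MAC count exceeds the port-security maximum."""
    return sorted(p for p, n in macs_per_port(rows, uplinks).items() if n > maximum)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    print(macs_per_port(table))
    print("suspect ports:", flag_ports(table))
```

A maximum of 2 matches the common access-port policy of one PC plus one IP phone. On the switch itself the same limit is enforced with switchport port-security, switchport port-security maximum 2 and switchport port-security violation shutdown on each access port, after which show port-security reports the violation count and the err-disabled port instead of you having to count table rows.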

Page 2:

2.3.5 - Basic Switch CLI Commands The diagram depicts the show commands and the output displayed when each command is issued. In the physical topology, the PC1 client is connected to the switch S1 on the network 192.168.1.0/24. Router R1 is also directly connected to S1; its Fast Ethernet port Fa0/0 serves this network. R1's serial port S0/0 is in use and has the DCE clock rate configured. A serial link has been established between R1 and R2; R2's serial port S0/0/0 is in use. R2's Fast Ethernet port Fa0/0 is directly connected to the PC2 client on the network 192.168.3.0/24. The commands used to show router configuration information are listed below with their associated outputs.

***show running-config***

Router# show running-config
Building configuration...

Current configuration : 422 bytes
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Router
ip subnet-zero
interface FastEthernet0
 no ip address
 shutdown
 speed auto
interface Serial0
 no ip address
 shutdown
 no fair-queue
interface Serial1
 no ip address
 shutdown
ip classless
no ip http server
line con 0
line aux 0
line vty 0 4
no scheduler allocate
end
Router#

***show startup-config***

Router# show startup-config
Using 831 out of 245752 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot-end-marker
enable secret 5 $1$jX.P$R5n.pyoUSgEgZgJz9otjd1
enable password cisco
no aaa new-model
resource policy
ip subnet-zero
ip cef
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/0/0
 ip address 192.168.15.2 255.255.255.252
 no fair-queue
 clock rate 64000
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 125000
ip classless
ip http server
control-plane
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
scheduler allocate 20000 1000
end

***show version***

Router# show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-Y-M), Version 12.2(4)YB, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(6.8)T2
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 15-Mar-02 20:32 by ealyon
Image text-base: 0x80008124, data-base: 0x807D8744

ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-Y-M), Version 12.2(4)YB, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Router uptime is 3 minutes
System returned to ROM by power-on
System image file is "flash:C1700-Y-MZ.122-4.YB.bin"

cisco 1721 (MPC860P) processor (revision 0x100) with 29492K/3276K bytes of memory.
Processor board ID FOC070701ZH (2882989793), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Low-speed serial(sync/async) network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Gateway of last resort is not set

***show interfaces***

Router# show interfaces
FastEthernet0 is administratively down, line protocol is down
  Hardware is PQUICC_FEC, address is 000b.be96.3445 (bia 000b.be96.3445)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 252/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:07:54, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     11 packets output, 2334 bytes, 0 underruns
     11 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     11 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Serial0 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:07:57
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=down  RTS=down  CTS=down
Serial1 is administratively down, line protocol is down
  Hardware is PowerQUICC Serial
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/32 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 96 kilobits/sec
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=down  DTR=down  RTS=down  CTS=down
Router#

***show port-security***

S1# show port-security
Secure Port   Max Secure Address   Current Address   Security Violation   Security Action
Total addresses in system (excluding one mac per port)
Max addresses limit in system (excluding one mac per port)

***show mac-address-table***

S1# show mac-address-table
          MAC Address Table
VLAN    MAC Address       Type      Ports
All     0014.6954.2480    Static    CPU
All     0100.0ccc.cccc    Static    CPU
All     0100.0ccc.cccd    Static    CPU
All     0100.0cdd.dddd    Static    CPU
1       000b.be02.a841    Dynamic   Fa0/1
1       000c.2999.758e    Dynamic   Fa0/2
1       000c.29c4.9e26    Dynamic   Fa0/3
1       000c.29ff.0744    Dynamic   Fa0/1
1       0014.6a46.e1c8    Dynamic   Fa0/2
1       0014.6a46.e1c9    Dynamic   Fa0/3
1       0016.763f.935d    Dynamic   Fa0/3
Total MAC addresses for this criterion: 11

***show ip interface brief***

S1# show ip interface brief
Interface              IP-Address    OK?  Method  Status                 Protocol
FastEthernet0/1        unassigned    YES  manual  up                     up
FastEthernet0/2        unassigned    YES  manual  up                     up
FastEthernet0/3        unassigned    YES  manual  down                   down
FastEthernet0/4        unassigned    YES  manual  down                   down
FastEthernet0/5        unassigned    YES  manual  down                   down
FastEthernet0/6        unassigned    YES  manual  down                   down
FastEthernet0/7        unassigned    YES  manual  down                   down
FastEthernet0/8        unassigned    YES  manual  down                   down
FastEthernet0/9        unassigned    YES  manual  down                   down
FastEthernet0/10       unassigned    YES  manual  down                   down
FastEthernet0/11       unassigned    YES  manual  down                   down
FastEthernet0/12       unassigned    YES  manual  down                   down
FastEthernet0/13       unassigned    YES  manual  down                   down
FastEthernet0/14       unassigned    YES  manual  down                   down
FastEthernet0/15       unassigned    YES  manual  down                   down
FastEthernet0/16       unassigned    YES  manual  down                   down
FastEthernet0/17       unassigned    YES  manual  down                   down
FastEthernet0/18       unassigned    YES  manual  down                   down
FastEthernet0/19       unassigned    YES  manual  down                   down
FastEthernet0/20       unassigned    YES  manual  down                   down
FastEthernet0/21       unassigned    YES  manual  down                   down
FastEthernet0/22       unassigned    YES  manual  down                   down
FastEthernet0/23       unassigned    YES  manual  down                   down
FastEthernet0/24       unassigned    YES  manual  down                   down
GigabitEthernet1/1     unassigned    YES  manual  down                   down
GigabitEthernet1/2     unassigned    YES  manual  down                   down
Vlan1                  unassigned    YES  manual  administratively down  down

***show cdp neighbors***

Router# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Router#

Page 3: A basic switch configuration includes the hostname for identification, passwords for security, and assignment of IP addresses for connectivity. In-band access requires the switch to have an IP address.

Verify and save the switch configuration using the copy running-config startup-config command. To clear the switch configuration, use the erase startup-config command and then the reload command. It may also be necessary to erase any VLAN information using the command delete flash:vlan.dat.

Configuration Management:

enable
configure terminal
copy running-config startup-config
erase startup-config
delete flash:vlan.dat
reload

Global Settings:

hostname
banner motd
enable password
enable secret
ip default-gateway

Line Settings:

line con
line vty
login and password

Interface Settings:

interface type/number (vlan1)
ip address
speed / duplex
switchport port-security

2.3.5 - Basic Switch CLI Commands The diagram depicts the basic commands issued from the CLI to the switch to configure it for network traffic. The configuration command statements and the output from the show running-config command are as follows.

Configuration Commands (some output has been omitted)

Switch> enable
Switch# configure terminal
Enter configuration commands, one per line.
Switch(config)# hostname S1
S1(config)# banner motd %Unauthorised access prohibited%
S1(config)# enable password cisco
S1(config)# enable secret class
S1(config)# line con 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# line vty 0 4
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# interface vlan 1
S1(config-if)# ip address 192.168.1.5 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# ip default-gateway 192.168.1.1
S1(config)# interface f0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# interface f0/3
S1(config-if)# speed 10
S1(config-if)# duplex half
S1(config-if)# end
S1#
Configured from console by console
S1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
S1#

The show running-config command is then issued; its output (some of it omitted) is listed below:

S1# show running-config
Building configuration...
Current configuration : 1374 bytes
!
hostname S1
!
enable secret 5 $1$Yp!J$GKRD7WVFS.ShOSf2I5Pam/
enable password cisco
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
interface FastEthernet0/3
 speed 10
 duplex half
interface FastEthernet0/24
!
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
!
ip default-gateway 192.168.1.1
banner motd ^CUnauthorized access prohibited^C
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login
end

Page 4: Packet Tracer Activity

Configure a switch in a switching environment.

Click the Packet Tracer icon to begin.

2.3.5 - Basic Switch CLI Commands Link to Packet Tracer Exploration: Basic Switch Configuration Using CLI. Configure a switch in a switching environment.

Page 5: Lab Activity

Connect and configure a multi-router network.

2.3.5 - Basic Switch CLI Commands Link to Hands-on Lab: Configuring Basic Routing and Switching. Connect and configure a multi-router network.

2.4 Chapter Summary


2.4.1 Summary Page 1:

2.4.1 - Summary Diagram 1, Image The diagram depicts a network with three buildings, Building A, Building B, and Building C. Building A is connected to Building B via fiber-optic cable. Building A is connected to Building C via fiber-optic cable. Building A has an MDF which is connected to two switches (IDF-A2, IDF-A1) via fiber-optic or UTP cable. IDF-A1 has four hosts connected; IDF-A2 has three hosts connected. Building B has an IDF (IDF-B1) with three hosts connected. Building C has an IDF (IDF-C1) with three hosts connected. Diagram 1 text Network infrastructure diagrams document devices in a network. Network documentation includes the Business Continuity plan, Business Security plan, Network Maintenance plan, and Service Level Agreements. The enterprise NOC manages and monitors all network resources. End users connect to the network via Access Layer switches and wireless APs in the IDF. PoE provides power to devices over the same UTP cable that carries data.

Diagram 2, Image The diagram depicts a network of four buildings, HQ, Site A, Site B, and Site C. The network is exposed to outside attacks; the enterprise edge is labeled with the protections against them: FW, IDS, ACL, DMZ, VPN, and IPS. Diagram 2 text The enterprise edge provides Internet access and service for users inside the organization. The POP provides a direct link to an ISP and connects remote sites. The POP contains the demarc, the line of responsibility between the service provider and the customer. Edge devices provide security against attacks. Services are brought to the enterprise by copper wires or fiber-optic cable.

Diagram 3, Image The diagram depicts a 48-port 10/100/1000 Cisco Gigabit Ethernet switch, which has had the two 10 Gigabit fiber-optic uplink ports removed. Diagram 3 text Access Layer switches provide connectivity to end users. Distribution Layer routers move packets between locations and the Internet. Routers and switches use in-band and out-of-band management. Routers can control broadcasts.

2.5 Chapter Quiz


2.5.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

2.5.1 - Quiz Chapter 2 Quiz: Exploring the Enterprise Network Infrastructure

1. Match each term to its correct description. (Not all options are used.)
Terms: POP, VPN, DoS, CPE, DMZ, demarc
Descriptions:
maliciously prevents access to network resources by legitimate users
boundary that designates responsibility for equipment maintenance and troubleshooting
physical link to outside networks at the enterprise edge
equipment located at the customer facility
allows remote workers to access the internal network securely

2. What information can be found by using the command show mac-address-table on a Cisco Catalyst switch?
A. The MAC addresses of the ports on the Catalyst switch
B. The port the switch will use to forward frames to a host
C. The IP addresses of directly connected network devices
D. The mapping between MAC address and IP address for network hosts

3. While troubleshooting a network problem, the network administrator issues the show version command on a router. What information can be found using this command?
A. the amount of NVRAM, DRAM, and flash memory installed on the router
B. bandwidth, encapsulation, and I/O statistics on the interfaces
C. differences between the backup configuration and the current running configuration
D. the version of the routing protocols running on the router

4. After gathering a thorough list of network applications, the traffic generated by these applications, and the priority of this traffic, a network engineer wishes to integrate this information into a single document for analysis. How can this be accomplished?
A. Create a physical topology map of the network and annotate it with the network application data.
B. Create a logical topology map of the network and annotate it with the network application data.
C. Create a blueprint of the facility, including network cabling and telecommunication rooms, and annotate it with the network application data.
D. Take a photograph of the facility and annotate it with the network application data.

5. One evening a network administrator attempted to access a recently deployed website and received a "page not found" error. The next day the administrator checked the web server logs and noticed that during the same hour that the site failed to load, there were hundreds of requests for the website home page. All of the requests originated from the same IP address. Given this information, what might the network administrator conclude?
A. It is normal web surfing activity.
B. It is likely that someone attempted a DoS attack.
C. The link to the website does not have enough capacity and needs to be increased.
D. The web server was turned off and not able to service requests.

6. What type of media typically connects an MDF switch to an IDF switch in another building?
A. fiber-optic
B. coaxial cable
C. unshielded twisted pair
D. shielded twisted pair

7. Which three devices can receive power over the same twisted-pair Ethernet cable that carries data? (Choose three.)
A. wireless access point
B. monitors
C. web camera
D. IP phone
E. network switches
F. laptops

8. Match the hardware characteristics to the hardware type. Identify whether each characteristic relates to a router or a switch. (Three characteristics relate to a router and three characteristics relate to a switch.)
Hardware characteristics:
define broadcast domains
connect IP phones and access points to the network
enhance security with ACLs
interconnect networks
appear more commonly at the access layer
connect hosts to the network
Hardware type: router, switch

9. Which two protocols can be used to access a Cisco router for in-band management? (Choose two.)
A. ARP
B. SSH
C. FTP
D. SMTP
E. Telnet

10. A network analyst is documenting the existing network at ABC Corporation. The analyst decides to start at the core router to identify and document the Cisco network devices attached to the core. Which command executed on the core router provides the required information?
A. show version
B. show ip route
C. show tech-support
D. show running-config
E. show cdp neighbors detail


All contents copyright 2007-2008 Cisco Systems, Inc. All | Translated by the Cisco Networking Academy. About


3 Switching in an Enterprise Network
3.0 Chapter Introduction
3.0.1 Introduction Page 1:

3.0.1 - Introduction Enterprise networks rely on switches in the Access, Distribution, and Core Layers to provide network segmentation and high-speed connectivity. Spanning Tree Protocol is used in a hierarchical network to prevent switching loops. Virtual LANs (VLANs) logically segment networks and contain broadcasts to improve network security and performance. Switches configured with trunking enable VLANs to span multiple geographic locations. Virtual Trunking Protocol is used to simplify the configuration and management of VLANs in a complex enterprise-level switched network. After completion of this chapter, you should be able to: Compare the types of switches used in an enterprise network. Explain how Spanning Tree Protocol prevents switching loops. Describe and configure VLANs on a Cisco switch. Describe and configure trunking and inter-VLAN routing. Maintain VLANs in an enterprise network.

3.1 Describing Enterprise Level Switching


3.1.1 Switching and Network Segmentation Page 1:

Although both routers and switches are used to create an enterprise network, the network design of most enterprises relies heavily on switches. Switches are cheaper per port than routers and provide fast forwarding of frames at wire speed.

A switch is a very adaptable Layer 2 device. In its simplest role, it replaces a hub as the central point of connection for multiple hosts. In a more complex role, a switch connects to one or more other switches to create, manage, and maintain redundant links and VLAN connectivity. A switch processes all types of traffic in the same way, regardless of how it is used.

A switch moves traffic based on MAC addresses. Each switch maintains a MAC address table in high-speed memory, called content addressable memory (CAM). The switch rebuilds this table every time it is activated, using both the source MAC addresses of incoming frames and the port number through which each frame entered the switch.

3.1.1 - Switching and Network Segmentation The diagram depicts a switch that is connected to four PCs, labeled H1 to H4, and builds a MAC address table from information gathered from them.
MAC Address Table
H1: Port Number Fa0/1, MAC Address 260d.8c01.0000
H2: Port Number Fa0/2, MAC Address 260d.8c01.1111
H3: Port Number Fa0/3, MAC Address 260d.8c01.2222
H4: Port Number Fa0/4, MAC Address 260d.8c01.3333

Page 2: The switch deletes entries from the MAC address table if they are not used within a certain period of time. The name given to this period of time is the aging timer; removal of an entry is called aging out.

As a unicast frame enters a port, the switch finds the source MAC address in the frame. It then searches the MAC table, looking for an entry that matches the address.

If the source MAC address is not in the table, the switch adds a MAC address and port number entry and sets the aging timer. If the source MAC address already exists, the switch resets the aging timer.

Next, the switch checks the table for the destination MAC address. If an entry exists, the switch forwards the frame out the appropriate port number. If the entry does not exist, the switch floods the frame out every active port except the port upon which it was received.

3.1.1 - Switching and Network Segmentation This animation depicts a MAC address table and the aging process on one port. The switch, S1, is connected to H1 on Fa0/1, H2 on Fa0/2, and H3 on Fa0/3. H1 sends a packet to H2. As it passes through the switch, the aging timer resets and the switch says, "I already have this MAC entry for port Fa0/1. I will reset the aging timer on the port." The Fa0/1 port aging timer expires and the switch says, "I have not heard from the host on Fa0/1 and the aging timer has expired. I will remove the MAC address from my table." H1 sends another packet. As it passes through the switch, the switch says, "I do not have a MAC address in the table for this port. I will add the MAC address and start the aging timer."

Page 3: In an enterprise, high availability, speed, and throughput of the network are critical. The size of broadcast and collision domains affects the flow of traffic. In general, larger broadcast and collision domains negatively impact these mission-critical variables.

If a switch receives a broadcast frame, the switch floods it out every active interface, just as it does for an unknown destination MAC address. All devices that receive this broadcast make up the broadcast domain. As more switches are connected together, the size of the broadcast domain increases.

Collision domains create a similar problem. The more devices participating in a collision domain, the more collisions occur.

Hubs create large collision domains. Switches, however, use a feature called microsegmentation to reduce the size of collision domains to a single switch port.

3.1.1 - Switching and Network Segmentation The switch, S1, is connected to four hosts labeled H1 to H4. The switch, S2, is connected to four hosts labeled H5 to H8. S1 is connected to S2.

H1 sends a packet to destination MAC address FFFF.FFFF.FFFF. When S1 receives the packet, it looks at the destination MAC address. It is a broadcast, so the packet is forwarded to all ports except the port on which it arrived. When S2 receives the packet that S1 has forwarded, it sees that it is a broadcast, so the packet is again forwarded to all ports except the port on which it arrived.

Page 4: When a host connects to a switch port, the switch creates a dedicated connection. When two connected hosts communicate with each other, the switch consults the switching table and establishes a virtual connection, or microsegment, between the ports.

The switch maintains the virtual circuit (VC) until the session terminates. Multiple virtual circuits are active at the same time. Microsegmentation improves bandwidth utilization by reducing collisions and by allowing multiple simultaneous connections.

Switches can support either symmetric or asymmetric switching. Switches that have ports of all the same speed are termed symmetric. Many switches, however, have two or more high-speed ports. These high-speed, or uplink, ports connect to areas that have a higher demand for bandwidth. Typically, these areas include:

Connections to other switches
Links to servers or server farms
Connections to other networks

Connections between ports of different speeds use asymmetric switching. If necessary, a switch stores frames in memory to provide a buffer between ports of different speeds. Asymmetric switches are common in the enterprise environment.

3.1.1 - Switching and Network Segmentation The diagram depicts the difference between a shared segment that has hosts connected to a hub, and microsegmentation with hosts connected to a switch. In the shared segment scenario, the traffic on a shared segment is shown as a hub with eight hosts all sharing the same network media. All traffic is visible on the network segment. In the microsegmentation scenario, the traffic on multiple paths is shown as a switch with eight hosts connected, utilizing four different network segments of two hosts each. The network segment has been divided, or segmented, creating four traffic paths within the switch.

Page 5:

3.1.1 - Switching and Network Segmentation The diagram depicts an activity in which you must determine how the switch forwards a frame based on the source MAC and destination MAC addresses and the information in the switch MAC table.

Help Popup: This activity quizzes you on your knowledge of how a frame is forwarded on a switch. You are given the physical topology and the MAC address table of the switch. You are also given a frame that consists of a source and destination MAC address. The computer-generated activities will have a source and destination pair using one of the addresses shown on the topology.
1. Your goal is to determine how the switch will handle this frame given the MAC address table shown.
2. You will select the port numbers to indicate where, if anywhere, the switch will forward the frame.
3. Then you will indicate how the switch will handle the frame, for example, flooded to all ports or dropped.

Additional Help: FF is a broadcast MAC address and is forwarded to all ports, with the exception of the origin port. A frame is flooded to all ports, except the origin, only if the switch does not have the destination MAC within the MAC table. The switch will only add a new MAC address to the MAC table based on the source MAC address. If the source MAC address is already in the table, nothing is added or learned. If the source MAC address is not in the table, the address will be added. A switch will drop a frame if the destination and source devices are both connected to the same port and the switch has the destination MAC address in the MAC table. In this activity, this occurs on the single port connected to the hub with two host devices. The activity is dynamic and it is possible to create new practice problems. An example is presented below.

Determine how the switch forwards a frame based on the source MAC and destination MAC addresses and the information in the switch MAC table. Answer the questions using the information provided below.

The switch is connected to four hosts. Host 0A is connected to port FA1. Host 0B is connected to port FA3. Host 0C is connected to port FA5, and host 0D is connected to port FA7. Port FA9 is connected to a hub. The hub is connected to host 0E and host 0F.

Information about the frame: Preamble: blank. Destination MAC: 0D. Source MAC: 0A. Length: blank. Encapsulate: blank. End of frame: blank.

The MAC table for the switch is as follows: FA3 is connected to 0B. FA7 is connected to 0D. FA9 is connected to 0E. All the other ports have blank entries.

1. Where will the switch forward the frame? (Choices: FA1 to FA12)
2. When the switch forwards the frame, which of the following statements are true?
A. Switch adds the source MAC address to the MAC table.
B. Frame is a broadcast frame and will be forwarded to all ports.
C. Frame is a unicast frame and will be sent to specific ports only.
D. Frame is a unicast frame and will be flooded to all ports.
E. Frame is a unicast frame but it will be dropped at the switch.
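As an added example, not part of the curriculum, the following Python simulation implements the learning, aging, forwarding, flooding and dropping rules described above and replays them on the activity's topology. Port and MAC names follow the activity; the 300-second aging time, the frame sequence and the timestamps are assumptions. Because the table is built solely from unverified source addresses, the number of addresses a port may learn is what the switchport port-security command shown earlier in the chapter limits.

```python
"""Added example (not from the Cisco curriculum): a simulation of the
MAC address table logic described above. Names and timings are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BROADCAST = "FF"        # the activity's shorthand for ffff.ffff.ffff
DEFAULT_AGING = 300.0   # IOS default MAC aging time, in seconds (assumed here)


@dataclass
class Entry:
    port: str
    last_seen: float    # when the aging timer was (re)started


@dataclass
class Switch:
    ports: Set[str]
    aging_time: float = DEFAULT_AGING
    table: Dict[str, Entry] = field(default_factory=dict)

    def age_out(self, now: float) -> List[str]:
        """Remove entries whose aging timer expired; return the aged-out MACs."""
        expired = sorted(mac for mac, e in self.table.items()
                         if now - e.last_seen >= self.aging_time)
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, in_port: str, src: str, dst: str,
                now: float) -> Tuple[str, List[str]]:
        """Handle one frame; return (action, egress ports)."""
        self.age_out(now)
        # Learning uses only the (unauthenticated) source address: a new MAC
        # is added with a fresh timer, a known one just has its timer reset.
        self.table[src] = Entry(in_port, now)
        others = sorted(self.ports - {in_port})
        if dst == BROADCAST:
            return "broadcast", others
        if dst not in self.table:
            return "flood", others
        out = self.table[dst].port
        if out == in_port:
            # Destination sits on the ingress port (the hub segment): the
            # hosts already heard each other, so the switch drops the frame.
            return "drop", []
        return "forward", [out]


def activity_switch() -> Switch:
    """The activity's topology: 12 ports, three pre-learned entries."""
    sw = Switch(ports={f"FA{n}" for n in range(1, 13)})
    for mac, port in (("0B", "FA3"), ("0D", "FA7"), ("0E", "FA9")):
        sw.table[mac] = Entry(port, 0.0)
    return sw


def run_activity() -> dict:
    """Replay the activity's frame plus the cases the Additional Help lists."""
    sw = activity_switch()
    r = {}
    r["0A->0D"] = sw.receive("FA1", "0A", "0D", now=1.0)   # known unicast
    r["0A learned on"] = sw.table["0A"].port                 # learned from src
    r["0E->0F"] = sw.receive("FA9", "0E", "0F", now=2.0)   # unknown: flood
    r["0F->0E"] = sw.receive("FA9", "0F", "0E", now=3.0)   # same port: drop
    r["0C->FF"] = sw.receive("FA5", "0C", BROADCAST, now=4.0)
    r["aged out"] = sw.age_out(now=301.5)   # 0A, 0B, 0D silent for >= 300 s
    r["0A->0B later"] = sw.receive("FA1", "0A", "0B", now=302.0)  # 0B aged out
    return r


if __name__ == "__main__":
    for name, result in run_activity().items():
        print(f"{name:15} {result}")
```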

3.1.2 Multilayer Switching Page 1: Traditionally, networks have been composed of separate Layer 2 and Layer 3 devices. Each device uses a different technique for processing and forwarding traffic.

Layer 2

Layer 2 switches are hardware-based. They forward traffic at wire speed, using the internal circuits that physically connect each incoming port to every other port. The forwarding process uses the MAC address and the presence of the destination MAC address in the MAC table. A Layer 2 switch limits the forwarding of traffic to within a single network segment or subnet.

Layer 3

Routers are software-based and use microprocessors to execute routing based on IP addresses. Layer 3 routing allows traffic to be forwarded between different networks and subnets. As a packet enters a router interface, the router uses software to find the destination IP address and select the best path toward the destination network. The router then switches the packet to the correct output interface.

3.1.2 - Multilayer Switching The diagram depicts the OSI stack with the router attached to Layer 3, the Network Layer, and the switch attached to Layer 2, the Data Link Layer.

Layer 2 Switching
Hardware-based switching
Wire-speed performance
High-speed scalability
Low latency
Uses MAC address
Low cost

Layer 3 Routing
Software-based packet forwarding
Higher latency
Higher per-interface cost
Uses IP address
Security
QoS

Page 2: Layer 3 switching, or multilayer switching, combines hardware-based switching and hardware-based routing in the same device.

A multilayer switch combines the features of a Layer 2 switch and a Layer 3 router. Layer 3 switching occurs in special application-specific integrated circuit (ASIC) hardware. The frame and packet forwarding functions use the same ASIC circuitry.

Multilayer switches often save, or cache, source and destination routing information from the first packet of a conversation. Subsequent packets do not have to execute a routing lookup, because they find the routing information in memory. This caching feature adds to the high performance of these devices.

3.1.2 - Multilayer Switching The diagram depicts a stack of Cisco 2960 switches, which are Layer 2 switches, and a stack of Cisco 3560 switches, which are Layer 3 switches.

3.1.3 Types of Switching Page 1: When switching was first introduced, a switch could support one of two major methods to forward a frame from one port to another. The two methods are store-and-forward and cut-through switching. Each of these methods has distinct advantages as well as some disadvantages.

Store and Forward

In this type of switching, the entire frame is read and stored in memory before being sent to the destination device. The switch checks the integrity of the bits in the frame by recalculating the cyclic redundancy check (CRC) value. If the calculated CRC value is the same as the CRC field value in the frame, the switch forwards the frame out the destination port. The switch does not forward frames if the CRC values do not match. The CRC value is located within the frame check sequence (FCS) field of an Ethernet frame.

Although this method keeps damaged frames from being switched to other network segments, it introduces the highest amount of latency. Due to the latency incurred by the store and forward method, it is typically only used in environments where errors are likely to occur, such as environments that have a high probability of EMI.

3.1.3 - Types of Switching This diagram depicts the store-and-forward switching process and the validation of the CRC. The diagram depicts a switch connected to three hosts and a server. Two of the hosts are labeled Source and Destination. The Source host sends a frame to the Destination host. The switch thinks, "I am recalculating the CRC value. Incoming frame CRC value: 435869123. Recalculated CRC value: 435869123. These values are identical." The switch says, "The CRC value is correct. I will forward the frame." The frame is forwarded to the Destination host.

Page 2: Cut-through Switching

The other major method of switching is cut-through switching. Cut-through switching subdivides into two other methods: fast-forward and fragment-free. In both of these methods the switch forwards the frame before all of it is received. Because the switch does not calculate or check the CRC value, damaged frames can be switched.

Fast-forward is the fastest method of switching. The switch forwards the frames out the destination port as soon as it reads the destination MAC address. This method has the lowest latency but also forwards collision fragments and damaged frames. This method of switching works best in a stable network with few errors.

In fragment-free switching, the switch reads the first 64 bytes of the frame before it begins to forward it out the destination port. The shortest valid Ethernet frame is 64 bytes. Smaller frames are usually the result of a collision and are called runts. Checking the first 64 bytes ensures that the switch does not forward collision fragments.

Store and forward has the highest latency and fast-forward has the lowest. Fragment-free latency is in the middle of these other methods. The fragment-free switching method works best in an environment where many collisions occur. In a properly constructed switched network, collisions are not a problem; therefore, fast-forward switching would be the preferred method.

3.1.3 - Types of Switching This animation depicts the two cut-through methods of forwarding a frame, fast-forward and fragment-free. Fast-forward The switch is connected to three hosts and a server. One host sends a frame to another host via the switch. When the switch receives the frame, it thinks, I am receiving a frame. I will forward it immediately based on the destination MAC address. Fragment-free The switch is connected to three hosts and a server. One host sends a frame to another host via the switch. When the switch receives the frame, it thinks, I am receiving a frame. I will check the first 64 bytes of the frame to ensure this is a valid Ethernet frame. Once the switch completes the check, it thinks, This is a valid frame. I will forward it based on the destination MAC address.

Page 3: Today, most Cisco LAN switches rely on the store-and-forward method for switching. This is because with newer technology and faster processing times, switches are able to store and process the frames almost as quickly as cut-through switching, without the issue of errors. Additionally, many of the higher end features, such as multilayer switching, require the use of the store-and-forward method.

There are also some newer Layer 2 and Layer 3 switches that can adapt their switching method to changing network conditions.

These switches begin by forwarding traffic using the fast-forward method to achieve the lowest latency possible. Even though the switch does not check for errors before forwarding a frame, it still recognizes the errors afterwards and keeps an error counter in memory. It compares the number of errors found to a predefined threshold value.

If the number of errors exceeds the threshold, the switch has forwarded an unacceptable number of damaged frames, so it changes to store-and-forward switching. If the number of errors drops back below the threshold, the switch reverts to fast-forward mode. This is known as adaptive cut-through switching. Note that the damaged frames counted before the threshold is reached have already been forwarded; the adaptive mode limits the damage, it does not prevent it.

3.1.3 - Types of Switching The diagram depicts store-and-forward and cut-through switching. The switch is performing store-and-forward switching when the number of errors is increasing. This method checks for errors. The switch is performing cut-through switching when the errors are decreasing. This method does not check for errors.
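The following Python simulation is an added example for 3.1.3 and is not part of the course material. It builds a constructed Ethernet frame with a real CRC-32 frame check sequence, flips one bit of a copy, truncates another copy into a runt, and runs all three through the store-and-forward, fast-forward and fragment-free decisions, then through a simplified adaptive cut-through switch that counts CRC errors over a sliding window of recent frames. The window size and error threshold are assumptions of the example, not values from any Cisco product.

```python
import zlib
from collections import deque

MIN_FRAME = 64  # shortest valid Ethernet frame, FCS included


def build_frame(dst, src, payload, ethertype=0x0800):
    """Build a minimal Ethernet frame: 14-byte header, payload padded to 60 bytes,
    then the 4-byte FCS (CRC-32, appended least-significant byte first)."""
    header = (bytes.fromhex(dst.replace(":", ""))
              + bytes.fromhex(src.replace(":", ""))
              + ethertype.to_bytes(2, "big"))
    body = (header + payload).ljust(MIN_FRAME - 4, b"\x00")
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + fcs.to_bytes(4, "little")


def crc_ok(frame):
    """Recalculate the CRC over everything but the FCS and compare, as a
    store-and-forward switch does once the whole frame is in memory."""
    if len(frame) < MIN_FRAME:
        return False          # a runt never carries a valid FCS
    body, fcs = frame[:-4], frame[-4:]
    return (zlib.crc32(body) & 0xFFFFFFFF) == int.from_bytes(fcs, "little")


class Switch:
    """Forwarding decision for one switch port under each switching method.

    mode is "store-and-forward", "fast-forward", "fragment-free" or "adaptive".
    The adaptive mode (a simplified adaptive cut-through) starts in fast-forward,
    counts CRC errors over the last `window` frames, moves to store-and-forward
    when the count exceeds `threshold` and reverts when it drops below it.
    Window and threshold are assumptions for this example."""

    def __init__(self, mode, threshold=2, window=5):
        self.mode = mode
        self.active = "fast-forward" if mode == "adaptive" else mode
        self.threshold = threshold
        self.recent_errors = deque(maxlen=window)

    def forwards(self, frame):
        """Return True if the frame is sent out the destination port."""
        if self.active == "fast-forward":
            # Forward as soon as the 6-byte destination MAC has been read.
            decision = len(frame) >= 6
        elif self.active == "fragment-free":
            # Wait for the first 64 bytes; anything shorter is a collision fragment.
            decision = len(frame) >= MIN_FRAME
        else:  # store-and-forward
            decision = crc_ok(frame)
        if self.mode == "adaptive":
            # The switch still notices the error after the fact and keeps a counter.
            self.recent_errors.append(not crc_ok(frame))
            errors = sum(self.recent_errors)
            if errors > self.threshold:
                self.active = "store-and-forward"
            elif errors < self.threshold:
                self.active = "fast-forward"
        return decision


# Constructed test traffic: a good frame, the same frame with one flipped
# padding bit (so the CRC no longer matches), and a 40-byte runt.
GOOD = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"hello")
_corrupt = bytearray(GOOD)
_corrupt[20] ^= 0x01
CORRUPT = bytes(_corrupt)
RUNT = GOOD[:40]


def compare_methods():
    """(good, corrupt, runt) forwarding decisions for each fixed method."""
    return {mode: tuple(Switch(mode).forwards(f) for f in (GOOD, CORRUPT, RUNT))
            for mode in ("store-and-forward", "fast-forward", "fragment-free")}


def adaptive_trace():
    """Push a burst of corrupt frames through an adaptive switch and record
    (method in use, forwarded?) per frame plus the method it settles on."""
    sw = Switch("adaptive")
    trace = []
    for frame in [GOOD, CORRUPT, CORRUPT, CORRUPT, CORRUPT, GOOD, GOOD, GOOD, GOOD]:
        mode_used = sw.active
        trace.append((mode_used, sw.forwards(frame)))
    return trace, sw.active


if __name__ == "__main__":
    for mode, result in compare_methods().items():
        print(f"{mode:18} good={result[0]} corrupt={result[1]} runt={result[2]}")
    for step in adaptive_trace()[0]:
        print(step)
```

Store-and-forward is the only method that drops the corrupted frame; fragment-free drops only the runt; fast-forward drops nothing. The adaptive switch forwards the first corrupt frames at fast-forward latency and only then falls back to store-and-forward, which is exactly the window through which damaged or deliberately malformed frames reach the rest of the segment.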

3.1.4 Switch Security Page 1: Keep your network secure, regardless of the switching method used. Network security often focuses on routers and on blocking traffic from the outside. Switches sit inside the organization and are designed for ease of connectivity, so they frequently receive limited or no security measures, even though anyone who can reach a switch port or its management interface is already past the perimeter.

Apply the following basic security features to switches to ensure that only authorized people access the devices:

Physically secure the device
Use secure passwords
Enable SSH access
Monitor access and traffic
Disable http access
Disable unused ports
Enable port security
Disable Telnet

3.1.4 - Switch Security The diagram depicts a stack of switches labeled with various security measures. A brief description is given for each security measure.

Physical Security: Switches are a critical link in the network. Secure them physically by mounting them in a rack installed in a secure room. Limit access to authorized network staff.

Secure Passwords: Configure all passwords (user mode, privileged mode, and vty access) with a minimum of six non-repeating characters. Change passwords on a regular basis. Never use words found in a dictionary. Use the enable secret command for the privileged-level password: it stores a one-way hash of the password (MD5 on the IOS releases of this era), whereas enable password stores it in clear text. The command service password-encryption obscures the remaining passwords in the running configuration, but the type 7 encoding it applies is a reversible scheme, not encryption; it protects against someone glancing at the screen, not against anyone who obtains a copy of the configuration file.

Enable SSH for Secure Remote vty Access: SSH is a client/server protocol used to log in to another device over a network. It provides strong authentication and secure communication over insecure channels. SSH encrypts the entire login session, including password transmission.

Monitor Access and Traffic: Monitor all traffic passing through a switch to ensure that it complies with company policies. Additionally, record the MAC address of every device connecting to a specific switch port and all login attempts on the switch. If the switch detects malicious traffic or unauthorized access, take action according to the security policy of the organization.

Disable http Access: Disable http access so that no one can enter the switch and modify the configuration through the web interface. The command to disable http access is no ip http server.

Disable Unused Ports: Disable all unused ports on the switch to prevent unknown PCs or wireless access points from connecting to an available port. Accomplish this by issuing the shutdown command on each unused interface.

Enable Port Security: Port security restricts a switch port to a specific list of MAC addresses. Enter the MAC addresses manually or let the switch learn them dynamically. The port then accepts traffic only from those devices. If a device with a different MAC address plugs into the port, the switch by default shuts the port down (places it in the err-disabled state).

Disable Telnet: A Telnet connection sends data over the network in clear text, including usernames, passwords, and data. The course disables Telnet by not configuring a password for any vty line, which makes IOS refuse the login; the more explicit control is transport input ssh on the vty lines, which allows only SSH on those lines.
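To make the checklist above concrete, here is an added Python audit script (not from the course or from Cisco) that reads a constructed IOS running-config excerpt and reports the items a reviewer would flag: no enable secret, ip http server left on, vty lines that still accept Telnet, access ports that are up without port security, and any type 7 password, which it decodes. The type 7 decoder uses the long-published translation key; it is included to show why service password-encryption only hides passwords from a casual glance. The sample configuration, hostname and passwords are constructed for the example.

```python
import re

# Constructed running-config excerpt for the audit (not from any real device).
SAMPLE_CONFIG = """\
hostname S1
!
enable password cisco
service password-encryption
!
ip http server
!
line vty 0 4
 password 7 060506324F41
 login
 transport input telnet ssh
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 shutdown
!
"""

# The widely published type 7 translation key. Type 7 is a byte-wise XOR against
# this string, which is why "service password-encryption" is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Reverse a type 7 string: two-digit decimal key offset, then hex bytes."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def encode_type7(plain, seed=6):
    """Forward direction, to show the scheme round-trips (IOS picks a seed 0-15)."""
    out = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(plain))
    return f"{seed:02d}{out.hex().upper()}"


def parse_sections(text):
    """Split IOS config text into (command, [indented sub-commands]) pairs.
    Global commands become sections with no sub-commands."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of findings for the checklist items on this page."""
    findings = []
    sections = parse_sections(config)
    global_cmds = [cmd for cmd, _ in sections]

    if not any(cmd.startswith("enable secret") for cmd in global_cmds):
        findings.append("no 'enable secret': privileged password missing or kept "
                        "as reversible 'enable password'")
    if "ip http server" in global_cmds:
        findings.append("web management enabled: add 'no ip http server'")

    for cmd, body in sections:
        # Reversible type 7 strings anywhere (vty lines, usernames, ...).
        for line in [cmd] + body:
            match = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)", line)
            if match:
                findings.append(f"{cmd}: type 7 password decodes to "
                                f"{decode_type7(match.group(1))!r}")
        if cmd.startswith("line vty"):
            transport = next((line for line in body if line.startswith("transport input")),
                             "transport input all")  # IOS default when the line is unset
            if transport.split()[2:] != ["ssh"]:
                findings.append(f"{cmd}: '{transport}' does not restrict the line "
                                "to SSH; use 'transport input ssh'")
        if cmd.startswith("interface ") and "shutdown" not in body:
            if ("switchport mode access" in body
                    and not any(line.startswith("switchport port-security") for line in body)):
                findings.append(f"{cmd}: active access port without port security "
                                "(or 'shutdown' if unused)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against a real running-config the parser needs nothing more than the indentation IOS already produces; the same structure extends to other checks from the list, such as flagging lines without login or interfaces whose port-security violation mode has been relaxed from the default.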

Page 2: Lab Activity

Enable basic switch security.

Click the lab icon to begin.

3.1.4 - Switch Security Link to Hands-on Lab: Applying Basic Switch Security Enable basic switch security.

3.2 Preventing Switching Loops


3.2.1 Redundancy in a Switched Network Page 1: Modern enterprises rely more and more on their networks for their very existence. The network is the lifeline of many organizations. Network downtime translates into potentially disastrous loss of business, income, and customer confidence.

The failure of a single network link, a single device, or a critical port on a switch causes network downtime. Redundancy is required in the network design in order to maintain a high degree of reliability and eliminate any single point of failure. Redundancy is accomplished by installing duplicate equipment and network links for critical areas.

Sometimes, providing complete redundancy of all links and devices in a network becomes very expensive. Network engineers are often required to balance the cost of redundancy with the need for network availability.

3.2.1 - Redundancy in a Switched Network The diagram depicts three separate blocks, each labeled Wiring Closet, Backbone with Redundant Links, and Server Farm. The Wiring Closet has two switches labeled S1 and S5, located inside the block. The two switches in the wiring closet are directly linked to the next block, which is labeled Backbone with Redundant Links. Housed within this block are four switches, labeled S2, S3, S6, and S7. S1 is linked to S2. S2 is linked to S3. S5 is linked to S6. S6 is linked to S7. There are redundant links between all six switches. S3 and S7 are linked to S4 and S8 in the Server Farm. These are also redundant links. Switches S4 and S8 are linked to seven servers located within the server farm.

Page 2: Redundancy refers to having two different pathways to a particular destination. Examples of redundancy in non-networking environments include two roads into a town, two bridges to cross a river, or two doors to exit a building. If one way is blocked, another is still available.

Achieve redundancy in switches by connecting them with multiple links. Redundant links in a switched network reduce congestion and support high availability and load balancing.

Connecting switches together with redundant links, however, can cause problems. Redundant links form a switching loop, and because a switch floods every broadcast frame out all ports except the one it arrived on, a broadcast frame circulates around the loop indefinitely, producing a broadcast storm. Broadcast storms use up all of the available bandwidth and can prevent new network connections from being established as well as causing existing connections to be dropped.

3.2.1 - Redundancy in a Switched Network The animation depicts the development of a broadcast storm. The diagram depicts a server and two PCs, labeled H1 and H3, connected to a switch, S1. S1 is connected by dual links to the switch S2. S2 is connected to a router labeled R1 and to two PCs labeled H2 and H4. The router has a serial link in use. The server connected to S1 sends a broadcast frame to S1. S1 sends it out all ports except the one it arrived on. S2 receives the frame and sends it to all connected clients, including back to S1 on both links. S1 receives the frame and sends it again to its directly connected hosts and to S2, and the cycle repeats. This is commonly known as a broadcast storm.

Page 3: Broadcast storms are not the only problem created by redundant links in a switched network. Unicast frames sometimes produce problems, such as multiple frame transmissions and MAC database instability.

Multiple Frame Transmissions

If a host sends a unicast frame to a destination host and the destination MAC address is not included in any of the connected switch MAC tables, then every switch floods the frame out all ports. In a looped network, the frame could be sent back to the initial switch. The process repeats, creating multiple copies of the frame on the network.

Eventually the destination host receives multiple copies of the frame. This causes three problems: wasted bandwidth, wasted CPU time, and potential duplication of transaction traffic.

MAC Database Instability

It is possible for switches in a redundant network to learn the wrong information about the location of a host. If a loop exists, copies of the same frame arrive on different ports, so a switch repeatedly re-associates the source MAC address with one port and then another. This causes confusion and suboptimal frame forwarding.

3.2.1 - Redundancy in a Switched Network The animation depicts two problems that a unicast frame creates in a looped environment: multiple frame transmission and MAC database instability. The diagram depicts a server and two PCs, labeled H1 and H3, connected to a switch, S1. S1 is connected by dual links to the switch S2. S2 is connected to a router, labeled R1, and to two PCs, labeled H2 and H4. Multiple Frame Transmission In the first scenario, the client H2 sends a frame to S2. S2 says, I do not see the server in my MAC table. I will send this frame out all active ports. S2 sends the frame out all ports except the one it arrived on. Because of the dual links between S1 and S2, the intended recipient receives two copies of the same frame. This is known as multiple frame transmission. MAC Database Instability In the second scenario, the server connected to S1 sends a frame to client H4 on the other side of S2. S1 looks in its MAC table for the address of H4 but finds no entry, so it floods the frame out both links to S2; copies also reach the two clients connected to S1. S2 receives the frame on both links and says, I will update my MAC table with information for the originating server. The server's MAC address is learned on one link and then on the other, so the entry flaps between the two ports. S2 forwards the frame to client H4.

Page 4: Packet Tracer Activity

Disable redundant links to avoid switching loops in the network provided.

Click the Packet Tracer icon to begin.

3.2.1 - Redundancy in a Switched Network Link to Packet Tracer Exploration: Disabling Redundant Links to Avoid Switching Loops Disable redundant links to avoid switching loops in the network provided.

3.2.2 Spanning Tree Protocol (STP) Page 1: Spanning Tree Protocol (STP) provides a mechanism for disabling redundant links in a switched network. STP provides the redundancy required for reliability without creating switching loops.

STP, defined in IEEE 802.1D, is an open standard protocol used in a switched environment to create a loop-free logical topology.

STP is relatively self-sufficient and requires little configuration. When switches are first powered up with STP enabled, they check the switched network for the existence of loops. Switches detecting a potential loop block some of the connecting ports, while leaving other ports active to forward frames.

3.2.2 - Spanning Tree Protocol (S T P) The diagram depicts the difference between using and not using S T P. Four switches arranged in a square topology with computers connected to two of the switches. There are dual links between the four switches, indicating the flow of data from switch 1 to switch 2 to switch 3, and then switch 4. No S T P When the configuration has no S T P in use, the switching loop is evident.

With S T P When S T P is implemented, the link between two switches is blocked by removing access to the port. The link ceases to exist, thereby eliminating the loop.

Page 2: STP defines a tree that spans all the switches in an extended star switched network. Switches are constantly checking the network to ensure that there are no loops and that all ports function as required.

To prevent switching loops, STP:

Forces certain interfaces into a standby or blocked state
Leaves other interfaces in a forwarding state
Reconfigures the network by activating the appropriate standby path if the forwarding path becomes unavailable

In STP terminology, the term bridge is frequently used to refer to a switch. For example, the root bridge is the primary switch or focal point in the STP topology. Switches exchange Bridge Protocol Data Units (BPDUs), frames sent to a reserved multicast address every 2 seconds (the hello time) on every participating port. BPDUs contain information such as:

Identity of the source switch
Identity of the source port
Cumulative cost of the path to the root bridge
Value of the aging timers
Value of the hello timer

3.2.2 - Spanning Tree Protocol (S T P) The diagram depicts a table of the Bridge Protocol Data Unit (BPDU) structure and the meaning of each field.

Protocol Identifier: Always 0
Version: Always 0
Message Type: Identifies the type of BPDU the frame contains (configuration or topology change notification)
Flags: Used to handle changes in the topology
Root ID: The bridge ID of the root bridge; after convergence every BPDU in the bridged network carries the same value
Root Path Cost: The cumulative cost of all links leading to the root bridge
Bridge ID: The BID of the bridge that created the current BPDU
Port ID: A unique value for every port; port 1/1 carries 0x8001, port 1/2 carries 0x8002, and so on
Message Age: The time since the root bridge originally generated the information from which the current BPDU is derived
Max Age: The maximum time a BPDU is saved; influences the bridge table aging timer during the topology change notification process
Hello Time: The time between periodic configuration BPDUs
Forward Delay: The time spent in the listening and learning states; influences timers during the topology change notification process
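The BPDU layout in the table can be exercised directly. The following Python code is an added example (not from the course): it packs a constructed 802.1D configuration BPDU with the field order and sizes above (the timer fields are carried in units of 1/256 second), parses it back, splits the port ID into port priority and port number, and compares two BPDUs the way a switch decides which one carries superior information. The MAC addresses and field values are constructed for the example.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU body (after the LLC header): 35 bytes, big-endian.
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")
BPDU_TYPE_CONFIG, BPDU_TYPE_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80          # topology change / TC acknowledgement bits
TIMER_UNIT = 256                         # timer fields are in 1/256-second units


@dataclass(frozen=True, order=True)
class BridgeID:
    """2-byte priority followed by the 6-byte MAC. Ordering is the STP
    comparison (lower wins): priority first, then MAC."""
    priority: int
    mac: str

    @classmethod
    def from_bytes(cls, raw):
        return cls(int.from_bytes(raw[:2], "big"), raw[2:8].hex(":"))

    def to_bytes(self):
        return self.priority.to_bytes(2, "big") + bytes.fromhex(self.mac.replace(":", ""))


@dataclass
class ConfigBPDU:
    root_id: BridgeID
    root_path_cost: int
    bridge_id: BridgeID
    port_id: int
    message_age: float
    max_age: float
    hello_time: float
    forward_delay: float
    flags: int = 0

    @property
    def port_number(self):
        return self.port_id & 0xFF       # 0x8001 -> port 1

    @property
    def port_priority(self):
        return self.port_id >> 8         # 0x80 is the default port priority

    def pack(self):
        return CONFIG_BPDU.pack(
            0, 0, BPDU_TYPE_CONFIG, self.flags,
            self.root_id.to_bytes(), self.root_path_cost, self.bridge_id.to_bytes(),
            self.port_id,
            int(self.message_age * TIMER_UNIT), int(self.max_age * TIMER_UNIT),
            int(self.hello_time * TIMER_UNIT), int(self.forward_delay * TIMER_UNIT))


def parse_bpdu(raw):
    """Return a ConfigBPDU, the string "TCN" for a topology change notification,
    or raise ValueError for anything that is not an 802.1D BPDU."""
    if len(raw) < 4 or raw[0:2] != b"\x00\x00" or raw[2] != 0:
        raise ValueError("not an 802.1D (version 0) BPDU")
    if raw[3] == BPDU_TYPE_TCN:
        return "TCN"                     # a TCN BPDU is just the 4-byte header
    if raw[3] != BPDU_TYPE_CONFIG or len(raw) < CONFIG_BPDU.size:
        raise ValueError("unknown BPDU type or truncated BPDU")
    (_, _, _, flags, root, cost, bridge, port,
     age, max_age, hello, fwd) = CONFIG_BPDU.unpack(raw[:CONFIG_BPDU.size])
    return ConfigBPDU(BridgeID.from_bytes(root), cost, BridgeID.from_bytes(bridge),
                      port, age / TIMER_UNIT, max_age / TIMER_UNIT,
                      hello / TIMER_UNIT, fwd / TIMER_UNIT, flags)


def is_superior(a, b):
    """True if BPDU a carries better information than b: lower root ID, then
    lower root path cost, then lower sender bridge ID, then lower port ID."""
    def key(p):
        return (p.root_id, p.root_path_cost, p.bridge_id, p.port_id)
    return key(a) < key(b)


# Constructed sample: a non-root switch one 100 Mb/s hop (802.1D-1998 cost 19)
# from the root, advertising out its port 1/1 with the default timers.
SAMPLE = ConfigBPDU(
    root_id=BridgeID(32768, "aa:11:bb:22:cc:33"), root_path_cost=19,
    bridge_id=BridgeID(32768, "aa:11:bb:22:cc:44"), port_id=0x8001,
    message_age=1.0, max_age=20.0, hello_time=2.0, forward_delay=15.0)
RAW_SAMPLE = SAMPLE.pack()

if __name__ == "__main__":
    print(RAW_SAMPLE.hex(" "))
    print(parse_bpdu(RAW_SAMPLE))
```

Because BPDUs carry no authentication, any host that can send a frame with a sufficiently low root ID to an access port can win this comparison and become the root; that is the reason PortFast ports should never be allowed to accept BPDUs.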

Page 3: As a switch powers on, each port cycles through a series of four states: blocking, listening, learning, and forwarding. A fifth state, disabled, indicates that the administrator has shut down the switch port.

As the port cycles through these states, the LEDs on the switch change from flashing amber to green. It can take as long as 50 seconds (the 20-second max age timer plus two 15-second forward delay periods) for a port to cycle through all of these states and be ready to forward frames.

When a switch powers on, it first goes into a blocking state to immediately prevent the formation of a loop. It then changes to listening mode, so that it receives BPDUs from neighbor switches. After processing this information the switch determines which ports can forward frames without creating a loop. If the port can forward frames, it changes to learning mode, and then to forwarding mode.

Access ports do not create loops in a switched network and always transition to forwarding if they have a host attached. Trunking ports potentially create a looped network and transition to either a forwarding or blocking state.

3.2.2 - Spanning Tree Protocol (S T P) The diagram depicts a Layer 2 switch with a port transitioning through the STP states. The states are listed below with a description of each.

Blocking (steady amber): Receives BPDUs. Discards data frames. Does not learn addresses. Takes up to 20 seconds (the max age timer) to change to the listening state.
Listening (blinking amber): Listens for BPDUs. Does not forward frames. Does not learn MAC addresses. Determines whether the switch has more than one trunking port that might create a loop; if so, the port returns to the blocking state, otherwise it proceeds to the learning state. Takes 15 seconds (the forward delay) to transition to learning.
Learning (blinking amber): Processes BPDUs. Learns MAC addresses from traffic received. Does not forward frames. Takes 15 seconds (the forward delay) to transition to forwarding.
Forwarding (green, blinking with traffic): Processes BPDUs. Learns MAC addresses. Forwards frames.

Page 4:

3.2.2 - Spanning Tree Protocol (S T P) Associate the processes with one of the following spanning tree processes: Blocking, Listening, Learning, or Forwarding. One.Processes BPDU. Two.Learns MAC addresses. Three.Discards frames. Four.Forwards frames. Five.Does not forward frames. Six.Receives BPDU. Seven.Does not learn MAC addresses.

3.2.3 Root Bridges Page 1: For STP to function, the switches in the network determine a switch that is the focal point in that network. STP uses this focal point, called a root bridge or root switch, to determine which ports to block and which ports to put into forwarding state. The root bridge sends out BPDUs containing network topology information to all other switches. This information allows the network to reconfigure itself in the event of a failure.

There is only one root bridge on each network, and it is elected based on the bridge ID (BID). The BID is the 2-byte bridge priority followed by the 6-byte MAC address of the switch, so the priority is compared first and the MAC address only breaks ties.

Bridge priority has a default value of 32,768. If a switch has a MAC address of AA-11-BB-22-CC-33, the BID for that switch would be: 32768: AA-11-BB-22-CC-33.

3.2.3 - Root Bridges The diagram depicts the bridge ID (B I D) of eight bytes. The B I D is broken down into a Bridge Priority of 2 bytes with a range of 0-65535 and a default of 32768. The next six bytes are the MAC address derived from the backplane/supervisor.

Page 2: The root bridge is based on the lowest BID value. Since switches typically use the same default priority value, the switch with the lowest MAC address becomes the root bridge.

As each switch powers on, it assumes that it is the root bridge, and sends out BPDUs containing its BID. For example, if S2 advertises a root ID that is a lower number than S1, S1 stops the advertisement of its root ID and accepts the root ID of S2. S2 is now the root bridge.

STP designates three types of ports: root ports, designated ports, and blocked ports.

Root Port

The port that provides the least cost path back to the root bridge becomes the root port. Switches calculate the least cost path using the bandwidth cost of each link required to reach the root bridge.

Designated Port

A designated port is the one port on each network segment that forwards traffic between that segment and the root bridge. It belongs to the switch with the least-cost path to the root on that segment, so every port on the root bridge itself is a designated port. A segment therefore has exactly one designated port; the other switch ports on the segment are either root ports or blocked.

Blocked Port

A blocked port is a port that neither forwards user traffic nor learns MAC addresses. It still receives BPDUs, so it can be brought back into service if the active path fails.

3.2.3 - Root Bridges The diagram depicts three switches, S1, S2, and S3. S1 is connected to S2, S2 to S3, and S3 back to S1. The interface for S1, 1 / 1, has been assigned the root port. The interface 1 / 2 has been assigned the designated port. The interface for S2, 1 / 1, has been assigned the designated port, and this switch is the Root Bridge. The second interface for S2, 1 / 2, is also a designated port. The interface for S3, 1 / 1, has been designated as the root port, and its interface 1 / 2 has been blocked.

Page 3: Before configuring STP, the network technician plans and evaluates the network in order to select the best switch to become the root of the spanning tree. If the root is simply the switch with the lowest MAC address, forwarding might not be optimal.

A centrally-located switch works best as the root bridge. A blocked port situated at the extreme edge of the network might cause traffic to take a longer route to get to the destination than if the switch is centrally located.

To specify the root bridge, configure the chosen switch with the lowest priority value in its BID. The spanning-tree vlan priority command sets the bridge priority. The priority field is 16 bits (0 to 65535), but IOS accepts only multiples of 4096 from 0 to 61440. The default value is 32768.

To set priority:

S3(config)#spanning-tree vlan 1 priority 4096

To restore priority to default:

S3(config)#no spanning-tree vlan 1 priority

3.2.3 - Root Bridges The diagram depicts four switches arranged in a square topology with all switches connected to each other. The switches are labeled S1, S2, S3, and S4. S3 has been labeled the root bridge and has the lowest priority number, 4096. S1 and S2 have the default priority of 32768, and S4 has a priority of 8192.
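The election and port-role rules from this section, and the broadcast storm from 3.2.1, can be checked with the following Python model, which is an added example and not course material. It takes the three-switch triangle from the earlier figure (S1, S2, S3, every link 100 Mb/s at the 802.1D-1998 path cost of 19, with constructed MAC addresses), elects the root by lowest BID, computes each switch's root path cost, assigns root, designated and blocked roles, floods one broadcast through the looped topology with and without those roles, and then repeats the election after the equivalent of spanning-tree vlan 1 priority 4096 on S3. Tie-breaking is simplified to root path cost followed by bridge ID; the real protocol also compares the sender's port ID.

```python
import heapq
from collections import Counter, defaultdict, deque

LEGACY_COST_100M = 19   # 802.1D-1998 path cost for a 100 Mb/s link


def set_priority(bridges, name, priority):
    """Mirror of 'spanning-tree vlan 1 priority N': IOS accepts only multiples
    of 4096 between 0 and 61440."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    bridges[name] = (priority, bridges[name][1])


def run_stp(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(a, b, cost)].
    Returns (root, root path cost per switch, role of every (switch, neighbor) port)."""
    root = min(bridges, key=bridges.get)          # lowest BID (priority, then MAC) wins
    adj = defaultdict(list)
    for a, b, c in links:
        adj[a].append((b, c))
        adj[b].append((a, c))
    cost = {s: float("inf") for s in bridges}
    cost[root], heap = 0, [(0, root)]
    while heap:                                   # least-cost path to the root
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj[u]:
            if d + c < cost[v]:
                cost[v] = d + c
                heapq.heappush(heap, (cost[v], v))
    # Root port: the neighbor giving the least total cost, lower BID on ties.
    root_port = {s: min(adj[s], key=lambda vc: (cost[vc[0]] + vc[1], bridges[vc[0]]))[0]
                 for s in bridges if s != root}
    roles = {}
    for a, b, _ in links:
        # One designated port per segment: the end with the lower root path cost,
        # lower BID on ties. The far end is either a root port or blocked.
        desig = min((a, b), key=lambda s: (cost[s], bridges[s]))
        other = b if desig == a else a
        roles[(desig, other)] = "designated"
        roles[(other, desig)] = "root" if root_port[other] == desig else "blocked"
    return root, cost, roles


def flood(links, roles, origin, limit=200):
    """Send one broadcast frame from `origin`. A blocked port neither sends nor
    accepts data frames. Returns (copies processed per switch, total events);
    `limit` stops the simulation where a loop would otherwise run forever."""
    nbrs = defaultdict(list)
    for a, b, _ in links:
        nbrs[a].append(b)
        nbrs[b].append(a)
    counts, events = Counter(), 0
    queue = deque([(origin, None)])
    while queue and events < limit:
        sw, came_from = queue.popleft()
        counts[sw] += 1
        events += 1
        for nbr in nbrs[sw]:
            if nbr == came_from:
                continue                          # never back out the ingress port
            if "blocked" in (roles[(sw, nbr)], roles[(nbr, sw)]):
                continue
            queue.append((nbr, sw))
    return counts, events


# Constructed triangle from the figure: S1-S2, S2-S3, S3-S1, all 100 Mb/s,
# default priority everywhere, so the lowest MAC (S2) becomes root.
BRIDGES = {"S1": (32768, "00:00:00:00:00:11"),
           "S2": (32768, "00:00:00:00:00:02"),
           "S3": (32768, "00:00:00:00:00:33")}
LINKS = [("S1", "S2", LEGACY_COST_100M), ("S2", "S3", LEGACY_COST_100M),
         ("S3", "S1", LEGACY_COST_100M)]
# Without STP every port forwards.
NO_STP = {(a, b): "designated" for x, y, _ in LINKS for a, b in ((x, y), (y, x))}


def demo():
    root, _, roles = run_stp(BRIDGES, LINKS)
    _, looped_events = flood(LINKS, NO_STP, "S1")
    counts, stp_events = flood(LINKS, roles, "S1")
    tuned = dict(BRIDGES)
    set_priority(tuned, "S3", 4096)               # force S3 to become root
    new_root, _, new_roles = run_stp(tuned, LINKS)
    return root, roles, looped_events, stp_events, counts, new_root, new_roles


if __name__ == "__main__":
    root, roles, looped, converged, counts, new_root, new_roles = demo()
    print("root:", root, "| blocked:", [p for p, r in roles.items() if r == "blocked"])
    print("broadcast events without STP (hit cap):", looped,
          "| with STP:", converged, dict(counts))
    print("after priority 4096 on S3, root is", new_root,
          "| blocked:", [p for p, r in new_roles.items() if r == "blocked"])
```

With default priorities the model reproduces the figure exactly: S2 is root, S1's port toward S3 is designated and S3's port toward S1 is blocked, so a broadcast reaches each switch once instead of circulating until the cap. Lowering S3's priority moves the root and the blocked port with it, which is why the priority of the intended root (and of a backup root) should be set deliberately rather than left to the MAC address.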

Page 4: Lab Activity Configure the BID on a switch to control which one becomes the root bridge. Observe the spanning tree and traffic flow patterns as different switches are configured as root.

Click the lab icon to begin.

3.2.3 - Root Bridges Link to Hands-on Lab: Building a Switched Network with Redundant Links Configure the B ID on a switch to control which one becomes the root bridge. Observe the spanning tree and traffic flow patterns as different switches are configured as root.

3.2.4 Spanning Tree in a Hierarchical Network Page 1: After establishing the root bridge, root ports, designated ports, and blocked ports, STP sends BPDUs throughout the switched network at 2-second intervals. STP continues to listen to these BPDUs to ensure that no links fail and no new loops appear.

If a link failure occurs, STP recalculates by:

Changing some blocked ports to forwarding ports Changing some forwarding ports to blocked ports Forming a new STP tree to maintain the loop-free integrity of the network

STP is not instantaneous. When a link goes down, STP detects the failure and recalculates the best paths across the network. This calculation and transition period takes about 30 seconds (two forward delay periods) when a switch detects the failure on its own link, and up to 50 seconds when it must first wait for the 20-second max age timer to expire on stale BPDU information. During this recalculation, no user data passes through the recalculating ports.

Some user applications time out during the recalculation period, which can result in lost productivity and revenue. Frequent STP recalculations negatively impact uptime.

3.2.4 - Spanning Tree in Hierarchical Network The animation depicts the recalculation of spanning tree. Four switches are connected in a square topology with a client connected to one switch, which we will call Switch 1, and a server connected to another switch, which we will call Switch 3. The server sends a message to the client, H1, which passes through three of the switches to reach H1. The link between Switch 2 and Switch 3 goes down. Now all four switches become busy recalculating the spanning tree. The server tries to send another message, and the switch it is directly connected to, Switch 3, announces, "I need a new root port." Switch 4 announces, "My blocked port is now ready to forward traffic." Switch 1 announces, "My root port remains the same." Switch 2, the root bridge, announces, "I can still see connectivity to all the switches." The server connected to Switch 3 sends a message, and it travels from Switch 3 to Switch 4 to Switch 1 and then to the client H1, this time bypassing the broken link through Switch 2.

Page 2: A high-volume enterprise server is connected to a switch port. If that port recalculates because of STP, the server is unreachable for up to 50 seconds. It would be difficult to imagine the number of transactions lost during that time.

In a stable network, STP recalculations are infrequent. In an unstable network, it is important to check the switches for stability and configuration changes. One of the most common causes of frequent STP recalculations is a faulty power supply or power feed to a switch. A faulty power supply causes the device to reboot unexpectedly.

3.2.4 - Spanning Tree in Hierarchical Network The diagram depicts a man sitting in front of his laptop computer with a timer next to the laptop, indicating that the man is waiting an undetermined amount of time for the process to be complete.

Page 3: Several enhancements to STP minimize the downtime incurred during an STP recalculation.

PortFast

STP PortFast causes an access port to enter the forwarding state immediately, bypassing the listening and learning states. Using PortFast on access ports that are connected to a single workstation or server allows those devices to connect to the network immediately, instead of waiting for STP to converge. Use PortFast only on ports that connect to a single end host: a PortFast port that is cabled to another switch begins forwarding before STP can detect the loop it has just created.

UplinkFast

STP UplinkFast accelerates the choice of a new root port when a link or switch fails or when STP reconfigures itself. The root port transitions to the forwarding state immediately without going through the listening and learning states, as it would do with normal STP procedures.

BackboneFast

BackboneFast provides fast convergence after a spanning tree topology change occurs. It quickly restores backbone connectivity. BackboneFast is used at the Distribution and Core Layers, where multiple switches connect.

PortFast, UplinkFast, and BackboneFast are Cisco proprietary, so they are available only on Cisco switches and cannot be relied on across a network that includes switches from other vendors. In addition, all of these features require explicit configuration.

3.2.4 - Spanning Tree in Hierarchical Network The animation depicts the benefits of PortFast. There are two scenarios, S T P with PortFast configured, and S T P without PortFast configured. The diagram is indicating that the time taken to send a message with PortFast configured is about 15 seconds, whereas the message sent without PortFast configured has taken about 45 seconds to complete.

Page 4: There are several useful commands used to verify spanning tree operation.

show spanning-tree - Displays root ID, bridge ID, and port states

show spanning-tree summary - Displays a summary of port states

show spanning-tree root - Displays the status and configuration of the root bridge

show spanning-tree detail - Displays detailed port information

show spanning-tree interface - Displays STP interface status and configuration

show spanning-tree blockedports - Displays blocked ports

3.2.4 - Spanning Tree in Hierarchical Network The diagram depicts the outputs for the commands listed below. For the output of these commands, the S T P protocol must be configured. ***show spanning-tree*** ***show spanning-tree root*** ***show spanning-tree interface*** ***show spanning-tree summary*** ***show spanning-tree detail*** ***show spanning-tree blockedports***

Page 5: Lab Activity Use various show commands to verify STP operation.

Click the lab icon to begin.

3.2.4 - Spanning Tree in Hierarchical Network Link to Hands-on Lab: Verifying S TP with show Commands Use various show commands to verify S T P operation.

3.2.5 Rapid Spanning Tree Protocol (RSTP) Page 1: When IEEE developed the original 802.1D Spanning Tree Protocol (STP), recovery time of 1 to 2 minutes was acceptable. Today, Layer 3 switching and advanced routing protocols provide a faster alternative path to the destination. The need to carry delay-sensitive traffic, such as voice and video, requires that switched networks converge quickly to keep up with the new technology.

Rapid Spanning Tree Protocol (RSTP), defined in IEEE 802.1w, significantly speeds the recalculation of the spanning tree. Unlike PortFast, UplinkFast, and BackboneFast, RSTP is not proprietary.

RSTP requires a full-duplex, point-to-point connection between switches to achieve the highest reconfiguration speed. Reconfiguration of the spanning tree by RSTP occurs in less than 1 second, as compared to 50 seconds in STP.

RSTP eliminates the requirements for features such as PortFast and UplinkFast. RSTP can revert to STP to provide services for legacy equipment.

To speed up the recalculation process, RSTP reduces the number of port states to three: discarding, learning and forwarding. The discarding state is similar to three of the original STP states: blocking, listening, and disabled.

RSTP also introduces the concept of active topology. All ports that are not discarding are part of the active topology and will immediately transition to the forwarding state.

3.2.5 - Rapid Spanning Tree Protocol (R S T P) The animation depicts the difference between Spanning Tree Protocol (S T P) and Rapid Spanning Tree Protocol (R S T P) implementations. In the S T P scenario, at first the light on the front of the switch is amber, indicating the switch is blocking. Next, the light begins blinking amber, indicating that the switch is listening/learning. Finally, the blinking green light flashes and forwarding begins. The process takes approximately 50 seconds. In the R S T P scenario, the time taken from the amber-blocking phase to the blinking green forwarding phase is one second.

3.3 Configuring VLANs


3.3.1 Virtual LAN Page 1: Hosts and servers that are connected to Layer 2 switches are part of the same network segment. This arrangement poses two significant problems:

Switches flood broadcasts out all ports, which consumes bandwidth unnecessarily; as the number of devices connected to a switch increases, more broadcast traffic is generated and more bandwidth is wasted.
Every device attached to a switch can send frames to and receive frames from every other device on that switch.

As a network design best practice, broadcast traffic is contained to the area of the network in which it is required. There are business reasons why certain hosts access each other while others do not. As an example, members of the accounting department may be the only users who need to access the accounting server. In a switched network, virtual local area networks (VLANs) are created to contain broadcasts and group hosts together in communities of interest.

A VLAN is a logical broadcast domain that can span multiple physical LAN segments. It allows an administrator to group together stations by logical function, by project teams, or by applications, without regard to physical location of the users.

3.3.1 - Virtual LAN The diagram depicts a router connected to three switches, one each on Floor 1, Floor 2, and Floor 3. The switch on Floor 3 is connected to three servers. The switch on Floor 2 is connected to three clients. The switch on Floor 1 is connected to three clients. The Accounting VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Marketing VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Engineering VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1.

Page 2: The difference between a physical network and a virtual, or logical, network can be shown in the following example:

The students in a school are divided into two groups. In the first group, each student is given a red card, for identification. In the second group, each student is given a blue card. The principal announces that students with red cards can only speak to other students with red cards and that students with blue cards can only speak to other students with blue cards. The students are now logically separated into two virtual groups, or VLANs.

Using this logical grouping, a broadcast goes out only to the red card group, even though both the red card group and the blue card group are physically located within the same school.

This example also shows another feature of VLANs. Broadcasts do not forward between VLANs, they are contained within the VLAN.

3.3.1 - Virtual LAN The animation depicts VLAN broadcast traffic. A router is connected to three switches, one each on Floor 1, Floor 2, and Floor 3. The switch on Floor 3 is connected to three servers. The switch on Floor 2 is connected to three clients. The switch on Floor 1 is connected to three clients. The Accounting VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Marketing VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. The Engineering VLAN comprises one server from Floor 3, one client from Floor 2, and one client from Floor 1. When packets travel from the router to the switches, they are switched and forwarded only within the destination VLAN.

Page 3: Each VLAN functions as a separate LAN. A VLAN spans one or more switches, which allows host devices to behave as if they were on the same network segment.

A VLAN has two major functions:

A VLAN contains broadcasts.

A VLAN groups devices. Devices located on one VLAN are not visible to devices located on another VLAN.

Traffic requires a Layer 3 device to move between VLANs.

In a switched network, a device can be assigned to a VLAN based on its location, MAC address, IP address, or the applications that the device most frequently uses. Administrators assign membership in a VLAN either statically or dynamically.

Static VLAN membership requires an administrator to manually assign each switch port to a specific VLAN. As an example, port fa0/3 may be assigned to VLAN 20. Any device that plugs into port fa0/3 automatically becomes a member of VLAN 20.

This type of VLAN membership is the easiest to configure and is also the most popular; however, it requires the most administrative support for adds, moves, and changes. For example, moving a host from one VLAN to another requires either the switch port to be manually reconfigured to the new VLAN or the workstation cable to be plugged into a different switch port on the new VLAN.

Membership in a specific VLAN is totally transparent to the users. Users working on a device plugged into a switch port have no knowledge that they are members of a VLAN.

3.3.1 - Virtual LAN This image depicts two switches connected via a trunk. Selecting each of the four port-based VLAN buttons (VLAN 1, VLAN 8, VLAN 12, and VLAN 5) shows each associated host and the port used.

Page 4: Dynamic VLAN membership requires a VLAN management policy server (VMPS). The VMPS contains a database that maps MAC addresses to VLAN assignments. When a device plugs into a switch port, the VMPS searches the database for a match of the MAC address and temporarily assigns that port to the appropriate VLAN.

Dynamic VLAN membership requires more organization and configuration but creates a structure with much more flexibility than static VLAN membership. In dynamic VLAN, moves, adds, and changes are automated and do not require intervention from the administrator.

Note: Not all Catalyst switches support the use of VMPSs.

3.3.1 - Virtual LAN The animation depicts the process of a host joining a dynamic VLAN. A new host connects to the LAN. It sends out a packet that says, "00:07:B3:11:12:13 is requesting membership in a VLAN." The packet reaches the VLAN management server, which says, "00:07:B3:11:12:13 is in my database. Assign that port to VLAN 18." The packet is returned to the switch port that the requesting host is connected to. The switch says, "I am assigning this port to VLAN 18."

Page 5:

3.3.1 - Virtual LAN The diagram depicts an activity in which you must decide which problems are solved by implementing a VLAN. Answer yes or no.

1. Users in the warehouse are accessing records in the payroll department. Management has asked you to isolate the payroll department from the rest of the network. (Yes or No)

2. Staff in the sales department continually join the network and then leave. This causes quite a bit of broadcast traffic as machines try to discover each other. These broadcasts slow down network performance in the graphics department. (Yes or No)

3. During the execution of a large project, members of the Marketing, Sales, and Public Relations departments collaborate on different parts of the project. The network administrator is concerned about response time on the collaboration server. (Yes or No)

4. The company plans on installing a VoIP system, but worries that voice traffic will be unusable due to the large amount of data on the network. (Yes or No)

3.3.2 Configuring a Virtual LAN Page 1: Whether VLANs are created statically or dynamically, the maximum number of VLANs depends on the type of switch and the IOS. By default, VLAN1 is the management VLAN.

An administrator will use the IP address of the management VLAN to configure the switch remotely. When accessing the switch remotely, the network administrator can configure and maintain all VLAN configurations.

Additionally, the management VLAN is used to exchange information, such as Cisco Discovery Protocol (CDP) traffic and VLAN Trunking Protocol (VTP) traffic, with other networking devices.

When a VLAN is created, it is assigned a number and a name. The VLAN number is any number from the range available on the switch, except for VLAN1. Some switches support approximately 1000 VLANs; others support more than 4000. Naming a VLAN is considered a network management best practice.

3.3.2 - Configuring a Virtual LAN The diagram depicts a switch with a workstation connected to one of the ports. The man working at the workstation says, "I am going to configure VLANs." The port that the workstation is connected to is labeled VLAN 1 Management VLAN.

Page 2: Use the following commands to create a VLAN using global configuration mode:

Switch(config)#vlan vlan_number
Switch(config-vlan)#name vlan_name
Switch(config-vlan)#exit

Assign ports to be members of the VLAN. By default, all ports are initially members of VLAN1. Assign ports one at a time or as a range.

Use the following commands to assign individual ports to VLANs:

Switch(config)#interface fa0/port_number
Switch(config-if)#switchport access vlan vlan_number
Switch(config-if)#exit

Use the following commands to assign a range of ports to a VLAN:

Switch(config)#interface range fa0/start_of_range - end_of_range
Switch(config-if-range)#switchport access vlan vlan_number
Switch(config-if-range)#exit

3.3.2 - Configuring a Virtual LAN The diagram depicts a man sitting at a workstation configuring a VLAN. The following is the command output.

Switch#configure terminal
Switch(config)#vlan 27
Switch(config-vlan)#name accounting
Switch(config-vlan)#exit
Switch(config)#interface fa0/13
Switch(config-if)#switchport access vlan 27
Switch(config-if)#exit
Switch(config)#vlan 28
Switch(config-vlan)#name engineering
Switch(config-vlan)#exit
Switch(config)#interface range fa0/6 - 12
Switch(config-if-range)#switchport access vlan 28
Switch(config-if-range)#end
Switch#show vlan

The command shows the setup of the VLANs. The headings for the show command are VLAN, Name, Status, and Ports. Examine the setup further in the Hands-on Lab, Configuring, Verifying, and Troubleshooting VLANs.

Page 3: To verify, maintain, and troubleshoot VLANs, it is important to understand the key show commands that are available in the Cisco IOS.

The following commands are used to verify and maintain VLANs:

show vlan

Displays a detailed list of all of the VLAN numbers and names currently active on the switch, along with the ports associated with each one

Displays STP statistics if configured on a per-VLAN basis

show vlan brief

Displays a summarized list showing only the active VLANs and the ports associated with each one

show vlan id id_number

Displays information pertaining to a specific VLAN, based on ID number

show vlan name vlan_name

Displays information pertaining to a specific VLAN, based on name

3.3.2 - Configuring a Virtual LAN The diagram depicts command output, as follows. The show vlan command gives the following information: VLAN, Name, Status, and Ports. The show vlan id command gives the following information: VLAN, Name, Status, and Ports, as well as VLAN, Type, SAID, MTU, Parent, RingNo, BridgeNo, Stp, BrdgMode, Trans1, and Trans2. The show vlan brief command gives the following information: VLAN, Name, Status, and Ports. The show vlan name command gives the following information: VLAN, Type, SAID, MTU, Parent, RingNo, BridgeNo, Stp, BrdgMode, and Trans1. Examine the output further in the Hands-on Lab, Configuring, Verifying, and Troubleshooting VLANs.

Page 4: In an organization, employees are frequently added, removed, or moved to a different department or project. This constant movement requires VLAN maintenance, including removal or reassignment to different VLANs.

The removal of VLANs and the reassignment of ports to different VLANs are two separate and distinct functions. When a port is disassociated from a specific VLAN, it returns to VLAN1. When a VLAN is removed, any associated ports are deactivated because they are no longer associated with any VLAN.

To delete a VLAN:

Switch(config)#no vlan vlan_number

To disassociate a port from a specific VLAN:

Switch(config)#interface fa0/port_number
Switch(config-if)#no switchport access vlan vlan_number

3.3.2 - Configuring a Virtual LAN The animation depicts a man sitting at a workstation. The man says, "I am deleting VLAN 27. I am also disassociating port 8 from VLAN 28."

Switch(config)#interface fa0/8
Switch(config-if)#no switchport access vlan 28
Switch(config-if)#exit
Switch(config)#no vlan 27
Switch(config)#end
Switch#show vlan

The output shows the VLAN, Name, Status, and Ports.

Page 5: Lab Activity

Configure, verify, and troubleshoot VLAN configuration on a Cisco switch.

Click the Lab icon to begin.

3.3.2 - Configuring a Virtual LAN Link to Hands-on Lab: Configuring, Verifying, and Troubleshooting VLANs. Configure, verify, and troubleshoot VLAN configuration on a Cisco switch.

3.3.3 Identifying VLANs Page 1: Devices connected to a VLAN only communicate with other devices in the same VLAN, regardless of whether those devices are on the same switch or different switches.

A switch associates each port with a specific VLAN number. As a frame enters that port, the switch inserts the VLAN ID (VID) into the Ethernet frame. The addition of the VLAN ID number into the Ethernet frame is called frame tagging. The most commonly used frame tagging standard is IEEE 802.1Q.

3.3.3 - Identifying VLANs The animation depicts VLAN interaction. Two switches are connected together. Client H1 on VLAN 2 says, "I have to send a message to H3." It then sends the message to H3, also on VLAN 2. H1 on VLAN 2 says, "I have to send a message to H6." H6 is on VLAN 3. H1 and H6 are unable to communicate because they are on different VLANs. Traffic cannot move between VLANs without the assistance of a router.

Page 2: The 802.1Q standard, sometimes abbreviated to dot1q, inserts a 4-byte tag field into the Ethernet frame. This tag sits between the source address and the type/length field.

Ethernet frames have a minimum size of 64 bytes and a maximum size of 1518 bytes; however, a tagged Ethernet frame can be up to 1522 bytes in size.

Frames contain fields such as:

The destination and source MAC address

The length of the frame

The payload data

The frame check sequence (FCS)

The FCS field provides error checking to ensure the integrity of all of the bits within the frame.

This tag field increases the minimum Ethernet frame from 64 to 68 bytes. The maximum size increases from 1518 to 1522 bytes. The switch recalculates the FCS because the number of bits in the frame has been modified.

If an 802.1Q-compliant port is connected to another 802.1Q-compliant port, the VLAN tagging information passes between them.

If the connecting port is not 802.1Q-compliant, the VLAN tag is removed before the frame is placed on the media.

If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame. This allows for the placement of Layer 2 intermediate devices, such as other switches or bridges, along the 802.1Q trunk path. To process an 802.1Q tagged frame, a device must allow an MTU of 1522 or higher.

3.3.3 - Identifying VLANs The diagram depicts the insertion of an 802.1Q tag into a frame. After the insertion, the frame receives a new FCS value. A brief description of the fields is given.

TPID: The Tag Protocol Identifier is a 16-bit field. It is set to a value of 0x8100 to identify the frame as an IEEE 802.1Q tagged frame.

PRIORITY: Known as user priority. This 3-bit field refers to the IEEE 802.1Q priority. The field indicates the frame priority level used for the prioritization of traffic. The field can represent 8 levels (0 through 7).

CFI: The Canonical Format Indicator is a 1-bit field. If the value of this field is 1, the MAC address is in non-canonical format. If the value is 0, the MAC address is in canonical format.

VID: The VLAN Identifier is a 12-bit field. It uniquely identifies the VLAN to which the frame belongs. The field has a value between 0 and 4095.
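The tag layout described above, worked through in Python as an added example that is not part of the course: the 4-byte tag goes between the source MAC and the type/length field, the FCS is recomputed over the changed bits, and the frame grows from 64 to 68 and from 1518 to 1522 bytes. The MAC addresses and payloads are constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100      # Tag Protocol Identifier for IEEE 802.1Q
UNTAGGED_MIN = 64        # minimum untagged frame, FCS included
UNTAGGED_MAX = 1518      # maximum untagged frame, FCS included
TAG_LEN = 4
FCS_LEN = 4
ADDR_LEN = 12            # destination MAC (6) + source MAC (6)


def fcs(body: bytes) -> bytes:
    """Frame check sequence: CRC-32 over everything before the FCS, sent LSB first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def verify_fcs(frame: bytes) -> bool:
    """True if the trailing four bytes match a CRC-32 over the rest of the frame."""
    return fcs(frame[:-FCS_LEN]) == frame[-FCS_LEN:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an untagged frame, padding the payload so the frame is at least 64 bytes."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body += b"\x00" * max(0, UNTAGGED_MIN - FCS_LEN - len(body))
    return body + fcs(body)


def tag_frame(frame: bytes, vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """Insert a dot1q tag between the source MAC and the type/length field.

    The tag is the TPID (16 bits) followed by the TCI: priority (3 bits),
    CFI (1 bit) and VID (12 bits). The FCS is recomputed because the bit
    pattern of the frame changed.
    """
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority is 3 bits, CFI is 1 bit")
    if not verify_fcs(frame):
        raise ValueError("input frame fails FCS check")
    body = frame[:-FCS_LEN]
    tci = (priority << 13) | (cfi << 12) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tagged = body[:ADDR_LEN] + tag + body[ADDR_LEN:]
    return tagged + fcs(tagged)


def parse_tag(frame: bytes):
    """Return (priority, cfi, vid) for a tagged frame, or None if it is untagged."""
    (tpid,) = struct.unpack("!H", frame[ADDR_LEN:ADDR_LEN + 2])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[ADDR_LEN + 2:ADDR_LEN + 4])
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def untag_frame(frame: bytes) -> bytes:
    """Strip the dot1q tag, as a switch does before an access port, and recompute the FCS."""
    if parse_tag(frame) is None:
        return frame
    body = frame[:-FCS_LEN]
    stripped = body[:ADDR_LEN] + body[ADDR_LEN + TAG_LEN:]
    return stripped + fcs(stripped)


def fits_port(frame: bytes, max_frame: int = UNTAGGED_MAX) -> bool:
    """Would a port that accepts at most max_frame bytes carry this frame?"""
    return len(frame) <= max_frame


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")     # constructed addresses
    src = bytes.fromhex("66778899aabb")
    small = build_frame(dst, src, 0x0800, b"hello")
    tagged = tag_frame(small, vid=27, priority=5)
    print(len(small), len(tagged), parse_tag(tagged))       # 64 68 (5, 0, 27)
    big = tag_frame(build_frame(dst, src, 0x0800, b"A" * 1500), vid=1)
    print(len(big), fits_port(big), fits_port(big, 1522))   # 1522 False True
```

A full-size tagged frame fails the 1518-byte check and passes only when the port allows 1522, which is the MTU requirement the text states for devices along the trunk path.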

Page 3:

3.3.3 - Identifying VLANs The diagram depicts an activity in which you must decide whether to deliver each inbound frame to the destination host based on the port configurations. Select Delivered or Not Delivered based on the size of the frame, the VLAN number, and the trunking protocols.

3.4 Trunking and Inter-VLAN Routing


3.4.1 Trunk Ports Page 1: A VLAN has three major functions:

Limits the size of broadcast domains

Improves network performance

Provides a level of security

To take full advantage of the benefits of VLANs, they are extended across multiple switches.

Switch ports can be configured for two different roles. A port is classified as either an access port or a trunk port.

Access Port

An access port belongs to only one VLAN. Typically, single devices such as PCs or servers connect to this type of port. If a hub connects multiple PCs to the single access port, each device connected to the hub is a member of the same VLAN.

Trunk Port

A trunk port is a point-to-point link between the switch and another networking device. Trunks carry the traffic of multiple VLANs over a single link and allow VLANs to reach across an entire network. Trunk ports are necessary to carry the traffic from multiple VLANs between devices when connecting either two switches together, a switch to a router, or a host NIC that supports 802.1Q trunking.

3.4.1 - Trunk Ports The diagram depicts the use of trunk ports and access ports in a network. There are three VLANs, which are connected via access ports to two switches. The switches are then linked to each other and to the router via trunk ports.

Network: one router (R1), two switches (S1, S2), three VLANs (VLAN 100, VLAN 200, VLAN 300). R1 connects to S1 via a trunk port. R1 connects to S2 via a trunk port. S1 connects to S2 via a trunk port.

VLAN 100 has two hosts (H1, H2) and one server, which are connected to S1 via access ports. VLAN 200 has two hosts (H3, H4), which are connected to S1 via access ports. VLAN 300 has one host (H5), which is connected to S1 via an access port. VLAN 300 has two hosts (H6, H7) and one server, which are connected to S2 via access ports.

Page 2: Without trunk ports, each VLAN requires a separate connection between switches. For example, an enterprise with 100 VLANs requires 100 connecting links. This type of arrangement does not scale well and is very expensive. Trunk links provide a solution to this problem by transporting traffic from multiple VLANs on the same link.

When multiple VLANs travel on the same link, they need VLAN identification. A trunk port supports frame tagging. Frame tagging adds VLAN information to the frame.

IEEE 802.1Q is the standardized and approved method of frame tagging. Cisco developed a proprietary frame tagging protocol called Inter-Switch Link (ISL). Higher-end switches, such as the Catalyst 6500 series, still support both tagging protocols; however, most LAN switches, such as the 2960, support only 802.1Q.

3.4.1 - Trunk Ports The animation depicts the traffic flow when trunking or no trunking is used between switches.

No trunking: Two switches (S1, S2). Three VLANs (VLAN 1, VLAN 2, VLAN 3). Six hosts (H1, H2, H3, H4, H5, H6). VLAN 1 has H5 and H3; VLAN 2 has H6 and H2; VLAN 3 has H1 and H4. S1 is connected to S2 via three links (each VLAN has a separate link). S1 has H1, H5, and H6 connected; S2 has H2, H3, and H4 connected. H5 (VLAN 1), H6 (VLAN 2), and H1 (VLAN 3) send information to H3 (VLAN 1), H2 (VLAN 2), and H4 (VLAN 3). Because each VLAN has its own link from S1 to S2, the information is sent on the corresponding VLAN's link from S1 to S2.

Trunking: Two switches (S1, S2). Three VLANs (VLAN 1, VLAN 2, VLAN 3). Six hosts (H1, H2, H3, H4, H5, H6). VLAN 1 has H5 and H3; VLAN 2 has H6 and H2; VLAN 3 has H1 and H4. S1 is connected to S2 via a trunk (all VLANs share one link). S1 has H1, H5, and H6 connected; S2 has H2, H3, and H4 connected. H5 (VLAN 1), H6 (VLAN 2), and H1 (VLAN 3) send information to H3 (VLAN 1), H2 (VLAN 2), and H4 (VLAN 3). Because the VLANs share the trunk, the information is sent one frame after another across the single link from S1 to S2.

Page 3: Switch ports are access ports by default. To configure a switch port as a trunk port, use the following commands:

Switch(config)#interface fa0/port_number

Switch(config-if)#switchport mode trunk

Switch(config-if)#switchport trunk encapsulation {dot1q | isl | negotiate}

Switches that support both 802.1Q and ISL require the last configuration statement. The 2960 switch does not require that statement because it only supports 802.1Q.

The negotiate parameter is the default mode on many Cisco switches. This parameter automatically detects the encapsulation type of the neighbor switch.

3.4.1 - Trunk Ports The diagram depicts two switches, S1 and S2, connected via a trunk link. S1 is showing a screen shot of the command line. The text displayed is as follows:

Switch(config)#interface fa0/24
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation dot1q

Page 4: Newer switches have the capability to detect the type of link configured at the other end. Based on the attached device, the link configures itself as either a trunk port or an access port.

Switch(config-if)#switchport mode dynamic {desirable | auto}

In desirable mode, the port becomes a trunk port if the other end is set to either trunk, desirable, or auto.

In auto mode, the port becomes a trunk port if the other end is set to either trunk or desirable.

To return a trunk port to an access port, issue either of the following commands:

Switch(config)#interface fa0/port_number

Switch(config-if)#no switchport mode trunk

or

Switch(config-if)#switchport mode access

3.4.1 - Trunk Ports The diagram depicts two switches, S1 and S2, connected via a trunk link. Both switches are showing a screen capture of the command line. The text displayed is as follows:

S1(config)#interface fa0/1
S1(config-if)#switchport mode dynamic desirable

S2(config)#interface fa0/1
S2(config-if)#switchport mode dynamic desirable

Page 5: Lab Activity

Create VLANs and assign them individual ports.

Click the lab icon to begin.

3.4.1 - Trunk Ports Link to Hands-on Lab: Creating VLANs and Assigning Ports. Create VLANs and assign them individual ports.

3.4.2 Extending VLANs across Switches Page 1:

Trunking enables VLANs to forward traffic between switches using only a single port.

A trunk link configured with 802.1Q on both ends allows traffic that has a 4-byte tag field added to the frame. This frame tag contains the VLAN ID.

When a switch receives a tagged frame on a trunk port, it removes the tag before sending it out an access port. The switch forwards the frame only if the access port is a member of the same VLAN as the tagged frame.

Some traffic, however, needs to cross the 802.1Q-configured link without a VLAN ID. Traffic with no VLAN ID is called untagged. Examples of untagged traffic are Cisco Discovery Protocol (CDP), VTP, and certain types of voice traffic. Untagged traffic minimizes the delays associated with inspection of the VLAN ID tag.

3.4.2 - Extending VLANs across Switches The animation illustrates the insertion of tags and the calculation of a new FCS as the frame is sent from one switch to another over a trunk port. The tag is removed and the FCS recalculated at the access port of the destination switch.

Page 2: To accommodate untagged traffic, a special VLAN called a native VLAN is available. Untagged frames received on the 802.1Q trunk port will become members of the native VLAN. On Cisco Catalyst switches, VLAN 1 is the native VLAN by default.

Any VLAN can be configured as the native VLAN. Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk line. If they are different, spanning-tree loops might result.

On an 802.1Q trunk, use the following command to assign the native VLAN ID on a physical interface:

Switch(config-if)#switchport trunk native vlan vlan-id

3.4.2 - Extending VLANs across Switches The diagram depicts a network with a single VLAN. There are two switches, labeled S1 and S2, each with one host, labeled Source and Destination. S1 is connected to S2 via trunk ports. The Source host is connected to S1 via an access port. The Destination host is connected to S2 via an access port. Both hosts are on VLAN 3 (the native VLAN). The Source host is going to send information to the Destination host. S1 says, "VLAN 3 is the native VLAN. Do not tag traffic." S2 says, "Traffic is untagged. It is a member of the native VLAN." S1 is showing a screen shot of the command line:

S1(config-if)#switchport trunk native vlan 3
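The forwarding rules from this page and the previous one (classify on ingress, strip the tag before an access port, send native-VLAN traffic untagged across the trunk), as an added Python model that is not part of the course. Switch, port and host names are constructed; the model also shows why both ends must agree on the native VLAN: an untagged frame lands in whatever VLAN the far end calls native.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    payload: str
    vid: Optional[int] = None        # None means the frame is untagged on the wire


@dataclass
class Port:
    mode: str                        # "access" or "trunk"
    vlan: int                        # access VLAN, or the trunk's native VLAN
    peer: Tuple[str, str]            # ("host", "Source") or ("switch", "S2:fa0/24")


class Switch:
    def __init__(self, name: str, ports: Dict[str, Port]):
        self.name = name
        self.ports = ports

    def classify(self, port: Port, frame: Frame) -> int:
        """Ingress: decide which VLAN the frame belongs to."""
        if port.mode == "access":
            return port.vlan             # any tag on an access port is ignored
        if frame.vid is None:
            return port.vlan             # untagged on a trunk: the native VLAN
        return frame.vid

    def egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Egress: strip or keep the tag for the port role; None means do not forward."""
        if port.mode == "access":
            return Frame(frame.payload) if port.vlan == vlan else None
        if vlan == port.vlan:
            return Frame(frame.payload)  # native VLAN leaves the trunk untagged
        return Frame(frame.payload, vid=vlan)

    def flood(self, in_port: str, frame: Frame) -> List[Tuple[str, Frame]]:
        """Flood a frame (broadcast or unknown unicast) out every other port in its VLAN."""
        vlan = self.classify(self.ports[in_port], frame)
        out = []
        for name, port in self.ports.items():
            if name == in_port:
                continue
            sent = self.egress(port, vlan, frame)
            if sent is not None:
                out.append((name, sent))
        return out


def deliver(switches: Dict[str, Switch], sw: str, in_port: str, frame: Frame,
            seen: Optional[Set[Tuple[str, str]]] = None) -> Set[str]:
    """Follow a flooded frame across the switches; return the hosts that receive it."""
    seen = set() if seen is None else seen
    hosts: Set[str] = set()
    for out_port, sent in switches[sw].flood(in_port, frame):
        kind, target = switches[sw].ports[out_port].peer
        if kind == "host":
            hosts.add(target)
        elif (sw, out_port) not in seen:
            seen.add((sw, out_port))
            next_sw, next_port = target.split(":")
            hosts |= deliver(switches, next_sw, next_port, sent, seen)
    return hosts


def build(s2_native: int) -> Dict[str, Switch]:
    """Two switches joined by one trunk; S1's trunk uses native VLAN 3, S2's is a parameter."""
    s1 = Switch("S1", {
        "fa0/1": Port("access", 3, ("host", "Source")),
        "fa0/2": Port("access", 5, ("host", "H5-on-S1")),
        "fa0/24": Port("trunk", 3, ("switch", "S2:fa0/24")),
    })
    s2 = Switch("S2", {
        "fa0/1": Port("access", 3, ("host", "Destination")),
        "fa0/2": Port("access", 5, ("host", "H5-on-S2")),
        "fa0/24": Port("trunk", s2_native, ("switch", "S1:fa0/24")),
    })
    return {"S1": s1, "S2": s2}


def native_vlan_mismatch(switches, sw_a, port_a, sw_b, port_b) -> bool:
    """The check this page asks for: both ends of an 802.1Q trunk must agree on the native VLAN."""
    return switches[sw_a].ports[port_a].vlan != switches[sw_b].ports[port_b].vlan


if __name__ == "__main__":
    good, bad = build(s2_native=3), build(s2_native=5)
    print(deliver(good, "S1", "fa0/1", Frame("hello")))   # {'Destination'}
    print(deliver(bad, "S1", "fa0/1", Frame("hello")))    # {'H5-on-S2'}
```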

Page 3: Lab Activity

Configure trunk ports to connect switches and verify connectivity across the trunk link.

Click the lab icon to begin.

3.4.2 - Extending VLANs across Switches Link to Hands-on Lab: Configuring a Trunk Port to Connect Switches. Configure trunk ports to connect switches and verify connectivity across the trunk link.

3.4.3 Inter-VLAN Routing Page 1: Although VLANs extend to span multiple switches, only members of the same VLAN can communicate.

A Layer 3 device provides connectivity between different VLANs. This arrangement enables the network administrator to strictly control the type of traffic that flows from one VLAN to another.

One method of accomplishing the inter-VLAN routing requires a separate interface connection to the Layer 3 device for each VLAN.

3.4.3 - Inter-VLAN Routing The diagram depicts the use of a Layer 3 device, a router, to establish communication between multiple VLANs. There are two VLANs, VLAN 1 and VLAN 200, each with its own link to the router. There is a caption, which reads, "VLAN 1 can communicate with VLAN 200 if each has a dedicated connection to the router."

Network: one router (R1), one switch (S1). S1 is connected to R1 via two links (one for each VLAN). S1 has two VLANs (VLAN 1, VLAN 200). S1 has two hosts attached (H1, H2). H1 is on VLAN 1. H2 is on VLAN 200.

Page 2: Another method for providing connectivity between different VLANs requires a feature called subinterfaces. Subinterfaces logically divide one physical interface into multiple logical pathways. Configure one pathway or subinterface for each VLAN.

Supporting inter-VLAN communication using subinterfaces requires configuration on both the switch and the router.

Switch: Configure the switch interface as an 802.1Q trunk link.

Router: Select a router interface with a minimum of 100 Mbps (FastEthernet). Configure subinterfaces that support 802.1Q encapsulation. Configure one subinterface for each VLAN.

A subinterface allows each VLAN to have its own logical pathway and default gateway into the router.

3.4.3 - Inter-VLAN Routing The diagram depicts the use of a subinterface to establish communication between multiple VLANs. There are three VLANs, VLAN 1, VLAN 15, and VLAN 35, each represented by a different colored circle. All three VLANs connect to the router via a single link (subinterface). Network: one router (R1), one switch (S1). R1 is connected to S1 via a single link. S1 has three VLANs (VLAN 1, VLAN 15, VLAN 35). VLAN 1 has one host, VLAN 15 has two hosts, and VLAN 35 has one host.

Page 3: The host from the sending VLAN forwards traffic to the router using the default gateway. The subinterface for the VLAN specifies the default gateway for all hosts in that VLAN. The router locates the destination IP address and does a routing table lookup.

If the destination VLAN is on the same switch as the source VLAN, the router forwards the traffic back down to the source switch using the subinterface parameters of the destination VLAN ID. This type of configuration is often referred to as a router-on-a-stick.

If the exit interface of the router is 802.1Q-compatible, the frame retains its 4-byte VLAN tag. If the outbound interface is not 802.1Q-compatible, the router strips the tag from the frame and returns the frame to its original Ethernet format.

3.4.3 - Inter-VLAN Routing The animation depicts inter-VLAN routing. A subinterface is used to establish communication between multiple VLANs. There are three VLANs, VLAN 1, VLAN 15, and VLAN 35, each represented by a different colored circle. All three VLANs connect to the router via a single link (subinterface). The link has been divided into three logical pathways (one per VLAN). Network: one router (R1), one switch (S1). R1 is connected to S1 via a single link, Fa0/0, using three subinterfaces: Fa0/0.1 for VLAN 1, Fa0/0.15 for VLAN 15, and Fa0/0.35 for VLAN 35. S1 has three VLANs (VLAN 1, VLAN 15, VLAN 35). VLAN 1 has one host, VLAN 15 has two hosts, and VLAN 35 has one host.

Page 4: To configure inter-VLAN routing, use the following steps:

1. Configure a trunk port on the switch.

Switch(config)#interface fa0/2

Switch(config-if)#switchport mode trunk

2. On the router, configure a FastEthernet interface with no IP address or subnet mask.

Router(config)#interface fa0/1

Router(config-if)#no ip address

Router(config-if)#no shutdown

3. On the router, configure one subinterface with an IP address and subnet mask for each VLAN. Each subinterface has an 802.1Q encapsulation.

Router(config)#interface fa0/1.10

Router(config-subif)#encapsulation dot1q 10

Router(config-subif)#ip address 192.168.10.1 255.255.255.0

4. Use the following commands to verify the inter-VLAN routing configuration and functionality.

Switch#show interfaces trunk

Router#show ip interface

Router#show ip interface brief

Router#show ip route

3.4.3 - Inter-VLAN Routing The diagram depicts the use of a subinterface to establish communication between multiple VLANs. There are three VLANs, VLAN 1, VLAN 15, and VLAN 35, each represented by a different colored circle. All three VLANs connect to the router via a single link (subinterface). Network: one router (R1), one switch (S1). R1 is connected to S1 via a single link, Fa0/1, using three subinterfaces: Fa0/1.1 for VLAN 1, Fa0/1.15 for VLAN 15, and Fa0/1.35 for VLAN 35. S1 has three VLANs (VLAN 1, VLAN 15, VLAN 35). VLAN 1 has one host, VLAN 15 has two hosts, and VLAN 35 has one host. The diagram shows a screen shot of both the switch and router command lines, displaying the inter-VLAN routing configuration output.

R1
---output omitted---
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.20.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1.15
 encapsulation dot1Q 15
 ip address 10.20.15.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1.35
 encapsulation dot1Q 35
 ip address 10.20.35.1 255.255.255.0
 no shutdown
!
---output omitted---

S1
---output omitted---
interface FastEthernet0/1
 switchport mode trunk
 no ip address
 no shutdown
!
interface FastEthernet0/2
 no ip address
 no shutdown
!
interface FastEthernet0/3
 no ip address
 no shutdown
!
interface FastEthernet0/4
 no ip address
 no shutdown
!
interface FastEthernet0/5
 no ip address
 no shutdown
!
interface FastEthernet0/6
 switchport access vlan 15
 no ip address
 no shutdown
!
interface FastEthernet0/7
 switchport access vlan 15
 no ip address
 no shutdown
!
interface FastEthernet0/8
 switchport access vlan 15
 no ip address
 no shutdown
!
interface FastEthernet0/9
 switchport access vlan 15
 no ip address
 no shutdown
!
interface FastEthernet0/10
 switchport access vlan 15
 no ip address
 no shutdown
!
interface FastEthernet0/11
 switchport access vlan 15
 no ip address
 no shutdown
!
interface FastEthernet0/12
 switchport access vlan 15
 no ip address
 no shutdown
!
interface FastEthernet0/13
 switchport access vlan 35
 no ip address
 no shutdown
!
interface FastEthernet0/14
 switchport access vlan 35
 no ip address
 no shutdown
!
interface FastEthernet0/15
 switchport access vlan 35
 no ip address
 no shutdown
!
interface FastEthernet0/16
 switchport access vlan 35
 no ip address
 no shutdown
!
interface FastEthernet0/17
 switchport access vlan 35
 no ip address
 no shutdown
!
interface FastEthernet0/18
 no ip address
 no shutdown
!
interface FastEthernet0/19
 no ip address
 no shutdown
!
interface FastEthernet0/20
 no ip address
 no shutdown
!
interface FastEthernet0/21
 no ip address
 no shutdown
!
interface FastEthernet0/22
 no ip address
!
interface FastEthernet0/23
 no ip address
!
interface FastEthernet0/24
 no ip address
!
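A configuration audit for the router-on-a-stick steps above, as an added Python example that is not part of the course. The sample listing is constructed after the R1 figure in this section and deliberately repeats 10.20.15.1 on two subinterfaces so the overlap check fires; each check follows from the steps on this page (no address on the physical interface, one dot1q subinterface per VLAN, a distinct gateway subnet for each VLAN).

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample, modelled on the R1 listing in this section. The last
# subinterface deliberately repeats 10.20.15.1 so the overlap check fires.
SAMPLE_R1 = """\
interface FastEthernet0/1
 no ip address
 no shutdown
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.20.1.1 255.255.255.0
!
interface FastEthernet0/1.15
 encapsulation dot1Q 15
 ip address 10.20.15.1 255.255.255.0
!
interface FastEthernet0/1.35
 encapsulation dot1Q 35
 ip address 10.20.15.1 255.255.255.0
!
"""


def parse_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Collect, per interface stanza, the dot1q VLAN, the native flag and the IP address/mask."""
    ifaces: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            ifaces[current] = {}
            continue
        if current is None or line == "!":
            continue
        m = re.match(r"^encapsulation dot1[qQ] (\d+)( native)?$", line)
        if m:
            ifaces[current]["vlan"] = m.group(1)
            ifaces[current]["native"] = "yes" if m.group(2) else "no"
        m = re.match(r"^ip address (\S+) (\S+)$", line)   # "no ip address" does not match
        if m:
            ifaces[current]["ip"], ifaces[current]["mask"] = m.group(1), m.group(2)
    return ifaces


def audit_router_on_a_stick(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the listing passes every check."""
    findings: List[str] = []
    seen_nets: Dict[ipaddress.IPv4Network, str] = {}
    natives: List[str] = []
    for name, attrs in parse_interfaces(config).items():
        if "." not in name:                      # the physical interface carrying the trunk
            if "ip" in attrs:
                findings.append(f"{name}: physical trunk interface should have no IP address")
            continue
        if "vlan" not in attrs:
            findings.append(f"{name}: missing 'encapsulation dot1q <vlan>'")
            continue
        if attrs["native"] == "yes":
            natives.append(name)
        if attrs["vlan"] != name.split(".", 1)[1]:
            findings.append(f"{name}: subinterface number differs from VLAN {attrs['vlan']} (convention only)")
        if "ip" not in attrs:
            findings.append(f"{name}: no IP address, so VLAN {attrs['vlan']} has no default gateway")
            continue
        net = ipaddress.ip_interface(f"{attrs['ip']}/{attrs['mask']}").network
        for other_net, other_name in seen_nets.items():
            if net.overlaps(other_net):
                findings.append(f"{name}: {net} overlaps {other_net} on {other_name}")
        seen_nets[net] = name
    if len(natives) > 1:
        findings.append(f"more than one native subinterface: {', '.join(natives)}")
    return findings


if __name__ == "__main__":
    for finding in audit_router_on_a_stick(SAMPLE_R1):
        print(finding)
```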

Page 5: Lab Activity

Configure inter-VLAN routing.

A secondary version of this lab is also available.

Click the lab icon to begin.

3.4.3 - Inter-VLAN Routing Link to Hands-on Lab: Configuring Inter-VLAN Routing. Configure inter-VLAN routing. There is a link to a secondary version of this lab on this page.

3.5 Maintaining VLANs on an Enterprise Network


3.5.1 VLAN Trunking Protocol (VTP) Page 1: As networks grow in size and complexity, centralized management of the VLAN structure becomes crucial. VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that provides a method for the distribution and management of the VLAN database from a centralized server in a network segment. Routers do not forward VTP updates.

If there is no automated way to manage an enterprise network with hundreds of VLANs, manual configuration of each VLAN on each switch is necessary. Any change to the VLAN structure requires further manual configuration. One incorrectly keyed number causes inconsistencies in connectivity throughout the entire network.

To resolve this issue, Cisco created VTP to automate many of the VLAN configuration functions. VTP ensures that VLAN configuration is consistently maintained across the network and reduces the task of VLAN management and monitoring.

3.5.1 - Maintaining VLANs on the Enterprise Network This animation depicts the difference between managing switches with VTP and without VTP. The network has five switches connected in a series.

Without VTP: Without VTP configured, the network administrator must manually add, delete, and rename VLANs on every switch.

With VTP: With VTP configured, the network administrator must manually add, delete, and rename VLANs on the first switch only. Then the first switch sends a message to the other switches further down the link to automatically add, delete, or rename the VLANs. This process occurs with each switch connected.

Page 2: VTP is a client/server messaging protocol that adds, deletes, and renames VLANs in a single VTP domain. All switches under a common administration are part of a domain. Each domain has a unique name. VTP switches only share VTP messages with other switches in the same domain.

Two different versions of VTP exist: Version 1 and Version 2. Version 1 is the default and it is not compatible with Version 2. All switches must be configured with the same version.

VTP has three modes: server, client, and transparent. By default, all switches are servers. It is a good practice to have at least two switches configured as servers on a network, to provide backup and redundancy.

3.5.1 - Maintaining VLANs on the Enterprise Network. The diagram depicts the three VTP modes of a switch: client, server, and transparent. The characteristics of each mode are listed below.

Transparent
Forwards VTP advertisements
Ignores the information in the VTP message
Does not modify its database when receiving updates
Does not send out an update that indicates a change of its own VLAN database

Server
Creates, modifies, and deletes VLANs and VLAN configuration parameters for the entire domain
Saves VLAN configuration information in the switch's NVRAM
Sends VTP messages out all trunk ports

Client
Does not create, modify, or delete VLAN information
Modifies its own database with any VLAN changes sent from the server
Sends VTP messages out all trunk ports

Page 3: With VTP, each switch advertises messages on its trunk ports. Messages include the management domain, configuration revision number, known VLANs, and parameters for each VLAN. These advertisement frames are sent to a multicast address so that all neighbor devices receive the frames.

Each VTP switch saves a VLAN database in NVRAM that contains a revision number. If a VTP switch receives an update message that has a higher revision number than the one stored in its database, the switch updates its VLAN database with the new information.

The VTP configuration revision number begins at zero. As changes occur, the configuration revision number increases by one. The revision number continues to increment until it reaches 2,147,483,648. When it reaches that point, the counter resets back to zero. Rebooting the switch also resets the revision number to zero.

A problem situation can occur related to the revision number if someone inserts a switch with a higher revision number into the network. Since a switch is a server by default, this results in new, but incorrect, information overwriting the legitimate VLAN information on all of the other switches.

Another way to protect against this critical situation is to configure a VTP password to validate the switch. In addition, when adding a switch to a network that already has a server switch, make sure the new switch is configured in client or transparent mode.

3.5.1 - Maintaining VLANs on the Enterprise Network. The diagram depicts three switches in a triangular configuration, labeled Server, Client, and Client. They are all linked together. Updates to the VLAN database are sent from the server switch to both client switches as revision number 5.

Page 4: VTP messages come in three varieties: summary advertisements, subset advertisements, and advertisement requests.

Summary Advertisements

Catalyst switches issue summary advertisements every 5 minutes or whenever a change to the VLAN database occurs. Summary advertisements contain the current VTP domain name and the configuration revision number.

If VLANs are added, deleted, or changed, the server increments the configuration revision number and issues a summary advertisement.

When a switch receives a summary advertisement packet, it compares the VTP domain name to its own VTP domain name. If the domain name is the same, the switch compares the configuration revision number to its own number. If it is lower or equal, the switch ignores the packet. If the revision number is higher, an advertisement request is sent.

Subset Advertisements

A subset advertisement follows the summary advertisement. A subset advertisement contains a list of VLAN information.

The subset advertisement contains the new VLAN information based on the summary advertisement. If there are several VLANs, they require more than one subset advertisement.

Advertisement Requests

Catalyst switches use advertisement requests to ask for VLAN information. An advertisement request is required if the switch has been reset, if the VTP domain name has been changed, or if the switch receives a VTP summary advertisement with a higher configuration revision number than its own.

3.5.1 - Maintaining VLANs on the Enterprise Network. The animation depicts how switches exchange VTP information. Three switches are linked in a triangular configuration, labeled Server, Client, and Transparent. Each device has specific information attached, as follows.

Transparent: VTP domain name: null, Mode: transparent, Revision #: 1, VLANs: null
Client: VTP domain name: cisco, Mode: client, Revision #: 1, VLANs: 1
Server: VTP domain name: cisco, Mode: server, Revision #: 1, VLANs: 1

The Server notes: Two new VLANs have been added. I must change my revision number and send a summary advertisement.
The Server sends a Summary Advertisement to both the Client and Transparent switches: VTP Domain Name = cisco, Configuration Revision Number = 2.
The Client notes: My revision number is lower than the summary advertisement. I must request more information.
The Client then sends an Advertisement Request back to the Server.
The Server notes: I received an advertisement request. I will send more information.
The Server then sends a Subset Advertisement of VLANs = 1, 2, 3 to the Client.
The Client notes: I have updated my VLAN information and configuration revision number.
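The exchange in the animation above, together with the revision-number risk and password check described earlier on this page, replayed as a small simulation. This is an added example, not Cisco course code: switches are Python objects linked through a neighbour list instead of trunk ports, and the password check is modelled with a SHA-256 of domain name and password in place of the MD5 digest real VTP carries.

```python
import hashlib
from dataclasses import dataclass, field

REVISION_WRAP = 2_147_483_648   # the revision counter resets to zero here (per the text)


def vtp_digest(domain: str, password: str) -> str:
    """Stand-in for the MD5 digest real VTP carries so a receiver can validate the sender."""
    return hashlib.sha256(f"{domain}:{password}".encode()).hexdigest()


@dataclass
class Summary:                      # summary advertisement
    origin: "Switch"
    domain: str
    revision: int
    digest: str


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"            # Cisco switches are servers by default
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    neighbors: list = field(default_factory=list)   # trunk-connected switches
    log: list = field(default_factory=list)
    seen: set = field(default_factory=set)          # (origin, revision) already processed

    def link(self, other: "Switch") -> None:
        self.neighbors.append(other)
        other.neighbors.append(self)

    def set_mode(self, mode: str) -> None:
        if mode == "transparent":   # best practice: going transparent resets the revision
            self.revision = 0
        self.mode = mode

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":   # transparent keeps the VLAN local and advertises nothing
            self.revision = (self.revision + 1) % REVISION_WRAP
            self.seen.add((self.name, self.revision))
            digest = vtp_digest(self.domain, self.password)
            self._flood(Summary(self, self.domain, self.revision, digest), sender=None)

    def _flood(self, s: Summary, sender) -> None:
        for n in self.neighbors:
            if n is not sender:
                n.receive_summary(s, sender=self)

    def receive_summary(self, s: Summary, sender: "Switch") -> None:
        key = (s.origin.name, s.revision)
        if key in self.seen:        # already handled: the topology has a loop
            return
        self.seen.add(key)
        if self.mode == "transparent":
            self.log.append(f"{self.name}: forwarded rev {s.revision}")
            self._flood(s, sender)  # forwards, but never touches its own database
            return
        if s.domain != self.domain:
            self.log.append(f"{self.name}: ignored, domain {s.domain!r}")
            return
        if s.digest != vtp_digest(self.domain, self.password):
            self.log.append(f"{self.name}: ignored, password mismatch")
            return
        if s.revision <= self.revision:
            self.log.append(f"{self.name}: ignored, rev {s.revision} is not newer")
            return
        # Higher revision: advertisement request, then the subset (origin's VLAN list) applies.
        self.log.append(f"{self.name}: requested rev {s.revision}")
        self.vlans = dict(s.origin.vlans)
        self.revision = s.revision
        self._flood(s, sender)      # pass the summary on out the other trunks


def run_scenarios() -> dict:
    """Replays the triangle from the animation, then a wrong-password switch and a
    properly reset new switch.  Names, VLANs and passwords are constructed."""
    server = Switch("Server", "cisco", "server", "secret")
    client = Switch("Client", "cisco", "client", "secret")
    transp = Switch("Transparent", "cisco", "transparent", "secret")
    server.link(client); client.link(transp); transp.link(server)
    server.add_vlan(2, "sales")
    server.add_vlan(3, "eng")       # server and client are now at revision 2
    # High revision number but wrong VTP password: the summary is ignored, database survives.
    rogue = Switch("Rogue", "cisco", "server", "guess", revision=50)
    rogue.link(client)
    rogue.add_vlan(99, "bogus")     # advertises revision 51
    # A reused switch prepared per the best practice: transparent, then client.
    new = Switch("New", "cisco", "server", "secret", revision=7)
    new.set_mode("transparent")
    new.set_mode("client")
    new.link(transp)
    server.add_vlan(4, "voice")     # revision 3 reaches New through Transparent
    return {"server": server, "client": client, "transparent": transp,
            "rogue": rogue, "new": new}
```

Inspecting each switch's `log` after `run_scenarios()` shows the transparent switch forwarding without updating and the client discarding the mismatched-password advertisement.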

Page 5:

3.5.1 - Maintaining VLANs on the Enterprise Network. The diagram depicts an activity in which you must select the characteristics of the server, client, and transparent VTP modes.

Modes: VTP Client Mode. VTP Server Mode. VTP Transparent Mode.

Characteristics:
One. VLANs are local only.
Two. Issues advertisement requests.
Three. Uses VTP advertisements to update the VLAN database.
Four. Can create, modify, or delete VLAN information for the entire domain.
Five. Ignores VTP advertisements.
Six. Default mode for Cisco switches.

3.5.2 Configuring VTP Page 1: Switches are servers by default. If a switch in server mode issues an update with a higher revision number than the number currently in place, all switches will modify their databases to match the new switch.

When adding a new switch to an existing VTP domain, use the following steps:

Step 1: Configure VTP off-line (version 1)

Step 2: Verify the VTP configuration.

Step 3: Reboot the switch.

3.5.2 - Configuring VTP. The diagram depicts a terminal window with a console session in progress to a switch. The steps listed below are used to add a new switch to an existing VTP domain.

Step 1.
Switch(config)# vtp domain domain-name
Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp password password
Switch(config)# end
Switch# copy running-config startup-config

Step 2.
Switch# show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : Cisco
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 Digest                      : (omitted)
Configuration last modified by  : (omitted)
Local Updater ID is             : (omitted)

Step 3.
Switch# reload
Switch# show vtp password
Switch# show vtp counters

Page 2: Packet TracerActivity

Build and test a VTP domain.

Click the Packet Tracer icon to begin.

3.5.2 - Configuring VTP. Link to Packet Tracer Exploration: Configuring a VTP Domain. Build and test a VTP domain.

Page 3: Packet Tracer Activity

Add a new switch into an existing VTP domain.

Click the Packet Tracer icon to begin.

3.5.2 - Configuring VTP. Link to Packet Tracer Exploration: Adding a Switch to a VTP Domain. Add a new switch into an existing VTP domain.

3.5.3 VLAN Support for IP Telephony and Wireless Page 1: The main purpose of VLANs is to separate traffic into logical groups. Traffic from one VLAN will not impact traffic from another VLAN. A VLAN environment is ideal for traffic that is sensitive to time delays, such as voice.

Voice traffic must be given priority over normal data traffic to avoid jerky or jittery conversations. Providing a dedicated VLAN for voice traffic prevents voice traffic from having to compete with data for available bandwidth.

An IP phone usually has two ports, one for voice and one for data. Packets traveling to and from the PC and the IP phone share the same physical link to the switch and the same switch port. To segment the voice traffic, enable a separate voice VLAN on the switch.

3.5.3 - VLAN Support for IP Telephony and Wireless. The diagram depicts a woman sitting in front of her laptop with a video call and an IP telephone communication in progress.

Page 2: Wireless is another type of traffic that benefits from VLANs. Wireless is, by nature, very insecure and prone to attacks by hackers. VLANs created for wireless traffic isolate some of the problems that may occur. A compromise to the integrity of the wireless VLAN has no effect on any other VLAN within the organization.

Most wireless deployments place the user in a VLAN on the outside of the firewall for added security. Users have to authenticate to gain entry into the internal network from the wireless network.

In addition, many organizations provide guest access to their wireless network. Guest accounts provide anyone, within a limited range, temporary wireless services such as web access, e-mail, ftp, and SSH. Guest accounts are either included in the wireless VLAN or reside in a VLAN of their own.

3.5.3 - VLAN Support for IP Telephony and Wireless. The diagram depicts a router, labeled R1, at the top of a star topology with two switches, labeled S1 and S2. Directly connected to S1 are the following devices: VLAN 18 - DATA, VLAN 17 - VOICE, VLAN 35 - Wireless. Directly connected to S2 are the following devices: VLAN 18 - DATA, VLAN 17 - VOICE, VLAN 35 - Wireless.

Page 3: Packet Tracer Activity

Build an enterprise-class LAN with voice, wireless, and wired clients. Create separate VLANs that would isolate voice and wireless traffic.

Click the Packet Tracer icon to begin.

3.5.3 - VLAN Support for IP Telephony and Wireless. Link to Packet Tracer Exploration: Configuring Wireless and Voice VLANs. Build an enterprise-class LAN with voice, wireless, and wired clients. Create separate VLANs that would isolate voice and wireless traffic.

3.5.4 VLAN Best Practices Page 1: When carefully planned and designed, VLANs provide security, conserve bandwidth, and localize traffic on an enterprise network. All of these features combine to improve network performance.

Some best practices for configuring VLANs in an enterprise network are:

Organizing server placement
Disabling unused ports
Configuring the management VLAN as a number other than 1
Using VLAN Trunking Protocol
Configuring VTP domains
Rebooting any new switch entering an established network

VLANs, however, are not the answer to every problem.

If VLANs are not correctly implemented, they can overly complicate a network, resulting in inconsistent connectivity and slow network performance.

VLANs isolate certain types of traffic for reasons of security. To move traffic between VLANs requires a Layer 3 device, which increases the cost of implementation and introduces an increased level of latency into the network.

3.5.4 - VLAN Best Practices. The diagram depicts the six best practice methods for setting up VLANs. Information about each method is given below.

Server Placement
Ensure all servers required by a particular group are members of the same VLAN

Unused Ports
Disable unused ports
Put unused ports in an unused VLAN
Stop unauthorized access by not granting connectivity or by placing a device into an unused VLAN

Management VLAN
By default, the management VLAN and the native VLAN are VLAN 1
Do not use VLAN 1 for in-band management traffic
Select a different, dedicated VLAN to keep management traffic separate from user, data, and protocol traffic

VLAN Trunking Protocol
Standardizes the VLAN configuration across the enterprise
Provides for easy VLAN management and maintenance
Reduces the time required for VLAN administration and maintenance

VTP Domains
Minimizes misconfiguration
Propagates and synchronizes VLAN information across member switches
Provides extra security when combined with a VTP password

VTP Revision Number
Ensure that any new switch added to the network has a revision number of zero
Reset the revision number by either of the following:
One. Set the new switch to transparent mode, then switch it back to client or server.
Two. Change the domain name to something else, then change it back.

Page 2: Packet Tracer Activity

Plan and build a switched network to meet client specifications.

Click the Packet Tracer icon to begin.

3.5.4 - VLAN Best Practices. Link to Packet Tracer Exploration: Planning and Building an Enterprise Network. Plan and build a switched network to meet client specifications.

3.6 Chapter Summary


3.6.1 Summary Page 1:

3.6.1 - Summary

Diagram 1, Image. The diagram depicts the use of store-and-forward and cut-through switching. It also shows that store-and-forward switching is the better solution because the number of errors forwarded decreases.

Diagram 1 text
Switches use microsegmentation to create single-port collision domains.
Layer 3 switching takes place in special ASIC hardware.
Switches forward traffic using store-and-forward or cut-through techniques.
Basic security features should be applied to switches to ensure that only authorized personnel access the devices.

Diagram 2, Image. The diagram depicts a network of four switches connected in a loop; the last switch connects to the first. One port has been blocked by STP to eliminate the loop.

Diagram 2 text
Spanning Tree Protocol shuts down redundant links to prevent switching loops.
A root bridge is at the top of the spanning tree and is elected based on the lowest bridge ID.
Spanning Tree recalculation can take up to 50 seconds to complete, during which time the network has limited functionality.
Rapid Spanning Tree has evolved to shorten the convergence time.

Diagram 3, Image. The diagram depicts a building with a network on three floors. Three different-colored ovals represent three VLANs, which are spread over the three floors.

Diagram 3 text
A VLAN is a collection of hosts that are on the same local area network even though they may be physically separated from each other.
VLAN 1 is the management VLAN by default.
Frame tagging applies the VLAN ID to the Ethernet frame so the switch can identify the source VLAN.
IEEE 802.1Q is the open standard frame tagging protocol that inserts a 4-byte tag into the Ethernet frame.

Diagram 4, Image. The diagram depicts the use of subinterfaces to establish communication between multiple VLANs. There are three VLANs, each represented by a different-colored circle. All three VLANs connect to the router via a single link on the Fa0/0 interface, which is divided into subinterfaces.

Diagram 4 text
An access port connects a device to a switch and is a member of one VLAN.
A trunk port connects two switches, or a switch and a router, and forwards tagged frames from multiple VLANs.
Untagged frames are forwarded using the native VLAN.
A Layer 3 device is required to move traffic between different VLANs.
A router interface is configured using subinterfaces to support multiple VLANs.

Diagram 5, Image. The diagram depicts a network with three different-colored circles. Each circle represents a different VLAN.

Diagram 5 text
VLAN Trunking Protocol provides a method for the centralized control, distribution, and maintenance of the enterprise VLAN database.
Switches are either servers, clients, or transparent.
A server issues a VTP update by having a higher revision number than the other switches.
VLANs are suited for time-sensitive traffic such as voice.
Best practices, such as a consistent VTP domain name and revision number control, increase network efficiency.

3.7 Chapter Quiz

3.7.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

3.7.1 - Quiz. Chapter 3 Quiz: Switching in an Enterprise Network

1. Which devices can be connected to a VLAN trunk? (Choose three.)
A. a switch
B. a hub
C. a router
D. a server with a special NIC
E. a CSU/DSU
F. a repeater

2. What happens when there is a topology change on a network that utilizes STP? (Choose two.)
A. User traffic is disrupted until recalculation is complete.
B. The switch recomputes the Spanning Tree topology after the network recovers.
C. All ports are placed in learning state until convergence has occurred.
D. A delay of up to 50 seconds is incurred for convergence of the new spanning tree topology.
E. User data is forwarded while BPDUs are exchanged to recompute the topology.

3. This question refers to a network topology. Use this topology to answer the question.
Network Topology: Router R1's Fa0/0 is connected to switch SW_1. SW_1 is connected to two hosts. One host is on VLAN 30 and one host is on VLAN 40.
Which set of commands should be used to configure the router to provide communication between the two hosts connected to the switch?
A.
R_1(config)# interface vlan 30
R_1(config-if)# switchport mode trunk dot1q
R_1(config-if)# interface vlan 40
R_1(config-if)# switchport mode trunk dot1q
B.
R_1(config)# interface fastethernet 0/0
R_1(config-if)# mode trunk dot1q 30 40
R_1(config-if)# ip address 192.168.1.1 255.255.255.0
C.
R_1(config)# interface vlan 30
R_1(config-if)# ip address 192.168.30.1 255.255.255.0
R_1(config-if)# no shutdown
R_1(config-if)# interface vlan 40
R_1(config-if)# ip address 192.168.40.1 255.255.255.0
R_1(config-if)# no shutdown
D.
R_1(config)# interface fastethernet 0/0
R_1(config-if)# no shutdown
R_1(config-if)# interface fastethernet 0/0.3
R_1(config-if)# encapsulation dot1q 30
R_1(config-if)# ip address 192.168.30.1 255.255.255.0
R_1(config-if)# interface fastethernet 0/0.4
R_1(config-if)# encapsulation dot1q 40
R_1(config-if)# ip address 192.168.40.1 255.255.255.0

4. How do Layer 3 switches differ from traditional routers?
A. Layer 3 switches are used in LANs, while routers are used in WANs.
B. Layer 3 switches use ASICs for routing, while routers are software based.
C. Layer 3 switches never perform routing lookups, while routers must always perform them.
D. Layer 3 switches forward packets based on MAC address only, while routers use IP addresses for forwarding.

5. Match the switching method to the description. (Not all options are used.)
Switching Methods: store and forward; fragment-free; multilayer; cut-through; adaptive cut-through; fast-forward.
Descriptions:
recalculates the CRC value
subdivides into two other methods
low cost latency but may forward collision fragments
reads the first 64 bytes of the frame before forwarding
compares the number of errors found to a threshold value

6. Which two problems are caused by redundant links in a switched network? (Choose two.)
routing table corruption
switching loops
broadcast storms
routing loops
corrupt forwarding information base

7. This question refers to a network topology. Use this topology to answer the question.
Network Topology: Four switches are connected to one another in a row. Switch 1 is functioning in server mode. Switch 2 is functioning in client mode. Switch 3 is functioning in transparent mode. Switch 4 is functioning in server mode.
The switches in the network topology are interconnected by trunked links and are configured with the VTP modes shown. A new VLAN is added to Switch 1. Which three actions will occur? (Choose three.)
A. Switch 1 will not add the VLAN to its VLAN database and will pass the updates to Switch 2.
B. Switch 3 will pass the VTP update to Switch 4.
C. Switch 3 will add the VLAN to its VLAN database.
D. Switch 4 will add the VLAN to its VLAN database.
E. Switch 4 will not receive the update.
F. Switch 2 will add the VLAN to its VLAN database and pass the update to Switch 3.

8. What two criteria does STP use to elect the root bridge in a redundantly switched network? (Choose two.)
A. amount of switch RAM
B. bridge priority
C. switching speed
D. number of switch ports
E. switch MAC address
F. switch location

9. Following a link failure, when does RSTP allow ports to move to the forwarding state?
A. in less than a second
B. in two seconds
C. in 30 seconds
D. in 50 seconds
E. in 90 seconds

10. In what two ways does the use of VLANs benefit an organization? (Choose two.)
A. by centralizing departmental staff and network resources together in a single physical area
B. by allowing organizational flexibility, grouping users together by function instead of physical location
C. by allowing logical separation of voice and other critical traffic from the rest of the data traffic
D. by reducing the number of broadcast domains in an enterprise network
E. by reducing network management costs by replacing many Layer 2 devices with a few Layer 3 devices
F. by eliminating the need for routing traffic in large networks

11. Access1 is a new switch that is to be connected as a VTP client to the network once it has been configured. Given the output generated by the VTP server switch Dist-2, which series of configuration commands would successfully introduce the client switch into the VTP domain? Use the output below to answer this question.
Dist-2# show vtp status
VTP version                     : 2
Configuration Revision          : 11
Maximum VLANs supported locally : 250
Number of existing VLANs        : 10
VTP Operating Mode              : Server
VTP Domain Name                 : MYCORP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x0B 0xA5 0xDF 0xA7 0x52 0xBD 0x93 0x4D
Configuration last modified by 172.16.0.32 at 3-1-93 03:56:18
Local updater ID is 172.16.0.22 on interface Vl1 (lowest numbered VLAN interface found)
Dist-2# show vtp password
VTP Password: ITrustYou
Dist-2#
A.
Access1(config)# vtp mode client
Access1(config)# vtp domain mycorp
Access1(config)# vtp password ITrustYou
B.
Access1(config)# vtp mode client
Access1(config)# vtp domain MYCORP
Access1(config)# vtp version 2
Access1(config)# vtp password ITrustYou
C.
Access1(config)# vtp mode client
Access1(config)# vtp domain mycorp
Access1(config)# vtp password ITrustYou
D.
Access1(config)# vtp mode client
Access1(config)# vtp domain Mycorp
Access1(config)# vtp version 2
Access1(config)# vtp password ITrustYou

12. What elements will exist in a converged switched network running spanning tree? (Choose two.)
A. all non-designated ports forwarding
B. one root bridge per network
C. one root port per non-root bridge
D. multiple designated ports per segment
E. one designated port per network

13. How often are spanning-tree BPDUs sent by default?
A. every second
B. every two seconds
C. every three seconds
D. every four seconds

14. A router is configured to connect to a trunked uplink as shown. A packet is received on the FastEthernet 0/1 physical interface from VLAN 1. The packet destination address is 192.168.1.85. What will the router do with the packet? Use the output below to answer this question.
RA(config)# interface fastethernet 0/1
RA(config-if)# no shutdown
RA(config-if)# interface fastethernet 0/1.1
RA(config-subif)# encapsulation dot1q 1
RA(config-subif)# ip address 192.168.1.62 255.255.255.224
RA(config-if)# interface fastethernet 0/1.2
RA(config-subif)# encapsulation dot1q 2
RA(config-subif)# ip address 192.168.1.94 255.255.255.224
RA(config-if)# interface fastethernet 0/1.3
RA(config-subif)# encapsulation dot1q 3
RA(config-subif)# ip address 192.168.1.126 255.255.255.224
RA(config-subif)# exit
A. The router will ignore the packet because the source and destination are on the same broadcast domain.
B. The router will forward the packet out interface FastEthernet 0/1.1.
C. The router will forward the packet out interface FastEthernet 0/1.2.
D. The router will forward the packet out interface FastEthernet 0/1.3.
E. The router will drop the packet because no network that includes the destination address is attached to the router.


All contents copyright 2007-2008 Cisco Systems, Inc. | Translated by the Cisco Networking Academy.



4 Addressing in an Enterprise Network
4.0 Chapter Introduction
4.0.1 Introduction Page 1:

4.0.1 - Introduction. Well-designed enterprise networks with many locations and users employ a logical addressing hierarchy. The use of classless addresses and Variable Length Subnet Masks (VLSM) facilitates network scalability. Classless routing and Classless Inter-Domain Routing (CIDR) address the problem of route summarization. Private addressing and Network Address Translation (NAT) preserve IP version 4 addresses, providing flexibility and security in network design. After completion of this chapter, you should be able to: Analyze the features and benefits of a hierarchical IP addressing structure. Plan and implement a VLSM IP addressing scheme. Plan a network using classless routing and CIDR. Configure and verify both static and dynamic NAT.

4.1 Using a Hierarchical IP Network Address Scheme


4.1.1 Flat and Hierarchical Networks Page 1: Implementing switches reduces the number of collisions that occur within a local network. However, having an all-switched network often creates a single broadcast domain. In a single broadcast domain, or flat network, every device is in the same network and receives each broadcast. In small networks, a single broadcast domain is acceptable.

With large numbers of hosts, a flat network becomes less efficient. As the number of hosts increases in a switched network, so do the number of broadcasts sent and received. Broadcast packets take up a lot of bandwidth, causing traffic delays and timeouts.

Creating VLANs provides one solution to a large, flat network. Each VLAN is its own broadcast domain.

Implementing a hierarchical network using routers is another solution.

4.1.1 - Flat and Hierarchical Networks. The animation depicts the difference between a flat network and a hierarchical network topology. The animation begins with an image of a flat network showing three switches directly connected to each other, with five computers directly connected to each switch. The flat network topology represents one large broadcast domain. Next, the topology changes to a hierarchical model with the switched network (Access Layer) connecting to a router at the Distribution Layer. The Distribution Layer router connects to the Core Layer router, which in turn connects to the network cloud. This hierarchical network represents three separate broadcast domains.

4.1.2 Hierarchical Network Addressing Page 1: Enterprise networks are large, and benefit from a hierarchical network design and address structure. A hierarchical addressing structure logically groups networks into smaller subnetworks.

An effective hierarchical address scheme consists of a classful network address in the Core Layer that is subdivided into successively smaller subnets in the Distribution and Access Layers.

It is possible to have a hierarchical network without hierarchical addressing. Although the network still functions, the effectiveness of the network design decreases and certain routing protocol features, such as route summarization, do not work properly.

In enterprise networks with many geographically separate locations, a hierarchical network design and address structure simplifies network management and troubleshooting and also improves scalability and routing performance.

4.1.2 - Hierarchical Network Addressing. The diagram depicts two scenarios representing non-hierarchical and hierarchical addressing. The scenarios use the same topology; only the addressing scheme changes. Switched LANs at the Access Layer connect to a Distribution Layer router, which connects to a Core Layer router, which in turn connects to the network cloud.

In the non-hierarchical addressing scheme, each network has unrelated IP addresses, as follows: Connection to cloud: 192.168.100.0. Core to Distribution Layer: 192.168.5.0. LAN 1: 192.168.1.0. LAN 2: 10.22.5.0. LAN 3: 172.16.8.0.

In the hierarchical addressing scheme, a logical grouping of networks exists, as follows: Connection to cloud: 10.1.0.0/16. Core to Distribution Layer: 10.1.1.0/24. LAN 1: 10.1.1.32/27. LAN 2: 10.1.1.64/27. LAN 3: 10.1.1.96/27. Note that the subnet masks are now included in the addressing.

4.1.3 Using Subnetting to Structure the Network Page 1: There are many reasons to divide the network into subnets, including:

Physical location
Logical grouping
Security
Application requirements
Broadcast containment
Hierarchical network design

For example, if an organization uses a 10.0.0.0 network for the enterprise, they might use an addressing scheme such as 10.X.Y.0, where X represents a geographical location and Y represents a building or floor within that location. This addressing scheme allows for:

255 different geographical locations
255 buildings in each location
254 hosts within each building

4.1.3 - Using Subnetting to Structure the Network. The diagram depicts four boxes describing reasons to divide a network into subnets.
One. Broadcast Containment. A red line between the Distribution Layer router and the Access Layer switches marks the point of broadcast containment.
Two. Security. A red line between the Access Layer switch and the Distribution Layer router marks the security demarcation point. The router offers security features.
Three. Location. Two sites, labeled Site A and Site B, are depicted with a serial link between them.
Four. Logical Grouping. Two switched Access Layer LANs are shown connected to another switch. The demarcation line is between this switch and the Distribution Layer router. The LANs are labeled Engineering and Accounting.

Page 2:

4.1.3 - Using Subnetting to Structure the Network. The diagram depicts an activity in which you must indicate whether a hierarchical addressing scheme using subnets should be used to structure the network. Answer yes or no to the scenarios below.
One. A small business that has 10 employees uses a 12-port switch to connect to a router to access the ISP.
Two. A large organization wants to break up some of their larger LANs to limit broadcasts and improve network performance. They do not want to purchase additional IP addresses from their ISP.
Three. An organization has five locations in different states. All sites need to be connected. They have been assigned five IP addresses by their ISP but wish to separate users at each location based on the type of application they use at each location.
Four. An organization has been assigned a single IP address and wants to break up the addresses into smaller chunks to be used by different departments within the organization.
Five. A home user purchases a Linksys WRT300N with integrated router, 4-port switch, and wireless access point. One computer will connect to the switch and other users will access the Linksys via wireless.

4.2 Using VLSM


4.2.1 Subnet Mask Page 1: To use subnetting to create a hierarchical design, it is crucial to have a clear understanding of the structure of the subnet mask.

The subnet mask indicates whether hosts are in the same network. The subnet mask is a 32-bit value that distinguishes between the network bits and the host bits. It consists of a string of 1s followed by a string of 0s. The 1 bits represent the network portion and the 0 bits represent the host portion.

Class A addresses use a default subnet mask of 255.0.0.0 or a slash notation of /8

Class B addresses use a default mask of 255.255.0.0 or /16

Class C addresses use a default mask of 255.255.255.0 or /24

The /x refers to the number of bits in the subnet mask that comprise the network portion of the address.

In an enterprise network, subnet masks vary in length. LAN segments often contain varying numbers of hosts; therefore, it is not efficient to have the same subnet mask length for all subnets created.

4.2.1 - Subnet Mask The diagram depicts a chart labeled Subnet Mask Notation and Number of Possible Hosts. NOTE: The number of usable hosts is calculated by taking the number 2 to the power of the number of host bits available and then subtracting 2.

Dotted Decimal Subnet Mask  Binary Subnet Mask                   Slash Notation  Host bits  Hosts Possible (2^n - 2)
255.0.0.0                   11111111.00000000.00000000.00000000  /8              24         16777214
255.128.0.0                 11111111.10000000.00000000.00000000  /9              23         8388606
255.192.0.0                 11111111.11000000.00000000.00000000  /10             22         4194302
255.224.0.0                 11111111.11100000.00000000.00000000  /11             21         2097150
255.240.0.0                 11111111.11110000.00000000.00000000  /12             20         1048574
255.248.0.0                 11111111.11111000.00000000.00000000  /13             19         524286
255.252.0.0                 11111111.11111100.00000000.00000000  /14             18         262142
255.254.0.0                 11111111.11111110.00000000.00000000  /15             17         131070
255.255.0.0                 11111111.11111111.00000000.00000000  /16             16         65534
255.255.128.0               11111111.11111111.10000000.00000000  /17             15         32766
255.255.192.0               11111111.11111111.11000000.00000000  /18             14         16382
255.255.224.0               11111111.11111111.11100000.00000000  /19             13         8190
255.255.240.0               11111111.11111111.11110000.00000000  /20             12         4094
255.255.248.0               11111111.11111111.11111000.00000000  /21             11         2046
255.255.252.0               11111111.11111111.11111100.00000000  /22             10         1022
255.255.254.0               11111111.11111111.11111110.00000000  /23             9          510
255.255.255.0               11111111.11111111.11111111.00000000  /24             8          254
255.255.255.128             11111111.11111111.11111111.10000000  /25             7          126
255.255.255.192             11111111.11111111.11111111.11000000  /26             6          62
255.255.255.224             11111111.11111111.11111111.11100000  /27             5          30
255.255.255.240             11111111.11111111.11111111.11110000  /28             4          14
255.255.255.248             11111111.11111111.11111111.11111000  /29             3          6
255.255.255.252             11111111.11111111.11111111.11111100  /30             2          2

Page 2:

4.2.1 - Subnet Mask The diagram depicts an activity in which you must determine the slash notation, number of host bits, and number of hosts possible for the following subnet masks.
A. 255.255.255.224
B. 255.255.255.248
C. 255.255.255.252
D. 255.255.128.0
E. 255.255.255.128
F. 255.255.252.0
G. 255.255.255.192
H. 255.255.192.0
I. 255.255.224.0
J. 255.255.255.240
K. 255.255.254.0
L. 255.255.255.0
M. 255.255.248.0
N. 255.255.240.0

4.2.2 Calculating Subnets Using Binary Representation Page 1: When one host needs to communicate with another, it determines its network address and the destination network address by applying its subnet mask to both its IPv4 address and to the destination IPv4 address. This is done to determine if the two addresses are on the same local network.

The subnet mask is a 32 bit value used to distinguish between the network bits and the host bits of the IP address. The subnet mask is made up of a string of 1s followed by a string of 0s. The 1s indicate the number of network bits and the 0s indicate the number of host bits within the IP address. The network bits are compared between the source and destination. If the resulting networks are the same, the packet can be delivered locally. If they do not match, the packet is sent to the default gateway.

For example, assume that H1, with the IP address of 192.168.1.44 and subnet mask of 255.255.255.0, or /24, needs to send a message to H2, with the IP address of 192.168.1.66 and a subnet mask of 255.255.255.0. In this instance, both hosts have a default subnet mask of 255.255.255.0, which means the network bits end on the octet boundary, the third octet. Both hosts have the same network bits of 192.168.1, and therefore are on the same network.

4.2.2 - Calculating Subnets Using Binary Representation The animation depicts the process of ANDing the IP address and subnet mask to determine whether the destination host is on the same network or a different network. There are two hosts, H1 and H2, connected to a switch. H1 sends H2 a message. The switch checks to see if H2 is on the same network as H1. The network is determined by comparing the IP address to the subnet mask. H2 is on the same network, so the switch sends the message to H2. The IP address, subnet mask, and network address for each configuration, as well as the corresponding binary equivalent, are listed below.
H1 Configuration
IP Address - 192.168.1.44, 11000000.10101000.00000001.00101100
Subnet Mask - 255.255.255.0, 11111111.11111111.11111111.00000000
Network - 192.168.1.0, 11000000.10101000.00000001.00000000
H2 Configuration
IP Address - 192.168.1.66, 11000000.10101000.00000001.01000010
Subnet Mask - 255.255.255.0, 11111111.11111111.11111111.00000000
Network - 192.168.1.0, 11000000.10101000.00000001.00000000
The animation concludes by highlighting that both H1 and H2 are on the same network: 192.168.1.0.

Page 2: While it is fairly easy to see the network and host portion of an IP address when the subnet mask ends on the network boundary, the process of determining the network bits is the same even when the network portion does not take up the entire octet. For example, H1 has an IP address of 192.168.13.21 with a subnet mask of 255.255.255.248, or /29. This means out of 32 bits, 29 of them make up the network portion. The network bits take up all of the first three octets and extend into the fourth octet. In this instance, the value of the network ID is 192.168.13.16.

If H1, with the IP address 192.168.13.21/29, needs to communicate with another host, H2, with the address 192.168.13.25/29, the network portions of the two addresses must be compared to determine whether the two hosts are on the same local network. In this case, H1 has a network value of 192.168.13.16, whereas H2 has a network value of 192.168.13.24. H1 and H2 are not on the same network and require the use of a router to communicate.

4.2.2 - Calculating Subnets Using Binary Representation The diagram illustrates the process of comparing the IP address and subnet mask of two hosts to determine if they reside on the same subnet. There are two hosts, H1 and H2. The subnet is determined by comparing the last octet of both the IP address and subnet mask. The IP address, subnet mask, subnet, and the corresponding binary equivalent are listed below.
H1 Configuration
IP Address: 192.168.13.21 /29, 11000000.10101000.00001101.00010101
Subnet Mask: 255.255.255.248, 11111111.11111111.11111111.11111000
Subnet: 192.168.13.16, Last Octet (00010000)
H1 is on subnetwork 192.168.13.16
H2 Configuration
IP Address: 192.168.13.25 /29, 11000000.10101000.00001101.00011001
Subnet Mask: 255.255.255.248, 11111111.11111111.11111111.11111000
Subnet: 192.168.13.24, Last Octet (00011000)
H2 is on subnetwork 192.168.13.24
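The ANDing procedure described above, carried out in code. This is an added Python example, not part of the Cisco course material; the function names are my own. It builds the mask from the prefix length (a run of 1s followed by 0s), ANDs it with each address, and compares the results, reproducing both the 192.168.1.0 /24 case and the 192.168.13.21 /29 versus 192.168.13.25 /29 case from the text. It also rejects a mask whose 1 bits are not contiguous, which is a configuration error the course's definition of a subnet mask rules out.

```python
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    """32-bit integer back to dotted-decimal."""
    return str(ipaddress.IPv4Address(value))


def prefix_to_mask(prefix: int) -> int:
    """/prefix -> 32-bit mask: `prefix` ones followed by (32 - prefix) zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> /prefix. A valid mask is a string of 1s then 0s, so the
    count of 1 bits must rebuild the same mask; anything else is rejected."""
    value = to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix


def network_address(ip: str, mask: str) -> str:
    """AND the address with the mask: the 1 bits keep the network portion,
    the 0 bits clear the host portion."""
    return to_dotted(to_int(ip) & to_int(mask))


def same_network(ip1: str, ip2: str, mask: str) -> bool:
    """True when both addresses AND to the same network (deliver locally);
    False when they differ (send to the default gateway)."""
    return network_address(ip1, mask) == network_address(ip2, mask)


def binary(dotted: str) -> str:
    """Dotted-decimal to dotted-binary, as the course diagrams show it."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


if __name__ == "__main__":
    # Examples taken from the course text above.
    for ip, mask in [("192.168.1.44", "255.255.255.0"),
                     ("192.168.13.21", "255.255.255.248"),
                     ("192.168.13.25", "255.255.255.248")]:
        print(f"{ip:15s} {binary(ip)}  &  {binary(mask)}  = {network_address(ip, mask)}")
    print(same_network("192.168.1.44", "192.168.1.66", "255.255.255.0"))      # True
    print(same_network("192.168.13.21", "192.168.13.25", "255.255.255.248"))  # False
```

`mask_to_prefix` is the check worth keeping around: a host or interface configured with a mask such as 255.255.0.255 silently breaks the local/remote decision, and most stacks will reject it only at configuration time, if at all.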

Page 3:

4.2.2 - Calculating Subnets Using Binary Representation The diagram depicts an activity in which you must determine whether the two hosts are on the same network.

Pair 1: Host 1 IP Address 172.16.5.72, Subnet Mask 255.255.255.0, Slash Format /24. Host 2 IP Address 172.16.5.79, Subnet Mask 255.255.255.0, Slash Format /24.
Pair 2: Host 1 IP Address 192.168.19.35, Subnet Mask 255.255.255.224, Slash Format /27. Host 2 IP Address 192.168.19.48, Subnet Mask 255.255.255.224, Slash Format /27.
Pair 3: Host 1 IP Address 10.128.14.14, Subnet Mask 255.255.255.240, Slash Format /28. Host 2 IP Address 10.128.14.19, Subnet Mask 255.255.255.240, Slash Format /28.
Pair 4: Host 1 IP Address 192.168.3.68, Subnet Mask 255.255.255.248, Slash Format /29. Host 2 IP Address 192.168.3.74, Subnet Mask 255.255.255.248, Slash Format /29.

4.2.3 Basic Subnetting Process Page 1: Using a hierarchical addressing scheme, much information can be determined by looking at only an IP address and slash notation (/x) subnet mask. For example, an IP address of 192.168.1.75 /26 shows the following information:

Decimal subnet mask

The /26 translates to a subnet mask of 255.255.255.192.

Number of subnets created

Assuming we started with the default /24 subnet mask, we borrowed 2 additional host bits for the network. This creates 4 subnets (2^2 = 4).

Number of usable hosts per subnet

Six bits are left on the host side, creating 62 usable hosts per subnet (2^6 = 64; 64 - 2 = 62).

Network address

Using the subnet mask to determine the placement of network bits, the value of the network address is given. In this example, the value is 192.168.1.64.

First usable host address

A host cannot have all 0s within the host bits, because that represents the network address of the subnet. Therefore, the first usable host address within the .64 subnet is .65.

Broadcast address

A host cannot have all 1s within the host bits, because that represents the broadcast address of the subnet. In this case, the broadcast address is .127; .128 is the network address of the next subnet.

4.2.3 - Basic Subnetting Process
Subnet 0: Network address 192.168.1.0 /26, Host range 192.168.1.1 to 192.168.1.62, Broadcast address 192.168.1.63
Subnet 1: Network address 192.168.1.64 /26, Host range 192.168.1.65 to 192.168.1.126, Broadcast address 192.168.1.127
Subnet 2: Network address 192.168.1.128 /26, Host range 192.168.1.129 to 192.168.1.190, Broadcast address 192.168.1.191
Subnet 3: Network address 192.168.1.192 /26, Host range 192.168.1.193 to 192.168.1.254, Broadcast address 192.168.1.255
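The six facts the course derives from 192.168.1.75 /26, computed rather than read off. This is an added Python example, not part of the course; the function names are my own, and the "subnets created" figure assumes the classful default mask as the starting point, exactly as the text does. `enumerate_subnets` reproduces the four-row table above for any classful block and any new prefix, and `classify_address` applies the all-0s / all-1s host-bit rules to a single address.

```python
import ipaddress


def default_prefix(ip: str) -> int:
    """Classful default mask implied by the first octet: A=/8, B=/16, C=/24."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip} is not a class A, B or C address")


def subnet_info(ip: str, prefix: int) -> dict:
    """Everything the course reads from an address plus its /x mask."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    borrowed = prefix - default_prefix(ip)          # host bits borrowed for subnets
    if borrowed < 0:
        raise ValueError("prefix is shorter than the classful default mask")
    host_bits = 32 - prefix
    return {
        "mask": str(net.netmask),
        "subnets": 2 ** borrowed,                    # 2^(borrowed bits)
        "usable_hosts": max(2 ** host_bits - 2, 0),  # course rule: 2^n - 2
        "network": str(net.network_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }


def enumerate_subnets(classful_network: str, new_prefix: int) -> list:
    """Every subnet of a classful block at the new prefix, as
    (network, first host, last host, broadcast) tuples."""
    base = ipaddress.ip_network(classful_network)
    rows = []
    for sub in base.subnets(new_prefix=new_prefix):
        rows.append((str(sub.network_address), str(sub.network_address + 1),
                     str(sub.broadcast_address - 1), str(sub.broadcast_address)))
    return rows


def classify_address(ip: str, prefix: int) -> str:
    """'network' for all-0 host bits, 'broadcast' for all-1 host bits,
    otherwise 'host'."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    addr = ipaddress.IPv4Address(ip)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    for key, value in subnet_info("192.168.1.75", 26).items():
        print(f"{key:13s} {value}")
    for row in enumerate_subnets("192.168.1.0/24", 26):
        print(row)
```

`classify_address` is the check to run before handing an address to a host or an ACL: assigning .64 or .127 in the example above produces a host that never answers, and the mistake is easy to make once masks stop ending on an octet boundary.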

Page 2: Lab Activity

Design and apply an IP addressing subnet scheme for a given topology.

Click the lab icon to begin.

4.2.3 - Basic Subnetting Process Link to Hands-on Lab: Designing and Applying an IP Addressing Scheme Design and apply an IP addressing subnet scheme for a given topology.

4.2.4 Variable Length Subnet Masks (VLSM) Page 1: Basic subnetting is sufficient for smaller networks but does not provide the flexibility needed in larger enterprise networks.

Variable Length Subnet Masks (VLSM) provide for efficient use of address space. VLSM also allows for hierarchical IP addressing, which lets routers take advantage of route summarization. Route summarization reduces the size of routing tables in distribution and core routers. Smaller routing tables require less CPU time for routing lookups.

VLSM is the concept of subnetting a subnet. It was initially developed to maximize addressing efficiency. With the advent of private addressing, the primary advantage of VLSM now is organization and summarization.

Not all routing protocols support VLSM. Classful routing protocols, such as RIPv1, do not include a subnet mask field with a routing update. A router receiving such an update assumes that every subnet of the same major network uses the subnet mask configured on its own interface in that network.

Classless routing protocols support the use of VLSM because the subnet mask is sent with all routing update packets. Classless routing protocols include RIPv2, EIGRP, and OSPF.

Benefits of VLSM:

Allows efficient use of address space
Allows the use of multiple subnet mask lengths
Breaks up an address block into smaller blocks
Allows for route summarization
Provides more flexibility in network design
Supports hierarchical enterprise networks

4.2.4 - Variable Length Subnet Masks (VLSM) The diagram depicts the use of VLSM to break up a subnet into smaller portions for use on serial links. There are four routers, R1, R2, R3, and R4. R1 is connected to R2 via a serial link (Subnet Address: 192.168.20.192 /30). R2 is connected to R3 via a serial link (Subnet Address: 192.168.20.196 /30). R3 is connected to R4 via a serial link (Subnet Address: 192.168.20.200 /30).
LAN network addresses
R1 network address: 192.168.20.0 /27
R2 network address: 192.168.20.32 /27
R3 network address: 192.168.20.64 /27
R4 network address: 192.168.20.96 /27
The following tables give a list of available subnets, and a list of Variable Length Subnets for the above network.
Subnets of 192.168.20.0
Subnet 0: 192.168.20.0 /27
Subnet 1: 192.168.20.32 /27
Subnet 2: 192.168.20.64 /27
Subnet 3: 192.168.20.96 /27
Subnet 4: 192.168.20.128 /27
Subnet 5: 192.168.20.160 /27
Subnet 6: 192.168.20.192 /27
Subnet 7: 192.168.20.224 /27
Subnets of 192.168.20.192
Subnet 0: 192.168.20.192 /30
Subnet 1: 192.168.20.196 /30
Subnet 2: 192.168.20.200 /30
Subnet 3: 192.168.20.204 /30
Subnet 4: 192.168.20.208 /30
Subnet 5: 192.168.20.212 /30
Subnet 6: 192.168.20.216 /30
Subnet 7: 192.168.20.220 /30

Page 2: VLSM allows the use of different masks for each subnet. After a network address is subnetted, further division of those subnets creates sub-subnets.

For example, network 10.0.0.0/8 with a subnet mask of /16 subdivides into 256 subnets, each capable of addressing 16,382 hosts.

10.0.0.0/16

10.1.0.0/16

10.2.0.0/16 up to 10.255.0.0/16

Applying a subnet mask of /24 to any one of these /16 subnets, such as 10.1.0.0/16, results in a subdivision of 256 subnets. Each one of these new subnets is capable of addressing 254 hosts.

10.1.1.0/24

10.1.2.0/24

10.1.3.0/24 up to 10.1.255.0/24

Applying a subnet mask of /28 to any one of these /24 subnets, such as 10.1.3.0/28, results in a subdivision of 16 subnets. Each one of these new subnets is capable of addressing 14 hosts.

10.1.3.0/28

10.1.3.16/28

10.1.3.32/28 up to 10.1.3.240/28

4.2.4 - Variable Length Subnet Masks (VLSM) The diagram depicts three steps, which show how to apply VLSM to a network given the IP address 10.0.0.0 /8.
Step 1. 10.0.0.0 /8 has been subnetted using the subnet mask /16. There are five routers labeled R1, R2, R3, R4, and R5, which have been connected in a star topology. R1 is in the middle of the topology and is connected to R2, R3, R4, and R5.
R2 network address: 10.1.0.0 /16
R3 network address: 10.2.0.0 /16
R4 network address: 10.3.0.0 /16
R5 network address: 10.4.0.0 /16
Step 2. Any of the /16 subnets can be subnetted further. In this example, 10.3.0.0 /16 has been subnetted using the /24 mask. There are seven routers labeled R1, R2, R3, R4, R5, R6, and R7. R1 through R5 appear the same as in the previous star topology. There are three switches labeled S1, S2, and S3. R4 is connected to S1. S1 is connected to R6 and R7. R6 is connected to S2. R7 is connected to S3.
R2 network address: 10.1.0.0 /16
R3 network address: 10.2.0.0 /16
R4 network address: 10.3.0.0 /16
R6 network address: 10.3.1.0 /24
R7 network address: 10.3.2.0 /24
R5 network address: 10.4.0.0 /16
Step 3. In this example, 10.3.2.0 /24 has been subnetted using the /28 mask. There are eight routers labeled R1, R2, R3, R4, R5, R6, R7, and R8. There are six switches labeled S1, S2, S3, S4, S5, and S6. R1 is connected to R2, R3, R4, and R5. R4 is connected to S1. S1 is connected to R6 and R7. R6 is connected to S2. R7 is connected to S3 and S4. S4 is connected to R8. R8 is connected to S5 and S6.
R2 network address: 10.1.0.0 /16
R3 network address: 10.2.0.0 /16
R4 network address: 10.3.0.0 /16
R6 network address: 10.3.1.0 /24
R7 network address: 10.3.2.0 /24
S3 network address: 10.3.2.16 /28
S4 network address: 10.3.2.32 /28
S5 network address: 10.3.2.48 /28
S6 network address: 10.3.2.64 /28
R5 network address: 10.4.0.0 /16

Page 3:

4.2.4 - Variable Length Subnet Masks (VLSM) The diagram depicts an activity in which you must determine the slash format of the subnet mask necessary to accommodate the required number of hosts.
Number of Hosts
A. 25
B. 100
C. 1000
D. 5
E. 45
F. 400
G. 12
H. 2

4.2.5 Implementing VLSM Addressing Page 1: Designing an IP addressing scheme with VLSM takes practice and planning. As a practice example, a network has the following requirements:

Atlanta HQ = 58 host addresses
Perth HQ = 26 host addresses
Sydney HQ = 10 host addresses
Corpus HQ = 10 host addresses
WAN links = 2 host addresses (each)

A subnet of /26 is required to accommodate the largest network segment of 58 hosts. Using a basic subnetting scheme, with the same /26 mask everywhere, is not only wasteful but also creates only four subnets. This is not enough to address each of the required seven LAN/WAN segments. A VLSM addressing scheme resolves this problem.

4.2.5 - Implementing VLSM Addressing The diagram depicts WAN links and network addressing inefficiencies. A table with the headers Headquarters, Actual Requirements, and Total Wasted Addresses is also included in the diagram. The network has not had a VLSM addressing scheme applied. There are four routers, labeled Atlanta HQ, Perth HQ, Sydney HQ, and Corpus HQ. There are four switches, labeled S1, S2, S3, and S4, each with three hosts attached. Atlanta HQ is connected to S1. Atlanta HQ is connected to Sydney HQ via a serial link. Sydney HQ is attached to S2. Sydney HQ is attached to Corpus HQ via a serial link. Sydney HQ is attached to Perth HQ via a serial link. Perth HQ is attached to S3. Corpus HQ is attached to S4.
Network Inefficiencies Table Contents
Atlanta HQ: Actual Requirements 58 host addresses, Total Wasted Addresses 4 addresses
Perth HQ: Actual Requirements 26 host addresses, Total Wasted Addresses 36 addresses
Sydney HQ: Actual Requirements 10 host addresses, Total Wasted Addresses 52 addresses
Corpus HQ: Actual Requirements 10 host addresses, Total Wasted Addresses 52 addresses
WAN Links: Actual Requirements 2 host addresses (each), Total Wasted Addresses 60 addresses

Page 2: When implementing a VLSM subnetting scheme, always allow for some growth in the number of hosts when planning subnet requirements.

4.2.5 - Implementing VLSM Addressing The diagram depicts five steps that are used to calculate and apply a VLSM addressing scheme.

Step 1. List the network requirements from largest to smallest. The three point-to-point WAN links require two addresses each.
Atlanta HQ - 58
Perth HQ - 28
Sydney HQ - 10
Corpus HQ - 10
WAN 1 - 2
WAN 2 - 2
WAN 3 - 2

Step 2. The largest LAN, Atlanta HQ, requires 58 hosts. Borrow 2 bits to use /26. This creates four subnets: 192.168.15.0, 192.168.15.64, 192.168.15.128, and 192.168.15.192.
Atlanta HQ (58): Subnet address 192.168.15.0, Address range .1 to .62, Broadcast address .63, Network/Prefix 192.168.15.0 /26

Step 3. Perth HQ LAN requires 28 host addresses. Use the next available address of 192.168.15.64 /26. Borrow one more bit to create an address block of /27. This creates two subnets: 192.168.15.64 and 192.168.15.96. Use 192.168.15.64 /27 for Perth HQ.
Perth HQ (28): Subnet address 192.168.15.64, Address range .65 to .94, Broadcast address .95, Network/Prefix 192.168.15.64 /27

Step 4. Sydney HQ and Corpus HQ LANs require ten host addresses each. Use the next available address of 192.168.15.96 /27. Borrow another bit to extend the mask to /28. This creates two subnets: 192.168.15.96 and 192.168.15.112. Use both subnets, one for Sydney HQ, one for Corpus HQ.
Sydney HQ (10): Subnet address 192.168.15.96, Address range .97 to .110, Broadcast address .111, Network/Prefix 192.168.15.96 /28
Corpus HQ (10): Subnet address 192.168.15.112, Address range .113 to .126, Broadcast address .127, Network/Prefix 192.168.15.112 /28

Step 5. Three point-to-point WAN links require two addresses each. Use the next available address 192.168.15.128 /28. Borrow 2 more bits with a /30 mask. This creates three subnets: 192.168.15.128, 192.168.15.132, and 192.168.15.136. Use all three subnets, one for each WAN.
WAN 1 (2): Subnet address 192.168.15.128, Address range .129 to .130, Broadcast address .131, Network/Prefix 192.168.15.128 /30
WAN 2 (2): Subnet address 192.168.15.132, Address range .133 to .134, Broadcast address .135, Network/Prefix 192.168.15.132 /30
WAN 3 (2): Subnet address 192.168.15.136, Address range .137 to .138, Broadcast address .139, Network/Prefix 192.168.15.136 /30

Completed addressing table
Name (required addresses)  Subnet address   Address range  Broadcast  Network/Prefix
Atlanta HQ (58)            192.168.15.0     .1 to .62      .63        192.168.15.0 /26
Perth HQ (28)              192.168.15.64    .65 to .94     .95        192.168.15.64 /27
Sydney HQ (10)             192.168.15.96    .97 to .110    .111       192.168.15.96 /28
Corpus HQ (10)             192.168.15.112   .113 to .126   .127       192.168.15.112 /28
WAN 1 (2)                  192.168.15.128   .129 to .130   .131       192.168.15.128 /30
WAN 2 (2)                  192.168.15.132   .133 to .134   .135       192.168.15.132 /30
WAN 3 (2)                  192.168.15.136   .137 to .138   .139       192.168.15.136 /30

Page 3: Multiple tools exist to assist with address planning.

VLSM Chart

One method uses a VLSM chart to identify which blocks of addresses are available and which ones are already assigned.

VLSM Circle

Another method uses a circle approach. The circle is cut into increasingly smaller segments, representing the smaller subnets.

Both methods help prevent assigning addresses that are already allocated, and they help to avoid assigning address ranges that overlap.

4.2.5 - Implementing VLSM Addressing The diagram depicts a pie chart divided into six different pieces, labeled P1 through P6, representing the network address 192.168.1.0 /24 broken into six variable length subnets.
P1: Network Address 192.168.1.0 /25, Hosts 126, Range .1 to .127
P2: Network Address 192.168.1.128 /26, Hosts 62, Range .129 to .191
P3: Network Address 192.168.1.192 /28, Hosts 14, Range .193 to .207
P4: Network Address 192.168.1.208 /28, Hosts 14, Range .209 to .223
P5: Network Address 192.168.1.224 /30, Hosts 2, Range .225 to .227
P6: Network Address Unused
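The five-step VLSM procedure from the previous page, and the overlap check that the VLSM chart and circle on this page exist to enforce, as one added Python example. It is not part of the course material; the function names are my own, and the requirements dictionary copies the course's practice example (Atlanta HQ 58, Perth HQ 28, Sydney HQ 10, Corpus HQ 10, three WAN links of 2). The allocator sorts requirements largest first, gives each the smallest mask that still offers 2^n - 2 usable hosts, and takes it from the next free address, which is exactly the hand procedure; it generalizes to any block and any requirement list, and refuses to allocate once the block is exhausted.

```python
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix whose subnet offers at least `hosts` usable addresses
    under the course rule of 2^n - 2 usable hosts per subnet."""
    host_bits = 2                       # /30 is the smallest block the course uses
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def usable_hosts(cidr: str) -> int:
    """2^(host bits) - 2 for a network given in CIDR notation."""
    return 2 ** (32 - ipaddress.ip_network(cidr).prefixlen) - 2


def allocate_vlsm(block: str, requirements: dict) -> dict:
    """Carve `block` into VLSM subnets. Requirements are handled largest first;
    each gets the smallest mask that fits, starting at the next free address.
    Returns {name: "network/prefix"} in allocation order."""
    pool = ipaddress.ip_network(block)
    cursor = int(pool.network_address)  # next unassigned address, as an integer
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        # A subnet must start on a multiple of its own size. Largest-first order
        # keeps the cursor aligned, but round up so arbitrary orders stay valid.
        if cursor % size:
            cursor += size - cursor % size
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(cursor)}/{prefix}")
        if not net.subnet_of(pool):
            raise ValueError(f"{block} is exhausted before {name} can be assigned")
        plan[name] = str(net)
        cursor += size
    return plan


def wasted_addresses(plan: dict, requirements: dict) -> dict:
    """Usable addresses assigned but not required, per subnet (the
    'Total Wasted Addresses' column of the course table)."""
    return {name: usable_hosts(cidr) - requirements[name] for name, cidr in plan.items()}


def find_overlaps(plan: dict) -> list:
    """Pairs of assignments whose address ranges overlap. A plan built from a
    correct VLSM chart or circle returns an empty list."""
    names = list(plan)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipaddress.ip_network(plan[a]).overlaps(ipaddress.ip_network(plan[b])):
                found.append((a, b))
    return found


# Requirements from the course's practice example (Step 1 of the diagram).
COURSE_REQUIREMENTS = {
    "Atlanta HQ": 58, "Perth HQ": 28, "Sydney HQ": 10, "Corpus HQ": 10,
    "WAN 1": 2, "WAN 2": 2, "WAN 3": 2,
}

if __name__ == "__main__":
    plan = allocate_vlsm("192.168.15.0/24", COURSE_REQUIREMENTS)
    waste = wasted_addresses(plan, COURSE_REQUIREMENTS)
    for name, cidr in plan.items():
        print(f"{name:10s} {cidr:19s} usable={usable_hosts(cidr):3d} wasted={waste[name]}")
    print("overlaps:", find_overlaps(plan))
```

Two things the hand method leaves implicit are made explicit here: the alignment rule (a /27 cannot start at .96 + 4 just because that is the next free address) and the exhaustion check. Running `find_overlaps` against the plan you actually configured on the routers, not the plan on paper, is the cheap way to catch a transcription error before it becomes an intermittent reachability problem.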

Page 4:

4.2.5 - Implementing VLSM Addressing The diagram depicts an activity in which you must create an addressing scheme for the given requirements in each of the following three scenarios.
Scenario One. IP Address: 172.16.66.0 /24. The first subnet is given. Subnet 2 requires 25 Hosts. Subnet 3 requires 25 Hosts. Subnet 4 requires 12 Hosts. Subnet 5 requires 6 Hosts. Subnet 6 requires 2 Hosts.
Subnet 1: Host Requirements 25, /Slash /27, # of hosts 30, Subnet 172.16.6.0, Host Range .1 to .30, Broadcast .31
Scenario Two. IP Address: 192.168.5.0 /24. The first subnet is given. Subnet 2 requires 30 Hosts. Subnet 3 requires 25 Hosts. Subnet 4 requires 10 Hosts. Subnet 5 requires 2 Hosts. Subnet 6 requires 2 Hosts.
Subnet 1: Host Requirements 60, /Slash /26, # of hosts 62, Subnet 192.168.5.0, Host Range .1 to .62, Broadcast .63
Scenario Three. IP Address: 10.33.19.0 /24. The first subnet is given. Subnet 2 requires 55 Hosts. Subnet 3 requires 30 Hosts. Subnet 4 requires 12 Hosts. Subnet 5 requires 2 Hosts. Subnet 6 requires 2 Hosts.
Subnet 1: Host Requirements 100, /Slash /25, # of hosts 126, Subnet 10.33.19.0, Host Range .1 to .126, Broadcast .127

Page 5: Lab Activity

Use VLSM to provide the IP addressing for a given topology.

Click the lab icon to begin.

4.2.5 - Implementing VLSM Addressing Link to Hands-on Lab: Calculating a VLSM Addressing Scheme Use VLSM to provide the IP addressing for a given topology.

4.3 Using Classless Routing and CIDR


4.3.1 Classful and Classless Routing Page 1: Technology such as VLSM enables the classful IPv4 addressing system to evolve into a classless system. Classless addressing has made the exponential growth of the Internet possible.

Classful addresses consist of the three major classes of IP addresses and an associated default subnet mask:

Class A (255.0.0.0 or /8)
Class B (255.255.0.0 or /16)
Class C (255.255.255.0 or /24)

A company with a Class A network address has over 16 million host addresses available; with a Class B network address, over 65,000 hosts; and with a Class C, only 254 hosts. Since there is a limited number of Class A and Class B addresses in circulation, many companies purchased multiple Class C addresses in order to obtain enough addresses to satisfy their network requirements.

As a result, purchasing multiple Class C addresses has used up the Class C address space more quickly than originally planned.

4.3.1 - Classful and Classless Routing The diagram depicts two separate tables describing the number of networks and hosts per network for each class.
Table 1
Class A: First Octet Network, Second Octet Host, Third Octet Host, Fourth Octet Host. Subnet Mask: 255.0.0.0 or /8.
Class B: First Octet Network, Second Octet Network, Third Octet Host, Fourth Octet Host. Subnet Mask: 255.255.0.0 or /16.
Class C: First Octet Network, Second Octet Network, Third Octet Network, Fourth Octet Host. Subnet Mask: 255.255.255.0 or /24.
Table 2
Class A: First Octet Range 0 to 127. Number of Possible Networks: 128 (2 are reserved). Number of Hosts per Network: 16,777,214.
Class B: First Octet Range 128 to 191. Number of Possible Networks: 16,348. Number of Hosts per Network: 65,534.
Class C: First Octet Range 192 to 223. Number of Possible Networks: 2,097,152. Number of Hosts per Network: 254.

Page 2: In classful IP addresses, the value of the first octet, or the first three bits, determines whether the major network is a Class A, B, or C. Each major network has a default subnet mask of 255.0.0.0, 255.255.0.0, or 255.255.255.0 respectively.

Classful routing protocols, such as RIPv1, do not include the subnet mask in routing updates. Since the subnet mask is not included, the receiving router makes certain assumptions.

Using a classful protocol, if a router sends an update about a subnetted network, such as 172.16.1.0/24, to a router whose connecting interface is on the same major network as that in the update, such as 172.16.2.0/24, then:

The sending router advertises the full network address but without a subnet mask. In this case, the network address is 172.16.1.0.
The receiving router, with a configured interface of 172.16.2.0/24, adopts the subnet mask of the configured interface and applies it to the advertised network. Therefore, in the example, the receiving router assumes the subnet mask of 255.255.255.0 applies to the 172.16.1.0 network.

If the router sends an update about a subnetted network, such as 172.16.1.0/24, to a router whose connecting interface is in a different major network, such as 192.168.1.0/24:

The sending router advertises the major classful network address only, not the subnetted address. In this case, the address advertised is 172.16.0.0.
The receiving router assumes the default subnet mask for this network. The default subnet mask for a class B address is 255.255.0.0.

4.3.1 - Classful and Classless Routing The diagram depicts classful routing updates between neighboring routers. Router R1 is connected from its S0/0/0 port via a serial connection to the S0/0/0 port of router R2. The network address of this serial connection is 172.16.2.0 /24. R2 is connected from its S0/0/1 port via a serial connection to the S0/0/1 port of router R3. The network address of this serial connection is 192.168.1.0 /24. R1 is connected via Fa0/0 to a switch on the network 172.16.1.0 /24. R2 is connected via Fa0/0 to a switch on the network 172.16.3.0 /24. R3 is connected via Fa0/0 to a switch on the network 10.1.0.0 /16. When R1 sends an update to R2, R2 applies the /24 mask of its S0/0/0 interface to the 172.16.1.0 routing update from R1. When R2 sends an update to R3, R3 applies the classful /16 mask to the 172.16.0.0 routing update from R2.
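The two classful-update rules above, and the classless behaviour they are contrasted with on the next page, as an added Python model. This is not course code and not an implementation of any routing protocol; the function names are my own, and the receiver is described only by its connecting interface (address/prefix). `classful_update` returns what a RIPv1-style sender advertises and the mask the receiver assumes; `classless_update` returns the route as sent, mask included. `learned_routes` shows the consequence the diagram hints at: R2's 172.16.1.0 /24 and 172.16.3.0 /24 both reach R3 as a single 172.16.0.0 /16.

```python
import ipaddress


def classful_prefix(address) -> int:
    """Default prefix implied by the first octet: A=/8, B=/16, C=/24."""
    first = int(str(address).split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{address} is not a class A, B or C address")


def major_network(net: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """The classful network a subnet belongs to, e.g. 172.16.1.0/24 -> 172.16.0.0/16."""
    return ipaddress.ip_network(
        f"{net.network_address}/{classful_prefix(net.network_address)}", strict=False)


def classful_update(route: str, receiver_interface: str) -> tuple:
    """(advertised network, prefix the receiver assumes) for a classful
    protocol such as RIPv1, which carries no mask in its updates."""
    r = ipaddress.ip_network(route, strict=False)
    iface = ipaddress.ip_interface(receiver_interface)
    if major_network(r) == major_network(iface.network):
        # Same major network: the subnet is advertised without a mask and the
        # receiver applies the mask of its own connecting interface.
        return str(r.network_address), iface.network.prefixlen
    # Different major network: only the classful address is advertised and
    # the receiver assumes the default mask for that class.
    summary = major_network(r)
    return str(summary.network_address), summary.prefixlen


def classless_update(route: str, receiver_interface: str) -> tuple:
    """A classless protocol (RIPv2, EIGRP, OSPF) sends the mask with the
    network, so the receiver learns the route exactly as advertised."""
    r = ipaddress.ip_network(route, strict=False)
    return str(r.network_address), r.prefixlen


def learned_routes(routes, receiver_interface: str, classful: bool = True) -> set:
    """Distinct (network, prefix) entries the receiver ends up with. Subnets
    that collapse to the same classful summary appear as one entry."""
    update = classful_update if classful else classless_update
    return {update(r, receiver_interface) for r in routes}


if __name__ == "__main__":
    # Topology from the course diagram: R1 -> R2 over 172.16.2.0/24,
    # R2 -> R3 over 192.168.1.0/24.
    print(classful_update("172.16.1.0/24", "172.16.2.2/24"))     # ('172.16.1.0', 24)
    print(classful_update("172.16.1.0/24", "192.168.1.2/24"))    # ('172.16.0.0', 16)
    print(learned_routes(["172.16.1.0/24", "172.16.3.0/24"], "192.168.1.2/24"))
    print(learned_routes(["172.16.1.0/24", "172.16.3.0/24"], "192.168.1.2/24", classful=False))
```

The first rule has a second failure mode worth testing for: if the receiving interface on the same major network uses a different mask (a /30 serial link, say), the receiver applies that /30 to a /24 subnet it was told about, and the route it installs covers only four addresses. `classful_update("172.16.1.0/24", "172.16.2.1/30")` returns `("172.16.1.0", 30)` for exactly that reason.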

Page 3: With the rapid depletion of IPv4 addresses, the Internet Engineering Task Force (IETF) developed Classless Inter-Domain Routing (CIDR). CIDR uses IPv4 address space more efficiently and allows network address aggregation, or summarization, which reduces the size of routing tables.

The use of CIDR requires a classless routing protocol, such as RIPv2 or EIGRP, or static routing. To CIDR-compliant routers, the address class is meaningless. The network subnet mask determines the network portion of the address. This is also known as the network prefix, or prefix length. The class of the address no longer determines the network address.

ISPs assign blocks of IP addresses to a network based on the requirements of the customer, ranging from a few hosts to hundreds or thousands of hosts. With CIDR and VLSM, ISPs are no longer limited to using prefix lengths of /8, /16 or /24.

4.3.1 - Classful and Classless Routing The diagram depicts an example of classless subnet masks used by two companies. Company 1 has 1000 employees. Its network address is 172.16.0.0/22 (1022 hosts). It is connected via the Company 1 router to an ISP. The ISP network address is 172.16.0.0/16 (65,534 hosts). Company 2 has 500 employees. Its network address is 172.16.20.0/23 (510 hosts). It is connected via the Company 2 router to the same ISP as Company 1.

Page 4: Classless routing protocols that can support VLSM and CIDR include interior gateway protocols (IGPs) RIPv2, EIGRP, OSPF, and IS-IS. ISPs also use exterior gateway protocols (EGPs) such as Border Gateway Protocol (BGP).

The difference between the classful routing protocols and classless routing protocols is that the classless routing protocols include subnet mask information with the network address information in the routing updates. Classless routing protocols are necessary when the mask cannot be assumed or determined by the value of the first octet.

In a classless protocol, if a router sends an update about a network, such as 172.16.1.0, to a router whose connecting interface is on the same major network as that in the update, such as 172.16.2.0/24, then:

The sending router advertises all subnetworks with subnet mask information.

If the router sends an update about a subnetted network, such as 172.16.1.0/24, to a router whose connecting interface is in a different major network, such as 192.168.1.0/24, then:

The sending router, by default, summarizes all of the subnets and advertises the major classful network along with the summarized subnet mask information. This process is often referred to as summarizing on a network boundary. While most classless routing protocols enable summarization on the network boundary by default, the process of summarizing can be disabled. When summarization is disabled, the sending router advertises all subnetworks with subnet mask information.

4.3.1 - Classful and Classless Routing The animation depicts how a classless routing protocol summarizes routes when advertising them to other networks. Router R1 is connected from its S0/0/0 port via a serial connection to the S0/0/0 port of router R2. The network address of the serial connection is 172.16.3.0/24. R2 is connected from its S0/0/1 port via a serial connection to the S0/0/1 port of router R3. The network address of the serial connection is 192.168.1.0/24. R1 is connected via Fa0/0 to a switch on the network 172.16.1.0/24. R1 is connected via Fa0/1 to another switch on the network 172.16.2.0/24. R2 is connected via Fa0/0 to a switch on the network 172.16.0.0/24. R3 is connected via Fa0/0 to a switch on the network 10.1.0.0/16. R1 says, I must advertise my route information. R1 sends an update containing all of the networks it is directly connected to: 172.16.1.0/24, 172.16.2.0/24 and 172.16.3.0/24. When R2 receives the update, it says, I will summarize all routes from R1 together with my 172.16.0.0 route and send the result to R3. R2 sends a summary route to R3 with the 172.16.0.0/22 information.
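The send-and-assume behaviour described in this section, worked through in Python as an added example. This is not course material and Cisco IOS exposes no such API; the function names (classful_update, classful_receive, classless_update) are this example's own, and the topology values are taken from the figures above. The classless variant summarizes at the classful boundary when auto-summary is on, which is the default behaviour of RIPv2 and EIGRP.

```python
from ipaddress import IPv4Network, ip_network


def _net(n) -> IPv4Network:
    """Accept either a string prefix or an IPv4Network."""
    return n if isinstance(n, IPv4Network) else ip_network(n, strict=False)


def classful_prefixlen(first_octet: int) -> int:
    """Default prefix length implied by the first octet: Class A /8, B /16, C /24."""
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses have no default mask")


def major_network(net) -> IPv4Network:
    """The classful (major) network that contains net."""
    n = _net(net)
    first = int(n.network_address) >> 24
    return ip_network(f"{n.network_address}/{classful_prefixlen(first)}", strict=False)


def classful_update(subnets, out_link):
    """Addresses (no masks) a classful protocol such as RIPv1 sends over out_link."""
    out_major = major_network(out_link)
    adverts = set()
    for s in map(_net, subnets):
        if major_network(s) == out_major:
            adverts.add(str(s.network_address))                 # subnet address, mask omitted
        else:
            adverts.add(str(major_network(s).network_address))  # classful boundary: major network only
    return sorted(adverts)


def classful_receive(advertised: str, in_link) -> IPv4Network:
    """Network a classful receiver assumes for a mask-less address learned on in_link."""
    adv = ip_network(f"{advertised}/32")
    link = _net(in_link)
    if major_network(adv) == major_network(link):
        # Same major network as the receiving interface: borrow that interface's mask.
        return ip_network(f"{advertised}/{link.prefixlen}", strict=False)
    # Different major network: fall back to the default mask of the address class.
    return major_network(adv)


def classless_update(subnets, out_link, auto_summary: bool):
    """Prefixes (with masks) a classless protocol such as RIPv2 or EIGRP sends over out_link."""
    out_major = major_network(out_link)
    adverts = set()
    for s in map(_net, subnets):
        if auto_summary and major_network(s) != out_major:
            adverts.add(str(major_network(s)))   # summarized at the classful boundary
        else:
            adverts.add(str(s))                  # every subnet carries its own mask
    return sorted(adverts)


if __name__ == "__main__":
    # Constructed from the 4.3.1 figures: the R1-R2 link 172.16.2.0/24 shares the major
    # network 172.16.0.0 with the LANs; the R2-R3 link 192.168.1.0/24 does not.
    r2_known = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
    for a in classful_update(["172.16.1.0/24"], "172.16.2.0/24"):
        print("R1 -> R2 (classful):", a, "; R2 assumes", classful_receive(a, "172.16.2.0/24"))
    for a in classful_update(r2_known, "192.168.1.0/24"):
        print("R2 -> R3 (classful):", a, "; R3 assumes", classful_receive(a, "192.168.1.0/24"))
    print("R2 -> R3 (classless, auto-summary):", classless_update(r2_known, "192.168.1.0/24", True))
    print("R2 -> R3 (classless, no summary):  ", classless_update(r2_known, "192.168.1.0/24", False))
```

The two receive rules are where a classful receiver can be misled: an address learned on a /24 interface is assumed to be a /24 whatever its real mask, and an address learned across a classful boundary is widened to the whole class, which is exactly the mechanism behind the discontiguous-network problem in section 4.3.4.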

4.3.2 CIDR and Route Summarization Page 1: The rapid growth of the Internet has caused the number of routes to networks around the world to increase dramatically. This growth results in heavy loads on Internet routers. A VLSM addressing scheme allows for route summarization, which reduces the number of routes advertised.

Route summarization groups contiguous subnets or networks using a single address. Route summarization is also known as route aggregation and occurs at a network boundary on a boundary router.

Summarization decreases the number of entries in routing updates and lowers the number of entries in local routing tables. It also reduces bandwidth utilization for routing updates and results in faster routing table lookups.

Route summarization is synonymous with the term supernetting. Supernetting is the opposite of subnetting. Supernetting joins multiple smaller contiguous networks together.

If the network bits are greater than the default value for that class, this represents a subnet. An example is 172.16.3.0/26. For a Class B address, any network prefix value greater than /16 is a subnet.

If the network bits are less than the default value for the class value, this represents a supernet. An example is 172.16.0.0/14. For a Class B address, any network prefix less than /16 represents a supernet.

4.3.2 - CIDR and Route Summarization The diagram depicts an example of route summarization. Router R1 is associated with the networks 192.168.48.0/24, 192.168.49.0/24, 192.168.50.0/24, and 192.168.51.0/24. Router R2 is associated with the networks 192.168.52.0/24, 192.168.53.0/24, 192.168.54.0/24, and 192.168.55.0/24. Router R3 is associated with the networks 192.168.56.0/24 through 192.168.63.0/24. When the networks associated with each router are advertised to the next-hop router, one summarized network address is sent rather than multiple individual network addresses. R1 is connected to router R4 via a serial link labeled 192.168.48.0/22. R2 is connected to R4 via a serial link labeled 192.168.52.0/22. R3 is connected to R4 via a serial link labeled 192.168.56.0/21. R4 is connected to an ISP via a serial connection labeled 192.168.48.0/20.

Page 2: A border router advertises all of the known networks within an enterprise to the ISP. If there are eight different networks, the router would have to advertise all eight. If every enterprise followed this pattern, the routing table of the ISP would be huge.

Using route summarization, a router groups the networks together, if they are contiguous, and advertises them as one large group. For example, a company has a single listing in the phone book for its main office, even though you can dial individual employee extensions directly.

It is easier to perform summarization if the addressing scheme is hierarchical. Assign similar networks to the same enterprise so that grouping them using CIDR is possible.

4.3.2 - CIDR and Route Summarization The diagram depicts route summarization between multiple networks. Two routers are connected to a third router, which connects to a fourth router within an ISP cloud. The networks connected to the first two routers are 192.168.4.0/24 and 192.168.6.0/24 respectively. The addresses of their links to the third router are 192.168.5.0/24 and 192.168.7.0/24 respectively. The connection between the third and fourth routers carries the summary route 192.168.4.0/22.

Summary Route: all four of these networks have the first 22 bits in common:
192.168.4.0 = 11000000 10101000 000001 00 00000000
192.168.5.0 = 11000000 10101000 000001 01 00000000
192.168.6.0 = 11000000 10101000 000001 10 00000000
192.168.7.0 = 11000000 10101000 000001 11 00000000
These four networks are advertised as 192.168.4.0/22, or 192.168.4.0 255.255.252.0.

Page 3:

4.3.2 - CIDR and Route Summarization The diagram depicts an activity in which you must determine whether each IP address with its CIDR prefix is a subnet or a route summary.
A. 172.24.0.0/14
B. 192.168.17.192/26
C. 10.24.0.0/16
D. 172.17.4.0/24
E. 10.0.100.0/24
F. 172.128.0.0/12
G. 192.168.0.0/23

4.3.3 Calculating Route Summarization Page 1: Calculating a route summary means combining several networks into a single address. This process is performed in three steps.

Step 1

List the networks in binary format.

Step 2

Count the number of left-most matching bits to determine the mask for the summary route. This number represents the network prefix or subnet mask for the summarized route. An example is /14 or 255.252.0.0.

Step 3

Determine the summarized network address. Copy the matching bits and then add 0 bits to the end. A quicker method is to use the lowest network value.

If a contiguous hierarchical addressing scheme is not used, it may not be possible to summarize routes. If the network addresses do not have common bits from left to right, a summary mask cannot be applied.
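The three steps above, as a Python function added here as a worked example rather than course code. summarize lists the prefixes in binary (step 1), counts the leading bits shared by the lowest and highest addresses, which are exactly the bits shared by all of them (step 2), and masks the lowest address (step 3). It also reports how many addresses the summary covers that are not in the list, which is the check worth making before a summary is advertised to an ISP, and it refuses when there are no common bits at all. classify applies the subnet/supernet rule from 4.3.2. Function names and the sample inputs, taken from the figures, are this example's own.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network


def _net(n) -> IPv4Network:
    """Accept a string prefix (a bare address becomes /32) or an IPv4Network."""
    return n if isinstance(n, IPv4Network) else ip_network(n, strict=False)


def classful_prefixlen(net) -> int:
    """Default prefix length for the address class of net: A /8, B /16, C /24."""
    first = int(_net(net).network_address) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no default mask")


def classify(net) -> str:
    """'subnet' if the prefix is longer than the class default, 'supernet' if shorter."""
    n = _net(net)
    default = classful_prefixlen(n)
    if n.prefixlen > default:
        return "subnet"
    if n.prefixlen < default:
        return "supernet"
    return "classful network"


def to_binary(net) -> str:
    """Step 1: dotted binary form of the network address."""
    return ".".join(f"{octet:08b}" for octet in _net(net).network_address.packed)


def summarize(networks):
    """Steps 2 and 3. Returns (summary prefix, overclaimed), where overclaimed is the
    number of addresses inside the summary that belong to none of the listed networks
    (0 means the summary is exact). Assumes the listed networks do not overlap."""
    nets = [_net(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.network_address) for n in nets)
    # Step 2: the leftmost bits common to every address are those common to the
    # lowest and highest address; XOR them and count the bits above the first difference.
    common = 32 - (lo ^ hi).bit_length()
    # The summary must cover the whole range of each member, so it can never be
    # longer than the shortest member prefix.
    prefixlen = min(common, min(n.prefixlen for n in nets))
    if prefixlen == 0:
        raise ValueError("no common leading bits: these networks cannot be summarized")
    # Step 3: keep the matching bits and zero the rest (masking the lowest address).
    summary = ip_network(f"{IPv4Address(lo)}/{prefixlen}", strict=False)
    covered = sum(n.num_addresses for n in nets)
    return str(summary), summary.num_addresses - covered


if __name__ == "__main__":
    # Constructed from the 4.3.3 figure.
    group = ["172.20.0.0/16", "172.21.0.0/16", "172.22.0.0/16", "172.23.0.0/16"]
    for g in group:
        print(f"{g:16} {to_binary(g)}")
    print("summary:", summarize(group))
    # Gap in the block: the summary still forms, but now claims 512 addresses nobody owns.
    print("with a gap:", summarize(["192.168.1.0/24", "192.168.3.0/24"]))
    print(classify("172.16.3.0/26"), classify("172.16.0.0/14"))
```

A non-zero overclaimed value is the practical reading of the caveat above: the networks may still share leading bits, but the resulting summary attracts traffic for address space the router cannot deliver to.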

4.3.3 - Calculating Route Summarization The diagram depicts the steps in the summarization process.
Step 1: List the IP addresses you want to summarize.
172.20.0.0 = 10101100.00010100.00000000.00000000
172.21.0.0 = 10101100.00010101.00000000.00000000
172.22.0.0 = 10101100.00010110.00000000.00000000
172.23.0.0 = 10101100.00010111.00000000.00000000
Step 2: The first 14 bits of each of these addresses are the same, so the number of matching bits is 14.
Step 3: Copy the matching bits and add zero bits to determine the network address.
172.20.0.0 = 10101100.00010100.00000000.00000000

Page 2:

4.3.3 - Calculating Route Summarization The diagram depicts an activity in which you must select the best summary route for each of the contiguous address groups shown. Select the answer that represents a summarization of each group of networks.
Group 1: 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24
Which of the following addresses does Group 1 summarize to?
a. 192.168.4.0/22
b. 192.168.1.0/26
c. 192.168.4.0/26
d. 192.168.0.0/22
Group 2: 172.16.0.0/16, 172.17.0.0/16
Which of the following addresses does Group 2 summarize to?
a. 172.16.0.0/15
b. 172.16.0.0/17
c. 172.17.0.0/15
d. 172.17.0.0/17
Group 3: 10.3.5.0/27, 10.3.5.32/27, 10.3.5.64/27, 10.3.5.96/27, 10.3.5.128/27, 10.3.5.160/27, 10.3.5.192/27, 10.3.5.224/27
Which of the following addresses does Group 3 summarize to?
a. 10.3.5.0/28
b. 10.3.5.0/25
c. 10.3.5.0/24
d. 10.3.5.0/26

Page 3: Lab Activity

Determine summarized routes to reduce the number of entries in routing tables.

4.3.3 - Calculating Route Summarization Link to Hands-on Lab: Calculating Route Summarization Determine summarized routes to reduce the number of entries in routing tables.

4.3.4 Discontiguous Subnets Page 1: Either an administrator configures route summarization manually or certain routing protocols perform the same function automatically. RIPv1 and EIGRP are examples of routing protocols that perform automatic summarization. It is important to control the summarization so that routers do not advertise misleading networks.

Suppose that three routers each connect to Ethernet interfaces with addresses using subnets from a Class C network, such as 192.168.3.0. The three routers also connect to each other via serial interfaces configured using another major network, such as 172.16.100.0/24. Classful routing results in each router advertising the major Class C network without a subnet mask. As a result, the middle router receives advertisements about the same network from two different directions. This scenario is called a discontiguous network.

Discontiguous networks cause unreliable or suboptimal routing. To avoid this condition, an administrator can:

Modify the addressing scheme, if possible
Use a classless routing protocol, such as RIPv2 or OSPF
Turn automatic summarization off
Manually summarize at the classful boundary

4.3.4 - Discontiguous Subnets The diagram depicts an example of a discontiguous network. Router R1 is connected from its S0/0/0 port to the S0/0/0 port of router R2. The network address of the serial connection is 172.16.100.4/30. R2 is connected from its S0/0/1 port to the S0/0/1 port of router R3. The network address of the serial connection is 172.16.100.8/30. R1 is connected via Fa0/1 to switch S1 on the network 192.168.3.0/26. R2 is connected via Fa0/0 to switch S2 on the network 192.168.2.0/24. R3 is connected via Fa0/0 to switch S4 on the network 192.168.3.64/26. R3 is connected via Fa0/1 to switch S3 on the network 192.168.3.128/26.

Page 2: Even after careful planning, it is still possible to have a situation in which a discontiguous network exists. The following traffic and routing patterns help to identify this situation:

One router does not have any routes to the LANs attached to another router, even though it is configured to advertise them.
A middle router has two equal-cost paths to a major network, although the subnets are separated on several network segments.
A middle router is load balancing traffic destined for any subnet of a major network.
A router appears to be receiving only half of the traffic.

4.3.4 - Discontiguous Subnets The animation depicts the effects of discontiguous networks. Router R1 is connected from its S0/0 port, addressed 172.16.100.5, via a serial connection to the S0/0 port of router R2. The network address of the serial connection is 172.16.100.4/30. R2 is connected from its S0/1 port via a serial connection to the S0/1 port of router R3, which is addressed 172.16.100.10. The network address of the serial connection is 172.16.100.8/30. R1 is connected via Fa0/1 to a switch on the network 192.168.3.0/26. R2 is connected via Fa0/0 to a switch on the network 192.168.2.0/24. R3 is connected via Fa0/0 to a switch on the network 192.168.3.64/26. R3 is connected via Fa0/1 to a switch on the network 192.168.3.128/26. A host, H1, is connected to the switch attached to R2. Another host, H2, with the address 192.168.3.130, is connected to the switch attached to the Fa0/1 port of R3.

R2 Routing Table:
Gateway of last resort is not set
     172.16.0.0/30 is subnetted, 2 subnets
C       172.16.100.8 is directly connected, Serial0/1
C       172.16.100.4 is directly connected, Serial0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/0
R    192.168.3.0/24 [120/1] via 172.16.100.10, 00:00:05, Serial0/1
                    [120/1] via 172.16.100.5, 00:00:18, Serial0/0

H1 says, I am sending a message to 192.168.3.130. H1 sends out its packets, which are propagated through the network and dropped at R1, but forwarded by R3 to H2 on the 192.168.3.128/26 network.
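The symptoms listed above can be checked against a routing table. The following Python is an added example, not course code, that models R2's table from the figure twice: once as learned from a classful protocol, and once as learned from a classless protocol with automatic summarization disabled. discontiguous_symptoms flags a major network that has several equal-cost paths, and delivered_fraction shows why only half of H1's traffic to 192.168.3.130 arrives. The table contents, the REACHABLE_VIA map of what each neighbour can actually deliver to, and the function names are constructed for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed from the 4.3.4 figure: R2's table with a classful protocol (RIPv1).
CLASSFUL_TABLE = {
    "172.16.100.4/30": ["connected"],
    "172.16.100.8/30": ["connected"],
    "192.168.2.0/24": ["connected"],
    "192.168.3.0/24": ["172.16.100.10", "172.16.100.5"],   # two equal-cost paths
}

# The same router after switching to a classless protocol with auto-summary off.
CLASSLESS_TABLE = {
    "172.16.100.4/30": ["connected"],
    "172.16.100.8/30": ["connected"],
    "192.168.2.0/24": ["connected"],
    "192.168.3.0/26": ["172.16.100.5"],     # R1's LAN
    "192.168.3.64/26": ["172.16.100.10"],   # R3's LANs
    "192.168.3.128/26": ["172.16.100.10"],
}

# Which subnets each neighbour can really deliver to (constructed from the figure).
REACHABLE_VIA = {
    "172.16.100.5": ["192.168.3.0/26"],
    "172.16.100.10": ["192.168.3.64/26", "192.168.3.128/26"],
}


def classful_prefixlen(first_octet: int) -> int:
    """Default prefix length for the address class: A /8, B /16, C /24."""
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def lookup(table, dst):
    """Longest-prefix match: return (prefix, next_hops), or None if nothing matches."""
    addr = ip_address(dst)
    best = None
    for prefix, hops in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, hops)
    return best


def discontiguous_symptoms(table):
    """Routes showing the textbook symptom: a classful major network with more than one
    equal-cost path, i.e. the same network learned from two directions."""
    flagged = []
    for prefix, hops in table.items():
        net = ip_network(prefix)
        first = int(net.network_address) >> 24
        if len(hops) > 1 and net.prefixlen == classful_prefixlen(first):
            flagged.append(prefix)
    return flagged


def delivered_fraction(table, dst) -> float:
    """Share of packets for dst that arrive when the router balances evenly over the
    next hops of the matching route (connected routes always deliver)."""
    match = lookup(table, dst)
    if match is None:
        return 0.0
    addr = ip_address(dst)
    hops = match[1]
    good = sum(
        1 for h in hops
        if h == "connected" or any(addr in ip_network(n) for n in REACHABLE_VIA.get(h, []))
    )
    return good / len(hops)


if __name__ == "__main__":
    for name, table in (("classful", CLASSFUL_TABLE), ("classless", CLASSLESS_TABLE)):
        print(name, "symptoms:", discontiguous_symptoms(table),
              "| route for 192.168.3.130:", lookup(table, "192.168.3.130"),
              "| delivered:", delivered_fraction(table, "192.168.3.130"))
```

With the classful table the only route for 192.168.3.130 is the /24 with two next hops, so half the packets go to R1, which has no such host and drops them; with per-subnet routes the longest match picks R3 alone and everything is delivered.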

Page 3: Lab Activity

Configure a LAN with discontiguous networks to view the results.

4.3.4 - Discontiguous Subnets Link to Hands-on Lab: Configuring a LAN with Discontiguous Subnets Configure a LAN with discontiguous networks to view the results.

4.3.5 Subnetting and Addressing Best Practices Page 1: Properly implementing a VLSM addressing scheme is essential for creating a hierarchical network. When creating a VLSM addressing scheme, follow these basic guidelines:

Use newer routing protocols that support VLSM and discontiguous subnets.
Disable auto-summarization if necessary.
Use the same routing protocol throughout the network.
Keep the router IOS up-to-date to support the use of subnet zero.
Avoid intermixing private network address ranges in the same internetwork.
Avoid discontiguous subnets where possible.
Use VLSM to maximize address efficiency.
Assign VLSM ranges based on requirements from the largest to the smallest.
Plan for summarization using hierarchical network design and contiguous addressing design.
Summarize at network boundaries.
Use /30 ranges for WAN links.
Allow for future growth when planning for the number of subnets and hosts supported.

4.3.5 - Subnetting and Addressing Best Practices The diagram depicts an example of a hierarchical addressing scheme created using best practices. The core router is connected to four routers with /16 networks. These then connect to complex networks using the best-practice hierarchical addressing schemes.
Router 10.1.0.0/16 is connected to networks: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24
Router 10.2.0.0/16 is connected to networks: 10.2.1.0/24, 10.2.2.0/24, 10.2.3.0/24, 10.2.4.0/24, 10.2.5.0/24, 10.2.6.0/24
Router 10.3.0.0/16 is connected to networks: 10.3.0.16/28, 10.3.0.32/28, 10.3.0.48/28, 10.3.0.64/28
Router 10.4.0.0/16 is connected to networks: 10.4.16.0/20, 10.4.32.0/20, 10.4.48.0/20, 10.4.64.0/20

4.4 Using NAT and PAT


4.4.1 Private IP Address Space Page 1:

In addition to VLSM and CIDR, the use of private addressing and Network Address Translation (NAT) further improved the scalability of the IPv4 address space.

Private addresses are available for anyone to use in an enterprise network because they are routed only internally; they never appear on the Internet.

RFC 1918 governs the use of the private address space.

Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255

Using private addressing has these benefits:

It alleviates the high cost associated with the purchase of public addresses for each host.
It allows thousands of internal employees to use a few public addresses.
It provides a level of security, because users from other networks or organizations cannot see the internal addresses.

4.4.1 - Private IP Address Space The diagram depicts the use of private network addressing for Classes A, B, and C. Three network clouds each have a dedicated router. Each edge router is connected to one of three other routers that form the Internet cloud. The first cloud has 192.168.1.0 Class C Private Network addresses. The second cloud has 10.0.0.0 Class A Private Network addresses and the third cloud has 172.16.0.0 Class B Private Network addresses. The first cloud has a switch and three computers connected. The second cloud has three switches and 10 computers connected. The third cloud has two switches and seven computers connected.

Page 2: When implementing a private addressing scheme for the internal network, apply the same hierarchical design principles that are associated with VLSM.

Although private addresses are not routed on the Internet, they are frequently routed in the internal network. Problems associated with discontiguous networks still occur when using private addresses; therefore, carefully design the addressing scheme.

Be sure that the addresses are properly distributed according to the concepts of VLSM. Also, use valid boundaries and hierarchical IP addressing best practices for effective use of address summarization.

4.4.1 - Private IP Address Space The diagram depicts the use of private addresses with VLSM, showing four routers connected in a star topology. R1 is connected to R2 via the network address 10.1.0.0/16, to R3 via the network address 10.2.0.0/16, and to R4 via the network address 10.3.0.0/16. R1 is directly connected to a network cloud with the network address 10.0.0.0/8.

Page 3:

4.4.1 - Private IP Address Space The diagram depicts an activity in which you must determine whether each IP address is public or private.
A. 172.16.35.2
B. 209.165.200.226
C. 192.168.3.5
D. 10.168.21.3
E. 209.165.202.130
F. 209.165.201.30
G. 192.168.11.5

4.4.2 NAT at the Enterprise Edge Page 1: Many organizations want the benefits of private addressing while connecting to the Internet. Organizations create huge LANs and WANs with private addressing and connect to the Internet using Network Address Translation (NAT).

NAT translates internal private addresses into one or more public addresses for routing onto the Internet. NAT changes the private IP source address inside each packet to a publicly registered IP address before sending it out onto the Internet.

Small to medium organizations connect to their ISPs through a single connection. The local boundary router configured with NAT connects to the ISP. Larger organizations may have multiple ISP connections, and the boundary router at each of these locations performs NAT.

Using NAT on boundary routers improves security. Internal private addresses translate to different public addresses each time. This hides the actual address of hosts and servers in the enterprise. Most routers that implement NAT also block packets coming from outside the private network unless they are a response to a request from an inside host.

4.4.2 - NAT at the Enterprise Edge The diagram depicts the configuration of NAT at the border router connected to the ISP router. Router R1 and a switch, S1, are directly connected. Connected to the switch are two computers, labeled H1 and H3. H1 is the source and has the IP address 192.168.1.106, which is part of the Inside Global Addressing scheme. R1 is the border router for this network. It is connected via a serial link to the ISP router (cloud). On the other side of the cloud is the destination, H2, with the IP address 209.165.200.226. This network is part of the Outside Global Addressing scheme. The address for H1 before the translation is the private address 192.168.1.106. After the translation, the address for H1 is the public address 209.165.202.129.

4.4.3 Static and Dynamic NAT Page 1: NAT can be configured statically or dynamically.

Static NAT maps a single inside local address to a single global, or public address. This mapping ensures that a particular inside local address always associates with the same public address. Static NAT ensures that outside devices consistently reach an internal device. Examples include Web and FTP servers accessible to the public.

Dynamic NAT uses an available pool of Internet public addresses and assigns them to inside local addresses. Dynamic NAT assigns the first available IP address in the pool of public addresses to an inside device. That host uses the assigned global IP address throughout the length of the session. Once the session ends, the outside global address returns to the pool for use by another host.

The address that one internal host uses to connect to another internal host is the inside local address. The public address assigned to the organization is called the inside global address. The inside global address is sometimes used as the address of the external interface of the border router.

The NAT router manages the translations between the inside local addresses and the inside global addresses by maintaining a table that lists each address pair.

4.4.3 - Static and Dynamic NAT The animation depicts the addressing configuration using two processes, Static NAT and Dynamic NAT.

Host H3, within a cloud, has been configured with the public IP address 209.165.202.130. H3 connects via a serial link in the cloud to router R1. R1 has a switch directly connected. Two computers, H1 and H2, are connected to the switch. H1 and H2 have been configured with the private IP addresses 192.168.2.18 and 192.168.2.19 respectively. Also connected to R1 is the web server with the private IP address 192.168.1.200. In the Static NAT process, H3 sends a message out to R1 using the source IP address 209.165.202.130 and the destination IP address 209.165.200.225, which is the Inside Global address of R1. R1 references its NAT table and changes the destination IP to the Inside Local address 192.168.1.200 (web server). The web server responds with a destination IP address of H3, the original requester, 209.165.202.130, and a source address of the inside local address (web server) 192.168.1.200. R1 maps the Inside Local address 192.168.1.200 to the Inside Global address 209.165.200.225, which becomes the new source address. Static NAT is configured manually and remains permanently in the table. In the Dynamic NAT process, H2 sends a message to R1 using the source IP address 192.168.2.19 and the destination IP address for H3, which is 209.165.202.130. R1 references its NAT table and changes the Inside Local source IP address 192.168.2.19 to a public address, 209.165.200.226, which is taken from its pool of public IPs, 209.165.200.224/27. H3 responds to H2 using the Inside Global public IP 209.165.200.226. R1 references its NAT table and sees that the Inside Global address 209.165.200.226 maps to the Inside Local address 192.168.2.19. When H2 receives the response and the session is complete, the NAT entry is removed from the NAT table of R1.

Page 2: When configuring either static or dynamic NAT:

List any servers that require a permanent outside address.
Determine which internal hosts require translation.
Determine which interfaces source the internal traffic. These will become the inside interfaces.
Determine which interface sends traffic to the Internet. This will become the outside interface.
Determine the range of public addresses available.

Configuring Static NAT

1. Determine the public IP address that outside users should use to access the inside device or server. Administrators tend to use addresses from either the beginning or the end of the range for static NAT. Map the inside, or private, address to the public address.

2. Configure the inside and outside interfaces.

Configuring Dynamic NAT

1. Identify the pool of public IP addresses available for use.

2. Create an access control list (ACL) to identify hosts that require translation.

3. Assign interfaces as either inside or outside.

4. Link the access list with the address pool.

An important part of configuring dynamic NAT is the use of the standard access control list (ACL). The standard ACL is used to specify the range of hosts that require translation. This is done in the form of a permit or deny statement. The ACL can include an entire network, a subnet or just a specific host. The ACL can range from a single line to several permit and deny statements.

4.4.3 - Static and Dynamic NAT The diagram depicts sample configurations for two scenarios, Static NAT and Dynamic NAT. In the Static NAT scenario, a man sitting at his desk in front of a computer says, "Static NAT maps a single private address to a specific public address." In the Dynamic NAT scenario, a man sitting at his desk in front of a computer says, "Dynamic NAT maps multiple private addresses to multiple public addresses."

Static NAT output:
R1# show running-config
(*** output omitted ***)
ip nat inside source static 172.31.232.14 209.165.202.130
interface fastethernet 0/0
 ip address 172.31.252.182 255.255.255.0
 ip nat inside
interface serial 0/0/0
 ip address 209.165.202.1 255.255.255.0
 ip nat outside

Dynamic NAT output:
R1# show running-config
(*** output omitted ***)
access-list 1 permit 172.31.232.0 0.0.0.255
ip nat pool pub-ADDR 209.165.202.131 209.165.202.140 netmask 255.255.255.0
ip nat inside source list 1 pool pub-ADDR
interface fastethernet 0/0
 ip address 172.31.202.182 255.255.255.0
 ip nat inside
interface serial 0/0/0
 ip address 209.165.202.1 255.255.255.0
 ip nat outside

Page 3: Lab Activity

Configure and verify static NAT.

4.4.3 - Static and Dynamic NAT Link to Hands-on Lab: Configuring and Verifying Static NAT Configure and verify static NAT.

Page 4: Lab Activity

Configure and verify dynamic NAT.

4.4.3 - Static and Dynamic NAT Link to Hands-on Lab: Configuring and Verifying Dynamic NAT Configure and verify dynamic NAT.

4.4.4 Using PAT

Page 1: One of the more popular variations of dynamic NAT is known as Port Address Translation (PAT), also referred to as NAT Overload. PAT dynamically translates multiple inside local addresses to a single public address.

When a source host sends a message to a destination host, it uses an IP address and port number combination to keep track of each individual conversation. In PAT, the gateway router translates the local source address and port number combination to a single global IP address and a unique port number above 1024.

A table in the router contains a list of the internal IP address and port number combinations that are translated to the external address. Although each host translates into the same global IP address, the port number associated with the conversation is unique.

Since over 64,000 ports are available, a router is unlikely to run out of addresses.

Both enterprise and home networks take advantage of PAT functionality. PAT is built into integrated routers and is enabled by default.
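The static, dynamic and PAT behaviour described in 4.4.3 and this section, together with the inbound blocking noted in 4.4.2, modelled in Python as an added example. It is a constructed model of a NAT table, not IOS code and not its configuration syntax. The class and method names (NatRouter, outbound, inbound, end_session) are this example's own, as is the port-allocation rule, which keeps the host's own port when it is free and above 1024 and otherwise takes the next free port; the addresses are those used in the figures.

```python
class NatRouter:
    """Simplified model of a border router's NAT table (constructed example, not IOS).

    static        - inside local -> inside global, permanent, one-to-one
    pool          - free inside global addresses handed out by dynamic NAT
    overload_addr - the single inside global address shared by PAT (NAT overload)
    """

    def __init__(self, static=None, pool=None, overload_addr=None):
        self.static = dict(static or {})
        self.pool = list(pool or [])
        self.overload_addr = overload_addr
        self.dynamic = {}        # inside local -> inside global, lives for one session
        self.pat = {}            # (inside local, local port) -> global port
        self.used_ports = set()  # global ports currently allocated on overload_addr

    def outbound(self, src_ip, src_port):
        """Translate an inside->outside packet; returns (inside global, port), or None if
        there is nothing to translate to and the packet is dropped."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if src_ip in self.dynamic:
            return self.dynamic[src_ip], src_port
        if self.pool:                                   # dynamic NAT: first free pool address
            self.dynamic[src_ip] = self.pool.pop(0)
            return self.dynamic[src_ip], src_port
        if self.overload_addr:                          # PAT: one address, unique port per flow
            key = (src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = self._allocate_port(src_port)
            return self.overload_addr, self.pat[key]
        return None                                     # pool exhausted, no overload address

    def _allocate_port(self, wanted):
        # Keep the host's port when it is free and above 1024; otherwise take the next free one.
        port = wanted if wanted > 1024 and wanted not in self.used_ports else 1025
        while port in self.used_ports:
            port += 1
        self.used_ports.add(port)
        return port

    def inbound(self, dst_ip, dst_port):
        """Translate an outside->inside packet; None means no table entry, so the packet
        is dropped (unsolicited inbound traffic never reaches an inside host)."""
        for local, glob in list(self.static.items()) + list(self.dynamic.items()):
            if glob == dst_ip:
                return local, dst_port
        if dst_ip == self.overload_addr:
            for (local, lport), gport in self.pat.items():
                if gport == dst_port:
                    return local, lport
        return None

    def end_session(self, src_ip, src_port=None):
        """Dynamic and PAT entries are released when the session ends (or age out);
        static entries never are."""
        if src_ip in self.dynamic:
            self.pool.append(self.dynamic.pop(src_ip))
        if (src_ip, src_port) in self.pat:
            self.used_ports.discard(self.pat.pop((src_ip, src_port)))


if __name__ == "__main__":
    # Static NAT for the web server plus a two-address dynamic pool (figure in 4.4.3).
    r1 = NatRouter(static={"192.168.1.200": "209.165.200.225"},
                   pool=["209.165.200.226", "209.165.200.227"])
    print("web server out:", r1.outbound("192.168.1.200", 80))
    print("H2 out:        ", r1.outbound("192.168.2.19", 3012))
    print("unsolicited in:", r1.inbound("209.165.200.228", 80))
    # PAT: every inside host shares the serial interface address (figure in 4.4.4).
    pat = NatRouter(overload_addr="209.165.202.2")
    print("H2 out:", pat.outbound("192.168.2.19", 3012))
    print("H1 out:", pat.outbound("192.168.2.18", 4177))
    print("port clash:", pat.outbound("192.168.2.20", 3012))
```

The inbound path is where the security benefit mentioned in 4.4.2 comes from: a packet from the outside is forwarded only if its destination address (and, under PAT, port) is already in the table, so it must be a reply to something an inside host started, or a static entry the administrator created on purpose.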

4.4.4 - Using PAT The animation depicts the PAT process. A web server within a network cloud is connected via a serial link to router R1. R1 is connected to a switch, which is connected to two computers, H1 and H2. H2 sends an HTTP message with the source IP address 192.168.2.19 and source port number 3012. The destination IP address is 209.165.202.130 and the destination port number is 80. R1 records the request of H2 as follows: the Inside Local address is 192.168.2.19:3012, and the Inside Global address is 209.165.202.2. The Outside Global address is 209.165.201.130:80, and the Outside Local address is 209.165.201.130:80. The unique public address consists of the serial interface IP address plus a port number. The Inside Global address adds a port number following the address, as 209.165.202.2:3012. H1 sends an HTTP message. The source IP address is 192.168.2.18 and the source port number is 4177. The destination IP address is 209.165.202.130 and the destination port number is 80. The Inside Local address is 192.168.2.18 and the Inside Global address is 209.165.202.2:4177. The Outside Global address is 209.165.201.130:80 and the Outside Local address is 209.165.201.130:80.

Page 2: Configuring PAT requires the same basic steps and commands as configuring NAT. However, instead of translating to a pool of addresses, PAT translates to a single address. The following command translates the inside addresses to the IP address of the serial interface:

ip nat inside source list 1 interface serial 0/0/0 overload

Verify NAT and PAT functionality with the following commands.

show ip nat translations

This command displays active translations. If the translation is not used, it ages out after a period of time. Static NAT entries remain in the table permanently. A dynamic NAT entry requires some action from the host to a destination on the outside of the network. If configured correctly, a simple ping or trace creates an entry in the NAT table.

show ip nat statistics

This command displays translation statistics, including the number of addresses used and the number of hits and misses. The output also includes the access list that specifies internal addresses, the global address pool, and the range of addresses defined.

4.4.4 - Using PAT The diagram displays a configuration output example of Dynamic PAT and an example of the output seen when verifying PAT.

Dynamic PAT. The output from the show running-config command is listed below:
R1# show running-config
(*** output omitted ***)
access-list 1 permit 172.31.232.0 0.0.0.255
ip nat inside source list 1 interface serial 0/0/0 overload
interface fastethernet 0/0
 ip address 172.31.252.182 255.255.255.0
 ip nat inside
interface serial 0/0/0
 ip address 209.165.202.1 255.255.255.0
 ip nat outside

A man sitting at a desk in front of a computer says, I have to configure PAT since we are converting all of our private addresses into one public address.

When the Verifying PAT button is selected, the output on router R1 is seen as follows:
R1# show ip nat translations
Pro  Inside Global          Inside Local          Outside Local          Outside Global
---  209.165.202.130        172.31.252.14         ---                    ---
icmp 209.165.202.131:512    172.31.232.1:512      209.165.202.1:512      209.165.202.1:512
udp  209.165.202.131:1067   172.31.232.2:1067     209.165.202.2:53       209.165.202.2:53
tcp  209.165.202.131:1028   172.31.232.3:1028     209.165.202.3:80       209.165.202.3:80

R1# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0/0/0
Inside interfaces:
  FastEthernet0/0
Hits: 47  Misses: 0
Expired translations: 5
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 1 pool pub-addr refcount 4
 pool pub-addr: netmask 255.255.255.0
        start 209.165.202.131 end 209.165.202.140
        type generic, total addresses 10, allocated 2 (20%), misses 0

Page 3: Lab Activity

Configure and verify PAT.

Click the lab icon to begin.

4.4.4 - Using PAT Link to Hands-on Lab: Configuring and verifying PAT Configure and verify PAT.

4.5 Chapter Summary


4.5.1 Summary Page 1:

4.5.1 - Summary

Diagram 1, Image: The diagram depicts a hierarchical network in which three separate LANs are connected to routers that converge on a single router before connecting to the network cloud.

Diagram 1 text: A single broadcast domain is a non-hierarchical or flat network. A hierarchical addressing structure logically groups networks into smaller sub-networks. A hierarchical network design simplifies network management and improves scalability and performance.

Diagram 2, Image: The diagram depicts a network, 10.3.2.0 /24, that has been subnetted using the /28 mask.

Diagram 2 text: With basic or standard subnetting, each subnet is the same size and has the same number of hosts. Variable Length Subnet Masking (VLSM) enables routers to use route summarization to reduce the size of routing tables. VLSM enables different masks for each subnet. A subnet can be further subnetted, creating sub-subnets. VLSM requires classless routing protocols. When implementing VLSM, ensure room for growth in the number of subnets and hosts available.

Diagram 3, Image: The diagram depicts how known networks are summarized into a summary route.

Diagram 3 text: Classful IP addressing determines the subnet mask of a network address by the value of the first octet. With CIDR, the network address is not determined by the class of the address. Instead it is determined by the prefix length. Route summarization groups contiguous subnets using a single address and shorter mask to reduce the number of routes advertised. Route summarization, route aggregation, or supernetting is done at network boundaries on a boundary router. The use of classful routing protocols can create the issue of discontiguous networks.

Diagram 4, Image: The diagram depicts how routers use NAT to translate addresses and forward packets.

Diagram 4 text: Private addresses are used and routed internally, but are not routed on the Internet. NAT translates private addresses into public addresses that route into the Internet. Static NAT maps a single inside local address to a single inside global (public) address. Dynamic NAT uses an available pool of public addresses and assigns them to inside local addresses. PAT translates multiple local addresses to a single global IP address.

4.6 Chapter Quiz


4.6.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

4.6.1 - Quiz Chapter 4 Quiz: Addressing in an Enterprise Network

1. What is the best route summarization for the following list of networks?
Networks: 209.48.200.0, 209.48.201.0, 209.48.202.0, 209.48.203.0
A. 209.48.200.0 /20
B. 209.48.200.0 /22
C. 209.48.201.0 /20
D. 209.48.201.0 /21

2. Given a host with the IP address 172.32.65.13 and a default subnet mask, to which network does the host belong?
A. 172.32.65.0
B. 172.32.65.32
C. 172.32.0.0
D. 172.32.32.0

3. A Class C network address has been subnetted into eight subnetworks. Using VLSM, the last subnet will be divided into eight smaller subnetworks. What bit mask must be used to create eight smaller subnetworks, each having two usable host addresses?
A. /26
B. /27
C. /28
D. /29
E. /30
F. /31

4. Which address is a valid subnet if a 26 bit mask is used for subnetting?
A. 172.16.43.16
B. 172.16.128.32
C. 172.16.243.64
D. 172.16.157.96
E. 172.16.47.224
F. 172.16.192.252

5. A network technician is trying to determine the correct IP address configuration for Host A. What is a valid configuration for Host A? To answer this question refer to the network topology described below.
Network Topology: The network consists of two routers, named Router 1 and Router 2, and one switch, named Switch. Router 1 connects to Router 2 via a serial link through Router 1's IP 192.168.1.1 /24 and Router 2's IP 192.168.1.2 /24. Router 2 connects to the ISP via a serial link using Router 2's IP 10.1.1.5 /30. Router 1 connects to Switch through Router 1's IP 192.168.100.17 /28 and Switch's IP 192.168.100.18 /28. Host A is connected to Switch.
A. IP address: 192.168.100.19; Subnet Mask: 255.255.255.248; Default Gateway: 192.16.1.2
B. IP address: 192.168.100.20; Subnet Mask: 255.255.255.240; Default Gateway: 192.168.100.17
C. IP address: 192.168.100.21; Subnet Mask: 255.255.255.248; Default Gateway: 192.16.100.18
D. IP address: 192.168.100.22; Subnet Mask: 255.255.255.240; Default Gateway: 10.1.1.5
E. IP address: 192.168.100.30; Subnet Mask: 255.255.255.240; Default Gateway: 192.168.1.1
F. IP address: 192.168.100.31; Subnet Mask: 255.255.255.240; Default Gateway: 192.168.100.18

6. What is true regarding the differences between NAT and PAT?
A. PAT uses the word overload at the end of the access-list statement to share a single registered address.
B. Static NAT allows an unregistered address to map to multiple registered addresses.
C. Dynamic NAT allows hosts to receive the same global address each time external access is required.
D. PAT uses unique source port numbers to distinguish between translations.

7. Determine which characteristics correspond to the associated NAT techniques. There will be two characteristics per NAT technique.
Characteristics:
provides one-to-one fixed mappings of local and global addresses
assigns the translated addresses of IP hosts from a pool of public addresses
can map multiple addresses to a single address of the external interface
assigns unique source port numbers of an inside global address on a session-by-session basis
allows external hosts to establish sessions with an internal host
defines translations on a host-to-host basis
NAT Techniques: Dynamic NAT, NAT with Overload, Static NAT

8. Which address is an inside global address? To answer this question refer to the network topology described below.
Network Topology: The network consists of two routers named RTR1 and RTR2, and two switches. RTR1 is connected to RTR2 via a serial link through RTR1's S0/0 and RTR2's S0/0 with the network IP address of 10.10.30.1 /30. RTR1 is connected to a switch via RTR1's Fa0/0 with the network IP address of 10.10.10.0 /24. This switch is connected to a host depicted by a man sitting at a computer. RTR2 is connected to a switch via RTR2's Fa0/0 with the network IP address of 10.10.20.1 /24. This switch is connected to a server with the IP address 10.10.20.5 /24. RTR2 is connected to the Internet via RTR2's S0/0 with the IP address 209.13.24.3 /24.
A. 10.10.20.1
B. 10.10.20.5
C. 10.10.30.1
D. 209.13.24.3

9. The command show ip nat translations has been issued. Which type of NAT translation is being performed? Use the output below to answer this question.
Pro  Inside global       Inside local     Outside local    Outside global
tcp  192.168.3.1:1098    10.1.0.1:1098    209.4.5.6:23     209.4.5.6:23
tcp  192.168.3.1:1345    10.1.0.2:1345    209.4.5.6:23     209.4.5.6:23
tcp  192.168.3.1:1989    10.1.0.3:1989    209.4.5.7:21     209.4.5.7:21
A. NAT static configuration
B. NAT simple configuration
C. NAT overloading configuration
D. NAT overlapping configuration

10. What is the purpose of a subnet mask in a network?
A. A subnet mask is necessary when a default gateway is not specified.
B. A subnet mask is required only when bits are borrowed on a network.
C. A subnet mask is used to identify the network portion of an IP address.
D. A subnet mask is used to separate the 48-bit address into the OUI and the vendor serial number.

11. How many addresses will be available for dynamic NAT translation when a router is configured with the following commands?
Commands:
Router(config)# ip nat pool TAME 10.186.2.24 10.186.2.30 netmask 255.255.255.224
Router(config)# ip nat inside source list 9 pool TAME
A. 6
B. 7
C. 8
D. 9
E. 10



All contents copyright 2007-2008 Cisco Systems, Inc. | Translated by the Cisco Networking Academy.



5 Routing with a Distance Vector Protocol
5.0 Chapter Introduction
5.0.1 Introduction Page 1:

5.0.1 - Introduction Workers today collaborate, communicate, and interact within large companies with complex networks. Network engineers design enterprise networks to provide reliable high-speed communication channels between remote sites. Data moves through the enterprise hierarchy based on the IP address of the remote network. Routing protocols continually exchange information on the best path through the network. After completion of this chapter, you should be able to: Compare and contrast a flat network and a hierarchical routed topology. Configure a network using RIP v2. Describe and plan a network using EIGRP. Design and configure a network using EIGRP.

5.1 Managing Enterprise Networks


5.1.1 Enterprise Networks Page 1: Hierarchical enterprise networks facilitate the flow of information. Information flows between mobile workers and branch offices. These branch offices connect to corporate offices in cities and countries around the world. The organization must create a hierarchy to meet the different network requirements of each part of the company.

Crucial information and services typically reside near the top of the hierarchy, in secured server farms or on storage area networks. The structure expands into many different departments that are spread across the lower part of the hierarchy.

Communication between different levels of the hierarchy requires a combination of LAN and WAN technologies. As the company grows or adds e-commerce operations, a DMZ may be required to house the various servers.

5.1.1 - Enterprise Networks The diagram depicts several enterprise networks and some of the features they may have, such as connections for mobile workers and branch offices, as well as connections to corporate offices, which all connect to the Internet in a hierarchical topology. Also shown are a NOC, a SAN, and two DMZs.

Page 2: Traffic control is essential in an enterprise network. Without it, these networks could not function.

Routers forward traffic and prevent broadcasts from clogging the main channels to crucial services. They control the flow of traffic between LANs, allowing only the required traffic to pass through the network.

Enterprise networks provide a high level of reliability and services. To ensure this, network professionals:

Design networks to provide redundant links to use in case a primary data path fails.

Deploy Quality of Service (QoS) to ensure critical data receives priority treatment.

Use packet filtering to deny certain types of packets, maximize available bandwidth, and protect the network from attacks.

5.1.1 - Enterprise Networks The diagram depicts a corporate network where routers are used to control traffic flows between end users, DMZs, server farms, and the Internet. One worker sitting at his workstation thinks to himself, "My data connection is very fast!" Another worker sitting at her workstation is thinking, "The quality of this VoIP call is really good!" A sinister-looking character trying to access the network via the Internet thinks to himself, "Why can I not get into this network?"

5.1.2 Enterprise Topologies

Page 1: Choosing the right physical topology allows a company to expand its networked services without losing reliability and efficiency. Network designers base their topology decisions upon the enterprise requirements for performance and reliability. The star and mesh topologies are normally deployed in enterprise environments.

Star Topology

One popular physical topology is the star. The center of the star corresponds to the top of the hierarchy, which could be the corporate headquarters or head office. Branch offices at multiple locations connect to the center, or hub, of the star.

A star topology provides centralized control of the network. All crucial services and technical staff can be located in one place. Star topologies are scalable. Adding a new branch office simply requires one more connection to the central point of the star. If an office adds several branches to its territory, each branch office can connect to a center hub in its own area, which then connects back to the main central point at the central office. In this way, a simple star can grow into an extended star, with smaller stars radiating out from the main branch offices.

5.1.2 - Enterprise Topologies The diagram depicts the development of an extended star topology. The routers at the Head Office are connected in star topology to a core router. One of the routers on the edge of the topology connects to Branch 1 and Branch 2, whose networks are also organized in a star topology. This creates an extended star topology for the network.

Page 2: The star and extended star topologies create a single point of failure. Mesh topologies eliminate this problem.

Mesh Topologies

Each additional link provides an alternate pathway for data and adds reliability to the network. With the addition of links, the topology becomes a mesh of interconnected nodes. Each additional link adds cost and overhead. It also adds to the complexity of managing the network.

Partial Mesh

Adding redundant links only to a specific area of an enterprise creates a partial mesh. This topology meets uptime and reliability requirements for critical areas like server farms and SANs, while minimizing additional expenses. The other areas of the network are still vulnerable to failures. Therefore, it is essential to place the mesh where it provides the most benefit.

Full Mesh

When no downtime is acceptable, the network requires a full mesh. Each node in a full mesh topology connects to every other node in the enterprise. This is the most failure-proof topology, but it is also the most expensive to implement.

5.1.2 - Enterprise Topologies The diagram depicts the development of a full mesh topology. Router, R5, connects to four routers, R1 to R4, in a star topology. The edge routers of the star topology begin to interconnect, creating a partial mesh, until each of the routers has a connection to all of the other routers. This topology has become a full mesh topology.

Page 3: The Internet is an excellent example of a meshed network. Devices on the Internet are not under the control of any one individual or organization. As a result, the topology of the Internet is constantly changing, with some links going down and others coming online. Redundant connections balance the traffic and ensure that there is a reliable path to the destination.

Enterprise networks face some of the same issues as the Internet. Therefore, processes are put in place that allow devices to adapt to these constantly changing conditions and reroute traffic as appropriate.

5.1.2 - Enterprise Topologies The diagram depicts a constantly changing network environment. A large meshed network topology with the Internet at its core is displayed. Links in various areas of the network go down occasionally and this network is able to adapt to constant changes.

Page 4: Lab Activity Interconnect network nodes with redundant links to provide reliability at minimal cost.

Click the lab icon to begin.

5.1.2 - Enterprise Topologies Link to Hands-on Lab: Designing and Creating a Redundant Network

5.1.3 Static and Dynamic Routing Page 1: The physical topology of an enterprise network provides the structure for forwarding data. Routing provides the mechanism that makes it work. Finding the best path to the destination becomes very difficult in an enterprise network, because a router can have many sources of information from which to build its routing table.

A routing table is a data file that exists in RAM and stores information about directly connected and remote networks. The routing table associates each network with either an exit interface or a next hop.

The exit interface is the physical path that the router uses to move the data closer to the destination. The next hop is an interface on a connected router that moves the data closer to the final destination.

The table also attaches a number to each route that represents the trustworthiness or accuracy of the source of the routing information. This value is the administrative distance. Routers maintain information about directly connected, static, and dynamic routes.

5.1.3 - Static and Dynamic Routing The diagram depicts a small network. A host is connected to a switch with the network address of 192.168.1.0 /24. This switch is also connected to the Fa0/0 interface of a router. The router is then connected to a second router via a serial link from its S0/0/0 port with the address 192.168.2.1 /24 to the S0/0/0 port of the second router, which has the address 192.168.2.2 /24. The second router is connected to two hosts via Fa0/0 with the network address 192.168.3.0 /24, and Fa0/1 with the network address 192.168.4.0 /24. When the show ip route command is entered on the first router, the following output is given:

R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R    192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:26, Serial0/0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0/0
S    192.168.3.0/24 [1/0] via 192.168.2.2

Routing Information Source: In the above output, the R in the first routing table entry is highlighted. This indicates how the route was learned. Routes might be directly connected, manually entered, or learned from a dynamic routing protocol.

Destination Network Address and Subnet Mask: In the above output, network address 192.168.4.0 /24 in the first routing table entry is highlighted. This is the address and subnet mask of the destination network.

Next Hop: In the above output, IP address 192.168.2.2 in the fourth routing table entry is highlighted. This is the address of the interface on the next router. The information forwarded to this interface moves closer to its final destination.

Exit Interface: In the above output, interface Serial0/0/0 in the first routing table entry is highlighted. This is the exit interface on the router used to move information closer to the final destination.

Administrative Distance and Hop Count: In the above output, [120/1] in the first routing table entry and [1/0] in the fourth routing table entry are highlighted. These are the administrative distance and metric associated with the route. The administrative distance represents the accuracy or trustworthiness of the metric used for cost calculations. The metric is the value used to calculate the cost to reach the destination.

Page 2: Directly Connected Routes

A directly connected network attaches to a router interface. Configuring the interface with an IP address and subnet mask allows the interface to become a host on the attached network. The network address and subnet mask of the interface, along with the interface type and number, appear in the routing table as a directly connected network. The routing table designates directly connected networks with a C.

Static Routes

Static routes are routes that a network administrator manually configures. A static route includes the network address and subnet mask of the destination network, along with the exit interface or the IP address of the next hop router. The routing table designates static routes with an S. Static routes are considered more stable and reliable than routes learned dynamically, which is why they are given a lower administrative distance than dynamic routes.

Dynamic Routes

Dynamic routing protocols also add remote networks to the routing table. Dynamic routing protocols enable routers to share information about the reachability and status of remote networks through network discovery. Each protocol sends and receives data packets while locating other routers and updating and maintaining routing tables. Routes learned through a dynamic routing protocol are identified by the protocol used, for example R for RIP and D for EIGRP, and are assigned the administrative distance of that protocol.

5.1.3 - Static and Dynamic Routing The diagram depicts a host labeled H2 that is connected to a switch with the network address 172.16.1.0 /24. This switch is connected to the Fa0/0 port of a router with the address 172.16.1.1 /24. The router is connected via a serial connection from its port S0/0/1 with the address 172.16.2.2 /24 to the S0/0/0 port of router R1, with the address 172.16.2.1 /24. R1 is then connected to a switch from its Fa0/0 port with the address 172.16.3.1 /24. The switch is then connected to host H1. The first router is connected to a third router from its S0/0/0 port with the address 192.168.1.2 /24 to the third router's S0/0/1 port with the address 192.168.1.1 /24. This third router is connected to a switch on its Fa0/0 port with the address 192.168.2.1 /24. The switch is connected to host H3.

R1# show ip route
Gateway of last resort is not set
     172.16.0.0/16 is subnetted, 3 subnets
R       172.16.1.0/24 [120/1] via 172.16.2.2, 00:00:07, Serial0/0/0
C       172.16.2.0 is directly connected, Serial0/0/0
C       172.16.3.0 is directly connected, FastEthernet0/0
R    192.168.1.0/24 [120/1] via 172.16.2.2, 00:00:07, Serial0/0/0
S    192.168.2.0/14 [1/0] via 172.16.2.2

The entries are then highlighted by type:

Connected
C       172.16.2.0 is directly connected, Serial0/0/0
C       172.16.3.0 is directly connected, FastEthernet0/0

Static
S    192.168.2.0/14 [1/0] via 172.16.2.2

Dynamic
R       172.16.1.0/24 [120/1] via 172.16.2.2, 00:00:07, Serial0/0/0
R    192.168.1.0/24 [120/1] via 172.16.2.2, 00:00:07, Serial0/0/0

Page 3: Packet Tracer Activity Investigate a fully-converged network with connected, static, and dynamic routing.

Click the Packet Tracer icon to begin.

5.1.3 - Static and Dynamic Routing Link to Packet Tracer Exploration: Investigating Connected, Static, and Dynamic Routing

Page 4: Typically, both static and dynamic routes are employed in an enterprise network. Static routing addresses specific network needs. Depending on the physical topology, a static route can be used to control the traffic flow.

Limiting traffic to a single point of entrance/exit creates a stub network. In some enterprise networks, small branch offices have only one possible path to reach the rest of the network. In this situation, it is not necessary to burden the stub router with the routing updates and increased overhead of running a dynamic routing protocol; static routing is therefore beneficial.

Based on their placement and function, specific enterprise routers may also require static routes. Border routers use static routes to provide secure, stable paths to the ISP. Other routers within the enterprise use either static routing or dynamic routing protocols as necessary to meet their needs.

5.1.3 - Static and Dynamic Routing The diagram depicts the topology of a small enterprise network. The ISP router (cloud) connects to the enterprise router via a static route. The enterprise edge router also connects to three internal routers, one of which is connected to a stub network. Static routes are also used to and from the stub network.

Page 5: Routers in an enterprise network use bandwidth, memory, and processing resources to provide NAT/PAT, packet filtering, and other services. Static routing provides forwarding services without the overhead associated with most dynamic routing protocols.

Static routing provides more security than dynamic routing, because no routing updates are required. A hacker could intercept a dynamic routing update to gain information about a network.

However, static routing is not without problems. It requires time and accuracy from the network administrator, who must manually enter routing information. A simple typographical error in a static route can result in network downtime and packet loss. When a static route changes, the network may experience routing errors and problems during manual reconfiguration. For these reasons, static routing is impractical for general use in a large enterprise environment.

5.1.3 - Static and Dynamic Routing The diagram depicts a table comparing static and dynamic routing:

Configuration complexity. Static routing: increases with network size. Dynamic routing: generally independent of the network size.
Topology changes. Static routing: administrator intervention required. Dynamic routing: automatically adapts to topology changes.
Scaling. Static routing: suitable for simple topologies. Dynamic routing: suitable for simple and complex topologies.
Security. Static routing: more secure. Dynamic routing: less secure.
Resource usage. Static routing: no extra resources needed. Dynamic routing: uses CPU, memory, and link bandwidth.
Predictability. Static routing: route to destination is always the same. Dynamic routing: route depends on the current topology.

5.1.4 Configuring Static Routes Page 1: The global command for configuring most static routes is ip route, followed by the destination network, the subnet mask, and the path used to reach it. The command is:

Router(config)#ip route [network-address] [subnet mask] [address of next hop OR exit interface]

Using the next-hop address or the exit interface forwards traffic to the proper destination. However, these two parameters behave very differently.

Before a router forwards any packet, the routing table process determines which exit interface to use. Static routes configured with exit interfaces require a single routing table lookup. Static routes configured with the next-hop parameter must reference the routing table twice to determine the exit interface.

In an enterprise network, static routes configured with exit interfaces are ideal for point-to-point connections like those between a border router and the ISP.

5.1.4 - Configuring Static Routes The diagram depicts a static route configuration. A host is connected to a switch, which is connected to router R1 on the 192.168.1.0 network. R1 is connected via its S0/0/0 port with the address 192.168.2.1 to the S0/0/1 port of R2 with the address 192.168.2.2. R2 is connected to a switch, which is also connected to a host on the 192.168.3.0 network.

Exit Interface
R1(config)# ip route 192.168.3.0 255.255.255.0 S0/0/0

Next Hop Address
R1(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2

Page 2: Static routes configured with a next-hop address require two steps to determine the exit interface. This is called a recursive lookup. In a recursive lookup:

The router matches the destination IP address of a packet to the static route.

It then matches the next-hop IP address of the static route to the entries in its routing table to determine which interface to use.

If an exit interface is disabled, static routes disappear from the routing table. The routing table reinstalls the routes when the interface is re-enabled.

5.1.4 - Configuring Static Routes The diagram depicts a static route configuration. A host, H1, with the address 192.168.1.5, is connected to a switch that is connected to router, R1. R1 is connected via its S0/0/0 port with the address 192.168.2.1 /24 to router, R2, with the address 192.168.2.2 /24. R2 is connected to a switch, which is then connected to host H2 on the address 192.168.3.8. The network between H1 and R1 is 192.168.1.0 /24, and the network between R2 and H2 is 192.168.3.0 /24.

The routing table for R1, when the static route is set as an exit interface route, is as follows:

R    192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:05, Serial0/0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0/0
S    192.168.3.0/24 is directly connected, Serial0/0/0

In the animation, H1 sends a packet to H2. When the packet reaches R1, R1 searches its routing table. When it finds the static route within the routing table, S 192.168.3.0/24 is directly connected, Serial0/0/0, it knows which port the packet is to be sent out of and forwards it to H2 via that port.

The routing table for R1, when the static route is set as a next hop route, is as follows:

R    192.168.4.0/24 [120/1] via 192.168.2.2, 00:00:26, Serial0/0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, Serial0/0/0
S    192.168.3.0/24 [1/0] via 192.168.2.2

In the animation, H1 sends a packet to H2. When the packet reaches R1, R1 searches its routing table. When it finds the static route within the routing table, S 192.168.3.0/24 [1/0] via 192.168.2.2, it then searches the routing table a second time until it finds which port is connected to the 192.168.2.0 network.

Page 3: Summarizing several static routes as a single entry reduces the size of the routing table and makes the lookup process more efficient. This process is called route summarization.

A single static route summarizes multiple static routes if:

The destination networks summarize into a single network address. All of the static routes use the same exit interface or next-hop IP address.

Without summary routes, routing tables within Internet core routers become unmanageable. Enterprise networks encounter the same problem. Summary static routes are an indispensable solution for managing routing table size.

5.1.4 - Configuring Static Routes The diagram depicts a table containing summary route information, as follows:

Routes that can be summarized (summary boundary /22):
172.16.4.0   10101100.00010000.000001|00.00000000
172.16.5.0   10101100.00010000.000001|01.00000000
172.16.6.0   10101100.00010000.000001|10.00000000
172.16.7.0   10101100.00010000.000001|11.00000000

The above routes can be summarized to one route as follows:
172.16.4.0, subnet mask 255.255.252.0 (summary boundary /22)
Summary address   10101100.00010000.000001|00.00000000
Subnet mask       11111111.11111111.111111|00.00000000

To summarize into one route:
Router(config)# ip route 172.16.4.0 255.255.252.0 serial0/0/1
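The binary comparison in the diagram is one instance of a general procedure: find the longest prefix all the networks share, then check that the summary does not claim address space the list does not contain. The following is an added example, not code from the curriculum, that carries that procedure out for any list of networks; the exit interface serial0/0/1 is taken from the diagram's command.

```python
"""Summarize a list of networks into a single static route (section 5.1.4, page 3).

Added example, not code from the curriculum. It carries out the binary
comparison the diagram shows for 172.16.4.0-172.16.7.0 as a general
algorithm: find the longest prefix shared by all the networks, and report any
address space the summary would advertise that is not in the list.
"""
import ipaddress
from typing import Dict, Iterable, List


def _mask(prefix: int) -> int:
    """32-bit network mask for a prefix length."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def binary_view(net: ipaddress.IPv4Network, boundary: int) -> str:
    """Dotted binary form of the network address with '|' at the summary
    boundary, e.g. 10101100.00010000.000001|00.00000000 for 172.16.4.0 at /22."""
    bits = format(int(net.network_address), "032b")
    dotted = ".".join(bits[i:i + 8] for i in range(0, 32, 8))
    pos = boundary + max(boundary - 1, 0) // 8      # account for the dots passed
    return dotted[:pos] + "|" + dotted[pos:]


def uncovered(summary: ipaddress.IPv4Network,
              nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Parts of the summary that none of the listed networks cover."""
    remaining = [summary]
    for n in nets:
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))   # carve the listed network out
            elif not r.subnet_of(n):
                nxt.append(r)                      # untouched by this network
        remaining = nxt
    return sorted(remaining)


def summarize(networks: Iterable[str], exit_interface: str = "serial0/0/1") -> Dict[str, object]:
    """Smallest single prefix covering every network in the list, with the
    binary view of each member and the ip route command that announces it."""
    nets = [ipaddress.ip_network(n) for n in networks]
    if not nets:
        raise ValueError("nothing to summarize")
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    prefix = min(n.prefixlen for n in nets)
    # Shorten the mask one bit at a time until lowest and highest fall into
    # the same network: that prefix length is the summary boundary.
    while prefix > 0 and (lowest & _mask(prefix)) != (highest & _mask(prefix)):
        prefix -= 1
    summary = ipaddress.ip_network((lowest & _mask(prefix), prefix))
    holes = uncovered(summary, nets)
    return {
        "summary": summary,
        "exact": not holes,     # False: the summary also claims unlisted space
        "holes": holes,
        "binary": [binary_view(n, prefix) for n in nets],
        "ip_route": f"ip route {summary.network_address} {summary.netmask} {exit_interface}",
    }


if __name__ == "__main__":
    result = summarize(["172.16.4.0/24", "172.16.5.0/24", "172.16.6.0/24", "172.16.7.0/24"])
    print(result["summary"], result["exact"], result["ip_route"])
    for line in result["binary"]:
        print(line)
```

When `exact` is False the summary still forwards correctly, but it advertises (and attracts traffic for) subnets the router has no route to, which is why the gaps are reported.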

Page 4: Packet Tracer Activity Create static routes.

Click the Packet Tracer icon to begin.

5.1.4 - Configuring Static Routes Link to Packet Tracer Exploration: Configuring Static Routes

Page 5: Depending on the WAN services used in the enterprise, static routes provide a backup service when the primary WAN link fails. A feature called floating static routes can be used to provide this backup service.

By default, a static route has a lower administrative distance than the route learned from a dynamic routing protocol. A floating static route has a higher administrative distance than the route learned from a dynamic routing protocol. For that reason, a floating static route does not display in the routing table. The floating static route entry appears in the routing table only if the dynamic information is lost.

To create a floating static route, add an administrative distance value to the end of the ip route command:

Router(config)#ip route 192.168.4.0 255.255.255.0 192.168.9.1 200

The administrative distance specified must be greater than the AD assigned to the dynamic routing protocol. The router uses the primary (dynamic) route as long as it is active. If the primary route goes down, the router installs the floating static route in the routing table.

5.1.4 - Configuring Static Routes Four routers are connected in a ring. R1 is connected via 10.20.10.1/30 to 10.20.10.2/30 of R2. R2 is connected via 10.20.20.1/30 to 10.20.20.2/30 of R3. R3 is connected to R4; the network address for this connection is 10.20.40.0/30. R3 is connected to the network cloud on the network 209.165.201.0/27.
R1 routing table: 209.165.201.0/27 [120/2] via 10.20.30.2
R1 backup floating static route: ip route 209.165.201.0 255.255.255.224 10.20.10.2 150
In the animation, R1 sends a packet to 209.165.201.0/27 using the dynamic route in its routing table. The packet is routed via R4 and then to R3 before going on to the network cloud. The link between R1 and R4 then fails. The routing table of R1 is updated with the backup floating static route. R1 sends another packet to 209.165.201.0/27. It checks its routing table and sends the packet via R2, then on to R3 before going on to the network cloud.

5.1.5 Default Routes Page 1: Routing tables cannot contain routes to every possible Internet site. As routing tables grow in size, they require more RAM and processing power. A special type of static route, called a default route, specifies a gateway to use when the routing table does not contain a path to a destination. It is common for default routes to point to the next router in the path toward the ISP. In a complex enterprise, default routes funnel Internet traffic out of the network.

The command to create a default route is similar to the command used to create either an ordinary or a floating static route. The network address and subnet mask are both specified as 0.0.0.0, making it a quad zero route. The command uses either the next-hop address or the exit interface parameters.

The zeroes indicate to the router that no bits need to match in order to use this route. As long as a better match does not exist, the router uses the default static route.

The final default route, located on the border router, sends the traffic to the ISP. This route identifies the last stop within the enterprise as the Gateway of Last Resort for packets that cannot be matched. This information appears in the routing tables of all routers.

If the enterprise uses a dynamic routing protocol, the border router can send a default route to the other routers as part of a dynamic routing update.

5.1.5 - Default Routes The diagram depicts H1 connected to switch S1, which is connected to Fa0/0 of router R1. This is the stub network, with the network address 172.16.3.0/24. R1, the stub router, is connected to S0/0/0 of router R2 on the 172.16.2.0/24 network. The link from R1 to R2 is a default route; the link from R2 to R1 is a static route.
R1(config)# ip route 0.0.0.0 0.0.0.0 s0/0/0
R1(config)# end
R1# show ip route
[output omitted]
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.2.0 is directly connected, Serial0/0/0
C       172.16.3.0 is directly connected, FastEthernet0/0
S    0.0.0.0/0 is directly connected, Serial0/0/0
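Added example, not from the course: a small routing table model in Python showing how the floating static route (administrative distance 150) from the earlier animation stays out of the table while the RIP route exists, takes over when RIP withdraws the route, and how the quad-zero default route is used only when no longer prefix matches. Interface names and the default route's next hop are assumptions.

```python
import ipaddress

# Administrative distances as listed in this course (a lower value is more trusted)
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}
CODE = {"connected": "C", "static": "S", "eigrp": "D", "ospf": "O", "rip": "R"}


class RoutingTable:
    """Keeps every candidate route per prefix, installs only the lowest-AD one,
    and resolves lookups by longest prefix, so 0.0.0.0/0 matches last."""

    def __init__(self):
        self.candidates = {}  # IPv4Network -> list of (ad, source, next_hop)

    def add(self, prefix, source, next_hop, ad=None):
        """Offer a route; `ad` overrides the source default (a floating static route)."""
        net = ipaddress.ip_network(prefix)
        distance = AD[source] if ad is None else ad
        self.candidates.setdefault(net, []).append((distance, source, next_hop))

    def withdraw(self, prefix, source):
        """Drop every candidate from `source` for the prefix (dynamic route lost)."""
        net = ipaddress.ip_network(prefix)
        self.candidates[net] = [c for c in self.candidates.get(net, []) if c[1] != source]

    def installed(self):
        """Prefix -> the one (ad, source, next_hop) the router actually uses."""
        return {net: min(cands) for net, cands in self.candidates.items() if cands}

    def lookup(self, destination):
        """Longest-prefix match over installed routes; None if nothing matches."""
        addr = ipaddress.ip_address(destination)
        matches = [(net, r) for net, r in self.installed().items() if addr in net]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def show(self):
        """Lines in the spirit of 'show ip route': code, prefix, [AD], next hop."""
        rows = sorted(self.installed().items(),
                      key=lambda kv: (kv[0].prefixlen, int(kv[0].network_address)))
        return [f"{CODE[src]} {net} [{ad}] via {nh}" for net, (ad, src, nh) in rows]


def r1_table():
    """R1 from the floating static route animation, plus a quad-zero default route.
    The interface name and the default route's next hop are assumptions, not from the page."""
    rt = RoutingTable()
    rt.add("10.20.10.0/30", "connected", "Serial0/0/0")          # link to R2 (interface assumed)
    rt.add("209.165.201.0/27", "rip", "10.20.30.2")              # [120/2] via 10.20.30.2, through R4
    rt.add("209.165.201.0/27", "static", "10.20.10.2", ad=150)   # floating static, waits behind RIP
    rt.add("0.0.0.0/0", "static", "10.20.10.2")                  # gateway of last resort (assumed)
    return rt
```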

Page 2: Packet Tracer Activity Configure a default route to forward traffic from the enterprise routers to the ISP.

Click the Packet Tracer icon to begin.

5.1.5 - Default Routes Link to Packet Tracer Exploration: Configuring Default Routes

5.2 Routing Using the RIP Protocol


5.2.1 Distance Vector Routing Protocols Page 1:

Dynamic routing protocols are classified into two major categories: distance vector protocols and link-state protocols.

Routers running distance vector routing protocols share network information with directly connected neighbors. The neighbor routers then advertise the information to their neighbors, until all routers in the enterprise learn the information.

A router running a distance vector protocol does not know the entire path to a destination; it only knows the distance to the remote network and the direction, or vector. Its knowledge comes through information from directly connected neighbors.

Like all routing protocols, distance vector protocols use a metric to determine the best route. Distance vector protocols calculate the best route based on the distance from a router to a network. An example of a metric used is hop count, which is the number of routers, or hops, between the router and the destination.

5.2.1 - Distance Vector Routing Protocol The diagram depicts two routers labeled R1 and R2 that are linked by a serial link. The following two equations are stated in the diagram: Distance = How Far Vector = Direction There is an arrow pointing in the direction of R2. R2 has a network connected and configured with the network address 172.16.3.0 /24. For R1, 172.16.3.0 /24 is one hop away (distance). It can be reached via S0/0/0 and through R2.

Page 2: Distance vector protocols usually require less complicated configurations and management than link-state protocols. They can run on older, less powerful routers and require lower amounts of memory and processing.

Routers using distance vector protocols broadcast or multicast their entire routing table to their neighbors at regular intervals. If a router learns more than one route to a destination, it calculates and advertises the route with the lowest metric.

This method of moving routing information through large networks is slow. At any given moment, some routers may not have the most current information about the network. This limits the scalability of the protocols and causes issues such as routing loops.

RIP versions 1 and 2 are true distance vector protocols, whereas EIGRP is a distance vector protocol with advanced capabilities. RIPng, the newest version of RIP, was specifically designed to support IPv6.

5.2.1 - Distance Vector Routing Protocol The diagram depicts the advantages and disadvantages of distance vector routing protocols, as follows:
Advantages: Simple implementation and maintenance; Low resource requirements
Disadvantages: Slow convergence; Limited scalability; Routing loops

5.2.2 Routing Information Protocol (RIP) Page 1: Routing Information Protocol (RIP) was the first IP distance vector routing protocol to be standardized in an RFC (RFC 1058 in 1988). The first version of RIP is now often called RIPv1 to distinguish it from the later, improved version, RIPv2, and from the IPv6 version, RIPng.

By default, RIPv1 broadcasts its routing updates out all active interfaces every 30 seconds.

RIPv1 is a classful routing protocol. It automatically summarizes subnets to the classful boundary and does not send subnet mask information in the update. Therefore, RIPv1 does not support VLSM or CIDR. A router configured with RIPv1 either uses the subnet mask configured on a local interface, or applies the default subnet mask based on the address class. Due to this limitation, the subnets of the networks that RIPv1 advertises should not be discontiguous if correct routing is to occur.

For example, a router configured with interfaces as the gateways for the 172.16.1.0/24 and 172.16.4.0/24 subnets will advertise only the 172.16.0.0 Class B network with RIPv1. Another router receiving this update will therefore list the 172.16.0.0 network in its routing table. This means packets with an actual destination subnet address of 172.16.3.0 could mistakenly be forwarded to the advertising router and therefore not arrive at the correct destination subnet.

5.2.2 - Routing Information Protocol (RIP) The diagram depicts a small network. Two routers are connected via a serial link on network 172.16.4.0/24. A network with the address 172.16.1.0 is connected to Fa0/0 of R1. The following commands are an attempt to configure RIPv1 to advertise the subnets:

R1(config)# router rip
R1(config-router)# network 172.16.1.0
R1(config-router)# network 172.16.4.0
Actual configuration, showing the summarized network to be advertised:
R1# show running-config
[output omitted]
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
[output omitted]
!
interface Serial0/0/0
 ip address 172.16.4.1 255.255.255.0
!
[output omitted]
!
router rip
 network 172.16.0.0
Note: The summarized Class B network is advertised, not the separate subnets.

Page 2: RIPv2 has many of the features of RIPv1. It also includes important enhancements. RIPv2 is a classless routing protocol that supports VLSM and CIDR. A subnet mask field is included in v2 updates, which allows the use of discontiguous networks. RIPv2 also has the ability to turn off automatic summarization of routes.

Both versions of RIP send their entire routing table out all participating interfaces in updates. RIPv1 broadcasts these updates to 255.255.255.255. This requires all devices on a broadcast network like Ethernet to process the data. RIPv2 multicasts its updates to 224.0.0.9. Multicasts take up less network bandwidth than broadcasts. Devices that are not configured for RIPv2 discard multicasts at the Data Link Layer.

Attackers often introduce invalid updates to trick a router into sending data to the wrong destination or to seriously degrade network performance. Invalid information can also end up in the routing table due to poor configuration or a malfunctioning router. Encrypting routing information hides the content of the routing table from any routers that do not possess the password or authentication data. RIPv2 has an authentication mechanism, whereas RIPv1 does not.

5.2.2 - Routing Information Protocol (RIP) The diagram depicts a small network. Two routers are connected via a serial link on network 192.168.2.0/24. A network with the address 192.168.1.0 is connected to Fa0/0 of R1. Two networks, 192.168.3.0 and 192.168.4.0, are connected to Fa0/0 and Fa0/1 of R2.

The diagram contains the console output of R1. Attention is drawn to the lines that show the two versions of RIP in use: the multicast RIPv2 update is marked with three asterisks (***), and the broadcast RIPv1 update with three number signs (###).
R1#
*** Aug 30 04:37:11:115: RIP: sending v2 update to 224.0.0.9 via FastEthernet0/0 (192.168.1.1)
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: 192.168.2.0/24 via 0.0.0.0, metric 1, tag 0
Aug 30 04:37:11:115: 192.168.4.0/24 via 0.0.0.0, metric 1, tag 0
### Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via Serial0/0/0 (192.168.2.1)
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: network 192.168.1.0 metric 1
Aug 30 04:37:11:115: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (192.168.2.1)

Page 3: Although RIPv2 provides many enhancements, it is not an entirely different protocol. RIPv2 shares many of the features found in RIPv1, such as:

Hop-count metric
15-hop maximum; TTL equals 16 hops
Default 30-second update interval
Route poisoning, poisoned reverse, split horizon, and holddowns to avoid loops
Updates using UDP port 520
Administrative distance of 120
Message header containing up to 25 routes without authentication
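Added example, not from the course: a builder and parser for the RIP message carried in UDP port 520 datagrams, with the limits listed above (20-byte entries, at most 25 per message, metric 16 meaning unreachable) and the RIPv2 authentication entry that RIPv1 lacks. The sample routes are the ones shown in the earlier debug output; the password is a constructed value.

```python
import ipaddress
import struct

RIP_UDP_PORT = 520
RIPV2_MULTICAST = "224.0.0.9"
RIP_INFINITY = 16            # a metric of 16 means unreachable
MAX_ENTRIES = 25             # a message carries at most 25 twenty-byte entries
HEADER = struct.Struct("!BBH")          # command (1 request, 2 response), version, zero
ENTRY = struct.Struct("!HH4s4s4sI")     # AFI, route tag, address, mask, next hop, metric
AUTH = struct.Struct("!HH16s")          # AFI 0xFFFF, auth type, 16-byte password (type 2)
AF_INET = 2


def build_response(version, routes, password=None):
    """Build a RIP response; `routes` is a list of (prefix, metric).

    RIPv1 entries carry no mask or next hop. A simple password (type 2) is a
    first entry with AFI 0xFFFF, which only RIPv2 defines; it uses one of the
    25 slots, which is why the page says 25 routes "without authentication".
    """
    entries = []
    if password is not None:
        if version != 2 or len(password) > 16:
            raise ValueError("authentication needs RIPv2 and a password of at most 16 bytes")
        entries.append(AUTH.pack(0xFFFF, 2, password.encode()))
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        mask = net.netmask.packed if version == 2 else bytes(4)
        entries.append(ENTRY.pack(AF_INET, 0, net.network_address.packed, mask,
                                  bytes(4), min(metric, RIP_INFINITY)))
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries; RIP allows {MAX_ENTRIES}")
    return HEADER.pack(2, version, 0) + b"".join(entries)


def parse(datagram):
    """Decode a RIP datagram into a dict; raises ValueError on malformed input."""
    if len(datagram) < HEADER.size or (len(datagram) - HEADER.size) % ENTRY.size:
        raise ValueError("length is not 4 + 20*n bytes")
    command, version, _ = HEADER.unpack_from(datagram)
    if version not in (1, 2):
        raise ValueError(f"unsupported RIP version {version}")
    body = datagram[HEADER.size:]
    if len(body) // ENTRY.size > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} entries")
    msg = {"command": command, "version": version, "auth": None, "routes": []}
    for off in range(0, len(body), ENTRY.size):
        chunk = body[off:off + ENTRY.size]
        afi = struct.unpack_from("!H", chunk)[0]
        if afi == 0xFFFF:
            if off != 0 or version != 2:
                raise ValueError("authentication entry must be first and needs RIPv2")
            _, auth_type, secret = AUTH.unpack(chunk)
            # type 2 is a cleartext password, readable by anyone on the segment;
            # type 3 (MD5) is the one to expect on a hardened network
            msg["auth"] = {"type": auth_type,
                           "password": secret.rstrip(b"\0").decode() if auth_type == 2 else None}
            continue
        if afi != AF_INET:
            raise ValueError(f"unexpected address family {afi}")
        _, tag, addr, mask, nexthop, metric = ENTRY.unpack(chunk)
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric {metric} outside 1..16")
        if version == 1 and (tag or mask != bytes(4) or nexthop != bytes(4)):
            raise ValueError("RIPv1 entries must have zero tag, mask and next hop")
        address = ipaddress.ip_address(addr)
        prefixlen = None   # RIPv1: receiver applies its own interface or classful mask
        if version == 2:
            prefixlen = ipaddress.ip_network(f"{address}/{ipaddress.ip_address(mask)}",
                                             strict=False).prefixlen
        msg["routes"].append({"address": str(address), "prefixlen": prefixlen,
                              "next_hop": str(ipaddress.ip_address(nexthop)), "tag": tag,
                              "metric": metric, "unreachable": metric == RIP_INFINITY})
    return msg
```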

When a router starts up, each RIP-configured interface sends out a request message. This message requests that all RIP neighbors send their complete routing tables. RIP-enabled neighbors send a response message that includes known network entries. The receiving router evaluates each route entry based on the following criteria:

If a route entry is new, the receiving router installs the route in the routing table.
If the route is already in the table and the entry comes from a different source, the routing table replaces the existing entry if the new entry has a better hop count.
If the route is already in the table and the entry comes from the same source, it replaces the existing entry even if the metric is not better.

The startup router then sends a triggered update out all RIP-enabled interfaces containing its own routing table. RIP neighbors are informed of any new routes.

5.2.2 - Routing Information Protocol (RIP) The diagram depicts three routers labeled R1, R2, and R3. The routers are directly connected to each other through serial links. R1 has its Fast Ethernet port in use and configured with the network address 10.1.0.0. The serial link between R1 and R2 is on the network address 10.2.0.0. The serial link between R2 and R3 is on the network address 10.3.0.0. R3 has its Fast Ethernet port in use and is assigned the network address 10.4.0.0. All three routers send requests out of all ports to all hosts connected on the network. The routers take note of the source IP address and the hop count metric used to reach the destination networks. When it receives a response to its request message, each router recalculates the hop count for the shortest path to each destination network and forwards based on that hop count.

Page 4: As long as routers send and process the correct versions of routing updates, RIPv1 and RIPv2 are completely compatible. By default, RIPv2 sends and receives only version 2 updates. If a network must use both versions of RIP, the network administrator configures RIPv2 to send and receive both versions 1 and 2. By default, RIPv1 sends version 1 updates, but receives both versions 1 and 2.

Within an enterprise, it may be necessary to use both versions of RIP. For example, part of the network may be migrating to RIPv2, whereas another part may be staying with RIPv1. Overriding the global RIP configuration with interface-specific behavior allows routers to support both versions of RIP.

To override the global version setting on a single interface, use the following interface configuration commands:

ip rip send version <1 | 2 | 1 2>
ip rip receive version <1 | 2 | 1 2>

5.2.2 - Routing Information Protocol (RIP) The diagram depicts the same network as previously described in Diagram 2 of this section. The command show ip protocols is executed and its output is given below. Items of interest in this diagram are marked with three asterisks.
R1# show ip protocols
Routing Protocol is "rip"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Sending updates every 30 seconds, next due in 16 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Redistributing: rip
  Default version control: sending version 2, receive version 2
***  Interface          Send   Recv   Triggered RIP   Key-chain
***  FastEthernet0/0    2      2
***  Serial0/0/0        1 2    2
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
    192.168.1.0
    192.168.2.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.2.2          120      00:00:03
  Distance: default 120

Page 5:

5.2.2 - Routing Information Protocol (RIP) The diagram depicts an activity in which you must decide whether each of the characteristics listed below applies to RIPv1, RIPv2, or both.
1. Automatic route summarization
2. No authentication
3. Hop-count metric
4. Default 30-second update interval
5. Administrative distance of 120
6. Supports VLSM
7. Sends subnet mask in routing updates
8. Uses route poisoning, poison reverse, split horizon, and holddowns to avoid loops
9. Broadcast updates

5.2.3 Configuring RIPv2 Page 1: Before configuring RIPv2, assign IP addresses and masks to all interfaces that participate in routing. Set the clock rate where necessary on serial links. After the basic configurations are complete, configure RIPv2.

The basic RIPv2 configuration consists of three commands:

Router(config)#router rip

Enables the routing protocol

Router(config-router)#version 2

Specifies the version

Router(config-router)#network [network address]

Identifies each directly connected network that RIP should advertise

By default, RIPv2 will summarize each network to be advertised to its classful boundary as the graphic shows.

RIPv2 updates can be configured to be authenticated.

RIPv2 propagates a default route to its neighbor routers as part of its routing updates. To accomplish this, create the default route and then add the redistribute static command to the RIPv2 configuration.

5.2.3 - Configuring RIP v2 The diagram depicts three routers named R1, R2, and R3. R1 has a single network connected, with the network address 192.168.10.0/24. The serial interface of R1 is connected by a serial link to R2 on network address 10.10.10.0/30. R2 has a network connected to its Fast Ethernet port with the network address 172.27.20.0/24. R2 connects to R3 via serial ports with the network address 10.10.10.4/30. R3 has all three of its Fast Ethernet ports in use, with network addresses 10.20.30.0/24, 10.20.10.0/24, and 10.20.20.0/24. The RIP configuration statements for each router are as follows:
Router R1
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.10.0
R1(config-router)# network 10.0.0.0
Router R2
R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# network 172.27.0.0
R2(config-router)# network 10.0.0.0
Router R3
R3(config)# router rip
R3(config-router)# version 2
R3(config-router)# network 10.0.0.0

Page 2:

Lab Activity Configuring RIPv2 with VLSM addressing scheme and a default route.

Click the lab icon to begin.

5.2.3 - Configuring RIP v2 Link to Hands-on Lab: Configuring RIP v2 with VLSM and Default Route Propagation

5.2.4 Problems with RIP Page 1: Various performance and security issues arise when using RIP. The first issue concerns routing table accuracy.

Both versions of RIP automatically summarize subnets on the classful boundary. This means that RIP recognizes subnets as a single Class A, B, or C network. Enterprise networks typically use classless IP addressing and a variety of subnets, some of which are not directly connected to each other, which creates discontiguous subnets.

Unlike RIPv1, with RIPv2 the automatic summarization feature can be disabled. When disabled, RIPv2 will report all subnets with subnet mask information. This is done to ensure a more accurate routing table. To accomplish this, add the no auto-summary command to the RIPv2 configuration.

Router(config-router)#no auto-summary

5.2.4 - Problems with RIP The diagram depicts three routers arranged in a triangular topology. At the top of the triangle is router R2 with a switch directly connected and the network address 10.1.1.0/16 assigned. The two serial ports of R2 are in use and are connected by serial links to R1 and R3. The two serial links to R2 show incoming RIP updates from R1 and R3 to R2. These updates advertise the two directly connected networks that are connected to switches on R1 and R3. The RIP update from R1 says, "172.30.1.0/24, 1 hop." The RIP update from R3 says, "172.30.100.0/24, 1 hop." Since this is RIPv2 and automatic summarization is disabled, each router advertises the 24-bit subnet instead of the summarized Class B network 172.30.0.0/16.
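Added example (not the course's own code) covering both the RIPv1 classful advertisement described in 5.2.2 and the discontiguous-subnet diagram above: it shows what each router sends with and without automatic summarization, and why R2 cannot tell the two 172.30.0.0 LANs apart when both arrive summarized. The serial link prefixes are assumptions; the diagram does not give them.

```python
import ipaddress


def classful_network(prefix_or_address):
    """The Class A/B/C network (/8, /16, /24) that contains the address.
    RIPv1 advertises only this, since its updates carry no subnet mask."""
    addr = ipaddress.ip_network(prefix_or_address, strict=False).network_address
    first_octet = int(addr) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        raise ValueError(f"{addr} is a class D/E address and has no classful network")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def advertised(local_subnets, out_interface_subnet, auto_summary=True):
    """Prefixes a router advertises out one interface.

    With auto-summary (always for RIPv1, the default for RIPv2) a subnet in a
    different major network from the outgoing interface is collapsed to its
    classful network; with 'no auto-summary' (RIPv2 only) every subnet is sent
    with its mask.
    """
    out_major = classful_network(out_interface_subnet)
    sent = set()
    for subnet in local_subnets:
        net = ipaddress.ip_network(subnet)
        if auto_summary and classful_network(net) != out_major:
            sent.add(classful_network(net))
        else:
            sent.add(net)
    return sorted(str(n) for n in sent)


def learned_at_r2(auto_summary):
    """Routes R2 hears in the diagram: R1 has 172.30.1.0/24, R3 has
    172.30.100.0/24, and both reach R2 over serial links inside 10.0.0.0/8
    (the link prefixes below are assumed, the diagram does not give them)."""
    updates = {
        "R1": advertised(["172.30.1.0/24"], "10.1.2.0/30", auto_summary),
        "R3": advertised(["172.30.100.0/24"], "10.1.3.0/30", auto_summary),
    }
    table = {}  # prefix -> neighbours that advertised it, all at 1 hop
    for neighbour, prefixes in updates.items():
        for prefix in prefixes:
            table.setdefault(prefix, []).append(neighbour)
    return {prefix: sorted(n) for prefix, n in table.items()}


def ambiguous_prefixes(table):
    """Prefixes advertised by more than one neighbour at the same hop count:
    R2 installs one (or load-balances), so part of that space is unreachable."""
    return sorted(prefix for prefix, neighbours in table.items() if len(neighbours) > 1)
```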

Page 2: Another issue to consider is the broadcast nature of RIP updates. As soon as the RIP configuration lists a network command for a given network, RIP immediately begins to send advertisements out all interfaces that belong to that network. These updates may not be needed on all portions of a network. For example, an Ethernet LAN interface passes these updates to every device on its network segment, which produces unnecessary traffic. The routing update could also be intercepted by any device. This makes the network less secure.

The passive-interface command, issued in router configuration mode, disables routing updates on the specified interfaces.

Router(config-router)#passive-interface interface-type interface-number

In complex enterprise networks running more than one routing protocol, the passive-interface command defines which routers learn RIP routes. When the number of interfaces advertising RIP routes is limited, security and traffic control increase.

5.2.4 - Problems with RIP The diagram depicts three routers labeled R1, R2, and R3. They are arranged in a triangular configuration with serial links from R1 to R2, R2 to R3, and R3 to R1. The interfaces connecting the link between R1 and R2 are set to be passive, so no routing table updates are sent between R1 and R2. The RIP updates from all routers pass between the link between R1 and R3, and R3 and R2.

Page 3: A network running RIP needs time to converge. Some routers may contain incorrect routes in their routing tables until all routers have updated and have the same view of the network.

Erroneous network information may cause routing updates and traffic to loop endlessly as they count to infinity. In the RIP routing protocol, infinity occurs when the hop count is 16.

Routing loops negatively affect network performance. RIP contains several features designed to combat this impact. These features are often used in combination:

Poisoned reverse
Split horizon
Holddown timer
Triggered updates

Poisoned reverse sets the metric for a route to 16, making it unreachable. Because RIP defines infinity as 16 hops, any network further away than 15 hops is unreachable. If a network is down, a router changes the metric for that route to 16 so that all other routers see it as unreachable. This feature prevents the routing protocol from sending information via poisoned routes.

5.2.4 - Problems with RIP The diagram depicts three routers labeled R1, R2, and R3. R1 and R2 are linked via a serial link with the network address 10.2.0.0. The second serial connection of R2 is linked to R3 by serial port with the network address 10.3.0.0. R1 Fa0/0, with the network address 10.1.0.0, is connected to a LAN. The Fa0/0 port of R3 has the network address 10.4.0.0 connected to a LAN. The routing tables for each router are listed below, with the following column headers: Network, Interface, and Hop.
R1 Routing Table
Network   Interface  Hop
10.1.0.0  Fa0/0      0
10.2.0.0  S0/0/0     0
10.3.0.0  S0/0/0     1
10.4.0.0  S0/0/0     2
R2 Routing Table
Network   Interface  Hop
10.1.0.0  Fa0/0      1
10.2.0.0  S0/0/0     0
10.3.0.0  S0/0/0     0
10.4.0.0  S0/0/0     1
R3 Routing Table
Network   Interface  Hop
10.1.0.0  Fa0/0      2
10.2.0.0  S0/0/0     1
10.3.0.0  S0/0/0     0
10.4.0.0  S0/0/0     0
Routing Loop
Network 10.4.0.0 goes down on R3.
Before R3 can send updates to R2, R2 sends an update to R3.
R1 sends a data packet to the 10.4.0.0 network.
The packet bounces between R2 and R3 because of incorrect routing table information.

Count to Infinity
Network 10.4.0.0 goes down on R3.
Before R3 can send updates to R2, R2 sends an update to R3.
R3 sends an update to R2.
R2 sends an update to R1.
R1 sends an update to R2.
R2 sends an update to R3.
R3 sends an update to R2.
R2 sends an update to R1.
R1 sends an update to R2.
R2 sends an update to R3.
R1 sends an update to R2.
R2 sends an update to R1.
R1 sends an update to R2.
R2 sends an update to R3.
R3 sends an update to R2.
R2 sends an update to R1.
Network 10.4.0.0 is unreachable, exceeds 16 hops.

Page 4: The anti-loop features of RIP add stability to the protocol, but also add to convergence time.

Split horizon prevents the formation of loops. When multiple routers advertise the same network routes to each other, routing loops may form. Split horizon dictates that a router receiving routing information on an interface cannot send an update about that same network back out the same interface.

The holddown timer stabilizes routes. While the holddown timer runs after a route goes down, the router refuses to accept route updates with a higher metric for that same destination network. If, during the holddown period, the original route comes back up or the router receives route information with a lower metric, the router installs the route in the routing table and immediately begins to use it.

The default holddown time is 180 seconds, six times the regular update period. The default can be changed. However, any holddown period increases the convergence time and has a negative impact on network performance.

When a route fails, RIP does not wait for the next periodic update. Instead, RIP sends an immediate update, called a triggered update. It advertises the failed route by increasing the metric to 16, effectively poisoning the route. This update places the route in holddown status while RIP attempts to locate an alternate route with a better metric.

5.2.4 - Problems with RIP The diagram depicts two routers labeled R1 and R2. They are linked by a serial link with the network address 192.168.3.0. R1 has a network connected to its Fast Ethernet interface, network address 192.168.1.0. R2 has a network connected to its Fast Ethernet interface, network address 192.168.2.0.
Split Horizon: An update for networks 192.168.1.0 and 192.168.3.0 was just received on this interface, so R2 only sends an update for 192.168.2.0.

Hold-down Timer: Network 192.168.2.0 goes down. R2 starts a holddown timer. R1 sends an update to R2 showing network 192.168.2.0 as still reachable, but at a higher metric than what R2 has. R2 will not update its routing table because the holddown timer has not expired.
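Added example (not the course's code) that puts the route acceptance rules from 5.2.2 page 3 together with the loop-avoidance features above: a small RIP router model that applies split horizon, poisoned reverse, holddown and triggered updates to the two-router topology of this diagram. Time is a number of seconds passed in by the caller, so the holddown window can be stepped through explicitly.

```python
INFINITY = 16       # RIP "infinity": a metric of 16 means unreachable
HOLDDOWN = 180      # default holddown in seconds, six times the 30-second update period
CONNECTED = "connected"


class RipRouter:
    """A RIP routing table with the three acceptance rules, split horizon,
    poisoned reverse, holddown and triggered updates described in the course.
    Stored metrics are hop counts as 'show ip route' shows them (0 for a
    connected network); an advertised metric is the stored hop count plus one."""

    def __init__(self, name, connected):
        self.name = name
        self.routes = {}  # prefix -> {metric, best, source, iface, holddown_until}
        for iface, prefix in connected.items():   # connected: {interface: prefix}
            self.routes[prefix] = self._entry(0, CONNECTED, iface)

    @staticmethod
    def _entry(metric, source, iface):
        # best = last metric the route was usable at; holddown compares against it
        return {"metric": metric, "best": metric, "source": source,
                "iface": iface, "holddown_until": None}

    @staticmethod
    def _in_holddown(route, now):
        return route["holddown_until"] is not None and now < route["holddown_until"]

    def receive(self, source, iface, entries, now):
        """Process the (prefix, metric) entries of a response heard from `source` on `iface`."""
        for prefix, metric in entries:
            metric = min(metric, INFINITY)
            cur = self.routes.get(prefix)
            if cur is None:                                   # rule 1: new route
                if metric < INFINITY:
                    self.routes[prefix] = self._entry(metric, source, iface)
            elif cur["source"] == source:                     # rule 3: same source, accept as is
                if metric == INFINITY and cur["holddown_until"] is None:
                    cur["holddown_until"] = now + HOLDDOWN    # neighbour poisoned it: start holddown
                elif metric < INFINITY:
                    cur["best"], cur["holddown_until"] = metric, None   # route is back: use it at once
                cur["metric"] = metric
            elif cur["source"] == CONNECTED and cur["metric"] < INFINITY:
                continue                                      # a live connected network always wins
            elif self._in_holddown(cur, now) and metric > cur["best"]:
                continue                                      # holddown: refuse a worse route for a failed network
            elif metric < cur["metric"]:                      # rule 2: other source, better metric
                self.routes[prefix] = self._entry(metric, source, iface)

    def build_update(self, out_iface, poison_reverse=True):
        """Entries to send out `out_iface`. Split horizon omits routes learned on
        that interface; with poisoned reverse they are sent as unreachable instead."""
        entries = []
        for prefix, r in sorted(self.routes.items()):
            if r["iface"] == out_iface:
                if poison_reverse and r["source"] != CONNECTED:
                    entries.append((prefix, INFINITY))
                continue
            entries.append((prefix, min(r["metric"] + 1, INFINITY)))
        return entries

    def link_down(self, iface, now):
        """Poison every route via `iface`, start its holddown, and return the
        triggered update for each other interface, keyed by interface name."""
        for r in self.routes.values():
            if r["iface"] == iface and r["metric"] < INFINITY:
                r["metric"], r["holddown_until"] = INFINITY, now + HOLDDOWN
        others = {r["iface"] for r in self.routes.values() if r["iface"] != iface}
        return {o: self.build_update(o) for o in sorted(others)}
```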

Page 5: Packet Tracer Activity

Route between discontiguous networks with RIP.

Click the Packet Tracer icon to begin.

5.2.4 - Problems with RIP Link to Packet Tracer Exploration: Routing Between Discontiguous Networks

5.2.5 Verifying RIP Page 1: RIPv2 is a simple protocol to configure. However, errors and inconsistencies can occur on any network. There are many show commands to assist the technician in verifying a RIP configuration and troubleshooting RIP functionality.

The show ip protocols and show ip route commands are important for verification and troubleshooting on any routing protocol.

The following commands specifically verify and troubleshoot RIP:

show ip rip database: Lists all the routes known by RIP
debug ip rip or debug ip rip events: Displays RIP routing updates as they are sent and received, in real time

The output of this debug command displays the source address and interface of each update, as well as the version and the metric.

Do not use the debug commands more than necessary. Debugging consumes bandwidth and processing power, which slows network performance.

The ping command can be used to test for end-to-end connectivity. The show running-config command provides a convenient method of verifying that all commands were entered correctly.

5.2.5 - Verifying RIP The diagram depicts a man sitting in front of his computer at his desk. The man says, "I want to view the RIP updates as they happen." The debug ip rip command is issued and displays the output below:
Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: subnet 172.16.1.0 metric 2
Aug 30 04:37:11:115: subnet 172.16.2.0 metric 1
Aug 30 04:37:11:115: subnet 192.168.1.0 metric 1
Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via Serial0/0/0
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: subnet 172.16.3.0 metric 1
Aug 30 04:37:11:115: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (172.16.2.1)
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: 172.16.5.0/24 via 0.0.0.0, metric 1, tag 0
Aug 30 04:37:11:115: RIP: received v1 update from 172.16.2.2 on Serial0/0/0
Aug 30 04:37:11:115: 172.16.1.0 in 1 hops
Aug 30 04:37:11:115: 192.168.1.0 in 1 hops
Aug 30 04:37:11:115: RIP: received v2 update from 172.16.2.2 on Serial0/0/0
Aug 30 04:37:11:115: 172.16.1.0/24 via 0.0.0.0 in 1 hop
Aug 30 04:37:11:115: 192.168.1.0/24 via 0.0.0.0 in 1 hop
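Added example, not part of the course: a parser for the debug ip rip lines above that extracts the direction, version, interface, peer address and metrics of each update, plus a check that flags updates of an unexpected version on an interface (a RIPv1 update is a broadcast that cannot be authenticated) and routes advertised as unreachable. The sample lines are the ones from the diagram, retyped as constructed input; the expected-version map is an assumption.

```python
import re

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} +[\d:]+: *")
SENDING = re.compile(r"RIP:? sending v(?P<version>[12]) update to (?P<to>[\d.]+) via (?P<iface>\S+)")
RECEIVED = re.compile(r"RIP:? received v(?P<version>[12]) update from (?P<src>[\d.]+) on (?P<iface>\S+)")
# one route line in any of the shapes debug ip rip prints:
#   "subnet 172.16.1.0 metric 2", "172.16.5.0/24 via 0.0.0.0, metric 1, tag 0",
#   "172.16.1.0 in 1 hops", "172.16.1.0/24 via 0.0.0.0 in 1 hop"
ROUTE = re.compile(r"(?:subnet |network )?(?P<net>\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
                   r"(?: via [\d.]+)?,? (?:metric (?P<m1>\d+)|in (?P<m2>\d+) hops?)")


def parse_debug(lines):
    """Group 'debug ip rip' output into updates. Each update records direction,
    RIP version, interface, peer address (destination for sent updates, source
    for received ones) and the (network, metric) pairs it carried."""
    updates = []
    for raw in lines:
        line = TIMESTAMP.sub("", raw.strip())
        if m := SENDING.search(line):
            updates.append({"dir": "sent", "version": int(m["version"]),
                            "iface": m["iface"], "peer": m["to"], "routes": []})
        elif m := RECEIVED.search(line):
            updates.append({"dir": "received", "version": int(m["version"]),
                            "iface": m["iface"], "peer": m["src"], "routes": []})
        elif (m := ROUTE.search(line)) and updates:
            updates[-1]["routes"].append((m["net"], int(m["m1"] or m["m2"])))
    return updates


def review(updates, expected_version):
    """Findings worth a look: updates whose version differs from what the
    interface should run (a v1 update is a broadcast that cannot carry
    authentication) and routes advertised as unreachable (metric 16)."""
    findings = []
    for u in updates:
        want = expected_version.get(u["iface"])
        if want is not None and u["version"] != want:
            findings.append(f'{u["iface"]}: {u["dir"]} v{u["version"]} update '
                            f'({u["peer"]}) where v{want} is expected')
        for net, metric in u["routes"]:
            if metric >= 16:
                findings.append(f'{u["iface"]}: {net} advertised as unreachable (metric {metric})')
    return findings


# The debug lines from the diagram above, retyped here as constructed input.
SAMPLE = """\
Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: subnet 172.16.1.0 metric 2
Aug 30 04:37:11:115: subnet 172.16.2.0 metric 1
Aug 30 04:37:11:115: subnet 192.168.1.0 metric 1
Aug 30 04:37:11:115: RIP: sending v1 update to 255.255.255.255 via Serial0/0/0
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: subnet 172.16.3.0 metric 1
Aug 30 04:37:11:115: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (172.16.2.1)
Aug 30 04:37:11:115: RIP: build update entries
Aug 30 04:37:11:115: 172.16.5.0/24 via 0.0.0.0, metric 1, tag 0
Aug 30 04:37:11:115: RIP: received v1 update from 172.16.2.2 on Serial0/0/0
Aug 30 04:37:11:115: 172.16.1.0 in 1 hops
Aug 30 04:37:11:115: 192.168.1.0 in 1 hops
Aug 30 04:37:11:115: RIP: received v2 update from 172.16.2.2 on Serial0/0/0
Aug 30 04:37:11:115: 172.16.1.0/24 via 0.0.0.0 in 1 hop
Aug 30 04:37:11:115: 192.168.1.0/24 via 0.0.0.0 in 1 hop
""".splitlines()
```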

Page 2: Packet Tracer Activity

Troubleshoot and correct RIPv2 problems.

Click the Packet Tracer icon to begin.

5.2.5 - Verifying RIP Link to Packet Tracer Exploration: Troubleshoot RIP v2

5.3 Routing Using the EIGRP Protocol


5.3.1 Limitations of RIP Page 1: The RIP distance vector routing protocol is easy to configure and requires minimal amounts of router resources in order to function.

However, the simple hop count metric used by RIP is not an accurate way to determine the best path in complex networks. Additionally, the RIP limitation of 15 hops can mark distant networks as unreachable.

RIP issues periodic updates of its routing table, which consumes bandwidth, even when no network changes have occurred. Routers must accept these updates and process them to see if they contain updated route information.

Updates passed from router to router take time to reach all areas of the network. As a result, routers may not have an accurate picture of the network. Routing loops can develop due to slow convergence time, which wastes valuable bandwidth.

These characteristics limit the usefulness of the RIP routing protocol within the enterprise environment.

5.3.1 - Limitations of RIP The diagram depicts two hosts connected to each other via a chain of 17 routers. The first host sends a packet to the second host. When the hop count on the packet reaches 15, the maximum hop count, it is discarded and not forwarded to the next router. The router where the packet was discarded sends a message back to the sending host that says, "Destination unreachable."

5.3.2 Enhanced Interior Gateway Routing Protocol (EIGRP) Page 1:

The limitations of RIP led to the development of more advanced protocols. Networking professionals required a protocol that would support VLSM and CIDR, scale easily, and provide faster convergence in complex enterprise networks.

Cisco developed EIGRP as a proprietary distance vector routing protocol. It has enhanced capabilities that address many of the limitations of other distance vector protocols. EIGRP shares some of the features of RIP while employing many advanced features.

Although configuring EIGRP is relatively simple, the underlying features and options are complex. EIGRP contains many features that are not found in any other routing protocol. All of these factors make EIGRP an excellent choice for large, multi-protocol networks that employ primarily Cisco devices.

5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP) The diagram depicts a list of EIGRP characteristics:
Supports VLSM and classless routing
Uses a composite metric
Uses the DUAL algorithm to prevent routing loops
Uses bounded updates for fast convergence
Maintains multiple tables
Forms neighbor adjacencies
Maintains successor and feasible successor routes
Accommodates equal and unequal cost load balancing
Uses multiple packet types for stability and fast convergence
Supports multiple network layer protocols
Uses RTP for Layer 4 support

Page 2: The two main goals of EIGRP are to provide a loop-free routing environment and rapid convergence. To achieve these goals, EIGRP uses a different method than RIP for calculating the best route. The metric used is a composite metric that primarily considers bandwidth and delay. This metric is more accurate than hop count in determining the distance to a destination network.
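Added example, not from the course: the classic EIGRP composite metric with its default K values (so only bandwidth and delay count) set against RIP's hop count, on a constructed pair of paths where the path with fewer hops runs over 64 kbps serial links. The interface bandwidth and delay values are constructed, not taken from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int   # configured interface bandwidth
    delay_us: int         # configured interface delay in microseconds


def eigrp_metric(path, k1=1, k2=0, k3=1, k4=0, k5=0, load=1, reliability=255):
    """Classic EIGRP composite metric for a path (a list of Links).

    With the default K values (K1 = K3 = 1, the rest 0) it reduces to
    256 * (10^7 / lowest bandwidth in kbps + sum of delays in tens of microseconds),
    so a single slow link dominates the metric regardless of the hop count.
    """
    bandwidth = 10**7 // min(link.bandwidth_kbps for link in path)
    delay = sum(link.delay_us // 10 for link in path)
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def hop_count(path):
    """RIP's metric: one per router crossed; anything beyond 15 is unreachable."""
    return len(path)


def best_path(paths, metric):
    """The path name a protocol using `metric` would install (lowest value wins)."""
    return min(paths, key=lambda name: metric(paths[name]))


# Constructed topology: two ways from one router to the same destination LAN.
# Path A crosses two 64 kbps serial links; path B crosses three FastEthernet links.
SERIAL_64K = Link("serial 64 kbps", bandwidth_kbps=64, delay_us=20000)
FAST_ETHERNET = Link("FastEthernet", bandwidth_kbps=100_000, delay_us=100)
PATHS = {
    "A": [SERIAL_64K, SERIAL_64K],
    "B": [FAST_ETHERNET, FAST_ETHERNET, FAST_ETHERNET],
}
```

Hop count picks path A, the composite metric picks path B, which is the point the text makes about hop count being a poor measure of distance.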

The Diffusing Update Algorithm (DUAL) used by EIGRP guarantees loop-free operation while it calculates routes. When a change occurs in the network topology, DUAL synchronizes all affected routers simultaneously. For these reasons, the administrative distance of EIGRP is 90, whereas the administrative distance of RIP is 120. The lower number reflects the increased reliability of EIGRP and the increased accuracy of the metric. If a router learns routes to the same destination from both RIP and EIGRP, it chooses the EIGRP route over the route learned through RIP.

EIGRP tags routes learned from another routing protocol as external. Because the information used to calculate these routes is not as reliable as the metric of EIGRP, it attaches a higher administrative distance to the routes.

5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP) The diagram depicts a table of administrative distances by route source, as follows:
Route Source            Administrative Distance
Connected               0
Static                  1
EIGRP summary route     5
External BGP            20
Internal EIGRP          90
IGRP                    100
OSPF                    110
IS-IS                   115
RIP                     120
External EIGRP          170
Internal BGP            200

Page 3: EIGRP is a good choice for complex enterprise networks that are composed primarily of Cisco routers. Its maximum hop count of 255 supports large networks. EIGRP can display more than one routing table because it can collect and maintain routing information for a variety of routed protocols, such as IP and IPX. The EIGRP routing table reports routes learned both inside and outside the local system.

Unlike other distance vector protocols, EIGRP does not send complete tables in its updates. EIGRP multicasts partial updates about specific changes to only those routers that need the information, not to all routers in the area. These are called bounded updates because they reflect specific parameters.

Instead of sending periodic routing updates, EIGRP sends small hello packets to maintain knowledge of its neighbors. Since they are limited in size, both bounded updates and hello packets save bandwidth while keeping network information fresh.

5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP) The diagram depicts router R1 connected to network 10.1.0.0 via port Fa0/0. R1 is also connected via S0/0/0 to the S0/0/0 port of R2 on network 10.2.0.0. R2 is connected via S0/0/1 to the S0/0/1 port of R3 on network 10.3.0.0. R3 is connected via Fa0/0 to network 10.4.0.0.

R1 Routing Table
C 10.1.0.0/24 Fa0/0
C 10.2.0.0/24 S0/0/0
D 10.3.0.0/24 S0/0/0
D 10.4.0.0/24 S0/0/0

R2 Routing Table
D 10.1.0.0/24 S0/0/0
C 10.2.0.0/24 S0/0/0
C 10.3.0.0/24 S0/0/1
D 10.4.0.0/24 S0/0/1

R3 Routing Table
D 10.1.0.0/24 S0/0/1
D 10.2.0.0/24 S0/0/1
C 10.3.0.0/24 S0/0/1
C 10.4.0.0/24 Fa0/0

EIGRP sends a bounded update to alert neighbors that 10.1.0.0 is down. Hello packets continue to maintain neighbor relationships.

Page 4:

5.3.2 - Enhanced Interior Gateway Routing Protocol (EIGRP) The diagram depicts an activity in which you must decide if the following features belong to RIP or EIGRP.

1. Uses only the hop count metric
2. Maximum limit of 15 hops
3. Has an administrative distance of 120
4. Broadcasts or multicasts updates every 30 seconds
5. Only version 2 supports VLSM and classless routing
6. Uses a composite metric
7. Sends hello packets
8. Maintains multiple tables
9. Maximum limit of 255 hops
10. Forms neighbor adjacencies

5.3.3 EIGRP Terminology and Tables

Page 1: To store network information from the updates and support rapid convergence, EIGRP maintains multiple tables. EIGRP routers keep route and topology information readily available in RAM so that they can react quickly to changes. EIGRP maintains three interconnected tables:

Neighbor table
Topology table
Routing table

Neighbor Table The neighbor table lists information about directly connected neighbor routers. EIGRP records the address of a newly discovered neighbor and the interface that connects to it.

When a neighbor sends a hello packet, it advertises a hold time. The hold time is the length of time that a router treats a neighbor as reachable. If a hello packet is not received within the hold time, the timer expires and DUAL recalculates the topology.

Since fast convergence depends on accurate neighbor information, this table is crucial to EIGRP operation.

5.3.3 - EIGRP Terminology and Tables The diagram depicts router R1 with an Ethernet network on interface Fa0/0. R1 is also connected via S0/0/0 to the S0/0/0 port of R2. R2 is connected via S0/0/1 to the S0/0/1 port of R3. The R3 Ethernet network is on interface Fa0/0. Hello packets are sent at regular intervals between EIGRP neighbors to maintain adjacency. R3 stops sending hello packets to R2. R2 thinks, "My neighbor has not sent a hello for 15 seconds. My hold timer has expired." When the timer expires, R2 thinks, "R3 must be down. R3 is no longer my neighbor. DUAL needs to recalculate routes I learned from R3."

Page 2: Topology table The topology table lists all routes learned from each EIGRP neighbor. DUAL takes the information from the neighbor and topology tables and calculates the lowest cost routes to each network.

The topology table identifies up to four primary loop-free routes for any one destination. These successor routes appear in the routing table. EIGRP load balances, or sends packets to a destination using more than one path. It load balances using successor routes that are both equal cost and unequal cost. This feature avoids overloading any one route with packets.

Backup routes, called feasible successors, appear in the topology table but not in the routing table. If a primary route fails, a feasible successor becomes a successor route. This promotion can occur only when the feasible successor has a reported distance that is lower than the feasible distance of the current successor route to the destination.

5.3.3 - EIGRP Terminology and Tables The diagram depicts the output of the show ip eigrp topology command and a brief description of each field.

R2# show ip eigrp topology
IP-EIGRP Topology Table for AS(1)/ID(192.168.10.9)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 172.16.1.0/24, 1 successors, FD is 20514560
        via 172.16.3.1 (20514560/28160), Serial0/0/0
        via 192.168.10.10 (21026560/10514432), Serial0/0/1
P 192.168.10.4/30, 2 successors, FD is 21024000
        via 192.168.10.10 (21024000/10511872), Serial0/0/1
        via 172.16.3.1 (21024000/20512000), Serial0/0/0
P 192.168.1.0/24, 1 successors, FD is 20514560
        via 192.168.10.10 (20514560/28160), Serial0/0/1
P 192.168.10.8/30, 1 successors, FD is 20512000
        via Connected, Serial0/0/1
P 192.168.2.0/24, 1 successors, FD is 28160
        via Connected, FastEthernet0/0
P 172.16.3.0/30, 1 successors, FD is 20512000
        via Connected, Serial0/0/0
        via 192.168.10.10 (21536000/11023872), Serial0/0/1

Route Status. Whether the route is stable and ready for use (passive) or being recalculated by DUAL (active).
Feasible Distance. The lowest calculated metric to the destination.
Reported Distance. The distance to the destination as reported by a neighbor.
Destination Network. Address of the destination network.
Number of Successors. Number of equal cost paths with the lowest metric to the destination.
Next Hop Address of Successor. IP address of the next hop interface.
Next Hop Address of Feasible Successor. IP address of the next hop interface for the feasible successor.
Feasible Distance of Feasible Successor. The calculated metric to the destination via the feasible successor route.
Reported Distance of Feasible Successor. The distance to the destination as reported by the feasible successor.
Outbound Interface. Interface that the traffic uses to exit the router towards that destination.

Page 3: Routing Table

Whereas the topology table contains information about many possible paths to a network destination, the routing table displays only the best paths called the successor routes.

EIGRP displays information about routes in two ways:

The routing table designates routes learned through EIGRP with a D. EIGRP tags dynamic or static routes learned from other routing protocols or from outside the EIGRP network as D EX or external, because they did not originate from EIGRP routers within the same AS.

5.3.3 - EIGRP Terminology and Tables The diagram depicts R1 connected to network 172.16.1.0 /24 via port Fa0/0 with the address 172.16.1.1 /24. R1 is connected via S0/0/0 with the address 172.16.3.1 /30 to port S0/0/0 of R2 with the address 172.16.3.2 /30. R2 is connected to network 192.168.2.0 /24 via port Fa0/0 with the address 192.168.2.1 /24. R2 is connected via port S0/0/1 with the address 192.168.10.9 /30 to S0/0/1 of R3 with the address 192.168.10.10 /30. R3 is connected to network 192.168.1.0 /24 via port Fa0/0 with the address 192.168.1.1 /24, and to R1 S0/0/1 via S0/0/1 on network 192.168.10.4 /30. The EIGRP routing tables for these three routers, as displayed by the show ip route command, follow:

R1
     192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.10.0/24 is a summary, 00:04:22, Null0
C       192.168.10.4/30 is directly connected, Serial0/0/1
D       192.168.10.8/30 [90/21024000] via 172.16.3.2, 00:04:22, Serial0/0/0
     172.16.0.0/16 is variably subnetted, 3 subnets, 3 masks
D       172.16.0.0/16 is a summary, 00:04:22, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
C       172.16.3.0/30 is directly connected, Serial0/0/0
D    192.168.1.0/24 [90/20514560] via 192.168.10.6, 00:04:23, Serial0/0/1
D EX 192.168.2.0/24 [170/20514560] via 172.16.3.2, 00:04:23, Serial0/0/0

R2
     192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
D       192.168.10.0/24 [90/21024000] via 172.16.3.1, 00:14:48, Serial0/0/0
C       192.168.10.8/30 is directly connected, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 3 masks
D       192.168.10.8/30 [90/21514560] via 172.16.3.1, 00:24:10, Serial0/0/0
C       172.16.3.0/30 is directly connected, Serial0/0/0
D    192.168.1.0/24 [90/21026560] via 172.16.3.1, 00:19:00, Serial0/0/1
C    192.168.2.0/24 is directly connected, FastEthernet0/0

R3
     192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.10.0/24 is a summary, 00:13:46, Null0
C       192.168.10.4/30 is directly connected, Serial0/0/0
C       192.168.10.8/30 is directly connected, Serial0/0/1
D    172.16.0.0/16 [90/20514560] via 192.168.10.5, 00:13:44, Serial0/0/0
C    192.168.1.0/24 is directly connected, FastEthernet0/0
D EX 192.168.2.0/24 [170/21026560] via 192.168.10.5, 00:02:11, Serial0/0/0

Page 4:

5.3.3 - EIGRP Terminology and Tables The diagram depicts an activity in which you must determine which EIGRP table, Neighbor, Topology, or Routing, would be the most appropriate to find the specified information.

1. Interface connected to neighbor device.
2. Next hop address for the feasible successor.
3. Amount of time since an adjacency was established.
4. State that DUAL has calculated for the route.
5. IP address of neighbor devices.
6. The successor's advertised distance.
7. The route was learned from an external routing process.
8. The administrative distance associated with the route.

5.3.4 EIGRP Neighbors and Adjacencies Page 1: Before EIGRP can exchange packets between routers, it must first discover its neighbors. EIGRP neighbors are other routers running EIGRP on shared, directly connected networks.

EIGRP routers use hello packets to discover neighbors and establish adjacencies with neighbor routers. By default, hello packets are multicast every 5 seconds on links greater than a T1 and every 60 seconds on T1 or slower links.

On IP networks, the multicast address is 224.0.0.10. The hello packet contains information about the router interfaces and the interface addresses. An EIGRP router assumes that as long as it is receiving hello packets from a neighbor, the neighbor and its routes are reachable.

The hold time is the period that EIGRP waits to receive a hello packet. Generally, the hold time is three times the duration of the hello interval. When the hold time expires and EIGRP declares the route as down, DUAL re-evaluates the topology and refreshes the routing table.

Information discovered through the hello protocol provides the information for the neighbor table. A sequence number records the number of the last received hello from each neighbor and time-stamps the time that the packet arrived.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts R1, R2, and R3 connected in a triangular topology. The routers send hello packets to each other. A table contains the following hello intervals and default hold times, based on link bandwidth and type.

Bandwidth: 1.544 Mbps. Example Link: Multipoint Frame Relay. Hello Interval: 60 seconds. Default Hold Time: 180 seconds.
Bandwidth: Greater than 1.544 Mbps. Example Link: T1, Ethernet. Hello Interval: 5 seconds. Default Hold Time: 15 seconds.

Page 2: When a neighbor adjacency is established, EIGRP uses various types of packets to exchange and update routing table information. Neighbors learn about new routes, unreachable routes, and rediscovered routes through exchange of these packets:

Acknowledgement
Update
Query
Reply

When a route is lost, it moves to an active state and DUAL searches for a new route to the destination. When a route is found, it is moved to the routing table and placed in a passive state.

These various packets help DUAL gather the information it requires to calculate the best route to the destination network.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts R1, R2, and R3 connected in a triangular topology. R2 sends an update to R1, and R1 sends an ack to R2. R3 sends a query to R2, and R2 sends a reply to R3. R3 sends a hello to R1. Information on each type of packet is detailed below.

Update
If new neighbor found - unicast
To indicate routing change - multicast

Acknowledgement
Unicast hello packets with no data
Response to reliable packet transfer: update, query, reply

Query
To request specific info about a neighbor, or multicast looking for a new successor
Can be multicast or unicast

Reply
Response to a query
Always a unicast

Hello
Discover and verify neighbors
Discover timer values
Multicast address: 224.0.0.10
Unreliable transfer method

Page 3: An acknowledgement packet indicates the receipt of an update, query, or reply packet. Acknowledgement packets are small hello packets without any data. These types of packets are always unicast.

An update packet sends information about the network topology to its neighbor. That neighbor then updates its topology table. Several updates are often required to send all the topology information to the new neighbor.

Whenever DUAL places a route in the active state, the router must send a query packet to each neighbor. Neighbors must send replies, even if the reply states that no information on the destination is available. The information contained in each reply packet helps DUAL to locate a successor route to the destination network. Queries can be multicast or unicast. Replies are always unicast.

EIGRP packet types use either a connection-oriented service similar to TCP or a connectionless service similar to UDP. Update, query, and reply packets use the TCP-like service. Acknowledgements and hello packets use the UDP-like service.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts the basic operation of DUAL. R1, R2, and R3 are connected in a triangular topology. R2 sends an update alerting its neighbors that a network is down. R1 and R3 respond with an acknowledgment. R2 sends a query asking for another route to the network that is down. R1 and R3 acknowledge the query and then reply that there is no other known route. The network remains unreachable.

Page 4: As a routing protocol, EIGRP operates independently of the Network Layer. Cisco designed Reliable Transport Protocol (RTP) as a proprietary Layer 4 protocol. RTP guarantees delivery and receipt of EIGRP packets for all Network Layer protocols. Because large, complex networks may use a variety of Network Layer protocols, this protocol makes EIGRP flexible and scalable.

RTP can be used as both a reliable and best effort transport protocol, similar to TCP and UDP. Reliable RTP requires an acknowledgement packet from the receiver to the sender. Update, query, and reply packets are sent reliably; hello and acknowledgement packets are sent best effort and do not require an acknowledgement. RTP uses both unicast and multicast packets. Multicast EIGRP packets use the reserved multicast address of 224.0.0.10.

Each Network Layer protocol works through a Protocol Dependent Module (PDM) responsible for the specific routing task. Each PDM maintains three tables. For example, a router running IP, IPX, and AppleTalk has three neighbor tables, three topology tables, and three routing tables.

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts the neighbor tables for three different network protocols supported by EIGRP: Neighbor Table-AppleTalk, Neighbor Table-IPX, and Neighbor Table-IP, all of which show neighbor adjacency information.

The diagram also shows Topology Table-Apple Talk, Topology Table-IPX, and Topology-IP, all of which list every router to every destination. Lastly the diagram shows Routing Table-Apple Talk, Routing Table-IPX, and Routing Table-IP. All of these tables show successor routes.

Page 5:

5.3.4 - EIGRP Neighbors and Adjacencies The diagram depicts an activity in which you must match the EIGRP packet type with the appropriate definition.

Definitions
1. Sent to neighbors when DUAL places a route in the active state.
2. Used to give DUAL information about the destination network.
3. Used to form neighbor adjacencies.
4. Indicates receipt of a packet when RTP is used.
5. Unicasts information about the network to a new neighbor.

Types of EIGRP Packets
A. Hello Packet
B. Update Packet
C. Query Packet
D. Reply Packet
E. Acknowledgement Packet

5.3.5 EIGRP Metrics and Convergence Page 1: EIGRP uses a composite metric value to determine the best path to a destination. This metric is determined from the following values:

Bandwidth
Delay
Reliability
Load

Maximum Transmission Unit (MTU) is another value included in routing updates, but is not a routing metric.

The composite metric formula consists of K values: K1 through K5. By default, K1 and K3 are set to 1. K2, K4, and K5 are set to 0. The value of 1 designates that bandwidth and delay have equal weight in the composite metric calculation.

Bandwidth

The bandwidth metric is a static value and is displayed in kbps. Most serial interfaces use the default bandwidth value of 1544 kbps. This metric reflects the bandwidth of a T1 connection.

Sometimes the bandwidth value may not reflect the actual physical bandwidth of the interface. Bandwidth influences the metric calculation and, as a result, the EIGRP path selection. If a 56 kbps link is advertised with a 1544 kbps value, it could interfere with convergence as it struggles to cope with the traffic load.

5.3.5 - EIGRP Metrics and Convergence The diagram depicts R1 connected to network 172.16.1.16 /28 via port Fa0/0 with the address 172.16.1.17 /24. R1 is connected via S0/0/0 with the address 172.16.3.1 /30 to port S0/0/0 of R2 with the address 172.16.3.2 /30. R2 is connected to network 172.16.2.0 /24 via port Fa0/0 with the address 172.16.2.1 /24. R2 is connected via port S0/0/1 with the address 192.168.10.9 /30 to S0/0/1 of R3 with the address 192.168.10.10 /30. R3 is connected to network 192.168.1.0 /24 via port Fa0/0 with the address 192.168.1.1 /24. R3 is connected via S0/0/1 with the address 192.168.10.6 /30 to the S0/0/1 port of R1, with the address 192.168.10.5 /30. R2 is connected to the ISP on the network 10.1.1.0 /30. Highlighted in the console output from the show interfaces command is a line, BW 64 Kbit, for interface S0/0/0 and a line, BW 1544 Kbit, for interface S0/0/1. This depicts the difference in bandwidth, which is one of the metrics used by EIGRP to determine the best path to a destination.

R1# show int s0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 172.16.3.1/30
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255

R1# show int s0/0/1
Serial0/0/1 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 192.168.10.5/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255

The show ip protocols command displays information about the EIGRP routing protocol process. EIGRP metric weights are highlighted in the output.

R1# show ip protocols
Routing Protocol is "EIGRP 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100

More Information Popup IGRP uses these scaled values to determine the total metric cost to the network:

metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]

Page 2: The other metrics used by EIGRP to calculate the cost of a link are delay, reliability, and load.

The delay metric is a static value that is based on the type of exit interface. The default value is 20,000 microseconds for Serial interfaces and 100 microseconds for Fast Ethernet interfaces.

The delay metric does not represent the actual amount of time packets take to reach the destination. Changing the delay value associated with a specific interface alters the metric but does not physically affect the network.

Reliability measures how often the link has experienced errors. Unlike delay, reliability updates automatically, depending on the link conditions. It has a value of between 0 and 255. A reliability of 255/255 represents a 100 percent reliable link.

Load reflects the amount of traffic using the link. A lower load value is more desirable than a higher value. As an example, 1/255 would be a minimally loaded link, and 255/255 would be a link that is 100 percent utilized.

5.3.5 - EIGRP Metrics and Convergence The diagram depicts a table of delays for various media.

Media: 100M ATM. Delay: 100 microseconds
Media: Fast Ethernet. Delay: 100 microseconds
Media: FDDI. Delay: 100 microseconds
Media: HSSI. Delay: 20,000 microseconds
Media: 16M Token Ring. Delay: 630 microseconds
Media: Ethernet. Delay: 1000 microseconds
Media: T1 (Serial Default). Delay: 20,000 microseconds
Media: 512K. Delay: 20,000 microseconds
Media: DS0. Delay: 20,000 microseconds
Media: 56K. Delay: 20,000 microseconds
Media: Internal BGP. Delay: 200 microseconds
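To see how the bandwidth and delay values above turn into the metrics that appear in this chapter's routing tables, here is an added Python example (not course material and not IOS code) that applies the K-value formula from the popup with the standard EIGRP scaling: the bandwidth term is 10^7 divided by the slowest link in kbps, the delay term is the sum of the interface delays divided by 10, each multiplied by 256 and computed with integer arithmetic. The interface values are constructed from the chapter's diagrams (serial DLY 20000 usec, FastEthernet 100 usec; 64, 1024 and 1544 kbps links) and reproduce metrics shown elsewhere in this chapter. One caveat the popup formula hides: with the default K5 = 0 the reliability factor is skipped entirely rather than multiplying the metric by zero.

```python
"""EIGRP composite metric, computed the way IOS scales it.

Added example, not course material. The K-value formula is the one shown in the
course popup; the scaling (10^7 / slowest-link kbps and summed delay / 10, each
times 256, integer arithmetic) is the standard EIGRP scaling. Interface values
below are constructed from the chapter diagrams.
"""

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5 as listed by "show ip protocols"

SERIAL_DELAY_USEC = 20000        # DLY of a serial interface in the diagrams
FASTETHERNET_DELAY_USEC = 100    # DLY of a FastEthernet interface
FASTETHERNET_BW_KBPS = 100000


def scaled_bandwidth(bandwidths_kbps):
    """The slowest link on the path governs the bandwidth term (integer division, as IOS does)."""
    return (10**7 // min(bandwidths_kbps)) * 256


def scaled_delay(delays_usec):
    """Delays accumulate hop by hop and are expressed in tens of microseconds."""
    return (sum(delays_usec) // 10) * 256


def eigrp_metric(bandwidths_kbps, delays_usec, load=1, reliability=255, k=DEFAULT_K):
    """Composite metric for a path given every outbound interface's bandwidth and delay.

    load and reliability are the x/255 values from "show interfaces"; they only
    influence the result when K2, K4 or K5 are non-zero.
    """
    k1, k2, k3, k4, k5 = k
    bw = scaled_bandwidth(bandwidths_kbps)
    dly = scaled_delay(delays_usec)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    # With the default K5 = 0 the reliability factor is not applied at all;
    # a literal multiplication by K5 would zero every metric.
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


def path_metric(hops):
    """hops: list of (bandwidth_kbps, delay_usec), one per outbound interface from source to destination."""
    return eigrp_metric([bw for bw, _ in hops], [dly for _, dly in hops])


# Constructed paths mirroring the 5.4.2 diagram (R1's point of view).
# 192.168.1.0/24: the 1544 kbps R1-R3 serial link, then R3's FastEthernet interface.
R1_TO_192_168_1_0 = [(1544, SERIAL_DELAY_USEC), (FASTETHERNET_BW_KBPS, FASTETHERNET_DELAY_USEC)]
# 172.16.2.0/24: the 64 kbps R1-R2 serial link, then R2's FastEthernet interface.
R1_TO_172_16_2_0 = [(64, SERIAL_DELAY_USEC), (FASTETHERNET_BW_KBPS, FASTETHERNET_DELAY_USEC)]
# 192.168.10.8/30 (the R2-R3 serial network) via R3: two serial hops, slowest 1024 kbps.
R1_TO_192_168_10_8 = [(1544, SERIAL_DELAY_USEC), (1024, SERIAL_DELAY_USEC)]


if __name__ == "__main__":
    for name, hops in [("192.168.1.0/24", R1_TO_192_168_1_0),
                       ("172.16.2.0/24", R1_TO_172_16_2_0),
                       ("192.168.10.8/30", R1_TO_192_168_10_8)]:
        print(f"{name}: metric {path_metric(hops)}")
```

Running it reproduces the 2172416, 40514560 and 3523840 values that appear in the routing table shown in 5.4.2, which is a useful check when you are deciding whether a bandwidth statement on a serial interface is doing what you intended.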

Page 3: The EIGRP topology table uses metrics to maintain values for feasible distance (FD) and advertised distance (AD), or reported distance (RD). DUAL uses these values to determine successors and feasible successors.

Feasible distance is the best EIGRP metric along the path to the destination from the router.

Advertised distance is the best metric reported by a neighbor.

The loop-free route with the lowest feasible distance becomes a successor. There can be multiple successors for a destination, depending on the actual topology. A feasible successor is a route with an advertised distance that is less than the feasible distance of a successor.

DUAL converges quickly after a change in the topology. DUAL keeps feasible successors in the topology table and promotes the best one to the routing table as a successor route if the original successor route fails. If no feasible successor exists, the original route moves into active mode, and queries are sent to find a new successor.

5.3.5 - EIGRP Metrics and Convergence The diagram depicts R1 connected to R2 with a serial link that has a cost of 10. R2 is connected to Network Z with a serial link and has an AD of 5. R1 is also connected to R3 with a Fast Ethernet connection with a cost of 14. R3 is connected to Network Z with a serial link and has an AD of 6. Lastly, R1 is connected to R4 with a serial link that has a cost of 10. R4 is connected to Network Z with a serial link and has an AD of 5.

R1 EIGRP Topology Table
R2 is successor to Network Z, FD = 15, AD = 5.
R3 is feasible successor to Network Z, FD = 20, AD = 6.
R4 is successor to Network Z, FD = 15, AD = 5.

Feasible Distance (FD): The minimum distance (metric) along a path from the router to a destination network.
Advertised Distance (AD) or Reported Distance (RD): The distance (metric) towards a destination as advertised by an upstream neighbor. In italics: the neighbor router's distance.

More Information Popup In an EIGRP routing table entry, the word via precedes the address of the successor. The feasible distance is the metric listed after the administrative distance of 90. In the entry below, the best path to the 192.168.1.0 /24 network is through the next-hop interface of the successor, 192.168.10.10, and the feasible distance is 3014400:

D    192.168.1.0/24 [90/3014400] via 192.168.10.10, 00:00:31, Serial0/0/1
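The following added Python example (not course material) applies the successor and feasible successor rules above to R1's topology table from the diagram, and adds one constructed neighbor, R5, whose total distance is lower than R3's but whose advertised distance fails the feasibility condition. It then walks through what DUAL does when successors are lost: promote a feasible successor without changing the feasible distance, or, when none is left, go active and recompute from the replies. Treating the FD as unchanged through a local computation and reset only after the route has gone active follows the DUAL description; the data structures and the R5 values are assumptions made for the example.

```python
"""DUAL successor / feasible successor selection for one destination.

Added example, not course material. Neighbor values for R2, R3 and R4 come from
the 5.3.5 diagram (R1 towards Network Z); R5 is a constructed neighbor that
fails the feasibility condition.
"""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Neighbor:
    name: str
    link_cost: int   # metric of the link from this router to the neighbor
    advertised: int  # AD/RD: the neighbor's own distance to the destination

    @property
    def total(self) -> int:
        return self.link_cost + self.advertised


@dataclass
class RouteState:
    feasible_distance: Optional[int]
    distance: Optional[int]                      # metric of the installed successor path
    successors: List[str] = field(default_factory=list)
    feasible_successors: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)   # fail AD < FD, so may loop back
    went_active: bool = False


def run_dual(neighbors):
    """Diffusing computation: FD becomes the best total and the FC is checked against it."""
    if not neighbors:
        return RouteState(None, None, went_active=True)
    fd = min(n.total for n in neighbors)
    state = RouteState(fd, fd)
    for n in neighbors:
        if n.total == fd:
            state.successors.append(n.name)
        elif n.advertised < fd:
            # Feasibility condition: a neighbor closer to the destination than our
            # own FD cannot be routing through us, so it is a loop-free backup.
            state.feasible_successors.append(n.name)
        else:
            state.rejected.append(n.name)
    return state


def on_successor_loss(neighbors, current, failed):
    """React to losing the neighbors in `failed` while the route is passive."""
    remaining = [n for n in neighbors if n.name not in failed]
    fd = current.feasible_distance
    candidates = [n for n in remaining if n.advertised < fd]   # FC against the OLD FD
    if candidates:
        # Local computation: promote the best feasible successor; FD is kept.
        best = min(n.total for n in candidates)
        state = RouteState(feasible_distance=fd, distance=best)
        for n in remaining:
            if n in candidates and n.total == best:
                state.successors.append(n.name)
            elif n in candidates:
                state.feasible_successors.append(n.name)
            else:
                state.rejected.append(n.name)
        return state
    # No feasible successor: the route goes active, queries go out, and the FD
    # is recomputed from whatever the neighbors reply with.
    state = run_dual(remaining)
    state.went_active = True
    return state


# Diagram values plus the constructed R5.
R1_NEIGHBORS = [
    Neighbor("R2", link_cost=10, advertised=5),
    Neighbor("R3", link_cost=14, advertised=6),
    Neighbor("R4", link_cost=10, advertised=5),
    Neighbor("R5", link_cost=2, advertised=16),   # constructed: total 18, but AD 16 >= FD 15
]

if __name__ == "__main__":
    initial = run_dual(R1_NEIGHBORS)
    print("initial:", initial)
    print("lose R2:", on_successor_loss(R1_NEIGHBORS, initial, {"R2"}))
    print("lose R2+R4:", on_successor_loss(R1_NEIGHBORS, initial, {"R2", "R4"}))
    print("lose R2+R4+R3:", on_successor_loss(R1_NEIGHBORS, initial, {"R2", "R4", "R3"}))
```

Note how R5 is never chosen while the route stays passive, even though its total distance of 18 beats R3's 20: its advertised distance of 16 is not below the feasible distance of 15, so DUAL cannot prove it is loop-free. R5 becomes usable only after the route has gone active and the feasible distance has been recomputed.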

Page 4:

5.3.5 - EIGRP Metrics and Convergence The diagram depicts an activity in which you must examine the network diagram and answer questions about the feasible distance (FD), advertised distance (AD), and the successor route for specified routes. The following is a description of the network. Network A is connected to R1 and has a cost of 1. Network B is connected to R2. R1 is connected to R2. R2 is connected to R4 and has a cost of 1. R3 is connected to R2 with a cost of 2. R3 is also connected to R4 with a cost of 2. R5 is connected to R4 with a cost of 1. R5 is also connected to R3 with a cost of 2.

1. What is the feasible distance to network A from R5 via R3? 1, 2, 5, or 6
2. What is the advertised distance to network A from R5 via R3? 1, 2, 3, or 4
3. What is the feasible distance to network A from R5 via R4? 2, 3, 5, or 6
4. What is the advertised distance to network A from R5 via R4? 2, 3, 5, or 6
5. What is the successor router from R5 to get to network A? Via R3 or Via R4
6. What is the feasible distance to network B from R4 via R5? 1, 2, 5, or 6

5.4 Implementing EIGRP

5.4.1 Configuring EIGRP Page 1: Basic EIGRP is relatively simple to configure. It has many similarities to RIPv2.

To begin the EIGRP routing process, use two steps:

Step 1

Enable the EIGRP routing process.

Enabling the EIGRP process requires an autonomous system parameter. This AS parameter can be assigned any 16-bit value and identifies all of the routers belonging to a single company or organization. Although EIGRP refers to the parameter as an autonomous system number, it actually functions as a process ID. This AS number is locally significant only and is not the same as the autonomous system number issued and controlled by the Internet Assigned Numbers Authority (IANA).

The AS number in the command must match on all routers that work within the EIGRP routing process.

Step 2

Include network statements for each network to be advertised.

The network command tells EIGRP which networks and interfaces participate in the EIGRP process.

5.4.1 - Configuring EIGRP The diagram depicts eight routers configured in two diamond topologies linked by one router to each diamond. The following are the commands issued to configure EIGRP.

Step 1
R1(config)# router eigrp <1-65535>    Autonomous System number
R1(config)# router eigrp 1

Step 2
R1(config-router)# network 172.16.0.0

More Information Popup The process ID references an instance of the EIGRP protocol running in a router. If there were two instances of EIGRP running on the same router at the same time, the process ID, or instance number, would separate and identify each individual process.

Page 2: To configure EIGRP to advertise only certain subnets, include a wildcard mask after the network number. To determine the wildcard mask, subtract the subnet mask from 255.255.255.255.

Some versions of the Cisco IOS allow the subnet mask to be specified instead of using the wildcard mask. Even if the subnet mask is used, the show running-config command displays the wildcard mask in its output.

Two additional commands complete the typical basic EIGRP configuration.

Add eigrp log-neighbor-changes command to view changes in neighbor adjacencies. This feature helps the administrator monitor the stability of the EIGRP network.

On serial links that do not match the default EIGRP bandwidth of 1.544 Mbps, add the bandwidth command followed by the actual speed of the link expressed in kbps. Inaccurate bandwidth interferes with choosing the best route.

5.4.1 - Configuring EIGRP The diagram depicts three routers connected to each other by serial links, arranged in a triangular topology. The following are the EIGRP configuration commands for each router.

R1 Router
R1(config)# router eigrp 1
R1(config-router)# network 172.16.0.0
R1(config-router)# network 192.168.10.0
R1(config-router)# exit

R2 Router
R2(config)# router eigrp 1
R2(config-router)# network 10.0.0.0
R2(config-router)# network 192.158.8.0 0.0.0.3

Console message displayed upon neighbor discovery:
*Mar 1 07:05:56.457: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 172.16.3.1 (Serial0/0/0) is up: new adjacency

R3 Router
R3(config)# router eigrp 1
R3(config-router)# network 192.168.10.0
R3(config-router)# network 192.168.1.0

Console messages displayed upon neighbor discovery:
192.168.10.5 (Serial0/0) is up: new adjacency
192.168.10.9 (Serial0/1) is up: new adjacency

Page 3: Once EIGRP is enabled, any router configured with EIGRP and the correct autonomous system number can enter the EIGRP network. This means routers with different or conflicting route information can affect and possibly corrupt the routing tables. To prevent this, it is possible to enable authentication within the EIGRP configuration. Once neighbor authentication is configured, the router authenticates the source of all routing updates before accepting them.

EIGRP authentication requires the use of a pre-shared key. EIGRP allows an administrator to manage the keys through a keychain. The configuration of EIGRP authentication consists of two steps: creating the key and enabling authentication to use the key.

Key Creation

To create the key perform the following commands:

key chain name-of-chain

Global configuration command. Specifies the name of the keychain and enters the configuration mode for the keychain.

key key-id

Identifies the key number and enters the configuration mode for that key-id.

key-string text

Identifies the key string or password. This must be configured to match on all EIGRP routers.

Enabling Authentication

The key is used to enable MD5 authentication for EIGRP with the following interface configuration commands:

ip authentication mode eigrp md5

Specifies that MD5 authentication is required for the exchange of EIGRP packets.

ip authentication key-chain eigrp AS name-of-chain

AS specifies the autonomous system of the EIGRP configuration.

Name-of-chain parameter specifies the keychain that was previously configured.

5.4.1 - Configuring EIGRP The diagram depicts two routers, R1 and R2. They are connected via a serial link with the network address 192.168.1.0 /24. R1 has a network connected to its Fast Ethernet port, network address 192.168.2.0 /24. R2 has a network connected to its Fast Ethernet port with the network address 192.168.3.0 /24. The show running-config command is issued on each router and the output, which includes MD5 authentication, is listed. You will encounter the output of this command with EIGRP implemented in future labs.

More Information Popup Optional parameters can be configured as part of the keychain. Optional parameters include the date when the key is required, and the lifetime of the key or end date of the key. To configure the optional parameters, you must be in the key configuration mode.

accept-lifetime start-time {infinite | end-time | duration seconds}
Specifies when the key is accepted for received packets. Start time is generally shown in hh:mm:ss month date year.

send-lifetime start-time {infinite | end-time | duration seconds}
Specifies when the key can be used for sending packets.
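The security point of this section is that a matching AS number alone lets any router join the EIGRP process, and the key chain is what stops that. The following added Python example (not course material and not IOS code) models the key chain commands above, including the optional accept-lifetime and send-lifetime parameters, to show how an overlapping rotation window lets both routers move from key 1 to key 2 without dropping the adjacency, and how packets with an unknown key id, an expired key, a wrong key string, or modified contents are rejected. Two assumptions, also labelled in the code: the sender uses the lowest key id valid for sending, and the digest is a simplified keyed MD5 over the packet bytes plus the key string rather than the real EIGRP authentication TLV layout. The schedule, key strings and packet bytes are constructed.

```python
"""Model of an EIGRP key chain: send/accept lifetimes and per-packet verification.

Added example, not course material or IOS code. Assumptions: the sender picks the
lowest-numbered key whose send-lifetime covers the current time; the receiver
accepts a packet only if the key id it carries exists, its accept-lifetime covers
the current time, and the digest matches. The digest is a simplified keyed MD5
(packet bytes followed by key string), standing in for the real authentication TLV.
"""

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

INFINITE = datetime.max   # the "infinite" keyword of accept-lifetime / send-lifetime


@dataclass
class Key:
    key_id: int
    key_string: str
    accept: Tuple[datetime, datetime]   # accept-lifetime: received packets using this key are accepted
    send: Tuple[datetime, datetime]     # send-lifetime: this key may be used for sending

    def can_accept(self, now: datetime) -> bool:
        return self.accept[0] <= now < self.accept[1]

    def can_send(self, now: datetime) -> bool:
        return self.send[0] <= now < self.send[1]


class KeyChain:
    def __init__(self, name: str, keys: List[Key]):
        self.name = name
        self.keys = keys

    def send_key(self, now: datetime) -> Optional[Key]:
        # Assumption: the lowest key id that is valid for sending is used.
        valid = [k for k in self.keys if k.can_send(now)]
        return min(valid, key=lambda k: k.key_id) if valid else None

    def accept_key(self, key_id: int, now: datetime) -> Optional[Key]:
        for k in self.keys:
            if k.key_id == key_id and k.can_accept(now):
                return k
        return None


def digest(packet: bytes, key_string: str) -> str:
    # Simplified keyed MD5; the real EIGRP authentication TLV layout is not modelled.
    return hashlib.md5(packet + key_string.encode()).hexdigest()


def sign(chain: KeyChain, packet: bytes, now: datetime) -> Tuple[int, str]:
    """What the sender attaches: the key id and the digest computed with that key."""
    key = chain.send_key(now)
    if key is None:
        raise ValueError(f"key chain {chain.name}: no key valid for sending at {now}")
    return key.key_id, digest(packet, key.key_string)


def verify(chain: KeyChain, packet: bytes, key_id: int, mac: str, now: datetime) -> bool:
    """Receiver side: unknown or expired key id, wrong key string or altered packet all fail."""
    key = chain.accept_key(key_id, now)
    if key is None:
        return False
    return hmac.compare_digest(mac, digest(packet, key.key_string))


# Constructed rotation schedule: key 1 is retired over a one-hour overlap during
# which both routers still accept it while already sending with key 2.
T0 = datetime(2024, 1, 1, 0, 0, 0)
H = timedelta(hours=1)
ROUTER_CHAIN = KeyChain("EIGRP_KEYS", [
    Key(1, "old-secret", accept=(T0, T0 + 2 * H), send=(T0, T0 + 1 * H)),
    Key(2, "new-secret", accept=(T0 + 1 * H, INFINITE), send=(T0 + 1 * H, INFINITE)),
])
PACKET = b"constructed EIGRP update: 172.16.1.0/24 metric 2172416"

if __name__ == "__main__":
    for t in (T0 + 0.5 * H, T0 + 1.5 * H, T0 + 3 * H):
        key_id, mac = sign(ROUTER_CHAIN, PACKET, t)
        print(t, "sends with key", key_id, "accepted:", verify(ROUTER_CHAIN, PACKET, key_id, mac, t))
    stale_id, stale_mac = sign(ROUTER_CHAIN, PACKET, T0 + 0.5 * H)   # a neighbor still on key 1
    print("key 1 during overlap:", verify(ROUTER_CHAIN, PACKET, stale_id, stale_mac, T0 + 1.5 * H))
    print("key 1 after overlap:", verify(ROUTER_CHAIN, PACKET, stale_id, stale_mac, T0 + 3 * H))
```

Because lifetimes are compared against the router clock, the rotation shown only works when the clocks on both routers agree; a neighbor whose clock is an hour off will see its packets rejected at the wrong moment, so time synchronisation belongs in the same change as the lifetimes.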

Page 4: Lab Activity

Configure EIGRP with MD5 authentication.

Click the lab icon to begin.

5.4.1 - Configuring EIGRP Link to Hands-on Lab: Implementing EIGRP

5.4.2 EIGRP Route Summarization Page 1: Like RIP, EIGRP automatically summarizes subnetted networks on the classful boundary. EIGRP creates only one entry in the routing table for the summary route. A best path or successor route is associated with the summary route. As a result, all traffic destined for the subnets travels across that one path.

In an enterprise network, the path chosen to reach the summary route may not be the best choice for the traffic that is trying to reach each individual subnet. The only way that all routers can find the best routes for each individual subnet is for neighbors to send subnet information.

When default summarization is disabled, updates include subnet information. The routing table installs entries for each of the subnets and also an entry for the summary route. The summary route is called the parent route and the subnet routes are called the child routes.

EIGRP installs a Null0 summary route in the routing table for each parent route. The Null0 interface indicates that this is not an actual path, but a summary for advertising purposes. If a packet matches one of the child routes, it is forwarded out the correct interface. If the packet matches the summary route but none of the child routes, it is discarded.

Using default summarization results in smaller routing tables. Turning off the summarization produces larger updates and larger tables. Consideration of the overall network performance and traffic patterns determines if auto summarization is appropriate.

Use the no auto-summary command to disable the default summarization.

5.4.2 - EIGRP Route Summarization The diagram depicts three routers, R1, R2, and R3, in a triangular topology with serial links between all three router serial ports. The serial link between R1 and R2 is on network address 172.16.3.0 /30 at 64 kbps. The serial link between R1 and R3 is on network address 192.168.10.4 /30 at 1544 kbps. The serial link between R2 and R3 is on network address 192.168.10.8 /30 at 1024 kbps. All three routers have networks connected to their FastEthernet ports, with the network addresses 172.16.1.0 /24, 172.16.2.0 /24 and 192.168.1.0 /24. The show ip route command is issued and the corresponding output is displayed. The lines with "Null0" are highlighted as examples of summary routes.

R1# show ip route

Gateway of last resort is not set
     192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
D       192.168.10.0/24 is a summary, 00:45:09, Null0
C       192.168.10.4/30 is directly connected, Serial0/0/0
D       192.168.10.8/30 [90/3523840] via 192.168.10.6, 00:44:56, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
D       172.16.0.0/16 is a summary, 00:46:10, Null0
C       172.16.1.0/24 is directly connected, FastEthernet0/0
D       172.16.2.0/24 [90/40514560] via 172.16.3.2, 00:45:09, Serial0/0/0
C       172.16.3.0/30 is directly connected, Serial0/0/0
D       192.168.1.0/24 [90/2172416] via 192.168.10.6, 00:44:55, Serial0/0/1

Page 2: With auto summarization disabled, all subnets are advertised. An administrator may have a situation in which some of the subnets need to be summarized and some do not. The decision to summarize depends on the placement of the subnets. As an example, four contiguous subnets terminating on the same router are good candidates for summarization.

Manual summarization provides a more precise control of EIGRP routes. Using this feature, the administrator determines which subnets on which interfaces are advertised as summary routes.

Manual summarization is done on a per-interface basis and gives the network administrator complete control. A manually summarized route appears in the routing table as an EIGRP route sourced from a logical, not physical, interface:

D 192.168.0.0/22 is a summary, Null0

5.4.2 - EIGRP Route Summarization The diagram depicts three routers, labeled R1, R2, and R3. R3 has both of its serial interfaces connected to R1 and R2. The network addresses for these links are as follows: R3 to R1 = 192.168.0.0 /22, R3 to R2 = 192.168.0.0 /22. R3 has the following four FastEthernet ports connected to networks:
Fa0/0: 192.168.3.0 /24
Fa0/1: 192.168.2.0 /24
Fa0/2: 192.168.1.0 /24
Fa0/3: 192.168.0.0 /24
The output to the screen for route summarization on individual interfaces is as follows (the summary is configured per interface and carries the EIGRP autonomous system number, 1 in this case):
R3(config)# interface serial 0/0/0
R3(config-if)# ip summary-address eigrp 1 192.168.0.0 255.255.252.0
R3(config-if)# interface serial 0/0/1
R3(config-if)# ip summary-address eigrp 1 192.168.0.0 255.255.252.0
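To make the parent/child and Null0 behaviour described above concrete, here is an added Python example (not part of the course material) that computes the classful auto-summary of a subnet, the manual summary that covers a set of contiguous child routes (the address and mask you would hand to ip summary-address eigrp), and a longest-prefix lookup against a routing table holding child routes plus the Null0 parent. The child routes, interface names and destination addresses are constructed from the 5.4.2 topologies; the lookup logic is a simplified model of the router's behaviour, not Cisco code.

```python
import ipaddress


def classful_summary(prefix):
    """Auto-summary: collapse a subnet to its classful boundary (/8, /16 or /24),
    which is what EIGRP advertises by default until 'no auto-summary' is set."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False))


def manual_summary(child_prefixes):
    """Manual summary: the smallest set of supernets that exactly covers the
    child routes, e.g. four contiguous /24s become one /22."""
    nets = [ipaddress.ip_network(p) for p in child_prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_table(children, parent):
    """Routing table as {network: outgoing interface}. The parent (summary)
    route is installed pointing at Null0, as EIGRP does for each summary."""
    table = {ipaddress.ip_network(p): iface for p, iface in children.items()}
    table[ipaddress.ip_network(parent)] = "Null0"
    return table


def lookup(table, destination):
    """Longest-prefix match. A packet that matches only the Null0 parent is
    discarded rather than forwarded; one that matches a child is forwarded."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, iface) for net, iface in table.items() if addr in net]
    if not matches:
        return "no route"
    _, iface = max(matches)          # longest prefix wins
    return "discard (Null0)" if iface == "Null0" else iface


# Constructed sample: R1's child routes from the 5.4.2 topology and the
# classful parent that EIGRP installs for them (172.16.0.0/16).
CHILDREN = {
    "172.16.1.0/24": "FastEthernet0/0",
    "172.16.2.0/24": "Serial0/0/0",
    "172.16.3.0/30": "Serial0/0/0",
}
PARENT = classful_summary("172.16.1.0/24")
TABLE = build_table(CHILDREN, PARENT)

if __name__ == "__main__":
    print("auto-summary of 192.168.10.4/30 ->", classful_summary("192.168.10.4/30"))
    print("manual summary of R3's four LANs ->",
          manual_summary(["192.168.0.0/24", "192.168.1.0/24",
                          "192.168.2.0/24", "192.168.3.0/24"]))
    for dst in ("172.16.2.9", "172.16.9.1", "10.1.1.1"):
        print(f"{dst:>12} -> {lookup(TABLE, dst)}")
```

The third lookup destination, 172.16.9.1, falls inside the /16 parent but inside no child, so the table answers with the Null0 discard rather than "no route"; that is the difference the Null0 entry makes.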

Page 3: Packet Tracer Activity

Configure and verify EIGRP and EIGRP summary routes.

Click the Packet Tracer icon to begin.

5.4.2 - EIGRP Route Summarization Link to Packet Tracer Exploration: Configuring EIGRP and EIGRP Summary Routes

Page 4: Lab Activity

Configure automatic and manual route summarization with EIGRP.

Click the lab icon to begin.

5.4.2 - EIGRP Route Summarization Link to Hands-on Lab: EIGRP Configuring Automatic and Manual Route Summarization and Discontiguous Subnets

5.4.3 Verifying EIGRP Operation Page 1: Although EIGRP is a relatively simple protocol to configure, it employs sophisticated technologies to overcome the limitations of distance vector routing protocols. It is important to understand these technologies in order to properly verify and troubleshoot a network configuration that utilizes EIGRP. Some of the verification commands available include:

show ip protocols
  Verifies that EIGRP is advertising the correct networks
  Displays the autonomous system number and administrative distance

show ip route
  Verifies that the EIGRP routes are in the routing table
  Designates EIGRP routes with a D or a D EX
  Has a default administrative distance of 90 for internal routes

show ip eigrp neighbors detail
  Verifies the adjacencies EIGRP forms
  Displays the IP addresses and interfaces of neighbor routers

show ip eigrp topology
  Displays successors and all feasible successors
  Displays feasible distance and reported distance

show ip eigrp interfaces detail
  Verifies the interfaces using EIGRP

show ip eigrp traffic
  Displays the number and types of EIGRP packets sent and received

One of the primary uses of these show commands is to verify the successful formation of EIGRP adjacencies and the successful exchange of EIGRP packets between routers. EIGRP cannot work without forming adjacencies; therefore, adjacencies should be verified before any other troubleshooting effort.

5.4.3 - Verifying EIGRP Operation The diagram depicts three routers, labeled R1, R2, and R3. They are configured in a triangular topology with serial links between all three router serial ports. The serial link between R1 and R2 uses the network address 172.16.3.0 /30. It is a 64 kbps link. The serial link between R1 and R3 is on network address 192.168.10.4 /30. It is a 1544 kbps link. The serial link between R2 and R3 uses the network address 192.168.10.8/30. It is a 1024 kbps link. All three routers have networks connected to FastEthernet ports. The network addresses are as follows: 172.16.1.0 /24, 172.16.2.0 /24, and 192.168.1.0 /24. The commands listed below will be available for output testing in future labs. Once EIGRP has been implemented, the commands listed below will reflect the addition of EIGRP.
show ip protocols
show ip eigrp topology
show ip route
show ip eigrp interfaces detail
show ip eigrp neighbors detail
show ip eigrp traffic

Page 2: If adjacencies appear normal but problems still exist, an administrator should begin troubleshooting using debug commands to view real-time information on the EIGRP activities occurring on a router.

debug eigrp packet

displays transmission and receipt of all EIGRP packets

debug eigrp fsm

displays feasible successor activity to determine whether routes are discovered, installed, or deleted by EIGRP

Debugging operations use large amounts of bandwidth and router processing power, particularly when debugging a very complex protocol like EIGRP. These commands provide details that can pinpoint the source of a lost EIGRP route or missing adjacency; however, the use of these commands can also degrade network performance.

5.4.3 - Verifying EIGRP Operation The diagram depicts the output for the commands debug eigrp packet and debug eigrp fsm. The output of these two commands can be examined in detail when the EIGRP protocol is implemented in future labs.

Page 3:

5.4.3 - Verifying EIGRP Operation The diagram depicts an activity in which you must match the output requirements with the appropriate command.
Commands:
A. debug eigrp packet
B. debug eigrp fsm
C. debug ip eigrp neighbors details
D. show ip eigrp topology
E. show ip eigrp interfaces details
F. show ip eigrp traffic
Output requirements:
1. Verifies adjacencies.
2. Displays successors and feasible successors.
3. Shows transmission and receipt of EIGRP packets.
4. Verifies the interfaces that are using EIGRP.
5. Shows feasible successor activity.
6. Shows the number and types of EIGRP packets sent and received.

Page 4: Packet Tracer Activity

Explore the various EIGRP verification and troubleshooting commands.

Click the Packet Tracer icon to begin.

5.4.3 - Verifying EIGRP Operation Link to Packet Tracer Exploration: Verifying and Troubleshooting EIGRP Operation

5.4.4 Issues and Limitations of EIGRP Page 1: Although EIGRP is a powerful and sophisticated routing protocol, several considerations limit its use:

Does not work in a multi-vendor environment because it is a Cisco proprietary protocol
Works best with a flat network design
Must share the same autonomous system among routers and cannot be subdivided into groups
Can create very large routing tables, which require large update packets and large amounts of bandwidth
Uses more memory and processor power than RIP
Works inefficiently when left on the default settings
Requires administrators with advanced technical knowledge of the protocol and the network

EIGRP offers the best of distance vector routing, while using additional features typically associated with link-state routing protocols, including bounded updates and neighbor adjacencies. Successful implementation of the many features of EIGRP requires careful configuration, monitoring, and troubleshooting.

5.4.4 - Issues and Limitations of EIGRP The diagram depicts several network environments located around a city and across the world. These separate networks form part of the larger network, shown as a cloud, to which they are all connected. Situated outside these corporate networks are single telecommuters. A network administrator sits outside this large network of networks and asks himself the question, "What can I do to make EIGRP run better?"

5.5 Chapter Summary


5.5.1 Summary Page 1:

5.5.1 - Summary Diagram 1, Image The diagram depicts a static route topology. Diagram 1 text Enterprise networks are hierarchical in order to facilitate the flow of information. Different topologies exist in enterprise networks, including star, extended star, and mesh. Networks use both static and dynamic routing to move information. Static routes are manually configured, enhance network security, and reduce the burden on routers. Dynamic routes are learned and exchanged through routing protocols, which automate the task of providing the best route to a destination. A default route forwards information that has no route in the routing table.

Diagram 2, Image The diagram depicts hop count and distance between routes. Diagram 2 text
1. Dynamic routing protocols are classified as either distance vector or link state.
2. RIP is a distance vector routing protocol.
3. RIPv1 broadcasts the entire routing table to connected routers every 30 seconds.
4. RIP v2 multicasts its routing table.
5. RIP is very easy to configure and manage but does not scale well and is slow to converge.
6. Distance vector routing protocols are prone to the formation of routing loops.

Diagram 3, Image The diagram depicts a list of EIGRP features.

Diagram 3 text EIGRP is a Cisco proprietary distance vector routing protocol with many advanced features. It is fast to converge and uses a composite metric for more reliable routing information. EIGRP multicasts only partial, bounded updates, using less bandwidth. RIP v2 multicasts its routing table to 224.0.0.9 every 30 seconds. Routing loops are prevented by using the DUAL algorithm. EIGRP uses multiple packet types to maintain the neighbor, topology, and routing tables. EIGRP maintains information on both successors and feasible successors, allowing it to rapidly recover if a route goes down.

Diagram 4, Image The diagram depicts an EIGRP network.

Diagram 4 text EIGRP uses autonomous systems, which are process IDs. EIGRP supports both equal and unequal cost load balancing. EIGRP automatically summarizes routes; however, this feature can be turned off and summarization done manually instead, for better control of routing. EIGRP is easy to configure but difficult to maintain and optimize.

5.5.2 Critical Thinking Page 1:

5.5.2 - Critical Thinking The diagram depicts an activity in which you must answer questions regarding routing based on an EIGRP network topology diagram.
Network Topology: Five routers, R1, R2, R3, R4 and R5, are connected in an EIGRP routing environment. The following connections are present:
Router R1 is connected to stub network LAN2 with a metric of 1.
Router R1 is connected to Router R2 with a metric of 3.
Router R2 is connected to Router R3 with a metric of 2.
Router R2 is connected to Router R4 with a metric of 1.
Router R3 is connected to Router R4 with a metric of 1.
Router R3 is connected to Router R5 with a metric of 1.
Router R4 is connected to Router R5 with a metric of 3.
Router R4 is connected to stub network LAN1 with a metric of 1.
Questions:
Question 1. What is the advertised distance to LAN1 from R2 via R4? A. 1 B. 2 C. 3 D. 4
Question 2. What is the feasible distance to LAN2 from R3 via R2? A. 2 B. 3 C. 4 D. 5 E. 6
Question 3. What is the feasible distance to LAN2 from R5 via R4? A. 3 B. 4 C. 5 D. 6 E. 7 F. 8
Question 4. What is the advertised distance to LAN1 from R5 via R4? A. 1 B. 2 C. 3 D. 4
Question 5. What is the best route to take to reach LAN2 from R5? A. R4 - R2 - R1 B. R3 - R2 - R1 C. R4 - R3 - R2 - R1 D. R3 - R4 - R2 - R1
Question 6. Which statement is true about the path to LAN2 from R5 via R4 - R2 - R1? A. This route is the successor. B. This route is used as the feasible successor. C. This route is placed in the routing table. D. This route is placed in the neighbor table.
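The quantities this activity asks for (advertised distance, feasible distance, successor, feasible successor) all come from the same rule: a neighbor's advertised distance (AD) is that neighbor's own best metric to the destination, the feasible distance via a neighbor is AD plus the cost of the link to it, and a neighbor is a feasible successor only if its AD is lower than the router's current feasible distance. Here is an added Python example (not course code) that applies that rule over the topology listed above and builds a per-router topology table the way show ip eigrp topology would present it. It uses the page's link metrics as the composite metric and assumes symmetric links and that stub LANs advertise nothing; both are assumptions of the example.

```python
import heapq
from collections import defaultdict

# Constructed from the Critical Thinking topology: (end A, end B, metric).
LINKS = [
    ("R1", "LAN2", 1), ("R1", "R2", 3), ("R2", "R3", 2), ("R2", "R4", 1),
    ("R3", "R4", 1), ("R3", "R5", 1), ("R4", "R5", 3), ("R4", "LAN1", 1),
]


def build_graph(links):
    """Symmetric adjacency map: graph[a][b] = metric of the a-b link."""
    graph = defaultdict(dict)
    for a, b, metric in links:
        graph[a][b] = metric
        graph[b][a] = metric
    return graph


def best_distances(graph, dest):
    """Dijkstra from the destination. Because links are symmetric, the result is
    every node's lowest total metric to dest, i.e. each router's own feasible
    distance (the value it advertises to its neighbors)."""
    dist = {dest: 0}
    heap = [(0, dest)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue                       # stale heap entry
        for nbr, metric in graph[node].items():
            nd = d + metric
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def dual_table(links, router, dest):
    """Topology-table view for one router and one destination:
    {neighbor: {"ad": advertised distance, "fd": FD via that neighbor, "role": ...}}."""
    graph = build_graph(links)
    best = best_distances(graph, dest)
    entries = {}
    for nbr, metric in graph[router].items():
        if nbr.startswith("LAN") and nbr != dest:
            continue                       # a stub LAN is not a router; it advertises nothing
        ad = best[nbr]                     # what the neighbor reports as its own distance
        entries[nbr] = {"ad": ad, "fd": ad + metric}
    my_fd = min(e["fd"] for e in entries.values())
    for e in entries.values():
        if e["fd"] == my_fd:
            e["role"] = "successor"
        elif e["ad"] < my_fd:
            e["role"] = "feasible successor"   # feasibility condition: AD < FD
        else:
            e["role"] = "not feasible"         # rejected: could lie on a loop
    return entries


def advertised_distance(links, router, via, dest):
    return dual_table(links, router, dest)[via]["ad"]


def feasible_distance(links, router, via, dest):
    return dual_table(links, router, dest)[via]["fd"]


if __name__ == "__main__":
    for router, dest in (("R5", "LAN2"), ("R3", "LAN2"), ("R2", "LAN1")):
        print(f"{router} -> {dest}")
        for nbr, e in sorted(dual_table(LINKS, router, dest).items()):
            print(f"  via {nbr}: AD={e['ad']} FD={e['fd']}  {e['role']}")
```

Run it and compare its rows against your own answers; the "not feasible" rows are the ones DUAL refuses to use as backups even though they would physically reach the destination, which is exactly how EIGRP keeps a backup path from becoming a loop.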

5.6 Chapter Quiz


5.6.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

5.6.1 - Quiz Chapter 5 Quiz: Routing with a Distance Vector Protocol

1. How do RIP v1 and RIP v2 differ?
A. Only RIP v1 provides authentication in its updates.
B. Only RIP v1 uses split horizon to prevent routing loops.
C. Only RIP v2 uses 16 hops as the metric value for infinite distance.
D. Only RIP v2 sends subnet mask information with its routing updates.

2. RouterA and RouterB are exchanging RIP v2 updates. RouterB has not received an update from RouterA in the prescribed time. Assuming default timer settings, how many seconds will RouterB wait before it marks the routes served by RouterA as invalid?
A. 90 seconds
B. 120 seconds
C. 150 seconds
D. 180 seconds
E. 240 seconds

3. What are three advantages of using EIGRP instead of RIP v1? (Choose three.)
A. EIGRP supports VLSM and CIDR.
B. EIGRP requires less memory and CPU time.
C. EIGRP supports a higher hop count.
D. EIGRP has no hop count limit because it is based on path cost.
E. EIGRP is a link-state protocol which has faster convergence than distance-vector protocols.
F. EIGRP uses RTP, a protocol-independent transport layer, to guarantee delivery of routing information.

4. According to the router output from the show ip route command, which of the following statements are true? (Choose two.)
labb#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
Gateway of last resort is not set
R    192.168.8.0/24 [120/2] via 192.168.5.2, 00:00:24, Serial0
R    192.168.2.0/24 [120/1] via 192.168.3.1, 00:00:03, Serial1
C    192.168.4.0/24 is directly connected, Ethernet0
C    192.168.5.0/24 is directly connected, Serial0
R    192.168.7.0/24 [120/1] via 192.168.5.2, 00:00:24, Serial0
R    192.168.1.0/24 [120/1] via 192.168.3.1, 00:00:03, Serial1
R    192.168.6.0/24 [120/1] via 192.168.5.2, 00:00:24, Serial0
C    192.168.3.0/24 is directly connected, Serial1
A. The metric to network 192.168.8.0 is 24.
B. The hop count to a device on network 192.168.8.0 is 2.
C. The total path cost to network 192.168.4.0 is the default value of 16.
D. The logical address of the next router for network 192.168.1.0 is 192.168.3.1.
E. The devices on network 192.168.5.0 cannot be reached as indicated by the 'C' label.

5. If EIGRP routing is employed and the successor route to a destination becomes unreachable or unreliable, which of the following would be used as a replacement?
A. the route flagged as active in the topology table
B. the feasible successor route in the topology table
C. the default gateway in the neighbor table
D. the primary designated route in the topology table
E. the backup designated router in the routing table

6. If an EIGRP route goes down and a feasible successor is not found in the topology table, how does DUAL flag the route that has failed?
A. recomputed
B. passive
C. active
D. down
E. unreachable
F. successor

7. Which of the following tables does DUAL use to calculate the lowest cost routes to each destination?
A. routing table and topology table
B. neighbor table and routing table
C. neighbor table and topology table
D. neighbor table and adjacency table

8. What is the advantage of routers forming adjacencies when using EIGRP? (Choose three.)
A. Neighbor routers can quickly take over for a router that is in passive mode.
B. New routers and their routes can quickly be discovered by neighbor routers.
C. A router can share routing loads with neighbor routers.
D. A router can quickly discover when a neighbor router is no longer available.
E. Changes in network topology can quickly be shared with neighbor routers.
F. Neighbor routers can save overhead by sharing the DUAL database.

9. You have configured EIGRP route summarization on a serial interface to summarize routes learned from an Ethernet interface. What route will show in the routing table?
A. A summary route pointing to a Serial0 interface.
B. A summary route pointing to the Loopback0 interface.
C. A summary route pointing to an Ethernet interface.
D. A summary route pointing to the Null0 interface.

10. What are two attributes of EIGRP? (Choose two.)
A. It uses link-state advertisements.
B. It is a distance-vector routing protocol.
C. It supports CIDR.
D. It is a link-state routing protocol.
E. It is a classful routing protocol.

11. What are two advantages of static routing over dynamic routing? (Choose two.)
A. The static route configuration is less prone to errors.
B. Static routing is more secure because routers do not advertise routes.
C. Static routing keeps the network scalable.
D. CPU utilization is lower with static routes.
E. Administration of the configuration is easier.

12. Examine the following router configuration:
interface Serial0/0
 ip address 10.10.1.2 255.255.255.0
interface Serial0/1
 ip address 10.11.1.2 255.255.255.0
router eigrp 75
 network 10.0.0.0
 no auto-summary
Which command set would summarize the 10.10.0.0/16 network when it is sent out interface S0/1?
A. router eigrp 75
   ip summary-address S0/1 10.10.0.0 255.255.0.0
B. router eigrp 75
   ip summary-address 10.10.0.0 255.255.0.0 S0/1
C. interface S0/1
   ip summary-address eigrp 10.10.0.0 255.255.0.0
D. interface S0/1
   ip summary-address eigrp 75 10.10.0.0 255.255.0.0


All contents copyright 2007-2008 Cisco Systems, Inc. Translated by the Cisco Networking Academy.



6 Routing with a Link-State Protocol
6.0 Chapter Introduction
6.0.1 Introduction Page 1:

6.0.1 - Introduction Enterprise networks need a reliable and scalable routing protocol to maintain communications and select the best path. Link-state routing protocols such as OSPF are ideally suited to the needs of enterprise networks. Network technicians configure and verify OSPF to support basic routing functionality and authentication. Network engineers configure a hierarchical design for OSPF to access the Internet and for improved routing efficiency. After completion of this chapter, you should be able to:
Describe and plan a network using OSPF
Design and configure a network using single-area OSPF
Work with multi-protocol environments

6.1 Routing Using the OSPF Protocol


6.1.1 Link-State Protocol Operation Page 1: Enterprise networks and ISPs use link-state protocols because of their hierarchical design and ability to scale for large networks. Distance vector routing protocols are usually not the right choice for a complex enterprise network.

Open Shortest Path First (OSPF) is an example of a link-state routing protocol. OSPF is an open standard routing protocol, developed by the Internet Engineering Task Force (IETF) to support IP traffic.

OSPF is a classless interior gateway protocol (IGP). It divides the network into different sections, which are referred to as areas. This division allows for greater scalability. Working with multiple areas allows the network administrator to selectively enable route summarization and to isolate routing issues within a single area.

Link-state routing protocols, such as OSPF, do not send frequent periodic updates of the entire routing table. Instead, after the network converges, a link-state protocol sends an update only when a change in the topology occurs, such as a link going down. In addition, OSPF performs a full update every 30 minutes.

6.1.1 - Link-state Protocol Operation This animation depicts two scenarios of routers converging, one for each type of routing protocol operation: distance vector and link-state. The physical topology includes four routers. R2 sits at the center of the network. R1, R3, and R4 are directly connected to R2 via serial links.
Distance Vector: R1 decides to send a message regarding the routes in its routing table. The message passes to all R1 routes. Distance vector protocols periodically pass the entire routing table. R2 receives the routing table information of R1 and sends a copy of an amended version of its own routing table to R1, R3, and R4. R3 forwards its routing table to all R3 routes and back to R2.
Link-State: R1 is notified that the link to 172.16.3.0 /24 is down. The link-state protocol passes updates when a link changes state. The link update message of R1 is passed on to R2. R2 then makes amendments to its own routing table and forwards a copy of its routing table to R3 and R4. R3 forwards its routing table to all connected routes.

Page 2: Link-state routing protocols like OSPF work well for larger hierarchical networks where fast convergence is important.

Compared with distance vector protocols, link-state routing protocols:

Require more complex network planning and configuration
Require increased router resources
Require more memory for storing multiple tables
Require more CPU and processing power for the complex routing calculations

With the high performance of routers available today, however, these requirements are usually not a problem.

Routers running RIP receive updates from their immediate neighbors, but with no details about the network as a whole. Routers running OSPF generate a complete map of the network from their own viewpoint. This map allows them to quickly determine loop-free alternate paths in the case of a network link failure.

OSPF does not automatically summarize at major network boundaries. Additionally, Cisco's implementation of OSPF uses bandwidth to determine the cost of a link. This cost metric is used by OSPF to determine the best path. A link with higher bandwidth results in a lower cost. The lowest cost route to a destination is the most desirable path.

The router trusts a metric based on bandwidth more than one based on hop count to establish the shortest path. The administrative distance of OSPF is 110, lower than RIP, because of the trustworthiness, or accuracy, of the metric.

6.1.1 - Link-state Protocol Operation The animation depicts three routers connected in a triangular design with serial links between R1, R2, and R3. R1 has a directly connected network with the address 172.16.1.0 /24 represented by H1. R2 has a directly connected network with the address 172.16.1.0 /24, represented by H2. R1 and R2 are connected via a 56 kbps link. R2 and R3 are connected via a T1, 1.544 Mbps, link. The link between R1 and R3 is a T1, 1.544 Mbps, link. H1 sends a RIP packet out to R1. R1 then forwards the update to R2. The RIP update traverses the network until it reaches H2 connected to R2. RIP chooses the shortest path from H1 to H2 based on hop count. Next, H1 sends an OSPF packet out to R1. Instead of going to R2 this time, the packet goes to R3. Since the packet is using OSPF, the packet goes out of R1, to R3, then R2, and to the destination host of H2. It chooses this path to H2 because OSPF chooses the shortest path based on bandwidth. When comparing the OSPF and RIP packets, the animation shows the OSPF packet reaching the destination first, as it uses the fastest links to the intended host.

Page 3:

6.1.1 - Link-state Protocol Operation The diagram depicts an activity in which you must indicate whether the characteristic describes RIP or OSPF.
1. Periodically sends the entire routing table to all directly connected neighbors.
2. Works well for larger hierarchical networks.
3. Appropriate for smaller, simpler networks.
4. Provides fast convergence.
5. Generates a map of the network from the viewpoint of the router.
6. Hop count metric is used to determine the best path.
7. Fairly simple to configure.
8. Requires more router system resources.
9. Link cost metric is used to determine the best path.

6.1.2 OSPF Metrics and Convergence Page 1: OSPF bases the cost metric for an individual link on its bandwidth or speed. The metric for a particular destination network is the sum of all link costs in the path. If there are multiple paths to the network, the path with the lowest overall cost is the preferred path and is placed in the routing table.

The equation used to calculate the cost of an OSPF link is:

Cost = 100,000,000 / bandwidth of link in bps

The configured bandwidth on an interface provides the bandwidth value for the equation. Determine the bandwidth of an interface using the show interfaces command.

Using this equation presents a problem with link speeds of 100 Mbps or greater, such as Fast Ethernet and Gigabit Ethernet. Regardless of the difference in speed between these two links, both calculate to a cost of 1 and are therefore treated equally, even though they are very different. To compensate for this, configure the interface cost value manually with the ip ospf cost command.

6.1.2 - OSPF Metrics and Convergence The diagram depicts a table of interface types and the cost that OSPF associates with each when calculating the cost of a link. The table has the headers Interface Type and 10^8 / bps = Cost.
Interface Type           | 10^8 / bps = Cost
Fast Ethernet and faster | 10^8 / 100,000,000 bps = 1
Ethernet                 | 10^8 / 10,000,000 bps = 10
E1                       | 10^8 / 2,048,000 bps = 48
T1                       | 10^8 / 1,544,000 bps = 64
128 Kbps                 | 10^8 / 128,000 bps = 781
64 Kbps                  | 10^8 / 64,000 bps = 1562
56 Kbps                  | 10^8 / 56,000 bps = 1785

Page 2:

OSPF routers within a single area advertise information about the status of their links to their neighbors. Messages called Link State Advertisements (LSAs) are used to advertise this status information.

Once an OSPF router receives LSAs describing all of the links within an area, it uses the SPF algorithm, also called Dijkstra's Algorithm, to generate a topological tree, or map of the network. Each router running the algorithm identifies itself as the root of its own SPF tree. Starting from the root, the SPF tree identifies the shortest path to each destination and the total cost of each path.

The OSPF link-state or topology database stores the SPF tree information. The router installs the shortest path to each network in the routing table.

Convergence occurs when all routers:

Receive information about every destination on the network
Process this information with the SPF algorithm
Update their routing tables

6.1.2 - OSPF Metrics and Convergence The diagram depicts R1 directly connected to three routers, R2, R3, and R4. All three routers have networks connected to them, labeled network A, B, and C respectively. The link cost between R1 and R2 is 20. The link cost between R1 and R3 is 5. The link cost between R1 and R4 is 20. The link cost between R3 and R4 is 10.
The SPF tree and path for each network from R1:
Destination Network A: Path from R1 to R2 has a cost of 20 (Least Cost Path).
Destination Network B: Path from R1 to R3 has a cost of 5 (Least Cost Path). Path from R1 to R4 to R3 has a cost of 25.
Destination Network C: Path from R1 to R3 to R4 has a cost of 15 (Least Cost Path). Path from R1 to R4 has a cost of 20.
The SPF tree and path for each network from R2:
Destination Network A: It is directly connected, therefore it has a cost of 0 (Least Cost Path).
Destination Network B: Path from R2 to R1 to R3 has a cost of 25 (Least Cost Path). Path from R2 to R1 to R4 to R3 has a cost of 50.
Destination Network C: Path from R2 to R1 to R3 to R4 has a cost of 35 (Least Cost Path). Path from R2 to R1 to R4 has a cost of 20.
The SPF tree and path for each network from R3:
Destination Network A: Path from R3 to R1 to R2 has a cost of 25 (Least Cost Path). Path from R3 to R4 to R1 to R2 has a cost of 50.
Destination Network B: It is directly connected, therefore it has a cost of 0 (Least Cost Path).
Destination Network C: Path from R3 to R4 has a cost of 10 (Least Cost Path). Path from R3 to R1 to R4 has a cost of 25.
The SPF tree and path for each network from R4:
Destination Network A: Path from R4 to R3 to R1 to R2 has a cost of 35 (Least Cost Path). Path from R4 to R1 to R2 has a cost of 40.
Destination Network B: Path from R4 to R3 has a cost of 10 (Least Cost Path). Path from R4 to R1 to R3 has a cost of 25.
Destination Network C: It is directly connected, therefore it has a cost of 0 (Least Cost Path).

Page 3:

6.1.2 - OSPF Metrics and Convergence The diagram depicts an activity in which you must identify the path that packets take from H1, on the LAN directly connected to R1, to H2, on the LAN directly connected to R5, across an OSPF network using the link costs given. Arrange four routers in order along the least-cost path (first router, second router, third router, fourth router). The scenario is as follows: Five routers are arranged in a pentagon. R1 is directly connected to all other routers (R2, R3, R4, and R5) and to a LAN with host H1. R1 to R2: Ethernet link. R1 to R3: Ethernet link. R1 to R4: E1 link. R1 to R5: T1 link. R2 is directly connected to R1 (Ethernet) and R5 (T1). R3 is directly connected to R1 (Ethernet) and R4 (FastEthernet). R4 is directly connected to R3 (FastEthernet), R1 (E1), and R5 (E1). R5 is directly connected to R4 (E1), R1 (T1), and R2 (T1), and to a LAN with host H2. The activity includes a table listing each interface link type and its OSPF cost:

Link Type - OSPF Cost
Fast Ethernet - 1
Ethernet - 10
E1 - 48
T1 - 64
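The activity above is the SPF algorithm run by hand. The following is an added worked example (not part of the course material) that does the same thing in Python: it derives each link's cost from its nominal bandwidth with the OSPF formula (reference bandwidth of 100 Mbps divided by the interface bandwidth, truncated to an integer and never below 1), which reproduces the cost table exactly, and then runs Dijkstra's algorithm from R1 to find the least-cost path to R5. The interface bandwidths for Ethernet, Fast Ethernet, E1 and T1 are the usual nominal values and are assumptions of the example.

```python
"""OSPF link cost and shortest-path (SPF) computation for the five-router activity.

Added worked example; the topology and link types come from the activity,
the code is not part of the course. Costs use the OSPF formula
cost = reference_bandwidth / interface_bandwidth, truncated to an integer
and floored at 1, which is how the cost table (FastEthernet 1, Ethernet 10,
E1 48, T1 64) is obtained.
"""
import heapq

REF_BW_BPS = 100_000_000  # OSPF default reference bandwidth: 100 Mbps

# Nominal interface bandwidths in bits per second (assumed values).
LINK_BW_BPS = {
    "FastEthernet": 100_000_000,
    "Ethernet": 10_000_000,
    "E1": 2_048_000,
    "T1": 1_544_000,
}

# Links from the activity: (router, router, link type). Same cost both ways.
LINKS = [
    ("R1", "R2", "Ethernet"),
    ("R1", "R3", "Ethernet"),
    ("R1", "R4", "E1"),
    ("R1", "R5", "T1"),
    ("R2", "R5", "T1"),
    ("R3", "R4", "FastEthernet"),
    ("R4", "R5", "E1"),
]


def ospf_cost(bandwidth_bps, ref_bw_bps=REF_BW_BPS):
    """Integer OSPF interface cost: the division is truncated and never below 1."""
    return max(1, ref_bw_bps // bandwidth_bps)


def build_graph(links, ref_bw_bps=REF_BW_BPS):
    """Adjacency map {router: {neighbor: cost}} from the link list."""
    graph = {}
    for a, b, link_type in links:
        cost = ospf_cost(LINK_BW_BPS[link_type], ref_bw_bps)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, root):
    """Dijkstra's algorithm, as OSPF's SPF calculation: returns (cost, predecessor) per router."""
    dist = {root: 0}
    prev = {}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heapq.heappush(heap, (nd, nbr))
    return dist, prev


def least_cost_path(graph, src, dst):
    """Walk the predecessor chain back from dst to src; returns (path, total cost)."""
    dist, prev = spf(graph, src)
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return list(reversed(path)), dist[dst]


if __name__ == "__main__":
    graph = build_graph(LINKS)
    path, cost = least_cost_path(graph, "R1", "R5")
    print(" -> ".join(path), "cost", cost)
```

Running it shows that the direct T1 between R1 and R5 (cost 64) loses to R1, R3, R4, R5 (10 + 1 + 48 = 59): OSPF prefers three faster hops over one slow one. The same function also reproduces the 64 kbps serial cost of 1562 used later in the chapter, and passing a 10,000 Mbps reference bandwidth shows how the costs of 100 Mbps, 1 Gbps and 10 Gbps links separate instead of all collapsing to 1.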

6.1.3 OSPF Neighbors and Adjacencies Page 1: With OSPF, link-state updates are sent when the network changes. But how does a router know when a neighboring router fails? OSPF routers establish and maintain neighbor relationships, called adjacencies, with directly connected OSPF routers. An adjacency is a closer form of neighbor relationship between routers that have agreed to exchange routing information. When routers initiate an adjacency, an exchange of link-state information begins. Routers reach the FULL state of adjacency when their link-state databases are synchronized.

The router goes through several states before becoming fully adjacent with its neighbor:

Init
2-Way
Exstart
Exchange
Loading
Full

The OSPF Hello protocol is used to establish and maintain adjacencies. Small hello packets are sent to directly connected OSPF routers on the multicast address 224.0.0.5, every 10 seconds on Ethernet (broadcast) and point-to-point links and every 30 seconds on non-broadcast links. Router settings are included in the hello packets: the hello interval, dead interval, area ID, and network type, as well as the authentication type and authentication data if configured. For two routers to form an adjacency, these settings must match (on multi-access links, the subnet mask must match as well). Because hellos are sent to a well-known multicast address and are unauthenticated by default, any device on the segment that answers with matching settings can become a neighbor; this is the reason for the authentication configured in section 6.2.2. The router records the neighbors it discovers in its OSPF adjacency database.

6.1.3 - OSPF Neighbors and Adjacencies The diagram depicts a table with the column headings State and Definition, explaining the states a router goes through before becoming fully adjacent:

Init - The router has received an initial hello packet from its neighbor. When a router receives a hello packet from a neighbor, it lists the sending router ID in its own hello packet as an acknowledgment.

2-Way - Bidirectional communication is established: each router has seen the other's hello packet. This state is reached when the router receiving a hello packet sees its own router ID in the neighbor field of that packet. At this state, a router decides whether to become fully adjacent with this neighbor.

Exstart - The routers establish a master/slave relationship and choose the initial sequence number for adjacency formation. Between two routers, the router with the higher router ID becomes the master and starts the exchange.

Exchange - The routers exchange database description (DBD) packets, which contain link-state advertisement (LSA) headers only. The DBDs describe the contents of the entire link-state database. Each DBD packet has a sequence number that can be incremented only by the master.

Loading - Based on the information in the DBDs, routers send link-state request packets for more specific information. The neighbor provides the requested link-state information in link-state update packets.

Full - All the router and network LSAs are exchanged and the router databases are fully synchronized.

Page 2: Full is the normal state for an OSPF router. A router stuck in any other state indicates a problem such as mismatched settings. The one exception is the 2-Way state: on a broadcast segment, a router reaches the Full state only with the designated router (DR) and the backup designated router (BDR); all other neighbors remain in the 2-Way state, and that is normal.

The purpose of the DR and BDR is to reduce the number of updates sent, the resulting traffic, and the processing overhead on all routers. Instead of every router forming a full adjacency with every other router on the segment, each router forms a full adjacency only with the DR and BDR and accepts flooded updates from the DR. On a broadcast segment there is one DR and one BDR. When a link fails, the router with information about the link sends the update to the DR and BDR using the multicast address 224.0.0.6. The DR then distributes the change to all other OSPF routers on the segment using multicast 224.0.0.5. Besides reducing the number of updates crossing the network, this ensures that all routers receive the same information from a single source.

The BDR ensures that there is no single point of failure. Like the DR, the BDR listens to 224.0.0.6 and receives all updates that are sent to the DR. If the DR fails, the BDR immediately takes over as DR, and a new BDR is elected. Any router not elected as the DR or BDR is known as a DROther.

6.1.3 - OSPF Neighbors and Adjacencies This animation depicts the role of the designated router. A switch at the center of a star topology has five routers directly connected, labeled R1 through R5. R2 and R3 are also labeled DR and BDR, respectively. R1 forms an adjacency with the DR and BDR only. R1 sends its route information to the DR and BDR in an LSA. The DR (R2) and BDR (R3) receive the LSA from R1. The DR then forwards LSAs containing the route information from R1 to all other routers: the DR (R2) sends LSAs to R3 (BDR), R4, R5, and R1.

Page 3: Within a local network, when all routers have the same priority, the router with the highest router ID is elected the DR and the router with the second highest router ID is elected the BDR.

The router ID is an IP address that is determined by:

1. The value configured with the router-id command

2. If no value is set with the router-id command, the highest configured IP address on any loopback interface

3. If no loopback interface is configured, the highest IP address on any active physical interface

The router ID can be viewed with the show ip protocols, show ip ospf, or show ip ospf interface commands.

In some cases, an administrator may want specific routers to be the DR and BDR. These might be routers with more processing power or lighter traffic load. An administrator can force the DR and BDR election by configuring a priority using the interface configuration command:

ip ospf priority number

By default, OSPF routers have a priority value of 1. If the priority is changed on a router, the highest priority wins the election for DR regardless of router ID; the router ID only breaks ties. The highest value that can be set for router priority is 255. A value of 0 signifies that the router is ineligible to be DR or BDR. Note that the election is not preemptive: a router that joins a segment later with a higher priority or router ID does not displace the existing DR and BDR until the adjacencies on that segment are reset.

6.1.3 - OSPF Neighbors and Adjacencies The diagram depicts a switch at the center of a star topology with four routers, R1, R2, R3, and R4, directly connected. R1 says, "My priority is 0. I will not participate in the election. I am a DROther." R2 says, "My priority is the default value of 1. I am a DROther." R3 says, "My priority is 10. I am the DR." R4 says, "My priority is 5. I am the BDR."

Page 4: Not all link types require a DR and BDR. Link types identified by OSPF include:

Broadcast networks: Ethernet

Point-to-point networks: serial T1/E1 links (for example, PPP)

Non-Broadcast Multi-Access (NBMA) networks: Frame Relay, ATM

On broadcast multi-access networks, such as Ethernet, the number of neighbor relationships can become large, and therefore a DR election is required.

On point-to-point networks, the establishment of full adjacencies is not an issue because, by definition, there can only be two routers on the link. The DR election is not necessary and does not apply.

On NBMA networks, OSPF can run in two modes:

Simulated broadcast environment: The administrator defines the network type as broadcast, and the network simulates a broadcast model by electing a DR and a BDR. In this environment, it is generally recommended that the administrator choose the DR and BDR by configuring router priorities, so that the DR and BDR have full connectivity (a virtual circuit) to every other neighboring router. Neighboring routers are also statically defined using the neighbor command in OSPF configuration mode.

Point-to-multipoint environment: Each non-broadcast network is treated as a collection of point-to-point links, and no DR is elected. In the non-broadcast variant of this mode, neighboring routers must also be statically defined with the neighbor command.

6.1.3 - OSPF Neighbors and Adjacencies The diagram depicts three examples of network topology: Broadcast Multi-Access, Point-to-Point, and Non-Broadcast Multi-Access. Broadcast Multi-Access: a switch is at the center of four routers, which are directly connected to the switch. Point-to-Point: two routers, R1 and R2, are directly connected through a serial link from S0/0/0 on R1 to S0/0/0 on R2; both routers have networks connected to their Fa0/0 ports. Non-Broadcast Multi-Access: a Frame Relay cloud lies at the center of four routers, each directly connected to the cloud by a serial link.

Page 5:

6.1.3 - OSPF Neighbors and Adjacencies The diagram depicts an activity in which you must determine the router ID of each router and the designated router on each network. The topology is as follows: Router RTF is connected via a serial link to router RTB. Routers RTB, RTA, RTC, RTD, and RTE are connected by Ethernet segments. The IP addresses of the router interfaces are: Router RTA: S0 10.1.16.2/30, E0 10.1.10.4/24, E1 10.1.19.1/24, Lo0 192.168.10.5/32. Router RTB: S0 209.165.201.1/27, E0 10.1.10.3/24. Router RTC: E1 10.1.10.1/24. Router RTD: E0 10.1.13.1/24, Lo0 192.168.10.3/32. Router RTE: S0 10.1.16.1/30, E0 10.1.13.2/24, Lo0 192.168.10.1/32. Router RTF: S0 209.165.201.2/27.

Part 1: Use the information above to determine the IP address that will be used as the router ID of each router. Match the host name and the router ID. Host names: 1. RTA. 2. RTB. 3. RTC. 4. RTD. 5. RTE. 6. RTF. Part 2: For each network, select the router that will be elected as the designated router. Match the network ID to the host name. Network IDs: A. 10.1.10.0. B. 10.1.13.0. C. 10.1.16.0. D. 10.1.19.0. E. 209.165.201.0.
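The router ID rule and the DR/BDR election from pages 3 and 4 can be applied to this activity mechanically. The following is an added worked example, not part of the course material: it transcribes the activity's interface table, derives each router ID (router-id command, then highest loopback, then highest physical address), groups the interfaces into segments by network, and runs the election on each Ethernet segment with the rule the course gives (highest priority, then highest router ID, priority 0 ineligible). Serial links are point-to-point and elect no DR, so the function returns nothing for them. The priorities and router-id overrides are optional inputs so that the effect of ip ospf priority can be tried; real OSPF is non-preemptive, so on a live network a router that already holds the DR role keeps it until adjacencies are reset.

```python
"""Router ID selection and DR/BDR election for the activity above.

Added worked example; not part of the course material. Interface data is the
activity's table. The election implements the course's simplified rule and
is preemptive, which a live OSPF network is not.
"""
from ipaddress import IPv4Address, IPv4Interface

# (interface, address/prefix) per router. "S" interfaces are serial
# point-to-point links, "E" interfaces are Ethernet segments, "Lo" loopbacks.
ROUTERS = {
    "RTA": [("S0", "10.1.16.2/30"), ("E0", "10.1.10.4/24"),
            ("E1", "10.1.19.1/24"), ("Lo0", "192.168.10.5/32")],
    "RTB": [("S0", "209.165.201.1/27"), ("E0", "10.1.10.3/24")],
    "RTC": [("E1", "10.1.10.1/24")],
    "RTD": [("E0", "10.1.13.1/24"), ("Lo0", "192.168.10.3/32")],
    "RTE": [("S0", "10.1.16.1/30"), ("E0", "10.1.13.2/24"),
            ("Lo0", "192.168.10.1/32")],
    "RTF": [("S0", "209.165.201.2/27")],
}


def router_id(interfaces, configured=None):
    """router-id command first, then highest loopback, then highest physical address."""
    if configured:
        return IPv4Address(configured)
    loopbacks = [IPv4Interface(a).ip for n, a in interfaces if n.startswith("Lo")]
    physical = [IPv4Interface(a).ip for n, a in interfaces if not n.startswith("Lo")]
    for pool in (loopbacks, physical):
        if pool:
            return max(pool)  # IPv4Address compares numerically, not as text
    raise ValueError("no address available for the router ID")


def all_router_ids(routers=ROUTERS, configured=None):
    """{router: router ID}; 'configured' maps router -> value of a router-id command."""
    configured = configured or {}
    return {name: router_id(ifs, configured.get(name)) for name, ifs in routers.items()}


def elect_dr_bdr(candidates):
    """candidates: {name: (priority, router_id)} -> (dr, bdr).
    Highest priority wins, router ID breaks ties, priority 0 is ineligible."""
    eligible = [(prio, rid, name) for name, (prio, rid) in candidates.items() if prio > 0]
    ranked = [name for _, _, name in sorted(eligible, reverse=True)]
    return (ranked[0] if ranked else None, ranked[1] if len(ranked) > 1 else None)


def dr_per_segment(routers=ROUTERS, priorities=None, configured=None):
    """Group physical interfaces by network, then elect DR/BDR on each Ethernet segment.
    Segments with a serial interface are point-to-point and get (None, None)."""
    priorities = priorities or {}
    rids = all_router_ids(routers, configured)
    segments = {}
    for name, ifs in routers.items():
        for ifname, addr in ifs:
            if ifname.startswith("Lo"):
                continue
            net = str(IPv4Interface(addr).network)
            seg = segments.setdefault(net, {"p2p": False, "members": {}})
            seg["members"][name] = (priorities.get(name, 1), rids[name])
            if ifname.startswith("S"):
                seg["p2p"] = True
    return {net: (None, None) if seg["p2p"] else elect_dr_bdr(seg["members"])
            for net, seg in segments.items()}


if __name__ == "__main__":
    for name, rid in all_router_ids().items():
        print(f"{name}: router ID {rid}")
    for net, (dr, bdr) in dr_per_segment().items():
        print(f"{net}: DR={dr} BDR={bdr}")
```

Two points the output makes visible: RTB's router ID is 209.165.201.1 because it has no loopback and the comparison is numeric on the whole 32-bit address, and on 10.1.10.0/24 RTB therefore beats RTA even though RTA has a loopback configured. Giving RTC a priority of 10 makes it DR on that segment regardless of its much lower router ID.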

6.1.4 OSPF Areas Page 1: All OSPF networks begin with Area 0, also called the backbone area. As the network is expanded, other areas can be created adjacent to Area 0. The area ID is a 32-bit value, so these other areas can be assigned any number from 1 to 4,294,967,295, written either in decimal or in dotted-decimal notation.

OSPF has a two-layer hierarchical design. Area 0, also referred to as the backbone area, exists at the top and all other areas are located at the next level. All non-backbone areas must directly connect to area 0. This group of areas creates an OSPF Autonomous System (AS).

The operation of OSPF within an area differs from operation between that area and the backbone. Summarization of network information usually occurs between areas, which reduces the size of routing tables in the backbone. The area structure, together with summarization, also isolates changes and unstable (flapping) links to one area of the routing domain: when the topology changes, only the routers in the affected area receive the detailed LSA and run the SPF algorithm.

A router that connects an area to the backbone area is called an Area Border Router (ABR). A router that connects an area to a different routing protocol, such as EIGRP, or redistributes static routes into the OSPF area is called an Autonomous System Border Router (ASBR).

6.1.4 - OSPF Areas The diagram depicts four areas: Area 1, Area 0, Area 51, and the EIGRP domain. Area 1 has four routers and an Area Border Router (ABR). Area 0 has four routers inside the cloud and two ABRs, one on the boundary with Area 1 and one on the boundary with Area 51. One of the routers in Area 0 is the ASBR, which links to the EIGRP router in a separate cloud. Area 51 has four routers; a fifth router acting as the ABR sits on the boundary of Area 0 and Area 51.

Page 2:

6.1.4 - OSPF Areas The diagram depicts an activity in which you must match each term to the best description. Terms: A. Backbone area. B. Non-backbone area. C. Router between Area 0 and another OSPF area. D. Router between Area 0 and another AS. E. Using multiple OSPF areas. F. All OSPF areas that make up an enterprise network. G. Formula that helps determine the best path. Descriptions: 1. Hierarchical network. 2. Area 51. 3. ABR. 4. ASBR. 5. Area 0. 6. SPF algorithm. 7. AS.

6.2 Implementing Single-Area OSPF


6.2.1 Configuring Basic OSPF in a Single Area Page 1: Basic OSPF configuration is not complex; it requires only two steps. The first step enables the OSPF routing process. The second step identifies the networks, and therefore the interfaces, to include.

Step 1: Enable OSPF

router(config)#router ospf <process-id>

The process ID is chosen by the administrator and can be any number from 1 to 65535. The process ID is only locally significant and does not have to match the ID of other OSPF routers.

Step 2: Advertise networks

Router(config-router)#network <network-address> <wildcard-mask> area <area-id>

The network command has the same function as it does in other IGP routing protocols. It identifies the interfaces that are enabled to send and receive OSPF packets. This statement identifies the networks to include in OSPF routing updates.

The OSPF network command uses a combination of network address and wildcard mask. The network address, along with the wildcard mask, specifies the interface address, or range of addresses, that will be enabled for OSPF.

The area ID identifies the OSPF area to which the network belongs. Every OSPF network must have an Area 0, even when no other areas are defined. In a single-area OSPF environment, the area is always 0.

6.2.1 - Configuring Basic OSPF in a Single Area The diagram depicts three interconnected routers, R1, R2, and R3. R1 is connected to R2 via a serial link (R1: 192.168.10.1/30 on S0/0/0, R2: 192.168.10.2/30 on S0/0/0). R1 is connected to R3 via a serial link (R1: 192.168.10.5/30 on S0/0/1, R3: 192.168.10.6/30 on S0/0/0). R2 is connected to R3 via a serial link (R2: 192.168.10.9/30 on S0/0/1, R3: 192.168.10.10/30 on S0/0/1). R1 has the network 172.16.1.16/28 attached to Fa0/0 (IP 172.16.1.17). R2 has the network 10.10.10.0/24 attached to Fa0/0 (IP 10.10.10.1). R3 has the network 172.16.1.32/29 attached to Fa0/0 (IP 172.16.1.33). The configuration commands for R1, R2, and R3 are as follows:

R1(config)# router ospf 1
R1(config-router)# network 172.16.1.16 0.0.0.15 area 0
R1(config-router)# network 192.168.10.0 0.0.0.3 area 0
R1(config-router)# network 192.168.10.4 0.0.0.3 area 0

R2(config)# router ospf 1
R2(config-router)# network 10.10.10.0 0.0.0.255 area 0
R2(config-router)# network 192.168.10.0 0.0.0.3 area 0
R2(config-router)# network 192.168.10.8 0.0.0.3 area 0

R3(config)# router ospf 1
R3(config-router)# network 172.16.1.32 0.0.0.7 area 0
R3(config-router)# network 192.168.10.4 0.0.0.3 area 0
R3(config-router)# network 192.168.10.8 0.0.0.3 area 0

Page 2: The OSPF network statement requires a wildcard mask. The wildcard mask is the inverse of the subnet mask: a 0 bit means the corresponding address bit must match, and a 1 bit means "don't care". The same notation is used whether the statement covers a single subnet or a summarized (supernet) range.

To determine the wildcard mask for a network or subnet, subtract the decimal subnet mask of the interface from the all-255s mask (255.255.255.255).

As an example, an administrator wants to advertise the 10.10.10.0/24 subnet in OSPF. The subnet mask for this Ethernet interface is /24, or 255.255.255.0. Subtract the subnet mask from the all-255s mask to get the wildcard mask.

All 255s mask: 255.255.255.255

Subnet mask: -255.255.255.0

-----------------------

Wildcard mask: 0.0.0.255

The resulting OSPF network statement is:

Router(config-router)#network 10.10.10.0 0.0.0.255 area 0

6.2.1 - Configuring Basic OSPF in a Single Area Example 1: Network 172.16.4.0/24. All 255s mask 255.255.255.255, subnet mask 255.255.255.0, wildcard mask 0.0.0.255. Network command: R2(config-router)# network 172.16.4.0 0.0.0.255 area 0. Example 2: Network 172.16.1.16/28. All 255s mask 255.255.255.255, subnet mask 255.255.255.240, wildcard mask 0.0.0.15. Network command: R1(config-router)# network 172.16.1.16 0.0.0.15 area 0. Example 3: Network 192.168.10.4/30. All 255s mask 255.255.255.255, subnet mask 255.255.255.252, wildcard mask 0.0.0.3. Network command: R3(config-router)# network 192.168.10.4 0.0.0.3 area 0. More information: Instead of specifying a range of addresses that coincides with the subnet, you may specify the interface (host) IP address with a 0.0.0.0 wildcard mask in the network statement. This limits OSPF to that specific interface and address, since all 32 bits of the address must match. Example: Router(config-router)# network 10.10.10.1 0.0.0.0 area 0

Page 3:

6.2.1 - Configuring Basic OSPF in a Single Area The diagram depicts an activity in which you must determine the required subnet mask and wildcard mask for each of the specified networks: A. 10.0.0.0/8. B. 192.168.100.0/24. C. 192.168.226.96/27. D. 172.24.4.0/23. E. 192.168.200.128/20. F. 10.100.200.53/30. G. 172.17.2.128/25. H. 172.30.0.0/16. I. 10.1.1.16/28. J. 10.0.0.0/8. K. 172.24.4.0/23. L. 192.168.100.0/24. M. 192.168.14.64/26.
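The wildcard computation on page 2 and the activity above can be checked with a short script. This is an added worked example, not part of the course material: it computes the wildcard mask from a prefix length exactly as the text does (all-255s mask minus the subnet mask), builds the corresponding network statement, and, more usefully, applies the matching rule OSPF itself uses (the interface address must equal the network address in every bit where the wildcard is 0) to show which interfaces a given statement would enable. The R1 interface list is constructed from the three-router figure in this section. The practical reason to check this is that a wildcard that is broader than intended enables OSPF, and hello packets, on interfaces that face segments where no neighbor should ever appear.

```python
"""Wildcard masks for OSPF network statements, and which interfaces a statement enables.

Added worked example, not part of the course material. The matching rule is
the one OSPF applies: an interface is enabled when its address equals the
network address in every bit position where the wildcard mask is 0.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

ALL_ONES = 0xFFFFFFFF


def subnet_mask(prefix_len):
    """Dotted mask for a /prefix as a 32-bit integer."""
    return (ALL_ONES << (32 - prefix_len)) & ALL_ONES


def wildcard_mask(prefix_len):
    """255.255.255.255 minus the subnet mask, as the text computes it."""
    return str(IPv4Address(ALL_ONES - subnet_mask(prefix_len)))


def network_statement(cidr, area=0):
    """Network statement for a prefix. A host address such as 172.16.1.17/28
    is reduced to its network first (strict=False)."""
    net = IPv4Network(cidr, strict=False)
    return f"network {net.network_address} {wildcard_mask(net.prefixlen)} area {area}"


def statement_matches(address, network, wildcard):
    """True when 'address' falls inside 'network <network> <wildcard>'."""
    care = ALL_ONES ^ int(IPv4Address(wildcard))  # bits that must be equal
    return (int(IPv4Address(address)) & care) == (int(IPv4Address(network)) & care)


def interfaces_enabled(interfaces, network, wildcard):
    """Names of the interfaces a network statement would enable for OSPF."""
    return [name for name, addr in interfaces
            if statement_matches(str(IPv4Interface(addr).ip), network, wildcard)]


# Constructed from R1 in the figure: the LAN on Fa0/0 and two serial links.
R1_INTERFACES = [
    ("Fa0/0", "172.16.1.17/28"),
    ("S0/0/0", "192.168.10.1/30"),
    ("S0/0/1", "192.168.10.5/30"),
]


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "192.168.226.96/27", "172.24.4.0/23", "10.1.1.16/28"):
        print(cidr, "->", network_statement(cidr))
    print("0.0.0.0 255.255.255.255 enables:",
          interfaces_enabled(R1_INTERFACES, "0.0.0.0", "255.255.255.255"))
```

Two things worth seeing in the output: the statement network 192.168.10.0 0.0.0.255 area 0 enables both of R1's serial interfaces, not just the one on 192.168.10.0/30, and network 0.0.0.0 255.255.255.255 area 0 enables every interface on the router. Item E of the activity, 192.168.200.128/20, is not on a /20 boundary; the function normalizes it to 192.168.192.0 with wildcard 0.0.15.255, which is what the router would do as well.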

Page 4:

Lab Activity Configure basic single area point-to-point OSPF and verify connectivity.

Click the lab icon to begin.

6.2.1 - Configuring Basic OSPF in a Single Area Link to Hands-on Lab: Configuring and Verifying Single Area OSPF Configure basic single area point-to-point OSPF and verify connectivity.

6.2.2 Configuring OSPF Authentication Page 1: Like other routing protocols, OSPF by default exchanges information between neighbors in plain text and without any authentication. This exposes the network: an attacker on a segment can use packet-sniffing software to capture and read OSPF updates and learn the network topology, and, because neighbors are accepted on the basis of matching hello settings alone, can also bring up an adjacency and inject forged routing information.

To eliminate this potential security problem, configure OSPF authentication between routers. When authentication is enabled in an area, routers will only share information if the authentication information matches.

With simple password authentication, configure each router with a password, called a key. This method provides only a basic level of security because the key passes between routers in plain text form. It is just as easy to view the key as it is the plain text.

A more secure method is Message Digest 5 (MD5) authentication. It requires a key and a key ID on each router. The router runs the MD5 hash over the OSPF packet together with the key and appends the resulting 16-byte digest to the packet, along with the key ID and a sequence number. Because only the digest is transmitted, a packet sniffer cannot obtain the key, and a packet altered in transit no longer matches its digest. The sequence number lets the receiver reject replayed packets. Note that this is authentication, not encryption: the contents of the OSPF packets can still be read on the wire. MD5 is also no longer considered a strong hash; RFC 5709 defines HMAC-SHA authentication for OSPFv2, which should be preferred on platforms that support it.

6.2.2 - Configuring OSPF Authentication The diagram depicts three routers, R1, R2, and R3, interconnected via serial links: R1 to R2, R1 to R3, and R2 to R3. All OSPF packets from all three routers carry an MD5 digest. The MD5 authentication configuration for R1, R2, and R3 is as follows:

R1(config)# router ospf 18
R1(config-router)# network 10.0.0.0 0.0.0.255 area 0
R1(config-router)# area 0 authentication message-digest
R1(config)# interface serial0/0/0
R1(config-if)# ip address 10.0.0.1 255.255.255.0
R1(config-if)# ip ospf message-digest-key 10 md5 areapassword

R2(config)# router ospf 10
R2(config-router)# network 10.0.1.0 0.0.0.255 area 0
R2(config-router)# network 10.0.0.0 0.0.0.255 area 0
R2(config-router)# area 0 authentication message-digest
R2(config)# interface serial0/0/0
R2(config-if)# ip address 10.0.0.2 255.255.255.0
R2(config-if)# ip ospf message-digest-key 10 md5 areapassword
R2(config)# interface serial0/0/1
R2(config-if)# ip address 10.0.1.2 255.255.255.0
R2(config-if)# ip ospf message-digest-key 10 md5 areapassword

R3(config)# router ospf 10
R3(config-router)# network 10.0.1.0 0.0.0.255 area 0
R3(config-router)# area 0 authentication message-digest
R3(config)# interface serial0/0/0
R3(config-if)# ip address 10.0.1.1 255.255.255.0
R3(config-if)# ip ospf message-digest-key 10 md5 areapassword
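What the message-digest-key configuration above makes the router do on every packet is specified in RFC 2328, Appendix D. The following is an added worked example, not course material or Cisco code, that carries the procedure out on a constructed OSPF Hello packet: the key string is zero-padded to 16 bytes (as IOS does for keys shorter than 16 bytes), appended to the packet, MD5 is computed over the result, and the digest is appended to the packet on the wire. The receiver strips the digest, recomputes it with its own copy of the key, and then enforces the cryptographic sequence number, which is what stops an attacker from replaying a captured packet. The key ID 10 and the key areapassword are taken from the configuration above; the router ID 10.1.1.1, area 0 and the sequence numbers are constructed values.

```python
"""OSPFv2 cryptographic (MD5) authentication as in RFC 2328, Appendix D.

Added worked example, not course material. Builds a Hello packet, appends
the MD5 digest (MD5 over packet || key padded to 16 bytes), verifies it, and
rejects tampering, a wrong key or key ID, and replayed sequence numbers.
"""
import hashlib
import hmac
import ipaddress
import struct

AUTH_CRYPTO = 2   # AuType 2: cryptographic authentication
DIGEST_LEN = 16   # MD5 digest length, also the padded key length


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def pad_key(key):
    """Key string zero-padded (or truncated) to 16 bytes, as IOS does."""
    raw = key.encode()[:DIGEST_LEN]
    return raw + b"\x00" * (DIGEST_LEN - len(raw))


def build_hello(router_id, area_id, key_id, seq, mask="255.255.255.0",
                hello=10, dead=40, priority=1):
    """OSPF header (24 bytes) plus a minimal Hello body (20 bytes), no neighbors."""
    body = struct.pack("!IHBBIII", _ip(mask), hello, 0x02, priority, dead, 0, 0)
    length = 24 + len(body)
    # version 2, type 1 (Hello), length, router ID, area ID, checksum (always 0
    # with cryptographic authentication), AuType
    header = struct.pack("!BBHIIHH", 2, 1, length, _ip(router_id), _ip(area_id), 0, AUTH_CRYPTO)
    # 8-byte authentication field: reserved 0, key ID, digest length, sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    return header + auth + body


def sign(packet, key):
    """Append the MD5 digest; it is not counted in the packet length field."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(wire, key_id, key, last_seq, neighbor):
    """Receiver check. last_seq is per-neighbor state; the sequence number must be
    non-decreasing, so a captured packet cannot be replayed later."""
    packet, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    (length,) = struct.unpack("!H", packet[2:4])
    if length != len(packet):
        return False
    (autype,) = struct.unpack("!H", packet[14:16])
    _, kid, dlen, seq = struct.unpack("!HBBI", packet[16:24])
    if autype != AUTH_CRYPTO or kid != key_id or dlen != DIGEST_LEN:
        return False
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False  # wrong key, or packet modified in transit
    if seq < last_seq.get(neighbor, 0):
        return False  # replayed or stale packet
    last_seq[neighbor] = seq
    return True


if __name__ == "__main__":
    seen = {}
    pkt = sign(build_hello("10.1.1.1", "0.0.0.0", 10, 1000), "areapassword")
    print("genuine packet accepted:", verify(pkt, 10, "areapassword", seen, "10.1.1.1"))
    print("same packet replayed with older seq rejected:",
          not verify(sign(build_hello("10.1.1.1", "0.0.0.0", 10, 999), "areapassword"),
                     10, "areapassword", seen, "10.1.1.1"))
```

Everything except the 16-byte digest is still readable on the wire, which is why the text calls this authentication rather than encryption. The design also explains the "key passes in plain text" weakness of simple authentication that MD5 fixes: the receiver needs the key to recompute the digest, but the sender never has to transmit it.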

Page 2: Lab Activity Configure single-area point-to-point OSPF authentication using MD5.

Click the lab icon to begin.

6.2.2 - Configuring OSPF Authentication Link to Hands-on Lab: Configuring OSPF Authentication Configure single-area point-to-point OSPF authentication using MD5.

6.2.3 Tuning OSPF Parameters Page 1: In addition to performing the basic configuration of OSPF, administrators often need to modify, or tune, certain OSPF parameters.

An example is when a network administrator needs to specify which routers become the DR and the BDR. Setting the interface priority or the router ID on specific routers accomplishes this.

The DR is chosen by the highest interface priority; when priorities are equal, the highest router ID wins. The router ID itself is determined by the first of the remaining items that applies, so the full order of precedence is:

1. Interface priority: set with the ip ospf priority interface command.

2. Router ID: set with the router-id OSPF configuration command.

3. Highest loopback address: if no router ID is configured, the loopback interface with the highest IP address supplies the router ID. OSPF favors loopback interfaces because they are logical rather than physical, and therefore never go down unless shut down administratively.

4. Highest physical interface address: if there is no loopback, the router uses the highest active IP address on one of its interfaces. This option causes problems if interfaces go down or are reconfigured, because the router ID can change.

After changing the router ID or an interface priority, reset the neighbor adjacencies with the clear ip ospf process command so that the new values take effect. This command restarts the OSPF process and drops all adjacencies on the router, so run it in a maintenance window.

6.2.3 - Tuning OSPF Parameters The diagram depicts three routers, R1, R2, and R3, all connected to switch S1. R1: 192.168.1.1. R2: 192.168.1.2. R3: 192.168.1.3. Three sets of OSPF configuration commands are shown:

Priority:
R1(config)# interface fastethernet 0/0
R1(config-if)# ip ospf priority 50

Router ID:
R1(config)# router ospf 1
R1(config-router)# router-id 10.1.1.1

Loopback interface:
R1(config)# interface loopback 1
R1(config-if)# ip address 10.1.1.1 255.255.255.255

Page 2: Lab Activity

Configure OSPF loopback addresses in a multi-access topology to control DR/BDR election.

Click the lab icon to begin.

6.2.3 - Tuning OSPF Parameters Link to Hands-on Lab: Controlling a DR/BDR Election Configure OSPF loopback addresses in a multi-access topology to control DR/BDR election.

Page 3: Bandwidth is another parameter that often requires modification. On Cisco routers, the bandwidth value on most serial interfaces defaults to 1.544 Mbps, the speed of a T1. This bandwidth value determines the cost of the link but does not actually affect the speed of the link.

In some circumstances, an organization receives a fractional T1 from the service provider. One-fourth of a full T1 connection is 384 Kbps and is an example of a fractional T1. The IOS assumes a T1 bandwidth value on serial links even though the interface is actually only sending and receiving at 384 Kbps. This assumption results in improper path selection, because the routing protocol determines that the link is faster than it is.

When a serial interface is not actually operating at the default T1 speed, the interface requires manual modification. Configure both sides of the link to have the same value.

In OSPF, modification using the bandwidth interface command or the ip ospf cost interface command achieves the same result. Both commands specify an accurate value for use by OSPF to determine the best route.

The bandwidth command modifies the bandwidth value used to calculate the OSPF cost metric. To directly modify the cost of an interface, use the ip ospf cost command.

6.2.3 - Tuning OSPF Parameters The diagram depicts a network, identifying the bandwidth and OSPF cost configuration commands. The topology consists of three routers, R1, R2, and R3. R1 is connected to R2 via a serial link (R1: 192.168.10.1/30 on S0/0/0, R2: 192.168.10.2 on S0/0/0). R1 is connected to R3 via a serial link (R1: 192.168.10.5/30 on S0/0/1, R3: 192.168.10.6 on S0/0/0). R2 is connected to R3 via a serial link (R2: 192.168.10.9 on S0/0/1, R3: 192.168.10.10 on S0/0/1). R1 has the network 172.16.1.16/28 attached to Fa0/0 (IP 172.16.1.17). R2 has the network 10.10.10.0/24 attached to Fa0/0 (IP 10.10.10.1). R3 has the network 172.16.1.32/29 attached to Fa0/0 (IP 172.16.1.33). The bandwidth of the link between R1 and R2 is 64 kbps, between R1 and R3 is 256 kbps, and between R2 and R3 is 128 kbps. Screen shots of R1 and R3 show the bandwidth and ip ospf cost commands used when calculating the OSPF cost metric:

R1(config)# interface serial0/0/0
R1(config-if)# bandwidth 64
R1(config-if)# interface serial0/0/1
R1(config-if)# bandwidth 256
R1(config-if)# end

The bandwidth 64 line is highlighted, with the note "10^8 / 64,000 bps = 1562".

R3(config)# interface serial0/0/0
R3(config-if)# ip ospf cost 1562

Page 4: Another parameter related to the OSPF cost metric is the reference bandwidth, which is used to calculate interface cost, also referred to as the link cost.

The OSPF cost of each interface is calculated as 100,000,000 divided by the interface bandwidth in bits per second. The value 100,000,000, or 10^8 (100 Mbps), is the reference bandwidth.

A problem exists with faster links such as Gigabit Ethernet and 10 Gigabit Ethernet. With the default reference bandwidth of 100,000,000, every interface with a bandwidth of 100 Mbps or more gets the same OSPF cost of 1, because the result is truncated to an integer and never falls below 1, so OSPF cannot distinguish a Fast Ethernet link from a 10 Gigabit link.

To obtain more accurate cost calculations, it may be necessary to adjust the reference bandwidth. The reference bandwidth is modified with the OSPF configuration command auto-cost reference-bandwidth.

When this command is used, apply the same value on all routers in the OSPF domain so that the routing metric remains consistent; IOS prints a reminder to that effect. The new reference bandwidth is specified in Mbps. To set the reference bandwidth to 10 Gigabit speed, use the value 10000; Fast Ethernet then has a cost of 100, Gigabit Ethernet 10, and 10 Gigabit Ethernet 1.

6.2.3 - Tuning OSPF Parameters The diagram depicts a flowchart to aid in problem solving. Problem: a new 10 Gigabit link to the ISP is not performing as well as expected. Solution: modify the reference bandwidth; with the default of 100 Mbps, the 10 Gigabit link has the same cost (1) as any 100 Mbps link, so OSPF has no reason to prefer it.

Page 5: Lab Activity Configure OSPF link cost in a point-to-point topology to influence routing decisions.

Click the lab icon to begin.

6.2.3 - Tuning OSPF Parameters Link to Hands-on Lab: Configuring OSPF Parameters Configure OSPF link cost in a point-to-point topology to influence routing decisions.

6.2.4 Verifying OSPF Operation Page 1: Once configured, OSPF has several commands available that verify proper operation.

When troubleshooting OSPF networks, the show ip ospf neighbor command is used to verify that the router has formed an adjacency with its neighboring routers.

If the router ID of a neighboring router is not displayed, or its state is not FULL, the two routers have not formed a full OSPF adjacency. The exception is a pair of DROther routers on a multi-access segment: they stop at the 2WAY state with each other and reach FULL only with the DR and BDR, which is normal.

If this is a multi-access Ethernet network, DR and BDR labels display after FULL/ in the State column.

Two routers may not form an OSPF adjacency if:

The subnet masks do not match, placing the routers on separate networks
OSPF hello or dead timers do not match
OSPF network types do not match
The authentication type or key does not match
There is a missing or incorrect OSPF network command

6.2.4 - Verifying OSPF Operation The diagram depicts three routers, R1, R2, and R3, all connected to a switch: R1 192.168.1.1 with 10.10.3.1 on Loopback 0; R2 192.168.1.2 with 10.10.5.5 on Loopback 0; R3 192.168.1.3 with router ID 10.10.1.6. The diagram shows the output of the show ip ospf neighbor command on R1:

R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.5.5         1   FULL/DR         00:00:37    192.168.1.2     FastEthernet0/0
10.10.1.6         1   2WAY/DROTHER    00:00:15    192.168.1.3     FastEthernet0/0

The fields of the output are: Neighbor ID - the router ID of the neighbor. Pri - the OSPF priority of the neighbor's interface. State - the state of the neighbor relationship. Dead Time - the time remaining before this router declares the neighbor dead if no hello packet arrives. Address - the IP address of the neighbor's interface. Interface - the interface on this router through which the adjacency was formed.
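On a large network nobody reads show ip ospf neighbor by eye on every router; the check described above is scripted. The following is an added worked example, not part of the course material: it parses the neighbor table and flags every neighbor that is not FULL, with the one exception the text names (two DROthers on a broadcast segment legitimately stop at 2WAY). The sample output is constructed to mirror the figure (R2 as DR, R3 as DROther) with a third, invented line added for a serial neighbor stuck in EXSTART so that the detection has something to find. The caller supplies this router's own role on each interface, because whether 2WAY is acceptable depends on it.

```python
"""Health check over 'show ip ospf neighbor' output.

Added worked example, not course material. SAMPLE is constructed: the first
two lines mirror the figure, the third (a serial neighbor stuck in EXSTART)
is invented to exercise the check.
"""
import re

SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.10.5.5         1   FULL/DR         00:00:37    192.168.1.2     FastEthernet0/0
10.10.1.6         1   2WAY/DROTHER    00:00:15    192.168.1.3     FastEthernet0/0
10.3.3.3          1   EXSTART/  -     00:00:39    192.168.10.6    Serial0/0/1
"""

# One neighbor row. The role after the slash is DR, BDR, DROTHER, or "-" on
# point-to-point links, where IOS prints "FULL/  -" with padding spaces.
ROW = re.compile(
    r"^(?P<nid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>DR|BDR|DROTHER|-)\s+"
    r"(?P<dead>[\d:]+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$"
)


def parse_neighbors(text):
    """List of dicts, one per neighbor row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            d["pri"] = int(d["pri"])
            rows.append(d)
    return rows


def check_adjacencies(rows, my_role_by_interface):
    """Return a problem string per neighbor that should be FULL but is not.

    my_role_by_interface maps interface -> 'DR', 'BDR' or 'DROTHER' for this
    router. 2WAY is only acceptable between two DROthers on a broadcast segment;
    on point-to-point links and toward the DR/BDR, anything short of FULL is a fault.
    """
    problems = []
    for r in rows:
        my_role = my_role_by_interface.get(r["intf"])
        if r["state"] == "FULL":
            continue
        if r["state"] == "2WAY" and r["role"] == "DROTHER" and my_role == "DROTHER":
            continue
        problems.append(
            f"{r['nid']} on {r['intf']}: state {r['state']}/{r['role']} (expected FULL)"
        )
    return problems


if __name__ == "__main__":
    rows = parse_neighbors(SAMPLE)
    for p in check_adjacencies(rows, {"FastEthernet0/0": "DROTHER"}):
        print("PROBLEM:", p)
```

With R1 as a DROther on FastEthernet0/0, only the serial neighbor is reported. If R1 were the BDR on that segment, the 2WAY entry for 10.10.1.6 would be a fault as well, since a BDR must reach FULL with every router on the segment; the second call in the test shows that case.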

Page 2: Several show commands are also useful in verifying OSPF operation.

show ip protocols

Displays information such as the router ID, the networks that OSPF is advertising, and the IP addresses of adjacent neighbors.

show ip ospf

Displays the router ID and details about the OSPF process, timers, and area information. It also shows the last time the SPF algorithm executed.

show ip ospf interface

Displays information such as the router ID, network type, cost, and timer settings of each OSPF-enabled interface.

show ip route

Verifies that each router is sending and receiving routes via OSPF.

6.2.4 - Verifying OSPF Operation A network topology is shown: three routers, R1, R2, and R3. R1 is connected to R2 via a serial link (R1: 192.168.10.1/30 on S0/0/0, R2: 192.168.10.2 on S0/0/0). R1 is connected to R3 via a serial link (R1: 192.168.10.5/30 on S0/0/1, R3: 192.168.10.6 on S0/0/0). R2 is connected to R3 via a serial link (R2: 192.168.10.9 on S0/0/1, R3: 192.168.10.10 on S0/0/1). R1 has the network 172.16.1.16/28 attached to Fa0/0 (IP 172.16.1.17) and Lo0 10.1.1.1/32. R2 has the network 10.10.10.0/24 attached to Fa0/0 (IP 10.10.10.1) and Lo0 10.2.2.2/32. R3 has the network 172.16.1.32/29 attached to Fa0/0 (IP 172.16.1.33) and Lo0 10.3.3.3/32.

The OSPF show command outputs are as follows:

R1# show ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 10.1.1.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    172.16.1.16 0.0.0.15 area 0
    192.168.10.0 0.0.0.3 area 0
    192.168.10.4 0.0.0.3 area 0
  Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    10.2.2.2             110      11:29:29
    10.3.3.3             110      11:29:29
  Distance: (default is 110)

R1# show ip ospf
[some output omitted]
Routing Process "ospf 1" with ID 10.1.1.1
Start time: 00:00:19.540, Time elapsed: 11:31:15.776
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has no authentication
        SPF algorithm last executed 11:30:31.628 ago
        SPF algorithm executed 5 times
        Area ranges are
[output omitted]

R1# show ip ospf interface serial0/0/0
Serial0/0/0 is up, line protocol is up
  Internet Address 192.168.10.1/30, Area 0
  Process ID 1, Router ID 10.1.1.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    oob-resync timeout 40
    Hello due in 00:00:07
  Supports Link-local Signaling (LLS)
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 10.2.2.2
  Suppress hello for 0 neighbor(s)

R1# show ip route
Codes: [output omitted]
Gateway of last resort is 192.168.10.2 to network 0.0.0.0
     192.168.10.0/30 is subnetted, 3 subnets
C       192.168.10.0 is directly connected, Serial0/0/0
C       192.168.10.4 is directly connected, Serial0/0/1
O       192.168.10.8 [110/1562] via 192.168.10.6, 00:01:34, Serial0/0/1
                     [110/1562] via 192.168.10.2, 00:01:34, Serial0/0/0
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
O       172.16.1.32/29 [110/782] via 192.168.10.6, 00:01:34, Serial0/0/1
C       172.16.1.16/28 is directly connected, FastEthernet0/0
     10.0.0.0/24 is subnetted, 2 subnets
O       10.10.10.0 [110/782] via 192.168.10.2, 00:01:35, Serial0/0/0
C       10.1.1.0 is directly connected, Loopback0
O*E2 0.0.0.0/0 [110/1] via 192.168.10.2, 00:01:35, Serial0/0/0

Page 3:

6.2.4 - Verifying OSPF Operation The diagram depicts an activity in which you must answer the questions based on the output from the show ip route command of R2, which appears as follows:

R2#show ip route
[output omitted]
Gateway of last resort is not set

     192.168.10.0/30 is subnetted, 3 subnets
C       192.168.10.0 is directly connected, Serial0/0/0
O       192.168.10.4 [110/128] via 192.168.10.10, 00:08:22, Serial0/0/1
C       192.168.10.8 is directly connected, Serial0/0/1
     172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
O       172.16.1.32/29 [110/65] via 192.168.10.10, 00:08:22, Serial0/0/1
O       172.16.1.16/28 [110/129] via 192.168.10.10, 00:08:22, Serial0/0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.2.2.2/32 is directly connected, Loopback0
C       10.10.10.0/24 is directly connected, FastEthernet0/0

1. How many networks were learned by OSPF? 6, 5, 4, or 3
2. What is the administrative distance for OSPF routes? 1, 65, 110, or 128
3. How many subnets are there for the 172.16.0.0 network? 0, 1, 2, or 3
4. What is the metric for the path to the 192.168.10.4 network? 1, 30, 65, or 128
5. What is the router ID for R2?
A. 10.10.10.0
B. 10.2.2.2
C. 192.168.10.2
D. 192.168.10.9

Page 4: Lab Activity

Configure and verify point-to-point and multi-access OSPF networks, including tuning parameters.

Click the lab icon to begin.

6.2.4 - Verifying OSPF Operation Link to Hands-on Lab: Configuring and Verifying Point-to-Point and Multi-Access OSPF Configure and verify point-to-point and multi-access OSPF networks, including tuning parameters.

6.3 Using Multiple Routing Protocols


6.3.1 Configuring and Propagating a Default Route Page 1: Most networks connect to other networks through the Internet. OSPF provides routing information about networks within an AS. OSPF must also provide information about reaching networks outside of the AS.

Sometimes administrators configure static routes on certain routers to provide information that is not received via a routing protocol. Configuring static routes on all routers in a large network is cumbersome. An easier method is to configure a default route that points to the Internet connection for a network.

With OSPF, an administrator configures this route on an Autonomous System Boundary Router (ASBR). The ASBR is also often called the Autonomous System Border Router. The ASBR connects the OSPF network to an outside network. As soon as the default route is entered in the routing table of the ASBR, it can be configured to advertise that pathway to the rest of the OSPF network. This process informs every router within the AS of the default route and spares the administrator the work of configuring static routes on every router in the network.

6.3.1 - Configuring and Propagating a Default Route The diagram depicts six routers connected in a pentagonal-shaped topology. R3 is at the center of the topology. R1 is labeled as the ASBR, and there is a dedicated serial link from R1 to the ISP. This network forms an enterprise AS. R1 announces, "I have a default route to the ISP. I will send it to the other routers within my AS."

Page 2: To configure a router to distribute a default route into the OSPF network, follow these two steps.

Step 1

Configure the ASBR with a default route.

R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0

The default static route statement can specify an interface or the next hop IP address.

Step 2

Configure the ASBR to propagate the default route to other routers. By default, OSPF does not inject the default route into its advertisements even when the route exists in its routing table.

R1(config)#router ospf 1
R1(config-router)#default-information originate

The routing tables of the other routers in the OSPF domain should now show a gateway of last resort and an entry for the 0.0.0.0/0 network. The default route is injected into the OSPF domain as an external type 2 route, so it appears with the code O*E2 in the routing tables of the other routers.

6.3.1 - Configuring and Propagating a Default Route The diagram depicts R1 and R2 directly connected to each other by a serial link using the network address 192.168.10.0/30: R1 S0/0/0 IP address 192.168.10.1, R2 S0/0/0 IP address 192.168.10.2. R2 has a network connected to its FastEthernet interface using the network address 10.10.10.0/24. R1 is connected by a serial link to the ISP using the network address 209.165.200.224/27. R1 says, "I have nowhere to forward unknown traffic." R2 says, "I have nowhere to forward unknown traffic." Outputs from R1 and R2 are shown for three situations: when there is no default route configured, the configuration commands used to create and propagate a default route, and when there is a default route configured. Note: some of the output is omitted.

No Default Route

R1#show ip route
Gateway of last resort is not set
[output omitted]

R2#show ip route
Gateway of last resort is not set
[output omitted]

Creation and Propagation of Default Route

R1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/1
R1(config)#router ospf 1
R1(config-router)#default-information originate

With Default Route

R1#show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
[output omitted]
S*   0.0.0.0/0 is directly connected, Serial0/0/1

R2#show ip route
Gateway of last resort is 192.168.10.1 to network 0.0.0.0
[output omitted]
O*E2 0.0.0.0/0 [110/1] via 192.168.10.1, 00:37:23, Serial0/0/0

Page 3: Lab Activity Configure an OSPF default route and propagate it to other routers in the OSPF area through the routing protocol.

Click the lab icon to begin.

6.3.1 - Configuring and Propagating a Default Route Link to Hands-on Lab: Configuring and Propagating an OSPF Default Route Configure an OSPF default route and propagate it to other routers in the OSPF area through the routing protocol.

6.3.2 Configuring OSPF Summarization Page 1: One method that reduces the number of routing updates and the size of the OSPF routing tables is route summarization. Routes can be summarized into OSPF or between areas within the same OSPF network.

To facilitate OSPF summarization, group together IP addresses in a network area. For example, in a single OSPF area, allocate four contiguous network segments, such as:

192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24

It is possible to summarize and advertise the four networks as one supernet, 192.168.0.0/22. Doing this reduces the number of networks that are advertised throughout the OSPF domain. It also reduces memory requirements and the number of entries in the routing updates.

Additionally, summary routes reduce the issue of flapping routes. Flapping refers to a route that consistently goes up and down. By default, every time a route flaps, a link-state update is propagated throughout the entire domain. This can create a lot of traffic and processing overhead.

When a router is using a summary route, it uses a single supernet address to represent several routes. At least one of the routes included in the summary must actually be up for the router to advertise the summary route. If one or more of the individual routes is flapping, the router continues to advertise only the more stable summary route and does not forward updates about the individual routes. Any packets forwarded toward a flapping route while that route is down are simply dropped at the summarizing router.

To configure an OSPF ABR to summarize these networks into another OSPF area, issue the following command in router configuration mode:

area area-id range ip-address ip-address-mask

Specify the area in which the networks are summarized as well as the starting network number and summary mask.

6.3.2 - Configuring OSPF Summarization The diagram depicts five routers in a cloud labeled Area 0. Four routers within the cloud have individual networks connected to them. R1 has network 192.168.0.0/24 connected. R2 has network 192.168.1.0/24. R3 has network 192.168.2.0/24. R4 has network 192.168.3.0/24. The ASBR is connected to R1, R2, R3, and R4 via serial links that are all within Area 0. The ASBR has a serial link to the ISP router, which is situated outside the cloud. The summary route for Area 0 is 192.168.0.0/22. More Information Popup: Inter-area route summarization is configured on Area Border Routers (ABRs) and applies to routes from within the AS. To take advantage of summarization, network numbers in areas should be assigned contiguously so that the addresses can be combined into one range. Summary routes between autonomous systems are configured on the Autonomous System Border Router (ASBR).
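As an added example (not part of the course material), the following Python helper computes the summary prefix for a list of area networks, flags the case the "assign network numbers contiguously" advice above is meant to avoid (a summary that also claims address space the area does not own), and renders the area range command introduced above. The network lists are the four segments from the text plus a constructed three-network gap case.

```python
import ipaddress
from typing import List, Tuple


def ospf_summary(networks: List[str]) -> Tuple[ipaddress.IPv4Network, bool]:
    """Return the single smallest prefix covering every listed network, and a
    flag telling whether that prefix covers *only* those networks.

    A False flag means the summary also claims address space the area does not
    own. Traffic for that space would be drawn to the summarising router and
    dropped there, just as the text describes for a down component route, so
    the address plan should be fixed (or more than one range configured)
    instead of over-summarising."""
    nets = sorted(ipaddress.ip_network(n) for n in networks)
    low = int(nets[0].network_address)
    high = int(nets[-1].broadcast_address)
    # The summary mask is the run of leading bits shared by the lowest and
    # highest covered address; XOR exposes the first bit where they differ.
    prefix_len = 32 - (low ^ high).bit_length()
    summary = ipaddress.ip_network((low, prefix_len), strict=False)
    # Exact coverage: components neither overlap nor leave holes in the summary.
    no_overlap = all(a.broadcast_address < b.network_address
                     for a, b in zip(nets, nets[1:]))
    exact = no_overlap and sum(n.num_addresses for n in nets) == summary.num_addresses
    return summary, exact


def area_range_command(area_id: int, summary: ipaddress.IPv4Network) -> str:
    """Render the ABR command from the text: area area-id range ip-address mask."""
    return f"area {area_id} range {summary.network_address} {summary.netmask}"


if __name__ == "__main__":
    # The four contiguous segments from the text, then a constructed gap case
    # (192.168.3.0/24 missing) that the /22 summary would still claim.
    for group in (["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"],
                  ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24"]):
        summary, exact = ospf_summary(group)
        status = "exact" if exact else "WARNING: covers address space not in the area"
        print(f"{summary} ({status}) -> {area_range_command(0, summary)}")
```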

Page 2: Lab Activity Configure OSPF summarization to reduce routing updates.

Click the lab icon to begin.

6.3.2 - Configuring OSPF Summarization Link to Hands-on Lab: Configuring OSPF Summarization Configure OSPF summarization to reduce routing updates.

6.3.3 OSPF Issues and Limitations Page 1: OSPF is a scalable routing protocol. It has the ability to converge quickly and to operate within very large networks. There are, however, some issues to consider when using it.

OSPF must maintain multiple databases and therefore requires more router memory and CPU capabilities than distance vector routing protocols.

The Dijkstra Algorithm requires CPU cycles to calculate the best path. If the OSPF network is complex and unstable, the algorithm consumes significant resources when recalculating frequently. Routers running OSPF are typically more powerful and more expensive.

To avoid excessive use of router resources, employ a strict hierarchical design to divide the network into smaller areas. All areas must maintain connectivity to Area 0. If not, they may lose connectivity to other areas.

OSPF can be challenging to configure if the network is large and the design is complex. In addition, interpreting the information contained in the OSPF databases and routing tables requires a good understanding of the technology.

During the initial discovery process, OSPF can flood the network with LSAs and severely limit the amount of data that the network can transport. Flooding in large networks with many routers and low bandwidth noticeably decreases network throughput.

Despite the issues and limitations of OSPF, it is still the most widely used link-state routing protocol within an enterprise.

6.3.3 - OSPF Issues and Limitations The diagram depicts the advantages and disadvantages of using OSPF as a routing protocol.

Advantages
Uses bandwidth as a metric
Converges quickly using triggered updates
Limits routing loops through a consistent view of the network topology
Routing decisions based on latest information
Minimizes link-state database - fewer SPF calculations
Converges faster
Supports CIDR and VLSM
Designed hierarchically using areas

Disadvantages
Requires more memory and processor power
Requires more complex and expensive implementation
Requires an administrator who understands the protocol
Floods the network initially with LSAs, noticeably degrading network performance

6.3.4 Using Multiple Protocols in the Enterprise

Page 1: For various reasons, organizations might choose different routing protocols.

A network administrator may choose different routing protocols for different sections of a network, based on legacy equipment or available resources. Two companies that merge may have configured their networks using different routing protocols and still need to communicate with each other.

When multiple routing protocols exist on a single router, there is the possibility of that router learning of a destination from multiple sources. There must be a predictable method for the router to choose which route to view as the most desirable pathway and place it in the routing table.

6.3.4 - Using Multiple Protocols in the Enterprise The diagram depicts the merging of traffic between two organizations, A and B, each shown as a network cloud running a different routing protocol. Organization B has four routers as part of its network. Three of the routers have networks connected to the BR, which is the fourth router, via serial links. The routing protocol in use is RIP v2. The BR in B is directly connected to the ABR of Organization A. Directly connected to the ABR of Organization A are four routers, each connected to its own network. The cloud surrounding Organization A uses the OSPF routing protocol, sending OSPF updates out of the ABR to the BR in Organization B. The BR in Organization B sends RIP updates to Organization A. The border routers BR and ABR are running both routing protocols, RIP v2 and OSPF. This enables traffic to traverse both networks.

Page 2: When a router learns of a single network from multiple sources, it uses the administrative distance (AD) to determine which route it prefers. The Cisco IOS assigns all routing information methods an AD.

If a router learns of a particular subnet by way of RIP and OSPF, the OSPF-learned route is the one that it chooses for the routing table. Its AD is lower and, therefore, more desirable. The code at the beginning of the routing table entry indicates the source of the route, or how it was learned. Each code associates with a specific AD.

6.3.4 - Using Multiple Protocols in the Enterprise The diagram depicts a comparison of routing information from different protocols and router sources. The information below appears in a table. The column headers are Route Source, Administrative Distance, and Default Metric.

Route Source          Administrative Distance   Default Metric
Connected             0                         0
Static                1                         0
EIGRP Summary Route   5                         0
External BGP          20
Internal EIGRP        90                        Bandwidth, Delay
IGRP                  100                       Bandwidth, Delay
OSPF                  110                       Link cost (bandwidth)
IS-IS                 115                       Link cost (bandwidth)
RIP                   120                       Hop count
External EIGRP        170                       Value assigned by administrator
Internal BGP          200

Page 3:

6.3.4 - Using Multiple Protocols in the Enterprise The diagram depicts an activity in which you must analyze the routing table and determine the route source, the AD, and the metric.

Routing Table Information (console output)

Gateway of last resort is not set

     10.0.0.0/16 is subnetted, 1 subnets
S       10.4.0.0 is directly connected, Serial0/0/0
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
C       172.16.2.0 is directly connected, Serial0/0/0
D       172.16.3.0 [90/2172416] via 172.16.2.1, 00:00:18, Serial0/0/0
C    192.168.1.0/24 is directly connected, Serial0/0/1
O    192.168.100.0/24 [110/65] via 172.16.2.1, 00:00:03, Serial0/0/0
O    192.168.110.0/24 [110/65] via 172.16.2.1, 00:00:03, Serial0/0/0
R    192.168.120.0/24 [120/65] via 172.16.2.1, 00:00:18, Serial0/0/0

Routes:
A. 10.4.0.0/16
B. 172.16.2.0/24
C. 172.16.3.0/24
D. 192.168.110.0/24
E. 192.168.120.0/24

Options:
1. SPF
2. ODR
3. BGP
4. Static
5. Connected
6. 0
7. 110
8. 90
9. 120
10. 2172416
11. EIGRP
12. RIP
13. 1
14. 65

Page 4: If two networks have the same base address and subnet mask, a router views them as identical. A summarized network and an individual network that is part of that summary, however, are considered different networks.

The summarized network 192.168.0.0/22 and the individual network 192.168.1.0 /24 are different entries, even though the summarization includes the individual network. When this situation occurs, both networks are placed in the routing table. The decision of which route to use falls to the entry with the closest, or longest, prefix match.

As an example, a router receives a packet with a destination IP address of 172.16.0.10. Three possible routes match this packet: 172.16.0.0/12, 172.16.0.0/18, and 172.16.0.0/26. Of the three routes, 172.16.0.0/26 has the longest match. For any of these routes to be considered a match, there must be at least the number of matching bits indicated by the subnet mask of the route.

6.3.4 - Using Multiple Protocols in the Enterprise The diagram depicts three tables, each containing a single destination IP address with the corresponding routes that appear in the routing table. Highlighted is the route with the longest match to the IP packet destination. The tables show that when a router has multiple routes in its routing table for a destination IP address, the router chooses the single route with the longest bit match, which identifies the network of the destination IP address. In each table, the destination address and each route are also written in binary; compare the binary representations and the highlighted matches.

Destination 192.168.1.15
Route 1: O 192.168.0.0/22 [110/65] via 192.168.0.1, Serial0/0/0
Route 2: O 192.168.1.0/24 [110/65] via 192.168.1.1, Serial0/0/1
Destination  11000000.10101000.00000001.00001111
Route 1      11000000.10101000.00000000.00000000
Route 2      11000000.10101000.00000001.00000000
(The highlighted area shows the longest match to the IP packet destination.)

Destination 192.168.3.23
Route 1: O 192.168.0.0/22 [110/65] via 192.168.0.1, Serial0/0/0
Route 2: O 192.168.1.0/24 [110/65] via 192.168.1.1, Serial0/0/1
Destination  11000000.10101000.00000011.00010111
Route 1      11000000.10101000.00000000.00000000
Route 2      11000000.10101000.00000001.00000000
(The highlighted area shows the longest match to the IP packet destination.)

Destination 172.16.0.10
Route 1: O 172.16.0.0/12 [110/65] via 192.168.0.1, Serial0/0/0
Route 2: O 172.16.0.0/18 [110/65] via 192.168.1.1, Serial0/0/1
Route 3: O 172.16.0.0/26 [110/65] via 192.168.1.1, Serial0/0/1
Destination  10101100.00010000.00000000.00001010
Route 1      10101100.00010000.00000000.00000000
Route 2      10101100.00010000.00000000.00000000
Route 3      10101100.00010000.00000000.00000000
(The highlighted area shows the longest match to the IP packet destination.)

Page 5:

6.3.4 - Using Multiple Protocols in the Enterprise The diagram depicts an activity in which you must answer the questions below.

1. Select the route the packet will take if the destination network is 192.168.1.133.
Option 1. O 192.168.1.0/24 [110/65] via 192.168.2.2, Serial0/0/0
Option 2. R 192.168.1.0/24 [120/1] via 192.168.3.2, FastEthernet0/0
Option 3. D 192.168.1.0/24 [90/21765] via 192.168.4.2, Serial0/0/1

2. Select the route the packet will take if the destination network is 192.168.1.228.
Option 1. C 192.168.1.0/24 is directly connected, FastEthernet0/0
Option 2. O 192.168.1.0/24 [110/65] via 192.168.2.2, Serial0/0/0
Option 3. D 192.168.1.0/24 [90/21765] via 192.168.3.2, Serial0/0/1

3. Select the route the packet will take if the destination network is 10.10.10.5.
Option 1. R 10.10.10.0/16 [120/1] via 192.168.2.2, Serial0/0/0
Option 2. D 10.10.10.0/16 [90/21765] via 192.168.3.2, Serial0/0/1
Option 3. S 10.10.10.0/16 [1/0] via 192.168.4.2

4. Select the route the packet will take if the destination network is 172.16.0 /48.
Option 1. O 172.16.0.0/16 [110/65] via 192.168.2.2, Serial0/0/0
Option 2. O 172.16.0.0/24 [110/65] via 192.168.3.2, FastEthernet0/0
Option 3. O 172.16.0.0/20 [110/65] via 192.168.4.2, Serial0/0/1

5. Select the route the packet will take if the destination network is 192.168.1.55.
Option 1. R 192.168.1.0/26 [120/1] via 192.168.2.2, Serial0/0/0
Option 2. R 192.168.1.0/24 [120/1] via 192.168.3.2, FastEthernet0/0
Option 3. R 192.168.1.0/25 [120/1] via 192.168.4.2, Serial0/0/1
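The two-stage selection described in 6.3.4 (administrative distance decides which source's route is installed for a prefix; longest prefix match then decides which installed route forwards a packet), written out as an added Python example rather than course material. The routing-table lines are constructed from this section's figures, and the parser is a simplified reading of the show ip route entry format, not a complete one.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One IOS "show ip route" entry in the form used in this section, for example
#   O 192.168.1.0/24 [110/65] via 192.168.2.2, 00:00:05, Serial0/0/0
#   C 192.168.1.0/24 is directly connected, FastEthernet0/0
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?:E[12])?)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected)"
    r"(?:,\s*\d\d:\d\d:\d\d)?"      # optional route age, e.g. 00:00:05
    r"(?:,\s*(?P<iface>\S+))?\s*$"  # optional exit interface
)


@dataclass(frozen=True)
class Route:
    code: str
    network: ipaddress.IPv4Network
    ad: int
    metric: int
    next_hop: Optional[str]
    interface: Optional[str]


def parse_route(line: str) -> Route:
    """Parse one routing-table line; connected routes get AD 0 and metric 0."""
    m = ROUTE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised routing table line: {line!r}")
    network = ipaddress.ip_network(m.group("prefix"), strict=False)
    if m.group("ad") is None:
        ad, metric = 0, 0
    else:
        ad, metric = int(m.group("ad")), int(m.group("metric"))
    return Route(m.group("code"), network, ad, metric,
                 m.group("nexthop"), m.group("iface"))


def install_routes(candidates: List[Route]) -> List[Route]:
    """Stage 1 (administrative distance): when the same prefix is learned from
    several sources, only the lowest-AD source is installed; among its routes
    the lowest metric wins, and equal-cost paths are kept for load balancing."""
    by_prefix: Dict[ipaddress.IPv4Network, List[Route]] = {}
    for r in candidates:
        by_prefix.setdefault(r.network, []).append(r)
    table: List[Route] = []
    for routes in by_prefix.values():
        best_ad = min(r.ad for r in routes)
        preferred = [r for r in routes if r.ad == best_ad]
        best_metric = min(r.metric for r in preferred)
        table.extend(r for r in preferred if r.metric == best_metric)
    return table


def lookup(table: List[Route], destination: str) -> List[Route]:
    """Stage 2 (longest prefix match): of the installed routes that contain the
    destination, return those with the longest mask (more than one only when
    equal-cost paths exist)."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in table if dest in r.network]
    if not matches:
        return []
    longest = max(r.network.prefixlen for r in matches)
    return [r for r in matches if r.network.prefixlen == longest]


def best_exit(lines: List[str], destination: str) -> Optional[str]:
    """Parse, install and look up; return the chosen next hop (or the exit
    interface for a connected route), or None when nothing matches."""
    chosen = lookup(install_routes([parse_route(l) for l in lines]), destination)
    if not chosen:
        return None
    return chosen[0].next_hop or chosen[0].interface


# Constructed sample table mirroring this section's figures (not captured from
# a real router): 192.168.1.0/24 learned from OSPF, RIP and EIGRP, three
# overlapping 172.16.0.0 prefixes, two equal-cost OSPF paths, and a connected
# supernet that also covers 192.168.1.0/24.
SAMPLE_LINES = [
    "O 192.168.1.0/24 [110/65] via 192.168.2.2, 00:00:05, Serial0/0/0",
    "R 192.168.1.0/24 [120/1] via 192.168.3.2, 00:00:05, FastEthernet0/0",
    "D 192.168.1.0/24 [90/21765] via 192.168.4.2, 00:00:05, Serial0/0/1",
    "O 172.16.0.0/12 [110/65] via 192.168.0.1, 00:01:34, Serial0/0/0",
    "O 172.16.0.0/18 [110/65] via 192.168.1.1, 00:01:34, Serial0/0/1",
    "O 172.16.0.0/26 [110/65] via 192.168.1.1, 00:01:34, Serial0/0/1",
    "O 192.168.10.8/30 [110/1562] via 192.168.10.6, 00:01:34, Serial0/0/1",
    "O 192.168.10.8/30 [110/1562] via 192.168.10.2, 00:01:34, Serial0/0/0",
    "C 192.168.0.0/22 is directly connected, FastEthernet0/1",
]

if __name__ == "__main__":
    for dest in ("192.168.1.133", "172.16.0.10", "172.16.100.1", "192.168.2.5"):
        print(f"{dest} -> {best_exit(SAMPLE_LINES, dest)}")
```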

6.4 Chapter Summary


6.4.1 Summary Page 1:

6.4.1 - Summary Three Diagrams, Slider Graphic Diagram 1, Image

The diagram depicts four areas encompassing the EIGRP router.

Diagram 1 text: OSPF is a classless interior link-state routing protocol used in enterprise networks. OSPF offers scalability and route summarization, and it isolates routing issues. OSPF uses bandwidth to generate the cost metric. OSPF routers within an area advertise information about the status of their links to their neighbors using LSAs. OSPF routers use their router ID to elect a DR and BDR on multi-access networks. An OSPF AS design starts with the backbone area, or Area 0. All other areas created are adjacent to Area 0. An ABR connects an area to the backbone area. An ASBR connects the entire OSPF AS to another AS.

Diagram 2, Image: The diagram depicts three routers interconnected via serial links. The OSPF packets from all three routers are encrypted to increase security.

Diagram 2 text: The OSPF network command uses a combination of network address and wildcard mask. It specifies the interface address or range of addresses enabled for OSPF. To ensure the security of OSPF updates, configure authentication between routers. The most secure method of authentication is MD5. A network administrator can dictate which routers become the DR and the BDR by setting the priority or router ID on the routers. The bandwidth interface command and the IP OSPF cost interface command ensure that OSPF uses an actual cost to determine the best route. Several show commands verify OSPF operation, including show IP protocols, show IP OSPF, show IP OSPF interface, show IP route, and show IP OSPF neighbor.

Diagram 3, Image: The diagram depicts six routers connected in a pentagonal-shaped topology.

Diagram 3 text: An administrator configures a default route on an ASBR and then configures it to advertise the default route into the rest of the OSPF network. Inter-area route summarization is configured on an ABR and applies to routes from within the AS. Summary routes between autonomous systems are configured on the ASBR. OSPF requires more router memory and CPU resources, which means more powerful and more expensive routers. Route redistribution allows routes from one routing protocol, or static routes, to be imported into another routing protocol. AD and longest prefix match determine the preferred route to a network.

6.4.2 Critical Thinking Page 1:

6.4.2 - Critical Thinking The diagram depicts an activity in which you must answer the questions based on the information contained in the exhibit.

Exhibit: The exhibit depicts the output following the show ip route command of RTR1.

RTR1#sh ip route
[output omitted]
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R       10.10.4.0/24 [120/1] via 10.10.10.1, 00:00:12, FastEthernet1/0
C       10.10.10.0/24 is directly connected, FastEthernet0/1
S       10.10.4.16/29 is directly connected, Serial0/2/1
     192.168.16.0/30 is subnetted, 1 subnets
C       192.168.16.0 is directly connected, Serial0/2/1
S*   0.0.0.0/0 is directly connected, FastEthernet0/0

1. A packet is destined for 10.10.4.3/24. From which interface will the packet leave?
Option 1. FastEthernet1/0
Option 2. FastEthernet0/1
Option 3. Serial0/2/1
Option 4. FastEthernet0/0

2. A packet is destined for 10.10.4.17/29. Out of which interface does the packet leave?
Option 1. FastEthernet1/0
Option 2. FastEthernet0/1
Option 3. Serial0/2/1
Option 4. FastEthernet0/0

3. A packet is destined for 10.10.20.3/24. Out of which interface does the packet leave?
Option 1. FastEthernet1/0
Option 2. FastEthernet0/1
Option 3. Serial0/2/1
Option 4. FastEthernet0/0

4. A packet is destined for 10.10.10.3/24. Out of which interface does the packet leave?
Option 1. FastEthernet1/0
Option 2. FastEthernet0/1
Option 3. Serial0/2/1
Option 4. FastEthernet0/0

6.5 Chapter Quiz


6.5.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

6.5.1 - Quiz Chapter 6 Quiz: Routing with a Link-State Protocol

1. What attribute is associated with link-state routing protocols?
A. split horizon
B. poison reverse
C. low processor overhead
D. shortest-path first calculations

2. If OSPF is configured in the network using the costs described in the Network Topology and the Table of OSPF Costs, which path will a packet take from H1 to H2? To answer this question, refer to the description of the Network Topology and the Table of OSPF Costs.
Network Topology: Host H1 is connected via an Ethernet cable to router R1. R1 is connected via an Ethernet cable to router R2. R2 is connected via a T1 serial link to router R5. R1 is also connected via an Ethernet cable to R5. R1 is also connected via a T1 serial link to R4. R4 is connected via a GigabitEthernet link to R5. R1 is also connected via a T3 serial link to R3. R3 is connected via a FastEthernet link to R4. Finally, R5 is connected via an Ethernet link to host H2.
Table of OSPF Costs: GigabitEthernet link = OSPF cost of 1; FastEthernet link = OSPF cost of 10; T3 link = OSPF cost of 20; Ethernet link = OSPF cost of 100; T1 link = OSPF cost of 800.
A. R1 - R5
B. R1 - R2 - R5
C. R1 - R4 - R5
D. R1 - R3 - R4 - R5

3. To answer this question, refer to the information regarding the Destination IP address and the Learned Routes.
Destination IP address: 192.168.1.143
Learned Routes:
O 192.168.1.0/24 [110/65] via 192.168.2.2, 00:00:05, Serial0/0/0
R 192.168.1.0/24 [120/1] via 192.168.3.2, 00:00:05, FastEthernet0/0
D 192.168.1.0/24 [90/21765] via 192.168.4.2, 00:00:05, Serial0/0/1
The router learned three different routes to the subnet 192.168.1.0. What action will the router take to forward a packet to the destination of 192.168.1.143?
A. The packet will be dropped by the router.
B. The packet will be load-balanced across the three routes.
C. The packet will be forwarded to the next hop of 192.168.4.2.
D. The packet will exit the router through the FastEthernet 0/0 interface.

4. To answer this question, refer to the partial output from the show running-config command on RouterA. With all interfaces on RouterA active, the network administrator modifies the configuration of the router by issuing the command no router-id 18.20.20.172. The configuration is then saved and the router restarted. What will be the router ID for RouterA when OSPF is re-established?
RouterA# show running-config
interface Loopback0
 ip address 192.168.30.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.70.18 255.255.255.252
!
interface FastEthernet0/0
 ip address 192.168.102.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.90.1 255.255.255.0
!
interface Serial0/0/0
 ip address 172.20.20.18 255.255.255.252
!
router ospf 100
 router-id 18.20.20.172
A. 10.190.102.1
B. 172.20.20.18
C. 192.168.30.1
D. 192.168.70.18
E. 192.168.90.1

5. To answer this question, refer to the Network Topology.
Network Topology: A switch at the core of a star topology is connected to routers A, B, C and D. RouterA is connected to the core switch via Fa0/0 with the IP address 172.16.5.1/24. RouterA has a Loopback0 address of 172.16.4.3/32. RouterB is connected to the core switch via Fa0/0 with the IP address 172.16.5.2/24. RouterB has a Loopback0 address of 172.16.4.2/32. RouterC is connected to the core switch via Fa0/0 with the IP address 172.16.5.3/24. RouterC has a Loopback0 address of 172.16.4.1/32. RouterD is connected to the core switch via Fa0/0 with the IP address 172.16.5.4/24. RouterD has a Loopback0 address of 172.16.4.4/32.
RouterA, RouterB, and RouterC in the network topology are running OSPF on their Ethernet interfaces. RouterD was just added to the network. Routers are configured with the loopback interfaces (Lo0). What happens to the OSPF DR/BDR after RouterD is added to the network?
A. RouterB takes over as DR and RouterD becomes the BDR.
B. RouterD becomes the BDR and RouterA remains the DR.
C. RouterD becomes the DR and RouterA remains the BDR.
D. RouterC acts as the DR until the election process is complete.
E. RouterD becomes the DR and RouterB remains the BDR.
F. There is no change in the DR and BDR until either the current DR or BDR goes down.

6. To answer this question, refer to the Network Topology.
Network Topology: Router A is connected to a LAN addressed 192.168.10.64/26. Router A is also connected to Router B via a serial link, IP address 192.168.10.192/30. Router B is connected to a LAN addressed 192.168.10.128/27. All networks from Router A and Router B are part of OSPF Area 0. What network commands will configure Router A to properly advertise the OSPF routes?
A. network 192.168.10.0 0.0.0.63 area 0
   network 192.168.10.128 0.0.0.63 area 0
B. network 192.168.10.64 0.0.0.63 area 0
   network 192.168.10.192 0.0.0.3 area 0
C. network 192.168.10.0 255.255.255.252 area 0
   network 192.168.10.128 255.255.255.252 area 0
D. network 192.168.10.64 255.255.255.252 area 0
   network 192.168.10.192 255.255.255.252 area 0

7. Which two statements are true regarding the cost calculation for a link in OSPF? (Choose two.)
A. It can be set with the ip ospf cost command.
B. It is set to 1544 by default for all OSPF interfaces.
C. The configured loopback addresses map to link costs.
D. It may be calculated using the formula reference bandwidth/bandwidth.
E. It is calculated proportionally to the observed throughput capacity of the router.

8. To answer this question, refer to the Network Topology.
Network Topology: This network topology consists of three routers. Router A is connected to a LAN with the IP address 192.168.10.64/26. Router A is connected to router B via a serial link with the IP address 192.168.10.0/30. Router B is connected to a LAN with the IP address 192.168.10.128/26. Router B is connected to router C via a serial link with the IP address 192.168.10.4/30. Router C is connected to a LAN with the IP address 192.168.10.192/26. The OSPF routing protocol is configured on the routers; however, router A is not receiving any OSPF routes from the other routers. Based on the information given in the Network Topology and the output below, what is the problem with the router A configuration?
A#show ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.10.65
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    192.168.10.64 0.0.0.63 area 0
    192.168.10.128 0.0.0.63 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.10.65        110      00:00:28
  Distance: (default is 110)
A. None of the interfaces are enabled.
B. OSPF has an improper process ID.
C. One of the network statements is wrong.
D. Auto-summarization needs to be disabled.

9. To answer this question, refer to the Network Topology.
Network Topology: Router HQ has a serial link to the Internet. HQ has serial links to routers North, South, East and West, similar to a hub-and-spoke network.
HQ(config)#ip route 0.0.0.0 0.0.0.0 serial 1/0
HQ(config)#router ospf 1
HQ(config-router)#default-information originate
HQ(config)#exit
A network administrator is implementing OSPF between headquarters and multiple branch offices. All branch offices are connected to the Internet through the headquarters router. What effect will the commands entered on the headquarters router have?
A. The command will only affect the local router.
B. The command must be applied to all routers in order for the default route to be propagated.
C. The default will be propagated to all routers participating in the same OSPF area.
D. The default route will only be learned by the OSPF adjacent neighbors.

10. For what two reasons would a network administrator choose to enable authentication for OSPF exchanges? (Choose two.)
A. to prevent routing information from being falsified
B. to reduce OSPF information exchange overhead
C. to keep routing information from being captured
D. to encrypt routing tables to prevent unauthorized viewing
E. to ensure the OSPF routing information takes priority over RIP and EIGRP updates



All contents copyright 2007-2008 Cisco Systems, Inc. All | Translated by the Cisco Networking Academy. About

Search | Glossary

Course Index:

CCNA Discovery - Introducing Routing and Switching in the Enterprise


7 Implementing Enterprise WAN Links
7.0 Chapter Introduction
7.0.1 Introduction Page 1:

7.0.1 - Introduction Connecting remote sites together by an enterprise WAN allows users to access network resources and information. As information traverses the WAN, the Layer 2 encapsulation adapts to match the technology. A popular WAN technology that uses packet switching is Frame Relay. After completion of this chapter, you should be able to:
Describe the features and benefits of common WAN connectivity options.
Compare common WAN encapsulations and configure PPP.
Describe Frame Relay.

7.1 Connecting the Enterprise WAN


7.1.1 WAN Devices and Technology Page 1: As companies grow, they often expand from a single location to multiple remote locations. This expansion requires that the business network expand from a local area network (LAN) to a wide area network (WAN).

Within a LAN, a network administrator has physical control over all cabling, devices, and services. Although some larger companies maintain their own WANs, most organizations purchase WAN services from a service provider. Service providers charge for the use of their network resources. ISPs allow users to share resources among remote locations without incurring the expense of building and maintaining their own network.

Control of network resources is not the only difference between a LAN and a WAN. The technologies also differ. The most common LAN technology is Ethernet. WAN technologies are serial transmissions. Serial transmissions enable reliable, long-range communications at slower speeds than a LAN.

7.1.1 - WAN Devices and Technology The animation depicts the evolution of a WAN. A company's network expands from a LAN in a single location to LANs in multiple locations, including the cities of New York, Osaka, Boston, and Orlando. All locations are connected together, forming a WAN.

Page 2: When implementing a WAN, the WAN technology used determines the type of devices required by an organization. For example, a router used as a gateway to connect to the WAN translates the data into a format that is acceptable to the service provider network. A translation device, such as a modem, prepares the data for transmission across the service provider network.

Preparing the data for transmission on the WAN using digital lines requires a channel service unit (CSU) and a data service unit (DSU). These two devices are often combined into a single piece of equipment called the CSU/DSU. This device integrates into the interface card in the router. When using an analog connection, a modem is necessary.

When a business subscribes to WAN services through an ISP, the ISP owns and maintains most of the equipment. In certain environments, the subscriber may own and maintain some of the connection equipment. The point at which the control and responsibility of the customer ends and the control and responsibility of the service provider begins is known as the demarcation point, or demarc. For example, the demarc might exist between the router and the translating device or between the translating device and the central office (CO) of the service provider. Regardless of ownership, service providers use the term customer premises equipment (CPE) to describe equipment located at the customer site.

7.1.1 - WAN Devices and Technology The diagram depicts a network cloud containing a WAN network, switches, and a trunk. On the edge of the cloud, a CO switch is connected to a corporate network via a CSU/DSU that is owned by the customer.

Page 3: The CO is the location where the service provider stores equipment and accepts customer connections. The physical line from the CPE connects into a router or WAN switch at the CO using copper or fiber cabling.

This connection is called the local loop, or last mile. From the customer perspective, it is the first mile, because it is the first part of the medium leading from the location of the customer.

The CSU/DSU or modem controls the rate at which data moves onto the local loop. It also provides the clocking signal to the router. The CSU/DSU is data communications equipment (DCE). The router, which is responsible for passing the data to the DCE, is data terminal equipment (DTE).

The DTE/DCE interface uses various Physical Layer protocols, such as X.21 and V.35. These protocols establish the codes and electrical parameters that the router and the CSU/DSU use to communicate with each other.

7.1.1 - WAN Devices and Technology The diagram depicts the Layer 1 WAN protocols and a brief description of each. In the diagram, a Data Terminal Equipment (DTE) interface to a WAN link is connected to the Data Communication Equipment (DCE) end of a service provider's communication facility. The DCE is connected to the ISP. The following protocols may be used in a DTE and DCE connection.
EIA/TIA-232: Allows signal speeds of up to 64 Kbps on a 25-pin D connector over short distances. Formerly known as RS-232. Same as the ITU-T V.24 specification.
EIA/TIA-449/530: Faster (up to 2 Mbps) version of EIA/TIA-232. Uses a 36-pin D connector and is capable of longer cable runs. Also known as RS-422 and RS-423.
EIA/TIA-612/613: Provides access to services of up to 52 Mbps on a 60-pin D connector.
V.35: An ITU-T standard for synchronous communications between a network access device and a packet network at speeds up to 48 Kbps. Uses a 34-pin rectangular connector.
X.21: An ITU-T standard for synchronous digital communications. Uses a 15-pin D connector.

Page 4: Technology continuously develops and improves signaling standards that enable increased speed and traffic.

When choosing a WAN technology, it is important to consider the link speed. The first digital networks created for WAN implementations provided support for a 64 kbps connection across a leased line. The term digital signal level 0 (DS0) refers to this standard.

As technology improved, service providers supplied subscribers with specific increments of the DS0 channel. For example, in North America, a DS1 standard, also called a T1 line, defines a single line that supports 24 DS0s, plus an 8 kbps overhead channel. This standard enables speeds of up to 1.544 Mbps. A T3 line uses a DS3 standard, which supports 28 DS1s and speeds of up to 44.736 Mbps.

Other parts of the world use different standards. For example, Europe offers lines such as E1s, which support 32 DS0s for a speed of up to 2.048 Mbps, and E3s, which support 16 E1s for a speed of up to 34.064 Mbps.

7.1.1 - WAN Devices and Technology The diagram depicts a chart with the column headers Line Type, Signal Standard, and Bit Rate Capacity associated with each WAN technology.

Line Type   Signal Standard   Bit Rate Capacity
56          DS0               56 Kbps
64          DS0               64 Kbps
T1          DS1               1.544 Mbps
E1          ZM                2.048 Mbps
E3          M3                34.064 Mbps
J1          Y1                2.048 Mbps
T3          DS3               44.736 Mbps
OC-1        SONET             51.84 Mbps
OC-3        SONET             155.54 Mbps
OC-9        SONET             466.56 Mbps
OC-12       SONET             622.08 Mbps
OC-18       SONET             933.12 Mbps
OC-24       SONET             1244.16 Mbps
OC-36       SONET             1866.24 Mbps
OC-48       SONET             2488.32 Mbps

Page 5:

7.1.1 - WAN Devices and Technology The diagram depicts an activity in which you must match the WAN term to the definition.
WAN Terms
A. demarc
B. CPE
C. DTE
D. DCE
E. CO
F. local loop
G. CSU/DSU
H. modem
Definitions
One. The location where the service provider takes over control of the WAN link.
Two. Equipment located at the site of the customer.
Three. The local router is this type of equipment.
Four. The CSU/DSU is this type of equipment.
Five. The location where the service provider houses equipment and accepts connections from customer networks.
Six. The portion of media that connects the end user with the CO.
Seven. The device that formats the WAN traffic into a format acceptable to the ISP's network.
Eight. The device required to use an analog connection into the WAN.

7.1.2 WAN Standards Page 1: Designing a network based on specific standards ensures that all of the different devices and technologies found in a WAN environment work together.

WAN standards describe the Physical Layer and Data Link Layer characteristics of data transportation. Data Link Layer WAN standards include parameters such as physical addressing, flow control, and encapsulation type, as well as how the information moves across the WAN link. The type of WAN technology employed determines the specific Data Link Layer standards used. Some examples of Layer 2 WAN protocols are:

Link Access Procedure for Frame Relay (LAPF)
High-level Data Link Control (HDLC)
Point-to-Point Protocol (PPP)

Several organizations are responsible for managing both the Physical Layer and Data Link Layer WAN standards. These include:

International Telecommunications Union Telecommunications Standardization Sector (ITU-T)
International Organization for Standardization (ISO)
Internet Engineering Task Force (IETF)
Electronics Industry Alliance (EIA)
Telecommunications Industry Association (TIA)

7.1.2 - WAN Standards The diagram depicts the layers of the OSI model, with the focus on Layer 2, the Data Link Layer.
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer: Physical addressing, Flow control, Encapsulation type (LAPF for Frame Relay, HDLC, PPP)
Physical Layer

Page 2:

7.1.2 - WAN Standards The diagram depicts an activity in which you must determine whether the standards belong to Layer 1 or Layer 2.
Standards
One. VTP Transport Mode
Two. PPP
Three. X.21
Four. EIA/TIA-232
Five. V.35
Six. LAPF
Seven. HDLC

7.1.3 Accessing the WAN Page 1: WAN links use either digital or analog technology. With analog connections, the data is encoded, or modulated, onto a carrier wave. The modulated signal then carries the information across the medium to the remote site. At the remote site, the signal is demodulated and the receiver extracts the information.

A modem encodes the information onto that carrier wave before transmission and then decodes it at the receiving end. The modem gets its name from its task of modulation and demodulation of the carrier signal.

Modems enable remote sites to communicate through the plain old telephone system (POTS). They also enable end users to connect to service provider networks through DSL or cable connections.

7.1.3 - Accessing the WAN The diagram depicts a client communicating with a host. The client uses the EIA/TIA-232 protocol to connect to a modem. The modem connects to a POTS cloud. The POTS cloud connects to a second modem, which is connected to the host, also using the EIA/TIA-232 protocol. The signals sent between the computer (client or host) and the modem are digital signals. The signals sent between the modem and the telephone network (POTS) are analog signals.

Page 2:

Companies often purchase connectivity using dedicated links between their location and the ISP. These services are usually obtained as leased lines, for which the company pays a monthly fee. These lines carry large amounts of data. For example, a T1 link carries 1.544 Mbps of traffic and an E1 link carries 2.048 Mbps of traffic. Often this bandwidth is larger than the amount that the organization actually requires. A T1 can be split into 24 DS0s of 64 Kbps each, so a customer can order only part of a T1 or E1; this is called a fractional T1 or fractional E1.

High-bandwidth connections are split up into several DS0s. The ISP assigns each DS0 to a different conversation or end user. Organizations purchase one or more DS0 channels. A DS0 is not a separate physical entity but rather a time slice of the physical bandwidth on one wire. Each fractional connection enables full use of the media by the organization for part of the total time. There are two techniques in which information from multiple channels can be allocated bandwidth on a single cable based on time: Time Division Multiplexing (TDM) and Statistical-Time Division Multiplexing (STDM).

7.1.3 - Accessing the WAN The diagram depicts Site A connected to the Service Provider via a T1-1.544 Mbps link. Site B is connected to the service provider via a Fractional T1 128 Kbps link. Site C is connected to the service provider via a Fractional T1 64 Kbps link.

Page 3: Time Division Multiplexing (TDM) allocates bandwidth based on pre-assigned time slots. Each of these time slices is then assigned to an individual conversation. Each time slice represents a period of time during which a conversation has complete use of the physical media. Bandwidth is allocated to each channel or time slot regardless of whether the station using the channel has data to transmit. Therefore, with standard TDM, if a sender has nothing to say, its time slice goes unused, wasting valuable bandwidth.

Statistical Time Division Multiplexing (STDM) is similar to TDM except that it keeps track of conversations that require extra bandwidth. It then dynamically reassigns unused time slices on an as-needed basis. In this way, STDM minimizes wasted bandwidth.

7.1.3 - Accessing the WAN The animation depicts the difference in bandwidth utilization when using a multiplexor that is implementing TDM and a multiplexor that is implementing STDM.
TDM: The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using TDM, 12 time slices are used to deliver nine time slices.
STDM: The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using STDM, nine time slices are used to deliver nine time slices.

Page 4:

7.1.3 - Accessing the WAN The diagram depicts an activity in which you must organize the data blocks into the correct order to show how TDM and STDM use bandwidth.
Input
Host A: unused, A, unused
Host B: B, B, unused
Host C: C, C, C
Host D: unused, unused, D
Output
TDM: Insert the output in order to fill all 12 time slices.
STDM: Insert the output in order to fill all 7 time slices.
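The TDM versus STDM comparison on page 3 and the slot-ordering activity above can be worked through in code. The following added example (not part of the course) simulates a four-host multiplexer on the activity's constructed input, where each host offers three time slices and None marks an idle slice; the scan order A, B, C, D and the idea of marking each STDM slot with its sending host are assumptions made for the illustration.

```python
# Constructed from the activity: each host offers three time slices; None
# marks a slice in which the host has nothing to send.
INPUT = {
    "A": [None, "A", None],
    "B": ["B", "B", None],
    "C": ["C", "C", "C"],
    "D": [None, None, "D"],
}
# Fixed order in which the multiplexer visits the hosts (assumed).
SCAN_ORDER = ["A", "B", "C", "D"]


def tdm(inputs, order):
    """Time Division Multiplexing: every host owns a pre-assigned slot in
    every frame whether or not it has data, so idle slots are carried too."""
    frames = max(len(slices) for slices in inputs.values())
    output = []
    for t in range(frames):
        for host in order:
            slices = inputs[host]
            output.append(slices[t] if t < len(slices) else None)
    return output


def stdm(inputs, order):
    """Statistical TDM: the multiplexer visits the hosts in the same order
    but only emits a slot when the host has data, so idle input slices
    are reclaimed instead of being sent across the link."""
    return [slot for slot in tdm(inputs, order) if slot is not None]


def utilization(slots):
    """Fraction of emitted slots that actually carry data (0.0 to 1.0)."""
    if not slots:
        return 0.0
    return sum(1 for s in slots if s is not None) / len(slots)


if __name__ == "__main__":
    for name, mux in (("TDM", tdm), ("STDM", stdm)):
        slots = mux(INPUT, SCAN_ORDER)
        print(f"{name}: {len(slots)} slots sent, "
              f"{utilization(slots):.0%} carry data -> {slots}")
```

With the activity's input, TDM sends 12 slots of which 7 carry data, while STDM sends exactly 7. Because an STDM slot's position no longer identifies its sender, each slot must carry a label (here the host letter) that the demultiplexer uses to deliver it, which is the identifier overhead that STDM trades for the reclaimed bandwidth.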

7.1.4 Packet and Circuit Switching Page 1: An enterprise connects to WAN services in various ways.

Dedicated Leased Line

One type of connection is a point-to-point serial link between two routers using a dedicated leased line. This enables a one-to-one connection for the basic function of data delivery across a link. Each link requires a separate physical interface and a separate CSU/DSU. As an organization grows to multiple locations, supporting a dedicated leased line between each location becomes very expensive.

Circuit Switching

Circuit switching establishes a circuit between end nodes before forwarding any data. A standard telephone call uses this type of connection. While the circuit is in place, it provides dedicated bandwidth between the two points. Completion of the conversation releases the circuit. No other organizations use the circuit until it releases. This method provides a level of security not available in packet switching or cell switching technology.

With circuit switching, the service provider assigns links to different connections as the need arises. Costs are incurred for the link only when the connection is active. The cost for circuit switching varies based on usage time and can become quite expensive if the circuit is used often.

7.1.4. - Packet and Circuit Switching The animation depicts the process involved in a circuit-switched call. Two modems are connected to a PSTN cloud containing a network of switches. The first modem says "I am initiating a call." For the duration of the call the line is dedicated to the sender and receiver. A circuit is established between switches in the PSTN cloud connecting the modems. The other modem says "I am accepting a call." At the end of the call, the second modem says "I am terminating the call." Once the call has ended, the dedicated connection disappears.

Page 2: Packet Switching

Packet switching uses bandwidth more efficiently than other types of switching. The data is segmented into packets, with an identifier on each packet. The data is then released into the service provider network. The service provider accepts the data and switches the packet from one node to another until the packet reaches its final destination. The circuit, or pathway, between the source and destination is often a preconfigured link, but it is not an exclusive link. The service provider switches packets from multiple organizations over the same links. Frame Relay is an example of packet switching technology.

Cell Switching

Cell switching is a variation of packet switching. It is capable of transferring voice, video, and data through private and public networks at speeds in excess of 155 Mbps. Asynchronous Transfer Mode (ATM) uses fixed-length, 53-byte cells that have 48 bytes of data and a 5-byte header. The small, uniform size of the cells allows them to be switched quickly and efficiently between nodes. An advantage of ATM is that it prevents small messages from being held up behind larger messages. However, for networks handling mainly segmented data, ATM introduces a large amount of overhead and actually slows network performance.

7.1.4 - Packet and Circuit Switching The animation depicts the flow of traffic in a packet-switched network. Site A, Site B, Site C, and Site D are in separate locations connected to a cloud of switches. Site A and Site B are both sending packets into the cloud. Traffic from two virtual circuits shares the same links. The packets traverse the cloud and reach their destinations at Site C and Site D.

Page 3: Virtual Circuits

When using packet switching technology, the service provider establishes virtual circuits (VCs). Virtual circuits share the link between devices with traffic from other sources. As a result, the medium is not private during the duration of a connection. There are two types of virtual circuits: switched and permanent.

Switched Virtual Circuit

A switched virtual circuit (SVC) is dynamically established between two points when a router requests a transmission. The circuit is set up on demand and torn down when transmission is complete, such as after a file has been downloaded. When establishing an SVC, call set-up information must be sent before transmitting any data. Call clearing information tears down the connection after it is no longer required. This process introduces delays in the network as SVCs are built up and torn down for each conversation.

Permanent Virtual Circuit

A permanent virtual circuit (PVC) provides a permanent path to forward data between two points. The service provider must preconfigure the PVCs and they are very seldom broken or disconnected. This eliminates the need for call setup and clearing. They speed the flow of information across the WAN. PVCs also provide the ISP with much greater control over the data-flow patterns and management of their network. PVCs are more popular than SVCs and usually service sites with high-volume, constant flows of traffic. Frame Relay typically uses PVCs.

7.1.4 - Packet and Circuit Switching The diagram depicts networks connected via a Switched Virtual Circuit (SVC) and via a Permanent Virtual Circuit (PVC). An enterprise network connects via a CSU/DSU to another enterprise network that also uses a CSU/DSU. Between the two networks is a network cloud. The connection through the network is an SVC. An SVC is built up and torn down as required. An enterprise network connects via a CSU/DSU to another enterprise network that also uses a CSU/DSU. Between the two networks is a network cloud. The connection through the network is a PVC. A PVC is configured by the network administrator and loaded at switch startup.

Page 4:

7.1.4 - Packet and Circuit Switching The diagram depicts an activity in which you must identify the best WAN convention to support the scenario. The options are leased line, circuit-switched, packet-switched, or cell-switched WAN conventions.
One. Remote offices connect once a day to upload sales orders.
Two. A company WAN supports voice, video, and data connections.
Three. An organization connects to multiple remote sites, but only has one serial interface on their router.
Four. A company connects to their branch offices and securely transfers classified technical drawings.
Five. A small real estate company provides support to their sales staff to pick up email from their home offices.

7.1.5 Last Mile and Long Range WAN Technologies Page 1: ISPs use several different WAN technologies to connect their subscribers. The connection type used on the local loop, or last mile, may not be the same as the WAN connection type employed within the ISP network or between various ISPs.

Some common last mile technologies are:

Analog dialup
Integrated Services Digital Network (ISDN)
Leased line
Cable
Digital Subscriber Line (DSL)
Frame Relay
Wireless

Each of these technologies provides advantages and disadvantages for the customer. Not all technologies are available in all locations.

When a service provider receives data, it must forward this data to other remote sites for final delivery to the recipient. These remote sites connect either to the ISP network or pass from ISP to ISP to the recipient. Long-range communications are usually those connections between ISPs or between branch offices in very large companies.

Many different WAN technologies exist that allow the service provider to reliably forward data over great distances. Some of these include ATM, satellite, Frame Relay, and leased lines.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts several Enterprise networks using a variety of devices and connections that are linked to the ISP, as follows: Dialup using the telephone line to connect to the ISP. DSL using the telephone line to connect to the ISP. Cable modem using coaxial cable to connect to the ISP. Wireless bridge using a wireless signal to connect to the ISP. T1 Leased Line to connect to the ISP. Satellite modem connecting to a satellite that connects to the ISP.

Page 2: Enterprises are becoming larger and more dispersed. As a result, applications require more and more bandwidth. This growth requires technologies that support high-speed and high-bandwidth transfer of data over even greater distances.

Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) are standards that allow the movement of large amounts of data over great distances through fiber-optic cables. Both SONET and SDH encapsulate earlier digital transmission standards and support either ATM or Packet over SONET/SDH (POS) networking. SDH and SONET are used for moving both voice and data.

One of the newer developments for extremely long-range communications is dense wavelength division multiplexing (DWDM). DWDM assigns incoming optical signals to specific frequencies or wavelengths of light. It is also capable of amplifying these wavelengths to boost the signal strength. DWDM can multiplex more than 80 different wavelengths or channels of data onto a single piece of fiber. Each channel is capable of carrying a multiplexed signal at 2.5 Gbps.

De-multiplexed data at the receiving end allows a single piece of fiber to carry many different formats at the same time and at different data rates. For example, DWDM can carry IP, SONET, and ATM data concurrently.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts a map of the world with enterprise networks super-imposed over Asia, North America, and South Africa. They all connect to a DWDM network cloud.

Page 3:

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts an activity in which you must match the technology to the description.
Technologies
One. DSL
Two. Cable
Three. Satellite
Four. DWDM
Five. ATM
Six. Dial Up
Seven. Leased Line
Eight. SONET
Descriptions
A. High speed Internet service over existing copper phone cables.
B. Always-on, last mile connectivity using the same cable for TV and data.
C. Internet access for remote locations.
D. 80 channels on an existing strand of fiber for an extremely long range network.
E. Transfer of fixed length cells at 155 Mbps.
F. Connectivity to an office in an old hotel that has no high speed service.
G. Dedicated connectivity for a new company selling an on-line shopping service.
H. Long-range technology to move voice, video, and data over fiber cable.

7.2 Comparing Common WAN Encapsulations


7.2.1 Ethernet and WAN Encapsulations Page 1: Encapsulation occurs before data travels across a WAN. The encapsulation conforms to a specific format based on the technology used on the network. Before converting data into bits for transmission across the media, Layer 2 encapsulation adds addressing and control information.

Layer 2 adds header information that is specific to the type of physical network transmission. Within a LAN environment, Ethernet is the most common technology. The Data Link Layer encapsulates the packet into Ethernet frames. The frame headers contain information such as the source and destination MAC addresses, and specific Ethernet controls, like the frame size and timing information.

Similarly, the encapsulation of frames destined for transmission across a WAN link matches the technology in use on the link. For example, if Frame Relay is used on the link, the type of encapsulation required is Frame Relay-specific.

7.2.1 - Ethernet and WAN Encapsulation The animation depicts how the frame format changes as it travels across the network. The diagram depicts a man, labeled Source, sitting at one end of a network using an Ethernet connection. A woman, labeled Destination, is sitting at the other end of the network using an Ethernet connection. Network devices and connection types that make up the network are between the source and destination. Connected to the network is a server farm, a DMZ, and the ISP. Protocols that may be in use during the transmission of the message from the source to the destination include HDLC, PPP, and ATM. As the message traverses the network, the frame format changes to accommodate the different protocols implemented within the networks the message travels through. The frame format begins from the source as Ethernet, then changes to the formats HDLC, PPP, ATM, HDLC, PPP, and back to Ethernet at the destination.

Page 2: The type of Data Link Layer encapsulation is separate from the type of Network Layer encapsulation. As data moves across a network, the Data Link Layer encapsulation may change continuously, whereas the Network Layer encapsulation will not. If this packet must move across the WAN on its way to the final destination, the Layer 2 encapsulation changes to match the technology in use.

Packets exit the LAN by way of the default gateway router. The router strips off the Ethernet frame and then re-encapsulates that data into the correct frame type for the WAN. Conversion of frames received on the WAN interface into the Ethernet frame format occurs before placement on the local network. The router acts as a media converter by adapting the Data Link Layer frame format to a format that is appropriate to the interface.

The encapsulation type must match on both ends of a point-to-point connection. A Data Link Layer encapsulation includes the following fields:

Flag: Marks the beginning and end of each frame.
Address: Depends on the encapsulation type. Not required if the WAN link is point-to-point.
Control: Used to indicate the type of frame.
Protocol: Used to specify the type of encapsulated Network Layer protocol. Not present in all WAN encapsulations.
Data: Carries the Layer 3 data, that is, the IP datagram.
Frame Check Sequence (FCS): Provides a mechanism to verify that the frame was not damaged in transit.

7.2.1 - Ethernet and WAN Encapsulation The animation depicts the Layer 2 encapsulation process. A computer, H1, is connected to a switch, S1, which is connected to a router, R1. There is a serial link connecting R1 and a router, R2. R2 is connected to a switch, S2, which is connected to a computer, H2. H1 sends a message out. The header is marked as an Ethernet header. Once the message reaches R1, the protocol changes, requiring the header to change to a PPP header using the IP protocol. This will enable the message to travel through the network. As the message reaches the LAN side of R2, the header is changed back to an Ethernet header, so the message can traverse the Ethernet network and finally reach H2.

Page 3:

7.2.1 - Ethernet and WAN Encapsulation The diagram depicts an activity in which you must match the Layer 2 encapsulation term with its definition.
Terms
A. Address
B. Control
C. Protocol
D. Flag
E. Data
F. FCS
Definitions
One. Provides a mechanism to verify that the frame was not damaged in transit.
Two. Used to specify the type of encapsulated Network Layer protocol.
Three. Not present in all WAN encapsulations.
Four. Used to indicate the type of frame.
Five. Used as Layer 3 data and IP datagram.
Six. Marks the beginning and end of each frame.
Seven. Depends on the encapsulation type.
Eight. Not required if the WAN link is point to point.

7.2.2 HDLC and PPP Page 1: Two of the most common serial line Layer 2 encapsulations are HDLC and PPP.

High-level Data Link Control (HDLC) is a standard bit-oriented Data Link Layer encapsulation. HDLC uses synchronous serial transmission, which provides error-free communication between two points. HDLC defines a Layer 2 framing structure that allows for flow control and error control using acknowledgments and a windowing scheme. Each frame has the same format, whether it is a data frame or a control frame.

The standard HDLC frame does not contain a field that identifies the type of protocol carried by the frame. For that reason, standards-based HDLC cannot handle multiple protocols across a single link.

Cisco HDLC incorporates an extra field, known as the Type field, which allows multiple Network Layer protocols to share the same link. Use Cisco HDLC encapsulation only when interconnecting Cisco equipment. Cisco HDLC is the default Data Link Layer encapsulation type on Cisco serial links.

7.2.2 - HDLC and PPP The diagram depicts the Open Standard HDLC Frame and the Cisco HDLC Frame. The composition of these frames is listed below. Note that the Cisco HDLC frame has a Type field not present in the Open Standard HDLC frame.
Open Standard HDLC Frame
Flag: 8 bits
Address: 8 bits
Control: 8 or 16 bits
Information: Variable length, 0 or more bits, multiples of 8
FCS: 16 or 32 bits
Flag: 8 bits

Cisco HDLC Frame
Flag: 8 bits
Address: 8 bits
Control: 8 bits
Type (Protocol Code): 16 bits
Information: Variable length, 0 or more bits, multiples of 8
FCS: 16 bits
Flag: 8 bits
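The generic field list in 7.2.1 (Flag, Address, Control, Protocol, Data, FCS) and the Cisco HDLC layout above are the same structure with different header values, and PPP on a serial link uses it too. The following added example (written for this page, not course or Cisco code) builds and parses such a frame, and checks the FCS the way a receiving router would before accepting the frame. Assumptions made for the illustration: the Cisco HDLC header values (Address 0x0F for unicast, Control 0x00, a 16-bit Type field carrying an Ethertype such as 0x0800 for IPv4) and the PPP header values (Address 0xFF, Control 0x03, Protocol 0x0021 for IPv4) are standard, but the 16-bit FCS is the RFC 1662 PPP FCS, applied here to both formats; bit stuffing of flag patterns inside the payload is left out, and the IPv4 packet used as payload is constructed.

```python
FLAG = 0x7E                 # opening and closing delimiter of every frame

# Header values for the two encapsulations discussed in 7.2.2.
CISCO_HDLC_UNICAST = 0x0F   # Cisco HDLC Address field for unicast frames
CISCO_HDLC_CONTROL = 0x00
CISCO_HDLC_TYPE_IPV4 = 0x0800   # Cisco HDLC Type field uses Ethertype values
PPP_ADDRESS = 0xFF          # PPP "all stations" address
PPP_CONTROL = 0x03          # PPP unnumbered information
PPP_PROTOCOL_IPV4 = 0x0021  # PPP Protocol field value for IPv4


def fcs16(data: bytes) -> int:
    """16-bit Frame Check Sequence from RFC 1662 (the PPP FCS-16):
    reflected polynomial 0x8408, initial value 0xFFFF, final complement."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF


def build_frame(address: int, control: int, protocol: int, payload: bytes) -> bytes:
    """Flag | Address | Control | Protocol/Type (16 bits) | Data | FCS | Flag."""
    body = bytes([address, control]) + protocol.to_bytes(2, "big") + payload
    # RFC 1662 transmits the FCS least-significant byte first.
    return bytes([FLAG]) + body + fcs16(body).to_bytes(2, "little") + bytes([FLAG])


def parse_frame(frame: bytes) -> dict:
    """Split a received frame into its fields, rejecting it if the flags
    are missing or the FCS does not match (frame damaged in transit)."""
    if len(frame) < 8 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing flag delimiters")
    body, fcs_bytes = frame[1:-3], frame[-3:-1]
    if fcs16(body) != int.from_bytes(fcs_bytes, "little"):
        raise ValueError("FCS mismatch: frame damaged in transit")
    return {
        "address": body[0],
        "control": body[1],
        "protocol": int.from_bytes(body[2:4], "big"),
        "data": body[4:],
    }


def frame_is_valid(frame: bytes) -> bool:
    """True when the frame parses and its FCS checks out."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed 20-byte IPv4 header (version 4, IHL 5, total length 20) used
# as the Layer 3 data; the addresses and checksum are dummy values.
SAMPLE_IPV4 = bytes.fromhex("4500001400010000401100000a0000010a000002")

if __name__ == "__main__":
    hdlc = build_frame(CISCO_HDLC_UNICAST, CISCO_HDLC_CONTROL, CISCO_HDLC_TYPE_IPV4, SAMPLE_IPV4)
    ppp = build_frame(PPP_ADDRESS, PPP_CONTROL, PPP_PROTOCOL_IPV4, SAMPLE_IPV4)
    for name, frame in (("Cisco HDLC", hdlc), ("PPP", ppp)):
        fields = parse_frame(frame)
        print(f"{name}: {len(frame)} bytes, protocol 0x{fields['protocol']:04x}, "
              f"{len(fields['data'])} data bytes, FCS ok")
    damaged = hdlc[:6] + bytes([hdlc[6] ^ 0x01]) + hdlc[7:]
    print("damaged frame accepted:", frame_is_valid(damaged))
```

The same 20-byte packet is carried unchanged inside both frames; only the Address, Control and Protocol/Type values differ, which is exactly why the router can swap one Layer 2 header for another without touching the Layer 3 datagram. Flipping a single payload bit makes the FCS check fail, so the receiver discards the frame rather than passing corrupted data up to the Network Layer.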

Page 2: Like HDLC, Point-to-Point Protocol (PPP) is a Data Link Layer encapsulation for serial links. It uses a layered architecture to encapsulate and carry multi-protocol datagrams over a point-to-point link. Because PPP is standards-based, it enables communication between equipment of different vendors.

The following interfaces can support PPP:

Asynchronous serial
Synchronous serial
High-Speed Serial Interface (HSSI)
Integrated Services Digital Network (ISDN)

PPP has two sub-protocols:

Link Control Protocol - responsible for establishing, maintaining, and terminating the point-to-point link.
Network Control Protocol - provides interaction with different Network Layer protocols.

7.2.2 - HDLC and PPP The diagram depicts the three lower layers of the OSI model, with the focus on PPP in Layer 2, the Data Link Layer. The lowest level is the Physical Layer that deals with synchronous or asynchronous media. PPP is at the Data Link Layer, where there are two sub-protocols: Link Control Protocol and Network Control Protocol. Link Control Protocol is responsible for authentication and other options. The Network Control Protocol is involved in the interaction between the Data Link Layer and various Network Layer protocols: IP, IPX, IPCP, IPXCP, and many others.

Page 3:

Link Control Protocol

PPP uses the Link Control Protocol (LCP) to establish, maintain, test, and terminate the point-to-point link. Additionally, LCP negotiates and configures control options on the WAN link. Some of the options that LCP negotiates include:

Authentication
Compression
Error detection
Multilink PPP
Callback

LCP also:

Handles varied packet sizes
Detects common misconfiguration errors
Determines when a link is functioning properly and when it is failing

Network Control Protocol

PPP uses the Network Control Protocol (NCP) component to encapsulate multiple Network Layer protocols, so that they operate on the same communications link.

Every Network Layer protocol carried on the PPP link requires a separate NCP. For example, IP uses the IP Control Protocol (IPCP), and IPX uses the IPX Control Protocol (IPXCP). NCPs include fields containing codes that indicate the Network Layer protocol.

7.2.2 - HDLC and PPP The diagram depicts the various options of the LCP negotiation process. Each process and a description of some devices used during the process are listed below. Authentication The diagram depicts a switch that is linked to the CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. The flow of information is from the CSU/DSU, or modem, to the computer.

For authentication, the calling side of the link is required to enter specific information to ensure that the caller has the permission to make the call. Peer routers exchange authentication messages. Two authentication options are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Callback The diagram depicts a switch that is linked to a CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. With this LCP, a Cisco router can act as a callback client or as a callback server. The client makes the initial call requests that it be called back, and terminates its initial call. The callback router answers the initial call and makes the return call to the client based on information configured in its memory. Compression The diagram depicts two switches at the opposite ends of a network. Between the switches are two compression devices that compress information on the fly between the networks. The flow of information in the diagram is in both directions through the network. Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that travels across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor. Multilink The diagram depicts three computers directly connected to a switch and then to a multilink device that provides load balancing over the PPP router interfaces.

Page 4: PPP sessions progress through three phases: link establishment, authentication (optional), and Network Layer protocol.

Link-Establishment Phase

PPP sends LCP frames to configure and test the data link. LCP frames contain a configuration option field that negotiates options such as maximum transmission unit (MTU), compression, and link-authentication. If a configuration option is missing, it assumes the default value. Link authentication and link-quality determination tests are optional parameters within the link-establishment phase. A link-quality determination test determines whether the link quality is good enough to bring up Network Layer protocols. Optional parameters, such as these, must be complete before the receipt of a configuration acknowledgment frame. Receipt of the configuration acknowledgement frame completes the Link-Establishment phase.

Authentication Phase (optional)

The authentication phase provides password protection to identify connecting routers. Authentication occurs after the two routers agree to the set parameters but before the NCP Negotiation Phase can begin.

NCP Negotiation Phase

PPP sends NCP packets to choose and configure one or more Network Layer protocols, such as IP or IPX. If LCP closes the link, it informs the Network Layer protocols so that they can take appropriate action. The show interfaces command reveals the LCP and NCP states.

When established, the PPP link remains active until the LCP or NCP frames close the link or until an activity timer expires. A user can also terminate the link.

7.2.2 - HDLC and PPP The animation depicts the negotiate phases of a PPP link, Link Establishment Phase, Authentication Phase, and Network Layer Protocol Phase. Link Establishment Phase The diagram depicts Router, R1, connected by serial link to Router, R2. R1 says, "I want to form a PPP connection with you. Can we agree to communicate using PPP with PAP authentication and compression?" R2 receives the message and replies, "I can form the PPP connection and can use PAP authentication, but I cannot support compression." R2 sends a message back to R1 with this information included in the message. R1 responds, "Can we agree to communicate using PPP with PAP authentication and no compression?" Authentication Phase R2 replies, "We can communicate using PPP with PAP authentication and no compression." R1 receives this message and replies, "My name is R1 and my password is cisco." R2 looks in its table of users, references the username, and compares the password to the one given by R1. R2 replies, "The password matches so I am now ready to form the connection." Network Layer Protocol Phase R1 replies, "I only have IP traffic so we only need to bring up IPCP. I am starting it now." R2 replies, "I have also started IPCP. We can now move IP traffic."

Page 5:

7.2.2 - HDLC and PPP Identify the correct layer and phase with the correct PPP components.

Layer and Phase A. Data Link Layer B. Physical Layer C. Phase 3 D. Phase 2 E. Phase 1 PPP Component One. Link Establishment Two. Authentication, other options, Link Control Protocol Three. Synchronous or Asynchronous Physical Media Four. NCP Negotiation Five. Network Control Protocol

7.2.3 Configuring PPP Page 1: On Cisco routers, HDLC is the default encapsulation on serial links. To change the encapsulation and use the features and functions of PPP, use the following command:

encapsulation ppp

Enables PPP encapsulation on a serial interface.

Once PPP is enabled, optional features such as compression and load balancing can be configured.

compress [predictor | stac]

Enables compression on an interface using either predictor or stacker.

ppp multilink

Configures load balancing across multiple links.

Compressing data sent across the network can improve network performance. Predictor and stacker are software compression techniques that vary in the way compression is handled. Stacker compression is more CPU-intensive and less memory-intensive. Predictor is more memory-intensive and less CPU-intensive. For this reason, generally use stacker if the bottleneck is due to line bandwidth issues and predictor if the bottleneck is due to excessive load on the router.

Only use compression if network performance issues exist because enabling it will increase router processing times and overhead. Also, do not use compression if the majority of traffic crossing the network is already-compressed files. Compressing an already-compressed file often increases its size.

Enabling PPP multilink allows for multiple WAN links to be aggregated into one logical channel for the transport of traffic. It enables the load-balancing of traffic from different links and allows some level of redundancy in case of a line failure on a single link.

7.2.3 - Configuring PPP The diagram depicts basic PPP configuration. Two routers, R1 and R2, are connected to each other via a serial link. The commands entered at the console terminal window are as follows: R1 R1 (config)# encapsulation ppp with R1 (config)# encapsulation ppp R2 R2 (config)# encapsulation ppp with R2 (config)# encapsulation ppp

Page 2: The following commands are used to verify and troubleshoot HDLC and PPP encapsulation:

show interfaces serial

Displays the encapsulation and the states of the Link Control Protocol (LCP).

show controllers

Indicates the state of the interface channels and whether a cable is attached to the interface.

debug serial interface

Verifies the incrementation of keepalive packets. If packets are not incrementing, a possible timing problem exists on the interface card or in the network.

debug ppp

Provides information about the various stages of the PPP process, including negotiation and authentication.

7.2.3 - Configuring PPP The diagram depicts router output from various commands. Two routers are connected to each other via a serial link. The network address is 192.168.2.0, and both routers have LANs connected to them. Router R1 has network 192.168.1.0 connected to Fa0/0. R2 has network 192.168.3.0 connected to Fa0/0. The diagram has buttons that can be pushed to highlight the commands show interfaces serial, show controllers, debug serial interface, and debug ppp. The outputs for these commands can be viewed in greater detail in the labs at the end of the module.

Page 3: Lab Activity

Configure and verify a PPP connection between two routers.

Click the lab icon to begin.

7.2.3 - Configuring PPP Link to Hands-on Lab: Configuring and Verifying a PPP Link Configure and verify a PPP connection between two routers.

7.2.4 PPP Authentication Page 1:

Authentication on a PPP link is optional. If configured, authentication occurs after establishment of the link but before the Network Layer protocol configuration phase begins. Two possible types of authentication on a PPP link are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP provides a simple method for a remote device to establish its identity. PAP uses a two-way handshake to send its username and password. The called device looks up the username of the calling device and confirms that the sent password matches what it has stored in its database. If the two passwords match, authentication is successful.

PAP sends the username/password pair across the link repeatedly in clear text until acknowledgement of the authentication or termination of the connection. This authentication method does not protect the username and password from being stolen using a packet sniffer.

Additionally, the remote node is in control of the frequency and timing of the login attempts. Once authenticated, no further verification of the remote device occurs. Without ongoing verification, the link is vulnerable to hijacking of the authenticated connection, and an attacker could gain unauthorized access to the router by means of a replay attack.

7.2.4 - PPP Authentication The diagram depicts two routers, R1 and R2, in the process of a PAP two-way handshake. The R1 username is Santa Cruz and the password is boardwalk. R1 sends the information to R2 to authenticate. R2 looks at its table for the username and password and accepts or rejects based on this authentication procedure.

Page 2: Another form of PPP authentication is Challenge Handshake Authentication Protocol (CHAP).

Challenge Handshake Authentication Protocol

CHAP is a more secure authentication process than PAP. CHAP does not send the password across the link. Authentication occurs both during initial link establishment and repeatedly during the time the link is active. The called device is in control of the frequency and timing of the authentication, making a hijack attack extremely unlikely.

CHAP uses a three-way handshake.

1. PPP completes the link-establishment phase.

2. Local router sends a challenge message to the remote router.

3. Remote router uses the challenge and a shared secret password to generate a one-way hash.

4. Remote router sends back one-way hash to the local router.

5. Local router checks the response against its own calculation, using the challenge and the same shared secret.

6. Local router acknowledges authentication if values match.

7. Local router immediately terminates connection if the values do not match.

CHAP provides protection against playback attack through a variable challenge value. Because the challenge is unique and random, the resulting hash value is also unique and random. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
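To make the three-way handshake and its replay protection concrete, here is an added example in Python (not course material or Cisco code). It models the calling router R1 as a peer and the called router R2 as the authenticator, using CHAP with MD5 as specified in RFC 1994, where the one-way hash is computed over the packet Identifier, the shared secret, and the challenge. The shared secret "boardwalk" and the hostnames are constructed for the example; the authenticator's dictionary stands in for the local username database described in 7.2.5. For contrast, pap_authenticate_request shows the bytes PAP would place on the wire (RFC 1334 format), where the password is plainly visible.

```python
import hashlib
import hmac
import secrets

# Constructed local user database of the authenticator (R2): hostname -> shared secret.
# It mirrors the "username <name> password <password>" entries of section 7.2.5;
# the secret is made up for the example.
SHARED_SECRETS = {"R1": b"boardwalk"}


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334): Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Nothing is hashed or encrypted, so a sniffer sees it all."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): one-way hash over Identifier || secret || challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The called router (R2). It decides when to challenge and never sees the secret on the wire."""

    def __init__(self, secrets_db):
        self.secrets_db = secrets_db
        self.identifier = 0
        self.outstanding = {}   # identifier -> challenge still awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)          # fresh, unpredictable value every time
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(identifier, None)   # a challenge is good for exactly one answer
        secret = self.secrets_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """The calling router (R1): it proves knowledge of the secret by hashing, not by sending it."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def answer(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_chap(auth: Authenticator, peer: Peer) -> bool:
    """One three-way handshake: challenge, response, accept or reject."""
    identifier, chal = auth.challenge()
    name, resp = peer.answer(identifier, chal)
    return auth.verify(identifier, name, resp)


def replayed_response_rejected(auth: Authenticator, peer: Peer) -> bool:
    """Record one valid response, then present it against the next challenge.
    The challenge and identifier differ, so the recorded hash no longer matches."""
    identifier, chal = auth.challenge()
    name, resp = peer.answer(identifier, chal)
    first_ok = auth.verify(identifier, name, resp)
    next_identifier, _ = auth.challenge()
    return first_ok and not auth.verify(next_identifier, name, resp)


if __name__ == "__main__":
    r2 = Authenticator(SHARED_SECRETS)
    print("PAP bytes on the wire:", pap_authenticate_request(b"R1", b"boardwalk"))
    print("CHAP, correct secret:", run_chap(r2, Peer("R1", b"boardwalk")))
    print("CHAP, wrong secret:  ", run_chap(r2, Peer("R1", b"guess")))
    print("CHAP, replay blocked:", replayed_response_rejected(r2, Peer("R1", b"boardwalk")))
```

Two design points carry the security argument of the text: the authenticator, not the peer, generates every challenge and discards it after one use, and the comparison is done with a constant-time function. The secret itself must still be protected at both ends, because anyone who obtains it can answer any challenge.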

7.2.4 - PPP Authentication The animation depicts the CHAP authentication process. Two routers, R1 and R2, are linked by a serial connection. R1 sends a message to R2 and states, "Run PPP", indicating it wants to run PPP. R2 says, "Use CHAP", and sends the message, "Here is my Challenge information. Send me your username and password." R1 calculates a special value using the secret password and the challenge value. The one way hash is 6G4 # 9P4. Router R1 sends a message back to R2 with the username R1 and the password 6G4 # 9P4.

R2 calculates 6G4 # 9P4 using the same secret password. R2 states "Accept". R1 randomly challenges the remote router to verify authentication. R2 sends a message back to R1, "Here is a different Challenge value. Send me your username and password again to make sure it's still you."

Page 3:

7.2.4 - PPP Authentication The diagram depicts an activity in which you must determine which of the following characteristics belongs to either PAP or CHAP. Characteristic Password never sent across link. Uses two-way handshake. Uses three-way handshake. Single authentication when link formed. Authentication occurs at configuration intervals. Password sent in clear text. Uses shared secret. Immune to replay attack. Username/Password easily sniffed from wire.

7.2.5 Configuring PAP and CHAP Page 1: To configure authentication on a PPP link, use the global configuration commands:

username name password password

Global configuration command. Creates a local database that contains the username and password of the remote device. The username must match the hostname of the remote router exactly and is case sensitive.

ppp authentication {chap | chap pap | pap chap | pap}

Interface configuration command. Specifies the type of authentication on each interface, such as PAP or CHAP. If more than one type is specified, for example chap pap, the router attempts the first type listed and attempts the second only if the remote router suggests it.

For CHAP authentication, no other configuration commands are required. However, in Cisco IOS version 11.1 or later, PAP is disabled on the interface by default. This means that the router will not send its own username and password combination just because PAP authentication is enabled. Therefore, additional commands are required for PAP:

ppp pap sent-username name password password

Interface configuration command. Specifies the local username and password combination that should be sent to the remote router. This must match what the remote router has configured in the local username and password database.

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected to a service provider by serial links. The commands used to configure PAP and CHAP on both routers can be viewed in greater detail in the labs attached to this module.

Page 2: With two-way authentication configured, each router authenticates the other. Use debug commands on both routers to display the exchange sequence as it occurs.

debug ppp {authentication | packet | error | negotiation | chap }

Authentication

Displays the authentication exchange sequence

Packet

Displays PPP packets sent and received

Negotiation

Displays packets transmitted during PPP startup, where PPP options are negotiated

Error

Displays protocol errors and statistics associated with PPP connection and negotiation

Chap

Displays CHAP packet exchanges

To turn off debug, use the no format of each command.

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected by serial link. The output of the debug ppp command is listed. The different phases of the authentication process can be viewed by using this command. The different states can be defined as Challenge, Response, Successful Authentication, and Unsuccessful Authentication. The phases can be viewed more clearly when the command is entered by the student after PAP and CHAP are configured.

Page 3: Lab Activity

Configure and verify PAP and CHAP authentication on a PPP link.

Click the lab icon to begin.

7.2.5 - Configuring PAP and CHAP Link to Hands-on Lab: Configuring and Verifying PAP and CHAP Authentication

Configure and verify PAP and CHAP authentication on a PPP link.

7.3 Using Frame Relay


7.3.1 Overview of Frame Relay Page 1: A common Layer 2 WAN encapsulation is Frame Relay. Frame Relay networks are multi-access networks similar to Ethernet except that they do not forward broadcast traffic. Frame Relay is a nonbroadcast multiaccess network (NBMA).

Frame Relay uses packet switching technology with variable length packets. It also makes use of statistical time-division multiplexing (STDM) for optimum use of the available bandwidth.

The router, or DTE device, normally connects to the service provider via a leased line. It connects via a Frame Relay switch, or DCE device, to the nearest point-of-presence of the service provider. This connection is an access link.

The remote router at the destination end of the network is also a DTE device. The connection between the two DTE devices is a virtual circuit (VC).

The virtual circuit is typically established using PVCs that the service provider preconfigures. Most service providers discourage or even disallow the use of SVCs in a Frame Relay network.

7.3.1 - Overview of Frame Relay The diagram depicts a network cloud with ten interconnected switches inside. Around the outside of the cloud are four building sites, Site A, Site B, Site C, Site D, that are connected to the switches inside the cloud via routers at each site. As information is sent from Site A to Site D, a virtual circuit path that the packets travel along is established between the sites.

7.3.2 Frame Relay Functionality Page 1: In an NBMA network, each virtual circuit requires a Layer 2 address for identification. In Frame Relay, this address is the data-link connection identifier (DLCI).

The DLCI identifies the VC that data uses to reach a particular destination. The DLCI is stored in the address field of every frame transmitted. The DLCI usually has only local significance and may be different at each end of a VC.

The Layer 2 DLCI is associated with the Layer 3 address of the device at the other end of the VC. Mapping the DLCI to a remote IP address can occur manually or dynamically using a process known as Inverse ARP.

Establishing a mapping of DLCI to remote IP address occurs in the following steps:

1. The local device announces its presence by sending its Layer 3 address out on the VC.

2. The remote device receives this information and maps the Layer 3 IP address to the local Layer 2 DLCI.

3. The remote device announces its IP address on the VC.

4. The local device maps the Layer 3 address of the remote device to the local DLCI on which it received the information.

7.3.2 - Frame Relay Functionality The animation depicts how Inverse ARP maps a Layer 2 DLCI to a remote IP address. There is a Frame Relay cloud that has two switches, S1 and S2, inside. There are two routers, R1 and R2. R1 is connected to S1 via a serial link on interface S0/0/0, IP 209.165.200.225, DLCI 16. R2 is connected to S2 via a serial link on interface S0/0/0, IP 209.165.200.226, DLCI 20. S1 is connected to S2 by Frame Relay. S1 states, "DLCI 16 is active." R1 sends a DLCI request to R2. R2 sends a response to R1 with its IP address information. R1 states, "DLCI 16 is active. I will send an Inverse ARP request to learn the IP address of the remote router." The request is sent from R1 over the Frame Relay network to R2. R2 states, "I have received an Inverse ARP request on DLCI 20 from 209.165.200.225." R2 references its Frame Relay map that shows DLCI 20 = 209.165.200.225. R2 states "Inverse ARP response from 209.165.200.226" and sends a response back to R1. R1 references its Frame Relay map that shows DLCI 16 = 209.165.200.226.

Page 2: Local Management Interface (LMI) is a signaling standard between the DTE and the Frame Relay switch. LMI reports the status of PVCs between devices.

LMI messages provide communication and synchronization between the network and the user device. They periodically report the existence of new PVCs and the deletion of existing PVCs. They also provide information about PVC integrity. VC status messages prevent data being sent to PVCs that no longer exist.

LMI provides VC connection status information that appears in the Frame Relay map table:

Active State

The connection is active and routers can exchange data.

Inactive State

The local connection to the FR switch is working but the remote connection to the FR switch is not.

Deleted State

The local connection receives no LMI messages from the FR switch or there is no service between the CPE router and the FR switch.

7.3.2 - Frame Relay Functionality The diagram depicts the use of LMI. There are three routers, R1, R2, and R3, and three switches, S1, S2, and S3. R1 is connected to the CSU/DSU. All switches are inside a cloud. S1 is connected to the CSU/DSU, S2, and S3. S2 is connected to S1, S3, and R2. S3 is connected to S1, S2, and R3. R2 is connected to S2. R3 is connected to S3. There is a double-sided arrow with an X through it from R1 to R2 symbolizing that the connection from R1 to R2 (DLCI = 400) is down. There is a double-sided arrow from R1 to R3 symbolizing that the connection from R1 to R3 (DLCI = 500) is up. A keepalive is sent to R3, which says (LMI, 500 = Active, 400 = Inactive).

Page 3: When an end user subscribes to a Frame Relay service, the user negotiates certain service parameters with the provider.

One parameter is the committed information rate (CIR). The CIR is the minimum bandwidth rate guaranteed by the provider for data on a VC.

The service provider calculates the CIR as the average amount of data transmitted over a period of time. The calculated time interval is the committed time (Tc). The number of committed bits within the Tc is the committed burst (Bc). The cost of the Frame Relay service depends on the speed of the link and the CIR.

The CIR defines the minimum rate provided; however, if there is no congestion on the links, the service provider boosts or bursts the bandwidth up to a second agreed-upon bandwidth.

The excess information rate (EIR) is the average rate above the CIR that a VC can support when no network congestion exists. Any extra bits above the committed burst, up to the maximum speed of the access link, is known as the excess burst (Be).

Frames transmitted above the speed of the CIR are uncommitted, but are forwarded if the network supports it. These extra frames are marked as discard eligible (DE). If congestion occurs, the provider first drops frames with the DE bit set.

Users often pay for a lower CIR, counting on the fact that the service provider supplies higher bandwidth and bursts their traffic when there is no congestion.
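The relationship between CIR, Tc, Bc and Be, and the DE marking that follows from it, can be worked through in code. The Python below is an added example, not part of the course, and assumes a Tc of one second and the figures used in this section (CIR 768 kbps on a T1 access loop of 1544 kbps). It classifies the frames offered within one Tc interval, then shows which of them survive when the provider network is, or is not, congested; the frame sizes are constructed.

```python
from collections import Counter


def frame_relay_burst_params(cir_bps: int, access_rate_bps: int, tc_seconds: float):
    """Bc = CIR x Tc (committed burst); Be = (access rate - CIR) x Tc (excess burst)."""
    bc = int(cir_bps * tc_seconds)
    be = int((access_rate_bps - cir_bps) * tc_seconds)
    return bc, be


def classify_frames(frame_sizes_bits, cir_bps, access_rate_bps, tc_seconds):
    """Label each frame offered during one Tc interval:
    'committed' while the running total stays within Bc,
    'DE' while it stays within Bc + Be (forwarded, but discard eligible),
    'dropped' once the access link has no capacity left in the interval."""
    bc, be = frame_relay_burst_params(cir_bps, access_rate_bps, tc_seconds)
    labels, sent = [], 0
    for size in frame_sizes_bits:
        sent += size
        if sent <= bc:
            labels.append("committed")
        elif sent <= bc + be:
            labels.append("DE")
        else:
            labels.append("dropped")
    return labels


def forward_through_network(labels, congested: bool):
    """Frames that leave the access link and survive the provider network:
    DE frames are the first to be discarded when the network is congested."""
    delivered = []
    for label in labels:
        if label == "dropped":
            continue
        if label == "DE" and congested:
            continue
        delivered.append(label)
    return delivered


def summarize(labels):
    """Count of frames per label, e.g. {'committed': 7, 'DE': 8, 'dropped': 1}."""
    return dict(Counter(labels))


if __name__ == "__main__":
    # Constructed scenario: CIR 768 kbps, T1 (1544 kbps) access loop, Tc assumed 1 second,
    # 16 frames of 100 kbit offered in that second (1.6 Mbit, more than the line carries).
    offered = [100_000] * 16
    labels = classify_frames(offered, 768_000, 1_544_000, 1.0)
    print(summarize(labels))
    print("delivered, no congestion:", len(forward_through_network(labels, congested=False)))
    print("delivered, congested:    ", len(forward_through_network(labels, congested=True)))
```

The practical lesson for anyone sizing a link is in the congested case: only the committed frames are guaranteed, so traffic that must get through under load has to fit within the CIR, not the burst rate.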

7.3.2 - Frame Relay Functionality The diagram depicts the use of CIR within Frame Relay parameters. There is a cloud, Service Provider, which is connected to the Site A router via link, Local Access Loop = T1, and to the Site B router via link, Local Access Loop = 1544 Kbps. Site A sends information to Site B, stating, "My provider guarantees bandwidth of 768 Kbps; 768 Kbps is my CIR." A caption on the cloud states, "The network is not congested so we are going to burst your speed to 1.544 Mbps. All packets above your CIR are Discard Eligible". Frames continue to transmit to Site B until all information is sent.

Page 4: The forward explicit congestion notification (FECN) is a single-bit field that can be set to a value of 1 by a switch. It indicates to an end DTE device that the network is congested ahead.

The backward explicit congestion notification (BECN) is a single-bit field that, when set to a value of 1 by a switch, indicates that the network is congested in the opposite direction.

FECN and BECN allow higher-layer protocols to react intelligently to these congestion indicators. For example, the sending device uses BECNs to slow its transmission rate.

7.3.2 - Frame Relay Functionality The diagram depicts a bottleneck. There is a Frame Relay cloud which is connected to the Branch Office router via a 56 Kbps link, and to the Central Site router via a T1 link. The Central Site says, "I have received a lot of BECNs. The network must be congested. I need to reduce the pace at which I send packets."

Page 5:

7.3.2 - Frame Relay Functionality The diagram depicts an activity in which you must match the terms to their corresponding definition. Terms: One. BECN Two. DLCI Three. FECN Four. CIR Five. DE Six. SVC Seven. PVC Definitions: A. The type of VC most service providers will not permit. B. Used to inform a receiving device that congestion was experienced. C. The type of virtual circuit most often used by Frame Relay. D. The Layer 2 address used by Frame Relay. E. The contracted data rate that the service provider agrees to transfer. F. Used to inform a sending device that congestion has occurred. G. Marks a frame as being less important on a network.

7.4 Chapter Summary


7.4.1 Summary Page 1:

7.4.1 - Summary Diagram 1, Image The diagram depicts enterprises connecting to a cloud and shows traffic from two virtual circuits sharing the same links. Diagram 1 text A WAN uses many different technologies, each offering distinct advantages. Depending on the technology in use, converting the data format into an acceptable one requires a modem or a CSU/DSU. WAN technologies divide into circuit switching, packet switching, and cell switching. Circuit switching technologies create a physical circuit between end devices before sending information. Packet and cell switching technologies use either a PVC or an SVC to send information across the network. WAN technologies are either last mile, which connects the ISP to the customer, or long range, which interconnects ISPs. Diagram 2, Image The diagram depicts two users communicating across a complex network topology. Diagram 2 text HDLC is the default Layer 2 serial line encapsulation on Cisco routers. Cisco HDLC incorporates an extra field to allow it to carry multiple Layer 3 protocols. The Layer 2 encapsulation changes as frames are moved across the WAN. PPP allows the negotiation of many advanced features including authentication, load balancing, callback, and compression. PPP supports both PAP and CHAP authentication. PAP authentication sends the username/password in clear text and is subject to sniffing and replay attacks. CHAP issues challenges at configurable intervals and forces the connected device to re-authenticate. Diagram 3, Image The diagram depicts the bottleneck when a branch office uses a 56 kbps connection to connect via the Frame Relay cloud to the central site, which is using a T1 connection.

Diagram 3 text Frame Relay is a packet-switched technology. Frame Relay uses virtual circuits to connect a specific source to a destination. Virtual circuits can be switched or permanent. FECNs and BECNs inform the receiving and sending devices that the network is congested so that routers can take appropriate actions. Frame Relay uses parameters such as CIR to establish the bandwidth used on each VC.

7.5 Chapter Quiz


7.5.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

7.5.1 - Quiz Chapter 7 Quiz: Implementing Enterprise WAN Links
1. What three parameters are defined by WAN standards? (Choose three.) A. flow control B. vendor C. IP addressing D. encapsulation E. physical addressing F. routing protocol
2. Which two layers of the OSI model describe WAN standards? (Choose two.) A. Session B. Network C. Physical D. Transport E. Data Link F. Application
3. What are two characteristics of a CSU/DSU? (Choose two.) A. used for digital transmission B. used for wireless transmission C. installed at central office D. often integrated into router's interface card E. part of an integrated services router
4. Match the WAN connection term to the correct definition. WAN Connection Terms: packet switching, circuit switching, cell switching, SVC, PVC. Definitions: virtual circuit that is dynamically established between two points when a router requests a transmission; establishes a connection between end nodes before forwarding data and ensures dedicated bandwidth through the length of transmission; virtual circuit that provides a permanent path to forward data between two points; packets from multiple organizations are switched over the same links.
5. What two statements describe the Cisco implementation of High-Level Data Link Control protocol? (Choose two.) A. is a data link layer protocol B. provides retransmission and windowing C. supports multiple protocols on a single link D. uses the same frame format as standard HDLC E. is the default encapsulation on Cisco LAN interfaces
6. What two services allow the router to map data link layer addresses to network layer addresses in a Frame Relay network? (Choose two.) A. ARP B. ICMP C. Proxy ARP D. Inverse ARP E. LMI status messages
7. What is used to identify a destination for a frame in a Frame Relay network? A. CIR B. DLCI C. FECN D. BECN

7 Implementing Enterprise WAN Links
7.0 Chapter Introduction
7.0.1 Introduction Page 1:

7.0.1 - Introduction Connecting remote sites together by an enterprise WAN allows users to access network resources and information. As information traverses the WAN, the Layer 2 encapsulation adapts to match the technology.

A popular WAN technology that uses packet-switching is Frame Relay. After completion of this chapter, you should be able to: Describe the features and benefits of common WAN connectivity options. Compare common WAN encapsulations and configure PPP. Describe Frame Relay.

7.1 Connecting the Enterprise WAN


7.1.1 WAN Devices and Technology Page 1: As companies grow, they often expand from a single location to multiple remote locations. This expansion requires that the business network expand from a local area network (LAN) to a wide area network (WAN).

Within a LAN, a network administrator has physical control over all cabling, devices, and services. Although some larger companies maintain their own WANs, most organizations purchase WAN services from a service provider. Service providers charge for the use of their network resources. ISPs allow users to share resources among remote locations without incurring the expense of building and maintaining their own network.

Control of network resources is not the only difference between a LAN and a WAN. The technologies also differ. The most common LAN technology is Ethernet. WAN technologies are serial transmissions. Serial transmissions enable reliable, long-range communications at slower speeds than a LAN.

7.1.1 - WAN Devices and Technology The animation depicts the evolution of a WAN. A company's network expands from a LAN in a single location to LANs in multiple locations, including the cities of New York, Osaka, Boston, and Orlando. All locations are connected together, forming a WAN.

Page 2: When implementing a WAN, the WAN technology used determines the type of devices required by an organization. For example, a router used as a gateway to connect to the WAN translates the data into a format that is acceptable to the service provider network. A translation device, such as a modem, prepares the data for transmission across the service provider network.

Preparing the data for transmission on the WAN using digital lines requires a channel service unit (CSU) and a data service unit (DSU). These two devices are often combined into a single piece of equipment called the CSU/DSU. This device integrates into the interface card in the router. When using an analog connection, a modem is necessary.

When a business subscribes to WAN services through an ISP, the ISP owns and maintains most of the equipment. In certain environments, the subscriber may own and maintain some of the connection equipment. The point at which the control and responsibility of the customer ends and the control and responsibility of the service provider begins is known as the demarcation point, or demarc. For example, the demarc might exist between the router and the translating device, or between the translating device and the central office (CO) of the service provider. Regardless of ownership, service providers use the term customer premises equipment (CPE) to describe equipment located at the customer site.

7.1.1 - WAN Devices and Technology The diagram depicts a network cloud containing a WAN network, switches, and a trunk. On the edge of the cloud, a CO switch is connected to a corporate network via a CSU/DSU that is owned by the customer.

Page 3: The CO is the location where the service provider stores equipment and accepts customer connections. The physical line from the CPE connects into a router or WAN switch at the CO using copper or fiber cabling.

This connection is called the local loop, or last mile. From the customer perspective, it is the first mile, because it is the first part of the medium leading from the location of the customer.

The CSU/DSU or modem controls the rate at which data moves onto the local loop. It also provides the clocking signal to the router. The CSU/DSU is data communications equipment (DCE). The router, which is responsible for passing the data to the DCE, is data terminal equipment (DTE).

The DTE/DCE interface uses various Physical Layer protocols, such as X.21 and V.35. These protocols establish the codes and electrical parameters that the router and the CSU/DSU use to communicate with each other.

7.1.1 - WAN Devices and Technology The diagram depicts the Layer 1 WAN protocols and a brief description of each. In the diagram, a Data Terminal Equipment (DTE) interface to a WAN link is connected to the Data Communication Equipment (DCE) end of a service provider's communication facility. The DCE is connected to the ISP. The following protocols may be used in a DTE and DCE connection.

EIA/TIA-232
Allows signal speeds of up to 64 Kbps on a 25-pin D connector over short distances
Formerly known as RS-232
Same as ITU-T V.24 specification

EIA/TIA-449/530
Faster (up to 2 Mbps) version of EIA/TIA-232
Uses a 36-pin D connector and is capable of longer cable runs
Also known as RS-422 and RS-423

EIA/TIA-612/613
Provides access to services of up to 52 Mbps on a 60-pin D connector

V.35
An ITU-T standard for synchronous communications between a network access device and a packet network at speeds up to 48 Kbps
Uses a 34-pin rectangular connector

X.21
An ITU-T standard for synchronous digital communications
Uses a 15-pin D connector

Page 4: Technology continuously develops and improves signaling standards that enable increased speed and traffic.

When choosing a WAN technology, it is important to consider the link speed. The first digital networks created for WAN implementations provided support for a 64 kbps connection across a leased line. The term digital signal level 0 (DS0) refers to this standard.

As technology improved, service providers supplied subscribers with specific increments of the DS0 channel. For example, in North America, a DS1 standard, also called a T1 line, defines a single line that supports 24 DS0s, plus an 8 kbps overhead channel. This standard enables speeds of up to 1.544 Mbps. A T3 line uses a DS3 standard, which supports 28 DS1s and speeds of up to 44.736 Mbps.

Other parts of the world use different standards. For example, Europe offers lines such as E1s, which support 32 DS0s for a speed of up to 2.048 Mbps, and E3s, which support 16 E1s for a speed of up to 34.064 Mbps.

7.1.1 - WAN Devices and Technology The diagram depicts a chart with the column headers Line Type, Signal Standard, and Bit Rate Capacity associated with each WAN technology.

Line Type   Signal Standard   Bit Rate Capacity
56          DS0               56 Kbps
64          DS0               64 Kbps
T1          DS1               1.544 Mbps
E1          ZM                2.048 Mbps
E3          M3                34.064 Mbps
J1          Y1                2.048 Mbps
T3          DS3               44.736 Mbps
OC-1        SONET             51.84 Mbps
OC-3        SONET             155.54 Mbps
OC-9        SONET             466.56 Mbps
OC-12       SONET             622.08 Mbps
OC-18       SONET             933.12 Mbps
OC-24       SONET             1244.16 Mbps
OC-36       SONET             1866.24 Mbps
OC-48       SONET             2488.32 Mbps

Page 5:

7.1.1 - WAN Devices and Technology The diagram depicts an activity in which you must match the WAN term to the definition.
WAN Terms
A. de-marc
B. CPE
C. DTE
D. DCE
E. CO
F. local loop
G. CSU/DSU
H. modem
Definitions
1. The location where the service provider takes over control of the WAN link.
2. Equipment located at the site of the customer.
3. The local router is this type of equipment.
4. The CSU/DSU is this type of equipment.
5. The location where the service provider houses equipment and accepts connections from customer networks.
6. The portion of media that connects the end user with the CO.
7. The device that formats the WAN traffic into a format acceptable to the ISP's network.
8. The device required to use an analog connection into the WAN.

7.1.2 WAN Standards Page 1: Designing a network based on specific standards ensures that all of the different devices and technologies found in a WAN environment work together.

WAN standards describe the Physical Layer and Data Link Layer characteristics of data transportation. Data Link Layer WAN standards include parameters such as physical addressing, flow control, and encapsulation type, as well as how the information moves across the WAN link. The type of WAN technology employed determines the specific Data Link Layer standards used. Some examples of Layer 2 WAN protocols are:

Link Access Procedure for Frame Relay (LAPF)
High-level Data Link Control (HDLC)
Point-to-Point Protocol (PPP)

Several organizations are responsible for managing both the Physical Layer and Data Link Layer WAN standards. These include:

International Telecommunications Union Telecommunications Standardization Sector (ITU-T)
International Organization for Standardization (ISO)
Internet Engineering Task Force (IETF)
Electronic Industries Alliance (EIA)
Telecommunications Industry Association (TIA)

7.1.2 - WAN Standards The diagram depicts the layers of the OSI model, with the focus on Layer 2, the Data Link Layer.
Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer: physical addressing, flow control, encapsulation type (LAPF for Frame Relay, HDLC, PPP)
Physical Layer

Page 2:

7.1.2 - WAN Standards The diagram depicts an activity in which you must determine whether the standards belong to Layer 1 or Layer 2.
Standards
1. VTP Transport Mode
2. PPP
3. X.21
4. EIA/TIA-232
5. V.35
6. LAPF
7. HDLC

7.1.3 Accessing the WAN Page 1: WAN links use either digital or analog technology. With analog connections, the data is encoded, or modulated, onto a carrier wave. The modulated signal then carries the information across the medium to the remote site. At the remote site, the signal is demodulated and the receiver extracts the information.

A modem encodes the information onto that carrier wave before transmission and then decodes it at the receiving end. The modem gets its name from its task of modulation and demodulation of the carrier signal.

Modems enable remote sites to communicate through the plain old telephone system (POTS). They also enable end users to connect to service provider networks through DSL or cable connections.

7.1.3 - Accessing the WAN The diagram depicts a client communicating with a host. The client uses the EIA/TIA-232 protocol to connect to a modem. The modem connects to a POTS cloud. The POTS cloud connects to a second modem, which is connected to the host, also using the EIA/TIA-232 protocol. The signals sent between the computer (client/host) and the modem are digital signals. The signals sent between the modem and the telephone network (POTS) are analog signals.

Page 2: Companies often purchase connectivity using dedicated links between their location and the ISP. These services are usually obtained as leased lines, for which the company pays a monthly fee. These lines carry large amounts of data. For example, a T1 link carries 1.544 Mbps of traffic and an E1 link carries 2.048 Mbps of traffic. Often this bandwidth is larger than the amount that the organization actually requires. A T1 can be split into 24 DS0s of 64 Kbps each. In this case, the customer orders part of a T1/E1, known as a fractional T1 or fractional E1.

High-bandwidth connections are split up into several DS0s. The ISP assigns each DS0 to a different conversation or end user. Organizations purchase one or more DS0 channels. A DS0 is not a separate physical entity but rather a time slice of the physical bandwidth on one wire. Each fractional connection enables full use of the media by the organization for part of the total time. There are two techniques for allocating bandwidth on a single cable to multiple channels based on time: Time Division Multiplexing (TDM) and Statistical Time Division Multiplexing (STDM).

7.1.3 - Accessing the WAN The diagram depicts Site A connected to the Service Provider via a T1-1.544 Mbps link. Site B is connected to the service provider via a Fractional T1 128 Kbps link. Site C is connected to the service provider via a Fractional T1 64 Kbps link.

Page 3: Time Division Multiplexing (TDM) allocates bandwidth based on pre-assigned time slots. Each of these time slices is then assigned to an individual conversation. Each time slice represents a period of time during which a conversation has complete use of the physical media. Bandwidth is allocated to each channel or time slot regardless of whether the station using the channel has data to transmit. Therefore, with standard TDM, if a sender has nothing to say, its time slice goes unused, wasting valuable bandwidth.

Statistical Time Division Multiplexing (STDM) is similar to TDM except that it keeps track of conversations that require extra bandwidth. It then dynamically reassigns unused time slices on an as-needed basis. In this way, STDM minimizes wasted bandwidth.

7.1.3 - Accessing the WAN The animation depicts the difference in bandwidth utilization when using a multiplexor that is implementing TDM and a multiplexor that is implementing STDM. TDM The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using TDM, 12 time slices are used to deliver nine time slices. STDM The animation shows four hosts sending input into a multiplexor. Each host inputs three time slices. There are three unused time slices between the four hosts. Using STDM, nine time slices are used to deliver nine time slices.

Page 4:

7.1.3 - Accessing the WAN The diagram depicts an activity in which you must organize the data blocks into the correct order to show how TDM and STDM use bandwidth.
Input
Host A: unused, A, unused
Host B: B, B, unused
Host C: C, C, C
Host D: unused, unused, D
Output
TDM: Insert the output in order to fill all 12 time slices.
STDM: Insert the output in order to fill all 7 time slices.
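To make the TDM/STDM difference concrete, here is an added Python example (not part of the course material) that multiplexes the activity's four hosts onto one link both ways and then demultiplexes at the receiver. The host names, the three-slice rounds and the idle markers are taken from the activity above; the channel tag that STDM must attach to every slice is a modelling choice, because once idle slots are dropped the position on the link no longer identifies the sender.

```python
"""TDM versus STDM on one shared link, using the activity's input (constructed example)."""
from typing import Dict, List, Optional, Tuple

Slot = Optional[str]          # None models an idle time slice

# Constructed input matching the activity above: each host offers three
# time slices; None marks a slice in which the host had nothing to send.
HOST_INPUT: Dict[str, List[Slot]] = {
    "A": [None, "A", None],
    "B": ["B", "B", None],
    "C": ["C", "C", "C"],
    "D": [None, None, "D"],
}


def tdm_mux(inputs: Dict[str, List[Slot]]) -> List[Slot]:
    """Classic TDM: every host owns a fixed position in every frame, so the
    link carries hosts x rounds slices whether or not each one holds data."""
    hosts = sorted(inputs)
    rounds = max(len(slices) for slices in inputs.values())
    link: List[Slot] = []
    for r in range(rounds):
        for host in hosts:
            slices = inputs[host]
            link.append(slices[r] if r < len(slices) else None)
    return link


def tdm_demux(link: List[Slot], hosts: List[str]) -> Dict[str, List[str]]:
    """The receiver recovers the sender from the slot position alone."""
    out: Dict[str, List[str]] = {h: [] for h in hosts}
    for index, payload in enumerate(link):
        if payload is not None:
            out[hosts[index % len(hosts)]].append(payload)
    return out


def stdm_mux(inputs: Dict[str, List[Slot]]) -> List[Tuple[str, str]]:
    """Statistical TDM: idle slices are skipped, so the link only carries
    slices with data. Position no longer identifies the sender, so each
    slice must carry a channel tag alongside its payload."""
    hosts = sorted(inputs)
    rounds = max(len(slices) for slices in inputs.values())
    link: List[Tuple[str, str]] = []
    for r in range(rounds):
        for host in hosts:
            slices = inputs[host]
            if r < len(slices) and slices[r] is not None:
                link.append((host, slices[r]))
    return link


def stdm_demux(link: List[Tuple[str, str]], hosts: List[str]) -> Dict[str, List[str]]:
    """The receiver uses the tag, not the position, to route each payload."""
    out: Dict[str, List[str]] = {h: [] for h in hosts}
    for tag, payload in link:
        out[tag].append(payload)
    return out


def utilisation(link: List[Slot]) -> float:
    """Fraction of transmitted TDM slices that actually carried data."""
    return sum(1 for s in link if s is not None) / len(link)


if __name__ == "__main__":
    hosts = sorted(HOST_INPUT)
    tdm = tdm_mux(HOST_INPUT)
    stdm = stdm_mux(HOST_INPUT)
    print("TDM  :", len(tdm), "slices sent,", f"{utilisation(tdm):.0%} used")
    print("STDM :", len(stdm), "slices sent, 100% used")
    # Both receivers recover exactly the same per-host data.
    assert tdm_demux(tdm, hosts) == stdm_demux(stdm, hosts)
```

Running it reproduces the activity's answer: TDM puts 12 slices on the link of which 7 carry data, STDM puts only the 7 data slices on the link. The price STDM pays is visible in the code as well: each slice now carries a tag, so the saving is smaller than the raw slice count suggests when payloads are short.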

7.1.4 Packet and Circuit Switching Page 1: An enterprise connects to WAN services in various ways.

Dedicated Leased Line

One type of connection is a point-to-point serial link between two routers using a dedicated leased line. This enables a one-to-one connection for the basic function of data delivery across a link. Each link requires a separate physical interface and a separate CSU/DSU. As an organization grows to multiple locations, supporting a dedicated leased line between each location becomes very expensive.

Circuit Switching

Circuit switching establishes a circuit between end nodes before forwarding any data. A standard telephone call uses this type of connection. While the circuit is in place, it provides dedicated bandwidth between the two points. Completion of the conversation releases the circuit. No other organizations use the circuit until it is released. This method provides a level of security not available in packet switching or cell switching technology.

With circuit switching, the service provider assigns links to different connections as the need arises. Costs are incurred for the link only when the connection is active. The cost for circuit switching varies based on usage time and can become quite expensive if the circuit is used often.

7.1.4. - Packet and Circuit Switching The animation depicts the process involved in a circuit-switched call. Two modems are connected to a PSTN cloud containing a network of switches. The first modem says "I am initiating a call." For the duration of the call the line is dedicated to the sender and receiver. A circuit is established between switches in the PSTN cloud connecting the modems. The other modem says "I am accepting a call." At the end of the call, the second modem says "I am terminating the call." Once the call has ended, the dedicated connection disappears.

Page 2: Packet Switching

Packet switching uses bandwidth more efficiently than other types of switching. The data is segmented into packets, with an identifier on each packet. The data is then released into the service provider network. The service provider accepts the data and switches the packet from one node to another until the packet reaches its final destination. The circuit, or pathway, between the source and destination is often a preconfigured link, but it is not an exclusive link. The service provider switches packets from multiple organizations over the same links. Frame Relay is an example of packet switching technology.

Cell Switching

Cell switching is a variation of packet switching. It is capable of transferring voice, video, and data through private and public networks at speeds in excess of 155 Mbps. Asynchronous Transfer Mode (ATM) uses fixed length, 53-byte cells that have 48-bytes of data and a 5-byte header. The small, uniform size of the cells allows them to be switched quickly and efficiently between nodes. An advantage of ATM is that it prevents small messages from being held up behind larger messages. However, for networks handling mainly segmented data, ATM introduces a large amount of overhead and actually slows network performance.

7.1.4. - Packet and Circuit Switching The animation depicts the flow of traffic in a packet-switched network. Site A, Site B, Site C, and Site D are in separate locations connected to a cloud of switches. Site A and Site B are both sending packets into the cloud. Traffic from two virtual circuits shares the same links. The packets traverse the cloud and reach their destinations at Site C and Site D.

Page 3: Virtual Circuits

When using packet switching technology, the service provider establishes virtual circuits (VCs). Virtual circuits share the link between devices with traffic from other sources. As a result, the medium is not private for the duration of a connection. There are two types of virtual circuits: switched and permanent.

Switched Virtual Circuit

A switched virtual circuit (SVC) is dynamically established between two points when a router requests a transmission. The circuit is set up on demand and torn down when transmission is complete, such as after a file has been downloaded. When establishing an SVC, call set-up information must be sent before transmitting any data. Call clearing information tears down the connection after it is no longer required. This process introduces delays in the network as SVCs are built up and torn down for each conversation.

Permanent Virtual Circuit

A permanent virtual circuit (PVC) provides a permanent path to forward data between two points. The service provider must preconfigure the PVCs and they are very seldom broken or disconnected. This eliminates the need for call setup and clearing. They speed the flow of information across the WAN. PVCs also provide the ISP with much greater control over the data-flow patterns and management of their network. PVCs are more popular than SVCs and usually service sites with high-volume, constant flows of traffic. Frame Relay typically uses PVCs.

7.1.4. - Packet and Circuit Switching The diagram depicts networks connected via a Switched Virtual Circuit (SVC) and via a Permanent Virtual Circuit (PVC). An enterprise network connects via a CSU/DSU to another enterprise network that also uses a CSU/DSU. Between the two networks is a network cloud. The connection through the network is an SVC. An SVC is built up and torn down as required. A second pair of enterprise networks, each with a CSU/DSU, is connected through a network cloud by a PVC. A PVC is configured by the network administrator and loaded at switch startup.

Page 4:

7.1.4. - Packet and Circuit Switching The diagram depicts an activity in which you must identify the best WAN connection type to support the scenario. The options are leased line, circuit-switched, packet-switched, or cell-switched WAN connections.
1. Remote offices connect once a day to upload sales orders.
2. A company WAN supports voice, video, and data connections.
3. An organization connects to multiple remote sites, but has only one serial interface on its router.
4. A company connects to its branch offices and securely transfers classified technical drawings.
5. A small real estate company provides support to its sales staff to pick up email from their home offices.

7.1.5 Last Mile and Long Range WAN Technologies Page 1: ISPs use several different WAN technologies to connect their subscribers. The connection type used on the local loop, or last mile, may not be the same as the WAN connection type employed within the ISP network or between various ISPs.

Some common last mile technologies are:

Analog dialup
Integrated Services Digital Network (ISDN)
Leased line
Cable
Digital Subscriber Line (DSL)
Frame Relay
Wireless

Each of these technologies provides advantages and disadvantages for the customer. Not all technologies are available in all locations.

When a service provider receives data, it must forward this data to other remote sites for final delivery to the recipient. These remote sites are either connected directly to the ISP network, or the data passes from ISP to ISP to reach the recipient. Long-range communications are usually those connections between ISPs or between branch offices in very large companies.

Many different WAN technologies exist that allow the service provider to reliably forward data over great distances. Some of these include ATM, satellite, Frame Relay, and leased lines.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts several enterprise networks using a variety of devices and connections that are linked to the ISP, as follows:
Dialup using the telephone line to connect to the ISP.
DSL using the telephone line to connect to the ISP.
Cable modem using coaxial cable to connect to the ISP.
Wireless bridge using a wireless signal to connect to the ISP.
T1 leased line to connect to the ISP.
Satellite modem connecting to a satellite that connects to the ISP.

Page 2: Enterprises are becoming larger and more dispersed. As a result, applications require more and more bandwidth. This growth requires technologies that support high-speed and high-bandwidth transfer of data over even greater distances.

Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy (SDH) are standards that allow the movement of large amounts of data over great distances through fiber-optic cables. Both SONET and SDH encapsulate earlier digital transmission standards and support either ATM or Packet over SONET/SDH (POS) networking. SDH and SONET are used for moving both voice and data.

One of the newer developments for extremely long-range communications is dense wavelength division multiplexing (DWDM). DWDM assigns incoming optical signals to specific frequencies or wavelengths of light. It is also capable of amplifying these wavelengths to boost the signal strength. DWDM can multiplex more than 80 different wavelengths or channels of data onto a single piece of fiber. Each channel is capable of carrying a multiplexed signal at 2.5 Gbps.

Demultiplexing the data at the receiving end allows a single piece of fiber to carry many different formats at the same time and at different data rates. For example, DWDM can carry IP, SONET, and ATM data concurrently.

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts a map of the world with enterprise networks super-imposed over Asia, North America, and South Africa. They all connect to a DWDM network cloud.

Page 3:

7.1.5 - Last Mile and Long Range WAN Technologies The diagram depicts an activity in which you must match the technology to the description.
Technologies
1. DSL
2. Cable
3. Satellite
4. DWDM
5. ATM
6. Dial Up
7. Leased Line
8. SONET
Descriptions
A. High speed Internet service over existing copper phone cables.
B. Always-on, last mile connectivity using the same cable for TV and data.
C. Internet access for remote locations.
D. 80 channels on an existing strand of fiber for an extremely long range network.
E. Transfer of fixed length cells at 155 Mbps.
F. Connectivity to an office in an old hotel that has no high speed service.
G. Dedicated connectivity for a new company selling an on-line shopping service.
H. Long-range technology to move voice, video, and data over fiber cable.

7.2 Comparing Common WAN Encapsulations


7.2.1 Ethernet and WAN Encapsulations Page 1: Encapsulation occurs before data travels across a WAN. The encapsulation conforms to a specific format based on the technology used on the network. Before converting data into bits for transmission across the media, Layer 2 encapsulation adds addressing and control information.

Layer 2 adds header information that is specific to the type of physical network transmission. Within a LAN environment, Ethernet is the most common technology. The Data Link Layer encapsulates the packet into Ethernet frames. The frame headers contain information such as the source and destination MAC addresses, and specific Ethernet controls, like the frame size and timing information.

Similarly, the encapsulation of frames destined for transmission across a WAN link matches the technology in use on the link. For example, if using Frame Relay on the link, the type of encapsulation required is Frame Relay-specific.

7.2.1 - Ethernet and WAN Encapsulation The animation depicts how the frame format changes as it travels across the network. The diagram depicts a man, labeled Source, sitting at one end of a network using an Ethernet connection. A woman, labeled Destination, is sitting at the other end of the network using an Ethernet connection. Network devices and connection types that make up the network are between the source and destination. Connected to the network is a server farm, a DMZ, and the ISP. Protocols that may be in use during the transmission of the message from the source to the destination include HDLC, PPP, and ATM. As the message traverses the network, the frame format changes to accommodate the different protocols implemented within the networks the message travels through. The frame format begins from the source as Ethernet, then changes to HDLC, PPP, ATM, HDLC, PPP, and back to Ethernet at the destination.

Page 2: The type of Data Link Layer encapsulation is separate from the type of Network Layer encapsulation. As data moves across a network, the Data Link Layer encapsulation may change continuously, whereas the Network Layer encapsulation will not. If this packet must move across the WAN on its way to the final destination, the Layer 2 encapsulation changes to match the technology in use.

Packets exit the LAN by way of the default gateway router. The router strips off the Ethernet frame and then re-encapsulates that data into the correct frame type for the WAN. Conversion of frames received on the WAN interface into the Ethernet frame format occurs before placement on the local network. The router acts as a media converter, by adapting the Data Link Layer frame format to a format that is appropriate to the interface.

The encapsulation type must match on both ends of a point-to-point connection. A Data Link Layer encapsulation includes the following fields:

Flag - Marks the beginning and end of each frame
Address - Depends on the encapsulation type; not required if the WAN link is point-to-point
Control - Used to indicate the type of frame
Protocol - Used to specify the type of encapsulated Network Layer protocol; not present in all WAN encapsulations
Data - Used as Layer 3 data and IP datagram
Frame Check Sequence (FCS) - Provides a mechanism to verify that the frame was not damaged in transit

7.2.1 - Ethernet and WAN Encapsulation The animation depicts the Layer 2 encapsulation process. A computer, H1, is connected to a switch, S1, which is connected to a router, R1. There is a serial link connecting R1 and a router, R2. R2 is connected to a switch, S2, which is connected to a computer, H2. H1 sends a message out. The header is marked as an Ethernet header. Once the message reaches R1, the protocol changes, requiring the header to change to a PPP header using the IP protocol. This will enable the message to travel through the network. As the message reaches the LAN side of R2, the header is changed back to an Ethernet header, so the message can traverse the Ethernet network and finally reach H2.

Page 3:

7.2.1 - Ethernet and WAN Encapsulation The diagram depicts an activity in which you must match the Layer 2 encapsulation term with its definition.
Terms
A. Address
B. Control
C. Protocol
D. Flag
E. Data
F. FCS
Definitions
1. Provides a mechanism to verify that the frame was not damaged in transit.
2. Used to specify the type of encapsulated Network Layer protocol.
3. Not present in all WAN encapsulations.
4. Used to indicate the type of frame.
5. Used as Layer 3 data and IP datagram.
6. Marks the beginning and end of each frame.
7. Depends on the encapsulation type.
8. Not required if the WAN link is point-to-point.

7.2.2 HDLC and PPP Page 1: Two of the most common serial line Layer 2 encapsulations are HDLC and PPP.

High-level Data Link Control (HDLC) is a standard bit-oriented Data Link Layer encapsulation. HDLC uses synchronous serial transmission, which provides error-free communication between two points. HDLC defines a Layer 2 framing structure that allows for flow control and error control using acknowledgments and a windowing scheme. Each frame has the same format, whether it is a data frame or a control frame.

The standard HDLC frame does not contain a field that identifies the type of protocol carried by the frame. For that reason, standards-based HDLC cannot handle multiple protocols across a single link.

Cisco HDLC incorporates an extra field, known as the Type field, which allows multiple Network Layer protocols to share the same link. Use Cisco HDLC encapsulation only when interconnecting Cisco equipment. Cisco HDLC is the default Data Link Layer encapsulation type on Cisco serial links.

7.2.2 - HDLC and PPP The diagram depicts the Open Standard HDLC frame and the Cisco HDLC frame. The composition of these frames is listed below. Note that the Cisco HDLC frame has a Type field not present in the Open Standard HDLC frame.
Open Standard HDLC Frame
Flag: 8 bits
Address: 8 bits
Control: 8 or 16 bits
Information: variable length, 0 or more bits, in multiples of 8
FCS: 16 or 32 bits
Flag: 8 bits
Cisco HDLC Frame
Flag: 8 bits
Address: 8 bits
Control: 8 bits
Type (Protocol Code): 16 bits
Information: variable length, 0 or more bits, in multiples of 8
FCS: 16 bits
Flag: 8 bits
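The generic Layer 2 field list in 7.2.1 and the two HDLC frame layouts above can be exercised in code. The following Python is an added example, not course material or Cisco IOS code: it builds and checks both an Open Standard HDLC frame and a Cisco HDLC frame. It uses the 16-bit FCS defined for HDLC framing (the reflected CRC-CCITT of ISO 3309 / RFC 1662, polynomial 0x8408, initial value 0xFFFF, residue 0xF0B8 on an intact frame), the Cisco HDLC unicast address 0x0F and IPv4 protocol code 0x0800, and the ISO HDLC all-stations address 0xFF with the UI control byte 0x03; those constants come from the respective specifications, not from this page. The 20-byte payload is constructed, and bit stuffing for flag transparency is omitted so the framing logic stays readable.

```python
"""Build and check Open Standard HDLC and Cisco HDLC frames (constructed example).
Flag transparency (bit stuffing on synchronous links) is omitted for clarity."""
from dataclasses import dataclass
from typing import Optional

FLAG = 0x7E                  # marks the beginning and end of each frame
CISCO_ADDR_UNICAST = 0x0F    # Cisco HDLC address byte for unicast frames
CISCO_ADDR_BROADCAST = 0x8F  # Cisco HDLC address byte for broadcast frames
CISCO_CONTROL = 0x00         # Cisco HDLC always sends control 0x00
CISCO_TYPE_IP = 0x0800       # Cisco HDLC Type (protocol code) for IPv4
HDLC_ADDR_ALL = 0xFF         # ISO HDLC all-stations address
HDLC_CONTROL_UI = 0x03       # ISO HDLC Unnumbered Information frame
FCS_GOOD = 0xF0B8            # residue of fcs16() over body + FCS when the frame is intact


def fcs16(data: bytes) -> int:
    """16-bit HDLC frame check sequence: CRC-CCITT in the reflected form used by
    ISO 3309 and RFC 1662 (polynomial 0x8408, initial value 0xFFFF)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


@dataclass
class Frame:
    address: int
    control: int
    protocol: Optional[int]   # None for open-standard HDLC, which has no Type field
    info: bytes


def build(frame: Frame, cisco: bool) -> bytes:
    """Serialise a frame: Flag, Address, Control, [Type], Information, FCS, Flag."""
    body = bytes([frame.address, frame.control])
    if cisco:
        if frame.protocol is None:
            raise ValueError("Cisco HDLC needs a protocol code in the Type field")
        body += frame.protocol.to_bytes(2, "big")
    body += frame.info
    fcs = fcs16(body) ^ 0xFFFF               # complement, then send low byte first
    body += fcs.to_bytes(2, "little")
    return bytes([FLAG]) + body + bytes([FLAG])


def parse(wire: bytes, cisco: bool) -> Frame:
    """Check flags and FCS, then split the header according to the encapsulation."""
    min_len = 8 if cisco else 6               # flag, addr, ctrl, [type], fcs, flag
    if len(wire) < min_len or wire[0] != FLAG or wire[-1] != FLAG:
        raise ValueError("malformed frame: missing flag or too short")
    body = wire[1:-1]
    if fcs16(body) != FCS_GOOD:               # CRC over fields + FCS must leave the good residue
        raise ValueError("FCS mismatch: frame damaged in transit")
    fields = body[:-2]
    if cisco:
        protocol = int.from_bytes(fields[2:4], "big")
        info = fields[4:]
    else:
        protocol = None                       # receiver cannot tell which Layer 3 protocol this is
        info = fields[2:]
    return Frame(fields[0], fields[1], protocol, info)


def is_intact(wire: bytes) -> bool:
    """True when the flags are present and the FCS check passes."""
    try:
        parse(wire, cisco=False)              # the FCS check does not depend on the header layout
        return True
    except ValueError:
        return False


# Constructed 20-byte payload standing in for an IPv4 header (not a real packet).
SAMPLE_IP_PACKET = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)

if __name__ == "__main__":
    cisco_wire = build(Frame(CISCO_ADDR_UNICAST, CISCO_CONTROL, CISCO_TYPE_IP, SAMPLE_IP_PACKET), cisco=True)
    print("Cisco HDLC:", parse(cisco_wire, cisco=True))
    std_wire = build(Frame(HDLC_ADDR_ALL, HDLC_CONTROL_UI, None, SAMPLE_IP_PACKET), cisco=False)
    print("ISO HDLC  :", parse(std_wire, cisco=False))
    damaged = bytearray(cisco_wire)
    damaged[10] ^= 0x01                       # one flipped bit in the Information field
    print("Damaged frame accepted?", is_intact(bytes(damaged)))
```

Two points from the text show up directly in the output: the standard frame parses with protocol None, which is why standards-based HDLC cannot multiplex Network Layer protocols on one link, and a single flipped bit in the Information field makes the FCS residue differ from 0xF0B8, so the receiver discards the frame. The FCS is an integrity check against line noise only; it is not a keyed check and offers no protection against deliberate modification.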

Page 2: Like HDLC, Point-to-Point Protocol (PPP) is a Data Link Layer encapsulation for serial links. It uses a layered architecture to encapsulate and carry multi-protocol datagrams over a point-to-point link. Because PPP is standards-based, it enables communication between equipment of different vendors.

The following interfaces can support PPP:

Asynchronous serial
Synchronous serial
High-Speed Serial Interface (HSSI)
Integrated Services Digital Network (ISDN)

PPP has two sub-protocols:

Link Control Protocol - responsible for establishing, maintaining, and terminating the point-to-point link.
Network Control Protocol - provides interaction with different Network Layer protocols.

7.2.2 - HDLC and PPP The diagram depicts the three lower layers of the O S I model, with the focus on PPP in Layer 2, the Data Link Layer. The lowest level is the Physical Layer that deals with synchronous or asynchronous media. PPP is at the Data Link Layer, where there are two sub-protocols: Link Control Protocol and Network Control Protocol. Link Control Protocol is responsible for authentication and other options. The Network Control Protocol is involved in the interaction between the Data Link Layer and various Network Layer protocols: IP, IPX, IPCP, IPXCP, and many others.

Page 3: Link Control Protocol

PPP uses the Link Control Protocol (LCP) to establish, maintain, test, and terminate the point-to-point link. Additionally, LCP negotiates and configures control options on the WAN link. Some of the options that LCP negotiates include:

Authentication
Compression
Error detection
Multilink PPP
Callback

LCP also:

Handles varied packet sizes
Detects common misconfiguration errors
Determines when a link is functioning properly and when it is failing

Network Control Protocol

PPP uses the Network Control Protocol (NCP) component to encapsulate multiple Network Layer protocols, so that they operate on the same communications link.

Every Network Layer protocol carried on the PPP link requires a separate NCP. For example, IP uses the IP Control Protocol (IPCP), and IPX uses the IPX Control Protocol (IPXCP). NCPs include fields containing codes that indicate the Network Layer protocol.

7.2.2 - HDLC and PPP The diagram depicts the various options of the LCP negotiation process. Each process and a description of some devices used during the process are listed below.

Authentication: The diagram depicts a switch that is linked to the CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. The flow of information is from the CSU/DSU, or modem, to the computer. For authentication, the calling side of the link is required to enter specific information to ensure that the caller has permission to make the call. Peer routers exchange authentication messages. Two authentication options are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

Callback: The diagram depicts a switch that is linked to a CSU/DSU, or modem, that is linked by a serial connection to the network cloud. The network cloud is linked by a serial connection to a second CSU/DSU, or modem, and then to a computer. With this LCP option, a Cisco router can act as a callback client or as a callback server. The client makes the initial call, requests that it be called back, and terminates its initial call. The callback router answers the initial call and makes the return call to the client based on information configured in its memory.

Compression: The diagram depicts two switches at the opposite ends of a network. Between the switches are two compression devices that compress information on the fly between the networks. The flow of information in the diagram is in both directions through the network. Compression options increase the effective throughput on PPP connections by reducing the amount of data in the frame that travels across the link. The protocol decompresses the frame at its destination. Two compression protocols available in Cisco routers are Stacker and Predictor.

Multilink: The diagram depicts three computers directly connected to a switch and then to a multilink device that provides load balancing over the PPP router interfaces.

Page 4: PPP sessions progress through three phases: link establishment, authentication (optional), and Network Layer protocol.

Link-Establishment Phase

PPP sends LCP frames to configure and test the data link. LCP frames contain a configuration option field that negotiates options such as maximum transmission unit (MTU), compression, and link-authentication. If a configuration option is missing, it assumes the default value. Link authentication and link-quality determination tests are optional parameters within the link-establishment phase. A link-quality determination test determines whether the link quality is good enough to bring up Network Layer protocols. Optional parameters, such as these, must be complete before the receipt of a configuration acknowledgment frame. Receipt of the configuration acknowledgement frame completes the Link-Establishment phase.

Authentication Phase (optional)

The authentication phase provides password protection to identify connecting routers. Authentication occurs after the two routers agree to the set parameters but before the NCP Negotiation Phase can begin.

NCP Negotiation Phase

PPP sends NCP packets to choose and configure one or more Network Layer protocols, such as IP or IPX. If LCP closes the link, it informs the Network Layer protocols so that they can take appropriate action. The show interfaces command reveals the LCP and NCP states.

When established, the PPP link remains active until the LCP or NCP frames close the link or until an activity timer expires. A user can also terminate the link.

7.2.2 - HDLC and PPP The animation depicts the negotiation phases of a PPP link: the Link Establishment Phase, the Authentication Phase, and the Network Layer Protocol Phase.

Link Establishment Phase: The diagram depicts Router R1 connected by a serial link to Router R2. R1 says, "I want to form a PPP connection with you. Can we agree to communicate using PPP with PAP authentication and compression?" R2 receives the message and replies, "I can form the PPP connection and can use PAP authentication, but I cannot support compression." R2 sends a message back to R1 with this information included. R1 responds, "Can we agree to communicate using PPP with PAP authentication and no compression?"

Authentication Phase: R2 replies, "We can communicate using PPP with PAP authentication and no compression." R1 receives this message and replies, "My name is R1 and my password is cisco." R2 looks in its table of users, references the username, and compares the password to the one given by R1. R2 replies, "The password matches, so I am now ready to form the connection."

Network Layer Protocol Phase: R1 replies, "I only have IP traffic, so we only need to bring up IPCP. I am starting it now." R2 replies, "I have also started IPCP. We can now move IP traffic."

Page 5:

7.2.2 - HDLC and PPP Identify the correct layer and phase with the correct PPP components. Layer and Phase A. Data Link Layer B. Physical Layer C. Phase 3 D. Phase 2 E. Phase 1 PPP Component One. Link Establishment Two. Authentication, other options, Link Control Protocol Three. Synchronous or Asynchronous Physical Media Four. NCP Negotiation Five. Network Control Protocol

7.2.3 Configuring PPP Page 1: On Cisco routers, HDLC is the default encapsulation on serial links. To change the encapsulation and use the features and functions of PPP, use the following command:

encapsulation ppp

Enables PPP encapsulation on a serial interface.

Once PPP is enabled, optional features such as compression and load balancing can be configured.

compress [predictor | stac]

Enables compression on an interface using either predictor or stacker.

ppp multilink

Configures load balancing across multiple links.

Compressing data sent across the network can improve network performance. Predictor and stacker are software compression techniques that vary in the way compression is handled. Stacker compression is more CPU-intensive and less memory-intensive. Predictor is more memory-intensive and less CPU-intensive. For this reason, generally use stacker if the bottleneck is due to line bandwidth issues and predictor if the bottleneck is due to excessive load on the router.

Only use compression if network performance issues exist because enabling it will increase router processing times and overhead. Also, do not use compression if the majority of traffic crossing the network is already-compressed files. Compressing an already-compressed file often increases its size.

Enabling PPP multilink allows for multiple WAN links to be aggregated into one logical channel for the transport of traffic. It enables the load-balancing of traffic from different links and allows some level of redundancy in case of a line failure on a single link.

7.2.3 - Configuring PPP The diagram depicts basic PPP configuration. Two routers, R1 and R2, are connected to each other via a serial link. The commands entered at the console terminal window of each router are as follows:

R1(config-if)# encapsulation ppp

R2(config-if)# encapsulation ppp

Page 2:

The following commands are used to verify and troubleshoot HDLC and PPP encapsulation:

show interfaces serial

Displays the encapsulation and the states of the Link Control Protocol (LCP).

show controllers

Indicates the state of the interface channels and whether a cable is attached to the interface.

debug serial interface

Verifies the incrementation of keepalive packets. If packets are not incrementing, a possible timing problem exists on the interface card or in the network.

debug ppp

Provides information about the various stages of the PPP process, including negotiation and authentication.

7.2.3 - Configuring PPP The diagram depicts router output from various commands. Two routers are connected to each other via a serial link. The network address is 192.168.2.0, and both routers have LANs connected to them. Router R1 has network 192.168.1.0 connected to Fa0/0. R2 has network 192.168.3.0 connected to Fa0/0. The diagram has buttons that can be pushed to highlight the commands show interfaces serial, show controllers, debug serial interface, and debug ppp. The outputs for these commands can be viewed in greater detail in the labs at the end of the module.

Page 3: Lab Activity

Configure and verify a PPP connection between two routers.

Click the lab icon to begin.

7.2.3 - Configuring PPP Link to Hands-on Lab: Configuring and Verifying a PPP Link Configure and verify a PPP connection between two routers.

7.2.4 PPP Authentication Page 1: Authentication on a PPP link is optional. If configured, authentication occurs after establishment of the link but before the Network Layer protocol configuration phase begins. Two possible types of authentication on a PPP link are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

PAP provides a simple method for a remote device to establish its identity. PAP uses a two-way handshake to send its username and password. The called device looks up the username of the calling device and confirms that the sent password matches what it has stored in its database. If the two passwords match, authentication is successful.

PAP sends the username/password pair across the link repeatedly in clear text until acknowledgement of the authentication or termination of the connection. This authentication method does not protect the username and password from being stolen using a packet sniffer.

Additionally, the remote node is in control of the frequency and timing of the login attempts. Once authenticated, no further verification of the remote device occurs. Without ongoing verification, the link is vulnerable to hijacking of the authenticated connection, and an attacker who has captured the credentials could gain unauthorized access to the router through a replay attack.

7.2.4 - PPP Authentication The diagram depicts two routers, R1 and R2, in the process of a PAP two-way handshake. The R1 username is Santa Cruz and the password is boardwalk. R1 sends the information to R2 to authenticate. R2 looks at its table for the username and password and accepts or rejects based on this authentication procedure.

Page 2:

Another form of PPP authentication is Challenge Handshake Authentication Protocol (CHAP).

Challenge Handshake Authentication Protocol

CHAP is a more secure authentication process than PAP. CHAP does not send the password across the link. Authentication occurs both during initial link establishment and repeatedly during the time the link is active. The called device is in control of the frequency and timing of the authentication, making a hijack attack extremely unlikely.

CHAP uses a three-way handshake.

1. PPP completes the link-establishment phase.

2. Local router sends a challenge message to the remote router.

3. Remote router uses the challenge and a shared secret password to generate a one-way hash.

4. Remote router sends back one-way hash to the local router.

5. Local router checks the response against its own calculation, using the challenge and the same shared secret.

6. Local router acknowledges authentication if values match.

7. Local router immediately terminates connection if the values do not match.

CHAP provides protection against playback attack through a variable challenge value. Because the challenge is unique and random, the resulting hash value is also unique and random. The use of repeated challenges limits the time of exposure to any single attack. The local router or a third-party authentication server is in control of the frequency and timing of the challenges.
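The seven steps above, worked through in Python as an added example; this is not Cisco's code and not part of the course. The hash is computed as RFC 1994 specifies for CHAP with MD5, response = MD5(identifier || shared secret || challenge); the hostnames, the shared secret boardwalk and the PAP credentials are constructed sample values. The example also shows the two properties the text contrasts: a captured CHAP response does not verify against a fresh challenge, while a PAP Authenticate-Request carries the password itself.

```python
"""CHAP three-way handshake, worked in Python (added example, not Cisco's code).

Follows RFC 1994 (CHAP with MD5): response = MD5(identifier || secret || challenge).
Hostnames, the shared secret and the PAP credentials are constructed values.
"""
import hashlib
import hmac
import os

# Constructed local user database on the authenticating ("local") router,
# i.e. the effect of `username R1 password boardwalk` on that router.
LOCAL_USER_DB = {"R1": b"boardwalk"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """One-way hash over the CHAP identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(size: int = 16) -> bytes:
    """Step 2: a fresh, unpredictable challenge value for every round."""
    return os.urandom(size)


def remote_answer(identifier: int, challenge: bytes, hostname: str, secret: bytes):
    """Steps 3-4: the remote router returns its name and the hash, never the secret."""
    return hostname, chap_response(identifier, secret, challenge)


def local_verify(identifier: int, challenge: bytes, name: str, response: bytes,
                 user_db=LOCAL_USER_DB) -> bool:
    """Steps 5-7: recompute with the locally stored secret and compare."""
    secret = user_db.get(name)              # unknown name: reject
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)   # constant-time compare


def chap_round(hostname: str, secret: bytes, identifier: int = 1, user_db=LOCAL_USER_DB):
    """One full challenge/response round; returns (authenticated, response on the wire)."""
    challenge = new_challenge()
    name, response = remote_answer(identifier, challenge, hostname, secret)
    return local_verify(identifier, challenge, name, response, user_db), response


def replay_captured(hostname: str, captured: bytes, user_db=LOCAL_USER_DB) -> bool:
    """Re-sending a sniffed response: the new challenge makes it fail."""
    return local_verify(2, new_challenge(), hostname, captured, user_db)


def pap_frame(username: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: name and password travel in clear text."""
    return username.encode() + b"\x00" + password.encode()


if __name__ == "__main__":
    ok, captured = chap_round("R1", b"boardwalk")
    print("CHAP round authenticated:", ok)                                   # True
    print("replayed response accepted:", replay_captured("R1", captured))  # False
    print("password visible in PAP frame:", b"boardwalk" in pap_frame("R1", "boardwalk"))  # True
```

The repeated challenges the text describes are simply further calls to chap_round with a new identifier; each one uses a new random challenge, which is what makes a recorded response worthless to a third party.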

7.2.4 - PPP Authentication The animation depicts the CHAP authentication process. Two routers, R1 and R2, are linked by a serial connection. R1 sends a message to R2 stating, "Run PPP", indicating it wants to run PPP. R2 says, "Use CHAP", and sends the message, "Here is my challenge information. Send me your username and password." R1 calculates a special value using the secret password and the challenge value. The one-way hash is 6G4#9P4. Router R1 sends a message back to R2 with the username R1 and the password 6G4#9P4. R2 calculates 6G4#9P4 using the same secret password. R2 states "Accept". The remote router is later challenged again at random to verify authentication: R2 sends a message back to R1, "Here is a different challenge value. Send me your username and password again to make sure it's still you."

Page 3:

7.2.4 - PPP Authentication The diagram depicts an activity in which you must determine whether each of the following characteristics belongs to PAP or CHAP. Characteristics: Password never sent across link. Uses two-way handshake. Uses three-way handshake. Single authentication when link formed. Authentication occurs at configurable intervals. Password sent in clear text. Uses shared secret. Immune to replay attack. Username/password easily sniffed from wire.

7.2.5 Configuring PAP and CHAP Page 1: To configure authentication on a PPP link, use the global configuration commands:

username name password password

Global configuration command. Creates a local database that contains the username and password of the remote device. The username must match the hostname of the remote router exactly and is case sensitive.

ppp authentication {chap | chap pap | pap chap | pap}

Interface configuration command. Specifies the type of authentication on each interface, such as PAP or CHAP. If more than one type is specified, for example chap pap, the router attempts the first type listed and only attempts the second if the remote router suggests it.

For CHAP authentication, no other configuration commands are required. However, in Cisco IOS version 11.1 or later, PAP is disabled on the interface by default. This means that the router will not send its own username and password combination just because PAP authentication is enabled. Therefore, additional commands are required for PAP:

ppp pap sent-username name password password

Interface configuration command. Specifies the local username and password combination that should be sent to the remote router. This must match what the remote router has configured in the local username and password database.

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected to a service provider by serial links. The commands used to configure PAP and CHAP on both routers can be viewed in greater detail in the labs attached to this module.
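A check a practitioner can run before bringing the link up, added here as an example (it is not a Cisco tool and not part of the course). It parses the commands from this section out of two constructed IOS-style configuration snippets and reports the reasons CHAP or PAP would fail between the two routers, including the case-sensitivity rule for the username. Router names, addresses and passwords are made up; the optional 0 or 7 encryption-type digit after the password keyword is IOS syntax the parser tolerates.

```python
"""Cross-check PAP/CHAP settings on two PPP peers (added example, not Cisco's).

Parses hostname, username/password, encapsulation, ppp authentication and
ppp pap sent-username out of constructed IOS-style snippets and lists why
authentication would fail. Names, addresses and passwords are made up.
"""
import re

R1 = """
hostname R1
username R2 password 0 boardwalk
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap
"""
# Wrong case in the username: it must match the peer's hostname exactly.
R2_BROKEN = """
hostname R2
username r1 password 0 boardwalk
interface Serial0/0/0
 encapsulation ppp
 ppp authentication chap
"""
R2_FIXED = R2_BROKEN.replace("username r1", "username R1")

PAP_A = """
hostname A
username B password 0 s3cret
interface Serial0/0/0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username A password 0 s3cret
"""
PAP_B = """
hostname B
username A password 0 s3cret
interface Serial0/0/0
 encapsulation ppp
 ppp authentication pap
 ppp pap sent-username B password 0 s3cret
"""

USER_RE = re.compile(r"^username (\S+) password (?:[07] )?(\S+)$")
SENT_RE = re.compile(r"^ppp pap sent-username (\S+) password (?:[07] )?(\S+)$")


def parse(text):
    """Pull the authentication-relevant lines out of a config snippet."""
    cfg = {"hostname": None, "users": {}, "encap": None, "auth": [], "sent": None}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("hostname "):
            cfg["hostname"] = line.split()[1]
        elif (m := USER_RE.match(line)):
            cfg["users"][m.group(1)] = m.group(2)          # local user database
        elif line.startswith("encapsulation "):
            cfg["encap"] = line.split()[1]
        elif line.startswith("ppp authentication "):
            cfg["auth"] = line.split()[2:]                  # e.g. ["chap", "pap"]
        elif (m := SENT_RE.match(line)):
            cfg["sent"] = (m.group(1), m.group(2))
    return cfg


def problems_one_way(auth, peer):
    """Problems when router `auth` authenticates router `peer`."""
    out, a, p = [], auth["hostname"], peer["hostname"]
    for method in auth["auth"]:
        if method == "chap":
            # Each side looks up the other's hostname; both must hold one secret.
            if p not in auth["users"]:
                out.append(f"{a}: no 'username {p} password ...' entry")
            elif a not in peer["users"]:
                out.append(f"{p}: no 'username {a} password ...' entry")
            elif auth["users"][p] != peer["users"][a]:
                out.append(f"{a}/{p}: CHAP secrets differ")
        elif method == "pap":
            # The peer must send a name/password that the authenticator stores.
            if peer["sent"] is None:
                out.append(f"{p}: PAP requested but no 'ppp pap sent-username'")
            elif auth["users"].get(peer["sent"][0]) != peer["sent"][1]:
                out.append(f"{a}: no 'username {peer['sent'][0]} password' matching PAP")
    return out


def check_pair(text_a, text_b):
    """Every problem on a link where both routers authenticate each other."""
    a, b = parse(text_a), parse(text_b)
    out = [f"{c['hostname']}: encapsulation is {c['encap']!r}, not ppp"
           for c in (a, b) if c["encap"] != "ppp"]
    return list(dict.fromkeys(out + problems_one_way(a, b) + problems_one_way(b, a)))


if __name__ == "__main__":
    print("broken:", check_pair(R1, R2_BROKEN) or "OK")
    print("fixed: ", check_pair(R1, R2_FIXED) or "OK")
```

For CHAP the check mirrors what the routers do at run time: the challenged side looks up the challenger's hostname in its own database, so each router needs a username entry for the other and the two passwords must be identical. For PAP the sent-username on one side must match a username entry on the other, and the two directions may use different passwords.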

Page 2: With two-way authentication configured, each router authenticates the other. Use debug commands on both routers to display the exchange sequence as it occurs.

debug ppp {authentication | packet | error | negotiation | chap}

Authentication

Displays the authentication exchange sequence

Packet

Displays PPP packets sent and received

Negotiation

Displays packets transmitted during PPP startup, where PPP options are negotiated

Error

Displays protocol errors and statistics associated with PPP connection and negotiation

Chap

Displays CHAP packet exchanges

To turn off debug, use the no format of each command.

7.2.5 - Configuring PAP and CHAP The diagram depicts two routers connected by serial link. The output of the debug ppp command is listed. The different phases of the authentication process can be viewed by using this command. The different states can be defined as Challenge, Response, Successful Authentication, and Unsuccessful Authentication.

The phases can be viewed more clearly when the command is entered by the student after PAP and CHAP are configured.

Page 3: Lab Activity

Configure and verify PAP and CHAP authentication on a PPP link.

Click the lab icon to begin.

7.2.5 - Configuring PAP and CHAP Link to Hands-on Lab: Configuring and Verifying PAP and CHAP Authentication Configure and verify PAP and CHAP authentication on a PPP link.

7.3 Using Frame Relay


7.3.1 Overview of Frame Relay Page 1: A common Layer 2 WAN encapsulation is Frame Relay. Frame Relay networks are multi-access networks similar to Ethernet except that they do not forward broadcast traffic. Frame Relay is a nonbroadcast multiaccess network (NBMA).

Frame Relay uses packet switching technology with variable-length packets. It also makes use of statistical time-division multiplexing (STDM) for optimum use of the available bandwidth.

The router, or DTE device, normally connects to the service provider via a leased line. It connects via a Frame Relay switch, or DCE device, to the nearest point-of-presence of the service provider. This connection is an access link.

The remote router at the destination end of the network is also a DTE device. The connection between the two DTE devices is a virtual circuit (VC).

The virtual circuit is typically established using PVCs that the service provider preconfigures. Most service providers discourage or even disallow the use of SVCs in a Frame Relay network.

7.3.1 - Overview of Frame Relay The diagram depicts a network cloud with ten interconnected switches inside. Around the outside of the cloud are four building sites, Site A, Site B, Site C, Site D, that are connected to the switches inside the cloud via routers at each site. As information is sent from Site A to Site D, a virtual circuit path that the packets travel along is established between the sites.

7.3.2 Frame Relay Functionality Page 1: In an NBMA network, each virtual circuit requires a Layer 2 address for identification. In Frame Relay, this address is the data-link connection identifier (DLCI).

The DLCI identifies the VC that data uses to reach a particular destination. The DLCI is stored in the address field of every frame transmitted. The DLCI usually has only local significance and may be different at each end of a VC.

The Layer 2 DLCI is associated with the Layer 3 address of the device at the other end of the VC. Mapping the DLCI to a remote IP address can occur manually or dynamically using a process known as Inverse ARP.

Establishing a mapping of DLCI to remote IP address occurs in the following steps:

1. The local device announces its presence by sending its Layer 3 address out on the VC.

2. The remote device receives this information and maps the Layer 3 IP address to the local Layer 2 DLCI.

3. The remote device announces its IP address on the VC.

4. The local device maps the Layer 3 address of the remote device to the local DLCI on which it received the information.

7.3.2 - Frame Relay Functionality The animation depicts how Inverse ARP maps a Layer 2 DLCI to a remote IP address. A Frame Relay cloud contains two switches, S1 and S2. There are two routers, R1 and R2. R1 is connected to S1 via a serial link on interface S0/0/0, IP 209.165.200.225, DLCI 16. R2 is connected to S2 via a serial link on interface S0/0/0, IP 209.165.200.226, DLCI 20. S1 is connected to S2 by Frame Relay. S1 states, "DLCI 16 is active." R1 sends an Inverse ARP request to R2, and R2 sends a response to R1 with its IP address information. R1 states, "DLCI 16 is active. I will send an Inverse ARP request to learn the IP address of the remote router." The request is sent from R1 over the Frame Relay network to R2. R2 states, "I have received an Inverse ARP request on DLCI 20 from 209.165.200.225." R2 references its Frame Relay map, which shows DLCI 20 = 209.165.200.225. R2 states, "Inverse ARP response from 209.165.200.226", and sends a response back to R1. R1 references its Frame Relay map, which shows DLCI 16 = 209.165.200.226.

Page 2: Local Management Interface (LMI) is a signaling standard between the DTE and the Frame Relay switch. LMI reports the status of PVCs between devices.

LMI messages provide communication and synchronization between the network and the user device. They periodically report the existence of new PVCs and the deletion of existing PVCs. They also provide information about PVC integrity. VC status messages prevent data being sent to PVCs that no longer exist.

LMI provides VC connection status information that appears in the Frame Relay map table:

Active State

The connection is active and routers can exchange data.

Inactive State

The local connection to the FR switch is working but the remote connection to the FR switch is not.

Deleted State

The local connection receives no LMI messages from the FR switch or there is no service between the CPE router and the FR switch.

7.3.2 - Frame Relay Functionality The diagram depicts the use of LMI. There are three routers, R1, R2, and R3, and three switches, S1, S2, and S3. R1 is connected to the CSU/DSU. All switches are inside a cloud. S1 is connected to the CSU/DSU, S2, and S3. S2 is connected to S1, S3, and R2. S3 is connected to S1, S2, and R3. R2 is connected to S2. R3 is connected to S3. There is a double-sided arrow with an X through it from R1 to R2 symbolizing the connection from R1 to R2 (DLCI = 400) is down. There is a double-sided arrow from R1 to R3 symbolizing the connection from R1 to R3 (DLCI = 500) is up. A keep-alive is sent to R3, which says (LMI, 500 = Active, 400 = Inactive).
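The four Inverse ARP steps and the three LMI states, simulated together in Python as an added example (not Cisco's code and not part of the course). The cloud and routers are simulated objects; the addresses and DLCIs are the ones from the Inverse ARP animation (R1 209.165.200.225 on DLCI 16, R2 209.165.200.226 on DLCI 20), while the PVC pairing, the extra inactive DLCI 400 and the LMI status reports are constructed.

```python
"""Inverse ARP and LMI status on a Frame Relay router, simulated.

Added example, not Cisco's code. Addresses and DLCIs are from the section's
animation; the PVC pairing, DLCI 400 and the LMI reports are constructed.
"""

ACTIVE, INACTIVE, DELETED = "ACTIVE", "INACTIVE", "DELETED"


class FrameRelayCloud:
    """Provider cloud: a PVC joins a DLCI on one router to a DLCI on another."""

    def __init__(self):
        self.pvcs = {}                      # (router name, local DLCI) -> (router, its DLCI)

    def add_pvc(self, r1, dlci1, r2, dlci2):
        self.pvcs[(r1.name, dlci1)] = (r2, dlci2)
        self.pvcs[(r2.name, dlci2)] = (r1, dlci1)

    def deliver(self, sender, dlci, frame):
        """Switch the frame along the PVC; the DLCI is local, so it changes at the far end."""
        peer, peer_dlci = self.pvcs[(sender.name, dlci)]
        peer.receive(peer_dlci, frame)


class FrameRelayRouter:
    """DTE router keeping the Frame Relay map table (DLCI -> remote IP, status)."""

    def __init__(self, name, ip, cloud):
        self.name, self.ip, self.cloud = name, ip, cloud
        self.fr_map = {}                    # dlci -> {"ip": str | None, "status": str}

    def lmi_status(self, report):
        """LMI status message from the switch: {dlci: ACTIVE | INACTIVE}."""
        for dlci, status in report.items():
            entry = self.fr_map.setdefault(dlci, {"ip": None, "status": status})
            entry["status"] = status
            if status == ACTIVE and entry["ip"] is None:
                # Step 1: announce own Layer 3 address on the newly active VC.
                self.cloud.deliver(self, dlci, {"type": "inarp-request", "ip": self.ip})
        for dlci in self.fr_map:
            if dlci not in report:          # PVC no longer reported by the switch
                self.fr_map[dlci]["status"] = DELETED

    def lmi_timeout(self):
        """No LMI heard from the switch at all: every PVC goes to Deleted."""
        for entry in self.fr_map.values():
            entry["status"] = DELETED

    def receive(self, dlci, frame):
        # Steps 2 and 4: map the sender's IP to the DLCI the frame arrived on.
        entry = self.fr_map.setdefault(dlci, {"ip": None, "status": ACTIVE})
        entry["ip"] = frame["ip"]
        if frame["type"] == "inarp-request":
            # Step 3: answer with own IP so the other side can map too.
            self.cloud.deliver(self, dlci, {"type": "inarp-reply", "ip": self.ip})

    def next_hop_dlci(self, remote_ip):
        """DLCI to use for a remote IP, or None if no usable (Active) VC maps to it."""
        for dlci, entry in self.fr_map.items():
            if entry["ip"] == remote_ip and entry["status"] == ACTIVE:
                return dlci
        return None


def build_demo():
    """R1--S1--S2--R2 from the animation, plus an inactive PVC (DLCI 400) on R1."""
    cloud = FrameRelayCloud()
    r1 = FrameRelayRouter("R1", "209.165.200.225", cloud)
    r2 = FrameRelayRouter("R2", "209.165.200.226", cloud)
    cloud.add_pvc(r1, 16, r2, 20)
    r1.lmi_status({16: ACTIVE, 400: INACTIVE})   # S1's status report to R1
    r2.lmi_status({20: ACTIVE})                   # S2's status report to R2
    return r1, r2


if __name__ == "__main__":
    r1, r2 = build_demo()
    print("R1 map:", r1.fr_map)   # {16: {'ip': '209.165.200.226', 'status': 'ACTIVE'}, 400: {'ip': None, 'status': 'INACTIVE'}}
    print("R2 map:", r2.fr_map)   # {20: {'ip': '209.165.200.225', 'status': 'ACTIVE'}}
```

Note that no Inverse ARP is sent on DLCI 400 because LMI reports it Inactive, and that once the switch stops reporting DLCI 16 the entry moves to Deleted and next_hop_dlci no longer offers it, which is the "prevent data being sent to PVCs that no longer exist" behaviour described above.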

Page 3: When an end user subscribes to a Frame Relay service, the user negotiates certain service parameters with the provider.

One parameter is the committed information rate (CIR). The CIR is the minimum bandwidth rate guaranteed by the provider for data on a VC.

The service provider calculates the CIR as the average amount of data transmitted over a period of time. The calculated time interval is the committed time (Tc). The number of committed bits within the Tc is the committed burst (Bc). The cost of the Frame Relay service depends on the speed of the link and the CIR.

The CIR defines the minimum rate provided; however, if there is no congestion on the links, the service provider boosts or bursts the bandwidth up to a second agreed-upon bandwidth.

The excess information rate (EIR) is the average rate above the CIR that a VC can support when no network congestion exists. Any extra bits above the committed burst, up to the maximum speed of the access link, are known as the excess burst (Be).

Frames transmitted above the speed of the CIR are uncommitted, but are forwarded if the network supports it. These extra frames are marked as discard eligible (DE). If congestion occurs, the provider first drops frames with the DE bit set.

Users often pay for a lower CIR, counting on the fact that the service provider supplies higher bandwidth and bursts their traffic when there is no congestion.
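The CIR, Tc, Bc, Be and DE relationships above, worked through in Python as an added example (not the provider's or Cisco's code and not part of the course). It uses the figures from the diagram that follows (CIR 768 kbps, bursting up to the 1.544 Mbps access link) and the usual per-interval counting model, in which the first Bc bits sent within one Tc are committed, the next Be bits are forwarded marked DE, and anything beyond is discarded at the ingress switch. The frame sizes and that exact policing behaviour are assumptions; a given provider's policer may differ in detail.

```python
"""CIR, Bc, Be and DE marking on a Frame Relay access link (added example).

Not Cisco's or a provider's code. Uses the section's figures (CIR 768 kbps,
access link 1.544 Mbps) and a per-Tc counting model: first Bc bits committed,
next Be bits forwarded as DE, the rest discarded. Frame sizes are assumed.
"""


def committed_time(cir_bps: int, bc_bits: int) -> float:
    """Tc = Bc / CIR: the measurement interval in seconds."""
    return bc_bits / cir_bps


def burst_parameters(cir_bps: int, access_bps: int, tc_s: float):
    """Bc (committed burst) and Be (excess burst) for one Tc interval."""
    bc = int(cir_bps * tc_s)
    be = int((access_bps - cir_bps) * tc_s)     # EIR = access rate - CIR
    return bc, be


def police(frame_bits, cir_bps, access_bps, tc_s=1.0):
    """Classify each frame sent within a single Tc interval.

    Returns 'forward', 'forward-DE' or 'discard' per frame, in order.
    """
    bc, be = burst_parameters(cir_bps, access_bps, tc_s)
    sent, decisions = 0, []
    for bits in frame_bits:
        sent += bits
        if sent <= bc:
            decisions.append("forward")         # inside the CIR guarantee
        elif sent <= bc + be:
            decisions.append("forward-DE")      # bursting: discard eligible
        else:
            decisions.append("discard")         # beyond the access link capacity
    return decisions


def drop_on_congestion(decisions):
    """When the network congests, DE-marked frames are the first to go."""
    return ["discard" if d == "forward-DE" else d for d in decisions]


def summarize(decisions):
    """Count of frames per outcome."""
    return {k: decisions.count(k) for k in ("forward", "forward-DE", "discard")}


if __name__ == "__main__":
    # 130 constructed 1500-byte frames (12 000 bits each) offered in one 1-second Tc.
    frames = [1500 * 8] * 130
    result = police(frames, cir_bps=768_000, access_bps=1_544_000)
    print(summarize(result))                      # {'forward': 64, 'forward-DE': 64, 'discard': 2}
    print(summarize(drop_on_congestion(result)))  # {'forward': 64, 'forward-DE': 0, 'discard': 66}
```

With Tc = 1 s the numbers fall out directly: Bc = 768 000 bits (64 frames), Be = 1 544 000 - 768 000 = 776 000 bits (another 64 frames marked DE), and the two frames after that exceed what the access link can carry in the interval. The second summary shows why paying for a low CIR is a gamble: under congestion every DE frame is dropped and only the committed 64 get through.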

7.3.2 - Frame Relay Functionality The diagram depicts the use of CIR within Frame Relay parameters. A cloud, Service Provider, is connected to the Site A router via a link labeled Local Access Loop = T1, and to the Site B router via a link labeled Local Access Loop = 1544 kbps. Site A sends information to Site B, stating, "My provider guarantees bandwidth of 768 kbps; 768 kbps is my CIR." A caption on the cloud states, "The network is not congested, so we are going to burst your speed to 1.544 Mbps. All packets above your CIR are Discard Eligible." Frames continue to transmit to Site B until all information is sent.

Page 4: The forward explicit congestion notification (FECN) is a single-bit field that can be set to a value of 1 by a switch. It indicates to an end DTE device that the network is congested ahead.

The backward explicit congestion notification (BECN) is a single-bit field that, when set to a value of 1 by a switch, indicates that the network is congested in the opposite direction.

FECN and BECN allow higher-layer protocols to react intelligently to these congestion indicators. For example, the sending device uses BECNs to slow its transmission rate.

7.3.2 - Frame Relay Functionality The diagram depicts a bottleneck. A Frame Relay cloud is connected to the Branch Office router via a 56 kbps link, and to the Central Site router via a T1 link. The Central Site says, "I have received a lot of BECNs. The network must be congested. I need to reduce the pace at which I send packets."

Page 5:

7.3.2 - Frame Relay Functionality The diagram depicts an activity in which you must match the terms to their corresponding definitions.
Terms: 1. BECN 2. DLCI 3. FECN 4. CIR 5. DE 6. SVC 7. PVC
Definitions:
A. The type of VC most service providers will not permit.
B. Used to inform a receiving device that congestion was experienced.
C. The type of virtual circuit most often used by Frame Relay.
D. The Layer 2 address used by Frame Relay.
E. The contracted data rate that the service provider agrees to transfer.
F. Used to inform a sending device that congestion has occurred.
G. Marks a frame as being less important on a network.

7.4 Chapter Summary


7.4.1 Summary Page 1:

7.4.1 - Summary

Diagram 1, Image: The diagram depicts enterprises connecting to a cloud and shows traffic from two virtual circuits sharing the same links.

Diagram 1 text: A WAN uses many different technologies, each offering distinct advantages. Depending on the technology in use, converting the data format into an acceptable one requires a modem or a CSU/DSU. WAN technologies divide into circuit switching, packet switching, and cell switching. Circuit switching technologies create a physical circuit between end devices before sending information. Packet and cell switching technologies use either a PVC or an SVC to send information across the network. WAN technologies are either last mile, which connects the ISP to the customer, or long range, which interconnects ISPs.

Diagram 2, Image: The diagram depicts two users communicating across a complex network topology.

Diagram 2 text: HDLC is the default Layer 2 serial line encapsulation on Cisco routers. Cisco HDLC incorporates an extra field to allow it to carry multiple Layer 3 protocols. The Layer 2 encapsulation changes as frames are moved across the WAN. PPP allows the negotiation of many advanced features, including authentication, load balancing, callback, and compression. PPP supports both PAP and CHAP authentication. PAP authentication sends the username/password in clear text and is subject to sniffing and replay attacks. CHAP issues challenges at configurable intervals and forces the connected device to re-authenticate.

Diagram 3, Image: The diagram depicts the bottleneck when a branch office uses a 56 kbps connection to reach, via the Frame Relay cloud, a central site that uses a T1 connection.

Diagram 3 text: Frame Relay is a packet-switched technology. Frame Relay uses virtual circuits to connect a specific source to a destination. Virtual circuits can be switched or permanent. FECNs and BECNs inform the receiving and sending devices that the network is congested so that routers can take appropriate action. Frame Relay uses parameters such as CIR to establish the bandwidth used on each VC.

7.5 Chapter Quiz


7.5.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

7.5.1 - Quiz Chapter 7 Quiz: Implementing Enterprise WAN Links

1. What three parameters are defined by WAN standards? (Choose three.)
A. flow control
B. vendor
C. IP addressing
D. encapsulation
E. physical addressing
F. routing protocol

2. Which two layers of the OSI model describe WAN standards? (Choose two.)
A. Session
B. Network
C. Physical
D. Transport
E. Data Link
F. Application

3. What are two characteristics of a CSU/DSU? (Choose two.)
A. used for digital transmission
B. used for wireless transmission
C. installed at central office
D. often integrated into router's interface card
E. part of an integrated services router

4. Match the WAN connection term to the correct definition.
WAN connection terms: packet switching, circuit switching, cell switching, SVC, PVC.
Definitions:
virtual circuit that is dynamically established between two points when a router requests a transmission
establishes a connection between end nodes before forwarding data and ensures dedicated bandwidth through the length of transmission
virtual circuit that provides a permanent path to forward data between two points
packets from multiple organizations are switched over the same links

5. What two statements describe the Cisco implementation of High-Level Data Link Control protocol? (Choose two.)
A. is a data link layer protocol
B. provides retransmission and windowing
C. supports multiple protocols on a single link
D. uses the same frame format as standard HDLC
E. is the default encapsulation on Cisco LAN interfaces

6. What two services allow the router to map data link layer addresses to network layer addresses in a Frame Relay network? (Choose two.)
A. ARP
B. ICMP
C. Proxy ARP
D. Inverse ARP
E. LMI status messages

7. What is used to identify a destination for a frame in a Frame Relay network?
A. CIR
B. DLCI
C. FECN
D. BECN

8. Which three statements are true regarding LCP? (Choose three.)
A. It is responsible for negotiating link establishment.
B. It negotiates options for Layer 3 protocols running over PPP.
C. It uses MD5 encryption while negotiating link establishment parameters.
D. It terminates the link upon user request or the expiration of an inactivity timer.
E. It can test the link to determine if link quality is sufficient to bring up the link.
F. It monitors the link for congestion and dynamically adjusts the acceptable window size.

9. To answer this question, refer to the network topology and router output.
Network Topology: Router RTR_A is linked to router RTR_B via a serial link. The output from both routers appears as follows:

Router A
hostname RTR_A
!
enable gateway
username RTR_B password fortress
!
interface serial 0/0/0
IP address 10.10.10.1 255.255.255.252
encapsulation ppp
ppp authentication chap

Router B
hostname RTR_B
!
enable fortress
interface serial 0/0/0
IP address 10.10.10.2 255.255.255.252
encapsulation ppp
ppp authentication chap

Which command must be added to router RTR_B to allow router RTR_A to authenticate using CHAP?
A. RTR_B(config)# enable secret gateway
B. RTR_B(config)# enable secret fortress
C. RTR_B(config)# username RTR_B password fortress
D. RTR_B(config)# username RTR_A password fortress
E. RTR_B(config)# username RTR_B password gateway

10. What are two features of the CHAP protocol? (Choose two.)
A. exchanges random challenge number during the session to verify identity
B. disconnects the PPP session if authentication fails
C. sends authentication password to verify identity
D. requires different passwords on each device
E. initiates a two-way handshake


All contents copyright 2007-2008 Cisco Systems, Inc. All | Translated by the Cisco Networking Academy. About



8 Filtering Traffic Using Access Control Lists
8.0 Chapter Introduction
8.0.1 Introduction Page 1:

8.0.1 - Introduction Enterprise networks need security to ensure that only authorized users access the network. Traffic filtering tools, like Access Control Lists, are an important component of enterprise network security. ACLs permit and deny specific types of inbound and outbound traffic. Network engineers and technicians plan, configure, and verify ACLs on routers and other networking devices. After completion of this chapter, you should be able to: Describe traffic filtering. Explain how Access Control Lists (ACLs) can filter traffic at router interfaces. Analyze the use of wildcard masks. Configure and implement ACLs. Create and apply ACLs to control specific types of traffic. Log ACL activity and apply ACL best practices.

8.1 Using Access Control Lists


8.1.1 Traffic Filtering Page 1: Security within an enterprise network is extremely critical. It is important to prevent access by unauthorized users and to protect the network from various attacks, such as DoS attacks. Unauthorized users can modify, destroy, or steal sensitive data on servers. DoS attacks prevent valid users from accessing facilities. Both of these situations cause a business to lose time and money.

Through traffic filtering, an administrator controls traffic in various segments of the network. Filtering is the process of analyzing the contents of a packet to determine if the packet should be allowed or blocked.

Packet filtering can be simple or complex, denying or permitting traffic based on:

Source IP address
Destination IP address
MAC addresses
Protocols
Application type

Packet filtering can be compared to junk email filtering. Many email applications allow the user to adjust the configuration to automatically delete email from a particular source address. Packet filtering can be done in the same way by configuring a router to identify unwanted traffic.

Traffic filtering improves network performance. By denying unwanted or restricted traffic close to its source, the traffic does not travel across a network and consume valuable resources.

8.1.1 - Traffic Filtering The diagram depicts the use of traffic filtering. There is a circle with an internal network inside; the internal network contains four hosts connected to a switch. The switch is connected to a router which connects the internal network to external networks. The router is receiving four external packets. The packets labeled HTTP Protocol and Network 172.16.0.0 are allowed access into the network. The packets labeled IP Address 192.168.1.5 and Telnet are being blocked from accessing the network. The internal network uses MAC Address filtering. One of the four hosts is blocked from using the network.

Page 2: Devices most commonly used to provide traffic filtering are:

Firewalls built into integrated routers
Dedicated security appliances
Servers

Some devices only filter traffic that originates from the internal network. More sophisticated security devices recognize and filter known types of attacks from external sources.

Enterprise routers recognize harmful traffic and prevent it from accessing and damaging the network. Nearly all routers filter traffic based on the source and destination IP addresses of packets. They also filter on specific applications and on protocols such as IP, TCP, HTTP, FTP, and Telnet.

8.1.1 - Traffic Filtering The diagram depicts four traffic filtering devices:
Cisco Security Appliances
Server-Based Firewall
Linksys Wireless Router with Integrated Firewall
Cisco Router with IOS Firewall

8.1.2 Access Control Lists Page 1: One of the most common methods of traffic filtering is the use of access control lists (ACLs). ACLs can be used to manage and filter traffic that enters a network, as well as traffic that exits a network.

An ACL ranges in size from one statement that allows or denies traffic from one source, to hundreds of statements that allow or deny packets from multiple sources. The primary use of ACLs is to identify the types of packets to accept or deny.

ACLs identify traffic for multiple uses such as:

Specifying internal hosts for NAT
Identifying or classifying traffic for advanced features such as QoS and queuing
Restricting the contents of routing updates
Limiting debug output
Controlling virtual terminal access to routers

The following potential problems can result from using ACLs:

The additional load on the router to check all packets means less time to actually forward packets.
Poorly designed ACLs place an even greater load on the router and might disrupt network usage.
Improperly placed ACLs block traffic that should be allowed and permit traffic that should be blocked.

8.1.2 - Access Control Lists The diagram depicts the placement of Access Control Lists. Two ACLs that are placed strategically on the network are used to block specific traffic from accessing parts of the network.

8.1.3 Types and Usage of ACLs Page 1: When creating access control lists, a network administrator has several options. The complexity of the design guidelines determines the type of ACL required.

There are three types of ACLs:

Standard ACLs

The Standard ACL is the simplest of the three types. A standard IP ACL filters based only on the source IP address of a packet. Standard ACLs permit or deny based on the entire protocol, such as IP. So, if a host device is denied by a standard ACL, all services from that host are denied. This type of ACL is useful for allowing all services from a specific user or LAN access through a router while denying other IP addresses access. Standard ACLs are identified by the number assigned to them. For access lists permitting or denying IP traffic, the identification number can range from 1 to 99 and from 1300 to 1999.

Extended ACLs

Extended ACLs filter not only on the source IP address but also on the destination IP address, protocol, and port numbers. Extended ACLs are used more than Standard ACLs because they are more specific and provide greater control. The range of numbers for Extended ACLs is from 100 to 199 and from 2000 to 2699.

Named ACLs

Named ACLs (NACLs) are Standard or Extended ACLs that are referenced by a descriptive name rather than a number. When configuring named ACLs, the router IOS uses a NACL subcommand mode.

8.1.3 - Types and Usage of ACLs The diagram depicts a table of information about IOS Access Control Lists. The column headers include Type of ACL, Sample ACL Command/Statement, and Purpose of Statement. The types of ACL described are Standard, Extended, and Named.
Type of ACL: Standard
Sample ACL Command/Statement: Router(config)# access-list 1 permit host 172.16.2.88
Purpose of statement: Permits a specific IP address.
Type of ACL: Extended
Sample ACL Command/Statement: Router(config)# access-list 100 deny tcp 172.16.2.0 0.0.0.255 any eq telnet
Purpose of statement: Denies access from the 172.16.2.0/24 subnet to any other host if they are attempting to use Telnet.
Type of ACL: Named
Sample ACL Command/Statement: Router(config)# ip access-list standard permit-IP
Router(config-ext-nacl)# permit host 192.168.5.47
Purpose of statement: Creates a standard access list named permit-IP and allows access from IP address 192.168.5.47. The first command puts the router into NACL sub-command mode.

Page 2:

8.1.3 - Types and Usage of ACLs The diagram depicts an activity in which you must decide if each of the following characteristics belongs to a Standard, Extended, or Named ACL.
1. Simplest type of ACL.
2. Uses a special sub-configuration mode.
3. Uses a numeric identifier and can filter on protocol and port numbers.
4. Can create both standard and extended access lists.
5. Identified by number range from 100-199.
6. Can only filter on source IP address or range.
7. Uses a numeric identifier and can filter on source or destination IP address.
8. Identified by number range from 1-99.
9. Can be assigned a meaningful descriptive identifier.

8.1.4 ACL Processing Page 1:

Access control lists consist of one or more statements. Each statement either permits or denies traffic based on specified parameters. Traffic is compared to each statement in the ACL sequentially until a match is found or until there are no more statements.

The last statement of an ACL is always an implicit deny. This statement is automatically inserted at the end of each ACL even though it is not physically present. The implicit deny blocks all traffic. This feature prevents the accidental entry of unwanted traffic.

After creating an access control list, apply it to an interface for it to become effective. The ACL targets traffic that is either inbound or outbound through the interface. If a packet matches a permit statement, it is allowed to enter or exit the router. If it matches a deny statement, it goes no further. An ACL that does not have at least one permit statement blocks all traffic. This is because at the end of every ACL is an implicit deny. Therefore an ACL will deny all traffic not specifically permitted.

8.1.4 - ACL Processing The animation depicts the use of ACLs to limit traffic on a network.
Network Topology: There is a network cloud with two hosts, H1 and H2. The H1 IP address is 192.168.1.1. The H2 IP address is 192.168.1.5. There is a router, R1, attached to the cloud via S0/0/0. A switch, S1, is connected to R1 via S0/0/1. S1 is connected to two hosts, H3 and H4.
A packet is sent from H1 to R1 via S0/0/0. R1 has an ACL on the inbound interface S0/0/0, as follows:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
The IP address in the ACL statement matches the source IP in the packet, so the packet is forwarded.
A packet is sent from H2 to R1 via S0/0/0. R1 has an ACL on the inbound interface S0/0/0, as follows:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
This time the IP address in the ACL does not match the source IP in the packet. The packet is not forwarded; it is dropped by the implicit deny statement.

Page 2: An administrator applies either an inbound or outbound ACL to a router interface. The inbound or outbound direction is always from the perspective of the router. Traffic coming in an interface is inbound and traffic going out an interface is outbound.

When a packet arrives at an interface, the router checks the following parameters:

Is there an ACL associated with the interface?
Is the ACL inbound or outbound?
Does the traffic match the criteria for permitting or denying?

An ACL applied outbound to an interface has no effect on traffic inbound on that same interface.

Each interface of a router can have one ACL per direction for each network protocol. For the IP protocol, one interface can have one ACL inbound and one ACL outbound at the same time.

ACLs applied to an interface add latency to the traffic. Even one long ACL can affect router performance.

8.1.4 - ACL Processing The animation depicts how inbound and outbound ACLs process traffic.
Network Topology: There is a network cloud with a host, H1, with the IP address 192.168.1.1. Router R1 is connected to the cloud via S0/0/0. R1 is connected to switch S1 via Fa0/0. S1 is connected to two hosts, H2, IP address 172.22.4.1, and H3, IP address 172.22.4.2.
Inbound Traffic: A packet is sent from H1 to R1. R1 says, "I have an ACL associated with the S0/0/0 interface." The packet reaches R1, where the ACL is applied to interface S0/0/0 inbound. R1 says, "I have to filter traffic inbound. You match the permit statement of the ACL, therefore move ahead." The ACL has the following information:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
The packet is forwarded to its destination.
Outbound Traffic: A packet is sent from H1 to R1. R1 says, "I will switch you to the Fa0/0 interface to reach your destination." The packet reaches R1. R1 says, "I have an ACL associated with the Fa0/0 interface." The ACL is applied to interface Fa0/0 outbound. R1 says, "I have to filter traffic outbound. You match the permit statement of the ACL, therefore move ahead." The ACL has the following information:
access-list 1 permit host 192.168.1.1
access-list 1 deny any (implied)
The packet is forwarded to its destination.

Page 3:

8.1.4 - ACL Processing The diagram depicts an activity in which you must determine if the packet will be permitted or denied, based on the given Source IP Address.
1. Source IP Address: 192.168.1.133. ACL Statements:
access-list 1 permit host 192.168.1.33
access-list 1 permit host 192.168.1.233
2. Source IP Address: 192.168.1.228. ACL Statements:
access-list 2 permit host 192.168.1.215
3. Source IP Address: 10.10.10.5. ACL Statements:
access-list 3 permit host 10.10.10.5
access-list 3 deny host 172.22.4.1
4. Source IP Address: 172.22.4.1. ACL Statements:
access-list 4 deny host 172.22.4.1
access-list 4 permit host 172.22.4.2
5. Source IP Address: 172.22.4.1. ACL Statements:
access-list 5 permit host 10.10.10.5
access-list 5 permit host 172.22.4.1
6. Source IP Address: 172.22.4.3. ACL Statements:
access-list 6 deny host 172.22.4.3

8.2 Using a Wildcard Mask


8.2.1 ACL Wildcard Mask Purpose and Structure Page 1: Simple ACLs specify only one permitted or denied address. Blocking multiple addresses or ranges of addresses requires using either multiple statements or a wildcard mask. Using an IP network address with a wildcard mask allows much more flexibility. A wildcard mask can block a range of addresses or a whole network with one statement.

A wildcard mask uses 0s to indicate the portion of an IP address that must match exactly and 1s to indicate the portion of the IP address that does not have to match a specific number.

A wildcard mask of 0.0.0.0 requires an exact match on all 32 bits of the IP address. This mask equates to the use of the host parameter.

8.2.1 - ACL Wild-card Mask Purpose and Structure The diagram depicts a person sitting at a workstation with the following information displayed on the monitor:
Wild-card masks that permit a single host: 172.16.22.87 0.0.0.0 and host 172.22.8.17
Wild-card mask that permits a range of hosts for a /24 network: 172.16.22.0 0.0.0.255
Wild-card mask that permits an entire /16 network: 172.16.0.0 0.0.255.255
Wild-card mask that permits an entire /8 network: 10.0.0.0 0.255.255.255

Page 2: The wildcard mask used with ACLs functions like the one used in the OSPF routing protocol. However, the purpose of each mask is different. With ACL statements, the wildcard mask specifies a host or range of addresses to be permitted or denied.

When creating an ACL statement, the IP address and wildcard mask become the comparison fields. All packets that enter or exit an interface are compared to each statement of the ACL to determine if there is a match. The wildcard mask determines how many bits of the incoming IP address match the comparison address.

As an example, the following statement permits all hosts from the 192.168.1.0 network and blocks all others:

access-list 1 permit 192.168.1.0 0.0.0.255

The wildcard mask specifies that only the first three octets must match. Therefore, if the first 24 bits of the incoming packet match the first 24 bits of the comparison field, the packet is permitted. Any packet with a source IP address in the range of 192.168.1.1 to 192.168.1.255 matches the example comparison address and mask combination. All other packets are denied by the ACL implicit deny any statement.

8.2.1 - ACL Wild-card Mask Purpose and Structure The diagram depicts the steps involved in creating an ACL with the following statement: R1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Step 1. Convert the decimal comparison address to binary. Comparison Address: decimal 192.168.1.0, binary 11000000.10101000.00000001.00000000
Step 2. Convert the decimal wild-card mask to binary. Wild-card Mask: decimal 0.0.0.255, binary 00000000.00000000.00000000.11111111
Step 3. Compare the wild-card mask match bits (24 zeros) with the comparison address bits. Comparison Address bits to match: decimal 192.168.1.X, binary 11000000.10101000.00000001.XXXXXXXX
Step 4. Compare the first 24 bits of an incoming packet's IP address to the first 24 bits of the comparison address. Incoming Packet Address: decimal 192.168.1.27, binary 11000000.10101000.00000001.00011011
Step 5. The incoming packet IP address matches the comparison address and wild-card mask. If the bits match, the packet is permitted by the ACL.

Page 3:

8.2.1 - ACL Wild-card Mask Purpose and Structure The diagram depicts an activity in which you must determine the wild-card mask for each of the following ACL statement objectives.
ACL Statement Objective:
1. Deny all hosts from the 192.168.55.0/24 network
2. Permit all hosts from the 172.20.4.0/24 subnet
3. Permit only host 10.10.10.1
4. Deny only host 192.168.93.240
5. Deny all hosts from the 172.30.0.0/16 network
6. Deny all hosts from the 172.25.0.0/16 network
7. Permit all hosts from the 10.0.0.0/8 network
8. Deny all hosts from the 10.0.0.0/16 network

8.2.2 Analyzing the Effects of the Wildcard Mask Page 1: When creating an ACL, there are two special parameters that can be used in place of a wildcard mask: host and any.

Host parameter

To filter a single, specific host, use either the wildcard mask 0.0.0.0 after the IP address or the host parameter prior to the IP address.

R1(config)#access-list 9 deny 192.168.15.99 0.0.0.0

Is the same as:

R1(config)#access-list 9 deny host 192.168.15.99

Any parameter

To filter all hosts, use the all-1s wildcard mask of 255.255.255.255. With this mask every bit is treated as a match, so the IP address that accompanies it is typically written as 0.0.0.0. Another way to filter all hosts is to use the any parameter.

R1(config)#access-list 9 permit 0.0.0.0 255.255.255.255

Is the same as:

R1(config)#access-list 9 permit any

Consider the following example that denies a specific host and permits all others:

R1(config)#access-list 9 deny host 192.168.15.99

R1(config)#access-list 9 permit any

The permit any command permits all traffic not specifically denied in the ACL. When this is configured, no packets will reach the implicit deny any at the end of the ACL.

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts a router connected to a switch with the following ACL inbound on Fa0/0:
access-list 9 deny host 192.168.15.99
access-list 9 permit any
Network Topology: Four hosts are connected to the switch. Three of the hosts, with IP addresses 192.168.15.77, 192.168.15.22, and 192.168.15.33, can transmit. The host with the IP address 192.168.15.99 cannot transmit.

Page 2: In an enterprise network with a hierarchical IP addressing scheme, it is often necessary to filter subnet traffic.

If 3 bits are used for subnetting the 192.168.77.0 network, the subnet mask is 255.255.255.224. Subtracting the subnet mask from the all 255s mask results in a wildcard mask of 0.0.0.31. To permit the hosts on the 192.168.77.32 subnet, the ACL statement is:

access-list 44 permit 192.168.77.32 0.0.0.31

The first 27 bits of each packet's source address must match the first 27 bits of the comparison address. The overall range of addresses that this statement permits is from 192.168.77.33 to 192.168.77.63, which is the range of all addresses on the 192.168.77.32 subnet.

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts a subnet mask chart with the following explanation.
Subnet address: 192.168.77.32 255.255.255.224
Comparison/Base Address: 192.168.77.32 0.0.0.31
Bit values for one octet: 128, 64, 32, 16, 8, 4, 2, and 1.
All 1s binary octet: 1, 1, 1, 1, 1, 1, 1, and 1 gives a decimal value of 255.
Subnet Mask: 1, 1, 1, 0, 0, 0, 0, and 0 gives a decimal value of 224.
Wild-card Mask: 0, 0, 0, 1, 1, 1, 1, and 1 gives a decimal value of 31.
Match Bits: the first three bits of the above octet.
Non-Match Bits: the last five bits of the above octet.
More Information Popup: A network that is a full Class A, B, or C has a subnet mask and a wild-card mask that divide evenly at an octet boundary. Subnets that do not break on an octet boundary produce a different wild-card mask value. An octet boundary is the place between the first and second or the second and third octet. Example: A default Class A mask ends between bit positions 8 and 9, at the end of the first octet and the beginning of the second; that position is an octet boundary.

Page 3: Creating accurate wildcard masks for ACL statements provides the control required to fine-tune traffic flow. Filtering different subnet traffic is the most difficult concept for beginners.

The 192.168.77.0 network, with a subnet mask of 255.255.255.192 or /26, creates the following four subnets:

192.168.77.0/26

192.168.77.64/26

192.168.77.128/26

192.168.77.192/26

To create an ACL to filter any of these four subnets, subtract the subnet mask 255.255.255.192 from the all 255s mask resulting in a wildcard mask of 0.0.0.63. To permit traffic from the first two of these subnets, use two ACL statements:

access-list 55 permit 192.168.77.0 0.0.0.63
access-list 55 permit 192.168.77.64 0.0.0.63

The first two networks also summarize to 192.168.77.0/25. Subtracting the summarized subnet mask of 255.255.255.128 from the all 255s mask results in a wildcard mask of 0.0.0.127. Using this mask groups these two subnets together into one ACL statement instead of two.

access-list 5 permit 192.168.77.0 0.0.0.127

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts the effects of the wild-card mask. Network Topology: A router has an ACL outbound on S0/0/0. This router is connected to four networks on FastEthernet ports. Networks 192.168.77.192/26 and 192.168.77.128/26 are blocked. Networks 192.168.77.64/26 and 192.168.77.0/26 are allowed.
OPTION A
access-list 55 permit 192.168.77.0 0.0.0.63
access-list 55 permit 192.168.77.64 0.0.0.63
(implied deny any)
OPTION B
access-list 5 permit 192.168.77.0 0.0.0.127
(implied deny any)

Page 4:

8.2.2 - Analyzing the Effects of the Wild-card Mask The diagram depicts an activity in which you must analyze the comparison address and wild-card mask. Decide whether each packet will be permitted or denied based on the information.
1. ACL Statement: access-list 66 permit 192.168.122.128 0.0.0.63. IP Packet Address: 192.168.122.195
2. ACL Statement: access-list 66 permit 192.168.223.64 0.0.0.31. IP Packet Address: 192.168.223.27
3. ACL Statement: access-list 66 permit 192.168.223.32 0.0.0.31. IP Packet Address: 192.168.223.60
4. ACL Statement: access-list 66 permit 192.168.155.0 0.0.0.255. IP Packet Address: 192.168.155.245
5. ACL Statement: access-list 66 permit 10.93.76.8 0.0.0.3. IP Packet Address: 10.93.76.10
6. ACL Statement: access-list 66 permit 192.168.155.0 0.0.0.255. IP Packet Address: 192.168.156.245
7. ACL Statement: access-list 66 permit 172.16.0.0 0.0.255.255. IP Packet Address: 172.17.0.5
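The matching rules of sections 8.1.4 and 8.2 (sequential first match, the implicit deny, and wildcard bits that must or need not match) carried out in Python, as an added example that is not part of the course and is not Cisco IOS code. It feeds the page's own statements (lists 9, 44, 55 and 5) through one evaluator; the function names, the host/any parsing and the sample host addresses from each /26 subnet are assumptions made here.

```python
"""Standard IP ACL evaluation as described in sections 8.1.4 and 8.2:
wildcard-mask matching, sequential first-match, and the implicit deny.
Added example written for this page; not Cisco IOS code."""
import ipaddress
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask (section 8.2.2)."""
    return to_dotted(ALL_ONES - to_int(subnet_mask))


def wildcard_matches(packet_ip: str, comparison_ip: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match exactly; a 1 bit is ignored."""
    care = ALL_ONES ^ to_int(wildcard)          # bit positions that must match
    return (to_int(packet_ip) & care) == (to_int(comparison_ip) & care)


def parse_statement(line: str) -> Tuple[int, str, str, str]:
    """Parse 'access-list N permit|deny <source>' in the forms used on this
    page: 'host A.B.C.D', 'any', or 'A.B.C.D W.X.Y.Z'.  A bare address with
    no wildcard is treated as a single host (assumed IOS default)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL statement: {line!r}")
    number, action = int(parts[1]), parts[2]
    if parts[3] == "host":
        address, wildcard = parts[4], "0.0.0.0"
    elif parts[3] == "any":
        address, wildcard = "0.0.0.0", "255.255.255.255"
    else:
        address = parts[3]
        wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
    return number, action, address, wildcard


def evaluate(acl: List[str], source_ip: str) -> Tuple[str, Optional[str]]:
    """Compare the packet's source address to each statement in order; the
    first match decides.  No match means the implicit 'deny any', reported
    here as None because it never appears in the configuration."""
    for line in acl:
        _, action, address, wildcard = parse_statement(line)
        if wildcard_matches(source_ip, address, wildcard):
            return action, line
    return "deny", None


def permitted(acl: List[str], source_ip: str) -> bool:
    return evaluate(acl, source_ip)[0] == "permit"


def same_decisions(acl_a: List[str], acl_b: List[str], sample_ips: List[str]) -> bool:
    """True when both lists permit and deny exactly the same sample addresses
    (used to show that one /25 statement replaces two /26 statements)."""
    return all(permitted(acl_a, ip) == permitted(acl_b, ip) for ip in sample_ips)


# Statements quoted from the page.
ACL9 = ["access-list 9 deny host 192.168.15.99", "access-list 9 permit any"]
ACL44 = ["access-list 44 permit 192.168.77.32 0.0.0.31"]
OPTION_A = ["access-list 55 permit 192.168.77.0 0.0.0.63",
            "access-list 55 permit 192.168.77.64 0.0.0.63"]
OPTION_B = ["access-list 5 permit 192.168.77.0 0.0.0.127"]
# One constructed host from each of the four /26 subnets of 192.168.77.0.
SUBNET_HOSTS = ["192.168.77.1", "192.168.77.70", "192.168.77.130", "192.168.77.200"]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.224"))             # 0.0.0.31
    for ip in ("192.168.15.77", "192.168.15.99"):
        print(ip, evaluate(ACL9, ip))
    print("option A == option B:", same_decisions(OPTION_A, OPTION_B, SUBNET_HOSTS))
    # Order matters: a host deny placed below a network permit never fires.
    ordered = ["access-list 3 deny host 192.168.4.12",
               "access-list 3 permit 192.168.4.0 0.0.0.255"]
    print(permitted(ordered, "192.168.4.12"), permitted(ordered[::-1], "192.168.4.12"))
```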

8.3 Configuring Access Control Lists


8.3.1 Placing Standard and Extended ACLs Page 1: Properly designed access control lists have a positive impact on network performance and availability. Plan the creation and placement of access control lists to maximize this effect.

Planning involves the following steps:

1. Determine the traffic filtering requirements

2. Decide which type of ACL best suits the requirements

3. Determine the router and the interface on which to apply the ACL

4. Determine in which direction to filter traffic

Step 1: Determine Traffic Filtering Requirements

Gather traffic filtering requirements from stakeholders from within each department of an enterprise. These requirements differ from enterprise to enterprise and are based on customer needs, traffic types, traffic loads, and security concerns.

8.3.1 - Placing Standard and Extended ACL's The diagram depicts a boardroom environment with several people sitting at the boardroom table. The people are viewing a graphic on the overhead projector.

Page 2: Step 2: Decide Type of ACL to Suit Requirements The decision to use a Standard ACL or an Extended ACL depends on the filtering requirements of the situation. The choice of ACL type can affect the flexibility of the ACL, as well as the router performance, and network link bandwidth.

Standard ACLs are simple to create and implement. However, standard ACLs only filter based on the source address and will filter all traffic without regard to the type or the destination of the traffic. With routes to multiple networks, a standard ACL placed too close to the source may unintentionally block traffic that should be permitted. Therefore, it is important to place standard ACLs as close to the destination as possible.

When filtering requirements are more complex, use an Extended ACL. Extended ACLs offer more control than Standard ACLs. They filter on source and destination addresses. They also filter by looking at the network layer protocol, transport layer protocol, and port numbers if required. This increased filtering detail allows a network administrator to create ACLs that meet the specific needs of a security plan.

Place an Extended ACL close to the source address. By looking at both the source and destination address, the ACL blocks packets intended for a specific destination network before they leave the source router. The packets are filtered before they cross the network, which helps conserve bandwidth.

8.3.1 - Placing Standard and Extended ACLs The diagram depicts two scenarios that include a description and an example of Standard ACL Placement and Extended ACL Placement. Four routers are directly connected in a circle by serial links. Each of the routers, R1 through R4, has a FastEthernet port in use. The network addresses for each connected network are as follows:
R1: 192.168.1.0/24
R2: 192.168.2.0/24
R3: 192.168.3.0/24
R4: 192.168.4.0/24
Network Topology: R1 and R4 are opposite each other. There are blocks at R1 and R4 between the router and its FastEthernet port. These blocks indicate where an ACL may be placed.
Scenario 1: Standard ACL Placement
ACL:
access-list 9 deny 192.168.1.0 0.0.0.255
access-list 9 permit any
Requirements: Prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network. Allow 192.168.1.0 to reach other networks.
Bad Location: Meets some of the requirements. Prevents traffic from the 192.168.1.0 network from reaching networks 192.168.2.0 and 192.168.3.0.
Good Location: Meets all requirements.
Scenario 2: Extended ACL Placement
ACL:
access-list 109 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 109 permit ip any any
Requirements: Use an extended ACL to prevent traffic from the 192.168.1.0 network from entering the 192.168.4.0 network, but allow the 192.168.1.0 network to reach other networks.
Good Location: The extended ACL is placed closest to the source, which prevents traffic from the 192.168.1.0 network from reaching 192.168.4.0 but also allows it to reach other networks.

Page 3: Step 3: Determine Router and Interface for ACL Place ACLs on routers in either the Access or Distribution Layer. A network administrator must have control of these routers and be able to implement a security policy. A network administrator who does not have access to a router cannot configure an ACL on it.

Selection of the appropriate interface depends on the filtering requirements, the ACL type, and the location of the designated router. It is best to filter traffic before it advances onto a lower bandwidth serial link. The interface selection is usually obvious once the router is chosen.

Step 4: Determine Direction to Filter Traffic When determining the direction in which to apply an ACL, visualize the traffic flow from the perspective of the router.

Inbound traffic is traffic that is coming into a router interface from outside. The router compares the incoming packet to the ACL before looking up the destination network in the routing table. Packets discarded at this point save the overhead of routing lookups. This makes the inbound access control list more efficient for the router than an outbound access list.

Outbound traffic is inside the router and leaves through an interface. For an outbound packet, the router has already done a routing table lookup and has switched the packet to the correct interface. The packet is compared to the ACL just before leaving the router.

8.3.1 - Placing Standard and Extended ACLs This animation depicts the process of determining the type and placement of an ACL.
Network Topology: Router R1 is connected to routers R2 and R3 via serial links. The network address assignments for each router are as follows:
R1 Fa0/1: 192.168.4.0/24
R1 Fa0/0: 192.168.1.0/24
R2 Fa0/0: 192.168.2.0/24
R3 Fa0/0: 192.168.3.0/24
The requirement given in the diagram is: "We need to prevent traffic from the 192.168.1.0 network from entering the 192.168.2.0 network but allow it to reach other networks."
The Standard ACL and Extended ACL commands are listed below:
Standard ACL
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
Extended ACL
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
The following questions are included in the diagram:
1. What kind of ACL? Answer: Extended ACL.
2. On which router? Answer: R1.
3. On which interface? Answer: Fa0/0.
4. In which direction? Answer: Inbound.
The extended ACL is placed inbound on interface Fa0/0 of R1, where traffic from the 192.168.1.0 network enters the router.

Page 4:

8.3.1 - Placing Standard and Extended ACLs The diagram depicts an activity in which you must match the correct router, interface, and direction for the placement of the ACL in each of the following two scenarios.
Scenario 1 Requirement: You have an extended ACL that prevents traffic from the 172.16.1.0 network from reaching the 172.16.3.0 network, but allows it to reach the 172.16.2.0 network and the ISP. You need to minimize traffic on the WAN links and can only place the ACL on one interface.
ACL:
access-list 101 deny ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip any any
Scenario 2 Requirement: You have a standard ACL that permits all traffic from any 172.16.0.0 network to reach the ISP network but blocks all other traffic.
ACL:
access-list permit 172.16.0.0 0.0.255.255
Network Topology: The diagram depicts three routers, R1, R2, and R3, that are directly connected to each other by serial links. The networks connected to the FastEthernet ports of each router are listed below:
R1 Fa0/0: 172.16.1.0/24
R2 Fa0/0: 172.16.2.0/24
R3 Fa0/0: 172.16.3.0/24
The following are the router, interface, and direction options. Decide which ones belong to each scenario.
Option 1. S0/0/1
Option 2. R3
Option 3. S0/0/0
Option 4. R2
Option 5. S0/1/0
Option 6. OUT
Option 7. IN
Option 8. R1
Option 9. Fa0/0

8.3.2 Basic ACL Configuration Process Page 1:

After capturing the requirements, planning the access control list, and determining the location, configure the ACL.

Each ACL requires a unique identifier. This identifier can be either a number or a descriptive name.

In numbered access control lists, the number identifies the type of ACL created:

Standard IP ACLs have numbers in the ranges from 1 to 99 and from 1300 to 1999. Extended IP ACLs have numbers in the ranges from 100 to 199 and from 2000 to 2699.

It is also possible to create AppleTalk and IPX ACLs.

The limit for any one router interface is one ACL per protocol per direction. If a router is running IP exclusively, each interface handles a maximum of two ACLs: one inbound and one outbound. Since each ACL compares every packet passing through an interface, ACLs add to latency.

8.3.2 - Basic ACL Configuration Process The diagram depicts the following guidelines for ACL processing and creation.
ACL Processing and Creation Guidelines:
Configure only one access list per protocol per direction.
Apply standard access lists closest to the destination.
Apply extended access lists closest to the source.
Use the correct number range for the type of list.
Determine the inbound or outbound direction by looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom.
A packet is denied if no match is found.
Enter the access list statements in order from specific to general.
Configure an ACL with at least one permit statement or all traffic will be denied.
More Information Popup: When an IP access list rejects a packet, the router discards the packet and sends an ICMP host unreachable message to the sender. Outbound filters do not affect traffic that originates from the local router. An implicit deny any is at the end of all access lists (it does not appear in the listing). Create your ACLs in a text editor to make them easier to edit. You can copy and paste ACL statements into the router.

Page 2:

Configuring an access control list requires two steps: creation and application.

ACL Creation

Enter global configuration mode. Using the access-list command, enter the access control list statements. Enter all statements with the same ACL number until the access control list is complete.

The syntax for the Standard ACL statement is:

access-list [access-list-number] [deny | permit] [source address] [source-wildcard] [log]

Since every packet is compared to the ACL statements in order until a match is found, the order of the statements within the ACL can affect the latency introduced. Therefore, order the statements so that the more common conditions appear before the less common ones: statements that match the highest volume of traffic belong toward the beginning of the ACL.

Keep in mind, however, that once a match is found, the packet is no longer compared to any other statements within the ACL. This means that if one line permits a packet, but a line further down the ACL denies it, the packet will be permitted. For this reason, plan the ACL so that the more specific requirements appear before more general ones. In other words, deny a specific host of a network before permitting the remainder of the entire network.

Document the function of each section or statement of the ACL using the remark command:

access-list [list number] remark [text]

To delete an ACL, use the command:

no access-list [list number]

With the classic numbered syntax it is not possible to delete a single line from a standard or extended ACL: the no access-list command removes the whole list, which must then be re-entered in its entirety. IOS releases that support sequence numbers can edit individual lines, as described in section 8.3.5.

8.3.2 - Basic ACL Configuration Process The diagram depicts an ACL configuration process. Network Topology: Two routers, R1 and R2, are directly connected to each other via a serial link. R1 has both FastEthernet ports in use, with the networks 192.168.1.0/24 and 192.168.2.0/24. R2 has both FastEthernet ports in use, with the networks 192.168.3.0/24 and 192.168.4.0/24. A server with the address 192.168.3.200 and a client computer with the address 192.168.4.12 are connected. The ACL commands, intended for placement on R2 Fa0/0, are:
R2(config)# access-list 3 remark to departmental server
R2(config)# access-list 3 deny host 192.168.4.12
R2(config)# access-list 3 permit 192.168.4.0 0.0.0.255
R2(config)# access-list 3 permit 192.168.1.66
Note: access-list 3 deny host 192.168.4.12 is specific; access-list 3 permit 192.168.4.0 0.0.0.255 is general.

8.3.3 Configuring Numbered Standard ACLs Page 1: An ACL does not filter traffic until it has been applied, or assigned, to an interface.

ACL Application

Assign an ACL to one or more interfaces, specifying either inbound traffic or outbound traffic. Apply a standard ACL as close to the destination as possible.

R2(config-if)#ip access-group [access-list-number] [in | out]

The following commands place access-list 5 on the R2 Fa0/0 interface filtering inbound traffic:

R2(config)#interface fastethernet 0/0
R2(config-if)#ip access-group 5 in

The default direction for an ACL applied to an interface is out. Even though out is the default, it is very important to specify the direction to avoid confusion and to ensure that traffic filters in the correct direction.

To remove an ACL from an interface while leaving the ACL itself intact, use no ip access-group [access-list-number] [in | out] in interface configuration mode.

8.3.3 - Configuring Numbered Standard ACLs The animation depicts the application of an ACL to an interface. Network Topology: Two routers connected by a serial link. A server and a computer are connected to each FastEthernet port of R2. One computer is connected to the FastEthernet port of R1. The commands for configuring the ACL are:
R2(config)# access-list 3 remark to departmental server
R2(config)# access-list 3 deny host 192.168.4.12
R2(config)# access-list 3 permit 192.168.4.0 0.0.0.255
R2(config)# access-list 3 permit 192.168.1.66
After the ACL is configured on R2, packets still travel freely across the network. The commands for applying the ACL are:
R2(config)# interface fa0/0
R2(config-if)# ip access-group 3 out
Once the ACL is applied outbound on the Fa0/0 interface of R2, the traffic from 192.168.4.12 toward that interface is denied.

Page 2: Several ACL commands evaluate the proper syntax, order of statements, and placement on interfaces.

show ip interface

Displays IP interface information and indicates any assigned ACLs.

show access-lists [access list number]

Displays the contents of all ACLs on the router. It also displays the number of matches for each permit or deny statement since application of the ACL. To see a specific list, add the ACL name or number as an option for this command.

show running-config

Displays all configured ACLs on a router, even if they are not currently applied to an interface.

If using numbered ACLs, statements entered after the initial creation of the ACL are added to the end. This order may not yield the desired results. To resolve this issue, remove the original ACL and recreate it.

It is often recommended to create ACLs in a text editor. This allows the ACL to be easily edited and pasted into the router configuration. However, keep in mind when copying and pasting the ACL that it is important to remove the currently configured ACL first; otherwise all pasted statements will be appended to the end of the existing list.

8.3.3 - Configuring Numbered Standard ACLs The diagram depicts sample output for the following show commands on R2: show ip interface, show access-lists, and show running-config. Network Topology: Two routers, R1 and R2, are connected by a serial link. A server and a computer are connected to each FastEthernet port of R2, and one computer is connected to the FastEthernet port of R1. In the diagram, selecting the buttons show ip interface, show access-lists, and show running-config shows how adding an ACL to a configuration affects the output. Applying ACLs is covered in the labs, and the output of these commands is available once the ACL has been placed.

Page 3:

8.3.3 - Configuring Numbered Standard ACLs The diagram depicts an activity in which you must determine the correct sequence of commands to configure and apply a standard ACL that controls entry into the 192.168.1.0 LAN. Network Topology: R1 is connected to R2 via a serial link. R1 is connected to LAN1, 192.168.1.0/24, via Fa0/0 and to LAN2, 192.168.2.0/24, via Fa0/1. R2 is connected to LAN3, 192.168.3.0/24, via Fa0/0 and to LAN4, 192.168.4.0/24, via Fa0/1.

The host 192.168.3.77 should not be able to access the 192.168.1.0 LAN, but all other hosts on the 192.168.3.0 and 192.168.4.0 networks should be permitted access. The commands listed below are not in the correct order. A. access-list 44 deny any. B. ip access-group 44 out. C. access-list 44 permit 192.168.4.0 0.0.0.255. D. interface fa0/0. E. access-list 44 deny 192.168.3.77 0.0.0.0. F. access-list 44 permit 192.168.3.0 0.0.0.255.

Page 4: Lab Activity Configure and verify a Standard ACL.

Click the lab icon to begin.

8.3.3 - Configuring Numbered Standard ACL's Link to Hands-on Lab: Configuring and Verifying Standard ACL's Configure and verify a standard ACL.

8.3.4 Configuring Numbered Extended ACLs Page 1: Extended ACLs provide a greater range of control than Standard ACLs. The Extended ACL permits or denies access based on source IP address, destination IP address, protocol type, and port numbers. Since Extended ACLs can be very specific, they tend to grow in size quickly. The more statements that an ACL contains, the more difficult it is to manage.

Extended ACLs use an access-list number in the ranges 100 to 199 and 2000 to 2699. The same rules that apply to Standard ACLs also apply to Extended ACLs:

Configure multiple statements in one ACL. Assign the same ACL number to each statement. Use the host or any keywords to represent IP addresses.

A key difference in the Extended ACL syntax is the requirement to specify a protocol after the permit or deny condition. This protocol can be IP, indicating all IP traffic, or it can indicate filtering on a specific IP protocol such as TCP, UDP, ICMP, and OSPF.

8.3.4 - Configuring Numbered ACLs The diagram depicts an ACL and gives a brief description of each of its fields. The ACL is: R2(config)# access-list 105 permit tcp 192.168.5.0 0.0.0.255 host 172.16.5.254 eq http ACL Fields: Destination IP Address (host 172.16.5.254) identifies the IP address of the destination of the packets. This value can be an individual host address, a range of host addresses, the host parameter, or the any parameter. Matching Condition (eq) determines whether the port field must be equal to, greater than, less than, and so on, the value given. Condition (permit) identifies whether a matching packet is to be permitted or denied. Source IP Address (192.168.5.0 0.0.0.255) identifies the IP address of the source of the packet. This value can be an individual host address, a range of host addresses, the host parameter, or the any parameter. ACL Number (105) identifies an ACL with a unique number. A standard ACL uses numbers in the ranges 1 to 99 and 1300 to 1999. Extended ACLs use numbers in the ranges 100 to 199 and 2000 to 2699. Protocol (tcp) identifies the Layer 3 or Layer 4 protocol. Common options include: EIGRP, Cisco's EIGRP routing protocol; ESP, Encapsulating Security Payload; GRE, Cisco's GRE tunneling; ICMP, Internet Control Message Protocol; IGMP, Internet Group Management Protocol; IP, any Internet Protocol traffic; TCP; UDP. Application (http) identifies the application either by port number or by name.

Page 2: There are often many different ways to meet a set of requirements.

For example, a company has a server with the address of 192.168.3.75. It has the following requirements:

Allow access to hosts on the 192.168.2.0 LAN. Allow access to host 192.168.1.66. Deny access to hosts on 192.168.4.0 LAN. Permit access to everyone else in the enterprise.

There are at least two possible solutions that satisfy these requirements. When planning the ACL, try to minimize statements where possible.

Some ways to minimize statements and reduce the processing load of the router include:

Match high volume traffic and deny blocked traffic early in the ACL. This approach ensures that packets do not compare to later statements. Consolidate multiple permit and deny statements into a single statement using ranges. Consider denying a particular group rather than permitting a larger, opposite group.

8.3.4 - Configuring Numbered ACLs The diagram depicts numbered extended ACL configuration. Network Topology: Two routers are directly connected by a serial link. Two LANs, LAN3 and LAN4, are directly connected to the FastEthernet ports of R2; LAN3 has one server connected. Two LANs, LAN1 and LAN2, are directly connected to the FastEthernet ports of R1; LAN1 has one computer connected. In this topology, traffic from the 192.168.4.0/24 network should not be able to reach the server 192.168.3.75, while all other traffic should be allowed. Below are two options that can be used to configure this ACL. Both options achieve the same result.
Option A
R2(config)# access-list 103 permit ip 192.168.2.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip host 192.168.1.66 host 192.168.3.75
R2(config)# access-list 103 deny ip 192.168.4.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip any any
R2(config)# interface fa0/0
R2(config-if)# ip access-group 103 out
Option B
R2(config)# access-list 103 deny ip 192.168.4.0 0.0.0.255 host 192.168.3.75
R2(config)# access-list 103 permit ip any any
R2(config)# interface fa0/0
R2(config-if)# ip access-group 103 out

Page 3:

8.3.4 - Configuring Numbered ACLs The diagram depicts an activity in which you must determine whether each packet will be permitted or denied, based on the ACL listed below. Network Topology: There are two routers, R1 and R2. Host 192.168.1.66 connects to R1 via Fa0/0. Network 192.168.2.0/24 connects to R1 via Fa0/1. R1 connects to R2 via S0/0/0, 172.16.1.0/30. R2 connects via Fa0/1 to the LAN 192.168.4.0/24, where the host 192.168.4.12 is located. R2 connects to the server 192.168.3.200/24 via Fa0/0. ACL Statement: ACL 103, applied to R1 interface Fa0/0, inbound.
access-list 103 permit ip host 192.168.1.66 host 192.168.3.75
access-list 103 permit ip host 192.168.1.77 host 192.168.3.75
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip any any (implicit)
Packets to evaluate: Source 192.168.1.66, destination 192.168.3.51. Source 192.168.1.66, destination 192.168.3.75. Source 192.168.1.88, destination 192.168.2.51. Source 192.168.1.88, destination 192.168.3.75. Source 192.168.1.77, destination 192.168.3.75. Source 192.168.1.33, destination 192.168.2.34.
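The following is an added example, not part of the course: a Python model of the first-match evaluation described in 8.3.2 (statements compared in order, processing stops at the first match, an implicit deny ends the list), run over ACL 103 and the six packets of the activity above. The wildcard-mask matching, the small port-name table and the packet record are my own simplifications, and the parser handles only the subset of IOS syntax shown here.

```python
"""Added example (not course material): a small model of how IOS evaluates a
numbered extended IP ACL, run against the 8.3.4 activity above. It also shows
the 8.3.2 rule that statement order decides the outcome: first match wins, and
an implicit deny ends the list. Assumptions (mine): only IPv4 addresses, the
protocol keyword and a destination-port operator (eq/gt/lt/range) are compared;
port names are limited to the table below; source-port tests are not modelled."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# A few of the port names IOS accepts after eq/gt/lt/range (assumption).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "pop3": 110}

@dataclass
class Ace:
    action: str
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[Tuple[str, int, int]] = None   # (operator, low, high)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip" = no Layer 4 protocol given (as in the activity)
    dport: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def _address(t: List[str], i: int) -> Tuple[str, str, int]:
    # Parse 'any', 'host X' or 'X WILDCARD' starting at t[i].
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq|gt|lt P | range A B]'."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                                   # drop 'access-list <number>'
    action, proto = t[0], t[1]
    src, src_wc, i = _address(t, 2)
    dst, dst_wc, i = _address(t, i)
    dport = None
    if i < len(t):                                  # a port operator follows
        port = lambda s: PORT_NAMES.get(s) or int(s)
        lo = port(t[i + 1])
        hi = port(t[i + 2]) if t[i] == "range" else lo
        dport = (t[i], lo, hi)
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)):
        return False
    if ace.dport is None:
        return True
    if pkt.dport is None:
        return False
    op, lo, hi = ace.dport
    p = pkt.dport
    return {"eq": p == lo, "gt": p > lo, "lt": p < lo, "range": lo <= p <= hi}[op]

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """Return (action, line number that matched); line 0 is the implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return ace.action, n                    # first match wins, stop here
    return "deny", 0                                # implicit 'deny ip any any'

# ACL 103 and the six packets of the activity, in the order the course lists them.
ACTIVITY_ACL = [
    "access-list 103 permit ip host 192.168.1.66 host 192.168.3.75",
    "access-list 103 permit ip host 192.168.1.77 host 192.168.3.75",
    "access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75",
    "access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
]
ACTIVITY_PACKETS = [
    ("192.168.1.66", "192.168.3.51"), ("192.168.1.66", "192.168.3.75"),
    ("192.168.1.88", "192.168.2.51"), ("192.168.1.88", "192.168.3.75"),
    ("192.168.1.77", "192.168.3.75"), ("192.168.1.33", "192.168.2.34"),
]

def activity_results(lines: List[str] = ACTIVITY_ACL) -> List[str]:
    acl = [parse_ace(line) for line in lines]
    return [evaluate(acl, Packet(s, d))[0] for s, d in ACTIVITY_PACKETS]

if __name__ == "__main__":
    for (s, d), r in zip(ACTIVITY_PACKETS, activity_results()):
        print(f"{s} -> {d}: {r}")
    # Put the network-wide deny above the host permits: .66 and .77 are now denied.
    swapped = [ACTIVITY_ACL[2], ACTIVITY_ACL[0], ACTIVITY_ACL[1]] + ACTIVITY_ACL[3:]
    print("reordered:", activity_results(swapped))
```

Running it prints deny, permit, permit, deny, permit, permit for the six packets; the reordered list shows why the course insists on specific-before-general ordering, since moving the network-wide deny above the two host permits silently denies 192.168.1.66 and 192.168.1.77 as well.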

Page 4: Lab Activity Plan, configure, and verify an Extended ACL.

Click the lab icon to begin.

8.3.4 - Configuring Numbered ACL's Link to Hands-on Lab: Planning, Configuring, and Verifying Extended ACL's Plan, configure, and verify an Extended ACL.

8.3.5 Configuring Named ACLs Page 1: Cisco IOS versions 11.2 and higher can create Named ACLs (NACLs). In an NACL, a descriptive name replaces the numerical ranges required for Standard and Extended ACLs. Named ACLs offer all the functionality and advantages of Standard and Extended ACLs; only the syntax for creating them is different.

The name given to an ACL is unique. Using capital letters in the name makes it easier to recognize in router command output and troubleshooting.

A Named ACL is created with the command:

ip access-list {standard | extended} name

After issuing this command, the router switches to NACL configuration subcommand mode. After the initial naming command, enter all permit and deny statements, one at a time. NACLs use Standard or Extended ACL command syntax starting with the permit or deny statement.

Apply a Named ACL to an interface in the same manner as applying a Standard or Extended ACL.

The commands that help with evaluating Named ACLs for proper syntax, order of statements, and placement on interfaces are the same as the commands for Standard ACLs.

8.3.5 - Configuring Named ACLs The diagram depicts a person configuring a router. The commands used are:
R1(config)# ip access-list extended SALES-ONLY
R1(config-ext-nacl)# permit ip 192.168.1.66 0.0.0.0 any
R1(config-ext-nacl)# permit ip 192.168.1.77 0.0.0.0 any

R1(config)# interface fa0/0
R1(config-if)# ip access-group SALES-ONLY in

Page 2: Editing ACLs with older versions of IOS make it necessary to:

Copy the ACL to a text editor. Remove the ACL from the router. Recreate and apply the edited version.

Unfortunately, this process allows all traffic to flow through the interface during the editing cycle, thereby leaving the network open to potential security breaches.

With current versions of the IOS, edit numbered and Named ACLs using the ip access-list command. ACLs display with the lines numbered as 10, 20, 30, and so forth. To see the line numbers, use the command:

show access-lists

To edit an existing line:

Remove the line using the no line number command. Re-add the same line using its line number.

To insert a new line between existing lines 20 and 30:

Issue the new ACL statement, starting with a number between the two existing lines, such as 25.

Issue the show access-lists command to display the lines in sequence order. The inserted line keeps the number you gave it (25 in the example); the list is not renumbered automatically. To restore numbering in steps of 10, use ip access-list resequence [name] 10 10.

8.3.5 - Configuring Named ACLs The diagram depicts two editing techniques: Delete/Change and Insert. The commands used are:
Delete/Change
R1(config)# ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)# no 20
R1(config-ext-nacl)# 20 permit ip host 192.168.1.77 any
R1(config-ext-nacl)# end
R1# show access-lists
Extended IP access list SERVER-ACCESS
10 permit ip host 192.168.1.66 host 192.168.3.75
20 permit ip host 192.168.1.77 any
30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75
Insert
R1(config)# ip access-list extended SERVER-ACCESS
R1(config-ext-nacl)# 25 deny ip host 192.168.1.88 any
R1(config-ext-nacl)# end
R1# show access-lists
Extended IP access list SERVER-ACCESS
10 permit ip host 192.168.1.66 host 192.168.3.75
20 permit ip host 192.168.1.77 any
25 deny ip host 192.168.1.88 any
30 deny ip 192.168.1.0 0.0.0.255 host 192.168.3.75

Page 3: Packet Tracer Activity Configure and verify a Standard Named ACL.

Click the Packet Tracer icon to begin.

8.3.5 - Configuring Named ACL's Link to Packet Tracer Exploration: Configuring and Verifying Standard Named ACL's Configure and verify a Standard Named ACL.

Page 4: Lab Activity Configure and verify an Extended Named ACL.

Click the lab icon to begin.

8.3.5 - Configuring Named ACL's Link to Hands-on Lab: Configuring and Verifying Extended Named ACL's Configure and verify an Extended Named ACL.

8.3.6 Configure Router VTY Access Page 1: Network administrators often need to configure a router located at a remote location. To log into the remote router, they use a program such as Telnet or a Secure Shell (SSH) client. Telnet transmits the username and password in clear text, so anyone able to capture traffic along the path can read them. SSH encrypts the entire session, including the credentials.

When a network administrator connects to a remote router using Telnet or SSH, the router accepts an inbound session on one of its VTY lines. Telnet and SSH are in-band network management tools: they require the IP protocol and a working network path to the router itself.

The purpose of restricting virtual teletype terminal (VTY) access is to increase network security. Outside intruders may attempt to gain access to a router. If an access control list is not in place on the router virtual port, anyone who can determine the Telnet username and password can gain entry. If an ACL is applied to the router vty port that permits only specific IP addresses, anyone trying to telnet to the router from an IP address not permitted in the ACL will be denied access. Keep in mind, however, that this can create issues if the administrator must connect to the router from different locations using different IP addresses.

8.3.6 - Configure Router VTY Access The diagram depicts router VTY access configuration. Network Topology: An Internet cloud is directly connected by a serial link to a router labeled 01234. Also connected to the Internet cloud is a network administrator who telnets from a local machine with the IP address 209.165.202.130 to the address 209.165.200.225. The last connection is from a hacker located outside the Internet cloud, with the IP address 209.165.201.5, who also telnets to the address 209.165.200.225 of router 01234. The router has the following commands entered from the console session:
R1(config)# access-list 3 permit host 209.165.202.130
R1(config)# line vty 0 4
R1(config-line)# access-class 3 in
The network administrator is permitted Telnet access to router 01234, while the hacker's Telnet session request is denied.

Page 2: The process used to create the VTY access control list is the same as for an interface. However, applying the ACL to a VTY line uses a different command. Instead of using the ip access-group command, use the access-class command.

Follow these guidelines when configuring access lists on VTY lines:

Apply a numbered ACL, not a Named ACL, to the VTY lines (this is the restriction the course teaches; later IOS releases also accept a standard named ACL with access-class). Place identical restrictions on all VTY lines, because it is not possible to control the line on which a user connects. Check how many VTY lines the platform has (show line): line vty 0 4 covers only the first five, and any line left without the access-class still accepts connections.

VTY sessions are established between the Telnet or SSH client software and the destination router. The network administrator establishes a session with the destination router, enters a username and password, and makes configuration changes. The access-class filter restricts where sessions may come from; it does not protect the credentials themselves, so on a production router combine it with login local and transport input ssh so that only encrypted sessions are accepted.

8.3.6 - Configure Router VTY Access The diagram depicts the configuration of a standard numbered ACL and of the VTY lines, and the application of the ACL. Network Topology: Two routers, R1 and R2, are directly connected to each other by a serial link; the network address bound to this link is 192.168.2.0. Connected to Fa0/0 of R2 is the network 192.168.3.0. The network connected to the FastEthernet port of R1 is 192.168.1.0. Within this network, connected to R1, is the client 192.168.1.23. The client announces, "I need to configure a Standard Numbered ACL, so that only I can configure the router remotely." The following command is used to configure access to R1:
R1(config)# access-list 2 permit host 192.168.1.23
The client then announces, "I need to configure the VTY Lines and apply the ACL." The client then enters the commands listed below:
R1(config)# line vty 0 4
R1(config-line)# login
R1(config-line)# password its a secret
R1(config-line)# access-class 2 in

Page 3:

Lab Activity Configure and verify router VTY restrictions.

Click the lab icon to begin.

8.3.6 - Configure Router VTY Access Link to Hands-on Lab: Configuring and Verifying VTY Restrictions Configure and verify router VTY restrictions.

Page 4: Packet Tracer Activity Plan, configure, and verify Standard, Extended, and Named ACLs.

Click the Packet Tracer icon to begin.

8.3.6 - Configure Router VTY Access Link to Packet Tracer Exploration: Planning, Configuring, and Verifying Standard, Extended, and Named ACL's Plan, configure, and verify Standard, Extended, and Named ACL's.

8.4 Permitting and Denying Specific Types of Traffic


8.4.1 Configuring ACLs for Application and Port Filtering Page 1: Extended ACLs filter on source and destination IP addresses. It is often desirable to filter on even more specific packet details. OSI Layer 3 network protocol, Layer 4 transport protocols and application ports provide this capability.

Some of the protocols available to use for filtering include IP, TCP, UDP, and ICMP.

Extended ACLs also filter on port numbers, usually the destination port. The port number identifies the application or service the packet is intended for; well-known services have registered port numbers (HTTP 80, SMTP 25, and so on).

To do this, the router must look past the Ethernet frame header into the IP header for the addresses and into the TCP or UDP header for the port numbers before comparing them with the ACL.

In addition to the port number, a condition operator must be specified before the statement can match. The most commonly used operators are:

eq (equal to), gt (greater than), lt (less than). IOS also accepts neq (not equal to) and range (an inclusive range of ports).

Consider the following example:

R1(config)#access-list 122 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.89 eq 80

This ACL statement permits traffic from 192.168.1.0 that is requesting HTTP access using port 80. If a user attempts to telnet or FTP into host 192.168.2.89, the user is denied due to the implicit deny statement assumed at the end of every access list.

8.4.1 - Configuring ACLs for Application and Port Filtering The diagram depicts a frame header with the source IP address, the destination IP address, and the destination port number highlighted for the following ACL: access-list 101 permit tcp host 192.168.1.5 host 192.168.3.7 eq 80

Page 2: Filtering on a particular application requires knowledge of the port number for that application. Applications are associated with both a port number and a name, and an ACL can reference either. For example, port 80 can be written as 80 or by the name IOS uses for it, www.

If neither the port number nor the name is known for an application, try these steps for locating that information:

1. Research one of the IP addressing registry sites on the web, such as http://www.iana.org/

2. Refer to the software documentation.

3. Refer to the website of the application vendor.

4. Use a packet sniffer and capture data from the application.

5. Use the ? option in the access-list command. The list includes well-known port names and numbers for the TCP protocol.

Some applications use more than one port number. For example, FTP uses port 21 for the control connection and, in active mode, port 20 for the data connection that the server opens back to the client; passive-mode data connections use negotiated high-numbered ports instead. Denying port 21 alone prevents any FTP session from being set up; to block the data channel explicitly as well, deny both 20 and 21.

To accommodate multiple port numbers, Cisco IOS ACLs filter a range of ports. Use the gt, lt, or range operators in the ACL statement to accomplish this. For example, two FTP ACL statements can filter into one with the command:

R1(config)#access-list 181 deny tcp any 192.168.77.0 0.0.0.255 range 20 21

8.4.1 - Configuring ACLs for Application and Port Filtering The diagram depicts the list of TCP port names and numbers returned by the following command: R1(config)# access-list 101 permit tcp host 192.168.1.1 host 192.168.2.89 eq ? The computer user says, "I need to filter email traffic. What port numbers should I filter?" The following entries are highlighted: pop3, Post Office Protocol v3 (110); smtp, Simple Mail Transport Protocol (25).

Page 3: Packet Tracer Activity

Configure and verify Extended ACLs that filter on port numbers.

Click the Packet Tracer icon to begin.

8.4.1 - Configuring ACL's for Application and Port Filtering Link to Packet Tracer Exploration: Configuring and Verifying Extended ACL's Configure and verify Extended ACL's that filter on port numbers.

8.4.2 Configuring ACLs to Support Established Traffic Page 1: ACLs are often created to protect an internal network from outside sources. While protecting the internal network, the ACL should still allow internal users access to external resources. When internal users access external resources, the responses must pass back through the ACL. For example, when an internal user opens a connection to an external web server, the ACL must permit the HTTP packets that come back. Because of the implicit deny, every returning flow must be explicitly permitted; writing an individual permit statement for every possible resource results in a long ACL and tends to leave security holes.

To resolve this issue, a single statement can permit the return traffic of TCP sessions that internal users opened. To accomplish this, use the keyword established:

access-list 101 permit tcp any any established

The established keyword does not track connections. It matches any TCP segment that has the ACK or RST control bit set, which is true of every segment after the initial SYN of the three-way handshake and therefore of every legitimate response to an internal request. A new connection attempt from outside (a bare SYN) does not match and falls through to the implicit deny. Because the check is on a flag rather than on connection state, a crafted segment with ACK set from outside will also match; established is a lightweight substitute for, not a form of, true Stateful Packet Inspection (SPI), which requires the device to keep a connection table. UDP and ICMP carry no such flag, so established applies to TCP only.

In addition to established traffic, it may be necessary for an internal user to ping external devices. It is not desirable, however, to allow external users to ping or trace a device on the inside network. In this case, a statement using the keywords echo-reply and unreachable can be written to permit ping responses and unreachable messages. A ping originating from external sources, however, will be denied unless specifically permitted in another statement.

8.4.2 - Configuring ACLs to Support Established Traffic The animation shows how an ACL blocks specific traffic from entering an internal network while allowing the same kinds of traffic when they are initiated from the internal network. Network Topology: An internal network has hosts H1 and H2 connected by a switch to router R1. R1 is connected to router R2 via a serial connection. R2 is part of the ISP cloud, which also includes a web server. A foreign network with host H3 is also connected to the ISP. H1 sends a request to the web server; the packet travels across the network to the web server, which sends a response. When the response reaches Fa0/0 of R1, the following statement is matched and the packet is allowed through to H1: access-list 101 permit tcp any any established. Next, H2 sends a ping (echo request) to R2, and R2 sends an echo reply back to H2. When the reply reaches Fa0/0 of R1, the following statement is matched and the packet is allowed through to H2: access-list 101 permit icmp any any echo-reply. Finally, H3, on the foreign network, sends an echo request to the internal network. When it reaches Fa0/0 of R1, no permit statement matches and the packet is denied by the final statement: access-list 101 deny ip any any. The commands entered on R1 are:
R1(config)# access-list 101 permit tcp any any established
R1(config)# access-list 101 permit icmp any any echo-reply
R1(config)# access-list 101 permit icmp any any unreachable
R1(config)# access-list 101 deny ip any any
R1(config)# interface fa0/0
R1(config-if)# ip access-group 101 out
Note: an extended ACL statement requires a protocol keyword, so the final deny is written deny ip any any. It duplicates the implicit deny, but an explicit statement lets show access-lists count the denied packets.

Page 2:

8.4.2 - Configuring ACLs to Support Established Traffic The diagram depicts an activity in which you must determine whether each packet will be permitted or denied, based on its source and destination addresses and the following ACL. ACL Statement:
R1(config)# access-list 101 permit tcp any any established
R1(config)# access-list 101 permit icmp any 192.168.3.0 0.0.0.255 echo-reply
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 101 in
Network Topology: There are two routers, R1 and R2. R1 is connected to R2 via the serial link S0/0/0. R1 has the networks 192.168.2.0 and 192.168.3.0 attached. R2 has the network 192.168.1.0 attached to interface Fa0/0.

Packet Information: Source 192.168.1.77, destination 192.168.3.75, packet type echo-reply. Source 192.168.1.77, destination 192.168.2.75, packet type echo-request. Source 192.168.1.15, destination 192.168.2.44, packet type FTP response. Source 192.168.1.25, destination 192.168.3.44, packet type web response. Source 192.168.1.66, destination 192.168.3.12, packet type web request. Source 192.168.1.66, destination 192.168.2.12, packet type echo-reply.
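As an added example (mine, not the course's), the Python below evaluates the six activity packets against ACL 101 and then shows what the established keyword actually checks: IOS matches it when the ACK or RST bit is set and keeps no connection table, so a forged bare ACK from outside passes the check even though no session exists. A toy stateful filter that remembers sessions opened from the inside is included for contrast; the TCP flags assigned to each packet and that filter are assumptions of the example, not part of the activity.

```python
"""Added example, not part of the course: what the established keyword really
tests. IOS matches 'established' when a TCP segment has the ACK or RST bit set;
it keeps no table of connections. The code evaluates the 8.4.2 activity packets
against the course's ACL 101 and then contrasts that check with a toy stateful
filter that remembers sessions opened from the inside (an assumption of mine,
as are the TCP flags and ports given to each packet)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import FrozenSet, List, Set, Tuple

LAN3 = IPv4Network("192.168.3.0/24")      # behind R1, from the activity topology

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str                              # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""                     # "echo-request" or "echo-reply"

def acl_101(pkt: Pkt) -> str:
    """The course's ACL 101, applied inbound on R1 S0/0/0 (arriving from R2)."""
    # access-list 101 permit tcp any any established
    # 'established' is true whenever ACK or RST is set; nothing else is checked.
    if pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}:
        return "permit"
    # access-list 101 permit icmp any 192.168.3.0 0.0.0.255 echo-reply
    if (pkt.proto == "icmp" and pkt.icmp_type == "echo-reply"
            and IPv4Address(pkt.dst) in LAN3):
        return "permit"
    return "deny"                           # implicit deny ip any any

class StatefulFilter:
    """Toy stateful inspection for contrast (not how an IOS ACL works): a TCP
    packet from outside is permitted only if it answers a session that an
    inside host opened, identified by the reversed 4-tuple."""

    def __init__(self) -> None:
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def outbound(self, pkt: Pkt) -> None:
        """Record an inside host's initial SYN (SYN set, ACK clear)."""
        if pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt: Pkt) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "permit" if pkt.proto == "tcp" and key in self.sessions else "deny"

# The six packets of the 8.4.2 activity, with the TCP flags each would carry.
ACTIVITY = [
    Pkt("192.168.1.77", "192.168.3.75", "icmp", icmp_type="echo-reply"),
    Pkt("192.168.1.77", "192.168.2.75", "icmp", icmp_type="echo-request"),
    Pkt("192.168.1.15", "192.168.2.44", "tcp", 21, 50001, frozenset({"ACK"})),  # FTP response
    Pkt("192.168.1.25", "192.168.3.44", "tcp", 80, 50002, frozenset({"ACK"})),  # web response
    Pkt("192.168.1.66", "192.168.3.12", "tcp", 50003, 80, frozenset({"SYN"})),  # web request
    Pkt("192.168.1.66", "192.168.2.12", "icmp", icmp_type="echo-reply"),
]

def activity_decisions() -> List[str]:
    return [acl_101(p) for p in ACTIVITY]

def forged_ack() -> Tuple[str, str]:
    """A bare ACK from outside with no session behind it: 'established'
    permits it, the stateful filter does not."""
    probe = Pkt("192.168.1.66", "192.168.3.12", "tcp", 4444, 22, frozenset({"ACK"}))
    return acl_101(probe), StatefulFilter().inbound(probe)

def real_response() -> Tuple[str, str]:
    """The SYN-ACK answering an inside host's SYN passes both checks."""
    sf = StatefulFilter()
    sf.outbound(Pkt("192.168.3.44", "192.168.1.25", "tcp", 50002, 80, frozenset({"SYN"})))
    reply = Pkt("192.168.1.25", "192.168.3.44", "tcp", 80, 50002, frozenset({"SYN", "ACK"}))
    return acl_101(reply), sf.inbound(reply)

if __name__ == "__main__":
    for p, d in zip(ACTIVITY, activity_decisions()):
        print(f"{p.src} -> {p.dst} {p.proto} {p.icmp_type or sorted(p.flags)}: {d}")
    print("forged ACK   (established, stateful):", forged_ack())
    print("real SYN-ACK (established, stateful):", real_response())
```

The activity packets come out permit, deny, permit, permit, deny, deny. The two comparison functions are the point of the example: the forged ACK is permitted by established and denied by the stateful filter, while the genuine SYN-ACK is permitted by both, which is why established is adequate against casual connection attempts but not against an attacker who crafts packets.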

8.4.3 Effects of NAT and PAT on ACL Placement Page 1: Implementing NAT and PAT may create a problem when planning ACLs. Network administrators need to account for the address translation when creating and applying ACLs to interfaces where NAT occurs.

When using NAT with ACLs, it is important to know how they interact in the router.

1. If the packet comes inbound into a NAT outside interface, the router:

Applies the inbound ACL Translates the destination address from outside to inside, or global to local Routes the packet

2. If the packet goes outbound through a NAT outside interface, the router:

Translates the source address from inside to outside, or local to global Applies outbound ACL

Plan the ACL so that it filters either the private or the public addresses, depending on where it sits relative to NAT. An ACL applied inbound or outbound on a NAT outside interface sees the inside global (public) addresses; an ACL applied on the inside interface sees the inside local (private) addresses.

8.4.3 - Effects of NAT and PAT on ACL Placement The animation depicts a conflict between NAT and an ACL statement. Users on the 10.1.0.0/16 network have been permitted access to a server by an ACL statement, but because the source address is translated before the outbound ACL is applied, the statement never matches and the packets are dropped. ACL Statement:
R1(config)# access-list 101 permit ip 10.1.0.0 0.0.255.255 host 209.165.200.230
R1(config)# interface s0/0/0
R1(config-if)# ip access-group 101 out
Network Topology: There are two routers, R1 and R2. R1 is connected to R2 via the serial link S0/0/0. R1 has the network 10.1.0.0/16 attached on its Fa0/0 interface. R2 is connected to an ISP cloud containing the web server 209.165.200.230. A packet from the 10.1.0.0/16 network is sent to the server 209.165.200.230. When the packet reaches S0/0/0 of R1, the NAT enabled on R1 translates the source address from the private 10.1.0.0/16 address to the public address 209.165.200.226. The ACL cannot match this newly translated address, so the packet is denied by the implicit deny. The computer user in the diagram asks, "Why can't the users on the 10.1.0.0 network access the server?"
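Added example, not part of the course: a Python model of the order in which R1 applies NAT and an ACL on each path (translate, then the outbound ACL, on the outside interface; the inbound ACL, then translate, on the way back), reproducing the failure in the animation and showing two ways to fix it. The inside global address 209.165.200.226 is taken from the animation; the one-entry translation table, the client address 10.1.5.20 and the parser limited to permit or deny ip entries are my simplifications.

```python
"""Added example, not part of the course: the order in which R1 applies NAT and
an ACL, reproducing the failure in the 8.4.3 animation and two ways to fix it.
Assumptions (mine): R1 translates every 10.1.0.0/16 source to the single inside
global address 209.165.200.226 shown in the animation (one translation held at a
time, so the reverse lookup is a plain dictionary); only the source address is
rewritten outbound and only the destination inbound; ACL entries are limited to
'access-list N permit|deny ip SRC DST' with wildcard masks."""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

INSIDE_GLOBAL = "209.165.200.226"
SERVER = "209.165.200.230"
_translations: Dict[str, str] = {}       # inside global -> inside local

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match, a 1 bit is a don't-care."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

def _address(t: List[str], i: int) -> Tuple[str, str, int]:
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def parse_acl(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines into tuples."""
    acl = []
    for line in lines:
        t = line.split()[2:]                 # drop 'access-list <number>'
        action = t[0]                        # t[1] is the 'ip' keyword
        src, src_wc, i = _address(t, 2)
        dst, dst_wc, _ = _address(t, i)
        acl.append((action, src, src_wc, dst, dst_wc))
    return acl

def acl_decision(acl, src: str, dst: str) -> str:
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action                    # first match wins
    return "deny"                            # implicit deny ip any any

def nat_outbound(src: str) -> str:
    """Inside local -> inside global on the way out of S0/0/0."""
    if wildcard_match(src, "10.1.0.0", "0.0.255.255"):
        _translations[INSIDE_GLOBAL] = src
        return INSIDE_GLOBAL
    return src

def nat_inbound(dst: str) -> str:
    """Inside global -> inside local on the way in from S0/0/0."""
    return _translations.get(dst, dst)

def send_out(applied_at: str, acl, src: str, dst: str) -> str:
    """Packet from the 10.1.0.0/16 LAN (Fa0/0) towards the ISP (S0/0/0).
    applied_at is 'fa0/0 in' (ACL before NAT) or 's0/0/0 out' (NAT, then ACL)."""
    if applied_at == "fa0/0 in":
        if acl_decision(acl, src, dst) == "deny":
            return "dropped by ACL"
        return "forwarded from " + nat_outbound(src)
    # 's0/0/0 out': the router translates inside->outside, then checks the ACL.
    src = nat_outbound(src)
    if acl_decision(acl, src, dst) == "deny":
        return "dropped by ACL"
    return "forwarded from " + src

def receive_in(acl, src: str, dst: str) -> str:
    """Reply arriving on S0/0/0 with an inbound ACL: ACL first (it sees the
    inside global address), then translate the destination, then route."""
    if acl_decision(acl, src, dst) == "deny":
        return "dropped by ACL"
    return "delivered to " + nat_inbound(dst)

# The animation's ACL matches private sources on an interface where they no longer exist.
BROKEN = ["access-list 101 permit ip 10.1.0.0 0.0.255.255 host " + SERVER]
# Fix 1: keep the ACL on S0/0/0 out but match the inside global address.
FIX_GLOBAL = ["access-list 101 permit ip host " + INSIDE_GLOBAL + " host " + SERVER]
# Fix 2: keep the original ACL but apply it inbound on Fa0/0, before NAT (see demo).
# Inbound ACL for the replies: on S0/0/0 it must name the inside global address too.
RETURN_ACL = ["access-list 102 permit ip host " + SERVER + " host " + INSIDE_GLOBAL]

def demo(client: str = "10.1.5.20") -> Dict[str, str]:
    return {
        "broken": send_out("s0/0/0 out", parse_acl(BROKEN), client, SERVER),
        "fix_global": send_out("s0/0/0 out", parse_acl(FIX_GLOBAL), client, SERVER),
        "fix_inside": send_out("fa0/0 in", parse_acl(BROKEN), client, SERVER),
        "reply": receive_in(parse_acl(RETURN_ACL), SERVER, INSIDE_GLOBAL),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The broken placement drops the packet, while either fix forwards it from 209.165.200.226; the reply case shows the mirror image, where an inbound ACL on the outside interface has to name the public address because translation of the destination happens only after the ACL has been checked.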

Page 2: Lab Activity

Configure an ACL with NAT.

Click the lab icon to begin.

8.4.3 - Effects of NAT and PAT on ACL Placement Link to Hands-on Lab: Configure an ACL with NAT

8.4.4 Analyzing Network ACLs and Placement

Page 1: Network administrators evaluate the effect of every statement in an ACL prior to implementation. An improperly designed ACL can immediately cause problems when it is applied to an interface. These problems range from a false sense of security to an unnecessary load on a router or even a non-functioning network.

Administrators need to examine the ACL, one line at a time, and answer the following questions:

What service does the statement deny?
What is the source and what is the destination?
What port numbers are denied?
What would happen if the ACL was moved to another interface?
What would happen if the ACL filtered traffic in a different direction?
Is NAT an issue?

When evaluating an Extended ACL, it is important to remember these key points:

The keyword tcp permits or denies TCP-based protocols such as FTP, HTTP, and Telnet.
The key phrase permit ip permits all IP traffic, including any TCP, UDP, and ICMP protocols.

8.4.4 - Analyzing Network ACLs and Placement The diagram depicts the placement and use of ACLs to filter traffic to and from specific parts of a network.

Network Topology: There are four routers, Main, Sales, HQ, and R1. HQ is attached to Main and Sales via serial links. Main is attached to Sales via a serial link. HQ is attached to R1 via a serial link, HQ: S0/0/0. HQ has network 192.168.1.0/24 connected to interface Fa0/0. Network 192.168.1.0/24 has a server farm with three servers, IP 192.168.1.3 - .15, as well as two hosts, Net Admin, 192.168.1.2, and H1, 192.168.1.30.

Main has network 192.168.5.0/24 connected to interface Fa0/0, attached to the Payroll Server, IP 192.168.5.57. Sales has network 192.168.3.0/24 attached on interface Fa0/0, attached to the File Server, IP 192.168.3.39. There are ACLs on the Fa0/0 interfaces of the HQ, Main, and Sales routers. There is an ACL on the S0/0/0 interface of HQ.

The ACLs and the functions of each are as follows:

HQ S0/0/0 ACL: HQ - Extended ACL 105 - Interface S0/0/0 IN
access-list 105 permit icmp any any echo-reply - Allow pings from inside to return from the Internet
access-list 105 permit icmp any any unreachable - Allow error messages to return from the Internet
access-list 105 permit tcp any any established - Allow established TCP sessions from the Internet

HQ Fa0/0 ACL: HQ - Extended ACL 100 - Interface Fa0/0 IN
access-list 100 permit ip 192.168.1.0 0.0.0.15 any - Allow Net Admin and Server Farm full access
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23 - Deny user PCs Telnet access
access-list 100 permit ip any any - Allow all other traffic

Sales Fa0/0 ACL: Sales - Extended ACL 122 - Interface Fa0/0 IN
access-list 122 deny ip 192.168.3.0 0.0.0.255 host 192.168.5.57 - Deny access from this net to the Payroll Server
access-list 122 permit tcp 192.168.3.0 0.0.0.255 any range 20 21 - Allow all users on this net access to FTP data and FTP session control
access-list 122 permit udp 192.168.3.0 0.0.0.255 any eq 53 - Allow all users on this net access to remote DNS
access-list 122 permit tcp 192.168.3.0 0.0.0.255 any eq 80 - Allow all users on this net access to web services

Main Fa0/0 ACL: Main - Extended ACL 111 - Interface Fa0/0 IN
access-list 111 permit ip host 192.168.5.57 any - Allow the Payroll Server access to anywhere
access-list 111 permit udp 192.168.5.0 0.0.0.255 any eq 53 - Allow all users on this net access to remote DNS
access-list 111 permit tcp 192.168.5.0 0.0.0.255 any eq 80 - Allow all users on this net access to web services
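The line-by-line review described above (what service, which source and destination, which ports) can be mechanised. The following Python analyzer is an added example, not part of the course or of Cisco IOS: it parses numbered extended ACL statements in the form used on this page, answers those questions for each line, and raises two warnings a reviewer looks for: a udp entry for a service that runs over TCP (which never matches), and an entry made unreachable by an earlier, broader one. It assumes one ACL at a time, that a port operator follows the destination (as in every statement on this page), and the constructed sample below is ACL 100 from the diagram plus a fourth line written to trigger both warnings.

```python
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "www": 80}
SERVICE_OF_PORT = {20: "ftp-data", 21: "ftp", 23: "telnet", 53: "dns", 80: "http"}
TCP_ONLY_PORTS = {20, 21, 23, 80}  # these services run over TCP, so a udp entry for them never matches
ANY = ("0.0.0.0", "255.255.255.255")


def ip_int(ip):
    return int(ipaddress.IPv4Address(ip))


def port_num(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_addr(tokens, i):
    """Return ((address, wildcard), next_index) for 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """access-list NUM ACTION PROTO SRC DST [eq|gt|lt|neq PORT | range LOW HIGH] [established|echo-reply|...]"""
    t = line.lower().split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list statement: {line}")
    src, i = parse_addr(t, 4)
    dst, i = parse_addr(t, i)
    ports, flags = None, []
    while i < len(t):
        if t[i] in ("eq", "gt", "lt", "neq"):
            ports, i = (t[i], port_num(t[i + 1])), i + 2
        elif t[i] == "range":
            ports, i = ("range", port_num(t[i + 1]), port_num(t[i + 2])), i + 3
        else:
            flags.append(t[i])
            i += 1
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst, "ports": ports, "flags": flags}


def port_set(ports):
    if ports[0] == "range":
        return set(range(ports[1], ports[2] + 1))
    return {ports[1]} if ports[0] == "eq" else set()


def covers(outer, inner):
    """True if every address matched by inner (addr, wildcard) is also matched by outer."""
    ob, ow = ip_int(outer[0]), ip_int(outer[1])
    ib, iw = ip_int(inner[0]), ip_int(inner[1])
    fixed = ~ow & 0xFFFFFFFF  # bits the outer entry compares
    return (iw & fixed) == 0 and ((ob ^ ib) & fixed) == 0


def shadows(earlier, later):
    """The earlier entry catches every packet the later one could match, so the later one never fires."""
    proto_ok = earlier["proto"] in ("ip", later["proto"])
    ports_ok = earlier["ports"] is None or earlier["ports"] == later["ports"]
    flags_ok = not earlier["flags"]  # a flag such as 'established' narrows the earlier entry
    return (proto_ok and ports_ok and flags_ok
            and covers(earlier["src"], later["src"]) and covers(earlier["dst"], later["dst"]))


def describe_ports(ports):
    if ports is None:
        return "any port"
    if ports[0] == "range":
        return f"ports {ports[1]}-{ports[2]}"
    return f"{ports[0]} {ports[1]} ({SERVICE_OF_PORT.get(ports[1], 'unknown')})"


def analyze(lines):
    """Answer the review checklist for each statement and attach warnings."""
    entries = [parse_ace(line) for line in lines]
    report = []
    for n, e in enumerate(entries, start=1):
        warnings = []
        if e["proto"] == "udp" and e["ports"] and port_set(e["ports"]) & TCP_ONLY_PORTS:
            warnings.append("udp entry for a TCP service; use the tcp keyword")
        for m, earlier in enumerate(entries[: n - 1], start=1):
            if shadows(earlier, e):
                warnings.append(f"unreachable: shadowed by line {m}")
                break
        report.append({"line": n, "action": e["action"], "proto": e["proto"], "src": e["src"],
                       "dst": e["dst"], "ports": describe_ports(e["ports"]), "warnings": warnings})
    return report


# Constructed sample: ACL 100 from the diagram plus a fourth line that should be rejected in review.
SAMPLE_ACL = [
    "access-list 100 permit ip 192.168.1.0 0.0.0.15 any",
    "access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 23",
    "access-list 100 permit ip any any",
    "access-list 100 permit udp 192.168.1.0 0.0.0.255 any range 20 21",
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_ACL):
        print(row)
```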

Page 2:

8.4.4 - Analyzing Network ACLs and Placement The diagram depicts an activity in which you must create an extended ACL given the following requirements and network topology. Some components will not be used.

Network Topology: There are two routers, R1 and R2. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0). R2 has network 10.1.1.0/24 attached to interface Fa0/0. R2 has network 10.1.2.0/24 attached to interface Fa0/1. R1 has network 192.168.1.0/25 attached to interface Fa0/0. R1 has a web server attached to interface Fa0/0 (Web Server IP: 192.168.1.84).

Create the numbered extended ACL statement that will only allow users on network 10.1.1.0/24 HTTP access to the web server on network 192.168.1.0. The ACL will be applied to the R2 S0/0/0 interface outbound. Select from the following components to populate the nine fields of the numbered extended ACL.

Components:
Choice 1. 99
Choice 2. ip
Choice 3. 192.168.1.0
Choice 4. deny
Choice 5. 0.0.255.255
Choice 6. access-list
Choice 7. 10.1.2.0
Choice 8. 192.168.1.84
Choice 9. permit
Choice 10. 10.1.1.0
Choice 11. udp
Choice 12. eq 80
Choice 13. 0.0.0.255
Choice 14. 101
Choice 15. eq 21
Choice 16. host
Choice 17. any
Choice 18. tcp

8.4.5 Configuring ACLs with Inter-VLAN Routing Page 1: When routing between VLANs in a network, it is sometimes necessary to control traffic from one VLAN to another using ACLs.

Apply ACLs directly to VLAN interfaces or subinterfaces on a router just as with physical interfaces.

Enterprise networks typically have servers on a different VLAN than user groups. In such cases, access to the server VLAN requires filtering.

All rules and guidelines for creation and application are the same for ACLs on subinterfaces as they are for physical interfaces.

8.4.5 - Configuring ACLs with Inter-VLAN Routing The diagram depicts the use of VLANs to separate network devices. Network Topology: There are two VLANs. VLAN1 contains three servers, and VLAN2 contains three hosts. Both VLANs are connected through a switch, S1, which is connected to a router, R1.

Page 2: Lab Activity

Configure and verify ACLs to filter inter-VLAN traffic.

Click the lab icon to begin.

8.4.5 - Configuring ACLs with Inter-VLAN Routing Link to Hands-on Lab: Configuring and Verifying ACLs to Filter Inter-VLAN Traffic. Configure and verify ACLs to filter inter-VLAN traffic.

Page 3: Packet Tracer Activity Configure and verify an Extended ACL that creates a DMZ and protects the corporate network.

Click the Packet Tracer icon to begin.

8.4.5 - Configuring ACLs with Inter-VLAN Routing Link to Packet Tracer Exploration: Configuring and Verifying Extended ACLs with a DMZ. Configure and verify an extended ACL that creates a DMZ and protects the corporate network.

8.5 Filtering Traffic Using Access Control Lists


8.5.1 Using Logging to Verify ACL Functionality Page 1: After writing an ACL and applying it to an interface, a network administrator evaluates the number of matches. When the fields of an incoming packet are equal to all ACL comparison fields, this is a match. Viewing the number of matches helps to identify whether the ACL statements are having the desired effect.

By default, an ACL statement captures the number of matches and displays them at the end of each statement. View the matches using the following command:

show access-list

The basic match counts that are displayed with the show access-list command provide the number of ACL statements matched and the number of packets processed. The output does not indicate the source or destination of the packet or the protocols in use.

For additional details on packets permitted or denied, activate a process called logging. Logging activates for individual ACL statements. To activate this feature, add the log option to the end of each ACL statement to be tracked.

Use logging for a short time only to complete testing of the ACL. The process of logging events places an additional load on the router.

8.5.1 - Using Logging to Verify ACL Functionality This animation depicts the two methods of viewing ACL matches, default and logging.

Default Network Topology: Host H1 has the IP address 192.168.1.2. Host H2 has the IP address 192.168.1.3. Both hosts are connected to Fa0/0 of R1. The ACL has been placed on Fa0/0. R1 connects via S0/0/0 to the S0/0/0 port of router R2. The link between the two routers is on the network 192.168.2.0. R2 is connected via Fa0/0 to H3. Host H3 has the address 192.168.3.11.

The ACL configuration is listed as follows:
R1(config)# access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23
R1(config)# access-list 123 permit ip 192.168.1.0 0.0.0.255 any
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 123 in
R1(config-if)# end
R1# show access-list 123
Extended IP access list 123
    10 deny tcp host 192.168.1.2 host 192.168.3.11 eq telnet (1 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (1 matches)

H1 sends a packet onto the network. When the packet reaches Fa0/0 of R1, the packet is denied, and the deny line (sequence 10) is highlighted in the show access-list output. Next, H2 sends a packet onto the network. When the packet reaches Fa0/0 of R1, the packet is permitted, and the permit line (sequence 20) is highlighted in the show access-list output.

By looking at the text taken from the end of the following router configuration and the subsequent logged messages, you can see where matches were made and whether the matching packets were denied or permitted.

Logging Network Topology: H1 has the IP address 192.168.1.2. H1 connects to Fa0/0 of router R1. R1 connects via S0/0/0 to the S0/0/0 port of router R2. The link between these two routers is on the network 192.168.2.0. R2 is connected via Fa0/0 to host H2. H2 has the address 192.168.3.11.

The ACL configuration is listed as follows:
R1(config)# no access-list 123
R1(config)# access-list 123 deny tcp host 192.168.1.2 host 192.168.3.11 eq 23 log
R1(config)# access-list 123 permit ip 192.168.1.0 0.0.0.255 any log
R1(config)# access-list 123 deny ip
R1(config)# end
R1#

H1 sends three packets onto the network. The following logged entries describe the outcome.

H1 sends the first packet from source 192.168.1.2 to destination 192.168.3.11 using port 30.
*Sep 9 20:02:11.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) 192.168.3.11(30), 1 packet

H1 sends the second packet from source 192.168.1.2 to destination 192.168.3.11 using port 23.
*Sep 9 20:02:53.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) 192.168.3.11(23), 1 packet

H1 sends the third packet from source 192.168.1.2 to destination 192.168.3.20 using the protocol ICMP.
*Sep 9 20:03:48.279: %SEC-6-IPACCESSLOGP: list 123 denied icmp 192.168.1.2 192.168.3.20(8 /0), 1 packet

Page 2: Logging to the console uses router memory, which is a limited resource. Instead, configure the router to send logging messages to an external server. These messages, called syslog messages, can then be viewed both in real time and at a later date.

The message types include eight message severity levels. The levels range from 0, representing an emergency or an unusable system, to level 7, representing informational messages such as debugging.

ACL logging generates an informational message that contains:

ACL number
Packet permitted or denied
Source and destination addresses
Number of packets

A message is generated for the first packet that matches, and then at 5-minute intervals.

To turn off logging to the console, use:

no logging console

To turn off all debugging, use:

undebug all

To turn off specific debugging, such as ip packet, use:

no debug ip packet

8.5.1 - Using Logging to Verify ACL Functionality The diagram depicts a desktop PC with a large red alert sign displayed on the screen.

More Information Popup - Logging Levels:
emergencies - System is unusable (severity 0)
alerts - Immediate action needed (severity 1)
critical - Critical conditions (severity 2)
errors - Error conditions (severity 3)
warnings - Warning conditions (severity 4)
notifications - Normal but significant conditions (severity 5)
informational - Informational messages (severity 6)
debugging - Debugging messages (severity 7)
filtered - Enable filtered logging (no severity level)
guaranteed - Guarantee console messages (no severity level)
xml - Enable logging in XML (no severity level)
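The ACL log messages shown on page 1 and the severity table above are what a syslog server actually receives, so a practical next step is to parse them. The following Python parser is an added example, not course or Cisco code: it decodes the <PRI> prefix a syslog server sees into facility and severity (severity is PRI modulo 8, named per the table above), extracts the ACL number, action, protocol, addresses, ports and packet count from %SEC-6-IPACCESSLOGP messages, and sums denied packets per flow across the 5-minute summary messages. The sample lines are constructed from the animation's three messages; the <190> prefix (facility local7, severity 6) and the ICMP variant %SEC-6-IPACCESSLOGDP (type/code instead of ports) are not shown on this page and are assumptions based on IOS behaviour.

```python
import re
from collections import Counter

# Severity numbers and names as listed in the logging-levels table (0 = emergencies ... 7 = debugging).
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Priority prefix "<PRI>" that a syslog server receives in front of each message (assumed format).
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# IPACCESSLOGP carries ports for tcp/udp; the ICMP variant IPACCESSLOGDP carries (type/code).
# The "->" between the addresses is optional so the transcript form shown on this page parses too.
ACL_LOG_RE = re.compile(
    r"%SEC-(?P<sev>\d)-(?P<mnemonic>IPACCESSLOG\w*): list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))? (?:-> )?"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: ?\((?P<icmp_type>\d+)\s*/\s*(?P<icmp_code>\d+)\))?, (?P<count>\d+) packets?"
)


def syslog_severity(line):
    """Decode the <PRI> prefix: facility is PRI // 8, severity is PRI % 8."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return pri // 8, pri % 8, SEVERITY_NAMES[pri % 8]


def parse_acl_log(line):
    """Return the fields of an ACL log message, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "severity": int(d["sev"]),
        "severity_name": SEVERITY_NAMES[int(d["sev"])],
        "acl": d["acl"],
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "icmp": (int(d["icmp_type"]), int(d["icmp_code"])) if d["icmp_type"] else None,
        "count": int(d["count"]),
    }


def summarize_denied(lines):
    """Packets denied per (acl, src, dst, proto, dport), summing the per-interval counts."""
    totals = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[(rec["acl"], rec["src"], rec["dst"], rec["proto"], rec["dport"])] += rec["count"]
    return totals


# Constructed sample: the animation's three messages as a syslog server would receive them,
# a later 5-minute summary for the same denied flow, and one unrelated message.
SAMPLE_LOG = [
    "<190>*Sep 9 20:02:11.979: %SEC-6-IPACCESSLOGP: list 123 permitted udp 192.168.1.2(2138) 192.168.3.11(30), 1 packet",
    "<190>*Sep 9 20:02:53.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) 192.168.3.11(23), 1 packet",
    "<190>*Sep 9 20:03:48.279: %SEC-6-IPACCESSLOGDP: list 123 denied icmp 192.168.1.2 -> 192.168.3.20 (8/0), 1 packet",
    "<190>*Sep 9 20:07:53.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1142) -> 192.168.3.11(23), 4 packets",
    "<189>*Sep 9 20:08:00.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down",
]

if __name__ == "__main__":
    for key, n in summarize_denied(SAMPLE_LOG).items():
        print(n, "denied", key)
```

Because the router reports the first match immediately and then only a count every 5 minutes, summing the count field (rather than counting lines) is what gives the true number of denied packets per flow.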

Page 3: Lab Activity Configure ACLs and verify using the show access-lists command and console logging.

Click the lab icon to begin.

8.5.1 - Configuring ACLs and Verifying with Console Logging Link to Hands-on Lab: Configuring ACLs and Verifying with Console Logging. Configure ACLs and verify using the show access-lists command and console logging.

8.5.2 Analyzing Router Logs Page 1: Logging to the console uses router memory, which is a limited resource. Instead, configure a router to send logging, sometimes called syslog messages, to an external server. This method allows viewing the messages in real time and also at a later time.

Types of reported events include the status of:

Router interfaces
Protocols in use
Bandwidth usage
ACL messages
Configuration events

It is advisable to include the option to notify a network administrator by email, pager, or cell phone when a critical event occurs.

Other configurable options include:

Providing notification of new messages received
Sorting and grouping messages
Filtering messages by severity
Removal of all or selected messages

Syslog software is available from many sources. The level of reporting and ease of use vary with the price, but there are also several free programs available on the Internet.

Syslog is a protocol supported by all network equipment, including switches, routers, firewalls, storage systems, modems, wireless devices, and UNIX hosts.

8.5.2 - Analyzing Router Logs The diagram depicts a man on his cellular phone, thinking, "The router is alerting me to an emergency on the network." In the diagram, a router is sending out an emergency message to the man.

Page 2: To use a syslog server, install the software on a Windows, Linux, UNIX, or Mac OS server and configure the router to send logged events to the syslog server.

A sample of the command that specifies the IP address of the host where the syslog server is installed is:

logging 192.168.3.11

When troubleshooting a problem, always set the service timestamps for logging. Be sure the router date and time are set correctly so that log files display the proper time stamp.

Use the show clock command to check the date and time setting.

R1>show clock
*00:03:45.213 UTC Mon Mar 1 2007

To set the clock, first set the time zone. Base the time zone on Greenwich Mean Time (GMT) and then set the clock. Note that the clock set command is entered in privileged EXEC mode, not in configuration mode.

To set the time zone:

R1(config)#clock timezone CST -6

To set the clock:

R1#clock set 10:25:00 Sep 10 2007

8.5.2 - Analyzing Router Logs The diagram depicts a map of the world with a vertical line that passes through Greenwich England, indicating Greenwich Mean Time (GMT).

Page 3: Lab Activity Configure ACLs and download a syslog server to record ACL activity.

Click the lab icon to begin.

8.5.2 - Analyzing Router Logs Link to Hands-on Lab: Configuring ACLs and Recording Activity to a Syslog Server. Configure ACLs and download a syslog server to record ACL activity.

8.5.3 ACL Best Practices Page 1: ACLs are a very powerful filtering tool. They are active immediately after application onto an interface.

It is far better to spend extra time planning and troubleshooting before applying an ACL, than trying to troubleshoot after applying the ACL.

Always test basic connectivity before applying ACLs. If pinging a host is unsuccessful because of a bad cable or an IP configuration problem, the ACL can compound the problem and make it harder to troubleshoot.

When logging, add the deny ip any any statement to the end of the ACL. This statement allows tracking the number of matches for packets denied.

Use the reload in 30 command when working with remote routers and testing ACL functionality. If a mistake in an ACL blocks access to the router, remote connectivity may be denied. Using this command, the router reloads in 30 minutes and reverts to the startup configuration. When satisfied with how the ACL is functioning, copy the running configuration to the startup configuration.

8.5.3 - ACL Best Practices The diagram depicts a list of best practices.

Best Practices:
Create and edit ACLs in a text editor, such as Notepad; do not edit a live ACL.
Always test basic connectivity before applying ACLs.
When logging, add the deny ip any any statement to the end of the ACL.
Use the reload in 30 command when working with remote routers and testing ACL functionality.

8.6 Chapter Summary


8.6.1 Summary Page 1:

8.6.1 - Summary

Diagram 1, Image: The diagram depicts a router directly connected to a switch. The switch is connected to four computers on an internal network.

Diagram 1 text: Traffic filtering is the process of analyzing the contents of a packet to determine if the packet should be allowed or blocked. ACLs enable management of traffic and security access to and from a network and its resources. There are three types of ACLs: standard, extended, and named. ACLs filter traffic based on source and destination IP address, application, and protocol. Apply an ACL to a router interface to examine packets that are inbound or outbound.

Diagram 2, Image: The diagram depicts four lines of information as listed below.
Wildcard masks that permit a single host: 172.16.22.87 0.0.0.0, or host 172.22.8.17
Wildcard mask that permits a range of hosts for a /24 network: 172.16.22.0 0.0.0.255
Wildcard mask that permits an entire /16 network: 172.16.0.0 0.0.255.255
Wildcard mask that permits an entire /8 network: 10.0.0.0 0.255.255.255

Diagram 2 text: Using a wildcard mask provides flexibility, and can block a range of addresses or whole networks with one statement. The wildcard mask compares the incoming address to a comparison address to determine which bits must match. To determine the wildcard mask, subtract the decimal subnet mask for an address or range from the all-255s mask (255.255.255.255). There is an implied deny any statement at the end of the ACL. The keyword any refers to all hosts, and the keyword host refers to an individual IP address.

Diagram 3, Image: The diagram depicts ACL processing and creation guidelines. Standard ACLs filter on source IP address and are placed as close to the destination as possible. Extended ACLs can filter on source and destination addresses, as well as on protocol and port number, and should be placed as close to the source as possible. Decide placement of ACLs based on the type of ACL and the requirements. Each interface supports one ACL per direction per protocol. Create an ACL using a unique identifier and apply it either inbound or outbound on an interface using the ip access-group command. The show ip interface, show access-lists, and show running-config commands allow a network administrator to view all ACLs that have been configured on a router. Named ACLs offer all the functionality and advantages of standard and extended ACLs. ACLs restrict VTY access to increase network security. The access-class command is used to apply a VTY ACL.

Diagram 3 text:
Configure only one access list per protocol per direction.
Apply standard access lists closest to the destination.
Apply extended access lists closest to the source.
Use the correct number range for the type of list.
Determine the inbound or outbound direction by looking at the port from inside the router.
Statements are processed sequentially from the top of the list to the bottom.
A packet is denied if no match is found.
Enter the access list statements in order from specific to general.
Configure an ACL with a permit statement, or all traffic will be denied.

Diagram 4, Image: The diagram depicts the image of an Ethernet frame. The frame consists of the following fields: MAC address header, IP header (addresses), TCP header (ports), Data, FCS.

Diagram 4 text: Extended ACLs filter source and destination IP addresses, protocol, and the destination application port numbers in a frame. ACLs filter a range of ports using the gt, lt, or range operators. Use the established parameter to filter traffic that is a response to a request. The order in which the statements are written has an impact on how the router performs. There are different ways to approach writing ACLs: permit specific traffic first and then deny general traffic, or deny specific traffic first and then permit general traffic. Network administrators account for NAT when creating and applying ACLs. Apply ACLs directly to VLAN interfaces just as with physical interfaces.

Diagram 5, Image: The image depicts a map of the world focused on GMT, Greenwich Mean Time. The relevant information is shown in a summary.

Diagram 5 text: An ACL statement captures the number of matches and displays them at the end of each statement matched. Logging gives additional details on packets permitted or denied. To activate logging, add the log option to the end of each ACL statement. Add deny ip any any log to monitor the number of packets that are not matched by previous ACL statements. The process of logging events places an additional load on the router. The log contents can be sent to an external syslog server. Always set the service timestamps for logging, and be sure the router date and time are set correctly so that log files display the proper time stamp.
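The wildcard-mask rule in the summary (subtract the subnet mask from 255.255.255.255, 0 bits must match, 1 bits are ignored) is easy to get wrong by hand, so here is a small Python toolkit as an added example, not part of the course: it derives the wildcard from a subnet mask or prefix length, builds the address/wildcard pair for the subnet containing a given host, counts how many bits the router compares, performs the router's match test, and enumerates the addresses a pair matches. The last function deliberately goes beyond the summary's contiguous examples: a wildcard mask need not be contiguous, so an entry such as 172.16.1.0 0.0.254.255 matches every /24 with an odd third octet, which the enumeration handles by treating each 1 bit independently. All sample addresses are taken from Diagram 2 or are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_int(ip):
    return int(ipaddress.IPv4Address(ip))


def int_ip(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_from_mask(subnet_mask):
    """The summary's rule: subtract the subnet mask from 255.255.255.255."""
    return int_ip(ALL_ONES - ip_int(subnet_mask))


def wildcard_from_prefix(prefix_len):
    """/24 -> 0.0.0.255, /16 -> 0.0.255.255, /32 -> 0.0.0.0 (a single host)."""
    return int_ip(ALL_ONES >> prefix_len)


def acl_entry_for_subnet(host_ip, subnet_mask):
    """Address/wildcard pair matching exactly the subnet that contains host_ip."""
    network = ip_int(host_ip) & ip_int(subnet_mask)
    return int_ip(network), wildcard_from_mask(subnet_mask)


def checked_bits(wildcard):
    """How many address bits the router compares: every 0 bit in the wildcard mask."""
    return 32 - bin(ip_int(wildcard)).count("1")


def matches(candidate, address, wildcard):
    """The comparison the router performs: bits under a 0 in the wildcard must agree."""
    return (ip_int(candidate) ^ ip_int(address)) & (~ip_int(wildcard) & ALL_ONES) == 0


def matched_addresses(address, wildcard, limit=16):
    """List (up to limit) the addresses an address/wildcard pair matches. Unlike a subnet mask,
    a wildcard need not be contiguous, so each free (1) bit is enumerated individually."""
    wc = ip_int(wildcard)
    base = ip_int(address) & ~wc & ALL_ONES
    free = [b for b in range(32) if wc >> b & 1]
    out = []
    for k in range(min(1 << len(free), limit)):
        value = base
        for i, b in enumerate(free):
            if k >> i & 1:
                value |= 1 << b
        out.append(int_ip(value))
    return out


if __name__ == "__main__":
    print(acl_entry_for_subnet("172.16.22.87", "255.255.255.248"))   # subnet holding a Diagram 2 host
    print(matched_addresses("172.16.22.80", "0.0.0.7"))
    print(checked_bits("0.0.254.255"), matches("172.16.3.5", "172.16.1.0", "0.0.254.255"))
```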

8.6.2 Critical Thinking

Page 1:

8.6.2 - Critical Thinking The diagram depicts an activity in which you must answer questions regarding access control lists based on specified requirements and a network topology diagram.

Network Topology: Three routers, RTA, RTB and RTC, are connected, each supporting a LAN. Router RTA interface S0/0/1 is connected to RTB interface S0/2/0 using subnetwork number 192.168.10.0/30. Router RTA interface S0/2/0 is connected to RTC interface S0/1/0 using a serial link. Router RTA interface Fa0/0/1 is connected to a LAN switch and two PCs using subnetwork number 10.10.20.0/24. Router RTB interface Fa0/0/1 is connected to a LAN switch, an FTP server and a PC using subnetwork number 10.10.30.0/24. The FTP server IP address is 10.10.30.1. The PC IP address is 10.10.30.2. Router RTB interface S0/1/0 is connected to the Internet cloud. Router RTC interface Fa0/0/1 is connected to a LAN switch and one PC using network number 10.10.1.0/24. The PC IP address is 10.10.1.1.

Scenario: A single access list needs to be created to deny the 10.10.1.0/24 subnet and the 10.10.20.0/24 subnet from reaching the 10.10.30.0/24 subnet. Host computer 10.10.1.1 should have access to the FTP server only. The rest of the 10.0.0.0 network should have access to the 10.10.30.0/24 network. All users should be able to access the Internet.

Questions:

Question One. What should be the first line of the access list?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 deny 10.10.1.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.1 0.0.0.0
D. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.0 0.0.0.255
E. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.30.0 0.0.0.255

Question Two. What should the second line of the access list be?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 deny 10.10.1.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.1 0.0.0.0
D. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.0 0.0.0.255
E. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.30.0 0.0.0.255
F. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 any

Question Three. What should the third line of the access list be?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 deny 10.10.1.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.1 0.0.0.0 eq ftp
D. Router(config)# access-list 101 permit ip 10.10.1.1 0.0.0.0 10.10.30.0 0.0.0.255 eq any
E. Router(config)# access-list 101 deny ip 10.10.20.0 0.0.0.255 10.10.30.0 0.0.0.255 eq any
F. Router(config)# access-list 101 deny ip 10.10.20.0 0.0.0.255 any

Question Four. What should the fourth line of the access list be?
A. Router(config)# access-list 10 permit 10.10.1.1 0.0.0.0
B. Router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
C. Router(config)# access-list 101 permit ip 10.0.0.0 0.0.0.0 10.10.30.0 0.0.0.0.255
D. Router(config)# access-list 101 permit ip 10.0.0.0 0.255.255.255 any
E. Router(config)# access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.30.0 0.0.0.255 eq any

Question Five. Where should the access list be placed to ensure it is effective?
A. S0/2/0 on RTB as an outbound ACL
B. S0/2/0 on RTB as an inbound ACL
C. Fa0/0/1 on RTB as an inbound ACL
D. S0/1/0 on RTB as an outbound list
E. S0/0/1 on RTA as an outbound list
F. S0/2/0 on RTA as an inbound list

8.7 Chapter Quiz


8.7.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

8.7.1 - Quiz Chapter 8 Quiz: Filtering Traffic Using Access Control Lists

1. An administrator has been asked to explain ACLs to a trainee. What are some of the suggested uses for ACLs that the trainee should learn? (Choose three.)
A. limit network traffic and increase performance
B. notify downstream devices in the event of increased traffic or congestion
C. determine whether interfaces are active or shutdown during peak usage
D. provide traffic flow control
E. provide a basic level of security for network access
F. open additional links when paths become saturated

2. What statements are true regarding the meaning of the access control list wildcard mask 0.0.0.15? (Choose two.)
A. The first 28 bits of a supplied IP address will be ignored.
B. The last four bits of a supplied IP address will be ignored.
C. The first 32 bits of a supplied IP address will be matched.
D. The first 28 bits of a supplied IP address will be matched.
E. The last five bits of a supplied IP address will be ignored.
F. The last four bits of a supplied IP address will be matched.

3. What IP address and wildcard mask pair will test for only addresses of the subnet containing a host configured with 192.168.12.6 255.255.255.248?
A. 192.168.12.0 0.0.0.7
B. 192.168.12.0 0.0.0.8
C. 192.168.12.6 0.0.0.15
D. 192.168.12.6 0.0.0.255

4. Once an ACL has been created, it must be applied in the proper location to have the desired effect. What rules should be observed when applying ACLs? (Choose two.)
A. Standard ACLs should be applied as close to the source as possible.
B. Outbound filters do not affect traffic that originates within the local router.
C. The inbound and outbound interface should be referenced as if looking from the outside of a router.
D. Extended ACLs should be applied closest to the source.
E. All ACL statements are processed for each packet through the interface.

5. A network administrator is writing a standard ACL that will deny any traffic from the 172.16.0.0/16 network, but permit all other traffic. Which two commands should be used? (Choose two.)
A. Router(config)# access-list 95 deny any
B. Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255
C. Router(config)# access-list 95 deny 172.16.0.0 255.255.0.0
D. Router(config)# access-list 95 permit any
E. Router(config)# access list 95 host 172.16.0.0
F. Router(config)# access-list 95 172.16.0.0 255.255.255.255

6. What can be concluded from the output shown below? (Choose two.)
Router# show running-config
Building configuration...
Current configuration 1084 bytes
!
version 12.1
[some output text omitted]
interface Serial0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 99 in
 no fair-queue
 clockrate 56000
!
ip classless
no ip http server
!
access-list 99 deny 10.213.177.76
access-list 99 permit any
!
[some output text omitted]
A. This is an extended IP access list.
B. The keyword host is implied in the command line access-list 99 deny 10.213.177.76.
C. The wildcard mask must be configured for this access list to function properly.
D. Host 10.213.177.100 will be allowed access to the Serial0/1 interface.
E. This access control list will not limit any traffic through the router.

7. The new security policy for the company allows all IP traffic from the Engineering LAN to the Internet, while only web traffic from the Marketing LAN is allowed to the Internet. Which ACL can be applied in the outbound direction of Serial 0/0/1 on the Marketing router to implement the new security policy? To answer this question refer to the network topology below.
Network Topology: This topology consists of two routers, one named Marketing and one named Engineering. These two routers are connected to each other via a serial link (Marketing S0/0/0, 198.18.106.1/24; Engineering S0/0/0, 198.18.106.2/24). The Marketing router is connected to a switch via its Fa0/0 interface, network 198.18.112.0/24. This network is called the Marketing LAN. The Engineering router is connected to a switch via its Fa0/0 interface, network 192.0.2.0/24. This network is called the Engineering LAN. The S0/0/1 interface on the Marketing router is attached to the Internet with the IP address 198.18.114.1/24.
A. access-list 197 permit ip 192.0.2.0 0.0.0.255 any
   access-list 197 permit ip 198.18.112.0 0.0.0.255 any eq www
B. access-list 165 permit ip 192.0.2.0 0.0.0.255 any
   access list 165 permit tcp 198.18.112.0 0.0.0.255 any eq www
   access-list 165 permit ip any any
C. access-list 137 permit ip 192.0.2.0 0.0.0.255 any
   access-list 137 permit tcp 198.18.112.0 0.0.0.255 any eq www
D. access-list 89 permit tcp 192.0.2.0 0.0.0.255 any
   access-list 89 permit ip 198.18.112.0 0.0.0.255 any eq www

8. Which two statements are correct based on the set of commands shown in the output below? (Choose two.)
Router(config)# ip access-list extended Server1Access
Router(config-ext-nacl)# deny ip 10.128.114.0 0.0.0.255 any
Router(config-ext-nacl)# deny tcp 192.168.85.0 0.0.0.255 host 172.25.0.26 eq 23
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# exit
Router(config)# interface Fa0/0
Router(config-if)# ip access-group Server1Access out
A. Host 10.128.114.76 will be able to establish a Telnet session with host 172.25.0.26.
B. Host 10.128.114.76 will not be able to establish an FTP session with available hosts on the 172.25.0.0/16 network.
C. Host 192.168.85.76 will be able to establish a Telnet session with host 172.25.0.26.
D. Host 192.168.85.76 will be able to establish an FTP session with available hosts on the 172.25.0.0 network.
E. Host 172.25.0.26 will not be able to establish a Telnet session with available hosts on the 192.168.85.0/24 network.

9. A network engineer wants to ensure that only users of the network management host can access the vty lines of R1. Place the commands in the order in which they would be entered into the router, using the three router prompts listed below. (Not all commands will be used.)
A. line vty 0 4
B. access-class 1 in
C. ip access-group 1 in
D. access-list 1 deny any
E. access-list 1 deny ip any any
F. access-list 1 permit host 10.0.0.1
1. First command, at the R1(config)# prompt
2. Second command, at the R1(config)# prompt
3. Third command, at the R1(config-line)# prompt

10. What are two purposes of IP access control lists? (Choose two.)
A. ACLs control host access to a network or to another host.
B. Standard ACLs can restrict access to specific applications and ports.
C. ACLs provide a basic level of security for network access.
D. ACLs can permit or deny traffic based upon the MAC address originating on the router.
E. ACLs can be applied to only one interface.

11. Access list 101 is applied as an inbound ACL on the interface Serial 0 of router RTA and should permit Telnet access to the 172.16.28.3 host. However, Telnet access fails when host 10.10.10.3 attempts to connect to host 172.16.28.3. What could be the cause? To answer this question refer to the network topology below.
Network Topology: This topology consists of two routers named RTA and RTB. RTA is connected to the Internet via its S0 interface. RTB is connected to the Internet via its S0 interface. RTA has a host connected via its Fa0 interface, addressed as 172.16.28.3/24. RTB has a host connected via its Fa0 interface, addressed as 10.10.10.3. Output from RTA's command line is shown as follows:
hostname RTA
!
access-list 101 permit tcp 10.10.10.0 0.0.0.255 any host eq 23
access-list 101 deny ip any any
A. The line access-list 101 permit tcp any any established should be added before the permit statement.
B. The line access-list 101 permit tcp any any established should be added after the permit statement.
C. The port number is incorrect for the access list.
D. The access list should be on the outbound interface of FastEthernet 0.

12. A network administrator is interested in tracing all packets that do not match any statement in a standard ACL. What must the network administrator do to allow tracking?
A. Enter the command debug ACL deny from global configuration mode.
B. Add permit ip any log to the end of the ACL statements.
C. Enter the syslog command in global configuration mode.
D. Nothing, logging of denied packets happens automatically.


All contents copyright 2007-2008 Cisco Systems, Inc. | Translated by the Cisco Networking Academy.



9 Troubleshooting an Enterprise Network
9.0 Chapter Introduction
9.0.1 Introduction Page 1:

9.0.1 Introduction Enterprise networks can have problems that range from poor performance to unreachable resources. Network monitoring, proactive maintenance, effective troubleshooting methods and an awareness of failure domains can help to minimize network downtime. Network problems can involve a variety of technologies including LAN switching, routing protocols, WAN links, and ACLs. After completion of this chapter, you should be able to:
Explain the importance of uptime and the types of issues that cause failure.
Isolate and correct switching problems.
Isolate and correct routing issues.
Isolate and correct WAN configurations.
Isolate and correct ACL issues.

9.1 Understanding the Impact of Network Failure


9.1.1 Enterprise Network Requirements Page 1: Most enterprises rely on their networks to provide consistent and reliable access to shared resources. Network uptime is the time that the network is available and functioning as expected. Network downtime is any time that the network is not performing as required. A reduction in the performance level of the network may have a negative impact on the business.

Without a reliable network, many organizations lose access to customer databases and accounting records that employees need to perform their daily activities. Network outages also prevent customers from placing orders or obtaining the information they require. Downtime results in lost productivity, customer frustration, and often the loss of customers to competitors.

9.1.1 - Enterprise Network Requirements The diagram depicts a silhouette of a group of people.

Page 2: Many different metrics are used to determine the cost of downtime to an enterprise. The actual cost to a company varies depending on the day, date, and time.

Large enterprises generally span many different time zones and have employees, customers, and suppliers accessing their network around the clock. For these organizations, any downtime is extremely costly. Many factors cause network downtime. These include:

Weather and natural disasters
Security breaches
Man-made disasters
Power surges
Virus attacks
Equipment failure
Misconfiguration of devices
Lack of resources

9.1.1 - Enterprise Network Requirements The diagram depicts a satellite image of the earth, showing a storm.

Page 3: A well-planned network design and implementation are crucial for meeting uptime requirements.

To ensure the proper and efficient flow of traffic, a good design includes redundancy of all critical components and data paths. This redundancy eliminates single points of failure.

The three-layer hierarchical network design model separates the functionality of the various networking devices and links. This separation ensures efficient network performance. In addition, the use of enterprise class equipment provides a high degree of reliability.

Even with proper network design, some downtime is inevitable. To keep downtime to a minimum and ensure rapid recovery requires additional considerations.

To guarantee service levels, an enterprise should have service level agreements (SLAs) with key suppliers. An SLA clearly documents network expectations in terms of level of service. These expectations include the acceptable level of downtime as well as the recovery period. SLAs often specify the penalty associated with any loss of service.

9.1.1 - Enterprise Network Requirements The diagram depicts a three-layer hierarchical network design, including the Core, Distribution, and Access Layers, that incorporates good design characteristics such as redundancy.

Page 4: Outages are not only associated with loss of service from ISPs. Quite often, the problem stems from the failure of a key piece of equipment that is part of the local network. Minimizing this type of downtime requires warranties on all critical pieces of equipment. Warranties provide for rapid replacement of mission-critical components.

Business continuity plans provide a detailed plan of action in case of unexpected man-made or natural disasters such as power failures or earthquakes. Business continuity plans provide the details on how the business continues or resumes operations, with minimal disruption to its clients, after the disaster. They clearly specify how the network re-establishes functionality in the event of a catastrophic failure. One way to ensure functionality is to have a redundant backup site at another location, in case of failure at the primary site.

9.1.1 - Enterprise Network Requirements The diagram depicts a network with a headquarters and a backup site.

9.1.2 Monitoring and Proactive Maintenance Page 1: One way of ensuring uptime is to monitor current network functionality and perform proactive maintenance.

The purpose of network monitoring is to watch network performance in comparison to a predetermined baseline. Any observed deviations from this baseline indicate potential problems with the network and require investigation. As soon as the network administrator determines the cause of degraded performance, corrective actions can be taken to prevent a serious network outage.

Several groups of tools are available for monitoring network performance levels and gathering data. These tools include:

Network utilities
Packet sniffing tools
SNMP monitoring tools

Each of these groups of tools has different capabilities and provides different types of information. Using these tools in combination provides comprehensive information on current network performance.

A network administrator performs proactive maintenance on a regular basis to verify and service equipment. By doing this, the administrator can detect weaknesses prior to a critical error that could bring down the network. Like regular servicing on a car, proactive maintenance extends the life of a network device.

9.1.2 - Monitoring and Proactive Maintenance The diagram depicts a technician working on a rack of equipment.

Page 2: Network monitoring tools, techniques, and programs rely on the availability of a complete set of accurate and current network documentation. This documentation includes:

Physical and logical topology diagrams
Configuration files of all network devices
A baseline performance level

It is best practice to determine baseline network performance levels when the network is first installed and then again after any major changes or upgrades occur. Network administrators perform baseline testing of the network under normal load levels, using the protocols and applications that are normally encountered on the network.

Many complex tools and procedures exist to determine performance baselines. Some programs perform many different tests with different types of traffic. The tests determine the network performance under very accurately defined loads and conditions. Others, such as a simple ping, are less accurate but often provide sufficient information to alert the administrator to a problem.

9.1.2 - Monitoring and Proactive Maintenance The diagram depicts the following two screen captures of the ping command. Baseline: on FEB 2, 2007 at 08:14:43, a ping was sent to 10.66.254.159 and the delay times were all 1 millisecond. Congestion problems? On MAR 17, 2007 at 14:41:06, a ping was sent to 10.66.254.159 and the delay times were all 6 milliseconds.

Page 3: Simple network utilities, like ping and tracert, provide information on the performance of the network or network link. Performing these commands at multiple times shows the difference in time required for a packet to travel between two locations. Using these commands, however, does not provide a reason for the difference in times.
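As an added example (not part of the course text), the following Python script parses two constructed ping captures, one kept as the baseline and one taken later, and flags the kind of deviation the figure above shows. The reply lines, the lost-reply line and the alert thresholds are assumptions.

```python
"""Compare current ping results against a stored baseline.

Added example, not from the Cisco curriculum. The two captures below are
constructed in the style of Windows ping replies and mirror the course
figure: 1 ms replies on the baseline day, 6 ms replies (plus one lost reply,
an assumption) on the later day, both to 10.66.254.159.
"""
import re
import statistics

BASELINE_PING = """\
Reply from 10.66.254.159: bytes=32 time=1ms TTL=254
Reply from 10.66.254.159: bytes=32 time=1ms TTL=254
Reply from 10.66.254.159: bytes=32 time=1ms TTL=254
Reply from 10.66.254.159: bytes=32 time=1ms TTL=254
"""

CURRENT_PING = """\
Reply from 10.66.254.159: bytes=32 time=6ms TTL=254
Reply from 10.66.254.159: bytes=32 time=6ms TTL=254
Request timed out.
Reply from 10.66.254.159: bytes=32 time=6ms TTL=254
"""

# Windows prints "time=6ms" or "time<1ms" for sub-millisecond replies.
RTT_RE = re.compile(r"time[=<](\d+)ms")


def parse_rtts(output):
    """Return (list of round-trip times in ms, number of lost replies)."""
    rtts = []
    lost = 0
    for line in output.splitlines():
        match = RTT_RE.search(line)
        if match:
            rtts.append(int(match.group(1)))
        elif "timed out" in line.lower():
            lost += 1
    return rtts, lost


def summarize(output):
    """Average and maximum RTT plus loss percentage for one capture."""
    rtts, lost = parse_rtts(output)
    total = len(rtts) + lost
    return {
        "avg_ms": statistics.mean(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "loss_pct": 100.0 * lost / total if total else 0.0,
    }


def compare_to_baseline(baseline_output, current_output,
                        factor=3.0, max_loss_pct=0.0):
    """Flag a deviation when the average RTT exceeds factor x baseline or
    when any loss appears (thresholds are assumptions, tune per network).

    Returns (deviates, reasons). As the course notes, ping only shows that
    the path got slower, not why; the reasons are a prompt to investigate.
    """
    base = summarize(baseline_output)
    cur = summarize(current_output)
    reasons = []
    if cur["avg_ms"] is None:
        reasons.append("no replies at all; host or path down")
    else:
        # A baseline of "<1ms" parses as 0; treat it as 1 ms to avoid a
        # zero reference.
        base_avg = max(base["avg_ms"] or 0.0, 1.0)
        if cur["avg_ms"] > factor * base_avg:
            reasons.append(
                f"avg RTT {cur['avg_ms']:.1f} ms vs baseline {base_avg:.1f} ms")
    if cur["loss_pct"] > max_loss_pct:
        reasons.append(f"packet loss {cur['loss_pct']:.0f}%")
    return bool(reasons), reasons


if __name__ == "__main__":
    deviates, why = compare_to_baseline(BASELINE_PING, CURRENT_PING)
    print("deviation from baseline:", deviates)
    for reason in why:
        print(" -", reason)
```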

Packet sniffing tools monitor the types of traffic on various parts of the network. These tools indicate if there is an excessive amount of a particular traffic type. They examine the contents of the packets, which provides a quick way of locating the source of this traffic.

These tools may also be able to remedy the situation before network congestion becomes critical. For example, traffic sniffing can detect whether a type of traffic or a particular transaction occurring on the network is unexpected. This detection might stop a potential denial of service attack before it impacts network performance.

9.1.2 - Monitoring and Proactive Maintenance The diagram depicts a user connected to a small network of three routers. He thinks to himself, "Should I use ping? tracert? Packet Sniffing?"

Page 4: Simple Network Management Protocol (SNMP) allows monitoring of individual devices on the network. SNMP-compliant devices use agents to monitor a number of predefined parameters for specific conditions. These agents collect information and store it in a database known as the management information base (MIB).

SNMP polls devices at regular intervals to collect information about managed parameters. SNMP also traps certain events that exceed a predefined threshold or condition.

For example, SNMP monitors a router interface for errors. The network administrator defines a specific level of acceptable errors for that interface. If the errors exceed the threshold level, SNMP traps the condition and sends it to a network management station (NMS). The NMS alerts the network administrator. Some SNMP systems trigger events, such as the automatic reconfiguration of a device, to eliminate the problem. Most enterprise class network management systems use SNMP.

A number of freeware and commercial proactive network monitoring tools exist. These tools monitor traffic type, traffic load, server configurations, traffic patterns, and a multitude of other conditions. A proper Network Monitoring Plan and the use of proper tools help a network administrator evaluate the health of the network and detect any problem situations.

9.1.2 - Monitoring and Proactive Maintenance The diagram depicts a man sitting at a workstation, labeled Management Station, Network Management Protocol. The workstation is connected to a small network. The following are monitoring tools on the network: a router labeled Management Agent and Router MIB, a switch labeled Management Agent and Switch MIB, and a server labeled Central MIB.

Page 5: Packet Tracer Activity

Design a network and create a baseline.

Click the Packet Tracer icon to begin.

9.1.2 - Monitoring and Proactive Maintenance Link to Packet Tracer Exploration: Creating a Baseline Design a network and create a baseline.

9.1.3 Troubleshooting and the Failure Domain Page 1:

The objective of any troubleshooting effort is to return functionality quickly and with little disruption to the end users. Achieving this objective often means postponing an extensive or prolonged process for determining the cause of a problem in favor of quickly re-establishing functionality.

In some situations, putting a temporary solution into place allows investigation and correction of the problem under a less critical time constraint.

Redundancy is a key design element for enterprise networks. In a redundant environment, if one link goes down, traffic diversion to the redundant link occurs immediately. This temporary solution allows the network to maintain functionality and gives the administrator time to diagnose and correct the problem with the failed link. If problems occur with a specific device or configuration, having backup copies of the configuration files or spare devices allows quick restoration of connectivity.

9.1.3- Troubleshooting and the Failure Domain The diagram depicts a corporate network and a number of Hot Swappable Spares, including a server, router, and switches, that are used for rapid restoration of network functionality.

Page 2: Quick solutions are not always possible or appropriate. The security of the network and the resources that it houses must always be the highest priority. If a quick fix compromises this security, take the time to investigate an alternative solution that is more appropriate.

Detail security concerns in the business continuity plan. The plan includes:

Documentation of potential problems
Description of the appropriate course of action in the event of problems
Details of the security policy of the company
Details of the security risks of the actions

When designing an enterprise network limit the size of a failure domain. The failure domain is the area of the network that is impacted by the failure or misconfiguration of a network device. The actual size of the domain depends on the device and the type of failure or misconfiguration. When troubleshooting a network, determine the scope of the issue and isolate the issue to a specific failure domain.

9.1.3- Troubleshooting and the Failure Domain The animation depicts the importance of maintaining security.

A hacker sends a packet through the Internet to an enterprise network, but it is stopped by the firewall. The hacker thinks to himself, "The firewall is stopping me from entering the company." Someone within the enterprise thinks to himself, "The firewall just went down. To get the network up quickly, we will replace the firewall with a router." The hacker sends another packet through the Internet to the enterprise and thinks to himself, "The firewall must be down. I can access the network easily now." The hacker then has access to the network.

Page 3: If both a Layer 2 switch and a border router fail at the same time, they affect different failure domains.

The failure of a Layer 2 switch on a LAN segment only affects users in the broadcast domain. It has no effect on other regions of the network. Failure of a border router, however, prevents all users in the company from connecting to network resources outside of their local network.

Because the router has a larger impact on the network, it has a larger failure domain. Under normal circumstances, troubleshoot resources with the larger failure domains first.

In some circumstances, the size of the failure domain is not the deciding factor in troubleshooting. If a business critical server is connected to a failed switch, correction of this issue may take precedence over the border router.

9.1.3- Troubleshooting and the Failure Domain The diagram depicts the different effects that the failure of a Layer 2 switch and a Layer 3 router have on a network. The Layer 2 switch failure shows a small failure domain of only the two hosts connected to it. The Layer 3 router failure shows a much larger failure domain, which includes all devices in the network located behind the ISP connection.

Page 4:

9.1.3- Troubleshooting and the Failure Domain The diagram depicts an activity in which you must determine how many hosts will be unable to connect to the Internet when each router fails. Network Topology: The Internet connects to router R1, which connects to router R2. R2 connects to routers R3 and R5. R3 connects to two switches. Each switch connects to two hosts. R3 also connects back to router R5. R5 connects to routers R4 and R6. R4 and R6 each connect to three switches. Each switch is connected to two hosts.
Outcome when each router fails (choices for each router: 2, 4, 6, 10, 12, or 16):
R1: Number of hosts unable to connect?
R2: Number of hosts unable to connect?
R3: Number of hosts unable to connect?
R4: Number of hosts unable to connect?
R5: Number of hosts unable to connect?
R6: Number of hosts unable to connect?

9.1.4 Troubleshooting Process Page 1: When a problem occurs on an enterprise network, troubleshooting that problem quickly and efficiently is very important to avoid extended periods of downtime. Many different structured and unstructured problem-solving techniques are available to the network technician. These include:

Top-down
Bottom-up
Divide-and-conquer
Trial-and-error
Substitution

Most experienced network technicians rely on the knowledge gained from past experience and start the troubleshooting process using a trial-and-error approach. Correcting the problem in this manner saves a great deal of time.

Unfortunately, less experienced technicians cannot rely solely on previous experience. Additionally, many times the trial-and-error approach does not provide a solution. Both of these cases require a more structured approach to troubleshooting.

9.1.4 - Troubleshooting Process The diagram depicts a man deep in thought.

Page 2: When a situation requires a more structured approach, most network personnel use a layered process based on the OSI or TCP/IP models. The technician uses previous experience to determine if the issue is associated with the lower layers of the OSI model or the upper layers. The layer dictates whether a top-down or bottom-up approach is appropriate.

When approaching a problem situation, follow the generic problem-solving model, regardless of the type of troubleshooting technique used.

Define the problem
Gather facts
Deduce possibilities and alternatives
Design plan of action
Implement solution
Analyze results

If the first pass through this procedure does not determine and correct the problem, repeat the process as necessary.

Document the initial symptoms and all attempts at finding and correcting the cause. This documentation serves as a valuable resource should the same or similar problem occur again. It is important to document even failed attempts, to save time during future troubleshooting activities.

9.1.4 - Troubleshooting Process The diagram depicts the OSI Model and examples of common problems that can exist at each layer.
Application Layer, Layer 7. Associated with specific services such as FTP and DNS. If resources are unreachable or unusable while the Physical, Data Link, Network, and Transport Layers are functional, the problem is associated with this layer.
Presentation Layer, Layer 6. Responsible for data representation. Includes compression and encryption. If data is being reliably transmitted across the network but is unreadable on the receiving end, suspect the Presentation Layer. Verify that any encryption keys match and are properly configured.
Session Layer, Layer 5. Responsible for establishing, maintaining, and terminating end-to-end communication sessions between applications. Related to synchronization and flow control. An application server failing during a communication session could generate problems at the Session Layer.
Transport Layer, Layer 4. Uses port numbers to identify the type of traffic being carried in the conversation. Misconfigured ACLs are a common problem at the Transport Layer.
Network Layer, Layer 3. Involved with logical addressing and best path determination. Layer 3 addressing and routing problems are associated with the Network Layer. The most common problems are improperly configured addresses and improper routing information. Misconfigured ACLs are an issue at the Network Layer.
Data Link Layer, Layer 2. Concerned mainly with the encapsulation of data. Mismatched encapsulation is one of the most common issues at the Data Link Layer. Includes improper conversion of Layer 2 encapsulation as the frames move across the network. Improperly configured switch ports and Layer 2 addressing issues are also common. Misconfigured VLANs can generate problems at Layer 2, the Data Link Layer.
Physical Layer, Layer 1. Concerned with physical connectivity. Common issues include damaged or improper cabling, physical damage to ports, and power issues. In wireless networks, antennas are Physical Layer devices, as is the RF medium. Any loss in signal strength or interference is considered a Layer 1, Physical Layer, problem.

Page 3:

9.1.4 - Troubleshooting Process The diagram depicts an activity in which you must match each problem to the OSI model layer with which it is best associated.
Layer Choices
A. Network
B. Physical
C. Application
D. Data Link
E. Transport
Problem Scenarios
1. Vida is unable to connect to a web server even though she is able to ping and tracert to the same address.
2. Carlos misconfigures an ACL to filter DNS traffic when he meant to filter FTP traffic.
3. Gustavo configures PPP encapsulation on one end of the serial link to the ISP and the link goes down.
4. Tyrone checks the MAC address table on the switch and notices that the value for one of the connected hosts is not correct.
5. Suresh mistypes the IP address on the router interface.
6. Rebecca installs the wrong type of antenna on the AP.

9.2 Troubleshooting Switching and Connectivity Issues


9.2.1 Troubleshooting Basic Switching Page 1: Switches are currently the most commonly used Access Layer networking device. Workstations, printers, and servers connect into the network through switches. Faults with the switch hardware or configuration prevent connection between these local and remote devices.

The most common problems with switches occur at the Physical Layer. If a switch is installed in an unprotected environment, it can suffer damage such as dislodged or damaged data or power cables. Ensure that switches are placed in a physically secure area.

If an end device cannot connect to the network and the link LED is not illuminated, the link or the switch port may be defective or shut down. Perform the following steps:

Ensure that the power LED is illuminated.
Ensure that the correct type of cable connects the end device to the switch.
Reseat the cables at both the workstation and the switch end.
Check the configuration to ensure that the port is in a no shutdown state.

If a connectivity problem exists, and if the link LED is illuminated, the switch configuration is the most likely problem.

9.2.1 - Troubleshooting Basic Switching The diagram depicts two rack mount switches that have connections stemming out of the RJ-45 ports. One of the switches has 16 connections to individual client computers. The other switch only has one RJ-45 port utilized.

Page 2: If a switch port fails or malfunctions, the easiest way to test it is to move the physical connection to another port and see if this corrects the problem.

Ensure that switch port security has not disabled the port. Confirm this using the following commands:

show running-config

show port-security interface interface_id

If the switch security settings are disabling the port, review the security policy to see if altering the security is acceptable.

Switches function at Layer 2 and keep a record of the MAC address of all connected devices. If the MAC address in this table is not correct, the switch forwards information to the wrong port and communication does not occur.

To display the MAC address of the device connected to each switch port, use:

show mac-address-table

To clear the dynamic entries in the table, issue the command:

clear mac-address-table dynamic

The switch then repopulates the MAC address table with updated information.

9.2.1 - Troubleshooting Basic Switching The diagram depicts a topology with a switch that fails. Network Topology: Two switches, S1 and S2, are directly connected to each other by an Ethernet link from Fa0/2 on both switches. S1 has Fa0/4 and Fa0/6 in use. S2 has its Fa0/1 port in use. An Ethernet link between S2 and R1 has been established. R1 has a serial link to the WAN cloud. The command "show mac-address-table" has been issued. The following is the output. The table headers include the following: VLAN, MAC Address, Type, and Ports.
S1# show mac-address-table
          MAC Address Table
-------------------------------------------
VLAN    MAC Address       Type       Ports
----    -----------       -------    -----
All     000d.6563.bd00    Static     CPU
All     0100.0ccc.cccc    Static     CPU
All     0100.0ccc.cccd    Static     CPU
All     0100.0ccc.dddd    Static     CPU
1       000d.29a0.88e0    Dynamic    Fa0/2
1       000d.6563.0582    Dynamic    Fa0/2
1       0010.a4fa.b23e    Dynamic    Fa0/6
1       00b0.d04d.01f7    Dynamic    Fa0/4
101     000d.29a0.88e0    Dynamic    Fa0/2
101     000d.6563.0582    Dynamic    Fa0/2
102     000d.29a0.88e0    Dynamic    Fa0/2
102     000d.6563.0582    Dynamic    Fa0/2
103     000d.29a0.88e0    Dynamic    Fa0/2
103     000d.6563.0582    Dynamic    Fa0/2
Total MAC addresses in this criterion: 14

Page 3: Although automatically detected on many devices, mismatched speed or duplex settings can prevent the link between the switch and end device from functioning. Some switches do not properly detect the speed and duplex of the connected device. If this is the suspected problem, lock down the values on the switch port to match the host device using the interface speed and duplex commands.

To display both the speed and duplex settings of the port, use the command:

show interface interface_id

Switching loops are another potential source of connectivity issues. STP prevents bridging loops and broadcast storms by shutting down redundant paths in a switched network. If STP bases its decisions on inaccurate information, loops may occur.

Indicators that a loop is present in a network include:

Loss of connectivity to, from, and through affected network regions
High CPU utilization on routers connected to affected segments
High link utilization up to 100%
High switch backplane utilization as compared to the baseline utilization
Syslog messages indicating packet looping, constant address relearning, or MAC address flapping messages
Increasing number of output drops on many interfaces

9.2.1 - Troubleshooting Basic Switching The diagram depicts the speed and duplex settings of a switch. Network Topology: A switch, S1, with the Fast Ethernet ports Fa0/4, Fa0/2, and Fa0/6 in use. Fa0/2 on S1 is directly connected to Fa0/2 of switch S2. Fa0/1 of S2 is directly connected to Fa0/0 of router R1. The serial interface S0/1 of R1 is connected by serial link to the WAN cloud.

Items of interest are highlighted in the following output of S1:
S1# show interface Fa0/6
FastEthernet0/6 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 000d.6563.bd06 (bia 000d.6563.bd06)
  {output omitted}
  Full-duplex, 100Mb/s
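The MAC address flapping indicator listed above can be checked automatically. This added Python example (not from the course) scans constructed syslog lines written in the style of IOS %SW_MATM-4-MACFLAP_NOTIF messages and reports hosts that flap repeatedly within a short window; the log lines, the 60-second window and the threshold of three events are assumptions, and the MAC addresses and ports are sample values borrowed from the course topology.

```python
"""Detect MAC address flapping in switch syslog, an indicator of a Layer 2 loop.

Added example, not from the Cisco curriculum. The log lines below are
constructed in the style of IOS %SW_MATM-4-MACFLAP_NOTIF messages; the
hosts and ports are sample values from the course topology (S1 uplink
Fa0/2, access ports Fa0/4 and Fa0/6).
"""
import re
from collections import defaultdict
from datetime import datetime

CONSTRUCTED_SYSLOG = """\
Mar 17 14:41:06.100: %SW_MATM-4-MACFLAP_NOTIF: Host 000d.29a0.88e0 in vlan 1 is flapping between port Fa0/2 and port Fa0/4
Mar 17 14:41:06.900: %SW_MATM-4-MACFLAP_NOTIF: Host 000d.29a0.88e0 in vlan 1 is flapping between port Fa0/4 and port Fa0/2
Mar 17 14:41:07.300: %LINK-3-UPDOWN: Interface FastEthernet0/6, changed state to down
Mar 17 14:41:08.000: %SW_MATM-4-MACFLAP_NOTIF: Host 000d.29a0.88e0 in vlan 1 is flapping between port Fa0/2 and port Fa0/4
Mar 17 14:41:09.500: %SW_MATM-4-MACFLAP_NOTIF: Host 0010.a4fa.b23e in vlan 1 is flapping between port Fa0/6 and port Fa0/4
Mar 17 14:43:30.000: %SW_MATM-4-MACFLAP_NOTIF: Host 000d.29a0.88e0 in vlan 1 is flapping between port Fa0/2 and port Fa0/4
"""

# Timestamp, then the flap message with the host, VLAN and the two ports.
FLAP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %SW_MATM-4-MACFLAP_NOTIF: "
    r"Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)$"
)


def parse_flaps(text, year=2007):
    """Return a list of (timestamp, mac, vlan, frozenset{port_a, port_b}).

    Lines that are not flap notifications are skipped. IOS timestamps carry
    no year, so one is supplied (an assumption) to build datetime objects.
    """
    events = []
    for line in text.splitlines():
        match = FLAP_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
        ports = frozenset((match["p1"], match["p2"]))
        events.append((ts, match["mac"], int(match["vlan"]), ports))
    return events


def find_flapping_hosts(text, window_s=60, min_events=3):
    """Return {(mac, vlan): {"count": n, "ports": set}} for hosts with at least
    min_events flap notifications inside any window_s-second sliding window.

    A single notification can be a host moving between ports legitimately;
    repeated flaps between the same two ports in a short time point at a loop
    or at a duplicated MAC, both of which merit a look at the STP state.
    """
    by_host = defaultdict(list)
    for ts, mac, vlan, ports in parse_flaps(text):
        by_host[(mac, vlan)].append((ts, ports))

    suspects = {}
    for key, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        best = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits within window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_events:
            ports = set()
            for _, p in evs:
                ports |= p
            suspects[key] = {"count": best, "ports": ports}
    return suspects


if __name__ == "__main__":
    for (mac, vlan), info in find_flapping_hosts(CONSTRUCTED_SYSLOG).items():
        print(f"{mac} vlan {vlan}: {info['count']} flaps within 60 s "
              f"between {sorted(info['ports'])}")
```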

Page 4: A loop develops when the switch does not receive BPDUs or is unable to process them. This problem could be due to:

Misconfigurations
Defective transceivers
Hardware and cabling issues
Overloaded processors

Overloaded processors disrupt STP and prevent the switch from processing the BPDUs. A port that is flapping causes multiple transitions to occur. These multiple transitions can overload the processors. This should be a rare occurrence in a properly configured network. To remedy this type of problem, remove as many of the redundant links as possible.

Another troubleshooting issue is suboptimal switching. Left to default values, STP does not always identify the best root bridge or root ports. Changing the priority value on a switch can force the selection of the root bridge. The root bridge should normally be at the center of the network to provide for optimum switching.

When troubleshooting STP, use the following commands:

To provide information about the STP configuration:

show spanning-tree

To provide information about the STP state of an individual port:

show spanning-tree interface interface_id

9.2.1 - Troubleshooting Basic Switching The diagram depicts the output of the show spanning-tree command. Network Topology: A switch, S1, with the Fast Ethernet ports Fa0/4, Fa0/2, and Fa0/6 in use. Fa0/2 on S1 is directly connected to Fa0/2 of switch S2. Fa0/1 of S2 is directly connected to Fa0/0 of router R1. The serial interface S0/1 of R1 is connected by serial link to the WAN cloud. The command show spanning-tree is entered and executed on each of the switches, S1 and S2.
S1# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.6563.0580
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.6563.bd00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Root FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/6            Desg FWD 19        128.6    Shr

S2# show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000d.6563.0580
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000d.6563.0580
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
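To make the root election in the output above concrete, here is an added Python example (not course code) that builds bridge IDs from priority, sys-id-ext and MAC address, elects the VLAN 1 root for the page's two switches, and shows how lowering S1's priority forces it to become root. The priority value 24576 used for S1 is an assumption.

```python
"""Root bridge election from bridge IDs and the effect of lowering priority.

Added example, not from the Cisco curriculum. Bridge IDs use the values shown
in the page's show spanning-tree output: S1 = 000d.6563.bd00 and
S2 = 000d.6563.0580, both at priority 32768 with sys-id-ext 1 for VLAN 1.
The priority 24576 used to force S1 to become root is an assumption.
"""


def bridge_id(priority, vlan, mac):
    """Return the bridge ID as an integer: the 4-bit priority and the 12-bit
    sys-id-ext (the VLAN number) form the high 16 bits, followed by the
    48-bit MAC address.

    Because the VLAN occupies the low 12 bits of that field, the configurable
    priority must be a multiple of 4096 between 0 and 61440."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN out of range")
    mac_int = int(mac.replace(".", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def displayed_priority(priority, vlan):
    """The 'Priority' value IOS prints: priority + sys-id-ext (32768 + 1)."""
    return priority + vlan


def elect_root(switches, vlan):
    """switches: {name: {"priority": int, "mac": str}}.

    The lowest bridge ID wins. With equal priorities the lowest MAC wins, so
    leaving defaults in place lets the MAC address, not the design, pick the
    root, which is the suboptimal switching case the course describes."""
    return min(
        switches,
        key=lambda n: bridge_id(switches[n]["priority"], vlan, switches[n]["mac"]),
    )


def force_root(switches, name, vlan, priority=24576):
    """Return a copy of the switch table where `name` carries the given lower
    priority, the effect of 'spanning-tree vlan <vlan> priority <priority>'.
    Raises if that priority would still not win the election."""
    updated = {n: dict(v) for n, v in switches.items()}
    updated[name]["priority"] = priority
    if elect_root(updated, vlan) != name:
        raise ValueError(f"{name} would still not be root at priority {priority}")
    return updated


# Switches from the page's topology with default priorities.
SWITCHES = {
    "S1": {"priority": 32768, "mac": "000d.6563.bd00"},
    "S2": {"priority": 32768, "mac": "000d.6563.0580"},
}

if __name__ == "__main__":
    print("root with defaults:", elect_root(SWITCHES, 1))  # S2, lower MAC
    forced = force_root(SWITCHES, "S1", 1)
    print("root after lowering S1 priority:", elect_root(forced, 1))
    print("S1 displayed priority:",
          displayed_priority(forced["S1"]["priority"], 1))
```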

Page 5: Packet Tracer Activity

Troubleshoot host connectivity on a switch.

Click the Packet Tracer icon to begin.

9.2.1 - Troubleshooting Basic Switching Link to Packet Tracer Exploration: Troubleshooting Host Connectivity on a Switch Troubleshoot host connectivity on a switch.

9.2.2 Troubleshooting VLAN Configuration Issues Page 1: If the Physical Layer is functioning correctly and communication is still not occurring between end devices, check the VLAN configuration.

If the non-functioning ports are in the same VLAN, the hosts must have IP addresses on the same network or subnet in order to communicate. If the non-functioning ports are in different VLANs, communication is only possible with the aid of a Layer 3 device, such as a router. If information is required on a specific VLAN, use the show vlan id vlan_number command to display the ports assigned to that VLAN.

If inter-VLAN routing is required, verify the following configurations:

One port from each VLAN connects into a router interface or subinterface.
Both the switch port and the router interface are configured with trunking.
Both the switch and router interface are configured with the same encapsulation.

Newer switches default to 802.1Q, but some Cisco switches support both 802.1Q and the Cisco proprietary Inter-Switch Link (ISL) format. IEEE 802.1Q should be used whenever possible, because it is the de facto standard and because 802.1Q and ISL are not compatible with each other: both ends of a trunk must use the same encapsulation.

9.2.2 - Troubleshooting VLAN Configuration Issues The diagram depicts VLAN configuration issues. Below is the output when the commands show vlan, show vlan brief, and show vlan id 101 are applied to S2. Network Topology: Switch S1 is directly connected to switch S2, with the connection established between the FastEthernet ports Fa0/2 on both switches. S2 has its FastEthernet Fa0/1 directly connected to Fa0/0 of router R1. R1 has its serial interface S0/1 connected by serial link to the WAN cloud.

S2# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8
102  VLAN0102                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
103  VLAN0103                         active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
101  enet  100101     1500  -      -      -        -    -        0      0
102  enet  100102     1500  -      -      -        -    -        0      0
103  enet  100103     1500  -      -      -        -    -        0      0
1002 enet  101002     1500  -      -      -        -    -        0      0
1003 enet  101003     1500  -      -      -        -    -        0      0
1004 enet  101004     1500  -      -      -        -    -        0      0
1005 enet  101005     1500  -      -      -        -    -        0      0

S2# show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8
102  VLAN0102                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
103  VLAN0103                         active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

S2# show vlan id 101

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
101  enet  100101     1500  -      -      -        -    -        0      0
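The rule above (same VLAN needs the same subnet, different VLANs need a Layer 3 device) can be applied mechanically to the show vlan brief table. The following Python is an added example, not course or Cisco code: it parses a constructed copy of the S2 table shown above, maps each port to its VLAN, and classifies why two hosts cannot reach each other. The function names and the host addresses and ports in the checks are assumptions for the demonstration.

```python
"""Parse 'show vlan brief' and classify a host-to-host connectivity problem.

Added example (not course code). The sample table is constructed from the
S2 output above; port and host values are assumptions for the demonstration.
"""
import ipaddress
import re

# Constructed sample: the S2 'show vlan brief' table shown above, trimmed.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
101  VLAN0101                         active    Fa0/5, Fa0/7, Fa0/8
102  VLAN0102                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
103  VLAN0103                         active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
1002 fddi-default                     active
"""

VLAN_ROW = re.compile(r"^(\d+)\s+\S+\s+\S+\s*(.*)$")   # id, name, status, ports
PORT = re.compile(r"(?:Fa|Gi)\d+/\d+")


def parse_vlan_brief(text):
    """Return {port_name: vlan_id}.

    A row starts with the VLAN id; indented lines that follow it are the
    continuation of that row's port list.
    """
    port_vlan, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue
        if (m := VLAN_ROW.match(line)):
            current, ports = int(m.group(1)), m.group(2)
        else:
            ports = line                      # continuation of the previous VLAN
        if current is not None:
            for port in PORT.findall(ports):
                port_vlan[port] = current
    return port_vlan


def diagnose(port_vlan, port_a, host_a, port_b, host_b):
    """Apply the rule from the text. host_* are 'ip/prefix' strings."""
    vlan_a, vlan_b = port_vlan.get(port_a), port_vlan.get(port_b)
    if vlan_a is None or vlan_b is None:
        # Trunk ports are not listed per VLAN; shut-down ports may be missing too.
        return "port missing from the VLAN table: check whether it is a trunk or shut down"
    net_a = ipaddress.ip_interface(host_a).network
    net_b = ipaddress.ip_interface(host_b).network
    if vlan_a != vlan_b:
        return f"different VLANs ({vlan_a} vs {vlan_b}): a router or Layer 3 switch is required"
    if net_a != net_b:
        return f"same VLAN {vlan_a} but different subnets ({net_a} vs {net_b}): fix host addressing"
    return f"same VLAN {vlan_a} and subnet {net_a}: Layer 2 should work, recheck the Physical Layer"


if __name__ == "__main__":
    table = parse_vlan_brief(SHOW_VLAN_BRIEF)
    print(diagnose(table, "Fa0/5", "10.20.101.10/24", "Fa0/9", "10.20.102.10/24"))
```

The continuation-line handling matters in practice: VLAN 1 spans three lines in the table, and a parser that only reads the first line of each row would report Fa0/19 through Fa0/24 as belonging to no VLAN.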

Page 2: When troubleshooting inter-VLAN issues, ensure that there is no IP address on the physical interface of the router; the addresses belong on the subinterfaces. The physical interface must still be active (not shut down), because the subinterfaces depend on it.

To verify the interface configuration, use:

show ip interface brief

The network associated with each VLAN should be visible in the routing table. If not, recheck all physical connections and trunk configuration on both ends of the link. If it is not directly connected to the VLAN subnets, check the configuration of the routing protocol to verify that there is a route to each of the VLANs. Use the command:

show ip route

9.2.2 - Troubleshooting VLAN Configuration Issues The diagram depicts the output of the commands show ip interface brief and show ip route when applied to R1. Network Topology: Switch S1 is directly connected to switch S2, with the connection established between the FastEthernet ports Fa0/2 on both switches. S2 has its FastEthernet Fa0/1 directly connected to Fa0/0 of router R1. R1 has its serial interface S0/1 connected by serial link to the WAN cloud.

R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES manual up                    up
FastEthernet0/0.100    10.20.100.1     YES manual up                    up
FastEthernet0/0.101    10.20.101.1     YES manual up                    up
FastEthernet0/0.102    10.20.102.1     YES manual up                    up
FastEthernet0/0.103    10.20.103.1     YES manual up                    up
FastEthernet0/1        unassigned      YES unset  administratively down down
Serial0/0/1            10.20.30.1      YES manual up                    up

R1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C       10.20.30.0/24 is directly connected, Serial0/0/1
C       10.20.30.2/32 is directly connected, Serial0/0/1
C       10.20.102.0/24 is directly connected, FastEthernet0/0.102
C       10.20.103.0/24 is directly connected, FastEthernet0/0.103
C       10.20.100.0/24 is directly connected, FastEthernet0/0.100
C       10.20.101.0/24 is directly connected, FastEthernet0/0.101

Page 3: Access or Trunk Port

Each switch port is either an access port or a trunk port. On some switch models, other switch port modes are available and the switch automatically configures the port to the appropriate status. It is sometimes advisable to lock the port into either access or trunk status to avoid potential problems with this detection process.

Native and Management VLANs

The native VLAN and management VLAN are VLAN1 by default. Untagged frames sent across a trunk are assigned to the native VLAN of the trunk line. If the native VLAN assignment is changed on a device, each end of the 802.1Q trunk should be configured with the same native VLAN number. If one end of the trunk is configured for native VLAN10 and the other end is configured for native VLAN14, a frame sent from VLAN10 on one side is received on VLAN14 on the other. VLAN10 "leaks" into VLAN14. This can create unexpected connectivity issues and increase latency.

To avoid these problems, verify that the native VLAN assignment is the same on both ends of every trunk throughout the network.

9.2.2 - Troubleshooting VLAN Configuration Issues The animation depicts how VLAN traffic travels across a network. Network Topology: A user is sitting at a desktop computer, which is directly connected to switch S1 on an access port. S1 has native VLAN 10. S1 is connected to S2, which has native VLAN 14. The connection between S1 and S2 uses trunk ports. The user issues the command show cdp neighbors, which is sent across VLAN 10 from S1 to S2. When the message reaches S2, it is re-labeled as VLAN 14. The response starts out from S2 labeled VLAN 14 and is re-labeled at S1 as VLAN 10.
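The "leak" in the animation follows directly from how 802.1Q treats the native VLAN: frames in the native VLAN leave the trunk untagged, and the receiving end assigns untagged frames to its own native VLAN. The following Python is an added example, not course or Cisco code, that models those two rules and reports which VLANs end up in the wrong place when the native VLANs differ. TrunkEnd and the function names are assumed; the VLAN numbers 10 and 14 are the ones from the animation.

```python
"""Model how 802.1Q handles the native VLAN, to show the 'leak' a mismatch causes.

Added example (not course code). TrunkEnd and the function names are assumed;
the VLAN numbers (10 and 14) come from the animation above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrunkEnd:
    switch: str
    native_vlan: int


def egress_tag(vlan, end):
    """802.1Q sends native-VLAN frames untagged (None); every other VLAN carries its tag."""
    return None if vlan == end.native_vlan else vlan


def ingress_vlan(tag, end):
    """An untagged frame is placed in the receiver's native VLAN; tagged frames keep their tag."""
    return end.native_vlan if tag is None else tag


def deliver(vlan, tx, rx):
    """VLAN that a frame sent from `vlan` on `tx` ends up in on `rx`."""
    return ingress_vlan(egress_tag(vlan, tx), rx)


def leaking_vlans(tx, rx, vlans):
    """{source_vlan: arrival_vlan} for every VLAN whose frames land in the wrong VLAN."""
    return {v: deliver(v, tx, rx) for v in vlans if deliver(v, tx, rx) != v}


def native_vlan_mismatches(trunks):
    """Report trunks whose two ends disagree: the condition CDP flags as a native VLAN mismatch."""
    return [f"{a.switch} <-> {b.switch}: native VLAN {a.native_vlan} vs {b.native_vlan}"
            for a, b in trunks if a.native_vlan != b.native_vlan]


if __name__ == "__main__":
    s1, s2 = TrunkEnd("S1", 10), TrunkEnd("S2", 14)
    print(leaking_vlans(s1, s2, [10, 14, 20]))   # VLAN 10 frames arrive in VLAN 14
    print(leaking_vlans(s2, s1, [10, 14, 20]))   # and VLAN 14 frames arrive in VLAN 10
    print(native_vlan_mismatches([(s1, s2)]))
```

Note that only the native VLAN itself leaks in each direction; VLAN 20 arrives intact because its frames carry a tag both ways. That is why a mismatch can go unnoticed until traffic happens to use one of the two native VLANs.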

Page 4: Packet Tracer Activity

Troubleshoot inter-VLAN routing issues.

Click the Packet Tracer icon to begin.

9.2.2 - Troubleshooting V LAN Configuration Issues Link to Packet Tracer Exploration: Troubleshooting Inter-V LAN Routing Issues Troubleshoot inter-V LAN routing issues.

9.2.3 Troubleshooting VTP Page 1: VTP simplifies the distribution of VLAN information to multiple switches in a domain. Switches that participate in VTP operate in one of three modes: server, client, or transparent. Only the server adds, deletes, and modifies VLAN information.

When troubleshooting VTP on a network, ensure that:

All participating devices have the same VTP domain name.
Two VTP servers exist in every domain, in case one fails.
All servers have the same information.
The revision numbers are the same on all devices.
All devices use the same VTP version.

To display the VTP version in use on a device, the VTP domain name, the VTP mode, and the VTP revision number, issue the command:

show vtp status

To modify the VTP version number, use:

vtp version <1 | 2>

9.2.3 - Troubleshooting VTP The diagram depicts the output of the command show vtp status when applied to S2 and S1. Network Topology: S1 has its three FastEthernet ports Fa0/4, Fa0/6, and Fa0/2 in use. S2 is connected to S1 via Fa0/2 on both switches. S2 has its Fa0/1 in use and connected to Fa0/0 of R1. The serial interface of R1, S0/1, is in use and connected to the WAN cloud. The output of the show vtp status command for each switch can be viewed in its entirety by configuring VTP and then using the show command to view the configuration changes in the lab attached to this module.

S2# show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : Toronto
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 10.20.100.2 at 9-17-07 20:26:40
Local updater ID is 10.20.100.2 on interface Vl1 (lowest numbered VLAN interface found)

S1# show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : Toronto
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 10.20.100.2 at 9-17-07 20:26:40

Page 2: VTP clients and servers use the VTP revision number to decide if they should update their VLAN information. If the revision number of the update is higher than the revision number currently in use, the client and server use the information to update the configuration.

Always check the VTP revision information and mode on any switch before allowing it to join the network. The revision number is stored in NVRAM and erasing the start-up configuration on the switch does not reset this value. To reset the revision number, either set the switch mode to transparent or change the VTP domain name.

It is also a problem if a rogue switch joins the domain and modifies VLAN information. To prevent this situation, it is important to configure a password on the VTP domain. To set a VTP password for the domain, use the global configuration command:

vtp password password

When configured, the authentication password must be the same on all devices in the VTP domain. If updates are not propagating to a new switch in the VTP domain, suspect the password. To verify the password, use the command:

show vtp password

9.2.3 - Troubleshooting VTP The animation depicts a new switch updating a VTP domain in two scenarios: without a VTP password, and with a VTP password. Network Topology: The server, S2, connects to the client, S1. Fa0/2 of S1 connects to Fa0/2 of the server S2. S2 Fa0/1 connects to Fa0/0 of R1. R1 S0/1 connects via serial link to the WAN cloud.

No VTP Password. S2 sends a message to the client switch, S1, about VLANs: "I must tell the clients about VLAN 100, 101, 102 and 103. I will send out revision 5 to let them know." After the message is received by S1, it responds by stating, "Thank you for revision 5. I now know about VLAN 100, 101, 102, and 103."

The VTP server switch, S3, is added and states, "I have information about VLAN 17, 23, and 168 from an old configuration. Now that I am connected to the other switches, I must tell them what I know. I will send out revision 17 to let everyone know." S3 now sends this message to S1. When S1 receives the update, it states, "Revision 17 is higher than revision 5, so it must have newer information." This message is sent to S2, which states, "I now know about VLAN 17, 23, and 168," while S1 states, "I now know about VLAN 17, 23, and 168."

VTP Password. S2 states, "I must tell the clients about VLAN 100, 101, 102, and 103. I will send out revision 5 to let them know. So they know it is from me, I will use the VTP domain password cisco." S2 sends the message to S1. S1 states, "Thank you for revision 5. The password is correct, so I will accept the information." S1 sends a message back to S2 stating, "I now know about VLANs 100, 101, 102, and 103." The VTP server switch, S3, appears and states, "I have information about VLAN 17, 23, and 168 from an old configuration. Now that I am connected to the other switches, I must tell them what I know. I will send out revision 17 to let everyone know." S3 now sends this message to S1. When S1 receives the update, it states, "Sorry. Since you do not have the correct password, I will not accept your update." Since S1 did not recognize the password that accompanied the revision number information, it rejects the update.
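The checklist on the previous page and the animation above describe two things a practitioner would automate: comparing show vtp status across switches, and the accept/reject decision a switch makes on an incoming advertisement. The following Python is an added example, not course or Cisco code, that does both. The S1 and S2 status blocks are taken from the output shown earlier; S3 is a constructed switch with a stale configuration and a higher revision, as in the animation. The password is not visible in show vtp status, so accepts_update takes it as an explicit field; the MD5 digest is only compared across switches as a consistency check (differing digests on switches that should be in sync point to a password or database mismatch). All function names are assumed.

```python
"""Check a VTP domain from 'show vtp status' output and model update acceptance.

Added example (not course code). S1 and S2 are from the output above; S3 is
constructed (stale configuration, higher revision). The 'password' field used
by accepts_update is modelled explicitly because the command does not show it.
"""

S2_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 64
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : Toronto
VTP Pruning Mode                : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
"""
S1_STATUS = S2_STATUS.replace(": Server", ": Client")
S3_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 17
Maximum VLANs supported locally : 64
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : Toronto
VTP Pruning Mode                : Disabled
MD5 digest                      : 0x00 0x11 0x22 0x33 0x44 0x55 0x66 0x77
"""

FIELDS = {"VTP Version": "version", "Configuration Revision": "revision",
          "VTP Operating Mode": "mode", "VTP Domain Name": "domain",
          "MD5 digest": "md5"}


def parse_vtp_status(text):
    """Pick the fields the checklist cares about out of 'show vtp status'."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        name = FIELDS.get(key.strip())
        if sep and name:
            status[name] = value.strip()
    status["version"] = int(status["version"])
    status["revision"] = int(status["revision"])
    return status


def vtp_findings(statuses):
    """statuses: {switch_name: parsed status}. One finding per checklist item that fails."""
    findings = []
    servers = [name for name, s in statuses.items() if s["mode"] == "Server"]
    if len(servers) < 2:
        findings.append(f"only {len(servers)} VTP server(s) in the domain; two are recommended")
    for field, label in (("domain", "VTP domain name"), ("version", "VTP version"),
                         ("revision", "configuration revision"), ("md5", "MD5 digest")):
        if len({s[field] for s in statuses.values()}) > 1:
            detail = ", ".join(f"{name}={s[field]}" for name, s in statuses.items())
            findings.append(f"{label} differs across switches: {detail}")
    return findings


def accepts_update(local, advert):
    """The animation's rule: same domain, matching password (both unset also
    matches), and a revision higher than the one the receiver already holds."""
    return (advert["domain"] == local["domain"]
            and advert.get("password") == local.get("password")
            and advert["revision"] > local["revision"])


if __name__ == "__main__":
    domain = {"S1": parse_vtp_status(S1_STATUS), "S2": parse_vtp_status(S2_STATUS)}
    print(vtp_findings(domain))                  # only one server
    domain["S3"] = parse_vtp_status(S3_STATUS)
    print(vtp_findings(domain))                  # revision and digest differ
    s1, s3 = dict(domain["S1"], password=None), dict(domain["S3"], password=None)
    print(accepts_update(s1, s3))                # no password: S3 overwrites S1
    print(accepts_update(dict(s1, password="cisco"), s3))   # password set: rejected
```

The second and third prints reproduce the two animation scenarios: with no password configured, the higher revision wins and the stale VLAN database replaces the live one; with a domain password in place, the same advertisement is rejected.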

Page 3: Packet Tracer Activity

Troubleshoot and correct VTP Issues.

Click the Packet Tracer icon to begin.

9.2.3 - Troubleshooting VTP Link to Packet Tracer Exploration: Troubleshooting VTP Issues Troubleshoot and correct VTP issues.

9.3 Troubleshooting Routing Issues

9.3.1 RIP Issues Page 1: Many tools exist for troubleshooting routing issues. These include IOS show commands, debug commands and TCP/IP utilities such as ping, traceroute and telnet.

The show commands display a snapshot of a configuration or of a particular component. The debug commands are dynamic and provide real-time information on traffic movement and the interaction of protocols. Use TCP/IP utilities such as ping for verifying connectivity.

The show commands are important tools for understanding the status of a router, detecting neighboring routers, isolating problems in the network, and monitoring the network in general. Use a combination of show commands and debug commands to troubleshoot RIP routing protocol issues.

Before using the debug command, narrow the problems to a likely subset of causes. Use debug commands to isolate problems, not to monitor normal network operation.

9.3.1 - RIP Issues The diagram depicts a network and shows a screen capture of some of the various show commands. Network Topology: There are two routers, R1 and R2. R1 is connected to R2 via serial link (R1: S0/0/0 to R2: S0/0/0, network 172.20.1.0/30). R1 has network 192.168.1.0/24 on interface Fa0/0. R2 has network 192.168.2.0/24 on interface Fa0/0. Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip protocols
  Default version control: send version 2, receive version 2
  Routing for Networks:
    172.20.0.0
    192.168.1.0

R1# show running-config
interface FastEthernet0/0
 description LAN gateway for 192.168.1.0
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
 description WAN link to R2
 ip address 172.20.1.1 255.255.255.252
router rip
 version 2
 passive-interface FastEthernet0/0
 network 172.20.0.0
 network 192.168.1.0

R1# show interfaces
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Auto-duplex, Auto Speed, 100BaseTX/FX

R1# show ip interface
FastEthernet0/0 is up, line protocol is up
  Multicast reserved groups joined: 224.0.0.9
Serial0/0/0 is up, line protocol is up
  Multicast reserved groups joined: 224.0.0.9

R1# show ip route
(No output is highlighted here for this command.)

R1# debug ip rip
*Sep 12 21:09:16.399: RIP: received v2 update from 172.20.1.2 on Serial0/0/0

Page 2: RIP is a fairly basic and simple protocol to configure. However, some common issues can arise when configuring RIP routers.

Compatibility issues exist between RIPv1 and RIPv2. If the RIP routes are not being advertised, check for the following problems:

Layer 1 or Layer 2 connectivity issues
Requirements for VLSM subnetting but using RIPv1
RIPv1 and RIPv2 routing configurations mismatched
Network statements missing or incorrect
Interface IP addressing incorrect
Outgoing interface is down
Advertised network interface is down
Passive interface misconfigurations

When testing with the show ip route command, it is a good idea to clear the routing tables using the clear ip route * command.

In addition to the issues identified here, it is always important to remember that RIP has a hop count limit of 15 hops. This limitation alone can be a problem in a large enterprise network.

9.3.1 - RIP Issues The diagram depicts a network and a screen capture of some of the various show commands. Network Topology: There are two routers, R1 and R2. R1 is connected to R2 via serial link (R1: S0/0/0 to R2: S0/0/0, network 172.20.1.0/30). R1 has network 192.168.1.0/24 on interface Fa0/0. R2 has network 192.168.2.0/24 on interface Fa0/0. Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip protocols
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial0/0/0           2     2

R2# show ip protocols
  Default version control: send version 2, receive version 2
    Interface             Send  Recv  Triggered RIP  Key-chain
    Serial0/0/0           1     1 2

R1# debug ip rip
*Sep 12 22:09:08.147: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (172.20.1.1)
*Sep 12 22:09:08.223: RIP: ignored v1 packet from 172.20.1.2 (illegal version)

R1# show ip route
(No output is highlighted here for this command.)
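The debug ip rip output above is the fastest place to spot the RIPv1/RIPv2 mismatch in the list: R1 sends version 2 and ignores R2's version 1 packets as an "illegal version". The following Python is an added example, not course or Cisco code, that reads debug lines of that form and summarises what the router sends, which peers it accepts, and which it rejects for version mismatch. The log lines are constructed from the R1 lines shown above plus one extra accepted peer (172.20.1.6 on Serial0/0/1) assumed for contrast; the function names are assumed.

```python
"""Classify 'debug ip rip' output into the RIP problems listed above.

Added example (not course code). The debug lines are constructed from the
R1 lines shown above plus one assumed extra peer; the function names are assumed.
"""
import re

DEBUG_LINES = """\
*Sep 12 22:09:08.147: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (172.20.1.1)
*Sep 12 22:09:08.223: RIP: ignored v1 packet from 172.20.1.2 (illegal version)
*Sep 12 22:09:38.223: RIP: ignored v1 packet from 172.20.1.2 (illegal version)
*Sep 12 22:09:40.101: RIP: received v2 update from 172.20.1.6 on Serial0/0/1
""".splitlines()

SENT = re.compile(r"RIP: sending v(\d) update to \S+ via (\S+)")
RECEIVED = re.compile(r"RIP: received v(\d) update from (\S+) on (\S+)")
IGNORED = re.compile(r"RIP: ignored v(\d) packet from (\S+) \(illegal version\)")


def analyse_rip_debug(lines):
    """Summarise what the router sends, which peers it accepts, and which peers
    it rejects because their RIP version does not match its configuration."""
    report = {"sending": {}, "accepted_peers": {}, "version_mismatch": {}}
    for line in lines:
        if m := SENT.search(line):
            report["sending"][m.group(2)] = int(m.group(1))          # interface -> version
        elif m := RECEIVED.search(line):
            report["accepted_peers"][m.group(2)] = int(m.group(1))   # peer -> version
        elif m := IGNORED.search(line):
            peer, version = m.group(2), int(m.group(1))
            count, _ = report["version_mismatch"].get(peer, (0, version))
            report["version_mismatch"][peer] = (count + 1, version)  # peer -> (count, version)
    return report


def rip_recommendations(report):
    """Turn the summary into the checks a technician would do next."""
    recs = []
    for peer, (count, version) in report["version_mismatch"].items():
        recs.append(f"{peer}: {count} v{version} packet(s) ignored; set the same "
                    f"'version' (or 'ip rip send/receive version') on both routers")
    if not report["sending"]:
        recs.append("no updates sent: check 'network' statements and passive-interface settings")
    return recs


if __name__ == "__main__":
    summary = analyse_rip_debug(DEBUG_LINES)
    print(summary)
    for rec in rip_recommendations(summary):
        print(rec)
```

Because debug output is continuous, the count per peer is what makes the summary useful: a single ignored packet may be a stray, while a steady stream from one neighbour is the version mismatch the list describes.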

Page 3: Packet Tracer Activity

Troubleshoot RIP using show and debug commands.

Click the Packet Tracer icon to begin.

9.3.1 - RIP Issues Link to Packet Tracer Exploration: Troubleshooting RIP Troubleshoot RIP using show and debug commands.

Page 4: Lab Activity

Troubleshoot RIPv2 routing issues.

Click the lab icon to begin.

9.3.1 - RIP Issues Link to Hands-on Lab: Troubleshooting RIP v2 Routing Issues Troubleshoot RIP v2 routing issues.

9.3.2 EIGRP Issues Page 1: A number of IOS show commands and debug commands are the same for troubleshooting EIGRP routing issues as they are for RIP. Commands specific to troubleshooting EIGRP include:

show ip eigrp neighbors

Displays neighbor IP addresses and the interface on which they were learned.

show ip eigrp topology

Displays the topology table of known networks with successor routes, status codes, feasible distance, and interface.

show ip eigrp traffic

Displays EIGRP traffic statistics for the AS configured, including hello packets sent/received, updates, and so on.

debug eigrp packets

Displays real-time EIGRP packet exchanges between neighbors.

debug ip eigrp

Displays real-time EIGRP events, such as link status changes and routing table updates.

9.3.2 - EIGRP Issues The diagram depicts a network and shows a screen capture of some of the show commands. Network Topology: There are three routers, R1, R2, and R3. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30). R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface. Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip route
D    192.168.2.0/24 [90/2172416] via 172.20.1.2, 00:11:53, Serial0/0/0
D    192.168.3.0/24 [90/2172416] via 172.20.1.6, 00:11:53, Serial0/0/1

R1# show ip protocols
  Redistributing: eigrp 101
  Routing for Networks:
    172.20.1.0/30
    172.20.1.4/30
    192.168.1.0

R1# show ip interface
  Multicast reserved groups joined: 224.0.0.10

R1# show running-config
interface FastEthernet0/0
 description LAN gateway for 192.168.1.0 net
 ip address 192.168.1.1 255.255.255.0
interface Serial0/0/0
 description WAN link to R2
 ip address 172.20.1.1 255.255.255.252
interface Serial0/0/1
 description WAN link to R3
 ip address 172.20.1.5 255.255.255.252
router eigrp 101
 network 172.20.1.0 0.0.0.3
 network 172.20.1.4 0.0.0.3
 network 192.168.1.0
 no auto-summary

R1# show ip eigrp neighbors
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
1   172.20.1.2      Se0/0/0       10 00:13:59    1   200  0  18
0   172.20.1.6      Se0/0/1       12 00:15:29    1   200  0  21

R1# show ip eigrp topology
(No output is highlighted here for this command.)

R1# show ip eigrp traffic
  Hellos sent/received: 1102/469
  Updates sent/received: 10/19
  Queries sent/received: 0/5
  Replies sent/received: 5/0
  Acks sent/received: /11

R1# debug eigrp packets
(No output is highlighted here for this command.)

R1# debug ip eigrp
(No output is highlighted here for this command.)

Page 2: Certain issues commonly occur when configuring the EIGRP protocol. Possible reasons why EIGRP may not be working are:

Layer 1 or Layer 2 connectivity issues exist.
An interface has incorrect addressing or subnet mask.
AS numbers on EIGRP routers are mismatched.
The wrong network or incorrect wildcard mask is specified in the routing process.
The link may be congested or down.
The outgoing interface is down.
The interface for an advertised network is down.

If auto-summarization is enabled on routers with discontiguous subnets, routes may not be advertised correctly.

9.3.2 - EIGRP Issues The diagram depicts a network and shows a screen capture of some of the EIGRP-related show commands. Network Topology: There are three routers, R1, R2, and R3. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30). R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface. Only sections of each command are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

R1# show ip route
NOTE: Missing route 192.168.2.0/24 in the routing table.

R2# show ip route
NOTE: No routes learned from other EIGRP routers. Check EIGRP configuration on R1 and R3.

R1# show ip eigrp neighbors
IP-EIGRP neighbors for process 101
NOTE: Using AS number / process 101, the only neighbor adjacency formed is with R3.

R2# show ip eigrp neighbors
IP-EIGRP neighbors for process 11
NOTE: Using AS number / process 11, no neighbor adjacencies have formed. R2 is configured with the wrong AS number.
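The AS mismatch in the scenario above shows up in two places at once: the "IP-EIGRP neighbors for process N" header differs between routers, and the adjacencies the topology calls for are missing. The following Python is an added example, not course or Cisco code, that checks both from show ip eigrp neighbors output collected on each router. The outputs are constructed to match the scenario (R1 and R3 on process 101, R2 mis-set to process 11); EXPECTED_LINKS is the topology described above, and the function names are assumed.

```python
"""Check EIGRP AS numbers and adjacencies across routers from 'show ip eigrp neighbors'.

Added example (not course code). The outputs are constructed to match the
page's scenario: R1 and R3 run process 101, R2 is mis-set to process 11, so
R2 forms no adjacency. EXPECTED_LINKS is the topology described above.
"""
import re

NEIGHBOR_OUTPUT = {
    "R1": """\
IP-EIGRP neighbors for process 101
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   172.20.1.6      Se0/0/1       12 00:15:29    1   200  0  21
""",
    "R2": """\
IP-EIGRP neighbors for process 11
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
""",
    "R3": """\
IP-EIGRP neighbors for process 101
H   Address         Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                (sec)         (ms)       Cnt Num
0   172.20.1.5      Se0/0/1       13 00:15:29    1   200  0  20
""",
}

# (router, its address on the link, peer, peer address), from the topology above.
EXPECTED_LINKS = [("R1", "172.20.1.1", "R2", "172.20.1.2"),
                  ("R1", "172.20.1.5", "R3", "172.20.1.6"),
                  ("R2", "172.20.1.9", "R3", "172.20.1.10")]

PROCESS = re.compile(r"IP-EIGRP neighbors for process (\d+)")
NEIGHBOR_ROW = re.compile(r"^\d+\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")


def parse_eigrp_neighbors(text):
    """Return (autonomous_system, {neighbor_ip: local_interface})."""
    asn = int(PROCESS.search(text).group(1))
    peers = {}
    for line in text.splitlines():
        if m := NEIGHBOR_ROW.match(line):      # header and '(sec)' lines do not match
            peers[m.group(1)] = m.group(2)
    return asn, peers


def eigrp_findings(outputs, expected_links):
    """One finding for an AS mismatch, plus one per expected link with no two-way adjacency."""
    parsed = {r: parse_eigrp_neighbors(t) for r, t in outputs.items()}
    findings = []
    as_by_router = {r: asn for r, (asn, _) in parsed.items()}
    if len(set(as_by_router.values())) > 1:
        findings.append("AS number mismatch: "
                        + ", ".join(f"{r}=AS {a}" for r, a in sorted(as_by_router.items())))
    for ra, ip_a, rb, ip_b in expected_links:
        a_sees_b = ip_b in parsed[ra][1]
        b_sees_a = ip_a in parsed[rb][1]
        if not (a_sees_b and b_sees_a):
            findings.append(f"no adjacency between {ra} ({ip_a}) and {rb} ({ip_b}); "
                            "check AS number, addressing, network statements and link state")
    return findings


if __name__ == "__main__":
    for finding in eigrp_findings(NEIGHBOR_OUTPUT, EXPECTED_LINKS):
        print(finding)
```

Checking the adjacency from both ends matters: a one-sided entry (one router lists the peer, the peer does not list it back) is itself a symptom, typically of a hold timer still counting down after the other side stopped sending hellos.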

Page 3: Packet Tracer Activity

Troubleshoot common EIGRP issues using show and debug commands.

Click the Packet Tracer icon to begin.

9.3.2 - EIGRP Issues Link to Packet Tracer Exploration: Troubleshooting Common EIGRP Issues Troubleshoot common EIGRP issues using show and debug commands.

9.3.3 OSPF Issues Page 1: The majority of problems encountered with OSPF relate to the formation of adjacencies and the synchronization of the link-state databases.

OSPF Troubleshooting Issues

Neighbors must be part of the same OSPF area.
Interfaces for neighbors must have compatible IP addresses and subnet masks.
Routers in an area should have the same OSPF hello interval and dead interval.
The routers must advertise the correct networks for interfaces to participate in the OSPF process.
The appropriate wildcard masks must be used to advertise the correct IP address ranges.
Authentication must be correctly configured on routers for communication to occur.

In addition to the standard show and debug commands, the following commands assist troubleshooting OSPF issues:

show ip ospf
show ip ospf neighbor
show ip ospf interface
debug ip ospf events
debug ip ospf packet

9.3.3 - OSPF Issues The diagram depicts a network and shows a screen capture of several OSPF show commands. Network Topology: There are three routers, R1, R2, and R3. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30). R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface. Only the highlighted parts of each command from R1 are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

show ip ospf
Displays information about the OSPF routing process, areas, number of interfaces, authentication, and how often the SPF algorithm executes. SPF executions indicate a change in the topology, such as a router being added or a network link going down.

R1# show ip ospf
 Routing Process "ospf 1" with ID 192.168.1.1
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has no authentication
        SPF algorithm last executed 00:08:48.240 ago
        SPF algorithm executed 6 times

show ip ospf neighbor
Displays the neighbor ID, the IP addresses of the neighbor interfaces, and the interface on which they were learned. Useful for troubleshooting adjacency problems.

R1# show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.3.1       0   FULL/  -        00:00:31    172.20.1.6      Serial0/0/1
192.168.2.1       0   FULL/  -        00:00:37    172.20.1.2      Serial0/0/0

show ip ospf interface
Displays the Router ID, network type, link cost, state, interface priority, DR ID, configured timer intervals, and neighbor adjacency information.

R1# show ip ospf interface
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
  Neighbor Count is 0, Adjacent neighbor count is 0
Serial0/0/1 is up, line protocol is up
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 6

debug ip ospf events
Displays real-time OSPF exchanges between neighbors, including hellos and LSAs.

R1# debug ip ospf events
*Sep 14 17:23:00.351: OSPF: Send hello to 224.0.0.5 area 0 on Serial0/0/1 from 172.20.1.5
*Sep 14 17:23:00.655: OSPF: Rcv hello from 192.168.3.1 area 0 from Serial0/0/1 1

debug ip ospf packet
Displays real-time information for each OSPF packet received.

R1# debug ip ospf packet
(No output is highlighted here for this command.)
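Most items in the OSPF checklist (same area, compatible addresses and masks, matching hello and dead intervals, matching authentication) are per-link comparisons, and show ip ospf interface exposes every one of them. The following Python is an added example, not course or Cisco code, that parses that output from each router, pairs up the two interfaces that share a /30 subnet, and reports every parameter on which the two ends disagree, plus any interface with no partner on its subnet (the address/mask case). The outputs are constructed in the format of the R1 output above; R2 has been given a wrong hello/dead timer towards R1 and R3 a wrong area and MD5 authentication towards R2 so that the check has something to find. The function names are assumed.

```python
"""Compare both ends of each OSPF link for the adjacency-forming parameters in the checklist.

Added example (not course code). Outputs are constructed in the format of the
R1 'show ip ospf interface' output above; the R2 timer and R3 area/auth
settings are deliberately wrong so the check reports them.
"""
import ipaddress
import re

OSPF_INTERFACE_OUTPUT = {
    "R1": """\
Serial0/0/0 is up, line protocol is up
  Internet Address 172.20.1.1/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Serial0/0/1 is up, line protocol is up
  Internet Address 172.20.1.5/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
""",
    "R2": """\
Serial0/0/0 is up, line protocol is up
  Internet Address 172.20.1.2/30, Area 0
  Process ID 1, Router ID 192.168.2.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 30, Dead 120, Wait 120, Retransmit 5
Serial0/0/1 is up, line protocol is up
  Internet Address 172.20.1.9/30, Area 0
  Process ID 1, Router ID 192.168.2.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
""",
    "R3": """\
Serial0/0/1 is up, line protocol is up
  Internet Address 172.20.1.6/30, Area 0
  Process ID 1, Router ID 192.168.3.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Serial0/0/0 is up, line protocol is up
  Internet Address 172.20.1.10/30, Area 1
  Process ID 1, Router ID 192.168.3.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Message digest authentication enabled
""",
}

IFACE = re.compile(r"^(\S+) is (?:up|down), line protocol is (?:up|down)")
ADDR = re.compile(r"Internet Address (\S+), Area (\d+)")
TYPE = re.compile(r"Network Type (\S+),")
TIMERS = re.compile(r"Hello (\d+), Dead (\d+)")
AUTH = re.compile(r"(Simple password|Message digest) authentication enabled")


def parse_ospf_interfaces(text):
    """Return {interface: {ip, area, type, hello, dead, auth}} from 'show ip ospf interface'."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            cur = ifaces.setdefault(m.group(1), {"auth": "none"})   # no auth line => none
            continue
        if cur is None:
            continue
        if m := ADDR.search(line):
            cur["ip"] = ipaddress.ip_interface(m.group(1))
            cur["area"] = int(m.group(2))
        if m := TYPE.search(line):
            cur["type"] = m.group(1)
        if m := TIMERS.search(line):
            cur["hello"], cur["dead"] = int(m.group(1)), int(m.group(2))
        if m := AUTH.search(line):
            cur["auth"] = m.group(1)
    return ifaces


def ospf_link_findings(outputs):
    """Pair interfaces on the same subnet across routers and compare the checklist fields."""
    parsed = {r: parse_ospf_interfaces(t) for r, t in outputs.items()}
    ends = [(r, n, i) for r, ifs in parsed.items() for n, i in ifs.items() if "ip" in i]
    findings, paired = [], set()
    for idx, (ra, na, a) in enumerate(ends):
        for rb, nb, b in ends[idx + 1:]:
            if ra == rb or a["ip"].network != b["ip"].network:
                continue                       # not the two ends of one link
            paired.update({(ra, na), (rb, nb)})
            for field in ("area", "hello", "dead", "type", "auth"):
                if a.get(field) != b.get(field):
                    findings.append(f"{ra} {na} <-> {rb} {nb}: {field} mismatch "
                                    f"({a.get(field)} vs {b.get(field)})")
    for r, n, i in ends:
        if (r, n) not in paired:
            findings.append(f"{r} {n} ({i['ip']}): no other router interface on this "
                            "subnet; check IP address and mask")
    return findings


if __name__ == "__main__":
    for finding in ospf_link_findings(OSPF_INTERFACE_OUTPUT):
        print(finding)
```

Pairing by subnet rather than by a hand-written link list is what lets the same code catch the "compatible IP addresses and subnet masks" item: an interface whose mask puts it on a different /30 than its peer simply has no partner and is reported as such.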

Page 2:

9.3.3 - OSPF Issues The diagram depicts an activity in which you must determine whether each statement is true or false for each scenario, using the network topology below. Network Topology: There are three routers, R1, R2, and R3. R1 is connected to R2 via serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R1 is connected to R3 via serial link (R1: S0/0/1, R3: S0/0/1, network 172.20.1.4/30). R2 is connected to R3 via serial link (R2: S0/0/1, R3: S0/0/0, network 172.20.1.8/30). R1 has network 192.168.1.0/24 attached to the Fa0/0 interface. R2 has network 192.168.2.0/24 attached to the Fa0/0 interface. R3 has network 192.168.3.0/24 attached to the Fa0/0 interface.

Scenario 1

R1# show ip protocols
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 192.168.1.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    172.20.1.0 0.0.0.3 area 0
  Reference bandwidth unit is 100 mbps
  Routing Information Sources:
    Gateway         Distance      Last Update
    192.168.3.1          110      01:44:03
    192.168.2.1          110      01:44:03
  Distance: (default is 110)

Statements (True or False):
1. The highest numbered interface IP address on this router is 192.168.3.1.
2. This router has 3 network statements defined in the OSPF routing process.
3. Network 172.20.1.4 0.0.0.3 has 4 IP addresses in it.
4. The OSPF Administrative Distance is 100.
5. When calculating link cost on this router, the reference bandwidth of 100,000,000 is divided by the bandwidth of the interface.

Scenario 2

R1# show ip ospf
*** Some output omitted ***
 Routing Process "ospf 1" with ID 192.168.1.1
 Start time: 00:08:40.340, Time elapsed: 00:17:56.552
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Number of areas transit capable is 0
 External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 3
        Area has no authentication
        SPF algorithm last executed 00:08:00.000 ago
        SPF algorithm executed 6 times

Statements (True or False):
1. This router is a border router between Area 0 and Area 1.
2. Other routers must authenticate with this router to form an adjacency.
3. No topology changes involving this router have taken place in the last 24 hours.
4. This router has three OSPF interfaces that are up.
5. The OSPF process ID for this router is 192.168.1.1.

Scenario 3

R1# show ip ospf interface
[output omitted]
FastEthernet0/0 is up, line protocol is up
  Internet Address 192.168.1.1/24, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 192.168.1.1, Interface address 192.168.1.1
  No backup designated router on this network
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 0, Adjacent neighbor count is 0
Serial0/0/1 is up, line protocol is up
  Internet Address 172.20.1.5/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.3.1
Serial0/0/0 is up, line protocol is up
  Internet Address 172.20.1.1/30, Area 0
  Process ID 1, Router ID 192.168.1.1, Network Type POINT_TO_POINT, Cost: 64
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 192.168.2.1

Statements (True or False):
1. This router has 3 OSPF interfaces.
2. This router is a Designated Router (DR) for the 192.168.1.0 network.
3. Link S0/0/1 is point-to-point with a cost of 64, indicating it is a T1.
4. The OSPF network type for interface S0/0/0 is Broadcast.
5. This router has only one adjacent neighbor.

Scenario 4

R1# show ip route
[output omitted]
Gateway of last resort is not set

     172.20.0.0/30 is subnetted, 3 subnets
O       172.20.1.8 [110/128] via 172.20.1.6, 00:02:55, Serial0/0/1
                   [110/128] via 172.20.1.2, 00:02:55, Serial0/0/0
O       172.20.1.0 is directly connected, Serial0/0/0
O       172.20.1.4 is directly connected, Serial0/0/1
O    192.168.1.0/24 is directly connected, FastEthernet0/0
O    192.168.2.0/24 [110/65] via 172.20.1.2, 00:02:55, Serial0/0/0
O    192.168.3.0/24 [110/65] via 172.20.1.6, 00:02:55, Serial0/0/1

Statements (True or False):
1. There are two equal-cost routes to the 172.20.1.8 network from this router.
2. The OSPF cost of the route to the 192.168.3.0 network is 128.
3. The IP address of the next-hop interface for network 192.168.2.0 is 172.20.1.6.
4. R1 receives updates from R3 on FastEthernet 0/0.
5. This router learned about network 192.168.3.0 from R3.

Scenario 5

R1# debug ip ospf packet
OSPF packet debugging is on
R1#
*Sep 14 17:26:36.475: OSPF: rcv. v:2 t:1 l:48 rid:192.168.2.1
      aid:0.0.0.0 chk:674B aut:0 auk: from Serial0/0/0
*Sep 14 17:26:40.651: OSPF: rcv. v:2 t:1 l:48 rid:192.168.3.1
      aid:0.0.0.0 chk:664B aut:0 auk: from Serial0/0/1
*Sep 14 17:26:46.475: OSPF: rcv. v:2 t:1 l:48 rid:192.168.2.1
      aid:0.0.0.0 chk:674B aut:0 auk: from Serial0/0/0
*Sep 14 17:26:50.651: OSPF: rcv. v:2 t:1 l:48 rid:192.168.3.1
      aid:0.0.0.0 chk:664B aut:0 auk: from Serial0/0/1

Statements (True or False):
1. The router is receiving OSPF version 2 packets.
2. The router is receiving OSPF packets from two other routers.
3. The packet type being received is Hello packets.
4. MD5 authentication is being used on this router.
5. This router is receiving packets from R2 on S0/0/1.

Page 3: Lab Activity

Troubleshoot OSPF routing issues.

Click the lab icon to begin.

9.3.3 - OSPF Issues Link to Hands-on Lab: Troubleshooting OSPF Routing Issues Troubleshoot OSPF routing issues.

9.3.4 Route Redistribution Issues

Page 1: Configuring a static default route on an edge router provides a gateway of last resort for packets destined for IP addresses outside the network.

Although this configuration provides a solution for the edge router, it does not provide a way out of the internal network for other internal routers. One solution is to configure a default route on each internal router that points to the next hop or edge router. However, this method does not scale well with large networks. A better solution uses the routing protocol to propagate the default route on the edge router to other internal routers. All routing protocols, including RIP, EIGRP and OSPF, provide mechanisms to accomplish this.

With each routing protocol, first configure a quad-zero (0.0.0.0 0.0.0.0) static default route on the edge router.

ip route 0.0.0.0 0.0.0.0 S0/0/0

Next, configure the edge router to send or propagate its default route to the other routers. With RIP and OSPF, enter router configuration mode and use the command default-information originate. EIGRP redistributes default routes directly; the redistribute static command can also be used.

Failure to properly implement default route redistribution prevents users that are connected to internal routers from accessing external networks.

9.3.4 - Route Redistribution Issues The diagram depicts a network and shows screen captures of some of the commands used for RIP, EIGRP, and OSPF.

Network Topology
There are three routers, R1, R2, and ISP. R1 is connected to R2 via a serial link (R1: S0/0/0, R2: S0/0/0, network 172.20.1.0/30). R2 is connected to ISP via a serial link (R2: S0/0/1, ISP: S0/0/0, network 209.165.220.224/30). R1 has network 192.168.1.0/24 attached on its Fa0/0 interface. R2 has network 192.168.2.0/24 attached on its Fa0/0 interface. ISP has network 10.1.1.0/24 attached on Lo0.

Only sections of each output from R1 and R2 are shown below. All other output from the commands is omitted. Complete outputs are available in the Hands-on Labs or Packet Tracer Activities.

RIP
R2# show running-config
(No output is highlighted here for this command.)
R2# show ip route
Gateway of last resort is 209.165.200.226 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 209.165.200.226

EIGRP
R1# show ip route
Gateway of last resort is 209.165.200.226 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 209.165.200.226
R2# show running-config
(No output is highlighted here for this command.)

OSPF
R2# show running-config
(No output is highlighted here for this command.)
R2# show ip route
Gateway of last resort is 209.165.200.226 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 209.165.200.226

Page 2: Lab Activity Troubleshoot default route redistribution with EIGRP.

Click the lab icon to begin.

9.3.4 - Route Redistribution Issues Link to Hands-on Lab: Troubleshooting EIGRP Default Route Redistribution Troubleshoot default route redistribution with EIGRP.

Page 3: Lab Activity Troubleshoot OSPF router configurations to determine why a default route is not being redistributed.

Click the lab icon to begin.

9.3.4 - Route Redistribution Issues Link to Hands-on Lab: Troubleshooting OSPF Default Route Redistribution Troubleshoot OSPF router configurations to determine why a default route is not being redistributed.

9.4 Troubleshooting WAN Configurations


9.4.1 Troubleshooting WAN Connectivity Page 1: When configuring WAN interfaces, a number of potential problem areas can surface. Some of these problems are unavoidable if the network administrator only has control over one end of the link and the ISP controls the other end. In this case, the network administrator uses the configuration information provided by the ISP to ensure connectivity.

At the Physical Layer, the most common problems involve clocking, cable types, and loose or faulty connectors. Serial line connections link a DCE device to a DTE device, and two different types of cables exist for connecting them: DTE and DCE. The DCE end supplies the clocking signal for the link; usually the DCE device is at the service provider.

Visually check each cable for loose connections or faulty connectors. If a cable cannot be correctly connected, swap the current cable with one known to work.

To display the type of cable and the detection and status of DTE, DCE, and clocking, use the following command:

show controllers <serial_port>

9.4.1 - Troubleshooting WAN Connectivity The diagram depicts the DCE router, R1, connected to the DTE router, R2. The show controllers command is issued on R1. The following line is highlighted in the show command output:

R1# show controllers s0/0/1
DCE V.35, clock rate 56000

The show controllers command is issued on R2. The following line is highlighted in the show command output:

R2# show controllers s0/0/1
DTE V.35 TX and RX clocks detected

Page 2: For a serial link to come up, the encapsulation format on both ends of the link must match. The default serial line encapsulation used on Cisco routers is HDLC. Since Cisco HDLC and open standard HDLC are not compatible, do not use the Cisco default encapsulation when connecting to a non-Cisco device.

Some Layer 2 encapsulations have more than one form. For example, Cisco routers support both the proprietary Cisco Frame Relay format as well as the industry-standard IETF format. These formats are not compatible. The default format on Cisco devices is Cisco Frame Relay format.

To see the encapsulation in use on a serial line, use the command:

show interfaces <serial_port>

Layer 3 configurations can also prevent data from moving across a serial link. Although it is not necessary to use an IP address on a serial link, if one is used, both ends of the link must be on the same network or subnet.

9.4.1 - Troubleshooting WAN Connectivity The diagram depicts the DCE router, R1, connected to the DTE router, R2. The show interfaces command is issued on R1. The following line is highlighted in the show interfaces output:

R1# show interfaces s0/0/1
  Encapsulation PPP

The show interfaces command is issued on R2. The following line is highlighted in the show interfaces output:

R2# show interfaces s0/0/1
  Encapsulation PPP

Page 3: A process known as serial line address resolution protocol (SLARP) assigns an address to the end point of a serial link if the other end is already configured. SLARP assumes that each serial line is a separate IP subnet, and that one end of the line is host number 1 and the other end is host number 2. As long as one end of the serial link is configured, SLARP automatically configures an IP address for the other end.

The IP address configured on an interface and the status of the port and line protocol is viewable with the command:

show ip interface brief

Before Layer 3 information moves across the link, both the interface and the protocol must be up. If the interface is down, there is a problem with the interface itself.

If the interface is up but the line protocol is down, check that the proper cable is connected and is firmly attached to the port. If this step still does not correct the problem, replace the cable.

If the status of an interface is administratively down, the most probable cause is that the no shutdown command was not entered on the interface. Router interfaces are shut down by default.

9.4.1 - Troubleshooting WAN Connectivity The diagram depicts the output when troubleshooting a WAN topology.

Network Topology
Switch S1 is connected to switch S2. S2 is connected to Fa0/0 of router R1. R1 connects to the WAN cloud via its S0/0/1 port. The following is the output of the show ip interface brief command.

R1# show ip interface brief
Interface               IP-Address      OK? Method Status                Protocol
FastEthernet0/0         unassigned      YES manual up                    up
FastEthernet0/0.100     10.20.100.1     YES manual up                    up
FastEthernet0/0.101     10.20.101.1     YES manual up                    up
FastEthernet0/0.102     10.20.102.1     YES manual up                    up
FastEthernet0/0.103     10.20.103.1     YES manual up                    up
Serial0/0/0             unassigned      YES manual up                    up
FastEthernet0/1         unassigned      YES unset  administratively down down
Serial0/0/1             10.20.30.1      YES manual up                    up

Page 4: The PPP process involves both the LCP and NCP phases. LCP establishes the link and verifies that it is of sufficient quality to bring up the Layer 3 protocols. NCP allows Layer 3 traffic to move across the link. There is an optional authentication field between the LCP and NCP phases.

Each phase has to complete successfully before the next begins.

When troubleshooting PPP connectivity, verify that:

The LCP phase is complete
Authentication has passed, if configured
The NCP phase is complete

Commands are available that assist in troubleshooting PPP. To show the status of the LCP and NCP phase, use:

show interface

To display PPP packets transmitted during the startup phase where PPP options are negotiated, use:

debug ppp negotiation

To display real-time PPP packet flow, use:

debug ppp packet

9.4.1 - Troubleshooting WAN Connectivity The diagram depicts the output for router R1, when R1 is connected to router R2 via a serial connection and the following commands are used: show interfaces s0/0/1, debug ppp negotiation, and debug ppp packet.

The following is the show interfaces s0/0/1 command output:
R1# show interfaces s0/0/1
  Encapsulation PPP, LCP Open
  Open: IPCP, CDPCP

The following is the debug ppp negotiation command output:
R1# debug ppp negotiation
1d05h: Se0/0/1 LCP: AuthProto CHAP (0x0305c22305)
1d05h: Se0/0/1 LCP: Lower layer not up, Fast Starting
1d05h: Se0/0/1 PPP: Treating connection as dedicated line
1d05h: Se0/0/1 PPP: Phase is ESTABLISHING, Active Open
1d05h: Se0/0/1 LCP: AuthProto CHAP (0x0305c22305)
1d05h: Se0/0/1 LCP: State is Open
1d05h: Se0/0/1 PPP: Phase is AUTHENTICATING, by both
1d05h: Se0/0/1 CHAP: O CHALLENGE id 146 len 28 from "R1"
1d05h: Se0/0/1 CHAP: I CHALLENGE id 148 len 27 from "R2"
1d05h: Se0/0/1 CHAP: Using hostname from configured hostname
1d05h: Se0/0/1 CHAP: O CHALLENGE id 146 len 28 from "R1"
1d05h: Se0/0/1 CHAP: Using password from AAA
1d05h: Se0/0/1 CHAP: O RESPONSE id 146 len 28 from "R1"
1d05h: Se0/0/1 CHAP: I RESPONSE id 148 len 27 from "R2"
1d05h: Se0/0/1 PPP: Phase is AUTHENTICATING, Unauthenticated User
1d05h: Se0/0/1 CHAP: I SUCCESS id 148 len 4
1d05h: Se0/0/1 PPP: Phase is AUTHENTICATING, Authenticated User
1d05h: Se0/0/1 CHAP: O SUCCESS id 146 len 4
1d05h: Se0/0/1 PPP: Phase is UP
1d05h: Se0/0/1 IPCP: State is Open
1d05h: Se0/0/1 CDPCP: State is Open
1d05h: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up

The following is the debug ppp packet command output:
R1# debug ppp packet
PPP packet display debugging is on
R1#
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 1 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 1 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: Received id 1, sent id 1, line up
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 1 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 1 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: O pkt type 0x0021, datagramsize 116
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 2 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 2 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: Received id 2, sent id 2, line up
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 2 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 2 len 12 magic 0x136F1E39
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 3 len 12 magic 0x136F1E39
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 3 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: Received id 3, sent id 3, line up
1d05h: Se0/0/1 PPP: I pkt type 0xC021, datagramsize 16
1d05h: Se0/0/1 LCP: I ECHO-REQ [Open] id 3 len 12 magic 0x13663C01
1d05h: Se0/0/1 LCP: O ECHO-REQ [Open] id 3 len 12 magic 0x136F1E39

Page 5: Packet Tracer Activity

Troubleshoot WAN connectivity issues.

Click the Packet Tracer icon to begin.

9.4.1 - Troubleshooting WAN Connectivity Link to Packet Tracer Exploration: Troubleshooting WAN Connectivity Troubleshoot WAN connectivity issues.

9.4.2 Troubleshooting WAN Authentication Page 1: PPP offers many advantages over the default HDLC serial line encapsulation. Among these features is the ability to use either PAP or CHAP to authenticate end devices. Authentication occurs as an optional phase after the establishment of the link with LCP but before the NCPs allow the movement of Layer 3 traffic.

If the LCP is not able to connect, negotiation of the optional parameters, including authentication, cannot occur. The absence of active NCPs indicates a failed authentication.

When troubleshooting PPP authentication, determine if authentication is the problem by examining the status of the LCP and NCPs using the show interface command.

If both the LCP and NCPs are open, authentication has been successful and the problem is elsewhere.

If the LCP is not open, the problem exists with the physical link between the source and destination.

If the LCP is open and the NCPs are not, authentication is suspect.

9.4.2 - Troubleshooting WAN Authentication The diagram depicts the four steps used when debugging PPP. A man is at a host computer that is connected to a simple two-router network. The host is connected to R1. R1 is connected to R2 via a serial link.

The man thinks, "I cannot connect to R2."
Step 1. Identify the problem.
Step 2. Use the debug ppp negotiation command.
Step 3. Use the debug ppp negotiation command.
Step 4. Once the problem has been identified, implement a solution.
The man thinks, "I see the error, I will change the R2 to CHAP and try again."

Page 2: Authentication can be either one-way or two-way. For enhanced security, use two-way or mutual authentication. Two-way authentication requires that each end device authenticate to the other.

On both ends of the link, verify that a user account exists for the remote device and that the password is correct. If uncertain, remove the old user account statement and recreate it. The configuration on both ends of the link must specify the same type of authentication.

The most common problem with authentication is either forgetting to configure an account for the remote router or misconfiguring the username and password. By default, the username is the name of the remote router. Both the username and the password are case-sensitive.

If using PAP authentication on a current version of the IOS, activate it with the command:

ppp pap sent-username username password password

Debugging the authentication process provides a quick method of determining what is wrong. To display packets involved in the authentication process as they are exchanged between end devices, use the command:

debug ppp authentication

9.4.2 - Troubleshooting WAN Authentication The diagram depicts the output of the debug ppp authentication command under three conditions: proper configuration, no user account, and wrong password. Router R1 is connected via a serial connection to router R2.

Proper Configuration
03:03:35: Se0/0/1 PPP: Received LOGIN Response from AAA = PASS
03:03:36: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up

No User Account
03:21:43: Se0/0/1 CHAP: Unable to authenticate for peer

Wrong Password
03:17:47: Se0/0/1 PPP: Received LOGIN Response from AAA = FAIL

Page 3: Packet Tracer Activity

Troubleshoot PPP authentication using CHAP.

Click the Packet Tracer icon to begin.

9.4.2 - Troubleshooting WAN Authentication Link to Packet Tracer Exploration: Troubleshooting PPP Authentication Using CHAP Troubleshoot PPP authentication using CHAP.

Page 4: Lab Activity

Troubleshoot WAN and PPP connectivity.

Click the lab icon to begin.

9.4.2 - Troubleshooting WAN Authentication Link to Hands-on Lab: Troubleshooting WAN and PPP Connectivity

Troubleshoot WAN and PPP connectivity.

9.5 Troubleshooting ACL Issues


9.5.1 Determining if an ACL is the Issue Page 1: ACLs add a level of complexity to troubleshooting network issues. Therefore, it is important to verify basic network connectivity before applying an ACL.

When networks or hosts become unreachable and ACLs are in use, it is critical to determine if the ACL is the problem. Ask the following questions to help to isolate the problem:

Is an ACL applied to the problem router or interface?
Has it been applied recently?
Did the issue exist before the ACL was applied?
Is the ACL performing as expected?
Is the problem with all hosts connected to the interface or only specific hosts?
Is the problem with all protocols being forwarded or only specific protocols?
Are the networks appearing in the routing table as expected?

One way to answer several of these questions is to enable logging. Logging shows the effect that ACLs are having on various packets. By default, only the number of matches for each statement is displayed with the show access-list command.

To display details about packets permitted or denied, add the log keyword to the end of ACL statements.

9.5.1 - Determining if an ACL is the Issue The diagram depicts the output when examining an ACL on a network.

Network Topology
Two hosts with the IP addresses 192.168.1.2 and 192.168.1.3 are on the 192.168.1.0/24 network. A switch is connected to R1 Fa0/0. This interface has an ACL applied (ACL 123 inbound). Router R1 S0/0/0 is connected to S0/0/0 of router R2 on network 172.20.0.1/30. R2 Fa0/0 is connected to another switch on network 192.168.2.0/24. A server with the IP address 192.168.2.2 is connected to that switch.

The configuration commands for placing the ACL are listed below.

Output
R1(config)# access-list 123 deny tcp host 192.168.1.2 host 192.168.2.2 eq 23 log
R1(config)# access-list 123 permit ip 192.168.1.0 0.0.0.255 any log
R1(config)# access-list 123 deny ip any any log
R1(config)# int fa0/0
R1(config-if)# ip access-group 123 in

ACL Console Logging
*Sep 12:34:35:54.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) 192.168.2.2(23), 1 packet
R1#
*Sep 12:34:35:54.067: %SEC-6-IPACCESSLOGP: list 123 permitted icmp 192.168.1.3 192.168.2.2 (8/0), 1 packet

Page 2: A number of commands help to determine if ACLs are configured and applied correctly.

To display all ACLs configured on the router, whether applied to an interface or not, use the following command:

show access-lists

To clear the number of matches for each ACL statement, use:

clear access-list counters

To display the source and destination IP address for each packet received or sent by any interface on the router, use:

debug ip packet

The debug ip packet command shows packets whose source or destination is a router interface. This command includes packets that are denied by an ACL at the interface. Examples of traffic that create a debug message include:

RIP updates to or from a router interface

Telnet from an external source to an external destination blocked by an ACL on the interface

If the packets are simply passing through and the ACL does not block a packet from this IP address, no debug message is generated.

9.5.1 - Determining if an ACL is the Issue The diagram depicts the output when examining an ACL on a network. The following commands are used: R1# show running-config, R1# debug ip packet, R1# show ip interface, and R1# show access-lists.

Network Topology
Two hosts are connected to a switch. The two hosts have the IP addresses 192.168.1.2 and 192.168.1.3, and are part of the 192.168.1.0/24 network. The switch is connected to router R1 Fa0/0. This interface has an ACL applied (ACL 123 inbound). R1 S0/0/0 is connected to S0/0/0 of router R2 on network 172.20.0.1/30. R2 Fa0/0 is connected to another switch on the 192.168.2.0/24 network. A server with the IP address 192.168.2.2 is connected to that switch.

Output
R1# show running-config
 ip address 192.168.1.1 255.255.255.0
 ip access-group 123 in
[output omitted]
access-list 123 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet
access-list 123 permit ip 192.168.1.0 0.0.0.255 any

R1# debug ip packet
*Sep 19 ...omitted... IP: s=192.168.1.2 (FastEthernet0/0), d=192.168.2.2, len 48, access denied

R1# show ip interface
  Outgoing access list is not set
  Inbound access list is 123

R1# show access-lists
Extended IP access list 123
    10 deny tcp host 192.168.1.2 host 192.168.2.2 eq telnet (9 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any (24 matches)
    30 deny ip any any (3 matches)

Page 3:

9.5.1 - Determining if an ACL is the Issue The diagram depicts an activity in which you must analyze the network topology and router command output. Indicate whether the statements regarding ACLs and their effects are True or False.

Network Topology
The diagram depicts two hosts connected to a switch. The two hosts have the IP addresses 192.168.1.2 and 192.168.1.3, and are part of the 192.168.1.0/24 network. The switch is connected to router R1 via Fa0/0. This interface has an ACL applied (ACL 123 inbound). R1 S0/0/0 is connected to router R2 on network 172.20.0.1/30. R2 Fa0/0 is connected to another switch on the 192.168.2.0/24 network. A server with the IP address 192.168.2.2 is connected to that switch.

Scenario 1
The following is the router output for the command show running-config.
R1# show running-config
Building configuration...
(**output omitted**)
hostname R1
interface FastEthernet0/0
 description LAN gateway for 192.168.1.0 net
 ip address 192.168.1.1 255.255.255.0
 ip access-group 123 in
 duplex auto
 speed auto
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/0/0
 description WAN link to R2
 ip address 172.20.1.1 255.255.255.252
 no fair-queue
interface Serial0/0/1
 no ip address
 shutdown
router rip
 version 2
 passive-interface FastEthernet0/0
 network 172.20.0.0
 network 192.168.1.0
 no auto-summary
access-list 123 permit tcp host 192.168.1.2 any eq telnet
access-list 123 permit tcp host 192.168.1.2 any range ftp-data ftp
access-list 123 deny tcp any any eq telnet
access-list 123 deny tcp any any range ftp-data ftp
access-list 123 permit ip 192.168.1.0 0.0.0.255 any
access-list 123 deny ip any any

Determine if the statements below are True or False.
One. This router is configured with a standard ACL.
Two. If a telnet packet from 192.168.1.5 enters Fa0/0, it will be permitted.
Three. Host 192.168.1.2 is permitted to transfer files to and from any FTP server.
Four. This ACL is applied to Fa0/0 inbound.
Five. If an HTTP packet from a host on network 192.168.1.0 is received on Fa0/0 inbound, it will be permitted.

Scenario 2
The following is the router output for the command show access-list.
R1# show access-list
Extended IP access list 123
    permit tcp host 192.168.1.2 any eq telnet (24 matches)
    permit tcp host 192.168.1.2 any range ftp-data ftp
    deny tcp any any eq telnet (8 matches)
    deny tcp any any range ftp-data ftp (12 matches)
    permit ip 192.168.1.0 0.0.0.255 any (250 matches)
    deny ip any any (22 matches)

Determine if the statements below are True or False.
One. This router ACL allows an administrator PC (192.168.1.2) to Telnet and FTP to any location.
Two. The administrator has been using FTP extensively.
Three. PCs other than 192.168.1.2 on the 192.168.1.0 network have attempted to telnet to other networks.
Four. This ACL prevents transferring a file using FTP from PC 192.168.1.3 to PC 192.168.1.5.
Five. Most hosts have used IP protocols other than FTP and Telnet (e.g. HTTP) to connect to other networks.

Scenario 3
The following is the router output for the command debug ip packet.
R1# debug ip packet
IP packet debugging is on
R1#
*Sep 19 17:09:25.555: IP: s=192.168.1.3 (FastEthernet0/0), d=192.168.2.2, len 48, access denied
*Sep 19 17:09:26.555: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.3 (FastEthernet0/0), routed via FIB
*Sep 19 17:11:34.555: IP: s=172.20.1.2 (Serial0/0/0), d=224.0.0.9, len 52, recvd 2
*Sep 19 17:11:45.119: IP: s=172.20.1.1 (local), d=224.0.0.9 (Serial0/0/0), len 52, sending broadcast/multicast
R1#
*Sep 19 17:09:25.555: IP: s=192.168.1.5 (FastEthernet0/0), d=192.168.2.2, len 48, access denied
*Sep 19 17:09:26.555: IP: tableid=0, s=192.168.1.1 (local), d=192.168.1.5 (FastEthernet0/0), routed via FIB

Determine if the statements below are True or False.
One. All packets from host 192.168.1.5 have been permitted by this router and ACL.
Two. This router is running only the EIGRP routing protocol.
Three. Packets from host 192.168.1.3 may be permitted by this router and ACL depending on the protocol they are using.
Four. Routing updates to multicast address 224.0.0.9 are being blocked by the ACL on this router.
Five. The IP address of the S0/0/0 interface on this router is 172.20.1.2.

Page 4: Packet Tracer Activity

Troubleshoot ACL issues using show and debug commands.

Click the Packet Tracer icon to begin.

9.5.1 - Determining if an ACL is the Issue Link to Packet Tracer Exploration: Troubleshooting ACL Issues Troubleshoot ACL issues using show and debug commands.

9.5.2 ACL Configuration and Placement Issues Page 1: Issues such as slow performance and unreachable network resources result from an incorrectly configured ACL. In some cases, the ACL may permit or deny the intended traffic but can also have unintended effects on other traffic. If it appears that the ACL is the problem, there are several issues to check.

If the ACL statements are not in the most efficient order to permit the highest volume traffic early in the ACL, check the logging results to determine a more efficient order.

The implicit deny may be having unintended effects on other traffic. If so, use an explicit deny ip any any log command so that packets that do not match any of the previous ACL statements can be monitored.

Use logging to determine if the ACL is optimized or working as expected.

9.5.2 - ACL Configuration and Placement The diagram depicts output when using the following commands: R1# show ip route, R1# debug ip rip, R2# show ip route, R2# (console logging on), R2# debug ip rip, R2# show access-lists, and R2# show ip interface s0/0/0.

Network Topology
Two hosts are directly connected to a switch. The two hosts have the IP addresses 192.168.1.2 and 192.168.1.3, and are part of the 192.168.1.0/24 network. The switch is connected to router R1. R1 S0/0/0 is connected to router R2 S0/0/0; both are part of the 172.20.1.0/30 network. An ACL (123) has been placed on the serial interface S0/0/0 inbound on R2. R2 Fa0/0 is connected to another switch on the 192.168.2.0/24 network. A server with the IP address 192.168.2.2 is connected to that switch.

Only sections of each command output are shown below. All other output from the commands is omitted. Complete outputs may be seen in the Hands-on Labs or Packet Tracer Activities.

R1# show ip route
R    192.168.2.0/24 [120/1] via 172.20.1.2, 00:00:06, Serial0/0/0

R1# debug ip rip
*Sep 19 21:12:59.622: RIP: received v2 update from 172.20.1.2 on Serial0/0/0
*Sep 19 21:12:59.622:      192.168.2.0/24 via 0.0.0.0 in 1 hops
*Sep 19 21:12:59.622: RIP: sending v2 update to 224.0.0.9 via Serial0/0/0 (172.20.1.1)

R2# show ip route
(No output is highlighted here for this command.)

R2# (console logging on)
*Sep 19 20:21:28.139: %SEC-6-IPACCESSLOGNP: list 1 denied 0 172.20.1.1 -> 224.0.0.9

R2# debug ip rip
(No output is highlighted here for this command.)

R2# show access-lists
    20 deny any (matches)

R2# show ip interface s0/0/0
  Outgoing access list is not set
  Inbound access list is 1
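As an added example (not part of the course), this Python parser reads the %SEC-6-IPACCESSLOG* console messages that the log keyword produces, in the IPACCESSLOGP, IPACCESSLOGDP and IPACCESSLOGNP forms seen in 9.5.1 and in the R2 console log above. It tallies permitted and denied packets per ACL and flags any deny whose destination is a routing-protocol multicast group, which is the symptom of the RIP updates blocked by list 1 above. The sample log lines are constructed from those on this page.

```python
import re
from collections import defaultdict

# Constructed sample console lines modelled on the ACL logging output in 9.5.1 and 9.5.2.
# The first line uses the arrow-less form shown on the page; the others use the "->" form.
SAMPLE_LOG = """\
*Sep 12 14:35:54.067: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1141) 192.168.2.2(23), 1 packet
*Sep 12 14:35:54.067: %SEC-6-IPACCESSLOGDP: list 123 permitted icmp 192.168.1.3 -> 192.168.2.2 (8/0), 1 packet
*Sep 12 14:40:12.301: %SEC-6-IPACCESSLOGP: list 123 denied tcp 192.168.1.2(1142) -> 192.168.2.2(23), 5 packets
*Sep 19 20:21:28.139: %SEC-6-IPACCESSLOGNP: list 1 denied 0 172.20.1.1 -> 224.0.0.9, 1 packet
R1#
"""

# Well-known routing-protocol multicast groups. A deny to one of these usually means the
# ACL is discarding routing updates rather than user traffic.
ROUTING_MCAST = {
    "224.0.0.9": "RIPv2",
    "224.0.0.5": "OSPF",
    "224.0.0.6": "OSPF DR/BDR",
    "224.0.0.10": "EIGRP",
}

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]*): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: ->)? (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?(?:, (?P<count>\d+) packets?)?"
)


def parse_log(text):
    """Return one dict per ACL log message; prompts and unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entries.append({
            "kind": m["kind"],            # P = ports, DP = ICMP type/code, NP = no ports
            "acl": m["acl"],
            "action": m["action"],
            "proto": m["proto"],          # tcp/udp/icmp or a raw protocol number
            "src": m["src"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None,
            "count": int(m["count"]) if m["count"] else 1,  # IOS omits the count on some lines
        })
    return entries


def analyze(entries):
    """Summarise the log the way a troubleshooter reads it: hits per ACL, what is being
    denied, and whether a deny is eating a routing protocol's multicast updates."""
    per_acl = defaultdict(lambda: {"permitted": 0, "denied": 0})
    denied_flows = defaultdict(int)
    blocked_routing = []
    for e in entries:
        per_acl[e["acl"]][e["action"]] += e["count"]
        if e["action"] == "denied":
            denied_flows[(e["src"], e["dst"], e["proto"], e["dport"])] += e["count"]
            if e["dst"] in ROUTING_MCAST:
                blocked_routing.append((e["acl"], e["src"], ROUTING_MCAST[e["dst"]]))
    return {
        "per_acl": dict(per_acl),
        "denied_flows": dict(denied_flows),
        "blocked_routing": blocked_routing,
    }


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for acl, counts in report["per_acl"].items():
        print(f"list {acl}: {counts['permitted']} permitted, {counts['denied']} denied")
    for (src, dst, proto, dport), n in report["denied_flows"].items():
        print(f"  denied {proto} {src} -> {dst} port {dport}: {n} packet(s)")
    for acl, src, protocol in report["blocked_routing"]:
        print(f"  WARNING: list {acl} is dropping {protocol} updates from {src}")
```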

Page 2: In addition to determining whether the ACL is correctly configured, it is also important to apply the ACL to the right router or interface, and in the appropriate direction. A correctly configured ACL that is incorrectly applied is one of the most common errors when creating ACLs.

Standard ACLs filter only on the source IP address; therefore, place them as close to the destination as possible.

Placing a Standard ACL close to the source may unintentionally block traffic to networks that should be allowed.

Placing the ACL close to the destination unfortunately allows traffic to flow across one or more network segments prior to being denied. This is a waste of valuable bandwidth.

Using an Extended ACL resolves both of these issues.

Packets destined for networks other than the one being blocked are unaffected. The routers along the potential path never see the denied packets, which helps to conserve bandwidth.

9.5.2 - ACL Configuration and Placement This diagram compares the use of a standard ACL with an extended ACL to prevent network 192.168.1.0 traffic from entering the 192.168.4.0 network. Traffic should be allowed to reach all other networks.

Network Topology
The diagram depicts four routers, R1, R2, R3, and R4, connected to each other by serial links. On R1 there is an extended ACL placed on Fa0/0, which connects network 192.168.1.0/24 to R1. The extended ACL information appears as follows:

Extended ACL
Place closest to source
Denies traffic from the 192.168.1.0 network from reaching 192.168.4.0
Allows it to reach other networks and saves bandwidth
ACL commands
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip any any

Network Topology Continued
R2 is connected to network 192.168.2.0/24 and is also connected to R4. Router R3 connects to both R1 and R4. R3 is connected to network 192.168.3.0/24. Router R4 has its FastEthernet Fa0/0 OUT in use and connected to network 192.168.4.0/24. There is a standard ACL placed between the 192.168.4.0/24 network and the interface. The standard ACL information is as follows:

Standard ACL
Place closest to the destination
Denies 192.168.1.0 traffic to 192.168.4.0
Wastes bandwidth
ACL commands
access-list 1 deny 192.168.1.0 0.0.0.255
access-list 1 permit any
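As an added example (not part of the course), the Python below parses the two ACLs from the diagram, evaluates them with IOS wildcard-mask semantics (first match wins, implicit deny at the end), and then replays a host on 192.168.1.0/24 sending to each network with the ACL placed at R1 (extended, closest to the source), at R4 (standard, closest to the destination) and, for comparison, the standard ACL wrongly placed at R1. The paths and host addresses are constructed from the topology description; only ip-protocol extended entries are modelled.

```python
import ipaddress

# ACL statements taken from the diagram (extended ACL at R1, standard ACL at R4).
EXTENDED_ACL = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "access-list 101 permit ip any any",
]
STANDARD_ACL = [
    "access-list 1 deny 192.168.1.0 0.0.0.255",
    "access-list 1 permit any",
]

# Routers a packet from 192.168.1.0/24 traverses to reach each network. Constructed from
# the diagram (R1-R2-R4 and R1-R3-R4); the destination host addresses are made up.
PATHS = {
    "192.168.2.10": ["R1", "R2"],
    "192.168.3.10": ["R1", "R3"],
    "192.168.4.10": ["R1", "R2", "R4"],
}
ANY = (0, 0xFFFFFFFF)   # address 0.0.0.0 with wildcard 255.255.255.255


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _take_address(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD | A) and return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    addr = ip_int(tokens[0])
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return (addr, ip_int(tokens[1])), tokens[2:]
    return (addr, 0), tokens[1:]   # a bare address in a standard ACL implies wildcard 0.0.0.0


def parse_acl(lines):
    rules = []
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:   # standard ACL: source only
            src, rest = _take_address(rest)
            dst = ANY
        else:                                             # extended ACL: protocol, source, destination
            if rest[0] != "ip":
                raise ValueError("only 'ip' extended entries are modelled here: " + line)
            src, rest = _take_address(rest[1:])
            dst, rest = _take_address(rest)
        rules.append({"action": action, "src": src, "dst": dst})
    return rules


def wildcard_match(addr, spec):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    base, wildcard = spec
    return (addr | wildcard) == (base | wildcard)


def evaluate(rules, src, dst):
    for rule in rules:
        if wildcard_match(src, rule["src"]) and wildcard_match(dst, rule["dst"]):
            return rule["action"]   # first matching statement decides
    return "deny"                   # implicit deny at the end of every ACL


def simulate(rules, placed_at, src, dst):
    """Return (verdict, hop number of the router that applied the ACL, or None if it is
    not on the path). A high hop number on a deny is the wasted bandwidth the text describes."""
    for hop, router in enumerate(PATHS[dst], start=1):
        if router == placed_at:
            return evaluate(rules, ip_int(src), ip_int(dst)), hop
    return "permit", None


def compare_placements(src="192.168.1.10"):
    scenarios = {
        "extended@R1": (parse_acl(EXTENDED_ACL), "R1"),   # as in the diagram
        "standard@R4": (parse_acl(STANDARD_ACL), "R4"),   # as in the diagram
        "standard@R1": (parse_acl(STANDARD_ACL), "R1"),   # the misplacement the text warns about
    }
    return {name: {dst: simulate(rules, at, src, dst) for dst in PATHS}
            for name, (rules, at) in scenarios.items()}


if __name__ == "__main__":
    for name, results in compare_placements().items():
        print(name)
        for dst, (verdict, hop) in results.items():
            where = f"decided at router {hop}" if hop else "no ACL on the path"
            print(f"  to {dst}: {verdict} ({where})")
```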

Page 3: Packet Tracer Activity

Troubleshoot the placement and direction of an ACL.

Click the Packet Tracer icon to begin.

9.5.2 - ACL Configuration and Placement Link to Packet Tracer Exploration: Troubleshooting ACL Placement

Troubleshoot the placement and direction of an ACL.

Page 4: Lab Activity

Troubleshoot ACL configuration and placement issues.

Click the lab icon to begin.

9.5.2 - ACL Configuration and Placement Link to Hands-on Lab: Troubleshooting ACL Configuration and Placement Troubleshoot ACL configuration and placement issues.

9.6 Chapter Summary


9.6.1 Summary Page 1:

9.6.1 Summary

Diagram 1, Image
The diagram depicts a hierarchical network design.
Diagram 1 text
Adherence to the three-layer hierarchical network design model assists in troubleshooting efforts. Network monitoring tools include network utilities, packet sniffing tools, and SNMP monitoring tools. SNMP enables monitoring the performance of individual devices on the network using agents and a MIB. Backups of the configuration files, spare devices, or backup sites enable quick restoration of connectivity. The business continuity plan details the security policy and disaster recovery plan. When troubleshooting a network, determine the scope of the problem, and isolate the issue to a specific failure domain.

Diagram 2, Image
The diagram depicts two rack-mounted switches and RJ-45 connections.
Diagram 2 text
The most common problems with switches occur at the Physical Layer. Visually checking LEDs and cable connections assists in troubleshooting Physical Layer problems. Change the priority value on a switch to force the selection of the root bridge. The root bridge should be centrally located within the network. Ensure there are two VTP servers in one domain to provide backup. Ensure all devices sharing VLAN information have the same VTP domain name. Check the VTP revision information and mode before enabling a switch to join the network.

Diagram 3, Image
The diagram depicts a simple two-router network and various output.
Diagram 3 text
Many tools exist for troubleshooting routing issues, including IOS show commands, debug commands, and TCP/IP utilities. Use debug commands to isolate problems, not to monitor normal network operation. Problems with RIPv1 include lack of VLSM support and intermixing RIPv1 and RIPv2 devices. Common issues with EIGRP include mismatched AS numbers, incorrect wildcard masks, and autosummarization issues with discontiguous subnets. The majority of OSPF problems relate to the formation of adjacencies and the synchronization of the link-state databases.

Diagram 4, Image
The diagram depicts the show controllers command output from the DCE and DTE ends of two connected routers.
Diagram 4 text
The most common Physical Layer WAN problems are not specifying a clock rate on the link or using the wrong type of cable. SLARP assigns an IP address to the end point of a serial link if the other end is already configured. Ensure that the encapsulation is the same on both sides of the serial link. If an IP address is used, both ends of the link must be on the same network or subnet. When troubleshooting PPP connectivity, verify that the LCP has opened, authentication has passed, and the NCP has completed. For enhanced security, use mutual authentication. On both ends of the link, verify that a user account exists for the remote device and that the password is correct. By default, the username used during the authentication process is the name of the remote router. Both the username and the password are case-sensitive.

Diagram 5, Image
The diagram depicts a network with an ACL applied.
Diagram 5 text
ACLs can create complications in troubleshooting network issues. Always verify basic network connectivity before applying an ACL. Enable logging to determine the effect that ACLs have on traffic. An ACL needs to be applied to the correct router and interface and in the correct direction. Standard ACLs filter only on the source IP address, so they are normally placed as close to the destination as possible. An extended ACL filters on source and destination as well as protocols and port numbers. Placing an extended ACL close to the source can deny traffic before it passes through the router and before it traverses the WAN link.

An ACL placed on the wrong interface or in the wrong direction can block traffic that should not be blocked, or permit traffic that should not be permitted.
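The VTP checks from the Diagram 2 text (same domain name, two servers, revision and mode verified before a switch joins) as an added script that is not part of the Cisco course; it parses text pasted from show vtp status, and every capture, hostname and value below is constructed.

```python
# Added example, not part of the Cisco course: check "show vtp status" captures
# from the switches already in a domain and from a switch about to join it.
import re

FIELDS = {
    "revision": r"Configuration Revision\s*:\s*(\d+)",
    "mode": r"VTP Operating Mode\s*:\s*(\w+)",
    "domain": r"VTP Domain Name\s*:\s*(\S+)",
}

def parse_vtp_status(text):
    """Pull revision (int), operating mode and domain name out of one capture."""
    parsed = {}
    for key, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"{key} not found in capture")
        parsed[key] = int(match.group(1)) if key == "revision" else match.group(1)
    return parsed

def vtp_join_findings(existing, joining):
    """Findings before `joining` (one capture) is cabled into the domain formed
    by `existing` ({hostname: capture}). An empty list means nothing to fix."""
    members = {name: parse_vtp_status(t) for name, t in existing.items()}
    new = parse_vtp_status(joining)
    domains = {s["domain"] for s in members.values()}
    findings = []
    if len(domains) != 1:
        findings.append("existing switches disagree on the domain name")
    # Exact, case-sensitive match: a switch in another domain ignores the
    # advertisements, so new VLANs never reach it.
    elif new["domain"] != next(iter(domains)):
        findings.append("joining switch has a different domain name")
    # Same domain plus a higher revision: the joining switch's VLAN database
    # replaces the one on every server and client already in the domain.
    elif new["mode"] != "Transparent":
        if new["revision"] > max(s["revision"] for s in members.values()):
            findings.append("joining switch revision is higher than the domain's")
    if sum(s["mode"] == "Server" for s in members.values()) < 2:
        findings.append("fewer than two VTP servers, so no backup server")
    return findings

def capture(revision, mode, domain):
    """Constructed minimal show vtp status text carrying the fields parsed above."""
    return (f"VTP Version : 2\nConfiguration Revision : {revision}\n"
            f"VTP Operating Mode : {mode}\nVTP Domain Name : {domain}\n")

EXISTING = {"Sw1": capture(12, "Server", "Lab_Network"),   # constructed domain
            "Sw2": capture(12, "Client", "Lab_Network")}
```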
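The RIP v1 and autosummarization points from the Diagram 3 text, as an added model that is not from the course: it shows what a classful protocol advertises out each interface and flags the discontiguous layout in which two routers send the same classful summary. Router names and addresses are constructed.

```python
# Added example, not from the Cisco course: model what RIP v1 (classful, no
# VLSM) advertises out an interface, and flag discontiguous major networks.
import ipaddress
from itertools import combinations

def classful_network(ip):
    """Class A/B/C major network that a classful protocol summarises `ip` to."""
    first = ip.packed[0]
    if first >= 224:
        raise ValueError(f"{ip} is not in a classful unicast range")
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def ripv1_updates(ifaces, out_iface):
    """Routes a RIP v1 router with interfaces {name: 'addr/prefix'} sends out
    `out_iface`: same major network keeps the subnet, anything else collapses
    to the classful summary. Split horizon drops the outgoing link itself."""
    out_major = classful_network(ipaddress.ip_interface(ifaces[out_iface]).ip)
    sent = set()
    for name, cidr in ifaces.items():
        if name == out_iface:
            continue
        iface = ipaddress.ip_interface(cidr)
        major = classful_network(iface.ip)
        sent.add(str(iface.network if major == out_major else major))
    return sorted(sent)

def discontiguous_majors(routers):
    """Major networks split across routers that share no subnet of that major:
    each router summarises it, so their classful summaries collide."""
    per_major = {}
    for rname, ifaces in routers.items():
        subnets = [ipaddress.ip_interface(c).network for c in ifaces.values()]
        majors = {classful_network(s.network_address) for s in subnets}
        if len(majors) < 2:
            continue  # a router inside one major network never summarises
        for m in majors:
            per_major.setdefault(m, {})[rname] = {s for s in subnets if s.subnet_of(m)}
    flagged = set()
    for m, by_router in per_major.items():
        for a, b in combinations(by_router.values(), 2):
            if not a & b:
                flagged.add(str(m))
    return sorted(flagged)

ROUTERS = {  # constructed: 172.16.x LANs on both sides of a 10.1.1.0/30 WAN link
    "R1": {"Fa0/0": "172.16.1.1/24", "S0/0": "10.1.1.1/30"},
    "R2": {"Fa0/0": "172.16.2.1/24", "S0/0": "10.1.1.2/30"},
}
```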

9.6.2 Critical Thinking Page 1:

9.6.2 - Critical Thinking
Critical Thinking
Answer the following questions based on the exhibit.

Exhibit
Network Topology
There are two routers, R2 and R3. There are two switches, S1 and S2. R2 is connected to R3 via a serial link (network: 192.168.16.0 /30). R2 has S1 attached (network: 10.10.4.0 /24). R3 has S2 attached (network: 10.10.3.0 /24). S1 has one host attached (Host IP: 10.10.4.63 /24). S2 has one host attached (Host IP: 10.10.3.75 /24).

There is a screen capture of the output of R2, which appears as follows:
hostname R2
[output omitted]
interface FA0/0
IP address 10.10.4.1 255.255.255.0
interface s0/0
IP address 192.168.16.1 255.25.255.252
!
router rip
network 192.168.16.0
network 10.0.0.0
[output omitted]

1. Which route advertisements does R3 receive from R2?
a. 10.0.0.0 /24.
b. 10.10.4.0 /24.
c. 10.0.0.0 /8.
d. 10.0.0.0 /8 and 10.10.4.0 /24.
e. 10.0.0.8, 10.0.0.0 /24 and 10.10.4.0 /24.

2. If host 10.10.3.75 attempts to ping host 10.10.4.63, what will the results be?
a. All packets will be dropped.
b. Some packets will be dropped.
c. All packets will reach the destination and network applications will have connectivity.
d. All packets will reach the destination but network applications will not have connectivity.

3. What must an administrator do on R3 to ensure that update packets are sent with subnet mask information?
a. Add the command: R2(config-router)# no version 2.
b. Add the commands: R3(config-router)# version 2, R3(config-router)# no auto-summary.
c. Change the network statement on Router 3: R3(config)# network 10.10.4.0.
d. Add the command: R3(config)# IP route 0.0.0.0 0.0.0.0 s0/0.

4. R1 and R3 are configured with the commands:
version 2
no auto-summary
Which two statements are true? (Choose two.)
a. A ping command will be successful between host 10.10.3.75 and host 10.10.4.63.
b. R2 is able to send and receive RIP v1 and RIP v2 update packets.
c. R2 is able to receive RIP v1 and RIP v2 update packets.
d. A ping command will fail between host 10.10.3.75 and host 10.10.4.63.

9.7 Chapter Quiz


9.7.1 Quiz Page 1: Take the chapter quiz to check your knowledge.

Click the quiz icon to begin.

9.7.1 - Quiz
Chapter 9 Quiz: Troubleshooting an Enterprise Network

1. All IP addresses have been correctly configured and all interfaces are up. Based on the network topology and router output described below, which two statements describe what will occur while testing the network? (Choose two.)
Network Topology
In this topology, router RTA is connected via its S0/0 to router RTB's S0/0 port on the network 192.168.10.0/24. RTA is connected to two switches on the following networks: 192.168.30.0/24 and 192.168.80.0/24. RTB is connected to two switches on the following networks: 192.168.50.0/24 and 192.168.20.0/24.
The following output is displayed from RTA's configuration:
hostname RTA
!
router rip
network 192.168.30.0
network 192.168.80.0
The following output is displayed from RTB's configuration:
hostname RTB
!
router rip
network 192.168.50.0
network 192.168.20.0
A. RTA and RTB are able to ping each other's serial interfaces.
B. RTA and RTB do not learn any routes from each other through the RIP process.
C. RTB has all five of the networks listed in the routing table.
D. RTA has all five of the networks listed in the routing table.
E. RTA and RTB will have three entries in the route table found via RIP.

2. Which utility is able to detect and monitor different types of traffic on a network and trigger an alarm when an excessive amount of a specified packet type is seen?
A. ping
B. SNMP
C. tracert
D. packet sniffer

3. Answer this question based on the network topology and router output below. The network administrator configured the ACL to deny the LAN access to a web server with known viruses. However, the users can still reach this server. What could be the cause of the problem?
Network Topology
A switch on network 192.168.1.0/24 is connected to the Fa0/0 of router RTA. RTA is connected via its Fa0/1 to another switch, which connects to a server with the address 172.16.5.5/24.
RTA's ACLs are shown as follows:
RTA(config)# access-list 100 deny ip 192.168.1.0 0.0.0.255 host 172.16.5.5
RTA(config)# access-list 100 permit ip any any
RTA(config)# interface fa0/0
RTA(config)# ip access-group 100 out
A. The access list should specifically deny TCP port 80.
B. The access list should be applied inbound on the interface instead of outbound.
C. The access list should be a standard access list instead of an extended one.
D. The access list has the source address and destination address reversed.

4. Answer this question based on the switch output below. An administrator has been adding new VLANs to Sw-2 and notices that the new information is not recognized by Sw-3. Given the output of the show vtp status command, what is the reason why information is not shared in this VTP domain?
Sw-1#show vtp status
VTP Version: 2
Configuration Revision: 247
Maximum VLANs supported locally: 1005
Number of existing VLANs: 40
VTP Operating Mode: Client
VTP Domain Name: Lab_Network
VTP Pruning Mode: Enabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 10.10.12.1 at 8-12-08 12:04:42

Sw-2#show vtp status
VTP Version: 2
Configuration Revision: 247
Maximum VLANs supported locally: 1005
Number of existing VLANs: 40
VTP Operating Mode: Server
VTP Domain Name: Lab_Network
VTP Pruning Mode: Enabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 10.10.12.1 at 8-12-08 12:08:52

Sw-3#show vtp status
VTP Version: 2
Configuration Revision: 247
Maximum VLANs supported locally: 1005
Number of existing VLANs: 25
VTP Operating Mode: Transparent
VTP Domain Name: Lab_Network
VTP Pruning Mode: Enabled
VTP V2 Mode: Disabled
VTP Traps Generation: Disabled
MD5 digest: 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49 0x80
Configuration last modified by 10.10.12.1 at 8-12-08 13:34:49

A. The VTP domain is not the same between the switches.
B. Sw-3 is configured for transparent mode.
C. VTP version 2 has been disabled.
D. VTP traps have been disabled.

5. Answer this question based on the router output below. Two neighboring routers are not able to establish connectivity. Based on the output of the debug ppp authentication command, which statement is true?
03:17:47: Se0/1 PPP: Authorization NOT required
03:17:47: Se0/1 CHAP: O CHALLENGE id 15 len 28 from "R1"
03:17:47: Se0/1 CHAP: I CHALLENGE id 17 len 27 from "R2"
03:17:47: Se0/1 CHAP: Using hostname from configured hostname
03:17:47: Se0/1 CHAP: Using password from AAA
03:17:47: Se0/1 CHAP: O RESPONSE id 17 len 28 from "R1"
03:17:47: Se0/1 CHAP: I RESPONSE id 15 len 27 from "R2"
03:17:47: Se0/1 PPP: Sent CHAP LOGIN Request to AAA
03:17:47: Se0/1 PPP: Received LOGIN Response from AAA=FAIL
03:17:47: Se0/1 CHAP: O FAILURE id 15 len 26 msg is "Authentication failure"
E. only one side required authentication
F. an incorrect hash string is received from the remote router
G. the remote location is configured with PAP authentication instead of CHAP
H. the authentication methods are incompatible

6. Answer this question based on the network topology and the switch output below. The ACME Company implements VLANs across its network infrastructure to further control the network traffic. The network administrator issued the show vlan command on SW2 to verify the VLAN configuration. Which statement is true?
Network Topology
Router RTA is connected to switch SW2. SW2 is connected to switches SW1 and SW3. Engineering is VLAN 10, Support is VLAN 20, and Sales is VLAN 30.
SW2# show vlan
VLAN  Name         Status  Ports
1     default      active  Fa0/3, Fa0/4, Fa0/21, Fa0/22, Fa0/23, Fa0/24
10    Engineering  active  Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9
20    Support      active  Fa0/10, Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15
30    Sales        active  Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20
A. All ports will be participating in VLAN 1.
B. Traffic in each VLAN will not be seen in other VLANs.
C. The status "active" indicates there are 22 devices currently connected to SW2.
D. Since VLAN 1 is the management VLAN, RTA can connect to any port in VLAN 1 to route between different VLANs.

7. What is one way to limit the size of a failure domain?
A. implement a classless routing protocol
B. create redundant paths wherever possible
C. backup configuration files
D. ensure devices are hot-swappable

8. Answer this question based on the network topology below. The server was just added to the network and no hosts are able to connect to it. What could be the problem?
Network Topology
Router RTA is connected via Fa0/0 to a switch. The switch is connected to two hosts on the 10.10.10.0/24 network with the following IP addresses: 192.168.102.50/27 and 192.168.102.34/27. RTB is connected via Fa0/0 to a switch. The switch is connected to a host with the IP address 192.168.102.99/27 and a server with the IP address 192.168.102.127/27. RTA has a serial connection from port S0/0 to RTB port S0/0.
A. The IP address of the server should be dynamic instead of static.
B. The IP address assigned to the server is the network address for this subnetwork.
C. The IP address assigned to the server is the broadcast address for this subnetwork.
D. The network is not subnetted correctly.

9. A technician is troubleshooting a loss of connectivity and suspects that an incorrectly configured ACL is the cause. Which two commands can the technician use to verify that the ACL is incorrectly configured? (Choose two.)
A. show protocols
B. show running-config
C. show ip route
D. show access-lists
E. show ip interface

10. To answer this question, refer to the router output below. Why is neighbor 192.168.199.137 not a DROTHER?
Neighbor ID      Pri  State         Dead Time  Address        Interface
172.16.40.1      5    Full/DR       0:00:31    172.16.48.1    Ethernet0
172.16.50.1      1    Full/DROTHER  0:00:33    172.16.48.10   Ethernet0
172.16.60.1      1    Full/BDR      0:00:33    172.16.48.200  Ethernet0
192.168.199.137  1    Full/ -       0:00:33    192.168.1.2    Serial0/1
A. It is participating in OSPF over a point-to-point interface.
B. The network command is misconfigured on the local router.
C. The network command is misconfigured on the neighboring router.
D. OSPF authentication has been enabled on the local router but not on the neighboring router.


All contents copyright 2007-2008 Cisco Systems, Inc. All | Translated by the Cisco Networking Academy. About
