
1.1 Cisco CCNA 200-301 Training Book

Cisco CCNA
Network Training
Yavuz BULUT
Network Consultant and Instructor
Chapter-1
Introduction
I Introduction
I About the Instructor
I Educational content
I Cisco Certifications
I Welcome to CCNA Training
In this training, I will tell you about the basics of wired and wireless
networks, how Cisco Routers and Switches are configured, how to design a
wired and wireless network, and how to secure the networks we set up.
Cisco is one of the leading companies in the world in the field of networking. It
offers not only network products but end-to-end IT products. By obtaining this
certificate, you can easily find a job in the IT sector. When you look at job
postings, Cisco certificates are required even if there are no Cisco devices in the
companies' infrastructure, because in this training you will learn not only Cisco
products but also general network technologies. Other brands often have structures
similar to Cisco's.
I About the Instructor
By establishing the Ses Telekom company in Malatya in 2001, I continued sales and
installation activities of telephone exchanges in Malatya until 2009 and in
Istanbul from 2009 to 2011. After I closed Ses Telekom at the end of 2011, my work
started to be network-based, so I entered the world of networking by taking Cisco
training.
I received my first Cisco CCNA certification in 2013, and I got CCNA Security in
2014, CCNA Voice in 2015, CCNP Routing and Switching in 2016, CCNA Collaboration in
2018, Cisco Video Network Specialist in 2018, and CCNP Enterprise in 2020.
Between 2013 and 2016, I worked as a project manager in a company that is a Cisco
Gold Partner in Istanbul. After 2016, I started to give networking lessons and
share free training videos on YouTube. In 2017, I continued to give training by
establishing ICT Academy. As the trainings started to slowly shift towards online
education, I decided to publish all of the trainings I gave through ICT Academy on
Udemy as of 2020.
Currently, I continue to give trainings and consultancy services to corporate
companies through Udemy.
I Training Content
The training content has been prepared according to the curriculum of the official
book prepared by Cisco for the CCNA 200-301 exam. It includes all CCNA 200-301
exam topics. It consists of a total of 14 chapters and nearly 50 main topics and
sub-topics. You can download the Turkish document I prepared for each section under
the first lesson of the section.
Chapter-1 Introduction
Introduction, About the Instructor, Training Content, and Cisco Certifications
Chapter-2 Network Communication
Introduction to TCP/IP, Ethernet Fundamentals, WAN and IP Routing
Chapter-3 Switch Applications in the Network
CLI Usage, Switches Overview, Basic Switch Configuration
Chapter-4 VLAN and STP Applications
VLANs, Spanning Tree Protocol, RSTP and EtherChannel Configuration
Chapter-5 IPv4 Addressing and Subnetting
Looking at Subnetting, Analyzing Classful IPv4 Networks, Analyzing Subnet Masks,
Analyzing Existing Subnets
Chapter-6 IPv4 Routing
Router Management, Static Routes, IPv4 Routing and Troubleshooting
Chapter-7 OSPF
OSPF Concepts, OSPF Applications, OSPF Network Types
Chapter-8 IP Version 6
IPv6 Fundamentals, IPv6 Addresses and Subnets, IPv6 Applications
Chapter-9 Wireless LANs
Wireless Fundamentals, Wireless Architecture, Wireless Security
Chapter-10 Access Control Lists
TCP/IP Transport and Applications, Basic ACLs, Advanced ACLs
Chapter-11 Network Security
Security Architecture, Securing Network Devices, Switch Port Security, DHCP,
DHCP Snooping and ARP Inspection
Chapter-12 IP Services
Device Management Protocols, NAT, QoS and Various IP Services
Chapter-13 Network Architecture
LAN Architecture, WAN Architecture, Cloud Architecture
Chapter-14 Network Automation
Controller-Based Networking, SDA, REST/JSON, Ansible, Puppet, Chef
I About Cisco Certifications and Exam
Before 2020
After 2020
Chapter-2
Network Fundamentals
I Network Communication
I Introduction to TCP/IP
I Ethernet Basics
I WAN and IP Routing
I Network Communication
Network Communication
This first chapter will help you understand how networks are interconnected and
how networks are connected to each other using Cisco routers and switches. When we
connect two or more LANs or WANs together through a router and create a logical
network addressing plan with a protocol such as IP, we create a network community.
Fundamentals of Network Communication
Networking operations have been growing very rapidly for the last 30-35 years.
Although these started with basic, indispensable user needs such as data and
printer sharing, they are now also used for video conferencing.
There have been rapid developments in our networks in order to meet many more
demands such as video sharing and movie watching platforms. Considering that
nowadays people who need to share network resources are not in the same office
environment (an increasingly common situation), what needs to be done is to connect
many networks together so that all users can use these network resources.
In some cases we may have to split a large network into several smaller ones to
reduce user response time, because as the network grows, it gets heavier. With all
this growth, congestion on the LAN rises to very high levels. The solution is to
divide really large networks into smaller networks, which is called network
segmentation. We can do this using devices such as routers and switches.
Network connection example for home users.
The main causes of traffic congestion in the LAN are:
• Having many users in a broadcast domain
• Broadcast storms
• Multicasting
• Low bandwidth
• Adding a hub to connect to the network
• Heavy ARP traffic
Today, routers are used to interconnect networks and forward data packets from one
network to another.
There are two advantages to using a router in our network:
• By default, they do not forward broadcasts.
• They can filter packets using Layer 3 information such as the IP address.
The four router functions in your network are as follows:
• Packet switching
• Packet filtering
• Network communication
• Path selection
Layer 2 switches perform packet switching using frames. Routers, unlike Layer 2
switches, perform packet switching using logical addressing at Layer 3. Routers can
also provide packet filtering using access lists. Routers use logical addressing
(IPv4 or IPv6) when they connect two or more networks; we call this formation a
community of networks. Finally, routers use a routing table (a map of the ensemble
of networks) for route selection and for routing packets to remote networks.
Switches, in contrast, are not used to create a community of networks (they do
not create broadcast domains by default); they are used to add functionality to
a network. The main task of a switch is to make a LAN work better by
providing higher bandwidth to LAN users and increasing their performance.
Switches do not forward packets to other networks as routers do. Instead, they
forward packets by switching from one port to another.
Enterprise network connection example.
Introduction to TCP/IP
I TCP/IP Networking Model
I History of TCP/IP
I Overview of the TCP/IP Networking Model
I TCP/IP and DoD Model
I TCP/IP Layers
I Data Encapsulation
I OSI Reference Model
I Introduction to TCP/IP
TCP/IP Networking Model
The Transmission Control Protocol/Internet Protocol (TCP/IP) family was developed
by the Department of Defense (DoD) to both ensure data integrity and protect and
maintain communication in the event of a war. Therefore, if designed and
implemented correctly, a TCP/IP network can be truly reliable and flexible.
History of TCP/IP
Today, the TCP/IP networking model is used in networks. But there weren't many
network protocols before, including TCP/IP. Manufacturers created their own network
protocols, and these protocols only supported the computers they produced.
For example, IBM, the computer company that had the largest market share in the
1970s and 1980s, released its System Network Architecture (SNA) network model in
1974. Other vendors also created their own custom network models. If your company
purchased computers from three suppliers, communication was achieved by creating
three different networks and then connecting those networks together.
In the late 1970s, the Open Systems Interconnection (OSI) reference model was
created by the International Organization for Standardization (ISO) to remove this
limitation. The OSI model was developed so that different vendors' networks could
work together.
The OSI model is a primary architectural model for networks. OSI describes how to
transfer data and network information from an application on one computer to an
application on another computer, across the network environment.
Overview of the TCP/IP Networking Model
The TCP/IP model is a broad protocol model that allows computers to communicate;
it uses Requests For Comments (RFC) documents to describe these protocols. (You can
find these RFCs using any online search engine.) Another institution is the IEEE,
the Institute of Electrical and Electronics Engineers, which sets the Ethernet
standards. In short, RFCs specify the TCP/IP protocols; the IEEE, on the other
hand, sets the Ethernet standards.
TCP/IP and the DoD Model
The DoD model is basically a condensed version of the OSI model. It consists of
four layers instead of seven:
• Process/Application layer
• Host-to-Host layer
• Internet layer
• Network Access layer
Many series of protocols come together in the Process/Application layer of the DoD
model to complete the various activities and tasks that OSI's top three layers
(Application, Presentation, and Session) describe.
Process/Application Layer: defines node-to-node application communication and also
controls user-interface arrangements.
Host-to-Host Layer: parallels the functions of OSI's Transport layer; it deals with
issues such as establishing secure end-to-end communication and error-free
transmission of data.
Internet Layer: corresponds to the Network layer of OSI. It defines protocols for
the logical transmission of packets across the entire network, deals with IP
addressing of user machines, and handles functions such as routing packets across
multiple networks.
Network Access Layer: monitors the information circulating between the user machine
and the network. It corresponds to the Data Link layer and the Physical layer in
the OSI model. The Network Access layer controls hardware addressing and defines
protocols for the physical transmission of data.
Comparison of the DoD model and the OSI reference model.
TCP/IP Application Layer (5-6-7)
The Application layer specifies where users actually communicate with the computer.
This layer only comes into play when access to the network will be needed soon.
TCP/IP is like a NIC card: you can remove all network card components from the
system, but you can still use a web browser to browse local HTML pages. But if you
try to do things like browse an HTML page that needs to be retrieved using HTTP, or
download a file with FTP or TFTP, the web browser will try to access the
application layer and respond to such requests.
The Application layer is also responsible for identifying the appropriate
communication partner and determining whether it has sufficient resources.
Sometimes these tasks are important because the applications require more than
just desktop resources. Examples are file transfers and e-mail. These applications
require remote access, network management activities, and client/server
operations.
HTTP Protocol Mechanisms
When we take a closer look at the example below, we can see how applications on
the computer (especially the web browser application and the web server
application) use the TCP/IP Application layer. Applications use the Hypertext
Transfer Protocol (HTTP) to request a web page and retrieve the web page's
content.
The figure shows a simple web page request in the application layer.
TCP/IP Transport Layer (4)
The services in the transport layer divide the data coming from the application
layer, reassemble it and combine it in the same data flow. It provides end-to-end
data transfer services and can establish a logical connection between the sender
and the destination in a network community.
TCP and UDP protocols work at the Transport layer. We can say that TCP is a
reliable service and UDP is an unreliable service; that is, application developers
have a choice between the two protocols when working with TCP/IP.
The transport layer is responsible for providing mechanisms for multiplexing
upper-layer applications, creating sessions, and closing virtual circuits. It also
hides the details of network-related information from the upper layers by
providing transparent data traffic.
The following sections describe the two protocols in this layer:
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
Port examples for TCP and UDP.
An Example for TCP and UDP
To help you understand how TCP works, we can use the example of a telephone
conversation. We know that before we can talk to someone on the phone, we must
first establish a connection with the person at the other end. This is similar to
a virtual circuit set up with the TCP protocol. If you're giving someone important
information during your conversation, they might say, "You know what?", or we may
ask, "You got that, right?" Saying such things is like the many TCP acknowledgments
designed to verify that the data was received. Sometimes (especially in a phone
call) people also ask, "Are you still there?" They end the call by saying "Bye" at
the end of their conversation. TCP has functions similar to all of these.
Using UDP is similar to sending a postcard. You don't need to first contact the
other party to do this. You simply write your message, specify the address on the
postcard, and mail it. This is similar to the connectionless orientation of UDP.
Since the message on the postcard is not a matter of life and death, you do not
need confirmation that it was received. Therefore, UDP does not require
acknowledgments.
TCP/IP Network Layer (3)
The network layer (known as layer 3) manages device addressing, monitors the
location of devices on the network, and determines the best path for data to be
transported. In other words, the Network layer is responsible for transferring
traffic between devices that are not locally connected to each other. Routers
(layer 3 devices) work at the Network layer and provide routing services in a
network community.
First, when a router receives a packet on an interface, it checks the destination
IP address and looks for a route to this address in the routing table. If there is
a route in the routing table for this address, it frames the packet and sends it
out the exit interface. If there is no entry in the routing table for the
destination address of the packet, the router drops the packet.
Two types of packets are used at the network layer: data packets and route update
packets.
Data packets: used to transfer user data across the network community. Protocols
used to support data traffic are referred to as routed protocols; IPv4 and IPv6 are
examples of routed protocols.
Route update packets: used to update neighboring routers about the networks
connected to all routers in the network community. Protocols that send route update
packets are called routing protocols; commonly used routing protocols are RIP,
RIPv2, EIGRP and OSPF. Route update packets are used to help create and maintain
routing tables on each router.
A simple IP routing example.
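The forwarding decision described above (check the destination address, look for a matching route, then either frame the packet out the exit interface or drop it) can be shown in a few lines of code. The following Python example is added here and is not from the training book: the routing table, prefixes, next hops and interface names are constructed for illustration. It goes one step beyond the text by applying the longest-prefix-match rule a router uses when more than one route covers the same destination, and it shows how a default route (0.0.0.0/0) changes the "no route, drop" outcome.

```python
import ipaddress

# Constructed routing table for the example (not taken from the book):
# (prefix, next hop or None when directly connected, exit interface).
ROUTING_TABLE = [
    ("10.1.1.0/24", None, "G0/0"),           # directly connected LAN
    ("10.1.2.0/24", None, "G0/1"),           # directly connected LAN towards the next router
    ("172.16.0.0/16", "10.1.2.2", "G0/1"),   # summary route learned from a routing protocol
    ("172.16.5.0/24", "10.1.2.3", "G0/1"),   # more specific route for one remote subnet
]


def build_table(entries):
    """Parse the textual prefixes once so that lookups can use ipaddress containment tests."""
    return [(ipaddress.ip_network(prefix), next_hop, iface) for prefix, next_hop, iface in entries]


def lookup(table, destination):
    """Return the best (prefix, next_hop, iface) for a destination, or None if no route covers it.

    When several routes match, the one with the longest prefix (the most specific) wins,
    which is the rule a router applies when it consults its routing table.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return best


def forward(table, destination):
    """Model the router's decision: frame the packet out the exit interface, or drop it."""
    route = lookup(table, destination)
    if route is None:
        # No entry in the routing table for this destination: the router drops the packet.
        return {"action": "drop", "reason": "no route to " + destination}
    prefix, next_hop, iface = route
    return {
        "action": "forward",
        "route": str(prefix),
        "next_hop": next_hop if next_hop else "directly connected",
        "interface": iface,
    }


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for dst in ("10.1.1.7", "172.16.5.9", "172.16.9.9", "192.168.1.1"):
        print(dst, forward(table, dst))
```

With the table above, 172.16.5.9 is sent via 10.1.2.3 (the /24 beats the /16), 172.16.9.9 follows the /16 summary, and 192.168.1.1 is dropped because nothing covers it; appending a 0.0.0.0/0 entry turns that drop into a forward.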
TCP/IP Data Link Layer (2)
The data link layer provides the physical transfer of data. It also handles
functions such as error reporting, network topology, and flow control. The Data
Link layer is responsible for transporting packets to a device using its hardware
address in the network and for converting messages from the Network layer into
bits for the Physical layer.
In the Data Link layer, users use MAC addresses to send packets to other devices on
the local network and to transfer packets between routers.
TCP/IP Physical Layer (1)
Finally, when we come to the bottom layer, the Physical layer has two tasks: it
sends and receives bits. Bits come and go as values of 1 and 0, much like a
numeric Morse code.
Step 1: Larry creates an Ethernet frame by encapsulating the IP packet between an
Ethernet header and an Ethernet trailer.
Step 2: Larry physically transmits these Ethernet frame bits using electricity
flowing over Ethernet cables.
Step 3: R1 physically receives the electrical signal over a wire and interprets the
meaning of the electrical signals, recreating the same bits.
Step 4: R1 removes the Ethernet header and trailer and separates the IP packet from
the Ethernet frame.
Example of sending an IP packet by adding an Ethernet header and trailer at Layer 2.
Data Encapsulation
As you can understand from what we have explained about how all the layers do
their jobs, when sending data, each layer adds its own header information to the
data provided by the layer above it; we refer to this as the Data Encapsulation
process.
In TCP/IP, hosts send data as a five-step process. The first four steps relate to
encapsulation by the TCP/IP layers; the final step is the physical transmission of
the data by the host.
Step 1 Create and encapsulate application data with the required application layer
headers. For example, the HTTP OK message might be returned in an HTTP header
followed by some of the content of a web page.
Step 2 Encapsulate the data provided by the application layer in a transport layer
header. A TCP or UDP header is often used for end-user applications.
Step 3 Encapsulate the data provided by the transport layer in a network layer (IP)
header. IP defines IP addresses that uniquely identify each computer.
Step 4 Encapsulate the data provided by the network layer in a data link layer
header and trailer. This layer uses both a header and a trailer.
Step 5 Transmit the bits. The physical layer encodes a signal onto the medium to
transmit the frame.
The figure shows Data Encapsulation in TCP/IP in 5 steps.
I OSI Reference Model
OSI Reference Model
One of the best functions of the OSI rules is that they help transfer data between
completely different user machines. For example, they allow us to transfer data
between a Unix host, a PC or a Mac.
However, OSI is not a physical model. Rather, it is a set of rules that application
developers can use to build and complete applications running on a network. It also
provides a framework for creating and completing networking standards, devices, and
inter-network communication plans. OSI has seven layers, divided into two groups.
The top three layers describe how applications on end stations communicate with
each other and with users. The bottom four layers describe how to transfer data
from end to end.
The Application layer is responsible for communication between the applications on
the computers and for the user interfaces; like the other upper layers, it lives on
the user machines.
None of the upper layers (layers 7-6-5) know anything about network setup and
network addresses, and the same is true in TCP/IP. These are the responsibility of
the lower four layers.
When we look at the figure below, you can see the operation of the four lower
layers, which explains how data is transferred with the help of switches and
routers or over a physical cable. These lower layers also determine how a data
stream from the source host is regenerated in the destination host's application.
OSI Reference Model Layers 4-3-2-1
OSI Reference Model vs. TCP/IP Model
OSI Reference Model Layers
Ethernet Fundamentals
I Overview of LANs
I SOHO and Enterprise LANs
I Ethernet Standards in Layer 1
I Ethernet Cabling
I Copper Cable Types
I Fiber Cable Types
I Sending Data on Ethernet
I Ethernet Addressing
I Half and Full Duplex Ethernet
I Ethernet Fundamentals
Overview of LANs
Simple SOHO LANs
Small Office / Home Office (SOHO) networks require a device called a switch, which
provides physical ports to which many cables can be connected. The switch uses
Ethernet cables to connect different Ethernet devices or other switches to one of
its Ethernet ports.
The figure on the left shows a single switch and its connected devices: three PCs,
a printer, and a router. (The router connects the LAN to the WAN, in this case the
Internet.)
A simple SOHO LAN
Simple Enterprise LANs
Corporate networks have similar aspects to a SOHO network. For example, corporate
networks start from a LAN switch in a cable closet behind a locked door on each
floor of a building. Electricians install Ethernet cables from this cable closet
into cubicles and conference rooms where devices may need to be connected to the
LAN. At the same time, most businesses support wireless LANs in the same area,
allowing people to move around and still work, and supporting an increasing number
of devices without Ethernet LAN interfaces.
A simple Enterprise LAN
Ethernet Standards at the Physical Layer
Ethernet was first standardized by a group known as DIX (Digital, Intel and Xerox).
This group then handed the work to the IEEE to create the first Ethernet standard.
The first Ethernet standard, 802.3, was a 10 Mbps standard running on coaxial cable
and later on twisted-pair and fiber media.
Later, in parallel with developing technologies, the following new IEEE Ethernet
standards were created.
Example of sending data between different Ethernet standards.
Although Ethernet includes many physical layer standards, Ethernet acts as a single
LAN technology because it uses the same data link layer standard over all types of
Ethernet physical links. This standard defines a common Ethernet header. Regardless
of whether data flows over a UTP cable or any fiber cable, the data link layer uses
the same Ethernet frame format.
Ethernet Types
While the physical layer standards focus on sending bits over a cable, Ethernet's
data link layer focuses on sending the frame.
The IEEE Ethernet 802.3 standards that we use frequently today are:
1000BaseT (IEEE 802.3ab): Category 5-6-7, up to 100 meters, four-pair UTP cabling.
1000BaseSX (IEEE 802.3z): MMF using 62.5 and 50-micron cores; it uses an 850
nanometer laser and can reach up to 220 meters with 62.5-micron and 550 meters with
50-micron fiber.
1000BaseLX: 9-micron core, single-mode fiber that uses a 1300 nanometer laser and
can travel from 3 km to 10 km.
Example of 10 Mbps and 100 Mbps straight-through cable pinout.
Ethernet Cabling
Ethernet cabling is an important topic, especially if you plan to take Cisco exams.
There are three types of Ethernet cables:
- Straight-through cable
- Crossover cable
- Rollover cable
Straight-Through Cable
The straight-through cable is used to connect:
- Host to switch or hub
- Router to switch or hub
Crossover Cable
The crossover cable is used to connect:
- Switch to switch
- Hub to hub
- Host to host
- Hub to switch
Example of 10 Mbps and 100 Mbps crossover cable pinout.
Note: Normally, switches are connected to each other with a crossover cable, but in
the field straight-through cables are generally used; thanks to the auto-MDIX
feature in the switches, we can connect them with a straight-through cable without
any problems.
Copper Cable Types
The cable is one of the most important components in horizontal cabling in terms of
the performance of the entire connection, both in terms of product quality and
convenience of installation. Cable installation errors will seriously compromise
installation performance.
For structured cabling systems, standard Cat 5e, 6 and 6A (100 MHz, 250 MHz and
500 MHz, respectively) require the use of twisted symmetrical 4-pair cables with
100 Ω impedance.
The cable can be one of the following types:
✓ Unshielded U/UTP (Unshielded Twisted Pairs)
✓ Shielded F/UTP (Foiled Twisted Pairs)
✓ Dual screen SF/UTP or S/FTP
NOTE: Category 7 has not been widely used to date, despite being standardized and
offering high levels of performance. Its form factor is used where there are
installation difficulties, for cost reasons.
Data transmission cables consist of four pairs arranged in a sheath according to a
certain arrangement necessary to reduce power loss and crosstalk problems. This
arrangement consists of separately twisting pairs of conductors. These pairs are
identified by standard colors. Each of the pairs has a different twist length and
is twisted differently from the others inside the outer sheath. The conductor size
allowed by the standards is between 22 and 26 AWG; 23 AWG is the most commonly used
in any case.
Cable Examples
Cat 5e U/UTP
Cat 6 U/UTP
Cat 6 F/UTP
Cat 6 U/FTP
Cat 6 F/FTP
Cat 6A S/FTP
Cat5 and Cat6 Cable Examples.
UTP Cable 1000BaseT (IEEE 802.3ab) Pinouts
Category 5-6-7, up to 100 meters, four-pair UTP cabling.
1000BASE-T (Gigabit Ethernet) differs from 10BASE-T and 100BASE-T in cable and
pinouts. Four wire pairs are required for 1000BASE-T, and the pins must match.
Example of 1000 Mbps straight-through and crossover cable pinout.
Multi Mode Fiber Cable
Multi-mode fiber (MM) is a type of fiber optic cable used over short distances, for
example inside a building or campus. Multi-mode fiber optic cable has a 50 or 62.5
micron core that allows multiple light modes to be emitted. Therefore, more data
can pass through the multi-mode fiber core at any given time. The maximum
transmission distance for MM cable is around 550 m at 10 Gbit/s; it goes to 2 km at
100 Mb/s, and it can go further at lower data rates. Multi-mode fiber optic cables
defined by the ISO 11801 standard can be classified as OM1, OM2, OM3, OM4 and OM5
fiber.
Multi Mode Fiber Cable Example.
MM OM1 Fiber
OM1 cables come with an orange sheath. It has a core size of 62.5 µm. It can
support 10 Gigabit Ethernet up to 33 meters. It is mostly used for 100 Megabit
Ethernet applications. OM1 usually uses an LED light source.
MM OM2 Fiber
OM2 comes with an orange casing similar to OM1 and uses an LED light source, but
with a smaller core size of 50 µm. This supports 10 Gigabit Ethernet up to 82
meters, but is more commonly used for 1 Gigabit Ethernet applications.
MM OM3 Fiber
OM3 fiber comes in aqua or turquoise. Like OM2, the core size is 50 µm, but the
cable is optimized for laser-based equipment. OM3 supports 10 Gigabit Ethernet up
to 300 meters. Also, OM3 can support 40 Gigabit and 100 Gigabit Ethernet up to 100
meters; it is commonly used for 1 and 10 Gigabit Ethernet.
MM OM4 Fiber
OM4, on the other hand, is fully backward compatible with OM3 fiber and uses the
same aqua outer sheath. OM4 is specially developed for VCSEL laser transmission. It
can carry a 10 Gbit/s link up to 550 m, and it can run 40/100 Gbit/s up to 150
meters using an MPO connector.
MM OM5 Fiber
OM5 fiber, also known as WBMMF (wideband multimode fiber), is the newest type of
multimode fiber and is backward compatible with OM4. OM5 has the same core size as
OM3 and OM4. The color of the OM5 fiber sheath was chosen as lime green. It is
designed and specified to support at least four WDM channels at a rate of at least
28 Gbps per channel through the 850-953 nm window.
Multi Mode Fiber Cable Types History Chart
Single Mode Fiber Cable
In fiber optic technology, single mode fiber (SM) or mono mode fiber is an optical
fiber designed to propagate a single mode of light as a carrier. Generally, single
mode cable has a narrow core diameter of 8 to 10 µm (micrometers), which can carry
light at wavelengths of 810 nm and 1550 nm. The small single-mode fiber core size
virtually eliminates any distortion from overlapping light pulses. Therefore, single
mode fiber optic cable provides the least signal attenuation and the highest
transmission rates. For these reasons, single mode optical fiber is the best choice
for long-distance data transmission.
SMF fiber types can be categorized as OS1 and OS2. OS1 and OS2 are standard single
mode optical cables used at 1310 nm and 1550 nm wavelengths with a maximum
attenuation of 1 dB/km and 0.4 dB/km respectively.
OS1 fiber is a tightly buffered cable designed for use in indoor applications (such
as campuses or data centers) where the maximum distance is 10 km. OS2 fiber is a
loose-tube cable designed for use where the maximum distance is up to 200 km (such
as street, underground and direct-buried installations). Both OS1 and OS2 fiber
optic cable allow 10G Ethernet. In addition, OS2 fiber can support 40G and 100G
Ethernet.
Single Mode Advantages
✓ Longer transmission distance
✓ Larger bandwidth capacity
✓ Increased transmission speed
✓ Limited data dispersion and external noise
✓ Low signal attenuation
Single Mode Fiber Cable Core
Sending Data on Ethernet
Ethernet Frames
The Data Link layer is responsible for combining bits into bytes and bytes into
frames. Frames are used at the Data Link layer to encapsulate packets from the
Network layer for transmission over a particular media access type.
The function of Ethernet ports is to pass data frames between nodes using a set of
bits known as the MAC frame format. This provides error detection with a CRC
(cyclic redundancy check). But remember that this is error detection, not error
correction.
Ethernet Frame Format
Preamble: the alternating 1,0 pattern provides a 5 MHz clock at the start of each
packet. This allows the receiving devices to lock onto the incoming bit stream.
Start Frame Delimiter (SFD)/Synch: SFD is 10101011, where the final pair of 1s
breaks the 1,0 pattern; the receiver keeps its sync state and so can determine
where the data starts.
Destination Address (DA): DA is used by the receiving devices to detect whether an
incoming frame is addressed to a particular node. The destination address can be an
individual address or a broadcast or multicast MAC address.
Source Address (SA): SA is a 48-bit MAC address used to identify the transmitting
device. Broadcast and multicast address formats are invalid in the SA field.
Length or Type: 802.3 uses a Length field, but the Ethernet frame uses a Type field
to identify the Network layer protocol. 802.3 cannot recognize upper-layer
protocols and must be used with a proprietary LAN (such as IPX).
Data: this is the packet sent from the Network layer to the Data Link layer. Its
size can vary from 46 to 1,500 bytes.
Frame Check Sequence (FCS): FCS is a field at the end of the frame used to store
the CRC.
Ethernet Addressing
Ethernet addressing uses the Media Access Control (MAC) address printed on the
network interface card (NIC). A MAC or hardware address is a 48-bit (6-byte)
address written in hexadecimal format.
Below is the 48-bit MAC address and how the bits are split.
Unicast Ethernet Address Format
The Organizationally Unique Identifier (OUI) is assigned to an organization by the
IEEE. It consists of 24 bits or 3 bytes. The organization, in turn, assigns a
(24-bit or 3-byte) address that is unique (by default, though not guaranteed) on
each NIC it produces.
Sending data in a Full Duplex Ethernet LAN
1. PC1 creates and sends the original Ethernet frame using its MAC address as the
source address and PC2's MAC address as the destination address.
2. SW1 receives the Ethernet frame and transmits it from its G0/1 interface to SW2.
3. Switch SW2 receives the Ethernet frame and transmits it from its F0/2 interface
to PC2.
4. PC2 sees that it is the destination MAC address, receives the frame and
processes it.
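The frame fields described under Ethernet Frame Format and the address rules above (unicast, multicast and broadcast destinations, a source that must be unicast, the OUI/vendor split, and the FCS that detects but does not correct errors) can all be checked by a small parser. The Python example below is added here and is not from the training book; the sample frame, its MAC addresses (locally administered 02:aa:bb:... values) and its dummy payload are constructed inline, and `is_for_me` is a simplified model of step 4 above, where PC2 recognises its own address (a real NIC also filters multicast groups it has not joined, which is omitted here).

```python
import struct
import zlib

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_address(raw: bytes) -> str:
    """Broadcast is all ones; otherwise the I/G bit (lowest bit of the first byte) marks multicast."""
    if raw == b"\xff" * 6:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"


def split_oui(raw: bytes) -> tuple:
    """First 3 bytes: the IEEE-assigned OUI. Last 3 bytes: the value the vendor assigns per NIC."""
    return format_mac(raw[:3]), format_mac(raw[3:])


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into its fields and verify the FCS (CRC-32 over header + data)."""
    if len(frame) < 64:
        raise ValueError("runt frame: the minimum Ethernet frame is 64 bytes including the FCS")
    dst, src, type_or_length = struct.unpack("!6s6sH", frame[:14])
    data, fcs = frame[14:-4], frame[-4:]
    expected_fcs = struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    if type_or_length >= 0x0600:
        # 1536 and above: an Ethernet II Type that names the Network layer protocol.
        framing = "Ethernet II"
        protocol = ETHERTYPE_NAMES.get(type_or_length, hex(type_or_length))
        data_length = len(data)
    else:
        # Below 1536: an IEEE 802.3 Length field; the upper-layer protocol is not identified.
        framing, protocol, data_length = "IEEE 802.3", None, type_or_length
    return {
        "destination": format_mac(dst),
        "destination_kind": classify_address(dst),
        "source": format_mac(src),
        "source_valid": classify_address(src) == "unicast",  # SA may never be broadcast/multicast
        "source_oui": split_oui(src)[0],
        "framing": framing,
        "protocol": protocol,
        "data_length": data_length,
        "fcs_ok": fcs == expected_fcs,  # detection only: a bad FCS means discard, not repair
    }


def is_for_me(frame: bytes, my_mac: str) -> bool:
    """Simplified receiver check: accept frames with a good FCS that are addressed to my unicast
    address, to broadcast, or to a multicast group (group filtering omitted here)."""
    info = parse_frame(frame)
    return info["fcs_ok"] and (info["destination"] == my_mac.lower() or info["destination_kind"] != "unicast")


def build_sample_frame(dst: str, src: str, type_or_length: int, data: bytes) -> bytes:
    """Construct a test frame (not a capture): header + data padded to 46 bytes + correct FCS."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    body = header + struct.pack("!H", type_or_length) + data.ljust(46, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


# Constructed frame: PC1 (02:aa:bb:00:00:02) -> PC2 (02:aa:bb:00:00:01), IPv4 type, dummy data bytes.
SAMPLE_FRAME = build_sample_frame("02:aa:bb:00:00:01", "02:aa:bb:00:00:02", 0x0800, bytes(range(46)))

if __name__ == "__main__":
    for key, value in parse_frame(SAMPLE_FRAME).items():
        print(f"{key:17s} {value}")
    print("accepted by PC2:", is_for_me(SAMPLE_FRAME, "02:aa:bb:00:00:01"))
```

Flipping any byte of the sample frame makes `fcs_ok` false, which is exactly the "detection, not correction" behaviour of the FCS; the same parser also separates an Ethernet II frame (Type 0x0800) from an 802.3 frame whose third field is a Length of 46.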
Half and Full Duplex Ethernet
When IEEE first introduced 10BASE-T in 1990, switches didn't exist yet; instead,
devices called hubs were used. Like a switch, the hub used ports with RJ-45
connectors to interconnect PCs; however, hubs used different rules to transmit
data.
Collision occurs due to the working logic of the hub
Hubs transmit data using physical layer standards rather than data link standards
and are therefore considered Layer 1 devices. When a hub receives an electrical
signal, the hub sends that electrical signal to all other ports (except the inbound
port). Thus, the data reaches all other hosts connected to the hub.
The disadvantage of using hubs is that if two or more devices transmit a signal at
the same time, the electrical signals will collide and become corrupted. The hub
repeats all received electrical signals, even if it receives multiple signals at
the same time. For example, the figure shows PCs Archie and Bob sending an
electrical signal simultaneously (in Steps 1A and 1B) and the hub repeating both
electrical signals to Larry on the left (Step 2).
If you replace the hub with a switch in the figure above, the switch avoids the
collision on the left. The switch operates as a Layer 2 device, meaning it looks at
the data link header and frames. A switch looks up MAC addresses, and even if the
switch has to forward both frames to Larry on the left, the switch sends the first
frame and queues the other until the first one is finished.
Example of Half and Full Duplex Ethernet working together in a simple LAN.
I Wide Area Network (WAN)
WAN and IP Routing
Fundamentals
I Leased-Line WANs
I Using Ethernet in WAN
I IP Routing
I How to Use IP Routing in Layer 3
I Layer 3 Other Features
I DNS, ARP, Ping
I WAN Fundamentals
Wide Area Network (WAN)
Leased-Line WANs
Cisco IOS supports many different wide area network (WAN) protocols to
help you extend your local networks to other remote networks. Doing
your own structured cabling between different regions and trying to
connect all remote locations of your company using your own
infrastructure may not be cost effective or possible. A much better
solution is to lease existing infrastructure that service providers already
have.
To connect your local networks to the local networks in your remote offices
using a WAN, you use a router with a WAN connection for each local
network. First, you get the WAN connection suitable for your business
from an ISP (Internet Service Provider) and start using it.
Routers connect to both the WAN and the LAN as shown in the figure below.
Note that a curved line between routers is a common way to represent a
leased line when the drawing need not show any physical details
of the line.
In this section, we will continue by talking about the different connection
types, technologies and devices commonly used in WANs. In this
chapter, I will talk about High-Level Data Link Control (HDLC), Point-to-Point
Protocol (PPP) and leased-line WAN connections. Other WAN services such as
Metro Ethernet, DSL, MPLS and VPN will also be covered in Chapter 13 on WAN
Architecture.
Example of Leased-Line on a simple Enterprise network.
The leased-line service receives and sends bits in both directions at a
predetermined rate using full duplex logic. In fact, it logically behaves as
if you had a bidirectional crossover full duplex Ethernet connection
between the two routers, as shown in the figure. A leased line uses two pairs of
wires to send data, allowing bidirectional operation.
Logical View of Leased-Line Service
Leased lines provide a Layer 1 service. In other words, the line receives and sends
bits between the devices connected to it. However, the leased line
itself does not define a data link layer protocol to be used on the line.
HDLC Data-Link Details of Leased-Lines
Since leased lines define only a Layer 1 transmission service, many
companies and standards organizations have created data link
protocols to control and use leased lines. Today, the two most popular
data-link layer protocols used for leased lines between two routers are
High-Level Data Link Control (HDLC) and Point-to-Point Protocol
(PPP).
All data-link protocols follow a similar path to control the correct
delivery of data over a physical link of a certain type. For example,
the Ethernet data-link protocol uses a destination address field to
identify the correct device that should receive the data, and an FCS field
in the Ethernet frame to check that the receiving device received the
data correctly. HDLC provides similar functionality.
Note: The default data link protocol of leased lines is HDLC.
How Routers Use the WAN Data Link
Leased lines connect to routers, and routers focus on delivering packets to
the target computer. However, because routers are physically connected to both
LANs and WANs, the router needs to send this data inside frames.
First, the TCP/IP network layer focuses on forwarding IP packets from the
source device to the destination device. Basically, LANs and WANs act as
a way to carry packets to the next router or end-user device. The figure
shows the point of view of the Network Layer.
IP Routing Logic over LANs and WANs
General Concept of Routers De-encapsulating and Re-encapsulating IP packets
Using Ethernet on WAN
When Ethernet first came out, it was only suitable for LANs. Due to the
limitations in cable lengths and devices, we were only able to set up a LAN that
extended up to a kilometer or two.
As time went on, the IEEE improved its Ethernet standards, making it a
good WAN technology. For example, the 1000BASE-LX standard uses
single-mode fiber cable that supports a cable length of 5 km, and the
1000BASE-ZX standard supports a cable length of 70 km. As the IEEE
improved the cabling distances for fiber Ethernet
connections, Ethernet became a good WAN technology.
Many WAN service providers (SPs) today offer WAN services that
leverage Ethernet. SPs offer various Ethernet WAN services to their
customers.
Example of a fiber Ethernet connection from a CPE router to the service provider's WAN.
I IP Routing Fundamentals
IP Routing
Internet Protocol (IP)
Internet Protocol (IP) is essentially the Network layer. The other protocols
found here exist just to support it. IP has the big picture: it can be said
to see them all, and it is aware of all interconnected networks. IP looks at
the address of each packet. It then chooses the best route using a routing
table and decides where to send the packet.
Network Layer Routing (Forwarding) Logic
Routers and end-user computers (called hosts in a TCP/IP network) work
together to perform IP routing. The host operating system (OS) has TCP/
IP software, including software that implements the network layer. This
software chooses where to send IP packets, usually to a nearby
router. The routers then choose where to send the IP packet next. Together, the
hosts and routers deliver the IP packet to the correct destination, as shown in
the example in the figure.
CPE PC-1 to PC-2 Routing Logic
How Does IP Routing Work in Layer 3 (Network Layer)?
Although the network layer routing logic ignores the physical
transmission details, the bits still need to be transmitted. To do this,
the network layer logic in a host or router must hand the packet to the Data
Link layer protocols, which in turn ask the physical layer to actually
send the data. Before sending the frames over each physical network, the
Data Link layer creates a frame and adds the appropriate header and
trailer to the packet.
The following list summarizes how a router forwards a packet
from one router to the next at the network layer, for each packet,
starting with the incoming frame:
Step 1: To ensure that there is no error in the frame, the data link layer
uses the Frame Check Sequence (FCS) field and
discards the frame if an error is found.
Step 2: Assuming the frame was not discarded in Step 1, discard the old
data link header and trailer, leaving the IP packet.
Step 3: Compare the destination IP address in the IP packet with the
routing table and find the most suitable route to the destination
address. This route lists the next router's IP address and the router's
outgoing interface.
Step 4: Encapsulate the IP packet in a new data-link header and trailer
suitable for the outgoing interface and transmit the frame.
CPE PC-1 to PC-2 Routing Logic
In the figure, we will look at what stages the packet sent from PC-1 to PC-2 goes
through in the Network Layer and Data Link Layer.
Network Layer and Data-Link Layer Encapsulation
Step A: The network layer of PC1 adds PC2's IP address (150.150.4.10) as the
destination. Because this IP address is not on the local subnet, PC1 must send the
packet to its default router. PC1 encapsulates the IP packet in an Ethernet data
link frame addressed to R1 and sends the frame onto the Ethernet.
Step B: R1 checks the FCS of the incoming Ethernet frame for errors,
and if there is no error, it discards the Ethernet header and trailer information.
Next, R1 compares the destination address of the packet (150.150.4.10) with
the routing table and finds the outbound route to subnet 150.150.4.0. R1
forwards the packet from the interface (Serial0) to R2 (150.150.2.7) on this
matching route; to do so, R1 first encapsulates the IP packet in an HDLC
frame and sends it.
Step C: When R2 receives the HDLC frame, it repeats the same process as R1. R2
checks the FCS field and detects no errors, and then discards the HDLC header
and trailer information. Then R2 compares the destination address of the
packet (150.150.4.10) with the routing table and finds the route to subnet
150.150.4.0 and sends the packet from Fast Ethernet 0/0 to 150.150.3.1. R2
re-encapsulates the packet that arrived from R1 in HDLC into an Ethernet frame
before sending it.
Step D: Like R1 and R2, R3 checks the FCS, discards the old data-link header and
trailer information, and looks in its own routing table for the 150.150.4.0 subnet;
but because R3 is directly connected to the 150.150.4.0 subnet, there is no next
router. All R3 has to do is encapsulate the packet in a new Ethernet frame with PC2's
MAC address as the destination Ethernet address.
Note: At the bottom of the figure, R3 will use ARP once to learn PC2's MAC address before
sending any packets to PC2.
IP Header
The routing process uses the IPv4 header as shown in the figure below. The
32-bit source IP address and 32-bit destination IP address are listed in
the header.
Of course, there are more information fields in the header, but we will cover
only as much as the CCNA training covers. For now we will focus on the source
and destination IP fields. Note that in the examples in this section, the IP
header information remains unchanged by the IP routing process, while
routers remove and add data-link headers each time they forward a
packet.
IP Header is 20 Bytes in total
Ethernet Frame Format
Layer 3 (Network Layer) Other Features
TCP/IP defines many functions in the Network Layer beyond IP. Of course, IP
plays a huge role in networking today by defining IP addressing and IP
routing. However, other standards and protocols defined in RFCs are also very
important at the network layer. In the last part of this section, I will talk
about 3 network layer features that will help you a lot in the future.
✓ Domain Name System (DNS)
✓ Address Resolution Protocol (ARP)
✓ Internet Control Message Protocol (ICMP)
Domain Name System (DNS)
Domain Name Service (DNS) resolves computer names, especially internet
names such as www.routersim.com. You don't have to use DNS; you can just
type the IP address of the device you want to connect to. An IP address identifies
user machines on both the network and the internet. However, DNS is designed
to make our lives easier.
Consider: What if you wanted to move your web page to another service
provider? Your IP address would change and no one would know your new IP.
DNS lets you use a domain name to refer to an IP address. You can change
your IP address as often as you want, and no one will notice the change.
DNS is used to resolve an FQDN (fully qualified domain name) such as
www.yavuzbulut.com or ccna.yavuzbulut.com. An FQDN is a hierarchical name that
logically locates a system within the domain-name hierarchy.
A simple DNS Request
Address Resolution Protocol (ARP)
Address Resolution Protocol (ARP) finds the hardware address of a
machine from a known IP address. When IP has a datagram to send, it
has to provide the hardware address of the destination on the local
network to a Network layer protocol such as Ethernet or Token Ring (the
destination's IP address is already known from the upper-layer protocols).
If IP cannot find the hardware address of the target machine in the
ARP cache, it will use ARP to find this information.
Like the detective of IP, ARP queries the local network by sending a
broadcast requesting the hardware address of the machine with a
specific IP address. Essentially, ARP translates the software (IP)
address into a hardware address (for example, the Ethernet board address
of the target machine) and from that infers its location on the LAN by
sending a broadcast for the address. Figure 3-11 shows how ARP looks at
the local network.
A simple ARP Query
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP) runs at the Network layer and is
used by IP for many different services. ICMP is a management protocol and
messaging service provider for IP. Its messages are carried as IP datagrams. RFC
1256 is an addition to ICMP that provides expanded host capability for
routing gateways.
ICMP packets have the following features:
- They provide user machines with information about network problems.
- They are encapsulated in IP datagrams.
The following are some common ICMP-related events and messages:
Destination Unreachable: If a router can no longer forward an IP packet, it uses
ICMP to send a message to the sender stating this. For example, let's take
a look at Figure 3-12, which shows that the Lab_B router's E0 interface is
down. When HostA sends a packet destined for HostB, the Lab_B router will
send an ICMP destination unreachable message to the sending device (HostA
in this example).
Buffer Full: If the router's buffer for incoming packets is full, it will use
ICMP to send this message until the congestion is cleared.
Hops: Each IP packet is allowed to pass through a certain number of routers, known
as hops. If it reaches the hop limit before it reaches its destination, the last
router that received this packet discards it. Next, this executioner router uses ICMP
to send an obituary message. It notifies the sending machine that the packet
is dead.
Ping: Packet Internet Groper (Ping) uses ICMP echo request and echo reply
messages to check the physical and logical connectivity of machines in a
network community.
Traceroute: Using ICMP time-outs, Traceroute is used to find the path a packet
travels through the network community.
A Simple ICMP Example
Note: Both the Ping and Traceroute command (also used as Trace; Microsoft Windows uses tracert)
allow you to verify your address settings in your network community.
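The four forwarding steps (FCS check, de-encapsulation, routing-table lookup, re-encapsulation), the Step A to Step D walk from PC1 to PC2, the 20-byte IP header, and the ICMP hop-limit and destination-unreachable behaviour above all fit in one small simulation. This is an added example written for these sections, not code from the book. It uses the book's addresses (150.150.4.10, next hops 150.150.2.7 and 150.150.3.1, R1's Serial0 and R2's Fast Ethernet 0/0); the /24 prefix lengths, R3's LAN interface name and PC1's address 150.150.1.10 are assumptions, and the data-link header/trailer is reduced to a link type plus a CRC. One caveat the code makes visible: the IP header is not left entirely untouched by routers, because every hop decrements the TTL and recomputes the header checksum; that TTL count-down is what produces the ICMP Time Exceeded "obituary" and what traceroute relies on.

```python
import ipaddress
import struct
import zlib


def ipv4_checksum(header: bytes) -> int:
    """Internet checksum: one's-complement sum of the 16-bit words of the header,
    computed with the checksum field itself set to zero."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int = 1) -> bytes:
    """A 20-byte IPv4 header without options; source sits at bytes 12-15 and
    destination at bytes 16-19. No payload is attached in this demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def frame(link: str, packet: bytes) -> dict:
    """Data-link encapsulation reduced to a link type (the header) and an FCS (the trailer)."""
    return {"link": link, "packet": packet, "fcs": zlib.crc32(packet)}


class Router:
    def __init__(self, name: str, routes):
        # routes: (network, next hop or None if directly connected, out interface, link type)
        self.name = name
        self.routes = [(ipaddress.ip_network(n), nh, iface, link) for n, nh, iface, link in routes]

    def lookup(self, dst: str):
        """Routing-table lookup: among the matching entries the longest prefix wins."""
        matches = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def forward(self, f: dict, log: list):
        # Step 1: check the FCS; a corrupted frame is discarded.
        if zlib.crc32(f["packet"]) != f["fcs"]:
            log.append(f"{self.name}: FCS error, frame discarded")
            return None
        # Step 2: strip the data-link header/trailer; what remains is the IP packet.
        pkt = bytearray(f["packet"])
        src = str(ipaddress.ip_address(bytes(pkt[12:16])))
        dst = str(ipaddress.ip_address(bytes(pkt[16:20])))
        # Hop limit: TTL drops by one per router; at zero the packet dies and the
        # router answers the sender with ICMP Time Exceeded. ICMP outcomes are
        # represented here as tuples rather than real ICMP messages.
        pkt[8] -= 1
        if pkt[8] == 0:
            log.append(f"{self.name}: TTL expired, ICMP Time Exceeded sent to {src}")
            return ("icmp", "time-exceeded", self.name)
        pkt[10:12] = b"\x00\x00"
        pkt[10:12] = struct.pack("!H", ipv4_checksum(bytes(pkt)))
        # Step 3: match the destination against the routing table.
        route = self.lookup(dst)
        if route is None:
            log.append(f"{self.name}: no route to {dst}, ICMP Destination Unreachable sent to {src}")
            return ("icmp", "dest-unreachable", self.name)
        net, next_hop, iface, link = route
        # Step 4: re-encapsulate for the outgoing interface and transmit.
        log.append(f"{self.name}: {dst} matches {net}, out {iface} ({link}) "
                   f"to {next_hop or 'the directly connected host'}")
        return frame(link, bytes(pkt))


# The book's R1 -> R2 -> R3 -> PC2 path; prefix lengths and R3's interface are assumed.
R1 = Router("R1", [("150.150.4.0/24", "150.150.2.7", "Serial0", "hdlc")])
R2 = Router("R2", [("150.150.4.0/24", "150.150.3.1", "FastEthernet0/0", "ethernet")])
R3 = Router("R3", [("150.150.4.0/24", None, "FastEthernet0/0", "ethernet")])
PATH = [R1, R2, R3]


def send(src: str, dst: str, ttl: int):
    """Push one packet hop by hop; return ('delivered', last link type) or the ICMP outcome."""
    log = []
    f = frame("ethernet", build_ipv4(src, dst, ttl))   # PC1 -> R1 over Ethernet
    for router in PATH:
        f = router.forward(f, log)
        if f is None or isinstance(f, tuple):
            return f, log
    return ("delivered", f["link"]), log


def traceroute(src: str, dst: str, max_hops: int = 8) -> list:
    """Probe with TTL 1, 2, 3, ... and record which router answered Time Exceeded."""
    hops = []
    for ttl in range(1, max_hops + 1):
        result, _ = send(src, dst, ttl)
        if result and result[:2] == ("icmp", "time-exceeded"):
            hops.append(result[2])
        else:
            break
    return hops


if __name__ == "__main__":
    _, trace = send("150.150.1.10", "150.150.4.10", 64)
    print("\n".join(trace))
    print("traceroute:", traceroute("150.150.1.10", "150.150.4.10"))
```

Running the module prints one log line per router for the delivered packet and then the hop list R1, R2, R3 that the TTL probes reveal, which is exactly the information a real traceroute prints, minus the timings.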
Chapter-3
Switch Applications in
Network
04 - Using Command-Line Interface
05 - Switches Overview
06 - Basic Switch Configuration
07 - Configuring Switch Interfaces
I Accessing Cisco Switch with CLI
I Connecting to Cisco Switch
Using CLI
I Connecting to Console with Cable
I Connecting with Telnet
I Connecting via SSH
I Reviewing Router Modes
I Cisco IOS Configuration
I Using the Command-Line Interface
Accessing Cisco Switch with CLI
IOS User Interface
The Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and many
switches. In case you didn't know, a kernel is the essential core part of an operating system,
providing administrative capabilities and resources such as low-level hardware interfaces
and security.
Connecting to Cisco Switch
You can connect to a Cisco switch to configure it, verify the configuration, and check
statistics. There are different ways to do this, but the most common is to first
connect to it via the console port. The console port is an RJ-45 (8-pin modular)
connection, which is usually located on the back of the switch; on new models, it is on the
front. Newer models also have a mini-USB B console port. By default, a password
may or may not be set. By default it uses Cisco as username and password.
Figure 4-1 CLI Connection Options
The second way to connect to a Cisco switch is with the Telnet program over the
network. Telnet is a terminal emulation program that acts as a dumb terminal.
Another way to connect is via SSH, which is the most secure way to
connect to devices over the network.
Figure 4-2 USB or Serial Console Cable Connection Options
Connecting to Console with Cable
Figure 4-3 shows the Cisco 2960-XR Switch Console Port Inputs.
The switch console port settings must be configured to match the computer's
serial port settings. The default console port settings on a switch are as
follows.
✓ 9600 bits/second
✓ No hardware flow control
✓ 8-bit ASCII
✓ No parity bits
✓ 1 stop bit
Figure 4-4 Terminal settings for console access.
As a terminal program, you can use programs such as PuTTY or SecureCRT,
which are the simplest way. With these programs, you can make serial, Telnet and
SSH connections.
Connecting with Telnet
Telnet, part of the TCP/IP protocol stack, is a virtual terminal that allows you
to connect to remote devices to gather information and run programs.
After your routers and switches are configured, you can use the Telnet
program to reconfigure and/or control your switches and routers without
using a console cable. For Telnet to work, you need to have VTY passwords on
the switches and routers.
line vty 0 ?
line vty 0 4
password telnet
login
Connecting via SSH
Instead of Telnet, you can use Secure Shell. SSH creates a more secure
session than Telnet applications that use unencrypted data streams. Secure
Shell (SSH) uses encrypted keys to send data so your username and
password are not sent in the clear.
Reviewing Switch Modes
For configuration from the CLI, you can make general changes to the switch
by typing configure terminal (or config t for short). This will take you to
the global configuration mode and change the settings known as the running-
config. A global command (run from global config) is set only
once and affects the entire switch.
You can type config from the command line in privileged mode and then
just press Enter to accept the default of terminal. It looks like this:
Bulut-R1#config
Configuring from terminal, memory, or network [terminal]? [press
enter]
Enter configuration commands, one per line. End with CNTL/Z.
Bulut-R1(config)#
Figure 4-5 User and Privileged Mode.
Cisco IOS Configuration
The example below shows the warning you get when you try to run the
reload command in user mode; this command works only in privileged mode.
Press RETURN to get started. User Access Verification
Password:
Bulut-SW1>
Bulut-SW1> reload
Translating "reload"
% Unknown command or computer name, or unable to find computer
address
Bulut-SW1> enable
Password:
Bulut-SW1#
Bulut-SW1# reload
Proceed with reload? [confirm] y
00:08:42: %SYS-5-RELOAD: Reload requested by console. Reload
Reason: Reload Command.
Figure 4-6 Switching between modes.
Some Basic Commands We Will Use:
enable
disable
configure terminal
hostname
line console 0
password xxxxxxxx
login
interface GigabitEthernet
show running-config
show startup-config
write erase
erase startup-config
erase nvram:
I LAN Switching Concepts
Overview of Switches
I Overview of Switch Operation Logic
I Mac Address Learning
I Loop Avoidance
I Analyzing and Verifying Switch
I Switches Overview
LAN Switching Concepts
Overview of Switch Operation Logic
Two LAN examples are given in Figure 5-1; the first is a Campus LAN and the other
is a Data Center LAN. At first glance, it seems that there is no difference, but end
user devices are connected to the access switches in the Campus LAN, and servers are
connected to the access switches on the data center side. Although the topology is
the same here, we choose and design our switches according to where we will
use them; what we need to pay attention to when designing the network is
what type of devices will be connected and how much traffic there will be.
Figure 5-1 Example of Campus LAN and Data Center LAN.
Consequently, the role of a switch is to transmit Ethernet frames. Switches are
connected to each other, connecting user devices, servers and other devices. The
primary job of the switches is to forward the frames to the correct destination
(MAC) address. And to achieve this goal, the switches use logic based on the
source and destination MAC address in the Ethernet frame header.
Figure 5-2 Example of Switch Forwarding and Filtering Decision.
Figure 5-3 Example of Two Switch Forwarding and Filtering Decisions. First Switch.
Layer 2 switch has three main functions.
✓ Address learning
✓ Forward and filter decisions
✓ Avoid the loop.
Address Learning: Layer 2 switches remember the source hardware address of
each frame received from an interface and enter this information into a MAC
database called the forward/filter table.
Forward/filter Decisions: When a frame is received from the interface, the switch
looks at the target hardware address and finds the output interface in the MAC
database. The frame is sent from the specific destination port.
Loop Avoidance: Network loops can occur if multiple connections
between switches are created for redundancy. Spanning Tree Protocol (STP) is
used to stop network loops while redundancy is still allowed.
Let's take a look at how forwarding and filtering is done in a two-switch
network in Figures 5-3 and 5-4.
Figure 5-4 Example of Two Switch Forwarding and Filtering Decisions. Second Switch.
MAC Address Learning
Fortunately, not all personnel need to know all these MAC addresses. Instead,
each switch performs one of its main functions, MAC address learning.
The switch builds the address table by listening to the incoming frames and
examining the source MAC address in the frames. A frame enters the switch,
and if the source MAC address is not in the MAC address table, the switch adds
that MAC address to the table. This table entry lists the interface from which the
frame came. The learning logic of the switch is that simple.
Figure 5-5 Switch Learning: Adding an Empty Table and Two Entries.
Avoiding the Loop
Redundant links between switches are good as they protect the entire network
from becoming unusable if one link fails.
But backup links, although very useful, can cause more problems than they solve.
Because frames are sent simultaneously over all redundant links, they
cause network loops and other problems.
If there is no loop prevention mechanism, the switches will forward broadcasts
nonstop across the network community. This is sometimes described as a
broadcast storm. Figure 5-6 shows how a broadcast spreads across the network.
Observe how a frame is constantly circulating through the physical network
medium of the network community.
Figure 5-6 Formation of a loop and its transformation into a broadcast storm.
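The learning, forwarding/filtering and flooding rules from the last two pages, and what happens to a broadcast when two switches are joined by a redundant link with no STP, as an added simulation written for this section (not the book's code). Switch names, port names and the MAC 0200.1111.1111 are constructed sample values; the cap of 200 forwarding events is an arbitrary limit that stands in for "the frame never stops circulating".

```python
BROADCAST = "ffff.ffff.ffff"


class Switch:
    """A Layer 2 switch reduced to its forward/filter table and the three rules:
    learn the source MAC, forward a known destination out one port, flood the rest."""

    def __init__(self, name: str):
        self.name = name
        self.mac_table = {}   # MAC -> port it was learned on (the forward/filter table)
        self.links = {}       # port -> (neighbour switch, neighbour port), or None for an end host

    def attach_host(self, port: str):
        self.links[port] = None

    def connect(self, port: str, other: "Switch", other_port: str):
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def forward(self, in_port: str, src: str, dst: str) -> list:
        """Return the ports a frame received on in_port is sent out of."""
        self.mac_table[src] = in_port                      # address learning
        if dst != BROADCAST and dst in self.mac_table:     # known unicast
            out = self.mac_table[dst]
            return [] if out == in_port else [out]         # filter if it points back in
        return [p for p in self.links if p != in_port]     # unknown unicast / broadcast: flood


def inject(switch: Switch, in_port: str, src: str, dst: str, max_events: int = 200) -> int:
    """Deliver one frame and keep processing every copy the switches make of it.
    Returns the number of forwarding events; hitting max_events means the frame
    was still circulating when we gave up, i.e. a loop."""
    queue = [(switch, in_port)]
    events = 0
    while queue:
        sw, port = queue.pop(0)
        for out_port in sw.forward(port, src, dst):
            if events >= max_events:
                return events
            events += 1
            neighbour = sw.links[out_port]
            if neighbour is not None:
                queue.append(neighbour)
    return events


def two_switch_lan(redundant_links: int):
    """Constructed topology: one host on Fa0/1 of each switch, 1 or 2 links between the switches."""
    sw1, sw2 = Switch("SW1"), Switch("SW2")
    sw1.attach_host("Fa0/1")
    sw2.attach_host("Fa0/1")
    sw1.connect("Gi0/1", sw2, "Gi0/1")
    if redundant_links == 2:
        sw1.connect("Gi0/2", sw2, "Gi0/2")   # the backup link that STP would block
    return sw1, sw2


def broadcast_events(redundant_links: int) -> int:
    """How many forwarding events one broadcast from SW1's host causes."""
    sw1, _ = two_switch_lan(redundant_links)
    return inject(sw1, "Fa0/1", "0200.1111.1111", BROADCAST)


if __name__ == "__main__":
    print("one link between switches:", broadcast_events(1), "forwarding events")
    print("two links, no STP:", broadcast_events(2), "forwarding events (capped: a broadcast storm)")
```

With a single inter-switch link the broadcast costs two forwarding events and stops. With the second link and nothing blocking it, the same frame keeps re-entering each switch on a different port, so besides the storm the MAC table entry for 0200.1111.1111 flaps between Fa0/1, Gi0/1 and Gi0/2, which is the other symptom of a loop you see in show mac address-table output on a real switch.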
Analyzing and Verifying the Switch
Cisco Catalyst switches come from the factory ready to switch Ethernet frames.
All you have to do is connect the power cable, plug in the Ethernet
cables and the switch starts switching incoming frames. When you
connect multiple switches together, frames are ready to be transmitted
between the switches as well. Let's take a look at the default settings.
✓ Interfaces are enabled by default, ready to work once the cable is
connected.
✓ All interfaces are assigned to VLAN 1.
✓ 10/100 or 10/100/1000 Mbps speeds are in Auto mode.
✓ MAC learning, forwarding and filtering logic works by default.
✓ STP is enabled.
Some Commands We Can Use For Analysis and Verification:
show mac address-table dynamic
We can see the MAC addresses that the switch learns dynamically.
show interfaces status
We can see whether a switch interface (port) is down or up.
show interfaces f0/1 counters
We can see the outgoing packets from FastEthernet 0/1.
show mac address-table dynamic address 0200.1111.1111
We can see which interface this MAC address is on.
show mac address-table dynamic interface fastEthernet 0/1
We can see the MAC address of the device connected to this
interface.
show mac address-table dynamic vlan 1
It shows us the MAC addresses in VLAN 1.
show mac address-table count
We can see how many entries are in the switch MAC table and how
many more we can store.
Basic Switch
Configuration
I CLI Security on Switch
I Local Usernames
I AAA Server
I Configuring SSH
I Giving IP to Switch
I Basic Switch Configuration
CLI Security on Switch
In this section, I will show you how we can secure access with passwords when
we connect to the switch via the console port or via Telnet or SSH.
• Protecting user mode and privileged mode with simple passwords.
• Securing user mode access with local usernames.
• Securing user mode access with external authentication servers.
• Providing remote access with Secure Shell (SSH).
Figure 6-1 Security concept with simple passwords.
Switch# configure terminal
Switch(config)# enable secret love
Switch(config)# line console 0
Switch(config-line)# password faith
Switch(config-line)# login
Switch(config-line)# exit
Switch(config)# line vty 0 15
Switch(config-line)# password hope
Switch(config-line)# login
Switch(config-line)# end
Switch#
Figure 6-2 Simple password configuration.
Switch# show running-config
!
Building configuration...
Current configuration: 1333 bytes
!
version 12.2
!
enable secret 5 $1$OwtI$A58c2XgqWyDNeDnv51mNR.
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
! Several lines have been omitted here - in particular, lines for
! FastEthernet interfaces 0/3 through 0/23.
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
line con 0
password faith
login
!
line vty 0 4
password hope
login
!
line vty 5 15
password hope
login
Protecting User Mode Access with Local Usernames and Passwords
When we look at the show running-config output above, our line passwords are in clear
text. Someone sitting next to us or someone listening to our network can see these
passwords. Now we will remove these passwords, add users to the local database,
and log in with them.
Figure 6-3 Login with Local User.
Protecting User Mode with External Authentication Servers
In this option, our usernames and passwords are stored on a remote AAA server,
and when we try to connect to the switch, the switch verifies the
username and password we entered against the AAA server; if the information is
correct, it allows us to log in.
Figure 6-4 Basic Authentication Process with External AAA Server.
Configuring SSH
Maintaining a Remote Connection with SSH
Instead of Telnet, you can use Secure Shell. SSH creates a more secure session
than Telnet applications that use unencrypted data streams. Secure Shell
(SSH) uses encrypted keys to send data so your username and password are
not sent in the clear.
SW1# configure terminal
!
SW1(config)# hostname SW1
SW1(config)# ip domain-name example.com
SW1(config)# crypto key generate rsa
The name for the keys will be: SW1.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)
SW1(config)#
!
! Optionally, set the SSH version to version 2 (only) - preferred
!
SW1(config)# ip ssh version 2
!
! Next, configure the vty lines for local username support, just
! like with Telnet
!
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# exit
!
! Define the local usernames, just like with Telnet
!
SW1(config)# username yavuz password cisco
SW1(config)# username bulut password cisco
SW1(config)# ^Z
SW1#
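The show running-config output a few pages back shows why the line passwords are a problem, and the SSH configuration above shows the fix; the script below is an added example written for these two sections (not the book's code) that checks a saved running-config for exactly those points: clear-text line passwords, line login that uses the shared password instead of login local, username entries that use password rather than secret, enable password instead of enable secret, and vty lines that still accept Telnet because transport input ssh is missing. The two config strings are constructed to mirror the book's examples; the secret hashes are placeholders, not real hashes.

```python
import re

# Constructed running-config fragment modelled on the book's show running-config
# output (not copied from a real device; the secret hash is a placeholder).
WEAK_CONFIG = """\
version 12.2
!
enable secret 5 $1$PLACEHOLDER$hashvalue
!
username yavuz password cisco
!
line con 0
 password faith
 login
!
line vty 0 4
 password hope
 login
!
line vty 5 15
 password hope
 login
"""

# The same switch after moving to local usernames and SSH-only vty access.
HARDENED_CONFIG = """\
version 12.2
!
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashvalue
!
username yavuz secret 5 $1$PLACEHOLDER$hashvalue
!
line con 0
 login local
!
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(text: str):
    """Split IOS config text into top-level commands and the sub-commands that
    belong to each of them (IOS indents sub-commands with one space)."""
    top_level, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = raw.strip()
        top_level.append(current)
        sections[current] = []
    return top_level, sections


def audit_config(text: str) -> list:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    findings = []
    top_level, sections = parse_sections(text)
    if "service password-encryption" not in top_level:
        findings.append("global: no 'service password-encryption'; line passwords appear as typed "
                        "(type 7 encoding only obscures them, it is not real protection)")
    for cmd in top_level:
        if cmd.startswith("enable password "):
            findings.append("global: 'enable password' is reversible; use 'enable secret'")
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(f"global: username {m.group(1)} uses 'password'; use 'username ... secret'")
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        if any(c.startswith("password ") and not c.startswith("password 7 ") for c in cmds):
            findings.append(f"{name}: clear-text 'password' is visible in show running-config")
        if "login" in cmds:
            findings.append(f"{name}: 'login' checks only the shared line password; use 'login local' or AAA")
        if name.startswith("line vty") and "transport input ssh" not in cmds:
            findings.append(f"{name}: Telnet is not excluded; add 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
    print("hardened:", audit_config(HARDENED_CONFIG) or "no findings")
```

Run it against a config exported with show running-config (or a backup) rather than on the switch itself; the point is to catch the clear-text and Telnet leftovers before a network listener does, since, as the text says, Telnet carries the username and password unencrypted.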
Giving the Switch an IP Address for Remote Access
We need to give the switch an IP address so that we can access it remotely and make
our settings via Telnet or SSH. Let's not forget to set the default gateway IP so
we can reach it from different subnets and VLANs.
Bulut-Sw1# configure terminal
Bulut-Sw1(config)# interface vlan 1
Bulut-Sw1(config-if)# ip address 192.168.1.200 255.255.255.0
Bulut-Sw1(config-if)# no shutdown
00:25:07: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:25:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1,
changed state to up
Bulut-Sw1(config-if)# exit
Bulut-Sw1(config)# ip default-gateway 192.168.1.1
Figure 6-5 Giving IP for Remote Access to the Switch.
Configuring
Switch Interfaces
I Configuring Speed, Duplex, and Description
I Checking Interface Status
I Auto-negotiation
I Configuring Switch Interfaces
Configuring Speed, Duplex, and Description
Here, we will configure the speed manually under the
interface, manually select whether our connection will be half duplex or
full duplex, and add a description to inform and help us later about that
interface.
Bulut-Sw1# configure terminal
Bulut-Sw1(config)# interface FastEthernet 0/1
Bulut-Sw1(config-if)# duplex full
Bulut-Sw1(config-if)# speed 100
Bulut-Sw1(config-if)# description "3.Kat yazıcı bagli-full 100 mb ayarli"
Bulut-Sw1(config-if)# exit
Bulut-Sw1(config)# interface range FastEthernet 0/11 - 20
Bulut-Sw1(config-if-range)# description "Bu portlarda son kullanıcılar var"
Bulut-Sw1(config-if-range)# ^Z
Bulut-Sw1#
Bulut-Sw1# show interfaces status
Bulut-Sw1(config)# interface range FastEthernet 0/11 - 20
With interface range we can apply the same settings to FastEthernet ports 11 to 20
with a single set of commands.
Bulut-Sw1# show interfaces f0/1 status
We can get information about the interface status.
Interface Shutdown and Checking Its Administrative Status
We can shut down an interface that we do not use, or we can shut down and
bring up a port remotely.
Bulut-Sw1(config)# interface fastEthernet 0/1
Bulut-Sw1(config-if)# shutdown
Bulut-Sw1(config-if)#
*Mar 2 03:02:19.701: %LINK-5-CHANGED: Interface FastEthernet0/1,
changed state to administratively down
SW1(config)# interface fastethernet 0/2
SW1(config-if)# no speed
SW1(config-if)# no duplex
SW1(config-if)# no description
SW1(config-if)# no shutdown
We can remove a configuration that we entered before by putting
the no keyword at the beginning of the command.
Auto-negotiation
By default, interfaces are in auto-negotiation mode. That is, when a device is
connected to an interface, the interface negotiates with it, exchanging information such
as speed and connection type (half/full duplex), and configures itself accordingly.
Let's look at a few examples:
Figure 7-1 Example 1
Figure 7-2 Example 2
Figure 7-3 Example of Switch and Hub Connection
Checking and Analyzing Interface Status
Bulut-SW1# show interfaces status
Bulut-SW1# show interfaces fa0/13
Bulut-SW1# show interfaces gi0/1 status
Chapter - 4
VLAN and STP
APPLICATIONS
I Virtual LANs ( VLAN )
I Spanning Tree Protocol ( STP )
I Configuring RSTP and EtherChannel
I VLANs Concepts
I VLAN Trunking
VLANs
Virtual LANs
I VLAN Tagging
I Inter-Vlan Data Forwarding
I VLAN Configuration and Authentication
I VLAN Trunking Configuration
I Data and Voice VLAN
I Virtual LANs ( VLANs )
Virtual LANs
Concepts
In a network of switches, we can create a Virtual Local Area Network (VLAN) to
separate broadcast domains. A VLAN is a logical grouping of resources and
network users connected to administratively defined ports on a switch. When
you create VLANs, you have the ability to create smaller broadcast domains in
a Layer 2 switched network community by assigning different ports on the
switch to different subnets. Each VLAN acts as its own subnet or broadcast
domain. In other words, frames broadcast to the network are only switched
between logically grouped ports in the same VLAN.
Does this mean we won't need routers anymore? Maybe yes, maybe no. It all
depends on what you want and what your needs are. By default, hosts in a
particular VLAN cannot communicate with hosts that are members of another
VLAN. If you want inter-VLAN communication, the answer is that you still
need a router.
In Figure 8-1 on the side, we can see that we have divided our network into two
subnets and two broadcast domains using 2 switches without VLANs.
Figure 8-1 Using different subnets with two physical switches without VLAN.
In Figure 8-2 below, we can see the example of dividing our network into two
subnets with VLANs using a single physical switch.
Figure 8-2 Using two subnets in one switch using VLAN.
I Virtual LANs ( VLANs )
Using VLAN Trunking on Multiple Switches
We can interconnect two or more switches and connect hosts that are in the
same VLAN on these switches. As seen in the example given in Figure 8-3,
there are two switches, and two different subnets are used by creating VLAN 10
and VLAN 20 on each switch. A separate cable is connected between the two
switches for each VLAN.
Figure 8-4 Using Vlan Trunking in multiple switches
Figure 8-3 Using VLAN in multi-switch without using VLAN Trunk
Such a design is not practical in our network: if there were 5 VLANs on each
switch, we would have to connect a cable for each VLAN between each pair of
switches, which would make it impossible to use VLANs in large networks. When
we use multiple switches and multiple VLANs, we need to configure the ports
that connect the two switches as VLAN trunks. In Figure 8-4, we can see an
example of using a VLAN trunk.
Figure 8-5 Example of Vlan Tagging between two Switches.
I Virtual LANs ( VLANs )
Frame Tagging
Every switch that the frame reaches must first detect its VLAN ID from the
frame tag. It then determines what to do with the frame by looking at the
information in the filter table. If the frame reaches a switch with another
trunk link, the frame will be forwarded out the trunk link port.
When the frame reaches an output port determined by the forward/filter table to
be an access link matching the frame's VLAN ID, the switch removes the VLAN
identifier. Thus, the target device will be able to receive the frames without
having to understand VLAN IDs.
Inter-Switch Link (ISL)
Inter-Switch Link (ISL) is a way to explicitly label VLAN information in an
Ethernet frame. This tagging information allows VLANs to be multiplexed
across a trunk link with an external encapsulation method (ISL). ISL allows
the switch to detect the VLAN membership of a frame along the trunk link.
By running ISL, you can interconnect many switches, and on trunk links you
can still carry VLAN information while traffic flows between switches.
ISL operates at Layer 2 by encapsulating a data frame with a new header and
cyclic redundancy check (CRC). ISL is specific to Cisco switches and is used
only for FastEthernet and Gigabit Ethernet links. ISL is versatile and can be
used on a switch port, router interfaces, and server interface cards that are
trunked to a server.
IEEE 802.1Q
Created by IEEE as a standard frame tagging method, IEEE 802.1Q adds a
field to the frame to identify the VLAN. If you are trunking between a Cisco
switch and a switch of a different brand, you should use 802.1Q for trunking.
Figure 8-6 802.1Q Trunking
It works like this: First, define each port to be trunked with 802.1Q
encapsulation. Ports must be assigned a specific VLAN ID for their
communication, which makes them native VLANs. Ports placed on the same
trunk form a group with this native VLAN, and each port is tagged with an ID
number, with VLAN 1 as the default. The native VLAN allows trunks to carry
received frames that have no VLAN ID or frame tag.
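Added example (not from the book): a small Python model of 802.1Q tagging showing how a switch inserts and reads the 4-byte tag, strips it before an access port, and treats an untagged frame arriving on a trunk as native-VLAN traffic. All frames and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame; insert a 4-byte 802.1Q tag when vlan_id is given.
    Tag = TPID (0x8100) + TCI (PCP: 3 bits, DEI: 1 bit, VID: 12 bits)."""
    header = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload) for tagged or untagged frames."""
    dst, src = frame[:6].hex(), frame[6:12].hex()
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def strip_tag(frame):
    """Access-port egress: remove the tag so the host never has to understand VLAN IDs."""
    if parse_frame(frame)[2] is None:
        return frame
    return frame[:12] + frame[16:]   # drop bytes 12..15 (TPID + TCI)


def trunk_ingress_vlan(frame, native_vlan):
    """Trunk ingress: a tagged frame belongs to its VID; an untagged one is placed
    in the trunk's native VLAN. If the two ends of a trunk disagree on the native
    VLAN, untagged traffic silently lands in a different VLAN on the far side."""
    vid = parse_frame(frame)[2]
    return native_vlan if vid is None else vid


def trunk_egress(frame, vlan_id, native_vlan):
    """Trunk egress: native-VLAN frames leave untagged, every other VLAN is tagged."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    tag = None if vlan_id == native_vlan else vlan_id
    return build_frame(dst, src, payload, tag, ethertype=ethertype)


def demo():
    # constructed host frame (broadcast destination, made-up source MAC, 2-byte payload)
    pc = build_frame("ffffffffffff", "0000c0001111", b"\x45\x00")
    on_trunk = trunk_egress(pc, 20, native_vlan=1)       # SW1 sends VLAN 20 over the trunk
    matched = trunk_ingress_vlan(on_trunk, native_vlan=1)  # SW2, same native VLAN: stays 20
    # VLAN 1 frame leaves untagged; a far end with native VLAN 10 files it under VLAN 10
    mismatched = trunk_ingress_vlan(trunk_egress(pc, 1, 1), native_vlan=10)
    return matched, mismatched


if __name__ == "__main__":
    print(demo())
```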
I Virtual LANs ( VLANs )
Inter-Vlan Data Forwarding
We have logically divided the switches with VLANs, so broadcasts and traffic in
one VLAN no longer reach other VLANs. But what should we do if we need to
access hosts in other VLANs and they need to reach us too? Then we need a
router or a switch that can do Layer 3 routing. To access a different VLAN, we
need to enter the default gateway (router) IP address on our hosts; otherwise
you cannot leave your own VLAN.
Figure 8-7 There is no route between Layer 2 switch Vlans.
Figure 8-8 Routing between two physical interfaces and two vlans.
VLAN Configuration and Verification
Let's create three vlans on a switch.
Figure 8-9 Example of three vlans on the Switch.
SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# name Muhasebe-Vlan
SW1(config-vlan)# exit
SW1(config)# interface range fastethernet 0/11 - 12
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# end
SW1# show vlan brief
SW1# show running-config
SW1# show vlan id 10
I Virtual LANs ( VLANs )
Vlan Trunk Configuration
Let's build an example with two switches and three VLANs, with a VLAN trunk
between the two switches.
SW1# show interfaces gigabit 0/1 switchport
SW1# show interfaces trunk
SW1(config)# interface gigabit 0/1
SW1(config-if)# switchport mode dynamic desirable
SW1# show interfaces gigabit 0/1 switchport
SW1# show interfaces trunk
SW1# show vlan id 2
Figure 8-10 Example of vlan trunk between three vlans and two switches.
Figure 8-11 Example of vlan trunk between three vlans and two switches.
I Virtual LANs ( VLANs )
Data and Voice VLAN
The voice VLAN feature enables access ports to carry IP voice traffic from an IP
phone.
On an access port connected to a Cisco IP phone, you can configure one VLAN
for the voice traffic of the phone and another VLAN for the data traffic of the
PC attached to the phone.
SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# vlan 11
SW1(config-vlan)# interface range FastEthernet0/1 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport voice vlan 11
SW1# show interfaces FastEthernet 0/4 switchport
SW1# show interfaces trunk
SW1# show interfaces F0/4 trunk
Figure 8-12 Pre-IP Phone
Figure 8-13 Post IP Phone
Figure 8-14 Using Voice and Data Vlan on LAN
I STP Concepts
STP/RSTP
Spanning Tree Protocol
I How STP Works
I Root Switch Selection
I RSTP Concepts
I EtherChannel
I Spanning Tree Protocol STP
Spanning Tree Protocol
STP Concepts
Routing protocols have processes that stop network loops at the Network layer.
However, if there are physical redundant links between your switches, the
routing protocols will do nothing to stop loops at the Data Link layer.
The Spanning Tree Protocol was developed to stop loops in the Layer 2 switch
network. The basis of this very important protocol and how it works in a
switch network are important topics that we will cover throughout this chapter.
Figure 9-1 Broadcast Storm.
Why Do We Need STP?
Redundant links between switches are good, as they prevent the entire network
from becoming unusable if one link fails.
Sounds good, but redundant links, while very useful, cause more problems
than they solve if left unmanaged: frames are sent out all backup links at the
same time, which causes loops in the network. The Spanning Tree Protocol was
developed to prevent this problem.
Figure 9-2 STP Blocks Loop in Network.
I Spanning Tree Protocol STP
How STP Works
It constantly monitors the network to find all links and blocks redundant
links to make sure there is no loop. STP uses a spanning-tree algorithm (STA)
to first create a topology database and then search for and eliminate
redundant links. With STP, frames will only be sent over the priority links
selected by STP.
Spanning Tree Terms
Root bridge: The root bridge is the bridge with the best bridge ID. Choosing a
root bridge that is the central point in the network is important for all
switches in the network. All decisions in the network, such as which port to
block and which to put in forwarding mode, are made from the perspective of
this root bridge.
Bridge ID: The bridge ID is the record that STP keeps for all switches in the
network. It is determined by a combination of bridge priority (32,768 by
default on Cisco switches) and MAC address. The bridge with the lowest bridge
ID becomes the root bridge in the network.
BPDU: All switches exchange their information for use both in root switch
selection and in subsequent network configuration. Each switch compares the
parameters in the Bridge Protocol Data Unit (BPDU) that it receives from one
neighbor and sends to the other.
Non-root bridges: These are all bridges other than the root bridge. Non-root
bridges exchange their BPDUs with all bridges and update the STP topology
database on all switches. They prevent loops and provide a defensive measure
against link failures.
Port cost: Port cost determines the best path when multiple links are used
between switches and none of the links is a root port. The cost of a link is
determined by the bandwidth of the link.
Root port: The root port is always the direct link to the root bridge or the
shortest path to the root bridge. If more than one link is connected to the root
bridge, the port cost is determined by checking the bandwidth of each link. The
lowest-cost port becomes the root port. If multiple links have the same cost,
the link to the bridge with the lower bridge ID will be used. If multiple links
go to the same device, the lowest port number will be used.
Designated port: A designated port is the one that has the best (lowest) cost. A
designated port will be marked as a forwarding port.
Nondesignated port: A nondesignated port is a higher-cost port than a
designated port. Nondesignated ports are put in blocking mode. They are not
forwarding ports.
Forwarding port: A forwarding port forwards frames.
Blocked port: A blocked port will not forward frames, to avoid loops.
However, a blocked port will always listen for frames.
I Spanning Tree Protocol STP
Root Switch Selection
Switch ID is used to select the root switch in the STP domain and to determine
the root port for each of the other devices in the STP domain. This ID is 8 bytes
in size and contains the priority and the MAC address of the device. The
default priority on all devices running IEEE STP is 32,768.
You use each switch's priority, along with its MAC address, to determine the
root switch. If two switches have the same priority value, the MAC address will
be decisive to determine which one has the lowest (good) ID. Here's how: If two
switches named A and B use the 32768 priority by default, their MAC
address will be used. If Switch A's MAC address is 0000.0c00.1111 and
Switch B's MAC address is 0000.0c00.2222, SwitchA will be the root switch.
Remember that lower value is best when choosing root switch.
By default, BPDUs will be sent every two seconds from all active ports on the
switch. (The switch with the lowest (good) switch ID is the root switch.) You can
change the ID of the switch by changing its priority. So it will automatically
become the root switch. Being able to do this is important in large networks.
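Added example (not from the book): a Python model of the root switch election and root port choice described above, using the book's switches A and B (MACs 0000.0c00.1111 and 0000.0c00.2222, default priority 32768) plus a constructed third switch C. The IEEE 802.1D default port costs used here are known standard values, not taken from the page.

```python
from dataclasses import dataclass

# IEEE 802.1D-1998 default path costs by link speed in Mb/s (known values, not from the book).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac):
    """Bridge ID as one 8-byte number: 2 bytes of priority followed by the 6-byte MAC.
    Comparing these integers is exactly the 'lowest ID wins' rule of the text."""
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (priority << 48) | mac_int


def elect_root(switches):
    """switches maps name -> (priority, mac). The switch with the lowest bridge ID is root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


@dataclass
class Uplink:
    port: int                 # local port number (third tie-breaker)
    speed_mbps: int           # link speed, which fixes the port cost
    neighbor: str             # switch at the far end of this link
    neighbor_root_cost: int   # root path cost the neighbor advertises in its BPDU


def select_root_port(uplinks, switches):
    """Root port = lowest total cost to the root, then lowest neighbor bridge ID,
    then lowest local port number. Returns the chosen port number."""
    def rank(u):
        total_cost = u.neighbor_root_cost + PORT_COST[u.speed_mbps]
        return (total_cost, bridge_id(*switches[u.neighbor]), u.port)
    return min(uplinks, key=rank).port


def demo():
    switches = {"A": (32768, "0000.0c00.1111"),
                "B": (32768, "0000.0c00.2222"),
                "C": (32768, "0000.0c00.3333")}   # C is constructed for the example
    root_default = elect_root(switches)            # "A": lowest MAC at equal priority
    # C's uplinks: 100 Mb/s to A (the root, cost 0) and 1 Gb/s to B,
    # where B itself reaches A over a 100 Mb/s link (root cost 19)
    c_links = [Uplink(1, 100, "A", 0), Uplink(2, 1000, "B", 19)]
    root_port = select_root_port(c_links, switches)  # 19 via port 1 beats 19 + 4 via port 2
    # Lowering a priority changes the root. This is how an administrator pins the core
    # switch as root; it is also why a switch plugged into a user port must not be allowed
    # to take part in the election (see BPDU Guard later in this chapter).
    switches["B"] = (4096, "0000.0c00.2222")
    return root_default, root_port, elect_root(switches)


if __name__ == "__main__":
    print(demo())
```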
Figure 9-3 Root Switch Selection Process
I Spanning Tree Protocol STP
Why is Root Switch Selection Important?
Convergence happens when all ports on switches switch to forwarding or blocking
mode. No data will be transmitted until the convergence is complete. And before
data can start transmitting again, all devices need to be updated. Yes, you read
that right: STP converges, while all host data stops the transfer! If you want to
stay connected (or always running) with your network users, you should make
sure that your switch network is physically well designed so that STP converges
quickly.
Convergence is really important as it ensures that all devices have the same
database. But as I specifically mentioned, it will cost you money. Usually, it
takes 50 seconds to go from blocking to forwarding, and I do not recommend
changing the STP timers (but you can change these timers if necessary). By
creating your physical switch design in a hierarchical fashion, as shown in
Figure 9-3, you can make your core switch the STP root. This will speed up the
STP convergence time.
Figure 9-4 Using Cost on non-root ports
Figure 9-5 IEEE Default Cost Values
Figure 9-3 An optimal hierarchical switch design.
Note: Cost determines the best path when none of the links has a root port. The cost of a link is
determined by the bandwidth of the link.
I Spanning Tree Protocol STP
Rapid Spanning Tree Protocol
RSTP Concepts 802.1w
Would you like to have an STP configuration that works well in your switch
network and have all the features effectively on each switch, regardless of the
switch brand? Definitely yes! Good, then, welcome to the world of Rapid
Spanning Tree Protocol (RSTP).
Cisco developed PortFast, UplinkFast, and BackboneFast to correct the
shortcomings and disadvantages of the IEEE 802.1D standard. The disadvantage
of these is that they are Cisco proprietary and require additional
configuration. But the new 802.1w standard (RSTP) addresses all these issues
in one package. Just enable RSTP and go.
✓ RSTP adds a mechanism by which a switch can change the root port
without going into forwarding mode.
✓ RSTP adds a mechanism to the designated port before a switch goes into
forwarding mode.
✓ RSTP reduces wait times in some cases.
STP and RSTP Comparison
✓ RSTP and STP use the same rules when choosing root switches.
✓ RSTP and STP use the same rules when choosing root ports.
✓ RSTP and STP use the same rules when choosing designated ports.
✓ RSTP and STP make each connection port forwarding or blocking, but RSTP
uses discarding instead of blocking.
Figure 9-6 Comparison of STP and RSTP Port Status
I Spanning Tree Protocol STP
PortFast
If we use the portfast command on our switches, we avoid the problem of our
hosts not getting a DHCP address, because STP takes a lot of time to converge
and exceeds the host's DHCP request time.
BPDU Guard
If you enable PortFast, it's a really good idea to enable BPDU Guard. If a switch
port with PortFast enabled receives a BPDU on that port, it will put the port in
error-disabled state. This prevents an administrator from accidentally
connecting another switch or hub port to a PortFast-configured switch port. In
fact, you are preventing this from happening and causing your network to crash
or at least be seriously damaged. You should only configure this command on
your access-layer switches to which users are directly connected. Therefore, we
will not configure this on our core switch.
EtherChannel
In STP, a port is blocked and we actually use a single connection even though
we have two connections, but with EtherChannel you can combine the links and
create a logical aggregation. Thus, many of our links will appear as one. If
doing this will provide the same redundancy as STP, why not merge our backup
links? It provides both redundancy like STP and allows us to use the ports
actively, plus we can connect up to eight ports between two switches. (It
may vary according to the switch brand and model.)
As usual, EtherChannel has a Cisco version and an IEEE version. The Cisco
version is defined as Port Aggregation Protocol (PAgP) and the IEEE 802.3ad
standard is called Link Aggregation Control Protocol (LACP). Both work
equally well, but the configuration of the two is different.
Figure 9-7 Example of EtherChannel Connection.
I Multiple Spanning Trees
MST and EtherChannel
I STP Modes and Standards
I RSTP Configuration
I EtherChannel Configuration
I MST and EtherChannel
Multiple Spanning Trees
STP Modes and Standards
In the mid-1990s, VLANs appeared along with switches. The emergence of
VLANs posed a challenge for STP, which was the only type of STP available at
the time, because STP defined a single Common Spanning Tree (CST) topology
for the entire LAN. IEEE needed to create a Multiple Spanning Tree to balance
traffic between existing links as shown in Figure 10-1. With two different STP
instances, SW3 can block on a different interface in each VLAN, as shown in
the figure.
PVST+ (Per-VLAN Spanning Tree): Since there was only one 802.1D
Spanning Tree standard in the 1990s, Cisco developed the PVST+ protocol to
provide a spanning tree for every VLAN.
RPVST+ (Rapid Per-VLAN Spanning Tree): When IEEE created RSTP in 2001,
Cisco created RPVST+. This standard provides a spanning tree per VLAN but
with more features than RSTP.
MSTP: IEEE did not fully adopt Cisco's PVST+ and RPVST+ and created a
different protocol, MSTP, initially defined as 802.1Q but later changed to
802.1S.
Figure 10-2 Timeline of Per-VLAN and Multiple STP Features
Figure 10-1 Load Balancing between an STP Vlan 1 and Vlan 2
Figure 10-3 STP Standard and Configuration Options.
I MST and EtherChannel
Layer 2 EtherChannel Configuration
Let's simply configure Layer 2 EtherChannel between two switches.
interface Port-channel 1
switchport mode trunk
no shut
interface range FastEthernet0/1-2
switchport mode trunk
channel-group 1 mode desirable
no shut
sh int trunk
sh etherchannel summary
SW2# show etherchannel load-balance
Figure 10-4 Simple EtherChannel Example.
We do the same configuration on both switches. On the second switch, we
can set the channel-group mode as auto or desirable. If you are not using
multiple VLANs on the switches, you do not need switchport mode trunk.
SW2(config)# port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr
Chapter - 5
IPv4 ADDRESSING
and SUBNETTING
I Introduction to IPv4 Subnetting
I IPv4 Addressing
I Analyzing Subnet Masks
I Analyzing Existing Subnets
IPv4
Introduction to Subnetting
I Subnetting Basics
I Subnet Design
I Subnet Mask Selection
I Using Host Bits
I Plan and Implementation
I Introduction to IPv4 Subnetting
Subnetting Basics
How to Create Subnets?
If you want to take a single network address and create six networks from it,
you will need to use the subnetting method, because this will allow you to take
a large network and divide it into smaller network segments.
To create subnets, you take bits from the host portion of the IP address and
reserve them to define subnet addresses. This means fewer bits for the host, so
the more subnets there are, the fewer bits there will be to identify the host.
But before you actually subnet, you have to define your plans based on both
your current needs and your future situation.
1. Which hosts do we need to group with a subnet?
2. How many subnets are needed for this network?
3. How many host IP addresses are required for each subnet?
4. For simplicity, will we use a single subnet size or not?
There are tons of reasons to use subnetting, including the following benefits:
Low network traffic: We welcome any type of low traffic. Networks are no
different. Without reliable routers, packet traffic on the switches brings the
entire network to a standstill. With routers, most traffic will remain in the local
network; only packets destined for other networks will be passed through the
router. Routers create broadcast domains. The more broadcast domains you
create, the less network traffic and the smaller the broadcast domains in each
network segment.
Optimized network performance: This is the result of low network traffic.
Simplified management: Identifying and isolating network problems is easier
in smaller network groups than in a large network.
Streamlined, wide geographic distance distribution: Because WAN links are
slower and more expensive than LAN links, connecting many small networks
will make the system more efficient if we have a large network spread over a
wide area.
Figure 11- 1 Subnet Planning, Design, and Implementation Tasks
I Introduction to IPv4 Subnetting
Designing
One Size Subnet Fits All
Figure 11- 2 Using Single Subnets
Multiple Subnet Sizes (Variable-Length Subnet Masks)
Figure 11- 3 Using Three Subnets and Three Masks
Public IP Networks
The IPs used on the internet had to be unique, so these IPs were divided into
classes and allocated to ISPs and companies. The RFC classes A, B and C have
a certain part of their IPs reserved as private IPs for use in the LAN; let's take
a look at them below.
Figure 11- 4 Two companies Public IP Usage
Private IP Networks
Private IP list reserved for use in our local network.
Figure 11- 5 Two Companies Using Private IP
Figure 11- 6 RFC 1918 Private IP Addresses
I Introduction to IPv4 Subnetting
Mask Selection
Selecting Host Bits for Subnet
If you have followed the topics in order so far, you can answer the following
questions according to the example in Figure 11-3.
How many subnets do we need?
How many hosts do we need?
Number of subnets required
Number of hosts / subnets required
It was preferred to use only one mask, as all subnets are the same size (same
number of hosts / subnets).
Choosing the IP block we will use in the subnet:
✓ Let's use a single mask for each subnet.
✓ Let's have 200 subnets.
✓ Have 200 hosts in each subnet.
✓ Let's use the Class B 172.16.0.0 network.
Figure 11- 7 Class A, B and C Networks without Subnets
Figure 11- 8 Class A, B and C Networks Using Subnets
Figure 11- 9 Host and Subnet bit selection
Class A: 2^24 - 2 = 16,777,214
Class B: 2^16 - 2 = 65,534
Class C: 2^8 - 2 = 254
Binary—Class B Network
Figure 11- 10 Mask selection N = 16, S = 8, H = 8
Figure 11- 11 Creating the Subnet Mask
I Introduction to IPv4 Subnetting
Figure 11-13 Plan and implementation steps.
Figure 11-12 Subnets we can use for our example.
Figure 11-14 Applying subnets to different locations.
Plan and Implementation
Before starting the plan and implementation, we must choose which subnets
we will use for the devices and locations we will use. We can use the subnets in
the table above for our locations. If there are devices that will use a static IP, we
can identify them and reserve those IPs on the DHCP server, or adjust the DHCP
server's IP distribution range accordingly.
Figure 11-14 Static IP usage and IP distribution from DHCP Server
IPv4
Addresses
I IPv4 Address Classes and Related Information
I Number and Size of Class A, B, and C Networks
I Default Mask
I Practicing IPv4
I IPv4 Addressing
IP Terminology
Bit: A bit is a number that is either 1 or 0.
Byte: A byte is 7 or 8 bits, depending on the parity used. For the remainder of
this module, we will think of a byte as 8 bits.
Octet: An 8-bit octet is an ordinary 8-bit binary number. The terms byte and
octet are completely interchangeable in this module.
Network address: This is the address used in routing to send packets to a
remote network. For example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.
Broadcast address: This address, which is used by applications and user
machines to send information to all hosts on the network, is defined as the
broadcast address. For example, 255.255.255.255 includes all networks and
hosts, 172.16.255.255 specifies all hosts on the 172.16.0.0 network, and
10.255.255.255 is the broadcast address for all subnets and hosts on the
10.0.0.0 network.
IPv4 Network Classes and Related Information
There are five types of classes in IPv4: Classes A, B and C are unicast
addresses, Class D is multicast addresses, and Class E is used in scientific
research.
Figure 12- 1 IPv4 Address Classes Based on First Octet Values
Figure 12- 2 Basic Information for Classes A, B and C
I IPv4 Addressing
Number and Size of Class A, B, and C Networks
In Class A, the first octet is the network address, and the remaining three octets
are host addresses. In Class B, the first two octets are the network address and
the last two octets are the host addresses. In Class C, the first three octets are
the network address and the last octet is reserved for hosts.
Figure 12- 3 Classes A, B and C Network and Host Numbers
Figure 12- 4 Network and Host Bits
Default Mask
Default masks are as in the list below.
Figure 12- 5 Classes A, B and C Default Mask Addresses
I IPv4 Addressing
Practicing IPv4
I IPv4 Addressing
IPv4 Practice Answers
I Subnet Mask Conversion
Subnet Masks
Analyzing
I Understanding the Powers of 2
I Prefix (CIDR)
I Prefix Conversion
I Subnet Mask Conversion Practice
I Classless and Classful Addressing
I Analyzing Subnet Masks
Subnet Mask Conversion
Converting from Binary to Decimal
What interests us in binary numbering is a value represented in typical decimal
format with the base 10 number arrangement we have used since kindergarten.
Binary numbers are placed in a value field: it starts from the right and
continues to the left. Each position has a value equal to twice the previous
position's value.
Byte Values
128 64 32 16 8 4 2 1
Since they are all used, we sum all the bit fields. The maximum value of a byte
is seen as:
11111111 = 128+64+32+16+8+4+2+1 = 255
There are many decimal values to which a binary number can equal. Let's look
at some examples:
Which bits are used? Bits 128, 16, 4 and 2 are used, so we just add them.
10010110 = 128+16+4+2 = 150
Which bits are used? Bits 64, 32, 8 and 4 are used, so we just add them.
01101100 = 64+32+8+4 = 108
Understanding the Powers of 2
The exponents of the number 2 are important to understand and keep in mind
for IP subnetting. To evaluate a power of 2, when you see a number with its
exponent, you multiply the number by itself as many times as the exponent
specifies. For example, 2^3 is 2x2x2 = 8. Here is a list of exponents of 2 that you
should memorize:
Figure 13-1 Powers of two memorization chart
Prefix Classless Inter-Domain Routing (CIDR)
Another term you should know well is Prefix = Classless Inter-Domain Routing
(CIDR). It is actually the method that ISPs (internet service providers) use to
reserve an address for a business or home user.
When a block address is received from the ISP, it will be: 192.168.10.32/28. This
tells you what your subnet mask is. The slash notation (/) means how many
bits will be 1. Obviously, the maximum can be /32 since a byte has 8 bits and
an IP address has 4 bytes (4x8=32). But keep in mind that since you have to
reserve at least 2 bits for the host bits, the largest available subnet mask
(regardless of the class of the address) can be /30.
I Analyzing Subnet Masks
Convert Subnet Prefixes (CIDR) to Binary
Let's look at examples of Binary to Prefix and Prefix to Binary conversions.
Figure 13-5 Example of Decimal to Binary, Binary to Prefix
Figure 13-2 Example of Conversion from Prefix to Binary
Subnet Mask Conversion Practice
Figure 13-3 Example of Binary to Prefix Conversion
Figure 13-4 Example of Conversion from Prefix to Binary and from Binary to Decimal
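Added example (not from the book) that serves both the mask-selection exercise above (200 subnets of 200 hosts in the Class B 172.16.0.0 network, N = 16, S = 8, H = 8) and the prefix/binary/decimal conversions: Python that derives the subnet and host bits from the requirements and converts the resulting mask between its three notations, rejecting a non-contiguous mask.

```python
def bits_needed(count, reserved=0):
    """Smallest n such that 2**n - reserved >= count.
    Use reserved=2 for host bits, since the subnet ID and broadcast cannot be hosts."""
    n = 0
    while 2 ** n - reserved < count:
        n += 1
    return n


def plan_mask(network_bits, subnets_needed, hosts_per_subnet):
    """Single-mask design: returns (N, S, H, prefix), or raises if it needs more than 32 bits."""
    s = bits_needed(subnets_needed)
    h = bits_needed(hosts_per_subnet, reserved=2)
    if network_bits + s + h > 32:
        raise ValueError("not enough bits: N=%d S=%d H=%d" % (network_bits, s, h))
    return network_bits, s, h, network_bits + s


def prefix_to_binary(prefix):
    """/24 -> '11111111.11111111.11111111.00000000'"""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    bits = "1" * prefix + "0" * (32 - prefix)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def binary_to_decimal(binary_mask):
    """'11111111.11111111.11111111.00000000' -> '255.255.255.0'"""
    return ".".join(str(int(octet, 2)) for octet in binary_mask.split("."))


def decimal_to_prefix(decimal_mask):
    """'255.255.255.224' -> 27. A valid mask is ones followed by zeros, so the
    bit string must never contain '01'; anything else is rejected."""
    bits = "".join(format(int(octet), "08b") for octet in decimal_mask.split("."))
    if "01" in bits:
        raise ValueError("non-contiguous mask: " + decimal_mask)
    return bits.count("1")


def prefix_to_decimal(prefix):
    return binary_to_decimal(prefix_to_binary(prefix))


def book_example():
    """Class B 172.16.0.0 (N=16), 200 subnets, 200 hosts each.
    Returns (N, S, H, prefix, dotted mask, subnets available, hosts per subnet)."""
    n, s, h, prefix = plan_mask(16, 200, 200)
    return (n, s, h, prefix, prefix_to_decimal(prefix), 2 ** s, 2 ** h - 2)


if __name__ == "__main__":
    print(book_example())
```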
I Analyzing Subnet Masks
Classless and Classful Addressing
Figure 13-6 Classful Network Example
Figure 13-7 Example of Classless Network
I Analyzing Subnet Masks
Subnet Mask Conversion Practical Answers
Existing Subnets
Analyzing
I Subnet Determination
I Easy Mask Calculation
I Subnet ID Finding: Different Masks
I Finding Broadcast Addresses: Different Masks
I Practicing
I Analyzing Existing Subnets
Subnet Determination
We use block sizes such as 4-8-16-32-64-128-256 when specifying subnets.
We can determine the size of the subnet according to the number of hosts that will
be in that subnet.
Two IPs in each subnet cannot be assigned to hosts: the subnet ID and the
broadcast address.
Figure 14-1 Class B Network and /18 Mask
172.16.0.0 Network and Four Subnet Examples
Figure 14-2 Network 172.16.0.0, Divided into Four Equal Subnets
Analyzing Current Subnet:
For example, let's take the IP 172.16.150.41 with subnet mask 255.255.192.0
and find its subnet ID and broadcast address.
Figure 14-3 Resident Subnet for 172.16.150.41, 255.255.192.0
Easy Mask Calculation
Subnet ID:
Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.
Step 2: If the mask octet is 0, write 0.
Broadcast Address:
Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.
Step 2: If the mask octet is 0, write 255.
Table 14-4 Subnet ID and Broadcast Address Practice
I Analyzing Existing Subnets
Finding Subnet ID: Different Masks
Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.
Step 2: If the mask octet is 0, write 0.
Step 3: If the mask octet is neither 255 nor 0, we use our magic number: subtract
the mask octet from 256 to find the block size, that is, how many addresses each
subnet spans in that octet.
Figure 14-7 Finding Subnet ID: 192.168.5.77, 255.255.255.224
Subnet ID Practice
Figure 14-5 Calculating octets block by block
Figure 14-8 Finding Subnet ID: 192.168.5.77, 255.255.255.224
Figure 14-6 Finding Subnet ID: 130.4.102.1, 255.255.240.0
I Analyzing Existing Subnets
Finding a Broadcast Address: Different Masks
Broadcast Address Practicing
Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.
Step 2: If the mask octet is 0, write 255.
Step 3: If the mask octet is neither 255 nor 0, we subtract the mask octet from 256
to find the block size. For example, if the block size is 16, then 16 - 1 = 15; when
we add 15 to the subnet ID octet, we find the broadcast address.
Figure 14-11 Finding Broadcast Address from Shortcut
Figure 14-9 Find the Subnet Broadcast: 130.4.96.0, 255.255.240.0
Figure 14-10 Find the Subnet Broadcast: 192.168.5.64, 255.255.255.224
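Added example (not from the book): the shortcut of Steps 1 to 3 for both the subnet ID and the broadcast address as Python, cross-checked against the standard library's ipaddress module on the book's own addresses (192.168.5.77 with 255.255.255.224, 130.4.102.1 with 255.255.240.0, and 172.16.150.41 with 255.255.192.0).

```python
import ipaddress


def _octets(dotted):
    return [int(o) for o in dotted.split(".")]


def subnet_id(ip, mask):
    """Steps 1-3 of the text, octet by octet: 255 -> copy the IP octet, 0 -> 0,
    otherwise take the magic number (256 - mask octet) and write the largest
    multiple of it that does not exceed the IP octet."""
    result = []
    for ip_o, m_o in zip(_octets(ip), _octets(mask)):
        if m_o == 255:
            result.append(ip_o)
        elif m_o == 0:
            result.append(0)
        else:
            block = 256 - m_o                   # the magic number
            result.append((ip_o // block) * block)
    return ".".join(map(str, result))


def broadcast_address(ip, mask):
    """Same walk, but 0 -> 255 and the interesting octet becomes
    subnet octet + block - 1 (the '16 - 1 = 15' step in the text)."""
    result = []
    for ip_o, m_o in zip(_octets(ip), _octets(mask)):
        if m_o == 255:
            result.append(ip_o)
        elif m_o == 0:
            result.append(255)
        else:
            block = 256 - m_o
            result.append((ip_o // block) * block + block - 1)
    return ".".join(map(str, result))


def host_range(ip, mask):
    """First and last usable host: subnet ID + 1 and broadcast - 1,
    computed on the 32-bit value so the carry across octets is right."""
    first = int(ipaddress.IPv4Address(subnet_id(ip, mask))) + 1
    last = int(ipaddress.IPv4Address(broadcast_address(ip, mask))) - 1
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def cross_check(ip, mask):
    """True when the shortcut agrees with ipaddress for this address and mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return (subnet_id(ip, mask), broadcast_address(ip, mask)) == (
        str(net.network_address), str(net.broadcast_address))


# the book's practice addresses
EXAMPLES = [("192.168.5.77", "255.255.255.224"),
            ("130.4.102.1", "255.255.240.0"),
            ("172.16.150.41", "255.255.192.0")]

if __name__ == "__main__":
    for ip, mask in EXAMPLES:
        print(ip, mask, subnet_id(ip, mask), broadcast_address(ip, mask),
              host_range(ip, mask), cross_check(ip, mask))
```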
I Analyzing Existing Subnets
Figure 14-4 Subnet ID and Broadcast Address Responses
Figure 14-8 Finding Subnet ID Shortcut Answers
Figure 14-11 Shortcut Broadcast Address Answers
Chapter - 6
IPv4 ROUTING
I Cisco Router Management
I IPv4 Static Routes
I IPv4 Routing on LAN
I IPv4 Routing Troubleshooting
Cisco Router
Management
I Running the Router
I Cisco ISR Router
I Cisco Router Interface
I Router Interface IP Address
I Router Auxiliary Port
I Cisco Router Management
Running a Router
The first time you turn on a Cisco router, it runs a power-on self-test (POST).
If it passes, it searches for Cisco IOS in flash and loads it (if an IOS file
exists). (By the way, if you don't know, flash memory is an electronically
erasable programmable read-only memory, EEPROM.) After that, IOS loads and
looks for a valid configuration (startup-config). It is stored in non-volatile
RAM (NVRAM).
The following messages are the ones that appear when you first boot or reload a
router.
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Upgrade ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
This is the first part of the router boot process output. It is the information
about the bootstrap program when the POST runs first. Then it tells the router
how to load (the default is to find IOS in flash memory). It also lists the RAM
size in the router.
The next part of the output shows us how IOS is decompressed into RAM:
program load complete, entry point: 0x8000f000, size: 0x14b45f8
Self decompressing the image :
################################################################################################################ [OK]
Pound signs tell us that IOS is being loaded into RAM. After IOS is unzipped to
RAM, IOS is loaded and the router starts working as seen below. Note that the
IOS version is the enhanced security version 12.4(12):
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version
12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x41AA0000
I Cisco Router Management
One of the nice new features of ISR routers is that the IOS name is not
encrypted. The filename actually tells you what IOS can do, as in Advanced
Security. When IOS is loaded, the information learned from POST will be
displayed. You can see it below.

[some output cut]
Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1049A1AB
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

There are two FastEthernet interfaces, four serial interfaces and a VPN module. The sizes of
RAM, NVRAM and flash are also displayed. The router output above shows us
256MB of RAM, 239K of NVRAM and 64MB of flash.

Note: When IOS is loaded and running, a pre-existing configuration (called startup-config) is copied
from NVRAM to RAM. The copy placed in RAM is designated as running-config.

Figure 15-1 A General Enterprise Network Diagram

Cisco Integrated Services Routers (ISR)
Other brands, including Cisco, often have several different types of router
models. Routers today often do a lot more than just forward packets; they
actually act as a device or platform to provide many network services. Cisco
even branded enterprise routers not only as routers, but also as "Integrated
Services Routers (ISRs)", emphasizing the multi-purpose nature of the
products.
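The point made above, that the IOS image name and the boot banner tell you what the router is and what it can do, is exactly what inventory and patch-tracking tools rely on. The following is an added example, not code from the book: a small Python parser for the 2811 boot output shown above. The excerpt it parses is constructed from the lines printed earlier (the Version line joined onto one line, as IOS prints it). The image-name split (platform-featureset-format) and the meaning of the K9 marker are Cisco naming conventions; the RAM total is the sum of the processor and I/O memory pools that IOS reports as 249856K/12288K.

```python
import re
from typing import Dict

# Constructed excerpt of the boot / show version output shown earlier in this section.
BOOT_OUTPUT = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1049A1AB
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
"""

IMAGE_RE = re.compile(r"Cisco IOS Software, .*?\((?P<image>[^)]+)\), Version (?P<version>\S+),")
MEM_RE = re.compile(r"with (?P<proc>\d+)K/(?P<io>\d+)K bytes of memory")
NVRAM_RE = re.compile(r"(?P<k>\d+)K bytes of non-volatile configuration memory")
FLASH_RE = re.compile(r"(?P<k>\d+)K bytes of .*?CompactFlash")
IFACE_RE = re.compile(r"^(\d+) (.+?) (?:interfaces?|Module)$", re.M)


def parse_image_name(image: str) -> Dict[str, object]:
    """IOS image names are platform-featureset-format, e.g. C2800NM-ADVSECURITYK9-M.
    A feature set containing 'K9' is an image built with strong cryptography."""
    platform, feature_set, fmt = image.split("-", 2)
    return {"platform": platform, "feature_set": feature_set, "format": fmt,
            "strong_crypto": "K9" in feature_set}


def parse_boot_output(text: str) -> Dict[str, object]:
    """Pull version, image feature set, memory sizes and interface counts out of
    the boot banner. Sizes are returned in the units the book uses (MB for RAM
    and flash, KB for NVRAM)."""
    info: Dict[str, object] = {}
    m = IMAGE_RE.search(text)
    if m:
        info["version"] = m.group("version")
        info.update(parse_image_name(m.group("image")))
    m = MEM_RE.search(text)
    if m:
        # IOS splits DRAM into a processor pool and an I/O pool; installed RAM is the sum
        info["ram_mb"] = (int(m.group("proc")) + int(m.group("io"))) / 1024
    m = NVRAM_RE.search(text)
    if m:
        info["nvram_kb"] = int(m.group("k"))
    m = FLASH_RE.search(text)
    if m:
        info["flash_mb"] = int(m.group("k")) / 1024   # 62720K is a nominal 64MB card
    info["interfaces"] = {kind: int(n) for n, kind in IFACE_RE.findall(text)}
    return info


if __name__ == "__main__":
    for key, value in parse_boot_output(BOOT_OUTPUT).items():
        print(f"{key:13} {value}")
```

Running it reports version 12.4(12), feature set ADVSECURITYK9 (crypto-capable), 256 MB of RAM, 239 KB of NVRAM and 61.25 MB of usable CompactFlash, which is the 64 MB card the text refers to. The version string is the field you cross-reference against vendor advisories when tracking which routers still run an old image.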
As an example, let's take the network functions needed in a typical branch
office. A typical corporate branch office needs a router for WAN/LAN
connectivity and a LAN switch to provide a LAN connection. Many branches
also need Voice over IP (VoIP) services and various security services to support IP
phones. In addition, it is difficult to imagine a company today with users
without Wi-Fi access. Therefore, Cisco has single router models that act as both
routers and switches and provide other functions, rather than requiring
multiple separate devices in a company, as shown in Figure 15-2.

Figure 15-2 A more detailed Enterprise Network Diagram

Figure 15-3 shows a photo of the Cisco 4321 ISR and shows some of its more
important features. The figure shows a complete view of the back of the router.
This model comes with two internal Gigabit Ethernet interfaces and two modular
slots that allow you to add small cards called Network Interface Modules
(NIMs). An example NIM (a NIM providing two serial interfaces) is shown on
the right of the figure. It has other ports as well, including an RJ-45 and
a USB console port.

Figure 15-3 Cisco 4321 Integrated Services Router (ISR) Model Router Photograph

Note: Cisco has covered serial connection issues (Bandwidth and Clock Rate on Serial
Interfaces) in the CCNA curriculum since 1998, but since this technology is not used much anymore,
CCNA 200-301 has removed it from the training content.
Cisco Router Interfaces
Accessing the Cisco router CLI is the same as on switches. We can connect via
Console, Telnet and SSH. If you forgot these connection methods, you can refer
to Chapter-2 topic 4 CLI usage again. Below we can see some types of interfaces
used in the router.

interface ethernet 0
interface fastethernet 0/1
interface gigabitethernet 0/0
interface gigabitethernet 0/1/0
interface serial 1/0/1

Router Interfaces IP Address

Figure 15-4 IPv4 Address Example Diagram

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface G0/0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface S0/0/0
R1(config-if)# ip address 172.16.4.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface G0/1/0
R1(config-if)# ip address 172.16.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# ^Z
R1#
IPv4
Static Routes
I IP Routing
I IP Routing Process
I IP Routing Example
I Configuration
I IPv4 Static Routes
IP Routing
This is an important topic to understand, as all routes and configurations are
IP related. IP routing is the process of moving packets from one network to
another using routers.
Before we start this section, you have to know the difference
between a routing protocol and a routed protocol. A routing protocol is used by
routers to dynamically find all networks in the internetwork and
ensure that all routers have the same routing table. Essentially, a routing
protocol determines the path a packet will follow through the
internetwork. Examples of routing protocols are RIP, RIPv2, EIGRP and OSPF.
When the routers have learned all the networks, the routed protocol can be used to send
user data (packets) over the established structure. Examples of routed protocols are
IPv4 and IPv6.

Figure 16-1 Host Routing Logic Summary
IP Routing Process
We've seen the basics of IP Routing in Chapter 1, chapter 3, and in this chapter,
we'll use the IP addressing terms we covered in chapters 2, 3, and 4.
Figure 16-2 Routing Logic Summary of Router
I IPv4 Static Routes
IP Routing Example
Our IP address is 172.16.1.9 / 24
Destination IP 172.16.2.9 / 24
Our Default Gateway Address is 172.16.1.1
We put our MAC address in the Ethernet frame and send the packet to our
default gateway.

Figure 16-4 Host A sends the packet to Host B.

Step 1: Router 1 checks the destination MAC and the FCS of the incoming frame; if there is no error, it goes to step 2.
Step 2: Router 1 de-encapsulates the incoming packet.
Step 3: Router 1 looks in the routing table for the destination IP in the incoming packet
and selects the interface to send it from if there is a route in the table.
Step 4: Router 1 encapsulates the packet again.
Step 5: Router 1 sends the ready frame.
If the packet were to go to 172.16.3.9, it would send it from the G0/1/0 LAN
interface, and then it would encapsulate the packet in an Ethernet
frame, not HDLC.

Figure 16-3 Example of routing in five steps
Configuring IP Addresses
I am writing the Router 1 IP configuration as an example; let's configure the other
routers together.

R1#
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
interface Serial0/0/0
 ip address 172.16.4.1 255.255.255.0
interface GigabitEthernet0/1/0
 ip address 172.16.5.1 255.255.255.0

Figure 16-5 Simple network diagram configuration.

R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set
      172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.1/32 is directly connected, GigabitEthernet0/0
C        172.16.4.0/24 is directly connected, Serial0/0/0
L        172.16.4.1/32 is directly connected, Serial0/0/0
C        172.16.5.0/24 is directly connected, GigabitEthernet0/1/0
L        172.16.5.1/32 is directly connected, GigabitEthernet0/1/0

R1# show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1              -   0200.2222.2222  ARPA   GigabitEthernet0/0
Internet  172.16.1.9             35   0200.3333.3333  ARPA   GigabitEthernet0/0
Configuring Static Routes
R1#
ip route 172.16.2.0 255.255.255.0 S0/0/0
ip route 172.16.3.0 255.255.255.0 172.16.5.3
R1# show ip route static

Figure 16-6 Static Routes Concept

Floating Static Routes
If you pay attention to the command line below, you will see the number 130
at the end of the line. Now you will ask what this is: it is the administrative
distance. Administrative distance is the priority order in the routing table. The
default AD of OSPF is 110 and the default AD of a static route is 1, but here it is changed to 130, so OSPF
has first priority.

ip route 172.16.2.0 255.255.255.0 172.16.5.3 130

Figure 16-7 Using Floating Static Route for Subnet 172.16.2.0

Static Host Routes
The first line uses 10.2.2.2 as the next-hop router for the 10.1.1.0 subnet; the
second line sends packets for the 10.1.1.9 host on the same
subnet to 10.9.9.9.

ip route 10.1.1.0 255.255.255.0 10.2.2.2
ip route 10.1.1.9 255.255.255.255 10.9.9.9

Static Default Routes
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip route 0.0.0.0 0.0.0.0 s0/0/1
R2(config)# ^Z
R2# show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Serial0/0/1
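The static, floating static, host and default routes above all end up in one table, and the five-step routing process decides which one forwards a given packet. The following Python model is an added example, not the book's code: it builds R1's routing table from its candidate routes and then does the step-3 lookup (longest prefix match). R1's connected and static routes are taken from Figures 16-5 to 16-7. The OSPF route for 172.16.2.0/24 (the primary that the AD-130 floating static backs up), the default route, and the outgoing interfaces of the 10.x host-route example are constructed here for the demonstration and are not in the book.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                    # destination, e.g. "172.16.2.0/24"
    source: str                    # "C" connected, "S" static, "O" OSPF
    ad: int                        # administrative distance
    interface: str                 # outgoing interface
    next_hop: Optional[str] = None


# R1's candidate routes. The OSPF route, the default route and the interfaces
# of the two 10.x routes are constructed for this example.
R1_CANDIDATES = [
    Route("172.16.1.0/24", "C", 0, "GigabitEthernet0/0"),
    Route("172.16.4.0/24", "C", 0, "Serial0/0/0"),
    Route("172.16.5.0/24", "C", 0, "GigabitEthernet0/1/0"),
    Route("172.16.3.0/24", "S", 1, "GigabitEthernet0/1/0", "172.16.5.3"),
    Route("172.16.2.0/24", "O", 110, "Serial0/0/0", "172.16.4.2"),            # constructed OSPF route
    Route("172.16.2.0/24", "S", 130, "GigabitEthernet0/1/0", "172.16.5.3"),   # floating static
    Route("10.1.1.0/24", "S", 1, "GigabitEthernet0/1/0", "10.2.2.2"),         # subnet route
    Route("10.1.1.9/32", "S", 1, "GigabitEthernet0/1/0", "10.9.9.9"),         # static host route
    Route("0.0.0.0/0", "S", 1, "Serial0/0/0", "172.16.4.2"),                  # constructed default
]


def install(candidates: Iterable[Route], down_interfaces: Iterable[str] = ()) -> List[Route]:
    """Build the routing table: per prefix keep the usable route(s) with the lowest
    AD. A route whose outgoing interface is down is withdrawn, which is what lets
    the AD-130 floating static take over when the primary path fails."""
    down = set(down_interfaces)
    table = {}
    for r in candidates:
        if r.interface in down:
            continue
        current = table.get(r.prefix)
        if current is None or r.ad < current[0].ad:
            table[r.prefix] = [r]
        elif r.ad == current[0].ad:
            table[r.prefix].append(r)          # equal AD: both stay (load sharing)
    return [r for routes in table.values() for r in routes]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Step 3 of the routing process: longest prefix match. A /32 host route beats
    a /24 subnet route, which beats the /0 default route."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def forward(destination: str, down_interfaces: Iterable[str] = ()) -> str:
    """Describe the route R1 would use for `destination` in show ip route style."""
    route = lookup(install(R1_CANDIDATES, down_interfaces), destination)
    if route is None:
        return "drop: no route"
    via = f"via {route.next_hop} " if route.next_hop else ""
    return f"{route.source} {route.prefix} [{route.ad}] {via}{route.interface}"


if __name__ == "__main__":
    for dst in ("172.16.2.9", "172.16.3.9", "10.1.1.9", "10.1.1.20", "8.8.8.8"):
        print(f"{dst:12} -> {forward(dst)}")
    print("172.16.2.9 with Serial0/0/0 down ->", forward("172.16.2.9", {"Serial0/0/0"}))
```

With everything up, 172.16.2.9 follows the OSPF route (AD 110 beats 130); take Serial0/0/0 down and the same destination falls back to the floating static via 172.16.5.3. The host route sends 10.1.1.9 to 10.9.9.9 while its neighbour 10.1.1.20 goes to 10.2.2.2, and anything unknown, such as 8.8.8.8, hits the default route.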
LAN
IPv4 Routing
I VLAN Routing with Router 802.1Q Trunk
I Configuring ROAS ( Router On A Stick )
I Configuring VLAN Routing with SVI
I Configuring VLAN Routing with Route Port
I Layer 3 EtherChannel
I IPv4 Routing (LAN)
VLAN Routing with Router 802.1Q Trunk
Routing by connecting a cable to the router for each VLAN on the switch would not
be very useful. There are more functional ways of doing this, and I'll teach you
about them. Let's take a look at our options:

Router-On-A-Stick (ROAS)
Switched Virtual Interfaces (SVI) with a Layer 3 Switch
VLAN Routing with a Routed Port on a Layer 3 Switch
EtherChannel on a Layer 3 Switch

Figure 17-1 Example of Using Layer 3 Switch in Central Location

ROAS (Router On A Stick) Configuration
In the example below, there are two VLANs on the switch and it is connected to the
router with a single cable. In this case, we will create sub-interfaces and allow
different VLANs to pass through a single connection.

Figure 17-2 Example of ROAS with Subinterfaces on Router B1

B1# show running-config
! Only pertinent lines shown
interface gigabitethernet 0/0
! No IP address up here! No encapsulation up here!
!
interface gigabitethernet 0/0.10
 encapsulation dot1q 10
 ip address 10.1.10.1 255.255.255.0
!
interface gigabitethernet 0/0.20
 encapsulation dot1q 20
 ip address 10.1.20.1 255.255.255.0
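What makes ROAS work is that every frame arriving on the trunk carries an 802.1Q tag, and the router chooses the subinterface purely from the 12-bit VLAN ID in that tag. The following is an added example, not code from the book or from Cisco: a Python parser for tagged Ethernet frames that maps each frame to B1's subinterfaces from Figure 17-2. The frames it processes are constructed in the code (MAC addresses and payload are made up); the 0x8100 TPID and the TCI layout (3-bit priority, 1-bit DEI, 12-bit VLAN ID) are the 802.1Q standard.

```python
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100

# ROAS subinterfaces of router B1 from Figure 17-2: VLAN ID -> subinterface
SUBINTERFACES: Dict[int, Dict[str, str]] = {
    10: {"name": "GigabitEthernet0/0.10", "ip": "10.1.10.1"},
    20: {"name": "GigabitEthernet0/0.20", "ip": "10.1.20.1"},
}


def build_frame(dst: str, src: str, vlan: Optional[int], ethertype: int,
                payload: bytes, pcp: int = 0) -> bytes:
    """Constructed test frames: untagged when vlan is None, else 802.1Q-tagged."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)    # priority bits + VLAN ID
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Split an Ethernet frame into addresses, optional 802.1Q tag fields,
    the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def classify(frame: bytes, native_vlan: Optional[int] = None) -> str:
    """Pick the subinterface the way ROAS does: by the VLAN ID in the tag.
    Untagged frames belong to the native VLAN and are only routed when a
    subinterface is configured with 'encapsulation dot1q <id> native'."""
    info = parse_frame(frame)
    vlan = info["vlan"] if info["vlan"] is not None else native_vlan
    if vlan is None:
        return "untagged: no native VLAN subinterface, dropped"
    sub = SUBINTERFACES.get(vlan)
    if sub is None:
        return f"VLAN {vlan}: no subinterface, dropped"
    return f"VLAN {vlan} -> {sub['name']} ({sub['ip']})"


if __name__ == "__main__":
    payload = b"\x45\x00" + b"\x00" * 18            # constructed IPv4 header stub
    for vid in (10, 20, 30, None):
        f = build_frame("02:00:22:22:22:22", "02:00:33:33:33:33", vid, 0x0800, payload)
        print(vid, "->", classify(f))
```

Because the router trusts the tag to say which VLAN a frame belongs to, the switch port facing the router should be a trunk that allows only the VLANs the subinterfaces serve; a frame for a VLAN with no subinterface is simply dropped, as the VLAN 30 case shows.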
Configuring VLAN Routing with Layer 3 SVI
Using a router with ROAS to route packets makes sense in some situations,
especially in small networks. In networks with larger LANs, we prefer to use
Layer 3 switches for inter-VLAN routing.
When we use SVIs on Layer 3 switches, the physical interfaces work as Layer 2
as usual, that is, the switch receives the frame on an Ethernet port, learns the source MAC, and
forwards the frame by looking up the frame's destination MAC address.

Figure 17-3 Example of Routing Using Vlan Interfaces on Layer 3 Switch

ip routing
!
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
!
interface vlan 20
 ip address 10.1.20.1 255.255.255.0
!
interface vlan 30
 ip address 10.1.30.1 255.255.255.0
SW1# show ip route

Configuring VLAN Routing with Routed Port on Layer 3 Switch
Instead, we can route on a physical port of the Layer 3 switch by putting the port
into Layer 3 (routed) mode.

Figure 17-4 Example of Routing Using Route Port on Layer 3 Switch

ip routing
!
interface vlan 10
 ip address 10.1.10.1 255.255.255.0
!
interface vlan 20
 ip address 10.1.20.1 255.255.255.0
!
interface gigabitethernet 0/1
 no switchport
 ip address 10.1.30.1 255.255.255.0
SW1# show ip route
EtherChannel on Layer 3 Switch
If you prefer multiple and redundant connections rather than a single
connection, you can use the Layer 3 EtherChannel application.
Figure 17-5 Example of Layer 3 EtherChannel
interface GigabitEthernet1/0/13
no switchport
no ip address
channel-group 12 mode desirable
!
interface GigabitEthernet1/0/14
no switchport
no ip address
channel-group 12 mode desirable
!
interface Port-channel12
no switchport
ip address 10.1.12.1 255.255.255.0
IPv4 Routing
Troubleshooting
I Troubleshooting Using the Ping Command
I Using Extended Ping
I Using the TraceRoute Command
I Using Extended TraceRoute
I Telnet and SSH Troubleshooting
I IPv4 Routing Troubleshooting
Troubleshooting Using the Ping Command
Debugging IP addressing is clearly a very important skill. That's why this is
where I'm going to show you the Cisco method of debugging IP addressing. Let's
look at Figure 18-1 for an example of a simple IP problem. Poor Sally cannot
connect to the Windows server. Can you handle this by calling the Microsoft
team and mentioning that their server is a pile of garbage and is causing all
your problems? Probably not such a good idea. Let's revisit our network instead.
Let's get started by following Cisco's troubleshooting steps. They are quite
simple, but equally important. Imagine you are at the client's machine and
cannot communicate with the server that is on a remote network. Below are four
Cisco recommended troubleshooting steps:

Figure 18-1 Example of Simple Troubleshooting

Step 1: Open a command (cmd) window and ping 127.0.0.1. This is the
system diagnostic or loopback address, and your TCP/IP stack is considered to
be working if you can ping it. If you can't, then you have an IP stack problem
and need to reinstall TCP/IP on the host.

C:\Users\Yavuz>ping 127.0.0.1

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 2: Ping the IP address of the local host from the command window. If this
is successful, your network interface card (NIC) is working. If you can't, then
there is a problem with the NIC. Success here does not mean that the cable is
plugged into the NIC; it only means that the IP protocol stack on the host can communicate
with the NIC (with the help of the LAN driver).

C:\>ping 172.16.10.2

Pinging 172.16.10.2 with 32 bytes of data:
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.10.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Step 3: From the command window, ping the default gateway. If the ping is
successful, it means that the NIC is connected to the network and can
communicate with the local network. If it doesn't, you have a physical network
problem somewhere between the NIC and the router.

C:\>ping 172.16.10.1

Pinging 172.16.10.1 with 32 bytes of data:
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 4: If steps 1 to 3 are successful, try to ping the remote server. If this works,
there is IP communication between the local host and the remote server. Also, you
know the server is running on its remote physical network.

C:\>ping 172.16.20.2

Pinging 172.16.20.2 with 32 bytes of data:
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.20.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

If the user is still not able to communicate with the server after steps 1 to 4 are
successful, you probably have some name resolution problems and you should
check your Domain Name System (DNS) settings. But if there is a problem
pinging the remote server, you know you have some physical network problems, and you
need to go to the server machine and do steps 1 to 3 until you find the problem.

Before we discuss IP address problems and how to fix them, I want to describe some
basic DOS commands you can use to help troubleshoot your network from both a PC
and a Cisco router (the commands may do the same thing, but they work
differently):

Packet InterNet Groper (ping): On a network, ping uses ICMP echo request and
reply messages to test whether the IP stack has started and is active.
traceroute: Displays a list of routers in the path to a destination network, using TTL
time-outs and ICMP error messages. This command will not work from a DOS
command prompt.
tracert: Same command as traceroute, but a Microsoft Windows command, and will
not work on a Cisco router.
arp -a: Used for IP-to-MAC address mapping on a Windows PC.
show ip arp: Same command as arp -a, but displays the ARP table on a Cisco router.
Like the traceroute and tracert commands, they are not interchangeable between DOS
and Cisco IOS.
ipconfig /all: Only available from the DOS command line, it will show you the PC
network configuration.
Using Extended Ping to Test the Reverse Route

Figure 18-2 Extended Ping

R1# ping
Protocol [ip]:
Target IP address: 172.16.2.101
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.101, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Troubleshooting Using the TraceRoute Command
Like ping, the traceroute command helps network engineers isolate problems. Here
is a comparison of the two:
Both send messages on the network to test the connection.
Both rely on a reply coming back for each message they send.
Both have broad support for many different operating systems.
Both can use a hostname or IP address to identify the target.
Routers have a standard and extended version of both, allowing better testing of
the reverse route.

Figure 18-3 Simple traceroute example.

traceroute 172.16.2.101
traceroute to 172.16.2.101, 64 hops max, 52 byte packets
 1  172.16.1.1 (172.16.1.1)  0.870 ms  0.520 ms  0.496 ms
 2  172.16.4.2 (172.16.4.2)  8.263 ms  7.518 ms  9.319 ms
 3  172.16.2.101 (172.16.2.101)  16.770 ms  9.819 ms  9.830 ms
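The text says traceroute works with "TTL time-outs and ICMP error messages" but does not show the mechanism. The following Python simulation is an added example, not code from the book: it walks probes with increasing TTL along a constructed path modelled on Figure 18-3 (R1 answering from 172.16.1.1, R2 from 172.16.4.2, then the target host 172.16.2.101) and shows why each line of the output carries the address it does, and why a router that filters ICMP shows up as a row of asterisks. The hop names, the "silent" router option and the per-probe logic are constructions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Hop:
    name: str
    address: str          # address of the interface facing the source: what traceroute prints
    is_router: bool = True


# Constructed path from the PC to 172.16.2.101, following Figure 18-3.
PATH: List[Hop] = [
    Hop("R1", "172.16.1.1"),
    Hop("R2", "172.16.4.2"),
    Hop("Host", "172.16.2.101", is_router=False),
]


def send_probe(path: List[Hop], ttl: int, target: str) -> Tuple[str, str]:
    """Carry one UDP probe along the path. Every router decrements the TTL; the
    router that takes it to 0 discards the probe and answers ICMP Time Exceeded
    from its own address. The target host answers ICMP Port Unreachable because
    the probe is aimed at an unused UDP port. Returns (reply kind, replying address)."""
    for hop in path:
        if hop.address == target:
            return "port-unreachable", hop.address
        if not hop.is_router:
            break                                   # an end host does not forward
        ttl -= 1
        if ttl == 0:
            return "time-exceeded", hop.address
    return "no-reply", "*"


def traceroute(path: List[Hop], target: str, max_hops: int = 30, probes: int = 3,
               silent: FrozenSet[str] = frozenset()) -> List[Tuple[int, List[str]]]:
    """Send `probes` probes per TTL for TTL 1..max_hops, stopping once the target
    answers. Routers listed in `silent` drop probes without replying (ICMP
    filtered or rate-limited), which is what the '*' columns mean in real output."""
    lines = []
    for ttl in range(1, max_hops + 1):
        replies, reached = [], False
        for _ in range(probes):
            kind, sender = send_probe(path, ttl, target)
            if kind == "no-reply" or sender in silent:
                replies.append("*")
            else:
                replies.append(sender)
                reached = reached or kind == "port-unreachable"
        lines.append((ttl, replies))
        if reached:
            break
    return lines


if __name__ == "__main__":
    for ttl, replies in traceroute(PATH, "172.16.2.101"):
        print(f"{ttl:2}  {'  '.join(replies)}")
    print("-- with R2 filtering ICMP --")
    for ttl, replies in traceroute(PATH, "172.16.2.101", silent=frozenset({"172.16.4.2"})):
        print(f"{ttl:2}  {'  '.join(replies)}")
```

The first run reproduces the three lines of Figure 18-3. The second shows the troubleshooting trap the asterisks set: a silent hop in the middle does not mean the path is broken, since the probes with a larger TTL still reach the target, whereas a path that never reaches the target runs to the hop limit with every row after the last answering router showing stars.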
Standard and Extended Traceroute
R1# traceroute 172.16.2.101
Type escape sequence to abort.
Tracing the route to 172.16.2.101
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.4.2 0 msec 0 msec 0 msec
  2 172.16.2.101 0 msec 0 msec *

R1# traceroute
Protocol [ip]:
Target IP address: 172.16.2.101
Source address: 172.16.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 172.16.2.101
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.4.2 0 msec 0 msec 0 msec
  2 172.16.2.101 0 msec 0 msec *

Telnet and SSH Troubleshooting
Telnet and SSH work from PC1 to R1 but not from PC1 to R2 and R3.

Figure 18-4 Telnet and SSH Error Example.

Telnet and SSH from PC1 to R1, from R1 to R2 and from R2 to R3 are working, but if
PC1 still cannot reach devices other than R1, there is probably a routing
problem.

Figure 18-5 Example of Telnet and SSH.
Chapter - 7
OSPF
I OSPF Concepts
I OSPF Applications
I OSPF Network Types and Neighbors
I OSPF Fundamentals
OSPF Concepts
I Interior and Exterior Routing Protocols
I Administrative Distance
I Neighbors
I OSPF Areas and LSAs
I OSPF Concepts
Open Shortest Path First (OSPF) Fundamentals
Open Shortest Path First (OSPF) is an open standard routing protocol
implemented by many manufacturers, including Cisco. If you have multiple
routers and they are not all Cisco, you cannot use EIGRP. Your remaining
options are basically RIP, RIPv2, and OSPF. If it's a large network then your
only real options are OSPF and route redistribution. Redistribution is a
conversion service between routing protocols.
OSPF works using the Dijkstra algorithm. First, a shortest path first (SPF) tree is
built and the resulting best paths are placed in the routing table. Although
not as fast as EIGRP, OSPF converges quickly and supports multiple, equal-
cost routes to the same destination. It supports both the IPv4 and IPv6 routed
protocols, like EIGRP.
OSPF provides the following features:
It consists of areas and autonomous systems.
It minimizes routing update traffic.
It provides scalability.
It supports subnets / prefixes.
It has an unlimited number of hops.
Many manufacturers allow its deployment (open standard).
OSPF is the link-state routing protocol most people are familiar with.

Routing Protocol: It consists of a set of messages, rules and algorithms used
by routers to learn routes. This process includes the exchange and analysis of
routing information. Each router chooses the best route for each subnet (route
selection) and finally places these best routes in the IP routing table.
Examples include RIP, EIGRP, OSPF, and BGP.
Routed Protocol and Routable Protocol: Both terms refer to a protocol that
defines packet structure and logical addressing, allowing routers to route or
forward packets. Routers forward packets defined by routed and routable
protocols. Examples are IP Version 4 (IPv4) and IP Version 6 (IPv6).
Interior and Exterior Routing Protocols
IGP: A routing protocol designed for use within a single autonomous system
(AS). For example RIPv2, EIGRP and OSPF.
EGP: A routing protocol designed to be used between different
autonomous systems. For example BGP (Border Gateway Protocol).
IGP Routing Protocol Algorithms
The basic algorithm of a routing protocol determines how it will do the routing
work. The term routing protocol algorithm refers to the logic and processes of
learning all routes, choosing the best path for each subnet, and using
different methods to solve the convergence problem in response to changes in
the network. IGP routing protocols use three different algorithms:
Distance vector (sometimes called Bellman-Ford after its creators)
Advanced distance vector (sometimes called "balanced hybrid")
Link state
Figure 19 -1 Example of IGP and EGP Routing Protocols
Metrics
It is used to choose the best route and compare routes.
Comparing Interior Gateway Protocols
Companies have several IGP options for their corporate networks, but most
companies nowadays use OSPF or EIGRP. We will learn OSPFv2 protocol,
EIGRP is in the training content of CCNP Enterprise certification.
Figure 19 -2 IGP Metrics
If a router receives two updates listing the same remote network, the first
thing the router checks is the AD. If one of the advertised routes has a lower AD
than the other, the route with the lowest AD will be put in the routing table.
If two advertised routes for the same network have the same AD, routing
protocol metrics (hop count or line bandwidth) will be used to find the best
route to the remote network. The advertised route with the lowest metric will
be put in the routing table. If two advertised routes have both the same AD
and the same metric, then the routing protocol will load-balance to the
remote network (packets will be sent over both links).

Figure 19 -3 Comparison of RIP and OSPF Metrics

Table 19 -4 Comparison of IGP Protocols

Administrative Distance
It is used to rate the reliability of routing information from a neighboring
router. An administrative distance is a number between 0 and 255. 0 is the
most reliable and 255 is untrusted; an AD of 255 means no traffic will be passed
through this route.

Table 19 -5 Default Administrative Distances
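The selection order described above (lowest AD first, then the protocol metric, then load balancing across equal routes, with AD 255 never installed) is the part of route installation that most often surprises people: a RIP route with one hop loses to an OSPF route with a higher cost purely because of AD. The following Python function is an added example, not code from the book, that implements that order for one prefix. The default AD values are the Cisco IOS defaults (the book gives 110 for OSPF and 1 for static); the candidate routes in the tests are constructed.

```python
from dataclasses import dataclass
from typing import List

# Cisco IOS default administrative distances for the route sources used here
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str        # where the route came from: "ospf", "rip", "static", ...
    metric: int        # protocol-specific: hop count for RIP, cost for OSPF
    next_hop: str
    ad: int = -1       # -1 means "use the default for this source"

    def admin_distance(self) -> int:
        return self.ad if self.ad >= 0 else DEFAULT_AD[self.source]


def select(candidates: List[Candidate]) -> List[Candidate]:
    """Return the route(s) that get installed for one prefix.
    1. An AD of 255 is 'untrusted' and is never installed.
    2. The lowest AD wins, regardless of metric.
    3. With equal AD (normally the same protocol, so metrics are comparable)
       the lowest metric wins.
    4. Equal AD and equal metric: all of them are installed (load balancing)."""
    usable = [c for c in candidates if c.admin_distance() < 255]
    if not usable:
        return []
    best_ad = min(c.admin_distance() for c in usable)
    same_ad = [c for c in usable if c.admin_distance() == best_ad]
    best_metric = min(c.metric for c in same_ad)
    return [c for c in same_ad if c.metric == best_metric]


def describe(candidates: List[Candidate]) -> str:
    chosen = select(candidates)
    if not chosen:
        return "no route installed"
    return " + ".join(f"{c.source} [{c.admin_distance()}/{c.metric}] via {c.next_hop}" for c in chosen)


if __name__ == "__main__":
    # Constructed: RIP says one hop, OSPF says cost 20. AD decides, not the metric.
    print(describe([Candidate("172.16.2.0/24", "rip", 1, "10.0.0.1"),
                    Candidate("172.16.2.0/24", "ospf", 20, "10.0.0.2")]))
    # Constructed: two equal-cost OSPF paths and one worse one.
    print(describe([Candidate("172.16.2.0/24", "ospf", 10, "10.0.0.2"),
                    Candidate("172.16.2.0/24", "ospf", 10, "10.0.0.3"),
                    Candidate("172.16.2.0/24", "ospf", 30, "10.0.0.4")]))
    # The book's floating static route: AD 130 loses to OSPF's 110 while OSPF has a route.
    print(describe([Candidate("172.16.2.0/24", "static", 0, "172.16.5.3", ad=130),
                    Candidate("172.16.2.0/24", "ospf", 64, "172.16.4.2")]))
```

The same function also explains the floating static route from the static-routing chapter: with AD 130 it sits in the candidate list, is ignored while the OSPF route (AD 110) exists, and is installed the moment OSPF withdraws its route.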
OSPF Terminology
Link: A link is the network or router interface assigned to a particular network.
When an interface is added to the OSPF process, it is considered a link on the
OSPF side. This link or interface will have status information about both up/
down and one or more IP addresses.
Neighbor: Neighbors are two or more routers that have an interface on a common
network, such as two routers connected by a point-to-point serial link.
Adjacency: An adjacency is a relationship between two OSPF routers that
allows them to exchange route updates directly. OSPF is very selective in sharing
routing information, unlike EIGRP, which shares routes directly with all its
neighbors. OSPF only shares routes with neighbors with which it has established an
adjacency. Not all neighbors will be adjacent; this depends on both the network
type and the configuration of the routers.
Hello protocol: The OSPF Hello protocol provides dynamic neighbor detection and
maintains neighbor relations. Hello packets and Link State Advertisements
(LSAs) create and maintain a topological database. Hello packets are sent to
224.0.0.5.
Router ID: While OSPF has many optional features, most enterprise companies
using OSPF choose to configure an OSPF Router ID on each router. OSPF
speaking routers must have a Router ID (RID) to function properly. By default,
routers will choose an interface IP address to use as the RID. However, many
network engineers prefer to specify the router ID of each router, so the output from
commands like show ip ospf neighbor lists more recognizable Router IDs.
The router uses the following methods to select the Router ID.
If the Router ID is entered while configuring OSPF, it uses this ID.
If any loopback address is configured and the loopback interface is up, the
loopback interface with the largest IP will be used as the Router ID.
If neither of the above two options is available, the Router ID is the highest
IP among the interfaces that are up.

Figure 19 -6 OSPF Hello Package
Designated Router: A designated router (DR) is selected when OSPF routers are
connected to the same multi-access network. Multi-access networks are networks
with a large number of receivers. Try not to confuse multi-access with
multipoint; sometimes they can be easily confused.
The prime example is an Ethernet LAN. To minimize the number of adjacencies,
a DR is elected to spread/receive routing
information to or from the other routers on the broadcast network or link. This
ensures that the topology tables are synchronized. All routers in shared
networks will be adjacent to the DR and the backup designated router (BDR). The
election will be won by the router with the highest priority, and if the priority
is the same across multiple routers, the Router ID is used for DR selection.
Backup Designated Router: A backup designated router (BDR) is a primary
backup for the DR on multi-access links (remember Cisco sometimes refers to it as
a broadcast network). The BDR receives all routing updates from OSPF neighbor
routers, but does not send LSA updates.

Figure 19 -7 DR and BDR selection and Database Exchange over Ethernet

Calculating the Best Route
OSPF LSAs contain useful information, but not the specific information that
must be added to the router's IPv4 routing table. So, to know which routes to
add to the routing table, each router needs to do some SPF math to choose the
best routes. Then it selects the next-hop router and adds the interface it will
send from to the table.

Figure 19 -8 Path selection for the best route.

Note: We will look at the cost values in detail while making the application.
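The "SPF math" mentioned above is Dijkstra's algorithm run over the link-state database, and the "equal-cost routes to the same destination" feature from the OSPF fundamentals falls out of it directly. The following is an added example, not code from the book: a Python SPF computation over a small constructed link-state database (four routers, with a cheap two-hop path competing against an expensive direct serial link), producing each router's cost, equal-cost next hops, and the resulting routing table. The topology, the stub subnets and the link costs are constructed; the costs follow the OSPF convention of reference bandwidth divided by link bandwidth (1 for FastEthernet, 64 for a T1 with the default 100 Mbps reference).

```python
import heapq
from typing import Dict, List, Set, Tuple

# Constructed link-state database: router -> {neighbour: cost of the link to it}
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 1, "R3": 1, "R4": 64},    # R1-R4 is a slow serial link
    "R2": {"R1": 1, "R4": 1},
    "R3": {"R1": 1, "R4": 1},
    "R4": {"R1": 64, "R2": 1, "R3": 1},
}
# Subnets each router advertises as directly connected (constructed)
STUBS: Dict[str, List[str]] = {
    "R2": ["10.1.2.0/24"], "R3": ["10.1.3.0/24"], "R4": ["10.1.4.0/24"],
}


def spf(lsdb: Dict[str, Dict[str, int]], root: str):
    """Dijkstra from root. Returns the cost to every router and, per router, the
    list of predecessors on equal-cost shortest paths (so ECMP is preserved)."""
    dist = {root: 0}
    preds: Dict[str, List[str]] = {root: []}
    queue = [(0, root)]
    while queue:
        d, u = heapq.heappop(queue)
        if d > dist[u]:
            continue                          # stale entry, a cheaper path was found
        for v, cost in lsdb[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v], preds[v] = nd, [u]
                heapq.heappush(queue, (nd, v))
            elif nd == dist[v]:
                preds[v].append(u)            # equal-cost alternative
    return dist, preds


def next_hops(preds: Dict[str, List[str]], root: str, node: str) -> Set[str]:
    """Follow predecessor links back toward root; the routers directly attached
    to root on those paths are the next hops for `node`."""
    hops: Set[str] = set()

    def walk(n: str) -> None:
        for p in preds[n]:
            if p == root:
                hops.add(n)
            else:
                walk(p)

    if node != root:
        walk(node)
    return hops


def routing_table(lsdb, stubs, root) -> Dict[str, Tuple[int, List[str]]]:
    """Subnet -> (cost, sorted next hops) as the root router would install it."""
    dist, preds = spf(lsdb, root)
    table = {}
    for router, nets in stubs.items():
        if router == root or router not in dist:
            continue
        for net in nets:
            table[net] = (dist[router], sorted(next_hops(preds, root, router)))
    return table


def without_link(lsdb, a: str, b: str):
    """Copy of the LSDB with the a-b link removed: what every router recomputes
    after the LSA flood that announces the failure."""
    copy = {r: dict(n) for r, n in lsdb.items()}
    copy[a].pop(b, None)
    copy[b].pop(a, None)
    return copy


if __name__ == "__main__":
    for net, (cost, hops) in routing_table(LSDB, STUBS, "R1").items():
        print(f"O {net} [110/{cost}] via {', '.join(hops)}")
    print("-- after the R2-R4 link fails --")
    for net, (cost, hops) in routing_table(without_link(LSDB, "R2", "R4"), STUBS, "R1").items():
        print(f"O {net} [110/{cost}] via {', '.join(hops)}")
```

From R1, 10.1.4.0/24 costs 2 via either R2 or R3 (both are installed), and the direct 64-cost serial link is never used even though it is one hop. Remove the R2-R4 link and the same subnet converges to R3 alone at the same cost, which is the recomputation the areas discussion later refers to when it says an interface change anywhere makes every router rerun SPF.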
OSPF Areas and LSAs
A single-area design can be used in some networks that are not very large and were not
planned very carefully while designing. You just turn on OSPF on all routers,
put all interfaces in the same area (usually area 0) and it works! Figure 19-9
shows 11 routers configured with Area 0.

Figure 19 -9 Single Area OSPF

Larger OSPFv2 networks may have problems with a single-area design. For example, now
imagine a corporate network with 900 routers and several thousand subnets
instead of just 11. As it turns out, it takes a lot of CPU time to run the SPF
algorithm on all this topology data. As a result, the OSPFv2 convergence time
may be too slow to react to changes in the network. Routers may also have too little
RAM.
We can list the problems related to a single-area design as follows.
A larger topology also requires more memory for the router database.
The larger the database, the longer it will take to process the SPF algorithm in
the router. It will require more CPU power.
A single interface status change (up or down) anywhere on the network causes
the SPF (Shortest Path First) algorithm to run again in every router.

OSPF Areas
OSPF area design can take into account a few basic rules. To apply the rules,
after you have properly drawn the networks and determined the router
interfaces, select the areas for each router and interface as follows:
Place all interfaces connected to the same subnet in the same area.
Areas must be contiguous.
Some routers may have all interfaces in a single area.
Some routers can be Area Border Routers (ABRs) because some interfaces are
connected in the backbone area and some are connected in a non-backbone
area.
All non-backbone areas must have a way to reach the backbone area (area 0) by
connecting through at least one ABR that has interfaces in both the backbone area and the non-backbone
area.
Figure 19 -9 Three-Area OSPF with D1 and D2 as ABRs

Figure 19-10 Three OSPFv2 LSA Types Seen by Multi-Area OSPF Design

LSA (Link State Advertisement)
A Link State Advertisement (LSA) is an OSPF data packet containing link-state and routing information shared between OSPF routers. An OSPF router
will only exchange LSA packets with routers with which it has set up an adjacency.
When we look at it with the show ip ospf database command, it will seem like a
lot of complex code, but you will become familiar with it over time.
OSPF Applications
I Single-Area OSPF Applications
I Wildcard Mask
I Verify OSPF
I Configuring the OSPF Router ID
I Multi-Area OSPF Configuration
I Configuring OSPF Under Interface
I OSPF Additional Features
I OSPF Applications
Single-Area OSPF Applications
The way to understand the OSPFv2 configuration shown in this example is to
understand the OSPF network command. The OSPF network command
compares the first parameter in the command with the IP address of each
interface in the local router, trying to find a match. However, instead of
comparing the entire number in the network command with the entire IP
address on the interface, the router can compare using wildcard masks as follows:

Wildcard Matching with the network Command
Wildcard 0.0.0.0: Compare all four octets. In other words, the numbers must
match exactly.
Wildcard 0.0.0.255: Compare only the first three octets. Ignore the last octet
when comparing numbers.
Wildcard 0.0.255.255: Compare only the first two octets. Ignore the last two
octets when comparing numbers.
Wildcard 0.255.255.255: Compare only the first octet. Ignore the last three
octets when comparing numbers.
Wildcard 255.255.255.255: Do not compare anything; this wildcard mask
means all addresses will match the network command.
Let's understand the working logic by making the configurations on the other
routers together and using different wildcard masks on those routers.

Figure 20 -1 Example OSPFv2 configuration.

interface GigabitEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1q 2
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 10.1.12.1 255.255.255.0
!
interface GigabitEthernet0/1/0
 ip address 10.1.13.1 255.255.255.0
!
interface GigabitEthernet0/2/0
 ip address 10.1.14.1 255.255.255.0
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
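The octet-by-octet rules above are really a bitwise rule: a 1 bit in the wildcard means "don't care", a 0 bit means "must match". The following Python is an added example, not code from the book or from Cisco IOS, that implements that rule and applies it to R1's interfaces from Figure 20-1, first with the single network 10.0.0.0 0.255.255.255 area 0 statement and then with the five per-subnet statements from the multi-area configuration that follows in this chapter. One assumption of this model is labelled in the code: when several statements match the same interface, the most specific one (fewest wildcard 1-bits) is taken.

```python
import ipaddress
from typing import Dict, List, Tuple


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(ip: str, network: str, wildcard: str) -> bool:
    """OSPF network-command logic: bits set to 1 in the wildcard are ignored,
    bits set to 0 must be identical in the interface address and the network."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(network) & care)


def wildcard_from_mask(mask: str) -> str:
    """Inverse of a subnet mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~_to_int(mask) & 0xFFFFFFFF))


# R1's interfaces from Figure 20-1: (interface, IP address)
R1_INTERFACES: List[Tuple[str, str]] = [
    ("GigabitEthernet0/0.1", "10.1.1.1"),
    ("GigabitEthernet0/0.2", "10.1.2.1"),
    ("GigabitEthernet0/0/0", "10.1.12.1"),
    ("GigabitEthernet0/1/0", "10.1.13.1"),
    ("GigabitEthernet0/2/0", "10.1.14.1"),
]

# (network, wildcard, area) statements: the book's single-area command and
# the five statements from its multi-area configuration
SINGLE_AREA = [("10.0.0.0", "0.255.255.255", 0)]
MULTI_AREA = [
    ("10.1.1.0", "0.0.0.255", 0),
    ("10.1.2.0", "0.0.0.255", 0),
    ("10.1.12.0", "0.0.0.255", 23),
    ("10.1.13.0", "0.0.0.255", 23),
    ("10.1.14.0", "0.0.0.255", 4),
]


def ospf_enabled(interfaces, network_cmds) -> Dict[str, int]:
    """Return {interface: area} for every interface matched by a network statement.
    Assumption of this model for overlapping statements: the most specific one
    (fewest wildcard 1-bits) wins. In practice, avoid overlapping ranges."""
    result: Dict[str, int] = {}
    for name, ip in interfaces:
        matches = [(bin(_to_int(wc)).count("1"), area)
                   for net, wc, area in network_cmds if wildcard_match(ip, net, wc)]
        if matches:
            result[name] = min(matches)[1]
    return result


if __name__ == "__main__":
    print("single-area:", ospf_enabled(R1_INTERFACES, SINGLE_AREA))
    print("multi-area: ", ospf_enabled(R1_INTERFACES, MULTI_AREA))
    print("0.0.0.0 wildcard needs an exact match:",
          wildcard_match("10.1.1.2", "10.1.1.1", "0.0.0.0"))
```

The same matching logic is worth running against an interface you did not mean to include: a broad wildcard such as 0.255.255.255 will also enable OSPF on any interface in 10.0.0.0/8 that is added later, which is why the per-subnet statements (or the interface-level ip ospf command shown later) give tighter control over where Hellos are sent.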
I OSPF Applications
Verifying OSPF
OSPF Router ID Configuration
We can check the configurations we have made using these commands.
While OSPF has many optional features, most enterprise companies using
OSPF choose to configure an OSPF Router ID on each router. OSPF-speaking
routers must have a Router ID (RID) to function properly. By default, routers
will choose an interface IP address to use as the RID. However, many network
engineers prefer to specify the Router ID of each router, so that the output from
commands like show ip ospf neighbor lists more recognizable Router IDs.
The router uses the following methods, in order, to select the Router ID:
If a Router ID is entered while configuring OSPF (the router-id command), it
uses this ID.
Otherwise, if any loopback interface is configured and up, it uses the highest
loopback IP address as the Router ID.
If neither of the above applies, the Router ID is the highest IP address among
the non-loopback interfaces that are up.
Figure 20-2 OSPFv2 authentication commands.
I OSPF Applications
Multi-Area OSPF Configuration
router ospf 1
network 10.1.1.0 0.0.0.255 area 0
network 10.1.2.0 0.0.0.255 area 0
network 10.1.12.0 0.0.0.255 area 23
network 10.1.13.0 0.0.0.255 area 23
network 10.1.14.0 0.0.0.255 area 4
Configuring OSPF Under Interface
R1(config)# router ospf 1
R1(config-router)# no network 10.0.0.0 0.255.255.255 area 0
R1(config-router)# interface g0/0.1
R1(config-subif)# ip ospf 1 area 0
R1(config-subif)# interface g0/0.2
R1(config-subif)# ip ospf 1 area 0
R1(config-subif)# interface g0/0/0
R1(config-if)# ip ospf 1 area 0
R1(config-if)# interface g0/2/0
R1(config-if)# ip ospf 1 area 0
I OSPF Applications
OSPF Additional Features
Passive interfaces
Default routes
Metrics
Load balancing
Passive Interface: After OSPF is enabled on an interface, the router tries to
find neighboring OSPF routers and establish a neighbor relationship. To
do this, the router periodically (once every Hello Interval) sends OSPF Hello
messages. The router also listens for Hello messages from potential
neighbors.
In some cases, an interface does not need neighbors: for example, there may be
no other OSPF router on that link, or the interface may face the WAN side. In
this case we can make the interface a passive interface.
The router continues to advertise the interface's connected subnet, but
stops sending Hello packets on that interface and ignores any it receives there.
router ospf 1
passive-interface GigabitEthernet0/0.1
passive-interface GigabitEthernet0/0.2
Default Routes:
R1# show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
! Rest of the legend omitted for brevity
Gateway of last resort is 192.0.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 192.0.2.1
B1# show ip route ospf
O*E2 0.0.0.0/0 [110/1] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.1.3.0/24 [110/3] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0
O 10.1.13.0/24 [110/2] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0
I OSPF Applications
OSPF Metrics (Cost): In Topic 19, OSPF Concepts, we talked about how SPF finds
the best route; now let's manually change the cost values.
We can set the cost directly under the interface using the ip ospf cost x
command.
Interface Default Cost Values
Interfaces have default cost values derived from their bandwidth; we can change
the cost by changing the bandwidth setting, or by changing the OSPF cost
reference bandwidth.
Cost Value Change:
R1(config)# interface g0/0/0
R1(config-if)# ip ospf cost 4
R1(config-if)# interface g0/1/0
R1(config-if)# ip ospf cost 5
R1# show ip ospf interface brief
Interface    PID   Area   IP Address/Mask    Cost   State   Nbrs F/C
Gi0/0/0      1     0      10.1.12.1/24       4      DR      1/1
Gi0/1/0      1     0      10.1.13.1/24       5      BDR     1/1
Gi0/2/0      1     0      10.1.14.1/24       1      DR      1/1
OSPF Cost Reference Bandwidth Change
Default: 100 Mb (100 000 000 bps)
R1(config-router)# auto-cost reference-bandwidth value
R1(config-router)# no auto-cost reference-bandwidth
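The cost calculation behind the table above, as an added Python example (not the book's code): IOS derives an interface's default cost as reference bandwidth divided by interface bandwidth, truncated to an integer with a floor of 1, and ip ospf cost overrides that. The link list is constructed to reproduce R1's Cost column, and the example also shows why the default 100 Mbps reference makes every link of 100 Mbps or faster cost 1.

```python
"""OSPF interface cost from bandwidth and the reference bandwidth.

Added example, not from the training book.  The R1_LINKS list is
constructed to match the 'Cost Value Change' example above.
"""
from typing import Dict, List, Optional, Tuple

DEFAULT_REF_BW_MBPS = 100  # IOS default reference bandwidth: 100,000,000 bps


def ospf_cost(bandwidth_kbps: int, ref_bw_mbps: int = DEFAULT_REF_BW_MBPS,
              manual_cost: Optional[int] = None) -> int:
    """Cost used for SPF on one interface.

    bandwidth_kbps: the interface 'bandwidth' value in kbps (GigabitEthernet
    defaults to 1000000).  ref_bw_mbps: 'auto-cost reference-bandwidth' in
    Mbps.  manual_cost: the 'ip ospf cost' value, which takes precedence.
    """
    if manual_cost is not None:
        return manual_cost
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    ref_bps = ref_bw_mbps * 1_000_000
    # Integer division truncates; anything faster than the reference gets 1.
    return max(1, ref_bps // (bandwidth_kbps * 1_000))


# (interface, bandwidth in kbps, manual 'ip ospf cost' or None) for R1:
# g0/0/0 was given cost 4 and g0/1/0 cost 5; g0/2/0 keeps its default.
Link = Tuple[str, int, Optional[int]]
R1_LINKS: List[Link] = [
    ("Gi0/0/0", 1_000_000, 4),
    ("Gi0/1/0", 1_000_000, 5),
    ("Gi0/2/0", 1_000_000, None),
]


def cost_table(links: List[Link],
               ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> Dict[str, int]:
    """Cost per interface, like the Cost column of 'show ip ospf interface brief'."""
    return {name: ospf_cost(bw, ref_bw_mbps, manual)
            for name, bw, manual in links}


def distinguishable(bandwidths_kbps: List[int],
                    ref_bw_mbps: int = DEFAULT_REF_BW_MBPS) -> bool:
    """True if every bandwidth gets a different default cost.

    With the 100 Mbps default, FastEthernet, GigabitEthernet and 10 Gigabit
    links all cost 1, so SPF cannot prefer the faster one.  Raising the
    reference bandwidth fixes that, but it must be set to the same value on
    every router in the area or the routers compute inconsistent paths.
    """
    costs = [ospf_cost(bw, ref_bw_mbps) for bw in bandwidths_kbps]
    return len(set(costs)) == len(costs)


if __name__ == "__main__":
    print("R1 costs (default reference):", cost_table(R1_LINKS))
    speeds = [100_000, 1_000_000, 10_000_000]  # FE, GE, 10GE in kbps
    for ref in (100, 10_000):
        print(f"reference {ref} Mbps:",
              [ospf_cost(bw, ref) for bw in speeds],
              "distinct" if distinguishable(speeds, ref) else "all equal")
```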
OSPF Load Balancing
For example, if a network has six possible routes between parts of the network
and you want all of them to be used, the router can be configured under the
router ospf x command with the maximum-paths 6 subcommand.
OSPF Network
Types and Neighbors
I OSPF Broadcast Network Type
I DR/BDR Manual Selection
I OSPF Point-to-Point Network Type
I OSPF Neighbor Relationships
I OSPF Network Types and Neighbors
OSPF Network Types
OSPF Broadcast Network Type
By default, OSPF uses the broadcast network type on all Ethernet interface types.
Note that all Ethernet interfaces in the examples in Chapter 20 rely on this
default setting.
Let's look at the following example to better understand the OSPF Broadcast
Network Type.
Figure 21-1 Single Area Design
router ospf 1
router-id 1.1.1.1
!
interface gigabitEthernet0/0
ip ospf 1 area 0
!
interface gigabitEthernet0/1
ip ospf 1 area 0
Let's Verify Broadcast Network Type:
✓ OSPF sends Hello packets to 224.0.0.5, the address reserved for all OSPF
routers, to detect neighbors.
✓ It tries to elect a DR and BDR in each subnet.
✓ It becomes DR because there is no other router in the G0/1 subnet.
✓ When there are 3 other routers in the G0/0 subnet, it will be DR, BDR or
DROther.
✓ It uses the address 224.0.0.6 for the DR, BDR and DROther roles.
Let's take a look with the commands below.
show ip ospf interface brief
show ip ospf interface g0/0
Figure 21-2 R1's List of Neighbors
Figure 21-3 OSPF DR/BDR/DROther Roles in the Network
I OSPF Network Types and Neighbors
DR/BDR Manual Selection
Let's give priority to this router's interface by entering the ip ospf
priority 99 command under the interface; but when we look with the show
ip ospf interface brief command, we will see that there is still no
change. This is because there is no reason to start the election process again, so
the configuration we made will wait for the next election. If the interface of one
of the routers in the subnet goes down, the process will start again. Let's turn one
of the interfaces off and on, test it, and observe the results.
I OSPF Network Types and Neighbors
OSPF Point-to-Point Network Type
By nature, this OSPF network type works well for data links between two
routers. For example, let's take a look at the topology in Figure 21-4, which
shows R1 with three WAN links: two Ethernet WAN links and one serial link.
Figure 21-4 Sample OSPF Design with Serial and Ethernet WAN
First, let's look at the serial connection. Since R1 and R4 are directly
connected, we cannot add a third router. As you can imagine, the data link
protocols used to control a link with at most two devices may work differently
from Ethernet. For example, the most commonly used serial data link protocols
(HDLC and PPP) do not support broadcast.
These connections generally do not support data link broadcasts. Also, with
only two devices on the link, a DR/BDR election only adds convergence time.
Configuring the point-to-point network type tells the router not to use a
DR/BDR on that interface.
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface g0/0/0
R1(config-if)# ip ospf network point-to-point
R1(config-if)#
R1# show ip ospf interface g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet Address 10.1.12.1/24, Area 0, Attached via Interface Enable
Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1
Topology-MTID    Cost    Disabled    Shutdown    Topology Name
      0            4        no          no           Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 2.2.2.2
R1# show ip ospf interface brief
Interface    PID   Area   IP Address/Mask    Cost   State   Nbrs F/C
Gi0/0/0      1     0      10.1.12.1/24       4      P2P     1/1
I OSPF Network Types and Neighbors
OSPF Neighbor Relationships
When we enable OSPF on a router and its interfaces, IOS then tries to discover
other neighbors connected to each interface by sending and listening for OSPF
Hello messages. However, two routers do not always become neighbors. They
must have compatible values in the Hello packets exchanged between them and
in various other settings. The parameters in the Hello packet must match;
let's have a look at the list below.
Requirements for OSPF Neighbor Establishment:
Listed below are some commands with which we can check for problems.
Chapter - 8
IP Version 6
I IPv6 Basics
I IPv6 Addressing and Subnetting
I IPv6 Address Applications
I IPv6 Routing Applications
IPv6
Fundamentals
I Internet Protocol Version 6 (IPv6)
I IPv6 Routing
I IPv6 Addressing Formats and Conversion
I IPv6 Prefix (Subnet ID)
I Practicing IPv6
I IPv6 Fundamentals
Internet Protocol Version 6 (IPv6)
People refer to IPv6 as the next-generation Internet Protocol; it was developed
as a solution to IPv4's inevitable address exhaustion. You've probably
heard about IPv6 before. The capacity of its ancestor, IPv4, is insignificant
compared to it. That is why IPv4 will eventually be completely buried in history.
IPv6 addresses are 128 bits, or 16 bytes.
Figure 22-1 IPv4 address exhaustion, with short- and long-term solutions.
2345:1111:2222:3333:4444:5555:6666:AAAA
2000:1:2:3:4:5:6:A
Why Do We Need IPv6?
It is a fact that the number of people and devices connected to the network is
increasing day by day. This is not entirely a bad thing. We're always finding
new and exciting ways to connect more people, which is nice. In fact, this
is a basic human need. But the weather doesn't always mean perfectly blue skies
and sunny weather, because, as I implied in the introduction of this section, the
IPv4 addresses on which our communication capability depends will be
exhausted. IPv4 has 4.3 billion addresses in theory, and we know
we can't use all of them. The use of Classless Inter-Domain Routing (CIDR) and
Network Address Translation (NAT) helps prolong the inevitable dwindling of
addresses. But we will consume them, and that will be in a few years.
IPv6 Routing
Like many functions of IPv6, IPv6 routing is similar to IPv4 routing from an
overview perspective; let's take a look at the steps.
To create and send IPv6 packets over an interface, end-user devices need an
IPv6 address on those interfaces.
If the host needs to reach a different subnet, it needs to know the default
router's IP address.
The router de-encapsulates and re-encapsulates the packet when forwarding an
IPv6 packet.
The router looks at the destination IP in the IPv6 packet and forwards the
packet by matching it against the routing table.
I IPv6 Fundamentals
Figure 22-2 IPv6 Header
Figure 22-3 IPv6 Host Building and Sending an IPv6 Packet
Figure 22-4 IPv6 Router Performing Routine Encapsulation Tasks When Routing IPv6
Figure 22-5 Comparing an IPv6 Packet to R1’s IPv6 Routing Table
I IPv6 Fundamentals
IPv6 Routing Protocols
IPv6 routers need to learn routes for all possible IPv6 prefixes (subnets). As with
IPv4, IPv6 routers use the routing protocols we already know, in their IPv6
versions. We can see them in the table below.
Figure 22-6 IPv6 Routing Protocols
IPv6 Address Full Spelling
IPv6 addresses use the hexadecimal (hex) format. An address consists of eight
blocks; each block has four hex digits, and the blocks are separated by colons.
Let's look at the example.
IPv6 Addressing Formats and Conversion
I will briefly talk about these topics here, but we will deal with them in detail
in Topic 23.
Interpreting and converting IPv6 addresses consisting of 32 hex digits.
How to shorten and expand IPv6 addresses.
Interpreting IPv6 prefixes.
How to find the IPv6 prefix (subnet ID).
Figure 22-7 Hexadecimal/Binary Conversion Chart
I IPv6 Fundamentals
IPv6 Shortening and Extending
There are some subtleties that will help us when we write this long address. One is
that you can skip parts of the address to abbreviate it. But to do this, you have to
follow some rules. First, you can discard the leading zeros in each of the
blocks. After doing that, the address in the previous example looks like this:
2001:db8:3c4d:12:0:0:1234:56ab
This is a good development. At least we don't have to write those extra zeros. But
what about the entire blocks with nothing but zeros in them? We can remove at
least some of them. If we look at our example again, we can omit two blocks of
zeros by replacing them with two colons. The address will now be:
2001:db8:3c4d:12::1234:56ab
Very nice! We wrote two colons in place of the all-zero blocks. The rule you have
to follow is that you can replace only one contiguous run of zero blocks in an
address. So if your address has four zero blocks and they are not all adjacent, you
can't replace all of them. Remember the rule that you can put a double colon in
place of only one adjacent run. Check out this example:
2001:0000:0000:0012:0000:0000:1234:56ab
And know that you cannot write:
2001::12::1234:56ab
Instead, the best you can do is:
2001::12:0:0:1234:56ab
The reason the above example is the best: in the other example, if we discard
both runs of zeros, the device looking at the address has no way of knowing
where to put the zeros back. In fact, the router would look at the wrong address
and say, "Shall I place two blocks in the first pair of colons, or should I place
three blocks in the first set and one block in the second set?" And so it would
go on, because the information the router needs is not there.
Figure 22-8 IPv6 Shortening and Extension Practice
Figure 22-8 IPv6 Shortening and Extension Practical
I IPv6 Fundamentals
Prefix (Subnet ID)
As in IPv4, IPv6 uses subnet masks, but here we call it the prefix length. The
logic is the same: we specify how many bits identify the subnet and how many
bits are left for the host. We can write it in two ways, as in the example below:
you can leave a space if you want, or write it directly after the address.
2222:1111:0:1:A:B:C:D/64
2222:1111:0:1:A:B:C:D /64
Figure 22-9 Creating the IPv6 Prefix from an Address/Length
Let's look at the example:
2000:1234:5678:9ABC:1234:5678:9ABC:1111/64
Finding the IPv6 Prefix
2000:1234:5678:9ABC:0000:0000:0000:0000/64
2000:1234:5678:9ABC::/64
Copy the first (prefix) bits.
Put zeros in the remaining bits.
When the prefix length is a multiple of 4, it falls on a hex-digit boundary: divide
the prefix bits by 4 to find how many hex digits to copy.
Copy the prefix hex digits as in the example.
Substitute zeros for the other hex digits.
Figure 22-10 Finding Prefix Practice
I IPv6 Fundamentals
Finding Different IPv6 Prefixes
2000:1234:5678:9ABC:1234:5678:9ABC:1111/56
2000:1234:5678:9A00:0000:0000:0000:0000/56
2000:1234:5678:9A00::/56
2000:1234:5678:9A::/56 (incorrect: only leading zeros may be dropped, so 9A00
cannot be shortened to 9A)
Figure 22-10 Finding Different Prefixes
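The shortening rules and the prefix calculation above, as one added Python example (not the book's code) serving both passages: expand() restores the full form and rejects a second "::" because the zero blocks could not be placed back, compress() applies the leading-zero and single-"::" rules, and prefix() copies the prefix bits and zeros the rest. prefix() goes beyond the text in that it works for any prefix length, not only multiples of 4, and the 9A00-versus-9A pitfall from the /56 example is checked explicitly.

```python
"""IPv6 shortening, expansion and prefix calculation.

Added example, not from the training book.  Output is lowercase (the
RFC 5952 canonical form); the book's uppercase examples compare equal
after lowercasing.
"""
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> str:
    """Return the full eight-group form, four hex digits per group.

    One '::' may stand for a single run of all-zero groups.  A second '::'
    is rejected: the router could not know how to split the zeros between
    the two gaps, which is the point the text makes about 2001::12::1234:56ab.
    """
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed: " + addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: " + addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError("malformed IPv6 address: " + addr)
    return ":".join(g.lower().zfill(4) for g in groups)


def is_valid(addr: str) -> bool:
    """True if expand() accepts the address."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def compress(addr: str) -> str:
    """Shorten an address: drop leading zeros in each group, then replace
    the longest run of two or more all-zero groups with '::' (the first run
    on a tie).  A single zero group is left as '0'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len = -1, 1
    run_start = None
    for i, g in enumerate(groups + ["x"]):      # sentinel closes a trailing run
        if g == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_start < 0:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail


def to_int(addr: str) -> int:
    """128-bit integer value of an address."""
    return int(expand(addr).replace(":", ""), 16)


def from_int(value: int) -> str:
    """Full eight-group form of a 128-bit integer."""
    hexstr = f"{value:032x}"
    return ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))


def prefix(addr: str, length: int) -> str:
    """Copy the first 'length' bits, zero the rest, and return the
    compressed prefix with its length, for any length 0..128."""
    if not 0 <= length <= 128:
        raise ValueError("prefix length must be 0..128")
    mask = ((1 << 128) - 1) ^ ((1 << (128 - length)) - 1)
    return f"{compress(from_int(to_int(addr) & mask))}/{length}"


if __name__ == "__main__":
    print(compress("2001:0000:0000:0012:0000:0000:1234:56ab"))
    print(is_valid("2001::12::1234:56ab"))
    print(prefix("2000:1234:5678:9ABC:1234:5678:9ABC:1111", 56))
    # 9A00 is not the same block as 9A: the expanded forms differ.
    print(expand("2000:1234:5678:9A00::"), expand("2000:1234:5678:9A::"))
```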
I IPv6 Fundamentals
Answers
Figure 22-8 IPv6 Shortening and Extending Practical Answers
Figure 22-10 Finding Prefix Practical Answers
Figure 22-10 Finding Different Prefixes Answers
IPv6 Addressing
and Subnetting
I Global Unicast Addressing Concepts
I Public and Private IPv6 Addresses
I IPv6 Global Routing Prefix
I Global Unicast IPv6 Addresses Range
I Unique Local Unicast Addresses
I IPv6 Addressing and Subnetting
Global Unicast Addressing Concepts
In this section, we will focus on Global Unicast addresses; as the name suggests,
they are the IPs used in the real internet environment, like Public IPs in IPv4.
In this section we will also cover how a block of Global Unicast addresses is
created and subnetted for assignment to companies.
Public and Private IPv6 Addresses
IPv4 addresses were first distributed to each company for use in the public
environment, but as it was understood that these addresses would run out in
time, after 1990 RFCs reserved some addresses for use in private networks; we
have seen these addresses before in Chapter 5. Thus, by giving companies a
Public IP and using Private IPs inside, the IPv4 exhaustion process was
extended. Of course, while going from LAN to WAN, we translated these Private
IPs to the Public IP given to us using NAT, and so we reached the internet. I
will cover NAT in Chapter 12. There is a similar structure in IPv6, so we can
use addresses as Private and Public.
Global Unicast: Addresses that work like IPv4 public addresses. Companies that
need IPv6 addresses are allocated IPv6 address blocks from the Global Routing
Prefixes assigned to their ISPs. From then on, these companies only use IPv6
addresses starting with this prefix.
Unique Local: Addresses used like IPv4 private addresses. Multiple companies
can use the same addresses; they don't need to obtain them from anywhere.
IPv6 Global Routing Prefix
Companies that want to use these IPs should get a Global Routing Prefix and
then distribute it to their end users.
The term Global Routing Prefix actually refers to the idea that Internet routers
can have a way to express all addresses in the address block without needing
routes for smaller sections of that block. For example, Figure 23-1 shows three
companies with three different IPv6 global routing prefixes; the router on the
right (R4) has an IPv6 route for each global routing prefix.
Figure 23-1 Three Global Routing Prefixes, with One Route per Prefix
I IPv6 Addressing and Subnetting
Using Global Unicast IPv6 Address Subnetting
Imagine an ISP has received a Global Routing Prefix and needs to distribute
it by dividing it into subnets, as in IPv4.
Where and how many IPv6 subnets do we need? In the example below we actually
need 4 subnets, the same as in the IPv4 design.
Figure 23-2 Prefix Assignment with IANA, RIRs, and ISPs
Global Unicast IPv6 Addresses Range
In fact, in IPv6, Global Unicast Addresses take up most of the address space. In
IPv4, classes A, B, C, D and E defined which addresses were used for what; in
IPv6, which address range is used for what purpose is categorized as in the list
below.
Figure 23-3 IPv6 Address Types
Figure 23-4 Locations for IPv6 Subnets
I IPv6 Addressing and Subnetting
Assigning IPs to Hosts in Subnet
After deciding which subnet to use in which location, we can configure IP
addresses for hosts. We can either configure the addresses manually or by using a
DHCP server.
2001:0DB8:1111::/48 is the prefix assigned to the company.
The company uses /64 subnets, leaving 64 bits for the Interface ID.
16 bits are left for the subnet field (we can use 65,536 subnets).
Figure 23-6 We Select the Subnets to Apply.
Figure 23-5 First available 16 Subnets
Figure 23-7 Implementing IPv6 Addresses
I IPv6 Addressing and Subnetting
Unique Local Unicast Addresses
Unique Local Unicast addresses act as private IPv6 addresses. The division of
these addresses into subnets has similar aspects to Global Unicast addresses.
The biggest difference is related to Unique Local addresses (starting with hex
FD) and the management process: Unique Local prefixes are not registered with
any authority or company and can be used by multiple companies.
Although Unique Local addresses can be used without any registration or
assignment, we still have to follow some rules:
• In the first two hex digits we use FD.
• We must choose a unique 40-bit global ID.
• For the /48 prefix, we prepend FD to the Global ID.
• Use the next 16 bits as the subnet field.
• Note that 64 bits remain for the Interface ID.
Figure 23-8 IPv6 Unique Local Unicast Address Format
Using Unique Local Address IPv6 Subnetting
It's the same as Global Unicast address subnetting, except that we don't choose
the first two hex digits (8 bits) of the prefix; we choose the next 40 bits.
FD00:0001:0001::/48, or FD00:1:1::/48
Figure 23-9 Using Unique Local Address Subnetting
IPv6 Address
Applications
I Configuring Static Unicast Address
I Full 128-Bit Address Configuration
I EUI-64 IPv6 Address Format
I Configuring Dynamic Unicast Address
I Using Private Address on Router
I Link-Local Addresses
I IPv6 Address Applications
Configuring Static Unicast Address
We have two options in IPv6 address configuration: in the first option we specify
all 128 bits; in the second option we specify only the /64 prefix, and the router
derives the Interface ID from the interface's 48-bit MAC address, extended to
64 bits (48 bits + 16 bits). I will explain this in the upcoming topics.
Full 128-Bit Address Configuration
Figure 24-1 Full 128-Bit IPv6 Configuration
ipv6 unicast-routing
!
interface GigabitEthernet0/0
ipv6 address 2001:DB8:1111:1::1/64
!
interface GigabitEthernet0/0/0
ipv6 address 2001:0db8:1111:0004:0000:0000:0000:0001/64
R1# show ipv6 interface GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::1:AAFF:FE00:1
No Virtual link-local address(es):
Global unicast address(es):
2001:DB8:1111:1::1, subnet is 2001:DB8:1111:1::/64
R1# show ipv6 interface brief
GigabitEthernet0/0         [up/up]
    FE80::1:AAFF:FE00:1
    2001:DB8:1111:1::1
GigabitEthernet0/1         [administratively down/down]
    unassigned
GigabitEthernet0/0/0       [up/up]
    FE80::32F7:DFF:FE29:8568
    2001:DB8:1111:4::1
R1# show ipv6 route connected
IPv6 Routing Table - default - 5 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
C 2001:DB8:1111:1::/64 [0/0]
    via GigabitEthernet0/0, directly connected
C 2001:DB8:1111:4::/64 [0/0]
    via GigabitEthernet0/0/0, directly connected
I IPv6 Address Applications
EUI-64 IPv6 Address Format
Our second option in IPv6 address configuration is EUI-64: the router
automatically generates the 64 bits after the prefix as the Interface ID. To do
this, as with IPv4, we can use a DHCPv6 server or Stateless Address
Autoconfiguration (SLAAC).
How does EUI-64 generate the Interface ID?
1- First, the interface takes the MAC address and divides it into two halves. The
MAC address is 48 bits (12 hex digits), so each half is 6 hex digits.
Figure 24-3 EUI-64 Interface ID Creation Process, Two Examples
2- The Interface ID must be 64 bits (16 hex digits), so it inserts the 16-bit
(4 hex digit) value FFFE between the two halves of the MAC address,
completing it to 64 bits.
3- The seventh bit of the resulting Interface ID is inverted: if the seventh bit is
0 it becomes 1, and if it is 1 it becomes 0.
Figure 24-4 Seventh Bit Change in EUI-64 Interface ID Generation Process
Figure 24-2 IPv6 Address EUI-64 Format
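The three EUI-64 steps above, as an added Python example (not the book's code). The two MAC addresses are constructed so that they reproduce the interface IDs visible in the show ipv6 interface brief output in this topic (1:AAFF:FE00:1 and 32F7:DFF:FE29:8568); mac_from_eui64() reverses the process, which is also the reason EUI-64 addresses reveal the NIC's hardware identity to every peer and stay constant across networks, so hosts commonly use privacy or stable-random interface IDs instead (RFC 4941, RFC 7217).

```python
"""EUI-64 Interface ID generation and its inverse.

Added example, not from the training book.  MAC addresses below are
constructed to match the interface IDs in the book's show output.
"""
import re


def parse_mac(mac: str) -> bytes:
    """Accept 0201.AA00.0001, 02:01:AA:00:00:01 or 02-01-aa-00-00-01."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError("MAC must be 12 hex digits: " + mac)
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> str:
    """Return the 64-bit Interface ID as four uppercase 4-hex-digit groups.

    Step 1: split the 48-bit MAC into two 24-bit halves.
    Step 2: insert FFFE between them to reach 64 bits.
    Step 3: invert the seventh bit of the first byte (value 0x02).
    """
    mac_bytes = parse_mac(mac)
    iid = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    iid[0] ^= 0x02
    hexstr = iid.hex().upper()
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix64: str, mac: str) -> str:
    """Join a /64 prefix written as four groups (e.g. '2001:DB8:1111:1' or
    '2001:DB8:1111:1::') with the generated Interface ID, dropping leading
    zeros in each group as IOS displays them."""
    groups = prefix64.rstrip(":").split(":") + eui64_interface_id(mac).split(":")
    if len(groups) != 8:
        raise ValueError("prefix must supply exactly four groups")
    return ":".join(g.lstrip("0") or "0" for g in groups)


def mac_from_eui64(interface_id: str) -> str:
    """Recover the MAC from an EUI-64 Interface ID (four full groups), the
    check you can do by eye on 'show ipv6 interface brief' output."""
    b = bytearray(bytes.fromhex(interface_id.replace(":", "")))
    if len(b) != 8 or b[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 interface ID: " + interface_id)
    b[0] ^= 0x02                       # undo the seventh-bit inversion
    mac = (b[:3] + b[5:]).hex().upper()
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    # Constructed MACs reproducing the book's two interface IDs.
    print(eui64_address("2001:DB8:1111:1", "0201.AA00.0001"))
    print(eui64_interface_id("30F7.0D29.8568"))
    print(mac_from_eui64("32F7:0DFF:FE29:8568"))
```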
I IPv6 Address Applications
Configuring Dynamic Unicast Address
Normally, we prefer dynamic IP configuration on end-user devices, and we
usually set the IP statically when configuring the interfaces of devices such as
routers; but in some cases, for example if there is a DSL or cable modem
connected to the interface, we can use the DHCP or SLAAC method for that
interface. Cisco routers support both methods.
Figure 24-5 Creating EUI-64 Interface ID Practice
interface GigabitEthernet0/0/0
ipv6 address 2001:DB8:1111:1::/64 eui-64
!
interface GigabitEthernet0/0/1
ipv6 address 2001:DB8:1111:4::/64 eui-64
R1# show ipv6 interface brief
GigabitEthernet0/0         [up/up]
    FE80::1:AAFF:FE00:1
    2001:DB8:1111:1:1:AAFF:FE00:1
GigabitEthernet0/0/1       [up/up]
    FE80::32F7:DFF:FE29:8568
    2001:DB8:1111:4:32F7:DFF:FE29:8568
! This interface uses DHCP to learn its IPv6 address
interface FastEthernet0/1
ipv6 address dhcp
!
! This interface uses SLAAC to learn its IPv6 address
interface FastEthernet0/0
ipv6 address autoconfig
I IPv6 Address Applications
Using Private Address on Router
When the ipv6 unicast-routing command is enabled on the router, the router
performs the following steps to perform IPv6 routing:
• Gives the interface an IPv6 unicast address.
• Allows inbound and outbound IPv6 routing on the interface.
• Defines the prefix found on this interface.
• If the interface is up/up, adds the prefix to the route table.
Routers also use Link-Local addresses as next-hop IP addresses toward other
IPv6 routers, as shown in Figure 24-6. In IPv6, hosts use the default router
(default gateway) concept just as in IPv4, but while IPv4 hosts use a router
address from the same subnet, IPv6 hosts use the router's Link-Local address.
In the show ipv6 route output, the router lists the link-local address of the
neighboring router instead of its global unicast or unique local unicast address.
Link-Local Addresses
IPv6 Link-Local Addresses are used as private IPv6 unicast addresses. These
addresses are not used to carry end-user data in IPv6 packets. Instead, they are
used by some common protocols and for routing.
Link-Local Address Concepts
IPv6 Link-Local Addresses are defined so that packets sent to them are not
forwarded by any router to another subnet. As a result, protocol messages that
must remain within the local LAN use IPv6 Link-Local addresses. For example,
Neighbor Discovery Protocol (NDP), which replaces the ARP functions of IPv4,
uses Link-Local addresses.
Figure 24-6 IPv6 Using Link-Local Addresses as the Next-Hop Address
I IPv6 Address Applications
Link-Local Address Configuration: If you use the EUI-64 format on the interface,
the Link-Local address will be created with the same method, but if you specify
the IPv6 address statically on the interface, you can configure the Link-Local
address as well.
Figure 24-7 Link-Local Address Format
Some Special Addresses
0:0:0:0:0:0:0:0 Equals ::. This is equivalent to 0.0.0.0 in IPv4 and is typically a
host's source address when you use stateful configuration.
0:0:0:0:0:0:0:1 Equals ::1. Equivalent to 127.0.0.1 in IPv4.
0:0:0:0:0:0:192.168.100.1 This is the way an IPv4 address is written in a mixed
IPv6/IPv4 network environment.
2000::/3 Global unicast address range.
FE80::/10 Link-local unicast range.
FF00::/8 Multicast range.
3FFF:FFFF::/32 Reserved for examples and documentation.
2001:0DB8::/32 This too is reserved for examples and documentation.
2002::/16 Used with 6to4, which is a transition mechanism that allows
IPv6 packets to cross an IPv4 network without the need for explicitly
configured tunnels.
Multicast: As in IPv4, packets sent to a multicast address are delivered to all
interfaces identified by the multicast address. Sometimes people refer to them as
one-to-many addresses. Multicast addresses in IPv6 are really easy to spot,
since they always start with FF.
Anycast: Like multicast addresses, an anycast address identifies multiple
interfaces. But there is one big difference: an anycast packet is delivered to a
single interface (actually, to the nearest one, as determined by routing
distance). This address is special because you can assign a single address to
more than one interface. You can think of them as one-to-one-of-many addresses,
but just call them anycast for convenience.
I IPv6 Address Applications
IPv6 Routing
Applications
I IPv6 Routes
I Static IPv6 Routes
I Static Default Routes
I Floating Static IPv6 Routes
I Neighbor Discovery Protocol NDP
I IPv6 Routing Applications
IPv6 Routes
Cisco routers follow a similar path to IPv4 when adding IPv6 routes to the route
table:
It adds the IPv6 addresses of up/up interfaces to the route table as local and
connected routes.
It adds statically entered routes to the routing table.
If OSPFv3 is configured, it adds the routes learned from OSPFv3.
Static IPv6 Routes
Static Routes Using Outgoing Interface:
R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0
R2(config)# ipv6 route 2001:db8:1111:1::/64 s0/0/1
R1# show ipv6 route static
! Legend omitted for brevity
S 2001:DB8:1111:2::/64 [1/0] via Serial0/0/0, directly connected
R1# show ipv6 route 2001:db8:1111:2::22
Routing entry for 2001:DB8:1111:2::/64
Known via "static", distance 1, metric 0
Route count is 1/1, share count 0
Routing paths: directly connected via Serial0/0/0
Static Routes Using Next-Hop Address:
For the next-hop address we use R2's IPv6 address on R1, and R1's IPv6 address
on R2.
R1(config)# ipv6 route 2001:db8:1111:2::/64 2001:DB8:1111:4::2
R2(config)# ipv6 route 2001:db8:1111:1::/64 2001:db8:1111:4::1
R1# show ipv6 route static
! Legend omitted for brevity
S 2001:DB8:1111:2::/64 [1/0]
via 2001:DB8:1111:4::2
R1# show ipv6 route 2001:db8:1111:2::22/64
Routing entry for 2001:DB8:1111:2::/64
Known via "static", distance 1, metric 0
Backup from "ospf 1 [110]"
Route count is 1/1, share count 0
Routing paths:
2001:DB8:1111:4::2
Figure 25-1 IPv6 Static Route Example
I IPv6 Routing Applications
Static Routes Using Link-Local Address:
! The first command is on router R1, listing R2's link-local address
R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0 FE80::FF:FE00:2
! The next command is on router R2, listing R1's link-local address
R2(config)# ipv6 route 2001:db8:1111:1::/64 S0/0/1 FE80::FF:FE00:1
R1# show ipv6 route static
! Legend omitted for brevity
S 2001:DB8:1111:2::/64 [1/0]
via FE80::FF:FE00:2, Serial0/0/0
R1# show ipv6 route 2001:db8:1111:2::22
Routing entry for 2001:DB8:1111:2::/64
Known via "static", distance 1, metric 0
Backup from "ospf 1 [110]"
Route count is 1/1, share count 0
Routing paths:
FE80::FF:FE00:2, Serial0/0/0
Last updated 00:08:10 ago
Static Default Routes:
! Forward out B1's S0/0/1 local interface...
B1(config)# ipv6 route ::/0 S0/0/1
B1# show ipv6 route static
S ::/0 [1/0]
via Serial0/0/1, directly connected
Figure 25-2 Using Default Route in B1
Static IPv6 Host Routes
! The next command also lists host B's address, prefix length /128,
! but with R2's global unicast address as next-hop, and no outgoing
! interface.
R1(config)# ipv6 route 2001:db8:1111:2::22/128 2001:DB8:1111:4::2
I IPv6 Routing Applications
Floating Static IPv6 Routes
R1# show ipv6 route static
! Legend omitted for brevity
S 2001:db8:1111:7::/64 [130/0]
via 2001:db8:1111:9::3
R1# show ipv6 route 2001:db8:1111:7::/64
Routing entry for 2001:db8:1111:7::/64
Known via "static", distance 130, metric 0
Route count is 1/1, share count 0
Routing paths:
2001:db8:1111:9::3
Last updated 00:00:58 ago
Table 25-3 Default Administrative Distance
Figure 25-4 Using the Floating Static Route
I IPv6 Routing Applications
Neighbor Discovery Protocol
Neighbor Discovery Protocol is a protocol that works like ARP in IPv4. NDP plays
an important role on routers. Let's look at some important functions of the NDP
protocol.
Neighbor MAC Discovery: Replaces ARP in IPv4. It learns the MAC address for a
known IPv6 address.
Router Discovery: Allows hosts in the same subnet to learn about the IPv6
routers on the link.
SLAAC: When using Stateless Address Autoconfiguration (SLAAC), the host
uses NDP messages to learn the prefix information used in the subnet.
DAD: Before the host uses an IPv6 address, it uses Duplicate Address Detection
(DAD) to check whether another host is already using that IPv6 address.
Figure 25-5 IPv6 Neighbor Table
Figure 25-6 Finding Default Router
Chapter - 9
Wireless LAN
I Wireless Networks Fundamentals
I Cisco Wireless Architecture
I Wireless Networks Security
I Creating a Wireless LAN
Wireless
Networks
Fundamentals
I Introduction to Wireless Technology
I Wireless LAN Topologies
I Other Wireless Topologies
I RF Overview
I Wireless Bands and Channels
I AP and Wireless Standards
I Wireless Networks Fundamentals
Introduction to Wireless Technology
Transferring a signal using the typical 802.11 arrangement works quite
similarly to a simple Ethernet hub: both are two-way communication models.
They use the same frequency to send and receive, and this is referred to as
half-duplex, as described in the previous sections.
Wireless LANs (WLANs) use radio frequencies (RF) radiated into the air from
an antenna that creates radio waves. These waves can be absorbed, refracted or
reflected by water, walls and metal surfaces, reducing the signal strength.
Because of this inherent sensitivity to environmental factors, it is clear that
wireless will never be able to deliver the same service that wired networks can.
But this still does not mean that we will not use wireless. Believe me, we will
definitely use it!
Various organizations have long struggled to help manage the use of wireless
devices, frequencies, standards, and the frequency spectrum. Table 26-1 shows the
existing institutions around the world that have helped create, provide, and even
implement wireless standards.
Table 26-1 Wireless Standard Organizations
I Wireless Networks Fundamentals
Wireless LAN Topologies
Wireless communication takes place over free space using radio frequency (RF)
signals. The theory behind RF signals can be complex, which I'll explain in
more detail in the following sections. Assume for now that the transmitter of
one device is sending RF signals to the receiver of another device. As shown in
Figure 26-2, the transmitter can always reach the receiver as long as both
devices are tuned to the same frequency and use that frequency to carry
data between them. Everything seems simple, though not very practical.
Figure 26-2 Unidirectional Communication
To take full advantage of wireless communication, data must travel in both
directions, as shown in Figure 26-3. Sometimes Device A needs to send data to
Device B, while sometimes Device B wants to send data to Device A.
Figure 26-3 Bidirectional Communication
Since the two devices use the same channel, one device sends data while the
other receives; the other device must wait before it can send, so at any moment
the communication is one-way. If more than one signal is received at the same
time in wireless communication, they can interfere with each other. The greater
the number of wireless devices, the greater the likelihood of interference. For
example, Figure 26-4 shows four devices tuned to the same channel and what
can happen if some or all of them transmit simultaneously.
Figure 26-4 Several devices sending data on the same channel.
In order to avoid interference and retransmissions, devices need to work in
half duplex. If they do not send and receive in turn, interference and waiting
times will increase; but more than one device can share the same channel and
access it in wireless networks. For this reason, only one device should
transmit at any time, and the 802.11 standards were created to ensure this.
Wireless devices are produced according to these standards.
Basic Service Set
As a solution, things can be settled with an AP (Access Point) that every wireless device can connect to. In order for the devices to connect to the AP, the AP broadcasts a BSS and the devices use the 802.11 standards to register. The AP broadcasts the BSS on a single channel, and all devices in it use that channel so that they can communicate correctly.
Since the operation of a BSS is dependent on the AP, the BSS is limited to the area where the AP's signal is available. This is known as the Basic Service Area (BSA) or cell. In Figure 26-5 the cell is shown as a simple shaded circular area centered around the AP. Depending on the antenna attached to the AP and the physical environment that may affect the AP's signals, cells may have other shapes.
In addition, the AP identifies the wireless network with the Service Set Identifier (SSID), a text string containing a logical name. The AP advertises the SSID to the devices that will connect to the network, and in the background it also advertises a BSSID for this SSID, which is based on the AP's MAC address.
Figure 26-5 802.11 Basic Service Set
Figure 26-6 Traffic flow with BSS
Distribution System
We have gathered the BSS and the wireless devices around an AP in one place, but for now they can only communicate with each other. The task of the AP does not end with the BSS alone; it also needs to connect the devices on the wireless network with the devices on the wired network. Fortunately, the AP has a wired Ethernet connection, and it can carry the hosts on it to other networks over that connection. Figure 26-7 shows an example of how this happens.
Figure 26-7 Distribution System Supporting a BSS
Figure 26-8 Using Multiple SSIDs on an AP
Figure 26-8 gives an example of using more than one SSID on an AP. In this example, the connection between the AP and the switch is configured as a trunk, and we can connect users to different networks by creating different SSIDs on the AP.
Extended Service Set
Normally, one AP does not cover the entire area where clients can be found. For example, you may need wireless coverage on all floors of a hotel, hospital, or other large building. Simply add and configure more APs to cover more areas. You must configure your network so that the APs communicate with each other over the switch, as in the example given in Figure 26-9. When you leave the coverage area of one AP and enter the coverage area of the other AP, the host will automatically switch to the other AP without you needing to take any action.
Figure 26-9 Extended Service Set Example
Other Wireless Topologies
Repeater
A repeater AP receives the signal of an existing AP and retransmits it, extending the signal into a region where it is weak. Normally, the problem should be solved by pulling a network cable to the area where the signal is weak and installing a new AP there. But if you have no possibility to pull a cable and you need an urgent solution, you can use this method.
Figure 26-10 Example of Repeater Usage
Work Group Bridge
Let's say you have a device that supports a wired Ethernet connection but does not have a wireless connection. For example, some mobile medical devices are designed with a wired connection only. While it is possible to plug the device into an Ethernet connection when needed, a wireless connection would be much more practical. You can use a workgroup bridge (WGB) to connect the device's wired network adapter to a wireless network.
Figure 26-11 Using WGB for Non-Wireless Device
Outdoor Bridge
An AP can be configured to act as a bridge to create a single wireless connection from one network to another over a long distance. Outdoor bridged connections are often used to connect buildings or cities.
Figure 26-12 Point-to-Point Outdoor Bridge
Figure 26-13 Point-to-Multipoint Outdoor Bridge
Mesh Network
You may not be able to run Ethernet cables to every AP to provide wireless coverage over a very large area. Instead, you can use APs configured in mesh mode. In a mesh topology, wireless traffic is bridged from AP to AP in a daisy chain, using another wireless channel for the links between the APs.
Figure 26-14 Typical Wireless Mesh Network
RF Overview
To send data over a wired connection, an electrical signal is applied at one end and carried to the other. The wire of the cable is continuous and conductive, so the signal is transmitted quite easily. But a wireless connection does not have any physical path to carry the signal.
In RF, the sender (a transmitter) applies an alternating current to a section of wire (the antenna), which induces moving electric and magnetic fields that propagate out and away as moving waves. The electric and magnetic fields move together and are always at right angles to each other, as shown in Figure 26-15. The signal must be constantly switched or flipped up and down to allow the electric and magnetic field waves to overlap and push outward.
Figure 26-15 Moving Electric and Magnetic Waves.
Electromagnetic waves do not travel in a straight line. Instead, they are transmitted away from the antenna, expanding in all directions. The resulting waves start small and expand outward, only to be replaced by new waves. In empty space, electromagnetic waves expand outward in all three dimensions. Figure 26-16 shows a simple antenna. The waves it produces expand outward circularly and will eventually reach the receiver, in addition to many other locations in other directions.
Figure 26-16 Wave Propagation with a Simple Antenna
At the receiving end of the wireless connection, the process is reversed. As the electromagnetic waves reach the antenna of the receiver, they create an electrical signal. If all goes well, the received signal will be a reasonable copy of the original sent signal.
The electromagnetic waves involved in a wireless connection can be measured and described in several ways. One of the key features is the frequency of the wave, or the number of times the signal cycles fully up and down in 1 second. Figure 26-17 shows how a wave cycle can be defined. A cycle begins when the signal rises from the centerline, falls below it, and rises back to the centerline again. The interval from the peak of one wave to the peak of the next can also be measured as a cycle. Wherever you start measuring a cycle, the signal should make a full trip back to its starting position, ready to repeat the same cyclic pattern.
Figure 26-17 Cycles in a Wave
Figure 26-18 Frequency Unit Names
Figure 26-19 Frequency Spectrum
Wireless Bands and Channels
One of the two main frequency ranges used for wireless LAN communication is between 2.400 and 2.4835 GHz. It is often referred to as the 2.4 GHz band, although it does not cover the entire range between 2.4 and 2.5 GHz.
The other wireless LAN range is often referred to as the 5 GHz band because it is between 5.150 and 5.825 GHz. The 5 GHz band actually includes the following four separate bands:
• 5.150 to 5.250 GHz
• 5.250 to 5.350 GHz
• 5.470 to 5.725 GHz
• 5.725 to 5.825 GHz
A frequency band contains a continuous frequency range. If a single frequency is required for a wireless connection between two devices, what frequency can they use? How many unique frequencies can be used in a band? Bands are often split into several different channels to keep everything organized and harmonious. Each channel is known by a channel number and is assigned a specific frequency. As long as the channels are defined by the national or international standards body, they can be used consistently in all locations. Figure 26-20 shows the channel layout for the 2.4 GHz band, and Figure 26-21 shows the channel layout for the 5 GHz bands.
Figure 26-20 2.4 GHz Band Channels
Figure 26-21 5 GHz Band Channels
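As an added example (not from the book), the following Python works out the 2.4 GHz channel centre frequencies from the channel number and checks which channels overlap, which is the reasoning behind the familiar 1/6/11 channel plan. The centre-frequency rule (2407 + 5n MHz, channel 14 at 2484 MHz) and the 22 MHz 802.11b channel width come from the IEEE 802.11 standard; the band edges are the 2.400 to 2.4835 GHz values given above.

```python
"""2.4 GHz band channel planning (added example; not from the original book).

Per IEEE 802.11, channel n (1-13) is centred at 2407 + 5*n MHz and channel 14
at 2484 MHz. The original 802.11b DSSS channel is 22 MHz wide, so two channels
only stay clear of each other when their centres are at least 22 MHz apart.
"""

BAND_LOW_MHZ = 2400.0      # lower edge of the 2.4 GHz band named in the text
BAND_HIGH_MHZ = 2483.5     # upper edge (2.4835 GHz) named in the text
CHANNEL_WIDTH_MHZ = 22     # 802.11b DSSS channel width


def center_freq_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz band channel in MHz."""
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    raise ValueError(f"channel {channel} is not a 2.4 GHz band channel")


def channel_edges_mhz(channel: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> tuple:
    """Lower and upper edge of the spectrum the channel occupies."""
    centre = center_freq_mhz(channel)
    return centre - width_mhz / 2, centre + width_mhz / 2


def fits_in_band(channel: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True if the whole channel lies inside 2.400-2.4835 GHz."""
    low, high = channel_edges_mhz(channel, width_mhz)
    return low >= BAND_LOW_MHZ and high <= BAND_HIGH_MHZ


def channels_overlap(a: int, b: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """Two channels overlap when their centres are closer than one channel width."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < width_mhz


def overlapping_channels(channel: int, width_mhz: int = CHANNEL_WIDTH_MHZ) -> list:
    """All other channels that would interfere with the given one."""
    return [c for c in range(1, 15)
            if c != channel and channels_overlap(channel, c, width_mhz)]


def non_overlapping_plan(channels=range(1, 14), width_mhz: int = CHANNEL_WIDTH_MHZ) -> list:
    """Greedy pick of non-overlapping channels, lowest channel first.

    For channels 1-13 with a 22 MHz width this yields [1, 6, 11]; with a
    20 MHz (802.11g/n) width it yields the four-channel plan [1, 5, 9, 13].
    """
    plan = []
    for c in channels:
        if all(not channels_overlap(c, p, width_mhz) for p in plan):
            plan.append(c)
    return plan


def plan_is_valid(plan, width_mhz: int = CHANNEL_WIDTH_MHZ) -> bool:
    """True if no two channels in the plan overlap each other."""
    return all(not channels_overlap(a, b, width_mhz)
               for i, a in enumerate(plan) for b in plan[i + 1:])


if __name__ == "__main__":
    for ch in range(1, 15):
        low, high = channel_edges_mhz(ch)
        print(f"channel {ch:2d}: {center_freq_mhz(ch)} MHz ({low:.1f}-{high:.1f}), "
              f"in band: {fits_in_band(ch)}, overlaps: {overlapping_channels(ch)}")
    print("plan for channels 1-13:", non_overlapping_plan())
```

Channel 14 is reported as not fitting in the band because its upper edge (2495 MHz) lies above the 2.4835 GHz limit stated above.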
AP and Wireless Standards
Wireless devices and APs must all be able to operate in the same band. For
example, on the 5 GHz band, a wireless phone can only communicate with an
AP that offers Wi-Fi service on 5 GHz channels. In addition, devices and APs
must work in compliance with the 802.11 standards.
As the IEEE 802.11 Wi-Fi standard develops and new capabilities are added, each amendment is published under a new name within the 802.11 standard family.
Figure 26-22 IEEE 802.11 Standards
Cisco
Wireless
Architecture
I Autonomous AP Architecture
I Split-Mac AP Architecture
I Cloud-Based AP Architecture
I Comparing WLC Types
I Cisco AP Modes
I Cisco Wireless Architecture
Autonomous AP Architecture
The primary task of an Access Point is to transmit data from wireless devices to a regular wired network. It acts as a bridge between the wired network and the client to allow wireless clients to access the wired network. An Autonomous AP works independently. It offers one or more BSSs, and we can make it work with different VLANs by creating different SSIDs. Figure 27-1 shows the basic architecture.
An Autonomous AP must also be configured with a management IP address before you can manage it remotely (10.10.10.10 in Figure 27-1). Ultimately, you will want to configure SSIDs, VLANs, and many RF parameters such as the channel to use and the transmit power. The management address is not normally part of the data VLANs, so a special management VLAN (for example, VLAN 10) must be created to reach the AP. Unless you are leveraging a management platform such as Cisco Prime Infrastructure or Cisco DNA Center, each AP must be configured individually.
Figure 27-1 Wireless Network Architecture with Autonomous AP
Figure 27-2 Data VLANs Coverage with Autonomous AP
Split-Mac AP Architecture
Because Autonomous APs work alone, managing RF operations can be quite
challenging. As a network administrator, you are responsible for selecting and
configuring the channel used by each AP, and identifying and dealing with
any Rogue APs that may interfere.
Management functions are not integrated with the processing of frames on RF
channels, but are things that need to be managed centrally. Therefore, these
functions can be moved away from the AP to a central platform.
When the functions of an Autonomous AP are divided, it is known as a
Lightweight AP and only performs real-time 802.11 processing.
Administrative operations of Lightweight APs are handled by the Wireless LAN Controller (WLC) that controls them. This is shown in Figure 27-3. The APs continue their duties in Layers 1 and 2. All other WLAN functions, such as authenticating users, managing security policies, and even selecting RF channels and output power, are handled by the WLC.
Note: Lightweight APs cannot run on their own without WLC.
Figure 27-3 Comparison of Autonomous AP and Lightweight AP.
CAPWAP Control Messages: Carry the control messages used to configure the AP and manage its operation. Control messages are authenticated and encrypted so that the AP is securely controlled only by the appropriate WLC, and are then transported over the control tunnel.
CAPWAP Data: Used for outgoing and incoming packets to and from wireless clients. Data packets are carried over the data tunnel, but are not encrypted by default. When data encryption is enabled for an AP, packets are protected by Datagram Transport Layer Security (DTLS).
Figure 27-4 Linking a Lightweight AP and WLC with CAPWAP
Figure 27-5 CAPWAP Tunneling with WLC
When connecting Lightweight APs to switches, the switch port works in access mode, not trunk mode. The APs create CAPWAP tunnels between themselves and the WLC, and the traffic of all VLANs travels to and from the AP inside this tunnel.
Cloud-Based AP Architecture
Autonomous APs work as standalone and we need to configure and maintain
them one by one or we need to use Cisco Prime Infrastructure. But as our
network grows, it will become increasingly difficult to control Autonomous
APs one by one.
Cloud-Based Cisco Meraki APs, on the other hand, can be easily managed from
a single center via a Management Portal on the Cloud. It can become very easy
to generate reports such as configurations of APs, user performance and
activity.
Figure 27-6 Cisco Meraki Cloud Based Wireless Network Architecture
Comparing WLC Types
Figure 27-7 Unified WLC
Figure 27-8 Cloud WLC
Figure 27-9 Mobility Express WLC
Figure 27-10 Embedded WLC
Cisco AP Modes
Local: This is the default mode of a Lightweight AP. When not transmitting, the AP scans other channels to measure the noise level, measure interference, find rogue devices, and match intrusion detection system (IDS) events.
Monitor: The AP does not transmit at all, but its receiver is made to act as a dedicated sensor. The AP checks for IDS events, detects rogue APs, and locates stations via location-based services.
FlexConnect: An AP at a remote location can switch traffic between an SSID and a VLAN locally over the switch when the WLC is down or unreachable and the CAPWAP tunnel cannot be established, provided the AP is configured to do so.
Sniffer: An AP is set to receive traffic from other sources, such as other 802.11 wireless devices. The captured traffic is then forwarded to network analysis software installed on a PC, such as Wildpackets OmniPeek or Wireshark, where it can be further analyzed.
Rogue Detector: An AP is set to detect rogue devices by comparing the MAC addresses seen on the wired and wireless networks. Rogue devices are devices that appear on both networks.
SE-Connect: The AP is dedicated to performing spectrum analysis with its radios on all wireless channels. It sends spectrum analysis data to a PC running software such as MetaGeek Chanalyzer or Cisco Spectrum Expert, which collects and analyzes the data to discover sources of interference.
Bridge: An AP becomes a dedicated bridge (point-to-point or point-to-multipoint) between two networks. Two APs in bridge mode can be used to connect two locations separated by distance.
Flex+Bridge: FlexConnect operation is enabled on a mesh AP.
Wireless
Network Security
I Secure Connection Anatomy
I Wireless Client Authentication Methods
I Wireless Privacy and Integrity Methods
I WPA, WPA2, and WPA3
I Wireless Network Security
Secure Connection Anatomy
In a wired connection, a client is directly connected to the switch, and what it sends goes straight to the switch; in a wireless connection, the clients are not directly connected. Consider the scenario in Figure 28-1. The wireless user logs on to remote servers and shares a secret password. Since both untrusted users are in range of the client's signal, they can also learn the password by capturing the frames sent on the channel. Wireless communication therefore makes it easier for malicious users to listen to and use the signals that come and go.
Authentication
Before users start using the wireless network, they need to be authenticated with some authentication method. Assume that your company's confidential information and documents can be accessed through your wireless network. In this case, only trusted and known devices and people should be given access. If guest users are allowed, they should be allowed to join a different guest WLAN where they can access only non-private or public resources.
Wireless authentication can take many forms. The first of these methods only requires that all trusted users know a common preset password on the APs. The password is stored on the user device and presented directly to the AP when needed. What can happen if the device is stolen or lost? Most likely, any user who holds the device can still authenticate to the network. Another authentication method requires use with an enterprise user database. In these cases, the end user must enter a valid username and password, something that will not be known to malicious people.
Figure 28-1 Unsecured Wireless Connection Traffic
Message Privacy
Let's say you authenticate before joining the wireless network. However, data passing to and from the client is still available to eavesdropping users on the same channel. To maintain data privacy on a wireless network, data must be encrypted while it travels over the air. Wireless data packets are encrypted when sent and decrypted when received. This requires an encryption method that the transmitter and receiver share, so that data can be successfully encrypted and decrypted.
Figure 28-2 Encrypting Wireless Data to Protect Data Privacy
Integrity
We encrypt our data to hide it from other users using the same channel. A message integrity check (MIC) is a security tool that can protect against data tampering. The sender adds a secret stamp, the MIC, to the encrypted data frame. The stamp is based on the content of the data bits to be transmitted. When the receiver decrypts the frame, it can compare the hidden stamp with its own idea of what the stamp should be, based on the data bits received. If the two stamps are the same, the recipient can safely assume that the data has not been tampered with. Figure 28-3 shows MIC operation.
Figure 28-3 Checking Message Integrity over Wireless Network
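To make the stamp comparison concrete, here is an added Python example (not from the book) that encrypts a frame with a toy keystream and attaches a MIC computed with HMAC-SHA256; the keystream, the HMAC and the 12-byte nonce / 8-byte MIC frame layout are stand-ins for the real 802.11 ciphers and integrity codes described later. It shows why privacy alone is not enough: a receiver that only decrypts accepts a frame with a flipped ciphertext bit as valid data, while a receiver that recomputes the MIC rejects it.

```python
"""Privacy plus integrity on a wireless frame (added example, not from the book).

The keystream below is a toy built from SHA-256 and the MIC is an HMAC; both
stand in for the real 802.11 ciphers and integrity codes. The frame layout is
also a constructed one: 12-byte nonce | ciphertext | 8-byte MIC.
"""
import hashlib
import hmac

NONCE_LEN = 12
MIC_LEN = 8


def _derive(key: bytes, purpose: bytes) -> bytes:
    """Separate encryption and integrity keys from one shared secret."""
    return hashlib.sha256(purpose + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode style keystream: hash(key | nonce | counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mic(mic_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """The 'stamp': computed over the nonce and the encrypted data bits."""
    return hmac.new(mic_key, nonce + ciphertext, hashlib.sha256).digest()[:MIC_LEN]


def protect_frame(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Sender: encrypt the payload, then append the MIC."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 bytes and never reused with the same key")
    ciphertext = _xor(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext)))
    return nonce + ciphertext + _mic(_derive(key, b"mic"), nonce, ciphertext)


def open_frame(key: bytes, frame: bytes):
    """Receiver: recompute the stamp and compare; None means the frame is rejected."""
    if len(frame) < NONCE_LEN + MIC_LEN:
        return None
    nonce, ciphertext, mic = frame[:NONCE_LEN], frame[NONCE_LEN:-MIC_LEN], frame[-MIC_LEN:]
    expected = _mic(_derive(key, b"mic"), nonce, ciphertext)
    if not hmac.compare_digest(mic, expected):     # constant-time comparison
        return None
    return _xor(ciphertext, _keystream(_derive(key, b"enc"), nonce, len(ciphertext)))


def decrypt_without_mic(key: bytes, frame: bytes) -> bytes:
    """A receiver that only decrypts (privacy without integrity) accepts anything."""
    nonce, ciphertext = frame[:NONCE_LEN], frame[NONCE_LEN:-MIC_LEN]
    return _xor(ciphertext, _keystream(_derive(key, b"enc"), nonce, len(ciphertext)))


def flip_bit(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate one corrupted or altered bit on the air."""
    buf = bytearray(frame)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


if __name__ == "__main__":
    key = b"constructed-shared-key-00"          # constructed sample secret
    frame = protect_frame(key, bytes(NONCE_LEN), b"transfer 100")
    # Flip bit 3 of the ciphertext byte that carries the '1' (0x31 -> 0x39 = '9').
    altered = flip_bit(frame, NONCE_LEN + 9, 3)
    print("decrypt only:", decrypt_without_mic(key, altered))   # b'transfer 900'
    print("with MIC    :", open_frame(key, altered))            # None (rejected)
```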
Wireless Client Authentication Methods
You can use many authentication methods to connect wireless users to the network. Some of these methods became obsolete over time, and authentication methods evolved as security vulnerabilities emerged and wireless hardware developed. In this chapter, I will describe the most common authentication methods you may encounter.
Open Authentication
The original 802.11 standard offered only two options for authenticating a user: Open Authentication and WEP. Open Authentication offers open access to a wireless network, checking only whether the user supports the 802.11 wireless standard. This method is often used in cafes, shopping malls, and other public places, where authentication is done through a web page. Most operating systems will give you a warning when joining such networks, informing you that your wireless data will not be secure at all.
WEP (Wired Equivalent Privacy)
As you can imagine, Open Authentication offers nothing that can hide or encrypt data sent between a user and an AP. Alternatively, the 802.11 standard has traditionally defined Wired Equivalent Privacy (WEP) as a method of making a wireless connection more similar, or equivalent, to a wired connection.
WEP uses the RC4 cipher algorithm to hide each wireless data frame. The same algorithm encrypts the data at the sender and decrypts it at the receiver. The algorithm uses a string of bits, often called the WEP key, as a key to derive other encryption keys, one per wireless frame. As long as the sender and receiver have the same key, one can decrypt what the other has encrypted.
WEP keys can be 40 or 104 bits long, represented by a string of 10 or 26 hex digits. As a general rule, longer keys provide more unique bits for the algorithm, resulting in stronger encryption. WEP was defined in the 802.11 standard in 1999, but in 2001 a number of weaknesses were discovered and exposed, so work began on finding better wireless security methods. WEP was officially discontinued in 2004. WEP encryption is considered a weak method of securing a wireless LAN.
802.1x EAP
A more secure authentication method than Open Authentication and WEP was needed. Instead of adding more authentication methods to the 802.11 standard, the Extensible Authentication Protocol (EAP), a more flexible and scalable authentication framework, was chosen. EAP defines a set of common functions that actual authentication methods can use to authenticate users.
EAP can integrate with the IEEE 802.1x port-based access control standard. When 802.1x is enabled, access to the network is restricted until a client authenticates. This means that the wireless user cannot transmit data to any other part of the network until authentication succeeds. Unlike Open or WEP authentication, with 802.1x the client uses open authentication only to associate with the AP; the AP then forwards the client to a dedicated authentication server for the actual client authentication process. Figure 28-4 shows the three-sided 802.1x arrangement.
Figure 28-4 802.1x Client Authentication Roles
The WLC becomes the agent in the client authentication process: it controls user access with 802.1x and communicates with the authentication server using the EAP framework.
LEAP
To close the weaknesses in WEP, Cisco developed a proprietary wireless authentication method called Lightweight EAP (LEAP). For authentication, the client must provide username and password credentials. In addition, the authentication server and the client exchange challenge messages, which each side encrypts and returns. This provides mutual authentication: as long as the messages can be decrypted successfully, the client and the AS have authenticated each other.
EAP-FAST
Cisco has developed a more secure method called EAP Flexible Authentication by Secure Tunneling (EAP-FAST). Authentication information is protected by passing a protected access credential (PAC) between the AS and the requestor. The PAC is a form of shared secret created by the AS and used for mutual authentication. EAP-FAST is a sequence of three phases:
Phase 1: The PAC is created or provisioned and installed on the client.
Phase 2: After the requestor and AS authenticate each other, they agree on a Transport Layer Security (TLS) tunnel.
Phase 3: The end user is authenticated over the TLS tunnel for added security.
Note that there are two separate authentication processes in EAP-FAST: one between the AS and the requestor, and one with the end user. These happen as external authentication (outside the TLS tunnel) and internal authentication (inside the TLS tunnel), respectively.
Like other EAP-based methods, a RADIUS server is required. However, in order for the RADIUS server to generate one PAC per user, it must also function as an EAP-FAST server.
PEAP
Like EAP-FAST, the Protected EAP (PEAP) method uses internal and external authentication, but the AS presents a digital certificate to authenticate itself to the requestor in the external authentication. The AS's digital certificate consists of data in a standard format that is "signed" or certified by a third party. The third party is known as a Certificate Authority (CA) and is known and trusted by both the AS and the requestors. The requestor must also have the CA certificate to be able to verify the certificate obtained from the AS. The certificate is also used to pass a public key in plain view, which can be used to help decrypt messages from the AS.
Note that in PEAP only the AS has a certificate. This means that the requestor can easily verify the AS. The client does not have or use its own certificate, so it must be authenticated within the TLS tunnel using one of the following two methods:
MSCHAPv2: Microsoft Challenge Authentication Protocol version 2
GTC: Generic Token Card; a hardware device that generates one-time passwords for the user, or a manually generated password.
EAP-TLS
PEAP uses the digital certificate on the AS as a powerful method to authenticate the RADIUS server. Getting and installing a certificate on a single server is easy, but EAP Transport Layer Security (EAP-TLS) requires installing certificates on the AS and on each client device.
With EAP-TLS, the AS and the client exchange certificates and can authenticate each other. A TLS tunnel is then built so that encryption keys can be exchanged securely.
EAP-TLS is considered the most secure wireless authentication method available; however, it can be difficult to implement. Each wireless client, as well as the AS, must obtain and install a certificate. Manually installing certificates on hundreds or thousands of clients may not be practical. Instead, you need to implement a Public Key Infrastructure (PKI) that can securely and efficiently issue certificates and revoke them when a client or user no longer needs access to the network. This usually involves setting up your own CA or establishing a trust relationship with a third-party CA that can provide certificates to your clients.
Note: EAP-TLS is only useful if wireless clients can accept and use digital certificates. Many wireless devices, such as communicators, medical devices, and RFID tags, have a base operating system that cannot interface with a CA or use certificates.
Wireless Privacy and Integrity Methods
TKIP
After WEP was found to be vulnerable on wireless clients and APs, the Temporal Key Integrity Protocol (TKIP) was developed. TKIP adds the following security features on top of legacy hardware and basic WEP encryption:
MIC: This efficient algorithm adds a hash value to every frame as a message integrity check to prevent tampering; it is often referred to as "Michael", an unofficial name for the MIC.
Time Stamp: A timestamp is added to the MIC to prevent attacks that attempt to reuse or reconstruct previously sent frames.
TKIP sequence counter: This feature provides a record of the frames sent by a unique MAC address to prevent frame tampering.
Key mixing algorithm: This algorithm calculates a unique 128-bit WEP key for each frame.
CCMP
The Counter/CBC-MAC Protocol (CCMP) is considered more secure than TKIP. CCMP consists of two algorithms:
• AES counter mode encryption
• Cipher Block Chaining Message Authentication Code (CBC-MAC), used as the message integrity check (MIC)
The Advanced Encryption Standard (AES) is the current encryption algorithm adopted by the US National Institute of Standards and Technology (NIST) and the US government, and it is widely used all over the world. In other words, AES is public and offers the most secure encryption method available today.
For CCMP to be used to secure wireless networks, client devices and APs must support AES counter mode and CBC-MAC in hardware. CCMP is not available on devices that only support WEP or TKIP. CCMP is used with WPA and WPA2.
GCMP
The Galois/Counter Mode Protocol (GCMP) is a robust authenticated encryption suite that is more secure and more efficient than CCMP. GCMP consists of two algorithms:
• AES counter mode encryption
• Galois Message Authentication Code (GMAC), used as the message integrity check (MIC)
GCMP is used with WPA3.
WPA, WPA2, and WPA3
In the previous sections, we covered various authentication methods, encryption methods, and message integrity algorithms. When it's time to configure a WLAN with wireless security, how do we know which one is the best, or which ones work well together? Which authentication methods are compatible with which encryption algorithms?
The Wi-Fi Alliance (http://wi-fi.org), a nonprofit wireless industry association, has found an easy way to answer this through its Wi-Fi Protected Access (WPA) industry certifications. There are three different versions to date: WPA, WPA2, and WPA3. Wireless products are tested in authorized testing laboratories against strict criteria that represent the correct application of a standard. As long as the Wi-Fi Alliance certifies a wireless client device, an AP, and its associated WLC for the same version of WPA, they should be compatible and offer the same security components.
The Wi-Fi Alliance introduced WPA Version 3 (WPA3) as a future replacement for WPA2 in 2018 and added several important and superior security mechanisms. WPA3 benefits from stronger encryption by AES with the Galois/Counter Mode Protocol (GCMP). It also uses Protected Management Frames (PMF) to secure critical 802.11 management frames between APs and clients and to prevent malicious activity that could spoof or tamper with a BSS's operation.
Figure 28-5 Comparison of WPA, WPA2, and WPA3
Also note that WPA, WPA2, and WPA3 simplify wireless network configuration and compatibility because they limit which authentication and privacy/integrity methods can be used.
Figure 28-6 Overview of Wireless Security Mechanisms and Options
Wireless
LAN Creation
I Connecting a Cisco AP
I Connecting the Cisco WLC to the Network
I Accessing Cisco WLC
I WLAN Configuration
I Creating a Wireless LAN
Connecting a Cisco AP
A Cisco wireless network may consist of Lightweight APs or Autonomous APs working with one or more Wireless LAN Controllers. You must know how to connect each AP type on the switch side so that the APs can forward traffic between the appropriate VLANs and WLANs.
Figure 29-1 Connecting Method of APs
Connecting Cisco WLC to Network
Let's get to know the ports on the WLC.
Service Port: Used for system recovery and first boot functions; always connected to a switch port in access mode.
Distribution System Port: Used for all normal AP and AP management traffic; usually connected to an 802.1Q trunked switch port.
Console Port: Used for system recovery and first boot functions, with a terminal program (9600 baud, 8 data bits, 1 stop bit by default).
Redundancy Port: Allows us to back up the system by connecting a second WLC.
Figure 29-5 Cisco Wireless LAN Controller Ports
Figure 29-6 Cisco 5508 Wireless LAN Controller
Accessing Cisco WLC
To connect to and configure a WLC, you open a web browser and type the WLC's management IP address (over HTTP or HTTPS). This can only be done once the WLC has its initial configuration and a management IP address assigned to the management interface. The web-based GUI provides an efficient way to monitor, configure, and troubleshoot a wireless network. You can also connect to a WLC via an SSH session, where you can use its CLI to monitor, configure, and debug activity.
When you open the web browser and type the management IP, you will see the initial login screen. Click the Login button as shown in Figure 29-2; then enter your user credentials when prompted.
Figure 29-2 WLC Initial Login Screen
Figure 29-3 Switching to the Advanced Configuration Interface
Figure 29-4 WLC Advanced Configuration GUI
WLAN Configuration
A WLAN works with a Wireless LAN Controller and its APs to provide network connectivity to wireless clients. The AP broadcasts an SSID so that the client can join. The WLC connects to the switch via one of its dynamic interfaces. To complete the path between the SSID and the VLAN, as shown in Figure 29-7, we first need to create a WLAN on the WLC.
Figure 29-7 Connecting the Wired and Wireless Network
Step 1: Configure RADIUS Server
If you are going to perform 802.1x authentication on your network, you must first set up the authentication server. If you do not have an authentication server, you can skip this step.
Figure 29-8 Displaying the List of RADIUS Authentication Servers
Figure 29-9 Configuring a New RADIUS Server
Step 2: Configuring the Interface
Figure 29-10 Displaying a List of Dynamic Interfaces
Figure 29-11 Defining a Dynamic Interface Name and VLAN ID
Figure 29-12 Editing the Dynamic Interface Parameters
Step 3: Configuring WLAN
Figure 29-13 Displaying a List of WLANs
Figure 29-14 Creating a New WLAN
Figure 29-15 Configuring the General WLAN Parameters
WLAN Security Configuration
Figure 29-16 Configuring Layer 2 WLAN Security
Figure 29-17 Selecting RADIUS Servers for WLAN Authentication
QoS Configuration
Figure 29-18 Configuring QoS Settings
Figure 29-20 Configuring Management Access from Wireless Networks
Finishing the WLAN Configuration
Figure 29-19 Displaying WLANs Configured on a Controller
Chapter - 10
ACCESS CONTROL LIST
I TCP/IP Transport and Applications
I Basic - ACL Access Control Lists
I Extended - ACL Access Control Lists
I TCP/IP Transport
TCP/IP
Transport and Applications
I TCP - Transmission Control Protocol
I UDP - User Datagram Protocol
I TCP/IP Applications
I URI - Uniform Resource Identifiers
I Using DNS
I File Transfer via HTTP
I TCP/IP Transport and Applications
TCP/IP Layer 4 Transport Protocols: TCP and UDP
TCP - Transmission Control Protocol
The main difference between TCP and UDP is that TCP provides a wide variety
of services to applications but UDP does not. For example, routers drop packets
for many reasons, including bit errors, congestion, and when the correct route
is not known. Many data link protocols detect errors but discard frames with
errors; TCP provides retransmission (error recovery) and helps prevent
congestion (flow control), whereas UDP does not retransmit. As a result, many
application protocols choose to use TCP.
Figure 30-1 shows the TCP header fields. You do not need to memorize the names
or locations of the fields. We'll cover more in the remainder of this section.
Figure 30-1 TCP Header
But do not think that UDP is worse than TCP because of its shortcomings. By
providing fewer services, UDP headers require fewer bytes than TCP, which
means less byte overhead on the network. UDP software does not slow down data
transfer when TCP is slow. Also, some applications, especially Voice over IP
(VoIP) and Video over IP today, don't need error recovery, so they use UDP.
Therefore, UDP also has an important place in TCP / IP networks today.
Figure 30-2 Example of Adding TCP Header
I TCP/IP Transport and Applications
Known (System) Ports: These are the ports used by the system; ports 0 to 1023
are designated by IANA to be used by the system.
User Register Ports: Fewer IANA rules apply to assigning these ports compared
to system ports; they are ports 1024 to 49151.
Temporary (Dynamic, Dedicated) Ports: Numbers 49152 through 65535 that are
unassigned and intended to be temporarily assigned to and used by a client
application dynamically while the application is running.
Figure 30-3 shows an example using three temporary port numbers on the left
user device; the server on the right uses two system ports and one user register
port. The computer uses three applications at the same time; therefore, three
port connections are open. Because a port on a single computer must be unique,
the connection between two ports identifies a unique pair of ports between the
two computers. This uniqueness means you can use multiple applications at the
same time, talking to applications running on the same or different
computers. Port-based multiplexing ensures data is delivered to the right
applications.
Figure 30-3 Example of Port Usage between User and Server
Figure 30-4 Some of the Commonly Used Known System Ports
I TCP/IP Transport and Applications
UDP - User Datagram Protocol
UDP provides some of TCP's functions, such as data transfer and multiplexing
using port numbers, and requires less byte overhead and less processing than
TCP.
Applications using UDP are tolerant of lost data or have some application
mechanism to recover lost data. For example, VoIP uses UDP because if a voice
packet is lost, there is too much delay until the lost packet is detected and
retransmitted, and the voice would be unintelligible; UDP is used because it
works faster than TCP. Also, DNS requests use UDP because the user will retry an
operation if DNS requests fail. As another example, Network File System (NFS),
a remote file system implementation, performs recovery with application layer
code, so NFS uses UDP.
Figure 30-5 UDP Header
TCP/IP Applications
Creating a corporate network or connecting a small home or office network to
the Internet is done in order to use applications such as web browsing, text
messaging, email, file downloads, audio and video. In this Chapter we will
examine a specific application for web browsing using Hypertext Transfer
Protocol (HTTP).
The World Wide Web (WWW) consists of all Internet-connected web servers in
the world and all Internet-connected users with web browsers. Web servers store
information (in the form of web pages) that can be useful to different people. A
web browser installed on the end user's computer wants to connect to a web
server and view the web pages stored on the web server.
Several specific application processes must occur for this to work. The
user must somehow identify the server, the particular web page, and the protocol
used to retrieve data from the server. The client usually finds the web server's IP
address using DNS. The client must request the web page, which consists of
multiple individual files, and the server must send the files to the web browser.
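As an added example (mine, not from the training book), the following Python code decodes the two Layer 4 headers discussed above, the 20-byte TCP header of Figure 30-1 and the 8-byte UDP header of Figure 30-5, and classifies each port number into the three IANA ranges listed earlier. The two sample segments are constructed inside the code (a SYN from an ephemeral port to port 80, and a DNS query to port 53); no real traffic is captured, and no checksum is computed.

```python
import struct

# IANA port ranges as the text lists them (system, user-registered, dynamic/temporary)
def port_class(port):
    """Return which of the three port ranges a port number falls in."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit: 0..65535")
    if port <= 1023:
        return "system"
    if port <= 49151:
        return "user"
    return "dynamic"

# TCP flag bits in the 16-bit "data offset / reserved / flags" word, low bit first
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

def parse_tcp_header(data):
    """Decode the fixed 20-byte TCP header (the fields of Figure 30-1)."""
    if len(data) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (sport, dport, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4        # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(data):
        raise ValueError("bad data offset")
    flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": checksum, "urgent": urgent,
        "src_class": port_class(sport), "dst_class": port_class(dport),
        "payload": data[header_len:],
    }

def parse_udp_header(data):
    """Decode the 8-byte UDP header (the fields of Figure 30-5)."""
    if len(data) < 8:
        raise ValueError("UDP header is 8 bytes")
    sport, dport, length, checksum = struct.unpack("!HHHH", data[:8])
    if length < 8 or length > len(data):
        raise ValueError("UDP length field does not fit the datagram")
    return {
        "src_port": sport, "dst_port": dport, "length": length,
        "checksum": checksum,
        "src_class": port_class(sport), "dst_class": port_class(dport),
        "payload": data[8:length],
    }

def build_tcp_header(sport, dport, seq, ack, flags, window=65535, payload=b""):
    """Encode a 20-byte header with no options; the inverse of parse_tcp_header (checksum left 0)."""
    bits = 0
    for name in flags:
        bits |= 1 << TCP_FLAGS.index(name)
    off_flags = (5 << 12) | bits               # 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + payload

def build_udp_header(sport, dport, payload=b""):
    """Encode an 8-byte UDP header in front of the payload (checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed samples: a browser's SYN to a web server, and a DNS query to port 53
SAMPLE_TCP_SYN = build_tcp_header(49200, 80, seq=1000, ack=0, flags=["SYN"])
SAMPLE_UDP_DNS = build_udp_header(51000, 53, payload=b"\x12\x34\x01\x00" + b"\x00" * 8)

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_TCP_SYN))
    print(parse_udp_header(SAMPLE_UDP_DNS))
```

The parsers reject a truncated header and a data offset or UDP length that points past the end of the buffer; that is the check a receiver has to make before trusting any field, since these values come from the wire.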
I TCP/IP Transport and Applications
URI - Uniform Resource Identifiers
In order for the browser to display a web page, we need to type into the browser
the address of the web page to which we will connect, for example www.cisco.com.
The browser user can identify a web page by clicking something on a web
page or by entering a Uniform Resource Identifier (URI) in the browser's address
field. Both options (clicking a link and typing a URI) point to a URI, because
when you click a link on a web page that link actually points to a URI.
URIs used to connect to a web server include three basic components, as outlined
in Figure 30-6. The figure shows the official names of the URI fields. More
importantly, remember that the text before // identifies the protocol used to
connect to the server, the text between // and / identifies the server by its
name, and the text after the / identifies the web page.
http://www.yavuzbulut.com/blog
Figure 30-6 Web page URI example
Using DNS
A host can use DNS to find the IP address of a particular web server. URIs
usually list the name of the server, but the web browser cannot send an IP packet
to a name; it can only send a packet to the target web server's IP address. So,
before the browser sends a packet to the web server, the browser usually needs
to resolve the name in the URI to the IP address corresponding to that name.
When we examine the example below, we can see how the process takes place.
Figure 30-7 DNS Resolution and Web Page Request
I TCP/IP Transport and Applications
File Transfer with HTTP
To retrieve a file from the web server, the client sends an HTTP GET request to the
server listing the filename. If the server decides to send the file, the server sends
an HTTP GET response with a return code of 200 (meaning OK) with its
contents.
Web pages often consist of multiple files. Most web pages contain text as well as
various graphic images, animated advertisements, and possibly audio or video.
Each of these components is stored as a different file on the web server. To get
them all, the web browser first retrieves the first file. This file may (and often
does) contain references to other URIs, so the browser requests the other files as
well. Figure 30-8 shows the browser receiving the first file and then the other
two files.
Figure 30-8 Multiple HTTP GET Requests/Responses
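To tie together the three steps described above (splitting the URI of Figure 30-6 into protocol, server and page; resolving the server name with DNS; and issuing the multiple HTTP GET requests of Figure 30-8), here is an added Python example that is not part of the book. The DNS answers, the server content and the server itself are constructed stand-ins inside the code so that it runs offline; the IP addresses come from the 192.0.2.0/24 documentation range and the file contents are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed DNS answers (stands in for the resolver; no network is used)
DNS_TABLE = {
    "www.yavuzbulut.com": "192.0.2.10",
    "www.cisco.com": "192.0.2.20",
}

# Constructed web server content: page -> (status code, body)
SERVER_FILES = {
    "/blog": (200, b'<html><img src="http://www.yavuzbulut.com/logo.png">'
                   b'<script src="http://www.yavuzbulut.com/app.js"></script></html>'),
    "/logo.png": (200, b"\x89PNG constructed image bytes"),
    "/app.js": (200, b"console.log('constructed script');"),
}

def split_uri(uri):
    """The three parts of Figure 30-6: protocol before //, server between // and /, page after /."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URI: {uri}")
    return {"protocol": parts.scheme, "server": parts.hostname, "page": parts.path or "/"}

def resolve(name):
    """Name -> IP address, which the browser needs before it can send any packet."""
    if name not in DNS_TABLE:
        raise LookupError(f"NXDOMAIN: {name}")
    return DNS_TABLE[name]

def build_get(uri):
    """The HTTP GET request line and Host header for one file."""
    u = split_uri(uri)
    return f"GET {u['page']} HTTP/1.1\r\nHost: {u['server']}\r\n\r\n"

def fake_server(request):
    """Minimal server logic: answer a GET with 200 and the file, or with 404."""
    method, path, version = request.split("\r\n", 1)[0].split(" ")
    if method != "GET" or version != "HTTP/1.1":
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    status, body = SERVER_FILES.get(path, (404, b"not found"))
    reason = {200: "OK", 404: "Not Found"}[status]
    head = f"HTTP/1.1 {status} {reason}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body

def parse_response(raw):
    """Split an HTTP response into status code, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, _reason = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return int(code), headers, body[: int(headers.get("Content-Length", len(body)))]

def referenced_uris(body):
    """URIs the first file points at (src="..." attributes), which the browser fetches next."""
    return [m.decode() for m in re.findall(rb'src="([^"]+)"', body)]

def fetch_page(uri):
    """Resolve the server, GET the first file, then GET every file it references (Figure 30-8)."""
    fetched = {}
    queue = [uri]
    while queue:
        current = queue.pop(0)
        if current in fetched:
            continue
        ip = resolve(split_uri(current)["server"])
        code, _headers, body = parse_response(fake_server(build_get(current)))
        fetched[current] = {"ip": ip, "status": code, "bytes": len(body)}
        if code == 200:
            queue.extend(referenced_uris(body))
    return fetched

if __name__ == "__main__":
    for uri, result in fetch_page("http://www.yavuzbulut.com/blog").items():
        print(uri, result)
```

Each referenced file is resolved and requested on its own, exactly as the figure shows three separate GET/response pairs; a name that DNS cannot answer stops the process before any HTTP request is sent.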
I Basic Access Control List
Basic - ACL
Access Control List
I ACL Location and Direction
I Types of ACLs
I Subnet Matching with Wildcard
I Standard Numbered ACL
I Configuring ACL with Standard Number
I Basic ACL - Access Control List
Basic Access Control List
IPv4 ACLs are most commonly used for packet filtering in Cisco routers. An ACL
provides filtering by checking packets passing through the router. Once enabled,
the router decides whether to block or allow each IP packet.
However, ACLs can also be used for many other IOS features. As an example,
ACLs can be used to match packets to implement Quality of Service (QoS)
features. By prioritizing some packets we can forward packets according to the
priority we want. For example, voice packets need very low latency, so ACLs
can match voice packets and the QoS logic transmits voice packets faster than
data packets.
The arrows in Figure 31-1 indicate locations in the topology where you can
filter packets flowing from left to right. For example, suppose you want to
allow packets sent by user A to server S1 but block packets sent by user B to
server S1. Each arrowed line represents a location and direction in which a
router can filter the packets it sends.
ACL Location and Direction
Cisco routers can apply ACLs to packets at the point where IP packets enter or
exit an Interface. In other words, the ACL is associated with an Interface and
packet flow direction (In or Out). In other words, the router checks the applied
ACLs in the In or Out direction of the Interfaces without making the routing
decision and makes the routing accordingly or not.
Figure 31-1 Packet traffic from user A and B to S1 server
I Basic ACL - Access Control List
Matching Packets
When you think about the location and direction of an ACL, you should
already be thinking about which packets you want to allow or block. You must
configure the router with an IP ACL that matches the packets. ACL commands are
lists that tell the router how to look at each packet, and which packets
should be discarded and which should be allowed.
For example, imagine that you allow the traffic from Host A to the S1 server
and limit the outgoing traffic from the Host B user as in Figure 31-2. We
already know the IPs of Host A and B and where they want to go; accordingly, we
write an ACL in R2, which is the ACL we have decided on. We must then apply it
as In or Out in the right direction under the S0/0/1 Interface. The
correct direction here is the In direction.
Figure 31-2 ACL Command Logic
ACL Types
✓ Standard numbered ACLs (1–99)
✓ Extended numbered ACLs (100–199)
✓ Additional ACL numbers (1300–1999 standard, 2000–2699 extended)
✓ Named ACLs
✓ Improved editing with sequence numbers
Figure 31-3 ACL Types
I Basic ACL - Access Control List
Subnet Matching with Wildcard Address
Typically when you apply an ACL you want to match not a single IP address,
but a range of IP addresses or all IP addresses in a subnet. You can match
subnets using wildcard (WC) masks. There is a short way to calculate wildcards.
Finding the Wildcard Easily From the Subnet Mask
Let's practice by finding the IP ranges that the access-lists below will check.
Subnet 10.1.1.0 SubnetMask 255.255.255.0
Subnet 172.16.8.0 SubnetMask 255.255.252.0
access-list 1 permit 172.16.8.0 0.0.3.255
When you type the access list line as above, the access list allows all IPs
in the range from 172.16.8.0 to 172.16.11.255.
   172.16.8.0
+    0.0.3.255
———————————————
  172.16.11.255
Figure 31-4 Using Wildcard
Note: When we add the Subnet and the Wildcard, we easily find the IP range that the ACL will check.
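The short way described above (flip the subnet mask to get the wildcard, then add subnet and wildcard to get the last address of the range) can be written as a few lines of Python. This is an added example, not from the book; it also goes one step beyond the text by implementing the bit comparison a router actually performs, which handles wildcards such as 0.0.254.255 that do not describe a single contiguous range.

```python
import ipaddress

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))

def wildcard_from_mask(mask):
    """The short way in the text: the wildcard is the subnet mask with every bit flipped."""
    return to_dotted(to_int(mask) ^ 0xFFFFFFFF)

def mask_from_prefix(prefix_len):
    """255.255.252.0 for /22, and so on."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)

def acl_range(address, wildcard):
    """Lowest and highest address the entry matches (the addition in Figure 31-4).
    Host bits in 'address' are cleared first, so 172.16.9.5 0.0.3.255 gives the same range
    as 172.16.8.0 0.0.3.255 (which is how IOS stores such an entry).
    Only a wildcard whose 1-bits form one run at the right end describes a single range."""
    a, w = to_int(address), to_int(wildcard)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard: the matched addresses are not one range")
    low = a & ~w
    return to_dotted(low), to_dotted(low | w)

def matches(candidate, address, wildcard):
    """What the router does per packet: every bit where the wildcard is 0 must equal
    the corresponding bit of the ACL address; bits where the wildcard is 1 are ignored."""
    w = to_int(wildcard)
    return (to_int(candidate) & ~w) == (to_int(address) & ~w)

if __name__ == "__main__":
    # the two subnets from the text
    for subnet, mask in (("10.1.1.0", "255.255.255.0"), ("172.16.8.0", "255.255.252.0")):
        wc = wildcard_from_mask(mask)
        print(f"access-list 1 permit {subnet} {wc}  ->  range {acl_range(subnet, wc)}")
```

The `matches` function is the one to keep in mind when reading ACLs: a wildcard of 0.0.254.255 against 10.1.1.0 matches every 10.1.x.0/24 subnet whose third octet is odd, something the addition shortcut cannot express.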
I Basic ACL - Access Control List
Standard Numbered ACL
Standard ACLs are a type of Cisco filter that only looks at IPv4 packets and is
configured to match the source IP address of the packet.
Syntax
Standard numbered IP ACLs use the following generic command:
access-list {1-99 | 1300-1999} {permit | deny} matching-parameters
Let's examine the example below; both lines match the single host 10.1.1.1:
access-list 1 permit 10.1.1.1
access-list 1 permit host 10.1.1.1
Figure 31-5 Example of Standard ACL
I Basic ACL - Access Control List
Configuring Standard Numbered ACLs
Lab - 1
1- Host A can access the S1 server.
2- Subnet 10.1.1.0/24 cannot access the S1 server.
3- All remaining 10.0.0.0/8 Subnets can access it.
Figure 31-6 Standard ACL Lab - 1
R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# access-list 1 permit 10.1.1.1
R2(config)# access-list 1 deny 10.1.1.0 0.0.0.255
R2(config)# access-list 1 permit 10.0.0.0 0.255.255.255
R2(config)# interface S0/0/1
R2(config-if)# ip access-group 1 in
Lab - 2
1- S1 Server can access the Subnet of Host A and B.
2- S1 Server cannot access Host C's Subnet.
3- Allow S2 Server to access Host C's Subnet.
4- S2 Server cannot access Host A and B's Subnet.
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# access-list 1 remark This ACL allows the S1 Server to access Host A's Subnet
R1(config)# access-list 1 permit 10.2.2.1
R1(config)# access-list 2 remark This ACL allows the S2 Server to access Host C's Subnet
R1(config)# access-list 2 permit 10.2.2.2
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 1 out
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 2 out
Extended - ACL
Access Control List
I ACL with Extended Number
I Configuring Extended Numbered ACLs
I Named ACL
I Editing Named ACLs
I Named ACL Configuration
I Extended ACL
Extended Numbered ACL
Extended ACLs are a type of Cisco filter that looks at IPv4 packets and is
configured to check source and destination addresses and the protocol at Layer 4.
They use the numbers 100-199 or 2000-2699.
Figure 32-1 ACL Types
Matching Packets
Like standard numbered ACLs, extended IP ACLs use the access-list global
command. The syntax is the same up to the permit or deny keyword. At this point,
the command lists the matching parameters, and these are different of course.
Specifically, the extended ACL access-list command requires three matching
parameters: IP protocol type, source IP address, and destination IP address.
Figure 32-2 IP Header Focusing on Required Fields in Extended ACLs
Figure 32-3 Extended ACL Syntax
I Extended ACL
Matching by TCP and UDP Port Numbers
Extended ACLs can also inspect the TCP and UDP header sections, specifically
the source and destination port number fields. Port numbers identify the
application sending or receiving the data.
In the first example below, packet filtering is done with the destination port,
and in the second example, it is done with the source port.
Figure 32-4 TCP Header and Port Number Fields After IP Header
Figure 32-5 Extended ACL Syntax for TCP and UDP
Figure 32-6 Packet Filtering by Destination Port Number
Figure 32-7 Packet Filtering by Source Port Number
I Extended ACL
Popular Port Numbers
Example Extended ACL
I Extended ACL
Configuring Extended Numbered ACLs
Lab - 1
1- Larry cannot access the web server on Server 1.
2- Bob cannot access FTP services.
3- Do not block the remaining traffic.
Figure 32-8 Extended ACL Lab - 1
Application example on R1.
interface Serial0
ip address 172.16.12.1 255.255.255.0
ip access-group 101 in
!
interface Serial1
ip address 172.16.13.1 255.255.255.0
ip access-group 101 in
!
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 101 permit ip any any
Or
Configuring on R2 and R3.
interface Ethernet0
ip address 172.16.3.1 255.255.255.0
ip access-group 103 in
access-list 103 remark deny Bob to FTP servers in subnet 172.16.1.0/24
access-list 103 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 103 permit ip any any
I Extended ACL
Lab - 2
1- Sam cannot access the subnet where Bugs and Daffy are located.
2- Users on the Yosemite subnet cannot access the Seville subnet.
3- Do not block the remaining traffic.
We are making our configuration on the Yosemite Router.
interface ethernet 0
ip access-group 110 in
!
access-list 110 deny ip host 10.1.2.1 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 110 permit ip any any
Figure 32-9 Extended ACL Lab - 2
I Extended ACL
Named ACL and Editing
We did the filtering with Standard and Extended ACLs, but since we used
numbers, if you did not write a remark (reminder note), after a while it may be
difficult to remember why we wrote this ACL. With Named ACLs, you can give a
name and so specify what this ACL is for. We remember what we typed, and Named
ACLs are easier to edit later.
Although they do the same things as Standard and Extended ACLs, they have
some differences;
Using names instead of numbers to describe the ACL makes it easy to
remember what we wrote the ACL for.
Using ACL subcommands instead of global commands to define parameters.
Using ACL editing features that allow the CLI user to delete individual lines
from the ACL and add new lines.
Named ACL
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)# deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface serial1
Router(config-if)# ip access-group barney out
Router# show running-config
ip access-list extended barney
permit tcp host 10.1.1.2 eq www any
deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
permit ip any any
Figure 32-10 Numbered and Named ACL Syntax
To delete a single line from the ACL while editing it:
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router# show access-list
Extended IP access list barney
10 permit tcp host 10.1.1.2 eq www any
20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
50 permit ip any any
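To check the first-match logic of the three ACLs in this chapter without a router, here is an added Python model (mine, not the book's and not Cisco code). It parses the standard lines of Lab 1 on R2, the extended lines of access-list 101 and the named list barney, assigns sequence numbers 10, 20, 30 as IOS does, applies the implicit deny at the end, and reproduces the deletion of line 40 shown above. The port keywords and the packet fields used in the test are assumptions of the model; the ACL lines themselves are the ones printed in the text.

```python
import ipaddress
from collections import namedtuple

# Port keywords IOS accepts in place of numbers (those used in this chapter plus a few common ones)
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23, "ssh": 22, "domain": 53}
ANY = (0, 0xFFFFFFFF)                      # 'any' = address 0.0.0.0 with wildcard 255.255.255.255
Entry = namedtuple("Entry", "seq action proto src sport dst dport text")

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _covers(spec, value):
    """Wildcard match: every bit where the wildcard is 0 must equal the entry's address."""
    addr, wc = spec
    return (value & ~wc) == (addr & ~wc)

def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A W' | 'A' (standard-ACL shorthand for a single host)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]
    return (_ip(tokens[0]), 0), tokens[1:]

def _parse_port(tokens):
    """Consume an optional 'eq <port>' that follows an address."""
    if tokens and tokens[0] == "eq":
        port = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES.get(tokens[1])
        if port is None:
            raise ValueError(f"unknown port keyword {tokens[1]}")
        return port, tokens[2:]
    return None, tokens

class Acl:
    """One access list: entries in sequence order, first match wins, implicit deny at the end."""
    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, line, seq=None):
        """Parse a 'permit ...' or 'deny ...' line in standard or extended form."""
        action, *tokens = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"expected permit/deny: {line}")
        if tokens[0] in ("ip", "tcp", "udp", "icmp"):                 # extended form
            proto, tokens = tokens[0], tokens[1:]
            src, tokens = _parse_addr(tokens)
            sport, tokens = _parse_port(tokens)
            dst, tokens = _parse_addr(tokens)
            dport, tokens = _parse_port(tokens)
        else:                                                          # standard form: source only
            proto, sport, dst, dport = "ip", None, ANY, None
            src, tokens = _parse_addr(tokens)
        if tokens:
            raise ValueError(f"unparsed parameters: {tokens}")
        if seq is None:                                                # IOS numbers new lines 10, 20, 30, ...
            seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(Entry(seq, action, proto, src, sport, dst, dport, line))
        self.entries.sort(key=lambda e: e.seq)

    def remove(self, line):
        """'no <line>' in named-ACL mode: that entry goes, the others keep their numbers."""
        self.entries = [e for e in self.entries if e.text != line]

    def show(self):
        return [f"{e.seq} {e.text}" for e in self.entries]

    def evaluate(self, proto, src, dst, sport=None, dport=None):
        """(action, sequence) of the first matching entry, or ('deny', None) for the implicit deny."""
        s, d = _ip(src), _ip(dst)
        for e in self.entries:
            if e.proto not in ("ip", proto):
                continue
            if not (_covers(e.src, s) and _covers(e.dst, d)):
                continue
            if e.sport not in (None, sport) or e.dport not in (None, dport):
                continue
            return e.action, e.seq
        return "deny", None

def lab_acls():
    """The ACLs of this chapter: standard Lab 1 on R2, extended Lab 1 (101) and the named list barney."""
    acls = {}
    for name, lines in {
        "1": ["permit 10.1.1.1", "deny 10.1.1.0 0.0.0.255", "permit 10.0.0.0 0.255.255.255"],
        "101": ["deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
                "deny tcp host 172.16.2.10 host 172.16.1.100 eq www", "permit ip any any"],
        "barney": ["permit tcp host 10.1.1.2 eq www any", "deny udp host 10.1.1.1 10.1.2.0 0.0.0.255",
                   "deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255",
                   "deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255", "permit ip any any"],
    }.items():
        acls[name] = Acl(name)
        for line in lines:
            acls[name].add(line)
    return acls
```

Two things the model makes visible: the order of the lines in Lab 1 matters (swapping the first two would block Host A as well), and a UDP packet to port 21 sails past the `deny tcp ... eq ftp` line because the protocol field is checked first.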
Chapter - 11
Network Security
I Security Architecture
I Securing Network Devices
I Switch Port Security Applications
I DHCP Applications
I DHCP Snooping and ARP Inspection
I Security Terminology
Security Architecture
I Security Threats
I Types of Attacks
I Controlling User Access
I Security Architecture
Security Terminology
Assuming that in a perfect world every user has access to everything on the
network and every user makes full use of the available resources, you can create
a network open to every user in a company. The network shown in Figure 33-1
may represent such a scenario. Even this ideal closed system is not completely
secure, as a user may want to annoy a co-worker or view information on a
company server that should be restricted or confidential.
Figure 33-1 An Example of a Closed Company Network
Now imagine that almost no company uses such a limited and closed
environment. Ultimately, the company will want to connect to the internet and
some of its dealers. They will also want to be mobile-connected to use their
employees' laptops, tablets, and smartphones inside and outside the
organization.
The organization may want Guest users to connect to the wireless network. If
the business offers a wireless connection to its employees (and guests), these
signals can be accessed by unauthorized malicious people. And the list goes on.
As the network and its connectivity expands, the business will have more
difficulty maintaining the secure, closed boundary around itself, as seen in
Figure 33-2.
Figure 33-2 Example of a Versatile Company Network
I Security Architecture
Security Threats
Because modern enterprise networks often consist of many parts working
together, securing them can become a very complex task. You cannot attempt to
secure a network until you identify and assess most vulnerabilities and understand
where the threats might come from. Appropriate measures and mitigation
measures can be taken after making these determinations.
Attacks That Spoof Addresses
Parameters and services can be relied on when systems operate normally.
For example, when a device sends you an IP packet, you expect the destination IP
address in that packet to be your IP address. You expect the source MAC address
in the Ethernet frame to be the sender's MAC address. Services like DHCP and
DNS should also work properly. If a device sends a DHCP or DNS request, it
expects the DHCP or DNS response to come from a legitimate and trusted server.
Spoofing attacks focus on this vulnerability. Attacks usually occur by
replacing the required information with fake information. Address spoofing
attacks can be simple and straightforward: one address value is replaced
by another.
For example, an attacker could send packets from a fake IP address instead of
his own IP address, as shown in Figure 4-4. When the target receives the packets,
it sends return traffic to the fake address instead of the attacker's real
address. If a device has that fake address, it will receive the packet. If no
device has the address, the packet will be forwarded and then dropped.
Figure 33-3 Simple Spoofing Attack
An attacker can also send fake MAC addresses to add false information to the
MAC tables or ARP tables used by the switch. Fake MAC addresses can also be
sent to the DHCP server to fill the address distribution pool, leaving no
free IP addresses for normal use.
I Security Architecture
Denial-of-Service (DoS) Attacks
Suppose a malicious user found an abnormal connection path to the company
server. The TCP connection starts with the malicious user sending the SYN
flag, but the source IP address is replaced with a fake one. The server adds the
TCP connection to its client connection table and responds to the bogus
address with a SYN-ACK. Because the spoofed address is not taking part in the
TCP connection, there is no ACK response to complete the TCP three-way handshake.
The incomplete connection remains in the server's table until it times out and is
removed. During this time, the attacker could try to open so many connections
that the server's connection table fills up. At this point, the server is no
longer able to respond to TCP connections from real users, so the server is
effectively inactive. Figure 33-4 illustrates this process.
Figure 33-4 Denial-of-Service (DOS) Attacks
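The following added Python model (not from the book) plays through the connection-table scenario described above: a table with a fixed capacity, half-open entries that stay until a timeout, two real clients that complete their handshakes, forty SYNs from spoofed sources that never do, and then a real user who is refused. The half-open fraction it computes is the kind of signal a server or monitoring system can alarm on. Capacity, timeout and all addresses are constructed values for the simulation.

```python
class ConnectionTable:
    """Server-side TCP connection table with a capacity and a half-open timeout (constructed model)."""
    def __init__(self, capacity, half_open_timeout):
        self.capacity = capacity
        self.timeout = half_open_timeout
        self.half_open = {}        # (src_ip, src_port) -> time the SYN arrived (SYN-ACK sent, no ACK yet)
        self.established = set()
        self.dropped = 0           # SYNs refused because the table was full

    def expire(self, now):
        """Remove half-open entries whose SYN-ACK was never answered within the timeout."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_segment(self, now, src_ip, src_port, flag):
        """Process one arriving segment; returns what the server did with it."""
        self.expire(now)
        key = (src_ip, src_port)
        if flag == "SYN":
            if key in self.half_open or key in self.established:
                return "duplicate"
            if len(self.half_open) + len(self.established) >= self.capacity:
                self.dropped += 1
                return "refused: table full"
            self.half_open[key] = now
            return "SYN-ACK sent"
        if flag == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.established.add(key)
            return "established"
        return "ignored"

def half_open_fraction(table):
    """Detection signal: a table dominated by half-open entries points at a SYN flood."""
    total = len(table.half_open) + len(table.established)
    return len(table.half_open) / total if total else 0.0

def run_scenario():
    table = ConnectionTable(capacity=32, half_open_timeout=30)
    # two legitimate clients complete the handshake (constructed addresses)
    for i, (ip, port) in enumerate([("203.0.113.5", 40001), ("203.0.113.6", 40002)]):
        table.on_segment(i, ip, port, "SYN")
        table.on_segment(i + 0.1, ip, port, "ACK")
    # 40 SYNs from spoofed, distinct source addresses; no ACK ever comes back
    for i in range(40):
        table.on_segment(2 + i * 0.01, f"198.51.100.{i + 1}", 50000 + i, "SYN")
    # a real user now tries to connect and is refused: the denial of service
    refused = table.on_segment(3, "203.0.113.7", 40003, "SYN")
    signal = half_open_fraction(table)
    # once the timeout has passed, the stale entries expire and the real user gets through
    recovered = table.on_segment(40, "203.0.113.7", 40003, "SYN")
    return table, refused, signal, recovered

if __name__ == "__main__":
    table, refused, signal, recovered = run_scenario()
    print(f"refused={refused!r} dropped={table.dropped} half-open fraction={signal:.2f} later={recovered!r}")
```

With only 30 free slots the flood needs 30 spoofed SYNs to lock out every new client until the timeout expires, which is why real servers shorten that timeout under load or stop keeping per-SYN state altogether.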
I Security Architecture
Man-in-the-Middle Attack
The man-in-the-middle attack uses the ARP table. Normally, if one host needs
to send data to another, it looks for the destination host in its ARP table. If
it is found in the ARP table, the Ethernet frame can be sent directly to the
destination MAC address; if it cannot find it in the ARP table, it issues an
ARP request containing the IP address of the target and waits for the
target to respond with an ARP reply carrying its own MAC address.
Step 1: The client sends an ARP request to ask which MAC address 198.51.100.10 is
using.
Step 2: The ARP request goes to everyone on the network. The attacker listens to
the network and prepares.
Step 3: The attacker sends his own MAC address.
Now the attacker has come between the server and the client; the traffic now
passes through the attacker.
Figure 33-5 A Man-in-the-Middle Attack Begins
Figure 33-6 A Man-in-the-Middle Attack Occurs
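As an added example (not from the book), the Python below feeds the three ARP frames of the steps above to two ARP caches: a naive host cache that believes the last reply it hears, which is the weakness the text describes, and a validating cache that compares every sender IP/MAC pair against a table of known bindings, which is what a switch does with ARP inspection (on a switch that table is filled by DHCP snooping, a topic this chapter lists). The IP addresses are the ones used in the steps; the MAC addresses and the binding table are constructed.

```python
# Constructed bindings (on a real switch the DHCP snooping table provides these)
TRUSTED_BINDINGS = {
    "198.51.100.10": "00:00:5e:00:53:10",   # server
    "198.51.100.20": "00:00:5e:00:53:20",   # client
}

# Constructed frames: (opcode, sender_ip, sender_mac, target_ip)
ARP_TRAFFIC = [
    ("request", "198.51.100.20", "00:00:5e:00:53:20", "198.51.100.10"),  # step 1: client asks
    ("reply",   "198.51.100.10", "00:00:5e:00:53:10", "198.51.100.20"),  # the real server answers
    ("reply",   "198.51.100.10", "00:00:5e:00:53:66", "198.51.100.20"),  # step 3: attacker claims the server's IP
]

def naive_cache(traffic):
    """Host behaviour the text describes: the most recent reply for an IP wins."""
    cache = {}
    for op, sender_ip, sender_mac, _target in traffic:
        if op == "reply":
            cache[sender_ip] = sender_mac
    return cache

class ArpInspector:
    """Validate ARP frames against known IP-to-MAC bindings before they reach the hosts."""
    def __init__(self, bindings):
        self.bindings = bindings
        self.cache = {}
        self.alerts = []

    def inspect(self, op, sender_ip, sender_mac, target_ip):
        """Forward a frame only if its sender IP/MAC pair matches a known binding."""
        expected = self.bindings.get(sender_ip)
        if expected is None:
            self.alerts.append(f"{op} from unknown {sender_ip} ({sender_mac}) for {target_ip}: dropped")
            return "drop"
        if expected != sender_mac:
            self.alerts.append(
                f"{op} claims {sender_ip} is at {sender_mac}, binding says {expected}: dropped")
            return "drop"
        if op == "reply":
            self.cache[sender_ip] = sender_mac
        return "forward"

def run_scenario():
    inspector = ArpInspector(TRUSTED_BINDINGS)
    decisions = [inspector.inspect(*frame) for frame in ARP_TRAFFIC]
    return naive_cache(ARP_TRAFFIC), inspector, decisions

if __name__ == "__main__":
    naive, inspector, decisions = run_scenario()
    print("naive host cache:", naive)
    print("validated cache:", inspector.cache)
    print("decisions:", decisions)
    print("\n".join(inspector.alerts))
```

After the third frame the naive cache maps the server's IP to the attacker's MAC and every frame for the server would go to the attacker, while the validating cache still holds the server's real MAC and has logged one dropped frame.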
I Security Architecture
Buffer Overflow Attacks
Operating systems and applications normally read and write data using
buffers and volatile memory space. Buffers are also important when one system
communicates with another, as IP packets and Ethernet frames come and go. As
long as memory space is properly protected and data is placed within the correct
buffer limits, everything should work as expected.
However, some systems and applications have vulnerabilities that could allow
buffers to overflow. An attacker can exploit this by sending larger-than-expected
data.
Password Vulnerabilities
When users access a system, they usually enter a username and password. It
can be pretty easy to guess someone's username based on the person's real name.
An attacker can also easily gain access to the system if the user's password is
set to a default value or an easy-to-guess word or text string.
Think like an attacker for a moment and see if you can make some guesses
about the passwords you would try if you wanted to log into a random system.
Maybe the password is password123, 123456, etc. You may have thought of
passwords like these; maybe you would try the username admin and the password
admin.
Human Vulnerabilities
An attacker can pose as IT staff and attempt to communicate with real end
users via phone calls, emails and social media. The end goal may be to
persuade users to reveal their credentials or set their passwords to a "temporary"
value due to some fictitious IT overhaul, allowing the attacker to gain
easy access to secure systems. Attackers may also be physically present and
spy on users as they enter their credentials.
Malware
Some security threats come in the form of malware (malicious software). For
example, a trojan is malicious software that is hidden and packaged inside other
seemingly legitimate software. The trojan software is installed silently when a
bona fide user decides to install the software it hides in. Later, the malware can
carry out its own attacks on the local system or against other systems. Trojan
malware can only spread from one computer to another through user
interaction, such as opening email attachments, downloading software from
the Internet, and plugging a USB drive into a computer.
I Security Architecture
Controlling and Monitoring User Access
You can manage user activities to and from systems with Authentication,
Authorization, and Accounting (AAA) mechanisms. AAA uses some standard
methods to provide users with credentials before access is granted or authorized.
Accounting protocols can also log user activity in enterprise systems. AAA is
widely used to control and monitor access to network devices such as routers,
switches, firewalls and so on.
Authentication: Who is the user?
Authorization: What is the user allowed to do?
Accounting: What did the user do?
Figure 33-7 Example AAA
AAA servers typically support the following two protocols to communicate with
corporate resources:
TACACS+: A Cisco proprietary protocol that separates each of the AAA
functions. Communication is secure and encrypted over TCP port 49.
RADIUS: A standards-based protocol that combines Authentication and
Authorization into a single source. Communication uses UDP ports 1812 and
1813, but it is not fully encrypted.
Developing a Security Program to Educate Users
An effective approach a business can take to improve information security is to
educate users through a corporate security program. Many users may not have
IT knowledge, so they may not recognize vulnerabilities or realize the
consequences of their own actions. For example, if a corporate user receives an
email message threatening to expose some illegal behavior, they may be tempted
to click a link to a malicious site. Such an action could introduce malware or
worms to a user's computer that could affect business operations.
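To make the "not fully encrypted" remark about RADIUS concrete, here is an added Python example (mine, not from the book) that builds a RADIUS Access-Request the way RFC 2865 defines it: the User-Name attribute travels in clear text, and only the User-Password attribute is hidden, by XORing it with MD5 digests derived from the shared secret and the Request Authenticator. The second function is what the server does to recover the password. The shared secret, the username and the password are constructed values; the packet format and the hiding scheme are the standard's.

```python
import hashlib
import os
import struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 User-Password hiding: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 bytes")
    if not secret or len(password) > 128:
        raise ValueError("a shared secret is required and the password is at most 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server does: the inverse operation, then strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type, value):
    """Type-Length-Value encoding of one attribute (length counts the two header bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(username, password, secret, identifier, authenticator=None):
    """Code 1 = Access-Request; attribute 1 = User-Name (clear), 2 = User-Password (hidden)."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(1, username) + _attr(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_packet(packet):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs

if __name__ == "__main__":
    pkt = build_access_request(b"yavuz", b"Cisco123!", b"constructed-shared-secret", 7)
    print(pkt.hex())
    print(parse_packet(pkt)[3])
```

Printing the packet shows the point: the username is readable in the hex dump, and anyone who learns the shared secret can run `reveal_password` on a captured request, which is why TACACS+, with its fully encrypted body, is preferred for device administration and why RADIUS shared secrets deserve the same care as passwords.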
Network
Devices Securing
I Securing IOS Passwords
I Firewall
I IPS ( Intrusion Prevention Systems )
I Next Generation Firewalls
I Securing Network Devices
Securing IOS Passwords
The best way to protect passwords on Cisco IOS devices is to not store passwords
on the IOS devices at all, and to use an (AAA) server instead. However, it is
common for some passwords to be stored in a router or switch configuration, and
here I will describe some ways to protect these passwords.
Hiding IOS Passwords
When we look at the passwords on Cisco IOS devices with show running-config,
you will see that these passwords are not hidden; we can protect these passwords
with the service password-encryption command.
Switch3# show running-config | section line con 0
line con 0
password cisco
login
Switch3(config)# service password-encryption
Switch3(config)# ^Z
Switch3# show running-config | section line con 0
line con 0
password 7 070C285F4D06
login
We can tell that the service password-encryption command is in use from the "7"
that is automatically added after the password command.
Figure 34-1 Example Login Security Configuration
I Securing Network Devices
Enable Password Protection
Local Username and Password Protection
Switch3(config)# enable secret fred
Switch3# show running-config | include enable secret
enable secret 5 $1$ZGMA$e8cmvkz4UjiJhVp7.maLE1
R1(config)# enable algorithm-type scrypt secret mypass1
R1# show running-config | include enable
enable secret 9 $9$II/EeKiRW91uxE$fwYuOE5EHoii16AWv2wSywkLJ/KNeGj8uK/24B0TVU6
Telnet-SSH Protection - ACL
We must protect the routers or switches with an ACL, we can restrict access to the
hosts we want or from a particular subnet.
line vty 0 4
login local
access-class 3 in
!
! Next command is a global command that matches IPv4 packets with
! a source address that begins with 10.1.1.
access-list 3 permit 10.1.1.0 0.0.0.255
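The checks described in this section (service password-encryption, enable secret instead of enable password, and an access-class on the vty lines) can be audited automatically across many devices. The following Python script is an added example, not from the book: it scans a running-config for password lines stored in clear text or as the reversible type 7, for an enable password without an enable secret, for vty lines without an access-class, and for Telnet left enabled. Both configurations inside it are constructed for the example; the type 9 hashes are placeholders, not real digests.

```python
import re

# Constructed running-config showing the weak settings this section talks about
WEAK_CONFIG = """\
hostname Switch3
!
enable password cisco
username admin password 0 admin
!
line con 0
 password cisco
 login
line vty 0 4
 password 7 070C285F4D06
 login
 transport input telnet ssh
!
"""

# The same device after applying the protections described above (hashes are placeholders)
HARDENED_CONFIG = """\
hostname Switch3
service password-encryption
enable secret 9 $9$PLACEHOLDER-HASH
username admin secret 9 $9$PLACEHOLDER-HASH
!
access-list 3 permit 10.1.1.0 0.0.0.255
line con 0
 login local
line vty 0 4
 login local
 access-class 3 in
 transport input ssh
!
"""

# 'password X', 'enable password X', 'username U password X', each with an optional type digit
PASSWORD_RE = re.compile(r"^(?:enable password|password|username \S+ password)(?:\s+(\d+))?\s+\S+")

def sections(config):
    """Group indented subcommands under their top-level command, as IOS prints them."""
    result = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            if result:
                result[-1][1].append(line.strip())
        else:
            result.append((line.strip(), []))
    return result

def audit(config):
    """Return (code, detail) findings for password storage and management-access weaknesses."""
    findings = []
    secs = sections(config)
    tops = [header for header, _ in secs]
    if "service password-encryption" not in tops:
        findings.append(("NO-PASSWORD-ENCRYPTION", "service password-encryption is missing"))
    if any(h.startswith("enable password") for h in tops) and \
            not any(h.startswith("enable secret") for h in tops):
        findings.append(("ENABLE-PASSWORD-ONLY", "enable password without enable secret"))
    for header, subs in secs:
        for cmd in [header] + subs:
            m = PASSWORD_RE.match(cmd)
            if m and m.group(1) in (None, "0"):
                findings.append(("PLAINTEXT-PASSWORD", cmd))
            elif m and m.group(1) == "7":
                findings.append(("TYPE7-PASSWORD", cmd))     # reversible, only hides from shoulder surfing
            if cmd.startswith("transport input") and "telnet" in cmd.split():
                findings.append(("TELNET-ENABLED", f"{header}: {cmd}"))
        if header.startswith("line vty") and not any(c.startswith("access-class") for c in subs):
            findings.append(("VTY-NO-ACCESS-CLASS", header))
    return findings

def finding_codes(config):
    """The distinct finding codes, sorted, for a quick pass/fail view."""
    return sorted({code for code, _ in audit(config)})

if __name__ == "__main__":
    for code, detail in audit(WEAK_CONFIG):
        print(f"{code:24} {detail}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Type 7 is reported separately from clear text because, as the text says, service password-encryption only hides the password in the output; the real protection comes from enable secret and username secret, which the hardened configuration uses.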
I Securing Network Devices
Firewall
Firewall
A firewall examines all packets so that it can choose which packets to
discard and which to allow. The firewall protects the network from problems by
allowing only permitted types of traffic to flow in and out of the network. In its
most basic form, a firewall does the same job as routers do with ACLs, but
the firewall can perform this packet filtering function with more options and
perform other security tasks.
The figure shows a Cisco Adaptive Security Appliance (ASA) Firewall connected to
the Internet through a Cisco router. All corporate traffic to and
from the Internet is sent through the firewall. The firewall considers its own rules
and decides whether to allow the packet.
Figure 34-2 Traditional Firewall Usage
Security Zones
Most companies have an inside and outside zone and a special zone called the
Demilitarized Zone (DMZ). While the name DMZ comes from the real world,
it has been used in IT for decades to refer to a firewall security zone used to
place servers that should be available to users on the public Internet. For
example, Figure 5-8 shows a typical Internet design with several web servers
connected to its DMZ via the firewall.
Figure 34-3 Firewall Zone Usage Example
Figure 34-2 Traditional Firewall Usage
Figure 34-3 Firewall Zone Usage Example
I Securing Network Devices
IPS (Intrusion Prevention Systems)
A traditional intrusion prevention system (IPS) may sit on the path that
packets travel through the network and filter packets, but it makes its decisions
with different logic. An IPS first downloads a database of exploit signatures. Each
signature identifies different header field values found in packet sequences
used by different exploits. The IPS can then examine the packets,
compare them with known exploit signatures, and recognize when packets
might be malicious. Once a match is identified, the IPS can log the event, discard
the packets, and even forward packets to another security application for further
inspection.
A traditional IPS differs from a firewall in that we create the rules on the
firewall ourselves, based on the port numbers of the applications, whereas the
IPS applies logic based on signatures provided by the manufacturer. These
signatures look for attacks such as:
• DoS
• DDoS
• Worms
• Viruses
Figure 34-4 IPS and Signature Database
I Securing Network Devices
Next Generation Firewalls
In the mid-2010s, Cisco and some of its competitors began using the term Next
Generation to highlight new security products. In short, Next Generation
Firewalls (NGFW) and Next Generation IPS (NGIPS) are Cisco's current
Firewall and IPS products. Next Generation products have useful features not
found in previous products.
As for Cisco products, Cisco has for many years called its Firewalls Cisco
Adaptive Security Appliance (ASA). Cisco acquired Sourcefire, a security product
company, around 2013. Most of the next-generation firewall (and IPS) features
come from software obtained through this purchase. As of 2019, all Cisco firewalls
currently sold are referred to as Cisco Firepower Firewall.
Some features of NGFW;
Traditional Firewall: Performs traditional firewall features such as packet
filtering, NAT/PAT and VPN termination.
Application Visibility and Control (AVC): This feature looks deep into
application layer data to identify the application. For example, it can identify
the application by its data rather than by port number, to defend against attacks
using arbitrary port numbers.
Advanced Malware Protection (AMP): A network-based anti-malware function that
can run on the firewall, block file transfers that would install malware, and save
copies of files for later analysis.
URL Filtering: This feature inspects the URLs in each web request, categorizes
the URLs and filters traffic according to rules or rate limits. The Cisco Talos
security group monitors and generates trust scores for every known domain on
the Internet; URL filtering can use these scores to decide on categorization,
filtering, or rate limiting.
NGIPS: Cisco NGFW products can run NGIPS features along with the firewall.
Figure 34-5 NGIPS and NGFW
Switch Port Security
I Switch Port Security Concepts
I Configuring Switch Port Security
I Switch Port Security Violation Modes
I Switch Port Security
Switch Port Security Concepts
If the network engineer knows which devices should be connected to which ports
on the switch, the engineer can use switch port security so that only those devices
can use these ports.
In the figure below, when PC1 is connected to port F0/1 on SW1 and switch port security is enabled on that port, the MAC address of the connected device is checked against the allowed addresses.
Figure 35-1 Switch Port Security Concepts
Configuring Switch Port Security
There are four different methods of implementing switch port security, shown
in the figure below.
Figure 35-2 Switch Port Security Methods
I Switch Port Security
Switch Port Security Violation Modes
We saw the switch port security configuration in the previous topic, but if there is a security violation, what will the port do and what precautions will it take? In this section we will see the commands we need to configure so that the switch decides what to do in case of a security violation. The port has three violation modes to apply:
Protect and Restrict Mode
These modes block traffic from unknown MAC addresses, but the port is not shut down. As a result, the port continues to forward traffic from the secure MAC addresses while discarding the unsafe traffic. Restrict mode additionally sends an SNMP message.
switchport port-security violation protect
switchport port-security violation restrict
Shutdown Mode
The default violation mode is shutdown: when a violation occurs, the port goes into the err-disabled state, and we can see the status with the show interfaces Fa0/13 status command. We then have to go to the port and re-enable it manually, but we can also have this done automatically by entering the following commands:
errdisable recovery cause psecure-violation
errdisable recovery interval seconds
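The three violation modes and err-disable recovery, as an added Python simulation (not code from the book or from Cisco IOS): a port with a maximum of one sticky-learned MAC receives frames from PC1 and then from an unknown address, and the port name, MAC addresses and message text are constructed for the example.

```python
"""Switch port-security violation modes, simulated.

Added example; not code from the book or from Cisco. SecurePort models one
access port with a maximum number of secure MAC addresses (learned "sticky"
as frames arrive) and the protect / restrict / shutdown violation modes.
Port name, MAC addresses and the log text are constructed for the example.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                   # switchport port-security maximum <n>
    violation: str = SHUTDOWN          # switchport port-security violation {protect|restrict|shutdown}
    secure_macs: set = field(default_factory=set)   # static + sticky-learned addresses
    err_disabled: bool = False
    violation_count: int = 0
    messages: list = field(default_factory=list)    # what restrict/shutdown would log or trap

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; return 'forward', 'drop' or 'errdisable'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"              # an err-disabled port forwards nothing at all
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # sticky learning up to the maximum
            return "forward"
        # Unknown source MAC once the maximum is reached: a violation.
        if self.violation == PROTECT:
            return "drop"              # silently discard: no counter, no message
        self.violation_count += 1
        self.messages.append(          # constructed text, modeled on the IOS violation syslog
            f"PSECURE_VIOLATION: MAC {src_mac} on {self.name}")
        if self.violation == RESTRICT:
            return "drop"              # keep forwarding the secure MACs, just report
        self.err_disabled = True       # shutdown mode: the whole port goes err-disabled
        return "errdisable"

    def errdisable_recover(self) -> None:
        """What 'errdisable recovery cause psecure-violation' does once the interval expires."""
        self.err_disabled = False


def run_modes() -> dict:
    """Feed the same frames (PC1 twice, then an unknown MAC, then PC1 again) to each mode."""
    pc1, intruder = "0011.2233.4455", "dead.beef.0001"   # constructed MACs
    results = {}
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        port = SecurePort("Fa0/13", maximum=1, violation=mode)
        actions = [port.receive(m) for m in (pc1, pc1, intruder)]
        actions.append(port.receive(pc1))      # does PC1 still get through afterwards?
        results[mode] = (actions, port.err_disabled, port.violation_count)
    return results


def recovery_demo() -> list:
    """Shutdown mode, then automatic err-disable recovery, then PC1 again."""
    pc1, intruder = "0011.2233.4455", "dead.beef.0001"
    port = SecurePort("Fa0/13", maximum=1, violation=SHUTDOWN)
    steps = [port.receive(pc1), port.receive(intruder), port.receive(pc1)]
    port.errdisable_recover()
    steps.append(port.receive(pc1))            # the sticky MAC is still secure after recovery
    return steps


if __name__ == "__main__":
    for mode, (actions, disabled, count) in run_modes().items():
        print(f"{mode:9s} {actions} err-disabled={disabled} violations={count}")
    print("recovery:", recovery_demo())
```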
I Dynamic Host Configuration Protocol
DHCP
I DHCP Concepts
I DHCP Relay
I DHCP Configuration
I DHCP
Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) provides one of the most commonly used services in a TCP/IP network. The majority of hosts in a TCP/IP network are user devices, and the majority of user devices learn their IPv4 settings using DHCP.
It has many advantages over manually configuring IP settings. Hosts make requests to the DHCP server using DHCP messages to configure their IP settings. As a result, the host IP configuration is controlled by IT personnel, resulting in fewer user errors. DHCP allows hosts to be permanently assigned IP addresses, but more commonly, DHCP assigns hosts a temporary IP address to use for a specified period of time.
DHCP uses the following four messages between client and server:
Discover: The host sends a Discover message to find a DHCP server.
Offer: The DHCP server sends an Offer to that client, proposing a specific IP address.
Request: The host requests to accept the offer from this DHCP server.
Acknowledgment: The DHCP server sends the information to the client with an Acknowledgment message.
DHCP Concepts
The host acts as a DHCP client. As a DHCP client, the host starts without IP settings: no IPv4 address, no subnet mask, no default gateway and no DNS server IP address. However, a DHCP client knows the DHCP protocol, so the client can use this protocol to find a DHCP server and request to lease an IPv4 address.
Figure 36-1 DHCP Discover and Offer
I DHCP
DHCP Relay
DHCP messages are broadcast, so they stay on the same subnet and within the VLAN. Setting up a DHCP server in every VLAN and subnet would not be very practical. Instead, you need to forward the requests from the subnet you are on to the subnet where the DHCP server is located; for this we use a DHCP relay, the IP helper address, as in the example below.
Figure 36-2 IP Helper Address Effect
I DHCP Snooping
DHCP Snooping
Arp Inspection
I DHCP Snooping Logic
I Configuring DHCP Snooping
I DAI - Dynamic ARP Inspection
I DAI - Dynamic ARP Logic
I DAI Configuration
I DHCP Snooping and ARP Inspection
DHCP Snooping
DHCP Snooping observes the DHCP messages on our network and blocks the unwanted ones. For example, a malicious user connected to the switch can install a DHCP server program on his computer and try to hand out IP addresses by responding to DHCP requests from the network; we can use DHCP snooping to prevent this.
Figure 37-1 Secure and insecure ports.
Figure 37-2 DHCP attack: the attacker distributes correct IP addresses but presents itself as the gateway.
As in Figure 37-2, the attacker listens to DHCP requests coming from the network with the DHCP server software she installed on her own computer and tries to attack by giving false information.
Figure 37-3 DHCP Attack Man in the Middle
I DHCP Snooping and ARP Inspection
DHCP Snooping Logic
DHCP Snooping prevents such attacks by treating the ports we choose as untrusted.
Figure 37-4 DHCP Snooping Operating Rules
Step 1: Examine all incoming DHCP messages.
Step 2: Discard DHCP server messages arriving on untrusted ports.
Step 3: Filter client messages. For DISCOVER and REQUEST messages, check that the client MAC address inside the DHCP message is consistent with the source MAC address of the Ethernet frame. For RELEASE or DECLINE messages, check that the IP address matches the DHCP Snooping binding table entry for the port the message arrived on.
Step 4: Create a new entry in the DHCP Snooping binding table for unfiltered messages whose DHCP process completes successfully.
DHCP Snooping Configuration
Figure 37-5 Example of DHCP Snooping Configuration
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
ip dhcp snooping database flash:/snoopy.db
!
interface GigabitEthernet1/0/2
ip dhcp snooping trust
Limiting DHCP Messages
We can limit the rate of DHCP messages that users can send on a port; a port that exceeds its limit is err-disabled, and the errdisable recovery commands bring it back automatically.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30
!
interface GigabitEthernet1/0/2
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/3
ip dhcp snooping limit rate 2
I DHCP Snooping and ARP Inspection
DAI - Dynamic ARP Inspection
The Dynamic ARP Inspection (DAI) feature on a switch examines ARP messages arriving on untrusted ports to filter out those it believes to be part of an attack. The core of DAI compares incoming ARP messages with two data sources: the DHCP Snooping binding table and any configured ARP ACLs. If the incoming ARP message does not match the tables in the switch, the switch discards the ARP message.
Normally, a host uses ARP when it knows the IP address of another host and wants to learn the MAC address of that host. However, for certain reasons, a host may send ARP information to all hosts in the subnet even though nobody asked for it. This can be useful, for example, when a host changes its MAC address.
For example, PC A sends an ARP Reply in place of PC1, claiming "my MAC address has changed", and this updates the ARP table on R2. From that point on, when R2 forwards IP packets to PC1's IP address (172.16.2.101), it places PC A's MAC address in the Ethernet frame instead of PC1's MAC address. Let's take a look at what happens in Figure 37-8.
Figure 37-6 Normal ARP Request
Figure 37-7 Incorrect Use of an ARP Reply Causes Incorrect ARP Data on R2.
I DHCP Snooping and ARP Inspection
Figure 37-8 Man-in-the-Middle Attack Result
1- PC1 sends a message to some server on the left side of R2.
2- The server replies to PC1's IP address, but R2 sends PC1's packet to PC A's MAC address.
3- PC A copies the packet for later viewing.
4- PC A forwards the packet in a new frame to PC1, so PC1 continues to work normally.
Dynamic ARP Inspection Logic
If a host does not yet have an IP address, that is, the DHCP process has not been completed, it does not need to use ARP. After the host learns an IP address and subnet mask, it needs ARP to learn the MAC addresses of other hosts or of the default router in the subnet, so it sends some ARP messages. In short, DHCP comes first, then ARP.
DAI compares the sender IP and sender MAC address fields of the ARP message with the DHCP Snooping binding table for all untrusted ports. DAI allows the ARP message if a matching entry is found in the table, but discards it if not.
Figure 37-9 DAI Filtering ARP Based on the DHCP Snooping Binding Table
I DHCP Snooping and ARP Inspection
Note that although DAI can use DHCP Snooping binding data as shown here, it can also use similar statically configured data that lists the correct IP and MAC address pairs, through a tool called an ARP ACL. Using ARP ACLs with DAI is useful for ports connected to devices that use static IP addresses rather than DHCP. Note that DAI checks both the DHCP Snooping binding data and the ARP ACLs.
Figure 37-10 DAI Configuration
DAI Dynamic ARP Inspection Configuration
ip arp inspection vlan 11
ip dhcp snooping
ip dhcp snooping vlan 11
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/2
ip dhcp snooping trust
ip arp inspection trust
show ip arp inspection
Limiting DAI Messages
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 30
!
interface GigabitEthernet1/0/2
ip dhcp snooping limit rate 10
ip arp inspection limit rate 8
SW2# show ip arp inspection interfaces
SW2# show ip arp inspection statistics
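The DHCP snooping rules (Figure 37-4) and the DAI check against the binding table and an ARP ACL, as one added Python simulation that is not code from the book or from Cisco IOS: constructed DHCP and ARP frames from PC1, a rogue host and a statically addressed host pass through a switch model with one trusted port; ports, VLAN, MAC and IP addresses are made up, and rate limiting is not modeled.

```python
"""DHCP snooping binding table and Dynamic ARP Inspection, simulated.

Added example; not code from the book or from Cisco IOS. Constructed DHCP
and ARP frames pass through a switch model that applies the DHCP snooping
rules and the DAI check described above. Ports, VLAN, MAC and IP addresses
are made up for the example; DHCP/ARP rate limiting is not modeled.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Frame:
    port: str
    src_mac: str          # Ethernet source address of the frame
    msg: str              # DHCP: DISCOVER/OFFER/REQUEST/ACK/RELEASE/DECLINE; ARP: REQUEST/REPLY
    chaddr: str           # DHCP client hardware address, or ARP sender MAC
    ip: str = ""          # DHCP yiaddr (OFFER/ACK) or ciaddr (RELEASE/DECLINE); ARP sender IP
    vlan: int = 10


@dataclass
class Switch:
    trusted: set = field(default_factory=set)      # ip dhcp snooping trust / ip arp inspection trust
    arp_acl: dict = field(default_factory=dict)    # static IP -> MAC pairs (ARP ACL) for non-DHCP hosts
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> (mac, port): the snooping binding table
    pending: dict = field(default_factory=dict)    # chaddr -> port seen in a DISCOVER/REQUEST

    def dhcp(self, f: Frame) -> str:
        """Apply the DHCP snooping rules; return 'forward' or 'drop'."""
        if f.port in self.trusted:
            if f.msg == "ACK" and f.chaddr in self.pending:   # Step 4: lease completed
                self.bindings[(f.vlan, f.ip)] = (f.chaddr, self.pending.pop(f.chaddr))
            return "forward"
        if f.msg in SERVER_MSGS:                    # Step 2: server messages on untrusted ports
            return "drop"
        if f.msg in ("DISCOVER", "REQUEST"):        # Step 3: frame source MAC vs DHCP chaddr
            if f.chaddr != f.src_mac:
                return "drop"
            self.pending[f.chaddr] = f.port
            return "forward"
        if f.msg in ("RELEASE", "DECLINE"):         # Step 3: must match this port's own binding
            bound = self.bindings.get((f.vlan, f.ip))
            if bound is None or bound[1] != f.port:
                return "drop"
            if f.msg == "RELEASE":
                del self.bindings[(f.vlan, f.ip)]
            return "forward"
        return "drop"

    def arp(self, f: Frame) -> str:
        """DAI: the sender IP/MAC of an ARP message must match a binding or an ARP ACL entry."""
        if f.port in self.trusted:
            return "forward"
        if self.arp_acl.get(f.ip) == f.chaddr:
            return "forward"
        bound = self.bindings.get((f.vlan, f.ip))
        if bound is not None and bound == (f.chaddr, f.port):
            return "forward"
        return "drop"


def scenario() -> dict:
    """PC1 leases an address normally; a host on Gi1/0/4 tries the tricks from the figures."""
    sw = Switch(trusted={"Gi1/0/2"}, arp_acl={"10.0.10.5": "aaaa.bbbb.0005"})
    pc1, rogue, server = "0011.2233.4455", "dead.beef.0001", "0000.5e00.0101"
    r = {}
    r["discover"] = sw.dhcp(Frame("Gi1/0/3", pc1, "DISCOVER", pc1))
    r["rogue_offer"] = sw.dhcp(Frame("Gi1/0/4", rogue, "OFFER", pc1, "10.0.10.50"))
    r["offer"] = sw.dhcp(Frame("Gi1/0/2", server, "OFFER", pc1, "10.0.10.50"))
    r["request"] = sw.dhcp(Frame("Gi1/0/3", pc1, "REQUEST", pc1, "10.0.10.50"))
    r["ack"] = sw.dhcp(Frame("Gi1/0/2", server, "ACK", pc1, "10.0.10.50"))
    r["forged_discover"] = sw.dhcp(Frame("Gi1/0/4", rogue, "DISCOVER", pc1))   # chaddr != frame MAC
    r["pc1_arp"] = sw.arp(Frame("Gi1/0/3", pc1, "REPLY", pc1, "10.0.10.50"))
    r["spoofed_arp"] = sw.arp(Frame("Gi1/0/4", rogue, "REPLY", rogue, "10.0.10.50"))
    r["static_host_arp"] = sw.arp(Frame("Gi1/0/5", "aaaa.bbbb.0005", "REPLY", "aaaa.bbbb.0005", "10.0.10.5"))
    r["forged_release"] = sw.dhcp(Frame("Gi1/0/4", rogue, "RELEASE", rogue, "10.0.10.50"))
    r["bindings"] = dict(sw.bindings)
    return r


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:16s} {outcome}")
```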
Chapter - 12
IP SERVICES
I Device Management Protocols
I Network Address Translation (NAT)
I Quality of Service (QoS)
I Various IP Services
Device
Management Protocols
I System Message Logging (Syslog)
I Network Time Protocol (NTP)
I Cisco Discovery Protocol (CDP)
I Link Layer Discovery Protocol (LLDP)
I Device Management Protocols
System Message Logging (Syslog)
Cisco devices can send detailed system messages or notification messages. It is important to record these messages in order to keep them and to be warned in advance of problems that may occur on the network; there are several ways to do this. Cisco IOS devices can show these messages in real time to users who are logged in, or save them for later viewing.
Real-Time Messages to Existing Users
By default, IOS shows log messages to all users. In fact, if you're using the console port, you've probably noticed a lot of syslog messages like interfaces going up or down. The logging monitor command must be active in global configuration mode in order for users connecting via Telnet and SSH to see these messages instantly, and if the user wants to see these messages when connected, he or she must also use the terminal monitor command in exec (enable) mode.
Figure 38-1 IOS Actions for Log Messages to Existing Users
Saving Log Messages for Later Review
When users are logged on via the console, Telnet or SSH, IOS sends the messages to the console and terminal sessions, and then IOS discards the message. It's helpful to keep a copy of the log messages for later review, so IOS provides two basic ways to keep a copy.
If we enter the logging buffered command in global configuration mode, IOS will store these messages in RAM; we can view them later with the show logging command.
Our other option is to send the messages to a syslog server and store them there. We can send them to the server by entering the command logging host {address | hostname}.
Figure 38-2 Storing Logs in RAM and on a Server
I Device Management Protocols
Log Message Notification Level
We can ensure that log messages are transmitted and stored only at the severity levels we choose, between 0 and 7.
Figure 38-3 Log Message Levels
Figure 38-4 Logging command options
SysLog Configuration
In the example below, we see an example of configuring four devices to send logs to the syslog server and store them in RAM.
logging console 7
logging monitor debug
logging buffered 4
logging host 172.16.3.9
logging trap warning
show logging
Figure 38-5 Simple syslog example
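How the severity thresholds in the configuration above decide which destination receives which message, as an added Python example that is not code from the book or from IOS: it parses constructed lines in the IOS %FACILITY-SEVERITY-MNEMONIC format and applies the console 7, monitor debug, buffered 4 and trap warning settings; the timestamps, interfaces and message text are invented.

```python
"""IOS system-message severity and logging destinations, simulated.

Added example, not from the book: parses constructed lines in the IOS message
format %FACILITY-SEVERITY-MNEMONIC and decides which logging destinations
(console, monitor, buffer, syslog host) accept each one under the thresholds
set by the logging commands. Level keywords follow the IOS 0-7 scale.
"""
import re

# Severity keywords in IOS order; 'logging trap warning' means level 4 and more severe.
LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")


def level(setting) -> int:
    """Accept a number (0-7) or an IOS keyword, including abbreviations such as 'warning' or 'debug'."""
    if isinstance(setting, int):
        if 0 <= setting <= 7:
            return setting
        raise ValueError(f"severity out of range: {setting}")
    matches = [i for i, kw in enumerate(LEVELS) if kw.startswith(setting.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous level keyword: {setting}")
    return matches[0]


def parse(line: str):
    """Return the facility/severity/mnemonic/text of a system message, or None for other lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    return d


def route(lines, console="debugging", monitor="debugging", buffered="debugging", trap="informational"):
    """Map each logging destination to the messages it would receive under the given thresholds."""
    thresholds = {"console": level(console), "monitor": level(monitor),
                  "buffered": level(buffered), "trap": level(trap)}
    out = {dest: [] for dest in thresholds}
    for line in lines:
        msg = parse(line)
        if msg is None:
            continue
        for dest, limit in thresholds.items():
            if msg["severity"] <= limit:          # lower number = more severe
                out[dest].append(f'{msg["facility"]}-{msg["severity"]}-{msg["mnemonic"]}')
    return out


# Constructed sample lines in IOS message format (timestamps, interfaces and text invented).
SAMPLE = [
    "*Mar  1 00:01:12.345: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:13.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:02:40.800: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.9.9.9] [localport: 22]",
    "*Mar  1 00:03:00.000: %SYS-5-CONFIG_I: Configured from console by console",
    "not a system message at all",
]


def book_config() -> dict:
    """Thresholds from the configuration example: console 7, monitor debug, buffered 4, trap warning."""
    return route(SAMPLE, console=7, monitor="debug", buffered=4, trap="warning")


if __name__ == "__main__":
    for dest, received in book_config().items():
        print(f"{dest:9s} {received}")
```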
I Device Management Protocols
Network Time Protocol (NTP)
Setting the Clock and Time Zone
It is very important that the time information is correct when recording system log messages. Let's take an example: there are problems on the serial connection between R1 and R2, the OSPF adjacencies are constantly having problems, and you look at the system messages and see the results as below.
R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# clock timezone UTC 3 0
R1(config)# clock summer-time utc recurring last Sun Mar 1:00 last Sun Oct 1:00
R1(config)# ^Z
R1#
R1# clock set 20:52:49 21 October 2015
R1# show clock
20:52:55.051 EDT Wed Oct 21 2015
Since the time information of the two routers is not correct, it will be very
difficult to solve the problem by looking at the logs, so time information is very
important in systems. We use NTP so that the clocks on the devices are
synchronized and show the correct time.
I Device Management Protocols
Simple NTP Configuration
Cisco provides two ntp configuration commands that determine how NTP works in a router or switch:
ntp master {stratum-level}: NTP server mode. The device acts only as an NTP server, not as an NTP client, and takes its time from its own internal clock.
ntp server {address | hostname}: NTP client/server mode. The device acts as both client and server. First, it acts as an NTP client to synchronize its time with a server. Once synchronized, the device can act as an NTP server to provide time to other NTP clients.
! Configuration on R1:
ntp server 172.16.2.2
! Configuration on R2:
ntp server 172.16.3.3
! Configuration on R3:
ntp master 2
R1# show ntp status
Clock is synchronized, stratum 4, reference is 172.16.2.2
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is
2**21 ntp uptime is 1553800 (1/100 of seconds), resolution is 4000
reference time is DA5E7147.56CADEA7 (19:54:31.339 EST Thu Feb 4 2016)
Figure 38-6 Simple NTP Configuration
I Device Management Protocols
Redundant NTP Configuration
To set our clock, we can refer to better time sources on the Internet, or purchase a purpose-built NTP server with better clock hardware. For example, we can enter ntp.ulakbim.gov.tr, tr.pool.ntp.org, or the NTP server IP addresses directly.
! Configuration on R1 and R2:
ntp server 193.140.100.40
ntp server 178.79.155.116
ntp master 7
On the other routers, we can enter the IP addresses of R1 and R2 as the NTP servers.
R1 and R2 cannot reach the Internet NTP servers when the Internet connection is down, so we used the ntp master command so that they can continue serving NTP to the other devices.
By making R1 and R2 stratum 7, we have placed them at a worse level than the NTP servers on the Internet.
Figure 38-7 Configuring Redundant NTP
I Device Management Protocols
CDP and LLDP
Examining Information Learned by CDP
CDP: Discovers basic information about neighboring routers and switches without having to know the passwords of the neighboring devices. A device sends CDP messages out each of its interfaces to announce itself; the messages essentially provide information about the device that sent the CDP message. Devices that support CDP learn about other devices by listening to the messages those devices send.
CDP discovers some useful detail from neighboring Cisco devices:
Device identifier: Host Name
Address list: IP addresses
Port identifier: Port and Interface information
Capabilities list: Information about the type of device (router, switch, ip phone)
Platform: Model and software version of the device.
Figure 38-8 Using CDP
I Device Management Protocols
Examining Information Learned by LLDP
Link Layer Discovery Protocol (LLDP), defined in IEEE standard 802.1AB, is
a standardized protocol that provides the same general features as CDP. LLDP
has a similar configuration and practically the same show commands
compared to CDP.
LLDP Configuration
lldp run
!
interface gigabitEthernet1/0/17
no lldp transmit
no lldp receive
!
interface gigabitEthernet1/0/18
no lldp receive
interface gigabitEthernet1/0/19
lldp transmit
lldp receive
!
interface gigabitEthernet1/0/20
lldp receive
show lldp
show lldp interface g1/0/2
show lldp traffic
SW2# show lldp entry R1
I NAT Concepts
NAT
Network Address Translation
I Static NAT
I Dynamic NAT
I Overload NAT (PAT)
I NAT Configuration
I Network Address Translation
Availability of IPv4 Addresses
Initially, IPv4 addresses were handed out to each company and companies were given access to the Internet, but in the 1990s, as the Internet gradually spread, it was understood that the IPv4 addresses would not be enough and that it could not continue like this.
Many short-term solutions to the addressing problem have been proposed, but
three standards have been focused on to solve the problem. Two of the standards
work together: Network Address Translation (NAT) and Private Addresses.
Together, these features allow many organizations to use the same IPv4 network
numbers internally and still communicate well with the Internet. The third
standard, Classless Inter Domain Routing (CIDR), allows a company to reduce
the waste of IPv4 addresses by dividing that network address into subnets
instead of the entire network.
Figure 39-1 Example of CIDR Usage
Private Addressing
All IP addresses must be unique on the Internet, and since the public IPv4 addresses would run out one day, some ranges were reserved for use inside organizations. Any company can use these addresses within the company without the approval of any institution, but it cannot use them on the Internet. We call these addresses private IPs.
CIDR
A rule that defines how ISPs should assign globally unique IPv4 addresses to each organization. The Internet Assigned Numbers Authority (IANA) performs this IP allocation.
Figure 39-2 Private IP Range
I Network Address Translation
Network Address Translation Concepts
NAT, defined in RFC 3022, allows a host without a unique public IP address to communicate with another host on the Internet. Such hosts may be using the same private IP addresses used by other companies. In both cases, NAT allows these addresses, which cannot be used on the Internet, to continue to be used.
Figure 39-3 Exchanging a Private IP Address for a Public IP Address with NAT
Static NAT
Static NAT works like the example shown in Figure 39-4, but the IP addresses are statically mapped to each other.
Figure 39-4 Static NAT Example
I Network Address Translation
Dynamic NAT
In Dynamic NAT, imagine we have five public IPs available, as in the example, and we have five users on the inside. We create a pool of these five public IPs, and when an inside user accesses the Internet, we dynamically assign an IP from this pool to that user.
Figure 39-5 Example of Dynamic NAT
Overloading NAT with Port Address Translation (PAT)
We use NAT Overload, or Port Address Translation (PAT), when we have only one public IP. It is the most commonly used method. In this example, we have three users and all of them want to connect to a web server on port 80; the NAT device takes their IP addresses and port numbers, translates them to the public IP with unique port numbers, and forwards them to the target.
Figure 39-6 NAT Overload (PAT) Example
I Network Address Translation
Static NAT Configuration
Figure 39-7 Static NAT Configuration
I Network Address Translation
Dynamic NAT Configuration
I Network Address Translation
NAT Overload (PAT) Configuration
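The dynamic NAT pool and PAT behaviour described above, as an added Python simulation that is not code from the book or from any router: a pool of two public addresses runs out on the third inside host, while a single overloaded address carries all three by rewriting source ports and maps the replies back; every address and port is constructed.

```python
"""Dynamic NAT and PAT (NAT overload), simulated.

Added example, not from the book: a translator that hands out inside global
addresses from a pool, one per inside host (dynamic NAT), or multiplexes all
inside hosts onto one public address by rewriting the source port (PAT), and
maps return traffic back. All addresses and ports are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Translator:
    pool: list                         # inside global addresses, as in 'ip nat pool ...'
    overload: bool = False             # the 'overload' keyword: PAT instead of one-to-one
    addr_map: dict = field(default_factory=dict)   # dynamic NAT: inside local IP -> inside global IP
    port_map: dict = field(default_factory=dict)   # PAT: (local IP, port) -> (global IP, port)
    reverse: dict = field(default_factory=dict)    # PAT: (global IP, port) -> (local IP, port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an inside->outside packet; None means no translation, packet dropped."""
        if self.overload:
            key = (src_ip, src_port)
            if key not in self.port_map:
                g_ip = self.pool[0]
                g_port = self._free_port(g_ip, src_port)
                if g_port is None:
                    return None
                self.port_map[key] = (g_ip, g_port)
                self.reverse[(g_ip, g_port)] = key
            g_ip, g_port = self.port_map[key]
        else:
            if src_ip not in self.addr_map:
                free = [ip for ip in self.pool if ip not in self.addr_map.values()]
                if not free:
                    return None                # pool exhausted: no address for this host
                self.addr_map[src_ip] = free[0]
            g_ip, g_port = self.addr_map[src_ip], src_port   # one-to-one keeps the port
        return (g_ip, g_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outside->inside packet using an existing entry; None if there is none."""
        if self.overload:
            local = self.reverse.get((dst_ip, dst_port))
            if local is None:
                return None                    # unsolicited traffic matches nothing and is dropped
            return (src_ip, src_port, local[0], local[1])
        for l_ip, g_ip in self.addr_map.items():
            if g_ip == dst_ip:
                return (src_ip, src_port, l_ip, dst_port)
        return None

    def _free_port(self, g_ip, wanted):
        """PAT keeps the original source port when free, otherwise picks the next free one."""
        if (g_ip, wanted) not in self.reverse:
            return wanted
        for p in range(1024, 65536):
            if (g_ip, p) not in self.reverse:
                return p
        return None


def dynamic_nat_demo() -> dict:
    """Two public addresses, three inside hosts: the third host gets nothing."""
    nat = Translator(pool=["200.1.1.1", "200.1.1.2"])
    flows = [("10.1.1.1", 49152), ("10.1.1.2", 49152), ("10.1.1.1", 50000), ("10.1.1.3", 49152)]
    out = [nat.outbound(ip, port, "203.0.113.10", 80) for ip, port in flows]
    return {"out": out, "back": nat.inbound("203.0.113.10", 80, "200.1.1.2", 49152)}


def pat_demo() -> dict:
    """One public address for three users on port 80, as in Figure 39-6."""
    nat = Translator(pool=["200.1.1.1"], overload=True)
    out = [nat.outbound(ip, port, "203.0.113.10", 80)
           for ip, port in [("10.1.1.1", 49152), ("10.1.1.2", 49152), ("10.1.1.3", 51000)]]
    back = nat.inbound("203.0.113.10", 80, "200.1.1.1", out[1][1])   # reply to the second host
    unsolicited = nat.inbound("203.0.113.10", 80, "200.1.1.1", 60000)
    return {"out": out, "back": back, "unsolicited": unsolicited}


if __name__ == "__main__":
    print("dynamic:", dynamic_nat_demo())
    print("pat:", pat_demo())
```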
I QoS Introduction
QoS
Quality of Service
I Bandwidth, Delay, Jitter, and Loss Management
I Traffic Types
I Classification and Marking
I Queuing
I Shaping and Policing
I Quality of Service
QoS Introduction
QoS: Bandwidth, Delay, Jitter, and Loss Management
Routers work with both WAN and LAN interfaces. While LAN interfaces operate at higher speeds, WAN interfaces operate at slower speeds. While the router is busy sending the packets waiting on a WAN interface, hundreds or even thousands of IP packets may arrive from the LAN interface, and it has to transmit all of them over the same WAN interface. What should the router do? Send them all in the order they came in? Prioritize some packets to be sent earlier than others, preferring one type of traffic over another? Drop some packets when the number of packets waiting to exit the router is too large?
In the paragraph above, we touched on some of the many classic Quality of Service (QoS) questions on a network. For example, WAN router interfaces queue pending packets. The router may use a queue scheduling algorithm to determine which packets will be sent first or later, and may prioritize some packets and hold back others.
There is a wide variety of QoS features in both routers and switches. These features help us manage the traffic on our network. The characteristics they manage are:
• Bandwidth
• Delay
• Jitter
• Loss
Bandwidth: Expresses the speed of a connection in bits per second (bps). The QoS feature determines which packet is sent over the next connection, and controls how much bandwidth each traffic type can use over time.
Delay: Can be defined as the round-trip delay of outgoing and incoming packets.
Jitter: The variation in one-way delay between consecutive packets sent by the same application.
Loss: Usually refers to the number of lost messages as a percentage of packets sent. The comparison is simple: if, for some application, the sender sent 100 packets and only 98 reached the destination, that application stream lost 2 percent.
I Quality of Service
Traffic Types
Data Applications
First, consider a basic web application on a user PC or tablet. The user enters an address to open a web page. This request may require a single packet to be sent to the web server, but may result in hundreds or thousands of packets being returned to the web client, as shown in Figure 40-1.
Figure 40-1 HTTP Traffic
So what is the impact of bandwidth, delay, jitter and loss on an interactive web-based application? First, the packets require a certain amount of bandwidth capacity. As for delay, each of these packets experiences some one-way delay from server to client, and there is some jitter as well.
Voice and Video Applications
A phone call between two IP phones creates a flow in each direction. For video, it can be security camera or video conference call traffic.
VoIP takes the sound of a conversation on one phone and puts it in IP packets so that it can be heard on the other phone. Figure 40-2 illustrates the general idea.
The steps in the figure include:
1- The phone user makes a phone call and starts talking.
2- A chip called a codec processes (digitizes) the audio to generate binary code for a given time interval (usually 20 ms). Usually the G.711 codec is used, producing 160 bytes per interval.
3- The phone encapsulates the data in an IP packet.
4- The phone sends the packet to the target IP phone.
Figure 40-2 VoIP Packet with the G.711 Codec
I Quality of Service
With the G.711 codec, this single call also requires approximately 80 Kbps of bandwidth (not counting the data-link header and trailer). If we include the headers and the VoIP payload as in the figures, each IP packet has 200 bytes. Each holds 20 ms of digital audio, so the phone sends 50 packets per second. 50 packets of 200 bytes each is 10,000 bytes per second, or 80,000 bits per second, or 80 Kbps. Other audio codecs require less bandwidth; the widely used G.729 takes about 24 Kbps (again not counting the data-link header and trailer).
You can get quality voice traffic over an IP network, but you must implement QoS to do so. QoS tools are tuned to respond to the behavior required by different types of traffic. Cisco recommends the following guidelines for quality voice traffic:
• Delay (one-way): 150 ms or less.
• Jitter: 30 ms or less.
• Loss: 1% or less.
For video calls:
• Bandwidth: 384 Kbps to 20+ Mbps
• Delay (one-way): 200–400 ms
• Jitter: 30–50 ms
• Loss: 0.1%–1%
Classification and Marking
QoS tools, like ACLs, sit on the path that packets take as they are forwarded through a router or switch and examine the passing traffic. Like ACLs, QoS tools are enabled for one direction on an interface.
The term classification refers to the process of matching fields in a message to select a QoS traffic class. So, if we compare QoS tools again with ACLs, they classify and filter like ACLs; that is, ACLs match (classify) packet headers and help us decide which packets to discard or which to select.
For example, if we enable QoS on the output interface of the router as in Figure 40-3, it will classify the outgoing traffic according to the rules we set and place it in a queue.
I Quality of Service
Figure 40-3 Classifying and Queuing Traffic on a Router
Step 1: The router makes a forwarding decision.
Step 2: The router uses classification logic to determine the type of packet.
Step 3: The output interface of the router keeps the waiting packets in an output queue.
Step 4: The scheduling logic of the queuing tool selects which packet to send next and puts the packets in order.
Figure 40-4 shows an example of a PC on the left sending an IP packet to hosts (not shown) on the right of the figure. The first switch to forward the packet, SW1, does some complex comparisons and marks the Differentiated Services Code Point (DSCP) field of the packet, a 6-bit field that serves as the QoS mark in the IP header. The next three devices that process this message, SW2, R1, and R2, use simpler matching to classify the packet, comparing only the packet's DSCP value: packets with a DSCP value belonging to Class 1 are mapped to one class and the other packets, with a DSCP value belonging to Class 2, to another.
Sometimes we apply QoS on both the input and output interfaces of the devices, which may cause the performance of the devices to decrease. Both Cisco and the RFCs recommend matching on the packet headers once and then marking the packet, so that later devices can classify on the mark alone.
Figure 40-4 Systematically marking and classifying
I Quality of Service
Classification on Router with ACL and NBAR
This chapter delves a little deeper into classification on routers, and we'll take a closer look at the marking function.
Figure 40-5 shows the IP and TCP headers. All of these fields can be matched for QoS classification.
Figure 40-5 Five classification fields used by the Extended ACL
For example, if all IP phones use a subnet in the address range 10.3.0.0/16, we can configure an extended ACL to match all packets in the 10.3.0.0/16 subnet and use this ACL for QoS actions suitable for voice traffic.
However, not every classification can be done easily by matching with an ACL. In more demanding situations, Cisco Network-Based Application Recognition (NBAR) can be used. In short, NBAR2 matches packets for classification in a wide variety of ways, which is very useful for QoS.
Matching applications with NBAR2
NBAR2 looks at more in a message than an ACL can examine. Many applications cannot be identified by well-known port numbers alone; NBAR solves this problem.
For example, the Cisco WebEx application provides audio and video conferencing on the web. In a QoS plan, you may want to classify WebEx differently from other video traffic and differently from voice calls between IP phones. That is, you can classify WebEx traffic and give it a unique DSCP mark. NBAR provides easy built-in matching capability for WebEx and more than 1000 different application subcategories.
I Quality of Service
IP Header Marking
Marking a QoS field in the IP header works well because the IP header travels from the source host to the destination host. When a host sends data, it sends a data-link frame that contains the IP packet. Each router that forwards the IP packet discards the old data-link header and adds a new one. Because routers do not discard and replace IP headers, the marking fields in the IP header remain unchanged until they reach the destination host.
The original RFC defined a Type of Service (ToS) byte in the IP header, as shown in Figure 40-6, with a 3-bit IP Precedence (IPP) field for the QoS mark. This field gives us eight separate binary values (000, 001, 010, ..., 111); converting them to decimal numbers, we mark with a number between 0 and 7.
IPP only gave us eight (0-7) different values to mark, so later RFCs redefined the ToS byte with the DSCP field. DSCP increased the number of marking bits to 6 and allowed 64 unique values to be marked. DSCP was considered the most common method to use when doing QoS in the late 1990s, and it has become quite common to use the DSCP field for marking.
Figure 40-6 DSCP and IPP fields in the IP Header
I Quality of Service
Marking the Ethernet 802.1Q Header
Another useful Marking field is in the 802.1Q header. In the third byte of the
802.1Q header, it is marked as a 3-bit field and provides eight possible values
to mark (see Figure 40-7). It goes by two different names: Class of Service or
CoS and Priority Code Point or PCP.
Figure 40-7 Class of Service Field in the 802.1Q/p Header
The 802.1Q header is not included in all Ethernet frames. The 802.1Q header is present only when an 802.1Q trunk is used on a link. As a result, QoS tools can only use the CoS field for QoS features enabled on interfaces that use trunks, as shown in Figure 40-8.
Figure 40-8 CoS Marking on a Trunk Port
Other Marking Fields
I Quality of Service
Defining Trust Boundaries
The end-user device can mark the DSCP field, or even the CoS field if a trunk is used for the connection. Would you trust these devices and accept their DSCP and CoS markings?
Most of us wouldn't, because anything the end user controls can at times be used inappropriately. For example, a PC user might know that voice traffic is marked with the DSCP called Expedited Forwarding (EF), value 46. Since voice traffic is prioritized by QoS, the user could mark all of the PC's traffic as DSCP 46.
Figure 40-9 Trust Boundary at the Switch
QoS plan creators must choose where to place the trust boundary of the network. The trust boundary refers to the point in a packet's path through the network at which network devices can trust the QoS markings as valid. This boundary is typically located on a device under the control of IT personnel.
Figure 40-10 Trust Boundary at the IP Phone
I Quality of Service
DiffServ Recommended Marking Values
DiffServ is intended for consistent use of DSCP values across all networks by recommending specific markings for certain types of traffic. Thus, manufacturers can use these default settings for their QoS features, so that QoS works better between different brands and devices.
There are three groups of DSCP values used for marking in DiffServ: EF, AF and CS.
Expedited Forwarding (EF)
DiffServ defines the recommended Expedited Forwarding (EF) DSCP value (a single value) for packets that require low latency (delay), low jitter, and low loss. It defines DSCP 46 and an equivalent text name (EF). QoS configuration commands allow the use of either the decimal value or the text name, but one purpose of using the text abbreviation is to make the value more memorable, so many QoS configurations refer to the text names.
Many QoS plans use EF to mark voice payload packets. By default, Cisco IP Phones mark voice packets with EF and send signaling (SIP, SCCP) packets with CS3.
Assured Forwarding (AF)
The Assured Forwarding (AF) DiffServ RFC (2597) defines a set of 12 DSCP values that are intended to be used in concert with each other. Assured Forwarding defines specific AF DSCP text names and equivalent decimal values, as listed in Figure 40-11. Text names follow an AFXY format: X corresponds to the queue (1 to 4) and Y corresponds to the drop priority (1 to 3).
Figure 40-11 Differentiated Services Assured Forwarding Values and Meaning
For example, packets marked AF11, AF12, and AF13 all enter a single queue; those marked AF21, AF22 and AF23 enter another queue; and so on. Within the same queue, AF21 has the highest priority and AF23 is dropped first.
I Quality of Service
Class Selector (CS)
Initially, the ToS field was defined by the 3-bit IPP field. When DiffServ
redefined the ToS field, eight DSCP values were created so that DSCP was
backwards compatible with the IPP values. The Class Selector (CS) DSCP values are
these eight settings.
Figure 40-12 Class Selector
Guidelines for DSCP Marking Values
With many different values, different uses of different DSCP values by
different devices in the same enterprise will complicate the deployment of QoS.
Without going into the depth of any QoS plans, the plans all set some
variation on how all devices should mark data:
✓ DSCP EF: Voice payload
✓ AF4x: Interactive video (for example, videoconferencing)
✓ AF3x: Streaming video
✓ AF2x: High priority (low latency) data
✓ CS0: Standard data
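The numbering behind the text names used above (EF, AFxy, CSx) and the marking guideline just listed, as an added Python example that is not code from the training book. It converts between DiffServ names and the 6-bit decimal values a router actually writes into the packet, extracts the DSCP from an IPv4 ToS byte, and classifies a marking against the guideline; the ToS byte in the demo is a constructed sample value.

```python
"""DSCP text names and wire values.

Added example (not code from the training book). It implements the
numbering behind the names the text uses: EF, AFxy and CSx. The marking
plan in traffic_class() is the one listed above (EF voice, AF4x
interactive video, AF3x streaming video, AF2x high-priority data, CS0
standard data); the ToS byte value in the demo is constructed.
"""
import re

EF_DSCP = 46  # Expedited Forwarding, the single EF value (decimal)


def dscp_from_name(name: str) -> int:
    """Decimal DSCP for a DiffServ text name.

    EF   -> 46
    CSx  -> 8 * x         (x = 0..7, the old 3-bit IP Precedence value)
    AFxy -> 8 * x + 2 * y (x = queue/class 1..4, y = drop priority 1..3)
    """
    n = name.strip().upper()
    if n == "EF":
        return EF_DSCP
    m = re.fullmatch(r"CS([0-7])", n)
    if m:
        return 8 * int(m.group(1))
    m = re.fullmatch(r"AF([1-4])([1-3])", n)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    raise ValueError(f"not a DiffServ text name: {name!r}")


def name_from_dscp(dscp: int) -> str:
    """Inverse of dscp_from_name; values without a standard name come back
    as 'DSCP n'."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field (0..63)")
    if dscp == EF_DSCP:
        return "EF"
    cls, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and rem in (2, 4, 6):
        return f"AF{cls}{rem // 2}"
    return f"DSCP {dscp}"


def dscp_from_tos(tos_byte: int) -> int:
    """The DSCP is the upper 6 bits of the IPv4 ToS byte; the lower 2 bits
    are ECN, not part of the marking."""
    return (tos_byte & 0xFF) >> 2


def traffic_class(dscp: int) -> str:
    """Classify a marking according to the DSCP marking guideline above."""
    name = name_from_dscp(dscp)
    if name == "EF":
        return "voice payload"
    if name.startswith("AF4"):
        return "interactive video"
    if name.startswith("AF3"):
        return "streaming video"
    if name.startswith("AF2"):
        return "high priority data"
    if name == "CS0":
        return "standard data"
    return "not in the guideline list"


if __name__ == "__main__":
    # Constructed example: a ToS byte of 0xB8 (binary 1011 1000) carries DSCP 46.
    dscp = dscp_from_tos(0xB8)
    print(dscp, name_from_dscp(dscp), traffic_class(dscp))
    for n in ("AF11", "AF23", "AF41", "CS3"):
        print(n, dscp_from_name(n))
```

The AF formula makes the figure's table unnecessary to memorize: the class (queue) sits in the top three bits, exactly where the old IP Precedence value sat, which is also why CSx equals 8x and why CS values are backwards compatible with IPP.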
I Quality of Service
Queuing
The term queuing refers to the QoS toolset used to manage queues that hold
packets while they wait for their turn to exit an interface. In Figure 40-13, the
output interface has a single queue and sends packets in the order they arrived.
Since no QoS tools are used here, the interface sends the traffic first-in, first-out.
Figure 40-13 Queue traffic without QoS
In Figure 40-14, there is more than one queue and traffic exits the interface in order
of priority.
Figure 40-14 Queue traffic with QoS applied
Round-Robin Scheduling (Prioritization)
Routers use a popular tool called Class-Based Weighted Fair Queuing (CBWFQ)
to provide a minimum bandwidth for each class. That is, each class receives at least
the amount of bandwidth configured, but perhaps more based on availability
later on. CBWFQ allows us to define weights as a percentage of link bandwidth
while using a weighted round-robin scheduling algorithm. Figure 40-15 shows
an example where three queues in the system are given 20, 30 and 50 percent of
the bandwidth, respectively.
Figure 40-15 CBWFQ Round-Robin Scheduling
With the queuing system shown in the figure, if the outbound link is
congested, the scheduler guarantees the percent bandwidth shown in the
figure for each queue. That is, queue 1 takes 20 percent of the connection
even at peak times. In this method, the bandwidth is guaranteed, but the
order of output is determined by the round-robin algorithm.
I Quality of Service
Low Latency Queuing (LLQ)
Unfortunately, a round-robin scheduler on its own does not provide low enough latency,
jitter or loss for voice. Solution: add Low Latency Queuing (LLQ) to the scheduler.
The solution, LLQ, tells the scheduler to treat one or more queues as special priority
queues. The LLQ scheduler always takes the next packet from one of these special
priority queues whenever they hold any. Problem solved: very little delay for packets in
this queue, and therefore very little jitter. Figure 11-17 shows adding LLQ logic for the
voice queue.
Figure 40-16 Using LLQ with CBWFQ
In LLQ, we still guarantee bandwidth to the other classes and add priority: if voice
traffic arrives at the output queue, it goes to the front of the line.
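The two scheduling behaviours described above (CBWFQ's guaranteed percentage shares, and LLQ's priority queue that is always served first), simulated in Python as an added example that is not code from the training book. The share algorithm is a smooth weighted round-robin, a stand-in for CBWFQ's internal scheduler rather than Cisco's implementation; the queue names, the 20/30/50 weights from Figure 40-15, equal packet sizes and the arrival pattern are assumptions.

```python
"""Weighted round-robin (CBWFQ-style) scheduler with an optional LLQ
priority queue. Added example, not code from the training book; queue
names, weights and the packet sizes (all equal) are assumptions."""
from collections import Counter, deque


class Scheduler:
    def __init__(self, weights, priority_queue=None):
        # weights: class name -> guaranteed percent of link bandwidth
        self.weights = dict(weights)
        self.queues = {name: deque() for name in self.weights}
        self.credit = {name: 0 for name in self.weights}
        self.priority_queue = priority_queue
        if priority_queue is not None:
            self.queues[priority_queue] = deque()

    def enqueue(self, name, packet):
        self.queues[name].append(packet)

    def dequeue(self):
        """Pick the next packet to transmit, or None when everything is empty."""
        # LLQ rule: the priority queue is always served first when non-empty.
        pq = self.priority_queue
        if pq is not None and self.queues[pq]:
            return pq, self.queues[pq].popleft()
        # Smooth weighted round-robin over the CBWFQ classes that have traffic:
        # every active class earns its weight, the richest one sends and pays
        # the total, so over time each class gets exactly its share.
        active = [n for n in self.weights if self.queues[n]]
        if not active:
            return None
        total = sum(self.weights[n] for n in active)
        for n in active:
            self.credit[n] += self.weights[n]
        pick = max(active, key=lambda n: self.credit[n])
        self.credit[pick] -= total
        return pick, self.queues[pick].popleft()


def simulate(weights, slots, priority_queue=None, priority_packets=0):
    """Backlog every class with `slots` packets, then drain `slots` transmit
    slots from the interface. Returns (per-class transmit counts, transmit order)."""
    sched = Scheduler(weights, priority_queue)
    for name in weights:
        for i in range(slots):
            sched.enqueue(name, f"{name}-{i}")
    # Voice is enqueued last, i.e. it arrives behind a full backlog of data.
    if priority_queue is not None:
        for i in range(priority_packets):
            sched.enqueue(priority_queue, f"{priority_queue}-{i}")
    order = []
    for _ in range(slots):
        item = sched.dequeue()
        if item is None:
            break
        order.append(item[0])
    return Counter(order), order


if __name__ == "__main__":
    counts, _ = simulate({"data1": 20, "data2": 30, "data3": 50}, 100)
    print("CBWFQ only:", dict(counts))
    counts, order = simulate({"data1": 20, "data2": 30, "data3": 50}, 100,
                             priority_queue="voice", priority_packets=5)
    print("with LLQ:", dict(counts), "first five slots:", order[:5])
```

Under congestion the first run hands out exactly 20, 30 and 50 of 100 transmit slots; the second shows the LLQ effect: voice packets that arrived after 300 queued data packets still take the first five slots, which is the "very little delay" the text describes. A real LLQ also polices the priority queue so that it cannot starve the other classes; that limit is not modelled here.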
I Quality of Service
Shaping and Policing
Both policing and shaping monitor the bitrate of the combined messages flowing
through a device. When enabled, the tool notes each packet that passes the policer or
shaper and measures the bits per second over time. Both try to keep the bitrate at
or below the configured rate, but use two different methods: policing discards
excess packets, while shaping holds packets in a queue to delay them.
Policing
Traffic reaches network devices at a varying speed with spikes. In other words, if
you graph the bitrate of the bits entering or leaving any interface, the
graph will look like the left side of Figure 40-17. Policing measures this rate; the
horizontal dashed line on the left represents the rate configured for policing.
Therefore, policing has information about the measured bitrate over time, which
can be compared to the preset rate. The right side of the figure shows the excess
traffic cut off at the rate set for policing.
Figure 40-17 A Policing and Shaping Impact on Delivered Traffic Load
Where to Use Policing
Policing monitors messages, measures the rate and discards some messages. How
does this help us with QoS? At first glance, it seems to harm the network by
throwing out the messages sent by the transport or application layer. How does
discarding traffic improve bandwidth, delay, jitter or loss?
Policing only makes sense in certain situations and is generally used on
routers between two networks. For example, consider a typical point-to-point
metro Ethernet WAN connection between R1 and R2.
Figure 40-18 Ethernet WAN: Link Speed Versus CIR
Now imagine you have a 200 Mbps metro Ethernet connection as shown in the
figure. But keep in mind that the connection speed between the router and the
switch is 1 Gbps. Since the traffic leaving us is sent at 1 Gbps, but our contracted
rate is 200 Mbps, the excess packets leaving us will be policed by the ISP, but we can
limit the traffic to 200 Mbps ourselves before it leaves us.
I Quality of Service
Shaping
You have a 1 Gbps connection between an ISP's metro Ethernet switch and your
router, but the rate you get from the ISP is 200 Mbps, and the ISP will not
allow traffic exceeding 200 Mbps. Solution: we can hold our rate to 200 Mbps by
slowing down the traffic using shaping.
Shaping slows down messages by holding them in queues and scheduling their release.
Following the left-to-right flow in Figure 40-19, the packet is forwarded to an
interface of the router at a rate that shaping keeps from exceeding the configured rate.
Figure 40-19 Shaping Queues: Scheduling with LLQ and CBWFQ
Setting a Good Shaping Interval for Audio and Video
We tried to solve a QoS (quality of service) problem with a QoS tool, but the side
effect of shaping is that it slows packets down, which creates more latency and
possibly more jitter. Fortunately, you can (and should) configure a setting of
shaping that changes its internal operation, reducing the latency and jitter that
it causes for audio and video traffic.
Figure 40-20 One Second (1000 ms) Shaping Time Interval, Shaping at 20 percent of Line speed
The solution to this problem: configure a short time interval. Consider the
following time intervals (abbreviated Tc) and their effects, with shorter time
intervals for the same example:
Tc = 1 second (1000 ms): Send at 1 Gbps for 200 ms, rest for 800 ms
Tc = .1 second (100 ms): Send at 1 Gbps for 20 ms, rest for 80 ms
Tc = .01 second (10 ms): Send at 1 Gbps for 2 ms, rest for 8 ms
Use a short time interval when shaping. As a recommendation, use a 10 ms
interval to support audio and video.
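The Tc table above, reproduced and then measured on a simulated shaper, as an added Python example that is not code from the training book. shaping_interval() computes the send/rest split for one interval; shape() is a simplified interval-based shaper (refill Bc bits at the start of each Tc, a stand-in for the token-bucket logic in a real router) run over a constructed trace of 1500-byte packets arriving at 1 Gbps, and the longest silence between two transmissions is reported, since that "rest" period is what voice and video experience as jitter. The 1 Gbps line, 200 Mbps shaped rate, packet size and trace length are assumptions.

```python
"""Shaping interval (Tc) demo.

Added example, not code from the training book. shaping_interval()
reproduces the Tc table above (send/rest time per interval); shape()
is a simplified interval-based shaper run over a constructed arrival
trace to measure the longest gap between consecutive transmissions,
which is the 'rest' period that voice and video notice as jitter.
Times are integer microseconds to avoid floating-point drift.
"""


def shaping_interval(line_bps, shape_bps, tc_ms):
    """Per-interval burst (Bc) and how long the line is busy/idle within one Tc."""
    bc_bits = shape_bps * tc_ms / 1000            # bits allowed per interval
    send_ms = bc_bits * 1000 / line_bps           # time to send Bc at line rate
    return {"bc_bits": bc_bits, "send_ms": send_ms, "rest_ms": tc_ms - send_ms}


def shape(arrivals_us, line_bps, shape_bps, tc_us):
    """Release packets so that no more than Bc = shape_bps * Tc bits leave in
    any interval. arrivals_us: list of (arrival_time_us, size_bytes) in time
    order. Returns a list of departure times (us), one per packet."""
    bc = shape_bps * tc_us // 1_000_000
    tokens = 0
    current_interval = -1
    line_free_at = 0
    departures = []
    for arrival, size in arrivals_us:
        bits = size * 8
        t = max(arrival, line_free_at)
        while True:
            k = t // tc_us
            if k != current_interval:             # new interval: refill Bc
                current_interval, tokens = k, bc
            if tokens >= bits:
                break
            t = (k + 1) * tc_us                   # no credit left: wait for the next interval
        tokens -= bits
        line_free_at = t + bits * 1_000_000 // line_bps   # serialization time at line rate
        departures.append(t)
    return departures


def max_gap_us(departures):
    """Longest silence between two consecutive transmissions."""
    return max(b - a for a, b in zip(departures, departures[1:]))


def demo(tc_us, line_bps=1_000_000_000, shape_bps=200_000_000,
         packets=25_000, size=1500):
    """Constructed trace: 1500-byte packets arriving back-to-back at line
    rate (one every 12 us), i.e. a 300 ms burst at 1 Gbps into a 200 Mbps shaper."""
    gap_us = size * 8 * 1_000_000 // line_bps
    trace = [(i * gap_us, size) for i in range(packets)]
    return max_gap_us(shape(trace, line_bps, shape_bps, tc_us))


if __name__ == "__main__":
    for tc_ms in (1000, 100, 10):
        info = shaping_interval(1_000_000_000, 200_000_000, tc_ms)
        print(f"Tc={tc_ms} ms: send {info['send_ms']:.0f} ms, rest {info['rest_ms']:.0f} ms, "
              f"longest gap in simulation {demo(tc_ms * 1000) / 1000:.3f} ms")
```

With Tc = 1 s the simulated shaper goes silent for roughly 800 ms once the interval's 200 Mbit are spent; with Tc = 10 ms the longest silence is about 8 ms, which is why the 10 ms recommendation matters for voice and video even though the average rate is 200 Mbps in every case.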
Various IP Services
I First Hop Redundancy Protocol (FHRP)
I HSRP Concepts
I HSRP Load Balancing
I Simple Network Management Protocol (SNMP)
I FTP / TFTP
I IOS Image Update
I Various IP Services
First Hop Redundancy Protocol (FHRP)
When we use a design that includes redundant routers, switches, LAN
connections, and WAN connections in networks, in some cases other protocols are
required to avoid the problems this redundancy causes.
For example, imagine a WAN with many remote branches. If each remote branch
has two WAN links connecting it to the rest of the network, these routers can use
the IP routing protocol to choose the best routes. The routing protocol learns routes
over both WAN links, adding the best route to the routing table. When the better
WAN link fails, the routing protocol takes advantage of the redundant link and
adds the alternate route to the IP routing table.
Let's give a few examples. In Figure 41-1, we see a network with a single WAN
connection and a single router.
Figure 41–1 Router with Single WAN Connection
In Figure 41-2, there are two routers and two WAN connections on the main
side. Whichever route has priority when going to the remote site is used, and
if one of the lines breaks, the other one is used. On the remote side there is only
one router but two WAN connections.
Figure 41–2 R1 with two Wan Connections Redundancy
In Figure 41-3, backup was provided with two routers, but only one gateway IP
was given to the hosts.
Figure 41–3 Using Two Routers
I Various IP Services
Why FHRP is Necessary
Of the designs shown so far, only the design in Figure 41-3 has two routers in the
network on the left side of the figure. Having redundant routers on the same
subnet gives us redundancy, but manual intervention is required to make use of
that redundancy; in such cases an FHRP should be used in the network.
To see the necessity and benefit of using FHRP, first consider how these backup
routers can be used as default routers by hosts in VLAN 10 / subnet 10.1.1.0/24
as shown in Figure 41-4. Host IPs will remain unchanged, so each host has a
single default router IP. Therefore, we have some design options for the default
router settings:
All hosts in the subnet use R1 (10.1.1.9) as the default router, and if R1 has a
problem, we can statically reconfigure the default router settings to IP 10.1.1.129
of R2.
Half the hosts use R1, half R2 as default routers, and if one of the routers fails,
we can statically reconfigure the default router settings of half the users.
Figure 41–4 Using Different Default Routers for Different Users
There are three types of FHRP solutions, but we will only cover HSRP in the
CCNA training curriculum.
Figure 41–5 FHRP Solutions
I Various IP Services
HSRP Concepts
HSRP works with an active / standby model. HSRP allows two (or more) routers to
work together, all acting as default routers. However, only one router actively forwards
end-user traffic at any given time.
Packets sent to the default gateway (router) by the hosts are forwarded by this active
router. The other routers, which are in the HSRP standby state, wait in case
the active HSRP router has a problem.
The HSRP active router implements a virtual IP address and a virtual MAC address.
Figure 41–6 Traffic exiting R1, R2 in Standby
This virtual IP address exists as part of an additional configuration, the HSRP
configuration.
Under the interface configuration, this virtual IP address is given in the same subnet as the
interface IP address, but as a different IP address. The router then automatically
generates a virtual MAC address. All cooperating HSRP routers know these virtual
addresses, but only the active HSRP router uses them.
In Figure 41-6, R1 is active and traffic is flowing through R1; R2 is in the standby state.
If a problem occurs on R1, R2 becomes active, as we will see in the figure
below.
Figure 41–7 R1 cannot be accessed and R2 has taken over.
I Various IP Services
HSRP Load Balancing
HSRP works with an active / standby model, so the hosts in the same subnet exit
through the active router. As in Figure 41-6, all traffic leaves through R1 and R2 remains
on standby. But when configuring HSRP, we can select different active routers for
different subnets, which allows us to actively use both devices by distributing
traffic. Let's examine the example in Figure 41-8.
Figure 41–8 Load Balancing with HSRP Using
Different Active Routers in Different Subnets
HSRP Configuration
R1# show running-config ! Lines omitted for brevity
interface GigabitEthernet0/0
 ip address 10.1.1.9 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 name HSRP-Group
 standby 1 preempt
R2# show running-config ! Lines omitted for brevity
interface GigabitEthernet0/0
 ip address 10.1.1.129 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 preempt
 standby 1 name HSRP-Group
sh standby brief
The default priority is 100. When R1 is given priority 110, R1 becomes the active router.
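The election that the configuration above relies on, modelled in Python as an added example that is not code from the training book or from Cisco. Router names, interface IPs, priorities, the group number and the virtual IP are taken from the sample configuration (R1 10.1.1.9 with priority 110, R2 10.1.1.129 at the default 100, group 1, virtual IP 10.1.1.1); the sequence of failure and recovery events is constructed. The tie-break on the highest interface IP and the HSRP version 2 virtual MAC format (0000.0C9F.Fxxx, with the group number in the low 12 bits) are standard HSRP behaviour, not something the page states.

```python
"""HSRP active/standby election model.

Added example, not code from the training book. Router names, interface
IPs and priorities come from the sample configuration above (R1 10.1.1.9
priority 110, R2 10.1.1.129 at the default 100, group 1, virtual IP
10.1.1.1); the sequence of failure/recovery events is constructed.
"""
import ipaddress
from dataclasses import dataclass

DEFAULT_PRIORITY = 100


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    up: bool = True


def elect_active(routers):
    """Highest priority wins; a tie goes to the highest interface IP address."""
    candidates = [r for r in routers if r.up]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r.priority, int(ipaddress.ip_address(r.ip))))


class HsrpGroup:
    def __init__(self, group, virtual_ip, routers):
        self.group = group
        self.virtual_ip = virtual_ip
        self.routers = list(routers)
        self.active = elect_active(self.routers)

    @property
    def virtual_mac(self):
        # HSRP version 2 well-known MAC: 0000.0C9F.F000-0000.0C9F.FFFF,
        # the low 12 bits carry the group number.
        return f"0000.0c9f.f{self.group:03x}"

    def active_name(self):
        return self.active.name if self.active else None

    def router_event(self, name, up):
        """Mark a router up or down and re-run the election as HSRP would."""
        router = next(r for r in self.routers if r.name == name)
        router.up = up
        if not up and self.active is router:
            self.active = elect_active(self.routers)        # failover
        elif up and router is not self.active:
            best = elect_active(self.routers)
            # A better router only takes over if it has 'standby preempt';
            # without it the current active router keeps the role.
            if best is router and router.preempt:
                self.active = router
        return self.active_name()


def scenario(r1_preempt=True):
    """Run the book's two-router group through a failure and a recovery of R1."""
    r1 = HsrpRouter("R1", "10.1.1.9", priority=110, preempt=r1_preempt)
    r2 = HsrpRouter("R2", "10.1.1.129", preempt=True)
    g = HsrpGroup(1, "10.1.1.1", [r1, r2])
    return [g.active_name(), g.router_event("R1", False), g.router_event("R1", True)]


if __name__ == "__main__":
    print("with preempt on R1:   ", scenario(True))    # R1 -> R2 -> R1
    print("without preempt on R1:", scenario(False))   # R1 -> R2 -> R2
```

The second scenario is the one to remember when reading the configuration: without `standby 1 preempt` on R1, R2 stays active after R1 returns even though R1 has the higher priority, so the load-balancing plan in Figure 41-8 silently collapses onto one router until someone intervenes.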
I Various IP Services
Simple Network Management Protocol (SNMP)
NMS (Network Management System): software that provides
simultaneous monitoring and management of the information of all devices in
the network. The NMS typically polls the SNMP agent on each device. The NMS can
report the status of devices on the network by sending e-mails or messages to a
user. You can configure devices via SNMP if you have allowed SNMP to make
configuration changes. The NMS uses an SNMP Get message to request information
from a device. The NMS sends an SNMP Set message to change the device's
configuration. Figure 41-9 shows this SNMP Get and Set traffic.
Figure 41–9 SNMP Get Request and Get Response Message Flow
Most commonly, a network administrator collects and stores statistics over
time using the NMS and analyzes the stored data in various ways. To
be proactive, administrators can set thresholds for certain switch variables and tell
the NMS to send a notification when a threshold is crossed.
SNMP Notifications
In addition to the Get and Set messages, the SNMP agent can initiate communication
with the NMS. These messages, often referred to as notifications, use two
special SNMP messages: Trap and Inform. The agent tracks changes to the device via
SNMP and sends a Trap or Inform SNMP message to the NMS to report its
status.
As an example of a Trap, let's assume that Router 1's G0/0 interface fails as
shown in step 1 in Figure 41-10. When Traps are configured, the router sends
an SNMP Trap message to the NMS and this Trap message informs it that the
G0/0 interface is down. Then the NMS software can send a text message to
the network support personnel, open a window on the NMS screen, change the
color of the affected router icon to red in the graphical interface, etc.
Figure 41–10 SNMP Trap Notification Process
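What the Get message of Figure 41-9 looks like on the wire, as an added Python example that is not code from the training book: a minimal BER encoder and decoder for an SNMPv2c GetRequest, with no third-party library. The community string "public", request-id 1 and the sysUpTime object 1.3.6.1.2.1.1.3.0 are constructed sample values. Decoding the bytes shows that in SNMPv1/v2c the community string travels in clear text, which is why SNMP access should be restricted to the NMS by ACL, or SNMPv3 used, on any device that accepts Set messages.

```python
"""SNMPv2c GetRequest on the wire.

Added example, not code from the training book: a minimal BER encoder and
decoder for the Get message the NMS sends to an agent. The community
string 'public', request-id 1 and the sysUpTime OID 1.3.6.1.2.1.1.3.0
are constructed sample values. Decoding shows the community string is
carried in clear text, one reason to restrict SNMP access or use SNMPv3.
"""

SNMP_VERSION_2C = 1
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0


def _length(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(value):
    """Minimal two's-complement encoding (so 128 becomes 00 80, not 80)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(TAG_INTEGER, body)


def _oid(dotted):
    """First two arcs share one byte (40*x + y); later arcs are base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_get_request(community, oids, request_id=1):
    varbinds = b"".join(_tlv(TAG_SEQUENCE, _oid(o) + _tlv(TAG_NULL, b"")) for o in oids)
    pdu = _integer(request_id) + _integer(0) + _integer(0) + _tlv(TAG_SEQUENCE, varbinds)
    return _tlv(TAG_SEQUENCE,
                _integer(SNMP_VERSION_2C)
                + _tlv(TAG_OCTET_STRING, community.encode())
                + _tlv(TAG_GET_REQUEST, pdu))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_get_request(msg):
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, request_id, pos = _read_tlv(pdu, 0)
    _, _, pos = _read_tlv(pdu, pos)        # error-status
    _, _, pos = _read_tlv(pdu, pos)        # error-index
    _, varbind_list, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbind_list):
        _, varbind, pos = _read_tlv(varbind_list, pos)
        _, oid_body, _ = _read_tlv(varbind, 0)
        oids.append(_decode_oid(oid_body))
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(),
        "pdu_type": pdu_tag,
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "oids": oids,
    }


if __name__ == "__main__":
    msg = encode_get_request("public", ["1.3.6.1.2.1.1.3.0"])
    print(msg.hex())
    print(decode_get_request(msg))
```

The agent's GetResponse has the same layout with PDU tag 0xA2 and a value in place of each NULL; Trap and Inform messages reuse the same PDU structure with their own tags, which is why one small BER reader covers the whole of Figures 41-9 and 41-10.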
I Various IP Services
FTP and TFTP
File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) both use a
client and server model, where a client connects to a server and then the client can
copy files to or from the server.
Managing Cisco IOS with FTP / TFTP
IOS exists as a single file that routers load into RAM to use as the
operating system.
Cisco routers often use flash memory without a hard disk drive. Flash memory is
rewritable permanent storage. It is ideal for storing files that need to be kept when
the power to the router goes out. Flash memory has no moving parts, so it is less
likely to fail. Some routers have flash memory on the motherboard. Others have
flash memory slots that allow easy removal and replacement of the flash card,
but the card remains in the device most of the time. Also, many devices have
USB ports that support USB flash drives.
The IOS operating system is stored compressed in this flash memory. Flash also stores
other files used not only by IOS but also by the system, such as the startup-config.
IOS Image Upgrade
Step 1: First, the IOS image is downloaded from the Cisco support page.
Step 2: Place the downloaded file on an FTP/TFTP server or a USB stick.
Step 3: Copy it to the router's compact flash memory using the copy command.
Figure 41–11 IOS Image Update
I Various IP Services
IOS Image Verification
We can verify whether the IOS image file that we downloaded from Cisco's site
has been tampered with, using the MD5 hash that we get from the site.
FTP Upload
There are many file transfer options in the networking world; many of them are
supported by the IOS file system found in routers. TFTP and FTP have been
supported for the longest time, but newer protocols such as SFTP and
SCP are starting to be supported.
Sw-1(config)#ip ftp username cisco
Sw-1(config)#ip ftp password cisco
Sw-1#copy ftp: flash:
Address or name of remote host []? 192.168.1.10
Source filename []? c2960-lanbase-mz.122-25.SEE1.bin
Destination filename [c2960-lanbase-mz.122-25.SEE1.bin]?
Accessing ftp://192.168.1.10/c2960-lanbase-mz.122-25.SEE1.bin...
[OK - 4670455 bytes]
64016384 bytes total (54929883 bytes free)
Sw-1(config)#boot system flash:c2960-lanbase-mz.122-25.SEE1.bin
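The image verification step described above, done on the management host before the file is copied to flash, as an added Python example that is not code from the training book. The image bytes and the "published" digest are constructed so that the script runs offline; in practice the expected value is the MD5 (Cisco also publishes a SHA-512) shown on the download page, and the same comparison can be done on the device itself with `verify /md5 flash:<file> <hash>`.

```python
"""Checking a downloaded IOS image against the published hash.

Added example, not code from the training book. The 'image' bytes and the
'published' digest are constructed here so the script runs offline; in
practice the expected value is the MD5 (Cisco also publishes SHA-512)
shown on the download page, and the same check can be done on the device
with 'verify /md5 flash:<file> <hash>'.
"""
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so multi-hundred-megabyte images need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hex, algorithm="md5"):
    """True only if the file's digest matches the published one (case-insensitive,
    compared in constant time)."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Write a constructed stand-in image, verify it, then show that a single
    flipped bit is caught. Returns (good_ok, tampered_ok, sha512_ok)."""
    image = b"\x7fELF" + bytes(range(256)) * 64        # constructed, not a real IOS image
    published_md5 = hashlib.md5(image).hexdigest()     # stands in for the download page value
    published_sha512 = hashlib.sha512(image).hexdigest()
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
        path = tmp.name
    try:
        good_ok = verify_image(path, published_md5.upper())
        sha512_ok = verify_image(path, published_sha512, "sha512")
        tampered = bytearray(image)
        tampered[100] ^= 0x01                           # one bit changed in transit
        with open(path, "wb") as f:
            f.write(tampered)
        tampered_ok = verify_image(path, published_md5)
    finally:
        os.unlink(path)
    return good_ok, tampered_ok, sha512_ok


if __name__ == "__main__":
    print(demo())
```

Checking before the copy matters because the transcript above uses plain FTP, which gives no integrity protection of its own; a file that fails the check should be discarded and downloaded again rather than installed with `boot system`.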
Chapter - 13
Network Architecture
I LAN Architecture
I WAN Architecture
I Cloud Computing Architecture
LAN Architecture
I Two-Tier Campus Design (Collapsed Core)
I Three-Tier Campus Design (Core)
I Small Office/Home Office
I Power over Ethernet (POE)
I LAN Architecture
Two-Tier Campus Design (Collapsed Core)
Cisco uses some common terms to refer to Cisco-oriented LAN designs, to determine
all the requirements of a campus LAN and then to talk about it. You should know
some important campus design terminology.
Cisco uses three terms to describe the role of each switch in a campus design:
Access, Distribution and Core.
Access: the layer of switches that end devices connect to.
Distribution: the layer to which the access switches are connected.
Core: the layer to which the distribution switches are connected.
The Two-Tier Campus Design
Figure 42-1 shows a typical design of a large campus LAN. This
LAN has about 1000 PCs connected to 40 switches, each supporting about 25
ports. Figure 42-1 shows a two-layer design; the layers are the Access Tier (or
Layer) and the Distribution Tier (or Layer). A two-tier design solves
the main need.
Figure 42-1 Campus LAN with Design Terminology Listed
I LAN Architecture
Two-Tier Design Terminology
Star: A design in which a central device is connected to other devices, so that
when you draw the connections in every direction, the design looks like a star
shining in all directions.
Full Mesh: A design in which every switch is connected directly to every other switch.
Hybrid: A design that combines topology design concepts into a wider
(typically more complex) design.
Figure 42-2 The Star Topology Design Concept in Networking
Figure 42-3 Using a Full Mesh at the Distribution Layer, 6 Switches, 15 Links
I LAN Architecture
Three-Tier Campus Design (Core)
The two-layer design in Figure 42-1 is the most common campus design. It also
goes by two common names: Two-tier and Collapsed Core. Collapsed Core
means that the two-layer design does not have a third layer, the Core layer.
Imagine that your campus has only two or three buildings. Each building has a
two-tier design inside the building, with a pair of distribution
switches and access switches spread around the building as necessary. How do
you tie together the LANs in every building? With only a few buildings, as shown in
Figure 42-4, it makes sense to simply cable the distribution switches together.
Figure 42-4 Three Buildings Non-Core Two-Tier Design
However, for larger LAN designs, a Three-Tier design (with a Core Layer) saves
switch ports and cables. For the connections between the
buildings, remember that the cables are run outside and
underground, and that their installation is usually more expensive. Therefore, a core
layer can help reduce costs by not increasing the number of cables used between
buildings.
Figure 42-5 Three Buildings Three-Tier Design
I LAN Architecture
Small Office/Home Office
Small Office/Home Office (SOHO) LAN. A SOHO LAN varies significantly from
the design of a campus LAN: a small number of switches, a few APs, a few routers,
and different WAN connection designs and applications. The term SOHO refers to a
small office where one user or a small number of people work, often from home.
At home, you probably use a single device called a mini router. One side of the
device is connected to the Internet and the other side is connected to the devices in
the house. At home, the devices can be connected with either Wi-Fi or an
Ethernet cable, as in Figure 42-6.
Figure 42-6 Typical Soho Network Usage
Figure 42-7 shows how the only device used in the home or in the small office
does the work of a few devices.
Figure 42-7 Distribution of tasks of a single device
I LAN Architecture
Power Over Ethernet (PoE)
PoE was developed for devices that can be powered through the Ethernet cable. The
switch must provide this power to the device connected by the cable. Companies
can save cabling costs by using PoE.
Figure 42-8 Power Over Ethernet Example
Figure 42-9 Power over Ethernet Standards
PoE usually provides a great advantage for devices that are placed in positions
without an existing electrical cable or socket. For example, if you need to attach an
AP to the ceiling and there is no electric cable there, then PoE is very
advantageous. IP cameras can also be placed in ceiling corners or various
external locations. Instead of pulling new power and network cables for each
device, you can provide power to the device by pulling a single Ethernet cable
and communicate with normal Ethernet via the same cable.
WAN Architecture
I Metro Ethernet
I Multi Protocol Label Switching (MPLS)
I Internet
I VPN Fundamentals
I Site to Site VPN
I WAN Architecture
Metro Ethernet
Metro Ethernet (MetroE) includes various WAN services with some common
features. It uses physical Ethernet connections to connect the customer device to
the device of the service provider. The service is a Layer 2 WAN service: the provider
forwards Ethernet frames from one customer device to another. In
Figure 43-1, Metro Ethernet is shown connecting four branches.
Figure 43-1 Metro Ethernet Concept as a Large Ethernet Switch
From the SP perspective, the SP must establish a network to create the Metro
Ethernet service. To keep costs lower, the SP places a device physically as
close to as many customers as possible. These SP switches need to be close to
many customer locations, so that Ethernet standards support the distance
from the SP's point of presence (POP) to each customer. Figure 43-2 brings together
some of these terms and ideas.
Figure 43-2 Ethernet Access Links into a Metro Ethernet Service
Metro Ethernet Design and Topology
In order to use a Metro Ethernet service, each branch must be connected to the
service with an Ethernet connection.
Figure 43-3 Metro Ethernet Standards
I WAN Architecture
Multi Protocol Label Switching (MPLS)
In Figure 43-4, you can see Layer 3 routing, as represented by
the packet flowing from left to right. Each router makes a separate
forwarding decision to transmit the packet, as shown in Steps 1, 2 and 3. Each router
compares the destination IP address of the packet with the router's
IP routing table; the matching IP routing table entry tells the router where
to send the packet next. To learn these routes, routers typically run some
routing protocol.
Figure 43-4 Basic IP Routing of IP Packets
MPLS creates a WAN service that forwards IP packets among customer
locations. The customer deploys its own routers and switches as usual. The SP then
forms its own IP network covering a wide geographical region. The customer
then connects to the MPLS network with a connection from each location, and the
customer sends IP packets from one location to another with the SP forwarding them.
For example, Figure 43-5 represents an MPLS network with the
four SP routers in the middle, while the routers on the edges are the routers of a
company.
Figure 43-5 MPLS SP Topology Example
I WAN Architecture
Internet
In order to build the Internet, Internet service providers (ISPs) need
connections to other ISPs and to their customers. ISPs connect to each other by using
various high-speed technologies in the Internet infrastructure. They connect their
customers to the Internet using various technologies. The combination of
customer networks connected to ISP networks, and ISPs connected to each other,
creates the Internet worldwide.
Some WAN technologies work well especially as Internet access technologies. For
example, many telephone companies use the existing phone line at home, so that the
ISPs do not have to install additional cables. Some use TV cables, while some use wireless.
Figure 43-6 Internet Access Examples
Companies can also use the Internet as a WAN service when connecting their
locations. First, the company obtains an Internet connection
at each location. Then, using virtual private network (VPN) technology, the
company can create a VPN over the Internet. When sending VPN data over the
Internet, it can keep the packets confidential by encrypting them.
Access to the Internet
In addition to the traditional services shown in the figure, businesses can use Internet
access technologies that are used more frequently by consumers, including DSL, cable,
4G / 5G and fiber Ethernet. In this section, we will talk about Internet access
technologies before entering Internet VPN topics.
DSL - Digital Subscriber Line
DSL technology is widely used in Turkey. ISPs deliver their Internet connection to
homes or companies using the existing telephone cables. There are varieties of DSL
connection, such as ADSL, VDSL and G.SHDSL, and these connection
models can reach up to 100 Mbps.
Figure 43-7 DSL Internet Access Example
I WAN Architecture
Cable TV Internet
Cable TV Internet is a very low cost connection for a SOHO (Small Office).
Even for larger companies, cable (or DSL) can be very good as a backup link.
Cable Internet uses DOCSIS technology.
DOCSIS (Data Over Cable Service Interface Specification): All cable modems
and similar devices must comply with this standard.
Figure 43-8 Cable tv Internet Access Sample
Wireless WAN (3G, 4G, LTE, 5G)
Most of you have a mobile phone with Internet access. So, you can check your e-
mail, navigate the web, download apps, and watch videos. Today, most of us
rely on our mobile phones and the Internet access they give us. In this
section, we will examine mobile Internet access technology.
Mobile phones use radio waves to communicate with a nearby base station.
The phone has a small radio antenna, but the base station has a much larger
antenna. Telephones, tablet computers, laptops and even routers (with wireless WAN
cards) can communicate over the Internet using this technology, as shown in
Figure 43-9.
Figure 43-9 Mobile Internet Access Example
I WAN Architecture
Fiber (Ethernet) Internet
Copper wires are used in the cables used by DSL and cable Internet, but when
comparing different types of physical media, fiber optic cable usually
supports higher speeds over longer distances. That is, when comparing physical
network technologies across the breadth of the network, fiber optic cabling supports
longer connections, and these connections usually operate at equivalent or
higher speeds.
Some ISPs now offer fiber Internet access, which is often just called fiber.
To do this, some local companies with the right to install cabling underground
(usually a telephone company) set up new fiber optic cables. After the cable
plant is installed (usually a large budget, as well as years of work), the fiber
ISP connects its customers to the Internet using the fiber optic cable. Fiber usually
carries Ethernet protocols. Conclusion: high-speed Internet usually uses Ethernet
technology.
VPN Fundamentals
VPNs (Virtual Private Networks) can provide significant security features, such
as the following, when sending data through an open network like the Internet:
• Confidentiality (Privacy)
• Authentication
• Data Integrity
• Anti-Replay
Let's examine the traffic in Figure 43-10.
Figure 43-10 VPN Tunnel Concepts for a Site-to-Site Intranet VPN
I WAN Architecture
Site to Site VPN
A site-to-site VPN provides VPN service with a single VPN tunnel for the devices in two
locations. For example, if there are dozens of devices in each location that should
communicate between the locations, not every device should form its own VPN. Instead,
devices such as routers or firewalls (as shown in Figure 43-10) are configured
to form a VPN tunnel. The tunnel has endpoints that are always left in a
working state, so that the VPN is available whenever any device at either site
decides to send data. All devices in each location can reach the devices in the other
using the VPN through the firewall or router, without having to create a VPN themselves.
The data encryption for an IPsec VPN usually works as shown in Figure
43-11.
Figure 43-11 Basic IPsec Encryption Process
Remote Access VPNs with TLS
To support multiple devices in each location, a site-to-site VPN connection is
created by IT personnel. In contrast, a user can dynamically start their own
VPN connection in cases where there is no site-to-site VPN. For example, a user
can enter a café and connect to free Wi-Fi, but in this café there is no site-to-site VPN
that can reach the user's corporate network. Instead, the user can connect to the
company network via a previously installed Remote Access VPN program.
Remote access VPNs usually use the Transport Layer Security (TLS) protocol
to create a secure VPN session.
Figure 43-12 Remote Access VPN Options (TLS)
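Three of the four VPN properties listed under VPN Fundamentals (authentication, data integrity and anti-replay), shown on the receiving end of a tunnel as an added Python example that is not code from the training book or from any IPsec implementation. Each tunnel packet carries a sequence number and an HMAC-SHA256 tag; the receiver verifies the tag first and then applies a 64-packet sliding window in the style of IPsec ESP. The key, sequence numbers and payloads are constructed. Confidentiality, the fourth property, is the encryption step of Figure 43-11 and is left out here because Python's standard library has no AES.

```python
"""Authentication, integrity and anti-replay on a VPN tunnel packet.

Added example, not code from the training book. It models the receiving
side of an ESP-style tunnel: every packet carries a sequence number and an
HMAC-SHA256 tag, the receiver verifies the tag (authentication and data
integrity) and then applies a 64-packet sliding window (anti-replay). The
key, sequence numbers and payloads are constructed; confidentiality
(encryption) is left out because the standard library has no AES.
"""
import hashlib
import hmac
import struct

TAG_LEN = 32      # HMAC-SHA256 output
WINDOW = 64       # replay window size in packets


def protect(key, seq, payload):
    """Sender side: seq || payload || HMAC(key, seq || payload)."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key, window=WINDOW):
        self.key = key
        self.window = window
        self.highest = 0     # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence (highest - i) already seen

    def accept(self, packet):
        """Return 'ok' when the payload may be used, or the reason for dropping it."""
        if len(packet) < 4 + TAG_LEN:
            return "malformed"
        header, payload, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad integrity"      # forged or corrupted: checked before any state changes
        seq = struct.unpack("!I", header)[0]
        if seq == 0:
            return "replay"             # sequence 0 is never valid
        if seq > self.highest:          # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return "ok"
        offset = self.highest - seq
        if offset >= self.window:
            return "too old"            # fell out of the window, cannot tell if replayed
        if (self.bitmap >> offset) & 1:
            return "replay"             # exactly this sequence number was already accepted
        self.bitmap |= 1 << offset      # late but first-time: accept and remember it
        return "ok"


def demo():
    """Constructed traffic: in-order, reordered, replayed and tampered packets."""
    key = b"constructed-tunnel-key"
    rx = Receiver(key)
    p5 = protect(key, 5, b"payload five")
    tampered = bytearray(protect(key, 6, b"payload six"))
    tampered[4] ^= 0x01                 # flip one payload bit in transit
    return [
        rx.accept(protect(key, 1, b"payload one")),   # ok
        rx.accept(p5),                                 # ok (seq 2-4 still outstanding)
        rx.accept(p5),                                 # replay
        rx.accept(protect(key, 3, b"payload three")),  # ok, arrived late but within window
        rx.accept(bytes(tampered)),                    # bad integrity
        rx.accept(protect(key, 1, b"payload one")),    # replay
    ]


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: the tag is verified before the window is touched, so a forged packet cannot move the window or mark sequence numbers as seen, and a packet that is out of order but genuine is still accepted as long as it falls inside the window.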
Cloud Computing Architecture
I Server Virtualization
I Creating Virtual Switch
I Physical Data Center Network
I Cloud Information Services
Server Virtualization
Traditionally, when you think of a server, that server runs an operating
Today, most companies are instead of a virtual data centers. Each OS is
system. Inside, hardware contains a CPU, some RAM, some kind of
separated from the hardware and is therefore virtual (unlike physical). Any piece
permanent storage (such as disk drives) and one or more NIC. And an
of hardware that we will consider as a physical server before can operate more than
operating system can use all the hardware on the server and then run one or
one operating system at the same time with each virtual OS called virtual
more applications. Figure 44-1 shows these main ideas.
machine.
Although a virtual server is separated from the hardware, an OS still needs
hardware. Each virtual machine has a configuration for minimum number of
VCPUs, minimum RAM and similar. The virtualization system then starts the
virtual machine, so that it has sufficient physical hardware capacity to support
all virtual machines running on that physical server. Therefore, virtual servers
use a subset of CPU, RAM, storage and NICs on the physical server. In Figure
Figure 44-1 is an OS on a classic physical server and working applications
With the physical server model shown in Figure 44-1, each physical server
44-2, it shows a graph of this concept with four different VMs working on a
physical server.
operates an operating system and the operating system uses all the hardware
on that server. This was valid for the servers in the days before the server
virtualization.
Figure 44-2 Four virtual servers and applications working
under the management of Hypervisor on the physical server
I Cloud Architecture
Creating Virtual Switch on the Virtualized Server
Generally, there are two NICs on today's servers; of course, additional cards can
be added, and these cards support NIC speeds of 1 Gbps, 10 Gbps or even 40 Gbps.
Normally, an operating system has at least one NIC, maybe more. The operating
system still has a NIC (at least one) to ensure normal operation, but for a VM it is a
virtual NIC. (For example, in VMware's virtualization systems, a VM's virtual
NIC is called a vNIC.)
The server must connect the physical NICs and the vNICs used by the VMs in a switch.
Often, each server uses a kind of internal Ethernet switch
concept called a virtual switch or vSwitch. Figure 44-3 shows an example with four
VMs, each of which has a vNIC. The physical server has two physical NICs.
The vNICs and physical NICs are connected in a virtual switch.
Figure 44-3 Basic Networking in a Virtualized Host with a Virtual Switch
Ports Connected to VMs: The vSwitch can configure a port in its own VLAN, or
share the same VLAN with other VMs, or even use a VLAN trunk to the VM itself.
Ports Connected to Physical NICs: The vSwitch uses the physical NICs in the server
hardware, so that the vSwitch works with the external physical switch. The vSwitch can
use VLAN trunking (and uses it extensively).
Automated Configuration: Configuration can be easily done from the same
virtualization software that controls the VMs. This programmability allows the
virtualization software to move VMs between servers and re-program the
vSwitch, so that the VM has the same network capabilities, no matter where it
runs.
Physical Data Center Network
In a virtualized data center, each physical server must have a physical
connection to the network. Figure 44-4 shows traditional cabling for a data
center LAN. Each long rectangle represents a rack in the data center, the small
squares represent servers, and the lines represent the cables connected to the
NIC ports.
Figure 44-4 Traditional Physical Data Center Network
Workflow with a Virtualized Data Center
Virtualization engineers also install and customize the virtualization tools.
Beyond the hypervisor on each server, many other tools help manage and control
a virtualized data center. For example, with data center management software,
one console can manage all the hypervisors and the virtual servers running on
them.
Now suppose a customer wants a "server". In fact, the developer needs a VM (or
several) with specific requirements: a certain number of vCPUs, a certain
amount of RAM, and so on. The developer asks the virtualization engineer to
create the VMs, as shown in Figure 44-5.
Figure 44-5 Customer's virtual server request and creation of the VM
Cloud Computing Services
Cloud computing is a different model of providing IT services. Cloud computing
usually relies on virtualization products, but it also uses products built
specifically for cloud computing. Cloud computing is not just a group of
products to be deployed; it is a way of providing IT services.
Private Cloud (On-Premises)
To create a private cloud, an organization usually expands its IT tools (such
as virtualization tools) and changes its internal workflow processes.
For example, imagine that an application developer in a company needs VMs to
develop an application. The developer may want these VMs to be created
automatically and be available within minutes.
Many cloud computing services use a catalog to achieve this. The catalog is
presented to the user as a web application that lists everything that can be
requested from the company's cloud infrastructure. As shown in Figure 44-6,
the user requests a VM from the catalog, and in step 2 of the figure the VM
appears within minutes, without human interaction, ready for use.
Figure 44-6 Basic Private Cloud Workflow to Create One VM
For this process to work, the cloud team must add some tools and processes to
the virtualized data center. For example, it installs software that builds the
cloud services catalog on top of the APIs of both the user interface and the
virtualization systems. This interface software reacts to user requests by
calling the virtualization software's APIs to add, move or create virtual
machines. In addition, a cloud team of server, virtualization and network
engineers collects user statistics and, based on them, tests and adds new
services to the catalog.
Public Cloud
In a private cloud, the cloud provider and the cloud consumer are part of the
same company. In a public cloud the opposite applies: the public cloud provider
sells its services to any user at any company, over the Internet. Figure 44-7
shows the public cloud workflow.
Figure 44-7 Public Cloud Provider in the Internet
Cloud and the "as a service" model
In cloud computing, three service models are the most common in the market
today:
✓ Infrastructure as a Service (IaaS): the provider delivers VMs, storage and
network; the customer installs and manages the operating system and
applications.
✓ Software as a Service (SaaS): the provider runs the complete application and
the customer simply uses it.
✓ (Development) Platform as a Service (PaaS): the provider delivers a ready
development and runtime platform on which the customer builds and deploys its
own applications.
Figure 44-8 IaaS Concept
Figure 44-9 SaaS Concept
Figure 44-10 PaaS Concept
Chapter - 14
NETWORK AUTOMATION
I Controller Based Networks
I Cisco Software Defined Access-SDA
I Understanding REST and JSON
I Understanding Ansible, Puppet, and Chef
Controller Based Networks
I SDN and Controller Based Networks
I Controllers and Software-Defined Architecture
I Network Programmability and SDN Examples
I Controller Based Networks
SDN and Controller Based Networks
Software Defined Networking (SDN)
In this chapter we will cover the most basic concepts of SDN and network
programmability. We will start by dividing the functions found in traditional
network devices into planes, and then look at how a network can be managed
centrally using management software called a Controller.
Data, Control, and Management Planes
First, let's talk about some functions of network devices. Routers and
switches, for example, are connected to each other by cables and wireless
links to form a network. Switches forward Ethernet frames, routers forward IP
packets. They use many different protocols, such as routing protocols, to learn
network layer routes.
Each function a network device performs can be placed in a particular plane.
These categories are divided into three: the Data Plane, the Control Plane and
the Management Plane.
Data Plane
The term Data Plane refers to the tasks a network device performs to forward a
message. In other words, everything it does to receive, process and transmit
each frame or packet is part of the Data Plane.
As an example, consider how routers forward IP packets, as shown in Figure
45-1. Thinking in terms of Layer 3 logic:
Step 1: The host sends the packet to its default router, R1.
Step 2: R1 does some processing on the received packet, makes a forwarding
decision and forwards the packet.
Steps 3 and 4: Routers R2 and R3 also receive, process and forward the packet.
All of this takes place in the Data Plane of each router.
Figure 45-1 Data Plane Operations on a Router in Simple
Let's look at the details of some of the functions commonly performed in the
Data Plane of network devices:
■ Un-encapsulating and re-encapsulating the packet inside an Ethernet frame
(routers and Layer 3 switches)
■ Adding or removing 802.1Q trunk headers (routers and switches)
■ Matching the destination MAC address of an Ethernet frame against the MAC
address table (Layer 2 switches)
■ Matching the destination IP address of an IP packet against the IP routing
table (routers and Layer 3 switches)
■ Encrypting data and adding a new IP header (for VPN operations)
■ Changing the source or destination IP address (for NAT operations)
■ Discarding a message because of a filter (ACLs and port security)
All the actions in this list belong to the Data Plane, because the Data Plane
contains every action performed per message.
Control Plane
The term Control Plane refers to any action that controls the Data Plane. You
already know many Control Plane protocols; for example, all IP routing
protocols work in the Control Plane.
Traditional networks use both a distributed Data Plane and a distributed
Control Plane. In other words, every device has its own Data Plane and its own
Control Plane. Figure 45-2 shows the Data Plane and Control Plane of routers.
Figure 45-2 Working Logic of Control and Data Plane Stages in Router
In the figure, OSPF, a Control Plane protocol, runs on all the routers. It
adds, removes and changes routes in the IP routing table of each router. Once
valid routes have been determined, the Data Plane can forward incoming
packets. The following list includes most of the common Control Plane
protocols:
■ Routing protocols: OSPF, EIGRP, RIP, BGP
■ IPv4 ARP
■ IPv6 Neighbor Discovery Protocol (NDP)
■ MAC address learning on switches
■ STP
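The per-message Data Plane operations listed above (un-encapsulation, 802.1Q tag handling, ACL filtering, routing table lookup, re-encapsulation) can be seen end to end in working code. The following is an added example written for this page, not code from the book or from any Cisco device: a toy Layer 3 switch Data Plane in Python that parses a tagged frame, checks an ACL, does a longest-prefix-match routing lookup, decrements the TTL, fixes the IP checksum and re-encapsulates the packet on the outgoing trunk VLAN. The MAC addresses, routes, ARP entries, ACL and frames are constructed sample data; on a real device the ARP and routing entries come from the Control Plane, and here they are simply pre-populated.

```python
"""Toy Layer 3 switch data plane (added example with constructed data, not book code)."""
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_frame(frame):
    """Un-encapsulate: split off the Ethernet header and any 802.1Q trunk tag."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if etype == ETHERTYPE_8021Q:                    # remove the 802.1Q header
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": etype, "payload": frame[offset:]}


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Re-encapsulate: new Ethernet header, plus an 802.1Q tag when sent on a trunk."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src_ip, dst_ip, ttl=64, proto=17, data=b""):
    """Constructed IPv4 packet (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0x1234, 0,
                      ttl, proto, 0, src_ip.packed, dst_ip.packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + data


def lpm_lookup(routing_table, dst_ip):
    """Longest-prefix match over (network, next_hop, out_vlan) entries."""
    best = None
    for net, next_hop, out_vlan in routing_table:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, out_vlan)
    return best


def acl_permits(acl, src_ip, dst_ip):
    """First-match ACL of (action, src_net, dst_net) entries; implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if src_ip in src_net and dst_ip in dst_net:
            return action == "permit"
    return False


def forward(frame, router_mac, routing_table, arp_cache, acl):
    """Run one frame through the data plane: ('drop', reason) or ('forward', new_frame)."""
    f = parse_frame(frame)
    if f["dst"] != router_mac or f["ethertype"] != ETHERTYPE_IPV4:
        return ("drop", "not an IPv4 packet addressed to this router")
    pkt = f["payload"]
    src_ip, dst_ip = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    if not acl_permits(acl, src_ip, dst_ip):
        return ("drop", "denied by ACL")
    route = lpm_lookup(routing_table, dst_ip)
    if route is None:
        return ("drop", "no route")
    next_mac = arp_cache.get(route[1])
    if next_mac is None:
        return ("drop", "no ARP entry for next hop")
    if pkt[8] <= 1:
        return ("drop", "TTL expired")
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1                                     # decrement the TTL ...
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))   # ... and recompute the checksum
    return ("forward", build_frame(next_mac, router_mac, ETHERTYPE_IPV4, bytes(hdr) + pkt[20:], vlan=route[2]))


def demo():
    """Constructed tables and two frames on VLAN 10: one routed, one denied by the ACL."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    router_mac, host_mac = mac("00:00:0c:00:00:01"), mac("00:11:22:33:44:55")
    routing_table = [(net("0.0.0.0/0"), ip("10.0.0.2"), 10),
                     (net("172.16.0.0/16"), ip("10.0.1.2"), 20),
                     (net("172.16.5.0/24"), ip("10.0.2.2"), 30)]
    arp_cache = {ip("10.0.0.2"): mac("00:00:0c:00:00:02"),
                 ip("10.0.1.2"): mac("00:00:0c:00:00:03"),
                 ip("10.0.2.2"): mac("00:00:0c:00:00:04")}
    acl = [("deny", net("192.168.1.0/24"), net("172.16.5.0/24")),
           ("permit", net("0.0.0.0/0"), net("0.0.0.0/0"))]
    allowed = build_frame(router_mac, host_mac, ETHERTYPE_IPV4,
                          build_ipv4(ip("192.168.2.10"), ip("172.16.5.7"), data=b"hello"), vlan=10)
    denied = build_frame(router_mac, host_mac, ETHERTYPE_IPV4,
                         build_ipv4(ip("192.168.1.10"), ip("172.16.5.7")), vlan=10)
    return {"allowed": forward(allowed, router_mac, routing_table, arp_cache, acl),
            "denied": forward(denied, router_mac, routing_table, arp_cache, acl)}
```

Note that the /24 route wins over the /16 and the default route for 172.16.5.7, so the routed frame leaves on VLAN 30 toward the next hop's MAC, and that the ACL's implicit deny means a packet matching no entry is dropped, exactly as on a Cisco ACL.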
Management Plane
The Control Plane directly affects the behavior of the Data Plane. The
Management Plane does not; instead, it contains the protocols we use to manage
the network devices themselves. Telnet and SSH are Management Plane protocols,
as are SNMP and the newer NETCONF and RESTCONF mentioned later with DNA
Center. Note that Telnet sends logins and commands in cleartext, so on any
network that can be sniffed only SSH should be enabled for device management.
Figure 45-3 shows some of the Management Plane protocols.
Figure 45-3 Working Logic of Control and Data Plane Stages in Router
Controllers and Software-Defined Architecture
New approaches to networking emerged in the 2010s, most of them moving Control
Plane functionality into a piece of software called a Controller that runs as
a central application.
Central Management with Controllers
Most traditional Control Plane operations use a distributed architecture. For
example, each router runs its own OSPF routing protocol process. To do their
work, these distributed Control Plane processes exchange messages, such as OSPF
protocol messages, between the routers. As a result, traditional networks are
said to use a distributed Control Plane.
There are pros and cons to using a distributed or a centralized architecture
for any function in a network. Many Control Plane functions have a long history
of working well with a distributed architecture. However, a centralized
application may be easier to write than a distributed one, because the
centralized application collects all the data in one place. This emerging
world of software-defined architectures (SDA) uses a centralized architecture
with a central Control Plane, called the Controller, at its foundation.
A Controller centralizes control of the network devices in a software-defined
network (SDN). The degree of control and the type of control vary greatly. For
example, a Controller can perform all Control Plane functions, replacing the
distributed Control Plane of the devices. Alternatively, the Controller can
manage the ongoing operation of the distributed Data, Control and Management
Planes without changing the way the devices operate. And the list goes on with
many variations.
To better understand the idea of a Controller, consider the special case shown
in Figure 45-4, where an SDN Controller centralizes all important Control Plane
functions. First, the Controller connects to the network so that it can reach
the devices. Each network device still has a Data Plane; however, the Control
Plane functions of the devices are now performed by the Controller. The
Controller programs the Data Plane entries of the devices directly. The
network devices no longer populate their forwarding tables through traditional
distributed Control Plane operations.
Figure 45-4 Centralized Control Plane and a Distributed Data Plane
Southbound Interface
In a Controller-based network architecture, the Controller must communicate
with the network devices. In most network and architecture drawings, these
devices are placed below the Controller, as in Figure 45-4. There is an
interface between the Controller and these devices, and because the devices
sit at the bottom of the drawings this interface came to be known as the
Southbound Interface (SBI).
An SBI usually contains a protocol so that the Controller and the devices can
communicate, but it often also includes an application programming interface
(API). An API is a method for an application (program) to exchange data with
another application. While a protocol usually exists as a document from a
standards body, an API exists as reusable code (functions, variables and data
structures) that a program can call to send and receive structured data with
another program across a network.
The SBI is the interface between the Controller and the network devices: it
lets the two programs communicate, and its main purpose is to let the
Controller program the Data Plane forwarding tables of the network devices.
Because whoever controls the SBI controls how every device forwards traffic,
the SBI channel must be authenticated and encrypted; OpenFlow, for example,
supports TLS between the Controller and the switches, and NETCONF runs over
SSH.
Figure 45-4 Centralized Control Plane and a Distributed Data Plane
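The model of Figure 45-4, as an added example in Python (written for this page, not code from the book or from any vendor's Controller): a toy SDN Controller that holds the topology, computes the paths centrally (the work OSPF would otherwise do on every router) and pushes match/action entries into each switch's flow table through a southbound call. The switches keep only a Data Plane: match the destination, return the output port. The switch names, port numbers, link costs and hosts are constructed. The southbound call is a plain Python method here; in a real network it would be OpenFlow or NETCONF over an authenticated, encrypted channel. The example also shows the operational consequence of centralization: when a link fails, the affected switch black-holes traffic until the Controller recomputes and reprograms the flow tables.

```python
"""Toy SDN Controller with a centralized Control Plane (added example, constructed topology)."""
import heapq


class Switch:
    """Data Plane only: a flow table and a lookup. No routing protocol runs here."""

    def __init__(self, name):
        self.name = name
        self.flow_table = {}            # destination host -> output port

    def install_flow(self, dst_host, out_port):
        """The southbound call: the Controller writes one forwarding entry."""
        self.flow_table[dst_host] = out_port

    def forward(self, dst_host):
        """Per-packet work: match the destination, return the port (None = drop)."""
        return self.flow_table.get(dst_host)


class Controller:
    """Centralized Control Plane: knows the topology, computes paths, programs switches."""

    def __init__(self):
        self.switches = {}
        self.adj = {}                   # switch -> {neighbor: (local port, link cost)}
        self.hosts = {}                 # host -> (edge switch, port)

    def add_switch(self, name):
        self.switches[name] = Switch(name)
        self.adj[name] = {}

    def add_link(self, a, port_a, b, port_b, cost=1):
        self.adj[a][b] = (port_a, cost)
        self.adj[b][a] = (port_b, cost)

    def remove_link(self, a, b):
        """A link failure reported to the Controller (for example a port-down event)."""
        self.adj[a].pop(b, None)
        self.adj[b].pop(a, None)

    def attach_host(self, host, switch, port):
        self.hosts[host] = (switch, port)

    def next_hops_to(self, target):
        """Dijkstra from the target switch; returns {switch: neighbor on its best path}."""
        dist, via, heap = {target: 0}, {}, [(0, target)]
        while heap:
            d, u = heapq.heappop(heap)
            if d > dist[u]:
                continue
            for v, (_, cost) in self.adj[u].items():
                if d + cost < dist.get(v, float("inf")):
                    dist[v], via[v] = d + cost, u
                    heapq.heappush(heap, (d + cost, v))
        return via

    def program_network(self):
        """Compute every path centrally and push one flow entry per host into every switch."""
        for sw in self.switches.values():
            sw.flow_table.clear()
        for host, (edge, host_port) in self.hosts.items():
            via = self.next_hops_to(edge)
            for name, sw in self.switches.items():
                if name == edge:
                    sw.install_flow(host, host_port)
                elif name in via:
                    sw.install_flow(host, self.adj[name][via[name]][0])
                # a switch with no path to the edge gets no entry and drops that traffic

    def trace(self, src_host, dst_host):
        """Follow the programmed Data Planes hop by hop (the idea behind a path trace)."""
        sw, dst_sw = self.hosts[src_host][0], self.hosts[dst_host][0]
        path = [sw]
        while sw != dst_sw:
            port = self.switches[sw].forward(dst_host)
            nxt = next((n for n, (p, _) in self.adj[sw].items() if p == port), None)
            if nxt is None:             # no entry, or an entry that points at a dead link
                return path + ["DROP"]
            sw = nxt
            path.append(sw)
        return path


def build_demo():
    """Constructed four-switch topology: S1-S2-S4 is cheap, S1-S3-S4 is an expensive backup."""
    c = Controller()
    for name in ("S1", "S2", "S3", "S4"):
        c.add_switch(name)
    c.add_link("S1", 2, "S2", 1, cost=1)
    c.add_link("S2", 2, "S4", 2, cost=1)
    c.add_link("S1", 3, "S3", 1, cost=1)
    c.add_link("S3", 2, "S4", 3, cost=10)
    c.attach_host("H1", "S1", 1)
    c.attach_host("H2", "S4", 1)
    c.program_network()
    return c
```

After `build_demo()`, `trace("H1", "H2")` walks S1, S2, S4. If the S2-S4 link is removed with `remove_link` and the Controller has not yet run `program_network()` again, S2 still holds the stale entry and the trace ends in DROP; after reprogramming, traffic follows S1, S3, S4. In a distributed Control Plane the routers would reconverge by themselves; here nothing recovers until the central Controller does.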
Northbound Interface
In a central control model, the Controller does most of the Control Plane work
and gathers all sorts of useful information about the network. The Controller
can therefore keep a central repository of that information. The following list
shows the kind of information a Controller collects about the network:
■ List of all devices on the network
■ Capabilities of each device
■ Interfaces/ports on each device
■ Current status of each port
■ Topology: which devices are connected to which interfaces
■ Device configuration: IP addresses, VLANs, and so on
A Controller opens a Northbound Interface (NBI) so that its data and functions
can be used by other programs, enabling much faster network programmability.
Programs can retrieve information through the Controller's APIs. NBIs also let
programs use the Controller's capabilities to program forwarding entries into
the devices through the Controller's SBIs.
To see where the NBI sits, first consider the Controller itself. A Controller
is software that runs on a VM or a physical server. An application can run on
the same server as the Controller and use an API, the NBI, so that the two
programs can communicate.
Figure 45-5 shows just such an example. The big box in the figure represents
the system where the Controller software runs. This Controller is Java-based
software with a native Java API. The Controller vendor, another company, or
anyone else can write an application that runs on the same operating system and
uses the Controller's Java API. By using this API to exchange data with the
Controller, the application can learn the information about the network.
Figure 45-5 Java API: Java Application Communicates with the Controller
Network Programmability and SDN Examples
In this chapter we will look at three different SDN and network programmability
solutions, two of them from Cisco:
• OpenDaylight Controller
• Cisco Application Centric Infrastructure (ACI)
• Cisco APIC Enterprise Module (APIC-EM)
OpenFlow comes from the Open Networking Foundation (ONF), and the SDN model
built around it is called Open SDN. The ONF (www.opennetworking.org) is a
consortium of users (operators) and vendors that helps establish SDN in the
marketplace; its purpose is to help people implement their SDN vision using
SBIs and NBIs.
The Open SDN model centralizes most Control Plane functions: the network is
controlled by the Controller, and all applications use the Controller's NBIs.
The figure below, which shows network devices without Control Plane functions,
represents this centralized OpenFlow model of SDN. In the OpenFlow model,
applications can use whatever APIs (NBIs) their Controller supports to dictate
which forwarding entries are added to the devices, but the network devices must
support OpenFlow.
The ONF model of SDN features OpenFlow. OpenFlow defines the Controller
concept together with an IP-based SBI between the Controller and the network
devices. OpenFlow also defines a standard model of a switch's capabilities,
based on the ASICs and TCAMs commonly used in switches today.
OpenDaylight Controller
OpenDaylight is one of the most successful SDN Controller platforms to emerge
from the industry consolidation of the 2010s as an open source SDN Controller.
Any vendor can use the open source Controller as the basis for its products,
so each vendor can focus on product differentiation rather than core features.
As a result, the OpenDaylight SDN Controller (www.opendaylight.org) was born in
the mid-2010s. OpenDaylight (ODL) started as a separate project but is now
maintained as a project of the Linux Foundation. Figure 45-6 shows a
generalized version of the ODL architecture.
Figure 45-6 Architecture of NBI, Controller Internals, and SBI to Network Devices
Cisco Open SDN Controller (OSC)
In the 2010s, Cisco released a commercial version of the OpenDaylight
Controller called the Cisco Open SDN Controller (OSC). This Controller was
based on the model developed by the ODL project.
Cisco no longer builds or sells Cisco OSC; I mention this past product briefly
for your knowledge.
Cisco Application Centric Infrastructure (ACI)
When Cisco redesigned networking for the data center, the ACI designers focused
on the applications running in the data center and what those applications
need. As a result, they built the networking concepts around application
architectures. Cisco made its network infrastructure application-centric, which
is why Cisco's SDN data center solution is called Application Centric
Infrastructure (ACI).
ACI Physical Design: Spine and Leaf
Cisco ACI uses a special physical switch topology called spine and leaf. With
ACI, the physical network contains a set of spine switches and a set of leaf
switches, as shown in Figure 45-7.
Figure 45-7 Spine-Leaf Network Design
■ Each leaf switch must be connected to each spine switch.
■ Each spine switch must be connected to each leaf switch.
■ Leaf switches cannot be interconnected.
■ Spine switches cannot be interconnected.
■ Endpoints connect to leaf switches only.
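The five rules above are easy to encode as a check, which is useful when reviewing a cabling plan before the fabric is built. The following is an added example for this page, not Cisco code or any ACI tool: a Python function that validates a proposed spine-leaf fabric against exactly those rules. The switch names, cables and endpoints in the two demo fabrics are constructed.

```python
"""Spine-leaf cabling check (added example with constructed data; not Cisco code)."""


def check_spine_leaf(spines, leaves, links, endpoints):
    """Return a sorted list of rule violations for a proposed fabric.

    spines, leaves: iterables of switch names
    links: iterable of (switch_a, switch_b) cable pairs, order irrelevant
    endpoints: {endpoint_name: switch_it_connects_to}
    """
    spines, leaves = set(spines), set(leaves)
    cables = {frozenset(pair) for pair in links}
    problems = []
    # Rules 1 and 2: every leaf connects to every spine (a full mesh between the tiers).
    for spine in spines:
        for leaf in leaves:
            if frozenset((spine, leaf)) not in cables:
                problems.append(f"missing link: spine {spine} to leaf {leaf}")
    # Rules 3 and 4: no leaf-to-leaf and no spine-to-spine links.
    for cable in cables:
        if len(cable) != 2:
            problems.append(f"link from a switch to itself: {next(iter(cable))}")
            continue
        a, b = sorted(cable)
        if a in leaves and b in leaves:
            problems.append(f"leaf-to-leaf link not allowed: {a}-{b}")
        elif a in spines and b in spines:
            problems.append(f"spine-to-spine link not allowed: {a}-{b}")
        elif not {a, b} <= spines | leaves:
            problems.append(f"link to unknown switch: {a}-{b}")
    # Rule 5: endpoints (servers, routers, APICs, ...) attach to leaf switches only.
    for endpoint, switch in endpoints.items():
        if switch not in leaves:
            problems.append(f"endpoint {endpoint} attached to {switch}, which is not a leaf")
    return sorted(problems)


def demo_good():
    """Two spines, three leaves, full mesh, endpoints on leaves: no violations."""
    return check_spine_leaf(
        ["SP1", "SP2"], ["LF1", "LF2", "LF3"],
        [("SP1", "LF1"), ("SP1", "LF2"), ("SP1", "LF3"),
         ("SP2", "LF1"), ("SP2", "LF2"), ("SP2", "LF3")],
        {"srv1": "LF1", "srv2": "LF3"})


def demo_bad():
    """A missing uplink, a leaf-leaf cable, a spine-spine cable and a server on a spine."""
    return check_spine_leaf(
        ["SP1", "SP2"], ["LF1", "LF2"],
        [("SP1", "LF1"), ("SP1", "LF2"), ("SP2", "LF1"), ("LF1", "LF2"), ("SP1", "SP2")],
        {"srv1": "LF1", "srv2": "SP2"})
```

Running `demo_bad()` reports each broken rule by name, which is the list a reviewer would hand back with the cabling plan.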
Cisco APIC Enterprise Module
When Cisco started bringing its new network designs to enterprise customers,
it faced a major hurdle. Most of the devices already installed in customers'
networks did not support the SBIs that an enterprise SDN solution needs, so
SDN could not be implemented centrally on them. The APIC-EM product was
developed for exactly this situation.
APIC-EM Basics
When Cisco introduced its first enterprise SDN (network programmability)
solution, it rejected the idea of customers replacing all their hardware with
SDN-capable products. Instead, it looked for ways to add the benefits of SDN,
through a central Controller, to networks without replacing the existing
devices. The Cisco APIC-EM product offered enterprise SDN features without
changing the devices in existing networks.
What advantages can a Controller-based architecture offer if the devices on
the network have no new SDN features? It can provide the advantages shown in
Figure 45-8.
Figure 45-8 APIC-EM Controller Model
■ Topology Map: The application discovers and displays the topology of the
network.
■ Path Trace: The user provides a source and a destination device, and the
application shows the route through the network with the forwarding details
at each hop.
■ Plug and Play: This application provides plug-and-play support, so you can
take a new device out of the box and make it reachable by IP through
automation in the Controller.
■ Easy QoS: With a few simple steps in the Controller, you can configure
complex QoS features on each device.
Cisco announced the end of sale of the APIC-EM product in 2019. Many of the
functions of APIC-EM have become key features of Cisco DNA Center (DNAC).
SDA
Software Defined Access
I SDA Fabric, Underlay, and Overlay
I DNA Center as Network Management Platform
I DNA Center and SDA Operation
I Software-Defined Access
SDA Fabric, Underlay, and Overlay
Cisco Software Defined Access (SDA) is a completely new way of building campus
LANs compared to traditional networking methods. Cisco began redesigning
campus LANs with SDA in the mid-2010s.
SDA uses a software-defined architecture model with a Controller and various
APIs. In this architecture a physical network is still used, with switches,
routers, cables and various endpoints. As shown in Figure 46-1, the Digital
Network Architecture (DNA) Center software becomes the central Controller, and
automation is provided through a graphical user interface (GUI) and APIs. In
short, DNA Center is the Controller of SDA networks.
Architecturally, the SBI side of the Controller consists of the fabric, the
underlay and the overlay:
Underlay: The underlay uses the wired and wireless connections to dynamically
discover all SDA-capable devices and to provide IP connectivity between them,
which is the basis for building the VXLAN tunnels.
Overlay: VXLAN tunnels are created between the SDA switches, and the SDA
fabric then uses those tunnels to move traffic from one device to another.
Fabric: The combination of the overlay and the underlay, which together
provide all the features needed to transmit data over the network.
Figure 46-1 DNA-Centered SDA Architecture Model
SDA Underlay
The SDA underlay provides connectivity between the switches in the SDA
environment so that the VXLAN tunnels of the overlay network can be built on
top of it. The underlay uses the wired and wireless connections that make up
the physical network.
Using Existing Devices for the SDA Underlay
Companies have two basic options for building an SDA underlay network. They
can use the switches of the existing campus network, or they can buy new
switches, build the SDA network alongside the existing one without worrying
about disrupting existing traffic, and migrate endpoints to the new SDA network
over time.
Using New Devices for the SDA Underlay
Buying new devices for the SDA fabric avoids many of the difficulties that can
arise when reusing existing devices. You can simply order compatible hardware
and software and let DNA Center configure all the underlay features
automatically.
SDA Overlay
First, an endpoint sends a frame to be delivered across the SDA network. The
first SDA switch to receive the frame encapsulates it using a tunneling feature
called VXLAN and forwards it. The other SDA switches forward the frame
according to the VXLAN tunnel details. The last SDA switch removes the VXLAN
encapsulation and forwards the original frame to the destination endpoint.
Figure 46-3 Basics of VXLAN Encapsulation in SDA
For this to work, the underlay must first give every switch an IP address; the
example uses the 172.16.0.0/16 IPv4 address space. The figure shows a small
SDA design with four switches, each with its underlay IP address (from the
172.16.0.0/16 space).
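What the first and last SDA switches do with the frame, as an added example for this page (not Cisco's implementation or any SDA code): a Python encapsulator and decapsulator that wraps an Ethernet frame in VXLAN/UDP/IPv4/Ethernet between two underlay addresses taken from the 172.16.0.0/16 space above, and unwraps it again on the far side after checking the outer headers. The VNI, MAC addresses, underlay addresses and the inner frame are constructed. Note that VXLAN itself carries no authentication: anything that can inject UDP/4789 packets into the underlay can inject frames into a VNI, which is why the underlay must be reachable only by the fabric switches and not by endpoints.

```python
"""VXLAN encapsulation and decapsulation between two underlay addresses
(added example with constructed frames; not Cisco's implementation)."""
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789           # IANA-assigned port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08000000       # "VNI valid" flag in the 8-byte VXLAN header


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def entropy_port(inner_frame):
    """UDP source port derived from the inner MACs so ECMP in the underlay spreads flows."""
    return 49152 + zlib.crc32(inner_frame[:12]) % 16384


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_mac, dst_mac):
    """First SDA switch: wrap the original frame and address it to the remote VTEP."""
    vxlan = struct.pack("!II", VXLAN_FLAG_I, vni << 8)          # 24-bit VNI, 8 reserved bits
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_port(inner_frame), VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     src_vtep.packed, dst_vtep.packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip + udp + vxlan + inner_frame


def decapsulate(outer_frame, my_vtep):
    """Last SDA switch: validate the outer headers, return (vni, source VTEP, inner frame)."""
    if struct.unpack("!H", outer_frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip = outer_frame[14:34]
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad outer IP checksum")
    if ip[9] != 17 or ipaddress.IPv4Address(ip[16:20]) != my_vtep:
        raise ValueError("not a UDP packet for this VTEP")
    _, dport, udp_len, _ = struct.unpack("!HHHH", outer_frame[34:42])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    flags, vni_field = struct.unpack("!II", outer_frame[42:50])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, ipaddress.IPv4Address(ip[12:16]), outer_frame[50:34 + udp_len]


def demo():
    """Two SDA switches with underlay addresses from 172.16.0.0/16 tunnel one host frame."""
    sw1, sw2 = ipaddress.ip_address("172.16.1.1"), ipaddress.ip_address("172.16.1.2")
    sw1_mac, sw2_mac = bytes.fromhex("00000c000101"), bytes.fromhex("00000c000102")
    host_a, host_b = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    inner = host_b + host_a + b"\x08\x00" + b"constructed payload"   # the endpoint's frame
    outer = encapsulate(inner, 5001, sw1, sw2, sw1_mac, sw2_mac)
    return inner, outer, decapsulate(outer, sw2)
```

The outer packet is exactly 50 bytes longer than the original frame (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN), which is also the reason the underlay MTU must be raised when VXLAN is introduced.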
DNA Center and SDA Operation
Cisco DNA Center (www.cisco.com/go/dnacenter) has two important roles in our
networks:
• Working as the Controller in a network that uses Cisco SDA.
• Working as a network management platform for traditional (non-SDA) network
devices.
Cisco DNA Center
Cisco DNA Center supports several southbound APIs so that it can communicate
with the devices it manages. You can think of them in two categories:
• Protocols supporting traditional network devices and software versions:
Telnet, SSH, SNMP
• Protocols supporting newer network devices and software versions: NETCONF,
RESTCONF
Cisco DNA Center needs the legacy protocols to support the many older Cisco
devices and operating system versions. Over time, Cisco is adding NETCONF and
RESTCONF support to its more current hardware and software. From a security
standpoint the newer protocols are also the better choice: NETCONF runs over
SSH and RESTCONF over HTTPS, whereas Telnet and SNMPv1/v2c carry credentials
and community strings in cleartext, so they should be disabled on devices that
support the alternatives.
Figure 46-4 Cisco DNA Center with Northbound and Southbound Interfaces
DNA Center as Network Management Platform
The Cisco Prime Infrastructure (PI) (www.cisco.com/go/primeinfrastructure)
product is used to manage traditional enterprise networks. Cisco Prime
Infrastructure has been used for network management in companies for many
years. PI runs as an application on a server platform, with GUI access through
a web browser. The PI server can be purchased from Cisco as a software package
to install and run on your own servers or as a physical appliance. It includes
the following features:
■ All PI functions and features are available through a single GUI.
■ Discovers network devices, creates an inventory, and creates a topology map
of them.
■ Provides support for traditional enterprise LAN, WAN, and data center
management functions.
■ Uses SNMP, SSH, and Telnet, as well as CDP and LLDP, to discover and learn
information about the devices on the network.
■ Simplifies QoS configuration on each device.
■ Lets you manage both wired and wireless networks from the same management
platform.
■ Manages the software on network devices and automates updates.
■ Performs the initial setup of new network devices after you physically
install the device, connect a network cable and power it up.
Similarities of DNA Center to Traditional Management
Many features of DNA Center are similar to those of traditional management
software. For example, both can discover network devices and create a network
topology map.
As an example, the next page shows a network topology map in DNA Center in
Figure 46-5. Both PI and DNA Center can run a discovery process to find all
the devices on the network and then create topology maps to show them.
(Interestingly, DNA Center can work with PI, using the data discovered by PI
instead of performing the discovery work again.)
Figure 46-5 DNA Center Topology Map
Figure 46-6 Details About a Cisco 9300 Switch from DNA Center after a Click
The GUI mechanisms are relatively intuitive, with the ability to click for
more or less detail. Figure 46-6 shows a little more detail after clicking one
of the switches in the topology of Figure 46-5.
I recommend you take some time to use Cisco DNA Center and watch some videos
about it. You can find Cisco DNA Center virtual labs to practice with at
https://developer.cisco.com.
Differences between Traditional Management and DNA Center
Broadly speaking, there are a few key differences between Cisco DNA Center and
traditional network management platforms such as Cisco PI. The biggest
difference: Cisco DNA Center supports SDA, while the other management
applications do not. Cisco PI still has some traditional management features
that are not found in Cisco DNA Center. So while Cisco DNA Center focuses on
future features such as SDA support and already has many traditional features,
consider PI for extensive traditional device management.
By improving the Cisco DNA Center features, Cisco aims to simplify the work
done by businesses and to make changes much faster and at lower cost. Cisco
DNA Center makes initial setups easier, simplifies the job of implementing
features with demanding configurations, and helps you spot problems faster.
Some of the Cisco DNA Center-specific features include:
■ EasyQoS: You can deploy QoS, which is complicated to configure manually, with
just a few simple options in Cisco DNA Center.
■ Encrypted traffic analysis: Cisco DNA Center can use different algorithms to
recognize security threats even in encrypted traffic, by analyzing traffic
metadata rather than decrypting the traffic.
■ Device health: Provides comprehensive information about the health status of
devices.
■ Network time travel: Shows historical client performance on a timeline so
that you can compare it with current behavior.
Note: Cisco hopes to keep expanding the traditional network management
features of DNA Center, compared with Cisco PI, to the point where DNA Center
can replace PI.
Understanding REST and JSON
I REST Based APIs
I REST APIs and HTTP
I Data Modeling and JSON
I Interpreting JSON
I Understanding REST and JSON
REST Based APIs
REST Based (RESTful) APIs
Applications use application programming interfaces (APIs) to communicate. To
do this, a program can learn the variables and data structures used by another
program, make logical choices based on those values, change the values of the
variables, create new variables, and delete variables. APIs allow programs
running on different computers to work together and exchange data to achieve a
goal.
In the API software world, some applications provide an API, and many other
applications use that API. Software developers add APIs to their software so
that other applications can take advantage of the first application's
features.
A developer writes some code when writing an application, but by using APIs
that provide data and functions, the developer can do more while writing less
new code.
REST APIs follow a set of ground rules for what does and does not constitute a
REST API. They consist of six properties defined by Roy Fielding, the creator
of REST. (You can find a good summary at https://restfulapi.net.) These six
properties are:
■ Client/server architecture
■ Stateless operation
■ Clear statement of cacheable/uncacheable
■ Uniform interface
■ Layered
■ Code-on-demand
The first three of these properties form the basis of how a REST API works,
and they are the easiest to see when working with networking REST APIs, so
let's look at those three first.
Client/Server Architecture
Like many applications, REST applications use a client/server architectural
model. First, an application developer creates a REST API, which acts as the
REST server while the application runs. Any other application can make a REST
API call (acting as a REST client) by running some code that causes a request
to flow from the client to the server. For example, in Figure 47-1:
1- The REST client on the left sends a REST API call to the REST server.
2- The REST server on the right holds the API code that examines the request
and decides how to respond.
3- The REST server returns a reply message with the appropriate data variables
in the reply.
Figure 47-1 Client / Server Operation with REST
Stateless Operation
The stateless nature of REST APIs means that the REST server does not save
information from earlier API calls in order to handle later ones. Each request
must therefore carry everything the server needs, including the client's
credentials (typically a token in an HTTP header), because there is no
server-side session to remember that the client already logged in.
For comparison, TCP uses a stateful approach while UDP uses stateless
processing. A TCP connection requires the endpoints to initialize variables at
each end, update these variables over time, and use them for subsequent TCP
messages. For example, TCP uses sequence numbers and acknowledgment numbers to
manage the flow of data in a TCP connection.
Cacheable (or Not)
To understand what cacheable means, consider what happens when you browse a
website. When your browser loads a new web page, the page contains various
objects (text, images, videos, audio). Some objects rarely change, so it is
better to download the object once and not download it again; in this case the
server marks the object as cacheable. For example, a logo or other image
displayed on many pages of a website hardly ever changes and can be cached.
However, the product list returned by your most recent search on the site
cannot be cached, because the server wants to build and provide a fresh list
each time you request the page.
REST APIs and HTTP
APIs allow two programs to exchange data. Some APIs are designed as an
interface between programs running on the same computer, so the communication
between the programs takes place within a single operating system. Many APIs,
however, must be available to programs running on other computers, so the API
must define the network protocols it supports; many REST-based APIs use HTTP.
Developers of REST-based APIs often choose HTTP because the logic of HTTP
matches the concepts that define REST APIs more generally. HTTP uses the same
principles as REST: it works with a client/server model, it uses a stateless
operation model, and it includes headers that mark objects as cacheable or
non-cacheable.
For example, if you are using the DNA Center Controller's northbound REST API,
you might want to create something new, such as a new security policy. From a
programming perspective, the security policy exists as a set of configuration
settings in the DNA Center Controller, represented internally by variables. To
do this, a REST client application uses a create action of the DNA Center
RESTful API, which creates those variables on the DNA Center Controller.
Creating new configuration in the Controller is done through the API using
CRUD actions.
Software CRUD Actions and HTTP Verbs
The software industry uses CRUD, a catchy acronym for the four main actions an
application performs on data. These actions are:
Create: Allows the client to create new variables and data structures on the
server and initialize the values held on the server.
Read: Allows the client to retrieve (read) the current values of the variables
on the server, keeping a copy of the variable structures and values on the
client.
Update: Allows the client to change (update) the values of variables located
on the server.
Delete: Allows the client to delete instances of data variables from the
server.
HTTP works well with REST in part because HTTP has verbs that match the common
program actions of the CRUD paradigm: Create maps to POST, Read to GET, Update
to PUT or PATCH, and Delete to DELETE. Table 47-1 compares the CRUD actions
with the HTTP verbs.
Table 47-1 Comparing CRUD Actions to REST Verbs
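The client/server, stateless and cacheable properties described earlier and the CRUD-to-HTTP-verb mapping of Table 47-1 are easiest to understand with both sides of the exchange in front of you. The following is an added example written for this page, not DNA Center code or any Cisco API: an in-memory REST server for a hypothetical `/policy` resource and a client that maps create/read/update/delete onto POST/GET/PATCH/DELETE. The token value, the resource name and the policy fields are constructed. Because the server is stateless, every request must carry the token in a header (Cisco DNA Center's northbound API, for instance, expects its token in an `X-Auth-Token` header); the server also marks which replies may be cached, and it never trusts a client-supplied `id`.

```python
"""In-memory REST server and client: CRUD -> HTTP verbs, stateless requests,
cache headers (added example, constructed data; not DNA Center code)."""
import json

CRUD_TO_HTTP = {"create": "POST", "read": "GET", "update": "PATCH",
                "replace": "PUT", "delete": "DELETE"}


class PolicyServer:
    """Stateless REST server for a hypothetical /policy resource."""

    def __init__(self, api_token):
        self._token = api_token
        self._policies = {}
        self._next_id = 1

    def handle(self, method, path, headers, body=""):
        """Process one request; returns (status, headers, body_text)."""
        if headers.get("X-Auth-Token") != self._token:   # no session: every call proves who it is
            return 401, {}, json.dumps({"error": "unauthorized"})
        parts = path.strip("/").split("/")
        if parts[0] != "policy":
            return 404, {}, json.dumps({"error": "no such resource"})
        pid = int(parts[1]) if len(parts) == 2 and parts[1].isdigit() else None
        try:
            data = json.loads(body) if body else {}
        except ValueError:
            return 400, {}, json.dumps({"error": "body is not valid JSON"})
        if method == "POST" and pid is None:                         # Create
            pid, self._next_id = self._next_id, self._next_id + 1
            self._policies[pid] = {**data, "id": pid}                 # server-assigned id wins
            return 201, {"Location": f"/policy/{pid}", "Cache-Control": "no-store"}, json.dumps(self._policies[pid])
        if method == "GET" and pid is None:                          # Read (collection)
            return 200, {"Cache-Control": "no-store"}, json.dumps(list(self._policies.values()))
        if pid not in self._policies:
            return 404, {}, json.dumps({"error": "policy not found"})
        if method == "GET":                                          # Read (one item)
            return 200, {"Cache-Control": "private, max-age=60"}, json.dumps(self._policies[pid])
        if method in ("PATCH", "PUT"):                               # Update (partial) / replace
            base = self._policies[pid] if method == "PATCH" else {}
            self._policies[pid] = {**base, **data, "id": pid}
            return 200, {"Cache-Control": "no-store"}, json.dumps(self._policies[pid])
        if method == "DELETE":                                       # Delete
            del self._policies[pid]
            return 204, {}, ""
        return 405, {}, json.dumps({"error": "method not allowed"})


class PolicyClient:
    """Maps CRUD calls onto HTTP verbs; `transport` stands in for an HTTPS connection."""

    def __init__(self, transport, api_token):
        self._send = transport
        self._headers = {"X-Auth-Token": api_token, "Content-Type": "application/json"}

    def _call(self, action, path, payload=None):
        body = json.dumps(payload) if payload is not None else ""
        status, headers, text = self._send(CRUD_TO_HTTP[action], path, self._headers, body)
        return status, (json.loads(text) if text else None), headers

    def create(self, policy):
        return self._call("create", "/policy", policy)

    def read(self, pid):
        return self._call("read", f"/policy/{pid}")

    def update(self, pid, changes):
        return self._call("update", f"/policy/{pid}", changes)

    def delete(self, pid):
        return self._call("delete", f"/policy/{pid}")


def demo():
    """Walk one policy through its life cycle and show a request with a bad token."""
    server = PolicyServer(api_token="constructed-token")
    client = PolicyClient(server.handle, api_token="constructed-token")
    steps = {"create": client.create({"name": "block-telnet", "action": "deny", "port": 23})}
    pid = steps["create"][1]["id"]
    steps["read"] = client.read(pid)
    steps["update"] = client.update(pid, {"action": "permit"})
    steps["delete"] = client.delete(pid)
    steps["read_after_delete"] = client.read(pid)
    steps["bad_token"] = PolicyClient(server.handle, "wrong-token").read(pid)
    return steps
```

To talk to a real Controller you would replace `transport` with a function that sends the method, path, headers and body over HTTPS; nothing else in the client changes, which is the point of keeping the CRUD-to-verb mapping in one place.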
I Understanding REST and JSON
Data Modeling and JSON

Data modeling languages provide methods for using text to define variables, so that the text can be sent over a network or stored in a file. Data modeling languages give us a way to represent variables as text rather than in the internal representations used by any particular programming language.

Every data modeling language enables API servers to return data so that the API client can reproduce the same variable names, as well as the same data structures, that exist on the API server. To describe data structures, data modeling languages contain special characters and rules that convey ideas about list variables, dictionary variables, and other more complex data structures.

XML

Extensible Markup Language (XML) was developed later to make some improvements to older markup languages. A markup language was needed that could define variables for use on a web page. XML defines a markup language with many features for describing variables, values, and data structures.

Comparing XML and JSON, both try to be human readable, but XML is a bit harder to read. For example, like HTML, XML uses a start tag and an end tag for each variable, as shown in the figure below. The highlighted line in the example defines a variable named macAddress, with its value located between the <macAddress> and </macAddress> tags.

Data Modeling Languages
JSON
JavaScript Object Notation (JSON) tries to strike a balance between human and machine readability. At the same time, JSON data is easy for programs to convert from JSON text into variables, which makes it very useful for exchanging data between applications that use APIs.
You can find the details of JSON in IETF RFC 8259 and on a number of Internet sites, including www.json.org.
Example 47-1 JSON Output from a REST API Call
I Understanding REST and JSON
YAML (YAML Ain't Markup Language)
XML tries to define markup details, but YAML does not. Instead, YAML focuses on the details of the data model (structure). YAML also tries to be clean and simple; YAML data is the easiest to read of the data modeling languages covered here.
Table 47-2 Comparing Data Modeling Languages
Example 47-2 YML File Used by Ansible
I Understanding REST and JSON
Interpreting JSON

Even without knowing anything about JSON syntax, you can probably understand it from your previous knowledge of Cisco routers and switches. For instance, you can probably tell that the example below lists the interfaces on two devices, written in JSON syntax.

Example 47-3 Simple JSON Listing Router Interfaces

Interpreting JSON Key:Value Pairs

Let's review the rules for Key:Value pairs in JSON, which you can think of as variable names and values.

■ Key:Value Pair: One key and one value, with the key before the colon and the value after it.
■ Key: Text, in double quotes, used as a name that refers to a value; it appears before the colon.
■ Value: The element after the colon that holds the key's value. A value can be one of the following:
■ Text: Listed in double quotes.
■ Numeric: Listed without quotation marks.
■ Array: A special value enclosed in [ ].
■ Object: A special value enclosed in { }.
■ Multiple Pairs: When listing multiple Key:Value pairs, separate the pairs with a comma at the end of each pair (except the last pair).

To work with some of these rules, consider the JSON data in Example 47-4 and focus on its three Key:Value pairs. The text after the example analyzes it.

Example 47-4 One JSON Object (Dictionary) with Three Key:Value Pairs

As for the other special characters, watch for the commas and curly braces. The first two Key:Value pairs end with a comma, so each must be followed by another Key:Value pair. The curly braces that start and end the JSON data indicate a single JSON object.
I Understanding REST and JSON
Interpreting JSON Objects and Arrays

JSON uses objects and arrays to pass data structures that go beyond a Key:Value pair with a simple value. Objects can be somewhat flexible, but in most uses they act like a dictionary. Arrays list a series of values. Let's look at how to interpret the syntax for JSON objects and arrays.

{ } Object: A set of Key:Value pairs enclosed in a pair of curly braces.
[ ] Array: A list of values (not Key:Value pairs) enclosed in a pair of square brackets.

Example 47-5 A JSON Snippet Showing a Single JSON Array (List)

Example 47-5 shows a single array in JSON format. Notice that the JSON data begins with a square bracket [ followed by a list of three text values, and then ends with a square bracket ].

Now consider the entire structure of the JSON data in Figure 47-4. It has a matching pair of curly braces that start and end the text and enclose an object. This object contains two colons, so there are two Key:Value pairs inside the object.

Keys: All Key:Value pairs inside an object follow the rules described earlier for Key:Value pairs.
Values inside arrays: These follow the same rules as any other value (for example, double quotes around text, no quotes around numbers).

Figure 47-4 Accurate/Complete JSON Data with One Object, Two Keys, Two JSON List Values
I Understanding REST and JSON
Minified and Beautified JSON

JSON allows whitespace to be added or removed as needed. For humans, JSON is much easier to read when the text is spaced and aligned; for example, putting matching opening and closing braces at the same indentation makes it much easier to see which brace closes which. For transmission between programs, the same data can be written on a single line with little or no whitespace, as in this example:

{"1stbest": "Messi", "2ndbest": "Ronaldo", "3rdbest": "Pele"}
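The following added Python example (not code from the book) applies the rules from the Interpreting JSON sections above: it parses constructed JSON in the style of Examples 47-3 and 47-4 and labels each key and value by type, converts an XML record using the <macAddress> tag pair mentioned in the XML section into the same dictionary a JSON record would give, and converts between minified and beautified text. All sample data is constructed for the example.

```python
"""Added example, not from the book: parsing JSON by the rules in the text (keys,
text and numeric values, arrays, objects), the same record in XML, and converting
between minified and beautified JSON.

All sample data here is constructed in the style of the book's examples; none of it
is output from a real router or controller.
"""
import json
import xml.etree.ElementTree as ET

# Constructed: one object with two keys, each holding an array of interface names.
MINIFIED = '{"R1":["GigabitEthernet0/0","GigabitEthernet0/1"],"R2":["Serial0/0/0","GigabitEthernet0/0"]}'

# Constructed: one object with three key:value pairs of different value types.
SAMPLE_OBJECT = '{"hostname": "R1", "ospfProcess": 1, "interfaces": ["GigabitEthernet0/0", "GigabitEthernet0/1"]}'

# Constructed: the same kind of record in XML. Each variable has a start and end tag;
# the macAddress value sits between <macAddress> and </macAddress>.
INTERFACE_XML = """<interface>
  <name>GigabitEthernet0/0</name>
  <macAddress>00:1a:2b:3c:4d:5e</macAddress>
  <mtu>1500</mtu>
  <enabled>true</enabled>
</interface>"""


def kind(value) -> str:
    """Name a parsed JSON value using the categories from the text."""
    if isinstance(value, dict):
        return "object"
    if isinstance(value, list):
        return "array"
    if isinstance(value, bool):       # check bool before int: True is an int in Python
        return "boolean"
    if isinstance(value, (int, float)):
        return "numeric"
    if value is None:
        return "null"
    return "text"


def walk(value, path: str = "$"):
    """Yield (path, kind) for every node, descending into objects and arrays."""
    yield path, kind(value)
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from walk(child, f"{path}[{index}]")


def interpret(text: str) -> dict:
    """Parse JSON text and return {path: kind} for the object and every value in it."""
    return dict(walk(json.loads(text)))


def xml_to_dict(xml_text: str) -> dict:
    """Turn a flat XML record into the dict its JSON equivalent would parse to.

    Caveat: ElementTree is fine for trusted text like this. For XML received from an
    untrusted source use a hardened parser (for example defusedxml), because the
    standard-library parsers are not hardened against entity-expansion attacks."""
    out = {}
    for child in ET.fromstring(xml_text):
        text = child.text or ""
        if text.isdigit():
            out[child.tag] = int(text)          # numeric value
        elif text in ("true", "false"):
            out[child.tag] = text == "true"     # boolean value
        else:
            out[child.tag] = text               # text value
    return out


def beautify(text: str) -> str:
    """Re-emit JSON with two-space indentation and one element per line."""
    return json.dumps(json.loads(text), indent=2)


def minify(text: str) -> str:
    """Re-emit JSON with all optional whitespace removed."""
    return json.dumps(json.loads(text), separators=(",", ":"))


if __name__ == "__main__":
    for path, value_kind in interpret(SAMPLE_OBJECT).items():
        print(f"{path:<20} {value_kind}")
    print(xml_to_dict(INTERFACE_XML))
    print(beautify(MINIFIED))
```

Running the script prints the type of each node in the constructed object (the hostname is text, ospfProcess is numeric, interfaces is an array of text), the dictionary recovered from the XML record, and the beautified form of the minified document. Minifying that beautified text gives back exactly the original one-line string, which is the point of the section: whitespace changes readability, not data.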
Understanding Ansible, Puppet, and Chef
I Ansible, Puppet and Chef Basics
I Summary of Configuration Management Tools
I Ansible, Puppet, and Chef
Ansible, Puppet and Chef Basics

Ansible, Puppet, and Chef are configuration management software packages. There are paid and free versions of these tools, but you may need to run them on Linux, as some of them do not run on the Windows operating system.

All three tools emerged as part of the transition from hardware-based servers to virtualized servers. As the number of virtual servers grew, automation software was needed to create, configure and remove VMs.

Ansible

You can install Ansible (www.ansible.com) on a Linux VM running on Mac, Linux or Windows. You can use the free open source version or the paid Ansible Tower server version. After installing Ansible, you create and edit Playbooks and several other kinds of Ansible files, such as:

Playbooks: These files provide the actions and logic for what Ansible should do.
Inventory: These files provide device names along with information about each device, so Ansible can perform functions for subsets of the inventory.
Templates: Using the Jinja2 language, templates represent a device's configuration with variables.
Variables: Using YAML, a file can list variables that Ansible will substitute into templates.

Ansible uses an agent-less architecture to manage network devices. This means that Ansible does not rely on any code (an agent) running on the network device. Instead, Ansible uses SSH or NETCONF to make changes and gather information on network devices. When using SSH, Ansible makes changes on the device the same way its users would, but with Ansible code doing the work instead of a human.

Ansible uses the push model, as shown in Figure 48-1, rather than the pull model used by Puppet and Chef.

Figure 48-1 Ansible Push Model
I Ansible, Puppet, and Chef
Puppet

To use Puppet (www.puppet.com), you start by installing it on a Linux operating system. You can install it on your own Linux server for learning and testing, but for normal use you install it on a Linux server called the Puppet master. As with Ansible, you can use the paid or free version.

Puppet typically uses an agent-based architecture for network device support. Some network devices support Puppet through an on-device agent. However, not every Cisco operating system supports a Puppet agent, so Puppet solves this problem with a proxy agent running on an external computer (called agent-less operation). The external agent then uses SSH to communicate with the network device, as shown in Figure 48-2.

Once installed, Puppet also uses several important text files with different components, such as:

Manifest: A human-readable text file on the Puppet master that defines the desired configuration state of a device.
Resource, Class, Module: These terms refer to the components of a manifest.
Templates: Using a Puppet-specific language, these files allow Puppet to create manifests (and modules, classes, and resources) by substituting variables into templates.

Figure 48-2 Agent Based and Agent-less Puppet Operation
I Ansible, Puppet, and Chef
Puppet uses a pull model to make the configuration appear on the device, as shown in Figure 48-3. The Puppet agent must be enabled on the device beforehand. Once installed, these steps happen:

Step 1: You create and edit all the files on the Puppet server.
Step 2: You configure and enable the agent, or a proxy agent, for each device.
Step 3: The agent pulls the manifest details from the server, which tell the agent what its configuration should be.
Step 4: If the device's configuration needs to be updated, the agent performs additional pulls to get all the details it needs and updates the device configuration.

Figure 48-3 Pull Model with Puppet

Chef

Chef (www.chef.io) is a software package that you install and run, like Ansible and Puppet. The Chef company has many products; the Chef Automate software is what most people simply refer to as Chef. As with Puppet, you run Chef by installing its software on a server.

After installing the Chef software, you create several text files with different components, such as:

Resource: The configuration objects that Chef manages.
Recipe: The Chef logic applied to determine when and how to act on resources.
Cookbooks: A set of recipes for the same type of work, grouped for easier management and sharing.
Runlist: An ordered list of recipes that should be run on a particular device.

Chef uses an architecture similar to Puppet's, running an agent on the network device. Ansible and Puppet are more widely used for network devices because Cisco devices do not generally support a Chef client.
I Ansible, Puppet, and Chef
Summary of Configuration Management Tools
All three of the configuration management tools listed here have a good user base and different strengths. Ansible is most commonly used to manage the configuration of network devices, followed by Puppet and then Chef. Ansible's agent-less architecture and use of SSH give it support for many Cisco devices, and Puppet's agent-less (proxy agent) model also provides broad support for Cisco devices.
Table 48-1 Comparison of Ansible, Puppet and Chef
Final
I Course Summary with Physical Devices (Lab)
I Exam Question Examples
I Exam Lab Examples
I How to take the exam?
I Final
Course Summary with Physical Devices
Let's repeat some of the configurations that we have handled and used frequently, this time on physical devices.
Configurations that we will repeat:
1- CLI Access and CLI Security, Telnet and SSH
2- Switch Interface Configuration
3- VLAN Creation and VLAN Trunking
4- Static Route, Default Route
5- Routing Between VLANs
6- Switch Port Security
7- DHCP Configuration, DHCP Snooping and Dynamic ARP Inspection
8- NAT Overload (PAT)
9- Cisco IOS Config Backup and Deletion
Our Lab Topology (figure; the diagram itself is not reproduced here). Device addressing shown in the figure:

Device   Interface   IP Address
R1       Gi0/1       192.168.2.1
D-Sw     Fa0/1       192.168.2.2
D-Sw     Vlan 10     192.168.10.1
D-Sw     Vlan 20     192.168.20.1
D-Sw     Vlan 30     192.168.30.1
Sw-1     Vlan 10     192.168.10.101
Sw-POE   Vlan 10     192.168.10.102
WLC      Mngmt       192.168.20.254
ESXi     Mngmt       192.168.10.120

Links shown in the figure: D-Sw Fa0/1 to R1 Gi0/1; D-Sw Fa0/2, Fa0/3, Fa0/4 and Fa0/5 to Sw-1 (Fa0/1) and Sw-POE (Fa0/1, Fa0/2), carrying VLANs 10 and 20. Other nodes in the figure: Admin-YB, AP-1602, AP-1240.
I Final
Exam Question Examples
https://learningnetwork.cisco.com/s/certification-exam-tutorials
1- Multiple-Choice Single Answer
2- Multiple-Choice Multiple Answer
3- Drag and Drop
4- Fill-in-the-Blank
5- Testlet
6- Simlet
7- Simulation
Multiple-Choice Single Answer
Drag and Drop Answer
Multiple-Choice Multiple Answer
I Final
How to take the exam?
https://home.pearsonvue.com/cisco.aspx
You can take the exam at a Pearson VUE test center or online from home.
The exam has about 55 to 65 questions.
The exam duration is 120 minutes.
The exam fee is 350 USD.
Thank You.
For questions about the training, you can contact me through the Udemy question and answer section.
www.udemy.com
www.yavuzbulut.com