
CCNA ICND2 (640-816)

[Arabic preface not recoverable from the extraction; the surviving fragments reference ICND2, CCNA 640-802 and CBT Nuggets.]

Senior Technical Support, Manager for VAS Platform.

By Eng. Waleed Mohsen Page 1

Did I Miss Anything?

I am always interested to hear how the readers of my books do on both certification exams and future studies. If you would like to contact me and let me know how this book helped you in your certification goals, please do so. Did I miss anything? Let me know. My contact info is on www.arabhardware.com with user ID Ultraviolet2006.

Who Should Read This Book

This book is for those people preparing for the CCNA exam, whether through self-study or on-the-job training and practice. There are also some handy hints and tips along the way to hopefully make life a bit easier for you in this endeavor. It is small enough that you will find it easy to carry around with you. Big, heavy textbooks might look impressive on the bookshelf in your office, but can you really carry them all around with you when you are working in some server room or equipment closet?

Dedications

This book is dedicated to my Mom, Dad and my little brothers, not forgetting my friends who have encouraged me, to all my guests from Arab Hardware, and finally to my wife, without whom I couldn’t have made it through those long nights of writing and editing.

About the Author

Waleed Mohsen graduated in August 2005 from the Higher Technological Institute at 10th of Ramadan City with a graduation grade of Very Good; his major was Electronics and Telecommunication Technology.

He enjoys playing 3D shooter network games and studying the martial art of Taekwon-Do at the weekend.


Rebuilding the Small Office Network (REVISION):

This is the network that we will rebuild in this series and enhance as we go. We have three routers: one is connected to the internet, and the other two connect the two offices, where the two routers on the left are in one office and the router on the right is in the other office.

What we will focus on configuring now is the switch, as follows:

1. Beginning: Wipe out the entire configuration on the switch.
2. Security: Passwords and banners.
3. Cosmetics: Name, work environment.
4. Management: IP address and gateway.
5. Interfaces: Speed, duplex, and description.
6. Verify and backup: CDP, TFTP, show interfaces.


1. Wiping out the Configuration:

Now we will access our switch. This switch has some configuration on it, so we will wipe out the entire configuration. There are two ways; let’s see how:

The first way, the old way, is as follows:

The second way depends on the device you are on; this is the newer way:

What we have done now is delete the entire configuration in NVRAM, but the configuration is still active in RAM, so to remove that configuration we will reload the switch, as follows:

After the reboot process is complete it will ask the following:

We always answer No to the first question, as we will make our configuration ourselves and not through a wizard, and we answer Yes to the second question, to terminate autoinstall. After that we are in the user mode of the switch.


2. Password, Security & Banners:

We will enable our most important password, the one protecting access to privileged mode:

Now let’s enable security on the Telnet (VTY) lines.

Now we will secure our console port:

Now that we have secured privileged mode, the Telnet lines and the console port, we will set our banner:


3. Working with Hostname and Work Environment:

Let’s start with the name of the switch:

Now we will work on the work environment; what I mean is the ease of working with the switch. Let’s see how:

If you have ever tried to exit from one mode to another, a line with some log information always pops up, and that is annoying, as it splits what you were typing in two. Look at the following: what I have done is exit from one mode to another and just type the SHOW command, and the log line has split the word Show into two, SH and OW.

So I will go to the console line and write the following command:

Also going to the VTY lines and doing the same thing:

Now if I exit from mode to mode, let’s see the following:

As you see, the command line I am typing is copied and printed on a new line, and the log message is on its own line without splitting my command.


Now we will configure the switch for EXEC-TIMEOUT and NO IP DOMAIN-LOOKUP:

In the picture above, we configured the exec-timeout to no limit, meaning the switch will not log me out when there is no activity from me (by default it is 5 minutes). This is done only in LABS, not in the REAL world, because it is extremely dangerous not to close the console session: someone could access the switch through the console and do whatever he wants.

The second command we have done is no ip domain-lookup (it is described in the first series, ICND1 p.61, third TIP).


4. Managing IP address & Gateway:

By default all Cisco switches have an interface known as VLAN1; VLAN1 is where all the switch ports are assigned by default. So to give this switch a management IP address, we will do the following:

Now we will enable that interface as follows:

Now we are able to Telnet to the switch because of the configuration we have done for interface VLAN1. We will now configure the default gateway:

What we have done now is make the switch manageable locally, through the network, by Telnetting to the switch, and remotely, through the internet, because we have configured the default gateway. Without the default gateway the switch would not be able to reach outside its network, and we would not be able to access it from outside the network.


5. Managing Speed & Duplex Port:

By default all the interfaces of the switch are set to automatically detect the speed and duplex of their ports. Auto-detection is bad: it works most of the time, but if it detects the speed or duplex wrong it will make the port slow and sometimes the port shuts down. I don’t say to go to your organization’s switches with 1500 computers and configure all the switches manually, because about 95% of the time auto-detection succeeds. The ports that you should configure manually are the key ports, which are the ports connected to routers, switches, servers, and the ISP. We will demonstrate how to configure the speed and duplex of a port manually.

Now we will set a description for this port; always write the description in CAPITAL LETTERS so that it is easily read. Usually we don’t describe all ports, just the key ports:

There is a show command that shows all the port descriptions, as follows:


6. Verify by CDP and Backup the Configuration:

We will use CDP (Cisco Discovery Protocol) to verify my network connections.

As you might see, the switch is connected to two routers, one with platform 2611 and the other 2801, through interfaces FE0/1 and FE0/4 respectively. The interfaces of the routers that I am connected to are Ethernet 0/0 on the 2611 router and FE0/0 on the 2801 router.

We may also use the following command, which gives us details about the devices connected to the switch, as follows:

Now we will back up our configuration, but we will not use the TFTP server, as it will be used later in the series. So there are two ways to back up the data without using a TFTP server:

First, the CCNA-approved official method, which saves your running configuration from RAM to your startup configuration in NVRAM:

The second way, which is used in the real world for fast backup, is to take a copy of the running config and paste it into Notepad, as follows:

You do the SHOW RUN command and scroll down to the very bottom until you find the word END, then start marking (highlighting) upward until you reach the first ! mark. As you see in the following, I didn’t capture the whole marked command output; I just captured the command line show run, where you start marking, and where you end marking.

After that, take a copy and paste it into Notepad, and with that you have done a complete backup of the configuration of your switch.

When you need to restore your configuration, just take a copy of the configuration from Notepad, go to the switch, enter global configuration mode and paste it. After that you will notice the switch is configured, with no TFTP server needed.
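The six switch steps above, collected into one console session as an added example; this is not the book's own screenshot content. The command syntax is standard Cisco IOS. The hostname SW1, the management address 192.168.1.10/24, the gateway 192.168.1.1 (Router1's inside address as used later in the book), the password strings, and the assumption that FE0/1 faces the 2611 (a 10 Mbps Ethernet port) and FE0/4 faces the 2801 are illustrative assumptions.

```cisco
! --- Step 1: erase the saved configuration; the running config stays in RAM until the reload
! old form:
Switch# write erase
! newer form, same effect:
Switch# erase startup-config
Switch# reload
! After the reboot: answer "no" to the initial configuration dialog and "yes" to terminate autoinstall

! --- Step 2: passwords and banner (lab passwords, assumed)
Switch> enable
Switch# configure terminal
! enable secret is stored as a hash; the line passwords below are stored in clear text
Switch(config)# enable secret LabEnable1
Switch(config)# line vty 0 15
Switch(config-line)# password LabVty1
Switch(config-line)# login
Switch(config-line)# exit
Switch(config)# line console 0
Switch(config-line)# password LabCon1
Switch(config-line)# login
Switch(config-line)# exit
Switch(config)# banner motd #Authorized access only#

! --- Step 3: hostname and work environment
Switch(config)# hostname SW1
! stop the switch from trying to resolve mistyped commands as hostnames
SW1(config)# no ip domain-lookup
SW1(config)# line console 0
! keep log messages from splitting the command you are typing
SW1(config-line)# logging synchronous
! LAB ONLY: no idle timeout; production keeps the default or sets e.g. "exec-timeout 5 0"
SW1(config-line)# exec-timeout 0 0
SW1(config-line)# exit
SW1(config)# line vty 0 15
SW1(config-line)# logging synchronous
SW1(config-line)# exit

! --- Step 4: management address on VLAN 1 and the default gateway (addresses assumed)
SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.168.1.10 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# exit
SW1(config)# ip default-gateway 192.168.1.1

! --- Step 5: key ports only: fixed speed/duplex and a description (port numbers assumed)
! fix BOTH ends of a link; a fixed port facing an auto-negotiating port ends up half duplex
SW1(config)# interface FastEthernet0/1
! the 2611's Ethernet0/0 is a 10 Mbps port, so match it
SW1(config-if)# speed 10
SW1(config-if)# duplex full
SW1(config-if)# description TO-R1-ETHERNET0/0
SW1(config-if)# exit
SW1(config)# interface FastEthernet0/4
SW1(config-if)# speed 100
SW1(config-if)# duplex full
SW1(config-if)# description TO-R2-FASTETHERNET0/0
SW1(config-if)# end

! --- Step 6: verify the cabling with CDP, then save RAM -> NVRAM
SW1# show interfaces description
SW1# show cdp neighbors
SW1# show cdp neighbors detail
SW1# copy running-config startup-config
! Notepad alternative from the text: "show running-config", mark from the first "!" to "end", paste into Notepad
```

Two points a practitioner should keep in mind: exec-timeout 0 0 is the lab-only setting the text warns about, and the console and VTY passwords above sit in clear text in show run (and in any Notepad or TFTP copy of it) until service password-encryption is applied, which the router section covers; even then only the enable secret is a real one-way hash.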


We will now configure the routers on the network.

We have three routers: R1 is connected to the internet, and R2 and R3 are connected to each other to connect the two offices, where Router1 and Router2 are in one office and Router3 is in the other office.

What we will focus on configuring now is the routers, as follows:

1. Beginning: Wipe out the entire configuration on the router.
2. Security: Passwords and banners.
3. Cosmetics: Name, work environment.
4. Interfaces: Identify, IP, speed, duplex, descriptions.
5. Routing: Default (internet), RIP (internal).
6. Verify and backup: CDP, TFTP, show ip route/interfaces.

1. Wiping out the Configuration:

Starting with Router1:

Then we reload the router:

Starting with Router2:

Then we reload the router:

Starting with Router3:

Then we reload the router:

2. Password, Security & Banners:

We will work now on Router2. The first thing we will do is set a password on privileged mode and then set a password on the virtual terminal lines:

Also secure the console port:

Now we will secure the auxiliary port:

OK, now that we have the passwords configured, let’s set the banner:

Now, everything we have done on the router is not encrypted except for the enable secret command: the console, VTY and AUX passwords are visible in clear text in the show run output, so we will do the following to encrypt them:

When we do the show run command, we will notice that the passwords for the console, VTY and AUX are now encrypted at level 7:
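Added example, not a screenshot from the book: the auxiliary line on Router2 and the service password-encryption step, followed by the shape of the lines as show running-config then reports them. The password string is made up, and the hash values are shown as placeholders rather than real output.

```cisco
! Router2: the auxiliary line gets the same treatment as console and VTY (lab password, assumed)
R2(config)# line aux 0
R2(config-line)# password LabAux1
R2(config-line)# login
R2(config-line)# exit
! Obfuscate every clear-text line password currently in the configuration
R2(config)# service password-encryption
R2(config)# end
! Show only the secret- and password-bearing lines to see the difference:
R2# show running-config | include secret|password
! enable secret 5 <MD5 hash>        <- one-way hash (type 5)
! password 7 <type-7 string>        <- reversible obfuscation, one such line each for con 0, vty and aux 0
```

Type 7 is an obfuscation, not encryption: it defeats shoulder-surfing of show run but any tool can reverse it, so a Notepad or TFTP copy of the configuration still effectively contains the line passwords. The enable secret (type 5) is the only hashed credential here, which is why the text calls it the most important password.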

3. Working with Hostname and Work Environment:

We will access Router2 and change its name:

Now we will adjust the work environment the same as we did on the switch:

The same precaution we mentioned for the switch also applies to the router: do not use the following command except in a LAB environment (no exec-timeout):

After that, save the configuration by typing write or copy run start in privileged mode:

For backing up the configuration, do the same as we did on the switch, which is running the show run command and copying and pasting the output into Notepad.

For Router1 and Router3 we will copy the configuration of R2 from Notepad and just paste it into global configuration mode.

IMPORTANT: For the switch and router, after you paste the configuration into Notepad, IF, and I am saying IF, you are going to use this configuration file on another router platform different from the one you took the backup from, be sure to remove the following:

• The IOS version line, because you don’t know if the other routers have IOS version 12.4 or not.

• The hostname of the router or switch should be removed; you remove only the name, not the hostname keyword. In the following you will remove R2.

It will be as follows after you remove the hostname:

• All the interface sections should be removed, because each router has different interface names and numbers, unless all your routers have the same interfaces, in which case you may keep the interface configuration there:

• You may remove the control-plane section:

Just make sure that the configuration file is as basic as possible.

For simplicity, just make a separate backup for each router or switch in its own Notepad file rather than removing the above lines manually.

4. Managing IP address, Speed & Duplex:

Accessing R1, type the following command:

As you might see, E0/0 is shut down with no IP address configured, so we will configure the IP address:

Give a description to the interface:

Accessing R2, type the following command:

As you might see, FE0/0 is shut down with no IP address, and S0/1/0 too, so we will configure the IP addresses:

Now if I do show ip interface brief on R2:

You will notice that for FE0/0 on R2 the Status (physical) is UP and the Protocol is UP, but for Serial 0/1/0 the Status (physical) is DOWN.

The reason is that the two routers are connected to each other through a crossover serial cable: one interface should be DCE (Data Communication Equipment) and the other router’s interface should be DTE (Data Terminal Equipment). The DCE is the clock provider, so we will run the following command on Router2 to check whether that serial interface is DTE or DCE.

Now, as you can see on the third line, this interface is DCE with a clock rate of 2 Mbps. So if this interface is DCE and has a clock rate, WHY is it down?!

Well, the reason is that the other side of the link is SHUT DOWN, so the serial interface on Router2 doesn’t get any electrical signal on that interface at all.

So we will access Router3:

As you might notice, the serial interface is shut down, so we will open it and configure the IP address.

So we will go to Router2 and see the serial interface status:

As you might see, it is up and working.

NOTICE (hint for lab environment only):

If you want to make one of the router interfaces connected virtually, meaning no device is physically connected, just making the router assume that there is a device connected to that interface, do the following:

First access the interface and open it with the no shutdown command, then type the no keepalive command, which tells the router not to send keepalives to itself to sense whether something is connected or not.

So when we show this interface, we will find that it is up and working although nothing is connected to it:
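Added example of step 4, not taken from the book's screenshots: the interface addressing on all three routers as the text describes it, with the DCE end of the serial link supplying the clock and the lab-only no keepalive trick. Interface names and the 192.168.1.x / 192.168.2.x addresses follow the text; the /24 masks, the clock rate value 2000000 (the 2 Mbps the text reports), the descriptions, and the FastEthernet0/0 interface with address 192.168.3.1 on Router3's LAN are assumptions.

```cisco
! Router1: LAN interface toward the switch and Router2
R1# show ip interface brief
R1(config)# interface Ethernet0/0
R1(config-if)# ip address 192.168.1.1 255.255.255.0
R1(config-if)# description TO-R2-AND-SW1
R1(config-if)# no shutdown
R1(config-if)# exit

! Router2: LAN interface plus the DCE end of the serial link
R2(config)# interface FastEthernet0/0
R2(config-if)# ip address 192.168.1.2 255.255.255.0
R2(config-if)# no shutdown
R2(config-if)# exit
R2(config)# interface Serial0/1/0
R2(config-if)# ip address 192.168.2.1 255.255.255.0
! only the DCE side takes a clock rate; "show controllers" tells you which side you are
R2(config-if)# clock rate 2000000
R2(config-if)# no shutdown
R2(config-if)# end
R2# show controllers serial 0/1/0
R2# show ip interface brief
! Serial0/1/0 stays physically down until Router3 brings its end up: no signal from the far side

! Router3: DTE end of the serial link and its own LAN (LAN interface and address assumed)
R3(config)# interface Serial0/0
R3(config-if)# ip address 192.168.2.2 255.255.255.0
R3(config-if)# no shutdown
R3(config-if)# exit
R3(config)# interface FastEthernet0/0
R3(config-if)# ip address 192.168.3.1 255.255.255.0
R3(config-if)# no shutdown
! LAB ONLY: report the interface up/up with nothing plugged in
R3(config-if)# no keepalive
R3(config-if)# end
R3# show interfaces FastEthernet0/0

! Back on Router2 the serial line is now up/up
R2# show ip interface brief
```

Leave keepalives on outside the lab: with no keepalive a dead link still looks up/up to the routing protocol and to monitoring, so a real failure goes unnoticed.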

Now let’s look at the following picture after we have done the basic configuration for the routers and switch in this network:

For now those routers cannot ping or reach the remote networks, because there is no routing protocol configured yet; they can only reach what they are directly connected to. For example, Router1 can ping F0/0 on Router2 but can’t reach S0/1/0 on Router2, as it is on another network.

We will set up the RIP protocol on Router1, but first we will run the following command, which makes sure that there is no other routing protocol configured on the router:

As you might see, no results appear, as no routing protocol has been configured on the router.

We will now configure the RIP protocol with version 2 (if you want to know why version 2 is preferred over version 1, please review ICND1 p.125).

OK, now we will type the network addresses that need to be advertised and known by the other routers on the network:

Let’s run the following command, which didn’t return any result at the beginning:

As you might notice, this command now shows the RIP protocol as a configured routing protocol on this router. For the RIP protocol, it says on the first line that it is sending a broadcast every 30 seconds, and the next broadcast will be in 8 seconds.

Let’s concentrate on the following line taken from the above picture:

If you look at the following picture, you will notice the interface that sends the network information broadcast to other routers, which is E0/0:

The following picture shows the network that is broadcast by the interface E0/0:

If you notice the following line:

What that means is that the router doesn’t see any routing information sources from the other routers, because none of the routers on the other networks are running the RIP protocol yet. Once we get R2 running the RIP protocol, we will see Router2 as a source of information on this line in the picture above.

We will now configure the RIP protocol, version 2, on Router2 and advertise networks 192.168.1.0 and 192.168.2.0:

Now we will see the following:

Let’s concentrate on the following lines taken from the above pictures:

The following lines say that the networks are being advertised through these interfaces:

And the following lines are the network IPs that are advertised:

If you notice the following line:

What that means is that the router doesn’t see any routing information sources from the other routers yet, because it takes about 30 seconds for Router1 to advertise on its network.

Now let’s get back to Router1 and see whether it has been updated by the RIP protocol from Router2 or not.

As you have noticed, the highlighted line is the routing information source Router2, at 192.168.1.2.

OK, if we run the following command:

You will find on the highlighted line the network that is learned by the RIP protocol from Router2, via 192.168.1.2 on interface E0/0.

Now let’s ping to check whether the packets are able to reach the destination or not:

From Router1 we will ping IP 192.168.1.2, which is the IP address of E0/0 on Router2:

As you might see, the success rate is 100%. OK, let’s ping the other interface of Router2 (S0/1/0):

The success rate is also 100%, because Router1 knows how to reach both networks through the RIP protocol, and Router2 is able to reply to Router1’s ping because it knows how to reach Router1’s network through RIP. If Router2 didn’t know how to reach network 192.168.1.0 from network 192.168.2.0, the ping would fail.

OK, let’s look at the following example; it will explain the ping issue we have just described more clearly:

If we ping from Router1 to Router3’s serial interface 0/0 at IP address 192.168.2.2, will it PING?? Well, most people say: if I am able to reach network 192.168.2.0 and I am able to ping IP address 192.168.2.1, then this IP 192.168.2.2 should reply normally, because Router1 sees that network through the RIP protocol. Well, let’s SEE!!

The success rate is 0%. The reason for that failure is that you have to remember that routing is a TWO-way process. When Router1 pings Router3, it actually sends the packets, and they reach network 192.168.2.0 and interface S0/0 of Router3 successfully; the problem is that Router3 doesn’t know how to reply back to network 192.168.1.0, because this network hasn’t yet been added to its routing table, as the RIP protocol is not activated on it.

So in order to allow those pings to succeed, we will enable the RIP protocol on Router3 and advertise the networks connected to Router3.

Now if we check the routing table of Router3:

As you might see, network 192.168.1.0 is added to the routing table because the RIP protocol is now enabled on Router3, which makes it able to communicate with Router1 and update the tables with each other.

Now if we ping IP 192.168.2.2 from Router1:

The ping is 100% successful: packets are able to reach interface S0/0 on Router3, and Router3 is able to reply back to Router1.

We should also now be able to reach network 192.168.3.0 from Router1, because we have advertised that network on Router3, as you might see in the following:

If we type the traceroute command to follow the packet path from Router1 to Router3, you will find the following:

You will notice that for each hop, traceroute probes three times, so it reaches the first hop at IP 192.168.1.2 on Router2, and then IP 192.168.2.2 on Router3.
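Added example covering step 5 above (RIPv2 on the three routers and the verification commands); it is not the book's screenshot content. The network statements follow the addresses in the text; the 192.168.3.1 address pinged at the end is an assumed address on Router3's LAN. The comments mark the asymmetric case the text explains: until Router3 runs RIP, a ping from Router1 to 192.168.2.2 reaches Router3 but Router3 has no return route.

```cisco
! Confirm no routing protocol is configured yet (prints nothing on a fresh router)
R1# show ip protocols

! Router1: RIPv2 for the office LAN only
R1(config)# router rip
R1(config-router)# version 2
R1(config-router)# network 192.168.1.0
R1(config-router)# end

! Router2: both directly connected networks
R2(config)# router rip
R2(config-router)# version 2
R2(config-router)# network 192.168.1.0
R2(config-router)# network 192.168.2.0
R2(config-router)# end

! At this point R1 -> 192.168.2.1 succeeds (R2 knows the way back),
! but R1 -> 192.168.2.2 fails: the echo reaches R3, which has no route to 192.168.1.0
R1# ping 192.168.2.1
R1# ping 192.168.2.2

! Router3: enable RIP and advertise the serial network and its own LAN
R3(config)# router rip
R3(config-router)# version 2
R3(config-router)# network 192.168.2.0
R3(config-router)# network 192.168.3.0
R3(config-router)# end
! 192.168.1.0 now appears as an "R" route
R3# show ip route

! Back on Router1: 192.168.1.2 is listed as a routing information source,
! "R" routes exist for 192.168.2.0 and 192.168.3.0, and both pings succeed
R1# show ip protocols
R1# show ip route rip
R1# ping 192.168.2.2
R1# ping 192.168.3.1
R1# traceroute 192.168.2.2
```

Because network 192.168.1.0 only covers E0/0, the ISP-facing E0/1 that is configured in the next section stays out of RIP; had it been included, passive-interface Ethernet0/1 under router rip would keep updates from being sent toward the ISP, and RIPv2 MD5 authentication on the internal links is the usual way to stop an unexpected neighbour from injecting routes.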

Configuring Route to INTERNET:

Now that we have configured the RIP protocol on all three routers, we will configure the default route to the internet, which goes out Router1’s interface E0/1, the one connected to the ISP.

Accessing Router1 and checking the interfaces as follows:

As you might notice, E0/1 is shut down with no IP address assigned to it.

So we will assign IP address 68.110.171.98 with subnet mask 255.255.255.224.

Now checking the interfaces and their status:

E0/1 is now UP and has its IP address assigned.

Now let’s ping the ISP IP address to check connectivity:

The ping is successful; we now have an internet connection but we don’t have any route to the internet, meaning if I ping any IP address out on the internet, such as the public DNS server IP address 4.2.2.2, it will not ping:

The reason is that the router doesn’t know about any route beyond the ISP. Let’s run the following command to check the routing table on Router1:

As you notice, it does know the internal networks through the RIP protocol, and the ISP IP address because it is directly connected. What it doesn’t know is what lies beyond the ISP, because RIP can’t manage a routing table of that size, so what most organizations do is configure a static default route:

So at that point, it tells the router: send every packet whose destination you don’t know how to reach to the ISP IP address, which is 68.110.171.97.

So if we show the routing table on Router1:

You will find that the static default route is added, marked S*.

Now let’s try pinging the global DNS IP address 4.2.2.2:

Now it pings successfully, so Router1 is able to access the internet. But the other routers cannot access the internet, because they would try to access it with their private IP addresses, which will be blocked by the ISP; this is because NAT is not enabled on Router1 yet, and as soon as those packets reach the ISP, the ISP will block them from going further, as it doesn’t forward private IP addresses.

Notice, something COOL (bonus info not present in CCNA but in CCNP, but it will help)!!:

As you know by now, Router1 is able to reach the ISP and beyond, but the other two routers (Router2 and Router3) are not able to reach the ISP IP address, for two reasons:

1. NAT configuration is not done (NAT will be described later in this course).
2. We haven’t yet configured a static route on both routers to tell them: if anything comes to you and you don’t find it in your routing table, forward it to the ISP IP address.

So what we would do is configure both Router2 and Router3 with a static route to the ISP IP address.

BUT what I will show you is a simple command, available in any routing protocol, that updates every router on the network with the static route present on the router sending the updates.

So if this static route is the route to the ISP IP address (the static default route), then all routers on the network will update their tables with that static route.

So on the router where the static default route is configured, which here is Router1, we go to global configuration mode and, since we are using the RIP protocol in this case, we write the following:

What that command does is inject the static route into the RIP process, which sends it to all the other routers on the network using the RIP protocol.

Now if we show the routing table of Router1, you will notice that the only static route we have is to the ISP IP address, and that static route will automatically be sent to the other routers’ tables on the network:

So if we access Router2 and look at its routing table, we will find the following:

You will notice the last line; it says: if you don’t know how to reach a network that is not present in your routing table, or you don’t have much information on it, just send it through interface F0/0 to IP 192.168.1.1. As you notice, the symbol here is R*, which means that the static default route was learned through the RIP protocol.

If we go to Router3 and look at its routing table, we will find the following:

You will notice the last line, R*, which means that the static default route was learned through the RIP protocol, and it says: if you don’t know how to access a network that is not present in your routing table, or you don’t have much information on it, just send it through interface S0/0 to 192.168.2.1.
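Added example of the internet route on Router1 and its propagation into RIP, as the text describes; these are not the book's own screenshots. The interface name, the 68.110.171.98/27 address and the ISP next hop 68.110.171.97 come from the text; the description is assumed, and the routing-table lines in comments give only the approximate form of the S* and R* entries.

```cisco
! Router1: bring up the ISP-facing interface (description assumed)
R1(config)# interface Ethernet0/1
R1(config-if)# ip address 68.110.171.98 255.255.255.224
R1(config-if)# description TO-ISP
R1(config-if)# no shutdown
R1(config-if)# end
! The ISP is directly connected, so this succeeds...
R1# ping 68.110.171.97
! ...but anything beyond it fails: there is no route for it yet
R1# ping 4.2.2.2
R1# show ip route

! Static default route: any destination not in the table goes to the ISP next hop
R1(config)# ip route 0.0.0.0 0.0.0.0 68.110.171.97
! Advertise that default route to the other RIP routers
R1(config)# router rip
R1(config-router)# default-information originate
R1(config-router)# end
R1# show ip route
! approximate form: S*   0.0.0.0/0 [1/0] via 68.110.171.97
R1# ping 4.2.2.2

! The other routers now hold the same default, learned from RIP:
R2# show ip route
! approximate form: R*   0.0.0.0/0 ... via 192.168.1.1, FastEthernet0/0
R3# show ip route
! approximate form: R*   0.0.0.0/0 ... via 192.168.2.1, Serial0/0
```

As the text says, Router2 and Router3 now have a path out but the ISP still drops their private source addresses until NAT is configured later. Note also that default-information originate makes every RIP speaker trust whichever router advertises a default, so in production the same controls mentioned for RIP itself apply: passive-interface on ports that face untrusted networks and RIPv2 authentication on the internal links.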

Backup Configuration:

Now let’s back up our configuration on Router1. Our TFTP server will be the PC that has IP 192.168.1.50.

We have discussed how to download and install the TFTP server software on a PC at ICND1 p.161, so review it if you need to know how we get it.

So in the following picture we run the TFTP program:

As you might notice, the IP of the PC is 192.168.1.50, and the TFTP server IP address will be the same as the IP of the PC.

So going to Router1, we will just ping the IP address 192.168.1.50 to make sure that we are able to reach it.

The check is OK; we are able to reach it successfully. We will copy the running config, which is stored in RAM, to the TFTP server:

As you might see, it will ask for the TFTP server IP address, and it will ask you whether you want to save the configuration file with the name r1-confg; here we will save it with the same filename but with the extension .txt, which enables us to open it in WordPad if we need to check it later, or to take a copy and paste it into global configuration mode when we need to restore our configuration.

So going to Router2, we will just ping the IP address 192.168.1.50 to make sure that we are able to reach it.

The check is OK; we are able to reach it successfully. We will copy the running config, which is stored in RAM, to the TFTP server, but this time in a different style from before, by typing the URL of the destination [tftp://192.168.1.50/r2-confg.txt]:

As you might see, it doesn’t ask you for the destination TFTP IP address or the name of the file, because you have already entered them; all you have to do is press the ENTER key to continue the backup process.

So going to Router3, we will just ping the IP address 192.168.1.50 to make sure that we are able to reach it.

The check is OK; we are able to reach it successfully. We will copy the running config, which is stored in RAM, to the TFTP server:

If we open the TFTP server folder where we saved our running configurations, you will find all the files with the extension TXT, so you will be able to open them in WordPad normally:

Now the last thing we will do is back up our IOS.

First we will find the name of our IOS and copy that name to paste it later:

Now we will run the following command:

As you might see above, we write copy flash tftp, which gives the order to copy the IOS present in flash memory to the TFTP server. After that it will ask for the IOS name, which you have already copied from the sh flash command before, so just paste it here. After that it will tell you that it will save the IOS file to the TFTP server as [c2600-ik9o3s3-mz.124-19.bin], and you accept that, as it has the same file extension; don’t change the extension or it will not work.

If I bring up my TFTP server program to see the progress of the copy, you will see the following:
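Added example of the backup commands this section describes, in both the interactive and the URL form, plus the IOS image copy; it is not the book's screenshot content. The server address, the configuration filenames and the image name are the ones the text gives; the prompt lines shown as comments are the standard IOS prompts, with the answers typed after them.

```cisco
! Reachability check before any copy
R1# ping 192.168.1.50

! Interactive form: IOS prompts for the server address and the destination filename
R1# copy running-config tftp:
! Address or name of remote host []? 192.168.1.50
! Destination filename [r1-confg]? r1-confg.txt

! URL form: server and filename given up front, only the confirmation prompts remain
R2# copy running-config tftp://192.168.1.50/r2-confg.txt
R3# copy running-config tftp://192.168.1.50/r3-confg.txt

! IOS image backup: read the exact image name from flash, then copy it under the same name
R1# show flash
R1# copy flash: tftp:
! Source filename []? c2600-ik9o3s3-mz.124-19.bin
! Address or name of remote host []? 192.168.1.50
! Destination filename [c2600-ik9o3s3-mz.124-19.bin]?   (press ENTER: keep the .bin name as is)

! Restoring later: paste the saved text into global configuration mode, as the text describes,
! or load the saved file straight into NVRAM and reload
R1# copy tftp://192.168.1.50/r1-confg.txt startup-config
```

TFTP carries these files with no authentication and no encryption, and the .txt copies contain the enable secret hash and the reversible type 7 line passwords, so run the TFTP server only while the backup is in progress and keep the folder where the files land restricted to the administrators who need it.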

VLAN Foundation:

What a VLAN does is logically group our users together. If you observe the picture above, we have two groups of users, one group with the BLUE color and the other group with the PINK color. What I can do with VLANs is group those people together and enable them to communicate with each other, where the Blue users are on the Blue ports only and the Pink users are on the Pink ports only.

So if a Blue user sends a broadcast, all the other Blue users on the Blue ports will receive that broadcast, but the Pink users will not. The same story goes for the Pink users: if one sends a broadcast, only the other Pink users will receive it, not the Blue ones. So what the VLAN does here is separate those users into two broadcast domains, or two different segments, or two collision domains.

OK, if you noticed in the picture there are White ports. What are they for? Well, those ports are used for transferring ALL VLAN traffic between switches for all the users on them (Blue and Pink), and that is what Cisco calls a TRUNK port.

Pink users can’t communicate with Blue users unless there is a router between the VLANs (this will be discussed later).

The last thing we will talk about is QoS (Quality of Service), which separates priority traffic from non-priority traffic and serves the priority traffic first. For example, if the Blue ports are connected to IP PHONES and the Pink ports are connected to PCs: an IP phone doesn’t generate as much traffic as a PC does, but it is high priority and should be served first. So VLANs allow me to logically separate the VoIP traffic from the PC traffic and give it priority over the PC traffic.

Normal Switch World:

We will review what a normal switch is, without any VLAN configuration:

• By default each port is one collision domain, and that is a good thing, as the computer connected to the port will be able to send and receive at the same time if it operates in full-duplex mode. It is also much better than a hub: with PCs connected to a HUB, only one can send OR receive at a time, as it is a half-duplex world, but on a switch multiple PCs may send and receive at the SAME time.

• A broadcast on the switch is sent to all other ports, by default.

• One subnet per LAN, meaning if the network IP on the switch is 172.16.1.0/24, all PCs should start with the same network ID so as to be able to communicate with each other on that LAN. For example, of two PCs on the switch, one will be assigned IP 172.16.1.50 and the other 172.16.1.51; they are both on the same network ID and are able to communicate with each other because all those PCs are on the same subnet. If one of those PCs changes its network ID, it will be isolated from the rest of the network and won’t be able to communicate with the other PCs.

• Very limited access control, which means it is very difficult for me to restrict a PC from communicating with another PC on the same network.

Flexibility of VLAN:

With VLANs you get segmentation of users without routers. In the past, in a network without routers and before VLANs, it was impossible to separate users, as all of them would be in one network; but with VLANs it is possible to separate users into different subnets even in the absence of routers.

As you might notice, in Building A there are two switches connected to each other, so logically all the PCs connected to those switches should be able to communicate with each other. But because of the VLAN configuration, the PC colored blue will not be able to communicate with the other two pink PCs, because they are on a different subnet (a different VLAN) although they are all connected to the same switch; however, the blue PC in Building A will be able to communicate with the PCs present in Building B.

What is TRUNKING?

Trunking allows the switches to pass multiple VLANS traffic between each other.

So, as you might see, we have three different VLANs on Switch A. If the green VLAN sends a broadcast, Switch A sends it over the trunk to Switch B, and Switch B sends the broadcast out of all its green VLAN ports only.

The switch places VLAN information into each frame header: before a frame travels to the other switch through the trunk port it is marked (tagged) with the VLAN it came from, so when the other switch receives it, it knows how to deal with that frame and which VLAN to forward it into. This VLAN information is purely a Layer 2 feature: the tag is placed inside the Layer 2 (Ethernet) header, and IP never sees it.

Trunking Language 802.1Q:

802.1Q is the trunking protocol (the tag format) that allows switches to exchange frames of multiple VLANs over one link. It is an IEEE industry standard, which means it works between switches of any vendor, unlike Cisco's proprietary ISL.


OK, let's say the pink VLAN sends a broadcast. The broadcast is sent by the pink PC at the left in the figure above into the switch. Before the switch sends that frame across the trunk, we would like to investigate it; it is zoomed in the picture below.

As you might see, from the left there is the destination MAC address, which in our case is FF:FF:FF:FF:FF:FF because it is a broadcast; after that the source MAC address (the MAC address of the sending PC); and then 4 bytes of data which the switch sticks into the frame before it goes across the trunk. These 4 bytes are two 16-bit fields: the Tag Protocol Identifier (always 0x8100, which tells the receiver that an 802.1Q tag follows instead of the normal EtherType) and the Tag Control Information, which is divided into a 3-bit priority field (802.1p class of service), a 1-bit CFI/DEI flag and a 12-bit VLAN ID (1 to 4094). So the tag tells which VLAN this frame belongs to; as an example we may say that the pink VLAN is VLAN number 10 and the blue VLAN is VLAN number 20.

So when that frame crosses the trunk link to the other switch, the other switch looks at the VLAN ID, finds that the frame belongs to VLAN 10, takes the tag off and forwards the broadcast frame to all ports assigned to VLAN 10, without the tag. The PC never sees a tag and does not know which VLAN it is on, because VLANs are a switching technology.


NATIVE VLAN:

The native VLAN is the VLAN for frames that are sent and received on the trunk port without a tag.

As we said before, every frame sent between the switches through the trunk port should be tagged by the switch (the frame carries the VLAN ID it belongs to). The native VLAN is the one exception: frames of the native VLAN are sent untagged, and untagged frames arriving on the trunk are assumed to belong to it.

What if we have a hub between the two switches in the network and we need to establish a trunk between the two switches?

OK, the concept of the native VLAN is as follows: when one of the two PCs connected to the hub wants to communicate with the rest of the network, its traffic arrives at the switch trunk port untagged (it has no VLAN ID), and the native VLAN setting places that traffic into an existing VLAN according to your configuration on the switch trunk port.

Example:

So when one of the PCs connected to the hub sends a broadcast, the broadcast goes through the hub and then to the switch. The switch receives that traffic on the trunk port and finds that the frame has no tag in its header, so the switch needs to know which VLAN the traffic belongs to.

• As a result, the native VLAN configured on that switch trunk port is the VLAN ID assigned to the untagged traffic, so that the PC is able to communicate with the rest of the network.

The native VLAN is whatever you configure on the switch trunk port (switchport trunk native vlan), but by default it is VLAN 1. Two things to keep in mind: the native VLAN must be the same on both ends of a trunk, otherwise untagged frames leaving one switch in its native VLAN arrive in a different VLAN on the other switch (Cisco switches log a native VLAN mismatch when CDP is running); and because anything untagged lands in the native VLAN, it is good practice to move the native VLAN off VLAN 1 to an unused VLAN and not to put user ports in it.


Another Example:

Now let’s observe the following Network:

We have a switch on the left, an IP phone in the middle and a PC on the right. The IP phone converts your voice into packets that travel through the network.

Now, one of the security issues here is that the PC shares the segment with the IP phone and could attack it and record the phone calls, so what we need to do is separate the IP phone and the PC into different networks, which is done with VLANs.

One of the most useful features of the Cisco IP phone is the switch port on its back: the phone contains a small switch, which means it can tag its own frames without needing the upstream switch to do it. The phone puts the tag with its VLAN ID into the header of every frame it sends across the network, so the switch port connected to the IP phone is configured as a trunk port, and because the phone sends its frames with a tag the trunk port knows which VLAN ID they belong to.

Now, computers have no idea what VLANs are, because tagging is a switch function, not a computer function, so when the PC sends traffic onto the network it sends the data untagged, just like the two PCs connected to the hub we talked about previously. We therefore configure the native VLAN on that switch port, which assigns any untagged frame to a VLAN ID according to your configuration; say for example the PC will be on VLAN 10 and the IP phone on VLAN 50.
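Here is that phone port in configuration, as an added example that is not from the book (its screenshots are not reproduced here). It assumes a Catalyst 3550, ports Fa0/5 and Fa0/6, VLAN 10 for the PC and VLAN 50 for the phone as in the text, and made-up VLAN names. The first variant is the trunk form the text describes; the second is the access-port-plus-voice-VLAN form that IOS provides for exactly this case.

```cisco
! Catalyst 3550 port for an IP phone with a PC behind it (example only).
! VLAN 10 = data (PC, untagged), VLAN 50 = voice (phone, tagged).
vlan 10
 name DATA
vlan 50
 name VOICE
!
! Variant 1, as described in the text: the phone port is a trunk. The phone's
! frames carry tag 50; the PC's untagged frames fall into the native VLAN 10.
! Only these two VLANs are allowed, so the port does not expose every VLAN.
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,50
 switchport mode trunk
 switchport nonegotiate
!
! Variant 2, the usual form on current IOS: an access port with a voice VLAN.
! The switch still expects the phone's frames tagged 50 and the PC's untagged
! in 10, but the port stays an access port and runs no trunk negotiation.
interface FastEthernet0/6
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 50
 switchport nonegotiate
```

In both variants the PC's untagged frames land in VLAN 10 and the phone's frames, tagged 50, land in VLAN 50. The difference is that with the voice VLAN form the port remains an access port carrying only those two VLANs, so the PC is never attached to a general-purpose trunk.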


VLAN Trunking Protocol (VTP):

VTP is a Cisco-proprietary protocol that replicates the VLAN database between switches. It is not the trunking protocol itself: 802.1Q (or ISL) carries the tagged frames, and VTP advertisements travel over those trunk links.

Let's take an example. In a large organisation with hundreds of switches and many VLANs, as the organisation grows more VLANs need to be created, and you would have to telnet to each switch and add the new VLAN manually on each one, which is hard enough to do.

So what VTP does is replicate the VLANs to all the other switches: if I need VLAN 55 on all the switches of the network, I add it just on the server switch, and VTP sends a message over the trunk links to all the other switches saying "I have an update: VLAN 55 has been added", and all the other switches add that VLAN too.

VTP does not assign ports to VLANs, though; as an administrator you still have to assign the ports yourself, manually, on each switch.

VTP Modes:

We have three modes of VTP; by default a new switch acts as a server. Let's see the three modes:

1. Server Mode (Default):
• Every switch is a server by default.
• A server can change VLAN information (add, delete and rename VLANs).
• Sends and receives VTP updates.
• Saves the VLAN configuration.

2. Client Mode:
• A client cannot change VLAN information: it cannot add or delete VLANs.
• Sends and receives VTP updates.
• Does not save the VLAN configuration.

3. Transparent Mode:
• A transparent switch can change VLAN information, meaning it can add, delete and modify its OWN VLANs only.
• It does not listen to any VTP updates: if one of the switches sends a VTP update saying "please add this new VLAN number", the transparent switch says no, I have my own VLAN database and I will neither update it nor tell you about it.
• It forwards (passes through) VTP updates: if a server switch is connected to a transparent switch, and a client switch hangs off the transparent switch, an update from the server is passed to the transparent switch, which does not act on it but simply forwards it on to the client switch.
• Saves the VLAN configuration.

VLAN Pruning:

It keeps unnecessary broadcast (and other flooded) traffic from crossing trunk links.

Here is a picture of three switches connected together by trunk links. As you notice there is a green VLAN, a red VLAN and a blue VLAN, but the last switch does not have any green VLAN ports. The concept and benefit of VLAN pruning is this: when a green PC sends a broadcast, normally the broadcast is carried over the trunk links to the second and the third switch, and the third switch just drops it because no green VLAN port is present there.

So VLAN pruning stops that broadcast at the second switch instead of sending it on to the third.

VLAN pruning is enabled on a VTP server (vtp pruning) and the setting is propagated to the whole VTP domain. Each switch then advertises on each trunk which VLANs it actually has active ports in, and the neighbour stops flooding the other VLANs onto that trunk. VLAN 1 and the reserved VLANs 1002 to 1005 are never pruned.

If a green VLAN port is later added on the last switch, it tells its neighbour through VTP that broadcasts for the green VLAN should be passed to it again.


Configuring VLans and VTP:

As you might see below, the network has changed as the office has grown: R1 and R2 are connected to each other, and the office has grown to three switches. Switch1 has become the core switch to which all the other switches on the network are connected. Everything in the left office is on the same network ID (192.168.1.0).

In the following scenarios we will do the following:

1. Configure trunks.
2. Configure VTP.
3. Configure VLANs.
4. Assign ports to VLANs.


Accessing Switch2 through the console port, we will do the following:

We check the status of the switch ports. As you might see, some of the interfaces are up, which indicates connected devices, but what is more important to me now is that the VLAN1 interface is shut down! So we enable that interface and configure its IP address.

Accessing Switch3 and configuring the VLAN interface in the same way:

Now if we try a ping from Switch3 to Switch1, it pings successfully; also if we try a ping from Switch3 to Switch2, it pings successfully.


So everything now belongs to VLAN1, meaning all our ports belong to VLAN1. Let's do the show vlan command on Switch3 to see the interfaces in VLAN1.

As you might see, all the interfaces on the switch are in VLAN1 by default, except for Fa0/1, because that port is a trunk port and trunk ports are not listed under any single VLAN in this output; we will talk about it later.


Configuring VLans and VTP:

1. Configuring Trunks:

The first step is configuring the trunk ports between the switches: at Switch1, Fa0/11 and Fa0/12 will be the trunk ports, so as to carry all the VLANs across them.

Notice: VTP will not work over an interface that is not a trunk. The trunk port has to be active before VTP updates can be shared between the switches, because the updates cross that link.

Starting at Switch1 for Configuring the Trunk Port because that is our Core Switch of our Network:

First we display the mode of interface Fa0/11. As you might see, this interface is by default in dynamic desirable mode; all switch ports on this switch are in dynamic desirable mode by default.

• What that mode means is that the switch port may become an access port or a trunk port, depending on the device connected to it (the two sides negotiate this with Cisco's Dynamic Trunking Protocol, DTP). An access port is the port a PC connects to; it carries one VLAN and cannot be a trunk port. The trunk port is used between switches, because it carries the traffic of all VLANs between them.

Now, this dynamic mode is horrific, because the port switches between the two modes (trunk, access) automatically according to the connected device, which is a security threat on the network. Why is it dangerous? Let's see the following example.

If an employee brings his own switch (or any device that speaks DTP) into the company and plugs it into one of the ports of the company switch, the port connected to the employee's switch changes itself into a trunk port and starts carrying every VLAN and exchanging VTP updates. That is dangerous: the employee learns the VLAN database and has a direct path into every VLAN, so it is horrible to leave ports in dynamic mode. Note that on newer Catalyst models the default is dynamic auto rather than dynamic desirable; that still forms a trunk as soon as the other side asks for one, so the fix is the same: hard-code every port as access or trunk and turn negotiation off with switchport nonegotiate.


So, accessing Switch1, under ports Fa0/11 and Fa0/12 we configure the port from dynamic mode to trunk mode.

That command returns an error. The reason the error appears is that this switch, a 3550 with many features, can run either of two trunk encapsulations on its interfaces: 802.1Q and ISL (Inter-Switch Link, a Cisco Systems proprietary protocol). The message says that the trunking encapsulation is set to Auto and the port cannot be configured as a trunk unless you specify which type of encapsulation to use, with switchport trunk encapsulation dot1q.

Now that we have hard-coded which language it is going to speak, I configure interface Fa0/11 of the switch to be a trunk port with switchport mode trunk.

OK, so we now have configured Fa0/11 as a trunk port; now we move to Fa0/12 and do the same.

Now that Fa0/11 and Fa0/12 are configured as trunk ports, for security reasons we configure the rest of the ports of the switch as access ports.


So Fa0/1 to Fa0/10 and Fa0/13 to Fa0/23 will be access ports.

As you might see above from the command line, we have configured the rest of the interfaces from dynamic mode to access mode.

If we do the show run command, you will find that the interfaces we configured have changed from dynamic mode to access mode, so that those ports work only for PCs and routers and never become trunks to another switch.


Let’s go to Switch2 & Switch3 to configure the Trunk Port:

Notice that Switch2 and Switch3 are of type 2950, which unlike the 3550 does not support ISL encapsulation; they support 802.1Q only. So we give the trunk command directly without choosing the type of encapsulation, because 802.1Q is used by default when you enable the trunk port.

Also, the switchport trunk encapsulation command we typed on the 3550 switch, which specifies the type of encapsulation used on the trunk port, is not present on the 2950 switch.

Now we configure the rest of the interfaces of the switch in access mode.

If we run the show run command, you will find that the interfaces have changed to access mode, except of course Fa0/1, which is our trunk port.


Accessing Switch3, we do the same as on Switch2: configure Fa0/1 as the trunk port and then the rest of the interfaces in access mode.

After that, save your configuration from RAM to NVRAM (copy running-config startup-config).


2. Configure VTP:

We will access Switch2, and do the following:

We will describe the above picture (the VTP status of Switch2) in detail:

VTP Version: the VTP version currently running, which is version 2.

Configuration Revision: the configuration revision is 0, meaning no change has been made to the VLAN database yet.

Maximum VLANs Supported Locally: this switch supports 128 VLANs.

Number of Existing VLANs: the active VLANs on that switch, currently five (we will see why it is five later).


VTP Operating Mode: as we said, any switch is in server mode by default.

VTP Domain Name: it has no domain name yet; it is blank.

VTP Pruning Mode: pruning is disabled (we described pruning before).

Now we will stop describing the rest of the lines and start configuring VTP, but before configuring I will explain why by default there are five active VLANs.

When we do the show vlan command, it lists the VLANs that are active on the switch.

VLAN 1 is the default VLAN on any switch and it is always active. The other four VLANs (1002 to 1005) are standard issue and are present in any Catalyst switch you buy; they are reserved for media other than Ethernet (fddi-default, token-ring-default, fddinet-default and trnet-default).

Let's take an example: VLAN 1002, fddi-default, is used with the FDDI fibre-optic medium, and its status is act/unsup, meaning active but unsupported, because this switch has no FDDI interfaces installed.


VTP configuration (we will configure three major aspects):

I. Configuring the VTP domain name.
II. Adding a password for the VTP domain (optional).
III. VTP mode.

I. Let's start with configuring the VTP domain name at our core switch, Switch1:

When we assign Switch1 the VTP domain name, for example Nugget World, the other two switches connected to Switch1 automatically join that domain. The reason is that Switch2 and Switch3 have no domain name configured, as we saw on Switch2 where the VTP domain name was blank; a switch with a blank domain name joins the first domain it hears about on a trunk and becomes part of it. Once a switch has joined a domain it never changes or joins another domain unless you change it manually.

Notice: The Name of the Domain Name is Case Sensitive.

If I show the VTP Status of Switch1, You will find that the Domain Name is placed their:


If I jump to Switch2 to check whether it has joined the domain created by Switch1, you will find that it has.

The last line, the local updater ID, shows 192.168.1.11 on interface Vl1: this is the address Switch2 itself uses as the source of any VTP update it sends, and 192.168.1.11 is the VLAN1 IP address of Switch2.

If I jump to Switch3 to check whether it has joined the domain created by Switch1, you will find that it has too.

The highlighted line is again the local updater ID, 192.168.1.12, which is the VLAN1 IP address of Switch3.


II. Adding Passwords for VTP Domains:

To add a password, enter global configuration mode and type the command vtp password followed by the password you want. After that go to Switch2 and Switch3 and type the same password you entered on Switch1, so that they accept each other's updates. The password is never sent in clear text: VTP advertisements carry an MD5 digest computed over the VLAN database and the password, and a switch whose password differs simply discards the advertisement. Without a password, any switch plugged into a trunk with the right domain name can push updates into the domain.

III. VTP Mode:

When you type vtp mode ? it lists the three modes of VTP: server, client and transparent. Now remember that the switch is a server by default, so we leave Switch1 as it is, without configuration, because we need it in server mode.

Accessing Switch2, we set it to client mode (vtp mode client).

When we check the VTP status again, you will notice that the mode has changed to Client.


3. Configure VLANs:

VLANs are configured only on Switch1, because it is the server switch; on a client switch you cannot create, modify or delete VLANs.

Now accessing Switch1 and start Creating VLAN number 10 as example, let’s see the following:

Now if we make the Show Vlan Command, you will find the following:

As you might see, VLAN0010 is added to the VLAN table and its status is active. You may also give that VLAN a descriptive name such as SALES, so it is easier to understand logically, as follows:

Now if we make the Show Vlan Command, you will find that VLAN10 is renamed to SALES, as following:


Now let’s show the VTP Status on our Switch1:

You will notice that the Configuration Revision is changed to 3 .

Let’s check the other Two Switches, for the Configuration Revision:

In Switch2 you will find the configuration revision is 3, and if you observe the last line in the picture you will notice that the configuration was last modified by IP address 192.168.1.10, which is the IP address of Switch1, meaning that Switch1 is updating the other switches through VTP.

If we show the VLAN information on Switch2, we will find the following:

As you might observe VLAN10 is added automatically to VLAN database of Switch2.


In Switch3 you will find the configuration revision is 3, and it should be the same on all the switches of the network, because the revision number is how a switch knows it has the latest updates: a switch accepts an advertisement only when its revision number is higher than its own. Also, if you observe the last line in the picture, the configuration was last modified by IP address 192.168.1.10, the IP address of Switch1, meaning that Switch1 is updating the other switches through VTP.

This is also the classic VTP danger: a switch (server or even client) that joins the domain with a higher revision number than everyone else overwrites the VLAN database of every other switch, deleting the VLANs it does not know about and leaving every port assigned to them inactive. Before connecting a previously used switch, reset its revision to 0 (putting it in transparent mode and back, or changing its domain name, does that), and use a VTP password on the domain.

If we show the VLAN information on Switch3, we will find the following:

As you might observe VLAN10 is added automatically to VLAN database of Switch3.

Ok now we will create Two More VLans on Switch1


Checking that our VLANs are created and added to the VLAN database table on Switch1:

As you might see, the two VLANs are created, added and active now, but no interfaces are assigned to the three VLANs we have created. Keep in mind that those two VLANs are added automatically to the VLAN table on Switch2 and Switch3.

Let’s check the VTP Status on Switch1:

You will observe that the configuration revision has changed from 3 to 5 because of the two changes we made, adding two new VLANs on Switch1. You will notice too that on Switch2 and Switch3 the configuration revision changes to 5.


Remember when we said that Fa0/1 on Switch3 did not appear among the VLAN interfaces when we ran show vlan on P.48? That is because this interface is configured as a trunk port.

So we run the command that shows us the switchport mode characteristics of the port (show interfaces fa0/1 switchport):

• Switchport is enabled.
• Administrative mode is trunk.
• Operational mode is trunk.

What is the difference between administrative mode and operational mode? The administrative mode is what is configured on the port; the operational mode is what the port is actually doing. Remember that when we first accessed the switch all the interfaces were in dynamic mode: that was the administrative mode, dynamic by default. If we had not configured the ports and left them dynamic, the command above would have shown the administrative mode as dynamic and the operational mode as trunk, because the port is connected to a switch port on the other side and negotiated itself into a trunk, not an access port.

• The Trunking Encapsulation is Dot1Q which is the (802.1Q) Protocol.


If we do the show interfaces trunk command, it shows the ports that are trunking. As you might see, Fa0/1 has mode on, encapsulation 802.1q and status trunking, its native VLAN is 1, and below that are the VLANs allowed, active and forwarding on that trunk.


4. Assign Ports to VLANs

Now let’s start assigning the Ports to the VLans we have created.

Starting with Switch3 we will assign port FE0/8 to the VLAN10:

What we have done is first make sure that the interface is in access mode, and then assign it to VLAN10 (switchport access vlan 10).

Now Fa0/8 is the only port on VLAN10 and the other ports are on VLAN1, so if we test with a ping from the PC 192.168.1.50 connected to Fa0/8 to any of the other ports on the network, we will see that the ping does not work: port Fa0/8 is now in a different VLAN, which means a different segment, which means a different broadcast domain, and nothing routes between them.


If we add port Fa0/11 on Switch2 to VLAN10 in the same way:

Now if we ping from the PC (192.168.1.20) on Switch2 to the PC (192.168.1.50) connected to Switch3, the ping is successful, because both PCs are in VLAN10 and that VLAN is carried between the switches over the trunks.

Now let's change the PC connected to Switch2 from VLAN10 to VLAN20:

If I show the VLAN table on Switch2, you will find that the port is now in VLAN20, which is the Marketing VLAN.

NOTICE: Whenever you create VLANs on your network it is a good idea to match the subnet number with the VLAN ID, for example 192.168.1.0/24 for VLAN1, 192.168.10.0/24 for VLAN10, 192.168.20.0/24 for VLAN20, and so on.
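The four steps above, collected into one configuration as an added example (this is not the book's own configuration; the book shows it only in screenshots that are not reproduced here). It uses the book's topology: Switch1 is the Catalyst 3550 core with VLAN1 address 192.168.1.10, Switch2 a Catalyst 2950 at 192.168.1.11, and Switch3 a 2950 at 192.168.1.12 configured like Switch2. The port numbers follow the text. The VTP domain name is written without the space (NuggetWorld), and the VTP password, the VLAN names and the unused native VLAN 999 are assumptions added for the example.

```cisco
! ===== Switch1 (Catalyst 3550, core, VTP server) =====
hostname Switch1
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
 no shutdown
!
! Step 1: trunks to Switch2 and Switch3. The 3550 supports ISL and 802.1Q, so
! the encapsulation has to be fixed before "switchport mode trunk" is accepted.
! "switchport nonegotiate" switches DTP off, so the port never negotiates;
! native VLAN 999 keeps untagged trunk traffic out of VLAN 1, where the
! management address lives.
interface range FastEthernet0/11 - 12
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
! The remaining ports are hard-coded as access ports, so a switch plugged in
! by an employee cannot negotiate a trunk on them (the dynamic desirable risk).
interface range FastEthernet0/1 - 10 , FastEthernet0/13 - 23
 switchport mode access
 switchport nonegotiate
!
! Step 2: VTP. Server is the default mode and is kept. The domain name is
! case sensitive; the password must match on every switch in the domain.
vtp domain NuggetWorld
vtp password S3cretVtp
vtp pruning
!
! Step 3: VLANs are created on the server only; VTP replicates them.
vlan 10
 name SALES
vlan 20
 name MARKETING
vlan 999
 name NATIVE-UNUSED
!
! ===== Switch2 (Catalyst 2950, VTP client) =====
hostname Switch2
!
interface Vlan1
 ip address 192.168.1.11 255.255.255.0
 no shutdown
!
! Step 1: the 2950 speaks 802.1Q only, so there is no encapsulation command.
interface FastEthernet0/1
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport nonegotiate
!
! Step 2: same domain and password, client mode (cannot create VLANs).
vtp domain NuggetWorld
vtp password S3cretVtp
vtp mode client
!
! Step 4: assign a port. VLAN 10 must already exist (it is learned via VTP).
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 10
!
! Switch3 is configured exactly like Switch2, with 192.168.1.12 on Vlan1 and
! FastEthernet0/8 in VLAN 10.
!
! Verification on any of the switches:
!   show interfaces fastEthernet0/1 switchport   administrative vs. operational mode
!   show interfaces trunk                         mode, encapsulation, native VLAN
!   show vtp status                               domain, mode, revision number
!   show vlan brief                               VLAN table and access ports
! Then save on every switch: copy running-config startup-config
```

The order matters in two places: the encapsulation line must precede switchport mode trunk on the 3550, and the VLANs must exist (created on the server and learned through VTP) before a client port can be placed in them. Every non-trunk port gets switchport nonegotiate as well as mode access, so that no port on any switch can be talked into becoming a trunk.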


Three methods to route between VLANs:

1. A separate router port for each VLAN.
2. Router-on-a-stick.
3. Layer 3 switching.

For the CCNA exam you should be able to route between VLANs using methods 1 and 2; method 3 is CCNP material.

1. Starting with a separate port for each VLAN:

We have two VLANs (50 and 51): PC 192.168.1.50 is assigned to VLAN50 and the other PC (192.168.2.50) is assigned to VLAN51. On the router we configure one port per VLAN with an IP address in the same subnet as that VLAN's PC. On the switch, the port going to the first router interface is assigned to VLAN50 and the port going to the second router interface is assigned to VLAN51. Each PC uses the router interface in its VLAN as default gateway; for example PC 192.168.1.50 has default gateway 192.168.1.1.

The problem with a separate port for each VLAN is that it is neither practical nor scalable: the more VLANs you add, the more router ports you need, which means a router with a large number of interfaces, and that is extremely expensive. That is why Cisco came up with method number 2, router-on-a-stick.

2. Router-on-a-stick:

We configure a trunk connection to the router. Remember that a trunk carries the traffic of all the VLANs, so when a PC wants to communicate with a PC in another VLAN it sends the traffic to its default gateway IP address through the trunk port, and the router sends it back down the same trunk in the other VLAN. We will explain later how it is configured.


3. Layer 3 switching:

A Layer 3 switch is a router inside a switch. Instead of having an external router, we create VLAN interfaces (SVIs) on the Layer 3 switch; each one is reachable by everything inside that VLAN and acts as its default gateway.


Understanding how a Router-On-A-Stick works:

The router-on-a-stick method routes between different VLANs. The link between the router and the switch must be a trunk, and the router interface must be Fast Ethernet or faster, such as Gigabit Ethernet; it does not work on a 10 Mbps Ethernet interface.

If VLAN50 is on subnet 192.168.1.0 and VLAN51 is on subnet 192.168.2.0, which IP address is configured on the router's physical interface for them? None: we do not configure the VLAN addresses on the physical interface of the router, but on subinterfaces of it, one per VLAN.

Now, accessing Router2 from our previous network, we configure Router2 as the router-on-a-stick, with Fa0/0 as our trunk port:


First we check interface Fa0/0 to see what IP address is configured on it. As you might see, Fa0/0 has the IP address 192.168.1.2. What we do now is start creating subinterfaces under that interface.

As you might see, there is a huge number of subinterfaces we may create under the main interface Fa0/0.

If we try to create subinterface 20 under Fa0/0 and assign it an IP address straight away, a message appears: the router refuses the address because it first needs to be told which VLAN this subinterface will answer for. We do that with encapsulation dot1Q 20: it sets the encapsulation used on that subinterface to 802.1Q for VLAN 20 and tells the router to respond to packets coming from VLAN20 specifically. The message that appears below this command will be described later.

Now we may assign the subinterface its IP address normally.

Then we create our other subinterface on the same interface Fa0/0, for VLAN 10, and assign its IP address normally.


Now when we do show ip interface brief, you will find that the two subinterfaces we created appear in the table with their respective IP addresses.

Now all I have to do is set the default gateway of the PC in VLAN20 to 192.168.20.1 and the default gateway of the PC in VLAN10 to 192.168.10.1.

Now we describe the message that appeared earlier:

By default the largest payload that can be sent in an Ethernet frame is 1500 bytes (the MTU). When a frame is tagged, the switch inserts the 4 bytes of VLAN information into the header, so a maximum-size tagged frame is 4 bytes longer than an untagged one (a so-called baby giant); the message warns that the router and the switch must both be able to handle frames of that size on the trunk. On Cisco devices this is handled automatically once trunking is enabled: the IP MTU of the subinterface stays 1500 bytes and the tag is carried in addition to it, so the hosts do not need to change anything.

Now if I ping from PC 192.168.20.20 to the Default GW of that PC which is 192.168.20.1, as following:


Now we try to ping from the PC 192.168.20.20 to the other VLAN's gateway, 192.168.10.1, and it works. The reason VLANs 10 and 20 are able to communicate with each other is that Router2 knows their routes in its routing table: if we do show ip route, you will find that the router has learned two networks, 192.168.10.0 and 192.168.20.0, of type C, directly connected through the subinterfaces.

Now if we ping 192.168.1.1 from PC 192.168.20.20:


It gives Request Timed Out. The reason is that R1 does not know how to reach the network 192.168.20.0, because it is not present in its routing table: the ping reaches R1 through Router2, but R1 has no route for the reply.

So we add that network on R1 with a static route. The static route lets R1 reach network 192.168.20.0 through the Fa0/0 interface of Router2, 192.168.1.2, as next hop.

Now we try the ping again, and it is successful.

Now we try a tracert from PC 192.168.20.20 to the IP 192.168.1.1. That proves that the packets go through the router-on-a-stick (192.168.20.1) and then hop to the IP address 192.168.1.1.
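The router-on-a-stick setup and the static route above, written out as an added example (not the book's own configuration). It keeps the book's addresses: Router2 Fa0/0 at 192.168.1.2 untagged, subinterfaces for VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24), and R1 at 192.168.1.1. The switch port facing the router (Fa0/24 on Switch1), the descriptions and the extra route for VLAN 10 are assumptions.

```cisco
! ===== Router2 (router-on-a-stick) =====
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
! A subinterface must be told which 802.1Q VLAN it terminates BEFORE it is
! given an IP address, otherwise the router rejects the address. The number
! after the dot is only a label; the VLAN ID is the one on the encapsulation
! line (keeping them equal avoids confusion).
interface FastEthernet0/0.10
 description SALES, VLAN 10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 description MARKETING, VLAN 20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
! ===== Switch1, the port facing Router2 (assumed to be Fa0/24) =====
! The router's physical interface keeps 192.168.1.2 untagged, so the trunk's
! native VLAN stays at 1 here; VLANs 10 and 20 reach the router tagged.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate
!
! ===== R1 (192.168.1.1) =====
! R1 can answer 192.168.20.20 only if it has a route back; Router2's Fa0/0
! address is the next hop. The VLAN 10 route is added for the same reason.
ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 192.168.10.0 255.255.255.0 192.168.1.2
!
! Verify: on Router2 "show ip route" lists 192.168.10.0 and 192.168.20.0 as
! C (directly connected) via the subinterfaces; on R1 they appear as S (static).
! Hosts: VLAN 10 PCs use 192.168.10.1 as default gateway, VLAN 20 PCs 192.168.20.1.
```

The allowed-VLAN list on the switch side limits what the router trunk carries to the VLANs it actually routes; any VLAN not in the list never reaches the router's interface.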


Understanding the Spanning Tree Protocol (STP)

When you design a switched network it is best to approach it in layers. As you might see in the following picture, an extremely large switched network is designed in the three separate layers of the Cisco model: the access layer, the distribution layer and the core layer.

The access layer is where devices actually plug into the network; in the picture above we have servers and PCs connected to the access switches.

The distribution layer is where the VLANs and separate networks are routed between, and it connects the access layer to the core layer.

The core layer is considered the backbone of the network, where all the major traffic travels between the two networks in the figure above.

EtherChannel can provide more bandwidth on key links: it takes from 2 to 8 ports of the switch and bundles them together into a single pipe. For example the two core switches in the picture have three links between them, each 100 Mbps, so EtherChannel bundles them as if they were one pipe with a total of 300 Mbps; it is an advantage to have a large bandwidth between your core switches using this technique, and STP treats the bundle as one link, so no member port gets blocked.

Also, if you noticed in the previous picture, there is a redundant connection between each switch and the next, which is useful because it eliminates a single point of failure. So the access layer switches are connected to the distribution layer switches, and the distribution layer switches to the core layer switches, by two or more links, and those are called redundant links. Redundant links are great if they are designed the right way, or they will be BAD.


Why can a redundant link be BAD?

A switch, by default, floods a broadcast it receives out of all its other ports. So when the PC at the top sends a broadcast to the switch, the switch sends that broadcast out of all its ports (X and Y) except the one it received it on, and the other switch below receives this broadcast on port A and port B.

FIRST : The Broadcast received from PortA will be forwarded to PortB and to the PC.

Second : The Broadcast Received from PortB will be forwarded to PortA and to the PC.

The broadcast packets sent from PortA and PortB will be reached by PortX and PortY and what the Switch will do in that case is as following:

First: The Broadcast received from PortX will be forwarded to PortY and to the PC.

Second: The Broadcast Received from PortY will be forwarded to PortX and to the PC.

This Loop will be keep in happening along the Network between the Two Switches till the utilization of the Network become 100% which is BAD , and everything will be stopped due to HIGH TRAFFIC were the PC will be unable to send its packets.

Notice: There is a field in the Packet called TTL (Time To Live) that’s indicates how long the Packets will Survive in the network till it’s deleted, but TTL is a feature in Layer3 only which is managed by the

Routers were the Routers receives the Packet and Subtract the TTL from the Packet till it reach Zero and the Router will destroy the Packet so as not to consume the Network Band-Width for unwanted Packets.

So in our Example there are no Routers so the Packets will be in LOOP between the Switches forever.

So the point here is that redundant connections are necessary in large networks, but there has to be some mechanism that keeps only one of the links working while the other link stays in a standby state, so that if the main link goes down the other one is enabled automatically.

STP (Spanning Tree Protocol) is what blocks all the redundant links in your network until they are needed. What Spanning Tree does is find the best set of links in the organization and make them active; the other links stay blocked (redundant) until something happens to a working link, for example it is shut down or its cable goes bad, and in that case STP makes the redundant link work.


The Facts about Spanning Tree:

The original STP (802.1D) was created to prevent loops.

Switches send "probes" into the network called Bridge Protocol Data Units (BPDUs) to discover loops. How does it work? Let's explain it on the example we described before.

A BPDU is not an ordinary broadcast: it is sent to a reserved multicast MAC address (01:80:C2:00:00:00), and a switch running STP does not flood it but processes it and then sends its own BPDUs out of its other ports. So Switch1 sends a BPDU from port B, Switch2 receives it on port Y, processes it and sends BPDUs out of its other ports, including port X. When Switch1 finds BPDUs describing the same root bridge arriving on more than one of its ports (port A and port B), it understands that there is more than one path, in other words a loop, in the network, and it takes its action.

• The BPDUs also help to select the core switch of the network, called the Root Bridge. Only one switch in the entire network is chosen as the root bridge; the reason is so that all the other switches can find the best way to reach that root bridge and then block all the redundant links.

Note: if you leave Spanning Tree to choose the root bridge by default, the result will be horrible, because in practice Spanning Tree ends up selecting the oldest switch in the whole network as the root bridge. Oldest here means the oldest manufacture date, not how long the switch has been running; we will see why when we look at the bridge ID. So, for example, if the oldest switch in your network was manufactured in 1992 with 10 Mb/s ports and is selected as the root bridge, all the other switches will assume it is the center of the network and will find their best route to it, and as a result the network performance will be horrible, because all the traffic is going through an old switch with only 10 Mbps ports.

Every Cisco switch runs STP by default, so you can connect the network together with redundant links and you are not going to have any loops, but it is going to be an inefficient network unless you choose the root bridge yourself.


Understanding BPDUs and Selections:

The root bridge is selected among all the switches in the network according to the BRIDGE ID value: the switch with the lowest bridge ID wins.

The Bridge ID is built of two pieces:

1. Priority (2 bytes).

2. Switch MAC address (6 bytes).

Every new switch has the same default priority, which is 32768.

The lower the priority, the better the chance that the switch becomes the root bridge. So if you install new switches (straight out of the box) on your network, all of them have the same priority and are equally eligible to be the root bridge; the second thing looked at is then the MAC address, and the switch with the lowest MAC address is selected as the root bridge. That is why, as we said before, leaving STP to select the root bridge by default tends to pick the oldest switch in the network: vendors hand out MAC addresses roughly in manufacturing order, so with all priorities equal the oldest switch usually has the lowest MAC address. (Usually, not always; the only safe assumption is that the default election is arbitrary from your point of view.)

EXAMPLE:

We have three switches that all have the same priority number, so the root bridge will be selected by the lowest switch MAC address.

In our example the switch with MAC address aaaa.aaaa.aaaa will be the root bridge. Once the root bridge is known, every other switch has to find the best route to it.

The best route to the root bridge is determined by the LINK COST of the cables. We will discuss how the link cost is determined, but for now let's assume that each of the three cables between the switches has a link cost of 19 (the 802.1D value for a 100 Mbps link).

So every switch in the network tries to find the cheapest route to the root bridge. For Switch2 it costs 19 to go directly to the root bridge, Switch1, and 19 + 19 the other way round, because it costs 19 to go to Switch3 on the right and another 19 from there to the root bridge, 38 in total. So Switch2 chooses the link that costs only 19, because it is the cheaper one, and makes that port its ROOT PORT. The same goes for Switch3.

Notes:

All the ports of the root bridge are always open; none of its ports is ever blocked.

The ports of the root bridge never become root ports, because a root port is the port through which a switch reaches the root bridge, and the root bridge is already there.

Notes:

A Designated Port is a forwarding port that forwards all the traffic passing through the link, and there is exactly one designated port per link (segment).

So the link between Switch2 and Switch3 will have one designated port, forwarding traffic on one switch, and one blocked port on the other switch. Which end is designated is decided first by the lowest cost to the root bridge and, when that is a tie as it is here (both Switch2 and Switch3 are 19 away from the root), by the lowest BRIDGE ID. Switch2 gets the forwarding port because its bridge ID is lower than Switch3's, and Switch3 blocks its port because it has the higher bridge ID. So the link between Switch2 and Switch3 stays blocked until one of the main links goes down, at which point STP brings that link up and running.

How STP finds the best path:

Step 1: Elect the root bridge (the lowest bridge ID).

Step 2: Every other switch finds its lowest-cost path to the root; the port that path leaves from becomes its root port.

Step 3: On every link one designated port is chosen (lowest cost to the root, then lowest bridge ID); every port that is neither a root port nor a designated port is blocked.


Configuring Basic STP:

You will notice that we have added a redundant link between Switch2 and Switch3, so we have made a loop in the network. As soon as there is a loop, STP takes the steps we described before to stop it. What we will do now is log in to those switches and see which one has been chosen as the root bridge.


Starting with our core switch (Switch1), let's do the following:

Let's describe the picture above:

For VLAN 1, Spanning Tree is enabled with protocol ieee, which is the industry standard (802.1D).

Under that you will find the Root ID and the Bridge ID.

In the following picture you will find the information about the Root ID:

First, the priority of the root bridge is 32769 and the MAC address of the root bridge is 0008.20fd.be80. The cost 19 is the cost to reach the root bridge, and port 11 (Fa0/11) is the port this switch reaches it through.

The Hello Time is how often the root bridge sends a BPDU, every 2 seconds; every other switch relays it, and this steady flow of BPDUs is how the switches keep checking that the topology is still loop-free. Next to it, Max Age (20 seconds) is how long a switch keeps a stored BPDU before it decides that path is dead, and Forward Delay (15 seconds) is the time a port spends in each of the listening and learning states.


Next comes the Bridge ID information, that is the information about Switch1 itself, the switch we are currently viewing from:

As you may notice it shows the priority 32769 and the MAC address of Switch1, and the same Hello Time, Max Age and Forward Delay timers.

You might notice that the first line of the Bridge ID reads as follows:

You will notice (priority 32768 sys-id-ext 1) in the picture above. You may remember we said before that the default priority on every switch is 32768. Cisco switches run a special flavour of Spanning Tree called Per-VLAN Spanning Tree (PVST), with one instance per VLAN, so the VLAN number is carried inside the priority field: the 16-bit field is split into the configurable priority (the high 4 bits, which is why the priority can only be a multiple of 4096) and a 12-bit system ID extension (sys-id-ext) that holds the VLAN ID. The number displayed is the sum of the two, so every switch in VLAN 1 shows 32768 + 1 = 32769, and in VLAN 10 the same switch would show 32778. All the switches are still equal in priority, so the MAC address is what decides the root bridge.

The following lines specify which port is the root port and which ports are blocked or designated:

You will find the following port status for Switch1:

Fa0/11 is the root port, its status is forwarding (FWD), and its cost to the root bridge is 19.

Fa0/12 is an alternate port, its status is blocking (BLK), and it also has cost 19 to the root bridge; it is the backup path that is kept down to prevent the loop.


So from the following picture you will find that the connection between Switch1 and Switch3 is blocked now. Port Fa0/12 on Switch1 is in the blocking state because, on that link, Switch1 and Switch3 both have the same cost (19) to the root, and Switch1 has the higher bridge ID (the higher MAC address, since the priorities are equal), so Switch3 gets the designated port and Switch1 blocks.

Switch2 became the root bridge because it has the smallest MAC address in the whole network. But what if we want Switch1 to be the root bridge rather than Switch2? That is what we will do in the following configuration.

First we access Switch2, where you will notice the following:

The highlighted line says "This bridge is the root". You will also notice that the MAC address of the Root ID is the same as the MAC address of the Bridge ID, and that all the ports are designated and forwarding, because the root bridge never blocks any of its ports.


Now configuring Switch1 to be the root bridge:

As you can see there is a variety of options under spanning-tree, but we will choose the vlan option.

In the following picture we specify VLAN 1, because we are modifying Spanning Tree for VLAN 1 and every switch on this network is in VLAN 1. Then we choose the root option to make this switch the root bridge, as follows:

As you see in the picture above, it asks whether you want this switch to be the primary root bridge or a secondary root bridge (a backup that takes over if the primary fails). As soon as I choose primary, the switch lowers its priority to the IEEE recommended value, 24576, or to 4096 below the current root if that root already has a lower priority than 24576; secondary sets 28672. Note that this is a one-time calculation made when you type the command: if somebody later connects a switch with a lower priority it will take over as root, which is why, on a production network, the ports where the root should never appear are additionally protected with root guard.


Let's check whether Switch1 has now become the root bridge:

You will notice that the priority decreased to 24577, which is below 32768, the default priority of the switch, and that this switch has become the root (the line "This bridge is the root"). Notice also that all its ports are forwarding except Fa0/12, which was blocked before and is now in learning mode; if I look at that port again after a while, once it has finished learning, we will find that it has changed to the forwarding state, as in the picture below.

Another way to make the switch the root bridge is to set its priority manually, as follows. As you can see, you can start the priority at 0, but it can only be set in increments of 4096 (0, 4096, 8192, ... 61440), because the low 12 bits of the field are reserved for the VLAN number, as the switch tells you below:
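The arithmetic behind sys-id-ext and the 4096 steps, as an added example that is not from the book: a few Python functions that encode a configured priority plus VLAN number into the value show spanning-tree displays, decode it back, and reproduce the priority that root primary picks. The 24576/28672 values and the "4096 below the current root" rule are Cisco's documented behaviour for spanning-tree vlan root primary/secondary; the function names are my own.

```python
"""Bridge priority with the extended system ID (IEEE 802.1t, as used by PVST+).

The 16-bit priority field of the bridge ID is split into a 4-bit
configurable priority (so only multiples of 4096 are legal, 0..61440)
and a 12-bit system ID extension that carries the VLAN number. What
`show spanning-tree` prints as "priority 32769 sys-id-ext 1" is the sum.
"""

PRIORITY_STEP = 4096
MAX_PRIORITY = 61440          # 15 * 4096
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576          # chosen by `spanning-tree vlan N root primary`
ROOT_SECONDARY = 28672        # chosen by `spanning-tree vlan N root secondary`


def valid_priority(priority: int) -> bool:
    """True if the switch would accept `priority` (multiple of 4096, in range)."""
    return 0 <= priority <= MAX_PRIORITY and priority % PRIORITY_STEP == 0


def bridge_priority(priority: int, vlan: int) -> int:
    """Priority value a switch advertises in its BPDUs for `vlan`."""
    if not valid_priority(priority):
        raise ValueError(f"priority must be 0..61440 in steps of 4096, got {priority}")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan}")
    return priority | vlan          # high 4 bits: priority, low 12 bits: VLAN id


def split_priority(shown: int) -> tuple:
    """Inverse: (configured priority, sys-id-ext) from the displayed value."""
    return shown & 0xF000, shown & 0x0FFF


def root_primary_priority(current_root_shown: int, vlan: int) -> int:
    """Priority that `root primary` picks, given the current root's displayed
    priority: 24576, or 4096 below the current root's configured priority when
    that is already lower than 24576 (Cisco's documented rule). If the current
    root sits exactly at 24576 the result is a tie and the lower MAC wins."""
    current, _ = split_priority(current_root_shown)
    wanted = ROOT_PRIMARY if current >= ROOT_PRIMARY else current - PRIORITY_STEP
    if wanted < 0:
        raise ValueError("current root already has priority 0; it cannot be undercut")
    return bridge_priority(wanted, vlan)


if __name__ == "__main__":
    for vlan in (1, 10, 20, 30):
        shown = bridge_priority(DEFAULT_PRIORITY, vlan)
        print(f"VLAN {vlan:>2}: default shows {shown}, root primary would show "
              f"{root_primary_priority(shown, vlan)}")
```

The check worth keeping from this: whenever show spanning-tree shows a priority you did not expect, split it with split_priority; the low 12 bits are the VLAN, and everything else is a value somebody configured.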


Now let's say we ping from PC1 to PC2, and while we are pinging we break the link between Switch1 and Switch3. The reason for doing this is to find out how long STP takes to discover that the main line is broken and to bring up the redundant link.

Pinging from PC1 to PC2 as follows:

While the ping is running, we disable the main link between Switch1 and Switch3: we access Switch1 and shut down port Fa0/12:


You will notice that the ping starts to give "Request timed out", as follows:

If we do show spanning-tree on Switch3, you will find that port Fa0/24, which was blocked, is now in listening mode:

After a while, if we do show spanning-tree again, you will find that port Fa0/24 has changed to learning mode:

After another while you will find that PC1 is able to ping PC2 again, as follows:

When you do this yourself you will notice that it takes about 30 to 50 seconds for STP to detect that a line is down and bring up the backup line. That period is far too long: remember that these days we run VoIP, airline ticketing and so on over the network, and even a 2-second outage drops phone calls and everything else. Imagine a production network that is down for 30 to 50 seconds; that is terrible.


Now let's say the line is fixed and back in service, so we enable Fa0/12 on Switch1 again and see what happens:

You will find that the network goes down again, as the following ping shows:

You will also find on Switch1 that Fa0/12 starts in listening mode again:

After a while the port changes from listening mode to learning mode:

After another while the port changes from learning mode to forwarding mode:

As we said before, this process takes 30 to 50 seconds, which is too long. This is the old version of STP; in the next section we will discuss the enhanced STP.


Enhancements to STP:

As with all network technology, STP has evolved and been enhanced over the years it has been in use.

In this section we will look at modern STP and some of the enhancements made to it.

We will discuss the following points:

The STP port transition process (why it takes so long for STP to make a port active).

Initial enhancement: PVST+ (Per-VLAN Spanning Tree), introduced by Cisco and used for optimizing your network.

Ultimate enhancement: RSTP (Rapid Spanning Tree Protocol).


Problem with Spanning Tree Protocol:

STP was created a long time ago, and here is the problem with it:

In its original form, a port has to pass through two intermediate states before it starts forwarding: first it listens, then it learns.

When you take a new switch out of the box and start connecting devices to it, you will find that the LED above the port stays amber (orange-red) for about 30 seconds.

For the first 15 seconds the port is in the listening state. In this state it sends and receives BPDUs and takes part in the root bridge and port role election, but it does not learn MAC addresses and does not forward any user traffic. The reason is that the device you just plugged in could be another switch, with a redundant connection this switch does not know about yet, which would cause a loop. So the switch waits 15 seconds, listening on that port for BPDUs from another switch. If the BPDUs it hears show that this port should be blocked, it goes back to blocking; if 15 seconds pass and the port is still the best one, it moves on to the next state, learning. (A port that shuts itself down the moment a BPDU arrives is the BPDU guard feature, which we will use later on PortFast ports; plain STP does not do that.)

In the learning state the port waits another 15 seconds, learning the MAC addresses of the devices connected to it while still not forwarding. 15 seconds is more than enough for a PC or a server to send a frame with its source MAC address and let the switch populate its CAM table.

So 30 seconds later the port is finally in the forwarding state and the LED turns from amber to green.

Remember the last scenario, when we shut down port Fa0/12 on Switch1 as if the link had gone down, and after a while STP let Switch3 enable port Fa0/24 so that traffic could flow again. Switch3 first has to be sure that the working link to Switch1 is really gone. When the failure is indirect (the port stays up but the BPDUs stop arriving, for example because a device in between died), Switch3 waits for the Max Age timer, 20 seconds, before moving its blocked port Fa0/24 into listening mode, then learning mode and finally forwarding mode, so in total the blocked port is active and forwarding after 50 seconds (20 s blocking/max age + 15 s listening + 15 s learning). When the port itself goes down, the max-age wait is skipped and convergence takes about 30 seconds, which is why you see anything from 30 to 50 seconds in practice.


Problem and Solution:

Spanning Tree delays cause a lot of problems in the network.

1. Problem with PCs: modern PCs can boot faster than the 30 seconds Spanning Tree needs to make the port forward. What is the relation between a fast PC and the Spanning Tree delay? The PC or laptop is ready and active after booting while the switch port is still not ready, and if that PC has no IP address after booting and is configured to get one automatically by sending a request to the DHCP server, that request will not reach the DHCP server, because the port is not active until the 30 seconds of waiting are over.

The solution: the solution for this issue is PORTFAST. This command makes the port skip the listening and learning states and go straight to forwarding when it comes up. It does not turn STP off on the port: the port still sends BPDUs and still reacts if it receives one, which is exactly what BPDU guard (see the security checklist) relies on. It is configured as follows:

As you can observe above, we access some of the interfaces of the switch and type the command spanning-tree portfast. After typing that command the switch gives you a warning message which says that PortFast should only be enabled on an interface connected to a single host (a single PC), because connecting a hub, switch, bridge, etc. to that port can cause temporary loops. It also says that the command will only have effect when the interface is in non-trunking mode.

2. Problem with uplink ports, the ports connected to other switches: here the problem is the 50 seconds of downtime it takes to change a blocked port into a forwarding port when the switch senses that the main link is down and needs to activate the redundant link, as we mentioned!!

The solution: the solution for this problem is the new version of Spanning Tree, named Rapid Spanning Tree.


Initial STP Enhancement: PVST+

Let's talk about the initial enhancement Cisco made to normal Spanning Tree. Plain PVST only worked over Cisco's own ISL trunks; PVST+ is the version that runs over standard 802.1Q trunks and can interoperate with other vendors' switches, which run a single 802.1D instance and see the per-VLAN trees as one common spanning tree. PVST+ is still Cisco-proprietary, but it is the default mode on Cisco Catalyst switches.

OK!! What Cisco's enhancement does to normal STP is let you run one instance of STP per VLAN, meaning each VLAN has its own spanning tree.

See the following picture for normal STP:

Let's say Switch1 becomes the root bridge. The link between Switch2 and Switch3 is disabled by STP, because Switch2 and Switch3 already reach the root bridge and leaving that link active would cause a loop. But if you think about it, you have just disabled a useful link in your network, one that could carry some of your traffic. That is where PVST comes in.

What PVST does is run a separate spanning-tree topology on each VLAN we create, meaning it allows a different root bridge per VLAN. Let's look at the following picture:

You will notice that Switch1 is the root bridge for VLAN 10 and Switch2 is the root bridge for VLAN 20.

When Switch1 was the root bridge, the link between Switch2 and Switch3 was down. With PVST it is down only for VLAN 10 and stays up for VLAN 20; in the same way, the link between Switch3 and Switch1 is down only for VLAN 20 and stays up for VLAN 10. Both links now carry traffic, each for the VLAN that uses it.
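A small simulation of the election, as an added example that is not the book's code: it applies the three steps from "How STP finds the best path" (root bridge, root port, designated port) to a constructed three-switch triangle like the one in the pictures, once for plain STP and once per VLAN as PVST+ does, and reports which port each switch blocks. Switch names, MAC addresses and port numbers are made up; the link cost is the 802.1D value of 19 for 100 Mbps, and the sys-id-ext is added to the priority exactly as show spanning-tree displays it.

```python
"""Simulate 802.1D root bridge election and port roles, one instance per VLAN.

Rules applied, in order:
  1. The lowest bridge ID (priority with sys-id-ext, then MAC) becomes the root.
  2. Every other switch takes as its root port the port with the lowest root
     path cost; ties break on lower sender bridge ID, then lower port number.
  3. On every link the end with the lower (root path cost, bridge ID, port)
     is the designated port; the other end is that switch's root port if it
     is one, and is blocked (an alternate port) otherwise.
"""
import heapq
from collections import defaultdict

COST_100M = 19   # 802.1D-1998 default path cost of a 100 Mbps link

# Constructed sample topology (not the book's lab): three switches in a
# triangle, all 100 Mbps links, all at the default priority 32768.
SWITCHES = {
    "Switch1": (32768, "aaaa.aaaa.aaaa"),
    "Switch2": (32768, "bbbb.bbbb.bbbb"),
    "Switch3": (32768, "cccc.cccc.cccc"),
}
LINKS = [
    ("Switch1", "Fa0/11", "Switch2", "Fa0/11", COST_100M),
    ("Switch1", "Fa0/12", "Switch3", "Fa0/12", COST_100M),
    ("Switch2", "Fa0/24", "Switch3", "Fa0/24", COST_100M),
]


def bridge_id(priority, mac):
    """Bridge ID as a comparable tuple; lower wins everywhere in STP."""
    return priority, int(mac.replace(".", ""), 16)


def port_num(port):
    """'Fa0/12' -> 12, the port-ID tie-breaker."""
    return int(port.rsplit("/", 1)[-1])


def stp_roles(switches, links, vlan=1):
    """switches: {name: (configured priority, mac)}; links: [(a, port_a, b, port_b, cost)].
    Returns (root, {switch: {port: 'root' | 'designated' | 'blocked'}})."""
    bid = {s: bridge_id(p + vlan, m) for s, (p, m) in switches.items()}   # sys-id-ext = VLAN
    root = min(bid, key=bid.get)

    nbrs = defaultdict(list)          # switch -> [(neighbour, its port, my port, cost)]
    for a, pa, b, pb, cost in links:
        nbrs[a].append((b, pb, pa, cost))
        nbrs[b].append((a, pa, pb, cost))

    # Dijkstra from the root; the key is the full STP tie-break order:
    # (root path cost, sender bridge ID, sender port, receiver port).
    best = {root: (0, bid[root], 0, 0)}
    root_port = {}
    heap = [(best[root], root)]
    while heap:
        key, sw = heapq.heappop(heap)
        if key != best[sw]:
            continue                  # stale heap entry
        for nbr, nbr_port, my_port, cost in nbrs[sw]:
            cand = (best[sw][0] + cost, bid[sw], port_num(my_port), port_num(nbr_port))
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                root_port[nbr] = nbr_port
                heapq.heappush(heap, (cand, nbr))

    roles = defaultdict(dict)
    for a, pa, b, pb, _ in links:
        ka = (best[a][0], bid[a], port_num(pa))
        kb = (best[b][0], bid[b], port_num(pb))
        des, des_port, other, other_port = (a, pa, b, pb) if ka < kb else (b, pb, a, pa)
        roles[des][des_port] = "designated"
        roles[other][other_port] = "root" if root_port.get(other) == other_port else "blocked"
    return root, dict(roles)


def pvst_roles(switches, links, per_vlan_priority):
    """PVST+: one election per VLAN. per_vlan_priority = {vlan: {switch: priority}};
    a switch not listed for a VLAN keeps the priority given in `switches`."""
    result = {}
    for vlan, prio in per_vlan_priority.items():
        sw = {s: (prio.get(s, p), m) for s, (p, m) in switches.items()}
        result[vlan] = stp_roles(sw, links, vlan)
    return result


if __name__ == "__main__":
    # Switch1 made root for VLAN 10, Switch2 for VLAN 20, as in the PVST picture.
    per_vlan = pvst_roles(SWITCHES, LINKS, {10: {"Switch1": 24576}, 20: {"Switch2": 24576}})
    for vlan, (root, roles) in per_vlan.items():
        print(f"VLAN {vlan}: root = {root}")
        for sw, ports in sorted(roles.items()):
            print(f"  {sw}: " + ", ".join(f"{p} {r}" for p, r in sorted(ports.items())))
```

With all priorities equal the simulation blocks Switch3's Fa0/24, the same answer the lab gave; with a different root per VLAN it blocks Fa0/24 for VLAN 10 and Switch3's Fa0/12 for VLAN 20, so each redundant link carries one VLAN. Plugging in your own switch list and MAC addresses is a quick way to predict what a priority change will do before you type it on a production switch.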


Let's see that on Switch1:

If you remember, in the previous section when we did the initial Spanning Tree configuration we saw the following:

Whenever we show the Spanning Tree information, it first shows the information for VLAN 1: which switch is the root bridge for this VLAN, its priority, its MAC address and so on. You have also noticed from the picture above that Switch1 is the root bridge, but then there is the --More-- prompt, which shows you the rest of the spanning-tree VLANs on that switch. This means PVST is working by default: there is one instance for every VLAN that exists on the switch.


If we page through the rest of the show command, you will find that VLAN 10 has its own STP instance and its own root bridge, which is not Switch1, the root bridge in VLAN 1. That is because, back in VLAN 1, we set the priority for VLAN 1 only, with the following command, which does not touch the other VLANs:

(config)#spanning-tree Vlan 1 priority 0

Paging further, you will find that VLAN 30 also has its own STP instance and its own root bridge.


So if you need all these VLANs to have a specific root bridge, say we want Switch1 to be the root bridge for all VLANs, we do the following:

The command above lets us specify a range of VLANs; if we have VLANs 10, 20 and 30 you may write them as 10,20,30 or as 10-30, whichever you prefer. So we choose them as follows:

In the picture above we have chosen Switch1 to be the primary root bridge for VLANs 1, 10, 20 and 30.

If we do the show spanning-tree command for VLAN 10, you will find that Switch1 is the root bridge, as follows:


The same goes for VLAN 20: you will find that Switch1 is the root bridge, as follows, and so on for all the VLANs:

Problem with PVST+

PVST+ has certainly solved some of the problems of normal STP: a link that is redundant for one VLAN is used by another VLAN, and each VLAN has its own root bridge. But if a link goes down, every VLAN that relies on that link to reach its root bridge still suffers the 30 to 50 seconds of outage until the redundant link starts working. So the industry developed the new spanning tree, named Rapid STP.


Rapid STP:

It is a newer standard, IEEE 802.1w, commonly called Rapid STP (RSTP): an enhanced version of Spanning Tree that is much more proactive than the previous version. Let me describe the word PROACTIVE. Normal STP finds its active links to the root bridge, blocks the rest of the links that are not used, and essentially forgets about those blocked links; so when an active link fails, STP goes through the whole discovery of a backup path to the root bridge all over again, which takes up to 50 seconds as we mentioned before.

Rapid STP knows the primary active ports and remembers the backup ports too. In the following picture, normal STP knows the active links between Sw1 and Sw3 and between Sw1 and Sw2, blocks the link between Switch2 and Switch3, and forgets about it. When one of the main links goes down it starts rediscovering all over again, checking the network for another path to the root bridge, which takes up to 50 seconds as mentioned above, and finally it turns the blocked link into an active link until the main link comes back up.

The difference in Rapid STP is that it remembers the blocked link between Switch2 and Switch3 as a known alternate path instead of forgetting it, so when one of the main links falls down it already knows which link should work as the backup and turns it on right away. RSTP also replaces the timer-driven listening and learning with an explicit proposal/agreement handshake between neighbouring switches on point-to-point full-duplex links, which is what makes the change-over take well under a second instead of tens of seconds.

The main point to know when turning on Rapid STP is that all the switches in the network should support it. On a port where RSTP sees 802.1D BPDUs from an older switch it falls back to legacy STP behaviour and timers for that port, so a single old switch slows down convergence for every path that runs through it; we will discuss why later!!


HOW RSTP Improves Performance:

The port roles in RSTP are the same as in normal STP, with the difference that the blocked port is split into an alternate port and a backup port, as follows:

• Root Port: used to reach the root bridge.

• Designated Port: the forwarding port, one per link.

• Alternate Port: instead of a blocked port as in normal STP, RSTP sees that port as an alternate port, a backup path to the root bridge that is ready to take over immediately.

• Backup Port: a second port of the same switch onto the same segment (for example through a hub); it backs up the designated port rather than the path to the root. RSTP also simplifies the port states: blocking and listening are merged into a single discarding state.


Notice, something COOL (bonus info not in CCNA but in CCNP, though it will help)!!:

We will work on the following network diagram, where Switch1 acts as the root bridge:

Starting with Switch1, as follows we configure Rapid STP on Switch1:

You will notice that there are three modes for Spanning Tree: pvst, the default, which runs one STP instance per VLAN on the switch; rapid-pvst, which is the combination of per-VLAN and Rapid STP; and mst, Multiple Spanning Tree (IEEE 802.1s), which maps groups of VLANs onto a small number of RSTP instances so that the switch does not have to run one instance for every VLAN. (mst is not the old single-instance STP; a Catalyst switch has no mode that runs one plain 802.1D tree for all VLANs.)


Note: for Rapid STP to work in our network we have to enable this feature on all the switches present.

We configure Switch2 and Switch3 for RSTP as follows:

If we check the type of Spanning Tree running on Switch1, for example, you will find that it is running RSTP (shown as protocol rstp, highlighted below in the picture) and that Switch1 is the root bridge. The concepts of STP are still the same here too:


If we check the port status on Switch3, for example, we will find in the Role column that port Fa0/24 is Altn (alternate) and its status is BLK; once one of the main links goes down the alternate port turns into the root port:

Now let's say we ping from PC1 to PC2, and while pinging we break the link between Switch1 and Switch3, to find out how long RSTP takes to discover that the main line is broken and bring up the redundant link.

Before pinging, to let RSTP take effect quickly, we should specify which ports are connected to hosts or routers and configure those ports as PortFast (RSTP treats them as edge ports). If we don't, RSTP cannot be sure those ports do not lead to another switch, so on a topology change it handles them like normal ports and takes them through the listening and learning states, 30 seconds, when the main link goes down, which slows down the whole RSTP process.


So we access Switch3 and configure port Fa0/8 as PortFast; you can see the warning message we explained before.

Configuring Fa0/4 as PortFast:

Accessing Switch2 and configuring port Fa0/8 in PortFast mode:

Now pinging from PC1 to PC2 as follows:

While pinging, we disable the main link between Switch1 and Switch3: we access Switch1 and shut down port Fa0/12:

You will notice that the ping keeps going and there was no failure, as the following picture shows. You will also notice that the ping time is 1 millisecond at the moment we shut down the port on Switch1, and after a while it drops back to less than 1 millisecond:


Troubleshooting and Security Best Practice:

Troubleshooting a Switch Network:

1. Get familiar with the network.

2. Absolutely have an accurate network diagram.

3. Work logically from the bottom up (OSI layers: cable first, then the link, then IP).

Common Troubleshooting Issues:

Port Issues:

• Check cabling issues.

• Verify speed and duplex auto-negotiation. A duplex mismatch is sneaky because the link comes up and mostly works; the half-duplex side shows late collisions and the full-duplex side shows CRC errors and runts.

• Check that the VLAN assigned to the host has not been deleted. The best indicator is the port LED on the switch, which turns amber (orange-red); show interfaces status also lists such a port as inactive.

Spanning Tree Issues:

• Grab your network diagram and solve the immediate issue (disconnect the redundant links).

• Ensure all links are reflected in the network diagram, meaning you should have the latest updated diagram.

• The default STP timers (hello 2 s, max age 20 s, forward delay 15 s) are calculated for a network diameter of seven switches. If you chain more switches than that, as between Switch7 and Switch8 below, a BPDU can age out before it has crossed the network; switches stop hearing from the root, start unblocking ports on their own, and chaos happens. Either redesign so that no two switches are more than seven hops apart, or tell STP the real diameter so that it recomputes the timers.

• Ensure root bridge selection is appropriate.

• Make sure all switches on the network are running RSTP (if possible; older switches don't support RSTP).


VLAN and Trunking Issues:

• Watch for native VLAN mismatches: the native VLAN on each end of a trunk between two switches must be the same VLAN number, otherwise there is a mismatch, untagged frames leak from one VLAN into the other, and the switch logs an error message like the following (it is CDP that detects it, as %CDP-4-NATIVE_VLAN_MISMATCH):

• Hard-code trunk ports to "on": configure the port connected to another switch as a trunk port and the port connected to a PC or router as an access port, and turn off DTP negotiation on the trunk. Don't leave ports in dynamic or auto mode, for both management and security reasons: a dynamic port lets anyone who plugs in a device that speaks DTP turn his own port into a trunk and reach every VLAN.

• Verify IP address assignments in a VLAN: make sure the VLAN's subnet is the same subnet that all the PCs in that VLAN are using.

• Use ping and traceroute to diagnose routing issues.

VTP Issues:

• Verify your trunks (VTP advertisements only travel over trunks).

• Verify the VTP information: the domain name, the password, the version number and the VTP mode (server, client or transparent).

• Last resort: to completely delete all VLAN information on the switch and start configuring the VLANs again, because you couldn't find exactly where the problem is, write the following command:

R0#delete flash:vlan.dat

What this command does is delete the file vlan.dat, which contains all the VLAN information (in VTP server and client mode the VLAN database lives in this file, not in the running-config), and then you should reboot the switch to clear the VLAN information. Before doing this on a switch in a VTP domain, remember that a server with a higher revision number will simply push the same VLANs back, and that connecting a switch carrying a higher revision number can wipe out the VLANs of the whole domain.


Switch Security Checklist:

• Physical security: if someone can get to your switch physically they can do a lot of damage very quick. For example, holding down the MODE button for about 10 seconds makes the switch erase its whole configuration and return to the factory default settings, so an intruder with a screwdriver gets a switch with no passwords; you can turn that feature off.

• Set passwords and logon banners: on the console port, on the VTY ports, and an enable secret.

• Disable the web server service. It is better to disable the web server, which is on by default, for security reasons, as it has had vulnerabilities. You can disable the web server and the secure web server as follows:

Sw1(config)#no ip http server

Sw1(config)#no ip http secure-server

• Limit remote access subnets (access list). We will talk about access lists in the next section, but what this means is: don't let people who don't belong there telnet or SSH to the switch, because if somebody can reach the switch's IP address they will just try passwords at random to break in. With an access list applied to the VTY lines you can say that only this IP address, or only this subnet, may connect to the switch.

• Use SSH whenever possible (Telnet sends the password in clear text, so anyone with a sniffer on the path reads it).

• Configure logging.

What this means is the log messages that appear on your console whenever you do an action or an interface goes up or down; the switch reports it to you, for example the following message when you move from one mode to another:

To keep a history of those log messages, we can assign a small amount of memory on the switch to save them in:

As you see in the picture above, we type logging and then choose buffered to set the buffer parameters.


In the picture below we choose the size, specified in bytes, to be allocated in the switch's memory for recording the logs; we allocate 64,000 bytes, or 64 KB, which is a decent amount for maybe 3 to 5 days of log history depending on the type of network:

If we do the show logging command, you will see everything that has been happening on the switch:

You will find the log history starting from "Log Buffer (64000 bytes)" to the end of the picture. Remember that this buffer is in RAM: it wraps around when it is full and is lost on a reboot, which is exactly when you most want it, so it is a convenience, not a record.


But that view of the history is rather hard to read, since you cannot take everything in by eye, so there is another way of viewing the logs: give the switch the IP address of one of the hosts connected to it and view the logs from your PC.

You can do that by downloading a free handy program that receives those log messages from the switch (this is syslog, carried over UDP port 514) and helps you view them clearly; you may download it from the following site: http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/

After installing the software and running it we find the main window of the program as follows:

By default this program accepts log messages from any network device that sends its logs to the IP of the host the program is running on. Bear in mind that plain syslog over UDP is neither authenticated nor encrypted, so anything on the path can read the messages, and anyone who can send packets to that host can inject fake log lines into your collector.

Let's do the following configuration on the switch in GNS3, which has IP 192.168.3.180, to make it send the logs to our PC at 192.168.3.13 (the logging 192.168.3.13 command):

You will observe that the final line in the above picture says "Logging to host 192.168.3.13 started - CLI initiated".


If we check back in our program to see whether it received the message, we find that the log messages were received successfully; the program also saves them on your local PC in the Logs folder under the main program folder:
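Once the logs leave the switch, the next thing you want is to parse them instead of reading them by eye. The following is an added example, not code from the book or from the Kiwi program: a small parser for the message format an IOS device sends to a syslog collector (PRI, optional sequence number and timestamp, then %FACILITY-SEVERITY-MNEMONIC and the text), run over a handful of constructed sample lines, plus a tiny UDP receiver you could point the switch at instead of Kiwi. It assumes the switch has service timestamps log datetime msec and service sequence-numbers configured (both fields are optional in the parser); the sample lines, the watch-list of mnemonics and the bind address/port are my own choices.

```python
from __future__ import annotations

import re
import socket
from dataclasses import dataclass
from typing import Optional

# Message shape an IOS device sends to a syslog host (UDP/514). Sequence number and
# timestamp appear only when "service sequence-numbers" / "service timestamps log"
# are configured, so both are optional here.
_CISCO_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # PRI = facility*8 + severity
    r"(?:(?P<seq>\d+):\s*)?"                                # optional sequence number
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d+\s[\d:.]+(?:\s[A-Z]+)?):\s*)?"  # optional datetime
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)

# Mnemonics worth seeing even when their severity is low: configuration changes and
# anyone re-pointing the logging destination (constructed watch-list for this example).
WATCHLIST = {"CONFIG_I", "LOGGINGHOST_STARTUP"}


@dataclass
class SyslogEvent:
    facility_code: int      # from PRI, e.g. 23 = local7 (the IOS default)
    severity: int           # 0 emergencies ... 7 debugging
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str           # e.g. SYS, LINK, SPANTREE
    mnemonic: str           # e.g. CONFIG_I
    text: str


def parse_cisco_syslog(line: str) -> Optional[SyslogEvent]:
    """Return the parsed event, or None if the line is not an IOS syslog message."""
    m = _CISCO_SYSLOG.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None                         # facility would be > 23: not a valid PRI
    severity = int(m.group("sev"))
    if pri % 8 != severity:                 # PRI and %FAC-SEV-MNEMONIC must agree
        return None
    return SyslogEvent(
        facility_code=pri // 8,
        severity=severity,
        seq=int(m.group("seq")) if m.group("seq") else None,
        timestamp=m.group("ts"),
        facility=m.group("facility"),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
    )


def alerts(lines, max_severity: int = 4) -> list[SyslogEvent]:
    """Events at warning (4) or worse, plus anything on the watch-list."""
    out = []
    for line in lines:
        ev = parse_cisco_syslog(line)
        if ev and (ev.severity <= max_severity or ev.mnemonic in WATCHLIST):
            out.append(ev)
    return out


def serve(bind_addr: str = "0.0.0.0", port: int = 514):
    """Minimal stand-in for the Kiwi daemon: print alerts as datagrams arrive.
    Port 514 needs root; use e.g. 5514 here and "logging host 192.168.3.13
    transport udp port 5514" on the switch if you would rather not."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            for ev in alerts([data.decode("utf-8", "replace")]):
                print(f"{src} %{ev.facility}-{ev.severity}-{ev.mnemonic}: {ev.text}")


# Constructed sample messages in the IOS format (not captured from the page's switch).
SAMPLE = [
    "<190>12: *Mar  1 00:05:10.123: %SYS-6-LOGGINGHOST_STARTUP: Logging to host 192.168.3.13 port 514 started - CLI initiated",
    "<189>13: *Mar  1 00:05:42.001: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.3.13)",
    "<187>14: *Mar  1 00:06:01.500: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down",
    "<186>15: *Mar  1 00:06:02.000: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/3 with BPDU Guard enabled. Disabling port.",
    "<188>16: *Mar  1 00:06:02.010: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/3, putting Fa0/3 in err-disable state",
    "<191>17: *Mar  1 00:06:05.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user): just noise",
    "this is not a syslog message at all",
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE):
        print(f"sev={ev.severity} %{ev.facility}-{ev.severity}-{ev.mnemonic}: {ev.text}")
```

The PRI cross-check matters because the collector trusts whatever arrives on the socket: a forged line whose PRI and mnemonic disagree is dropped instead of being filed as a switch message.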

Limit CDP reach (when possible). Disable the Cisco Discovery Protocol; there are two ways, either on the whole switch or on a specific interface. The reason for disabling CDP is that the switch sends CDP out of every interface it has every 60 seconds, and if someone runs a packet sniffer on one of the local PCs in the network they will learn the IOS version, the name of the switch, the IP address of the switch, and so on.

We said to limit CDP "when possible"; the reason I write "when possible" is that newer Cisco equipment such as IP phones needs CDP to operate properly, so on phone ports you leave it on and disable it on ports facing users and untrusted networks.

To disable CDP on the whole switch use the following command (no cdp run); afterwards nobody will be able to see the switch using CDP:

To disable CDP on a specific interface rather than on the whole switch (no cdp enable, in interface configuration mode):

Use BPDU guard on PortFast ports. You might remember that PortFast is supported only on nontrunking access ports, because these ports typically do not transmit or receive BPDUs. The most secure implementation of PortFast is to enable it only on ports that connect end stations to switches.

What BPDU guard does is prevent loops by moving a nontrunking port into the err-disabled state when a BPDU is received on that port. When the BPDU guard feature is enabled on the switch, spanning tree shuts down PortFast-configured interfaces that receive BPDUs, instead of putting them into the spanning tree blocking state.


In a valid configuration, PortFast-configured interfaces do not receive BPDUs. If a PortFast-configured interface receives a BPDU, an invalid configuration exists, such as the connection of an unauthorized device (or a rogue switch that could try to become the root bridge). The BPDU guard feature provides a secure response to invalid configurations because the administrator must manually put the interface back in service (shutdown, then no shutdown on the interface), unless errdisable recovery has been configured to bring it back automatically.

You may configure BPDU guard by accessing one of the interfaces of the switch and writing the following command, as in the following picture:

S3(config-if)#spanning-tree bpduguard enable

This command enables BPDU guard on a specific interface; it tells the switch "don't accept BPDUs on this interface, and if one arrives, shut the interface down".

Another scenario: if someone connects a hub to one of the interfaces of the switch, then another hub, and then back into the switch again, the switch's own BPDUs come back in through the hubs; BPDU guard will detect that and shut down both interfaces so that no loop forms on the network.


Understanding How PortFast BPDU Filtering Works

BPDU filtering allows you to avoid transmitting BPDUs on PortFast-enabled ports that are connected to an end system. When you enable PortFast on the switch, spanning tree places ports in the forwarding state immediately, instead of going through the listening, learning, and forwarding states. By default, spanning tree sends BPDUs from all ports regardless of whether PortFast is enabled.

S3(config-if)#spanning-tree bpdufilter enable

This command tells the interface to neither send nor receive BPDUs, and that is dangerous. The reason is that the port will ignore BPDUs coming in on it and will not shut itself down, so if someone builds a network like the picture above and BPDU filter is turned on, that will cause a loop in the network. Note that the interface-level command above is the dangerous form, because it switches spanning tree off on that port completely; the global spanning-tree portfast bpdufilter default command only stops sending BPDUs on PortFast ports and takes a port out of PortFast (and out of filtering) as soon as a BPDU is received on it.


VLSM (Variable Length Subnet Mask):

PLEASE CHECK THE SUBNETTING METHOD IN ICND1 BEFORE READING THIS SCENARIO.

VLSM means that you may change your subnet mask wherever you like on your network. Remember what subnetting is: it breaks one network into smaller networks. You may notice in the picture below, at its top right corner, that it says "Subnet this network by the 192.168.1.0/24 using the most efficient addressing possible". Whenever you see that line it means you will use VLSM, that is, a custom subnet mask on every segment of the network, sized to the number of hosts on that segment.

How to Start:

Step 1) Start with the largest subnet, meaning the segment that has the largest number of users in it.

Determine the number of clients and convert to binary

- In this example, the binary representation of 60 = 00111100

Step 2) Reserve the required bits in the subnet mask and find the increment value

- The binary value of 60 clients tells us that we need at least 6 host bits to satisfy this requirement (since you cannot write the number 60 in fewer than 6 bits: 111100). Always double-check that 2^n minus 2 (the network and broadcast addresses are not usable) is still at least the number of hosts: 6 bits give 62 usable addresses, which covers 60, but for 63 hosts you would need 7 bits even though 63 also fits in 6 bits as a number.

- Our original subnet mask is 255.255.255.0 (Class C subnet)

- The full binary representation of the subnet mask is as follows:

255.255.255.0 = 11111111.11111111.11111111.00000000


- We must ensure that 6 of the host bits (0) remain host bits (save the clients!) in order to satisfy the requirement. All other bits can become network bits:

New Mask = 11111111.11111111.11111111.11000000 (note the 6 host bits we have saved)

- If we convert the mask back to decimal, we now have the subnet mask that will be used on this network: 255.255.255.192

- Our increment bit is the last network bit, converted back to a decimal number:

New Mask = 11111111.11111111.11111111.1(1)000000, the bit in parentheses is your increment bit.

If you convert this bit to a decimal number, it becomes the number 64.

Step 3) Use the increment to find the network ranges

- Start with your given network address and add your increment to the subnetted octet:

192.168.1.0

192.168.1.64

We need only one network here because only one segment has 60 clients.

- You can now fill in your end ranges, the end being the last possible IP address before the next range starts:

192.168.1.0 – 192.168.1.63 (usable hosts 192.168.1.1 to 192.168.1.62; .63 is the broadcast)


Now that we have solved the first subnet we move on to the next one.

Step 1) Determine the number of clients and convert to binary

- In this example, the binary representation of 20 = 00010100

Step 2) Reserve the required bits in the subnet mask and find the increment value

- The binary value of 20 clients tells us that we need at least 5 host bits to satisfy this requirement (since you cannot write the number 20 in fewer than 5 bits: 10100); 5 bits give 30 usable addresses.

- Our original subnet mask is 255.255.255.0 (Class C subnet)

- The full binary representation of the subnet mask is as follows:

255.255.255.0 = 11111111.11111111.11111111.00000000

- We must ensure that 5 of the host bits (0) remain host bits (save the clients!) in order to satisfy the requirement. All other bits can become network bits:

New Mask = 11111111.11111111.11111111.11100000 (note the 5 host bits we have saved)

- If we convert the mask back to decimal, we now have the subnet mask that will be used on these networks: 255.255.255.224

- Our increment bit is the last network bit, converted back to a decimal number:

New Mask = 11111111.11111111.11111111.11(1)00000, the bit in parentheses is your increment bit.

If you convert this bit to a decimal number, it becomes the number 32.

Step 3) Use the increment to find the network ranges

- Start with your given network address and add your increment to the subnetted octet:

192.168.1.0 (cannot be used: already taken by the first, 60-host subnet)

192.168.1.32 (cannot be used either: it falls inside 192.168.1.0/26, which runs up to .63)

192.168.1.64

192.168.1.96

We need two networks because we have two segments with 20 clients each.

- You can now fill in your end ranges, the end being the last possible IP address before the next range starts:

192.168.1.64 – 192.168.1.95

192.168.1.96 – 192.168.1.127


The network will finally look like the following, with its subnet masks and IP ranges:

Now the FINAL STEP:

Look at the WAN links. How many users are there on a point-to-point WAN link? The answer is 2 (that's why it's called point-to-point): there will never be more than two devices on a point-to-point WAN link.

Step 1) Determine the number of clients and convert to binary

- In this example, the binary representation of 2 = 00000010

Step 2) Reserve the required bits in the subnet mask and find the increment value

- The binary value of 2 clients tells us that we need at least 2 host bits to satisfy this requirement (since you cannot write the number 2 in fewer than 2 bits: 10); 2 bits give exactly 2 usable addresses.

- Our original subnet mask is 255.255.255.0 (Class C subnet)

- The full binary representation of the subnet mask is as follows:

255.255.255.0 = 11111111.11111111.11111111.00000000

- We must ensure that 2 of the host bits (0) remain host bits (save the clients!) in order to satisfy the requirement. All other bits can become network bits:

New Mask = 11111111.11111111.11111111.11111100 (note the 2 host bits we have saved)

- If we convert the mask back to decimal, we now have the subnet mask that will be used on these networks: 255.255.255.252

- Our increment bit is the last network bit, converted back to a decimal number:

New Mask = 11111111.11111111.11111111.11111(1)00, the bit in parentheses is your increment bit.

If you convert this bit to a decimal number, it becomes the number 4.


Step 3) Use the increment to find the network ranges

- Start with the first address still free after the two /27 subnets (192.168.1.128) and add your increment to the subnetted octet:

192.168.1.128

192.168.1.132

192.168.1.136

We need three networks because we have three point-to-point links between routers.

- You can now fill in your end ranges, the end being the last possible IP address before the next range starts:

192.168.1.128 – 192.168.1.131

192.168.1.132 – 192.168.1.135

192.168.1.136 – 192.168.1.139

NOTES:

1. In the real world you have to leave some room for growth in the maximum number of users per subnet when designing your network with VLSM, because if your company hires new users and a subnet exceeds the maximum number of users allowed by your design, you will have to readdress the entire network.

2. In the real world VLSM is very commonly used on point-to-point WAN links, most of which use /30, while the local networks use /24. That leads to the big point: if you use VLSM you must run a classless routing protocol (RIP version 2, OSPF, EIGRP, IS-IS), because a classful protocol such as RIP version 1 does not carry the subnet mask in its updates.


Distance Vector VS Link State:

Types of Routing Protocols:

1. Distance Vector:

Easy to configure.

Not many features, and they are not fast to converge.

Routing protocols such as RIP and IGRP.

2. Link State:

Difficult to configure (more knowledge required).

Feature-rich (and faster to converge).

Routing protocols such as OSPF and IS-IS.

3. Hybrid:

The best of link state and distance vector: it is easy to configure like distance vector and has many features and the speed of link state. Cisco also describes it as an "advanced distance vector" protocol.

Proprietary to Cisco devices only.

Routing protocol: EIGRP.


Distance Vector Routing Protocol:

A distance vector (DV) routing protocol by default sends its entire routing table at fixed intervals. RIP, for example, sends the entire routing table every 30 seconds to the whole network, as a broadcast (RIP version 1) or as a multicast to 224.0.0.9 (RIP version 2), depending on the version you are using.

DV protocols have a looping issue; let's describe it with the following picture:

If we have the network above running RIP between the routers, you now know that the updates are sent every 30 seconds between them.

Here is the scenario. Router C sends its routing table to Router B, saying that it knows networks 192.168.1.0, 192.168.2.0, 192.168.3.0 and 192.168.4.0, so Router B updates its table with a way to reach 192.168.1.0 through Router C. Now the action: someone unplugs the cable of network 192.168.1.0 from Router C, so Router C loses its connection to 192.168.1.0, and unfortunately Router C sent its update to Router B only 2 seconds ago.

So Router C has 28 seconds left before its next update, in which it would inform everyone that 192.168.1.0 is down. But in the meantime Router B sends its own update, saying that it knows networks 192.168.1.0, 2.0, 3.0 and 4.0. When Router C receives that update it says "Great!! I have just lost my connection to 192.168.1.0, so I will point to you as my next hop for reaching 192.168.1.0".

28 seconds later Router C sends its update to the network, saying it has a new path to 192.168.1.0 through Router B that is 2 hops away: Router B had previously advertised 192.168.1.0 at 1 hop (1 hop means 1 router to pass through before reaching that network, which at the time was Router C itself), so Router C reasons "if Router B reaches 192.168.1.0 in 1 hop, I can reach it in 2 hops: Router B, then whatever router is behind it".

Router B receives that update and says "that's strange: I used to reach 192.168.1.0 in 1 hop, through Router C, and now Router C says that to reach 192.168.1.0 you have to go 2 hops through it. If it is 2 hops from Router C, then it is 3 hops from me (Router B)". Router B accepts the worse metric because Router C is its current next hop for that network, and an update from the next hop is always believed.

Now Router A receives that update from Router B, which says it reaches 192.168.1.0 in 3 hops, and Router A says "well that's strange, I used to reach 192.168.1.0 in 2 hops, because Router B was telling me it could reach 192.168.1.0 in 1 hop and Router B itself is 1 hop away, 2 in total; but now Router B says it needs 3 hops, so I will update my distance to 4 hops". And this goes on without limit, each router counting the hops up a little further on every exchange (this is known as counting to infinity); that is why DV protocols have a looping issue.


DV LOOP Prevention:

There are five loop prevention mechanisms built into RIP on Cisco routers; their purpose is to keep out the loop that happened in the last scenario. The five mechanisms are the following:

1. Maximum Distance:

RIP's maximum distance is 16 hops: once a network is announced as 16 hops away it is considered unreachable (dead), so the longest usable path is 15 hops. In our previous scenario the routers kept updating the table and the hop count went up without end; what maximum distance does is stop that count at 16, where the network is considered too far away and dead. That is also why RIP is only used in small networks: large networks can have paths more than 15 hops long.

2. Route Poisoning:

Route poisoning works together with maximum distance. What it does is: if a network goes down, the router advertises immediately that it is down. So if network 192.168.1.0 is unplugged from Router C, as in our previous example, Router C announces at once that 192.168.1.0 is down by "poisoning" that route, setting its hop count to 16, and sending that update to Router B. Router B receives it, finds that 192.168.1.0 is 16 hops away from Router C, which is too far, and considers that network dead!!

3. Triggered Updates:

If you remember, in our previous scenario the main reason the loop occurred is that the cable to network 192.168.1.0 on Router C was unplugged right after Router C had sent its update, 2 seconds earlier, so it had to wait 28 more seconds to tell everybody that 192.168.1.0 was down; the problem started when Router B told Router C in the meantime that it knew how to reach 192.168.1.0.

So triggered updates say: when a network physically connected to the router suddenly disappears, don't wait for the update timer; instead of waiting 28 seconds, immediately send an update to Router B saying that network 192.168.1.0 is poisoned.


4. Split Horizon:

What split horizon does is tell routers: do not send updates about a network back in the direction you learned that network from.

Explanation: split horizon is a rule that says "do not tell routers about routes that they told you about", so if Router C tells Router B that it knows network 192.168.1.0/24, Router B is banned from telling Router C that it knows 192.168.1.0, because of the split horizon rule. That is perfect, because it prevents the loop from ever starting: in our scenario Router C would never have heard the stale route from Router B. (A variation, split horizon with poison reverse, does mention the route back to Router C, but with a metric of 16.)

5. Hold-Down Timers:

This is a timer the router starts when it receives an update from another router saying that a network is down. While the timer is counting down, the router refuses to accept any new status about that network until the timer reaches 0; on Cisco routers the default for RIP is 180 seconds.

Explanation: when network 192.168.1.0 goes down, Router C sends an update to Router B that 192.168.1.0 is down; Router B receives that update and tells Router A that 192.168.1.0 is down, so both Router B and Router A start a hold-down timer (its length varies with the protocol you use) and say "I will not accept any more updates about that network until my timer reaches zero". The benefit of the hold-down timer shows with a flapping interface, that is, an interface that goes up and down many times, the reason being a bad cable, a bad connector or a bad NIC.

If there were no hold-down timer and you had an interface going up and down many times, Router C would send an update to Router B, which would pass it to Router A, that the network is up; then when the network went down Router C would send another update to Router B, which would send it to Router A, that the network is down, and so on, and that causes overhead on the processors of your routers.
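The counting-to-infinity scenario and the mechanisms above are easiest to believe when you watch the hop counts move. The following is an added example, not from the book: a constructed simulator of the page's three-router chain (A, B, C with 192.168.1.0/24 behind C) that exchanges one round of updates at a time. With nothing enabled it reproduces the count-up described in the scenario; with split horizon (the poison reverse variant), route poisoning and a triggered update it converges in two rounds. Hold-down and the RIP invalid/flush timers are not modelled, and the round structure and router names are my own simplification.

```python
"""Constructed RIP-style distance-vector simulator for the page's scenario:
three routers in a chain A - B - C with network 192.168.1.0/24 attached to C.
Not part of the original book; it models one exchange of updates per round
and ignores RIP's invalid/flush timers and hold-down."""

from __future__ import annotations

import copy

INFINITY = 16                       # RIP: 16 hops = unreachable
NET = "192.168.1.0/24"
NEIGHBORS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}


def initial_tables() -> dict[str, dict[str, tuple[int, str | None]]]:
    """dest -> (metric, next_hop); next_hop None = directly connected (metric 0)."""
    return {"A": {NET: (2, "B")}, "B": {NET: (1, "C")}, "C": {NET: (0, None)}}


def advertise(router, tables, to, split_horizon):
    """Build the update `router` sends to neighbour `to` from a snapshot of its table."""
    update = {}
    for dest, (metric, next_hop) in tables[router].items():
        if split_horizon and next_hop == to:
            # split horizon with poison reverse: never hand a route back to the
            # neighbour it came from, except as "unreachable"
            update[dest] = INFINITY
        else:
            update[dest] = metric
    return update


def process(router, frm, update, tables):
    """Bellman-Ford update rule as RIP applies it."""
    table = tables[router]
    for dest, advertised in update.items():
        metric = min(advertised + 1, INFINITY)
        current = table.get(dest)
        if current is None:
            if metric < INFINITY:           # don't install an unreachable route
                table[dest] = (metric, frm)
        elif current[1] == frm or metric < current[0]:
            # an update from the current next hop is always believed, even when
            # it is worse: that is exactly what lets the hop count climb
            table[dest] = (metric, frm)


def simulate(protected: bool, max_rounds: int = 40):
    """Unplug 192.168.1.0 from C and exchange updates until every router agrees the
    network is unreachable.  Returns (rounds, final metrics, metrics after each round).
    protected=True enables split horizon with poison reverse and route poisoning; the
    poisoned update in round 1 is the triggered update (sent at once, not 28 s later)."""
    tables = initial_tables()
    if protected:
        tables["C"][NET] = (INFINITY, None)   # route poisoning: keep it, at metric 16
    else:
        del tables["C"][NET]                  # plain removal: C simply forgets the route
    history = []
    metrics = {}
    for rnd in range(1, max_rounds + 1):
        snapshot = copy.deepcopy(tables)      # everyone sends what it knew at round start
        for router, nbrs in NEIGHBORS.items():
            for nbr in nbrs:
                process(nbr, router, advertise(router, snapshot, nbr, protected), tables)
        metrics = {r: t.get(NET, (INFINITY, None))[0] for r, t in tables.items()}
        history.append(metrics)
        if all(m >= INFINITY for m in metrics.values()):
            return rnd, metrics, history
    return max_rounds, metrics, history


if __name__ == "__main__":
    for protected in (False, True):
        rounds, final, hist = simulate(protected)
        print(f"protected={protected}: converged after {rounds} rounds; "
              f"C's metric per round: {[m['C'] for m in hist]}")
```

In the unprotected run C picks up B's stale route one round after the cut (the "Great!!" moment on the page), B then goes to 3, A to 4, and the metrics climb until maximum distance ends it at 16 after sixteen exchanges, which at RIP's 30-second interval is eight minutes of black-holed traffic. In the protected run nobody ever learns the stale route and every router holds the network at 16 after the second exchange.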


Link State Routing Protocols:

A link state (LS) routing protocol forms neighbor relationships (adjacencies) with specific routers, rather than blindly broadcasting or multicasting its whole routing table to whoever is listening, as a distance vector protocol does.

After the initial exchange of topology information, the routers send small, event-based updates, meaning they send an update only when a change has happened in the network; there is no need to send the whole routing table every 30 seconds as RIP does.

There are two LS protocols at this level:

o OSPF (Open Shortest Path First)

o IS-IS

Advantages of LS Routing:

1. Much faster to converge, meaning they can find where the problem is in the network and route around it much more quickly than DV protocols.

2. No routing loops (routers have a complete map of the network and compute paths from it instead of trusting a neighbor's hop count).

3. Forces you to design your network correctly.

Disadvantages of LS Routing:

1. Demand on router resources: they use more CPU and more memory because they are complex.

2. Require a solid network design.

3. Technical complexity.


OSPF Concepts:

Route Summarization:

Route summarization is all about making the routing table smaller, because the larger the routing table becomes the slower the router gets, so what we do to keep our router efficient is shrink its routing table. Let's look at the following diagram:

R1 has all of these networks in its table and knows how to reach them. Now, as every routing protocol does, Router1 sends its routes to R2 and R2 stores them in its routing table.

Here is the first issue: R2 has about 16 routes (from 192.168.0.0 to 192.168.15.0) in its routing table, and all of them go in the same direction, through Router1.

The second issue is that if one of those networks at R1 goes down, R1 has to update R2, R2 has to update the next router, and so on, so more bandwidth (and CPU) is consumed by that updating.

That is what route summarization is about: it summarizes all of those routes present in the routing table into fewer routes.

Example: the idea of summarization is to pick out the bits that are the same in all the routes and group them together. So, as follows, we have grouped the bits that are repeated in every network and drawn a red line that separates the bits that do not change across the whole set of routes from the bits that do change.

As you can see, the red line on the left separates the 20 bits that do not change across the whole routing table from the 12 bits on the right that do change, so Router1 will announce that it knows the network 192.168.0.0/20. The /20 is 255.255.240.0, which in binary is 11111111.11111111.11110000.00000000, so if we calculate the range it covers, it runs from 192.168.0.0 to 192.168.15.255.

So we have accomplished our goal: we have compressed all the networks at Router1 into one network and advertised that single network to Router2, and as we said before, smaller routing table = faster routers.

The second thing is that we have suppressed the updates: if one of the networks on R1, say 192.168.1.0/24, goes down, R1 no longer sends an update to R2 saying that network is down, because R2 does not know that a network 192.168.1.0/24 exists; it only knows the summary 192.168.0.0/20 that R1 advertised.

So here is the question: does R2 really need to know that 192.168.1.0 is down? Everyone will say yes, because if there is traffic for that network R2 has to know whether it is up, but that is not needed: when R2 sends the first packet to R1 for that network, R1 replies that the network is unreachable (an ICMP destination unreachable), and the summary keeps attracting that traffic to R1, which is the only place it could have gone anyway.

So R1 takes care of any packets coming in for the summarized range and replies back.
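The "red line" method above is a common-prefix computation, and the interesting question for a practitioner is what happens when the networks do not fill the summary exactly. The following is an added example, not from the book, that computes the summary by common leading bits as the page does, computes the exact minimal set of prefixes with ipaddress.collapse_addresses, and reports how much address space the single summary claims that R1 does not actually have. The sample network lists are constructed from the page's diagram; the "partial" list is my own variation.

```python
"""Added example (not from the book): compute a summary route the way the
page does, by keeping the leading bits that all the networks share, and
check how much address space the summary claims beyond what the router has."""

from __future__ import annotations

import ipaddress


def summary_by_common_bits(networks: list[str]) -> ipaddress.IPv4Network:
    """The page's 'red line' method: the summary keeps every leading bit that is
    identical across all the networks, and no more."""
    nets = [ipaddress.ip_network(n) for n in networks]
    first = int(nets[0].network_address)
    common = min(n.prefixlen for n in nets)          # can't keep more bits than the shortest mask
    for n in nets:
        differing = first ^ int(n.network_address)  # 1 bits where this network differs from the first
        while differing >> (32 - common):            # shorten until the top `common` bits agree
            common -= 1
    masked = first & ((0xFFFFFFFF << (32 - common)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(masked)}/{common}")


def exact_summary(networks: list[str]) -> list[ipaddress.IPv4Network]:
    """Smallest set of prefixes covering exactly the given networks and nothing else."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in networks))


def overclaimed_addresses(networks: list[str]) -> int:
    """Addresses the single summary advertises that none of the real networks contain.
    Traffic for them is drawn to the summarizing router and dropped there (on Cisco
    the router installs a discard route to Null0 for the summary so such packets are
    not forwarded on and cannot loop back over a default route)."""
    covered = sum(n.num_addresses for n in exact_summary(networks))
    return summary_by_common_bits(networks).num_addresses - covered


# The 16 networks from the page's diagram, and a constructed variation with only 12.
PAGE_NETWORKS = [f"192.168.{i}.0/24" for i in range(16)]     # 192.168.0.0 .. 192.168.15.0
PARTIAL = [f"192.168.{i}.0/24" for i in range(12)]           # 192.168.0.0 .. 192.168.11.0

if __name__ == "__main__":
    for label, nets in (("page", PAGE_NETWORKS), ("partial", PARTIAL)):
        print(label, summary_by_common_bits(nets),
              [str(n) for n in exact_summary(nets)],
              "overclaimed addresses:", overclaimed_addresses(nets))
```

With the page's 16 networks the two methods agree on 192.168.0.0/20 and nothing is overclaimed. With only 12 networks the common-bits summary is still /20 but now advertises four /24s the router does not own; the exact cover is 192.168.0.0/21 plus 192.168.8.0/22, which is the trade-off to weigh when you pick a summary: fewer routes against attracting traffic for space you cannot deliver to.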

OSPF Area Designs and Terms

An area in OSPF is a group of routers that all hold the same topology information. Here is an example: if you have a network that keeps growing, logically the routing tables on those routers grow as well and the processing on the routers becomes a burden, so what we can do is split our network into groups of routers, where each group has exactly the same topology information for its group; those groups of routers are called areas.

Let's use a comparison from real life. If you have a detailed map of Nasr City with its roads and you need to go to the mall, all you have to do is look at the map and find your way.

Ok!! Now you have another map, the map of Egypt, which shows the travel roads present in the country but makes it difficult to see the roads in detail. So which map will you choose? Obviously the detailed small map, because it focuses on a specific area of Cairo. That is the idea of an area in OSPF: once your network grows too big, every router in that network has to carry the whole map to route every packet coming in, which is like looking at the big map rather than the detailed one, and that slows the routers down; by breaking the network into areas it is much easier for the routers to process the packets.

Cisco recommends not having more than about 50 routers in an area.

Ok!! Now we know the concepts, let's talk about the routers. Routers inside an area hold the detailed topology (the "road map") only for the area they belong to; what they know about other areas is just the summary routes the border routers inject, not their topology. In the following picture, routers in Area0 know nothing about the topology of Area1 or Area2, only about Area0, to which they belong. The routers that sit between areas are known as Area Border Routers (ABRs); those should be powerful routers on your network, with a fast processor and more RAM, because they hold the topology map for two or more areas and route between them, and ABRs (together with the ASBRs described below) are the only routers that can summarize routes (as described before).

When you design those areas it has to be a hierarchical design, meaning you have to group similar subnets in the same area. For example, in Area1 we may have subnets within 192.168.1.0/24, and the ABR will summarize those networks and advertise to Area0 that Area1 is all about 192.168.1.0/24; the routers in Area0 don't need to know anything more about Area1 than that route (192.168.1.0/24). The same goes for Area2: all the networks present in Area2 are summarized into one subnet by the ABR.


If you don't design your network right, by subnetting and grouping the subnets correctly in each area, OSPF will be horrific, because the ABR will not be able to summarize the networks, there will be no point in dividing the areas, and the routers will burn more processing cycles.

So the whole reason we use multiple areas is to summarize, so when you set up OSPF you have to be careful while subnetting the network.

The other router in an OSPF network that does summarization is the Autonomous System Boundary Router (ASBR). This router is used to connect the OSPF network to a completely different routing system; it is not another area but a network running another routing protocol. For example, this router may connect the OSPF network to a RIP network or to the Internet, and so on.


RULES for OSPF:

o All areas must be connected to Area0.

o All routers in an area have the same topology table (the same road map).

Meaning all routers in the same area have the same topology table (or the same road map), but every router within the area has a different routing table. Let's explain with the following picture:

All routers in the same area have the same topology (the same road map), meaning if we have four routers in Area0, as in the picture above, Router (Giza) knows that it can reach Router (Maadi) directly and also knows that it has a backup path, in case the direct path goes down, passing through the (Shobra) and (Nozha) routers; that is what "the same topology table" means. But no router in Area0 knows the topology table of Area1 or Area2.

Every router within the area has a different routing table, meaning for Router (Giza) the best route to Router (Maadi) may be its direct connection, while for Router (Shobra) the best route to Router (Maadi) may pass through Router (Nozha), as that is much better than passing through Router (Giza).

So think about those two concepts as a real road map of Cairo in your hands: someone who lives in Shobra and needs to go to Giza takes a different route than someone who lives in El Nozha and needs to go to Giza; both have the road map and know how to reach Giza, but by different ways.

o Updates are localized within the area, meaning whenever something happens in Area0 everyone in Area0 should know about it, but other areas should not see that update.

o Requires hierarchical design: you must design your network right by subnetting the networks correctly and grouping similar subnets in an area.


Understanding OSPF Neighbor Relationships:

Unlike RIP, OSPF forms a direct relationship with the router it wants to talk to; it does not, like RIP, send a broadcast every 30 seconds to inform everybody on the network of its routing table.

In OSPF, routers that need to communicate with each other and exchange information use the Hello protocol (its technical name). Hello messages are sent on whatever interfaces you designate when you configure OSPF; they are sent once every 10 seconds on broadcast or point-to-point networks, and once every 30 seconds on NBMA (Non-Broadcast Multi-Access) networks such as Frame Relay.

The more often you send a Hello, the sooner you know whether your neighbor is down and the sooner the router can take action, so some administrators lower the 10-second hello interval to 2 seconds to make sure the other router is online.

When the sending router sends a Hello, the message contains the following:

Router ID: a 32-bit number written like an IP address that identifies the sending router (by default the highest loopback address, otherwise the highest active interface address, unless set explicitly with router-id).

Hello and dead intervals*: how often they say hello (10 seconds or less) and how long to wait without hearing a hello before the router believes the other side is down (by default four times the hello interval, 40 seconds).

Network mask*: advertises the subnet mask of the sender's interface.

Area ID*: advertises what area it belongs to.

The * above means that both routers that need to communicate must match on that field from both sides, or they will not become neighbors. For example, if the hello timer on one router is 1 second and on the other it is 3 seconds, the timers do not match and they will not communicate. Two more things carried in the Hello must also match: the area type (the stub flags) and the authentication type and key, if you have configured OSPF authentication, which you should on any link you do not fully control, so that nobody can plug in a rogue router and inject routes.


Configuring OSPF

The CCNA exam only tests you on what is called single-area OSPF, meaning only one area is run by OSPF at CCNA level. What we will do here is the single-area configuration and then the multi-area configuration, to feel the power of OSPF, but before starting multiple areas we will first explain single-area OSPF.

First, Area0 is the area surrounded by the blue line and Area1 is the area surrounded by the red line; we will assume that Area1 holds the subnets from 172.16.0.0/24 to 172.16.7.0/24.

First, accessing Router1, as follows:

As you might observe, when we configured the OSPF protocol we added a process ID. The process ID just identifies the OSPF process on this router; it is locally significant, so it does not have to be the same on all routers, but it is better to make it the same on all routers so that it is easy to remember. So we will choose process ID 1.

Next I need to add my network command. Remember that the network command in OSPF does two things: first, it selects which interfaces run OSPF (every interface whose address matches the statement), and second, it advertises the networks of those interfaces in the area you specify.


So, advertising the network 192.168.1.0, as follows:

You will notice that when we first tried to advertise the network it said "Incomplete command". The reason is that it needs wildcard bits. What are wildcard bits? A wildcard mask is a kind of match statement, meaning that if I need to advertise the Class C network 192.168.1.0 on Router1, I have to write the wildcard mask, and the wildcard mask is exactly the inverse of the subnet mask, so it will be 0.0.0.255 instead of 255.255.255.0. If you want a formula for converting a subnet mask to a wildcard mask: subtract the subnet mask from 255.255.255.255. So in our example:

255.255.255.255 – 255.255.255.0 = 0.0.0.255

Now, any time you see a 0 in your wildcard mask, match that position against the network address you typed; in technical terms a 0 bit means "look at this bit". A 255 in the wildcard mask means "I don't care". What the wildcard mask does when I type it is instruct the router to look for interfaces whose address starts with 192.168.1.x (where x is anything from 0 to 255), run OSPF on them, and advertise their networks:

192.168.1.0 (network)
  0.  0.  0.255 (wildcard)

The three octets facing a 0 in the wildcard (192, 168 and 1) must match the interface address exactly; the octet facing 255 may be anything. This is where I tell the router to run OSPF on the 192.168.1.x network.

To understand well what we are saying, let's take an example on Router2. If you notice, Router2 is connected to 4 different networks (192.168.1.2, 192.168.2.1, 192.168.10.1 and 192.168.20.1). When we were using the RIP protocol we had to write 4 command lines to advertise each of those networks, so imagine about 17 networks or more connected to a single router: you would have to write 17 different statements, one for each network to be advertised.

But in the OSPF protocol, when we use the wildcard mask it will be different, as following:

R2(config-router)#network 192.168.0.0 0.0.255.255

The above statement means that the router will run the OSPF routing protocol on all its interfaces that start with 192.168.x.x and advertise the networks on those interfaces.

Another example to show you the power of OSPF: let's say that on Router3 I need to run OSPF on one specific interface only, so that even if I add another interface in the future I can be sure that this interface is the only one running OSPF.

To do that on interface S0/0 I will write:

R3(config-router)#network 192.168.2.2 0.0.0.0

That means: run OSPF and advertise my routing table specifically on the interface that has IP 192.168.2.2 only.
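To make the wildcard matching concrete, here is an added Python example (it is not code from the book and not how IOS is implemented; IOS does this comparison internally) that computes a wildcard mask from a subnet mask and reproduces how the OSPF network command selects interfaces. The interface addresses are constructed from the routers in the text; the ISP-facing address on Router1 and the 172.30.x.x addresses on Router3 are assumptions.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Wildcard mask = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_matches(network: str, wildcard: str, address: str) -> bool:
    """A wildcard bit of 0 means 'look at this bit': it must be identical in the
    network statement and in the address.  A wildcard bit of 1 means 'I don't
    care', so that bit is ignored."""
    net = int(ipaddress.IPv4Address(network))
    wc = int(ipaddress.IPv4Address(wildcard))
    addr = int(ipaddress.IPv4Address(address))
    care = ~wc & 0xFFFFFFFF          # bits the router must look at
    return (net & care) == (addr & care)


def ospf_interfaces(network_statements, interface_ips):
    """Return the interface addresses on which OSPF would be enabled (and whose
    connected networks would be advertised) by a list of (network, wildcard)
    pairs, the way the OSPF 'network' command selects interfaces."""
    return [
        ip for ip in interface_ips
        if any(wildcard_matches(net, wc, ip) for net, wc in network_statements)
    ]


# Constructed interface addresses matching the routers described in the text.
ROUTER1_IPS = ["192.168.1.1", "203.0.113.2"]   # LAN plus an assumed ISP-facing address
ROUTER2_IPS = ["192.168.1.2", "192.168.2.1", "192.168.10.1", "192.168.20.1"]
ROUTER3_IPS = ["192.168.2.2", "172.30.1.1", "172.30.2.1"]   # 172.30.x.x addresses assumed

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.255.0"))                           # 0.0.0.255
    print(ospf_interfaces([("192.168.1.0", "0.0.0.255")], ROUTER1_IPS))    # ['192.168.1.1']
    print(ospf_interfaces([("192.168.0.0", "0.0.255.255")], ROUTER2_IPS))  # all four addresses
    print(ospf_interfaces([("192.168.2.2", "0.0.0.0")], ROUTER3_IPS))      # ['192.168.2.2']
```

The three calls at the bottom correspond to the three network statements in the text: the /24 on Router1, the 192.168.0.0 0.0.255.255 shortcut on Router2, and the exact-interface form 192.168.2.2 0.0.0.0 on Router3.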


Back to Router1, continuing the configuration:

So now we are running OSPF on interface 192.168.1.1 in Area 0. Don't think that by typing the above command we are advertising the network 192.168.1.1; no, we are advertising the network that belongs to that interface, which is 192.168.1.0/24.

We will do the following command, sh ip protocols:

This command shows us which routing protocol is running on the router. As you might see, OSPF is the routing protocol, the Router ID is 192.168.1.1 (that is the name of the router; we will explain later what the Router ID is), and you will observe that the number of areas in this router is 1.

You will also find the routing for networks, where this router is routing the network 192.168.1.1 0.0.0.0 in Area 0.

Now I use the following command to check whether I have a neighbor (of course you wouldn't find any neighbor at the moment, because none of the other routers in the network is configured to run the OSPF protocol yet).


Now accessing Router2 and configuring it with the OSPF protocol:

You will observe in the upper picture that we enabled OSPF on the interfaces matching 192.168.0.0 0.0.255.255. If you notice, Router2 is connected to 4 different networks (192.168.1.2, 192.168.2.1, 192.168.10.1 and 192.168.20.1), so all of them start with 192.168.x.x.

If we do the following command:

You will notice that the Router ID is the IP address of the router, 192.168.20.1, and the network that I am advertising is 192.168.0.0 0.0.255.255, or 192.168.0.0/16.

If I do the show neighbor command on Router2:

You will find that Router2 has formed a neighbor relationship with Router1, where the Neighbor ID for Router1 is 192.168.1.1; Router2 connects to Router1 on IP address 192.168.1.1 and communicates with Router1 through the local interface FE0/0 on Router2.

If we do the neighbor command on Router1:

You will find that Router1 has formed a neighbor relationship with Router2, where the Neighbor ID (name of the router) for Router2 is 192.168.20.1; Router1 connects to Router2 through IP address 192.168.1.2 and communicates with Router2 through the local interface E0/0 on Router1.


If we do the following command:

You will notice that the router has learned the remote networks on Router2 by the OSPF protocol; as you might observe from the above picture, Router1 has learned the networks 192.168.10.0/24, 192.168.20.0/24 and 192.168.2.0/24.

You will notice that the default static route marked S* at Router1 is not known by any of the other routers in the whole network: if we check at Router2, as following, you will find it has no information about that route, and so none of the other routers can reach the Internet.

So what we will do is make Router1 advertise the default network it has, by using the following command:

What this command says is "any default information you have, send it through OSPF to the other routers".


So when I go back to Router2 and check whether it has learned the default route of Router1:

You will find that it has learned the default route of Router1 by the OSPF protocol.

Now configuring Router3:

First we will enable the OSPF routing protocol, and then we will show the interfaces of that router. You will find that it has two groups of networks (192.168.0.0 and 172.30.0.0). On this router we will configure AREA0 for OSPF for the network 192.168.0.0, and after that we will configure AREA1 for the networks 172.30.0.0 (this Multi Area configuration is not present in CCNA but in CCNP, but it will show you the power of OSPF routing).

Configuring network 192.168.0.0 for OSPF advertising on Router3:

Let's check for the neighbor relationship with the other routers:


Let’s check our IP Routing Table:


Notice, something COOL (bonus info not present in CCNA but in CCNP, but it will help)!!:

Now we will add Area1 on Router3, but before that we have to summarize the networks 172.30.x.x:

We have 8 subnet networks starting from 172.30.0.0 to 172.30.7.0.

When we convert them to binary, we focus on the third octet:

So the network summarization will be 172.30.0.0/21, or with subnet mask 255.255.248.0. Now what will the wildcard mask be? We get it by using the formula we gave before: 255.255.255.255 – 255.255.248.0 = 0.0.7.255

So the wildcard mask is 0.0.7.255, which I can use to run OSPF only on the interfaces starting with 172.30.0.0 to 172.30.7.0.

By typing the following command I have configured those interfaces to be in Area1, and I have just made that router an ABR (Area Border Router), that is, a router routing between two separate areas.
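The summarization above can be done by hand on the third octet, but the same rule (keep the leading bits that all the networks share) works for any set of prefixes. The following Python is an added example, not the book's or Cisco's code; it shows the binary third octets the text refers to, finds the summary prefix, and derives the subnet mask and wildcard mask from it. The list of Area1 networks is constructed from the text.

```python
import ipaddress


def third_octet_binary(prefixes):
    """The third octet of each network in binary, the octet the text focuses on."""
    return [format(int(p.split(".")[2]), "08b") for p in prefixes]


def summarize(prefixes):
    """Smallest single prefix that covers every network in `prefixes`: keep the
    leading bits that the lowest and the highest covered address have in common."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    low = int(min(n.network_address for n in nets))
    high = int(max(n.broadcast_address for n in nets))
    length = 32
    # shorten the prefix until low and high agree on every remaining bit
    while length > 0 and (low >> (32 - length)) != (high >> (32 - length)):
        length -= 1
    return str(ipaddress.IPv4Network((low, length), strict=False))


def mask_and_wildcard(length):
    """Subnet mask and wildcard mask (255.255.255.255 minus the mask) for a prefix length."""
    mask = int(ipaddress.IPv4Network((0, length)).netmask)
    return (str(ipaddress.IPv4Address(mask)),
            str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF)))


# Constructed from the text: the eight Area1 networks 172.30.0.0/24 .. 172.30.7.0/24
AREA1_NETWORKS = [f"172.30.{i}.0/24" for i in range(8)]

if __name__ == "__main__":
    for p, bits in zip(AREA1_NETWORKS, third_octet_binary(AREA1_NETWORKS)):
        print(p, bits)                      # 00000000 .. 00000111: five leading bits in common
    summary = summarize(AREA1_NETWORKS)     # 172.30.0.0/21
    print(summary, mask_and_wildcard(21))   # ('255.255.248.0', '0.0.7.255')
```

The helper also shows why a range that is not aligned on a power of two needs a shorter summary: 172.30.1.0 to 172.30.8.0 (the loopbacks used in the EIGRP part later) can only be covered by 172.30.0.0/20, which claims eight networks that do not exist.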


Let's check the following routing protocol output:

You will find that Router3 is routing for the networks 172.30.0.0 in Area1 and 192.168.0.0 in Area0.

Now if we go back to Router2 you will find the following routes added to the table:

You will find that Router2 has learned all the networks in Area1, where IA means Inter-Area. But why didn't it learn the summary of all the networks on Router3 instead of learning them all one by one? Well, that is because we haven't done a specific command on Router3 that tells it to summarize all the networks it has, so let's do the following command on Router3.


Accessing Router3, with OSPF process ID 1:

Now typing the command for summarizing the whole network:

Now if we go back to Router2 you will find that all the routes from Router3 are summarized into one route, as shown in the table:


Understanding the Router ID:

The OSPF Router ID:

Identifies the router to its OSPF neighbors.

By default, it is the highest IP address on a physical interface at startup, as following:

If you have this router with those interfaces configured with those IP addresses, when you enable the OSPF process the highest physical interface address will be the Router ID, so in that picture the Router ID will be 210.62.58.1.

Loopback interfaces beat physical interfaces (a loopback interface is a virtual interface you can create on the router, and the router will assume that this interface is connected to a PC).

To create a loopback interface and assign it an IP address, do the following:


The router-id command beats all.

OK, let's see the router-id command in the following:

As you might see, we applied a change of the Router ID to 3.3.3.3, and in order for that to take effect it says to reboot the router or use the command clear ip ospf process, as following:

After that, the process takes down the connections with the neighbors and brings them up again, and it will show you the following message:

If I check the Router ID of Router3 now from Router2, we will see that it has been changed:


Troubleshooting OSPF:

90% of your OSPF troubleshooting is focused around routes that are not showing up because neighbors are not forming, so the best thing you can do is the show command "show ip ospf neighbor": obviously, if you are not seeing the routes you are not seeing the neighbors. So you will investigate mainly the following criteria:

Hello and Dead timers *: how often they say Hello (10 seconds or less) and how many Hello messages can be missed until the router believes that the other side is down.

Network mask *: advertises the subnet mask of the sender's interface.

Area ID *: advertises which area it belongs to.

Authentication passwords *: if you are protecting your OSPF network, the authentication passwords must match on all routers running OSPF for them to be able to communicate.

The sign * above means that both routers that need to communicate with each other must match that criterion on both sides, or they will not communicate. For example, if the Hello timer on one router is 1 second and on the other router is 3 seconds, then the timers don't match and they will not communicate.
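The four criteria marked with * are exactly what a pre-flight check on a link should compare. Here is an added Python example (not from the book; the OspfInterface fields are a constructed model of the Hello parameters, not an IOS data structure) that takes the settings of both ends of a link and lists every mismatch that would stop the adjacency, including the two addresses not being in the same subnet. The sample routers are taken from the text; the 1-second and 3-second Hello timers are the text's mismatch example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class OspfInterface:
    """Per-interface OSPF settings carried in the Hello packet (constructed model)."""
    router: str
    address: str
    mask: str
    area: int
    hello: int = 10        # IOS default on broadcast links, seconds
    dead: int = 40         # IOS default: four times the hello interval
    auth_key: str = ""     # empty string means no authentication configured


# The parameters that must agree on both ends of a link before routers become neighbors.
MUST_MATCH = ("mask", "area", "hello", "dead", "auth_key")


def adjacency_problems(a: OspfInterface, b: OspfInterface) -> list:
    """Return the names of the Hello parameters that differ between the two ends
    of a link; an empty list means the two routers can become neighbors."""
    problems = [field for field in MUST_MATCH if getattr(a, field) != getattr(b, field)]
    # Even with matching masks the two addresses must sit in the same subnet.
    net_a = ipaddress.IPv4Interface(f"{a.address}/{a.mask}").network
    net_b = ipaddress.IPv4Interface(f"{b.address}/{b.mask}").network
    if net_a != net_b:
        problems.append("subnet")
    return problems


# Constructed from the text: Router1 and Router2 on the 192.168.1.0/24 LAN in Area 0.
ROUTER1_FE = OspfInterface("Router1", "192.168.1.1", "255.255.255.0", area=0)
ROUTER2_FE = OspfInterface("Router2", "192.168.1.2", "255.255.255.0", area=0)

if __name__ == "__main__":
    print(adjacency_problems(ROUTER1_FE, ROUTER2_FE))                  # []
    fast = OspfInterface("Router1", "192.168.1.1", "255.255.255.0", 0, hello=1)
    slow = OspfInterface("Router2", "192.168.1.2", "255.255.255.0", 0, hello=3)
    print(adjacency_problems(fast, slow))                              # ['hello']
```

One caveat from the OSPF standard: the network mask in the Hello is only compared on broadcast, NBMA and point-to-multipoint networks, so on a true point-to-point serial link a mask mismatch alone does not stop the adjacency; the timers, area and authentication are checked everywhere.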


EIGRP Concepts

Why would you choose to use EIGRP?

1. Backup routes. EIGRP is the only routing protocol in the world that allows backup routes!! Let's take OSPF or RIP as an example: they first search for the best route to reach the destination, add it to the routing table and forget about all the other paths that reach the same destination, so if the primary link goes down OSPF or RIP has to re-discover another route to the destination, find the best route and add it to the routing table.

In EIGRP the backup routes are stored in something called the Topology Table (described later), so at the beginning EIGRP discovers the whole network for all paths leading to the destination it wants to reach; after that it chooses the best route as the main link and adds it to the routing table, and the other paths that lead to the same destination are added to the Topology Table as backup routes. So once the main link in use goes down, it checks the best backup path it has in the Topology Table and puts it in the routing table to be functional.

2. Simple configuration: easy to configure, and it does all the features of OSPF.

3. Flexibility in summarization. If you remember, back in OSPF the only place where you can do summarization is at the ABR (Area Border Router), but in EIGRP there is no concept of areas, so you can summarize whenever and wherever you want.

4. Unequal cost load balancing. Every routing protocol, even static routing, allows you to do equal-cost load balancing, but EIGRP can actually analyze the network and the paths it has, and if it finds two paths to the same destination we can make EIGRP, with a single command, use both lines for load balancing, even if those two lines have unequal speeds, with the unequal load balancing feature.

From the picture you will notice that Router1 has two serial lines, where one of the lines has the speed 1.544 Mbps and the other has half the speed, 768 Kbps. What EIGRP does is unequally load balance those two lines, where it may send one packet on the 768 Kbps line and two packets on the T1 line according to their speed. Most other routing protocols don't do that: all they do is send one packet on the T1 line and one packet on the other line, which reduces the T1 line to the speed of the other line, 768 Kbps, because it is sending the same quantity of packets on the T1 line as on the other line.

5. Combines the best of Distance Vector and Link State.

6. Supports multiple network protocols: it does support old protocols like IPX/SPX, but nowadays we support just TCP/IP, and new routers with the newer IOS don't have this feature anymore.


How EIGRP Works:

EIGRP routers maintain three separate tables:

1. Neighbor table.

2. Topology table.

3. Routing table.

When you first start running the protocol, the neighbors discover each other; just like OSPF it sends the HELLO message for exchanging the routing table and for checking whether the other router is online or down, and once neighbors are formed they exchange their routing tables. Now, all the routes that are discovered are stored in the Topology Table, and this is EIGRP's road map of the network: it remembers all the best routes and all of the backup routes and stores them in the Topology Table. Let's take an example. As you might see from the picture, Router0 has two ways to reach the network 192.168.1.0. The best route for Router0 to reach that network is through Router2, and that path will be placed in the Topology Table and marked as the Successor, which is the primary route, and that route will then be moved to the Routing Table to be actively used by the router.

Router0 also notices that it can reach the network 192.168.1.0 through Router1 and then Router2, and EIGRP adds that backup route to the Topology Table, where it stays marked as the Feasible Successor. So if the main link goes down, EIGRP erases the main route that was used in the Routing Table and replaces it with the backup route (Feasible Successor) from the Topology Table.


Configuring EIGRP:

You will observe that there is something called an Autonomous System number. It is not like the Process ID in OSPF; there is a difference. In OSPF you may choose any Process ID on one router and assign another Process ID on another router; it doesn't matter whether all the routers on your network running OSPF have the same Process ID or not.

But in EIGRP it matters, meaning that all routers running EIGRP on my network, or in the whole company, must have the same Autonomous System number; otherwise EIGRP will say that this router is not in the same company I am in and will not exchange routing tables with it.

We will do our show command, as following:

You will find that we have two connections, one to the local network 192.168.1.1 and the other to the Internet, so I need to run EIGRP on my local network only, not toward the ISP.

So we will do the following command:

By doing that command we have enabled EIGRP to send the HELLO message out of all interfaces starting with 192.168.1.x.


Doing the same configuration on Router2:

You will notice that we used Autonomous System number 10, as on Router1; we also did the show command to review our networks and choose what we will advertise.

Of course we will advertise all 192.168.x.x networks using the EIGRP protocol with the help of the wildcard mask, as 192.168.0.0 0.0.255.255, and the final line indicates that a neighbor relationship is formed with 192.168.1.1 on the FE0/0 interface and it is UP.

Let's check our neighbor relationship from Router2:

You will find that a relationship is formed with Router1, with its IP address 192.168.1.1, on FE0/0.

The Uptime column indicates for how long this neighbor has been running.

The Hold (sec) column indicates for how long Router2 will believe that Router1 is up and running before declaring it dead. By default EIGRP sends a Hello every 5 seconds, so if the neighbor stops sending Hello messages, this hold timer counts down until it reaches zero, at which point the router looks for the backup route to enable instead; but if the neighbor sends a Hello message before the timer reaches zero, nothing happens, everything is OK and the hold timer resets itself to 15 seconds and starts counting down again until it hears another Hello message, and so on. In the picture below you will find many captures for checking the hold timer; please observe the Hold column.

You will observe that the timer is changing every time; the third time we show it, it reaches 10 seconds, and after that it resets to 14 seconds again because it has heard the Hello message from the other neighbor. That is why you should hopefully never see that timer below 10: if it does, it means you are missing Hello messages.

The SRTT column name refers to Source Round Trip Timer: it is a timer for how long it takes to reach the neighbor and come back, and that helps the router gauge how long it should wait before it expects the Hello message.

The H column is just a list of the neighbors in the order they were received; for example, if Router2 gets another neighbor it will have number one in that column after the number zero shown above, and so on.
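The Hold column behaviour described above (reset to the hold time on every Hello, count down between Hellos, neighbor dead at zero) is easy to reason about with a small simulation. This is an added Python example, not code from the book or from IOS; the Hello arrival times and observation times are constructed to reproduce the captures the text describes, and the 5-second Hello and 15-second hold are the defaults the text quotes.

```python
HELLO_INTERVAL = 5    # seconds; EIGRP default on LAN and fast serial links
HOLD_TIME = 15        # seconds; default is three times the hello interval


def hold_timer_trace(hello_times, observe_times, hold=HOLD_TIME):
    """Value the Hold column of 'show ip eigrp neighbors' would show at each
    observation instant, given the instants at which Hellos arrived.  The hold
    timer restarts at `hold` on every Hello and counts down; when it reaches
    zero the neighbor is declared dead, shown here as None."""
    trace = []
    for t in observe_times:
        received = [h for h in hello_times if h <= t]
        if not received:
            trace.append(None)            # never heard from this neighbor
            continue
        remaining = hold - (t - max(received))
        trace.append(remaining if remaining > 0 else None)
    return trace


def hello_was_missed(hold_value, hello=HELLO_INTERVAL, hold=HOLD_TIME):
    """With Hellos every 5 s and a 15 s hold, a healthy neighbor's Hold value
    never drops below hold - hello (10).  Anything lower means at least one
    Hello did not arrive, which is the first symptom worth alerting on."""
    return hold_value is None or hold_value < hold - hello


def missed_hellos_before_drop(hello=HELLO_INTERVAL, hold=HOLD_TIME):
    """How many consecutive Hellos can be lost before the adjacency is torn down."""
    return hold // hello


# Constructed timeline: Hellos arrive on schedule, observed at 1 s, 3 s, 6 s and 12 s.
HELLOS_ON_TIME = [0, 5, 10, 15]
OBSERVED = [1, 3, 6, 12]

if __name__ == "__main__":
    print(hold_timer_trace(HELLOS_ON_TIME, OBSERVED))        # [14, 12, 14, 13]
    print(hold_timer_trace([0], [12, 15, 20]))               # [3, None, None]: Hellos stopped
    print([hello_was_missed(v) for v in (14, 10, 8)])        # [False, False, True]
    print(missed_hellos_before_drop())                       # 3
```

The second call shows the failure mode the text warns about: after the last Hello at 0 s the value falls to 3 at 12 s and the neighbor is gone at 15 s, which is the moment the access-list example later in this chapter produces the "holding time expired" message.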

Doing the same configuration on Router3:

You will notice that we used Autonomous System number 10, as on Router1 and Router2.

We will advertise all 192.168.x.x networks using the EIGRP protocol with the help of the wildcard mask, as 192.168.0.0 0.0.255.255, and the final line indicates that a neighbor relationship is formed with 192.168.2.1 on the S0/0 interface and it is UP.

If we show the interfaces on that router, you will find that it is the router that has all those loopback interfaces on it, on a different network:

So, running EIGRP on those interfaces and advertising them to the rest of the network:

Let's check our neighbors from Router3 (now remember, neighbors means forming the relationship with the router beside me and exchanging routing tables with each other):


Now checking the routing table on Router3, as following:

You will notice that it has learned new routes from the other routers by the EIGRP protocol, marked with the letter D.

Let's check the routing table at Router2 (Auto Summary):

You will notice that the Auto Summarization feature is enabled by default and has summarized the entire range from 172.30.1.0 to 172.30.8.0 into one single summarized network, 172.30.0.0/16.


What EIGRP does is: any time you have a network that is advertised across a boundary into a network that is not the same major network, it auto-summarizes.

Example:

At Router0 you have a Class B network (172.30.0.0/24), and on the other interface it has a Class C network (192.168.1.0/24); there is also a Class C network between Router1 and Router2.

So when I advertise a discontiguous network (a network that is not the same class as the other network across the boundary, "across the router"), EIGRP does a little favor for me and auto-summarizes that network to 172.30.0.0/16 (the Class B default subnet) instead of 172.30.0.0/24.

The same goes for Router2, where it has two boundary networks: a Class A network (10.0.0.0/24) and, on the other interface, a Class C network (192.168.2.0/24).

So when I advertise a discontiguous network (a network that is not the same class as the other network across the boundary, "across the router"), EIGRP auto-summarizes that network to its default class subnet, 10.0.0.0/8 (the Class A default subnet), instead of 10.0.0.0/24.

But the disadvantage of the Auto Summary feature is that it wastes a whole range of networks. In the Class A example it auto-summarized to the default Class A network, which is too much for me; I don't need all of those subnets to be created, and the other routers in the network will believe that I know the whole range 10.0.0.0/8, which is not true, so the router will drop most of the packets coming in, because some of the networks in the range created by EIGRP do not exist.
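The classful-boundary rule above, and the over-claiming problem it causes, can be written down in a few lines. This is an added Python example (not from the book and not EIGRP's implementation) that decides what auto-summary would advertise for a prefix leaving a given interface, and then lists the destinations that a summary claims but no real subnet serves. The prefixes are the ones in the text's Router0 and Router2 examples; the sample destinations are constructed.

```python
import ipaddress


def classful_network(prefix: str) -> ipaddress.IPv4Network:
    """The classful (Class A /8, B /16, C /24) major network an address belongs to.
    Class D/E addresses are not handled; they are not routable unicast space."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    first = int(net.network_address) >> 24
    length = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{net.network_address}/{length}", strict=False)


def auto_summarized(advertised: str, out_interface: str) -> str:
    """What EIGRP auto-summary sends for `advertised` out of an interface whose
    address is in `out_interface`: crossing into a different major network is the
    boundary, and only the classful summary is advertised across it."""
    adv_class = classful_network(advertised)
    if adv_class == classful_network(out_interface):
        return advertised           # same major network: no boundary, no summary
    return str(adv_class)           # boundary crossed: classful summary only


def phantom_destinations(summary: str, real_prefixes, destinations):
    """Destinations the summary claims but no real subnet serves.  A remote
    router forwards them toward the summarizing router, which has nowhere to
    send them and drops them."""
    summ = ipaddress.IPv4Network(summary)
    real = [ipaddress.IPv4Network(p) for p in real_prefixes]
    return [d for d in destinations
            if ipaddress.IPv4Address(d) in summ
            and not any(ipaddress.IPv4Address(d) in r for r in real)]


if __name__ == "__main__":
    # Router0: Class B subnet leaving on a Class C interface
    print(auto_summarized("172.30.0.0/24", "192.168.1.0/24"))   # 172.30.0.0/16
    # Router2: Class A subnet leaving on a Class C interface
    print(auto_summarized("10.0.0.0/24", "192.168.2.0/24"))     # 10.0.0.0/8
    # Same major network on both sides: advertised as is
    print(auto_summarized("172.30.1.0/24", "172.30.9.0/24"))    # 172.30.1.0/24
    # Constructed destinations: only 10.0.0.0/24 really exists behind Router2
    print(phantom_destinations("10.0.0.0/8", ["10.0.0.0/24"], ["10.0.0.7", "10.200.1.1"]))
```

The last line prints `['10.200.1.1']`: the remote routers would happily send that packet toward Router2 because of the /8 it advertised, which is the waste the text describes and the reason to turn auto-summary off.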


So we will turn OFF that feature on all routers in the network, as following:

For Router1:

For Router2:

If we check our routing table on Router2, you will find that all the networks are advertised in detail, with no summarization:


Notice, something COOL (bonus info not present in CCNA but in CCNP, but it will help)!!:

As we observe in the picture above, Router2 has a detailed route for every 172.30.x.x network from Router3, and that is what we don't want, because we need to summarize all those networks into as few routes as possible, but at the same time we don't want EIGRP to auto-summarize them. So what we will do now is summarize those networks manually:

If you remember, before in OSPF we could summarize only on ABR routers, but in EIGRP we can summarize on any router, so we do it at Router3 on interface S0/0, because that is where we want to send the summary route out of. So we will do the following:

You might notice that we entered the subnet mask 255.255.248.0, because we calculated it before in OSPF for the networks 172.30.0.0 to 172.30.7.0 at Page 137.

After doing the above command, the following message should appear, indicating that the summary is changed with "new adjacency": it takes the neighbor down and then up again as a refresh.


Now checking the routing table at Router2:

You will find that we have summarized the network 172.30.0.0/21, and you will find that it has added the network 172.30.8.0/24 separately, because it wasn't in the range of the summary we made, so it is added on its own.

Going to Router3 to check the routing table, you will find the following notice:

Notice: the highlighted line says that the summary route we created is sending all the traffic matching the summary route to Null0 (it is a garbage place). That means any traffic the router gets that matches this summary route is automatically sent to the garbage, meaning it drops that traffic. So why does it do something like that?


Well, think about this: all of the routes at Router3 have a specific subnet mask, which was /24, so when we created the summary route 172.30.0.0/21 we created a specific range of IP addresses to be covered, which starts from 172.30.0.0 to 172.30.7.0 with subnet mask /21. Now here is the idea: if one of the networks in that range does not exist, for example the network 172.30.4.0, and a packet asks for that network, the router would look at its table and find that it does not exist, so it would ask the next routers beside it to search for that network, and they would say "I don't know how to reach that network" and keep searching the entire network for an IP network that doesn't really exist, which causes a slowdown in the whole network.

Rule no. 1 of Routing:

The rule we will mention now is for all routing protocols, and it says: if you have a more specific subnet mask (class-full network), the router will use that network.

So let's take an example at Router3, from the above picture: if Router3 gets a packet that needs to go to 172.30.3.50, Router3 looks at its routing table and says "I have found that network, it matches in my routing table, and I will forward that packet to the interface Loopback3". But before forwarding that packet it has searched its routing table and found another match for that IP, which is 172.30.0.0/21, and it may forward that packet to Null0.

So Router3 will say: "I will not use 172.30.0.0/21 because I have another route with a more specific subnet mask, which is the better route, which is 172.30.3.0/24, so I will use it and forward the packet to Loopback3."

So the following line will never be used as long as there is a more specific route. The only time the router actually uses this route to the garbage place is if one of those more specific routes doesn't exist, and that means the network doesn't exist.

So we have saved a broadcast and more processing on the router that would be used for searching for a network that does not exist.
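Rule no. 1 (longest match wins) together with the Null0 summary is the whole mechanism, and it can be checked with a small routing-table lookup. This is an added Python example, not the book's or IOS's code. The table is constructed from the text's Router3: the /21 summary to Null0 and a /24 per loopback, with 172.30.4.0/24 deliberately left out to play the "network that does not exist" of the text (the real router in the book has it); the 172.30.8.0/24 route shows a destination outside the summary.

```python
import ipaddress

# Constructed routing table for Router3 after the manual summary.
# (prefix, outgoing interface); 172.30.4.0/24 is intentionally absent.
ROUTER3_ROUTES = [
    ("172.30.0.0/21", "Null0"),        # the summary route IOS installs to drop unmatched traffic
    ("172.30.1.0/24", "Loopback1"),
    ("172.30.2.0/24", "Loopback2"),
    ("172.30.3.0/24", "Loopback3"),
    ("172.30.5.0/24", "Loopback5"),
    ("172.30.6.0/24", "Loopback6"),
    ("172.30.7.0/24", "Loopback7"),
    ("172.30.8.0/24", "Loopback8"),    # outside 172.30.0.0/21, advertised on its own
    ("192.168.2.0/24", "Serial0/0"),
]


def lookup(routing_table, destination):
    """Rule no. 1 of routing: of all routes whose prefix contains the
    destination, the one with the longest (most specific) mask wins.
    Returns the outgoing interface, or None when no route matches."""
    dest = ipaddress.IPv4Address(destination)
    best_net, best_iface = None, None
    for prefix, iface in routing_table:
        net = ipaddress.IPv4Network(prefix)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def is_dropped(routing_table, destination):
    """True when the only match is the Null0 summary: the packet is discarded
    locally instead of being passed around in search of a non-existent network."""
    return lookup(routing_table, destination) == "Null0"


if __name__ == "__main__":
    print(lookup(ROUTER3_ROUTES, "172.30.3.50"))    # Loopback3: /24 beats the /21 to Null0
    print(lookup(ROUTER3_ROUTES, "172.30.4.50"))    # Null0: only the summary matches
    print(lookup(ROUTER3_ROUTES, "172.30.8.20"))    # Loopback8: outside the summary range
    print(lookup(ROUTER3_ROUTES, "172.30.9.1"))     # None: no route at all
    print(is_dropped(ROUTER3_ROUTES, "172.30.4.50")) # True
```

Note that the lookup scans the whole table and keeps the longest prefix rather than stopping at the first match; a router's forwarding table does the same, which is why the order of the routes in the table does not matter, unlike the order of lines in an access list.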


Access-Lists:

An access list is a list of permit or deny statements, for example:

Permit 192.168.2.50, meaning grant access to the Internet for that IP.

Deny 192.168.1.0/24, meaning deny access to the Internet for that whole network.

Permit TCP port 80 for 200.1.1.1, meaning grant access for the IP 200.1.1.1 to access only the TCP protocol at port 80.

Permit all TCP traffic for 210.0.1.0/24, meaning grant access for the network 210.0.1.0/24 to access ALL ports under the TCP protocol.

What can access lists be used for:

• Access control, permitting and denying traffic in the inbound or outbound direction.

• NAT (Network Address Translation), we can specify which IP addresses are permitted to be translated using NAT and access the Internet.

• QoS (Quality of Service), we can specify which IP addresses will have more priority than other IP addresses and will be served first.


Using Access Lists for Security:

If you are using an access list for security, it is like hiring a guard for your router to stand on the interface. As soon as we give that guard a list, he is going to scan all of the traffic passing through that interface, whether it is traffic coming in (inbound) or going out (outbound) of that interface, depending on how we configure the direction that will be scanned on that interface.

Rules of the Access List:

1. The list that we give to the router is read from top to bottom and stops at the first match.

So for example we have that guard standing on the interface F0/0 with the access list you see in the picture above, and the first statement in the access list says "Deny 10.1.5.1". If we configured that guard to scan inbound traffic only, meaning the packets that come into the router, and one of the packets comes with IP address 10.1.5.10, the guard checks its access list from top to bottom and stops at the first match for that IP packet, whether it is a permit or a deny, and takes the action based on that.

So for example, assume that the third line in the access list above says Permit 10.0.0.0/8. If one of the packets has the IP address 10.1.5.12, the guard checks its access list and stops at the third line, which says permit access to any packet that starts with 10.x.x.x, and the packet passes. If another packet with IP address 10.1.5.1 comes to the interface, the guard checks its access list from top to bottom and finds a match that says Deny IP 10.1.5.1, and the router drops that packet, even though the third statement says pass any IP packet that starts with 10.x.x.x. So you see that the order in which you create the access list is very important.

2. An access list is applied to an interface in only one direction, either INBOUND or OUTBOUND.

3. Any access list you create has by default, as its last line, a rule which is DENY ALL, which denies every packet from being passed, but when you create your access list you will not see that rule because it is invisible. So while creating your access list, after you have finished, you will add as the last line of your configuration Permit ALL, which permits all the traffic to pass, because if you don't add that line the router will never pass any traffic through its interface except the ones you specified, because of the presence of that invisible rule.

Notice: when you apply your access list on a specific interface in the outbound direction, any traffic going out of that interface will be checked against the access list rules, but any incoming traffic on that interface will not be checked against the access list rules, because as we said before an access list is applied to monitor only one direction, either inbound or outbound.

Access List Types:

1. Standard, we will speak more about that later.

2. Extended, we will speak more about that later.

3. Dynamic, an access list that expands and shrinks depending on who is going through. For example, you can have somebody use a username and password to access the Internet, because not everybody in the company is allowed to access the Internet. So what you can do is set up a dynamic access list that says: if this username and password come in, add that PC to the dynamic access list and allow it to access the Internet for a certain amount of time, and then remove it from the access list.

4. Established (Reflexive), we will speak more about that later.

5. Time-Based, explained more in CCNP: an access list that becomes active for a specific amount of time or time range. With that you may say, for example: Internet access is allowed in my company only after working hours, say after 5 PM, so the access list will be disabled after 5 PM and enabled at 9 AM.

6. Context-Based Access Control (CBAC), part of the CCSP security track, which makes your router function as a PIX firewall.


Standard Access List:

• Matches based on the source IP address. So you are permitted or denied based on your source IP address, not on what you are accessing!!

• Lower processor utilization.

Extended Access List:

• Matches based on source/destination address, protocol, and source/destination port number.

• Higher processor utilization.

Reflexive Access List:

• Allows return traffic for internal requests only!!

Any traffic generated from the Internet will be denied entry to the local network, EXCEPT for traffic that is generated from inside the local network and needs a reply back from the Internet. As in our example above, where one of our customers requested the Google.com web page: when the request reaches the Google server, the server replies back with its default web page, and in that case only that reply will be allowed by the router to enter the local network.


Configuring Access Lists:

As you might see, we will apply our four scenarios on that network, so starting with Scenario 1.

Working with the Access List:


When you do the above command there are a variety of number ranges, each range representing a type of access list: for example, numbers {1 to 99} and {1300 to 1999} are standard access lists, and {100 to 199} and {2000 to 2699} are extended access lists, and so on.

So we will choose to create a standard access list:

After that it asks you whether you need to add a deny or permit rule in that access list, so we will choose the deny rule for now, as following:

After that we will specify the IP address or the hostname, as following:

Now it asks us for the wildcard mask, to specify whether you want a specific IP address or a specific network; in our scenario we need to deny only one IP address:

When we do our show command to check our access list table:

You will find that it denies that specific IP address, which is 192.168.5.100.

Another way to do that scenario:

This is another way of specifying the IP address of a host, by using the keyword "host" instead of typing the IP address and then the wildcard mask. Here we typed the word host and then the IP address of that host, and notice that it didn't ask you for a wildcard mask, because the router understands it is a single IP.


We have now added another rule that permits the whole 192.168.5.0 network, and when we run the show access-list command we find the rules listed in the order we entered them:

So when a packet with source IP 192.168.5.20 arrives on the interface, the access-list is compared from the top to the bottom of the list: the first rule does not match the packet, the second rule matches it and permits it. Do not forget the invisible rule the router adds at the end of every access-list, an implicit deny any. So a packet whose source is not in 192.168.5.x matches nothing we typed and is denied.

Now we will apply our access-list on interface S0/0 of Router3:

It asks which access-list to apply, so we choose access-list number 1, which we created before:

Then it asks in which traffic direction to apply the list; we want the traffic that comes into the router, so we choose the "in" keyword.

Now that the access-list is applied to the interface, let us review what we have done: we permitted the network 192.168.5.x and we denied the IP 192.168.5.100 and any other network.

That means any traffic arriving at Router3 on S0/0 is blocked unless its source is in the range 192.168.5.x, so what does that mean? Remember that these routers run EIGRP between them and form neighbors. An inbound access-list is checked for every packet that arrives on the interface, including packets addressed to the router itself, so applying this access-list on S0/0 also denied the EIGRP hello messages that come from Router2 with source IP 192.168.2.1, and the following message appears:

It indicates that the hold time expired and the neighbor no longer exists. Whenever you apply an inbound access-list on a link that carries a routing protocol, permit the neighbor's traffic explicitly before the deny.
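The matching rules just described (wildcard mask, first match from the top, the invisible deny at the end, and the match counters the show command prints) can be seen in a small simulation. This is an added example written for this page, not code from the original book or from Cisco IOS; it models access-list 1 from the walkthrough and uses 192.168.2.1 to stand in for Router2's EIGRP hello, which nothing in the list permits.

```python
"""Standard access-list evaluation as IOS performs it: wildcard-mask match,
first matching entry wins reading top to bottom, implicit deny at the end,
per-entry match counters.  Added example; not part of the original page."""
import ipaddress
from dataclasses import dataclass, field


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask means 'must match', a 1 bit means 'don't care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(packet_ip) & care) == (ip_int(rule_ip) & care)


def wildcard_from_prefix(prefix_len: int) -> str:
    """/24 -> 0.0.0.255: the wildcard is the bitwise inverse of the subnet mask."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(~mask & 0xFFFFFFFF))


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"   # the 'host' keyword is shorthand for wildcard 0.0.0.0
    matches: int = 0


@dataclass
class StandardACL:
    entries: list = field(default_factory=list)
    implicit_deny_hits: int = 0

    def add(self, action: str, source: str, wildcard: str = "0.0.0.0") -> None:
        self.entries.append(Entry(action, source, wildcard))

    def check(self, src_ip: str) -> str:
        """Return the action of the first entry that matches the packet's source."""
        for entry in self.entries:
            if wildcard_match(src_ip, entry.source, entry.wildcard):
                entry.matches += 1
                return entry.action
        self.implicit_deny_hits += 1   # the invisible 'deny any' at the end of every ACL
        return "deny"


def build_acl_1() -> StandardACL:
    """access-list 1 deny host 192.168.5.100 / access-list 1 permit 192.168.5.0 0.0.0.255"""
    acl = StandardACL()
    acl.add("deny", "192.168.5.100")
    acl.add("permit", "192.168.5.0", "0.0.0.255")
    return acl


def demo() -> dict:
    acl = build_acl_1()
    # 192.168.2.1 stands in for Router2's EIGRP hello arriving on S0/0: nothing in
    # ACL 1 permits it, so the implicit deny drops it and the adjacency is lost.
    results = {ip: acl.check(ip) for ip in ("192.168.5.100", "192.168.5.20", "192.168.2.1")}
    return {"results": results,
            "matches": [e.matches for e in acl.entries],
            "implicit_deny_hits": acl.implicit_deny_hits}


def order_matters() -> str:
    """Same two entries with the permit first: the deny is never reached."""
    acl = StandardACL()
    acl.add("permit", "192.168.5.0", "0.0.0.255")
    acl.add("deny", "192.168.5.100")
    return acl.check("192.168.5.100")


if __name__ == "__main__":
    print(demo())
    print("permit-first result for 192.168.5.100:", order_matters())
```

`order_matters()` is the point to take away from the "rules are arranged according to your entering" remark: the same two entries in the other order never deny 192.168.5.100, because the network permit catches it first.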

Starting with Scenario1:

Blocking Host A from accessing Host B. We will access Router3 and do the following:

Before applying the access-list for this scenario we first make sure that Host A can reach Host B, so that we know the network itself works:

As you can observe, Host A reaches Host B by passing through the sub-interface 192.168.10.1 on Router2, then interface S0/0 on Router3, then on to Host B.


Now the most important step: where should the access-list be applied? On which router, on which interface and in which direction?

The access-list that will be applied is:

Router(config)#access-list 10 deny host 192.168.10.50

Router(config)#access-list 10 permit any

As you observed before, there are many places an access-list could be applied, but which is the most proper one? These are the candidate places:

1. At F0/0.10 on Router2, direction inbound.
2. At S0/1/0 on Router2, direction outbound.
3. At S0/0 on Router3, direction inbound.
4. At E0/0 on Router3, direction outbound.

Let us describe each place with its point of failure:

Point 1: we cannot apply the access-list at that interface, because F0/0.10 is Host A's default gateway: a standard access-list looks only at the source address, so every packet from Host A that leaves its own network would be blocked, not just the packets to Host B. So this is not our choice.

Point 2: imagine there is another network connected beyond Router2, say Router4 with Host C behind it, as in the following picture. If we applied the access-list on S0/1/0 outbound we would block Host A from reaching Host B, but also from reaching Host C and anything else across that link. So this is not our choice.

Point 3: if we applied it at S0/0 inbound on Router3 we would block Host A from reaching Host B, but also from reaching every other network behind Router3. So this is not our choice.

Point 4: the best place for this access-list is E0/0 on Router3, direction outbound, because it is the only place that blocks Host A from reaching Host B without denying Host A anything else.


Cisco recommends placing a standard access-list as close as possible to the destination, because it filters on source address only; placed near the source it denies the host far more than intended, as in Point 2 and Point 3 of our example.

So we configure Router3 and create our access-list first:

Then we apply the access-list on interface E0/0 in the outbound direction:

Let us try to ping from Host A to Host B:

As you can observe it now reports Destination Net Unreachable, and the reply comes from Router3 with IP address 192.168.2.2: when an access-list drops a packet, the router answers the sender with an ICMP destination unreachable message, which Windows displays this way.

Now we run the show command to check the access-list table:

You will notice "(8 matches)", which means the deny rule matched packets from host 192.168.10.50 eight times. The ping above displayed four echo requests to 192.168.3.50, yet the counter shows eight, so the host put more packets on the wire than the four attempts it displayed. The counter counts every packet the entry matched, not ping attempts, so use it to confirm that the entry is being hit rather than to count what the user did.


Starting with Scenario2:

Blocking Host A from telnetting or SSHing to R1:

We create our access-list on Router1, as follows:

We have now created access-list number 70 and added a remark to it that says "THIS WILL DENY HOSTA FROM TELNETTING TO R1".

Now we add the deny entry and, as in every access-list, the permit entry:

Now we enter the VTY lines and apply the access-list to them with the access-class command: we choose access-list number 70, and then "in", which means the access-list is applied to connections coming in to the VTY lines. Because the access-list is applied to the VTY lines rather than to an interface, it protects only logins to the router itself; traffic passing through the router is not affected.

Now let us go to Host A and try to telnet to Router1:

Let us check that Host B can still telnet to the router, because our goal is to prevent only Host A:

So we have accomplished our goal of denying only Host A, and if we check the access-list on Router1:

You will find "2 matches" on the permit rule, which correspond to the successful remote logins.


Working with Extended Access-List:

Accessing Router3:

Creating an extended access-list, as in the following picture:

We will not describe the dynamic option of the extended access-list. Now we create a deny rule under the access-list we just created, and you will see the many protocols it can match (the protocol field of the IP header, plus the layer 4 ports for TCP and UDP); notice that you may also enter a protocol number instead of a name:

We will focus only on the protocols needed at CCNA level: IP, TCP, UDP and ICMP.

• TCP: the reliable, connection-oriented transport protocol.
• UDP: the connectionless, unreliable transport protocol.
• ICMP: the protocol used by ping.
• IP: matches any protocol carried in IP (use it when you do not care which one).

Now we deny the IP address 192.168.10.50 from reaching the destination IP address 192.168.3.50 using any protocol of TCP/IP:

Now let us deny using the TCP protocol from IP 192.168.10.50, as follows:

Now if we hit the ? mark we find more options appear for the TCP protocol, as shown below:

From the previous picture you will find that TCP gives you the option to specify which port number to act on, as follows:

• any: match every port under the TCP protocol.
• eq: equal; specify the one port to act on.
• gt: greater than; act on every port higher than the one you mention.
• lt: less than; act on every port lower than the one you mention.

The other options (neq, range) are self explanatory.


Now we deny the IP address 192.168.10.50 from using TCP port 80, the HTTP port (web access):

• Notice on the first line of the picture that we specify the source IP address but not a source port number. As you know from ICND1, the source port is chosen at random by the client's operating system, so you cannot know it in advance and you leave it out. (IOS does accept a port operator right after the source address, but a port there is compared with the source port of the packet, not the destination port.)

After that we type the keyword "any", which means any destination IP address; then we hit the ? mark, use the keyword eq to specify the port we want, and type port 80.

So that command says: "block the IP 192.168.10.50 from reaching any destination IP address on TCP port 80".


Starting with Scenario3:

Use an extended access-list to prevent Host A from accessing the R2 WAN link, that is, prevent Host A from reaching 192.168.2.1/24 and 192.168.2.2/24:

Now the most important step again: where should the access-list be applied, on which router, which interface and which direction?

The access-list that will be applied is:

Router(config)#access-list 100 deny ip host 192.168.10.50 192.168.2.0 0.0.0.255

Router(config)#access-list 100 permit ip any any

As you observed before, there are many places to apply an access-list, but which is the most proper? These are the candidate places:

1. At F0/0.10 on Router2, direction inbound.
2. At S0/1/0 on Router2, direction outbound.
3. At S0/0 on Router3, direction inbound.

Let us describe each place with its point of failure:

Point 1: this is the best place, F0/0.10 inbound on Router2, because the packets are dropped as soon as they enter Router2, before any routing is done.

Point 2: placing the access-list at S0/1/0 outbound would also achieve our goal, but it costs more processing: the packet enters Router2, the router consults its routing table and decides to send it out S0/1/0, and only then does the access-list deny it. So this is not our choice.

Point 3: the same as Point 2; there is no reason to let the packet cross Router2 only to be blocked on entering Router3. That spends processing on both Router2 and Router3, so this is not our choice.


Cisco recommends placing an extended access-list as close as possible to the SOURCE: because it can match source, destination and ports precisely, the unwanted traffic can be dropped before it consumes bandwidth and processing on the routers along the path, as in Point 2 and Point 3 of our example.

Before applying this access-list we first check that Host A is able to ping the WAN link addresses 192.168.2.1 and 192.168.2.2:

Accessing Router2 and applying access-list 100:

Now we show our access-list table:


If we try to ping the WAN link addresses again, the ping no longer succeeds:

Now, after applying that access-list, will Host A still be able to ping Host B?

The answer is YES, because the access-list denies only the destination network 192.168.2.0/24 and nothing else. As we said before, the router reads the access-list from top to bottom. The packet Host A sends to Host B carries destination 192.168.3.50, so when it enters Router2 the first entry is compared against it: the source IP matches, but the destination is not in 192.168.2.0/24, so that entry does not apply (every part of an entry, protocol, source, destination and any ports, must match for it to apply). The packet falls through to the permit ip any any entry, is forwarded, and the ping succeeds.


Starting with Scenario4:

Use an extended access-list to prevent Host A from accessing the CBTNuggets home page.

So we deny Host A from using the TCP protocol with destination port 80 to the destination IP address of CBTNuggets.com.

First we need to know the IP address of CBTNuggets.com, so we find it by pinging the site:

The IP address of CBTNuggets.com at the time of writing was 128.242.116.211. (Filtering a web site by IP address is fragile: the address can change and a site may have several, so check it again whenever the rule stops working.)

Now we have to place the access-list on interface F0/0.10 of Router2, because that was the best interface chosen in Scenario 3, BUT as we said before, only one access-list can be applied per interface, per direction (per protocol), and that interface already has an access-list that prevents Host A from reaching the WAN link. So we will modify that access-list.


First we delete access-list 100 from the router and recreate it:

As you observe in the picture above, we deleted the access-list, then recreated it and started a deny rule for TCP from host 192.168.10.50. Next the router offers you a port operator, BUT as we said before, a port entered here is the SOURCE port, not the destination, so never enter a port number right after the source IP address. Instead we type the keyword host, which skips the source port, and then the destination IP address, as follows:


As you can see there are many options; we enter our destination port by choosing eq, which stands for equal to, then we hit the ? mark and find many protocols with their port numbers between brackets:

On the last line you will notice the protocol www with its port, 80, between brackets, so you have two options: enter the port number, or enter the name of the protocol, www. In our scenario we enter the port number 80:

Now if we check our access-list, as follows:

You will find that the router has swapped the port 80 for its name, www, in the output.


Now we add back the old entry that existed in the access-list originally, which denies Host A from accessing the WAN link between Router2 and Router3. Because entries are appended, the new deny for port 80 is evaluated first and the WAN-link deny second; the order does not matter here, since both are denies and no permit sits between them.

Now we check our access-list:

Now let us test from Host A whether it can still reach Google.com, and it can:

Now if we check our access-list, you will find something cool:

You will find about 131 matches on the permit rule.


Now the ultimate test, let us try to access CBTNuggets.com:

It gives Connection Timed Out, so our access-list is working.

If we want to check the counters of the access-list, let us look now:

You will find that 9 packets were sent trying to reach CBTNuggets.com and were denied.
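The extended matching used in Scenarios 3 and 4, where protocol, source, destination and port operator must all agree before an entry applies, is shown here as an added example (written for this page, not code from the book or from IOS). It models the final access-list 100 in the order the page enters it, and `port_on_wrong_side()` reproduces the mistake warned about above, a port operator typed after the source address, where it is compared with the client's random source port and never matches.

```python
"""Extended access-list matching for Scenarios 3 and 4: an entry matches only when
protocol, source, destination and the port operators all match; first match wins.
Added example; not part of the original page."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")       # the 'any' keyword
CBT_NUGGETS = "128.242.116.211"            # address the page resolved for CBTNuggets.com


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_ip)) & care) == (int(ipaddress.IPv4Address(rule_ip)) & care)


def port_match(op: Optional[str], value, port: int) -> bool:
    """IOS port operators. op None means the entry names no port (any port)."""
    if op is None:
        return True
    if op == "eq":
        return port == value
    if op == "neq":
        return port != value
    if op == "gt":
        return port > value
    if op == "lt":
        return port < value
    if op == "range":
        return value[0] <= port <= value[1]
    raise ValueError(f"unknown operator {op}")


@dataclass
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass
class ExtEntry:
    action: str
    proto: str      # "ip" matches every IP protocol
    src: Tuple[str, str]                                  # (address, wildcard)
    dst: Tuple[str, str]
    sport: Tuple[Optional[str], object] = (None, None)   # (operator, value) after the source
    dport: Tuple[Optional[str], object] = (None, None)   # (operator, value) after the destination
    matches: int = 0

    def hits(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return (wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)
                and port_match(*self.sport, p.sport) and port_match(*self.dport, p.dport))


class ExtendedACL:
    def __init__(self) -> None:
        self.entries: List[ExtEntry] = []

    def add(self, entry: ExtEntry) -> None:
        self.entries.append(entry)

    def check(self, p: Packet) -> str:
        for e in self.entries:
            if e.hits(p):
                e.matches += 1
                return e.action
        return "deny"            # implicit deny at the end


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")


def acl_100() -> ExtendedACL:
    """The final access-list 100 of Scenario 4, in the order the page enters it."""
    acl = ExtendedACL()
    # deny tcp host 192.168.10.50 host 128.242.116.211 eq www
    acl.add(ExtEntry("deny", "tcp", host("192.168.10.50"), host(CBT_NUGGETS), dport=("eq", 80)))
    # deny ip host 192.168.10.50 192.168.2.0 0.0.0.255
    acl.add(ExtEntry("deny", "ip", host("192.168.10.50"), ("192.168.2.0", "0.0.0.255")))
    # permit ip any any
    acl.add(ExtEntry("permit", "ip", ANY, ANY))
    return acl


def demo() -> dict:
    acl = acl_100()
    host_a, host_b = "192.168.10.50", "192.168.3.50"
    return {
        "a_to_cbt_www": acl.check(Packet("tcp", host_a, CBT_NUGGETS, 6751, 80)),
        "a_to_cbt_https": acl.check(Packet("tcp", host_a, CBT_NUGGETS, 6752, 443)),
        "a_to_wan_ping": acl.check(Packet("icmp", host_a, "192.168.2.1")),
        "a_to_host_b_ping": acl.check(Packet("icmp", host_a, host_b)),
        "b_to_cbt_www": acl.check(Packet("tcp", host_b, CBT_NUGGETS, 40000, 80)),
    }


def port_on_wrong_side() -> str:
    """'deny tcp host 192.168.10.50 eq 80 host 128.242.116.211' puts eq 80 on the SOURCE:
    the client's source port is a random ephemeral port, so the entry never matches."""
    acl = ExtendedACL()
    acl.add(ExtEntry("deny", "tcp", host("192.168.10.50"), host(CBT_NUGGETS), sport=("eq", 80)))
    acl.add(ExtEntry("permit", "ip", ANY, ANY))
    return acl.check(Packet("tcp", "192.168.10.50", CBT_NUGGETS, 6751, 80))


if __name__ == "__main__":
    print(demo())
    print("eq 80 after the source:", port_on_wrong_side())
```

Note that `a_to_cbt_https` is permitted: the list blocks only port 80 to that address, so a site that also serves HTTPS remains reachable, which is exactly what the rule as written asks for.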


TIPS and TRICK in Access-LIST:

There are two ways of typing an access-list, as follows:

First Type:

Second Type:

We will describe the second type, as we have already finished the first one.

As you see above, the ip access-list command provides all the functions described above, creating extended and standard access-lists, plus some more options, so by typing ip access-list we get a variety of improvements that we will look at now.

Starting with the extended access-list, let us see what happens next:

It asks for the access-list number you want to create, and the last line lets you give the access-list a name, so instead of numbers you can create an access-list based on its name. We will create an access-list named DENY_HOSTA:


When we hit the ? mark we find a variety of options, as below:

The same rules, deny and permit, and so on, exist here, but if you look carefully at the name of the mode we are in, (config-ext-nacl), nacl means Named Access Control List, because we created an access-list based on a name rather than a number.

Now let us add some random permit rules, as follows:

You will notice that I do not have to type access-list at the beginning; I just type the permit command because I am in the nacl mode.

Now when I show the access-list table, as follows:

You will find both access-lists we have created, access-list 100 and access-list DENY_HOSTA.

Notice the sequence numbers 10, 20 and 30 in front of the entries. With the classic access-list command you cannot edit an access-list after you create it: you can only delete the whole access-list and recreate it. For example, if you need to swap the first and second entries of access-list 100 above, you cannot do it in place; all you can do is delete that access-list and recreate it in the order you need.


In the named access-list, however, you can modify and edit the list. For example, I may need to enter a rule between sequence numbers 10 and 20, so I choose a sequence number between the two; in our scenario I choose number 15:

As you observe in the picture above, a sequence number can be anything from 1 to 2147483647, so I chose sequence number 15 to squeeze the rule between 10 and 20. The rule we created is a permit for TCP from the IP 192.168.10.50 to the destination 4.2.2.4.

Now when I run the show command you will find that the rule we created sits between numbers 10 and 20:

You may not only squeeze rules in, you may also delete rules; here we delete the rule with sequence number 20:

When we run the show command, you will find the following:


But nowadays you may modify even a numbered access-list, so forget what I said about not being able to modify numbered access-lists: enter it with ip access-list extended 100 (or standard, for a standard list) and it gets sequence numbers just like a named list. Here we remove the rule with sequence number 20 from access-list 100:

Now when we check our access-list table:
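The sequence-number editing shown for DENY_HOSTA (append at the next multiple of ten, insert 15 between 10 and 20, remove 20, and the resequence command that renumbers) is modelled below as an added example written for this page, not code from the book or from IOS; the three "random permit rules" are constructed here, since the page does not list them.

```python
"""Sequence-numbered ACL editing as IOS does it under 'ip access-list': entries are
kept in sequence order, a new entry without a number is appended at last+10, an
entry can be inserted between two numbers (e.g. 15) or removed with 'no <seq>',
and 'ip access-list resequence' renumbers.  Added example; not part of the page."""
from typing import Dict, List, Optional, Tuple

MAX_SEQ = 2147483647   # the range IOS offers: 1 to 2147483647


class SequencedACL:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, str] = {}      # sequence -> entry text

    def add(self, text: str, seq: Optional[int] = None) -> int:
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence {seq} out of range")
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use; pick another or resequence")
        self.entries[seq] = text
        return seq

    def remove(self, seq: int) -> None:          # 'no 20' inside the nacl mode
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """ip access-list resequence NAME start step"""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: t for i, t in enumerate(ordered)}

    def show(self) -> List[Tuple[int, str]]:
        """Packets are evaluated in this order, lowest sequence first."""
        return [(s, self.entries[s]) for s in sorted(self.entries)]


def demo() -> List[Tuple[int, str]]:
    acl = SequencedACL("DENY_HOSTA")
    acl.add("permit tcp any any eq 22")               # becomes 10 (constructed entries)
    acl.add("permit tcp any any eq 23")               # 20
    acl.add("permit udp any any eq 53")               # 30
    # Squeeze a rule between 10 and 20 without rebuilding the whole list
    acl.add("permit tcp host 192.168.10.50 host 4.2.2.4", seq=15)
    acl.remove(20)
    return acl.show()


def resequenced() -> List[int]:
    acl = SequencedACL("DENY_HOSTA")
    for text in ("permit tcp any any eq 22", "permit tcp any any eq 23", "permit udp any any eq 53"):
        acl.add(text)
    acl.add("permit tcp host 192.168.10.50 host 4.2.2.4", seq=15)
    acl.remove(20)
    acl.resequence(10, 10)
    return [s for s, _ in acl.show()]


if __name__ == "__main__":
    for seq, text in demo():
        print(f"{seq:>5} {text}")
    print("after resequence:", resequenced())
```

Resequencing matters in practice: after a few insertions the gaps between numbers are used up, and without renumbering there is no free number left to insert a rule exactly where it is needed.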


Reflexive Access-List:

It allows returning traffic through the router only for requests that started inside the network!!

Any traffic that originates on the Internet is denied entry to the local network, except replies to requests that left the local network. In our example above one of our users requested the Google.com web page; when the request reaches the Google server, the server replies with its default page, and only that reply is allowed by the router into the local network.

To configure this at CCNA level we first create an extended access-list, so on Router1 we do the following:

You will notice that we chose the established keyword and permitted all TCP traffic that is "established". Be precise about what that keyword does: established only checks that the TCP segment has the ACK or RST flag set, which is true of every segment of a connection after the first SYN. The router keeps no record of which connections were opened from inside; it trusts the flags in the packet. A true reflexive access-list uses the reflect keyword on the outbound list and evaluate on the inbound list, so that the router creates a temporary mirror entry for each connection leaving the network; the established shortcut is the CCNA-level approximation of it.


Now we apply that access-list on Router1's Ethernet interface 0/1, the interface facing the Internet, in the inbound direction:

What the access-list does is permit TCP from any source to any destination when the segment belongs to a connection that is already set up, which in normal traffic means a connection opened from the inside.

So if someone on the Internet tries to open a connection to the local network, the first segment is a SYN without ACK, nothing was established from the local network, and the access-list denies it. Keep in mind the limit of this check: a packet crafted with the ACK bit set (an ACK scan, for example) matches the established entry even though no connection exists, so this list stops unsolicited connection attempts, not every unsolicited packet.
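The difference between the established keyword and a real reflexive access-list is easiest to see side by side. The following is an added example written for this page (not code from the book or from IOS): `established_permits()` does what `permit tcp any any established` does, and `ReflexiveFilter` does what the reflect/evaluate pair does. All packet values, including the attacker address 203.0.113.9, are constructed.

```python
"""What 'established' actually checks versus a reflexive access-list.
'permit tcp any any established' matches any TCP segment with the ACK or RST
flag set and keeps no state; a reflexive ACL ('reflect'/'evaluate') permits an
inbound packet only if it mirrors a connection that left the inside network.
Added example; packet values are constructed."""
from typing import Dict, Set, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Packet = Dict[str, object]


def established_permits(p: Packet) -> bool:
    """IOS 'established' keyword: TCP only, ACK or RST bit set, nothing else is checked."""
    return p["proto"] == "tcp" and bool(p["flags"] & (ACK | RST))


class ReflexiveFilter:
    def __init__(self) -> None:
        self.table: Set[Tuple] = set()     # temporary mirrored entries

    def outbound(self, p: Packet) -> None:
        """'permit tcp any any reflect NAME': record the mirror of the outgoing flow."""
        self.table.add((p["proto"], p["dst"], p["dport"], p["src"], p["sport"]))

    def inbound_permits(self, p: Packet) -> bool:
        """'evaluate NAME': allow only packets matching a recorded mirror entry."""
        return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"]) in self.table

    def close(self, p: Packet) -> None:
        """A FIN/RST seen in either direction (or a timeout) removes the entry."""
        self.table.discard((p["proto"], p["src"], p["sport"], p["dst"], p["dport"]))
        self.table.discard((p["proto"], p["dst"], p["dport"], p["src"], p["sport"]))


def pkt(src, sport, dst, dport, flags, proto="tcp") -> Packet:
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def demo() -> Dict[str, bool]:
    inside, web, attacker = "192.168.1.50", "74.125.0.1", "203.0.113.9"   # constructed
    request = pkt(inside, 6751, web, 80, SYN)          # user opens a web page
    reply = pkt(web, 80, inside, 6751, SYN | ACK)      # server's answer
    scan_syn = pkt(attacker, 4444, inside, 445, SYN)   # unsolicited connection attempt
    scan_ack = pkt(attacker, 4444, inside, 445, ACK)   # same probe with ACK set (ACK scan)

    reflexive = ReflexiveFilter()
    reflexive.outbound(request)
    return {
        "reply_established": established_permits(reply),
        "reply_reflexive": reflexive.inbound_permits(reply),
        "scan_syn_established": established_permits(scan_syn),
        "scan_syn_reflexive": reflexive.inbound_permits(scan_syn),
        "scan_ack_established": established_permits(scan_ack),   # passes: the gap
        "scan_ack_reflexive": reflexive.inbound_permits(scan_ack),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'permit' if allowed else 'deny'}")
```

The established entry lets the ACK-flagged probe through because it has nothing to compare the packet against; the reflexive entry does not, because no mirror entry exists for 203.0.113.9:4444. Neither check helps for UDP or ICMP, which have no flags and no handshake.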


NAT (Network Address Translation):

Network Address Translation rewrites private addresses into public addresses so that hosts using private addressing can reach the Internet.

Types of NAT:

1. Dynamic NAT.
2. NAT Overload.
3. Static NAT.


DYNAMIC NAT:

As you see above, this is the typical picture for dynamic NAT, translating inside addresses to outside addresses (private addresses to public addresses). Notice that this type of NAT is a one-to-one translation: when a client goes out to the Internet it is assigned a public address from the pool, that public address stays assigned to that client while its session is open, and when the session ends (or the entry times out) the public address returns to the pool.

The translation also works in the opposite direction while the entry exists: a client on the Internet that reaches the real address 200.1.1.3 is, according to the table above, translated to 192.168.1.51, which could be the local mail server. Because a dynamic entry is created only by traffic from the inside and disappears afterwards, a server that must always be reachable from the Internet needs a static entry, which is described below.


NAT Overload:

This type of NAT is the most commonly used, where many users on the local network reach the Internet through a single public IP address.

Now let us see: two PCs on the network on the left need to access the Internet, but all we have is a single Internet IP address (200.1.1.1). Here is how NAT overload works.

When one of the PCs wants to reach the Internet the packet goes to the router, and the router sees that it has a private source IP address (192.168.1.50), so it translates that private IP into the public IP before sending it to the Internet.

Let us say this PC wants to reach cisco.com. As we said before, at the transport layer every connection you open on your computer has a source port and a destination port, so if this PC reaches cisco.com over HTTP the destination port is 80, and the source port is chosen at random by the operating system, say 6751. When the request reaches cisco.com, the server replies with destination port 6751 and source port 80.

What NAT overload does is use the PC's source port, 6751, to keep the translation unique. The packet enters the router with source IP 192.168.1.50 and source port 6751; as we said before, the combination of IP address and port number is called a socket.

So the packet enters the router as 192.168.1.50:6751 and leaves as 200.1.1.1:6751; the same source port is kept on the public address when it is free.

Inside the router a table is created, the NAT table, where all this information is recorded. When the reply from cisco.com arrives at the router, the router looks up the destination port, finds 6751 in the table, and forwards the data to 192.168.1.50.


What if both PCs, 192.168.1.50 and 192.168.1.51, happen to choose the same source port, 6751?

Well, whoever reaches the router first is served first and leaves the router with port 6751. For the second one the router changes the port on the outside address from 6751 to another free port, say 6752, and sends it out. When the server's reply comes back to the router, the router compares it with the outside-address entries in its table, finds that port 6752 belongs to the entry whose original port was 6751, changes it back to 6751 and forwards it to 192.168.1.51.

That is why this form of NAT is also called PAT (Port Address Translation).


Hosting Server Using Static NAT

NAT also works with static entries. Let us say we have a server on our network, 192.168.1.51, that needs to be reached from the Internet, for example an email server: when someone on the Internet sends you an email, the mail comes in to the router and then on to your email server. How do you set NAT up so that it works in that direction? With static NAT. Static NAT has no problem with this at all: as you see in the picture below, we tell the router that whenever someone sends a request to the IP 200.1.1.2 it should forward that request to the IP 192.168.1.51, the email server in our example.

Also notice that when 192.168.1.51 itself needs to reach the Internet it goes out as 200.1.1.2; it is not translated to an address with a port number in it, because it has the whole public address to itself and nobody shares it. And vice versa, anyone who wants to reach the local host 192.168.1.51 connects to 200.1.1.2 and is translated to the private address.

Notice also: suppose I have another server on my network, a web server, and I need to give it a public IP address so that my clients can reach it over the Internet, but unfortunately I have only two public IP addresses, one for the local hosts to reach the Internet and the other for the email server.

Fortunately static NAT also supports ports, so we can combine a port number with the address: whoever connects to 200.1.1.2:80 over TCP is pointed at the web server's IP address, and whoever needs the email server connects to 200.1.1.2:25 over TCP and is pointed at the email server's IP address. Each such entry exposes exactly one service of one inside host, so it is also the safest way to publish a server: only the port you list is reachable from the Internet.
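The NAT table behaviour described in the two sections above (PAT keeping the source port when it is free, moving the second host to another port on a collision, reverse lookup for replies, a one-to-one static entry for the mail server, and a single-port static entry that publishes a web server behind the shared address) is modelled in the following added example, written for this page and not code from the book or from IOS. The addresses are the page's (200.1.1.1 shared, 200.1.1.2 for the mail server); the web server 192.168.1.60 and the third PC 192.168.1.53 are constructed, and the "next port +1" choice on collision is this model's, since IOS simply picks another free port.

```python
"""PAT (NAT overload) translation table with source-port collision handling,
plus static NAT entries (whole address and single TCP port) that let
outside-initiated traffic reach an inside server.  Added example; addresses
follow the page (200.1.1.1 shared, 200.1.1.2 for the mail server)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Socket:
    ip: str
    port: int


Key = Tuple[str, Socket]   # (protocol, socket)


class NATRouter:
    def __init__(self, overload_ip: str) -> None:
        self.overload_ip = overload_ip
        self.out_table: Dict[Key, Socket] = {}   # (proto, inside local) -> inside global
        self.in_table: Dict[Key, Socket] = {}    # (proto, inside global) -> inside local
        self.static_ip: Dict[str, str] = {}      # inside local ip -> inside global ip

    # --- static entries -------------------------------------------------
    def add_static(self, inside_ip: str, global_ip: str) -> None:
        """Like 'ip nat inside source static 192.168.1.51 200.1.1.2': all ports, both directions."""
        self.static_ip[inside_ip] = global_ip

    def add_static_port(self, proto: str, inside: Socket, global_sock: Socket) -> None:
        """Like 'ip nat inside source static tcp <in ip> 80 <global ip> 80': one service only.
        Registering it in in_table also reserves that public port so PAT never hands it out."""
        self.out_table[(proto, inside)] = global_sock
        self.in_table[(proto, global_sock)] = inside

    # --- translation ----------------------------------------------------
    def outbound(self, proto: str, src: Socket) -> Socket:
        key = (proto, src)
        if key in self.out_table:                       # existing entry: reuse it
            return self.out_table[key]
        if src.ip in self.static_ip:                    # static one-to-one: keep the port
            return Socket(self.static_ip[src.ip], src.port)
        # PAT: keep the host's source port if it is still free on the shared address,
        # otherwise pick the next free one (IOS chooses another port; +1 is this model's choice)
        port = src.port
        while (proto, Socket(self.overload_ip, port)) in self.in_table:
            port = port + 1 if port < 65535 else 1024
        glob = Socket(self.overload_ip, port)
        self.out_table[key] = glob
        self.in_table[(proto, glob)] = src
        return glob

    def inbound(self, proto: str, dst: Socket) -> Optional[Socket]:
        """Reverse lookup for a packet arriving from the Internet; None means no entry, drop it."""
        for inside_ip, global_ip in self.static_ip.items():
            if dst.ip == global_ip:
                return Socket(inside_ip, dst.port)
        return self.in_table.get((proto, dst))


def demo() -> dict:
    r = NATRouter("200.1.1.1")
    r.add_static("192.168.1.51", "200.1.1.2")                                      # mail server
    r.add_static_port("tcp", Socket("192.168.1.60", 80), Socket("200.1.1.1", 80))  # web server (constructed)

    pc1 = r.outbound("tcp", Socket("192.168.1.50", 6751))   # first PC keeps port 6751
    pc2 = r.outbound("tcp", Socket("192.168.1.52", 6751))   # same source port: moved to 6752
    return {
        "pc1": pc1,
        "pc2": pc2,
        "reply_to_pc2": r.inbound("tcp", Socket("200.1.1.1", 6752)),
        "mail_from_outside": r.inbound("tcp", Socket("200.1.1.2", 25)),
        "web_from_outside": r.inbound("tcp", Socket("200.1.1.1", 80)),
        "unsolicited": r.inbound("tcp", Socket("200.1.1.1", 445)),   # no entry: dropped
        "mail_outbound": r.outbound("tcp", Socket("192.168.1.51", 40000)),
        "collides_with_static_port": r.outbound("tcp", Socket("192.168.1.53", 80)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26} {value}")
```

Two details worth noticing: an inbound packet with no table entry returns `None`, which is why hosts behind NAT overload are not reachable from the Internet unless a static entry exists, and the static port entry reserves 200.1.1.1:80, so a PC that happens to choose source port 80 is moved to another port instead of hijacking the web server's translation.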


Configure NAT Overload:

Most of our focus and configuration is on Router1, because it is the router that performs NAT.

First let us check whether Host A is able to ping the DNS server 4.2.2.2:

You will notice that once the packet passes the gateway 192.168.1.1 you get Request Timed Out, because the ISP does not accept packets from private (RFC 1918) source addresses and has no route back to them, so no reply ever returns. So let us configure NAT on Router1.


Steps of Configure NAT Overload:

1. Label the interfaces.
2. Identify the internal IP addresses to be translated.
3. Enable NAT overload.

First Step "Label Interface":

First we identify which ports on the router connect to the local area network and which connect to the outside (the Internet), marking them as inside and outside.

As you observe above, the inside interface is E0/0 and the outside interface, the one connected to the ISP, is E0/1.

Second Step "Identify internal IP address to be translated":

In this step I tell the router which IP addresses should be translated and which should not, and we do that with an access-list.

So we create a named access-list (because a name is much easier to remember):


Now we create the rules that permit all PCs to reach the Internet except the network 192.168.3.0/24: a deny for 192.168.3.0/24 followed by a permit for the rest. In a NAT access-list, permit means "translate this source" and deny means "do not translate it"; it does not drop anything.

Third Step "Enable NAT overload":

First we tell the router to perform NAT for inside local addresses:

Then we say the NAT is based on the source address, and that the source addresses to translate are the ones permitted by the access-list, as follows:

Now you have two options: send the translated traffic out a specific interface using that interface's IP address, or use a pool of public IP addresses.


In our scenario we choose a specific interface to go out from, E0/1, and then we tell the router to overload so that many hosts can share that public IP address:

In general that long command is explained briefly as follows:

R1(config)#ip nat inside source list NAT_ADDRESSES interface ethernet 0/1 overload

"Router, I would like to NAT."

The router says: "How would you like to NAT?"

• You reply: "I would like to NAT from inside my network to the outside; the source addresses I want to NAT are identified by the access-list named NAT_ADDRESSES, and anything permitted by that access-list is allowed to be NATted; I would like to NAT them out interface Ethernet 0/1, and please overload that address."

Now let us check whether Host A is able to reach the Internet:

You will find that it reaches the DNS server 4.2.2.2 successfully.


Now let us check the NAT table, as follows:

• The column "Inside local" holds the local IP addresses with their local port numbers.
• The column "Inside global" holds the addresses the local addresses are translated to, with the port number used on the outside: you will see every private IP address translated to the public IP address on E0/1, keeping the same port number.
• "Outside local" and "Outside global" are the same here, and they are the destination IP address and destination port.
• Also notice that the first column shows the protocol, such as TCP, and that there is an ICMP entry for the destination 4.2.2.2.

Now if we ping from Router3, let us see whether it can ping or not:

You will notice that it pings successfully, although the access-list rule says to deny network 192.168.3.0/24. Router3 can ping because the packet leaves from interface S0/0, with source 192.168.2.2, which is not in 192.168.3.0/24.

To confirm this, let us return to Router1 and check the NAT table:

You will find that the IP 192.168.2.2 is using ICMP to ping 4.2.2.2 and is translated to the IP 68.110.171.98.


Now, if I want to ping from Router3 with E0/0 as the source, we do the following:

What we did here is ping from Router3 with source IP address 192.168.3.1, and the ping died.

If we show the access-list table, we find the following:

NOTICE: the deny entry in our case does not stop network 192.168.3.0 from being routed; it only stops it from being translated. So the packet reaches R1, leaves its outside interface and is routed onward with its private source address, but the ISP drops those ping packets before they reach their destination (and even if they arrived, a reply could not find its way back to a private address).


Configuring STATIC NAT:

Let us assume Host A needs to be reached from the Internet using a public IP address. Here is what we will do, in the following configuration:

Before configuring you have to request another public IP address from your ISP, because the first one is used by your local network for NAT overload. Assume the ISP has provided you with another public IP address, 68.110.171.99, which we map to Host A.


NOTICE: static NAT is two-way NAT: whenever the host 192.168.10.50 reaches the Internet it is translated to 68.110.171.99, and vice versa, whenever anyone on the Internet reaches 68.110.171.99 it is translated to 192.168.10.50 inside the local network. For an inside host like this one use the INSIDE form of the command, which takes the local address first and then the global address, as in the following picture. The OUTSIDE form of the command exists too, but it translates outside addresses and is a different tool, not just the same command with the addresses in the other order:

What if you have only one public IP address, no other address is available from the ISP, or your company will not buy a new one because it is expensive? Then we use that single public IP address for NAT overload, so the PCs can surf the Internet, and at the same time use it statically for a specific host on the local network. We do not take the whole address as a static NAT; instead we use port numbers to specify which service is forwarded to the local network.

So what we have done is: whenever my outside interface (E0/1) receives a request on TCP port 80, it translates that request to the inside IP address 192.168.10.50, port 80. Only that port is exposed; every other port on the public address still belongs to the overload translation and is unreachable from outside.


Configuring Dynamic NAT with Overload:

Dynamic NAT with overload (also called PAT) is used in larger organizations where you have more than one real IP address. In our scenario we have two public IP addresses, 68.110.171.99 and 68.110.171.100, so in the following picture we have created a pool named "PUBLIC_ADDRESSES" that contains those two addresses.

The advantage of dynamic NAT with overload is that thousands of users can share one public address, each session distinguished by a different source port number, and if one public address runs out of port numbers the router moves on to the next address in the pool.

Next we write an access list that defines which local addresses are allowed to be translated by the dynamic NAT. Keep this access list tight: every address it permits gets Internet access through the pool, so it should match only the subnets that are supposed to go out.
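The three NAT forms of this chapter behave differently in each direction, and the pictures of the router output are not reproduced here, so here is an added example (not the book's configuration, and not a real IOS implementation) that models them in Python: static NAT for a whole address, static PAT for one port, and dynamic PAT with overload over the PUBLIC_ADDRESSES pool. The pool, the access list and the four-port range are assumptions made small enough that pool exhaustion shows up in a handful of calls.

```python
import ipaddress

class NatRouter:
    """Toy model of the three NAT forms in this chapter (an added example, not
    the book's router configuration): static NAT, static PAT (port forwarding)
    and dynamic NAT with overload. No packets are sent; the methods return the
    translation a real router would apply."""

    # Ports handed out when a pool address is overloaded. A real router has
    # tens of thousands; four makes exhaustion visible in a test.
    PAT_PORTS = range(1024, 1028)

    def __init__(self, pool, inside_acl):
        self.pool = list(pool)                                           # ip nat pool PUBLIC_ADDRESSES ...
        self.inside_acl = [ipaddress.ip_network(n) for n in inside_acl]  # access list permitting the LAN
        self.static = {}        # local -> global, whole address, both directions
        self.static_pat = {}    # (global, proto, gport) -> (local, lport)
        self.dynamic = {}       # (local, proto, lport) -> (global, gport), created on demand
        self.used_ports = {g: set() for g in self.pool}

    def add_static(self, local, global_addr):
        """ip nat inside source static <local> <global>"""
        self.static[local] = global_addr

    def add_static_pat(self, proto, local, lport, global_addr, gport):
        """ip nat inside source static <proto> <local> <lport> <global> <gport>"""
        self.static_pat[(global_addr, proto, gport)] = (local, lport)

    def _permitted(self, local):
        addr = ipaddress.ip_address(local)
        return any(addr in net for net in self.inside_acl)

    def inside_to_outside(self, local, proto, lport):
        """Packet leaving the LAN: return (global, port), or None if it is not translated."""
        if local in self.static:                       # static NAT covers every port
            return self.static[local], lport
        for (g, p, gp), (l, lp) in self.static_pat.items():
            if (l, p, lp) == (local, proto, lport):    # static PAT covers one port
                return g, gp
        if not self._permitted(local):                 # the ACL decides who may use the pool
            return None
        key = (local, proto, lport)
        if key in self.dynamic:                        # an existing session keeps its mapping
            return self.dynamic[key]
        for g in self.pool:                            # overload: first address with a free port
            for port in self.PAT_PORTS:
                if port not in self.used_ports[g]:
                    self.used_ports[g].add(port)
                    self.dynamic[key] = (g, port)
                    return g, port
        return None                                    # every pool address exhausted: dropped

    def outside_to_inside(self, global_addr, proto, gport):
        """Packet arriving from the Internet: return (local, port), or None (dropped)."""
        if (global_addr, proto, gport) in self.static_pat:     # forwarded port
            return self.static_pat[(global_addr, proto, gport)]
        for local, g in self.static.items():                   # static NAT: any port reaches the host
            if g == global_addr:
                return local, gport
        for (l, p, lp), (g, gp) in self.dynamic.items():       # reply to a session a host opened
            if (g, p, gp) == (global_addr, proto, gport):
                return l, lp
        return None                                            # unsolicited: nothing to translate
```

The order of the lookups in outside_to_inside is the security point of the chapter: a forwarded port or a static NAT accepts unsolicited traffic from the Internet, while the overload table only matches replies to sessions that an inside host opened, so an address in the pool exposes nothing by itself.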


The World of VPN:

VPN stands for Virtual Private Network: a network that is private only virtually. Everybody has an Internet connection; all the offices and the home PCs are connected to the Internet. What if you want to connect your offices to each other over that Internet? The old way is to connect the two offices with a private leased line; the other, cheaper way is to connect them through a VPN connection.

A VPN connection is encrypted and authenticated, so breaking into it is very difficult as long as strong algorithms are chosen. The disadvantage is that the encryption puts extra load on the router compared with a private line, where you do not need to encrypt the data and can just let the routers talk to each other.

If you want to connect many offices to each other, all you need is an Internet connection in each office, such as DSL, and you can connect them through VPN connections rather than a leased line to each office, which would cost much more.

VPN connections come in two styles:

1. Site to Site (L2L), which refers to LAN to LAN.

2. Remote Access.

Site to Site (L2L):

The following picture shows a Site to Site connection.

Imagine a network connected to the router on the left, and one of the PCs on that network needs to reach an IP address on the network at the other side. The router understands that this traffic must go through the VPN. The message from the PC enters the router unencrypted, in clear text; as soon as the router sees that it has to cross the VPN it encrypts the data and sends it over the Internet, where it reaches the other router, which decrypts it and delivers it to the destination PC.


Remote Access:

If L2L is for connecting offices to each other, Remote Access is for linking home PCs or laptops to an office.

In this type of connection the PC connects over the Internet through a VPN connection that encrypts the data and carries it across the Internet to the router at the office and on to the destination PC. The VPN connection is made on the PC by VPN client software that you download from the Internet; nowadays such home PCs may sit behind a small router of their own, and that small router may support an L2L-style VPN connection itself.

What if you are the administrator of thousands of PCs on that network and all of them need the VPN connection? You cannot walk over to each PC, install the VPN client software and do the configuration one by one, because it would take far too long. The solution is a newer Remote Access technology called SSL VPN or WebVPN.

What this technology does is let the router at the destination network serve a web page. When a PC connects to the router it gets that web page and is asked for a username and password; when you enter the correct information the router installs a small VPN client on your PC and establishes the VPN connection, and when you finish your work and terminate the connection the software is removed from your laptop again. This way of connecting is called SSL tunneling.


The Chunks that Build IPSEC:

VPN technology works with a protocol suite named IPsec; it is what does all the encryption in the VPN connection. IPsec is one of the protocols of the TCP/IP family and sits at the Network layer (Layer 3 of the OSI model), where it protects each IP packet; it is not a transport-layer protocol like TCP or UDP.

IPsec is built from four major categories of protocols:

Encryption protocols:

There are three encryption types you may choose from (DES, 3DES and AES); they are used to scramble your data so that nobody on the path can read it. The list runs from weakest to strongest. The usual rule of thumb is that weaker encryption costs less processing and gives a faster connection, while stronger encryption protects the data better at the cost of more overhead and a longer time to encrypt. Be careful with that rule here: DES has a 56-bit key and is considered broken, so it should not be used at all, and AES is not only stronger than 3DES but also faster on modern hardware.

So as an administrator you have to choose the encryption level, and today that choice should be AES.


Authentication Protocols:

Authentication here means making sure that the data has not been changed between one end and the other, and that it really came from the peer. For example:

If you have a client connected over a VPN and somebody tries to hack your network, they cannot read the packets crossing the VPN because those are encrypted. What they can do is send spoofed packets: packets that look as if they came from you but are fake. Authentication makes sure the packets you receive were sent by your peer and not by anyone else. It is done with a keyed hash (an HMAC) built on MD5 or SHA-1: the sender computes the hash over the packet with the shared key and the receiver recomputes it, so a packet that was altered or forged without the key fails the check. Of the two, SHA-1 is the stronger choice; MD5 is considered weak today.

Protection Protocols:

Protection is what lets you do all of the above over a public network. Let's take an example:

There is a PC connected to a VPN as in the following picture:

If this PC is encrypting the data, then it holds the encryption key, the formula that lets it scramble the data before sending. For the data to be decrypted successfully the router must have the same key as the PC, so the two somehow have to agree on that key. Here lies the problem: how do you agree on an encryption key over the Internet without letting any hacker capture it? That is what the protection protocol (the Diffie-Hellman key exchange) does. We will discuss that later in more detail.

Negotiation protocols:

The idea behind IPsec is that its keys should never become outdated: new keys are generated all the time, and the negotiation protocol (IKE, which runs the Diffie-Hellman exchange and re-keys the tunnel whenever a key lifetime expires) keeps the two sides in step.

When IPsec was first designed it came with AH (Authentication Header), which authenticates the packet but does not support encryption. Then came ESP (Encapsulating Security Payload), which provides encryption together with authentication, so it covers encryption, authentication and protection in one. Finally the two can be combined as ESP+AH, which authenticates the packet twice, once by each protocol. In practice ESP with authentication enabled is what nearly every VPN uses; AH is rare, not least because it authenticates the IP header that NAT rewrites, so it does not survive a NAT device on the path.


Secure over a Public Network:

How is it possible to agree on an encryption key over the Internet so that nobody listening on the way can grab that key and use it? Here is the idea. A VPN works through a combination of keys, and there are two types of encryption and decryption:

a. Symmetric Encryption.

b. Asymmetric Encryption.

a. Symmetric encryption uses the same key to encrypt and to decrypt, which is why it is called a shared key. The benefit of symmetric encryption is that it is really fast and easy on the router's processor. The encryption protocols we talked about, DES, 3DES and AES, are all examples of symmetric encryption. Both routers must therefore end up with the same key before they can exchange encrypted data.

The question is how you can be sure that nobody can grab that shared key from the network and use it to decrypt the data. That is why the protection protocol exists: Diffie-Hellman (DH), named after Whitfield Diffie and Martin Hellman, the two people who created a system for agreeing on a key without ever sending it, which we describe next under asymmetric encryption.

b. Asymmetric encryption uses a two-key system, one public and one private. Data encrypted with the public key can be decrypted only with the private key, and data encrypted with the private key can be decrypted with the public key (that second direction is what digital signatures use).

These keys are called public and private for a reason. Let's take the following example:


When Router2 brings up a VPN connection to Router1, each router first generates a DH key pair: a private value that never leaves the router, and a public value computed from it. The routers send each other their public values; that is why they are called public: they travel over the Internet in the clear and it does not matter who sees them. Each router then combines its own private value with the public value it received, and the mathematics of DH guarantee that both arrive at exactly the same number, while an eavesdropper who saw only the two public values cannot compute it. The shared secret key used later for encrypting and decrypting the data is derived from that number, so the shared key itself is never sent over the Internet at all, and that is what makes it safe to do this over a public network. If you see this drawn as Router2 encrypting the shared key with Router1's public key and Router1 decrypting it with its private key, that is key transport, the RSA way of doing it, which reaches the same result by a different road: only the holder of the private key can recover the shared key.

Now both routers have the same symmetric (shared) key for encrypting and decrypting the data for that session, so the role of the DH public and private values is to establish the shared secret key securely.

Once the VPN session ends the shared secret key is deleted, and when a new session comes up a new shared secret key is generated, so a key captured later cannot be used to read an old session.
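To make the "Authentication Protocols" and "Secure over a Public Network" passages concrete, here is an added example (not the book's, and not an IPsec implementation) that runs the exchange between two routers in Python: each side derives the same session key from a Diffie-Hellman exchange in which only the public values are visible on the wire, and then uses that key for the HMAC-SHA1 integrity check that catches a spoofed or altered packet. The group parameters, router names and the packet text are assumptions; the 127-bit prime is a toy size chosen only so the example stays readable.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demonstration (an assumption of this
# example, not a real IKE group): 2**127 - 1 is prime, but it is far too
# small for production; IKE uses 2048-bit and larger MODP groups (RFC 3526)
# or elliptic-curve groups.
P = 2**127 - 1
G = 2
TAG_LEN = 12   # IPsec's HMAC-SHA1-96 keeps the first 96 bits of the tag

class VpnRouter:
    """One end of the exchange described in 'Secure over a Public Network'."""

    def __init__(self, name):
        self.name = name
        self.private = secrets.randbelow(P - 3) + 2   # stays on this router
        self.public = pow(G, self.private, P)         # the only value that is sent
        self.session_key = None

    def derive_session_key(self, peer_public):
        # Both routers compute g^(a*b) mod p from their own private value and
        # the peer's public value; the number itself never crosses the wire.
        # The symmetric key is derived from it with a hash.
        shared_secret = pow(peer_public, self.private, P)
        self.session_key = hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()
        return self.session_key

    def authenticate(self, payload):
        """Authentication chunk: append an HMAC-SHA1 tag keyed with the session key."""
        tag = hmac.new(self.session_key, payload, hashlib.sha1).digest()[:TAG_LEN]
        return payload + tag

    def check(self, frame):
        """Return the payload if the tag matches, else None (altered or spoofed)."""
        payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.session_key, payload, hashlib.sha1).digest()[:TAG_LEN]
        return payload if hmac.compare_digest(tag, expected) else None

def run_exchange(message=b"constructed packet from HOSTA to the branch"):
    """Bring up a session between two routers and return
    (keys_match, accepted_payload, accepted_tampered_payload)."""
    r1, r2 = VpnRouter("Router1"), VpnRouter("Router2")
    on_the_wire = {"Router1": r1.public, "Router2": r2.public}  # all an eavesdropper sees
    k1 = r1.derive_session_key(on_the_wire["Router2"])
    k2 = r2.derive_session_key(on_the_wire["Router1"])
    frame = r1.authenticate(message)
    # A spoofer flips one bit of the payload without knowing the key.
    tampered = bytes([frame[0] ^ 0x01]) + frame[1:]
    return k1 == k2, r2.check(frame), r2.check(tampered)
```

Two things the example leaves out on purpose: the payload is not encrypted (that is the ESP encryption chunk, which needs a cipher library), and an HMAC alone does not stop an attacker from replaying an old, validly tagged packet; ESP adds a sequence number and an anti-replay window for that.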


WAN Connections, Understanding PPP Authentication:

Let's review some of the physical link technologies for WAN connections.

There are two ways of connecting the router to the provider's line:

1. The first way is to install a WIC-1T or WIC-2T, a card installed in the router that provides serial interfaces; the difference between the two is that the WIC-1T provides one serial interface and the WIC-2T provides two serial interfaces on the same card. A serial cable then connects the card to the CSU/DSU: the DB-60 connector at one end plugs into the WIC and the V.35 connector at the other end plugs into the CSU/DSU unit, which provides the clock rate for the line and converts from the serial cable to an RJ-48 cable. The RJ-48 cable runs to the wall connector at a point called the DEMARC (demarcation point), where the ISP's responsibility starts.

2. The second way is to install a T1 CSU/DSU WIC card in the router; this card has the CSU/DSU built in, so you just connect its RJ-48 port to the DEMARC.


Leased line Protocols:

1. High-Level Data Link Control (HDLC).

2. Point-to-Point Protocol (PPP).

1. High-Level Data Link Control (HDLC):

HDLC is the default leased-line protocol on all Cisco routers: if you install a serial card into your router, by default it will talk HDLC. The advantage of HDLC is its extremely low overhead, which means it communicates fast because it does not put a large amount of data in the frame header.

The disadvantage of HDLC is that the Cisco version is proprietary. HDLC itself is an ISO standard, but Cisco adds a protocol-type field to the frame so that several Layer 3 protocols can share the link, and that variant only interoperates with routers that implement Cisco HDLC, in practice other Cisco routers. The second disadvantage is that it has no features at all: no authentication, compression or multilink.

2. Point-to-Point Protocol (PPP):

PPP is an industry standard, meaning I may connect a Cisco router on one side and any other vendor's router on the other side and they will communicate perfectly. PPP has a moderate overhead, not as low as HDLC.

One of the advantages of PPP is its features:

1. Authentication: it is not very common to use authentication on a leased-line serial link, because there are just two fixed routers on the two sides of the connection. But as you know PPP works on any type of connection, including modems, and when somebody dials into your network over a phone line you want those users to be prompted for a username and password; otherwise anyone who dials the number gets onto the network without any credentials.

2. Compression: as data is sent from your PC to your router, the router is able to compress it before sending it over the WAN connection to reduce bandwidth consumption, and the receiving side decompresses it again. Enabling compression on your router costs extra processor cycles.

3. Callback: this feature is primarily used with modems. When you dial from your modem to the router and enter your authentication information (username and password), the router immediately hangs up on you and dials you back on a predefined number. The idea is that even if someone steals your username and password and dials in from some other location, they gain nothing: the router will only ever call back the one phone number registered for you, such as your home line.

4. Multilink: the most famous PPP feature. It combines multiple WAN connections into one to increase the speed: if you have three T1 serial lines between two routers at 1.5 Mbps each, Multilink combines the three into one logical link with the sum of their speeds, 4.5 Mbps, by load balancing the data across the lines.


Configuration of PPP:

We will focus on configuring PPP authentication on Router2 and Router3 over the serial link between them, which acts as a leased line.


We access Router3 and check which WAN protocol it uses on serial interface 0/0:

As you can see it uses HDLC by default. Let's check which protocol Router2 uses; you will see that it uses HDLC too:


So let's start configuring Router2 to use PPP on its serial interface S0/1/0, as follows:

What you have done with that configuration is change the data link language (the encapsulation) from HDLC to PPP.

If we check the status of the data link layer on that serial interface, we will find that it is down. The reason is that Router2 is now speaking PPP while Router3 is still speaking HDLC on its end of the link, so there is an encapsulation mismatch:

Now we access Router3 and configure its serial interface to use PPP as well:

Now if we check the status of the data link layer on the serial interface, we find that it is UP:


If we check our serial interface S0/0 on Router3:

As you can see, the encapsulation has changed from HDLC to PPP.

Let's describe the following line:

LCP (Link Control Protocol) Open means the LCP negotiation succeeded on the PPP link; LCP is the part of PPP that negotiates the link options (authentication, multilink, compression and callback). If there is a problem with one of them, for example the two sides could not agree on authentication, compression or multilink with the modem or router in front of them, you will find the status CLOSED instead.

You may also see the following line:

PPP uses a Network Control Protocol for each Layer 3 protocol carried over the link. IPCP (IP Control Protocol) is what allows TCP/IP to work over the PPP link, and CDPCP (Cisco Discovery Protocol Control Protocol) is what allows CDP to run over the PPP link so that you can see your neighbor.


There are two types of authentication in PPP:

1. PAP

2. CHAP

The old one is PAP (Password Authentication Protocol); the newer one is CHAP (Challenge Handshake Authentication Protocol).

You should never use PAP these days, because the username and password are sent in clear text without any protection, so anyone who can see the link captures them.

CHAP does send the username, but it never sends the password to the other router. Instead the other router sends a random challenge, and the reply is an MD5 hash computed over that challenge together with the password. So CHAP works not through encryption but through hashing.

There is a big difference between the two. Encryption takes data and runs it through a mathematical formula; what comes out is scrambled, and when that scrambled data reaches its destination the router uses the decryption formula to turn it back into the original data.

A hash is different because it uses an irreversible formula. If data runs through such a formula, the result cannot be turned back into the original data; that is the difference. It is this result that is sent across the wire, so the destination router cannot "decrypt" it, because it is not encryption but a hash. The only way for the destination to check whether the reply is valid is to have the same password stored locally, run the same formula over the challenge it sent plus that password, and compare: if the result equals the hash it received, the user is valid and authenticated. Because the challenge is random and different every time, a captured reply is useless later; an attacker who replays it will not match the new challenge.

So for the authentication to work correctly, the same password must be configured on both routers. Note what that implies: each router must keep the CHAP password in a form it can read back, which is why the password storage discussed next matters.

Let's see the following example to understand more:

If we are on Router3 and we set the privileged (enable) password to cisco1, as follows, and then enable the service password-encryption command, which turns every clear-text password on the router into a type 7 password:

So when we run the show run command:

When you look at the two passwords above, there is the enable secret and the normal enable password; the latter now appears as type 7 because of the service password-encryption command we entered above.

The normal password is an example of encryption, so as we said before you can run the formula in reverse to decrypt it. Type 7 is in fact a simple XOR with a fixed, publicly known key, so it is obfuscation rather than real encryption; it only protects against somebody glancing at your screen.

We will go to Google and type the following:

From the search results you choose the first link on the page:

On that site you paste a copy of the encrypted password into the box and click Crack Password.

Now you can see the password decrypted into clear text. (Never paste a production password into a third-party web page; the decoding is simple enough to do offline.)

The secret password, on the other hand, is not encrypted but hashed with MD5; that is why you see the number 5 after the word secret in the picture, and the string that follows is the MD5 hash of the password you typed. That hash cannot be reversed, which is why enable secret should always be used instead of enable password. (Newer IOS releases also offer type 8 and type 9 secrets, which are stronger than the MD5-based type 5.)
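Rather than trusting a web page with a password, here is an added example (not the book's, and not Cisco code) that does the type 7 reversal offline in Python and shows why it is reversible: the scheme is a fixed-key XOR whose key is public knowledge. The first two characters of a type 7 string are the starting offset into that key and each following pair of hex digits is one password byte XORed with the key byte at that position. The sample configuration lines at the end are constructed for the example, not taken from the book's router.

```python
import re

# The fixed XOR key every IOS type 7 password is obfuscated with. It is
# public knowledge, which is why type 7 can be reversed by anyone.
KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def type7_decode(encoded):
    """Recover the clear text behind 'password 7 <encoded>'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string: %r" % encoded)
    offset = int(encoded[:2])          # first two digits: start position in KEY
    body = bytes.fromhex(encoded[2:])  # then one hex pair per password byte
    clear = bytes(b ^ KEY[(offset + i) % len(KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")

def type7_encode(cleartext, offset=9):
    """Produce the form IOS writes to the running config (IOS picks the offset itself)."""
    if not 0 <= offset < len(KEY):
        raise ValueError("offset must be between 0 and %d" % (len(KEY) - 1))
    data = cleartext.encode("ascii")
    body = bytes(b ^ KEY[(offset + i) % len(KEY)] for i, b in enumerate(data))
    return "%02d%s" % (offset, body.hex().upper())

PASSWORD7 = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)")

def reveal_type7(config_text):
    """Return (config line, recovered clear text) for every type 7 password in a
    config dump. Type 5, 8 and 9 secrets are one-way hashes and are left alone."""
    found = []
    for line in config_text.splitlines():
        m = PASSWORD7.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found

# Constructed sample config, not a capture from the book's Router3.
SAMPLE_CONFIG = """\
hostname Router3
enable password 7 094F471A1A0A
username R2 password 7 02050D480809
line con 0
 login
"""
```

Running reveal_type7 over a saved configuration is a quick audit for type 7 credentials left in a config repository or a backup share; each hit is a password anyone with read access to the file already has.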


Configuring PPP Authentication:

There are two steps to enable PPP authentication:

1. Create a user account.

2. Turn PPP authentication on.

In the following we will turn PPP authentication on first and create the user account afterwards, because I want to show you some of the troubleshooting we will do in the following steps:

First we access Router3 and enable PPP authentication:

You will notice there are several authentication protocols to choose from: eap, a framework that can carry stronger methods such as certificate-based authentication, and ms-chap and ms-chap-v2, Microsoft's versions of CHAP; if you are dialing into a router from a Microsoft Windows client you will have to use ms-chap or ms-chap-v2.

As soon as we enable PPP authentication, serial interface 0/0 goes down:

The reason serial interface 0/0 is down is that the other side of the link, Router2, is not configured for PPP authentication, so Router3 terminates the connection. Router3 sent the termination signal to Router2 because the administrator told Router3 to require CHAP authentication, and the other side was not prepared to handle that, so the link was terminated.


In the following picture the highlighted line shows the LCP status as TERMsent, meaning a termination signal has been sent to the other side.

So what we will do now is first create the user account, as we said before, and then enable PPP authentication.

Before a session is established, a two-way CHAP handshake takes place in which the two routers authenticate each other: Router3 challenges Router2 and Router2 challenges Router3, each side answers with its hostname and a hash computed from the challenge it received and the password, and if both checks succeed the session is established. Let's look in detail at what happens when Router2 answers Router3's challenge:

By default, when I have enabled authentication on the routers and they start to talk to each other, Router3 first sends a challenge (a random value) together with its hostname. Router2 picks the password from its own user account for that hostname (its username R3 entry), hashes Router3's challenge together with that password, and replies with a message saying "my username is R2" plus the hash (a string of numbers and letters). Router3 then looks in its user database for an account named R2; if it finds it, it takes the password tagged to that username, runs the same mathematical formula over its own challenge and that password, and if the result equals the received hash the session is established.

So for the session to be established, both sides must be configured with the same password.
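The two-way handshake above, and the RFC 1994 formula behind it (Response = MD5(Identifier || secret || Challenge)), as an added example in Python; this is not the book's router output and not IOS code. Each simulated router holds a local user database keyed by the peer's hostname, exactly what the username entries in the next section store. The hostnames and passwords are assumptions. The example also shows the two failure modes you will meet in the debug output: a password mismatch fails in both directions, and a captured response cannot be replayed because each challenge is consumed on first use.

```python
import hashlib
import hmac
import os
import secrets

class PppRouter:
    """One PPP peer (an added example, not the book's router output). Its user
    database maps the *peer's* hostname to the shared secret, which is what
    'username R2 password ...' stores on Router3."""

    def __init__(self, hostname, users):
        self.hostname = hostname
        self.users = dict(users)
        self.pending = {}   # challenge id -> random challenge we sent and still expect an answer to

    @staticmethod
    def _digest(cid, secret, challenge):
        # RFC 1994: Response = MD5(Identifier || secret || Challenge)
        return hashlib.md5(bytes([cid]) + secret.encode() + challenge).digest()

    def send_challenge(self):
        """Authenticator side: a fresh random challenge plus our hostname."""
        cid = secrets.randbelow(256)
        self.pending[cid] = os.urandom(16)
        return {"id": cid, "value": self.pending[cid], "name": self.hostname}

    def answer_challenge(self, chal):
        """Peer side: hash the challenge with the secret tagged to the challenger's
        hostname. The secret itself never goes on the wire."""
        secret = self.users.get(chal["name"], "")
        return {"id": chal["id"],
                "value": self._digest(chal["id"], secret, chal["value"]),
                "name": self.hostname}

    def check_response(self, resp):
        """Authenticator side: look the peer's name up, recompute the hash, compare.
        A challenge is consumed on first use, so a captured response cannot be replayed."""
        challenge = self.pending.pop(resp["id"], None)
        secret = self.users.get(resp["name"])
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(self._digest(resp["id"], secret, challenge), resp["value"])

def two_way_chap(r2, r3):
    """Mutual CHAP as in the debug output: each router challenges the other.
    Returns (Router2 accepts Router3, Router3 accepts Router2)."""
    chal_from_r2, chal_from_r3 = r2.send_challenge(), r3.send_challenge()
    resp_from_r3 = r3.answer_challenge(chal_from_r2)
    resp_from_r2 = r2.answer_challenge(chal_from_r3)
    return r2.check_response(resp_from_r3), r3.check_response(resp_from_r2)
```

Contrast this with PAP, where the reply would simply carry the password: with CHAP the only things on the wire are hostnames, random challenges and hashes, and the hash is worthless once its challenge has been answered. The price is that both routers need the clear-text secret to recompute the hash, which is why CHAP cannot use a one-way hashed username secret.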


Creating a user account on Router3:

Creating a user account on Router2:

After we have created the username and password on Router2, you will notice in the picture below that the line protocol on serial interface S0/0 has changed to up.

After that we enable PPP authentication using CHAP, as follows:

Let's watch step by step how PPP authentication happens live between the two routers:

First we disable PPP authentication on one of the routers, say Router2; then we turn on debug, a command that prints log messages telling you what the router is doing right now; and then we enable PPP authentication again and watch the exchange step by step:

1. Enable the debug command:

2. Disable PPP authentication:


3. Now enable PPP authentication again, and watch the steps of the two-way CHAP authentication between the two routers:

Let's describe the important lines above:

The line below states that the PPP link is a dedicated (leased) line.

The lines below state that authentication is required, and because authentication is required the next line says that Router2 sends a CHALLENGE with an id:

At the same time Router2 receives a CHALLENGE from Router3:

That is the two-way handshake described above: Router2 sends its challenge and hostname to Router3, and Router3 sends its challenge and hostname to Router2.

Next, as the figure shows, Router2 logs "Using hostname from unknown source", which means it is using its own global hostname for the exchange (no ppp chap hostname was set on the interface). It takes the hostname received in Router3's challenge and looks it up in its local database; if that username is found, it fetches the password tagged to it.

The line below, "Using password from AAA" (AAA here is the local database), shows Router2 using the password stored in its local database.

The lines below indicate that Router2 has sent its CHAP RESPONSE, and the next line says it received the RESPONSE (the hash) from Router3.

The lines below indicate that authentication succeeded because the passwords matched on both sides; if they had not matched you would see a FAILURE instead of SUCCESS.


Understanding FRAME RELAY

Frame Relay originated from what providers observed on leased lines. A leased line connects two locations with bandwidth dedicated to them alone; the benefit is that all the bandwidth is yours all the time, the problem is that nobody uses 100% of the bandwidth 100% of the time, so much of it just sits there unused.

So the service providers said: since leased lines have dedicated bandwidth that is not used fully all the time, we will build a cloud with gigabits of bandwidth; if someone is using their share of it, fine, and if not, there is a chance that somebody else can use it.

Frame Relay is a packet switching technology. In the old days X.25 was the first such technology; it was followed by Frame Relay, then ATM, then MPLS.

The advantage of packet switching is that the service provider can sell you the line more cheaply, because they do not have to dedicate a line to you.


Frame Relay Terminology:

Committed Information Rate (CIR): the minimum bandwidth the service provider guarantees you. If the CIR the provider gives you is 500 Kbps, then 500 Kbps is the guaranteed rate; it may increase above that when there is spare bandwidth in the cloud, but it will not be cut below it. You may, however, have to pay the provider extra for the bandwidth you burst above the CIR.

Local Access Rate (LAR): physically how fast the circuit can go, just as in Ethernet a 100 Mbps cable can physically carry 100 Mbps. In Frame Relay the physical port on the router may have a LAR of 2 Mbps while the CIR is only 500 Kbps: 500 Kbps is your guaranteed limit, and as said before it can rise above that when bandwidth is available in the cloud, but you pay the provider for that burst unless you clock the router's port down to the CIR.

Local Management Interface (LMI): the language spoken between your router and the service provider. It is a signaling protocol the provider uses to send you the status of the line and of each PVC, and it carries the DLCI information to your router.

Data Link Connection Identifier (DLCI): in Ethernet we use the MAC address to get a frame from source to destination and back; in Frame Relay the DLCI plays the role of the MAC address.

Permanent Virtual Circuit (PVC): when you sign up with a Frame Relay service provider you get a single physical connection from your router to the Frame Relay cloud, and from the cloud onward you may have more than one PVC, each with its own CIR. For example, the PVC from Arizona to Florida may have a CIR of 500 Kbps and the one from Arizona to California 800 Kbps, for a total CIR of 1300 Kbps or 1.3 Mbps, which is fine as long as it does not exceed the LAR. Each PVC also has its own monthly cost. The advantage of Frame Relay over leased lines is that I may use a single serial interface on the router to connect to the cloud with multiple PVCs, whereas with leased lines one serial interface serves only one destination.


How DLCI Work:

DLCI is the addressing Frame Relay uses to reach its destinations. It is a 10-bit number; the values you can assign to PVCs on most provider switches run from 16 to 1007 (0 to 15 and 1008 to 1023 are reserved for signaling such as LMI).

If the MO router wants to send a frame to the AZ router, it sends the frame on DLCI 200, the cloud switches it, and it comes out on DLCI 100 at AZ; the same goes for all the routers.

DLCIs ARE LOCALLY SIGNIFICANT. Let's look at the following picture to understand this.

As you might notice in the picture, the three routers MO, TX and CA all use DLCI 300, so you might say this is a DLCI conflict. It is not, because DLCIs are locally significant: DLCI 300 at the MO router means something in the MO provider region that can be completely different from what DLCI 300 means in the TX provider region.

Take another example from the picture: the AZ router also has a DLCI 300, and the MO router on the other side has a DLCI 300 as well. Is that a conflict? No, and again the reason is local significance: when AZ sends data on DLCI 300, the service provider has a little map, like a routing table, saying that data from AZ on DLCI 300 must go through the cloud and come out on DLCI 300 at MO.

The only thing you cannot do is use the same DLCI number twice on the same interface at the same location: on the AZ router you cannot assign DLCI 300 to two of its PVCs, because then the router could not tell the two circuits apart.
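The provider's "little map" described above, as an added example in Python (not the book's figure or a real Frame Relay switch): the switch forwards on the pair (port, DLCI), which is why the same DLCI can be reused on every port but never twice on one port. The hub-and-spoke layout built at the end, with AZ as the hub and MO, TX and CA all using DLCI 300, and the DLCI range check are assumptions of the example.

```python
# Toy model of the provider's DLCI map (an added example, not the book's
# figure). A PVC is a pair of (port, DLCI) endpoints; the switch forwards a
# frame by looking up the port it arrived on together with its DLCI.
USER_DLCI = range(16, 1008)   # usable range on most provider switches; 0-15 and 1008-1023 are reserved

class FrameRelaySwitch:
    def __init__(self):
        self.map = {}   # (port, dlci) -> (port, dlci) at the far end of the PVC

    def add_pvc(self, port_a, dlci_a, port_b, dlci_b):
        """Provision one PVC. The same DLCI may appear on many ports (local
        significance), but a DLCI may be used only once per port."""
        for port, dlci in ((port_a, dlci_a), (port_b, dlci_b)):
            if dlci not in USER_DLCI:
                raise ValueError("DLCI %d is outside the user range 16-1007" % dlci)
            if (port, dlci) in self.map:
                raise ValueError("DLCI %d is already in use on port %s" % (dlci, port))
        self.map[(port_a, dlci_a)] = (port_b, dlci_b)
        self.map[(port_b, dlci_b)] = (port_a, dlci_a)

    def forward(self, in_port, in_dlci):
        """Return (out_port, out_dlci) for a frame that arrived on (in_port, in_dlci),
        or None if no PVC is provisioned for it."""
        return self.map.get((in_port, in_dlci))

def build_hub_and_spoke():
    """The chapter's picture as a map: AZ is the hub, and MO, TX and CA all use DLCI 300."""
    sw = FrameRelaySwitch()
    sw.add_pvc("AZ", 300, "MO", 300)
    sw.add_pvc("AZ", 100, "TX", 300)
    sw.add_pvc("AZ", 200, "CA", 300)
    return sw
```

Note that the map is the only thing that ties the sites together: a frame on a DLCI that has no entry is dropped rather than flooded, and a site can only ever reach the far ends the provider has provisioned for it.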


Frame Relay PVC Design

1. The most common way of connecting the sites, because it is the cheapest, is the HUB-AND-SPOKE design: as you can see, all three offices connect to the AZ router with only three PVCs.

The disadvantage of this design is the single point of failure: if S0/0 on the AZ router goes down, all three other offices are down too, because they can neither talk to each other through AZ nor reach AZ itself.

The second disadvantage is delay: if a VoIP phone behind the MO router needs to talk to a VoIP phone behind the CA router, the packets must first travel to AZ and then on to CA.

2. The Full Mesh design has a PVC between every pair of offices. It is the most costly design, and its only disadvantage is the price: the number of PVCs grows quickly with the number of sites (n(n-1)/2 circuits for n sites).

3. The Partial Mesh design is the best compromise between cost and redundant links between offices.


Interface Configuration:

You can design your network as either Multipoint or Point-to-Point.

Multipoint is a poor design strategy, because all the routers sit on the same subnet, which makes the router believe it is on something like an Ethernet network. If the AZ router sends a broadcast it is received by all the routers connected to it, MO, TX and CA; but AZ is the only router that can do that, because if the CA router, for example, sends a broadcast on its link it is received only by AZ, since CA has just the one PVC.

Multiple DLCI numbers are assigned to the same interface, as on the AZ router's S0/0, because it is connected to three PVCs.

The Multipoint design causes split-horizon problems. What that means: if the MO router sends a routing update to the AZ router, AZ receives it and adds it to its routing table, but split horizon forbids AZ from sending that update back out the interface it came in on, so TX and CA never get it from AZ, because they hang off the same interface. The fix in a Multipoint design is to turn split horizon off on that interface, which reintroduces the routing loops split horizon was meant to prevent, so it should be done with care.


Point to Point

As we said before, you may choose a Point-to-Point or a Multipoint configuration; this is something you set up yourself, the ISP has no say in it.

In the Point-to-Point design every PVC is its own subnet, and the AZ router thinks it is connected by three separate leased lines to the three routers, instead of thinking it is on an Ethernet with all the routers on the same subnet as in Multipoint.

The way to set it up is to create a point-to-point sub-interface for each DLCI on the one serial interface of the AZ router, and that is better because it eliminates the split-horizon problem without having to disable split horizon.

By Eng. Waleed Mohsen Page 223

Configuring Frame Relay:

We will start by configuring the Multipoint type.

Router1 has one DLCI to Router2 and another DLCI to Router3, with a Frame Relay service provider sitting between them; R1 is connected to the Frame Relay service provider on serial interface S0/1/0.

First we configure the port S0/1/0 by giving it an IP address, as follows:

After assigning the IP address to the interface, the second thing we do is configure the encapsulation protocol on that interface:

On some older routers you may need to configure the Frame Relay LMI type as follows:

You type the above line and then choose, from the three choices below, the signalling protocol you will use to speak to the service provider. LMI type stands for Local Management Interface, which is the language spoken between you and the service provider. You have to know what type of signalling your service provider uses in order to configure your LMI type; newer routers auto-detect it.

After configuring that port with the encapsulation, you open the port as follows:

Now the port should show both the physical and the protocol status as UP.

The following command is useful for troubleshooting Frame Relay problems, as it shows the signalling between you and your Frame Relay service provider:

There is a lot of information in the above picture; what we will focus on is the following line:

The following lines tell you the number of messages you have sent and the number you have received. The point here is that the sent and received counts should be roughly equal.

Look at the following lines:

If the sent count is increasing and the TIMEOUT count is increasing too, this probably means you have an LMI mismatch.

Notice that the first line tells you what type of LMI you are using; in the following lines it uses Cisco LMI:

Back to our serial interface S0/1/0. In a Multipoint configuration we have to use the frame-relay map command:

As you can see above, there are many protocols you can map; we will map the IP protocol:

As you can see above, you type the destination IP address you want to reach, followed by the DLCI you want to use to get there. So we type the IP address of the destination, Router2, which is 192.168.1.2, followed by the LOCAL DLCI that Router1 uses to reach it, which is DLCI 102.

NOTE: if we are connecting from Router1 and need to add the Frame Relay map to Router2, but Router2 is not a Cisco device (maybe another vendor), we add extra information to the command that tells Router1 to use the industry-standard Frame Relay encapsulation:

The highlighted word, IETF, is the standard protocol used by all router types to communicate with each other.

Notice the broadcast keyword in the picture below, which allows Router1 to send broadcast traffic to Router2. We need it because Router1 may have to send routing table updates for RIP, OSPF or EIGRP, and by default a Frame Relay router like Router1 will not forward broadcasts across the link; if you leave out the following keyword, your routing protocols will not work over the Frame Relay network.

Now we add the second map, to reach Router3:

We use the following command to review the maps we have added on Router1:

As you can see, two maps are added; let's explain the first map:

The first one says: to reach IP 192.168.1.2, use DLCI number 102.

It is statically defined by the administrator and the broadcast keyword is turned on.

It uses Cisco as the Frame Relay encapsulation, which means the other side must be a Cisco router to be able to communicate, and its status is defined but Inactive. When you see Inactive it means the router at the other side is not yet set up to communicate.

NOTE: if you assign the map a DLCI that doesn't exist, it will show the status as Deleted; let's see:

Let's assign, for example, a DLCI and IP that don't exist in our Frame Relay network to Router1:

Let's show the map we have added, with its status:

As you can see, the DLCI status is Deleted; this means the service provider doesn't know what you are talking about, because you are sending information to DLCI 432, which doesn't exist.

Let's configure Router2:

Start by configuring the IP address on the serial interface of Router2 and enabling Frame Relay encapsulation:

Configure the map on Router2 so it can reach Router1:

Let's see the map status:

The first one says: to reach IP 192.168.1.1, use DLCI number 201.

It is statically defined by the administrator and the broadcast keyword is turned on.

It uses the Cisco Frame Relay encapsulation, which means the other side must be a Cisco router to be able to communicate, and its status is defined and Active.

Now if we ping Router1, the ping succeeds:

If we return to Router1 and check the status of the map that leads to Router2 at IP 192.168.1.2, it should by now be Active:

Now we configure Frame Relay on Router3:

Configure the Frame Relay map to reach Router1 through DLCI 301:

Now, after configuring the map to Router1, let's check by pinging the IP of Router1:

The ping works!

So let's check our maps on Router2 and Router3:

Router2 and Router3 both have the map and the DLCI number needed to reach Router1, and we are able to ping Router1 successfully.

One of the problems with Frame Relay Multipoint is that I can't ping from Router3 to Router2, or vice versa; the reason is that Routers 2 and 3 have no map for reaching each other.

If I ping from Router3 to Router2, the ping fails:

To make Router3 know how to reach Router2, and vice versa, they have to be told that their only route to each other is through Router1, as follows:

We check the map we added on Router3:

As you can see, the route to Router2 (192.168.1.2) is added with DLCI 301 to reach it, and its status is ACTIVE.

NOTE: if we ping now from Router3 to Router2, the ping will still fail, because Router2 is not able to reply: it has no map to reach Router3.

We add the map on Router2 so it can reach Router3:

Now if we run a traceroute from Router2 to Router3, it succeeds, as follows:

If we ping from Router2 to Router3, it succeeds, because Router3 knows how to reply to Router2 and Router2 knows how to reach Router3:

As we said before, the disadvantage of Multipoint-to-Point is split horizon. For example, if a small network is connected to Router3 and Router3 sends its routing table update to Router1, split horizon prevents Router1 from sending that update out of the interface it received it on, so Router2 will never get the update. We would have to turn split horizon off to allow that update to reach all routers on the network.

Point to Point Configuration:

You will notice in the Point-to-Point configuration that each router is in a different segment, or a different network, rather than all being in one network as in Multipoint.

Another thing to notice is that all the router addressing is set up on SUBINTERFACES, not on the physical interface. The reason is that Router1 has only one serial interface, so I have to connect the TWO PVCs to TWO sub-interfaces on Router1, with each sub-interface number matching the DLCI number for simplicity.

For Router2 and Router3 I also configured sub-interfaces instead of the physical interface, although they are connected to only one PVC each and could have used the physical interface directly. I do that for future design: if I later add more PVCs between Router2 and Router3, all I have to do is create more sub-interfaces rather than reconfiguring the whole design.

Now let's start with Router1 by configuring point-to-point Frame Relay:

We enter the physical interface S0/1/0, and the only command you type on that interface is the following, because everything else goes on the sub-interfaces:

Back in configuration mode, type the following:

As you can see, we accessed the sub-interface of S0/1/0 and created sub-interface 102 as a point-to-point link.

Let's add the IP address of that sub-interface as follows:

There is no frame-relay map command in the Point-to-Point configuration; instead we use the following command:

That command says: any time you are using sub-interface S0/1/0.102, make sure you use DLCI 102 as you go out. No map is necessary, and no broadcast keyword either.

Now we configure the other sub-interface on Router1:

We configure Router2:

We configure Router3:

If I check the map table on Router3:

You will notice that the sub-interface has a map for point-to-point using DLCI 301, and the broadcast feature is enabled by default.

If I try to ping from Router1 to Router2 and Router3, I am able to ping successfully:

If I ping from Router2 to Router3 I should be able to, because the EIGRP protocol is taking control of everything here, unlike the Multipoint design where I had to create a map to be able to ping from Router2 to Router3. If I check the routing table on Router2:

You will notice that EIGRP is advertising the network 192.168.2.0 at Router3 to Router2 through Router1; in the Point-to-Point design there is no split horizon problem.

If I ping from Router2 to Router3, it succeeds:

If I check the routing table on Router3:

You will notice that it has learned the network 192.168.1.0 via EIGRP.

We are also able to ping Router2:
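To make the split-horizon argument of the Multipoint and Point-to-Point sections concrete, here is an added Python model (not from the book) of routing updates over the page's lab: Router1 is the hub, and Router3 advertises 192.168.2.0. The interface names, the hop-count metric and the fixed number of update rounds are assumptions of the model, not EIGRP's real behaviour.

```python
"""Added example: does Router2 learn Router3's network through Router1?

Constructed model of the page's lab.  Each learned route remembers the local
interface it arrived on; split horizon forbids re-advertising a route out of
that same interface.
Multipoint:     both PVCs terminate on Router1's single interface S0/1/0.
Point-to-point: each PVC has its own sub-interface (S0/1/0.102, S0/1/0.103).
The hop-count metric and fixed update rounds are simplifications, not EIGRP.
"""
from typing import Dict, List, Optional, Tuple

# topology[router][neighbour] = local interface that reaches that neighbour
Topology = Dict[str, Dict[str, str]]
# tables[router][network] = (metric, interface learned on; None for a connected network)
Tables = Dict[str, Dict[str, Tuple[int, Optional[str]]]]


def build_topology(point_to_point: bool) -> Topology:
    """Hub Router1 with spokes Router2 (DLCI 102) and Router3 (DLCI 103)."""
    if point_to_point:
        return {
            "Router1": {"Router2": "S0/1/0.102", "Router3": "S0/1/0.103"},
            "Router2": {"Router1": "S0/0.201"},
            "Router3": {"Router1": "S0/0.301"},
        }
    return {
        "Router1": {"Router2": "S0/1/0", "Router3": "S0/1/0"},  # one shared interface
        "Router2": {"Router1": "S0/0"},
        "Router3": {"Router1": "S0/0"},
    }


def converge(topology: Topology, connected: Dict[str, List[str]],
             split_horizon: bool = True, rounds: int = 4) -> Tables:
    """Exchange periodic distance-vector updates between neighbours."""
    tables: Tables = {r: {n: (0, None) for n in connected.get(r, [])} for r in topology}
    for _ in range(rounds):
        snapshot = {r: dict(t) for r, t in tables.items()}  # all routers send at once
        for sender, neighbours in topology.items():
            for neighbour, out_iface in neighbours.items():
                in_iface = topology[neighbour][sender]
                for network, (metric, learned_on) in snapshot[sender].items():
                    if split_horizon and learned_on == out_iface:
                        continue  # never send a route back out the interface it came in on
                    candidate = (metric + 1, in_iface)
                    current = tables[neighbour].get(network)
                    if current is None or candidate[0] < current[0]:
                        tables[neighbour][network] = candidate
    return tables


LAB_NETWORKS = {"Router3": ["192.168.2.0/24"]}  # the page's "small network" behind Router3


def router2_route(point_to_point: bool,
                  split_horizon: bool = True) -> Optional[Tuple[int, Optional[str]]]:
    """Return Router2's entry for 192.168.2.0/24, or None if it never learned it."""
    tables = converge(build_topology(point_to_point), LAB_NETWORKS, split_horizon)
    return tables["Router2"].get("192.168.2.0/24")


if __name__ == "__main__":
    for p2p in (False, True):
        for sh in (True, False):
            design = "point-to-point" if p2p else "multipoint"
            print(f"{design:15} split-horizon={sh!s:5} Router2 route: {router2_route(p2p, sh)}")
```

Run stand-alone it prints one line per combination: the multipoint design with split horizon on is the only one in which Router2 never learns the network.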


Understanding Basic Concepts and Addressing in IPv6:

IPv6 Addressing:

The address size moved from 32 bits (IPv4) to 128 bits (IPv6); it is divided into 8 groups of 4 hex characters each. The following is an IPv6 example:

2001:0050:0000:0000:0000:0AB4:1E2B:98AA

You will notice that instead of the DOT (.) between the parts of the address, IPv6 uses COLONS (:), with each group being 4 hex characters, so one group starts from 0000 and ends with FFFF.

To manage that long address of 8 groups, there are simple rules to shrink the address down to something more manageable.

RULE 1: eliminate groups of consecutive zeros by using a double colon, as follows:

From 2001:0050:0000:0000:0000:0AB4:1E2B:98AA

TO

2001:0050::0AB4:1E2B:98AA

This rule can be used only once per address. You can see that we have three groups of zeros and we have eliminated them by replacing them with the double colon "::".

RULE 2: drop leading zeros, as follows:

2001:0050::0AB4:1E2B:98AA

TO

2001:50::AB4:1E2B:98AA

In Rule 2 we remove the leading zeros of each group, as you can see above, to shorten the address and make it more manageable.

IPv6 Header:

IPv6 provides a simpler header than IPv4, which needs less processing on the router than the IPv4 header.

The IPv6 header is bigger than the IPv4 header, meaning it actually carries more data, because our addresses are so big: the source and destination addresses are each 128 bits, while in IPv4 they are only 32 bits.

Types of Communication and Addresses:

In IPv6 there are only three types of messages:

1. UNICAST: one-to-one.

2. MULTICAST: one-to-many.

3. ANYCAST: one-to-closest.

You will notice that BROADCAST is not present in IPv6; it is replaced by MULTICAST.

In ANYCAST you are able to give multiple devices the same IP address. In the following example you will find two routers, Router1 and Router0, which are both given the same IP address on their Ethernet interfaces. When PC0 wants to access the Internet it may go through Router0 or Router1, whichever is closest to it; so if Router1 is closer than Router0, PC0 will access the Internet through Router1.

Another example you may observe in daily life is when you open a Google web page: it opens the page according to your language first, so if I am in Egypt and I type Google.com, it directs me to Google.com.eg, because that server is the closest to me, since I am in Egypt.

Types of Addresses in IPv6:

1. Link Local Address: this is the address you use to communicate within the Layer 2 domain; for example, if you have many PCs connected to the same switch, they use link local addresses to communicate with each other.

2. Unique/Site Local Address: in IPv4 we use private IP addresses in our organization's internal network so hosts can communicate with each other, because of the shortage of public IP addresses and because we can't buy every host PC a public IP address. This idea of using private IP addresses should have faded away in IPv6, because we have a massive IP range, but that didn't happen: in IPv6 you may use unique or site local addresses; it is just your option.

3. Global Scope Address: this is the Internet, or as some people call it Internet2; global scope addresses are public addresses.

Link Local Addresses (Details):

These addresses are assigned automatically to the PCs whenever they come online, meaning whenever they try to connect to the local network, whether or not they are able to reach a DHCP server. The address is generated automatically and assigned to the PC; it is similar to the 169.254.x.x address in IPv4 that a PC uses when it cannot find its DHCP server.

These addresses always begin with FE80 (the first 10 bits are 1111 1110 10), followed by 54 bits of zeros.

The last 64 bits are the 48-bit MAC address of the host with FFFE squeezed into the middle.

For example, if you have a PC with MAC address 0019.D122.DCF3, that is 48 bits; to stretch it to 64 bits, squeeze FFFE into the middle of the MAC address, so it becomes:

0019.D1FF.FE22.DCF3

FFFE is placed in the middle of the MAC address, so the D122 is split into two parts, D1FF and FE22.


Unique Local (RFC 4193) / Site Local Address (RFC 3513):

Unique Local is the new name for this type of address, and Site Local is the old name.

These addresses are used within an enterprise network to identify the boundary of the network, so this range is like the private IP addresses in IPv4, such as 192.168.x.x.

These addresses always begin with FC00 (the first 7 bits are 1111 110, followed by the L bit). You will notice that the first four bits are all ones, and the next three bits are 110, which together with the following bit give the hex digit C (1100). After that comes the L bit, the last bit of the first byte; it is 0 or 1 depending on you, and it is always set to 1 if the local addresses are assigned by you.

So our real first 8 bits are 1111 1101, which in hex is FD00, followed by two colons "::".

So all private IP addresses in IPv6 start with FD00.

In the picture above, after the first octet (8 bits) come the 40 bits of Global ID, where this ID is your company; every PC in your company has the same Global ID.

The next 16 bits are the Subnet ID, because you will have VLANs and subnets within your company.

Finally, the last 64 bits are just as we saw in the link local address: the 48-bit MAC address of the host with FFFE squeezed into the middle, or your own interface ID, such as an address in that field assigned from a DHCP pool, since there is a DHCP pool for IPv6.

Global Addresses:

The RFC standard says these addresses always begin with 2000 (the first 3 bits are 001); you will notice that the first hex digit, 0010, is the number 2.

The global routing prefix is 48 bits or less.

The Subnet ID is comprised of whatever bits are left over after the global routing prefix.

Finally, the last 64 bits are just as we saw in the link local address: the 48-bit MAC address of the host with FFFE squeezed into the middle, or your own interface ID, such as an address in that field assigned from a DHCP pool, since there is a DHCP pool for IPv6.

The primary addresses expected to comprise the IPv6 Internet are from the 2001::/16 subnet, meaning all ISPs that work with IPv6 now will start with 2001 at the beginning of the address.

If you want to see which sites have already migrated, do the following:

Go to Google and search as follows:

After that I choose a website that supports IPv6, as follows:

After that it switches you to another page that looks like the following; we choose the Unicast & bgp option and hit Submit:

The following results appear:

   Network             Next Hop               Metric      LocPrf  Weight  Path
*  2001:200::/32       2001:1888::1:12:2      4294967295          0       6939 2914 2500 i
*                      2001:1888::1:5:2       4294967295          0       278 2914 2500 i
*                      2001:4830:E0:4::1      0                   0       30071 2914 2500 i
*>                     2600:80A:50F::1        4294967295  300     0       701 2500 i
*                      2001:1888::1:27:2      0                   0       6175 2914 2500 i
*                      2001:1890:61:9113::1   4294967295  200     0       7018 2914 2500 i
*                      2001:1890:61:9013::1   4294967295  200     0       7018 2914 2500 i
*> 2001:200:136::/48   2001:1888::1:12:2      4294967295          0       6939 2516 7660 9367 i
*> 2001:200:600::/40   2001:1888::1:12:2      4294967295          0       6939 2516 7667 i
*> 2001:200:900::/40   2001:1888::1:12:2      4294967295          0       6939 2516 7660 i

You will notice that all the sites listed have 2001:xxx at the beginning of the address.

Configuring IPv6:

As you can see, each router is connected to its local network using a unique local address scheme; that is the private IP address in IPv6 that we will provide, and all of them start with 1FE0, just as in IPv4 the private addresses start with 192.168.x.x or 10.x.x.x; after that comes the group 1111. You will notice that the subnet mask is /32; the reason is the following:

As we said before, each group in IPv6 is 16 bits, while in IPv4 each group is 8 bits, so if we write the following IPv4 address with its subnet mask it looks like this:

192.168.0.0/16 means that the first group and the second group are 16 bits of ones in the subnet mask, so every PC on the network starts with 192.168.x.x, because the subnet mask is 255.255.0.0, which is /16.

In IPv6 it is different, as follows:

1FE0:1111::1/32 means that the first group and the second group are 32 bits of ones in the subnet mask, because each group is 16 bits, so every PC on the network starts with 1FE0:1111:…… because the subnet mask is FFFF:FFFF:0:0:……, which is /32.

So every PC on the local network starts with 1FE0:1111, and we have given the router interface the IP address 1FE0:1111::1/32.

On the WAN link we use a global IP address starting with 2001:210:10:1, because the subnet mask is /64; remember, as we said before, each group is 16 bits, so the first 4 groups do not change.

The local network on the right has the same description as the local network on the left.
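The leading-bit rules from the address type sections (FE80 link local, FC00/FD00 unique local with the L bit, 2000 global) and the /32 versus /64 masks explained here can be checked with this added Python code, which is not from the book; it uses the standard ipaddress module for parsing. Note that by the FC00/FD00 rule above, the lab's 1FE0:1111:: prefix is not in the unique-local range, so the classifier reports it as "other".

```python
"""Added example: classify an IPv6 address by its leading bits, using the
ranges given on this page (FE80::/10 link-local, FC00::/7 unique local with
the L bit, 2000::/3 global unicast, FF00::/8 multicast), and show which
16-bit groups a prefix length such as /32 or /64 fixes.  Parsing is left
to the standard-library ipaddress module."""
import ipaddress
from typing import Dict


def scope(addr: str) -> str:
    """Name the address type from its first bits."""
    bits = int(ipaddress.IPv6Address(addr))  # the address as a 128-bit integer
    if bits >> 120 == 0xFF:                   # 1111 1111 -> FF00::/8
        return "multicast"
    if bits >> 118 == 0b1111111010:           # 1111 1110 10 -> FE80::/10
        return "link-local"
    if bits >> 121 == 0b1111110:              # 1111 110 -> FC00::/7
        l_bit = (bits >> 120) & 1             # 8th bit: 1 means locally assigned (FD00)
        return "unique-local (L=1, FD00)" if l_bit else "unique-local (L=0, FC00)"
    if bits >> 125 == 0b001:                  # 001 -> 2000::/3
        return "global-unicast"
    return "other (not in the ranges above)"


def prefix_info(cidr: str) -> Dict[str, object]:
    """Which address groups a prefix length fixes, e.g. for 1FE0:1111::1/32."""
    net = ipaddress.IPv6Network(cidr, strict=False)  # strict=False: host bits may be set
    fixed_groups, extra_bits = divmod(net.prefixlen, 16)
    return {
        "network": net.with_prefixlen.upper(),
        "mask": str(net.netmask).upper(),
        "fixed_groups": fixed_groups,      # whole 16-bit groups every host shares
        "partial_bits": extra_bits,        # leading bits fixed inside the next group
        "host_bits": 128 - net.prefixlen,
    }


def same_network(cidr: str, host: str) -> bool:
    """True when host lies inside the network that cidr describes."""
    return ipaddress.IPv6Address(host) in ipaddress.IPv6Network(cidr, strict=False)


if __name__ == "__main__":
    samples = ("FE80::214:1CFF:FE14:112C", "FD00::1", "2001:210:10:1::1",
               "FF02::9", "1FE0:1111::1")  # constructed from addresses used on this page
    for a in samples:
        print(f"{a:28} {scope(a)}")
    print(prefix_info("1FE0:1111::1/32"))
    print(prefix_info("2001:210:10:1::1/64"))
```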


Accessing Router1:

First we enable IPv6 on the router, because by default it is not enabled, and we choose UNICAST mode; as we said before there are three types of communication, and in our scenario we use UNICAST:

Now we access interface f0/0 and assign it an IPv6 address:

You will find in the above picture that you may assign that interface a link-local address if you only want to communicate locally, or you may assign it an IPv6 prefix, as we will do now:

Now we access interface S0/1/0 to assign the WAN link IPv6 address:

Now we show our IPv6 interface table briefly:

In that picture you will find two addresses on FE0/0. The default address is FE80::214:1CFF:FE14:112C, which is the link local address, with FFFE squeezed into the middle of the MAC address; the other address is the one we configured manually. The status and the line protocol are both UP.

The same story applies to the serial interface S0/1/0.102: the default address is FE80::214:1CFF:FE14:112C, the link local address with FFFE squeezed into the middle of the MAC address, and the other address is the one we configured manually; the status and the line protocol are both UP.

Accessing Router2:

Configure IPv6 on the following interface:

So now we have configured IPv6 on the WAN link between the two routers; let's test the connection with the ping command:

You will find that we are able to ping Router1 through the Frame Relay WAN connection; now let's try to ping the local network of Router1:

You will find that none of the packets reach that network, because Router2 doesn't know about that network from Router1, so we need a routing protocol that works with IPv6.

IPv6 Routing Protocols:

In addition to static routing, nearly every routing protocol has been updated to support IPv6:

RIPng (RIP Next Generation).

OSPFv3.

EIGRP for IPv6.

IS-IS for IPv6.

MP-BGP4 (Multiprotocol BGP).

We configure RIPng on our network to exchange routing table information, accessing Router2 as follows:

First you have to enable router RIP for IPv6, followed by a tag, where you may type anything as a name or a number; in our scenario we type 1 as the tag.

You will notice that in RIP for IPv6 there is no network command to define which interface advertises which network; all you have to do is access the interface that you want advertised and enable the RIP protocol on it with the tag number you entered before (it must be the same), as follows:

So now what we have done is advertise the network connected to E0/0 to everybody else, by turning RIP on for that interface.

Now we go to interface S0/0.201 and enable the RIP protocol on it to start advertising:

Now we access Router1 and enable the RIP protocol on interfaces S0/1/0.102 and FE0/0:

Now we use the show commands to check whether the RIP protocol is working:

You will find above that the process ID is 1, and this RIP process is part of the multicast group FF02::9, which it uses in place of broadcast, since in IPv6 there is no broadcast. The administrative distance is 120, updates are sent every 30 seconds, and it is working on interfaces S0/1/0.102 and FE0/0.

You will find that Router2 has learned the network 1FE0:1111::/32 through the RIP protocol, via next hop FE80::214:1CFF:FE14:112C on interface serial0/0.201.

The same goes for Router1; it learns the local network from Router2:

Now let's ping from Router1 to Router2's local network:

You will find that we are able to ping successfully.

The Migration to IPv6:

How does one migrate to IPv6? Nowadays the technology exists to provide a smooth, unpressured transition, as the Internet moves to Internet version 2. There are three different strategies for migrating:

1. Dual Stack Routers.

2. Tunneling (6to4 & 4to6).

3. NAT Protocol Translation (NAT-PT).

Dual Stack Routers:

In this strategy we set up a router that runs both protocols, IPv4 and IPv6, at the same time, so IPv4 clients are still able to connect to the IPv4 Internet and IPv6 clients are able to connect to Internet2, the IPv6 Internet.

Tunneling (6to4 & 4to6):

In this case you are connected to the IPv6 Internet but your internal networks still run IPv4, so you create a tunnel, which is something like a VPN through the IPv6 Internet, that lets IPv4 traffic pass through it so the two IPv4 networks can communicate. The same goes for IPv6: if you have two IPv6 networks and the Internet between them is still IPv4, you may use a tunnel to let your networks communicate, as China and Japan are doing while migrating to IPv6, using this method to communicate with the USA through the IPv4 Internet.

NAT Protocol Translation (NAT-PT):

This is a special type of NAT that translates between the IPv4 and IPv6 protocols, so if I am an IPv6 client connecting to the IPv4 Internet I can NAT between those two versions, and the same goes if the client is IPv4 and the Internet is IPv6.
