You are on page 1of 60

ICND1

Interconnecting Cisco Networking Devices


By Tom Price

ICND1 Page 1

Network Foundations
22 October 2014
09:08

What is a network?
A network is a modern form of communication for humans.
Cisco is the 'debated' inventor of routers - the industry leader in network equipment.
Networks provide the infrastructure to transfer resources.
Common Network Equipment
Switches
Routers
Wireless Access Points
Client PC's and Servers
Cabling
Ethernet - used to connect PC's, servers to wall jacks/switches. 100m max distance. Cost efficient.
Fibre - gives much greater bandwidth than Ethernet and much greater distance. Used for connecting
servers to switches and fast Internet connections.
Serial - still used by ISP's to connect to a CSU/DSU. Being phased out and now uncommon.
Speed
Networks handle speed in bits per second (eg. 100Mbps).
Bit (smallest unit)
Byte (8 Bits)
Kilobyte (1024 Bytes)
Megabyte (1024KB)
Gigabyte (1024MB)
Terabyte (1024)
REMEMBER - dont get confused with megabytes per second (MBps) and megabits per second
(Mbps)...you would need to divide Mbps by 8 to give the MBps speed!!
Ethernet - has speeds of 10Mbps, 100Mbps, 1000Mbps (1Gbps) and 10Gbps.
Example of Network Speed
Imagine we have a 10Mbps network and we would like to save a 10MB picture to the file server.
10Mbps divide by 8 = 1.25MBps
10MB / 1.25 = 1.25 = 8 seconds
With the overhead of sending data in packets we would estimate the time taken to save the 10MB
picture would be 10 seconds!!!

ICND1 Page 2

OSI Model
22 October 2014
09:51

The OSI model is a network communication model.


It is a standard architecture defining network communication providing a system to "break down"
network communication.
Each layer has its own standards.
Protocols
OSI was an actual protocol and competed with TCP/IP protocol (like VHS and Betamax!).
Simpler addressing in TCP/IP and so TCP/IP was chosen as the standard.

OSI Model - 7 Layers


7

Application

Presentation

Session

Transport

Network

Data Link

Physical

Remember!!
**Please Do Not Throw Sausage Pizza Away**
Layers and their functions
Application - eg. Internet Explorer, Vuze, Firefox, Chrome, World of Warcraft
Presentation - makes data generic. Eg. turns pics into GIF's, does encryption. Enables receiving
application understand.
Session - maintains the session and keeps the process alive.
Transport - how data is sent - the application decides. TCP/UDP are main protocols used (ICMP for
ping). Data apps would use TCP for reliability as provides acknowledgments (ack's). Voice/Video uses
UDP for speed and not fussy if a packet or two is dropped - however Voice is affected by jitter.
Transport layer uses ports - destination and source. Eg. Port 80 for HTTP.
Network - logical addressing - IP addresses. Routers sit here.
Data Link - physical addressing - MAC addresses. Switches sit here.
Physical - bits sent over the wire. Network cable, NIC cards.
Note
Routers and switches also need to be able to send bits (Layer 1).

Example
Make an online payment via Bank Website
1. Application - log into the Banks website using Internet Explorer.
2. Presentation - converts data into standard required by the Web server regardless of the
browser used. HTML, GIF etc.
3. Session - was started when we logged into website.
4. Transport - needs to be reliable - TCP!! Adds destination port so the receiving web server
ICND1 Page 3

4. Transport - needs to be reliable - TCP!! Adds destination port so the receiving web server
knows which app the data is for - HTTPS 443. Adds source port (dynamic/random port) so the
bank web server can send ack's back to tell us payment has been made!
5. Network - used DNS to find out IP address of the Bank website. Uses source and destination IP
addresses.
6. Data Link - needs source and destination MAC address. Computer sees that bank website IP is
in a different network and so sends an ARP request for the default gateway (router) MAC
address and PC sends request for router to forward onto Bank web server.
7. Physical - here the bits are sent over the wire through each router etc.
NOTE
Switches sit at Layer 2 - Data Link.
They learn physical addresses (MAC). Hubs worked at the physical layer but could not learn MAC
addresses and just flooded all ports with broadcasts.
Routers sit at Layer 3 - Network.
They look at IP addresses and use their Routing table to decide where to send.

ICND1 Page 4

TCP/IP Model
12 November 2014
11:04

The TCP/IP network model is a four-layer model. It is effectively a reduced version of the OSI model.
However, the OSI model is more widely used as it breaks down the network layers into greater
depth and gives a better explanation of data flow.
TCP/IP Model

Application

Transport

Internet

Network Interface

Spells NITA!
Layers and their functions
Application - defines TCP/IP protocols and how programs interface with transport layer. Eg. HTTP,
Telnet, DNS, FTP
Transport - provides session management and transport protocol. Eg. TCP, UDP, ICMP, RTP.
Internet - packages data into IP datagrams and performs routing. Eg. ARP, IP.
Network Interface - how data is physically sent through the network. Eg. Ethernet, Token ring

How the layers map between both models...

Ethernet Frame Diagram

Preamble
8

Destination
6

Source
6

Type
2

Data
46-1500

A runt is a frame which is less than 64 bytes in size and a giant is a frame which is greater than 1518
bytes in size...both are discarded by a switch! !

ICND1 Page 5

FCS (CRC)
4 bytes

Straight-Through, Crossover and Rollover Cables


23 January 2015
10:34

Different devices require different cables when connected together in a network!


Two simple rules to remember!
1. When devices are different then a straight-through cable is used.
2. When the devices are the same then a crossover cable is used.
Router to Router Crossover
Switch to Switch Crossover
PC to Router

Crossover

PC to Switch

Straight-Through

Switch to Router Straight-Through


Switch to Hub

Crossover

Straight-Through Cables
These are used to connect computers, printers to a switch or hub (a client to a host).
Pin 1 to Pin 1
Pin 2 to Pin 2
Pin 3 to Pin 3
Etc

Crossover Cables
These are commonly used to connect two hosts together. Eg. Router to Router, Switch to Switch or PC to PC.
Pin 1 to Pin 3
Pin 2 to Pin 6
Pin 3 to Pin 1
Pin 4 to Pin 7
Pin 5 to Pin 8
Etc

ICND1 Page 6

Rollover/Console Cables
These are used to connect a PC to a switch/router for management purposes.
Pin 1 to Pin 8
Pin 2 to Pin 7
Pin 3 to Pin 6
Pin 4 to Pin 5
Etc

ICND1 Page 7

IP Addressing
22 October 2014
10:23

IPv4
32 bit address
Consists of four octets - 0 to 255 - eg 192.168.0.100 (In binary =
11000000.10101000.00000000.01100100 = 32 bits)
Combines with default gateway and subnet mask.
Eg.
IP Address: 192.168.0.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1

Example of how IP addresses are used


Ping to test connectivity between two PC's on same network
PC1 (192.168.0.4) types 'ping 192.168.0.5' in command prompt. This is IP address of PC2.
This initiates an ARP request which is sent to the switch. The switch then sends this to all ports apart
from the port PC1 is connected to. PC2 with the address 192.168.0.5 sends back its MAC address
using a Unicast message. PC1 then sends the actual ping to PC2 once it knows its MAC. The switch
also remembers the MAC addresses of each device and the port which they are connected to.
MAC address - 12 character (48 bit or 6 byte) hexadecimal address (eg. 1E:4T:FG:15:6F:8D). Each
character is 4 bits (eg 1001). These are assigned to each NIC (network interface card).
They have to be unique on the LAN (and they should be when assigned by manufacturer!) but in
theory they could be the same on different LANs across a WAN link.
Default Gateway - is a router which takes us off our network and onto the Internet (or just another
subnet within our network.)
NOTE
If the above ping was sent to a device which was on a different network to our own (eg.
11.25.200.46) then PC1 would have recognised that this IP is in a different network and would have
sent an ARP for the MAC address of its default gateway (router).

Moving around Layer 2 & 3


Switches - sit at Layer 2 - only use MAC addresses
Routers - sit at Layer 3 - use IP addresses
However, we do have L3 Switches which can remember IP addresses.
When sending data routers strip off the MAC addresses and adds a new source and destination MAC
address.
IP addresses never change in the packet.
Default Route (0.0.0.0)
If a router does not know the route it sends it to the Internet/ISP router.
BGP - Border Gateway Protocol - this holds all of the routes for the Internet!! Knows everything!!
Useful command - arp -a - this shows all devices on the LAN (IP and MAC address).

Assigning IP Addresses
Static
ICND1 Page 8

Static
Servers, Routers, printers.
We can rename network connections to give a meaningful name (Go to Ctrl Panel -> Network
Adapter -> Advanced).
DHCP
This is a server role - we define an IP address scope - eg. LAN PC's.
When PC's boot up they send a broadcast for IP address. The DHCP server is listening using ports
67,68.
We can add exclusions into scopes for any IP addresses which we may have defined statically (and
also add reservations too). A router can also be a DHCP server.
DHCP Relay
If we have lots of remote offices we can run DHCP from a central point. We can enable DHCP relay
on a router to allow DHCP broadcasts to grab IP addresses from the main office server. As
remember...routers discard broadcasts by default

ICND1 Page 9

Public and Private IP Addresses


22 October 2014
11:15

Private - not routable on the Internet!!


10.0.0.0

->

10.255.255.255

172.16.0.0

->

172.31.255.255

192.168.0.0 ->

192.168.255.255

Automatic (APIPA)
Assigned when PC cannot contact DHCP server.
169.254.0.0 ->

169.254.255.255

Loopback (ping) (127.0.0.1)

127.0.0.0

->

127.255.255.255

Special Addresses
The first address of the subnet is the network ID.
The last address of a subnet is the broadcast address.
Eg.
Network ID = 192.168.1.0/24
Broadcast = 192.168.1.255
NAT is used so private addresses can be used on the Internet. It translates all private addresses to
the external IP address given by your ISP.

ICND1 Page 10

Classes of Addresses
22 October 2014
11:24

Default Subnet Mask


Class A 1 - 126

255.0.0.0 (/8)

Class B

128 - 191 255.255.0.0 (/16)

Class C

192 - 223 255.255.255.0 (/24)

Class D 224 - 239 (multicast addresses)


Class E

240 - 254 (experimental addresses)

Classfull addressing is where we use the default subnet mask as above.

Cisco advises not having a network with >500 devices due to broadcast traffic!
Classless Addressing
This is where we can use a Class C subnet mask with a Class A network.
Eg.
Class A network - 10.0.0.0
Subnet Mask - 255.255.255.0 (This gives us 254 useable addresses)
Types of messages
Unicast - message sent to 1 device
Multicast - message sent to a group of devices (devices tune into a specific IP address in the class D
range)
Broadcast - message sent to all devices

ICND1 Page 11

How Applications Speak - TCP & UDP


22 October 2014
11:47

Transport Layer (Layer 4)


TCP and UDP are the primary transport layer protocols used today.
UDP - says "I hope it got there!"

TCP - says "I know it got there!"


TCP uses a 3 way handshake (SYN then SYN,ACK then ACK) to establish connection.
UDP (User Datagram Protocol)
Less reliable than TCP.
Used in VOIP and Video - real-time - no need to resubmit lost packets.
DNS uses UDP as it is very fast. Nslookup - tell me the IP address of a hostname!!
DNS - destination port would be 53 for any DNS requests. A random source port would be assigned
eg. 50001.
DNS is a simple answer and question - there is no confirmation of whether the question or answer
was received.
TCP (Transmission Control Protocol)
TCP uses a 3 way handshake to establish the connection. It uses acknowledgments to ensure
packets have been received. HTTP is TCP based - ensures webpages load completely!
3 Way Handshake process
1. PC1 sends a SYN to PC2 with sequence number 1000
2. PC2 receives the SYN and sends back a SYN, ACK with sequence number 5000 and ack = 1001
3. PC1 then receives the SYN,ACK and sends an ACK to PC2 with ack = 5001
The handshake process uses sequence numbers that increment when sending data.

Note:
The ACK is always 1 more than the sequence number (see above for example!)
TCP Communication always starts with a 3 way handshake before any actual data is transmitted.
1. SYN,
2. SYN + ACK
3. ACK
TCP adds source and destination port to each packet.

TCP Windowing
This is the process where data is sent in groups of packets to speed up a download/copy process.
Eg. You'll notice when we save a large file to a file server it will initially say '10 hours' then '6 hours'
etc to copy. This is because sending PC will gradually increase the number of packets it sends at one
time until the server says "No...that's enough packets...don't send any more than that at any one
time"...and so the PC will stop increasing the number of packets it sends at one time. This is why the
ETA always varies.
Flow Control Methods
- Windowing - see above!!!
- Buffering - where devices store incoming traffic in a memory queue, to be processed when
possible.
- Congestion Avoidance - is used during peak time where networks drop low priority traffic to
maintain faster processing of higher priority traffic such as Voice or Video.

ICND1 Page 12

Common TCP and UDP Port Numbers


22 October 2014
13:09

Common TCP Ports


21

FTP

22

SSH

23

Telnet

25

SMTP

53

DNS Server

80

HTTP

110

POP3

443

HTTPS

Common UDP Ports


53

DNS Client

69

TFTP (Trivial File Transfer Protocol)

We can use port numbers to restrict access. Eg. Block Internet access - port 80, 443.
Need these ports allowed on the firewall if we are allowed the traffic.

FCS (Frame Check Sequence)


This is a hash added to the end of each TCP packet. It tells us if the frame is good/not corrupt!
Also called CRC (Cyclic Redundancy Check).
Data names at different Layers...
Segment -> Application
Packet -> Network
Frame -> Data Link

ICND1 Page 13

Switching
22 October 2014
13:39

Hubs
-

1980's
Uses CSMA/CD - to recover from collisions
Sit at the physical layer
One collision domain
Half duplex - only 1 person can send or receive at any one time
No intelligence!
- The hub sends all packets to all network ports (broadcast)
- No security

Bridge
- 1990's
- Broke network into multiple collision domains
- Limited ports
- Separated hubs
- Learned MAC addresses (sit at layer 2)
- Software based - was very slow (not ASIC based like cisco routers/switches)

Switch
-

2000's
Every port is its own collision domain - eg. 24 port switch will have 24 collision domains
Full Duplex - everyone can send and receive at the same time!
ASIC based (Application Specific Integrated Circuit) - hardware based and very fast.
Varying port speeds Eg. 100Mbps, 1000Mbps
Managed, Intelligent - can configure ports, VLAN's etc
Learns MAC addresses of all connected devices
Fibre Optic
- Common to connect switches together
- Need SFP module on switch
- Multi mode - plastic, cheap
- Single mode - glass, expensive
CAM Table (Content Accessible Memory)
- Stores MAC addresses and the associated port/interface the device is connected to
- Empty when the switch boots up
- Takes approx. 5 seconds for the switch to learn all MAC addresses of connected devices!

ICND1 Page 14

How a Switch behaves


22 October 2014
14:34

Example
When a PC pings another PC using IP address on same network
- ARP broadcast (FFFF:FFFF:FFFF is the broadcast address) is sent to find out MAC address of
PC2 using its IP address.
- This is sent to all ports on the switch.
- Port with the matching IP replies with its MAC address using Unicast message
- Switch learns the MAC address of the sender & receiver of the ping message - stores the MAC
address and Port/interface in its CAM table!
- Entries in the CAM have a lifespan of 5 minutes.

Broadcast domains
If we have several switches connected together we still only have 1 broadcast domain.
Each port would still be in its own collision domain.

Layer 2 Switching Methods


Store-and-Forward Switching
The switch copies each Frame into it's memory and performs a CRC check (Cyclic Redundancy Check)
for errors. If a CRC error is found then the Frame is discarded. If the Frame is error free then the
switch forwards the frame out of the relevant interface.
Bad CRC
A Frame is discarded if it is smaller than 64 bytes in length, a runt, or if the Frame is larger than 1518
bytes in length - called a giant.
This method ensures high level of error-free network traffic.

Cut-Through Switching
The switch copies into memory only the destination MAC address which is located within the first 6
bytes of the Frame. The switch then looks up the MAC address in its CAM table and forwards out of
the relevant interface. This method reduces delay as the Frames are not checked for errors and are
forwarded as soon as the MAC address is read and the outgoing interface determined.
However, bad frames are still forwarded. The destination will receive this bad frame and then
performs a CRC and realises it is bad, and will then request for it to be re-sent. This wastes
bandwidth and can cause slow network performance.

NOTE
Todays switches are better suited for a store-and-forward environment.

ICND1 Page 15

Cisco IOS
22 October 2014
16:45

The Interconnect Operating System (IOS)


- Command line method to configure devices
- Consistent through nearly all cisco devices
- It is software like MS Windows, OSX, Linux.
Console Connection
- Allows us to configure a Cisco device using console cable and terminal program eg. Putty
- Console cable - RJ45-to-serial
- Console ports are normally 'blue'
1.
2.
3.
4.
5.

Get a console cable


Connect to PC serial port
Connect RJ45 end to console port on switch
Get a terminal program eg. Putty.
Set it to connect via COM port
a. BAUD rate = 9600
b. Data Bits = 8
c. Parity = None
d. Stop Bits = 1

NOTE - configuring the incorrect BAUD rate results in unreadable characters on screen while
accessing the Cisco CLI!
IOS Command Modes
Switch>

User Mode (User Exec)


Basic View - cant do any configuration
Enable (en)

Switch#

Priveleged Mode (Priv Exec)


More commands available (eg. Show running-config) but
still cannot configure
Configure terminal (conf t)

Switch(confi
g)#

Global Config mode


Can do all configuration, configure ports, VLANs,
hostname, IP addr etc.

Use the 'tab' key to suggests commands.


Use '?' to tell us available commands.
CTRL + Z exits all modes

ICND1 Page 16

Base Configuration
22 October 2014
17:01

Initial Switch Configuration


- Switches can work straight out of the box
- Choose 'No' at the initial config question
Name the Switch
- Switch> Enable
- Switch# conf t
- Switch(config)# hostname Toms-Switch
Negate Commands (use 'no')
- Switch (config)# no hostname
Console Password
- Switch(config)# line console 0
- Switches only have 1 console port
- Switch(config-line)# password cisco
<- REMEMBER THIS LINE
- Switch(config)# login
Telnet Password (manage remotely)
- Switch(config)# line vty 0 15
- Switch(config-line)# password cisco
- When looking at running config it will show 0-4 and 5-15 vty ports...this is because cisco
devices only used to have telnet 5 ports.
- We dont need to use 'login' here as this is already enabled for vty ports.
Enable Mode Password (Priveleged mode)
- Switch(config)# enable secret cisco
- We could have used enable password but this does not encrypt the password and could
be seen as clear text in the running config.
Encrypt Passwords (only line of sight - easily cracked)
- Switch(config)# service password-encryption
This encrypts all passwords including vty and console.however these are easily
cracked and only to prevent line of sight attacks.
Other Useful Commands (for the console line)
The below command stops the console session from timing out!
- Switch(config)# line con 0
- Switch(config-line)# no exec-timeout
This stops all status alerts from inserting into any command we may be typing!
- Switch(config)# line con 0
- Switch(config-line)# logging synchronous
Management (VLAN) IP Address
A switch needs an IP address to be managed remotely. Default VLAN is VLAN 1.
We need to create a VLAN interface called an SVI (Switch Virtual Interface) .
- Switch(config)# interface vlan 1
- Switch(config-if)ip address 10.1.1.10 255.255.255.0
All VLANs interfaces are shutdown by default...need to enable interface.
- Switch(config-if)# no shutdown
ICND1 Page 17

- Switch(config-if)# no shutdown
- The interface will then change to up
Default Gateway
For us to manage the above switch we would need to be logged onto a PC in VLAN 1 in the same
subnet.
So to manage the switch from another network we would need to configure a default gateway. If
we need to do troubleshooting on a switch (eg. Ping, tracert) then we need this configured.
- Switch(config)# ip default gateway 10.1.1.1
Shutdown Unused Ports
It is good practice to shutdown an unused ports to prevent people from plugging in infected laptops
etc to the network.
- Switch(config)# int range fa0/10 - 15
- Switch(config-if-range)# shutdown
This shutdowns all ports in the range 10-15!
Logon Banner
We can create a banner message to be displayed for all logins.
- Switch(config)# banner motd + *****CENTRESOFT NETWORK - SWITCH 1*****+
- NOTE: '+' is the delimiting character...anything we type in between the + will be used as
the banner!!
- We could have used banner login but this only displays when there is login
required/configured for the connection.
Saving Configurations
Running config is saved in RAM...which is volatile and lost if switch is rebooted!
Startup config is stored in NVRAM...which is non volatile and safe if switch loses power!
- Switch# copy running-config startup-config
OR
- Switch# write memory (this method is no longer officially supported!)
SSH (Secure Shell)
Telnet is not secure! None of the communication is encrypted - all in clear text! We could use
Wireshark to intercept packets and find out passwords etc...still difficult to do though as we would
need to still gain access to the switch.
SSH is secure and communication is encrypted...so it is the preferred method of remote working!
Uses certificates...Eg. Website has a certificate with a public and private key. It hands us the public
key so we can encrypt our session key! We then send our encrypted session data over the Internet
to the website which can decrypt the data using the private key!! The switch/router works in the
same way...
1. Configure hostname
2. Configure domain name
a. Switch(config)# ip domain-name nugget-lab.com
3. Generate encryption keys
a. Switch(config)# crypto key generate RSA 1024
4. Create local user accounts
a. switch(config)# username user secret cisco
5. Choose to allow telnet + SSH
a. Switch(config)# line vty 0 15
b. Switch(config-line)# transport input ssh telnet
6. Enable local logins
a. Switch(config-line)# login local
We then use SSH client to connect eg. Putty.

ICND1 Page 18

Network Time Protocol (NTP)


04 November 2014
15:51

Each Cisco device has a clock! Its important that we have the correct time on the device as we
sometimes have to check logs on the device and need to track certain events etc and so time is
important! Another practical use to make sure we have the correct time is when we look at running
configurations...we can see the last time the config was edited and by who!
We can set a cisco device as an NTP server or client.
1. To configure an NTP server
a. R1(config)# clock set 12:00:00 4 Nov 2014
b. R1(config)# ntp master 3
i. We simply set the time on the device, set device as master and other devices will
pull the time from this device! The number is the stratum number.
2. To configure an NTP client
a. R2(config)# ntp server A.B.C.D
i. We specify the IP address of the server. We can also just use Windows servers as
the server.
ii. We can use the prefer command too if we want to set several time servers.
To verify NTP we can use the below commands
- R2# show ntp status
This tells us which server the device is synchronized to
- R2# show ntp associations
This tells us how many ntp servers we have configured for the device and which was is
set as preferred/master and info about these ntp servers.

NTP Stratum - this is the measure of hops away from the source.

ICND1 Page 19

Configuration Backups
23 October 2014
10:31

Creating a backup
We can use TFTP to backup switch configs.
1. Download and install TFTPD32 - freeware.
2. Ensure port 69 inbound is allowed on PC firewall.
3. Ensure Everyone group has access to the save file location in TFTPD32.
4. Switch# copy running-config tftp
5. Enter IP address of PC you are copying config to.
Restoring a backup
Make sure you are connected via Ethernet and the switch/router has an IP address...may need to
assign one before we restore config (eg. Assign management IP of switch).
1. Switch# copy tftp running-config

ICND1 Page 20

Port Security
23 October 2014
10:36

BYOD - Bring Your Own Device


Common for users laptop to have a virus/Trojan etc and potentially infect the network! Users
bringing in these devices can also slow down the network/Internet!
Port Security allows us to restrict connections to the LAN in two ways
- Number of MAC addresses allowed per port (stops a user plugging in a hub with multiple
devices)
- What MAC address is allowed on a port (only allows users to plug in approved devices)
We can react in 3 ways if one of the above conditions is broken

- Shutdown -> ERR-DISABLE - Shuts down the port!


- Protect -> Ignores any device which MAC is not allowed
- Restrict -> Same as Protect but adds info to the event logs
Restricting by number of MAC addresses allowed
We will configure a port to only allow 1 MAC address on the port...
- Switch(config)# int fa0/14
- Switch(config-if)# switchport mode access
- Switch(config-if)# switchport port-security maximum 1
- Switch(config-if)# switchport port-security violation shutdown (or protect/restrict)
- Switch(config-if)# switchport port-security
This command turns on port security!!!
We could set this number to 2 if we had PC and IP phone.
Restricting by MAC addresses
- Switch(config-if)# switchport port-security mac-address sticky
This will use the address of the currently connected device. If we then plug in another
device then this will cause a violation! Instead of sticky we could just enter the MAC
address (show mac address-table - can find MAC address here)
Useful Commands
- Switch# show port-security
This will show us any ports with port-security enabled and any violations etc
- If a port has been shut down if we do a show ip int brief the port status will show as ERRDISABLE
We then need to 'shutdown' and then 'no shutdown' the port to bring it back up!

ICND1 Page 21

Switching - Day to Day


23 October 2014
10:59

Network is slow...
Its common for users to complain that the network is slow!!
This can be due to speed and duplex issues on the switch.
Switches are set to auto-detect speed and duplex but with 100Mbps switches it is always best to
hard code them!
Most of the time auto-detect works fine...if both switch interface and PC network adapter are set to
auto-detect.
Duplex Mismatch (causes Late Collisions!!!)
Network issues normally lie with 'duplex' where one side is set to full-duplex and the other side set
to half duplex - normally where the devices have been unable to auto-detect!! If a switch interface
(100Mbps) fails to auto-detect then it will default to half-duplex!! This has been fixed in 1Gbps
switches!!! This results in slow performance as packets drop and collide with high frequency.
This is called a duplex mismatch. It is normally on routers/switches where we need to look at the
config.
To solve we simply hard code both devices as full duplex.
100Mbps devices -> Hard code them!! Router, switch, server.
1000Mbps devices -> Auto (leave as auto-detect)

Speed and Duplex Config


- Switch(config)# int fa0/1
- Switch(config-if)# speed 100
- Switch(config-if)# duplex full

NOTE - If we hard code either speed or duplex then we must hard code both of them!
On the Server/PC we would go into the Network Adapter settings -> Advanced and choose the
Speed/duplex option and set it there.
Troubleshooting slow networks
This is normally due to collisions on the network.
- Switch# show interface fa0/14
Here we can see the duplex/speed settings on that interface and confirm that it is set to
100Mbps and full etc.
We can also see that the interface is up and packets dropped/collisions!! We should
never see collisions!!
- Collison - this happens within the first 32 bytes (should only occur on hubs in a half-duplex
environment).
- Late Collision - this happens >32 bytes - this is normally due to a duplex mismatch!!

CRC errors - CRC hash is added to each packet to confirm integrity.this is normally a faulty
network cable! Also when there is "excessive noise"!!
Finding devices
Ping IP address of device and then do an arp -a command to find out MAC address.
We can then go to the switch and view the MAC address table
- Switch# show mac address-table | mac-address
- Extended Ping
If we type ping and press enter we can then specify several other parameters. EG.
Protocol, repeat count, timeout period, datagram size.

ICND1 Page 22

VLAN's and Trunks


23 October 2014
12:10

A "Normal Switch"
- Multiple collision domains (Eg. 24 port switch will have 24 collision domains)
- One broadcast domain (inc. switches which are daisy chained)
- One IP network subnet for all of its hosts
Eg. 192.168.1.0/24
- One failure domain
- Limited security
VLAN Foundations
- A VLAN logically groups users
It can separate a switch into separate networks
- It segments the broadcast domain
Will only broadcast on its own VLAN
- Offers subnet correlation
Eg. 192.168.1.0/24 and 192.168.2.0/24
- Access control
- Quality of service (QoS)
We can give VLAN's higher priority than another (eg. Voice over internet)
- Can give us Layer 3 control - L3 Switch!
- Switch adds a Frame tag which identifies which VLAN id the frame belongs to - these are
carried over trunk links between switches
- VLAN's limit broadcast propagation!
Trunk Ports
A trunk carries all VLAN's and is used to connect switches together.
Normally set to 1Gbps ports.
Flexibility of VLAN's
- Can group devices together. Eg
Servers in a VLAN
Computers in a VLAN
Phones in a VLAN
- Can separate buildings/office into separate VLAN's
Feels good and reduces broadcast traffic!
- Can separate Ethernet and WiFi traffic.
- Server Virtualization. Eg...
We can setup a trunk on the interface connected to the DHCP server
Server can then communicate with all VLAN's, devices and saves us having a server on
each VLAN

ICND1 Page 23

VTP and 802.1Q


23 October 2014
12:45

VTP and 802.1q


Trunking is the ability to link multiple switches together and pass VLAN info between them. Aka
tagging.
- Trunking places VLAN info into each frame (4 bit).
- 802.1Q is the language used to tag packets with VLAN info.
- Trunking is a Layer 2 feature (Data Link).
Native VLAN
This is used to send info between switches which is not tagged with VLAN info.
- Eg. Telnet, SSH and CDP traffic.
The native VLAN must match on connecting switches. As default the native VLAN is 1.
If the native VLAN's on switches do not match then we have a native VLAN mismatch. We could
have a situation where VLAN 10 is the native VLAN on one switch and VLAN 20 is the native VLAN on
another switch. And so, both of these VLANS would be sending unnecessary broadcasts to each
other due to the native VLAN mismatch!!
We configure the native VLAN on trunk port.
Eg. To change the native vlan to VLAN 2
switch(config)#int fa0/20
switch(config-if)#switchport trunk native vlan 2

Note
802.1q does not encapsulate Ethernet frames. Instead it inserts a header after the destination and
source MAC address!

VTP (VLAN Trunking Protocol)


VTP is actually not a trunking protocol...should be called a discovery and replication protocol!!
It replicates all VLAN's across all switches.
Must be careful when connecting switches as all switch configs will be replaced with the latest "rev"
version!!
Each time we make a change on a switch the "rev" version increases and will update on all other
servers which are clients and servers.
VTP revisions survive config resets (write erase).
VTP works through a common domain name on all switches.

**Cisco does not recommend VTP!!**


- This is because it can be easily misused and can cause serious network outages
For example we could accidentally connect a lab switch to the live network and
cause all VLAN's to be deleted!!
- Always best to manually create VLAN's on each switch.

VTP Modes
Server (Default)
- Gives the power to change VLAN info
- Sends and receives VTP updates
- Saves VLAN config
Client
ICND1 Page 24

Client
- Cannot change VLAN info - gets updates from the server
- Sends and receives VTP updates
- Does not save VLAN config
Transparent (Turns VTP Off!)
- Power to change VLAN info
- Forwards (passes through) VTP updates
- Does not listen to VTP updates
- Saves VLAN config
VLAN Pruning
This keeps unnecessary broadcast traffic from crossing trunk links. Traffic will only be
forwarded across a trunk link if that VLAN exists on the switch.
Only works on VTP Servers.
- All switches need to be servers.

ICND1 Page 25

Configuring VLAN's
23 October 2014
12:59

Reminder - we use VLAN's to separate users and devices to reduce broadcast traffic.
1. Create VLAN's and name
a. Switch# show vlan brief
i. This gives a breakdown of all VLAN's
b. Switch(config)# vlan 50
c. Switch(config-vlan)# name SERVERS
2. Assign ports to VLAN's
a. Switch(config)# int fa0/10
b. Switch(config-if)# switchport mode access
c. Switch(config-if)# switchport access vlan 50
i. VLAN's will show down in 'show ip int brief' if there are no active ports in the VLAN
Useful command
We can also use the show vlan id x command to tell us what ports are tagged to that VLAN.
Switch# show vlan id 10

VLANs = IP Subnet = Broadcast Domain


Note - VLAN's are stored in a database called VLAN.dat. The database survives a write erase and
so to completely delete we need to run the below..
- Erase startup-config
- Delete vlan.dat
- Reload
VLAN Interfaces
On L3 switches we can create VLAN interfaces for each VLAN so they can communicate without a
router.
As remember - each VLAN is a different network/subnet and we need a L3 assistant to be able to
communicate.
- Switch(config)# int vlan 50
- Switch(config-if)# ip address 10.1.50.10 255.255.255.0
- Switch(config-if)# no shutdown
We could now set the above IP as the default gateway of a PC to communicate on our network. Has
to be a L3 Switch.

Configuring VLAN's on Mulitple Switches (using VTP)


1. Set VTP name and Mode and password
a. First we need to disable dynamic mode on all ports to stop them trying to be a trunk
i. Switch(config)# int range all ports
ii. Switch(config-if-range)# switchport mode access
b. Now we set the name and mode
i. Switch(config)# vtp domain CBT
ii. Switch(config)# vtp mode server
iii. Switch(config)# vtp password cisco
2. Configure Trunk ports
a. Switch(config)# int fa0/1
b. Switch(config-if)# switchport mode trunk
ICND1 Page 26

b. Switch(config-if)# switchport mode trunk


3. Create VLANs and name
a. See previous!
4. Assign ports to VLANs
a. See previous!
NOTE
- Transparent mode disables VTP
- New switches will auto join the domain and download VLAN's etc so thats why its important
we disable dynamic mode on each port!

Best practice is not use VTP and create VLANs manually on each Switch!!
To Turn Off Trunking...
...use the switchport mode access command!!!

ICND1 Page 27

Dynamic Trunking Protocol (DTP)


03 November 2014
09:10

Dynamic Trunking Protocol allows for the creation of trunks between two switches. When two
connected ports are configured in dynamic mode, and at least one of the ports is configured as
desirable then the two switches will form a trunk across the link.
- Switch (config-if)# switchport mode dynamic desirable/auto

DTP is enabled by default on all modern switches. However this is bad design as we could have ports
forming trunk links and causing a security risk.
The best thing is to disable DTP!!

Configure all ports as access ports. We can then configure any trunk ports as we need them which is
best practice
- Switch(config-if-range)# switchport mode access
However, even when a port is statically configured as an access port as above, DTP is still active on
the port. If we setup a trunk between two switches in different VTP domains then we would get the
below error...
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP
domain mismatch.
DTP advertisements include the VTP domain name and so the trunk will not form if the VTP domain
names are different. We can kill DTP once and for all with the below command
- Switch(config-if)# switchport nonegotiate
This prevents DTP packets from being sent.

ICND1 Page 28

Routing Overview
23 October 2014
13:23

Routing is the process of moving IP packets between IP-based networks.


- Eg. Move data between two networks via a Cisco router
192.168.1.0/24 and 192.168.2.0/24
Two different networks
- Packets not destined for its own network will be routed by its default gateway!
When a packet is sent for an outside network it is sent to the router (the default gateway).
- The router looks at the packet and see's that it is not for itself (by IP address) and then looks at
its routing table.
- It will know where to forward next due to the routes stored in its table (static, OSPF or default
route etc)

Note
When packets go over a serial data link (across a WAN) they do not add the source and destination
MAC Address. They use HDLC or PPP. HDLC uses the Type field in a packet so receiving devices can
see what is encapsulated. It uses L2 headers for any next hop routers in a path.
Routers
- CEF enhanced (Cisco Express Forwarding) - software based - (not ASIC based like Switches)
very fast and powerful
- Not as fast as switches!!
- IOS is the brain-power behind the routing process
- Popular model is 2800 series
- Normally 1U - take up 1 space on a rack
- Normally have 2 Ethernet interfaces
- WIC - Wan Interface Card to receive Internet line from the outside.
- 'Blue' ports are console ports
Process Switching/Fast Switching/CEF
- Process switching requires the CPU to be personally involved with every forwarding/routing
decision. It is like doing math, long hand! You have to work out the route each time.
- Fast Switching still uses the CPU, but once a packet has been forwarded it stores info about
how to reach the destination in a fast-switching cache. When another packet goes to the
same destination the cache is used...so the processor does not have to re-compute the route.
- Cisco Express Forwarding (CEF) is the evolution of optimizing the router to make it able to
forward more packets faster. CEF builds a Forwarding Information Base (FIB) and contains
pre-computed reverse lookups and next hop information. CEF is like having programmed an
Excel spreadsheet. As soon as the numbers hit the cells, the answer is already calculated!

Base Config of a Router


SAME AS SWITCH CONFIG!!
- Set hostname, console password etc.
- However, all interfaces are set to shutdown by default - remember to use 'no shutdown'
- Routers support more telnet sessions
- Set IP Address for interface/interfaces
Eg. For interface facing the internet and facing our own network will need IP addresses
assigning.
- Set default route (0.0.0.0)
Ip route 0.0.0.0 0.0.0.0 fa0/1
This sends any traffic which we dont know to the Internet...let our ISP router find
the route!
ICND1 Page 29

the route!
Configuring a Loopback Interface
Loopback interfaces are very common on Cisco routers as they allow for management, logging and
authentication. They are logical interfaces that are 'always up'. They are not tied to any physical
interface and therefore cannot go down unless they are administratively shutdown.
- R1(config)# interface loopback 1
- R1(config-if)# ip address A.B.C.D 255.255.255.0
We can use 'no' command to remove the interface.

ICND1 Page 30

Routing Data Between VLAN's


23 October 2014
14:55

- VLAN's are a L2 feature


- Hosts on different VLAN's cannot speak directly without a L3 assistant!

...this is where the Router comes in!


Option 1 - Using separate interfaces
We can have the router connected to ports on the switch which are assigned to each VLAN on the
switch.
This is not used anymore as if we had 10 VLANs on a switch then we would need 10 physical
connections from the router to the switch which is just not practical.

Option 2 - Using single interface and trunk ports


This is called Router-on-a-stick. We have 1 physical connection from the Router to the Switch.
We create sub-interfaces on the router - one for each VLAN and set the port on the switch
connecting to the router as a trunk port.
Example
We have 1 router, 1 switch, 2 VLAN's (VLAN10, VLAN20)
1. Create sub interfaces on router for each VLAN
Router(config)# int fa0/0.10
2. Set encapsulation using dot1q to allow VLAN 10 traffic in this case
Router(config-if)# encapsulation dot1q 10
3. Set IP address of interface (same range as all PC's in VLAN etc)
a. Router(config-if)# ip address 10.1.1.100 255.255.255.0
4. Set the interface on the switch to a trunk port
a. Switch(config-if)# switchport mode trunk
b. Switch(config-if)# switchport trunk allowed vlan 1,10,20
We would then need to do the same for VLAN20!
NOTE: Make sure you do a "no shutdown" on the physical interface too!! EG. Fa0/0

Option 3 - Layer 3 Switch


A Layer 3 Switch can handle IP addresses and so removes the need for a router! The switch does all
of the routing.
We simply create interfaces for all VLANS on the switch (like we did for the Management VLAN) and
assign suitable IP Address!
Cisco 3550 is an example of a L3 Switch.
This option is much faster than using a router-on-a-stick as it has ASIC (Application Specific
Integrated Circuitry) support - routes at wire speed.

ICND1 Page 31

VLAN Routing on Layer 3 Switch


03 November 2014
09:18

Not much different here.


1. Create the VLANs and VLAN interfaces (SVI - Switch Virtual Interface) on the L3 switch (all
client PC's in each VLAN have the VLAN interface IP address as it's default gateway)
2. Then create a default route (0.0.0.0 etc) to the routers connected interface on the switch.
Make sure we have an interface configured for the connection from the L3 switch to the
router (use ip routing and no switchport command on switch interface to router to give L3
functionality).
See below for more info...

http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3intervlanrouting.html

ICND1 Page 32

Configure Router as DHCP server


23 October 2014
16:49

1. Create DHCP pools


a. Router(config)# ip dhcp pool SALES
b. Router(dhcp-config)# network 192.168.20.0 255.255.255.0
c. Router(dhcp-config)# default-router 192.168.20.1
d. Router(dhcp-config)# lease 7 0 0

So...we would have SALES VLAN 20 configured on a switch.and we would have an interface
configured on the router with IP address 192.168.20.1 255.255.255.0 (or we would use a L3 switch
with VLAN interfaces configured). The lease command defines how long the assignment will last for
until the router reassigns the IP address (lease days hours minutes). The command is optional...the
default lease is 1 day.
We can also set DNS server by using dns-server A.B.C.D command.
Any PC which is connected to a port in VLAN 20 would pick up an IP in the 192.168.20.xx range!!
Excluded Addresses
We can exclude addresses so that they are not used in any DHCP pools.
- Router(config)# ip dhcp excluded-address 192.168.20.10 192.168.20.20
This would exclude any addresses in the range 192.168.20.10 - 20!

DHCP process (DORA!)


1.
2.
3.
4.

The client sends a discover message.


The server sends an offer message.
The client sends a request message.
The server sends an acknowledgment message.

ICND1 Page 33

External Authentication Methods


12 November 2014
13:54

We can use a server that routers and switches can use to authenticate logons to. This provides a
central location of a user directory, authentication auditing and access control...it is much easier to
manage.
We can either use a RADIUS or TACACS+ server.
RADIUS Server
- Uses UDP
- Encrypts only the password during transmission
- Combines authentication and authorization
- Is open standard and more interoperable than TACACS+
- Uses less memory and CPU cycles on routers
- Offers interoperability...it's supported by everyone!
- Excellent performance - very light on routers and switches
TACACS+ server
- Uses TCP
- Encrypts the entire session
- Separates Authentication, Authorization and Accountability.
- Only supported by Cisco
- Uses more memory than RADIUS
- Offers excellent security - more secure than RADIUS as whole session is encrypted
- Flexibility - TCP is much more flexible than UDP and can do much more in advanced networks
Most Enterprise networks use RADIUS over TACACS+ as it is light on routers/switches and everything
supports it!!

ICND1 Page 34

IP Subnetting
23 October 2014
16:54

Binary basics
- IPv4 address is a 4 octet address
- Class A, B, C
A = 255.0.0.0
B = 255.255.0.0
C = 255.255.255.0
- 8 bits in a byte with values as below

128

64

32

16

- A bit is a 1 or 0...on or off!!

Subnetting based on number of networks


Example 1
Class C: 195.5.20.0
Need: 50 networks

1. Determine number of networks and convert to binary


a. 50 = 00110010 = 6 bits
2. Reserve bits in subnet mask and find increment
a. 255.255.255.0 = 11111111.11111111.11111111.00000000 = 11111111.11111111.11111111.11111100 = 255.255.255.252 = /30
b. Increment is lowest network bit = 4
3. Use increment to find network ranges
a. Lowest network bit = 4
192.5.20.0 -> 195.5.20.3
192.5.20.4 -> 195.5.20.7
195.5.20.8 -> 195.5.20.11
195.20.12 -> 195.5.20.15
Example 2
Class A: 10.0.0.0
Need: 100 networks
1. Determine number of networks and convert to binary
a. 1000 = 11 11101000 = 10 bits
2. Reserve bits in subnet mask and find increment
a. 255.0.0.0 = 11111111.00000000.0000000.00000000 = 11111111.11111111.11000000.00000000 = 255.255.192.0 = /18
b. Increment is lowest network bit = 64
3. Use increment to find network ranges
a. Lowest network bit = 64
10.0.0.0 -> 10.0.63.255
10.0.64.0 -> 10.0.127.255
10.0.128.0 -> 10.0.191.255
10.0.192.0 -> 10.0.255.255
10.1.0.0 -> 10.1.0.63.255
10.1.64.0 -> 10.1.127.255
10.1.128.0 -> 10.1.191.255
.

4. Hosts = 2^14 -2 = 16,382


Networks = 2^8 = 256

Subnetting based on host requirements


Same as before but this time we save the host bits as zeros (count from the right hand side)!!
Example 1
Class C: 216.21.5.0
Hosts: 30 per network
1. Determine the number of hosts and convert to binary
a. 30 = 00011110 = 5 bits

ICND1 Page 35

2. Reserve bits in subnet mask and find increment


a. 255.255.255.0 = 255.255.255.11100000 = 255.255.255.224 = /27
b. Increment is the lowest network bit = 32
3. Use increment to find network ranges
a. Increment = 32

216.21.5.0 -> 216.21.5.31


216.21.5.32 -> 216.21.5.63
216.21.5.64 -> 216.21.5.95
216.21.5.96 -> 216.21.5.127
216.21.5.128 -> 216.21.5.159

4. Hosts = 32 -2 = 30
Networks = 2^3 = 8

Subnet Zero
You may have noticed the ip subnet zero default command in running config. The subnet zero (or zero subnet) is the first subnet of a subnetted network.
EG. Class B: 172.16.0.0. Need 50 hosts per network.
1. Hosts = 50 = 00110010 = 110010 = 6 bits
2. Subnet mask = 255.255.11000000.000000
3. Ranges
a. 172.16.0.0 -> 172.16.31.255
b. 172.16.32.0 -> 172.16.63.255
c. 172.16.64.0 -> 172.16.95.255
d. 172.16.96.0 -> 172.16.127.255

The first subnet would be subnet zero.

ICND1 Page 36

VLSM - Variable Length Subnet Masking


24 October 2014
13:52

We can use several different subnet masks if we need several networks of different sizes.
We would this exactly in the same way accept we work out the subnet mask for the biggest
network first (number of hosts) and then work out the next biggest etc.
Example
Network ID: 192.168.1.0/24
Number of networks = 3
Hosts per network = 60, 30 20
Start with the largest subnet first...then work your way down in host size.

So the biggest network here is 60.


1. 60 = 00111100 = 6 bits
2. 255.255.255.0 = 255.255.255.11000000 = 255.255.255.192 = /26
a. Increment = 64
3. Inc = 64, so the range for this network is...
192.168.1.0 -> 192.168.1.63
Hosts = 2^6 -2 = 62
Networks = 2^2 = 4
The next biggest network is 30
1. 30 = 00011110 = 5 bits
2. 255.255.255.0 = 255.255.255.11100000 = 255.255.255.224 = /27
a. Inc = 32
3. Inc = 32, so the range for this network is.remember to carry off where the 1st network
ended
192.168.1.64 -> 192.168.1.95
The next biggest network is 20
1. 20 = 00010100 = 5 bits
2. 255.255.255.0 = 255.255.255.11100000 = 255.255.255.224 = /27
a. Increment = 32
3. Inc = 32, so the range for this network is.remember to carry off where the 1st network
ended
192.168.1.96 -> 192.168.1.127
Hosts = 2^5 -2 = 30

NOTE: Variable Length Subnet Masks allow us to make more efficient use of available IP addresses.

ICND1 Page 37

Routing and Static Routes


27 October 2014
12:06

Purpose of Routing

- Stopping broadcasts - helps reduce traffic (eg. DHCP requests, ARP requests)
- Find the best possible path to a destination
- Move unicast traffic between networks
Allows PC's on different subnets to communicate directly
Static Routing
Routers have no config out of the box!! They only know how to connect to networks configured on the router!!
Each router has to have each network defined on an interface to be able to talk back and forth.
Static routes allow us to "educate" the router to new places
Eg. We can tell a router how to connect to a subnet which is not configured on the routers interface.

Default route acts as "catch-all"...it sends any traffic which it does not have a route for to the Internet.
RULE - the more specific a route is the better...it will be chosen first!!
Example
1. Router(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2
2. Router(config)# ip route 0.0.0.0 0.0.0.0 68.25.121.199
Route 1 would be chosen by the router as it is more specific...it states that the network is class C as it supplies a
more specific subnet. If a more specific subnet mask appears in the routing table then that route will take
precedence.

USEFUL COMMAND
- Show ip route
This shows every network which the router know how to reach.

Configure a Static Route

- R1(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2


Dest Network Subnet Mask Interface of connected router

- R2(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.1


Dest Network Subnet Mask Interface of connected router

Static Routes are good for small networks with a couple of offices.
They dont work so well for larger networks as there are more routers, networks involved and would require lots of
ICND1 Page 38

They dont work so well for larger networks as there are more routers, networks involved and would require lots of
config on each router!

ICND1 Page 39

Routing Protocols
27 October 2014
12:30

Routing protocols allow routers to tell connected routers of it's known routes!
- "Tell your friend what you know!!"
- Each router in a network tells all the other routers about it's networks.
They are/offer
- Dynamic - automatically build routing table
- Redundancy - can have several routes in case a path is lost...failover automatically
- Best path - based on what protocol is used they can automatically determine best path (they
use a metric).

Link State vs Distance Vector protocols


Distance vector protocols simply use the shortest route (fewest hops)to the destination regardless
of the connection speed. Link state will track the state and connection speed of each link and will
choose the fastest route. Link state protocols do require more processing power on the router
because of its awareness of connection speeds etc. Link state protocols converge quickly and build
topology tables. Distance Vector protocols simply update the local routing table when updates are
received from it's neighbours.

RIP
- Like Fiat Punto!! Not Fast!!
- Default "Hello" advertising cycle is 30 secs
Says hello and tells routers about its routing table every 30 secs...not efficient!
- Recovery - 90 secs
- Metric - best path - uses hop count - number of routers - not efficient!!
- Only pro is that all devices support it!
- Distance Vector protocol
- Inefficient as it keeps sending full routing table even if there has been no changes!
- RIPng for IPv6

IGRP
- Cisco created to replace RIP
- Now obsolete as "hello" was set to 90 secs and recovery set to 270 secs!!
- THIS PROTOCOL CAN BE IGNORED!!

OSPF
-

Open Shortest Path First


Most popular routing protocol
Like a Corvette!! Does routing very well!!
Uses Dijkstra's Algorithm!
Default hello is 10 secs
After initial hello it only says "Hi" to each router instead of the whole routing table...if
the routing table changes it will tell the router of the change...it is efficient!!
Metric: cost/bandwidth <- uses fastest speed!
100/bandwidth. Eg. 100/1.44 (Mbps) = 69.4444
Uses the fastest route (which would be the lowest value)!!!
Maintains a topology map

- Link state routing protocol


- OSPFv2 for IPv4

OSPFv3 for IPv6


ICND1 Page 40

- OSPFv3 for IPv6

IS-IS
- Like a 1967 Corvette!!
- Was competitor to OSPF - used for OSI!!
OSPF won as it was used for TCP/IP
- Excellent protocol!!
- Rarely used...requires expertise!!

EIGRP
-

Like a Ferrari!!
Very fast protocolbut uncommon.
Created by Cisco for Cisco...easy to configure.
Metric - can include reliability, MTU, delay on packets...uses 'K' value.

BGP
-

Border Gateway Protocol


Like a Hummer!! Not fast but very robust!!
Used for the Internet
Handles thousands of routes
Not for LAN's...used in ISP's

NOTE:
We can use a mixture of each protocol in our network.if a router has learned routes via different
protocols then administrative distance is used. This tells us how believable the routing protocol is.
Administrative Distances
Each protocol has an administrative distance to tell us how believable it is!
RIP

120

IS-IS

115

OSPF

110

EIGRP

90

BGP

20

Static Route

Connected Interface 0

ICND1 Page 41

Configuring OSPF
27 October 2014
16:10

How to get OSPF working


On Router 1
1. Turn on OSPF
a. R1(config)# router ospf 1
i. The 1 is the Process ID (1-65535)...just use 1! The process ID is just the same as on
Windows...each program has an ID so we can kill it via task manager etc...they
don't need to match other routers and only have local significance.
2. Tell it what interfaces to use and what networks to advertise the command does

both things!!!!
Best practice is to define the exact IP address of the interface we want to send hello packets
on.
Areas must match. Areas define how many routers to cover - summarize entries in the routing
table (eg. 192.168.0.0/16 instead of 192.168.1.0/24 and 192.168.2.0/24).
a. R1(config-router)# network 192.168.2.0 0.0.0.255 area 0
i. BUT IT IS BETTER TO DEFINE THE EXACT INTERFACE IP...
1) R1(config-router)# 192.168.2.1 0.0.0.0 area 0
The wildcard bits tell us to "ignore the zeroes and look at the ones!!"
The above commands turns on "hello" packets on that interface and
also advertises 192.168.2.0 network to it's neighbours!

On Router 2
1. Turn on OSPF
a. R2(config)# router ospf 1
2. Tell it what interfaces to use
a. R2(config-router)# network 192.168.2.2 0.0.0.0 area 0

HOWEVER.still more to do...


Each router above already knows about those two networks as they are directly connected on those
interfaces!!
ICND1 Page 42

interfaces!!
We need to advertise the 192.168.1.0 network on R1 and the 192.168.3.0 network on R2. You will
see from the diagram that there is no need to send hello packets on those two interfaces as there
are no routers attached to those networks...we just need to advertise the route. We can do this by
configuring the interfaces as passive interfaces. This advertises the route but does not send "hello"
packets on the interface.

On Router 1
1. Set interface as passive
a. R1(config-router)# passive interface fa0/0
2. Tell it to advertise network
a. R1(config-router)# network 192.168.1.1 0.0.0.0 area 0

On Router 2
1. Set interface as passive
a. R2(config-router)# passive interface fa0/0
2. Tell it to advertise network
a. R2(config-router)# network 192.168.3.1 0.0.0.0 area 0

Now we're all done!!


The 192.168.1.0 and 192.168.3.0 networks are now being advertised but are not sending "hello"
packets which is what we want. The 192.168.2.xx interfaces are sending the "hello" packets to
inform each router of the 192.168.1.0 and 192.168.3.0 networks!!

**USEFUL COMMANDS**
- R1# show ip ospf neighbour
This tells us if the router has any neighbours and tells us the dead timer of a connected
router
- R1# show ip route
Will tell us of routes established by OSPF
- R1# show ip protocols
See if OSPF is enabled
- R1# debug ip ospf packet
Can see 'hello' messages
- R1# show ip database
Shows us the OSPF link states

Router ID
The router ID is the highest (loopback) IP address configured on a router (unless a router ID has been
manually configured). If no loopback IP address is set then the Router uses the highest IP address
configured on its active interfaces.

CDP (Cisco Discovery Protocol)


We can use the Cisco Discovery Protocol to see information about connected devices.
You may need to issue the CDP run command if none of the commands work.
R1# Show cdp neighbours detail
- This will tell us the IP address and outgoing/incoming ports of any attached devices!!
R2# Show cdp entry *
- Again this tells us the IP address and outgoing/incoming ports of any attached devices!!

Route Preference
Be aware that a more specific subnet mask beats administrative distance!!
So... an RIP /26 learned route will beat an EIGRP /24 learned route!!!
ICND1 Page 43

Designated Router (DR) and Backup Designated Router (BDR)


A DR is a router chosen within an OSPF area where all other routers exchange their routing
information with...instead of exchanging their routing info with all router across the area...a central
point for exchanging OSPF routing information!!
On LANs, DR and BDR have to be elected. Two rules are used to elect a DR and BDR:
1. router with the highest OSPF priority will become a DR. By default, all routers have a priority of 1
2. if there is a tie, a router with the highest router ID wins the election
The router with the second highest OSPF priority or router ID will become a BDR.

ICND1 Page 44

Access Control Lists


28 October 2014
11:07

An access list is a list of permit and deny statements.


Eg.

Permit 192.168.2.50
Deny 192.168.1.0/24
Permit TCP port 80 for 200.1.1.1

Access lists are a matching mechanism.


They can be used for
- Access control
- NAT
- Quality of service
- Demand dial routing
- Policy routing
- Route filtering

Using ACLs for Security


- Enter global config mode and then interface mode
R1(config-std-nacl)# permit 10.1.5.1
Deny 192.168.1.53
Permit 172.30.0.0/16
*IMPLICIT DENY*
- The list is read from top to bottom and stops at the first match.
- There is an implicit deny at the end of the list.all IP's are denied access unless there has been
a permit statement in the list!
- An ACL can be applied to an interface inbound or outbound.
- Inbound is traffic coming into the router
- Outbound is the traffic coming out of the router

BE CAREFUL WHEN APPLYING AN ACCESS LIST


- Be sure you have applied in the correct direction!!

ICND1 Page 45

Standard and Extended Access List - Overview


28 October 2014
11:23

Standard
- Matches based only on source address
- Lower processor utilization
- Affect depends on application
Eg. Deny 10.1.1.1, permit 10.1.1.2
- Apply as close to the destination as possible!
Extended
- Matches based on source/destination IP address, protocol, source/destination port number
Eg. TCP/IP - TCP allow, UDP deny, ICMP allow
- Higher processor utilization
- Syntax takes some time to learn
- Apply as close to the source as possible!
Reflexive (established)
- Allows traffic to be returned for any requests made from our local network
Eg. Users accesses Google.com - the webpage would be allowed to be sent
back/received.

ICND1 Page 46

Configuring and Applying Standard Access Control Lists


04 November 2014
09:22

Scenario

**Assume all Ethernet ports are Fa0/0**


Remember that there are two stages to creating an access list
1. Configuration
2. Application

Example 1
Use a standard access list to block 10.1.1.1 from reaching 10.1.1.6 and 192.168.1.0/24.
- After looking at the network diagram I can see that we need to block R3 from reaching R1. Remember standard
access lists can only block source IP address - in this case 10.1.1.1. We need to go as close as possible to the
destination so we are not affecting any other network flow. In this case it will be best to create the access list on
R1 and apply on S0/0 inbound.
1. Configuration
R1(config)# access-list 1 deny host 10.1.1.1
- Each line we create in an access list has a sequence number which determines the order in which rules are
evaluated. We can squeeze lines in where necessary!
- Remember there is an implicit deny at the end of an access list.
- We need to add a permit any statement.
R1(config)# access-list 1 permit any
- This will add another step to the access list before the implicit deny!
Configuration is now done!!
ICND1 Page 47

Configuration is now done!!

2. Application
We need to apply the access list to S0/0 inbound on R1.
R1(config)# int s0/0
R1(config-if)# ip access-group 1 in
- Important we apply this in the correct direction!
ALL DONE!! We have now configured and applied the access list. We would test by pinging and using telnets etc.

Example 2
Use a standard access list to block access to the 192.168.1.0/24 from 192.168.2.128/25
1. Configuration
Get as close to the destination as possible. Looking at diagram it will be best to create the access list on R1 and
apply on the Fa0/0 interface outbound.

R1(config)# access-list 2 deny 192.168.2.125 0.0.0.127


- Here we are using a wildcard mask so we can block a network instead of a host.
- To get the wildcard mask we just subtract the subnet mask from 255!
- Remember to add the permit any command!
R1(config)# access-list 2 permit any
Config now done.
2. Application
We need to apply the access list to Fa0/0 outbound on R1
R1(config)# int fa0/0
R1(config-if)# ip access-group 2 out

All done...we would test with pings etc to ensure all working OK!

Example 3 - Named Access Lists


Use a standard access list to block 192.168.2.50 from reaching the 10.1.1.1 WAN IP address.
1. Configuration
Looking at the diagram it would be most efficient to apply on R2 S0/1 outbound. We could apply on R3 S0/0
inbound but this would be creating unnecessary network traffic.
R2(config)# ip access-list standard BLOCK_PC2_ACL
- If we use the ip access-list command then we can give it a meaningful name!! Must better way to create
access lists!
R2(config-std-nacl)# deny 192.168.2.50
R2(config-std-nacl)# permit any
- Remember this!!
2. Application
We need to apply to R2 S0/1 outbound.
R2(config)# int s0/1
R2(config-if)# ip access-group BLOCK_PC2_ACL out
- The name is case sensitive
ALL DONE!! Again test with pings etc to ensure we have desired effect.

Using Standard ACL's to limit Telnet and SSH access


We can create a standard access list and apply to the vty lines using the access-class command.
Eg. We would like to permit only the 10.1.1.0/24 to be able to telnet/SSH to R1.

R1(config)# ip access-list LIMIT_SSH_TELNET


R1(config-std-nacl)# permit 10.1.1.0 0.0.0.255
R1(config-std-nacl)# deny any
R1(config)# line vty 0 15
ICND1 Page 48

R1(config)# line vty 0 15


R1(config-line)# access-class LIMIT_SSH_TELNET in

All done!!

ICND1 Page 49

Configuring and Applying Extended Access Control Lists


05 November 2014
08:58

Remember that extended access control lists gives us more flexibility and control...we can block using
source/destination IP address, protocol, source/destination port number!!

Scenario

**Assume all Ethernet ports are Fa0/0**

Example 1
Use an extended ACL to block 192.168.1.0/24 from reaching 192.168.2.128/25.
- We need to apply as close to the source as possible...and so in this case it would be most efficient to apply on R1
Fa0/0 inbound!
1. Config
R1(config)# access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.127
- Extended access lists have a number between 100-199...or we could just use ip access-list command to
create a named access list.
- Source address comes first and then destination address
R1(config)# access-list 100 permit ip any any
- Remember we need the permit any statement

2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group 100 in
All done...we can test with pings.

Example 2
Block 192.168.1.50 from reaching 192.168.2.50 on https or http.
- In this case we can just edit the previous access list! We will need to insert the commands to block http and https
before the permit any statement. We can do this using the sequence number...use show ip access-list to see what

ICND1 Page 50

before the permit any statement. We can do this using the sequence number...use show ip access-list to see what
sequence number we should use.
1. Config
R1(config)# ip access-list extended 100
R1(config-ext-nacl)# 11 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80
R1(config-ext-nacl)# 12 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443
This will add two commands before the permit any command to block http (80) and https (443)!!

To test we could telnet to 192.168.2.50 from 192.168.1.50 on port 80 and 443.


- Telnet 192.168.2.50 80/443
We can then run the show ip-access-list on R1 to see how many packets have been dropped!
2. Application
We already applied the ACL in Example 1 :).

Example 3
Permit 192.168.2.0/25 to access 10.1.1.1 using only telnet and SSH.
- We need to configure as close to the source and so it will be most efficient to configure and apply on R2 Fa0/0
inbound. Telnet port is 23, SSH is 22.
1. Config
R2(config)# ip access-list extended R3_TELNET_SSH
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 22
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 23
R2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.127 host 10.1.1.1
- This denies all other traffic from 192.168.2.0 as we only want to allow SSH and Telnet as per above
commands!
R2(config-ext-nacl)# permit any any
2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group R3_TELNET_SSH in
All done!! Just to confirm that the 192.168.2.0 would still be able to access the 192.168.2.128 network...it can still go
through R3...just simply only able to telnet and SSH the 10.1.1.1 WAN Ip address!! The 192.168.2.128 network is a
completely different subnet/network!

Example 4
Block 192.168.1.0/24 from reaching any WAN IP address.
- So we need to block access to 10.1.1xx...all of the WAN links!
- Apply as close to the source as possible and so it will be best to apply on R1 Fa0/0 inbound.

1. Config
R1(config)# ip access-list extended BLOCK_WAN
R1(config-ext-nacl)# deny ip 192.168.1.0. 0.0.0.255 10.1.1.4 0.0.0.3
R1(config-ext-nacl)# deny ip 192.168.1.0. 0.0.0.255 10.1.1.0 0.0.0.3
R1(config-ext-nacl)# permit ip any any
2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group BLOCK_WAN in
NOTE
The 192.168.1.0 will still be able to access all of the LAN networks...eg 192.168.2.0 and 192.168.2.128...which is what we
want! The network will just be unable to contact the WAN IP's directly! They can still pass through them though.

Example 5
Permit access to 192.168.2.50 using only SMTP (25), POP3(110) and IMAP(143) from anywhere.
- As we do not know the source we will need to apply as close to destination as possible.so it would be most
efficient to apply on R2 Fa0/0 outbound.
1. Config
R2(config)# ip access-list extended EMAIL_FILTER_R2
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 25
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 110
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 143
R2(config-ext-nacl)# deny ip any host 192.168.2.50
- Ensure we get no other traffic coming to 192.168.2.50 (as imagine it is an email/Exch server)
ICND1 Page 51

- Ensure we get no other traffic coming to 192.168.2.50 (as imagine it is an email/Exch server)
R2(config-ext-nacl)# permit ip any any
- We need this command as we would have other PC's/devices on the 192.168.2.0 network and we wouldn't
want to block all traffic to these devices!
2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group EMAIL_FILTER_R2 out
All sorted!! Test with pings etc...
NOTE:
We can also use 'gt' or 'lt' instead of 'eq' if we want to specify a port with is greater than or less than the port specified.
Eg.
R2(config-ext-nacl)# permit tcp any host 192.168.20.50 gt 100
- This would allow all traffic to host 192.168.20.50 on a destination port greater than 100.

Editing Access Lists


To edit an access list we can use the ip access-list command and then enter the relevant sequence number to insert the
new command (or delete by using the no command). We would first use show ip access -list command so we can see the
current sequence numbers in the access list
R2# show ip access-list
Extended IP access list BLOCK_TRAFFIC
10 permit tcp any any
20 permit udp any any
We will now insert a command to allow ICMP traffic...
R2(config)# ip access-list BLOCK_TRAFFIC
R2(config-ext-nacl)# 15 permit icmp any any
R2(config-ext-nacl)# exit

If we issue another show ip access -list command we will see the command has been inserted between the previous two
entries
R2# show ip access-list
Extended IP access list BLOCK_TRAFFIC
10 permit tcp any any
15 permit icmp any any
20 permit udp any any
To remove a line from an access list we can issue the no command as follows in ACL config mode
R2(config-ext-nacl)# no 20
- This would remove just the '20 permit udp any any' line

To remove an access list completely we would issue the below command in global config mode
R2(config)# no access-list BLOCK_TRAFFIC

Access Control List Logging


We can add the log option to any access list which will then log any denied packets. Its does not log any packets which
have been permitted.
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 25 log

ICND1 Page 52

NAT Concepts
10 November 2014
09:08

Network Address Translation


- Translates private addresses to public addresses!!
- ISP's do not allow private addresses to be routed on the Internet.
- This is where NAT comes in!
How NAT works
There are 3 types of NAT
- PAT
- Dynamic
- Static

PAT (Port Address Translation)


This is very common and used everywhere! It translates many private addresses to 1 public
address!!
1. PC (192.168.1.10) attempts to access webpage on the Internet (Eg. Cisco.com).
2. A source port is generated (eg. 6711) and is added to the request.
3. The request for the webpage is received from the router which realises it is a private address
with a source port.
4. The router then translates the address to the assigned public address for the network and
attaches the source port.
5. This is then sent to Cisco.com over the Internet
6. Cisco responds back to the public IP address which included the source port.
7. The request then hits the router which can redirect it back to the PC using the source port!
Source port = any number between 1 - 65,535!
Dynamic NAT
This creates one-to-one mappings.
- We can have a pool of private and public addresses and do one-to-one mappings.
- Eg. 10 public and 10 private IP's.
- We don't save any IP addresses in this case
- Used for overlapping addresses - where we temporarily use the same private IP address in an
organisation - router sits in between and does NAT.
- Not used very often!
Static NAT
This also creates one-to-one mappings.
- Eg. Used for a mail server or a web server.
MX record (A/www record for website) points to the public IP
On the internal router we configure it to forward port 25/80/443 traffic to the internal IP
of the mail server/web server
Called port forwarding

ICND1 Page 53

NAT Configuration
10 November 2014
09:24

Scenario

PAT
1. Do the base config on a router!
2. Configure interfaces on the router.
- R1(config)# int fa0/0
- R1(config-if)# ip address 192.168.1.1 255.255.255.0
- R1(config)# int fa0/1
- R1(config-if)# ip address dhcp
3. Setup DHCP scope
- R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
- R1(config)# ip dhcp pool LAN
- R1(dhcp-config)# network 192.168.1.0 255.255.255.0
- R1(dhcp-config)# dns-server 8.8.8.8
- R1(dhcp-config)# default-router 192.168.1.1
Note - some routers will auto-configure the default route if we have configured the WAN
interface to use DHCP.
4. Identify our interfaces (inside and outside)
- Show ip int brief
- R1(config)# int fa0/0
- R1(config-if)# ip nat inside
- R1(config)# int fa0/1
- R1(config)# ip nat outside
5. Identify our inside IP addresses
- 192.168.1.0/24
- Here we use an access list
- R1(config)# ip access-list standard INSIDE_NAT_ADDRESSES
- R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
6. IP NAT Connection Command
- R1(config)# ip nat inside source list INSIDE_NAT_ADDRESSES interface fa0/1 overload
The overload command enables PAT
Without this it would only allow 1 addresses to be NAT'd - this is dynamic NAT
ICND1 Page 54

Without this it would only allow 1 addresses to be NAT'd - this is dynamic NAT

Static NAT
- R1(config)# ip nat inside source static 192.168.1.51 208.53.91.7
IP of server

Public IP Address

- Can add in port numbers to direct traffic to web server etc.


- R1(config)# ip nat inside source static tcp 192.168.1.53 80 208.53.91.7 80

Types of NAT addresses


Inside Local - our Private Address!
Inside Global - our Public Address!
Outside Global - the Public Address of website we are accessing!

So...NAT translates Inside Local to Inside Global!!

Useful NAT Commands


- R1# show ip nat statistics
- This tells us how many active translations there are and how many packets have
been translated etc.
- R1# show ip nat translations
- This tells us what inside IP addresses are being translated and to what...eg Inside
Local and Inside Global addresses.

ICND1 Page 55

IPv6 Concepts
10 November 2014
10:12

Why do we need IPv6?


- There is an IP address shortage!! Only 4 billion IPv4 addresses!!
- Current IP addresses are poorly allocated...some companies/organisation were allocated a
ridiculous number of addresses which are not being usedbut IANA can't just ask for them
back!!
- New network devices are on the rise...even fridges and microwaves are now coming with
network cards!
- NAT (the current solution) is seen as a hindrance to innovation.
IPv6 Addressing
- Address size moved from 32 bit (IPv4) to 128 bit (IPv6)
- Provides a ridiculously high number of addresses! We could assign an IP address to each atom
on the surface of the Earth x 100!!!
- Addresses are hexadecimal (0-9, A-F)
Divided into 8 group of 4 hex characters - each character is 4 bits in length
EG. 2001:0050:0000:0000:0000:0AB4:1E2B:98AA
So each octet = 4 x 4 = 16 and the whole address = 16 x 8 = 128 bits!!
RULE 1 - Eliminate groups of consecutive zero's
Using the above example
2001:0050::0AB4:1E2B:98AA
Note - We can only use this once in an address.
RULE 2 - Drop leading zero's
2001:50::AB4:1E2B:98AA
Simplified IPv6 headers
- Simpler for routers to process
- Uses the next header field which eliminates a lot of complexity
NDP (Neighbour Discovery Protocol)
PC's using IPv6 use NDP to learn MAC addresses on the same LAN (not ARP like IPv4!!).

Types of Communication and Addresses


- Unicast -> one-to-one
- Multicast -> one-to-many
- Anycast -> one-to-closest
We give the same address to multiple devices eg. Web server.
When someone tries to access the website it uses the closest device as it will be most
efficient.
- No more broadcasts!! These have been replaced by multicasts...they provide the same
functions as broadcasts!
Link Local address
- Similar to IPv4 APIPA address (169.25.x.x)
- Layer 2
- Allows devices to communicate where no DHCP server is available...however unable to route
on Internet
- FE80: (FE80::/64)
- Uses EUI-64 addressing...uses MAC address of device and squeezes FFFE in the middle...eg
MAC 02:FE:4G:8A:CH:1F
64 bits

64 bits

NETWORK

HOST
ICND1 Page 56

NETWORK

HOST

FE80:0000:0000:0000 02FE:4GFF:FE8A:CH1F

Unique/Site Local Addresses


- Same as IPv4 private address
- Sometimes known as static unicast configuration!
Global Address
- Same as public IPv4 address
- High level 3 bits set to 001 (2000::/3) (0010 in binary)
- Global routing prefix is 48 bits or less
- Global Addresses begin with 2000::/3

Global Prefix Subnet ID Interface ID

'n' bits

64 -n bits 64 bits

IANA dish out the UIP addresses to all organizations!! They would decide the global routing prefix!
Example

The Subnet ID is comprised of bits left over after the global routing prefix.
The primary address expected to comprise the IPv6 internet are from the 2001::/16 subnet.

ICND1 Page 57

IPv6 Configuration
11 November 2014
10:00

Scenario

Turn on IPv6 Routing


IPv6 routing is turned off by default (unlike IPv4).
- R1(config)# ipv6 unicast-routing
- R2(config)# ipv6 unicast-routing
Assigning Addresses
- R1(config)# int fa0/0
- R1(config-if)# ipv6 address 2001:55::1/64
- R1(config-if)# no shutdown
- R1(config)# int s0/0
- R1(config-if)# ipv6 address 2001:210:10:1::1/64
- R1(config-if)# no shutdown
-

R2(config)# int fa0/0


R2(config-if)# ipv6 address 2001:56::1/64
R2(config-if)# no shutdown
R2(config)# int s0/0
R2(config-if)# ipv6 address 2001:210:10:1::2/64
R2(config-if)# no shutdown

Verify Addresses
- R1# show ipv6 int brief
- R1# ping ipv6 ip-address

Configure Static Routing


Pretty much same as IPv4!
- R1(config)# ipv6 route 2001:56::1/64 2001:210:10:1::2/64
Dest Network Connected Interface
- R2(config)# ipv6 route 2001:55::1/64 2001:210:10:1::1/64
All done!

ICND1 Page 58

Configure Dynamic Routing - OSPFv3


This is different to IPv4 as we no longer use the network command!
We enable OSPF, assign a router-ID and then add interfaces/networks we want to advertise to the
OSPF process!
- R1(config)# ipv6 router ospf1
- R1(config-rtr)# router-id 1.1.1.1
- R2(config)# ipv6 router ospf1
- R2(config-rtr)# router-id 2.2.2.2
In IPv6 we need to set the router-ID else the router will not send hello packets
-

R1(config)# int fa0/0


R1(config-if)# ipv6 ospf 1 area 0
R1(config)# int s0/0
R1(config-if)# ipv6 ospf 1 area 0
Show ipv6 protocols

R2(config)# int fa0/0


R2(config-if)# ipv6 ospf 1 area 0
R2(config)# int s0/0
R2(config-if)# ipv6 ospf 1 area 0
- Show ipv6 ospf neighbours
All done!!

ICND1 Page 59

The Migration to IPv6


12 November 2014
10:23

Mulitple methods exist to provide a smooth, non-pressured transition


- Dual Stack routers
This is where we simply enable IPv4 and IPv6 routing and assign each interface an IPv4
and IPv6 IP address!!
This enables us to communicate via IPv4 and IPv6 at the same time!
- Tunnelling (6to4 and 4to6)
This uses encapsulation where IPv6 packets are encapsulated within IPv4 packets for
transmission over IPv4 networks (and vice versa for IPv4 over IPv6 networks).
- NAT Protocol Translation (NAT-PT)
This is where a block of IPv4 addresses at an IPv4 interface is set aside for translating
addresses as IPv6 hosts start sessions with IPv4 hosts.

ICND1 Page 60

You might also like