ICND1 Page 1
Network Foundations
22 October 2014
09:08
What is a network?
A network is the infrastructure that lets computers communicate and share resources (files, printers, Internet access).
Cisco is the industry leader in network equipment (whether it actually invented the router is debated).
Common Network Equipment
Switches
Routers
Wireless Access Points
Client PC's and Servers
Cabling
Ethernet (copper twisted pair) - used to connect PCs and servers to wall jacks/switches. 100m max segment length. Cost efficient.
Fibre - gives much greater bandwidth and distance than copper. Used for switch-to-switch uplinks, connecting servers to switches, and fast Internet connections.
Serial - still used by some ISPs to hand off a WAN circuit via a CSU/DSU. Being phased out and now uncommon.
Speed
Networks handle speed in bits per second (eg. 100Mbps).
Bit (smallest unit)
Byte (8 Bits)
Kilobyte (1024 Bytes)
Megabyte (1024KB)
Gigabyte (1024MB)
Terabyte (1024GB)
REMEMBER - don't confuse megabytes per second (MBps) with megabits per second (Mbps): divide Mbps by 8 to get MBps!!
Ethernet - has speeds of 10Mbps, 100Mbps, 1000Mbps (1Gbps) and 10Gbps.
Example of Network Speed
Imagine we have a 10Mbps network and we would like to save a 10MB picture to the file server.
10Mbps / 8 = 1.25MBps
10MB / 1.25MBps = 8 seconds
Allowing for the overhead of sending the data in packets (headers, acknowledgements), a realistic estimate for saving the 10MB picture is about 10 seconds!!!
OSI Model
22 October 2014
09:51
Application
Presentation
Session
Transport
Network
Data Link
Physical
Remember!!
**Please Do Not Throw Sausage Pizza Away**
Layers and their functions
Application - the protocols programs use to talk to the network (HTTP, SMTP, DNS). Eg. Internet Explorer, Vuze, Firefox, Chrome, World of Warcraft all use protocols at this layer.
Presentation - makes data generic so the receiving application can understand it. Eg. image formats such as GIF, character encoding, encryption.
Session - sets up, maintains and tears down the session between the two applications.
Transport - how data is delivered; the application chooses. TCP and UDP are the main protocols. (ICMP, which ping uses, is not a transport protocol: it is carried directly in IP at the network layer.) Data apps use TCP for reliability as it provides acknowledgements (ACKs) and retransmission. Voice/video use UDP for speed and are not fussy if a packet or two is dropped, although voice is affected by jitter.
The transport layer uses ports - source and destination. Eg. port 80 for HTTP.
Network - logical addressing - IP addresses. Routers sit here.
Data Link - physical addressing - MAC addresses. Switches sit here.
Physical - bits sent over the wire. Network cable, NICs.
Note
Routers and switches also need to be able to send bits (Layer 1).
Example
Make an online payment via Bank Website
1. Application - log into the bank's website using Internet Explorer (HTTP/HTTPS).
2. Presentation - converts data into the standard the web server expects regardless of the browser used: HTML, GIF etc, plus the encryption for HTTPS.
3. Session - was started when we logged into the website.
4. Transport - needs to be reliable - TCP!! Adds the destination port so the receiving web server knows which application the data is for - HTTPS 443. Adds a source port (dynamic/random) so the bank's web server can send its replies (and TCP ACKs) back to the right process on our PC.
5. Network - uses DNS to find the IP address of the bank website, then adds source and destination IP addresses.
6. Data Link - needs source and destination MAC addresses. The PC sees that the bank's IP is in a different network, so it sends an ARP request for the default gateway's (router's) MAC address and addresses the frame to the router, which forwards it on towards the bank's web server.
7. Physical - the bits are sent over the wire, hop by hop through each router.
NOTE
Switches sit at Layer 2 - Data Link.
They learn physical (MAC) addresses and forward each frame only out of the port where the destination lives. Hubs worked at the physical layer; they could not learn MAC addresses and simply repeated every frame out of every port.
Routers sit at Layer 3 - Network.
They look at IP addresses and use their Routing table to decide where to send.
TCP/IP Model
12 November 2014
11:04
The TCP/IP network model is a four-layer model, effectively a condensed version of the OSI model. It is what real networks implement, but the OSI model is more widely used for teaching and troubleshooting as it breaks the layers down in greater depth and gives a better explanation of data flow.
TCP/IP Model
Application
Transport
Internet
Network Interface
Spells NITA!
Layers and their functions
Application - defines the TCP/IP application protocols and how programs interface with the transport layer. Eg. HTTP, Telnet, DNS, FTP
Transport - end-to-end delivery, with or without reliability. Eg. TCP, UDP (RTP rides on top of UDP)
Internet - packages data into IP datagrams and performs routing. Eg. IP, ICMP, ARP (Cisco lists ARP here; other texts put it at the network interface layer)
Network Interface - how data is physically sent through the network. Eg. Ethernet, Token Ring
Ethernet frame format (field sizes in bytes):
Preamble      8   (includes the start-of-frame delimiter; stripped by the NIC)
Destination   6
Source        6
Type          2
Data          46-1500
FCS (CRC)     4
A runt is a frame of less than 64 bytes and a giant is a frame of more than 1518 bytes, counted from the destination MAC through the FCS (the preamble is not included)...both are discarded by a switch!
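As an added example (not part of the original notes), here is a small Python parser for the frame layout above. The sample frames and MAC addresses are constructed inline for the example; the FCS is computed with the CRC-32 that Ethernet uses, as implemented by zlib. It also shows where an 802.1Q VLAN tag sits (after the source MAC, before the Type field), which the VLAN section of these notes mentions later.

```python
import struct
import zlib

# Sizes from the frame layout above. The preamble is stripped by the NIC, so a
# captured frame starts at the destination MAC.
MIN_FRAME = 64        # shorter than this (including the FCS) is a runt
MAX_FRAME = 1518      # longer than this is a giant (1522 with an 802.1Q tag)
TAG_TPID = 0x8100     # 802.1Q tag protocol identifier

# Constructed sample addresses (not real hosts)
BCAST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Assemble dst | src | [802.1Q tag] | type | data | FCS, padding data to 46 bytes."""
    hdr = dst + src
    if vlan is not None:
        # The tag is inserted after the source MAC, before the Type field.
        hdr += struct.pack("!HH", TAG_TPID, vlan & 0x0FFF)
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload.ljust(46, b"\x00")          # data field minimum is 46 bytes
    fcs = struct.pack("<I", zlib.crc32(body))        # CRC-32 sent least-significant byte first
    return body + fcs


def parse_frame(frame):
    """Return the decoded header fields, or the reason a switch would discard the frame."""
    if len(frame) < MIN_FRAME:
        return {"drop": "runt"}
    dst, src = frame[0:6], frame[6:12]
    off, vlan = 12, None
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == TAG_TPID:                         # tagged frame: read the TCI
        vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if len(frame) > MAX_FRAME + (4 if vlan is not None else 0):
        return {"drop": "giant"}
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:    # the store-and-forward check
        return {"drop": "bad FCS"}
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": ethertype, "data": frame[off:-4]}


if __name__ == "__main__":
    good = build_frame(BCAST, SRC, 0x0806, b"arp-request")   # ARP broadcast, padded to 64 bytes
    print(parse_frame(good))
    damaged = bytearray(good)
    damaged[20] ^= 0x01                                        # flip one payload bit
    print(parse_frame(bytes(damaged)))                         # dropped: bad FCS
    print(parse_frame(good[:60]))                              # dropped: runt
```

A cut-through switch (described later in these notes) skips the FCS comparison and forwards as soon as the first 6 bytes have been read, which is why a damaged frame gets through in that mode.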
(Diagram: PC to switch uses a straight-through cable; switch to switch or PC to PC uses a crossover.)
Straight-Through Cables
These are used to connect unlike devices, eg. computers or printers to a switch or hub. Both ends are wired the same:
Pin 1 to Pin 1
Pin 2 to Pin 2
Pin 3 to Pin 3
Etc
Crossover Cables
These connect like devices directly, eg. router to router, switch to switch or PC to PC. The transmit pairs are swapped with the receive pairs (modern switches with auto-MDIX detect this themselves, so a straight-through cable works either way):
Pin 1 to Pin 3
Pin 2 to Pin 6
Pin 3 to Pin 1
Pin 4 to Pin 7
Pin 5 to Pin 8
Etc
Rollover/Console Cables
These connect a PC's serial port (or USB-to-serial adapter) to the console port of a switch/router for out-of-band management. All eight pins are reversed:
Pin 1 to Pin 8
Pin 2 to Pin 7
Pin 3 to Pin 6
Pin 4 to Pin 5
Etc
IP Addressing
22 October 2014
10:23
IPv4
32 bit address
Consists of four octets, each 0 to 255 - eg. 192.168.0.100 (in binary =
11000000.10101000.00000000.01100100 = 32 bits)
Used together with a subnet mask (which part is the network and which part is the host) and a default gateway (where to send traffic for other networks).
Eg.
IP Address: 192.168.0.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1
Assigning IP Addresses
Static
Used for servers, routers, printers - anything other devices need to find at a fixed address.
We can rename network connections to give them a meaningful name (Control Panel -> Network Adapter settings -> Advanced).
DHCP
This is a server role - we define an IP address scope - eg. LAN PCs.
When PCs boot up they broadcast for an IP address. The DHCP server listens on UDP port 67; the client uses UDP port 68.
We can add exclusions to scopes for any IP addresses we have defined statically (and also add reservations). A router can also be a DHCP server.
DHCP Relay
If we have lots of remote offices we can run DHCP from a central point. We enable DHCP relay on the remote router so that the client's broadcast is forwarded as a unicast to the main office server. This is needed because routers discard broadcasts by default.
Private Addresses (not routable on the Internet)
10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255
Automatic (APIPA)
Assigned when a PC cannot contact a DHCP server. It is a link-local address, so the PC can only talk to its own segment.
169.254.0.0 -> 169.254.255.255
Loopback (the local host itself)
127.0.0.0 -> 127.255.255.255
Special Addresses
The first address of the subnet is the network ID.
The last address of a subnet is the broadcast address.
Eg.
Network ID = 192.168.1.0/24
Broadcast = 192.168.1.255
NAT is used because private addresses cannot be used on the Internet. The router translates private source addresses to the public address given by your ISP (and translates the replies back again).
Classes of Addresses
22 October 2014
11:24
Class A 255.0.0.0 (/8)
Class B 255.255.0.0 (/16)
Class C 255.255.255.0 (/24)
Cisco advises not having a network with >500 devices due to broadcast traffic!
Classless Addressing
This is where the subnet mask does not have to match the class of the address, eg. a Class C style mask on a Class A network.
Eg.
Class A network - 10.0.0.0
Subnet Mask - 255.255.255.0 (This gives us 254 usable addresses per subnet)
Types of messages
Unicast - message sent to 1 device
Multicast - message sent to a group of devices (devices tune into a specific IP address in the class D
range)
Broadcast - message sent to all devices in the broadcast domain
Note:
The ACK number is the next byte the receiver expects. For a SYN (or FIN) that is the sequence number plus one; for a data segment it is the sequence number plus the number of bytes received.
TCP communication always starts with a 3-way handshake before any actual data is transmitted.
1. SYN
2. SYN + ACK
3. ACK
TCP adds a source and destination port to each segment.
TCP Windowing
This is the process of sending a group of segments before waiting for an acknowledgement, which speeds up a download/copy.
Eg. When we save a large file to a file server it will initially say '10 hours' then '6 hours' etc. The sending PC gradually increases the amount of unacknowledged data it has in flight until the receiver's advertised window (or packet loss) stops it growing, so the throughput, and therefore the ETA, keeps changing.
Flow Control Methods
- Windowing - see above!!!
- Buffering - where devices store incoming traffic in a memory queue, to be processed when
possible.
- Congestion Avoidance - is used during peak time where networks drop low priority traffic to
maintain faster processing of higher priority traffic such as Voice or Video.
Well-known ports
21 FTP
22 SSH
23 Telnet
25 SMTP
53 DNS (UDP for client queries, TCP for zone transfers)
69 TFTP
80 HTTP
110 POP3
443 HTTPS
We can use port numbers to restrict access. Eg. block web access to the Internet by blocking ports 80 and 443.
Conversely, these ports need to be allowed on the firewall if the traffic is permitted.
Switching
22 October 2014
13:39
Hubs
- 1980's
- Sit at the physical layer; hosts on a hub use CSMA/CD to detect and recover from collisions
- One collision domain
- Half duplex - only one device can send at any one time
- No intelligence - the hub repeats every frame out of every other port, not just broadcasts
- No security - anyone on the hub can see everyone's traffic
Bridge
- 1990's
- Broke network into multiple collision domains
- Limited ports
- Separated hubs
- Learned MAC addresses (sit at layer 2)
- Software based - slow compared with ASIC-based switches
Switch
- 2000's
- Every port is its own collision domain - eg. a 24 port switch has 24 collision domains
- Full duplex - everyone can send and receive at the same time!
- ASIC based (Application Specific Integrated Circuit) - hardware forwarding, very fast
- Varying port speeds eg. 100Mbps, 1000Mbps
- Managed, intelligent - can configure ports, VLANs etc
- Learns the MAC addresses of all connected devices
Fibre Optic
- Common to connect switches together
- Need SFP module on switch
- Multi mode - wider core, cheaper transceivers, shorter distances
- Single mode - narrow core, laser transceivers, expensive, long distances
CAM Table (Content Addressable Memory)
- Stores MAC addresses and the port/interface each device is connected to
- Empty when the switch boots up
- Filled from the source MAC of every frame that arrives, so it is populated within seconds of the connected devices starting to talk
Example
When a PC pings another PC by IP address on the same network:
- An ARP broadcast (FFFF.FFFF.FFFF is the broadcast MAC) is sent to find the MAC address of PC2 from its IP address.
- The switch floods it out of every port except the one it arrived on.
- The host with the matching IP replies with its MAC address in a unicast message.
- The switch learns the MAC address of the sender and receiver from the source address of each frame, and stores the MAC address and port/interface in its CAM table!
- Entries in the CAM age out after 300 seconds (5 minutes) without traffic by default.
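The learn/flood/forward behaviour described in the example above, as an added Python model (not from the original notes). The port names and MAC addresses are constructed for the example; `ping_walkthrough` replays the ARP request, ARP reply and echo request from the bullets, then shows the entry ageing out after 300 seconds.

```python
BROADCAST = "ffff.ffff.ffff"
AGING_SECS = 300            # default CAM aging time (5 minutes)


class Switch:
    """Minimal Layer 2 learning switch: learn the source MAC, forward or flood on the destination."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}                       # mac -> (port, last_seen)

    def _age_out(self, now):
        for mac, (port, seen) in list(self.cam.items()):
            if now - seen > AGING_SECS:
                del self.cam[mac]

    def receive(self, in_port, src, dst, now):
        """Return the list of ports the frame is sent out of."""
        self._age_out(now)
        self.cam[src] = (in_port, now)      # learn (or refresh) the sender
        if dst == BROADCAST or dst not in self.cam:
            # Flood: every port except the one the frame arrived on
            return [p for p in self.ports if p != in_port]
        out_port = self.cam[dst][0]
        # Filter if the destination is on the ingress port, otherwise forward to one port
        return [] if out_port == in_port else [out_port]


def ping_walkthrough():
    """Frames generated when PC1 (Fa0/1) pings PC2 (Fa0/2) on the same subnet."""
    pc1, pc2 = "0011.1111.1111", "0022.2222.2222"   # constructed MACs
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    return [
        sw.receive("Fa0/1", pc1, BROADCAST, now=0),   # ARP request: flooded to Fa0/2 and Fa0/3
        sw.receive("Fa0/2", pc2, pc1, now=1),         # ARP reply: PC1 already known -> Fa0/1 only
        sw.receive("Fa0/1", pc1, pc2, now=2),         # ICMP echo: PC2 now known -> Fa0/2 only
        sw.receive("Fa0/1", pc1, pc2, now=2 + AGING_SECS + 1),  # PC2 aged out -> flooded again
    ]


if __name__ == "__main__":
    for step in ping_walkthrough():
        print(step)
```

The dictionary here is unbounded; a real CAM has a fixed number of entries, and a host that sends frames from thousands of made-up source MACs can fill it so the switch floods everything. That is what the MAC limits in port security (the next section heading in these notes) guard against.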
Broadcast domains
If we have several switches connected together we still only have 1 broadcast domain.
Each port would still be in its own collision domain.
Cut-Through Switching
The switch reads only the destination MAC address, which is the first 6 bytes of the frame after the preamble. It looks the MAC address up in its CAM table and forwards out of the relevant interface. This reduces delay as frames are not checked for errors; they are forwarded as soon as the destination MAC has been read and the outgoing interface determined.
However, bad frames are still forwarded. The destination performs the CRC check, finds the frame is bad and discards it; Ethernet has no retransmission of its own, so recovery is left to the upper layers (eg. a TCP retransmission). This wastes bandwidth and can cause slow network performance.
NOTE
Today's switches are fast enough that store-and-forward (check the FCS, then forward) is the usual choice.
Cisco IOS
22 October 2014
16:45
NOTE - configuring the incorrect BAUD rate results in unreadable characters on screen while
accessing the Cisco CLI!
IOS Command Modes
Switch>          user EXEC (limited show commands)
Switch#          privileged EXEC (all show/debug commands, copy, reload)
Switch(config)#  global configuration
Base Configuration
22 October 2014
17:01
- Switch(config-if)# no shutdown
- The interface will then change to up
Default Gateway
For us to manage the above switch we would need to be logged onto a PC in VLAN 1 in the same
subnet.
So to manage the switch from another network we would need to configure a default gateway. If
we need to do troubleshooting on a switch (eg. Ping, tracert) then we need this configured.
- Switch(config)# ip default-gateway 10.1.1.1
Shutdown Unused Ports
It is good practice to shut down unused ports so nobody can plug an infected or unauthorised laptop into the network.
- Switch(config)# int range fa0/10 - 15
- Switch(config-if-range)# shutdown
This shutdowns all ports in the range 10-15!
Logon Banner
We can create a banner message to be displayed for all logins.
- Switch(config)# banner motd + *****CENTRESOFT NETWORK - SWITCH 1*****+
- NOTE: '+' is the delimiting character...anything we type in between the + will be used as
the banner!!
- We could have used banner login but this only displays when there is login
required/configured for the connection.
Saving Configurations
Running config is saved in RAM...which is volatile and lost if switch is rebooted!
Startup config is stored in NVRAM...which is non volatile and safe if switch loses power!
- Switch# copy running-config startup-config
OR
- Switch# write memory (the older alias; still accepted on most IOS versions, but the form above is the documented one)
SSH (Secure Shell)
Telnet is not secure! None of the communication is encrypted - everything, including passwords, is in clear text! Anyone who can capture the traffic (on a hub, a mirrored switch port, or after redirecting traffic on the LAN) can read the passwords with Wireshark.
SSH encrypts the whole session...so it is the preferred method for remote management!
It uses public-key cryptography rather than certificates: the switch/router generates an RSA host key pair, the client checks the host key (its fingerprint) the first time it connects, and the two sides agree a session key which encrypts everything that follows. (The web-site analogy is TLS: the site's certificate carries its public key; the idea of protecting the session with the server's key pair is the same.)
1. Configure hostname
2. Configure domain name (the hostname and domain name are used to name the key pair)
a. Switch(config)# ip domain-name nugget-lab.com
3. Generate encryption keys
a. Switch(config)# crypto key generate rsa modulus 2048
i. 1024 was the old minimum; use 2048 or larger today.
4. Create local user accounts
a. Switch(config)# username user secret cisco
i. 'secret' stores a hash rather than the password itself. Use a strong password, not 'cisco'!
5. Choose which protocols the vty lines accept
a. Switch(config)# line vty 0 15
b. Switch(config-line)# transport input ssh
i. Adding 'telnet' here would keep the clear-text path open...leave it out.
6. Enable local logins
a. Switch(config-line)# login local
We then use an SSH client, eg. PuTTY, to connect.
Each Cisco device has a clock! Its important that we have the correct time on the device as we
sometimes have to check logs on the device and need to track certain events etc and so time is
important! Another practical use to make sure we have the correct time is when we look at running
configurations...we can see the last time the config was edited and by who!
We can set a cisco device as an NTP server or client.
1. To configure an NTP server
a. R1# clock set 12:00:00 4 Nov 2014 (this is an EXEC command, not a config command)
b. R1(config)# ntp master 3
i. We simply set the time on the device, set the device as master and other devices will pull the time from it! The number is the stratum number it advertises.
2. To configure an NTP client
a. R2(config)# ntp server A.B.C.D
i. We specify the IP address of the server. We can also just use Windows servers as
the server.
ii. We can use the prefer command too if we want to set several time servers.
To verify NTP we can use the commands below
- R2# show ntp status
This tells us whether the clock is synchronized, and to which server and stratum
- R2# show ntp associations
This lists the NTP servers configured on the device, which one is set as preferred/master, and information about each of them.
NTP Stratum - this is the number of hops away from the reference clock (stratum 0).
Configuration Backups
23 October 2014
10:31
Creating a backup
We can use TFTP to back up switch configs. TFTP has no authentication or encryption and the config contains passwords and SNMP strings, so only run the TFTP server while you need it, on the management network, and delete the copies you no longer need.
1. Download and install TFTPD32 - freeware.
2. Ensure UDP port 69 inbound is allowed on the PC firewall.
3. Ensure the Everyone group has access to the save file location in TFTPD32.
4. Switch# copy running-config tftp
5. Enter the IP address of the PC you are copying the config to.
Restoring a backup
Make sure you are connected via Ethernet and the switch/router has an IP address...you may need to assign one before you restore the config (eg. assign the management IP of the switch).
1. Switch# copy tftp running-config
NOTE - copying into running-config merges the file with whatever is already configured; it does not remove commands that are absent from the file. To replace the config outright, copy to startup-config and reload.
Port Security
23 October 2014
10:36
Network is slow...
Its common for users to complain that the network is slow!!
This can be due to speed and duplex issues on the switch.
Switches are set to auto-detect speed and duplex but with 100Mbps switches it is always best to
hard code them!
Most of the time auto-detect works fine...if both switch interface and PC network adapter are set to
auto-detect.
Duplex Mismatch (causes Late Collisions!!!)
Network issues normally lie with duplex, where one side is set to full-duplex and the other to half-duplex - normally where the devices have been unable to auto-negotiate!! If a 100Mbps switch interface fails to auto-negotiate it defaults to half-duplex!! (Gigabit ports require auto-negotiation, so they do not suffer from this.) The result is slow performance as frames are dropped and collide with high frequency.
This is called a duplex mismatch. It is normally the router/switch config we need to look at.
To solve we simply hard code both devices as full duplex.
100Mbps devices -> Hard code them!! Router, switch, server.
1000Mbps devices -> Auto (leave as auto-detect)
NOTE - If we hard code either speed or duplex then we must hard code both of them!
On the Server/PC we would go into the Network Adapter settings -> Advanced and choose the
Speed/duplex option and set it there.
Troubleshooting slow networks
This is normally due to collisions on the network.
- Switch# show interface fa0/14
Here we can see the duplex/speed settings on that interface and confirm that it is set to 100Mbps and full etc.
We can also see that the interface is up, and the packets dropped/collisions!! On a full-duplex switch port we should never see collisions!!
- Collision - happens within the first 64 bytes of the frame (the slot time) and is normal only on hubs in a half-duplex environment.
- Late Collision - happens after the first 64 bytes - this is normally due to a duplex mismatch!!
- CRC errors - the CRC checksum (FCS) added to each frame confirms its integrity. CRC errors normally mean a faulty network cable, or "excessive noise"!!
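To make the counters above actionable, here is an added example (not from the original notes) that parses `show interface` output and maps the counters to the causes listed: late collisions to a duplex mismatch, CRC errors to cabling/noise, runts and giants to malformed frames. The two sample outputs are constructed for the example (realistic IOS layout, invented counter values).

```python
import re

# Constructed sample of 'show interface' output (counter values invented for the example).
SAMPLE_BAD = """\
FastEthernet0/14 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     123456 packets input, 9876543 bytes, 0 no buffer
     12 runts, 0 giants, 0 throttles
     57 input errors, 57 CRC, 0 frame, 0 overrun, 0 ignored
     98765 packets output, 8765432 bytes, 0 underruns
     0 output errors, 12 collisions, 1 interface resets
     0 babbles, 45 late collision, 0 deferred
"""

SAMPLE_GOOD = """\
FastEthernet0/15 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTERS = ("runts", "giants", "input errors", "CRC", "collisions", "late collision")


def parse_show_interface(text):
    """Pull duplex, speed and the error counters out of 'show interface' output."""
    m = re.search(r"^\s*(Full|Half)-duplex,\s*(\d+)Mb/s", text, re.M)
    info = {"duplex": m.group(1) if m else None, "speed": int(m.group(2)) if m else None}
    for name in COUNTERS:
        c = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        info[name] = int(c.group(1)) if c else 0
    return info


def diagnose(text):
    """Map the counters to the causes described in the notes above; returns (code, advice) pairs."""
    i = parse_show_interface(text)
    findings = []
    if i["late collision"] > 0:
        findings.append(("DUPLEX_MISMATCH", "late collisions: hard-code speed AND duplex on both ends"))
    if i["duplex"] == "Half" and i["speed"] and i["speed"] <= 100:
        findings.append(("HALF_DUPLEX", "auto-negotiation fell back to half-duplex on a 10/100 port"))
    if i["collisions"] > 0:
        findings.append(("COLLISIONS", "collisions on a switched port: should be zero on full-duplex"))
    if i["CRC"] > 0:
        findings.append(("CRC_ERRORS", "CRC errors: check the cable/patch lead and look for noise"))
    if i["runts"] > 0 or i["giants"] > 0:
        findings.append(("RUNTS_GIANTS", "malformed frames: faulty NIC/cable, or collisions fragmenting frames"))
    return findings


if __name__ == "__main__":
    for code, advice in diagnose(SAMPLE_BAD):
        print(f"{code:16} {advice}")
    print("clean port:", diagnose(SAMPLE_GOOD))
```

Counters are cumulative since the last `clear counters`, so a handful of old errors on a port that is now fine is not a problem; what matters is whether they are still increasing.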
Finding devices
Ping the IP address of the device and then run arp -a to find out its MAC address.
We can then go to the switch and look the MAC address up in the MAC address table
- Switch# show mac address-table address 0011.2233.4455
(or Switch# show mac address-table | include 0011.2233 to filter the whole table)
- Extended Ping
If we type ping and press enter we can then specify several other parameters. Eg. protocol, repeat count, timeout period, datagram size, source interface.
A "Normal Switch"
- Multiple collision domains (Eg. 24 port switch will have 24 collision domains)
- One broadcast domain (inc. switches which are daisy chained)
- One IP network subnet for all of its hosts
Eg. 192.168.1.0/24
- One failure domain
- Limited security
VLAN Foundations
- A VLAN logically groups users
It can separate a switch into separate networks
- It segments the broadcast domain
Will only broadcast on its own VLAN
- Offers subnet correlation
Eg. 192.168.1.0/24 and 192.168.2.0/24
- Access control
- Quality of service (QoS)
We can give VLAN's higher priority than another (eg. Voice over internet)
- Can give us Layer 3 control - L3 Switch!
- Switch adds a Frame tag which identifies which VLAN id the frame belongs to - these are
carried over trunk links between switches
- VLAN's limit broadcast propagation!
Trunk Ports
A trunk carries all VLAN's and is used to connect switches together.
Normally set to 1Gbps ports.
Flexibility of VLAN's
- Can group devices together. Eg
Servers in a VLAN
Computers in a VLAN
Phones in a VLAN
- Can separate buildings/office into separate VLAN's
Feels good and reduces broadcast traffic!
- Can separate Ethernet and WiFi traffic.
- Server virtualization. Eg...
We can set up a trunk on the interface connected to a virtualization host (or a multi-homed DHCP server)
The server can then communicate with all VLANs and devices, which saves us having a server on each VLAN
Note
802.1Q does not encapsulate Ethernet frames. Instead it inserts a 4-byte tag after the source MAC address (before the Type field) and recalculates the FCS! Untagged frames on a trunk belong to the native VLAN.
VTP Modes
Server (Default)
- Gives the power to change VLAN info
- Sends and receives VTP updates
- Saves VLAN config
Client
- Cannot change VLAN info - gets updates from the server
- Sends and receives VTP updates
- Does not save VLAN config
Transparent (Turns VTP Off!)
- Power to change VLAN info
- Forwards (passes through) VTP updates
- Does not listen to VTP updates
- Saves VLAN config
VLAN Pruning
This keeps unnecessary broadcast traffic from crossing trunk links. Traffic for a VLAN is only forwarded across a trunk if that VLAN has ports on the switch at the far end.
- Enabled on a VTP server and propagated to the whole VTP domain (servers and clients).
- Switches in transparent mode do not take part.
Configuring VLAN's
23 October 2014
12:59
Reminder - we use VLAN's to separate users and devices to reduce broadcast traffic.
1. Create VLAN's and name
a. Switch# show vlan brief
i. This gives a breakdown of all VLAN's
b. Switch(config)# vlan 50
c. Switch(config-vlan)# name SERVERS
2. Assign ports to VLAN's
a. Switch(config)# int fa0/10
b. Switch(config-if)# switchport mode access
c. Switch(config-if)# switchport access vlan 50
i. The VLAN's SVI (VLAN interface) shows down in 'show ip int brief' if there are no active ports in that VLAN
Useful command
We can also use the show vlan id x command to see which ports are assigned to that VLAN.
Switch# show vlan id 10
Best practice is not to rely on VTP (put switches in transparent mode) and to create VLANs manually on each switch!!
To Turn Off Trunking...
...use the switchport mode access command!!!
Dynamic Trunking Protocol allows trunks to be formed between two switches automatically. When two connected ports are configured in dynamic mode, and at least one of them is desirable, the two switches will form a trunk across the link.
- Switch(config-if)# switchport mode dynamic desirable/auto
DTP is enabled by default on all modern switches. This is bad design: any device that speaks DTP (including a PC under an attacker's control) could negotiate a trunk and receive traffic from every VLAN.
The best thing is to disable DTP!!
Configure all ports as access ports, then configure the trunk ports we actually need by hand, which is best practice
- Switch(config-if-range)# switchport mode access
- Switch(config-if-range)# switchport mode access
However, even when a port is statically configured as an access port as above, DTP frames are still sent on the port. If we set up a trunk between two switches in different VTP domains we get the error below...
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/1 because of VTP domain mismatch.
DTP advertisements include the VTP domain name, so the trunk will not form if the VTP domain names differ. We can kill DTP once and for all with the command below (on access ports and on our static trunks)
- Switch(config-if)# switchport nonegotiate
This prevents DTP packets from being sent.
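The hardening points in these notes (SSH only on the vty lines with local logins, a login banner, unused ports shut down, and DTP disabled on every port that is not a deliberately configured trunk) are easy to check automatically against a saved config. The audit below is an added example, not from the original notes; the running-config it reads is constructed for the example and the finding codes are my own labels.

```python
SAMPLE_CONFIG = """\
hostname SW1
ip domain-name nugget-lab.com
username admin secret ExampleOnly-ChangeMe
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 50
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
line vty 0 4
 transport input ssh telnet
 login local
line vty 5 15
 login
!
"""


def parse_config(text):
    """Split an IOS config into global commands and indented per-block command lists."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # '!' ends the current block
            current = None
            continue
        if line[0] != " ":                   # top-level command
            if line.startswith(("interface ", "line ")):
                current = line
                blocks[current] = []
            else:
                current = None
                global_cmds.append(line)
        elif current is not None:
            blocks[current].append(line.strip())
    return global_cmds, blocks


def audit(text):
    """Return (where, code) findings for the hardening points in these notes."""
    global_cmds, blocks = parse_config(text)
    findings = []
    if not any(c.startswith("banner motd") for c in global_cmds):
        findings.append(("global", "NO_BANNER"))
    for name, cmds in blocks.items():
        if name.startswith("interface "):
            if "shutdown" in cmds:
                continue                      # unused port properly shut down
            mode = next((c for c in cmds if c.startswith("switchport mode ")), None)
            if mode is None:
                findings.append((name, "NO_MODE_DEFAULT_DTP"))   # factory default, DTP active
            elif "dynamic" in mode:
                findings.append((name, "DTP_DYNAMIC"))           # will negotiate a trunk with anyone
            elif "switchport nonegotiate" not in cmds:
                findings.append((name, "DTP_ACTIVE"))            # static mode but DTP frames still sent
            if mode == "switchport mode access" and not any(c.startswith("switchport access vlan") for c in cmds):
                findings.append((name, "VLAN1_ACCESS"))          # live port left in VLAN 1, possibly unused
        elif name.startswith("line vty"):
            ti = next((c for c in cmds if c.startswith("transport input")), None)
            if ti is None or "telnet" in ti or ti.endswith(" all"):
                findings.append((name, "TELNET_OR_UNRESTRICTED"))
            if "login local" not in cmds and not any(c.startswith("login authentication") for c in cmds):
                findings.append((name, "LOGIN_NOT_LOCAL"))
    return findings


if __name__ == "__main__":
    for where, code in audit(SAMPLE_CONFIG):
        print(f"{where:28} {code}")
```

In the sample, Fa0/2 and Gi0/1 come out clean because they are explicitly set to access/trunk with `switchport nonegotiate`, exactly the end state the DTP section above recommends; Fa0/1 is flagged even though it is an access port, because DTP is still talking on it.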
Routing Overview
23 October 2014
13:23
Note
When packets go over a serial data link (across a WAN) there are no MAC addresses. The frame is HDLC or PPP instead. Cisco HDLC has a Type field so the receiving device knows which protocol is encapsulated. The Layer 2 header only lasts one hop: each router strips it and adds a new one for the next link.
Routers
- CEF (Cisco Express Forwarding) - forwarding is done in software on the CPU (not in ASICs like a switch) but is still fast and powerful
- Not as fast as switches!!
- IOS is the brain-power behind the routing process
- Popular model is 2800 series
- Normally 1U - take up 1 space on a rack
- Normally have 2 Ethernet interfaces
- WIC - Wan Interface Card to receive Internet line from the outside.
- 'Blue' ports are console ports
Process Switching/Fast Switching/CEF
- Process switching requires the CPU to be personally involved with every forwarding/routing
decision. It is like doing math, long hand! You have to work out the route each time.
- Fast Switching still uses the CPU, but once a packet has been forwarded it stores info about
how to reach the destination in a fast-switching cache. When another packet goes to the
same destination the cache is used...so the processor does not have to re-compute the route.
- Cisco Express Forwarding (CEF) is the evolution of this, optimizing the router to forward more packets faster. CEF builds a Forwarding Information Base (FIB), a pre-computed copy of the routing table, plus an adjacency table holding the next hop and the Layer 2 rewrite for it, so nothing has to be worked out per packet. CEF is like having programmed an Excel spreadsheet: as soon as the numbers hit the cells, the answer is already calculated!
Configuring a Loopback Interface
Loopback interfaces are very common on Cisco routers as they allow for management, logging and
authentication. They are logical interfaces that are 'always up'. They are not tied to any physical
interface and therefore cannot go down unless they are administratively shutdown.
- R1(config)# interface loopback 1
- R1(config-if)# ip address A.B.C.D 255.255.255.0 (a loopback is usually given a /32 host mask, 255.255.255.255, so it does not use up a whole subnet)
We can remove the interface with the 'no' form of the interface command.
http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3intervlanrouting.html
So...we would have the SALES VLAN 20 configured on a switch, an interface configured on the router with IP address 192.168.20.1 255.255.255.0 (or a L3 switch with VLAN interfaces configured), and a DHCP pool for the 192.168.20.0/24 network. The lease command defines how long an assignment lasts before the router can reassign the IP address (lease days hours minutes). The command is optional...the default lease is 1 day.
We can also set the DNS server by using the dns-server A.B.C.D command.
Any PC connected to a port in VLAN 20 would pick up an IP in the 192.168.20.x range!!
Excluded Addresses
We can exclude addresses so that they are not used in any DHCP pools.
- Router(config)# ip dhcp excluded-address 192.168.20.10 192.168.20.20
This would exclude any addresses in the range 192.168.20.10 - 20!
We can use a server that routers and switches authenticate logons against. This provides a central user directory, authentication auditing and access control...it is much easier to manage than local accounts on every device.
We can use either a RADIUS or a TACACS+ server.
RADIUS Server
- Uses UDP (ports 1812/1813, or 1645/1646 on older implementations)
- Encrypts (obfuscates) only the password in the request; usernames and the rest of the packet are clear text
- Combines authentication and authorization in one exchange
- Open standard and widely interoperable...supported by everyone
- Uses less memory and CPU on routers and switches - very light
TACACS+ server
- Uses TCP (port 49)
- Encrypts the entire packet body
- Separates Authentication, Authorization and Accounting, so we can authorize individual commands
- Cisco-developed; supported on some other vendors' equipment but far less universally
- Uses more memory than RADIUS
- More secure than RADIUS as the whole exchange is encrypted
- Flexibility - TCP delivery and per-command authorization suit device administration
In practice RADIUS is the common choice for user and network access (it is light and everything supports it), while TACACS+ is the usual choice for administering the devices themselves because of per-command authorization.
IP Subnetting
23 October 2014
16:54
Binary basics
- IPv4 address is a 4 octet address
- Class A, B, C
A = 255.0.0.0
B = 255.255.0.0
C = 255.255.255.0
- 8 bits in a byte, with the bit values below (most significant first)
128 64 32 16 8 4 2 1
4. Hosts = 32 -2 = 30
Networks = 2^3 = 8
Subnet Zero
You may have noticed ip subnet-zero in the running config (it is the default on modern IOS). The subnet zero (or zero subnet) is the first subnet of a subnetted network, the one whose subnet bits are all 0; older IOS would not let you use it.
EG. Class B: 172.16.0.0. Need 50 hosts per network.
1. Hosts = 50 = 00110010 = 110010 = 6 bits, so 6 host bits (2^6 - 2 = 62 usable addresses)
2. Subnet mask = 255.255.255.11000000 = 255.255.255.192 (/26)
3. Ranges (blocks of 64 in the last octet)
a. 172.16.0.0 -> 172.16.0.63
b. 172.16.0.64 -> 172.16.0.127
c. 172.16.0.128 -> 172.16.0.191
d. 172.16.0.192 -> 172.16.0.255 (then 172.16.1.0 -> 172.16.1.63 and so on)
We can use several different subnet masks if we need several networks of different sizes.
We do this in exactly the same way, except we work out the subnet mask for the biggest network first (by number of hosts) and then the next biggest etc.
Example
Network ID: 192.168.1.0/24
Number of networks = 3
Hosts per network = 60, 30 20
Start with the largest subnet first...then work your way down in host size.
NOTE: Variable Length Subnet Masks allow us to make more efficient use of available IP addresses.
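The two subnetting methods in these notes (fixed-length, as in the 172.16.0.0 example, and VLSM, as in the 192.168.1.0/24 example with 60, 30 and 20 hosts) worked through in Python as an added example, not from the original notes. It uses the standard `ipaddress` module; the inputs are the page's own examples.

```python
import ipaddress


def host_bits_needed(hosts):
    """Smallest number of host bits h with 2**h - 2 >= hosts (network + broadcast reserved)."""
    h = 2
    while 2 ** h - 2 < hosts:
        h += 1
    return h


def describe(sub):
    """Network ID, mask, usable range and broadcast for one subnet."""
    hosts = list(sub.hosts())
    return {"network": str(sub), "mask": str(sub.netmask),
            "first": str(hosts[0]), "last": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address), "usable": len(hosts)}


def fixed_length(network, hosts_per_subnet, count):
    """Every subnet the same size (the 172.16.0.0 example above). Returns the first `count` subnets."""
    net = ipaddress.ip_network(network)
    prefix = 32 - host_bits_needed(hosts_per_subnet)
    subs = net.subnets(new_prefix=prefix)
    return [describe(next(subs)) for _ in range(count)]


def vlsm(network, host_counts):
    """Carve subnets of different sizes out of `network`, largest requirement first."""
    net = ipaddress.ip_network(network)
    cursor, end = int(net.network_address), int(net.broadcast_address) + 1
    allocated = []
    for hosts in sorted(host_counts, reverse=True):
        prefix = 32 - host_bits_needed(hosts)
        size = 2 ** (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"no room for a /{prefix} for {hosts} hosts")
        # Sizes are powers of two and non-increasing, so the cursor is always aligned
        # to the next block; this is why the largest subnet has to go first.
        sub = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        allocated.append(dict(describe(sub), requested=hosts))
        cursor += size
    return allocated


if __name__ == "__main__":
    for s in fixed_length("172.16.0.0/16", 50, 4):
        print(s["network"], s["first"], "-", s["last"], "bcast", s["broadcast"])
    for s in vlsm("192.168.1.0/24", [60, 30, 20]):
        print(s["requested"], "hosts ->", s["network"], "mask", s["mask"], "usable", s["usable"])
```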
Purpose of Routing
- Stopping broadcasts - helps reduce traffic (eg. DHCP requests and ARP requests stay within their own network)
- Find the best possible path to a destination
- Move unicast traffic between networks
Allows PCs on different subnets to communicate
Static Routing
Routers have no routes out of the box!! They only know the networks configured on their own interfaces!!
Each router has to have each network defined on an interface to be able to talk back and forth.
Static routes allow us to "educate" the router about new places
Eg. We can tell a router how to reach a subnet which is not configured on one of its interfaces.
A default route acts as a "catch-all"...it sends any traffic for which there is no more specific route to the next hop (typically the Internet).
RULE - the more specific a route is the better...the longest matching prefix is chosen first!!
Example
1. Router(config)# ip route 192.168.3.0 255.255.255.0 192.168.2.2
2. Router(config)# ip route 0.0.0.0 0.0.0.0 68.25.121.199
For a packet to 192.168.3.x, route 1 is chosen because its /24 prefix is more specific than the default route's /0: when several routes in the routing table match a destination, the one with the longest subnet mask takes precedence.
USEFUL COMMAND
- show ip route
This shows every network which the router knows how to reach.
Static routes are good for small networks with a couple of offices.
They don't work so well for larger networks as there are more routers and networks involved and it would require lots of config on each router!
Routing Protocols
27 October 2014
12:30
Routing protocols allow routers to tell the routers they are connected to about the routes they know!
- "Tell your friend what you know!!"
- Each router in a network tells the other routers about its networks.
They are/offer
- Dynamic - automatically build the routing table
- Redundancy - can hold several routes in case a path is lost...failover is automatic
- Best path - based on the protocol used they automatically determine the best path (they use a metric).
RIP
- Like a Fiat Punto!! Not fast!!
- Sends its whole routing table to its neighbours every 30 secs by default...not efficient!
- Recovery is slow - a route is marked invalid after 180 secs without an update (holddown 180 secs, flush 240 secs)
- Metric - hop count (number of routers), max 15 - not efficient as it ignores link speed!!
- Only pro is that all devices support it!
- Distance vector protocol
- Inefficient as it keeps sending the full routing table even if nothing has changed!
- RIPng for IPv6
IGRP
- Cisco created it to replace RIP
- Now obsolete - updates were every 90 secs and a route was only declared invalid after 270 secs!!
- THIS PROTOCOL CAN BE IGNORED!!
OSPF
- Link-state protocol; see the Configuring OSPF section below
IS-IS
- Like a 1967 Corvette!!
- Was a competitor to OSPF - designed for the OSI protocol stack!!
OSPF won as it was built for TCP/IP
- Excellent protocol!!
- Rarely used in enterprises (common in large ISPs)...requires expertise!!
EIGRP
- Like a Ferrari!!
- Very fast protocol but uncommon outside Cisco shops.
- Created by Cisco for Cisco...easy to configure.
- Metric - composite of bandwidth and delay by default; can include reliability and load, weighted by 'K' values (MTU is carried in updates but not used in the calculation).
BGP
- Used between autonomous systems - the routing protocol of the Internet
NOTE:
We can use a mixture of protocols in our network. If a router has learned the same route via different protocols, administrative distance decides which one goes in the routing table. This tells us how believable the routing protocol is (lower is better).
Administrative Distances
Each protocol has an administrative distance to tell us how believable it is!
RIP                 120
IS-IS               115
OSPF                110
EIGRP               90
BGP (external)      20   (internal BGP is 200)
Static Route        1
Connected Interface 0
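The two selection rules in these notes, administrative distance when the same prefix is learned from different sources and longest prefix match when several routes cover a destination (the static-route example earlier, where the /24 beats the 0.0.0.0/0 default), worked through in Python as an added example, not from the original notes. The candidate routes are constructed around the two static routes from the example; the next-hop addresses and metrics are invented.

```python
import ipaddress
from dataclasses import dataclass

# Administrative distances from the table above (eBGP 20; iBGP is 200)
AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110, "isis": 115, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "192.168.3.0/24"
    next_hop: str    # next-hop IP or outgoing interface
    source: str      # key into AD
    metric: int = 0  # only compared between routes from the same protocol


def build_table(candidates):
    """Keep one route per prefix: lowest AD wins, then lowest metric."""
    best = {}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or (AD[r.source], r.metric) < (AD[cur.source], cur.metric):
            best[r.prefix] = r
    return list(best.values())


def lookup(table, dst):
    """Longest-prefix match: the most specific route wins; the default (/0) only as a last resort."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed candidate routes for a router that has the two static routes from the example
CANDIDATES = [
    Route("192.168.2.0/24", "FastEthernet0/1", "connected"),
    Route("192.168.3.0/24", "192.168.2.2", "static"),
    Route("192.168.3.0/24", "10.0.0.2", "rip", metric=2),       # loses to the static (AD 120 vs 1)
    Route("10.1.0.0/16", "10.0.0.2", "ospf", metric=20),
    Route("10.1.0.0/16", "10.0.0.3", "eigrp", metric=3072),     # EIGRP (AD 90) beats OSPF (AD 110)
    Route("0.0.0.0/0", "68.25.121.199", "static"),
]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for dst in ("192.168.3.77", "8.8.8.8", "10.1.5.5", "192.168.2.9"):
        r = lookup(table, dst)
        print(f"{dst:14} -> {r.prefix:16} via {r.next_hop:16} [{AD[r.source]}/{r.metric}] {r.source}")
```

The `[AD/metric]` pair printed for each route is the same notation `show ip route` uses in its brackets, which is the quickest way to see on a real router why one route was installed over another.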
Configuring OSPF
27 October 2014
16:10
both things!!!!
Best practice is to define the exact IP address of the interface we want to send hello packets on.
Areas must match. Areas define how many routers to cover and let us summarize entries in the routing
table (eg. 192.168.0.0/16 instead of 192.168.1.0/24 and 192.168.2.0/24).
a. R1(config-router)# network 192.168.2.0 0.0.0.255 area 0
i. BUT IT IS BETTER TO DEFINE THE EXACT INTERFACE IP...
1) R1(config-router)# network 192.168.2.1 0.0.0.0 area 0
The wildcard bits tell us to "ignore the zeroes and look at the ones!!"
The above command turns on "hello" packets on that interface and
also advertises the 192.168.2.0 network to its neighbours!
On Router 2
1. Turn on OSPF
a. R2(config)# router ospf 1
2. Tell it what interfaces to use
a. R2(config-router)# network 192.168.2.2 0.0.0.0 area 0
interfaces!!
We need to advertise the 192.168.1.0 network on R1 and the 192.168.3.0 network on R2. You will
see from the diagram that there is no need to send hello packets on those two interfaces as there
are no routers attached to those networks...we just need to advertise the route. We can do this by
configuring the interfaces as passive interfaces. This advertises the route but does not send "hello"
packets on the interface.
On Router 1
1. Set interface as passive
a. R1(config-router)# passive-interface fa0/0
2. Tell it to advertise network
a. R1(config-router)# network 192.168.1.1 0.0.0.0 area 0
On Router 2
1. Set interface as passive
a. R2(config-router)# passive-interface fa0/0
2. Tell it to advertise network
a. R2(config-router)# network 192.168.3.1 0.0.0.0 area 0
**USEFUL COMMANDS**
- R1# show ip ospf neighbor
This tells us if the router has any neighbours and tells us the dead timer of a connected router
- R1# show ip route
Will tell us of routes established by OSPF
- R1# show ip protocols
See if OSPF is enabled
- R1# debug ip ospf packet
Can see 'hello' messages
- R1# show ip ospf database
Shows us the OSPF link states
Router ID
The router ID is the highest (loopback) IP address configured on a router (unless a router ID has been
manually configured). If no loopback IP address is set then the Router uses the highest IP address
configured on its active interfaces.
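Added example (Python, not from these notes and not IOS code): a small model of the OSPF rules covered above - which interfaces a network statement with wildcard bits catches, what passive-interface changes (route still advertised, no hellos sent), and how the router ID is picked. The interface names, the constructed Loopback0 address and the "first matching network statement decides the area" simplification are assumptions of the example, not something the notes state.

```python
import ipaddress

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard-mask semantics from the notes: a 0 bit must match, a 1 bit is ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def ospf_interface_state(interfaces, network_statements, passive):
    """interfaces: {name: ip}; network_statements: [(addr, wildcard, area)] in
    config order; passive: set of names under 'passive-interface'.
    Returns {name: (area, sends_hello)} for matched interfaces, None otherwise."""
    state = {}
    for name, ip in interfaces.items():
        state[name] = None
        for addr, wc, area in network_statements:
            if wildcard_match(ip, addr, wc):
                # matched: the prefix is advertised; hellos only if not passive
                state[name] = (area, name not in passive)
                break  # assumption: first matching network statement decides the area
    return state

def router_id(interfaces, manual=None):
    """Manual router-id wins; else highest loopback IP; else highest active IP."""
    if manual:
        return manual
    loopbacks = [ip for name, ip in interfaces.items() if name.lower().startswith("lo")]
    pool = loopbacks or list(interfaces.values())
    return str(max(ipaddress.IPv4Address(ip) for ip in pool))

# Constructed R1 from the notes' scenario: Fa0/0 on the 192.168.1.0 LAN (no
# neighbouring router, so passive), S0/0 on the 192.168.2.0 link to R2.
# Interface names and the Loopback0 address below are assumptions for this example.
R1_INTERFACES = {"Fa0/0": "192.168.1.1", "S0/0": "192.168.2.1"}
R1_NETWORKS = [("192.168.2.1", "0.0.0.0", 0), ("192.168.1.1", "0.0.0.0", 0)]
R1_PASSIVE = {"Fa0/0"}

if __name__ == "__main__":
    for name, st in ospf_interface_state(R1_INTERFACES, R1_NETWORKS, R1_PASSIVE).items():
        print(name, "not in OSPF" if st is None
              else f"area {st[0]}, hello={'yes' if st[1] else 'no (passive)'}")
    print("router-id:", router_id(R1_INTERFACES))
    print("router-id with Loopback0:", router_id({**R1_INTERFACES, "Loopback0": "10.255.255.1"}))
```

Note how the loopback wins the router ID even though 10.255.255.1 is numerically lower than the physical interface addresses: loopbacks are checked first, and only if there are none does the highest active interface IP get used.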
Route Preference
Be aware that a more specific subnet mask beats administrative distance!!
So... a RIP /26 learned route will beat an EIGRP /24 learned route!!!
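Added example (Python, not from these notes): the two decisions from the Administrative Distances list and the Route Preference note above, as code. Installing a route compares administrative distance (only for the same prefix); forwarding a packet uses the longest matching prefix, so the RIP /26 beats the EIGRP /24 for hosts it covers. The next-hop labels and the route set are constructed; the static route AD of 1 is not in the notes' list and is the IOS default.

```python
import ipaddress

# Administrative distances as listed in the notes (lower = more believable).
# 'static' is not in the notes' list; 1 is the IOS default.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "bgp": 20, "eigrp": 90,
                  "ospf": 110, "isis": 115, "rip": 120}

def build_routing_table(learned):
    """learned: [(prefix, protocol, next_hop)] as offered by each routing source.
    For one and the same prefix, only the lowest-AD source gets installed
    (this is what decides what you see in 'show ip route')."""
    table = {}
    for prefix, proto, next_hop in learned:
        prefix = str(ipaddress.IPv4Network(prefix))   # normalise the key
        current = table.get(prefix)
        if current is None or ADMIN_DISTANCE[proto] < ADMIN_DISTANCE[current[0]]:
            table[prefix] = (proto, next_hop)
    return table

def lookup(table, dest):
    """Forwarding decision: the longest matching prefix wins, regardless of AD.
    Returns (prefix, protocol, next_hop) or None if nothing matches."""
    d = ipaddress.IPv4Address(dest)
    hits = [(ipaddress.IPv4Network(p), src) for p, src in table.items()
            if d in ipaddress.IPv4Network(p)]
    if not hits:
        return None
    net, (proto, next_hop) = max(hits, key=lambda h: h[0].prefixlen)
    return (str(net), proto, next_hop)

# Constructed routes; the next hops are placeholder labels.
LEARNED = [("10.1.1.0/24", "eigrp", "via-R2"), ("10.1.1.0/26", "rip", "via-R3"),
           ("192.168.5.0/24", "rip", "via-R3"), ("192.168.5.0/24", "ospf", "via-R4")]

if __name__ == "__main__":
    table = build_routing_table(LEARNED)
    for dest in ("10.1.1.5", "10.1.1.200", "192.168.5.9", "8.8.8.8"):
        print(dest, "->", lookup(table, dest))
```

The two prefixes 10.1.1.0/24 and 10.1.1.0/26 are different routes, so both are installed and AD never gets a say between them; 192.168.5.0/24 is the same prefix from two sources, so OSPF (110) replaces RIP (120).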
Permit 192.168.2.50
Deny 192.168.1.0/24
Permit TCP port 80 for 200.1.1.1
Standard
- Matches based only on source address
- Lower processor utilization
- Effect depends on application
Eg. Deny 10.1.1.1, permit 10.1.1.2
- Apply as close to the destination as possible!
Extended
- Matches based on source/destination IP address, protocol, source/destination port number
Eg. TCP/IP - TCP allow, UDP deny, ICMP allow
- Higher processor utilization
- Syntax takes some time to learn
- Apply as close to the source as possible!
Reflexive (established)
- Allows traffic to be returned for any requests made from our local network
Eg. A user accesses Google.com - the webpage would be allowed to be sent
back/received.
Scenario
Example 1
Use a standard access list to block 10.1.1.1 from reaching 10.1.1.6 and 192.168.1.0/24.
- After looking at the network diagram I can see that we need to block R3 from reaching R1. Remember standard
access lists can only block source IP address - in this case 10.1.1.1. We need to go as close as possible to the
destination so we are not affecting any other network flow. In this case it will be best to create the access list on
R1 and apply on S0/0 inbound.
1. Configuration
R1(config)# access-list 1 deny host 10.1.1.1
- Each line we create in an access list has a sequence number which determines the order in which rules are
evaluated. We can squeeze lines in where necessary!
- Remember there is an implicit deny at the end of an access list.
- We need to add a permit any statement.
R1(config)# access-list 1 permit any
- This will add another step to the access list before the implicit deny!
Configuration is now done!!
2. Application
We need to apply the access list to S0/0 inbound on R1.
R1(config)# int s0/0
R1(config-if)# ip access-group 1 in
- Important we apply this in the correct direction!
ALL DONE!! We have now configured and applied the access list. We would test by pinging and using telnets etc.
Example 2
Use a standard access list to block access to the 192.168.1.0/24 from 192.168.2.128/25
1. Configuration
Get as close to the destination as possible. Looking at diagram it will be best to create the access list on R1 and
apply on the Fa0/0 interface outbound.
All done...we would test with pings etc to ensure all working OK!
All done!!
Remember that extended access control lists give us more flexibility and control...we can block using
source/destination IP address, protocol, source/destination port number!!
Scenario
Example 1
Use an extended ACL to block 192.168.1.0/24 from reaching 192.168.2.128/25.
- We need to apply as close to the source as possible...and so in this case it would be most efficient to apply on R1
Fa0/0 inbound!
1. Config
R1(config)# access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.127
- Extended access lists have a number between 100-199...or we could just use ip access-list command to
create a named access list.
- Source address comes first and then destination address
R1(config)# access-list 100 permit ip any any
- Remember we need the permit any statement
2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group 100 in
All done...we can test with pings.
Example 2
Block 192.168.1.50 from reaching 192.168.2.50 on https or http.
- In this case we can just edit the previous access list! We will need to insert the commands to block http and https
before the permit any statement. We can do this using the sequence number...use show ip access-list to see what
sequence number we should use.
1. Config
R1(config)# ip access-list extended 100
R1(config-ext-nacl)# 11 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80
R1(config-ext-nacl)# 12 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443
This will add two commands before the permit any command to block http (80) and https (443)!!
Example 3
Permit 192.168.2.0/25 to access 10.1.1.1 using only telnet and SSH.
- We need to configure as close to the source and so it will be most efficient to configure and apply on R2 Fa0/0
inbound. Telnet port is 23, SSH is 22.
1. Config
R2(config)# ip access-list extended R3_TELNET_SSH
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 22
R2(config-ext-nacl)# permit tcp 192.168.2.0 0.0.0.127 host 10.1.1.1 eq 23
R2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.127 host 10.1.1.1
- This denies all other traffic from 192.168.2.0 as we only want to allow SSH and Telnet as per above
commands!
R2(config-ext-nacl)# permit ip any any
2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group R3_TELNET_SSH in
All done!! Just to confirm that the 192.168.2.0 would still be able to access the 192.168.2.128 network...it can still go
through R3...it is simply only able to telnet and SSH the 10.1.1.1 WAN IP address!! The 192.168.2.128 network is a
completely different subnet/network!
Example 4
Block 192.168.1.0/24 from reaching any WAN IP address.
- So we need to block access to 10.1.1.x...all of the WAN links!
- Apply as close to the source as possible and so it will be best to apply on R1 Fa0/0 inbound.
1. Config
R1(config)# ip access-list extended BLOCK_WAN
R1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 10.1.1.4 0.0.0.3
R1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.3
R1(config-ext-nacl)# permit ip any any
2. Application
R1(config)# int fa0/0
R1(config-if)# ip access-group BLOCK_WAN in
NOTE
The 192.168.1.0 will still be able to access all of the LAN networks...eg 192.168.2.0 and 192.168.2.128...which is what we
want! The network will just be unable to contact the WAN IP's directly! They can still pass through them though.
Example 5
Permit access to 192.168.2.50 using only SMTP (25), POP3(110) and IMAP(143) from anywhere.
- As we do not know the source we will need to apply as close to the destination as possible, so it would be most
efficient to apply on R2 Fa0/0 outbound.
1. Config
R2(config)# ip access-list extended EMAIL_FILTER_R2
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 25
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 110
R2(config-ext-nacl)# permit tcp any host 192.168.2.50 eq 143
R2(config-ext-nacl)# deny ip any host 192.168.2.50
- Ensure we get no other traffic coming to 192.168.2.50 (as imagine it is an email/Exch server)
R2(config-ext-nacl)# permit ip any any
- We need this command as we would have other PC's/devices on the 192.168.2.0 network and we wouldn't
want to block all traffic to these devices!
2. Application
R2(config)# int fa0/0
R2(config-if)# ip access-group EMAIL_FILTER_R2 out
All sorted!! Test with pings etc...
NOTE:
We can also use 'gt' or 'lt' instead of 'eq' if we want to specify a port which is greater than or less than the port specified.
Eg.
R2(config-ext-nacl)# permit tcp any host 192.168.20.50 gt 100
- This would allow all traffic to host 192.168.20.50 on a destination port greater than 100.
If we issue another show ip access-list command we will see the command has been inserted between the previous two
entries
R2# show ip access-list
Extended IP access list BLOCK_TRAFFIC
10 permit tcp any any
15 permit icmp any any
20 permit udp any any
To remove a line from an access list we can issue the no command as follows in ACL config mode
R2(config-ext-nacl)# no 20
- This would remove just the '20 permit udp any any' line
To remove an access list completely we would issue the below command in global config mode
R2(config)# no ip access-list extended BLOCK_TRAFFIC
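Added example (Python, not from these notes and not IOS code): a model of how the access lists in Examples 1 to 5 are evaluated, plus the sequence-number insert and 'no <seq>' removal just described. It parses the ACL lines exactly as the notes type them (standard entries with a source only, extended entries with protocol, source, destination and eq/gt/lt port), walks them top-down with first match wins, and falls through to the implicit deny. The packet tuples used to exercise it are constructed.

```python
import ipaddress
from dataclasses import dataclass

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = every bit ignored

def wildcard_match(addr, network, wildcard):
    """0 bits in the wildcard must match, 1 bits are ignored."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((net, wc), next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

@dataclass
class Ace:
    seq: int
    text: str            # the entry as typed, for a 'show ip access-list' style listing
    action: str          # permit / deny
    proto: str           # 'ip' for standard entries (matches every protocol)
    src: tuple
    dst: tuple           # ANY for standard entries (they match on source only)
    port_op: str = None  # eq / gt / lt on the destination port
    port: int = None

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if not (wildcard_match(src, *self.src) and wildcard_match(dst, *self.dst)):
            return False
        if self.port_op is None:
            return True
        if dport is None:            # e.g. ICMP has no port to compare
            return False
        return {"eq": dport == self.port, "gt": dport > self.port,
                "lt": dport < self.port}[self.port_op]

def parse_ace(line, default_seq):
    t = line.split()
    i, seq = 0, default_seq
    if t[0].isdigit():               # explicit sequence number, e.g. '11 deny tcp ...'
        seq, i = int(t[0]), 1
    text = " ".join(t[i:])
    action, i = t[i], i + 1
    if t[i] in PROTOCOLS:            # extended: protocol, source, destination, [op port]
        proto, i = t[i], i + 1
        src, i = _parse_addr(t, i)
        dst, i = _parse_addr(t, i)
        op, port = (t[i], int(t[i + 1])) if i < len(t) else (None, None)
        return Ace(seq, text, action, proto, src, dst, op, port)
    src, i = _parse_addr(t, i)       # standard: source address only
    return Ace(seq, text, action, "ip", src, ANY)

class AccessList:
    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, line):
        """Append with the next multiple of 10, or insert at an explicit sequence number."""
        next_seq = (max((e.seq for e in self.entries), default=0) // 10 + 1) * 10
        ace = parse_ace(line, next_seq)
        self.entries = sorted([e for e in self.entries if e.seq != ace.seq] + [ace],
                              key=lambda e: e.seq)

    def remove(self, seq):
        """'no <seq>' in ACL config mode removes just that one line."""
        self.entries = [e for e in self.entries if e.seq != seq]

    def show(self):
        return [f"{e.seq} {e.text}" for e in self.entries]

    def evaluate(self, proto, src, dst, dport=None):
        """Top-down, first match wins; the implicit deny catches everything else."""
        for e in self.entries:
            if e.matches(proto, src, dst, dport):
                return e.action
        return "deny"

if __name__ == "__main__":
    acl = AccessList("100")            # Examples 1 and 2 above, in the order typed
    acl.add("deny ip 192.168.1.0 0.0.0.255 192.168.2.128 0.0.0.127")
    acl.add("permit ip any any")
    acl.add("11 deny tcp host 192.168.1.50 host 192.168.2.50 eq 80")
    acl.add("12 deny tcp host 192.168.1.50 host 192.168.2.50 eq 443")
    print("\n".join(acl.show()))
    print(acl.evaluate("tcp", "192.168.1.50", "192.168.2.50", 443))   # deny (seq 12)
    print(acl.evaluate("tcp", "192.168.1.50", "192.168.2.50", 22))    # permit (seq 20)
```

Removing sequence 20 (the permit ip any any) with acl.remove(20) turns every unmatched packet into an implicit deny, which is exactly the mistake the notes warn about when the permit any statement is forgotten.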
NAT Concepts
10 November 2014
09:08
NAT Configuration
10 November 2014
09:24
Scenario
PAT
1. Do the base config on a router!
2. Configure interfaces on the router.
- R1(config)# int fa0/0
- R1(config-if)# ip address 192.168.1.1 255.255.255.0
- R1(config)# int fa0/1
- R1(config-if)# ip address dhcp
3. Setup DHCP scope
- R1(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
- R1(config)# ip dhcp pool LAN
- R1(dhcp-config)# network 192.168.1.0 255.255.255.0
- R1(dhcp-config)# dns-server 8.8.8.8
- R1(dhcp-config)# default-router 192.168.1.1
Note - some routers will auto-configure the default route if we have configured the WAN
interface to use DHCP.
4. Identify our interfaces (inside and outside)
- R1# show ip int brief
- R1(config)# int fa0/0
- R1(config-if)# ip nat inside
- R1(config)# int fa0/1
- R1(config-if)# ip nat outside
5. Identify our inside IP addresses
- 192.168.1.0/24
- Here we use an access list
- R1(config)# ip access-list standard INSIDE_NAT_ADDRESSES
- R1(config-std-nacl)# permit 192.168.1.0 0.0.0.255
6. IP NAT Connection Command
- R1(config)# ip nat inside source list INSIDE_NAT_ADDRESSES interface fa0/1 overload
The overload command enables PAT
Without this it would only allow 1 address to be NAT'd - this is dynamic NAT
Static NAT
- R1(config)# ip nat inside source static 192.168.1.51 208.53.91.7
(192.168.1.51 = IP of server, 208.53.91.7 = public IP address)
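Added example (Python, not from these notes and not IOS code): a small translation-table model of the three NAT flavours covered above. The inside list plays the role of INSIDE_NAT_ADDRESSES, overload=True is PAT (each session gets its own port on the outside interface address), overload=False is dynamic NAT where the single interface address can only be held by one inside host, and the static map is the server entry. The outside address 203.0.113.5 and the inside hosts are constructed; the static mapping reuses the notes' 192.168.1.51 / 208.53.91.7.

```python
import ipaddress

class NatRouter:
    """Simplified model: one global address (the outside interface), TCP/UDP
    ports only, no timeouts. Constructed for illustration."""

    def __init__(self, outside_ip, inside_networks, overload, static=None):
        self.outside_ip = outside_ip
        self.inside = [ipaddress.IPv4Network(n) for n in inside_networks]  # the inside ACL
        self.overload = overload          # True = PAT, False = dynamic NAT
        self.static = dict(static or {})  # inside local -> inside global
        self.table = {}                   # (inside_ip, inside_port) -> (global_ip, global_port)
        self.next_port = 1024

    def _in_inside_list(self, ip):
        return any(ipaddress.IPv4Address(ip) in net for net in self.inside)

    def translate(self, inside_ip, inside_port):
        """Outbound packet. Returns the (ip, port) it leaves with: a static or
        dynamic translation, the untouched pair if the inside list does not
        match it, or None if dynamic NAT has no free global address (dropped)."""
        if inside_ip in self.static:
            return (self.static[inside_ip], inside_port)
        if not self._in_inside_list(inside_ip):
            return (inside_ip, inside_port)
        key = (inside_ip, inside_port)
        if key not in self.table:
            if self.overload:
                # PAT: every session gets its own source port on the shared address
                self.table[key] = (self.outside_ip, self.next_port)
                self.next_port += 1
            else:
                # dynamic NAT without overload: the interface address is the whole
                # pool, so only one inside host may hold it at a time
                owners = {ip for ip, _ in self.table}
                if owners and inside_ip not in owners:
                    return None
                self.table[key] = (self.outside_ip, inside_port)
        return self.table[key]

    def inbound(self, global_ip, global_port):
        """Inbound packet. A static entry is always reachable from outside;
        otherwise only traffic matching an existing outbound session gets in."""
        for inside_ip, public_ip in self.static.items():
            if public_ip == global_ip:
                return (inside_ip, global_port)
        for key, val in self.table.items():
            if val == (global_ip, global_port):
                return key
        return None

if __name__ == "__main__":
    pat = NatRouter("203.0.113.5", ["192.168.1.0/24"], overload=True,
                    static={"192.168.1.51": "208.53.91.7"})
    print(pat.translate("192.168.1.20", 50000))   # ('203.0.113.5', 1024)
    print(pat.translate("192.168.1.21", 50000))   # ('203.0.113.5', 1025)
    print(pat.inbound("203.0.113.5", 9999))       # None: no session, dropped
    print(pat.inbound("208.53.91.7", 443))        # ('192.168.1.51', 443): static, always open
```

The inbound() side is the security-relevant part: with PAT an outside host can only reach an inside host that already has a session in the table, whereas the static entry exposes 192.168.1.51 on every port, so the server behind it needs the ACL treatment from the earlier examples.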
IPv6 Concepts
10 November 2014
10:12
[Diagram: IPv6 address layout - 64 bits NETWORK | 64 bits HOST, eg. FE80:0000:0000:0000 | 02FE:4GFF:FE8A:CH1F]
[Diagram: global unicast layout - global routing prefix 'n' bits | subnet ID 64-n bits | interface ID (HOST) 64 bits]
IANA dishes out the IP addresses to all organizations!! They would decide the global routing prefix!
Example
The Subnet ID is comprised of bits left over after the global routing prefix.
The primary addresses expected to comprise the IPv6 internet are from the 2001::/16 subnet.
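Added example (Python, not from these notes): splitting an address into the three fields from the diagram above, given how many bits IANA/the provider handed out as the global routing prefix. The subnet ID is whatever is left of the 64 network bits, which is also how many /64 subnets the organization can carve out. The /48 allocation 2001:db8:abcd::/48 is a constructed documentation address, not one from the notes.

```python
import ipaddress

def split_ipv6(addr: str, prefix_len: int) -> dict:
    """Split an IPv6 address into the fields from the notes: global routing
    prefix (n bits), subnet ID (64 - n bits) and interface ID (the 64 HOST bits)."""
    if not 0 <= prefix_len <= 64:
        raise ValueError("the global routing prefix must be 0..64 bits long")
    value = int(ipaddress.IPv6Address(addr))
    network_half = value >> 64                  # upper 64 bits = NETWORK
    interface_id = value & ((1 << 64) - 1)      # lower 64 bits = HOST
    subnet_bits = 64 - prefix_len
    subnet_id = network_half & ((1 << subnet_bits) - 1)
    routing_prefix = network_half >> subnet_bits
    return {
        "global_routing_prefix": str(ipaddress.IPv6Network(
            (routing_prefix << (128 - prefix_len), prefix_len))),
        "subnet_bits": subnet_bits,
        "subnets_available": 1 << subnet_bits,  # how many /64s the org can make
        "subnet_id": subnet_id,
        "subnet": str(ipaddress.IPv6Network((network_half << 64, 64))),
        "interface_id": f"{interface_id:016x}",
    }

if __name__ == "__main__":
    # Constructed example: a /48 allocation from the 2001::/16 range named in the notes.
    for field, val in split_ipv6("2001:db8:abcd:12::1", 48).items():
        print(f"{field:22} {val}")
```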
IPv6 Configuration
11 November 2014
10:00
Scenario
Verify Addresses
- R1# show ipv6 int brief
- R1# ping ipv6 ip-address