What Is a Network?

The first assignment in understanding how to build a computer network is defining what a network is and understanding how it is used to help a business meet its objectives.

A network is a combination of computer hardware, cabling, network devices, and computer software used together to allow computers to communicate with each other. Put another way, a network is all of the components (hardware and software) involved in connecting computers across small and large distances. Networks are used to provide easy access to information, thus increasing productivity for users.

Network Characteristics

The following characteristics should be considered in network design and ongoing maintenance:

Availability: Availability is typically measured as a percentage based on the number of minutes in a year. Uptime is therefore the number of minutes the network is available divided by the number of minutes in a year.
Cost: Includes the cost of the network components, their installation, and their ongoing maintenance.
Reliability: Defines the reliability of the network components and the connectivity between them. Mean time between failures (MTBF) is commonly used to measure reliability.
Security: Includes the protection of the network components and the data they contain and/or the data transmitted between them.
Speed: Includes how fast data is transmitted between network end points (the data rate).
Scalability: Defines how well the network can adapt to new growth, including new users, applications, and network components.
Topology: Describes the physical cabling layout and the logical way data moves between components.

Many different types and locations of networks exist. You might use a network in your home or home office to communicate via the Internet, to locate information, to place orders for merchandise, and to send messages to friends.
You might work in a small office that is set up with a network that connects other computers and printers in the office. You might work in a large enterprise in which many computers, printers, storage devices, and servers communicate and store information from many departments over large geographic areas. Networks carry data in many types of environments, including homes, small businesses, and large enterprises. In a large enterprise, a number of locations might need to communicate with each other, and you can describe those locations as follows:

Corporate office: A corporate or main office is a site where everyone is connected via a network and where the bulk of corporate information is located. A corporate office can have hundreds or even thousands of people who depend on network access to do their jobs. A main office might use several connected networks, which can span many floors in an office building or cover a campus that contains several buildings.
Remote locations: A variety of remote access locations use networks to connect to the main office or to each other.
Branch offices: In branch offices, smaller groups of people work and communicate with each other via a network. Although some corporate information might be stored at a branch office, it is more likely that branch offices have local network resources, such as printers, but must access information directly from the main office.
Home offices: When individuals work from home, the location is called a home office. Home office workers often require on-demand connections to the main or branch offices to access information or to use network resources such as file servers.
Mobile users: Mobile users connect to the main office network while at the main office, at a branch office, or traveling. The network access needs of mobile users are based on where the mobile users are located.

Network Components

All of these networks share many common components.
As the definition above states, a network is basically the sharing of information via network components, so network components play a major role in designing and maintaining a network. The most essential network components are listed here:

Applications: network-aware, network-unaware
Protocols: open standard, proprietary
Computers: Windows, Macintosh OS, UNIX, Linux
Networking devices: hubs, bridges, switches, routers, firewalls, wireless access points, modems
Media types: copper, coaxial, UTP, fiber cabling

Network Security

Security is a fundamental component of every network design. When planning, building, and operating a network, you should understand the importance of a strong security policy. A security policy defines what people can and cannot do with network components and resources.

Need for Network Security

In the past, hackers were highly skilled programmers who understood the details of computer communications and how to exploit vulnerabilities. Today almost anyone can become a hacker by downloading tools from the Internet. These complicated attack tools and generally open networks have generated an increased need for network security and dynamic security policies.

The easiest way to protect a network from an outside attack is to close it off completely from the outside world. A closed network provides connectivity only to trusted, known parties and sites; a closed network does not allow a connection to public networks. Because they have no Internet connectivity, networks designed in this way can be considered safe from Internet attacks. However, internal threats still exist. Estimates put 60 to 80 percent of network misuse as coming from inside the enterprise where the misuse has taken place.

With the development of large open networks, security threats have increased significantly in the past 20 years.
Hackers have discovered more network vulnerabilities, and because applications that require little or no hacking knowledge can now be downloaded, tools intended for troubleshooting, maintaining, and optimizing networks can, in the wrong hands, be used maliciously and pose severe threats.

An adversary is a person who is interested in attacking your network; the motivation can range from gathering or stealing information, to creating a denial of service (DoS), to simply the challenge of it.

Types of Attack

Classes of attack might include passive monitoring of communications, active network attacks, close-in attacks, exploitation by insiders, and attacks through the service provider. Information systems and networks offer attractive targets and should be resistant to attack from the full range of threat agents, from hackers to nation-states. A system must be able to limit damage and recover rapidly when attacks occur. There are five types of attack:

Passive attack: A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.

Active attack: In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information.
These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or modification of data.

Distributed attack: A distributed attack requires that the adversary introduce code, such as a Trojan horse or backdoor program, into a "trusted" component or piece of software that will later be distributed to many other companies and users. Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks introduce malicious code such as a back door into a product to gain unauthorized access to information or to a system function at a later date.

Insider attack: An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network. Insider attacks can be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task.

Close-in attack: A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network. Close-in attacks consist of regular individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.

Mitigating Common Threats

Improper and incomplete network device installation is an often-overlooked security threat that, if left unaddressed, can have terrible results.
Software-based security measures alone cannot prevent intended or even accidental network damage caused by poor installation. This section describes how to mitigate common security threats to servers, routers, and switches.

Physical installations: Physical installations involve four types of threats: hardware, electrical, environmental, and maintenance.

Hardware threats: Hardware threats involve physical damage to network components, such as servers, routers, and switches. Mission-critical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms that meet these minimum requirements:
- The room must be locked, with only authorized personnel allowed access.
- The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or any point of entry other than the secured access point.
- If possible, use electronic access control, with all entry attempts logged by security systems and monitored by security personnel.
- If possible, security personnel should monitor activity via security cameras with automatic recording.

Electrical threats: Electrical threats include irregular fluctuations in voltage, such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss. They can be limited by adhering to these guidelines:
- Install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.
- Install backup generator systems for mission-critical supplies.
- Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturer-suggested preventative maintenance schedule.
- Install redundant power supplies on critical devices.
- Monitor and alarm power-related parameters at the power supply and device levels.
Environmental threats: Environmental threats include temperature extremes (too hot or too cold), humidity extremes (too wet or too dry), and electrostatic and magnetic interference. Take these actions to limit environmental damage to Cisco network devices:
- Supply the room with dependable temperature and humidity control systems.
- Always verify the recommended environmental parameters of the Cisco network equipment against the supplied product documentation.
- Remove any sources of electrostatic and magnetic interference in the room.
- If possible, remotely monitor and alarm the environmental parameters of the room.

Maintenance threats: Maintenance-related threats are a broad category that includes poor handling of key electronic components, electrostatic discharge (ESD), lack of critical spares or backup parts for critical network components, poor cabling, incorrect labeling of components and their cabling, and so on. Follow the general rules listed here to prevent maintenance-related threats:
- Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage, disconnection, or incorrect termination.
- Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections.
- Always follow ESD procedures when replacing or working with internal router and switch components.
- Maintain a stock of critical spares for emergency use.
- Do not leave a console connected to and logged into any console port. Always log off administrative interfaces when leaving a station.
- Do not rely upon a locked room as the only protection for a device. Always remember that no room is ever totally secure.
After intruders are inside a secure room, nothing is left to stop them from connecting a terminal to the console port of a Cisco router or switch.

OSI Reference Model

The OSI reference model is the primary model for network communications. The early development of LANs, MANs, and WANs was confused in many ways. The early 1980s saw great increases in the number and sizes of networks. As companies realized that they could save money and gain productivity by using networking technology, they added networks and expanded existing networks as rapidly as new network technologies and products were introduced.

In 1984, the International Organization for Standardization (ISO) developed the OSI Reference Model to describe how information is transferred from one networking component to another, from the point when a user enters information using a keyboard and mouse to when that information is converted to electrical or light signals transferred along a piece of wire (or radio waves transferred through the air). ISO developed the seven-layer model to help vendors and network administrators gain a better understanding of how data is handled and transported between networking devices, as well as to provide a guideline for the implementation of new networking standards and technologies.

To assist in this process, the OSI Reference Model separates the network communication process into seven simple layers. Dividing the network into these seven layers provides these advantages:

Reduces complexity: It breaks network communication into smaller, simpler parts. Dividing the communication process into smaller components aids component development, design, and troubleshooting.
Standardizes interfaces: It standardizes network components to allow multiple-vendor development and support.
Facilitates modular engineering: It allows different types of network hardware and software to communicate with each other.
Interoperability between vendors: It allows multiple-vendor development through standardization of network components. It defines the process for connecting two layers together, promoting interoperability between vendors, and allows vendors to compartmentalize their design efforts to fit a modular design, which eases implementation and simplifies troubleshooting.
Ensures interoperable technology: It prevents changes in one layer from affecting the other layers, allowing for quicker development.
Accelerates evolution: It provides for effective updates and improvements to individual components without affecting other components or having to rewrite the entire protocol.
Simplifies teaching and learning: It breaks network communication into smaller components to make learning easier, and provides a teaching tool to help network administrators understand the communication process used between networking components.

OSI Reference Model

Each OSI layer contains a set of functions performed by programs to enable data to travel from a source to a destination on a network. In our previous article I described the advantages of the OSI model. In this article I will provide brief descriptions of each layer in the OSI reference model.

Application Layer

The application layer is the OSI layer that is closest to the user. This layer provides network services to the user's applications. It differs from the other layers in that it does not provide services to any other OSI layer, but only to applications outside the OSI reference model. The application layer provides a platform to access the data of a remote computer. The application layer protocols that you should know are as follows:

SNMP (Simple Network Management Protocol): Communicates status and allows control of networked devices.
TFTP (Trivial File Transfer Protocol): Simple, lightweight file transfer.
DNS (Domain Name System): Translates a website name (easy for people) to an IP address (easy for computers).
DHCP (Dynamic Host Configuration Protocol): Assigns IP address, mask, and DNS server (plus a number of other parameters) to hosts.
Telnet: Provides a remote terminal connection to manage devices to which you are not close enough to use a console cable.
HTTP (Hypertext Transfer Protocol): Browses web pages.
FTP (File Transfer Protocol): Reliably sends/retrieves all file types.
SMTP (Simple Mail Transfer Protocol): Sends email.
POP3 (Post Office Protocol v3): Retrieves email.
NTP (Network Time Protocol): Synchronizes networked device clocks.

Presentation Layer

The presentation layer is responsible for formatting data so that application-layer protocols (and then the users) can recognize and work with it. Think of file extensions such as .doc, .jpg, .txt, .avi, and so on: each of these file types is formatted for use by a particular type of application. The presentation layer takes the application layer data and marks it with formatting codes so that it can be viewed reliably when accessed later. If necessary, the presentation layer might be able to translate between multiple data formats by using a common format.

Session Layer

The session layer establishes, manages, and terminates sessions between two communicating hosts. It provides its services to the presentation layer. The session layer also synchronizes dialogue between the presentation layers of the two hosts and manages their data exchange. For example, web servers have many users, so many communication processes are open at a given time. Therefore, keeping track of which user communicates on which path is important.

Transport Layer

The transport layer is possibly the most important layer for exam study purposes. A lot is going on here, and it is heavily tested. The transport layer's main jobs are:
- It sets up and maintains a session connection between two devices.
- It can provide for the reliable or unreliable delivery of data across this connection.
- It multiplexes connections, allowing multiple applications to simultaneously send and receive data.
- When implementing a reliable connection, sequence numbers and acknowledgments (ACKs) are used.
- Flow control (through the use of windowing or acknowledgements).
- Reliable connections (through the use of sequence numbers and acknowledgements).

The transport layer uses two protocols for sending data: TCP and UDP.

TCP

TCP is a connection-oriented protocol. Connection-oriented transmission is said to be reliable. Think of TCP as the Registered AD facility available in the Indian post office. For this level of service, you have to buy an extra ticket and put a bunch of extra labels on the item to track where it is going and where it has been. But you get a receipt when it is delivered, you are guaranteed delivery, and you can keep track of whether your shipment got to its destination. All of this costs you more, but it is reliable!

UDP

UDP is a connectionless protocol. Connectionless transmission is said to be unreliable. Don't get too wrapped up in the term "unreliable": this doesn't mean that the data isn't going to get there; it only means that it isn't guaranteed to get there. Think of sending a postcard: put it in the mailbox, and chances are good that it will get where it's supposed to go, but there is no guarantee, and stuff does go missing once in a while. On the other hand, it's cheap.

The transport layer can use two basic flow control methods:
- Ready/not ready signals
- Windowing

There are two problems with the use of ready/not ready signals to implement flow control. First, the destination may respond to the source with a not ready signal when its buffer fills up. While this message is on its way to the source, the source is still sending information to the destination, which the destination will probably have to drop because its buffer space is full.
The second problem with the use of these signals is that once the destination is ready to receive more information, it must first send a ready signal to the source, which must receive it before more information can be sent.

In windowing, a window size is defined between the two hosts engaged in data transmission. The sending host waits for an acknowledgement after sending a number of segments equal to the window size. If any segment is lost on the way, the receiver responds with an acknowledgement for the lost segment, and the sender sends the lost segment again. In many implementations, the window size is dynamically negotiated up front and can be renegotiated during the lifetime of the connection.

Reliability

When reliability is necessary, it should cover these four items:
- Recognizing lost packets and having them re-sent
- Recognizing packets that arrive out of order and reordering them
- Detecting duplicate packets and dropping the extra ones
- Avoiding congestion

Connection Multiplexing/Application Mapping

The transport layer assigns a unique set of numbers to each connection. These numbers are called port or socket numbers. TCP and UDP provide a multiplexing function for a device: this allows multiple applications to simultaneously send and receive data. Imagine a server that performs a number of functions, for example email, web pages, FTP, and DNS. The server has a single IP address, but can perform all these different functions for all the hosts that want to connect to it. The transport layer (layer 4) uses port numbers to distinguish between different types of traffic that might be headed for the same IP address. Port numbers are divided into ranges by the IANA.
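The windowing, retransmission, reordering and duplicate-dropping behaviour described above can be watched in a small simulation. The following is an added example written for this page, not code from the original article: a sender transmits a window of segments and waits for cumulative acknowledgements, a receiver reorders out-of-order segments and drops duplicates, and a constructed channel drops chosen segments. The Segment and Receiver classes, the transfer function, and the loss pattern are all assumptions made here for illustration; the sender resends from the first unacknowledged segment (go-back-N style), which is one of several recovery strategies real implementations use.

```python
"""Sliding-window transport simulation (added example, not from the article)."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int          # sequence number assigned by the sender
    payload: str


@dataclass
class Receiver:
    """Reorders segments, drops duplicates, and returns a cumulative ACK."""
    next_expected: int = 0
    buffer: dict = field(default_factory=dict)    # out-of-order segments, by seq
    delivered: list = field(default_factory=list)
    duplicates_dropped: int = 0

    def receive(self, seg: Segment) -> int:
        if seg.seq < self.next_expected or seg.seq in self.buffer:
            self.duplicates_dropped += 1              # already have it: drop the copy
        else:
            self.buffer[seg.seq] = seg.payload        # hold until it is contiguous
        while self.next_expected in self.buffer:      # deliver in sequence order
            self.delivered.append(self.buffer.pop(self.next_expected))
            self.next_expected += 1
        return self.next_expected                     # ACK = "send me this one next"


def transfer(data, window_size, lost, max_rounds=100):
    """Send each payload in `data` as one segment.

    `lost` is a set of (seq, attempt_number) pairs the channel silently drops,
    e.g. {(2, 1)} drops the first copy of segment 2 and lets the retransmission
    through. Returns the delivered payloads and transmission counters."""
    rx = Receiver()
    base = 0                  # lowest sequence number not yet acknowledged
    attempts = {}             # seq -> number of times it has been transmitted
    sent = resent = rounds = 0
    while base < len(data):
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError("transfer did not complete: persistent loss")
        acks = []
        # send a full window starting at `base` without waiting between segments
        for seq in range(base, min(base + window_size, len(data))):
            attempts[seq] = attempts.get(seq, 0) + 1
            sent += 1
            if attempts[seq] > 1:
                resent += 1
            if (seq, attempts[seq]) in lost:
                continue          # dropped in transit: no ACK for this copy
            acks.append(rx.receive(Segment(seq, data[seq])))
        # slide the window to the highest cumulative ACK received; if the first
        # segment of the window was lost the window does not move and the next
        # round resends it (the receiver drops the copies it already holds)
        if acks:
            base = max(base, max(acks))
    return {"delivered": rx.delivered, "sent": sent, "resent": resent,
            "duplicates_dropped": rx.duplicates_dropped}


if __name__ == "__main__":
    payloads = [f"segment-{i}" for i in range(8)]
    # constructed loss pattern: the first copy of segments 2 and 5 never arrives
    print(transfer(payloads, window_size=3, lost={(2, 1), (5, 1)}))
```

With a window of 3 and the two constructed losses, 8 segments cost 12 transmissions: 4 are retransmissions, and the receiver discards 2 of them as duplicates because they arrived ahead of the lost segment and were already buffered. That is the cost the text describes when it calls reliable delivery "more expensive" than the connectionless alternative.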
Following are the current port ranges:

Port range      Description
0-1023          Well-known: for common TCP/IP functions and applications
1024-49151      Registered: for applications built by companies
49152-65535     Dynamic/Private: for dynamic connections or unregistered applications

Common TCP and UDP port numbers:

Protocol   Transport   Port(s)
FTP        TCP         20, 21
Telnet     TCP         23
SMTP       TCP         25
DNS        TCP         53
HTTP       TCP         80
POP        TCP         110
NNTP       TCP         119
HTTPS      TCP         443
DNS        UDP         53
DHCP       UDP         67, 68
TFTP       UDP         69
NTP        UDP         123
SNMP       UDP         161

Network Layer

The network layer provides a logical topology and layer-3 addresses. Routers function at the network layer. This layer is responsible for three main functions:
- Defines logical addresses used at layer 3
- Finds paths, based on the network numbers of logical addresses, to reach destination devices
- Connects different data link types together, such as Ethernet, FDDI, Serial, and Token Ring

IP Packet

Where the transport layer uses segments to transfer information between machines, the Internet layer uses datagrams. Datagram is just another word for packet. The IP protocol is mainly responsible for these functions:
- Connectionless data delivery: best-effort delivery with no data recovery capabilities
- Hierarchical logical addressing to provide for highly scalable internetworks

IP addresses are broken into two components:
- Network component: defines on what segment in the network a device is located
- Host component: defines the specific device on a particular network segment

Two types of packets are used at the network layer: data and route updates.
- Data packets: Used to transport user data through the internetwork. Protocols used to support data traffic are called routed protocols; examples of routed protocols are IP and IPv6.
- Route update packets: Used to update neighboring routers about the networks connected to all routers within the internetwork. Protocols that send route update packets are called routing protocols; examples of some common ones are RIP, RIPv2, EIGRP, and OSPF.
Route update packets are used to help build and maintain routing tables on each router.

IP Classes

- Class A addresses range from 1-126: 00000001-01111111.
- Class B addresses range from 128-191: 10000000-10111111.
- Class C addresses range from 192-223: 11000000-11011111.
- Class D addresses range from 224-239: 11100000-11101111.
- Class E addresses range from 240-254.

Reserved values:
1. 0 is reserved and represents all IP addresses.
2. 127 is a reserved address and is used for testing, like a loopback on an interface.
3. 255 is a reserved address and is used for broadcasting purposes.

Public addresses are Class A, B, and C addresses that can be used to access devices in other public networks, such as the Internet.

Public IP Address Assignment Authority

The Internet Assigned Numbers Authority (IANA) is ultimately responsible for handing out and managing public addresses. Normally you get public addresses directly from your ISP, which, in turn, requests them from one of five upstream address registries:
- American Registry for Internet Numbers (ARIN)
- Réseaux IP Européens Network Coordination Centre (RIPE NCC)
- Asia Pacific Registry for Internet Numbers (APNIC)
- Latin American and Caribbean Internet Address Registry (LACNIC)
- African Network Information Centre (AfriNIC)

Private IP and ISP

Private IP addresses can be used to configure a private network. You can use private IPs to build your network without paying a single rupee. But the biggest problem with private IPs is that with them you cannot access the Internet. This is where the ISP comes in. An ISP purchases a bulk of public IP addresses and provides them on rent. Whatever you pay to the ISP for accessing the Internet is actually the charge for using a public IP address.
Private IP addresses (not routable in public networks):
- Class A: 10.0.0.0-10.255.255.255 (1 Class A network)
- Class B: 172.16.0.0-172.31.255.255 (16 Class B networks)
- Class C: 192.168.0.0-192.168.255.255 (256 Class C networks)

Network layer protocols:

Protocol                         Description
IP                               The IP of TCP/IP, featuring routable 32-bit addressing.
IPX                              The equivalent of IP in Novell NetWare.
ICMP                             Internet Connection Management Protocol. Incorporates Ping and Traceroute, which are layer 3 link-testing utilities.
OSPF, IGRP, EIGRP, RIP, IS-IS    Dynamic routing protocols that learn about remote networks and the best paths to them from other routers running the same protocol.
ARP, RARP                        Address Resolution Protocol (and Reverse ARP). ARP learns what MAC address is associated with a given IP address. Reverse ARP learns an IP address given a MAC address.

Data Link Layer

The main functions of the data link layer are:
- Defining the Media Access Control (MAC) or hardware addresses
- Defining the physical or hardware topology for connections
- Defining how the network layer protocol is encapsulated in the data link layer frame
- Providing both connectionless and connection-oriented services

The data link layer defines hardware (MAC) addresses as well as the communication process that occurs within a medium. The first six hexadecimal digits of a MAC address form the OUI. MAC addresses only need to be unique in a broadcast domain; you can have the same MAC address in different broadcast domains (virtual LANs).

There are two specifications of Ethernet frame: Ethernet II and IEEE 802. 802.2 uses a SAP or SNAP field to differentiate between encapsulated layer-3 payloads. With a SNAP frame, the SAP fields are set to 0xAA and the type field is used to indicate the layer-3 protocol. One of the issues with the original SAP field in the 802.2 SAP frame is that even though it is eight bits (one byte) in length, only the first six bits are used for identifying upper-layer protocols, which allows up to 64 protocols.
The 802.2 SNAP frame supports up to 65,536 protocols.

Ethernet II's version of Ethernet: Ethernet II does not have any sublayers, while IEEE 802.2/3 has two: LLC and MAC. Ethernet II has a type field instead of a length field (used in 802.3). IEEE 802.2 defines the type for IEEE Ethernet.

Physical Layer

The physical layer communicates directly with the various types of actual communication media. Different kinds of media represent bit values in different ways. Some use audio tones, while others utilize state transitions: changes in voltage from high to low and low to high. Specific protocols are needed for each type of media to explain the proper bit patterns to be used, how data is encoded into media signals, and the various qualities of the physical media's attachment interface.

Fiber Cabling

Two types of fiber are used for connections: multimode and single-mode. Multimode fiber has a fiber thickness of either 850 or 1300 nanometers (nm), and the light signal is typically provided by an LED. When transmitting a signal, the light source is bounced off of the inner cladding (shielding) surrounding the fiber. Multimode fiber can achieve speeds in the hundreds of Mbps range, and many signals can be generated per fiber. Single-mode fiber has a fiber thickness of 1300 or 1550 nm and uses a laser as the light source. Because lasers provide a higher output than LEDs, single-mode fiber can span over 10 kilometers and have speeds up to 100 Gbps. With single-mode fiber, only one signal is used per fiber.

Loss factor is used to describe any signal loss in the fiber before the light source gets to the end of the fiber:
- Connector loss is a loss that occurs when a connector joins two pieces of fiber; a slight signal loss is expected.
- Attenuation describes the signal loss due to distance.
- Microbending is when a wrinkle in the fiber, typically where the cable is slightly bent, causes a distortion in the light source.
- Macrobending is when there is leakage of the light source from the fiber, typically from a bend in the fiber cable. To overcome this problem over long distances, optical amplifiers can be used.

Two main standards are used to describe the transmission of signals across a fiber:
- SONET is defined by the Exchange Carriers Standards Association (ECSA) and the American National Standards Institute (ANSI) and is typically used in North America.
- SDH is an international standard used throughout most of the world (with the exception of North America).
Both of these standards define the physical layer framing used to transmit light sources, which also includes overhead for the transmission.

Cisco's Three-Layer Hierarchical Model

Core layer: The core provides a high-speed layer-2 switching infrastructure and typically does not manipulate packet contents.
Distribution layer: The distribution layer provides a boundary between the access and core layers. It contains routers and switches. Routers are used to provide the logical boundary: broadcasts are contained within the access layer, and filtering policies can be implemented to restrict traffic flows.
Access layer: The access layer provides the user's initial access to the network, which is typically via switches or hubs.

TCP/IP Protocol

The TCP/IP protocol stack has four layers. Note that although some of the layers in the TCP/IP protocol stack have the same names as layers in the OSI reference model, the layers have different functions in each model, as described in the following list:

Application layer: The application layer handles high-level protocols, including issues of representation, encoding, and dialog control. The TCP/IP model combines all application-related issues into one layer and ensures that this data is properly packaged for the next layer.
Transport layer: The transport layer deals with QoS issues of reliability, flow control, and error correction.
One of its protocols, TCP, provides reliable network communications.
Internet layer: The purpose of the Internet layer is to send source datagrams from any network on the internetwork and have them arrive at the destination, regardless of the path they took to get there.
Network access layer: The name of this layer is broad and somewhat confusing. It is also called the host-to-network layer. It includes the LAN and WAN protocols and all the details in the OSI physical and data link layers.

Subnetting
Benefits of subnetting:
Reduced network traffic: Hosts on one subnet cannot reach another subnet without going through a router, so broadcasts and collisions (on shared media) stay local. Less traffic on each segment means less overhead and less chance of a broadcast storm.
Optimized network performance: This is a result of reduced network traffic.
Simplified management: It's easier to identify and isolate network problems in a group of smaller connected networks than within one gigantic network.
Facilitated spanning of large geographical distances: Because WAN links are significantly slower and more expensive than LAN links, a single large network that spans long distances can create problems in every area listed above. Connecting multiple smaller networks makes the system more efficient.

Powers of 2
Powers of 2 are important to understand and memorize for use with IP subnetting.
2^1 = 2
2^2 = 4
2^3 = 8
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
2^8 = 256
2^9 = 512
2^10 = 1024
2^11 = 2048
2^12 = 4096
2^13 = 8192
2^14 = 16384
2^15 = 32768
2^16 = 65536

Before we go further, let's get familiar with the subnetting components.
Subnet mask: A subnet mask is a 32-bit value that allows the receiver of IP packets to distinguish the network ID portion of the IP address from the host ID portion. Every IP address is composed of a network component and a host component. The subnet mask has a single purpose: to identify which part of an IP address is the network component and which part is the host component.
Each 1 bit in the subnet mask marks the corresponding bit of the IP address as part of the network ID; each 0 bit marks it as part of the host ID. An octet of 255 is therefore all network bits, an octet of 0 is all host bits, and an octet in between (for example 240 = 11110000) is where the boundary falls.

Classless Inter-Domain Routing (CIDR): The slash notation is sometimes called CIDR (Classless Inter-Domain Routing) notation. It is basically the method that ISPs (Internet service providers) use to allocate a block of addresses to a customer, whether a company or a home. The slash value is simply the number of consecutive 1s in the subnet mask. The practical reason to use CIDR notation is that it is easier to say, and especially to type, than a dotted mask.

Address Class and Default Mask: Subnetting happens when we extend the subnet mask past the default boundary for the address we are working with, so we first need to be sure what the default mask is for any given address. When faced with a subnetting question, the first thing to do is decide what class the address belongs to, and from that what the default subnet mask is.

One of the rules that Cisco devices follow is that a subnet mask must be a contiguous string of 1s followed by a contiguous string of 0s. There are no exceptions to this rule: a valid mask is always a string of 1s, followed by 0s to fill up the rest of the 32 bits. (There is no such rule in the real world, but we will stick to the Cisco rules here; it's a Cisco exam, after all.) Therefore, the only possible valid values in any given octet of a subnet mask are 0, 128, 192, 224, 240, 248, 252, 254, and 255. Any other value is invalid.

Block Size: The process of subnetting creates several smaller classless subnets out of one larger classful network. The spacing between these subnets, or how many IP addresses apart they are, is called the block size.

Network ID and Broadcast ID: The first address in a network number is called the network address, or wire number. This address is used to uniquely identify one segment or broadcast domain from all the other segments in the network.
The Broadcast ID: The last address in the network number is called the directed broadcast address and is used to represent all hosts on this network segment; it is the common address of all hosts on that network ID. This should not be confused with a full IP broadcast to the address 255.255.255.255, which hits every IP host that can hear it; the Broadcast ID hits only the hosts on one subnet. A directed broadcast is similar to a local broadcast. The main difference is that routers never forward local broadcasts between segments, whereas a router can forward a directed broadcast toward the target subnet. On Cisco IOS this forwarding has been turned off by default (no ip directed-broadcast) since release 12.0, because forwarded directed broadcasts were the amplifier used in smurf attacks; leave it off unless you have a specific reason to enable it on an interface.

Host Addresses: Any address between the network address and the directed broadcast address is called a host address for the segment. You assign these middle addresses to host devices on the segment, such as PCs, servers, routers, and switches.

Method of Subnetting: There are several methods of subnetting; different authors take different approaches to calculating the subnets. Choose the method you understand and can perform easily. Whatever approach you choose requires conversion between decimal and binary. Memorize this chart:
2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
128  64   32   16   8    4    2    1

To convert a decimal number into binary, turn on the bits (make them 1) that add up to that number, as follows:
187 = 10111011 = 128+32+16+8+2+1
224 = 11100000 = 128+64+32
To convert a binary number into decimal, add the values of the bits that are turned on (the 1s), as follows:
10101010 = 128+32+8+2 = 170
11110000 = 128+64+32+16 = 240
The IP address 138.101.114.250 is represented in binary as 10001010.01100101.01110010.11111010
The subnet mask 255.255.255.224 is represented in binary as 11111111.11111111.11111111.11100000

Practical approach to subnetting
When faced with a subnetting question, the first thing to do is decide what class the address belongs to.
For example: 192.168.1.1. The first octet is between 192 and 223, so it is a Class C address, and the default mask for Class C is 255.255.255.0. In the exam, an address used with its default mask is considered not subnetted.

Now write down the given IP address as shown here: keep the octets covered by the default mask in decimal and write the part where the actual subnetting will be performed in binary.
192.168.1.00000001
255.255.255.00000000 (default mask)

Step 1: Calculate the CIDR value
The CIDR value is the number of 1 bits in the subnet mask. In our example the only 1 bits are in the default part:
255.255.255.00000000
So our CIDR value is 24 + 0 = /24.

Step 2: Calculate the subnet mask
To calculate the subnet mask, use the binary-to-decimal chart above and add the place values of the network bits that are on in the last octet. In the written-out mask, the 1 bits on the left are the N (network) bits and the 0 bits on the right are the H (host) bits:
255.255.255.00000000
In our example we are using the default mask, so the subnet mask is 255.255.255.0.

Step 3: Calculate the total hosts
Count the host bits (H) and use the formula Total hosts = 2^H.
255.255.255.00000000 has 8 host bits, so Total hosts = 2^8 = 256.

Step 4: Calculate the valid hosts
Subtract 2 from the total hosts. Every network or subnet has two reserved addresses that cannot be assigned to a host: the Network ID and the Broadcast ID, the first and last IPs in any network or subnet. We lose those two addresses from the group of values that could be assigned to hosts.
Valid hosts = 2^8 - 2 = 256 - 2 = 254

Step 5: Calculate the number of networks
Count the borrowed network bits (N) beyond the default mask and use the formula Networks = 2^N.
255.255.255.00000000 has no borrowed bits, so Networks = 2^0 = 1.

Step 6: Find the block size
Finding the block size is easy: subtract the subnet mask from 256 (only the last octet, not the default part of the mask).
256 - 0 = 256

Step 7: Write down the subnet chart
CIDR /24, Network 1
Net ID:           192.168.1.0    mask 255.255.255.0
First valid host: 192.168.1.1    mask 255.255.255.0
Last valid host:  192.168.1.254  mask 255.255.255.0
Broadcast ID:     192.168.1.255  mask 255.255.255.0

Subnetting with CIDR /25
Now do the subnetting for CIDR /25 using the same method.

Step 1: Calculate the CIDR value
CIDR = the total number of 1 bits in the subnet mask.
255.255.255.10000000
So our CIDR value is 24 + 1 = /25.

Step 2: Calculate the subnet mask
Add the place values of the network bits that are on.
255.255.255.10000000
We have one bit on in the last octet, and as you can see in the decimal chart the place value of 10000000 is 128, so our subnet mask is 255.255.255.128.

Step 3: Calculate the total hosts
Total hosts = 2^H
255.255.255.10000000 has 7 host bits, so Total hosts = 2^7 = 128.

Step 4: Calculate the valid hosts
Total hosts - 2 = 128 - 2 = 126

Step 5: Calculate the number of networks
Networks = 2^N
255.255.255.10000000 has 1 borrowed bit, so Networks = 2^1 = 2.

Step 6: Find the block size
256 - subnet mask (last octet only) = 256 - 128 = 128

With the help of the block size you can easily find the network ID and broadcast ID of every possible network. One octet has 8 bits, which gives a maximum of 2^8 = 256 decimal values. We start from 0, so the last value is 255. (Do not get confused: because we count from 0 and not from 1, the last number is 255, not 256; it would be 256 only if you counted from 1.) All subnetting is performed between these two numbers.
Create a table of x columns, where x is the number of networks. The first IP of the first network will always be 0 and the last IP of the last network will be 255; fill these in. Now you have the network ID of the first network and the broadcast ID of the last network. Add the block size to the first IP of the first network to get the network ID of the second network, and so on, until you reach the network ID of the last network:
First network ID: 0
Second network ID: 0 + 128 = 128
Fill this in. Since the next network starts at 128, the last IP of the first network is 127; fill it in. With this method you can fill in the last IP of every network. Now you have the first IP (network ID) and the last IP (broadcast ID) of every network, and you can easily fill in the valid hosts of each network: the valid hosts are all the addresses that fall between the network ID and the broadcast ID.

Step 7: Write down the subnet chart
CIDR /25           Network 1        Network 2
Net ID             192.168.1.0      192.168.1.128
First valid host   192.168.1.1      192.168.1.129
Last valid host    192.168.1.126    192.168.1.254
Broadcast ID       192.168.1.127    192.168.1.255

Binary ANDing
Binary ANDing is a bit-by-bit operation on two binary numbers: each output bit is 1 only if both input bits are 1, which is the same result as multiplying the two bits. Unlike decimal arithmetic, where combining two digits can give many different answers, the AND function has only two possible outcomes, based on four possible input combinations. These answers can be displayed as a truth table:
0 AND 0 = 0
1 AND 0 = 0
0 AND 1 = 0
1 AND 1 = 1
You use ANDing most often when comparing an IP address to its subnet mask. The result of ANDing these two numbers is the network number of that address.

Example question: What is the network number of the IP address 192.168.100.115 if it has a subnet mask of 255.255.255.240?
Answer
Step 1: Convert both the IP address and the subnet mask to binary:
192.168.100.115 = 11000000.10101000.01100100.01110011
255.255.255.240 = 11111111.11111111.11111111.11110000
Step 2: Perform the AND operation on each pair of bits, 1 bit from the address ANDed with the corresponding bit in the subnet mask. Refer to the truth table for the possible outcomes:
192.168.100.115 = 11000000.10101000.01100100.01110011
255.255.255.240 = 11111111.11111111.11111111.11110000
ANDed result    = 11000000.10101000.01100100.01110000
Step 3: Convert the answer back into decimal:
11000000.10101000.01100100.01110000 = 192.168.100.112
The IP address 192.168.100.115 belongs to the 192.168.100.112 network when a mask of 255.255.255.240 is used.

My easy method
Converting decimal to binary and back to get the network ID is too time-consuming in the exam, so I use this shortcut.
Step 1: Decide which class the IP belongs to and what its default subnet mask is. The given IP has 192 in its first octet, so it is a Class C address, and the default subnet mask of Class C is 255.255.255.0.
Step 2: Find the block size (as described above): 256 - 240 = 16.
Step 3: Write down all possible network IDs using the block size until the host's octet falls between two of them: 0, 16, 32, 48, 64, 80, 96, 112, 128. Our host octet is 115, which falls in the network that starts at 112, so the network ID is 192.168.100.112, and the broadcast ID is 192.168.100.127, since the next network starts at 128.

Variable length subnet mask
VLSM enables you to have more than one mask for a given class A, B, or C network number. VLSM, described in RFC 1812, allows you to apply different subnet masks within the same classful address space. Classful protocols, such as RIPv1 and IGRP, do not support VLSM. To deploy VLSM requires a classless routing protocol: BGP, EIGRP, IS-IS, OSPF, or RIPv2, for instance.
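The whole procedure above (binary conversion, the seven steps, binary ANDing and the block-size shortcut) in working code, as an added example that is not part of the original notes. It uses only integer arithmetic so each function maps onto one step; the helper names (dotted_to_int, subnet_chart, network_by_block_size) are my own and the /20 example address is constructed for the demonstration.

```python
# Added example (not from the original notes): the notes' seven-step subnetting
# method, binary ANDing and the block-size shortcut, written out in plain Python
# integer arithmetic so every step can be checked against the worked examples.


def dotted_to_int(dotted):
    """'192.168.1.1' -> 0xC0A80101; rejects anything that is not four octets 0..255."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 dotted quad: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Dotted decimal -> dotted binary, the chart-based conversion from the notes."""
    return ".".join(f"{int(o):08b}" for o in dotted.split("."))


def cidr_to_mask(prefix):
    """/25 -> 255.255.255.128: a run of `prefix` 1 bits followed by 0 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return int_to_dotted(0xFFFFFFFF ^ ((1 << (32 - prefix)) - 1))


def mask_to_cidr(mask):
    """Count the 1 bits, enforcing the contiguous-1s-then-0s rule from the notes."""
    ones = bin(dotted_to_int(mask)).count("1")
    if cidr_to_mask(ones) != mask:
        raise ValueError(f"mask is not a contiguous run of 1s: {mask}")
    return ones


def default_class(dotted):
    """Classful default from the first octet: A /8, B /16, C /24."""
    first = int(dotted.split(".")[0])
    if first < 128:
        return "A", 8
    if first < 192:
        return "B", 16
    if first < 224:
        return "C", 24
    raise ValueError("class D/E addresses have no default mask")


def network_id(dotted, mask):
    """Binary ANDing: address AND mask keeps the network bits and zeroes the host bits."""
    return int_to_dotted(dotted_to_int(dotted) & dotted_to_int(mask))


def broadcast_id(dotted, mask):
    """Network bits from the address, every host bit set to 1."""
    m = dotted_to_int(mask)
    return int_to_dotted((dotted_to_int(dotted) & m) | (0xFFFFFFFF ^ m))


def network_by_block_size(dotted, mask):
    """The 'easy method': block = 256 - mask octet, then the multiple of block at or below the host octet."""
    prefix = mask_to_cidr(mask)
    octets = [int(o) for o in dotted.split(".")]
    idx = 3 if prefix == 32 else prefix // 8       # the octet where the mask stops being 255
    block = 256 - int(mask.split(".")[idx])        # 256 when the boundary is a whole octet
    start = octets[idx] - octets[idx] % block
    net = octets[:idx] + [start] + [0] * (3 - idx)
    bcast = octets[:idx] + [start + block - 1] + [255] * (3 - idx)
    return ".".join(map(str, net)), ".".join(map(str, bcast))


def subnet_chart(dotted, prefix, max_rows=64):
    """Steps 1-7 for one address and a /prefix no shorter than its classful default."""
    cls, default = default_class(dotted)
    if prefix < default:
        raise ValueError(f"/{prefix} is shorter than the class {cls} default /{default}")
    mask = cidr_to_mask(prefix)                     # step 2
    host_bits, borrowed = 32 - prefix, prefix - default
    total = 1 << host_bits                          # step 3: 2^H
    idx = 3 if prefix == 32 else prefix // 8
    block = 256 - int(mask.split(".")[idx])         # step 6
    base = dotted_to_int(network_id(dotted, cidr_to_mask(default)))
    rows = []
    for i in range(min(1 << borrowed, max_rows)):  # step 5: 2^N networks, one block apart
        net = base + i * total
        bcast = net + total - 1
        # /31 and /32 leave no room for the two reserved addresses (step 4)
        first, last = (int_to_dotted(net + 1), int_to_dotted(bcast - 1)) if total >= 4 else (None, None)
        rows.append((int_to_dotted(net), first, last, int_to_dotted(bcast)))
    return {"class": cls, "cidr": prefix, "mask": mask, "total_hosts": total,
            "valid_hosts": max(total - 2, 0), "networks": 1 << borrowed,
            "block_size": block, "rows": rows}


if __name__ == "__main__":
    for prefix in (24, 25):
        chart = subnet_chart("192.168.1.1", prefix)
        print(f"/{chart['cidr']} mask {chart['mask']} networks {chart['networks']} "
              f"valid hosts {chart['valid_hosts']} block {chart['block_size']}")
        for net, first, last, bcast in chart["rows"]:
            print(f"  {net:<16}{first:<16}{last:<16}{bcast}")
    print(to_binary("192.168.100.115"), "AND", to_binary("255.255.255.240"),
          "=", network_id("192.168.100.115", "255.255.255.240"))
    print(network_by_block_size("192.168.100.115", "255.255.255.240"))
```

mask_to_cidr deliberately rejects masks such as 255.255.255.250 that are not a contiguous run of 1s, which is the validity rule the notes give; subnet_chart also works for class A and B addresses, where the "interesting" octet is not the last one (for 172.16.5.9/20 the block size 16 applies in the third octet).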
VLSM provides two major advantages:
More efficient use of addressing
The ability to perform route summarization
When you perform classful subnetting, all subnets have the same number of hosts because they all use the same subnet mask. This leads to inefficiencies. For example, if you borrow 4 bits on a Class C network, you end up with 16 subnets of 14 valid hosts each (14 subnets under the older rule that discards subnet zero and the all-ones subnet). A serial link to another router needs only 2 host addresses, but with classful subnetting you waste 12 of those 14 hosts on every such link. Even with NAT and private addresses, where you should never run out of addresses in a network design, you still want the IP plan you create to be as efficient as possible.

An efficient addressing scheme using VLSM:
1. Find the largest segment in the area, the segment with the largest number of devices connected to it.
2. Find the appropriate subnet mask for the largest network segment.
3. Write down your subnet numbers to fit your subnet mask.
4. For your smaller segments, take one of these newly created subnets and apply a different, more appropriate, subnet mask to it.
5. Write down your newly subnetted subnets.
6. For even smaller segments, go back to step 4.

Route Summarization
Route summarization is the ability to take a group of contiguous network numbers in your routing table and advertise them as a single summarized route. Route summarization, or supernetting, is needed to reduce the number of routes that a router advertises to its neighbors. Remember that for every route you advertise, the size of your update grows. It has been said that without route summarization the Internet backbone would have collapsed under the size of its own routing tables back in 1997. Routing updates, whether done with a distance vector or link-state protocol, grow with the number of routes you need to advertise. In simple terms, a router that needs to advertise ten routes needs ten specific lines in its update packet.
The more routes you have to advertise, the bigger the packet. The bigger the packet, the more bandwidth the update takes, reducing the bandwidth available to transfer data. With route summarization, you can advertise many routes with only one line in an update packet. This reduces the size of the update, leaving more bandwidth for data transfer. Summarization creates a more efficient routing environment by providing the following advantages:
It reduces the size of routing tables, requiring less memory and processing.
It reduces the size of updates, requiring less bandwidth.
It contains network problems: a link flapping inside the summarized range does not generate updates beyond the router that advertises the summary.

Example of VLSM
In this example topology, several branch offices use subnetted Class C (/26) addresses that give each branch 62 possible host IPs. The branches are connected to the central office via point-to-point WAN links. The ideal mask for such a link is /30 because it provides exactly 2 hosts, one for each end of the link. The problem arises when the routing protocols are configured: before VLSM, the /30 networks could not be used because the /26 networks existed in the same system and classful routing protocols could advertise only one mask per class of address. All networks, including the small /30 links, had to use the same /26 mask, wasting 60 IP addresses on each WAN link. With VLSM-capable routing protocols we can deploy a /30 mask on the point-to-point links, and the routing protocols can advertise them as /30s along with the /26s in the branches, because the subnet mask for each network is included in the routing updates. VLSM lets us make the point-to-point link networks the ideal size (two hosts each) using /30 masks. This lets us use a single subnetted Class C network for all the addressing requirements in this scenario, and as you'll see it is a perfect opportunity to summarize these routes.
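The six-step VLSM procedure and the summarization it enables, applied to the branch-office scenario above, as an added example that is not part of the original notes. It uses Python's standard ipaddress module; the segment names and host counts (three /26 branches, three /30 WAN links) are constructed to match the scenario, and the function names are my own.

```python
# Added example (not from the original notes): the six-step VLSM plan and the
# summary route it makes possible, using the standard-library ipaddress module.
# The segment names and host counts below are constructed for the example.
import ipaddress


def prefix_for_hosts(hosts):
    """Longest prefix whose block holds `hosts` usable addresses plus network and broadcast."""
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    bits = 2                                   # /30 is the smallest block with two usable hosts
    while (1 << bits) - 2 < hosts:
        bits += 1
    return 32 - bits


def vlsm_plan(block, segments):
    """Steps 1-6: largest segment first, each gets the tightest mask that fits, carved
    best-fit out of whatever free space is left. Returns (assignments, free blocks)."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(segments.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for_hosts(hosts)
        fits = [n for n in free if n.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no free block left for {name} ({hosts} hosts)")
        # best fit: the smallest free block that is big enough, lowest address on a tie
        chosen = max(fits, key=lambda n: (n.prefixlen, -int(n.network_address)))
        free.remove(chosen)
        assigned = next(chosen.subnets(new_prefix=prefix))   # lowest sub-block of it
        free.extend(chosen.address_exclude(assigned))       # hand the remainder back
        plan[name] = assigned
    return plan, sorted(free)


def summary_route(networks):
    """One supernet covering every network: the longest prefix shared by the lowest
    and highest address. Anything in that range that is not assigned is also claimed."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    base = (lo >> (32 - prefix)) << (32 - prefix)
    return ipaddress.ip_network((base, prefix))


def classful_cost(segments, prefix):
    """Addresses consumed if every segment had to use the same /prefix (the pre-VLSM situation)."""
    return len(segments) * (1 << (32 - prefix))


if __name__ == "__main__":
    segments = {"branch1": 62, "branch2": 62, "branch3": 62,
                "wan1": 2, "wan2": 2, "wan3": 2}
    plan, free = vlsm_plan("192.168.1.0/24", segments)
    for name, net in plan.items():
        print(f"{name:<8} {net}  ({net.num_addresses - 2} usable hosts)")
    print("unassigned:", ", ".join(map(str, free)))
    print("summary advertised upstream:", summary_route(plan.values()))
    print("the same six segments all at /26 would need",
          classful_cost(segments, 26), "addresses; a /24 has 256")
```

Two things worth noticing when you run it: the classful plan (every segment a /26) needs 384 addresses and does not fit in the /24 at all, whereas the VLSM plan fits with 52 addresses to spare; and the summary 192.168.1.0/24 advertised upstream also covers those unassigned blocks, so traffic for them is attracted to the summarizing router, which is why a summarizing router normally carries a discard (null) route for the summary as well.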
This is what is meant by "more efficient addressing": making networks the right size without depleting the limited address space or limiting future growth.

Classless Interdomain Routing (CIDR)
Classless Interdomain Routing, specified in RFC 1519 (now RFC 4632; RFC 2050 covers the related address allocation guidelines), is an extension to VLSM and route summarization. With VLSM, you can summarize subnets back to the Class A, B, or C network boundary. For example, if you have the Class C network 192.168.1.0/24 and subnet it with a 26-bit mask, you have created four subnets. Using VLSM and summarization, you can summarize these four subnets back to 192.168.1.0/24. CIDR takes this one step further and allows you to summarize a block of contiguous class A, B, or C network numbers. This practice is commonly referred to as supernetting. Today's classless protocols support supernetting; however, it is most commonly configured by ISPs on the Internet using BGP.

Discontiguous subnets are not supported by classful protocols but are supported by classless protocols, because classful protocols do not include the subnet mask when advertising network and subnet numbers. When implementing route summarization, another thing to consider is that a router makes its forwarding decision on the entire destination IP address in the IP packet header: the router always uses the longest matching prefix in the routing table, so a more specific route wins over the summary.

In short: CIDR allows you to summarize class networks together; VLSM allows you to summarize subnets only back to the class network boundary. Each segment has a single network number and mask; VLSM allows a class address, not a network segment, to have more than one subnet mask.

How to connect to Cisco devices in Windows
In this lab scenario I will demonstrate how you can connect to a Cisco router. To connect to a physical Cisco device you need a console cable. Attach one end of the cable to the COM port on the computer and the other end to the console port of the Cisco device.

Console Port
When you first obtain a new Cisco device, it won't be configured.
That is to say, it will not do any of the customized functions you might need; it does not have any IP addresses, and it is generally not going to do what you paid for. Routers need basic configuration to function on a network. The console port is used for local management connections. This means that you must be able to physically reach the console port with a cable that is typically about six feet long. The console port looks exactly like an Ethernet port.

Once you have the proper console cable, follow this path on the computer:
Start button > Programs > Accessories > Communications > HyperTerminal > Location Information > Cancel > Confirm Cancel > Yes > HyperTerminal > OK > Connection Description > (enter a name, here Vinita) > OK > Location Information > Confirm Cancel > Yes > HyperTerminal > Connect To > OK > Port Settings > enter the settings given below and press OK.

If you still have problems configuring HyperTerminal, or you do not have a HyperTerminal option under Accessories, you can use this small program instead. With it you can connect to any device that supports Telnet, SSH, Rlogin, or serial console connections. It is ready to use: download it and execute it, select the Serial connection type under the Session category, and it will set the rest automatically.
Download PuTTY

How to connect to a router in the Boson Simulator
If you use the Boson simulator for CCNA practice, select eRouter from the Tools menu and select a router from the available list. (Devices are only available when a topology is loaded in the simulator; use Boson Network Designer to create a topology.)

How to connect to a router in Packet Tracer
First create the desired topology by dragging devices onto the workspace. Once you have created the topology, configuration in Packet Tracer is straightforward: to configure any device, double-click on it and select the CLI tab.
Cabling between devices:
Device A                    Cable                         Device B
Router serial port          Cisco serial DCE/DTE cable    Router serial port
Router Ethernet port        Crossover                     Router Ethernet port
Router Ethernet port        Straight-through              Switch port
Router Ethernet port        Crossover                     Computer NIC
Console of router/switch    Rollover                      Computer COM port
Switch port                 Crossover                     Switch port
Computer NIC                Crossover                     Computer NIC
Computer NIC                Straight-through              Switch port

Advantages of the IOS (Internetwork Operating System) include:
Connectivity: The IOS supports a variety of data link layer technologies for the LAN and WAN environments, including copper and fiber wiring as well as wireless.
Scalability: The IOS supports both fixed and modular chassis platforms, enabling you to purchase the appropriate hardware for your needs while still using the same IOS CLI, which reduces your management costs.
Reliability: To ensure that your critical resources are always reachable, Cisco has developed many products and IOS features that provide network redundancy.
Security: With the IOS, you can strictly control access to your network and networking devices in accordance with your internal security policies.

Naming Conventions for IOS Images
c1841-advipservicesk9-mz.124-6.T7.bin (this name is used for the explanation)
c1841: The c1841 refers to the name of the platform on which the image will run. This is important because different router models have different processors, and an image compiled for one processor or router model will typically not run on a different model.
advipservicesk9: The advipservicesk9 refers to the features included in this IOS version, commonly referred to as the feature set. In this example, the IOS is the advanced IP services set, and the k9 refers to the inclusion of encryption support.
mz or z: The mz or z means that the image is compressed and must be uncompressed before loading/running. If you see l (the letter l, not the number 1) here, this indicates where the IOS image is run from.
The l indicates a relocatable image that can be run from RAM. Remember that some images can run directly from flash, depending on the router model.
124-6.T7: The 124-6.T7 indicates the software version number of the IOS. In this instance, the version is 12.4(6)T7. Image names with a T indicate the technology train, which receives new features; without the T it is the mainline train (only bug fixes are made to it).
.bin: The .bin at the end indicates that this is a binary image.

Connections
Cisco's networking products support two types of external connections: ports (referred to as lines) and interfaces. Out-of-band management (done through the console port) does not consume bandwidth flowing through your network, while in-band management (done through an interface) does.

Console Port: Almost every Cisco product has a console port. This port is used to establish an out-of-band connection in order to access the CLI to manage your Cisco device. Most console connections to Cisco devices require an RJ-45 rollover cable and an RJ-45-to-DB9 terminal adapter. The rollover cable's pins are reversed on the two ends.

COM port settings:
Speed: 9600 bps
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None

Cabling Devices
A straight-through cable is used for DTE-to-DCE connections:
A hub to a router, PC, or file server
A switch to a router, PC, or file server
Crossover cables should be used when you connect a DTE to another DTE or a DCE to another DCE:
A hub to another hub
A switch to another switch
A hub to a switch
A PC, router, or file server to another PC, router, or file server

Interfaces of a Router
Console: The console port is used for local management connections. This means that you must be able to physically reach the console port with a cable. The console port looks exactly like an Ethernet port: it uses the same RJ-45 connector, but it has different wiring and is often identified with a light blue "CONSOLE" label.
AUX Port: The AUX port is really just another console port, intended for use with a modem, so you can remotely connect and administer the device by dialing in to it. Using the AUX port this way creates a security exposure: a dial-in modem is a management path that bypasses every network-side control (firewalls, access lists, VTY restrictions), so anyone who finds the number gets a login prompt on the router. If you need it, protect the line with a password or AAA login and an exec-timeout, and disable EXEC on the line (no exec) or disconnect the modem when it is not in use. Get advice on addressing these issues before setting it up.

Ethernet Port: An Ethernet port (which might be a FastEthernet or even a GigabitEthernet port, depending on your router model) is intended to connect to the LAN. Some routers have more than one Ethernet or FastEthernet port; it depends on what you need and, of course, what you purchase. The Ethernet port usually connects to the LAN switch with a straight-through cable.

Serial Port: A Cisco serial port is a proprietary design, a 60-pin D-sub connector. It can be configured for almost any kind of serial communication. You need a cable that has the Cisco connector on one end and the appropriate type of connector for the service you want to connect to on the other.

Other Connections: Your router may have other ports, such as a T1 controller for WAN services, or BRI and PRI ports for ISDN. None of these ports are tested in the CCNA exam, so you need not concern yourself with them here.

Switch Interface Nomenclature
The Catalyst 2950 and 2960 switches support only fixed interfaces, while some of Cisco's higher-end switches, such as the 6500s, support mod ular slots with interface cards. The nomenclature of an interface is type slot_#/port_#. The type of interface is the media type, such as ethernet, fastethernet, or gigabitethernet. Following this is the slot number. For all fixed interfaces on a Cisco switch, the slot number is always 0. The port number is the number of the port in the specified slot. Unlike Cisco router ports, switch port numbers start at 1 and work their way up. For instance, on a 2960, the very first port is fastethernet 0/1, the second port is fastethernet 0/2, and so on.
Some 2960 switches support Gigabit Ethernet interfaces, so the nomenclature for such an interface looks like this: gigabitethernet 0/1.

Router Interface Nomenclature
When referring to fixed interfaces, the interface numbers always begin with 0 (not 1, as on the switches) and work their way up within a particular interface type. For routers that have only fixed interfaces, the interface nomenclature is type port_#. For example, if a router has two fixed Ethernet interfaces and two fixed serial interfaces, they are called ethernet 0 and ethernet 1 and serial 0 and serial 1. The port numbers begin at 0 within each interface type. Through the use of an interface type and a number, each interface can be uniquely identified. However, if a router has modular slots, where you insert interface cards, the interface nomenclature is like the Catalyst switches: type slot_#/port_#. Each slot has a unique slot number beginning with 0, and within each slot the ports begin at 0 and work their way up. For example, if you had a modular router with two slots, the first slot would be 0 and the second 1. If the first slot had four Ethernet interfaces, the interface numbers would be 0-3, and if the second slot had two Ethernet interfaces, the interface numbers would be 0 and 1. Here's an example of a four-port serial module in the third slot of a 3640 router: serial 2/0, serial 2/1, serial 2/2, and serial 2/3. Some examples of routers with modular interfaces: 2600, 3600, 3700, 7000, 7200, and 7500. The exception is the 1600 and 1700 routers; even though they are modular, you don't configure a slot number when specifying a particular interface.

Cisco device hardware components and the boot process
ROM: ROM contains the firmware needed to boot your router and typically has the following four components:
POST (power-on self-test): Performs tests on the router's hardware components.
Bootstrap program: Brings the router up and determines how the IOS image and configuration files will be found and loaded.
ROM Monitor (ROMMON mode): A mini operating system that allows you to perform low-level testing and troubleshooting, including the password recovery procedure.
Mini-IOS: A stripped-down version of the IOS that contains only IP code. This should be used in emergency situations where the IOS image in flash can't be found and you want to boot the router and load another IOS image. This stripped-down IOS is referred to as RXBOOT mode.

RAM: RAM is like the memory in your PC. On a router it (in most cases) contains the running IOS image; the active configuration file; any tables (including routing, ARP, CDP neighbor, and other tables); and internal buffers for temporarily storing information, such as interface input and output buffers. The IOS is responsible for managing memory. When you turn off your router, everything in RAM is erased.

Flash: Flash is a form of nonvolatile memory: when you turn the router off, the information stored in flash is not lost. Routers store their IOS image in flash, but other information can also be stored here. Note that some lower-end Cisco routers actually run the IOS directly from flash (not RAM). Flash is slower than RAM, which can create performance issues.

NVRAM: NVRAM is like flash in that its contents are not erased when you turn off your router. It is slightly different, though, in that it uses a battery to maintain the information when the Cisco device is turned off. Routers use NVRAM to store their configuration files. In newer versions of the IOS, you can store more than one configuration file here.

Router Boot-up Process: A router typically goes through five steps when booting up:
The router loads and runs POST (located in ROM), testing its hardware components, including memory and interfaces.
The bootstrap program is loaded and executed.
The bootstrap program finds and loads an IOS image. Possible locations are flash, a TFTP server, or the Mini-IOS in ROM.
Once the IOS is loaded, it attempts to find and load a configuration file, stored in NVRAM.
After the configuration is loaded, you are presented with the CLI, in User EXEC mode.

Setup Mode: Cisco devices include a feature called Setup mode to help you make a basic initial configuration. Setup mode runs only if there is no configuration file in NVRAM, either because the router is brand new or because the configuration has been erased. Setup mode asks you a series of questions and applies a configuration to the device based on your answers. You can abort Setup mode by typing Ctrl+C, or by answering "no" either when asked if you want to enter the initial configuration dialog or when asked if you want to save the configuration at the end of the questions.

Configuration register: The configuration register is a special register in the router that determines many of its boot-up and running options, including how the router finds the IOS image and its configuration file. The configuration register is a four-character hexadecimal value that can be changed to manipulate how the router behaves at boot-up. The default value is 0x2102. The characters "0x" indicate that the characters that follow are in hexadecimal. This makes it clear whether the value is "two thousand one hundred and two" or, as in this case, "two one zero two hexadecimal". The fourth (rightmost) character in the configuration register is known as the boot field. Changing the value of this character has the following effects:
0x2100 = Always boot to ROMMON.
0x2101 = Always boot to RXBOOT (the Mini-IOS in ROM).
0x2102 through 0x210F = Boot from flash: the router follows any boot system commands in the startup configuration and otherwise loads the first valid IOS image in flash (on older platforms, values 2 through F selected other image files in flash).
The third character in the configuration register can modify how the router loads the configuration file.
The setting 0x2142 causes the router to ignore the startup-config file in NVRAM (which is where the password is stored) and proceed without a configuration, as if the router were brand new or had its configuration erased.

How to Reset a Router Password

The password recovery process is simple and takes less than five minutes, depending on how fast your router boots.

1. Connect to the console port, start your terminal application, and power cycle the router. When you see the boot process beginning, hit the Break sequence. (This is usually Ctrl+Page Break, but it might differ between terminal applications.) Doing this interrupts the boot process and drops the router into ROMMON.
2. At the ROMMON prompt, enter the command confreg 0x2142 to set the configuration register to 0x2142.
3. Restart the router by power cycling it or by issuing the command reset.
4. When the router reloads, the configuration register setting of 0x2142 instructs the router to ignore the startup-config file in NVRAM. You will be asked if you want to go through Setup mode because the router thinks it has no startup configuration file. Exit from Setup mode.
5. Press Return and enter the command enable to go into privileged EXEC mode. No password is required because the startup-config file was not loaded.
6. Load the configuration manually by entering copy startup-config running-config.
7. Go into global configuration mode using the command configure terminal and change the password with the command enable password password or enable secret password.
8. Save the new password by entering copy running-config startup-config.
9. At the global configuration prompt, change the configuration register back to the default setting with the command config-register 0x2102. Exit back to the privileged EXEC prompt.
10. Reboot the router using the reload command. You will be asked to save your changes; you can do so if you have made additional configuration changes.
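As an added example (not part of the original article), the following Python script decodes a configuration register the way the boot field and the 0x2142 setting are described above, and audits the "Configuration register is ..." line of show version output for a device that was left at 0x2142 after a recovery (step 9 never done). The show version sample lines are constructed, not captured from a real router.

```python
import re

# Boot-field values (the fourth hex character) that stop before flash, as listed above.
BOOT_FIELD = {
    0x0: "ROMMON",
    0x1: "RXBOOT (Mini-IOS in ROM)",
}
IGNORE_NVRAM_BIT = 0x0040   # bit 6, which lives in the third hex character; set in 0x2142
DEFAULT_REGISTER = 0x2102


def decode_confreg(value):
    """Describe what a 16-bit configuration register value does at the next boot."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot = value & 0x000F
    if boot in BOOT_FIELD:
        boot_desc = "Always boot to " + BOOT_FIELD[boot]
    elif boot == 0x2:
        boot_desc = "Load the first valid IOS image in flash"
    else:
        boot_desc = "Load an alternate IOS image from flash (boot field 0x%X)" % boot
    return {
        "register": "0x%04X" % value,
        "boot_field": boot,
        "boot": boot_desc,
        "ignore_startup_config": bool(value & IGNORE_NVRAM_BIT),
        "is_default": value == DEFAULT_REGISTER,
    }


# The last line of `show version` reports the register, optionally with a pending value,
# e.g. "Configuration register is 0x2142 (will be 0x2102 at next reload)".
CONFREG_LINE = re.compile(
    r"Configuration register is 0x([0-9A-Fa-f]{1,4})"
    r"(?: \(will be 0x([0-9A-Fa-f]{1,4}) at next reload\))?"
)


def audit_show_version(text):
    """Return a list of findings for one device's `show version` output.

    An empty list means the register is at its default now and after the next reload.
    The value that matters for the next boot is the pending one, if any.
    """
    match = CONFREG_LINE.search(text)
    if not match:
        return ["configuration register line not found in show version output"]
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    info = decode_confreg(pending)
    findings = []
    if info["ignore_startup_config"]:
        findings.append(
            "next reload ignores startup-config (register %s): password recovery "
            "may have been performed and the register never set back to 0x2102"
            % info["register"])
    if info["boot_field"] in BOOT_FIELD:
        findings.append("next reload stops in " + BOOT_FIELD[info["boot_field"]])
    if current != pending:
        findings.append("register change pending: 0x%04X now, 0x%04X after reload"
                        % (current, pending))
    return findings


# Constructed sample lines, not captured from a real device.
SAMPLE_DEFAULT = "Configuration register is 0x2102\n"
SAMPLE_RECOVERED = "Configuration register is 0x2142\n"   # recovery done, step 9 skipped
SAMPLE_PENDING = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"

if __name__ == "__main__":
    for label, sample in [("default", SAMPLE_DEFAULT), ("recovered", SAMPLE_RECOVERED),
                          ("pending", SAMPLE_PENDING)]:
        print(label, audit_show_version(sample) or ["ok"])
```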
Reset Password on an 1841

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
################
monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 0x2142
rommon 2 > reset

System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
############################################################### [OK]

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
Image text-base: 0x60080608, data-base: 0x6270CD50

Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team

         --- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable
Router#copy startup-config running-config
Destination filename [running-config]?
428 bytes copied in 0.416 secs (1028 bytes/sec)
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#enable password vinita
Router(config)#enable secret vinita
Router(config)#config-register 0x2102
Router(config)#exit
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#reload
Proceed with reload?
[confirm]

Cisco IOS Modes: User, Privilege, and Configuration

CLI Access Modes

Each Cisco device's CLI interface supports three access modes:

User EXEC: Provides basic access to the IOS with limited command availability (basically simple monitoring and troubleshooting commands).
Privilege EXEC: Provides high-level management access to the IOS, including all commands available at User EXEC mode.
Configuration: Allows configuration changes to be made to the device.

User EXEC Mode

Your initial access to the CLI is via User EXEC mode, which has only a limited number of IOS commands you can execute. Depending on the Cisco device's configuration, you might be prompted for a password to access this mode. This mode is typically used for basic troubleshooting of networking problems. You can tell that you are in User EXEC mode by examining the prompt on the left side of the screen:

Router>

If you see a > character at the end of the information, you know that you are in User EXEC mode. The information preceding the > is the name of the Cisco device. For instance, the default name of all Cisco routers is Router, whereas the 2960 switch's User EXEC prompt looks like this: Switch>. These device names can be changed with the hostname command.

Privilege EXEC Mode

Once you have gained access to User EXEC mode, you can use the enable command to access Privilege EXEC mode:

Router> enable
Router#

Once you enter the enable command, if a Privilege EXEC password has been configured on the Cisco device, you will be prompted for it. Upon successfully authenticating, you will be in Privilege EXEC mode. You can tell that you are in this mode by examining the CLI prompt. In the preceding example, notice that the > changed to a #. When you are in Privilege EXEC mode, you have access to all of the User EXEC commands as well as many more advanced management and troubleshooting commands.
These commands include extended ping and trace abilities, managing configuration files and IOS images, and detailed troubleshooting using debug commands. About the only thing that you can't do from this mode is change the configuration of the Cisco device; this can be done only from Configuration mode. If you wish to return to User EXEC mode from Privilege EXEC mode, use the exit command:

Router# exit
Router>

Again, by examining the prompt, you can tell that you are now in User EXEC mode.

Configuration Modes of Cisco IOS Software

From privileged EXEC mode, you can enter global configuration mode using the configure terminal command. From global configuration mode, you can access specific configuration modes, which include, but are not limited to, the following:

Interface: Supports commands that configure operations on a per-interface basis.
Subinterface: Supports commands that configure multiple virtual interfaces on a single physical interface.
Controller: Supports commands that configure controllers (for example, E1 and T1 controllers).
Line: Supports commands that configure the operation of a terminal line (for example, the console or the vty ports).
Router: Supports commands that configure an IP routing protocol.

If you enter the exit command, the router backs out one level, eventually logging out. In general, you enter the exit command from one of the specific configuration modes to return to global configuration mode. Press Ctrl+Z or enter end to leave configuration mode completely and return to privileged EXEC mode.

Commands that affect the entire device are called global commands. The hostname and enable password commands are examples of global commands. Commands that point to or indicate a process or interface that will be configured are called major commands. When entered, major commands cause the CLI to enter a specific configuration mode. Major commands have no effect unless you immediately enter a subcommand that supplies the configuration entry.
For example, the major command interface serial 0 has no effect unless you follow it with a subcommand that tells what is to be done to that interface.

Router Modes

Prompt                  Mode
Router>                 User mode
Router#                 Privileged mode (also known as EXEC-level mode)
Router(config)#         Global configuration mode
Router(config-if)#      Interface mode
Router(config-subif)#   Subinterface mode
Router(config-line)#    Line mode
Router(config-router)#  Router configuration mode

Help Facilities of the Cisco IOS

Cisco IOS Software provides several command-line input help facilities; among these, context-sensitive help is the most powerful feature of Cisco IOS.

Context-Sensitive Help

Context-sensitive help is supported at all modes within the IOS, including User EXEC, Privilege EXEC, and Configuration modes. You can use this feature in a variety of ways. If you are not sure what command you need to execute, at the prompt, type either help or ?. The Cisco device then displays a list of commands that can be executed at the level in which you are currently located, along with a brief description of each command. Here is an example from a router's CLI at User EXEC mode:

Router>?
Exec commands:
  <1-99>      Session number to resume
  connect     Open a terminal connection
  disconnect  Disconnect an existing network connection
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  ipv6        ipv6
  logout      Exit from the EXEC
  ping        Send echo messages
  resume      Resume an active network connection
  show        Show running system information
  ssh         Open a secure shell client connection
  telnet      Open a telnet connection
  terminal    Set terminal line parameters
  traceroute  Trace route to destination
Router>

If you see -- More -- at the bottom of the screen, this indicates that more help information is available than can fit on the current screen.
On a Cisco device, if you press the SPACEBAR, the IOS pages down to the next screen of help information; if you press the ENTER key, help scrolls down one line at a time. Any other keystroke breaks out of the help text.

For more detailed help, you can follow a command or parameter with a space and a ?. This causes the CLI to list the available options or parameters that are included for the command. For instance, you could type copy followed by a space and a ? to see all of the parameters available for the copy command:

Router#copy ?
  running-config  Copy from current system configuration
  startup-config  Copy from startup configuration
  tftp:           Copy from tftp: file system
Router#copy

In this example, you can see at least the first parameter necessary after the copy command. Please note that additional parameters may appear after the first one, depending on the next parameter that you enter.

If you're not sure how to spell a command, you can enter the first few characters and immediately follow these characters with a ?. Typing e?, for instance, lists all the commands that begin with e at the current mode:

Router# e?
enable  erase  exit
Router# e

This example shows that three commands begin with the letter e in Privilege EXEC mode.

Console Error Messages

Error messages identify problems with any Cisco IOS commands that are incorrectly entered so that you can alter or correct them.

Error: % Invalid input detected at '^' marker.

Errors certainly creep in when you enter commands. Whenever you mistype a command, the IOS tells you that it has encountered a problem with the previously executed command. For instance, this message indicates a CLI input error:

Router#copy running-config stertup-config
                           ^
% Invalid input detected at '^' marker.
Router#

As you can see in this example, we typed stertup in place of startup. You should examine the line between the command that you typed in and the error message. Somewhere in this line, you'll see a ^ character.
This is used by the IOS to indicate that an error exists in the command line at that spot.

Error: % Incomplete command.

This error indicates that you have not entered all the necessary parameters for the command. The syntax of the command is correct, but more parameters are necessary.

Router#copy running-config
% Incomplete command.
Router#copy running-config ?
  startup-config  Copy to startup configuration
  tftp:           Copy to current system configuration
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#

In this case, you can use the context-sensitive help feature to help you figure out what parameter or parameters you forgot.

Error: % Ambiguous command: "show i"

You will see this error message if you do not type in enough characters to make a command or parameter unique.

Router#show i
% Ambiguous command: "show i"
Router#show i?
interfaces  ip  ipv6
Router#show i

In this example, apparently, more than one parameter for the show command begins with the letter i. As shown above, you can use context-sensitive help to figure out what parameter to use.

Error: % Unknown command or computer name, or unable to find computer address

If you enter a command that the IOS does not understand, you'll see this error message. If you see this, use the context-sensitive help to figure out the correct command to enter.

2960 Switch Overview and Functionality

The new CCNA exam covers the 2960 switch. In this article I will give you an overview of 2960 switch functionality.

2960 Overview

The 2960 series of switches comes with the LAN-based software image, which provides advanced quality of service, rate limiting, access control lists (ACLs), and many other features. Depending on the model, a 2960 switch can have Fast Ethernet ports or dual-purpose Gigabit Ethernet ports. The dual-purpose Gigabit Ethernet (GE) port supports a 10/100/1000 port and an SFP (fiber) port, where one of the two ports (not both) can be used.
The 2960 series supports an optional external redundant power supply (RPS) that can be attached to the rear of the chassis.

2960 LEDs and MODE Button

The front of the 2960 chassis has many LEDs that you can use to monitor the switch's activity and performance. At the top-left of the 2960's front chassis are the SYSTEM and RPS LEDs. The colors of these LEDs and their meanings are shown in the following table.

LED     Color           Description
SYSTEM  Green           The system is up and operational.
SYSTEM  Amber           The system experienced a malfunction.
SYSTEM  Off             The system is powered down.
RPS     Green           The RPS is attached and operational.
RPS     Amber           The RPS is installed but is not operational. Check the RPS to ensure that it hasn't failed.
RPS     Flashing amber  Both the internal power supply and the external RPS are installed, but the RPS is providing power.
RPS     Off             The RPS is not installed.

MODE Button

The meaning of the LED above each port on the front of the 2960's chassis depends on the LED's mode setting. You can change the mode by pressing the MODE button on the bottom-left side of the chassis front, below the SYSTEM and RPS LEDs. Just above the MODE button are three port-mode LEDs: STAT, DUPLX, and SPEED. By default, the STAT LED is lit, indicating that the LEDs above the Ethernet ports refer to the status of the port. The following table shows the LED colors and descriptions for the various port statuses.

LED Color                 LED Meaning
Green                     A powered-up physical layer connection to the device is attached to the port.
Flashing green            Traffic is entering and/or leaving the port.
Flashing green and amber  An operational problem is occurring with the port, perhaps excessive errors or a connection problem.
Amber                     The port has been disabled manually (shut down), disabled because it is in a blocking STP state, or disabled because of a security issue.
Off                       No powered-up physical layer connection exists on the port.

If you push the MODE button once, the MODE LED will change from STAT to DUPLX.
The LEDs above each of the ports will then reflect the duplex setting of the associated port. If the LED above the port is off, the port is set to half-duplex; if the LED is green, the port is set to full-duplex. By pressing the MODE button again, the MODE LED will change from DUPLX to SPEED. The 2960 supports 10/100 and 10/100/1000 ports. When the mode LED is set to SPEED, the LEDs above the ports refer to the speed at which each port is operating. If the LED is off, the port is operating at 10 Mbps; if solid green, 100 Mbps; and if blinking green, 1 Gbps.

Switch Boot-up Process

For your initial access to the switch, make sure you plug the rollover cable into the switch's console port and the other end into the COM port of your computer. Start up a terminal emulation program such as HyperTerminal. A switch has the same hardware components as a router and follows the same boot process. To learn more about the Cisco device boot process, read our previous article.

System Configuration Dialog

If no configuration is found, the IOS will run the setup script, commonly called the System Configuration Dialog. This script asks you questions to help it create a basic configuration on the switch. When posing questions, the setup script uses brackets ([ and ]) to indicate default values. Leaving these answers blank (that is, not supplying an answer) results in the script accepting the value indicated in brackets for the configuration component. In the script, you can configure the switch's hostname, set up a Privilege EXEC password, assign a password for the virtual type terminals (VTYs), and set up an IP address for a VLAN interface to manage the switch remotely. Here's an example of this script:

Would you like to enter the initial configuration dialog? [yes/no]: yes

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basics of Switching

Bridges and switches are layer 2 devices that segment (break up) collision domains. A collision domain basically includes all the devices that share a media type at layer 1.

Difference between a bridge and a switch

Function             Bridges            Switches
Form of switching    Software           Hardware
Method of switching  Store and forward  Store and forward, cut-through, fragment-free
Ports                2-20               100 plus
Duplex               Half               Half and full
Collision domains    1 per port         1 per port
Broadcast domains    1                  per VLAN
STP instances        1                  1

Methods of Switching

Store and Forward: Store and forward is the basic mode that bridges and switches use. It is the only mode that bridges can use, but many switches can use one or more of the other modes as well, depending on the model. In store-and-forward switching, the entire frame is buffered (copied into memory) and the Cyclic Redundancy Check (CRC), also known as the FCS or Frame Check Sequence, is run to ensure that the frame is valid and not corrupted.

Cut Through: Cut through is the fastest switching mode. The switch analyzes the first six bytes after the preamble of the frame to make its forwarding decision. Those six bytes are the destination MAC address, which, if you think about it, is the minimum amount of information a switch has to look at to switch efficiently. After the forwarding decision has been made, the switch can begin to send the frame out the appropriate port(s), even if the rest of the frame is still arriving at the inbound port. The chief advantage of cut-through switching is speed; no time is spent running the CRC, and the frame is forwarded as fast as possible.

Fragment-free: The switch forwards a frame after it has seen at least 64 bytes, which prevents the switching of runt frames. This is the default switching method for the 1900 series (the 2950 doesn't support cut-through). Fragment-free switching is sometimes called "runtless" switching for this reason.
Because the switch only ever buffers 64 bytes of each frame, fragment-free is a faster mode than store and forward, but there still exists a risk of forwarding bad frames, so the previously described mechanisms to change to store and forward if excessive bad CRCs are received are often implemented as well.

Functions of Bridging and Switching

Learning: Address learning refers to the intelligent capability of switches to dynamically learn the source MAC addresses of devices that are connected to its various ports. These addresses are stored in RAM in a table that lists the address and the port on which a frame was last received from that address. This enables a switch to selectively forward the frame out the appropriate port(s), based on the destination MAC address of the frame. Anytime a device that is connected to a switch sends a frame through the switch, the switch records the source MAC address of the frame in a table and associates that address with the port the frame arrived on. Bridges place learned source MAC addresses and their corresponding ports in a CAM (content addressable memory) table.

Forwarding: Once a destination MAC address is in the CAM table, the switch forwards a frame for that address only out the port associated with it, rather than out all ports. There are some situations in which a switch cannot make its forwarding decision and must flood the frame.
Three frame types are always flooded:

Broadcast address: Destination MAC address of FFFF.FFFF.FFFF.
Multicast address: Destination MAC addresses between 0100.5E00.0000 and 0100.5E7F.FFFF.
Unknown unicast: The destination MAC address is not found in the CAM table.

Removing layer-2 loops: Spanning Tree Protocol (STP, 802.1d)

The main function of the Spanning Tree Protocol (STP) is to remove layer-2 loops from your topology. We will discuss the loop-removal function in more detail in our next article.

Static MAC Addresses

In addition to having the switches learn MAC addresses dynamically, you can manually create static entries. You might want to do this for security reasons. Statically configuring MAC addresses on the switch is not very common today. If configured, static entries are typically used for network devices, such as servers and routers.

Port Security Feature

Port security is a switch feature that allows you to lock down switch ports based on the MAC address or addresses associated with the interface, preventing unauthorized access to a LAN. Three violation modes are possible when a security violation occurs (for example, a secured MAC address is seen connected to a different port):

Protect: When the number of secure addresses reaches the maximum number allowed, any additionally learned addresses will be dropped.
Restrict: Causes the switch to generate a security violation alert.
Shutdown: Causes the switch to generate an alert and to disable the interface. The only way to re-enable the interface is to use the no shutdown command. This is the default violation mode if you don't specify the mode.

EtherChannels

An EtherChannel is a layer 2 solution that allows you to aggregate multiple layer 2 Ethernet-based connections between directly connected devices. Basically, an EtherChannel bundles together multiple Ethernet ports between devices, providing what appears to be a single logical interface.
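The learning, flooding and port security rules above as a small Python model, added here and not part of the original article: the Switch class, port numbers and MAC addresses are constructed for the example, and the multicast check uses only the address range quoted above.

```python
BROADCAST = "ffff.ffff.ffff"
# Multicast range the article lists; fixed-width lowercase dotted hex compares correctly as strings.
MULTICAST_LOW, MULTICAST_HIGH = "0100.5e00.0000", "0100.5e7f.ffff"


def flood_reason(dst, cam):
    """Return why a frame to `dst` must be flooded, or None if it can be forwarded."""
    dst = dst.lower()
    if dst == BROADCAST:
        return "broadcast"
    if MULTICAST_LOW <= dst <= MULTICAST_HIGH:
        return "multicast"
    if dst not in cam:
        return "unknown unicast"
    return None


class Switch:
    """Minimal layer-2 forwarding model: CAM learning, flooding, port security."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}                 # source MAC -> port it was last seen on
        self.security = {}            # port -> {"max": n, "mode": violation mode}
        self.secure_macs = {}         # port -> set of MACs secured on that port
        self.err_disabled = set()     # ports shut down by a "shutdown" violation
        self.alerts = []              # violation alerts (restrict and shutdown modes)

    def enable_port_security(self, port, maximum=1, mode="shutdown", static=()):
        self.security[port] = {"max": maximum, "mode": mode}
        self.secure_macs[port] = set(m.lower() for m in static)

    def no_shutdown(self, port):
        """The only way to bring an err-disabled port back, as the article notes."""
        self.err_disabled.discard(port)

    def receive(self, in_port, src, dst):
        """Process one frame; return (action, list of egress ports)."""
        src, dst = src.lower(), dst.lower()
        if in_port in self.err_disabled:
            return ("dropped: port err-disabled", [])
        if in_port in self.security and not self._admit(in_port, src):
            return self._violate(in_port, src)
        self.cam[src] = in_port                      # learning
        reason = flood_reason(dst, self.cam)
        if reason is None:                           # forwarding
            out = self.cam[dst]
            if out == in_port:
                return ("filtered: destination on ingress port", [])
            return ("forwarded", [out])
        egress = [p for p in self.ports if p != in_port and p not in self.err_disabled]
        return ("flooded: " + reason, egress)

    def _admit(self, port, src):
        """Learn `src` as a secure MAC on `port` if policy allows; False on violation."""
        for other, macs in self.secure_macs.items():
            if other != port and src in macs:        # secured MAC seen on a different port
                return False
        macs = self.secure_macs[port]
        if src in macs:
            return True
        if len(macs) >= self.security[port]["max"]:
            return False
        macs.add(src)
        return True

    def _violate(self, port, src):
        mode = self.security[port]["mode"]
        if mode == "protect":                        # silently drop the frame
            return ("dropped: protect", [])
        self.alerts.append("%s violation on port %s by %s" % (mode, port, src))
        if mode == "restrict":
            return ("dropped: restrict", [])
        self.err_disabled.add(port)                  # default mode: shutdown
        return ("dropped: port err-disabled", [])


if __name__ == "__main__":
    # Constructed walk-through: port 2 allows one secure MAC, default (shutdown) mode.
    sw = Switch(ports=[1, 2, 3])
    sw.enable_port_security(2, maximum=1)
    for frame in [(1, "0000.0c00.0001", "ffff.ffff.ffff"),
                  (2, "0000.0c00.0002", "0000.0c00.0001"),
                  (2, "0000.0c00.0bad", "0000.0c00.0001")]:
        print(frame, "->", sw.receive(*frame))
    print("alerts:", sw.alerts, "err-disabled:", sorted(sw.err_disabled))
```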
EtherChannels provide these advantages:

Redundancy: If one connection in the channel fails, you can use the other connections in the channel.
More bandwidth: Each connection can be used simultaneously to send frames.
Simplified management: Configuration is done on the logical interface, not on each individual connection in the channel.

EtherChannel Restrictions

Interfaces in an EtherChannel must be configured identically: speed, duplexing, and VLAN settings (the same VLAN if they are access ports, or the same trunk properties) must be the same. When setting up EtherChannels, you can bundle up to eight interfaces together:

Up to eight Fast Ethernet connections, providing up to 800 Mbps
Up to eight Gigabit Ethernet connections, providing up to 8 Gbps
Up to eight 10-Gigabit Ethernet connections, providing up to 80 Gbps

You can have a total of six EtherChannels on a switch.

EtherChannel Operations

Channels can be formed dynamically between devices by using one of two protocols: Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP). Remember that ports participating in a channel must be configured identically. Once a channel is formed, load balancing can be used by the connected devices to utilize all the ports in the channel. Load balancing is performed by reducing part of the binary addressing in the frame or packet to a numeric value and then associating the numeric value with one of the ports in the channel. Load balancing can use MAC or IP addresses, source or destination addresses, or both source and destination address pairs. In this fashion, you are guaranteed that all links in the channel will be utilized; however, you are not guaranteed that all the ports will be utilized equally. For example, if you are load balancing based on source addresses, you are guaranteed that different source MAC addresses will use different ports in the channel.
All traffic from a single source MAC address, however, will always use the same port in the channel. Given this situation, if you have one device generating a lot of traffic, that link will possibly be utilized more than the other links in the channel. In this situation, you might want to load balance based on destination addresses or on both source and destination addresses.

Spanning Tree Protocols

In our last article we learned about the basic functions of switching. We mentioned that one of the functions of a switch is layer 2 loop removal. The Spanning Tree Protocol (STP) carries out this function. STP is a critical feature; without it, many switched networks would completely cease to function. The problem arises when we create a looped switched path, either accidentally or intentionally in the process of creating a redundant network. A loop can be defined as two or more switches that are interconnected by two or more physical links. Switching loops create three major problems:

Broadcast storms: Switches must flood broadcasts, so a looped topology will create multiple copies of a single broadcast and perpetually cycle them through the loop.
MAC table instability: Loops make it appear that a single MAC address is reachable on multiple ports of a switch, and the switch is constantly updating the MAC table.
Duplicate frames: Because there are multiple paths to a single MAC address, it is possible that a frame could be duplicated in order to be flooded out all paths to a single destination MAC address.

All these problems are serious and will bring a network to an effective standstill unless prevented.

Removing layer-2 loops: Spanning Tree Protocol (STP, 802.1d)

The main function of the Spanning Tree Protocol (STP) is to remove layer-2 loops from your topology. For STP to function, the switches need to share information.
What they share are bridge protocol data units (BPDUs).

Root Port: After the root switch is elected, every other switch in the network needs to choose a single port on itself that it will use to reach the root. This port is called the root port. The root port is always the link directly connected to the root bridge, or the shortest path to the root bridge. If more than one link connects to the root bridge, then a port cost is determined by checking the bandwidth of each link. The lowest-cost port becomes the root port. If multiple links have the same cost, the link to the neighbor with the lower advertising bridge ID is used. Since multiple links can come from the same device, in that case the lowest port number is used.

Root Bridge: The switch with the lowest switch ID is chosen as the root. The switch ID is made up of two components:

The switch's priority, which defaults to 32,768 on Cisco switches (two bytes in length)
The switch's MAC address (six bytes in length)

All other decisions in the network, such as which port is to be blocked and which port is to be put in forwarding mode, are made from the perspective of this root bridge.

BPDUs: Bridge protocol data units are sent out as multicasts that only other layer-2 devices listen to. BPDUs are used to share information, and they are sent out every two seconds. The BPDU contains the bridge's or switch's ID, made up of a priority value and the MAC address. BPDUs are used for the election process.

Path Costs: Path costs are calculated from the root switch. A path cost is basically the accumulated port costs from the root switch to other switches in the topology. When the root advertises BPDUs out its interfaces, the default path cost value in the BPDU frame is 0. When a connected switch receives this BPDU, it increments the path cost by the cost of its local incoming port. If the port is a Fast Ethernet port, then the path cost is figured like this: 0 (the root's path cost) + 19 (the switch's port cost) = 19.
This switch, when it advertises BPDUs to switches behind it, will include the updated path cost. As the BPDUs propagate further and further from the root switch, the accumulated path cost values become higher and higher.

Connection Type  New Cost Value  Old Cost Value
10 Gb            2               1
1 Gb             4               1
100 Mb           19              10
10 Mb            100             100

Remember that path costs are incremented as a BPDU comes into a port, not when a BPDU is advertised out of a port.

Designated Port: A designated port is one that has been determined as having the best (lowest) cost. A designated port will be marked as a forwarding port. Each LAN segment also has a single port that it uses to reach the root; this port is called the designated port.

Forwarding Port: A forwarding port forwards frames.

Blocked Port: A blocked port is a port that, in order to prevent loops, will not forward frames. However, a blocked port will always listen to frames.

Nondesignated Port: A nondesignated port is one with a higher cost than the designated port. Nondesignated ports are put in blocking mode; they are not forwarding ports.

Port States

Blocking: Ports will go into a blocking state under one of three conditions:

Election of a root switch (for instance, when you turn on all the switches in a network)
When a switch receives a BPDU on a port that indicates a better path to the root switch than the port the switch is currently using to reach the root
If a port is not a root port or a designated port

A port in a blocking state will remain there for 20 seconds by default. During this state, the port only listens to and processes BPDUs on its interfaces. Any other frames that the switch receives on a blocked port are dropped.

Listening: The port is still listening for BPDUs and double-checking the layer-2 topology. Again, the only traffic that is being processed in this state consists of BPDUs; all other traffic is dropped. The default for this state is 15 seconds.
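An added Python example, not from the original article, that runs the root election, path-cost accumulation and root-port tie-breaks described above over a constructed three-switch topology. Switch names, MAC addresses and port numbers are made up for the example; the port costs are the "new" values from the table above.

```python
from collections import namedtuple

# Port costs from the table above (the "new" 802.1d values), keyed by link speed in Mbps.
PORT_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}

Switch = namedtuple("Switch", "name priority mac")
# A link joins port `a_port` on switch `a` to port `b_port` on switch `b`.
Link = namedtuple("Link", "a a_port b b_port mbps")


def bridge_id(sw):
    """Bridge ID compares priority first, then MAC; the lowest wins."""
    return (sw.priority, sw.mac.lower())


def elect_root(switches):
    return min(switches, key=bridge_id)


def compute_root_ports(switches, links):
    """Return {switch name: (root path cost, root port)} following the article's rules.

    Cost is added when a BPDU arrives on a port. Ties are broken by the advertising
    neighbour's bridge ID, then by the lowest local port number. The root gets (0, None).
    """
    by_name = {s.name: s for s in switches}
    root = elect_root(switches)
    neighbours = {s.name: [] for s in switches}
    for link in links:
        cost = PORT_COST[link.mbps]
        neighbours[link.a].append((link.b, link.b_port, cost))   # BPDU from a lands on b_port
        neighbours[link.b].append((link.a, link.a_port, cost))
    # best[name] = (path cost, advertising bridge ID, local port); relax until stable.
    best = {root.name: (0, bridge_id(root), 0)}
    changed = True
    while changed:
        changed = False
        for sender, adj in neighbours.items():
            if sender not in best:
                continue
            for receiver, in_port, cost in adj:
                if receiver == root.name:
                    continue
                candidate = (best[sender][0] + cost, bridge_id(by_name[sender]), in_port)
                if receiver not in best or candidate < best[receiver]:
                    best[receiver] = candidate
                    changed = True
    return {name: (c, None if name == root.name else p) for name, (c, _, p) in best.items()}


def with_priority(switches, name, priority):
    """Copy of `switches` with one bridge priority changed, as an administrator would do
    to make a chosen switch win the election instead of the lowest MAC address."""
    return [s._replace(priority=priority) if s.name == name else s for s in switches]


# Constructed topology: a triangle with one slower link; all priorities left at the default.
SWITCHES = [
    Switch("SW1", 32768, "0000.0c11.1111"),
    Switch("SW2", 32768, "0000.0c22.2222"),
    Switch("SW3", 32768, "0000.0c33.3333"),
]
LINKS = [
    Link("SW1", 1, "SW2", 1, 1000),   # Gigabit, cost 4
    Link("SW1", 2, "SW3", 1, 100),    # Fast Ethernet, cost 19
    Link("SW2", 2, "SW3", 2, 1000),   # Gigabit, cost 4
]

if __name__ == "__main__":
    print("root:", elect_root(SWITCHES).name, compute_root_ports(SWITCHES, LINKS))
    # SW3 reaches SW1 at cost 8 via SW2 (4 + 4), not 19 over its direct Fast Ethernet link.
    lowered = with_priority(SWITCHES, "SW3", 4096)
    print("root:", elect_root(lowered).name, compute_root_ports(lowered, LINKS))
```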
Learning: The port is still listening for and processing BPDUs; however, unlike in the listening state, the port begins to process user frames. When processing user frames, the switch examines the source addresses in the frames and updates its CAM table, but it is still not forwarding these frames out destination ports. This state defaults to 15 seconds.

Forwarding: The port will process BPDUs, update its CAM table with frames that it receives, and forward user traffic through the port.

Disabled: A port in a disabled state is not participating in STP.

Convergence: STP convergence has occurred when all root and designated ports are in a forwarding state and all other ports are in a blocking state.

Per-VLAN STP: STP doesn't guarantee an optimized loop-free network. PVST supports one instance of STP per VLAN.

Rapid Spanning Tree Protocol

The 802.1d standard was designed back when waiting 30 to 50 seconds for layer 2 convergence wasn't a problem. However, in today's networks, this can cause serious performance problems for networks that use real-time applications, such as voice over IP (VoIP) or video. The Rapid Spanning Tree Protocol (RSTP) is an IEEE standard, defined in 802.1w, which is interoperable with 802.1d and an extension to it. With RSTP, there are only three port states:

Discarding (basically the grouping of 802.1d's blocking, listening, and disabled states)
Learning
Forwarding

Additional Port Roles

With RSTP, there is still a root switch and there are still root and designated ports, performing the same roles as those in 802.1d. However, RSTP adds two additional port types: alternate ports and backup ports. These two port types are similar to ports in a blocking state in 802.1d. An alternate port is a port that has an alternative path or paths to the root but is currently in a discarding state. A backup port is a port on a segment that could be used to reach the root switch, but an active port is already designated for the segment.
The best way to look at this is that an alternate port is a secondary, unused root port, and a backup port is a secondary, unused designated port.

RSTP BPDUs
With 802.1w, if a BPDU is not received in three expected hello periods (6 seconds), STP information can be aged out instantly: the switch considers that its neighbor is lost and takes action. This is different from 802.1d, where the switch had to miss the BPDUs from the root—here, if the switch misses three consecutive hellos from a neighbor, action is taken immediately.

Virtual LAN
A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain that can span multiple physical segments.
Advantages of VLANs:
- Increase the number of broadcast domains while reducing their size.
- Provide additional security.
- Increase the flexibility of network equipment.
- Allow a logical grouping of users by function, not location.
- Make user adds, moves, and changes easier.

Subnets and VLANs: Logically speaking, VLANs are also subnets. A subnet, or a network, is a contained broadcast domain. A broadcast that occurs in one subnet will not, by default, be forwarded to another subnet. Routers, or layer-3 devices, provide this boundary function. Switches provide this function at layer 2 with VLANs.

Scalability: VLANs provide location independence. This flexibility makes adds, changes, and moves of networking devices a simple process. It also allows you to group people together, which makes implementing your security policies straightforward. IP supports 500 devices per VLAN.

VLAN Membership: A device's membership in a VLAN can be determined by one of two methods, static or dynamic:
- Static: you assign membership manually.
- Dynamic: configure a VTP server and it does the rest automatically.

VLAN Connections: there are two types of connections: access links and trunks.
Access-Link Connections
An access-link connection is a connection between a switch and a device with a normal Ethernet NIC, where the Ethernet frames are transmitted unaltered.

Trunk Connections
Trunk connections are capable of carrying traffic for multiple VLANs. Cisco supports two Ethernet trunking methods:
- Cisco's proprietary Inter Switch Link (ISL) protocol for Ethernet
- IEEE's 802.1Q, commonly referred to as dot1q, for Ethernet
ISL is a Cisco-proprietary trunking method that adds a 26-byte header and a 4-byte trailer to the original Ethernet frame. Cisco's 1900 switch supports only ISL. 802.1Q is a standardized trunking method that inserts a four-byte field into the original Ethernet frame and recomputes the FCS. The 2950 supports only 802.1Q.
802.1Q trunks support two types of frames: tagged and untagged. An untagged frame does not carry any VLAN identification information in it—basically, this is a standard, unaltered Ethernet frame. A tagged frame contains VLAN information, and only other 802.1Q-aware devices on the trunk will be able to process this frame.

Trunk Tagging
For VLANs to span across multiple switches, you obviously need to connect the switches to each other. Although it is possible to simply plug one switch into another using an access port, just as you would plug in a host or a hub, doing so kills the VLAN-spanning feature and a bunch of other useful stuff too. A switch-to-switch link must be set up as a trunk link in order for the VLAN system to work properly. A trunk link is a special connection; the key difference between an ordinary connection (an access port) and a trunk port is that although an access port is only in one VLAN at a time, a trunk port has the job of carrying traffic for all VLANs from one switch to another. Any time you connect a switch to another switch, you want to make it a trunk.
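The tagged-versus-untagged distinction above, as an added example that is not part of the original article: it builds a standard Ethernet frame, inserts the 4-byte 802.1Q field after the source MAC, recomputes the FCS, and parses both frame types. The MAC addresses and payload are constructed sample values; the FCS is computed with zlib's CRC-32 and appended least-significant byte first, as Ethernet transmits it.

```python
import struct
import zlib

TPID_8021Q = 0x8100          # EtherType value that marks the 802.1Q tag field
ETHERTYPE_IPV4 = 0x0800
MIN_PAYLOAD = 46             # minimum Ethernet payload; shorter payloads are padded


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over dst, src, type and payload, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def mac(text: str) -> bytes:
    """Parse a MAC written either as 0060.2f9d.9101 (Cisco style) or 00:60:2f:9d:91:01."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def build_untagged(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """A standard, unaltered Ethernet frame: what an access link carries."""
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    return len(frame) >= 18 and fcs(frame[:-4]) == frame[-4:]


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """What a trunk port does on egress: insert the 4-byte 802.1Q field after the
    source MAC and recompute the FCS over the modified frame."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not fcs_ok(frame):
        raise ValueError("refusing to tag a frame with a bad FCS")
    body = frame[:-4]
    # TCI: 3-bit priority, 1-bit DEI (left 0), 12-bit VLAN ID
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def parse_frame(frame: bytes) -> dict:
    """Decode either frame type. A NIC that is not 802.1Q-aware sees TPID 0x8100 as an
    unknown EtherType at offset 12 and drops the frame, which is the behaviour the text describes."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS")
    body = frame[:-4]
    dst, src = body[:6], body[6:12]
    ethertype = struct.unpack("!H", body[12:14])[0]
    vlan_id, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        pcp, vlan_id = tci >> 13, tci & 0xFFF
        ethertype = struct.unpack("!H", body[16:18])[0]
        offset = 18
    return {"dst": dst.hex(), "src": src.hex(), "vlan": vlan_id, "pcp": pcp,
            "ethertype": ethertype, "payload": body[offset:]}


def untag_frame(frame: bytes) -> bytes:
    """What a trunk port does when forwarding toward an access port: strip the tag, recompute the FCS."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)


if __name__ == "__main__":
    # Constructed sample: a 10-byte payload padded to the 46-byte minimum (64-byte frame with FCS).
    plain = build_untagged("0060.2f9d.9101", "0001.643a.5501", ETHERTYPE_IPV4, b"hello-vlan")
    trunk = tag_frame(plain, vlan_id=10, pcp=5)
    print(len(plain), len(trunk), parse_frame(trunk)["vlan"])   # 64 68 10
```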
Trunking methods create the illusion that, instead of a single physical connection between the two trunking devices, a separate logical connection exists for each VLAN between them. When trunking, the switch adds the source port's VLAN identifier to the frame so that the device (typically a switch) at the other end of the trunk understands which VLAN originated the frame, and the destination switch can make forwarding decisions based not just on the destination MAC address but also on the source VLAN identifier. Since information is added to the original Ethernet frame, normal NICs will not understand it and will typically drop the frame. Therefore, when you set up a trunk connection on a switch's interface, you need to ensure that the device at the other end also supports the same trunking protocol and has it configured. If the device at the other end doesn't understand these modified frames or is not set up for trunking, it will, in most situations, drop them. The modification of these frames is commonly called tagging. By default, all VLANs are permitted across a trunk link. Switch-to-switch trunk links always require the use of a crossover cable, never a straight-through cable.

Key features about DTP:
- A trunk can be created only on a Fast Ethernet or Gigabit Ethernet connection; 10Mb Ethernet ports are not fast enough to support the increased traffic from multiple VLANs, so the commands are not available for a regular Ethernet port.
- By default, traffic from all VLANs is allowed on a trunk. You can specify which VLANs are permitted (or not) to cross a particular trunk if you have that requirement, but these functions are not covered in the CCNA exam.
- Switches (whether trunked or not) are always connected with crossover cables, not straight-through cables.

Dynamic Trunk Protocol (DTP)
DTP supports five trunking modes:
- On or Trunk: the interface always assumes the connection is a trunk, even if the remote end does not support trunking.
- Desirable: the interface generates DTP messages, but it assumes the other side is not trunk-capable and waits for a DTP message from the remote side. In this state, the interface starts as an access-link connection. If the remote side sends a DTP message indicating that trunking is compatible between the two switches, a trunk is formed and the switch starts tagging frames on the interface. If the other side does not support trunking, the interface remains an access-link connection.
- Auto-negotiate: the interface passively listens for DTP messages from the remote side and leaves the interface as an access-link connection. If the interface receives a DTP message that matches its trunking capabilities, the interface changes from an access-link connection to a trunk connection and starts tagging frames.
- No-negotiate: the interface is set as a trunk connection and automatically tags frames with VLAN information; however, the interface does not generate DTP messages: DTP is disabled. This mode is typically used when connecting trunk connections to non-Cisco devices that don't understand Cisco's proprietary trunking protocol and thus won't understand the contents of these messages.
- Off: the interface is configured as an access link. No DTP messages are generated in this mode, nor are frames tagged.

VLAN Trunk Protocol (VTP)
VTP is a Layer 2 protocol that takes care of creating and naming VLANs on all switches in the system. We still have to set port membership to VLANs at each switch, which we can do either statically or using a VMPS. VTP works by establishing a single switch as being in charge of the VLAN information for a domain. In this case, a domain is simply a group of switches that all have the same VTP domain name. This simply puts all the switches into a common administrative group.
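The five DTP modes above, worked through as an added example (not from the original article): what each end of a link settles on, the resulting 5x5 negotiation matrix, and a defender's check for host-facing ports that would still come up as a trunk if the attached device sent DTP. One assumption goes slightly beyond the page's wording: an auto port answers the DTP messages it receives (Cisco behaviour), which is what lets desirable and auto form a trunk.

```python
# DTP negotiation outcomes for the five modes described above (On, Desirable, Auto, No-negotiate, Off).
MODES = ("trunk", "desirable", "auto", "nonegotiate", "access")


def sends_dtp(mode: str) -> bool:
    """Modes that generate DTP messages: On and Desirable. No-negotiate and Off never do.
    Assumption (Cisco behaviour, not spelled out on the page): Auto answers DTP it receives."""
    return mode in ("trunk", "desirable")


def local_state(mode: str, peer: str) -> str:
    """What this end of the link ends up doing: 'trunk' (tagging frames) or 'access' (frames unaltered)."""
    if mode in ("trunk", "nonegotiate"):
        return "trunk"                       # tags unconditionally, whatever the peer does
    if mode == "access":
        return "access"                      # Off: never tags, never negotiates
    if mode == "desirable":
        # Starts as an access link; trunks once a DTP message from the peer shows it can trunk.
        # An auto peer counts because it replies to our messages (see assumption above).
        return "trunk" if sends_dtp(peer) or peer == "auto" else "access"
    if mode == "auto":
        # Passive: only a peer that initiates DTP can turn this port into a trunk.
        return "trunk" if sends_dtp(peer) else "access"
    raise ValueError(f"unknown DTP mode {mode!r}")


def link_result(mode_a: str, mode_b: str) -> str:
    """'trunk' or 'access' when both ends agree; 'mismatch' when one end tags frames
    and the other, not expecting tags, drops them."""
    a, b = local_state(mode_a, mode_b), local_state(mode_b, mode_a)
    return a if a == b else "mismatch"


def negotiation_matrix() -> dict:
    """All 25 mode combinations, the table to check a pair of switch configurations against."""
    return {(a, b): link_result(a, b) for a in MODES for b in MODES}


def negotiating_edge_ports(port_modes: dict) -> list:
    """Defender's audit: host-facing ports whose mode would still form a trunk if the attached
    device behaved like a 'desirable' peer. Only Off (access) keeps such a port an access link."""
    return sorted(port for port, mode in port_modes.items()
                  if local_state(mode, "desirable") == "trunk")


if __name__ == "__main__":
    matrix = negotiation_matrix()
    print("{:<12}".format("") + "".join(f"{m:<12}" for m in MODES))
    for a in MODES:
        print(f"{a:<12}" + "".join(f"{matrix[(a, b)]:<12}" for b in MODES))
    # Constructed port table; Fa0/1 is the only one that stays an access link against a DTP speaker.
    print(negotiating_edge_ports({"Fa0/1": "access", "Fa0/2": "auto",
                                  "Fa0/3": "desirable", "Fa0/4": "nonegotiate"}))
```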
The VLAN Trunk Protocol (VTP) is a proprietary Cisco protocol used to share VLAN configuration information between Cisco switches over trunk connections. When you are setting up VTP, you have three different modes: server, client, and transparent.
- Server mode: This is the one switch in charge of the VLAN information for the VTP domain. You may add, delete, and change VLAN information on this switch, and doing so affects the entire VTP domain. This way, we only have to enter our VLAN information once, and the server mode switch propagates it to all the other switches in the domain.
- Client mode: Client mode switches get VLAN information from the server. You cannot add, delete, or change VLAN information on a client mode switch; in fact, the commands to do so are disabled.
- Transparent mode: A transparent mode switch is doing its own thing; it will not accept any changes to VLAN information from the server, but it will forward those changes to other switches in the system. You can add, delete, and change VLANs—but those changes only affect the transparent mode switch and are not sent to other switches in the domain.

VTP Messages
- An advertisement request message is a VTP message that a client generates.
- When the server responds to a client's request, it generates a subset advertisement.
- A summary advertisement is also generated by a switch in VTP server mode. Summary advertisements are generated every five minutes (300 seconds) by default, or when a configuration change takes place on the server switch.

VTP Pruning
VTP gives you a way to preserve bandwidth by configuring it to reduce the amount of broadcast, multicast, and unicast packets. This is called pruning. A switch with VTP pruning enabled sends broadcasts only to trunk links that actually must have the information. VTP pruning is used on trunk connections to dynamically remove VLANs not active between the two switches. It requires all of the switches to be in server mode.
Basic Switch Configuration Commands
In this article I will introduce the Cisco Internetwork Operating System (IOS) command line interface (CLI) for the 2960 series switch. You will need to log on to a switch and become familiar with the different levels of access on the switch. You will also become familiar with the commands available to you in each mode (user or privileged) and the switch help facility, history, and editing features.

User vs. Privileged Mode
User mode is indicated by the > next to the switch name. You can look at settings but cannot make changes from user mode. In privileged mode, indicated by the #, you can do anything. To get into privileged mode the keyword is enable.

Help
To view all commands available from the current mode, type ?. This gives you the list of all available commands for the switch in your current mode. You can also use the question mark after you have started typing a command. For example, if you want to use a show command but do not remember which one it is, type show ? and the switch outputs all commands that you can use with the show command.

Configuration Mode
From privileged mode you can enter configuration mode by typing the config term command. To exit configuration mode, type end or press <CTRL>+z.

Configuration of Cisco 2960 Switch
To practically implement these commands, either create a simple topology in Packet Tracer or download this topology.
[Figure: Example topology for basic switch commands]
Now click on any switch and configure it as given below.

To see all available commands in user exec mode, type ? and press Enter:
Switch>?
Exec commands:
  [1-99]      Session number to resume
  connect     Open a terminal connection
  disconnect  Disconnect an existing network connection
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  logout      Exit from the EXEC
  ping        Send echo messages
[Output is omitted]

Three commands can be used to log out of the terminal; use any one:
Switch>enable
Switch#disable
Switch>exit
Switch con0 is now available
Press RETURN to get started.

The show version command tells you about the device platform, the detected interfaces and the IOS image name:
Switch>enable
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
System returned to ROM by power-on
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
[Output is omitted]

The show mac-address-table command shows all MAC addresses, whether learned dynamically or configured manually:
Switch#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.643a.5501    DYNAMIC     Gig1/1

The running configuration held in RAM can be viewed at any time with the show running-config command:
Switch#show running-config
Building configuration...
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]

To view the startup configuration [stored in NVRAM], use the show startup-config command:
Switch#show startup-config
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]

The show vlan command gives a detailed overview of all VLANs configured on the switch:
Switch#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
[Output is omitted]

The show interfaces command shows all detected interfaces with their hardware description and configuration:
Switch#show interfaces
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Lance, address is 0060.2f9d.9101 (bia 0060.2f9d.9101)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
[Output is omitted]

Interface vlan 1 is used to assign an IP address and default gateway to the switch. show interface vlan1 gives an overview of VLAN 1:
Switch#show interface vlan1
Vlan1 is administratively down, line protocol is down
  Hardware is CPU Interface, address is 0060.5c23.82ae (bia 0060.5c23.82ae)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
[Output is omitted]

The delete command removes all VLAN configuration from the switch. Don't add a space between flash: and vlan.dat; run this exactly as shown here, since adding a space could erase the flash entirely, leaving the switch blank:
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
%deleting flash:/vlan.dat

The startup configuration can be removed with the erase command:
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram

Use the configure terminal command to enter global configuration mode:
Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Now change the default switch name to Switch1:
Switch(config)#hostname Switch1

Set the enable password to vinita and the secret to nikki:
Switch1(config)#enable password vinita
Switch1(config)#enable secret nikki

Set the console password to vinita and enable it with the login command. The order of the commands is important: set the password before you enable it.
Switch1(config)#line console 0
Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit

Enable 5 telnet sessions [vty 0 - vty 4] and set their password to vinita:
Switch1(config)#line vty 0 4
Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit

Now set the switch IP address to 192.168.0.10 255.255.255.0 and the default gateway to 192.168.0.5:
Switch1(config)#interface vlan1
Switch1(config-if)#ip address 192.168.0.10 255.255.255.0
Switch1(config-if)#exit
Switch1(config)#ip default-gateway 192.168.0.5

Set the description "finance VLAN" on interface FastEthernet 0/1:
Switch1(config)#interface fastEthernet 0/1
Switch1(config-if)#description finance VLAN

By default the switch automatically negotiates speed and duplex, but you can adjust them manually:
Switch1(config-if)#duplex full
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch1(config-if)#duplex auto
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex half
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex auto
Switch1(config-if)#speed 10
Switch1(config-if)#speed 100
Switch1(config-if)#speed auto
Switch1(config-if)#exit
Switch1(config)#exit

The MAC address table can be wiped with the clear command:
Switch1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.643a.5501    DYNAMIC     Gig1/1
Switch1#clear mac-address-table
Switch1#clear mac-address-table ?
  dynamic  dynamic entry type
Switch1#clear mac-address-table dynamic

To restart the switch, use the reload command [the running configuration will be lost, so copy it to the startup configuration first]:
Switch1#reload
Proceed with reload? [confirm]
Switch con0 is now available
Press RETURN to get started.

CCNA basic switch configuration command sheet

Command                            Description
switch>?                           The ? works here the same as in a router; used to get the list of all available commands
switch>                            User mode, same as a router
switch>enable                      Enters privileged mode
switch#                            Privileged mode
switch#disable                     Leaves privileged mode
switch>exit                        Leaves user mode
switch#show version                Displays information about software and hardware.
switch#show flash:                 Displays information about flash memory (will work only for the 2900/2950 series).
switch#show mac-address-table      Displays the current MAC address forwarding table.
switch#show running-config         Displays the current configuration in DRAM.
switch#show startup-config         Displays the current configuration in NVRAM.
switch#show vlan                   Displays the current VLAN configuration.
switch#show interfaces             Displays the interface configuration and status of line: up/up, up/down, admin down.
switch#show interface vlan1        Displays the settings of virtual interface VLAN 1, the default VLAN on the switch.

To Reset Switch Configuration
Switch#delete flash:vlan.dat       Removes the VLAN database from flash memory.
Delete filename [vlan.dat]?        Press Enter
Delete flash:vlan.dat? [confirm]   Press Enter
Switch#erase startup-config        Erases the file from NVRAM.
Switch#reload                      Restarts the switch.

To Set Host Names
Switch#configure terminal          Moves to global configuration mode
Switch(config)#hostname Switch1    Creates a locally significant host name of the switch. This is the same command as on the router.
Switch1(config)#

To Set Passwords
Switch(config)#enable password vinita    Sets the enable password to vinita
Switch(config)#enable secret nikki       Sets the encrypted secret password to nikki
Switch(config)#line console 0            Enters line console mode
Switch(config-line)#login                Enables password checking
Switch(config-line)#password vinita      Sets the password to vinita
Switch(config-line)#exit                 Exits line console mode
Switch(config)#line vty 0 4              Enters line vty mode for all five virtual ports
Switch(config-line)#login                Enables password checking
Switch(config-line)#password vinita      Sets the password to vinita
Switch(config-line)#exit                 Exits line vty mode
Switch(config)#

To Set IP Addresses and Default Gateways
Switch(config)#interface vlan1                           Enters the virtual interface for VLAN 1, the default VLAN on the switch
Switch(config-if)#ip address 192.168.0.10 255.255.255.0  Sets the IP address and netmask to allow remote access to the switch
Switch(config-if)#exit
Switch(config)#ip default-gateway 192.168.0.5            Allows IP information an exit past the local network

To Set Interface Descriptions
Switch(config)#interface fastethernet 0/1    Enters interface configuration mode
Switch(config-if)#description Finance VLAN   Adds a description of the interface

To Set Duplex Operation
Switch(config)#interface fastethernet 0/1    Moves to interface configuration mode
Switch(config-if)#duplex full                Forces full-duplex operation
Switch(config-if)#duplex auto                Enables auto-duplex configuration
Switch(config-if)#duplex half                Forces half-duplex operation

To Set Operation Speed
Switch(config)#interface fastethernet 0/1    Moves to interface configuration mode
Switch(config-if)#speed 10                   Forces 10-Mbps operation
Switch(config-if)#speed 100                  Forces 100-Mbps operation
Switch(config-if)#speed auto                 Enables autospeed configuration

MAC Address Table
switch#show mac address-table                Displays the current MAC address forwarding table
switch#clear mac address-table               Deletes all entries from the current MAC address forwarding table
switch#clear mac address-table dynamic       Deletes only dynamic entries from the table

Spanning Tree Protocols
In our last article we learned about the basic functions of switching. We mentioned that one of the functions of a switch is Layer 2 loop removal. The Spanning Tree Protocol (STP) carries out this function. STP is a critical feature; without it many switched networks would completely stop functioning. Either accidentally or intentionally, in the process of creating a redundant network, the problem arises when we create a looped switched path. A loop can be defined as two or more switches that are interconnected by two or more physical links. Switching loops create three major problems:
- Broadcast storms: Switches must flood broadcasts, so a looped topology will create multiple copies of a single broadcast and perpetually cycle them through the loop.
- MAC table instability: Loops make it appear that a single MAC address is reachable on multiple ports of a switch, and the switch is constantly updating the MAC table.
- Duplicate frames: Because there are multiple paths to a single MAC, it is possible that a frame could be duplicated in order to be flooded out all paths to a single destination MAC.
All these problems are serious and will bring a network to an effective standstill unless prevented.

Removing Layer-2 Loops: Spanning Tree Protocol (STP, 802.1d)
The main function of the Spanning Tree Protocol (STP) is to remove layer-2 loops from your topology. For STP to function, the switches need to share information. What they share are bridge protocol data units (BPDUs).

Root Port
After the root switch is elected, every other switch in the network needs to choose a single port on itself that it will use to reach the root. This port is called the root port. The root port is always the link directly connected to the root bridge, or the shortest path to the root bridge.
If more than one link connects to the root bridge, then a port cost is determined by checking the bandwidth of each link. The lowest-cost port becomes the root port. If multiple links have the same cost, the bridge with the lower advertising bridge ID is used. Since multiple links can come from the same device, the lowest port number will be used.

Root Bridge
The switch with the lowest switch ID is chosen as root. The switch ID is made up of two components:
- The switch's priority, which defaults to 32,768 on Cisco switches (two bytes in length)
- The switch's MAC address (six bytes in length)
All other decisions in the network—such as which port is to be blocked and which port is to be put in forwarding mode—are made from the perspective of this root bridge.

BPDUs
BPDUs are sent out as multicasts that only other layer-2 devices listen to. BPDUs are used to share information and are sent out as multicasts every two seconds. The BPDU contains the bridge's or switch's ID, made up of a priority value and the MAC address. BPDUs are used for the election process.

Path Costs
Path costs are calculated from the root switch. A path cost is basically the accumulated port costs from the root switch to other switches in the topology. When the root advertises BPDUs out its interfaces, the default path cost value in the BPDU frame is 0. When a connected switch receives this BPDU, it increments the path cost by the cost of its local incoming port. If the port was a Fast Ethernet port, then the path cost would be figured like this: 0 (the root's path cost) + 19 (the switch's port cost) = 19. This switch, when it advertises BPDUs to switches behind it, will include the updated path cost. As the BPDUs propagate further and further from the root switch, the accumulated path cost values become higher and higher.
Connection Type   New Cost Value   Old Cost Value
10Gb              2                1
1Gb               4                1
100Mb             19               10
10Mb              100              100

Remember that path costs are incremented as a BPDU comes into a port, not when a BPDU is advertised out of a port.

Designated Port: A designated port is one that has been determined as having the best (lowest) cost. A designated port will be marked as a forwarding port. Each (LAN) segment also has a single port that it uses to reach the root. This port is called a designated port.
Forwarding Port: A forwarding port forwards frames.
Blocked Port: A blocked port is a port that, in order to prevent loops, will not forward frames. However, a blocked port will always listen to frames.
Nondesignated Port: A nondesignated port is one with a higher cost than the designated port. Nondesignated ports are put in blocking mode—they are not forwarding ports.

Port States
Blocking: Ports go into a blocking state under one of three conditions:
- Election of a root switch (for instance, when you turn on all the switches in a network)
- When a switch receives a BPDU on a port that indicates a better path to the root switch than the port the switch is currently using to reach the root
- If a port is not a root port or a designated port
A port in a blocked state remains there for 20 seconds by default. During this state, the port only listens to and processes BPDUs on its interfaces. Any other frames that the switch receives on a blocked port are dropped.
Listening: the port is still listening for BPDUs and double-checking the layer-2 topology. Again, the only traffic being processed in this state consists of BPDUs; all other traffic is dropped. The default for this value is 15 seconds.
Learning: the port is still listening for and processing BPDUs; however, unlike in the listening state, the port begins to process user frames.
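The root election, path-cost accumulation and port-role rules above, run over a small constructed topology as an added example (not from the original article). It uses the "new cost value" column of the table, increments the cost on the port a BPDU arrives on, and shows that the root port is the cheapest path rather than necessarily the direct link; the switch names, MACs and link speeds are constructed, the topology is assumed connected, and the second run in the test shows why the intended root is given a lower priority instead of being left at the default.

```python
import heapq

# Port cost by link speed in Mb/s: the "new cost value" column of the table above.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Default 802.1d timers (seconds) a port spends in each transitional state before forwarding.
STATE_TIMERS = {"blocking": 20, "listening": 15, "learning": 15}


def bridge_id(priority: int, mac: str) -> int:
    """8-byte bridge ID as one integer: 2-byte priority followed by the 6-byte MAC, lowest wins."""
    return (priority << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def elect_root(switches: dict) -> str:
    """switches: name -> (priority, mac). The lowest bridge ID becomes the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def compute_stp(switches: dict, links: list) -> dict:
    """links: (switch_a, port_a, switch_b, port_b, speed_mbps). Assumes a connected topology.
    Returns the root, each switch's root path cost and root port, and a role per (switch, port)."""
    root = elect_root(switches)
    adjacency = {name: [] for name in switches}
    for a, pa, b, pb, speed in links:
        adjacency[a].append((b, pa, pb, speed))
        adjacency[b].append((a, pb, pa, speed))

    # Each switch keeps the best BPDU heard so far: (path cost, sender bridge ID, sender port).
    # Ties fall to the lower sender bridge ID, then the lower sender port, as the text describes.
    # The cost grows by the cost of the port the BPDU ARRIVES on, not the port it leaves.
    best = {root: (0, None, None)}
    root_port = {root: None}
    heap = [(0, bridge_id(*switches[root]), root)]
    while heap:
        cost, _, here = heapq.heappop(heap)
        if cost > best[here][0]:
            continue                                   # stale entry
        for nbr, out_port, in_port, speed in adjacency[here]:
            candidate = (cost + PORT_COST[speed], bridge_id(*switches[here]), out_port)
            if nbr not in best or candidate < best[nbr]:
                best[nbr] = candidate
                root_port[nbr] = in_port
                heapq.heappush(heap, (candidate[0], candidate[1], nbr))

    # One designated port per segment: the end with the lower root path cost (tie: lower bridge ID).
    # The far end is either that switch's root port or a nondesignated port, which blocks.
    roles = {}
    for a, pa, b, pb, _ in links:
        key_a = (best[a][0], bridge_id(*switches[a]))
        key_b = (best[b][0], bridge_id(*switches[b]))
        des, des_port, other, other_port = (a, pa, b, pb) if key_a < key_b else (b, pb, a, pa)
        roles[(des, des_port)] = "designated"
        roles[(other, other_port)] = "root" if root_port[other] == other_port else "blocking"
    return {"root": root,
            "cost": {name: best[name][0] for name in switches},
            "root_port": root_port,
            "roles": roles}


def time_to_forwarding() -> int:
    """Worst-case 802.1d wait before a port forwards: blocking + listening + learning = 50 s."""
    return sum(STATE_TIMERS.values())


# Constructed three-switch triangle. All priorities are the default, so the lowest MAC wins.
SWITCHES = {"SW1": (32768, "0000.0000.0001"),
            "SW2": (32768, "0000.0000.0002"),
            "SW3": (32768, "0000.0000.0003")}
LINKS = [("SW1", "Fa0/1", "SW2", "Fa0/1", 100),     # direct but slow: cost 19
         ("SW1", "Gi0/1", "SW3", "Gi0/1", 1000),    # cost 4
         ("SW2", "Gi0/2", "SW3", "Gi0/2", 1000)]    # SW2 reaches the root via SW3 for 4 + 4 = 8

if __name__ == "__main__":
    result = compute_stp(SWITCHES, LINKS)
    print("root:", result["root"], "costs:", result["cost"], "root ports:", result["root_port"])
    for port, role in sorted(result["roles"].items()):
        print(port, role)        # SW2 Fa0/1 is the one blocking port that breaks the loop
    print("seconds to forwarding:", time_to_forwarding())
```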
When processing user frames, the switch is examining the source addresses in the frames and updating its CAM table, but the switch is still not forwarding these frames out destination ports. Defaults to 15 seconds Forwarding the port will process BPDUs, update its CAM table with frames that it receives, and forward user traffic through the port. Disabled A port in a disabled state is not participating in STP. Convergence STP convergence has occurred when all root and designated ports are in a forwarding state and all other ports are in a blocking state. Per-VLAN STP STP doesn't guarantee an optimized loop-free network. PVST supports one instance of STP per VLAN. Rapid Spanning Tree Protocol The 802.1d standard was designed back when waiting for 30 to 50 seconds for layer 2 convergence wasn’t a problem. However, in today’s networks, this can cause serious performance problems for networks that use real-time applications, such as voice over IP (VoIP) or video. The Rapid Spanning Tree Protocol (RSTP) is an IEEE standard, defined in 802.1w, which is interoperable with 802.1d and an extension to it. With RSTP, there are only three port states: discarding (it is basically the grouping of 802.1d’s blocking, listening, and disabled states). Learning Forwarding Additional Port Roles With RSTP, there is still a root switch and there are still root and designated ports, performing the same roles as those in 802.1d. However, RSTP adds two additional port types: alternate ports and backup ports. These two ports are similar to the ports in a blocking state in 802.1d. An alternate port is a port that has an alternative path or paths to the root but is currently in a discarding state. A backup port is a port on a segment that could be used to reach the root switch, but an active port is already designated for the segment. The best way to look at this is that an alternate port is a secondary, unused root port, and a backup port is a secondary, unused designated port. 
RSTP BPDUs With 802.1w, if a BPDU is not received in three expected hello periods (6 seconds), STP information can be aged out instantly and the switch considers that its neighbor is lost and actions should be taken. This is different from 802.1d, where the switch had to miss the BPDUs from the root—here, if the switch misses three consecutive hellos from a neighbor, actions are immediately taken. Virtual LAN A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain that can span multiple physical segments. Advantages of VLANs: Increase the number of broadcast domains while reducing their size. Provide additional security. Increase the flexibility of network equipment. Allow a logical grouping of users by function, not location. Make user adds, moves, and changes easier. Subnets and VLANs Logically speaking, VLANs are also subnets. A subnet, or a network, is a contained broadcast domain. A broadcast that occurs in one subnet will not be forwarded, by default, to another subnet. Routers, or layer-3 devices, provide this boundary function. Switch provide this function at layer 2 by VLAN. Scalability VLANs provide for location independence. This flexibility makes adds, changes, and moves of networking devices a simple process. It also allows you to group people together, which also makes implementing your security policies straightforward. IP protocols supports 500 devices per vlans. VLAN Membership A device’s membership in a VLAN can be determined by one of two methods: static or dynamic Static: - you have to assign manually Dynamic:- Configure VTP server and it will automatically do rest VLAN Connections two types of connections: access links and trunks. Access-Link Connections An access-link connection is a connection between a switch and a device with a normal Ethernet NIC, where the Ethernet frames are transmitted unaltered. Trunk Connections trunk connections are capable of carrying traffic for multiple VLANs. 
Cisco supports two Ethernet trunking methods: Cisco’s proprietary Inter Switch Link (ISL) protocol for Ethernet IEEE’s 802.1Q, commonly referred to as dot1q for Ethernet ISL is Cisco-proprietary trunking method that adds a 26-byte header and a 4-byte trailer to the original Ethernet frame. Cisco’s 1900 switch supports only ISL 802.1Q is a standardized trunking method that inserts a four-byte field into the original Ethernet frame and recomputed the FCS. The 2950 only supports 802.1Q. 802.1Q trunks support two types of frames: tagged and untagged. An untagged frame does not carry any VLAN identification information in it—basically, this is a standard, unaltered Ethernet frame. A tagged frame contains VLAN information, and only other 802.1Q-aware devices on the trunk will be able to process this frame Trunk Tagging For VLANs to span across multiple switches, you obviously need to connect the switches to each other. Although it is possible to simply plug one switch into another using an Access port just as you would plug in a host or a hub, doing so kills the VLAN-spanning feature and a bunch of other useful stuff too. A switch-to-switch link must be set up as a trunk link in order for the VLAN system to work properly. A trunk link is a special connection; the key difference between an ordinary connection (an Access port) and a Trunk port is that although an Access port is only in one VLAN at a time, a Trunk port has the job of carrying traffic for all VLANs from one switch to another. Any time you connect a switch to another switch, you want to make it a trunk. Trunking methods create the illusion that instead of a single physical connection between the two trunking devices, a separate logical connection exists for each VLAN between them. 
When trunking, the switch adds the source port's VLAN identifier to the frame so that the device at the other end of the trunk (typically another switch) knows which VLAN originated the frame and can base its forwarding decision on the source VLAN identifier as well as the destination MAC address. Because information is added to the original Ethernet frame, a normal NIC will not understand it and will typically drop the frame. Therefore, when you set up a trunk on a switch interface, make sure the device at the other end supports the same trunking protocol and has it configured; if it does not understand these modified frames, or is not set up for trunking, it will in most situations drop them. This modification of frames is commonly called tagging. By default, all VLANs are permitted across a trunk link.

Key facts about trunks and DTP
- On the switches used in these notes, a trunk can be created only on a Fast Ethernet or Gigabit Ethernet port; 10 Mb Ethernet ports are not fast enough for the traffic of multiple VLANs, so the trunk commands are not available on them.
- By default, traffic from all VLANs is allowed on a trunk. You can restrict which VLANs are permitted to cross a particular trunk if you have that requirement. This is not covered in the CCNA exam, but on production trunks it is worth doing so that a trunk carries only the VLANs it needs.
- Switch-to-switch links, trunked or not, traditionally require a crossover cable rather than a straight-through cable; switches that support auto-MDIX work with either.

Dynamic Trunking Protocol (DTP)
DTP is Cisco's protocol for negotiating a trunk between two directly connected Cisco switches. It supports five trunking modes:
On (trunk): the interface always assumes the connection is a trunk and tags frames, even if the remote end does not support trunking.
Desirable: the interface actively sends DTP messages, but it does not assume the other side is trunk-capable and waits for a DTP message from the remote side.
In this state the interface starts as an access-link connection. If the remote side sends a DTP message indicating that trunking is compatible between the two switches, a trunk is formed and the switch starts tagging frames on the interface. If the other side does not support trunking, the interface remains an access-link connection.
Auto: the interface passively listens for DTP messages from the remote side and leaves the interface as an access-link connection. If it receives a DTP message that matches its own trunking capabilities, the interface changes from an access link to a trunk and starts tagging frames.
No-negotiate: the interface is set as a trunk and tags frames with VLAN information, but it does not generate DTP messages: DTP is disabled. This mode is typically used when connecting trunks to non-Cisco devices, which do not understand Cisco's proprietary DTP messages.
Off: the interface is configured as an access link. No DTP messages are generated in this mode, nor are frames tagged.
Security note: an interface in desirable or auto mode will form a trunk with anything that speaks DTP. A host plugged into such a port can negotiate a trunk and then send tagged frames into any VLAN the trunk carries. On ports that connect end devices, set the port to access mode and disable DTP (switchport nonegotiate) so that no negotiation is possible.

VLAN Trunk Protocol (VTP)
VTP is a Layer 2 protocol that takes care of creating and naming VLANs consistently on all switches in the system. We still have to set port membership to VLANs on each switch, which we can do either statically or using a VMPS. VTP works by establishing a single switch as being in charge of the VLAN information for a domain. A domain is simply a group of switches that share the same VTP domain name; it puts the switches into a common administrative group.
The VLAN Trunk Protocol (VTP) is a Cisco-proprietary protocol used to share VLAN configuration information between Cisco switches over trunk connections. When you set up VTP, there are three modes: server, client, and transparent.
Server mode: the switch in charge of the VLAN information for the VTP domain. You may add, delete, and change VLAN information on this switch, and doing so affects the entire domain. This way we enter our VLAN information once, and the server propagates it to all the other switches in the domain. (More than one switch may be a server; any server can change the database.)
Client mode: client switches get their VLAN information from the server. You cannot add, delete, or change VLAN information on a client; the commands to do so are disabled.
Transparent mode: a transparent switch does its own thing. It does not accept VLAN changes from the server, but it does forward VTP advertisements on to other switches in the domain. You can add, delete, and change VLANs on it, but those changes affect only the transparent switch and are not sent to other switches.

VTP Messages
An advertisement request is a VTP message generated by a client, for example after it reboots or when it hears a summary with a higher revision number than its own. When the server responds to the request, it generates a subset advertisement carrying the VLAN details. A summary advertisement is generated by a switch in VTP server mode every five minutes (300 seconds) by default, or immediately when a configuration change takes place on the server. Each change increments the domain's configuration revision number, and a switch replaces its VLAN database when it hears a summary advertisement for its domain with a higher revision number than the one it holds.
This last rule is what makes VTP dangerous: a switch that joins the domain with a higher revision number than the existing servers overwrites the VLAN database of every server and client, deleting VLANs and silencing every port assigned to them. Always set a VTP password, so that advertisements carrying the wrong password digest are rejected, and reset the revision number of a switch (put it in transparent mode or change its domain name) before connecting it to a production domain.

VTP Pruning
VTP pruning lets you preserve bandwidth by reducing the amount of broadcast, multicast, and unknown unicast traffic flooded across trunks. A pruning-enabled switch sends broadcasts only over the trunk links that actually need them, that is, trunks behind which there is at least one active port in that VLAN. Pruning dynamically removes from a trunk the VLANs that are not active on the other side.
Pruning is a domain-wide setting: it is enabled on one VTP server with vtp pruning and the server propagates it to the rest of the domain. Clients do not need to be configured individually, and transparent switches do not take part in pruning.

Switch port security and EtherChannel
In this article I will show you how to:
- configure the IP address and subnet mask
- set the IP default gateway
- enable Telnet sessions to the switch
- enable EtherChannel
- enable port security
To perform this activity, download the lab topology and load it in Packet Tracer, or create your own topology as shown in the figure.

Configure the IP address, subnet mask and default gateway
An IP address and a default gateway are what allow you to manage the switch remotely via Telnet or SSH. Without this basic configuration you have to connect to the switch with a console cable every time, which is tedious because you have to walk to the switch. The address is configured on the management VLAN interface (VLAN 1 here).
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1

Enable Telnet and password-protect the lines
You can secure a switch by using passwords to restrict the various levels of access. Passwords and privilege levels are simple ways of providing both local and remote terminal access control. Passwords can be set on individual lines, such as the console and the VTY (Telnet/SSH) lines, and on privileged EXEC (enable) mode. Passwords are case sensitive. Every switch has at least five VTY lines, numbered 0 through 4 and referred to together as line vty 0 4, which allow five simultaneous Telnet sessions; many platforms, including the 2960, have sixteen (0 through 15), and the line configuration should be applied to all of them. Bear in mind that Telnet carries the password across the network in clear text; where the IOS image supports it, use SSH instead, and restrict which source addresses may reach the VTY lines.
S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#

Enable switch port security
This feature set allows you (among several other options) to disable a port if more than one MAC address is detected on it. It is commonly applied to ports that connect security-sensitive devices such as servers. You can use port security to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to use the port. Once secure MAC addresses are assigned to a secure port, the port does not forward frames whose source address is outside the defined set. In the configuration below, switchport mode access comes first because port security cannot be enabled on a port that is still in dynamic (DTP) mode; maximum 1 allows a single address; sticky makes the switch learn that address from traffic and write it into the running configuration; and violation shutdown puts the port into the error-disabled state as soon as a second address appears. Shutdown is the default violation mode; the alternatives, restrict and protect, drop the offending frames but leave the port up (restrict also counts and logs them, protect does so silently).
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#exit
S2(config)#
Now verify port security. Click the red X button on the right-hand side of the Packet Tracer window; this lets you delete a connection in the topology. Place the X over the connection between Server and S2 and click; the connection disappears. Select the lightning-bolt button at the bottom left of the window to bring up the connection types and click "copper straight-through". Click the TestPC device and select its FastEthernet port, then click S2 and select port Fa0/1. From the command prompt of TestPC, enter ping 10.0.0.4. The ping should fail. On S2, enter show port-security interface fa0/1: port security is enabled, the port status is secure-shutdown, and the security violation count is 1. The port stays error-disabled, even for the original server, until an administrator clears it with shutdown followed by no shutdown on the interface (or errdisable recovery is configured).
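The behaviour just verified can be modelled in a few lines. The following Python is an added example (not IOS code and not from the original article): it models one secure access port with the three violation modes, replays constructed source MAC addresses through it, and reports the same fields that show port-security interface prints. The class name, the MAC addresses and the replay_lab helper are the example's own inventions.

```python
class SecurePort:
    """Model of 'switchport port-security' on one access port (IOS defaults: maximum 1,
    violation shutdown, sticky off). Added example, not IOS code."""

    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum=1, violation="shutdown", sticky=False):
        if violation not in self.MODES:
            raise ValueError("violation mode must be one of %s" % (self.MODES,))
        if maximum < 1:
            raise ValueError("maximum must be at least 1")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static_macs = []          # configured with 'port-security mac-address <mac>'
        self.learned_macs = []         # learned from traffic; saved to config only if sticky
        self.violation_count = 0
        self.status = "secure-up"      # becomes 'secure-shutdown' once err-disabled

    @staticmethod
    def normalize(mac):
        """Accept 0001.0203.0405, 00:01:02:03:04:05 or 00-01-02-03-04-05; return Cisco dotted form."""
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError("bad MAC address: %r" % (mac,))
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

    @property
    def secure_macs(self):
        return self.static_macs + self.learned_macs

    def add_static(self, mac):
        mac = self.normalize(mac)
        if mac in self.secure_macs:
            return
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("secure address table is full (maximum %d)" % self.maximum)
        self.static_macs.append(mac)

    def ingress(self, src_mac):
        """Handle one inbound frame. Returns True if it is forwarded, False if dropped."""
        mac = self.normalize(src_mac)
        if self.status == "secure-shutdown":
            return False                        # err-disabled: nothing passes
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.learned_macs.append(mac)       # room left in the table: learn it
            return True
        # Table full and the source is unknown: this is a violation.
        if self.violation == "protect":
            return False                        # silently dropped, nothing counted or logged
        self.violation_count += 1               # restrict and shutdown both count (per dropped frame here)
        if self.violation == "shutdown":
            self.status = "secure-shutdown"     # port goes err-disabled
        return False

    def shut_no_shut(self):
        """Administrator recovery: 'shutdown' then 'no shutdown' on the interface."""
        self.status = "secure-up"

    def show(self):
        """The fields 'show port-security interface' reports."""
        return {"port_security": "Enabled", "port_status": self.status,
                "violation_mode": self.violation, "maximum": self.maximum,
                "total_mac_addresses": len(self.secure_macs),
                "sticky_mac_addresses": len(self.learned_macs) if self.sticky else 0,
                "security_violation_count": self.violation_count}

    def running_config(self, interface="FastEthernet0/1"):
        lines = ["interface " + interface, " switchport mode access", " switchport port-security",
                 " switchport port-security maximum %d" % self.maximum,
                 " switchport port-security violation " + self.violation]
        lines += [" switchport port-security mac-address " + m for m in self.static_macs]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [" switchport port-security mac-address sticky " + m for m in self.learned_macs]
        return "\n".join(lines)


SERVER_MAC = "0001.4a2b.3c4d"     # constructed
TESTPC_MAC = "00:e0:f7:11:22:33"  # constructed


def replay_lab():
    """Replay the verification steps from the lab on the S2 Fa0/1 configuration."""
    port = SecurePort(maximum=1, violation="shutdown", sticky=True)
    results = [port.ingress(SERVER_MAC),      # server learned as the sticky address, forwarded
               port.ingress(SERVER_MAC),      # same address again, forwarded
               port.ingress(TESTPC_MAC)]      # TestPC plugged in: violation, port err-disabled
    return port, results


if __name__ == "__main__":
    port, results = replay_lab()
    print(results, port.show())
    print(port.running_config())
```

The sticky address survives the shut/no shut recovery because it was written into the configuration, which is exactly why sticky learning is preferred over typing server MAC addresses by hand.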
Configure EtherChannel
EtherChannel lets you bundle several physical switch ports into one logical link to get more bandwidth and redundancy. If you connect two switches with parallel links but no EtherChannel configuration, STP will block all but one of them to avoid a loop, so the extra ports carry nothing. You can download the example topology to practise EtherChannel.
To enable EtherChannel on DLS1, enter interface range mode for ports F0/11 and F0/12 with the command interface range f0/11 - 12. Enter the command switchport mode trunk, then the command channel-group 1 mode desirable (desirable negotiates the bundle with Cisco's PAgP). Repeat the same steps on DLS2. Both ends must have matching settings (speed, duplex, trunk mode and allowed VLANs) or the bundle will not form.

Configure VLAN, VTP server, STP and DTP
In our previous articles you learnt about the features of switching: methods of switching and basic functions; Spanning Tree Protocol (STP); virtual LANs, trunk tagging, DTP, VTP and VTP pruning. In this tutorial I will demonstrate how to:
- configure access and trunk links
- create VLANs
- assign VLAN membership
- configure inter-VLAN routing
- configure a VTP server
- make VTP clients
- show STP status
- statically configure DTP ports
To complete this lab, either create the topology shown in the figure or download the file and load it in Packet Tracer.

Advanced switch configuration

PC configuration
Device   IP address   VLAN     Connected with
PC0      10.0.0.2     VLAN10   Switch1 on F0/1
PC1      20.0.0.2     VLAN20   Switch1 on F0/2
PC2      10.0.0.3     VLAN10   Switch2 on F0/1
PC3      20.0.0.3     VLAN20   Switch2 on F0/2
PC4      10.0.0.4     VLAN10   Switch3 on F0/1
PC5      20.0.0.4     VLAN20   Switch3 on F0/2

Switch 1 (2960-24TT) configuration
Port     Connected to      VLAN         Link     Status
F0/1     PC0               VLAN10       Access   OK
F0/2     PC1               VLAN20       Access   OK
Gig1/1   Router            VLAN 10,20   Trunk    OK
Gig1/2   Switch2           VLAN 10,20   Trunk    OK
F0/24    Switch2           VLAN 10,20   Trunk    OK

Switch 2 (2960-24TT) configuration
Port     Connected to      VLAN         Link     Status
F0/1     PC2               VLAN10       Access   OK
F0/2     PC3               VLAN20       Access   OK
Gig1/2   Switch1           VLAN 10,20   Trunk    OK
Gig1/1   Switch3           VLAN 10,20   Trunk    OK
F0/24    Switch1           VLAN 10,20   Trunk    Blocked by STP
F0/23    Switch3           VLAN 10,20   Trunk    OK

Switch 3 (2960-24TT) configuration
Port     Connected to      VLAN         Link     Status
F0/1     PC4               VLAN10       Access   OK
F0/2     PC5               VLAN20       Access   OK
Gig1/1   Switch2           VLAN 10,20   Trunk    OK
F0/24    Switch2 (F0/23)   VLAN 10,20   Trunk    Blocked by STP

Task
You are the administrator at ComputerNetworkingNotes.com. The company has two departments, sales and management. You have been given three PCs for sales and three for management. You created two VLANs: VLAN 10 for sales and VLAN 20 for management. For redundancy you interconnected the switches with one extra link each. You have one router for inter-VLAN communication.
Let's start the configuration. First assign IP addresses to all the PCs: double-click a PC, select IP Configuration from the Desktop tab and enter the address from the table above.

VLAN Trunking Protocol
Configure the VTP server
We first create a VTP server so that it can automatically propagate VLAN information to the other switches. Double-click Switch1 and select CLI. Set the hostname to S1, create the VTP domain example and set the password vinita (remember, the password is case sensitive).
Switch 1
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain example
Changing VTP domain name from NULL to example
S1(config)#vtp password vinita
Setting device VLAN database password to vinita

Configure the VTP clients
Once the VTP domain exists, configure the remaining switches as clients with the same domain name and password.
Switch 2
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain example
Changing VTP domain name from NULL to example
S2(config)#vtp password vinita
Setting device VLAN database password to vinita
S2(config)#
Switch 3
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S3
S3(config)#vtp mode client
Setting device to VTP CLIENT mode.
S3(config)#vtp domain example
Changing VTP domain name from NULL to example
S3(config)#vtp password vinita
Setting device VLAN database password to vinita
S3(config)#

Dynamic Trunking Protocol
Configure the DTP ports
By default all switch ports are in access mode, and an access port does not carry tagged frames, so change the mode to trunk on every port used to interconnect the switches (and on the port to the router). Setting the mode to trunk explicitly, rather than relying on DTP negotiation, means the trunk comes up regardless of what the other end advertises.
Switch 1
S1(config)#interface fastEthernet 0/24
S1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
S1(config-if)#exit
S1(config)#interface gigabitEthernet 1/1
S1(config-if)#switchport mode trunk
S1(config-if)#exit
S1(config)#interface gigabitEthernet 1/2
S1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to up
S1(config-if)#exit
S1(config)#
Switch 2
S2(config)#interface gigabitEthernet 1/1
S2(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up
S2(config-if)#exit
S2(config)#interface gigabitEthernet 1/2
S2(config-if)#switchport mode trunk
S2(config-if)#exit
S2(config)#interface fastEthernet 0/23
S2(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to up
S2(config-if)#exit
S2(config)#interface fastEthernet 0/24
S2(config-if)#switchport mode trunk
S2(config-if)#exit
Switch 3
S3(config)#interface fastEthernet 0/24
S3(config-if)#switchport mode trunk
S3(config-if)#exit
S3(config)#interface gigabitEthernet 1/1
S3(config-if)#switchport mode trunk
S3(config-if)#exit

Virtual LAN (VLAN)
Create the VLANs
After the VTP server configuration it is time to organise the VLANs. We only need to create them on the VTP server; VTP distributes them to the clients automatically.
Switch 1
S1(config)#vlan 10
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#exit
S1(config)#
Because we have configured a VTP server, we do not need to create the VLANs on S2 or S3; we only need to associate ports with them.

Assign VLAN membership
Switch 1
S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport access vlan 10
S1(config-if)#interface fastEthernet 0/2
S1(config-if)#switchport access vlan 20
Switch 2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/2
S2(config-if)#switchport access vlan 20
Switch 3
S3(config)#interface fastEthernet 0/1
S3(config-if)#switchport access vlan 10
S3(config-if)#interface fastEthernet 0/2
S3(config-if)#switchport access vlan 20
Now we have two working VLANs. To test connectivity, ping from 10.0.0.2 to 10.0.0.3 and 10.0.0.4. If you get replies, you have successfully created the VLANs and the VTP server. A ping from 10.0.0.2 to 20.0.0.2 should fail at this point: the two VLANs are separate broadcast domains and no router has been configured yet.

Spanning-Tree Protocol
The redundant links between the switches form a loop, so STP blocks one end of each redundant path at layer 2. In this topology F0/24 on S2 (the Fast Ethernet link to S1) and F0/24 on S3 (the Fast Ethernet link to S2) are blocked, while the Gigabit links stay forwarding because their lower cost makes them the preferred paths to the root bridge.
Verify which ports STP has blocked
Switch 2
S2#show spanning-tree active
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0002.174D.7794
             Cost        4
             Port        26(GigabitEthernet1/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00D0.FF08.82E1
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/23           Desg FWD 19        128.23   P2p
Fa0/24           Altn BLK 19        128.24   P2p
Gi1/1            Desg FWD 4         128.25   P2p
Gi1/2            Root FWD 4         128.26   P2p
[Output is omitted]
S2#
The root bridge is S1: the Root ID address differs from S2's own Bridge ID, and Gi1/2, the link to S1, is S2's root port. Fa0/24 is an alternate port in the blocking state, so the redundant Fast Ethernet link to S1 is on standby and will take over if the Gigabit link fails. You can check the STP status on S1 and S3 as well with show spanning-tree active.

Router on a stick
At this point you have two working VLANs, but they cannot reach each other. For inter-VLAN communication we need to configure the router: double-click the router and select CLI. The physical interface carries the trunk and has no address of its own; one 802.1Q subinterface per VLAN holds that VLAN's gateway address.
Configure inter-VLAN routing
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#exit
To test connectivity between the VLANs, ping from any PC to all the remaining PCs; every ping should now succeed. If you get errors, download the configured topology and compare it with yours to find where the mistake was made.
Configured VLAN, VTP and STP topology

VLAN, VTP server, STP and DTP command reference sheet
Switch(config)#vlan 10                          Creates VLAN 10 and enters VLAN configuration mode for further definitions.
Switch(config-vlan)#name Sales                  Assigns a name to the VLAN. The name can be from 1 to 32 characters.
Switch(config-vlan)#exit                        Applies the changes, increases the VTP revision number by 1, and returns to global configuration mode.
Switch(config)#interface fastethernet 0/1       Moves to interface configuration mode.
Switch(config-if)#switchport mode access        Sets the port to access mode.
Switch(config-if)#switchport access vlan 10     Assigns this port to VLAN 10.
Switch#show vlan                                Displays VLAN information.
Switch#show vlan brief                          Displays VLAN information in brief.
Switch#show vlan id 10                          Displays information about VLAN 10 only.
Switch#show vlan name sales                     Displays information about the VLAN named sales only.
Switch#show interfaces vlan x                   Displays interface characteristics for the specified VLAN.
Switch#delete flash:vlan.dat                    Removes the entire VLAN database from flash. Make sure there is no space between the colon (:) and the characters vlan.dat; with the wrong syntax you can erase the entire contents of flash. Read the output from the switch, and press Ctrl+C to cancel and escape back to privileged mode if needed:
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#
Switch(config)#interface fastethernet 0/5       Moves to interface configuration mode.
Switch(config-if)#no switchport access vlan 5   Removes the port from VLAN 5 and returns it to VLAN 1, the default VLAN.
Switch(config-if)#exit                          Returns to global configuration mode.
Switch(config)#no vlan 5                        Removes VLAN 5 from the VLAN database. Ports still assigned to VLAN 5 become inactive until they are moved, so reassign them first.
Switch#copy running-config startup-config       Saves the configuration in NVRAM.
Switch(config-if)#switchport mode trunk         Puts the interface into permanent trunking mode and negotiates to convert the neighboring link into a trunk.
Switch(config)#vtp mode server                  Changes the switch to VTP server mode.
Switch(config)#vtp mode client                  Changes the switch to VTP client mode.
Switch(config)#vtp mode transparent             Changes the switch to VTP transparent mode.
Switch(config)#no vtp mode                      Returns the switch to the default VTP server mode.
Switch(config)#vtp domain domain-name           Configures the VTP domain name. The name can be from 1 to 32 characters long.
Switch(config)#vtp password password            Configures a VTP password.
Switch(config)#vtp pruning                      Enables VTP pruning.
Switch#show vtp status                          Displays general information about the VTP configuration, including the configuration revision number.
Switch#show vtp counters                        Displays the VTP counters for the switch.

Cisco Discovery Protocol (CDP)
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators collect information about both locally attached and remote devices. By using CDP you can gather hardware and protocol information about neighbor devices, which is useful for troubleshooting the network. CDP is a data-link protocol operating at layer 2 of the OSI model; it is not routable and only reaches directly connected devices. It is enabled by default on all interfaces of all Cisco devices and needs no protocol-specific configuration (no IP address is required). CDP updates are sent as multicast frames every 60 seconds on each active interface, with a holdtime of 180 seconds after which a silent neighbor is removed from the table.
The information shared in a CDP packet about a Cisco device includes:
- the name of the device configured with the hostname command
- the IOS software version
- hardware capabilities, such as routing, switching, and/or bridging
- the hardware platform, such as 2600, 2950, or 1900
- the layer-3 address(es) of the device
- the interface the CDP update was generated on
The no cdp run command globally disables CDP, while no cdp enable disables it on a single interface. Use show cdp neighbors to list your directly connected Cisco neighbors; adding the detail parameter also displays the layer-3 addresses configured on each neighbor.

How could CDP help you?
Manoj has just been hired as a senior network consultant at a large bank in Lucknow, Uttar Pradesh. He is expected to take care of any problem that comes up; no pressure, he only has to worry about people not getting the right money transaction if the network goes down. Manoj starts his job happily. Soon, of course, the network has some problems. He asks one of the junior administrators for a network map so he can troubleshoot the network. This person tells him that the old senior administrator (who has just been fired) had the maps with him and now no one can find them. Cashiers are calling every couple of minutes because they cannot get the information they need to serve their customers. What should he do? CDP to the rescue! Thankfully this bank has all Cisco routers and switches, CDP is enabled by default on all Cisco devices, and the disgruntled administrator did not turn off CDP on any device before he left. All Manoj has to do now is use show cdp neighbors detail on each device to find the information he needs to draw out the bank network.
The same property cuts both ways: anyone who can listen on a segment where CDP is enabled learns the device's hostname, platform, IOS version and management addresses, exactly the details an attacker wants when looking up known bugs for that release. Leave CDP running on the infrastructure links where you need it, and disable it with no cdp enable on interfaces that face untrusted networks or end users.
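To see exactly what one advertisement gives away, here is an added Python example (not from the original notes and not Cisco code) that assembles a CDP version 2 advertisement from its TLVs and decodes it the way a listener on the segment would. The neighbor values are constructed to resemble the lab router; build_cdp and parse_cdp are the example's own helpers, the address TLV follows CDP's IPv4 encoding, and the checksum helper is the plain Internet checksum, which matches real frames only for even-length payloads.

```python
import struct

CDP_VERSION = 2
CDP_DEFAULT_TTL = 180          # holdtime carried in every advertisement

# TLV type codes from the CDP wire format
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_SOFTWARE_VERSION, TLV_PLATFORM = 0x0004, 0x0005, 0x0006
TLV_NATIVE_VLAN = 0x000A
STRING_TLVS = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
               TLV_SOFTWARE_VERSION: "version_string", TLV_PLATFORM: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def _checksum(data):
    """Internet one's-complement checksum. Real CDP treats an odd trailing byte
    differently; this example pads with a zero byte, which matches only even lengths."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def _address_tlv(ipv4_addresses):
    """Address TLV: count(4), then per address type(1) proto_len(1) proto(0xCC=IP) addr_len(2) addr."""
    body = struct.pack("!I", len(ipv4_addresses))
    for ip in ipv4_addresses:
        body += struct.pack("!BBBH", 1, 1, 0xCC, 4) + bytes(int(o) for o in ip.split("."))
    return _tlv(TLV_ADDRESSES, body)


def build_cdp(device_id, port_id, platform, version, capabilities, ipv4_addresses,
              native_vlan=1, ttl=CDP_DEFAULT_TTL):
    """Assemble the CDP payload that follows the SNAP header on the wire."""
    tlvs = (_tlv(TLV_DEVICE_ID, device_id.encode()) + _address_tlv(ipv4_addresses)
            + _tlv(TLV_PORT_ID, port_id.encode())
            + _tlv(TLV_CAPABILITIES, struct.pack("!I", capabilities))
            + _tlv(TLV_SOFTWARE_VERSION, version.encode()) + _tlv(TLV_PLATFORM, platform.encode())
            + _tlv(TLV_NATIVE_VLAN, struct.pack("!H", native_vlan)))
    csum = _checksum(struct.pack("!BBH", CDP_VERSION, ttl, 0) + tlvs)
    return struct.pack("!BBH", CDP_VERSION, ttl, csum) + tlvs


def _parse_addresses(value):
    if len(value) < 4:
        raise ValueError("truncated address TLV")
    count, = struct.unpack("!I", value[:4])
    offset, addrs = 4, []
    for _ in range(count):
        if offset + 4 > len(value):
            raise ValueError("truncated address entry")
        plen = value[offset + 1]
        if offset + 4 + plen > len(value):
            raise ValueError("truncated address entry")
        proto = value[offset + 2:offset + 2 + plen]
        alen, = struct.unpack("!H", value[offset + 2 + plen:offset + 4 + plen])
        addr = value[offset + 4 + plen:offset + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        addrs.append(".".join(str(b) for b in addr) if proto == b"\xcc" and alen == 4 else addr.hex())
        offset += 4 + plen + alen
    return addrs


def parse_cdp(packet):
    """Decode one CDP payload into the fields 'show cdp neighbors detail' would display.
    Every length field comes from the wire and is checked before it is used."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    version, ttl, _ = struct.unpack("!BBH", packet[:4])
    info = {"version": version, "ttl": ttl, "checksum_ok": _checksum(packet) == 0,
            "addresses": [], "capabilities": []}
    offset = 4
    while offset + 4 <= len(packet):
        tlv_type, tlv_len = struct.unpack("!HH", packet[offset:offset + 4])
        if tlv_len < 4 or offset + tlv_len > len(packet):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = packet[offset + 4:offset + tlv_len]
        if tlv_type in STRING_TLVS:
            info[STRING_TLVS[tlv_type]] = value.decode(errors="replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) >= 4:
            bits, = struct.unpack("!I", value[:4])
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = _parse_addresses(value)
        elif tlv_type == TLV_NATIVE_VLAN and len(value) >= 2:
            info["native_vlan"], = struct.unpack("!H", value[:2])
        else:
            info.setdefault("unknown_tlvs", []).append(tlv_type)
        offset += tlv_len
    return info


# Constructed advertisement modelled on the lab router (not a real capture).
SAMPLE = build_cdp(device_id="Router", port_id="FastEthernet0/0", platform="cisco 1841",
                   version="Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1",
                   capabilities=0x01, ipv4_addresses=["10.0.0.1"], native_vlan=1)

if __name__ == "__main__":
    for key, val in parse_cdp(SAMPLE).items():
        print("%-16s %s" % (key, val))
```

Everything the decoder prints was learned passively: the device name, the exact IOS release string, the platform and the management address are all there for anyone on the segment, with no authentication in the protocol.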
Cisco Discovery Protocol configuration commands
Router#show cdp                        Displays global CDP information (such as timers)
Router#show cdp neighbors              Displays information about neighbors
Router#show cdp neighbors detail       Displays more detail about the neighbor devices
Router#show cdp entry word             Displays information about the device named word
Router#show cdp entry *                Displays information about all devices
Router#show cdp interface              Displays information about interfaces that have CDP running
Router#show cdp interface x            Displays information about the specific interface x running CDP
Router#show cdp traffic                Displays traffic information: packets in/out/version
Router(config)#cdp holdtime x          Changes the length of time to keep CDP packets
Router(config)#cdp timer x             Changes how often CDP updates are sent
Router(config)#cdp run                 Enables CDP globally (on by default)
Router(config)#no cdp run              Turns off CDP globally
Router(config-if)#cdp enable           Enables CDP on a specific interface
Router(config-if)#no cdp enable        Turns off CDP on a specific interface
Router#clear cdp counters              Resets traffic counters to 0
Router#clear cdp table                 Deletes the CDP table
Router#debug cdp adjacency             Monitors CDP neighbor information
Router#debug cdp events                Monitors all CDP events
Router#debug cdp ip                    Monitors CDP events specifically for IP
Router#debug cdp packets               Monitors CDP packet-related information

Basic router configuration: show commands
In our last article I showed you how to connect to a Cisco router. In this article I will show you how to configure it. For demonstration purposes I use Packet Tracer; if you have not installed it, read our previous article on downloading and installing Packet Tracer (the link is in the left-hand menu). Create a simple topology by dragging devices onto the workspace as shown in the figure.

Basic show commands
Router#show running-config
Building configuration...

Current configuration : 419 bytes
!
version 12.4
no service password-encryption
!
hostname Router
!
ip ssh version 1
!
interface FastEthernet0/0
[output is omitted]
Shows the active configuration in memory. The configuration currently running on the router is referred to as the running-config on the command line; privileged mode is required to view it. The running configuration is not saved automatically and is lost on a power failure; it must be saved manually with the copy command. Two lines in this default output deserve attention on a real device: no service password-encryption means line passwords appear in clear text in the configuration, and ip ssh version 1 selects the weak first version of the SSH protocol. Turn on service password-encryption (and use enable secret rather than enable password, since only the secret is stored as a one-way hash) and set ip ssh version 2.

Router#show flash
System flash directory:
File  Length     Name/status
  1   33591768   c1841-advipservicesk9-mz.124-15.T1.bin
[33591768 bytes used, 30424616 available, 64016384 total]
63488K bytes of processor board System flash (Read/Write)
Flash memory is a special kind of memory on the router that contains the operating system image file(s). Unlike regular router memory (RAM), flash keeps its contents after power is lost.

Router#show history
The command-line interface keeps the last 10 commands you entered in memory by default. Press the up arrow to retrieve the previous command and the down arrow to retrieve the next one.

Router#show protocols
Use this command to view the status of the layer-3 routed protocols running on your router.

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T1.bin"
[output is omitted]
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
1 Low-speed serial(sync/async) network interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
This command gives you critical information: the router platform type, the operating system version, the reason for the last boot and the location of the image file, the amount of memory, the number of interfaces, and the configuration register. 0x2102 is the normal register value; 0x2142 makes the router ignore its startup configuration (this is how password recovery is done), so an unexpected value here is worth investigating.

Router#show clock
*1:46:13.169 UTC Mon Nov 1 2009
Shows the router's clock.
Router#show hosts
Displays the cached list of host names and their IP addresses.
Router#show users
Shows a list of all users who are connected to the router.
Router#show interfaces
Gives detailed information about each interface.
Router#show protocols
Shows the global and interface-specific status of any layer-3 protocols.
Router#show ip interface brief
Interface          IP-Address    OK? Method Status                Protocol
FastEthernet0/0    10.0.0.1      YES manual up                    up
FastEthernet0/1    unassigned    YES manual administratively down down
Serial0/0/0        20.0.0.1      YES manual up                    up
Vlan1              unassigned    YES manual administratively down down
Router#
This command shows a one-line summary of every interface and is the first thing to check when troubleshooting. Read the Status and Protocol columns together:
up / up: the interface is operational at layer 1 and layer 2.
down / down: no physical link is detected (cable unplugged, wrong cable type, or the far end is shut down).
up / down: a physical link is present but layer 2 is not working (encapsulation mismatch, missing clock rate on a DCE serial port, or keepalive failure).
administratively down / down: the port has been disabled with the shutdown command, which is the default state of every router interface.
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    10.0.0.0/8 is directly connected, FastEthernet0/0
C    20.0.0.0/8 is directly connected, Serial0/0/0
D    30.0.0.0/8 [90/40514560] via 20.0.0.2, 00:02:55, Serial0/0/0
D    40.0.0.0/8 [90/41026560] via 20.0.0.2, 00:02:54, Serial0/0/0
D    50.0.0.0/8 [90/41029120] via 20.0.0.2, 00:02:50, Serial0/0/0
R1#
This command lists every route the router knows. Each entry shows the source of the route (C for directly connected, D for EIGRP), the destination prefix and, for learned routes, the [administrative distance/metric], the next hop, the age of the route and the outgoing interface. The router's forwarding decision is made from this table: a packet for which no matching route (and no gateway of last resort) is present here is not forwarded.

R1#show controllers serial 0/0/0
Interface Serial0/0/0
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 64000
idb at 0x81081AC4, driver data structure at 0x81084AC0
The most common use of this command is to find out whether a serial port is the DCE or the DTE end of the cable. If the port is the DCE end, the clock rate command is required (and the bandwidth command should be set so that routing-protocol metrics are correct). As you can see in the output, this port is the DCE.
R1#show ip protocols
Routing Protocol is "eigrp 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 1
  Automatic network summarization is in effect
  Automatic address summarization:
  Maximum path: 4
  Routing for Networks:
    10.0.0.0
    20.0.0.0
  Routing Information Sources:
    Gateway         Distance      Last Update
    20.0.0.2        90            16
  Distance: internal 90 external 170
Use this command to see which routing protocols are running and how they are configured: the networks they advertise, the interfaces on which updates are sent and received, the timers, and the neighbors from which routes have been learned.

Modes and context-sensitive help
Press Enter to get the router prompt.
Router>
You are now in user mode. Type ? to view all the commands available at this prompt.
Router>?
From privileged mode you enter configuration mode by typing configure terminal; you leave configuration mode by typing exit or pressing Ctrl+Z.
Router>enable
Router#config terminal
Router(config)#exit
Router#
To read more about Cisco modes, see our previous article. To view all the commands available in the current mode, type ? and press Enter; this lists every command the router accepts in that mode. You can also use the question mark after you have started typing a command. For example, if you want a show command but do not remember which one, show ? lists all the keywords that can follow show.
Router#show ?
access-expression List access expression access-lists List access lists backup Backup status cdp CDP information clock Display the system clock cls DLC user information compress Show compression statistics configuration Contents of Non-Volatile memory --More— Basic router configurations login in router In our last article I show you that how can you connect Cisco router. In this article I will show how can you can configure router. For demonstration purpose I used packet tracer software. If you haven’t install packet tracer read our pervious article to download and install packet tracer. Link is given on the top side of left. Create a simple topology by dragging dives on workspace as shown in figure. Click inside the Router and select CLI and press Enter to get started. Setup mode start automatically if there is no startup configuration present. The answer inside the square brackets [ ], is the default answer. If this is the answer you want, just press enter. Pressing CTRL+C at any time will end the setup process, shut down all interfaces, and take you to user mode (Router>). You cannot use setup mode to configure an entire router. It does only the basics. For example, you can only turn on either RIPv1 or Interior Gateway Routing Protocol (IGRP), but not Open Shortest Path First Protocol (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP). You cannot create access control lists (ACL) here or enable Network Address Translation (NAT). You can assign an IP address to an interface, but not to a subinterface. All in all, setup mode is very limiting. --- System Configuration Dialog --Continue with configuration dialog? [yes/no]: Write no and press enter. To get router prompt You are now connected to Router and are in user mode prompt. The prompt is broken down into two parts, the hostname and the mode. ―Router‖ is the Router0's hostname and ―>‖ means you are in user mode. 
Press RETURN to get started
Router>

User mode is indicated by the '>' next to the router name. In this mode you can look at settings but cannot make changes. In privileged mode (indicated by the '#') you can do anything. To get into privileged mode, the keyword is enable. Type enable to get to the privileged mode prompt:

Router>enable
Router#

To get back to user mode, simply type disable. From user mode, type logout or exit to leave the router.

Router#disable
Router>
Router>exit

Router con0 is now available

Press RETURN to get started

Press Enter to get back to the router prompt:

Router>

You are now in user mode. Type ? to view all the available commands at this prompt.

Router>?

From privileged mode you can enter configuration mode by typing configure terminal. To exit configuration mode, type exit or press <CTRL>+z.

Router>enable
Router#config terminal
Router(config)#exit
Router#

To read more about Cisco modes, read our previous article.

To view all commands available from this mode, type ? and press Enter. This gives you the list of all available commands for the router in your current mode. You can also use the question mark after you have started typing a command. For example, if you want to use a show command but do not remember which one, 'show ?' will output all the commands you can use with the show command.

Router#show ?
  access-expression  List access expression
  access-lists       List access lists
  backup             Backup status
  cdp                CDP information
  clock              Display the system clock
  cls                DLC user information
  compress           Show compression statistics
  configuration      Contents of Non-Volatile memory
  --More--

To read more about the available help options, read our previous article.

Basic Global Configuration Mode Commands

Configuring a Router Name

This command works on both routers and switches.

Router(config)#hostname Lucknow
Lucknow(config)#

You can choose any descriptive name for your Cisco devices.

Configuring Passwords

These commands work on both routers and switches.

Router(config)#enable password test
    Sets the enable password to test
Router(config)#enable secret vinita
    Sets the enable secret password to vinita
Router(config)#line console 0
    Enters console line mode
Router(config-line)#password console
    Sets the console line mode password to console
Router(config-line)#login
    Enables password checking at login
Router(config)#line vty 0 4
    Enters vty line mode for all five vty lines
Router(config-line)#password telnet
    Sets the vty password to telnet
Router(config-line)#login
    Enables password checking at login
Router(config)#line aux 0
    Enters auxiliary line mode
Router(config-line)#password aux
    Sets the auxiliary line mode password to aux
Router(config-line)#login
    Enables password checking at login

CAUTION: The enable secret password is encrypted by default; the enable password is not (it is stored in the configuration in clear text). For this reason, recommended practice is to never use the enable password command and to use only the enable secret command in a router or switch configuration. You cannot set both enable secret and enable password to the same password; doing so defeats the use of encryption.
Configuring a Fast Ethernet Interface

Router(config)#interface fastethernet 0/0
    Moves to Fast Ethernet 0/0 interface configuration mode
Router(config-if)#description Student Lab LAN
    Optional descriptor of the link; it is locally significant
Router(config-if)#ip address 192.168.20.1 255.255.255.0
    Assigns an address and subnet mask to the interface
Router(config-if)#no shutdown
    Turns the interface on

Creating a Message of the Day Banner

Router(config)#banner motd # Next Scheduled meeting with manager is Postponed #
Router(config)#

The MOTD banner is displayed on all terminals and is useful for sending messages that affect all users. Use the no banner motd command to disable the MOTD banner. The MOTD banner displays before the login prompt and before the login banner, if one has been created.

Creating a Login Banner

Router(config)#banner login # Unauthorized access is prohibited ! Please enter your username and password. #
Router(config)#

The login banner displays before the username and password login prompts. Use the no banner login command to disable the login banner. The MOTD banner displays before the login banner.

# is known as a delimiting character. The delimiting character must surround the banner or login message and can be any character, as long as it is not a character used within the body of the message.

Assigning a Local Host Name to an IP Address

Router(config)#ip host Lucknow 172.16.1.1
    Assigns a host name to the IP address. After this assignment, you can use the host name rather than the IP address when trying to Telnet or ping to that address.

The no ip domain-lookup Command

Router(config)#no ip domain-lookup
Router(config)#
    Turns off trying to automatically resolve an unrecognized command to a local host name

Ever typed in a command incorrectly and been left waiting for a minute or two as the router tries to translate your command to a domain server of 255.255.255.255?
The router is set by default to try to resolve any word that is not a command through a Domain Name System (DNS) server at address 255.255.255.255. If you are not going to set up DNS, turn off this feature to save yourself time as you type, especially if you are a poor typist.

The exec-timeout Command

Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#
    Sets the time limit after which the console automatically logs off. Setting it to 0 0 (minutes seconds) means the console never logs off.

The command exec-timeout 0 0 is great for a lab environment because the console never logs out. This is considered bad security and is dangerous in the real world. The default for the exec-timeout command is 10 minutes and zero (0) seconds (exec-timeout 10 0).

Saving and Erasing Configurations

Router(config)#exit
    Brings you back to privileged EXEC mode
Router#copy running-config startup-config
    Saves the running configuration to local NVRAM
Router#copy running-config tftp
    Saves the running configuration remotely to a TFTP server
Router#erase startup-config
    Deletes the startup configuration file from NVRAM

Configuration Example: Basic Router Configuration

For this example we will use the topology created at the start of this article. Create a simple topology by dragging devices onto the workspace as shown in the figure. Click inside the router, select CLI, and press Enter to get started.

         --- System Configuration Dialog ---

Continue with configuration dialog? [yes/no]: no

Press RETURN to get started!

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#description Student Lab LAN
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

R1(config-if)#exit
R1(config)#banner motd # Next Scheduled meeting with is postponed #
R1(config)#banner login # Unauthorized access is prohibited ! Enter your user name and password #
R1(config)#ip host Lucknow 172.16.1.1
R1(config)#no ip domain-lookup
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#logging synchronous
R1(config-line)#password console
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password telnet
R1(config-line)#login
R1(config-line)#exit
% Unrecognized command
R1(config)#enable password test
R1(config)#enable secret vinita
R1(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#

Administration of Cisco Devices

In this article I will demonstrate how you can perform basic administrative tasks on Cisco devices.

Back Up and Restore IOS

You can use TFTP, FTP, or RCP to transfer an IOS image to or from a server. Only the TFTP server is covered in the CCNA exam, so we will cover that. TFTP is the Trivial File Transfer Protocol. Unlike FTP, it has no means of authenticating with a username or password, or of navigating directories.

To back up your IOS, you use the copy command from privileged EXEC mode. The syntax of this command is copy <from> <to>. Thus, if you want to copy the IOS image from your flash to a TFTP server, the syntax would be copy flash tftp. After executing this command, you will be prompted with a number of questions asking for such things as the IOS filename and the IP address of the TFTP server.
To restore or upgrade your IOS from a TFTP server to a router, the syntax would be copy tftp flash.

Remember the following troubleshooting steps if you are having difficulties using TFTP:

Verify that the TFTP server is running.
Verify cable configurations. You should use a crossover cable between a router and a server or, if you have a switch, use a straight-through cable from the router to the switch and from the switch to the server.
Verify that your router is on the same subnet as your TFTP server.
If you are using a Linux TFTP server, make sure that you first use the touch command to create a zero-byte file with the name of the IOS image; otherwise, the file will not copy to the TFTP server.

no ip domain-lookup

Router(config)#no ip domain-lookup

Ever typed in a command incorrectly and been left waiting for a minute or two as the router tries to translate your command to a domain server of 255.255.255.255? The router is set by default to try to resolve any word that is not a command through a Domain Name System (DNS) server at address 255.255.255.255. If you are not going to set up DNS, turn off this feature to save yourself time as you type, especially if you are not good at typing.

logging synchronous

Router(config)#line console 0
Router(config-line)#logging synchronous
Router(config-line)#exit
Router(config)#

Sometimes you are typing a command and an informational line appears in the middle of what you were typing. Lost your place? Do not know where you are in the command, so you just start all over? The logging synchronous command tells the router that if any informational items get displayed on the screen, your prompt and command line should be moved to a new line, so as not to confuse you. The informational line does not get inserted into the middle of the command you are trying to type. If you were to continue typing, the command would execute properly, even though it looks wrong on the screen.
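The password and exec-timeout sections above describe several settings that are convenient in a lab but weak on a production device: a clear-text enable password, no enable secret, a line with a password but no login, exec-timeout 0 0, and vty access over Telnet. As an added example (not part of the original article), this script reads a saved running-config and reports those settings, so the check can be run before a configuration is copied to a router. The two configuration excerpts are constructed from the commands in this article; the enable secret hash is a placeholder.

```python
from typing import Dict, List, Tuple

# Constructed running-config excerpt built from the commands shown in this
# article. The enable secret hash is a placeholder, not a real hash.
WEAK_CONFIG = """\
hostname R1
enable secret 5 $1$PLACEHOLDER$notarealhash
enable password test
no ip domain-lookup
line con 0
 exec-timeout 0 0
 logging synchronous
 password console
 login
line aux 0
 password aux
line vty 0 4
 password telnet
 login
 transport input telnet
"""

# The same device with the settings the article warns about corrected.
HARDENED_CONFIG = """\
hostname R1
enable secret 5 $1$PLACEHOLDER$notarealhash
no ip domain-lookup
line con 0
 exec-timeout 10 0
 logging synchronous
 password console
 login
line aux 0
 exec-timeout 10 0
 password aux
 login
line vty 0 4
 exec-timeout 10 0
 password telnet
 login
 transport input ssh
"""


def split_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Separate global commands from 'line ...' sections (their indented bodies)."""
    global_lines: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith("line "):
            current = line
            sections[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (rule, where) findings for the weak settings this article names."""
    findings: List[Tuple[str, str]] = []
    global_lines, sections = split_sections(config)
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append(("enable-secret-missing", "global"))
    for l in global_lines:
        if l.startswith("enable password "):
            # enable password is stored in clear text, unlike enable secret.
            findings.append(("enable-password-cleartext", l))
    for header, body in sections.items():
        if "exec-timeout 0 0" in body:
            # The session never times out on this line.
            findings.append(("exec-timeout-disabled", header))
        has_password = any(b.startswith("password ") for b in body)
        has_login = any(b == "login" or b.startswith("login ") for b in body)
        if has_password and not has_login:
            # Without 'login', the line password is never checked.
            findings.append(("login-not-enabled", header))
        for b in body:
            if b.startswith("transport input ") and "telnet" in b.split():
                # Telnet carries the line password in clear text; SSH does not.
                findings.append(("telnet-allowed", header))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg))
```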
exec-timeout

Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#

The command exec-timeout 0 0 is great for a lab environment because the console never logs out. This is considered bad security and is dangerous in the real world. The default for the exec-timeout command is 10 minutes and zero (0) seconds (exec-timeout 10 0).

erase startup-config

Router#erase startup-config

Sometimes you want to reconfigure the router, or want to sell the old one. In such a scenario you would like to erase the startup configuration. The running configuration is still in dynamic memory; reload the router to clear the running configuration.

do Command

Router(config)#do show running-config

The do command is useful when you want to execute EXEC commands, such as show, clear, or debug, while remaining in global configuration mode or in any configuration submode. You cannot use the do command to execute the configure terminal command, because it is the configure terminal command that changes the mode to global configuration mode.

Summary of Useful Commands for Administration

Router(config)#boot system flash image-name
    Loads the Cisco IOS Software with image-name
Router(config)#boot system tftp image-name 172.16.10.3
    Loads the Cisco IOS Software with image-name from a TFTP server
Router(config)#boot system rom
    Loads the Cisco IOS Software from ROM
Router(config)#exit
    Exits from global configuration mode
Router#copy running-config startup-config
    Saves the running configuration from DRAM to NVRAM (locally). The router will execute the boot system commands in their order on the next reload.
Router#copy running-config tftp
    Copies the running configuration to the remote TFTP server
Address or name of remote host[ ]? 192.168.1.20
    The IP address of the TFTP server. Press the Enter key.
Destination Filename [Router-confg]?
    The name to use for the file saved on the TFTP server. Press the Enter key.
!!!!!!!!!!!!!!!
    Each bang symbol (!) = 1 datagram of data.
624 bytes copied in 7.05 secs
Router#
    The file has been transferred successfully.

Router#copy tftp running-config
    Copies the configuration file from the TFTP server to DRAM.
Address or name of remote host[ ]? 192.168.119.20
    The IP address of the TFTP server.
Source filename [ ]? Router-confg
    Enter the name of the file you want to retrieve.
Destination filename [running-config]?
    Press the Enter key.
Router#
    The file has been transferred successfully.

Router#copy flash tftp
    Backs up flash to the TFTP server
Router#copy tftp flash
    Restores flash from the TFTP server

SDM (Security Device Manager)

SDM is a web-based application, implemented in Java, that manages the basic administration and security features on a Cisco router. SDM is installed in the router's flash memory and is accessed remotely from an administrator's desktop using a web browser with Java and Secure Sockets Layer (SSL) (HTTPS). Originally, Cisco developed SDM for small office/home office (SOHO) networks, where the administrator performing the configuration is probably not familiar with Cisco's CLI.

SDM was designed by Cisco to allow you to perform basic administration functions and to manage the security features of your router. SDM cannot perform all functions that can be performed from the CLI, such as the configuration of complex QoS policies or the Border Gateway Protocol (BGP) routing protocol, to name a couple. Nor are all interface types supported within SDM, such as ISDN and dialup. However, the features and interface types that are not supported can still be configured from the CLI of the router. Likewise, most troubleshooting tasks are still done from the CLI with show and debug commands.

PC Requirements

Operating system: XP, Vista, Server 2000 (not Advanced Server), Server 2003
Internet browser: Internet Explorer higher than 5.6, Mozilla Firefox
Java installed.
Minimally you'll need version 1.4.2(08) of Sun's Java Runtime Environment (JRE).
Minimum screen resolution of 1024x768 (a resolution lower than this will not allow you to view the entire Java-based screen).

On your router, you'll minimally need IOS version 12.2 for SDM to function, and depending on the version of SDM, you will need between 5MB and 8MB of available flash on your router.

The default user account and password in the sdmconfig-xxxx.cfg file included with SDM are sdm and sdm. Don't use these! Change them before copying and pasting the configuration from the sdmconfig file into the router. Everyone knows these passwords, and they are the first passwords an attacker will guess to break into the router.

SDM (Security Device Manager) File Descriptions

Filename: Description
common.tar: Support file for SDM
securedesktop-ios-xxxx-k9.pkg: Cisco Secure Desktop (CSD) client software for the SSL VPN client, where xxxx represents the version number of CSD
sslclient-win-xxxx.pkg: SSL VPN Client (SVC) tunneling software, where xxxx represents the version of SVC
es.tar: Application file for SDM
home.shtml: Support HTML file for SDM
home.tar: Support file for SDM
sdmconfig-xxxx.cfg: Default router configuration with the commands necessary to access SDM, where xxxx represents the model number of the router
wlanui.tar: Wireless application setup program for a radio module installed in the router
sdm.tar: SDM application file
xxxx.sdf: IPS signature files (some common names are attack-drop.sdf, 128MB.sdf, 256MB.sdf, and sdmips.sdf)

Necessary Router Configuration

Step 1. Enable the HTTP and HTTPS servers on your router by entering the following commands in global configuration mode:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000

Step 2. Create a user account with privilege level 15 (enable privileges). Enter the following command in global configuration mode, replacing username and password with the strings that you want to use:

Router(config)# username username privilege 15 secret 0 password

For example, if you chose the username admin and the password vinita, you would enter the following:

Router(config)# username admin privilege 15 secret 0 vinita

You will use this username and password to log in to Cisco SDM.

Step 3. Configure SSH and Telnet for local login and privilege level 15. Use the following commands:

Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet ssh
Router(config-line)# exit

Step 4. Assign an IP address to the Fast Ethernet port. This address will be used to access the router.

Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shutdown

Accessing SDM

Cisco SDM is stored in the router flash memory. It is invoked by executing an HTML file in the router archive, which then loads the signed Cisco SDM Java file. To launch Cisco SDM, complete the following steps:

Step 1. From your browser, enter the following URL: https://<router IP address>. In our example it would be https://192.168.1.1. The https:// designation specifies that the SSL protocol be used for a secure connection. The http:// designation can be used if SSL is not available.

Step 2. The Cisco SDM home page appears in the browser window, and the username and password dialog box appears. The type and shape of the dialog box depend on the browser that you are using. Enter the username and password for the privileged (privilege level 15) account on your router.
The Cisco SDM Java applet will begin loading in your PC's web browser.

Step 3. Cisco SDM is a signed Java applet. This can cause your browser to display a security warning. Accept the certificate. Cisco SDM displays the Launch page.

Basics of Routing

Routing is the process by which a packet gets from one location to another. To route a packet, a router needs to know the destination address and on what interface to send the traffic out. When a packet comes into an interface (the in interface) on a router, the router looks up the destination IP address in the packet header and compares it with its routing table. The routing table, which is stored in RAM, tells the router which outgoing interface the packet should be sent out of to reach the destination network.

There are three ways to control routing decisions on your router:

Static routes
Default routes
Dynamic routes

Static Routes

Use a static route when you want to manually define the path that the packet will take through your network. Static routes are useful in small networks with rarely changing routes, when you have little bandwidth and do not want the overhead of a dynamic routing protocol, or when you want to manually define all of your routes for security reasons. Static routes are created in global configuration mode. The syntax for the static route is as follows:

ip route destination-network-address [subnet-mask] {next-hop-address | interface} [distance]

Default Routes

This is a special type of static route, commonly called the gateway of last resort. If the specified destination is not listed in the routing table, the default route can be used to route the packet. A default route has an IP address of 0.0.0.0 and a subnet mask of 0.0.0.0, often represented as 0.0.0.0/0. Default routes are commonly used in small networks on a perimeter router pointing to the directly connected ISP router.

Dynamic Routes

A router learns dynamic routes by running a routing protocol.
Routing protocols learn about routes from other neighboring routers running the same routing protocol. Through this sharing process, a router will eventually learn about all of the reachable network and subnet numbers in the network.

Now become familiar with the terms routing protocol and routed protocol, which have two different meanings. A routing protocol learns about routes for a routed protocol.

Routed protocol: Any network protocol that provides enough information in its network layer address to enable a packet to be forwarded from one host to another host based on the addressing scheme, without knowing the entire path from source to destination. Packets generally are conveyed from end system to end system. IP is an example of a routed protocol.

Routing protocol: Facilitates the exchange of routing information between networks, enabling routers to build routing tables dynamically. Traditional IP routing stays simple because it uses next-hop (next-router) routing, in which the router needs to consider only where it sends the packet and does not need to consider the subsequent path of the packet on the remaining hops (routers). Routing Information Protocol (RIP) is an example of a routing protocol.

There are two types of routing protocols:

Interior Gateway Protocols (IGP): These routing protocols exchange routing information within an autonomous system. Routing Information Protocol version 2 (RIPv2), Enhanced Interior Gateway Routing Protocol (EIGRP), and Open Shortest Path First (OSPF) are examples of IGPs.

Exterior Gateway Protocols (EGP): These routing protocols are used to route between autonomous systems. Border Gateway Protocol (BGP) is the EGP of choice in networks today.

Metrics

Metrics can be calculated based on a single characteristic of a path. More complex metrics can be calculated by combining several path characteristics.
The metrics that routing protocols most commonly use are as follows:

Hop count: The number of times that a packet passes through the output port of one router
Bandwidth: The data capacity of a link; for instance, normally, a 10-Mbps Ethernet link is preferable to a 64-kbps leased line
Delay: The length of time that is required to move a packet from source to destination
Load: The amount of activity on a network resource, such as a router or link
Reliability: Usually refers to the bit error rate of each network link
Cost: A configurable value that on Cisco routers is based by default on the bandwidth of the interface

Routing Protocol  Metric       Description
RIP               Hop count    How many layer 3 hops away from the destination
OSPF              Cost         Measurement in the inverse of the bandwidth of the links
EIGRP             Bandwidth    The capacity of the links in Kbps (T1 = 1554)
EIGRP             Delay        Time it takes to reach the destination
EIGRP             Load         The path with the least utilization
EIGRP             MTU          The path that supports the largest frame sizes
EIGRP             Reliability  The path with the least amount of errors or down time

Autonomous Systems

An autonomous system (AS) is a group of networks under a single administrative control, which could be your company, a division within your company, or a group of companies. Not every routing protocol understands the concept of an AS. Routing protocols that understand the concept of an AS are EIGRP, OSPF, IS-IS, and BGP. RIP doesn't understand autonomous systems, while OSPF does; but OSPF doesn't require you to configure the AS number, whereas other protocols, such as EIGRP, do.

Administrative Distance

Administrative distance is the measure of trustworthiness that a router assigns to how a route to a network was learned. An administrative distance is an integer from 0 to 255. A routing protocol with a lower administrative distance is more trustworthy than one with a higher administrative distance.
Administrative Distance  Route Type
0                        Connected interface route
1                        Static route
90                       Internal EIGRP route (within the same AS)
110                      OSPF route
120                      RIPv1 and v2 route
170                      External EIGRP (from another AS)
255                      Unknown route (considered an invalid route and will not be used)

Routing protocols can be further classified into two categories:

Distance vector routing protocols
Link state routing protocols

Distance Vector Routing Protocols

Distance vector based routing algorithms (also known as Bellman-Ford-Moore algorithms) pass periodic copies of a routing table from router to router and accumulate distance vectors. (Distance means how far, and vector means in which direction.) Regular updates between routers communicate topology changes. Sometimes these protocols are referred to as routing by rumor, since the routers learn routing information from directly connected neighbors, and these neighbors might have learned these networks from other neighboring routers. RIP is an example of a distance vector routing protocol.

Advertising Updates

Routers running distance vector protocols learn who their neighbors are by listening for routing broadcasts on their interfaces. No formal handshaking process or hello process occurs to discover who the neighboring routers are. Distance vector protocols assume that, through the broadcast process, neighbors will be learned, and if a neighbor fails, the missed broadcasts from that neighbor will eventually be detected.

Distance vector algorithms call for each router to send its entire routing table to each of its adjacent or directly connected neighbors. Distance vector routing tables include information about the total path cost (defined by its metric) and the logical address of the first router on the path to each network it knows about. When a router receives an update from a neighboring router, it compares the update to its own routing table.
The router adds the cost of reaching the neighboring router to the path cost reported by the neighbor to establish the new metric. If the router learns about a better route (smaller total metric) to a network from its neighbor, the router updates its own routing table.

Distance Vector Protocol Problems and Solutions

Problem: Convergence

The term convergence refers to the time it takes for all of the routers to understand the current topology of the network. When a router receives an update from a neighboring router, it compares the update to its own routing table. The router adds the cost of reaching the neighboring router to the path cost reported by the neighbor to establish the new metric. If the router learns about a better route (smaller total metric) to a network from its neighbor, the router updates its own routing table.

This is a very time-consuming process, because in a 10-router topology the last router will learn about the network of the first router only after all the middle routers have completed their periodic updates. For example, if the interval timer is set to 60 seconds, the last router will learn about the first network after 60 * 8 = 480 seconds, or 8 minutes.

Solution: Change the periodic timer interval

One solution is to change the periodic timer interval. For instance, in the example the timer was set to 60 seconds. To speed up convergence, you might want to set the interval to 10 seconds. However, by setting the timer to 10 seconds, you are creating six times the amount of routing broadcast traffic, which is not very efficient.

A second solution is to implement triggered updates. The distance vector routing protocol would still generate periodic updates; however, whenever a change takes place, the router immediately generates an update without waiting for the periodic timer to expire. This can decrease convergence times, but it also creates a problem.
If you have a flapping route, an update will be triggered each time the route changes state, which creates a lot of unnecessary broadcast traffic in your network and could cause a broadcast storm.

Problem: Routing Loops

A routing loop is a layer-3 loop in the network. Basically, it is a disagreement about how to reach a destination network. Because distance vector routing protocols trust the next router without compiling a topology map of all networks and routers, distance vector protocols run the risk of creating loops in a network. This is analogous to driving to a location without a map; instead, you trust what each sign tells you. Trusting the street signs might get you where you want to go, but I've been in some cities where trusting what the signs say will lead you in loops. The same is true with distance vector routing protocols: simply trusting what the next router tells it can potentially lead the packets to loop endlessly. These loops could saturate a network and cause systems to crash. This, in turn, makes managers very upset and means that you have to work late into the evening to fix it.

Solution: Counting to Infinity (Maximum Hop Count)

IP packets have inherent limits via the Time-To-Live (TTL) value in the IP header: a router must reduce the TTL field by at least 1 each time it gets the packet, and if the TTL value becomes 0, the router discards that packet. However, this does not stop the router from continuing to attempt to send packets to a network that is down. To avoid this prolonged problem, distance vector protocols define infinity as some maximum number. This number refers to a routing metric, such as a hop count.

Solution: Split Horizon

Split horizon states that if a neighboring router sends a route to a router, the receiving router will not propagate this route back to the advertising router on the same interface.
Split horizon prevents a router from advertising a route back out the same interface where the router originally learned the route. One way to eliminate routing loops and speed up convergence is through the technique called split horizon. The split horizon rule is that sending information about a route back in the direction from which the original update came is never useful.

Solution: Route Poisoning

Another operation complementary to split horizon is a technique called route poisoning. Route poisoning attempts to improve convergence time and eliminate routing loops caused by inconsistent updates. With this technique, when a router loses a link, the router advertises the loss of a route to its neighbor device. Route poisoning enables the receiving router to advertise a route back toward the source with a metric higher than the maximum. The advertisement back seems to violate split horizon, but it lets the router know that the update about the down network was received. The router that received the update also sets a table entry that keeps the network state consistent while other routers gradually converge correctly on the topology change. This mechanism allows the router to learn quickly of the down route and to ignore other updates that might be wrong for the hold-down period. This prevents routing loops.

A poisoned route has an infinite metric assigned to it. A poison reverse causes the router to break the split horizon rule and advertise the poisoned route out all interfaces. When a router detects that one of its connected routes has failed, the router poisons the route by assigning an infinite metric to it. In IP RIP, the route is assigned a hop count of 16 (15 is the maximum), thus making it an unreachable network. When a router advertises a poisoned route to its neighbors, its neighbors break the rule of split horizon and send back to the originator the same poisoned route, called a poison reverse.
The poison reverse ensures that every neighbor received the original update of the poisoned route.

Solution: Hold-Down Timers

In order to give the routers enough time to propagate the poisoned route and to ensure that no routing loops occur while propagation is occurring, the routers implement a hold-down mechanism. During this period, the routers freeze the poisoned route in their routing tables for the period of the hold-down timer, which is typically three times the interval of the routing broadcast update. When hold-down timers are used, a poisoned route remains in the routing table until the timer expires. However, if a router with a poisoned route receives a routing update from a neighboring router with a metric that is the same or better than the original route, the router aborts the hold-down period, removes the poisoned route, and puts the new route in its table. If, on the other hand, a router receives a worse route from a neighboring router, the router treats this as a suspect route, assumes that it is probably part of a routing loop, and ignores the update.

One of the problems of using hold-down timers is that they cause the distance vector routing protocol to converge slowly: if the hold-down period is 180 seconds, you can't use a valid alternative path with a worse metric until the hold-down period expires. Therefore, your users will lose their connections to this network for at least three minutes.

Hold-down timers perform route maintenance as follows:
1. When a router receives an update from a neighbor indicating that a previously accessible network is now inaccessible, the router marks the route as inaccessible and starts a hold-down timer.
2. If an update arrives from a neighboring router with a better metric than originally recorded for the network, the router marks the network as accessible and removes the hold-down timer.
3. If at any time before the hold-down timer expires an update is received from a different neighboring router with a poorer metric, the update is ignored. Ignoring an update with a higher metric while a hold-down is in effect allows more time for knowledge of the change to propagate through the entire network.
4. During the hold-down period, routes appear in the routing table as "possibly down".

Basics of Static Routing

Static routing occurs when you manually add routes to each router's routing table. There are advantages and disadvantages to static routing, but that's true for all routing processes.

Static routing has the following advantages:
- There is no overhead on the router CPU.
- There is no bandwidth usage between routers.
- It adds security, because the administrator can choose to allow routing access to certain networks only.

Static routing has the following disadvantages:
- The administrator must really understand the internetwork and how each router is connected in order to configure routes correctly.
- If a network is added to the internetwork, the administrator has to add a route to it on all routers, manually.
- It's not feasible in large networks, because maintaining it would be a full-time job in itself.

Command syntax for a static route:

    ip route [destination_network] [mask] [next-hop_address or exit_interface] [administrative_distance] [permanent]

ip route: The command used to create the static route.
destination_network: The network you're placing in the routing table.
mask: The subnet mask being used on the network.
next-hop_address: The address of the next-hop router that will receive the packet and forward it to the remote network.
exit_interface: Used in place of the next-hop address if you want; the route then shows up as a directly connected route.
administrative_distance: By default, static routes have an administrative distance of 1 (or even 0 if you use an exit interface instead of a next-hop address).
permanent (optional keyword): Without the permanent keyword in a static route statement, the static route is removed if the interface goes down. Adding the permanent keyword keeps the static route in the routing table even if the interface goes down and the directly connected networks are removed.

In the previous articles you learned:
- How to connect Cisco devices
- How to use the available help options
- Basics of routing protocols
- Show commands
- How to configure a router for basic operation

In this article we will recall all the topics you have learned so far and implement these commands in practice.

Create the topology shown in the figure in Packet Tracer, or download this topology.

Now configure PC-0 first. To configure a PC, double-click on it and select Desktop, then click on IP Configuration and set the IP address as shown in the figure:

    IP address       10.0.0.2
    Subnet mask      255.0.0.0
    Default Gateway  10.0.0.1

Follow the same process on PC-2 and set:

    IP address       30.0.0.2
    Subnet mask      255.0.0.0
    Default Gateway  30.0.0.1

Now double-click on 1841 Router 0 and select CLI. Type no and press Enter to skip the startup configuration dialog. Now you are in user exec mode.

    --- System Configuration Dialog ---
    Continue with configuration dialog? [yes/no]: no
    Press RETURN to get started!
    Router>

Set the hostname to R1 and assign the IP address 10.0.0.1 255.0.0.0 to FastEthernet 0/0. Also set the message "Unauthorized access is prohibited".

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R1
    R1(config)#banner motd # Unauthorized access is prohibited #
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip address 10.0.0.1 255.0.0.0
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    R1(config-if)#exit
    R1(config)#

Configure Router 2 in the same way, with hostname R2 and the IP address 30.0.0.1 255.0.0.0 on FastEthernet 0/0.
    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R2
    R2(config)#interface fastEthernet 0/0
    R2(config-if)#ip address 30.0.0.1 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R2(config-if)#exit
    R2(config)#

Now we have connectivity between each local segment and its router's Ethernet port.

Configure the Serial Port

When serial connections are configured they need one more command that normal Ethernet connections do not: the clock rate command. The clock rate command establishes a common rate at which the sending and receiving routers send data to each other. Note that if you are using a service provider circuit, there is no need for the clock rate command, since the service provider provides the clocking.

Establish a simple serial-to-serial connection between R1 Serial 0/0/0 and R2 Serial 0/0/0. Now configure the serial port on both routers, with IP address 20.0.0.1 255.0.0.0 on one and 20.0.0.2 255.0.0.0 on the other.

On R1:

    R1(config)#interface serial 0/0/0
    R1(config-if)#ip address 20.0.0.1 255.0.0.0
    R1(config-if)#clock rate 64000
    R1(config-if)#bandwidth 64
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
    R1(config-if)#exit
    R1(config)#

On R2:

    R2(config)#interface serial 0/0
    R2(config-if)#ip address 20.0.0.2 255.0.0.0
    R2(config-if)#no shutdown
    R2(config-if)#exit

At this point you have configured IP addresses on the interfaces. But PC0 still cannot ping PC1, because R1 has no information about the 30.0.0.0 network. There are two ways to configure routes on a router: static or dynamic. You will learn more about static and dynamic routing in our next article. In this example we will use a simple static route.
First, tell R1 about the 30.0.0.0 network:

    R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2
    R1(config)#

In this command 30.0.0.0 is the destination network, 255.0.0.0 is the subnet mask of the destination network, and 20.0.0.2 is the IP address of the next hop:

    30.0.0.0  = destination network
    255.0.0.0 = subnet mask
    20.0.0.2  = next-hop address

Say it this way: "To get to the destination network of 30.0.0.0, with a subnet mask of 255.0.0.0, send all packets to 20.0.0.2."

Now tell R2 about the 10.0.0.0 network:

    R2(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1
    R2(config)#

Now test the connectivity. Go to PC1 and run:

    C:\> ping 30.0.0.2

If you get a reply, you have successfully configured static routing between R1 and R2. If you get an error, download the configured topology and cross-check where you made a mistake.

Default Routing

Default routing is used to send packets with a remote destination network not in the routing table to the next-hop router. You should only use default routing on stub networks: those with only one exit path out of the network. In our next article you will learn advanced static route configurations.

Static Route Configurations

In this article I will demonstrate an example of static route configuration. We will use four different series of router so you can get familiar with all the different platforms covered in the CCNA exam. Create the topology shown in the figure.

A static route is a manually configured route on your router. Static routes are typically used in smaller networks, when few networks or subnets exist, or with WAN links that have little available bandwidth. With a network that has hundreds of routes, static routes are not scalable, since you would have to configure each route and any redundant paths for that route on each router.
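The two-router lab above, replayed as a forwarding model: an added example, not code from the original article. It uses the article's addresses (the PC at 10.0.0.2 behind R1, the 20.0.0.0/8 serial link, the PC at 30.0.0.2 behind R2) and shows why the ping fails before the ip route commands, why the reply direction needs its own route on R2, and how a default route on a stub router compares with a specific route; the Router class, trace function and the "R2-stub" router are constructed for the example.

```python
"""Static-route forwarding for the two-router lab (PC 10.0.0.2, R1, R2, PC 30.0.0.2).
Added example, not from the original article: why the ping fails before the
'ip route' commands, why both directions need a route, and how a default route behaves."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Router:
    def __init__(self, name: str, interfaces: Dict[str, str]) -> None:
        self.name = name
        self.interfaces = {i: ipaddress.ip_interface(a) for i, a in interfaces.items()}
        # Routing table entries: (network, next hop or None if connected, exit interface)
        self.routes = [(intf.network, None, i) for i, intf in self.interfaces.items()]

    def connected_iface(self, addr: ipaddress.IPv4Address) -> Optional[str]:
        for i, intf in self.interfaces.items():
            if addr in intf.network:
                return i
        return None

    def ip_route(self, dest: str, mask: str, next_hop: str) -> bool:
        """Router(config)#ip route <dest> <mask> <next-hop>. A next hop that is not on
        a directly connected network cannot be resolved, so the route is not installed."""
        nh = ipaddress.ip_address(next_hop)
        iface = self.connected_iface(nh)
        if iface is None:
            return False
        self.routes.append((ipaddress.ip_network(f"{dest}/{mask}"), nh, iface))
        return True

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match; returns (next hop, exit interface) or None."""
        d = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if d in r[0]]
        if not hits:
            return None
        net, nh, iface = max(hits, key=lambda r: r[0].prefixlen)
        return (str(nh) if nh is not None else dst, iface)  # connected: deliver directly


def trace(first_hop: Router, dst: str, routers: Dict[str, Router]) -> List[str]:
    """Hop-by-hop path of a packet entering the network at first_hop, bound for dst."""
    owners = {str(intf.ip): r for r in routers.values() for intf in r.interfaces.values()}
    hops: List[str] = []
    router = first_hop
    while len(hops) < 16:                      # stop runaway loops, like a TTL would
        hit = router.lookup(dst)
        if hit is None:
            hops.append(f"{router.name}: no route to {dst}, dropped")
            return hops
        next_hop, iface = hit
        hops.append(f"{router.name} -> {next_hop} via {iface}")
        if next_hop == dst:
            hops.append("delivered")
            return hops
        router = owners[next_hop]
    hops.append("loop")
    return hops


def run_lab() -> dict:
    """Replay the lab: connected routes only, then R1's route, then R2's return route."""
    r1 = Router("R1", {"f0/0": "10.0.0.1/8", "s0/0/0": "20.0.0.1/8"})
    r2 = Router("R2", {"f0/0": "30.0.0.1/8", "s0/0": "20.0.0.2/8"})
    net = {"R1": r1, "R2": r2}
    out = {}
    out["before"] = trace(r1, "30.0.0.2", net)          # R1 knows nothing about 30.0.0.0
    r1.ip_route("30.0.0.0", "255.0.0.0", "20.0.0.2")
    out["forward"] = trace(r1, "30.0.0.2", net)         # the echo request arrives...
    out["reply_before"] = trace(r2, "10.0.0.2", net)    # ...but the echo reply is dropped
    r2.ip_route("10.0.0.0", "255.0.0.0", "20.0.0.1")
    out["reply_after"] = trace(r2, "10.0.0.2", net)
    out["bad_next_hop"] = r1.ip_route("40.0.0.0", "255.0.0.0", "40.0.0.1")  # unresolvable
    # A stub router (one exit path) can use a single default route instead.
    stub = Router("R2-stub", {"f0/0": "30.0.0.1/8", "s0/0": "20.0.0.2/8"})
    stub.ip_route("0.0.0.0", "0.0.0.0", "20.0.0.1")
    out["default_remote"] = stub.lookup("10.0.0.2")     # matched by the default route
    out["default_local"] = stub.lookup("30.0.0.2")      # the longer /8 match still wins
    return out


if __name__ == "__main__":
    for key, value in run_lab().items():
        print(f"{key:15} {value}")
```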
    Router                      Interface        IP address   Connected with
    1841 Series Router0 (R1)    FastEthernet0/0  10.0.0.1     PC0
                                Serial0/0/0      20.0.0.1     R2 on Serial 0/0
    2620XM Series Router1 (R2)  FastEthernet0/0  30.0.0.1     R3 on FastEthernet0/0
                                Serial0/0        20.0.0.2     R1 on Serial 0/0/0
    2621XM Series Router0 (R3)  FastEthernet0/0  30.0.0.2     R2 on FastEthernet0/0
                                Serial0/0/0      40.0.0.1     R4 on Serial 0/0/0
    2811 Series Router0 (R4)    FastEthernet0/0  50.0.0.1     PC1
                                Serial0/0/0      40.0.0.2     R3 on Serial 0/0

    PC          Interface      IP address   Default gateway   Connected with
    PC-PT PC0   FastEthernet0  10.0.0.2     10.0.0.1          R1 on FastEthernet0/0
    PC-PT PC1   FastEthernet0  50.0.0.2     50.0.0.1          R4 on FastEthernet0/0

To configure any router, double-click on it and select CLI. To configure this topology, use this step-by-step guide.

(1841 Router0) Hostname R1

To configure and enable static routing on R1, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R1
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip address 10.0.0.1 255.0.0.0
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R1(config-if)#exit
    R1(config)#interface serial 0/0/0
    R1(config-if)#ip address 20.0.0.1 255.0.0.0
    R1(config-if)#clock rate 64000
    R1(config-if)#bandwidth 64
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
    R1(config-if)#exit
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
    R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2
    R1(config)#ip route 40.0.0.0 255.0.0.0 20.0.0.2
    R1(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2

(2620XM Router1) Hostname R2

To configure and enable static routing on R2, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R2
    R2(config)#interface serial 0/0
    R2(config-if)#ip address 20.0.0.2 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
    R2(config-if)#exit
    R2(config)#interface fastethernet 0/0
    R2(config-if)#ip address 30.0.0.1 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    R2(config-if)#exit
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R2(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1
    R2(config)#ip route 40.0.0.0 255.0.0.0 30.0.0.2
    R2(config)#ip route 50.0.0.0 255.0.0.0 30.0.0.2

(2620XM Router2) Hostname R3

To configure and enable static routing on R3, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R3
    R3(config)#interface fastethernet 0/0
    R3(config-if)#ip address 30.0.0.2 255.0.0.0
    R3(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R3(config-if)#interface serial 0/0
    R3(config-if)#ip address 40.0.0.1 255.0.0.0
    R3(config-if)#clock rate 64000
    R3(config-if)#bandwidth 64
    R3(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0, changed state to down
    R3(config-if)#exit
    %LINK-5-CHANGED: Interface Serial0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
    R3(config)#ip route 10.0.0.0 255.0.0.0 30.0.0.1
    R3(config)#ip route 20.0.0.0 255.0.0.0 30.0.0.1
    R3(config)#ip route 50.0.0.0 255.0.0.0 40.0.0.2

(2811 Router3) Hostname R4

To configure and enable static routing on R4, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#interface serial 0/0/0
    Router(config-if)#ip address 40.0.0.2 255.0.0.0
    Router(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
    Router(config-if)#exit
    Router(config)#interface fastethernet 0/0
    Router(config-if)#ip address 50.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    Router(config-if)#exit
    Router(config)#ip route 10.0.0.0 255.0.0.0 40.0.0.1
    Router(config)#ip route 20.0.0.0 255.0.0.0 40.0.0.1
    Router(config)#ip route 30.0.0.0 255.0.0.0 40.0.0.1

PC-1:

    PC>ipconfig
    IP Address......................: 10.0.0.2
    Subnet Mask.....................: 255.0.0.0
    Default Gateway.................: 10.0.0.1
    PC>ping 50.0.0.2
    Pinging 50.0.0.2 with 32 bytes of data:
    Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
    Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
    Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
    Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
    Ping statistics for 50.0.0.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 127ms, Maximum = 156ms, Average = 144ms
    PC>

PC-2:

    PC>ipconfig
    IP Address......................: 50.0.0.2
    Subnet Mask.....................: 255.0.0.0
    Default Gateway.................: 50.0.0.1
    PC>ping 10.0.0.2
    Pinging 10.0.0.2 with 32 bytes of data:
    Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
    Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
    Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
    Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
    Ping statistics for 10.0.0.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 140ms, Maximum = 157ms, Average = 148ms

To test static routing, ping from PC1 to PC2 and vice versa.
If you get a reply, you have successfully configured static routing. If you did not get a reply, double-check this configuration and try to troubleshoot. I have uploaded a configured and tested topology; in case you are unable to locate the problem spot, download this configuration file and try to find out where you made a mistake.

Routing Information Protocol (RIP)

Routing Information Protocol (RIP) is a standards-based, distance-vector, interior gateway protocol (IGP) used by routers to exchange routing information. RIP uses hop count to determine the best path between two locations. Hop count is the number of routers the packet must go through until it reaches the destination network. The maximum allowable number of hops a packet can traverse in an IP network implementing RIP is 15 by default, meaning that 16 is deemed unreachable. RIP works well in small networks, but it's inefficient on large networks with slow WAN links or on networks with a large number of routers installed. In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30 seconds. When a router receives a neighbor's RIP table, it uses the information provided to update its own routing table and then sends the updated table to its neighbors.

Differences between RIPv1 and RIPv2

RIPv1
- A classful protocol; broadcasts updates every 30 seconds; hold-down period 180 seconds.
- Hop count is the metric (maximum 15).
- RIP supports up to six equal-cost paths to a single destination, where all six paths can be placed in the routing table and the router can load-balance across them. The default is actually four paths, but this can be increased up to a maximum of six. Remember that an equal-cost path is where the hop count value is the same.
- RIP will not load-balance across unequal-cost paths.

RIPv2
- RIPv2 uses multicasts; version 1 uses broadcasts.
- RIPv2 supports triggered updates: when a change occurs, a RIPv2 router immediately propagates its routing information to its connected neighbors.
- RIPv2 is a classless protocol.
- RIPv2 supports variable-length subnet masking (VLSM).
- RIPv2 supports authentication. You can restrict which routers you want to participate in RIPv2. This is accomplished using a hashed password value.

RIP Timers

RIP uses four different kinds of timers to regulate its performance:

Route update timer: Sets the interval (typically 30 seconds) between periodic routing updates, in which the router sends a complete copy of its routing table out to all neighbors.

Route invalid timer: Determines the length of time that must elapse (180 seconds) before a router determines that a route has become invalid. It will come to this conclusion if it hasn't heard any updates about a particular route for that period. When that happens, the router sends out updates to all its neighbors letting them know that the route is invalid.

Hold-down timer: Sets the amount of time during which routing information is suppressed. Routes enter the hold-down state when an update packet is received that indicates the route is unreachable. This continues either until an update packet is received with a better metric or until the hold-down timer expires. The default is 180 seconds.

Route flush timer: Sets the time between a route becoming invalid and its removal from the routing table (240 seconds). Before it's removed from the table, the router notifies its neighbors of that route's impending failure. The value of the route invalid timer must be less than that of the route flush timer. This gives the router enough time to tell its neighbors about the invalid route before the local routing table is updated.

RIP Routing Configurations

We will use two routers and four subnets.
Create the topology shown in the figure in Packet Tracer.

    Interface          R1          R2
    FastEthernet 0/0   10.0.0.1    30.0.0.1
    FastEthernet 0/1   20.0.0.1    40.0.0.1
    Serial 0/0/0       50.0.0.1    50.0.0.2

    PC     IP address    PC     IP address
    PC0    20.0.0.2      PC1    20.0.0.3
    PC2    40.0.0.2      PC3    40.0.0.3
    PC4    10.0.0.2      PC5    10.0.0.3
    PC6    30.0.0.2      PC7    30.0.0.3

Assign IP addresses to the PCs: select a PC and double-click on it, select IP Configuration from the Desktop tab, and set the IP address given in the table. To configure a router, double-click on it and select CLI. To configure this topology, use this step-by-step guide.

(1841 Router0) Hostname R1

To configure and enable RIP routing on R1, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R1
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip address 10.0.0.1 255.0.0.0
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R1(config-if)#exit
    R1(config)#interface fastethernet 0/1
    R1(config-if)#ip address 20.0.0.1 255.0.0.0
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    R1(config-if)#exit
    R1(config)#interface serial 0/0/0
    R1(config-if)#ip address 50.0.0.1 255.0.0.0
    R1(config-if)#clock rate 64000
    R1(config-if)#bandwidth 64
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
    R1(config-if)#exit
    R1(config)#router rip
    R1(config-router)#network 10.0.0.0
    R1(config-router)#network 20.0.0.0
    R1(config-router)#network 50.0.0.0

(2811 Router1) Hostname R2

To configure and enable RIP routing on R2, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R2
    R2(config)#interface fastethernet 0/0
    R2(config-if)#ip address 30.0.0.1 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R2(config-if)#exit
    R2(config)#interface fastethernet 0/1
    R2(config-if)#ip address 40.0.0.1 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    R2(config-if)#exit
    R2(config)#interface serial 0/0/0
    R2(config-if)#ip address 50.0.0.2 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
    R2(config-if)#
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
    R2(config-if)#exit
    R2(config)#router rip
    R2(config-router)#network 30.0.0.0
    R2(config-router)#network 40.0.0.0
    R2(config-router)#network 50.0.0.0
    R2(config-router)#ex
    
To test RIP routing, ping from PC0 to all the other PCs and vice versa. If you get a reply, you have successfully configured RIP routing. If you did not get a reply, double-check this configuration and try to troubleshoot. I have uploaded a configured and tested topology; in case you are unable to locate the problem spot, download this configuration file and try to find out where you made a mistake.

RIP Routing Configurations

In our previous article, Routing Information Protocol (RIP), we discussed the features of RIP and configured a simple topology. In this article I will demonstrate an example of RIP routing configuration. We will use four different series of router so you can get familiar with all the different platforms covered in the CCNA exam. Create the topology shown in the figure.

IP RIP comes in two different versions: 1 and 2. Version 1 is a distance vector protocol and is defined in RFC 1058. Version 2 is a hybrid protocol and is defined in RFCs 1721 and 1722.
The CCNA exam now primarily focuses on version 2. There are no major differences between RIPv1 and RIPv2 as far as configuration is concerned. To read more about the differences between RIPv1 and RIPv2, or about their characteristics, read our previous article about RIP.

    Router                      Interface        IP address   Connected with
    1841 Series Router0 (R1)    FastEthernet0/0  10.0.0.1     PC0
                                Serial0/0/0      20.0.0.1     R2 on Serial 0/0
    2620XM Series Router1 (R2)  FastEthernet0/0  30.0.0.1     R3 on FastEthernet0/0
                                Serial0/0        20.0.0.2     R1 on Serial 0/0/0
    2621XM Series Router0 (R3)  FastEthernet0/0  30.0.0.2     R2 on FastEthernet0/0
                                Serial0/0/0      40.0.0.1     R4 on Serial 0/0/0
    2811 Series Router0 (R4)    FastEthernet0/0  50.0.0.1     PC1
                                Serial0/0/0      40.0.0.2     R3 on Serial 0/0

    PC          Interface      IP address   Default gateway   Connected with
    PC-PT PC0   FastEthernet0  10.0.0.2     10.0.0.1          R1 on FastEthernet0/0
    PC-PT PC1   FastEthernet0  50.0.0.2     50.0.0.1          R4 on FastEthernet0/0

To configure any router, double-click on it and select CLI. To configure this topology, use this step-by-step guide.

(1841 Router0) Hostname R1

To configure and enable RIP routing on R1, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R1
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip address 10.0.0.1 255.0.0.0
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R1(config-if)#exit
    R1(config)#interface serial 0/0/0
    R1(config-if)#ip address 20.0.0.1 255.0.0.0
    R1(config-if)#clock rate 64000
    R1(config-if)#bandwidth 64
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
    R1(config-if)#exit
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
    R1(config)#router rip
    R1(config-router)#network 10.0.0.0
    R1(config-router)#network 20.0.0.0
    R1(config-router)#exit
    R1(config)#

(2620XM Router1) Hostname R2

To configure and enable RIP routing on R2, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R2
    R2(config)#interface serial 0/0
    R2(config-if)#ip address 20.0.0.2 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
    R2(config-if)#exit
    R2(config)#interface fastethernet 0/0
    R2(config-if)#ip address 30.0.0.1 255.0.0.0
    R2(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    R2(config-if)#exit
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R2(config)#router rip
    R2(config-router)#network 20.0.0.0
    R2(config-router)#network 30.0.0.0
    R2(config-router)#exit
    R2(config)#

(2620XM Router2) Hostname R3

To configure and enable RIP routing on R3, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R3
    R3(config)#interface fastethernet 0/0
    R3(config-if)#ip address 30.0.0.2 255.0.0.0
    R3(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R3(config-if)#interface serial 0/0
    R3(config-if)#ip address 40.0.0.1 255.0.0.0
    R3(config-if)#clock rate 64000
    R3(config-if)#bandwidth 64
    R3(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0, changed state to down
    R3(config-if)#exit
    %LINK-5-CHANGED: Interface Serial0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
    R3(config)#router rip
    R3(config-router)#network 30.0.0.0
    R3(config-router)#network 40.0.0.0
    R3(config-router)#exit
    R3(config)#

(2811 Router3) Hostname R4

To configure and enable RIP routing on R4, follow these commands exactly.

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#interface serial 0/0/0
    Router(config-if)#ip address 40.0.0.2 255.0.0.0
    Router(config-if)#no shutdown
    %LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
    Router(config-if)#exit
    Router(config)#interface fastethernet 0/0
    Router(config-if)#ip address 50.0.0.1 255.0.0.0
    Router(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    Router(config-if)#exit
    Router(config)#hostname R4
    R4(config)#router rip
    R4(config-router)#network 40.0.0.0
    R4(config-router)#network 50.0.0.0
    R4(config-router)#exit
    R4(config)#

PC-1:

    PC>ipconfig
    IP Address......................: 10.0.0.2
    Subnet Mask.....................: 255.0.0.0
    Default Gateway.................: 10.0.0.1
    PC>ping 50.0.0.2
    Pinging 50.0.0.2 with 32 bytes of data:
    Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
    Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
    Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
    Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
    Ping statistics for 50.0.0.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 127ms, Maximum = 156ms, Average = 144ms
    PC>

PC-2:

    PC>ipconfig
    IP Address......................: 50.0.0.2
    Subnet Mask.....................: 255.0.0.0
    Default Gateway.................: 50.0.0.1
    PC>ping 10.0.0.2
    Pinging 10.0.0.2 with 32 bytes of data:
    Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
    Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
    Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
    Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
    Ping statistics for 10.0.0.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 140ms, Maximum = 157ms, Average = 148ms

You can verify that RIP is running successfully with the show ip protocols command in privileged mode.

    R1#show ip protocols
    Routing Protocol is "rip"
    Sending updates every 30 seconds, next due in 2 seconds
    Invalid after 180 seconds, hold down 180, flushed after 240
    Outgoing update filter list for all interfaces is not set
    Incoming update filter list for all interfaces is not set
    Redistributing: rip
    Default version control: send version 1, receive any version
      Interface             Send  Recv  Triggered RIP  Key-chain
      FastEthernet0/0       1     2 1
      Serial0/0/0           1     2 1
    Automatic network summarization is in effect
    Maximum path: 4
    Routing for Networks:
      10.0.0.0
      20.0.0.0
    Passive Interface(s):
    Routing Information Sources:
      Gateway         Distance      Last Update
      20.0.0.2             120      00:00:20
    Distance: (default is 120)
    R1#

You can use the show ip route command to troubleshoot a RIP network. If you do not see information about a route, check the router attached to that network.
    R1#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is not set

    C    10.0.0.0/8 is directly connected, FastEthernet0/0
    C    20.0.0.0/8 is directly connected, Serial0/0/0
    R    30.0.0.0/8 [120/1] via 20.0.0.2, 00:00:01, Serial0/0/0
    R    40.0.0.0/8 [120/2] via 20.0.0.2, 00:00:01, Serial0/0/0
    R    50.0.0.0/8 [120/3] via 20.0.0.2, 00:00:01, Serial0/0/0
    R1#

To test RIP routing, ping from PC1 to PC2 and vice versa. If you get a reply, you have successfully configured RIP routing. If you did not get a reply, double-check this configuration and try to troubleshoot. I have uploaded a configured and tested topology; in case you are unable to locate the problem spot, download this configuration file and try to find out where you made a mistake.

RIP Routing Configuration Commands

    Router(config)#router rip
        Enables RIP as a routing protocol.
    Router(config-router)#network w.x.y.z
        w.x.y.z is the network number of the directly connected network you want to advertise.
    Router(config)#no router rip
        Turns off the RIP routing process.
    Router(config-router)#no network w.x.y.z
        Removes network w.x.y.z from the RIP routing process.
    Router(config-router)#version 2
        RIP will now send and receive RIPv2 packets globally.
    Router(config-router)#version 1
        RIP will now send and receive RIPv1 packets only.
    Router(config-router)#no auto-summary
        RIPv2 summarizes networks at the classful boundary. This command turns autosummarization off.
    Router(config-router)#passive-interface s0/0/0
        RIP updates will not be sent out this interface.
    Router(config-if)#no ip split-horizon
        Turns off split horizon on the interface (on by default).
    Router(config-if)#ip split-horizon
        Re-enables split horizon on the interface.
    Router(config-router)#timers basic 30 90 180 270 360
        Changes the RIP timers: 30 = update timer (seconds), 90 = invalid timer (seconds),
        180 = hold-down timer (seconds), 270 = flush timer (seconds), 360 = sleep time (milliseconds).
    Router#debug ip rip
        Displays all RIP activity in real time.
    Router#show ip rip database
        Displays the contents of the RIP database.

Enhanced Interior Gateway Routing Protocol (EIGRP)

EIGRP is the advanced version of Cisco's earlier protocol, IGRP. Before you learn more about EIGRP, get familiar with IGRP.

Interior Gateway Routing Protocol (IGRP)

The Interior Gateway Routing Protocol (IGRP) is a Cisco-proprietary routing protocol for IP. It is a distance vector protocol. It uses a sophisticated metric based on bandwidth and delay. It uses triggered updates to speed up convergence. It supports unequal-cost load balancing to a single destination.

IGRP is Cisco proprietary and uses bandwidth, delay, reliability, load, and MTU as its metrics (bandwidth and delay by default). IGRP's routing update period is every 90 seconds. Its hold-down period is 280 seconds, and its flush period is 630 seconds. It also supports triggered updates and load balancing across unequal-cost paths. IGRP requires an AS number in its router command; plus, when entering network numbers for the network command, they are entered as the classful network number, as they are for RIP. IGRP supports both equal- and unequal-cost paths for load balancing to a single destination. Equal-cost paths are enabled by default, where IGRP supports up to six equal-cost paths (four by default) to a single destination in the IP routing table. IGRP, however, also supports unequal-cost paths, but this feature is disabled by default.
Enhanced Interior Gateway Routing Protocol

The Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol for IP. Its characteristics include:
- Fast convergence
- Loop-free topology
- VLSM and route summarization
- Multicast and incremental updates
- Routes for multiple routed protocols

Here is a brief comparison of EIGRP and IGRP:
- Both offer load balancing across six paths (equal or unequal).
- They have similar metric structures.
- EIGRP has faster convergence (triggered updates and saving a neighbor's routing table locally).
- EIGRP has less network overhead, since it uses incremental updates.

An interesting point about these protocols is that if some routers in your network run IGRP and others run EIGRP, and both sets use the same autonomous system number, routing information is automatically shared between the two. EIGRP uses a 32-bit metric, while IGRP uses a 24-bit metric. EIGRP uses the Diffusing Update Algorithm (DUAL) to update the routing table. One unique feature of EIGRP is that it supports three routed protocols: IP, IPX, and AppleTalk.

Hello packets are generated every five seconds on LAN interfaces as multicasts (224.0.0.10). For EIGRP routers to become neighbors, the following information must match:
- The AS number
- The K-values (these enable/disable the different metric components)

When two routers determine whether they will become neighbors, they go through the following process:
1. The first router generates a Hello with configuration information.
2. If the configuration information matches, the second router responds with an Update message containing topology information.
3. The first router responds with an ACK message, acknowledging receipt of the second router's Update.
4. The first router sends its topology to the second router via an Update message.
5. The second router responds with an ACK.

You must specify the AS number when configuring EIGRP.
Even though EIGRP is classless, you must configure it as a classful protocol when specifying your network numbers with the network command.

EIGRP Terms

Term                  Definition
Successor             The best path to reach a destination within the topology table.
Feasible successor    The best backup path to reach a destination within the topology table; multiple feasible successors can exist for a particular destination.
Routing table         All of the successor routes from the topology table. There is a separate routing table for each routed protocol.
Advertised distance   The distance (metric) that a neighboring router is advertising for a specific route.
Feasible distance     The distance (metric) that your router has computed to reach a specific route: the advertised distance from the neighboring router plus the local router's interface metric.
Neighbor table        Contains a list of the EIGRP neighbors and is similar to the adjacencies that are built in OSPF between the designated router/backup DR and the other routers on a segment. Each routed protocol (IP, IPX, and AppleTalk) for EIGRP has its own neighbor table.
Topology table        Similar to OSPF's database; contains a list of all destinations and paths the EIGRP router learned. It is basically a compilation of the neighboring routers' routing tables. A separate topology table exists for each routed protocol.

EIGRP Routing Configurations

EIGRP is a Cisco-proprietary routing protocol for TCP/IP. It is based on Cisco's proprietary IGRP routing protocol, with many enhancements built into it. Because it has its roots in IGRP, the configuration is similar to IGRP; however, many link state characteristics were added to allow EIGRP to scale to enterprise network sizes. To learn about these characteristics, read our previous article. In this article I will demonstrate an example of EIGRP routing configuration. We will use four different router series so you can get familiar with all the platforms covered in the CCNA exam.
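To make the terms above concrete, here is an added example (not code from this page or from Cisco) that applies DUAL's selection rules to constructed topology-table entries for one destination: the successor is the path with the lowest feasible distance, a backup path is a feasible successor only if its advertised distance is lower than the successor's feasible distance, and the variance multiplier covered in the EIGRP command table later on only ever admits paths that already pass that test. The neighbor names and metrics are constructed.

```python
"""EIGRP DUAL path selection: successor, feasible successors, variance.

Added illustration; the entries below are constructed, not output from the
lab routers on this page. Metrics are plain integers standing in for the
composite EIGRP metric.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TopologyEntry:
    """One path to a destination as stored in the EIGRP topology table."""
    neighbor: str             # next hop that advertised the route
    advertised_distance: int  # AD: the neighbor's own metric to the destination
    link_metric: int          # metric of the local interface toward that neighbor

    @property
    def feasible_distance(self) -> int:
        """FD: advertised distance plus the local interface metric."""
        return self.advertised_distance + self.link_metric


def select_successor(entries):
    """Return the successor: the entry with the lowest feasible distance."""
    return min(entries, key=lambda e: e.feasible_distance)


def feasible_successors(entries):
    """Feasibility condition: a backup path is loop-free (and therefore a
    feasible successor) only if its neighbor's advertised distance is
    strictly lower than the successor's feasible distance."""
    succ = select_successor(entries)
    return [e for e in entries
            if e is not succ and e.advertised_distance < succ.feasible_distance]


def load_balanced_paths(entries, variance=1):
    """Paths installed for (unequal-cost) load balancing under 'variance n':
    the successor plus any feasible successor whose FD <= n * successor FD.
    A path that fails the feasibility condition is never used, whatever the
    variance, which is the NOTE given with the variance command on this page."""
    succ = select_successor(entries)
    limit = variance * succ.feasible_distance
    chosen = [succ] + [e for e in feasible_successors(entries)
                       if e.feasible_distance <= limit]
    return sorted(chosen, key=lambda e: e.feasible_distance)


# Constructed example: three ways to reach one destination network.
PATHS = [
    TopologyEntry("via_R2", advertised_distance=10, link_metric=20),  # FD 30
    TopologyEntry("via_R3", advertised_distance=25, link_metric=10),  # FD 35
    TopologyEntry("via_R5", advertised_distance=40, link_metric=5),   # FD 45
]

if __name__ == "__main__":
    s = select_successor(PATHS)
    print("successor:", s.neighbor, "FD", s.feasible_distance)
    print("feasible successors:", [e.neighbor for e in feasible_successors(PATHS)])
    # via_R5 has the lowest link metric but its AD (40) is not below the
    # successor's FD (30), so it is never used even with a large variance.
    print("variance 2 paths:", [e.neighbor for e in load_balanced_paths(PATHS, 2)])
```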
Create a topology as shown in the figure.

1841 Series Router0 (R1)
  FastEthernet0/0   IP address 10.0.0.1   Connected with PC0
  Serial0/0/0       IP address 20.0.0.1   Connected with R2 on Serial 0/0

2811 Series Router0 (R4)
  FastEthernet0/0   IP address 50.0.0.1   Connected with PC1
  Serial0/0/0       IP address 40.0.0.2   Connected with R3 on Serial 0/0

2621XM Series Router0 (R3)
  FastEthernet0/0   IP address 30.0.0.2   Connected with R2 on FastEthernet0/0
  Serial0/0         IP address 40.0.0.1   Connected with R4 on Serial 0/0/0

2620XM Series Router1 (R2)
  FastEthernet0/0   IP address 30.0.0.1   Connected with R3 on FastEthernet0/0
  Serial0/0         IP address 20.0.0.2   Connected with R1 on Serial 0/0/0

PC-PT PC0
  FastEthernet0     IP address 10.0.0.2   Default gateway 10.0.0.1   Connected with R1 on FastEthernet0/0

PC-PT PC1
  FastEthernet0     IP address 50.0.0.2   Default gateway 50.0.0.1   Connected with R4 on FastEthernet0/0

To configure any router, double-click it and select CLI. To configure this topology, use this step-by-step guide.

(1841 Router0) Hostname R1

To configure and enable EIGRP routing on R1, follow these commands exactly.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#exit
R1(config)#

(2620XM Router1) Hostname R2

To configure and enable EIGRP routing on R2, follow these commands exactly.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#router eigrp 1
R2(config-router)#network 20.0.0.0
R2(config-router)#network 30.0.0.0
R2(config-router)#exit
R2(config)#

(2620XM Router2) Hostname R3

To configure and enable EIGRP routing on R3, follow these commands exactly.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R3(config)#router eigrp 1
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit
R3(config)#

(2811 Router3) Hostname R4

To configure and enable EIGRP routing on R4, follow these commands exactly.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#hostname R4
R4(config)#router eigrp 1
R4(config-router)#network 40.0.0.0
R4(config-router)#network 50.0.0.0
R4(config-router)#exit
R4(config)#

PC-1

PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>

PC-2

PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 140ms, Maximum = 157ms, Average = 148ms

You can verify that EIGRP is running successfully via the show ip protocols command in privileged mode.
R4#show ip protocols
Routing Protocol is "ospf 4"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 50.0.0.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    50.0.0.0 0.255.255.255 area 0
    40.0.0.0 0.255.255.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    40.0.0.1             110      00:01:26
  Distance: (default is 110)
R4#

You can use the show ip route command to troubleshoot the EIGRP network. If you do not see information about a route, check the router attached to that network.

R4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O    10.0.0.0/8 [110/1564] via 40.0.0.1, 00:02:37, Serial0/0/0
O    20.0.0.0/8 [110/1563] via 40.0.0.1, 00:02:37, Serial0/0/0
O    30.0.0.0/8 [110/782] via 40.0.0.1, 00:02:37, Serial0/0/0
C    40.0.0.0/8 is directly connected, Serial0/0/0
C    50.0.0.0/8 is directly connected, FastEthernet0/0
R4#

To test EIGRP routing, ping from PC1 to PC2 and vice versa. If you get a reply, you have successfully configured EIGRP routing; if you do not get a reply, double-check this configuration and troubleshoot. I have uploaded a configured and tested topology (eigrp routing configurations); if you are unable to locate the problem, download that configuration file and compare it with yours to find where the mistake was made.

EIGRP configuration commands

Command                                       Description
Router(config)#router eigrp 1                 Turns on the EIGRP process. 1 is the autonomous system number, which can be a number between 1 and 65,535. Note: all routers in the same autonomous system must use the same autonomous system number.
Router(config-router)#network 10.0.0.0        Specifies which network to advertise in EIGRP.
Router(config-if)#bandwidth x                 Sets the bandwidth of this interface to x kilobits to allow EIGRP to make a better metric calculation. TIP: The bandwidth command is used for metric calculations only; it does not change interface performance.
Router(config-router)#no network 10.0.0.0     Removes the network from the EIGRP process.
Router(config)#no router eigrp 1              Disables routing process 1.
Router(config-router)#auto-summary            Enables auto-summarization for the EIGRP process.
Router(config-router)#no auto-summary         Turns off the auto-summarization feature.
Router(config-router)#variance n              Includes routes with a metric less than or equal to n times the minimum-metric route for that destination, where n is the number specified by the variance command. NOTE: If a path is not a feasible successor, it is not used in load balancing. EIGRP supports up to six unequal-cost paths.
Router(config)#interface serial 0/0           Enters interface configuration mode.
Router(config-if)#bandwidth 256               Sets the bandwidth of this interface to 256 kilobits to allow EIGRP to make a better metric calculation.
Router#show ip eigrp neighbors                Displays the neighbor table.
Router#show ip eigrp neighbors detail         Displays a detailed neighbor table.
Router#show ip eigrp interfaces               Shows information for each interface.
Router#show ip eigrp interfaces serial 0/0    Shows information for a specific interface.
Router#show ip eigrp interfaces 1             Shows information for interfaces running process 1.
Router#show ip eigrp topology                 Displays the topology table.
Router#show ip eigrp traffic                  Shows the number and type of packets sent and received.
Router#show ip route eigrp                    Shows a routing table with only EIGRP entries.
Router#debug eigrp fsm                        Displays events/actions related to EIGRP feasible successor metrics (FSM).
Router#debug eigrp packet                     Displays events/actions related to EIGRP packets.
Router#debug eigrp neighbor                   Displays events/actions related to your EIGRP neighbors.
Router#debug ip eigrp neighbor                Displays events/actions related to your EIGRP neighbors.
Router#debug ip eigrp notifications           Displays EIGRP event notifications.

OPEN SHORTEST PATH FIRST (OSPF)

The biggest advantage of OSPF over EIGRP is that it will run on any device, since it is based on an open standard.

Advantages
- It will run on most routers, since it is based on an open standard.
- It uses the SPF algorithm, developed by Dijkstra, to provide a loop-free topology.
- It provides fast convergence with triggered, incremental updates via Link State Advertisements (LSAs).
- It is a classless protocol and allows for a hierarchical design with VLSM and route summarization.

Disadvantages
- It requires more memory to hold the adjacency (list of OSPF neighbors), topology, and routing tables.
- It requires extra CPU processing to run the SPF algorithm.
- It is complex to configure and more difficult to troubleshoot.

Features
- OSPF implements a two-layer hierarchy: the backbone (area 0) and areas off of the backbone (areas 1–65,535).
- To provide scalability, OSPF supports two important concepts: autonomous systems and areas.
- On synchronous serial links, no matter what the clock rate of the physical link is, the bandwidth always defaults to 1544 Kbps.
- OSPF uses cost as a metric, which is the inverse of the bandwidth of a link.

Router Identities

Each router in an OSPF network needs a unique router ID, which identifies it to the other OSPF routers.
The router ID is chosen according to one of the two following criteria:
- The highest IP address on its loopback interfaces (a loopback is a logical interface on a router)
- Otherwise, the highest IP address on its active interfaces

OSPF learns about its neighbors and builds its adjacency and topology tables by sharing LSAs. OSPF routers generate hello LSAs every 10 seconds. If a neighbor is not seen within the dead interval, which defaults to 40 seconds, the neighbor is declared dead.

Before a router will accept any routing information from another OSPF router, the two have to build an adjacency with each other on their connected interfaces. When this adjacency is built, the two routers (on the connected interfaces) are called neighbors, which indicates a special relationship between the two. In order for two routers to become neighbors, the following must match on each router:
- The area number and its type
- The hello and dead interval timers
- The OSPF password (optional), if it is configured
- The area stub flag (used to contain OSPF messages and routing information)

OSPF routers go through three states, called the exchange process:
1. Down state: The new router has not exchanged any OSPF information with any other router.
2. Init state: A destination router has received a new router's hello and adds it to its neighbor list (assuming that certain values match). Note that communication is only unidirectional at this point.
3. Two-Way state: The new router receives a unidirectional reply to its initial hello packet and adds the destination router to its neighbor database. Once the routers have entered the two-way state, they are considered neighbors.

- For each multi-access network segment, there is a DR and a BDR as well as other routers. This is true for multi-access segments (for example, if you have ten VLANs in your switched area, you will have ten DRs and ten BDRs) but not for point-to-point links, where DRs are not necessary.
- The router with the highest priority (or highest router ID) becomes the DR.

Loopback Interfaces

A loopback interface is a logical, virtual interface on a router that always remains up. By default, the router does not have any loopback interfaces, but they can easily be created.

OSPF routers use Link State Advertisements (LSAs) to communicate with each other. One type of LSA is a hello, which is used to form neighbor relationships and as a keep-alive function. Hellos are generated every ten seconds. When sharing link information (directly connected routes), links are sent to the DR (224.0.0.6), and the DR disseminates this to everyone else on the segment (224.0.0.5).

Sharing Routing Information

After electing the DR/BDR pair, the routers continue to generate hellos to maintain communication. This is considered an exstart state, in which the OSPF routers are ready to share link state information. The process the routers go through is called an exchange protocol:

1. Exstart state: The DR and BDR form adjacencies with the other OSPF routers on the segment, and then within each adjacency, the router with the highest router ID becomes the master and starts the exchange process first (shares its link state information). Note that the DR is not necessarily the master for the exchange process. The remaining router in the adjacency will be the slave.
2. Exchange state: The master starts sharing link state information first, with the slave. These are called DBDs (database description packets), also referred to as DDPs. The DBDs contain the link-state type, the ID of the advertising router, the cost of the advertised link, and the sequence number of the link. The slave responds with an LSACK, an acknowledgment of the DBD from the master. The slave then compares the DBD's information with its own.
3. Loading state: If the master has more up-to-date information than the slave, the slave will respond to the master's original DBD with an LSR (Link State Request).
The master will then send an LSU (Link State Update) with the detailed information of the links to the slave. The slave will then incorporate this into its local link state database. Again, the slave will generate an LSACK to the master to acknowledge that it received the LSU. If a slave has more up-to-date information, it will repeat the "exchange" and "loading" states.
4. Full state: Once the master and the slave are synchronized, they are considered to be in a full state.

To summarize these four steps: OSPF routers share a type of LSA message in order to disclose information about available routes. Basically, an LSA update message contains a link and a state, as well as other information. A link is the router interface on which the update was generated (a connected route). The state is a description of this interface, including the IP address configured on it as well as the relationship this router has with its neighboring router. However, OSPF routers will not share this information with just any OSPF router. A two-way state indicates that two OSPF routers are neighbors. A full state indicates the completion of sharing of links between routers.

The cost metric is the inverse of the accumulated bandwidth values of the routers' interfaces. The default measurement that Cisco uses in calculating the cost metric is:

    cost = 10^8 / (interface bandwidth in bps)

OSPF Routing Configurations

In this article I will demonstrate an example of OSPF routing configuration. We will use four different router series so you can get familiar with all the platforms covered in the CCNA exam. Create a topology as shown in the figure.

Configuring OSPF is slightly different from configuring RIP. When configuring OSPF, use the following syntax:

Router(config)# router ospf process_ID
Router(config-router)# network IP_address wildcard_mask area area_#

The process_ID is locally significant and is used to differentiate between OSPF processes running on the same router.
Your router might be a boundary router between two OSPF autonomous systems, and to differentiate them on your router, you give them unique process IDs. Note that these numbers do not need to match between different routers and that they have nothing to do with autonomous system numbers.

1841 Series Router0 (R1)
  FastEthernet0/0   IP address 10.0.0.1   Connected with PC0
  Serial0/0/0       IP address 20.0.0.1   Connected with R2 on Serial 0/0

2811 Series Router0 (R4)
  FastEthernet0/0   IP address 50.0.0.1   Connected with PC1
  Serial0/0/0       IP address 40.0.0.2   Connected with R3 on Serial 0/0

2621XM Series Router0 (R3)
  FastEthernet0/0   IP address 30.0.0.2   Connected with R2 on FastEthernet0/0
  Serial0/0         IP address 40.0.0.1   Connected with R4 on Serial 0/0/0

2620XM Series Router1 (R2)
  FastEthernet0/0   IP address 30.0.0.1   Connected with R3 on FastEthernet0/0
  Serial0/0         IP address 20.0.0.2   Connected with R1 on Serial 0/0/0

PC-PT PC0
  FastEthernet0     IP address 10.0.0.2   Default gateway 10.0.0.1   Connected with R1 on FastEthernet0/0

PC-PT PC1
  FastEthernet0     IP address 50.0.0.2   Default gateway 50.0.0.1   Connected with R4 on FastEthernet0/0

To configure any router, double-click it and select CLI. To configure this topology, use this step-by-step guide.

(1841 Router0) Hostname R1

To configure and enable OSPF routing on R1, follow these commands exactly.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 20.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
R1(config)#

(2620XM Router1) Hostname R2

To configure and enable OSPF routing on R2, follow these commands exactly.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#router ospf 2
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 3
00:03:10: %OSPF-5-ADJCHG: Process 2, Nbr 20.0.0.1 on Serial0/0 from LOADING to FULL, Loading Done
0.0.0.0 0.255.255.255 area 0
R2(config-router)#network 30.0.0.0 0.255.255.255 area 0
R2(config-router)#exit
R2(config)#

(2620XM Router2) Hostname R3

To configure and enable OSPF routing on R3, follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R3(config)#router ospf 3
R3(config-router)#network 40.0.0.0 0.255.255.255 area 0
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
00:04:53: %OSPF-5-ADJCHG: Process 3, Nbr 30.0.0.1 on FastEthernet0/0 from LOADING to FULL, Loading D
R3(config-router)#exit
R3(config)#
%SYS-5-CONFIG_I: Configured from console by console
R3#

(2811 Router3) Hostname R4

To configure and enable OSPF routing on R4, follow these commands exactly.

Router>enable
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#hostname R4
R4(config)#router ospf 4
R4(config-router)#network 50.0.0.0 0.255.255.255 area 0
R4(config-router)#network 40.0.0.0 0.255.255.255 area 0
R4(config-router)#
00:06:32: %OSPF-5-ADJCHG: Process 4, Nbr 40.0.0.1 on Serial0/0/0 from LOADING to FULL, Loading Done
R4(config-router)#exit
R4(config)#

PC-1

PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>

PC-2

PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 140ms, Maximum = 157ms, Average = 148ms

You can verify that OSPF is running successfully via the show ip protocols command in privileged mode.

R4#show ip protocols
Routing Protocol is "ospf 4"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 50.0.0.1
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    50.0.0.0 0.255.255.255 area 0
    40.0.0.0 0.255.255.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    40.0.0.1             110      00:01:26
  Distance: (default is 110)
R4#

You can use the show ip route command to troubleshoot the OSPF network. If you do not see information about a route, check the router attached to that network.

R4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O    10.0.0.0/8 [110/1564] via 40.0.0.1, 00:02:37, Serial0/0/0
O    20.0.0.0/8 [110/1563] via 40.0.0.1, 00:02:37, Serial0/0/0
O    30.0.0.0/8 [110/782] via 40.0.0.1, 00:02:37, Serial0/0/0
C    40.0.0.0/8 is directly connected, Serial0/0/0
C    50.0.0.0/8 is directly connected, FastEthernet0/0
R4#

To test OSPF routing, ping from PC1 to PC2 and vice versa. If you get a reply, you have successfully configured OSPF routing; if you do not get a reply, double-check this configuration and troubleshoot. I have uploaded a configured and tested topology; if you are unable to locate the problem, download that configuration file.
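The metrics in the R4 routing table above (782, 1563, 1564) follow from the cost formula given earlier. Here is an added worked example, not code from this page or from Cisco, that computes the cost of each interface and runs Dijkstra's SPF over this lab topology from R4's point of view. It assumes that the serial interfaces left at their default bandwidth (R2 Serial0/0 and R4 Serial0/0/0) run at 128 kbps, the Packet Tracer default that these numbers imply; on real IOS the default is 1544 kbps and the costs would differ.

```python
"""OSPF interface cost and SPF for the four-router lab on this page.

Added example (not page or Cisco code). It reproduces R4's costs from
'show ip route' (782, 1563, 1564) out of interface bandwidths.
Assumption: serials without an explicit 'bandwidth' command are 128 kbps
(Packet Tracer default); real IOS defaults to 1544 kbps.
"""
import heapq

REFERENCE_BANDWIDTH_BPS = 100_000_000  # Cisco default reference: 10^8


def ospf_cost(bandwidth_kbps: int) -> int:
    """cost = 10^8 / interface bandwidth in bps, truncated, never below 1."""
    return max(1, REFERENCE_BANDWIDTH_BPS // (bandwidth_kbps * 1000))


# (router, outgoing interface, attached network, bandwidth in kbps).
# 'bandwidth 64' was set on R1 Serial0/0/0 and R3 Serial0/0 in the configs
# above; FastEthernet is 100000 kbps; the other serials use the assumption.
LINKS = [
    ("R1", "FastEthernet0/0", "10.0.0.0/8", 100_000),
    ("R1", "Serial0/0/0",     "20.0.0.0/8", 64),
    ("R2", "Serial0/0",       "20.0.0.0/8", 128),
    ("R2", "FastEthernet0/0", "30.0.0.0/8", 100_000),
    ("R3", "FastEthernet0/0", "30.0.0.0/8", 100_000),
    ("R3", "Serial0/0",       "40.0.0.0/8", 64),
    ("R4", "Serial0/0/0",     "40.0.0.0/8", 128),
    ("R4", "FastEthernet0/0", "50.0.0.0/8", 100_000),
]


def build_graph(links):
    """Directed graph: router -> network costs the outgoing interface cost;
    network -> router costs 0, which is how OSPF treats transit networks."""
    graph = {}
    for router, _iface, network, bw in links:
        graph.setdefault(router, {})[network] = ospf_cost(bw)
        graph.setdefault(network, {})[router] = 0
    return graph


def spf(graph, source):
    """Dijkstra from 'source'; returns the cost to every router and network."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        for nxt, w in graph[node].items():
            nd = d + w
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return dist


def routing_table(links, router):
    """Cost from 'router' to each network, as 'show ip route' would list it."""
    dist = spf(build_graph(links), router)
    return {n: c for n, c in dist.items() if n.endswith("/8")}


if __name__ == "__main__":
    for net, cost in sorted(routing_table(LINKS, "R4").items()):
        print(f"{net:12} cost {cost}")
```

The two directly connected networks appear as C entries in the real output; here they are listed with their own interface cost.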
Then compare it with yours to find where the mistake was made (ospf routing configurations).

OSPF configuration commands

Command                                                  Description
Router(config)#router ospf 1                             Starts OSPF process 1. The process ID is any positive integer value between 1 and 65,535.
Router(config-router)#network 172.16.0.0 0.0.255.255 area 0   OSPF advertises interfaces, not networks. Uses the wildcard mask to determine which interfaces to advertise.
Router(config-if)#ip ospf hello-interval 20              Changes the Hello Interval timer to 20 seconds.
Router(config-if)#ip ospf dead-interval 80               Changes the Dead Interval timer to 80 seconds. NOTE: Hello and Dead Interval timers must match for routers to become neighbors.
Router#show ip protocol                                  Displays parameters for all protocols running on the router.
Router#show ip route                                     Displays a complete IP routing table.
Router#show ip ospf                                      Displays basic information about OSPF routing processes.
Router#show ip ospf interface                            Displays OSPF information as it relates to all interfaces.
Router#show ip ospf interface fastethernet 0/0           Displays OSPF information for interface fastethernet 0/0.
Router#show ip ospf border-routers                       Displays border and boundary router information.
Router#show ip ospf neighbor                             Lists all OSPF neighbors and their states.
Router#show ip ospf neighbor detail                      Displays a detailed list of neighbors.
Router#clear ip route *                                  Clears the entire routing table, forcing it to rebuild.
Router#clear ip route a.b.c.d                            Clears the specific route to network a.b.c.d.
Router#clear ip ospf counters                            Resets OSPF counters.
Router#clear ip ospf process                             Resets the entire OSPF process, forcing OSPF to re-create neighbors, database, and routing table.
Router#debug ip ospf events                              Displays all OSPF events.
Router#debug ip ospf adjacency                           Displays various OSPF states and DR/BDR election between adjacent routers.
Router#debug ip ospf packet                              Displays OSPF packets.

Access control list

ACLs are basically a set of commands, grouped together by a number or name, that is used to filter traffic entering or leaving an interface. When activating an ACL on an interface, you must specify in which direction the traffic should be filtered:
- Inbound (as the traffic comes into an interface)
- Outbound (before the traffic exits an interface)

Inbound ACLs: Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the packet is permitted by the tests, it is processed for routing.

Outbound ACLs: Incoming packets are routed to the outbound interface and then processed through the outbound ACL.

Universal facts about access control lists
1. ACLs come in two varieties: numbered and named.
2. Each of these references to ACLs supports two types of filtering: standard and extended.
3. Standard IP ACLs can filter only on the source IP address inside a packet.
4. Extended IP ACLs can filter on the source and destination IP addresses in the packet.
5. There are two actions an ACL can take: permit or deny.
6. Statements are processed top-down.
7. Once a match is found, no further statements are processed; therefore, order is important.
8. If no match is found, the imaginary implicit deny statement at the end of the ACL drops the packet.
9. An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the hidden implicit deny statement at the end of every ACL.

No matter what type of ACL you use, though, you can have only one ACL per protocol, per interface, per direction. For example, you can have one IP ACL inbound on an interface and another IP ACL outbound on an interface, but you cannot have two inbound IP ACLs on the same interface.

Access List Ranges

Type                          Range
IP Standard                   1–99
IP Extended                   100–199
IP Standard Expanded Range    1300–1999
IP Extended Expanded Range    2000–2699

Standard ACLs

A standard IP ACL is simple; it filters based on source address only.
You can filter a source network or a source host, but you cannot filter based on the destination of a packet, on the particular protocol being used, such as the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP), or on the port number. You can permit or deny only source traffic.

Extended ACLs
An extended ACL gives you much more power than a standard ACL. Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allows administrators more flexibility and control.

Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is not very descriptive of their use. With a named ACL this is not the case, because you can give your ACL a descriptive name. The ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are both IP standard and IP extended named ACLs. Another advantage of named ACLs is that they allow you to remove individual lines from an ACL. With numbered ACLs you cannot delete individual statements; instead, you need to delete your existing access list and re-create the entire list.

Configuration guidelines
- Order of statements is important: put the most restrictive statements at the top of the list and the least restrictive at the bottom.
- ACL statements are processed top-down until a match is found, and then no more statements in the list are processed.
- If no match is found in the ACL, the packet is dropped (implicit deny).
- Each ACL needs either a unique number or a unique name.
- The router cannot filter traffic that it, itself, originates.
- You can have only one IP ACL applied to an interface in each direction (inbound and outbound); you can't have two or more inbound or outbound ACLs applied to the same interface. (Actually, you can have one ACL for each protocol, like IP and IPX, applied to an interface in each direction.)
- Applying an empty ACL to an interface permits all traffic by default: in order for an ACL to have an implicit deny statement, you need at least one actual permit or deny statement.
- Remember the numbers you can use for IP ACLs. Standard ACLs can use numbers ranging 1–99 and 1300–1999, and extended ACLs can use 100–199 and 2000–2699.

Wildcard masks
A wildcard mask is not a subnet mask. Like an IP address or a subnet mask, a wildcard mask is composed of 32 bits. When doing the conversion, subtract each byte in the subnet mask from 255. There are two special types of wildcard masks: 0.0.0.0 and 255.255.255.255. A 0.0.0.0 wildcard mask is called a host mask. If you enter 255.255.255.255, the router will convert the address and mask to the keyword any.

Placement of ACLs
Standard ACLs should be placed as close to the destination devices as possible. Extended ACLs should be placed as close to the source devices as possible.

Standard access lists
Because a standard access list filters traffic based only on its source, all you need is the IP address of the host or subnet you want to permit or deny. ACLs are created in global configuration mode and then applied on an interface. The syntax for creating a standard ACL is:

access-list {1-99 | 1300-1999} {permit | deny} source-address [wildcard mask]

In this article we will configure a standard access list. If you want to read about the features and characteristics of access lists, read the previous article, Access control list. In this article we will use a RIP running topology, which we created in the RIP routing practical. Download this RIP routing topology (Rip Routing) and open it in Packet Tracer. If you want to learn how we created this topology, read the article Configure Rip Routing.

Three basic steps to configure a standard access list
1. Use the access-list global configuration command to create an entry in a standard ACL.
2. Use the interface configuration command to select an interface to which to apply the ACL.
3. Use the ip access-group interface configuration command to activate the existing ACL on an interface.

With access lists you will have a variety of uses for wildcard masks, but from a CCNA exam perspective you should be able to do the following:
1. Match a specific host
2. Match an entire subnet
3. Match an IP range
4. Match everyone and anyone

Match specific hosts
Task: You have been given a task to block 10.0.0.3 from gaining access to 40.0.0.0, while 10.0.0.3 must be able to communicate with the other networks. Other computers from the network 10.0.0.0 must be able to connect with the network 40.0.0.0.

Decide where to apply the ACL and in which direction. Our host must be able to communicate with other hosts except 40.0.0.0, so we will place this access list on FastEthernet 0/1 of R2 (2811), the interface connected to the network 40.0.0.0. The direction will be out, because the packet is filtered while it is leaving the interface. If you place this list on R1 (1841), host 10.0.0.3 will not be able to communicate with any other host, including 40.0.0.0.

To configure R2, double-click on it and select CLI. Choose only one of the two methods below; the result is the same.

R2>enable
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out

OR

R2>enable
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out

To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out, as this packet is filtered by the ACL. Then ping 30.0.0.3; it should reply successfully.

PC>ping 40.0.0.3
Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 40.0.0.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>ping 30.0.0.3
Pinging 30.0.0.3 with 32 bytes of data:
Request timed out.
Reply from 30.0.0.3: bytes=32 time=140ms TTL=126
Reply from 30.0.0.3: bytes=32 time=156ms TTL=126
Reply from 30.0.0.3: bytes=32 time=112ms TTL=126
Ping statistics for 30.0.0.3:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 112ms, Maximum = 156ms, Average = 136ms

As we applied the access list only to a specific host, other computers from the network 10.0.0.0 must still be able to connect with the network 40.0.0.0. To test, ping from 10.0.0.2 to 40.0.0.3.

PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 40.0.0.3
Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Reply from 40.0.0.3: bytes=32 time=141ms TTL=126
Reply from 40.0.0.3: bytes=32 time=140ms TTL=126
Reply from 40.0.0.3: bytes=32 time=125ms TTL=126
Ping statistics for 40.0.0.3:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 125ms, Maximum = 141ms, Average = 135ms

Match an entire subnet
Task: You have been given a task to block the network 10.0.0.0 from gaining access to 40.0.0.0, while 10.0.0.0 must be able to communicate with the other networks.

Wildcards
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or networks.

Formula to calculate the wildcard mask for an access list
The key to matching an entire subnet is to use the following formula for the wildcard mask:

Wildcard mask = 255.255.255.255 - subnet mask

So, for example, if my current subnet mask was 255.0.0.0, the wildcard mask would be 0.255.255.255:

  255.255.255.255
- 255.  0.  0.  0
-----------------
    0.255.255.255

Once you have calculated the wildcard mask, the rest is the same as in the previous example:

R2>enable
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#

To test, first ping from 10.0.0.3 to 40.0.0.3; it should time out, as this packet is filtered by the ACL. Then ping 30.0.0.3; it should reply successfully. Now ping from 10.0.0.2 to 40.0.0.3 and then to 30.0.0.2; the result should be the same, because the packets are now filtered on a network basis.

Match an IP range
Task: You are a network administrator at ComputerNetworkingNotes.com. Your task is to block the IP range 10.3.16.0 – 10.3.31.255 from gaining access to the network 40.0.0.0.

Solution
Our range is 10.3.16.0 – 10.3.31.255. In order to find the mask, take the higher IP and subtract the lower IP from it:

  10.3.31.255
- 10.3.16.  0
-------------
   0.0.15.255

In this case the wildcard mask for this range is 0.0.15.255. To filter this range, you would use the following:

R2>enable
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 2 deny 10.3.16.0 0.0.15.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#

One thing to note is that each non-zero value in the mask must be one less than a power of 2, i.e. 0, 1, 3, 7, 15, 31, 63, 127, 255.

Match everyone and anyone
This is the easiest access list to create; just use the following:

access-list 1 permit any

or

access-list 1 permit 0.0.0.0 255.255.255.255

Secure telnet sessions via a standard ACL
This is among the most heavily tested topics in the CCNA exam.
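The wildcard arithmetic from the sections above (subnet mask to wildcard, IP range to wildcard, the "one less than a power of 2" rule, and the host/any shorthand) as an added Python example; this is not code from the tutorial. It goes one step beyond the page by also checking that the low address of a range is aligned to the block the wildcard describes, because "high minus low" alone can produce a mask that matches a different block than the one intended. All inputs are constructed.

```python
"""Wildcard-mask arithmetic for standard ACLs (added example, not code
from the original tutorial). Constructed inputs only.

  - wildcard_from_subnet_mask: 255.255.255.255 minus the subnet mask, octet by octet
  - wildcard_from_range: high minus low, plus the contiguity check the tutorial
    mentions (2^n - 1) and an alignment check it does not mention
  - matches / ios_shorthand: how a router applies the mask and why
    0.0.0.0 and 255.255.255.255 become 'host' and 'any'
"""
import ipaddress


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_from_subnet_mask(mask: str) -> str:
    """Subtract each octet of the subnet mask from 255 (255.0.0.0 -> 0.255.255.255)."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {mask}")
    return ".".join(str(255 - o) for o in octets)


def wildcard_from_range(low: str, high: str) -> tuple:
    """Return (address, wildcard) that matches exactly low..high, or raise
    ValueError when no single standard-ACL entry can express the range."""
    lo, hi = to_int(low), to_int(high)
    if hi < lo:
        raise ValueError("high address is below low address")
    wc = hi - lo
    # Contiguous ones from the right: the whole 32-bit value must be 2^n - 1.
    # This is stricter than (and implies) the per-octet rule 0,1,3,7,...,255.
    if (wc + 1) & wc:
        raise ValueError(f"range size {wc + 1} is not a power of two")
    # The low address must have zero bits wherever the wildcard has ones;
    # otherwise the entry would match a shifted block, not this range.
    if lo & wc:
        raise ValueError(f"{low} is not aligned to a block of {wc + 1} addresses")
    return low, to_str(wc)


def matches(addr: str, base: str, wildcard: str) -> bool:
    """A packet address matches when every bit the wildcard marks 0 agrees with base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0


def ios_shorthand(base: str, wildcard: str) -> str:
    """What IOS shows in the running configuration for the two special masks."""
    if wildcard == "0.0.0.0":
        return f"host {base}"
    if wildcard == "255.255.255.255":
        return "any"
    return f"{base} {wildcard}"


if __name__ == "__main__":
    print(wildcard_from_subnet_mask("255.0.0.0"))
    print(wildcard_from_range("10.3.16.0", "10.3.31.255"))
    print(ios_shorthand("10.0.0.3", "0.0.0.0"), "/", ios_shorthand("0.0.0.0", "255.255.255.255"))
```

The alignment check is the part worth remembering: 10.3.17.0 – 10.3.32.255 also has a difference of 0.0.15.255, but 10.3.17.0 0.0.15.255 matches 10.3.16.0 – 10.3.31.255, not the range asked for, so such a range needs more than one entry.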
We could use an extended ACL to secure telnet sessions, but if you did that you'd have to apply it inbound on every interface, and that really wouldn't scale well to a large router with dozens, even hundreds, of interfaces. Here's a much better solution: use a standard IP access list to control access to the VTY lines themselves. To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the routers.
2. Apply the access list to the VTY lines with the access-class command.

Task: Secure R2 so that only 20.0.0.2 can telnet to it; all other telnet sessions should be denied.

R2>enable
R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 3 permit host 20.0.0.2
R2(config)#line vty 0 4
R2(config-line)#password vinita
R2(config-line)#login
R2(config-line)#access-class 3 in

To test, telnet from 20.0.0.2 first; it should be successful.

PC>ipconfig
IP Address......................: 20.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
User Access Verification
Password:
R2>

Now telnet from any other PC apart from 20.0.0.2; it must be filtered and denied.

PC>ipconfig
IP Address......................: 20.0.0.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
% Connection refused by remote host
PC>

Configure extended access lists
An extended ACL gives you much more power than a standard ACL. Extended IP ACLs check both the source and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters, which allows administrators more flexibility and control.
access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]

Command parameters (parameter, then its description):

access-list
    Main command.
access-list-number
    Identifies the list using a number in the ranges 100–199 or 2000–2699.
permit | deny
    Indicates whether this entry allows or blocks the specified address.
protocol
    IP, TCP, UDP, ICMP, GRE, or IGRP.
source and destination
    Identifies the source and destination IP addresses.
source-wildcard and destination-wildcard
    Wildcard masks applied to the source and destination addresses.
operator port
    The operator can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to). The port number referenced can be either the source port or the destination port, depending on where in the ACL the port number is configured. As an alternative to the port number, well-known application names can be used, such as Telnet, FTP, and SMTP.
established
    For inbound TCP only. Allows TCP traffic to pass if the packet is a response to an outbound-initiated session. This type of traffic has the acknowledgement (ACK) bits set. (See the Extended ACL with the Established Parameter example.)
log
    Sends a logging message to the console.

Before we configure extended access lists, you should memorize some important port numbers.

Well-known port numbers and IP protocols
20 (TCP)        FTP data
21 (TCP)        FTP control
23 (TCP)        Telnet
25 (TCP)        Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP)    Domain Name System (DNS)
69 (UDP)        TFTP
80 (TCP)        HTTP

In this article we will configure extended access lists. If you want to read about the features and characteristics of access lists, read the previous article, Access control list. In this article we will use a RIP running topology, which we created in the RIP routing practical.
Download this RIP routing topology (Rip Routing) and open it in Packet Tracer. If you want to learn how we created this topology, read the article Configure Rip Routing.

Three basic steps to configure an extended access list
1. Use the access-list global configuration command to create an entry in an extended ACL.
2. Use the interface configuration command to select an interface to which to apply the ACL.
3. Use the ip access-group interface configuration command to activate the existing ACL on an interface.

With access lists you will have a variety of uses for wildcard masks, but from a CCNA exam perspective you should be able to do the following:
1. Block host to host
2. Block host to network
3. Block network to network
4. Block telnet access to critical resources of the company
5. Limit FTP access to particular users
6. Stop exposure of the private network through ping
7. Limit web access
8. Configure the established keyword

Block host to host
Task: You are the network administrator at ComputerNetworkingNotes.com. Your company hires a new employee and gives him a PC, 10.0.0.3. Your company's critical records remain on 40.0.0.3, so you are asked to block access to 40.0.0.3 from 10.0.0.3, while 10.0.0.3 must be able to connect with the other computers of the network to perform his tasks.

Decide where to apply the ACL and in which direction. As we are configuring an extended access list, we can filter the packet as soon as it is generated, so we will place our access list on F0/0 of Router1841, the port nearest to 10.0.0.3.

To configure Router1841 (hostname R1), double-click on it and select CLI:

R1>enable
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#access-list 101 deny ip host 10.0.0.3 40.0.0.3 0.0.0.0
R1(config)#access-list 101 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 to 40.0.0.3. It should time out.
Also ping the other computers of the network, including 40.0.0.2; those pings should be successful.

Block host to network
Task: Now we will block 10.0.0.3 from gaining access to the network 40.0.0.0. (If you are doing this practical after configuring the previous example, don't forget to remove the last access list, 101, with the no access-list command, or just close Packet Tracer without saving and reopen it to continue with this example.)

R1(config)#access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255
R1(config)#access-list 102 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 102 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 to 40.0.0.3 and to 40.0.0.2. Both should time out. Also ping computers of the other networks; those pings should be successful.

Network to network access list
Task: The students' lab is configured on the network 10.0.0.0, while the management systems remain in the network 40.0.0.0. You are asked to stop the lab systems from gaining access to the management systems. Now we will block the network 10.0.0.0 from gaining access to the network 40.0.0.0. (If you are doing this practical after configuring the previous example, don't forget to remove the previous access list with the no access-list command, or just close Packet Tracer without saving and reopen it to continue with this example.)

R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3 and 40.0.0.2. They should time out. Also ping computers of the other networks; those pings should be successful.

Network to host
Task: For the final scenario you will block all traffic to 40.0.0.3 from the network 10.0.0.0. To accomplish this, write an extended access list. The access list should look something like the following:

R1(config)#interface fastethernet 0/0
R1(config-if)#no ip access-group 103 in
R1(config-if)#exit
R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0
R1(config)#access-list 104 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
R1(config)#

Verify by pinging from 10.0.0.3 and 10.0.0.2 to 40.0.0.3. It should time out. Also ping computers of the other networks; those pings should be successful.

Application-based extended access lists
In the previous examples we filtered IP-based traffic. Now we will filter application-based traffic. To do this practical, either create a topology as shown in the figure and enable the telnet, HTTP and FTP services on the server, or download this pre-configured topology (Extended Access list) and load it in Packet Tracer.

The established keyword
The established keyword is an advanced feature that will allow traffic through only if it sees that a TCP session is already established. A TCP session is considered established if the three-way handshake has been initiated first. This keyword is added only to the end of extended ACLs that are filtering TCP traffic.
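An added Python simulator (not code from the tutorial, and not how IOS is implemented) of the processing rules from the standard ACL section (top-down, first match wins, implicit deny, an empty list permits everything, source-only matching) and of the extended ACL tasks on this page, including the established keyword just described and the ICMP and port filters that follow. It parses the same access-list syntax used in the examples. Packets are constructed; only numeric ports after eq are understood, and the operators lt, gt and neq, named ports and log are out of scope.

```python
"""Simulator for how a numbered IOS access list is evaluated (added example,
not code from the tutorial). Entries are checked top-down, the first match
decides, a non-empty ACL ends with an implicit deny, an empty ACL permits
everything, standard lists (1-99, 1300-1999) look at the source only, and
extended lists also check protocol, destination, 'eq <port>', ICMP type and
'established' (TCP with the ACK bit set). Packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Bits may differ only where the wildcard mask has a 1."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) ^ to_int(base)) & care == 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"        # ip, tcp, udp or icmp
    dport: int = 0           # destination port for tcp/udp
    icmp_type: str = ""      # e.g. "echo" or "echo-reply"
    ack: bool = False        # TCP ACK flag, which is what 'established' looks for


@dataclass
class Entry:
    action: str              # permit or deny
    proto: str               # 'ip' matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    port: Optional[int] = None
    established: bool = False
    icmp_type: Optional[str] = None


def _address(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any', 'host A', 'A WILDCARD' or a bare 'A' (a single host)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]


def parse(line: str) -> Entry:
    """Parse one 'access-list N permit|deny ...' line as written on this page."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    number, action, rest = int(t[1]), t[2], t[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard: source only
        src, src_wc, rest = _address(rest)
        return Entry(action, "ip", src, src_wc, "0.0.0.0", "255.255.255.255")
    proto, rest = rest[0], rest[1:]                      # extended
    src, src_wc, rest = _address(rest)
    dst, dst_wc, rest = _address(rest)
    entry = Entry(action, proto, src, src_wc, dst, dst_wc)
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            entry.port = int(rest.pop(0))
        elif tok == "established":
            entry.established = True
        elif proto == "icmp":
            entry.icmp_type = tok
        else:
            raise ValueError(f"unsupported keyword: {tok}")
    return entry


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not wildcard_match(p.src, e.src, e.src_wc) or not wildcard_match(p.dst, e.dst, e.dst_wc):
        return False
    if e.port is not None and p.dport != e.port:
        return False
    if e.established and not (p.proto == "tcp" and p.ack):
        return False
    if e.icmp_type is not None and p.icmp_type != e.icmp_type:
        return False
    return True


def evaluate(acl: List[str], packet: Packet) -> str:
    """Return 'permit' or 'deny' for the packet against the ACL lines."""
    entries = [parse(line) for line in acl]
    if not entries:
        return "permit"          # an empty ACL applied to an interface permits all
    for entry in entries:        # top-down, first match wins
        if matches(entry, packet):
            return entry.action
    return "deny"                # implicit deny at the end of every ACL


# Constructed sample lists, copied from the tasks on this page
BLOCK_HOST = ["access-list 1 deny host 10.0.0.3", "access-list 1 permit any"]
ESTABLISHED_ONLY = ["access-list 101 permit tcp any any established"]
NO_PING = ["access-list 102 deny icmp any any echo", "access-list 102 permit ip any any"]
```

Reversing the two lines of BLOCK_HOST makes the deny unreachable, which is the "order is important" guideline in executable form; a list containing only the deny line drops 10.0.0.2 as well, which is the implicit deny.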
You can use TCP established to deny all traffic into your network except for incoming traffic that was first initiated from inside your network. This is commonly used to block all originating traffic from the Internet into a company's network except for Internet traffic that was first initiated by users inside the company. The following configuration would accomplish this for all TCP-based traffic coming in on interface serial 0/0/0 of the router:

R1(config)#access-list 101 permit tcp any any established
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit

Although the access list uses a permit statement, all traffic is denied unless it was first established from the inside network. If the router sees that the three-way TCP handshake is successful, it will then begin to allow traffic through.

To test this access list, double-click on any PC from the network 10.0.0.0 and select Web Browser. Now enter the IP of the web server, 30.0.0.2. It should successfully access the web page. Now go to 30.0.0.2, open the command prompt, and ping 10.0.0.2 or any other PC from the network 10.0.0.0. It will time out.

Stop ping but allow access to the web server
We host our web server on 30.0.0.2, but we do not want to allow external users to ping our server, as that could be used for denial of service. Create an access list that will filter all ping requests inbound on the serial 0/0/0 interface of router R2.

R2(config)#access-list 102 deny icmp any any echo
R2(config)#access-list 102 permit ip any any
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 102 in

To test this access list, ping from 10.0.0.2 to 30.0.0.2; it should time out. Now open the web browser and access 30.0.0.2; the page should be retrieved successfully.

Grant FTP access to a limited user
You want to grant FTP access only to 10.0.0.2; no other user needs FTP access to the server. So you want to create a list to prevent FTP traffic that originates from the subnet 10.0.0.0/8, going to the 30.0.0.2 server, from travelling in on Ethernet interface E0/1 on R1.

R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21
R1(config)#access-list 103 deny tcp any any eq 20
R1(config)#access-list 103 deny tcp any any eq 21
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 103 in
R1(config-if)#exit

Grant Telnet access to a limited user
For security purposes you don't want to provide telnet access to the server from any system other than your own. Your system is 10.0.0.4. Create an extended access list to prevent telnet traffic that originates from the subnet 10.0.0.0 to the server.

R1(config)#access-list 104 permit tcp host 10.0.0.4 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 permit ip any any
R1(config)#interface fast 0/1
R1(config-if)#ip access-group 104 in
R1(config-if)#exit

WAN terms and definitions; encapsulation methods HDLC and PPP

A WAN is a data communications network that operates beyond the geographical scope of a LAN. WANs use facilities provided by a service provider, or carrier, such as a telephone or cable company. They connect the locations of an organization to each other, to locations of other organizations, to external services, and to remote users. WANs generally carry a variety of traffic types, such as voice, data, and video. WAN connections are made up of many types of equipment and components. Data communications equipment (DCE) terminates a connection between two sites and provides clocking and synchronization for that connection; it connects to data terminal equipment (DTE). A DTE is an end-user device, such as a router or PC, which connects to the WAN via the DCE.
WAN terms (term, then its definition):

Customer premises equipment (CPE)
    Your network's equipment, which includes the DCE (modem, NT1, CSU/DSU) and your DTE (router, access server).
Demarcation point
    Where the responsibility of the carrier is passed on to you; this could be inside or outside your local facility. Note that this is a logical boundary, not necessarily a physical boundary.
Local loop
    The connection from the carrier's switching equipment to the demarcation point.
Central office (CO)
    The carrier's switch within the toll network.
Toll network
    The carrier's internal infrastructure for transporting your data.

Customer premises equipment (CPE)
Customer premises equipment (CPE) is equipment that's owned by the subscriber and located on the subscriber's premises.

Demarcation point
The demarcation point is the precise spot where the service provider's responsibility ends and the CPE begins. It's generally a device in a telecommunications closet owned and installed by the telecommunications company (telco). It's your responsibility to cable (extended demarc) from this box to the CPE, which is usually a connection to a CSU/DSU or ISDN interface.

Local loop
The local loop connects the demarc to the closest switching office, which is called a central office.

Central office (CO)
This point connects the customer's network to the provider's switching network.

Toll network
The toll network is a trunk line inside a WAN provider's network. This network is a collection of switches and facilities owned by the ISP.

Definitely familiarize yourself with these terms, because they're crucial to understanding WAN technologies.

Synchronous vs asynchronous
A synchronous serial connection allows you to simultaneously send and receive information without having to wait for any signal from the remote side. Nor does a synchronous connection need to indicate when it is beginning to send something or when a transmission ends. These two things, plus how clocking is done, are the three major differences between synchronous and asynchronous connections; asynchronous connections are typically used for dialup connections, such as modems.

Wide-area networking can be broken into three categories:
- Leased line
- Circuit switched
- Packet switched

Leased-line connections
With a leased line, you get your very own piece of wire from your location to the service provider's network. This is good because no other customer can affect your line, as can be the case with other WAN services. You have a lot of control over this circuit to do things such as Quality of Service and other traffic management. The downside is that a leased line is expensive, and gets a lot more expensive if you need to connect offices that are far apart. These are usually referred to as point-to-point or dedicated connections. A leased line is a pre-established WAN communications path that goes from the CPE through the DCE switch, then over to the CPE of the remote site. A leased line makes sense when:
- The distance between the two sites is small, making it cost-effective.
- You have a constant amount of traffic between the two sites and need to guarantee bandwidth for certain applications.

Circuit-switched connections
A circuit-switched WAN uses the phone company as the service provider, either with analog dial-up or digital ISDN connections. With circuit switching, if you need to connect to the remote LAN, a call is dialed and a circuit is established; the data is sent across the circuit, and the circuit is taken down when it is no longer needed. Circuit-switched connections include the following types:
- Asynchronous serial connections: These include analog modem dialup connections and the standard telephone system, which is commonly referred to as Plain Old Telephone Service (POTS) by the telephone carriers.
- Synchronous serial connections: These include digital ISDN BRI and PRI dialup connections; they provide guaranteed bandwidth.
Packet-switched connections
Packet-switched WAN services allow you to connect to the provider's network in much the same way as a PC connects to a hub: when connected, your traffic is affected by other customers' traffic and theirs by yours. This can be an issue sometimes, but it can be managed. The advantage of this shared-bandwidth technology is that with a single physical connection from your router's serial port, you can establish virtual connections to many other locations around the world. Packet-switched connections use logical circuits to make connections between two sites. These logical circuits are referred to as virtual circuits (VCs). So if you have a lot of branch offices and they are far away from the head office, a packet-switched solution is a good idea.

X.25
The oldest of these technologies is X.25, which is an ITU-T standard. X.25 is a network layer protocol that runs across both synchronous and asynchronous physical circuits, providing a lot of flexibility for your connection options. X.25 was actually developed to run across unreliable media. It provides error detection and correction, as well as flow control, at both the data link layer (by LAPB) and the network layer (by X.25). In this sense, it performs a function similar to what TCP, at the transport layer, provides for IP. Because of its overhead, X.25 is best delegated to asynchronous, unreliable connections. If you have a synchronous digital connection, another protocol, such as Frame Relay or ATM, is much more efficient.

Frame Relay
Frame Relay is a digital packet-switched service that can run only across synchronous digital connections at the data link layer. Because it uses digital connections (which have very few errors), it does not perform any error correction or flow control as X.25 does. Frame Relay will, however, detect errors and drop bad frames. It is up to a higher layer protocol, such as TCP, to resend the dropped information.

ATM
ATM is also a packet-switched technology that uses digital circuits. Unlike Frame Relay and X.25, however, this service uses fixed-length (53 byte) packets, called cells, to transmit information. Therefore, this service is commonly called a cell-switched service. It has an advantage over Frame Relay in that it can provide guaranteed throughput and minimal delay for a multitude of services, including voice, video, and data. However, it does cost more than Frame Relay services. ATM (sort of an enhanced Frame Relay) can offer a connection guaranteed bandwidth, limited delay, a limited number of errors, Quality of Service (QoS), and more. Frame Relay can provide some minimal guarantees to connections, but not to the degree of precision that ATM can. Whereas Frame Relay is limited to 45 Mbps connections, ATM can scale to very high speeds: OC-192 (SONET), for instance, affords about 10 Gbps of bandwidth.

Encapsulation methods
With each WAN solution there is an encapsulation type. Encapsulations wrap an information envelope around your data that is used to transport your data traffic. If you use a leased line as your wide-area networking choice, you can encapsulate your data inside a High-Level Data Link Control (HDLC) frame, a PPP frame, or a Serial Line IP (SLIP) frame. For packet-switched networks, you can encapsulate or package your data in X.25 frames, Frame Relay frames, or Asynchronous Transfer Mode (ATM) cells.

HDLC
Based on ISO standards, the HDLC (High-Level Data Link Control) protocol can be used with synchronous and asynchronous connections and defines the frame type and interaction between two devices at the data link layer. Cisco's HDLC is a proprietary protocol and will not work with other companies' routers.

PPP
PPP (the Point-to-Point Protocol) is based on an open standard. PPP has two main components:
- LCP (Link Control Protocol)
- NCP (Network Control Protocol)

NCP is responsible for supporting multiple Layer 3 protocols.
Each protocol has its own NCP, such as the IPCP for IP communication and IPXCP for IPX communication. Think of NCP as the "packager"; it is responsible for packaging, or encapsulating, your packets into a control protocol that is readable by PPP. The link control protocol is used for establishing the link and negotiating optional settings. These options include Compression— You can compress your data to conserve bandwidth across your WAN. Options for compression are Stacker and Predictor. Callback— With callback, you dial into a router using a modem or ISDN and then disconnect. The other router then calls you back at a predefined number. This option is used for centralized billing and security reasons. Multilink— Multilink allows you to bundle together more than one link to create more bandwidth. (Traffic will load balance across the links.) For example, you can bundle two 64K channels together to get a combined 128K. Authentication— You can use authentication to verify a router's identity when it is connecting into your router. Options for authentication include CHAP and PAP. PPP Authentication PAP goes through a two-way handshake process. In this process, the source sends its username (or hostname) and password, in clear text, to the destination. The destination compares this information with a list of locally stored usernames and passwords. If it finds a match, the destination sends back an accept message. If it doesn't find a match, it sends back a reject message. CHAP uses a three-way handshake process to perform the authentication. The source sends its username (not its password) to the destination. The destination sends back a challenge, which is a random value generated by the destination. used by the source to find the appropriate password to use for authentication Both sides then take the source's username, the matching password, and the challenge and run them through the MD5 hashing function. 
The source then takes the result of this function and sends it to the destination. The destination compares this value to the hashed output that it generated. If the two values match, then the password used by the source must have been the same as was used by the destination, and thus the destination will permit the connection.

Configure HDLC, PPP, PAP and CHAP

In this article I will demonstrate how you can configure WAN encapsulation protocols. HDLC is the default encapsulation for synchronous serial links on Cisco routers. You would only use the encapsulation hdlc command to return the link to its default state.

For a practical example of HDLC and PPP, create a simple topology as shown in the figure, or download this preconfigured topology and load it in Packet Tracer.

Pre configured topology for PPP and HDLC

Double click on R1 and check the default encapsulation:

Router>enable
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
  Hardware is HD64570
  Internet address is 20.0.0.1/8
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]

As you can verify, the default encapsulation on the router is HDLC. A WAN link works only when it detects the same protocol on both sides. To check this, change the default encapsulation to PPP:

Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation ppp
Router(config-if)#exit
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is down (disabled)
  Hardware is HD64570
  Internet address is 20.0.0.1/8
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
[output is omitted]

As you can see, the line protocol is down.
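The PAP and CHAP exchanges described in the PPP Authentication section above, reduced to the credential check, as an added example. This is not code from the original article and not Cisco's implementation; the router names and the shared password "vinita" are taken from the lab in this article, and the digest is built as RFC 1994 specifies, MD5(Identifier || secret || Challenge), which is the precise form of the "username, password and challenge" hashing the text describes. The replay check at the end is what a practitioner would want to confirm: a response captured from one exchange is useless against the next challenge.

```python
"""PAP versus CHAP on a PPP link, reduced to the credential check.

Added example, not code from the original article. Names and secrets are
constructed to match the lab above: R1 authenticates to R2 with the shared
password "vinita". The CHAP digest follows RFC 1994:
    Response = MD5(Identifier || secret || Challenge)
"""
import hashlib
import hmac
import os

# Authenticator (R2) side: the table built by "username R1 password vinita".
LOCAL_USERS = {"R1": "vinita"}


def pap_authenticate(username, password):
    """PAP two-way handshake: the peer sends username and password in clear
    text and the authenticator looks them up. Anyone watching the link sees
    the password itself."""
    return LOCAL_USERS.get(username) == password


def chap_challenge():
    """Authenticator step 1: an 8-bit identifier plus a fresh random challenge.
    Freshness is what makes a captured response useless later."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, secret, challenge):
    """Peer step 2: hash identifier, secret and challenge. Only the 16-byte
    digest goes on the wire; the secret never does."""
    data = bytes([identifier]) + secret.encode("utf-8") + challenge
    return hashlib.md5(data).digest()


def chap_authenticate(username, identifier, challenge, response):
    """Authenticator step 3: recompute the digest from the locally stored
    secret for that username and compare in constant time."""
    secret = LOCAL_USERS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_chap(peer_username, peer_secret):
    """Full three-way exchange between a peer holding peer_secret and the
    authenticator. Returns True when the link would come up."""
    identifier, challenge = chap_challenge()                         # R2 -> R1: Challenge
    response = chap_response(identifier, peer_secret, challenge)     # R1 -> R2: Response
    return chap_authenticate(peer_username, identifier, challenge, response)  # R2: Success/Failure


def replay_is_rejected():
    """A response recorded from one exchange does not satisfy the next one,
    because the authenticator issues a new identifier and challenge each time."""
    identifier, challenge = chap_challenge()
    recorded = chap_response(identifier, "vinita", challenge)
    new_identifier, new_challenge = chap_challenge()
    return not chap_authenticate("R1", new_identifier, new_challenge, recorded)


if __name__ == "__main__":
    print("PAP R1/vinita:", pap_authenticate("R1", "vinita"))
    print("CHAP R1/vinita:", run_chap("R1", "vinita"))
    print("CHAP R1/wrong:", run_chap("R1", "wrong"))
    print("replay rejected:", replay_is_rejected())
```

The contrast worth noticing is in what crosses the link: pap_authenticate receives the password itself, while chap_authenticate only ever receives a digest bound to a challenge it chose. That is why the command reference below lets you order the methods as "chap pap" rather than "pap chap" when the peer supports both.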
To bring it back up, set the encapsulation back to HDLC and restart the port with the shutdown and no shutdown commands:

Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation hdlc
Router(config-if)#shutdown
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
  Hardware is HD64570
  Internet address is 20.0.0.1/8
  MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omitted]

Configuration of PPP

Now we will configure PPP encapsulation on both routers. We will also authenticate it with CHAP. The hostnames of the routers are R1 and R2, and the password is vinita.

Double click on R1 and configure it:

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#username R2 password vinita
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
R1(config-if)#exit
R1(config)#

Now configure R2 for PPP:

Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#username R1 password vinita
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config)#

HDLC PPP command reference sheet

Router(config)#interface serial 0/0/0
    Moves to interface configuration mode
Router(config-if)#encapsulation hdlc
    Sets the encapsulation mode for this interface to HDLC
Router(config)#interface serial 0/0/0
    Moves to interface configuration mode
Router(config-if)#encapsulation ppp
    Changes encapsulation from default HDLC to PPP
Router(config)#username R1 password vinita
    Sets a username of R1 and a password of vinita for authentication from the other side of the PPP serial link. This is used by the local router to authenticate the PPP peer
Router(config)#interface serial 0/0/0
    Moves to interface configuration mode
Router(config-if)#ppp authentication pap
    Turns on Password Authentication Protocol (PAP) authentication only
Router(config-if)#ppp authentication chap
    Turns on Challenge Handshake Authentication Protocol (CHAP) authentication only
Router(config-if)#ppp authentication pap chap
    Defines that the link will use PAP authentication, but will try CHAP if PAP fails or is rejected by the other side
Router(config-if)#ppp authentication chap pap
    Defines that the link will use CHAP authentication, but will try PAP if CHAP fails or is rejected by the other side
Router(config-if)#ppp pap sent-username R1 password vinita
    This command must be set if using PAP in Cisco IOS Software Release 11.1 or later
Router#show interfaces serial x
    Lists information for serial interface x
Router#show controllers serial x
    Tells you what type of cable (DCE/DTE) is plugged into your interface and whether a clock rate has been set
Router#debug serial interface
    Displays whether serial keepalive counters are incrementing
Router#debug ppp
    Displays any traffic related to PPP
Router#debug ppp packet
    Displays PPP packets that are being sent and received
Router#debug ppp negotiation
    Displays PPP packets related to the negotiation of the PPP link

Frame Relay

Frame Relay is a scalable WAN solution that is often used as an alternative to leased lines when leased lines prove to be unaffordable. With Frame Relay, you can have a single serial interface on a router connecting into multiple remote sites through virtual circuits.

Basic concepts of Frame Relay

From the exam perspective, you should be familiar with the following terms.

Virtual Circuits (VCs)

A VC is a logical connection between two devices; therefore, many of these VCs can exist on the same physical connection. The advantage that VCs have over leased lines is that they can provide full connectivity at a much lower price. VCs are also full-duplex: you can simultaneously send and receive on the same VC.
There are two types of VCs: permanent VCs (PVCs) and switched or semipermanent VCs (SVCs). A PVC is similar to a leased line: it is configured up front by the carrier and remains up as long as there is a physical circuit path from the source to the destination. SVCs are similar to telephone circuit-switched connections: whenever you need to send data to a connection, an SVC is dynamically built and then torn down once your data has been sent. A disadvantage of PVCs is that they require a lot of manual configuration up front to establish the VC. Another disadvantage is that they aren't very flexible: if the PVC fails, there is no dynamic rebuilding of the PVC around the failure.

LMI

Three different standards are defined for LMI:
1. ANSI's Annex D standard, T1.617
2. ITU-T's Q.933 Annex A standard
3. The Gang of Four

Because LMI is locally significant, each Frame Relay DTE in your network does not have to use the same LMI type. The main function of LMI is to allow the Frame Relay DTE and DCE to exchange status information about the VCs and themselves. Cisco has default timers for their status enquiry and full status update messages. Status enquiry messages are sent every ten seconds, by default. Every sixth message is a full status update message.

The three possible states that your PVC can be in are:

Active: Active is good. Active means that everything is up and operational.
Inactive: Inactive is bad. Inactive means that you are connected to your Frame Relay provider, but there is a problem with the far-end connection. The problem is most likely between the far-end router and its connection to the Frame Relay provider. You should contact your provider to troubleshoot the issue.
Deleted: Deleted is also bad. Deleted means that there is a problem between your router and the Frame Relay provider's equipment. You should contact your provider to troubleshoot this issue.

DLCI

Each VC has a unique local address, called a DLCI.
Circuits are identified by data-link connection identifiers (DLCIs). DLCIs are assigned by your provider and are used between your router and the Frame Relay provider. In other words, DLCIs are locally significant. This means that as a VC traverses various segments in a WAN, the DLCI numbers can be different for each segment. The carrier's switches take care of mapping DLCI numbers for a VC between DTEs and DCEs.

Nonbroadcast Multiaccess

Nonbroadcast multiaccess (NBMA) is a term used to describe WAN networks that use VCs for connectivity. Frame Relay is an NBMA medium, which means that broadcast traffic is not allowed to traverse the Frame Relay network.

Split Horizon Issues

The main problem of NBMA environments arises when the network is partially meshed for a subnet. This can create problems with routing protocols that support split horizon.

Solutions to Split Horizon Problems

Given the preceding problem with routing protocols that use split horizon, there are solutions that you can use to overcome this issue:
- Use static routes instead of dynamic routing protocols. This is not a scalable solution.
- Disable split horizon with the no ip split-horizon command. This could create a loop if you are not careful.
- Have a fully meshed topology where every router has a PVC to every other router. This can get expensive.
- Use subinterfaces. This is your best option.

Subinterfaces

A subinterface is a subset of an existing physical interface. As far as the router is concerned, the subinterface is a separate interface. By creating subinterfaces, each circuit can be on its own subnet. There are two types of subinterfaces:

Point-to-point: This maps a single IP subnet to a single subinterface and DLCI.
Multipoint: This maps a single IP subnet to multiple DLCIs on a subinterface.

Inverse ARP

Frame Relay needs a mechanism to map Layer 3 addresses to Layer 2 Frame Relay DLCIs.
This can be done through a static map command (shown later in the configuration section) or through Inverse ARP. Just like Ethernet ARP, Inverse ARP is used to map a Layer 3 address to a Layer 2 address. However, Ethernet ARP maps an IP address to a MAC address, whereas Inverse ARP maps an IP address (or other protocol address) to a DLCI.

FECN (forward explicit congestion notification): This value in the Frame Relay frame header is set by the carrier switch (typically) to indicate congestion inside the carrier network to the destination device at the end of the VC; the carrier may be doing this to your traffic as it is on its way to its destination.

BECN (backward explicit congestion notification): This value is set by the destination DTE (Frame Relay device) in the header of the Frame Relay frame to indicate congestion (from the source to the destination) to the source of the Frame Relay frames (the source DTE, the router). Sometimes the carrier switches can generate BECN frames in the backward direction to the source to speed up the congestion notification process. The source can then adapt its rate on the VC appropriately.

Access rate: This is the speed of the physical connection (such as a T1) between your router and the Frame Relay switch.

CIR (committed information rate): This is the average data rate, measured over a fixed period of time, that the carrier guarantees for a VC.

BC (committed burst rate): This is the average data rate (over a period of a smaller fixed time than CIR) that a provider guarantees for a VC; in other words, it implies a smaller time period but a higher average than the CIR to allow for small bursts in traffic.

BE (excessive burst rate): This is the fastest data rate at which the provider will ever service the VC. Some carriers allow you to set this value to match the access rate.

DE (discard eligibility): This is used to mark a frame as low priority.
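The traffic-contract terms just defined (access rate, CIR, BC, BE and DE) worked through numerically, as an added example that is not code from the original article and not any carrier's or vendor's implementation. It applies the usual Frame Relay policing model: within each measurement interval Tc = Bc / CIR, traffic up to Bc bits is forwarded unchanged, traffic between Bc and Bc + Be is forwarded with DE set, and anything beyond Bc + Be is discarded. The CIR, burst sizes, access rate and frame sizes are constructed values.

```python
"""Frame Relay traffic-contract terms worked through: Tc, conforming bits,
DE marking, peak rate and oversubscription.

Added example, not code from the original article. The rule applied is the
usual Frame Relay policing model: within each measurement interval
Tc = Bc / CIR, traffic up to Bc bits is forwarded as-is, traffic between Bc
and Bc + Be is forwarded with the DE bit set, and anything beyond Bc + Be is
discarded. Rates and frame sizes are constructed.
"""


def committed_interval(cir_bps, bc_bits):
    """Tc in seconds: the window over which the carrier measures Bc."""
    return bc_bits / cir_bps


def police_interval(frame_sizes_bits, bc_bits, be_bits):
    """Classify frames arriving within one Tc, in order, by cumulative bits.
    Returns a list of 'conform', 'DE' or 'discard', one entry per frame."""
    tags = []
    sent = 0
    for size in frame_sizes_bits:
        sent += size
        if sent <= bc_bits:
            tags.append("conform")
        elif sent <= bc_bits + be_bits:
            tags.append("DE")          # forwarded, but first to be dropped under congestion
        else:
            tags.append("discard")
    return tags


def max_sustained_rate(cir_bps, bc_bits, be_bits):
    """Fastest rate the provider will ever service on the VC: (Bc + Be) / Tc.
    Some carriers let this equal the access rate, as the text notes."""
    return (bc_bits + be_bits) / committed_interval(cir_bps, bc_bits)


def oversubscription_ratio(cirs_bps, access_rate_bps):
    """Sum of the CIRs on an interface divided by its access rate; above 1.0
    you are betting the VCs never all run at contract rate at the same time."""
    return sum(cirs_bps) / access_rate_bps


# Constructed contract: 64 kbps CIR, Bc 8000 bits, Be 4000 bits on a 128 kbps access line.
CIR, BC, BE, ACCESS_RATE = 64_000, 8_000, 4_000, 128_000
# Five frames arriving within one Tc (sizes in bits, constructed).
ARRIVALS = [4_000, 3_000, 2_000, 4_000, 2_000]


if __name__ == "__main__":
    print("Tc (s):", committed_interval(CIR, BC))
    print("per-frame treatment:", police_interval(ARRIVALS, BC, BE))
    print("peak rate (bps):", max_sustained_rate(CIR, BC, BE))
    print("oversubscription with three such VCs:",
          oversubscription_ratio([CIR, CIR, CIR], ACCESS_RATE))
```

With these numbers Tc is 125 ms, the first two frames (7000 bits) conform, the third crosses Bc and is forwarded with DE set, and the last two exceed Bc + Be and are dropped at the ingress switch; three such VCs on a 128 kbps line give a 1.5 oversubscription ratio, which is the bet the text describes.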
DE can be set manually, or the carrier will set it for a frame that is nonconforming to your traffic contract (exceeding the CIR/BC values).

Oversubscription: When you add up all of the CIRs of your VCs on an interface and they exceed the access rate of the interface, you are betting that all of your VCs will not run, simultaneously, at their traffic-contracted rates.

Configuration of Frame Relay

Configuring Frame Relay involves the following steps:

Change the encapsulation

Go into interface mode and select the Frame Relay encapsulation on the interface. There are two types of Frame Relay encapsulations: Cisco and IETF. Cisco is the default. The syntax to set your encapsulation is:

encapsulation frame-relay [ietf]

Configure the LMI type

The three LMI types are cisco, ansi, and q933a. For IOS 11.2 and higher, the LMI type is automatically detected.

frame-relay lmi-type [cisco | ansi | q933a]

Configure the Frame Relay map

Configuring a static Frame Relay map is optional unless you are using subinterfaces. The Frame Relay map will map a Layer 3 address to a local DLCI. This step is optional because Inverse ARP will automatically perform this mapping for you. The syntax for a Frame Relay map is as follows:

frame-relay map protocol address dlci [broadcast] [cisco | ietf]

Configure subinterfaces

If you are using a routing protocol in a hub-and-spoke topology, you will probably want to use subinterfaces to avoid the split-horizon problem. To configure a subinterface, remove the IP address from the main interface and put it under the subinterface. Configuring a subinterface involves assigning it a number and specifying the type.
The following command creates point-to-point subinterface serial0/0.1:

Router(config)#interface serial0/0.1 point-to-point

To create a multipoint subinterface, enter multipoint instead:

Router(config)#interface serial0/0.1 multipoint

Assign an IP address to the subinterface

After entering one of these commands you will be taken to subinterface configuration mode, where you can enter your IP address:

Router(config-subif)#ip address 10.0.0.2 255.0.0.0

If you are using a multipoint subinterface, you will need to configure frame-relay maps and you cannot rely on Inverse ARP. If you are using a point-to-point subinterface, you will need to assign a DLCI to the subinterface. This is only for point-to-point subinterfaces; it is not needed on the main interface or on multipoint subinterfaces. To assign a DLCI to a point-to-point subinterface, enter the following command under the subinterface:

frame-relay interface-dlci dlci

Configuration of Frame Relay (lab)

Let's practically implement whatever you have learned so far. Download this preconfigured topology and load it in Packet Tracer.

Download topology for packet tracer

Now first configure R1. The Fast Ethernet port and hostname are already configured. Double click on R1, configure the serial port for Frame Relay encapsulation, and then create subinterfaces for connecting R2, R3 and R4. Also configure static routes for reaching the remaining networks.
Configure R1

R1>enable
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface serial 0/0/0.102 point-to-point
R1(config-subif)#ip address 192.168.1.245 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.103 point-to-point
R1(config-subif)#ip address 192.168.1.249 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.104 point-to-point
R1(config-subif)#ip address 192.168.1.253 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 104
R1(config-subif)#exit
R1(config)#ip route 192.168.1.64 255.255.255.224 192.168.1.246
R1(config)#ip route 192.168.1.96 255.255.255.224 192.168.1.250
R1(config)#ip route 192.168.1.128 255.255.255.224 192.168.1.254
R1(config)#exit

Configure R2

R2>enable
R2#configure terminal
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101 point-to-point
R2(config-subif)#ip address 192.168.1.246 255.255.255.252
R2(config-subif)#frame-relay interface-dlci 101
R2(config-subif)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.245

Configure R3

R3>enable
R3#configure terminal
R3(config)#interface serial 0/0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 0/0/0.101 point-to-point
R3(config-subif)#ip address 192.168.1.250 255.255.255.252
R3(config-subif)#frame-relay interface-dlci 101
R3(config-subif)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.249
R3(config)#

Configure R4

R4>enable
R4#configure terminal
R4(config)#interface serial 0/0/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface serial 0/0/0.101 point-to-point
R4(config-subif)#ip address 192.168.1.254 255.255.255.252
R4(config-subif)#frame-relay interface-dlci 101
R4(config-subif)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.253
R4(config)#

Now verify by pinging from PC0 to all the PCs. The pings should succeed. I have uploaded a configured topology, but use it as a last resort; first try to configure it yourself.

Download Configured Frame Relay

Frame Relay command reference sheet

Router(config)#interface serial 0/0/0
    Enters interface mode
Router(config-if)#encapsulation frame-relay
    Turns on Frame Relay encapsulation with the default encapsulation type of cisco
Router(config-if)#frame-relay lmi-type {ansi | cisco | q933a}
    Depending on the option you select, this command sets the LMI type to the ANSI standard, the Cisco standard, or the ITU-T Q.933 Annex A standard
Router(config-if)#frame-relay interface-dlci 110
    Sets the DLCI number of 110 on the local interface and enters Frame Relay DLCI configuration mode
Router(config-fr-dlci)#exit
    Returns to interface configuration mode
Router(config-if)#frame-relay map ip 192.168.100.1 110 broadcast
    Maps the remote IP address (192.168.100.1) to the local DLCI number (110). The optional broadcast keyword specifies that broadcasts across IP should be forwarded to this address. This is necessary when using dynamic routing protocols
Router(config-if)#no frame-relay inverse-arp
    Turns off Inverse ARP
Router#show frame-relay map
    Displays IP/DLCI map entries
Router#show frame-relay pvc
    Displays the status of all PVCs configured
Router#show frame-relay lmi
    Displays LMI statistics
Router#clear frame-relay counters
    Clears and resets all Frame Relay counters
Router#clear frame-relay inarp
    Clears all Inverse ARP entries from the map table
Router#debug frame-relay lmi
    Used to help determine whether a router and Frame Relay switch are exchanging LMI packets properly

Welcome to the Wireless Network

Wireless Networking

Wireless networking is the new face of networking. Wireless networking has been around for many years. Cell phones are also a type of wireless communication and are popular today for people talking to each other worldwide. Wireless networks are not only less expensive than more traditional wired networks but also much easier to install. An important goal of this site is to provide you with adequate knowledge for installing a wireless network and for getting certified in wireless networks as well. Perhaps you already use wireless networking in your local coffee shop, at the airport, or in hotel lobbies, and you want to set up a small office or home network. You already know how great wireless networking is, so you want to enjoy the benefits where you live and work. It is truly transformational to one's lifestyle to decouple computing from the wires! If you are looking to set up a wireless network, you've come to the right place. We will show you the best way to set up a wireless network easily. Many people are looking to find out how to use wireless networking at home. In this wireless networking section we provide an absolute beginner's guide in the perfect format for easily learning what you need to know to get up to speed with wireless networks without wasting a lot of time. The organization of this site, and the special elements that we have described in this section, will help you get the information you need quickly, accurately, and with clarity.
In this section you will find inspiration as well as practical information. We believe that wireless networking is a modest technology that has the power to have a huge and positive impact. This is wonderful material, and it's lots of fun! So what are you waiting for? It's time to go for wireless networking.

Wireless Network

A wireless network enables people to communicate and access applications and information without wires. This provides freedom of movement and the ability to extend applications to different parts of a building, city, or nearly anywhere in the world. Wireless networks allow people to interact with e-mail or browse the Internet from a location that they prefer. Many types of wireless communication systems exist, but a distinguishing attribute of a wireless network is that communication takes place between computer devices. These devices include personal digital assistants (PDAs), laptops, personal computers (PCs), servers, and printers. Computer devices have processors, memory, and a means of interfacing with a particular type of network. Traditional cell phones don't fall within the definition of a computer device; however, newer phones and even audio headsets are beginning to incorporate computing power and network adapters. Eventually, most electronics will offer wireless network connections. As with networks based on wire or optical fiber, wireless networks convey information between computer devices. The information can take the form of e-mail messages, web pages, database records, streaming video or voice. In most cases, wireless networks transfer data, such as e-mail messages and files, but advancements in the performance of wireless networks are enabling support for video and voice communications as well.

Types of Wireless Networks

WLANS: Wireless Local Area Networks

WLANs allow users in a local area, such as a university campus or library, to form a network or gain access to the Internet.
A temporary network can be formed by a small number of users without the need for an access point, given that they do not need access to network resources.

WPANS: Wireless Personal Area Networks

The two current technologies for wireless personal area networks are Infra Red (IR) and Bluetooth (IEEE 802.15). These allow the connectivity of personal devices within an area of about 30 feet. However, IR requires a direct line of sight and the range is less.

WMANS: Wireless Metropolitan Area Networks

This technology allows the connection of multiple networks in a metropolitan area, such as different buildings in a city, which can be an alternative or backup to laying copper or fiber cabling.

WWANS: Wireless Wide Area Networks

These types of networks can be maintained over large areas, such as cities or countries, via multiple satellite systems or antenna sites looked after by an ISP. These types of systems are referred to as 2G (2nd Generation) systems.

Comparison of Wireless Network Types

Type          Coverage                     Performance  Standards                             Applications
Wireless PAN  Within reach of a person     Moderate     Bluetooth, IEEE 802.15, and IrDA      Cable replacement for peripherals
Wireless LAN  Within a building or campus  High         IEEE 802.11, Wi-Fi, and HiperLAN      Mobile extension of wired networks
Wireless MAN  Within a city                High         Proprietary, IEEE 802.16, and WiMAX   Fixed wireless between homes and businesses and the Internet
Wireless WAN  Worldwide                    Low          CDPD and Cellular 2G, 2.5G, and 3G    Mobile access to the Internet from outdoor areas

Wireless Networking Access Modes

Two 802.11 access modes can be used in a WLAN:
- Ad hoc mode
- Infrastructure mode

Ad hoc mode is based on the Independent Basic Service Set (IBSS). In IBSS, clients can set up connections directly to other clients without an intermediate AP. This allows you to set up peer-to-peer network connections and is sometimes used in a SOHO.
The main problem with ad hoc mode is that it is difficult to secure, since each device you need to connect to will require authentication. This problem, in turn, creates scalability issues. Infrastructure mode was designed to deal with security and scalability issues. In infrastructure mode, wireless clients can communicate with each other, albeit via an AP. Two infrastructure mode implementations are in use:
- Basic Service Set (BSS)
- Extended Service Set (ESS)

In BSS mode, clients connect to an AP, which allows them to communicate with other clients or LAN-based resources. The WLAN is identified by a single SSID; however, each AP requires a unique ID, called a Basic Service Set Identifier (BSSID), which is the MAC address of the AP's wireless card. This mode is commonly used for wireless clients that don't roam, such as PCs. In ESS mode, two or more BSSs are interconnected to allow for larger roaming distances. To make this as transparent as possible to the clients, such as PDAs, laptops, or mobile phones, a single SSID is used among all of the APs. Each AP, however, will have a unique BSSID.

Coverage Areas

A WLAN coverage area includes the physical area in which the RF signal can be sent and received. Two types of WLAN coverage are based on the two infrastructure mode implementations:
- Basic Service Area (BSA)
- Extended Service Area (ESA)

The terms BSS and BSA, and ESS and ESA, can be confusing. BSS and ESS refer to the building topology, whereas BSA and ESA refer to the actual signal coverage.

BSA: With BSA, a single area called a cell is used to provide coverage for the WLAN clients and AP.
ESA: With ESA, multiple cells are used to provide additional coverage over larger distances or to overcome areas that have signal interference or degradation. When using ESA, remember that each cell should use a different radio channel.

Wireless Basics

Radio Frequency Transmission Factors

Radio frequencies (RF) are generated by antennas that propagate the waves into the air.
Antennas fall under two different categories: directional and omni-directional. Directional antennas are commonly used in point-to-point configurations (connecting two distant buildings), and sometimes point-to-multipoint (connecting two WLANs). An example of a directional antenna is a Yagi antenna: this antenna allows you to adjust the direction and focus of the signal to intensify your range/reach. Omni-directional antennas are used in point-to-multipoint configurations, where they distribute the wireless signal to other computers or devices in your WLAN. An access point would use an omni-directional antenna. These antennas can also be used for point-to-point connections, but they lack the distance that directional antennas supply.

Three main factors influence signal distortion:

Absorption: Objects that absorb the RF waves, such as walls, ceilings, and floors
Scattering: Objects that disperse the RF waves, such as rough plaster on a wall, carpet on the floor, or drop-down ceiling tiles
Reflection: Objects that reflect the RF waves, such as metal and glass

Responsible bodies

The International Telecommunication Union-Radio Communication Sector (ITU-R) is responsible for managing the radio frequency (RF) spectrum and satellite orbits for wireless communications: its main purpose is to provide for cooperation and coexistence of standards and implementations across country boundaries. Two standards bodies are primarily responsible for implementing WLANs:

- IEEE defines the mechanical process of how WLANs are implemented in the 802.11 standards so that vendors can create compatible products.
- The Wi-Fi Alliance certifies companies by ensuring that their products follow the 802.11 standards, thus allowing customers to buy WLAN products from different vendors without having to be concerned about compatibility issues.

Frequency bands

WLANs use three unlicensed bands:
1. 900 MHz: Used by older cordless phones
2. 2.4 GHz: Used by newer cordless phones, WLANs, Bluetooth, microwaves, and other devices
3. 5 GHz: Used by the newest models of cordless phones and WLAN devices

The 900 MHz and 2.4 GHz frequencies are referred to as the Industrial, Scientific, and Medical (ISM) bands. The 5 GHz frequency is the Unlicensed National Information Infrastructure (UNII) band. Unlicensed bands are still regulated by governments, which might define restrictions on their usage. A hertz (Hz) is a unit of frequency that measures the change in a state or cycle in a wave (sound or radio) or alternating current (electricity) during 1 second.

Transmission Methods

Direct Sequence Spread Spectrum (DSSS) uses one channel to send data across all frequencies within that channel. Complementary Code Keying (CCK) is a method for encoding transmissions for higher data rates, such as 5.5 and 11 Mbps, but it still allows backward compatibility with the original 802.11 standard, which supports only 1 and 2 Mbps speeds. 802.11b and 802.11g support this transmission method.

OFDM (Orthogonal Frequency Division Multiplexing) increases data rates by using spread spectrum modulation. 802.11a and 802.11g support this transmission method.

MIMO (Multiple Input Multiple Output) transmission uses DSSS and/or OFDM by spreading its signal across 14 overlapping channels at 5 MHz intervals. 802.11n uses it. Use of 802.11n requires multiple antennas.

WLAN Standards

Standard            802.11a     802.11b                               802.11g       802.11n
Data Rate           54 Mbps     11 Mbps                               54 Mbps       248 Mbps (with 2×2 antennas)
Throughput          23 Mbps     4.3 Mbps                              19 Mbps       74 Mbps
Frequency           5 GHz       2.4 GHz                               2.4 GHz       2.4 and/or 5 GHz
Compatibility       None        With 802.11g and the original 802.11  With 802.11b  802.11a, b, and g
Range (meters)      35–120      38–140                                38–140        70–250
Number of Channels  Up to 23    3                                     3             14
Transmission        OFDM        DSSS                                  DSSS/OFDM     MIMO

Wireless Networking Basic Security

How an end user client with a WLAN NIC accesses a LAN:

1. To allow clients to find the AP easily, the AP periodically broadcasts beacons, announcing its Service Set Identifier (SSID), data rates, and other WLAN information.
2. The SSID is a naming scheme for WLANs that allows an administrator to group WLAN devices together.
3. To discover APs, clients will scan all channels and listen for the beacons from the AP(s). By default, the client will associate itself with the AP that has the strongest signal.
4. When the client associates itself with the AP, it sends the SSID, its MAC address, and any other security information that the AP might require based on the authentication method configured on the two devices.
5. Once connected, the client periodically monitors the signal strength of the AP to which it is connected.
6. If the signal strength becomes too low, the client will repeat the scanning process to discover an AP with a stronger signal. This process is commonly called roaming.

SSID and MAC Address Filtering

When implementing SSIDs, the AP and client must use the same SSID value to authenticate. By default, the access point broadcasts the SSID value, advertising its presence, basically allowing anyone access to the AP. Originally, to prevent rogue devices from accessing the AP, the administrator would turn off the SSID broadcast function on the AP, commonly called SSID cloaking. To allow a client to learn the SSID value of the AP, the client would send a null string value in the SSID field of the 802.11 frame and the AP would respond; of course, this defeats the security measure, since through this query process a rogue device could repeat the same steps and learn the SSID value. Therefore, the APs were commonly configured to filter traffic based on MAC addresses. The administrator would configure a list of MAC addresses in a security table on the AP, listing those devices allowed access; however, the problem with this solution is that MAC addresses can be seen in clear text in the airwaves.
A rogue device can easily sniff the airwaves, see the valid MAC addresses, and change its MAC address to match one of the valid ones. This is called MAC address spoofing.

WEP

WEP (Wired Equivalent Privacy) was the first security solution for WLANs that employed encryption. WEP uses a static 64-bit key, where the key is 40 bits long and a 24-bit initialization vector (IV) is used. The IV is sent in clear text. Because WEP uses RC4 as its encryption algorithm and the IV is sent in clear text, WEP can be broken. To alleviate this problem, the key was extended to 104 bits, with the IV value. However, either variation can easily be broken in minutes on laptops and computers produced today.

802.1x EAP

The Extensible Authentication Protocol (EAP) is a Layer 2 process that allows a wireless client to authenticate to the network. There are two varieties of EAP: one for wireless and one for LAN connections, commonly called EAP over LAN (EAPoL). One of the concerns in wireless is allowing a WLAN client to communicate with devices behind an AP. Three standards define this process: EAP, 802.1x, and Remote Authentication Dial In User Service (RADIUS). EAP defines a standard way of encapsulating authentication information, such as a username and password or a digital certificate, that the AP can use to authenticate the user. 802.1x and RADIUS define how to packetize the EAP information to move it across the network.

WPA

Wi-Fi Protected Access (WPA) was designed by the Wi-Fi Alliance as a temporary security solution to provide for the use of 802.1x and enhancements in the use of WEP until the 802.11i standard was ratified. WPA can operate in two modes: personal and enterprise mode. Personal mode was designed for home or SOHO usage. A pre-shared key is used for authentication, requiring you to configure the same key on the clients and the AP. With this mode, no authentication server is necessary, as it is in the official 802.1x standards.
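The WEP weakness described in the WEP section above (a 24-bit IV sent in the clear, with the RC4 keystream derived from IV || key) worked through as an added example; this is not code from the original article and not any vendor's WEP implementation. It uses a small textbook RC4 and constructs a 40-bit key, one IV and two equal-length payloads to show two things a defender should be able to reason about: two frames that reuse an IV reveal the XOR of their plaintexts to anyone holding both frames, with no key involved, and with only 2^24 IV values a busy access point is expected to repeat one after roughly five thousand frames. The CRC-32 ICV is left out since it plays no part in either point; those are the reasons the text gives for moving to CCMP, which manages its nonces properly.

```python
"""Why a 24-bit clear-text IV sinks WEP: keystream reuse and the birthday bound.

Added example, not code from the original article. The 40-bit key, IV and
packet payloads below are constructed. The per-packet RC4 key is IV || key,
as WEP builds it; the CRC-32 ICV is left out since it plays no part here.
"""
import math


def rc4_keystream(key, length):
    """Plain RC4: key scheduling (KSA) followed by `length` bytes of PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key40, iv, plaintext):
    """WEP-64 frame body: 3-byte IV in the clear, then plaintext XOR RC4(IV || key)."""
    if len(key40) != 5 or len(iv) != 3:
        raise ValueError("WEP-64 uses a 40-bit key and a 24-bit IV")
    keystream = rc4_keystream(iv + key40, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def wep_decrypt(key40, frame):
    """Receiver side: read the IV from the frame and regenerate the keystream."""
    iv, body = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + key40, len(body))
    return bytes(c ^ k for c, k in zip(body, keystream))


def xor_of_frames(frame_a, frame_b):
    """What anyone holding two frames with the same IV can compute without the
    key: c1 XOR c2, which equals p1 XOR p2 because the shared keystream
    cancels. This is the property that makes IV reuse fatal."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; their keystreams differ")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def iv_collision_probability(frames_sent, iv_bits=24):
    """Birthday bound: probability that at least one IV value has repeated
    after `frames_sent` frames with uniformly random IVs."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames_sent * (frames_sent - 1) / (2.0 * space))


def expected_frames_until_repeat(iv_bits=24):
    """Expected number of frames before the first IV repeat: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed lab values: a 40-bit key, one IV, two payloads of equal length.
KEY40 = b"\x01\x23\x45\x67\x89"
IV = b"\x0a\x0b\x0c"
P1 = b"send report now"
P2 = b"hold until 0900"


def demo():
    """Round trip, then the leak from IV reuse. Returns (round_trip_ok, leak_matches)."""
    f1 = wep_encrypt(KEY40, IV, P1)
    f2 = wep_encrypt(KEY40, IV, P2)
    round_trip_ok = wep_decrypt(KEY40, f1) == P1
    leak = xor_of_frames(f1, f2)
    return round_trip_ok, leak == bytes(a ^ b for a, b in zip(P1, P2))


if __name__ == "__main__":
    print("round trip ok, IV reuse leaks p1^p2:", demo())
    print("P(IV repeat) after 5000 frames: %.2f" % iv_collision_probability(5000))
    print("expected frames to first repeat: %.0f" % expected_frames_until_repeat())
```

The point for a defender is that the 64-bit versus 128-bit key size makes no difference to either function: the IV space is 24 bits in both variants, so the repeat rate and the keystream-reuse leak are identical, which is why the text says both can be broken and why the only fix was replacing the cipher mode with CCMP rather than lengthening the key.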
Enterprise mode is meant for large companies, where an authentication server centralizes the authentication credentials of the clients.

WPA2

WPA2 is the Wi-Fi Alliance's implementation of IEEE 802.11i. Instead of WEP, which uses the weak RC4 encryption algorithm, the much more secure Advanced Encryption Standard (AES) in Counter Mode with CBC-MAC Protocol (CCMP) is used.

Complete IPv6 Tutorials

No matter which certification you are preparing for, IPv6 has become an essential part of all major certifications. In order to get an IT certification you must be familiar with IPv6. With a complete series of articles on IPv6 we have tried our level best to give you whatever the universal certifications require from IT professionals. The series covers:

- Limitations of IPv4
- Built-in features of IPv6
- Comparison of IPv4 and IPv6
- Common terms and concepts
- Types of address format
- Special addresses
- Address assignment
- Address autoconfiguration
- Assigning addresses to Windows Server 2008 and Windows Vista
- Tools: ipconfig, ping, tracert, netstat, pathping
- ICMP overview and error messages
- Neighbor Discovery
- Transition strategies
- Configuring a Cisco router with IPv6
- Configuring routing with IPv6

The current version of IP (known as version 4 or IPv4) has not changed substantially since Request for Comments (RFC) 791, which was published in 1981. IPv4 has proven to be robust, easily implemented, and interoperable. It has stood up to the test of scaling internetworks to a global utility the size of today's Internet. This is a tribute to its initial design.
However, the initial design of IPv4 did not anticipate the following:

Limitations of IPv4

The recent exponential growth of the Internet and the impending exhaustion of the IPv4 address space

Given that an IP address is 32 bits in length, there are 2^32 possible IP addresses, which is about 4.3 billion addresses. Only 3.7 billion of these are actually usable. Many addresses are reserved, such as the research (239–254), broadcast (255), multicast (224–239), private (10, 172.16, and 192.168), and loopback (127) addresses. And, of course, many of the usable addresses are already assigned, leaving about 1.3 billion addresses for new growth. As a result, public IPv4 addresses have become relatively scarce, forcing many users and some organizations to use a NAT to map a single public IPv4 address to multiple private IPv4 addresses. Although NATs promote reuse of the private address space, they violate the fundamental design principle of the original Internet that all nodes have a unique, globally reachable address, preventing true end-to-end connectivity for all types of networking applications. Additionally, the rising prominence of Internet-connected devices and appliances ensures that the public IPv4 address space will eventually be depleted.

The need for simpler configuration

Most current IPv4 implementations must be either manually configured or use a stateful address configuration protocol such as Dynamic Host Configuration Protocol (DHCP). With more computers and devices using IP, there is a need for simpler and more automatic configuration of addresses and other configuration settings that does not rely on the administration of a DHCP infrastructure.

The requirement for security at the Internet layer

Private communication over a public medium such as the Internet requires cryptographic services that protect the data being sent from being viewed or modified in transit.
Although a standard now exists for providing security for IPv4 packets (known as Internet Protocol security, or IPsec), this standard is optional for IPv4, and additional security solutions, some of which are proprietary, are prevalent.

The need for better support for prioritized and real-time delivery of data

Although standards for prioritized and real-time delivery of data (sometimes referred to as Quality of Service, or QoS) exist for IPv4, real-time traffic support relies on the 8 bits of the historical IPv4 Type of Service (TOS) field and the identification of the payload, typically using a User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) port. Unfortunately, the IPv4 TOS field has limited functionality and, over time, has been redefined and has different local interpretations. The current standards for IPv4 use the TOS field to indicate a Differentiated Services Code Point (DSCP), a value set by the originating node and used by intermediate routers for prioritized delivery and handling. Additionally, payload identification that uses a TCP or UDP port is not possible when the IPv4 packet payload is encrypted.

To address these and other concerns, the Internet Engineering Task Force (IETF) has developed a suite of protocols and standards known as IP version 6 (IPv6).

Features Built into IPv6

In our last section we learnt about the limitations of IPv4. Now we will discuss the built-in features of IPv6.

Very large address space

IPv6's large address space deals with global growth, where route prefixes can be easily aggregated in routing updates.

Security

IP security (IPsec) is built into IPv6, whereas it is an awkward add-on in IPv4. With IPv6, two devices can dynamically negotiate security parameters and build a secure tunnel between them with no user intervention.

Mobility

With the growth of mobile devices, such as PDAs and smart phones, devices can roam between wireless networks without breaking their connections.
Streamlined encapsulation

The IPv6 encapsulation is simpler than that of IPv4, providing faster forwarding rates by routers and better routing efficiency. No checksums are included, reducing processing on endpoints. No broadcasts are used, reducing utilization of devices within the same subnet.

QoS

QoS information is built into the IPv6 header, where a flow label identifies the traffic; this relieves intermediate network devices from having to examine the contents of the packet (the TCP/UDP headers and payload) to classify the traffic for QoS correctly.

Transition capabilities

Various solutions exist to allow IPv4 and IPv6 to coexist successfully while migrating between the two. One method, dual stack, allows you to run both protocols simultaneously on an interface of a device. A second method, tunneling, allows you to tunnel IPv6 over IPv4 and vice versa, transmitting one IP version across a network that uses the other. Cisco supports a third method, referred to as Network Address Translation-Protocol Translation (NAT-PT), to translate between IPv4 and IPv6 (sometimes the term Proxy is used instead of Protocol).

Stateless and Stateful Address Configuration

To simplify host configuration, IPv6 supports both stateful address configuration (address configuration in the presence of a DHCP for IPv6, or DHCPv6, server) and stateless address configuration (address configuration in the absence of a DHCPv6 server).

New Protocol for Neighboring Node Interaction

The Neighbor Discovery protocol for IPv6 is a series of Internet Control Message Protocol for IPv6 (ICMPv6) messages that manages the interaction of neighboring nodes (nodes on the same link). Neighbor Discovery replaces and extends the broadcast-based Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast Neighbor Discovery messages.
Extensibility

IPv6 can easily be extended for new features by adding extension headers after the IPv6 header.

Comparison of IPv4 and IPv6

IPv6 Solves the Address Depletion Problem

With the explosion in the popularity of the Internet has come the introduction of commerce-related activities that can now be done over the Internet by an ever-increasing number of devices. With IPv4, the number of public addresses available to new devices is limited and shrinking. IPv4 cannot continue to scale and provide global connectivity to all of the planned Internet-capable devices to be produced and connected in the next 10 years. Although these devices can be assigned private addresses, address and port translation introduces complexity for devices that want to perform server, listening, or peer functionality. IPv6 solves the IPv4 public address depletion problem by providing an address space to last well into the twenty-first century. The business benefit of moving to IPv6 is that mobile cell phones, personal data assistants (PDAs), automobiles, appliances, and even people can be assigned multiple globally reachable addresses. The growth of the devices connected to the Internet and the software that these devices run can proceed without restraint and without the complexity and cost of having to operate behind NATs.

IPv6 Solves the Disjoint Address Space Problem

With IPv4, there are typically two different addressing schemes for the home and the enterprise network. In the home, an Internet gateway device (IGD) is assigned a single public IPv4 address and the IGD assigns private IPv4 addresses to the hosts on the home network. An enterprise might have multiple public IPv4 addresses or a public address range and assign public, private, or both types of addresses within the enterprise's intranet. However, the public and private IPv4 address spaces are disjoint; they do not provide symmetric reachability at the Network layer.
Symmetric reachability exists when packets can be sent to and received from an arbitrary destination. With IPv4, there is no single addressing scheme applied to both networks that allows seamless connectivity. Connectivity between disjoint networks requires intermediate devices such as NATs or proxy servers. With IPv6, both homes and enterprises will be assigned global address prefixes and can seamlessly connect, subject to security restrictions such as firewall filtering and authenticated communication.

IPv6 Solves the International Address Allocation Problem

The Internet was principally a creation of educational institutions and government agencies of the United States of America. In the early days of the Internet, connected sites in the United States received IPv4 address prefixes without regard to summarizability or need. The historical result of this address allocation practice is that the United States has a disproportionate number of public IPv4 addresses. With IPv6, public address prefixes are assigned to regional Internet registries, which, in turn, assign address prefixes to ISPs and organizations based on justified need. This new address allocation practice ensures that address prefixes will be distributed globally based on regional connectivity needs, rather than by historical origin. This makes the Internet more of a truly global resource, rather than a United States-centric one. The business benefit to organizations across the globe is that they can rely on having available public IPv6 address space, without the current cost of obtaining IPv4 public address prefixes from their ISP.

IPv6 Restores End-to-End Communication

With IPv4 NATs, there is a technical barrier for applications that rely on listening or peer-based connectivity, because the communicating peers must discover and advertise their public IPv4 addresses and ports.
The workarounds for the translation barrier might also require the deployment of echo or rendezvous servers on the Internet to provide public address and port configuration information. With IPv6, NATs are no longer necessary to conserve public address space, and the problems associated with mapping addresses and ports disappear for developers of applications and gateways. More importantly, end-to-end communication is restored between hosts on the Internet by using addresses in packets that do not change in transit.

IPv6 Uses Scoped Addresses and Address Selection

Unlike IPv4 addresses, IPv6 addresses have a scope, or a defined area of the network over which they are unique and relevant. For example, IPv6 has a global address that is equivalent to the IPv4 public address and a unique local address that is roughly equivalent to the IPv4 private address. Typical IPv4 routers do not distinguish a public address from a private address and will forward a privately addressed packet on the Internet. An IPv6 router, on the other hand, is aware of the scope of IPv6 addresses and will never forward a packet over an interface that does not have the correct scope.

IPv6 Has More Efficient Forwarding

IPv6 is a streamlined version of IPv4. Excluding prioritized delivery traffic, IPv6 has fewer fields to process and fewer decisions to make in forwarding an IPv6 packet. Unlike IPv4, the IPv6 header is a fixed size (40 bytes), which allows routers to process IPv6 packets faster. Additionally, the hierarchical and summarizable addressing structure of IPv6 global addresses means that there are fewer routes to analyze in the routing tables of organization and Internet backbone routers. The consequence is traffic that can be forwarded at higher data rates, resulting in higher performance for tomorrow's high-bandwidth applications that use multiple data types.
IPv6 Has Support for Security and Mobility

IPv6 has been designed to support security (IPsec, with AH and ESP header support required) and mobility (Mobile IPv6, which is optional). Although one could argue that these features are available for IPv4, they are available on IPv4 as extensions, and therefore they have architectural or connectivity limitations that might not have been present if they had been part of the original IPv4 design. It is always better to design features in rather than bolt them on. The result of designing IPv6 with security and mobility in mind is an implementation that is a defined standard, has fewer limitations, and is more robust and scalable to handle the current and future communication needs of the users of the Internet. The business benefit of requiring support for IPsec and using a single, global address space is that IPv6 can protect packets from end to end across the entire IPv6 Internet. Unlike IPsec on the IPv4 Internet, which must be modified and has limited functionality when the endpoints are behind NATs, IPsec on the IPv6 Internet is fully functional between any two endpoints.

IPv6 Common Terms and Concepts

Node: Any device that runs an implementation of IPv6. This includes routers and hosts.

Router: A node that can forward IPv6 packets not explicitly addressed to itself. On an IPv6 network, a router also typically advertises its presence and host configuration information.

Host: A node that cannot forward IPv6 packets not explicitly addressed to itself (a non-router). A host is typically the source and a destination of IPv6 traffic, and it silently discards traffic received that is not explicitly addressed to itself.

Upper-layer protocol: A protocol above IPv6 that uses IPv6 as its transport. Examples include Internet layer protocols such as ICMPv6 and Transport layer protocols such as TCP and UDP (but not Application layer protocols such as FTP and DNS, which use TCP and UDP as their transport).
Link: The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix. Other terms for "link" are subnet and network segment.

Network: Two or more subnets connected by routers. Another term for network is internetwork.

Neighbors: Nodes connected to the same link. Neighbors in IPv6 have special significance because of IPv6 Neighbor Discovery, which has facilities to resolve neighbor link-layer addresses and to detect and monitor neighbor reachability.

Interface: The representation of a physical or logical attachment of a node to a link. An example of a physical interface is a network adapter. An example of a logical interface is a "tunnel" interface that is used to send IPv6 packets across an IPv4 network by encapsulating the IPv6 packet inside an IPv4 header.

Address: An identifier that can be used as the source or destination of IPv6 packets and that is assigned at the IPv6 layer to an interface or set of interfaces.

Packet: The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.

Link MTU: The maximum transmission unit (MTU), that is, the number of bytes in the largest IPv6 packet that can be sent on a link. Because the maximum frame size includes the link-layer medium headers and trailers, the link MTU is not the same as the maximum frame size of the link. The link MTU is the same as the maximum payload size of the link-layer technology. For example, for Ethernet using Ethernet II encapsulation, the maximum Ethernet frame payload size is 1500 bytes. Therefore, the link MTU is 1500. For a link with multiple link-layer technologies (for example, a bridged link), the link MTU is the smallest link MTU of all the link-layer technologies present on the link.

Path MTU: The maximum-sized IPv6 packet that can be sent without performing host fragmentation between a source and destination over a path in an IPv6 network. The path MTU is typically the smallest link MTU of all the links in the path.
Types of IPv6 Address Format

Whereas IPv4 addresses use a dotted-decimal format, where each byte ranges from 0 to 255, IPv6 addresses use eight sets of four hexadecimal digits (16 bits in each set), separated by colons (:), like this: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (where each x is a hexadecimal digit). This notation is commonly called string notation. Hexadecimal values can be displayed in either lower- or upper-case for the digits A–F. Leading zeros in a set can be omitted; for example, you could enter either 0012 or 12 in one of the eight fields, and both are correct. If you have successive fields of zeroes in an IPv6 address, you can represent them as two colons (::). For example, 0:0:0:0:0:0:0:5 could be represented as ::5, and ABC:567:0:0:8888:9999:1111:0 could be represented as ABC:567::8888:9999:1111:0. However, you can only do this once in an address: ABC::567::891::00 would be invalid, since :: appears more than once. The reason for this limitation is that if you had two or more repetitions, you wouldn't know how many sets of zeroes were being omitted from each part. The unspecified address is represented as ::, since it contains all zeroes.

Types of IPv6 Addresses

Anycast

An anycast address identifies one or more interfaces. Notice that the term device isn't used, since a device can have more than one interface. Sometimes people use the term node to designate an interface on a device. Basically, an anycast is a hybrid of a unicast and a multicast address. With a unicast, one packet is sent to one destination; with a multicast, one packet is sent to all members of the multicast group; with an anycast, a packet is sent to any one member of a group of devices that are configured with the anycast address. By default, packets sent to an anycast address are forwarded to the closest interface (node), as determined by the routing process employed to get the packet to the destination.
Given this process, anycast addresses are commonly referred to as one-to-the-nearest addresses.

Multicast

Multicast addresses represent a group of interfaces interested in seeing the same traffic. The first 8 bits are set to FF. The next 4 bits are the lifetime of the address: 0 is permanent and 1 is temporary. The next 4 bits indicate the scope of the multicast address (how far the packet can travel): 1 is for a node, 2 is for a link, 5 is for the site, 8 is for the organization, and E is global (the Internet). For example, a multicast address that begins with FF02::/16 is a permanent link-scope address, whereas an address beginning with FF15::/16 is a temporary site-scope address.

Unicast

The following types of addresses are unicast IPv6 addresses:

- Global unicast addresses
- Link-local addresses
- Site-local addresses
- Unique local addresses
- Special addresses
- Transition addresses

Global Unicast Addresses

IPv6 global addresses are equivalent to public IPv4 addresses. They are globally routable and reachable on the IPv6 Internet. Global unicast addresses are designed to be aggregated or summarized for an efficient routing infrastructure. Unlike the current IPv4-based Internet, which is a mixture of both flat and hierarchical routing, the IPv6-based Internet has been designed from its foundation to support efficient, hierarchical addressing and routing. The scope of a global address is the entire IPv6 Internet. RFC 4291 defines global addresses as all addresses that are not the unspecified, loopback, link-local unicast, or multicast addresses. However, the figure below shows the structure of global unicast addresses defined in RFC 3587 that are currently being used on the IPv6 Internet.

[Figure: The structure of global unicast addresses defined in RFC 3587]

The fields in the global unicast address are described in the following list:

Fixed portion set to 001: The three high-order bits are set to 001.

Global Routing Prefix: Indicates the global routing prefix for a specific organization's site.
The combination of the three fixed bits and the 45-bit Global Routing Prefix is used to create a 48-bit site prefix, which is assigned to an individual site of an organization. A site is an autonomously operating IP-based network that is connected to the IPv6 Internet. Network architects and administrators within the site determine the addressing plan and routing policy for the organization network. Once assigned, routers on the IPv6 Internet forward IPv6 traffic matching the 48-bit prefix to the routers of the organization's site.

Subnet ID: The Subnet ID is used within an organization's site to identify subnets within that site. The size of this field is 16 bits. The organization's site can use these 16 bits to create 65,536 subnets or multiple levels of addressing hierarchy and an efficient routing infrastructure. With 16 bits of subnetting flexibility, a global unicast prefix assigned to an organization site is equivalent to a public IPv4 Class A address prefix (assuming that the last octet is used for identifying nodes on subnets). The routing structure of the organization's network is not visible to the ISP.

Interface ID: Indicates the interface on a specific subnet within the site. The size of this field is 64 bits. The interface ID in IPv6 is equivalent to the node ID or host ID in IPv4.

Local-Use Unicast Addresses

Local-use unicast addresses do not have a global scope and can be reused. There are two types of local-use unicast addresses:

1. Link-local addresses are used between on-link neighbors and for Neighbor Discovery processes.
2. Site-local addresses are used between nodes communicating with other nodes in the same organization.

Link-Local Addresses (FE80:: through FEBF::)

Link-local addresses are a new concept in IPv6. These addresses have a smaller scope as to how far they can travel: just the local link (the data link layer link).
Routers will process packets destined to a link-local address, but they will not forward them to other links. Their most common use is for a device to acquire site-local or global unicast addressing information, to discover the default gateway, and to discover other layer 2 neighbors on the segment. IPv6 link-local addresses, identified by the initial 10 bits being set to 1111 1110 10 and the next 54 bits set to 0, are used by nodes when communicating with neighboring nodes on the same link. For example, on a single-link IPv6 network with no router, link-local addresses are used to communicate between hosts on the link. IPv6 link-local addresses are similar to the IPv4 link-local addresses defined in RFC 3927, which use the 169.254.0.0/16 prefix. The use of IPv4 link-local addresses is known as Automatic Private IP Addressing (APIPA) in Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP. The scope of a link-local address is the local link. A link-local address is required for some Neighbor Discovery processes and is always automatically configured, even in the absence of all other unicast addresses. Link-local addresses always begin with FE80. With the 64-bit interface identifier, the prefix for link-local addresses is always FE80::/64. An IPv6 router never forwards link-local traffic beyond the link.

Site-Local Addresses (FEC0:: through FEFF::)

Site-local addresses represent a particular site or company. These addresses can be used within a company without having to waste any public IP addresses, not that this is a concern, given the large number of addresses available in IPv6. However, by using private addresses, you can easily control who is allowed to leave your network and get returning traffic back by setting up address translation policies for IPv6. Site-local addresses, identified by setting the first 10 bits to 1111 1110 11, are equivalent to the IPv4 private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
For example, private intranets that do not have a direct, routed connection to the IPv6 Internet can use site-local addresses without conflicting with global addresses. Site-local addresses are not reachable from other sites, and routers must not forward site-local traffic outside the site. Site-local addresses can be used in addition to global addresses. The scope of a site-local address is the site. Unlike link-local addresses, site-local addresses are not automatically configured and must be assigned either through stateless or stateful address autoconfiguration. The first 10 bits are always fixed for site-local addresses, beginning with FEC0::/10. After the 10 fixed bits is a 54-bit Subnet ID field that provides 54 bits with which you can create subnets within your organization. You can have a flat subnet structure, or you can divide the high-order bits of the Subnet ID field to create a hierarchical and summarizable routing infrastructure. After the Subnet ID field is a 64-bit Interface ID field that identifies a specific interface on a subnet. Site-local addresses have been formally deprecated in RFC 3879 for future IPv6 implementations. However, existing implementations of IPv6 can continue to use site-local addresses.

Zone IDs for Local-Use Addresses

Unlike global addresses, local-use addresses (link-local and site-local addresses) can be reused. Link-local addresses are reused on each link. Site-local addresses can be reused within each site of an organization. Because of this address reuse capability, link-local and site-local addresses are ambiguous. To specify the link on which the destination is located or the site within which the destination is located, an additional identifier is needed. This additional identifier is a zone identifier (ID), also known as a scope ID, which identifies a connected portion of a network that has a specified scope.
The syntax specified in RFC 4007 for identifying the zone associated with a local-use address is Address%zone ID, in which Address is a local-use unicast IPv6 address and zone ID is an integer value representing the zone. The values of the zone ID are defined relative to the sending host. Therefore, different hosts might determine different zone ID values for the same physical zone. For example, Host A might choose 3 to represent the zone of an attached link and Host B might choose 4 to represent the same link.

Unique Local Addresses

Site-local addresses provide a private addressing alternative to global addresses for intranet traffic. However, because the site-local address prefix can be reused to address multiple sites within an organization, a site-local address prefix can be duplicated. The ambiguity of site-local addresses in an organization adds complexity and difficulty for applications, routers, and network managers. To replace site-local addresses with a new type of address that is private to an organization yet unique across all the sites of the organization, RFC 4193 defines unique local IPv6 unicast addresses. The first 7 bits have the fixed binary value of 1111110. All unique local addresses have the address prefix FC00::/7. The Local (L) flag is set to 1 to indicate that the prefix is locally assigned. The L flag value of 0 is not defined in RFC 3879. Therefore, unique local addresses within an organization with the L flag set to 1 have the address prefix FD00::/8. The Global ID identifies a specific site within an organization and is set to a randomly derived 40-bit value. By deriving a random value for the Global ID, an organization can have statistically unique 48-bit prefixes assigned to its sites. Additionally, two organizations that use unique local addresses and then merge have a low probability of duplicating a 48-bit unique local address prefix, minimizing site renumbering.
Unlike the Global Routing Prefix in global addresses, the Global IDs in unique local address prefixes are not designed to be summarized. Unique local addresses have a global scope, but their reachability is defined by routing topology and filtering policies at Internet boundaries. Organizations will not advertise their unique local address prefixes outside of their organizations or create DNS entries with unique local addresses in the Internet DNS. Organizations can easily create filtering policies at their Internet boundaries to prevent all unique-local-addressed traffic from being forwarded. Because they have a global scope, unique local addresses do not need a zone ID. The global address and unique local address share the same structure beyond the first 48 bits of the address. In both addresses, the 16-bit Subnet ID field identifies a subnet within an organization. Because of this, you can create a subnetted routing infrastructure that is used for both local and global addresses. For example, a specific subnet of your organization can be assigned both the global prefix 2001:DB8:4D1C:221A::/64 and the local prefix FD0E:2D:BA9:221A::/64, where the subnet is identified for both types of prefixes by the Subnet ID value of 221A. Although the subnet identifier is the same for both prefixes, routes for both prefixes must still be propagated throughout the routing infrastructure so that addresses based on both prefixes are reachable.

Summary Table of IPv6 Addresses

Address | Value | Description
Global | 2000::/3 | Assigned by the IANA and used on public networks. They are equivalent to IPv4 global (sometimes called public) addresses. ISPs summarize these to provide scalability in the Internet.
Reserved | (range) | Reserved addresses are used for specific types of anycast as well as for future use. Currently about 1/256th of the IPv6 address space is reserved.
Private | FE80::/10 | Like IPv4, IPv6 supports private addressing, which is used by devices that don't need to access a public network. The first two digits are FE, and the third digit can range from 8 to F.
Loopback | ::1 | Like the 127.0.0.1 address in IPv4, 0:0:0:0:0:0:0:1, or ::1, is used for local testing functions; unlike IPv4, which dedicates a complete class A block of addresses for local testing, only one address is used in IPv6.
Unspecified | :: | 0.0.0.0 in IPv4 means "unknown" address. In IPv6, this is represented by 0:0:0:0:0:0:0:0, or ::, and is typically used in the source address field of the packet when an interface doesn't have an address and is trying to acquire one dynamically.

In our next article we will discuss special IPv6 addresses, and IPv4 addresses and their equivalent IPv6 addresses. Then we learn how to assign these addresses to hosts, routers and other devices.

Special IPv6 Addresses and Their Corresponding IPv4 Addresses

In our previous article we learnt about IPv6 address types and format; in this article we learn about some special types of IPv6 address. This article is the second volume of IPv6 address types and formats, so if you have missed our previous article (Types of IPv6 address format) we suggest you review it.

Special IPv6 Addresses

The following are special IPv6 addresses:

Unspecified address: The unspecified address (0:0:0:0:0:0:0:0 or ::) is used only to indicate the absence of an address. It is equivalent to the IPv4 unspecified address of 0.0.0.0. The unspecified address is typically used as a source address when a unique address has not yet been determined. The unspecified address is never assigned to an interface or used as a destination address.

Loopback address: The loopback address (0:0:0:0:0:0:0:1 or ::1) is assigned to a loopback interface, enabling a node to send packets to itself. It is equivalent to the IPv4 loopback address of 127.0.0.1. Packets addressed to the loopback address must never be sent on a link or forwarded by an IPv6 router.
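The string-notation rules given earlier under Types of IPv6 Address Format (eight 16-bit groups, optional leading zeros, a single :: run) and the Address%zone ID syntax from the zone ID section, implemented as an added example for this tutorial; this is not the article's own code, and the function names are my own. Mixed notation with an embedded dotted-decimal IPv4 part (::FFFF:w.x.y.z) is deliberately not handled here.

```python
"""IPv6 text-notation helpers (added example, not part of the original
article).  They implement the rules the text states: eight 16-bit
hexadecimal groups, leading zeros in a group may be dropped, one run of
zero groups may be replaced by '::', and '::' may appear at most once.
A trailing '%zone' suffix (RFC 4007 zone ID for local-use addresses) is
split off and returned separately instead of being parsed as hex."""

import re

# one group: one to four hexadecimal digits, either case
_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def split_zone(text):
    """Return (address, zone_id) for 'Address%zone', or (address, None)."""
    addr, sep, zone = text.partition("%")
    return addr, (zone if sep else None)


def expand(text):
    """Expand an IPv6 address string into a list of eight integers (0-65535).

    Raises ValueError for anything the notation rules do not allow, in
    particular a second '::' (the ABC::567::891::00 case from the text)."""
    addr, _zone = split_zone(text)
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % text)
    if ":::" in addr:
        raise ValueError("malformed run of colons: %s" % text)

    def parse_groups(part):
        if part == "":
            return []
        groups = part.split(":")
        for g in groups:
            if not _GROUP.match(g):
                raise ValueError("bad hexadecimal group %r in %s" % (g, text))
        return [int(g, 16) for g in groups]

    if "::" in addr:
        head, tail = addr.split("::")
        left, right = parse_groups(head), parse_groups(tail)
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %s" % text)
        return left + [0] * missing + right
    groups = parse_groups(addr)
    if len(groups) != 8:
        raise ValueError("expected eight groups, got %d: %s" % (len(groups), text))
    return groups


def full_form(groups):
    """Uncompressed, zero-padded string notation, e.g. 0000:...:0005."""
    return ":".join("%04x" % g for g in groups)


def compress(groups):
    """Canonical compressed form: leading zeros dropped and the longest run
    of two or more zero groups (the first run on ties) replaced by '::'.
    Output is lower-case hexadecimal, as RFC 5952 recommends."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexes = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    left = ":".join(hexes[:best_start])
    right = ":".join(hexes[best_start + best_len:])
    return left + "::" + right
```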
Transition Addresses

To aid the transition from IPv4 to IPv6 and the coexistence of both kinds of hosts, the following addresses are defined:

IPv4-compatible address
The IPv4-compatible address, 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z (where w.x.y.z is the dotted decimal representation of a public IPv4 address), was used by IPv6/IPv4 nodes communicating with IPv6 over an IPv4 infrastructure that uses public IPv4 addresses, such as the Internet. IPv4-compatible addresses are deprecated in RFC 4291 and are not supported by IPv6 in Windows Vista and Windows Server 2008.

IPv4-mapped address
The IPv4-mapped address, 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z, is used to represent an IPv4 address as a 128-bit IPv6 address.

6to4 address
An address of the form 2002:WWXX:YYZZ:Subnet ID:Interface ID, where WWXX:YYZZ is the colon-hexadecimal representation of w.x.y.z (a public IPv4 address), is assigned to a node for the 6to4 IPv6 transition technology.

ISATAP address
An address of the form 64-bit prefix:0:5EFE:w.x.y.z, where w.x.y.z is a private IPv4 address (or 64-bit prefix:200:5EFE:w.x.y.z when w.x.y.z is a public IPv4 address), is assigned to a node for the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology. The embedded IPv4 address is the tunnel endpoint.

Teredo address
A global address that uses the prefix 2001::/32 (2001:0000::/32) and is assigned to a node for the Teredo IPv6 transition technology. Beyond the first 32 bits, a Teredo address encodes the IPv4 address of a Teredo server, a set of flags, and an obscured form of the Teredo client's external IPv4 address and UDP port number (the external address and port are stored with every bit inverted).
IPv4 Addresses and Their IPv6 Equivalents

IPv4 address                                              IPv6 address
Internet address classes                                  Not applicable in IPv6
Multicast addresses (224.0.0.0/4)                         IPv6 multicast addresses (FF00::/8)
Broadcast addresses                                       Not applicable in IPv6 (multicast, e.g. FF02::1 all-nodes, takes over)
Unspecified address is 0.0.0.0                            Unspecified address is ::
Loopback address is 127.0.0.1                             Loopback address is ::1
Public IP addresses                                       Aggregatable global unicast addresses (2000::/3)
Private IP addresses (10.0.0.0/8, 172.16.0.0/12,          Site-local addresses (FEC0::/10, deprecated) and unique local addresses (FC00::/7)
  and 192.168.0.0/16)
APIPA addresses (169.254.0.0/16)                          Link-local addresses (FE80::/64)
Text representation: dotted decimal notation              Text representation: colon-hexadecimal format with suppression of leading zeros and zero compression; IPv4-compatible and IPv4-mapped addresses embed a dotted decimal part
Network bits representation: subnet mask in dotted        Network bits representation: prefix length notation only
  decimal notation or prefix length

Assigning IPv6 Addresses to Devices

IPv6 Addresses for a Host

An IPv4 host with a single network adapter typically has a single IPv4 address assigned to that adapter. An IPv6 host, however, usually has multiple IPv6 addresses assigned to each adapter. The interfaces on a typical IPv6 host are assigned the following unicast addresses:

- A link-local address for each interface
- Additional unicast addresses for each interface (one or more unique local or global addresses)
- The loopback address (::1) for the loopback interface

Typical IPv6 hosts are therefore always logically multihomed: they have at least two addresses on which they can receive packets, a link-local address for local link traffic and a routable unique local or global address.
Additionally, each interface on an IPv6 host listens for traffic on the following multicast addresses:

- The interface-local scope all-nodes multicast address (FF01::1)
- The link-local scope all-nodes multicast address (FF02::1)
- The solicited-node address (FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address) for each unicast address assigned
- The multicast addresses of joined groups

IPv6 Addresses for a Router

The interfaces on an IPv6 router are assigned the following unicast addresses:

- A link-local address for each interface
- Additional unicast addresses for each interface (one or more unique local or global addresses)
- The loopback address (::1) for the loopback interface

Additionally, the interfaces of an IPv6 router are assigned the following anycast addresses:

- A Subnet-Router anycast address for each subnet (the subnet prefix with an all-zeros interface ID)
- Additional anycast addresses (optional)

Additionally, the interfaces of an IPv6 router listen for traffic on the following multicast addresses:

- The interface-local scope all-nodes multicast address (FF01::1)
- The interface-local scope all-routers multicast address (FF01::2)
- The link-local scope all-nodes multicast address (FF02::1)
- The link-local scope all-routers multicast address (FF02::2)
- The site-local scope all-routers multicast address (FF05::2)
- The solicited-node address for each unicast address assigned
- The multicast addresses of joined groups

Static Address Assignment

One option is to statically assign a unicast address to a device's interface using either of two approaches:

- Specify all 128 bits manually
- Specify the 64-bit prefix (subnet ID) and let the device derive the interface ID with the EUI-64 method

With EUI-64, the interface ID is built from the interface's 48-bit MAC address: the value FFFE is inserted between the third and fourth octets and the universal/local bit (0x02 in the first octet) is inverted. Because an EUI-64 interface ID exposes the hardware address in every packet, many hosts (Windows Vista and Windows Server 2008 among them, as described later) generate random interface IDs instead.

Manually Configuring the IPv6 Protocol

Unlike IPv6 in Windows XP and Windows Server 2003, the IPv6 protocol in Windows Server 2008 and Windows Vista is installed and enabled by default.
The IPv6 protocol for Windows Server 2008 and Windows Vista is designed to be autoconfiguring. For example, it automatically configures link-local addresses for communication between nodes on a link. If there is an IPv6 router on the host's subnet or an ISATAP router, the host uses received router advertisements to configure additional addresses, a default router, and other configuration parameters automatically.

You can manually configure IPv6 addresses and other parameters in Windows Vista in two ways:

- From the properties of the network adapter (the Internet Protocol Version 6 (TCP/IPv6) component)
- From the command prompt (the netsh interface ipv6 context)

The properties of the Internet Protocol Version 6 (TCP/IPv6) component
Just as you configure IPv4 settings through the properties of the Internet Protocol Version 4 (TCP/IPv4) component in the Network Connections folder, you can configure IPv6 settings through the properties of the Internet Protocol Version 6 (TCP/IPv6) component. The set of dialog boxes for IPv6 configuration is very similar to the corresponding dialog boxes for IPv4. However, the properties of the Internet Protocol Version 6 (TCP/IPv6) component provide only basic configuration of IPv6.

Commands in the netsh interface ipv6 context
Just as in Windows XP and Windows Server 2003, you can configure IPv6 settings for Windows Server 2008 or Windows Vista from the interface ipv6 context of the Netsh.exe tool.

Although typical IPv6 hosts do not need to be manually configured, IPv6 routers must be.

Configuring IPv6 Through the Properties of Internet Protocol Version 6 (TCP/IPv6)

To manually configure IPv6 settings through the Network Connections folder, do the following:

1. From the Network Connections folder, right-click the connection or adapter on which you want to manually configure IPv6, and then click Properties.
2. On the Networking tab of the connection's or adapter's properties, under This Connection Uses The Following Items, double-click Internet Protocol Version 6 (TCP/IPv6) in the list.
Windows Vista displays the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box.

General tab

On the General tab of the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box, you can configure the following:

Obtain an IPv6 address automatically
Specifies that IPv6 addresses for this connection or adapter are determined automatically by stateful or stateless address autoconfiguration.

Use the following IPv6 address
Specifies that an IPv6 address and default gateway for this connection or adapter are configured manually.

IPv6 address
Provides a space for you to type an IPv6 unicast address. You can specify additional IPv6 addresses from the Advanced TCP/IP Settings dialog box.

Subnet prefix length
Provides a space for you to type the subnet prefix length for the IPv6 address. For typical IPv6 unicast addresses, this value should be set to 64, its default value.

Default gateway
Provides a space for you to type the IPv6 unicast address of the default gateway.

Obtain DNS server address automatically
Specifies that the IPv6 addresses of DNS servers are determined automatically by stateful address autoconfiguration (DHCPv6).

Use the following DNS server addresses
Specifies that the IPv6 addresses of the preferred and alternate DNS servers for this connection or adapter are configured manually.

Preferred DNS server
Provides a space for you to type the IPv6 unicast address of the preferred DNS server.

Alternate DNS server
Provides a space for you to type the IPv6 unicast address of the alternate DNS server. You can specify additional DNS servers from the Advanced TCP/IP Settings dialog box.

Advanced TCP/IP Settings

From the General tab, you can click Advanced to open the Advanced TCP/IP Settings dialog box.
This dialog box is very similar to the Advanced TCP/IP Settings dialog box for the Internet Protocol Version 4 (TCP/IPv4) component, except that there is no WINS tab (IPv6 does not use NetBIOS or the Windows Internet Name Service [WINS]) and no Options tab (TCP/IP filtering is defined only for IPv4 traffic). For IPv6, the Advanced TCP/IP Settings dialog box has IP Settings and DNS tabs.

IP Settings tab

From the IP Settings tab, you can configure the following:

Multiple IPv6 addresses (by clicking Add under IP Addresses)
For each unicast IPv6 address, you must specify an IPv6 address and a subnet prefix length. The Add button is available only if Use The Following IPv6 Address has been selected on the General tab of the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box.

Multiple default gateways (by clicking Add under Default Gateways)
For each default gateway, you must specify the IPv6 address of the gateway and whether the metric for the default route associated with this gateway is specified manually or based on the speed of the connection or adapter.

Route metrics
You can also specify whether to use a specific metric for the routes associated with the configured IPv6 addresses or default gateways, or a metric determined by the speed of the connection or adapter.

DNS tab

From the DNS tab, you can configure the following:

- The IPv6 addresses of DNS servers, in order of use (by clicking Add under DNS Server Addresses, In Order Of Use).
- The primary and connection-specific DNS suffixes and the name registration and devolution behavior. These settings are the same as for IPv4.

Configuring IPv6 with the Netsh.exe Tool

You can also configure IPv6 addresses, default gateways, and DNS servers at the command line using commands in the netsh interface ipv6 context.
Configuring Addresses

To configure IPv6 addresses, use the netsh interface ipv6 add address command with the following syntax:

  netsh interface ipv6 add address [interface=]InterfaceNameOrIndex [address=]IPv6Address[/PrefixLength] [[type=]unicast|anycast] [[validlifetime=]Time|infinite] [[preferredlifetime=]Time|infinite] [[store=]active|persistent]

interface
The connection or adapter's name or interface index.

address
The IPv6 address to add, optionally followed by the subnet prefix length (default 64).

type
The type of IPv6 address, either unicast (default) or anycast.

validlifetime
The lifetime over which the address is valid. Time values can be expressed in days, hours, minutes, and seconds (for example, 1d2h3m4s). The default is infinite.

preferredlifetime
The lifetime over which the address is preferred. Time values use the same format. The default is infinite.

store
How to store the IPv6 address: active (the address is removed when the system restarts) or persistent (the address survives restarts), which is the default.

For example, to configure the IPv6 unicast address 2001:db8:290c:1291::1 on the interface named "Local Area Connection" with infinite valid and preferred lifetimes and make the address persistent, every optional parameter can be left at its default:

  netsh interface ipv6 add address "Local Area Connection" 2001:db8:290c:1291::1

Adding Default Gateways

To configure a default gateway, use the netsh interface ipv6 add route command to add a default route (::/0) with the following syntax:

  netsh interface ipv6 add route [prefix=]::/0 [interface=]InterfaceNameOrIndex [[nexthop=]IPv6Address] [[siteprefixlength=]Length] [[metric=]MetricValue] [[publish=]no|yes|immortal] [[validlifetime=]Time|infinite] [[preferredlifetime=]Time|infinite] [[store=]active|persistent]

prefix
The IPv6 address prefix and prefix length for the default route.
For other routes, substitute AddressPrefix/PrefixLength for ::/0.

interface
The connection or adapter's name or interface index.

nexthop
If the prefix is for destinations that are not on the local link, the next-hop IPv6 address of a neighboring router (normally the router's link-local address).

siteprefixlength
If the prefix is for destinations on the local link, you can optionally specify the prefix length of the address prefix assigned to the site to which this IPv6 node belongs.

metric
A value that specifies the preference for using the route. Lower values are preferred.

publish
On an IPv6 router, specifies whether the subnet prefix corresponding to the route is included in router advertisements and whether the advertised prefix lifetimes are infinite (the immortal option).

validlifetime
The lifetime over which the route is valid. Time values can be expressed in days, hours, minutes, and seconds (for example, 1d2h3m4s). The default is infinite.

preferredlifetime
The lifetime over which the route is preferred. Time values use the same format. The default is infinite.

store
How to store the route: active (the route is removed when the system restarts) or persistent (the route survives restarts), which is the default.

For example, to add a default route through the interface named "Local Area Connection" with a next-hop address of fe80::2aa:ff:fe9a:21b8, you use the following command:

  netsh interface ipv6 add route ::/0 "Local Area Connection" fe80::2aa:ff:fe9a:21b8

Adding DNS Servers

To configure the IPv6 addresses of DNS servers, use the netsh interface ipv6 add dnsserver command with the following syntax:

  netsh interface ipv6 add dnsserver [name=]InterfaceName [[address=]IPv6Address] [[index=]PreferenceValue]

name
The connection or adapter's name.

address
The IPv6 address of the DNS server.

index
The preference for the DNS server address. By default, the DNS server is added to the end of the list of DNS servers.
If an index is specified, the DNS server is placed at that position in the list and the other DNS servers move down.

For example, to add a DNS server with the IPv6 address 2001:db8:99:4acd::8 on the interface named "Local Area Connection", you use the following command:

  netsh interface ipv6 add dnsserver "Local Area Connection" 2001:db8:99:4acd::8

IPv6 Address Autoconfiguration

Autoconfiguration is an extremely useful feature because it lets devices on a network address themselves: every interface gives itself a link-local unicast address without any server, and routers or DHCPv6 supply the rest.

Types of Autoconfiguration

There are three types of autoconfiguration:

Stateless
Configuration of addresses and other settings is based on the receipt of Router Advertisement messages. These messages have the Managed Address Configuration (M) and Other Stateful Configuration (O) flags set to 0 and include one or more Prefix Information options, each with its Autonomous (A) flag set to 1.

Stateful
Configuration is based on an address configuration protocol, such as DHCPv6, to obtain addresses and other configuration settings. A host uses stateful autoconfiguration when it receives a Router Advertisement message with no Prefix Information options and either the M flag or the O flag set to 1. A host can also use stateful autoconfiguration when no routers are present on the local link.

Both
Configuration is based on the receipt of Router Advertisement messages that include Prefix Information options, each with its Autonomous flag set to 1, and that also have the M or O flag set to 1.

For all types of autoconfiguration, a link-local address is always configured automatically.

Stateful Configuration

The client detects a router and examines the Router Advertisement messages to determine whether DHCPv6 has been set up.
If the router advertisements indicate that DHCPv6 is supported, or if no router advertisements are seen, the client begins to look for a DHCPv6 server by sending a DHCPv6 Solicit message. This message is sent to the All_DHCP_Relay_Agents_and_Servers multicast address (FF02::1:2); its link-local scope ensures the message is not, by default, forwarded beyond the local link. An agent is either a DHCPv6 server or a relay, such as a router.

Stateless Autoconfiguration

Stateless address autoconfiguration (RFC 4862) needs no DHCPv6 server at all: the client uses information in Router Advertisement messages to configure an IPv6 address for the interface. It takes the 64-bit prefix carried in a Prefix Information option of the advertisement (not the advertisement's source address, which is merely the router's link-local address) and appends a 64-bit interface ID, derived with the EUI-64 process or generated randomly. Stateless autoconfiguration was designed primarily for cell phones, PDAs, and home network and appliance equipment, so that addresses can be assigned automatically without a DHCP server infrastructure.

Normally, routers send periodic Router Advertisement (RA) messages that a client can listen for and use to generate its addresses. When a client is booting, however, waiting for the next periodic RA might take a while, so the client sends a Router Solicitation message asking the routers on the link to reply with an RA immediately.

[Figure: Two steps to IPv6 autoconfiguration]

Autoconfigured Address States

Autoconfigured addresses are in one or more of the following states:

Tentative
The address is in the process of being verified as unique. Verification occurs through duplicate address detection. A node cannot receive unicast traffic to a tentative address. It can, however, receive and process multicast Neighbor Advertisement messages sent in response to the Neighbor Solicitation message that was sent during duplicate address detection.

Valid
The address can be used for sending and receiving unicast traffic.
The valid state includes both the preferred and deprecated states. The total time an address spends in the tentative, preferred, and deprecated states is determined by the Valid Lifetime field in the Prefix Information option of a Router Advertisement message or by the valid-lifetime field of a DHCPv6 IA (Identity Association) Address option.

Preferred
The address is valid, its uniqueness has been verified, and it can be used for unlimited communications. A node can send and receive unicast traffic to and from a preferred address. The time an address can remain in the tentative and preferred states is determined by the Preferred Lifetime field in the Prefix Information option of a Router Advertisement message or by the preferred-lifetime field of a DHCPv6 IA Address option.

Deprecated
The address is valid and its uniqueness has been verified, but its use for new communication is discouraged. Existing communication sessions can still use a deprecated address, and a node can still send and receive unicast traffic to and from it.

Invalid
The address can no longer be used to send or receive unicast traffic. An address enters the invalid state when its valid lifetime expires.

Autoconfiguration Process

The address autoconfiguration process defined in RFC 4862 for the physical interface of an IPv6 node is the following:

1. A tentative link-local address is derived from the link-local prefix FE80::/64 and an EUI-64-derived (or randomly generated) interface identifier.
2. Duplicate address detection verifies the uniqueness of the tentative link-local address: a Neighbor Solicitation message is sent with its Target Address field set to the tentative link-local address.
3. If a Neighbor Advertisement message is received in response, another node on the local link is already using the tentative link-local address, and address autoconfiguration stops.
   At this point, the node must be configured manually.
4. If no Neighbor Advertisement message is received in response, the tentative link-local address is assumed to be unique and valid and is initialized on the interface. The link-layer multicast address of the solicited-node address corresponding to the link-local address is registered with the network adapter.

For an IPv6 host, address autoconfiguration continues as follows:

1. The host sends a Router Solicitation message. Although routers periodically send router advertisements, the host sends a Router Solicitation to request an immediate advertisement rather than waiting for the next periodic one. By default, up to three Router Solicitation messages are sent.
2. If no Router Advertisement messages are received, the host uses an address configuration protocol to obtain addresses and other configuration parameters.
3. If a Router Advertisement message is received, the hop limit, reachable time, retransmission timer, and maximum transmission unit (if that option is present) are set.
4. For each Prefix Information option present, the following actions occur:
   o If the On-Link flag is set to 1, the prefix is added to the prefix list.
   o If the Autonomous flag is set to 1, the prefix and an appropriate interface identifier are used to derive a tentative address.
   o Duplicate address detection is used to verify the uniqueness of the tentative address.
   o If the tentative address is in use, it is not initialized on the interface.
   o If the tentative address is not in use, the address is initialized. This includes setting the valid and preferred lifetimes based on the Valid Lifetime and Preferred Lifetime fields in the Prefix Information option.
     If needed, it also includes registering the link-layer multicast address of the solicited-node address corresponding to the new address with the network adapter.
5. If the Managed Address Configuration flag in the Router Advertisement message is set to 1, an address configuration protocol is used to obtain additional addresses.
6. If the Other Stateful Configuration flag in the Router Advertisement message is set to 1, an address configuration protocol is used to obtain additional configuration parameters.

In the next tutorial we look at how IPv6 autoconfiguration behaves on Windows Server 2008 and Windows Vista.

Assign IPv6 Addresses to Windows Server 2008 and Windows Vista

In the previous article we covered IPv6 address autoconfiguration in general. This article, the next in the series, discusses the autoconfiguration behavior of Windows Server 2008 and Windows Vista; if you missed the previous tutorial, review it first.

IPv6 Protocol for Windows Server 2008 and Windows Vista: Autoconfiguration Specifics

The following are the specific autoconfiguration behaviors of IPv6 in Windows Server 2008 and Windows Vista:

Computers running Windows Server 2008 or Windows Vista by default generate random interface IDs for non-temporary autoconfigured IPv6 addresses, including public and link-local addresses, rather than using EUI-64-based interface IDs. A public IPv6 address is a global address that is registered in DNS and is typically used by server applications for incoming connections, such as a Web server. A random interface ID keeps the adapter's MAC address out of the host's IPv6 addresses, so an address no longer identifies the hardware or its vendor. You can disable this default behavior with the netsh interface ipv6 set global randomizeidentifiers=disabled command and re-enable it with the netsh interface ipv6 set global randomizeidentifiers=enabled command. With a randomly derived interface ID, the chance of duplicating the link-local address is very small.
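The following is an added example in Python, not code from this article or from Windows, that ties together several of the passages above: the EUI-64 interface ID from the static-assignment section, the solicited-node multicast group that hosts and routers join for each unicast address, the RFC 4862 procedure (link-local address first, duplicate address detection, on-link and autonomous prefix handling, the M and O flags), the tentative/preferred/deprecated/invalid states, and the randomly derived interface ID that Windows prefers. The link is simulated as the set of addresses other nodes already hold, so DAD is a membership test; the random-ID generator only models the shape of the result, since the page does not describe the generator Windows uses (an assumption).

```python
import secrets
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL_PREFIX = "fe80::/64"
SOLICITED_NODE_BASE = int(IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FF:FE in the middle and
    flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def random_interface_id() -> int:
    """Randomly derived 64-bit interface ID with the u/l bit cleared, since it is not
    derived from a globally unique hardware address. Only the shape of what Windows
    produces is modelled here (assumption)."""
    return secrets.randbits(64) & ~(1 << 57)


def make_address(prefix: str, iid: int) -> IPv6Address:
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return IPv6Address(int(net.network_address) | iid)


def solicited_node(addr: IPv6Address) -> IPv6Address:
    """FF02::1:FFxx:xxxx: the group a node joins for each of its unicast addresses;
    the Neighbor Solicitations of DAD and address resolution are sent to it."""
    return IPv6Address(SOLICITED_NODE_BASE | (int(addr) & 0xFFFFFF))


def dad_detects_duplicate(tentative: IPv6Address, in_use) -> bool:
    """Simulated duplicate address detection: the Neighbor Solicitation for the
    tentative target is answered only if another node on the link owns the address."""
    return tentative in in_use


def address_state(age: int, preferred_lifetime: int, valid_lifetime: int, dad_done: bool) -> str:
    """Tentative until DAD finishes, then preferred, deprecated and finally invalid."""
    if not dad_done:
        return "tentative"
    if age >= valid_lifetime:
        return "invalid"
    if age >= preferred_lifetime:
        return "deprecated"
    return "preferred"


@dataclass
class PrefixInfo:                 # one Prefix Information option of a Router Advertisement
    prefix: str
    on_link: bool                 # L flag: add the prefix to the prefix list
    autonomous: bool              # A flag: form an address from the prefix
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RouterAdvertisement:
    managed: bool                 # M flag: obtain addresses from DHCPv6
    other: bool                   # O flag: obtain other settings (DNS, ...) from DHCPv6
    prefixes: list = field(default_factory=list)


def autoconfigure(mac: str, ra, in_use=(), iid=None) -> dict:
    """RFC 4862 host procedure: link-local address first, then one tentative address per
    autonomous prefix, each checked with DAD against the addresses already in use on
    the link; the M and O flags decide what DHCPv6 is consulted for. ra=None models a
    link without a router, where only the link-local address is formed."""
    in_use = {IPv6Address(a) for a in in_use}
    iid = eui64_interface_id(mac) if iid is None else iid
    result = {"addresses": [], "prefix_list": [], "duplicates": [], "dhcpv6": []}
    link_local = make_address(LINK_LOCAL_PREFIX, iid)
    if dad_detects_duplicate(link_local, in_use):
        result["duplicates"].append(link_local)      # RFC 4862: autoconfiguration stops here
        return result
    result["addresses"].append(link_local)
    if ra is None:
        return result
    for opt in ra.prefixes:
        if opt.on_link:
            result["prefix_list"].append(opt.prefix)
        if not opt.autonomous:
            continue
        tentative = make_address(opt.prefix, iid)
        if dad_detects_duplicate(tentative, in_use):
            result["duplicates"].append(tentative)   # left uninitialized on the interface
        else:
            result["addresses"].append(tentative)
    if ra.managed:
        result["dhcpv6"].append("addresses")
    if ra.other:
        result["dhcpv6"].append("other configuration")
    return result
```

The MAC address 00-0a-42-b0-54-00 is a convenient input: its EUI-64 link-local address is fe80::20a:42ff:feb0:5400, the router address that appears as the default gateway in the ipconfig output later in this article, which shows how directly an EUI-64 address leaks the hardware address. Pass autoconfigure() the addresses a neighbor already holds to see both outcomes of DAD: a duplicated global address is skipped while the host keeps its link-local address, whereas a duplicated link-local address stops the whole procedure, the case the Windows behavior described next works around.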
Because a randomly derived interface ID is so unlikely to collide, computers running Windows Server 2008 or Windows Vista do not wait for duplicate address detection (DAD) to complete before sending router solicitations or multicast listener discovery reports from their derived link-local addresses. This is known as optimistic DAD.

Computers running Windows Server 2008 or Windows Vista do not attempt stateful address autoconfiguration with DHCPv6 if no router advertisements are received.

RFC 4862 does not require a specific order for sending the initial router solicitation and performing duplicate address detection for the derived link-local address. The IPv6 protocol for Windows Server 2008 and Windows Vista sends the Router Solicitation message before performing duplicate address detection on the link-local address, so that duplicate address detection and router discovery run in parallel and interface initialization takes less time.

If the derived link-local address is a duplicate, stateless address autoconfiguration for the IPv6 protocol for Windows Server 2008 and Windows Vista can still continue once a multicast Router Advertisement message containing site-local, unique local, or global prefixes is received. The attempted link-local address is shown with a "Duplicate" state in the output of the netsh interface ipv6 show address command, and a site-local, unique local, or global address, rather than the duplicate link-local address, is used for neighbor discovery processes.

Autoconfigured Addresses for the IPv6 Protocol for Windows Server 2008 and Windows Vista

By default, the following IPv6 addresses are automatically configured for the IPv6 protocol for Windows Server 2008 and Windows Vista:

- Link-local addresses using randomly derived interface identifiers are assigned to all local area network (LAN) interfaces.
- If a site-local prefix is included in a Prefix Information option of a router advertisement with the Autonomous flag set to 1, a site-local address using a randomly derived interface identifier is assigned to the LAN interface that received the router advertisement.
- If a global or unique local prefix is included in a Prefix Information option of a router advertisement with the Autonomous flag set to 1, a global or unique local address using a randomly derived permanent interface identifier is assigned to the LAN interface that received the router advertisement.
- If a global or unique local prefix is included in a Prefix Information option of a router advertisement with the Autonomous flag set to 1, a temporary global or unique local address using a randomly derived temporary interface identifier is also assigned to the LAN interface that received the router advertisement. This is the default behavior for Windows Vista. Windows Server 2008 does not create temporary addresses by default; you can enable them with the netsh interface ipv6 set privacy enabled command.
- If the M flag is set to 1 in a received Router Advertisement message, a stateful IPv6 address from the DHCPv6 scope for the subnet is assigned to the LAN interface that received the DHCPv6 Reply message.
- If public IPv4 addresses are assigned to interfaces of the computer and no global or unique local autoconfiguration prefixes are received in Router Advertisement messages, corresponding 6to4 addresses using 6to4-derived interface identifiers are assigned to the 6to4 tunneling interface. 6to4 is described in RFC 3056.
- For computers running Windows Vista, for every IPv4 address assigned to an interface of the computer, a corresponding link-local address using an Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)-derived interface identifier (::0:5EFE:w.x.y.z or ::200:5EFE:w.x.y.z) is assigned to the ISATAP tunneling interface. ISATAP is described in RFC 4214.
- If a global, unique local, or site-local prefix is included in a Prefix Information option of a router advertisement received on the ISATAP interface, a global, unique local, or site-local address using the ISATAP-derived interface identifier corresponding to the IPv4 address that is the best source for reaching the ISATAP router is assigned to the ISATAP interface.
- The loopback address (::1) is assigned to the Loopback Pseudo-Interface 1.

Because the 6to4 and ISATAP tunneling interfaces are created and addressed automatically, a host can obtain IPv6 connectivity across an IPv4 network on which no native IPv6 has been deployed. Firewall rules and monitoring should account for these interfaces rather than assume an IPv4-only environment.

IPv6-Enabled Tools

Windows Server 2008 and Windows Vista include the following IPv6-enabled command-line tools, which are the ones most commonly used for network troubleshooting:

- Ipconfig
- Route
- Ping
- Tracert
- Pathping
- Netstat

Ipconfig

The ipconfig tool displays all current TCP/IP network configuration values and is used to perform maintenance tasks such as refreshing DHCP and DNS settings. In Windows Server 2008 and Windows Vista, the ipconfig command without options displays the IPv4 and IPv6 configuration for all physical adapters and tunnel interfaces that have addresses. The following is an example display of the ipconfig command on a computer running Windows Server 2008 or Windows Vista:

  c:\> ipconfig

  Windows IP Configuration

  Ethernet adapter Local Area Connection:

     Connection-specific DNS Suffix  . : www.ComputerNetworkingNotes.com
     IPv6 Address. . . . . . . . . . . : 2001:db8:21da:7:713e:a426:d167:37ab
     Temporary IPv6 Address. . . . . . : 2001:db8:21da:7:5099:ba54:9881:2e54
     Link-local IPv6 Address . . . . . : fe80::713e:a426:d167:37ab%6
     IPv4 Address. . . . . . . . . . . : 157.60.14.11
     Subnet Mask . . . . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . . . . : fe80::20a:42ff:feb0:5400%6
                                         157.60.14.1

  Tunnel adapter Local Area Connection* 6:

     Connection-specific DNS Suffix  . :
     IPv6 Address. . . . . . . . . . . : 2001:db8:908c:f70f:0:5efe:157.60.14.11
     Link-local IPv6 Address . . . . . : fe80::5efe:157.60.14.11%9
     Site-local IPv6 Address . . . . . : fec0::6ab4:0:5efe:157.60.14.11%1
     Default Gateway . . . . . . . . . : fe80::5efe:131.107.25.1%9
                                         fe80::5efe:131.107.25.2%9

  Tunnel adapter Local Area Connection* 7:

     Media State . . . . . . . . . . . : Media disconnected
     Connection-specific DNS Suffix  . :

Ipconfig.exe displays the IPv6 addresses before the IPv4 addresses and indicates the type of IPv6 address with the following labels:

IPv6 Address
A global address with a permanent interface ID.

Temporary IPv6 Address
A global address with a randomly derived interface ID that has a short valid lifetime.

Link-local IPv6 Address
A link-local address with its corresponding zone ID (the interface index).

Site-local IPv6 Address
A site-local address with its corresponding zone ID (the site ID).

By default, interface names containing an asterisk (*) are tunneling interfaces.

Route

The Route tool displays the entries in the local IPv4 and IPv6 routing tables and allows you to change them. The Route tool displays both the IPv4 and the IPv6 routing table when you run the route print command. You can change entries in the IPv6 routing table with the route add, route change, and route delete commands.

Ping

In previous versions of Windows, the Ping tool verified IPv4-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) Echo messages. The receipt of corresponding Echo Reply messages is displayed, along with round-trip times. Ping is the primary TCP/IP tool used to troubleshoot reachability and name resolution. The Ping tool in Windows Server 2008 and Windows Vista has been enhanced to support IPv6 in the following ways:

- Ping uses either ICMPv4 Echo or ICMPv6 Echo Request messages to verify IPv4-based or IPv6-based connectivity.
- Ping can parse both IPv4 and IPv6 address formats.
- If you specify a target host by name, the addresses returned by Windows name resolution can include both IPv4 and IPv6 addresses; in that case, by default, an IPv6 address is preferred (subject to source and destination address selection).

The following is an example display of the Ping tool on a computer running Windows Server 2008 or Windows Vista for an IPv6 destination address:

  C:\>ping 2001:db8:1:f282:dd48:ab34:d07c:3914

  Pinging 2001:db8:1:f282:dd48:ab34:d07c:3914 from 2001:db8:1:f282:3cec:bf16:505:eae6 with 32 bytes of data:
  Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
  Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
  Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
  Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms

  Ping statistics for 2001:db8:1:f282:dd48:ab34:d07c:3914:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 0ms, Maximum = 0ms, Average = 0ms

The following command-line options support IPv6:

-i HopLimit
Sets the value of the Hop Limit field in the IPv6 header. The default value is 128. The -i option is also used to set the value of the Time-to-Live (TTL) field in the IPv4 header.

-R
Forces Ping to trace the round-trip path by sending the ICMPv6 Echo Request message to the destination with an IPv6 Routing extension header that lists the sending node as the next destination. This relies on Routing header type 0, which RFC 5095 deprecated because it enabled traffic amplification attacks; current hosts and routers drop such packets, so expect -R to fail on modern networks.

-S SourceAddr
Forces Ping to use the specified IPv6 source address.

-4
Forces Ping to use an IPv4 address when the DNS name query for a host name returns both IPv4 and IPv6 addresses.

-6
Forces Ping to use an IPv6 address when the DNS name query for a host name returns both IPv4 and IPv6 addresses.

Note: the Ping -f, -v TOS, -r count, -s count, -j host-list, and -k host-list command-line options are not supported for IPv6.

Tracert

The Tracert tool determines the path taken to a destination.
For IPv4, Tracert sends ICMPv4 Echo messages to the destination with incrementally increasing TTL field values. For IPv6, Tracert sends ICMPv6 Echo Request messages to the destination with incrementally increasing Hop Limit field values. Tracert displays the path as the list of near-side router interfaces of the routers in the path between a source host and a destination node. The Tracert tool in Windows Server 2008 and Windows Vista has been enhanced to support IPv6 in the following ways:

Tracert can parse both IPv4 and IPv6 address formats.
If you specify a target host by name, the addresses returned using Windows name resolution techniques can contain both IPv4 and IPv6 addresses, in which case, by default, an IPv6 address is preferred (subject to source and destination address selection).

The following is an example display of the Tracert tool on a computer running Windows Server 2008 or Windows Vista:

c:\>tracert 2001:db8:1:f282:dd48:ab34:d07c:3914

Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  2001:db8:1:f241:2b0:d0ff:fea4:243d
  2    <1 ms    <1 ms    <1 ms  2001:db8:1:f2ac:2b0:d0ff:fea5:d347
  3    <1 ms    <1 ms    <1 ms  2001:db8:1:f282:dd48:ab34:d07c:3914

Trace complete.

The following Tracert command-line options support IPv6:

-R: Forces Tracert to trace the round-trip path by sending the ICMPv6 Echo Request message to the destination, including an IPv6 Routing extension header with the sending node as the next destination.
-S SourceAddr: Forces Tracert to use a specified IPv6 source address.
-4: Forces Tracert to use an IPv4 address when the DNS name query for a host name returns both IPv4 and IPv6 addresses.
-6: Forces Tracert to use an IPv6 address when the DNS name query for a host name returns both IPv4 and IPv6 addresses.

Note: The Tracert -j host-list command-line option is not supported for IPv6.
Pathping

The Pathping tool provides information about network latency and network loss at intermediate hops between a source and destination. For IPv4, Pathping sends multiple ICMPv4 Echo messages to each router between a source and destination over a period of time, and then it computes results based on the packets returned from each router. For IPv6, Pathping sends ICMPv6 Echo Request messages. Because Pathping displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Pathping performs the equivalent of the Tracert tool by identifying which routers are in the path, and then it sends messages periodically to all the routers over a specified time period and computes statistics based on the number returned from each. The Pathping tool in Windows Server 2008 and Windows Vista has been enhanced to support IPv6 in the following ways:

Pathping can parse both IPv4 and IPv6 address formats.
If you specify a target host by name, the addresses returned using Windows name resolution techniques can contain both IPv4 and IPv6 addresses, in which case, by default, an IPv6 address is preferred (subject to source and destination address selection).

The following is an example display of the Pathping tool on a computer running Windows Server 2008 or Windows Vista:

C:\>pathping 2001:db8:1:f282:dd48:ab34:d07c:3914

Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
  0  server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
  1  2001:db8:1:f282:dd48:ab34:d07c:3914

Computing statistics for 25 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  2001:db8:1:f282:dd48:ab34:d07c:3914

Trace complete.
The following Pathping command-line options support IPv6:

-4: Forces Pathping to use an IPv4 address when the DNS name query for a host name returns both IPv4 and IPv6 addresses.
-6: Forces Pathping to use an IPv6 address when the DNS name query for a host name returns both IPv4 and IPv6 addresses.

Note: The Pathping -g host-list command-line option is not supported for IPv6.

Netstat

The Netstat tool displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IPv4 routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), the IPv6 routing table, and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).

Displaying IPv6 Configuration with Netsh

Useful commands to display information about the IPv6 configuration of a computer running Windows Server 2008 and Windows Vista are the following:

Netsh interface ipv6 show interface
Netsh interface ipv6 show address
Netsh interface ipv6 show route
Netsh interface ipv6 show neighbors
Netsh interface ipv6 show destinationcache

Netsh interface ipv6 show interface: This command displays the list of IPv6 interfaces. By default, the interface names containing an asterisk (*) are tunneling interfaces.
Netsh interface ipv6 show address: This command displays the list of IPv6 addresses for each interface.
Netsh interface ipv6 show route: This command displays the list of routes in the IPv6 routing table.
Netsh interface ipv6 show neighbors: This command displays the contents of the neighbor cache, sorted by interface. The neighbor cache stores the link-layer addresses of recently resolved next-hop addresses.
Netsh interface ipv6 show destinationcache: This command displays the contents of the destination cache, sorted by interface. The destination cache stores the next-hop addresses for destination addresses.
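Pathping reports two loss figures per hop, and the point of the tool is telling them apart: the "|" line between two hops is loss on the link itself, while the figure on a router's own line is loss of probes addressed to that router. The following Python script is an added example (not from Microsoft or this page) that parses output in the layout shown above and flags hops whose loss exceeds a threshold. The sample text is constructed, modelled on the display above but with invented loss figures and a second hop so that there is something to flag.

```python
import re

# Constructed sample: same layout as the Pathping display shown on this page,
# but with invented loss figures so that the analysis has something to flag.
SAMPLE_PATHPING = """\
Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
  0  server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
  1  2001:db8:1:f241:2b0:d0ff:fea4:243d
  2  2001:db8:1:f282:dd48:ab34:d07c:3914

Computing statistics for 50 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
                                0/ 100 =  0%   |
  1    1ms    30/ 100 = 30%    30/ 100 = 30%  2001:db8:1:f241:2b0:d0ff:fea4:243d
                               12/ 100 = 12%   |
  2    4ms    12/ 100 = 12%     0/ 100 =  0%  2001:db8:1:f282:dd48:ab34:d07c:3914

Trace complete.
"""

# A hop line: hop number, RTT, "Source to Here" loss, "This Node/Link" loss, address.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<rtt>\d+)ms\s+"
    r"(?P<s_lost>\d+)/\s*(?P<s_sent>\d+)\s*=\s*(?P<s_pct>\d+)%\s+"
    r"(?P<n_lost>\d+)/\s*(?P<n_sent>\d+)\s*=\s*(?P<n_pct>\d+)%\s+"
    r"(?P<addr>\S.*?)\s*$"
)
# A link line ("|") between two hops: loss measured on that link.
LINK_RE = re.compile(r"^\s+(?P<lost>\d+)/\s*(?P<sent>\d+)\s*=\s*(?P<pct>\d+)%\s+\|\s*$")


def parse_pathping(text):
    """Return one record per router hop (hop 0, the source, carries no RTT or
    loss figures and is skipped), with the loss of the link leading into it."""
    hops = []
    link_into_next = None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            link_into_next = int(m.group("pct"))
            continue
        m = HOP_RE.match(line)
        if m:
            hops.append({
                "hop": int(m.group("hop")),
                "rtt_ms": int(m.group("rtt")),
                "source_to_here_pct": int(m.group("s_pct")),
                "node_pct": int(m.group("n_pct")),
                "link_pct": link_into_next,
                "address": m.group("addr"),
            })
            link_into_next = None
    return hops


def find_problems(hops, threshold_pct=5):
    """Classify loss the way the Pathping columns allow: loss on a '|' line is
    loss on that link (the subnet between two routers); loss on the router's own
    line is loss of probes addressed to that router. Node loss with no link loss
    and no increase in downstream loss usually means the router is rate limiting
    its own ICMPv6 replies rather than dropping transit traffic."""
    problems = []
    for h in hops:
        if h["link_pct"] is not None and h["link_pct"] >= threshold_pct:
            problems.append(("link", h["hop"], h["link_pct"]))
        if h["node_pct"] >= threshold_pct:
            problems.append(("node", h["hop"], h["node_pct"]))
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_pathping(SAMPLE_PATHPING)):
        print(problem)
```

In the constructed sample, hop 1 loses 30% of the probes sent to it but the link into it loses nothing and hop 2 sees only 12% loss, so the router at hop 1 is most likely rate limiting replies; the 12% on the link into hop 2, by contrast, is real forwarding loss on that subnet.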
ICMPv6 Overview

Like IPv4, the specification for the Internet Protocol version 6 (IPv6) header and extension headers does not provide facilities for reporting errors. Instead, IPv6 uses an updated version of the Internet Control Message Protocol (ICMP) named ICMP version 6 (ICMPv6). ICMPv6 has the common IPv4 ICMP functions of reporting delivery and forwarding errors and providing a simple echo service for troubleshooting. ICMPv6 is defined in RFC 4443 and is required for an IPv6 implementation. The ICMPv6 protocol also provides a packet structure framework for the following:

Neighbor Discovery: Neighbor Discovery (ND) is a series of five ICMPv6 messages that manage node-to-node communication on a link. ND replaces Address Resolution Protocol (ARP), ICMPv4 Router Discovery, and the ICMPv4 Redirect message.
Multicast Listener Discovery: Multicast Listener Discovery (MLD) is a series of three ICMPv6 messages that are equivalent to the Internet Group Management Protocol (IGMP) for IPv4 for managing subnet multicast membership.

ICMPv6 is also used by other protocols, such as Secure Neighbor Discovery (SEND). SEND is not supported by IPv6 for Windows Vista and Windows Server 2008.

Types of ICMPv6 Messages

There are two types of ICMPv6 messages:

Error messages: Error messages report errors in the forwarding or delivery of IPv6 packets by either the destination node or an intermediate router. The high-order bit of the 8-bit Type field for all ICMPv6 error messages is set to 0. Therefore, valid values for the Type field for ICMPv6 error messages are in the range of 0 through 127. ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded, and Parameter Problem.
Informational messages: Informational messages provide diagnostic functions and additional host functionality, such as MLD and ND. The high-order bit of the 8-bit Type field for all ICMPv6 informational messages is set to 1.
Therefore, valid values for the Type field for ICMPv6 informational messages are in the range of 128 through 255. ICMPv6 informational messages described in RFC 4443 include Echo Request and Echo Reply. There are additional ICMPv6 informational messages defined for Mobile IPv6.

ICMPv6 Error Messages

ICMPv6 error messages report forwarding or delivery errors by either a router or the destination host, and they consist of the following messages:

Destination Unreachable (ICMPv6 Type 1)
Packet Too Big (ICMPv6 Type 2)
Time Exceeded (ICMPv6 Type 3)
Parameter Problem (ICMPv6 Type 4)

To conserve network bandwidth, ICMPv6 error messages are not sent for every error encountered. Instead, ICMPv6 error messages are rate limited. Although not required by RFC 4443, the recommended method for rate limiting ICMPv6 error messages is known as token bucket. There is an average rate of transmission of ICMPv6 error messages that cannot be exceeded. The rate of transmission can be based on a number of ICMPv6 error messages per second or a specified percentage of a link's bandwidth. However, to better handle error notification for bursty traffic, the node can send a number of messages in a burst, provided the number of messages in the burst does not exceed the overall transmission rate.

Destination Unreachable

A router or a destination host sends an ICMPv6 Destination Unreachable message when the packet cannot be forwarded to the destination node or upper-layer protocol. In the Destination Unreachable message, the Type field is set to 1 and the Code field is set to a value in the range of 0 through 6. Following the Checksum field is a 32-bit Unused field and the leading portion of the discarded packet, sized so that the entire IPv6 packet containing the ICMPv6 message is no larger than 1280 bytes (the minimum IPv6 MTU). The number of bytes of the discarded packet included in the message varies if there are IPv6 extension headers present.
For an ICMPv6 message without extension headers, up to 1232 bytes of the discarded packet are included (1280 less a 40-byte IPv6 header and an 8-byte ICMPv6 Destination Unreachable header).

Packet Too Big

A router sends an ICMPv6 Packet Too Big message when the packet cannot be forwarded because the link MTU on the forwarding interface of the router is smaller than the size of the IPv6 packet.

Time Exceeded

A router typically sends an ICMPv6 Time Exceeded message when the Hop Limit field in the IPv6 header becomes zero after decrementing its value during the forwarding process.

ICMPv6 Informational Messages

Echo Request

An IPv6 node sends an ICMPv6 Echo Request message to a destination to solicit an immediate Echo Reply message. The Echo Request/Echo Reply message facility provides a simple diagnostic function to aid in the troubleshooting of a variety of reachability and routing problems.

Echo Reply

An IPv6 node sends an ICMPv6 Echo Reply message in response to the receipt of an ICMPv6 Echo Request message.

Echo Request messages can be sent to a multicast address. As specified in RFC 4443, an Echo Request message sent to a multicast address should be answered with an Echo Reply message, sent from a unicast address assigned to the interface on which the Echo Request was received. The IPv6 protocol for Windows Vista and Windows Server 2008 does not respond to multicast Echo Request messages.
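The ICMPv6 details above (the Type-field split between error and informational messages, the 1280-byte cap on a Destination Unreachable message that leaves room for 1232 bytes of the discarded packet, the pseudo-header checksum, and token-bucket rate limiting of error messages) can all be made concrete in a few dozen lines. The following Python is an added example written for this page, not code from any IPv6 stack; the addresses are documentation-prefix values and the "discarded packet" is constructed filler.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280            # minimum IPv6 link MTU, the size cap for error messages
IPV6_HEADER_LEN = 40
ICMPV6_ERROR_HEADER_LEN = 8    # Type, Code, Checksum, 32-bit Unused field
ICMPV6_NEXT_HEADER = 58
DESTINATION_UNREACHABLE = 1


def is_error_message(icmp_type):
    """RFC 4443 Type classification: high-order bit 0 = error (0..127),
    high-order bit 1 = informational (128..255)."""
    if not 0 <= icmp_type <= 255:
        raise ValueError("ICMPv6 Type is an 8-bit field")
    return (icmp_type & 0x80) == 0


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header (source, destination,
    upper-layer length, zeros, next header = 58) followed by the ICMPv6 message."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_destination_unreachable(src, dst, code, discarded_packet):
    """Build the Destination Unreachable message a node sends about
    discarded_packet. Only as much of the discarded packet is included as keeps
    the whole IPv6 packet (40-byte header + ICMPv6 message) within 1280 bytes."""
    if not 0 <= code <= 6:
        raise ValueError("Destination Unreachable Code is 0 through 6")
    max_included = IPV6_MIN_MTU - IPV6_HEADER_LEN - ICMPV6_ERROR_HEADER_LEN   # 1232
    included = discarded_packet[:max_included]
    unchecksummed = struct.pack("!BBHI", DESTINATION_UNREACHABLE, code, 0, 0) + included
    csum = icmpv6_checksum(src, dst, unchecksummed)
    return struct.pack("!BBHI", DESTINATION_UNREACHABLE, code, csum, 0) + included


def verify_icmpv6(src, dst, message):
    """A received message is intact when the checksum computed over it, with the
    Checksum field left in place, folds to zero."""
    return len(message) >= 4 and icmpv6_checksum(src, dst, message) == 0


class TokenBucket:
    """Token-bucket limiter for error messages: a sustained rate of at most
    rate_per_sec, with bursts of up to `burst` messages allowed."""

    def __init__(self, rate_per_sec, burst):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        """Return True if an error message may be sent at time `now` (seconds)."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


if __name__ == "__main__":
    src, dst = "2001:db8::1", "2001:db8::2"
    msg = build_destination_unreachable(src, dst, 0, bytes(2000))
    print(len(msg) + IPV6_HEADER_LEN, verify_icmpv6(src, dst, msg))
```

A 2000-byte discarded packet produces a 1240-byte ICMPv6 message, which with its 40-byte IPv6 header is exactly 1280 bytes; a node that receives the message checks the checksum before trusting the Code or the quoted packet, and the bucket lets a burst of errors through while holding the long-run rate at `rate_per_sec`.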
IPv6 Neighbor Discovery Overview

Internet Protocol version 6 (IPv6) Neighbor Discovery (ND) is a set of messages and processes defined in RFC 4861 that determine relationships between neighboring nodes. ND replaces Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP) router discovery, and the ICMP Redirect message used in IPv4. ND also provides additional functionality.

ND is used by nodes to do the following:

Resolve the link-layer address of a neighboring node to which an IPv6 packet is being forwarded.
Determine when the link-layer address of a neighboring node has changed.
Determine whether a neighbor is still reachable.

ND is used by hosts to do the following:

Discover neighboring routers.
Autoconfigure addresses, address prefixes, routes, and other configuration parameters.

ND is used by routers to do the following:

Advertise their presence, host configuration parameters, routes, and on-link prefixes.
Inform hosts of a better next-hop address to forward packets for a specific destination.

There are five different ND messages:

Router Solicitation (ICMPv6 type 133)
Router Advertisement (ICMPv6 type 134)
Neighbor Solicitation (ICMPv6 type 135)
Neighbor Advertisement (ICMPv6 type 136)
Redirect (ICMPv6 type 137)

Router Solicitation

The Router Solicitation message is sent by IPv6 hosts to discover the presence of IPv6 routers on the link. A host sends a multicast Router Solicitation message to prompt IPv6 routers to respond immediately, rather than waiting for an unsolicited Router Advertisement message. For example, assuming that the local link is Ethernet, in the Ethernet header of the Router Solicitation message you will find these settings:

The Source Address field is set to the MAC address of the sending network adapter.
The Destination Address field is set to 33-33-00-00-00-02.
In the IPv6 header of the Router Solicitation message, you will find the following settings:

The Source Address field is set to either a link-local IPv6 address assigned to the sending interface or the IPv6 unspecified address (::).
The Destination Address field is set to the link-local scope all-routers multicast address (FF02::2).
The Hop Limit field is set to 255.

Router Advertisement

IPv6 routers send unsolicited Router Advertisement messages pseudo-periodically (that is, the interval between unsolicited advertisements is randomized to reduce synchronization issues when there are multiple advertising routers on a link) and solicited Router Advertisement messages in response to the receipt of a Router Solicitation message. The Router Advertisement message contains the information required by hosts to determine the link prefixes, the link MTU, specific routes, whether or not to use address autoconfiguration, and the duration for which addresses created through address autoconfiguration are valid and preferred. For example, assuming that the local link is Ethernet, in the Ethernet header of the Router Advertisement message you will find these settings:

The Source Address field is set to the MAC address of the sending network adapter.
The Destination Address field is set to either 33-33-00-00-00-01 or the unicast MAC address of the host that sent a Router Solicitation from a unicast address.

In the IPv6 header of the Router Advertisement message, you will find the following settings:

The Source Address field is set to the link-local address assigned to the sending interface.
The Destination Address field is set to either the link-local scope all-nodes multicast address (FF02::1) or the unicast IPv6 address of the host that sent the Router Solicitation message from a unicast address.
The Hop Limit field is set to 255.
Neighbor Solicitation

IPv6 nodes send the Neighbor Solicitation message to discover the link-layer address of an on-link IPv6 node or to confirm a previously determined link-layer address. It typically includes the link-layer address of the sender. Typical Neighbor Solicitation messages are multicast for address resolution and unicast when the reachability of a neighboring node is being verified. For example, assuming that the local link is Ethernet, in the Ethernet header of the Neighbor Solicitation message, you will find the following settings:

The Source Address field is set to the MAC address of the sending network adapter.
For a multicast Neighbor Solicitation message, the Destination Address field is set to the Ethernet MAC address that corresponds to the solicited-node address of the target.
For a unicast Neighbor Solicitation message, the Destination Address field is set to the unicast MAC address of the neighbor.

In the IPv6 header of the Neighbor Solicitation message, you will find these settings:

The Source Address field is set to either a unicast IPv6 address assigned to the sending interface or, during duplicate address detection, the unspecified address (::).
For a multicast Neighbor Solicitation, the Destination Address field is set to the solicited-node address of the target.
For a unicast Neighbor Solicitation, the Destination Address field is set to the unicast address of the target.

Neighbor Advertisement

An IPv6 node sends the Neighbor Advertisement message in response to a Neighbor Solicitation message. An IPv6 node also sends unsolicited Neighbor Advertisements to inform neighboring nodes of changes in link-layer addresses or the node's role. The Neighbor Advertisement contains information required by nodes to determine the type of Neighbor Advertisement message, the sender's role on the network, and typically the link-layer address of the sender.
For example, assuming that the local link is Ethernet, in the Ethernet header of the Neighbor Advertisement message, you will find the following settings:

The Source Address field is set to the MAC address of the sending network adapter.
The Destination Address field is set, for a solicited Neighbor Advertisement, to the unicast MAC address of the initial Neighbor Solicitation sender. For an unsolicited Neighbor Advertisement, the Destination Address field is set to 33-33-00-00-00-01, which is the Ethernet MAC address corresponding to the link-local scope all-nodes multicast address.

In the IPv6 header of the Neighbor Advertisement message, you will find these settings:

The Source Address field is set to a unicast address assigned to the sending interface.
The Destination Address field is set, for a solicited Neighbor Advertisement, to the unicast IP address of the sender of the initial Neighbor Solicitation. For an unsolicited Neighbor Advertisement, the Destination Address field is set to the link-local scope all-nodes multicast address (FF02::1).
The Hop Limit field is set to 255.

Redirect

The Redirect message is sent by an IPv6 router to inform an originating host of a better first-hop address for a specific destination. Redirect messages are sent only by routers for unicast traffic, are unicast only to originating hosts, and are processed only by hosts. For example, assuming that the local link is Ethernet, in the Ethernet header of the Redirect message, you will find the following settings:

The Source Address field is set to the MAC address of the sending network adapter.
The Destination Address field is set to the unicast MAC address of the originating sender.

In the IPv6 header of the Redirect message, you will find these settings:

The Source Address field is set to a unicast address that is assigned to the sending interface.
The Destination Address field is set to the unicast IP address of the originating host.
The Hop Limit field is set to 255.
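The field settings listed for the five ND messages are exactly what a receiving host (or a monitoring sensor on the segment) should check before acting on a message: a Router Advertisement from a non-link-local source, or any ND message with a Hop Limit below 255 (which proves it crossed a router and so cannot have come from a neighbor), is malformed and should be dropped. The following Python is an added example written for this page, not code from Windows or any IPv6 stack. It assumes the ICMPv6 header and IPv6 addresses have already been parsed into a small dict; it also derives the solicited-node multicast address and the 33-33-xx-xx-xx-xx Ethernet mapping used above. Hop Limit 255 is applied to all five messages, as RFC 4861 requires (the text above states it for four of them).

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
UNSPECIFIED = ipaddress.IPv6Address("::")
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}


def solicited_node(addr):
    """Solicited-node multicast address: ff02::1:ff00:0/104 plus the low 24 bits
    of the unicast address being resolved."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))


def ethernet_multicast(addr):
    """Ethernet destination MAC for an IPv6 multicast address: 33-33 followed
    by the low 32 bits of the address (ff02::2 -> 33-33-00-00-00-02)."""
    low = ipaddress.IPv6Address(addr).packed[-4:]
    return "33-33-" + "-".join("%02X" % b for b in low)


def _unicast(a):
    return not a.is_multicast and a != UNSPECIFIED


def validate_nd(msg):
    """msg: dict with icmp_type, hop_limit, src, dst and (for type 135) target,
    as parsed from a received packet. Returns the list of violations of the
    field settings described above; an empty list means the message passes."""
    problems = []
    t = msg["icmp_type"]
    if t not in ND_TYPES:
        return ["ICMPv6 type %d is not a Neighbor Discovery message" % t]
    src = ipaddress.IPv6Address(msg["src"])
    dst = ipaddress.IPv6Address(msg["dst"])
    # Every ND message is sent with Hop Limit 255; a lower value means a router
    # decremented it, so the packet did not originate on this link.
    if msg["hop_limit"] != 255:
        problems.append("hop limit %d, expected 255" % msg["hop_limit"])
    if t == 133:
        if not (src.is_link_local or src == UNSPECIFIED):
            problems.append("RS source must be link-local or ::")
        if dst != ALL_ROUTERS:
            problems.append("RS destination must be ff02::2")
    elif t == 134:
        if not src.is_link_local:
            problems.append("RA source must be the router's link-local address")
        if dst != ALL_NODES and not _unicast(dst):
            problems.append("RA destination must be ff02::1 or the soliciting host")
    elif t == 135:
        target = ipaddress.IPv6Address(msg["target"])
        if src == UNSPECIFIED:
            # Duplicate address detection: the sender has no address yet, so the
            # NS must be multicast to the target's solicited-node group.
            if dst != solicited_node(target):
                problems.append("DAD NS destination must be the solicited-node address of the target")
        elif not _unicast(src):
            problems.append("NS source must be unicast or ::")
        elif dst != solicited_node(target) and dst != target:
            problems.append("NS destination must be the solicited-node address or the unicast target")
    elif t == 136:
        if not _unicast(src):
            problems.append("NA source must be a unicast address of the sender")
        if dst != ALL_NODES and not _unicast(dst):
            problems.append("NA destination must be unicast or ff02::1")
    elif t == 137:
        if not _unicast(src):
            problems.append("Redirect source must be a unicast router address")
        if not _unicast(dst):
            problems.append("Redirect destination must be the originating host")
    return problems


if __name__ == "__main__":
    # Constructed Neighbor Solicitation as sent during duplicate address detection.
    ns = {"icmp_type": 135, "hop_limit": 255, "src": "::",
          "dst": str(solicited_node("2001:db8:1:f282:dd48:ab34:d07c:3914")),
          "target": "2001:db8:1:f282:dd48:ab34:d07c:3914"}
    print(ns["dst"], ethernet_multicast(ns["dst"]), validate_nd(ns))
```

For the target address used in the Ping example earlier, the solicited-node address is ff02::1:ff7c:3914 and the frame goes to 33-33-FF-7C-39-14, which is what a capture on the segment would show for address resolution of that host.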
Neighbor Discovery Processes

The ND protocol provides message exchanges for the following processes:

Address resolution (including duplicate address detection)
Router discovery (includes prefix and parameter discovery)
Neighbor unreachability detection
Redirect function

Transition Strategies

One nice feature of moving your network to IPv6 is that you don't have to do it all in one step. Various migration strategies support both IPv4 and IPv6 as you migrate from the former to the latter. The most common transition methods are listed in the following table.

Transition Method: Description

Dual stacking: Devices such as PCs and routers run both IPv4 and IPv6, and thus have two sets of addresses.

Manual IPv6-over-IPv4 (6to4) tunneling: IPv6 packets are tunneled across an IPv4 network by encapsulating them in IPv4 packets. This requires routers configured with dual stacks.

Dynamic 6to4 tunneling: Allows IPv6 localities to connect to other IPv6 localities across an IPv4 backbone, such as the Internet, automatically. This method applies a unique IPv6 prefix to each locality without having to retrieve IPv6 addressing information from address registries or ISPs.

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling: Uses virtual links to connect IPv6 localities together within a site that is primarily using IPv4. Boundary routers between the two addressing types must be configured with dual stacks.

Teredo tunneling: Instead of using routers to tunnel packets, Teredo tunneling has the hosts perform the tunneling. This requires the hosts to be configured with dual stacks. It is commonly used to move packets through an IPv4 address translation device.

NAT Proxying and Translation (NAT-PT): Has an address translation device translate addresses between an IPv6 and IPv4 network and vice versa.

Dual Stacking

In dual stacking, a device runs both protocol stacks: IPv4 and IPv6. Of all the transition methods, this is the most common one.
Dual stacking can be accomplished on the same interface or on different interfaces of the device. The figure shows an example of dual stacking on a router, where Network A has a mixture of devices configured for the two different protocols and the router is configured in dual-stack mode. Older IPv4-only applications can still work while they are migrated to IPv6 by supporting newer APIs that handle IPv6 addresses and DNS lookups with IPv6 addresses. The main disadvantage of dual stacking on a segment is that devices configured using only one stack must forward their traffic to a dual-stacked device, such as a router, which must then forward the traffic back to the same segment using the other stack. This is an inefficient use of bandwidth, but it does allow devices using both protocol stacks to coexist on the same network segment.

How to Configure a Cisco Router with IPv6

In our previous article we learnt a lot about the transition from IPv4 to IPv6. In this tutorial we will configure a Cisco router with the transition methods discussed in the previous article.

Dual Stacking

This is the most common type of migration strategy because, well, it's the easiest on us: it allows our devices to communicate using either IPv4 or IPv6. Dual stacking lets you upgrade your devices and applications on the network one at a time. As more and more hosts and devices on the network are upgraded, more of your communication will happen over IPv6, and after you've arrived (everything's running on IPv6), you get to remove all the old IPv4 protocol stacks you no longer need. Plus, configuring dual stacking on a Cisco router is amazingly easy: all you have to do is enable IPv6 forwarding and apply an address to the interfaces already configured with IPv4.
It will look something like this:

Router(config)#ipv6 unicast-routing
Router(config)#interface fastethernet 0/0
Router(config-if)#ipv6 address 2001:db8:3c4d:1::/64 eui-64
Router(config-if)#ip address 192.168.255.1 255.255.255.0

You can read more about dual stacking in our previous article.

6to4 Tunneling

6to4 tunneling is really useful for carrying IPv6 data over a network that's still IPv4. It's quite possible that you'll have IPv6 subnets or other portions of your network that are all IPv6, and those networks will have to communicate with each other. Not so complicated, but when you consider that you might find this happening over a WAN or some other network that you don't control, well, that could be a bit ugly. So what do we do about this if we don't control the whole network? Create a tunnel that will carry the IPv6 traffic for us across the IPv4 network, that's what. The whole idea of tunneling isn't a difficult concept, and creating tunnels really isn't as hard as you might think. All it really comes down to is snatching the IPv6 packet that's happily traveling across the network and sticking an IPv4 header onto the front of it.
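"Sticking an IPv4 header onto the front of it" is literally what an ipv6ip tunnel does: the whole IPv6 packet becomes the payload of an IPv4 datagram with protocol number 41, and the peer strips that header off again. The following Python is an added example written for this page, not Cisco or Windows code, that performs the encapsulation and the receive-side checks (IPv4 header checksum, protocol 41, and the configured tunnel peer as source, since a manual tunnel should only accept packets from its tunnel destination). It also derives the 6to4 prefix that the dynamic 6to4 method in the transition table assigns from a site's IPv4 address, and the ISATAP link-local address (fe80::5efe:w.x.y.z) of the form shown in the ipconfig output earlier. The tunnel endpoints are the 192.168.30.1 and 192.168.40.1 addresses used in the router configuration; the IPv6 packet is constructed filler.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IPv4 protocol number carrying an IPv6 packet (ipv6ip tunnel mode)


def six_to_four_prefix(ipv4):
    """6to4: the site prefix 2002:WWXX:YYZZ::/48 is derived from the site's IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_link_local(ipv4):
    """ISATAP link-local address fe80::5efe:w.x.y.z: the interface ID embeds the
    IPv4 address behind the 0000:5efe marker (the form shown in the ipconfig output)."""
    iid = (0x5EFE << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)


def _checksum16(data):
    """Internet checksum (ones'-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_ipv6_packet(src, dst, payload, next_header=59, hop_limit=64):
    """Minimal IPv6 packet (40-byte header + payload); 59 = No Next Header."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def encapsulate_ipv6ip(ipv6_packet, tunnel_src, tunnel_dst, ttl=64, ident=0):
    """Prepend an IPv4 header with protocol 41, as the tunnel interface does
    before handing the packet to the IPv4 network."""
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    total_len = 20 + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(tunnel_src).packed,
                      ipaddress.IPv4Address(tunnel_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum16(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate_ipv6ip(ipv4_packet, expected_src=None):
    """Strip the IPv4 header and return the inner IPv6 packet, or None if the
    datagram is not a well-formed protocol-41 packet from the expected tunnel peer."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4
    if ihl < 20 or len(ipv4_packet) < ihl or _checksum16(ipv4_packet[:ihl]) != 0:
        return None
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    if ipv4_packet[9] != IPPROTO_IPV6 or total_len > len(ipv4_packet):
        return None
    src = str(ipaddress.IPv4Address(ipv4_packet[12:16]))
    if expected_src is not None and src != expected_src:
        return None
    inner = ipv4_packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return inner


if __name__ == "__main__":
    inner = make_ipv6_packet("2001:db8:1:1::1", "2001:db8:2:2::1", b"hello")
    outer = encapsulate_ipv6ip(inner, "192.168.30.1", "192.168.40.1")
    print(len(outer), outer[9], decapsulate_ipv6ip(outer, "192.168.30.1") == inner)
    print(six_to_four_prefix("192.168.30.1"), isatap_link_local("131.107.25.1"))
```

The receive side is where the defensive checks live: anything that is not protocol 41, fails the header checksum, or does not come from the configured tunnel destination is rejected before the inner packet is looked at.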
To configure the tunnel on each router:

Router1(config)#int tunnel 0
Router1(config-if)#ipv6 address 2001:db8:1:1::1/64
Router1(config-if)#tunnel source 192.168.30.1
Router1(config-if)#tunnel destination 192.168.40.1
Router1(config-if)#tunnel mode ipv6ip

Router2(config)#int tunnel 0
Router2(config-if)#ipv6 address 2001:db8:2:2::1/64
Router2(config-if)#tunnel source 192.168.40.1
Router2(config-if)#tunnel destination 192.168.30.1
Router2(config-if)#tunnel mode ipv6ip

Configuring Cisco Routers with IPv6

To use IPv6 on your router, you must, at a minimum, enable the protocol and assign IPv6 addresses to your interfaces, like this:

Router(config)# ipv6 unicast-routing
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ipv6 address ipv6_address_prefix/prefix_length [eui-64]

The ipv6 unicast-routing command globally enables IPv6 and must be the first IPv6 command executed on the router. The ipv6 address command assigns the prefix, the length, and the use of EUI-64 to assign the interface ID. Optionally, you can omit the eui-64 parameter and configure the entire IPv6 address. You can use the show ipv6 interface command to verify an interface's configuration. Here's an example configuration, with its verification:

Router(config)# ipv6 unicast-routing

By default, IPv6 traffic forwarding is disabled, so using this command enables it. Also, as you've probably guessed, IPv6 isn't enabled by default on any interfaces either, so we have to go to each interface individually and enable it. There are a few different ways to do this, but a really easy way is to just add an address to the interface. You use the interface configuration command ipv6 address <ipv6prefix>/<prefix-length> [eui-64] to get this done.
Router(config)# interface fastethernet0/0
Router(config-if)# ipv6 address 2001:1cc1:dddd:2::/64 eui-64
Router(config-if)# end
Router# show ipv6 interface fastethernet0/0
FastEthernet0/0 is administratively down, line protocol is down
  IPv6 is enabled, link-local address is FE80::207:EFF:FE46:4070 [TEN]
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:1CC1:DDDD:2:207:EFF:FE46:4070, subnet is 2001:1CC1:DDDD:2::/64 [EUI/TEN]
  Joined group address(es):
    FF02::1
    FF02::2

To set up a static DNS resolution table on the router, use the ipv6 host command; you can also specify a DNS server with the ip name-server command:

Router(config)# ipv6 host hostname [port_#] ipv6_address1 [ipv6_address2…]
Router(config)# ip name-server DNS_server_IPv6_address

The ip name-server command can be used to assign both IPv4 and IPv6 DNS servers.

Routing and IPv6

As in IPv4, routers in IPv6 find the best paths to destinations based on metrics and administrative distances; and like IPv4, IPv6 routers look for the longest matching prefix in the IPv6 routing table to forward a packet to its destination. The main difference is that the IPv6 router is looking at 128 bits when making a routing decision instead of 32 bits.

RIPng

Routing Information Protocol next generation (RIPng) is actually similar to RIP for IPv4, with these characteristics:

It's a distance vector protocol.
The hop-count limit is 15.
Split horizon and poison reverse are used to prevent routing loops.
It is based on RIPv2.

Cisco routers running 12.2(2)T and later support RIPng. These are the enhancements in RIPng:

An IPv6 packet is used to transport the routing update.
The ALL-RIP routers multicast address (FF02::9) is used as the destination address in routing advertisements and is delivered to UDP port 521.
Routing updates contain the IPv6 prefix of the router and the next-hop IPv6 address.

Enabling RIPng is a little bit different than enabling RIP for IPv4.
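The show ipv6 interface output above makes the eui-64 keyword visible: the prefix 2001:1CC1:DDDD:2::/64 has been combined with an interface ID built from the interface's MAC address. The following Python is an added example written for this page, not Cisco code, that performs the same modified EUI-64 derivation. The MAC address 0007.0e46.4070 is an assumption inferred from the output (the only MAC that yields the interface ID 207:EFF:FE46:4070); working the derivation backwards is also shown, because an EUI-64 address exposes the hardware address to every peer, which is the reason the temporary addresses with random interface IDs described in the ipconfig section exist.

```python
import ipaddress
import re


def _mac_bytes(mac):
    """Accept 00:07:0E:46:40:70, 00-07-0e-46-40-70 or Cisco's 0007.0e46.4070."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("MAC address must contain 12 hex digits")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC in the middle, insert FF-FE, and
    invert the universal/local bit (bit 1 of the first byte: 00 -> 02)."""
    b = _mac_bytes(mac)
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return int.from_bytes(iid, "big")


def eui64_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface ID, which is what
    `ipv6 address <prefix>/64 eui-64` does on the router."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_from_mac(mac):
    """The FE80::/64 link-local address the interface derives from the same MAC."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(addr):
    """Recover the MAC if the address looks EUI-64 derived (FF-FE in the middle
    of the interface ID); return None otherwise, e.g. for a temporary address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % x for x in b)


if __name__ == "__main__":
    mac = "0007.0e46.4070"   # assumed MAC, inferred from the show output above
    print(eui64_address("2001:1cc1:dddd:2::/64", mac), link_local_from_mac(mac))
    print(mac_from_eui64("2001:1cc1:dddd:2:207:eff:fe46:4070"))
```

With that MAC the script reproduces both addresses in the show output, the global 2001:1CC1:DDDD:2:207:EFF:FE46:4070 and the link-local FE80::207:EFF:FE46:4070, and mac_from_eui64 returns None for the randomly derived addresses in the earlier Ping example.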
First, you use the ipv6 router rip tag command to enable RIPng globally:

Router(config)# ipv6 router rip tag

This takes you into a subcommand mode, where you can change some of the global values for RIPng, such as disabling split horizon, the administrative distance, and timers. The tag is a locally significant identifier used to differentiate between multiple RIP processes running on the router. Unlike RIP for IPv4, there is no network command to include interfaces in RIPng. Instead, you must enable RIPng on a per-interface basis with the ipv6 rip tag enable command:

Router(config)# interface type [slot_#/]port_#
Router(config-if)# ipv6 rip tag enable

The tag parameter associates the interface with the correct RIPng routing process. To view the routing protocol configuration, use the show ipv6 rip command:

Router# show ipv6 rip
RIP process "RIPPROC1", port 521, multicast-group FF02::9, pid 187
     Administrative distance is 120. Maximum paths is 16
     Updates every 30 seconds, expire after 180
     Holddown lasts 0 seconds, garbage collect after 120
     Split horizon is on; poison reverse is off
     Default routes are not generated
     Periodic updates 2, trigger updates 0
  Interfaces:
    FastEthernet0/0
  Redistribution:
    None

In this example, the tag is RIPPROC1 for the name of the RIPng routing process, and RIPng is enabled on FastEthernet0/0. To view the IPv6 routing table for RIPng, use the show ipv6 route rip command.

EIGRPv6

As with RIPng, EIGRPv6 works much the same as its IPv4 predecessor does; most of the features that EIGRP provided before EIGRPv6 will still be available. EIGRPv6 is still an advanced distance-vector protocol that has some link-state features. The neighbor discovery process using hellos still happens, and it still provides reliable communication with the reliable transport protocol that gives us loop-free fast convergence using the Diffusing Update Algorithm (DUAL).
Hello packets and updates are sent using multicast transmission, and as with RIPng, EIGRPv6's multicast address stayed almost the same. In IPv4 it was 224.0.0.10; in IPv6, it's FF02::A (A = 10 in hexadecimal notation). But obviously, there are differences between the two versions. Most notably, and just as with RIPng, the use of the network command is gone, and the network and interface to be advertised must be enabled from interface configuration mode. But you still have to use the router configuration mode to enable the routing protocol in EIGRPv6, because the routing process must be literally turned on like an interface with the no shutdown command. The configuration for EIGRPv6 is going to look like this:

Router1(config)#ipv6 router eigrp 12

The 12 in this case is still the autonomous system (AS) number. The prompt changes to (config-rtr), and from here you must perform a no shutdown:

Router1(config-rtr)#no shutdown

Other options can also be configured in this mode, like redistribution. So now, let's go to the interface and enable IPv6:

Router1(config-if)#ipv6 eigrp 12

The 12 in the interface command again references the AS number that was enabled in router configuration mode. Last to check out in our group is what OSPF looks like in the IPv6 routing protocol.

OSPFv3

The new version of OSPF continues the trend of the routing protocols having many similarities with their IPv4 versions. The foundation of OSPF remains the same: it is still a link-state routing protocol that divides an entire internetwork or autonomous system into areas, making a hierarchy. In OSPF version 2, the router ID (RID) is determined by the highest IP address assigned to the router (or you could assign it). In version 3, you assign the RID, area ID, and link-state ID, which are all still 32-bit values but are not found using the IP address anymore, because an IPv6 address is 128 bits.
Changes regarding how these values are assigned, along with the removal of the IP address information from OSPF packet headers, make the new version of OSPF capable of being routed over almost any Network layer protocol. Adjacencies and next-hop attributes now use link-local addresses, and OSPFv3 still uses multicast traffic to send its updates and acknowledgments, with the addresses FF02::5 for OSPF routers and FF02::6 for OSPF-designated routers. These new addresses are the replacements for 224.0.0.5 and 224.0.0.6, respectively. Other, less flexible IPv4 protocols don't give us the ability that OSPFv2 does to assign specific networks and interfaces into the OSPF process; however, this is something that is still configured under the router configuration process. And with OSPFv3, just as with the other IPv6 routing protocols we have talked about, the interfaces and therefore the networks attached to them are configured directly on the interface in interface configuration mode. The configuration of OSPFv3 is going to look like this:

Router1(config)#ipv6 router ospf 10
Router1(config-rtr)#router-id 1.1.1.1

You get to perform some configurations from router configuration mode, like summarization and redistribution, but we don't even need to configure OSPFv3 from this prompt if we configure OSPFv3 from the interface. When the interface configuration is completed, the router configuration process is added automatically, and the interface configuration looks like this:

Router1(config-if)#ipv6 ospf 10 area 0.0.0.0

So, if we just go to each interface and assign a process ID and area, poof, we are done.
© Copyright 2024