What Is a Network?
The first assignment in understanding how to build a computer network is defining what a network is and
understanding how it is used to help a business meet its objectives.
Network is a combination of computer hardware, cabling, network devices, and computer software used together to
allow computers to communicate with each other.
Or
A network is basically all of the components (hardware and software) involved in connecting computers across
small and large distances. Networks are used to provide easy access to information, thus increasing productivity for
users.
Network Characteristics
The following characteristics should be considered in network design and ongoing maintenance:
п‚· Availability : Availability is typically measured in a percentage based on the number of minutes that exist in a
year. Therefore, uptime would be the number of minutes the network is available divided by the number of
minutes in a year.
п‚· Cost : includes the cost of the network components, their installation, and their ongoing maintenance.
п‚· Reliability : defines the reliability of the network components and the connectivity between them. Mean time
between failures (MTBF) is commonly used to measure reliability.
п‚· Security : includes the protection of the network components and the data they contain and/or the data
transmitted between them.
п‚· Speed : includes how fast data is transmitted between network end points (the data rate).
п‚· Scalability : defines how well the network can adapt to new growth, including new users, applications, and
network components.
п‚· Topology : describes the physical cabling layout and the logical way data moves between components.
Many different types and locations of networks exist. You might use a network in your home or home office to
communicate via the Internet, to locate information, to place orders for merchandise, and to send messages to friends.
You might have work in a small office that is set up with a network that connects other computers and printers in the
office. You might work in a large enterprise in which many computers, printers, storage devices, and servers
communicate and store information from many departments over large geographic areas.
Networks carry data in many types of environments, including homes, small businesses, and large enterprises. In
a large enterprise, a number of locations might need to Communicate with each other, and you can describe those
locations as follows:
Corporate office: A Corporate or main office is a site where everyone is connected via a network and where the bulk
of corporate information is located. A Corporate office can have hundreds or even thousands of people who depend
on network access to do their jobs. A main office might use several connected networks, which can span many floors
in an office building or cover a campus that contains several buildings.
Remote locations: A variety of remote access locations use networks to connect to the main office or to each other.
Branch offices: In branch offices, smaller groups of people work and communicate with each other via a network.
Although some corporate information might be stored at a branch office, it is more likely that branch offices have
local network resources, such as printers, but must access information directly from the main office.
Home offices: When individuals work from home, the location is called a home office. Home office workers often
require on-demand connections to the main or branch offices to access information or to use network resources such
as file servers.
Mobile users: Mobile users connect to the main office network while at the main office, at the branch office, or
traveling. The network access needs of mobile users are based on where the mobile users are located.
Network Components
All of these networks share many common components. As we describe in definition that network is basically
sharing of information via network components. So network component play a major role in designing and
maintaining network. Some most essential network components listed here.
Network Components
Applications
network-aware
network unaware
Protocols
open standard
proprietary
Computer
Windows, Macintosh OS, UNIX, Linux,
Networking Devices hubs, bridges, switches, routers, firewalls, wireless access points, modems
Media types
copper, coaxial, utp, fiber cabling
Network security :
Security is a fundamental component of every network design. When planning, building, and operating a network,
you should understand the importance of a strong security policy.
Network Security: A security policy defines what people can and can’t do with network components and resources.
Need for Network Security: In the past, hackers were highly skilled programmers who understood the details of
computer communications and how to exploit vulnerabilities. Today almost anyone can become a hacker by
downloading tools from the Internet. These complicated attack tools and generally open networks have generated an
increased need for network security and dynamic security policies.
The easiest way to protect a network from an outside attack is to close it off completely from the outside
world. A closed network provides connectivity only to trusted known parties and sites; a closed network does not
allow a connection to public networks.
Because they have no Internet connectivity, networks designed in this way can be considered safe from
Internet attacks. However, internal threats still exist. There is a estimates that 60 to 80 percent of network misuse
comes from inside the enterprise where the misuse has taken place.
With the development of large open networks, security threats have increased significantly in the past 20 years.
Hackers have discovered more network vulnerabilities, and because you can now download applications that require
little or no hacking knowledge to implement, applications intended for troubleshooting and maintaining and
optimizing networks can, in the wrong hands, be used maliciously and pose severe threats.
An adversary: A person that is interested in attacking your network; his motivation can range from gathering or
stealing information, creating a DoS, or just for the challenge of it
Types of attack:
Classes of attack might include passive monitoring of communications, active network attacks, close-in attacks,
exploitation by insiders, and attacks through the service provider. Information systems and networks offer attractive
targets and should be resistant to attack from the full range of threat agents, from hackers to nation-states. A system
must be able to limit damage and recover rapidly when attacks occur.
There are five types of attack:
Passive Attack: A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive
information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of
unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as
passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks
result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.
Active Attack: In an active attack, the attacker tries to bypass or break into secured systems. This can be done
through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection
features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network
backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user
during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS,
or modification of data.
Distributed Attack : A distributed attack requires that the adversary introduce code, such as a Trojan horse or backdoor program, to a ―trusted‖ component or software that will later be distributed to many other companies and users
Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution.
These attacks introduce malicious code such as a back door to a product to gain unauthorized access to information or
to a system function at a later date.
Insider Attack : An insider attack involves someone from the inside, such as a disgruntled employee, attacking the
network Insider attacks can be malicious or no malicious. Malicious insiders intentionally eavesdrop, steal, or damage
information; use information in a fraudulent manner; or deny access to other authorized users. No malicious attacks
typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as
performing a task
Close-in Attack : A close-in attack involves someone attempting to get physically close to network components, data,
and systems in order to learn more about a network Close-in attacks consist of regular individuals attaining close
physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to
information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.
Mitigating Common Threats
Improper and incomplete network device installation is an often-overlooked security threat that, if left unaddressed,
can have terrible results. Software-based security measures alone cannot prevent intended or even accidental network
damage caused by poor installation. Now we will describe how to mitigate common security threats to Server Routers
and Switches.
Physical Installations: Physical installations involve four types of threats:
Hardware, electrical, environmental, and maintenance.
Hardware threats: Hardware threats involve threats of physical damage to the router or switch hardware. Missioncritical Cisco network equipment should be located in wiring closets or in computer or telecommunications rooms that
meet these minimum requirements:
п‚· The room must be locked with only authorized personnel allowed access.
п‚· The room should not be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry
other than the secured access point.
п‚· If possible, use electronic access control with all entry attempts logged by security systems and monitored by
security personnel.
п‚· If possible, security personnel should monitor activity via security cameras with automatic recording.
Hardware threats involve physical damage to network components, such as servers, routers, and switches.
Electrical threats : Electrical threats include irregular fluctuations in voltage, such as brownouts and voltage spikes,
Electrical threats, such as voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and
total power loss, can be limited by adhering to these guidelines:
п‚· Install uninterruptible power supply (UPS) systems for mission-critical Cisco network devices.
п‚· Install backup generator systems for mission-critical supplies.
п‚· Plan for and initiate regular UPS or generator testing and maintenance procedures based on the manufacturersuggested preventative maintenance schedule.
п‚· Install redundant power supplies on critical devices.
п‚· Monitor and alarm power-related parameters at the power supply and device levels.
Environmental threats: Environmental threats include very low or high temperatures, moisture, electrostatic, and
magnetic Interference Environmental threats, such as temperature extremes (too hot or too cold) or humidity extremes
(too wet or too dry), also require mitigation.
Take these actions to limit environmental damage to Cisco network devices:
п‚· Supply the room with dependable temperature and humidity control systems. Always verify the recommended
environmental parameters of the Cisco network equipment with the supplied product documentation.
п‚· Remove any sources of electrostatic and magnetic interference in the room.
п‚· If possible, remotely monitor and alarm the environmental parameters of the room.
Maintenance threats : Maintenance threats include not having backup parts or components for critical network
components; not labeling components and their cabling correctly Maintenance threats include poor handling of key
electronic components, electrostatic discharge (ESD), lack of critical spares, poor cabling, poor labeling, and so on.
Maintenance-related threats are a broad category that includes many items. Follow the general rules listed here to
prevent maintenance-related threats:
п‚· Clearly label all equipment cabling and secure the cabling to equipment racks to prevent accidental damage,
disconnection, or incorrect termination.
п‚· Use cable runs, raceways, or both to traverse rack-to-ceiling or rack-to-rack connections.
п‚· Always follow ESD procedures when replacing or working with internal router and switch device
components.
п‚· Maintain a stock of critical spares for emergency use.
п‚· Do not leave a console connected to and logged into any console port. Always log off administrative
interfaces when leaving a station.
п‚· Do not rely upon a locked room as the only necessary protection for a device. Always remember that no room
is ever totally secure. After intruders are inside a secure room, nothing is left to stop them from connecting a
terminal to the console port of a Cisco router or switch.
OSI Reference Model
The OSI reference model is the primary model for network communications. The early development of
LANs, MANs, and WANs was confused in many ways. The early 1980s saw great increases in the number and sizes
of networks. As companies realized that they could save money and gain productivity by using networking
technology, they added networks and expanded existing networks as rapidly as new network technologies and
products were introduced.
In 1984, the International Organization for Standardization (ISO) developed the OSI Reference Model to
describe how information is transferred from one networking component to another, from the point when a user enters
information using a keyboard and mouse to when that information is converted to electrical or light signals transferred
along a piece of wire (or radio waves transferred through the air).
ISO developed the seven-layer model to help vendors and network administrators gain a better understanding
of how data is handled and transported between networking devices, as well as to provide a guideline for the
implementation of new networking standards and technologies. To assist in this process, the OSI Reference Model
separates the network communication process into seven simple layers.
Dividing the network into these seven layers provides these advantages:
Reduces complexity: It breaks network communication into smaller, simpler parts. It divides the network
communication process into smaller and simpler components, thus aiding component development, design, and
troubleshooting.
Standardizes interfaces: It standardizes network components to allow multiple vendor development and support.
Facilitates modular engineering: It allows different types of network hardware and software to communicate with
each other.
Interoperability between Vendors : It allows multiple-vendor development through standardization of network
components. Defines the process for connecting two layers together, promoting interoperability between vendors It
Allows vendors to compartmentalize their design efforts to fit a modular design, which eases implementations and
simplifies troubleshooting
Ensures interoperable technology: It prevents changes in one layer from affecting the other layers, allowing for
quicker development.
Accelerates evolution: It provides for effective updates and improvements to individual components without
affecting other components or having to rewrite the entire protocol.
Simplifies teaching and learning: It breaks network communication into smaller components to make learning
easier. Provides a teaching tool to help network administrators understand the communication process used between
networking components.
OSI Reference Model
Each OSI layer contains a set of functions performed by programs to enable data to travel from a source to a
destination on a network. In our pervious article I told you the advantage of OSI model.
advantage of OSI model
In this article I will provide brief descriptions of each layer in the OSI reference model.
Application Layer
The application layer is the OSI layer that is closest to the user. This layer provides network services to the user's
applications. It differs from the other layers in that it does not provide services to any other OSI layer, but only to
applications outside the OSI reference model. Applications layer provide a platform to access the data of remote
computer.
The application layer protocols that you should know are as follows:
п‚· SNMP (Simple Network Management Protocol): Communicates status and allows control of networked
devices.
п‚· TFTP (Trivial File Transfer Protocol): Simple, lightweight file-transfer.
п‚· DNS (Domain Naming System): Translates a website name (easy for people) to an IP address (easy for
computers).
п‚·
п‚·
п‚·
п‚·
п‚·
п‚·
п‚·
DHCP (Dynamic Host Configuration Protocol): Assigns IP, mask, and DNS server (plus a bunch of other
stuff) to hosts.
Telnet: Provides a remote terminal connection to manage devices to which you are not close enough to use a
console cable.
HTTP (Hypertext Transfer Protocol): Browses web pages.
FTP (File Transfer Protocol): Reliably sends/retrieves all file types.
SMTP (Simple Mail Transfer Protocol): Sends email.
POP3 (Post Office Protocol v.3): Retrieves email.
NTP (Network Time Protocol): Synchronizes networked device clocks.
Presentation layer
The presentation layer is responsible for formatting data so that application-layer protocols (and then the users) can
recognize and work with it. Presentation layer format the file extensions, such as .doc, .jpg, .txt, .avi, and so on. you
realize that each of these file types is formatted for use by a particular type of application. The presentation layer
taking the application layer data and marking it with the formatting codes so that it can be viewed reliably when
accessed later. If necessary, the presentation layer might be able to translate between multiple data formats by using a
common format.
The Session Layer
The session layer establishes, manages, and terminates sessions between two communicating hosts. It provides its
services to the presentation layer. The session layer also synchronizes dialogue between the presentation layers of the
two hosts and manages their data exchange. For example, web servers have many users, so many communication
processes are open at a given time. Therefore, keeping track of which user communicates on which path is important.
Transport Layer
The transport layer is possibly the most important layer for exam study purposes. A lot is going on here, and it is
heavily tested. The transport layer's main jobs
п‚· It sets up and maintains a session connection between two devices.
п‚· It can provide for the reliable or unreliable delivery of data across this connection.
п‚· It multiplexes connections, allowing multiple applications to simultaneously send and receive data. When
п‚· Implementing a reliable connection, sequence numbers and acknowledgments (ACKs) are used.
п‚· Flow control (through the use of windowing or acknowledgements)
п‚· Reliable connections (through the use of sequence numbers and Acknowledgement )
Transport layer use two protocols for sending data TCP and UDP.
TCP
TCP is connection oriented protocols. Connection-oriented transmission is said to be reliable. Thinks TCP as registry
AD facility available in Indian post office. For this level of service, you have to buy extra ticket and put a bunch of
extra labels on it to track where it is going and where it has been. But, you get a receipt when it is delivered, you are
guaranteed delivery, and you can keep track of whether your shipment got to its destination. All of this costs you
more—but it is reliable!
UDP
UDP is connection less protocols. Connection-less transmission is said to be unreliable. Now, don't get too wrapped
up in the term "unreliable" this doesn't mean that the data isn't going to get there; it only means that it isn't guaranteed
to get there. Think of your options when you are sending a postcard, put it in the mailbox, and chances are good that it
will get where it's supposed to go—but there is no guarantee, and stuff does go missing once in a while. On the other
hand, it's cheap.
The transport layer can use two basic flow control methods:
п‚· Ready/not ready signals
п‚· Windowing
There are two problems with the use of ready/not ready signals to implement flow control.
First, the destination may respond to the source with a not ready signal when its buffer fills up. While this message is
on its way to the source, the source is still sending information to the destination, which the destination will probably
have to drop because its buffer space is full.
The second problem with the use of these signals is that once the destination is ready to receive more information, it
must first send a ready signal to the source, which must receive it before more information can be sent.In many
implementations, the window size is dynamically negotiated up front and can be renegotiated during the lifetime of
the connection.
In windowing a window size is defined between two host engaged in data transmission. And sender host will wait for
an acknowledgement signal after sending the segments equal to window size. If any packet lost in way receiver will
respond with acknowledgement for lost packet. And sender will send lost packet again.
Reliability
When reliability is necessary, it should cover these four items:
п‚· recognizing lost packets and having them re-sent
п‚· recognizing packets that arrive out of order and reordering them
п‚· detecting duplicate packets and dropping the extra ones
п‚· Avoiding congestion
Connection Multiplexing/Application Mapping
Transport layer assigns a unique set of numbers for each connection. These numbers are called port or socket
numbers. TCP, and UDP, provide a multiplexing function for a device: This allows multiple applications to
simultaneously send and receive data.
Imagine a server that performs a number of functions—for example email, web pages, FTP, and DNS. The server has
a single IP address, but can perform all these different functions for all the hosts that want to connect to it. The
transport layer (layer 4) uses port numbers to distinguish between different types of traffic that might be headed for
the same IP address.
Port numbers are divided into ranges by the IANA. Following are the current port ranges:
Port number
descriptions
0–1023
Well-Known—For common TCP/IP functions and applications
1024–49151
Registered—For applications built by companies
Dynamic/Private—For dynamic connections or unregistered
49152–65535
applications
Common TCP and UDP Port Numbers
FTP
Telnet
SMTP
DNS
HTTP
POP
NNTP
HTTPS
TCP
20, 21
23
25
53
80
110
119
443
DNS
DHCP
TFTP
NTP
SNMP
UDP
53
67,68
69
123
161
Network Layer
The network layer provides a logical topology and layer-3 addresses. Routers function at the network layer. This layer
is responsible for three main functions:
п‚· Defines logical addresses used at layer-3
п‚· Finds paths, based on the network numbers of logical addresses, to reach destination devices
п‚· Connects different data link types together, such as Ethernet, FDDI, Serial, and Token Ring
IP packet
Where the transport layer uses segments to transfer information between machines, the Internet layer uses datagram’s.
Datagram is just another word for packet.
The IP protocol is mainly responsible for these functions:
п‚· Connectionless data delivery: best effort delivery with no data recovery capabilities
п‚· Hierarchical logical addressing to provide for highly scalable internetworks
IP addresses are broken into two components:
п‚· Network component Defines on what segment, in the network, a device is located
п‚· Host component defines the specific device on a particular network segment
Two types of packets are used at the Network layer: data and route updates.
Data packets
Used to transport user data through the internetwork. Protocols used to support data traffic are called routed protocols;
examples of routed protocols are IP and IPv6.
Route update packets
Used to update neighboring routers about the networks connected to all routers within the internetwork. Protocols that
send route update packets are called routing protocols; examples of some common ones are RIP, RIPv2, EIGRP, and
OSPF. Route update packets are used to help build and maintain routing tables on each router.
IP Classes
п‚· Class A addresses range from 1-126: 00000001-01111111.
п‚· Class B addresses range from 128-191: 10000000-10111111.
п‚· Class C addresses range from 192-223: 11000000-11011111.
п‚· Class D addresses range from 224-239: 11100000-11101111.
п‚· Class E addresses range from 240-254:
1. 0 is reserved and represents all IP addresses;
2. 127 is a reserved address and is used for testing, like a loop back on an interface:
3. 255 is a reserved address and is used for broadcasting purposes.
Public addresses are Class A, B, and C addresses that can be used to access devices in other public networks, such
as the Internet. Public IP address assign authority The Internet Assigned Numbers Authority (IANA) is ultimately
responsible for handing out and managing public addresses. Normally you get public addresses directly from your
ISP, which, in turn, requests them from one of five upstream address registries:
п‚· American Registry for Internet Numbers (ARIN)
п‚· Reseaux IP Europeans Network Coordination Center (RIPE NCC)
п‚· Asia Pacific Registry for Internet Numbers (APNIC)
п‚· Latin American and Caribbean Internet Address Registry (LACNIC)
п‚· African Network Information Centre (AfriNIC)
Private IP and ISP: Private ip address can be used to configure private network. You can use private ip to build your
network without paying a single rupee. But one biggest problem with private ip is that with private you can not access
the internet. This is the point where ISP comes from. ISP purchases a bulk of public ip address and provide them on
rent. Whatever you pay to ISP for accessing internet is actually the charge of using public ip address.
Private ip address:- Not route able in public network
п‚· Class A: 10.0.0.0-10.255.255.255 (1 Class A network)
п‚· Class B: 172.16.0.0-172.31.255.255 (16 Class B networks)
п‚· Class C: 192.168.0.0-192.168.255.255 (256 Class C networks)
Protocol
Description
IP
IP of TCP/IP, featuring routable 32-bit addressing.
IPX
The equivalent of IP in Novell Netware.
ICMP
Internet Connection Management Protocol. Incorporates Ping and Traceroute,
which are layer 3 link-testing utilities.
OSPF, IGRP,
Dynamic routing protocols that learn about remote networks and the best paths
EIGRP, RIP, ISIS to them from other routers running the same protocol.
ARP, RARP
Address Resolution Protocol (and Reverse ARP). ARP learns what MAC
address is associated with a given IP address. Reverse ARP learns an IP address
given a MAC address.
Data link layer
Main functions of data link layer is
п‚· Defining the Media Access Control (MAC) or hardware addresses
п‚· Defining the physical or hardware topology for connections
п‚· Defining how the network layer protocol is encapsulated in the data link layer frame
п‚· Providing both connectionless and connection-oriented services
п‚· Defines hardware (MAC) addresses as well as the communication process that occurs within a media.
п‚· The first six hexadecimal digits of a MAC address form the OUI.
п‚· MAC addresses only need to be unique in a broadcast domain,
п‚· You can have the same MAC address in different broadcast domains (virtual LANs).
There are two specifications of Ethernet frame Ethernet II and 802
802.2 use a SAP or SNAP field to differentiate between encapsulatedlayer-3 payloads.
With a SNAP frame, the SAP fields are set to 0xAA and the type field is used to indicate the layer-3 protocol. One of
the issues of the original SAP field in the 802.2 SAP frame is that even though it is eight bits (one byte) in length,
only the first six bits are used for identifying upper-layer protocols, which allows up to 64 protocols.
802.2 SNAP frame support of up to 65,536 protocols
Ethernet II’s Version of Ethernet
п‚· Ethernet II does not have any sub layers, while IEEE 802.2/3 has two: LLC and MAC.
п‚· Ethernet II has a type field instead of a length field (used in 802.3). IEEE 802.2 defines the type for IEEE
Ethernet
Physical Layer
The Physical layer communicates directly with the various types of actual communication media. Different kinds of
media represent these bit values in different ways. Some use audio tones, while others utilize state transitions—
changes in voltage from high to low and low to high. Specific protocols are needed for each type of media to explain
the proper bit patterns to be used, how data is encoded into media signals, and the various qualities of the physical
media’s attachment interface.
Fiber Cabling
Two types of fiber are used for connections: multimode and single-mode.
Multimode fiber
has a fiber thickness of either 850 or 1300 nanometers (nm), and the light signal is typically provided by an LED.
When transmitting a signal, the light source is bounced off of the inner cladding (shielding) surrounding the fiber.
Multimode fiber can achieve speeds in the hundreds of Mbps range, and many signals can be generated per fiber.
Single-mode fiber
has a fiber thickness of 1300 or 1550 nm and uses a laser as the light source. Because lasers provide a higher output
than LEDs, single-mode fiber can span over 10 kilometers and have speeds up to 100Gbps. With single-mode fiber,
only one signal is used per fiber.
п‚· Loss factor is used to describe any signal loss in the fiber before the light source gets to the end of the fiber.
п‚· Connector loss is a loss that occurs when a connector joins two pieces of fibers: a slight signal loss is
expected.
п‚· Attenuation describe the signal loose due to distance
п‚· Microbending is when a wrinkle in the fiber, typically where the cable is slightly bent, causes a distortion in
the light source.
п‚· Macrobending is when there is leakage of the light source from the fiber, typically from a bend in the fiber
cable. to overcome this problem over long distances, optical amplifiers can be used.
Two main standards are used to describe the transmission of signals across a fiber:
SONET is defined by the Exchange Carriers Standards Association (ECSA) and American National Standards
Institute (ANSI) and is typically used in North America.
SDH is an international standard used throughout most of the world (with the exception of North America). Both of
these standards define the physical layer framing used to transmit light sources, which also includes overhead for the
transmission.
Cisco's three-layer hierarchical model
Core Layer: The core provides a high-speed layer-2 switching infrastructure and typically does not manipulate
packet contents.
Distribution Layer: The distribution layer provides a boundary between the access and core layers. It contains
routers and switches. Routers are used to provide the logical boundary--broadcasts are contained within the access
layer and Filtering policies can be implemented to restrict traffic flows.
Access Layer: The access layer provides the user's initial access to the network, which is typically via switches or
hubs.
TCP/IP protocol
The TCP/IP protocol stack has four layers. Note that although some of the layers in the TCP/IP protocol stack have
the same names as layers in the OSI reference model, the layers have different functions in each model, as is
described in the following list:
Application layer: The application layer handles high-level protocols, including issues of representation, encoding,
and dialog control. The TCP/IP model combines all application-related issues into one layer and ensures that this data
is properly packaged for the next layer.
Transport layer: The transport layer deals with QoS issues of reliability, flow control, and error correction. One of
its protocols, TCP, provides for reliable network communications.
Internet layer: The purpose of the Internet layer is to send source datagrams from any network on the internetwork
and have them arrive at the destination, regardless of the path they took to get there.
Network access layer: The name of this layer is broad and somewhat confusing. It is also called the host-to-network
layer. It includes the LAN and WAN protocols and all the details in the OSI physical and data link layers.
sub-netting
Benefits of subnetting:
Reduced network traffic: One network will not access the data of other network without the use of router. Thus we
can reduce the amount of data remain in one network. Less data less overhead, collision, or broadcast storm.
Optimized network performance: This is a result of reduced network traffic.
Simplified management: It's easier to identify and isolate network problems in a group of Smaller connected
networks than within one gigantic network. Facilitated spanning of large geographical distances Because WAN links
are significantly slower and more expensive than LAN links, a single large network that spans long distances can
create problems in every area earlier listed. Connecting multiple smaller networks makes the system more efficient.
Powers of 2
Powers of 2 are important to understand and memorize for use with IP subnetting.
21
2
2
3
2
4
2
5
2
6
2
7
2
8
2
2
4
8
16
32
64
128
256
29
512
10
1024
11
2048
12
4096
13
8192
14
16384
15
32768
16
65536
2
2
2
2
2
2
2
Before we go further let’s get familiar with subnetting components
Subnet mask: A subnet mask is a 32-bit value that allows the receiver of IP packets to distinguish the network ID
portion of the IP address from the host ID portion of the IP address. Every IP address is composed of a network
component and a host component. The subnet mask has a single purpose: to identify which part of an IP address is the
network component and which part is the host component. Subnet mask value 0 represent host ID while subnet mask
value 1 to 255 represents Network ID in ip address.
Classless Inter-Domain Routing (CIDR): This slash notation is sometimes called CIDR (Classless Inter-Domain
Routing) notation. It’s basically the method that ISPs (Internet service providers) use to allocate a number of
Addresses to a company, a home—a customer. The slash notation is simply the number of 1s in a row in the subnet
mask. The real reason to use CIDR notation is simply that it is easier to say and especially to type.
Address Class and Default Mask: Subnetting happens when we extend the subnet mask past the default boundary
for the address we are working with. So it's obvious that we first need to be sure of what the default mask is supposed
to be for any given address. When faced with a subnetting question, the first thing to do is decide what class the
address belongs to. And later decide what the default subnet mask is. One of the rules that Cisco devices follow is that
a subnet mask must be a contiguous string of 1s followed by a contiguous string of 0s. There are no exceptions to this
rule: A valid mask is always a string of 1s, followed by 0s to fill up the rest of the 32 bits. (There is no such rule in the
real world, but we will stick to the Cisco rules here—it's a Cisco exam, after all.) Therefore, the only possible valid
values in any given octet of a subnet mask are 0, 128, 192, 224, 240, 248, 252, 254, and 255. Any other value is
invalid.
Block Size: The process of subnetting creates several smaller classless subnets out of one larger classful . The spacing
between these subnets, or how many IP addresses apart they are, is called the Block Size.
Network ID and Broadcast ID: The first address in a network number is called the network address, or wire number.
This address is used to uniquely identify one segment or broadcast domain from all the other segments in the network.
The Broadcast ID: The last address in the network number is called the directed broadcast address and is used to
represent all hosts on this network segment. it is the common address of all hosts on that Network ID. This should not
be confused with a full IP broadcast to the address of 255.255.255.255, which hits every IP host that can hear it; the
Broadcast ID hits only hosts on a common subnet. A directed broadcast is similar to a local broadcast.
The main difference is that routers will not propagate local broadcasts between segments, but they will, by default,
propagate directed broadcasts.
Host Addresses: Any address between the network address and the directed broadcast address is called a host address
for the segment. You assign these middle addresses to host devices on the segment, such as PCs, servers, routers, and
switches.
Method of Subnetting:
There is several method of subnetting. Different author different approach to calculate the subnets. You should choose
the method you can understand and perform subnetting easily. Whatever approach you choose need conversion of
decimal to binary. Cram up this chart
27
26
25
24
23
22
21
20
128
64
32
16
8
4
2
1
To convert a decimal number into binary, you must turn on the bits (make them a 1) that would add up to that number,
as follows:
187 = 10111011 = 128+32+16+8+2+1
224 = 11100000 = 128+64+32
To convert a binary number into decimal, you must add the bits that have been turned on (the 1s), as follows:
10101010 = 128+32+8+2 = 170
11110000 = 128+64+32+16 = 240
The IP address 138.101.114.250 is represented in binary as
10001010.01100101.01110010.11111010
The subnet mask of 255.255.255.224 is represented in binary as
11111111.11111111.11111111.11100000
Practical approach of subnetting
When faced with a subnetting question, the first thing to do is decide what class the address belongs to. for examples:
192.168.1.1
The first octet is between 192 and 223 so it is a Class C address
Default mask for Class C: is 255.255.255.0
In exam default subnet mask is not subnetted. Now write down the given ip address as shown here. Write down the
default side of IP as it is and reset of part where actual subnetting will perform in binary
192.168. 1 .00000001
255.255.255.00000000
(defaul maks)
Step 1:- calculate the CIDR value
CIDR are the on bit in subnet mask. As you can see in our example we have on bit only in default side.
255.255.255.00000000
So our CIDR value is 24 + 0 = 24
Step 2:- calculate the Subnet mask
To calculate the subnet mask use the binary to decimal chart given above. Add the decimal place value of on network
bit.
<==H bit
255.255.255.00000000
N bit==>
In our example we are using on default mask so our subnet mask will be 255.255.255.0
Step 3:- calculate the Total Host
To calculate the total host count the H bit and use this formula
Total host = 2H <==H bit
255.255.255.00000000
Total host = 28 = 256
Step 4:- calculate the Valid Host
Subtract 2 from Total host Every network or subnet has two reserved addresses that cannot be assigned to a host.
These addresses are called the Network ID and the Broadcast ID, respectively. They are the first and last IPs in any
network or subnet. We lose those two IP addresses from the group of values that could be assigned to hosts.
Total host : 28 - 2 = 256 -2 = 254
Step 5:- calculate the Network
To calculate the Network count the N bit and use this formula
Network = 20
255.255.255.00000000
N bit==>
Network = 20 = 1
Step 6:- Find out the block Size
Finding block size is very easy just subtract the subnet mask from 256
256 – Subnet mask (only the last octal, don’t include the default subnet mask)
256 - 0 = 256
Step 7:- Write down the subnet chart
Network 1
CIDR Value /24
Net ID
First Valid Host
Last Valid Host
Broadcast ID
IP
192.168.1.0
192.168.1.1
192.168.1.254
192.168.1.255
Sunetmask
255.255.255.0
255.255.255.0
255.255.255.0
255.255.255.0
Subnetting of CIDR /25
Now do the subnetting of CIDR /25 using same method
Step 1:- calculate the CIDR value CIDR = sum of all on bit in subnet mask
255.255.255.10000000
So our CIDR value is 24 + 1 = 25
Step 2:- calculate the Subnet mask
Add the decimal place value of on network bit.
<==H bit
255.255.255.10000000
N bit==>
In our example we have one on bit and as you can see in decimal chart the place value of 1000000 is 128 so our
subnet mask will be 255.255.255.128
Step 3:- calculate the Total Host
Total host = 2H
<==H bit
255.255.255.10000000
Total host = 27 = 128
Step 4:- calculate the Valid Host
Subtract 2 from Total host
Total host - 2
128 -2 = 126
Step 5:- calculate the Network
To calculate the Network count the N bit and use this formula
Network = 21
255.255.255.10000000
N bit==>
Network = 21 = 2
Step 6:- Find out the block Size
256 – Subnet mask (only the last octal, don’t include the default subnet mask)
256 - 128 = 128
With help of block size you can easy find out the network ID and broadcast ID of all possible networks as we have 8
bits in one octal those can give maximum of 28 = 256 decimal number
We start from 0 so it will end up on 255 (Do not get confuse because we are counting from 0 not from 1 so the last
digit will be 255 not 256. It will 256 only when you count from 1 ). All subnetting will perform between these two
numbers.
Create a table of x Columns where x is the number of your network
First ip of first network will always be 0 and last ip of last network will be 255 fill its in chart
Now you have network ID of first network and broadcast ID of last network.
Now add block size in the first ip of first network to get the network ID of second network and so on till we get the
network id of last network
First network ID 0
Second Network ID 0 +128 = 128
Fill this in Chart.
As you can see from 128 next network is started so the last IP of first network will be 127 fill it in chart. With this
method you can fill the last ip of all networks.
Now you have first ip ( network ID ) of all networks and the last ip (Broadcast ID) of all networks. At this point you
can easily fill the valid ip in each network. As valid hosts are all ip address those fall between network ip and host ip.
Step 7:- Write down the subnet chart
CIDR /25
Network 1
Network 2
Net ID
192.168.1.0
192.168.1.128
First Valid Host
192.168.1.1
192.168.1.129
Last Valid Host
192.168.1.126
192.168.1.254
Broadcast ID
192.168.1.127
192.168.1.255
Binary ANDing
Binary ANDing is the process of performing multiplication to two binary numbers. In the decimal numbering system,
ANDing is addition: 2 and 3 equals 5. In decimal, there are an countless number of answers when ANDing two
numbers together. However, in the binary numbering system, the AND function give up only two possible outcomes,
based on four different combinations. These answers, can be displayed as a truth table:
0 and 0 = 0
1 and 0 = 0
0 and 1 = 0
1 and 1 = 1
You use ANDing most often when comparing an IP address to its subnet mask. The end result of ANDing these two
numbers together is to give up the network number of that address.
Example Question
What is the network number of the IP address 192.168.100.115 if it has a subnet mask of 255.255.255.240?
Answer
Step 1 Convert both the IP address and the subnet mask to binary:
192.168.100.115 = 11000000.10101000.01100100.01110011
255.255.255.240 = 11111111.11111111.11111111.11110000
Step 2 Perform the AND operation to each pair of bits—1 bit from the address ANDed to the corresponding bit in the
subnet mask. Refer to the truth table for the possible outcomes:
192.168.100.115 = 11000000.10101000.01100100.01110011
255.255.255.240 = 11111111.11111111.11111111.11110000
ANDed result = 11000000.10101000.01100100.01110000
Step 3 Convert the answer back into decimal:
11000000.10101000.01100100.01110000 = 192.168.100.112
The IP address 192.168.100.115 belongs to the 192.168.100.112 network when a mask of 255.255.255.240 is used.
My easy method
Conversion of decimal to binary and vice versa to get network ID is too time consuming process in exam. So I found
this easy method.
Step 1:- Decide from which class this IP belongs and what's its default subnet mask
As given IP have 192 in its first octal so it’s a class C IP. And default subnet mask of class C is 255.255.255.0
Step2:- Find out the block size. ( As we describe above)
256 -240 = 16
Step3:- Write down all possible network using block size till we do not get our host partition in middle of two
network
0,16,32,48,64,80,96,112,128,
As our host number is 115 which fall in the network of 112 so our network ID is
192.168.1.112,
And our host's broad cast ID is 192.168.1.127 as from 128 onward next network will start.
Variable length subnet mask
VLSM enables you to have more than one mask for a given class of address, albeit a class A, B, or C network
number.
VLSM, originally defined in RFC 1812, allows you to apply different subnet masks to the same class address space
Classful protocols, such as RIPv1 and IGRP, do not support VLSM. To deploy VLSM requires a routing protocol that
is classless—BGP, EIGRP, IS-IS, OSPF, or RIPv2, for instance.
VLSM provides Two major advantages:
п‚· more efficient use of addressing
п‚· Ability to perform route summarization
when you perform classful subnetting, all subnets have the same number of hosts because they all use the same
subnet mask. This leads to inefficiencies. For example, if you borrow 4 bits on a Class C network, you end up with 14
valid subnets of 14 valid hosts. A serial link to another router only need 2 hosts, but with classical subnetting, you end
up wasting 12 of those hosts. Even with the ability to use NAT and private addresses, where you should never run out
of addresses in a network design, you still want to ensure that the IP plan that you create is as efficient as possible.
An efficient addressing scheme using VLSM.
1. Find the largest segment in the area—the segment with the largest number of devices connected to it.
2. Find the appropriate subnet mask for the largest network segment.
3. Write down your subnet numbers to fit your subnet mask.
4. For your smaller segments, take one of these newly created subnets and apply a different, more
appropriate, subnet mask to it.
5. Write down your newly subnetted subnets.
6. For even smaller segments, go back to step 4.
Route Summarization
Route summarization is the ability to take a bunch of contiguous network numbers in your routing table and
advertise these contiguous routes as a single summarized route.
Route summarization, or supernetting, is needed to reduce the number of routes that a router advertises to its
neighbor. Remember that for every route you advertise, the size of your update grows. It has been said that if there
were no route summarization, the Internet backbone would have warped from the total size of its own routing tables
back in 1997.
Routing updates, whether done with a distance vector or link-state protocol, grow with the number of routes you need
to advertise. In simple terms, a router that needs to advertise ten routes needs ten specific lines in its update packet.
The more routes you have to advertise, the bigger the packet. The bigger the packet, the more bandwidth the update
takes, reducing the bandwidth available to transfer data. But with route summarization, you can advertise many routes
with only one line in an update packet. This reduces the size of the update, allowing you more bandwidth for data
transfer.
Summarization allows you to create a more efficient routing environment by providing the following advantages:
п‚· It reduces the size of routing tables, requiring less memory and processing.
п‚· It reduces the size of updates, requiring less bandwidth.
п‚· It contains network problems
Example of VLSM
Above image shows several branch offices using subnetted Class C (/26) addresses that provide each branch with 62
possible host IPs. The branches are connected to the central office via point-to-point WAN links. The ideal mask to
use for such a link is /30 because it provides only 2 hosts, one for each end of the link. The problem arises when the
routing protocols are configured: Prior to VLSM, the /30 networks could not be used because the /26 networks existed
in the same system and the classful routing protocols could only advertise one mask per class of address. All
networks, including the little /30 links, had to use the same mask of /26. This wastes 60 IP addresses on each WAN
link.
With the implementation of VLSM-capable routing protocols, we can deploy a /30 mask on the point-to-point links,
and the routing protocols can advertise them as /30s along with the /26s in the branches because the subnet mask for
each network is included in the routing updates.
VLSM has allowed us to make the point-to-point link networks the ideal size (two hosts on each) using /30 masks.
This has allowed us to use a single subnetted Class C network for all the addressing requirements in this scenario—
and as you'll see, it makes a perfect opportunity to summarize these routes. This is what is meant by "more efficient
addressing"— in other words, making networks the right size without depleting the limited address space or limiting
future growth.
Classless Interdomain Routing (CIDR)
Classless Interdomain Routing, specified in RFC 2050, is an extension to VLSM and route summarization.
With VLSM, you can summarize subnets back to the Class A, B, or C network boundary. For example, if you have a
Class C network 192.168.1.0/24 and subnet it with a 26-bit mask, you have created four subnets. Using VLSM and
summarization, you can summarize these four subnets back to 192.168.1.0/24.
CIDR takes this one step further and allows you to summarize a block of contiguous class A, B, and C network
numbers. This practice is commonly referred to as supernetting. Today’s classless protocols support supernetting.
However, it is most commonly configured by ISPs on the Internet using BGP.
Discontiguous subnets are not supported by classful protocols but are supported by classless protocols. Classful
protocols do not include the subnet mask when advertising network and subnet numbers. When implementing route
summarization, another thing you’ll need to consider is that routing decisions, by a router, must be made on the entire
destination IP address in the IP packet header. The router always uses the longest matching prefix in the routing table.
CIDR allows you to summarize class networks together; VLSM allows you to summarize subnets only back to the
class network boundaryEach segment has a single network number and mask. VLSM allows a class address, not a
network segment, to have more than one subnet mask.
How to connect with Cisco devices in windows
In this lab scenario I will demonstrate that how can you connect with a Cisco router. To connect physical Cisco device
you need a console cable. Attach cable to com port on computer and other end to console port of Cisco devices.
Console Port
When you first obtain a new Cisco device, it won't be configured. That is to say, it will not do any of the customized
functions you might need; it does not have any IP addresses, and it is generally not going to do what you paid for.
Routers need basic configuration to function on a network. The console port is used for local management
connections. This means that you must be able to physically reach the console port with a cable that is typically about
six feet long. The console port looks exactly like an Ethernet port.
Once you have proper console cable follow this path
Now on computer click on stat button ==> program = = > accessories == > communications == > hyper terminal
== > location information == > cancel == > Confirm cancel == > yes == > hyper terminal == > OK Connection
Descriptions == > Vinita == > OK == > location information == > confirm cancel == > yes == > hyper terminal ==
> connect to == > OK == > Port Settings == > Do setting as Given Below and press OK.
If you still have problem in configuring hyper terminal or you do not have hyper terminal options in
accessories you can use this tiny software. With this software you connect with any devices that support Telnet, SSH,
Rlogin, console connections. This is ready to use software. Download it and execute it. Select Serial sub key from
Session main key and rest it will do automatically.
Download Putty
How to connect with router in Boson Simulator.
If you use Boson simulator for CCNA practical then select erouter from tools menu and select router from available
list. ( Device only be available when any topology will be loaded in simulator. Use Boson Network designer to create
topology.)
How to connect with router in packet tracer.
First create a desire topology by dragging devices to workspace. Once you have created topology configurations in
packet tracer is straight forward. To Configure any device double click on it and select CLI.
Device A
Router's serial port
Router's Ethernet port
Router's Ethernet port
Router's Ethernet port
Console of router/switch
Switch port
Computer NIC
Computer NIC
Cable
Cisco serial DCE/DTE cables
Crossover
Straight-through
Crossover
Rollover
Crossover
Crossover
Straight-through
Device B
Router's serial port
Router's Ethernet port
Switch port
Computer NIC
Computer COM port
Switch port
Computer NIC
Switch port
Advantages of the IOS:-Internetwork operating system include:
п‚·
п‚·
п‚·
п‚·
Connectivity: The IOS supports a variety of data link layer technologies for the LAN and WAN
environments, including copper and fiber wiring as well as wireless.
Scalability : The IOS supports both fixed and modular chassis platforms, enabling you to purchase the
appropriate hardware for your needs, yet still allowing you to leverage the same IOS CLI to reduce your
management costs.
Reliability : To ensure that your critical resources are always reachable, Cisco has developed many products
and IOS features to provide network redundancy.
Security: With the IOS, you can strictly control access to your network and networking devices in accordance
with your internal security policies.
Naming Conventions for IOS Images
c1841-advipservicesk9-mz.124-6.T7.bin ( this name is used to expalation)
п‚· c1841 : The c1841 refers to the name of the platform on which the image will run. This is important because
different router models have different processors, and an image compiled for one processor or router model
will typically not run on a different model.
п‚· advipservicesk9 : The advipservicesk9 refers to the features included in this IOS version, commonly referred
to as the feature set. In this example, the IOS is the advanced IP services and the k9 refers to the inclusion of
encryption support.
п‚· mz or z: The mz or z means that the image is compressed and must be uncompressed before loading/running.
If you see l (the letter l, not the number 1) here, this indicates where the IOS image is run from. The l
indicates a relocatable image and that the image can be run from RAM. Remember that some images can run
directly from flash, depending on the router model.
п‚· 124-6.T7 : The 124-6.T7 indicates the software version number of the IOS. In this instance, the version is
12.4(6)T7. Images names with T indicate new features, and without the T the mainline (only bug fixes are
made to it).
п‚· .bin : The .bin at the end indicates that this is a binary image.
Connections
Cisco's networking products support two types of external connections:
ports (referred to as lines) and interfaces. Out-of-band management (which you do by console ports) does not affect
the bandwidth flowing through your network, while in-band management(which is doen by interface) does.
Console Port: Almost every Cisco product has a console port. This port is used to establish an out of- band
connection in order to access the CLI to manage your Cisco device. Most console connections to Cisco devices
require an RJ-45 rollover cable and an RJ-45-to-DB9 terminal adapter.
The rollover cable pins are reversed on the two sides.
Com port setting
Speed
9600 bps
Data bits
8
Stop bits
1
Parity & Flow Control
None
Cabling Devices
A straight-through cable is used for DTE-to-DCE connections.
п‚· A hub to a router, PC, or file server
п‚· A switch to a router, PC, or file server
Crossover cables should by used when you connect a DTE to another DTE or a DCE to another DCE.
п‚· A hub to another hub
п‚· A switch to another switch
п‚· A hub to a switch
п‚· A PC, router, or file server to another PC, router, or file server
Interface of Router
Console: The console port is used for local management connections. This means that you must be able to physically
reach the console port with a cable. The console port looks exactly like an Ethernet port. It uses the same connector,
but it has different wiring and is often identified with a light blue label "CONSOLE."
Aux Port: The AUX port is really just another console port that is intended for use with a modem, so you can
remotely connect and administer the device by phoning it. However using aux port for configuration create some
security issues, so make sure that you get advice on addressing those before setting this up.
Ethernet Port:An Ethernet port (which might be a FastEthernet or even a GigabitEthernet port, depending on your
router model) is intended to connect to the LAN. Some routers have more than one Ethernet or FastEthernet port; it
really depends on what you need and of course what you purchase. The Ethernet port usually connects to the LAN
switch with a straight-through cable.
Serial Port: A Cisco serial port is a proprietary design, a 60-pin D-sub. This connector can be configured for almost
any kind of serial communication. You need a cable that has the Cisco connector on one end and the appropriate type
of connector for the service you want to connect to on the other.
Other Connections: Your router may have some other port like T1 controller for wan services. Or you could have bri
and pri port. But none of these ports are tested in CCNA exam so you need to concern about these ports.
Switch Interface Nomenclature
The Catalyst 2950 and 2960 switches support only fixed interfaces, while some of Cisco’s higher end switches, such
as the 6500s, support modular slots with interface cards.
The nomenclature of an interface is type slot_#/port_#.
The type of interface is the media type, such as ethernet, fastethernet, or gigabit.
Following this is the slot number. For all fixed interfaces on a Cisco switch, the slot number is always 0.
The port number is the number of the port in the specified slot.
Unlike Cisco router ports, switch port numbers start at 1 and work their way up. For instance, on a 2960, the very first
port is fastethernet 0/1, the second port is fastethernet 0/2, and so on. Some 2960 switches support Gigabit Ethernet
interfaces, so the nomenclature for the interface would look like this:
gigabitethernet 0/1.
Router Interface Nomenclature
When referring to fixed interfaces, the interface numbers always begin with 0 (not 1, like the switches) and work their
way up within a particular interface type.
For routers that have only fixed interfaces, the interface nomenclature is type port_#.
For example, if a router has two fixed Ethernet interfaces and two fixed serial interfaces, they would be called
ethernet 0 and ethernet 1 and serial 0 and serial 1. The port numbers begin at 0 within each interface type. Through
use of an interface type and a number, each of the interfaces can be uniquely identified.
However, if a router has modular slots, where you can insert interface cards into these slots, the interface
nomenclature is like the Catalyst switches:
type slot_#/ port_#. Each slot has a unique slot number beginning with 0, and within each slot, the ports begin at 0
and work their way up.
For example, if you had a modular router with two slots, the first slot would be 0 and the second 1. If the first slot had
four Ethernet interfaces, the interface numbers would be 0– 3 and if the second slot had two Ethernet interfaces, the
interface numbers would be 0 and 1.
Here’s an example of a four-port serial module in the third slot of a 3640 router: serial 2/0, serial 2/1, serial 2/2, and
serial 2/3. Here are some examples of routers with modular interfaces: 2600, 3600, 3700, 7000, 7200, and 7500.
The exception to this is the 1600 and 1700 routers; even though they are modular, you don’t configure any slot
number when specifying a particular interface.
Cisco devices hardware component booting process
ROM: ROM contains the necessary firmware to boot up your router and typically has the following four components:
п‚· POST (power-on self-test) Performs tests on the router's hardware components.
п‚· Bootstrap program Brings the router up and determines how the IOS image and configuration files will be
found and loaded.
 ROM Monitor (ROMMON mode) A mini–operating system that allows you to perform low-level testing
and troubleshooting, the password recovery procedure,
п‚· Mini-IOS A stripped-down version of the IOS that contains only IP code. This should be used in emergency
situations where the IOS image in flash can't be found and you want to boot up your router and load in
another IOS image. This stripped-down IOS is referred to as RXBOOT mode.
RAM: RAM is like the memory in your PC. On a router, it (in most cases) contains the running IOS image; the active
configuration file; any tables (including routing, ARP, CDP neighbor, and other tables); and internal buffers for
temporarily storing information, such as interface input and output buffers. The IOS is responsible for managing
memory. When you turn off your router, everything in RAM is erased.
Flash: Flash is a form of nonvolatile memory in that when you turn the router off, the information stored in flash is
not lost. Routers store their IOS image in flash, but other information can also be stored here. Note that some lowerend Cisco routers actually run the IOS directly from flash (not RAM). Flash is slower than RAM, a fact that can
create performance issues.
NVRAM: NVRAM is like flash in that its contents are not erased when you turn off your router. It is slightly
different, though, in that it uses a battery to maintain the information when the Cisco device is turned off. Routers use
NVRAM to store their configuration files. In newer versions of the IOS, you can store more than one configuration
file here.
Router Boot up Process: A router typically goes through five steps when booting up:
п‚· The router loads and runs POST (located in ROM), testing its hardware components, including memory
and interfaces.
п‚· The bootstrap program is loaded and executed.
п‚· The bootstrap program finds and loads an IOS image: Possible locations: - flash, a TFTP server, or the
Mini-IOS in ROM.
п‚· Once the IOS is loaded, the IOS attempts to find and load a configuration file, stored in NVRAM
п‚· After the configuration is loaded, you are presented with the CLI interface. you are placed into is User
EXEC mode.
Setup Mode: Cisco devices include a feature called Setup mode to help you make a basic initial configuration. Setup
mode will run only if there is no configuration file in NVRAM—either because the router is brand-new, or because it
has been erased. Setup mode will ask you a series of questions and apply the configuration to the device based on
your answers. You can abort Setup mode by typing CTRL+C or by saying "no" either when asked if you want to enter
the initial configuration dialog or when asked if you want to save the configuration at the end of the question.
Configuration register: The configuration register is a special register in the router that determines many of its boot
up and running options, including how the router finds the IOS image and its configuration file. The configuration
register is a four-character hexadecimal value that can be changed to manipulate how the router behaves at bootup.
The default value is 0x2102.
The characters "0x" indicate that the characters that follow are in hexadecimal. This makes it clear whether the value
is "two thousand one hundred and two" or, as in this case, "two one zero two hexadecimal".
The fourth character in the configuration register is known as the boot field. Changing the value for this character will
have the following effects:
п‚· 0x2100 = Always boot to ROMMON.
п‚· 0x2101 = Always boot to RXBOOT.
п‚· 0x2102 through 0x210F = Load the first valid IOS in flash; values of 2 through F for the fourth character
specify other IOS image files in flash.
The third character in the configuration register can modify how the router loads the configuration file. The setting of
0x2142 causes the router to ignore the startup-config file in NVRAM (which is where the password is stored) and
proceed without a configuration—as if the router were brand new or had its configuration erased.
How to reset Router password
The Password Recovery process is simple and takes less than five minutes depending on how fast your router boots
1. Connect to the console port, start your terminal application, and power cycle the router. When you see
the boot process beginning, hit the Break sequence. (This is usually Ctrl+Page Break, but it might
differ for different terminal applications.) Doing this interrupts the boot process and drops the router
into ROMMON.
2. At the ROMMON prompt, enter the command confreg 0x2142 to set the configuration register to
0x2142.
3. Restart the router by power cycling it or by issuing the command reset.
4. When the router reloads, the configuration register setting of 0x2142 instructs the router to ignore the
startup-config file in NVRAM. You will be asked if you want to go through Setup mode because the
router thinks it has no startup-configuration file. Exit from Setup mode.
5. Press Return and enable command enable to go into privileged EXEC command mode. No password is
required because the startup config file was not loaded.
6. Load the configuration manually by entering copy startup-config running-config.
7. Go into the Global Configuration mode using the command configure terminal and change the
password with the command enable password password or enable secret password.
8. Save the new password by entering copy running-config startup-config.
9. Go to the global config prompt, and change the configuration register back to the default setting with
the command config-register 0x2102. Exit back to the privileged exec prompt.
10. Reboot the router using the reload command. You will be asked to save your changes; you can do so if
you have made additional configuration changes.
Reset password on 1841
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
################
monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 0x2142
rommon 2 > reset
System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Self decompressing the image :
############################################################### [OK]
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M),
Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
Image text-base: 0x60080608, data-base: 0x6270CD50
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M),
Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
--- System Configuration Dialog --Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#copy startup-config running-config
Destination filename [running-config]?
428 bytes copied in 0.416 secs (1028 bytes/sec)
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password vinita
Router(config)#enable secret vinita
Router(config)#config-register 0x2102
Router(config)#exit
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#reload
Proceed with reload? [confirm]
Cisco IOS Mode User Privilege Configurations
CLI Access Modes: Each Cisco device on CLI interface supports three access modes
п‚· User EXEC: Provides basic access to the IOS with limited command availability (basically simple
monitoring and troubleshooting commands)
п‚· Privilege EXEC: Provides high-level management access to the IOS, including all commands available at
User EXEC mode
п‚· Configuration:Allows configuration changes to be made to the device
User EXEC Mode
Your initial access to the CLI is via the User EXEC mode, which has only a limited number of IOS commands you
can execute. Depending on the Cisco device’s configuration, you might be prompted for a password to access this
mode.
This mode is typically used for basic troubleshooting of networking problems. You can tell that you are in User
EXEC mode by examining the prompt on the left side of the screen:
Router>
If you see a > character at the end of the information, you know that you are in User EXEC mode. The information
preceding the > is the name of the Cisco device.
For instance, the default name of all Cisco routers is Router, whereas the 2960 switch’s User EXEC prompt looks like
this: Switch>. These device names can be changed with the hostname command.
Privilege EXEC Mode
Once you have gained access to User EXEC mode, you can use the enable command to access Privilege EXEC mode:
Router> enable
Router#
Once you enter the enable command, if a Privilege EXEC password has been configured on the Cisco device, you
will be prompted for it. Upon successfully authenticating, you will be in Privilege EXEC mode. You can tell that you
are in this mode by examining the CLI prompt. In the preceding code example, notice that the > changed to a #.
When you are in Privilege EXEC mode, you have access to all of the User EXEC commands as well as many more
advanced management and troubleshooting commands. These commands include extended ping and trace abilities,
managing configuration files and IOS images, and detailed troubleshooting using debug commands. About the only
thing that you can’t do from this mode is change the configuration of the Cisco device—this can be done only from
Configuration mode. If you wish to return to User EXEC mode from Privilege EXEC mode, use the exit command:
Router# exit
Router>
Again, by examining the prompt, you can tell that you are now in User EXEC mode.
Configuration Modes of Cisco IOS Software
From privileged EXEC mode, you can enter global configuration mode using the configure terminal command.
From global configuration mode, you can access specific configuration modes, which include, but are not limited to,
the following:
п‚· Interface: Supports commands that configure operations on a per-interface basis
п‚· Subinterface: Supports commands that configure multiple virtual interfaces on a single physical interface
п‚· Controller: Supports commands that configure controllers (for example, E1 and T1 controllers)
п‚· Line: Supports commands that configure the operation of a terminal line (Example: the console or the vty ports)
п‚· Router: Supports commands that configure an IP routing protocol
If you enter the exit command, the router backs out one level, eventually logging out. In general, you enter the
exit command from one of the specific configuration modes to return to global configuration mode. Press Ctrl+Z or
enter end to leave configuration mode completely and return to the privileged EXEC mode.
Commands that affect the entire device are called global commands.
The hostname and enable password commands are examples of global commands.
Commands that point to or indicate a process or interface that will be configured are called major commands. When
entered, major commands cause the CLI to enter a specific configuration mode.
Major commands have no effect unless you immediately enter a subcommand that supplies the configuration entry.
For example, the major command interface serial 0 has no effect unless you follow it with a subcommand that tells
what is to be done to that interface.
Router Modes
Router>
User mode
Router#
Privileged mode (also known as EXEC-level mode)
Router(config)#
Global configuration mode
Router(config-if)#
Interface mode
Router(config-subif)#
Subinterface mode
Router(config-line)#
Line mode
Router(config-router)#
Router configuration mode
Help Facilities of the Cisco IOS
Cisco IOS Software uses several command-line input help facilities, among these context-sensitive help is the most
powerful feature of cisco ios.
Context-Sensitive Help
One of the more powerful features of the IOS is context-sensitive help. Context sensitive help is supported at all
modes within the IOS, including User EXEC, Privilege EXEC, and Configuration modes. You can use this feature in
a variety of ways. If you are not sure what command you need to execute, at the prompt, type either help or ?. The
Cisco device then displays a list of commands that can be executed at the level in which you are currently located,
along with a brief description of each command.
Here is an example from a router’s CLI at User EXEC mode:
Router>?
Exec commands:
<1-99> Session number to resume
connect Open a terminal connection
disconnect Disconnect an existing network connection
enable
Turn on privileged commands
exit
Exit from the EXEC
ipv6
ipv6
logout
Exit from the EXEC
ping
Send echo messages
resume Resume an active network connection
show
Show running system information
ssh
Open a secure shell client connection
telnet Open a telnet connection
terminal Set terminal line parameters
traceroute Trace route to destination
Router>
If you see -- More -- at the bottom of the screen, this indicates that more help information is available than can fit on
the current screen. On a Cisco device,
if you press the SPACEBAR, the IOS pages down to the next screen of help information;
if you press the ENTER key, help scrolls down one line at a time Any other keystroke breaks out of the help text.
For more detailed help, you can follow a command or parameter with a space and a ?. This causes the CLI to list the
available options or parameters that are included for the command. For instance, you could type copy followed by a
space and a ? to see all of the parameters available for the copy command:
Router#copy ?
running-config Copy from current system configuration
startup-config Copy from startup configuration
tftp:
Copy from tftp: file system
Router#copy
In this example, you can see at least the first parameter necessary after the copy command. Please note that additional
parameters may appear after the first one, depending on the next parameter that you enter.
If you’re not sure how to spell a command, you can enter the first few characters and immediately follow these
characters with a ?. Typing e?, for instance, lists all the commands that begin with e at the current mode:
Router# e?
enable erase exit
Router# e
This example shows that three commands begin with the letter e in Privilege EXEC mode.
Console Error Messages
error messages: Identifies problems with any Cisco IOS commands that are incorrectly entered so that you can alter or
correct them.
Error:-% Invalid input detected at '^' marker.
Errors certainly creep up when you enter commands. Whenever you mistype a command, the IOS tells you that it has
encountered a problem with the previously executed command. For instance, this message indicates a CLI input error:
Router#copy running-config stertup-config
^
% Invalid input detected at '^' marker.
Router#
As you can see in this example that we have typed stert on the place of startup.
You should examine the line between the command that you typed in and the error message. Somewhere in this line,
you’ll see a ^ character. This is used by the IOS to indicate that an error exists in the command line at that spot.
Error:-% Incomplete command.
This error indicates that you have not entered all the necessary parameters for the command. The syntax of the
command is correct, but more parameters are necessary.
Router#copy running-config
% Incomplete command.
Router#copy running-config ?
startup-config Copy to startup configuration
tftp:
Copy to current system configuration
Router#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
In this case, you can use the context-sensitive help feature to help you figure out what parameter or parameters you
forgot.
Error:-% Ambiguous command: "show i"
You will see this error message if you do not type in enough characters to make a command or parameter unique.
Router#show i
% Ambiguous command: "show i"
Router#show i?
interfaces ip ipv6
Router#show i
In this example, apparently, more than one parameter for the show command begins with the letter i. As shown above
you can use context-sensitive help to figure out what parameter to use.
% Unknown command or computer name, or unable to find computer address
If you enter a command that the IOS does not understand, you’ll see this error message. If you see this, use the
context-sensitive help to figure out the correct command to enter.
2960 switch overview functionality
New CCNA exam cover 2960 Switch. In this article I will give a you a overview of 2960 switch functionality.
2960 Overview
The 2960 series of switches comes with the LAN-based software image, which provides advanced quality of service,
rate limiting, access control list (ACL), and many other features.
Depending on the series of 2960 Switch could have fast Ethernet port or dual purpose gigabit Ethernet port.
The dual-purpose Gigabit Ethernet (GE) port supports a 10/100/1000 port and an SFP (fiber) port, where one of the
two ports (not both) can be used. The 2960 series supports an optional external redundant power supply (RPS) that
can be attached to the rear of the chassis.
2960 LEDs and MODE Button
The front of the 2960 chassis has many LEDs that you can use to monitor the switch's activity and performance. At
the top-left of the 2960's front chassis are the SYSTEM and RPS LEDs. The colors of these LEDs and their meanings
are shown in Table
LED
SYSTEM
RPS
Color
Green
Amber
Off
Green
Description
The system is up and operational.
The system experienced a malfunction.
The system is powered down.
The RPS is attached and operational.
The RPS is installed but is not operational. Check the RPS to ensure that it hasn't
Amber
failed.
Both the internal power supply and the external RPS are installed, but the RPS is
Flashing amber
providing power.
Off
The RPS is not installed.
MODE Button
The meaning of the LED above each port on the front of the 2960's chassis depends on the LED's mode setting. You
can change the mode by pressing the MODE button on the bottom-left side of the chassis front, below the SYSTEM
and RPS LEDs. Just above the MODE button are three port-mode LEDs: STAT, DUPLX, and SPEED. By default,
the STAT LED is lit, indicating that the LEDs above the Ethernet ports refer to the status of the port.
Table shows the LED colors and descriptions for the various port statuses.
LED Color
Green
Flashing green
Flashing green and
amber
Amber
Off
LED Meaning
A powered-up physical layer connection to the device is attached to the port.
Traffic is entering and/or leaving the port.
An operational problem is occurring with the port—perhaps excessive errors or a connection
problem.
The port has been disabled manually (shut down), disabled because it is in a blocking STP
state, or disabled because of a security issue.
No powered-up physical layer connection exists on the port.
If you push the MODE button once, the MODE LED will change from STAT to DUPLX. The LEDs above each of
the ports will reflect the duplex setting of the associated port. If the LED above the port is off, the port is set to halfduplex; if the LED is green, the port is set to full-duplex.
By pressing the MODE button again, the MODE LED will change from DUPLX to SPEED. The 2960 supports
10/100 and 10/100/1000 ports. When the mode LED is set to SPEED, the LEDs above the port refer to the speed at
which the port is operating. If the LED is off, the port is operating at 10 Mbps; if solid green, 100 Mbps; and if
blinking green, 1 Gbps.
Switch Bootup Process
For your initial access to the switch, make sure you plug the rollover cable into the switch’s console port and the other
end into the COM port of your computer. Start up a terminal emulation program such as HyperTerminal.
Switch have same hardware component that router have. And follow the same booting process. To know more about
Cisco Devices booting process read our pervious article
System Configuration Dialog
If no configuration is found, the IOS will run the setup script, commonly called the System Configuration Dialog.
This script asks you questions to help it create a basic configuration on the switch. When posing questions, the setup
script uses brackets ([ and ]) to indicate default values. Leaving these answers blank (that is, not supplying an answer)
results in the script accepting the value indicated in brackets for the configuration component. In the script, you can
configure the switch’s hostname, set up a Privilege EXEC password, assign a password for the virtual type terminals
(VTYs), and set up an IP address for a VLAN interface to manage the switch remotely.
Here’s an example of this script:
Would you like to enter the initial configuration dialog? [yes/no]: yes
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Basic of switching
Bridges and switches are layer 2 devices that segment (break up) collision domains. A collision domain basically
includes all the devices that share a media type at layer 1.
Difference between bridge and switch
Functions
Bridges
Switches
Form of switching
Software
Hardware
Method of switching
Store and forward
Store and forward, cut-through, Fragment-free
port
2-20
100 plus
Duplex
Half
Half and full
Collision domains
1 per port
1 per port
Broadcast domains
1
per vlan
STP instances
1
1
Methods of Switching
Store and Forward: Store and Forward is the basic mode that bridges and switches use. It is the only mode that
bridges can use, but many switches can use one or more of the other modes as well, depending on the model. In Storeand-Forward switching, the entire frame is buffered (copied into memory) and the Cyclic Redundancy Check (CRC),
also known as the FCS or Frame Check Sequence is run to ensure that the frame is valid and not corrupted.
Cut Through: Cut Through is the fastest switching mode. The switch analyzes the first six bytes after the preamble
of the frame to make its forwarding decision. Those six bytes are the destination MAC address, which, if you think
about it, is the minimum amount of information a switch has to look at to switch efficiently. After the forwarding
decision has been made, the switch can begin to send the frame out the appropriate port(s), even if the rest of the
frame is still arriving at the inbound port. The chief advantage of Cut-Through switching is speed; no time is spent
running the CRC, and the frame is forwarded as fast as possible
Fragment-free: Switching will switch a frame after the switch sees at least 64 bytes, which prevents the switching of
runt frames. This is the default switching method for the 1900 series. 2950 doesn’t support cut-through Fragment-Free
switching is sometimes called "runtless" switching for this reason. Because the switch only ever buffers 64 bytes of
each frame, Fragment Free is a faster mode than Store and Forward, but there still exists a risk of forwarding bad
frames, so the previously described mechanisms to change to Store and Forward if excessive bad CRCs are received
are often implemented as well.
Functions of Bridging and Switching
Learning: Address learning refers to the intelligent capability of switches to dynamically learn the source MAC
addresses of devices that are connected to its various ports. These addresses are stored in RAM in a table that lists the
address and the port on which a frame was last received from that address. This enables a switch to selectively
forward the frame out the appropriate port(s), based on the destination MAC address of the frame. Anytime a device
that is connected to a switch sends a frame through the switch, the switch records the source MAC address of the
frame in a table and associates that address with the port the frame arrived on.
Bridges place learned source MAC addresses and their corresponding ports in a CAM (content addressable memory
Forwarding: Address learning refers to the intelligent capability of switches to dynamically learn the source MAC
addresses of devices that are connected to its various ports. These addresses are stored in RAM in a table that lists the
address and the port on which a frame was last received from that address. This enables a switch to selectively
forward the frame out the appropriate port(s), based on the destination MAC address of the frame. Anytime a device
that is connected to a switch sends a frame through the switch, the switch records the source MAC address of the
frame in a table and associates that address with the port the frame arrived on.
There are some situations in which a switch cannot make its forwarding decision and flood the frame.
Three frame types that are always flooded:
п‚· Broadcast address Destination MAC address of FFFF.FFFF.FFFFF
п‚· Multicast address Destination MAC addresses between 0100.5E00.0000 and 0100.5E7F.FFFF
п‚· Unknown unicast destination MAC addresses The MAC address is not found in the CAM table
Removing layer-2 loops
Spanning Tree Protocol (STP - 802.1d) The main function of the Spanning Tree Protocol (STP) is to remove layer-2
loops from your topology
We will discuss more about removing loop function in our next article
Static MAC Addresses
In addition to having the switches learn MAC addresses dynamically, you can manually create static entries. You
might want to do this for security reasons. Statically configuring MAC addresses on the switch is not very common
today. If configured, static entries are typically used for network devices, such as servers and routers.
Port Security Feature: Port security is a switch feature that allows you to lock down switch ports based on the MAC
address or addresses associated with the interface, preventing unauthorized access to a LAN. Three options are
possible if a security violation occurs—the MAC address is seen connected to a different port.
п‚· Protect: When the number of secure addresses reaches the maximum number allowed, any additionally
learned addresses will be dropped.
п‚· restrict : Causes the switch to generate a security violation alert.
п‚· Shutdown: Causes the switch to generate an alert and to disable the interface. The only way to re-enable the
interface is to use the no shutdown command. This is the default violation mode if you don’t specify the
mode.
EtherChannels: An EtherChannel is a layer 2 solution that allows you to aggregate multiple layer 2 Ethernet-based
connections between directly connected devices. Basically, an EtherChannel bundles together multiple Ethernet ports
between devices, providing what appears to be single logical interface.
EtherChannels provide these advantages:
п‚· Redundancy If one connection in the channel fails, you can use other connections in the channel.
п‚· More bandwidth each connection can be used simultaneously to send frames.
п‚· Simplified management Configuration is done on the logical interface, not on each individual connection in
the channel.
EtherChannel Restrictions
Interfaces in an EtherChannel must be configured identically: speed, duplexing, and VLAN settings (in the same
VLAN if they are access ports or the same trunk properties) must be the same.
When setting up EtherChannels, you can use up to eight interfaces bundled together:
п‚· Up to eight Fast Ethernet connections, providing up to 800 Mbps
п‚· Up to eight Gigabit Ethernet connections, providing up to 8 Gbps
п‚· Up to eight 10-Gigabit Ethernet connections, providing up to 80 Gbps
You can have a total of six EtherChannels on a switch.
EtherChannel Operations: Channels can be formed dynamically between devices by using one of two protocols:
Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP). Remember that ports participating
in a channel must be configured identically. Once a channel is formed, load balancing can be used by the connected
devices to utilize all the ports in the channel. Load balancing is performed by reducing part of the binary addressing in
the frame or packet to a numeric value and then associating the numeric value to one of the ports in the channel.
Load balancing can use MAC or IP addresses, source or destination addresses, or both source and destination address
pairs. With this fashion, you are guaranteed that all links in the channel will be utilized; however, you are not
guaranteed that all the ports will be utilized the same. For example, if you are load balancing based on source
addresses; you are guaranteed that different source MAC addresses will use different ports in the channel. All traffic
from a single-source MAC address, however, will always use the same port in the channel. Given this situation, if you
have one device generating a lot of traffic, that link will possibly be utilized more than other links in the channel. In
this situation, you might want to load balance based on destination or both source and destination addresses.
Spanning Tree Protocols
In our last article we learn about basic functions of switching. We mentioned that one of the functions of a switch was
Layer 2 Loop removal. The Spanning Tree Protocol (STP) carries out this function. STP is a critical feature; without it
many switched networks would completely stop to function. Either accidentally or intentionally in the process of
creating a redundant network, the problem arises when we create a looped switched path. A loop can be defined as
two or more switches that are interconnected by two or more physical links. Switching loops create three major
problems:
 Broadcast storms—Switches must flood broadcasts, so a looped topology will create multiple copies of a
single broadcast and perpetually cycle them through the loop.
 MAC table instability—Loops make it appear that a single MAC address is reachable on multiple ports of a
switch, and the switch is constantly updating the MAC table.
 Duplicate frames— Because there are multiple paths to a single MAC, it is possible that a frame could be
duplicated in order to be flooded out all paths to a single destination MAC.
All these problems are serious and will bring a network to an effective standstill unless prevented
Removing layer-2 loops
Spanning Tree Protocol (STP - 802.1d) The main function of the Spanning Tree Protocol (STP) is to remove layer-2
loops from your topology. For STP to function, the switches need to share information. What they share are bridge
protocol data units
Root Port: After the root switch is elected, every other switch in the network needs to choose a single port on itself
that it will use to reach the root. This port is called the root port.
The root port is always the link directly connected to the root bridge, or the shortest path to the root bridge. If more
than one link connects to the root bridge, then a port cost is determined by checking the bandwidth of each link. The
lowest-cost port becomes the root port. If multiple links have the same cost, the bridge with the lower advertising
bridge ID is used. Since multiple links can be from the same device, the lowest port number will be used.
Root Bridge: Switch with the lowest switch ID is chosen as root. The switch ID is made up of two components:
п‚· The switch's priority, which defaults to 32,768 on Cisco switches (two bytes in length)
п‚· The switch's MAC address (six bytes in length)
All other decisions in the network—such as which port is to be blocked and which port is to be put in forwarding
mode—are made from the perspective of this root bridge
BPDUs: Which are sent out as multicast information that only other layer-2 devices are listening to. BPDUs are used
to share information, and these are sent out as multicasts every two seconds. The BPDU contains the bridge’s or
switch’s ID, made up of a priority value and the MAC address. BPDUs are used for the election process.
Path Costs: Path costs are calculated from the root switch. A path cost is basically the accumulated port costs from
the root switch to other switches in the topology. When the root advertises BPDUs out its interfaces, the default path
cost value in the BPDU frame is 0. When a connected switch receives this BPDU, it increments the path cost by the
cost of its local incoming port. If the port was a Fast Ethernet port, then the path cost would be figured like this: 0 (the
root’s path cost) + 19 (the switch’s port cost) = 19. This switch, when it advertises BPDUs to switches behind it, will
include the updated path cost. As the BPDUs propagate further and further from the root switch, the accumulated path
cost values become higher and higher.
Connection Type
10Gb
1Gb
100Mb
10Mb
New Cost Value
2
4
19
100
Old Cost Value
1
1
10
100
Remember that path costs are incremented as a BPDU comes into a port, not when a BPDU is advertised out of a port.
Designated Port A designated port is one that has been determined as having the best (lowest) cost. A designated port
will be marked as a forwarding port. Each (LAN) segment also has a single port that is uses to reach the root. This
port is called a designated port
Forwarding port A forwarding port forwards frames.
Blocked port A blocked port is the port that, in order to prevent loops, will not forward frames. However, a blocked
port will always listen to frames
Nondesignated port A nondesignated port is one with a higher cost than the designated port. Nondesignated ports are
put in blocking mode—they are not forwarding ports.
Port States
Blocking: Ports will go into a blocking state under one of three conditions:
п‚· Election of a root switch (for instance, when you turn on all the switches in a network)
п‚· When a switch receives a BPDU on a port that indicates a better path to the root switch than the port the
switch is currently using to reach the root
п‚· If a port is not a root port or a designated port.
A port in a blocked state will remain there for 20 seconds by default during this state; the port is only listening to and
processing BPDUs on its interfaces. Any other frames that the switch receives on a blocked port are dropped.
Listening: the port is still listening for BPDUs and double-checking the layer-2 topology. Again, the only traffic that
is being processed in this state consists of BPDUs; all other traffic is dropped. default for this value is 15 seconds.
Learning: Port is still listening for and processing BPDUs on the port; however, unlike while in the listening state,
the port begins to process user frames. When processing user frames, the switch is examining the source addresses in
the frames and updating its CAM table, but the switch is still not forwarding these frames out destination ports.
Defaults to 15 seconds
Forwarding: the port will process BPDUs, update its CAM table with frames that it receives, and forward user traffic
through the port.
Disabled: A port in a disabled state is not participating in STP.
Convergence: STP convergence has occurred when all root and designated ports are in a forwarding state and all
other ports are in a blocking state.
Per-VLAN STP: STP doesn't guarantee an optimized loop-free network. PVST supports one instance of STP per
VLAN.
Rapid Spanning Tree Protocol
The 802.1d standard was designed back when waiting for 30 to 50 seconds for layer 2 convergence wasn’t a problem.
However, in today’s networks, this can cause serious performance problems for networks that use real-time
applications, such as voice over IP (VoIP) or video.
The Rapid Spanning Tree Protocol (RSTP) is an IEEE standard, defined in 802.1w, which is interoperable with
802.1d and an extension to it. With RSTP, there are only three port states:
 discarding (it is basically the grouping of 802.1d’s blocking, listening, and disabled states).
п‚· Learning
п‚· Forwarding
Additional Port Roles
With RSTP, there is still a root switch and there are still root and designated ports, performing the same roles as those
in 802.1d. However, RSTP adds two additional port types: alternate ports and backup ports.
These two ports are similar to the ports in a blocking state in 802.1d.
An alternate port is a port that has an alternative path or paths to the root but is currently in a discarding state.
A backup port is a port on a segment that could be used to reach the root switch, but an active port is already
designated for the segment.
The best way to look at this is that an alternate port is a secondary, unused root port, and a backup port is a secondary,
unused designated port.
RSTP BPDUs
With 802.1w, if a BPDU is not received in three expected hello periods (6 seconds), STP information can be aged out
instantly and the switch considers that its neighbor is lost and actions should be taken. This is different from 802.1d,
where the switch had to miss the BPDUs from the root—here, if the switch misses three consecutive hellos from a
neighbor, actions are immediately taken.
Virtual LAN
A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain that can span
multiple physical segments.
Advantages of VLANs:
п‚· Increase the number of broadcast domains while reducing their size.
п‚· Provide additional security.
п‚· Increase the flexibility of network equipment.
п‚· Allow a logical grouping of users by function, not location.
п‚· Make user adds, moves, and changes easier.
Subnets and VLANs : Logically speaking, VLANs are also subnets. A subnet, or a network, is a contained broadcast
domain. A broadcast that occurs in one subnet will not be forwarded, by default, to another subnet. Routers, or layer-3
devices, provide this boundary function. Switch provide this function at layer 2 by VLAN.
Scalability: VLANs provide for location independence. This flexibility makes adds, changes, and moves of
networking devices a simple process. It also allows you to group people together, which also makes implementing
your security policies straightforward.
IP protocols supports 500 devices per vlans.
VLAN Membership : A device’s membership in a VLAN can be determined by one of two methods: static or
dynamic
п‚· Static: - you have to assign manually
п‚· Dynamic:- Configure VTP server and it will automatically do rest
VLAN Connections : two types of connections: access links and trunks.
Access-Link Connections An access-link connection is a connection between a switch and a device with a normal
Ethernet NIC, where the Ethernet frames are transmitted unaltered.
Trunk Connections trunk connections are capable of carrying traffic for multiple VLANs. Cisco supports two
Ethernet trunking methods:
 Cisco’s proprietary Inter Switch Link (ISL) protocol for Ethernet
 IEEE’s 802.1Q, commonly referred to as dot1q for Ethernet
ISL is Cisco-proprietary trunking method that adds a 26-byte header and a 4-byte trailer to the original Ethernet
frame. Cisco’s 1900 switch supports only ISL
802.1Q is a standardized trunking method that inserts a four-byte field into the original Ethernet frame and
recomputed the FCS. The 2950 only supports 802.1Q. 802.1Q trunks support two types of frames: tagged and
untagged.
 An untagged frame does not carry any VLAN identification information in it—basically, this is a standard,
unaltered Ethernet frame.
п‚· A tagged frame contains VLAN information, and only other 802.1Q-aware devices on the trunk will be able
to process this frame
Trunk Tagging
For VLANs to span across multiple switches, you obviously need to connect the switches to each other. Although it is
possible to simply plug one switch into another using an Access port just as you would plug in a host or a hub, doing
so kills the VLAN-spanning feature and a bunch of other useful stuff too. A switch-to-switch link must be set up as a
trunk link in order for the VLAN system to work properly. A trunk link is a special connection; the key difference
between an ordinary connection (an Access port) and a Trunk port is that although an Access port is only in one
VLAN at a time, a Trunk port has the job of carrying traffic for all VLANs from one switch to another. Any time you
connect a switch to another switch, you want to make it a trunk.
Trunking methods create the illusion that instead of a single physical connection between the two trunking devices, a
separate logical connection exists for each VLAN between them. When trunking, the switch adds the source port’s
VLAN identifier to the frame so that the device (typically a switch) at the other end of the trunk understands what
VLAN originated this frame and the destination switch can make intelligent forwarding decisions on not just the
destination MAC address, but also the source VLAN identifier. Since information is added to the original Ethernet
frame, normal NICs will not understand this information and will typically drop the frame. Therefore, you need to
ensure that when you set up a trunk connection on a switch’s interface, the device at the other end also supports the
same trunking protocol and has it configured. If the device at the other end doesn’t understand these modified frames
or is not set up for trunking, it will, in most situations, drop them. The modification of these frames, commonly called
tagging.
By default, all VLANs are permitted across a trunk link. Switch-to-Switch trunk links always require the use of a
crossover cable, never a straight-through cable.
Key feature about DTP
п‚· A trunk can be created only on a Fast Ethernet or Gigabit Ethernet connection; 10Mb Ethernet ports are not
fast enough to support the increased traffic from multiple VLANs, so the commands are not available for a
regular Ethernet port.
п‚· By default, traffic from all VLANs is allowed on a trunk. You can specify which VLANs are permitted (or
not) to cross a particular trunk if you have that requirement, but these functions are not covered in the CCNA
exam.
п‚· Switches (whether trunked or not) are always connected with crossover cables, not straight-through cables.
Dynamic Trunk Protocol (DTP) DTP supports five trunking modes
п‚· On or Trunk interface always assumes the connection is a trunk, even if the remote end does not support
trunking.
п‚· Desirable the interface will generate DTP messages on the interface, but it make the assumption that the other
side is not trunk-capable and will wait for a DTP message from the remote side. In this state, the interface
starts as an access-link connection. If the remote side sends a DTP message, and this message indicates that
trunking is compatible between the two switches, a trunk will be formed and the switch will start tagging
frames on the interface. If the other side does not support trunking, the interface will remain as an access-link
connection
п‚· Auto-negotiate interface passively listens for DTP messages from the remote side and leaves the interface as
an access-link connection. If the interface receives a DTP message, and the message matches trunking
capabilities of the interface, then the interface will change from an access-link connection to a trunk
connection and start tagging frames
п‚· No-negotiate, interface is set as a trunk connection and will automatically tag frames with VLAN
information; however, the interface will not generate DTP messages: DTP is disabled. This mode is typically
used when connecting trunk connections to non-Cisco devices that don’t understand Cisco’s proprietary
trunking protocol and thus won’t understand the contents of these messages.
п‚· Off If an interface is set to off, the interface is configured as an access link. No DTP messages are generated
in this mode, nor are frames tagged.
VLAN Trunk Protocol (VTP)
VTP is a Layer 2 protocol that takes care of the steps of creating and naming VLANs on all switches in the system.
We still have to set port membership to VLANs at each switch, which we can do either statically or using a VMPS.
VTP works by establishing a single switch as being in charge of the VLAN information for a domain. In this case, a
domain is simply a group of switches that all have the same VTP domain name. This simply puts all the switches into
a common administrative group.
The VLAN Trunk Protocol (VTP) is a proprietary Cisco protocol used to share VLAN configuration information
between Cisco switches on trunk connections When you are setting up VTP, you have three different modes: Server
client and transparent.
Server mode: This is the one switch that is in charge of the VLAN information for the VTP domain. You may add,
delete, and change VLAN information on this switch, and doing so affects the entire VTP domain. This way, we only
have to enter our VLAN information once, and the Server mode switch propagates it to all the other switches in the
domain.
Client mode: Client mode switches get VLAN information from the Server. You cannot add, delete, or change
VLAN information on a Client mode switch; in fact, the commands to do so are disabled.
Transparent mode: A Transparent mode switch is doing its own thing; it will not accept any changes to VLAN
information from the Server, but it will forward those changes to other switches in the system. You can add, delete,
and change VLANs—but those changes only affect the Transparent mode switch and are not sent to other switches in
the domain.
VTP Messages
An advertisement request message is a VTP message a client generates When the server responds to a client’s request,
it generates a subset advertisement A summary advertisement is also generated by a switch in VTP server mode.
Summary advertisements are generated every five minutes by default (300 seconds), or when a configuration change
takes place on the server switch
VTP Pruning
VTP gives you a way to preserve bandwidth by configuring it to reduce the amount of broadcasts, multicasts, and
unicast packets. This is called pruning. VTP pruning enabled switches sends broadcasts only to trunk links that
actually must have the information.
VTP pruning is used on trunk connections to dynamically remove VLANs not active between the two switches. It
requires all of the switches to be in server mode.
Basic Switch Configurations Command
In this article I will introduce the Cisco Internetwork Operating System (IOS) command line interface (CLI) for the
2960 series switch. You will need to logon to a switch and become familiar with the different levels of access on the
switch. You will also become familiar with the commands available to you in each mode (user or privileged) and the
switch help facility, history, and editing features.
User vs. Privileged Mode
User mode is indicated with the > next to the switch name. You can look at settings but can not make changes from
user mode. In Privilege mode, indicated by the #, you can do anything. To get into privilege mode the keyword is
enable.
HELP
To view all commands available from this mode type:?This will give you the list of all available commands for the
switch in your current mode. You can also use the question mark after you have started typing a command. For
example if you want to use a show command but you do not remember which one it is, use the ? as this will output all
commands that you can use with the show command.
Configuration Mode
From privilege mode you can enter configuration mode by typing config term command you can exit configuration
mode type type end or <CTL>+z
Configuration of Cisco 2960 Switch
To practically implement these command either create a simple topology on packet tracer or download this topology.
Example topology for basic switch commands
Now click on any switch and configure it as given below
To know all available command on user exec mode type ? and press enter
Switch>?
Exec commands:
[1-99]
Session number to resume
connect
Open a terminal connection
disconnect Disconnect an existing network connection
enable
Turn on privileged commands
exit
Exit from the EXEC
logout
ping
Exit from the EXEC
Send echo messages
[Output is omitted]
Three command can be used to logout from terminal use any one
Switch>enable
Switch#disable
Switch>exit
Switch con0 is now available
Press RETURN to get started.
Show version command will tell about the device platform and detected interface and ios name
Switch>enable
Switch#show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version
12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by pt_team
ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX,
RELEASE SOFTWARE (fc4)
System returned to ROM by power-on
Cisco WS-C2960-24TT (RC32300) processor (revision C0) with
21039K bytes of memory.
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
[Output is omitted]
show mac address command will show all detected mac address dynamically and manually
Switch#show mac-address-table
Mac Address Table
------------------------------------------Vlan Mac Address
Type
---- ------------------ -----
Ports
1 0001.643a.5501 DYNAMIC Gig1/1
Run time configuration of ram can be any time by simple show run commands
Switch#show running-config
Building configuration...
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]
To view startup configuration [ Stored in NVRAM] use show start command
Switch#show startup-config
Current configuration : 925 bytes
version 12.2
no service password-encryption
!
hostname Switch
[Output is omitted]
show vlan command will give the detail overview of all vlan configured on switch
Switch#show vlan
VLAN Name
Status Ports
---- -------------------------------- --------- ----------------------1 default
active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
[Output is omitted]
show interface command will show all detected interface with their hardware description and configuration
Switch#show interfaces
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 0060.2f9d.9101 (bia 0060.2f9d.9101)
MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
[Output is omitted]
interface vlan 1 is used to assign ip address and default gateway to switch. Show interface vlan 1 will give a over
view of vlan1.
Switch#show interface vlan1
Vlan1 is administratively down, line protocol is down
Hardware is CPU Interface, address is 0060.5c23.82ae
(bia 0060.5c23.82ae)
MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
[Output is omitted]
delete command is used to delete all vlan configuration from switch Don’t add space between flash and vlan.dat
Run this exactly shown here adding a space could erase flash entirely leaving switch blank
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]
%deleting flash:/vlan.dat
Startup configuration can be removed by erase commands
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
use configure terminal command to go in global configuration mode
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Now change default switch name to switch 1
Switch(config)#hostname Switch1
Set enable password to vinita and secret to nikki
Switch1(config)#enable password vinita
Switch1(config)#enable secret nikki
Set console password to vinita and enable it by login command, order of command is important set password before
you enable it
Switch1(config)#line console 0
Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit
Enable 5 telnet session [ vty0 - vty4] for router and set their password to vinita
Switch1(config)#line vty 0 4
Switch1(config-line)#password vinita
Switch1(config-line)#login
Switch1(config-line)#exit
Now set switch ip address to 192.168.0.10 255.255.255.0 and default gateway to 192.168.0.5
Switch1(config)#interface vlan1
Switch1(config-if)#ip address 192.168.0.10 255.255.255.0
Switch1(config-if)#exit
Switch1(config)#ip default-gateway 192.168.0.5
Set a description finance VLAN to interface fast Ethernet 1
Switch1(config)#interface fastEthernet 0/1
Switch1(config-if)#description finance VLAN
By default switch automatically negotiate speed and duplex but you can adjust it manually
Switch1(config-if)#duplex full
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to downSwitch1
(config-if)#duplex auto
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex half
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
Switch1(config-if)#duplex auto
Switch1(config-if)#speed 10
Switch1(config-if)#speed 100
Switch1(config-if)#speed auto
Switch1(config-if)#exit
Switch1(config)#exit
mac address table can be wiped out by clear commands
Switch1#show
Switch1#show mac-address-table
Mac Address Table
------------------------------------------Vlan Mac Address
Type
---- ------------------ -----
Ports
1 0001.643a.5501 DYNAMIC Gig1/1
Switch1#clear mac-address-table
Switch1#clear mac-address-table ?
dynamic dynamic entry type
Switch1#clear mac-address-table dynamic
To restart switch use reload command [ running configuration will be erased so copy it first to startup
configuration ]
Switch1#reload
Proceed with reload? [confirm]
Switch con0 is now available
Press RETURN to get started.
CCNA basic switch configuration commands sheet
Command
switch>?
switch>enable
switch#
switch#disable
switch>exit
switch#show version
switch#show flash:
switch#show mac-address-table
switch#show running-config
switch#show startup-config
switch#show vlan
switch#show interfaces
switch#show interface vlan1
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#erase startup-config
Switch#reload
Switch#configure terminal
Switch(config)#hostname Switch1
descriptions
The ? works here the same as in a router Used to get the list of all available
commands
User mode, same as a router
Privileged mode
Leaves privileged mode
Leaves user mode
Displays information about software and hardware.
Displays information about flash memory (will work only for the 2900/2950
series).
Displays the current MAC address forwarding table
.
Displays the current configuration in DRAM.
Displays the current configuration in NVRAM.
Displays the current VLAN configuration.
Displays the interface configuration and status of line: up/up, up/down,
admin down.
Displays setting of virtual interface VLAN 1, the default VLAN on the
switch.
To Reset Switch Configuration
Removes the VLAN database from flash memory.
Press Enter
Press Enter
Erases the file from NVRAM.
Restarts the switch.
To Set Host Names
Moves to global configuration mode
Creates a locally significant host name of the switch. This is the same
command as the router.
Switch1(config)#
To Set Passwords
Switch(config)#enable password vinita Sets the enable password to vinita
Sets the encrypted secret password to nikki
Switch(config)#enable secret nikki
Enters line console mode
Switch(config)#line console 0
Enables password checking
Switch(config-line)#login
Sets the password to vinita
Switch(config-line)#password vinita
Exits line console mode
Switch(config-line)#exit
Enters line vty mode for all five virtual ports
Switch(config-line)#line vty 0 4
Enables password checking
Switch(config-line)#login
Sets the password to vinita
Switch(config-line)#password vinita
Exits line vty mode
Switch(config-line)#exit
Switch(config)#
To Set IP Addresses and Default Gateways
Enters the virtual interface for VLAN 1, the default VLAN on the switch
Switch(config)#interface vlan1
Switch(config-if)#ip address
Sets the IP address and netmask to allow for remote access to the switch
192.168.0.10 255.255.255.0
Switch(config-if)#exit
Switch(config)#ip default-gateway
192.168.0.5
Allows IP information an exit past the local network
To Set Interface Descriptions
Switch(config)#interface fastethernet
Enters interface configuration mode
0/1
Switch(config-if)#description Finance
Adds a description of the interface
VLAN
To Set Duplex Operation
Switch(config)#interface fastethernet
Moves to interface configuration mode
0/1
Forces full-duplex operation
Switch(config-if)#duplex full
Enables auto-duplex config
Switch(config-if)#duplex auto
Forces half-duplex operation
Switch(config-if)#duplex half
To Set Operation Speed
Switch(config)#interface fastethernet
0/1
Forces 10-Mbps operation
Switch(config-if)#speed 10
Forces 100-Mbps operation
Switch(config-if)#speed 100
Enables autospeed configuration
Switch(config-if)#speed auto
MAC Address Table
Displays current MAC address forwarding table
switch#show mac address-table
Deletes all entries from current MAC address forwarding table
switch#clear mac address-table
switch#clear mac address-table
Deletes only dynamic entries from table
dynamic
Spanning Tree Protocols
In our last article we learn about basic functions of switching. We mentioned that one of the functions of a switch was
Layer 2 Loop removal. The Spanning Tree Protocol (STP) carries out this function. STP is a critical feature; without it
many switched networks would completely stop to function. Either accidentally or intentionally in the process of
creating a redundant network, the problem arises when we create a looped switched path. A loop can be defined as
two or more switches that are interconnected by two or more physical links. Switching loops create three major
problems:
 Broadcast storms—Switches must flood broadcasts, so a looped topology will create multiple copies of a
single broadcast and perpetually cycle them through the loop.
 MAC table instability—Loops make it appear that a single MAC address is reachable on multiple ports of a
switch, and the switch is constantly updating the MAC table.
 Duplicate frames— Because there are multiple paths to a single MAC, it is possible that a frame could be
duplicated in order to be flooded out all paths to a single destination MAC.
All these problems are serious and will bring a network to an effective standstill unless prevented
Removing layer-2 loops
Spanning Tree Protocol (STP - 802.1d) The main function of the Spanning Tree Protocol (STP) is to remove layer-2
loops from your topology. For STP to function, the switches need to share information. What they share are bridge
protocol data units
Root Port
After the root switch is elected, every other switch in the network needs to choose a single port on itself that it will use
to reach the root. This port is called the root port.
The root port is always the link directly connected to the root bridge, or the shortest path to the root bridge. If more
than one link connects to the root bridge, then a port cost is determined by checking the bandwidth of each link. The
lowest-cost port becomes the root port. If multiple links have the same cost, the bridge with the lower advertising
bridge ID is used. Since multiple links can be from the same device, the lowest port number will be used.
Root Bridge
Switch with the lowest switch ID is chosen as root. The switch ID is made up of two components:
п‚· The switch's priority, which defaults to 32,768 on Cisco switches (two bytes in length)
п‚· The switch's MAC address (six bytes in length)
All other decisions in the network—such as which port is to be blocked and which port is to be put in forwarding
mode—are made from the perspective of this root bridge
BPDUs
Which are sent out as multicast information that only other layer-2 devices are listening to. BPDUs are used to share
information, and these are sent out as multicasts every two seconds. The BPDU contains the bridge’s or switch’s ID,
made up of a priority value and the MAC address. BPDUs are used for the election process.
Path Costs
Path costs are calculated from the root switch. A path cost is basically the accumulated port costs from the root switch
to other switches in the topology. When the root advertises BPDUs out its interfaces, the default path cost value in the
BPDU frame is 0. When a connected switch receives this BPDU, it increments the path cost by the cost of its local
incoming port. If the port was a Fast Ethernet port, then the path cost would be figured like this: 0 (the root’s path
cost) + 19 (the switch’s port cost) = 19. This switch, when it advertises BPDUs to switches behind it, will include the
updated path cost. As the BPDUs propagate further and further from the root switch, the accumulated path cost values
become higher and higher.
New Cost Value
Old Cost Value
Connection Type
10Gb
2
1
1Gb
4
1
100Mb
19
10
10Mb
100
100
Remember that path costs are incremented as a BPDU comes into a port, not when a BPDU is advertised out of a port.
Designated Port A designated port is one that has been determined as having the best (lowest) cost. A designated port
will be marked as a forwarding port. Each (LAN) segment also has a single port that is uses to reach the root. This
port is called a designated port
Forwarding port A forwarding port forwards frames.
Blocked port A blocked port is the port that, in order to prevent loops, will not forward frames. However, a blocked
port will always listen to frames
Nondesignated port A nondesignated port is one with a higher cost than the designated port. Nondesignated ports are
put in blocking mode—they are not forwarding ports.
Port States
Blocking
Ports will go into a blocking state under one of three conditions:
п‚· Election of a root switch (for instance, when you turn on all the switches in a network)
п‚· When a switch receives a BPDU on a port that indicates a better path to the root switch than the port the
switch is currently using to reach the root
п‚· If a port is not a root port or a designated port.
A port in a blocked state will remain there for 20 seconds by default during this state; the port is only listening to and
processing BPDUs on its interfaces. Any other frames that the switch receives on a blocked port are dropped.
Listening
the port is still listening for BPDUs and double-checking the layer-2 topology. Again, the only traffic that is being
processed in this state consists of BPDUs; all other traffic is dropped. default for this value is 15 seconds.
Learning
Port is still listening for and processing BPDUs on the port; however, unlike while in the listening state, the port
begins to process user frames. When processing user frames, the switch is examining the source addresses in the
frames and updating its CAM table, but the switch is still not forwarding these frames out destination ports. Defaults
to 15 seconds
Forwarding
the port will process BPDUs, update its CAM table with frames that it receives, and forward user traffic through the
port.
Disabled
A port in a disabled state is not participating in STP.
Convergence
STP convergence has occurred when all root and designated ports are in a forwarding state and all other ports are in a
blocking state.
Per-VLAN STP
STP doesn't guarantee an optimized loop-free network. PVST supports one instance of STP per VLAN.
Rapid Spanning Tree Protocol
The 802.1d standard was designed back when waiting for 30 to 50 seconds for layer 2 convergence wasn’t a problem.
However, in today’s networks, this can cause serious performance problems for networks that use real-time
applications, such as voice over IP (VoIP) or video.
The Rapid Spanning Tree Protocol (RSTP) is an IEEE standard, defined in 802.1w, which is interoperable with
802.1d and an extension to it. With RSTP, there are only three port states:
 discarding (it is basically the grouping of 802.1d’s blocking, listening, and disabled states).
п‚· Learning
п‚· Forwarding
Additional Port Roles
With RSTP, there is still a root switch and there are still root and designated ports, performing the same roles as those
in 802.1d. However, RSTP adds two additional port types: alternate ports and backup ports.
These two ports are similar to the ports in a blocking state in 802.1d.
An alternate port is a port that has an alternative path or paths to the root but is currently in a discarding state.
A backup port is a port on a segment that could be used to reach the root switch, but an active port is already
designated for the segment.
The best way to look at this is that an alternate port is a secondary, unused root port, and a backup port is a secondary,
unused designated port.
RSTP BPDUs
With 802.1w, if a BPDU is not received in three expected hello periods (6 seconds), STP information can be aged out
instantly and the switch considers that its neighbor is lost and actions should be taken. This is different from 802.1d,
where the switch had to miss the BPDUs from the root—here, if the switch misses three consecutive hellos from a
neighbor, actions are immediately taken.
Virtual LAN
A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain that can span
multiple physical segments.
Advantages of VLANs:
п‚· Increase the number of broadcast domains while reducing their size.
п‚· Provide additional security.
п‚· Increase the flexibility of network equipment.
п‚· Allow a logical grouping of users by function, not location.
п‚· Make user adds, moves, and changes easier.
Subnets and VLANs
Logically speaking, VLANs are also subnets. A subnet, or a network, is a contained broadcast domain. A broadcast
that occurs in one subnet will not be forwarded, by default, to another subnet. Routers, or layer-3 devices, provide this
boundary function. Switch provide this function at layer 2 by VLAN.
Scalability
VLANs provide for location independence. This flexibility makes adds, changes, and moves of networking devices a
simple process. It also allows you to group people together, which also makes implementing your security policies
straightforward.
IP protocols supports 500 devices per vlans.
VLAN Membership
A device’s membership in a VLAN can be determined by one of two methods: static or dynamic
п‚· Static: - you have to assign manually
п‚· Dynamic:- Configure VTP server and it will automatically do rest
VLAN Connections
two types of connections: access links and trunks.
Access-Link Connections An access-link connection is a connection between a switch and a device with a normal
Ethernet NIC, where the Ethernet frames are transmitted unaltered.
Trunk Connections trunk connections are capable of carrying traffic for multiple VLANs. Cisco supports two
Ethernet trunking methods:
 Cisco’s proprietary Inter Switch Link (ISL) protocol for Ethernet
 IEEE’s 802.1Q, commonly referred to as dot1q for Ethernet
ISL is Cisco-proprietary trunking method that adds a 26-byte header and a 4-byte trailer to the original Ethernet
frame. Cisco’s 1900 switch supports only ISL
802.1Q is a standardized trunking method that inserts a four-byte field into the original Ethernet frame and
recomputed the FCS. The 2950 only supports 802.1Q. 802.1Q trunks support two types of frames: tagged and
untagged.
 An untagged frame does not carry any VLAN identification information in it—basically, this is a standard,
unaltered Ethernet frame.
п‚· A tagged frame contains VLAN information, and only other 802.1Q-aware devices on the trunk will be able
to process this frame
Trunk Tagging
For VLANs to span across multiple switches, you obviously need to connect the switches to each other. Although it is
possible to simply plug one switch into another using an Access port just as you would plug in a host or a hub, doing
so kills the VLAN-spanning feature and a bunch of other useful stuff too. A switch-to-switch link must be set up as a
trunk link in order for the VLAN system to work properly. A trunk link is a special connection; the key difference
between an ordinary connection (an Access port) and a Trunk port is that although an Access port is only in one
VLAN at a time, a Trunk port has the job of carrying traffic for all VLANs from one switch to another. Any time you
connect a switch to another switch, you want to make it a trunk.
Trunking methods create the illusion that instead of a single physical connection between the two trunking devices, a
separate logical connection exists for each VLAN between them. When trunking, the switch adds the source port’s
VLAN identifier to the frame so that the device (typically a switch) at the other end of the trunk understands what
VLAN originated this frame and the destination switch can make intelligent forwarding decisions on not just the
destination MAC address, but also the source VLAN identifier. Since information is added to the original Ethernet
frame, normal NICs will not understand this information and will typically drop the frame. Therefore, you need to
ensure that when you set up a trunk connection on a switch’s interface, the device at the other end also supports the
same trunking protocol and has it configured. If the device at the other end doesn’t understand these modified frames
or is not set up for trunking, it will, in most situations, drop them. The modification of these frames, commonly called
tagging.
By default, all VLANs are permitted across a trunk link. Switch-to-Switch trunk links always require the use of a
crossover cable, never a straight-through cable.
Key feature about DTP
п‚· A trunk can be created only on a Fast Ethernet or Gigabit Ethernet connection; 10Mb Ethernet ports are not
fast enough to support the increased traffic from multiple VLANs, so the commands are not available for a
regular Ethernet port.
п‚· By default, traffic from all VLANs is allowed on a trunk. You can specify which VLANs are permitted (or
not) to cross a particular trunk if you have that requirement, but these functions are not covered in the CCNA
exam.
п‚· Switches (whether trunked or not) are always connected with crossover cables, not straight-through cables.
Dynamic Trunk Protocol (DTP) DTP supports five trunking modes
п‚· On or Trunk interface always assumes the connection is a trunk, even if the remote end does not support
trunking.
п‚· Desirable the interface will generate DTP messages on the interface, but it make the assumption that the other
side is not trunk-capable and will wait for a DTP message from the remote side. In this state, the interface
starts as an access-link connection. If the remote side sends a DTP message, and this message indicates that
trunking is compatible between the two switches, a trunk will be formed and the switch will start tagging
frames on the interface. If the other side does not support trunking, the interface will remain as an access-link
connection
п‚· Auto-negotiate interface passively listens for DTP messages from the remote side and leaves the interface as
an access-link connection. If the interface receives a DTP message, and the message matches trunking
capabilities of the interface, then the interface will change from an access-link connection to a trunk
connection and start tagging frames
п‚· No-negotiate, interface is set as a trunk connection and will automatically tag frames with VLAN
information; however, the interface will not generate DTP messages: DTP is disabled. This mode is typically
used when connecting trunk connections to non-Cisco devices that don’t understand Cisco’s proprietary
trunking protocol and thus won’t understand the contents of these messages.
п‚· Off If an interface is set to off, the interface is configured as an access link. No DTP messages are generated
in this mode, nor are frames tagged.
VLAN Trunk Protocol (VTP)
VTP is a Layer 2 protocol that takes care of the steps of creating and naming VLANs on all switches in the system.
We still have to set port membership to VLANs at each switch, which we can do either statically or using a VMPS.
VTP works by establishing a single switch as being in charge of the VLAN information for a domain. In this case, a
domain is simply a group of switches that all have the same VTP domain name. This simply puts all the switches into
a common administrative group.
The VLAN Trunk Protocol (VTP) is a proprietary Cisco protocol used to share VLAN configuration information
between Cisco switches on trunk connections When you are setting up VTP, you have three different modes: Server
client and transparent.
Server mode—
This is the one switch that is in charge of the VLAN information for the VTP domain. You may add, delete, and
change VLAN information on this switch, and doing so affects the entire VTP domain. This way, we only have to
enter our VLAN information once, and the Server mode switch propagates it to all the other switches in the domain.
Client mode—
Client mode switches get VLAN information from the Server. You cannot add, delete, or change VLAN information
on a Client mode switch; in fact, the commands to do so are disabled.
Transparent mode—
A Transparent mode switch is doing its own thing; it will not accept any changes to VLAN information from the
Server, but it will forward those changes to other switches in the system. You can add, delete, and change VLANs—
but those changes only affect the Transparent mode switch and are not sent to other switches in the domain.
VTP Messages
An advertisement request message is a VTP message a client generates When the server responds to a client’s request,
it generates a subset advertisement A summary advertisement is also generated by a switch in VTP server mode.
Summary advertisements are generated every five minutes by default (300 seconds), or when a configuration change
takes place on the server switch
VTP Pruning
VTP gives you a way to preserve bandwidth by configuring it to reduce the amount of broadcasts, multicasts, and
unicast packets. This is called pruning. VTP pruning enabled switches sends broadcasts only to trunk links that
actually must have the information.
VTP pruning is used on trunk connections to dynamically remove VLANs not active between the two switches. It
requires all of the switches to be in server mode
Switch port security configure ethereal channel
In this article I will show you that how can you
п‚· Configuring the IP address and subnet mask
п‚· Setting the IP default gateway
п‚· Enable telnet session for switch
п‚· Enable Ethereal Channel
п‚· Enable port security
To perform this activity download this lab topology and load in packet tracer or create your own topology as shown in
figure
Switch Port Security
Configure IP address subnet mask and default gateway
IP address and default gateway is used to configure switch remotely via telnet or SSH. Without this essential
configurations you have connect with switch via console cable each time. That's very tedious as you have to go near
to switch each time.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1
Enable Telnet and password protect the line
You can secure a switch by using passwords to restrict various levels of access. Using passwords and assigning
privilege levels are simple ways of providing both local and remote terminal access control in a network. Passwords
can be established on individual lines, such as the console, and to the privileged EXEC (enable) mode. Passwords are
case sensitive. By default There are five VTY ports on the switch, allowing five simultaneous Telnet sessions, noting
that other Cisco devices might have more than five logical VTY ports. The five total VTY ports are numbered from 0
through 4 and are referred to all at once as line vty 0 4.
S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#
Enable Switch port security
this feature set allows you (among several other options) to disable a port if more than one MAC address is detected
as being connected to the port. This feature is commonly applied to ports that connect security-sensitive devices such
as servers. You can use the port security feature to restrict input to an interface by limiting and identifying MAC
addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port
does not forward packets with source addresses outside the group of defined addresses.
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#exit
S2(config)#
You can verify port security.
п‚· Click on the red x button on the right hand portion of the PT window. This will allow you to delete a
connection in the topology. Place the x over the connection between Server and S2 and click. The
connection should disappear.
п‚· Select the lightening bolt button on the bottom left-hand corner of the PT window to pull up connection
types. Click the “copper straight-through” connection. Click the TestPC device and select the fastethernet
port. Next, click on S2 and select port Fa0/1.
п‚· From the command prompt of TestPC type the command ping 10.0.0.4. The ping should fail.
п‚· On S3, enter the command show port-security interface fa0/1.
Port security is enabled, port-status is secure-shutdown, security violation count is 1.
Configure Ethereal channel
Ethereal Channel allows you to combine switch ports to increase more bandwidth. If you connect switch ports without
Ethereal Channel configurations STP switch’s in built function will shutdown one of these port to avoid loop. You
can download this example topology for practice of Ethereal Channel .
Ethereal Channel
п‚·
To enable EtherChannel on DLS1, enter the interface range mode for ports F0/11 and F0/12 on with the
command interface range f0/11 - 12.
п‚· Enter the command switchport mode trunk.
п‚· Enter the command channel-group 1 mode desirable.
п‚· Repeat steps a through c on DLS2.
Configure Vlan vtp server stp dtp
In our pervious article you learnt about the feature of switching. To read these articles you can follow these links.
Method of switching basic functions
Spanning tree protocols stp
Virtual lan trunk tagging dtp vtp vtp pruning
In this tutorial I will demonstrate that how can you
п‚· Configure Access or Trunk links
п‚· Create VLAN
п‚· Assign VLAN membership
п‚· Configure Intra VLAN routing
п‚· Configure VTP Server
п‚· Make VTP Clients
п‚· Show STP Static
п‚· Configure DTP port
To complete these lab either create a topology as shown in figure or download this file and load it in packet tracer
Advance switch configuration
PC configurations
Devices IP Address
VLAN
Connected With
PC0
10.0.0.2
VLAN10
Switch1 on F0/1
PC1
20.0.0.2
VLAN20
Switch1 on F0/2
PC2
10.0.0.3
VLAN10
Switch2 on F0/1
PC3
PC4
PC5
20.0.0.3
10.0.0.4
20.0.0.4
VLAN20
VLAN10
VLAN20
Switch2 on F0/2
Switch3 on F0/1
Switch3 on F0/2
2960 – 24 TTL Switch 1 Configuration
Port Connected to
VLAN
LINK
STATUS
F0/1 With PC0
VLAN10
Access
OK
F0/2 With PC1
VLAN20
Access
OK
Gig1/1 With Router
VLAN 10,20
Trunk
OK
Gig 1/2 With Switch2
VLAN 10,20
Trunk
OK
F0/24 Witch Switch2
VLAN 10,20
Trunk
OK
2960 – 24 TTL Switch 2 Configuration
F0/1 With PC0
VLAN10
Access
OK
F0/2 With PC1
VLAN20
Access
OK
Gig 1/2 With Switch1
VLAN 10,20
Trunk
OK
Gig 1/1 With Switch3
VLAN 10,20
Trunk
OK
F0/24 Witch Switch1
VLAN 10,20
Trunk
Blocked
F0/23 Witch Switch3
VLAN 10,20
Trunk
OK
2960 – 24 TTL Switch 3 Configuration
F0/1 With PC0
VLAN10
Access
OK
F0/2 With PC1
VLAN20
Access
OK
Gig 1/1 With Switch2
VLAN 10,20
Trunk
OK
F0/24 Witch Switch1
VLAN 10,20
Trunk
Blocked
Task
You are the administrator at ComputerNetworkingNotes.com. company have two department sales and management.
You have given three pc for sales and three pc in management. You created two VLAN. VLAN 10 for sales and
VLAN20 for management. For backup purpose you have interconnected switch with one extra connection. You have
one router for intera VLAN communications.
Let's start configuration first assign IP address to all pc's
To assign IP address double click on pc and select ip configurations from desktop tab and give ip address as shown in
table given above
VLAN Trunking Protocol
Configure VTP Server
We will first create a VTP Server so it can automatically propagate VLAN information to other switch. Double click
on Switch1 and select CLI. Set hostname to S1 and create VTP domain name example and set password to vinita (
Remember password is case sensitive ).
Switch 1
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain example
Changing VTP domain name from NULL to example
S1(config)#vtp password vinita
Setting device VLAN database password to vinita
Configure VTP clients
Once you have created a VTP domain. Configure remaining Switch to Client mode.
Switch 2
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain example
Changing VTP domain name from NULL to example
S2(config)#vtp password vinita
Setting device VLAN database password to vinita
S2(config)#
Switch 3
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S3
S3(config)#vtp mode client
Setting device to VTP CLIENT mode.
S3(config)#vtp domain example
Changing VTP domain name from NULL to example
S3(config)#vtp password vinita
Setting device VLAN database password to vinita
S3(config)#
Dynamic Trunking Protocol
Configure DTP port
All Switch ports remain by default in access mode. Access port can not transfer the trunk frame. Change mode to
trunk on all the port those are used to interconnect the switches
Switch 1
S1(config)#interface fastEthernet 0/24
S1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24,
changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24,
changed state to up
S1(config-if)#exit
S1(config)#interface gigabitEthernet 1/1
S1(config-if)#switchport mode trunk
S1(config-if)#exit
S1(config)#interface gigabitEthernet 1/2
S1(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2,
changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2,
changed state to up
S1(config-if)#exit
S1(config)#
Switch 2
S2(config)#interface gigabitEthernet 1/1
S2(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1,
changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1,
changed state to up
S2(config-if)#exit
S2(config)#interface gigabitEthernet 1/2
S2(config-if)#switchport mode trunk
S2(config-if)#exit
S2(config)#interface fastEthernet 0/23
S2(config-if)#switchport mode trunk
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23,
changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23,
changed state to up
S2(config-if)#exit
S2(config)#interface fastEthernet 0/24
S2(config-if)#switchport mode trunk
S2(config-if)#exit
Switch 3
S3(config)#interface fastEthernet 0/24
S3(config-if)#switchport mode trunk
S3(config-if)#exit
S3(config)#interface gigabitEthernet 1/1
S3(config-if)#switchport mode trunk
S3(config-if)#exit
Virtual LAN (VLAN)
Create VLAN
After VTP server configuration its time to organize VLAN. We need only to create VLAN on VTP server and reset
will be done by VTP Server automatically.
Switch 1
S1(config)#vlan 10
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#exit
S1(config)#
As we have already configure VTP server in our network so we don't need to create VLAN on S2 or S3. We need
only to associate VLAN with port.
Assign VLAN membership
Switch 1
S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport access vlan 10
S1(config-if)#interface fastEthernet 0/2
S1(config-if)#switchport access vlan 20
Switch 2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport access vlan 10
S2(config-if)#interface fastEthernet 0/2
S2(config-if)#switchport access vlan 20
Switch 3
S3(config)#interface fastEthernet 0/1
S3(config-if)#switchport access vlan 10
S3(config-if)#interface fastEthernet 0/2
S3(config-if)#switchport access vlan 20
Now we have two working vlan. To test connectivity do ping form 10.0.0.2 to 10.0.0.3 and 10.0.0.4. if you get
successfully replay then you have successfully created VLAN and VTP server.
Spanning-Tree Protocol
In this configuration STP will block these ports F0/24 of S1 , F0/23 and F0/24 of S2 and F0/24 of S3 to avoid loop at
layer to two. Verify those ports blocked due to STP functions
Verify STP ports
Switch 2
S2#show spanning-tree active
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0002.174D.7794
Cost
4
Port
26(GigabitEthernet1/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 00D0.FF08.82E1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20
Interface
Role Sts Cost
Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------Fa0/1
Desg FWD 19
128.1 P2p
Fa0/2
Desg FWD 19
128.2 P2p
Fa0/23
Desg FWD 19
128.23 P2p
Fa0/24
Altn BLK 19
128.24 P2p
Gi1/1
Desg FWD 4
128.25 P2p
Gi1/2
Root FWD 4
128.26 P2p
[Output is omitted]
S2#
You can test STP protocols status on S1 and S3also with
show spanning-tree active command
Router on Stick
At this point of configurations you have two successfully running VLAN but they will not connect each other. To
make intra VLAN communications we need to configure router . To do this double click on router and select CLI.
Configure intra VLAN
Router
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface fastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastEthernet 0/0.10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastEthernet 0/0.20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 20.0.0.1 255.0.0.0
Router(config-subif)#exit
To test connectivity between different vlan do ping form any pc to all reaming pc. it should be ping successfully. If
you have error download this configured topology and cross check that where you have committed mistake.
Configured VLAN VTP STP topology
VLAN VTP Server STP DTP command reference sheet
Creates VLAN 10 and enters VLAN configuration mode for further definitions.
Switch(config)#vlan 10
Assigns a name to the VLAN. The length of the name can be from 1 to 32
Switch(config-vlan)#name Sales
characters.
Applies changes, increases the revision number by 1, and returns to global
Switch(config-vlan)#exit
configuration mode.
Switch(config)#interface
Moves to interface configuration mode
fastethernet 0/1
Switch(config-if)#switchport
Sets the port to access mode
mode access
Assigns this port to VLAN 10
Switch(config-if)#switchport
access vlan 10
Switch#show vlan
Switch#show vlan brief
Switch#show vlan id 10
Switch#show vlan name sales
Switch#show interfaces vlan x
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
Switch#
Switch(config)#interface
fastethernet 0/5
Switch(config-if)#no switchport
access vlan 5
Switch(config-if)#exit
Switch(config)#no vlan 5
Switch#copy running-config
startupconfig
Switch(config-if) #switchport
mode trunk
Switch(config)#vtp mode server
Switch(config)#vtp mode client
Switch(config)#vtp mode
transparent
Switch(config)#no vtp mode
Switch(config)#vtp domain
domain-name
Switch(config)#vtp password
password
Switch(config)#vtp pruning
Switch#show vtp status
Switch#show vtp counters
Displays VLAN information
Displays VLAN information in brief
Displays information about VLAN 10 only
Displays information about VLAN named sales only
Displays interface characteristics for the specified VLAN
Removes the entire VLAN database from flash.
Make sure there is no space between the colon (:) and the characters vlan.dat. You
can potentially erase the entire contents of the flash with this command if the
syntax is not correct. Make sure you read the output from the switch. If you need
to cancel, press ctrl+c to escape back to privileged mode:
Moves to interface configuration mode.
Removes port from VLAN 5 and reassigns it to VLAN 1—the default VLAN.
Moves to global configuration mode.
Removes VLAN 5 from the VLAN database.
Saves the configuration in NVRAM
Puts the interface into permanent trunking mode and negotiates to convert the link
into a trunk link.
Changes the switch to VTP server mode.
Changes the switch to VTP client mode.
Changes the switch to VTP transparent mode.
Returns the switch to the default VTP server mode.
Configures the VTP domain name. The name can be from 1 to 32 characters long.
Configures a VTP password
.
Enables VTP pruning
Displays general information about VTP configuration
Displays the VTP counters for the switch
Cisco Discovery Protocol CDP
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help administrators collect
information about both locally attached and remote devices. By using CDP, you can gather hardware and protocol
information about neighbor devices, which is useful info for troubleshooting the network.
CDP messages are generated every 60 seconds as multicast messages on each of its active interfaces.
The information shared in a CDP packet about a Cisco device includes the following:
п‚· Name of the device configured with the hostname command
п‚· IOS software version
п‚· Hardware capabilities, such as routing, switching, and/or bridging
п‚· Hardware platform, such as 2600, 2950, or 1900
п‚· The layer-3 address(es) of the device
п‚· The interface the CDP update was generated on
CDP allows devices to share basic configuration information without even configuring any protocol specific
information and is enabled by default on all interfaces.
CDP is a Datalink Protocol occurring at Layer 2 of the OSI model.
CDP is not routable and can only go over to directly connected devices.
CDP is enabled, by default, on all Cisco devices. CDP updates are generated as multicasts every 60 seconds with a
hold-down period of 180 seconds for a missing neighbor. The no cdp run command globally disables CDP, while the
no cdp enable command disables CDP on an interface. Use show cdp neighbors to list out your directly connected
Cisco neighboring devices. Adding the detail parameter will display the layer-3 addressing configured on the
neighbor.
How could CDP help you?
Manoj has just been hired as a senior network consultant at a large bank in Lucknow, Uttar Pradesh. He is expected to
be able to take care of any problem that comes up. No problem at all here—he only has to worry about people
possibly not getting the right money transaction if the network goes down. Manoj starts his job happily.
Soon, of course, the network has some problems. He asks one of the junior administrators for a network map so he
can troubleshoot the network. This person tells him that the old senior administrator (who just got fired) had them
with him and now no one can find them. Cashiers are calling every couple of minutes because they can’t get the
necessary information they need to take care of their customers. What should he do?
CDP to the rescue! Thank God this bank has all Cisco routers and switches and that CDP is enabled by default on all
Cisco devices. Also, luckily, the dissatisfied administrator who just got fired didn't turn off CDP on any devices
before he left. All Manoj has to do now is to use the show cdp neighbor detail command to find all the information
he needs about each device to help draw out the bank network .
Cisco Discovery Protocols Configuration commands
Router#show cdp
Displays global CDP information (such as timers)
Router#show cdp neighbors
Displays information about neighbors
Router#show cdp neighbors detail Displays more detail about the neighbor device
Router#show cdp entry word
Displays information about the device named word
Router#show cdp entry *
Displays information about all devices
Router#show cdp interface
Displays information about interfaces that have CDP running
Router#show cdp interface x
Displays information about specific interface x running CDP
Router#show cdp traffic
Displays traffic information—packets in/out/version
Router(config)#cdp holdtime x
Changes the length of time to keep CDP packets
Router(config)#cdp timer x
Changes how often CDP updates are sent
Router(config)#cdp run
Enables CDP globally (on by default)
Router(config)#no cdp run
Turns off CDP globally
Router(config-if)#cdp enable
Enables CDP on a specific interface
Router(config-if)#cdp enable
Enables CDP on a specific interface
Router(config-if)#no cdp enable
Turns off CDP on a specific interface
Router#clear cdp counters
Resets traffic counters to 0
Router#clear cdp table
Deletes the CDP table
Router#debug cdp adjacency
Monitors CDP neighbor information
Router#debug cdp events
Monitors all CDP events
Router#debug cdp ip
Monitors CDP events specifically for IP
Router#debug cdp packets
Monitors CDP packet-related information
Basic router configurations show commands
In our last article I show you that how can you connect Cisco router. In this article I will show how can you can
configure router. For demonstration purpose I used packet tracer software. If you haven’t install packet tracer read our
pervious article to download and install packet tracer. Link is given on the top side of left. Create a simple topology
by dragging dives on workspace as show in figure.
Basic Show Commands
Router#show running-config
Building configuration...
Current configuration : 419 bytes
!
version 12.4
no service password-encryption
!
hostname Router
!
ip ssh version 1
!
interface FastEthernet0/0
[output is Omitted]
Show the active configuration in memory. The currently active configuration script running on the router is referred to
as the running-config on the routers command-line interface. Note that privileged mode is required. The running
configuration script is not automatically saved on a Cisco router, and will be lost in the event of power failure. The
running configuration must be manually saved with the 'copy' command
Router#show flash
System flash directory:
File Length Name/status
1 33591768 c1841-advipservicesk9-mz.124-15.T1.bin
[33591768 bytes used, 30424616 available, 64016384 total]
63488K bytes of processor board System flash (Read/Write)
Flash memory is a special kind of memory on the router that contains the operating system image file(s). Unlike
regular router memory, Flash memory continues to maintain the file image even after power is lost.
Router#show history
The routers Command Line Interface (CLI) maintains by default the last 10 commands you have entered in memory.
To retrieve the previous command you typed
Press the up arrow
To retrieve the next command you typed
Press the down arrow
Router#show protocols
Use this command to view the status of the current layer 3 routed protocols running on your router
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T1,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 04:52 by pt_team
ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T1.bin"
[output is Omitted]
Cisco 1841 (revision 5.0) with 114688K/16384K bytes of memory.
Processor board ID FTX0947Z18E
M860 processor: part number 0, mask 49
2 FastEthernet/IEEE 802.3 interface(s)
1 Low-speed serial(sync/async) network interface(s)
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
This command will give you critical information, such as: router platform type, operating system revision, operating
system last boot time and file location, amount of memory, number of interfaces, and configuration register
Router#show clock
*1:46:13.169 UTC Mon Nov 1 2009
Will show you Routers clock
Router#show hosts
will display a cached list of hosts and all of their interfaces IP addresses
Router#show users
Will show a list of all users who are connected to the router
Router#show interfaces
will give you detailed information about each interface
Router#show protocols
will show the global and interface-specific status of any layer 3 protocols
Router#show ip interface brief
Interface
IP-Address
OK? Method Status
Protocol
FastEthernet0/0
10.0.0.1
FastEthernet0/1
unassigned
Serial0/0/0
20.0.0.1
YES manual up
up
YES manual administratively down down
YES manual up
up
Vlan1
unassigned YES manual administratively down down
Router#
This command will show brief descriptions about interface. This command mostly used in troubleshooting. There
may be three possible conditions of status.
UP :- interface is up and operational
DOWN :- physical link is detected but there are some problem in configurations.
Administratively down :- port is disable by shutdown command ( Default mode of any port on router.)
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 10.0.0.0/8 is directly connected, FastEthernet0/0
C 20.0.0.0/8 is directly connected, Serial0/0/0
D 30.0.0.0/8 [90/40514560] via 20.0.0.2, 00:02:55, Serial0/0/0
D 40.0.0.0/8 [90/41026560] via 20.0.0.2, 00:02:54, Serial0/0/0
D 50.0.0.0/8 [90/41029120] via 20.0.0.2, 00:02:50, Serial0/0/0
R1#
This command will give a detail about known route. Router will not forward packet if route is not shown here for that
packet. Router’s routing decision is made by this routing table.
R1#show controllers serial 0/0/0
Interface Serial0/0/0
Hardware is PowerQUICC MPC860
DCE V.35, clock rate 64000
idb at 0x81081AC4, driver data structure at 0x81084AC0
Most common use of this command is to find out whether the port is DCE end or DTE. If the port is DCE end then
clock rate and bandwidth command will require. As you can see in output that port is DCE.
R1#show ip protocols
Routing Protocol is "eigrp 1 "
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Default networks flagged in outgoing updates
Default networks accepted from incoming updates
EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0
EIGRP maximum hopcount 100
EIGRP maximum metric variance 1
Redistributing: eigrp 1
Automatic network summarization is in effect
Automatic address summarization:
Maximum path: 4
Routing for Networks:
10.0.0.0
20.0.0.0
Routing Information Sources:
Gateway
Distance Last Update
20.0.0.2
90
16
Distance: internal 90 external 170
Use this command to know about running routing protocols. This will give the complete status about routing protocols
likes on which interface its receiving updates and on which interface its broadcasting update what is time intervals
press enter to get back router prompt
Router>
You are now in User mode. Type ?to view all the available commands at this prompt.
Router>?
From privilege mode you can enter in configuration mode by typing configure terminal you can exit configuration
mode type exit or <CTL>+z
Router>enable
Router#config terminal
Router(config)#exit
Router#
To read more about Cisco mode read our previous article
To view all commands available from this mode type: ? and press: enter This will give you the list of all available
commands for the router in your current mode. You can also use the question mark after you have started typing a
command. For example if you want to use a show command but you do not remember which one it uses 'show ?' will
output all commands that you can use with the show command.
Router#show ?
access-expression List access expression
access-lists List access lists
backup Backup status
cdp CDP information
clock Display the system clock
cls DLC user information
compress Show compression statistics
configuration Contents of Non-Volatile memory
--More—
Basic router configurations login in router
In our last article I show you that how can you connect Cisco router. In this article I will show how can you can
configure router. For demonstration purpose I used packet tracer software. If you haven’t install packet tracer read our
pervious article to download and install packet tracer. Link is given on the top side of left. Create a simple topology
by dragging dives on workspace as shown in figure.
Click inside the Router and select CLI and press Enter to get started. Setup mode start automatically if there is no
startup configuration present. The answer inside the square brackets [ ], is the default answer. If this is the answer
you want, just press enter. Pressing CTRL+C at any time will end the setup process, shut down all interfaces, and
take you to user mode (Router>).
You cannot use setup mode to configure an entire router. It does only the basics. For example, you can only turn on
either RIPv1 or Interior Gateway Routing Protocol (IGRP), but not Open Shortest Path First Protocol (OSPF) or
Enhanced Interior Gateway Routing Protocol (EIGRP). You cannot create access control lists (ACL) here or enable
Network Address Translation (NAT). You can assign an IP address to an interface, but not to a subinterface. All in all,
setup mode is very limiting.
--- System Configuration Dialog --Continue with configuration dialog? [yes/no]:
Write no and press enter. To get router prompt
You are now connected to Router and are in user mode prompt. The prompt is broken down into two parts, the
hostname and the mode. ―Router‖ is the Router0's hostname and ―>‖ means you are in user mode.
Press RETURN to get started
Router>
User mode is indicated with the '>' next to the router name. in this mode you can look at settings but can not make
changes.
In Privilege mode(indicated by the '#', you can do anything). To get into privilege mode the keyword is enable.
Next type the command enable to get to the privileged mode prompt.
Router > enable
Router#
To get back to the user mode, simply type disable. From the user mode type logout or exit to leave the router.
Router#disable
Router>
Router>exit
Router con0 is now available
Press RETURN to get started
press enter to get back router prompt
Router>
You are now in User mode. Type ?to view all the available commands at this prompt.
Router>?
From privilege mode you can enter in configuration mode by typing configure terminal you can exit configuration
mode type exit or <CTL>+z
Router>enable
Router#config terminal
Router(config)#exit
Router#
To read more about Cisco mode read our previous article
To view all commands available from this mode type ? and press enter This will give you the list of all available
commands for the router in your current mode. You can also use the question mark after you have started typing a
command. For example if you want to use a show command but you do not remember which one it uses 'show ?' will
output all commands that you can use with the show command.
Router#show ?
access-expression List access expression
access-lists List access lists
backup Backup status
cdp CDP information
clock Display the system clock
cls DLC user information
compress Show compression statistics
configuration Contents of Non-Volatile memory
--More-To read more about available help options read our previous article
Basic Global Configurations mode Commands
Configuring a Router Name
This command works on both routers and switches
Router(config)#hostname Lucknow
Lucknow(config)#
You could choose any descriptive name for your cisco devices
Configuring Passwords
This command works on both routers and switches
Router(config)#enable password test
Sets enable password to test
Router(config)#enable secret vinita
Sets enable secret password to vinita
Router(config)#line console 0
Enters console line mode
Router(config-line)#password console Sets console line mode password to console
Router(config-line)#login
Enables password checking at login
Router(config)#line vty 0 4
Enters vty line mode for all five vty lines
Router(config-line)#password telnet
Sets vty password to telnet
Router(config-line)#login
Enables password checking at login
Router(config)#line aux 0
Enters auxiliary line mode
Router(config-line)#password aux
Sets auxiliary line mode password to aux
Router(config-line)#login
Enables password checking at login
CAUTION: The enable secret password is encrypted by default. The enable password is not. For this reason,
recommended practice is that you never use the enable password command. Use only the enable secret password
command in a router or switch configuration.
You cannot set both enable secret password and enable password to the same password. Doing so defeats the use of
encryption.
Configuring a Fast Ethernet Interface
Router(config)#interface fastethernet 0/0
Moves to Fast Ethernet 0/0 interface configuration mode
Router(config-if)#description Student Lab LAN
Optional descriptor of the link is locally significant
Router(config-if)#ip address 192.168.20.1 255.255.255.0 Assigns address and subnet mask to interface
Router(config-if)#no shutdown
Turns interface on
Creating a Message of the Day Banner
Router(config)#banner motd # Next Schedule metting with manager is Postponed #
Router(config)#
The MOTD banner is displayed on all terminals and is useful for sending messages that affect all users. Use the no
banner motd command to disable the MOTD banner. The MOTD banner displays before the login prompt and the
login banner, if one has been created.
Creating a Login Banner
Router(config)#banner login # Unauthorized access is prohibited !
Please enter your username and password. #
Router(config)#
The login banner displays before the username and password login prompts. Use the no banner login command to
disable the login banner. The MOTD banner displays before the login banner.
# is known as a delimiting character. The delimiting character must surround the banner and login message and
can be any character so long as it is not a character used within the body of the message
Assigning a Local Host Name to an IP Address
Router(config)#ip host Lucknow 172.16.1.1
Assigns a host name to the IP address. After this assignment, you can use the host name rather than an IP address
when trying to Telnet or ping to that address
The no ip domain-lookup Command
Router(config)#no ip domain-lookup
Router(config)#
Turns off trying to automatically resolve an unrecognized command to a local host name
Ever type in a command incorrectly and are left having to wait for a minute or two as the router tries to translate your
command to a domain server of 255.255.255.255? The router is set by default to try to resolve any word that is not a
command to a Domain Name System (DNS) server at address 255.255.255.255. If you are not going to set up DNS,
turn off this feature to save you time as you type, especially if you are a poor typist
The logging synchronous Command
Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#
Sets the time limit when the console automatically logs off. Set to 0 0 (minutes seconds) means the console never logs
off.
The command exec-timeout 0 0 is great for a lab environment because the console never logs out. This is considered
to be bad security and is dangerous in the real world. The default for the exec-timeout command is 10 minutes and
zero (0) seconds (exec-timeout 10 0).
Saving and erasing configurations
Router(config)#exit
Bring you back in Privilege exec mode
Router#copy running-config startup-config Saves the running configuration to local NVRAM
Router#copy running-config tftp
Saves the running configuration remotely to a TFTP server
Router#erase startup-config
Deletes the startup configuration file from NVRAM
Configuration Example: Basic Router Configuration
For example purpose we will use the topology created in start of this article. Create a simple topology by dragging
dives on workspace as shown in figure.
Click inside the Router and select CLI and press Enter to get started.
--- System Configuration Dialog --Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#description Student Lab LAN
R1(config-if)#ip address 192.168.20.1 255.255.255.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#banner motd # Next Schedule metting with is postponed #
R1(config)#banner login # Unauthorized access is prohibited !
Enter you user name and password #
R1(config)#ip host Lucknow 172.16.1.1
R1(config)#no ip domain-lookup
R1(config)#line console 0
R1(config-line)#exec-timeout 0 0
R1(config-line)#logging synchronous
R1(config-line)#password consloe
R1(config-line)#login
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password telnet
R1(config-line)#login
R1(config-line)#exit
% Unrecognized command
R1(config)#enable password test
R1(config)#enable secret vinita
R1(config)#exit
%SYS-5-CONFIG_I: Configured from console by console
R1#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
R1#
Administration of Cisco devices
In this article I will demonstrate that how can you perform basic administrative task on Cisco devices.
Back Up and Restore IOS
You can use TFTP, FTP, or RCP to transfer an IOS image to or from a server. Only tftp server is covered in CCNA
exam so we will cover it. TFTP is the trivial file transfer protocol. Unlike FTP, there are no means of authenticating
with a username or password or navigating directories.
To back up your IOS, you will use the copy command from within privileged EXEC mode. The syntax of this
command is copy <from> <to>. Thus, if you want to copy an IOS from your IOS to a TFTP server, the syntax would
be copy tftp flash. After executing this command, you will be prompted with a number of questions asking for such
things as the IOS filename and IP address of the TFTP server.
To restore or upgrade your IOS from a TFTP server to a router, the syntax would be copy tftp flash.
Remember the following troubleshooting steps if you are having difficulties using TFTP:
п‚· Verify that the TFTP server is running.
п‚· Verify cable configurations. You should use a crossover cable between a router and a server or, if you have a
switch, use a straight-through cable from the router to the switch and from the switch to the server.
п‚· Verify that your router is on the same subnet as your TFTP server.
п‚· If you are using a Linux TFTP server, make sure that you first use the touch command to create a zero-byte
file with the name of the IOS image; otherwise, the file will not copy to the TFTP server.
no ip domain-lookup
Router(config)#no ip domain-lookup
Ever type in a command incorrectly and are left having to wait for a minute or two as the router tries to translate your
command to a domain server of 255.255.255.255? The router is set by default to try to resolve any word that is not a
command to a Domain Name System (DNS) server at address 255.255.255.255. If you are not going to set up DNS,
turn off this feature to save you time as you type, especially if you are not good in typing.
logging synchronous
Router(config)#line console 0
Router(config-line)#logging synchronous
Router(config-line)#exit
Router(config)#
Some time it happens that you are typing a command and an informational line appears in the middle of what you
were typing? Lose your place? Do not know where you are in the command, so you just press R and start all over?
The logging synchronous command tells the router that if any informational items get displayed on the screen, your
prompt and command line should be moved to a new line, so as not to confuse you. The informational line does not
get inserted into the middle of the command you are trying to type. If you were to continue typing, the command
would execute properly, even though it looks wrong on the screen.
exec-timeout
Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#
The command exec-timeout 0 0 is great for a lab environment because the console never logs out. This is considered
to be bad security and is dangerous in the real world. The default for the exec-timeout command is 10 minutes and
zero (0) seconds (exec-timeout 10 0).
erase startup-config
Router#erase startup-config
Some time you want to reconfigure the router. Or want to sell the old one. In such a scenario you would like to erase
the start up configuration. The running configuration is still in dynamic memory. Reload the router to clear the
running configuration.
do Command
Router(config)#do show running-config
The do command is useful when you want to execute EXEC commands, such as show, clear, or debug, while
remaining in global configuration mode or in any configuration submode. You cannot use the do command to execute
the configure terminal command because it is the configure terminal command that changes the mode to global
configuration mode
Summary of Useful commands for administrations
Router(config)#boot system flash
Loads the Cisco IOS Software with image-name
imagename
Router(config)#boot system tftp imageLoads the Cisco IOS Software with image-name from a TFTP server
name 172.16.10.3
Router(config)#boot system rom
Loads the Cisco IOS Software from ROM.
Router(config)#exit
exit from global configurations
Saves the running configuration to NVRAM. The router will execute
Router#copy running-config startup-config
commands in their order on the next reload.
Router#copy running-config startup-config Saves the running configuration from DRAM to NVRAM (locally).
Router#copy running-config tftp
Copies the running configuration to the remote TFTP server
Address or name of remote host[ ]?
The IP address of the TFTP server. Press Enter key
192.168.1.20
Destination Filename [Router-confg]?
The name to use for the file saved on the TFTP server Press Enter key
!!!!!!!!!!!!!!!
Each bang symbol (!) = 1 datagram of data.
624 bytes copied in 7.05 secs
Router#
File has been transferred successfully
Router#copy tftp running-config
Copies the configuration file from the TFTP server to DRAM.
Address or name of remote host[ ]?
The IP address of the TFTP server.
192.168.119.20
Source filename [ ]?Router-confg
Enter the name of the file you want to retrieve
Destination filename [running-config]?
Press Enter key
Router#
File has been transferred successfully.
Router#copy flash tftp
Backup of flash to tftp
Router#copy tftp flash
Restore flash from tftp server
SDM Security Device Manager
SDM is a web-based application, implemented with Java that manages the basic administration and security features
on a Cisco router. SDM is installed in the router’s flash memory and is remotely accessed from an administrator’s
desktop using a web browser with Java and Secure Sockets Layer (SSL) (HTTPS). Originally, Cisco developed SDM
for small office/home office (SOHO) networks, where the administrator performing the configuration is probably not
familiar with Cisco's CLI.
SDM was designed by Cisco to allow you to perform basic administration functions and to manage the security
features of your router. SDM cannot perform all functions that can be performed from the CLI, such as the
configuration of complex QoS policies or the Border Gateway Protocol (BGP) routing protocol, to name a couple.
Nor are all interface types supported within SDM, such as ISDN and dialup. However, for the features and interface
types not supported, you can still configure these from the CLI of the router.Likewise, most troubleshooting tasks are
still done from the CLI with show and debug commands.
PC Requirements
п‚· Operating System Xp, Vista, Server 2000, ( not Advance server), Server2003
п‚· Internet browser Internet Explorer higher then 5.6, Mozilla firefox
 Java installed. Minimally you’ll need version 1.4.2(08) of Sun’s Java Runtime Environment (JRE).
п‚· Minimum screen resolution of 1024x768.
п‚· (a resolution lower than this will not allow you to view the entire Java-based screen).
 On your router, you’ll minimally need IOS version 12.2 for SDM to function; and depending
п‚· on the version of SDM, you will need between 5MB and 8MB of available flash on your router.
The default user account and passwords in the sdmconfig-xxxx.cfg file included with SDM are sdm and sdm—don't
use these! Change them before copying and pasting the configuration from the sdmconfig file into the router.
Everyone knows these passwords, and these are the first passwords an attacker will guess to break into the router.
SDM Security Device Manager File Descriptions
Filename
Description
Support file for SDM
common.tar
securedesktop-ios-xxxx- Cisco Secure Desktop (CSD) client software for the SSL VPN client, where xxxx
represents the version number of CSD
k9.pkg
SSL VPN Client (SVC) tunneling software, where xxxx represents the version of SVC
sslclient-win-xxxx.pkg
Application file for SDM
es.tar
Support HTML file for SDM
home.shtml
Support file for SDM
home.tar
Default router configuration with commands necessary to access SDM, where xxxx
sdmconfig-xxxx.cfg
represents the model number of the router
Wireless application setup program for a radio module installed in the router
wlanui.tar
SDM application file
sdm.tar
IPS signature files (some common names are attack-drop.sdf, 128MB.sdf, 256MB.sdf,
xxxx.sdf
and sdmips.sdf)
Necessary Router Configuration
Step 1 Enable the HTTP and HTTPS servers on your router by entering the following commands in global
configuration mode:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000
Step 2 Create a user account defined with privilege level 15 (enable privileges). Enter the following command in
global configuration mode, replacing username and password with the strings that you want to use:
Router(config)# username username privilege 15 secret 0 password
For example, if you chose the username admin and the password vinita, you would enter the following:
Router(config)# username admin privilege 15 secret 0 vinita
You will use this username and password to log in to Cisco SDM.
Step 3 Configure SSH and Telnet for local login and privilege level 15. Use the following commands:
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet ssh
Router(config-line)# exit
Step 4 Assign ip address to Fast Ethernet port. This will be used to access this router
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no shutdown
Accessing SDM
Cisco SDM is stored in the router flash memory. It is invoked by executing an HTML file in the router archive, which
then loads the signed Cisco SDM Java file. To launch Cisco SDM, complete the following steps:
Step 1 From your browser, enter the following URL:
https://<router IP address>
In our example it would be
https://192.168.1.1
The https:// designation specifies that SSL protocol be used for a secure connection. The http:// designation can be
used if SSL is not available.
Step 2 The Cisco SDM home page will appear in the browser window. The username and password dialog box will
appear. The type and shape of the dialog box will depend on the type of browser that you are using. Enter the
username and password for the privileged (privilege level 15) account on your router. The Cisco SDM Java applet
will begin loading to your PC's web browser.
Step 3 Cisco SDM is a signed Java applet. This can cause your browser to display a security warning. Accept the
certificate. Cisco SDM displays the Launch page.
Basic of routing
Routing is the process by which a packet gets from one location to another. To route a packet, a router needs to know
the destination address and on what interface to send the traffic out .When a packet comes into an interface (in
interface) on a router, it looks up the destination IP address in the packet header and compares it with its routing table.
The routing table, which is stored in RAM, tells the router which outgoing interface the packet should go out to reach
the destination network. There are three ways to control routing decisions on your router:
п‚· Static routes
п‚· Default routes
п‚· Dynamic routes
Static Routes
Use a static route when you want to manually define the path that the packet will take through your network. Static
routes are useful in small networks with rarely changing routes, when you have little bandwidth and do not want the
overhead of a dynamic routing protocol, or when you want to manually define all of your routes for security reasons.
Static routes are created in global configuration mode. The syntax for the static route is as follows:
ip route destination network address [subnet mask]
{next-hop-address | interface] [distance]
Defaults routers
This is the special type of static route, commonly called the gateway of last resort. If the specified destination is not
listed in the routing table, the default route can be used to route the packet. A default route has an IP address of 0.0.0.0
and a subnet mask of 0.0.0.0, often represented as 0.0.0.0/0. Default routes are commonly used in small networks on a
perimeter router pointing to the directly connected ISP router.
Dynamic Routes
A router learns dynamic routes by running a routing protocol. Routing protocols will learn about routes from other
neighboring routers running the same routing protocol. Through this sharing process, a router will eventually learn
about all of the reachable network and subnet numbers in the network.
Now be familiar with the terms routing protocol and routed protocol that have two different meanings. A routing
protocol learns about routes for a routed protocol.
Routed protocol:
Any network protocol that provides enough information in its network layer address to enable a packet to be
forwarded from one host to another host based on the addressing scheme, without knowing the entire path from
source to destination. Packets generally are conveyed from end system to end system. IP is an example of a routed
protocol.
Routing protocol:
Facilitates the exchange of routing information between networks, enabling routers to build routing tables
dynamically. Traditional IP routing stays simple because it uses next-hop (next-router) routing, in which the router
needs to consider only where it sends the packet and does not need to consider the subsequent path of the packet on
the remaining hops (routers). Routing Information Protocol (RIP) is an example of a routing protocol.
There are two types of routing protocols:
п‚· Interior Gateway Protocols (IGP): These routing protocols exchange routing information within an
autonomous system. Routing Information Protocol version 2 (RIPv2), Enhanced Interior Gateway Routing
(EIGRP), and Open Shortest Path First (OSPF) are examples of IGPs.
п‚· Exterior Gateway Protocols (EGP): These routing protocols are used to route between autonomous
systems. Border Gateway Protocol (BGP) is the EGP of choice in networks today.
Metrics
Metrics can be calculated based on a single characteristic of a path. More complex metrics can be calculated by
combining several path characteristics. The metrics that routing protocols most commonly use are as follows:
п‚· Hop count:
The number of times that a packet passes through the output port of one router
п‚· Bandwidth:
The data capacity of a link; for instance, normally, a 10-Mbps Ethernet link is preferable to a 64-kbps leased
line
п‚· Delay:
The length of time that is required to move a packet from source to destination
п‚· Load:
The amount of activity on a network resource, such as a router or link
п‚· Reliability:
Usually refers to the bit error rate of each network link
п‚· Cost:
A configurable value that on Cisco routers is based by default on the bandwidth of the Interface
Routing Protocols Metric
Description
RIP
Hop count
How many layer 3 hops away from the destination
OSPF
Cost
Measurement in the inverse of the bandwidth of the links
EIGRP
Bandwidth
The capacity of the links in Kbps (T1 = 1554)
EIGRP
Delay
Time it takes to reach the destination
EIGRP
Load
The path with the least utilization
EIGRP
MTU
The path that supports the largest frame sizes
EIGRP
Reliability
The path with the least amount of errors or down time
Autonomous Systems
An autonomous system (AS) is a group of networks under a single administrative control, which could be your
company, a division within your company, or a group of companies.
Not every routing protocol understands the concept of an AS. Routing protocols that understand the concept of an AS
are EIGRP, OSPF, IS-IS, and BGP. RIP doesn’t understand autonomous systems, while OSPF does; but OSPF
doesn’t require you to configure the AS number, whereas other protocols, such as EIGRP, do.
Administrative Distance
Administrative distance is the measure of trustworthiness that a router assigns to how a route to a network was
learned.
An administrative distance is an integer from 0 to 255. A routing protocol with a lower administrative distance is
more trustworthy than one with a higher administrative distance.
Administrative
Route Type
Distance
0
Connected interface route
1
Static route
90
Internal EIGRP route (within the same AS)
110
OSPF route
120
RIPv1 and v2 route
170
External EIGRP (from another AS)
255
Unknown route (is considered an invalid route and will not be used)
Routing protocols can be further classified into two categories:
п‚· Distance vector routing protocols
п‚· Link state routing protocols
Distance Vector Routing Protocols
Distance vector–based routing algorithms (also known as Bellman-Ford-Moore algorithms) pass periodic copies of a
routing table from router to router and accumulate distance vectors. (Distance means how far, and vector means in
which direction.) Regular updates between routers communicate topology changes.
Sometimes these protocols are referred to as routing by rumor, since the routers learn routing information from
directly connected neighbors, and these neighbors might have learned these networks from other neighboring routers.
RIP is an example of a routing protocol that is a distance vector.
Advertising Updates
Routers running distance vector protocols learn who their neighbors are by listening for routing broadcasts on their
interfaces. No formal handshaking process or hello process occurs to discover who are the neighboring routers.
Distance vector protocols assume that through the broadcast process, neighbors will be learned, and if a neighbor
fails, the missed broadcasts from these neighbors will eventually be detected
Distance vector algorithms call for each router to send its entire routing table to each of its adjacent or directly
connected neighbors. Distance vector routing tables include information about the total path cost (defined by its
metric) and the logical address of the first router on the path to each network it knows about.
When a router receives an update from a neighboring router, it compares the update to its own routing table. The
router adds the cost of reaching the neighboring router to the path cost reported by the neighbor to establish the new
metric. If the router learns about a better route (smaller total metric) to a network from its neighbor, the router updates
its own routing table.
Distance Vector Protocol Problems and Solutions
Problem: Convergence
The term convergence refers to the time it takes for all of the routers to understand the current topology of the
network. When a router receives an update from a neighboring router, it compares the update to its own routing table.
The router adds the cost of reaching the neighboring router to the path cost reported by the neighbor to establish the
new metric. If the router learns about a better route (smaller total metric) to a network from its neighbor, the router
updates its own routing table. It’s too time consuming process. Because in a 10 router topology last router will know
about the network of first router only while all middle router will complete their periodic update. For example if
interval timer is set to 60 second then last router will know about first network in 60*8 480 second or 8 minute.
Solution: Change the periodic timer interval
One solution is to change the periodic timer interval. For instance, in an example the timer was set to 60 seconds. To
speed up convergence, you might want to set the interval to 10 seconds. Also, by setting the timer to 10 seconds, you
are creating six times the amount of routing broadcast traffic, which is not very efficient
A second solution is to implement triggered updates
The distance vector routing protocol would still generate periodic updates; however, whenever a change takes place,
the router will immediately generate an update without waiting for the periodic timer to expire. This can decrease
convergence times, but it also creates a problem. If you have a flapping route, then an update will be triggered each
time the route changes state, which creates a lot of unnecessary broadcast traffic in your network and could cause a
broadcast storm.
Problem: Routing Loops
A routing loop is a layer-3 loop in the network. Basically, it is a disagreement about how to reach a destination
network. Because distance vector routing protocols trust the next router without compiling a topology map of all
networks and routers, distance vector protocols run the risk of creating loops in a network. This is analogous of
driving to a location without a map. Instead, you trust what each sign tells you. Trusting the street signs might get you
where you want to go, but I've been in some cities where trusting what the signs say will lead you in loops. The same
is true with distance vector routing protocols. Simply trusting what the next router tells it can potentially lead the
packets to loop endlessly. These loops could saturate a network and cause systems to crash. This, in turn, makes
managers very upset and means that you have to work late into the evening to fix it.
Solution: Counting to Infinity Solution: Maximum Hop Count
IP packets have inherent limits via the Time-To-Live (TTL) value in the IP header. In other words, a router must
reduce the TTL field by at least 1 each time it gets the packet. If the TTL value becomes 0, the router discards that
packet. However, this does not stop the router from continuing to attempt to send the packet to a network that is down.
To avoid this prolonged problem, distance vector protocols define infinity as some maximum number. This number
refers to a routing metric, such as a hop count.
Solution: Split Horizon
Split horizon states that if a neighboring router sends a route to a router, the receiving router will not propagate this
route back to the advertising router on the same interface. Split horizon prevents a router from advertising a route
back out the same interface where the router originally learned the route. One way to eliminate routing loops and
speed up convergence is through the technique called split horizon. The split horizon rule is that sending information
about a route back in the direction from which the original update came is never useful.
Solution: Route Poisoning
Another operation complementary to split horizon is a technique called route poisoning. Route poisoning attempts to
improve convergence time and eliminate routing loops caused by inconsistent updates. With this technique, when a
router loses a link, the router advertises the loss of a route to its neighbor device. Route poisoning enables the
receiving router to advertise a route back toward the source with a metric higher than the maximum. The
advertisement back seems to violate split horizon, but it lets the router know that the update about the down network
was received. The router that received the update also sets a table entry that keeps the network state consistent while
other routers gradually converge correctly on the topology change. This mechanism allows the router to learn quickly
of the down route and to ignore other updates that might be wrong for the hold-down period. This prevents routing
loops.
A poisoned route has an infinite metric assigned to it. A poison reverse causes the router to break split horizon rule
and advertise the poisoned route out all interfaces. When a router detects that one of its connected routes has failed,
the router will poison the route by assigning an infinite metric to it. In IP RIP, the route is assigned a hop count of 16
(15 is the maximum), thus making it an unreachable network. When a router advertises a poised route to its neighbors,
its neighbors break the rule of split horizon and send back to the originator the same poisoned route, called a poison
reverse. This ensures that everyone received the original update of the poisoned route.
Solution:Hold-Down Timers
In order to give the routers enough time to propagate the poisoned route and to ensure that no routing loops occur
while propagation is occurring; the routers implement a hold-down mechanism. During this period, the routers will
freeze the poisoned route in their routing tables for the period of the hold-down timer, which is typically three times
the interval of the routing broadcast update. When hold-down timers are used, a poisoned route will remain in the
routing table until the timer expires. However, if a router with a poisoned route receives a routing update from a
neighboring router with a metric that is the same or better than the original route, the router will abort the hold-down
period, remove the poisoned route, and put the new route in its table. However, if a router receives a worse route from
a neighboring router, the router treats this as a suspect route and assumes that this route is probably part of a routing
loop, ignoring the update. One of the problems of using hold-down timers is that they cause the distance vector
routing protocol to converge slowly—if the hold-down period is 180 seconds, you can’t use a valid alternative path
with a worse metric until the hold-down period expires. Therefore, your users will lose their connections to this
network for at least three minutes.
Hold-down timers perform route maintenance as follows:
1. When a router receives an update from a neighbor indicating that a previously accessible network is now
inaccessible, the router marks the route as inaccessible and starts a hold-down timer.
2. If an update arrives from a neighboring router with a better metric than originally recorded for the network,
the router marks the network as accessible and removes the hold-down timer.
3. If at any time before the hold-down timer expires, an update is received from a different neighboring router
with a poorer metric, the update is ignored. Ignoring an update with a higher metric when a holddown is in
effect enables more time for the knowledge of the change to propagate through the entire network.
4. During the hold-down period, routes appear in the routing table as ―possibly down.‖
Basic of static routing
Static routing occurs when you manually add routes in each router's routing table. There are advantages and
disadvantages to static routing, but that's true for all routing processes.
Static routing has the following advantages:
п‚· There is no overhead on the router CPU.
п‚· There is no bandwidth usage between routers.
п‚· It adds security because the administrator can choose to allow routing access to certain networks only.
Static routing has the following disadvantages:
п‚· The administrator must really understand the internetwork and how each router is connected in order to
configure routes correctly.
 If a network is added to the internetwork, the administrator has to add a route to it on all routers—manually.
п‚· It's not possible in large networks because maintaining it would be a full-time job in itself.
Command syntax for static route:
ip route [destination_network] [mask] [next-hop_address or
exit_interface] [administrative_distance] [permanent]
ip route The command used to create the static route.
destination_network The network you're placing in the routing table.
mask The subnet mask being used on the network.
next-hop_address The address of the next-hop router that will receive the packet and forward it to the remote
network.
exit_interfaceUsed in place of the next-hop address if you want, and shows up as a directly connected route.
administrative_distance By default, static routes have an administrative distance of 1 (or even 0 if you use an exit
interface instead of a next-hop address).
permanent Keyword (Optional) Without the permanent keyword in a static route statement, a static route will be
removed if an interface goes down. Adding the permanent keyword to a static route statement will keep the static
routes in the routing table even if the interface goes down and the directly connected networks are removed.
In previous article you learn that
п‚· How to connect Cisco devices
п‚· How to use available help options
п‚· Basic of routing protocols
п‚· Show commands
п‚· How to configure router for basic
In this article we will recall all the topics you have learnt yet
and will try to implement these command in practically.
Create a topology as shown in figure on packet tracer or
download this topology.
Now configure PC-0 first.To configure pc double click on pc and select desktop
Now click on IP configurations
Set ip address as shown in figure
IP address 10.0.0.2
Subnet mask 255.0.0.0
Default Gateway 10.0.0.1
Follow the same process in PC-2 and set the ip address to
IP address 30.0.0.2
Subnet mask 255.0.0.0
Default Gateway 30.0.0.1
Now double click on 1841 Router 0 and select CLI
Type no and press enter to avoid startup configuration
Now you are in user exec mode.
--- System Configuration Dialog --Continue with configuration dialog? [yes/no]: no
Press RETURN to get started!
Router>
Set Hostname to R1 and assign 10.0.0.1 255.0.0.0 ip address to fast Ethernet 0/0. also set a message “
Unauthorized access is prohibited”.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#banner motd # Unauthorized access is prohibited #
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#
Configure Router-2 in same way with hostname R2 and 30.0.0.1 255.0.0.0 ip address on fast Ethernet 0/0.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface fastEthernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
R2(config)#
Now we have connectivity between local segment and router's Ethernet port.
configure serial port
When Serial connections are configured they need one more command that normal Ethernet connections do not. That
command is the clock rate command.
The clock rate command establishes a common rate at which the sending and receiving routers will send data to each
other.
It should be noted that if using a service provider circuit, there is no need for the clock rate command since the service
provider provides the clocking. Establish a simple serial to serial connection between R1 Serial 0/0/0 and R2 Serial
0/0/0.
Now configure serial port on both router with ip address 20.0.0.1 255.0.0.0 on one and 20.0.0.2 255.0.0.0 on two.
On R1
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R1(config-if)#exit
R1(config)#
On R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
R2(config-if)#exit
At this point you have configured ip address on interfaces.
But still pc0 will not ping to pc1 as R1 have no information the network of 30.0.0.0
There are two way to configure route in router. Static or Dynamic. You will learn more about static and dynamic in
our next article. In this example we will use simple static route.
First tell R1 about to network of 30.0.0.0
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2
R1(config)#
In this command 30.0.0.0 is the destination network and 255.0.0.0 is the subnetmask on destination network and
20.0.0.2 is the ip address of next hope
30.0.0.0 = destination network.
255.0.0.0 = subnet mask.
20.0.0.2 = next-hop address.
Say this way "To get to the destination network of 30.0.0.0, with a subnet mask of 255.0.0.0, send all packets to
20.0.0.2"
Now tell R2 about to network of 10.0.0.0
R2(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1
R2(config)#
Now test the connectivity. Go on pc1 and
C:\> ping 30.0.0.2
If you get reply then you have successfully configured static routing between R1 and R2.
But if you get error then download this
configured topology
and do cross check that where you have committed mistakes
Default Routing
default routingis used to send packets with a remote destination network not in the routing table to the next-hop
router. You should only use default routing on stub networks—those with only one exit path out of the network.
In our next article you will learn advance static route configurations
Read it now
Static Route Configurations
In this article I will demonstrate an example of static route configurations. We will use four different series router so
you can get familiar with all different platform covered in CCNA exam. Create a topology as shown in figure.
A static route is a manually configured route on your router. Static routes are typically used in smaller networks and
when few networks or subnets exist, or with WAN links that have little available bandwidth. With a network that has
hundreds of routes, static routes are not scalable, since you would have to configure each route and any redundant
paths for that route on each router.
1841 Series Router0 (R1)
2811 Series Router0 (R4)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0 Serial0/0/0
IP address
10.0.0.1
20.0.0.1
IP address
50.0.0.1
40.0.0.2
Connected
With
Pc0
R2 on Serial
0/0
Connected
With
Pc1
R3 on Serial
0/0
2621XM Series Router0 (R3)
2620XM Series Router1 (R2)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0
Serial0/0
IP address
30.0.0.2
40.0.0.1
IP address
30.0.0.1
20.0.0.2
Connected
With
FastEthernet0/0
R4 on Serial
0/0/0
Connected
With
R3 on
FastEthernet0/0
R1 on
Serial 0/0/0
PC-PT PC0
FastEthernet0
PC-PT PC1
Default
Gateway
FastEthernet0
Default
Gateway
IP address
10.0.0.2
Connected
With
R1 on
FastEthernet0/0
10.0.0.1
IP address
50.0.0.2
Connected
With
R4 on
FastEthernet0/0
50.0.0.1
To configure any router double click on it and select CLI.To configure this topology use this step by step guide.
(1841Router0) Hostname R1
To configure and enable static routing on R1 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2
R1(config)#ip route 40.0.0.0 255.0.0.0 20.0.0.2
R1(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2
(2620XM-Router1) Hostname R2
To configure and enable static routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1
R2(config)#ip route 40.0.0.0 255.0.0.0 30.0.0.2
R2(config)#ip route 50.0.0.0 255.0.0.0 30.0.0.2
(2620XM-Router2)Hostname R3
To configure and enable static routing on R3 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R3(config)#ip route 10.0.0.0 255.0.0.0 30.0.0.1
R3(config)#ip route 20.0.0.0 255.0.0.0 30.0.0.1
R3(config)#ip route 50.0.0.0 255.0.0.0 40.0.0.2
(2811Router3) Hostname R4
To configure and enable static routing on R4 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
Router(config)#ip route 10.0.0.0 255.0.0.0 40.0.0.1
Router(config)#ip route 20.0.0.0 255.0.0.0 40.0.0.1
Router(config)#ip route 30.0.0.0 255.0.0.0 40.0.0.1
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>
PC-2
PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 157ms, Average = 148ms
To test static routing do ping from pc1 to pc2 and vice versa. If you get replay then you have successfully configured
static routing but if you did not get replay double check this configuration and try to troubleshoot. I have uploaded a
configured and tested topology in case you are unable to locate the problem spot then download this configuration
file. And try to find out where have you committed mistake
Routing Information Protocol RIP
Routing Information Protocol (RIP) is a standards-based, distance-vector, interior gateway protocol (IGP) used by
routers to exchange routing information. RIP uses hop count to determine the best path between two locations. Hop
count is the number of routers the packet must go through till it reaches the destination network. The maximum
allowable number of hops a packet can traverse in an IP network implementing RIP is 15 hops.
it has a maximum allowable hop count of 15 by default, meaning that 16 is deemed unreachable. RIP works well in
small networks, but it's inefficient on large networks with slow WAN links or on networks with a large number of
routers installed.
In a RIP network, each router broadcasts its entire RIP table to its neighboring routers every 30 seconds. When a
router receives a neighbor's RIP table, it uses the information provided to update its own routing table and then sends
the updated table to its neighbors.
Differences between RIPv1 or RIPv2
RIPv1
п‚· A classful protocol, broadcasts updates every 30 seconds, hold-down period 180 seconds. Hop count is metric
(Maximum 15).
п‚· RIP supports up to six equal-cost paths to a single destination, where all six paths can be placed in the routing
table and the router can load-balance across them. The default is actually four paths, but this can be increased
up to a maximum of six. Remember that an equal-cost path is where the hop count value is the same. RIP will
not load-balance across unequal-cost paths
RIPv2
п‚· RIPv2 uses multicasts, version 1 use broadcasts,
 RIPv2 supports triggered updates—when a change occurs, a RIPv2 router will immediately propagate its
routing information to its connected neighbors.
п‚· RIPv2 is a classless protocol. RIPv2 supports variable-length subnet masking (VLSM)
п‚· RIPv2 supports authentication. You can restrict what routers you want to participate in RIPv2. This is
accomplished using a hashed password value.
RIP Timers
RIP uses four different kinds of timers to regulate its performance:
Route update timer
Sets the interval (typically 30 seconds) between periodic routing updates in which the router sends a complete copy of
its routing table out to all neighbors.
Route invalid timer
Determines the length of time that must elapse (180 seconds) before a router determines that a route has become
invalid. It will come to this conclusion if it hasn’t heard any updates about a particular route for that period. When that
happens, the router will send out updates to all its neighbors letting them know that the route is invalid.
Holddown timer
This sets the amount of time during which routing information is suppressed. Routes will enter into the holddown
state when an update packet is received that indicated the route is unreachable. This continues either until an update
packet is received with a better metric or until the holddown timer expires. The default is 180 seconds.
Route flush timer
Sets the time between a route becoming invalid and its removal from the routing table (240 seconds). Before it's
removed from the table, the router notifies its neighbors of that route's impending failure. The value of the route
invalid timer must be less than that of the route flush timer. This gives the router enough time to tell its neighbors
about the invalid route before the local routing table is updated.
Rip Routing configurations
We will use two router and four subnet. Create a topology as shown in figure on packet tracer.
Router
R1
R2
FastEthernet 0/0
10.0.0.1
30.0.0.1
FastEthernet 0/1
20.0.0.1
40.0.0.1
Serial 0/0/0
50.0.0.1
50.0.0.2
PC
PC0
PC2
PC4
PC6
IP Address
20.0.0.2
40.0.0.2
10.0.0.2
30.0.0.2
PC
PC1
PC3
PC5
PC7
IP Address
20.0.0.3
40.0.0.3
10.0.0.3
30.0.0.3
Assign ip address to PC. Select pc and double click on it. select ip configurations from desktop tab and set ip
address given as in table.
To configure router double click on it and select CLI.To configure this topology use this step by step guide.
(1841Router0) Hostname R1
To configure and enable rip routing on R1 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface fastethernet 0/1
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 50.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#router rip
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#network 50.0.0.0
(2811Router1) Hostname R2
To configure and enable rip routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/1
R2(config-if)#ip address 40.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1,
changed state to up
R2(config-if)#exit
R2(config)#interface serial 0/0/0
R2(config-if)#ip address 50.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
R2(config-if)#exit
R2(config)#router rip
R2(config-router)#network 30.0.0.0
R2(config-router)#network 40.0.0.0
R2(config-router)#network 50.0.0.0
R2(config-router)#exit
To test rip routing do ping from pc0 to all pc and vice versa. If you get replay then you have successfully configured
rip routing but if you did not get replay double check this configuration and try to troubleshoot. I have uploaded a
configured and tested topology in case you are unable to locate the problem spot then download this configuration
file. And try to find out where have you committed mistake
Rip Routing Configurations
In our pervious article we discuss about the feature of RIP and configured a simple topology.
Routing Information Protocol RIP
In this article I will demonstrate an example of Rip Routingconfigurations. We will use four different series router so
you can get familiar with all different platform covered in CCNA exam. Create a topology as shown in figure.
IP RIP comes in two different versions: 1 and 2. Version 1 is a distance vector protocol and is defined in RFC 1058.
Version 2 is a hybrid protocol and is defined in RFCs 1721 and 1722. The CCNA exam now primarily focuses on
version 2. There are no major differences between RIPv1 or RIPv2 so far configurations concern. To read more about
differences between RIPv1 or RIPv2 or know about the characteristics read our pervious article about RIP.
1841 Series Router0 (R1)
2811 Series Router0 (R4)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0 Serial0/0/0
IP address
10.0.0.1
20.0.0.1
IP address
50.0.0.1
40.0.0.2
Connected
With
Pc0
R2 on Serial
0/0
Connected
With
Pc1
R3 on Serial
0/0
2621XM Series Router0 (R3)
2620XM Series Router1 (R2)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0
Serial0/0
IP address
30.0.0.2
40.0.0.1
IP address
30.0.0.1
20.0.0.2
Connected
With
FastEthernet0/0
R4 on Serial
0/0/0
Connected
With
R3 on
FastEthernet0/0
R1 on
Serial 0/0/0
PC-PT PC0
PC-PT PC1
FastEthernet0
Default
Gateway
IP address
10.0.0.2
10.0.0.1
Connected
With
R1 on
FastEthernet0/0
FastEthernet0
Default
Gateway
IP address
50.0.0.2
50.0.0.1
Connected
With
R4 on
FastEthernet0/0
To configure any router double click on it and select CLI. To configure this topology use this step by step guide.
(1841Router0) Hostname R1
To configure and enable rip routing on R1 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router rip
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable rip routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#router rip
R2(config-router)#network 20.0.0.0
R2(config-router)#network 30.0.0.0
R2(config-router)#exit
R2(config)#
(2620XM-Router2)Hostname R3
To configure and enable rip routing on R3 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R3(config)#router rip
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit
R3(config)#
(2811Router3) Hostname R4
To configure and enable rip routing on R4 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
R4(config)#router rip
R4(config-router)#network 40.0.0.0
R4(config-router)#network 50.0.0.0
R4(config-router)#exit
R4(config)#
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>
PC-2
PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 157ms, Average = 148ms
You can verify that RIP is running successfully via show ip protocols command in privilege mode.
R1#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 2 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: rip
Default version control: send version 1, receive any version
Interface
Send Recv Triggered RIP Key-chain
FastEthernet0/0
1 21
Serial0/0/0
1 21
Automatic network summarization is in effect
Maximum path: 4
Routing for Networks:
10.0.0.0
20.0.0.0
Passive Interface(s):
Routing Information Sources:
Gateway
Distance Last Update
20.0.0.2
120 00:00:20
Distance: (default is 120)
R1#
You can use show ip route command to troubleshoot rip network. If you did not see information about any route
checks the router attached with that network.
R1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 10.0.0.0/8 is directly connected, FastEthernet0/0
C 20.0.0.0/8 is directly connected, Serial0/0/0
R 30.0.0.0/8 [120/1] via 20.0.0.2, 00:00:01, Serial0/0/0
R 40.0.0.0/8 [120/2] via 20.0.0.2, 00:00:01, Serial0/0/0
R 50.0.0.0/8 [120/3] via 20.0.0.2, 00:00:01, Serial0/0/0
R1#
To test rip routing do ping from pc1 to pc2 and vice versa. If you get replay then you have successfully configured rip
routing but if you did not get replay double check this configuration and try to troubleshoot. I have uploaded a
configured and tested topology in case you are unable to locate the problem spot then download this configuration
file. And try to find out where have you committed mistake
rip routing configurations
Commands
Router(config)#router rip
Router(config-router)#network w.x.y.z
Router(config)#no router rip
Router(config-router)#no network w.x.y.z
Router(config-router)#version 2
Router(config-router)#version 1
Router(config-router)#no auto-summary
Router(config-router)#passive-interface s0/0/0
Router(config-router)#no ip split-horizon
Router(config-router)#ip split-horizon
Router(config-router)#timers basic 30 90 180 270
360
Router#debug ip rip
Router#show ip rip database
Descriptions
Enables RIP as a routing protocol
w.x.y.z is the network number of the directly connected network
you want to advertise.
Turns off the RIP routing process
Removes network w.x.y.z from the RIP routing process.
RIP will now send and receive RIPv2 packets globally.
RIP will now send and receive RIPv1 packets only
RIPv2 summarizes networks at the classful boundary. This
command turns autosummarization off.
RIP updates will not be sent out this interface.
Turns off split horizon (on by default).
Re-enables split horizon
Changes timers in RIP: 30 = Update timer (in seconds) 90 =
Invalid timer (in seconds) 180 = Hold-down timer (in seconds)
270 = Flush timer (in seconds) 360 = Sleep time (in
milliseconds)
Displays all RIP activity in real time
Displays contents of the RIP database
Enhanced Interior Gateway Routing Protocol (EIGRP)
EIGRP is the advance version of Cisco’s earlier version IGRP. Before you learn more about EIGRP let be familiar
with IGRP.
Interior Gateway Routing Protocol (IGRP)
The Interior Gateway Routing Protocol (IGRP) is a Cisco-proprietary routing protocol for IP. it is a distance vector
protocol.
п‚· It uses a sophisticated metric based on bandwidth and delay.
п‚· It uses triggered updates to speed-up convergence.
п‚· It supports unequal-cost load balancing to a single destination.
IGRP is Cisco proprietary uses bandwidth, delay, reliability, load, and MTU as its metrics (bandwidth and delay be
default).
IGRP's routing update period is every 90 seconds. Its hold-down period is 280 seconds, and its flush period is 630
seconds.
It also supports triggered updates and load balancing across unequal-cost paths.
IGRP requires an AS number in its router command; plus, when entering network numbers for the network
command, they are entered as the classful network number, as they are for RIP.
IGRP supports both equal- and unequal-cost paths for load balancing to single destination Equal-cost paths are
enabled by default, where IGRP supports up to six equal-cost paths (four by default) to a single destination in the IP
routing table. IGRP, however, also supports unequal-cost paths, but this feature is disabled by default.
Enhanced Interior Gateway Routing Protocol
The Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary routing protocol for IP. These
characteristics include:
п‚· Fast convergence
п‚· Loop-free topology
п‚· VLSM and route summarization
п‚· Multicast and incremental updates
п‚· Routes for multiple routed protocols
Here is a brief comparison of EIGRP and IGRP:
п‚· Both offer load balancing across six paths (equal or unequal).
п‚· They have similar metric structures.
 EIGRP has faster convergence (triggered updates and saving a neighbor’s routing table locally).
п‚· EIGRP has less network overhead, since it uses incremental updates.
Interesting point about these protocols is that if you have some routers in your network running IGRP and others
running EIGRP and both sets have the same autonomous system number, routing information will automatically be
shared between the two.
п‚· EIGRP uses a 32-bit metric, while IGRP uses a 24-bit metric.
п‚· EIGRP uses the Diffusing Update Algorithm (DUAL) to update the routing table.
п‚· One really unique feature of EIGRP is that it supports three routed protocols: IP, IPX, and AppleTalk
п‚· Hello packets are generated every five seconds on LAN interfaces as multicasts (224.0.0.10).
For EIGRP routers to become neighbors, the following information must match:
п‚· The AS number
п‚· The K-values (these enable/disable the different metric components)
When two routers determine whether they will become neighbors, they go through the following process:
1. The first router generates a Hello with configuration information.
2. If the configuration information matches, the second router responds with an Update message with topology
information.
3. The first router responds with an ACK message, acknowledging the receipt of the second’s ACK.
4. The first router sends its topology to the second router via an Update message.
5. The second router responds back with an ACK.
You must specify the AS number when configure EIGRP. Even though EIGRP is classless, you must configure it as a
classful protocol when specifying your network numbers with the network command.
EIGRP Terms
Term
Definition
The best path to reach a destination within the topology table.
Successor
The best backup path to reach a destination within the topology table—multiple successors
Feasible successor
can be feasible for a particular destination.
This is all of the successor routes from the topology table. There is a separate routing table for
Routing table
each routed protocol.
The distance (metric) that a neighboring router is advertising for a specific route.
Advertised distance
The distance (metric) that your router has computed to reach a specific route: the advertised
Feasible distance
distance from the neighboring router plus the local router’s interface metric.
Contains a list of the EIGRP neighbors and is similar to the adjacencies that are built in OSPF
between the designated router/backup DR and the other routers on a segment. Each routed
Neighbor table
protocol (IP, IPX, and AppleTalk) for EIGRP has its own neighbor table.
Similar to OSPF’s database, contains a list of all destinations and paths the EIGRP router
learned—it is basically a compilation of the neighboring routers’ routing tables. A separate
Topology table
topology table exists for each routed protocol.
EIGRP Routing Configurations
EIGRP is a Cisco-proprietary routing protocol for TCP/IP. It’s actually based on Cisco’s proprietary IGRP routing
protocol, with many enhancements built into it. Because it has its roots in IGRP, the configuration is similar to IGRP;
however, it has many link state characteristics that were added to it to allow EIGRP to scale to enterprise network
sizes. To know these characteristics read our pervious article.
In this article I will demonstrate an example of EIGRP Routing configurations. We will use four different series
router so you can get familiar with all different platform covered in CCNA exam. Create a topology as shown in
figure.
1841 Series Router0 (R1)
2811 Series Router0 (R4)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0 Serial0/0/0
IP address
10.0.0.1
20.0.0.1
IP address
50.0.0.1
40.0.0.2
Connected
With
Pc0
R2 on Serial
0/0
Connected
With
Pc1
R3 on Serial
0/0
2621XM Series Router0 (R3)
2620XM Series Router1 (R2)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0
Serial0/0
IP address
30.0.0.2
40.0.0.1
IP address
30.0.0.1
20.0.0.2
Connected
With
FastEthernet0/0
R4 on Serial
0/0/0
Connected
With
R3 on
FastEthernet0/0
R1 on
Serial 0/0/0
PC-PT PC0
PC-PT PC1
FastEthernet0
Default
Gateway
IP address
10.0.0.2
10.0.0.1
Connected
With
R1 on
FastEthernet0/0
FastEthernet0
Default
Gateway
IP address
50.0.0.2
50.0.0.1
Connected
With
R4 on
FastEthernet0/0
To configure any router double click on it and select CLI.To configure this topology use this step by step guide.
(1841Router0) Hostname R1
To configure and enable eigrp routing on R1 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router eigrp 1
R1(config-router)#network 10.0.0.0
R1(config-router)#network 20.0.0.0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable eigrp routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#router eigrp 1
R2(config-router)#network 20.0.0.0
R2(config-router)#network 30.0.0.0
R2(config-router)#exit
R2(config)#
(2620XM-Router2)Hostname R3
To configure and enable eigrp routing on R3 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R3(config)#router eigrp 1
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit
R3(config)#
(2811Router3) Hostname R4
To configure and enable eigrp routing on R4 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
R3(config)#router eigrp 1
R3(config-router)#network 30.0.0.0
R3(config-router)#network 40.0.0.0
R3(config-router)#exit
R3(config)#
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>
PC-2
PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 157ms, Average = 148ms
You can verify that eigrp is running successfully via show ip protocols command in privilege mode.
R4#show ip protocols
Routing Protocol is "ospf 4"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 50.0.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
50.0.0.0 0.255.255.255 area 0
40.0.0.0 0.255.255.255 area 0
Routing Information Sources:
Gateway
Distance Last Update
40.0.0.1
110 00:01:26
Distance: (default is 110)
R4#
You can use show ip route command to troubleshoot eigrp network. If you did not see information about any route
checks the router attached with that network.
R4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O 10.0.0.0/8 [110/1564] via 40.0.0.1, 00:02:37, Serial0/0/0
O 20.0.0.0/8 [110/1563] via 40.0.0.1, 00:02:37, Serial0/0/0
O 30.0.0.0/8 [110/782] via 40.0.0.1, 00:02:37, Serial0/0/0
C 40.0.0.0/8 is directly connected, Serial0/0/0
C 50.0.0.0/8 is directly connected, FastEthernet0/0
R4#
To test eigrp routing do ping from pc1 to pc2 and vice versa. If you get replay then you have successfully configured
eigrp routing but if you did not get replay double check this configuration and try to troubleshoot. I have uploaded a
configured and tested topology in case you are unable to locate the problem spot then download this configuration
file. And try to find out where have you committed mistake
eigrp routing configurations
Configuration command of EIGRP
Commands
Descriptions
Turns on the EIGRP process. 1 is the autonomous system number, which can be a
Router(config)#router eigrp 1
number between 1 and 65,535.
Note:- All routers in the same autonomous system must use the same autonomous system number.
Router(config-router)#network
Specifies which network to advertise in EIGRP.
10.0.0.0
Sets the bandwidth of this interface to x kilobits to allow EIGRP to make a better
Router(config-if)#bandwidth x
metric calculation
TIP: The bandwidth command is used for metric calculations only. It does not change interface performance.
Router(config-router)#no
Removes the network from the EIGRP process.
network 10.0.0.0
Router(config)#no router eigrp 1 Disables routing process 1
Router(config-router)#autoEnables auto-summarization for the EIGRP process.
summary
Router(config-router)#no
Turns off the auto-summarization feature.
autosummary
include routes with a metric less than or equal to n times the minimum metric
Router(config-router)#variance n route for that destination, where n is the number specified by the variance
command
NOTE: If a path is not a feasible successor, it is not used in load balancing. EIGRP supports up to six unequalcost paths.
Router(config)#interface serial
Enters interface configuration mode.
0/0
Sets the bandwidth of this interface to 256 kilobits to allow EIGRP to make a
Router(config-if)#bandwidth 256
better metric calculation.
Router#show ip eigrp neighbors Displays the neighbor table.
Router#show ip eigrp neighbors
Displays a detailed neighbor table.
detail
Router#show ip eigrp interfaces Shows information for each interface
Router#show ip eigrp interfaces
Shows information for a specific interface
serial 0/0
Router#show ip eigrp interfaces 1 Shows information for interfaces running process 1.
Displays the topology table
Router#show ip eigrp topology
Shows the number and type of packets sent and received
Router#show ip eigrp traffic
Shows a routing table with only EIGRP entries
Router#show ip route eigrp
Displays events/actions related to EIGRP feasible successor metrics (FSM)
Router#debug eigrp fsm
Displays events/actions related to EIGRP packets
Router#debug eigrp packet
Displays events/actions related to your EIGRP neighbors
Router#debug eigrp neighbor
Router#debug ip eigrp neighbor Displays events/actions related to your EIGRP neighbors
Router#debug ip eigrp
Displays EIGRP event notifications
notifications
OPEN SHORTEST PATH FIRST(OSPF)
Biggest advantage of OSPF over EIGRP is that it will run on any device as its based on open standard
Advantages
п‚· It will run on most routers, since it is based on an open standard.
п‚· It uses the SPF algorithm, developed by Dijkstra, to provide a loop-free topology.
п‚· It provides fast convergence with triggered, incremental updates via Link State Advertisements (LSAs).
п‚· It is a classless protocol and allows for a hierarchical design with VLSM and route summarization.
Disadvantages:
п‚· It requires more memory to hold the adjacency (list of OSPF neighbors), topology and routing tables.
п‚· It requires extra CPU processing to run the SPF algorithm
п‚· It is complex to configure and more difficult to troubleshoot.
Features
 OSPF implements a two-layer hierarchy: the backbone (area 0) and areas off of the backbone (areas 1–
65,535)
п‚· To provide scalability OSPF supports two important concepts: autonomous systems and areas.
п‚· Synchronous serial links, no matter what the clock rate of the physical link is, the bandwidth always defaults
to 1544 Kbps.
п‚· OSPF uses cost as a metric, which is the inverse of the bandwidth of a link.
Router Identities
Each router in an OSPF network needs a unique ID that is used to provide a unique identity to the OSPF router. The
router ID is chosen according to one of the two following criteria:
п‚· The highest IP address on its loop back interfaces (this is a logical interface on a router)
п‚· The highest IP address on its active interfaces
OSPF learns about its neighbors and builds its adjacency and topology tables by sharing LSAs OSPF routers will
generate hello LSAs every 10 seconds. If a neighbor is not seen within the dead interval time, which defaults to 40
seconds, the neighbor is declared dead.
First before a router will accept any routing information from another OSPF router, they have to build an adjacency
with each other on their connected interfaces. When this adjacency is built, the two routers (on the connected
interfaces) are called a neighbor, which indicates a special relationship between the two. In order for two routers to
become neighbors, the following must match on each router:
п‚· The area number and its type
п‚· The hello and dead interval timers
п‚· The OSPF password (optional), if it is configured
п‚· The area stub flag (used to contain OSPF messages and routing information,
OSPF routers will go through three states called the exchange process:
п‚· 1. Down state The new router has not exchanged any OSPF information with any other router.
п‚· 2. Init state A destination router has received a new router's hello and adds it to its neighbor list (assuming
that certain values match). Note that communication is only unidirectional at this point.
п‚· 3. Two-Way state The new router receives a unidirectional reply to its initial hello packet and adds destination
router to its neighbor database. Once the routers have entered a two-way state, they are considered neighbors.
п‚·
o
o
For each network multi-access segment, there is a DR and a BDR as well as other routers.
This process is true for multi-access segments, (an example, if you have ten VLANs in your switched
area, you’ll have ten DRs and ten BDRs.) but not point-to-point links, where DRs are not necessary.
o The router with the highest priority (or highest router ID) becomes the DR.
Loop back Interfaces
A loop back interface is a logical, virtual interface on a router that always remains up. By default, the router doesn't
have any loop back interfaces, but they can easily be created.
OSPF routers use Link State Advertisements (LSAs) to communicate with each other. One type of LSA is a hello,
which is used to form neighbor relationships and as a keep-alive function. Hellos are generated every ten seconds.
When sharing link information (directly connected routes), links are sent to the DR (224.0.0.6) and the DR
Disseminates this to everyone (224.0.0.5) else on the segment.
Sharing Routing Information
After electing the DR/BDR pair, the routers continue to generate hellos to maintain communication. This is
considered an exstart state, in which the OSPF routers are ready to share link state information. The process the
routers go through is called an exchange protocol
1.Exstart state
The DR and BDR form adjacencies with the other OSPF routers on the segment, and then within each adjacency, the
router with the highest router ID becomes the master and starts the exchange process first (shares its link state
information)—note that the DR is not necessarily the master for the exchange process. The remaining router in the
adjacency will be the slave.
2. Exchange state
The master starts sharing link state information first, with the slave. These are called DBDs (database description
packets), also referred to as DDPs. The DBDs contain the link-state type, the ID of the advertising router, the cost of
the advertised link, and the sequence number of the link. The slave responds back with an LSACK—an
acknowledgment to the DBD from the master. The slave then compares the DBD's information with its own.
3. Loading state
If the master has more up-to-date information than the slave, the slave will respond to the master's original DBD with
an LSR (Link State Request). The master will then send a LSU (Link State Update) with the detailed information of
the links to the slave. The slave will then incorporate this into its local link state database. Again, the slave will
generate an LSACK to the master to acknowledge the fact that it received the LSU. If a slave has more up-to-date
information, it will repeat the "exchange" and "loading" states.
4. Full state
Once the master and the slave are synchronized, they are considered to be in a full state. To summarize these four
steps, OSPF routers share a type of LSA message in order to disclose information about available routes. Basically, an
LSA update message contains a link and a state, as well as other information.
A link is the router interface on which the update was generated (a connected route).
The state is a description of this interface, including the IP address configured on it as well as the relationship this
router has with its neighboring router. However, OSPF routers will not share this information with just any OSPF
router.
A two-way state indicates that two OSPF routers are neighbors. A full state indicates the completion of sharing of
links between routers.
Cost metric is the inverse of the accumulated bandwidth values of routers’ interfaces. The default Measurement that
Cisco uses in calculating the cost metric is: cost = 108/(interface bandwidth)
OSPF Routing Configurations
In this article I will demonstrate an example of OSPF Routing configurations. We will use four different series router
so you can get familiar with all different platform covered in CCNA exam. Create a topology as shown in figure.
Configuring OSPF is slightly different from configuring RIP. When configuring OSPF, use the following syntax:
Router(config)# router ospf process_ID
Router(config-router)# network IP_address wildcard_mask
area area_#
The process_ID is locally significant and is used to differentiate between OSPF processes running on the same
router. Your router might be a boundary router between two OSPF autonomous systems, and to differentiate them on
your router, you’ll give them unique process IDs. Note that these numbers do not need to match between different
routers and that they have nothing to do with autonomous system numbers.
1841 Series Router0 (R1)
2811 Series Router0 (R4)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0 Serial0/0/0
IP address
10.0.0.1
20.0.0.1
IP address
50.0.0.1
40.0.0.2
Connected
With
Pc0
R2 on Serial
0/0
Connected
With
Pc1
R3 on Serial
0/0
2621XM Series Router0 (R3)
2620XM Series Router1 (R2)
FastEthernet0/0 Serial0/0/0
FastEthernet0/0
Serial0/0
IP address
30.0.0.2
40.0.0.1
IP address
30.0.0.1
20.0.0.2
Connected
With
FastEthernet0/0
R4 on Serial
0/0/0
Connected
With
R3 on
FastEthernet0/0
R1 on
Serial 0/0/0
PC-PT PC0
PC-PT PC1
FastEthernet0
Default
Gateway
IP address
10.0.0.2
10.0.0.1
Connected
With
R1 on
FastEthernet0/0
FastEthernet0
Default
Gateway
IP address
50.0.0.2
50.0.0.1
Connected
With
R4 on
FastEthernet0/0
To configure any router double click on it and select CLI.To configure this topology use this step by step guide.
(1841Router0) Hostname R1
To configure and enable ospf routing on R1 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface fastethernet 0/0
R1(config-if)#ip address 10.0.0.1 255.0.0.0
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ip address 20.0.0.1 255.0.0.0
R1(config-if)#clock rate 64000
R1(config-if)#bandwidth 64
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.255.255.255 area 0
R1(config-router)#network 20.0.0.0 0.255.255.255 area 0
R1(config-router)#exit
R1(config)#
(2620XM-Router1) Hostname R2
To configure and enable ospf routing on R2 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface serial 0/0
R2(config-if)#ip address 20.0.0.2 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R2(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ip address 30.0.0.1 255.0.0.0
R2(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R2(config)#router ospf 2
R2(config-router)#network 20.0.0.0 0.255.255.255 area 0
R2(config-router)#network 3
00:03:10: %OSPF-5-ADJCHG: Process 2, Nbr 20.0.0.1 on Serial0/0 from
LOADING to FULL, Loading Done0.0.0.0 0.255.255.255 area 0
R2(config-router)#network 30.0.0.0 0.255.255.255 area 0
R2(config-router)#exit
R2(config)#
(2620XM-Router2)Hostname R3
To configure and enable ospf routing on R3 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R3
R3(config)#interface fastethernet 0/0
R3(config-if)#ip address 30.0.0.2 255.0.0.0
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#interface serial 0/0
R3(config-if)#ip address 40.0.0.1 255.0.0.0
R3(config-if)#clock rate 64000
R3(config-if)#bandwidth 64
R3(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0, changed state to down
R3(config-if)#exit
%LINK-5-CHANGED: Interface Serial0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to up
R3(config)#router ospf 3
R3(config-router)#network 40.0.0.0 0.255.255.255 area 0
R3(config-router)#network 30.0.0.0 0.255.255.255 area 0
00:04:53: %OSPF-5-ADJCHG: Process 3, Nbr 30.0.0.1 on FastEthernet0/0 from
LOADING to FULL, Loading D
R3(config-router)#exit
R3(config)#
%SYS-5-CONFIG_I: Configured from console by console
R3#
(2811Router3) Hostname R4
To configure and enable ospf routing on R4 follow these commands exactly.
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface serial 0/0/0
Router(config-if)#ip address 40.0.0.2 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
Router(config-if)#exit
Router(config)#interface fastethernet 0/0
Router(config-if)#ip address 50.0.0.1 255.0.0.0
Router(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
Router(config-if)#exit
R4(config)#router ospf 4
R4(config-router)#network 50.0.0.0 0.255.255.255 area 0
R4(config-router)#network 40.0.0.0 0.255.255.255 area 0
R4(config-router)#
00:06:32: %OSPF-5-ADJCHG: Process 4, Nbr 40.0.0.1 on Serial0/0/0 from
LOADING to FULL, Loading Done
R4(config-router)#exit
R4(config)#
PC-1
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 50.0.0.2
Pinging 50.0.0.2 with 32 bytes of data:
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=127ms TTL=124
Reply from 50.0.0.2: bytes=32 time=156ms TTL=124
Reply from 50.0.0.2: bytes=32 time=140ms TTL=124
Ping statistics for 50.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 127ms, Maximum = 156ms, Average = 144ms
PC>
PC-2
PC>ipconfig
IP Address......................: 50.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 50.0.0.1
PC>ping 10.0.0.2
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time=140ms TTL=124
Reply from 10.0.0.2: bytes=32 time=141ms TTL=124
Reply from 10.0.0.2: bytes=32 time=157ms TTL=124
Reply from 10.0.0.2: bytes=32 time=156ms TTL=124
Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 140ms, Maximum = 157ms, Average = 148ms
You can verify that ospf is running successfully via show ip protocols command in privilege mode.
R4#show ip protocols
Routing Protocol is "ospf 4"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 50.0.0.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
50.0.0.0 0.255.255.255 area 0
40.0.0.0 0.255.255.255 area 0
Routing Information Sources:
Gateway
Distance Last Update
40.0.0.1
110 00:01:26
Distance: (default is 110)
R4#
You can use show ip route command to troubleshoot ospf network. If you did not see information about any route
checks the router attached with that network.
R4#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
O 10.0.0.0/8 [110/1564] via 40.0.0.1, 00:02:37, Serial0/0/0
O 20.0.0.0/8 [110/1563] via 40.0.0.1, 00:02:37, Serial0/0/0
O 30.0.0.0/8 [110/782] via 40.0.0.1, 00:02:37, Serial0/0/0
C 40.0.0.0/8 is directly connected, Serial0/0/0
C 50.0.0.0/8 is directly connected, FastEthernet0/0
R4#
To test ospf routing do ping from pc1 to pc2 and vice versa. If you get replay then you have successfully configured
ospf routing but if you did not get replay double check this configuration and try to troubleshoot. I have uploaded a
configured and tested topology in case you are unable to locate the problem spot then download this configuration
file. And try to find out where have you committed mistake
ospf routing configurations
Configuration command of OSPF
Commands
Descriptions
Starts OSPF process 1. The process ID is any positive integer value between 1 and
Router(config)#router ospf 1
65,535.
Router(config-router)#network OSPF advertises interfaces, not networks. Uses the wildcard mask to determine
which interfaces to advertise.
172.16.0.0 0.0.255.255 area 0
Router(config-if)#ip ospf
Changes the Hello Interval timer to 20 seconds.
hellointerval timer 20
Router(config-if)#ip ospf
Changes the Dead Interval timer to 80 seconds.
deadinterval 80
NOTE: Hello and Dead Interval timers must match for routers to become neighbors
Displays parameters for all protocols running on the router
Router#show ip protocol
Displays a complete IP routing table
Router#show ip route
Displays basic information about OSPF routing processes
Router#show ip ospf
Displays OSPF info as it relates to all interfaces
Router#show ip ospf interface
Router#show ip ospf interface
Displays OSPF information for interface fastethernet 0/0
fastethernet 0/0
Router#show ip ospf borderDisplays border and boundary router information
routers
Lists all OSPF neighbors and their states
Router#show ip ospf neighbor
Router#show ip ospf neighbor
Displays a detailed list of neighbors
detail
Clears entire routing table, forcing it to rebuild
Router#clear ip route *
Clears specific route to network a.b.c.d
Router#clear ip route a.b.c.d
Resets OSPF counters
Router#clear ip opsf counters
Resets entire OSPF process, forcing OSPF to re-create neighbors, database, and
Router#clear ip ospf process
routing table
Displays all OSPF events
Router#debug ip ospf events
Router#debug ip ospf adjacency Displays various OSPF states and DR/ BDR election between adjacent routers
Displays OPSF packets
Router#debug ip ospf packets
Access control list
ACLs are basically a set of commands, grouped together by a number or name that is used to filter traffic entering or
leaving an interface.
When activating an ACL on an interface, you must specify in which direction the traffic should be filtered:
п‚·
п‚·
Inbound (as the traffic comes into an interface)
Outbound (before the traffic exits an interface)
Inbound ACLs:
Incoming packets are processed before they are routed to an outbound interface. An inbound ACL is efficient because
it saves the overhead of routing lookups if the packet will be discarded after it is denied by the filtering tests. If the
packet is permitted by the tests, it is processed for routing.
Outbound ACLs:
Incoming packets are routed to the outbound interface and then processed through the outbound ACL.
Universal fact about Access control list
1. ACLs come in two varieties:Numbered and named
2. Each of these references to ACLs supports two types of filtering: standard and extended.
3. Standard IP ACLs can filter only on the source IP address inside a packet.
4. Whereas an extended IP ACLs can filter on the source and destination IP addresses in the packet.
5. There are two actions an ACL can take: permit or deny.
6. Statements are processed top-down.
7. Once a match is found, no further statements are processed—therefore, order is important.
8. If no match is found, the imaginary implicit deny statement at the end of the ACL drops the packet.
9. An ACL should have at least one permit statement; otherwise, all traffic will be dropped because of the
hidden implicit deny statement at the end of every ACL.
No matter what type of ACL you use, though, you can have only one ACL per protocol, per interface, per direction.
For example, you can have one IP ACL inbound on an interface and another IP ACL outbound on an interface, but
you cannot have two inbound IP ACLs on the same interface.
Access List Ranges
Type
IP Standard
IP Extended
IP Standard Expanded Range
IP Extended Expanded Range
Range
1–99
100–199
1300–1999
2000–2699
Standard ACLs
A standard IP ACL is simple; it filters based on source address only. You can filter a source network or a source host,
but you cannot filter based on the destination of a packet, the particular protocol being used such as the Transmission
Control Protocol (TCP) or the User Datagram Protocol (UDP), or on the port number. You can permit or deny only
source traffic.
Extended ACLs:
An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source
and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters,
which allow administrators more flexibility and control.
Named ACLs
One of the disadvantages of using IP standard and IP extended ACLs is that you reference them by number, which is
not too descriptive of its use. With a named ACL, this is not the case because you can name your ACL with a
descriptive name. The ACL named DenyMike is a lot more meaningful than an ACL simply numbered 1. There are
both IP standard and IP extended named ACLs.
Another advantage to named ACLs is that they allow you to remove individual lines out of an ACL. With numbered
ACLs, you cannot delete individual statements. Instead, you will need to delete your existing access list and re-create
the entire list.
Configuration Guidelines
п‚· Order of statements is important: put the most restrictive statements at the top of the list and the least
restrictive at the bottom.
п‚· ACL statements are processed top-down until a match is found, and then no more statements in the list are
processed.
п‚· If no match is found in the ACL, the packet is dropped (implicit deny).
п‚· Each ACL needs either a unique number or a unique name.
п‚· The router cannot filter traffic that it, itself, originates.
п‚·
You can have only one IP ACL applied to an interface in each direction (inbound and outbound)—you can't
have two or more inbound or outbound ACLs applied to the same interface. (Actually, you can have one ACL
for each protocol, like IP and IPX, applied to an interface in each direction.)
п‚· Applying an empty ACL to an interface permits all traffic by default: in order for an ACL to have an implicit
deny statement, you need at least one actual permit or deny statement.
 Remember the numbers you can use for IP ACLs.Standard ACLs can use numbers ranging 1–99 and 1300–
1999, and extended ACLs can use 100–199 and 2000–2699.
п‚· Wildcard mask is not a subnet mask. Like an IP address or a subnet mask, a wildcard mask is composed of 32
bits when doing the conversion; subtract each byte in the subnet mask from 255.
There are two special types of wildcard masks:
0.0.0.0 and 255.255.255.255
A 0.0.0.0 wildcard mask is called a host mask
255.255.255.255. If you enter this, the router will cover the address and mask to the keyword any.
Placement of ACLs
Standard ACLs should be placed as close to the destination devices as possible.
Extended ACLs should be placed as close to the source devices as possible.
standard access lists
Because a standard access list filters only traffic based on source traffic, all you need is the IP address of the host or
subnet you want to permit or deny. ACLs are created in global configuration mode and then applied on an interface.
The syntax for creating a standard ACL is
access-list {1-99 | 1300-1999} {permit | deny} source-address
[wildcard mask]
In this article we will configure standard access list. If you want read the feature and characteristic of access list reads
this previous article.
Access control list
In this article we will use a RIP running topology. Which we created in RIP routing practical.
Download this RIP routing topology and open it in packet tracer
Rip Routing
If you want to learn how we created this topology then read this article Configure Rip Routing
Three basic steps to configure Standard Access List
п‚· Use the access-list global configuration command to create an entry in a standard ACL.
п‚· Use the interface configuration command to select an interface to which to apply the ACL.
п‚· Use the ip access-group interface configuration command to activate the existing ACL on an interface.
With Access Lists you will have a variety of uses for the wild card masks, but typically For CCNA exam prospective
you should be able to do following:
1. Match a specific host,
2. Match an entire subnet,
3. Match an IP range, or
4. Match Everyone and anyone
Match specific hosts
Task
You have given a task to block 10.0.0.3 from gaining access on 40.0.0.0. While 10.0.0.3 must be able to communicate
with networks. Other computer from the network of 10.0.0.0 must be able to connect with the network of 40.0.0.0.
Decide where to apply ACL and in which directions.
Our host must be able to communicate with other host except 40.0.0.0 so we will place this access list on FastEthernet
0/1 of R2 (2811) connected to the network of 40.0.0.0. Direction will be outside as packet will be filter while its
leaving the interface. If you place this list on R1(1841) then host 10.0.0.3 will not be able to communicate with any
other hosts including 40.0.0.0.
To configure R2 double click on it and select CLI (Choose only one method result will be same)
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny host 10.0.0.3
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out
OR
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 1 deny 10.0.0.3 0.0.0.0
R2(config)#access-list 1 permit any
R2(config)#interface fastEthernet 0/1
R2(config-if)#ip access-group 1 out
To test first do ping from 10.0.0.3 to 40.0.0.3 it should be request time out as this packet will filter by ACL. Then ping
30.0.0.3 it should be successfully replay.
PC>ping 40.0.0.3
Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>ping 30.0.0.3
Pinging 30.0.0.3 with 32 bytes of data:
Request timed out.
Reply from 30.0.0.3: bytes=32 time=140ms TTL=126
Reply from 30.0.0.3: bytes=32 time=156ms TTL=126
Reply from 30.0.0.3: bytes=32 time=112ms TTL=126
Ping statistics for 30.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 112ms, Maximum = 156ms, Average = 136ms
As we applied access list only on specific host so other computer from the network of 10.0.0.0 must be able to
connect with the network of 40.0.0.0. To test do ping from 10.0.0.2 to 40.0.0.3
PC>ipconfig
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 10.0.0.1
PC>ping 40.0.0.3
Pinging 40.0.0.3 with 32 bytes of data:
Request timed out.
Reply from 40.0.0.3: bytes=32 time=141ms TTL=126
Reply from 40.0.0.3: bytes=32 time=140ms TTL=126
Reply from 40.0.0.3: bytes=32 time=125ms TTL=126
Ping statistics for 40.0.0.3:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 125ms, Maximum = 141ms, Average = 135ms
Match an entire subnet
Task
You have given a task to the network of 10.0.0.0 from gaining access on 40.0.0.0. While 10.0.0.0 must be able to
communicate with networks .
Wildcards
Wildcards are used with access lists to specify an individual host, a network, or a certain range of a network or
networks.
Formula to calculate wild card mask for access list
The key to matching an entire subnet is to use the following formula for the wildcard mask. It goes as follows:
Wildcard mask = 255.255.255.255 – subnet
So for example if my current subnet was 255.0.0.0, the mask would be 0.255.255.255.
255.255.255.255
255 .0 .0 .0
---------------0. 255 .255.255
---------------Once you have calculated the wild card mask rest is same as we did in pervious example
R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To test first do ping from 10.0.0.3 to 40.0.0.3 it should be request time out as this packet will filter by ACL. Then ping
30.0.0.3 it should be successfully replay.
Now do ping from 10.0.0.2 to 40.0.0.3 and further 30.0.0.2 result should be same as the packet is filtering on network
based
Match an IP range
You are a network administrator at ComputerNetworkingNotes.com. You task is to block an ip range of 10.3.16.0 –
10.3.31.255 from gaining access to the network of 40.0.0.0
Solutions
Our range is 10.3.16.0 – 10.3.31.255. In order to find the mask, take the higher IP and subtract from it the lower IP.
10.3.31.255
10.3.16.0 -------------0.0.15.255
-------------In this case the wildcard mask for this range is 0.0.15.255.
To permit access to this range, you would use the following:
R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.3.16.0 0.0.15.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
One thing to note is that each non-zero value in the mask must be one less than a power of 2, i.e. 0, 1, 3, 7, 15, 31, 63,
127, 255.
Match Everyone and Anyone
This is the easiest of Access-Lists to create, just use the following:
access-list 1 permit any
or
access-list 1 permit 0.0.0.0 255.255.255.255
Secure telnet session via standard ACL
This is among the highly tested topic in CCNA exam. We could use extended ACL to secure telnet session but if you
did that, you’d have to apply it inbound on every interface, and that really wouldn’t scale well to a large router with
dozens, even hundreds, of interfaces.Here's a much better solution:
Use a standard IP access list to control access to the VTY lines themselves.
To perform this function, follow these steps:
1. Create a standard IP access list that permits only the host or hosts you want to be able to telnet into the
routers.
2. Apply the access list to the VTY line with the access-class command
Secure R2 in a way that only 20.0.0.2 can telnet it beside it all other telnet session should be denied
R2>enable
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 3 permit host 20.0.0.2
R2(config)#line vty 0 4
R2(config-line)#password vinita
R2(config-line)#login
R2(config-line)#access-class 3 in
To test do telnet from 20.0.0.2 first is should be successful.
PC>ipconfig
IP Address......................: 20.0.0.2
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
User Access Verification
Password:
R2>
Now telnet it from any other pc apart from 20.0.0.2. it must be filter and denied
PC>ipconfig
IP Address......................: 20.0.0.3
Subnet Mask.....................: 255.0.0.0
Default Gateway.................: 20.0.0.1
PC>telnet 50.0.0.2
Trying 50.0.0.2 ...
% Connection refused by remote host
PC>
Configure Extended Access Lists
An extended ACL gives you much more power than just a standard ACL. Extended IP ACLs check both the source
and destination packet addresses. They can also check for specific protocols, port numbers, and other parameters,
which allow administrators more flexibility and control.
access-list access-list-number {permit | deny}
protocol source source-wildcard [operator port]
destination destination-wildcard [operator port]
[established] [log]
Command Parameters
access-list
Descriptions
Main command
Identifies the list using a number in the ranges of
access-list-number
100–199 or 2000– 2699.
Indicates whether this entry allows or blocks the
permit | deny
specified address.
IP, TCP, UDP, ICMP, GRE, or IGRP.
protocol
Identifies source and destination IP addresses.
source and destination
The operator can be lt (less than), gt (greater
than), eq (equal to), or neq (not equal to). The
port number referenced can be either the source
port or the destination port, depending on where
source-wildcard and destination-wildcard
in the ACL the port number is configured. As an
alternative to the port number, well-known
application names can be used, such as Telnet,
FTP, and SMTP.
For inbound TCP only. Allows TCP traffic to
pass if the packet is a response to an outboundinitiated session. This type of traffic has the
established
acknowledgement (ACK) bits set. (See the
Extended ACL with the Established Parameter
example.)
Sends a logging message to the console.
log
Before we configure Extended Access list you should cram up some important port number
Well-Known Port Numbers and IP Protocols
Port Number
IP Protocol
20 (TCP)
FTP data
21 (TCP)
FTP control
23 (TCP)
Telnet
25 (TCP)
Simple Mail Transfer Protocol (SMTP)
53 (TCP/UDP)
Domain Name System (DNS)
69 (UDP)
TFTP
80 (TCP)
HTTP
In this article we will configure Extended access list. If you want to read the feature and characteristic of access list
reads this previous article.
Access control list
In this article we will use a RIP running topology. Which we created in RIP routing practical.
Download this RIP routing topology and open it in packet tracer
Rip Routing
If you want to learn how we created this topology then read this article
Configure Rip Routing
Three basic steps to configure Extended Access List
п‚· Use the access-list global configuration command to create an entry in a Extended ACL.
п‚· Use the interface configuration command to select an interface to which to apply the ACL.
п‚· Use the ip access-group interface configuration command to activate the existing ACL on an interface.
With Access Lists you will have a variety of uses for the wild card masks, but typically For CCNA exam prospective
you should be able to do following:
1. Block host to host
2. Block host to network
3. Block Network to network
4. Block telnet access for critical resources of company
5. Limited ftp access for user
6. Stop exploring of private network form ping
7. Limited web access
8. Configure established keyword
Block host to host
Task
You are the network administrator at ComputerNetworkingNotes.com. Your company hire a new employee and give
him a pc 10.0.0.3. your company's critical record remain in 40.0.0.3. so you are asked to block the access of 40.0.0.3
from 10.0.0.3. while 10.0.0.3 must be able connect with other computers of network to perfom his task.
Decide where to apply ACL and in which directions.
As we are configuring Extended access list. With extended access list we can filter the packed as soon as it genrate.
So we will place our access list on F0/0 of Router1841 the nearest port of 10.0.0.3
To configure Router1841 (Hostname R1) double click on it and select CLI
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#access-list 101 deny ip host 10.0.0.3 40.0.0.3 0.0.0.0
R1(config)#access-list 101 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 to 40.0.0.3. It should be reqest time out. Also ping other computers of network
including 40.0.0.2. ping shuld be sucessfully.
Block host to network
Task
Now we will block the 10.0.0.3 from gaining access on the network 40.0.0.0. ( if you are doing this practical after
configuring pervious example don't forget to remove the last access list 101. With no access-list command. Or just
close the packet tracer without saving and reopen it to be continue with this example.)
R1(config)#access-list 102 deny ip host 10.0.0.3 40.0.0.0 0.255.255.255
R1(config)#access-list 102 permit ip any any
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip access-group 102 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 to 40.0.0.3. and 40.0.0.2.It should be reqest time out. Also ping computers of
other network. ping shuld be sucessfully.
Once you have calculated the wild card mask rest is same as we did in pervious example
R2>enable
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#access-list 2 deny 10.0.0.0 0.255.255.255
R2(config)#access-list 2 permit any
R2(config)#interface fastethernet 0/1
R2(config-if)#ip access-group 2 out
R2(config-if)#
To test first do ping from 10.0.0.3 to 40.0.0.3 it should be request time out as this packet will filter by ACL. Then ping
30.0.0.3 it should be successfully replay.
Network to Network Access List
Task
Student’s lab is configured on the network of 10.0.0.0. While management's system remain in the network of 40.0.0.0.
You are asked to stop the lab system from gaining access in management systems
Now we will block the network of 10.0.0.0 from gaining access on the network 40.0.0.0. ( if you are doing this
practical after configuring pervious example don't forget to remove the last access list 101. With no access-list
command. Or just close the packet tracer without saving and reopen it to be continue with this example.)
R1(config)#access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 and 10.0.0.2 to 40.0.0.3. and 40.0.0.2.It should be reqest time out. Also ping
computers of other network. ping shuld be sucessfully.
Network to host
Task
For the final scenario you will block all traffic to 40.0.0.3 from the Network of 10.0.0.0 To accomplish this write an
extended access list. The access list should look something like the following.
R1(config)#interface fastethernet 0/0
R1(config-if)#no ip access-group 103 in
R1(config-if)#exit
R1(config)#no access-list 103 deny ip 10.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
R1(config)#access-list 104 deny ip 10.0.0.0 0.255.255.255 40.0.0.3 0.0.0.0
R1(config)#access-list 104 permit ip any any
R1(config)#interface fastethernet 0/0
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
R1(config)#
Verify by doing ping from 10.0.0.3 and 10.0.0.2 to 40.0.0.3.It should be reqest time out. Also ping computers of other
network. ping shuld be sucessfully.
Application based Extended Access list
In pervoius example we filter ip base traffic. Now we will filter applicaion base traffic. To do this practical either
create a topology as shown in figure and enable telnet and http and ftp service on server or download this pre
configured topology and load it in packet tracer.
Extended Access list
The established keyword
The established keyword is a advanced feature that will allow traffic through only if it sees that a TCP session is
already established. A TCP session is considered established if the three-way handshake is initiated first. This
keyword is added only to the end of extended ACLs that are filtering TCP traffic.
You can use TCP established to deny all traffic into your network except for incoming traffic that was first initiated
from inside your network. This is commonly used to block all originating traffic from the Internet into a company's
network except for Internet traffic that was first initiated from users inside the company. The following configuration
would accomplish this for all TCP-based traffic coming in to interface serial 0/0/0 on the router:
R1(config)#access-list 101 permit tcp any any established
R1(config)#interface serial 0/0/0
R1(config-if)#ip access-group 101 in
R1(config-if)#exit
Although the access list is using a permit statement, all traffic is denied unless it is first established from the inside
network. If the router sees that the three-way TCP handshake is successful, it will then begin to allow traffic through.
To test this access list double click on any pc from the network 10.0.0.0 and select web brower. Now give the ip of
30.0.0.2 web server. It should get sucessfully access the web page. Now go 30.0.0.2 and open command prompt. And
do ping to 10.0.0.2 or any pc from the network the 10.0.0.0. it will request time out.
Stop ping but can access web server
We host our web server on 30.0.0.2. But we do not want to allow external user to ping our server as it could be used
as denial of services. Create an access list that will filter all ping requests inbound on the serial 0/0/0 interface of
router2.
R2(config)#access-list 102 deny icmp any any echo
R2(config)#access-list 102 permit ip any any
R2(config)#interface serial 0/0/0
R2(config-if)#ip access-group 102 in
To test this access list ping from 10.0.0.2 to 30.0.0.2 it should be request time out. Now open the web browser and
access 30.0.0.2 it should be successfully retrieve
Grant FTP access to limited user
You want to grant ftp access only to 10.0.0.2. no other user need to provide ftp access on server. So you want to create
a list to prevent FTP traffic that originates from the subnet 10.0.0.0/8, going to the 30.0.0.2 server, from traveling in
on Ethernet interface E0/1 on R1.
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 20
R1(config)#access-list 103 permit tcp host 10.0.0.2 30.0.0.2 0.0.0.0 eq 21
R1(config)#access-list 103 deny tcp any any eq 20
R1(config)#access-list 103 deny tcp any any eq 21
R1(config)#access-list 103 permit ip any any
R1(config)#interface fastethernet 0/1
R1(config-if)#ip access-group 103 in
R1(config-if)#exit
Grant Telnet access to limited user
For security purpose you don’t want to provide telnet access on server despite your own system. Your system is
10.0.0.4. create a extended access list to prevent telnet traffic that originates from the subnet of 10.0.0.0 to server.
R1(config)#access-list 104 permit tcp host 10.0.0.4 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 deny tcp 10.0.0.0 0.255.255.255 30.0.0.2 0.0.0.0 eq 23
R1(config)#access-list 104 permit ip any any
R1(config)#interface fast 0/1
R1(config-if)#ip access-group 104 in
R1(config-if)#exit
Wan terms definitions Encapsulation method hdlc ppp
A WAN is a data communications network that operates beyond the geographical scope of a LAN.
WANs use facilities provided by a service provider, or carrier, such as a telephone or cable company. They connect
the locations of an organization to each other, to locations of other organizations, to external services, and to remote
users. WANs generally carry a variety of traffic types, such as voice, data, and video.
WAN connections are made up of many types of equipment and components.
data communications equipment (DCE) terminates a connection between two sites and provides clocking and
synchronization for that connection; it connects to data termination equipment (DTE).
A DTE is an end-user device, such as a router or PC, which connects to the WAN via the DCE.
Term
Customer premises
equipment (CPE)
Demarcation point
Definition
Your network's equipment, which includes the DCE (modem, NT1, CSU/ DSU) and your
DTE (router, access server)
Where the responsibility of the carrier is passed on to you; this could be inside or outside your
local facility; note that this is a logical boundary, not necessarily a physical boundary
The connection from the carrier's switching equipment to the demarcation point
Local loop
Central office (CO)
The carrier's switch within the toll network
switch
The carrier's internal infrastructure for transporting your data
Toll network
Customer premises equipment (CPE)
Customer premises equipment (CPE) is equipment that's owned by the subscriber and located on the subscriber’s
premises.
Demarcation point
The demarcation point is the precise spot where the service provider’s responsibility ends and the CPE begins. It’s
generally a device in a telecommunications closet owned and installed by the telecommunications company (telco).
It’s your responsibility to cable (extended demarc) from this box to the CPE, which is usually a connection to a
CSU/DSU or ISDN interface.
Local loop
The local loop connects the demarc to the closest switching office, which is called a central office.
Central office (CO)
This point connects the customer’s network to the provider’s switching network.
Toll network
The toll network is a trunk line inside a WAN provider’s network. This network is a collection of switches and
facilities owned by the ISP. Definitely familiarize yourself with these terms because they’re crucial to understanding
WAN technologies.
Synchronous V/s asynchronous
Synchronous serial connection allows you to simultaneously send and receive information without having to wait for
any signal from the remote side. Nor does a synchronous connection need to indicate when it is beginning to send
something or the end of a transmission. These two things, plus how clocking is done, are the three major differences
between synchronous and asynchronous connections—asynchronous connections are typically used for dialup
connections, such as modems.
wide-area networking can be broken into three categories:
п‚· Leased line
п‚·
п‚·
Circuit switched
Packet switched
Leased-Line Connections
In lease line, you get your very own piece of wire from your location to the service provider's network. This is good
because no other customer can affect your line, as can be the case with other WAN services. You have a lot of control
over this circuit to do things such as Quality of Service and other traffic management. The downside is that a leased
line is expensive and gets a lot more expensive if you need to connect offices that are far apart.
These are usually referred to as a point-to-point or dedicated connection. A leased line is a pre-established WAN
communications path that goes from the CPE through the DCE switch, then over to the CPE of the remote site.
п‚· The distance between the two sites is small, making them cost-effective.
п‚· You have a constant amount of traffic between two sites and need to guarantee bandwidth for certain
applications
Circuit-Switched Connections
A circuit-switched WAN uses the phone company as the service provider, either with analog dial-up or digital ISDN
connections. With circuit-switching, if you need to connect to the remote LAN, a call is dialed and a circuit is
established; the data is sent across the circuit, and the circuit is taken down when it is no longer needed. Circuitswitched connections include the following types:
Asynchronous serial connections
These include analog modem dialup connections and the standard telephone system, which is commonly referred to as
Plain Old Telephone Service (POTS) by the telephone carriers.
Synchronous serial connections
These include digital ISDN BRI and PRI dialup connections; they provide guaranteed bandwidth.
Packet-Switched Connections
Packet-switched WAN services allow you to connect to the provider's network in much the same way as a PC
connects to a hub: When connected, your traffic is affected by other customers' and theirs by you. This can be an issue
sometimes, but it can be managed. The advantage of this shared-bandwidth technology is that with a single physical
connection from your router's serial port, you can establish virtual connections to many other locations around the
world. Packet-switched connections use logical circuits to make connections between two sites. These logical circuits
are referred to as virtual circuits (VCs). So if you have a lot of branch offices and they are far away from the head
office, a packet-switched solution is a good idea.
X.25
The oldest of these four technologies is X.25, which is an ITU-T standard. X.25 is a network layer protocol that runs
across both synchronous and asynchronous physical circuits, providing a lot of flexibility for your connection options.
X.25 was actually developed to run across unreliable medium. It provides error detection and correction, as well as
flow control, at both the data link layer (by LAPB) and the network layer (by X.25). In this sense, it performs a
function similar to what TCP, at the transport layer, provides for IP. Because of its overhead, X.25 is best delegated to
asynchronous, unreliable connections. If you have a synchronous digital connection, another protocol, such as Frame
Relay or ATM, is much more efficient.
Frame Relay
Frame Relay is a digital packet-switched service that can run only across synchronous digital connections at the data
link layer. Because it uses digital connections (which have very few errors), it does not perform any error correction
or flow control as X.25 does. Frame Relay will, however, detect errors and drops bad frames. It is up to a higher layer
protocol, such as TCP, to resend the dropped information.
ATM
ATM is also a packet-switched technology that uses digital circuits. Unlike Frame Relay and X.25, however, this
service uses fixed-length (53 byte) packets, called cells, to transmit information. Therefore, this service is commonly
called a cell-switched service. It has an advantage over Frame Relay in that it can provide guaranteed throughput and
minimal delay for a multitude of services, includingvoice, video, and data. However, it does cost more than Frame
Relay services. ATM (sort of an enhanced Frame Relay) can offer a connection guaranteed bandwidth, limited delay,
limited number of errors, Quality of Service (QoS), and more. Frame Relay can provide some minimal guarantees to
connections, but not to the degree of precision that ATM can. Whereas Frame Relay is limited to 45 Mbps
connections, ATM can scale to very high speeds: OC-192 (SONET), for instance, affords about 10 Gbps of
bandwidth.
Encapsulation method
With each WAN solution, there is an encapsulation type. Encapsulations wrap an information envelope around your
data that is used to transport your data traffic. If you use leased line as your wide-area networking choice, you can
encapsulate your data inside a High-Level Data-Link Control (HDLC) frame, PPP frame, or Serial Line IP (SLIP)
frame. For packet-switched networks, you can encapsulate or package your data in X.25 frames, Frame Relay, or
Asynchronous Transfer Mode (ATM) frames.
HDLC
Based on ISO standards, the HDLC (High-Level Data Link Control) protocol can be used with synchronous and
asynchronous connections and defines the frame type and interaction between two devices at the data link layer.
Cisco's HDLC is a proprietary protocol and will not work with other company's router.
PPP
PPP (the Point-to-Point Protocol) is based on an open standard.
PPP has two main components:
п‚· LCP (Link Control Protocol)
п‚· NCP (Network Control Protocol)
NCP is responsible for supporting multiple Layer 3 protocols. Each protocol has its own NCP, such as the IPCP for IP
communication and IPXCP for IPX communication. Think of NCP as the "packager"; it is responsible for packaging,
or encapsulating, your packets into a control protocol that is readable by PPP.
The link control protocol is used for establishing the link and negotiating optional settings. These options include
 Compression— You can compress your data to conserve bandwidth across your WAN. Options for
compression are Stacker and Predictor.
 Callback— With callback, you dial into a router using a modem or ISDN and then disconnect. The other
router then calls you back at a predefined number. This option is used for centralized billing and security
reasons.
 Multilink— Multilink allows you to bundle together more than one link to create more bandwidth. (Traffic
will load balance across the links.) For example, you can bundle two 64K channels together to get a combined
128K.
 Authentication— You can use authentication to verify a router's identity when it is connecting into your
router. Options for authentication include CHAP and PAP.
PPP Authentication
PAP goes through a two-way handshake process. In this process, the source sends its username (or hostname) and
password, in clear text, to the destination. The destination compares this information with a list of locally stored
usernames and passwords. If it finds a match, the destination sends back an accept message. If it doesn't find a match,
it sends back a reject message.
CHAP uses a three-way handshake process to perform the authentication. The source sends its username (not its
password) to the destination. The destination sends back a challenge, which is a random value generated by the
destination. used by the source to find the appropriate password to use for authentication Both sides then take the
source's username, the matching password, and the challenge and run them through the MD5 hashing function. The
source then takes the result of this function and sends it to the destination. The destination compares this value to the
hashed output that it generated—if the two values match, then the password used by the source must have been the
same as was used by the destination, and thus the destination will permit the connection.
Configure hdlc ppp pap chap
In this article I will demonstrate how can you configure wan encapsulation protocols. HDLC is the default
encapsulation for synchronous serial links on Cisco routers. You would only use the encapsulation hdlc command to
return the link to its default state
For practical example of HDLC PPP create a simple topology as shown in figure or download this pre configured
topology and load it in packet tracer.
Pre configured topology for PPP and HDLC
Double click on R1 and check the default encapsulation
Router>
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omited]
As you can verify that default encapsulation on router is HDLC. A wan link work only when it detects same
protocols on same sides. To check it change the default encapsulation to PPP.
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation ppp
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is down (disabled)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation PPP, loopback not set, keepalive set (10 sec)
[output is omited]
as you can see that line protocols is disable. To enable it set the encapsulation back to HDLC and restart the port
with shut down command
Router#configure terminal
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation hdlc
Router(config-if)#shutdown
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#exit
Router#show interfaces serial 0/0/0
Serial0/0/0 is up, line protocol is up (connected)
Hardware is HD64570
Internet address is 20.0.0.1/8
MTU 1500 bytes, BW 64 Kbit, DLY 20000 usec, rely 255/255, load 1/255
Encapsulation HDLC, loopback not set, keepalive set (10 sec)
[output is omited]
Configuration of PPP
Now we will configure PPP encapsulations on both router. We will also authenticate it with CHAP. Hostname of
Router are R1 and R2 and password is vinita.
Double Click on R1 and configure it
Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#username R2 password vinita
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication chap
R1(config-if)#exit
R1(config)#
Now configure R2 for PPP
Router>enable
Router#configure terminal
Router(config)#hostname R2
R2(config)#username R1 password vinita
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication chap
R2(config-if)#exit
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0,
changed state to up
R2(config)#
HDLC PPP command reference sheet
Moves to interface configuration mode
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation hdlc Sets the encapsulation mode for this interface to HDLC
Moves to interface configuration mode
Router(config)#interface serial 0/0/0
Changes encapsulation from default HDLC to PPP
Router(config-if)#encapsulation ppp
Sets a username of R1 and a password of vinita for authentication from the
Router(config)#username R1 password
other side of the PPP serial link. This is used by the local router to
vinita
authenticate the PPP peer
Moves to interface configuration mode.
Router(config)#interface serial 0/0/0
Router(config-if)#ppp authentication
Turns on Password Authentication Protocol (PAP) authentication only
pap
Router(config-if)#ppp authentication Turns on Challenge Handshake Authentication Protocol (CHAP)
authentication only.
chap
Router(config-if)#ppp authentication Defines that the link will use PAP authentication, but will try CHAP if PAP
fails or is rejected by other side.
pap chap
Router(config-if)#ppp authentication Defines that the link will use CHAP authentication, but will try PAP if
CHAP fails or is rejected by other side.
chap pap
Router(config-if)#ppp pap
sentusername R1 password vinita
Router#show interfaces serial x
Router#show controllers serial x
Router#debug serial interface
Router#debug ppp
Router#debug ppp packet
Router#debug ppp negotiation
This command must be set if using PAP in Cisco IOS Software Release 11.1
or later
Lists information for serial interface x
Tells you what type of cable (DCE/DTE) is plugged into your interface and
whether a clock rate has been set
Displays whether serial keepalive counters are incrementing
Displays any traffic related to PPP
Displays PPP packets that are being sent and received
Displays PPP packets related to the negotiation of the PPP link
Frame Really
Frame Relay is a scalable WAN solution that is often used as an alternative to leased lines when leased lines prove to
be cost unaffordable. With Frame Relay, you can have a single serial interface on a router connecting into multiple
remote sites through virtual circuits.
Basic concept of Frame Relay
For exam prospective You should be familiar with terms
Virtual Circuits (VCs)
A VC is a logical connection between two devices; therefore, many of these VCs can exist on the same physical
connection. The advantage that VCs have over leased lines is that they can provide full connectivity at a much lower
price. VCs are also full-duplex: you can simultaneously send and receive on the same VC.
There are two types of VCs: permanent VCs (PVCs) and switched or semipermanent VCs (SVCs).
PVC is similar to a leased line: it is configured up front by the carrier and remains up as long as there is a physical
circuit path from the source to the destination.
SVC are similar to telephone circuit-switched connections: whenever you need to send data to a connection, an SVC
is dynamically built and then torn down once your data has been sent.
Disadvantage of PVCs is that they require a lot of manual configuration up front to establish the VC. Another
disadvantage is that they aren't very flexible: if the PVC fails, there is no dynamic rebuilding of the PVC around the
failure.
LMI
Three different standards are defined for LMI:1. ANSI's Annex D standard, T1.617
2. ITU-T's Q.933 Annex A standard
3. The Gang of Four
Because LMI is locally significant, each Frame Relay DTE in your network does not have to use the same LMI type
The main function of LMI is to allow the Frame Relay DTE and DCE to exchange status information about the VCs
and themselves Cisco has default timers for their status enquiry and full status update messages. Status enquiry
messages are sent every ten seconds, by default. Every sixth message is a full status update message.
The three possible states that your PVC can be in are
 Active— Active is good. Active means that everything is up and operational.
 Inactive— Inactive is bad. Inactive means that you are connected to your Frame Relay provider, but there is a
problem with the far-end connection. The problem is most likely between the far-end router and its
connection to the Frame Relay provider. You should contact your provider to troubleshoot the issue.
 Deleted— Deleted is also bad. Deleted means that there is a problem between your router and the Frame
Relay provider's equipment. You should contact your provider to troubleshoot this issue.
DLCI
Each VC has a unique local address, called a DLCI. Circuits are identified by data-link connection identifiers (DLCI).
DLCIs are assigned by your provider and are used between your router and the Frame Relay provider. In other words,
DLCIs are locally significant. This means that as a VC traverses various segments in a WAN, the DLCI numbers can
be different for each segment. DLCIs are locally significant. The carrier’s switches take care of mapping DLCI
numbers for a VC between DTEs and DCEs.
Nonbroadcast Multiaccess
Nonbroadcast multiaccess (NBMA) is a term used to describe WAN networks that use VCs for connectivity Frame
Relay is a nonbroadcast multi-access (NBMA) medium, which means that broadcast traffic is not allowed to traverse
Frame Relay traffic.
Split Horizon Issues
The main problem of NBMA environments arises when the network is partially meshed for a subnet. This can create
problems with routing protocols that support split horizon.
Solutions to Split Horizon Problems
Given the preceding problem with routing protocols that use split horizon, there are solutions that you can use to
overcome this issue:
п‚· Use static routes instead of dynamic routing protocols. This is not a scalable solution.
п‚· Disable split horizon with the no ip split-horizon command.This could create a loop, If you are not careful
п‚· Have a fully meshed topology where every router has a PVC to every other router. This can get expensive.
п‚· Use subinterfaces. This is your best option.
Subinterfaces
A subinterface is a subset of an existing physical interface. As far as the router is concerned, the subinterface is a
separate interface. By creating subinterfaces, each circuit can be on its own subnet. There are two types of
subinterfaces:
 Point-to-point— This maps a single IP subnet to a single subinterface and DLCI.
 Multipoint— This maps a single IP subnet to multiple DLCIs on a subinterface.
Inverse-Arp
Frame Relay needs a mechanism to map Layer 3 addresses withLayer 2 Frame Relay DLCIs. This can be done
through a static map command (shown later in the configuration section) or through inverse-arp. Just like Ethernet
ARP, inverse-arp is used to map a Layer 3 address to a Layer 2 address. However, Ethernet ARP maps an IP address
to a MAC address and inverse-arp works to map an IP address (or other protocol) to a DLCI.
FECN (Forward explicit congestion notification)
This value in the Frame Relay frame header is set by the carrier switch (typically) to indicate congestion inside the
carrier network to the destination device at the end of the VC; the carrier may be doing this to your traffic as it is on
its way to its destination.
BECN (backward explicit congestion notification)
This value is set by the destination DTE (Frame Relay device) in the header of the Frame Relay frame to indicate
congestion (from the source to the destination) to the source of the Frame Relay frames (the source DTE, the router).
Sometimes the carrier switches can generate BECN frames in the backward direction to the source to speed up the
congestion notification process. The source can then adapt its rate on the VC appropriately.
Access rate
This is the speed of the physical connection (such as a T1) between your router and the Frame Relay switch.
CIR (committed information rate)
This is the average data rate, measured over a fixed period of time, that the carrier guarantees for a VC.
BC (committed burst rate)
This is the average data rate (over a period of a smaller fixed time than CIR) that a provider guarantees for a VC; in
other words, it implies a smaller time period but a higher average than the CIR to allow for small bursts in traffic.
BE (excessive burst rate)
This is the fastest data rate at which the provider will ever service the VC. Some carriers allow you to set this value to
match the access rate.
DE (discard eligibility)
This is used to mark a frame as low priority. You can do this manually, or the carrier will do this for a frame that is
nonconforming to your traffic contract (exceeding CIR/BC values).
Oversubscription
When you add up all of the CIRs of your VCs on an interface, they exceed the access rate of the interface: you are
betting that all of your VCs will not run, simultaneously, at their traffic-contracted rates.
Configuration of Frame Relay
Configuring Frame Relay involves the following steps:
Chang the encapsulation
Go in interface mode and select the Frame Relay encapsulation on the interface. There are two types of Frame Relay
encapsulations: Cisco and IETF. Cisco is the default. The syntax to set your encapsulation is
encapsulation frame-relay [ietf]
Configuring the LMI type
The three LMI types are Cisco, Ansi, and Q933a. For IOS 11.2 and higher, the LMI type is automatically detected
frame-relay lmi-type [cisco | ansi | 933a]
Configuring the Frame Relay map
configuring a static Frame Relay map, is optional unless you are using subinterfaces. The Frame Relay map will map
a Layer 3 address to a local DLCI. This step is optional because inverse-arp will automatically perform this map for
you. The syntax for a Frame Relay map is as follows:
frame-relay map protocol address dlci [broadcast] [cisco | ietf]
Configuring subinterfaces
If you are using a routing protocol in a hub-and-spoke topology, you will probably want to use subinterfaces to avoid
the split-horizon problem. To configure a subinterface, remove the IP address off the main interface and put it under
the subinterface. Configuring a subinterface involves assigning it a number and specifying the type. The following
command creates point-to-point subinterface serial0/0.1
Router(config)#interface serial0/0.1 point-to-point
To create a multipoint subinterface, enter multipoint instead:
Router(config)#interface serial0/0.1 multipoint
Assign IP address to subinterface
After entering one of these commands you will be taken to the subinterface configuration mode where you can enter
your IP address:
Router(config-subif)#ip address 10.0.0.2 255.0.0.0
If you are using a multipoint subinterface, you will need to configure frame-relay maps and you cannot rely on
inverse-arp.
If you are using a point-to-point subinterface, you will need to assign a DLCI to the subinterface. This is only for
point-to-point subinterfaces; this is not needed on the main interface or on multipoint subinterfaces. To assign a DLCI
to a point-to-point subinterface, enter the following command under the subinterface:
frame-relay interface-dlci dlci
Configuration of Frame Relay
Lets practically implement whatever you learn so far. Download this pre configured topology and load it in packet
tracer.
Download topology for packet tracer
Now first configure R1. Fast Ethernet port and hostname is already configured. Double click on R1 and configure
serial port for frame relay encapsulation and further create sub interface for connecting R2, R3, R4. Configure also
static route for connecting remaining network.
Configure R1
R1>enable
R1#configure terminal
R1(config)#interface serial 0/0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config-subif)#interface serial 0/0/0.102 point-to-point
R1(config-subif)#ip address 192.168.1.245 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 102
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.103 point-to-point
R1(config-subif)#ip address 192.168.1.249 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 103
R1(config-subif)#exit
R1(config)#interface serial 0/0/0.104 point-to-point
R1(config-subif)#ip address 192.168.1.253 255.255.255.252
R1(config-subif)#frame-relay interface-dlci 104
R1(config-subif)#exit
R1(config)#ip route 192.168.1.64 255.255.255.224 192.168.1.246
R1(config)#ip route 192.168.1.96 255.255.255.224 192.168.1.250
R1(config)#ip route 192.168.1.128 255.255.255.224 192.168.1.254
R1(config)#exit
configure R2
R2>enable
R2#configure terminal
R2(config)#interface serial 0/0/0
R2(config-if)#encapsulation frame-relay
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface serial 0/0/0.101 point-to-point
R2(config-subif)#ip address 192.168.1.246 255.255.255.252
R2(config-subif)#frame-relay interface-dlci 101
R2(config-subif)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.245
configure R3
R3>enable
R3#configure terminal
R3(config)#interface serial 0/0/0
R3(config-if)#encapsulation frame-relay
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#interface serial 0/0/0.101 point-to-point
R3(config-subif)#ip address 192.168.1.250 255.255.255.252
R3(config-subif)#frame-relay interface-dlci 101
R3(config-subif)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.249
R3(config)#
configure R4
R4>enable
R4#configure terminal
R4(config)#interface serial 0/0/0
R4(config-if)#encapsulation frame-relay
R4(config-if)#no shutdown
R4(config-if)#exit
R4(config)#interface serial 0/0/0.101 point-to-point
R4(config-subif)#ip address 192.168.1.254 255.255.255.252
R4(config-subif)#frame-relay interface-dlci 101
R4(config-subif)#exit
R4(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.253
R4(config)#
now verify by doing ping from pc0 to all pc. It should be ping successfully. I have uploaded a configured topology but
use it as the final resort first try yourself to configure it.
Donload Configured Frame Relay
Router(config)#interface serial 0/0/0
Router(config-if)#encapsulation
frame-relay
Router(config-if)#frame-relay
lmitype {ansi | cisco | q933a}
Router(config-if)#frame-relay
interface-dlci 110
Router(config-fr-dlci)#exit
Router(config-if)#frame-relay map
ip 192.168.100.1 110 broadcast
Router(config-if)#no frame-relay
inverse arp
Router#show frame-relay map
Router#show frame-relay pvc
Router#show frame-relay lmi
Router#clear frame-relay counters
Router#clear frame-relay inarp
Router#debug frame-relay lmi
Enter in interface mode
Turns on Frame Relay encapsulation with the default encapsulation type of
cisco
Depending on the option you select, this command sets the LMI type to the
ANSI standard, the Cisco standard, or the ITU-T Q.933 Annex A standard.
Sets the DLCI number of 110 on the local interface and enters Frame Relay
DLCI configuration mode
Returns to interface configuration mode
Maps the remote IP address (192.168.100.1) to the local DLCI number (110).
The optional broadcast keyword specifies that broadcasts across IP should be
forwarded to this address. This is necessary when using dynamic routing
protocols.
Turns off Inverse ARP.
Displays IP/DLCI map entries
Displays the status of all PVCs configured
Displays LMI statistics
Clears and resets all Frame Relay counters
Clears all Inverse ARP entries from the map table
Used to help determine whether a router and Frame Relay switch are
exchanging LMI packets properly
Welcome to the Wireless Network
Wireless Networking
Wireless Networking Types of Networks
Wireless Networking Access Modes
Wireless Networking Basic
Wireless Networking Basic Security
Wireless Networking
Wireless networking is the new face of networking. Wireless networking have been around for many years. Cell
phones are also a type of wireless communication and are popular today for people talking to each other worldwide.
Wireless networking are not only less expensive than more traditional wired networking but also much easier to
install. An important goal of this site is to provide you adequate knowledge for installing a wireless network and get
certified in wireless networks as well as.
Perhaps you already useing wireless networking in your local coffee shop, at the airport, or in hotel lobbies, and you
want to set up a small office or home network. You already know how great wireless networking is, so you want to
enjoy the benefits where you live and work. It is truly transformational to one's lifestyle to decouple computing from
the wires! If you are looking to set up a wireless network, you've come to the right place. We will show you the best
way to set up wirless network easily. Many people are looking to find out how to use wireless networking at home.
In this wireless networking section we provide An Absolute Beginner's Guide provides in the perfect format for easily
learning what you need to know to get up to speed with wireless network without wasting a lot of time.
The organization of this site, and the special elements that we have described in this section will help you get the
information you need quickly, accurately, and with clarity. In this section you will find inspiration as well as practical
information. we believe that Wireless networks is a modest technology that has the power to have a huge and positive
impact.. This is wonderful material, and it's lots of fun! So what are you waiting for? It's time to Go for wireless
networking.
Wireless Network
A wireless network enables people to communicate and access applications and information without wires. This
provides freedom of movement and the ability to extend applications to different parts of a building, city, or nearly
anywhere in the world. Wireless networks allow people to interact with e-mail or browse the Internet from a location
that they prefer.
Many types of wireless communication systems exist, but a distinguishing attribute of a wireless network is that
communication takes place between computer devices. These devices include personal digital assistants (PDAs),
laptops, personal computers (PCs), servers, and printers. Computer devices have processors, memory, and a means of
interfacing with a particular type of network. Traditional cell phones don't fall within the definition of a computer
device; however, newer phones and even audio headsets are beginning to incorporate computing power and network
adapters. Eventually, most electronics will offer wireless network connections.
As with networks based on wire, or optical fiber, wireless networks convey information between computer devices.
The information can take the form of e-mail messages, web pages, database records, streaming video or voice. In most
cases, wireless networks transfer data, such as e-mail messages and files, but advancements in the performance of
wireless networks is enabling support for video and voice communications as well.
Types of Wireless Networks
WLANS: Wireless Local Area Networks
WLANS allow users in a local area, such as a university campus or library, to form a network or gain access to the
internet. A temporary network can be formed by a small number of users without the need of an access point; given
that they do not need access to network resources.
WPANS: Wireless Personal Area Networks
The two current technologies for wireless personal area networks are Infra Red (IR) and Bluetooth (IEEE 802.15).
These will allow the connectivity of personal devices within an area of about 30 feet. However, IR requires a direct
line of site and the range is less.
WMANS: Wireless Metropolitan Area Networks
This technology allows the connection of multiple networks in a metropolitan area such as different buildings in a
city, which can be an alternative or backup to laying copper or fiber cabling.
WWANS: Wireless Wide Area Networks
These types of networks can be maintained over large areas, such as cities or countries, via multiple satellite systems
or antenna sites looked after by an ISP. These types of systems are referred to as 2G (2nd Generation) systems.
Comparison of Wireless Network Types
Type
Coverage
Performance
Standards
Applications
Wireless
PAN
Within reach of
Moderate
a person
Wireless PAN Within reach of a person
Moderate Bluetooth, IEEE 802.15, and IrDa
Cable replacement for peripherals
Cable replacement for
peripherals
Wireless
LAN
Within a
building or
campus
High
IEEE 802.11, Wi-Fi, and HiperLAN
Mobile extension of wired
networks
Wireless
MAN
Within a city
High
Proprietary, IEEE 802.16, and WIMAX
Fixed wireless between
homes and businesses and
the Internet
Wireless
WAN
Worldwide
Low
CDPD and Cellular 2G, 2.5G, and 3G
Mobile access to the Internet
from outdoor areas
Wireless networking Access Modes
Two 802.11 access modes can be used in a WLAN:
п‚· Ad hoc mode
п‚· Infrastructure mode
Ad hoc mode is based on the Independent Basic Service Set (IBSS). In IBSS, clients can set up connections directly
to other clients without an intermediate AP. This allows you to set up peer-to-peer network connections and is
sometimes used in a SOHO. The main problem with ad hoc mode is that it is difficult to secure since each device you
need to connect to will require authentication. This problem, in turn, creates scalability issues.
Infrastructure mode was designed to deal with security and scalability issues. In infrastructure mode, wireless
clients can communicate with each other, albeit via an AP. Two infrastructure mode implementations are in use:
п‚· Basic Service Set (BSS)
п‚· Extended Service Set (ESS)
In BSS mode,
clients connect to an AP, which allows them to communicate with other clients or LANbased resources. The WLAN
is identified by a single SSID; however, each AP requires a unique ID, called a Basic Service Set Identifier (BSSID),
which is the MAC address of the AP’s wireless card. This mode is commonly used for wireless clients that don’t
roam, such as PCs.
In ESS mode,
two or more BSSs are interconnected to allow for larger roaming distances. To make this as transparent as possible to
the clients, such as PDAs, laptops, or mobile phones, a single SSID is used among all of the APs. Each AP, however,
will have a unique BSSID.
Coverage Areas
A WLAN coverage area includes the physical area in which the RF signal can be sent and received Two types of
WLAN coverage’s are based on the two infrastructure mode implementations:
п‚· Basic Service Area (BSA)
п‚· Extended Service Area (ESA)
The terms BSS and BSA, and ESS and ESA, can be confusing. BSS and ESS refer to the building topology whereas
BSA and ESA refer to the actual signal coverage
BSA
With BSA, a single area called a cell is used to provide coverage for the WLAN clients and AP
ESA
With ESA, multiple cells are used to provide for additional coverage over larger distances or to overcome areas that
have or signal interference or degradation. When using ESA, remember that each cell should use a different radio
channel.
Wireless Basic
Radio Frequency Transmission Factors
Radio frequencies (RF) are generated by antennas that propagate the waves into the air.
Antennas fall under two different categories:
directional and omni-directional.
Directional antennas are commonly used in point-to-point configurations (connecting two distant buildings), and
sometimes point-to-multipoint (connecting two WLANs).
An example of a directional antenna is a Yagi antenna: this antenna allows you to adjust the direction and focus of the
signal to intensify your range/reach.
Omni-directional antennas are used in point-to-multipoint configurations, where they distribute the wireless signal to
other computers or devices in your WLAN. An access point would use an omni-directional antenna. These antennas
can also be used for point-to-point connections, but they lack the distance that directional antennas supply
Three main factors influence signal distortion:
п‚· Absorption Objects
that absorb the RF waves, such as walls, ceilings, and floors
п‚· Scattering Objects
that disperse the RF waves, such as rough plaster on a wall, carpet on the floor, or drop-down ceiling tiles
п‚· Reflection Objects
that reflect the RF waves, such as metal and glass
Responsible body
The International Telecommunication Union-Radio Communication Sector (ITU-R) is responsible for managing the
radio frequency (RF) spectrum and satellite orbits for wireless communications: its main purpose is to provide for
cooperation and coexistence of standards and implementations across country boundaries.
Two standards bodies are primarily responsible for implementing WLANs:
п‚· IEEE
defines the mechanical process of how WLANs are implemented in the 802.11 standards so that vendors can
create compatible products.
п‚· The Wi-Fi Alliance
basically certifies companies by ensuring that their products follow the 802.11 standards, thus allowing
customers to buy WLAN products from different vendors without having to be concerned about any
compatibility issues.
Frequencies bands:
WLANs use three unlicensed bands:
1. 900 MHz Used by older cordless phones
2. 2.4 GHz Used by newer cordless phones, WLANs, Bluetooth, microwaves, and other devices
3. 5 GHz Used by the newest models of cordless phones and WLAN devices
п‚· 900 MHz and 2.4 GHz frequencies are referred to as the Industrial, Scientific, and Medical (ISM) bands.
п‚· 5 GHz frequency the Unlicensed National Information Infrastructure (UNII) band.
п‚· Unlicensed bands are still regulated by governments, which might define restrictions in their usage.
A hertz (Hz) is a unit of frequency that measures the change in a state or cycle in a wave (sound or radio) or
alternating current (electricity) during 1 second.
Transmission Method
Direct Sequence Spread Spectrum (DSSS)
uses one channel to send data across all frequencies within that channel. Complementary Code Keying (CCK) is a
method for encoding transmissions for higher data rates, such as 5.5 and 11 Mbps, but it still allows backward
compatibility with the original 802.11 standard, which supports only 1 and 2 Mbps speeds. 802.11b and 802.11g
support this transmission method.
OFDM (Orthogonal Frequency Division Multiplexing)
increases data rates by using a spread spectrum: modulation. 802.11a and 802.11g support this transmission method.
MIMO (Multiple Input Multiple Output)
transmission, which uses DSSS and/or OFDM by spreading its signal across 14 overlapping channels at 5 MHz
intervals. 802.11n uses it. Use of 802.11n requires multiple antennas.
WLAN Standards
Standards
802.11a
802.11b
802.11g
802.11n
Data Rate
54 Mbps
11 Mbps
54 Mbps
248 Mbps (with 2Г—2
antennas)
Throughput
23 Mbps
4.3 Mbps
19 Mbps
74 Mbps
Frequency
5 GHz
2.4 GHz
2.4 GHz
2.4 and/or 5 GHz
Compatibility
None
With 802.11g and the
With 802.11b
original 802.11
802.11a, b, and g
Range (meters)
35–120
38–140
38–140
70–250
Up to 23
3
14
DSSS
DSSS/OFDM
MIMO
Number of Channels 3
Transmission
OFDM
Wireless Networking Basic Security
How an end user client with a WLAN NIC accesses a LAN
1. To allow clients to find the AP easily, the AP periodically broadcasts beacons, announcing its (SSID) Service
Set Identifier, data rates, and other WLAN information.
2. SSID is a naming scheme for WLANs to allow an administrator to group WLAN devices together.
3. To discover APs, clients will scan all channels and listen for the beacons from the AP(s). By default, the
client will associate itself with the AP that has the strongest signal.
4. When the client associates itself with the AP, it sends the SSID, its MAC address, and any other security
information that the AP might require based on the authentication method configured on the two devices.
5. Once connected, the client periodically monitors the signal strength of the AP to which it is connected.
6. If the signal strength becomes too low, the client will repeat the scanning process to discover an AP with a
stronger signal. This process is commonly called roaming.
SSID and MAC Address Filtering
When implementing SSIDs, the AP and client must use the same SSID value to authenticate. By default, the access
point broadcasts the SSID value, advertising its presence, basically allowing anyone access to the AP. Originally, to
prevent rogue devices from accessing the AP, the administrator would turn off the SSID broadcast function on the AP,
commonly called SSID cloaking. To allow a client to learn the SSID value of the AP, the client would send a null
string value in the SSID field of the 802.11 frame and the AP would respond; of course, this defeats the security
measure since through this query process, a rogue device could repeat the same process and learn the SSID value.
Therefore, the APs were commonly configured to filter traffic based on MAC addresses. The administrator would
configure a list of MAC addresses in a security table on the AP, listing those devices allowed access; however, the
problem with this solution is that MAC addresses can be seen in clear-text in the airwaves. A rogue device can easily
sniff the airwaves, see the valid MAC addresses, and change its MAC address to match one of the valid ones.
This is called MAC address spoofing.
WEP
WEP (Wired Equivalent Privacy) was first security solutions for WLANs that employed encryption. WEP uses a
static 64-bit key, where the key is 40 bits long, and a 24-bit initialization vector (IV) is used. IV is sent in clear-text.
Because WEP uses RC4 as an encryption algorithm and the IV is sent in clear-text, WEP can be broken. To alleviate
this problem, the key was extended to 104 bits with the IV value. However, either variation can easily be broken in
minutes on laptops and computers produced today.
802.1x EAP
The Extensible Authentication Protocol (EAP) is a layer 2 process that allows a wireless client to authenticate to the
network. There are two varieties of EAP: one for wireless and one for LAN connections, commonly called EAP over
LAN (EAPoL).
One of the concerns in wireless is allowing a WLAN client to communicate to devices behind an AP. Three standards
define this process: EAP, 802.1x, and Remote Authentication Dial In User Service (RADIUS). EAP defines a
standard way of encapsulating authentication information, such as a username and password or a digital certificate
that the AP can use to authenticate the user.802.1x and RADIUS define how to packetize the EAP information to
move it across the network.
WPA
Wi-Fi Protected Access (WPA) was designed by the Wi-Fi Alliance as a temporary security solution to provide for
the use of 802.1x and enhancements in the use of WEP until the 802.11i standard would be ratified. WPA can operate
in two modes: personal and enterprise mode. Personal mode was designed for home or SOHO usage. A pre-shared
key is used for authentication, requiring you to configure the same key on the clients and the AP. With this mode, no
authentication server is necessary as it is in the official 802.1 x standards. Enterprise mode is meant for large
companies, where an authentication server will centralize the authentication credentials of the clients.
WPA2
WPA2 is the IEEE 802.11i implementation from the Wi-Fi Alliance. Instead of using WEP, which uses the weak RC4
encryption algorithm, the much more secure Advanced Encryption Standard (AES)–counter mode CBC-MAC
Protocol (CCMP) algorithm is used.
Complete ipv6 tutorials
No matter for which certification are you preparing IPv6 has become the essential part of all major
certifications. In order to get IT certification you must be familiar with IPv6. With a complete series of article
on ipv6 tutorials we have tried our level best to give you whatever universal certifications require from IT
professionals.
Limitations of IPv4
ipv6 tutorials on builtin features of IPv6
ipv6 tutorials on Comparison of IPv4 and IPv6
ipv6 tutorials on common terms and concepts
ipv6 tutorials on types of address format
ipv6 tutorials on Special Addresses
ipv6 tutorials on Address Assignment
ipv6 tutorials on Address Autoconfiguration
ipv6 tutorials on Assigning address to Windows server 2008 and Windows vista
ipv6 tutorials on tools ipconfig ping tracert netstat pathping
ipv6 tutorials on icmp overview error messages
ipv6 tutorials on neighbor discovery
ipv6 tutorials on Transition Strategies
ipv6 tutorials on configure cisco router with IPv6
ipv6 tutorials on configure routing with IPv6
The current version of IP (known as version 4 or IPv4) has not changed substantially since Request for Comments
(RFC) 791, which was published in 1981. IPv4 has proven to be robust, easily implemented, and interoperable. It has
stood up to the test of scaling internetworks to a global utility the size of today’s Internet. This is a tribute to its initial
design.
However, the initial design of IPv4 did not anticipate the following:
Limitations of IPv4
The recent exponential growth of the Internet and the impending exhaustion of the IPv4 address space
Given that an IP address is 32 bits in length, there are 232 actual IP addresses, which are 4.3 billion addresses. Only
3.7 billion of these are actually usable. Many addresses are reserved, such as the research (239–254), broadcast (255),
multicast (224–239), private (10, 172.16, and 192.168), and loopback addresses (127). And, of course, many of the
usable addresses are already assigned, leaving about 1.3 billion addresses for new growth. As a result, public IPv4
addresses have become relatively scarce, forcing many users and some organizations to use a NAT to map a single
public IPv4 address to multiple private IPv4 addresses. Although NATs promote reuse of the private address space,
they violate the fundamental design principle of the original Internet that all nodes have a unique, globally reachable
address, preventing true end-to-end connectivity for all types of networking applications. Additionally, the rising
prominence of Internet-connected devices and appliances ensures that the public IPv4 address space will eventually
be depleted.
The need for simpler configuration
Most current IPv4 implementations must be either manually configured or use a stateful address configuration
protocol such as Dynamic Host Configuration Protocol (DHCP). With more computers and devices using IP, there is
a need for a simpler and more automatic configuration of addresses and other configuration settings that do not rely
on the administration of a DHCP infrastructure.
The requirement for security at the Internet layer
Private communication over a public medium such as the Internet requires cryptographic services that protect the data
being sent from being viewed or modified in transit. Although a standard now exists for providing security for IPv4
packets (known as Internet Protocol security, or IPSec. This standard is optional for IPv4 and additional security
solutions, some of which are proprietary, are prevalent.
The need for better support for prioritized and real-time delivery of data
Although standards for prioritized and real-time delivery of data—sometimes referred to as Quality of Service
(QoS)—exist for IPv4, real-time traffic support relies on the 8 bits of the historical IPv4 Type of Service (TOS) field
and the identification of the payload, typically using a User Datagram Protocol (UDP) or Transmission Control
Protocol (TCP) port. Unfortunately, the IPv4 TOS field has limited functionality and, over time, has been redefined
and has different local interpretations. The current standards for IPv4 use the TOS field to indicate a Differentiated
Services Code Point (DSCP), a value set by the originating node and used by intermediate routers for prioritized
delivery and handling. Additionally, payload identification that uses a TCP or UDP port is not possible when the IPv4
packet payload is encrypted. To address these and other concerns, the Internet Engineering Task Force (IETF) has
developed a suite of protocols and standards known as IP version 6 (IPv6).
Features built into IPv6
In our last section we learnt about the limitations of IPv6. Now we will discuss built in feature of IPv6.
Very large address space
IPv6’s large address space deals with global growth, where route prefixes can be easily aggregated in routing updates.
Security
IP security (IPSec) is built into IPv6, whereas it is an awkward add-on in IPv4. With IPv6, two devices can
dynamically negotiate security parameters and build a secure tunnel between them with no user intervention.
Mobility
With the growth of mobile devices, such as PDAs and smart phones, devices can roam between wireless networks
without breaking their connections. Streamlined encapsulation The IPv6 encapsulation is simpler than IPv4, providing
faster forwarding rates by routers and better routing efficiency.
п‚· No checksums are included, reducing processing on endpoints.
п‚· No broadcasts are used, reducing utilization of devices within the same subnet.
QoS
Information is built into the IPv6 header, where a flow label identifies the traffic; this alleviates intermediate network
devices from having to examine contents inside the packet, the TCP/UDP headers, and payload information to classify
the traffic for QoS correctly.
Transition capabilities
Various solutions exist to allow IPv4 and IPv6 to successfully coexist when migrating between the two. One method,
dual stack, allows you to run both protocols simultaneously on an interface of a device. A second method, tunneling,
allows you to tunnel IPv6 over IPv4 and vice versa to transmit an IP version of one type across a network using
another type. Cisco supports a third method, referred to as Network Address Translation-Protocol Translation (NATPT), to translate between IPv4 and IPv6 (sometimes the term Proxy is used instead of Protocol).
Stateless and Stateful Address Configuration
To simplify host configuration, IPv6 supports both stateful address configuration (such as address configuration in the
presence of a DHCP for IPv6, or DHCPv6, server) and stateless address configuration (such as address configuration
in the absence of a DHCPv6 server).
New Protocol for Neighboring Node Interaction
The Neighbor Discovery protocol for IPv6 is a series of Internet Control Message Protocol for IPv6 (ICMPv6)
messages that manages the interaction of neighboring nodes (nodes on the same link). Neighbor Discovery replaces
and extends the Address Resolution Protocol (ARP) (broadcast-based), ICMPv4 Router Discovery, and ICMPv4
Redirect messages with efficient multicast and unicast Neighbor Discovery messages.
Extensibility
IPv6 can easily be extended for new features by adding extension headers after the IPv6 header.
Comparison of IPv4 and IPv6
IPv6 solves the Address Depletion Problem
With the explosion in the popularity of the Internet has come the introduction of commerce related activities that can
now be done over the Internet by an ever-increasing number of devices. With IPv4, the number of public addresses
available to new devices is limited and shrinking. IPv4 cannot continue to scale and provide global connectivity to all
of the planned Internet-capable devices to be produced and connected in the next 10 years. Although these devices can
be assigned private addresses, address and port translation introduces complexity to the devices that want to perform
server, listening, or peer functionality. IPv6 solves the IPv4 public address depletion problem by providing an address
space to last well into the twenty-first century. The business benefit of moving to IPv6 is that mobile cell phones,
personal data assistants (PDAs), automobiles, appliances, and even people can be assigned multiple globally
reachable addresses. The growth of the devices connected to the Internet and the software that these devices run can
proceed without restraint and without the complexity and cost of having to operate behind NATs.
IPv6 Solves the Disjoint Address Space Problem
With IPv4, there are typically two different addressing schemes for the home and the enterprise network.
In the home, an Internet gateway device (IGD) is assigned a single public IPv4 address and the IGD assigns private
IPv4 addresses to the hosts on the home network.
An enterprise might have multiple public IPv4 addresses or a public address range and either assign public, private,
or both types of addresses within the enterprise’s intranet.
However, the public and private IPv4 address spaces are disjoint; they do not provide symmetric reach ability at the
Network layer. Symmetric reach ability exists when packets can be sent to and received from an arbitrary destination.
With IPv4, there is no single addressing scheme that is applied to both networks that allows seamless connectivity.
Connectivity between disjoint networks requires intermediate devices such as NATs or proxy servers. With IPv6,
both homes and enterprises will be assigned global address prefixes and can seamlessly connect, subject to security
restrictions such as firewall filtering and authenticated communication.
IPv6 Solves the International Address Allocation Problem
The Internet was principally a creation of educational institutions and government agencies of the United States of
America. In the early days of the Internet, connected sites in the United States received IPv4 address prefixes without
regard to summarize ability or need. The historical result of this address allocation practice is that the United States
has a disproportionate number of public IPv4 addresses.
With IPv6, public address prefixes are assigned to regional Internet registries, which, in turn, assign address prefixes
to other ISPs and organizations based on justified need. This new address allocation practice ensures that address
prefixes will be distributed globally based on regional connectivity needs, rather than by historical origin. This makes
the Internet more of a truly global resource, rather than a United States—centric one. The business benefit to
organizations across the globe is that they can rely on having available public IPv6 address space, without the current
cost of obtaining IPv4 public address prefixes from their ISP.
IPv6 Restores End-to-End Communication
With IPv4 NATs, there is a technical barrier for applications that rely on listening or peer based connectivity because
of the need for the communicating peers to discover and advertise their public IPv4 addresses and ports. The
workarounds for the translation barrier might also require the deployment of echo or rendezvous servers on the
Internet to provide public address and port configuration information.
With IPv6, NATs are no longer necessary to conserve public address space, and the problems associated with
mapping addresses and ports disappear for developers of applications and gateways. More importantly, end-to-end
communication is restored between hosts on the Internet by using addresses in packets that do not change in transit.
IPv6 Uses Scoped Addresses and Address Selection
Unlike IPv4 addresses, IPv6 addresses have a scope, or a defined area of the network over which they are unique and
relevant. For example,
IPv6 has a global address that is equivalent to the IPv4 public address and a unique local address that is roughly
equivalent to the IPv4 private address.
Typical IPv4 routers do not distinguish a public address from a private address and will forward a privately addressed
packet on the Internet.
An IPv6 router, on the other hand, is aware of the scope of IPv6 addresses and will never forward a packet over an
interface that does not have the correct scope.
IPv6 Has More Efficient Forwarding
IPv6 is a streamlined version of IPv4. Excluding prioritized delivery traffic, IPv6 has fewer fields to process and
fewer decisions to make in forwarding an IPv6 packet.
Unlike IPv4, the IPv6 header is a fixed size (40 bytes), which allows routers to process IPv6 packets faster.
Additionally, the hierarchical and summarize able addressing structure of IPv6 global addresses means that there are
fewer routes to analyze in the routing tables of organization and Internet backbone routers. The consequence is traffic
that can be forwarded at higher data rates, resulting in higher performance for tomorrow’s high-bandwidth
applications that use multiple data types.
IPv6 Has Support for Security and Mobility
IPv6 has been designed to support security (IPsec) (AH and ESP header support required) and mobility (Mobile
IPv6) (optional). Although one could argue that these features are available for IPv4, they are available on IPv4 as
extensions, and therefore they have architectural or connectivity limitations that might not have been present if they
had been part of the original IPv4 design. It is always better to design features in rather than bolt them on. The result
of designing IPv6 with security and mobility in mind is an implementation that is a defined standard, has fewer
limitations, and is more robust and scalable to handle the current and future communication needs of the users of the
Internet. The business benefit of requiring support for IPsec and using a single, global address space is that IPv6 can
protect packets from end to end across the entire IPv6 Internet. Unlike IPsec on the IPv4 Internet, which must be
modified and has limited functionality when the endpoints are behind NATs, IPsec on the IPv6 Internet is fully
functional between any two endpoints.
IPv6 common terms and concepts
Node
Any device that runs an implementation of IPv6. This includes routers and hosts.
Router
A node that can forward IPv6 packets not explicitly addressed to itself. On an IPv6 network, a router also typically
advertises its presence and host configuration information.
Host
A node that cannot forward IPv6 packets not explicitly addressed to itself (a non router). A host is typically the source
and a destination of IPv6 traffic, and it silently discards traffic received that is not explicitly addressed to itself.
Upper-layer protocol
A protocol above IPv6 that uses IPv6 as its transport. Examples include Internet layer protocols such as ICMPv6 and
Transport layer protocols such as TCP and UDP (but not Application layer protocols such as FTP and DNS, which
use TCP and UDP as their transport).
Link
The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix.
Other terms for ―link‖ are subnet and network segment.
Network
Two or more subnets connected by routers. Another term for network is internetworks.
Neighbors
Nodes connected to the same link. Neighbors in IPv6 have special significance because of IPv6 Neighbor Discovery,
which has facilities to resolve neighbor link layer addresses and detect and monitor neighbor reach ability.
Interface
The representation of a physical or logical attachment of a node to a link. An example of a physical interface is a
network adapter. An example of a logical interface is a ―tunnel‖ interface that is used to send IPv6 packets across an
IPv4 network by encapsulating the IPv6 packet inside an IPv4 header.
Address
An identifier that can be used as the source or destination of IPv6 packets that is assigned at the IPv6 layer to an
interface or set of interfaces.
Packet
The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.
Link
MTU The maximum transmission unit (MTU)—the number of bytes in the largest IPv6 packet—that can be sent on a
link. Because the maximum frame size includes the link-layer medium headers and trailers, the link MTU is not the
same as the maximum frame size of the link. The link MTU is the same as the maximum payload size of the linklayer technology. For example, for Ethernet using Ethernet II encapsulation, the maximum Ethernet frame payload
size is 1500 bytes. Therefore, the link MTU is 1500. For a link with multiple link-layer technologies (for example, a
bridged link), the link MTU is the smallest link MTU of all the link-layer technologies present on the link.
Path
MTU The maximum-sized IPv6 packet that can be sent without performing host fragmentation between a source and
destination over a path in an IPv6 network. The path MTU is typically the smallest link MTU of all the links in the
path.
Types of IPv6 Address Format
п‚· Whereas IPv4 addresses use a dotted-decimal format, where each byte ranges from 0 to 255.
IPv6 addresses use eight sets of four hexadecimal addresses (16 bits in each set), separated by a colon (:),
like this: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (x would be a hexadecimal value). This notation is
commonly called string notation.
 Hexadecimal values can be displayed in either lower- or upper-case for the numbers A–F.
п‚·
A leading zero in a set of numbers can be omitted;
for example, you could either enter 0012 or 12 in one of the eight fields—both are correct.
п‚· If you have successive fields of zeroes in an IPv6 address, you can represent them as two colons (::). For
example, 0:0:0:0:0:0:0:5 could be represented as ::5; and ABC:567:0:0:8888:9999:1111:0 could be
represented as ABC:567::8888:9999:1111:0. However, you can only do this once in the address:
ABC::567::891::00 would be invalid since :: appears more than once in the address. The reason for this
limitation is that if you had two or more repetitions, you wouldn’t know how many sets of zeroes were being
omitted from each part.
п‚· An unspecified address is represented as ::, since it contains all zeroes.
Types of IPv6 Addresses
Anycast
An anycast address identifies one or more interfaces. Notice that the term device isn’t used since a device can have
more than one interface. Sometimes people use the term node to designate an interface on a device. Basically, an
anycast is a hybrid of a unicast and multicast address.
п‚· With a unicast, one packet is sent to one destination;
п‚· With a multicast, one packet is sent to all members of the multicast group;
п‚· With an anycast, a packet is sent to any one member of a group of devices that are configured with the
anycast address. By default, packets sent to an anycast address are forwarded to the closet interface (node),
which is based on the routing process employed to get the packet to the destination. Given this process,
anycast addresses are commonly referred to as one-to-the-nearest address.
Multicast
п‚· Represent a group of interfaces interested in seeing the same traffic.
п‚· The first 8 bits are set to FF.
п‚· The next 4 bits are the lifetime of the address: 0 is permanent and 1 is temporary.
п‚· The next 4 bits indicate the scope of the multicast address (how far the packet can travel):
1 is for a node, 2 is for a link, 5 is for the site, 8 is for the organization,
and E is global (the Internet).
For example, a multicast address that begins with FF02::/16 is a permanent link address, whereas an address of
FF15::/16 is a temporary address for a site.
Unicast
Unicast IPv6 Addresses
The following types of addresses are unicast IPv6 addresses:
п‚· Global unicast addresses
п‚· Link-local addresses
п‚· Site-local addresses
п‚· Unique local addresses
п‚· Special addresses
п‚· Transition addresses
Global Unicast Addresses
IPv6 global addresses are equivalent to public IPv4 addresses. They are globally routable and reachable on the IPv6
Internet. Global unicast addresses are designed to be aggregated or summarized for an efficient routing infrastructure.
Unlike the current IPv4-based Internet, which is a mixture of both flat and hierarchical routing, the IPv6-based
Internet has been designed from its foundation to support efficient, hierarchical addressing and routing. The scope of a
global address is the entire IPv6 Internet. RFC 4291 defines global addresses as all addresses that are not the
unspecified, loopback, link-local unicast, or multicast addresses. However, Figure shows the structure of global
unicast addresses defined in RFC 3587 that are currently being used on the IPv6 Internet.
The structure of global unicast addresses defined in RFC 3587 The fields in the global unicast address are described in
the following list:
п‚· Fixed portion set to 001 the three high-order bits are set to 001.
 Global Routing Prefix Indicates the global routing prefix for a specific organization’s site. The combination
of the three fixed bits and the 45-bit Global Routing Prefix is used to create a 48-bit site prefix, which is
assigned to an individual site of an organization. A site is an autonomously operating IP-based network that is
connected to the IPv6 Internet. Network architects and administrators within the site determine the addressing
plan and routing policy for the organization network. Once assigned, routers on the IPv6 Internet forward
IPv6 traffic matching the 48-bit prefix to the routers of the organization’s site.
 Subnet ID The Subnet ID is used within an organization’s site to identify subnets within its site. The size of
this field is 16 bits. The organization’s site can use these 16 bits within its site to create 65,536 subnets or
multiple levels of addressing hierarchy and an efficient routing infrastructure. With 16 bits of subnetting
flexibility, a global unicast prefix assigned to an organization site is equivalent to a public IPv4 Class A
address prefix (assuming that the last octet is used for identifying nodes on subnets). The routing structure of
the organization’s network is not visible to the ISP.
п‚· Interface ID Indicates the interface on a specific subnet within the site. The size of this field is 64 bits. The
interface ID in IPv6 is equivalent to the node ID or host ID in IPv4.
Local-Use Unicast Addresses
Local-use unicast addresses do not have a global scope and can be reused. There are two types of local-use unicast
addresses:
1. Link-local addresses are used between on-link neighbors and for Neighbor Discovery processes.
2. Site-local addresses are used between nodes communicating with other nodes in the same organization.
Link-Local Addresses FE8:: through FEB::
Link-local addresses are a new concept in IPv6. These kinds of addresses have a smaller scope as to how far they can
travel: just the local link (the data link layer link). Routers will process packets destined to a link-local address, but
they will not forward them to other links. Their most common use is for a device to acquire unicast site-local or global
unicast addressing information, discovering the default gateway, and discovering other layer 2 neighbors on the
segment. IPv6 link-local addresses, identified by the initial 10 bits being set to 1111 1110 10 and the next 54 bits set
to 0, are used by nodes when communicating with neighboring nodes on the same link. For example, on a single-link
IPv6 network with no router, link-local addresses are used to communicate between hosts on the link. IPv6 link-local
addresses are similar to IPv4 link-local addresses defined in RFC 3927 that use the 169.254.0.0/16 prefix. The use of
IPv4 link-local addresses is known as Automatic Private IP Addressing (APIPA) in Windows Vista, Windows Server
2008, Windows Server 2003, and Windows XP. The scope of a link local address is the local link. A link-local
address is required for some Neighbor Discovery processes and is always automatically configured, even in the
absence of all other unicast addresses. Link-local addresses always begin with FE80. With the 64-bit interface
identifier, the prefix for link-local addresses is always FE80::/64.
An IPv6 router never forwards link-local traffic beyond the link.
Site-Local Addresses FEC:: through FFF::
represent a particular site or company. These addresses can be used within a company without having to waste any
public IP addresses—not that this is a concern, given the large number of addresses available in IPv6. However, by
using private addresses, you can easily control who is allowed to leave your network and get returning traffic back by
setting up address translation policies for IPv6. Site-local addresses, identified by setting the first 10 bits to 1111 1110
11, are equivalent to the IPv4 private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). For example,
private intranets that do not have a direct, routed connection to the IPv6 Internet can use site local addresses without
conflicting with global addresses. Site-local addresses are not reachable from other sites, and routers must not forward
site-local traffic outside the site. Site-local addresses can be used in addition to global addresses. The scope of a sitelocal address is the site. Unlike link-local addresses, site-local addresses are not automatically configured and must be
assigned either through stateless or stateful address autoconfiguration. The first 10 bits are always fixed for site-local
addresses, beginning with FEC0::/10. After the 10 fixed bits is a 54-bit Subnet ID field that provides 54 bits with
which you can create subnets within your organization. You can have a flat subnet structure, or you can divide the
high order bits of the Subnet ID field to create a hierarchical and summarize able routing infrastructure. After the
Subnet ID field is a 64-bit Interface ID field that identifies a specific interface on a subnet. Site-local addresses have
been formally deprecated in RFC 3879 for future IPv6 implementations. However, existing implementations of IPv6
can continue to use site-local addresses.
Zone IDs for Local-Use Addresses
Unlike global addresses, local-use addresses (link-local and site-local addresses) can be reused. Link-local addresses
are reused on each link. Site-local addresses can be reused within each site of an organization. Because of this address
reuse capability, link-local and site-local addresses are ambiguous. To specify the link on which the destination is
located or the site within which the destination is located, an additional identifier is needed. This additional identifier
is a zone identifier (ID), also known as a scope ID, which identifies a connected portion of a network that has a
specified scope. The syntax specified in RFC 4007 for identifying the zone associated with a local-use address is
Address%zone ID, in which Address is a local-use unicast IPv6 address and zone ID is an integer value representing
the zone. The values of the zone ID are defined relative to the sending host. Therefore, different hosts might
determine different zone ID values for the same physical zone. For example, Host A might choose 3 to represent the
zone of an attached link and Host B might choose 4 to represent the same link.
Unique Local Addresses
Site-local addresses provide a private addressing alternative to global addresses for intranet traffic. However, because
the site-local address prefix can be reused to address multiple sites within an organization, a site-local address prefix
can be duplicated. The ambiguity of site local addresses in an organization adds complexity and difficulty for
applications, routers, and network managers.
To replace site-local addresses with a new type of address that is private to an organization yet unique across all the
sites of the organization, RFC 4193 defines unique local IPv6 unicast addresses. The first 7 bits have the fixed binary
value of 1111110. All local addresses have the address prefix FC00::/7. The Local (L) flag is set 1 to indicate that the
prefix is locally assigned. The L flag value set to 0 is not defined in RFC 3879. Therefore, unique local addresses
within an organization with the L flag set to 1 have the address prefix of FD00::/8. The Global ID identifies a specific
site within an organization and is set to a randomly derived 40-bit value. By deriving a random value for the Global
ID, an organization can have statistically unique 48-bit prefixes assigned to their sites. Additionally, two organizations
that use unique local addresses that merge have a low probability of duplicating a 48-bit unique local address prefix,
minimizing site renumbering. Unlike the Global Routing Prefix in global addresses, the Global IDs in unique local
address prefixes are not designed to be summarized. Unique local addresses have a global scope, but their reach
ability is defined by routing topology and filtering policies at Internet boundaries. Organizations will not advertise
their unique local address prefixes outside of their organizations or create DNS entries with unique local addresses in
the Internet DNS. Organizations can easily create filtering policies at their Internet boundaries to prevent all unique
local-addressed traffic from being forwarded. Because they have a global scope, unique local addresses do not need a
zone ID. The global address and unique local address share the same structure beyond the first 48 bits of the address.
In both addresses, the 16-bit Subnet ID field identifies a subnet within an organization. Because of this, you can create
a subnetted routing infrastructure that is used for both local and global addresses. For example, a specific subnet of
your organization can be assigned both the global prefix 2001:DB8:4D1C:221A::/64 and the local prefix
FD0E:2D:BA9:221A::/64, where the subnet is identified for both types of prefixes by the Subnet ID value of 221A.
Although the subnet identifier is the same for both prefixes, routes for both prefixes must still be propagated
throughout the routing infrastructure so that addresses based on both prefixes are reachable.
Summary tables of IPv6 Addresses
Address
Value
Description
Global
2000::/3
These are assigned by the IANA and used on public networks.
They are equivalent to IPv4 global (sometimes called public)
addresses. ISPs summarize these to provide scalability in the
Internet.
Reserved
(range)
Reserved addresses are used for specific types of anycast as well
as for future use. Currently about 1/256th of the IPv6 address
space is reserved.
Private
FE80::/10
Like IPv4, IPv6 supports private addressing, which is used by
devices that don’t need to access a public network. The first two
digits are FE, and the third digit can range from 8 to F.
::1
Like the 127.0.0.1 address in IPv4, 0:0:0:0:0:0:0:1, or ::1, is used
for local testing functions; unlike IPv4, which dedicates a
complete A class block of addresses for local testing, only one is
used in IPv6.
::
0.0.0.0 in IPv4 means ―unknown‖ address. In IPv6, this is
represented by 0:0:0:0:0:0:0:0, or ::, and is typically used in the
source address field of the packet when an interface doesn’t have
an address and is trying to acquire one dynamically.
Loopback
Unspecified
In our next article we will discus about special IPv6 address, IPv4 address and their equivalents IPv6 address. And
then we learn how to assign these addresses to host, router and other devices.
Special IPv6 Addresses corresponding IPv4
In our pervious article we learnt about IPv6 address types and format in this article we learn about some special types
of IPv6 address. This article is the second volume of IPv6 address types and formats so if you have missed our
pervious article we suggest you to review it.
types of IPv6 address format
Special IPv6 Addresses
The following are special IPv6 addresses:
Unspecified address
The unspecified address (0:0:0:0:0:0:0:0 or ::) is used only to indicate the absence of an address. It is equivalent to the
IPv4 unspecified address of 0.0.0.0. The unspecified address is typically used as a source address when a unique
address has not yet been determined. The unspecified address is never assigned to an interface or used as a destination
address.
Loopback address
The loopback address (0:0:0:0:0:0:0:1 or ::1) is assigned to a loopback interface, enabling a node to send packets to
itself. It is equivalent to the IPv4 loopback address of 127.0.0.1. Packets addressed to the loopback address must never
be sent on a link or forwarded by an IPv6 router.
Transition Addresses
To aid in the transition from IPv4 to IPv6 and the coexistence of both types of hosts, the following addresses are
defined:
IPv4-compatible address
The IPv4-compatible address, 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z (where w.x.y.z is the dotted decimal representation of a
public IPv4 address), is used by IPv6/IPv4 nodes that are communicating with IPv6 over an IPv4 infrastructure that
uses public IPv4 addresses, such as the Internet. IPv4-compatible addresses are deprecated in RFC 4291 and are not
supported in IPv6 for Windows Vista and Windows Server 2008.
IPv4-mapped address
The IPv4-mapped address, 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF: w.x.y.z, is used to represent an IPv4 address as a 128bit IPv6 address.
6to4 address
An address of the type 2002:WWXX:YYZZ:Subnet ID:Interface ID, where WWXX:YYZZ is the colon hexadecimal
representation of w.x.y.z (a public IPv4 address), is assigned a node for the 6to4 IPv6 transition technology.
ISATAP address
An address of the type 64-bit prefix:0:5EFE:w.x.y.z, where w.x.y.z is a private IPv4 address, is assigned to a node for
the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) IPv6 transition technology.
Teredo address
A global address that uses the prefix 2001::/32 and is assigned to a node for the Teredo IPv6 transition technology.
Beyond the first 32 bits, Teredo addresses are used to encode the IPv4 address of a Teredo server, flags, and an
obscured version of a Teredo client’s external address and UDP port number.
IPv4 Addresses and their corresponding IPv6
IPv4 Address
IPv6 Address
Internet address classes
Not applicable in IPv6
Multicast addresses (224.0.0.0/4)
IPv6 multicast addresses (FF00::/8)
Broadcast addresses
Not applicable in IPv6
Unspecified address is 0.0.0.0
Unspecified address is ::
Loopback address is 127.0.0.1
Loopback address is ::1
Public IP addresses
Aggregatable global unicast addresses
Private IP addresses (10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16)
Site-local addresses (FEC0::/48)
APIPA addresses (169.254.0.0/16)
Link-local addresses (FE80::/64)
Text representation: Dotted decimal notation
Text representation: Colon hexadecimal
format with suppression of leading zeros and
zero compression. IPv4-compatible addresses
are expressed in dotted decimal notation.
Network bits representation: Subnet mask in
dotted decimal notation or prefix length
Network bits representation: Prefix length
notation only
Assigning IPv6 address to Devices
IPv6 Addresses for a Host
An IPv4 host with a single network adapter typically has a single IPv4 address assigned to that adapter. An IPv6 host,
however, usually has multiple IPv6 addresses assigned to each adapter. The interfaces on a typical IPv6 host are
assigned the following unicast addresses:
п‚· A link-local address for each interface
п‚· Additional unicast addresses for each interface (which could be one or multiple unique local or global
addresses)
п‚·
The loopback address (::1) for the loopback interface Typical IPv6 hosts are always logically multi homed
because they always have at least two addresses with which they can receive packets—a link-local address for
local link traffic and a routable unique local or global address. Additionally, each interface on an IPv6 host is
listening for traffic on the following multicast addresses:
п‚· The interface-local scope all-nodes multicast address (FF01::1)
п‚· The link-local scope all-nodes multicast address (FF02::1)
п‚· The solicited-node address for each unicast address assigned
п‚· The multicast addresses of joined groups
IPv6 Addresses for a Router
The interfaces on an IPv6 router are assigned the following unicast addresses:
п‚· A link-local address for each interface
п‚· Additional unicast addresses for each interface (which could be one or multiple unique local or global
addresses)
п‚· The loopback address (::1) for the loopback interface
п‚· Additionally, the interfaces of an IPv6 router are assigned the following anycast addresses:
п‚· A Subnet-Router anycast address for each subnet
п‚· Additional anycast addresses (optional)
п‚· Additionally, the interfaces of an IPv6 router are listening for traffic on the following multicast addresses:
п‚· The interface-local scope all-nodes multicast address (FF01::1)
п‚· The interface-local scope all-routers multicast address (FF01::2)
п‚· The link-local scope all-nodes multicast address (FF02::1)
п‚· The link-local scope all-routers multicast address (FF02::2)
п‚· The site-local scope all-routers multicast address (FF05::2)
п‚· The solicited-node address for each unicast address assigned
п‚· The multicast addresses of joined groups
Static Address Assignment
One option you have is to statically assign a unicast address to a device’s interface using either of these two
approaches:
Specify all 128-bits manually
Use EUI-64
You can manually specify the entire 128-bit address, or you can specify the subnet ID and have the device use the
EUI-64 method to create the interface ID part of the address
Manually Configuring the IPv6 Protocol
Unlike IPv6 in Windows XP and Windows Server 2003, the IPv6 protocol in Windows Server 2008 and Windows
Vista is installed and enabled by default. The IPv6 protocol for Windows Server 2008 and Windows Vista is designed
to be auto configuring. For example, it automatically configures link-local addresses for communication between
nodes on a link. If there is an IPv6 router on the host’s subnet or an ISATAP router, the host uses received router
advertisements to automatically configure additional addresses, a default router, and other configuration parameters.
You can manually configure IPv6 addresses and other parameters in Windows Vista using the following:
п‚· Form lan card properties
п‚· From command prompt
The properties of Internet Protocol Version 6 (TCP/IPv6) component
Just as you can configure IPv4 settings through the properties of the Internet Protocol Version 4 (TCP/IPv4)
component in the Network Connections folder, you can now configure IPv6 settings through the properties of the
Internet Protocol Version 6 (TCP/IPv6) component. The set of dialog boxes for IPv6 configuration is very similar to
the corresponding dialog boxes for IPv4. However, the properties of the Internet Protocol Version 6 (TCP/IPv6)
component provide only basic configuration of IPv6.
Commands in the netsh interface ipv6 context
Just as you can in Windows XP and Windows Server 2003, you can configure IPv6 settings for Windows Server 2008
or Windows Vista from the interface ipv6 context of the Netsh.exe tool. Although typical IPv6 hosts do not need to be
manually configured, IPv6 routers must be manually configured.
Configuring IPv6 Through the Properties of Internet Protocol Version 6 (TCP/IPv6)
To manually configure IPv6 settings through the Network Connections folder, do the following:
п‚· From the Network Connections folder, right-click the connection or adapter on which you want to manually
configure IPv6, and then click Properties.
п‚· On the Networking tab for the properties of the connection or adapter, under This Connection Uses The
Following Items, double-click Internet Protocol Version 6 (TCP/IPv6) in the list.
Windows Vista displays the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box.
The Internet Protocol Version 6 (TCP/IPv6) Properties dialog box
General Tab
On the General tab of the Internet Protocol Version 6 (TCP/IPv6) Properties dialog box, you can configure the
following:
п‚· Obtain an IPv6 address automatically Specifies that IPv6 addresses for this connection or adapter are
automatically determined by stateful or stateless address autoconfiguration.
п‚· Use the following IPv6 address< Specifies that an IPv6 address and default gateway for this connection or
adapter are manually configured.
п‚· IPv6 address Provides a space for you to type an IPv6 unicast address. You can specify additional IPv6
addresses from the Advanced TCP/IP Settings dialog box.
п‚· Subnet prefix length Provides a space for you to type the subnet prefix length for the IPv6 address. For
typical IPv6 unicast addresses, this value should be set to 64, its default value.
п‚· Default gateway Provides a space for you to type the IPv6 unicast address of the default gateway.
п‚· Obtain DNS server address automatically Specifies that the IPv6 addresses for DNS servers are
automatically determined by stateful address autoconfiguration (DHCPv6).
п‚· Use the following DNS server addresses Specifies that the IPv6 addresses of the preferred and alternate
DNS servers for this connection or adapter are manually configured.
п‚· Preferred DNS server Provides a space for you to type the IPv6 unicast address of the preferred DNS server.
п‚· Alternate DNS server Provides a space for you to type the IPv6 unicast address of the alternate DNS server.
You can specify additional DNS servers from the Advanced TCP/IP Settings dialog box.
Advanced TCP/IP Settings
From the General tab, you can click Advanced to access the Advanced TCP/IP Settings dialog box. This dialog box is
very similar to the Advanced TCP/IP Settings dialog box for the Internet Protocol Version 4 (TCP/IPv4) component
except there is no WINS tab (IPv6 does not use NetBIOS and the Windows Internet Name Service [WINS]) or
Options tab (TCP/IP filtering is defined only for IPv4 traffic). For IPv6, the Advanced TCP/IP Settings dialog box has
IP Settings and DNS tabs.
The IP Settings tab
From the IP Settings tab, you can configure the following:
п‚· Multiple IPv6 addresses (by clicking Add under IP Addresses) For each unicast IPv6 address, you must
specify an IPv6 address and a subnet prefix length. The Add button is available only if Use The Following
Ipv6 Address has been selected on the General tab of the Internet Protocol Version 6 (TCP/IPv6) Properties
dialog box.
п‚· Multiple default gateways (by clicking Add under Default Gateways) For each default gateway, you must
specify the IPv6 address of the gateway and whether you want the metric for the default route associated with
this default gateway to be manually specified or based on the speed of the connection or adapter.
п‚· Route metrics You can also specify whether to use a specific metric for the routes associated with the
configuration of IPv6 addresses or default gateways or a metric determined by the speed of the connection or
adapter.
The DNS tab
From the DNS tab, you can configure the following:
п‚· The IPv6 addresses of DNS servers, in order of use (by clicking Add under DNS Server Addresses, In Order
Of Use).
п‚· Primary and connection-specific DNS suffix and name registration and devolution behavior. These settings
are the same as for IPv4.
Configuring IPv6 with the Netsh.exe Tool
You can also configure IPv6 addresses, default gateways, and DNS servers at the command line using commands in
the netsh interface ipv6 context.
Configuring Addresses
To configure IPv6 addresses, you can use the netsh interface ipv6 add address command with the following syntax:
netsh interface ipv6 add address [interface=]InterfaceNameorIndex [address=]IPv6Address
[/PrefixLength] [[type=]unicast|anycast] [[validlifetime=]Time|infinite] [[preferredlifetime=]
Time|infinite] [[store=]active|persistent]
 interface The connection or adapter’s name or interface index.
п‚· address The IPv6 address to add, optionally followed by the subnet prefix length (default of 64).
п‚· type The type of IPv6 address, either unicast (default) or anycast.
п‚· validlifetime The lifetime over which the address is valid. Time values can be expressed in days, hours,
minutes, and seconds (for example, 1d2h3m4s). The default value is infinite.
п‚·
preferredlifetime The lifetime over which the address is preferred. Time values can be expressed in days,
hours, minutes, and seconds. The default value is infinite.
 store How to store the IPv6 address—either active (the address is removed upon system restart) or persistent
(address remains after system restart), which is the default.
For example, to configure the IPv6 unicast address 2001:db8:290c:1291::1 on the interface named ―Local Area
Connection‖ with infinite valid and preferred lifetimes and make the address persistent, you use the following
command:
netsh interface ipv6 add address "Local Area Connection" 2001:db8:290c:1291::1
Adding Default Gateways
To configure a default gateway, you can use the netsh interface ipv6 add route command and add a default route
(::/0) with the following syntax:
netsh interface ipv6 add route [prefix=]::/0 [interface=]InterfaceNameorIndex
[[nexthop=]IPv6Address] [[siteprefixlength=]Length] [[metric=]MetricValue] [[publish=]
no|yes|immortal] [[validlifetime=]Time|infinite] [[preferredlifetime=]Time|infinite]
[[store=]active|persistent]
п‚· prefix The IPv6 address prefix and prefix length for the default route. For other routes, you can substitute ::/0
with AddressPrefix/PrefixLength.
 interface The connection or adapter’s name or interface index.
п‚· nexthop If the prefix is for destinations that are not on the local link, the next-hop IPv6 address of a
neighboring router.
п‚· siteprefixlength If the prefix is for destinations on the local link, you can optionally specify the prefix length
for the address prefix assigned to the site to which this IPv6 node belongs.
п‚· metric A value that specifies the preference for using the route. Lower values are preferred.
п‚· publish As an IPv6 router, this option specifies whether the subnet prefix corresponding to the route will be
included in router advertisements and whether the lifetimes for the prefixes are infinite (the immortal option).
п‚· validlifetime The lifetime over which the route is valid. Time values can be expressed in days, hours, minutes,
and seconds (for example, 1d2h3m4s). The default value is infinite.
п‚· preferredlifetime The lifetime over which the route is preferred. Time values can be expressed in days, hours,
minutes, and seconds. The default value is infinite.
п‚· store How to store the route, either active (route is removed upon system restart) or persistent (route remains
after restart), which is the default.
For example, to add a default route that uses the interface named ―Local Area Connection‖ with a next-hop address of
fe80::2aa:ff:fe9a:21b8 you use the following command:
netsh interface ipv6 add route ::/0 "Local Area Connection" fe80::2aa:ff:fe9a:21b8
Adding DNS Servers
To configure the IPv6 addresses of DNS servers, you can use the netsh interface ipv6 add dnsserver command with
the following syntax:
netsh interface ipv6 add dnsserver [name=]InterfaceName [[address=]IPv6Address]
[[index=]PreferenceValue]
 name The connection or adapter’s name.
п‚· address The IPv6 address of the DNS server.
п‚· index The preference for the DNS server address.
By default, the DNS server is added to the end of the list of DNS servers. If an index is specified, the DNS server is
placed in that position in the list and the other DNS servers are moved down the list.
For example, to add a DNS server with the IPv6 address 2001:db8:99:4acd::8 that uses the interface named ―Local
Area Connection,‖ you use the following command:
netsh interface ipv6 add dnsserver "Local Area Connection" 2001:db8:99:4acd::8
IPv6 Address Autoconfiguration
Autoconfiguration is an incredibly useful solution because it allows devices on a network to address themselves with
a link-local unicast address
Types of Autoconfiguration
There are three types of autoconfiguration:
п‚· Stateless Configuration of addresses and other settings is based on the receipt of Router Advertisement
messages. These messages have the Managed Address Configuration and Other Stateful Configuration flags
set to 0, and they include one or more Prefix Information options, each with its Autonomous flag set to 1.
п‚·
Stateful Configuration is based on the use of an address configuration protocol, such as DHCPv6, to obtain
addresses and other configuration settings. A host uses stateful autoconfiguration when it receives a Router
Advertisement message with no Prefix Information options and either the Managed Address Configuration
flag or the Other Stateful Configuration flag is set to 1. A host can also use stateful autoconfiguration when
there are no routers present on the local link.
п‚· Both Configurations is based on the receipt of Router Advertisement messages that include Prefix
Information options, each with its Autonomous flag set to 1, and have the Managed Address Configuration or
Other Stateful Configuration flags set to 1. For all types of autoconfiguration, a link-local address is always
configured automatically.
Stateful Configuration
The client detects a router; the client examines the router advertisement messages to determine whether DHCPv6 has
been set up. If the router specifies that DHCPv6 is supported, or no router advertisement messages are seen, the client
will begin to find a DHCPv6 server by generating a DHCP solicit message. This message is sent to the ALL-DHCPAgents multicast address, using the link-local scope to ensure the message isn’t forwarded, by default, beyond the
local link. An agent is either a DHCPv6 server or a relay, such as a router.
Stateless Autoconfiguration
Stateless autoconfiguration is an extension of DHCPv6. the client uses information in router advertisement messages
to configure an IPv6 address for the interface. This is accomplished by taking the first 64 bits in the router
advertisement source address (the prefix of the router’s address) and using the EUI-64 process to create the 64-bit
interface ID. Stateless autoconfiguration was designed primarily for cell phones, PDAs, and home network and
appliance equipment to assign addresses automatically without having to manage a DHCP server infrastructure.
Normally, routers generate periodic router advertisement (RA) messages the client can listen to and then use to
generate its link address automatically; however, when the client is booting up, waiting for the RA might take awhile.
In this situation, the client will generate a router solicitation message, asking the router to reply with an RA so the
client can generate its interface address.
Two steps to IPv6 autoconfiguration
Autoconfigured Address States
Autoconfigured addresses are in one or more of the following states:
п‚· Tentative The address is in the process of being verified as unique. Verification occurs through duplicate
address detection. A node cannot receive unicast traffic to a tentative address. It can, however, receive and
process multicast Neighbor Advertisement messages sent in response to the Neighbor Solicitation message
that has been sent during duplicate address detection.
п‚· Valid The address can be used for sending and receiving unicast traffic. The valid state includes both the
preferred and deprecated states. The sum of the times that an address remains in the tentative, preferred, and
deprecated states is determined by the Valid Lifetime field in the Prefix Information option of a Router
Advertisement message or the Valid-Lifetime field of a DHCPv6 IA (Identity Association) Address option.
п‚· Preferred The address is valid, its uniqueness has been verified, and it can be used for unlimited
communications. A node can send and receive unicast traffic to and from a preferred address. The period of
time that an address can remain in the tentative and preferred states is determined by the Preferred Lifetime
field in the Prefix Information option of a Router Advertisement message or the Preferred-Lifetime field of a
DHCPv6 IA Address option.
п‚· Deprecated The address is valid and its uniqueness has been verified, but its use is discouraged for new
communication. Existing communication sessions can still use a deprecated address. A node can send and
receive unicast traffic to and from a deprecated address.
п‚· Invalid The address can no longer be used to send or receive unicast traffic. An address enters the invalid
state after the valid lifetime expires.
Autoconfiguration Process
The address autoconfiguration process defined in RFC 4862 for the physical interface of an IPv6 node is the
following:
1. A tentative link-local address is derived based on the link-local prefix of FE80::/64 and a EUI-64–derived
interface identifier.
2. Using duplicate address detection to verify the uniqueness of the tentative link-local address, a Neighbor
Solicitation message is sent with the Target Address field that is set to the tentative link-local address.
3. If a Neighbor Advertisement message (sent in response to the Neighbor Solicitation message) is received, this
indicates that another node on the local link is using the tentative link-local address and address
autoconfiguration stops. At this point, manual configuration must be performed on the node.
4. If no Neighbor Advertisement message (sent in response to the Neighbor Solicitation message) is received,
the tentative link-local address is assumed to be unique and valid. The link-local address is initialized for the
interface. The link-layer multicast address of the solicited-node address corresponding to the link-local
address is registered with the network adapter.
For an IPv6 host, the address autoconfiguration continues as follows:
1. The host sends a Router Solicitation message. While routers periodically send router advertisements, the host
sends a Router Solicitation message to request an immediate router advertisement, rather than waiting until
the next router advertisement. By default, up to three Router Solicitation messages are sent.
2. If no Router Advertisement messages are received, the host uses an address configuration protocol to obtain
addresses and other configuration parameters.
3. If a Router Advertisement message is received, the hop limit, reachable time, retransmission timer, and
maximum transmission unit (if that option is present) are set.
4. For each Prefix Information option present, the following actions occur:
o If the On-Link flag is set to 1, the prefix is added to the prefix list.
o If the Autonomous flag is set to 1, the prefix and an appropriate interface identifier are used to derive
a tentative address.
o Duplicate address detection is used to verify the uniqueness of the tentative address.
o If the tentative address is in use, the use of the address is not initialized for the interface.
o If the tentative address is not in use, the address is initialized. This includes setting the valid and
preferred lifetimes based on the Valid Lifetime and Preferred Lifetime fields in the Prefix Information
option. If needed, it also includes registering the link-layer multicast address of the solicited-node
address corresponding to the new address with the network adapter.
5. If the Managed Address Configuration flag in the Router Advertisement message is set to 1, an address
configuration protocol is used to obtain additional addresses.
6. If the Other Stateful Configuration flag in the Router Advertisement message is set to 1, an address
configuration protocol is used to obtain additional configuration parameters.
In our next tutorial we will learn how to configure IPv6 on Server 2008 and windows vista.
Assign IPv6 address to Windows server 2008 and Windows vista
assign IPv6 address to windows server 2008 and vista guides notes
In our pervious article we learnt about IPv6 Address Autoconfiguration. Now we will discuss the Autoconfiguration
behave of Windows Server environment. This article is the next series of our pervious article so if you have missed
our last tutorial review it now
IPv6 Address Autoconfiguration
IPv6 Protocol for Windows Server 2008 and Windows Vista Autoconfiguration Specifics
The following are the specific autoconfiguration behaviors of IPv6 in Windows Server 2008 and Windows Vista:
п‚· Computers running Windows Server 2008 or Windows Vista by default generate random interface IDs for
non-temporary autoconfigured IPv6 addresses, including public and link-local addresses, rather than using
EUI-64–based interface IDs.
A public IPv6 address is a global address that is registered in DNS and is typically used by server
applications for incoming connections, such as a Web server.
You can disable this default behavior with the
netsh interface ipv6 set global randomizeidentifiers=disabled
command. You can enable the default behavior with the
netsh interface ipv6 set global randomizeidentifiers=enabled command.
п‚· With a randomly derived interface ID, the chance of duplicating the link-local address is very small.
Therefore, computers running Windows Server 2008 or Windows Vista do not wait for duplicate address
detection (DAD) to complete before sending router solicitations or multicast listener discovery reports using
their derived link-local addresses. This is known as optimistic DAD.
п‚· Computers running Windows Server 2008 or Windows Vista do not attempt stateful address
autoconfiguration with DHCPv6 if no router advertisements are received.
п‚· RFC 4862 does not require a specific order for sending the initial router solicitation and performing duplicate
address detection for the derived link-local address. The IPv6 protocol for Windows Server 2008 and
Windows Vista sends the Router Solicitation message before performing duplicate address detection on the
link-local address. In this way, duplicate address detection and router discovery are done in parallel to save
time during the interface initialization process.
п‚· If the derived link-local address is a duplicate, stateless address autoconfiguration for the IPv6 protocol for
Windows Server 2008 and Windows Vista can continue with the receipt of a multicast Router Advertisement
message containing site-local, unique local, or global prefixes. The attempted link-local address is shown with
a ―Duplicate‖ state in the display of the
netsh interface ipv6 show address
command and a site-local, unique local, or global address—rather than the duplicate link-local address—is
used for neighbor discovery processes.
Autoconfigured Addresses for the IPv6 Protocol for Windows Server 2008 and Windows Vista
By default, the following IPv6 addresses are automatically configured for the IPv6 protocol for Windows Server 2008
and Windows Vista:
п‚· Link-local addresses using randomly derived interface identifiers are assigned to all local area network (LAN)
interfaces.
п‚· If included as a site-local prefix in a Prefix Information option of a router advertisement with the Autonomous
flag set to 1, a site-local address using a randomly derived interface identifier is assigned to the LAN interface
that received the router advertisement.
п‚· If included as a global or unique local prefix in a Prefix Information option of a router advertisement with the
Autonomous flag set to 1, a global or unique local address using a randomly derived permanent interface
identifier is assigned to the LAN interface that received the router advertisement.
п‚· If included as a global or unique local prefix in a Prefix Information option of a router advertisement with the
Autonomous flag set to 1, a temporary global or unique local address using a randomly derived temporary
interface identifier is assigned to the LAN interface that received the router advertisement. This is the default
behavior for Windows Vista. Window Server 2008 does not create temporary addresses by default. You can
enable temporary addresses with the netsh interface ipv6 set privacy enabled command.
п‚· If the M flag is set to 1 in a received Router Advertisement message, a stateful IPv6 address based on
DHCPv6 scope for the subnet is assigned to the LAN interface that received the DHCPv6 Reply message.
п‚· If public IPv4 addresses are assigned to interfaces of the computer and there are no global or unique local
autoconfiguration prefixes received in Router Advertisement messages, corresponding 6to4 addresses using
6to4-derived interface identifiers are assigned to the 6to4 tunneling interface. 6to4 is described in RFC 3056.
п‚· For computers running Windows Vista, for all IPv4 addresses that are assigned to interfaces of the computer,
corresponding link-local addresses using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)–
derived interface identifiers (::0:5EFE:w.x.y.z or ::200:5EFE:w.x.y.z) are assigned to the ISATAP tunneling
interface. ISATAP is described in RFC 4214.
п‚· If included as a global, unique local, or site-local prefix in a Prefix Information option of a router
advertisement received on the ISATAP interface, a global, unique local, or site local address using the
ISATAP-derived interface identifier corresponding to the IPv4 address that is the best source to use to reach
the ISATAP router is assigned to the ISATAP interface.
п‚· The loopback address (::1) is assigned to the Loopback Pseudo-Interface 1.
IPv6-Enabled Tools
Windows Server 2008 and Windows Vista include the following IPv6-enabled command-line tools that are most
commonly used for network troubleshooting:
п‚· Ipconfig
п‚· Route
п‚· Ping
п‚· Tracert
п‚· Pathping
п‚· Netstat
Ipconfig
The ipconfig tool displays all current TCP/IP network configuration values, and it is used to perform maintenance
tasks such as refreshing DHCP and DNS settings. In Windows Server 2008 and Windows Vista, the ipconfig
command without options displays IPv4 and IPv6 configuration for all physical adapters and tunnel interfaces that
have addresses. The following is an example display of the ipconfig command on a computer running Windows
Server 2008 or Windows Vista:
c:\> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : www.ComputerNetworkingNotes.com
IPv6 Address. . . . . . . . . . . : 2001:db8:21da:7:713e:a426:d167:37ab
Temporary IPv6 Address. . . . . . : 2001:db8:21da:7:5099:ba54:9881:2e54
Link-local IPv6 Address . . . . . : fe80::713e:a426:d167:37ab%6
IPv4 Address. . . . . . . . . . . : 157.60.14.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::20a:42ff:feb0:5400%6
IPv4 Default Gateway . . . . . . : 157.60.14.1
Tunnel adapter Local Area Connection* 6:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:db8:908c:f70f:0:5efe:157.60.14.11
Link-local IPv6 Address . . . . . : fe80::5efe:157.60.14.11%9
Site-local IPv6 Address . . . . . : fec0::6ab4:0:5efe:157.60.14.11%1
Default Gateway . . . . . . . . . : fe80::5efe:131.107.25.1%9
fe80::5efe:131.107.25.2%9
Tunnel adapter Local Area Connection* 7:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ipconfig.exe displays the IPv6 addresses before the IPv4 addresses and indicates the type of IPv6 address using the
following labels:
п‚· IPv6 Address A global address with a permanent interface ID
п‚· Temporary IPv6 Address A global address with a randomly derived interface ID that has a short valid
lifetime
п‚· Link-local IPv6 Address A link-local address with its corresponding zone ID (the interface index)
п‚· Site-local IPv6 Address A site-local address with its corresponding zone ID (the site ID) For more
information about the different types of IPv6 addresses and the zone ID By default, the interface names
containing an asterisk (*) are tunneling interfaces.
Route
The Route tool displays the entries in the local IPv4 and IPv6 routing tables and allows you to change them. The
Route tool displays both the IPv4 and IPv6 routing table when you run the
route print
command. You can change entries in the IPv6 routing table with the Route.exe tool with the route add, route change,
and route delete commands.
Ping
In previous versions of Windows, the Ping tool verified IPv4-level connectivity to another TCP/IP computer by
sending Internet Control Message Protocol (ICMP) Echo messages. The receipt of corresponding Echo Reply
messages is displayed, along with round-trip times. Ping is the primary TCP/IP tool used to troubleshoot reach ability
and name resolution. The Ping tool in Windows Server 2008 and Windows Vista has been enhanced to support IPv6
in the following ways:
п‚· Ping uses either ICMPv4 Echo or ICMPv6 Echo Request messages to verify IPv4-based or IPv6-based
connectivity.
п‚· Ping can parse both IPv4 and IPv6 address formats.
п‚· If you specify a target host by name, the addresses returned by using Windows name resolution techniques
can contain both IPv4 and IPv6 addresses—in which case, by default, an IPv6 address is preferred (subject to
source and destination address selection). The following is an example display of the Ping tool on a computer
running Windows Server 2008 or Windows Vista for an IPv6 destination address:
C:\>ping 2001:db8:1:f282:dd48:ab34:d07c:3914
Pinging 2001:db8:1:f282:dd48:ab34:d07c:3914 from
2001:db8:1:f282:3cec:bf16:505:eae6 with 32 bytes of data:
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Ping statistics for 2001:db8:1:f282:dd48:ab34:d07c:3914:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
The following command-line options support IPv6:
п‚·
-i HopLimit
Sets the value of the Hop Limit field in the IPv6 header. The default value is 128. The –i option is also used to
set the value of the Time-to-Live (TTL) field in the IPv4 header.
п‚· -R
Forces Ping to trace the round-trip path by sending the ICMPv6 Echo Request message to the destination and
to include an IPv6 Routing extension header with the sending node as the next destination.
п‚· -S SourceAddr
Forces Ping to use a specified IPv6 source address.
п‚· -4
Forces Ping to use an IPv4 address when the DNS name query for a host name returns both IPv4 and IPv6
addresses.
п‚· -6
Forces Ping to use an IPv6 address when the DNS name query for a host name returns both IPv4 and IPv6
addresses.
Note down
The Ping -f, -v TOS, -r count, -s count, -j host-list, and -k host-list command line options are not supported for IPv6.
Tracert
The Tracert tool determines the path taken to a destination. For IPv4, Tracert sends ICMPv4 Echo messages to the
destination with incrementally increasing TTL field values. For IPv6, Tracert sends ICMPv6 Echo Request messages
to the destination with incrementally increasing Hop Limit field values. Tracert displays the path as the list of nearside
router interfaces of the routers in the path between a source host and a destination node. The Tracert tool in Windows
Server 2008 and Windows Vista has been enhanced to support IPv6 in the following ways:
п‚· Tracert can parse both IPv4 and IPv6 address formats.
п‚· If you specify a target host by name, the addresses returned using Windows name resolution techniques can
contain both IPv4 and IPv6 addresses—in which case, by default, an IPv6 address is preferred (subject to
source and destination address selection). The following is an example display of the Tracert tool on a
computer running Windows Server 2008 or Windows Vista:
c:\>tracert 2001:db8:1:f282:dd48:ab34:d07c:3914
Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 2001:db8:1:f241:2b0:d0ff:fea4:243d
2 <1 ms <1 ms <1 ms 2001:db8:1:f2ac:2b0:d0ff:fea5:d347
3 <1 ms <1 ms <1 ms 2001:db8:1:f282:dd48:ab34:d07c:3914
Trace complete.
The following Tracert command-line options support IPv6:
п‚· -R
Forces Tracert to trace the round-trip path by sending the ICMPv6 Echo Request message to the destination,
including an IPv6 Routing extension header with the sending node as the next destination
п‚· -S SourceAddr
Forces Tracert to use a specified IPv6 source address
п‚· -4
Forces Tracert to use an IPv4 address when the DNS name query for a host name returns both IPv4 and IPv6
addresses
п‚· -6
Forces Tracert to use an IPv6 address when the DNS name query for a host name returns both IPv4 and IPv6
addresses
Note The Tracert -j host-list command-line option is not supported for IPv6.
Pathping
The Pathping tool provides information about network latency and network loss at intermediate hops between a
source and destination. For IPv4, Pathping sends multiple ICMPv4 Echo messages to each router between a source
and destination over a period of time, and then it computes results based on the packets returned from each router. For
IPv6, Pathping sends ICMPv6 Echo Request messages. Because Pathping displays the degree of packet loss at any
given router or link, you can determine which routers or subnets might be having network problems. Pathping
performs the equivalent of the Tracert tool by identifying which routers are in the path, and then it sends messages
periodically to all the routers over a specified time period and computes statistics based on the number returned from
each. The Pathping tool in Windows Server 2008 and Windows Vista has been enhanced to support IPv6 in the
following ways:
п‚· Pathping can parse both IPv4 and IPv6 address formats.
п‚·
If you specify a target host by name, the addresses returned using Windows name resolution techniques can
contain both IPv4 and IPv6 addresses—in which case, by default, an IPv6 address is preferred (subject to
source and destination address selection). The following is an example display of the Pathping tool on a
computer running Windows Server 2008 or Windows Vista:
C:\>pathping 2001:db8:1:f282:dd48:ab34:d07c:3914
Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
0 server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
1 2001:db8:1:f282:dd48:ab34:d07c:3914
Computing statistics for 25 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 server1.example.microsoft.com
[2001:db8:1:f282:204:5aff:fe56:1006]
0/ 100 = 0% |
1 0ms 0/ 100 = 0% 0/ 100 = 0% 2001:db8:1:f282:dd48:ab34:d07c:
3914
Trace complete.
The following Pathping command-line options support IPv6:
п‚· -4
Forces Pathping to use an IPv4 address when the DNS name query for a host name returns both IPv4 and
IPv6 addresses
п‚· -6
Forces Pathping to use an IPv6 address when the DNS name query for a host name returns both IPv4 and
IPv6 addresses
Note The Pathping -g host-list command-line option is not supported for IPv6.
Netstat
The Netstat tool displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the
IPv4 routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), the IPv6 routing table, and IPv6
statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).
Displaying IPv6 Configuration with Netsh
Useful commands to display information about the IPv6 configuration of a computer running Windows Server 2008
and Windows Vista are the following:
п‚· Netsh interface ipv6 show interface
п‚· Netsh interface ipv6 show address
п‚· Netsh interface ipv6 show route
п‚· Netsh interface ipv6 show neighbors
п‚· Netsh interface ipv6 show destination cache
Netsh interface ipv6 show interfaceM
This command displays the list of IPv6 interfaces. By default, the interface names containing an asterisk (*) are
tunneling interfaces.
Netsh interface ipv6 show address
This command displays the list of IPv6 addresses for each interface.
Netsh interface ipv6 show route
This command displays the list of routes in the IPv6 routing table.
Netsh interface ipv6 show neighbors
This command displays the contents of the neighbor cache, sorted by interface. The neighbor cache stores the linklayer addresses of recently resolved next-hop addresses.
Netsh interface ipv6 show destinationcache
This command displays the contents of the destination cache, sorted by interface. The destination cache stores the
next-hop addresses for destination addresses.
ICMPv6 Overview
Like IPv4, the specification for the Internet Protocol version 6 (IPv6) header and extension headers does not provide
facilities for reporting errors. Instead, IPv6 uses an updated version of the Internet Control Message Protocol (ICMP)
named ICMP version 6 (ICMPv6). ICMPv6 has the common IPv4 ICMP functions of reporting delivery and
forwarding errors and providing a simple echo service for troubleshooting. ICMPv6 is defined in RFC 4443 and is
required for an IPv6 implementation. The ICMPv6 protocol also provides a packet structure framework for the
following:
п‚·
Neighbor Discovery Neighbor Discovery (ND) is a series of five ICMPv6 messages that manage node-tonode communication on a link. ND replaces Address Resolution Protocol (ARP), ICMPv4 Router Discovery,
and the ICMPv4 Redirect message
п‚· Multicast Listener Discovery Multicast Listener Discovery (MLD) is a series of three ICMPv6 messages that
are equivalent to the Internet Group Management Protocol (IGMP) for IPv4 for managing subnet multicast
membership.
ICMPv6 is also used by other protocols, such as Secure Neighbor Discovery (SEND). SEND is not supported by
IPv6 for Windows Vista and Windows Server 2008
Types of ICMPv6 Messages
There are two types of ICMPv6 messages:
п‚· Error messages Error messages report errors in the forwarding or delivery of IPv6 packets by either the
destination node or an intermediate router. The high-order bit of the 8-bit Type field for all ICMPv6 error
messages is set to 0. Therefore, valid values for the Type field for ICMPv6 error messages are in the range of
0 through 127. ICMPv6 error messages include Destination Unreachable, Packet Too Big, Time Exceeded,
and Parameter Problem.
п‚· Informational messages Informational messages provide diagnostic functions and additional host
functionality, such as MLD and ND. The high-order bit of the 8-bit Type field for all ICMPv6 informational
messages is set to 1. Therefore, valid values for the Type field for ICMPv6 information messages are in the
range of 128 through 255.
ICMPv6 informational messages described in RFC 4443 include Echo Request and Echo Reply. There are additional
ICMPv6 informational messages defined for Mobile IPv6.
ICMPv6 Error Messages
ICMPv6 error messages report forwarding or delivery errors by either a router or the destination host, and they consist
of the following messages:
п‚· Destination Unreachable (ICMPv6 Type 1)
п‚· Packet Too Big (ICMPv6 Type 2)
п‚· Time Exceeded (ICMPv6 Type 3)
п‚· Parameter Problem (ICMPv6 Type 4)
To conserve network bandwidth, ICMPv6 error messages are not sent for every error encountered. Instead, ICMPv6
error messages are rate limited. Although not required by RFC 4443, the recommended method for rate limiting
ICMPv6 error messages is known as token bucket. There is an average rate of transmission of ICMPv6 error
messages that cannot be exceeded. The rate of transmission can be based on a number of ICMPv6 error messages per
second or a specified percentage of a link’s bandwidth. However, to better handle error notification for busty traffic,
the node can send a number of messages in a burst, provided the number of messages in the burst does not exceed the
overall transmission rate.
Destination Unreachable
A router or a destination host sends an ICMPv6 Destination Unreachable message when the packet cannot be
forwarded to the destination node or upper-layer protocol. In the Destination Unreachable message, the Type field is
set to 1 and the Code field is set to a value in the range of 0 through 6. Following the Checksum field is a 32-bit
Unused field and the leading portion of the discarded packet, sized so that the entire IPv6 packet containing the
ICMPv6 message is no larger than 1280 bytes (the minimum IPv6 MTU). The number of bytes of the discarded
packet included in the message varies if there are IPv6 extension headers present. For an ICMPv6 message without
extension headers, up to 1232 bytes of the discarded packet are included (1280 less a 40-byte IPv6 header and an 8byte ICMPv6 Destination Unreachable header).
Packet Too Big
A router sends an ICMPv6 Packet Too Big message when the packet cannot be forwarded because the link MTU on
the forwarding interface of the router is smaller than the size of the IPv6 packet
Time Exceeded
A router typically sends an ICMPv6 Time Exceeded message when the Hop Limit field in the IPv6 header becomes
zero after decrementing its value during the forwarding process.
ICMPv6 Informational Messages
Echo Request
An IPv6 node sends an ICMPv6 Echo Request message to a destination to solicit an immediate Echo Reply message.
The Echo Request/Echo Reply message facility provides a simple diagnostic function to aid in the troubleshooting of
a variety of reach ability and routing problems.
Echo Reply
An IPv6 node sends an ICMPv6 Echo Reply message in response to the receipt of an ICMPv6 Echo Request message
Echo Request messages can be sent to a multicast address. As specified in RFC 4443, an Echo Request message sent
to a multicast address should be answered with an Echo Reply message, sent from a unicast address assigned to the
interface on which the Echo Request was received. The IPv6 protocol for Windows Vista and Windows Server 2008
does not respond to multicast Echo Request messages. Echo Request messages can be sent to a multicast address. As
specified in RFC 4443, an Echo Request message sent to a multicast address should be answered with an Echo Reply
message, sent from a unicast address assigned to the interface on which the Echo Request was received. The IPv6
protocol for Windows Vista and Windows Server 2008 does not respond to multicast Echo Request messages.
IPv6 Neighbor Discovery Overview
Internet Protocol version 6 (IPv6) Neighbor Discovery (ND) is a set of messages and processes defined in RFC 4861
that determine relationships between neighboring nodes. ND replaces Address Resolution Protocol (ARP), Internet
Control Message Protocol (ICMP) router discovery, and the ICMP Redirect message used in IPv4. ND also provides
additional functionality.
ND is used by nodes to do the following:
п‚· Resolve the link-layer address of a neighboring node to which an IPv6 packet is being forwarded.
п‚· Determine when the link-layer address of a neighboring node has changed.
п‚· Determine whether a neighbor is still reachable.
ND is used by hosts to do the following:
п‚· Discover neighboring routers.
п‚· Auto configure addresses, address prefixes, routes, and other configuration parameters.
ND is used by routers to do the following:
п‚· Advertise their presence, host configuration parameters, routes, and on-link prefixes.
п‚· Inform hosts of a better next-hop address to forward packets for a specific destination.
There are five different ND messages:
п‚· Router Solicitation (ICMPv6 type 133)
п‚· Router Advertisement (ICMPv6 type 134)
п‚· Neighbor Solicitation (ICMPv6 type 135)
п‚· Neighbor Advertisement (ICMPv6 type 136)
п‚· Redirect (ICMPv6 type 137)
Router Solicitation
The Router Solicitation message is sent by IPv6 hosts to discover the presence of IPv6 routers on the link. A host
sends a multicast Router Solicitation message to prompt IPv6 routers to respond immediately, rather than waiting for
an unsolicited Router Advertisement message. For example, assuming that the local link is Ethernet, in the Ethernet
header of the Router Solicitation message you will find these settings:
п‚· The Source Address field is set to the MAC address of the sending network adapter.
п‚· The Destination Address field is set to 33-33-00-00-00-02. In the IPv6 header of the Router Solicitation
message, you will find the following settings:
п‚· The Source Address field is set to either a link-local IPv6 address assigned to the sending interface or the
IPv6 unspecified address (::).
п‚· The Destination Address field is set to the link-local scope all-routers multicast address (FF02::2).
п‚· The Hop Limit field is set to 255.
Router Advertisement
IPv6 routers send unsolicited Router Advertisement messages pseudo-periodically—that is, the interval between
unsolicited advertisements is randomized to reduce synchronization issues when there are multiple advertising routers
on a link—and solicited Router Advertisement messages in response to the receipt of a Router Solicitation message.
The Router Advertisement message contains the information required by hosts to determine the link prefixes, the link
MTU, specific routes, whether or not to use address autoconfiguration, and the duration for which addresses created
through address autoconfiguration are valid and preferred. For example, assuming that the local link is Ethernet in the
Ethernet header of the Router Advertisement message, you will find these settings:
п‚· The Source Address field is set to the MAC address of the sending network adapter.
п‚· The Destination Address field is set to either 33-33-00-00-00-01 or the unicast MAC address of the host that
sent a Router Solicitation from a unicast address.
In the IPv6 header of the Router Advertisement message, you will find the following settings:
п‚· The Source Address field is set to the link-local address assigned to the sending interface.
п‚· The Destination Address field is set to either the link-local scope all-nodes multicast address (FF02::1) or the
unicast IPv6 address of the host that sent the Router Solicitation message from a unicast address.
п‚· The Hop Limit field is set to 255.
Neighbor Solicitation
IPv6 nodes send the Neighbor Solicitation message to discover the link-layer address of an on-link IPv6 node or to
confirm a previously determined link-layer address. It typically includes the link-layer address of the sender. Typical
Neighbor Solicitation messages are multicast for address resolution and unicast when the reach ability of a
neighboring node is being verified. For example, assuming that the local link is Ethernet, in the Ethernet header of the
Neighbor Solicitation message, you will find the following settings:
п‚· The Source Address field is set to the MAC address of the sending network adapter.
п‚· For a multicast Neighbor Solicitation message, the Destination Address field is set to the Ethernet MAC
address that corresponds to the solicited-node address of the target. For a unicast Neighbor Solicitation
message, the Destination Address field is set to the unicast MAC address of the neighbor.
In the IPv6 header of the Neighbor Solicitation message, you will find these settings:
п‚· The Source Address field is set to either a unicast IPv6 address assigned to the sending interface or, during
duplicate address detection, the unspecified address (::).
п‚· For a multicast Neighbor Solicitation, the Destination Address field is set to the solicited node address of the
target. For a unicast Neighbor Solicitation, the Destination Address field is set to the unicast address of the
target.
Neighbor Advertisement
An IPv6 node sends the Neighbor Advertisement message in response to a Neighbor Solicitation message. An IPv6
node also sends unsolicited Neighbor Advertisements to inform neighboring nodes of changes in link-layer addresses
or the node’s role. The Neighbor Advertisement contains information required by nodes to determine the type of
Neighbor Advertisement message, the sender’s role on the network, and typically the link-layer address of the sender.
For example, assuming that the local link is Ethernet, in the Ethernet header of the Neighbor Advertisement message,
you will find the following settings:
п‚· The Source Address field is set to the MAC address of the sending network adapter.
п‚· The Destination Address field is set, for a solicited Neighbor Advertisement, to the unicast MAC address of
the initial Neighbor Solicitation sender. For an unsolicited Neighbor Advertisement, the Destination Address
field is set to 33-33-00-00-00-01, which is the Ethernet MAC address corresponding to the link-local scope
all-nodes multicast address.
In the IPv6 header of the Neighbor Advertisement message, you will find these settings:
п‚· The Source Address field is set to a unicast address assigned to the sending interface.
п‚· The Destination Address field is set, for a solicited Neighbor Advertisement, to the unicast IP address of the
sender of the initial Neighbor Solicitation. For an unsolicited Neighbor Advertisement, the Destination
Address field is set to the link-local scope all-nodes multicast address (FF02::1).
п‚· The Hop Limit field is set to 255.
Redirect
The Redirect message is sent by an IPv6 router to inform an originating host of a better first hop address for a specific
destination. Redirect messages are sent only by routers for unicast traffic, are unicast only to originating hosts, and are
processed only by hosts. For example, assuming that the local link is Ethernet, in the Ethernet header of the Redirect
message, you will find the following settings:
п‚· The Source Address field is set to the MAC address of the sending network adapter.
п‚· The Destination Address field is set to the unicast MAC address of the originating sender.
In the IPv6 header of the Redirect message, you will find these settings:
п‚· The Source Address field is set to a unicast address that is assigned to the sending interface.
п‚· The Destination Address field is set to the unicast IP address of the originating host.
п‚· The Hop Limit field is set to 255.
Neighbor Discovery Processes
The ND protocol provides message exchanges for the following processes:
п‚· Address resolution (including duplicate address detection)
п‚· Router discovery (includes prefix and parameter discovery)
п‚· Neighbor unreachability detection
п‚· Redirect function
п‚· Transition Strategies
п‚· One nice feature of moving your network to IPv6 is that you don't have to do it all in one step. Various
migration strategies support both IPv4 and IPv6 as you migrate from the former to the latter.
п‚· Most common method for transition is given in following table.
Transition Method
Description
Dual stacking
Devices such as PCs and routers run both IPv4 and IPv6, and thus have two sets
of addresses.
Manual IPv6-over-IPv4 (6to4)
tunneling
IPv6 packets are tunneled across an IPv4 network by encapsulating them in IPv4
packets. This requires routers configured with dual stacks.
Dynamic 6to4 tunneling
Allows IPv6 localities to connect to other IPv6 localities across an IPv4 backbone,
such as the Internet, automatically. This method applies a unique IPv6 prefix to
each locality without having to retrieve IPv6 addressing information from address
registries or ISPs.
Intra-Site Automatic Tunnel
Addressing Protocol (ISATAP)
tunneling
Uses virtual links to connect IPv6 localities together within a site that is primarily
using IPv4. Boundary routers between the two addressing types must be
configured with dual stacks.
Teredo tunneling
Instead of using routers to tunnel packets, Teredo tunneling has the hosts perform
the tunneling. This requires the hosts to be configured with dual stacks. It is
commonly used to move packets through an IPv4 address translation device.
NAT Proxying and Translation
(NAT-PT)
Has an address translation device translate addresses between an IPv6 and IPv4
network and vice versa.
п‚·
п‚·
п‚· Dual Stacking
In dual stacking, a device runs both protocol stacks: IPv4 and IPv6. Of all the transition methods, this is the
most common one. Dual stacking can be accomplished on the same interface or different interfaces of the
device. Figure shows an example of dual stacking on a router, where Network A has a mixture of devices
configured for the two different protocols, and the router configured in a dual stack mode. Older IPv4-only
applications can still work while they are migrated to IPv6 by supporting newer APIs to handle IPv6
addresses and DNS lookups with IPv6 addresses.
The main disadvantage of dual stacking on a segment is that devices configured using only one stack must
forward their traffic to a dual-stacked device, such as a router, which must then forward the traffic back to the
same segment using the other stack. This is an inefficient use of bandwidth, but it does allow devices using
both protocol stacks to coexist on the same network segment.
How to configure cisco router with IPv6
In our pervious article we learnt a lot about transition of IPv4 to IPv6. In this tutorial we will configure Cisco router
with transition method discussed in pervious article.
Dual Stacking
This is the most common type of migration strategy because, well, it’s the easiest on us—it allows our devices to
communicate using either IPv4 or IPv6. Dual stacking lets you upgrade your devices and applications on the network
one at a time. As more and more hosts and devices on the network are upgraded, more of your communication will
happen over IPv6, and after you’ve arrived—everything’s running on IPv6, and you get to remove all the old IPv4
protocol stacks you no longer need.
Plus, configuring dual stacking on a Cisco router is amazingly easy—all you have to do is enable IPv6 forwarding and
apply an address to the interfaces already configured with IPv4. It will look something like this:
Router(config)#ipv6 unicast-routing
Router(config)#interface fastethernet 0/0
Router(config-if)#ipv6 address 2001:db8:3c4d:1::/64 eui-64
Router(config-if)#ip address 192.168.255.1 255.255.255.0
You can read more about dual stack in our pervious article.
6to4 Tunneling
6to4 tunneling is really useful for carrying IPv6 data over a network that’s still IPv4. It’s quite possible that you’ll
have IPv6 subnets or other portions of your network that are all IPv6, and those networks will have to communicate
with each other. Not so complicated, but when you consider that you might find this happening over a WAN or some
other network that you don’t control, well, that could be a bit ugly.
So what do we do about this if we don’t control the whole network? Create a tunnel that will carry the IPv6 traffic for
us across the IPv4 network, that’s what.
The whole idea of tunneling isn’t a difficult concept, and creating tunnels really isn’t as hard as you might think. All it
really comes down to is snatching the IPv6 packet that’s happily traveling across the network and sticking an IPv4
header onto the front of it.
configure the tunnel on each router:
Router1(config)#int tunnel 0
Router1(config-if)#ipv6 address 2001:db8:1:1::1/64
Router1(config-if)#tunnel source 192.168.30.1
Router1(config-if)#tunnel destination 192.168.40.1
Router1(config-if)#tunnel mode ipv6ip
Router2(config)#int tunnel 0
Router2(config-if)#ipv6 address 2001:db8:2:2::1/64
Router2(config-if)#tunnel source 192.168.40.1
Router2(config-if)#tunnel destination 192.168.30.1
Router2(config-if)#tunnel mode ipv6ip
Configuring Cisco Routers with IPv6
To use IPv6 on your router, you must, at a minimum, enable the protocol and assign IPv6 addresses to your interfaces,
like this:
Router(config)# ipv6 unicast-routing
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ipv6 address ipv6_address_prefix/prefix_length [eui-64]
The ipv6 unicast-routing command globally enables IPv6 and must be the first IPv6 command executed on the
router. The ipv6 address command assigns the prefix, the length, and the use of EUI-64 to assign the interface ID.
Optionally, you can omit the eui-64 parameter and configure the entire IPv6 address. You can use the show ipv6
interface command to verify an interface’s configuration. Here’s an example configuration, with its verification:
Router(config)# ipv6 unicast-routing
By default, IPv6 traffic forwarding is disabled, so using this command enables it. Also, as you’ve probably guessed,
IPv6 isn’t enabled by default on any interfaces either, so we have to go to each interface individually and enable it.
There are a few different ways to do this, but a really easy way is to just add an address to the interface. You use the
interface configuration command ipv6 address <ipv6prefix>/ <prefix-length > [eui-64] to get this done.
Router(config)# interface fastethernet0/0
Router(config-if)# ipv6 address 2001:1cc1:dddd:2::/64 eui-64
Router(config-if)# end
Router# show ipv6 interface fastethernet0/0
FastEthernet0/0 is administratively down, line protocol is down
IPv6 is enabled, link-local address is FE80::207:EFF:FE46:4070
[TEN]
No Virtual link-local address(es):
Global unicast address(es):
2001:1CC1:DDDD:2:207:EFF:FE46:4070, subnet is
2001:1CC1:DDDD:2::/64 [EUI/TEN]
Joined group address(es):
FF02::1
FF02::2
To set up a static DNS resolution table on the router, use the ipv6 host command; you can also specify a DNS server
with the ip name-server command:
Router(config)# ipv6 host hostname [port_#] ipv6_address1 [ipv6_address2…]
Router(config)# ip name-server DNS_server_IPv6_address
The ip name-server command can be used to assign both IPv4 and IPv6 DNS servers.
Routing and IPv6
As in IPv4, routers in IPv6 find best paths to destinations based on metrics and administrative distances; and like
IPv4, IPv6 routers look for the longest matching prefix in the IPv6 routing table to forward a packet to its destination.
The main difference is that the IPv6 router is looking at 128 bits when making a routing decision instead of 32 bits.
RIPng
Routing Information Protocol next generation (RIPng) is actually similar to RIP for IPv4, with these
characteristics:
п‚· It's a distance vector protocol.
п‚· The hop-count limit is 15.
п‚· Split horizon and poison reverse are used to prevent routing loops.
п‚· It is based on RIPv2.
п‚· Cisco routers running 12.2(2) T and later support RIPng.
These are the enhancements in RIPng:
п‚· An IPv6 packet is used to transport the routing update.
п‚· The ALL-RIP routers multicast address (FF02::9) is used as the destination address in routing
advertisements and is delivered to UDP port 521.
п‚· Routing updates contain the IPv6 prefix of the router and the next-hop IPv6 address.
Enabling RIPng is a little bit different than enabling RIP for IPv4. First, you use the ipv6 router rip tag command to
enable RIPng globally:
Router(config)# ipv6 router rip tag
This takes you into a subcommand mode, where you can change some of the global values for RIPng, such as
disabling split horizon, the administrative distance, and timers. The tag is a locally significant identifier used to
differentiate between multiple RIP processes running on the router. Unlike RIP for IPv6, there is no network
command to include interfaces in RIPng. Instead, you must enable RIPng on a per-interface basis with the ipv6 rip
tag enable command:
Router(config)# interface type [slot_#/]port_#
Router(config-if)# ipv6 rip tag enable
The tag parameter associates the interface with the correct RIPng routing process. To view the routing protocol
configuration, use the show ipv6 rip command:
Router# show ipv6 rip
RIP process "RIPPROC1", port 521, multicast-group FF02::9,
pid 187
Administrative distance is 120. Maximum paths is 16
Updates every 30 seconds, expire after 180
Holddown lasts 0 seconds, garbage collect after 120
Split horizon is on; poison reverse is off
Default routes are not generated
Periodic updates 2, trigger updates 0
Interfaces:
FastEthernet0/0
Redistribution:
None
In this example, the tag is RIPPROC1 for the name of the RIPng routing process and RIPng is enabled on
FastEthernet0/0. To view the IPv6 routing table for RIPng, use the show ipv6 route rip command.
EIGRPv6
As with RIPng, EIGRPv6 works much the same as its IPv4 predecessor does—most of the features that EIGRP
provided before EIGRPv6 will still be available.
EIGRPv6 is still an advanced distance-vector protocol that has some link-state features. The neighbor discovery
process using hellos still happens, and it still provides reliable communication with reliable transport protocol that
gives us loop-free fast convergence using the Diffusing Update Algorithm (DUAL).
Hello packets and updates are sent using multicast transmission, and as with RIPng, EIGRPv6’s multicast address
stayed almost the same.
In IPv4 it was 224.0.0.10; in IPv6, it’s FF02::A (A = 10 in hexadecimal notation).
But obviously, there are differences between the two versions. Most notably, and just as with RIPng, the use of the
network command is gone, and the network and interface to be advertised must be enabled from interface
configuration mode.
But you still have to use the router configuration mode to enable the routing protocol in EIGRPv6 because the routing
process must be literally turned on like an interface with the no shutdown command The configuration for EIGRPv6
is going to look like this:
Router1(config)#ipv6 router eigrp 12
The 12 in this case is still the autonomous system (AS) number. The prompt changes to
(config-rtr),
and from here you must perform a no shutdown:
Router1(config-rtr)#no shutdown
Other options also can be configured in this mode, like redistribution. So now, let's go to the interface and enable
IPv6:
Router1(config-if)#ipv6 eigrp 12
The 12 in the interface command again references the AS number that was enabled in the configuration mode. Last to
check out in our group is what OSPF looks like in the IPv6 routing protocol.
OSPFv3
The new version of OSPF continues the trend of the routing protocols having many similarities with their IPv4
versions. The foundation of OSPF remains the same—it is still a link-state routing protocol that divides an entire
internetworks or autonomous system into areas, making a hierarchy. In OSPF version 2, the router ID (RID) is
determined by the highest IP addresses assigned to the router (or you could assign it).
In version 3, you assign the RID, area ID, and link-state ID, which are all still 32-bit values but are not found using
the IP address anymore because an IPv6 address is 128 bits. Changes regarding how these values are assigned, along
with the removal of the IP address information from OSPF packet headers, makes the new version of OSPF capable of
being routed over almost any Network layer protocol!
Adjacencies and next-hop attributes now use link-local addresses, and OSPFv3 still uses multicast traffic to send its
updates and acknowledgments, with the addresses FF02::5 for OSPF routers and FF02::6 for OSPF-designated
routers. These new addresses are the replacements for 224.0.0.5 and 224.0.0.6, respectively.
Other, less flexible IPv4 protocols don’t give us the ability that OSPFv2 does to assign specific networks and
interfaces into the OSPF process—however, this is something that is still configured under the router configuration
process. And with OSPFv3, just as with the other IPv6 routing protocols we have talked about, the interfaces and
therefore the networks attached to them are configured directly on the interface in interface configuration mode.
The configuration of OSPFv3 is going to look like this:
Router1(config)#ipv6 router osfp 10
Router1(config-rtr)#router-id 1.1.1.1
You get to perform some configurations from router configuration mode like summarization and redistribution, but
we don’t even need to configure OSPFv3 from this prompt if we configure OSPFv3 from the interface.
When the interface configuration is completed, the router configuration process is added automatically and the
interface configuration looks like this:
Router1(config-if)#ipv6 ospf 10 area 0.0.0.0
So, if we just go to each interface and assign a process ID and area—poof, we are done

High-Speed Internet Quick Start Guide - Frontier

My Net N900 Central Router User Manual - Western Digital

MELBOURNE VESSEL RECEIVALS & CUT OFFS

User Guide Wireless Linksys Router WRT120N

(Surchrge\211\374\222\350\217\221 for ME.xls)

Sr# Name of Project Estimate Cost 1 Repairing of Nallah Moza

Integrated Result System - Version 2015.01.07

Cisco WRV200 Wireless-G VPN Router with RangeBooster

Reference Manual for the 54 Mbps Wireless Router WGR614 v6

How to update your smart card by the receiver - The Last Drakkar

BNG Use Cases and Sample Configurations

Junos® OS Release 12.1X46 for the Branch and - Juniper Networks

SAM D20/D21 Serial USART Driver (SERCOM - Atmel Corporation