ICND1

1 2 3 4 5 6 7 8 Building a Simple Network .....................................3 Understanding TCP/IP ..........................................17 Understanding Ethernet........................................32 LAN Network Topologies......................................42 Operating Cisco IOS..............................................51 Configuring a Cisco Switch ..................................57 Extending the LAN.................................................78 Exploring the Functions of Routing......................88 Configuring a Cisco Router................................105 Understanding WAN Technologies .................130 RIP Routing ........................................................153 Managing Your Network Environment ...........164

CCNA Quick Reference Sheets
Eric Rivard Jim Doherty

9 10 11 12

ICND2
1 2 3 4 5 6 7 8 9 10 11 Implementing VLANS and Trunks .....................172 Redundant Switching and STP ..........................183 Troubleshooting Switched Networks ...............203 Routing Operations and VLSM ..........................210 Implementing OSPF in a Single Area ................230 Implementing EIGRP ...........................................247 Managing Traffic with ACLs...............................257 Managing Address Space with NAT and IPv6 .......................................................270 Establishing Serial Point-to-Point Connections ...............................281 Establishing Frame Relay Connections..........291 Introducing VPN Solutions...............................302

ciscopress.com
From the Library of MARCO A. ZUNIGA C.

[2] CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

About the Authors
Eric Rivard, A+, MCSE, CCNP, CCSE, is an IT manager at Valley Center Municipal Water District. Over the past several years, he has taught professionals in both academic and industry settings topics on SCADA, Windows, networking, and IT security. Before joining Valley Center MWD, Eric was a network and security consultant in the San Diego area. He is the author of the first and second edition of the CCNA Flash Cards and Exam Practice Pack. He holds a B.S. in information technology from the University of Phoenix. He lives with his wife and two children in Oceanside, CA. Jim Doherty is currently the director of strategic marketing with Symbol Technologies. Prior to joining Symbol, Jim worked at Cisco Systems, where he led marketing campaigns for IP telephony, and routing and switching. Over the past several years, he has taught professionals in both academic and industry settings on a broad range of topics, including networking, electric circuits, statistics, and wireless communication methods. Jim is the coauthor of Cisco Networking Simplified and wrote the “Study Notes” section of the CCNA Flash Cards and Exam Practice Pack. Jim holds a B.S. in electrical engineering from N.C. State University and an MBA from Duke University. Jim also served in the United States Marine Corps, where he earned the rank of sergeant before leaving to pursue an education.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[3]

SECTION 1 Building a Simple Network

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

ICND1
Part I: Summarizing Network Technology

Section 1 Building a Simple Network
Exploring the Functions of Networking
A network is a collection of devices and end systems. Networks consist of computers, servers, and network devices, such as switches and routers, that can communicate with each other.

Common Physical Components of a Network
Figure 1-1 shows the four major categories of physical components on a network: n Personal computers (PCs): Send and receive data and are the endpoints of the network.
n n n

Interconnections: Are the components that provide a means for data to travel across the network. This includes network interface cards (NIC), network media, and connectors. Switches: Provide network access for the PCs. Routers: Interconnect networks.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[4]

SECTION 1 Building a Simple Network
FIGURE 1-1
Network Components
Interconnection Internet Router Interconnection

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

PC Switch

PC

Networking Fundamentals
Networking has its own jargon and common terms. The following terms are used throughout the industry and appear many times in this study guide:
n n n n n n n n

Network interface card (NIC): Connects a computer to a LAN. Medium: The physical transport used to carry data. Most of the time, this can be just a cable (twisted-pair or fiber), but it also includes air (for wireless transmission). Protocol: A set of communication rules used by computer or network devices. Cisco IOS Software: The most widely deployed network system software. Cisco IOS services include basic connectivity, security, network management, and other advanced services. Client: A computer or program that requests information from a server. Server: A computer or program that provides services of information to clients. Network operating system (NOS): Refers to the operating system running on servers. This includes Windows 2003 Server, Novell NetWare, UNIX, and Linux. Connectivity device: Any device that connects cable segments, connects two or more small networks into a larger one, or divides a large network into small ones.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[5]

SECTION 1 Building a Simple Network
n n n n

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Local-area network (LAN): A network confined to a small geographic area. This can be a room, building, or campus. Wide-area network (WAN): Interconnects LANs using leased carrier lines or satellite technology over a large geographic location. Physical topology: A network’s physical shape. These shapes include linear bus, ring, star, and mesh. Logical topology: The path that data takes from one computer to another.

Why Network Computers?
One of the primary functions of a network is to increase productivity by linking computers and computer networks. Corporate networks are typically divided into user groups, which are usually based on groups of employees. Remoteaccess locations, such as branches, home offices, and mobile workers, usually connect to the corporate LAN using a WAN service.

Resource-Sharing Functions and Benefits
Networks allow users to share resources and data. Major resources that are shared are as follows:
n n n n

Data and applications: Consist of computer data and network-aware applications such as e-mail. Resources: Include input and output devices such as cameras and printers. Network storage: Consists of directly attached storage devices (physical storage that is directly attached to a computer and shared server), network attached storage, and storage area networks. Backup devices: Devices that back up files and data from multiple computers.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[6]

SECTION 1 Building a Simple Network

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Networking Applications
Networking applications are computer programs that run over networks.

Network User Applications
Network user applications include the following:
n n n n n

E-mail Web browsers Instant messaging Collaboration Databases

Categories of Network Applications
Network applications function in one of three ways, with each application function affecting the network in different ways:
n n n

Batch applications: Started by a human and complete on their own without further interaction. FTP and TFTP are examples. Interactive applications: Include database updates and queries. A person requests data from the server and waits for a reply. Response time is typically more dependent on the server than the network. Real-time applications: Include Voice over IP (VoIP) and video. Network bandwidth is critical because these applications are time critical. Quality of service (QoS) and sufficient network bandwidth are mandatory for these applications.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

525. Availability: The measure of the likelihood that the network will be available for use when required.600 is the number of minutes in a year. Reliability: The dependability of the devices that make up the network (for example. Scalability: How well the network can accommodate more users and more data. Inc. monitor. .600] * 100. Cost: The general cost of network components. and so on. switches. Logical topology defines the data path of the network. Network administration applications fall into two general categories: n Network monitoring: Examples are protocol analyzers and network sniffers. Sniffers allow you to view not only the communication between computers but also the data that is being transmitted. Please see page MARCO A. remote control of devices. installation. All rights reserved. Network management: Helps make managing a network easier by providing device inventory.[7] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Network Administration Applications Network administration applications help manage a network. routers. software license compliance. and maintenance. From the Library of 311 for more details. ZUNIGA C. and so on). Security: Defines how secure the network and network data are. Physical topology defines the physical components of the network: cables. and troubleshoot a network. This publication is protected by copyright. n Characteristics of a Network Networks are characterized using the following terms: n n n n Speed: Also called data rate. n n n © 2008 Cisco Systems. speed is how fast data is transmitted over the network.600 – Minutes downtime) / 525. Calculated using the following formula: [(525. Protocol analyzers capture network packets between computers and decode the packets for easy reading. These applications configure. and notifications of network problems. PCs. Topology: Defines the design of the network. network devices.

The attacker gains access to information or data without the consent or knowledge of users. Classes of Attacks The following five classes of network attacks exist: n n n n n Passive: Attacks that include capturing and monitoring unprotected communication and capturing passwords. Please see page MARCO A. and steal and modify data. Insider: Attacks that occur from authorized users inside a network. Can be either malicious or nonmalicious. ZUNIGA C. External threats are threats external to the company or network. Internal threats are threats that originate from within the company network and might be intentional or unintentional. . Network security involves finding a balance between open and evolving networks and protecting company and private data. From the Library of 311 for more details.[8] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Network Security Network security involves securing the network from external and internal threats. Close-in: Attacks attempted by an individual in close physical proximity to networks or facilities. with the intent of gathering or changing data. Distribution: Attacks that focus on malicious changes to hardware or software at the factory or during distribution to introduce malicious code to unsuspecting users. All rights reserved. Inc. Active: Attacks that actively try to break or bypass security devices. This publication is protected by copyright. introduce malicious code. © 2008 Cisco Systems.

This publication is protected by copyright. Test: Involves testing systems to ensure that they function properly. Please see page MARCO A. the four facets are as follows: n n n n Secure: Involves installing and configuring devices for security. Secure FIGURE 1-2 Network Security Wheel Manage and Improve Corporate Security Policy Monitor and Respond Test © 2008 Cisco Systems. From the Library of 311 for more details. Inc. Monitor: After the network has been secured. you might need to improve the security of the network.[9] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Network Security Process Network security is an ongoing process that continually evolves. All rights reserved. . ZUNIGA C. Figure 1-2 shows the network security wheel. it must be monitored to ensure security. Improve: After monitoring and testing.

© 2008 Cisco Systems. These types of attacks include sniffers. Maintenance: Electrostatic discharge. and Internet Domain Name System (DNS) queries. Mitigation includes using uninterruptible power supplies (UPS) and backup generators. and power losses. Mitigation involves providing climatecontrolled rooms for critical network devices. voice. From the Library of 311 for more details. This publication is protected by copyright.[ 10 ] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Mitigating Physical and Environmental Threats Low-risk devices are typically low-end devices where access to the physical devices and cabling does not present a high risk to the network. ping sweeps. poor cabling. Reconnaissance Attacks Reconnaissance attacks are attacks that gather information about the target. and video traffic. Inc. brownouts. Mitigation involves restricting access to the hardware device to only authorized personnel. . All rights reserved. Environmental: Room-temperature extremes or humidity extremes. Please see page MARCO A. port scans. and lack of critical spares. ZUNIGA C. High-risk devices are mission-critical devices that route and control large amounts of data. noise. The four classes of physical threats are as follows: n n n n Hardware: Physical damage to the router or switch. Electrical: Voltage spikes.

Trust exploitation: Attacks that occur when a trusted source on a network takes advantage of its trust. ZUNIGA C. and not using plain-text passwords. Mitigation of these attacks includes disabling accounts after a specific number of unsuccessful login attempts. HTTP. and FTP to gain elevated access rights to the computer running the software. These attacks require access to the network media or devices between the source and destination. The five types of access attacks are as follows: n Password attacks: Attacks that try to compromise passwords. IP spoofing. For example. using sniffers. Port redirection: Attacks that use a compromised host to pass traffic through a firewall that would otherwise be dropped. operating systems. All rights reserved. These include brute-force attacks. captures and modifies information as it is transmitted from one network to another. Trojan horse programs. They have the following characteristics: n Exploiting well-known weaknesses in software found on servers such as send mail. and authentication services. Man-in-the-middle attacks: Attacks that occur when an attacker. n n n n Application Layer Attacks Application layer attacks try to exploit well-known vulnerabilities and passwords. This publication is protected by copyright. and packet sniffers. © 2008 Cisco Systems. . Buffer overflow: These attacks exploit programming errors that can result in a memory-access exception and program termination or a breach of system security. Please see page MARCO A.[ 11 ] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Access Attacks Access attacks exploit known web services. having complex password requirements. it can lead to other systems being compromised on the same network. From the Library of 311 for more details. Inc. if a trusted system on a network is compromised. databases.

Instead. ZUNIGA C. This publication is protected by copyright. Subscribe to mailing lists that publicize current software vulnerabilities and attacks. Please see page MARCO A. can be a vulnerability because Telnet sends all session data in clear text. Password stealing by prompting the user to enter the system password to gain access to the user’s system or accounts.[ 12 ] SECTION 1 Building a Simple Network n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Trojan horse programs that monitor login attempts and capture account information. use Secure Shell (SSH). Inc. All rights reserved. Use intrusion detection systems/intrusion prevention systems (IDS/IPS) to scan and stop network attacks. Management Protocol and Vulnerabilities Protocols used to manage network devices. Secure Socket Layer (SSL). Java and ActiveX attacks that pass malicious programs to users through a web browser. These programs then send the information to the attacker. From the Library of 311 for more details. Other network protocols that can be compromised and should be secured and monitored are as follows: n n n n Simple Network Management Protocol (SNMP) Syslog TFTP Network Time Protocol (NTP) © 2008 Cisco Systems. or IPsec. . Application Layer Attacks and Mitigation Several ways to mitigate application layer attacks are as follows: n n n n Read system and device logs. Patch computers and devices regularly. such as Telnet.

OSI Reference Model The OSI model is a standardized framework for network functions and schemes. and cable pin-outs. V. UDP IP 802. . HTTP ASCII/EBCDIC. The OSI model consists of seven layers.[ 13 ] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Host-to-Host Communication Model For different vendor hosts to communicate with each other. which can be applied in a “plug-and-play” manner. Inc. Provides logical addressing used by routers and the network hierarchy. Please see page MARCO A. which lets developers modularize design efforts. and provides error detection but no correction. Frame Relay Physical (Layer 1) EIA/TIA. JPEG/MP3 Operating systems. 802. a consistent model or standard is needed. Manages multiple applications. Provides reliable or best-effort delivery and some error correction.35 © 2008 Cisco Systems. Handles encryption and other processing. ZUNIGA C. TABLE 1-1 Layer OSI Model Function Examples Application (Layer 7) Presentation (Layer 6) Session (Layer 5) Transport (Layer 4) Network (Layer 3) Data link (Layer 2) User interface. This method allows many independent developers to work on separate network functions.2. uses MAC addresses to access endpoints. scheduling TCP. Creates frames from bits of data. All rights reserved. From the Library of 311 for more details. Specifies voltage. as outlined in Table 1-1. wire speed. HDLC. It breaks otherwise complex network interaction into simple elements. Telnet. This publication is protected by copyright.3.

you should know the following: n n n n n Application layer: Data Transport layer: Segment Network layer: Packet Data link layer: Frame Physical layer: Bits Peer-to-Peer Communication For packets to travel from a source to a destination. As the data moves down the communication stack. the receiving device strips the header. it adds a TCP or User Datagram Protocol (UDP) header to the data. © 2008 Cisco Systems. each OSI layer of the source computer must communicate with its peer at the destination. each part of the message is encapsulated by the layer below it. Inc. This publication is protected by copyright. and an IP header is added. which contains information for that layer (de-encapsulation). A PDU can include different information as it goes up or down the OSI model. thus becoming a frame. All rights reserved. For the ICND exam. this is called a segment. Please see page MARCO A. The packet is passed to the data link layer. the data becomes a packet. The segment is then passed to the network layer. From the Library of 311 for more details. . When the transport layer receives upper-layer data. This frame is then converted into bits and is passed across the network medium. thus. This is data encapsulation. ZUNIGA C.[ 14 ] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Encapsulation and De-encapsulation Protocol data units (PDU) communicate between layers. It is given a different name according to the information it is carrying (the layer it is at). Encapsulation is the method of adding headers and trailers. and it is unwrapped at the destination for use by the corresponding layer. As shown in Figure 1-3.

Inc. ZUNIGA C. All rights reserved. These protocols. From the Library of 311 for more details.[ 15 ] SECTION 1 Building a Simple Network FIGURE 1-3 Data Encapsulation Application Presentation Session Transport CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Upper Layer Data TCP Header Upper Layer Data Data Data Data FCS FCS PDU IP Header LLC Header MAC Header Network Data Link Physical 0101110101001000010 } } } } Segment Packet Frame Bits TCP/IP Stack The TCP/IP suite of protocols communicates across any set of interconnected networks. are well suited for communication across both LANs and WANs. providing communication services directly to the application layer Application layer: Provides specifications of applications such as e-mail. This publication is protected by copyright. initially developed by the Defense Advanced Research Projects Agency (DARPA). file transfer. . The protocol suite defines the following four layers: n n n n Network access layer: Consists of the physical and data link OSI model layers Internet layer: Provides routing of data from the source to a destination and defines addressing schemes Transport layer: The core of the TCP/IP suite. Please see page MARCO A. and network management © 2008 Cisco Systems.

[ 16 ] SECTION 1 Building a Simple Network CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty TCP/IP Stack Versus OSI Model Figure 1-4 shows the TCP/IP model. The TCP/IP protocol stack closely follows the OSI reference model. Please see page MARCO A. This publication is protected by copyright. . FIGURE 1-4 OSI Versus TCP/IP Model Application Application Presentation Session Transport Internet Network Access Data Link Physical Transport Network Data Link Physical TCP/IP Stack OSI Reference Model © 2008 Cisco Systems. Inc. From the Library of 311 for more details. ZUNIGA C. All rights reserved. All standard Layer 1 and Layer 2 protocols are supported (called the network interface layer in TCP/IP).

The protocol suite includes Layer 3 and Layer 4 specifications as well as specifications for higher-layer applications. . From the Library of 311 for more details. The protocols initially developed by DARPA are well suited for communication across both LANs and WANs. Internet Protocol (IP) IP is a connectionless protocol that provides best-effort delivery routing of packets. Please see page MARCO A. Inc. © 2008 Cisco Systems. IP has the following characteristics: n n n n n Operates at Layer 3 of the OSI (network) and Layer 2 of the TCP/IP (Internet) model Is connectionless Uses hierarchical addressing Provides best-effort delivery of packets Has no built-in data recovery Figure 2-1 shows the IP header information.[ 17 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 2 Understanding TCP/IP TCP/IP Overview The TCP/IP suite of protocols is used to communicate across any set of interconnected networks. This publication is protected by copyright. such as e-mail and file transfer. ZUNIGA C. All rights reserved.

Inc. Each IP datagram includes the source and destination IP address in the header. A two-part addressing scheme allows the IP address to identify both the network and the host: n n All the endpoints within a network share a common network number. The remaining bits identify each host within that network. From the Library of 311 for more details. This publication is protected by copyright. As shown in Figure 2-2. Please see page MARCO A. . each node must have a unique 32-bit logical IP address. © 2008 Cisco Systems. All rights reserved.[ 18 ] SECTION 2 Understanding TCP/IP FIGURE 2-1 IP Header Version (4) Priority & Type Header Length (4) of Service (8) Identification (16) Time to live (8) Protocol (8) Flags (3) Total Length (16) Fragment offset (13) Bit 0 Bit 15 Bit 16 Bit 31 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Header checksum (16) 20 Bytes Source IP Address (32) Destination IP Address (32) Options (0 or 32 if any) Data (varies if any) IP Addressing In a TCP/IP environment. IP addresses consist of two parts: the network address portion (network ID) and the host address component (host ID). ZUNIGA C.

and C are the most common. From the Library of 311 for more details. Multicast Group 16 17 Multicast Group 24 25 Multicast Group 32 Network Network 8 9 Host 16 17 Host 24 25 Host 32 Bits: Class B: Bits: 16 17 Host 24 25 Host 32 16 17 Network 24 25 Host 32 . Classes A. Class D addresses are used for multicast purposes. This scheme was based on the assumption that the world would have many more small networks than large networks. All rights reserved. Class C addresses allow many more networks. each with fewer hosts (24 network bits and 8 host bits). FIGURE 2-3 A Through D IP Address Classes Bits: Class A: 1 0NNNNNNN Range (1-126) 1 8 9 10NNNNNN Range (128-191) 1 8 9 110NNNNN Class C: Bits: Class D: Range (192-223) 1 8 9 1110MMMM Range (224-239) © 2008 Cisco Systems. Figure 2-3 shows the address range for classes A–D. B. Please see page MARCO A. This publication is protected by copyright. Class B has 16 network bits and 16 host bits. ZUNIGA C. Class A has 8 network bits and 24 host bits. and Class E addresses are used for research. Inc.[ 19 ] SECTION 2 Understanding TCP/IP FIGURE 2-2 Two-Part IP Addresses Binary 8 bits=octet 32 Bits CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 11111111 255 • 11111111 255 • 11111111 255 • 11111111 255 Dotted Decimal Network Portion Host Portion IP Address Classes Five classes of IP addresses exist: classes A through E.

255 172. For example.255 Networks using private addresses can still connect to the Internet if they use Network Address Translation (NAT).168. Directed broadcast address: An IP address that has all binary 1s in the host bit portion of the address.31. Used to send data to all devices on the network. Local broadcast address: An address used if a device wants to communicate with all devices on the local network.255 192. These addresses cannot be assigned to individual devices on a network. ZUNIGA C. The address is 127.0 to 192.255.16.16.255/16. The reserved addresses are as follows: n n n n Network address: An IP address that has all binary 0s in the host bit portion of the address. .255. © 2008 Cisco Systems. The address is 255. This publication is protected by copyright.0.1. For example.255.168.255. All rights reserved. From the Library of 311 for more details.0 to 172. Three blocks of IP addresses are reserved for private networks: n n n 10.0. The IP addresses are not routed on the Internet.0 to 10. Inc.16.0.255. Private IP Addresses RFC 1918 defines IP addresses that are reserved for use in private networks.[ 20 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Reserved IP Addresses Some IP addresses in TCP/IP are reserved for specific purposes. Please see page MARCO A. 172.0. Loopback address: Used by the TCP/IP stack to test TCP/IP by sending a message internally to itself. 172.255.0.0/16.0.0.255.255.

Inc. All rights reserved. Figure 2-4 shows the UDP header. From the Library of 311 for more details. UDP is simple and efficient but unreliable. best-effort protocol used for applications that provide their own error-recovery process. It trades reliability for speed. UDP does not check for segment delivery. TCP/IP Transport Layer The TCP/IP model transport layer is responsible for the following: n n n n n Session multiplexing Segmentation Flow control Connection-oriented or connectionless transport Reliable or unreliable data transport Two protocols function at the transport layer: UDP and TCP. TCP is a connection-oriented. Please see page MARCO A.[ 21 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Tools to Determine the IP Address of a Host n n Windows OS: ipconfig is a command-line tool in Windows operating systems that finds the TCP/IP parameters assigned to a host. UDP UDP is a connectionless. best-effort delivery protocol. UDP is a connectionless. . © 2008 Cisco Systems. reliable protocol. ZUNIGA C. This publication is protected by copyright. UNIX/Linux: ifconfig determines the TCP/IP information of a host.

From the Library of 311 for more details. . Figure 2-5 shows the TCP header. reliable protocol that is responsible for breaking messages into segments and reassembling them at the destination (resending anything not received). TCP also provides virtual circuits between applications. This publication is protected by copyright. Please see page MARCO A. Inc. FIGURE 2-5 TCP Header Source port (16) Destination port (16) Bit 0 Bit 15 Bit 16 Bit 31 Sequence number (32) 20 Bytes Window (16) Acknowledgment number (32) Header Reserved Length (4) (6) Checksum (16) Code bits (6) Urgent (16) Options (0 or 32 if any) Data (varies) © 2008 Cisco Systems. ZUNIGA C.[ 22 ] SECTION 2 Understanding TCP/IP FIGURE 2-4 UDP Header Source port (16) Destination port (16) Bit 0 Bit 15 Bit 16 Bit 31 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 8 Bytes Length (16) Data (if any) Checksum (16) TCP TCP is a connection-oriented. All rights reserved.

All rights reserved. Port (or socket) numbers keep track of different conversations crossing the network at any given time. © 2008 Cisco Systems. Applications that do not use well-known port numbers have them randomly assigned from a specific range. From the Library of 311 for more details. Figure 2-6 shows the TCP/UDP port numbers from common applications. Inc. .[ 23 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty TCP/IP Applications Some of the most common TCP/IP applications are as follows: n n n n n File Transfer Protocol (FTP): A TCP-based protocol that supports bidirectional binary and ASCII file transfers Trivial File Transfer Protocol (TFTP): A UDP-based protocol that can transfer configuration files and Cisco IOS Software images between systems Simple Mail Transfer Protocol (SMTP): An e-mail delivery protocol Terminal Emulation (Telnet): Allows remote command-line access to another computer Simple Network Management Protocol (SNMP): Provides the means to monitor and control network devices Dynamic Host Configuration Protocol (DHCP): Assigns IP addresses and other TCP/IP parameters such as subnet mask. HTTPS. This publication is protected by copyright. Well-known port numbers are controlled by the Internet Assigned Numbers Authority (IANA). DNS/WINS server addresses. Please see page MARCO A. ZUNIGA C. n n Port Numbers Both TCP and UDP can send data from multiple upper-layer applications at the same time. and SSH. and default gateways automatically to hosts Domain Name Service (DNS): Translates domain names into IP addresses NOTE Other examples include HTTP.

Inc.[ 24 ] SECTION 2 Understanding TCP/IP FIGURE 2-6 Port Numbers Application Layer F T P T E L N E T S M T P D N S T F T P S N M P R I P CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 21 Transport Layer 23 TCP 25 53 69 161 UDP 520 Port Numbers Port number ranges are as follows: n n n Numbers 1 through 1024 are considered well-known ports. . All rights reserved. Please see page MARCO A. ZUNIGA C. Numbers 1025 through 49151 are registered. Numbers 49152 through 65535 are private vendor assigned and are dynamic. From the Library of 311 for more details. Establishing a TCP Connection End stations use control bits called SYNs (for synchronize) and Initial Sequence Numbers (ISNs) to synchronize during connection establishment. This publication is protected by copyright. © 2008 Cisco Systems.

ack) Host A sends a SYN segment with sequence number 100. FIGURE 2-7 TCP Three-Way Handshake 1 Send SYN (seq=100 ctl=SYN) SYN Received SYN Received 3 Established (seq=101 ack=301 ctl=ack) Send SYN. Step 2. Note that the sequence number in this step is the same as the ACK in Step 2. ACK 2 (seq=300 ack=101 ctl=syn. This publication is protected by copyright. Note that the ACK field in host B is now expecting to hear sequence 101. Host A Host B © 2008 Cisco Systems. Please see page MARCO A. Step 3. Inc.[ 25 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Three-Way Handshake The synchronization requires each side to send its own initial sequence number and to receive a confirmation of it in acknowledgment (ACK) from the other side. From the Library of 311 for more details. host A sends data. In the next segment. which are further defined in the following list: Step 1. ZUNIGA C. Figure 2-7 outlines the steps in the TCP three-way handshake. . All rights reserved. Host B also sends a SYN. Host B sends an ACK and confirms the SYN it received.

ZUNIGA C. Step 3. The sender sends 3 bytes before expecting an ACK. TCP implements flow control by using the SYN and ACK fields in the TCP header. TCP reassembles the segments into a complete message. The Window field is a number that indicates the maximum number of unacknowledged bytes allowed outstanding at any time. Figure 2-8 shows the windowing process as outlined here: Step 1. All rights reserved. The sender sends the next 2 bytes but still specifies its window size of 3. Step 2. Step 4. With a window size of 1. specifies 3 as the next byte. Please see page MARCO A. it is resent. If a segment is not acknowledged within a given period. This publication is protected by copyright. and specifies a window size of 2. along with the Window field. The receiver can handle a window size of only 2. From the Library of 311 for more details. The window size from one end station tells the other side of the connection how much it can accept at one time. TCP Flow Control Flow control provides a mechanism for the receiver to control the transmission speed. each datagram is numbered so that at the receiving end. each segment must be acknowledged before another segment is sent.[ 26 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty TCP Sequence and Acknowledgment Numbers In TCP. . TCP Windowing Windowing ensures that one side of a connection is not overwhelmed with data it cannot process. © 2008 Cisco Systems. The receiver replies by requesting byte 5 and specifying a window size of 2. so it drops byte 3. This is the least-efficient use of bandwidth. Inc.

Examples include Ethernet segments. and hubs. Repeaters regenerate and retime (or clean up) the signal. From the Library of 311 for more details. serial links.[ 27 ] SECTION 2 Understanding TCP/IP FIGURE 2-8 TCP Windowing Example Sender Window Size = 3 Send 1 Window Size = 3 Send 2 Window Size = 3 Send 3 Window Size = 3 Send 3 Window Size = 3 Send 4 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Receiver Packet 3 Is Dropped ACK 3 Window Size = 2 ACK 5 Window Size = 2 A TCP/IP session can have different window sizes for each node. Exploring the Packet Delivery Process Layer 1 Devices Layer 1 devices operate at the physical layer and are only involved in transmitting signals (moving bits). . ZUNIGA C. repeaters. This publication is protected by copyright. All rights reserved. © 2008 Cisco Systems. allowing it to travel a longer distance over a given medium. one out) or multiport. Repeaters can be single-port (one in. eventually becoming unreadable. Please see page MARCO A. Inc. Repeaters (see Figure 2-9) are necessary because a signal’s quality degrades over distance.

. When a collision occurs. Using a hub. FIGURE 2-10 Hub © 2008 Cisco Systems. both stations resend the signal after a random period. From the Library of 311 for more details. Hubs also increase network reliability by isolating endpoints. the network continues to operate. they simply clean up signals. Hubs provide no filtering or intelligence. A group of devices connected to the same physical medium is known as a collision domain. Ethernet devices use a method called carrier sense multiple access collision detect (CSMA/CD) when sending bits. If two devices transmit a signal at the same time.[ 28 ] SECTION 2 Understanding TCP/IP FIGURE 2-9 Repeater CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Hubs are similar to repeaters and are often called multiport repeaters (usually having from 4 to 20 ports). a collision results. if a single cable fails. Please see page MARCO A. Collisions increase with the number of stations and reduce usable bandwidth (see Figure 2-10). This publication is protected by copyright. All rights reserved. ZUNIGA C. Inc.

Layer 3 Devices Layer 3 devices operate at the network layer of the OSI model. ZUNIGA C. which uses a different addressing scheme than Layer 2 devices. Bridges keep track of destinations in MAC address tables. This is because the switching functions are performed in hardware.[ 29 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Layer 2 Devices Layer 2 devices operate at the data link layer and. Network interface cards (NICs) are considered Layer 2 devices because they provide MAC addresses used by other Layer 2 devices. but they are outside the scope of the ICND1 and ICND2 exams. isolate endpoints. Bridges keep local traffic from going to other LAN segments but can filter traffic intended for other LAN segments using the MAC address of the destination endpoint. in most cases. All rights reserved. Switches proved more ports than bridges and also support virtual LANs (VLANs. The two most common Layer 3 devices are routers and multilayer switches. avoiding data collisions (discussed later). Devices such as bridges and switches use MAC addresses to switch data frames. FIGURE 2-11 Bridge Bridge Switches (or LAN switches) are similar to bridges and have the same functionality as bridges but are typically much faster than bridges. From the Library of 311 for more details. whereas bridges use software. other Layer 3 protocols exist. This publication is protected by copyright. Figure 2-11 shows that bridges connect LAN segments and isolate collision domains. . Please see page MARCO A. As shown in © 2008 Cisco Systems. Inc. IP addresses are one type of Layer 3 address. discussed later). which increases bandwidth.

. Please see page MARCO A. From the Library of 311 for more details.0 172.[ 30 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Figure 2-12. FIGURE 2-12 Routers 172.16. ZUNIGA C. Using Layer 3 addresses allows multilayer switches to implement quality and security policies. Routers can also connect different types of Layer 2 networks. This advance was enabled because of high-speed software embedded in hardware ASICs. This publication is protected by copyright. Inc. Routers regulate traffic and make up the backbone of most IP networks.0 172.3.16. Routers can make intelligent decisions about the best path a packet can take across the network.0 Internet Multilayer switches are the same as regular Layer 2 switches but can process and make switching decisions based on Layer 3 addresses.16. This has reduced the bottleneck that used to occur with software-based Layer 3 devices.4. All rights reserved. © 2008 Cisco Systems.1. routers pass data packets between networks based on their IP (or possibly other Layer 3) address.16.2.0 172.

ARP sends a broadcast looking for the destination address. An ARP cache table is checked when looking for a destination. . IP uses a protocol called Address Resolution Protocol (ARP). If the address is not in the ARP table. ZUNIGA C. All rights reserved. To find the MAC address of the destination.[ 31 ] SECTION 2 Understanding TCP/IP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Mapping Layer 2 Addressing to Layer 3 Addressing For IP hosts to communicate on Ethernet networks. ARP maps a known IP address to a MAC sublayer address. This publication is protected by copyright. Inc. the IP host must know the IP address and MAC address of the destination computer. © 2008 Cisco Systems. Please see page MARCO A. From the Library of 311 for more details.

ARP. Protocols: Examples include Ethernet protocols. Interconnections: Provide a means for data to travel. LANs are usually located in a building or campus and do not cover a large distance. Intel. Also include NICs and network media. LANs consist of the following components: n n n n Computers: Examples include PCs and servers. All rights reserved. © 2008 Cisco Systems. Ethernet Ethernet is one of the most widely used LAN standards. the IEEE defined new standards for Ethernet called Ethernet 802. This publication is protected by copyright. As Figure 3-1 shows. LANs connect computers. Please see page MARCO A.[ 32 ] SECTION 3 Understanding Ethernet CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 3 Understanding Ethernet Ethernet was developed in the 1970s by Digital Equipment Corporation (DEC). The 802. low-error data networks that cover a small geographic area.3. Later. and other devices in a single building or a limited area. Definition of a LAN Local-area networks (LAN) are high-speed. routers. From the Library of 311 for more details. printer. Network devices: Examples include hubs. terminals. and switches. Ethernet operates at Layers 1 and 2 of the OSI model. and DHCP. They are relatively inexpensive to develop and maintain. . Inc. and Xerox.3 standard is the standard that is in use today. IP. ZUNIGA C.

The data link layer (Layer 2) has the following functions: n n n Two sublayers perform data-link functions: the MAC layer and the Logical Link Control (LLC) layer. The MAC address is a 48-bit address expressed as 12 hex digits. Physical Provides physical addressing Provides support for connection-oriented and connectionless services Provides frame sequencing and flow control © 2008 Cisco Systems. Inc. and topology.35 The physical layer (Layer 1) defines cabling.2 Ethernet 802. connection specifications. All rights reserved. The MAC sublayer is responsible for how data is sent over the wire.3 EIA/TIA-232 v. .[ 33 ] SECTION 3 Understanding Ethernet FIGURE 3-1 Frame Relay Data Link HDLC CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Physical and Data Link Layers 802. Figure 3-2 shows the Media Access Control (MAC) sublayer (802. This publication is protected by copyright. ZUNIGA C. Please see page MARCO A.3). From the Library of 311 for more details.

© 2008 Cisco Systems.xxxx Ethernet II Uses "Type" Here and Does Not Use 802.2. Inc.[ 34 ] SECTION 3 Understanding Ethernet FIGURE 3-2 MAC Sublayer #Bytes 8 Preamble 6 Dest Add 6 Source Add 2 Length MAC Layer . SNAP is used to support non-802 protocols. All rights reserved. Two types of LLC frames exist: service access points (SAP) and Subnetwork Access Protocol (SNAP).2) is responsible for identifying and encapsulating different protocol types. . Figure 3-3 shows the LLC sublayer frame. From the Library of 311 for more details. This publication is protected by copyright. ZUNIGA C. IEEE Assigned Vendor Assigned MAC Address The MAC sublayer defines the following: n n n n n n Physical addressing Network topology Line discipline Error notification Orderly delivery of frames Optional flow control The LLC sublayer (802.3 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Variable Data 4 FCS 0000. Please see page MARCO A.802.0C xx.

Please see page MARCO A. © 2008 Cisco Systems. All rights reserved.[ 35 ] SECTION 3 Understanding Ethernet FIGURE 3-3 LLC Sublayer 1 Dest SAP AA 1 Source SAP AA 802.802. If no other station is transmitting. all devices receive all signals. and no station has priority over any other. many stations can transmit on the Ethernet media. This publication is protected by copyright. Ethernet uses a method called carrier sense multiple access collision detect (CSMA/CD) to detect collisions. From the Library of 311 for more details. a collision occurs. the station transmits across the media. . Before a station transmits. If a collision occurs. When devices send signals at the same time. ZUNIGA C. it listens to the network (carrier sense) to make sure that no other station is transmitting. Inc.3 Role of CSMA/CD in Ethernet All stations on an Ethernet segment are connected to the same media.2 (SNAP) 1 or 2 Ctrl 03 3 OUI ID CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 2 Variable Type Data Or 1 Dest SAP 1 802. A scheme is needed to detect and compensate for collisions. the transmitting stations detect the collision and run a backoff algorithm. Therefore. In CSMA/CD. The backoff algorithm computes a random time that each station waits before retransmitting.2 (SAP) 1 or 2 Ctrl Variable Data Source SAP Preamble Dest add Source add Length Data FCS MAC Layer .

All rights reserved. This publication is protected by copyright. Stations view broadcast frames as public service announcements. Ethernet Addresses The Ethernet address. As shown in Figure 3-4. Uniquely identifies the Ethernet hardware. OUI 24-Bits Vendor Assigned 24-bits FIGURE 3-4 MAC Addresses 48-bit MAC Address © 2008 Cisco Systems. This is IEEE assigned and identifies the manufacturer of the card. the MAC address is usually displayed in a hexadecimal format such as 00-0d-65-ac-50-7f. or MAC address. the MAC address is 48 bits and consists of the following two components: n n Organizational Unique Identifier (OUI): 24 bits.[ 36 ] SECTION 3 Understanding Ethernet CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Ethernet LAN Traffic Three major types of network traffic exist on a LAN: n n n Unicasts: The most common type of LAN traffic. Please see page MARCO A. . Multicasts: Traffic in which one transmitter tries to reach only a subset. Typically burned into the adapter. A unicast frame is a frame intended for only one host. Inc. or group. From the Library of 311 for more details. All stations receive and process broadcast frames. Broadcasts: Intended for all hosts. ZUNIGA C. of the entire segment. Vendor-assigned: 24 bits. is the Layer 2 address of the network adapter of the network device.

4. 5 UTP 2-pair 100 m 100BASE-TX EIA/TIA Cat 5 UTP 2-pair 100 m 100BASE-FX 62. unshielded twisted-pair (UTP) cable. over fiber. 10BASE5. and 10BASE-F.[ 37 ] SECTION 3 Understanding Ethernet CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Connecting to an Ethernet LAN The term Ethernet encompasses several LAN implementations.3 extension that operates over fiber and copper at 1000 Mbps. Fast Ethernet or 100-Mbps Ethernet: Operates over UTP or fiber.5/50 micromultimode fiber 275 m 1000BASE-LX 9-micron singlemode fiber 3–10 km Maximum Segment Length Connector 25 m ISO 8877 (RJ-45) ISO 8877 (RJ-45) Duplex media ISO 8877 interface (RJ-45) (RJ-45) connector (MIC) ST ISO 8877 — — © 2008 Cisco Systems. or 1 gigabit per second (Gbps). 10-Gigabit Ethernet: Defined in 802. All rights reserved. 10BASE-T. Please see page MARCO A. ZUNIGA C.3ae. and all support various cabling structures. The following four main categories of Ethernet exist: n n n n Ethernet (DIX) and IEEE 802. This publication is protected by copyright. or fiber.5/125 micromultimode fiber 400 m 1000BASE-CX 1000BASE-T STP EIA/TIA Cat 5 UTP 4-pair 100 m 1000BASE-SX 62. TABLE 3-1 Media Ethernet Media and Connection Requirements 10BASE-T EIA/TIA Cat 3. Physical layer implementations vary. Fast Ethernet and Gigabit Ethernet require UTP Category 5e (or higher) or fiber cabling.3: Operate at 10 Mbps over coaxial cable. . From the Library of 311 for more details. runs in full-duplex mode only. The standards are referred to as 10BASE2. Table 3-1 compares cable and connecter specifications. Gigabit Ethernet: An 802. Inc.

CAT 4. UTP has a small diameter that can be an advantage when space for cabling is at a minimum. Please see page MARCO A. The two categories of twisted-pair cables are unshielded twisted-pair (UTP) and shielded twisted-pair (STP). It is prone to electrical noise and interference because of the lack of shielding. This publication is protected by copyright. and they allow you to deploy different types of 1000BASE-X technology without having to change the physical interface of the switch. defined as follows: n UTP cable: Usually connected to equipment with an RJ-45 connector. Seven categories of UTP cable exist: CAT 1. The pairs are twisted to prevent interference (crosstalk). CAT 5. ZUNIGA C. All rights reserved. The most common types of media are as follows: n Twisted-pair cable: Used for telephony and most Ethernet networks. Each pair makes up a circuit that can transmit signals. . GBICs are interchangeable. GBICs support UTP and fiber media.[ 38 ] SECTION 3 Understanding Ethernet CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty A Gigabit Interface Converter (GBIC) is a hot-swappable I/O device that plugs into a Cisco Gigabit Ethernet port. CAT 3. Inc. From the Library of 311 for more details. and CAT 6. CAT 5e. Network Media Types Network media refers to the physical path that signals take across a network. CAT 2. Unshielded Twisted Pairs Twisted Pair FIGURE 3-5 UTP Outer Jacket Color-Coded Plastic Insulation © 2008 Cisco Systems.

This offers a large jump in bandwidth over other types of cables (1 Gbps or greater). Figure 3-7 shows an RJ-45 connector and its pin connections. Shielded Twisted Pairs Overall Shield Pair Shields Twisted Pair FIGURE 3-6 STP Outer Jacket Color-Coded Plastic Insulation n Fiber-optic cable: Allows the transmission of light signals. and maximum length is 100 m). Multimode fiber is used primarily in systems with short transmission distances (less than 2 km). This publication is protected by copyright. . each taking a slightly different path.[ 39 ] SECTION 3 Understanding Ethernet n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty STP cable: Provides much better protection against electrical noise and interference than UTP but is thicker and more expensive. Single-mode fiber is typically used for long-distance and high-bandwidth applications. several modes (or wavelengths) propagate down the fiber. From the Library of 311 for more details. defined as follows: n Multimode: With this type of fiber. n UTP Implementation An RJ-45 connector is use with UTP cabling. Single-mode: This type of fiber has only one mode in which light can propagate. The two types of fiber-optic cables are multimode and single-mode. All rights reserved. Inc. © 2008 Cisco Systems. Please see page MARCO A. ZUNIGA C. The cable speed and maximum length are the same as for UTP (speed is 10 to 100 Mbps.

ZUNIGA C. All rights reserved. Figure 3-8 shows the pins for a straight-through cable. Straight-through cables are typically used to connect different devices (data terminal equipment [DTE] to data communications equipment [DCE]). This publication is protected by copyright. . Inc. such as switch-to-router connections. From the Library of 311 for more details. Please see page MARCO A.[ 40 ] SECTION 3 Understanding Ethernet CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The two types of connections are straight-through and crossover. FIGURE 3-7 RJ-45 Connector Bits: Class A: 1 0NNNNNNN Range (1-126) 1 8 9 10NNNNNN Range (128-191) 1 8 9 110NNNNN Class C: Bits: Class D: Range (192-223) 1 8 9 1110MMMM Range (224-239) Multicast Group 16 17 Multicast Group 24 25 Multicast Group 32 Network Network 8 9 Host 16 17 Host 24 25 Host 32 FIGURE 3-8 Straight-Through Wiring Cable 10 BASE-TX 100BASE-T Straight-Through Bits: Class B: Bits: 16 17 Host 24 25 Host 32 Hub/Switch Pin Label 1 RD+ 2 RD– 3 TD+ 4 NC 5 NC 6 TD– 7 NC 8 NC Server/Router Pin Label 1 TD+ 2 TD– 3 RD+ 4 NC 5 NC 6 RD– 7 NC 8 NC 16 17 Network 24 25 Host 32 © 2008 Cisco Systems.

. Please see page MARCO A. This publication is protected by copyright. such as switch-to-switch connections. Inc. Figure 3-9 shows the pins for a crossover cable. The primary exception to this rule is switch-to-hub connections. FIGURE 3-9 Crossover Wiring Cable 10 BASE-T/ 100BASE-T Crossover Hub/Switch Pin Label 1 RD+ 2 RD– 3 TD+ 4 NC 5 NC 6 TD– 7 NC 8 NC Hub/Switch Pin Label 1 RD+ 2 RD– 3 TD+ 4 NC 5 NC 6 TD– 7 NC 8 NC © 2008 Cisco Systems. All rights reserved.[ 41 ] SECTION 3 Understanding Ethernet CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Crossover cables are typically used to connect similar devices. which use a crossover cable. From the Library of 311 for more details. ZUNIGA C.

[ 42 ] SECTION 4 LAN Network Topologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Part II: Growing the Network (LANs) Section 4 LAN Network Topologies Choosing the Right Network Topology A topology refers to the way in which network devices are connected. As shown in Figure 4-1. This publication is protected by copyright. All rights reserved. Please see page MARCO A. or the packets will collide and both will be destroyed (and must be resent). Inc. The following sections discuss each topology. . © 2008 Cisco Systems. ZUNIGA C. An example of this is a network in which each endpoint is connected to every other endpoint (a meshed network) but the signal can flow in only sequential order (a ring network). or signals will bounce back and cause errors. The ends of the wire must be connected to a device or terminator. a bus or linear bus connects all devices with a single cable. The three primary categories of physical topologies are as follows: n n n Bus Ring Star A logical topology refers to how signals travel from endpoint to endpoint. From the Library of 311 for more details. The physical and logical topologies can be the same or different. Only a single packet can be transmitted at a time on a bus. A physical topology refers to the physical layout of the endpoints and the connecting cables.

In a single ring. a frame travels in a logical order around the ring. If an end station wants to send data. or router) where all end devices meet. © 2008 Cisco Systems. and the data is removed at the intended destination. Figure 4-4 shows an extended star topology. all devices are connected to all other devices. FIGURE 4-1 Bus Topology FIGURE 4-2 Ring Topology FIGURE 4-3 Star Topology In an extended star. going from one end station to the next. The frame continues around the ring. Please see page MARCO A. If parts of both rings fail. it is added to the frame. continues. which means that if one ring fails. data travels in a single direction. but for networks with more than a few devices. In a ring topology. which then connect to end stations. provide good redundancy without the expense of full meshes. . which have at least one device with multiple connections. the system can still operate. stars have a central connection (hub. each ring sends data in a different direction. ZUNIGA C. In a dual ring. Inc. Star topologies are the most common physical topology in Ethernet LANs. FIGURE 4-4 Extended Star Topology In a full-mesh topology. Figure 4-5 shows a full-mesh topology. however. switch. All rights reserved. a “wrap” (a connection between the two rings) can heal the fault. This publication is protected by copyright. or fault tolerance. or host. Great redundancy exists on full-mesh networks. Stars cost more than other topologies but are more fault tolerant because a cable failure usually affects only one end device. Partial-mesh topologies. As shown in Figure 4-3. From the Library of 311 for more details. it becomes overly expensive and complicated. the entire system fails. Two rings create redundancy. The frame. the central networking device connects to other networking devices. The disadvantage of a star is that if the central device fails.[ 43 ] SECTION 4 LAN Network Topologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Figure 4-2 shows a ring topology.

. See Figure 4-6. From the Library of 311 for more details. Please see page MARCO A. Wireless adapters must be installed on a laptop (wireless NIC) to communicate with the network. Inc. FIGURE 4-6 Wireless Topology © 2008 Cisco Systems. All rights reserved. such as wireless networks. This publication is protected by copyright. Wireless communications use radio frequencies (RF) or infrared (IR) waves to transmit data over a LAN. ZUNIGA C. Wireless gives network designers many new options. because no physical medium is required to connect end stations (which is great for installation in old buildings or offices with inadequate space for cabling).[ 44 ] SECTION 4 LAN Network Topologies FIGURE 4-5 Full-Mesh Topology CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The last type of network topology is one that does not require the use of traditional cable connections.

Repeaters are Layer 1 devices that amplify a signal from one segment to another. Hubs let you add and remove computers without © 2008 Cisco Systems. or switches.[ 45 ] SECTION 4 LAN Network Topologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The Challenges of Shared LANs An Ethernet segment is a network connection made by a single unbroken network cable.5µ multimode: 250 m 50µ multimode: 550 m Extending a LAN Segment Although Ethernet has segment distance limitations. hubs. All rights reserved. ZUNIGA C. This publication is protected by copyright. Any transmission beyond the physical limitation will degrade the signal. Segments can only span a limited physical distance. All devices connected to a hub compete for the same amount of bandwidth. . are self-contained Ethernet segments in a box. you can extend the segment by adding repeaters. Table 4-1 lists the Ethernet segment distance limitations. From the Library of 311 for more details. Please see page MARCO A. also called Ethernet concentrators or Ethernet repeaters. Inc. TABLE 4-1 10BASE-T 10BASE-FL 100BASE-TX 100BASE-FX 1000BASE-T 1000BASE-LX 1000BASE-SX Ethernet Segment Distance Limitations Description Segment Length Ethernet Specification 10 Mbps over twisted-pair 10 Mbps over fiber 100 Mbps over twisted-pair 100 Mbps over fiber Gigabit Ethernet over twisted-pair Gigabit Ethernet over fiber Gigabit Ethernet over fiber 100 m 2000 m 100 m 400 m 100 m Multimode: 550 m Single-mode: 10 km 62. Hubs.

a collision results. the chances that devices transmit at the same time increase. Each end station resends after a random time (called a backoff algorithm). From the Library of 311 for more details. Collisions occur when two or more end stations “listen” for traffic on the segment. . All rights reserved. A collision domain is a group of devices connected to the same network segment such that if two devices access the medium at the same time.[ 46 ] SECTION 4 LAN Network Topologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty disabling the network but do not create additional collision domains. As the number of end stations increases. and all are destroyed and must be resent. ZUNIGA C. collisions increase to the point where the system is virtually unusable because collisions are constantly occurring. The simultaneous transmissions collide. Inc. Switches are Layer 2 devices that amplify a signal and use Layer 2 information to route traffic. hear nothing. Hubs provide no filtering and forward all traffic out all ports regardless of where they are destined. As networks grow. Repeaters and hubs amplify a signal and increase segment distance limitations. all devices compete for the same bandwidth. The most common causes of network congestion are as follows: n n n Increases in PC speed and performance Increases in network data Bandwidth-intensive applications © 2008 Cisco Systems. resulting in more collisions. they cannot decrease collisions. Solving Network Challenges with Switched LAN Technology As networks grow and evolve. Collisions are by-products of CSMA/CD. network congestion increases. however. This publication is protected by copyright. Please see page MARCO A. The network segments that share the same bandwidth are called collision domains. All devices on the same network segment receive all signals sent on the segment. Collisions and Collision Domains In traditional Ethernet segments. and then transmit at the same time.

All rights reserved. This function allows the switch to store frames and forward them to the correct port. Bridges used the concept of segmentation to allow more end stations to be added to a LAN (called scaling). Please see page MARCO A. Higher port density: Port density is the number of ports available on a single device. switches process frames in hardware through the use of application-specific integrated circuits (ASICs). ZUNIGA C. Data buffering: A buffer is memory storage.[ 47 ] SECTION 4 LAN Network Topologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Bridges Bridges were used as an early solution for network congestion. multiport. Switches also have the following features: n n n High-speed backplane: A circuit board that allows the switch to monitor multiple conversations. From the Library of 311 for more details. This publication is protected by copyright. . which increases the network’s overall speed. Unlike bridges that process frames using software. © 2008 Cisco Systems. FIGURE 4-7 Segmenting a Network Through Bridges Only Data Frames Intended for Segment A Are Allowed Through from Segment B. A switch can have hundreds of ports. very smart bridges. Inc. Segmentation is shown in Figure 4-7. Segmentation is a method of breaking up collision domains. Bridge Collision Domain A Collision Domain B Switches Layer 2 switches are really just high-speed. Bridges are more intelligent than hubs and can forward or block traffic based on the data frame’s destination address (whereas hubs just send the frame to every port and end station).

[ 48 ]

SECTION 4 LAN Network Topologies
n n n

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

High port speeds: Switches can support a mixture of port speeds from 10 Mbps to 10 Gbps. Lower latency: Latency is the measure of the time it takes an incoming frame to come back out of a switch. Virtual LANs (VLAN): Switches can logically segment networks into separate broadcast domains.

All these features (particularly port density) allow microsegmentation, which means that each end station has a dedicated switch port. This eliminates collisions, because each collision domain has only a single end station. Although these features can reduce some network congestion, faster PCs can flood a network with traffic. Broadcasts and multicasts also contribute to network congestion.

Switch Frame Transmission Modes
The following three primary frame switching modes exist:
n n

Cut-through: The switch checks the destination address and immediately begins forwarding the frame. This can decrease latency but can also transmit frames containing errors. Store and forward: The switch waits to receive the entire frame before forwarding. The entire frame is read, and a cyclic redundancy check (CRC) is performed. If the CRC is bad, the frame is discarded. Latency increases as a function of frame length. Fragment-free (modified cut-through): The switch reads the first 64 bytes before forwarding the frame. The minimum number of bytes necessary to detect and filter out collision frames is 64 bytes.

n

How Switches Segment the Ethernet Network
Ethernet switches perform three major functions in segmenting a network: forwarding, filtering, and flooding. Switches perform these functions by the following methods:
n

MAC address learning: Switches learn the MAC addresses of devices attached to each of their ports. These addresses are stored in a MAC database.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 49 ]

SECTION 4 LAN Network Topologies
n

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Forwarding and filtering: Switches determine which port a frame must be sent out to reach its destination. If the address is known, the frame is sent only on that port. If it’s unknown, the frame is flooded to all ports except the one from which it originated. Flooding: Switches flood all unknown frames, broadcasts, and multicasts to all ports on the switch except the one from which it originated.

n

Switches in Action
A switch uses its MAC address table when forwarding frames to devices. When a switch is first powered on, it has an empty MAC address table. With an empty MAC address table, the switch must learn the MAC addresses of attached devices. This learning process is outlined below using Figure 4-8:
Step 1. Step 2.

Initially, the switch MAC address table is empty. Station A with the MAC address sends a frame to station C. When the switch receives this frame, it does the following:
n n

Because the MAC table is empty, the switch must flood the frame to all other ports (except E0, the frame origin). The switch notes the source address of the originating device and associates it with port E0 in its MAC address table entry.

Step 3.

The switch continues to learn addresses in this manner, continually updating the table. As the MAC table becomes more complete, the switching becomes more efficient, because frames are forwarded to specific ports rather than being flooded out all ports.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 50 ]

SECTION 4 LAN Network Topologies
FIGURE 4-8
Frame Forwarding by a Switch
A E0 0260.8c01.1111 E2 B E3 D E1 MAC Address Table E0: 0260.8c01.1111 E3: 0260.8c01.4444 C

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

0260.8c01.2222

0260.8c01.3333

0260.8c01.4444

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 51 ]

SECTION 5 Operating Cisco IOS

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Section 5 Operating Cisco IOS
Cisco IOS enables network services in switches and routers. It provides the following features:
n n n n n

Carries network protocols and functions Connectivity Security Scalability Reliability

The Cisco IOS command-line interface (CLI) can be accessed through a console connection, modem connection, or Telnet/SSH sessions. These connections are called EXEC sessions.

Cisco Device Startup
When a Cisco device starts up, it goes through the following steps:
Step 1. Step 2. Step 3.

Completes power-on self test (POST) Finds and loads Cisco IOS Software image Finds and applies device configuration

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 52 ]

SECTION 5 Operating Cisco IOS

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

External Configuration Sources
An IOS device can be configured from any of the following external sources:
n n n n n n

Console terminal Remote terminal (aux port) Telnet TFTP CiscoWorks SSH

Only a console connection or remote terminal connection can be used to initially configure a router or switch.

Console Connection
To establish a connection through a console port, you need a rollover cable to connect a console port to a PC. To set up the connection, follow these steps:
Step 1. Step 2.

Cable the device using a rollover cable. You might need an adapter for the PC. Configure the terminal emulation application with the following COM port settings: 9600 bps, 8 data bits, no parity, 1 stop bit, and no flow control.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 53 ]

SECTION 5 Operating Cisco IOS

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Cisco IOS Software Command-Line Interface Functions
Cisco IOS uses a hierarchy of commands in its command-mode structure. For security, Cisco IOS separates EXEC sessions into these two access levels:
n n

User EXEC mode (user mode) Privileged EXEC mode (enable mode)

User EXEC mode is the first mode you enter when you log in to the IOS. This mode is limited and is mostly used to view statistics. You cannot change a router’s configuration in this mode. By default, the greater-than sign (>) indicates that you are in user mode. This is how the router prompt looks in user mode:
Router>

In privileged EXEC mode, you can view and change the configuration in a router; you have access to all the router’s commands and the powerful debug commands. To enter privileged mode, enter the enable command while in user mode. By default, the pound symbol (#) indicates that you are in privileged mode. This mode is usually protected with a password. Here is an example of how to enter privileged mode. You also see the output of the prompt:
Router>enable Password: Router#

Keyboard Help in the CLI
Several commands built into IOS provide help when you enter configuration commands:
n

? displays a list of commonly used commands.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

From the Library of 311 for more details. Inc. . Enhanced Editing Commands Enabled by default. This publication is protected by copyright. show ? lists all variants of the show command. All rights reserved. enhanced editing commands allow shortcuts to speed the editing process.[ 54 ] SECTION 5 Operating Cisco IOS n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty -More appears at the bottom of the screen when additional information exists. Press any other key to return to the user-mode prompt. ZUNIGA C. Display the next line by pressing Enter. TABLE 5-1 Command Enhanced Editing Commands Action Ctrl-A Ctrl-E Esc-B Esc-F Ctrl-B Ctrl-F Ctrl-D Backspace Ctrl-R Ctrl-U Moves the cursor to the beginning of the line Moves the cursor to the end of the line Moves the cursor back one word Moves the cursor forward one word Moves the cursor back one character Moves the cursor forward one character Deletes a single character Removes one character to the left of the cursor Redisplays a line Erases from the cursor to the beginning of the line continues © 2008 Cisco Systems. Table 5-1 shows the enhanced editing commands available in Cisco IOS Software. Please see page MARCO A. Display the next available screen by pressing the spacebar. s? lists all commands that start with s.

This publication is protected by copyright. This buffer defaults to ten lines.[ 55 ] SECTION 5 Operating Cisco IOS TABLE 5-1 Command CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Enhanced Editing Commands Action continued Ctrl-W Ctrl-Z Tab Ctrl-P or up arrow Ctrl-N or down arrow Erases a word Ends configuration mode and returns to the EXEC mode Completes a partially entered (unambiguous) command Recalls commands. Please see page MARCO A. but it can be configured to a maximum of 256 using the history size command. Inc. All rights reserved. . From the Library of 311 for more details. beginning with the most recent Returns the most recent commands in the buffer Command History A command history is available to review previously entered commands. ZUNIGA C. © 2008 Cisco Systems. as follows: terminal history size number-of-lines history size number-of-lines show history sets session command buffer size sets the buffer size permanently shows command buffer contents Console Error Messages When you enter an incorrect command. you receive one of three messages detailed in Table 5-2.

% Invalid input detected at '^' marker. with a space between the command and the question mark. followed by a question mark (?). © 2008 Cisco Systems. All rights reserved. From the Library of 311 for more details. Reenter the command. .[ 56 ] SECTION 5 Operating Cisco IOS TABLE 5-2 Console Error Messages Meaning CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Error Message How to Get Help % Ambiguous command: "show con" Not enough characters were entered to define a specific command. Please see page MARCO A. Keywords or values are missing. The command was entered incorrectly. % Incomplete command. followed by a question mark (?). Inc. with no space between the command and the question mark. ZUNIGA C. This publication is protected by copyright. Reenter the command. The caret (^) marks the point of the error. Enter a question mark (?) to display all the commands or parameters that are available in this mode.

2. Please see page MARCO A. Inc. From the Library of 311 for more details. . Step 2. A power-on self test (POST) checks the hardware. Initial startup procedure: Step 1. Observe the boot sequence. Step 3.[ 57 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 6 Configuring a Cisco Switch Starting a Switch When a Catalyst switch is started for the first time. 3. ZUNIGA C. This publication is protected by copyright. A startup routine initiates the operating system. a default configuration is loaded. © 2008 Cisco Systems. Software configuration settings are loaded. Attach the switch to the power source to start the switch (there is no on/off switch). A terminal is connected to the console port. Before you start the switch. verify the following: n n n All network cable connections are secure. A terminal application is selected. Three main operations are performed during normal startup: 1. All rights reserved.

Inc. . Pressing the Mode button toggles through the following LED display modes: n n n Port status Bandwidth utilization Full-duplex support Port Status LEDs FIGURE 6-1 Catalyst 2960 LEDs System LED Port Mode LEDs Mode Button Table 6-1 details switch LED status indications for the Catalyst 2960. From the Library of 311 for more details. and fault conditions. normal operation. All rights reserved. © 2008 Cisco Systems. ZUNIGA C. These LEDs provide information on switch status during startup.[ 58 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Switch LED Indicators Figure 6-1 shows the LEDs on the front panel of the switch. This publication is protected by copyright. Please see page MARCO A.

such as IP address and host name Interface configuration: Configures parameters specific to a switch port © 2008 Cisco Systems. This publication is protected by copyright. . one or more POST errors Green: RPS operational Flashing green: RPS connected but is powering another device Amber: RPS installed but not operational Flashing amber: The internal power supply and RPS have power and are powering the switch Green: Link present Flashing green: Link present with traffic activity Alternating green and amber: Link fault Amber: Port not forwarding Green: Bandwidth utilization displayed over the amber LED on a logarithmic scale Amber: Maximum backplane utilization since the switch was powered on Green and amber: Depends on the model Green: Ports are configured in full-duplex mode Off: Ports are half-duplex Port status (STAT) Bandwidth utilization (UTL) Full-duplex (FDUP) Configuring a Switch from the Command Line The following two configuration modes are available: n n Global configuration: Configures global parameters on a switch. Inc. From the Library of 311 for more details.[ 59 ] SECTION 6 Configuring a Cisco Switch TABLE 6-1 LED System LED Redundant power supply (RPS) CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Catalyst 2960 LEDs Status Green: System powered and operational Amber: System malfunction. ZUNIGA C. Please see page MARCO A. All rights reserved.

From the Library of 311 for more details. Inc.0 Admin-Sw(config-if)#no shutdown © 2008 Cisco Systems. The interface-id parameter identifies the type and number of the interface you want to configure. as follows: switch(config)#interface g0 switch(config-if)# Configuring a Host Name To give the switch a host name or identify it.168. Enable the interface by issuing the no shutdown command. Please see page MARCO A. follow these steps: Step 1. The IOS command to enter interface configuration mode is interface interface-id. This publication is protected by copyright. This is a logical interface used for management. To enter interface mode. The following example shows the necessary command syntax for all three steps: Admin-Sw(config)#interface vlan1 Admin-Sw(config-if)#ip address 192. Assign the IP address and subnet masks.255.255. Step 2.[ 60 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The IOS command to enter global configuration mode is configure terminal. use the hostname privileged IOS command. Step 3. All rights reserved. as follows: switch(config)#hostname Admin-SW Admin-Sw(config)# Configuring the Switch IP Address and Default Gateway To assign an IP address on a Catalyst 2960 switch. . ZUNIGA C. you first need to be in global configuration mode.0. Enter the VLAN 1 interface.10 255.

168. From the Library of 311 for more details. Inc.1 Showing Switch Status To display the status of a switch. show startup-config displays the last saved configuration. This type of address is called a sticky address. use the ip default-gateway ip-address global configuration command. NOTE Some switches can be configured to dynamically learn MAC addresses associated with a port and automatically create a static entry for the learned MAC address in the MAC address table. MAC Address Configuration The mac-address-table static global configuration command associates a MAC address with a particular switched port interface. including any changes made in the session that have not yet been saved. show interfaces displays information on connections and ports that connect with other devices.0. . Managing MAC Addresses MAC address tables contain the following three types of addresses: n n Dynamic addresses are learned by the switch and then are dropped when they are not in use.[ 61 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty To configure the default gateway. Permanent and static addresses are assigned by an administrator. All rights reserved. show version displays information about the system hardware and software. Please see page MARCO A. The syntax for the mac-address-table command is as follows: mac-address-table static mac-address vlan vlan-id interface interface-id You verify the MAC address table settings using the show mac-address-table command. as follows: Switch(config)#ip default-gateway 192. This publication is protected by copyright. ZUNIGA C. © 2008 Cisco Systems. use one of the following commands: n n n n show running-configuration displays the currently active configuration in memory.

From the Library of 311 for more details. .[ 62 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Understanding Switch Security Securing a switch includes physical. ZUNIGA C. environmental. Set up and monitor syslog. All rights reserved. Disable unused ports. Physical and environmental security is outlined in Chapter 2. This publication is protected by copyright. Configure port security. Some basic security suggestions for network devices are as follows: n n n n n n n n Use complex passwords for all devices. Physically secure access to the switch. You can configure the following passwords using the CLI: n n n n Console: Password that accesses the console port Telnet: Password that accesses the virtual terminal ports on the switch Enable: Nonencrypted password that accesses privileged EXEC mode Secret: Encrypted password that accesses privileged EXEC mode © 2008 Cisco Systems. Use banners to warn against unauthorized access. Please see page MARCO A. and access security. Inc. Limit Telnet access using access lists. Use SSH instead of Telnet. You configure passwords to secure access to the switch. Configuring Password Security The CLI is used to configure password security.

From the Library of 311 for more details. . as follows: Cat2960(config)#service password-encryption Configuring Console Password To configure the console password. ZUNIGA C. enter the following: Cat2960(config)#line console 0 Cat2960(config-line)#login Cat2960(config-line)#password CCNA Configuring Telnet Password To configure the Telnet password. enter the following: Cat2960(config)#line vty 0 15 Cat2960(config-line)#login Cat2960(config-line)#password CCNA Configuring Enable and Secret Passwords To configure enable and secret passwords. Telnet. To encrypt them. use the service passwordencryption global command. Inc. and enable passwords are displayed unencrypted.[ 63 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty If the enable password and the enable secret password are both set on the switch. All rights reserved. the enable secret password will override the enable password. Please see page MARCO A. enter the following: Cat2960(config)#enable password Cisco Cat2960(config)#enable secret cisco © 2008 Cisco Systems. This publication is protected by copyright. The console.

The message of the day (MOTD) is displayed before the login banner. as follows: Cat2960#config t Enter configuration commands. In the previous command. The login banner is configured using the banner login global command. Please see page MARCO A. Step 2. Inc. It is displayed to anyone who connects to the Cisco IOS device through Telnet. Cat2960(config)#banner login # Enter TEXT message. # End with the character ‘#’. the # character is a delimiting character and can be any character. and all communication between the Cisco device and the host is sent in clear text.[ 64 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Login Banner and MOTD The login banner is displayed before the username and password login prompts on a Catalyst switch. # Cat2960(config)# <ENTER> End with the character ‘#’. Create a local username and password on the device. <ENTER> SSH Access Cisco recommends using SSH to encrypt communication between the Cisco device and the host. Use the banner motd # text # global configuration command to configure the MOTD. Telnet is unsecure. Use the following steps to configure SSH access: Step 1. console port. . Warning only authorized users many access this switch. Assign a domain name to the device. ZUNIGA C. one per line. Cat2960(config)#banner motd # Enter TEXT message. From the Library of 311 for more details. or auxiliary port. This publication is protected by copyright. Notice! Only Authorized Personnel Are Allowed to Access This Device End with CNTL/Z. All rights reserved. © 2008 Cisco Systems.

This is done through standard access lists. This publication is protected by copyright.cisco. Please see page MARCO A. To restrict access to vty lines.com switch(config)#crypto key generate rsa The name for the keys will be: switch. . CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Generate a security key. Configure vty ports to authenticate using SSH.[ 65 ] SECTION 6 Configuring a Cisco Switch Step 3. Recommended practice dictates restricting access to vty lines by IP address.. Standard access lists allow you to permit or deny traffic based on the source IP address. any IP address can connect to a vty line.[OK] switch(config)#ip ssh ver 2 switch(config)#line vty 0 15 switch(config-line)#login local switch(config-line)#transport input telnet ssh Securing vty Access By default. From the Library of 311 for more details. © 2008 Cisco Systems. ZUNIGA C. How many bits in the modulus [512]: % Generating 512 bit RSA keys ..com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Inc. Choosing a key modulus greater than 512 may take a few minutes. Step 4. Enable SSH. All rights reserved. Step 5. The following commands demonstrate how to configure SSH access: switch(config)#username eric password 0 ciscopress switch(config)#ip domain-name cisco. you would create a standard access list that permits each authorized IP address to connect to vty and apply the access list to the vty lines.

All rights reserved. The command syntax to apply an access list to an interface is as follows: access-class access-list-number {in | out} The following commands create access list number 10. Wildcards are used with access lists to specify a host.16. Wildcard Masks Wildcard masks define the subset of the 32 bits in the IP address that must be matched.0 0. In wildcard masks. From the Library of 311 for more details. network.10. ZUNIGA C.0. or part of a network.255 SwitchA(config)#line vty 0 15 SwitchA(config-if)#access-class 10 in This applies the access list to telnet ports © 2008 Cisco Systems. For example. .0.168.255.0/24: SwitchA(config)#access list 10 permit ip 192. the first two portions of the IP address must match 172. it will be denied.0 with a wildcard mask of 0.10. if a host is not specifically permitted. permitting Telnet access to the vty lines from IP network 192. when 0s are present.255.0. Mask bits with a binary value of 1 are wildcards.0. Please see page MARCO A.[ 66 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty At the end of each access list is an implicit deny any statement.168. the octet address must match. but the last two octets can be in the range of 1 to 255. Inc.16. Configuring and Applying vty Access Lists The command syntax to create a standard IP access list is as follows: access-list access-list-number {permit | deny} source-address [wildcard-mask] The access-list-number parameter is a number from 1 to 99 or 1300 to 1999. This publication is protected by copyright. So. if you have an IP address 172. Wildcard masks work exactly the opposite of subnet masks.

. From the Library of 311 for more details. switchport port-security maximum value: Configures the maximum number of MAC addresses allowed on the port. The shutdown keyword tells the switch to shut down all access to the port if a violation occurs. ZUNIGA C. Please see page MARCO A. This publication is protected by copyright. Inc. All rights reserved. switchport port-security violation {restrict | shutdown}: Configures the action to be taken when the maximum number of MAC addresses is reached and when MAC addresses not associated with the port try to access the port.[ 67 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Implementing and Verifying Port Security Port security limits the number of MAC address allowed per port and can also limit which MAC addresses are allowed. The following example demonstrates how to configure port security: Cat2960(config)#int f0/1 Cat2960(config-if)#switchport mode access Cat2960(config-if)#switchport port-security Cat2960(config-if)#switchport port-security max 1 Cat2960(config-if)#switchport port-security mac-address sticky Cat2960(config-if)#switchport port-sec violation restrict © 2008 Cisco Systems. The default value is 1. The restrict keyword tells the switch to restrict access to learned MAC addresses that are above the maximum defined addresses. Allowed MAC addresses can be manually configured or dynamically learned by the switch. The interface command to configure port security is as follows: switchport port-security [mac-address mac-address | mac-address sticky [mac-address] | maximum value | violation {restrict | shutdown} n n n n switchport port-security mac-address mac-address: Manually configures the port to use a specific MAC address. switchport port-security mac-address sticky: Configures the switch to dynamically learn the MAC address of the device attached to the port.

It is also expensive to make moves or changes in the network setup. © 2008 Cisco Systems. . and flexibility. VLANs Users of shared LANs are usually grouped based on where people are located rather than how they use the network (physical rather than logical). From the Library of 311 for more details. The use of VLANs also decreases the cost of arranging users. The use of VLANs improves performance. because no extra cabling is required.[ 68 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty To verify port security use the show port-security command. Please see page MARCO A. as follows: Cat2960#show port-security Secure Port MaxSecureAddr (Count) Fa0/1 1 CurrentAddr (Count) 0 SecurityViolation (Count) 0 : 0 Restrict Security Action ——————————————————————————————————————————————————————————————————————————Total Addresses in System (excluding one mac per port) Max Addresses limit in System (excluding one mac per port) : 8320 Securing Unused Ports To secure unused ports. All rights reserved. This publication is protected by copyright. either disable the port or place the port in an unused VLAN. The virtual LAN (VLAN) organizes physically separate users into the same broadcast domain. Virtual LANs solve these problems. Inc. ZUNIGA C. Shared LANs have little embedded security. security. A switch port is disabled by issuing the shutdown interface command. because all traffic can be seen by all end stations.

and so on. Only ports assigned to a specific VLAN share broadcasts. other VLANs do not see other VLANs’ broadcasts. engineering. everyone on the second floor. rather than everyone on the first floor. This publication is protected by copyright. For example. FIGURE 6-2 VLAN Design 3rd Floor 2nd Floor 1st Floor SALES HR ENG © 2008 Cisco Systems. ZUNIGA C. VLANs allow logically defined user groups rather than user groups defined by their physical locations. VLAN segmentation is not bound by the physical location of users. A VLAN can exist on one or several switches. From the Library of 311 for more details. .[ 69 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VLAN Characteristics VLANs are logical broadcast domains that can span multiple physical LAN segments. Inc. Please see page MARCO A. VLANs improve segmentation. VLANs are characterized as follows: n n n n n VLANs define broadcast domains that can span multiple LAN segments. and security. All rights reserved. flexibility. and finance. you can arrange user groups such as accounting. Figure 6-2 shows a typical VLAN design.

Inc. This publication is protected by copyright. The VMPS is a database that maps MAC addresses to VLANs. This method offers flexibility but increases switching overhead (computer processing requirements). VLAN membership can be either static or dynamic: n n Static assignment: The VLAN port is statically configured by an administrator. VLANs require a trunk or physical connection for each VLAN to span multiple switches. All rights reserved. Please see page MARCO A. Adding and Assigning VLANs The vlan vlan-id global command adds a VLAN to a Catalyst 2960 switch. VLANs can also be assigned based on MAC addresses.[ 70 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VLAN Operation Each VLAN on a switch behaves as if it were a separate physical bridge. and broadcasts) only to ports assigned to the same VLAN from which they originated. This drastically reduces network traffic. . The switch forwards packets (including unicasts. ZUNIGA C. as demonstrated here: Cat2960(config)#vlan 10 Cat2960(config-vlan)#name Admin Cat2960(config-vlan)#vlan 20 Cat2960(config-vlan)#name Sales © 2008 Cisco Systems. A port can belong to only one VLAN at a time. multicasts. VLAN Assignment A port can be assigned (configured) to a given VLAN. From the Library of 311 for more details. Each trunk can carry traffic for multiple VLANs. Dynamic assignment: The switch uses a VMPS (VLAN Membership Policy Server).

Benefits of microsegmentation are as follows: n n n Collision-free domains from one larger collision domain Efficient use of bandwidth by enabling full-duplex communication Low latency and high frame-forwarding rates at each interface port © 2008 Cisco Systems. Please see page MARCO A. This publication is protected by copyright. From the Library of 311 for more details. Microsegmentation is implemented by installing LAN switches. Microsegmentation reduces and can even eliminate collisions because each segment is its own collision domain. . the status. as demonstrated here: Cat2960(config)#int f0/1 Cat2960(config-if)#switchport access vlan 10 Cat2960(config-if)#int f0/2 Cat2960(config-if)#switchport access vlan 20 Verifying VLANs The commands to verify VLAN configurations are as follows: n n n show vlan id vlan#: Displays information about a specific VLAN show vlan brief: Displays one line for each VLAN that displays the VLAN name. Inc.[ 71 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The switchport access vlan vlan-id interface command assigns a port to a specific VLAN. Each network device gets the full bandwidth of the segment and does not have to share the segment with other devices. ZUNIGA C. and the switch ports assigned to that VLAN show vlan: Displays information on all configured VLANs Maximizing the Benefits of Switching Microsegmentation Microsegmentation is a network design (functionality) where each workstation or device on a network gets its own dedicated segment (collision domain) to the switch. All rights reserved.

Efficiency is rated at 100 percent in both directions. With full-duplex. bidirectional communication can occur at the same time. CSMA/CD is susceptible to collisions. The duplex setting must match on devices sharing a segment. Simplex runs in a single direction only. Can connect with both half. From the Library of 311 for more details. Please see page MARCO A. and Simplex Communication Half-Duplex Simplex Can send and receive data at the same time. Multipoint attachments. Half-duplex is also bidirectional communication. All rights reserved. Half-Duplex. but signals can flow in only one direction at a time. — Data is sent in one direction only and can never return to the source over the same link. Inc. Efficiency is typically rated at 50 to 60 percent. Point-to-point connection only.and full-duplex devices. Collision-free. Uses a dedicated switched port with separate circuits. This publication is protected by copyright. — Satellite TV downlink is an example. .[ 72 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Duplex Communication Duplexing is the mode of communication in which both ends can send and receive information. Configuring and Verifying Port Duplex The default port settings on a Catalyst 2960 switch are as follows: n n Duplex: auto Speed: auto © 2008 Cisco Systems. Not used very often in internetworking. and simplex communication. Both ends must be configured to run in full-duplex mode. half-duplex. — 100 percent efficiency in one direction. Table 6-1 provides a comparative summary of fullduplex. ZUNIGA C. TABLE 6-1 Full-Duplex Full-Duplex.

multiple copies of frames. BW 10000 Kbit. as follows: Cat2960#show interface f0/1 FastEthernet0/1 is up. address is 0019. ARP Timeout 04:00:00 Physical Redundancy in an Ethernet LAN A redundant topology has multiple connections to switches or other devices. use the show interface interface-id command.e81a.e81a. Figure 6-3 depicts a redundant topology. and MAC address table instability. line protocol is up Hardware is Fast Ethernet. Redundancy ensures that a single point of failure does not cause the entire switched network to fail. © 2008 Cisco Systems. including broadcast storms. use the following commands: Switch(config)#interface f0/1 Switch(config-if)#duplex {auto | full | half} Switch(config-if)#speed {10 | 100 | 1000 | auto} To view duplex and speed settings. loopback not set Keepalive set (10 sec) Auto-duplex. . All rights reserved.4801) MTU 1500 bytes. From the Library of 311 for more details. media type is 10/100BaseTX input flow-control is off.4801 (bia 0019. Please see page MARCO A. rxload 1/255 Encapsulation ARPA. txload 1/255. output flow-control is unsupported ARP type: ARPA. Inc. DLY 1000 usec. ZUNIGA C. Layer 2 redundancy. can cause problems in a network. Auto-speed.[ 73 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty To change the default settings. This publication is protected by copyright. however. reliability 255/255.

STP operation is transparent to end stations. remember the following: n n n n Switches operate at Layer 2 of the OSI model. Problems generally are seen at Layer 1 and Layer 2. From the Library of 311 for more details. Layer 3 issues could be regarding IP connectivity to the switch for management purposes. STP is a Layer 2 protocol that prevents looping traffic in a redundant switched network by blocking traffic on the redundant links. Switches provide an interface to the physical media. All rights reserved. Please see page MARCO A. . © 2008 Cisco Systems. This publication is protected by copyright. ZUNIGA C. If the main link goes down. STP activates the standby path.[ 74 ] SECTION 6 Configuring a Cisco Switch FIGURE 6-3 Redundant Topology Server/Host X Router Y CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Segment 1 Segment 2 Spanning Tree Protocol The solution to problems caused in a redundant switched network is the Spanning Tree Protocol (STP). Troubleshooting Switch Issues When troubleshooting switch issues. Inc.

line protocol is up (connected) Hardware is Gigabit Ethernet Port. reliability 255/255.5040) MTU 1500 bytes. 0 no buffer Received 20320 broadcasts (12683 multicast) 0 runts. 0 late collision. as follows: SwitchA#show interface g0/1 GigabitEthernet0/1 is up.65ac. rxload 1/255 <Text-Ommited> 5 minute output rate 10000 bits/sec. DLY 10 usec. 0 frame. This publication is protected by copyright. Please see page MARCO A. 15 interface resets 0 babbles.[ 75 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Identifying and Resolving Media Issues Common switch Layer 1 issues include the following: n n n Bad wires or damaged wires. New equipment is installed. Bad wiring and EMI commonly show up as excessive collisions and noise. Inc. 0 giants. .65ac. BW 1000000 Kbit. 0 overrun. 0 underruns 8 output errors. 0 throttles 3 input errors. ZUNIGA C. 3 CRC. 0 deferred 0 lost carrier. 363178961 bytes. 1874 collisions. 880704302 bytes. 0 output buffers swapped out © 2008 Cisco Systems.5040 (bia 000d. 7 packets/sec 1476671 packets input. 0 ignored 0 input packets with dribble condition detected 1680749 packets output. EMI is introduced. txload 1/255. All rights reserved. 0 no carrier 0 output buffer failures. This is displayed by excessive collisions and runts when issuing the show interface command. From the Library of 311 for more details. address is 000d.

Please see page MARCO A. Duplex Issues The following items can create duplex issues: n n One end set to full-duplex and the other set to half-duplex results in a duplex mismatch. a user might say that she cannot access the network. . n One end set to half-duplex and auto-negotiation on the other: n n Auto-negotiation will fail. One end set to full-duplex and auto-negotiation on the other: n n Auto-negotiation will fail. Both ends set to half-duplex causes no mismatch. Media issues should be isolated and resolved as indicated in the previous topic. and the end reverts to half-duplex. This publication is protected by copyright.[ 76 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Identifying and Resolving Access Port Issues Common port access issues are as follows: n n n Media-related issues Duplex mismatch Speed mismatch Media-Related Issues Media-related issues might be reported as an access issue. Results in a duplex mismatch. and the end reverts to half-duplex. ZUNIGA C. for example. All rights reserved. From the Library of 311 for more details. © 2008 Cisco Systems. Inc.

[ 77 ] SECTION 6 Configuring a Cisco Switch CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Speed Issues n n One end set to one speed and the other set to another results in a mismatch. From the Library of 311 for more details. All rights reserved. This publication is protected by copyright. Please see page MARCO A. . Results in a mismatch. ZUNIGA C. One end set to a higher speed and auto-negotiation on the other: n n Auto-negotiation will fail. and the end will revert to a lower speed. Inc. © 2008 Cisco Systems.

11a/b/g.[ 78 ] SECTION 7 Extending the LAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 7 Extending the LAN Exploring Wireless Networking In recent years. use unlicensed radio frequencies. The AP is like a hub or switch on a wired LAN and is the connectivity point for all wireless devices to access the network. such as 802. business’s need for network mobility has made wireless LANs (WLANs) common in today’s networks. . Inc. From the Library of 311 for more details. Difference Between WLANs and LANs The following are some of the differences between WLANs and LANs: n n n WLANs use radio waves as the physical layer. This publication is protected by copyright. WLANs use carrier sense multiple access collision avoidance (CSMA/CA) instead of CSMA/CD for media access. Unlike wired LANs. As such. wireless devices transmit and receive data using radio frequencies (RF) or infrared signals. The IEEE standards on WLANs. © 2008 Cisco Systems. WLANs operate in half-duplex. ZUNIGA C. higher-layer protocols such as IP and IPsec can function on WLANs. WLANs are based on IEEE standards that define physical and data-link specifications. All rights reserved. an RF license is not needed to implement WLANs. Please see page MARCO A. These frequencies or signals are sent through an access point (AP). Because the standards define Layer 1 and Layer 2 specifications.

[ 79 ] SECTION 7 Extending the LAN n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty WLANs use a different frame type than Ethernet.725 to 5. WLAN devices have no physical network connection. creating radio waves. All rights reserved.400 to 2.825 GHz © 2008 Cisco Systems. Radio waves have problems that are not found on wires. Inc.4 GHz 5 GHz 902 to 928 MHz 2. Please see page MARCO A. and noise Privacy issues n n n An access point is a shared device similar to an Ethernet hub for shared bandwidth. From the Library of 311 for more details.483 GHz 5. . resulting in the following: n n n Reflection: Occurs when RF waves bounce off objects like metal or glass Scattering: Occurs when RF waves strike uneven surfaces Absorption: Occurs when RF waves are absorbed by objects such as water As shown in Table 7-1. They are often mobile and battery powered. interference. several unlicensed bands are used by the ITU-R local FCC Wireless.350 GHz. 5. Higher frequencies allow higher data rates but also have a shorter distance. Radio Frequency Transmission Radio frequencies are radiated into the air through an antenna.150 to 5. ZUNIGA C. such as n n Connectivity issues such as coverage problems. WLANs must adhere to each country’s RF standards. Outside objects can affect radio waves. TABLE 7-1 Band ITU-R Local FCC Wireless Bands Range 900 MHz 2. This publication is protected by copyright.

11 Standards 802.5 3 DSSS-OFDM 1. of Channels Transmission Data Rates (Mbps) 802. . DSSS 1. 12. ZUNIGA C.4 3 IR. 5. This publication is protected by copyright. Inc. All rights reserved. and the total summation of transmitter.11 802. TABLE 7-2 Ratified Frequency Band (GHz) No. 18.11g 1997 2. 2 1999 2. 36.11a 802. 2. and antenna. 54 © 2008 Cisco Systems. EIRP is calculated using the following formula: EIRP = Transmitter power + Antenna gain – Cable loss 802. 2. 9. local country code regulations still exist inside the frequencies to limit characteristics such as transmission power. 24.11 Standards Table 7-2 shows the different 802. 18.5. 54 2003 2. 36. 12. 48. cable.11 standards. FHSS. 24.5.11b 802. 5. 11 and 6. 11 1999 5 Up to 23 OFDM 6.[ 80 ] SECTION 7 Extending the LAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Although these three frequencies do not require licenses.4 3 DSSS 1. 48. Please see page MARCO A. From the Library of 311 for more details. Effective Isotropic Radiated Power (EIRP) is the final unit of measurement monitored by local regulatory agencies. antenna gain. 9.

5. 9. 48. and 11.5-. It uses DSSS to provide 1-. 36.11a uses Orthogonal Frequency-Division Multiplexing (OFDM). hackers try to exploit weak security keys and passwords to gain access to the network. When an access point is identified. and 11-Mbps speeds for backward compatibility to 802. and 11. but only 3 channels have nonoverlapping frequencies: 1. looking for wireless access points to exploit. 802. © 2008 Cisco Systems.5. Inc.11a provides from 12 to 23 nonoverlapping channels. hackers are finding it easier to compromise WLANs. . WLAN Security With the increase of low-cost APs. Rogue APs are also unauthorized APs installed on the network by employees. Hackers: Most hackers start by war driving. 802.11b uses Direct Sequence Spread Spectrum (DSSS).11b. 18.[ 81 ] SECTION 7 Extending the LAN These standards are described as follows: n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 802. 24.11g uses three nonoverlapping channels: 1. It has eight data rates: 6. Please see page MARCO A. It uses OFDM to provide the following rates: 6. This publication is protected by copyright. ZUNIGA C. 12. 18. It has four data rates: 1. 2-. 9.11b provides up to 14 channels. and 54 Mbps. From the Library of 311 for more details. and 11 Mbps. 12. 36. 24. 802. All rights reserved. 6. 2. 6. 5. WLAN Security Threats WLANs security threats include the following: n n n War driving: A term used to describe when someone is driving around with a laptop and wireless card/antenna. 802. and 54 Mbps. 48. Rogue APs: Access points installed on a WLAN that can be used to interfere with day-to-day network operation.

Use intrusion detection/prevention systems to monitor. stronger encryption. © 2008 Cisco Systems. include the following: n n n n Wired Equivalent Privacy (WEP): Uses basic encryption. This publication is protected by copyright.11i): Uses Advanced Encryption Standard (AES) for strong encryption. Uses Temporal Key Integrity Protocol (TKIP) for encryption. The client scans all changes and sends out probe requests. From the Library of 311 for more details. dynamic keys. and prevent WLAN attacks. listed from weakest to strongest. APs send out beacons announcing the service set identifier (SSID) and data rates. and 802.[ 82 ] SECTION 7 Extending the LAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Mitigating Security Threats Three steps a network administrator can take to mitigate security threats are as follows: n n n Use authentication to ensure that only authorized clients access the WLAN.1x EAP: Uses dynamic keys. 802. Inc. weak authentication. Encrypt wireless data. ZUNIGA C. All rights reserved. Please see page MARCO A. 802.1x authentication. . Wireless Client Association Wireless clients associate with APs as follows: 1.1x user authentication. and dynamic keys. and static keys and is not scalable. Wireless security methods. 2. and user authentication. Wi-Fi Protected Access (WPA): Created by the Wi-Fi Alliance as a standard. WPA2 (802. identify. Evolution of Wireless LAN Security Wireless security methods have evolved over time to increase security.

802. © 2008 Cisco Systems. which contains the client’s identity. The client becomes active on the medium and associates to the access point. It forces the port into an unauthorized state. ZUNIGA C. 2. FIGURE 7-1 802. From the Library of 311 for more details. so only 802. The AP accepts the association.1x works on a WLAN. is forwarded to the authentication server. Authentication and other security information is sent to the AP. The client’s EAP-Response packet. The client associates to the AP with the strongest signal. 4. .1x on a WLAN Figure 7-1 shows how 802. Please see page MARCO A.[ 83 ] SECTION 7 Extending the LAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 3. The AP sends a probe response. Request Identity Identity Identity 1. All rights reserved. and the client listens for the response from the APs. This publication is protected by copyright. Inc.1x traffic is forwarded. The access point detects the client asso- ciation and enables the client’s port. The access point replies with an EAP-Request Identity message to the client to obtain the client’s identity. 5.1x Client (Supplicant) AP (Authenticator) Authentication Server Start AP blocks all requests until authentication completes.

The authentication server authenticates the client and sends an ACCEPT or REJECT packet from the authentication server to the access point. Inc. From the Library of 311 for more details. Upon receiving the ACCEPT packet. the access point transitions the client’s port to an authorized state and traffic is forwarded. . with all APs configured with a common SSID to allow roaming. 4. Extended Service Set (ESS): More than one access point exists.11 supports the following two topologies: n n Ad hoc mode: Wireless clients connect directly to each other without an access point.1x/EAP for authentication Personal: Products tested to be interoperable in the PSK-only authentication mode Implementing a WLAN 802. ZUNIGA C. WPA and WPA2 Modes WPA and WPA2 support these two modes: n n Enterprise: Products that are interoperable with both Pre-Shared Key (PSK) and IEEE 802.[ 84 ] SECTION 7 Extending the LAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 3. Please see page MARCO A. The following two modes of infrastructure mode exist: n n Basic Service Set (BSS): Wireless clients connect to each other and the wireless network through one access point. All rights reserved. © 2008 Cisco Systems. This publication is protected by copyright. Infrastructure mode: Wireless clients connect through an access point.

[ 85 ] SECTION 7 Extending the LAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty WLAN Service Area and Data Rates As shown in Figure 7-2. Rate shifting occurs on a transmission-by-transmission basis. Clients will always try to communicate with the highest possible data rate. the lower the data rate.11b. The closer a client is to an AP. the higher the data rate. Figure 7-3 shows the data rates for 802. Please see page MARCO A. Inc. In other words. . ZUNIGA C. All rights reserved. FIGURE 7-2 Basic Service Area Service Area Channel 6 WLAN clients can shift data rates while moving. This publication is protected by copyright. the basic service area is the access point’s RF coverage area. the farther the client is from the AP. © 2008 Cisco Systems. it is the area that is covered by the access point. From the Library of 311 for more details.

11a) RF channel SSID Authentication method Encryption method Optional power adjustment © 2008 Cisco Systems. .[ 86 ] SECTION 7 Extending the LAN FIGURE 7-3 802. From the Library of 311 for more details.11g. APs should be configured with the following parameters: n n n n n n n IP address.11a/b/g. 802. 802. All rights reserved. and default gateway Wireless protocol (802. Please see page MARCO A. subnet mask. Inc. ZUNIGA C.11b Data Rates 1 Mbps DSSS CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 2 Mbps DSSS 5.5 Mbps DSSS 11 Mbps DSSS Access Point Configuration APs can be configured through a command-line interface or a browser GUI. This publication is protected by copyright.

Please see page MARCO A. Wireless Troubleshooting Most wireless problems are due to incorrect configuration. Verify wireless operation. From the Library of 311 for more details. Step 4. Verify that users have the correct passwords and encryption type. Configure security on the AP and client. The antenna is in the optimal position. Step 5. All rights reserved. This publication is protected by copyright. Install and configure a wireless client with no security. Step 2. Steps to troubleshoot configurations are as follows: n n Verify channel configuration. Step 7.[ 87 ] SECTION 7 Extending the LAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Steps to Implement a Wireless Network Seven basic steps are required to implement a wireless network: Step 1. Inc. Configure the AP with no security. Step 6. ZUNIGA C. . Verify wireless connectivity. Other common wireless problems are due to RF installation. You should verify the following: n n n n The radio is enabled on both the AP and the clients. Install the AP. Verify wired operation. including DHCP and Internet access. The external antenna is connected. Check for interference from outside objects such as metal or water. © 2008 Cisco Systems. Step 3.

ZUNIGA C.[ 88 ] SECTION 8 Exploring the Functions of Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Part III: Connecting LANs Section 8 Exploring the Functions of Routing Router Overview Routing is the act of finding a path to a destination and moving data across this path from source to destination. The routing process uses network routing tables. Please see page MARCO A. This publication is protected by copyright. Inc. Packet forwarding: After the path is determined. All rights reserved. Routers do this by using a routing protocol to communicate the network information from the router’s own routing table with neighboring router’s. and algorithms to determine the most efficient path for forwarding the IP packet. . Router Function Routers have the following two key functions: n Path determination: Routing tables and network addresses transmit packets through the network. The process of routing includes determining the optimum path through the network. a router forwards the packets through its network interface toward the destination. protocols. n © 2008 Cisco Systems. From the Library of 311 for more details.

17. All rights reserved.1.17.0 172.3.2. ZUNIGA C.120.120.1.3.0. for hosts in network 10. From the Library of 311 for more details. This publication is protected by copyright.0 Connected RIP EIGRP Routed Protocol: IP Routing Protocol: RIP.0 172.2. a router needs the following key information: n n n n n Destination address: The destination (typically an IP address) of the information being sent Sources of information: Where the information came from (typically an IP address) Possible routes: The likely routes to get from source to destination Best route: The best path to the intended destination Status of routes: The known paths to destination FIGURE 8-1 Routing Tables 10.0 S0 S1 Exit Interface E0 S0 S1 172.0 172. EIGRP © 2008 Cisco Systems. Please see page MARCO A.[ 89 ] SECTION 8 Exploring the Functions of Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Key Information a Router Needs In Figure 8-1.0 E0 S0 Network Protocol Destination Network 10. . Inc.16.0 to communicate with hosts in network 172.16.120.2.2.16.

Routing Information Protocol (RIP). A router can use the following types of entries in the routing table to select the best path: n n n Static routes: Manually entered routes in the routing table Dynamic routes: Routes dynamically learned from a routing protocol Default routes: A static or dynamic route that tells the router where to route packets not explicitly in the router’s routing table © 2008 Cisco Systems. ZUNIGA C. Defines the address format and use of fields within the packet. n Routing protocols determine how routed protocols are used by: n n Providing mechanisms for sharing routing information. Internetwork Packet Exchange (IPX).[ 90 ] SECTION 8 Exploring the Functions of Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Routing Versus Routed Network layer protocols are either routed protocols or routing protocols. AppleTalk. and others. Path Determination Routing tables and network addresses transmit packets through the network. The process of routing includes determining the optimum path through the network and then moving the packets along the path. Please see page MARCO A. Inc. Allowing routers to update each other about network changes. and Border Gateway Protocol (BGP) are examples of routing protocols. From the Library of 311 for more details. These are defined as follows: n A routed protocol: n n Is any network layer protocol that provides enough information within its address to allow the packet to direct user traffic. All rights reserved. This publication is protected by copyright. Routed protocols include IP. Open Shortest Path First (OSPF). Enhanced IGRP (EIGRP). .

Delay: The time required to move the packet from the current router to the destination. congestion. This publication is protected by copyright.[ 91 ] SECTION 8 Exploring the Functions of Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Routing Table A router is constantly learning about routes in the network and storing this information in its routing table. ZUNIGA C. expense. Destination/next-hop tells the router whether the destination is directly connected or is available through an adjacent router. Load: The amount of activity on the network. This depends on the bandwidth of intermediate links. Inc. All rights reserved. and other metrics assigned by the administrator. Cost: An arbitrary value based on bandwidth. From the Library of 311 for more details. port delays at each router. and distance. The router learns about routes in one of three ways: n n n Directly connected networks Statically (routing information entered by the network administrator) Dynamically (a routing process running in the network) Information stored in a routing table includes destination/next-hop and routing metrics. . The router uses its table to make forwarding decisions. © 2008 Cisco Systems. Hop count: The number of routers the packet must travel through before reaching the destination. Some common metrics are as follows: n n n n n n Bandwidth: The link’s data capacity. Please see page MARCO A. Routing metrics are measures of path desirability. Reliability: The error rate of each network link. Different protocols use different metrics. Dynamic Routing Protocols Routing protocols use their own rules and metrics to build and update routing tables automatically.

RIP is an example of a distance vector routing protocol. Each router increments the metrics as they are passed on (incrementing hop count. the routing information is distance vector metrics (such as the number of hops). This method of updating is called “routing by rumor. B C Distance—How Far? Vector—In Which Direction? D FIGURE 8-2 Distance Vector Routing Protocols A D C Routing Table B A Routing Table Routing Table Routing Table n Link-state routing: The link-state–based routing algorithm (also known as shortest path first [SPF]) maintains a database of topology information. Please see page MARCO A. . for example). but the routers do not know the exact topology of an internetwork. Router B shares information with Routers A and C. Distance accumulation keeps track of the routing distance between any two points in the network. ZUNIGA C. In this case. All rights reserved.” Each router receives updates from its direct neighbor. Router C shares routing information with Routers B and D.[ 92 ] SECTION 8 Exploring the Functions of Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Routing Methods Routing protocols are designed around one of the following routing methods: n Distance vector routing: Routers using distance vector–based routing share routing table information with each other. Unlike the distance vector algorithm. In Figure 8-2. From the Library of 311 for more details. This publication is protected by copyright. link-state routing maintains full knowledge © 2008 Cisco Systems. Inc.

Link-state routing converges fast and is robust against routing loops. . Link-state updates are sent less often than distance vector updates. FIGURE 8-3 Link-State Routing Protocols C D Link-State Packets Topological Database SPF Algorithm Routing Table B A Shortest Path First Tree OSPF and Intermediate System–to–Intermediate System (IS-IS) are examples of link-state routing protocols. Link-state supports classless addressing and summarization.[ 93 ] SECTION 8 Exploring the Functions of Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty of distant routers and how they interconnect. All rights reserved. Distance vector sends complete routing tables. Link-state routing provides better scaling than distance vector routing for the following reasons: n n n n n Link-state sends only topology changes. Network information is shared in the form of link-state advertisements (LSA). which limits the scope of route changes. From the Library of 311 for more details. Link-state uses a two-state hierarchy (areas and autonomous systems). but it requires a great deal of memory and strict network designs. See Figure 8-3. Inc. Please see page MARCO A. ZUNIGA C. © 2008 Cisco Systems. This publication is protected by copyright.

From the Library of 311 for more details. Cisco Enhanced IGRP (EIGRP) is an example of a balanced hybrid protocol. Inc. Table 8-1 shows the values for the first seven places. Balanced hybrid routing provides faster convergence while limiting the use of resources such as bandwidth.[ 94 ] SECTION 8 Exploring the Functions of Routing n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Advanced distance vector: Combines aspects of both distance vector and link-state protocols. As with base 10. ZUNIGA C. This type of system is called binary or base 2. Please see page MARCO A. Table 8-1 Binary 2 0. All rights reserved. and then it rolls over to the next column. . This publication is protected by copyright. it updates only when there is a topology change. When counting. Then you move to the “tens” column. and processor overhead. but it uses the same logic as the base 10 system we use every day. 21. memory. For example. This numbering system might seem awkward at first glance. you start in the “ones” column and count until you reach the highest unit. 101. 102. 22. Understanding Binary Basics Computers use a numbering system based on only 1s and 0s. This continues with successive powers (1. 103). which is a power of the base. The binary system’s columns or placeholders are 20. but unlike distance vector routing protocols. base 10 has ten numbers (0 through 9). 1 27 128 0 26 64 0 25 32 1 24 16 0 23 8 1 22 4 1 21 2 1 20 1 1 Base 2 Numbering System Number of Symbols Symbols Base Exponent Place Value Example: Convert 47 to Binary © 2008 Cisco Systems. binary counting starts with the “ones” column until all the numbers are exhausted. 23. Balanced hybrid routing uses distance vectors with more accurate metrics. and so on.

From the Library of 311 for more details.16. 2. In the preceding example.253 172. Adding those values yields 47.0. Figure 8-4 shows a flat network with all hosts in the same broadcast domain. To convert from binary to decimal.) Repeat the process until the value of the subtraction equals 0. and 32 all contain 1s. Inc. the use of bandwidth becomes very inefficient (all systems on the network receive all the broadcasts on the network). This publication is protected by copyright.0. To convert between decimal and binary. Constructing a Network Addressing Scheme Without subnets.0. 64 cannot be used. The next value (16) is too large.16. . simply add up the “place values” of the digits that are 1s. These flat topologies result in short routing tables. the placeholders for 1.16. All rights reserved.[ 95 ] SECTION 8 Exploring the Functions of Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Binary numbers are used extensively in networking. it is best to build a simple table like the one just shown. because it is greater than 47.255. A 1 is then placed in the 8 column. 4. They are the basis of IP addressing.1 172. so a 0 is placed in that column.0. an organization operates as a single network.2 172.16. FIGURE 8-4 Flat Network Address Scheme 172. Please see page MARCO A. 8. ZUNIGA C. a 1 is placed in the column representing 32. and the subtraction is performed again (15 – 8 = 7.255. but as the network grows.254 172.3 172. Put a 1 in the highest place value.16.) Now subtract the place value from the decimal number (47 – 32 = 15). again build a table.) To convert from decimal to binary.0 © 2008 Cisco Systems. (101111 in binary is 47 in decimal. (In this example.16.

[ 96 ]

SECTION 8 Exploring the Functions of Routing

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Network addressing can be made more efficient by breaking the addresses into smaller segments, or subnets. Subnetting provides additional structure to an addressing scheme without altering the addresses. In Figure 8-5, the network address 172.16.0.0 is subdivided into four subnets: 172.16.1.0, 172.16.2.0, 172.16.3.0, and 172.16.4.0. If traffic were evenly distributed to each end station, the use of subnetting would reduce the overall traffic seen by each end station by 75 percent.
FIGURE 8-5
Subnetted Address Scheme

172.16.3.0

172.16.4.0

172.16.1.0

172.16.2.0

Subnet Mask
As shown in Figure 8-6, a subnet mask is a 32-bit value written as four octets. In the subnet mask, each bit is used to

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 97 ]

SECTION 8 Exploring the Functions of Routing

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

determine how the corresponding bit in the IP address should be interpreted (network, subnet, or host). The subnet mask bits are coded as follows:
n n n

Binary 1 for the network bits Binary 1 for the subnet bits Binary 0 for the host bits
Network Host

FIGURE 8-6
IP Address and Subnet Mask
IP Address 172

16

0

0

Network Default Subnet Mask

Host

255 11111111

255 11111111

0 00000000

0 00000000

Also Written as "/16" Where 16 Represents the Number of 1s in the Mask.

Network 8-bit Subnet Mask

Subnet

Host

255

255

255

0

Also Written as "/24" Where 24 Represents the Number of 1s in the Mask.

Although dotted-decimal is most common, the subnet can be represented in several ways:
n n n

Dotted-decimal: 172.16.0.0 255.255.0.0 Bit count: 172.16.0.0/16 Hexadecimal: 172.16.0.0 0xFFFF0000
© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 98 ]

SECTION 8 Exploring the Functions of Routing

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

The ip netmask-format command can specify the display format of network masks for the router. Dotted-decimal is the default.

Default Subnet Masks
Each address class has a default subnet mask. The default subnet masks only the network portion of the address, the effect of which is no subnetting. With each bit of subnetting beyond the default, you can create 2n–2 subnets. Figure 8-7 and Table 8-2 show the effect of increasing the number of subnet bits.
FIGURE 8-7
Default Subnet Masks
Bits: Class A: 1 0NNNNNNN Range (1-126) 1 8 9 10NNNNNN Range (128-191) 1 8 9 110NNNNN Class C: Bits: Class D: Range (192-223) 1 8 9 1110MMMM Range (224-239) Multicast Group 16 17 Multicast Group 24 25 Multicast Group 32 Network Network 8 9 Host 16 17 Host 24 25 Host 32

Bits: Class B: Bits:

16 17 Host

24 25 Host

32

16 17 Network

24 25 Host

32

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 99 ]

SECTION 8 Exploring the Functions of Routing
Table 8-2
Address

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Subnetting
Subnet Address Number of Subnets Comments

10.5.22.5/8

255.0.0.0

0

This is the default Class A subnet address. The mask includes only the network portion of the address and provides no additional subnets. This Class A subnet address has 16 bits of subnetting, but only the bits in the second octet (those beyond the default) contribute to the subnetting. In this case, 16 bits are used for subnetting, but because the default for a Class B address is 16 bits, no additional subnets are created. This case has a total of 26 bits of subnetting, but the Class B address can use only 10 of them to create subnets. The result creates 1024 subnets.

10.5.22.5/16

255.255.0.0

254

155.13.22.11/16

255.255.0.0

0

155.13.10.11/26

255.255.255.192

1022

How Routers Use Subnet Masks
To determine the subnet of the address, a router performs a logical AND operation with the IP address and subnet mask. Recall that the host portion of the subnet mask is all 0s. The result of this operation is that the host portion of the address is removed, and the router bases its decision only on the network portion of the address. In Figure 8-8, the host bits are removed, and the network portion of the address is revealed. In this case, a 10-bit subnet address is used, and the network (subnet) number 172.16.2.128 is extracted.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 100 ]

SECTION 8 Exploring the Functions of Routing
FIGURE 8-8
Identifying Network Portion of Address
172.16.2.160 255.255.255.192 10101100 11111111 Network Subnet

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Host

00010000 11111111

00000010 11111111

10100000 11000000

10101100

00010000

00000010 128 192 224 240 248 252 254 255

10000000 128 192 224 240 248 252 254 255 128

Network Number

172

16

2

Broadcast Addresses
Broadcast messages are sent to every host on the network. Two kinds of broadcasts exist:
n n

Directed broadcasts can broadcast to all hosts within a subnet and to all subnets within a network. (170.34.2.255 sends a broadcast to all hosts in the 170.34.2.0 subnet.) Flooded broadcasts (255.255.255.255) are local broadcasts within a subnet.

Identifying Subnet Addresses
Given an IP address and subnet mask, you can identify the subnet address, broadcast address, first usable address, and last usable address using the following method, which is displayed in Figure 8-9:
Step 1. Step 2.

Write the 32-bit address, and write the subnet mask below that. Draw a vertical line just after the last 1 bit in the subnet mask.
© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 101 ]

SECTION 1 Introduction
Step 3. Step 4. Step 5. Step 6. FIGURE 8-9
Identifying Subnet Addresses
174.24.4.176 255.255.255.192 174.24.4.128 174.24.4.191 174.24.4.129 174.24.4.190 174 24 4 176

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Copy the portion of the IP address to the left of the line. Place all 0s for the remaining free spaces to the right. This is the subnet number. Copy the portion of the IP address to the left of the line. Place all 1s for the remaining free spaces to the right. This is the broadcast address. Copy the portion of the IP address to the left of the line. Place all 0s in the remaining free spaces until you reach the last free space. Place a 1 in that free space. This is your first usable address. Copy the portion of the IP address to the left of the line. Place all 1s in the remaining free spaces until you reach the last free space. Place a 0 in that free space. This is your last usable address.

10101110 11111111 10101110 10101110 10101110 10101110

00011000 11111111 00011000 00011000 00011000 00011000

00000100 11111111 00000100 00000100 00000100 00000100

10110000 11000000 10000000 10111111 10000001 10111110

Host Mask Subnet Broadcast First Last

How to Implement Subnet Planning
Subnetting decisions should always be based on growth estimates rather than current needs. To plan a subnet, follow these steps:
Step 1.

Determine the number of subnets and hosts per subnet required.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 102 ]

SECTION 1 Introduction
Step 2.

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

The address class you are assigned, and the number of subnets required, determine the number of subnetting bits used. For example, with a Class C address and a need for 20 subnets, you have a 29-bit mask (255.255.255.248). This allows the Class C default 24-bit mask and 5 bits required for 20 subnets. (The formula 2n–2 yields only 14 subnets for 4 bits, so 5 bits must be used.) The remaining bits in the last octet are used for the host field. In this case, each subnet has 23–2, or 6, hosts. The final host addresses are a combination of the network/subnet plus each host value. In Figure 8-10, the hosts on the 192.168.5.32 subnet would be addressed as 192.168.5.33, 192.168.5.34, 192.168.5.35, and so forth.
20 Subnets 5 Hosts per Subnet Class C Address: 192.168.5.0

Step 3. Step 4.

FIGURE 8-10
Subnetting a Network

192.168.5.16 Other Subnets

192.168.5.32

192.168.5.48

Configuring Static Routes
To configure a static route on a Cisco router, enter the following global command:
ip route destination-network [mask] {next-hop-address | outbound- interface} [distance] [permanent]

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 103 ]

SECTION 1 Introduction Here’s an example:

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

RouterB(config)#ip route 172.17.0.0 255.255.0.0 172.16.0.1

This example instructs the router to route to 172.16.0.1 any packets that have a destination of 172.17.0.0 to 172.17.255.255. The distance parameter defines the administrative distance or the route. The value for distance is a number from 1 to 254 (1 is the default if not defined) that rates the distance in hops of the destination. For example, a distance of 1 means that the destination is one hop away. If a router has two routes to the same destination, the route with the lowest distance is used. The permanent statement specifies that the route will not be removed even if the router interface shuts down.

Default Route
A default route is a special type of route with an all-0s network and network mask. The default route directs any packets for which a next hop is not specifically listed in the routing table. By default, if a router receives a packet to a destination network that is not in its routing table, it drops the packet. When a default route is specified, the router does not drop the packet. Instead, it forwards the packet to the IP address specified in the default route. To configure a static default route on a Cisco router, enter the following global configuration command:
ip route 0.0.0.0 0.0.0.0 [ip-address-of-the-next-hop-router | outbound-interface]

For example, the following command configures the router to route all packets with destinations not in its routing table to IP 172.16.0.2:
RouterB(config)#ip route 0.0.0.0 0.0.0.0 172.16.0.2

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 104 ]

SECTION 1 Introduction

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Verifying Routing
The show ip route command, as follows, verifies routing tables:
RouterA#show ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is 10.1.10.1 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks D D C S D D D D D D C D S* 10.1.10.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0 10.1.20.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0 10.1.10.0/24 is directly connected, FastEthernet0/0 10.0.0.0/8 [1/0] via 10.1.10.0 10.1.60.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0 10.1.50.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0 10.1.40.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0 10.1.100.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0 10.1.254.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0 192.168.0.0/24 [90/2172416] via 192.168.1.2, 1w6d, Serial0/0/0 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks 192.168.1.0/30 is directly connected, Serial0/0/0 192.168.1.0/24 is a summary, 1w6d, Null0 0.0.0.0/0 [1/0] via 10.1.10.1

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 105 ]

SECTION 9 Configuring a Cisco Router

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Section 9 Configuring a Cisco Router
Starting a Router
When a router is booted up, it goes through the following sequence (see Figure 9-1):
1. The router checks its hardware with a power-on self test (POST). 2. The router loads a bootstrap code. 3. The Cisco IOS Software is located and loaded using the information in the bootstrap code. 4. The configuration is located and loaded.

After this sequence completes, the router is ready for normal operation. When the router is started for the first time, it does not have an initial configuration. The IOS will execute a questionderived initial configuration routine called setup mode. You can enter setup mode at any time by entering the setup privileged EXEC command. Setup mode configures the following:
n n n n

Initial global parameters, such as host name, enable secret password, and Telnet passwords Initial protocols Interfaces AutoSecure

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

This publication is protected by copyright. From the Library of 311 for more details. ZUNIGA C. . All rights reserved.[ 106 ] SECTION 9 Configuring a Cisco Router FIGURE 9-1 Router Boot Flow Chart START Boot Field=1 0x1 YES NO Router Boot Flowchart CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Check Start-up Config Boot System YES Commands Do What They Say Run POST NO Load Bootstrap YES Boot Field=0 0x0 YES Run ROM Monitor Config Reg Bit 13=1 Success ? NO NO Use IOS in ROM NO 5 Failures Valid YES IOS in Flash ? Use IOS from Flash Attempt to Get IOS from Network NO (RXBoot mode) x YES YES Use File from Network Load IOS Config Reg Bit 6=1 ? NO Valid Config ? NO YES Normal NO Up Start Complete YES Setup Dialog © 2008 Cisco Systems. Please see page MARCO A. Inc.

and exit to EXEC mode. ROM: Read-only memory contains startup microcode. Router Components The major router components are as follows: n n n n n n RAM: Random-access memory contains key software (IOS). you can enter No to discontinue the setup. [1]: Go back to the beginning of setup without saving the created configuration. From the Library of 311 for more details. Logging In to the Router Cisco IOS Software provides a command interpreter called the EXEC. Pressing Enter accepts the defaults. save it to NVRAM. The EXEC interprets the commands that are entered and carries out the corresponding operations. This publication is protected by copyright. NVRAM: Nonvolatile RAM stores the configuration.[ 107 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty When the setup mode configuration process is completed. Default answers appear in square brackets ([]). At the first setup prompt. Please see page MARCO A. ZUNIGA C. Flash memory: Flash contains the Cisco IOS Software image. [2]: Accept the created configuration. Inc. the setup command gives you the following options: n n n [0]: Go to the EXEC prompt without saving the created configuration. . To access EXEC mode. The setup process can be aborted at any time by pressing Ctrl-C. you must log in to the router through the © 2008 Cisco Systems. Configuration register: Controls the bootup method. All rights reserved. Interfaces: The interface is the physical connection to the external devices.

show interfaces displays information on connections and ports that connect with other devices. This level can be passwordprotected. © 2008 Cisco Systems. Two EXEC modes exist. including any changes made in the session that have not yet been saved. All rights reserved. The enable command allows access to this mode (disable exits to user mode). ZUNIGA C. show startup-config displays the last saved configuration. Privileged EXEC (enable mode) level allows you to access all router commands. . FIGURE 9-2 Cisco IOS Software EXEC Modes Console wg_ro_c con0 is now available Press RETURN to get started wg_ro_c> wg_ro_c>enable wg_ro_c# wg_ro_c#disable wg_ro_c> wg_ro_c>logout Privileged-Mode Prompt User-Mode Prompt Displaying Router Status Output from the following show commands provides valuable information about the router status: n n n n show running-configuration displays the currently active configuration in memory. This publication is protected by copyright.[ 108 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty command line. From the Library of 311 for more details. show version displays information about the system hardware and software. as shown in Figure 9-2: n n User EXEC level provides a limited number of basic commands. Please see page MARCO A. Inc.

[ 109 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring a Router From privileged EXEC mode. Major commands have no effect unless they are immediately followed by a subcommand that supplies the configuration entry. as follows: Router(config)# interface serial 0 Router(config-if)# shutdown Router(config)# router rip Router(config-router)# network 10. Major commands cause the CLI to enter a specific configuration mode. Please see page MARCO A.0 © 2008 Cisco Systems. Commands that indicate a process or interface that will be configured are called major commands. From global configuration mode. Inc. This publication is protected by copyright.0.0. All rights reserved. ZUNIGA C. . the configure terminal command provides access to global configuration mode. you can access these specific configuration modes: n n n n n Interface: Configures operations on a per-interface basis Subinterface: Configures multiple virtual interfaces Controller: Supports commands that configure controllers (such as E1 and T1) Line: Configures the operation of a terminal line Router: Configures IP routing protocols Major Command/Subcommand Relationship Figure 9-3 shows the major command and subcommand relationships. From the Library of 311 for more details.

[ 110 ] SECTION 9 Configuring a Cisco Router FIGURE 9-3 IOS Command and Subcommand Relationships User EXEC Commands .. All rights reserved.. ZUNIGA C. Privileged EXEC Commands .Router(config-if)# ip address ipx address encapsulation shutdown / no shutdown etc.... .Router(config)# configure hostname etc. Line Commands . line vty console etc. From the Library of 311 for more details.. CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Interface Commands .. © 2008 Cisco Systems. enable secret ip route interface ethernet serial bri etc. This publication is protected by copyright.Router(config-line)# password login modem commands etc....Router(config-router)# network version auto-summary etc..Router# all User EXEC commands debug commands reload Global Configuration Commands . router rip ospf igrp etc.. Please see page MARCO A. Inc. Routing Engine Commands .Router> ping show (limited) enable etc...

however. it changes the metric of the link as seen by routing protocols. All rights reserved. . This publication is protected by copyright. From the Library of 311 for more details.000 cannot be abbreviated as 64. The following example demonstrates the command syntax needed to configure a serial interface on a router: Router# configure terminal Router(config)# interface s1 Router(config-if)# clock rate 64000 Router(config-if)# bandwidth 64 Router# show interface serial 1 Router# show controller displays the information about the physical interface and if it is a DTE or DCE. names a router (or a switch): Router> enable Router# configure terminal Router(config)# hostname Dallas Configuring a Serial Interface NOTE Unambiguous abbreviations of commands are allowed. The bandwidth entered has no effect on the line’s actual speed. For example. Please see page MARCO A. The bandwidth command overrides the default bandwidth. Abbreviations of delimiters are not allowed. Enabling or Disabling an Interface Example By default. Inc. The following commands show you how to enable or disable a router interface: Router# configure terminal Router(config)# interface s1 Router(config)#no shutdown Router(config)#shutdown enables the interface disables the interface © 2008 Cisco Systems. as follows. ZUNIGA C.[ 111 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Assigning a Router Name Example The hostname command. all interfaces on a router are initially disabled. a clock rate of 64.

. Figure 9-4 shows the line and data-link status of a serial interface and describes how to interrupt the interface status.1 255. ZUNIGA C.168. Please see page MARCO A.255.[ 112 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring an Interface IP Address Example The following commands configure a router interface with an IP address: Router# configure terminal Router(config)# interface s1 Router(config)#ip address 192.0 Router(config)#no shutdown Verifying Interface Configuration The show interface command displays the following: n n n n n n Whether the interface is administratively down Whether the line protocol is up or down An Internet address (if one is configured) Maximum transmission unit (MTU) and bandwidth Traffic statistics on the interface Interface encapsulation type One of the most important elements of the show interface command is the display of the line and data-link status. From the Library of 311 for more details. Inc. This publication is protected by copyright. All rights reserved.255. © 2008 Cisco Systems.1.

2 SRC IP: 192. line protocol is down Exploring the Packet-Delivery Process For hosts on an IP network to communicate with each other. they need a Layer 2 address (MAC address) and an IP address.3333.168.1111.1/30 Carrier Detect (Layer 1) Operational– Connection ProblemInterface ProblemDisabledSerial0 Serial0 Serial0 Serial0 is is is is Keepalives (Layer 2) up. . This publication is protected by copyright.2 L2 = 1111.3333. Please see page MARCO A.168.3333 1111.3 © 2008 Cisco Systems. line protocol is up Hardware is PQUICC with Fractional T1 CSU/DSU Internet address is 192. From the Library of 311 for more details. line protocol is down down.168. Inc. ZUNIGA C.1111 L3 = 192. line protocol is down administratively down.3 L2 = 1111. Each host maintains an ARP table that contains the IP–to–MAC address mappings (see Figure 9-5).1.1.168. All rights reserved.[ 113 ] SECTION 9 Configuring a Cisco Router FIGURE 9-4 Displaying Interface Line and Data-Link Status CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Router#sh int s0 Serial10 is up.1.1111 192.1111.1. IP-enabled hosts use ARP to map the MAC address to the IP address when communicating with hosts on a local segment.1.168. FIGURE 9-5 Host-to-Host Packet Delivery A B DST MAC: SRC MAC: DST IP: 1111.3333 L3 = 192. line protocol is up up.

4444.2 A B L2 = 1111. strip off the MAC address information.1. timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5). The source MAC address and IP will be that of host A. as follows: Router# ping 10. This publication is protected by copyright. All rights reserved.168. the router will respond with its local MAC address and the IP address of the remote host.1.168.10.2 DST MAC: SRC MAC: DST IP: 3333.3 Using Common IOS Tools You can verify connectivity using the ping command. Please see page MARCO A. 100-byte ICMP Echos to 10. the local host will send an ARP request to find the MAC address of the host’s default gateway.1 L2 = 2222.10.3333.3 SRC IP: 192.168. round-trip min/avg/max = 4/4/4 ms © 2008 Cisco Systems.5555 L3 = 192.3333.1. and maximum times for packets that make the round trip to the target system and back.4444 L3 = 192. and rewrite the MAC address with the source MAC address of the router’s exiting Ethernet interface and the destination MAC address of host B. Host A sends a packet with the destination MAC address of the router’s Ethernet interface and the IP address of host B.4444 192. .168.4444. From the Library of 311 for more details.10.1.168.168.1.1.1. You can assess the path’s reliability using this command.10. ZUNIGA C. the router will take the packet. When the router receives the packet. Because the remote host is on a remote network.2 SRC IP: 192.168.5555 2222.168.10 Type escape sequence to abort.1111.3333 L3 = 192. Sending 5. Inc. The IP information does not change. In Figure 9-6.1 L2 = 2222.3333.3 L2 = 1111. The ping command also tells you the minimum.1111.[ 114 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty When an IP host wants to communicate with a host on a remote network.3333. host A wants to communicate with host B. average.10.3333 1111.1111 192.1. FIGURE 9-6 Host-to-Host Packet Delivery Through a Router DST MAC: SRC MAC: DST IP: 1111.1111 L3 = 192.

© 2008 Cisco Systems. Please see page MARCO A. .1. You can also set up a different password for each line by using the line vty port number command.10 4 msec 4 msec 4 msec Router# The show ip arp command displays the router’s ARP cache.1.1. as follows.10 1 10. Router Security Configuring Router Passwords: Console and Telnet The following example configures passwords on the console and vty lines of a router to homer and bart: Router(config)# line console 0 Router(config-line)# login Router(config-line)# password homer Router(config)# line vty 0 4 Router(config-line)# login Router(config-line)# password bart The numbers 0 through 4 in the line vty command specify the number of Telnet sessions allowed in the router.10 Type escape sequence to abort.1. to view the actual routes that packets take between devices: Router# trace 10.1. Inc.1. ZUNIGA C. Tracing the route to 10.[ 115 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty You can use the trace command. From the Library of 311 for more details. This publication is protected by copyright. All rights reserved.

[ 116 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Router Passwords: Enable and Secret Passwords The following configures an enable password of apu and an enable secret password of flanders: NOTE When the enable secret password is set. as follows: Router(config)#service password-encryption Configuring Login Banner and MOTD The login banner is displayed before the username and password login prompts on a Cisco router. This publication is protected by copyright. Router(config)#banner login # Enter TEXT message. Telnet. Notice! Only Authorized Personnel Are Allowed to Access This Device End with CNTL/Z. as follows: Router#config t Enter configuration commands. or auxiliary port. and enable passwords are displayed unencrypted. Please see page MARCO A. The login banner is configured using the banner login global command. # End with the character ‘#’. ZUNIGA C. # Router(config)# © 2008 Cisco Systems. The no enable secret command disables the encrypted password. The console. use the service password-encryption global command. console port. To encrypt them. Router(config)# enable password apu Router(config)# enable secret flanders The no enable password command disables the privileged EXEC mode password. Warning only authorized users many access this switch. it is used instead of the enable password. Inc. one per line. <ENTER> End with the character ‘#’. <ENTER> . Use the banner motd # text # global configuration command to configure the MOTD. It is displayed to anyone connecting to the router through Telnet. From the Library of 311 for more details. as follows: Router(config)#banner motd # Enter TEXT message. All rights reserved. The MOTD is displayed before the login banner.

com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. Telnet is unsecure. Assign a domain name to the device. Generate a security key..cisco. . Inc.. From the Library of 311 for more details. Please see page MARCO A. Step 3. Use the following steps to configure SSH access: Step 1.com Router(config)#crypto key generate rsa The name for the keys will be: router.[OK] Router(config)#ip ssh ver 2 Router(config)#line vty 0 15 Router(config-line)#login local Router(config-line)#transport input telnet ssh © 2008 Cisco Systems. How many bits in the modulus [512]: % Generating 512 bit RSA keys . Step 4. This publication is protected by copyright. Create a local username and password on the device. Router(config)#username eric password 0 ciscopress Router(config)#ip domain-name cisco. ZUNIGA C. and all communication between the Cisco device and host is sent in clear text. Step 2.[ 117 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty SSH Access Cisco recommends using SSH to encrypt communication between the Cisco device and the host. All rights reserved. Enable SSH. Configure vty ports to authenticate using SSH. Step 5.

From the Library of 311 for more details. Configuring and Applying vty Access Lists The command syntax to create a standard IP access list is as follows: access-list access-list-number {permit | deny} source-address [wildcard-mask] The access-list-number parameter is a number from 1 to 99 or 1300 to 1999. ZUNIGA C. Standard access lists allow you to permit or deny traffic based on the source IP address. the first two portions of the IP address must match 172. network. At the end of each access list is an implicit deny any statement. after a vty password has been applied. This is done through standard access lists.0. This publication is protected by copyright.255 Router(config)#line vty 0 15 Router(config-if)#access-class 10 in This applies the access list to vty lines © 2008 Cisco Systems. if you have an IP address of 172. you would create a standard access list that permits each authorized IP address to connect to vty and apply the access list to the vty ports. SwitchA(config)#access list 10 permit ip 192. but the last two octets can be in the range of 1 to 255. Wildcard Masks Wildcard masks define the subset of the 32 bits in the IP address that must be matched. Inc. or part of a network. To restrict access to vty ports. So. All rights reserved. Wildcards are used with access lists to specify a host. the octet address must match.[ 118 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Securing vty Access By default. In wildcard masks.255. You should restrict access to vty ports to only specific IP address.0 with a wildcard mask of 0.0.255. For example. .10. when 0s are present.16. Mask bits with a binary value of 1 are wildcards.0. if a host is not specifically permitted. it will be denied.0. Please see page MARCO A.0 0. any IP address can connect to vty ports.168.16.

ZUNIGA C. SDM helps simplify router deployments and troubleshoot complex network and Virtual Private Network (VPN) connectivity issues. SDM is supported on all Cisco routers and is a free tool that provides built-in wizards to help simply router configuration. Inc. This publication is protected by copyright. . From the Library of 311 for more details. FIGURE 9-7 Cisco Security Device Manager © 2008 Cisco Systems. Please see page MARCO A.[ 119 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Cisco Router and Security Device Manager The Cisco Security Device Manager (SDM) is a web-based tool that configures Cisco routers (see Figure 9-7). All rights reserved.

[ 120 ] SECTION 9 Configuring a Cisco Router SDM has the following features: n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Is an embedded web-based management tool Provides intelligent wizards to enable quicker and easier deployments and does not required Cisco IOS CLI knowledge Provides tools for advanced users such as n n n ACL editor VPN crypto map editor IOS CLI preview Cisco SDM User Interface To access SDM on your Cisco router. This publication is protected by copyright. ZUNIGA C. Please see page MARCO A. Create a user account with enable privileges: Router(config)#username admin priviledge 15 password 0 password Configure SSH and Telnet for local login and privilege level 15: Router(config)#line vty 0 4 Router(config-line)#privilege level 15 Router(config-line)#login local Router(config-line)#transport input telnet Router(config-line)#transport input telnet ssh © 2008 Cisco Systems. Inc. perform the following steps: Step 1. Enable HTTP/HTTPS server on the router: Router(config)#ip http server Router(config)#ip http secure-server Router(config)#ip http authentication local Step 2. Step 3. All rights reserved. From the Library of 311 for more details. .

10.1. From the Library of 311 for more details.168. you can access it by typing in the IP address of the router’s interface in a web browser.255. Some of these wizards are as follows: n n n n n n n LAN Wizard: Configures LAN interfaces and DHCP. go to the following URL: http://www. and the password is cisco. To download the latest version of SDM. Please see page MARCO A.10.cisco. After being connected. you need to connect to the router’s Fast Ethernet interface through a crossover cable. open your web browser. After you connect. The default username is cisco.10. © 2008 Cisco Systems.2 255. you would type https://192. Security Audit Wizard: Audits the router and disables any unused or insecure service running on the router. change the IP address of your computer to 10.10.1. VPN Wizard: Configures site-to-site or remote VPN access. SDM will run and you will be guided through the SDM Express Setup Wizard to configure the router for the first time. All rights reserved. This publication is protected by copyright. If you are configuring a router for the first time that has SDM installed.168.248. Requires the Advanced Security IOS Software. For example.255. . disable any pop-up blockers. if the router’s Fast Ethernet interface IP is 192.1. WAN Wizard: Configures WAN interfaces. and connected to SDM through web address http://10. Inc.10.10. Next. ZUNIGA C.[ 121 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty After SDM is installed on a router. Firewall Wizard: Configures firewall policies on a router that has Cisco Security IOS Software. QoS Wizard: Configures quality of service.com/pcgi-bin/tablebuild.pl/sdm SDM Wizards SDM contains several wizards to simply router configuration tasks. IPS Wizard: Configures IPS policies.

acknowledging the process. From the Library of 311 for more details. After the client receives the DHCPOFFER. it responds with a DHCPREQUEST. 4.255. The DHCP server hosts allocated network addresses and other IP configuration parameters. DHCP is built on a client-server model. 2.255. indicating that it accepted the DHCPOFFER. A DHCP server receives the DHCPDISCOVER message and responds with a DHCPOFFER message. This publication is protected by copyright. 3. © 2008 Cisco Systems. This message contains IP configuration information such as DNS and default gateway. it broadcasts a DHCPDISCOVER message on its local physical segment using IP address 255. When a client boots up. Inc. DHCP supports the following three mechanisms for IP address allocation: n n n Automatic allocation: Assigns a permanent IP address to a client Dynamic allocation: Assigns an IP address to a client for a set period of time Manual allocation: Assigns a specific IP address to a client as defined by the administrator using the client’s MAC address DHCP Figure 9-8 shows the DHCP process as outlined here: 1.[ 122 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring a Router as a DHCP Server DHCP is a protocol that leases IP addresses to IP hosts.255. . All rights reserved. The server receives the DHCPREQUEST and sends a DHCPACK. ZUNIGA C. Please see page MARCO A. The DHCP client is a host that requests initialization parameters from a DHCP server.

© 2008 Cisco Systems. as shown in Figure 9-9. ZUNIGA C. the SDM Express Wizard will run. Please see page MARCO A. If you are configuring a router for the first time using SDM. follow these steps: Step 1. Log on to the router using SDM. You have three ways to configure a Cisco router as a DHCP server: with the CLI.[ 123 ] SECTION 9 Configuring a Cisco Router FIGURE 9-8 DHCP Process DHCPOFFER DHCPDISCOVER CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty DHCPREQUEST DHCPACK Client DHCP Server Using a Router as a DHCP Server Cisco IOS Software includes a full DHCP server implementation that assigns IP addresses from specified address pools in the router and outer IP parameters such as DNS server and default router. This publication is protected by copyright. Inc. Step 2. All rights reserved. one of the tasks the wizard allows you to do is configure the router as a DHCP server. Click the Configure button. or in SDM after the router is configured. with the SDM Express Wizard. . From the Library of 311 for more details. If a router is preconfigured and you want to configure it as DHCP server.

From the Library of 311 for more details.[ 124 ] SECTION 9 Configuring a Cisco Router FIGURE 9-9 Cisco SDM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Step 3. © 2008 Cisco Systems. Click the Additional Task button. All rights reserved. Please see page MARCO A. ZUNIGA C. Inc. This publication is protected by copyright. as shown in Figure 9-10. .

[ 125 ] SECTION 9 Configuring a Cisco Router FIGURE 9-10 Configuring DHCP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Step 4. This publication is protected by copyright. Expand the DHCP folder and select DHCP Pools. From the Library of 311 for more details. ZUNIGA C. as shown in Figure 9-11. Please see page MARCO A. All rights reserved. Click the Add button. . © 2008 Cisco Systems. Inc.

. All rights reserved. Inc. © 2008 Cisco Systems. ZUNIGA C. From the Library of 311 for more details. The IP address pool must be on the same subnet as the IP address of the LAN interface. DHCP Pool range. Configure the DHCP Pool Name. as shown in Figure 9-12. Please see page MARCO A. Click the OK button to save the configuration to the router. DHCP Pool Network. This publication is protected by copyright.[ 126 ] SECTION 9 Configuring a Cisco Router FIGURE 9-11 Configuring DHCP Pools CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Step 5. Lease Length. and DHCP Options.

This is done through the following interface command: ip helper-address [global] address © 2008 Cisco Systems. This publication is protected by copyright. All rights reserved. If the DHCP server is on a different segment than the DHCP client. By default. Inc. routers do not forward broadcasts.[ 127 ] SECTION 9 Configuring a Cisco Router FIGURE 9-12 Configure DHCP Options CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty DHCP/Bootp Relay Agent When a DHCP-enabled client requests an IP address through a DHCPDISCOVER message. the DHCP server will not see the DHCPDISCOVER messages from clients. From the Library of 311 for more details. The router needs to be configured to forward the DHCPDISCOVER broadcasts to the DHCP server. . ZUNIGA C. this message is broadcast to the local segment. Please see page MARCO A.

11. as follows: Router(config)#int f0/0 Router(config-if)# ip helper-address 192. ZUNIGA C. . In Figure 9-13.[ 128 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The address parameter is the IP address of the DHCP server. From the Library of 311 for more details. The ip helper-address command enables forwarding of UDP broadcasts received on the configured interface to a specific IP address. This publication is protected by copyright.168. the DHCP Pool Status button in SDM monitors the DHCP pool status in SDM. FIGURE 9-13 SDM DHCP Pool Status © 2008 Cisco Systems. Please see page MARCO A. Inc.200 Monitoring DHCP Server Function The DHCP server on the router can be monitored through the SDM or CLI. All rights reserved.

Use the show session command to find the session number.2. Inc.2 To establish a SSH session. The resume command or pressing Enter resumes the last active session. ZUNIGA C. Please see page MARCO A. use the ssh command. A Telnet or SSH session can be ended with the exit. All rights reserved. as follows: RouterA#ssh 10. The resume session-number command reconnects to a specific session. The show ssh command displays the list of hosts that are connected through SSH. logout. disconnect.2. Pressing Ctrl-Shift-6 followed by X suspends the current session.2 The show sessions command displays a list of hosts to which you are connected. This publication is protected by copyright.2. © 2008 Cisco Systems. Both the router’s IP address and host name (when DNS or the host entry is present) can be used as an argument. From the Library of 311 for more details. and clear commands. as follows: RouterA#telnet 10.2. . Accessing Remote Devices with Telnet or SSH To establish a Telnet session.[ 129 ] SECTION 9 Configuring a Cisco Router CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The show ip dhcp conflicts command displays any conflicts found by the DHCP server. use the telnet command.

ZUNIGA C. Inc. This publication is protected by copyright. and other devices in a building or small geographic area. users. FIGURE 10-1 WAN Connections Service Provider WANs Versus LANs LANs connect computers.[ 130 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section IV: Connecting Networks Section 10 Understanding WAN Technologies WAN Technologies Overview WANs connect networks. From the Library of 311 for more details. © 2008 Cisco Systems. WANs connect LANs across a wide geographic area. Figure 10-1 shows that companies use the WAN to connect company sites and mobile users for information exchange. . All rights reserved. and services across a broad geographic area. Please see page MARCO A. peripherals. LANs and all devices in the LAN are usually owned by the local organization. Outside service providers own the WAN and WAN devices.

and operational connections. Please see page MARCO A. Modems modulate and demodulate a signal. they are multiport devices that switch Frame Relay. High-Level Data Link Control (HDLC). where one set of wires carries data and a separate set of wires carries clocking for that data. Synchronous links try to use the same speed as the other end of a serial link. data service units/channel service units (DSU/CSU) convert one form of digital format to another digital format. Modems or DSU/CSUs: In analog lines. mechanical. Routers provide network layer services. modems convert analog to digital. The data link layer defines WAN protocols that define how data is encapsulated for transmission across the WAN. . and PPP. enabling data to be transmitted over telephone lines. ZUNIGA C. X. Inc. WAN networking devices: Used in the WAN network. which designate the beginning and end of each character.[ 131 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty WAN Access and the OSI Model WANs and their protocols function at Layers 1 and 2 of the OSI reference model. or ATM traffic. In digital lines. Examples of these protocols are Frame Relay. Communication servers: Concentrate dial-in and dial-out user communications. All rights reserved. This publication is protected by copyright. They operate at the data link layer of the OSI model. From the Library of 311 for more details. n Understanding Serial WAN Interfaces WAN serial interfaces are either synchronous or asynchronous: n Synchronous links have identical frequencies and contain individual characters encapsulated in control bits. they route data from one network to another.25. Synchronous transmission occurs on V. The physical components of WANs define electrical. WAN Devices The following devices are used for WAN services: n n n Routers: Connect the LAN to the WAN.35 and other interfaces. © 2008 Cisco Systems. ATM. called start/stop bits.

An example of a DCE is a CSU/DSU or a serial interface configured for clocking. Modems are asynchronous. All rights reserved. WAN Review Figure 10-2 shows the typical WAN terminology and the list that follows provides more detailed definitions: FIGURE 10-2 WAN Terminology WAN Service Provider Toll Network S S S S S S CO Switch Local Loop S Trunks and Switches Demarcation Customer Premises Equipment (CPE) Point-to-Point or Circuit-Switched Connection © 2008 Cisco Systems. . The port configured as DTE requires external clocking from the CSU/DSU or other DCE device. ZUNIGA C. From the Library of 311 for more details. This publication is protected by copyright. Please see page MARCO A. in other words. but there is no check or adjustment of the rates if they are slightly different. Serial interfaces are specified as DTE (data terminal equipment) or data communications equipment (DCE). Inc. Asynchronous links agree on the same speed.[ 132 ] SECTION 10 Understanding WAN Technologies n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Asynchronous links send digital signals without timing. Only 1 byte per transfer is sent. DCE converts user data into the service provider’s preferred format. DCEs provide clocking for the serial link.

such as asynchronous serial. speed. including IP and IPX. LAPB is a data link layer protocol specified by X. PPP can use either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) for authentication. Local loop (or last mile): The cabling from the demarc into the WAN service provider’s central office.25/Link Access Procedure. Central office (CO): A switching facility that provides a point of presence for WAN service. . Layer 2 Encapsulation Protocols n n High-Level Data Link Control (HDLC): The default encapsulation type for Cisco routers on point-to-point dedicated links and circuit-switched connections. and a switching point for calls.048 Mbps. Point-to-Point Protocol (PPP): Provides connections between devices over several types of physical interfaces.544/2. ISDN. Demarcation (or demarc): Marks the point where CPE ends and the local loop begins.25. From the Library of 311 for more details. It is usually located in the telecommunications closet. Please see page MARCO A. but can be as high as 10 Gbps). This publication is protected by copyright. Inc. WAN Cabling Several ways exist to carry traffic across the WAN. All rights reserved. WANs use serial communication for long-distance communications. X. the exit point from the WAN for called devices. ZUNIGA C. Connection speeds typically vary from 56 kbps to T1/E1 (1. The implementation depends on distance. and the type of service required. Balanced (LAPB): Defines connections between DTE and DCE for remote terminal access. The central office is the entry point to the WAN cloud.[ 133 ] SECTION 10 Understanding WAN Technologies n n n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Customer premises equipment (CPE): Located on the subscriber’s premises and includes both equipment owned by the subscriber and devices leased by the service provider. PPP works with many network layer protocols. High-Speed Serial Interface (HSSI). n © 2008 Cisco Systems. Toll network: A collection of trunks inside the WAN cloud. and synchronous.

This publication is protected by copyright. and Synchronous Optical Network (SONET). Four types of multiplexing operate at the physical layer: n n Time-division multiplexing (TDM) Frequency-division multiplexing (FDM) © 2008 Cisco Systems. Asynchronous Transfer Mode (ATM): International standard for cell relay using fixed-length (53-byte) cells for multiple service types. Inc. ATM Packet-Switched Service Provider PPP. or link. T3.25) can handle multiple virtual circuits. PPP. ATM takes advantage of high-speed transmission media such as E3. Frame Relay. Figure 10-3 shows the typical WAN connections that each Layer 2 encapsulation protocol supports. Please see page MARCO A.25. Fixed-length cells allow hardware processing. . All rights reserved. FIGURE 10-3 WAN Connections Leased Line HDLC. which greatly reduces transit delays. SLIP X. HDLC Circuit-Switched Telephone Company Multiplexing Multiplexing is the process of combining multiple signals over a single wire. From the Library of 311 for more details. ZUNIGA C. fiber. SLIP.[ 134 ] SECTION 10 Understanding WAN Technologies n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Frame Relay: Industry-standard switched data link layer protocol. Frame Relay (based on X.

Leased-line connections are typically synchronous serial connections. This publication is protected by copyright. Figure 10-5 shows an example of a circuit-switched WAN topology. WAN Communication Link Options WAN services are generally leased from service providers on a subscription basis. ZUNIGA C. Leased lines provide a reserved connection for the client but are costly. In WDM and DWDM. Figure 10-4 shows an example of a leased line WAN topology. each data channel is allocated bandwidth based on wavelength (inverse of frequency). In FDM. thus bandwidth is wasted when there is no data to transfer. Inc. In statistical multiplexing. All rights reserved. From the Library of 311 for more details. © 2008 Cisco Systems. Please see page MARCO A. bandwidth is dynamically allocated to data channels. The following three main types of WAN connections (services) exist: n Leased line: A leased line (or point-to-point dedicated connection) provides a preestablished connection through the service provider’s network (WAN) to a remote network.[ 135 ] SECTION 10 Understanding WAN Technologies n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Wave-division multiplexing (WDM) and dense WDM (DWDM) Statistical-division multiplexing In TDM. FIGURE 10-4 Leased-Line WAN Synchronous Serial n Circuit-switched: Circuit switching provides a dedicated circuit path between sender and receiver for the duration of the call. each data channel is allocated bandwidth based on time slots. Circuit switching is used for basic telephone service or Integrated Services Digital Network (ISDN). . regardless of whether data is transferred. An example of this is FM radio. information of each data channel is allocated bandwidth based on the signal frequency of the traffic.

It has become common for remote sites to connect to the central office through the Internet using VPNs. Please see page MARCO A. Usually. these remote sites connect to the Internet using digital subscriber line (DSL) or a packet-switching technology such as cable. Figure 10-6 shows an example of a packet-switched WAN topology. but at a much lower cost.[ 136 ] SECTION 10 Understanding WAN Technologies FIGURE 10-5 Circuit-Switched WAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Telephone Company Asynchronous Serial ISDN Layer 1 n Packet-switched: With packet switching. From the Library of 311 for more details. . Packet switching offers leased line–type services over shared lines. ZUNIGA C. FIGURE 10-6 Packet-Switched WAN Service Provider Synchronous Serial Enabling the Internet Connection Almost every business today connects to the Internet. devices transport packets using virtual circuits (VCs) that provide end-toend connectivity. Inc. Programmed switching devices provide physical connections. All rights reserved. © 2008 Cisco Systems. Packet headers identify the destination. This publication is protected by copyright.

DSL Equipment The twisted-pair wires that provide phone service are ideal because the available frequency ranges on the wires far exceed those required to carry a voice conversation.[ 137 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Packet-Switched Communications Packet-switched networks send data over different routes of a shared public network to reach the same destination. . DSL Types and Standards Two types of DSL exist: asymmetric DSL (ADSL) and symmetric DSL (SDSL). Please see page MARCO A. they might arrive out of order. when the packets reach the destination. ZUNIGA C. ADSL’s downlink speed is much greater than its uplink speed (thus the asymmetry). Digital Subscriber Line DSL is a modem technology that uses the existing phone wires connected to virtually every home in most countries. This publication is protected by copyright. This is done because most users download much more from the Internet than they upload. Inc. All rights reserved. DSL operates at Layer 1 of the OSI model and relies on higher-layer protocols for connection services and encapsulation. The term xDSL refers to the different variations of DSL. DSL requires some specialized equipment to ensure that voice and data are kept separate and are routed to the right place: n n n Low-pass filters (LPF): Placed on all phone jacks not used by a computer to prevent interference from highfrequency data signals DSL modems: The interface from the phone line to the computer DSL access multiplexers (DSLAM): Aggregate hundreds of signals from homes and are the access point to the Internet © 2008 Cisco Systems. SDSL is more useful for businesses because it gives equal bandwidth to the uplink and downlink. In other words. From the Library of 311 for more details. no dedicated path exists between the source and destination. Because packet-switched networks use different routes to send data. It is the responsibility of the receiving protocol to assemble the packets in the correct order.

DSL is an always-on technology.8 Mbps for both downlink and uplink 768 kbps for both downlink and uplink 1.000 DSL Limitations and Advantages Advantages: n n n n DSL offers speeds up to and exceeding T1 for a fraction of the cost.000 18.36 Mbps for both downlink and uplink 18.048 Mbps for both downlink and uplink 192 kbps to 2. They are listed in Table 10-1. all of which are supported by DSL providers.544 to 6 Mbps downlink and 640 kbps uplink 12.96 to 52. ZUNIGA C.000 28. © 2008 Cisco Systems.000 4. Table 10-1 DSL Type DSL Standards Speed Distance Limit (ft) Full-rate ADSL G. and the signals cannot be amplified.lite Very high data rate DSL (VDSL) ISDN DSL (IDSL) High data rate DSL (HDSL) G. . DSL has some distance limitations. Please see page MARCO A.000 12. From the Library of 311 for more details.SHDSL 384 kbps to 8 Mbps downlink and up to 1.[ 138 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty DSL Standards Several international DSL standards exist. Inc.500 22. Limitations: n n n Availability. The telephone company must install DSL equipment.544 to 2.024 Mbps uplink 1. DSL supports data and voice. All rights reserved. This publication is protected by copyright. DSL service providers can add circuits as needed.

ZUNIGA C. © 2008 Cisco Systems. Cable is fairly widespread in the United States. Please see page MARCO A. cable modems provide always-on connectivity. Cable modems use quadrature amplitude modulation (QAM) to encode digital data into an analog signal to deliver 30 to 40 Mbps in one 6-MHz cable channel. so access is generally available. Inc. in this case. This gives you the convenience of not having to dial up with every use. This publication is protected by copyright. Like DSL. From the Library of 311 for more details. Cable also offers speeds well over those of T1 (some claim up to six times T1 speed). which provides greater bandwidth and less noise than standard coaxial. .[ 139 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Cable Cable uses the same basic principles as DSL in that the bandwidth needed to accomplish the primary function (providing TV programming) is only a fraction of the available bandwidth on the wire or. All rights reserved. A headend facility at the local cable office manages traffic flows and performs the following functions: n n n n Receives programming from networks Converts signals and places them on the proper channel frequency Combines all channels into one broadband analog channel Broadcasts the combined analog signal to subscribers Cable Limitations and Advantages Advantages: n n n Cable offers very high speeds in both upstream and downstream directions. cable. but it does make a system more vulnerable to hackers (which is why routers and firewalls should be installed behind a cable modem). Many cable providers deploy hybrid-fiber coaxial (HFC) cable.

When the IP address scheme was originally developed.0.2.22 © 2008 Cisco Systems.[ 140 ] SECTION 10 Understanding WAN Technologies Limitation: n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Cable is a shared medium.0. Inc.2.0.0. From the Library of 311 for more details.0.21.34. so as more people use the system. each gets less bandwidth.34.0. This publication is protected by copyright. Figure 10-7 shows how NAT translates the inside address of 10.21 172. An additional (and equally important) benefit of NAT is that it hides private addresses from public networks.0. Please see page MARCO A.1 Internet 10.0.2 SA 172. ZUNIGA C.0.22 Outside 10. Introducing NAT and PAT Network Address Translation (NAT) was initially developed as an answer to the diminishing number of IP addresses.0.1 to the outside address of 172.2 Inside Global IP Address 172. it was believed that the address space would not run out. All rights reserved.2.34. making communication more secure from hackers.2 NAT Table Inside Local IP Address 10. .0. The combination of the PC explosion and the emergence of other network-ready devices quickly consumed many of the available addresses.1 10. FIGURE 10-7 Network Address Translation Inside SA 10.0.34.2.

0. © 2008 Cisco Systems.536 sessions to a single public address.0.0.2:1533 172. The address translation is still one-to-one.1:2610 172. or other network device.21:2610 10. Static NAT uses one-to-one private-to-public address translation. as shown in Figure 10-8. PAT increments the IP address (if available).0.0.1: 2610 10.0.0. FIGURE 10-8 Port Address Translation Inside SA 10.[ 141 ] SECTION 10 Understanding WAN Technologies n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty NAT is configured on a router.1 PAT Internet SA 10. This is called overloading and is accomplished by assigning port numbers.0.0. If one is not found.2: 1533 SA 10.22:1533 n n Because the port number is 16 bits.1: 2610 SA 10.0. ZUNIGA C. Inc. Port Address Translation (PAT) is a form of dynamic address translation that uses many (private addresses) to few or one (public address). This publication is protected by copyright.0. Dynamic NAT matches private addresses to a pool of public addresses on an as-needed basis.1: 2610 Outside 10.0. From the Library of 311 for more details.2.0.0.0.34. Please see page MARCO A. firewall.0.2 NAT Table Inside Local IP Address Inside Global IP Address 10. All rights reserved.2.34. PAT continues to look for available port numbers. . PAT can theoretically map 65.

Click the Next button. Configuring the DHCP Client and PAT Using SDM To configure a router to be a DHCP client and accept an IP address from an ISP provider. as shown in Figure 10-9. A legal routable IP address that represents one or more inside local IP addresses to the outside world. Click the Next button. private network. All rights reserved. . Step 2. use the following steps: Step 1. The IP address of an outside host as it appears to the inside. From the Library of 311 for more details. If your ISP is using PPP over Ethernet (PPPoE). This publication is protected by copyright. Usually a routable IP address. select the Enable PPPoE check box. Outside global address The IP address assigned to a host on the outside network by the host’s owner. and then click the Interfaces and Connections button. © 2008 Cisco Systems. Usually a private IP address. and then click the Next button. ZUNIGA C. as shown in Figure 10-10. This is usually a private IP address. Table 10-2 Name NAT Terminology Description Inside local address Inside global address Outside local address The IP address assigned to a host on the inside. and click the Create New Connection button. The WAN Wizard appears. Log on to the router using SDM. Select the Ethernet (PPPoE or Unencapsulated Routing) option.[ 142 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty NAT Terminology Table 10-2 lists the Cisco NAT terminology. private network. Inc. Click the Configure button. Please see page MARCO A. Select the Dynamic (DHCP Client) option and enter the router’s host name.

.[ 143 ] SECTION 10 Understanding WAN Technologies FIGURE 10-9 SDM Router DHCP Client Configuration CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty © 2008 Cisco Systems. ZUNIGA C. From the Library of 311 for more details. Inc. This publication is protected by copyright. All rights reserved. Please see page MARCO A.

ZUNIGA C. All rights reserved. . Select the Port Address Translation check box and select the inside interface.[ 144 ] SECTION 10 Understanding WAN Technologies FIGURE 10-10 SDM WAN Wizard CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Step 3. Inc. Click the Next button. This publication is protected by copyright. © 2008 Cisco Systems. Please see page MARCO A. as shown in Figure 10-11. From the Library of 311 for more details.

The clear ip nat translation outside local-ip global-ip command clears a specific outside translation address. Verifying NAT and PAT Configuration The clear ip nat translation * command clears all dynamic translation tables. All rights reserved. The clear ip nat translation inside global-ip local-ip command clears a specific entry from a dynamic inside translation table. ZUNIGA C. Please see page MARCO A.[ 145 ] SECTION 10 Understanding WAN Technologies FIGURE 10-11 SDM WAN Wizard Advanced Options CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Step 4. From the Library of 311 for more details. This publication is protected by copyright. The show ip nat statistics command shows all translation statistics. © 2008 Cisco Systems. Verify the configuration and click the Finish button. Inc. . The show ip nat translations command lists all active translations.

PPP uses a Network Control Protocol (NCP) component to encapsulate multiple protocols and the Link Control Protocol (LCP) to set up and negotiate control options on the data link. The Cisco version of HDLC uses a proprietary field that acts as a protocol field. ZUNIGA C. Please see page MARCO A. if the encapsulation type has been changed to another protocol. © 2008 Cisco Systems.[ 146 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Serial Encapsulation Configuring HDLC HDLC is a data-link protocol used on synchronous serial data links. because it lacks a mechanism to indicate which protocol it is carrying. FIGURE 10-12 HDLC Frame Flag Address Control Proprietary Data FCS Flag Cisco HDLC Because HDLC is the default encapsulation type on serial links. However. This field makes it possible for a single serial link to accommodate multiple network-layer protocols. This publication is protected by copyright. From the Library of 311 for more details. . Figure 10-12 shows the frame format of HDLC. Inc. PPP should be used when communicating with non-Cisco devices. the following command changes the serial interface encapsulation back to HDLC: Router(config-if)#encapsulation hdlc Configuring PPP As shown in Figure 10-13. you don’t need to configure HDLC. Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. HDLC cannot support multiple protocols on a single link. All rights reserved.

performs challenge handshake Compresses data at source. ZUNIGA C. Table 10-3 Feature PPP Configuration Options How It Operates Protocol Authentication Compression Error detection Multilink Requires a password. reproduces data at destination Monitors data dropped on link. Other Options Link Control Protocol Synchronous or Asynchronous Physical Media Physical Layer PPP Configuration Options Cisco routers using PPP encapsulation include the LCP options shown in Table 10-3. CHAP Stacker or Predictor Magic Number Multilink Protocol (MP) © 2008 Cisco Systems. All rights reserved. From the Library of 311 for more details. avoids frame looping Provides load balancing across multiple links PAP. . This publication is protected by copyright.[ 147 ] SECTION 10 Understanding WAN Technologies FIGURE 10-13 Point-to-Point Protocol IP IPX Layer 3 Protocols CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty IPCP PPP IPXCP Many Others Network Layer Network Control Protocol Data Link Layer Authentication. Please see page MARCO A. Inc.

either PAP or CHAP is used to authenticate the link. This publication is protected by copyright. as follows: RouterB(config-if)#encapsulation ppp PPP Authentication Protocols The two methods of authentication on PPP links are as follows: n n Password Authentication Protocol (PAP): The less-secure of the two methods. passwords are sent in clear text and are exchanged only upon initial link establishment.[ 148 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Establishing a PPP Session The three phases of PPP session establishment are described as follows: 1. CHAP passwords are exchanged as message digest algorithm 5 (MD5) hash values. Link establishment: Each PPP device sends LCP packets to configure and test the link (Layer 2). ZUNIGA C. Please see page MARCO A. © 2008 Cisco Systems. enter the encapsulation ppp interface command. Authentication phase (optional): If authentication is configured. This must take place before the network layer protocol phase can begin (Layer 2). CHAP uses a three-way handshake process to perform one-way authentication on a PPP serial interface. 2. . All rights reserved. 3. Network layer protocol phase: PPP sends NCP packets to choose and configure one or more network layer proto- cols to be encapsulated and sent over the PPP data link (Layer 3). Enabling PPP To enable PPP encapsulation on a serial interface. Challenge Handshake Authentication Protocol (CHAP): Used upon initial link establishment and periodically to make sure that the router is still communicating with the same host. Inc. From the Library of 311 for more details.

1. Make sure that each router has a host name assigned to it using the hostname command. ZUNIGA C. load 1/255 Encapsulation PPP. BW 1544 Kbit. Step 2. the second method is used.2/24 MTU 1500 bytes. line protocol is up Hardware is HD64570 Internet address is 192.168. keepalive set (10sec) © 2008 Cisco Systems. define the username of the remote router and the password that both routers will use with the username remote-router-name password password command. the first method you specify in the command is used. loopback not set.[ 149 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring PPP Authentication The three steps to enable PPP authentication on a Cisco router are as follows: Step 1. From the Library of 311 for more details. This publication is protected by copyright. rely 255/255.) The following commands configure CHAP and PAP for authentication with the password of cisco. (If both PAP and CHAP are enabled. The remote router’s host name is RouterA: RouterB(config)#hostname RouterB RouterB(config)#username RouterA password cisco RouterB(config)#int s0 RouterB(config-if)#ppp authentication chap pap Verifying the Serial Encapsulation Configuration The show interface interface-number command shows the encapsulation type configured on the router’s serial interface and the LCP and NCP states of an interface if PPP encryption is enabled: RouterA#show int s0 Serial0 is up. . Configure PPP authentication with the ppp authentication {chap | chap pap | pap chap | pap} interface command. On each router. Step 3. All rights reserved. DLY 20000 usec. Inc. If the peer suggests the second method or refuses the first method. Please see page MARCO A.

CDPCP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Last input 00:00:02. ZUNIGA C. or deleted. Inc. A connection identifier maps packets to outbound ports on the service provider’s switch. Total output drops: 0 (text omitted) The IOS debug ppp authentication command shows successful CHAP or PAP authentication. The debug ppp negotiation command shows PPP-enabled routers performing negotiation. The entire path to the destination is determined before the frame is sent. PVCs save bandwidth (no circuit establishment or teardown) but can be expensive. output hang never Last clearing of “show interface” counters never Input queue: 0/75/0 (size/max/drops). This publication is protected by copyright. Frame Relay Terminology n VC (virtual circuit): A logical circuit between two network devices. inactive. VC status can be active. a lookup table maps the frame to the correct outbound port. Please see page MARCO A. . From the Library of 311 for more details. Today. SVCs are established on demand and are torn down when transmission is complete. Frame Relay Frame Relay is a connection-oriented Layer 2 protocol that allows several data connections (virtual circuits) to be multiplexed onto a single physical link.[ 150 ] SECTION 10 Understanding WAN Technologies LCP Open Open: IPCP. A VC can be permanent (PVC) or switched (SVC). Frame Relay relies on upper-layer protocols for error correction. most Frame Relay circuits are PVCs. All rights reserved. Frame Relay specifies only the connection between a router and a service provider’s local access switching equipment. output 00:00:02. © 2008 Cisco Systems. When the switch receives a frame.

From the Library of 311 for more details. ATM networks are composed of ATM switches interconnected by point-to-point ATM links.933 Annex A). n n ATM and Cell Switching Asynchronous Transfer Mode (ATM) was originally developed as a high-speed public WAN transport for voice. FECN (forward explicit congestion notification): A message sent to a destination device when a Frame Relay switch senses congestion in the network. and Network Node Interfaces (NNI). Northern Telecom. The three types of LMIs supported by Cisco Frame Relay switches are Cisco (developed by Cisco. The DLCI is locally significant. and Q933a (ITU-T Q. which connect ATM switches. © 2008 Cisco Systems. LMI (Local Management Interface): A signaling standard that manages the connection between the router and the Frame Relay switch. A BECN message requests a reduced data transmission rate. ANSI Annex D (ANSI standard T1. LMIs track and manage keepalive mechanisms. This publication is protected by copyright. Inc. and DLCI status. Inverse ARP: Routers use inverse ARP to discover the network address of a device associated with a VC. StrataCom.[ 151 ] SECTION 10 Understanding WAN Technologies n n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty DLCI (data-link connection identifier): Identifies the logical connection between two directly connected sets of devices. video. Please see page MARCO A. The links connecting the switches come in two forms: User-Network Interfaces (UNI). and data. ATM was later modified by the ATM Forum to include transport over private networks. and DEC). multicast messages. CIR (committed information rate): The minimum guaranteed data transfer rate agreed to by the Frame Relay switch. The router configures itself to match the LMI type response. ZUNIGA C.617). . BECN (backward explicit congestion notification): A message sent to a source router when a Frame Relay switch recognizes congestion in the network. which connect ATM endpoints to ATM switches. Routers autosense LMI types by sending a status request to the Frame Relay switch. All rights reserved.

[ 152 ] SECTION 10 Understanding WAN Technologies CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The asynchronous part of ATM refers to the protocol’s ability to use a more efficient version of time-division multiplexing (TDM). This publication is protected by copyright. . From the Library of 311 for more details. Inc. Time division means that each data stream has an assigned slot in a repeating sequence. Please see page MARCO A. Multiplexing is a method of combining multiple data streams into a single physical or logical connection. With synchronous TDM. ZUNIGA C. As shown in Figure 10-14. each time slot is preassigned and is held open if the station assigned to it has no data to send. asynchronous transmission allows empty slots to be filled by stations that have data to send. All rights reserved. FIGURE 10-14 Asynchronous Transfer Mode 2 4 4 2 2 3 ATM Makes Efficient Use of All Time Slots 1 4 3 2 1 4 © 2008 Cisco Systems.

Inc. IGP and EGP An autonomous system (AS) refers to a group of networks under a common administrative domain. Examples include RIP. Routing protocols are divided into two classes based on how they interact with other autonomous systems: exterior gateway protocols (EGP) and interior gateway protocols (IGP). A routing protocol does this by defining rules to communicate with neighboring routings and then sending information about the router’s learned routes to neighboring routers. From the Library of 311 for more details. BGP is an example of an EGP. IGPs exchange information within an AS. This publication is protected by copyright. OSPF. EGPs exchange information between autonomous systems. FIGURE 11-1 IGPs and EGPs IGPs: RIP. ZUNIGA C.[ 153 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 11 RIP Routing Dynamic Routing Protocol Overview Routing protocols determine the best path packets take to reach a destination in a network. and IS-IS. . EIGRP. All rights reserved. EIGRP EGPs: BGP Autonomous System 100 Autonomous System 200 © 2008 Cisco Systems. Please see page MARCO A.

Please see page MARCO A. . “Exploring the Functions of Routing. From the Library of 311 for more details.” three classes or methods of routing protocols exist: n n n Distance vector Link-state Advanced distance vector (also called balanced hybrid) Routing Ranges with Administrative Distance Several routing protocols can be used at the same time in the same network. This publication is protected by copyright. When more than a single source of routing information exists for the same destination prefix. ZUNIGA C. Inc. All rights reserved.[ 154 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Classes of Routing Protocols As mentioned in Chapter 8. the source with the lowest administrative distance value is preferred. Table 11-1 shows the default administrative distance of learned routes. Table 11-1 Route Source AD Default Distance Values Connected interface Static route EIGRP BGP Internal EIGRP IGRP IS-IS RIP EGP 0 1 5 20 90 100 115 120 140 continues © 2008 Cisco Systems.

Routers using classful routing protocols automatically perform route summarization across network boundaries. summarization is controlled manually. Please see page MARCO A.” Each router receives updates from its direct neighbor. IS-IS. The ip classless command prevents a router from dropping packets for an unknown subnetwork of a directly attached network if a default route is configured. The ip classless command is enabled by default. As a result. all subnetworks of the same major network must use the same subnet mask. In Figure 11-2. Distance Vector Route Selection Routers using distance vector–based routing share routing table information with each other. RIPv1 is an example of a classful routing protocol.[ 155 ] SECTION 11 RIP Routing Table 11-1 Route Source CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty AD continued Default Distance Values ODR External EIGRP Internal BGP Unknown 160 170 200 255 Classless Versus Classful Routing Classless routing protocols include subnet mask information in routing advertisements and support variable-length subnet mask (VLSM). In this case. This method of updating is called “routing by rumor. and EIGRP are classless routing protocols. Classful routing protocols do not include the subnet mask in routing advertisements. This publication is protected by copyright. the routing information © 2008 Cisco Systems. OSPF. Router B shares information with Routers A and C. From the Library of 311 for more details. Inc. All rights reserved. Router C shares routing information with Routers B and D. RIP v2. ZUNIGA C. In classless routing. .

Please see page MARCO A. As the network discovery proceeds. Router B knows about the networks to Router C. which increments the distance to these networks by 1. All rights reserved. Router A increments the distance metric for any route learned by Router B. routers accumulate metrics and learn the best paths to various destinations. each directly connected network has a distance of 0. For example. This publication is protected by copyright. . FIGURE 11-2 Distance Vector Routing Protocols C Distance—How Far? Vector—In Which Direction? D B A D C Routing Table B A Routing Table Routing Table Routing Table Distance accumulation keeps track of the routing distance between any two points in the network. which is directly connected. Router A learns about other networks based on information it receives from Router B. for example). but the routers do not know the exact topology of an internetwork. Each router increments the metrics as they are passed on (incrementing hop count. In Figure 11-3. Inc.[ 156 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty is distance vector metrics (such as the number of hops). How Information Is Discovered with Distance Vectors Network discovery is the process of learning about nondirectly connected destinations. ZUNIGA C. © 2008 Cisco Systems. Router B then shares this information with Router A. From the Library of 311 for more details.

Please see page MARCO A. This publication is protected by copyright. Some common metrics are as follows: n n n n n n Bandwidth: The link’s data capacity.0.0 S0 10.0.0 S0 0 0 1 2 Routing Table 10. .4.0 S0 10.0 S1 10.3.0 S0 0 0 1 1 Routing Table 10.0 S0 10.0.0. The network is converged when all routers have consistent routing tables.3. Routing metrics are measures of path desirability.0.2.0.0 E0 Routing Table 10.0. Different protocols use different metrics. © 2008 Cisco Systems.2.4.0 S0 C CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 10. expense. All rights reserved.0 S0 10. congestion. Routing Metrics Routing protocols use their own rules and metrics to build and update routing tables automatically.1.0. Cost: An arbitrary value based on bandwidth.0.0 E0 10.0. This depends on bandwidth.1.0 S1 10. routing loops can occur if the network has inconsistent routing entries. Load: The amount of activity on the interface.[ 157 ] SECTION 11 RIP Routing FIGURE 11-3 Distance Vector Route-Learning Process 10.0. ZUNIGA C. Reliability: The error rate of each network link. Hop count: The number of routers the packet must travel through before reaching the destination.4. From the Library of 311 for more details. Slow convergence on a new configuration is one cause of this phenomenon. and distance.0 S0 10.1. port delays.3.0.0 E0 10.2.0. and other metrics assigned by the administrator.0 S0 B S1 10. Delay: The time required to move the packet from the current router to the destination.4.2.1.0.0 E0 A S0 10.0. Inc.3.0.0 S0 0 0 1 2 During updates.

From the Library of 311 for more details.0 S0 10.4.1. Split horizon also eliminates unnecessary routing updates.0. Split Horizon Split horizon is one way to eliminate routing loops and speed convergence. thus speeding convergence.3.2. Router A.0 S0 10.0.0.0.0.0.0. ZUNIGA C. no new route with the same or a worse metric will be accepted for the same destination for some period of time.0 E0 10.4.2.3. All rights reserved.0.0 S1 10.0 S0 10.0 S0 X Routing Table 10.0 10.0.0. will not send route advertisements that contain routes learned on serial interface 0 out serial interface 0.0 X Routing Table 10.1.4. it is considered inaccessible.3.[ 158 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Techniques to Eliminate Routing Loops A routing loop prevents some packets from being properly routed because of incorrect routing information circulating in the network.2.0 S0 10. In Figure 11-4.0 S0 Routing Table 10. . using split horizon.0. © 2008 Cisco Systems.3. If the router has no valid alternative path to the network.0. FIGURE 11-4 Split Horizon E0 A S0 S0 B S1 S0 C E0 10. Routing loops usually occur when unreachable networks are incorrectly replaced by older routing information from other devices in the network.2. Please see page MARCO A. Routing protocols have some mechanisms to prevent routing loops.0.0.0 S0 10. The idea behind split horizon is that it is never useful to send information about a route back in the direction from which the update came.0 E0 10. Inc.1. This publication is protected by copyright.0 10.4.0 S1 10.1.0 S0 0 0 1 2 0 0 1 1 0 0 1 2 Hold-Down Timers Hold-down timers dictate that when a route is invalid.0. This allows network updates to propagate throughout the network.0 10.0.

2. Router C “poisons” its link to network 10.0.0.0. Inc.0 coming from neighboring routers that might claim to have a valid alternative path. when network 10. All rights reserved.4.0 S0 0 0 1 2 C Routing Table 10.0 E0 10.4.0 S0 10.0 jump to infinity.1. Route poisoning basically sets a route to “unreachable” and locks the table (using hold-down timers) until the network has converged.0.0 E0 Down 10.0. .0 goes down. FIGURE 11-5 Routing Poisoning E0 A S0 S0 B S1 S0 C E0 10.0 S0 10.0 S0 0 10.0. From the Library of 311 for more details.3.0 X Routing Table 10.0.0.4.0.4. it sends a return message (overriding split horizon) called a poison reverse back to Router C.4. The router advertises the poisoned route to its neighbors.0. This message ensures that all routers on that segment have received information about the poisoned route. ZUNIGA C.0 S0 2 Poison Reverse In Figure 11-6. stating that network 10.0. Please see page MARCO A.0.0 S0 10.0 S0 0 0 1 1 Routing Table 10. when Router B sees the metric to 10.0 10.0 S1 10.0 S1 10.3.0.1.1.0 S0 1 10.4. it is unreachable).4.0.3.0. After the hold-down timer expires (which is just longer than the time to convergence).0.0.[ 159 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Route poisoning (part of split horizon) also eliminates routing loops caused by inconsistent updates.4. © 2008 Cisco Systems. Router C is no longer susceptible to incorrect updates about network 10.0 by sending an update for network 10.0 is inaccessible.1. Router C begins accepting updates again. Route Poisoning In Figure 11-5.0.4.0 that indicates it has an infinite metric and a hop count of 16 (that is.0.0. This publication is protected by copyright.2.0 10.2.0 10.4.3.0.2.0.

0.0. thus a hop count of 16 is unreachable.2.0 10.0 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 10.3. The maximum allowable hop count is 15.1.0 S0 10.4.4.0. RIP is subject to the split horizon rule.0 S0 1 10. Inc.3.0. This publication is protected by copyright.0 S0 Infinity 10.4. Two versions of RIP exist: version 1 and version 2. © 2008 Cisco Systems.0. From the Library of 311 for more details.0 S0 0 0 1 2 Routing Table 10.3. All rights reserved.2. ZUNIGA C.1.0 S0 10.0.0 S1 10.1. the default is 4.0 10.0.0. RIP can load-balance over as many as 16 equal-cost paths.2.0.3. triggered updates are routing updates sent immediately out a router’s interface when it notices that a directly connected subnet has changed state.0 E0 10.0 S0 10. Please see page MARCO A.0 S0 2 Possibly Down Triggered Updates Also known as flash updates.0 S1 10.2.0.4.0. RIP RIP is a true distance vector routing protocol that sends its complete routing table out all active interfaces every 30 seconds. .0.0 Routing Table 10.0 S0 0 10.1.0.0.0.[ 160 ] SECTION 11 RIP Routing FIGURE 11-6 Poison Reverse E0 A S0 S0 B S1 S0 C E0 Poison Reverse 0 0 2 10.0. RIP uses a hop count as its metric to determine the best path to a remote network.0 E1 Routing Table 10.

From the Library of 311 for more details. Route hold-down timer: If RIP receives an update with a hop count higher than the metric recording in the routing table. RIP v2 also supports manual route summarization and authentication. As a result. Default is 30 seconds. Route invalid timer: The time that must expire before a route becomes invalid. RIP goes into a hold-down for 180 seconds. ZUNIGA C. RIP version 2 also sends routing updates through multicast. . RIPv1 does not support variable-length subnet mask. RIP v1 broadcasts updates.[ 161 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty RIPv1 and RIPv2 Comparisons RIP version 1 is a classful protocol. Default is 240 seconds. meaning that it does not send its subnet mask in routing updates. Please see page MARCO A. All rights reserved. Configuring and Verifying RIP The commands to enable RIP on a Cisco router are as follows: n n router rip global command network connected-network-address configuration command © 2008 Cisco Systems. RIP version 2 is a classless protocol that supports VLSM and sends its subnet mask in routing updates. RIP Timers RIP uses four timers to regulate performance and route updates: n n n n Route update timer: The time between router updates. Route flush timer: The time from when a route becomes invalid to when it is removed from the routing table. Inc. Default is 180 seconds. RIP v1 does not. This publication is protected by copyright.

displays values associated with routing timers. .168.[ 162 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty For example.2. and network information associated with the entire router: RouterB#show ip protocols Routing Protocol is “rip” Sending updates every 30 seconds.1. flushed after 240 Outgoing update filter list for all interfaces is Incoming update filter list for all interfaces is Redistributing: rip Default version control: send version 1. next due in 2 seconds Invalid after 180 seconds. the administrative distance.0 192. ZUNIGA C.168. the following commands enable RIP and advertise routes for the locally connected networks 192. Please see page MARCO A.1.0: RouterB(config)#router rip RouterB(config-router)#network 192. This publication is protected by copyright.0 RouterB(config-router)#network 192.168. From the Library of 311 for more details. as follows.2.1.0 Routing Information Sources: Gateway Distance Last Update Distance: (default is 120) Send 1 1 Recv 1 2 1 2 Key-chain © 2008 Cisco Systems. Inc. receive any version Interface Serial0 Serial1 Routing for Networks: 192.2.168. hold down 180.0 and 192.0 The IOS command show ip protocols.168.168. All rights reserved.

thus allowing you to troubleshoot RIP. M .candidate default U . This publication is protected by copyright. Inc.connected. Please see page MARCO A.0.1. displays the Cisco routing table’s contents: RouterA#show ip route Codes: C .IGRP. 00:00:21. Troubleshooting RIP The debug ip rip command displays routing updates as they are sent and received.168.0. S . N2 .0 1.OSPF NSSA external type 1. Serial0 The [120/1] indicates that 120 is the AD and 1 is the number of hops to the remote network.1 is directly connected. Ethernet0 0. Serial0 192.0/24 is directly connected.0/0 [120/1] via 192.OSPF interarea N1 .IS-IS level-2. EX .ODR Gateway of last resort is 192.1.0.2.EIGRP external. R . R indicates that RIP has learned paths to networks 192. L1 .168.0.168. E2 .0/24 and 0.per-user static route. O .0.168.IS-IS level-1.0.168. IA .0/24 is directly connected. o . Serial0 192.OSPF external type 2.0.0/32 is subnetted.0.0/24 [120/1] via 192.B . Loopback0 192.1.IS-IS.BGP D . From the Library of 311 for more details.168. L2 . 1 subnets C R C C R* 1.168.static. 00:00:21.1. as follows.OSPF NSSA external type 2 E1 .[ 163 ] SECTION 11 RIP Routing CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Displaying the Routing Table The show ip route command. ZUNIGA C.0/0.1 to network 0.mobile.1.0. .0.1.RIP. © 2008 Cisco Systems.OSPF external type 1.EIGRP.OSPF. I . * .1.EGP i . All rights reserved. E .1.

© 2008 Cisco Systems. Inc. allowing devices running different network layer protocols to learn about each other. address lists. CDP summary information includes device identifiers. port identifiers. FIGURE 12-1 CDP CDP CDP CDP CDP runs over all LANs. ATM. From the Library of 311 for more details. and other WANs employing Subnetwork Access Protocol (SNAP) encapsulation. Frame Relay. Please see page MARCO A. All rights reserved.[ 164 ] SECTION 12 Managing Your Network Environment CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 12 Managing Your Network Environment Discovering Neighbors on the Network with CDP Cisco Discovery Protocol (CDP) is a proprietary tool that enables access to protocol and address information on directly connected devices. CDP runs over the data link layer. This publication is protected by copyright. ZUNIGA C. CDP starts by default on bootup and sends updates every 60 seconds. . and platform.

[ 165 ] SECTION 12 Managing Your Network Environment CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Implementation of CDP n n n n n n cdp enable enables CDP on an interface. This publication is protected by copyright. From the Library of 311 for more details. The show cdp neighbors detail command shows the same information as sh cdp neighbors. show cdp neighbors displays the CDP updates received on the local interfaces and information about CDP neighbors. show cdp displays the CDP output. in addition to the network layer address of the CDP neighbor. the following is displayed: n n n n n n Neighbor device ID Local interface Holdtime value in seconds Neighbor device capability code (router. All rights reserved. This command displays the same information as the show cdp entry * command. no cdp run disables CDP on a device. no cdp enable disables CDP on an interface. Please see page MARCO A. . ZUNIGA C. For each CDP neighbor. switch) Neighbor hardware platform Neighbor remote port ID n show cdp neighbors detail displays updates received on the local interfaces. Inc. © 2008 Cisco Systems. cdp run allows other CDP devices to get information about your device.

3. . 2. 4. All rights reserved. show cdp interface displays interface status and configuration information. it goes through the following sequence: 1. The router checks its hardware with a power-on self test (POST). Please see page MARCO A. The configuration is located and loaded. © 2008 Cisco Systems. This publication is protected by copyright. The router loads a bootstrap code.[ 166 ] SECTION 12 Managing Your Network Environment n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty show cdp entry displays the following information about neighboring devices: n n n n n n n Neighbor device ID Layer 3 protocol information Device platform Device capabilities Local interface type and outgoing remote port ID Holdtime value in seconds Cisco IOS Software type and release n n show cdp traffic displays information about interface traffic. Inc. ZUNIGA C. The Cisco IOS Software is located and loaded using the information in the bootstrap code. Managing Router Startup and Configuration When a router is booted up. From the Library of 311 for more details.

and password recovery. Reads the configuration register to determine how to boot. ROMMON: A low-level operating system normally used for manufacturing. Interfaces: The interface is the physical connection to the external devices. NVRAM: Nonvolatile RAM stores the configuration. Some routers run the IOS image directly from flash and do not need to transfer it to RAM. Please see page MARCO A. Physical connections can include Token Ring and FDDI. ZUNIGA C. POST: Tests the basic function of the router hardware and determines the hardware present. ROM Functions ROM contains the startup microcode and consists of the following four areas: n n n n Bootstrap code: Brings the router up during initialization.[ 167 ] SECTION 12 Managing Your Network Environment CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Router Components The major router components are as follows: n n n n n n RAM: Random-access memory contains key software (IOS). Inc. All rights reserved. © 2008 Cisco Systems. From the Library of 311 for more details. . testing. Mini Cisco IOS Software file: Loads a new Cisco IOS image into flash memory from a TFTP server. This publication is protected by copyright. Flash memory: Flash contains the Cisco IOS Software image. ROM: Read-only memory contains startup microcode. troubleshooting. Configuration register: Controls the bootup method.

Inc. The auto-install routine attempts to download a configuration file from a TFTP server. All rights reserved. The last line contains the register value. Table 12-1 shows the configuration register values and meanings.[ 168 ] SECTION 12 Managing Your Network Environment CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty How a Cisco Device Locates and Loads IOS Images The bootstrap code locates and loads the Cisco IOS image. If the configuration register’s fourth character is from 0x2 to 0xF. Changing this value changes the location of the IOS load (and many other things). Please see page MARCO A. ZUNIGA C. A reload command must be used for the new configuration to be set. the router initiates an auto-install or setup utility. The Configuration Register The config register includes information that specifies where to locate the Cisco IOS Software image. This publication is protected by copyright. the bootstrap parses the startup-config file in NVRAM from the boot system command that specifies the name and location of the Cisco IOS Software image to load. Configurations in NVRAM are executed. It does this by first looking at the configuration register. After the IOS is loaded. use the show version command to determine the current image. The register value is checked only during the boot process. Before changing the configuration register. Table 12-1 0x0 0x1 0x2 to 0xF Configuration Register Values Meaning Configuration Register Boot Field Value Use ROM monitor mode (manually boot using the boot command) Automatically boot from ROM (provides IOS subset) Examine NVRAM for boot system commands (0x2 is the default if router has flash) © 2008 Cisco Systems. the router must be configured. Changing the configuration register changes the location of the IOS load. From the Library of 311 for more details. . If one does not exist in NVRAM. The default value for the configuration register is 0x2102.

The show startup-config command shows the configuration file saved in NVRAM.[ 169 ] SECTION 12 Managing Your Network Environment CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The show version command verifies changes in the configuration register setting. URL prefixes for Cisco network devices are as follows: n n n n n n n n n n bootflash: Boot flash memory flash: Available on all platforms flh: Flash load helper log files ftp: File Transfer Protocol (FTP) network server nvram: NVRAM rcp: Remote Copy Protocol (RCP) network server slot0: First PCMCIA flash memory card slot1: Second PCMCIA flash memory card system: Contains the system memory and the running configuration tftp: Trivial File Transfer Protocol (TFTP) network server © 2008 Cisco Systems. All rights reserved. From the Library of 311 for more details. ZUNIGA C. The uniform resource locator (URL) convention allows you to specify files on network devices. Managing IOS Images The Cisco IOS File System (IFS) feature provides an interface to the router file systems. including the image filenames and sizes. This is the configuration that will be used if the router is reloaded and the running-config is not saved. The show flash command displays contents in flash memory. Inc. . Please see page MARCO A. This publication is protected by copyright. The show running-config command shows the current running configuration in RAM.

ZUNIGA C. In Cisco IOS Release 12. the copy commands are used to move configuration from one component or device to another. you must enter the IP address of the remote host and the name of the source and destination system image file. The router prompts you for the IP address of the remote host and the name of the source and destination system image file. All rights reserved.3T and later. Inc. erase start copy tftp start copy start tftp Blank 000000 000000 © 2008 Cisco Systems. it merges with the existing configuration in RAM. From the Library of 311 for more details. Cisco IOS copy Command As shown in Figure 12-2. .[ 170 ] SECTION 12 Managing Your Network Environment CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Backing Up and Upgrading IOS Images wg_ro_a# show flash wg_ro_a# copy flash tftp wg_ro_a# copy tftp flash When using the copy flash command. Please see page MARCO A. This publication is protected by copyright. It does not overwrite the existing configuration. The syntax is as follows: copy object source destination For example: copy running-config startup-config FIGURE 12-2 IOS copy Command RAM Config copy running startup copy startup running (merge) config term (merge) Console copy tftp run (merge) copy run tftp TFTP server NVRAM Config NOTE When a configuration is copied into RAM. the configure replace command allows you to overwrite the running configuration.

The following table details the differences between the two. From the Library of 311 for more details. show debug Characteristics Processing Load Primary Use Static Low overhead Gather facts Dynamic High overhead Observe processes © 2008 Cisco Systems. Inc. These commands allow you to view the current configuration in RAM or the startup configuration commands in NVRAM. This publication is protected by copyright. You know that you are looking at the current config file when you see the words “Current configuration” at the top of the display. Troubleshooting Troubleshooting is aided with the show and debug commands.[ 171 ] SECTION 12 Managing Your Network Environment CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The show running-config and show startup-config commands are useful troubleshooting aids. All rights reserved. ZUNIGA C. Please see page MARCO A. . You know that you are looking at the startup config file when you see a message at the top telling you that NVRAM has been used to store the configuration.

engineering. rather than everyone on the first floor. From the Library of 311 for more details. Please see page MARCO A. All rights reserved. . you can arrange user groups such as accounting. © 2008 Cisco Systems. Inc. For example. VLANs improve segmentation.[ 172 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty ICND2 Part I: LAN Switching Section 1 Implementing VLANS and Trunks VLANs The virtual LAN (VLAN) organizes physically separate users into the same broadcast domain. security. and flexibility. The use of VLANs improves performance. and so on. VLAN segmentation is not bound by the physical location of users. flexibility. and security. n n n VLANs define broadcast domains that can span multiple LAN segments. everyone on the second floor. because no extra cabling is required. ZUNIGA C. This publication is protected by copyright. VLAN Characteristics VLANs allow logically defined user groups rather than user groups defined by their physical locations. and finance. The use of VLANs also decreases the cost of arranging users.

From the Library of 311 for more details. A VLAN can exist on one or several switches. or a trunk. Please see page MARCO A. Ports assigned to the same VLAN share broadcasts and are in the same broadcast domain. Figure 1-1 shows a VLAN design. This publication is protected by copyright. a voice VLAN. ZUNIGA C. . Inc. Note that VLANs are defined by user functions rather than locations. All rights reserved.[ 173 ] SECTION 1 Implementing VLANs and Trunks n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Each switch port can be assigned to an access VLAN. FIGURE 1-1 VLAN Design 3rd Floor 2nd Floor 1st Floor SALES HR ENG © 2008 Cisco Systems.

[ 174 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VLAN Operation Figure 1-2 shows that each VLAN on a switch behaves as if it were a separate physical bridge. The switch supports up to 255 VLANs. multicasts. and broadcasts) only to ports assigned to the same VLAN from which they originated. FIGURE 1-2 VLAN Operation Green VLAN Switch A Green VLAN Red VLAN Black VLAN Green VLAN VLANs require a trunk or a physical connection for each VLAN to span multiple switches. Each trunk can carry traffic for multiple VLANs. Supported VLANs The Catalyst 2960 supports VLANs in VLAN Trunking Protocol (VTP) client. VLANs are identified by a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved. and transparent mode. server. From the Library of 311 for more details. This drastically cuts down on network traffic. ZUNIGA C. . © 2008 Cisco Systems. All rights reserved. Please see page MARCO A. Inc. The switch forwards packets (including unicasts. This publication is protected by copyright.

802. ZUNIGA C. deletions. From the Library of 311 for more details. Trunking The IEEE 802.1Q defines how to carry traffic from multiple VLANs over a single point-to-point link.1Q protocol defines VLAN topologies and connects multiple switches and routers. you would have to manually add VLAN information to each switch in the network. This publication is protected by copyright.[ 175 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VLAN Port Membership Modes A port must be assigned (configured) to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries: n n n n Static access: The port belongs to only one VLAN and is manually assigned. Cisco supports 802. VLAN Trunking Protocol VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency throughout a common administrative domain by managing VLAN additions. . Without VTP. Inc.1Q): The port is a member of all VLANs.1Q trunking over Fast Ethernet and Gigabit Ethernet links. © 2008 Cisco Systems. 802. Dynamic access ports cannot connect to another switch. Voice VLAN: The port is an access port attached to a Cisco IP phone that is configured to use one VLAN for voice traffic and another VLAN for data traffic from a device connected to the IP phone. All rights reserved. Dynamic access: The port belongs to one VLAN and is dynamically assigned by a VLAN Membership Policy Server (VMPS). Please see page MARCO A. Trunk (IEEE 802.1Q tagging provides a standard method of identifying frames that belong to a particular VLAN by using an internal process that modifies the existing Ethernet frame with the VLAN identification. and name changes across multiple switches.

If the revision number is lower. All rights reserved. The server advertises VLAN configuration information to maintain domain consistency. From the Library of 311 for more details.[ 176 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty How VTP Works Whenever a change occurs in the VLAN database. Inc. ZUNIGA C."new vlan added" © 2008 Cisco Systems. the switch ignores the advertisement. .” has been added. Sync to the latest vlan information 2 1. If the revision number is the same. A VTP domain is one or more interconnected switches that share the same VTP environment. it overwrites its configuration with the new information if the new revision number is higher than the one it already has. VTP cannot cross a Layer 3 boundary. the VTP server notifies all switches in its VTP domain that a new VLAN. the VTP server increments its configuration revision number and then advertises the new revision throughout the VTP domain. the switch replies with the more up-to-date revision number. FIGURE 1-3 Advertising VLAN Configuration Information VTP Domain "ICND" 3. VTP Example In Figure 1-3. Please see page MARCO A. When a switch receives the VTP advertisement. named “ICND. This publication is protected by copyright.

delete. all switch VLAN information is deleted. . delete. VTP Advertisements VTP advertisements are only sent over trunk links. ZUNIGA C. Client: Switch cannot create. Transmits and receives VTP updates over trunk links. or modify VLANs. VLAN Database VLAN information is stored in a file located in flash called vlan. Switch can add. VTP advertisements include n n n n n n VTP domain name VTP configuration revision number Update identity and update timestamp Message digest algorithm 5 (MD5) VLAN configuration Frame format VLAN ID. or transparent. All rights reserved. If this file is deleted. In VTP version 2. Please see page MARCO A. Transparent: Switch does not participate in the VTP domain. name. VLAN configurations are not advertised until a management domain name is specified or learned. client. and modify VLANs locally. and state © 2008 Cisco Systems. The default mode is server mode. From the Library of 311 for more details. and modify VLANs and other configuration parameters for the VTP domain. type. They are flooded over the native VLAN (VLAN1 by default) every five minutes or whenever a change occurs. transparent switches forward VTP advertisements they receive. Following are the VTP modes: n n n Server: Switch can add.[ 177 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VTP Modes A Catalyst switch can operate in three different modes: server. Inc. delete.dat. This publication is protected by copyright.

Inc. Figure 1-4 shows an example of VTP pruning. ZUNIGA C. Version 2 includes the following additional features: n n n n Token Ring support Unrecognized type-length-value Version-dependent transparent mode (forwards VTP messages in transparent mode out all trunk links) Consistency checks VTP Pruning VTP pruning improves bandwidth by restricting broadcasts. and unknown unicasts from flooding the entire domain. . From the Library of 311 for more details. VTP version 1 is the default VTP version. All rights reserved. FIGURE 1-4 VTP Pruning Flooded Traffic is Pruned Switch 4 Port 2 Switch 2 Switch 5 RED VLAN Port 1 Switch 6 Switch 3 Switch 1 © 2008 Cisco Systems. This publication is protected by copyright. Please see page MARCO A.[ 178 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VTP Versions Two versions of VTP exist: version 1 and 2. multicasts.

From the Library of 311 for more details. 5. Configure VTP. Please see page MARCO A. This publication is protected by copyright. Step 2. Step 3. and Trunks The steps to configure VLANs on a Catalyst 2960 switch are as follows: Step 1. © 2008 Cisco Systems. ZUNIGA C. All rights reserved. . because traffic for the red VLAN has been pruned on the links indicated on switches 2 and 4. VLANs. Inc. update traffic from station A is not forwarded to switches 3. Default VTP Configuration The default VTP configuration on a Catalyst 2960 switch is as follows: n n n n n VTP domain: Null VTP mode: Server VTP version: Version 1 VTP password: None VTP pruning: Disabled Configuring VTP. Add VLANs and assign port membership modes. With VTP pruning enabled. a trunk carries traffic for all VLANs in the VTP management domain. and 6.[ 179 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty By default. Define trunks.

password: Can be set for the VTP management domain.[ 180 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VTP Command vtp [mode {server | client | transparent}] [domain domain-name] [password password] [pruning {enable | disable}] [version {1 | 2}] n n n n domain-name: Can be specified or learned (is case sensitive). . From the Library of 311 for more details. version: Setting the version on a server propagates the changes throughout the entire VTP domain. ZUNIGA C. This publication is protected by copyright. Inc. Please see page MARCO A. All rights reserved. and Deleting a VLAN on a 2960 Switch(config)#vlan 10 Switch(config-vlan)#name Accounting © 2008 Cisco Systems. Modifying. The password is case sensitive and must be the same for all the switches in the management domain. Configuring VTP on a 2960 Cat2960(config)#vtp mode server Cat2960(config)#vtp domain CiscoPress Changing VTP domain name from NULL to CiscoPress Cat2960(config)#vtp password ICND Setting device VLAN database password to ICND Cat2960(config)#vtp version 2 Cat2960(config)#vtp pruning Pruning switched on Cat2960#show vtp status Cat2960#show vtp counters Adding. pruning: VTP pruning on a server propagates the changes throughout the entire VTP domain.

The switchport trunk command sets Fast Ethernet or Gigabit Ethernet ports to trunk mode. switchport mode [dynamic {auto | desirable} | trunk] n n n mode dynamic auto allows the interface to convert to a trunk link if the connecting neighbor interface is set to trunk or desirable. or auto. Please see page MARCO A.[ 181 ] SECTION 1 Implementing VLANs and Trunks Switch(config)#vlan 10 Switch(config-vlan)#name Sales Switch(config)#no vlan 10 Switch#show vlan brief CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring a Trunk Link Cisco switches use DTP (Dynamic Trunking Protocol) to negotiate a trunk link. desirable. trunk sets the interface to trunking on. This is the recommended setting. From the Library of 311 for more details. ZUNIGA C. Inc. All rights reserved. This publication is protected by copyright. mode dynamic desirable allows the interface to actively attempt to convert the link to a trunk link. Cat2960(config)#interface g0/1 Cat2960(config-if)#switchport mode trunk Cat2960(config-if)#interface g0/2 Cat2960(config-if)#switchport mode dynamic desirable Cat2960#show interface trunk Defining Allowed VLANs By default. use the following command: switchport trunk allowed vlan {add | all | except | remove} vlan-list © 2008 Cisco Systems. all VLANs (1–4094) are allowed to propagate on all trunk links. The link becomes a trunk if the neighbor interface is set to trunk. . To limit a trunk to allow only specified VLANs.

From the Library of 311 for more details. This publication is protected by copyright. All rights reserved.[ 182 ] SECTION 1 Implementing VLANs and Trunks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty The following command allows only VLANs 10–50 on a trunk link: Cat2960(config-if)#switchport trunk allowed vlan 10-50 Assigning Ports to a VLAN on a 2960 Assigning a single port: Cat2960(config)#interface fastethernet 0/1 Cat2960(config-if-range)#switchport mode access Cat2960(config-if-range)#switchport access vlan 10 Assigning a range of ports: Cat2960(config)#interface range fastethernet 0/1 . Please see page MARCO A. . ZUNIGA C. Inc.12 Cat2960(config-if-range)#switchport mode access Cat2960(config-if-range)#switchport access vlan 10 © 2008 Cisco Systems.

All rights reserved. Redundancy ensures that a single point of failure does not cause the entire switched network to fail. © 2008 Cisco Systems. Figure 2-1 shows a redundant topology. From the Library of 311 for more details. multiple copies of frames. In the absence of the Spanning Tree Protocol (STP). including broadcast storms. Inc. . Please see page MARCO A. multiple loops.[ 183 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 2 Redundant Switching and STP Redundant Switched Topology Issues A redundant topology has multiple connections to switches or other devices. FIGURE 2-1 Redundant Switched Topology Server/Host X Router Y Segment 1 Segment 2 Broadcast Storms The flooding of broadcast frames can cause a broadcast storm (indefinite flooding of frames) unless a mechanism is in place to prevent it. ZUNIGA C. and MAC address table instability. This publication is protected by copyright. Layer 2 redundancy can cause problems in a network.

multiple frame transmissions occur as follows: © 2008 Cisco Systems. All rights reserved. switch B transmits the frame a second time. Switch A checks the destination and floods it to the bottom Ethernet link. Please see page MARCO A. 4. Protocols that use sequence numbering see that the sequence has recycled. This publication is protected by copyright. ZUNIGA C. which is received by switch A. segment 2. 2.[ 184 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty An example of a broadcast storm is shown in Figure 2-2 and can be described as follows: 1. FIGURE 2-2 Broadcast Storm Server/Host X Router Y Segment 1 Broadcast Switch A Switch B Multiple Frame Transmission Some protocols cannot correctly handle duplicate transmissions. From the Library of 311 for more details. Switch B receives the frame on the bottom port and transmits a copy to the top segment. Other protocols process the duplicate frame with unpredictable results. As depicted in Figure 2-3. . The frame travels continuously in both directions. Inc. Host X sends a broadcast frame. Because the original frame arrives at switch B through the top segment. 3.

2. All rights reserved. Note that Router Y has now received the same frame twice. Switch A also receives a copy. they both learn the MAC address for host X and associate it with port 0. it floods the frame on all ports except the originating port. 3. This publication is protected by copyright. When the frame arrives at switches A and B. One copy is received over the direct Ethernet connection. This process repeats indefinitely. Host X sends a frame to Router Y. 2. segment 1. . Host X sends a frame to Router Y. From the Library of 311 for more details. Switch B receives the frame on segment 2 and forwards it to segment 1. 3. If the switch does not find an entry in the MAC address table for Router Y. © 2008 Cisco Systems. FIGURE 2-3 Multiple Frame Transmission Server/Host X Segment 1 Router Y Switch A Switch B MAC Database Instability Database instability occurs when a switch receives the same frame on different ports. Switch A checks the destination address. Figure 2-4 shows how this occurs: 1.[ 185 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 1. Please see page MARCO A. ZUNIGA C. Inc. Switches A and B receive the frame on port 1 and incorrectly associate host X’s MAC address with that port. The frame is flooded out port 1 of each switch (assuming that Router Y’s address is unknown).

[ 186 ] SECTION 2 Redundant Switching and STP FIGURE 2-4 MAC Database Instability Unicast MAC Table Host X= Port 0 MAC Table Host X= Port 1 Switch A Port 1 Port 1 Port 0 Server/Host X CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Router Y Segment 1 Unicast Port 0 Switch B Host X= Port 0 MAC Table Host X= Port 1 MAC Table Multiple Loops Multiple loops can occur in large switched networks. a broadcast storm clogs the network with useless traffic. Figure 2-5 shows an example of multiple loops occurring in a network. This publication is protected by copyright. . Inc. Unlike the time-tolive (TTL) mechanism in IP. Please see page MARCO A. ZUNIGA C. All rights reserved. From the Library of 311 for more details. Ethernet has no built-in mechanism to stop loops after they begin. When multiple loops are present. © 2008 Cisco Systems. Packet switching is adversely affected in such a case and might not work.

This publication is protected by copyright.1d STP by default. If the main link goes down. ZUNIGA C. (DEC) and was revised in the IEEE 802. All rights reserved. The two algorithms are incompatible.[ 187 ] SECTION 2 Redundant Switching and STP FIGURE 2-5 Network Experiencing Multiple Loops Broadcast Loop Server/Host CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Loop Loop Workstations Spanning Tree Protocol Spanning Tree Protocol (STP) prevents looping traffic in a redundant switched network by blocking traffic on the redundant links. . From the Library of 311 for more details. STP was developed by Digital Equipment Corp. © 2008 Cisco Systems. Please see page MARCO A. Catalyst switches use the IEEE 802. STP operation is transparent to end stations. Spanning Tree activates the standby path.1d specification. Spanning Tree Operation STP assigns roles to switches and ports so that only one path is available through the switch network at any given time. Inc.

. Assignment is made by cost. This publication is protected by copyright. Table 2-1 Link Speed Spanning Tree Costs Cost 10 Gbps 1 Gbps 100 Mbps 10 Mbps 2 4 19 100 On the root bridge. From the Library of 311 for more details. Figure 2-6 shows a root bridge. On the root bridge. all ports are set to the forwarding state. and port status. and a single designated port for each network segment. and Port Status Root Bridge SW X Designated Port (F) 100BASE-T Designated Port (F) Root Port (F) Nonroot Bridge Nondesignated Port (B) SW Y 10BASE-T © 2008 Cisco Systems. All rights reserved. FIGURE 2-6 Root Bridge. Nonroot Bridge.[ 188 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty This is accomplished by assigning a single root bridge. only the root port is set to the forwarding state. Table 2-1 shows the costs for switch interfaces. For the nonroot bridge. The port with the lowest-cost path to the root bridge is chosen as the root port. root ports for nonroot bridges. ZUNIGA C. Please see page MARCO A. Inc. The bridge with the lowest-cost path to the root bridge is the designated port. all ports are designated ports. One designated port is assigned on each segment. nonroot bridge.

Each bridge has a unique bridge ID. When switches have the same priority. Figure 2-7 shows switch X as the root bridge. Lowest sender port ID © 2008 Cisco Systems. The bridge with the lowest bridge ID is selected as the root bridge. Inc. the one with the lowest MAC address is the root bridge. This publication is protected by copyright. ZUNIGA C.[ 189 ] SECTION 2 Redundant Switching and STP Spanning Tree must select the following: n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty One root bridge One root port per nonroot bridge One designated port per network segment Selecting the Root Bridge Switches running STP exchange information at regular intervals using a frame called the bridge protocol data unit (BPDU). . The bridge ID contains the bridge MAC address and a priority number. The midrange value of 32768 is the default priority. Lowest path cost to the root bridge 2. Please see page MARCO A. FIGURE 2-7 Root Bridge Selection Switch X Default Priority 32768 (8000 hex) MAC 0c0011111111 BPDU Switch Y Default Priority 32768 (8000 hex) MAC 0c0022222222 Spanning Tree Election Criteria Spanning Tree builds paths from the root bridge along the fastest links. All rights reserved. Lowest sender bridge ID 3. It selects paths according to the following criteria: 1. From the Library of 311 for more details.

Each switch port in a network running STP is in one of the following states listed in Table 2-2. does not learn MAC addresses Receives BPDUs to determine its role in STP. Spanning Tree begins recalculating the network. From the Library of 311 for more details. discards frames Forwards frames. In Figure 2-8. but not all switches receive it at the same time. learns MAC addresses. Please see page MARCO A. Spanning Tree activates previously blocked links. It usually takes 50 seconds for a port to go from the blocking state to the forwarding state. When a link goes down. Inc. if switch X fails. . switch Y does not receive the BPDU. This delay is known as propagation delay. but the timers can be adjusted. switch Y is now the root bridge. If switch X comes back up. Connectivity is reestablished by placing key blocked ports in the forwarding state. the network topology must change. Table 2-2 Port State Blocking Listening Learning Forwarding Spanning Tree Port States Timer Max Age (20 sec) Forward Delay (15 sec) Forward Delay — Actions Receives BPDUs. Spanning Tree recalculates the network. discards frames and MAC addresses Receives and transmits BPDUs. does not learn MAC addresses. This information is sent throughout the network. switches wait until the entire network is updated before setting any ports to the forwarding state. and switch X is once again the root bridge. This publication is protected by copyright. © 2008 Cisco Systems. ZUNIGA C. To prevent temporary loops.[ 190 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Port States Frames take a finite amount of time to travel or propagate through the network. discards frames. Spanning Tree Recalculation When a link fails. If the BPDU is not received before the MAXAGE timer expires. In the figure. receives and transmits BPDUs The forward delay is the time it takes for a port to go to a higher state. All rights reserved.

PortFast is used on access ports that are connected to a single workstation or server to allow these devices to connect to the network immedidately rather than waiting for STP to converge. The workstation can fail to get an IP address because the switch port the workstation is connected to might not have transitioned to the forwarding state by the time DHCP times out. . Please see page MARCO A. Inc. ZUNIGA C.[ 191 ] SECTION 2 Redundant Switching and STP FIGURE 2-8 Spanning Tree Recalculation Switch X MAC 0c0011111111 Default Priority 32768 Port 0 MAXAGE Root Bridge CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 100BASE-T Designated Port Port 0 Root Port (F) Switch Y MAC 0c0022222222 Default Priority 32768 Port 1 Designated Port 10BASE-T BPDU X Port 1 X Nondesignated Port (B) Time to Convergence A network is said to have converged when all ports in a switched network are in either a blocking or forwarding state after a topology change. © 2008 Cisco Systems. PortFast Spanning Tree PortFast is a Cisco feature that causes an access port on a switch to transition immediately from the blocking state to the forwarding state. PortFast is useful if a workstation is configured to acquire an IP address through Dynamic Host Configuration Protocol (DHCP). All rights reserved. thus bypassing the listening and learning states. From the Library of 311 for more details. This publication is protected by copyright.

1D standard BID consisted of the bridge priority and MAC address. and nondesignated port. This is accomplished by reusing a portion of the Priority field as the extended system ID to carry the VID. Because PVST+ requires a separate instance of Spanning Tree for each VLAN. root port. Per-VLAN STP+ (PVST+) PVST+ creates a different spanning-tree instance for each VLAN on a switch. the spanning-tree topology can be configured so that each VLAN has a different root bridge. ZUNIGA C. in PVST+. Therefore. Inc. In PVST+.768. PVST+ Extended Bridge ID PVST+ requires a separate instance of Spanning Tree for each VLAN. . Providing different STP root switches per VLAN creates a more redundant network. PVST+ is enabled by default on Cisco switches running 802.1D. The original 802. All rights reserved. Extended system ID: A 12-bit field carrying the VID. the BID field is required to carry VLAN ID (VID) information. © 2008 Cisco Systems. MAC address: A 6-byte field containing the MAC address of the switch. This publication is protected by copyright. Each VLAN has its own root bridge. From the Library of 311 for more details. The default is 32. Please see page MARCO A. designated port. the BID consists of the following: n n n Bridge priority: A 4-bit field. STP requires that each switch have a unique bridge ID (BID).[ 192 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring PortFast PortFast is configured using the following interface command: SwitchA(config-if)#spanning-tree portfast PortFast can be configured globally on all nontrunking links using the following global command: SwitchA(config-if)#spanning-tree portfast default PortFast can be disabled using the no spanning-tree portfast interface command.

These ports are allowed to immediately enter the forwarding state rather than passively wait for the network to converge. PVRST+ defines a spanning-tree protocol that has one instance of RSTP per VLAN. 802. Multiple Spanning Tree Protocol (MSTP) MSTP (802. the 802. Inc. Please see page MARCO A.1w) significantly speeds the convergence process after a topology change occurs in a switched network. RSTP works by designating an alternative port and a backup port. ZUNIGA C.1D.1Q-2003) allows switches running RSTP to group VLANs into one instance of Spanning Tree. All rights reserved. .1w) Rapid Spanning Tree Protocol (RSTP. a redundant port can take up to 50 seconds to transition from a blocking state to a forwarding state.1D.1D standard. © 2008 Cisco Systems. Table 2-3 shows the new port states in RSTP and describes how they compare to 802. In 802.[ 193 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Rapid Spanning Tree Protocol (802. Each VLAN group has a separate instance of Spanning Tree that is independent of other Spanning Tree instances. which uses one spanning tree instance for the entire switched network.1w standard uses Common Spanning Tree (CST). Table 2-3 Enabled Enabled Enabled Enabled Disabled Port State Comparison STP Port State RSTP Port State Port Included in Active Topology? Operational Status Blocking Listening Learning Forwarding Disabled Discarding Discarding Learning Forwarding Disabled No No Yes Yes No Per-VLAN Rapid Spanning Tree Plus (PVRST+) Like the original 802. From the Library of 311 for more details. This publication is protected by copyright.

All rights reserved. the blocking port in 802. Inc. The port roles in RSTP are as follows: n n n n Root port: The port that received the best BPDU on a switch Designated port: The port that sends the best BPDU on the segment Backup port: A port that receives more useful BPDUs from the same switch it is on and is in a blocking state Alternate port: A port that receives more useful BPDUs from another switch and is in a blocking state In RSTP. FIGURE 2-9 RSTP Port Roles X D X Root D R = Root Port D = Designated Port A = Alternate Port B = Backup Port © 2008 Cisco Systems. However. Also. the alternate port will become the new root port. The root port and designated port roles are the same as they are in 802. . the Spanning Tree Algorithm determines the role of a port based on BPDUs.1D is split into the backup and alternate port roles. and the backup port will become the new designated port.1D. in RSTP. ZUNIGA C.[ 194 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty RSTP Port Roles RSTP has new port roles. Please see page MARCO A. This publication is protected by copyright. if the root port fails. From the Library of 311 for more details. Figure 2-9 shows the new port roles in RSTP.

. RSTP sends a BPDU every hello-time (2 seconds by default). From the Library of 311 for more details. Additionally. Inc. This publication is protected by copyright. Full-duplex is assumed to be point-to-point. Point-to-Point Link A point-to-point link is a link in RSTP that directly connects two switches (an uplink) in full-duplex. Link Type In RSTP. © 2008 Cisco Systems. ZUNIGA C. Edge Port An RSTP edge port is a port that is directly connected to end stations.[ 195 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty New BPDU Format RSTP uses a new BPDU format. the switch considers it has lost connectivity to its direct neighbor and begins to transition to the forwarding state. Because directly connected end stations cannot create bridging loops in a switched network. If a port does not receive three consecutive BPDUs (6 seconds). RSTP uses BPDUs as a keepalive mechanism. and a half-duplex link is considered a shared point. Please see page MARCO A. Edge ports are configured using the spanning-tree portfast interface command. All rights reserved. the edge port directly transitions to the forwarding state. The link type is automatically derived from the duplex mode of a port. a link can only rapidly transition to a forwarding state on edge port and on point-to-point links.

UplinkFast. the switch with the lowest MAC © 2008 Cisco Systems.[ 196 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring RSTP Cisco Catalyst switches support three types of STP: n n n PVST+ PVRST+ MSTP The default STP for Cisco Catalyst switches is PVST+. Step 3. Designate and configure a switch to be the root bridge. Step 2. Designate and configure a switch to be the secondary (backup) root bridge. Step 4. one root bridge for all VLANs. enables PVRST+ on a Cisco Catalyst switch: SwitchA(config)#spanning-tree mode rapid-pvst Configuring the Root and Backup Root Switch In STP. Verify the configuration. perform the following steps: Step 1. The BID consists of the bridge priority and the switch MAC address. The Cisco version of PVST+ includes proprietary extensions such as BackboneFast. with a separate STP instance for each VLAN. This publication is protected by copyright. Because all Cisco switches have the same bridge priority (32768). as follows. All rights reserved. . and PortFast. Enable PVRST+. Enabling PVRST+ The spanning-tree mode rapid-pvst global command. To configure PVRST+. Please see page MARCO A. From the Library of 311 for more details. and no load sharing. Inc. the root switch is the switch with the lowest bridge ID (BID). ZUNIGA C.

To specify a switch to be the root switch. and the older switch will be the root bridge. Please see page MARCO A. as follows: Cat2960(config)#spanning-tree vlan 1 root secondary Verifying PVRST+ To verify whether RSTP is enabled on a switch. the following command configures the switch to be the root switch for only VLAN 1: Cat2960(config)#spanning-tree vlan 1 root primary The spanning-tree root primary command increases the switch priority (lowering the numerical value) so that the switch becomes the root bridge and forces Spanning Tree to perform a recalculation. this is not desired.65ac.5040 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24606 (priority 24576 sys-id-ext 30) Address 000d. use the following global command: spanning-tree vlan vlan-number root primary For example. To configure the backup root switch. use the show spanning-tree vlan vlan-number command. . ZUNIGA C.5040 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec © 2008 Cisco Systems. use the spanning-tree vlan vlan-number root secondary global command. For example. In many cases.65ac. Inc. This publication is protected by copyright. an older (and potentially slower) switch will have a lower MAC address than a newer switch. as follows: SwitchA#show spanning-tree vlan 1 VLAN0001 Spanning tree enabled protocol rstp Root ID Priority 24606 Address 000d. All rights reserved. From the Library of 311 for more details.[ 197 ] SECTION 2 Redundant Switching and STP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty address will be the root bridge.

ZUNIGA C. If one of the physical links in the EtherChannel group fails.2 Type —— P2p P2p CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty EtherChannel EtherChannel is a Cisco feature that allows combining of up to eight physical links into one logical connection. and 10 Gigabit Ethernet links can be configured for EtherChannel. the other links still forward traffic. Thus with EtherChannel. This logical connection load-balances traffic between the physical links and is seen by Spanning Tree as one link.Nbr ———— 128. Ways to secure the network include n n n Physical security Switch security (switch authentication) Port-based authentication © 2008 Cisco Systems. All rights reserved. you must ensure that the network is secure from unauthorized activity. This publication is protected by copyright. instead of a redundant link not being used.[ 198 ] SECTION 2 Redundant Switching and STP Aging Time 300 Interface ————Gi0/1 Gi0/2 Role —— Desg Desg Sts —FWD FWD Cost —— 4 4 Prio. Inc. Securing the Expanded Network As also mentioned in ICND1. From the Library of 311 for more details.1 128. Gigabit Ethernet. Fast Ethernet. EtherChannel provides an easy way to increase network bandwidth. Please see page MARCO A. . all physical links are forwarding traffic.

[ 199 ]

SECTION 2 Redundant Switching and STP

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Physical Security
Physical security prevents unauthorized physical access to switches. This means that switches are in a secure location (for example, a locked closet and rack), with only authorized personnel allowed to access the devices.

Switch Security
Switch security, also called switch-based authentication, prevents unauthorized users from accessing the switch remotely and viewing or changing the configuration of a switch. Switch-based authentication includes
n n n n n n n n n n n

Setting privilege-level passwords Setting enable passwords Setting Telnet passwords Setting console passwords Setting username and password pairs with different levels of access Controlling switch access with a TACACS+ or RADIUS authentication server Configuring the switch to use Secure Shell (SSH) instead of Telnet Configuring HTTPS on the switch Disabling unneeded services, such as tcp-small-servers, udp-small-server, finger, and the service config Using warning banners Configuring switch logging

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 200 ]

SECTION 2 Redundant Switching and STP

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Implementing and Verifying Port Security
Port security limits the number of MAC address allowed per port and can also limit which MAC addresses are allowed. Allowed MAC addresses can be manually configured or dynamically learned by the switch. The interface command to configure port security is as follows:
switchport port-security [mac-address mac-address | mac-address sticky [mac-address] | maximum value | violation {restrict | shutdown}

n n n n

switchport port-security mac-address mac-address: Manually configures the port to use a specific MAC address. switchport port-security mac-address sticky: Configures the switch to dynamically learn the MAC address of the device attached to the port. switchport port-security maximum value: Configures the maximum number of MAC addresses allowed on the port. The default value is 1. switchport port-security violation {restrict | shutdown}: Configures the action to be taken when the maximum number of MAC addresses is reached and when MAC addresses not associated with the port try to access the port. The restrict parameter tells the switch to restrict access to learned MAC addresses that are above the maximum defined addresses. The shutdown parameter tells the switch to shut down all access to the port if a violation occurs.

The following example demonstrates how to configure port security:
Cat2960(config)#int f0/1 Cat2960(config-if)#switchport mode access Cat2960(config-if)#switchport port-security Cat2960(config-if)#switchport port-security max 1 Cat2960(config-if)#switchport port-security mac-address sticky Cat2960(config-if)#switchport port-sec violation restrict

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 201 ]

SECTION 2 Redundant Switching and STP

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

To verify port security, use the show port-security command, as follows:
Cat2960#show port-security Secure Port MaxSecureAddr (Count) Fa0/1 1 CurrentAddr (Count) 0 SecurityViolation (Count) 0 : 0 Restrict Security Action

——————————————————————————————————————————————————————————————————————————Total Addresses in System (excluding one mac per port) Max Addresses limit in System (excluding one mac per port) : 8320

Securing Unused Ports
To secure unused ports, either disable the port or place the port in an unused VLAN. A switch port is disabled by issuing the shutdown interface command.

Port-Based Authentication
Port-based authentication prevents unauthorized devices from gaining access to the network. Based on 802.1x, port-based authentication requires a client to be authenticated to a server before it is allowed on the LAN. 802.1x is a standards-based method that defines client-server–based access control and has the following device roles, as displayed in Figure 2-10:
n n n

Client: The device (workstation) that requests access to the LAN. Must be running 802.1x-compliant client software. Authentication server: Performs the authentication of the client, validating the identity of the client. Currently, a RADIUS server with Extensible Authentication Protocol (EAP) is the only supported authentication server. Switch: Controls the physical access to the network based on the authentication status of the client. Acts as a proxy between the client and authentication server.
© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 202 ]

SECTION 2 Redundant Switching and STP
FIGURE 2-10
802.1x Device Roles
802.1x Client 802.1x Switch

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

802.1x RADIUS Authentication Server

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 203 ]

SECTION 3 Troubleshooting Switched Networks

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Section 3 Troubleshooting Switched Networks
In a switched environment, typical issues include physical issues or hardware problems, Layer 2 issues, and configuration issues. Physical issues can include port failures, network interface card (NIC) failures, and port configuration issues. Layer 2 issues can include links not properly trunking, CAM table inconsistencies (the CAM table is the table that stores all the MAC addresses and the ports associated with the MAC addresses), or spanning-tree issues. Configuration issues can include these issues and inconsistencies in configuration such as VTP, VLANs, or Spanning Tree.

General Troubleshooting Suggestions
The following are three suggestions to general switch troubleshooting:
n n n

Become familiar with normal switch operation. Have an accurate physical and logical map of the network. Do not assume a component is working without checking it first.

Troubleshooting Port Connectivity Problems
Common causes for port connectivity problems include hardware issues, configuration issues, and traffic issues.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

[ 204 ]

SECTION 3 Troubleshooting Switched Networks

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Hardware Issues
n n n n

Check the port status of the ports involved. Make sure that the ports are enabled and not shut down. Check the cable. Make sure that the cable is good and that the proper cable type is used. Check for loose connections. Make sure that the cable is plugged in to the correct port.

Cable Type
When using copper cabling, make sure you are using the correct cable type for the connection you are making. Straight-through RJ-45 cables connect nonsimilar devices to each other: data terminal equipment (DTE) devices (end stations, routers, or servers) to a data communications equipment (DCE) device (switch or hub). Crossover cables typically connect simialar devices, such as when connecting one switch to another. Figure 3-1 shows the pin-outs for a crossover cable.
FIGURE 3-1
Crossover Cable and Pin-Outs
Cable 10BASE-TX 100BASE-T Straight-Through Straight-Through Cable

8 Hub/Switch Pin Label 1 RD+ 2 RD– 3 TD+ 4 NC 5 NC 6 TD– 7 NC 8 NC Server/Router Pin Label 1 TD+ 2 TD– 3 RD+ 4 NC 5 NC 6 RD– 7 NC 8 NC 1
8 1 8

1 8
1

wowbwgwbr o b g br

wowbwgwbr o b g br

Wires on Cable Ends Are in Same Order.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.

txload 1/255. . SwitchA#show interface g0/1 GigabitEthernet0/1 is up. 0 no buffer Received 20320 broadcasts (12683 multicast) 0 runts. 0 deferred 0 lost carrier. 0 collisions.5040 (bia 000d. or statistics and errors. This publication is protected by copyright. The following command shows the information for interface g0/1. 7 packets/sec 1476671 packets input. line protocol is up (connected) Hardware is Gigabit Ethernet Port. output flow-control is off ARP type: ARPA. 0 interface resets 0 babbles. 0 underruns 0 output errors. The highlighted areas are areas you should be familiar with. 363178961 bytes. address is 000d. Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 10000 bits/sec.[ 205 ] SECTION 3 Troubleshooting Switched Networks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Verify Port Information To view port information. 1000Mb/s. such as port type. 0 no carrier 0 output buffer failures. 0 ignored 0 input packets with dribble condition detected 1680749 packets output. loopback not set Keepalive set (10 sec) Full-duplex. DLY 10 usec. 0 overrun. 0 output buffers swapped out © 2008 Cisco Systems. Inc. 0 giants. BW 1000000 Kbit. use the show interface interface-id privileged EXEC command. rxload 1/255 Encapsulation ARPA. output hang never Last clearing of “show interface” counters never Input queue: 0/2000/0/0 (size/max/drops/flushes). link type is auto. All rights reserved. reliability 255/255. ARP Timeout 04:00:00 Last input 00:00:09. 880704302 bytes. Please see page MARCO A. media type is 1000BaseSX input flow-control is on. speed. From the Library of 311 for more details. ZUNIGA C.65ac. 0 frame. 0 throttles 0 input errors.65ac. output never. 8 packets/sec 5 minute output rate 10000 bits/sec. duplex settings.5040) MTU 1500 bytes. 0 late collision. 0 CRC.

Excessive runts: Runts are frames smaller than 64 bytes with a bad frame check sequence (FCS). Please see page MARCO A. © 2008 Cisco Systems. The cause is usually a faulty NIC. Excessive collisions: Duplex mismatch. oversaturated medium. Port Connectivity Problem Summary n n n n Become familiar with normal switch operation. ZUNIGA C. Have an accurate physical and logical map of the network. Check port status of ports involved. Excessive giants: Giants are frames greater than the Ethernet maximum transmission unit (MTU) of 1518 bytes. This publication is protected by copyright. Inc. . Do not assume that a component is working without checking it first.[ 206 ] SECTION 3 Troubleshooting Switched Networks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Port Errors The following are reasons for common port errors: n n n n “errDisable” message: EtherChannel misconfiguration. All rights reserved. make sure that your routing is configured correctly. native VLAN mismatch. Bad cabling or inconsistent duplex settings cause runts. or distance between the two switches exceeds the cable specifications. duplex mismatch. make sure that they are on the same VLAN. Troubleshooting VLANs The first step in troubleshooting VLANs is to check the VLAN configuration. If hosts cannot communicate between VLANs. From the Library of 311 for more details. Unidirectional Link Detection (UDLD). BPDU port-guard has been enabled on the port. faulty port. If hosts cannot communicate with each other.

Inc. NICs on the segment do not have compatible settings.[ 207 ] SECTION 3 Troubleshooting Switched Networks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VLAN problems are classified into two categories: intraVLAN and interVLAN connectivity. . From the Library of 311 for more details. All rights reserved. ZUNIGA C. Faulty NICs. Please see page MARCO A. Troubleshooting Slow IntraVLANs Cause for slowness between hosts on the same VLAN can be caused by n n n n n Traffic loops Overloaded or oversubscribed VLAN Switch congestion Misconfiguration Hardware problems © 2008 Cisco Systems. Bad cabling on the segment. This publication is protected by copyright. Problems within each category are as follows: n n n Slow collision domain connectivity Slow broadcast domain connectivity (slow VLAN) Slow broadcast domain interVLAN connectivity Troubleshooting Collision Domain Issues Causes for collision domain issues include the following: n n n n The segment is overloaded or oversubscribed.

For example. Here are some common trunking issues: n n n Both sides of the links are not set to the correct trunking mode. Troubleshooting Trunking Most trunking problems occur because of misconfiguration on the trunking links. This publication is protected by copyright. All rights reserved. A native VLAN mismatch exists.[ 208 ] SECTION 3 Troubleshooting Switched Networks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Troubleshooting InterVLAN Connectivity Most interVLAN connectivity issues are caused by misconfiguration. From the Library of 311 for more details. However. client. first verify that the interfaces are physically working. The domain name is case sensitive. A common indication that a switch is experiencing a VTP problem is when the switch is not receiving or updating its VLAN information. both sides of the link are set to auto. Inc. If using a VTP password. The same trunking encapsulation is not used on both sides. The following are common things to check when troubleshooting VTP problems: n n n n Make sure that trunking is configured between the switches. The password is case sensitive. or transparent. make sure that the password is the same on both switches. Troubleshooting VTP VTP problems occur when a misconfiguration exists between the switches and VTP information is not propagating. VTP information is sent over trunk links. © 2008 Cisco Systems. Please see page MARCO A. ZUNIGA C. Verify that the switch is in the proper mode: server. Make sure that the domain name matches on both switches. InterVLAN routing was probably not properly configured and needs to be configured to route between the VLANs. .

If a new switch is added to the network. STP works at Layer 2 of the OSI model. the new switch will overwrite all VLAN information in the VTP domain.[ 209 ] SECTION 3 Troubleshooting Switched Networks CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Adding a New Switch to a VTP Domain By default. If a bridging loop is found. All rights reserved. resulting in lost VLANs. change the VTP domain name back to the proper VTP domain name. all Cisco switches are VTP servers. From the Library of 311 for more details. If this is the cause. © 2008 Cisco Systems. Use the following commands to view Spanning Tree information and see whether a loop exists in the network: n n n show spanning-tree: Displays the root ID. A failure in Spanning Tree usually leads to a bridging loop. To identify a bridging loop. . This publication is protected by copyright. and priority time for all VLANs in STP. bridge ID. check the port utilization on your devices and look for abnormal values. ZUNIGA C. debug spanning-tree: Verifies receipt of BPDUs and troubleshoots other Spanning Tree errors. show spanning-tree vlan vlan-id: Displays STP information for a specific VLAN. Troubleshooting Spanning Tree Spanning Tree’s primary function is to prevent loops from occurring in a redundant switched network. Inc. disable the redundant ports to break the loop. and add the switch to the network. its revision number might be higher than the revision number of the actual VTP server. To prevent this from occurring. reset the revision number on the new switch to 0 by changing its VTP domain name on the switch. Please see page MARCO A.

. From the Library of 311 for more details. Possible routes: Likely routes to get from source to destination. A router needs the following key information. ZUNIGA C.[ 210 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Part II: Routing Section 4 Routing Operations and VLSM Routing Overview Routing is the process of getting packets and messages from one location to another. This includes the subnet address. The router learns about routes in one of two ways: n n Manually (routing information entered by the network administrator) Dynamically (a routing process running in the network) © 2008 Cisco Systems. All rights reserved. This publication is protected by copyright. Status of routes: Known paths to destinations. Best route: The best path to the intended destination. Inc. as displayed in Figure 4-1: n n n n Destination address: The destination (typically an IP address) of the information being sent. A router is constantly learning about routes in the network and storing this information in its routing table. The router uses its table to make forwarding decisions. Please see page MARCO A.

ZUNIGA C.2.120.2. Dynamic routing uses routing protocols to disseminate knowledge throughout the network. A routing protocol defines communication rules and interprets network layer address information. All rights reserved.0 E0 S0 Network Protocol Destination Network Exit Interface Routed Protocol: IP Connected Learned 10.120.[ 211 ] SECTION 4 Routing Operations and VLSM FIGURE 4-1 Information Needed by Router for Routing 10. Inc.0 E0 S0 Dynamic Routing Overview Routing protocols determine paths between routers and maintain routing tables.1.16. . This publication is protected by copyright. Please see page MARCO A.16. From the Library of 311 for more details.0 172.1. Routing protocols describe the following: n n n n Routing update methods Information contained in updates When updates are sent Paths to other routers © 2008 Cisco Systems.0 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 172.

Interior gateway protocols (IGP). The administrative distance metric is an integer from 0 to 255. Figure 4-2 shows autonomous systems and where IGPs and EGPs are used. From the Library of 311 for more details. FIGURE 4-2 Autonomous Systems IGPs: RIP. A Border Gateway Protocol (BGP) is an example of an EGP. ZUNIGA C. EIGRP. Exterior gateway protocols (EGP) connect between autonomous systems. Inc. the router uses an administrative distance (AD) value to rate the trustworthiness of each routing information source. This publication is protected by copyright. Figure 4-3 shows that Router A has two paths to network E learned from RIP and EIGRP. Because Interior Gateway Routing Protocol (IGRP) has a lower AD than RIP. All rights reserved. © 2008 Cisco Systems. .[ 212 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Autonomous Systems An autonomous system refers to a group of networks under a common administrative domain. exchange routing information within an autonomous system. In general. Router A will pick the path advertised by IGRP. Please see page MARCO A. such as Routing Information Protocol (RIP) and Enhanced IGRP (EIGRP). When more than a single source of routing information exists. a route with a lower number is considered more trustworthy and is more likely to be used. OSPF EGPs: BGP Autonomous System 100 Autonomous System 200 Administrative Distance Several routing protocols can be used at the same time in the same network.

All rights reserved. Please see page MARCO A. Inc. Table 4-1 Default Administrative Distance Values Default Distance Route Source Connected interface Static route EIGRP IGRP OSPF RIP External EIGRP Unknown 0 1 90 100 110 120 170 255 © 2008 Cisco Systems. . This publication is protected by copyright. From the Library of 311 for more details. Which route is best? CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty EIGRP Administrative Distance=100 B A RIP Administrative Distance=120 C D E Table 4-1 shows the default administrative distance values.[ 213 ] SECTION 4 Routing Operations and VLSM FIGURE 4-3 Administrative Distance Determines Path I need to send a packet to Network E. ZUNIGA C. Both Router B and C will get it there.

End stations in different segments (broadcast domains) cannot communicate with each other without the use of a Layer 3 device such as a router. Figure 4-4 shows a router attached to a switch. This setup is called “router on a stick. this protocol re-creates the topology of the entire network. For interVLAN routing with a router. RIPv2 is a distance vector protocol. Inc. which forwards them to the other VLAN. .[ 214 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Routing Protocol Classes The following three basic routing protocol classes exist: n n n Distance vector: Uses the direction (vector) and distance to other routers as metrics. Balance hybrid: Combines the link-state and distance vector algorithms. Link-state: Also called shortest path first. From the Library of 311 for more details. each VLAN must have a separate physical connection on the router. This publication is protected by copyright. InterVLAN routing is handled by either a router or a Layer 3 switch. ZUNIGA C. The end stations in the two VLANs communicate with each other by sending packets to the router. performed at Layer 2. or trunking must be enabled on a single physical connection for interVLAN routing to work.” © 2008 Cisco Systems. Open Shortest Path First (OSPF) and Intermediate System–to–Intermediate System (IS-IS) are link-state protocols. All rights reserved. InterVLAN Routing VLANs create a logical segmentation of Layer 3. EIGRP is a balanced hybrid protocol. Please see page MARCO A.

A single port can have many subinterfaces. This publication is protected by copyright. A subinterface is a logical.3 FastEthernet 0/0 © 2008 Cisco Systems.1 FastEthernet 0/0. ZUNIGA C. Router on a stick requires a Fast Ethernet (or Gigabit Ethernet) port. addressable interface on the router’s physical port. From the Library of 311 for more details.1. FIGURE 4-5 Using Subinterfaces FastEthernet 0/0. Inc.1.1 Q CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Router On a Stick VLAN 1 VLAN 2 10. . All rights reserved.2 10.2 FastEthernet 0/0. FastEthernet 0. Please see page MARCO A.1.[ 215 ] SECTION 4 Routing Operations and VLSM FIGURE 4-4 Router on a Stick 802. with one subinterface configured per VLAN. In Figure 4-5.2. the FastEthernet 0/0 interface is divided into multiple subinterfaces (FastEthernet 0.2.2. and so on).2 Dividing Physical Interfaces into Subinterfaces InterVLAN routing using router on a stick requires the use of subinterfaces.

255. . 10.20.” Each router receives updates from its direct neighbor. For large networks.1 255. for example). Distance Vector Routing Routers using distance vector–based routing share routing table information with each other.168. first create a subinterface and then configure the subinterface with the encapsulation dot1q vlan-id command.1 255. where the vlan-id is the VLAN number of the associated VLAN. Please see page MARCO A.255.10 RouterB(config-if)#ip address 192. In the previous example.168. use a Layer 3 switch to perform interVLAN routing. respectively. the native VLAN is not encapsulated.1 255. In this case.0 RouterB(config-if)#encapsulation dot1q 10 RouterB(config-if)#int f0/0.168. This method of updating is called “routing by rumor.10 and f0/0. ZUNIGA C. From the Library of 311 for more details. and 20: RouterB(config)#int f0/0 RouterB(config-if)#ip address 192. The following example enables interVLAN routing for VLANs 1. This publication is protected by copyright. all traffic must go through the router’s interface.20 RouterB(config-if)#ip address 192.[ 216 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Subinterfaces for InterVLAN Routing To configure interVLAN routing on a router.0 RouterB(config-if)#int f0/0. By using subinterfaces for interVLAN communication. VLAN 1 is the default native VLAN if not otherwise specified with the dot1q vlan-id native command.10. the physical interface f0/0 is in the native VLAN because the encapsulation dot1q command is not configured.255. Each router increments the metrics as they are passed on (incrementing hop count. © 2008 Cisco Systems.20 were configured for 802.1. Inc.1Q. Router B shares information with Routers A and C.255. Router C shares routing information with Routers B and D.255.0 RouterB(config-if)#encapsulation dot1q 20 Remember that in 802. In Figure 4-6. this can cause a bottleneck. To prevent a bottleneck. All rights reserved.255.1Q tagging and are therefore in VLANs 10 and 20. the routing information is distance vector metrics (such as the number of hops). The subinterfaces f0/0.

[ 217 ] SECTION 4 Routing Operations and VLSM FIGURE 4-6 Distance Vector Route Information C Distance—How Far? Vector—In Which Direction? D B CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty A D C Routing Table B A Routing Table Routing Table Routing Table Distance accumulation keeps track of the routing distance between any two points in the network. From the Library of 311 for more details. routers accumulate metrics and learn the best paths to various destinations. each directly connected network has a distance of 0. © 2008 Cisco Systems. which is directly connected. . In Figure 4-7. This publication is protected by copyright. ZUNIGA C. For example. Router A increments the distance metric for any route learned by Router B. All rights reserved. As the network discovery proceeds. Router B increments its distance metrics by 1 and sends them to Router A. Please see page MARCO A. Router A learns about other networks based on information it receives from Router B. Inc. Router B knows about the networks to Router C. How Information Is Discovered with Distance Vectors Network discovery is the process of learning about nondirectly connected destinations. but the routers do not know the exact topology of an internetwork.

4.0 S0 0 0 1 1 Routing Table 10. Bandwidth: An administrative value that usually reflects the link speed of an interface.0.0 S0 10. Delay: A fixed attribute based on interface type.0 E0 A S0 10.0.3.0. All rights reserved. This publication is protected by copyright. n n n n © 2008 Cisco Systems.0.0 S0 B S1 10. Inc. Usually based on bandwidth.0. Metrics can be calculated based on one or more characteristics of a path.0 S0 0 0 1 2 Examining Distance Vector Routing Metrics Distance vector routing protocols use routing algorithms to determine the best route. For example.4. even if the link speed is greater than 1544 kbps.0 E0 Routing Table 10. the better the path.3.0. Please see page MARCO A. ZUNIGA C.0. MTU (maximum transmission unit): The maximum frame size allowed on the link. Commonly used metrics are as follows: n n Cost: An arbitrary value based on a network administrator–determined value.0 S0 10.0. Load: The amount of activity on a network resource.2.0 S1 10.1.0.4.0 E0 10. Reliability: The bit-error rate of each network link. These algorithms generate a metric value for each path through the network.3. such as a router or link.0.2.0.1.0.0 S0 C CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 10.0 S1 10.1. .[ 218 ] SECTION 4 Routing Operations and VLSM FIGURE 4-7 Network Discovery for Distance Vector 10.0.3. This is not based on the actual link speed of an interface. the default value of serial links is 1544 kbps.0 S0 10.2.4.0.1.0.0 S0 10. The lower the metric.0.0 S0 0 0 1 2 Routing Table 10.0 S0 10.2.0 E0 10. From the Library of 311 for more details.

During updates. How Routing Loops Occur in Distance Vector Protocols During updates. The table includes the total path cost (defined by its metric) and the logical address of the first router on the path to each destination network. with a hop count of 2.0. all routers have correct tables. A Topology Change Causes Routing Table Update. In Figure 4-8. This publication is protected by copyright. © 2008 Cisco Systems. Router C is directly connected to network 10. Inc. From the Library of 311 for more details. FIGURE 4-8 Routing Table Updates Process to Update this Routing Table Process to Update this Routing Table B Router A Sends Out this Updated Routing Table After the Next Period Expires. Figure 4-9 illustrates how a routing loop occurs. All rights reserved. . If the update contains information about a better (lower-metric) route to a destination. Therefore. Figure 4-9 uses hop count as a cost metric.[ 219 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Updating Routing Tables A router compares the information contained in the update to its current table. it adds 1 to all costs reported by Router A.4.0. Please see page MARCO A.0 is through Router B. Router A’s path to network 10. The network is converged when all routers have consistent routing tables. ZUNIGA C. with a distance of 0. routing loops can occur if the network has inconsistent routing entries. Slow convergence on a new configuration is one cause of this phenomenon. so the cost of each link is 1.4. the router updates its own routing table. Router B is one unit of cost from Router A. the router sends its entire routing table to each of its adjacent neighbors. Before a network failure.0.

2.4.0 S0 C CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 10. called counting to infinity.0 E0 Routing Table 10.4.2. Routers A and B still do not know of the failure.0.0 S0 B S1 10.3.3. Inc.0 S0 1 10. .0. This condition. Router A’s table still shows a valid path to 10.4.0.0.0 through Router B.0.0. With each update.1.0 S1 10.0.0 E0 10.1.[ 220 ] SECTION 4 Routing Operations and VLSM FIGURE 4-9 Hop Count as a Cost Metric 10.0 with a hop count of 2 (remember.0 as 4.0 S0 Infinity 10. This publication is protected by copyright.0 S1 10.2. continuously loops packets around the network.0.4.4.0 E0 A S0 10.0 S0 10.2. At this point.4. ZUNIGA C.0 E1 0 0 1 2 Routing Table 10.0.0 S0 0 10. From the Library of 311 for more details. and Router C detects the failure and stops routing packets to that network.0 S0 2 In Figure 4-10.1.0 fails. If Router B sends out its normal update to Routers A and C. Now Router C sends an update back to Router B.0.0 S0 10. All rights reserved. Please see page MARCO A. the incorrect information continues to bounce between the routers.4. B has incremented the hop count for A).0 S0 0 0 1 2 Routing Table 10.0.1.0.0 through Router B and updates its routing table to reflect a path to network 10.3.0. © 2008 Cisco Systems.0.0.3.0. network 10.0 S0 10. which then updates Router A.0. Without some mechanism to prevent this.0.0.0.0. the updates continue.4. Router A detects the modified distance vector to network 10. Router C sees a valid path to 10.4.

© 2008 Cisco Systems.0 S0 0 0 1 1 Routing Table 10.0.0 S0 0 0 1 2 C Routing Table 10.4.0.0.0.0.0 E0 10.0 S1 10.0 A S0 10.2.4.0.0. Inc.0 S0 B S1 10.1. thus speeding convergence.0 S0 10.0 S0 C CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 10.0 S0 B S1 10.0 S0 1 10.0 S0 10.0 S1 10.1.3.0 X E0 Routing Table 10.3.0. this is interface Serial 0 for Router A and interface Serial 1 for Router B.0 E0 10.0 S0 10.0 S0 0 0 1 2 C Routing Table 10.0.3.4.0.0.2.2.0 E0 Routing Table 10.0 S0 10.0.0. Split horizon also eliminates unnecessary routing updates.3.0 S0 2 10.0 S1 10.0 S0 C 10.0.4.0 S0 10.0.0. All rights reserved.2. This publication is protected by copyright.0 S1 10.0. ZUNIGA C.1.0 E0 Down 10. .4. In this case.2.4.0.3.0 S0 10.0.2.3.1.1.4.0. From the Library of 311 for more details. If the router has no valid alternative path to the network. it is considered inaccessible.2. Figure 4-11 shows the same network.0.0 S0 0 10.0.0.0.0.0.0. Routers A and B do not advertise the failed route 10.0 out of the interfaces they originally learned the route.0.0 E0 A S0 10.[ 221 ] SECTION 4 Routing Operations and VLSM FIGURE 4-10 Counting to Infinity E0 10. Please see page MARCO A.0 S0 0 0 1 1 Routing Table 10.3.0 S0 10.1.0 E0 10.0 S0 10.1.2.1.0.1.3.0.4.0 S0 0 0 1 1 Split Horizon Split horizon is one way to eliminate routing loops and speed convergence.0.0.4. The idea behind split horizon is that it is never useful to send information about a route back in the direction from which the update came.

0 E0 10.4.0 E0 10.1.0. From the Library of 311 for more details.0.0 S0 10.” By poisoning a route.0.3.0.0 E1 0 0 1 2 Routing Table 10.0.[ 222 ] SECTION 4 Routing Operations and VLSM FIGURE 4-11 Split Horizon Eliminates Routing Loops 10.0 E1 0 0 1 2 Routing Table 10. All rights reserved.0. Router C “poisons” its link to network 10.0.0.2.0.3. When network 10.0.0 S0 10. Route poisoning sets a route to “unreachable.0 S0 1 10. the router is not susceptible to incorrect updates about the poisoned network from other routers that claim to have a valid alternate path.1.0.0. This publication is protected by copyright.3.4.0 S0 0 10. seen as a hop count of 16 in RIP).4.0.0.0 A E0 S0 S0 10.0 S0 Infinity 10.4.4.0 goes down.0 E0 A S0 10.0.3. ZUNIGA C.4.2.2.0 B S1 10.2.0 S0 10.1.0 S0 0 0 1 2 Routing Table 10.0.0. Inc.4.0 S0 B S1 10.3.0.1.1.0.1.0 S0 10.0 S0 0 0 1 2 Route Poisoning Route poisoning (part of split horizon) also eliminates routing loops caused by inconsistent updates.0 S1 10.0.0.0.2.0 S0 10.0 S0 10.2. FIGURE 4-12 Route Poisoning Eliminates Routing Loops 10.1.0.0 E0 Routing Table 10.0 S0 C CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 10.0 S0 10.0.3.3.0 with an infinite metric (marked as unreachable.0. .4. Figure 4-12 shows an example of route poisoning.0.0 S1 10.0 S1 10.0 S0 10.0 E0 Routing Table 10.0 S0 0 0 1 2 Routing Table 10.0.0.4. Please see page MARCO A.0.0.4.0.0.2.0 S0 2 © 2008 Cisco Systems.0.2.3.0 S0 C 10.0 S1 10.0 S0 10.0.1.

ZUNIGA C.3. From the Library of 311 for more details. Router B sends a poison reverse back to Router C.0.0 E0 10. Please see page MARCO A.3.1.0.1. Poison Reverse In Figure 4-13.0.0 jump to infinity.0.0.0 jump to infinity.2. The following two problems exist with triggered updates: n n The update message can be dropped or corrupted. This message ensures that all routers on that segment have received information about the poisoned route.0.4.0.1.0.0 S1 10.3.0. Inc.1. when Router B sees the metric to 10.0 is inaccessible.4.0 S0 B S1 10.3.0.4.2.0. © 2008 Cisco Systems.0 S0 0 0 1 2 Routing Table 10.0. All rights reserved.2. If this happens.0.0.0.0. it sends a return message (overriding split horizon) called a poison reverse back to Router C.0 S0 C 10. the bad route can be reinserted into a router that received the triggered update. Router C is no longer susceptible to incorrect updates about network 10.4.2.0 E0 A S0 10.0. This publication is protected by copyright.0 E1 Poison Reverse 0 0 2 Routing Table 10. The poison reverse states that network 10.4.0 S0 Infinity 10.4.0 S0 0 10. FIGURE 4-13 Using Poison Reverse to Broadcast Information About a Failed Route 10.4. which then generate their own triggered updates.0 S0 10. The updates do not happen instantly.0 S0 1 10. The router detecting the change immediately sends an update message to adjacent routers.[ 223 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty When Router B sees the metric of 10.4.0.0 E0 Routing Table 10.4.0 S0 10.0 S1 10. A router can issue a regular update before receiving the triggered update. stating that network 10.0 S0 2 Possibly Down Triggered Updates A triggered update is sent immediately in response to a change in the network.0.0.0.0 is inaccessible. Poison reverse is a specific circumstance that overrides split horizon.0 S0 10.0. This continues until the network converges. .

2.4.0.0 S1 S0 Network 10.4. . ZUNIGA C. Then Back Up.0. 1. Figure 4-14 shows the hold-down implementation process. it marks the route as inaccessible and starts a hold-down timer.0 S0 B Update After Hold-down Time.0 10. From the Library of 311 for more details. This publication is protected by copyright.0.0 Is Down.0.0 E0 A S0 10.0. the router removes the timer and uses the new metric. This allows the triggered update to propagate throughout the network. Then Back Down. Inc. Hold-Down Timers Hold-down timers prevent regular update messages from inappropriately reinstating a route that might have gone bad.4. When a router receives an update that a network is down. 10. They force routers to hold any changes for a period of time.4. which is described in the following list: FIGURE 4-14 Hold-Down Timer Process 10. 10.0.0. If an update is received from a neighboring router with a better metric. Please see page MARCO A.2. Network 10. © 2008 Cisco Systems.3.0 Is Unreachable. no new route with the same or a worse metric will be accepted for the same destination for a period of time.1.0 E0 C Update After Hold-down Time. All rights reserved.[ 224 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Solution: Hold-down timers dictate that when a route is invalid.

. During the hold-down period. All rights reserved. If an update is received (before the hold-down timer expires) with a poorer metric. link-state routing maintains full knowledge of distant routers and how they interconnect. Inc. the update is ignored. each router has a full map of the network topology. © 2008 Cisco Systems. routes appear in the routing table as “possibly down. From the Library of 311 for more details. As such. This publication is protected by copyright.[ 225 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 3. Unlike the distance vector algorithm. See Figure 4-15. a router can independently make a decision based on its map of the network. 4. Please see page MARCO A. ZUNIGA C. FIGURE 4-15 Link-State Routing C D Link-State Packets Topological Database SPF Algorithm Routing Table B A Shortest Path First Tree With link-state routing protocols.” Link-State Routing The link-state-based routing algorithm (also known as shortest path first [SPF]) maintains a database of topology information. Network information is shared in the form of link-state advertisements (LSA).

Distance vector sends complete routing tables. From the Library of 311 for more details. Inc. memory. Link-state routing converges fast and is robust against routing loops. Balanced hybrid routing provides faster convergence while limiting the use of resources such as bandwidth. Link-state supports classless addressing and summarization. Advanced distance vector routing uses distance vectors with more accurate metrics. and processor overhead. This publication is protected by copyright. Areas limit the scope of route changes. Cisco Enhanced IGRP is an example of an advanced distance vector protocol.[ 226 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Each link-state router must keep a record of the following: n n n Immediate neighbor routers All other routers in the network The best paths to each destination Link-state routing provides better scaling than distance vector routing for the following reasons: n n n n n Link-state sends only topology changes (called triggered updates). ZUNIGA C. Link-state uses a hierarchy by dividing large routing domains into smaller routing domains called areas. but unlike distance vector routing protocols. but it requires a great deal of memory and strict network designs. Link-state updates are sent less often than distance vector updates. it updates only when a topology change occurs. © 2008 Cisco Systems. Advanced Distance Vector Routing Advanced distance vector (also called balanced hybrid) routing combines aspects of both distance vector and link-state protocols. . Please see page MARCO A. All rights reserved.

55. VLSMs are not available in RIPv1.55.2. © 2008 Cisco Systems. The primary benefit of VLSMs is more efficient use of IP addresses. Adding subnets works the same way as normal subnets. FIGURE 4-16 Subnets/Hosts Fixed Without VLSMs 192.[ 227 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Variable-Length Subnet Mask (VLSM) VLSMs were developed to allow multiple levels of subnetting in an IP network. All rights reserved.192 192. each with a fixed number of hosts.55.55.32 192.224 192. you are confined to a fixed number of subnets. Figure 4-17 shows the same network.2. subnet a subnet. But What If You Had Some Subnets with 30 Hosts.2. . ZUNIGA C. with a varying number of hosts.2. and Several Others with 6 Hosts? 192. you can have multiple subnets.55. Please see page MARCO A. Figure 4-16 shows that without VLSMs. This publication is protected by copyright.55.2.55.0/27 This Class C Subnetting Scheme Has 6 Subnets. From the Library of 311 for more details.2. Each with 30 Hosts…. Inc.2. in effect.128 192.96 With VLSMs. and VLSM uses bits from the subnet portion of the address.64 192. This allows network administrators to overcome the limitations of fixed-sized subnets within a network and.

2. © 2008 Cisco Systems.2.55 .2.55.55.104 192 .55. 011 01 Network Host Subnet VLSM Summarizing Routes In large networks. .55.32 192.[ 228 ] SECTION 4 Routing Operations and VLSM FIGURE 4-17 VLSMs Increase the Number of Subnet/Host Possibilities CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 192 .2. it is impractical for a router to maintain tables with hundreds of thousands of routes.55.2. Please see page MARCO A. Router summarization is most effective within a subnetted environment when the network addresses are in contiguous blocks in powers of 2.64 192.55.55. 2.55.128 192.112 192. 011 00000 01 Network Subnet Host 192. 2. Route summarization (also called route aggregation or supernetting) reduces the number of routes that a router must maintain by representing a series of network numbers in a single summary address.224 192.2.55 . From the Library of 311 for more details.2.2. ZUNIGA C.29 The New Subnets Created Using VLSM Now Each Have 6 Hosts 192. This publication is protected by copyright. All rights reserved.0/27 192.2.192 192.55. Inc.

and OSPF.0/8 10.0/8.0.1.0. Classless routing schemes.[ 229 ] SECTION 4 Routing Operations and VLSM CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Route summarization can also isolate topology changes. . Router B thinks it has two routes to network 10.168.1.0. Please see page MARCO A. All other routers use a summary address.0/24 A 192.0/8.0.0 C 10.0 B 192.2.0/8 10. Summarizing Routes in Discontinuous Networks RIP and EIGRP automatically perform route summarization to the classful network boundary when routing updates cross between two major networks.0.168. Because the network is discontinuous.2. EIGRP.1. however. RIP and EIGRP automatically perform route summarization to the classful network boundary when routing updates cross between two major networks. As a result.0. because the routing changes are propagated only to the router that accesses the rest of the network.1. ZUNIGA C.1. Routers A and C automatically summarize that they are connected to network 10. such as RIPv2. support route summarization using subnets and VLSMs. this automatic summarization causes problems if the network is discontinuous. Figure 4-18 shows Routers A and C are connected to networks 10. OSPF must be configured to manually perform summarization. From the Library of 311 for more details.1.0/24 © 2008 Cisco Systems. IS-IS.0. This works fine if the network is continuous. This publication is protected by copyright. FIGURE 4-18 Autosummarization in a Discontinuous Network 10.1.0/24 and 10.0.2. All rights reserved.0/24. Inc.

each router uses the SPF algorithm to calculate a loop-free. while listening for Hellos from other routers. © 2008 Cisco Systems. OSPF does this by sending Hellos out each OSPF interface. If these parameters are different. the first thing the router does is create a topology table of the network. Please see page MARCO A. Cisco IOS automatically calculates cost based on the interface bandwidth. If the routers share a common data link and agree on certain parameters set in their Hello packets. classless protocol that converges quickly and uses costs as a metric. OSPF routers can form adjacencies with certain neighbor routers. they do not become neighbors and communication stops. Because of the varying types of link-state information. When all databases are complete. Inc. OSPF is an open-standard. bestpath topology and builds its routing table based on this topology. After adjacencies have been formed. each router sends link-state advertisements (LSA) to all adjacent routers. When a router is configured for OSPF. This publication is protected by copyright.[ 230 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 5 Implementing OSPF in a Single Area OSPF is an interior gateway protocol based on link state rather than distance vectors. All rights reserved. Finally. they become neighbors. These LSAs describe the state of each of the router’s links. The routers that OSPF routers build adjacencies with are determined by the data link media type. From the Library of 311 for more details. ZUNIGA C. . OSPF uses Dijkstra’s shortest path first (SPF) algorithm to determine the best path to each network. OSPF defines multiple LSA types. OSPF was developed in the 1980s as an answer to RIP’s inability to scale well in large IP networks. routers receiving an LSA from neighbors record the LSA in a link-state database and flood a copy of the LSA to all other neighbors.

First. It is the means by which neighbors are discovered and acts as keepalives between neighbors. If other interfaces later come online that have a higher IP address. This publication is protected by copyright. © 2008 Cisco Systems.[ 231 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty OSPF Terminology When learning about OSPF. Inc. . Hello Packet The Hello protocol ensures that communication between OSPF routers is bidirectional. It also establishes and maintains neighbor relationships and elects the designated router (DR) and the backup designated router (BDR) to represent the segment on broadcast and nonbroadcast multiaccess (NBMA) networks. Initialization occurs when a router loads its OSPF configuration. it must be able to define a router ID for the entire OSPF process. A router can receive its router ID from several sources. Second. whether at startup or when OSPF is first configured or reloaded. ZUNIGA C. you might encounter different terminology for the OSPF tables. Following is list of common terminology used in OSPF: n n n OSPF neighbor table = Adjacency database OSPF topology table = OSPF topology database (link-state database [LSDB]) Routing table = Forwarding database Router ID For OSPF to initialize. From the Library of 311 for more details. it can be assigned manually through the router-id command. The router ID is chosen when OSPF is initialized. the OSPF router ID does not change until the OSPF process is restarted. If no loopback address is defined. The loopback interface is a logical interface that never goes down. All rights reserved. an OSPF enabled router will select the numerically highest IP address on any of its OSPFconfigured interfaces as its router ID. it is the numerically highest IP address set on a loopback interface. Please see page MARCO A.

This publication is protected by copyright.[ 232 ] SECTION 5 Implementing OSPF in a Single Area Each Hello packets contains the following: n n n n n n n n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Router ID of the originating router Area ID of the originating router interface Address mask of the originating router interface Authentication type and information of the originating router interface HelloInterval RouterDeadInterval Router priority DR and BDR 5 flag bits for optional capabilities Router IDs of the originating router’s neighbors Hello packets are periodically sent out each interface using IP multicast address 224. point-to-point. ZUNIGA C. All rights reserved. For OSPF-enabled routers to become neighbors. The HelloInterval each router uses to send out the Hello protocol is based on the media type. On NBMA networks the default HelloInterval is 30 seconds. certain parameters in the Hello packet must match. .0. These parameters are as follows: n n Subnet mask used on the subnet Subnet number © 2008 Cisco Systems. The default HelloInterval of broadcast.5 (AllSPFRouters). Please see page MARCO A. and point-to-multipoint networks is 10 seconds. Inc.0. From the Library of 311 for more details.

From the Library of 311 for more details. the next step is for routers to exchange link-state information. . This publication is protected by copyright. ZUNIGA C. They are flooded within a single area. The ICND exam will only test you on two LSA types.[ 233 ] SECTION 5 Implementing OSPF in a Single Area n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty HelloInterval DeadInterval OSPF area ID LSAs After OSPF-enabled routers form full adjacencies. Please see page MARCO A. Type 1 and Type 2. LSAs report the state of routers’ links. They describe the set of routers attached to a particular network. Type 2 LSAs are network LSAs and are generated by the DR and BDR. The sequence number and timer ensure that each router has the most current LSA. All rights reserved. LSAs are also packets that OSPF uses to advertise changes in the condition of links to other OSPF routers in the form of a link-state update. These LSAs describe the states of the router’s links to the area and are flooded within a single area. LSAs have a sequence number and a timer. Type 1 LSAs are router LSAs and are generated by each router for each area to which it belongs. LSAs have the following characteristics: n n n n LSAs are reliable. Inc. LSAs are flooded throughout the OSPF area. LSAs are refreshed every 30 minutes. Eleven different and distinct link-state packet formats are used in OSPF. This is done through LSAs. © 2008 Cisco Systems. and each is used for a different purpose.

Routers on these networks do not elect a DR or BDR.5. ZUNIGA C. If the default priority value of 1 is left on all router interfaces.0. From the Library of 311 for more details. and the router with the second-highest OSPF interface priority is the BDR. Point-to-multipoint networks are a special configuration of NBMA networks in which networks are treated as a collection of point-to-point links. All routers on the broadcast segment form adjacencies with the DR and BDR. X. all OSPF packets are multicast. they are capable of connecting more than two routers but have no broadcast capability. and the second-highest becomes the BDR.0.6. such as a T1. Please see page MARCO A.25. The OSPF interface priority defaults to 1 but should be administratively configured to manually define the DR and BDR. Inc. No DR/BDR elections take place. Hellos are still multicast to the all OSPF routers address of 224. All rights reserved. and ATM. and all OSPF packets are unicast. connect a single pair of routers that always become adjacent. NBMA networks include Frame Relay. NBMA networks elect a DR and BDR. . all LSA packets are multicast to the DR and BDR address of 224.0. and because all links are seen as point-topoint. Point-to-point networks. The router with the highest OSPF interface priority is elected the DR. the DR/BDR election relies on the router ID (RID): The highest RID on the segment becomes the DR.0. OSPF routers on broadcast networks elect a designated router (DR) and backup designated router (BDR). © 2008 Cisco Systems. This publication is protected by copyright.[ 234 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty OSPF Network Types OSPF defines the following five network types: n n n n n Broadcast networks Nonbroadcast multiaccess (NBMA) networks Point-to-point networks Point-to-multipoint networks Virtual links Examples of broadcast networks are Ethernet and Token Ring. On broadcast networks.

priority. OSPF will be enabled on both interfaces.16. All rights reserved.2.0. Inc.1. The show ip ospf interface command lists the area in which the router interface resides and the neighbors of the interface. line protocol is up Internet Address 10. Here is an example of the show ip ospf interface command: RouterB# show ip ospf interface ethernet 0 Ethernet0 is up. .10. and authentication if it is configured. ZUNIGA C. Additionally. Area 0 Process ID 1.1/27 and 192.0.0. The show ip route command displays all known routes. From the Library of 311 for more details. For example. Network Type BROADCAST. Verifying OSPF The show ip protocols command verifies that OSPF is configured.255 area 0 The process ID is locally significant to the router and is used to differentiate between different OSPF processes running on the router. Notice that you must specify the wildcard mask instead of the subnet mask: RouterA(config)#router ospf 10 RouterA(config-router)#network 192. Cost: 10 © 2008 Cisco Systems.1. cost. This publication is protected by copyright.[ 235 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Virtual links are a special configuration that is interpreted by the router as unnumbered point-to-point networks. process ID. timer intervals. Please see page MARCO A.0 0. it lists the interface state.10. For example. router ID.33/27 each. DR and BDR. if a router has two interfaces configured with IP addresses 192. Router ID 172.10. Configuring OSPF The router ospf process-id command enables the OSPF process. this value (unlike the autonomous system value in EIGRP) does not need to match between routers. the following configuration enables OSPF process 10 and activates OSPF on all interfaces that have interface addresses that match the address and mask combination for area 0. network type.168. Virtual links are created by the administrator. and the network address wildcard-mask area area-id command assigns networks to a specific OSPF area.1/24.168.168.

Inc.0. . In per-packet load balancing. the router distributes packets based on the destination address. Retransmit 5 Hello due in 00:00:06 Index 1/1. From the Library of 311 for more details.1.1. EIGRP.2 Backup Designated router (ID) 172. IGRP. Adjacent neighbor count is 1 Adjacent with neighbor 172. OSPF only supports equal-cost load balancing. EIGRP also supports unequal-cost load balancing. Dead 40. Interface address 10.[ 236 ] SECTION 5 Implementing OSPF in a Single Area Transmit Delay is 1 sec.1. All rights reserved.16. Load Balancing with OSPF Load balancing is a function of Cisco IOS router software and is supported for static routes. ZUNIGA C. and BGP. IS-IS. Wait 40.1 Suppress hello for 0 neighbor(s) (Designated Router) To analyze the OSPF events.2. When a router has multiple paths with the same AD and cost to a destination.0. the router sends one packet for one destination over the first path.0. use the debug ip ospf events command. RIPv2.1 Timer intervals configured. and the second packet for the same destination over the second path.1. maximum is 2 Last flood scan time is 0 msec. This publication is protected by copyright. packets are load-balanced across the paths. RIP. maximum is 4 msec Neighbor Count is 1. flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 2. Priority 1 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Designated Router (ID) 172.1.16.16. Per-Destination and Per-Packet Load Balancing In per-destination load balancing. Hello 10. Interface address 10. OSPF. © 2008 Cisco Systems. Please see page MARCO A. State BDR.

Please see page MARCO A. Because OSPF’s metric is based on cost. All rights reserved. OSPF supports three types of authentication: n n n Null authentication Plain-text authentication MD5 authentication © 2008 Cisco Systems. ZUNIGA C. .[ 237 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Load Balancing with Different Costs OSPF does not support unequal-cost load balancing. This publication is protected by copyright. In the example that follows. The ip ospf cost interface-cost interface command sets the OSPF cost of an interface. Inc. From the Library of 311 for more details. to load-balance between two links with different costs. To use the other link for load balancing. you have to manually configure each interface with the same cost. If OSPF has two unequal links to a destination. you need to manually change the cost of the interface. only the lowest-cost path is used. you would enter the following commands to make both interfaces have the same cost: RouterA(config)#interface serial 0/0 RouterA(config-if)#ip ospf cost 10 RouterA(config-if)#interface serial 0/1 RouterA(config-if)#ip ospf cost 10 Authentication with OSPF OSPF authentication prevents unauthorized routers from forming adjacencies with OSPF-enabled routers. The other path remains idle.

Assign a password to be used with the ip ospf authentication-key password interface command.[ 238 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Plain-Text Authentication The following steps configure OSPF plain-text authentication: Step 1. State POINT_TO_POINT.16. Retransmit 5 Hello due in 00:00:04 Index 2/2. Configure authentication under the OSPF area using the area area-id authentication command. Wait 40. From the Library of 311 for more details. Dead 40. Router ID 172. Network Type POINT_TO_POINT. Step 2. This publication is protected by copyright. The following enables plain-text authentication using the password of cisco on interface serial 0/0: RouterA(config)#interface serial 0/0 RouterA(config-if)#ip ospf authentication-key cisco RouterA(config-if)#ip ospf authentication RouterA(config-if)#! RouterA(config)#router ospf 1 RouterA(config-if)#area 0 authentication Verifying Plain-Text Authentication The show ip ospf interface command shows whether OSPF authentication is enabled. The highlighted item in the following example shows that plain-text authentication is enabled: RouterA# show ip ospf interface serial0 Serial0 is up.0. Area 0 Process ID 10. Hello 10.0. line protocol is up Internet Address 192. Please see page MARCO A. Step 3. . Specify the authentication type with the ip ospf authentication interface command. All rights reserved. Timer intervals configured.1/24. ZUNIGA C. Cost: 64 Transmit Delay is 1 sec. Inc.16.1. flood queue length 0 Next 0x0(0)/0x0(0) © 2008 Cisco Systems.

This publication is protected by copyright. Please see page MARCO A. ZUNIGA C. RouterA(config)#interface serial 0/0 RouterA(config-if)#ip ospf message-digest-key 1 md5 cisco RouterA(config-if)#ip ospf authentication message-digest RouterA(config-if)# RouterA(config)#router ospf 1 RouterA(config-router)#area 0 authentication message-digest Verifying MD5 Authentication The show ip ospf interface command shows whether OSPF authentication is enabled. Area 0 Process ID 10. From the Library of 311 for more details.0.1. All rights reserved. The ip ospf message-digest-key key-id md5 password interface command sets the password between the two routers. Router ID 172. maximum is 4 msec Neighbor Count is 0. .[ 239 ] SECTION 5 Implementing OSPF in a Single Area Last flood scan length is 1. line protocol is up Internet Address 192. Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s) Simple password authentication enabled Configuring MD5 Authentication Configuring MD5 authentication between two OSPF routers is similar to configuring plain-text authentication. Cost: 64 © 2008 Cisco Systems.16. The following commands enable MD5 authentication for key 1 with the password of cisco: NOTE The key-id and password parameters must be the same between neighboring devices. Inc. except you need to have a key ID and a password.1/24.16. maximum is 1 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Last flood scan time is 0 msec.0. Network Type POINT_TO_POINT. The highlighted item in the following example shows that MD5 authentication is enabled: RouterA# show ip ospf interface serial0 Serial0 is up. The area area-id authentication message-digest command enables MD5 for the OSPF area.

Figure 5-1 shows a basic flow chart to begin the troubleshooting process in OSPF. Please see page MARCO A. Dead 40. Inc. © 2008 Cisco Systems. All rights reserved. maximum is 4 msec Neighbor Count is 0. Hello 10. ZUNIGA C.[ 240 ] SECTION 5 Implementing OSPF in a Single Area Transmit Delay is 1 sec. maximum is 1 Last flood scan time is 0 msec. Retransmit 5 Hello due in 00:00:04 Index 2/2. State POINT_TO_POINT. CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Timer intervals configured. This publication is protected by copyright. Wait 40. Adjacent neighbor count is 0 Suppress hello for 0 neighbor(s) Message digest authentication enabled Youngest key id is 1 Troubleshooting OSPF Troubleshooting OSPF can be complex. flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1. . From the Library of 311 for more details.

From the Library of 311 for more details. OSPF routers not establishing FULL neighbors See Figure 5-2.[ 241 ] SECTION 5 Implementing OSPF in a Single Area FIGURE 5-1 OSPF Troubleshooting Flow Chart Main CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty What is the OSPF problem? Receiving “ospf-4 badlas type error” message The OSPF packet is being corrupted layer-2 software. the router must have an interface with a valid IP address in the UP/UP state. Receiving “ospf unknown protocol” message when configuring OSPF IOS feature set does not support OSPF or you are configuring OSPF on a 1600 or 1800 series router. All rights reserved. Inc. . Receiving “can’t allocate router-id” message when configuring OSPF For the OSPF process to begin. OSPF Route Check © 2008 Cisco Systems. ZUNIGA C. Please see page MARCO A. This publication is protected by copyright. OSPF Neighbor States OSPF routes missing from routing table See Figure 5-3.

FIGURE 5-2 Troubleshooting Neighbor States OSPF Neighbor States What is the state of the OSPF neighborhood when issuing the show ip ospf neighbor command? state = init Init State Check state = exstart or exchange MTU or Layer 2 Check state = loading Corrupted Packet Check state = 2way Two-Way Check No command output received Link Check © 2008 Cisco Systems. ZUNIGA C. From the Library of 311 for more details. This publication is protected by copyright. All rights reserved.[ 242 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Troubleshooting Neighbor States Figure 5-2 displays some of the most common neighbor states and describes steps to resolve the received neighbor states. Inc. . Please see page MARCO A.

. All rights reserved. FIGURE 5-3 OSPF Routing Table Troubleshooting Flow Chart OSPF Route Check Determine what types of routes are missing from the routing table What type of OSPF routes are you missing from the table? All OSPF Routes Check Adjacencies Only Summary Routes Check area 0 and verify that it is contiguous © 2008 Cisco Systems.[ 243 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Troubleshooting Routing Table Figure 5-3 shows a flow chart to troubleshoot OSPF routing table issues. This publication is protected by copyright. Please see page MARCO A. From the Library of 311 for more details. Inc. ZUNIGA C.

and neighbors adjacent on the interface. show ip ospf neighbor: Lists neighbors and current neighbor status.[ 244 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Troubleshooting Commands n n n n n n show ip ospf interface: Lists the area in which the interface belongs. changed state to down 00:50:57: OSPF: Interface Serial0 going Down 00:50:57: OSPF: 172. debug ip ospf adj: Shows the authentication process if OSPF authentication is configured. Please see page MARCO A. debug ip ospf packet: Shows log messages that describe the contents of all OSPF packets. The debug ip ospf adj command is an important command for troubleshooting OSPF adjacencies. use the debug ip ospf adj command. .16.1 on Serial0 is dead.10. OSPF routers exchange Hello packets to create neighbor adjacencies. The following output shows a successful adjacency on the serial 0 interface: RouterA# debug ip ospf adj 00:50:57: %LINK-3-UPDOWN: Interface Serial0. Inc.16. For an OSPF adjacency to occur. debug ip ospf hello: Shows messages describing Hello packets and Hello failures. All rights reserved. ZUNIGA C.36 address 192.64. This publication is protected by copyright. the following four items in an OSPF Hello packet must match: n n n n Area ID Hello/dead intervals Authentication password Stub area flag To determine whether any of these Hello packet options do not match. From the Library of 311 for more details. state DOWN © 2008 Cisco Systems. debug ip ospf events: Shows messages for each OSPF packet.

70.70 on Serial0.70.70.70. Inc.70.16. length 12 © 2008 Cisco Systems. From the Library of 311 for more details. ZUNIGA C.16. router ID 172. state 2WAY 00:51:13: OSPF: Send DBD to 70.70 on Serial0 seq 0x19A4 opt 0x42 flag 0x7 len 32 mtu 1500 state EXSTART 00:51:13: OSPF: First DBD and we are not SLAVE 00:51:13: OSPF: Rcv DBD from 70.64.2 on Serial0 is dead.10. Neighbor Down: Interface down or detached 00:50:58: OSPF: Build router LSA for area 0. changed state to up 00:51:13: OSPF: 2 Way Communication to 70. seq 0x8000000A 00:51:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.16.70.70 on Serial0 seq 0x2486 opt 0x42 flag 0x2 len 72 mtu 1500 state EXSTART 00:51:13: OSPF: NBR Negotiation Done.70.70. . Please see page MARCO A.70 00:51:13: OSPF: sent LS REQ packet to 192. This publication is protected by copyright.16.70.70.36. All rights reserved.70.70 address 192.70 on Serial0 from FULL to DOWN. We are the MASTER 00:51:13: OSPF: Send DBD to 70.64.36.2. changed state to down 00:51:03: %LINK-3-UPDOWN: Interface Serial0. Nbr 70.70. seq 0x80000009 00:50:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0.70.10. router ID 172. state DOWN 00:50:57: %OSPF-5-ADJCHG: Process 10.[ 245 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 00:50:57: OSPF: 70. changed state to up 00:51:03: OSPF: Interface Serial0 going Up 00:51:04: OSPF: Build router LSA for area 0.70 on Serial0 seq 0x2486 opt 0x42 flag 0x7 len 32 00:51:13: OSPF: Rcv DBD from 70.70.70.70.70 on Serial0 seq 0x2487 opt 0x42 flag 0x3 len 72 00:51:13: OSPF: Database request to 70.

70 on Serial0.70. state FULL 00:51:13: %OSPF-5-ADJCHG: Process 10. Loading Done 00:51:14: OSPF: Build router LSA for area 0. router ID 172.70.70. Nbr 70.70. Inc.70 on Serial0 seq 0x2488 opt 0x42 flag 0x1 len 32 00:51:13: OSPF: Rcv DBD from 70.70.70. .70.70 on Serial0 seq 0x2487 opt 0x42 flag 0x0 len 32 mtu 1500 state EXCHANGE 00:51:13: OSPF: Send DBD to 70. From the Library of 311 for more details.70 on Serial0 00:51:13: OSPF: Synchronized with 70.70 on Serial0 seq 0x2488 opt 0x42 flag 0x0 len 32 mtu 1500 state EXCHANGE 00:51:13: OSPF: Exchange Done with 70. This publication is protected by copyright. Please see page MARCO A.70. ZUNIGA C.70. All rights reserved.36. seq 0x8000000B © 2008 Cisco Systems.70.10.70 on Serial0 from LOADING to FULL.70.16.[ 246 ] SECTION 5 Implementing OSPF in a Single Area CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty 00:51:13: OSPF: Rcv DBD from 70.70.

which use a complex metric based on bandwidth and delay. meaning that it sends the subnet mask of its interfaces in routing updates. Please see page MARCO A. ZUNIGA C. Neighbor discovery/recovery: EIGRP discovers neighboring devices using periodic Hello messages. The topology table holds all successor and feasible successor routes in its table. EIRGP is an advanced distance vector protocol with some link-state features. As such. IPX. AppleTalk). All rights reserved. EIGRP Features n n n n n Protocol-independent modules: EIGRP supports IP. EIGRP is classified as a balanced hybrid protocol. Inc. Routing table: Holds the best routes (the successor routes) to each destination. Diffusing Update Algorithm (DUAL): EIGRP uses DUAL to calculate and maintain loop-free paths and provide fast convergence. tracking. EIGRP Terminology n n n Neighbor table: Lists all adjacent routers. and acknowledging updates and EIGRP messages. EIGRP is a classless routing protocol. Includes the neighbor’s address and the interface through which it can be reached. . © 2008 Cisco Systems. Partial updates: EIGRP sends partial triggered updates instead of periodic updates. Internetwork Packet Exchange (IPX).[ 247 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 6 Implementing EIGRP Enhanced IGRP (EIGRP) is a Cisco-proprietary routing protocol. IPv6. EIGRP routers keep a neighbor table for each routed Layer 3 protocol (IP. and AppleTalk. Topology table: Contains all learned routes to a destination. This publication is protected by copyright. Reliable Transport Protocol: RTP controls sending. From the Library of 311 for more details.

Please see page MARCO A.0 RouterA(config-router)#network 192. Feasible distance (FD): The sum of the AD plus the cost between the local router and the next-hop router.4. A backup route.0 and 192.3.168. show ip route eigrp: Displays all EIGRP routes in the routing table. ZUNIGA C. The following is a list of the terminology DUAL uses to select a route: n n n n Successor: The primary route used to reach a destination.168. including successors and feasible successors. Advertised distance (AD): The lowest-cost route between the next-hop router and the destination. is selected if the advertised distance is less than the feasible distance. © 2008 Cisco Systems. This is followed by the network command to enable EIGRP on the specified interfaces.168.168.0 n n n n show ip eigrp neighbors: Displays EIGRP adjacencies and directly connected neighbors. Must have an AD less than the FD of the current successor route. .[ 248 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty EIGRP Path Calculation DUAL uses distance information (metric) to select the best. Configuring and Verifying EIGRP The router eigrp process-id command enables EIGRP on the router. Inc.0: RouterA(config)#router eigrp 100 (100 is the process-id) RouterA(config-router)#network 192.3. show ip eigrp topology: Displays the EIGRP topology table.4. From the Library of 311 for more details. The successor route is kept in the routing table. loop-free path to a destination. called the feasible successor. This publication is protected by copyright. Feasible successor: The backup route. All rights reserved. It does this by selecting a successor with the best feasible distance. The following commands enable EIGRP using AS 100 and then enable EIGRP on all router interfaces with IP addresses in the networks 192. debug eigrp neighbors: Displays neighbors discovered by EIGRP and the contents of Hello packets.

1.2. By default. EIGRP can automatically load-balance up to 4 equal-cost routes (16 routes being the maximum). Router A has two unequal paths to network 10. FIGURE 6-1 EIGRP Unequal-Cost Load Balancing Router A 10. From the Library of 311 for more details. Unequal-cost load balancing is when a router can load-balance traffic to a destination through links of different cost or speeds. Please see page MARCO A. This publication is protected by copyright.[ 249 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Load Balancing with EIGRP Load balancing is a router’s ability to balance traffic over all its network’s ports that are the same metric from the destination address.x.2. All rights reserved. The multiplier is a variance value between 1 and 128. this is called equal-cost load balancing. Inc.1. EIGRP uses a complex metric based on bandwidth. you need to use the variance multiplier command on Router A. In Figure 6-1.x through Router B. EIGRP only uses bandwidth and delay to calculate its metric. and MTU to select the best path to a destination. ZUNIGA C. load.2x 10 Router B 10 Router C 20 20 Because the path through Router B has a lower cost than the path through Router C. To configure Router A to perform unequal-cost load balancing. Router A will route all traffic to network 10.1. reliability. delay. with the default set to 1. . © 2008 Cisco Systems. By default.

The following steps enable authentication on a Cisco router: Step 1. Step 5. Create a key number: key number. Step 3. All rights reserved. ZUNIGA C. Step 4.2. Enable MD5 authentication using the ip authentication mode eigrp process-id md5 interface command.1. In this case. Step 6. divide the metric of the cost between Router C by the cost of Router B. So the variance to perform unequal-cost load balancing to network 10.[ 250 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty To determine the variance. Inc. . The following example configures MD5 authentication with cisco as the key: RouterA(config)#interface serial 0/0 RouterA(config-if)#ip authentication mode eigrp 100 md5 RouterA(config-if)#ip authentication key-chain eigrp 100 cisco RouterA(config-if)#! RouterA(config)#key chain cisco RouterA(config-keychain-key)#key 1 RouterA(config-keychain-key)#key-string firstkey © 2008 Cisco Systems. Enter the interface you want to configure authentication on. The following configuration sets the variance on Router A to 2: RouterA(config)#router eigrp 100 RouterA(config-router)#variance 2 EIGRP Authentication EIGRP supports MD5 route authentication.x is 2. it would be 40/20. From the Library of 311 for more details. Please see page MARCO A. Step 7. Exit interface configuration mode. which equals 2. This publication is protected by copyright. Identify the key chain you configured in Step 3 using the key chain name-of-key-chain command. Identify the key string using the key-string text command. Create an authentication key using the ip authentication key-chain eigrp process-id key-chain command. Step 2. The key-chain parameter is the name of the key you want to create.

Please see page MARCO A. FIGURE 6-2 EIGRP Troubleshooting Flow Chart EIGRP Main Which best describes the problem? Local EIGRP route not establishing EIGRP neighbors with neighboring router See Figure 6-3 EIGRP Neighbor Check Routes missing from routing table See Figure 6-5 EIGRP Route Check Receiving “Not on Common Subnet” error EIGRP router is receiving a hello packet that is sourced from an IP address on a subnet that is not configured on the EIGRP receiving interface. From the Library of 311 for more details. This publication is protected by copyright. Inc.[ 251 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Troubleshooting EIGRP Figure 6-2 shows a basic flow chart with the steps to take to approach EIGRP troubleshooting. All rights reserved. . Verify the variance command is configured correctly Load balancing not working Seeing routes Stuck in Active (SIA) Queries are not returning to the router when running DUAL © 2008 Cisco Systems. ZUNIGA C.

From the Library of 311 for more details. © 2008 Cisco Systems. All rights reserved. RIP and IGRP Update Loss after Upgrading to Cisco IOS 11. ZUNIGA C.[ 252 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty EIGRP Neighbor Troubleshooting When EIGRP is not forming neighbor relationships with other EIGRP routers. Y Can you successfully ping between neighbors with packet sizes up to the interface MTU size? N Check the MTU selling for the neighboring interfaces. use the flow charts from Cisco. Inc. the neighboring routers should be on the same primary network. If they are the same. Y (continue with next chart) Y Are the neighbors attached via Frame Relay Netwokr? N Is EIGRP enabled for appropriate networks on both the local and 1 neighboring router? N Y N Are broadcast packets dropped from the frame relay broadcast queue?2 The primary address assigned to the interface must be part of the network used by the network configuration command under EIGRP. Your frame-relay broadcast queue may need to be tuned. Y Is the frame-relay map command being used for manual mappings? N Y Ensure tha the frame-relay map command has been configured with the broadcast keyword. interfaces.com in Figures 6-3 and 6-4 to troubleshoot the issue. and so on. Check cabling. This publication is protected by copyright. Please see page MARCO A. . This allows EIGRP multicast packet delivery across the Frame Relay Network. if they are not already. there is a Layer 2 problem that must be fixed. Refer to OSPF and EIGRP Neighbor Loss. FIGURE 6-3 EIGRP Neighbor Check: Part I EIGRP Neighbor Check Are neighboring routers attached via the same primary network? N EIGRP will not form neighbors over secondary networks: therefore. Make them the same.2 or later.

All rights reserved. Modify the ACL to permit EIGRP packets from the neighbor. Y N Your problem is not a common problem. Check the physical cabling.[ 253 ] SECTION 6 Implementing EIGRP FIGURE 6-4 EIGRP Neighbor Check: Part II EIGRP Neighbor Check (continued) CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty (return to previous chart) Are there any inbound access control lists (ACLs) configured on the neighboring interface for either route?3 Y Temporarily remove the ACLs. verify the switch settings. Please see page MARCO A. From the Library of 311 for more details. © 2008 Cisco Systems. This publication is protected by copyright. Does this help? Y N N Are you manually changing the EIGRP hello interval or hold timers? The inbound ACL is not permitting the EIGRP hellos from the neighbor to be processed. Inc. . ZUNIGA C. It is recommended that the hold timer value be at least three times the value of the hello interval. If a LAN switch separates the neighboring routers.

Modify the list as necessary. Figures 6-5 and 6-6 outline some common steps for troubleshooting the error. Check physical cabling. if they are not already. This publication is protected by copyright. . Check cabling. If they are the same. Does local router have an inbound distribute list. The distribute list is denying the routes. an outbound distribute list? Is autosummarization enabled? N N Y Remove the distribute list. © 2008 Cisco Systems. or neighboring router. FIGURE 6-5 EIGRP Route Check: Part I EIGRP Route Check Are you missing all EIGRP routes from the routing table?5 Y Are routes in the EIGRP 6 topology table? Y Your problem is not a common problem. there is a Layer 2 problem that must be fixed. Refer to Enhanced Interior Gateway Protocol. N N (continue with next chart) Are you missing external routes from the routing table? Y Is the local router forming EIGRP neighbors with the routers that should be advertising routes? Y N EIGRP Neighbor Check Y Are the missing routes part of disontinuous networks? N Can you ping between neighbors with packet size up to the interface maximum MTU size? N Y Y Check the MTU setting for the neighboring interfaces. From the Library of 311 for more details. interfaces and so on. ZUNIGA C. Does this solve the problem? N Y Y You must disable autosummarization for discontinuous networks to exchange information.[ 254 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty EIGRP Route Troubleshooting If EIGRP is not populating the routing table. Please see page MARCO A. All rights reserved. Inc. Make them the same.

© 2008 Cisco Systems. Does this solve the problem? Y The distribute list is denying the routes. Check physical cabling. This publication is protected by copyright. once the duplicate IP address is changed. . or does the neighboring router have an outbound distribute list? Y Remove the distribute list. The duplicate RID must be changed or removed on one of the routers. Inc. in order for the RID to be changed N Does the local router have an inbound distribute list. ZUNIGA C. Modify the list as necessary. Note: The EIGRP process must be restarted. All rights reserved. From the Library of 311 for more details. Please see page MARCO A.[ 255 ] SECTION 6 Implementing EIGRP FIGURE 6-6 EIGRP Route Check: Part II EIGRP Route Check (continued) (return to previous chart) CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Does the router’s originating router have the same ID as the local router? Y Routers should not have duplicate RIDs. N Your problem is not a common problem.

[ 256 ] SECTION 6 Implementing EIGRP CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Troubleshooting MD5 Authentication The debug eigrp packets command allows you to troubleshot EIGRP MD5 authentication problems. This publication is protected by copyright. STUB. invalid authentication *Apr 21 16:50:18.749: EIGRP: Dropping peer. Flags 0x0. In the following example. From the Library of 311 for more details. All rights reserved.749: EIGRP: Serial0/0/1: ignored packet from 192. Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0 *Apr 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192. IPXSAP. Router A is receiving EIGRP packets with MD5 authentication and a key string different from what it is expecting.749: EIGRP: Sending HELLO on Serial0/0/1 *Apr 21 16:50:18.101. PROBE.1. authentication mismatch *Apr 21 16:50:18. SIAQUERY. and the neighbor relationship is declared down: RouterA#debug eigrp packets EIGRP Packets debugging is on (UPDATE.749: AS 100. REQUEST.101 (Serial0/0/1) is down: Auth failure © 2008 Cisco Systems. ZUNIGA C. HELLO. The result is an authentication mismatch. ACK. opcode = 5 (invalid authentication) *Apr 21 16:50:18.1. QUERY. Please see page MARCO A.749: EIGRP: pkt key id = 2. Inc.168. REPLY.168. . SIAREPLY) R2# *Apr 21 16:50:18.

Access lists are used to define the traffic that a firewall or VPN concentrator will encrypt. Access lists can be used to filter both incoming and outgoing traffic on a router’s interface. . By following a set of conventions. Network Address Translation. (It is subject to access lists within other routers as it passes through them. From the Library of 311 for more details. and packet prioritization. Access lists help limit traffic by filtering based on packet characteristics. Packet Filtering Access lists can be configured to permit or deny incoming and outgoing packets on an interface. © 2008 Cisco Systems. All rights reserved. Inc. route filters. Access lists define a set of rules that routers use to identify particular types of traffic.) Access lists are used for many reasons. Cisco routers also use access lists for quality of service (QoS). ZUNIGA C. it becomes more important to manage the increased traffic going across the network. Please see page MARCO A.[ 257 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Part III: Access Lists and Managing Address Spaces Section 7 Managing Traffic with ACLs As a network grows. This publication is protected by copyright. Cisco security devices like firewalls and VPN concentrators use access lists to define access to the network. An access list applied to a router specifies only rules for traffic going through the router. the network administrator can exercise greater control over network traffic by restricting network use by certain users or devices. Traffic originating from a router is not affected by that router’s access lists.

Extended ACLs should be placed as close to the source as possible. From the Library of 311 for more details. and other parameters. Extended lists specify protocols.[ 258 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Types of Access Lists The following two methods identify access control lists (ACL): n n Numbered ACLs: Use a number for identification Named ACLs: Use a descriptive name or number for identification Numbered and named ACLs can be categorized further into the following types of ACLs: n Standard access lists check packets’ source addresses. Inc. © 2008 Cisco Systems. This publication is protected by copyright. Please see page MARCO A. . All rights reserved. ZUNIGA C. Figure 7-1 shows the standard access list processes. port numbers. allowing admins more flexibility and control. Standard IP access lists permit or deny output for an entire protocol suite based on the source network/subnet/host IP address. Standard Access List Processes FIGURE 7-1 Standard Access List Processes E0 Outgoing Packet Incoming Packet Yes Source Permit? S0 NO n Extended access lists check both source and destination packet addresses. Standard ACLs should be placed as close to the destination as possible.

1300 to 1999 Filter based on source and destination Specify a specific IP protocol and port number Range: 100 to 199. TABLE 7-1 Standard Types of Access Lists Extended Filter based on source Permit or deny the entire TCP/IP protocol suite Range: 1 to 99. deny all Deny © 2008 Cisco Systems. This publication is protected by copyright. From the Library of 311 for more details. ZUNIGA C. 2000 to 2699 Access List Operations Access list statements are operated on one at a time from top to bottom. Please see page MARCO A.[ 259 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Table 7-1 shows the difference between standard and extended access lists. . Inc. FIGURE 7-2 ACL Process Packets to Interface(s) in the Access Group Y Match First Test Y ? N Deny Y Deny Match Next Test(s) ? N Match Last Test ? N Packet Discard Bucket Y Permit Permit Destination Interface(s) Deny Y Y Permit Implicit Deny 4 If no match. Figure 7-2 shows the process of ACLs. All rights reserved.

You can have several different access lists for any given protocol. n Protocol Access List Identifiers The access list number entered by the administrator determines how the router handles the access list. Conditions for an access list vary by protocol. this method reduces overhead (no routing table lookups). per direction. Access List Process Options n Inbound access lists: Incoming packets are processed before they are sent to the outbound interface. . If the packet is to be discarded. per interface is allowed on any access list. If no match is found. An implicit deny statement is present at the end of the list (all remaining packets are dropped). the packet is tested against the next statement until a match is found or the end of the list is reached. © 2008 Cisco Systems. This publication is protected by copyright.[ 260 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty As soon as a packet header match is found. The arguments in the statement follow the number. it is processed in the normal way. Please see page MARCO A. ZUNIGA C. Inc. Unless at least one permit statement exists in an access list. The types of conditions allowed depend on the type of list (defined by the access list number). all traffic is blocked. Outbound access lists: Outgoing packets are processed by the router first and then are tested against the access list criteria. From the Library of 311 for more details. but only one protocol. access lists check the packet and upper-layer headers for different items (depending on the type of access list [standard or extended]). and the rest of the statements are skipped. Testing Against Access List Statements For TCP/IP packets. All rights reserved. the packet is operated on (permitted or denied). If the packet is permitted.

After a packet is checked for a match with the access list statement. 64 32 16 8 4 2 1 Octet Bit Position and Address Value for Bit Examples Check All address Bits (Match All) FIGURE 7-3 Wildcard Masking 128 0 0 0 0 0 0 0 0 = 0 0 1 1 1 1 1 1 = Ignore Last 6 Address Bits 0 0 0 0 1 1 1 1 = Ignore Last 4 Address Bits 1 1 1 1 1 1 0 0 = Check Last 2 Address Bits 1 1 1 1 1 1 1 1 = Do Not Check Address (Ignore Bits in Octet) © 2008 Cisco Systems. Please see page MARCO A. it is either permitted through an interface or discarded. Wildcard mask bits are defined as follows: n n A wildcard mask bit of 0 means to check the corresponding bit value. Extended IP access lists use the range 100 to 199 and 2000 to 2699. A wildcard mask bit of 1 means do not check (ignore) that corresponding bit value. . Wildcard Masking It is not always necessary to check every bit within an address. Wildcard masking identifies which bits should be checked or ignored (see Figure 7-3). All rights reserved.[ 261 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Standard IP access lists are assigned the range of numbers 1 to 99 and 1300 to 1999. Administrators can use this tool to select one or more IP addresses for filtering. ZUNIGA C. Inc. From the Library of 311 for more details. This publication is protected by copyright.

If you subtract this subnet mask from 255.29 0.0/22 has the following subnet mask: 255. Inc.0).0.16.0 can be written as host 172.252.0. This publication is protected by copyright.0 as the address. enter the full address followed by a mask of all 0s (0.29.255.255.255.0.255.0.255 Abbreviations can be used instead of entering an entire wildcard mask. 172.0.16.3 and allows you to add access-list entry sequence numbers to the beginning standard and extended access-list rules to allow you to make additions and changes to individual rules in the access list.0 0.255. Ignore all addresses: Use the word any to specify all addresses: 0.255. 0.0. n n Check all addresses: To match a specific address. IP access list entry sequence numbering requires Cisco IOS Software Release 12.0.252.255.30. A shortcut to find the wildcard mask is to subtract the subnet mask from 255.255 can be written as any. followed by a mask of all 1s (255.[ 262 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty To specify an IP host address within a permit or deny statement. All rights reserved. 03.30.255 you get the wildcard mask to use: 255. enter 0.0. For example. To specify that all destination addresses are permitted in an access list.16. Prior to IP access list entry sequence numbering. .0. if you wanted to edit one line in an access list.0.255 – 255. ZUNIGA C.255.255. IP Access List Entry Sequence Numbering IP access list entry sequence numbering allows you to edit the order of ACL statements using sequence numbers. Please see page MARCO A.0 255.255. the entire access list had to be removed and replaced with the new updated access list. use the word host: 172.255.255.255). From the Library of 311 for more details. © 2008 Cisco Systems.255.

the Telnet connection is dropped and a single-entry dynamic ACL entry is added to the extended ACL to permit the user to traverse through the router. Inc. Dynamic ACLs depend on the user authenticating to the router and an extended access list. A user who wants to traverse through the router is blocked by the extended ACL until he authenticates to the router through Telnet with a username and password. All rights reserved. After being authenticated. the configuration starts with an extended ACL that blocks traffic through the router. Please see page MARCO A. Standard IP access lists block traffic at the destination and should be as close as possible to the destination of the traffic to be denied. Additional Types of ACLs Standard and extended ACLs can become the basis for other types of ACLs that provide additional functionality. From the Library of 311 for more details. ZUNIGA C. . Considered lock-and-key.[ 263 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Guidelines for Placing Access Lists Extended IP access lists can block traffic from leaving the source and should be as close as possible to the source of the traffic to be denied. These other types of ACLS include the following: n n n Dynamic ACLs (lock-and-key) Reflective ACLs Time-based ACLs Dynamic ACLs Dynamic ACLs (lock-and-key) dynamically create access-list entries on the router to allow a user that has authenticated to the router through Telnet to access resources that are blocked behind the router. This publication is protected by copyright. © 2008 Cisco Systems.

Time-Based ACLs Time-based ACLs are similar to extended access lists. except they control access based on time. per direction. ZUNIGA C. but are “nested” within an extended named IP ACL that is applied to an interface. Guidelines for Implementing Access Lists n n n Be sure to use the correct numbers for the type of list and protocols you want filtered. Reflective ACLs contain only temporary entries that are created when a new IP session begins and are removed when the session ends. You can use only one access list per protocol. Reflective ACLs are not applied directly to an interface. All rights reserved. Put more-specific statements before more-general ones. Remember that all access lists end with an implicit deny any statement. per interface. They are used to allow outbound traffic.[ 264 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Reflective ACLs Reflective ACLs allow IP packets to be filtered based on upper-layer session information. . Inc. making statement ordering critical to efficient operation. Always place specific and frequent statements at the beginning of an access list. Frequently occurring conditions should be placed before less-frequent conditions. © 2008 Cisco Systems. Named access lists and ACLs using extended sequence entries allow the removal and changes of individual statements. A single interface can have one access list per protocol. From the Library of 311 for more details. This publication is protected by copyright. and they limit inbound traffic in response to sessions that originate from a network inside the router. Please see page MARCO A. Configuring IP Access Lists Access lists are processed from top to bottom.

Create your statements before applying the list to an interface. An interface with an empty access list applied to it allows (permits) all traffic.0. All rights reserved. From the Library of 311 for more details. This publication is protected by copyright.1 and 192.[ 265 ] SECTION 7 Managing Traffic with ACLs n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Additions are always added to the end of the access list. the implicit deny at the end of every list causes all packets to be denied.0. Access lists filter only traffic going through the router. the following command creates access list number 10. Every access list should include at least one permit statement. Without an explicit permit. which denies any IP address between 192. n n n Configuring Standard IP Access Lists The command syntax to create a standard IP access list is as follows: access-list access-list-number {permit | deny} source-address [wildcard-mask] where access-list-number is a number from 1 to 99 or 1300 to 1999.255: RouterA(config)#access-list 10 deny 192.168. You cannot selectively add or remove statements in the middle of standard or extended access lists unless you are using named ACLs or extended sequence entries (IOS 12. Please see page MARCO A. .255.255. Inc.3).0.168.168. ZUNIGA C. For example.0 0.255 RouterA(config)#access-list 10 permit any any Configuring Extended IP Access Lists The Cisco IOS command syntax to create an extended access list is as follows: access-list access-list-number {permit | deny} protocol source-address source-wildcard [operator port] destination-address destination-wildcard [operator port] © 2008 Cisco Systems.

0 0. . and IGRP.1.168.4.255 eq 21 Using IP Access List Entry Sequence Numbers To use entry sequence numbers.1.0.0/24 to network 172. Internet Control Message Protocol (ICMP). Please see page MARCO A.1. This publication is protected by copyright. The following example creates an extended ACL.0/24 and applies the ACL to interface Ethernet 0: RouterA>enable RouterA#config term RouterA(config)#access-list 101 deny tcp 172. The following example creates an extended access list that blocks FTP traffic from network 172. if you want to add a rule in between rule 1 and 10.0.4.0 0.16.0/16: RouterA(config)#ip access list extended 100 RouterA(config-ext-nacl)#1 permit tcp 192. From the Library of 311 for more details. generic routing encapsulation (GRE). gt (greater than).0 0. © 2008 Cisco Systems.0.0. Then you add the access list rules by first defining the entry sequence where you want the rule to be added in the access list.0. Inc. eq (equal to).16.0.0.3.255 eq ftp In the preceding example.3.255 172. All rights reserved.0. operator port can be lt (less than). using entry sequence numbers. you give it a sequence number between 1 and 10. User Datagram Protocol (UDP). you first create the access list.0.255 RouterA(config)#access-list 101 permit ip any any RouterA(config)#interface ethernet 0 RouterA(config-if)#access group 101 in 172.0. you would enter the ACL you want to edit and then use the sequence number to identify which line you want to edit.0 0.16. If you want to edit only one line in the ACL.16.16.0.255.168. or neq (not equal to) and a protocol port number. ZUNIGA C.255.0 0.16.0/24 to network 172.255 eq http RouterA(config-ext-nacl)#10 permit tcp 192.255 172. TCP.0.0 0.16.168.0. that permits HTTP and FTP traffic from network 192.[ 266 ] SECTION 7 Managing Traffic with ACLs where: n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty protocol examples include IP.

Then remove the access list by entering the no access-list access-list-number global command. This publication is protected by copyright. first remove it from the interface by entering the no ip access-group access-listnumber direction command. The following creates a named access list that blocks ping from networks 172.0. ZUNIGA C. Inc. where name is the name of the access list. Issuing this command places you in named IP access list subcommand mode.3.0.16.101 echo RouterA(config-ext-nacl)#permit ip any any Applying Access Lists To apply an access list to an interface on a Cisco router.255 host 192.168.0 0.0. Please see page MARCO A. you use the ip access-list extended name global command.101: RouterA(config)#ip access-list extended block-ping RouterA(config-ext-nacl)#deny icmp 172. use the ip access-group interface command.[ 267 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Named Access Lists When you create a named access list.160. the following applies access list 10 to serial interface 0 as an inbound access list: RouterA(config)#int s0 RouterA(config-if)#ip access-group 10 in To remove an access list from a router.0. which then allows you to enter the access list parameters. as follows: ip access-group access-list-number {in | out} For example.0. From the Library of 311 for more details. . © 2008 Cisco Systems.0/22 to host 192.168. All rights reserved.

0. Create a dynamic ACL that applies to the extended ACL you created after it is authenticated. Step 2. From the Library of 311 for more details. Create a user authentication method on the router. Inc.0.1.0 0. For example: RouterA(config)#access-list 101 permit tcp any host 192.[ 268 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Creating Dynamic Access Lists Follow these steps to create a dynamic ACL: Step 1. ZUNIGA C. Define an extended ACL to permit vty access but block all other traffic.0 0.255 10. Please see page MARCO A.168. All rights reserved. For example. This publication is protected by copyright.1 eq telnet RouterA(config)#interface s0 RouterA(config-if)#ip access-group 101 in Step 3. The following example enables local authentication on the router: RouterA(config)#username remote password 0 cisco RouterA(config)#username remote autocommand access-enable host timeout 10 This creates a user named remote with a password of cisco and configures the router to time out after 10 minutes of idle traffic. the router needs to be configured to locally authenticate when a user tries to connect to the vty ports: RouterA(config)#line vty 0 4 RouterA(config-line)#login local © 2008 Cisco Systems.0.255 Because this example is using local authentication.168. .1.0. the following command creates the dynamic ACL that is applied to ACL 101: RouterA(config)#access-list 101 dynamic remoteaccess timeout 15 permit ip 192. This can either be local or remote using a AAA or RADIUS server.1.1.

Most current Cisco devices support 16 virtual terminal lines. Most access list errors are due to an incorrect statement entry that denies traffic. Inc. Restrictions on vty access should include all virtual ports. Standard and extended access lists applied to physical interfaces do not prevent router-initiated Telnet sessions. © 2008 Cisco Systems. The show running-config and show access-list commands display all access lists configured on a router. numbered vty 0 through vty 15. verify that the statements are correct and applied to the proper interface and direction. because users can connect through any vty port.[ 269 ] SECTION 7 Managing Traffic with ACLs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Verifying Access List Configuration The show ip interface interface-type interface-number command displays whether an IP access list is applied to an interface. All rights reserved. devices also have virtual ports (called virtual terminal lines). Also. Troubleshooting Access Lists Access lists are processed from the top down. The syntax for a vty access list is as follows: line vty {vty# | vty-range} access-class {IP access list #} in After the vty statements are added. This publication is protected by copyright. remember that at the end of each access list is an implicit deny any statement. and out prevents Telnet connections to other routers from the vty ports. Virtual terminal access lists can block vty access to the router or block access to other routers on allowed vty sessions. ZUNIGA C. From the Library of 311 for more details. Please see page MARCO A. they are assigned to the router with the following command: access-class access-list-number {in | out} Specifying in prevents incoming Telnet connections. . To troubleshoot access lists. Virtual Terminal (vty) Access Lists In addition to physical ports.

Please see page MARCO A.21 172.[ 270 ] SECTION 8 Managing Address Space with NAT and IPv6 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 8 Managing Address Space with NAT and IPv6 Network Address Translation (NAT) was initially developed as an answer to the diminishing number of IP addresses.0. making communication more secure from hackers. The combination of the PC explosion and the emergence of other network-ready devices quickly consumed many of the available addresses.22 FIGURE 8-1 NAT Outside 10.34. Dynamic NAT matches private addresses to a pool of public addresses on an as-needed basis.34. From the Library of 311 for more details. When the IP address scheme was originally developed. Properties of NAT are as follows: n n n NAT is configured on a router.1 10.34.2 NAT Table Inside Local IP Address 10.1 Internet 10. or other network device.0. The address translation is still one-to-one.0.22 © 2008 Cisco Systems.0.0.0.0.2. This publication is protected by copyright.1 to the outside address 172. Inc.34.0.2.2 Inside Global IP Address 172. Figure 8-1 shows how NAT translates the inside address of 10. All rights reserved.2. . it was believed that the address space would not run out.2. firewall.0. ZUNIGA C.21.2 SA 172. An additional (and equally important) benefit of NAT is that it hides private addresses from public networks.0. Static NAT uses one-to-one private-to-public address translation. Inside SA 10.0.0.

Details of PAT are as follows: n n Because the port number is 16 bits.1 PAT Internet SA 10.0.2. PAT continues to look for available port numbers.2 NAT Table Inside Local IP Address Inside Global IP Address 10.0.0.0.536 sessions to a single public address.21:2610 10.2:1533 172.1:2610 172. as shown in Figure 8-2. .0. Please see page MARCO A.0. This publication is protected by copyright. From the Library of 311 for more details.1: 2610 Outside 10.34. FIGURE 8-2 PAT Inside SA 10.22:1533 © 2008 Cisco Systems.2.0.0. PAT increments the IP address (if available).2: 1533 SA 10.0.0.0.34.0.0.0.[ 271 ] SECTION 8 Managing Address Space with NAT and IPv6 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Port Address Translation (PAT) is a form of dynamic address translation that uses many (private addresses) to few or one (public address). All rights reserved. If one is not found.0. ZUNIGA C. Inc.1: 2610 10.1: 2610 SA 10.0. PAT can theoretically map 65. This is called overloading and is accomplished by assigning port numbers.

Please see page MARCO A. The following example creates the static mapping and defines interface s0 as connecting to the outside network and interface e0 as connecting to the inside network: RouterB(config)#ip nat inside source static 192.1. ZUNIGA C. All rights reserved. A legal routable IP address that represents one or more inside local IP addresses to the outside world.5 216.[ 272 ] SECTION 8 Managing Address Space with NAT and IPv6 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty NAT Terminology Table 8-1 lists the Cisco NAT terminology. Usually a routable IP address. . The IP address assigned to a host on the outside network by the host’s owner.1. you must first create the static mapping table and then define which interfaces on your router connect to the inside network and the outside network. From the Library of 311 for more details. private network. This publication is protected by copyright. private network.168.10. Configuring Static NAT To configure static NAT. TABLE 8-1 Name NAT Terminology Description Inside local address Inside global address Outside local address Outside global address The IP address assigned to a host on the inside. This is usually is a private IP address.3 RouterB(config)#int s0 RouterB(config-if)#ip nat outside RouterB(config-if)#int e0 RouterB(config-if)#ip nat inside © 2008 Cisco Systems. Inc. Usually a private IP address. The IP address of an outside host as it appears to the inside.

Then create an access list that defines the internal hosts to be translated.0 0.240 (creates a NAT pool called cisco) RouterB(config)#access-list 10 permit 192.1.0. Finally.0.1 216. you have to define which interface is internal and which interface is external: RouterB(config)#ip nat pool cisco 216. This publication is protected by copyright. As with static NAT.1 RouterA(config)#ip nat inside source list 99 interface fa0/1 overload RouterA(config)#interface ethernet 0 RouterA(config-if)#ip nat inside RouterA(config-if)#exit RouterA(config)#interface fa 0/1 RouterA(config-if)#ip nat ouside RouterA(config-if)#exit RouterA(config)#exit © 2008 Cisco Systems.255 (defines the IP addresses that will be translated) RouterB(config)#ip nat inside source list 10 pool cisco (establishes dynamic translation of access list 10 with the NAT pool named cisco) Configuring PAT To configure PAT.[ 273 ] SECTION 8 Managing Address Space with NAT and IPv6 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Dynamic NAT To configure dynamic NAT.1. All rights reserved.0.0. . as follows: RouterA>enable RouterA#config term RouterA(config)#acess-list 99 permit 10.255. Please see page MARCO A. From the Library of 311 for more details. you first define an access list that permits the internal hosts to be translated. you first have to create a NAT pool of external IP addresses that internal hosts can draw from. enable the translation to occur.1.255. ZUNIGA C.10. You then use the ip nat inside source list access-list-number interface interface-type overload global command.1. Inc.168.14 netmask 255.

The clear ip nat translation outside local-ip global-ip command clears a specific outside translation address. The show ip nat statistics command shows all translation statistics. All rights reserved. From the Library of 311 for more details. Please see page MARCO A. This publication is protected by copyright. Transitioning to IPv6 IPv6 is an updated version of IP with the following features: n n n n n n n n Larger address space (128 bits) Simplified header Autoconfiguration Security with mandatory IPsec for all IPv6 devices Mobility Enhanced multicast support Extensions headers Flow labels © 2008 Cisco Systems. Inc. The clear ip nat translation inside global-ip local-ip command clears a specific entry from a dynamic translation table. The show ip nat translations command lists all active translations.[ 274 ] SECTION 8 Managing Address Space with NAT and IPv6 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Verifying NAT and Resolving Translation Table Issues The clear ip nat translation * command clears all dynamic translation tables. ZUNIGA C. .

it is assumed that the missing digits are leading 0s. ZUNIGA C. Format 3-bits FIGURE 8-3 IPv6 Address Structure Top-Level Aggregation 13-bits Next-Level Aggregation 24-bits Site-Level Aggregation 16-bits Rsvd 8-bits Interface ID 64-bits Two rules for reducing the size of written IPv6 address are as follows: n Rule 1: The leading 0s in any segment do not have to be written. This publication is protected by copyright. For example. An example of an IPv6 address is as follows: 2001:0D02:0000:0000:0000:C003:0001:F00D Figure 8-3 shows the IPv6 address structure. From the Library of 311 for more details. If any segment has fewer than four hexadecimal digits. Format of IPv6 Addresses IPv6 addresses are 128 bits long and are represented in eight 16-bit hexadecimal segments. the primary reason for the move to IPv6 is because of the depletion of IPv4 addresses.[ 275 ] SECTION 8 Managing Address Space with NAT and IPv6 n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Improved address allocation Address aggregation Although IPv6 has many advanced features. . Please see page MARCO A. 2001:0D02:0000:0000:0000:C003:0001:F00D can be written as 2001:D02:0:0:0:C003:1:F00D © 2008 Cisco Systems. Inc. All rights reserved.

the network administrator assigns an IPv6 address to a host. Types of IPv6 Addresses The three types of IPv6 addresses are as follows: n n n Unicast: A global unicast address is an address that is globally unique and can be routed globally. 2001:D02:0:0:0:C003:1:F00D can be further reduced to 2001:D02::C003:1:F00D The double colon can only be used once. From the Library of 311 for more details. Please see page MARCO A. Anycast: An address that represents a service instead of a device. This publication is protected by copyright. Inc. Multicast: An address that identifies a set of devices. © 2008 Cisco Systems. Features one-to-many mapping. For example. Features one-to-nearest mapping. Replicates IPv4 broadcast addresses. consecutive fields of all 0s can be represented with a double colon (::). ZUNIGA C. Assigning IPv6 Addresses IPv6 addresses can be assigned in one of the following ways: n n n Statically Stateless autoconfiguration DHCPv6 In static assignment. Link-local unicast addresses are addresses that are confined to a single link. .[ 276 ] SECTION 8 Managing Address Space with NAT and IPv6 n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Rule 2: Any single. All rights reserved.

Please see page MARCO A. All rights reserved. If the end system has a 64-bit MAC address. This publication is protected by copyright.[ 277 ] SECTION 8 Managing Address Space with NAT and IPv6 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Hosts use stateless autoconfiguration by waiting for a router to advertise the local prefix. DHCPv6 works that same way that DHCPv4 works. IPv6 has one specific requirement: The router must be able to determine the link-local address of each neighboring router. This is called the EUI-64 address. In other words. © 2008 Cisco Systems. From the Library of 311 for more details. . do not use a global unicast address as a next-hop address when configuring IPv6 static routes. Inc. If the end system has a 48-bit MAC address. the host flips the global/local bit and inserts 0XFFEE in the middle of the MAC address. and it is joined to the prefix to form the IPv6 address. However. the host joins the prefix and its MAC address to form an IPv6 address. ZUNIGA C. Routing with IPv6 IPv6 supports the following routing protocols: n n n n n n Static RIPng OSPFv3 EIGRP for IPv6 IS-IS for IPv6 MP-BGP Static Routing Static routing with IPv6 is configured the same way as with IPv4.

some changes to RIPng include the following: n n n Uses IPv6 for transport. Uses multicast group FF02::09 to advertise routes every 30 seconds. OSPFv3 does not include authentication because authentication in IPv6 is handled through IPsec. Inc. . This publication is protected by copyright. Three current IPv6 transition mechanisms are as follows: © 2008 Cisco Systems. RIPng uses hop count as its metric and has a maximum hop count of 15. a distance vector protocol. However. These strategies are called transition mechanisms. OSPFv3 runs directly over IPv6 and advertises using multicast groups FF02::5 and FF02::06. which is version 2. EIGRP for IPv6 EIGRP for IPv6 is the same EIGRP protocol as used with IPv4. All rights reserved. From the Library of 311 for more details. OSPFv3 OSPFv3 is based on the current version of OSPF. Updates are sent on UDP port 521. Please see page MARCO A. It uses the same metric but includes a protocol-dependent module for IPv4 and IPv6. Like version 2. and FF02::06 is the “all OSPF DRs” address. OSPFv3 sends Hellos to neighbors.[ 278 ] SECTION 8 Managing Address Space with NAT and IPv6 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty RIPng RIPng is the IPv6 of RIP. RIPng is defined in RFC 2080 and is based on RIPv2. and they allow IPv4 hosts to communicate with IPv6 hosts. ZUNIGA C. Strategies for Implementing IPv6 Several strategies exist for migrating from IPv4 to IPv6. and exchanges LSAs and database descriptors (DBD). However. but uses its link-local address as the source address of its advertisements. FF02::5 is the “all OSPF routers” address.

Configuring IPv6 IPv6 is not enabled by default on Cisco routers. From the Library of 311 for more details. The following example configures a router with IPv6. The following are steps for configuring IPv6: Step 1. EIGRP). Configure routing (static. Step 6. This publication is protected by copyright. Please see page MARCO A. Configure router interfaces. and configures a name server: RouterA#config term RouterA(config)#ipv6 unicast-routing RouterA(config)#interface ethernet 0 RouterA(config-if)#ipv6 address 2001:0d02::2:0100/64 RouterA(config-if)#interface tunnel 0 (create the tunnel interface) © 2008 Cisco Systems. All rights reserved. Step 3. ZUNIGA C. OSPF. Step 2. The ipv6 unicast-routing global command enables IPv6 on the router. Allocate IPv6 addresses to devices. Configure name servers. RIPng. enables RIPng. Obtain IPv6 prefixes. assigns an IPv6 address. Configure tunnels (if communicating over an IPv4 network). Inc. configures a tunnel. Step 5.[ 279 ] SECTION 8 Managing Address Space with NAT and IPv6 n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Dual stack: A network interface that is configured with an IPv4 address and an IPv6 address Tunneling: Consists of encapsulating IPv6 packets within IPv4 packets Proxying and translation: A device that can translate IPv6 addresses to IPv4 addresses to communicate with IPv4 servers. . Step 4.

All rights reserved. Please see page MARCO A.[ 280 ] SECTION 8 Managing Address Space with NAT and IPv6 RouterA(config-if)#ipv6 unnumbered ethernet 0 RouterA(config-if)#tunnel source ethernet 0 CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty (identify the tunnel) (configure tunnel source as e0) (the IPv4 address the tunnel terminates) (configure the tunnel mode as IPv6) RouterA(config-if)#tunnel desitnation 192.2 RouterA(config-if)#tunnel mode ipv6ip RouterA(config-if)#exit RouterA(config)#ipv6 router rip cisco RouterA(config-rtr)#interface s0 RouterA(config-if)#ipv6 rip cisco enable (enable rip with the process called cisco) (enable rip for the interface) RouterA(config-if)#ip name-server 2001:d02::c003:1::f00d (enable name servers) © 2008 Cisco Systems. This publication is protected by copyright. From the Library of 311 for more details.168. .10. ZUNIGA C. Inc.

and services across a broad geographic area. All rights reserved. FIGURE 9-1 WAN Connections Service Provider Understanding Serial WAN Interfaces WAN serial interfaces.35 and other interfaces. © 2008 Cisco Systems. called start/stop bits. where one set of wires carries data and a separate set of wires carries clocking for that data. Please see page MARCO A. ZUNIGA C. From the Library of 311 for more details.[ 281 ] SECTION 9 Establishing Serial Point-to-Point Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Part IV: Extending the Network into the WAN Section 9 Establishing Serial Point-to-Point Connections WANs connect networks. This publication is protected by copyright. defined as follows. Synchronous transmission occurs on V. . which designate the beginning and end of each character. Synchronous links try to use the same speed as the other end of a serial link. are either synchronous or asynchronous: n Synchronous links have identical frequencies and contain individual characters encapsulated in control bits. Companies use the WAN to connect company sites for information exchange (see Figure 9-1). Inc. users.

All rights reserved. Serial interfaces are specified as DTE (data terminal equipment) or data communications equipment (DCE). WAN Review Figure 9-2 shows the typical WAN topology with explanations as follows: n Customer premises equipment (CPE): Located on the subscriber’s premises and includes both equipment owned by the subscriber and devices leased by the service provider. but no check or adjustment of the rates occurs if they are slightly different. ZUNIGA C. An example of a DCE is a channel service unit/data service unit (CSU/DSU) or a serial interface configured for clocking. in other words. From the Library of 311 for more details.[ 282 ] SECTION 9 Establishing Serial Point-to-Point Connections n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Asynchronous links send digital signals without timing. Modems are asynchronous. The port configured as DTE requires external clocking from the CSU/DSU or other DCE device. Only 1 byte per transfer is sent. WAN Service Provider Toll Network S S S S S S CO Switch Local Loop FIGURE 9-2 Typical WAN Topology S Trunks and Switches Demarcation Customer Premises Equipment (CPE) Point-to-Point or Circuit-Switched Connection © 2008 Cisco Systems. This publication is protected by copyright. . Asynchronous links agree on the same speed. DCEs provide clocking for the serial link. Please see page MARCO A. DCE converts user data into the service provider’s preferred format. Inc.

Inc. Leased-line connections typically are synchronous serial connections. Toll network: A collection of trunks inside the WAN cloud. ZUNIGA C. Local loop (or last mile): The cabling from the demarc into the WAN service provider’s central office. The central office is the entry point to the WAN cloud. This publication is protected by copyright. © 2008 Cisco Systems. Please see page MARCO A. Usually it is located in the telecommunications closet. Leased lines provide a reserved connection for the client but are costly. and a switching point for calls. FIGURE 9-3 Leased-Line WAN Synchronous Serial n Circuit-switched: Circuit switching provides a dedicated circuit path between sender and receiver for the duration of the call. Circuit switching is used for basic telephone service or ISDN. .[ 283 ] SECTION 9 Establishing Serial Point-to-Point Connections n n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Demarcation (or demarc): Marks the point where CPE ends and the local loop begins. From the Library of 311 for more details. All rights reserved. The following three main types of WAN connections (services) exist: n Leased-line: A leased line (or point-to-point dedicated connection) provides a preestablished connection through the service provider’s network (WAN) to a remote network. Central office (CO): A switching facility that provides a point of presence for WAN service. WAN Connection Types WAN services are generally leased from service providers on a subscription basis. the exit point from the WAN for called devices.

Packet headers identify the destination. Please see page MARCO A. but at a much lower cost.[ 284 ] SECTION 9 Establishing Serial Point-to-Point Connections FIGURE 9-4 Circuit-Switched WAN CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Telephone Company Asynchronous Serial ISDN Layer 1 n Packet-switched: With packet switching. This publication is protected by copyright. © 2008 Cisco Systems. FIGURE 9-5 Packet-Switched WAN Service Provider Synchronous Serial Layer 2 Encapsulation Protocols n High-Level Data Link Control (HDLC): The default encapsulation type on point-to-point dedicated links and circuit-switched connections. Programmed switching devices provide physical connections. ZUNIGA C. devices transport packets using virtual circuits (VC) that provide end-toend connectivity. All rights reserved. . From the Library of 311 for more details. Inc. Packet switching offers leased line–type services over shared lines.

From the Library of 311 for more details. and synchronous. SLIP. T3. and Synchronous Optical Network (SONET). PPP uses Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) for basic security. . SLIP X. ATM takes advantage of high-speed transmission media such as E3. Frame Relay (based on X. ZUNIGA C. All rights reserved. Frame Relay. Fixed-length cells allow hardware processing. n n Figure 9-6 shows the typical WAN connections that each Layer 2 encapsulation protocol supports. such as asynchronous serial.[ 285 ] SECTION 9 Establishing Serial Point-to-Point Connections n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Point-to-Point Protocol (PPP): Provides connections between devices over several types of physical interfaces. including IP and IPX. Inc.25. Frame Relay: Industry-standard switched data link layer protocol. ISDN. PPP. Please see page MARCO A. PPP works with many network layer protocols. HDLC Circuit-Switched Telephone Company © 2008 Cisco Systems. Asynchronous Transfer Mode (ATM): International standard for cell relay using fixed-length (53-byte) cells for multiple service types. FIGURE 9-6 WAN Connection Support by Layer 2 Encapsulation Protocols Leased Line HDLC. High-Speed Serial Interface (HSSI).25) can handle multiple virtual circuits. which greatly reduces transit delays. This publication is protected by copyright. ATM Packet-Switched Service Provider PPP.

This publication is protected by copyright. HDLC cannot support multiple protocols on a single link. Inc. Figure 9-7 shows the frame format of HDLC. if the encapsulation type has been changed to another protocol. ZUNIGA C. © 2008 Cisco Systems. . From the Library of 311 for more details. All rights reserved. This field makes it possible for a single serial link to accommodate multiple network-layer protocols. PPP should be used when communicating with non-Cisco devices. PPP uses a Network Control Protocol (NCP) component to encapsulate multiple protocols and the Link Control Protocol (LCP) to set up and negotiate control options on the data link. Please see page MARCO A. you don’t need to configure HDLC. The Cisco version of HDLC uses a proprietary field that acts as a protocol field. However.[ 286 ] SECTION 9 Establishing Serial Point-to-Point Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Serial Point-to-Point Encapsulation Configuring HDLC HDLC is a data-link protocol used on synchronous serial data links. the following command changes the serial interface encapsulation back to HDLC: Router(config-if)#encapsulation hdlc Configuring PPP As shown in Figure 9-8. Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. because it lacks a mechanism to indicate which protocol it is carrying. FIGURE 9-7 HDLC Frame Format Flag Address Control Proprietary Data FCS Flag Cisco HDLC Because HDLC is the default encapsulation type on serial links.

All rights reserved. avoids frame looping Load balancing across multiple links PAP. performs challenge handshake Compresses data at the source. reproduces data at the destination Monitors data dropped on a link. Please see page MARCO A. CHAP Stacker or Predictor Magic Number Multilink Protocol (MP) © 2008 Cisco Systems. ZUNIGA C. From the Library of 311 for more details. . Other Options Link Control Protocol Synchronous or Asynchronous Physical Media Physical Layer PPP Configuration Options Cisco routers using PPP encapsulation include the LCP options shown in Table 9-1. Table 9-1 Feature PPP Configuration Options How It Operates Protocol Authentication Compression Error detection Multilink Requires a password. This publication is protected by copyright. Inc.[ 287 ] SECTION 9 Establishing Serial Point-to-Point Connections FIGURE 9-8 Point-to-Point Protocol IP IPX Layer 3 Protocols CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty IPCP PPP IPXCP Many Others Network Layer Network Control Protocol Data Link Layer Authentication.

Link establishment: Each PPP device sends LCP packets to configure and test the link (Layer 2). Challenge Handshake Authentication Protocol (CHAP): Used upon initial link establishment and periodically to make sure that the router is still communicating with the same host. Step 3. This publication is protected by copyright. CHAP passwords are exchanged as MD5 hash values. ZUNIGA C. All rights reserved. either PAP or CHAP is used to authenticate the link. CHAP uses a three-way handshake process to perform one-way authentication on a PPP serial interface. Inc. © 2008 Cisco Systems. Network layer protocol phase: PPP sends NCP packets to choose and configure one or more network layer protocols to be encapsulated and sent over the PPP data link (Layer 3). Please see page MARCO A.[ 288 ] SECTION 9 Establishing Serial Point-to-Point Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Establishing a PPP Session The three phases of PPP session establishment are link establishment. as follows: RouterB(config-if)#encapsulation ppp PPP Authentication Protocols The two methods of authentication on PPP links are as follows: n n Password Authentication Protocol (PAP): The less-secure of the two methods. Step 2. Authentication phase (optional): If authentication is configured. enter the encapsulation ppp interface command. Enabling PPP To enable PPP encapsulation on a serial interface. Passwords are sent in clear text and are exchanged only upon initial link establishment. and the network protocol phase: Step 1. This must take place before the network layer protocol phase can begin (Layer 2). . From the Library of 311 for more details. authentication.

Configure PPP authentication with the ppp authentication {chap | chap pap | pap chap | pap} interface command. DLY 20000 usec. The remote router’s host name is RouterA: RouterB(config)#hostname RouterB RouterB(config)#username RouterA password cisco RouterB(config)#int s0 RouterB(config-if)#ppp authentication chap pap Verifying the Serial Encapsulation Configuration The show interface interface-number command. define the username of the remote router and password that both routers will use with the username remote-router-name password password command. the second method is used.2/24 MTU 1500 bytes. rely 255/255. load 1/255 © 2008 Cisco Systems.[ 289 ] SECTION 9 Establishing Serial Point-to-Point Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring PPP Authentication The three steps to enable PPP authentication on a Cisco router are as follows: Step 1. . shows the encapsulation type configured on the router’s serial interface and the LCP and NCP states of an interface if PPP encryption is enabled: RouterA#show int s0 Serial0 is up.) The following commands configure CHAP and PAP for authentication with the password of cisco. the first method you specify in the command is used. From the Library of 311 for more details. This publication is protected by copyright.168. Inc. All rights reserved. line protocol is up Hardware is HD64570 Internet address is 192. On each router. Step 2. as follows. Please see page MARCO A. Step 3. ZUNIGA C. (If both PAP and CHAP are enabled.1. BW 1544 Kbit. If the peer suggests the second method or refuses the first method. Make sure that each router has a host name assigned to it using the hostname command.

keepalive set (10sec) LCP Open Open: IPCP. CDPCP Last input 00:00:02. Please see page MARCO A. From the Library of 311 for more details. Total output drops: 0 (text omitted) © 2008 Cisco Systems. All rights reserved. output 00:00:02. Inc. . loopback not set. This publication is protected by copyright. ZUNIGA C.[ 290 ] SECTION 9 Establishing Serial Point-to-Point Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Encapsulation PPP. output hang never Last clearing of “show interface” counters never Input queue: 0/75/0 (size/max/drops).

21.35. FIGURE 10-1 Frame Relay Functions at Layer 1 and 2 of the OSI Reference Model 7 6 5 4 3 2 1 OSI Reference Model Application Presentation Session Transport Network Data Link Physical IP/IPX/AppleTalk. Please see page MARCO A. V. When the switch receives a frame. . Inc. the bulk of Frame Relay functions exist at the lower two layers of the OSI reference model. Upper-layer information (such as IP data) is encapsulated by Frame Relay and is transmitted over the link. From the Library of 311 for more details. Cisco routers support the EIA/TIA-232. All rights reserved. and EIA/TIA-530 serial connections. Frame Relay Stack As Figure 10-1 shows. Frame Relay is supported on the same physical serial connections that support point-to-point connections.21. ZUNIGA C. X. This publication is protected by copyright. V. The entire path to the destination is determined before the frame is sent. Frame Relay relies on upper-layer protocols for error correction. EIA/TIA-449. a lookup table maps the frame to the correct outbound port. Frame Relay specifies only the connection between a router and a service provider’s local access switching equipment. Frame Relay EIA/TIA-232.[ 291 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 10 Establishing Frame Relay Connections Frame Relay is a connection-oriented Layer 2 protocol that allows several data connections (virtual circuits) to be multiplexed onto a single physical link. X. EIA/TIA-530 Frame Relay © 2008 Cisco Systems. etc. EIA/TIA-449.35. A connection identifier maps packets to outbound ports on the service provider’s switch.

most Frame Relay circuits are PVCs.617). ZUNIGA C. multicast messages. StrataCom. CIR (committed information rate): The minimum guaranteed data transfer rate agreed to by the Frame Relay switch. A BECN message requests a reduced data transmission rate. inactive. or deleted. ANSI Annex D (ANSI standard T1. Northern Telecom. but routers can autosense LMI types by sending a status request to the Frame Relay switch. Please see page MARCO A. The router configures itself to match the LMI type response. Today. Inc. BECN (backward explicit congestion notification): A message sent to a source router when a Frame Relay switch recognizes congestion in the network. All rights reserved. This publication is protected by copyright. VC status can be active. The three types of LMIs supported by Cisco Frame Relay switches are Cisco (developed by Cisco. and q933a (ITU-T Q. FECN (forward explicit congestion notification): A message sent to a destination device when a Frame Relay switch senses congestion in the network. LMI (Local Management Interface): A signaling standard that manages the connection between the router and the Frame Relay switch. . LMIs track and manage keepalive mechanisms. PVCs save bandwidth (no circuit establishment or teardown) but can be expensive. The DLCI is locally significant. n n n n n n © 2008 Cisco Systems. and DEC).2 and later).933 Annex A). DLCI (data-link connection identifier): Identifies the logical connection between two directly connected sets of devices. Inverse ARP (Inverse Address Resolution Protocol): Routers use Inverse ARP to discover the network address of a device associated with a VC. and status. A VC can be a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). SVCs are established on demand and are torn down when transmission is complete. From the Library of 311 for more details. LMI is configurable (in Cisco IOS Software Release 11.[ 292 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Frame Relay Terminology n VC (virtual circuit): A logical circuit between two network devices.

because all sites are connected to all other sites.[ 293 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Frame Relay Topologies Frame Relay networks can be designed using star. The number of links required in a full-mesh topology that has n nodes is [n * (n – 1)]/2. FIGURE 10-2 Frame Relay Topologies Full Mesh Partial Mesh Star (Hub and Spoke) A star topology. © 2008 Cisco Systems. All rights reserved. also known as a hub-and-spoke configuration. Star topologies require the fewest PVCs. and partial-mesh topologies. . This publication is protected by copyright. ZUNIGA C. Please see page MARCO A. In a full-mesh topology. full-mesh. Figure 10-2 shows the three topologies in Frame Relay. making them relatively inexpensive. which usually provides services. Although it is expensive. this method provides redundancy. is the common network topology. Inc. all routers have virtual circuits to all other destinations. Remote sites are connected to a central site. The hub router provides a multipoint connection using a single interface to interconnect multiple PVCs. Full-mesh networks become very expensive as the number of nodes increases. From the Library of 311 for more details.

1.1. From the Library of 311 for more details. Figure 10-3 shows how Inverse ARP maps a DLCI to an IP address. Connections usually depend on the traffic patterns within the network.1.1. the physical network does not provide the multiaccess capabilities that Ethernet does. In typical multiaccess networks.1) DLCI (500) © 2008 Cisco Systems. These addresses can be manually configured or dynamically mapped using Inverse ARP. Frame Relay Address Mapping Because Frame Relay is an NBMA. so each router might not have a separate PVC to reach the other remote routers on the same subnet. However.1 Inverse ARP or Frame Relay Map Frame Relay IP (10. . not all sites have direct access to all other sites. you can encounter split horizon when running a routing protocol. Because Frame Relay is nonbroadcast. a Frame Relay network provides nonbroadcast multiaccess (NBMA) connectivity between remote sites. Inc. such as Ethernet. to reduce costs. All rights reserved. ZUNIGA C. After the address is mapped. This publication is protected by copyright. By default. it is stored in the router’s Frame Relay map table. When running Frame Relay with multiple PVCs over a single interface. With this topology. broadcasts perform this functionality. FIGURE 10-3 Inverse ARP Maps DLCIs to IP Addresses DLCI: 500 DSU/CSU PVC 10. An NBMA environment is treated like other broadcast media environments. where all the routers are on the same subnet. Please see page MARCO A. To correctly route packets. another mechanism is needed. each DLCI must be mapped to a next-hop address.[ 294 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty In a partial-mesh topology. it needs to have a way to map Layer 2 information with Layer 3. NBMA clouds are usually built in a hub-and-spoke topology.

The router connects to a Frame Relay switch through a channel service unit/data service unit (CSU/DSU). Inverse ARP messages are sent every 60 seconds. The router sends a VC status inquiry to the Frame Relay switch. Please see page MARCO A. The router advertises itself by sending an Inverse ARP to each active DLCI. This publication is protected by copyright. 3. and enable Inverse ARP. The DLCI is the Frame Relay Layer 2 address. 4. From the Library of 311 for more details. All rights reserved. Inc. 5. 6. . and it is locally significant. The routers create map entries with the local DLCI and network layer address of the remote routers. How Service Providers Map Frame Relay DLCIs DLCIs are numbers that identify the logical connection between the router and the Frame Relay switch. ZUNIGA C. Configuring Frame Relay The three commands used to configure basic Frame Relay on a router select the Frame Relay encapsulation type. The switch responds with a status message that includes DLCI information for the usable PVCs. Static maps must be configured if Inverse ARP is not supported. DLCIs are usually assigned by the Frame Relay service provider. LMI information is exchanged every 10 seconds. 2. 7. The commands used are as follows: encapsulation frame-relay [cisco | ietf] frame-relay lmi-type {ansi | cisco | q933i} frame-relay inverse-arp [protocol] [dlci] © 2008 Cisco Systems. A Frame Relay router learns about a remote router’s DLCI by either Inverse ARP (which is automatically enabled on Cisco routers) or by static mappings. establish the LMI connection.[ 295 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty LMI Signaling Process 1.

To statically configure the map table.0. These static maps can also be used to control broadcasts.16. ZUNIGA C. © 2008 Cisco Systems.255. cisco RouterA(config-if)#encapsulation frame-relay cisco Configuring a Static Frame Relay Map A router’s address-to-DLCI table can be defined statically when Inverse ARP is not supported. All rights reserved. This publication is protected by copyright. . From the Library of 311 for more details. The frame interface dlci command also statically maps a local DLCI to a configured Layer 3 protocol on a subinterface.1 RouterA(config-if)#frame-relay lmi-type RouterA(config-if)#bandwidth 64 RouterA(config-if)#frame-relay inverse-arp ip 16 RouterA(config-if)#exit RouterA(config)#exit RouterA# 255.[ 296 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Configuring Basic Frame Relay RouterA>enable RouterA#config term RouterA(config)#int ser 1 RouterA(config-if)#ip address 10. use the following command: frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco | payload-compress packet-by-packet] where: n n n protocol specifies bridging or logical link control. payload-compress is an optional Cisco-proprietary compression method. Please see page MARCO A. The difference is that map statements are used in multipoint Frame Relay configurations and the frame interface dlci command is used in point-to-point subinterface configurations. broadcast is an optional parameter that controls broadcasts and multicasts over the VC.255. Inc.

and because of the split horizon rule. causing Routers C and D to not learn about Router B. From the Library of 311 for more details. All rights reserved.[ 297 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Resolving Reachability Issues in Frame Relay In any Frame Relay topology. In Figure 10-4. when a single interface must be used to interconnect multiple sites. Two problems that the Frame Relay NBMA topology can cause are routing update problems because of split horizon and broadcast replications issues. The best option is to configure subinterfaces. FIGURE 10-4 Frame Relay Reachability Issues A C 1 B D These reachability issues can be solved by disabling split horizon or configuring subinterfaces on the router. Because Router A received the update on its serial interface. © 2008 Cisco Systems. This publication is protected by copyright. ZUNIGA C. Disabling split horizon increase the chances of routing loops in a network. Router A cannot send the updated route information to Routers C and D. Inc. you can have reachability issues because of the NBMA nature of Frame Relay. Please see page MARCO A. These logically assigned interfaces let the router forward broadcast updates in a Frame Relay network. Router A receives a routing update from Router B. .

This publication is protected by copyright. Please see page MARCO A. . multiple PVC connections are established with multiple physical interfaces or subinterfaces on remote routers on a single subinterface. one PVC connection is established with another physical interface or subinterface on a remote router using a single subinterface. In other words. It is also possible (and sometimes recommended) to turn off split horizon to solve this problem. and then configure each subinterface with the IP address. Subinterfaces can be configured as either point-to-point or multipoint. each point-to-point subinterface is a different subnet. FIGURE 10-5 Subinterface Example 1 B 2 A C 3 D Routing Update Routing Update Routing Update Configuring Subinterfaces To enable Frame Relay on a subinterface. © 2008 Cisco Systems. enable Frame Relay encapsulation on the serial interface.[ 298 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty As Figure 10-5 shows. the subinterface acts similar to a leased line. ZUNIGA C. With point-to-point configuration. By configuring virtual circuits as point-to-point connections. and each interface has its own local DLCI. All rights reserved. Inc. All interfaces involved use the same subnet. subinterfaces are logical subdivisions of a physical interface. Routing updates received on one subinterface can be sent out another subinterface without violating split horizon rules. you must remove the IP address from the primary interface with the no ip address ip-address subnet-mask interface command. With multipoint configuration. From the Library of 311 for more details.

168.293.) must match the physical interface number to which this subinterface belongs.255.294.5 255.168.1.5 255.168. The number that precedes the period (. Inc.0 West-SD(config-if)#encap frame-relay West-SD(config-if)#int s0.5 255.0 West-SD(config-if)#frame-relay interface-dlci 20 Configuring Multipoint Subinterfaces To configure multipoint subinterfaces. use the following command: frame-relay interface-dlci dlci-number The range of subinterface numbers is 1 to 4.255.168.1.967.255.255. .255.0 © 2008 Cisco Systems.255.2. The dlci-number option binds the local DLCI to the Layer 3 protocol configured on the subinterface.255. Configuring Point-to-Point Subinterfaces To configure point-to-point subinterfaces. Please see page MARCO A. enter the following sample commands: West-SD(config-if)#no ip address 192.2 point-to-point West-SD(config-if)#ip address 192.1. enter the following sample commands: West-SD(config-if)#no ip address 192. use the following command: CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty interface serial-number.subinterface-number {multipoint | point-to-point} To configure a subinterface. All rights reserved.0 West-SD(config-if)#frame-relay interface-dlci 10 West-SD(config-if)#int s0. This is the only way to link an LMI-derived PVC to a subinterface (LMI does not know about subinterfaces). ZUNIGA C. From the Library of 311 for more details. as evidenced by the show frame-relay map command.[ 299 ] SECTION 10 Establishing Frame Relay Connections To select a subinterface.255.1 point-to-point West-SD(config-if)#ip address 192. This publication is protected by copyright.5 255.

This publication is protected by copyright. show frame-relay pvc: Displays the status of all configured connections. and invalid LMI messages).0 West-SD(config-if)#frame-relay interface-dlci 10 Verifying Frame Relay You can use the following commands to verify and display Frame Relay information: n n n n show interface: Displays Layer 1 and Layer 2 status.2/24 © 2008 Cisco Systems.1. show frame-relay map: Displays the current map entries for static and dynamic routes. traffic statistics. and the LMI DLCIs used for the local management interface. The frame-relay-inarp command clears all dynamic entries. Troubleshooting Frame Relay The show interface command provides a wealth of information for troubleshooting Frame Relay. and BECN and FECN packets received by the router. status messages sent. line protocol is down Hardware is HD64570 Internet address is 192. show frame-relay lmi: Displays LMI traffic statistics (LMI type. Please see page MARCO A. Inc. DLCI information.1. From the Library of 311 for more details. ZUNIGA C. What follows are different examples of output from the show interface command and possible reasons for the Frame Relay link failures: RouterA#show int s0 Serial0 is down.168. All rights reserved.255.168.255.5 255.1 multipoint CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty West-SD(config-if)#ip address 192.[ 300 ] SECTION 10 Establishing Frame Relay Connections West-SD(config-if)#encap frame-relay West-SD(config-if)#int s0. .

the error is at the physical layer. line protocol is down Hardware is HD64570 Internet address is 192. This publication is protected by copyright. and the problem is with the data link layer. perform the following: n n n Check the cable to make sure that it is a DTE serial cable and that the cables are securely attached. To troubleshoot the problem. or the serial line. the CSU/DSU. the problem lies with your carrier. the line is up but the line protocol is down. Causes for the line protocol being down include the following: n n n n Frame Relay provider not activating its port LMI mismatch Encapsulation mismatch DLCI is inactive or has been deleted © 2008 Cisco Systems. . RouterA#show int s0 Serial0 is up.[ 301 ] SECTION 10 Establishing Frame Relay Connections CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty If the show interface command shows that the interface is down and the line protocol is down. This means that the problem is with the cable.2/24 In the preceding example. All rights reserved.1. If replacing the cable does not work. If the cable does not work on the second port. try a different serial port. Inc. From the Library of 311 for more details. Please see page MARCO A. If the cable is correct. This means that the router is getting carrier signal from the CSU/DSU. ZUNIGA C.168. try replacing the cable.

ZUNIGA C. Types of VPNs The following two types of VPN networks exist: n n Site-to-site Remote access © 2008 Cisco Systems. In other words. From the Library of 311 for more details. . Scalability: Because VPNs use the Internet. securely through the Internet. and telecommuters to the network. Inc. VPNs allow office locations and remote users to interconnect with each other. This publication is protected by copyright. the interconnected networks become part of the network as if they were connected through a leased line such as a classic WAN link.[ 302 ] SECTION 11 Introducing VPN Solutions CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Section 11 Introducing VPN Solutions What Is a VPN? Virtual Private Networks (VPN) provide an Internet-based WAN infrastructure of connecting branch offices. home offices. Security: VPNs use advanced encryption and authentication protocols to protect data from unauthorized access. Benefits of VPNs VPNs provide the following benefits: n n n Cost savings: VPNs enable organizations to use the Internet to interconnect offices. adding new users or organizations is easily done without changing the organization’s network infrastructure. All rights reserved. Please see page MARCO A. After they are connected through the secure VPN connection.

[ 303 ] SECTION 11 Introducing VPN Solutions CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Site-to-site VPNs are an extension of a classic WAN network.” The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all traffic from a particular site to the destination site. © 2008 Cisco Systems. A VPN gateway can be a router. Please see page MARCO A. Figure 11-2 shows an example of remote-access VPNs. a firewall. ZUNIGA C. Inc. Figure 11-1 shows an example of a site-to-site VPN. a VPN concentrator. . and each host connects through VPN client software. Remote VPNs can use any Internet-based medium to connect to the VPN. They connect entire networks to each other. mobile users. or a Cisco ASA series adaptive security appliance. The destination VPN gateway decrypts the traffic and forwards it to the private network. All traffic is sent and received through a VPN “gateway. This publication is protected by copyright. They connect individual hosts’ security to the company private network. FIGURE 11-1 Site-to-Site VPN Remote site or DSL cable Router or POP Internet Central site Intranet Extranet Business-to-Business Remote-access VPNs are used for telecommuters. All rights reserved. From the Library of 311 for more details. and extranet traffic.

All rights reserved. This publication is protected by copyright. ZUNIGA C. As shown in Figure 11-3. . From the Library of 311 for more details. Inc. two components of Cisco Easy VPN exist: n n Cisco Easy VPN Server Cisco Easy VPN Remote © 2008 Cisco Systems. Please see page MARCO A.[ 304 ] SECTION 11 Introducing VPN Solutions FIGURE 11-2 Remote-Access VPNs CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Remote access client DSL Cable POP Telecommuter POP Internet Central site or or Router or Mobile Extranet Business-to-Business Cisco Easy VPN Cisco Easy VPN is a cost-effective solution for deploying VPNs that is ideal for remote offices that have little IT support.

Cisco IOS IPsec/SSL VPNs Cisco IOS IPsec/SSL–based VPNs. It also terminates VPN tunnels in site-to-site VPNs. Inc. The VPN server can terminate VPN tunnels initiated by mobile and remote workers running Cisco VPN client software. Please see page MARCO A. Cisco ASA adaptive security appliance. WebVPNs allow an organization to extend secure remote access to almost any Internet-enabled host. . PIX firewalls. or WebVPNs. Cisco PIX firewall. Cisco ASA appliances. Because no client software is needed. ZUNIGA C. or a Cisco IOS router. This publication is protected by copyright. A WebVPN does not require client software to be installed on the endpoint host. provide remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. From the Library of 311 for more details. and Cisco VPN hardware clients to receive security polices from a Cisco Easy VPN server to minimize VPN configuration requirements at remote locations. All rights reserved. The Cisco VPN remote enables Cisco IOS routers. © 2008 Cisco Systems.[ 305 ] SECTION 11 Introducing VPN Solutions FIGURE 11-3 Cisco Easy VPN Components Easy VPN Server Easy VPN Clients Internet CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Headquarters Remote Office Workplace Resources The VPN server is a dedicated VPN gateway like a Cisco VPN concentrator.

This is done through checksums. Antirelay protection: Verifies that each packet is unique and not duplicated. thus allowing IPsec to support newer and better algorithms. IPsec provides the following four functions: n n n n Confidentiality (encryption): Packets are encrypted before being transmitting across a network. Please see page MARCO A. ZUNIGA C. Data integrity: The receiver can verify that the transmitted data was not altered or changed.[ 306 ] SECTION 11 Introducing VPN Solutions CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty VPN Components The hardware and software components that usually make up a VPN are as follows: n n n Cisco VPN-enabled IOS routers Cisco ASA adaptive security appliances VPN clients Introducing IPsec IPsec is an industry-standard protocol that acts at the network layer. keying or technology. . protecting and authenticating IP packets between IPsec peers (devices). Authentication: Ensures that the connection is made with the desired communication partner. All rights reserved. IPsec is not bound to any specific encryption or authentication algorithm. From the Library of 311 for more details. IPsec secures a path between a pair of gateways. © 2008 Cisco Systems. or a gateway and a host. This is done by comparing the sequence number of the received packets with a sliding window to the destination host or gateway. or security algorithms. This publication is protected by copyright. a pair of hosts. Inc.

rendering it unreadable. for encryption to work. These rules are based on an algorithm. IPsec supports the following encryption algorithms: n n Data Encryption Standard (DES): Uses a 56-bit key that ensures high-performance encryption. Please see page MARCO A. The data is digitally scrambled.[ 307 ] SECTION 11 Introducing VPN Solutions CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Confidentiality IPsec provides confidentiality by encrypting the data.00 One Hundred and xx/100 Dollars 4ehIDx67NMop9eR U78IOPotVBn45TR Internet 4ehIDx67NMop9eR U78IOPotVBn45TR Hmmm… I cannot read a thing. From the Library of 311 for more details. FIGURE 11-4 Encryption Confidentiality Pay to Terry Smith $100. the shorter the key. Triple DES (3DES): A variant of DES that breaks data into 64-bit blocks.00 One Hundred and xx/100 Dollars Encryption Algorithm Encryption Algorithm Pay to Terry Smith $100. the easier it is to break. ZUNIGA C. This publication is protected by copyright. Uses a symmetric key cryptosystem. Inc. Encryption Algorithms Encryption rules are based on an algorithm and key. © 2008 Cisco Systems. As shown in Figure 11-4. The degree of security depends on the length of the key of the encryption algorithm. each time with an independent 56-bit key. Uses a symmetric key cryptosystem. thus providing signification encryption strength over DES. . All rights reserved. both the sender and receiver must know the rules to transform the original message into its coded form. 3DES then processes each block three times.

Inc. This hash is added to the original message and forwarded to the remote host. 192-. The data integrity algorithm is called the Hash-based Message Authentication Code (HMAC). and 256-bit keys. HMAC . Data Integrity To ensure data integrity. The message and 160-bit shared secret key are combined and run through the SHA-1 hash algorithm. IPsec uses a data integrity algorithm that adds a hash to the message. HMAC is a type of message authentication code that uses a cryptographic hash function in combination with a secret key. The Diffie-Hellman (DH) Key Exchange is a public key exchange that exchanges symmetric shared secret keys used for encryption and decryption over an insecure channel. From the Library of 311 for more details. . The hash guarantees the integrity of the original message. producing a 128-bit hash. This hash is added to the original message and forwarded to the remote host. Two common HMAC algorithms used by IPsec are as follows: n HMAC . If the transmitted hash matches the received hash.[ 308 ] SECTION 11 Introducing VPN Solutions n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Advanced Encryption Standard (AES): Provides stronger encryption than DES and is more efficient than 3DES. Key lengths can be 128-. Diffie-Hellman Key Exchange Encryption algorithms such as DES and 3DES require a symmetric shared secret key to perform encryption and decryption. the message has not been tampered with. n © 2008 Cisco Systems. This publication is protected by copyright. Please see page MARCO A. The message and 128-bit shared secret key are combined and run through the MD5 hash algorithm. All rights reserved. ZUNIGA C. producing a 160-bit hash.Message Digest Algorithm 5 (MD5): Uses a 128-bit shared secret key.Secure Hash Algorithm-1 (SHA-1): Uses a 160-bit secret key.

. Inc. To do this. and integrity. the two main IPsec framework protocols are as follows: n Authentication Header (AH): AH provides authentication and data integrity for IPsec using the authentication and data integrity algorithms. Please see page MARCO A. As such. before a communication path is considered secure. As shown in Figure 11-5. and key exchange. Shamir. IPsec relies on existing algorithms to implement encryption. The two peer authentication methods are as follows: n n Pre-Shared Keys (PSK): Pre-Shared Keys are a secret key value entered into each peer manually that authenticates the peer. thus concealing the data payload and the identities of the source and destination. All rights reserved. AH can be used with ESP to provide data encryption and tamper-aware security features. the end devices must be authenticated. This publication is protected by copyright. From the Library of 311 for more details. AH does not encrypt packets and. Encapsulation Security Protocol (ESP): ESP provides encryption. used alone. and Adelman (RSA) signatures: RSA signatures use the exchange of digital certifications to authenticate the peers. authentication. authentication. provides weak protection. n © 2008 Cisco Systems.[ 309 ] SECTION 11 Introducing VPN Solutions CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Authentication In a VPN. Rivest. IPsec Protocol Framework IPsec is a framework of open standards that spells out the rules for secure communications. ESP encrypts the IP packet and the ESP header. ZUNIGA C.

[ 310 ] SECTION 11 Introducing VPN Solutions FIGURE 11-5 IPsec Framework Protocols Authentication Header Router A All data in clear text Router B CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Encapsulating Security Payload Router A Data payload is encrypted Router B AH provides the following: • Authentication • Integrity ESP provides the following: • Encryption • Authentication • Integrity Figure 11-6 shows the standard algorithms that IPsec uses. . This publication is protected by copyright. ZUNIGA C. All rights reserved. FIGURE 11-6 IPsec Framework and Authentication Protocols IPsec Protocol ESP Encryption IPsec Framework Choices: ESP +AH 3 DES AH DES AES Authentication MD5 SHA Diffie-Hellman DH1 DH2 DH5 © 2008 Cisco Systems. Inc. Please see page MARCO A. From the Library of 311 for more details.

Inc. which may include electronic versions and/or custom covers and content particular to your business. The information is provided on an “as is” basis. Use of a term in this digital Short Cut should not be regarded as affecting the validity of any trademark or service mark. From the Library of MARCO A. and branding interests.com. The authors.S. electronic or mechanical. Inc. First Digital Edition July 2007 ISBN-10: 1-58705-460-4 ISBN-13: 978-1-58705-460-0 Feedback Information At Cisco Press. please contact: U. our goal is to create in-depth technical Short Cuts of the highest quality and value. Inc. Cisco Press or Cisco Systems. without written permission from the publisher. Each Short Cut is crafted with care and precision. marketing focus. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital Short Cut. or by any information storage and retrieval system. undergoing rigorous development that involves the unique expertise of members of the professional technical community. you can contact us through e-mail at feedback@ciscopress. Corporate and Government Sales 1800-382-3419 corpsales@pearsontechgroup.[ 311 ] CCNA Quick Reference Sheets Eric Rivard Jim Doherty Copyright © 2008 Cisco Systems. For more information. cannot attest to the accuracy of this information. Cisco Press. and Cisco Systems. or otherwise alter it to better suit your needs. ZUNIGA C. No part of this digital Short Cut may be reproduced or transmitted in any form or by any means. but no warranty or fitness is implied. Every effort has been made to make this digital Short Cut as complete and accurate as possible.com Warning and Disclaimer This digital Short Cut is designed to provide information about the CCNA exam. including photocopying. We greatly appreciate your assistance. Corporate and Government Sales The publisher offers excellent discounts on this digital Short Cut when ordered in quantity for bulk purchases or special sales. For sales outside the United States please contact: International Sales international@pearsoned. The opinions expressed in this digital Short Cut belong to the authors and are not necessarily those of Cisco Systems. training goals. recording. . except for the inclusion of brief quotations in a review. If you have any comments on how we could improve the quality of this digital Short Cut. Reader feedback is a natural continuation of this process. Indiana 46240 USA All rights reserved. Trademark Acknowledgments All terms mentioned in this digital Short Cut that are known to be trademarks or service marks have been appropriately capitalized. Published by: Cisco Press 800 East 96th Street Indianapolis. Inc.com. Please be sure to include the digital Short Cut title and ISBN in your message.

Master your semester with Scribd & The New York Times

Special offer for students: Only $4.99/month.

Master your semester with Scribd & The New York Times

Cancel anytime.
ciscoexam-online-sale-200-125-exam    | udemy-newccnax-sale-200-125-exam    | whats-new-with-ccna-sale-200-125-exam    | ccna-practice-quiz-sale-200-125-exam    | What-is-the-difference-sale-200-125-exam-cert    | boson-practice-sale-200-125-exam-practice    | measureup-Cisco-Certified-Network-Associate-sale-200-125-exam    | globed-cisco-new-ccna-sale-200-125-exam-standard    | exam-labs-sale-200-125-exam-cert    | streaming-ccna-sale-200-125-exam-technologies    | caring-charts-blood-pressure-sale-200-125-exam    | pluralsight-courses-networking-cisco-sale-200-125-exam    | pearsonitcertification-articles-sale-200-125-exam    | safaribooksonline-library-sale-200-125-exam-routing    | learncisco-ccna.php-sale-200-125-exam-tast    | protechgurus-fees-syllabus-sale-200-125-exam    | certificationkits-cisco-ccna-sale-200-125-exam-standard-kit    | zeqr-lazaro-diaz-course-sale-200-125-exam    | 9tut-faqs-tips-sale-200-125-exam    | scribd-document-CCNA-sale-200-125-exam    | itunes-ccnax-sale-200-125-exam    | linkedin-cisco-sale-200-125-exam-questions-details    | teachertube-ccna-sale-200-125-exam-practice    | killexams-detail-sale-200-125-exam    | examsboost-test-sale-200-125-exam    | ccnav6-online-full-collections-sale-200-125-exam    | spiceworks-topic-sale-200-125-exam    | behance-gallery-sale-200-125-exam    | vceguide-share-experience-sale-200-125-exam    | techexams-forums-ccna-sale-200-125-exam    | free4arab-sale-200-125-exam    | openlearning-courses-sale-200-125-exam    | mindhub-Cisco-Certified-Network-sale-200-125-exam    | vceplus-ccna-exam-sale-200-125-exam    | examsforall-cisco-sale-200-125-exam    | how2pass-ccna-practice-tests-sale-200-125-exam    | simulationexams-details-ccna-sale-200-125-exam    | teksystems-sale-200-125-exam-routing-switching    | cram-flashcards-sale-200-125-exam    | pass4cert-cisco-new-ccna-sale-200-125-exam    | snatpedia-ccnaa-sale-200-125-exam    | cert4sure-free-download-sale-200-125-exam    | logicindia-ccnarouting-switching-sale-200-125-exam    | justcerts-practice-questions-sale-200-125-exam    | isc2-cissp-sale-CISSP-exam    | infosecinstitute-cissp-boot-camp-sale-CISSP-exam    | tomsitpro-security-certifications-sale-CISSP-125-exam    | infoworld-cissp-certification-sale-CISSP-exam    | welivesecurity.com-cissp-certified-sale-CISSP-exam    | searchsecurity-definition-sale-CISSP-exam    | simplilearn-cyber-security-training-sale-CISSP-exam    | arstechnica-security-sale-CISSP-exam    | cybrary-course-cissp-sale-CISSP-exam    | skillset-cissp-sale-CISSP-exam    | transcender-certprep-sale-CISSP-exam    | pearsonvue-sale-CISSP-exam-cert    | gocertify-isc2-issp-sale-CISSP-exam    | trainingcamp-training-bootcamp-sale-CISSP-exam    | cbtnuggets-security-sale-CISSP-exam    | cglobalknowledge.com-us-en-sale-CISSP-exam    | itgovernance-cissp-sale-CISSP-exam    | boson-certification-sale-CISSP-exam    | firebrandnordic-training-sale-CISSP-exam    | firebrandnordic-sale-CISSP-exam-123    | cybervista-sale-CISSP-exam-cert    | becker-sale-CISSP-exam-pdf    | youracclaim-certified-information-sale-CISSP-exam    | techexams-forums-sale-CISSP-exam    | munitechacademy-courses-sale-CISSP-exam    | hot-topics-cyber-security-courses-sale-CISSP-exam    | pearsonitcertification-sale-CISSP-exam    | sybextestbanks-wiley-sale-CISSP-exam    | lifewire-preparing-sale-CISSP-exam    | villanovau.com-resources-iss-sale-CISSP-exam    | intenseschool-boot-sale-CISSP-exam    | phoenixts-training-sale-CISSP-exam    | infosecisland-blogview-sale-CISSP-exam    | centralohioissa-member-sale-CISSP-exam    | learningtree-courses-certified-information-sale-CISSP-exam    | udallas.edu-executive-education-sale-CISSP-exam    | umbctraining-Courses-catalog-sale-CISSP-exam    | skyhighnetworks-cloud-security-sale-CISSP-exam    | helpnetsecurity-cert-sale-CISSP-exam    | secureninja-certification-bootcamp-sale-CISSP-exam    | mercurysolutions-information-sale-CISSP-exam    | exam-labs-info-sale-100-105-exam-pdf    | cbtnuggets-training-ccna-icnd1-sale-100-105-exam    | gocertify-ccent-practice-quiz-sale-100-105-exam    | ciscopress.com-ccna-icnd1-sale-100-105-exam    | boson-practice-sale-100-105-exam    | examcollectionuk-vce-download-sale-100-105-exam    | pearsonitcertification-articles-sale-100-105-exam    | transcender-practice-sale-100-105-exam-test    | techexams-forums-ccna-ccent-sale-100-105-exam    | shop-oreilly-sale-100-105-exam    | safaribooksonline-library-view-sale-100-105-exam    | subnetting-download-ccent-sale-100-105-exam    | 2cram-icnd1-online-quiz-sale-100-105-exam    | networklessons-routing-sale-100-105-exam    | centriq-123-ccna-certification-sale-100-105-exam    | ituonline-interconnecting-sale-100-105-exam    | transcender-introducing-the-new-sale-100-105-exam    | measureup-Networking-Devices-Part-sale-100-105-exam    | vceguide-icnd1-experience-sale-100-105-exam    | dumpscollection-dumps-sale-100-105-exam    | computerminds-business-sale-100-105-exam    | globed-ccent-or-icnd1-sale-100-105-exam    | ucertify-load-course-sale-100-105-exam    | academy-gns3-sale-100-105-exam    | visiontrainingsystems-product-sale-100-105-exam    | pearsonhighered-program-Wilkins-CCENT-sale-100-105-exam    | vceplus-ccent-sale-100-105-exam    | mindhub-Interconnecting-sale-100-105-exam    | sale-70-410-exam    | we-sale-70-410-exam    |
http://mleb.net/    | http://mleb.net/    |