CCNA Quick Reference Sheets
Eric Rivard, Jim Doherty

ICND1
1 Building a Simple Network ..... 3
2 Understanding TCP/IP ..... 17
3 Understanding Ethernet ..... 32
4 LAN Network Topologies ..... 42
5 Operating Cisco IOS ..... 51
6 Configuring a Cisco Switch ..... 57
7 Extending the LAN ..... 78
8 Exploring the Functions of Routing ..... 88
9 Configuring a Cisco Router ..... 105
10 Understanding WAN Technologies ..... 130
11 RIP Routing ..... 153
12 Managing Your Network Environment ..... 164

ICND2
1 Implementing VLANS and Trunks ..... 172
2 Redundant Switching and STP ..... 183
3 Troubleshooting Switched Networks ..... 203
4 Routing Operations and VLSM ..... 210
5 Implementing OSPF in a Single Area ..... 230
6 Implementing EIGRP ..... 247
7 Managing Traffic with ACLs ..... 257
8 Managing Address Space with NAT and IPv6 ..... 270
9 Establishing Serial Point-to-Point Connections ..... 281
10 Establishing Frame Relay Connections ..... 291
11 Introducing VPN Solutions ..... 302

ciscopress.com

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

About the Authors
Eric Rivard, A+, MCSE, CCNP, CCSE, is an IT manager at Valley Center Municipal Water District. Over the past several years, he has taught professionals in both academic and industry settings topics on SCADA, Windows, networking, and IT security. Before joining Valley Center MWD, Eric was a network and security consultant in the San Diego area. He is the author of the first and second edition of the CCNA Flash Cards and Exam Practice Pack. He holds a B.S. in information technology from the University of Phoenix. He lives with his wife and two children in Oceanside, CA.

Jim Doherty is currently the director of strategic marketing with Symbol Technologies. Prior to joining Symbol, Jim worked at Cisco Systems, where he led marketing campaigns for IP telephony, and routing and switching. Over the past several years, he has taught professionals in both academic and industry settings on a broad range of topics, including networking, electric circuits, statistics, and wireless communication methods. Jim is the coauthor of Cisco Networking Simplified and wrote the “Study Notes” section of the CCNA Flash Cards and Exam Practice Pack. Jim holds a B.S. in electrical engineering from N.C. State University and an MBA from Duke University. Jim also served in the United States Marine Corps, where he earned the rank of sergeant before leaving to pursue an education.

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page 311 for more details.


SECTION 1 Building a Simple Network


ICND1
Part I: Summarizing Network Technology

Section 1 Building a Simple Network
Exploring the Functions of Networking
A network is a collection of devices and end systems. Networks consist of computers, servers, and network devices, such as switches and routers, that can communicate with each other.

Common Physical Components of a Network
Figure 1-1 shows the four major categories of physical components on a network:
- Personal computers (PCs): Send and receive data and are the endpoints of the network.
- Interconnections: The components that provide a means for data to travel across the network. This includes network interface cards (NIC), network media, and connectors.
- Switches: Provide network access for the PCs.
- Routers: Interconnect networks.

FIGURE 1-1 Network Components (figure: two PCs attached to a switch, the switch attached through an interconnection to a router, and the router attached through a further interconnection to the Internet)

Networking Fundamentals
Networking has its own jargon and common terms. The following terms are used throughout the industry and appear many times in this study guide:
- Network interface card (NIC): Connects a computer to a LAN.
- Medium: The physical transport used to carry data. Most of the time, this can be just a cable (twisted-pair or fiber), but it also includes air (for wireless transmission).
- Protocol: A set of communication rules used by computer or network devices.
- Cisco IOS Software: The most widely deployed network system software. Cisco IOS services include basic connectivity, security, network management, and other advanced services.
- Client: A computer or program that requests information from a server.
- Server: A computer or program that provides services or information to clients.
- Network operating system (NOS): Refers to the operating system running on servers. This includes Windows 2003 Server, Novell NetWare, UNIX, and Linux.
- Connectivity device: Any device that connects cable segments, connects two or more small networks into a larger one, or divides a large network into small ones.

- Local-area network (LAN): A network confined to a small geographic area. This can be a room, building, or campus.
- Wide-area network (WAN): Interconnects LANs using leased carrier lines or satellite technology over a large geographic location.
- Physical topology: A network’s physical shape. These shapes include linear bus, ring, star, and mesh.
- Logical topology: The path that data takes from one computer to another.

Why Network Computers?
One of the primary functions of a network is to increase productivity by linking computers and computer networks. Corporate networks are typically divided into user groups, which are usually based on groups of employees. Remote-access locations, such as branches, home offices, and mobile workers, usually connect to the corporate LAN using a WAN service.

Resource-Sharing Functions and Benefits
Networks allow users to share resources and data. Major resources that are shared are as follows:
- Data and applications: Consist of computer data and network-aware applications such as e-mail.
- Resources: Include input and output devices such as cameras and printers.
- Network storage: Consists of directly attached storage devices (physical storage that is directly attached to a computer and shared server), network attached storage, and storage area networks.
- Backup devices: Devices that back up files and data from multiple computers.


Networking Applications
Networking applications are computer programs that run over networks.

Network User Applications
Network user applications include the following:
- E-mail
- Web browsers
- Instant messaging
- Collaboration
- Databases

Categories of Network Applications
Network applications function in one of three ways, with each application function affecting the network in different ways:
- Batch applications: Started by a human and complete on their own without further interaction. FTP and TFTP are examples.
- Interactive applications: Include database updates and queries. A person requests data from the server and waits for a reply. Response time is typically more dependent on the server than the network.
- Real-time applications: Include Voice over IP (VoIP) and video. Network bandwidth is critical because these applications are time critical. Quality of service (QoS) and sufficient network bandwidth are mandatory for these applications.


Network Administration Applications
Network administration applications help manage a network. These applications configure, monitor, and troubleshoot a network. Network administration applications fall into two general categories:
- Network monitoring: Examples are protocol analyzers and network sniffers. Protocol analyzers capture network packets between computers and decode the packets for easy reading. Sniffers allow you to view not only the communication between computers but also the data that is being transmitted.
- Network management: Helps make managing a network easier by providing device inventory, software license compliance, remote control of devices, and notifications of network problems.

Characteristics of a Network
Networks are characterized using the following terms:
- Speed: Also called data rate, speed is how fast data is transmitted over the network.
- Cost: The general cost of network components, installation, and maintenance.
- Security: Defines how secure the network and network data are.
- Availability: The measure of the likelihood that the network will be available for use when required. Calculated using the following formula: [(525,600 – Minutes downtime) / 525,600] * 100. 525,600 is the number of minutes in a year.
- Scalability: How well the network can accommodate more users and more data.
- Reliability: The dependability of the devices that make up the network (for example, routers, switches, PCs, and so on).
- Topology: Defines the design of the network. Physical topology defines the physical components of the network: cables, network devices, and so on. Logical topology defines the data path of the network.

Network Security
Network security involves securing the network from external and internal threats. External threats are threats external to the company or network. Internal threats are threats that originate from within the company network and might be intentional or unintentional. Network security involves finding a balance between open and evolving networks and protecting company and private data.

Classes of Attacks
The following five classes of network attacks exist:
- Passive: Attacks that include capturing and monitoring unprotected communication and capturing passwords. The attacker gains access to information or data without the consent or knowledge of users.
- Active: Attacks that actively try to break or bypass security devices, introduce malicious code, and steal and modify data.
- Close-in: Attacks attempted by an individual in close physical proximity to networks or facilities, with the intent of gathering or changing data.
- Insider: Attacks that occur from authorized users inside a network. Can be either malicious or nonmalicious.
- Distribution: Attacks that focus on malicious changes to hardware or software at the factory or during distribution to introduce malicious code to unsuspecting users.

Network Security Process
Network security is an ongoing process that continually evolves. Figure 1-2 shows the network security wheel; the four facets are as follows:
- Secure: Involves installing and configuring devices for security.
- Monitor: After the network has been secured, it must be monitored to ensure security.
- Test: Involves testing systems to ensure that they function properly.
- Improve: After monitoring and testing, you might need to improve the security of the network.

FIGURE 1-2 Network Security Wheel (figure: a cycle of Secure, Monitor and Respond, Test, and Manage and Improve arranged around a central Corporate Security Policy)

Mitigating Physical and Environmental Threats
Low-risk devices are typically low-end devices where access to the physical devices and cabling does not present a high risk to the network. High-risk devices are mission-critical devices that route and control large amounts of data, voice, and video traffic. The four classes of physical threats are as follows:
- Hardware: Physical damage to the router or switch. Mitigation involves restricting access to the hardware device to only authorized personnel.
- Electrical: Voltage spikes, brownouts, noise, and power losses. Mitigation includes using uninterruptible power supplies (UPS) and backup generators.
- Environmental: Room-temperature extremes or humidity extremes. Mitigation involves providing climate-controlled rooms for critical network devices.
- Maintenance: Electrostatic discharge, poor cabling, and lack of critical spares.

Reconnaissance Attacks
Reconnaissance attacks are attacks that gather information about the target. These types of attacks include sniffers, ping sweeps, port scans, and Internet Domain Name System (DNS) queries.

Access Attacks
Access attacks exploit known web services, databases, operating systems, and authentication services. The five types of access attacks are as follows:
- Password attacks: Attacks that try to compromise passwords. These include brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Mitigation of these attacks includes disabling accounts after a specific number of unsuccessful login attempts, having complex password requirements, and not using plain-text passwords.
- Trust exploitation: Attacks that occur when a trusted source on a network takes advantage of its trust. For example, if a trusted system on a network is compromised, it can lead to other systems being compromised on the same network.
- Port redirection: Attacks that use a compromised host to pass traffic through a firewall that would otherwise be dropped.
- Man-in-the-middle attacks: Attacks that occur when an attacker, using sniffers, captures and modifies information as it is transmitted from one network to another. These attacks require access to the network media or devices between the source and destination.
- Buffer overflow: These attacks exploit programming errors that can result in a memory-access exception and program termination or a breach of system security.

Application Layer Attacks
Application layer attacks try to exploit well-known vulnerabilities and passwords. They have the following characteristics:
- Exploiting well-known weaknesses in software found on servers such as sendmail, HTTP, and FTP to gain elevated access rights to the computer running the software.

- Trojan horse programs that monitor login attempts and capture account information. These programs then send the information to the attacker.
- Password stealing by prompting the user to enter the system password to gain access to the user’s system or accounts.
- Java and ActiveX attacks that pass malicious programs to users through a web browser.

Application Layer Attacks and Mitigation
Several ways to mitigate application layer attacks are as follows:
- Read system and device logs.
- Subscribe to mailing lists that publicize current software vulnerabilities and attacks.
- Patch computers and devices regularly.
- Use intrusion detection systems/intrusion prevention systems (IDS/IPS) to scan and stop network attacks.

Management Protocol and Vulnerabilities
Protocols used to manage network devices, such as Telnet, can be a vulnerability because Telnet sends all session data in clear text. Instead, use Secure Shell (SSH), Secure Socket Layer (SSL), or IPsec. Other network protocols that can be compromised and should be secured and monitored are as follows:
- Simple Network Management Protocol (SNMP)
- Syslog
- TFTP
- Network Time Protocol (NTP)
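Two of the mitigations above, locking an account after a set number of failed logins and reading device logs, and the warning about clear-text Telnet can be checked mechanically against a device's syslog output. The following is an added example, not code from the book: it parses constructed log lines loosely modelled on the Cisco IOS %SEC_LOGIN message format (the lines, the lockout threshold of 3, and every function name are this example's own assumptions) and reports which user/source pairs have reached the lockout threshold and which logins arrived over Telnet.

```python
"""Spot password-guessing and clear-text management logins in device logs.

Added example, not from the book. The log lines below are constructed for
this example, loosely modelled on Cisco IOS %SEC_LOGIN messages; the
threshold and function names are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real captures).
SAMPLE_LOGS = """\
Jan 10 08:01:12 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.7] [localport: 22]
Jan 10 08:01:15 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.7] [localport: 22]
Jan 10 08:01:19 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.7] [localport: 22]
Jan 10 08:02:03 router1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.9] [localport: 22]
Jan 10 08:02:40 router1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.7] [localport: 23]
Jan 10 08:03:11 router1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.9)
"""

# Pull outcome, user, source address and local port out of a login line.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<outcome>LOGIN_FAILED|LOGIN_SUCCESS).*?"
    r"\[user: (?P<user>[^\]]+)\].*?\[Source: (?P<src>[^\]]+)\].*?\[localport: (?P<port>\d+)\]"
)

TELNET_PORT = 23   # Telnet sends all session data in clear text


def parse_login_events(text):
    """Return one dict per login line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        match = LOGIN_RE.search(line)
        if match:
            events.append({"outcome": match.group("outcome"),
                           "user": match.group("user"),
                           "src": match.group("src"),
                           "port": int(match.group("port"))})
    return events


def failed_attempts(events):
    """Count failed logins per (user, source) pair."""
    counts = defaultdict(int)
    for event in events:
        if event["outcome"] == "LOGIN_FAILED":
            counts[(event["user"], event["src"])] += 1
    return dict(counts)


def lockout_candidates(events, threshold=3):
    """(user, source) pairs that reached the failure threshold and should be locked out."""
    return {pair for pair, n in failed_attempts(events).items() if n >= threshold}


def cleartext_management_logins(events):
    """Login attempts that arrived over Telnet rather than SSH."""
    return [event for event in events if event["port"] == TELNET_PORT]


if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOGS)
    print("lock out:", sorted(lockout_candidates(events)))
    print("telnet logins:", cleartext_management_logins(events))
```

The threshold is a parameter so the same parser can feed a stricter policy; in practice the lockout itself is enforced on the device, and this kind of script is the log-reading check that confirms the policy is triggering.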

Host-to-Host Communication Model
For different vendor hosts to communicate with each other, a consistent model or standard is needed.

OSI Reference Model
The OSI model is a standardized framework for network functions and schemes. It breaks otherwise complex network interaction into simple elements, which lets developers modularize design efforts. This method allows many independent developers to work on separate network functions, which can be applied in a “plug-and-play” manner. The OSI model consists of seven layers, as outlined in Table 1-1.

TABLE 1-1 OSI Model
Layer                   Function                                                                   Examples
Application (Layer 7)   User interface.                                                            Telnet, HTTP
Presentation (Layer 6)  Handles encryption and other processing.                                   ASCII/EBCDIC, JPEG/MP3
Session (Layer 5)       Manages multiple applications.                                             Operating systems, scheduling
Transport (Layer 4)     Provides reliable or best-effort delivery and some error correction.       TCP, UDP
Network (Layer 3)       Provides logical addressing used by routers and the network hierarchy.     IP
Data link (Layer 2)     Creates frames from bits of data, uses MAC addresses to access endpoints,  802.3, 802.2, HDLC, Frame Relay
                        and provides error detection but no correction.
Physical (Layer 1)      Specifies voltage, wire speed, and cable pin-outs.                         EIA/TIA, V.35

Encapsulation and De-encapsulation
Protocol data units (PDU) communicate between layers. A PDU can include different information as it goes up or down the OSI model. It is given a different name according to the information it is carrying (the layer it is at). When the transport layer receives upper-layer data, it adds a TCP or User Datagram Protocol (UDP) header to the data; this is called a segment. The segment is then passed to the network layer, and an IP header is added; thus, the data becomes a packet. The packet is passed to the data link layer, thus becoming a frame. This frame is then converted into bits and is passed across the network medium. This is data encapsulation. For the ICND exam, you should know the following:
- Application layer: Data
- Transport layer: Segment
- Network layer: Packet
- Data link layer: Frame
- Physical layer: Bits

Peer-to-Peer Communication
For packets to travel from a source to a destination, each OSI layer of the source computer must communicate with its peer at the destination. As shown in Figure 1-3, each part of the message is encapsulated by the layer below it, and it is unwrapped at the destination for use by the corresponding layer. Encapsulation is the method of adding headers and trailers as the data moves down the communication stack. The receiving device strips the header, which contains information for that layer (de-encapsulation).

FIGURE 1-3 Data Encapsulation (figure: at the application, presentation, and session layers the PDU is Upper Layer Data; the transport layer adds a TCP header to form a segment; the network layer adds an IP header to form a packet; the data link layer adds LLC and MAC headers and an FCS trailer to form a frame; the physical layer transmits bits, 0101110101001000010)

TCP/IP Stack
The TCP/IP suite of protocols communicates across any set of interconnected networks. These protocols, initially developed by the Defense Advanced Research Projects Agency (DARPA), are well suited for communication across both LANs and WANs. The protocol suite defines the following four layers:
- Network access layer: Consists of the physical and data link OSI model layers
- Internet layer: Provides routing of data from the source to a destination and defines addressing schemes
- Transport layer: The core of the TCP/IP suite, providing communication services directly to the application layer
- Application layer: Provides specifications of applications such as e-mail, file transfer, and network management

TCP/IP Stack Versus OSI Model
Figure 1-4 shows the TCP/IP model. The TCP/IP protocol stack closely follows the OSI reference model. All standard Layer 1 and Layer 2 protocols are supported (called the network interface layer in TCP/IP).

FIGURE 1-4 OSI Versus TCP/IP Model (figure: the TCP/IP stack layers Application, Transport, Internet, and Network Access drawn beside the OSI reference model layers Application, Presentation, Session, Transport, Network, Data Link, and Physical; the TCP/IP Application layer spans the OSI Application, Presentation, and Session layers, and Network Access spans Data Link and Physical)

Section 2 Understanding TCP/IP
TCP/IP Overview
The TCP/IP suite of protocols is used to communicate across any set of interconnected networks. The protocols initially developed by DARPA are well suited for communication across both LANs and WANs. The protocol suite includes Layer 3 and Layer 4 specifications as well as specifications for higher-layer applications, such as e-mail and file transfer.

Internet Protocol (IP)
IP is a connectionless protocol that provides best-effort delivery routing of packets. IP has the following characteristics:
- Operates at Layer 3 of the OSI (network) and Layer 2 of the TCP/IP (Internet) model
- Is connectionless
- Uses hierarchical addressing
- Provides best-effort delivery of packets
- Has no built-in data recovery
Figure 2-1 shows the IP header information.

FIGURE 2-1 IP Header (20 bytes without options; field widths in bits, one 32-bit row per line)
- Version (4), Header Length (4), Priority & Type of Service (8), Total Length (16)
- Identification (16), Flags (3), Fragment offset (13)
- Time to live (8), Protocol (8), Header checksum (16)
- Source IP Address (32)
- Destination IP Address (32)
- Options (0 or 32 if any)
- Data (varies if any)

IP Addressing
In a TCP/IP environment, each node must have a unique 32-bit logical IP address. Each IP datagram includes the source and destination IP address in the header. As shown in Figure 2-2, IP addresses consist of two parts: the network address portion (network ID) and the host address component (host ID). A two-part addressing scheme allows the IP address to identify both the network and the host:
- All the endpoints within a network share a common network number.
- The remaining bits identify each host within that network.

FIGURE 2-2 Two-Part IP Addresses (figure: a 32-bit address written as four 8-bit octets, 11111111.11111111.11111111.11111111 in binary and 255.255.255.255 in dotted decimal, divided into a network portion and a host portion)

IP Address Classes
Five classes of IP addresses exist: classes A through E. Classes A, B, and C are the most common. Class A has 8 network bits and 24 host bits. Class B has 16 network bits and 16 host bits. Class C addresses allow many more networks, each with fewer hosts (24 network bits and 8 host bits). This scheme was based on the assumption that the world would have many more small networks than large networks. Class D addresses are used for multicast purposes, and Class E addresses are used for research. Figure 2-3 shows the address range for classes A–D.

FIGURE 2-3 A Through D IP Address Classes
- Class A: first octet 0NNNNNNN, range 1-126; bits 1-8 network, bits 9-32 host
- Class B: first octet 10NNNNNN, range 128-191; bits 1-16 network, bits 17-32 host
- Class C: first octet 110NNNNN, range 192-223; bits 1-24 network, bits 25-32 host
- Class D: first octet 1110MMMM, range 224-239; bits 1-32 multicast group

Reserved IP Addresses
Some IP addresses in TCP/IP are reserved for specific purposes. These addresses cannot be assigned to individual devices on a network. The reserved addresses are as follows:
- Network address: An IP address that has all binary 0s in the host bit portion of the address. For example, 172.16.0.0/16.
- Directed broadcast address: An IP address that has all binary 1s in the host bit portion of the address. Used to send data to all devices on the network. For example, 172.16.255.255/16.
- Local broadcast address: An address used if a device wants to communicate with all devices on the local network. The address is 255.255.255.255.
- Loopback address: Used by the TCP/IP stack to test TCP/IP by sending a message internally to itself. The address is 127.0.0.1.

Private IP Addresses
RFC 1918 defines IP addresses that are reserved for use in private networks. The IP addresses are not routed on the Internet. Three blocks of IP addresses are reserved for private networks:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255
Networks using private addresses can still connect to the Internet if they use Network Address Translation (NAT).
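The class rules of Figure 2-3, the network and directed-broadcast definitions above, and the three RFC 1918 blocks are all bit tests on the 32-bit address, so they can be written as a few functions. This is an added example, not code from the book: it derives the class from the leading bits of the first octet, splits an address into network ID and host ID with its classful mask, names the reserved role of an address, and tests RFC 1918 membership. The function names and the decision to report 127.x.x.x as loopback before applying the class test are this example's own choices.

```python
"""Classful IPv4 address helpers.

Added example, not from the book. Implements the class, reserved-address
and private-address rules of the text as runnable functions; names are
this example's own.
"""

# Classful network prefix length per class (Figure 2-3); D and E have none.
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}

# RFC 1918 private blocks as (first address, prefix length).
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def parse_ipv4(dotted):
    """Dotted decimal -> 32-bit integer, rejecting malformed input."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % dotted)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %r" % dotted)
        value = (value << 8) | n
    return value


def format_ipv4(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(dotted):
    """Class A-E from the leading bits of the first octet (Figure 2-3)."""
    first = parse_ipv4(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"      # 0NNNNNNN, first octet 1-126 (127 is loopback)
    if first >> 6 == 0b10:
        return "B"      # 10NNNNNN, 128-191
    if first >> 5 == 0b110:
        return "C"      # 110NNNNN, 192-223
    if first >> 4 == 0b1110:
        return "D"      # 1110MMMM, 224-239, multicast
    return "E"          # 240-255, reserved for research


def classful_split(dotted):
    """Network ID, host ID, and directed broadcast for a class A, B or C
    address under its classful mask; None for classes D and E."""
    cls = address_class(dotted)
    prefix = CLASSFUL_PREFIX.get(cls)
    if prefix is None:
        return None
    value = parse_ipv4(dotted)
    host_bits = 32 - prefix
    net_mask = (0xFFFFFFFF >> host_bits) << host_bits
    host_mask = 0xFFFFFFFF >> prefix
    return {
        "class": cls,
        "prefix": prefix,
        "network_id": format_ipv4(value & net_mask),            # host bits all 0
        "host_id": value & host_mask,
        "directed_broadcast": format_ipv4(value | host_mask),   # host bits all 1
    }


def is_private(dotted):
    """True if the address falls in one of the three RFC 1918 blocks."""
    value = parse_ipv4(dotted)
    for base, prefix in PRIVATE_BLOCKS:
        mask = (0xFFFFFFFF >> (32 - prefix)) << (32 - prefix)
        if value & mask == parse_ipv4(base):
            return True
    return False


def address_kind(dotted):
    """Name the reserved role of an address, or 'host' if it is assignable."""
    value = parse_ipv4(dotted)
    if value == 0xFFFFFFFF:
        return "local broadcast"
    if value >> 24 == 127:
        return "loopback"
    info = classful_split(dotted)
    if info is None:
        return "multicast" if address_class(dotted) == "D" else "reserved"
    if info["host_id"] == 0:
        return "network address"
    if info["host_id"] == (0xFFFFFFFF >> info["prefix"]):
        return "directed broadcast"
    return "host"
```

Note that the RFC 1918 test uses the blocks' real prefix lengths (/8, /12, /16), which is why 172.31.255.255 is private but 172.32.0.1 is not, even though both are class B addresses.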

Tools to Determine the IP Address of a Host
- Windows OS: ipconfig is a command-line tool in Windows operating systems that finds the TCP/IP parameters assigned to a host.
- UNIX/Linux: ifconfig determines the TCP/IP information of a host.

TCP/IP Transport Layer
The TCP/IP model transport layer is responsible for the following:
- Session multiplexing
- Segmentation
- Flow control
- Connection-oriented or connectionless transport
- Reliable or unreliable data transport
Two protocols function at the transport layer: UDP and TCP. UDP is a connectionless, best-effort delivery protocol. TCP is a connection-oriented, reliable protocol.

UDP
UDP is a connectionless, best-effort protocol used for applications that provide their own error-recovery process. It trades reliability for speed. UDP does not check for segment delivery. UDP is simple and efficient but unreliable. Figure 2-4 shows the UDP header.

FIGURE 2-4 UDP Header (8 bytes; field widths in bits, one 32-bit row per line)
- Source port (16), Destination port (16)
- Length (16), Checksum (16)
- Data (if any)

TCP
TCP is a connection-oriented, reliable protocol that is responsible for breaking messages into segments and reassembling them at the destination (resending anything not received). TCP also provides virtual circuits between applications. Figure 2-5 shows the TCP header.

FIGURE 2-5 TCP Header (20 bytes without options; field widths in bits, one 32-bit row per line)
- Source port (16), Destination port (16)
- Sequence number (32)
- Acknowledgment number (32)
- Header Length (4), Reserved (6), Code bits (6), Window (16)
- Checksum (16), Urgent (16)
- Options (0 or 32 if any)
- Data (varies)
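The encapsulation sequence from the Section 1 text (data, segment, packet, frame, bits) can be carried out on real bytes with the header layouts of Figure 2-1 (IP) and Figure 2-4 (UDP). The following is an added example, not code from the book: it builds each PDU from the one above it, fills in the IP header checksum as RFC 791 defines it, then de-encapsulates the frame one header at a time and verifies the checksum the way a receiver does. The MAC header is a bare Ethernet II header with no LLC header and no FCS, and the UDP checksum is left at zero (which IPv4 permits); both are simplifications of this example, as are the addresses and function names.

```python
"""Encapsulate application data down to a frame and de-encapsulate it again.

Added example, not from the book. Builds the PDUs named in the
encapsulation section with the header fields of Figure 2-1 (IP) and
Figure 2-4 (UDP): data -> segment -> packet -> frame -> bits. Ethernet
header without LLC or FCS and a zero UDP checksum are simplifications.
"""
import struct

UDP_PROTOCOL = 17        # IP header Protocol field value for UDP
ETHERTYPE_IPV4 = 0x0800  # Ethernet type field for an IPv4 packet


def ip_checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement sum
    of the header's 16-bit words. Run over a header whose checksum field is
    already filled in, it returns 0; that is the receiver's check."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_port, dst_port, data):
    """Transport layer: 8-byte UDP header (Figure 2-4) + data = segment."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def build_packet(src_ip, dst_ip, protocol, segment, ttl=64, ident=1):
    """Internet layer: 20-byte IP header (Figure 2-1) + segment = packet."""
    version_ihl = (4 << 4) | 5                  # IPv4, header length 5 x 32-bit words
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # Fields: Version/IHL, ToS, Total Length, Identification, Flags+Fragment
    # offset, TTL, Protocol, Header checksum (0 for now), Source, Destination.
    header = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + len(segment),
                         ident, 0, ttl, protocol, 0, src, dst)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def build_frame(src_mac, dst_mac, packet):
    """Network access layer: MAC header + packet = frame (FCS omitted)."""
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + packet)


def to_bits(frame):
    """Physical layer: the frame as a string of bits."""
    return "".join(format(b, "08b") for b in frame)


def encapsulate(data, src_ip, dst_ip, src_port, dst_port, src_mac, dst_mac):
    segment = build_segment(src_port, dst_port, data)
    packet = build_packet(src_ip, dst_ip, UDP_PROTOCOL, segment)
    return build_frame(src_mac, dst_mac, packet)


def decapsulate(frame):
    """Strip one header per layer and report what each layer saw."""
    mac = lambda b: ":".join("%02x" % x for x in b)
    frame_hdr = {"dst_mac": mac(frame[:6]), "src_mac": mac(frame[6:12]),
                 "ethertype": struct.unpack("!H", frame[12:14])[0]}
    packet = frame[14:]
    (version_ihl, tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (version_ihl & 0x0F) * 4              # header length in bytes
    packet_hdr = {
        "version": version_ihl >> 4, "header_length": ihl, "total_length": total_length,
        "ttl": ttl, "protocol": protocol,
        "src_ip": ".".join(str(b) for b in src), "dst_ip": ".".join(str(b) for b in dst),
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }
    segment = packet[ihl:total_length]
    src_port, dst_port, length, _udp_checksum = struct.unpack("!HHHH", segment[:8])
    segment_hdr = {"src_port": src_port, "dst_port": dst_port, "length": length}
    return {"frame": frame_hdr, "packet": packet_hdr, "segment": segment_hdr,
            "data": segment[8:length]}


if __name__ == "__main__":
    frame = encapsulate(b"hello", "10.0.0.1", "10.0.0.2", 49152, 69,
                        "00:11:22:33:44:55", "66:77:88:99:aa:bb")
    print(len(to_bits(frame)), "bits on the wire")
    print(decapsulate(frame))
```

Flipping any bit in the IP header makes the receiver's checksum come out non-zero, which is all the IP layer offers: it detects a damaged header and discards the packet, but has no built-in recovery, matching the characteristics listed for IP above.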

TCP/IP Applications
Some of the most common TCP/IP applications are as follows:
- File Transfer Protocol (FTP): A TCP-based protocol that supports bidirectional binary and ASCII file transfers
- Trivial File Transfer Protocol (TFTP): A UDP-based protocol that can transfer configuration files and Cisco IOS Software images between systems
- Simple Mail Transfer Protocol (SMTP): An e-mail delivery protocol
- Terminal Emulation (Telnet): Allows remote command-line access to another computer
- Simple Network Management Protocol (SNMP): Provides the means to monitor and control network devices
- Dynamic Host Configuration Protocol (DHCP): Assigns IP addresses and other TCP/IP parameters such as subnet mask, DNS/WINS server addresses, and default gateways automatically to hosts
- Domain Name Service (DNS): Translates domain names into IP addresses
NOTE: Other examples include HTTP, HTTPS, and SSH.

Port Numbers
Both TCP and UDP can send data from multiple upper-layer applications at the same time. Port (or socket) numbers keep track of different conversations crossing the network at any given time. Well-known port numbers are controlled by the Internet Assigned Numbers Authority (IANA). Applications that do not use well-known port numbers have them randomly assigned from a specific range. Figure 2-6 shows the TCP/UDP port numbers from common applications.

FIGURE 2-6 Port Numbers (figure: application-layer protocols over their transport-layer port numbers: FTP 21 (TCP), Telnet 23 (TCP), SMTP 25 (TCP), DNS 53 (TCP and UDP), TFTP 69 (UDP), SNMP 161 (UDP), RIP 520 (UDP))

Port number ranges are as follows:
- Numbers 1 through 1024 are considered well-known ports.
- Numbers 1025 through 49151 are registered.
- Numbers 49152 through 65535 are private vendor assigned and are dynamic.

Establishing a TCP Connection
End stations use control bits called SYNs (for synchronize) and Initial Sequence Numbers (ISNs) to synchronize during connection establishment.

[ 25 ]

Three-Way Handshake
The synchronization requires each side to send its own initial sequence number and to receive a confirmation of it in an acknowledgment (ACK) from the other side. Figure 2-7 outlines the steps in the TCP three-way handshake, which are further defined in the following list:

FIGURE 2-7 TCP Three-Way Handshake
1. Host A to Host B: Send SYN (seq=100 ctl=SYN). Host B: SYN received.
2. Host B to Host A: Send SYN, ACK (seq=300 ack=101 ctl=syn,ack). Host A: SYN received.
3. Host A to Host B: Established (seq=101 ack=301 ctl=ack).

Step 1. Host A sends a SYN segment with sequence number 100.
Step 2. Host B sends an ACK and confirms the SYN it received. Host B also sends a SYN. Note that the ACK field in host B is now expecting to hear sequence 101.
Step 3. In the next segment, host A sends data. Note that the sequence number in this step is the same as the ACK in Step 2.

[ 26 ]

TCP Sequence and Acknowledgment Numbers
In TCP, each datagram is numbered so that at the receiving end, TCP reassembles the segments into a complete message. If a segment is not acknowledged within a given period, it is resent.

TCP Flow Control
Flow control provides a mechanism for the receiver to control the transmission speed. TCP implements flow control by using the sequence and acknowledgment numbers in the TCP header, along with the Window field. The Window field is a number that indicates the maximum number of unacknowledged bytes allowed outstanding at any time.

TCP Windowing
Windowing ensures that one side of a connection is not overwhelmed with data it cannot process. The window size from one end station tells the other side of the connection how much it can accept at one time. With a window size of 1, each segment must be acknowledged before another segment is sent. This is the least-efficient use of bandwidth. Figure 2-8 shows the windowing process as outlined here:
Step 1. The sender sends 3 bytes before expecting an ACK.
Step 2. The receiver can handle a window size of only 2, so it drops byte 3, specifies 3 as the next byte, and specifies a window size of 2.
Step 3. The sender sends the next 2 bytes but still specifies its window size of 3.
Step 4. The receiver replies by requesting byte 5 and specifying a window size of 2.

[ 27 ]

FIGURE 2-8 TCP Windowing Example
Sender (window size = 3): Send 1, Send 2, Send 3. Receiver: packet 3 is dropped; ACK 3, window size = 2. Sender (window size = 3): Send 3, Send 4. Receiver: ACK 5, window size = 2.

A TCP/IP session can have different window sizes for each node.

Exploring the Packet Delivery Process

Layer 1 Devices
Layer 1 devices operate at the physical layer and are only involved in transmitting signals (moving bits). Examples include Ethernet segments, serial links, repeaters, and hubs. Repeaters (see Figure 2-9) are necessary because a signal's quality degrades over distance, eventually becoming unreadable. Repeaters regenerate and retime (or clean up) the signal, allowing it to travel a longer distance over a given medium. Repeaters can be single-port (one in, one out) or multiport.
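The windowing steps above and Figure 2-8, played out in code. This is an added example, not from the Quick Reference Sheets: the Sender and Receiver classes, the receiver's per-burst buffer capacity, and the option to ignore the advertised window (to show what honoring it buys) are assumptions made for illustration. Byte numbers start at 1 as in the figure, and the sender keeps advertising its own window of 3 even while it is pacing itself to the receiver's 2, which is the "different window sizes for each node" point.

```python
"""TCP windowing as in Figure 2-8 (added example, not from the book)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Receiver:
    capacity: int                        # bytes it can buffer from one burst (assumption)
    expected: int = 1                    # next byte number wanted: the cumulative ACK
    delivered: bytearray = field(default_factory=bytearray)

    def accept(self, segments):
        """Take a burst of (byte_number, value) pairs; return (ack, advertised window)."""
        held = 0
        for num, value in segments:
            if num != self.expected or held >= self.capacity:
                continue                 # out of order or no buffer: dropped, not acknowledged
            self.delivered.append(value)
            self.expected += 1
            held += 1
        return self.expected, self.capacity


@dataclass
class Sender:
    data: bytes
    advertised: int                      # our own receive window, carried in every segment
    send_window: int                     # bytes we may have in flight: the peer's window
    next_byte: int = 1
    log: list = field(default_factory=list)

    def burst(self):
        """Send up to send_window bytes starting at next_byte."""
        last = min(self.next_byte + self.send_window - 1, len(self.data))
        segs = [(n, self.data[n - 1]) for n in range(self.next_byte, last + 1)]
        self.log.append(("send", [n for n, _ in segs], self.advertised))
        return segs

    def on_ack(self, ack: int, peer_window: Optional[int]):
        self.next_byte = ack             # everything before ack is confirmed; resend from ack
        self.log.append(("ack", ack, peer_window))
        if peer_window is not None:
            self.send_window = peer_window   # flow control: the receiver sets the pace


def run(data: bytes, sender_window: int = 3, receiver_capacity: int = 2,
        honor_window: bool = True):
    """Drive one direction of a session; return (delivered bytes, bytes sent, log)."""
    s = Sender(data, advertised=sender_window, send_window=sender_window)
    r = Receiver(receiver_capacity)
    sent = 0
    while s.next_byte <= len(data):
        segs = s.burst()
        sent += len(segs)
        ack, win = r.accept(segs)
        s.on_ack(ack, win if honor_window else None)
    return bytes(r.delivered), sent, s.log


if __name__ == "__main__":
    for step in run(b"abcd")[2]:
        print(step)
```

With four bytes the log is exactly the figure: send 1, 2, 3 (window 3); ACK 3, window 2; send 3, 4 (still advertising 3); ACK 5, window 2. On six bytes a sender that ignores the advertised window keeps overrunning the receiver by one byte per burst and transmits 8 bytes instead of 7 to deliver the same data.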

[ 28 ]

FIGURE 2-9 Repeater

Hubs are similar to repeaters and are often called multiport repeaters (usually having from 4 to 20 ports). Hubs provide no filtering or intelligence; they simply clean up signals. Hubs also increase network reliability by isolating endpoints. Using a hub, if a single cable fails, the network continues to operate. A group of devices connected to the same physical medium is known as a collision domain. Ethernet devices use a method called carrier sense multiple access collision detect (CSMA/CD) when sending bits. If two devices transmit a signal at the same time, a collision results. When a collision occurs, both stations resend the signal after a random period. Collisions increase with the number of stations and reduce usable bandwidth (see Figure 2-10).

FIGURE 2-10 Hub

[ 29 ]

Layer 2 Devices
Layer 2 devices operate at the data link layer and, in most cases, isolate endpoints, avoiding data collisions (discussed later). Network interface cards (NICs) are considered Layer 2 devices because they provide MAC addresses used by other Layer 2 devices. Devices such as bridges and switches use MAC addresses to switch data frames. Figure 2-11 shows that bridges connect LAN segments and isolate collision domains, which increases bandwidth. Bridges keep local traffic from going to other LAN segments but forward traffic intended for other LAN segments using the MAC address of the destination endpoint. Bridges keep track of destinations in MAC address tables.

FIGURE 2-11 Bridge

Switches (or LAN switches) are similar to bridges and have the same functionality as bridges but are typically much faster than bridges. This is because the switching functions are performed in hardware, whereas bridges use software. Switches provide more ports than bridges and also support virtual LANs (VLANs, discussed later).

Layer 3 Devices
Layer 3 devices operate at the network layer of the OSI model, which uses a different addressing scheme than Layer 2 devices. IP addresses are one type of Layer 3 address; other Layer 3 protocols exist, but they are outside the scope of the ICND1 and ICND2 exams. The two most common Layer 3 devices are routers and multilayer switches. As shown in Figure 2-12, routers pass data packets between networks based on their IP (or possibly other Layer 3) address.

[ 30 ]

FIGURE 2-12 Routers
Four networks (172.16.1.0, 172.16.2.0, 172.16.3.0, and 172.16.4.0) interconnected by routers, with one router connected to the Internet.

Routers can make intelligent decisions about the best path a packet can take across the network. Routers can also connect different types of Layer 2 networks. Routers regulate traffic and make up the backbone of most IP networks.

Multilayer switches are the same as regular Layer 2 switches but can process and make switching decisions based on Layer 3 addresses. This advance was enabled because of high-speed software embedded in hardware ASICs. This has reduced the bottleneck that used to occur with software-based Layer 3 devices. Using Layer 3 addresses allows multilayer switches to implement quality and security policies.

[ 31 ]

Mapping Layer 2 Addressing to Layer 3 Addressing
For IP hosts to communicate on Ethernet networks, the IP host must know the IP address and MAC address of the destination computer. To find the MAC address of the destination, IP uses a protocol called Address Resolution Protocol (ARP). ARP maps a known IP address to a MAC sublayer address. An ARP cache table is checked when looking for a destination. If the address is not in the ARP table, ARP sends a broadcast looking for the destination address.
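The cache-then-broadcast procedure above, run on a simulated LAN. This is an added example, not code from the Quick Reference Sheets; the hosts, their addresses, and the Host and Lan classes are constructed here. It goes one step beyond the page: because nothing in ARP authenticates a reply, the host only installs a mapping it actually asked for and logs any unsolicited reply instead of learning from it. That is a hardening choice assumed for this example (RFC 826 hosts, and most stacks, will accept the reply), and it is the reason ARP cache poisoning works against the permissive behaviour.

```python
"""ARP resolution with a per-host cache on a simulated LAN (added example, not from the book)."""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff-ff-ff-ff-ff-ff"
ZERO_MAC = "00-00-00-00-00-00"


def arp(op, src_mac, dst_mac, sender_ip, sender_mac, target_ip, target_mac=ZERO_MAC):
    """An ARP packet as a dict, wrapped with the Ethernet dst/src it travels in."""
    return {"dst": dst_mac, "src": src_mac, "op": op, "sender_ip": sender_ip,
            "sender_mac": sender_mac, "target_ip": target_ip, "target_mac": target_mac}


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)     # IPs with an outstanding request
    log: list = field(default_factory=list)

    def resolve(self, ip: str, lan: "Lan") -> Optional[str]:
        """Return the MAC for ip: cache first, broadcast request on a miss."""
        if ip in self.arp_cache:
            self.log.append(("cache hit", ip))
            return self.arp_cache[ip]
        self.log.append(("broadcast request", ip))
        self.pending.add(ip)
        lan.deliver(arp("request", self.mac, BROADCAST, self.ip, self.mac, ip))
        return self.arp_cache.get(ip)             # filled in if the owner answered

    def receive(self, pkt: dict, lan: "Lan") -> None:
        if pkt["op"] == "request" and pkt["target_ip"] == self.ip:
            # The target learns the requester's mapping, then answers unicast.
            self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
            lan.deliver(arp("reply", self.mac, pkt["sender_mac"], self.ip, self.mac,
                            pkt["sender_ip"], pkt["sender_mac"]))
        elif pkt["op"] == "reply":
            if pkt["sender_ip"] in self.pending:
                self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
                self.pending.discard(pkt["sender_ip"])
            else:
                # Assumed hardening: an unsolicited reply is the ARP-poisoning vector,
                # so it is recorded and ignored rather than written into the cache.
                self.log.append(("ignored unsolicited reply", pkt["sender_ip"], pkt["sender_mac"]))


class Lan:
    """One broadcast domain: broadcasts reach every NIC, unicasts reach exactly one."""
    def __init__(self, hosts):
        self.hosts = {h.mac: h for h in hosts}

    def deliver(self, pkt: dict) -> None:
        if pkt["dst"] == BROADCAST:
            for h in self.hosts.values():
                if h.mac != pkt["src"]:
                    h.receive(pkt, self)
        elif pkt["dst"] in self.hosts:
            self.hosts[pkt["dst"]].receive(pkt, self)


def demo():
    """Constructed scenario: A resolves B twice, then a forged reply claims B's IP."""
    a = Host("A", "172.16.1.10", "00-0d-65-ac-50-7f")
    b = Host("B", "172.16.1.20", "00-0d-65-ac-50-80")
    lan = Lan([a, b])
    first = a.resolve(b.ip, lan)          # miss: broadcast request, B replies
    second = a.resolve(b.ip, lan)         # hit: no traffic on the wire
    attacker = "de-ad-be-ef-00-01"
    lan.deliver(arp("reply", attacker, a.mac, b.ip, attacker, a.ip, a.mac))
    return a, b, first, second


if __name__ == "__main__":
    a, b, first, second = demo()
    print(first, second, a.arp_cache, b.arp_cache, a.log, sep="\n")
```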

[ 32 ] SECTION 3 Understanding Ethernet

Section 3 Understanding Ethernet

Definition of a LAN
Local-area networks (LAN) are high-speed, low-error data networks that cover a small geographic area. LANs connect computers, printers, terminals, and other devices in a single building or a limited area. LANs are usually located in a building or campus and do not cover a large distance. They are relatively inexpensive to develop and maintain. As Figure 3-1 shows, LANs consist of the following components:
- Computers: Examples include PCs and servers.
- Interconnections: Provide a means for data to travel. Also include NICs and network media.
- Network devices: Examples include hubs, routers, and switches.
- Protocols: Examples include Ethernet protocols, IP, ARP, and DHCP.

Ethernet
Ethernet is one of the most widely used LAN standards. Ethernet was developed in the 1970s by Digital Equipment Corporation (DEC), Intel, and Xerox. Later, the IEEE defined new standards for Ethernet called Ethernet 802.3. The 802.3 standard is the standard that is in use today. Ethernet operates at Layers 1 and 2 of the OSI model.

[ 33 ]

FIGURE 3-1 Physical and Data Link Layers
Data link layer: 802.2, Ethernet 802.3, Frame Relay, HDLC. Physical layer: EIA/TIA-232, V.35.

The physical layer (Layer 1) defines cabling, connection specifications, and topology. The data link layer (Layer 2) has the following functions:
- Provides physical addressing
- Provides support for connection-oriented and connectionless services
- Provides frame sequencing and flow control

Two sublayers perform data-link functions: the MAC layer and the Logical Link Control (LLC) layer. Figure 3-2 shows the Media Access Control (MAC) sublayer (802.3). The MAC sublayer is responsible for how data is sent over the wire. The MAC address is a 48-bit address expressed as 12 hex digits.

[ 34 ]

FIGURE 3-2 MAC Sublayer
802.3 MAC frame, in bytes: Preamble 8, Destination Address 6, Source Address 6, Length 2, Data variable, FCS 4. Ethernet II carries a Type field in place of Length and does not use 802.2. MAC address 0000.0Cxx.xxxx: the first 24 bits are IEEE assigned, the last 24 bits are vendor assigned.

The MAC sublayer defines the following:
- Physical addressing
- Network topology
- Line discipline
- Error notification
- Orderly delivery of frames
- Optional flow control

The LLC sublayer (802.2) is responsible for identifying and encapsulating different protocol types. Two types of LLC frames exist: service access points (SAP) and Subnetwork Access Protocol (SNAP). SNAP is used to support non-802 protocols. Figure 3-3 shows the LLC sublayer frame.

[ 35 ]

FIGURE 3-3 LLC Sublayer
802.2 (SAP) header, in bytes: Dest SAP 1, Source SAP 1, Ctrl 1 or 2, Data variable. 802.2 (SNAP) header: Dest SAP AA (1), Source SAP AA (1), Ctrl 03 (1), OUI ID 3, Type 2, Data variable. Either rides in the Data field of the 802.3 MAC frame (Preamble, Dest add, Source add, Length, Data, FCS).

Role of CSMA/CD in Ethernet
All stations on an Ethernet segment are connected to the same media. Therefore, all devices receive all signals. When devices send signals at the same time, a collision occurs. A scheme is needed to detect and compensate for collisions. Ethernet uses a method called carrier sense multiple access collision detect (CSMA/CD) to detect collisions. In CSMA/CD, many stations can transmit on the Ethernet media, and no station has priority over any other. Before a station transmits, it listens to the network (carrier sense) to make sure that no other station is transmitting. If no other station is transmitting, the station transmits across the media. If a collision occurs, the transmitting stations detect the collision and run a backoff algorithm. The backoff algorithm computes a random time that each station waits before retransmitting.
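The CSMA/CD procedure above, as a slotted simulation so the effect of the backoff algorithm on a growing segment can be measured. This is an added example, not from the Quick Reference Sheets. The backoff is the truncated binary exponential backoff of 802.3 (wait a random number of slots from 0 to 2^k - 1, with k capped at 10 and the frame abandoned after 16 attempts); the slot model, the four-slot frame length, and the assumption that a station finding the medium busy transmits as soon as it goes idle are simplifications made here, and the generator is seeded so runs are repeatable.

```python
"""CSMA/CD with truncated binary exponential backoff (added example, not from the book)."""
import random

MAX_ATTEMPTS = 16      # 802.3: the frame is discarded after 16 collisions
BACKOFF_CAP = 10       # the exponent stops growing at 2**10 slots


def backoff_slots(attempt: int, rng: random.Random) -> int:
    """Random wait r in [0, 2**min(attempt, 10)) slots after the attempt-th collision."""
    k = min(attempt, BACKOFF_CAP)
    return rng.randrange(2 ** k)


def simulate(n_stations: int, frames_each: int, seed: int = 1, frame_slots: int = 4) -> dict:
    """Run until every station has sent its frames; report collisions and elapsed slots."""
    rng = random.Random(seed)
    stations = [{"left": frames_each, "attempts": 0, "ready_at": 0} for _ in range(n_stations)]
    slot = busy_until = 0
    collisions = delivered = aborted = 0
    while any(s["left"] for s in stations):
        if slot < busy_until:              # carrier sense: a frame is on the wire, defer
            slot += 1
            continue
        contenders = [s for s in stations if s["left"] and s["ready_at"] <= slot]
        if len(contenders) == 1:           # idle medium, one transmitter: the frame goes out
            s = contenders[0]
            s["left"] -= 1
            s["attempts"] = 0
            delivered += 1
            busy_until = slot + frame_slots
        elif contenders:                   # several heard silence and transmitted together
            collisions += 1
            for s in contenders:
                s["attempts"] += 1
                if s["attempts"] > MAX_ATTEMPTS:
                    s["left"] -= 1         # excessive collisions: give up on this frame
                    s["attempts"] = 0
                    aborted += 1
                else:
                    s["ready_at"] = slot + 1 + backoff_slots(s["attempts"], rng)
        slot += 1
    return {"slots": slot, "collisions": collisions, "delivered": delivered, "aborted": aborted}


if __name__ == "__main__":
    for n in (1, 2, 5, 20):
        r = simulate(n, 5)
        print(f"{n:2d} stations: {r['collisions']:4d} collisions over {r['slots']} slots "
              f"for {r['delivered']} frames ({r['aborted']} aborted)")
```

A single station never collides; add stations and the collision count climbs far faster than the frame count, which is the bandwidth loss the text describes. Every frame is accounted for as either delivered or aborted, so the loop always terminates.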

[ 36 ]

Ethernet LAN Traffic
Three major types of network traffic exist on a LAN:
- Unicasts: The most common type of LAN traffic. A unicast frame is a frame intended for only one host.
- Broadcasts: Intended for all hosts. All stations receive and process broadcast frames. Stations view broadcast frames as public service announcements.
- Multicasts: Traffic in which one transmitter tries to reach only a subset, or group, of the entire segment.

Ethernet Addresses
The Ethernet address, or MAC address, is the Layer 2 address of the network adapter of the network device. Typically burned into the adapter, the MAC address is usually displayed in a hexadecimal format such as 00-0d-65-ac-50-7f. As shown in Figure 3-4, the MAC address is 48 bits and consists of the following two components:
- Organizationally Unique Identifier (OUI): 24 bits. This is IEEE assigned and identifies the manufacturer of the card.
- Vendor-assigned: 24 bits. Uniquely identifies the Ethernet hardware.

FIGURE 3-4 MAC Addresses
48-bit MAC address: OUI (24 bits) followed by the vendor-assigned part (24 bits).
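A parser for the frame formats of Figures 3-2 and 3-3 and the address classification of this page, so both can be checked on real bytes. This is an added example, not code from the Quick Reference Sheets. It assumes frames as a NIC hands them to software (preamble stripped, FCS already checked and removed), tells Ethernet II from 802.3 by the Type/Length value (anything of 0x0600 or more is a Type), walks the 802.2 header with a one- or two-byte control field, and peels a SNAP header when DSAP and SSAP are AA. The unicast/multicast/broadcast decision comes from the low bit of the first address byte (the I/G bit), and the OUI is the first three bytes. The two sample frames are constructed here, not captured: an ARP request from the page's example address 00-0d-65-ac-50-7f, and a SNAP frame with the 0000.0C OUI of Figure 3-2.

```python
"""Ethernet II / 802.3 LLC / SNAP frame parser and MAC classification (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    """Render 6 bytes in the page's 00-0d-65-ac-50-7f style."""
    return "-".join(f"{b:02x}" for b in mac)


def oui(mac: bytes) -> str:
    """First 24 bits: the IEEE-assigned Organizationally Unique Identifier."""
    return mac_str(mac[:3])


def classify(mac: bytes) -> str:
    """Unicast, multicast or broadcast, decided by the I/G bit (LSB of byte 0)."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def locally_administered(mac: bytes) -> bool:
    """U/L bit (bit 1 of byte 0): set means the address was not burned in by the vendor."""
    return bool(mac[0] & 0x02)


@dataclass
class Frame:
    dst: bytes
    src: bytes
    kind: str                        # "ethernet_ii", "802.3_llc" or "802.3_snap"
    ethertype: Optional[int]         # Ethernet II Type, or the SNAP protocol ID
    length: Optional[int]            # 802.3 Length field
    dsap: Optional[int]
    ssap: Optional[int]
    snap_oui: Optional[bytes]
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("runt: MAC header incomplete")
    dst, src = raw[0:6], raw[6:12]
    (type_or_len,) = struct.unpack("!H", raw[12:14])
    if type_or_len >= 0x0600:        # Ethernet II: Type field, payload runs to the end (incl. padding)
        return Frame(dst, src, "ethernet_ii", type_or_len, None, None, None, None, raw[14:])
    length = type_or_len             # 802.3: Length field says where the LLC data stops
    body = raw[14:14 + length]
    if len(body) < length:
        raise ValueError("truncated: Length field exceeds bytes received")
    if length < 3:
        raise ValueError("802.3 frame without a complete LLC header")
    dsap, ssap, ctrl = body[0], body[1], body[2]
    ctrl_len = 1 if (ctrl & 0x03) == 0x03 else 2      # U-format control is 1 byte, I/S are 2
    data = body[2 + ctrl_len:]
    if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03 and len(data) >= 5:
        snap_oui, (pid,) = data[0:3], struct.unpack("!H", data[3:5])
        return Frame(dst, src, "802.3_snap", pid, length, dsap, ssap, snap_oui, data[5:])
    return Frame(dst, src, "802.3_llc", None, length, dsap, ssap, None, data)


def pad(frame: bytes) -> bytes:
    """Pad to the 60-byte minimum (64 with FCS), as a sending NIC does."""
    return frame + b"\x00" * max(0, 60 - len(frame))


# Constructed sample frames (not captured traffic).
SRC = bytes.fromhex("000d65ac507f")
ARP_FRAME = pad(BROADCAST + SRC + struct.pack("!H", 0x0806) + b"\x01" * 28)
_snap = bytes([0xAA, 0xAA, 0x03]) + bytes.fromhex("00000c") + struct.pack("!H", 0x2000) + b"hello"
SNAP_FRAME = pad(bytes.fromhex("01000ccccccc") + SRC + struct.pack("!H", len(_snap)) + _snap)

if __name__ == "__main__":
    for raw in (ARP_FRAME, SNAP_FRAME):
        f = parse_frame(raw)
        print(f.kind, mac_str(f.dst), classify(f.dst), "from", mac_str(f.src),
              "OUI", oui(f.src), "type", None if f.ethertype is None else hex(f.ethertype))
```

Note that for an 802.3 frame the Length field, not the frame size, bounds the payload: the padding after the 13-byte SNAP body is discarded, whereas an Ethernet II parser has to hand any padding up to the next layer to trim.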

[ 37 ]

Connecting to an Ethernet LAN
The term Ethernet encompasses several LAN implementations. Physical layer implementations vary, and all support various cabling structures. The following four main categories of Ethernet exist:
- Ethernet (DIX) and IEEE 802.3: Operate at 10 Mbps over coaxial cable, unshielded twisted-pair (UTP) cable, or fiber. The standards are referred to as 10BASE2, 10BASE5, 10BASE-T, and 10BASE-F.
- Fast Ethernet or 100-Mbps Ethernet: Operates over UTP or fiber.
- Gigabit Ethernet: An 802.3 extension that operates over fiber and copper at 1000 Mbps, or 1 gigabit per second (Gbps).
- 10-Gigabit Ethernet: Defined in 802.3ae, runs in full-duplex mode only, over fiber.

Fast Ethernet and Gigabit Ethernet require UTP Category 5e (or higher) or fiber cabling. Table 3-1 compares cable and connector specifications.

TABLE 3-1 Ethernet Media and Connection Requirements
Standard      Media                                  Maximum Segment Length   Connector
10BASE-T      EIA/TIA Cat 3, 4, 5 UTP, 2-pair        100 m                    ISO 8877 (RJ-45)
100BASE-TX    EIA/TIA Cat 5 UTP, 2-pair              100 m                    ISO 8877 (RJ-45)
100BASE-FX    62.5/125 micron multimode fiber        400 m                    Duplex media interface connector (MIC), ST
1000BASE-CX   STP                                    25 m                     ISO 8877 (RJ-45)
1000BASE-T    EIA/TIA Cat 5 UTP, 4-pair              100 m                    ISO 8877 (RJ-45)
1000BASE-SX   62.5/50 micron multimode fiber         275 m                    —
1000BASE-LX   9-micron single-mode fiber             3–10 km                  —

[ 38 ]

A Gigabit Interface Converter (GBIC) is a hot-swappable I/O device that plugs into a Cisco Gigabit Ethernet port. GBICs support UTP and fiber media. GBICs are interchangeable, and they allow you to deploy different types of 1000BASE-X technology without having to change the physical interface of the switch.

Network Media Types
Network media refers to the physical path that signals take across a network. The most common types of media are as follows:
- Twisted-pair cable: Used for telephony and most Ethernet networks. Each pair makes up a circuit that can transmit signals. The pairs are twisted to prevent interference (crosstalk). The two categories of twisted-pair cables are unshielded twisted-pair (UTP) and shielded twisted-pair (STP), defined as follows:
  - UTP cable: Usually connected to equipment with an RJ-45 connector. Seven categories of UTP cable exist: CAT 1, CAT 2, CAT 3, CAT 4, CAT 5, CAT 5e, and CAT 6. UTP has a small diameter that can be an advantage when space for cabling is at a minimum. It is prone to electrical noise and interference because of the lack of shielding.

FIGURE 3-5 UTP
Outer jacket, color-coded plastic insulation, unshielded twisted pairs.

[ 39 ]

  - STP cable: Provides much better protection against electrical noise and interference than UTP but is thicker and more expensive. The cable speed and maximum length are the same as for UTP (speed is 10 to 100 Mbps, and maximum length is 100 m).

FIGURE 3-6 STP
Outer jacket, overall shield, pair shields, color-coded plastic insulation, twisted pairs.

- Fiber-optic cable: Allows the transmission of light signals. This offers a large jump in bandwidth over other types of cables (1 Gbps or greater). The two types of fiber-optic cables are multimode and single-mode, defined as follows:
  - Multimode: With this type of fiber, several modes (light paths) propagate down the fiber, each taking a slightly different route through the core. Multimode fiber is used primarily in systems with short transmission distances (less than 2 km).
  - Single-mode: This type of fiber has only one mode in which light can propagate. Single-mode fiber is typically used for long-distance and high-bandwidth applications.

UTP Implementation
An RJ-45 connector is used with UTP cabling. Figure 3-7 shows an RJ-45 connector and its pin connections.

[ 40 ]

FIGURE 3-7 RJ-45 Connector

The two types of connections are straight-through and crossover. Figure 3-8 shows the pins for a straight-through cable. Straight-through cables are typically used to connect different devices (data terminal equipment [DTE] to data communications equipment [DCE]), such as switch-to-router connections.

FIGURE 3-8 Straight-Through Wiring Cable (10BASE-T/100BASE-TX)
Hub/Switch end: pin 1 RD+, 2 RD–, 3 TD+, 4 NC, 5 NC, 6 TD–, 7 NC, 8 NC. Server/Router end: pin 1 TD+, 2 TD–, 3 RD+, 4 NC, 5 NC, 6 RD–, 7 NC, 8 NC. Pins 1, 2, 3, and 6 connect straight through to the same pin numbers on the other end.

[ 41 ]

Crossover cables are typically used to connect similar devices, such as switch-to-switch connections. The primary exception to this rule is switch-to-hub connections, which use a crossover cable. Figure 3-9 shows the pins for a crossover cable.

FIGURE 3-9 Crossover Wiring Cable (10BASE-T/100BASE-T)
Both ends carry the hub/switch pinout (pin 1 RD+, 2 RD–, 3 TD+, 4 NC, 5 NC, 6 TD–, 7 NC, 8 NC); pin 1 connects to pin 3, pin 2 to pin 6, pin 3 to pin 1, and pin 6 to pin 2.

[ 42 ] SECTION 4 LAN Network Topologies

Part II: Growing the Network (LANs)

Section 4 LAN Network Topologies

Choosing the Right Network Topology
A topology refers to the way in which network devices are connected. A physical topology refers to the physical layout of the endpoints and the connecting cables. The three primary categories of physical topologies are as follows:
- Bus
- Ring
- Star

A logical topology refers to how signals travel from endpoint to endpoint. The physical and logical topologies can be the same or different. An example of this is a network in which each endpoint is connected to every other endpoint (a meshed network) but the signal can flow in only sequential order (a ring network). The following sections discuss each topology.

As shown in Figure 4-1, a bus or linear bus connects all devices with a single cable. The ends of the wire must be connected to a device or terminator, or signals will bounce back and cause errors. Only a single packet can be transmitted at a time on a bus, or the packets will collide and both will be destroyed (and must be resent).

[ 43 ]

Figure 4-2 shows a ring topology. In a ring topology, a frame travels in a logical order around the ring, going from one end station to the next. If an end station wants to send data, it is added to the frame. The frame continues around the ring, and the data is removed at the intended destination. In a single ring, data travels in a single direction. In a dual ring, each ring sends data in a different direction. Two rings create redundancy, or fault tolerance, which means that if one ring fails, the system can still operate. If parts of both rings fail, a "wrap" (a connection between the two rings) can heal the fault.

As shown in Figure 4-3, stars have a central connection (hub, switch, or router) where all end devices meet. Star topologies are the most common physical topology in Ethernet LANs. Stars cost more than other topologies but are more fault tolerant because a cable failure usually affects only one end device. The disadvantage of a star is that if the central device fails, the entire system fails.

FIGURE 4-1 Bus Topology
FIGURE 4-2 Ring Topology
FIGURE 4-3 Star Topology

In an extended star, the central networking device connects to other networking devices, which then connect to end stations. Figure 4-4 shows an extended star topology.

FIGURE 4-4 Extended Star Topology

In a full-mesh topology, all devices are connected to all other devices. Figure 4-5 shows a full-mesh topology. Great redundancy exists on full-mesh networks; however, for networks with more than a few devices, it becomes overly expensive and complicated. Partial-mesh topologies, which have at least one device with multiple connections, provide good redundancy without the expense of full meshes.

[ 44 ]

FIGURE 4-5 Full-Mesh Topology

The last type of network topology is one that does not require the use of traditional cable connections, such as wireless networks. Wireless communications use radio frequencies (RF) or infrared (IR) waves to transmit data over a LAN. Wireless adapters must be installed on a laptop (wireless NIC) to communicate with the network. Wireless gives network designers many new options, because no physical medium is required to connect end stations (which is great for installation in old buildings or offices with inadequate space for cabling). See Figure 4-6.

FIGURE 4-6 Wireless Topology

[ 45 ]

The Challenges of Shared LANs
An Ethernet segment is a network connection made by a single unbroken network cable. Segments can only span a limited physical distance. Any transmission beyond the physical limitation will degrade the signal. Table 4-1 lists the Ethernet segment distance limitations.

TABLE 4-1 Ethernet Segment Distance Limitations
Ethernet Specification   Description                           Segment Length
10BASE-T                 10 Mbps over twisted-pair             100 m
10BASE-FL                10 Mbps over fiber                    2000 m
100BASE-TX               100 Mbps over twisted-pair            100 m
100BASE-FX               100 Mbps over fiber                   400 m
1000BASE-T               Gigabit Ethernet over twisted-pair    100 m
1000BASE-LX              Gigabit Ethernet over fiber           Multimode: 550 m; single-mode: 10 km
1000BASE-SX              Gigabit Ethernet over fiber           62.5µ multimode: 250 m; 50µ multimode: 550 m

Extending a LAN Segment
Although Ethernet has segment distance limitations, you can extend the segment by adding repeaters, hubs, or switches. Repeaters are Layer 1 devices that amplify a signal from one segment to another. Hubs, also called Ethernet concentrators or Ethernet repeaters, are self-contained Ethernet segments in a box. All devices connected to a hub compete for the same amount of bandwidth. Hubs let you add and remove computers without disabling the network but do not create additional collision domains.

[ 46 ]

Collisions and Collision Domains
In traditional Ethernet segments, all devices compete for the same bandwidth. All devices on the same network segment receive all signals sent on the segment. The network segments that share the same bandwidth are called collision domains. A collision domain is a group of devices connected to the same network segment such that if two devices access the medium at the same time, a collision results.

Collisions are by-products of CSMA/CD. Collisions occur when two or more end stations "listen" for traffic on the segment, hear nothing, and then transmit at the same time. The simultaneous transmissions collide, and all are destroyed and must be resent. Each end station resends after a random time (called a backoff algorithm). As the number of end stations increases, the chances that devices transmit at the same time increase, resulting in more collisions. As networks grow, collisions increase to the point where the system is virtually unusable because collisions are constantly occurring. Repeaters and hubs amplify a signal and increase segment distance limitations; they cannot, however, decrease collisions. Hubs provide no filtering and forward all traffic out all ports regardless of where they are destined.

Solving Network Challenges with Switched LAN Technology
As networks grow and evolve, network congestion increases. The most common causes of network congestion are as follows:
- Increases in PC speed and performance
- Increases in network data
- Bandwidth-intensive applications

Switches are Layer 2 devices that amplify a signal and use Layer 2 information to forward traffic.

[ 47 ]

Bridges
Bridges were used as an early solution for network congestion. Bridges are more intelligent than hubs and can forward or block traffic based on the data frame's destination address (whereas hubs just send the frame to every port and end station). Bridges used the concept of segmentation to allow more end stations to be added to a LAN (called scaling). Segmentation is a method of breaking up collision domains. Segmentation is shown in Figure 4-7.

FIGURE 4-7 Segmenting a Network Through Bridges
Collision Domain A, Bridge, Collision Domain B. Only data frames intended for Segment A are allowed through from Segment B.

Switches
Layer 2 switches are really just high-speed, multiport, very smart bridges. Unlike bridges that process frames using software, switches process frames in hardware through the use of application-specific integrated circuits (ASICs), which increases the network's overall speed. Switches also have the following features:
- High-speed backplane: A circuit board that allows the switch to monitor multiple conversations.
- Data buffering: A buffer is memory storage. This function allows the switch to store frames and forward them to the correct port.
- Higher port density: Port density is the number of ports available on a single device. A switch can have hundreds of ports.

[ 48 ]

- High port speeds: Switches can support a mixture of port speeds from 10 Mbps to 10 Gbps.
- Lower latency: Latency is the measure of the time it takes an incoming frame to come back out of a switch.
- Virtual LANs (VLAN): Switches can logically segment networks into separate broadcast domains.

All these features (particularly port density) allow microsegmentation, which means that each end station has a dedicated switch port. This eliminates collisions, because each collision domain has only a single end station. Although these features can reduce some network congestion, faster PCs can flood a network with traffic. Broadcasts and multicasts also contribute to network congestion.

Switch Frame Transmission Modes
The following three primary frame switching modes exist:
- Cut-through: The switch checks the destination address and immediately begins forwarding the frame. This can decrease latency but can also transmit frames containing errors.
- Store and forward: The switch waits to receive the entire frame before forwarding. The entire frame is read, and a cyclic redundancy check (CRC) is performed. If the CRC is bad, the frame is discarded. Latency increases as a function of frame length.
- Fragment-free (modified cut-through): The switch reads the first 64 bytes before forwarding the frame. The minimum number of bytes necessary to detect and filter out collision frames is 64 bytes.

How Switches Segment the Ethernet Network
Ethernet switches perform three major functions in segmenting a network: forwarding, filtering, and flooding. Switches perform these functions by the following methods:
- MAC address learning: Switches learn the MAC addresses of devices attached to each of their ports. These addresses are stored in a MAC database.


[ 49 ]

SECTION 4 LAN Network Topologies
n

CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty

Forwarding and filtering: Switches determine which port a frame must be sent out to reach its destination. If the address is known, the frame is sent only on that port. If it’s unknown, the frame is flooded to all ports except the one from which it originated. Flooding: Switches flood all unknown frames, broadcasts, and multicasts to all ports on the switch except the one from which it originated.

n

Switches in Action
A switch uses its MAC address table when forwarding frames to devices. When a switch is first powered on, it has an empty MAC address table. With an empty MAC address table, the switch must learn the MAC addresses of attached devices. This learning process is outlined below using Figure 4-8:
Step 1. Initially, the switch MAC address table is empty.
Step 2. Station A (MAC address 0260.8c01.1111 in Figure 4-8) sends a frame to station C. When the switch receives this frame, it does the following:
  • Because the MAC table is empty, the switch must flood the frame to all other ports (except E0, the frame origin).
  • The switch notes the source address of the originating device and associates it with port E0 in its MAC address table entry.
Step 3. The switch continues to learn addresses in this manner, continually updating the table. As the MAC table becomes more complete, the switching becomes more efficient, because frames are forwarded to specific ports rather than being flooded out all ports.
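As an added illustration (not part of the book), the following Python model replays the learn, flood and forward sequence of Steps 1 through 3 with the four station addresses from Figure 4-8. The figure's table records only A on E0 and D on E3; placing B on E1 and C on E2 is an assumption made for the example, and the extra frames after Step 2 are constructed to show the table filling in.

```python
# Added example, not from the book: a model of the learn/flood/forward behaviour
# described in Steps 1-3, using the station addresses shown in Figure 4-8.
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


@dataclass
class LearningSwitch:
    ports: list                                     # physical ports, e.g. E0..E3
    mac_table: dict = field(default_factory=dict)   # MAC address -> port learned on

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Handle one frame arriving on in_port; return the list of egress ports."""
        # Learning: the source address is associated with the ingress port.
        self.mac_table[src] = in_port
        # Forwarding and filtering: a known unicast goes out exactly one port;
        # if that port is the ingress port the frame is filtered (dropped).
        if dst != BROADCAST and dst in self.mac_table:
            out_port = self.mac_table[dst]
            return [] if out_port == in_port else [out_port]
        # Flooding: unknown unicast and broadcast go out every port but the origin.
        return [port for port in self.ports if port != in_port]


def figure_4_8_walkthrough():
    """Replay the sequence from the text; the E1/E2 placement of B and C is assumed."""
    sw = LearningSwitch(ports=["E0", "E1", "E2", "E3"])
    a, b, c, d = "0260.8c01.1111", "0260.8c01.2222", "0260.8c01.3333", "0260.8c01.4444"
    egress = []
    egress.append(sw.receive("E0", a, c))          # Step 2: table empty, flooded to E1-E3
    egress.append(sw.receive("E3", d, c))          # C still unknown: flooded; D learned on E3
    egress.append(sw.receive("E2", c, a))          # A known on E0: forwarded to E0 only
    egress.append(sw.receive("E0", a, c))          # C now known on E2: forwarded to E2 only
    egress.append(sw.receive("E1", b, BROADCAST))  # broadcasts are always flooded
    return sw.mac_table, egress


if __name__ == "__main__":
    table, log = figure_4_8_walkthrough()
    for entry in log:
        print("egress:", entry)
    print("MAC address table:", table)
```

Note that every source address the switch sees is learned without any limit per port; Section 6's port security is the feature that bounds this per port.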

[ 50 ]

FIGURE 4-8 Frame Forwarding by a Switch
[Figure: stations A, B, C, and D (MAC addresses 0260.8c01.1111, 0260.8c01.2222, 0260.8c01.3333, and 0260.8c01.4444) attached to switch ports E0 through E3. MAC Address Table: E0: 0260.8c01.1111, E3: 0260.8c01.4444]

[ 51 ]

Section 5 Operating Cisco IOS
Cisco IOS enables network services in switches and routers. It provides the following features:
• Carries network protocols and functions
• Connectivity
• Security
• Scalability
• Reliability

The Cisco IOS command-line interface (CLI) can be accessed through a console connection, modem connection, or Telnet/SSH sessions. These connections are called EXEC sessions.

Cisco Device Startup
When a Cisco device starts up, it goes through the following steps:
Step 1. Completes power-on self test (POST)
Step 2. Finds and loads Cisco IOS Software image
Step 3. Finds and applies device configuration


[ 52 ]


External Configuration Sources
An IOS device can be configured from any of the following external sources:
• Console terminal
• Remote terminal (aux port)
• Telnet
• TFTP
• CiscoWorks
• SSH

Only a console connection or remote terminal connection can be used to initially configure a router or switch.

Console Connection
To establish a connection through a console port, you need a rollover cable to connect a console port to a PC. To set up the connection, follow these steps:
Step 1. Cable the device using a rollover cable. You might need an adapter for the PC.
Step 2. Configure the terminal emulation application with the following COM port settings: 9600 bps, 8 data bits, no parity, 1 stop bit, and no flow control.


[ 53 ]


Cisco IOS Software Command-Line Interface Functions
Cisco IOS uses a hierarchy of commands in its command-mode structure. For security, Cisco IOS separates EXEC sessions into these two access levels:
• User EXEC mode (user mode)
• Privileged EXEC mode (enable mode)

User EXEC mode is the first mode you enter when you log in to the IOS. This mode is limited and is mostly used to view statistics. You cannot change a router’s configuration in this mode. By default, the greater-than sign (>) indicates that you are in user mode. This is how the router prompt looks in user mode:
Router>

In privileged EXEC mode, you can view and change the configuration in a router; you have access to all the router’s commands and the powerful debug commands. To enter privileged mode, enter the enable command while in user mode. By default, the pound symbol (#) indicates that you are in privileged mode. This mode is usually protected with a password. Here is an example of how to enter privileged mode. You also see the output of the prompt:
Router>enable
Password:
Router#

Keyboard Help in the CLI
Several commands built into IOS provide help when you enter configuration commands:
• ? displays a list of commonly used commands.
• show ? lists all variants of the show command.
• s? lists all commands that start with s.
• --More-- appears at the bottom of the screen when additional information exists. Display the next available screen by pressing the spacebar. Display the next line by pressing Enter. Press any other key to return to the user-mode prompt.

[ 54 ]

Enhanced Editing Commands
Enabled by default, enhanced editing commands allow shortcuts to speed the editing process. Table 5-1 shows the enhanced editing commands available in Cisco IOS Software.

TABLE 5-1 Enhanced Editing Commands
Command               Action
Ctrl-A                Moves the cursor to the beginning of the line
Ctrl-E                Moves the cursor to the end of the line
Esc-B                 Moves the cursor back one word
Esc-F                 Moves the cursor forward one word
Ctrl-B                Moves the cursor back one character
Ctrl-F                Moves the cursor forward one character
Ctrl-D                Deletes a single character
Backspace             Removes one character to the left of the cursor
Ctrl-R                Redisplays a line
Ctrl-U                Erases from the cursor to the beginning of the line
(continues)

[ 55 ]

TABLE 5-1 Enhanced Editing Commands (continued)
Command               Action
Ctrl-W                Erases a word
Ctrl-Z                Ends configuration mode and returns to the EXEC mode
Tab                   Completes a partially entered (unambiguous) command
Ctrl-P or up arrow    Recalls commands, beginning with the most recent
Ctrl-N or down arrow  Returns the most recent commands in the buffer

Command History
A command history is available to review previously entered commands. This buffer defaults to ten lines, but it can be configured to a maximum of 256 using the history size command, as follows:
terminal history size number-of-lines    sets session command buffer size
history size number-of-lines             sets the buffer size permanently
show history                             shows command buffer contents

Console Error Messages
When you enter an incorrect command, you receive one of three messages detailed in Table 5-2.

[ 56 ]

TABLE 5-2 Console Error Messages

Error Message: % Ambiguous command: "show con"
Meaning: Not enough characters were entered to define a specific command.
How to Get Help: Reenter the command, followed by a question mark (?), with no space between the command and the question mark.

Error Message: % Incomplete command.
Meaning: Keywords or values are missing.
How to Get Help: Reenter the command, followed by a question mark (?), with a space between the command and the question mark.

Error Message: % Invalid input detected at '^' marker.
Meaning: The command was entered incorrectly. The caret (^) marks the point of the error.
How to Get Help: Enter a question mark (?) to display all the commands or parameters that are available in this mode.

[ 57 ]

Section 6 Configuring a Cisco Switch

Starting a Switch
When a Catalyst switch is started for the first time, a default configuration is loaded. Three main operations are performed during normal startup:
1. A power-on self test (POST) checks the hardware.
2. A startup routine initiates the operating system.
3. Software configuration settings are loaded.

Before you start the switch, verify the following:
• All network cable connections are secure.
• A terminal is connected to the console port.
• A terminal application is selected.

Initial startup procedure:
Step 1. Attach the switch to the power source to start the switch (there is no on/off switch).
Step 2. Observe the boot sequence.
Step 3.

[ 58 ]

Switch LED Indicators
Figure 6-1 shows the LEDs on the front panel of the switch. These LEDs provide information on switch status during startup, normal operation, and fault conditions. Pressing the Mode button toggles through the following LED display modes:
• Port status
• Bandwidth utilization
• Full-duplex support

FIGURE 6-1 Catalyst 2960 LEDs
[Figure: front-panel labels System LED, Port Status LEDs, Port Mode LEDs, and Mode Button]

Table 6-1 details switch LED status indications for the Catalyst 2960.

[ 59 ]

TABLE 6-1 Catalyst 2960 LEDs

System LED
  Green: System powered and operational
  Amber: System malfunction, one or more POST errors

Redundant power supply (RPS)
  Green: RPS operational
  Flashing green: RPS connected but is powering another device
  Amber: RPS installed but not operational
  Flashing amber: The internal power supply and RPS have power and are powering the switch

Port status (STAT)
  Green: Link present
  Flashing green: Link present with traffic activity
  Alternating green and amber: Link fault
  Amber: Port not forwarding

Bandwidth utilization (UTL)
  Green: Bandwidth utilization displayed over the amber LED on a logarithmic scale
  Amber: Maximum backplane utilization since the switch was powered on
  Green and amber: Depends on the model

Full-duplex (FDUP)
  Green: Ports are configured in full-duplex mode
  Off: Ports are half-duplex

Configuring a Switch from the Command Line
The following two configuration modes are available:
• Global configuration: Configures global parameters on a switch, such as IP address and host name
• Interface configuration: Configures parameters specific to a switch port

[ 60 ]

The IOS command to enter global configuration mode is configure terminal. The IOS command to enter interface configuration mode is interface interface-id. The interface-id parameter identifies the type and number of the interface you want to configure. To enter interface mode, you first need to be in global configuration mode, as follows:
switch(config)#interface g0
switch(config-if)#

Configuring a Host Name
To give the switch a host name or identify it, use the hostname privileged IOS command, as follows:
switch(config)#hostname Admin-SW
Admin-Sw(config)#

Configuring the Switch IP Address and Default Gateway
To assign an IP address on a Catalyst 2960 switch, follow these steps:
Step 1. Enter the VLAN 1 interface. This is a logical interface used for management.
Step 2. Assign the IP address and subnet masks.
Step 3. Enable the interface by issuing the no shutdown command.
The following example shows the necessary command syntax for all three steps:
Admin-Sw(config)#interface vlan1
Admin-Sw(config-if)#ip address 192.168.10.10 255.255.255.0
Admin-Sw(config-if)#no shutdown

[ 61 ]

To configure the default gateway, use the ip default-gateway ip-address global configuration command, as follows:
Switch(config)#ip default-gateway 192.168.10.1

Showing Switch Status
To display the status of a switch, use one of the following commands:
• show running-configuration displays the currently active configuration in memory, including any changes made in the session that have not yet been saved.
• show startup-config displays the last saved configuration.
• show interfaces displays information on connections and ports that connect with other devices.
• show version displays information about the system hardware and software.

Managing MAC Addresses
MAC address tables contain the following three types of addresses:
• Dynamic addresses are learned by the switch and then are dropped when they are not in use.
• Permanent and static addresses are assigned by an administrator.

NOTE Some switches can be configured to dynamically learn MAC addresses associated with a port and automatically create a static entry for the learned MAC address in the MAC address table. This type of address is called a sticky address.

MAC Address Configuration
The mac-address-table static global configuration command associates a MAC address with a particular switched port interface. The syntax for the mac-address-table command is as follows:
mac-address-table static mac-address vlan vlan-id interface interface-id
You verify the MAC address table settings using the show mac-address-table command.

[ 62 ]

Understanding Switch Security
Securing a switch includes physical, environmental, and access security. Physical and environmental security is outlined in Chapter 2. Some basic security suggestions for network devices are as follows:
• Use complex passwords for all devices.
• Limit Telnet access using access lists.
• Use SSH instead of Telnet.
• Physically secure access to the switch.
• Use banners to warn against unauthorized access.
• Set up and monitor syslog.
• Disable unused ports.
• Configure port security.

Configuring Password Security
The CLI is used to configure password security. You configure passwords to secure access to the switch. You can configure the following passwords using the CLI:
• Console: Password that accesses the console port
• Telnet: Password that accesses the virtual terminal ports on the switch
• Enable: Nonencrypted password that accesses privileged EXEC mode
• Secret: Encrypted password that accesses privileged EXEC mode

[ 63 ]

If the enable password and the enable secret password are both set on the switch, the enable secret password will override the enable password. The console, Telnet, and enable passwords are displayed unencrypted. To encrypt them, use the service password-encryption global command, as follows:
Cat2960(config)#service password-encryption

Configuring Console Password
To configure the console password, enter the following:
Cat2960(config)#line console 0
Cat2960(config-line)#login
Cat2960(config-line)#password CCNA

Configuring Telnet Password
To configure the Telnet password, enter the following:
Cat2960(config)#line vty 0 15
Cat2960(config-line)#login
Cat2960(config-line)#password CCNA

Configuring Enable and Secret Passwords
To configure enable and secret passwords, enter the following:
Cat2960(config)#enable password Cisco
Cat2960(config)#enable secret cisco

[ 64 ]

Configuring Login Banner and MOTD
The login banner is displayed before the username and password login prompts on a Catalyst switch. It is displayed to anyone who connects to the Cisco IOS device through Telnet, console port, or auxiliary port. The login banner is configured using the banner login global command, as follows:
Cat2960#config t
Enter configuration commands, one per line. End with CNTL/Z.
Cat2960(config)#banner login #
Enter TEXT message. End with the character '#'.
Warning only authorized users may access this switch.
#<ENTER>
Cat2960(config)#

In the previous command, the # character is a delimiting character and can be any character. The message of the day (MOTD) is displayed before the login banner. Use the banner motd # text # global configuration command to configure the MOTD:
Cat2960(config)#banner motd #
Enter TEXT message. End with the character '#'.
Notice! Only Authorized Personnel Are Allowed to Access This Device
#<ENTER>

SSH Access
Cisco recommends using SSH to encrypt communication between the Cisco device and the host. Telnet is unsecure, and all communication between the Cisco device and the host is sent in clear text. Use the following steps to configure SSH access:
Step 1. Create a local username and password on the device.
Step 2. Assign a domain name to the device.

[ 65 ]

Step 3. Generate a security key.
Step 4. Enable SSH.
Step 5. Configure vty ports to authenticate using SSH.
The following commands demonstrate how to configure SSH access:
switch(config)#username eric password 0 ciscopress
switch(config)#ip domain-name cisco.com
switch(config)#crypto key generate rsa
The name for the keys will be: switch.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
switch(config)#ip ssh ver 2
switch(config)#line vty 0 15
switch(config-line)#login local
switch(config-line)#transport input telnet ssh

Securing vty Access
By default, any IP address can connect to a vty line. Recommended practice dictates restricting access to vty lines by IP address. This is done through standard access lists. Standard access lists allow you to permit or deny traffic based on the source IP address. To restrict access to vty lines, you would create a standard access list that permits each authorized IP address to connect to vty and apply the access list to the vty lines.

[ 66 ]

Configuring and Applying vty Access Lists
The command syntax to create a standard IP access list is as follows:
access-list access-list-number {permit | deny} source-address [wildcard-mask]
The access-list-number parameter is a number from 1 to 99 or 1300 to 1999. At the end of each access list is an implicit deny any statement. So, if a host is not specifically permitted, it will be denied.

Wildcard Masks
Wildcard masks define the subset of the 32 bits in the IP address that must be matched. Wildcards are used with access lists to specify a host, network, or part of a network. Wildcard masks work exactly the opposite of subnet masks. In wildcard masks, when 0s are present, the octet address must match. Mask bits with a binary value of 1 are wildcards. For example, if you have an IP address 172.16.0.0 with a wildcard mask of 0.0.255.255, the first two portions of the IP address must match 172.16, but the last two octets can be in the range of 1 to 255.

The command syntax to apply an access list to an interface is as follows:
access-class access-list-number {in | out}

The following commands create access list number 10, permitting Telnet access to the vty lines from IP network 192.168.10.0/24:
SwitchA(config)#access-list 10 permit 192.168.10.0 0.0.0.255
SwitchA(config)#line vty 0 15
SwitchA(config-line)#access-class 10 in
The last command applies the access list to the Telnet ports.
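The wildcard-mask matching and the implicit deny any described above, as an added Python example that is not from the book. The `wildcard_from_prefix` helper derives a wildcard mask from a prefix length, generalizing the /24 case in the text, and the sample access lists are constructed for the example (access list 10 mirrors the vty example; access list 20 adds a single-host entry with the 0.0.0.0 wildcard).

```python
# Added example, not from the book: standard-ACL evaluation with wildcard masks
# and the implicit "deny any" at the end of every list.
import ipaddress


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard mask is equal in address and base."""
    care_bits = 0xFFFFFFFF ^ ip_to_int(wildcard)   # wildcard 0 bit = must match
    return (ip_to_int(address) & care_bits) == (ip_to_int(base) & care_bits)


def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /n network: the bitwise inverse of the subnet mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def evaluate_standard_acl(entries, source: str) -> str:
    """entries: (action, source-address, wildcard-mask) tuples in configured order.

    The first matching entry decides; a source matching no entry hits the
    implicit deny any, exactly as the text describes.
    """
    for action, base, wildcard in entries:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"


# Constructed sample lists. ACL 10 is the vty example from the text.
ACL_10 = [("permit", "192.168.10.0", "0.0.0.255")]
# ACL 20 (constructed): one management host plus the management subnet.
ACL_20 = [("permit", "10.1.1.5", "0.0.0.0"),
          ("permit", "192.168.10.0", wildcard_from_prefix(24))]


if __name__ == "__main__":
    for src in ("192.168.10.77", "192.168.11.77", "10.1.1.5", "10.1.1.6"):
        print(src, "-> ACL 10:", evaluate_standard_acl(ACL_10, src),
              "| ACL 20:", evaluate_standard_acl(ACL_20, src))
```

Because a standard list only looks at the source address, the decision for a vty connection is made entirely by `evaluate_standard_acl`; anything not explicitly permitted, including a host one subnet away, falls through to the implicit deny.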

[ 67 ]

Implementing and Verifying Port Security
Port security limits the number of MAC addresses allowed per port and can also limit which MAC addresses are allowed. Allowed MAC addresses can be manually configured or dynamically learned by the switch. The interface command to configure port security is as follows:
switchport port-security [mac-address mac-address | mac-address sticky [mac-address] | maximum value | violation {restrict | shutdown}]
• switchport port-security mac-address mac-address: Manually configures the port to use a specific MAC address.
• switchport port-security mac-address sticky: Configures the switch to dynamically learn the MAC address of the device attached to the port.
• switchport port-security maximum value: Configures the maximum number of MAC addresses allowed on the port. The default value is 1.
• switchport port-security violation {restrict | shutdown}: Configures the action to be taken when the maximum number of MAC addresses is reached and when MAC addresses not associated with the port try to access the port. The restrict keyword tells the switch to restrict access to learned MAC addresses that are above the maximum defined addresses. The shutdown keyword tells the switch to shut down all access to the port if a violation occurs.

The following example demonstrates how to configure port security:
Cat2960(config)#int f0/1
Cat2960(config-if)#switchport mode access
Cat2960(config-if)#switchport port-security
Cat2960(config-if)#switchport port-security max 1
Cat2960(config-if)#switchport port-security mac-address sticky
Cat2960(config-if)#switchport port-sec violation restrict

[ 68 ]

To verify port security, use the show port-security command, as follows:
Cat2960#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
-------------------------------------------------------------------------
      Fa0/1              1            0                  0         Restrict
-------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8320

Securing Unused Ports
To secure unused ports, either disable the port or place the port in an unused VLAN. A switch port is disabled by issuing the shutdown interface command.

VLANs
Users of shared LANs are usually grouped based on where people are located rather than how they use the network (physical rather than logical). Shared LANs have little embedded security, because all traffic can be seen by all end stations. It is also expensive to make moves or changes in the network setup. Virtual LANs solve these problems. The virtual LAN (VLAN) organizes physically separate users into the same broadcast domain. The use of VLANs improves performance, security, and flexibility. The use of VLANs also decreases the cost of arranging users, because no extra cabling is required.
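Added example (not the book's code): a small model of the port-security behaviour described above, showing how the maximum, sticky learning, and violation restrict versus violation shutdown change the outcome when a second MAC address appears on a port configured like Fa0/1. The first MAC address is the one shown in this section's show interface output; the second is constructed, and the summary function only reproduces the columns of the show port-security output.

```python
# Added example, not from the book: a model of switchport port-security.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum (default 1)
    violation: str = "shutdown"    # switchport port-security violation {restrict | shutdown}
    secure_macs: set = field(default_factory=set)   # sticky/learned or static addresses
    violation_count: int = 0
    shut_down: bool = False        # True once a shutdown-mode violation closes the port

    def ingress(self, src_mac: str) -> str:
        """Apply port security to a frame with source src_mac; return the outcome."""
        if self.shut_down:
            return "dropped:port-shutdown"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Sticky learning: the address is learned and kept as a secure address.
            self.secure_macs.add(src_mac)
            return "forwarded:learned"
        # Maximum reached and the address is not a secure address: a violation.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.shut_down = True           # all access to the port is shut down
            return "dropped:port-shutdown"
        return "dropped:restricted"         # restrict: drop and count, port stays up

    def summary(self) -> dict:
        """Fields matching the columns of 'show port-security'."""
        return {"Secure Port": self.name,
                "MaxSecureAddr": self.maximum,
                "CurrentAddr": len(self.secure_macs),
                "SecurityViolation": self.violation_count,
                "Security Action": self.violation.capitalize()}


def run_scenario(violation: str) -> tuple:
    """Two devices appear on a max-1 port; the second one is a violation.

    Returns (per-frame outcomes, violation count, port shut down?).
    """
    port = SecurePort("Fa0/1", maximum=1, violation=violation)
    frames = ["0019.e81a.4801",   # address from the show interface output above
              "0019.e81a.4801",
              "aaaa.bbbb.cccc",   # constructed: a second, unexpected device
              "0019.e81a.4801"]
    outcomes = [port.ingress(mac) for mac in frames]
    return outcomes, port.violation_count, port.shut_down


if __name__ == "__main__":
    for mode in ("restrict", "shutdown"):
        print(mode, run_scenario(mode))
```

The difference between the two modes is what happens to the legitimate device after the violation: with restrict it keeps working while the violation counter climbs, with shutdown the whole port stops until an administrator intervenes, which is why the violation count in show port-security is worth monitoring.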

[ 69 ]

VLAN Characteristics
VLANs are logical broadcast domains that can span multiple physical LAN segments. VLANs allow logically defined user groups rather than user groups defined by their physical locations. For example, you can arrange user groups such as accounting, engineering, and finance, rather than everyone on the first floor, everyone on the second floor, and so on. VLANs are characterized as follows:
• VLANs define broadcast domains that can span multiple LAN segments.
• A VLAN can exist on one or several switches.
• Only ports assigned to a specific VLAN share broadcasts; other VLANs do not see other VLANs' broadcasts.
• VLAN segmentation is not bound by the physical location of users.
• VLANs improve segmentation, flexibility, and security.

Figure 6-2 shows a typical VLAN design.

FIGURE 6-2 VLAN Design
[Figure: three floors (1st Floor, 2nd Floor, 3rd Floor), each with members of the SALES, HR, and ENG VLANs]

[ 70 ]

VLAN Operation
Each VLAN on a switch behaves as if it were a separate physical bridge. The switch forwards packets (including unicasts, multicasts, and broadcasts) only to ports assigned to the same VLAN from which they originated. This drastically reduces network traffic. VLANs require a trunk or physical connection for each VLAN to span multiple switches. Each trunk can carry traffic for multiple VLANs.

VLAN Assignment
A port can be assigned (configured) to a given VLAN. A port can belong to only one VLAN at a time. VLAN membership can be either static or dynamic:
• Static assignment: The VLAN port is statically configured by an administrator.
• Dynamic assignment: The switch uses a VMPS (VLAN Membership Policy Server). The VMPS is a database that maps MAC addresses to VLANs. VLANs can also be assigned based on MAC addresses. This method offers flexibility but increases switching overhead (computer processing requirements).

Adding and Assigning VLANs
The vlan vlan-id global command adds a VLAN to a Catalyst 2960 switch, as demonstrated here:
Cat2960(config)#vlan 10
Cat2960(config-vlan)#name Admin
Cat2960(config-vlan)#vlan 20
Cat2960(config-vlan)#name Sales

[ 71 ]

The switchport access vlan vlan-id interface command assigns a port to a specific VLAN, as demonstrated here:
Cat2960(config)#int f0/1
Cat2960(config-if)#switchport access vlan 10
Cat2960(config-if)#int f0/2
Cat2960(config-if)#switchport access vlan 20

Verifying VLANs
The commands to verify VLAN configurations are as follows:
• show vlan id vlan#: Displays information about a specific VLAN
• show vlan brief: Displays one line for each VLAN that displays the VLAN name, the status, and the switch ports assigned to that VLAN
• show vlan: Displays information on all configured VLANs

Maximizing the Benefits of Switching

Microsegmentation
Microsegmentation is a network design (functionality) where each workstation or device on a network gets its own dedicated segment (collision domain) to the switch. Each network device gets the full bandwidth of the segment and does not have to share the segment with other devices. Microsegmentation reduces and can even eliminate collisions because each segment is its own collision domain. Microsegmentation is implemented by installing LAN switches. Benefits of microsegmentation are as follows:
• Collision-free domains from one larger collision domain
• Efficient use of bandwidth by enabling full-duplex communication
• Low latency and high frame-forwarding rates at each interface port

[ 72 ]

Duplex Communication
Duplexing is the mode of communication in which both ends can send and receive information. With full-duplex, bidirectional communication can occur at the same time. Half-duplex is also bidirectional communication, but signals can flow in only one direction at a time. Simplex runs in a single direction only. Table 6-1 provides a comparative summary of full-duplex, half-duplex, and simplex communication.

TABLE 6-1 Full-Duplex, Half-Duplex, and Simplex Communication

Full-Duplex
• Can send and receive data at the same time.
• Point-to-point connection only.
• Uses a dedicated switched port with separate circuits.
• Collision-free.
• Efficiency is rated at 100 percent in both directions.
• Both ends must be configured to run in full-duplex mode.

Half-Duplex
• Can connect with both half- and full-duplex devices.
• Multipoint attachments.
• CSMA/CD is susceptible to collisions.
• Efficiency is typically rated at 50 to 60 percent.
• The duplex setting must match on devices sharing a segment.

Simplex
• Data is sent in one direction only and can never return to the source over the same link.
• Satellite TV downlink is an example.
• 100 percent efficiency in one direction.
• Not used very often in internetworking.

Configuring and Verifying Port Duplex
The default port settings on a Catalyst 2960 switch are as follows:
• Duplex: auto
• Speed: auto

[ 73 ]

To change the default settings, use the following commands:
Switch(config)#interface f0/1
Switch(config-if)#duplex {auto | full | half}
Switch(config-if)#speed {10 | 100 | 1000 | auto}

To view duplex and speed settings, use the show interface interface-id command, as follows:
Cat2960#show interface f0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0019.e81a.4801 (bia 0019.e81a.4801)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00

Physical Redundancy in an Ethernet LAN
A redundant topology has multiple connections to switches or other devices. Redundancy ensures that a single point of failure does not cause the entire switched network to fail. Layer 2 redundancy, however, can cause problems in a network, including broadcast storms, multiple copies of frames, and MAC address table instability. Figure 6-3 depicts a redundant topology.

FIGURE 6-3 Redundant Topology (Server/Host X, Router Y, Segment 1, Segment 2)

Spanning Tree Protocol
The solution to problems caused in a redundant switched network is the Spanning Tree Protocol (STP). STP is a Layer 2 protocol that prevents looping traffic in a redundant switched network by blocking traffic on the redundant links. If the main link goes down, STP activates the standby path. STP operation is transparent to end stations.

Troubleshooting Switch Issues
When troubleshooting switch issues, remember the following:
- Switches operate at Layer 2 of the OSI model.
- Switches provide an interface to the physical media.
- Problems generally are seen at Layer 1 and Layer 2.
- Layer 3 issues could be regarding IP connectivity to the switch for management purposes.

Identifying and Resolving Media Issues
Common switch Layer 1 issues include the following:
- Bad wires or damaged wires.
- New equipment is installed.
- EMI is introduced.
Bad wiring and EMI commonly show up as excessive collisions and noise. This is displayed by excessive collisions and runts when issuing the show interface command, as follows:
    SwitchA#show interface g0/1
    GigabitEthernet0/1 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet Port, address is 000d.65ac.5040 (bia 000d.65ac.5040)
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
    <Text-Omitted>
      5 minute output rate 10000 bits/sec, 7 packets/sec
         1476671 packets input, 363178961 bytes, 0 no buffer
         Received 20320 broadcasts (12683 multicast)
         0 runts, 0 giants, 0 throttles
         3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
         0 input packets with dribble condition detected
         1680749 packets output, 880704302 bytes, 0 underruns
         8 output errors, 1874 collisions, 15 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out

Identifying and Resolving Access Port Issues
Common port access issues are as follows:
- Media-related issues
- Duplex mismatch
- Speed mismatch

Media-Related Issues
Media-related issues might be reported as an access issue; for example, a user might say that she cannot access the network. Media issues should be isolated and resolved as indicated in the previous topic.

Duplex Issues
The following items can create duplex issues:
- One end set to full-duplex and the other set to half-duplex results in a duplex mismatch.
- One end set to full-duplex and auto-negotiation on the other:
  - Auto-negotiation will fail, and the end reverts to half-duplex.
  - Results in a duplex mismatch.
- One end set to half-duplex and auto-negotiation on the other:
  - Auto-negotiation will fail, and the end reverts to half-duplex.
  - Both ends set to half-duplex causes no mismatch.

Speed Issues
- One end set to one speed and the other set to another results in a mismatch.
- One end set to a higher speed and auto-negotiation on the other:
  - Auto-negotiation will fail, and the end will revert to a lower speed.
  - Results in a mismatch.

Section 7 Extending the LAN

Exploring Wireless Networking
In recent years, business’s need for network mobility has made wireless LANs (WLANs) common in today’s networks. Unlike wired LANs, wireless devices transmit and receive data using radio frequencies (RF) or infrared signals. These frequencies or signals are sent through an access point (AP). The AP is like a hub or switch on a wired LAN and is the connectivity point for all wireless devices to access the network. WLANs are based on IEEE standards that define physical and data-link specifications. Because the standards define Layer 1 and Layer 2 specifications, higher-layer protocols such as IP and IPsec can function on WLANs. The IEEE standards on WLANs, such as 802.11a/b/g, use unlicensed radio frequencies. As such, an RF license is not needed to implement WLANs.

Difference Between WLANs and LANs
The following are some of the differences between WLANs and LANs:
- WLANs use radio waves as the physical layer.
- WLANs use carrier sense multiple access collision avoidance (CSMA/CA) instead of CSMA/CD for media access.
- WLANs operate in half-duplex.

- WLANs use a different frame type than Ethernet.
- Radio waves have problems that are not found on wires, such as
  - Connectivity issues such as coverage problems, interference, and noise
  - Privacy issues
- An access point is a shared device similar to an Ethernet hub for shared bandwidth.
- WLAN devices have no physical network connection. They are often mobile and battery powered.
- WLANs must adhere to each country’s RF standards.

Radio Frequency Transmission
Radio frequencies are radiated into the air through an antenna, creating radio waves. Outside objects can affect radio waves, resulting in the following:
- Reflection: Occurs when RF waves bounce off objects like metal or glass
- Scattering: Occurs when RF waves strike uneven surfaces
- Absorption: Occurs when RF waves are absorbed by objects such as water
As shown in Table 7-1, several unlicensed bands are used by the ITU-R local FCC Wireless. Higher frequencies allow higher data rates but also have a shorter distance.

TABLE 7-1 ITU-R Local FCC Wireless Bands
Band | Range
900 MHz | 902 to 928 MHz
2.4 GHz | 2.400 to 2.483 GHz
5 GHz | 5.150 to 5.350 GHz, 5.725 to 5.825 GHz

Although these three frequencies do not require licenses, local country code regulations still exist inside the frequencies to limit characteristics such as transmission power, antenna gain, and antenna. Effective Isotropic Radiated Power (EIRP) is the final unit of measurement monitored by local regulatory agencies, and the total summation of transmitter, cable, and antenna. EIRP is calculated using the following formula:
EIRP = Transmitter power + Antenna gain – Cable loss

802.11 Standards
Table 7-2 shows the different 802.11 standards.

TABLE 7-2 802.11 Standards
Standard | Ratified | Frequency Band (GHz) | No. of Channels | Transmission | Data Rates (Mbps)
802.11 | 1997 | 2.4 | 3 | IR, FHSS, DSSS | 1, 2
802.11b | 1999 | 2.4 | 3 | DSSS | 1, 2, 5.5, 11
802.11a | 1999 | 5 | Up to 23 | OFDM | 6, 9, 12, 18, 24, 36, 48, 54
802.11g | 2003 | 2.4 | 3 | DSSS-OFDM | 1, 2, 5.5, 11 and 6, 9, 12, 18, 24, 36, 48, 54

These standards are described as follows:
- 802.11b uses Direct Sequence Spread Spectrum (DSSS). It has four data rates: 1, 2, 5.5, and 11 Mbps. 802.11b provides up to 14 channels, but only 3 channels have nonoverlapping frequencies: 1, 6, and 11.
- 802.11a uses Orthogonal Frequency-Division Multiplexing (OFDM). It has eight data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. 802.11a provides from 12 to 23 nonoverlapping channels.
- 802.11g uses three nonoverlapping channels: 1, 6, and 11. It uses DSSS to provide 1-, 2-, 5.5-, and 11-Mbps speeds for backward compatibility to 802.11b. It uses OFDM to provide the following rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps.

WLAN Security
With the increase of low-cost APs, hackers are finding it easier to compromise WLANs.

WLAN Security Threats
WLAN security threats include the following:
- War driving: A term used to describe when someone is driving around with a laptop and wireless card/antenna, looking for wireless access points to exploit.
- Hackers: Most hackers start by war driving. When an access point is identified, hackers try to exploit weak security keys and passwords to gain access to the network.
- Rogue APs: Access points installed on a WLAN that can be used to interfere with day-to-day network operation. Rogue APs are also unauthorized APs installed on the network by employees.

Mitigating Security Threats
Three steps a network administrator can take to mitigate security threats are as follows:
- Use authentication to ensure that only authorized clients access the WLAN.
- Encrypt wireless data.
- Use intrusion detection/prevention systems to monitor, identify, and prevent WLAN attacks.

Evolution of Wireless LAN Security
Wireless security methods have evolved over time to increase security, stronger encryption, and user authentication. Wireless security methods, listed from weakest to strongest, include the following:
- Wired Equivalent Privacy (WEP): Uses basic encryption, weak authentication, and static keys and is not scalable.
- 802.1x EAP: Uses dynamic keys and 802.1x authentication.
- Wi-Fi Protected Access (WPA): Created by the Wi-Fi Alliance as a standard. Uses Temporal Key Integrity Protocol (TKIP) for encryption, 802.1x user authentication, and dynamic keys.
- WPA2 (802.11i): Uses Advanced Encryption Standard (AES) for strong encryption, 802.1x authentication, and dynamic keys.

Wireless Client Association
Wireless clients associate with APs as follows:
1. APs send out beacons announcing the service set identifier (SSID) and data rates.
2. The client scans all channels and sends out probe requests.

3. The AP sends a probe response, and the client listens for the response from the APs.
4. The client associates to the AP with the strongest signal. Authentication and other security information is sent to the AP.
5. The AP accepts the association.

802.1x on a WLAN
Figure 7-1 shows how 802.1x works on a WLAN.
FIGURE 7-1 802.1x (Client (Supplicant), AP (Authenticator), Authentication Server; messages: Start, Request Identity, Identity, Identity; AP blocks all requests until authentication completes.)
1. The client becomes active on the medium and associates to the access point. The access point detects the client association and enables the client’s port. It forces the port into an unauthorized state, so only 802.1x traffic is forwarded.
2. The access point replies with an EAP-Request Identity message to the client to obtain the client’s identity. The client’s EAP-Response packet, which contains the client’s identity, is forwarded to the authentication server.

3. The authentication server authenticates the client and sends an ACCEPT or REJECT packet from the authentication server to the access point.
4. Upon receiving the ACCEPT packet, the access point transitions the client’s port to an authorized state and traffic is forwarded.

WPA and WPA2 Modes
WPA and WPA2 support these two modes:
- Enterprise: Products that are interoperable with both Pre-Shared Key (PSK) and IEEE 802.1x/EAP for authentication
- Personal: Products tested to be interoperable in the PSK-only authentication mode

Implementing a WLAN
802.11 supports the following two topologies:
- Ad hoc mode: Wireless clients connect directly to each other without an access point.
- Infrastructure mode: Wireless clients connect through an access point. The following two modes of infrastructure mode exist:
  - Basic Service Set (BSS): Wireless clients connect to each other and the wireless network through one access point.
  - Extended Service Set (ESS): More than one access point exists, with all APs configured with a common SSID to allow roaming.
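The four-step 802.1x exchange of Figure 7-1 above, as an added Python model that is not code from the book: a toy authenticator (the AP) holds the client's port in the unauthorized state, relays only the 802.1x identity exchange to the authentication server, and opens the port for data only on ACCEPT. The client name, the secret, and the credential table are constructed for the demo; the RADIUS transport between AP and server is not modelled.

```python
"""Toy model of 802.1x port authorization on a WLAN access point (added example)."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    """A frame arriving on the client's port; kind is 'eapol' (802.1x) or 'data'."""
    kind: str
    payload: dict = field(default_factory=dict)


class AuthenticationServer:
    """Constructed stand-in for the authentication server; answers ACCEPT or REJECT."""

    def __init__(self, credentials):
        self._credentials = credentials  # identity -> expected secret (demo table)

    def authenticate(self, identity, secret):
        if self._credentials.get(identity) == secret:
            return "ACCEPT"
        return "REJECT"


class AccessPoint:
    """The authenticator: each client port stays unauthorized until the server says ACCEPT."""

    def __init__(self, server):
        self._server = server
        self.port_state = {}   # client -> 'unauthorized' | 'authorized'
        self.forwarded = []    # data payloads that made it past the port
        self.log = []          # (from, to, message) records of the exchange

    def associate(self, client):
        # Step 1: association detected, port enabled but forced unauthorized,
        # so only 802.1x traffic is accepted on it.
        self.port_state[client] = "unauthorized"
        self.log.append(("AP", client, "EAP-Request Identity"))
        return "EAP-Request Identity"

    def receive(self, client, frame):
        state = self.port_state.get(client, "unauthorized")
        if frame.kind == "data":
            if state == "authorized":
                self.forwarded.append(frame.payload)
                return "forwarded"
            return "dropped"           # unauthorized port blocks everything but 802.1x
        if frame.kind == "eapol":
            # Step 2: the EAP-Response Identity is relayed to the server.
            identity = frame.payload.get("identity")
            secret = frame.payload.get("secret")
            self.log.append((client, "AP", "EAP-Response Identity"))
            # Step 3: the server authenticates and answers ACCEPT or REJECT.
            verdict = self._server.authenticate(identity, secret)
            self.log.append(("server", "AP", verdict))
            # Step 4: only ACCEPT moves the port to the authorized state.
            if verdict == "ACCEPT":
                self.port_state[client] = "authorized"
            return verdict
        return "dropped"


def run_exchange(identity, secret, credentials=None):
    """Drive one client through the exchange.

    Returns (server verdict, final port state, result of a data frame sent
    before authentication, result of a data frame sent after it).
    """
    creds = credentials if credentials is not None else {"alice": "s3cret"}  # demo table
    ap = AccessPoint(AuthenticationServer(creds))
    ap.associate("client1")
    before = ap.receive("client1", Frame("data", {"dst": "10.0.0.5"}))
    verdict = ap.receive("client1", Frame("eapol", {"identity": identity, "secret": secret}))
    after = ap.receive("client1", Frame("data", {"dst": "10.0.0.5"}))
    return verdict, ap.port_state["client1"], before, after


if __name__ == "__main__":
    print(run_exchange("alice", "s3cret"))  # ('ACCEPT', 'authorized', 'dropped', 'forwarded')
    print(run_exchange("alice", "wrong"))   # ('REJECT', 'unauthorized', 'dropped', 'dropped')
```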

WLAN Service Area and Data Rates
As shown in Figure 7-2, the basic service area is the access point’s RF coverage area. In other words, it is the area that is covered by the access point.
FIGURE 7-2 Basic Service Area (Service Area, Channel 6)
WLAN clients can shift data rates while moving. Rate shifting occurs on a transmission-by-transmission basis. The closer a client is to an AP, the higher the data rate; the farther the client is from the AP, the lower the data rate. Clients will always try to communicate with the highest possible data rate. Figure 7-3 shows the data rates for 802.11b.

FIGURE 7-3 802.11b Data Rates (1 Mbps DSSS, 2 Mbps DSSS, 5.5 Mbps DSSS, 11 Mbps DSSS)

Access Point Configuration
APs can be configured through a command-line interface or a browser GUI. APs should be configured with the following parameters:
- IP address, subnet mask, and default gateway
- Wireless protocol (802.11a/b/g, 802.11g, 802.11a)
- RF channel
- SSID
- Authentication method
- Encryption method
- Optional power adjustment

Steps to Implement a Wireless Network
Seven basic steps are required to implement a wireless network:
Step 1. Verify wired operation, including DHCP and Internet access.
Step 2. Install the AP.
Step 3. Configure the AP with no security.
Step 4. Install and configure a wireless client with no security.
Step 5. Verify wireless operation.
Step 6. Configure security on the AP and client.
Step 7. Verify wireless connectivity.

Wireless Troubleshooting
Most wireless problems are due to incorrect configuration. Steps to troubleshoot configurations are as follows:
- Verify channel configuration.
- Verify that users have the correct passwords and encryption type.
Other common wireless problems are due to RF installation. You should verify the following:
- The radio is enabled on both the AP and the clients.
- The external antenna is connected.
- The antenna is in the optimal position.
- Check for interference from outside objects such as metal or water.

Part III: Connecting LANs

Section 8 Exploring the Functions of Routing

Router Overview
Routing is the act of finding a path to a destination and moving data across this path from source to destination. The process of routing includes determining the optimum path through the network. The routing process uses network routing tables, protocols, and algorithms to determine the most efficient path for forwarding the IP packet. Routers do this by using a routing protocol to communicate the network information from the router’s own routing table with neighboring routers.

Router Function
Routers have the following two key functions:
- Path determination: Routing tables and network addresses transmit packets through the network.
- Packet forwarding: After the path is determined, a router forwards the packets through its network interface toward the destination.

Key Information a Router Needs
In Figure 8-1, for hosts in network 10.120.2.0 to communicate with hosts in network 172.16.1.0, a router needs the following key information:
- Destination address: The destination (typically an IP address) of the information being sent
- Sources of information: Where the information came from (typically an IP address)
- Possible routes: The likely routes to get from source to destination
- Best route: The best path to the intended destination
- Status of routes: The known paths to destination
FIGURE 8-1 Routing Tables (routing table columns: Destination Network, Exit Interface, Network Protocol; exit interfaces E0, S0, S1; protocols Connected, RIP, EIGRP; Routed Protocol: IP; Routing Protocol: RIP, EIGRP)

Routing Versus Routed
Network layer protocols are either routed protocols or routing protocols. These are defined as follows:
- A routed protocol:
  - Is any network layer protocol that provides enough information within its address to allow the packet to direct user traffic.
  - Defines the address format and use of fields within the packet.
  Routed protocols include IP, Internetwork Packet Exchange (IPX), AppleTalk, and others.
- Routing protocols determine how routed protocols are used by:
  - Providing mechanisms for sharing routing information.
  - Allowing routers to update each other about network changes.
  Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Enhanced IGRP (EIGRP), and Border Gateway Protocol (BGP) are examples of routing protocols.

Path Determination
Routing tables and network addresses transmit packets through the network. The process of routing includes determining the optimum path through the network and then moving the packets along the path. A router can use the following types of entries in the routing table to select the best path:
- Static routes: Manually entered routes in the routing table
- Dynamic routes: Routes dynamically learned from a routing protocol
- Default routes: A static or dynamic route that tells the router where to route packets not explicitly in the router’s routing table

Routing Table
A router is constantly learning about routes in the network and storing this information in its routing table. The router uses its table to make forwarding decisions. The router learns about routes in one of three ways:
- Directly connected networks
- Statically (routing information entered by the network administrator)
- Dynamically (a routing process running in the network)
Information stored in a routing table includes destination/next-hop and routing metrics. Destination/next-hop tells the router whether the destination is directly connected or is available through an adjacent router. Routing metrics are measures of path desirability. Different protocols use different metrics. Some common metrics are as follows:
- Bandwidth: The link’s data capacity.
- Delay: The time required to move the packet from the current router to the destination. This depends on the bandwidth of intermediate links, port delays at each router, congestion, and distance.
- Load: The amount of activity on the network.
- Reliability: The error rate of each network link.
- Hop count: The number of routers the packet must travel through before reaching the destination.
- Cost: An arbitrary value based on bandwidth, expense, and other metrics assigned by the administrator.

Dynamic Routing Protocols
Routing protocols use their own rules and metrics to build and update routing tables automatically.

Routing Methods
Routing protocols are designed around one of the following routing methods:
- Distance vector routing: Routers using distance vector–based routing share routing table information with each other. This method of updating is called “routing by rumor.” Each router receives updates from its direct neighbor. In Figure 8-2, Router B shares information with Routers A and C. Router C shares routing information with Routers B and D. In this case, the routing information is distance vector metrics (such as the number of hops). Each router increments the metrics as they are passed on (incrementing hop count, for example). Distance accumulation keeps track of the routing distance between any two points in the network, but the routers do not know the exact topology of an internetwork. RIP is an example of a distance vector routing protocol.
  FIGURE 8-2 Distance Vector Routing Protocols (Routers A, B, C, and D, each with its own Routing Table; Distance: How Far? Vector: In Which Direction?)
- Link-state routing: The link-state–based routing algorithm (also known as shortest path first [SPF]) maintains a database of topology information. Unlike the distance vector algorithm, link-state routing maintains full knowledge of distant routers and how they interconnect. See Figure 8-3.
  FIGURE 8-3 Link-State Routing Protocols (Routers A, B, C, and D; Link-State Packets feed a Topological Database, the SPF Algorithm builds the Shortest Path First Tree, which produces the Routing Table)
  OSPF and Intermediate System–to–Intermediate System (IS-IS) are examples of link-state routing protocols. Network information is shared in the form of link-state advertisements (LSA). Link-state routing converges fast and is robust against routing loops, but it requires a great deal of memory and strict network designs. Link-state routing provides better scaling than distance vector routing for the following reasons:
  - Link-state sends only topology changes.
  - Distance vector sends complete routing tables.
  - Link-state updates are sent less often than distance vector updates.
  - Link-state uses a two-state hierarchy (areas and autonomous systems), which limits the scope of route changes.
  - Link-state supports classless addressing and summarization.

- Advanced distance vector: Combines aspects of both distance vector and link-state protocols. Balanced hybrid routing uses distance vectors with more accurate metrics, but unlike distance vector routing protocols, it updates only when there is a topology change. Balanced hybrid routing provides faster convergence while limiting the use of resources such as bandwidth, memory, and processor overhead. Cisco Enhanced IGRP (EIGRP) is an example of a balanced hybrid protocol.

Understanding Binary Basics
Computers use a numbering system based on only 1s and 0s. This type of system is called binary or base 2. This numbering system might seem awkward at first glance, but it uses the same logic as the base 10 system we use every day. For example, base 10 has ten numbers (0 through 9). When counting, you start in the “ones” column and count until you reach the highest unit. Then you move to the “tens” column, which is a power of the base. This continues with successive powers (1, 10^1, 10^2, 10^3). As with base 10, binary counting starts with the “ones” column until all the numbers are exhausted, and then it rolls over to the next column. The binary system’s columns or placeholders are 2^0, 2^1, 2^2, 2^3, and so on. Table 8-1 shows the values for the first seven places.

Table 8-1 Base 2 Numbering System
Number of Symbols: 2
Symbols: 0, 1
Base Exponent | 2^7 | 2^6 | 2^5 | 2^4 | 2^3 | 2^2 | 2^1 | 2^0
Place Value | 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1
Example: Convert 47 to Binary | 0 | 0 | 1 | 0 | 1 | 1 | 1 | 1

Binary numbers are used extensively in networking. They are the basis of IP addressing. To convert between decimal and binary, it is best to build a simple table like the one just shown. To convert from binary to decimal, simply add up the “place values” of the digits that are 1s. (In the preceding example, the placeholders for 1, 2, 4, 8, and 32 all contain 1s. Adding those values yields 47.) To convert from decimal to binary, again build a table. Put a 1 in the highest place value. (In this example, 64 cannot be used, because it is greater than 47, so a 1 is placed in the column representing 32.) Now subtract the place value from the decimal number (47 – 32 = 15). The next value (16) is too large, so a 0 is placed in that column. A 1 is then placed in the 8 column, and the subtraction is performed again (15 – 8 = 7). Repeat the process until the value of the subtraction equals 0. (101111 in binary is 47 in decimal.)

Constructing a Network Addressing Scheme
Without subnets, an organization operates as a single network. These flat topologies result in short routing tables, but as the network grows, the use of bandwidth becomes very inefficient (all systems on the network receive all the broadcasts on the network). Figure 8-4 shows a flat network with all hosts in the same broadcast domain.
FIGURE 8-4 Flat Network Address Scheme (network 172.16.0.0; hosts 172.16.0.1, 172.16.0.2, 172.16.0.3, …, 172.16.255.253, 172.16.255.254)


Network addressing can be made more efficient by breaking the addresses into smaller segments, or subnets. Subnetting provides additional structure to an addressing scheme without altering the addresses. In Figure 8-5, the network address 172.16.0.0 is subdivided into four subnets: 172.16.1.0, 172.16.2.0, 172.16.3.0, and 172.16.4.0. If traffic were evenly distributed to each end station, the use of subnetting would reduce the overall traffic seen by each end station by 75 percent.
FIGURE 8-5 Subnetted Address Scheme (subnets 172.16.1.0, 172.16.2.0, 172.16.3.0, and 172.16.4.0)

Subnet Mask
As shown in Figure 8-6, a subnet mask is a 32-bit value written as four octets. In the subnet mask, each bit is used to determine how the corresponding bit in the IP address should be interpreted (network, subnet, or host). The subnet mask bits are coded as follows:
- Binary 1 for the network bits
- Binary 1 for the subnet bits
- Binary 0 for the host bits
FIGURE 8-6 IP Address and Subnet Mask
IP Address: 172.16.0.0
Default Subnet Mask: 255.255.0.0 = 11111111 11111111 00000000 00000000 (first two octets Network, last two octets Host). Also written as "/16", where 16 represents the number of 1s in the mask.
8-bit Subnet Mask: 255.255.255.0 (first two octets Network, third octet Subnet, last octet Host). Also written as "/24", where 24 represents the number of 1s in the mask.

Although dotted-decimal is most common, the subnet can be represented in several ways:
- Dotted-decimal: 172.16.0.0 255.255.0.0
- Bit count: 172.16.0.0/16
- Hexadecimal: 172.16.0.0 0xFFFF0000

The ip netmask-format command can specify the display format of network masks for the router. Dotted-decimal is the default.

Default Subnet Masks
Each address class has a default subnet mask. The default subnet mask covers only the network portion of the address, the effect of which is no subnetting. With each bit of subnetting beyond the default, you can create 2^n – 2 subnets, where n is the number of subnet bits. Figure 8-7 and Table 8-2 show the effect of increasing the number of subnet bits.
FIGURE 8-7 Default Subnet Masks
Class A: bits 1–8 Network (0NNNNNNN, first-octet range 1–126), bits 9–32 Host
Class B: bits 1–16 Network (10NNNNNN, first-octet range 128–191), bits 17–32 Host
Class C: bits 1–24 Network (110NNNNN, first-octet range 192–223), bits 25–32 Host
Class D: 1110MMMM (first-octet range 224–239), bits 5–32 Multicast Group


Table 8-2 Subnetting
Address | Subnet Address | Number of Subnets | Comments
10.5.22.5/8 | 255.0.0.0 | 0 | This is the default Class A subnet address. The mask includes only the network portion of the address and provides no additional subnets.
10.5.22.5/16 | 255.255.0.0 | 254 | This Class A subnet address has 16 bits of subnetting, but only the bits in the second octet (those beyond the default) contribute to the subnetting.
155.13.22.11/16 | 255.255.0.0 | 0 | In this case, 16 bits are used for subnetting, but because the default for a Class B address is 16 bits, no additional subnets are created.
155.13.10.11/26 | 255.255.255.192 | 1022 | This case has a total of 26 bits of subnetting, but the Class B address can use only 10 of them to create subnets. The result creates 1024 subnets.

How Routers Use Subnet Masks
To determine the subnet of the address, a router performs a logical AND operation with the IP address and subnet mask. Recall that the host portion of the subnet mask is all 0s. The result of this operation is that the host portion of the address is removed, and the router bases its decision only on the network portion of the address. In Figure 8-8, the host bits are removed, and the network portion of the address is revealed. In this case, a 10-bit subnet address is used, and the network (subnet) number 172.16.2.128 is extracted.

FIGURE 8-8
Identifying Network Portion of Address (figure: the AND of 172.16.2.160 with 255.255.255.192)
Address 172.16.2.160:      10101100 00010000 00000010 10100000
Mask 255.255.255.192:      11111111 11111111 11111111 11000000
AND = network number:      10101100 00010000 00000010 10000000 = 172.16.2.128
The first 16 bits are the Class B network, the next 10 bits are the subnet, and the last 6 bits are the host. A last-octet mask value of 192 sets the leading 2 bits of the octet (the sequence 128 192 224 240 248 252 254 255 shows the mask value as each further bit is added).

Broadcast Addresses
Broadcast messages are sent to every host on the network. Two kinds of broadcasts exist:
- Directed broadcasts are sent to all hosts within a specific subnet (or to all subnets within a network); the destination is that subnet's broadcast address. For example, 170.34.2.255 sends a broadcast to all hosts in the 170.34.2.0 subnet.  Because a directed broadcast is a routable destination, a router can forward it toward the target subnet; forwarded directed broadcasts were the amplifier in smurf attacks, which is why IOS has defaulted to no ip directed-broadcast on interfaces since Release 12.0.
- Flooded (limited) broadcasts, addressed to 255.255.255.255, are local broadcasts within a subnet; routers never forward them.

Identifying Subnet Addresses
Given an IP address and subnet mask, you can identify the subnet address, broadcast address, first usable address, and last usable address using the following method, which is displayed in Figure 8-9:
Step 1. Write the 32-bit address, and write the subnet mask below that.
Step 2. Draw a vertical line just after the last 1 bit in the subnet mask.
Step 3. Copy the portion of the IP address to the left of the line. Place all 0s in the remaining free spaces to the right. This is the subnet number.
Step 4. Copy the portion of the IP address to the left of the line. Place all 1s in the remaining free spaces to the right. This is the broadcast address.
Step 5. Copy the portion of the IP address to the left of the line. Place all 0s in the remaining free spaces until you reach the last free space. Place a 1 in that free space. This is your first usable address.
Step 6. Copy the portion of the IP address to the left of the line. Place all 1s in the remaining free spaces until you reach the last free space. Place a 0 in that free space. This is your last usable address.
FIGURE 8-9
Identifying Subnet Addresses (figure: 174.24.4.176 with mask 255.255.255.192; the vertical line falls after the second bit of the last octet)
Host       174.24.4.176     10101110 00011000 00000100 10|110000
Mask       255.255.255.192  11111111 11111111 11111111 11|000000
Subnet     174.24.4.128     10101110 00011000 00000100 10|000000
Broadcast  174.24.4.191     10101110 00011000 00000100 10|111111
First      174.24.4.129     10101110 00011000 00000100 10|000001
Last       174.24.4.190     10101110 00011000 00000100 10|111110

How to Implement Subnet Planning
Subnetting decisions should always be based on growth estimates rather than current needs. To plan a subnet, follow these steps:
Step 1. Determine the number of subnets and hosts per subnet required.

Step 2. The address class you are assigned, and the number of subnets required, determine the number of subnetting bits used. For example, with a Class C address and a need for 20 subnets, you have a 29-bit mask (255.255.255.248). This is the Class C default 24-bit mask plus the 5 bits required for 20 subnets. (The formula 2^n – 2 yields only 14 subnets for 4 bits, so 5 bits must be used, which gives 30 subnets.)
Step 3. The remaining bits in the last octet are used for the host field. In this case, each subnet has 2^3 – 2, or 6, hosts.
Step 4. The final host addresses are a combination of the network/subnet plus each host value. In Figure 8-10, the hosts on the 192.168.5.32 subnet would be addressed as 192.168.5.33, 192.168.5.34, 192.168.5.35, and so forth.
FIGURE 8-10
Subnetting a Network (figure: requirement of 20 subnets with 5 hosts per subnet from Class C address 192.168.5.0; the subnets 192.168.5.16, 192.168.5.32, and 192.168.5.48 are shown among the other subnets)
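The AND operation of Figure 8-8, the six steps of Figure 8-9, and the planning rule of Step 2 above, carried out in code. This is an added example and not from the book; it uses only Python's standard ipaddress module for dotted-decimal conversion. The subnet_zero flag is this example's own name, not a CCNA term: it switches between the exam's 2^n – 2 subnet count and the 2^n count a router with ip subnet-zero actually supports.

```python
import ipaddress


def to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value):
    """32-bit integer -> dotted-decimal string."""
    return str(ipaddress.IPv4Address(value))


def mask_from_prefix(prefix):
    """Prefix length (e.g. 26) -> mask integer with the top `prefix` bits set."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(address, mask):
    """Steps 1-6 of Figure 8-9: AND the address with the mask for the subnet,
    OR in the inverted mask for the broadcast, and take the addresses one
    above and one below those for the first and last usable host."""
    addr, m = to_int(address), to_int(mask)
    subnet = addr & m
    broadcast = subnet | (~m & 0xFFFFFFFF)
    host_bits = 32 - bin(m).count("1")
    if host_bits < 2:
        # /31 and /32 leave no room for a separate first and last host.
        return {"subnet": to_dotted(subnet), "broadcast": to_dotted(broadcast),
                "first": None, "last": None}
    return {"subnet": to_dotted(subnet), "broadcast": to_dotted(broadcast),
            "first": to_dotted(subnet + 1), "last": to_dotted(broadcast - 1)}


def plan_mask(class_prefix, subnets_needed, hosts_needed, subnet_zero=False):
    """Step 2 of subnet planning: the fewest subnet bits beyond the classful
    prefix that give at least `subnets_needed` subnets with `hosts_needed`
    usable hosts each. subnet_zero=False applies the exam's 2^n - 2 rule;
    True counts all 2^n subnets (ip subnet-zero)."""
    for bits in range(1, 32 - class_prefix):
        prefix = class_prefix + bits
        subnets = 2 ** bits - (0 if subnet_zero else 2)
        hosts = 2 ** (32 - prefix) - 2
        if subnets >= subnets_needed and hosts >= hosts_needed:
            return {"subnet_bits": bits, "prefix": prefix,
                    "mask": to_dotted(mask_from_prefix(prefix)),
                    "subnets": subnets, "hosts_per_subnet": hosts}
    return None  # this address class cannot satisfy both requirements


def list_subnets(network, class_prefix, prefix):
    """Every subnet address of the classful `network` once it is cut at
    `prefix` (Figure 8-10: 192.168.5.0/24 cut at /29 gives .0, .8, .16, ...)."""
    base = to_int(network) & mask_from_prefix(class_prefix)
    step = 1 << (32 - prefix)
    return [to_dotted(base + i * step) for i in range(1 << (prefix - class_prefix))]


if __name__ == "__main__":
    print(subnet_info("174.24.4.176", "255.255.255.192"))  # Figure 8-9
    print(plan_mask(24, 20, 5))  # 5 subnet bits, /29, 255.255.255.248, 6 hosts
    print(list_subnets("192.168.5.0", 24, 29)[:8])
```

Running plan_mask(24, 20, 5) reproduces the chapter's /29 answer, and plan_mask(16, 1000, 50) reproduces the 155.13.10.11/26 row of Table 8-2 (1022 subnets).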

Configuring Static Routes
To configure a static route on a Cisco router, enter the following global command:
ip route destination-network [mask] {next-hop-address | outbound-interface} [distance] [permanent]

Here's an example:

RouterB(config)#ip route 172.17.0.0 255.255.0.0 172.16.0.1

This example instructs the router to send to 172.16.0.1 any packets that have a destination of 172.17.0.0 to 172.17.255.255. The distance parameter sets the administrative distance of the route, a number from 1 to 255 (1 is the default for a static route; 255 marks a route as unusable, and it is never installed). Administrative distance rates how trustworthy the route's source is, not how many hops away the destination is: a static route (1) is preferred over the same prefix learned by EIGRP (90), OSPF (110), or RIP (120). If a router has two routes to the same destination prefix, the route with the lowest administrative distance is installed in the routing table; a static route deliberately given a higher distance than the dynamic protocol's is a floating static route that is used only while the dynamic route is absent. A static route that names a next-hop address stays installed only while the router has a route to that next hop. The permanent keyword specifies that the route is not removed even if the interface it points through shuts down.

Default Route
A default route is a special route whose network and mask are both all 0s (0.0.0.0 0.0.0.0), so it matches every destination. It is used only for packets whose destination matches no more specific entry in the routing table. By default, if a router receives a packet for a destination network that is not in its routing table, it drops the packet. When a default route is specified, the router does not drop the packet; instead, it forwards the packet to the next hop specified in the default route, which show ip route reports as the gateway of last resort. To configure a static default route on a Cisco router, enter the following global configuration command:
ip route 0.0.0.0 0.0.0.0 [ip-address-of-the-next-hop-router | outbound-interface]

For example, the following command configures the router to route all packets with destinations not in its routing table to IP 172.16.0.2:
RouterB(config)#ip route 0.0.0.0 0.0.0.0 172.16.0.2
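How a router chooses among the static, dynamic, and default routes described above, as an added example that is not from the book: a small Python routing table that installs, for each prefix, the route with the lowest administrative distance, forwards by longest prefix match, falls back to 0.0.0.0/0 only when nothing more specific matches, and drops the packet when no default route exists. The distances in the sample table (1 for static, 120 for RIP) are the IOS defaults; the addresses are the chapter's RouterB examples plus a constructed 172.17.5.0/24 RIP route and a constructed competing RIP route for 172.17.0.0/16.

```python
import ipaddress


def to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def prefix_len(mask):
    """Number of 1 bits in a dotted-decimal mask (255.255.0.0 -> 16)."""
    return bin(to_int(mask)).count("1")


def mask_from_prefix(prefix):
    """Prefix length -> mask integer (0 for the default route)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


class RoutingTable:
    """Minimal IOS-style routing table: one entry per prefix, chosen by
    administrative distance; forwarding by longest prefix match."""

    def __init__(self):
        self.routes = {}  # (network_int, prefix_len) -> (next_hop, distance, source)

    def add(self, network, mask, next_hop, distance=1, source="S"):
        """Offer a route. It replaces an existing route for the same prefix
        only if its administrative distance is lower; returns True if installed."""
        key = (to_int(network) & to_int(mask), prefix_len(mask))
        current = self.routes.get(key)
        if current is None or distance < current[1]:
            self.routes[key] = (next_hop, distance, source)
            return True
        return False

    def lookup(self, destination):
        """Return (prefix, next_hop, source) for the most specific match.
        None means no route matched, not even 0.0.0.0/0: the packet is dropped."""
        dest = to_int(destination)
        best = None
        for (network, plen), (next_hop, distance, source) in self.routes.items():
            if dest & mask_from_prefix(plen) == network:
                if best is None or plen > best[0]:
                    best = (plen, network, next_hop, source)
        if best is None:
            return None
        plen, network, next_hop, source = best
        return (f"{ipaddress.IPv4Address(network)}/{plen}", next_hop, source)


def build_example_table(with_default=True):
    """The chapter's RouterB, plus a constructed more specific /24 and a
    constructed RIP route that loses to the static route on distance."""
    table = RoutingTable()
    table.add("172.17.0.0", "255.255.0.0", "172.16.0.1", 1, "S")      # static, installed
    table.add("172.17.0.0", "255.255.0.0", "172.16.0.9", 120, "R")    # RIP, not installed
    table.add("172.17.5.0", "255.255.255.0", "172.16.0.5", 120, "R")  # more specific RIP route
    if with_default:
        table.add("0.0.0.0", "0.0.0.0", "172.16.0.2", 1, "S*")         # static default route
    return table


if __name__ == "__main__":
    rib = build_example_table()
    for dst in ("172.17.5.7", "172.17.9.1", "8.8.8.8"):
        print(dst, "->", rib.lookup(dst))
    print("8.8.8.8 without a default route ->", build_example_table(False).lookup("8.8.8.8"))
```

The point the table makes: 172.17.5.7 is forwarded via the RIP /24 even though a static /16 with a better distance covers it, because prefix length is compared before administrative distance; distance only decides between competing routes for the same prefix.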


Verifying Routing
The show ip route command, as follows, verifies routing tables:
RouterA#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.1.10.1 to network 0.0.0.0

     10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
D       10.1.10.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0
D       10.1.20.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0
C       10.1.10.0/24 is directly connected, FastEthernet0/0
S       10.0.0.0/8 [1/0] via 10.1.10.0
D       10.1.60.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0
D       10.1.50.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0
D       10.1.40.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0
D       10.1.100.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0
D       10.1.254.0/24 [90/28416] via 10.1.10.254, 2w0d, FastEthernet0/0
D    192.168.0.0/24 [90/2172416] via 192.168.1.2, 1w6d, Serial0/0/0
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/30 is directly connected, Serial0/0/0
D       192.168.1.0/24 is a summary, 1w6d, Null0
S*   0.0.0.0/0 [1/0] via 10.1.10.1

Each entry shows its source code, the prefix, and in brackets the administrative distance and metric ([90/28416] is an EIGRP route with distance 90). The S* line is the static default route; it is what sets the gateway of last resort.


Section 9 Configuring a Cisco Router
Starting a Router
When a router is booted up, it goes through the following sequence (see Figure 9-1):
1. The router checks its hardware with a power-on self test (POST).
2. The router loads the bootstrap code.
3. The Cisco IOS Software is located and loaded using the information in the bootstrap code.
4. The configuration is located and loaded.

After this sequence completes, the router is ready for normal operation. When the router is started for the first time, it does not have an initial configuration. The IOS then executes a question-driven initial configuration routine called setup mode. You can enter setup mode at any time by entering the setup privileged EXEC command. Setup mode configures the following:
- Initial global parameters, such as host name, enable secret password, and Telnet passwords
- Initial protocols
- Interfaces
- AutoSecure


FIGURE 9-1
Router Boot Flowchart (figure: flowchart summarized as text)
Start -> run POST -> load bootstrap -> read the boot field of the configuration register:
- Boot field = 0x0: run the ROM monitor.
- Boot field = 0x1: use the IOS in ROM.
- Otherwise: check the startup configuration for boot system commands and do what they say; with none, use a valid IOS in flash; if flash holds no valid IOS, attempt to get an IOS from the network (RXBoot mode), and if that keeps failing (five failures, with configuration register bit 13 deciding whether to keep trying) fall back to the IOS in ROM.
Load the IOS -> if configuration register bit 6 = 1, or no valid startup configuration exists, run the setup dialog; otherwise normal startup is complete.

When the setup mode configuration process is completed, the setup command gives you the following options:
[0]: Go to the EXEC prompt without saving the created configuration.
[1]: Go back to the beginning of setup without saving the created configuration.
[2]: Accept the created configuration, save it to NVRAM, and exit to EXEC mode.
Default answers appear in square brackets ([]). Pressing Enter accepts the defaults. At the first setup prompt, you can enter No to discontinue the setup. The setup process can be aborted at any time by pressing Ctrl-C.

Router Components
The major router components are as follows:
- RAM: Random-access memory holds the running IOS software, the running configuration, and the routing tables.
- NVRAM: Nonvolatile RAM stores the startup configuration.
- Flash memory: Flash contains the Cisco IOS Software image.
- ROM: Read-only memory contains startup microcode.
- Configuration register: Controls the bootup method.
- Interfaces: The interface is the physical connection to the external devices.

Logging In to the Router
Cisco IOS Software provides a command interpreter called the EXEC. The EXEC interprets the commands that are entered and carries out the corresponding operations. To access EXEC mode, you must log in to the router through the command line. Two EXEC modes exist, as shown in Figure 9-2:
- User EXEC level provides a limited number of basic commands. This level can be password-protected.
- Privileged EXEC (enable mode) level allows you to access all router commands. The enable command allows access to this mode (disable exits to user mode).
FIGURE 9-2
Cisco IOS Software EXEC Modes (figure: a console session)
wg_ro_c con0 is now available
Press RETURN to get started
wg_ro_c>               (user-mode prompt)
wg_ro_c>enable
wg_ro_c#               (privileged-mode prompt)
wg_ro_c#disable
wg_ro_c>
wg_ro_c>logout

Displaying Router Status
Output from the following show commands provides valuable information about the router status:
- show running-config displays the currently active configuration in memory, including any changes made in the session that have not yet been saved.
- show startup-config displays the last saved configuration.
- show interfaces displays information on connections and ports that connect with other devices.
- show version displays information about the system hardware and software.

Configuring a Router
From privileged EXEC mode, the configure terminal command provides access to global configuration mode. From global configuration mode, you can access these specific configuration modes:
- Interface: Configures operations on a per-interface basis
- Subinterface: Configures multiple virtual interfaces
- Controller: Supports commands that configure controllers (such as E1 and T1)
- Line: Configures the operation of a terminal line
- Router: Configures IP routing protocols

Major Command/Subcommand Relationship
Figure 9-3 shows the major command and subcommand relationships. Commands that indicate a process or interface that will be configured are called major commands. Major commands cause the CLI to enter a specific configuration mode. Major commands have no effect unless they are immediately followed by a subcommand that supplies the configuration entry, as follows:
Router(config)# interface serial 0
Router(config-if)# shutdown
Router(config)# router rip
Router(config-router)# network 10.0.0.0

FIGURE 9-3
IOS Command and Subcommand Relationships (figure: command hierarchy summarized as text)
User EXEC commands (Router>): ping, show (limited), enable, etc.
Privileged EXEC commands (Router#): all user EXEC commands, debug commands, reload, configure, etc.
Global configuration commands (Router(config)#): hostname, enable secret, ip route, interface ethernet | serial | bri, router rip | ospf | igrp, line vty | console, etc.
Interface commands (Router(config-if)#): ip address, ipx address, encapsulation, shutdown / no shutdown, etc.
Routing engine commands (Router(config-router)#): network, version, auto-summary, etc.
Line commands (Router(config-line)#): password, login, modem commands, etc.

Assigning a Router Name Example
The hostname command, as follows, names a router (or a switch):
Router> enable
Router# configure terminal
Router(config)# hostname Dallas

NOTE Unambiguous abbreviations of commands are allowed. Abbreviations of delimiters are not allowed. For example, a clock rate of 64,000 cannot be abbreviated as 64.

Configuring a Serial Interface
The following example demonstrates the command syntax needed to configure a serial interface on a router:
Router# configure terminal
Router(config)# interface s1
Router(config-if)# clock rate 64000
Router(config-if)# bandwidth 64
Router# show interface serial 1
Router# show controllers serial 1 displays information about the physical interface and whether it is the DTE or DCE end of the cable; the clock rate command is accepted only on the DCE end. The bandwidth command overrides the default bandwidth. The bandwidth entered has no effect on the line's actual speed; however, it changes the metric of the link as seen by routing protocols.

Enabling or Disabling an Interface Example
By default, all interfaces on a router are initially disabled. The following commands show you how to enable or disable a router interface:
Router# configure terminal
Router(config)# interface s1
Router(config-if)# no shutdown      (enables the interface)
Router(config-if)# shutdown         (disables the interface)

Configuring an Interface IP Address Example
The following commands configure a router interface with an IP address:
Router# configure terminal
Router(config)# interface s1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown

Verifying Interface Configuration
The show interface command displays the following:
- Whether the interface is administratively down
- Whether the line protocol is up or down
- An Internet address (if one is configured)
- Maximum transmission unit (MTU) and bandwidth
- Traffic statistics on the interface
- Interface encapsulation type
One of the most important elements of the show interface command is the display of the line and data-link status. Figure 9-4 shows the line and data-link status of a serial interface and describes how to interpret the interface status.

FIGURE 9-4
Displaying Interface Line and Data-Link Status
Router#sh int s0
Serial0 is up, line protocol is up
  Hardware is PQUICC with Fractional T1 CSU/DSU
  Internet address is 192.168.1.1/30
The first field reports carrier detect (Layer 1); the line protocol field reports keepalives (Layer 2):
Serial0 is up, line protocol is up: operational
Serial0 is up, line protocol is down: connection problem
Serial0 is down, line protocol is down: interface problem
Serial0 is administratively down, line protocol is down: disabled

Exploring the Packet-Delivery Process
For hosts on an IP network to communicate with each other, they need a Layer 2 address (MAC address) and an IP address. IP-enabled hosts use ARP to find the MAC address that belongs to an IP address when communicating with hosts on a local segment. Each host maintains an ARP table that contains the IP-to-MAC address mappings (see Figure 9-5).
FIGURE 9-5
Host-to-Host Packet Delivery (figure: host A, 192.168.1.2, sends directly to host B, 192.168.1.3, on the same segment; the frame carries host B's MAC as the destination MAC, host A's MAC as the source MAC, destination IP 192.168.1.3, and source IP 192.168.1.2; the figure labels each host's Layer 2 and Layer 3 address)

When an IP host wants to communicate with a host on a remote network, the local host sends an ARP request for the IP address of its default gateway, and the router answers with the MAC address of its interface on that segment. The host then addresses the frame to the router's MAC address while the packet inside still carries the remote host's IP address. In Figure 9-6, host A wants to communicate with host B. Host A sends a frame with the destination MAC address of the router's Ethernet interface and the destination IP address of host B; the source MAC and IP addresses are those of host A. When the router receives the frame, it strips off the Layer 2 header and rewrites it with the source MAC address of the router's exiting Ethernet interface and the destination MAC address of host B (which the router learns by ARP on that segment). The IP header does not change.
FIGURE 9-6
Host-to-Host Packet Delivery Through a Router (figure: host A, 192.168.1.2, sends to the router's LAN-side MAC address with host B's IP address as the destination IP; on the far side the router rewrites the source and destination MAC addresses and leaves the IP addresses unchanged; the figure labels the Layer 2 and Layer 3 addresses of host A, both router interfaces, and host B)

Using Common IOS Tools
You can verify connectivity using the ping command, as follows:
Router# ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
You can assess the path's reliability using this command. The ping command also tells you the minimum, average, and maximum times for packets that make the round trip to the target system and back.

You can use the trace command, as follows, to view the actual routes that packets take between devices:
Router# trace 10.1.1.10
Type escape sequence to abort.
Tracing the route to 10.1.1.10
  1 10.1.1.10 4 msec 4 msec 4 msec
Router#
The show ip arp command displays the router's ARP cache.

Router Security
Configuring Router Passwords: Console and Telnet
The following example configures passwords on the console and vty lines of a router to homer and bart:
Router(config)# line console 0
Router(config-line)# login
Router(config-line)# password homer
Router(config)# line vty 0 4
Router(config-line)# login
Router(config-line)# password bart
The numbers 0 through 4 in the line vty command select five vty lines, which is the number of simultaneous Telnet sessions the router will accept on them. You can also set a different password for each line by entering line vty with a single line number. The login command makes the line ask for its password; if login is configured but no password has been set, IOS refuses the connection with the message "Password required, but none set", so set the password before relying on the line.

Configuring Router Passwords: Enable and Secret Passwords
The following configures an enable password of apu and an enable secret password of flanders:
Router(config)# enable password apu
Router(config)# enable secret flanders
NOTE When the enable secret password is set, it is used instead of the enable password.
The no enable password command disables the privileged EXEC mode password. The no enable secret command disables the encrypted password.
The console, Telnet, and enable passwords are stored and displayed unencrypted. To encrypt them, use the service password-encryption global command, as follows:
Router(config)#service password-encryption
Note the difference between the two protections: service password-encryption applies the reversible type 7 encoding (shown as password 7 in the configuration), which only hides the passwords from shoulder-surfing and is trivially reversed by anyone who can read the configuration; enable secret stores a type 5 MD5 hash that cannot be turned back into the password. Use enable secret for privileged access and treat type 7 strings in a configuration as cleartext.

Configuring Login Banner and MOTD
The login banner is displayed before the username and password login prompts on a Cisco router. The login banner is configured using the banner login global command, as follows:
Router(config)#banner login #
Enter TEXT message. End with the character '#'.
Notice! Only Authorized Personnel Are Allowed to Access This Device
#
The MOTD is displayed before the login banner. It is displayed to anyone connecting to the router through Telnet, the console port, or the auxiliary port. Use the banner motd # text # global configuration command to configure the MOTD, as follows:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#banner motd #
Enter TEXT message. End with the character '#'.
Warning only authorized users may access this switch.
#
Router(config)#
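What service password-encryption actually does to the passwords configured above, as an added example that is not from the book: the type 7 scheme is a XOR against one fixed key that every IOS image shares, so a type 7 string in a configuration is recoverable by anyone who can read it, whereas an enable secret is a one-way hash. The 094F471A1A0A / cisco test vector is the widely published one; the configuration snippet audited at the end is constructed for this example and the hash in it is a placeholder, not a real device's secret.

```python
import re

# The fixed key used by every IOS image for type 7 strings.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a 'password 7' string: two decimal digits of seed, then hex
    bytes, each XORed with the key byte at position (seed + index)."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings have an even length of at least 4")
    seed = int(encoded[:2])
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 00-15")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(cleartext, seed=9):
    """The forward direction, as IOS computes it (IOS picks the seed at random)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    data = cleartext.encode("ascii")
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


PASSWORD_LINE = re.compile(
    r"^\s*(enable password|enable secret|password|username \S+ password|username \S+ secret)"
    r"\s+(\d)\s+(\S+)"
)


def audit_config(config_text):
    """Classify every password line of a configuration: type 0 is cleartext,
    type 7 is reversible (and is reversed here), type 5 is an MD5 hash."""
    findings = []
    for line in config_text.splitlines():
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        keyword, ptype, value = m.groups()
        if ptype == "7":
            findings.append((line.strip(), "reversible type 7", type7_decode(value)))
        elif ptype == "5":
            findings.append((line.strip(), "MD5 hash (type 5)", None))
        else:
            findings.append((line.strip(), "cleartext", value))
    return findings


# Constructed sample configuration (the type 5 hash is a placeholder).
SAMPLE_CONFIG = """
hostname Router
enable secret 5 $1$abcd$placeholderhashvalue00
enable password 7 094F471A1A0A
username eric password 0 ciscopress
line vty 0 4
 password 7 03065A1912
 login
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The vty line in the sample decodes to the chapter's bart, and the enable password to cisco; only the enable secret survives the audit, which is the practical reason the chapter's advice to set an enable secret matters more than service password-encryption.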

SSH Access
Cisco recommends using SSH to encrypt communication between the Cisco device and the host. Telnet is unsecure: all communication between the Cisco device and the host, including the passwords above, is sent in clear text. Use the following steps to configure SSH access:
Step 1. Create a local username and password on the device.
Step 2. Assign a domain name to the device.
Step 3. Generate an RSA key pair.
Step 4. Enable SSH.
Step 5. Configure the vty lines to authenticate against the local usernames and accept SSH.
Router(config)#username eric password 0 ciscopress
Router(config)#ip domain-name cisco.com
Router(config)#crypto key generate rsa
The name for the keys will be: router.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]
Router(config)#ip ssh ver 2
Router(config)#line vty 0 15
Router(config-line)#login local
Router(config-line)#transport input telnet ssh
Two things in this listing weaken the result. First, transport input telnet ssh still accepts Telnet, so a client that chooses Telnet still sends the password in clear text; use transport input ssh to allow only SSH. Second, the 512-bit default modulus is too small for SSH version 2, which IOS refuses to enable with a key shorter than 768 bits; generate the key with crypto key generate rsa modulus 2048 instead.

Securing vty Access
By default, after a vty password has been applied, any IP address can connect to the vty lines. You should restrict vty access to specific source IP addresses. This is done through standard access lists: create a standard access list that permits each authorized IP address, and apply it to the vty lines with the access-class command.

Wildcard Masks
Wildcard masks define the subset of the 32 bits in the IP address that must be matched. Mask bits with a binary value of 1 are wildcards (the address bit is not checked); where 0s are present, the address bit must match. Wildcards are used with access lists to specify a host, a network, or part of a network. For example, a source of 172.16.0.0 with a wildcard mask of 0.0.255.255 requires the first two octets to match 172.16, while the last two octets can hold any value from 0 to 255.

Configuring and Applying vty Access Lists
The command syntax to create a standard IP access list is as follows:
access-list access-list-number {permit | deny} source-address [wildcard-mask]
The access-list-number parameter is a number from 1 to 99 or 1300 to 1999. Standard access lists allow you to permit or deny traffic based only on the source IP address. Entries are evaluated in order and the first match decides; at the end of each access list is an implicit deny any statement, so a host that is not explicitly permitted is denied.
Router(config)#access-list 10 permit 192.168.10.0 0.0.0.255
Router(config)#line vty 0 15
Router(config-line)#access-class 10 in
The access-class command applies the access list to the vty lines for inbound connections.
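The wildcard-mask matching and the implicit deny described above, as an added example that is not from the book: a Python evaluator for standard access lists that parses the page's syntax (plus the host and any keywords IOS accepts), checks a source address bit by bit under the wildcard, and returns the first matching entry's action or the implicit deny. The sample list is constructed; the 1-99 and 1300-1999 number ranges are the ones the page gives.

```python
import ipaddress
import re

ENTRY = re.compile(
    r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:(any)|host\s+(\S+)|(\S+)(?:\s+(\S+))?)\s*$"
)


def to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address, source, wildcard):
    """A 1 bit in the wildcard means 'do not care'; a 0 bit must match exactly.
    Wildcards need not be contiguous, so 0.0.0.254 matches every odd host."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(source) & care)


def parse_standard_acl(lines):
    """Return [(action, source, wildcard)] in configuration order, rejecting
    numbers outside the standard ranges and lines from a different list."""
    entries = []
    number = None
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"not a standard access-list line: {line!r}")
        num, action, any_kw, host, src, wc = m.groups()
        num = int(num)
        if not (1 <= num <= 99 or 1300 <= num <= 1999):
            raise ValueError(f"{num} is not a standard access-list number")
        if number is None:
            number = num
        elif num != number:
            raise ValueError("all lines must belong to the same access list")
        if any_kw:
            src, wc = "0.0.0.0", "255.255.255.255"
        elif host:
            src, wc = host, "0.0.0.0"
        elif wc is None:
            wc = "0.0.0.0"  # IOS default when no wildcard is given: exact host
        entries.append((action, src, wc))
    return entries


def evaluate(entries, address):
    """First match wins; no match means the implicit deny any."""
    for action, src, wc in entries:
        if wildcard_match(address, src, wc):
            return action
    return "deny"


# Constructed list: block one host, then admit the rest of the management subnet.
SAMPLE_ACL = [
    "access-list 10 deny host 192.168.10.5",
    "access-list 10 permit 192.168.10.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for addr in ("192.168.10.5", "192.168.10.77", "192.168.11.1"):
        print(addr, evaluate(acl, addr))
```

Swapping the two sample lines would make the deny unreachable, because the permit for the whole /24 would match 192.168.10.5 first; order matters in an access list exactly as it does on the router.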

Cisco Router and Security Device Manager
The Cisco Router and Security Device Manager (SDM) is a web-based tool for configuring Cisco routers (see Figure 9-7). SDM helps simplify router deployments and troubleshoot complex network and Virtual Private Network (VPN) connectivity issues. SDM is supported on a wide range of Cisco routers and is a free tool that provides built-in wizards to help simplify router configuration.
FIGURE 9-7
Cisco Security Device Manager (screenshot)

SDM has the following features:
- Is an embedded web-based management tool
- Provides intelligent wizards to enable quicker and easier deployments and does not require Cisco IOS CLI knowledge
- Provides tools for advanced users, such as an ACL editor, a VPN crypto map editor, and an IOS CLI preview

Cisco SDM User Interface
To access SDM on your Cisco router, perform the following steps:
Step 1. Enable the HTTP/HTTPS server on the router:
Router(config)#ip http server
Router(config)#ip http secure-server
Router(config)#ip http authentication local
Step 2. Create a user account with enable privileges:
Router(config)#username admin privilege 15 password 0 password
Step 3. Configure SSH and Telnet for local login and privilege level 15:
Router(config)#line vty 0 4
Router(config-line)#privilege level 15
Router(config-line)#login local
Router(config-line)#transport input telnet ssh
Because ip http server accepts the privilege-15 credentials over plain HTTP, and transport input telnet ssh accepts Telnet, both the SDM login and a CLI login can travel in clear text with this configuration. On a router managed over the network, leave only ip http secure-server enabled (no ip http server) and use transport input ssh.

After SDM is installed on a router, you can access it by typing the IP address of the router's interface in a web browser. For example, if the router's Fast Ethernet interface IP is 192.168.10.1, you would type https://192.168.10.1. If you are configuring a router for the first time that has SDM installed, you need to connect to the router's Fast Ethernet interface through a crossover cable. After you connect, change the IP address of your computer to 10.10.10.2 255.255.255.248, open your web browser, and connect to SDM through the web address http://10.10.10.1. The default username is cisco, and the password is cisco. After being connected, SDM will run and you will be guided through the SDM Express Setup Wizard to configure the router for the first time. That default account has privilege level 15, so change or delete it as soon as the router has an administrative account of its own. Next, disable any pop-up blockers. To download the latest version of SDM, go to the following URL: http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm

SDM Wizards
SDM contains several wizards to simplify router configuration tasks. Some of these wizards are as follows:
- LAN Wizard: Configures LAN interfaces and DHCP.
- WAN Wizard: Configures WAN interfaces.
- Firewall Wizard: Configures firewall policies on a router that has Cisco Security IOS Software.
- VPN Wizard: Configures site-to-site or remote VPN access.
- Security Audit Wizard: Audits the router and disables any unused or insecure service running on the router.
- QoS Wizard: Configures quality of service.
- IPS Wizard: Configures IPS policies. Requires the Advanced Security IOS Software.

Configuring a Router as a DHCP Server
DHCP is a protocol that leases IP addresses to IP hosts. DHCP is built on a client-server model. The DHCP server hosts allocated network addresses and other IP configuration parameters. The DHCP client is a host that requests initialization parameters from a DHCP server. DHCP supports the following three mechanisms for IP address allocation:
- Automatic allocation: Assigns a permanent IP address to a client
- Dynamic allocation: Assigns an IP address to a client for a set period of time
- Manual allocation: Assigns a specific IP address to a client as defined by the administrator using the client's MAC address
Figure 9-8 shows the DHCP process as outlined here:
1. When a client boots up, it broadcasts a DHCPDISCOVER message on its local physical segment using IP address 255.255.255.255.
2. A DHCP server receives the DHCPDISCOVER message and responds with a DHCPOFFER message. This message contains IP configuration information such as DNS and default gateway.
3. After the client receives the DHCPOFFER, it responds with a DHCPREQUEST, indicating that it accepted the DHCPOFFER.
4. The server receives the DHCPREQUEST and sends a DHCPACK, acknowledging the process.
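The four-message exchange above, as an added example that is not from the book: a Python DHCP server that hands out addresses from a pool, answers DHCPDISCOVER with DHCPOFFER and DHCPREQUEST with DHCPACK (or DHCPNAK for an address it never offered), stays silent when the pool is exhausted, encodes its reply options in the RFC 2132 format (magic cookie, then code/length/value triples), and refuses a pool that is not on the LAN interface's subnet, the same rule the SDM pool dialog later in this section enforces. The client messages, the 10.1.10.0/29 pool, and the MAC addresses are constructed; option codes 53, 50, 54, 51, 1, 3, and 6 are the standard ones.

```python
import ipaddress

# DHCP message types carried in option 53 (RFC 2132).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def encode_options(options):
    """Wire format of the options field: cookie, (code, length, value) triples, end marker 255."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        out += bytes([code, len(value)]) + value
    out.append(255)
    return bytes(out)


def decode_options(blob):
    """Inverse of encode_options; returns {code: value_bytes}, skipping pad bytes (0)."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, options = 4, {}
    while i < len(blob) and blob[i] != 255:
        if blob[i] == 0:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        options[code] = bytes(blob[i + 2:i + 2 + length])
        i += 2 + length
    return options


def packed(dotted):
    """Dotted-decimal string -> 4 network-order bytes."""
    return ipaddress.IPv4Address(dotted).packed


class DhcpServer:
    """Dynamic allocation from one pool, the way an ip dhcp pool on a router does it."""

    def __init__(self, network, router, dns, lease_seconds):
        net = ipaddress.IPv4Network(network)
        if ipaddress.IPv4Address(router) not in net:
            raise ValueError("the pool must be on the same subnet as the LAN interface")
        self.router, self.dns, self.lease = router, dns, lease_seconds
        self.mask = net.netmask.packed
        self.free = [str(h) for h in net.hosts() if str(h) != router]  # router's own address excluded
        self.offers, self.leases = {}, {}

    def _reply(self, mtype, yiaddr):
        options = [(53, bytes([mtype])), (54, packed(self.router))]  # 54 = server identifier
        if mtype != DHCPNAK:
            options += [(1, self.mask), (3, packed(self.router)), (6, packed(self.dns)),
                        (51, self.lease.to_bytes(4, "big"))]
        return yiaddr, encode_options(options)

    def handle(self, client_mac, options_blob):
        """Process one client message; returns (yiaddr, options) or None when the server stays silent."""
        opts = decode_options(options_blob)
        mtype = opts[53][0]
        if mtype == DHCPDISCOVER:
            ip = self.leases.get(client_mac) or self.offers.get(client_mac)
            if ip is None:
                if not self.free:
                    return None  # pool exhausted
                ip = self.free.pop(0)
            self.offers[client_mac] = ip
            return self._reply(DHCPOFFER, ip)
        if mtype == DHCPREQUEST:
            wanted = str(ipaddress.IPv4Address(opts[50]))  # 50 = requested address
            if wanted in (self.offers.get(client_mac), self.leases.get(client_mac)):
                self.offers.pop(client_mac, None)
                self.leases[client_mac] = wanted
                return self._reply(DHCPACK, wanted)
            return self._reply(DHCPNAK, "0.0.0.0")
        return None


def client_discover():
    return encode_options([(53, bytes([DHCPDISCOVER]))])


def client_request(offered_ip, server_id):
    return encode_options([(53, bytes([DHCPREQUEST])), (50, packed(offered_ip)), (54, packed(server_id))])


def run_dora(server, client_mac):
    """One DISCOVER/OFFER/REQUEST/ACK round; returns (final message type, assigned address)."""
    offer = server.handle(client_mac, client_discover())
    if offer is None:
        return None, None
    offered_ip, offer_opts = offer
    server_id = str(ipaddress.IPv4Address(decode_options(offer_opts)[54]))
    yiaddr, ack_opts = server.handle(client_mac, client_request(offered_ip, server_id))
    return decode_options(ack_opts)[53][0], yiaddr


if __name__ == "__main__":
    # Constructed LAN: router 10.1.10.1 serves a /29 pool and names itself as DNS.
    srv = DhcpServer("10.1.10.0/29", "10.1.10.1", "10.1.10.1", 86400)
    print(run_dora(srv, "0011.2233.4455"))
```

A client that repeats the exchange keeps its lease, a client that requests an address it was never offered gets a DHCPNAK, and once the five usable pool addresses are leased the server no longer answers DHCPDISCOVER, which is what "pool exhausted" looks like on the wire.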

FIGURE 9-8 DHCP Process (figure: Client and DHCP Server exchanging DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK)

Using a Router as a DHCP Server
Cisco IOS Software includes a full DHCP server implementation that assigns IP addresses from specified address pools in the router, along with other IP parameters such as DNS server and default router. You have three ways to configure a Cisco router as a DHCP server: with the CLI, with the SDM Express Wizard, or in SDM after the router is configured. If you are configuring a router for the first time using SDM, the SDM Express Wizard will run; one of the tasks the wizard allows you to do is configure the router as a DHCP server. If a router is preconfigured and you want to configure it as a DHCP server, follow these steps:
Step 1. Log on to the router using SDM.
Step 2. Click the Configure button, as shown in Figure 9-9.

FIGURE 9-9 Cisco SDM

Step 3. Click the Additional Tasks button, as shown in Figure 9-10.

FIGURE 9-10 Configuring DHCP

Step 4. Expand the DHCP folder and select DHCP Pools. Click the Add button, as shown in Figure 9-11.

FIGURE 9-11 Configuring DHCP Pools

Step 5. Configure the DHCP Pool Name, DHCP Pool Network, DHCP Pool Range, Lease Length, and DHCP Options, as shown in Figure 9-12. The IP address pool must be on the same subnet as the IP address of the LAN interface. Click the OK button to save the configuration to the router.
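The CLI equivalent of the five SDM steps above, as an added example that is not from the book. It builds a dynamic pool for the LAN interface's subnet and adds one manual allocation (the third mechanism listed under the DHCP overview) tied to a client's MAC address. The pool names, the 192.168.1.0/24 subnet, the DNS server 192.168.1.5, and the MAC address 0011.2233.4455 are assumed values.

```cisco
! Added example, not from the original book.
! Assumptions: LAN on FastEthernet0/0 = 192.168.1.1/24, DNS at 192.168.1.5.
Router# configure terminal
! Keep the router, servers and printers out of the dynamic range
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.20
! Dynamic allocation: pool must match the LAN interface's subnet
Router(config)# ip dhcp pool LAN-POOL
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 192.168.1.5
Router(dhcp-config)# domain-name example.com
! lease <days> <hours>: 8-hour leases
Router(dhcp-config)# lease 0 8
Router(dhcp-config)# exit
! Manual allocation: one host, one fixed address, selected by MAC address
Router(config)# ip dhcp pool PRINTER-01
Router(dhcp-config)# host 192.168.1.20 255.255.255.0
Router(dhcp-config)# hardware-address 0011.2233.4455
Router(dhcp-config)# exit
! The LAN interface the pool serves
Router(config)# interface FastEthernet0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end
! Verification
Router# show ip dhcp pool LAN-POOL
Router# show ip dhcp binding
Router# show ip dhcp conflicts
```

The excluded-address range is the part SDM's Pool Range field hides from you: without it the router will lease its own interface address to a client. show ip dhcp binding lists every active lease with its MAC address and expiry, which is the first thing to check when two hosts report the same address.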

FIGURE 9-12 Configure DHCP Options

DHCP/BOOTP Relay Agent
When a DHCP-enabled client requests an IP address through a DHCPDISCOVER message, this message is broadcast to the local segment. By default, routers do not forward broadcasts. If the DHCP server is on a different segment than the DHCP client, the DHCP server will not see the DHCPDISCOVER messages from clients. The router needs to be configured to forward the DHCPDISCOVER broadcasts to the DHCP server. This is done through the following interface command:

ip helper-address [global] address

The address parameter is the IP address of the DHCP server. The ip helper-address command enables forwarding of UDP broadcasts received on the configured interface to a specific IP address, as follows:

Router(config)#int f0/0
Router(config-if)# ip helper-address 192.168.11.200

The command goes on the interface facing the clients, not the one facing the server. Note that it forwards more than DHCP: by default IOS also relays TFTP (69), DNS (53), Time (37), NetBIOS name and datagram service (137, 138), and TACACS (49) broadcasts to the helper address. Use no ip forward-protocol udp port to drop the ports you do not need relayed.

Monitoring DHCP Server Function
The DHCP server on the router can be monitored through SDM or the CLI. In Figure 9-13, the DHCP Pool Status button in SDM monitors the DHCP pool status.

FIGURE 9-13 SDM DHCP Pool Status

The show ip dhcp conflicts command displays any conflicts found by the DHCP server.

Accessing Remote Devices with Telnet or SSH
To establish a Telnet session, use the telnet command, as follows:

RouterA#telnet 10.2.2.2

To establish an SSH session, use the ssh command. Most IOS releases require the username to be given with -l:

RouterA#ssh -l admin 10.2.2.2

Both the router's IP address and host name (when DNS or a host entry is present) can be used as an argument. Telnet carries the login and everything typed afterwards in cleartext, so prefer SSH wherever the device supports it.

The show sessions command displays a list of hosts to which you are connected. Pressing Ctrl-Shift-6 followed by X suspends the current session. The resume command or pressing Enter resumes the last active session. The resume session-number command reconnects to a specific session; use the show sessions command to find the session number. A Telnet or SSH session can be ended with the exit, disconnect, logout, and clear commands. The show ssh command displays the list of hosts that are connected through SSH.
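The server side of the SSH access described above, as an added example that is not from the book: it generates the RSA key pair SSH needs, forces version 2, and makes the vty lines accept SSH only, so the cleartext Telnet path is closed. The host name RouterA, the domain example.com, and the netadmin account are assumed values.

```cisco
! Added example, not from the original book.
! Assumptions: host name RouterA, domain example.com, local user netadmin.
Router# configure terminal
! SSH needs a host name and domain name to name the RSA key pair
Router(config)# hostname RouterA
RouterA(config)# ip domain-name example.com
! 2048-bit key; the modulus keyword avoids the interactive prompt
RouterA(config)# crypto key generate rsa modulus 2048
! SSHv1 has known protocol weaknesses; allow v2 only
RouterA(config)# ip ssh version 2
RouterA(config)# ip ssh time-out 60
RouterA(config)# ip ssh authentication-retries 3
RouterA(config)# username netadmin privilege 15 secret S3cure-Pa55
RouterA(config)# line vty 0 4
RouterA(config-line)# login local
! transport input ssh drops Telnet; 'transport input all' would re-enable it
RouterA(config-line)# transport input ssh
RouterA(config-line)# exec-timeout 10 0
RouterA(config-line)# end
! Verification: version/key state, then active sessions
RouterA# show ip ssh
RouterA# show ssh
```

Test the new SSH login from a second session before closing the Telnet one you are working in. If show ip ssh reports "SSH Disabled", the key pair was not generated, usually because the domain name was missing when crypto key generate rsa ran.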

Section IV: Connecting Networks
Section 10 Understanding WAN Technologies

WAN Technologies Overview
WANs connect networks, users, and services across a broad geographic area. Figure 10-1 shows that companies use the WAN to connect company sites and mobile users for information exchange.

FIGURE 10-1 WAN Connections (figure: company sites and mobile users connected through a service provider cloud)

WANs Versus LANs
LANs connect computers, peripherals, and other devices in a building or small geographic area. LANs and all devices in the LAN are usually owned by the local organization. WANs connect LANs across a wide geographic area. Outside service providers own the WAN and WAN devices.

WAN Access and the OSI Model
WANs and their protocols function at Layers 1 and 2 of the OSI reference model. The physical components of WANs define electrical, mechanical, and operational connections. The data link layer defines WAN protocols that define how data is encapsulated for transmission across the WAN. Examples of these protocols are Frame Relay, High-Level Data Link Control (HDLC), ATM, X.25, and PPP.

WAN Devices
The following devices are used for WAN services:
- Routers: Connect the LAN to the WAN. Routers provide network layer services; they route data from one network to another.
- WAN networking devices: Used in the WAN network; they are multiport devices that switch Frame Relay, X.25, or ATM traffic. They operate at the data link layer of the OSI model.
- Modems or DSU/CSUs: In analog lines, modems convert analog to digital. Modems modulate and demodulate a signal, enabling data to be transmitted over telephone lines. In digital lines, data service units/channel service units (DSU/CSU) convert one form of digital format to another digital format.
- Communication servers: Concentrate dial-in and dial-out user communications.

Understanding Serial WAN Interfaces
WAN serial interfaces are either synchronous or asynchronous:
- Synchronous links run at identical frequencies at both ends because timing is carried with the data: one set of wires carries data and a separate set of wires carries clocking for that data. Because the receiver is clocked by the sender, data is sent as frames rather than as individually framed characters (start/stop bits are an asynchronous mechanism, described next). Synchronous transmission occurs on V.35 and other interfaces.

- Asynchronous links send digital signals without a separate timing signal. Each character is encapsulated in control bits, called start/stop bits, which designate the beginning and end of that character. Both ends agree on the same speed, but there is no check or adjustment of the rates if they are slightly different. Only 1 byte per transfer is sent. Modems are asynchronous.

Serial interfaces are specified as data terminal equipment (DTE) or data communications equipment (DCE). DCEs provide clocking for the serial link and convert user data into the service provider's preferred format. An example of a DCE is a CSU/DSU or a serial interface configured for clocking. The port configured as DTE requires external clocking from the CSU/DSU or other DCE device.

WAN Review
Figure 10-2 shows the typical WAN terminology, and the list that follows provides more detailed definitions:

FIGURE 10-2 WAN Terminology (figure: WAN Service Provider with Toll Network, CO Switch, Trunks and Switches; Local Loop; Demarcation; Customer Premises Equipment (CPE); Point-to-Point or Circuit-Switched Connection)

- Customer premises equipment (CPE): Located on the subscriber's premises and includes both equipment owned by the subscriber and devices leased by the service provider.
- Demarcation (or demarc): Marks the point where CPE ends and the local loop begins. It is usually located in the telecommunications closet.
- Local loop (or last mile): The cabling from the demarc into the WAN service provider's central office.
- Central office (CO): A switching facility that provides a point of presence for WAN service. The central office is the entry point to the WAN cloud, the exit point from the WAN for called devices, and a switching point for calls.
- Toll network: A collection of trunks inside the WAN cloud.

WAN Cabling
Several ways exist to carry traffic across the WAN. The implementation depends on distance, speed, and the type of service required. WANs use serial communication for long-distance communications. Connection speeds typically vary from 56 kbps to T1/E1 (1.544/2.048 Mbps), but can be as high as 10 Gbps.

Layer 2 Encapsulation Protocols
- High-Level Data Link Control (HDLC): The default encapsulation type for Cisco routers on point-to-point dedicated links and circuit-switched connections.
- Point-to-Point Protocol (PPP): Provides connections between devices over several types of physical interfaces, such as asynchronous serial, High-Speed Serial Interface (HSSI), ISDN, and synchronous. PPP works with many network layer protocols, including IP and IPX. PPP can use either Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) for authentication.
- X.25/Link Access Procedure, Balanced (LAPB): Defines connections between DTE and DCE for remote terminal access. LAPB is a data link layer protocol specified by X.25.

- Frame Relay: Industry-standard switched data link layer protocol. Frame Relay (based on X.25) can handle multiple virtual circuits.
- Asynchronous Transfer Mode (ATM): International standard for cell relay using fixed-length (53-byte) cells for multiple service types. Fixed-length cells allow hardware processing, which greatly reduces transit delays. ATM takes advantage of high-speed transmission media such as E3, T3, and Synchronous Optical Network (SONET).

Figure 10-3 shows the typical WAN connections that each Layer 2 encapsulation protocol supports.

FIGURE 10-3 WAN Connections (figure: Leased Line: HDLC, PPP, SLIP; Circuit-Switched through the telephone company: PPP, SLIP, HDLC; Packet-Switched through a service provider: X.25, Frame Relay, ATM)

Multiplexing
Multiplexing is the process of combining multiple signals over a single wire, fiber, or link. Four types of multiplexing operate at the physical layer:
- Time-division multiplexing (TDM)
- Frequency-division multiplexing (FDM)

- Wave-division multiplexing (WDM) and dense WDM (DWDM)
- Statistical-division multiplexing

In TDM, each data channel is allocated bandwidth based on time slots. In FDM, each data channel is allocated bandwidth based on the signal frequency of the traffic; an example of this is FM radio. In WDM and DWDM, each data channel is allocated bandwidth based on wavelength (the inverse of frequency). In statistical multiplexing, bandwidth is dynamically allocated to data channels.

WAN Communication Link Options
WAN services are generally leased from service providers on a subscription basis. The following three main types of WAN connections (services) exist:
- Leased line: A leased line (or point-to-point dedicated connection) provides a preestablished connection through the service provider's network (WAN) to a remote network. Leased-line connections are typically synchronous serial connections. Leased lines provide a reserved connection for the client but are costly, because the bandwidth is paid for regardless of whether data is transferred. Figure 10-4 shows an example of a leased-line WAN topology.

FIGURE 10-4 Leased-Line WAN (figure: synchronous serial link between two sites)

- Circuit-switched: Circuit switching provides a dedicated circuit path between sender and receiver for the duration of the call; thus bandwidth is wasted when there is no data to transfer. Circuit switching is used for basic telephone service or Integrated Services Digital Network (ISDN). Figure 10-5 shows an example of a circuit-switched WAN topology.

FIGURE 10-5 Circuit-Switched WAN (figure: asynchronous serial and ISDN Layer 1 connections through the telephone company)

- Packet-switched: With packet switching, devices transport packets using virtual circuits (VCs) that provide end-to-end connectivity. Programmed switching devices provide physical connections. Packet headers identify the destination. Packet switching offers leased line-type services over shared lines, but at a much lower cost. Figure 10-6 shows an example of a packet-switched WAN topology.

FIGURE 10-6 Packet-Switched WAN (figure: synchronous serial connections into a service provider cloud)

Enabling the Internet Connection
Almost every business today connects to the Internet. It has become common for remote sites to connect to the central office through the Internet using VPNs. Usually, these remote sites connect to the Internet using digital subscriber line (DSL) or a packet-switching technology such as cable.

Packet-Switched Communications
Packet-switched networks send data over different routes of a shared public network to reach the same destination. In other words, no dedicated path exists between the source and destination. Because packet-switched networks use different routes to send data, the packets might arrive out of order when they reach the destination. It is the responsibility of the receiving protocol to assemble the packets in the correct order.

Digital Subscriber Line
DSL is a modem technology that uses the existing phone wires connected to virtually every home in most countries. The term xDSL refers to the different variations of DSL.

DSL Types and Standards
Two types of DSL exist: asymmetric DSL (ADSL) and symmetric DSL (SDSL). ADSL's downlink speed is much greater than its uplink speed (thus the asymmetry). This is done because most users download much more from the Internet than they upload. SDSL is more useful for businesses because it gives equal bandwidth to the uplink and downlink.

DSL Equipment
The twisted-pair wires that provide phone service are ideal because the available frequency ranges on the wires far exceed those required to carry a voice conversation. DSL requires some specialized equipment to ensure that voice and data are kept separate and are routed to the right place:
- Low-pass filters (LPF): Placed on all phone jacks not used by a computer to prevent interference from high-frequency data signals
- DSL modems: The interface from the phone line to the computer
- DSL access multiplexers (DSLAM): Aggregate hundreds of signals from homes and are the access point to the Internet
DSL operates at Layer 1 of the OSI model and relies on higher-layer protocols for connection services and encapsulation.

DSL Standards
Several international DSL standards exist, all of which are supported by DSL providers. They are listed in Table 10-1 (the speed and distance pairings below are as recovered from the extracted table and could not all be confirmed unambiguously).

Table 10-1 DSL Standards
DSL Type | Speed | Distance Limit (ft)
Full-rate ADSL | 384 kbps to 8 Mbps downlink and up to 1.024 Mbps uplink | 18,000
G.lite | 1.544 to 6 Mbps downlink and 640 kbps uplink | 18,000
Very high data rate DSL (VDSL) | 12.96 to 52.8 Mbps for both downlink and uplink | 4,500
ISDN DSL (IDSL) | 768 kbps for both downlink and uplink | 22,000
High data rate DSL (HDSL) | 1.544 to 2.048 Mbps for both downlink and uplink | 12,000
G.SHDSL | 192 kbps to 2.36 Mbps for both downlink and uplink | 28,000

DSL Limitations and Advantages
Advantages:
- DSL offers speeds up to and exceeding T1 for a fraction of the cost.
- DSL is an always-on technology.
- DSL supports data and voice.
- DSL service providers can add circuits as needed.

Limitations:
- Availability. The telephone company must install DSL equipment.
- DSL has some distance limitations, and the signals cannot be amplified.

Cable
Cable uses the same basic principles as DSL in that the bandwidth needed to accomplish the primary function (providing TV programming) is only a fraction of the available bandwidth on the wire or, in this case, cable. Many cable providers deploy hybrid-fiber coaxial (HFC) cable, which provides greater bandwidth and less noise than standard coaxial. Cable modems use quadrature amplitude modulation (QAM) to encode digital data into an analog signal to deliver 30 to 40 Mbps in one 6-MHz cable channel.

A headend facility at the local cable office manages traffic flows and performs the following functions:
- Receives programming from networks
- Converts signals and places them on the proper channel frequency
- Combines all channels into one broadband analog channel
- Broadcasts the combined analog signal to subscribers

Cable Limitations and Advantages
Advantages:
- Cable offers very high speeds in both upstream and downstream directions. Cable also offers speeds well over those of T1 (some claim up to six times T1 speed).
- Like DSL, cable modems provide always-on connectivity. This gives you the convenience of not having to dial up with every use, but it also keeps the system exposed to attackers around the clock (which is why a router and firewall should be installed behind a cable modem).
- Cable is fairly widespread in the United States, so access is generally available.

ZUNIGA C.0.34. Please see page MARCO A.34.1 to the outside address of 172.0. it was believed that the address space would not run out.0.2.34.2.34.0.0. This publication is protected by copyright.1 Internet 10.0. From the Library of 311 for more details.22 Outside 10. Inc.[ 140 ] SECTION 10 Understanding WAN Technologies Limitation: n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty Cable is a shared medium.0. The combination of the PC explosion and the emergence of other network-ready devices quickly consumed many of the available addresses.0.0. each gets less bandwidth.2 NAT Table Inside Local IP Address 10. so as more people use the system.22 © 2008 Cisco Systems.2. making communication more secure from hackers. An additional (and equally important) benefit of NAT is that it hides private addresses from public networks.2.1 10.21. When the IP address scheme was originally developed.21 172.0. Introducing NAT and PAT Network Address Translation (NAT) was initially developed as an answer to the diminishing number of IP addresses.0.0.2 SA 172. All rights reserved.2 Inside Global IP Address 172. . Figure 10-7 shows how NAT translates the inside address of 10. FIGURE 10-7 Network Address Translation Inside SA 10.

34.2:1533 172.22:1533 n n Because the port number is 16 bits. Port Address Translation (PAT) is a form of dynamic address translation that uses many (private addresses) to few or one (public address). Dynamic NAT matches private addresses to a pool of public addresses on an as-needed basis.[ 141 ] SECTION 10 Understanding WAN Technologies n n n CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty NAT is configured on a router. firewall. If one is not found.0. FIGURE 10-8 Port Address Translation Inside SA 10.536 sessions to a single public address.0. All rights reserved.0.2 NAT Table Inside Local IP Address Inside Global IP Address 10.0. This publication is protected by copyright. This is called overloading and is accomplished by assigning port numbers.0. The address translation is still one-to-one.0.1: 2610 SA 10. or other network device.0.0. From the Library of 311 for more details.0.2. Please see page MARCO A. PAT increments the IP address (if available).0.1 PAT Internet SA 10.1:2610 172.2.1: 2610 Outside 10.0. Static NAT uses one-to-one private-to-public address translation. Inc. © 2008 Cisco Systems. PAT continues to look for available port numbers.1: 2610 10.2: 1533 SA 10.0.0.0. .0.34. as shown in Figure 10-8.0. ZUNIGA C. PAT can theoretically map 65.21:2610 10.

NAT Terminology
Table 10-2 lists the Cisco NAT terminology.

Table 10-2 NAT Terminology
Name | Description
Inside local address | The IP address assigned to a host on the inside, private network. This is usually a private IP address.
Inside global address | A legal routable IP address that represents one or more inside local IP addresses to the outside world.
Outside local address | The IP address of an outside host as it appears to the inside, private network. Usually a private IP address.
Outside global address | The IP address assigned to a host on the outside network by the host's owner. Usually a routable IP address.

Configuring the DHCP Client and PAT Using SDM
To configure a router to be a DHCP client and accept an IP address from an ISP, use the following steps:
Step 1. Log on to the router using SDM. Click the Configure button, and then click the Interfaces and Connections button. Click the Create New Connection button. The WAN Wizard appears.
Step 2. Select the Ethernet (PPPoE or Unencapsulated Routing) option, and then click the Next button. If your ISP is using PPP over Ethernet (PPPoE), select the Enable PPPoE check box, as shown in Figure 10-10. Click the Next button. Select the Dynamic (DHCP Client) option and enter the router's host name, as shown in Figure 10-9. Click the Next button.

FIGURE 10-9 SDM Router DHCP Client Configuration

FIGURE 10-10 SDM WAN Wizard

Step 3. Select the Port Address Translation check box and select the inside interface, as shown in Figure 10-11. Click the Next button.

FIGURE 10-11 SDM WAN Wizard Advanced Options

Step 4. Verify the configuration and click the Finish button.

Verifying NAT and PAT Configuration
The show ip nat translations command lists all active translations. The show ip nat statistics command shows all translation statistics. The clear ip nat translation * command clears all dynamic translation tables. The clear ip nat translation inside global-ip local-ip command clears a specific entry from a dynamic inside translation table. The clear ip nat translation outside local-ip global-ip command clears a specific outside translation address.
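The CLI equivalent of the four SDM WAN Wizard steps above, as an added example that is not from the book: the WAN interface takes its address from the ISP by DHCP and becomes the NAT outside interface, the LAN becomes the inside, and one access list selects which inside hosts are overloaded onto the WAN address (PAT). The interface names FastEthernet0/0 and FastEthernet0/1 and the 10.0.0.0/24 inside prefix are assumed values; the commented static line shows the one-to-one form from the NAT overview, using that figure's addresses.

```cisco
! Added example, not from the original book.
! Assumptions: WAN = FastEthernet0/1 (DHCP from ISP), LAN = FastEthernet0/0,
! inside hosts in 10.0.0.0/24.
Router# configure terminal
Router(config)# interface FastEthernet0/1
Router(config-if)# description WAN to ISP (DHCP client)
Router(config-if)# ip address dhcp
Router(config-if)# ip nat outside
Router(config-if)# no shutdown
Router(config-if)# exit
Router(config)# interface FastEthernet0/0
Router(config-if)# description Inside LAN
Router(config-if)# ip address 10.0.0.254 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
! Only sources matched by this list are translated; keep it to the LAN prefix
Router(config)# access-list 1 permit 10.0.0.0 0.0.0.255
! PAT: many inside addresses onto whatever address DHCP gave FastEthernet0/1
Router(config)# ip nat inside source list 1 interface FastEthernet0/1 overload
! Static one-to-one NAT (Figure 10-7 style) would instead be:
! ip nat inside source static 10.0.0.1 172.34.2.2
Router(config)# end
! Verification
Router# show ip interface brief
Router# show ip nat translations
Router# show ip nat statistics
```

Translating to the interface rather than to a fixed pool is what lets the configuration survive the ISP changing the leased address. The access list is the one place to be strict: a permit any here would also translate traffic from any spoofed or mis-addressed inside source.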

Configuring Serial Encapsulation

Configuring HDLC
HDLC is a data-link protocol used on synchronous serial data links. Figure 10-12 shows the frame format of HDLC.

FIGURE 10-12 HDLC Frame (fields: Flag | Address | Control | Proprietary | Data | FCS | Flag)

Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. The Cisco version of HDLC uses a proprietary field that acts as a protocol field. This field makes it possible for a single serial link to accommodate multiple network-layer protocols. Standard HDLC cannot support multiple protocols on a single link, because it lacks a mechanism to indicate which protocol it is carrying, so PPP should be used when communicating with non-Cisco devices.

Because HDLC is the default encapsulation type on serial links, you don't need to configure HDLC. However, if the encapsulation type has been changed to another protocol, the following command changes the serial interface encapsulation back to HDLC:

Router(config-if)#encapsulation hdlc

Configuring PPP
As shown in Figure 10-13, PPP uses a Network Control Protocol (NCP) component to encapsulate multiple protocols and the Link Control Protocol (LCP) to set up and negotiate control options on the data link.

FIGURE 10-13 Point-to-Point Protocol (figure: Layer 3 protocols IP, IPX, and many others; Network Control Protocol layer with IPCP and IPXCP; Link Control Protocol layer handling authentication and other options; physical layer of synchronous or asynchronous physical media)

PPP Configuration Options
Cisco routers using PPP encapsulation include the LCP options shown in Table 10-3.

Table 10-3 PPP Configuration Options
Feature | How It Operates | Protocol
Authentication | Requires a password; performs challenge handshake | PAP, CHAP
Compression | Compresses data at source; reproduces data at destination | Stacker or Predictor
Error detection | Monitors data dropped on link; avoids frame looping | Magic Number
Multilink | Provides load balancing across multiple links | Multilink Protocol (MP)

Establishing a PPP Session
The three phases of PPP session establishment are described as follows:
1. Link establishment: Each PPP device sends LCP packets to configure and test the link (Layer 2).
2. Authentication phase (optional): If authentication is configured, either PAP or CHAP is used to authenticate the link (Layer 2). This must take place before the network layer protocol phase can begin.
3. Network layer protocol phase: PPP sends NCP packets to choose and configure one or more network layer protocols to be encapsulated and sent over the PPP data link (Layer 3).

Enabling PPP
To enable PPP encapsulation on a serial interface, enter the encapsulation ppp interface command, as follows:

RouterB(config-if)#encapsulation ppp

PPP Authentication Protocols
The two methods of authentication on PPP links are as follows:
- Password Authentication Protocol (PAP): The less secure of the two methods; passwords are sent in clear text and are exchanged only upon initial link establishment. Anyone who can capture the link obtains the password directly.
- Challenge Handshake Authentication Protocol (CHAP): Used upon initial link establishment and periodically to make sure that the router is still communicating with the same host. CHAP uses a three-way handshake process to perform one-way authentication on a PPP serial interface. The password itself is never sent: the challenged router returns a message digest algorithm 5 (MD5) hash of the challenge, its identifier, and the shared password, which the challenger recomputes and compares. An attacker who captures a challenge/response pair can still attempt an offline dictionary attack on the shared password, so it should be long and random.

Configuring PPP Authentication
The three steps to enable PPP authentication on a Cisco router are as follows:
Step 1. Make sure that each router has a host name assigned to it using the hostname command.
Step 2. On each router, define the username of the remote router and the password that both routers will use with the username remote-router-name password password command.
Step 3. Configure PPP authentication with the ppp authentication {chap | chap pap | pap chap | pap} interface command. (If both PAP and CHAP are enabled, the first method you specify in the command is used. If the peer suggests the second method or refuses the first method, the second method is used.)

The following commands configure CHAP and PAP for authentication with the password of cisco. The remote router's host name is RouterA:

RouterB(config)#hostname RouterB
RouterB(config)#username RouterA password cisco
RouterB(config)#int s0
RouterB(config-if)#ppp authentication chap pap

Two practical notes: the username must match the peer's host name exactly (it is case sensitive), and the password must be entered with username ... password (optionally hidden with service password-encryption), not username ... secret, because CHAP needs the cleartext password to compute the MD5 response. Listing pap as a fallback lets a peer downgrade the exchange to cleartext; configure chap alone unless a PAP-only peer must be supported.

Verifying the Serial Encapsulation Configuration
The show interface interface-number command shows the encapsulation type configured on the router's serial interface and, if PPP encapsulation is enabled, the LCP and NCP states of the interface:

RouterA#show int s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 192.168.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)

LCP Open
Open: IPCP, CDPCP
Last input 00:00:02, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0 (size/max/drops); Total output drops: 0
(text omitted)

The IOS debug ppp authentication command shows successful CHAP or PAP authentication. The debug ppp negotiation command shows PPP-enabled routers performing negotiation.

Frame Relay
Frame Relay is a connection-oriented Layer 2 protocol that allows several data connections (virtual circuits) to be multiplexed onto a single physical link. Frame Relay relies on upper-layer protocols for error correction. Frame Relay specifies only the connection between a router and a service provider's local access switching equipment. A connection identifier maps packets to outbound ports on the service provider's switch. When the switch receives a frame, a lookup table maps the frame to the correct outbound port. The entire path to the destination is determined before the frame is sent.

Frame Relay Terminology
- VC (virtual circuit): A logical circuit between two network devices. A VC can be permanent (PVC) or switched (SVC). PVCs save bandwidth (no circuit establishment or teardown) but can be expensive. SVCs are established on demand and are torn down when transmission is complete. Today, most Frame Relay circuits are PVCs. VC status can be active, inactive, or deleted.

- DLCI (data-link connection identifier): Identifies the logical connection between two directly connected sets of devices. The DLCI is locally significant.
- CIR (committed information rate): The minimum guaranteed data transfer rate agreed to by the Frame Relay switch.
- Inverse ARP: Routers use inverse ARP to discover the network address of a device associated with a VC.
- LMI (Local Management Interface): A signaling standard that manages the connection between the router and the Frame Relay switch. LMIs track and manage keepalive mechanisms, multicast messages, and DLCI status. The three types of LMIs supported by Cisco Frame Relay switches are Cisco (developed by Cisco, StrataCom, Northern Telecom, and DEC), ANSI Annex D (ANSI standard T1.617), and Q933a (ITU-T Q.933 Annex A). Routers autosense LMI types by sending a status request to the Frame Relay switch. The router configures itself to match the LMI type response.
- FECN (forward explicit congestion notification): A message sent to a destination device when a Frame Relay switch senses congestion in the network.
- BECN (backward explicit congestion notification): A message sent to a source router when a Frame Relay switch recognizes congestion in the network. A BECN message requests a reduced data transmission rate.

ATM and Cell Switching
Asynchronous Transfer Mode (ATM) was originally developed as a high-speed public WAN transport for voice, video, and data. ATM was later modified by the ATM Forum to include transport over private networks. ATM networks are composed of ATM switches interconnected by point-to-point ATM links. The links connecting the switches come in two forms: User-Network Interfaces (UNI), which connect ATM endpoints to ATM switches, and Network Node Interfaces (NNI), which connect ATM switches.

The asynchronous part of ATM refers to the protocol's ability to use a more efficient version of time-division multiplexing (TDM). Multiplexing is a method of combining multiple data streams into a single physical or logical connection. Time division means that each data stream has an assigned slot in a repeating sequence. With synchronous TDM, each time slot is preassigned and is held open if the station assigned to it has no data to send. As shown in Figure 10-14, asynchronous transmission allows empty slots to be filled by stations that have data to send.

FIGURE 10-14 Asynchronous Transfer Mode (ATM Makes Efficient Use of All Time Slots)

Section 11 RIP Routing

Dynamic Routing Protocol Overview
Routing protocols determine the best path packets take to reach a destination in a network. A routing protocol does this by defining rules to communicate with neighboring routers and then sending information about the router's learned routes to neighboring routers.

IGP and EGP
An autonomous system (AS) refers to a group of networks under a common administrative domain. Routing protocols are divided into two classes based on how they interact with other autonomous systems: exterior gateway protocols (EGP) and interior gateway protocols (IGP). IGPs exchange information within an AS. Examples include RIP, OSPF, EIGRP, and IS-IS. EGPs exchange information between autonomous systems. BGP is an example of an EGP.

FIGURE 11-1 IGPs and EGPs (IGPs: RIP, OSPF, EIGRP; EGPs: BGP; Autonomous System 100 and Autonomous System 200)

Classes of Routing Protocols
As mentioned in Chapter 8, "Exploring the Functions of Routing," three classes or methods of routing protocols exist:
- Distance vector
- Link-state
- Advanced distance vector (also called balanced hybrid)

Routing Ranges with Administrative Distance
Several routing protocols can be used at the same time in the same network. When more than a single source of routing information exists for the same destination prefix, the source with the lowest administrative distance value is preferred. Table 11-1 shows the default administrative distance of learned routes.

Table 11-1 Default Distance Values
Route Source          AD
Connected interface   0
Static route          1
EIGRP                 5
BGP                   20
Internal EIGRP        90
IGRP                  100
IS-IS                 115
RIP                   120
EGP                   140
ODR                   160
External EIGRP        170
Internal BGP          200
Unknown               255

Classless Versus Classful Routing
Classless routing protocols include subnet mask information in routing advertisements and support variable-length subnet mask (VLSM). In classless routing, summarization is controlled manually. RIP v2, OSPF, IS-IS, and EIGRP are classless routing protocols. Classful routing protocols do not include the subnet mask in routing advertisements. As a result, all subnetworks of the same major network must use the same subnet mask. Routers using classful routing protocols automatically perform route summarization across network boundaries. RIPv1 is an example of a classful routing protocol. The ip classless command prevents a router from dropping packets for an unknown subnetwork of a directly attached network if a default route is configured. The ip classless command is enabled by default.

Distance Vector Route Selection
Routers using distance vector-based routing share routing table information with each other. This method of updating is called "routing by rumor." Each router receives updates from its direct neighbor. In Figure 11-2, Router B shares information with Routers A and C. Router C shares routing information with Routers B and D. In this case, the routing information

is distance vector metrics (such as the number of hops). Each router increments the metrics as they are passed on (incrementing hop count, for example).

FIGURE 11-2 Distance Vector Routing Protocols (Distance: how far? Vector: in which direction?)

Distance accumulation keeps track of the routing distance between any two points in the network, but the routers do not know the exact topology of an internetwork.

How Information Is Discovered with Distance Vectors
Network discovery is the process of learning about nondirectly connected destinations. As the network discovery proceeds, routers accumulate metrics and learn the best paths to various destinations. In Figure 11-3, each directly connected network has a distance of 0. Router A learns about other networks based on information it receives from Router B. Router B knows about the networks to Router C, which is directly connected. Router B then shares this information with Router A, which increments the distance to these networks by 1. In general, Router A increments the distance metric for any route learned from Router B.

FIGURE 11-3 Distance Vector Route-Learning Process

During updates, routing loops can occur if the network has inconsistent routing entries. Slow convergence on a new configuration is one cause of this phenomenon. The network is converged when all routers have consistent routing tables.

Routing Metrics
Routing protocols use their own rules and metrics to build and update routing tables automatically. Routing metrics are measures of path desirability. Different protocols use different metrics. Some common metrics are as follows:
- Bandwidth: The link's data capacity.
- Delay: The time required to move the packet from the current router to the destination. This depends on bandwidth, port delays, congestion, and distance.
- Load: The amount of activity on the interface.
- Reliability: The error rate of each network link.
- Hop count: The number of routers the packet must travel through before reaching the destination.
- Cost: An arbitrary value based on bandwidth, expense, and other metrics assigned by the administrator.

Techniques to Eliminate Routing Loops
A routing loop prevents some packets from being properly routed because of incorrect routing information circulating in the network. Routing loops usually occur when unreachable networks are incorrectly replaced by older routing information from other devices in the network. Routing protocols have some mechanisms to prevent routing loops.

Split Horizon
Split horizon is one way to eliminate routing loops and speed convergence. The idea behind split horizon is that it is never useful to send information about a route back in the direction from which the update came. In Figure 11-4, Router A, using split horizon, will not send route advertisements that contain routes learned on serial interface 0 out serial interface 0. Split horizon also eliminates unnecessary routing updates. This allows network updates to propagate throughout the network, thus speeding convergence.

FIGURE 11-4 Split Horizon

Hold-Down Timers
Hold-down timers dictate that when a route is invalid, no new route with the same or a worse metric will be accepted for the same destination for some period of time. If the router has no valid alternative path to the network, it is considered inaccessible.

Route Poisoning
Route poisoning (part of split horizon) also eliminates routing loops caused by inconsistent updates. Route poisoning basically sets a route to "unreachable" and locks the table (using hold-down timers) until the network has converged. The router advertises the poisoned route to its neighbors. In Figure 11-5, when network 10.4.0.0 goes down, Router C "poisons" its link to network 10.4.0.0 by sending an update for network 10.4.0.0 that indicates it has an infinite metric and a hop count of 16 (that is, it is unreachable). Router C is no longer susceptible to incorrect updates about network 10.4.0.0 coming from neighboring routers that might claim to have a valid alternative path. After the hold-down timer expires (which is just longer than the time to convergence), Router C begins accepting updates again.

FIGURE 11-5 Route Poisoning

Poison Reverse
In Figure 11-6, when Router B sees the metric to 10.4.0.0 jump to infinity, it sends a return message (overriding split horizon) called a poison reverse back to Router C, stating that network 10.4.0.0 is inaccessible. This message ensures that all routers on that segment have received information about the poisoned route.

FIGURE 11-6 Poison Reverse

Triggered Updates
Also known as flash updates, triggered updates are routing updates sent immediately out a router's interface when it notices that a directly connected subnet has changed state.

RIP
RIP is a true distance vector routing protocol that sends its complete routing table out all active interfaces every 30 seconds. RIP uses a hop count as its metric to determine the best path to a remote network. The maximum allowable hop count is 15; thus a hop count of 16 is unreachable. RIP can load-balance over as many as 16 equal-cost paths; the default is 4. RIP is subject to the split horizon rule. Two versions of RIP exist: version 1 and version 2.
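The route-learning, split horizon, hold-down, route poisoning and poison reverse behaviour described in the preceding sections, as an added example that is not part of the book: a small distance vector simulator in Python on the three-router chain of Figures 11-3 to 11-6. The networks and interfaces are the book's; the hold-down length (in update rounds) and the simplified update rules are assumptions of this model, not Cisco's implementation.

```python
# Added example (not from the book): a small distance vector simulator on the
# three-router chain of Figures 11-3 to 11-6. It shows hop counts accumulating,
# split horizon, route poisoning with hold-down and poison reverse, and the
# count-to-infinity loop that appears when those protections are switched off.
INFINITY = 16          # RIP: a hop count of 16 means unreachable
HOLDDOWN_ROUNDS = 6    # hold-down in update rounds (constructed value; RIP uses 180 s)

class Router:
    def __init__(self, connected):
        """connected maps a directly attached network (book's addresses) to its interface."""
        self.connected = dict(connected)
        self.table = {net: (0, iface) for net, iface in connected.items()}  # net -> (metric, iface)
        self.holddown = {}  # net -> (metric before it was poisoned, rounds left)

    def advertisement(self, out_iface, split_horizon=True):
        """Split horizon omits routes learned on out_iface; a poisoned one is still sent (poison reverse)."""
        return {net: m for net, (m, iface) in self.table.items()
                if not (split_horizon and iface == out_iface and m != INFINITY)}

    def receive(self, in_iface, adv):
        """Apply a neighbour's update received on in_iface, adding one hop to each metric."""
        for net, metric in adv.items():
            if net in self.connected:
                continue  # a directly connected network is never replaced
            new_metric = min(metric + 1, INFINITY)
            cur_metric, cur_iface = self.table.get(net, (None, None))
            if cur_iface is None:
                if new_metric < INFINITY:
                    self.table[net] = (new_metric, in_iface)
            elif cur_iface == in_iface:
                # an update from the current next hop is always taken, even when it is worse
                if new_metric == INFINITY and cur_metric < INFINITY:
                    self.holddown[net] = (cur_metric, HOLDDOWN_ROUNDS)
                self.table[net] = (new_metric, in_iface)
            elif new_metric < cur_metric:
                old_metric, rounds_left = self.holddown.get(net, (None, 0))
                if rounds_left and new_metric >= old_metric:
                    continue  # hold-down: a same-or-worse alternative is ignored
                self.table[net] = (new_metric, in_iface)

    def link_down(self, net, poison=True):
        """Attached network fails: poisoning keeps it at metric 16 under hold-down; else it is deleted."""
        metric, iface = self.table[net]
        self.connected.pop(net)
        if poison:
            self.table[net] = (INFINITY, iface)
            self.holddown[net] = (metric, HOLDDOWN_ROUNDS)
        else:
            del self.table[net]

    def tick(self):
        self.holddown = {n: (m, r - 1) for n, (m, r) in self.holddown.items() if r > 1}

def build_topology():
    """A (E0 10.1.0.0, S0 10.2.0.0) - B (S0 10.2.0.0, S1 10.3.0.0) - C (S0 10.3.0.0, E0 10.4.0.0)."""
    a = Router({"10.1.0.0": "E0", "10.2.0.0": "S0"})
    b = Router({"10.2.0.0": "S0", "10.3.0.0": "S1"})
    c = Router({"10.3.0.0": "S0", "10.4.0.0": "E0"})
    return {"A": a, "B": b, "C": c}, [(a, "S0", b, "S0"), (b, "S1", c, "S0")]

def exchange_round(routers, links, split_horizon=True):
    """One periodic update: build all advertisements first, then deliver them, then age hold-downs."""
    pending = []
    for r1, i1, r2, i2 in links:
        pending.append((r2, i2, r1.advertisement(i1, split_horizon)))
        pending.append((r1, i1, r2.advertisement(i2, split_horizon)))
    for router, iface, adv in pending:
        router.receive(iface, adv)
    for router in routers.values():
        router.tick()

def converge(routers, links, split_horizon=True, limit=50):
    """Run rounds until no table changes; returns how many rounds changed something."""
    for rounds in range(limit):
        before = [dict(r.table) for r in routers.values()]
        exchange_round(routers, links, split_horizon)
        if [dict(r.table) for r in routers.values()] == before:
            return rounds
    return limit

def poison_scenario():
    """10.4.0.0 fails on C with the protections on; each router's metric for it two rounds later."""
    routers, links = build_topology()
    converge(routers, links)
    routers["C"].link_down("10.4.0.0")
    for _ in range(2):
        exchange_round(routers, links)
    return {name: r.table["10.4.0.0"][0] for name, r in routers.items()}

def count_to_infinity():
    """Same failure with both protections off: Router B's metric for 10.4.0.0 per round, climbing to 16."""
    routers, links = build_topology()
    converge(routers, links, split_horizon=False)
    routers["C"].link_down("10.4.0.0", poison=False)
    history = []
    for _ in range(40):
        exchange_round(routers, links, split_horizon=False)
        history.append(routers["B"].table["10.4.0.0"][0])
    return history
```

With split horizon and poisoning in place the failed network reads 16 on all three routers after two rounds; without them, Router B and Router C keep re-learning 10.4.0.0 from each other and the hop count counts up to 16 one round at a time.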

RIPv1 and RIPv2 Comparisons
RIP version 1 is a classful protocol, meaning that it does not send its subnet mask in routing updates. As a result, RIPv1 does not support variable-length subnet mask. RIP version 2 is a classless protocol that supports VLSM and sends its subnet mask in routing updates. RIP version 2 also sends routing updates through multicast; RIP v1 broadcasts updates. RIP v2 also supports manual route summarization and authentication; RIP v1 does not.

RIP Timers
RIP uses four timers to regulate performance and route updates:
- Route update timer: The time between router updates. Default is 30 seconds.
- Route invalid timer: The time that must expire before a route becomes invalid. Default is 180 seconds.
- Route hold-down timer: If RIP receives an update with a hop count higher than the metric recorded in the routing table, RIP goes into a hold-down for 180 seconds.
- Route flush timer: The time from when a route becomes invalid to when it is removed from the routing table. Default is 240 seconds.

Configuring and Verifying RIP
The commands to enable RIP on a Cisco router are as follows:
- router rip global command
- network connected-network-address configuration command

For example, the following commands enable RIP and advertise routes for the locally connected networks 192.168.1.0 and 192.168.2.0:
RouterB(config)#router rip
RouterB(config-router)#network 192.168.1.0
RouterB(config-router)#network 192.168.2.0

The IOS command show ip protocols, as follows, displays values associated with routing timers, the administrative distance, and network information associated with the entire router:
RouterB#show ip protocols
Routing Protocol is "rip"
Sending updates every 30 seconds, next due in 2 seconds
Invalid after 180 seconds, hold down 180, flushed after 240
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: rip
Default version control: send version 1, receive any version
Interface        Send  Recv  Key-chain
Serial0          1     1 2
Serial1          1     1 2
Routing for Networks:
192.168.1.0
192.168.2.0
Routing Information Sources:
Gateway          Distance  Last Update
Distance: (default is 120)

Displaying the Routing Table
The show ip route command, as follows, displays the Cisco routing table's contents:
RouterA#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
R    192.168.2.0/24 [120/1] via 192.168.1.1, 00:00:21, Serial0
C    192.168.1.0/24 is directly connected, Serial0
C    192.168.0.0/24 is directly connected, Ethernet0
R*   0.0.0.0/0 [120/1] via 192.168.1.1, 00:00:21, Serial0

The [120/1] indicates that 120 is the AD and 1 is the number of hops to the remote network. R indicates that RIP has learned paths to networks 192.168.2.0/24 and 0.0.0.0/0.

Troubleshooting RIP
The debug ip rip command displays routing updates as they are sent and received, thus allowing you to troubleshoot RIP.

Section 12 Managing Your Network Environment

Discovering Neighbors on the Network with CDP
Cisco Discovery Protocol (CDP) is a proprietary tool that enables access to protocol and address information on directly connected devices. CDP runs over the data link layer, allowing devices running different network layer protocols to learn about each other. CDP runs over all LANs, Frame Relay, ATM, and other WANs employing Subnetwork Access Protocol (SNAP) encapsulation. CDP starts by default on bootup and sends updates every 60 seconds. CDP summary information includes device identifiers, address lists, port identifiers, and platform.

FIGURE 12-1 CDP

Implementation of CDP
- cdp enable enables CDP on an interface.
- no cdp enable disables CDP on an interface.
- cdp run allows other CDP devices to get information about your device.
- no cdp run disables CDP on a device.
- show cdp displays the CDP output.
- show cdp neighbors displays the CDP updates received on the local interfaces and information about CDP neighbors. For each CDP neighbor, the following is displayed:
  - Neighbor device ID
  - Local interface
  - Holdtime value in seconds
  - Neighbor device capability code (router, switch)
  - Neighbor hardware platform
  - Neighbor remote port ID
- show cdp neighbors detail displays the updates received on the local interfaces, in addition to the network layer address of the CDP neighbor. The show cdp neighbors detail command shows the same information as sh cdp neighbors, and it displays the same information as the show cdp entry * command.

- show cdp entry displays the following information about neighboring devices:
  - Neighbor device ID
  - Layer 3 protocol information
  - Device platform
  - Device capabilities
  - Local interface type and outgoing remote port ID
  - Holdtime value in seconds
  - Cisco IOS Software type and release
- show cdp traffic displays information about interface traffic.
- show cdp interface displays interface status and configuration information.

Managing Router Startup and Configuration
When a router is booted up, it goes through the following sequence:
1. The router checks its hardware with a power-on self test (POST).
2. The router loads a bootstrap code.
3. The Cisco IOS Software is located and loaded using the information in the bootstrap code.
4. The configuration is located and loaded.

Router Components
The major router components are as follows:
- RAM: Random-access memory contains key software (IOS).
- ROM: Read-only memory contains startup microcode.
- Flash memory: Flash contains the Cisco IOS Software image. Some routers run the IOS image directly from flash and do not need to transfer it to RAM.
- NVRAM: Nonvolatile RAM stores the configuration.
- Interfaces: The interface is the physical connection to the external devices. Physical connections can include Token Ring and FDDI.
- Configuration register: Controls the bootup method.

ROM Functions
ROM contains the startup microcode and consists of the following four areas:
- Bootstrap code: Brings the router up during initialization. Reads the configuration register to determine how to boot.
- POST: Tests the basic function of the router hardware and determines the hardware present.
- ROMMON: A low-level operating system normally used for manufacturing, testing, troubleshooting, and password recovery.
- Mini Cisco IOS Software file: Loads a new Cisco IOS image into flash memory from a TFTP server.

How a Cisco Device Locates and Loads IOS Images
The bootstrap code locates and loads the Cisco IOS image. It does this by first looking at the configuration register. If the configuration register's fourth character is from 0x2 to 0xF, the bootstrap parses the startup-config file in NVRAM for the boot system command that specifies the name and location of the Cisco IOS Software image to load. After the IOS is loaded, the router must be configured. Configurations in NVRAM are executed. If one does not exist in NVRAM, the router initiates an auto-install or setup utility. The auto-install routine attempts to download a configuration file from a TFTP server.

The Configuration Register
The config register includes information that specifies where to locate the Cisco IOS Software image. Changing the configuration register changes the location of the IOS load (and many other things). Before changing the configuration register, use the show version command to determine the current image. The last line contains the register value. The default value for the configuration register is 0x2102. The register value is checked only during the boot process. A reload command must be used for the new configuration to be set. Table 12-1 shows the configuration register values and meanings.

Table 12-1 Configuration Register Values
Configuration Register Boot Field Value   Meaning
0x0          Use ROM monitor mode (manually boot using the boot command)
0x1          Automatically boot from ROM (provides IOS subset)
0x2 to 0xF   Examine NVRAM for boot system commands (0x2 is the default if router has flash)

The show version command verifies changes in the configuration register setting. The show running-config command shows the current running configuration in RAM. The show startup-config command shows the configuration file saved in NVRAM. This is the configuration that will be used if the router is reloaded and the running-config is not saved.

Managing IOS Images
The Cisco IOS File System (IFS) feature provides an interface to the router file systems. The uniform resource locator (URL) convention allows you to specify files on network devices. URL prefixes for Cisco network devices are as follows:
- bootflash: Boot flash memory
- flash: Available on all platforms
- flh: Flash load helper log files
- ftp: File Transfer Protocol (FTP) network server
- nvram: NVRAM
- rcp: Remote Copy Protocol (RCP) network server
- slot0: First PCMCIA flash memory card
- slot1: Second PCMCIA flash memory card
- system: Contains the system memory and the running configuration
- tftp: Trivial File Transfer Protocol (TFTP) network server

The show flash command displays contents in flash memory, including the image filenames and sizes.

Backing Up and Upgrading IOS Images
wg_ro_a# show flash
wg_ro_a# copy flash tftp
wg_ro_a# copy tftp flash

When using the copy flash command, you must enter the IP address of the remote host and the name of the source and destination system image file. The router prompts you for the IP address of the remote host and the name of the source and destination system image file.

Cisco IOS copy Command
As shown in Figure 12-2, the copy commands are used to move configuration from one component or device to another. The syntax is as follows:
copy object source destination
For example:
copy running-config startup-config

FIGURE 12-2 IOS copy Command (RAM config, NVRAM config, TFTP server, console: copy running startup; copy startup running (merge); config term (merge); copy tftp run (merge); copy run tftp; erase start; copy tftp start; copy start tftp)

NOTE When a configuration is copied into RAM, it merges with the existing configuration in RAM. It does not overwrite the existing configuration. In Cisco IOS Release 12.3T and later, the configure replace command allows you to overwrite the running configuration.

The show running-config and show startup-config commands are useful troubleshooting aids. These commands allow you to view the current configuration in RAM or the startup configuration commands in NVRAM. You know that you are looking at the current config file when you see the words "Current configuration" at the top of the display. You know that you are looking at the startup config file when you see a message at the top telling you that NVRAM has been used to store the configuration.

Troubleshooting
Troubleshooting is aided with the show and debug commands. The following table details the differences between the two.

Characteristics   show            debug
Processing        Static          Dynamic
Load              Low overhead    High overhead
Primary Use       Gather facts    Observe processes

ICND2 Part I: LAN Switching

Section 1 Implementing VLANs and Trunks

VLANs
The virtual LAN (VLAN) organizes physically separate users into the same broadcast domain. The use of VLANs improves performance, security, and flexibility. The use of VLANs also decreases the cost of arranging users, because no extra cabling is required.

VLAN Characteristics
VLANs allow logically defined user groups rather than user groups defined by their physical locations. For example, you can arrange user groups such as accounting, engineering, and finance, rather than everyone on the first floor, everyone on the second floor, and so on.
- VLANs define broadcast domains that can span multiple LAN segments.
- VLANs improve segmentation, flexibility, and security.
- VLAN segmentation is not bound by the physical location of users.

- Each switch port can be assigned to an access VLAN, a voice VLAN, or a trunk.
- A VLAN can exist on one or several switches.
- Ports assigned to the same VLAN share broadcasts and are in the same broadcast domain.

Figure 1-1 shows a VLAN design. Note that VLANs are defined by user functions rather than locations.

FIGURE 1-1 VLAN Design (3rd Floor, 2nd Floor, 1st Floor; SALES, HR, ENG)

VLAN Operation
Figure 1-2 shows that each VLAN on a switch behaves as if it were a separate physical bridge. The switch forwards packets (including unicasts, multicasts, and broadcasts) only to ports assigned to the same VLAN from which they originated. This drastically cuts down on network traffic.

FIGURE 1-2 VLAN Operation (figure labels: Switch A; Green VLAN, Red VLAN, Black VLAN)

VLANs require a trunk or a physical connection for each VLAN to span multiple switches. Each trunk can carry traffic for multiple VLANs.

Supported VLANs
The Catalyst 2960 supports VLANs in VLAN Trunking Protocol (VTP) client, server, and transparent mode. The switch supports up to 255 VLANs. VLANs are identified by a number from 1 to 4094. VLAN IDs 1002 through 1005 are reserved.

VLAN Port Membership Modes
A port must be assigned (configured) to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries:
- Static access: The port belongs to only one VLAN and is manually assigned.
- Dynamic access: The port belongs to one VLAN and is dynamically assigned by a VLAN Membership Policy Server (VMPS). Dynamic access ports cannot connect to another switch.
- Trunk (IEEE 802.1Q): The port is a member of all VLANs.
- Voice VLAN: The port is an access port attached to a Cisco IP phone that is configured to use one VLAN for voice traffic and another VLAN for data traffic from a device connected to the IP phone.

Trunking
The IEEE 802.1Q protocol defines VLAN topologies and connects multiple switches and routers. 802.1Q defines how to carry traffic from multiple VLANs over a single point-to-point link. 802.1Q tagging provides a standard method of identifying frames that belong to a particular VLAN by using an internal process that modifies the existing Ethernet frame with the VLAN identification. Cisco supports 802.1Q trunking over Fast Ethernet and Gigabit Ethernet links.

VLAN Trunking Protocol
VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency throughout a common administrative domain by managing VLAN additions, deletions, and name changes across multiple switches. Without VTP, you would have to manually add VLAN information to each switch in the network.
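The frame modification that 802.1Q tagging performs, shown as an added example that is not part of the Quick Reference Sheets: an untagged Ethernet II frame is built, the 4-byte tag (TPID 0x8100 followed by priority, DEI and the 12-bit VLAN ID) is inserted after the source address the way a trunk port does, and the tag is parsed back out and stripped the way an access port does. The MAC addresses, EtherType and payload are constructed sample values; the TPID value and field widths are taken from the 802.1Q standard rather than from the page.

```python
"""802.1Q tag insertion and parsing (added example; not from the CCNA sheets)."""
import struct

TPID_8021Q = 0x8100                  # EtherType position value that marks a tagged frame
MIN_VLAN, MAX_VLAN = 1, 4094         # usable IDs; 0 and 4095 are reserved by the standard
RESERVED_VLANS = range(1002, 1006)   # 1002-1005 are reserved on the Catalyst 2960 (page)

def mac_bytes(mac: str) -> bytes:
    """Accepts 00:11:22:33:44:55 or 0011.2233.4455 notation."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC (byte offset 12)."""
    if not (MIN_VLAN <= vid <= MAX_VLAN) or vid in RESERVED_VLANS:
        raise ValueError(f"VLAN {vid} is not a usable VLAN ID")
    if not (0 <= pcp <= 7) or dei not in (0, 1):
        raise ValueError("PCP must be 0-7 and DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid        # Tag Control Information: 3 + 1 + 12 bits
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_frame(frame: bytes) -> dict:
    """Return addresses, VLAN fields (when tagged), the real EtherType and payload."""
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "vid": None, "pcp": None, "dei": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)
        ethertype = struct.unpack("!H", frame[16:18])[0]   # EtherType follows the tag
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

def untag_frame(frame: bytes) -> bytes:
    """Strip the tag before handing the frame to a host on an access port."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]

if __name__ == "__main__":
    # constructed sample: an ARP broadcast from a host that ends up on VLAN 10 with priority 5
    plain = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01" * 14)
    tagged = tag_frame(plain, vid=10, pcp=5)
    print(len(plain), "->", len(tagged), "bytes;", parse_frame(tagged))
```

The parser reads the EtherType position first and only treats the next two bytes as TCI when it sees 0x8100, which is the same test a switch applies; a frame whose VLAN field is outside 1-4094 or inside the reserved block is refused before it is ever built.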

How VTP Works
Whenever a change occurs in the VLAN database, the VTP server increments its configuration revision number and then advertises the new revision throughout the VTP domain. When a switch receives the VTP advertisement, it overwrites its configuration with the new information if the new revision number is higher than the one it already has. If the revision number is the same, the switch ignores the advertisement. If the revision number is lower, the switch replies with the more up-to-date revision number. A VTP domain is one or more interconnected switches that share the same VTP environment. The server advertises VLAN configuration information to maintain domain consistency. VTP cannot cross a Layer 3 boundary.

VTP Example
In Figure 1-3, the VTP server notifies all switches in its VTP domain that a new VLAN, named “ICND,” has been added.

FIGURE 1-3 Advertising VLAN Configuration Information (figure labels: VTP Domain "ICND"; 1. "new vlan added"; 2.; 3. Sync to the latest vlan information)

VTP Modes
A Catalyst switch can operate in three different modes: server, client, or transparent. The default mode is server mode. Following are the VTP modes:
- Server: Switch can add, delete, and modify VLANs and other configuration parameters for the VTP domain. Transmits and receives VTP updates over trunk links.
- Client: Switch cannot create, delete, or modify VLANs.
- Transparent: Switch does not participate in the VTP domain. Switch can add, delete, and modify VLANs locally. In VTP version 2, transparent switches forward VTP advertisements they receive.

VTP Advertisements
VTP advertisements are only sent over trunk links. They are flooded over the native VLAN (VLAN1 by default) every five minutes or whenever a change occurs. VLAN configurations are not advertised until a management domain name is specified or learned. VTP advertisements include
- VTP domain name
- VTP configuration revision number
- Update identity and update timestamp
- Message digest algorithm 5 (MD5)
- VLAN configuration, including VLAN ID, name, type, and state
- Frame format

VLAN Database
VLAN information is stored in a file located in flash called vlan.dat. If this file is deleted, all switch VLAN information is deleted.
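The revision-number rule from "How VTP Works" together with the three modes above, as an added simulation that is not the book's code: a server increments its revision on every VLAN change and advertises; a receiving switch applies an advertisement from its own domain only when the revision is higher, ignores an equal revision, answers a lower one with its own revision, and a transparent switch only forwards. Switch names, domain names and VLAN numbers are constructed; the real VTP frame layout, the MD5 digest and the five-minute timer are not modelled.

```python
"""Simplified VTP advertisement handling (added example; not from the CCNA sheets)."""
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict                    # VLAN ID -> name, the advertised database


@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"           # server | client | transparent (server is the default)
    domain: str = ""               # "" models the Null default domain: nothing is advertised
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    log: list = field(default_factory=list)

    def add_vlan(self, vid: int, name: str):
        """Local VLAN change; returns the advertisement a server would send."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1     # every server-side change bumps the revision
        return self.advertise()

    def advertise(self):
        """Servers advertise once a domain name is set; others do not originate updates."""
        if self.mode != "server" or not self.domain:
            return None
        return Advertisement(self.domain, self.revision, dict(self.vlans))

    def receive(self, adv: Advertisement) -> str:
        """Apply the revision-number rule and report what the switch did."""
        if self.mode == "transparent":
            return "forwarded"                 # does not participate; v2 forwards the frame
        if adv.domain != self.domain:
            return "ignored-domain"            # a different VTP domain is not ours
        if adv.revision > self.revision:
            self.vlans = dict(adv.vlans)       # newer: overwrite the local database
            self.revision = adv.revision
            self.log.append(f"synced to revision {adv.revision}")
            return "overwritten"
        if adv.revision == self.revision:
            return "ignored-same"
        return f"replied-with-revision-{self.revision}"   # ours is newer: tell the sender


if __name__ == "__main__":
    server = VtpSwitch("S1", "server", "ICND")
    client = VtpSwitch("S2", "client", "ICND")
    adv = server.add_vlan(10, "ICND")          # the Figure 1-3 event: "new vlan added"
    print(client.receive(adv), client.revision, client.vlans)
```

The check worth taking from this model is the one in the first two branches of receive(): the database is replaced on nothing more than a matching domain name and a larger number, which is why the text recommends setting a VTP password for the domain and why the revision number of every switch joining a domain should be looked at first.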

VTP Versions
Two versions of VTP exist: version 1 and 2. VTP version 1 is the default VTP version. Version 2 includes the following additional features:
- Token Ring support
- Unrecognized type-length-value
- Version-dependent transparent mode (forwards VTP messages in transparent mode out all trunk links)
- Consistency checks

VTP Pruning
VTP pruning improves bandwidth by restricting broadcasts, multicasts, and unknown unicasts from flooding the entire domain. Figure 1-4 shows an example of VTP pruning.

FIGURE 1-4 VTP Pruning (figure labels: Switch 1 through Switch 6; Port 1, Port 2; RED VLAN; Flooded Traffic is Pruned)

By default, a trunk carries traffic for all VLANs in the VTP management domain. With VTP pruning enabled, update traffic from station A is not forwarded to switches 3, 5, and 6, because traffic for the red VLAN has been pruned on the links indicated on switches 2 and 4.

Default VTP Configuration
The default VTP configuration on a Catalyst 2960 switch is as follows:
- VTP domain: Null
- VTP mode: Server
- VTP version: Version 1
- VTP password: None
- VTP pruning: Disabled

Configuring VTP, VLANs, and Trunks
The steps to configure VLANs on a Catalyst 2960 switch are as follows:
Step 1. Configure VTP.
Step 2. Define trunks.
Step 3. Add VLANs and assign port membership modes.

VTP Command
vtp [mode {server | client | transparent}] [domain domain-name] [password password] [pruning {enable | disable}] [version {1 | 2}]
- domain-name: Can be specified or learned (is case sensitive).
- password: Can be set for the VTP management domain. The password is case sensitive and must be the same for all the switches in the management domain.
- pruning: VTP pruning on a server propagates the changes throughout the entire VTP domain.
- version: Setting the version on a server propagates the changes throughout the entire VTP domain.

Configuring VTP on a 2960
Cat2960(config)#vtp mode server
Cat2960(config)#vtp domain CiscoPress
Changing VTP domain name from NULL to CiscoPress
Cat2960(config)#vtp password ICND
Setting device VLAN database password to ICND
Cat2960(config)#vtp version 2
Cat2960(config)#vtp pruning
Pruning switched on
Cat2960#show vtp status
Cat2960#show vtp counters

Adding, Modifying, and Deleting a VLAN on a 2960
Switch(config)#vlan 10
Switch(config-vlan)#name Accounting

Switch(config)#vlan 10
Switch(config-vlan)#name Sales
Switch(config)#no vlan 10
Switch#show vlan brief

Configuring a Trunk Link
Cisco switches use DTP (Dynamic Trunking Protocol) to negotiate a trunk link. The switchport mode trunk command sets Fast Ethernet or Gigabit Ethernet ports to trunk mode.
switchport mode [dynamic {auto | desirable} | trunk]
- mode dynamic auto allows the interface to convert to a trunk link if the connecting neighbor interface is set to trunk or desirable.
- mode dynamic desirable allows the interface to actively attempt to convert the link to a trunk link. The link becomes a trunk if the neighbor interface is set to trunk, desirable, or auto.
- trunk sets the interface to trunking on. This is the recommended setting.
Cat2960(config)#interface g0/1
Cat2960(config-if)#switchport mode trunk
Cat2960(config-if)#interface g0/2
Cat2960(config-if)#switchport mode dynamic desirable
Cat2960#show interface trunk

Defining Allowed VLANs
By default, all VLANs (1–4094) are allowed to propagate on all trunk links. To limit a trunk to allow only specified VLANs, use the following command:
switchport trunk allowed vlan {add | all | except | remove} vlan-list

The following command allows only VLANs 10–50 on a trunk link:
Cat2960(config-if)#switchport trunk allowed vlan 10-50

Assigning Ports to a VLAN on a 2960
Assigning a single port:
Cat2960(config)#interface fastethernet 0/1
Cat2960(config-if)#switchport mode access
Cat2960(config-if)#switchport access vlan 10
Assigning a range of ports:
Cat2960(config)#interface range fastethernet 0/1 - 12
Cat2960(config-if-range)#switchport mode access
Cat2960(config-if-range)#switchport access vlan 10
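The DTP mode descriptions and the switchport trunk allowed vlan keywords from the preceding pages, worked through as an added example that is not the book's code: dtp_result() gives the outcome for a pair of switchport modes (trunk always trunks, dynamic desirable trunks with trunk, desirable or auto, and dynamic auto trunks only when the neighbor is trunk or desirable, so auto on both ends never forms a trunk); allowed_vlans() applies add, all, except and remove to the default 1–4094 list, with the bare form setting the list outright as in the 10-50 command above; audit_ports() lists interfaces that trunk only because DTP negotiated it. The interface names and mode pairs are constructed sample data.

```python
"""DTP outcomes and allowed-VLAN list arithmetic (added example; not from the CCNA sheets)."""
TRUNK_MODES = ("trunk", "dynamic desirable", "dynamic auto")
ALL_VLANS = frozenset(range(1, 4095))          # default: every VLAN allowed on a trunk


def dtp_result(local: str, remote: str) -> str:
    """Return 'trunk' or 'access' for the two ends of a link."""
    for mode in (local, remote):
        if mode not in TRUNK_MODES:
            raise ValueError(f"unknown switchport mode: {mode}")
    if "trunk" in (local, remote):
        return "trunk"        # a hard-coded trunk brings any dynamic neighbor up
    if "dynamic desirable" in (local, remote):
        return "trunk"        # desirable actively asks; auto or desirable agrees
    return "access"           # dynamic auto on both ends: neither side asks


def parse_vlan_list(text: str) -> set:
    """'1,10-12' -> {1, 10, 11, 12}; rejects IDs outside 1-4094."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def allowed_vlans(current, keyword=None, vlan_list: str = "") -> set:
    """Apply one 'switchport trunk allowed vlan' line to the current allowed set."""
    if keyword == "all":
        return set(ALL_VLANS)
    wanted = parse_vlan_list(vlan_list)
    if keyword is None:             # bare list: replace, as 'allowed vlan 10-50' does
        return wanted
    if keyword == "add":
        return set(current) | wanted
    if keyword == "remove":
        return set(current) - wanted
    if keyword == "except":
        return set(ALL_VLANS) - wanted
    raise ValueError(f"unknown keyword: {keyword}")


def audit_ports(ports) -> list:
    """ports: (name, local mode, neighbor mode). Names the interfaces that carry a
    trunk without being configured 'trunk' themselves, which the text's advice
    to use the trunk setting avoids."""
    return [name for name, local, remote in ports
            if dtp_result(local, remote) == "trunk" and local != "trunk"]


if __name__ == "__main__":
    # constructed sample interface table
    sample = [("Gi0/1", "trunk", "trunk"),
              ("Gi0/2", "dynamic desirable", "dynamic auto"),
              ("Fa0/5", "dynamic auto", "dynamic auto")]
    for name, local, remote in sample:
        print(name, local, "<->", remote, "=>", dtp_result(local, remote))
    print("negotiated trunks:", audit_ports(sample))
    print(sorted(allowed_vlans(ALL_VLANS, None, "10-50"))[:5], "...")
```

The audit function is the useful part for a configuration review: a port that ends up trunking through negotiation carries every VLAN unless an allowed list was set, so each name it returns is a place to apply both switchport mode trunk and switchport trunk allowed vlan.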

Section 2 Redundant Switching and STP

Redundant Switched Topology Issues
A redundant topology has multiple connections to switches or other devices. Redundancy ensures that a single point of failure does not cause the entire switched network to fail. Figure 2-1 shows a redundant topology.

FIGURE 2-1 Redundant Switched Topology (figure labels: Server/Host X, Router Y, Segment 1, Segment 2)

In the absence of the Spanning Tree Protocol (STP), Layer 2 redundancy can cause problems in a network, including broadcast storms, multiple copies of frames, multiple loops, and MAC address table instability.

Broadcast Storms
The flooding of broadcast frames can cause a broadcast storm (indefinite flooding of frames) unless a mechanism is in place to prevent it.

An example of a broadcast storm is shown in Figure 2-2 and can be described as follows:
1. Host X sends a broadcast frame.
2. Switch A checks the destination and floods it to the bottom Ethernet link, segment 2.
3. Switch B receives the frame on the bottom port and transmits a copy to the top segment, which is received by switch A.
4. Because the original frame arrives at switch B through the top segment, switch B transmits the frame a second time. The frame travels continuously in both directions.

FIGURE 2-2 Broadcast Storm (figure labels: Server/Host X, Router Y, Segment 1, Switch A, Switch B, Broadcast)

Multiple Frame Transmission
Some protocols cannot correctly handle duplicate transmissions. Protocols that use sequence numbering see that the sequence has recycled. Other protocols process the duplicate frame with unpredictable results. As depicted in Figure 2-3, multiple frame transmissions occur as follows:

1. Host X sends a frame to Router Y.
2. Switch A checks the destination address. If the switch does not find an entry in the MAC address table for Router Y, it floods the frame on all ports except the originating port.
3. Switch B receives the frame on segment 2 and forwards it to segment 1. Note that Router Y has now received the same frame twice. One copy is received over the direct Ethernet connection, segment 1. Switch A also receives a copy. This process repeats indefinitely.

FIGURE 2-3 Multiple Frame Transmission (figure labels: Server/Host X, Router Y, Segment 1, Switch A, Switch B)

MAC Database Instability
Database instability occurs when a switch receives the same frame on different ports. Figure 2-4 shows how this occurs:
1. Host X sends a frame to Router Y. When the frame arrives at switches A and B, they both learn the MAC address for host X and associate it with port 0.
2. The frame is flooded out port 1 of each switch (assuming that Router Y’s address is unknown).
3. Switches A and B receive the frame on port 1 and incorrectly associate host X’s MAC address with that port.

FIGURE 2-4 MAC Database Instability (figure labels: Switch A, Switch B; Server/Host X, Router Y, Segment 1; Port 0, Port 1; MAC Table Host X = Port 0, MAC Table Host X = Port 1; Unicast)

Multiple Loops
Multiple loops can occur in large switched networks. Figure 2-5 shows an example of multiple loops occurring in a network. When multiple loops are present, a broadcast storm clogs the network with useless traffic. Packet switching is adversely affected in such a case and might not work. Unlike the time-to-live (TTL) mechanism in IP, Ethernet has no built-in mechanism to stop loops after they begin.
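The three problems described in Figures 2-3 and 2-4 (duplicate delivery, a table that flips between port 0 and port 1, and a frame that never stops circulating) reproduced in a small simulation that is an added example rather than the book's code: switches A and B each join segment 1 (where host X and router Y sit) through port 0 and segment 2 through port 1, apply the learn-then-forward-or-flood rule to a single unicast frame from X to an unknown destination Y, and the run is repeated with B's port 1 blocked the way Spanning Tree would block it. Station names, port numbers and the event budget are constructed.

```python
"""Learning-bridge loop with and without a blocked port (added example; not from the CCNA sheets)."""
from collections import deque


class Switch:
    """A learning bridge with two ports: 0 on segment 1, 1 on segment 2 (as in the figures)."""
    PORT_SEGMENT = {0: "seg1", 1: "seg2"}

    def __init__(self, name, blocked_ports=()):
        self.name = name
        self.table = {}                 # MAC -> port it was last seen on
        self.flips = 0                  # times an entry moved from one port to another
        self.blocked = set(blocked_ports)

    def handle(self, in_port, src, dst):
        """Learn src on in_port, then forward (known dst) or flood (unknown dst).
        Returns the list of segments the frame is transmitted onto."""
        if in_port in self.blocked:
            return []                   # a blocking port receives nothing but BPDUs
        if src in self.table and self.table[src] != in_port:
            self.flips += 1             # the MAC database instability of Figure 2-4
        self.table[src] = in_port
        if dst in self.table:
            out_ports = [self.table[dst]]
        else:
            out_ports = [p for p in self.PORT_SEGMENT if p != in_port]
        return [self.PORT_SEGMENT[p] for p in out_ports if p not in self.blocked]


def simulate(blocked_on_b=(), max_events=40):
    """Replay one frame from X to Y; stop after max_events if it is still circulating."""
    a, b = Switch("A"), Switch("B", blocked_on_b)
    stations = {"seg1": {"X", "Y"}}    # host X and router Y share segment 1
    # queue entries: (segment, src, dst, sender) -- sender is the switch that transmitted it
    queue = deque([("seg1", "X", "Y", None)])
    copies_to_y, events = 0, 0
    while queue and events < max_events:
        seg, src, dst, sender = queue.popleft()
        events += 1
        if dst in stations.get(seg, ()):
            copies_to_y += 1            # Router Y sees another copy of the same frame
        for sw in (a, b):
            if sw.name == sender:
                continue                # a bridge does not hear its own transmission
            in_port = 0 if seg == "seg1" else 1
            for out_seg in sw.handle(in_port, src, dst):
                queue.append((out_seg, src, dst, sw.name))
    return {"copies_to_Y": copies_to_y, "flips_A": a.flips, "flips_B": b.flips,
            "events": events, "still_looping": bool(queue)}


if __name__ == "__main__":
    print("no STP:      ", simulate())
    print("B port1 (B): ", simulate(blocked_on_b=(1,)))
```

With nothing blocked the run exhausts its event budget with frames still queued and both tables flipping, because router Y never transmits and so is never learned; with one redundant port in the blocking state the same frame is delivered exactly once and the tables never change. That is the whole effect of the blocking state the next pages describe.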

FIGURE 2-5 Network Experiencing Multiple Loops (figure labels: Server/Host, Workstations, Broadcast, Loop)

Spanning Tree Protocol
Spanning Tree Protocol (STP) prevents looping traffic in a redundant switched network by blocking traffic on the redundant links. If the main link goes down, Spanning Tree activates the standby path. STP was developed by Digital Equipment Corp. (DEC) and was revised in the IEEE 802.1d specification. The two algorithms are incompatible. Catalyst switches use the IEEE 802.1d STP by default. STP operation is transparent to end stations.

Spanning Tree Operation
STP assigns roles to switches and ports so that only one path is available through the switch network at any given time.

This is accomplished by assigning a single root bridge, root ports for nonroot bridges, and a single designated port for each network segment. Assignment is made by cost. The port with the lowest-cost path to the root bridge is chosen as the root port. On each segment, the port of the bridge with the lowest-cost path to the root bridge is the designated port. One designated port is assigned on each segment. Table 2-1 shows the costs for switch interfaces.

Table 2-1 Spanning Tree Costs
Link Speed    Cost
10 Gbps       2
1 Gbps        4
100 Mbps      19
10 Mbps       100

On the root bridge, all ports are designated ports. On the root bridge, all ports are set to the forwarding state. For the nonroot bridge, only the root port is set to the forwarding state. Figure 2-6 shows a root bridge, nonroot bridge, and port status.

FIGURE 2-6 Root Bridge, Nonroot Bridge, and Port Status (figure labels: Root Bridge SW X: Designated Port (F), Designated Port (F); 100BASE-T, 10BASE-T; Nonroot Bridge SW Y: Root Port (F), Nondesignated Port (B))

Spanning Tree must select the following:
- One root bridge
- One root port per nonroot bridge
- One designated port per network segment

Selecting the Root Bridge
Switches running STP exchange information at regular intervals using a frame called the bridge protocol data unit (BPDU). Each bridge has a unique bridge ID. The bridge ID contains the bridge MAC address and a priority number. The midrange value of 32768 is the default priority. The bridge with the lowest bridge ID is selected as the root bridge. When switches have the same priority, the one with the lowest MAC address is the root bridge. Figure 2-7 shows switch X as the root bridge.

FIGURE 2-7 Root Bridge Selection (figure labels: Switch X, Default Priority 32768 (8000 hex), MAC 0c0011111111; Switch Y, Default Priority 32768 (8000 hex), MAC 0c0022222222; BPDU)

Spanning Tree Election Criteria
Spanning Tree builds paths from the root bridge along the fastest links. It selects paths according to the following criteria:
1. Lowest path cost to the root bridge
2. Lowest sender bridge ID
3. Lowest sender port ID
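The election described on the last two pages carried out in code, as an added example that is not the book's: the root is the lowest bridge ID (priority, then MAC), every nonroot bridge takes as root port the port with the lowest path cost using the Table 2-1 costs, ties broken by sender bridge ID, sender port ID and then the receiving port ID, and each segment gets one designated port, the one on the bridge with the lowest path cost to the root. The sample topology is Figures 2-6 and 2-7: SW X and SW Y joined by a 100BASE-T and a 10BASE-T segment, with the figure's MAC addresses; the port numbers are constructed. The same routine also covers a three-switch triangle and a deliberately lowered priority, which goes beyond the two-switch figure.

```python
"""Root bridge, root port and designated port election (added example; not from the CCNA sheets)."""
COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}      # Table 2-1, keyed by link speed in Mbps


def bid(priority, mac):
    """Bridge ID orders by priority first, then MAC; lower wins."""
    return (priority, mac.replace(".", "").replace(":", "").lower())


def designated_per_segment(bids, rpc, links):
    """Per segment, the winning (root path cost, sender BID, sender port, bridge)."""
    desig = {}
    for (b, p, seg, _) in links:
        cand = (rpc[b], bids[b], p, b)
        if seg not in desig or cand < desig[seg]:
            desig[seg] = cand
    return desig


def run_stp(bridges, links):
    """bridges: name -> (priority, mac); links: (bridge, port_id, segment, mbps).
    Returns (root bridge name, root path cost per bridge, role per (bridge, port))."""
    bids = {n: bid(*pm) for n, pm in bridges.items()}
    root = min(bids, key=bids.get)
    rpc = {n: (0 if n == root else float("inf")) for n in bids}
    root_port = {}
    for _ in range(len(bridges) + 1):        # relax until every bridge knows its best path
        desig = designated_per_segment(bids, rpc, links)
        for n in bids:
            if n == root:
                continue
            cands = []
            for (b, p, seg, mbps) in links:
                dcost, dbid, dport, dname = desig[seg]
                if b == n and dname != n:    # the BPDU heard on this port came from dname
                    cands.append((dcost + COST[mbps], dbid, dport, p))
            if cands:
                best = min(cands)            # criteria 1, 2, 3 and then own port ID
                rpc[n], root_port[n] = best[0], best[3]
    desig = designated_per_segment(bids, rpc, links)
    roles = {}
    for (b, p, seg, _) in links:
        if desig[seg][3] == b and desig[seg][2] == p:
            roles[(b, p)] = "designated"     # forwarding
        elif root_port.get(b) == p:
            roles[(b, p)] = "root"           # forwarding
        else:
            roles[(b, p)] = "nondesignated"  # blocking
    return root, rpc, roles


FIGURE_2_6 = (
    {"X": (32768, "0c00.1111.1111"), "Y": (32768, "0c00.2222.2222")},
    [("X", 1, "100BASE-T", 100), ("Y", 1, "100BASE-T", 100),
     ("X", 2, "10BASE-T", 10), ("Y", 2, "10BASE-T", 10)],
)

if __name__ == "__main__":
    root, rpc, roles = run_stp(*FIGURE_2_6)
    print("root bridge:", root, "path costs:", rpc)
    for (b, p), role in sorted(roles.items()):
        print(f"SW {b} port {p}: {role}")
```

Changing Y's priority in the sample from 32768 to a lower value is enough to move the root, which is exactly the lever the spanning-tree root primary command on a later page pulls; leaving every switch at the default means the election is decided by whichever switch happens to have the lowest MAC address.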

Port States
Frames take a finite amount of time to travel or propagate through the network. This delay is known as propagation delay. When a link goes down, this information is sent throughout the network, but not all switches receive it at the same time. To prevent temporary loops, switches wait until the entire network is updated before setting any ports to the forwarding state. Each switch port in a network running STP is in one of the states listed in Table 2-2.

Table 2-2 Spanning Tree Port States
Port State    Timer                     Actions
Blocking      Max Age (20 sec)          Receives BPDUs, discards frames, does not learn MAC addresses
Listening     Forward Delay (15 sec)    Receives BPDUs to determine its role in STP, discards frames, does not learn MAC addresses
Learning      Forward Delay             Receives and transmits BPDUs, learns MAC addresses, discards frames
Forwarding    —                         Forwards frames, learns MAC addresses, receives and transmits BPDUs

The forward delay is the time it takes for a port to go to a higher state. It usually takes 50 seconds for a port to go from the blocking state to the forwarding state, but the timers can be adjusted.

Spanning Tree Recalculation
When a link fails, the network topology must change. Connectivity is reestablished by placing key blocked ports in the forwarding state. Spanning Tree recalculates the network. In Figure 2-8, if switch X fails, switch Y does not receive the BPDU. If the BPDU is not received before the MAXAGE timer expires, Spanning Tree begins recalculating the network. Spanning Tree activates previously blocked links. In the figure, switch Y is now the root bridge. If switch X comes back up, Spanning Tree recalculates the network, and switch X is once again the root bridge.

FIGURE 2-8 Spanning Tree Recalculation (figure labels: Switch X, MAC 0c0011111111, Default Priority 32768, Root Bridge, Port 0 Designated Port, Port 1 Designated Port, MAXAGE; Switch Y, MAC 0c0022222222, Default Priority 32768, Port 0 Root Port (F), Port 1 Nondesignated Port (B); 100BASE-T, 10BASE-T, BPDU)

Time to Convergence
A network is said to have converged when all ports in a switched network are in either a blocking or forwarding state after a topology change.

PortFast
Spanning Tree PortFast is a Cisco feature that causes an access port on a switch to transition immediately from the blocking state to the forwarding state, thus bypassing the listening and learning states. PortFast is used on access ports that are connected to a single workstation or server to allow these devices to connect to the network immediately rather than waiting for STP to converge. PortFast is useful if a workstation is configured to acquire an IP address through Dynamic Host Configuration Protocol (DHCP). The workstation can fail to get an IP address because the switch port the workstation is connected to might not have transitioned to the forwarding state by the time DHCP times out.

Configuring PortFast
PortFast is configured using the following interface command:
SwitchA(config-if)#spanning-tree portfast
PortFast can be configured globally on all nontrunking links using the following global command:
SwitchA(config)#spanning-tree portfast default
PortFast can be disabled using the no spanning-tree portfast interface command.

Per-VLAN STP+ (PVST+)
PVST+ creates a different spanning-tree instance for each VLAN on a switch. Each VLAN has its own root bridge. Therefore, the spanning-tree topology can be configured so that each VLAN has a different root bridge. Providing different STP root switches per VLAN creates a more redundant network. PVST+ is enabled by default on Cisco switches running 802.1D.

PVST+ Extended Bridge ID
STP requires that each switch have a unique bridge ID (BID). The original 802.1D standard BID consisted of the bridge priority and MAC address. PVST+ requires a separate instance of Spanning Tree for each VLAN. Because PVST+ requires a separate instance of Spanning Tree for each VLAN, the BID field is required to carry VLAN ID (VID) information. This is accomplished by reusing a portion of the Priority field as the extended system ID to carry the VID. In PVST+, the BID consists of the following:
- Bridge priority: A 4-bit field. The default is 32,768.
- Extended system ID: A 12-bit field carrying the VID.
- MAC address: A 6-byte field containing the MAC address of the switch.

Rapid Spanning Tree Protocol (802.1w)
Rapid Spanning Tree Protocol (RSTP, 802.1w) significantly speeds the convergence process after a topology change occurs in a switched network. In 802.1D, a redundant port can take up to 50 seconds to transition from a blocking state to a forwarding state. RSTP works by designating an alternative port and a backup port. These ports are allowed to immediately enter the forwarding state rather than passively wait for the network to converge. Table 2-3 shows the new port states in RSTP and describes how they compare to 802.1D.

Table 2-3 Port State Comparison
Operational Status    STP Port State    RSTP Port State    Port Included in Active Topology?
Enabled               Blocking          Discarding         No
Enabled               Listening         Discarding         No
Enabled               Learning          Learning           Yes
Enabled               Forwarding        Forwarding         Yes
Disabled              Disabled          Disabled           No

Per-VLAN Rapid Spanning Tree Plus (PVRST+)
Like the original 802.1D standard, the 802.1w standard uses Common Spanning Tree (CST), which uses one spanning tree instance for the entire switched network. PVRST+ defines a spanning-tree protocol that has one instance of RSTP per VLAN.

Multiple Spanning Tree Protocol (MSTP)
MSTP (802.1Q-2003) allows switches running RSTP to group VLANs into one instance of Spanning Tree. Each VLAN group has a separate instance of Spanning Tree that is independent of other Spanning Tree instances.

RSTP Port Roles
RSTP has new port roles. The root port and designated port roles are the same as they are in 802.1D. However, in RSTP, the blocking port in 802.1D is split into the backup and alternate port roles. Also, the Spanning Tree Algorithm determines the role of a port based on BPDUs. The port roles in RSTP are as follows:
- Root port: The port that received the best BPDU on a switch
- Designated port: The port that sends the best BPDU on the segment
- Backup port: A port that receives more useful BPDUs from the same switch it is on and is in a blocking state
- Alternate port: A port that receives more useful BPDUs from another switch and is in a blocking state

In RSTP, if the root port fails, the alternate port will become the new root port, and the backup port will become the new designated port. Figure 2-9 shows the new port roles in RSTP.

FIGURE 2-9 RSTP Port Roles (figure labels: Root; R = Root Port, D = Designated Port, A = Alternate Port, B = Backup Port)

New BPDU Format
RSTP uses a new BPDU format. Additionally, RSTP uses BPDUs as a keepalive mechanism. RSTP sends a BPDU every hello-time (2 seconds by default). If a port does not receive three consecutive BPDUs (6 seconds), the switch considers it has lost connectivity to its direct neighbor and begins to transition to the forwarding state.

Edge Port
An RSTP edge port is a port that is directly connected to end stations. Because directly connected end stations cannot create bridging loops in a switched network, the edge port directly transitions to the forwarding state. Edge ports are configured using the spanning-tree portfast interface command.

Point-to-Point Link
A point-to-point link is a link in RSTP that directly connects two switches (an uplink) in full-duplex.

Link Type
In RSTP, a link can only rapidly transition to a forwarding state on edge ports and on point-to-point links. The link type is automatically derived from the duplex mode of a port. Full-duplex is assumed to be point-to-point, and a half-duplex link is considered a shared point.

Configuring RSTP
Cisco Catalyst switches support three types of STP:
- PVST+
- PVRST+
- MSTP

The default STP for Cisco Catalyst switches is PVST+, with a separate STP instance for each VLAN, one root bridge for all VLANs, and no load sharing. The Cisco version of PVST+ includes proprietary extensions such as BackboneFast, UplinkFast, and PortFast. To configure PVRST+, perform the following steps:
Step 1. Enable PVRST+.
Step 2. Designate and configure a switch to be the root bridge.
Step 3. Designate and configure a switch to be the secondary (backup) root bridge.
Step 4. Verify the configuration.

Enabling PVRST+
The spanning-tree mode rapid-pvst global command, as follows, enables PVRST+ on a Cisco Catalyst switch:
SwitchA(config)#spanning-tree mode rapid-pvst

Configuring the Root and Backup Root Switch
In STP, the root switch is the switch with the lowest bridge ID (BID). The BID consists of the bridge priority and the switch MAC address. Because all Cisco switches have the same bridge priority (32768), the switch with the lowest MAC

address will be the root bridge. In many cases, this is not desired. For example, an older (and potentially slower) switch will have a lower MAC address than a newer switch, and the older switch will be the root bridge. To specify a switch to be the root switch, use the following global command:
spanning-tree vlan vlan-number root primary
For example, the following command configures the switch to be the root switch for only VLAN 1:
Cat2960(config)#spanning-tree vlan 1 root primary
The spanning-tree root primary command increases the switch priority (lowering the numerical value) so that the switch becomes the root bridge and forces Spanning Tree to perform a recalculation. To configure the backup root switch, use the spanning-tree vlan vlan-number root secondary global command, as follows:
Cat2960(config)#spanning-tree vlan 1 root secondary

Verifying PVRST+
To verify whether RSTP is enabled on a switch, use the show spanning-tree vlan vlan-number command, as follows:
SwitchA#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     000d.65ac.5040
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24606  (priority 24576 sys-id-ext 30)
             Address     000d.65ac.5040
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/2            Desg FWD 4         128.2    P2p

EtherChannel
EtherChannel is a Cisco feature that allows combining of up to eight physical links into one logical connection. This logical connection load-balances traffic between the physical links and is seen by Spanning Tree as one link. Thus with EtherChannel, instead of a redundant link not being used, all physical links are forwarding traffic. If one of the physical links in the EtherChannel group fails, the other links still forward traffic. EtherChannel provides an easy way to increase network bandwidth. Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet links can be configured for EtherChannel.

Securing the Expanded Network
As also mentioned in ICND1, you must ensure that the network is secure from unauthorized activity. Ways to secure the network include
- Physical security
- Switch security (switch authentication)
- Port-based authentication
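Step 4 of the PVRST+ procedure (verify the configuration) done programmatically, as an added example that is not the book's code: the show spanning-tree vlan 1 display from the preceding pages is embedded below as a constructed copy, parse_show_spanning_tree() pulls out the protocol, the root and bridge IDs, the timers and the interface rows, and decode_priority() splits the displayed priority into the 4-bit bridge priority and the 12-bit extended system ID described under "PVST+ Extended Bridge ID", confirming that 24606 is 24576 plus a sys-id-ext of 30. The consistency checks at the end are the ones a verification script would run after the root primary and root secondary commands; they are assumptions about what is worth checking, not Cisco-documented rules.

```python
"""Parsing and sanity-checking show spanning-tree output (added example; not from the CCNA sheets)."""
import re

# constructed copy of the output shown on the preceding pages
SAMPLE = """\
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     000d.65ac.5040
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24606  (priority 24576 sys-id-ext 30)
             Address     000d.65ac.5040
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Gi0/1            Desg FWD 4         128.1    P2p
Gi0/2            Desg FWD 4         128.2    P2p
"""


def decode_priority(value: int):
    """Displayed priority -> (4-bit bridge priority, 12-bit extended system ID)."""
    return value & 0xF000, value & 0x0FFF


def encode_priority(priority: int, vid: int) -> int:
    """Inverse of decode_priority; the priority must be a multiple of 4096."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN out of range")
    return priority | vid


def parse_show_spanning_tree(text: str) -> dict:
    """Extract the fields a verification script needs from one VLAN's display."""
    info = {"vlan": re.search(r"^(VLAN\d+)", text, re.M).group(1),
            "protocol": re.search(r"protocol (\w+)", text).group(1),
            "is_root": "This bridge is the root" in text}
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9a-f.]+)", text)
    bridge = re.search(r"Bridge ID\s+Priority\s+(\d+)\s+\(priority (\d+) sys-id-ext (\d+)\)"
                       r"\s+Address\s+([0-9a-f.]+)", text)
    info["root_priority"], info["root_address"] = int(root.group(1)), root.group(2)
    info["bridge_priority"] = int(bridge.group(1))
    info["base_priority"], info["sys_id_ext"] = int(bridge.group(2)), int(bridge.group(3))
    info["bridge_address"] = bridge.group(4)
    timers = re.search(r"Hello Time\s+(\d+) sec\s+Max Age (\d+) sec\s+Forward Delay (\d+) sec", text)
    info["timers"] = tuple(int(t) for t in timers.groups())
    rows = re.findall(r"^(\S+)\s+(\w+)\s+(\w+)\s+(\d+)\s+(\d+\.\d+)\s+(\w+)\s*$", text, re.M)
    info["interfaces"] = [{"name": n, "role": r, "state": s, "cost": int(c),
                           "prio_nbr": pn, "type": t} for n, r, s, c, pn, t in rows]
    return info


def problems(info: dict) -> list:
    """Checks assumed useful after 'root primary': decode agrees with the display,
    the root flag agrees with the addresses, and a root's ports are all designated."""
    found = []
    base, ext = decode_priority(info["bridge_priority"])
    if (base, ext) != (info["base_priority"], info["sys_id_ext"]):
        found.append("priority decode disagrees with the displayed breakdown")
    if info["is_root"] != (info["root_address"] == info["bridge_address"]):
        found.append("root flag disagrees with root/bridge addresses")
    if info["is_root"] and any(i["role"] != "Desg" for i in info["interfaces"]):
        found.append("root bridge has a non-designated port")
    return found


if __name__ == "__main__":
    parsed = parse_show_spanning_tree(SAMPLE)
    print(parsed["protocol"], parsed["is_root"], decode_priority(parsed["bridge_priority"]))
    print("problems:", problems(parsed) or "none")
```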


Physical Security
Physical security prevents unauthorized physical access to switches. This means that switches are in a secure location (for example, a locked closet and rack), with only authorized personnel allowed to access the devices.

Switch Security
Switch security, also called switch-based authentication, prevents unauthorized users from accessing the switch remotely and viewing or changing the configuration of a switch. Switch-based authentication includes
- Setting privilege-level passwords
- Setting enable passwords
- Setting Telnet passwords
- Setting console passwords
- Setting username and password pairs with different levels of access
- Controlling switch access with a TACACS+ or RADIUS authentication server
- Configuring the switch to use Secure Shell (SSH) instead of Telnet
- Configuring HTTPS on the switch
- Disabling unneeded services, such as tcp-small-servers, udp-small-servers, finger, and the service config
- Using warning banners
- Configuring switch logging

© 2008 Cisco Systems, Inc. All rights reserved. This publication is protected by copyright. Please see page 311 for more details.


Implementing and Verifying Port Security
Port security limits the number of MAC addresses allowed per port and can also limit which MAC addresses are allowed. Allowed MAC addresses can be manually configured or dynamically learned by the switch. The interface command to configure port security is as follows:
switchport port-security [mac-address mac-address | mac-address sticky [mac-address] | maximum value | violation {restrict | shutdown}]

- switchport port-security mac-address mac-address: Manually configures the port to use a specific MAC address.
- switchport port-security mac-address sticky: Configures the switch to dynamically learn the MAC address of the device attached to the port and keep it in the running configuration.
- switchport port-security maximum value: Configures the maximum number of MAC addresses allowed on the port. The default value is 1.
- switchport port-security violation {restrict | shutdown}: Configures the action to be taken when the maximum number of MAC addresses is reached and MAC addresses not associated with the port try to access the port. The restrict parameter tells the switch to drop frames from MAC addresses beyond the configured maximum while continuing to forward traffic from the secure addresses. The shutdown parameter tells the switch to shut down (err-disable) the port if a violation occurs.

The following example demonstrates how to configure port security:
Cat2960(config)#int f0/1
Cat2960(config-if)#switchport mode access
Cat2960(config-if)#switchport port-security
Cat2960(config-if)#switchport port-security max 1
Cat2960(config-if)#switchport port-security mac-address sticky
Cat2960(config-if)#switchport port-sec violation restrict


To verify port security, use the show port-security command, as follows:
Cat2960#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)        (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/1             1            0                  0         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8320
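The configuration and verification above can be modelled to see what each violation mode actually does to traffic. The following is an added example, not code from the Quick Reference Sheets: a small simulation of an access port with a maximum address count, sticky learning and the restrict and shutdown violation modes, summarised the way show port-security reports it. The MAC addresses are constructed sample values.

```python
"""Model of Cisco port-security behaviour (added example, not from the Quick Reference Sheets)."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # switchport port-security maximum <value>
    violation: str = "shutdown"         # switchport port-security violation {restrict | shutdown}
    sticky: bool = False                # switchport port-security mac-address sticky
    static_macs: tuple = ()             # switchport port-security mac-address <mac>
    secure_macs: list = field(default_factory=list)
    violations: int = 0                 # SecurityViolation (Count) in show port-security
    err_disabled: bool = False

    def __post_init__(self):
        if self.violation not in ("restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        # Statically configured addresses count toward the maximum.
        self.secure_macs = [m.lower() for m in self.static_macs]

    def receive(self, src_mac):
        """Handle an ingress frame from src_mac: 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"       # port stays down until an operator re-enables it
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Room left: learn the address dynamically (with sticky it is also
            # written to the running configuration, see sticky_lines()).
            self.secure_macs.append(src_mac)
            return "forward"
        # A MAC not associated with the port arrived after the maximum was reached.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True    # the whole port is err-disabled; all traffic stops
            return "err-disabled"
        return "drop"                   # restrict: offending frame dropped, secure MACs keep working

    def sticky_lines(self):
        """Running-config lines a sticky port would persist for its learned addresses."""
        if not self.sticky:
            return []
        static = {m.lower() for m in self.static_macs}
        return [f"switchport port-security mac-address sticky {m}"
                for m in self.secure_macs if m not in static]


def show_port_security(ports):
    """Rows of the summary table printed by show port-security."""
    return [(p.name, p.maximum, len(p.secure_macs), p.violations,
             "Shutdown" if p.violation == "shutdown" else "Restrict") for p in ports]


if __name__ == "__main__":
    # Constructed scenario: the expected host, then a second device appearing on the same port.
    fa01 = SecurePort("Fa0/1", maximum=1, violation="restrict", sticky=True)
    fa02 = SecurePort("Fa0/2", maximum=1, violation="shutdown")
    for port in (fa01, fa02):
        for mac in ("0011.2233.4455", "66aa.bbcc.ddee", "0011.2233.4455"):
            print(port.name, mac, port.receive(mac))
    print(show_port_security([fa01, fa02]))
    print(fa01.sticky_lines())
```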

Securing Unused Ports
To secure unused ports, either disable the port or place the port in an unused VLAN. A switch port is disabled by issuing the shutdown interface command.

Port-Based Authentication
Port-based authentication prevents unauthorized devices from gaining access to the network. Based on 802.1x, port-based authentication requires a client to be authenticated to a server before it is allowed on the LAN. 802.1x is a standards-based method that defines client-server–based access control and has the following device roles, as displayed in Figure 2-10:
- Client: The device (workstation) that requests access to the LAN. Must be running 802.1x-compliant client software.
- Authentication server: Performs the authentication of the client, validating the identity of the client. Currently, a RADIUS server with Extensible Authentication Protocol (EAP) is the only supported authentication server.
- Switch: Controls the physical access to the network based on the authentication status of the client. Acts as a proxy between the client and authentication server.
FIGURE 2-10 802.1x Device Roles (802.1x Client, 802.1x Switch, 802.1x RADIUS Authentication Server)


Section 3 Troubleshooting Switched Networks
In a switched environment, typical issues include physical issues or hardware problems, Layer 2 issues, and configuration issues. Physical issues can include port failures, network interface card (NIC) failures, and port configuration issues. Layer 2 issues can include links not properly trunking, CAM table inconsistencies (the CAM table is the table that stores all the MAC addresses and the ports associated with the MAC addresses), or spanning-tree issues. Configuration issues include misconfigurations and inconsistencies in VTP, VLANs, or Spanning Tree.

General Troubleshooting Suggestions
The following are three suggestions for general switch troubleshooting:
- Become familiar with normal switch operation.
- Have an accurate physical and logical map of the network.
- Do not assume a component is working without checking it first.

Troubleshooting Port Connectivity Problems
Common causes for port connectivity problems include hardware issues, configuration issues, and traffic issues.


Hardware Issues
- Check the port status of the ports involved. Make sure that the ports are enabled and not shut down.
- Check the cable. Make sure that the cable is good and that the proper cable type is used.
- Check for loose connections.
- Make sure that the cable is plugged in to the correct port.

Cable Type
When using copper cabling, make sure you are using the correct cable type for the connection you are making. Straight-through RJ-45 cables connect nonsimilar devices to each other: data terminal equipment (DTE) devices (end stations, routers, or servers) to a data communications equipment (DCE) device (switch or hub). Crossover cables typically connect similar devices, such as when connecting one switch to another. Figure 3-1 shows the pin-outs for a crossover cable.

FIGURE 3-1 Crossover Cable and Pin-Outs. Recoverable figure content: the straight-through cable (10BASE-TX, 100BASE-T) pin labels, with the wires on both cable ends in the same order:
Pin  Hub/Switch  Server/Router
1    RD+         TD+
2    RD-         TD-
3    TD+         RD+
4    NC          NC
5    NC          NC
6    TD-         RD-
7    NC          NC
8    NC          NC


Verify Port Information
To view port information, such as port type, speed, duplex settings, or statistics and errors, use the show interface interface-id privileged EXEC command. The following command shows the information for interface g0/1. The highlighted areas are areas you should be familiar with.

SwitchA#show interface g0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet Port, address is 000d.65ac.5040 (bia 000d.65ac.5040)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, link type is auto, media type is 1000BaseSX
  input flow-control is on, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:09, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 10000 bits/sec, 8 packets/sec
  5 minute output rate 10000 bits/sec, 7 packets/sec
     1476671 packets input, 363178961 bytes, 0 no buffer
     Received 20320 broadcasts (12683 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     1680749 packets output, 880704302 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Port Errors
The following are reasons for common port errors:
- "errDisable" message: EtherChannel misconfiguration, duplex mismatch, native VLAN mismatch, BPDU port-guard has been enabled on the port, Unidirectional Link Detection (UDLD).
- Excessive collisions: Duplex mismatch, oversaturated medium, faulty port, or distance between the two switches exceeds the cable specifications.
- Excessive runts: Runts are frames smaller than 64 bytes with a bad frame check sequence (FCS). Bad cabling or inconsistent duplex settings cause runts.
- Excessive giants: Giants are frames greater than the Ethernet maximum transmission unit (MTU) of 1518 bytes. The cause is usually a faulty NIC.

Port Connectivity Problem Summary
- Become familiar with normal switch operation.
- Have an accurate physical and logical map of the network.
- Check port status of ports involved.
- Do not assume that a component is working without checking it first.

Troubleshooting VLANs
The first step in troubleshooting VLANs is to check the VLAN configuration. If hosts cannot communicate with each other, make sure that they are on the same VLAN. If hosts cannot communicate between VLANs, make sure that your routing is configured correctly.

VLAN problems are classified into two categories: intraVLAN and interVLAN connectivity. Problems within each category are as follows:
- Slow collision domain connectivity
- Slow broadcast domain connectivity (slow VLAN)
- Slow broadcast domain interVLAN connectivity

Troubleshooting Collision Domain Issues
Causes for collision domain issues include the following:
- The segment is overloaded or oversubscribed.
- Bad cabling on the segment.
- NICs on the segment do not have compatible settings.
- Faulty NICs.

Troubleshooting Slow IntraVLANs
Slowness between hosts on the same VLAN can be caused by
- Traffic loops
- Overloaded or oversubscribed VLAN
- Switch congestion
- Misconfiguration
- Hardware problems

Troubleshooting InterVLAN Connectivity
Most interVLAN connectivity issues are caused by misconfiguration. However, first verify that the interfaces are physically working. InterVLAN routing was probably not properly configured and needs to be configured to route between the VLANs.

Troubleshooting Trunking
Most trunking problems occur because of misconfiguration on the trunking links. Here are some common trunking issues:
- Both sides of the links are not set to the correct trunking mode. For example, both sides of the link are set to auto.
- The same trunking encapsulation is not used on both sides.
- A native VLAN mismatch exists.

Troubleshooting VTP
VTP problems occur when a misconfiguration exists between the switches and VTP information is not propagating. A common indication that a switch is experiencing a VTP problem is when the switch is not receiving or updating its VLAN information. The following are common things to check when troubleshooting VTP problems:
- Make sure that trunking is configured between the switches. VTP information is sent over trunk links.
- Make sure that the domain name matches on both switches. The domain name is case sensitive.
- If using a VTP password, make sure that the password is the same on both switches. The password is case sensitive.
- Verify that the switch is in the proper mode: server, client, or transparent.

Adding a New Switch to a VTP Domain
By default, all Cisco switches are VTP servers. If a new switch is added to the network, its revision number might be higher than the revision number of the actual VTP server. If this is the case, the new switch will overwrite all VLAN information in the VTP domain, resulting in lost VLANs. To prevent this from occurring, reset the revision number on the new switch to 0 by changing its VTP domain name on the switch, change the VTP domain name back to the proper VTP domain name, and add the switch to the network.

Troubleshooting Spanning Tree
Spanning Tree's primary function is to prevent loops from occurring in a redundant switched network. STP works at Layer 2 of the OSI model. A failure in Spanning Tree usually leads to a bridging loop. To identify a bridging loop, check the port utilization on your devices and look for abnormal values. If a bridging loop is found, disable the redundant ports to break the loop. Use the following commands to view Spanning Tree information and see whether a loop exists in the network:
- show spanning-tree: Displays the root ID, bridge ID, and priority time for all VLANs in STP.
- show spanning-tree vlan vlan-id: Displays STP information for a specific VLAN.
- debug spanning-tree: Verifies receipt of BPDUs and troubleshoots other Spanning Tree errors.

Part II: Routing

Section 4 Routing Operations and VLSM

Routing Overview
Routing is the process of getting packets and messages from one location to another. A router is constantly learning about routes in the network and storing this information in its routing table. The router uses its table to make forwarding decisions. A router needs the following key information, as displayed in Figure 4-1:
- Destination address: The destination (typically an IP address) of the information being sent. This includes the subnet address.
- Possible routes: Likely routes to get from source to destination.
- Best route: The best path to the intended destination.
- Status of routes: Known paths to destinations.

The router learns about routes in one of two ways:
- Manually (routing information entered by the network administrator)
- Dynamically (a routing process running in the network)

FIGURE 4-1 Information Needed by Router for Routing (Network Protocol: Routed Protocol IP; Destination Network 10.120.2.0 is Connected via exit interface E0, 172.16.1.0 is Learned via exit interface S0)

Dynamic Routing Overview
Routing protocols determine paths between routers and maintain routing tables. Dynamic routing uses routing protocols to disseminate knowledge throughout the network. A routing protocol defines communication rules and interprets network layer address information. Routing protocols describe the following:
- Routing update methods
- Information contained in updates
- When updates are sent
- Paths to other routers

Autonomous Systems
An autonomous system refers to a group of networks under a common administrative domain. Interior gateway protocols (IGP), such as Routing Information Protocol (RIP) and Enhanced IGRP (EIGRP), exchange routing information within an autonomous system. Exterior gateway protocols (EGP) connect between autonomous systems. A Border Gateway Protocol (BGP) is an example of an EGP. Figure 4-2 shows autonomous systems and where IGPs and EGPs are used.

FIGURE 4-2 Autonomous Systems (IGPs: RIP, EIGRP, OSPF; EGPs: BGP; Autonomous System 100 and Autonomous System 200)

Administrative Distance
Several routing protocols can be used at the same time in the same network. When more than a single source of routing information exists, the router uses an administrative distance (AD) value to rate the trustworthiness of each routing information source. The administrative distance metric is an integer from 0 to 255. In general, a route with a lower number is considered more trustworthy and is more likely to be used. Figure 4-3 shows that Router A has two paths to network E learned from RIP and EIGRP. Because Interior Gateway Routing Protocol (IGRP) has a lower AD than RIP, Router A will pick the path advertised by IGRP.

FIGURE 4-3 Administrative Distance Determines Path (Router A: "I need to send a packet to Network E. Both Router B and C will get it there. Which route is best?" Path via Router B learned from EIGRP, Administrative Distance=100; path via Router C learned from RIP, Administrative Distance=120)

Table 4-1 shows the default administrative distance values.

Table 4-1 Default Administrative Distance Values
Route Source         Default Distance
Connected interface  0
Static route         1
EIGRP                90
IGRP                 100
OSPF                 110
RIP                  120
External EIGRP       170
Unknown              255

Routing Protocol Classes
The following three basic routing protocol classes exist:
- Distance vector: Uses the direction (vector) and distance to other routers as metrics. RIPv2 is a distance vector protocol.
- Link-state: Also called shortest path first, this protocol re-creates the topology of the entire network. Open Shortest Path First (OSPF) and Intermediate System–to–Intermediate System (IS-IS) are link-state protocols.
- Balanced hybrid: Combines the link-state and distance vector algorithms. EIGRP is a balanced hybrid protocol.

InterVLAN Routing
VLANs create a logical segmentation of Layer 3, performed at Layer 2. End stations in different segments (broadcast domains) cannot communicate with each other without the use of a Layer 3 device such as a router. InterVLAN routing is handled by either a router or a Layer 3 switch. For interVLAN routing with a router, each VLAN must have a separate physical connection on the router, or trunking must be enabled on a single physical connection for interVLAN routing to work. Figure 4-4 shows a router attached to a switch. The end stations in the two VLANs communicate with each other by sending packets to the router, which forwards them to the other VLAN. This setup is called "router on a stick."

FIGURE 4-4 Router on a Stick (router connected to the switch over an 802.1Q trunk, routing between VLAN 1 and VLAN 2)

Router on a stick requires a Fast Ethernet (or Gigabit Ethernet) port.

Dividing Physical Interfaces into Subinterfaces
InterVLAN routing using router on a stick requires the use of subinterfaces, with one subinterface configured per VLAN. A subinterface is a logical, addressable interface on the router's physical port. A single port can have many subinterfaces. In Figure 4-5, the FastEthernet 0/0 interface is divided into multiple subinterfaces (FastEthernet 0/0.1, FastEthernet 0/0.2, and so on).

FIGURE 4-5 Using Subinterfaces (physical interface FastEthernet 0/0 divided into subinterfaces FastEthernet 0/0.1, FastEthernet 0/0.2, and FastEthernet 0/0.3)

Configuring Subinterfaces for InterVLAN Routing
To configure interVLAN routing on a router, first create a subinterface and then configure the subinterface with the encapsulation dot1q vlan-id command, where the vlan-id is the VLAN number of the associated VLAN. The following example enables interVLAN routing for VLANs 1, 10, and 20:
RouterB(config)#int f0/0
RouterB(config-if)#ip address 192.168.1.1 255.255.255.0
RouterB(config-if)#int f0/0.10
RouterB(config-if)#ip address 192.168.10.1 255.255.255.0
RouterB(config-if)#encapsulation dot1q 10
RouterB(config-if)#int f0/0.20
RouterB(config-if)#ip address 192.168.20.1 255.255.255.0
RouterB(config-if)#encapsulation dot1q 20

Remember that in 802.1Q, the native VLAN is not encapsulated. VLAN 1 is the default native VLAN if not otherwise specified with the dot1q vlan-id native command. In the previous example, the physical interface f0/0 is in the native VLAN because the encapsulation dot1q command is not configured. The subinterfaces f0/0.10 and f0/0.20 were configured for 802.1Q tagging and are therefore in VLANs 10 and 20, respectively. By using subinterfaces for interVLAN communication, all traffic must go through the router's interface. For large networks, this can cause a bottleneck. To prevent a bottleneck, use a Layer 3 switch to perform interVLAN routing.

Distance Vector Routing
Routers using distance vector–based routing share routing table information with each other. This method of updating is called "routing by rumor." Each router receives updates from its direct neighbor. In Figure 4-6, Router B shares information with Routers A and C. Router C shares routing information with Routers B and D. In this case, the routing information is distance vector metrics (such as the number of hops). Each router increments the metrics as they are passed on (incrementing hop count, for example).

FIGURE 4-6 Distance Vector Route Information (Routers A, B, C, and D in a chain, each holding its own routing table; Distance: how far? Vector: in which direction?)

Distance accumulation keeps track of the routing distance between any two points in the network, but the routers do not know the exact topology of an internetwork.

How Information Is Discovered with Distance Vectors
Network discovery is the process of learning about nondirectly connected destinations. As the network discovery proceeds, routers accumulate metrics and learn the best paths to various destinations. In Figure 4-7, each directly connected network has a distance of 0. Router A learns about other networks based on information it receives from Router B. For example, Router B knows about the networks to Router C, which is directly connected. Router B increments its distance metrics by 1 and sends them to Router A. Router A increments the distance metric for any route learned by Router B.

FIGURE 4-7 Network Discovery for Distance Vector (Routers A, B, and C in a chain: 10.1.0.0 on A's E0, 10.2.0.0 between A S0 and B S0, 10.3.0.0 between B S1 and C S0, 10.4.0.0 on C's E0; each routing table lists network, exit interface, and hop count)
Routing Table A        Routing Table B        Routing Table C
10.1.0.0  E0  0        10.2.0.0  S0  0        10.4.0.0  E0  0
10.2.0.0  S0  0        10.3.0.0  S1  0        10.3.0.0  S0  0
10.3.0.0  S0  1        10.1.0.0  S0  1        10.2.0.0  S0  1
10.4.0.0  S0  2        10.4.0.0  S1  1        10.1.0.0  S0  2

Examining Distance Vector Routing Metrics
Distance vector routing protocols use routing algorithms to determine the best route. These algorithms generate a metric value for each path through the network. The lower the metric, the better the path. Metrics can be calculated based on one or more characteristics of a path. Commonly used metrics are as follows:
- Bandwidth: An administrative value that usually reflects the link speed of an interface. This is not based on the actual link speed of an interface. For example, the default value of serial links is 1544 kbps, even if the link speed is greater than 1544 kbps.
- Delay: A fixed attribute based on interface type. Usually based on bandwidth.
- Load: The amount of activity on a network resource, such as a router or link.
- Reliability: The bit-error rate of each network link.
- Cost: An arbitrary value based on a network administrator–determined value.
- MTU (maximum transmission unit): The maximum frame size allowed on the link.

Updating Routing Tables
A router compares the information contained in the update to its current table. If the update contains information about a better (lower-metric) route to a destination, the router updates its own routing table. The table includes the total path cost (defined by its metric) and the logical address of the first router on the path to each destination network. In Figure 4-8, Router B is one unit of cost from Router A. Therefore, it adds 1 to all costs reported by Router A.

FIGURE 4-8 Routing Table Updates (Router A sends out its updated routing table after the next period expires; Router B processes it to update its own routing table; a topology change causes a routing table update)

How Routing Loops Occur in Distance Vector Protocols
During updates, the router sends its entire routing table to each of its adjacent neighbors. The network is converged when all routers have consistent routing tables. During updates, routing loops can occur if the network has inconsistent routing entries. Slow convergence on a new configuration is one cause of this phenomenon. Figure 4-9 illustrates how a routing loop occurs. Figure 4-9 uses hop count as a cost metric, so the cost of each link is 1. Before a network failure, all routers have correct tables. Router C is directly connected to network 10.4.0.0, with a distance of 0. Router A's path to network 10.4.0.0 is through Router B, with a hop count of 2.

FIGURE 4-9 Hop Count as a Cost Metric (the three-router topology of Figure 4-7 with the same routing tables; after network 10.4.0.0 fails, Router C's entry for 10.4.0.0 becomes Infinity while Routers A and B still list it with hop counts 2 and 1)

In Figure 4-10, network 10.4.0.0 fails, and Router C detects the failure and stops routing packets to that network. Routers A and B still do not know of the failure. Router A's table still shows a valid path to 10.4.0.0 through Router B. If Router B sends out its normal update to Routers A and C, Router C sees a valid path to 10.4.0.0 through Router B and updates its routing table to reflect a path to network 10.4.0.0 with a hop count of 2 (remember, B has incremented the hop count for A). Now Router C sends an update back to Router B, which then updates Router A. At this point, the updates continue. Without some mechanism to prevent this, the incorrect information continues to bounce between the routers with each update. This condition, called counting to infinity, continuously loops packets around the network.

FIGURE 4-10 Counting to Infinity (network 10.4.0.0 down on Router C's E0; the routing tables of Routers A, B, and C keep exchanging an ever-increasing hop count for 10.4.0.0)

Split Horizon
Split horizon is one way to eliminate routing loops and speed convergence. The idea behind split horizon is that it is never useful to send information about a route back in the direction from which the update came. Figure 4-11 shows the same network. Routers A and B do not advertise the failed route 10.4.0.0 out of the interfaces on which they originally learned the route. In this case, this is interface Serial 0 for Router A and interface Serial 1 for Router B. If the router has no valid alternative path to the network, it is considered inaccessible. Split horizon also eliminates unnecessary routing updates, thus speeding convergence.

FIGURE 4-11 Split Horizon Eliminates Routing Loops

Route Poisoning
Route poisoning (part of split horizon) also eliminates routing loops caused by inconsistent updates. Route poisoning sets a route to “unreachable.” By poisoning a route, the router is not susceptible to incorrect updates about the poisoned network from other routers that claim to have a valid alternate path. Figure 4-12 shows an example of route poisoning. When network 10.4.0.0 goes down, Router C “poisons” its link to network 10.4.0.0 with an infinite metric (marked as unreachable, seen as a hop count of 16 in RIP).

FIGURE 4-12 Route Poisoning Eliminates Routing Loops

When Router B sees the metric of 10.4.0.0 jump to infinity, it sends a return message (overriding split horizon) called a poison reverse back to Router C, stating that network 10.4.0.0 is inaccessible. This message ensures that all routers on that segment have received information about the poisoned route.

Poison Reverse
Poison reverse is a specific circumstance that overrides split horizon. In Figure 4-13, when Router B sees the metric to 10.4.0.0 jump to infinity, Router B sends a poison reverse back to Router C. The poison reverse states that network 10.4.0.0 is inaccessible. Router C is no longer susceptible to incorrect updates about network 10.4.0.0.

FIGURE 4-13 Using Poison Reverse to Broadcast Information About a Failed Route

Triggered Updates
A triggered update is sent immediately in response to a change in the network. The router detecting the change immediately sends an update message to adjacent routers, which then generate their own triggered updates. This continues until the network converges. The following two problems exist with triggered updates:
- The update message can be dropped or corrupted.
- The updates do not happen instantly. A router can issue a regular update before receiving the triggered update. If this happens, the bad route can be reinserted into a router that received the triggered update.
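The loop described in Figures 4-10 through 4-13 can be reproduced in a few lines of simulation. The following Python is an added example, not code from the book: it models the three-router chain of the figures with a hop-count metric and RIP's infinity of 16, and runs periodic updates three ways: with no protection, with split horizon, and with poison reverse. Route poisoning is present in all three runs, since Router C advertises the failed network as unreachable. The router names, the link layout and the synchronous round-based update order are assumptions of the example.

```python
"""Distance vector simulation: counting to infinity vs. split horizon / poison reverse.

Constructed topology taken from the page's figures: A -- B -- C, with network
10.4.0.0 attached to Router C.  Metric is hop count; INFINITY is 16 as in RIP.
"""

INFINITY = 16                                      # RIP's "unreachable" hop count
NET = "10.4.0.0"                                   # the network that fails in Figures 4-10 to 4-13
LINKS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}  # constructed chain topology


def tables_before_failure():
    """Routing-table entries for NET as (hop count, next hop), as in Figure 4-10."""
    return {"A": (2, "B"), "B": (1, "C"), "C": (0, None)}


def advertised_metric(router, tables, neighbor, mode):
    """What `router` tells `neighbor` about NET in one periodic update."""
    metric, next_hop = tables[router]
    if next_hop == neighbor:
        if mode == "split_horizon":
            return None          # never send a route back out the interface it came in on
        if mode == "poison_reverse":
            return INFINITY      # send it back, but explicitly as unreachable
    return metric


def one_round(tables, mode):
    """All routers exchange one update simultaneously; returns the new tables."""
    incoming = {r: [] for r in tables}
    for r in tables:
        for n in LINKS[r]:
            adv = advertised_metric(r, tables, n, mode)
            if adv is not None:
                incoming[n].append((r, adv))

    new = {}
    for r, (metric, next_hop) in tables.items():
        best = (metric, next_hop)
        # Bellman-Ford rule 1: an update from the current next hop is always taken,
        # even when the metric got worse (this is how bad news propagates).
        for src, adv in incoming[r]:
            if src == next_hop:
                best = (min(adv + 1, INFINITY), src)
        # Rule 2: any other neighbour offering a strictly better path replaces it.
        for src, adv in incoming[r]:
            if src != next_hop and adv + 1 < best[0]:
                best = (adv + 1, src)
        new[r] = best
    return new


def simulate(mode="none", max_rounds=60):
    """Fail NET at Router C (route poisoning: C marks it INFINITY) and run updates
    until the tables stop changing.  Returns (rounds_with_changes, history)."""
    tables = tables_before_failure()
    tables["C"] = (INFINITY, None)   # 10.4.0.0 goes down; C poisons its own entry
    history = [dict(tables)]
    changed_rounds = 0
    for _ in range(max_rounds):
        new = one_round(tables, mode)
        history.append(new)
        if new == tables:
            break
        changed_rounds += 1
        tables = new
    return changed_rounds, history


if __name__ == "__main__":
    for mode in ("none", "split_horizon", "poison_reverse"):
        rounds, hist = simulate(mode)
        print(f"{mode:15s} settled after {rounds:2d} update rounds; final: {hist[-1]}")
```

Without protection, Router C accepts Router B's stale one-hop route in the very first round (the "hop count of 2" the text describes) and the three routers then count upward until every entry reaches 16. With either split horizon or poison reverse the tables settle after two update rounds. Hold-down timers, covered next, close the remaining window in which a regular update can still arrive before a triggered one.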

Solution: Hold-down timers dictate that when a route is invalid, no new route with the same or a worse metric will be accepted for the same destination for a period of time. This allows the triggered update to propagate throughout the network.

Hold-Down Timers
Hold-down timers prevent regular update messages from inappropriately reinstating a route that might have gone bad. They force routers to hold any changes for a period of time. Figure 4-14 shows the hold-down implementation process, which is described in the following list:

FIGURE 4-14 Hold-Down Timer Process (Network 10.4.0.0 Is Down; Update After Hold-down Time, Then Back Up; Update After Hold-down Time, Then Back Down; Network 10.4.0.0 Is Unreachable)

1. When a router receives an update that a network is down, it marks the route as inaccessible and starts a hold-down timer.
2. If an update is received from a neighboring router with a better metric, the router removes the timer and uses the new metric.

3. If an update is received (before the hold-down timer expires) with a poorer metric, the update is ignored.
4. During the hold-down period, routes appear in the routing table as “possibly down.”

Link-State Routing
The link-state-based routing algorithm (also known as shortest path first [SPF]) maintains a database of topology information. Unlike the distance vector algorithm, link-state routing maintains full knowledge of distant routers and how they interconnect. See Figure 4-15.

FIGURE 4-15 Link-State Routing (Link-State Packets -> Topological Database -> SPF Algorithm -> Shortest Path First Tree -> Routing Table)

With link-state routing protocols, each router has a full map of the network topology. As such, a router can independently make a decision based on its map of the network. Network information is shared in the form of link-state advertisements (LSA).

Each link-state router must keep a record of the following:
- Immediate neighbor routers
- All other routers in the network
- The best paths to each destination

Link-state routing provides better scaling than distance vector routing for the following reasons:
- Link-state sends only topology changes (called triggered updates). Distance vector sends complete routing tables.
- Link-state updates are sent less often than distance vector updates.
- Link-state uses a hierarchy by dividing large routing domains into smaller routing domains called areas. Areas limit the scope of route changes.
- Link-state supports classless addressing and summarization.
- Link-state routing converges fast and is robust against routing loops, but it requires a great deal of memory and strict network designs.

Advanced Distance Vector Routing
Advanced distance vector (also called balanced hybrid) routing combines aspects of both distance vector and link-state protocols. Advanced distance vector routing uses distance vectors with more accurate metrics, but unlike distance vector routing protocols, it updates only when a topology change occurs. Balanced hybrid routing provides faster convergence while limiting the use of resources such as bandwidth, memory, and processor overhead. Cisco Enhanced IGRP is an example of an advanced distance vector protocol.

Variable-Length Subnet Mask (VLSM)
VLSMs were developed to allow multiple levels of subnetting in an IP network. This allows network administrators to overcome the limitations of fixed-sized subnets within a network and, in effect, subnet a subnet. The primary benefit of VLSMs is more efficient use of IP addresses. VLSMs are not available in RIPv1. Figure 4-16 shows that without VLSMs, you are confined to a fixed number of subnets, each with a fixed number of hosts. Figure 4-17 shows the same network. With VLSMs, you can have multiple subnets, with a varying number of hosts. Adding subnets works the same way as normal subnets, and VLSM uses bits from the subnet portion of the address.

FIGURE 4-16 Subnets/Hosts Fixed Without VLSMs (192.55.2.0/27: This Class C Subnetting Scheme Has 6 Subnets, Each with 30 Hosts… But What If You Had Some Subnets with 30 Hosts, and Several Others with 6 Hosts?)

FIGURE 4-17 VLSMs Increase the Number of Subnet/Host Possibilities (192.55.2.0/27 subnetted again into 192.55.2.96/29, 192.55.2.104/29, 192.55.2.112/29, …; The New Subnets Created Using VLSM Now Each Have 6 Hosts. Address bits: 192.55.2.011 00000 = network | subnet | host; 192.55.2.011 01 000 = network | subnet | VLSM subnet | host)

Summarizing Routes
In large networks, it is impractical for a router to maintain tables with hundreds of thousands of routes. Route summarization (also called route aggregation or supernetting) reduces the number of routes that a router must maintain by representing a series of network numbers in a single summary address. Route summarization is most effective within a subnetted environment when the network addresses are in contiguous blocks in powers of 2.

Route summarization can also isolate topology changes, because the routing changes are propagated only to the router that accesses the rest of the network. All other routers use a summary address. Classless routing schemes, such as RIPv2, EIGRP, IS-IS, and OSPF, support route summarization using subnets and VLSMs.

Summarizing Routes in Discontinuous Networks
RIP and EIGRP automatically perform route summarization to the classful network boundary when routing updates cross between two major networks. This works fine if the network is continuous; however, this automatic summarization causes problems if the network is discontinuous. OSPF must be configured to manually perform summarization. Figure 4-18 shows Routers A and C connected to networks 10.1.1.0/24 and 10.2.2.0/24. Routers A and C automatically summarize that they are connected to network 10.0.0.0/8. Because the network is discontinuous, Router B thinks it has two routes to network 10.0.0.0/8.

FIGURE 4-18 Autosummarization in a Discontinuous Network (10.1.1.0/24 - A - 192.168.1.0/24 - B - 192.168.2.0/24 - C - 10.2.2.0/24; A and C each advertise 10.0.0.0/8 to B)
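The VLSM carving of Figures 4-16 and 4-17, route summarization, and the autosummarization problem of Figure 4-18 can all be checked with Python's standard ipaddress module. The following is an added example, not code from the book; the allocation order (largest requests first, best fit from the free blocks) and the router-to-LAN assignments passed to autosummary_conflicts are assumptions of the example.

```python
"""VLSM allocation and route summarisation with the standard ipaddress module.

Constructed example built around the page's addresses (192.55.2.0/24, Figure 4-16/4-17)
and the discontiguous network of Figure 4-18.
"""
import ipaddress


def prefix_for_hosts(hosts):
    """Smallest prefix length whose block holds `hosts` usable addresses
    (plus the network and broadcast addresses)."""
    prefix = 32
    while (1 << (32 - prefix)) < hosts + 2:
        prefix -= 1
    return prefix


def vlsm_carve(block, host_counts):
    """Subnet `block` once per requested host count, largest requests first so every
    allocation stays aligned to a power-of-2 boundary.  Returns [(hosts, network)]."""
    free = [ipaddress.ip_network(block)]
    allocated = []
    for hosts in sorted(host_counts, reverse=True):
        want = prefix_for_hosts(hosts)
        # best fit: the smallest free block that is still big enough, lowest address first
        free.sort(key=lambda n: (-n.prefixlen, int(n.network_address)))
        for cand in free:
            if cand.prefixlen <= want:
                free.remove(cand)
                sub = next(cand.subnets(new_prefix=want))   # carve off the front
                free.extend(cand.address_exclude(sub))        # keep the remainder free
                allocated.append((hosts, str(sub)))
                break
        else:
            raise ValueError(f"no free block left for a {hosts}-host subnet")
    return allocated


def summarize(prefixes):
    """Fewest summary routes covering exactly the given (contiguous, aligned) blocks."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def classful_summary(prefix):
    """Classful boundary that RIP/EIGRP autosummarise to: class A /8, B /16, C /24."""
    net = ipaddress.ip_network(prefix)
    first_octet = int(net.network_address) >> 24
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False))


def autosummary_conflicts(lans):
    """lans: {router: [directly connected prefixes]} (constructed input).  Returns the
    classful summaries that more than one router would announce, i.e. the
    discontiguous-network problem of Figure 4-18."""
    announced = {}
    for router, prefixes in lans.items():
        for p in prefixes:
            announced.setdefault(classful_summary(p), set()).add(router)
    return {net: sorted(r) for net, r in announced.items() if len(r) > 1}


if __name__ == "__main__":
    for hosts, net in vlsm_carve("192.55.2.0/24", [30, 30, 30, 6, 6, 6]):
        print(f"{hosts:3d} hosts -> {net}")
    print(summarize(["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]))
    print(autosummary_conflicts({"A": ["10.1.1.0/24"], "B": ["192.168.1.0/24", "192.168.2.0/24"],
                                 "C": ["10.2.2.0/24"]}))
```

vlsm_carve("192.55.2.0/24", [30, 30, 30, 6, 6, 6]) yields three /27 subnets followed by 192.55.2.96/29, 192.55.2.104/29 and 192.55.2.112/29, the same subnets Figure 4-17 shows. autosummary_conflicts reports 10.0.0.0/8 as announced by both A and C, which is exactly what leaves Router B with two routes to one summary; summarize shows the supernet a router would advertise when the blocks are contiguous, and leaves non-contiguous blocks separate.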

Section 5
Implementing OSPF in a Single Area

OSPF is an interior gateway protocol based on link state rather than distance vectors. OSPF was developed in the 1980s as an answer to RIP’s inability to scale well in large IP networks. OSPF is an open-standard, classless protocol that converges quickly and uses costs as a metric. Cisco IOS automatically calculates cost based on the interface bandwidth. OSPF uses Dijkstra’s shortest path first (SPF) algorithm to determine the best path to each network.

When a router is configured for OSPF, the first thing the router does is create a topology table of the network. OSPF does this by sending Hellos out each OSPF interface, while listening for Hellos from other routers. If the routers share a common data link and agree on certain parameters set in their Hello packets, they become neighbors. If these parameters are different, they do not become neighbors and communication stops. OSPF routers can form adjacencies with certain neighbor routers. The routers that OSPF routers build adjacencies with are determined by the data link media type. After adjacencies have been formed, each router sends link-state advertisements (LSA) to all adjacent routers. These LSAs describe the state of each of the router’s links. Because of the varying types of link-state information, OSPF defines multiple LSA types. Finally, routers receiving an LSA from neighbors record the LSA in a link-state database and flood a copy of the LSA to all other neighbors. When all databases are complete, each router uses the SPF algorithm to calculate a loop-free, best-path topology and builds its routing table based on this topology.

OSPF Terminology
When learning about OSPF, you might encounter different terminology for the OSPF tables. Following is a list of common terminology used in OSPF:
- OSPF neighbor table = Adjacency database
- OSPF topology table = OSPF topology database (link-state database [LSDB])
- Routing table = Forwarding database

Router ID
For OSPF to initialize, it must be able to define a router ID for the entire OSPF process. A router can receive its router ID from several sources. First, it can be assigned manually through the router-id command. Second, it is the numerically highest IP address set on a loopback interface. The loopback interface is a logical interface that never goes down. If no loopback address is defined, an OSPF-enabled router will select the numerically highest IP address on any of its OSPF-configured interfaces as its router ID. The router ID is chosen when OSPF is initialized. Initialization occurs when a router loads its OSPF configuration, whether at startup or when OSPF is first configured or reloaded. If other interfaces later come online that have a higher IP address, the OSPF router ID does not change until the OSPF process is restarted.

Hello Packet
The Hello protocol ensures that communication between OSPF routers is bidirectional. It is the means by which neighbors are discovered and acts as keepalives between neighbors. It also establishes and maintains neighbor relationships and elects the designated router (DR) and the backup designated router (BDR) to represent the segment on broadcast and nonbroadcast multiaccess (NBMA) networks.

Each Hello packet contains the following:
- Router ID of the originating router
- Area ID of the originating router interface
- Address mask of the originating router interface
- Authentication type and information of the originating router interface
- HelloInterval
- RouterDeadInterval
- Router priority
- DR and BDR
- 5 flag bits for optional capabilities
- Router IDs of the originating router’s neighbors

Hello packets are periodically sent out each interface using IP multicast address 224.0.0.5 (AllSPFRouters). The HelloInterval each router uses to send out the Hello protocol is based on the media type. The default HelloInterval of broadcast, point-to-point, and point-to-multipoint networks is 10 seconds. On NBMA networks the default HelloInterval is 30 seconds. For OSPF-enabled routers to become neighbors, certain parameters in the Hello packet must match. These parameters are as follows:
- Subnet mask used on the subnet
- Subnet number

- HelloInterval
- DeadInterval
- OSPF area ID

LSAs
After OSPF-enabled routers form full adjacencies, the next step is for routers to exchange link-state information. This is done through LSAs. LSAs report the state of routers’ links. LSAs are also packets that OSPF uses to advertise changes in the condition of links to other OSPF routers in the form of a link-state update. LSAs have the following characteristics:
- LSAs are reliable.
- LSAs are flooded throughout the OSPF area.
- LSAs have a sequence number and a timer. The sequence number and timer ensure that each router has the most current LSA.
- LSAs are refreshed every 30 minutes.

Eleven different and distinct link-state packet formats are used in OSPF, and each is used for a different purpose. The ICND exam will only test you on two LSA types, Type 1 and Type 2. Type 1 LSAs are router LSAs and are generated by each router for each area to which it belongs. These LSAs describe the states of the router’s links to the area and are flooded within a single area. Type 2 LSAs are network LSAs and are generated by the DR and BDR. They describe the set of routers attached to a particular network. They are flooded within a single area.

OSPF Network Types
OSPF defines the following five network types:
- Broadcast networks
- Nonbroadcast multiaccess (NBMA) networks
- Point-to-point networks
- Point-to-multipoint networks
- Virtual links

Examples of broadcast networks are Ethernet and Token Ring. OSPF routers on broadcast networks elect a designated router (DR) and backup designated router (BDR). All routers on the broadcast segment form adjacencies with the DR and BDR. On broadcast networks, all OSPF packets are multicast. Hellos are still multicast to the all OSPF routers address of 224.0.0.5, and all LSA packets are multicast to the DR and BDR address of 224.0.0.6. The router with the highest OSPF interface priority is elected the DR, and the router with the second-highest OSPF interface priority is the BDR. The OSPF interface priority defaults to 1 but should be administratively configured to manually define the DR and BDR. If the default priority value of 1 is left on all router interfaces, the DR/BDR election relies on the router ID (RID): The highest RID on the segment becomes the DR, and the second-highest becomes the BDR.

NBMA networks include Frame Relay, X.25, and ATM; they are capable of connecting more than two routers but have no broadcast capability. NBMA networks elect a DR and BDR.

Point-to-point networks, such as a T1, connect a single pair of routers that always become adjacent. No DR/BDR elections take place.

Point-to-multipoint networks are a special configuration of NBMA networks in which networks are treated as a collection of point-to-point links. Routers on these networks do not elect a DR or BDR, and because all links are seen as point-to-point, all OSPF packets are unicast.
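Router ID precedence and the DR/BDR election described above, as an added Python example (not code from the book or from Cisco IOS). It assumes every router on the segment starts at the same time; on a running segment OSPF does not preempt an existing DR when a higher-priority router comes online (RFC 2328, section 9.4), and an interface priority of 0 makes a router ineligible, two details the text does not cover. All router IDs and addresses are constructed.

```python
"""Router ID selection and DR/BDR election as this page describes them (constructed example)."""
import ipaddress


def choose_router_id(manual=None, loopbacks=(), ospf_interfaces=()):
    """Precedence: the router-id command, then the numerically highest loopback
    address, then the highest address on an OSPF-enabled interface."""
    if manual:
        return manual
    for pool in (loopbacks, ospf_interfaces):
        if pool:
            return str(max(ipaddress.ip_address(a) for a in pool))
    # Same condition the Figure 5-1 flow chart lists for "can't allocate router-id".
    raise ValueError("can't allocate router-id: no interface with a valid IP address")


def elect_dr_bdr(routers):
    """routers: [(router_id, interface_priority)] on one broadcast/NBMA segment, all
    starting together.  Highest priority wins, ties broken by highest router ID; the
    runner-up is the BDR.  Priority 0 (RFC 2328) means the router is ineligible."""
    eligible = [(prio, int(ipaddress.ip_address(rid)), rid)
                for rid, prio in routers if prio > 0]
    eligible.sort(reverse=True)                 # by priority, then numeric router ID
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    # constructed addresses
    print(choose_router_id(loopbacks=["1.1.1.1", "10.255.255.1"], ospf_interfaces=["192.168.10.33"]))
    print(choose_router_id(ospf_interfaces=["192.168.10.1", "192.168.10.33"]))
    print(elect_dr_bdr([("172.16.1.1", 1), ("172.16.2.2", 1), ("172.16.3.3", 1)]))
    print(elect_dr_bdr([("172.16.1.1", 100), ("172.16.2.2", 1), ("172.16.3.3", 0)]))
```

With every interface left at the default priority of 1, the router with the highest RID becomes DR and the next-highest BDR, as the text states; raising one router's priority makes it DR regardless of its RID. Because the election is sticky in a live network, the only reliable way to control which router is DR is to set priorities before the segment comes up.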

Virtual links are a special configuration that is interpreted by the router as unnumbered point-to-point networks. Virtual links are created by the administrator.

Configuring OSPF
The router ospf process-id command enables the OSPF process, and the network address wildcard-mask area area-id command assigns networks to a specific OSPF area. Notice that you must specify the wildcard mask instead of the subnet mask. For example, the following configuration enables OSPF process 10 and activates OSPF on all interfaces that have interface addresses that match the address and mask combination for area 0:

RouterA(config)#router ospf 10
RouterA(config-router)#network 192.168.10.0 0.0.0.255 area 0

For example, if a router has two interfaces configured with IP addresses 192.168.10.1/27 and 192.168.10.33/27, OSPF will be enabled on both interfaces. The process ID is locally significant to the router and is used to differentiate between different OSPF processes running on the router. Additionally, this value (unlike the autonomous system value in EIGRP) does not need to match between routers.

Verifying OSPF
The show ip protocols command verifies that OSPF is configured. The show ip route command displays all known routes. The show ip ospf interface command lists the area in which the router interface resides and the neighbors of the interface. Additionally, it lists the interface state, process ID, router ID, network type, cost, priority, DR and BDR, timer intervals, and authentication if it is configured. Here is an example of the show ip ospf interface command:

RouterB# show ip ospf interface ethernet 0
Ethernet0 is up, line protocol is up
  Internet Address 10.10.10.1/24, Area 0
  Process ID 1, Router ID 172.16.1.1, Network Type BROADCAST, Cost: 10

  Transmit Delay is 1 sec, State BDR, Priority 1
  Designated Router (ID) 172.16.2.2, Interface address 10.10.10.2
  Backup Designated router (ID) 172.16.1.1, Interface address 10.10.10.1
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:06
  Index 1/1, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 2, maximum is 2
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 172.16.2.2  (Designated Router)
  Suppress hello for 0 neighbor(s)

To analyze the OSPF events, use the debug ip ospf events command.

Load Balancing with OSPF
Load balancing is a function of Cisco IOS router software and is supported for static routes, RIP, RIPv2, IGRP, EIGRP, OSPF, IS-IS, and BGP. When a router has multiple paths with the same AD and cost to a destination, packets are load-balanced across the paths. OSPF only supports equal-cost load balancing. EIGRP also supports unequal-cost load balancing.

Per-Destination and Per-Packet Load Balancing
In per-destination load balancing, the router distributes packets based on the destination address. In per-packet load balancing, the router sends one packet for one destination over the first path, and the second packet for the same destination over the second path.

Load Balancing with Different Costs
OSPF does not support unequal-cost load balancing. If OSPF has two unequal links to a destination, only the lowest-cost path is used. The other path remains idle. To use the other link for load balancing, you need to manually change the cost of the interface. Because OSPF’s metric is based on cost, to load-balance between two links with different costs, you have to manually configure each interface with the same cost. The ip ospf cost interface-cost interface command sets the OSPF cost of an interface. In the example that follows, you would enter the following commands to make both interfaces have the same cost:

RouterA(config)#interface serial 0/0
RouterA(config-if)#ip ospf cost 10
RouterA(config-if)#interface serial 0/1
RouterA(config-if)#ip ospf cost 10

Authentication with OSPF
OSPF authentication prevents unauthorized routers from forming adjacencies with OSPF-enabled routers. OSPF supports three types of authentication:
- Null authentication
- Plain-text authentication
- MD5 authentication
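What the authentication types put on the wire is the security point of this section. The following Python is an added example, not code from the book or from Cisco IOS: it builds a minimal OSPFv2 Hello with plain-text (AuType 1) and MD5 (AuType 2) authentication following RFC 2328 Appendix D, and verifies the MD5 digest the way a receiving router would. The router IDs, addresses, key and Hello contents are constructed, and the OSPF checksum field is left at zero throughout.

```python
"""OSPFv2 authentication on the wire: plain text vs. MD5 (RFC 2328, Appendix D).

Constructed example: router IDs, addresses and the key are made up.
"""
import hashlib
import hmac
import socket
import struct

OSPF_VERSION = 2
HELLO_TYPE = 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HEADER_LEN = 24
DIGEST_LEN = 16
# version, type, length, router ID, area ID, checksum, AuType, 64-bit authentication field
HEADER_FMT = "!BBH4s4sHH8s"


def hello_body(mask="255.255.255.0", hello=10, dead=40, priority=1, dr="0.0.0.0", bdr="0.0.0.0"):
    """Minimal Hello payload (no neighbour list): mask, HelloInterval, options,
    priority, RouterDeadInterval, DR, BDR.  Values are constructed."""
    return struct.pack("!4sHBBI4s4s", socket.inet_aton(mask), hello, 0x02, priority,
                       dead, socket.inet_aton(dr), socket.inet_aton(bdr))


def header(length, router_id, area_id, autype, auth_field):
    # Checksum stays 0: RFC 2328 D.4.3 requires that for cryptographic authentication,
    # and this constructed example does not compute it for the plain-text case either.
    return struct.pack(HEADER_FMT, OSPF_VERSION, HELLO_TYPE, length,
                       socket.inet_aton(router_id), socket.inet_aton(area_id),
                       0, autype, auth_field)


def build_plain_text(router_id, area_id, body, password):
    """AuType 1: the (up to 8-byte) password is carried in the header itself."""
    auth = password.encode()[:8].ljust(8, b"\x00")
    return header(HEADER_LEN + len(body), router_id, area_id, AUTH_SIMPLE, auth) + body


def _pad_key(key):
    return key.encode()[:16].ljust(16, b"\x00")


def build_md5(router_id, area_id, body, key_id, key, seq):
    """AuType 2: the header carries key ID, digest length and a sequence number; the
    16-byte digest MD5(packet || key) is appended after the packet and is not
    counted in the Length field.  The key itself never leaves the router."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header(HEADER_LEN + len(body), router_id, area_id, AUTH_MD5, auth) + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def verify_md5(frame, keys):
    """Receiver side.  keys: {key_id: key}.  Returns (accepted, detail)."""
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False, "truncated"
    _, _, length, _, _, _, autype, auth = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    if autype != AUTH_MD5:
        return False, "AuType is not cryptographic"
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != DIGEST_LEN or length + DIGEST_LEN != len(frame):
        return False, "bad length"
    if key_id not in keys:
        return False, f"unknown key id {key_id}"
    packet, received = frame[:length], frame[length:]
    expected = hashlib.md5(packet + _pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch (wrong key or modified packet)"
    return True, seq          # caller must also require seq >= last accepted seq (replay)


def exposed_password(frame):
    """What an on-path observer reads from a plain-text authenticated header."""
    _, _, _, _, _, _, autype, auth = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    return auth.rstrip(b"\x00").decode() if autype == AUTH_SIMPLE else None


if __name__ == "__main__":
    body = hello_body()
    plain = build_plain_text("172.16.1.1", "0.0.0.0", body, "cisco")
    print("plain text exposes:", exposed_password(plain))
    frame = build_md5("172.16.1.1", "0.0.0.0", body, key_id=1, key="cisco", seq=1)
    print("md5 verify:", verify_md5(frame, {1: "cisco"}))
    print("md5 wrong key:", verify_md5(frame, {1: "wrong"}))
```

The plain-text password sits readable in bytes 16 to 23 of every packet, so it protects only against misconfiguration, not against anyone who can observe the link. With MD5 the key never appears on the wire and any change to the packet invalidates the digest; the receiver must additionally reject a cryptographic sequence number lower than the last one it accepted, which is why verify_md5 hands the sequence number back. The same key ID and key must be configured on both neighbors, as the MD5 configuration note in this section says.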

Configuring Plain-Text Authentication
The following steps configure OSPF plain-text authentication:
Step 1. Assign a password to be used with the ip ospf authentication-key password interface command.
Step 2. Specify the authentication type with the ip ospf authentication interface command.
Step 3. Configure authentication under the OSPF area using the area area-id authentication command.

The following enables plain-text authentication using the password of cisco on interface serial 0/0:

RouterA(config)#interface serial 0/0
RouterA(config-if)#ip ospf authentication-key cisco
RouterA(config-if)#ip ospf authentication
RouterA(config-if)#exit
RouterA(config)#router ospf 1
RouterA(config-router)#area 0 authentication

Verifying Plain-Text Authentication
The show ip ospf interface command shows whether OSPF authentication is enabled. The final line of the following example, Simple password authentication enabled, shows that plain-text authentication is enabled:

RouterA# show ip ospf interface serial0
Serial0 is up, line protocol is up
  Internet Address 192.168.16.1/24, Area 0
  Process ID 10, Router ID 172.16.1.1, Network Type POINT_TO_POINT, Cost: 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)

  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Simple password authentication enabled

Configuring MD5 Authentication
Configuring MD5 authentication between two OSPF routers is similar to configuring plain-text authentication, except you need to have a key ID and a password. The ip ospf message-digest-key key-id md5 password interface command sets the password between the two routers. The area area-id authentication message-digest command enables MD5 for the OSPF area. The following commands enable MD5 authentication for key 1 with the password of cisco:

NOTE The key-id and password parameters must be the same between neighboring devices.

RouterA(config)#interface serial 0/0
RouterA(config-if)#ip ospf message-digest-key 1 md5 cisco
RouterA(config-if)#ip ospf authentication message-digest
RouterA(config-if)#exit
RouterA(config)#router ospf 1
RouterA(config-router)#area 0 authentication message-digest

Verifying MD5 Authentication
The show ip ospf interface command shows whether OSPF authentication is enabled. The final lines of the following example, Message digest authentication enabled and Youngest key id is 1, show that MD5 authentication is enabled:

RouterA# show ip ospf interface serial0
Serial0 is up, line protocol is up
  Internet Address 192.168.16.1/24, Area 0
  Process ID 10, Router ID 172.16.1.1, Network Type POINT_TO_POINT, Cost: 64

  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:04
  Index 2/2, flood queue length 0
  Next 0x0(0)/0x0(0)
  Last flood scan length is 1, maximum is 1
  Last flood scan time is 0 msec, maximum is 4 msec
  Neighbor Count is 0, Adjacent neighbor count is 0
  Suppress hello for 0 neighbor(s)
  Message digest authentication enabled
    Youngest key id is 1

Troubleshooting OSPF
Troubleshooting OSPF can be complex. Figure 5-1 shows a basic flow chart to begin the troubleshooting process in OSPF.

FIGURE 5-1 OSPF Troubleshooting Flow Chart

What is the OSPF problem?
- Receiving “ospf-4 badlsatype error” message: The OSPF packet is being corrupted by layer-2 software.
- Receiving “can’t allocate router-id” message when configuring OSPF: For the OSPF process to begin, the router must have an interface with a valid IP address in the UP/UP state.
- Receiving “ospf unknown protocol” message when configuring OSPF: The IOS feature set does not support OSPF, or you are configuring OSPF on a 1600 or 1800 series router.
- OSPF routers not establishing FULL neighbors: See Figure 5-2, OSPF Neighbor States.
- OSPF routes missing from routing table: See Figure 5-3, OSPF Route Check.

Troubleshooting Neighbor States
Figure 5-2 displays some of the most common neighbor states and describes steps to resolve the received neighbor states.

FIGURE 5-2 Troubleshooting Neighbor States

What is the state of the OSPF neighbor when issuing the show ip ospf neighbor command?
- state = init: Init State Check
- state = exstart or exchange: MTU or Layer 2 Check
- state = loading: Corrupted Packet Check
- state = 2way: Two-Way Check
- No command output received: Link Check

Troubleshooting Routing Table
Figure 5-3 shows a flow chart to troubleshoot OSPF routing table issues.

FIGURE 5-3 OSPF Routing Table Troubleshooting Flow Chart

OSPF Route Check: Determine what types of routes are missing from the routing table. What type of OSPF routes are you missing from the table?
- All OSPF routes: Check adjacencies
- Only summary routes: Check area 0 and verify that it is contiguous

Troubleshooting Commands
- show ip ospf interface: Lists the area in which the interface belongs, and neighbors adjacent on the interface.
- show ip ospf neighbor: Lists neighbors and current neighbor status.
- debug ip ospf events: Shows messages for each OSPF packet.
- debug ip ospf packet: Shows log messages that describe the contents of all OSPF packets.
- debug ip ospf hello: Shows messages describing Hello packets and Hello failures.
- debug ip ospf adj: Shows the authentication process if OSPF authentication is configured.

The debug ip ospf adj command is an important command for troubleshooting OSPF adjacencies. OSPF routers exchange Hello packets to create neighbor adjacencies. For an OSPF adjacency to occur, the following four items in an OSPF Hello packet must match:
- Area ID
- Hello/dead intervals
- Authentication password
- Stub area flag

To determine whether any of these Hello packet options do not match, use the debug ip ospf adj command. The following output shows a successful adjacency on the serial 0 interface:

RouterA# debug ip ospf adj
00:50:57: %LINK-3-UPDOWN: Interface Serial0, changed state to down
00:50:57: OSPF: Interface Serial0 going Down
00:50:57: OSPF: 172.16.64.36 address 192.168.10.1 on Serial0 is dead, state DOWN

00:50:57: OSPF: 70.70.70.70 address 192.168.10.2 on Serial0 is dead, state DOWN
00:50:57: %OSPF-5-ADJCHG: Process 10, Nbr 70.70.70.70 on Serial0 from FULL to DOWN, Neighbor Down: Interface down or detached
00:50:58: OSPF: Build router LSA for area 0, router ID 172.16.64.36, seq 0x80000009
00:50:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
00:51:03: %LINK-3-UPDOWN: Interface Serial0, changed state to up
00:51:03: OSPF: Interface Serial0 going Up
00:51:04: OSPF: Build router LSA for area 0, router ID 172.16.64.36, seq 0x8000000A
00:51:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to up
00:51:13: OSPF: 2 Way Communication to 70.70.70.70 on Serial0, state 2WAY
00:51:13: OSPF: Send DBD to 70.70.70.70 on Serial0 seq 0x2486 opt 0x42 flag 0x7 len 32
00:51:13: OSPF: Rcv DBD from 70.70.70.70 on Serial0 seq 0x19A4 opt 0x42 flag 0x7 len 32 mtu 1500 state EXSTART
00:51:13: OSPF: First DBD and we are not SLAVE
00:51:13: OSPF: Rcv DBD from 70.70.70.70 on Serial0 seq 0x2486 opt 0x42 flag 0x2 len 72 mtu 1500 state EXSTART
00:51:13: OSPF: NBR Negotiation Done. We are the MASTER
00:51:13: OSPF: Send DBD to 70.70.70.70 on Serial0 seq 0x2487 opt 0x42 flag 0x3 len 72
00:51:13: OSPF: Database request to 70.70.70.70
00:51:13: OSPF: sent LS REQ packet to 192.168.10.2, length 12

00:51:13: OSPF: Rcv DBD from 70.70.70.70 on Serial0 seq 0x2487 opt 0x42 flag 0x0 len 32 mtu 1500 state EXCHANGE
00:51:13: OSPF: Send DBD to 70.70.70.70 on Serial0 seq 0x2488 opt 0x42 flag 0x1 len 32
00:51:13: OSPF: Rcv DBD from 70.70.70.70 on Serial0 seq 0x2488 opt 0x42 flag 0x0 len 32 mtu 1500 state EXCHANGE
00:51:13: OSPF: Exchange Done with 70.70.70.70 on Serial0
00:51:13: OSPF: Synchronized with 70.70.70.70 on Serial0, state FULL
00:51:13: %OSPF-5-ADJCHG: Process 10, Nbr 70.70.70.70 on Serial0 from LOADING to FULL, Loading Done
00:51:14: OSPF: Build router LSA for area 0, router ID 172.16.64.36, seq 0x8000000B

Section 6 Implementing EIGRP

Enhanced IGRP (EIGRP) is a Cisco-proprietary routing protocol. EIGRP is classified as a balanced hybrid protocol. As such, EIGRP is an advanced distance vector protocol with some link-state features that uses a complex metric based on bandwidth and delay. EIGRP is a classless routing protocol, meaning that it sends the subnet mask of its interfaces in routing updates.

EIGRP Features
- Protocol-independent modules: EIGRP supports IP, IPv6, Internetwork Packet Exchange (IPX), and AppleTalk.
- Neighbor discovery/recovery: EIGRP discovers neighboring devices using periodic Hello messages.
- Reliable Transport Protocol: RTP controls sending, tracking, and acknowledging updates and EIGRP messages.
- Diffusing Update Algorithm (DUAL): EIGRP uses DUAL to calculate and maintain loop-free paths and provide fast convergence.
- Partial updates: EIGRP sends partial triggered updates instead of periodic updates.

EIGRP Terminology
- Neighbor table: Lists all adjacent routers. Includes the neighbor's address and the interface through which it can be reached. EIGRP routers keep a neighbor table for each routed Layer 3 protocol (IP, IPX, AppleTalk).
- Topology table: Contains all learned routes to a destination. The topology table holds all successor and feasible successor routes.
- Routing table: Holds the best routes (the successor routes) to each destination.

EIGRP Path Calculation

DUAL uses distance information (metric) to select the best, loop-free path to a destination. It does this by selecting a successor with the best feasible distance. The following is a list of the terminology DUAL uses to select a route:
- Successor: The primary route used to reach a destination. The successor route is kept in the routing table.
- Feasible successor: The backup route. A backup route, called the feasible successor, is selected if the advertised distance is less than the feasible distance. Must have an AD less than the FD of the current successor route.
- Advertised distance (AD): The lowest-cost route between the next-hop router and the destination.
- Feasible distance (FD): The sum of the AD plus the cost between the local router and the next-hop router.

Configuring and Verifying EIGRP

The router eigrp process-id command enables EIGRP on the router. This is followed by the network command to enable EIGRP on the specified interfaces. The following commands enable EIGRP using AS 100 and then enable EIGRP on all router interfaces with IP addresses in the networks 192.168.3.0 and 192.168.4.0:

RouterA(config)#router eigrp 100   (100 is the process-id)
RouterA(config-router)#network 192.168.3.0
RouterA(config-router)#network 192.168.4.0

- show ip eigrp neighbors: Displays EIGRP adjacencies and directly connected neighbors.
- show ip eigrp topology: Displays the EIGRP topology table, including successors and feasible successors.
- show ip route eigrp: Displays all EIGRP routes in the routing table.
- debug eigrp neighbors: Displays neighbors discovered by EIGRP and the contents of Hello packets.

Load Balancing with EIGRP

Load balancing is a router's ability to balance traffic over all of its network ports that have the same metric to the destination address. By default, EIGRP can automatically load-balance over up to 4 equal-cost routes (16 routes being the maximum); this is called equal-cost load balancing. Unequal-cost load balancing is when a router can load-balance traffic to a destination through links of different cost or speed. EIGRP uses a complex metric based on bandwidth, delay, load, reliability, and MTU to select the best path to a destination. By default, EIGRP only uses bandwidth and delay to calculate its metric.

In Figure 6-1, Router A has two unequal paths to network 10.1.1.x. Because the path through Router B has a lower cost than the path through Router C, Router A will route all traffic to network 10.1.1.x through Router B. To configure Router A to perform unequal-cost load balancing, you need to use the variance multiplier command on Router A. The multiplier is a variance value between 1 and 128, with the default set to 1.

FIGURE 6-1 EIGRP Unequal-Cost Load Balancing (Router A reaches network 10.1.1.x through Router B over links of cost 10 and 10, or through Router C over links of cost 20 and 20)

To determine the variance, divide the metric of the path through Router C by the metric of the path through Router B. In this case, it would be 40/20, which equals 2. So the variance to perform unequal-cost load balancing to network 10.1.1.x is 2. The following configuration sets the variance on Router A to 2:

RouterA(config)#router eigrp 100
RouterA(config-router)#variance 2

EIGRP Authentication

EIGRP supports MD5 route authentication. The following steps enable authentication on a Cisco router:
Step 1. Enter the interface you want to configure authentication on.
Step 2. Enable MD5 authentication using the ip authentication mode eigrp process-id md5 interface command.
Step 3. Reference an authentication key chain using the ip authentication key-chain eigrp process-id key-chain command. The key-chain parameter is the name of the key chain you want to create.
Step 4. Exit interface configuration mode.
Step 5. Identify the key chain you configured in Step 3 using the key chain name-of-key-chain command.
Step 6. Create a key number: key number.
Step 7. Identify the key string using the key-string text command.

The following example configures MD5 authentication with a key chain named cisco whose key 1 has the key string firstkey:

RouterA(config)#interface serial 0/0
RouterA(config-if)#ip authentication mode eigrp 100 md5
RouterA(config-if)#ip authentication key-chain eigrp 100 cisco
RouterA(config-if)#exit
RouterA(config)#key chain cisco
RouterA(config-keychain)#key 1
RouterA(config-keychain-key)#key-string firstkey
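The DUAL selection described under EIGRP Path Calculation and the variance calculation above, worked through in Python as an added example (not code from the book). The topology is constructed: it keeps the Figure 6-1 totals of 20 via Router B and 40 via Router C, but splits Router C's path as AD 15 plus link cost 25 so that it passes the feasibility condition, and adds a third path that does not.

```python
"""EIGRP DUAL route selection and the variance multiplier (added example, not
code from the CCNA Quick Reference Sheets). Each candidate path is the
neighbor's advertised distance (AD) plus the cost of the link to that neighbor,
which gives the feasible distance (FD). DUAL picks the lowest FD as successor,
accepts a backup only if its AD is lower than the successor's FD (the
feasibility condition that keeps the backup loop-free), and variance N installs
those backups whose FD is at most N times the successor's FD. SAMPLE_TOPOLOGY
below is constructed; it is not the book's figure."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    advertised_distance: int   # AD: the neighbor's own metric to the destination
    link_cost: int             # metric from this router to the next hop

    @property
    def feasible_distance(self):
        return self.advertised_distance + self.link_cost


def successor(paths):
    """The primary route: lowest feasible distance."""
    return min(paths, key=lambda p: p.feasible_distance)


def feasible_successors(paths):
    """Backups whose AD is strictly less than the successor's FD."""
    succ = successor(paths)
    return [p for p in paths
            if p is not succ and p.advertised_distance < succ.feasible_distance]


def minimum_variance(paths):
    """Smallest integer variance that installs every feasible successor, which
    is the page's 'divide the higher path metric by the successor metric'."""
    succ_fd = successor(paths).feasible_distance
    backups = feasible_successors(paths)
    if not backups:
        return 1
    return math.ceil(max(p.feasible_distance for p in backups) / succ_fd)


def load_balanced_paths(paths, variance=1, maximum_paths=4):
    """Routes that go in the routing table: the successor plus any feasible
    successor with FD <= variance * successor FD, capped at maximum-paths
    (4 by default). A path that fails the feasibility condition is never
    installed, however large the variance."""
    succ = successor(paths)
    chosen = [succ] + [p for p in feasible_successors(paths)
                       if p.feasible_distance <= variance * succ.feasible_distance]
    chosen.sort(key=lambda p: p.feasible_distance)
    return chosen[:maximum_paths]


# Constructed topology for network 10.1.1.x as seen from Router A.
SAMPLE_TOPOLOGY = [
    Path("RouterB", advertised_distance=10, link_cost=10),  # FD 20: successor
    Path("RouterC", advertised_distance=15, link_cost=25),  # FD 40, AD 15 < 20: feasible
    Path("RouterD", advertised_distance=25, link_cost=5),   # FD 30, AD 25 >= 20: not feasible
]

if __name__ == "__main__":
    print("successor:", successor(SAMPLE_TOPOLOGY).next_hop)
    print("feasible successors:", [p.next_hop for p in feasible_successors(SAMPLE_TOPOLOGY)])
    print("variance needed:", minimum_variance(SAMPLE_TOPOLOGY))
    for v in (1, 2):
        print(f"variance {v}:", [p.next_hop for p in load_balanced_paths(SAMPLE_TOPOLOGY, v)])
```

Note that Router D has a lower total metric than Router C yet is never installed: its AD is not below the successor's FD, so DUAL cannot prove the path loop-free.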

Troubleshooting EIGRP

Figure 6-2 shows a basic flow chart with the steps to take to approach EIGRP troubleshooting.

FIGURE 6-2 EIGRP Troubleshooting Flow Chart
EIGRP Main: Which best describes the problem?
- Local EIGRP router not establishing EIGRP neighbors with neighboring router: see Figure 6-3, EIGRP Neighbor Check.
- Routes missing from routing table: see Figure 6-5, EIGRP Route Check.
- Receiving "Not on Common Subnet" error: the EIGRP router is receiving a hello packet that is sourced from an IP address on a subnet that is not configured on the EIGRP receiving interface.
- Load balancing not working: verify the variance command is configured correctly.
- Seeing routes Stuck in Active (SIA): queries are not returning to the router when running DUAL.

EIGRP Neighbor Troubleshooting

When EIGRP is not forming neighbor relationships with other EIGRP routers, use the flow charts from Cisco.com in Figures 6-3 and 6-4 to troubleshoot the issue.

FIGURE 6-3 EIGRP Neighbor Check: Part I
EIGRP Neighbor Check
- Are neighboring routers attached via the same primary network?
  N: EIGRP will not form neighbors over secondary networks; therefore, the neighboring routers should be on the same primary network.
  Y: continue.
- Is EIGRP enabled for the appropriate networks on both the local and neighboring router?
  N: The primary address assigned to the interface must be part of the network used by the network configuration command under EIGRP.
  Y: continue.
- Are the neighbors attached via a Frame Relay network?
  Y: Is the frame-relay map command being used for manual mappings?
     Y: Ensure that the frame-relay map command has been configured with the broadcast keyword. This allows EIGRP multicast packet delivery across the Frame Relay network.
     N: Are broadcast packets dropped from the frame relay broadcast queue?
        Y: Your frame-relay broadcast queue may need to be tuned. Refer to OSPF and EIGRP Neighbor Loss, RIP and IGRP Update Loss after Upgrading to Cisco IOS 11.2 or later.
        N: continue.
  N: continue.
- Can you successfully ping between neighbors with packet sizes up to the interface MTU size?
  N: Check the MTU setting for the neighboring interfaces. Make them the same, if they are not already. If they are the same, there is a Layer 2 problem that must be fixed. Check cabling, interfaces, and so on.
  Y: continue with the next chart (Figure 6-4).

FIGURE 6-4 EIGRP Neighbor Check: Part II
EIGRP Neighbor Check (continued; return to previous chart)
- Are there any inbound access control lists (ACLs) configured on the neighboring interface for either router?
  Y: Temporarily remove the ACLs. Does this help?
     Y: The inbound ACL is not permitting the EIGRP hellos from the neighbor to be processed. Modify the ACL to permit EIGRP packets from the neighbor.
     N: continue.
  N: continue.
- Are you manually changing the EIGRP hello interval or hold timers?
  Y: It is recommended that the hold timer value be at least three times the value of the hello interval.
  N: Your problem is not a common problem. Check the physical cabling. If a LAN switch separates the neighboring routers, verify the switch settings.

EIGRP Route Troubleshooting

If EIGRP is not populating the routing table, Figures 6-5 and 6-6 outline some common steps for troubleshooting the error. Refer to Enhanced Interior Gateway Protocol.

FIGURE 6-5 EIGRP Route Check: Part I
EIGRP Route Check
- Are you missing all EIGRP routes from the routing table?
  Y: Are routes in the EIGRP topology table?
     Y: Your problem is not a common problem. Check physical cabling.
     N: Is the local router forming EIGRP neighbors with the routers that should be advertising routes?
        N: Go to EIGRP Neighbor Check (Figure 6-3).
        Y: continue.
  N: Are you missing external routes from the routing table?
     Y: continue with the next chart (Figure 6-6).
     N: continue.
- Are the missing routes part of discontinuous networks?
  Y: Is autosummarization enabled?
     Y: You must disable autosummarization for discontinuous networks to exchange information.
  N: continue.
- Does the local router have an inbound distribute list, or the neighboring router an outbound distribute list?
  Y: Remove the distribute list. Does this solve the problem?
     Y: The distribute list is denying the routes. Modify the list as necessary.
  N: continue.
- Can you ping between neighbors with packet sizes up to the interface maximum MTU size?
  N: Check the MTU setting for the neighboring interfaces. Make them the same, if they are not already. If they are the same, there is a Layer 2 problem that must be fixed. Check cabling, interfaces, and so on.
  Y: continue with the next chart.

FIGURE 6-6 EIGRP Route Check: Part II
EIGRP Route Check (continued; return to previous chart)
- Does the route's originating router have the same RID as the local router?
  Y: Routers should not have duplicate RIDs. The duplicate RID must be changed or removed on one of the routers. Note: The EIGRP process must be restarted, once the duplicate IP address is changed, in order for the RID to be changed.
  N: continue.
- Does the local router have an inbound distribute list, or does the neighboring router have an outbound distribute list?
  Y: Remove the distribute list. Does this solve the problem?
     Y: The distribute list is denying the routes. Modify the list as necessary.
  N: Your problem is not a common problem. Check physical cabling.

Troubleshooting MD5 Authentication

The debug eigrp packets command allows you to troubleshoot EIGRP MD5 authentication problems. In the following example, Router A is receiving EIGRP packets with MD5 authentication and a key string different from what it is expecting. The result is an authentication mismatch, and the neighbor relationship is declared down:

RouterA#debug eigrp packets
EIGRP Packets debugging is on
    (UPDATE, REQUEST, QUERY, REPLY, HELLO, IPXSAP, PROBE, ACK, STUB, SIAQUERY, SIAREPLY)
R2#
*Apr 21 16:50:18.749: EIGRP: Sending HELLO on Serial0/0/1
*Apr 21 16:50:18.749:   AS 100, Flags 0x0, Seq 0/0 idbQ 0/0 iidbQ un/rely 0/0
*Apr 21 16:50:18.749: EIGRP: pkt key id = 2, authentication mismatch
*Apr 21 16:50:18.749: EIGRP: Serial0/0/1: ignored packet from 192.168.1.101, opcode = 5 (invalid authentication)
*Apr 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication
*Apr 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/1) is down: Auth failure
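The two syslog messages that matter in these debug captures, %OSPF-5-ADJCHG from the debug ip ospf adj output in Section 5 and %DUAL-5-NBRCHANGE above, can be picked out of a log automatically and mapped onto the branches of the neighbor-check flow charts. The following Python is an added example, not code from the book; the message formats come from the page and the sample lines are constructed from its output.

```python
"""Flag OSPF and EIGRP neighbor loss in Cisco IOS debug/syslog output (added
example, not code from the CCNA Quick Reference Sheets). It parses the
%OSPF-5-ADJCHG and %DUAL-5-NBRCHANGE messages shown in this section, keeps only
transitions to DOWN, and maps the reason the router logged onto a
troubleshooting category: authentication mismatch, interface down, or hellos
not arriving. SAMPLE_LOG is constructed from the page's debug output."""
import re
from dataclasses import dataclass

# 00:50:57: %OSPF-5-ADJCHG: Process 10, Nbr 70.70.70.70 on Serial0 from FULL to DOWN, Neighbor Down: ...
OSPF_ADJCHG = re.compile(
    r"%OSPF-5-ADJCHG: Process (?P<proc>\d+), Nbr (?P<nbr>[\d.]+) on (?P<intf>\S+) "
    r"from (?P<old>\w+) to (?P<new>\w+), (?P<reason>.+)$"
)
# *Apr 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.101 (Serial0/0/1) is down: Auth failure
EIGRP_NBRCHANGE = re.compile(
    r"%DUAL-5-NBRCHANGE: IP-EIGRP\(\d+\) (?P<proc>\d+): Neighbor (?P<nbr>[\d.]+) "
    r"\((?P<intf>[^)]+)\) is (?P<new>up|down)(?:: (?P<reason>.+))?$"
)

# category -> what to check next, following the neighbor-check flow charts above
ADVICE = {
    "auth-mismatch": "compare key chain, key id and key-string on both routers",
    "interface-down": "check cabling, interface state and line protocol",
    "hellos-lost": "check hello/hold (dead) timers, inbound ACLs and MTU on both ends",
    "other": "work through the neighbor-check flow chart",
}


@dataclass
class NeighborEvent:
    protocol: str    # "OSPF" or "EIGRP"
    process: str     # OSPF process id or EIGRP AS number
    neighbor: str    # neighbor router ID (OSPF) or interface address (EIGRP)
    interface: str
    state: str       # new state, upper-cased: DOWN, FULL, UP, ...
    reason: str      # free text the router appended to the message


def parse_event(line):
    """Return a NeighborEvent for an adjacency-change message, else None."""
    m = OSPF_ADJCHG.search(line)
    if m:
        return NeighborEvent("OSPF", m["proc"], m["nbr"], m["intf"],
                             m["new"].upper(), m["reason"])
    m = EIGRP_NBRCHANGE.search(line)
    if m:
        return NeighborEvent("EIGRP", m["proc"], m["nbr"], m["intf"],
                             m["new"].upper(), m["reason"] or "")
    return None


def classify(event):
    """Map the logged reason onto a troubleshooting category."""
    reason = event.reason.lower()
    if "auth" in reason:
        return "auth-mismatch"
    if "interface down" in reason or "detached" in reason:
        return "interface-down"
    if "dead timer" in reason or "holding time" in reason:
        return "hellos-lost"
    return "other"


def neighbor_losses(lines):
    """(protocol, neighbor, interface, category, advice) for every neighbor that
    transitioned to DOWN; transitions to UP/FULL are ignored."""
    found = []
    for line in lines:
        event = parse_event(line)
        if event is not None and event.state == "DOWN":
            category = classify(event)
            found.append((event.protocol, event.neighbor, event.interface,
                          category, ADVICE[category]))
    return found


# Constructed sample: the ADJCHG and NBRCHANGE lines from this section's debug
# output, plus two non-adjacency lines that the parser must skip.
SAMPLE_LOG = [
    "00:50:57: %LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "00:50:57: %OSPF-5-ADJCHG: Process 10, Nbr 70.70.70.70 on Serial0 "
    "from FULL to DOWN, Neighbor Down: Interface down or detached",
    "00:51:13: %OSPF-5-ADJCHG: Process 10, Nbr 70.70.70.70 on Serial0 "
    "from LOADING to FULL, Loading Done",
    "*Apr 21 16:50:18.749: EIGRP: Dropping peer, invalid authentication",
    "*Apr 21 16:50:18.753: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: "
    "Neighbor 192.168.1.101 (Serial0/0/1) is down: Auth failure",
]

if __name__ == "__main__":
    for proto, nbr, intf, category, advice in neighbor_losses(SAMPLE_LOG):
        print(f"{proto} neighbor {nbr} on {intf} went DOWN: {category} -> {advice}")
```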

Part III: Access Lists and Managing Address Spaces

Section 7 Managing Traffic with ACLs

As a network grows, it becomes more important to manage the increased traffic going across the network. Access lists help limit traffic by filtering based on packet characteristics. By following a set of conventions, the network administrator can exercise greater control over network traffic by restricting network use by certain users or devices. Access lists define a set of rules that routers use to identify particular types of traffic. Access lists can be used to filter both incoming and outgoing traffic on a router's interface. An access list applied to a router specifies only rules for traffic going through the router. Traffic originating from a router is not affected by that router's access lists. (It is subject to access lists within other routers as it passes through them.)

Access lists are used for many reasons. Cisco security devices like firewalls and VPN concentrators use access lists to define access to the network. Access lists are used to define the traffic that a firewall or VPN concentrator will encrypt. Cisco routers also use access lists for quality of service (QoS), Network Address Translation, route filters, and packet prioritization.

Packet Filtering

Access lists can be configured to permit or deny incoming and outgoing packets on an interface.

Types of Access L ists

The following two methods identify access control lists (ACL):
- Numbered ACLs: Use a number for identification
- Named ACLs: Use a descriptive name or number for identification

Numbered and named ACLs can be categorized further into the following types of ACLs:
- Standard access lists check packets' source addresses. Standard IP access lists permit or deny output for an entire protocol suite based on the source network/subnet/host IP address. Standard ACLs should be placed as close to the destination as possible. Figure 7-1 shows the standard access list processes.
- Extended access lists check both source and destination packet addresses. Extended lists specify protocols, port numbers, and other parameters, allowing admins more flexibility and control. Extended ACLs should be placed as close to the source as possible.

FIGURE 7-1 Standard Access List Processes (incoming packet on E0; test: source permit? yes/no; permitted packets leave as outgoing packets on S0)

Table 7-1 shows the difference between standard and extended access lists.

TABLE 7-1 Standard Versus Extended Access Lists
Standard                                          Extended
Filter based on source                            Filter based on source and destination
Permit or deny the entire TCP/IP protocol suite   Specify a specific IP protocol and port number
Range: 1 to 99, 1300 to 1999                      Range: 100 to 199, 2000 to 2699

Access List Operations

Access list statements are operated on one at a time from top to bottom. Figure 7-2 shows the process of ACLs.

FIGURE 7-2 ACL Process (packets to interface(s) in the access group are tested against the first test, then the next test(s), then the last test; the first match decides: permit sends the packet to the destination interface(s), deny sends it to the packet discard bucket; if no match, the implicit deny discards the packet)

As soon as a packet header match is found, the packet is operated on (permitted or denied), and the rest of the statements are skipped. If no match is found, the packet is tested against the next statement until a match is found or the end of the list is reached. An implicit deny statement is present at the end of the list (all remaining packets are dropped). Unless at least one permit statement exists in an access list, all traffic is blocked.

Access List Process Options
- Inbound access lists: Incoming packets are processed before they are sent to the outbound interface. If the packet is to be discarded, this method reduces overhead (no routing table lookups). If the packet is permitted, it is processed in the normal way.
- Outbound access lists: Outgoing packets are processed by the router first and then are tested against the access list criteria.

Testing Against Access List Statements

For TCP/IP packets, access lists check the packet and upper-layer headers for different items (depending on the type of access list [standard or extended]).

Protocol Access List Identifiers

The access list number entered by the administrator determines how the router handles the access list. Conditions for an access list vary by protocol. The types of conditions allowed depend on the type of list (defined by the access list number). The arguments in the statement follow the number. You can have several different access lists for any given protocol, but only one access list per protocol, per direction, per interface can be applied.

Standard IP access lists are assigned the range of numbers 1 to 99 and 1300 to 1999. Extended IP access lists use the range 100 to 199 and 2000 to 2699. After a packet is checked for a match with the access list statement, it is either permitted through an interface or discarded.

Wildcard Masking

It is not always necessary to check every bit within an address. Wildcard masking identifies which bits should be checked or ignored (see Figure 7-3). Administrators can use this tool to select one or more IP addresses for filtering. Wildcard mask bits are defined as follows:
- A wildcard mask bit of 0 means to check the corresponding bit value.
- A wildcard mask bit of 1 means do not check (ignore) that corresponding bit value.

FIGURE 7-3 Wildcard Masking
Octet bit position and address value for bit: 128 64 32 16 8 4 2 1
Examples:
0 0 0 0 0 0 0 0 = Check all address bits (match all)
0 0 1 1 1 1 1 1 = Ignore last 6 address bits
0 0 0 0 1 1 1 1 = Ignore last 4 address bits
1 1 1 1 1 1 0 0 = Check last 2 address bits
1 1 1 1 1 1 1 1 = Do not check address (ignore bits in octet)

To specify an IP host address within a permit or deny statement, enter the full address followed by a mask of all 0s (0.0.0.0). To specify that all destination addresses are permitted in an access list, enter 0.0.0.0 as the address, followed by a mask of all 1s (255.255.255.255). Abbreviations can be used instead of entering an entire wildcard mask:
- Ignore all addresses: Use the word any to specify all addresses: 0.0.0.0 255.255.255.255 can be written as any.
- Check all addresses: To match a specific address, use the word host: 172.16.30.29 0.0.0.0 can be written as host 172.16.30.29.

A shortcut to find the wildcard mask is to subtract the subnet mask from 255.255.255.255. For example, 172.16.0.0/22 has the following subnet mask: 255.255.252.0. If you subtract this subnet mask from 255.255.255.255 you get the wildcard mask to use: 255.255.255.255 - 255.255.252.0 = 0.0.3.255.

IP Access List Entry Sequence Numbering

IP access list entry sequence numbering allows you to edit the order of ACL statements using sequence numbers. Prior to IP access list entry sequence numbering, if you wanted to edit one line in an access list, the entire access list had to be removed and replaced with the new updated access list. IP access list entry sequence numbering requires Cisco IOS Software Release 12.3 and allows you to add access-list entry sequence numbers to the beginning of standard and extended access-list rules, so that you can make additions and changes to individual rules in the access list.

Guidelines for Placing Access Lists

Extended IP access lists can block traffic from leaving the source and should be as close as possible to the source of the traffic to be denied. Standard IP access lists block traffic at the destination and should be as close as possible to the destination of the traffic to be denied.

Additional Types of ACLs

Standard and extended ACLs can become the basis for other types of ACLs that provide additional functionality. These other types of ACLs include the following:
- Dynamic ACLs (lock-and-key)
- Reflective ACLs
- Time-based ACLs

Dynamic ACLs

Dynamic ACLs (lock-and-key) dynamically create access-list entries on the router to allow a user that has authenticated to the router through Telnet to access resources that are blocked behind the router. Dynamic ACLs depend on the user authenticating to the router and an extended access list. Considered lock-and-key, the configuration starts with an extended ACL that blocks traffic through the router. A user who wants to traverse through the router is blocked by the extended ACL until he authenticates to the router through Telnet with a username and password. After being authenticated, the Telnet connection is dropped and a single-entry dynamic ACL entry is added to the extended ACL to permit the user to traverse through the router.

Reflective ACLs

Reflective ACLs allow IP packets to be filtered based on upper-layer session information. They are used to allow outbound traffic, and they limit inbound traffic in response to sessions that originate from a network inside the router. Reflective ACLs contain only temporary entries that are created when a new IP session begins and are removed when the session ends. Reflective ACLs are not applied directly to an interface, but are "nested" within an extended named IP ACL that is applied to an interface.

Time-Based ACLs

Time-based ACLs are similar to extended access lists, except they control access based on time.

Configuring IP Access Lists

Access lists are processed from top to bottom, making statement ordering critical to efficient operation. Put more-specific statements before more-general ones. Frequently occurring conditions should be placed before less-frequent conditions. Remember that all access lists end with an implicit deny any statement. Named access lists and ACLs using extended sequence entries allow the removal and changes of individual statements. A single interface can have one access list per protocol, per direction.

Guidelines for Implementing Access Lists
- Be sure to use the correct numbers for the type of list and protocols you want filtered.
- You can use only one access list per protocol, per interface, per direction.
- Always place specific and frequent statements at the beginning of an access list.

- Additions are always added to the end of the access list. You cannot selectively add or remove statements in the middle of standard or extended access lists unless you are using named ACLs or extended sequence entries (IOS 12.3).
- Create your statements before applying the list to an interface.
- An interface with an empty access list applied to it allows (permits) all traffic.
- Every access list should include at least one permit statement. Without an explicit permit, the implicit deny at the end of every list causes all packets to be denied.
- Access lists filter only traffic going through the router.

Configuring Standard IP Access Lists

The command syntax to create a standard IP access list is as follows:

access-list access-list-number {permit | deny} source-address [wildcard-mask]

where access-list-number is a number from 1 to 99 or 1300 to 1999. For example, the following commands create access list number 10, which denies any IP address between 192.168.0.1 and 192.168.0.255 and permits everything else (a standard list takes a source only, so the final statement is permit any):

RouterA(config)#access-list 10 deny 192.168.0.0 0.0.0.255
RouterA(config)#access-list 10 permit any

Configuring Extended IP Access Lists

The Cisco IOS command syntax to create an extended access list is as follows:

access-list access-list-number {permit | deny} protocol source-address source-wildcard [operator port] destination-address destination-wildcard [operator port]

where:
- protocol examples include IP, TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), generic routing encapsulation (GRE), and IGRP.
- operator port can be lt (less than), gt (greater than), eq (equal to), or neq (not equal to) and a protocol port number.

The following example creates an extended access list that blocks FTP traffic from network 172.16.4.0/24 to network 172.16.3.0/24 and applies the ACL to interface Ethernet 0:

RouterA>enable
RouterA#config term
RouterA(config)#access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
RouterA(config)#access-list 101 permit ip any any
RouterA(config)#interface ethernet 0
RouterA(config-if)#ip access-group 101 in

Using IP Access List Entry Sequence Numbers

To use entry sequence numbers, you first create the access list. Then you add the access list rules by first defining the entry sequence where you want the rule to be added in the access list. The following example creates an extended ACL, using entry sequence numbers, that permits HTTP and FTP traffic from network 192.168.1.0/24 to network 172.16.0.0/16:

RouterA(config)#ip access-list extended 100
RouterA(config-ext-nacl)#1 permit tcp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq http
RouterA(config-ext-nacl)#10 permit tcp 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255 eq ftp

In the preceding example, if you want to add a rule between rule 1 and rule 10, you give it a sequence number between 1 and 10. If you want to edit only one line in the ACL, you enter the ACL you want to edit and then use the sequence number to identify which line you want to edit.
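The wildcard-mask rules from the Wildcard Masking section and the top-to-bottom, first-match, implicit-deny processing described under Access List Operations, applied to the standard and extended lists configured above, as an added Python example (not code from the book). The port-name table, the protocol keyword set and the test packets are constructed for the example.

```python
"""Wildcard masks and top-down access-list evaluation (added example, not code
from the CCNA Quick Reference Sheets). parse_acl() reads the numbered and named
permit/deny statements shown in this section, with host/any abbreviations and
optional entry sequence numbers; evaluate() tests a packet top to bottom, first
match wins, ending in the implicit deny. Port names, protocols and the sample
packets are constructed; ICMP types, lt/gt/neq and dynamic are not modelled."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre"}
PORT_NAMES = {"ftp": 21, "telnet": 23, "http": 80, "www": 80, "https": 443}


def wildcard_from_prefix(prefix_len):
    """255.255.255.255 minus the subnet mask: the shortcut described above."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(0xFFFFFFFF ^ mask))


def wildcard_match(addr, base, wildcard):
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    check = 0xFFFFFFFF ^ w
    return a & check == b & check


@dataclass
class Entry:
    action: str                      # permit | deny
    protocol: str                    # "ip" matches every IP protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # standard lists: any destination
    dst_wc: str = "255.255.255.255"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _take_addr(tokens, allow_bare):
    """Consume any | host A.B.C.D | A.B.C.D wildcard (bare address = host in a standard list)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "0.0.0.0", "255.255.255.255"
    if tok == "host":
        return tokens.pop(0), "0.0.0.0"
    if allow_bare and not (tokens and tokens[0][0].isdigit()):
        return tok, "0.0.0.0"
    return tok, tokens.pop(0)


def _take_port(tokens):
    if not tokens or tokens[0] != "eq":      # only the eq operator is modelled
        return None
    _, name = tokens.pop(0), tokens.pop(0)
    return PORT_NAMES.get(name) or int(name)


def parse_entry(line):
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]              # drop keyword and list number
    elif tokens[0].isdigit():
        tokens = tokens[1:]              # drop an entry sequence number
    action = tokens.pop(0)
    standard = tokens[0] not in PROTOCOLS
    proto = "ip" if standard else tokens.pop(0)
    src, src_wc = _take_addr(tokens, allow_bare=standard)
    entry = Entry(action, proto, src, src_wc)
    if not standard:                     # extended: ports and destination follow
        entry.src_port = _take_port(tokens)
        entry.dst, entry.dst_wc = _take_addr(tokens, allow_bare=False)
        entry.dst_port = _take_port(tokens)
    return entry


def parse_acl(lines):
    return [parse_entry(line) for line in lines]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def matches(entry, pkt):
    return (entry.protocol in ("ip", pkt.protocol)
            and wildcard_match(pkt.src, entry.src, entry.src_wc)
            and wildcard_match(pkt.dst, entry.dst, entry.dst_wc)
            and entry.src_port in (None, pkt.src_port)
            and entry.dst_port in (None, pkt.dst_port))


def evaluate(acl, pkt):
    """(action, 1-based statement index); no match is the implicit deny: ("deny", None)."""
    for index, entry in enumerate(acl, start=1):
        if matches(entry, pkt):
            return entry.action, index
    return "deny", None


# Constructed from the standard and extended lists configured in this section.
ACL_10 = parse_acl(["access-list 10 deny 192.168.0.0 0.0.0.255", "access-list 10 permit any"])
ACL_101 = parse_acl(["access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21",
                     "access-list 101 permit ip any any"])
```

Dropping the final permit from ACL_101 and evaluating a packet that matches nothing returns ("deny", None), which is the implicit deny the text warns about.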

Configuring Named Access Lists

When you create a named access list, you use the ip access-list extended name global command, where name is the name of the access list. Issuing this command places you in named IP access list subcommand mode, which then allows you to enter the access list parameters. The following creates a named access list that blocks ping from networks 172.16.160.0/22 to host 192.168.3.101:

RouterA(config)#ip access-list extended block-ping
RouterA(config-ext-nacl)#deny icmp 172.16.160.0 0.0.3.255 host 192.168.3.101 echo
RouterA(config-ext-nacl)#permit ip any any

Applying Access Lists

To apply an access list to an interface on a Cisco router, use the ip access-group interface command, as follows:

ip access-group access-list-number {in | out}

For example, the following applies access list 10 to serial interface 0 as an inbound access list:

RouterA(config)#int s0
RouterA(config-if)#ip access-group 10 in

To remove an access list from a router, first remove it from the interface by entering the no ip access-group access-list-number direction command. Then remove the access list by entering the no access-list access-list-number global command.

Creating Dynamic Access Lists

Follow these steps to create a dynamic ACL:

Step 1. Create a user authentication method on the router. This can either be local or remote using an AAA or RADIUS server. The following example enables local authentication on the router:

RouterA(config)#username remote password 0 cisco
RouterA(config)#username remote autocommand access-enable host timeout 10

This creates a user named remote with a password of cisco and configures the router to time out after 10 minutes of idle traffic. Because this example is using local authentication, the router needs to be configured to locally authenticate when a user tries to connect to the vty ports:

RouterA(config)#line vty 0 4
RouterA(config-line)#login local

Step 2. Define an extended ACL to permit vty access but block all other traffic. For example:

RouterA(config)#access-list 101 permit tcp any host 192.168.1.1 eq telnet
RouterA(config)#interface s0
RouterA(config-if)#ip access-group 101 in

Step 3. Create a dynamic ACL that applies to the extended ACL you created after it is authenticated. For example, the following command creates the dynamic ACL that is applied to ACL 101:

RouterA(config)#access-list 101 dynamic remoteaccess timeout 15 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

Verifying Access List Configuration

The show ip interface interface-type interface-number command displays whether an IP access list is applied to an interface. The show running-config and show access-list commands display all access lists configured on a router.

Virtual Terminal (vty) Access Lists

In addition to physical ports, devices also have virtual ports (called virtual terminal lines). Most current Cisco devices support 16 virtual terminal lines, numbered vty 0 through vty 15. Virtual terminal access lists can block vty access to the router or block access to other routers on allowed vty sessions. Standard and extended access lists applied to physical interfaces do not prevent router-initiated Telnet sessions. The syntax for a vty access list is as follows:

line vty {vty# | vty-range}
access-class {IP access list #} in

After the vty statements are added, they are assigned to the router with the following command:

access-class access-list-number {in | out}

Specifying in prevents incoming Telnet connections, and out prevents Telnet connections to other routers from the vty ports. Restrictions on vty access should include all virtual ports, because users can connect through any vty port.

Troubleshooting Access Lists

Access lists are processed from the top down. Most access list errors are due to an incorrect statement entry that denies traffic. To troubleshoot access lists, verify that the statements are correct and applied to the proper interface and direction. Also, remember that at the end of each access list is an implicit deny any statement.
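The matching rules this section relies on (wildcard masks, top-down evaluation with the first match winning, the implicit deny at the end of a list, and an empty list permitting everything) are shown below as an added Python example. It is not from the book or from Cisco IOS; it parses the standard and extended access-list syntax used in this section and evaluates sample packets against it. The list numbers, addresses and ports in SAMPLE_CONFIG are constructed for the example.

```python
import ipaddress

# Constructed sample configuration (not the book's own lists): one standard list (10),
# one deny-only standard list (20), and one extended list (101).
SAMPLE_CONFIG = """
access-list 10 deny 192.168.0.0 0.0.255.255
access-list 10 permit any
access-list 20 deny 10.0.0.0 0.255.255.255
access-list 101 deny tcp 172.16.3.0 0.0.0.255 172.16.4.0 0.0.0.255 eq 21
access-list 101 permit ip any any
"""

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "http": 80, "www": 80}
OPERATORS = {"lt": lambda p, n: p < n, "gt": lambda p, n: p > n,
             "eq": lambda p, n: p == n, "neq": lambda p, n: p != n}


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _take_addr(tokens):
    """Consume 'any', 'host A', or 'A WILDCARD' (a missing wildcard means 0.0.0.0, i.e. one host)."""
    token = tokens.pop(0)
    if token == "any":
        return 0, 0xFFFFFFFF
    if token == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    addr = int(ipaddress.IPv4Address(token))
    wildcard = 0
    if tokens and _is_ipv4(tokens[0]):
        wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return addr, wildcard


def _take_port(tokens):
    """Consume an optional 'lt|gt|eq|neq PORT' clause; PORT may be a number or a well-known name."""
    if tokens and tokens[0] in OPERATORS:
        op, port = tokens.pop(0), tokens.pop(0)
        return op, int(port) if port.isdigit() else PORT_NAMES[port]
    return None


def parse_acls(text):
    """Parse 'access-list N {permit|deny} ...' lines into {N: [entries]}, preserving entry order."""
    acls = {}
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard list: source only
            entry = {"action": action, "proto": "ip", "src": _take_addr(rest), "sport": None,
                     "dst": (0, 0xFFFFFFFF), "dport": None}
        else:                                                # extended list
            proto = rest.pop(0)
            src, sport = _take_addr(rest), _take_port(rest)
            dst, dport = _take_addr(rest), _take_port(rest)
            entry = {"action": action, "proto": proto, "src": src, "sport": sport,
                     "dst": dst, "dport": dport}
        acls.setdefault(number, []).append(entry)            # additions always go to the end
    return acls


def _addr_match(spec, ip):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'do not care' for that bit."""
    addr, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def _port_match(spec, port):
    return spec is None or OPERATORS[spec[0]](port, spec[1])


def evaluate(entries, proto, src, dst, sport=0, dport=0):
    """Walk the list top down; the first matching entry decides. Returns (action, entry_no)."""
    if not entries:
        return "permit", None        # an empty list applied to an interface permits everything
    for number, e in enumerate(entries, start=1):
        if e["proto"] not in ("ip", proto):
            continue
        if (_addr_match(e["src"], src) and _port_match(e["sport"], sport)
                and _addr_match(e["dst"], dst) and _port_match(e["dport"], dport)):
            return e["action"], number
    return "deny", None              # implicit deny any at the end of every non-empty list


def demo():
    acls = parse_acls(SAMPLE_CONFIG)
    return {
        "ftp_blocked": evaluate(acls[101], "tcp", "172.16.3.7", "172.16.4.9", 51000, 21),
        "http_allowed": evaluate(acls[101], "tcp", "172.16.3.7", "172.16.4.9", 51000, 80),
        "std_denied": evaluate(acls[10], "ip", "192.168.44.5", "172.16.4.9"),
        "std_permitted": evaluate(acls[10], "ip", "10.1.1.1", "172.16.4.9"),
        "deny_only_list": evaluate(acls[20], "ip", "192.168.1.1", "172.16.4.9"),
        "empty_list": evaluate([], "ip", "192.168.1.1", "172.16.4.9"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} -> {result}")
```

The deny-only list 20 shows the troubleshooting point above: a packet that matches none of its entries is dropped by the implicit deny, while the same packet against an empty list is permitted.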

Section 8
Managing Address Space with NAT and IPv6

Network Address Translation (NAT) was initially developed as an answer to the diminishing number of IP addresses. When the IP address scheme was originally developed, it was believed that the address space would not run out. The combination of the PC explosion and the emergence of other network-ready devices quickly consumed many of the available addresses. An additional (and equally important) benefit of NAT is that it hides private addresses from public networks, making communication more secure from hackers.

Properties of NAT are as follows:

- NAT is configured on a router, firewall, or other network device.
- Static NAT uses one-to-one private-to-public address translation.
- Dynamic NAT matches private addresses to a pool of public addresses on an as-needed basis. The address translation is still one-to-one.

Figure 8-1 shows how NAT translates the inside address of 10.0.0.1 to the outside address 172.2.34.21.

FIGURE 8-1 NAT: inside hosts 10.0.0.1 and 10.0.0.2 send packets with SA 10.0.0.1 and SA 10.0.0.2; the NAT router forwards them toward the Internet as SA 172.2.34.21 and SA 172.2.34.22.
NAT Table: Inside Local IP Address 10.0.0.1 -> Inside Global IP Address 172.2.34.21; Inside Local IP Address 10.0.0.2 -> Inside Global IP Address 172.2.34.22

Port Address Translation (PAT) is a form of dynamic address translation that uses many (private addresses) to few or one (public address). This is called overloading and is accomplished by assigning port numbers, as shown in Figure 8-2.

FIGURE 8-2 PAT: inside hosts 10.0.0.1:2610 and 10.0.0.2:1533 are translated to inside global address/port pairs (172.2.34.21:2610 and 172.2.34.22:1533 in the figure's NAT table) before the packets reach the Internet.

Details of PAT are as follows:

- Because the port number is 16 bits, PAT can theoretically map 65,536 sessions to a single public address.
- PAT continues to look for available port numbers. If one is not found, PAT increments the IP address (if available).
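The port-allocation behaviour just described (a session keeps its original source port when it is free, PAT otherwise picks another free port, and only moves to the next inside global address when one address runs out of ports) is shown below as an added Python simulation. It is not code from the book or from IOS; the pool addresses are taken from Figure 8-2, and the deliberately tiny port range is an assumption so that exhaustion is reached in a few sessions.

```python
from itertools import chain


class PatTranslator:
    """Simulated PAT (overload) table: many inside local (ip, port) pairs share one or a few
    inside global addresses and are told apart by port number.

    Constructed example, not IOS code. Pool addresses and port range are assumptions.
    """

    def __init__(self, global_pool, first_port=1024, last_port=65535):
        self.pool = list(global_pool)                 # inside global addresses, in order
        self.first_port, self.last_port = first_port, last_port
        self.outbound = {}      # (inside local ip, port) -> (inside global ip, port)
        self.inbound = {}       # reverse mapping, used for returning traffic
        self.in_use = {ip: set() for ip in self.pool}

    def translate(self, inside_ip, inside_port):
        """Return the inside global (ip, port) for a session, allocating one on first use."""
        key = (inside_ip, inside_port)
        if key in self.outbound:                      # existing session keeps its entry
            return self.outbound[key]
        for global_ip in self.pool:                   # stay on one address while it has ports
            used = self.in_use[global_ip]
            # keep the original source port if it is free, otherwise take the next free one
            for port in chain((inside_port,), range(self.first_port, self.last_port + 1)):
                if port not in used:
                    used.add(port)
                    self.outbound[key] = (global_ip, port)
                    self.inbound[(global_ip, port)] = key
                    return self.outbound[key]
            # every port on this address is taken: fall through to the next address, if any
        raise RuntimeError("PAT pool exhausted: no free port on any inside global address")

    def untranslate(self, global_ip, global_port):
        """Map a reply arriving on the outside interface back to the inside host, or None."""
        return self.inbound.get((global_ip, global_port))

    def sessions(self):
        return len(self.outbound)


def demo():
    # Two addresses from Figure 8-2 and a two-port range (constructed) so that .21 fills up fast.
    pat = PatTranslator(["172.2.34.21", "172.2.34.22"], first_port=1024, last_port=1025)
    first = pat.translate("10.0.0.1", 2610)   # keeps port 2610 on the first address
    second = pat.translate("10.0.0.2", 1533)
    third = pat.translate("10.0.0.3", 2610)   # 2610 already in use on .21: gets 1024
    fourth = pat.translate("10.0.0.4", 2610)  # gets 1025, the last free port on .21
    fifth = pat.translate("10.0.0.5", 2610)   # .21 exhausted: PAT moves on to .22
    again = pat.translate("10.0.0.1", 2610)   # same session, same entry

    single = PatTranslator(["192.0.2.1"], first_port=1024, last_port=1024)
    single.translate("10.9.9.1", 40000)
    single.translate("10.9.9.2", 40000)
    try:
        single.translate("10.9.9.3", 40000)
        exhausted = False
    except RuntimeError:
        exhausted = True                      # one address, two ports, third session fails

    return {
        "first": first, "second": second, "third": third, "fourth": fourth, "fifth": fifth,
        "stable": again == first,
        "reply_to_third": pat.untranslate("172.2.34.21", 1024),
        "unknown_reply": pat.untranslate("172.2.34.21", 4444),
        "sessions": pat.sessions(),
        "exhausted": exhausted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

The reverse table is the part worth noticing from a security standpoint: an inbound packet whose destination address/port pair is not in it has no inside host to go to, which is why a PAT device drops unsolicited inbound traffic by default.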

NAT Terminology

Table 8-1 lists the Cisco NAT terminology.

TABLE 8-1 NAT Terminology

Name | Description
Inside local address | The IP address assigned to a host on the inside, private network. This is usually a private IP address.
Inside global address | A legal routable IP address that represents one or more inside local IP addresses to the outside world.
Outside local address | The IP address of an outside host as it appears to the inside, private network. Usually a private IP address.
Outside global address | The IP address assigned to a host on the outside network by the host’s owner. Usually a routable IP address.

Configuring Static NAT

To configure static NAT, you must first create the static mapping table and then define which interfaces on your router connect to the inside network and the outside network. The following example creates the static mapping and defines interface s0 as connecting to the outside network and interface e0 as connecting to the inside network:

RouterB(config)#ip nat inside source static 192.168.10.5 216.1.1.3
RouterB(config)#int s0
RouterB(config-if)#ip nat outside
RouterB(config-if)#int e0
RouterB(config-if)#ip nat inside

Configuring Dynamic NAT

To configure dynamic NAT, you first have to create a NAT pool of external IP addresses that internal hosts can draw from. Then create an access list that defines the internal hosts to be translated. Finally, enable the translation to occur. As with static NAT, you have to define which interface is internal and which interface is external:

RouterB(config)#ip nat pool cisco 216.1.1.1 216.1.1.14 netmask 255.255.255.240   (creates a NAT pool called cisco)
RouterB(config)#access-list 10 permit 192.168.1.0 0.0.0.255   (defines the IP addresses that will be translated)
RouterB(config)#ip nat inside source list 10 pool cisco   (establishes dynamic translation of access list 10 with the NAT pool named cisco)

Configuring PAT

To configure PAT, you first define an access list that permits the internal hosts to be translated. You then use the ip nat inside source list access-list-number interface interface-type overload global command, as follows:

RouterA>enable
RouterA#config term
RouterA(config)#access-list 99 permit 10.1.1.0 0.0.0.255
RouterA(config)#ip nat inside source list 99 interface fa0/1 overload
RouterA(config)#interface ethernet 0
RouterA(config-if)#ip nat inside
RouterA(config-if)#exit
RouterA(config)#interface fa 0/1
RouterA(config-if)#ip nat outside
RouterA(config-if)#exit
RouterA(config)#exit

Verifying NAT and Resolving Translation Table Issues

The show ip nat translations command lists all active translations. The show ip nat statistics command shows all translation statistics. The clear ip nat translation * command clears all dynamic translation tables. The clear ip nat translation inside global-ip local-ip command clears a specific entry from a dynamic translation table. The clear ip nat translation outside local-ip global-ip command clears a specific outside translation address.

Transitioning to IPv6

IPv6 is an updated version of IP with the following features:

- Larger address space (128 bits)
- Simplified header
- Autoconfiguration
- Security with mandatory IPsec for all IPv6 devices
- Mobility
- Enhanced multicast support
- Extension headers
- Flow labels

- Improved address allocation
- Address aggregation

Although IPv6 has many advanced features, the primary reason for the move to IPv6 is the depletion of IPv4 addresses.

Format of IPv6 Addresses

IPv6 addresses are 128 bits long and are represented in eight 16-bit hexadecimal segments. An example of an IPv6 address is as follows:

2001:0D02:0000:0000:0000:C003:0001:F00D

Figure 8-3 shows the IPv6 address structure.

FIGURE 8-3 IPv6 Address Structure: Format (3 bits) | Top-Level Aggregation (13 bits) | Next-Level Aggregation (24 bits) | Site-Level Aggregation (16 bits) | Rsvd (8 bits) | Interface ID (64 bits)

Two rules for reducing the size of written IPv6 addresses are as follows:

- Rule 1: The leading 0s in any segment do not have to be written. If any segment has fewer than four hexadecimal digits, it is assumed that the missing digits are leading 0s. For example, 2001:0D02:0000:0000:0000:C003:0001:F00D can be written as 2001:D02:0:0:0:C003:1:F00D

- Rule 2: Any single run of consecutive fields that are all 0s can be represented with a double colon (::). For example, 2001:D02:0:0:0:C003:1:F00D can be further reduced to 2001:D02::C003:1:F00D. The double colon can only be used once.

Types of IPv6 Addresses

The three types of IPv6 addresses are as follows:

- Unicast: A global unicast address is an address that is globally unique and can be routed globally. Link-local unicast addresses are addresses that are confined to a single link.
- Multicast: An address that identifies a set of devices. Features one-to-many mapping. Replicates IPv4 broadcast addresses.
- Anycast: An address that represents a service instead of a device. Features one-to-nearest mapping.

Assigning IPv6 Addresses

IPv6 addresses can be assigned in one of the following ways:

- Statically
- Stateless autoconfiguration
- DHCPv6

In static assignment, the network administrator assigns an IPv6 address to a host.

Hosts use stateless autoconfiguration by waiting for a router to advertise the local prefix. If the end system has a 64-bit MAC address, the host joins the prefix and its MAC address to form an IPv6 address. If the end system has a 48-bit MAC address, the host flips the global/local bit and inserts 0xFFFE in the middle of the MAC address. This is called the EUI-64 address, and it is joined to the prefix to form the IPv6 address.

DHCPv6 works the same way that DHCPv4 works.

Routing with IPv6

IPv6 supports the following routing protocols:

- Static
- RIPng
- OSPFv3
- EIGRP for IPv6
- IS-IS for IPv6
- MP-BGP

Static Routing

Static routing with IPv6 is configured the same way as with IPv4. However, IPv6 has one specific requirement: The router must be able to determine the link-local address of each neighboring router. In other words, do not use a global unicast address as a next-hop address when configuring IPv6 static routes.
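The two address-shortening rules and the EUI-64 construction from the preceding pages are implemented below as an added Python example. It is not from the book; the MAC address and prefix in the demo are constructed. The compression follows RFC 5952, which is slightly stricter than Rule 2 as stated: only a run of two or more zero segments is replaced by "::", and the longest run (the first one on a tie) is chosen, so every address has exactly one canonical form. An address with two double colons, which the rules forbid, is rejected.

```python
def expand_ipv6(addr):
    """Reverse both rules: return all eight segments, each padded to four uppercase hex digits."""
    if addr.count("::") > 1:
        raise ValueError("the double colon may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero segment")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(1 <= len(p) <= 4 for p in parts):
        raise ValueError("an IPv6 address has eight 16-bit segments")
    return ":".join(f"{int(p, 16):04X}" for p in parts)      # Rule 1 undone


def compress_ipv6(addr):
    """Apply Rule 1 (drop leading zeros) and Rule 2 (longest run of zero segments -> '::')."""
    segs = [f"{int(p, 16):X}" for p in expand_ipv6(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:                          # scan for the longest run of "0" segments
        if segs[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and segs[j] == "0":
            j += 1
        if j - i > best_len:              # strictly greater: on a tie the first run wins
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                      # RFC 5952: never shorten a lone zero segment
        return ":".join(segs)
    return ":".join(segs[:best_start]) + "::" + ":".join(segs[best_start + best_len:])


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID: insert FFFE in the middle, flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                        # bit 1 of the first octet is the U/L bit
    return ":".join(f"{eui[k]:02X}{eui[k + 1]:02X}" for k in range(0, 8, 2))


def slaac_address(prefix, mac):
    """Join the advertised /64 prefix with the EUI-64 interface ID (stateless autoconfiguration)."""
    network, length = prefix.split("/")
    if int(length) != 64:
        raise ValueError("stateless autoconfiguration requires a 64-bit prefix")
    top = expand_ipv6(network).split(":")[:4]
    return compress_ipv6(":".join(top) + ":" + eui64_interface_id(mac))


if __name__ == "__main__":
    # Constructed inputs: the book's example address, plus an assumed MAC and /64 prefix.
    print(expand_ipv6("2001:D02::C003:1:F00D"))
    print(compress_ipv6("2001:0D02:0000:0000:0000:C003:0001:F00D"))
    print(slaac_address("2001:D02::/64", "00:0C:29:AB:CD:EF"))
```

Because the EUI-64 interface ID is derived from the hardware address, a host that autoconfigures this way keeps the same 64-bit suffix on every network it joins, which is the tracking concern that privacy extensions (randomised interface IDs) were introduced to address.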

RIPng

RIPng is the IPv6 version of RIP, a distance vector protocol. RIPng is defined in RFC 2080 and is based on RIPv2. Like version 2, RIPng uses hop count as its metric and has a maximum hop count of 15. However, some changes to RIPng include the following:

- Uses IPv6 for transport.
- Uses multicast group FF02::09 to advertise routes every 30 seconds.
- Updates are sent on UDP port 521.

OSPFv3

OSPFv3 is based on the current version of OSPF, which is version 2. OSPFv3 runs directly over IPv6 and advertises using multicast groups FF02::5 and FF02::06. FF02::5 is the “all OSPF routers” address, and FF02::06 is the “all OSPF DRs” address. Like version 2, OSPFv3 sends Hellos to neighbors, and exchanges LSAs and database descriptors (DBD), but uses its link-local address as the source address of its advertisements. OSPFv3 does not include authentication because authentication in IPv6 is handled through IPsec.

EIGRP for IPv6

EIGRP for IPv6 is the same EIGRP protocol as used with IPv4. It uses the same metric but includes a protocol-dependent module for IPv4 and IPv6.

Strategies for Implementing IPv6

Several strategies exist for migrating from IPv4 to IPv6. These strategies are called transition mechanisms, and they allow IPv4 hosts to communicate with IPv6 hosts. Three current IPv6 transition mechanisms are as follows:

- Dual stack: A network interface that is configured with an IPv4 address and an IPv6 address.
- Tunneling: Consists of encapsulating IPv6 packets within IPv4 packets.
- Proxying and translation: A device that can translate IPv6 addresses to IPv4 addresses to communicate with IPv4 servers.

Configuring IPv6

IPv6 is not enabled by default on Cisco routers. The ipv6 unicast-routing global command enables IPv6 on the router. The following are steps for configuring IPv6:

Step 1. Obtain IPv6 prefixes.
Step 2. Allocate IPv6 addresses to devices.
Step 3. Configure router interfaces.
Step 4. Configure routing (static, RIPng, OSPF, EIGRP).
Step 5. Configure tunnels (if communicating over an IPv4 network).
Step 6. Configure name servers.

The following example configures a router with IPv6, assigns an IPv6 address, configures a tunnel, enables RIPng, and configures a name server:

RouterA#config term
RouterA(config)#ipv6 unicast-routing
RouterA(config)#interface ethernet 0
RouterA(config-if)#ipv6 address 2001:0d02::2:0100/64
RouterA(config-if)#interface tunnel 0   (create the tunnel interface)

RouterA(config-if)#ipv6 unnumbered ethernet 0   (identify the tunnel)
RouterA(config-if)#tunnel source ethernet 0   (configure tunnel source as e0)
RouterA(config-if)#tunnel destination 192.168.10.2   (the IPv4 address where the tunnel terminates)
RouterA(config-if)#tunnel mode ipv6ip   (configure the tunnel mode as IPv6)
RouterA(config-if)#exit
RouterA(config)#ipv6 router rip cisco   (enable rip with the process called cisco)
RouterA(config-rtr)#interface s0
RouterA(config-if)#ipv6 rip cisco enable   (enable rip for the interface)
RouterA(config-if)#exit
RouterA(config)#ip name-server 2001:d02::c003:1:f00d   (enable name servers)

Part IV: Extending the Network into the WAN

Section 9
Establishing Serial Point-to-Point Connections

WANs connect networks, users, and services across a broad geographic area. Companies use the WAN to connect company sites for information exchange (see Figure 9-1).

FIGURE 9-1 WAN Connections (company sites connected through a Service Provider)

Understanding Serial WAN Interfaces

WAN serial interfaces, defined as follows, are either synchronous or asynchronous:

- Synchronous links have identical frequencies and contain individual characters encapsulated in control bits, called start/stop bits, which designate the beginning and end of each character. Synchronous links try to use the same speed as the other end of a serial link, where one set of wires carries data and a separate set of wires carries clocking for that data. Synchronous transmission occurs on V.35 and other interfaces.

- Asynchronous links send digital signals without timing. Asynchronous links agree on the same speed, but no check or adjustment of the rates occurs if they are slightly different. Only 1 byte per transfer is sent. Modems are asynchronous.

Serial interfaces are specified as DTE (data terminal equipment) or data communications equipment (DCE). DCEs provide clocking for the serial link; in other words, DCE converts user data into the service provider’s preferred format. An example of a DCE is a channel service unit/data service unit (CSU/DSU) or a serial interface configured for clocking. The port configured as DTE requires external clocking from the CSU/DSU or other DCE device.

WAN Review

Figure 9-2 shows the typical WAN topology with explanations as follows:

FIGURE 9-2 Typical WAN Topology: Customer Premises Equipment (CPE), Demarcation, Local Loop, CO Switch, Toll Network (Trunks and Switches) inside the WAN Service Provider, and a Point-to-Point or Circuit-Switched Connection

- Customer premises equipment (CPE): Located on the subscriber’s premises and includes both equipment owned by the subscriber and devices leased by the service provider.

- Demarcation (or demarc): Marks the point where CPE ends and the local loop begins. Usually it is located in the telecommunications closet.
- Local loop (or last mile): The cabling from the demarc into the WAN service provider’s central office.
- Central office (CO): A switching facility that provides a point of presence for WAN service, the exit point from the WAN for called devices, and a switching point for calls. The central office is the entry point to the WAN cloud.
- Toll network: A collection of trunks inside the WAN cloud.

WAN Connection Types

WAN services are generally leased from service providers on a subscription basis. The following three main types of WAN connections (services) exist:

- Leased-line: A leased line (or point-to-point dedicated connection) provides a preestablished connection through the service provider’s network (WAN) to a remote network. Leased lines provide a reserved connection for the client but are costly. Leased-line connections typically are synchronous serial connections.

FIGURE 9-3 Leased-Line WAN (Synchronous Serial)

- Circuit-switched: Circuit switching provides a dedicated circuit path between sender and receiver for the duration of the call. Circuit switching is used for basic telephone service or ISDN.

FIGURE 9-4 Circuit-Switched WAN (Telephone Company; Asynchronous Serial, ISDN Layer 1)

- Packet-switched: With packet switching, devices transport packets using virtual circuits (VC) that provide end-to-end connectivity. Packet headers identify the destination. Programmed switching devices provide physical connections. Packet switching offers leased line–type services over shared lines, but at a much lower cost.

FIGURE 9-5 Packet-Switched WAN (Service Provider; Synchronous Serial)

Layer 2 Encapsulation Protocols

- High-Level Data Link Control (HDLC): The default encapsulation type on point-to-point dedicated links and circuit-switched connections.

- Point-to-Point Protocol (PPP): Provides connections between devices over several types of physical interfaces, such as asynchronous serial, High-Speed Serial Interface (HSSI), ISDN, and synchronous. PPP works with many network layer protocols, including IP and IPX. PPP uses Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) for basic security.
- Frame Relay: Industry-standard switched data link layer protocol. Frame Relay (based on X.25) can handle multiple virtual circuits.
- Asynchronous Transfer Mode (ATM): International standard for cell relay using fixed-length (53-byte) cells for multiple service types. Fixed-length cells allow hardware processing, which greatly reduces transit delays. ATM takes advantage of high-speed transmission media such as E3, T3, and Synchronous Optical Network (SONET).

Figure 9-6 shows the typical WAN connections that each Layer 2 encapsulation protocol supports.

FIGURE 9-6 WAN Connection Support by Layer 2 Encapsulation Protocols: Leased Line: HDLC, PPP, SLIP; Circuit-Switched (Telephone Company): HDLC, PPP, SLIP; Packet-Switched (Service Provider): X.25, Frame Relay, ATM

Configuring Serial Point-to-Point Encapsulation

Configuring HDLC

HDLC is a data-link protocol used on synchronous serial data links. HDLC cannot support multiple protocols on a single link, because it lacks a mechanism to indicate which protocol it is carrying. The Cisco version of HDLC uses a proprietary field that acts as a protocol field. This field makes it possible for a single serial link to accommodate multiple network-layer protocols. Cisco HDLC is a point-to-point protocol that can be used on leased lines between two Cisco devices. PPP should be used when communicating with non-Cisco devices. Figure 9-7 shows the frame format of HDLC.

FIGURE 9-7 HDLC Frame Format (Cisco HDLC): Flag | Address | Control | Proprietary | Data | FCS | Flag

Because HDLC is the default encapsulation type on serial links, you don’t need to configure HDLC. However, if the encapsulation type has been changed to another protocol, the following command changes the serial interface encapsulation back to HDLC:

Router(config-if)#encapsulation hdlc

Configuring PPP

As shown in Figure 9-8, PPP uses a Network Control Protocol (NCP) component to encapsulate multiple protocols and the Link Control Protocol (LCP) to set up and negotiate control options on the data link.

FIGURE 9-8 Point-to-Point Protocol: Layer 3 protocols (IP, IPX) at the Network Layer; at the Data Link Layer, the Network Control Protocol (IPCP, IPXCP, many others) and the Link Control Protocol (authentication, other options); at the Physical Layer, synchronous or asynchronous physical media

PPP Configuration Options

Cisco routers using PPP encapsulation include the LCP options shown in Table 9-1.

Table 9-1 PPP Configuration Options

Feature | How It Operates | Protocol
Authentication | Requires a password, performs challenge handshake | PAP, CHAP
Compression | Compresses data at the source, reproduces data at the destination | Stacker or Predictor
Error detection | Monitors data dropped on a link, avoids frame looping | Magic Number
Multilink | Load balancing across multiple links | Multilink Protocol (MP)

Establishing a PPP Session

The three phases of PPP session establishment are link establishment, authentication, and the network protocol phase:

Step 1. Link establishment: Each PPP device sends LCP packets to configure and test the link (Layer 2).
Step 2. Authentication phase (optional): If authentication is configured, either PAP or CHAP is used to authenticate the link. This must take place before the network layer protocol phase can begin (Layer 2).
Step 3. Network layer protocol phase: PPP sends NCP packets to choose and configure one or more network layer protocols to be encapsulated and sent over the PPP data link (Layer 3).

Enabling PPP

To enable PPP encapsulation on a serial interface, enter the encapsulation ppp interface command, as follows:

RouterB(config-if)#encapsulation ppp

PPP Authentication Protocols

The two methods of authentication on PPP links are as follows:

- Password Authentication Protocol (PAP): The less-secure of the two methods. Passwords are sent in clear text and are exchanged only upon initial link establishment.
- Challenge Handshake Authentication Protocol (CHAP): Used upon initial link establishment and periodically to make sure that the router is still communicating with the same host. CHAP passwords are exchanged as MD5 hash values. CHAP uses a three-way handshake process to perform one-way authentication on a PPP serial interface.
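The difference between the two methods is easiest to see by running the CHAP three-way handshake described above next to a PAP request and looking at what crosses the link. The Python below is an added example, not code from the book or from a Cisco router: it models each router's "username <peer> password <pw>" entries as a dictionary and computes the CHAP response as MD5(identifier || secret || challenge) as RFC 1994 specifies. The router names and the shared password cisco follow the configuration used in this section; the impostor and the captured-response replay are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5(identifier || shared secret || challenge). Only this hash is sent."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapRouter:
    """One PPP endpoint. `secrets` mirrors that router's 'username <peer> password <pw>' lines."""

    def __init__(self, hostname, secrets):
        self.hostname = hostname
        self.secrets = secrets
        self.identifier = 0
        self.outstanding = None           # (identifier, challenge) this router is waiting on

    # --- authenticator side ---------------------------------------------------
    def challenge(self):
        """Step 1: send a fresh identifier, a random challenge, and our hostname."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.outstanding = (self.identifier, os.urandom(16))
        return self.outstanding[0], self.outstanding[1], self.hostname

    def verify(self, identifier, response, peer_name):
        """Step 3: recompute the hash with the password stored for peer_name and compare."""
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False                  # stale, replayed, or unsolicited response
        secret = self.secrets.get(peer_name)
        if secret is None:
            return False                  # no username entry for that peer
        expected = chap_response(identifier, secret, self.outstanding[1])
        self.outstanding = None           # a challenge is answerable exactly once
        return hmac.compare_digest(expected, response)

    # --- peer side ------------------------------------------------------------
    def respond(self, identifier, challenge, authenticator_name):
        """Step 2: hash with the password configured for the challenger; never send the password."""
        secret = self.secrets[authenticator_name]
        return identifier, chap_response(identifier, secret, challenge), self.hostname


def chap_handshake(authenticator, peer):
    """Run the three-way exchange; return (success, bytes that crossed the link)."""
    ident, chal, auth_name = authenticator.challenge()
    ident2, resp, peer_name = peer.respond(ident, chal, auth_name)
    wire = bytes([ident]) + chal + auth_name.encode() + bytes([ident2]) + resp + peer_name.encode()
    return authenticator.verify(ident2, resp, peer_name), wire


def pap_request(username, password):
    """PAP sends the credentials themselves; this is what a sniffer on the link sees."""
    return username.encode() + b":" + password.encode()


def demo():
    # Both routers hold the password 'cisco' for each other, as in the section's configuration.
    router_b = ChapRouter("RouterB", {"RouterA": "cisco"})
    router_a = ChapRouter("RouterA", {"RouterB": "cisco"})
    impostor = ChapRouter("RouterA", {"RouterB": "wrong"})   # claims RouterA's name, wrong secret

    ok, wire = chap_handshake(router_b, router_a)
    bad, _ = chap_handshake(router_b, impostor)

    # Replay: a valid response is captured, then presented against the next periodic challenge.
    ident, chal, name = router_b.challenge()
    captured = router_a.respond(ident, chal, name)
    first_use = router_b.verify(*captured)
    router_b.challenge()                  # CHAP re-challenges periodically
    replayed = router_b.verify(*captured)

    return {"chap_ok": ok, "impostor_rejected": not bad, "first_use": first_use,
            "replay_rejected": not replayed,
            "chap_leaks_password": b"cisco" in wire,
            "pap_leaks_password": b"cisco" in pap_request("RouterA", "cisco")}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Two things the model makes visible: the shared secret is never transmitted under CHAP, and because each challenge is random and answerable once, a captured response is useless against the next one. MD5 is what the protocol specifies; the remaining weakness is that the secret itself must be stored in recoverable form on both routers.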

Configuring PPP Authentication

The three steps to enable PPP authentication on a Cisco router are as follows:

Step 1. Make sure that each router has a host name assigned to it using the hostname command.
Step 2. On each router, define the username of the remote router and password that both routers will use with the username remote-router-name password password command.
Step 3. Configure PPP authentication with the ppp authentication {chap | chap pap | pap chap | pap} interface command. (If both PAP and CHAP are enabled, the first method you specify in the command is used. If the peer suggests the second method or refuses the first method, the second method is used.)

The following commands configure CHAP and PAP for authentication with the password of cisco. The remote router’s host name is RouterA:

RouterB(config)#hostname RouterB
RouterB(config)#username RouterA password cisco
RouterB(config)#int s0
RouterB(config-if)#ppp authentication chap pap

Verifying the Serial Encapsulation Configuration

The show interface interface-number command, as follows, shows the encapsulation type configured on the router’s serial interface and the LCP and NCP states of an interface if PPP encapsulation is enabled:

RouterA#show int s0
Serial0 is up, line protocol is up
  Hardware is HD64570
  Internet address is 192.168.1.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255

  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  LCP Open
  Open: IPCP, CDPCP
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of “show interface” counters never
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
(text omitted)

Section 10 Establishing Frame Relay Connections

Frame Relay is a connection-oriented Layer 2 protocol that allows several data connections (virtual circuits) to be multiplexed onto a single physical link. A connection identifier maps packets to outbound ports on the service provider's switch. When the switch receives a frame, a lookup table maps the frame to the correct outbound port. The entire path to the destination is determined before the frame is sent. Frame Relay specifies only the connection between a router and a service provider's local access switching equipment.

Frame Relay is supported on the same physical serial connections that support point-to-point connections. Cisco routers support the EIA/TIA-232, EIA/TIA-449, V.35, X.21, and EIA/TIA-530 serial connections.

Frame Relay Stack

As Figure 10-1 shows, the bulk of Frame Relay functions exist at the lower two layers of the OSI reference model. Frame Relay relies on upper-layer protocols for error correction. Upper-layer information (such as IP data) is encapsulated by Frame Relay and is transmitted over the link.

FIGURE 10-1 Frame Relay Functions at Layer 1 and 2 of the OSI Reference Model
(OSI layers 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical; IP/IPX/AppleTalk, etc. sit at Layer 3, Frame Relay at Layer 2, and EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530 at Layer 1)

Frame Relay Terminology

• VC (virtual circuit): A logical circuit between two network devices. A VC can be a permanent virtual circuit (PVC) or a switched virtual circuit (SVC). SVCs are established on demand and are torn down when transmission is complete. PVCs save bandwidth (no circuit establishment or teardown) but can be expensive. Today, most Frame Relay circuits are PVCs.

• DLCI (data-link connection identifier): Identifies the logical connection between two directly connected sets of devices. The DLCI is locally significant.

• CIR (committed information rate): The minimum guaranteed data transfer rate agreed to by the Frame Relay switch.

• Inverse ARP (Inverse Address Resolution Protocol): Routers use Inverse ARP to discover the network address of a device associated with a VC.

• LMI (Local Management Interface): A signaling standard that manages the connection between the router and the Frame Relay switch. LMIs track and manage keepalive mechanisms, multicast messages, and status. The three types of LMIs supported by Cisco Frame Relay switches are Cisco (developed by Cisco, StrataCom, Northern Telecom, and DEC), ANSI Annex D (ANSI standard T1.617), and q933a (ITU-T Q.933 Annex A). LMI is configurable (in Cisco IOS Software Release 11.2 and later), but routers can autosense LMI types by sending a status request to the Frame Relay switch. The router configures itself to match the LMI type response. VC status can be active, inactive, or deleted.

• FECN (forward explicit congestion notification): A message sent to a destination device when a Frame Relay switch senses congestion in the network.

• BECN (backward explicit congestion notification): A message sent to a source router when a Frame Relay switch recognizes congestion in the network. A BECN message requests a reduced data transmission rate.

Frame Relay Topologies

Frame Relay networks can be designed using star, full-mesh, and partial-mesh topologies. Figure 10-2 shows the three topologies in Frame Relay.

FIGURE 10-2 Frame Relay Topologies (Full Mesh, Partial Mesh, Star [Hub and Spoke])

A star topology, also known as a hub-and-spoke configuration, is the common network topology. Remote sites are connected to a central site, which usually provides services. Star topologies require the fewest PVCs, making them relatively inexpensive. The hub router provides a multipoint connection using a single interface to interconnect multiple PVCs.

In a full-mesh topology, all routers have virtual circuits to all other destinations. Although it is expensive, this method provides redundancy, because all sites are connected to all other sites. Full-mesh networks become very expensive as the number of nodes increases. The number of links required in a full-mesh topology that has n nodes is [n * (n – 1)]/2.

In a partial-mesh topology, not all sites have direct access to all other sites. Connections usually depend on the traffic patterns within the network.

By default, a Frame Relay network provides nonbroadcast multiaccess (NBMA) connectivity between remote sites. An NBMA environment is treated like other broadcast media environments, such as Ethernet, where all the routers are on the same subnet. However, to reduce costs, NBMA clouds are usually built in a hub-and-spoke topology. With this topology, the physical network does not provide the multiaccess capabilities that Ethernet does, so each router might not have a separate PVC to reach the other remote routers on the same subnet. When running Frame Relay with multiple PVCs over a single interface, you can encounter split horizon when running a routing protocol.

Frame Relay Address Mapping

Because Frame Relay is an NBMA network, it needs a way to map Layer 2 information to Layer 3. To correctly route packets, each DLCI must be mapped to a next-hop address. In typical multiaccess networks, broadcasts perform this functionality. Because Frame Relay is nonbroadcast, another mechanism is needed. These addresses can be manually configured or dynamically mapped using Inverse ARP. After the address is mapped, it is stored in the router's Frame Relay map table. Figure 10-3 shows how Inverse ARP maps a DLCI to an IP address.

FIGURE 10-3 Inverse ARP Maps DLCIs to IP Addresses
(A router behind a DSU/CSU reaches the remote router at IP 10.1.1.1 over a PVC with DLCI 500; Inverse ARP or a Frame Relay map entry associates IP 10.1.1.1 with DLCI 500)

LMI Signaling Process

1. The router connects to a Frame Relay switch through a channel service unit/data service unit (CSU/DSU).
2. The router sends a VC status inquiry to the Frame Relay switch.
3. The switch responds with a status message that includes DLCI information for the usable PVCs.
4. The router advertises itself by sending an Inverse ARP to each active DLCI.
5. The routers create map entries with the local DLCI and network layer address of the remote routers.
6. LMI information is exchanged every 10 seconds.
7. Inverse ARP messages are sent every 60 seconds.

How Service Providers Map Frame Relay DLCIs

DLCIs are numbers that identify the logical connection between the router and the Frame Relay switch. The DLCI is the Frame Relay Layer 2 address, and it is locally significant. DLCIs are usually assigned by the Frame Relay service provider. A Frame Relay router learns about a remote router's DLCI by either Inverse ARP (which is automatically enabled on Cisco routers) or by static mappings. Static maps must be configured if Inverse ARP is not supported.

Configuring Frame Relay

The three commands used to configure basic Frame Relay on a router select the Frame Relay encapsulation type, establish the LMI connection, and enable Inverse ARP. The commands used are as follows:

encapsulation frame-relay [cisco | ietf]
frame-relay lmi-type {ansi | cisco | q933a}
frame-relay inverse-arp [protocol] [dlci]

Configuring Basic Frame Relay

RouterA>enable
RouterA#config term
RouterA(config)#int ser 1
RouterA(config-if)#ip address 10.16.0.1 255.255.255.0
RouterA(config-if)#encapsulation frame-relay cisco
RouterA(config-if)#frame-relay lmi-type cisco
RouterA(config-if)#bandwidth 64
RouterA(config-if)#frame-relay inverse-arp ip 16
RouterA(config-if)#exit
RouterA(config)#exit
RouterA#

Configuring a Static Frame Relay Map

A router's address-to-DLCI table can be defined statically when Inverse ARP is not supported. These static maps can also be used to control broadcasts. To statically configure the map table, use the following command:

frame-relay map protocol protocol-address dlci [broadcast] [ietf | cisco | payload-compress packet-by-packet]

where:

• protocol specifies bridging or logical link control.
• broadcast is an optional parameter that controls broadcasts and multicasts over the VC.
• payload-compress is an optional Cisco-proprietary compression method.

The frame-relay interface-dlci command also statically maps a local DLCI to a configured Layer 3 protocol on a subinterface. The difference is that map statements are used in multipoint Frame Relay configurations and the frame-relay interface-dlci command is used in point-to-point subinterface configurations.

Resolving Reachability Issues in Frame Relay

In any Frame Relay topology, when a single interface must be used to interconnect multiple sites, you can have reachability issues because of the NBMA nature of Frame Relay. Two problems that the Frame Relay NBMA topology can cause are routing update problems because of split horizon and broadcast replication issues. In Figure 10-4, Router A receives a routing update from Router B. Because Router A received the update on its serial interface, and because of the split horizon rule, Router A cannot send the updated route information to Routers C and D, causing Routers C and D to not learn about Router B.

FIGURE 10-4 Frame Relay Reachability Issues (Router A's single interface 1 connects to Routers B, C, and D)

These reachability issues can be solved by disabling split horizon or configuring subinterfaces on the router. Disabling split horizon increases the chances of routing loops in a network. The best option is to configure subinterfaces. These logically assigned interfaces let the router forward broadcast updates in a Frame Relay network.

As Figure 10-5 shows, subinterfaces are logical subdivisions of a physical interface. Routing updates received on one subinterface can be sent out another subinterface without violating split horizon rules. It is also possible (and sometimes recommended) to turn off split horizon to solve this problem.

FIGURE 10-5 Subinterface Example (Router A uses subinterfaces 1, 2, and 3 toward Routers B, C, and D; a routing update received on one subinterface is sent out the other two)

Subinterfaces can be configured as either point-to-point or multipoint. With point-to-point configuration, one PVC connection is established with another physical interface or subinterface on a remote router using a single subinterface. By configuring virtual circuits as point-to-point connections, the subinterface acts similar to a leased line, and each interface has its own local DLCI. In other words, each point-to-point subinterface is a different subnet. With multipoint configuration, multiple PVC connections are established with multiple physical interfaces or subinterfaces on remote routers on a single subinterface. All interfaces involved use the same subnet.

Configuring Subinterfaces

To enable Frame Relay on a subinterface, you must remove the IP address from the primary interface with the no ip address ip-address subnet-mask interface command, enable Frame Relay encapsulation on the serial interface, and then configure each subinterface with the IP address.
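The split-horizon behaviour described for Figures 10-4 and 10-5, as an added Python simulation (not from the book): hub router A has PVCs to spokes B, C, and D, first all bound to one physical interface and then to one point-to-point subinterface each. The DLCIs 101 to 103 and the prefix 10.2.0.0/16 are constructed values, and the routing protocol is reduced to its split-horizon rule.

```python
"""Split-horizon effect on a Frame Relay hub-and-spoke (Figures 10-4 and 10-5).

Added example, not from the CCNA Quick Reference Sheets. Router names, DLCIs
and prefixes are constructed.
"""
from collections import defaultdict

# PVCs from hub A: spoke -> (hub interface the PVC is bound to, local DLCI)
# Case 1: one physical multipoint interface carries all three PVCs.
SINGLE_INTERFACE = {"B": ("Serial0", 101), "C": ("Serial0", 102), "D": ("Serial0", 103)}
# Case 2: one point-to-point subinterface per PVC (frame-relay interface-dlci).
SUBINTERFACES = {"B": ("Serial0.1", 101), "C": ("Serial0.2", 102), "D": ("Serial0.3", 103)}


def propagate_update(pvcs: dict, source: str, prefix: str, split_horizon: bool = True) -> dict:
    """Return {spoke: set of prefixes learned} after `source` advertises `prefix` to the hub.

    The hub applies split horizon per interface: a route learned on an interface
    is never advertised back out that same interface.
    """
    learned_on = pvcs[source][0]
    received = defaultdict(set)
    for spoke, (iface, _dlci) in pvcs.items():
        if spoke == source:
            continue                  # the originator already has its own route
        if split_horizon and iface == learned_on:
            continue                  # suppressed: same interface the update came in on
        received[spoke].add(prefix)
    return dict(received)


def spokes_missing_route(pvcs: dict, source: str, prefix: str, split_horizon: bool = True) -> list:
    """Spokes that never hear about `prefix` under the given hub configuration."""
    got = propagate_update(pvcs, source, prefix, split_horizon)
    return sorted(s for s in pvcs if s != source and prefix not in got.get(s, set()))


if __name__ == "__main__":
    net = "10.2.0.0/16"   # constructed prefix behind Router B
    print("single interface, split horizon on :", spokes_missing_route(SINGLE_INTERFACE, "B", net))
    print("single interface, split horizon off:", spokes_missing_route(SINGLE_INTERFACE, "B", net, False))
    print("point-to-point subinterfaces       :", spokes_missing_route(SUBINTERFACES, "B", net))
```

With the single interface, C and D never learn B's prefix; disabling split horizon fixes that at the cost the page notes (a higher chance of routing loops), while subinterfaces fix it without touching the split-horizon rule.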

To select a subinterface, use the following command:

interface serial-number.subinterface-number {multipoint | point-to-point}

The range of subinterface numbers is 1 to 4,294,967,293. The number that precedes the period (.) must match the physical interface number to which this subinterface belongs.

To configure a subinterface, use the following command:

frame-relay interface-dlci dlci-number

The dlci-number option binds the local DLCI to the Layer 3 protocol configured on the subinterface. This is the only way to link an LMI-derived PVC to a subinterface (LMI does not know about subinterfaces), as evidenced by the show frame-relay map command.

Configuring Point-to-Point Subinterfaces

To configure point-to-point subinterfaces, enter the following sample commands:

West-SD(config-if)#no ip address 192.168.1.5 255.255.255.0
West-SD(config-if)#encap frame-relay
West-SD(config-if)#int s0.1 point-to-point
West-SD(config-if)#ip address 192.168.1.5 255.255.255.0
West-SD(config-if)#frame-relay interface-dlci 10
West-SD(config-if)#int s0.2 point-to-point
West-SD(config-if)#ip address 192.168.2.5 255.255.255.0
West-SD(config-if)#frame-relay interface-dlci 20

Configuring Multipoint Subinterfaces

To configure multipoint subinterfaces, enter the following sample commands:

West-SD(config-if)#no ip address 192.168.1.5 255.255.255.0

255. From the Library of 311 for more details. status messages sent.1.1 multipoint CCNA Quick Reference Sheets by Eric Rivard and Jim Doherty West-SD(config-if)#ip address 192. Inc. Please see page MARCO A. All rights reserved. What follows are different examples of output from the show interface command and possible reasons for the Frame Relay link failures: RouterA#show int s0 Serial0 is down.168.[ 300 ] SECTION 10 Establishing Frame Relay Connections West-SD(config-if)#encap frame-relay West-SD(config-if)#int s0. Troubleshooting Frame Relay The show interface command provides a wealth of information for troubleshooting Frame Relay.5 255. show frame-relay lmi: Displays LMI traffic statistics (LMI type.168. and the LMI DLCIs used for the local management interface. and invalid LMI messages). The frame-relay-inarp command clears all dynamic entries. .1. show frame-relay pvc: Displays the status of all configured connections. This publication is protected by copyright.2/24 © 2008 Cisco Systems. and BECN and FECN packets received by the router.0 West-SD(config-if)#frame-relay interface-dlci 10 Verifying Frame Relay You can use the following commands to verify and display Frame Relay information: n n n n show interface: Displays Layer 1 and Layer 2 status.255. show frame-relay map: Displays the current map entries for static and dynamic routes. DLCI information. traffic statistics. line protocol is down Hardware is HD64570 Internet address is 192. ZUNIGA C.

If the show interface command shows that the interface is down and the line protocol is down, the error is at the physical layer. This means that the problem is with the cable, the CSU/DSU, or the serial line. To troubleshoot the problem, perform the following:

• Check the cable to make sure that it is a DTE serial cable and that the cables are securely attached.
• If the cable is correct, try replacing the cable.
• If replacing the cable does not work, try a different serial port. If the cable does not work on the second port, the problem lies with your carrier.

RouterA#show int s0
Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 192.168.1.2/24

In the preceding example, the line is up but the line protocol is down. This means that the router is getting a carrier signal from the CSU/DSU, and the problem is with the data link layer. Causes for the line protocol being down include the following:

• Frame Relay provider not activating its port
• LMI mismatch
• Encapsulation mismatch
• DLCI is inactive or has been deleted
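An added example (not from the book) that turns the two show interface cases above into a small classifier: it reads the status line, decides between the physical-layer checklist and the data-link-layer causes the text lists, and also recognises the administratively down state, which the page does not cover but IOS reports when an interface has been shut down. The sample dumps are constructed to match the page's output.

```python
"""Classify a Cisco 'show interface' status line into the troubleshooting
branches the page describes (physical layer versus data link layer).

Added example, not from the CCNA Quick Reference Sheets. Sample output is
constructed to match the page's format.
"""
import re

STATUS_RE = re.compile(
    r"^(?P<iface>\S+) is (?P<line>administratively down|up|down), "
    r"line protocol is (?P<proto>up|down)"
)

# Checklists taken from the page, keyed by the diagnosis they belong to.
PHYSICAL_CHECKS = [
    "Check that the cable is a DTE serial cable and is securely attached",
    "Replace the cable",
    "Try a different serial port; if that fails too, the problem is with the carrier",
]
DATA_LINK_CAUSES = [
    "Frame Relay provider not activating its port",
    "LMI mismatch",
    "Encapsulation mismatch",
    "DLCI is inactive or has been deleted",
]


def diagnose(show_int_output: str) -> dict:
    """Return {'interface', 'diagnosis', 'checks'} for one show interface dump."""
    for line in show_int_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            break
    else:
        raise ValueError("no interface status line found")
    iface, line_state, proto = m.group("iface", "line", "proto")
    if line_state == "administratively down":
        # Not on the page: the interface was configured with 'shutdown'.
        return {"interface": iface, "diagnosis": "shutdown",
                "checks": ["Issue no shutdown on the interface"]}
    if line_state == "down":
        # line down / protocol down: no carrier from the CSU/DSU -> Layer 1
        return {"interface": iface, "diagnosis": "physical layer", "checks": PHYSICAL_CHECKS}
    if proto == "down":
        # line up / protocol down: carrier present, keepalives/LMI failing -> Layer 2
        return {"interface": iface, "diagnosis": "data link layer", "checks": DATA_LINK_CAUSES}
    return {"interface": iface, "diagnosis": "ok", "checks": []}


# Constructed samples in the page's format.
SAMPLE_L1_DOWN = """RouterA#show int s0
Serial0 is down, line protocol is down
Hardware is HD64570
Internet address is 192.168.1.2/24"""

SAMPLE_L2_DOWN = """RouterA#show int s0
Serial0 is up, line protocol is down
Hardware is HD64570
Internet address is 192.168.1.2/24"""

if __name__ == "__main__":
    for sample in (SAMPLE_L1_DOWN, SAMPLE_L2_DOWN):
        result = diagnose(sample)
        print(result["interface"], "->", result["diagnosis"])
        for check in result["checks"]:
            print("   -", check)
```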

Section 11 Introducing VPN Solutions

What Is a VPN?

Virtual Private Networks (VPN) provide an Internet-based WAN infrastructure for connecting branch offices, home offices, and telecommuters to the network. In other words, VPNs allow office locations and remote users to interconnect with each other securely through the Internet. After they are connected through the secure VPN connection, the interconnected networks become part of the network as if they were connected through a leased line such as a classic WAN link.

Benefits of VPNs

VPNs provide the following benefits:

• Cost savings: VPNs enable organizations to use the Internet to interconnect offices.
• Security: VPNs use advanced encryption and authentication protocols to protect data from unauthorized access.
• Scalability: Because VPNs use the Internet, adding new users or organizations is easily done without changing the organization's network infrastructure.

Types of VPNs

The following two types of VPN networks exist:

• Site-to-site
• Remote access

Site-to-site VPNs are an extension of a classic WAN network. They connect entire networks to each other. All traffic is sent and received through a VPN "gateway." The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all traffic from a particular site to the destination site. The destination VPN gateway decrypts the traffic and forwards it to the private network. A VPN gateway can be a router, a firewall, a VPN concentrator, or a Cisco ASA series adaptive security appliance. Figure 11-1 shows an example of a site-to-site VPN.

FIGURE 11-1 Site-to-Site VPN (a remote site reaches the Internet over DSL or cable through a router or POP and connects to the central site; intranet and extranet [business-to-business] links are shown)

Remote-access VPNs are used for telecommuters, mobile users, and extranet traffic. They connect individual hosts securely to the company private network. Remote VPNs can use any Internet-based medium to connect to the VPN, and each host connects through VPN client software. Figure 11-2 shows an example of remote-access VPNs.

FIGURE 11-2 Remote-Access VPNs (remote access clients, telecommuters, and mobile users reach the Internet over DSL, cable, or a POP and connect to the central site; an extranet [business-to-business] link is shown)

Cisco Easy VPN

Cisco Easy VPN is a cost-effective solution for deploying VPNs that is ideal for remote offices that have little IT support. As shown in Figure 11-3, two components of Cisco Easy VPN exist:

• Cisco Easy VPN Server
• Cisco Easy VPN Remote

FIGURE 11-3 Cisco Easy VPN Components (an Easy VPN Server at headquarters and Easy VPN Clients at a remote office and at workplace resources, connected across the Internet)

The VPN server is a dedicated VPN gateway like a Cisco VPN concentrator, Cisco PIX firewall, Cisco ASA adaptive security appliance, or a Cisco IOS router. The VPN server can terminate VPN tunnels initiated by mobile and remote workers running Cisco VPN client software. It also terminates VPN tunnels in site-to-site VPNs.

The Cisco VPN remote enables Cisco IOS routers, Cisco ASA appliances, PIX firewalls, and Cisco VPN hardware clients to receive security policies from a Cisco Easy VPN server to minimize VPN configuration requirements at remote locations.

Cisco IOS IPsec/SSL VPNs

Cisco IOS IPsec/SSL–based VPNs, or WebVPNs, provide remote-access connectivity from almost any Internet-enabled location using a web browser and its native SSL encryption. A WebVPN does not require client software to be installed on the endpoint host. Because no client software is needed, WebVPNs allow an organization to extend secure remote access to almost any Internet-enabled host.

VPN Components

The hardware and software components that usually make up a VPN are as follows:

• Cisco VPN-enabled IOS routers
• Cisco ASA adaptive security appliances
• VPN clients

Introducing IPsec

IPsec is an industry-standard protocol that acts at the network layer, protecting and authenticating IP packets between IPsec peers (devices). IPsec secures a path between a pair of gateways, a pair of hosts, or a gateway and a host. IPsec is not bound to any specific encryption or authentication algorithm, keying technology, or security algorithms, thus allowing IPsec to support newer and better algorithms. IPsec provides the following four functions:

• Confidentiality (encryption): Packets are encrypted before being transmitted across a network.
• Data integrity: The receiver can verify that the transmitted data was not altered or changed. This is done through checksums.
• Authentication: Ensures that the connection is made with the desired communication partner.
• Antireplay protection: Verifies that each packet is unique and not duplicated. This is done by comparing the sequence number of each received packet with a sliding window on the destination host or gateway.

Confidentiality

IPsec provides confidentiality by encrypting the data. The data is digitally scrambled, rendering it unreadable. As shown in Figure 11-4, for encryption to work, both the sender and receiver must know the rules to transform the original message into its coded form. These rules are based on an algorithm.

FIGURE 11-4 Encryption Confidentiality (the cleartext check "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" passes through the encryption algorithm, crosses the Internet as "4ehIDx67NMop9eR U78IOPotVBn45TR", which an observer cannot read ["Hmmm… I cannot read a thing."], and is restored by the encryption algorithm at the receiver)

Encryption Algorithms

Encryption rules are based on an algorithm and key. The degree of security depends on the length of the key of the encryption algorithm; the shorter the key, the easier it is to break. IPsec supports the following encryption algorithms:

• Data Encryption Standard (DES): Uses a 56-bit key that ensures high-performance encryption. Uses a symmetric key cryptosystem.
• Triple DES (3DES): A variant of DES that breaks data into 64-bit blocks. 3DES then processes each block three times, each time with an independent 56-bit key, thus providing significant encryption strength over DES. Uses a symmetric key cryptosystem.

• Advanced Encryption Standard (AES): Provides stronger encryption than DES and is more efficient than 3DES. Key lengths can be 128-, 192-, and 256-bit keys.

Data Integrity

To ensure data integrity, IPsec uses a data integrity algorithm that adds a hash to the message. The hash guarantees the integrity of the original message. If the transmitted hash matches the received hash, the message has not been tampered with. The data integrity algorithm is called the Hash-based Message Authentication Code (HMAC). HMAC is a type of message authentication code that uses a cryptographic hash function in combination with a secret key. Two common HMAC algorithms used by IPsec are as follows:

• HMAC-Message Digest Algorithm 5 (MD5): Uses a 128-bit shared secret key. The message and 128-bit shared secret key are combined and run through the MD5 hash algorithm, producing a 128-bit hash. This hash is added to the original message and forwarded to the remote host.
• HMAC-Secure Hash Algorithm-1 (SHA-1): Uses a 160-bit secret key. The message and 160-bit shared secret key are combined and run through the SHA-1 hash algorithm, producing a 160-bit hash. This hash is added to the original message and forwarded to the remote host.

Diffie-Hellman Key Exchange

Encryption algorithms such as DES and 3DES require a symmetric shared secret key to perform encryption and decryption. The Diffie-Hellman (DH) Key Exchange is a public key exchange that exchanges symmetric shared secret keys used for encryption and decryption over an insecure channel.
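The Data Integrity and Diffie-Hellman sections above, carried through in one added Python example (not from the book): two peers agree on a shared secret with Diffie-Hellman, hash it down to a 160-bit HMAC-SHA-1 key, and the receiver uses that key to detect a modified message. The DH modulus is a toy prime chosen so the example runs instantly; it is not one of the IPsec groups (DH1, DH2, DH5) from Figure 11-6, and the message is the constructed check from Figure 11-4.

```python
"""Diffie-Hellman key agreement followed by HMAC-SHA-1 integrity protection.

Added example, not from the CCNA Quick Reference Sheets. P and G are toy
parameters (P = 2**127 - 1 is a Mersenne prime); real IPsec uses the MODP
groups negotiated as DH1/DH2/DH5.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1     # toy modulus, NOT an IPsec DH group
G = 3              # toy generator
TAG_LEN = 20       # SHA-1 output: 160 bits


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_key(my_private: int, peer_public: int) -> bytes:
    """Both sides compute the same g^(ab) mod p, then hash it to a 160-bit HMAC key."""
    shared = pow(peer_public, my_private, P)
    return hashlib.sha1(shared.to_bytes(16, "big")).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Sender: append HMAC-SHA-1(key, message) to the message."""
    return message + hmac.new(key, message, hashlib.sha1).digest()


def verify(key: bytes, protected: bytes):
    """Receiver: recompute the HMAC and compare in constant time; None if tampered."""
    message, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return message


def demo(message: bytes = b"Pay to Terry Smith $100.00") -> dict:
    """Run the exchange between Router A and Router B and test an altered message."""
    a_priv, a_pub = dh_keypair()            # Router A
    b_priv, b_pub = dh_keypair()            # Router B
    key_a = dh_shared_key(a_priv, b_pub)    # only the public values cross the channel
    key_b = dh_shared_key(b_priv, a_pub)
    wire = protect(key_a, message)          # A sends message || tag
    tampered = bytearray(wire)
    tampered[20] ^= 0x01                    # "$100.00" becomes "$000.00" in transit
    return {
        "keys_match": key_a == key_b,
        "intact": verify(key_b, wire),
        "tampered": verify(key_b, bytes(tampered)),
    }


if __name__ == "__main__":
    result = demo()
    print("shared keys match:", result["keys_match"])
    print("intact message   :", result["intact"])
    print("tampered message :", result["tampered"])
```

An observer on the channel sees only the two public values and the tagged message; without the private exponents it cannot derive the key, and without the key it cannot produce a valid tag for a changed message.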

Authentication

In a VPN, before a communication path is considered secure, the end devices must be authenticated. The two peer authentication methods are as follows:

• Pre-Shared Keys (PSK): Pre-Shared Keys are a secret key value entered into each peer manually that authenticates the peer.
• Rivest, Shamir, and Adleman (RSA) signatures: RSA signatures use the exchange of digital certificates to authenticate the peers.

IPsec Protocol Framework

IPsec is a framework of open standards that spells out the rules for secure communications. IPsec relies on existing algorithms to implement encryption, authentication, and key exchange. As shown in Figure 11-5, the two main IPsec framework protocols are as follows:

• Authentication Header (AH): AH provides authentication and data integrity for IPsec using the authentication and data integrity algorithms. AH does not encrypt packets and, used alone, provides weak protection. As such, AH can be used with ESP to provide data encryption and tamper-aware security features.
• Encapsulating Security Payload (ESP): ESP provides encryption, authentication, and integrity. To do this, ESP encrypts the IP packet and the ESP header, thus concealing the data payload and the identities of the source and destination.

FIGURE 11-5 IPsec Framework Protocols
(Authentication Header: Router A to Router B, all data in clear text; AH provides Authentication and Integrity. Encapsulating Security Payload: Router A to Router B, data payload is encrypted; ESP provides Encryption, Authentication, and Integrity.)

Figure 11-6 shows the standard algorithms that IPsec uses.

FIGURE 11-6 IPsec Framework and Authentication Protocols
(IPsec framework choices: IPsec Protocol: ESP, AH, ESP+AH; Encryption: DES, 3DES, AES; Authentication: MD5, SHA; Diffie-Hellman: DH1, DH2, DH5)

[ 311 ] CCNA Quick Reference Sheets
Eric Rivard
Jim Doherty

Copyright © 2008 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

All rights reserved. No part of this digital Short Cut may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

First Digital Edition July 2007

ISBN-10: 1-58705-460-4
ISBN-13: 978-1-58705-460-0

Warning and Disclaimer

This digital Short Cut is designed to provide information about the CCNA exam. Every effort has been made to make this digital Short Cut as complete and accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this digital Short Cut. The opinions expressed in this digital Short Cut belong to the authors and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this digital Short Cut that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this digital Short Cut should not be regarded as affecting the validity of any trademark or service mark.

Feedback Information

At Cisco Press, our goal is to create in-depth technical Short Cuts of the highest quality and value. Each Short Cut is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members of the professional technical community. Reader feedback is a natural continuation of this process. If you have any comments on how we could improve the quality of this digital Short Cut, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please be sure to include the digital Short Cut title and ISBN in your message. We greatly appreciate your assistance.

Corporate and Government Sales

The publisher offers excellent discounts on this digital Short Cut when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, 1-800-382-3419, corpsales@pearsontechgroup.com. For sales outside the United States please contact: International Sales, international@pearsoned.com
