
Cisco CCNA/CCENT: Interconnecting Cisco Networking Devices Part 1 (ICND1)

1. Welcome to Cisco CCENT (35:26 mins)

To check details about the certifications go to www.cisco.com/certification
CCENT = ICND1 (the first exam). ICND2 is the second exam; passing it on top of ICND1 gives the CCNA.

2. Foundation: what is a network (35:32 mins)

Network: a collection of devices that can communicate together.
LAN: PCs plus a switch that connects them together.
Router: used to connect different LANs together.
Difference between the internet and a WAN:
1) Internet:
   - public network
   - no security (traffic crosses networks you do not control)
   - no guaranteed service levels
   - can still be used to connect different offices
2) WAN:
   - private network
   - security, in the sense that the links are dedicated to us and not shared with the public
   - guaranteed service levels, because we pay a carrier (AT&T, for example) to maintain our links through its network
   - those links are fast, but the problem is that they are costly

When we run a network that carries applications we care about the following:

1. Speed:
   Bit = 0 or 1 (binary)
   Byte = 8 bits (one character). If we type the letter W, that letter is 8 bits, or one byte; the word WAS is 3 bytes.
   W = 1 byte = 8 bits = 01010111 (the ASCII code 0x57)
   Kilobyte = 1024 bytes
   Megabyte = 1024 kilobytes
   Gigabyte = 1024 megabytes
   Terabyte = 1024 gigabytes

   8 bits = 1 byte
   1024 bytes = 1 kilobyte
   1024 kilobytes = 1 megabyte
   1024 megabytes = 1 gigabyte
   1024 gigabytes = 1 terabyte

   Everything in networking is measured in bits: a modem speed of 56 kbps means 56 kilobits per second (this is also called the throughput).
   kbps = kilobits per second (lowercase b)
   kBps = kilobytes per second (uppercase B), eight times as much data per second
   LAN link speeds are in general 10 Mbps, 100 Mbps, 1000 Mbps.
   WAN link speeds are in general 56 kbps, 1.544 Mbps (T1), 100 Mbps (as you notice, WAN link speeds are slower than LAN link speeds).
2. Delay (latency): voice over IP (VoIP) phones on the network are an example of traffic that suffers when delay is high.
3. Availability: how much of the time the network, and the bandwidth we expect from it, is actually usable.
Network designs (topologies): ways of connecting your devices together
1. Bus topology: the problem with this topology is that if the thick line (the shared cable) goes down we lose a whole group of devices.
2. Token ring topology: a token travels around the ring from device to device; the device that holds the token may send, and the data is passed around the ring until it is delivered to the destination device.
3. Star topology (most used nowadays): it looks like a star; there is a switch in the middle and all the other devices (PCs) are connected to it.
Examples: (diagrams not reproduced)

3. Foundations in the OSI world (43:30 mins)


OSI functions:
1. Helps break network functions down into layers
2. Creates standards for equipment manufacturing
3. Allows vendors to focus on specialized areas of the network
To memorize the OSI model use one of the following mnemonics:
- Please Do Not Throw Sausage Pizza Away (Physical, Data link, Network, Transport, Session, Presentation, Application)
- All People Seem To Need Dominos Pizza (Application, Presentation, Session, Transport, Network, Data link, Physical)
OSI model:
Application layer
  - Provides the interface that allows applications to communicate across the network: an email client, an online game, a web browser.
Presentation layer
  - Puts the data into a generic format that the other side can understand. For example, when you go to www.google.com the page is formatted in a generic format (HTML) and may contain a picture (JPEG); HTML and JPEG are formats everyone understands.
  - Generic encryption services, like the encryption used on online banking sites.
Session layer
  - Starts and ends a session.
  - Logically keeps sessions separate from each other.
Transport layer
  - Describes how the data is sent: reliably or unreliably (TCP is a reliable protocol, UDP is an unreliable one).
  - Defines the well-known services (port numbers).
Network layer
  - Provides logical addressing (IP addresses); when you assign an IP address you are working at this layer.
  - Finds the best path to a destination.
  - Routers work here.
Data link layer
  - Provides physical addressing (MAC addresses); the MAC address is the address of the network interface card (NIC).
  - Error detection: each frame carries a checksum (the frame check sequence), so a frame corrupted on its way from source to destination is detected and discarded. This catches accidental corruption only; it is no protection against deliberate modification, which needs cryptography at a higher layer.
  - Switches work here.
Physical layer
  - Provides access to the cable.
  - Electrical (or optical/radio) signals: ones and zeros.
  - Physical connections: cables, network cards, WAN interfaces.
For the Cisco exams the application, presentation and session layers are the least important, because they are handled by the host operating system (Windows, for example) rather than by the network devices.
Reliable protocol (TCP): once you send a segment to a server, the server replies with an ACK. If the sender does not receive the ACK it resends the segment until it does.
Unreliable protocol (UDP): used with real-time applications like VoIP or video over IP (streaming a movie over the network, for example). If a packet is dropped we get a glitch in the video or scrambled voice; with an unreliable protocol we do not care whether a packet was dropped, because retransmitting it later would be useless for real-time traffic.
MAC addresses are what allow computers to communicate with each other on the local network.
Ports designate which service you are trying to reach: a server may run a database and an email system; to differentiate between the two we use port numbers.
The transport layer chooses the reliability (TCP or UDP) and the port numbers.
OSI model in the real world:
Example: a client wants to access the Cisco website
Client information: IP address 10.1.1.5, MAC address 00a0.1511.89f2
Server information: IP address 200.1.1.1 (cisco.com)

Source side (encapsulation, top down):
  Application layer: "send me a web page" (GET the Cisco website)
  Presentation layer: package it in HTTP
  Session layer: create a session of its own for the request to the Cisco site
  Transport layer: use TCP (because HTTP uses TCP) and specify the source and destination ports; the source port is the web browser's port (dynamic, for example 1098) and the destination port is 80
  Network layer: add the source and destination IP addresses
  Data link layer: add the source and destination MAC addresses
  Physical layer: put all the information on the wire
Destination side (decapsulation): the same layers in reverse, from the physical layer up to the application layer.
Router interface MAC addresses in the diagram: 0089.1111.2222 (first hop) and 0089.1111.3333 (next hop).

Notes about the example above:
- On the destination side all 7 steps are done in reverse, starting from the physical layer and going up to the application layer.
- The MAC addresses change at every hop as the packet travels from source to destination: on the first segment the source MAC is 00a0.1511.89f2 (the client) and the destination MAC is 0089.1111.2222 (the router interface, the client's default gateway); on the next segment the router puts its own outgoing interface MAC (0089.1111.2222 in this simplified diagram) as the source and 0089.1111.3333 (the next router) as the destination, and so on until the packet arrives at the destination.
- The IP addresses do not change from the moment the packet is sent until it arrives: the source IP stays 10.1.1.5 and the destination IP stays 200.1.1.1.
- ipconfig /all (Windows) shows the MAC address of the PC in hexadecimal (listed as "Physical Address").
- netstat -n shows all the open sessions from my computer in numeric form (IP addresses and port numbers, no name resolution).
- netstat without options shows the same sessions but resolves addresses and ports to names.

4. Basic TCP/IP: addressing fundamentals (39:42 mins)

How the OSI and TCP/IP models relate:
- The OSI model describes how networks communicate (a reference model).
- The TCP/IP model (the DoD model, from the US Department of Defense) describes how network communication actually happens.

OSI model                TCP/IP (DoD) model
Application layer   \
Presentation layer   }   Application layer
Session layer       /
Transport layer          Transport layer
Network layer            Internet layer
Data link layer     \    Network access layer
Physical layer      /
NOTE: there is a page that describes the correlation between the 2 models.
IP address format:
1. An IPv4 address has 4 octets (four numbers from 0 to 255); it is always combined with a subnet mask and a default gateway.
2. The subnet mask dictates which portion of the IP address identifies the network and which identifies the host: in the mask, 255 means "this octet is network" and 0 means "this octet is host".
Example:
IP address: 172.30.3.82 (4 octets)
Subnet mask: 255.255.255.0 (network part 172.30.3, host part 82)
Default gateway: 172.30.3.1
Every interface on a router is connected to a specific network and represents that network in the routing table.
Example:
If 10.1.1.10 wants to communicate with 10.1.1.11 it first sends an Address Resolution Protocol (ARP) request to learn the MAC address of the destination. ARP is a broadcast; once 10.1.1.11 receives the ARP request it responds with its MAC address, and then 10.1.1.10 starts transferring data to 10.1.1.11.
Computers do not start talking to other computers directly by IP address; they must use data link addresses (MAC addresses) first.
If 10.1.1.10 wants to communicate with 10.5.5.100 it cannot ARP for it, because they are on different networks and routers DO NOT forward broadcasts. So the source sends the packet to its default gateway (there is still an ARP process, but only to find the MAC address of the default gateway).
Step 1 (source segment):
  source IP 10.1.1.10, source MAC = MAC of 10.1.1.10
  destination IP 10.5.5.100, destination MAC = MAC of the router interface 10.1.1.1
Step 2: the router looks up 10.5.5.100 in its routing table to find the next hop and rewrites the frame:
  source IP 10.1.1.10, source MAC = MAC of the router's outgoing interface 10.2.2.1
  destination IP 10.5.5.100, destination MAC = MAC of the next router's interface 10.2.2.2
Step 3:
  source IP 10.1.1.10, source MAC = MAC of the router interface 10.3.3.1
  destination IP 10.5.5.100, destination MAC = MAC of the router interface 10.3.3.2
And so on until the packet reaches 10.5.5.100. The IP addresses never change; only the MAC addresses are rewritten at each hop.
Default address classes:
1. Class A: first octet in the range 1-126 (for example 10.5.1.1); default subnet mask 255.0.0.0; 16,777,214 usable hosts per network (the course recommends keeping a network to about 500 hosts in practice).
2. Class B: first octet in the range 128-191 (for example 150.51.233.1); default subnet mask 255.255.0.0; 65,534 usable hosts per network (65,536 addresses minus the network and broadcast addresses).
3. Class C: first octet in the range 192-223 (for example 220.1.50.63); default subnet mask 255.255.255.0; 254 usable hosts per network.
Any address that starts with 127 in the first octet is a loopback address (127.x.x.x).
Public addresses vs private addresses:
1. Public addresses are usable on the internet and on internal networks; they are provided by the ISP.
2. Private addresses are usable on internal networks only; there are 3 ranges (RFC 1918):
   Class A: 10.0.0.0 - 10.255.255.255
   Class B: 172.16.0.0 - 172.31.255.255
   Class C: 192.168.0.0 - 192.168.255.255
The loopback range 127.x.x.x is used for testing only (traffic to it never leaves the host).
Network Address Translation (NAT) lets many hosts share public addresses to reach the internet (for example one public IP for several computers instead of one public IP per computer).
The automatic configuration range (APIPA) is 169.254.x.x; a host assigns itself an address from it when it cannot get one from a DHCP server. A host with such an address can only talk to its local segment, so seeing one usually means DHCP failed.
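As an added worked example (mine, not the course's; every sample address is constructed), the classful lookup, the private/loopback/APIPA ranges listed above, and the network/host split done octet by octet with the subnet mask, in Python. The mask logic is a plain bitwise AND, so it also handles masks that are not just 255s and 0s:

```python
# Added example, not part of the course notes. Sample addresses below are
# constructed for illustration. Only the Python standard library is used.

def parse_ipv4(text):
    """Turn 'a.b.c.d' into a tuple of four ints, validating each octet."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-quad address: {text!r}")
    octets = tuple(int(p) for p in parts)
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return octets


def address_class(ip):
    """Classful lookup on the first octet, using the ranges listed above."""
    first = parse_ipv4(ip)[0]
    if first == 127:
        return "loopback"
    if 1 <= first <= 126:
        return "A"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "other"   # 0, or 224 and above: not a classful A/B/C host address


DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def default_mask(ip):
    """Classful default mask, or None for loopback/other."""
    return DEFAULT_MASKS.get(address_class(ip))


def in_range(ip, low, high):
    """Tuple comparison of the octets is exactly dotted-quad ordering."""
    return parse_ipv4(low) <= parse_ipv4(ip) <= parse_ipv4(high)


def address_scope(ip):
    """private (the three RFC 1918 ranges), loopback, apipa or public."""
    if in_range(ip, "127.0.0.0", "127.255.255.255"):
        return "loopback"
    if in_range(ip, "169.254.0.0", "169.254.255.255"):
        return "apipa"
    for low, high in (("10.0.0.0", "10.255.255.255"),
                      ("172.16.0.0", "172.31.255.255"),
                      ("192.168.0.0", "192.168.255.255")):
        if in_range(ip, low, high):
            return "private"
    return "public"


def _dotted(octets):
    return ".".join(str(o) for o in octets)


def split_network_host(ip, mask):
    """Apply the mask octet by octet: a 255 keeps the network bits, a 0 keeps
    the host bits. Being a bitwise AND it also works for 255.255.240.0 etc."""
    ip_o, mask_o = parse_ipv4(ip), parse_ipv4(mask)
    network = tuple(i & m for i, m in zip(ip_o, mask_o))
    host = tuple(i & (255 - m) for i, m in zip(ip_o, mask_o))
    broadcast = tuple(n | (255 - m) for n, m in zip(network, mask_o))
    return {"network": _dotted(network), "host_part": _dotted(host),
            "broadcast": _dotted(broadcast)}


def usable_hosts(mask):
    """2^(host bits) - 2: the all-zeros (network) and all-ones (broadcast)
    addresses cannot be assigned to hosts."""
    host_bits = sum(bin(255 - m).count("1") for m in parse_ipv4(mask))
    return 2 ** host_bits - 2


def describe(ip, mask=None):
    """One record with everything the notes above ask about an address."""
    mask = mask or default_mask(ip)
    info = {"ip": ip, "class": address_class(ip),
            "scope": address_scope(ip), "mask": mask}
    if mask:
        info.update(split_network_host(ip, mask))
        info["usable_hosts"] = usable_hosts(mask)
    return info


if __name__ == "__main__":
    for ip, mask in (("172.30.3.82", "255.255.255.0"), ("10.5.1.1", None),
                     ("150.51.233.1", None), ("169.254.7.9", None),
                     ("200.1.1.1", None)):
        print(describe(ip, mask))
```

Run it as-is to see the course's own example (172.30.3.82 / 255.255.255.0) split into network 172.30.3.0, host part 82 and broadcast 172.30.3.255, and the class A and B host counts come out as 16,777,214 and 65,534 (not 65,536: two addresses per network are never usable).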

5. Basic TCP/IP: TCP and UDP communication (23:20 mins)

Basic differences between TCP and UDP:
TCP (Transmission Control Protocol):
  - Connection-oriented: before sending data it creates a session with a 3-way handshake
  - Uses sequence numbers
  - Reliable: it uses ACK packets; if the sender does not receive an ACK it resends the segment until it does
UDP (User Datagram Protocol):
  - Connectionless: when sending packets you do not know whether a packet was dropped (it does not care whether the packet arrives)
  - Best-effort delivery (used with real-time applications like VoIP)
  - Unreliable

TCP 3-way handshake:
1. The source sends a SYN packet to the destination
2. The destination sends back a SYN-ACK packet to acknowledge the SYN
3. The source sends back an ACK packet to acknowledge the SYN-ACK
After the 3-way handshake the communication starts; every time you open a website, for example, a 3-way handshake happens first.

Sequence numbers and TCP windowing: the window is the amount of data the sender may transmit before it must stop and wait for an ACK. TCP increases the window (sends more data at once) as it detects that the connection is reliable and shrinks it when segments are lost. Sequence numbers count the bytes sent, which is why in real captures they appear as big numbers.
Example: (diagram not reproduced)
6. Basic TCP/IP: understanding port numbers (17:17 mins)

Ports are used to separate the different applications on a host (for example one server that runs two services, a database and an email system; to differentiate between them we specify the port number).
Port numbers identify which session a packet belongs to when sending or receiving.
Socket = IP address : port number (for example 10.5.1.100:80; the pair is called a socket).
The port range is 0-65535 for both TCP and UDP. Ports 0-1023 are the well-known ports (reserved for standard services, never handed out as dynamic client ports).
Well-known port numbers:
TCP:
  Port 21: FTP (File Transfer Protocol), used for sending and receiving files
  Port 22: SSH, considered "encrypted telnet"
  Port 23: telnet, considered insecure (nothing is encrypted)
  Port 25: SMTP (Simple Mail Transfer Protocol), used for sending mail
  Port 53: DNS server-to-server port, used so that servers can resolve names to IP addresses among themselves
  Port 80: HTTP
  Port 110: POP3 (Post Office Protocol), used for receiving mail
  Port 443: HTTPS
UDP:
  Port 53: DNS client queries (for example, when my PC looks up the IP address of www.yahoo.com after I type it in a browser)
  Port 69: TFTP (Trivial File Transfer Protocol), used to send files to and receive files from Cisco devices
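As an added example (mine, not the course's), the sockets and well-known ports above applied to the kind of output netstat -n gives (section 3 mentioned the command). The netstat text is constructed, not captured; the code splits each socket into IP and port, names the service from the destination port, and flags the sessions whose protocol carries credentials in clear, which is the first thing a security engineer looks for in such a listing:

```python
# Added example, not part of the course notes. The netstat output below is
# constructed to look like "netstat -n" on Windows; nothing is captured live.
import re

# Well-known ports from the table above, plus which of them send data in clear.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
              69: "tftp", 80: "http", 110: "pop3", 443: "https"}
CLEARTEXT = {21, 23, 25, 69, 80, 110}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.1.1.5:1098          200.1.1.1:80           ESTABLISHED
  TCP    10.1.1.5:49211         172.30.2.180:23        ESTABLISHED
  TCP    10.1.1.5:49213         10.5.1.100:443         ESTABLISHED
  TCP    10.1.1.5:49300         10.5.1.50:21           TIME_WAIT
  UDP    10.1.1.5:52010         *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_socket(text):
    """'ip:port' -> (ip, port). IPv4 only: the last colon separates the port;
    '*' (a UDP socket with no peer) becomes None."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(output):
    """Turn the text into records; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto, "local": split_socket(local),
                     "foreign": split_socket(foreign), "state": state or ""})
    return rows


def classify(rows):
    """Name the service from the foreign (destination) port and flag the
    sessions whose protocol sends credentials or data unencrypted."""
    for row in rows:
        port = row["foreign"][1]
        if port is None:
            row["service"] = "-"
        elif port in WELL_KNOWN:
            row["service"] = WELL_KNOWN[port]
        elif port <= 1023:
            row["service"] = "well-known (not in table)"
        else:
            row["service"] = "dynamic"
        row["cleartext"] = port in CLEARTEXT
    return rows


def cleartext_sessions(output):
    """(foreign ip, service) for every session worth a second look."""
    return [(r["foreign"][0], r["service"])
            for r in classify(parse_netstat(output)) if r["cleartext"]]


if __name__ == "__main__":
    for r in classify(parse_netstat(SAMPLE_NETSTAT)):
        flag = " <- cleartext" if r["cleartext"] else ""
        print(r["proto"], r["local"], "->", r["foreign"], r["state"], r["service"] + flag)
```

Note that the local ports (1098, 49211, ...) are the dynamic browser-side ports from the OSI example in section 3, while the service is identified by the foreign port; the telnet session to 172.30.2.180 is the one that matters most in the sections on switch security below.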
7. Basic TCP/IP: the tale of two packets (20:47 mins)

If the packet is sent locally (destination on the same network), the source uses ARP to learn the MAC address of the destination.
If the packet is sent to a different network, the source does not ARP for the destination, because routers do not forward broadcasts (ARP). Instead the packet is sent to the default gateway (the router's interface); an ARP request is still sent, but to learn the MAC address of the router interface (the default gateway), not of the final destination.
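An added example (mine, not the course's; the MAC addresses, ARP tables and router path are all constructed) that puts sections 3, 4 and 7 together: the sender checks whether the destination is on its own subnet, ARPs either for the destination or for the default gateway, and then each router rewrites only the frame header while the IP header travels unchanged end to end:

```python
# Added example, not part of the course notes. All addresses, ARP tables
# and the router path are constructed for this illustration.
import ipaddress

# Constructed per-segment ARP knowledge: which MAC answers for which IP.
ARP_TABLES = {
    "10.1.1.0/24": {"10.1.1.10": "0000.1111.aaaa",    # source host
                    "10.1.1.11": "0000.1111.bbbb",    # a host on the same LAN
                    "10.1.1.1":  "0000.1111.0001"},   # router R1, LAN side (default gateway)
    "10.2.2.0/24": {"10.2.2.1":  "0000.2222.0001",    # R1, far side
                    "10.2.2.2":  "0000.2222.0002"},   # R2
    "10.3.3.0/24": {"10.3.3.1":  "0000.3333.0001",    # R2
                    "10.3.3.2":  "0000.3333.0002"},   # R3
    "10.5.5.0/24": {"10.5.5.1":  "0000.5555.0001",    # R3, LAN side
                    "10.5.5.100": "0000.5555.cccc"},  # destination host
}

# Constructed routing result toward 10.5.5.0/24, one entry per router:
# (interface that receives the frame, interface it leaves by, next-hop IP;
#  None means the destination network is directly connected).
ROUTE_PATH = [
    ("10.1.1.1", "10.2.2.1", "10.2.2.2"),
    ("10.2.2.2", "10.3.3.1", "10.3.3.2"),
    ("10.3.3.2", "10.5.5.1", None),
]


def segment_of(ip):
    for net in ARP_TABLES:
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return net
    raise KeyError(f"no segment known for {ip}")


def arp(ip):
    """Stand-in for the ARP broadcast: resolve an IP on its own segment."""
    return ARP_TABLES[segment_of(ip)][ip]


def same_subnet(ip_a, ip_b, mask):
    """The sender's test: does ip_b fall inside my own network?"""
    return ipaddress.ip_address(ip_b) in ipaddress.ip_interface(f"{ip_a}/{mask}").network


def first_hop_frame(src_ip, dst_ip, mask, gateway):
    """What the sending host puts on the wire. The IP header always names
    the real destination; the frame is addressed to the destination itself
    if it is local, otherwise to the default gateway."""
    target = dst_ip if same_subnet(src_ip, dst_ip, mask) else gateway
    return {"src_ip": src_ip, "dst_ip": dst_ip,
            "src_mac": arp(src_ip), "dst_mac": arp(target), "arp_target": target}


def trace(src_ip, dst_ip, mask, gateway):
    """Frame headers seen on each segment from source to destination."""
    frames = [first_hop_frame(src_ip, dst_ip, mask, gateway)]
    if frames[0]["arp_target"] == dst_ip:
        return frames                  # local delivery: one segment, no router
    for in_if, out_if, next_hop in ROUTE_PATH:
        if frames[-1]["dst_mac"] != arp(in_if):
            raise RuntimeError(f"frame did not arrive at router interface {in_if}")
        target = next_hop or dst_ip    # the last router ARPs for the host itself
        frames.append({"src_ip": src_ip, "dst_ip": dst_ip,
                       "src_mac": arp(out_if), "dst_mac": arp(target),
                       "arp_target": target})
        if target == dst_ip:
            break
    return frames


if __name__ == "__main__":
    for hop in trace("10.1.1.10", "10.5.5.100", "255.255.255.0", "10.1.1.1"):
        print(hop)
```

The local case returns a single frame addressed straight to 10.1.1.11; the remote case returns four frames, one per segment, in which src_ip/dst_ip are identical throughout and only src_mac/dst_mac change, exactly the three steps listed in section 4.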

8. LANs: welcome to Ethernet (22:31 mins)

Ethernet speed is measured in bits per second (bps), not bytes per second (Bps): Ethernet speed = 10 Mbps, not 10 MBps.
Ethernet operates at the physical layer and the data link layer:
Data link layer, split into two sublayers:
  - Logical Link Control (LLC): identifies which network-layer protocol the frame carries, so the payload is handed up to the right protocol (IP, for example).
  - Media Access Control (MAC): defines the addressing used by Ethernet (MAC addresses) and the rules for accessing the medium.
Physical layer: examples of physical standards are CAT 5 cable with RJ45 connectors, wireless and fiber optic.
CSMA/CD (Carrier Sense Multiple Access / Collision Detection) is the set of rules governing how you talk on an Ethernet network:
  Carrier: the network signal
  Sense: the ability to detect whether there is a carrier signal on the wire (Ethernet devices listen before sending)
  Multiple access: all devices have equal access to the medium
  Collision: what happens if two devices send at the same time
  Detection: how the devices handle collisions when they happen (stop, wait a random back-off time, try again)
Any Ethernet device, whether a switch port or a NIC, must support CSMA/CD.
Ethernet uses CSMA/CD. Wireless (802.11) uses CSMA/CA (Collision Avoidance), because a radio cannot detect a collision while it is transmitting. Token Ring avoids collisions entirely: only the device holding the single token may send, so only one device sends at a time.
Methods of communication:
1. Unicast: one computer sends to one other computer.
2. Broadcast: one message sent to all (for example an ARP request; the switch sends it out of all ports except the one it was received on).
3. Multicast: one message sent to a group of devices; only the computers that joined that multicast group receive it. The main advantage of multicast is that it reduces bandwidth consumption.
Example of using multicast: a radio stream. With unicast the server would have to maintain a separate stream (and spend bandwidth) for each PC tuned to the channel; with broadcast the network would be flooded with traffic nobody asked for; so the best solution for a radio stream is multicast.

MAC addresses : the official explanation

9. LANs: understanding the physical connections (18:17 mins)

Ethernet cables:
- Category 5 (CAT 5) unshielded twisted pair (UTP): maximum distance 100 meters; connection type RJ45 (a well-known variant of CAT 5 is CAT 5e).
- Multimode fiber: maximum distance 275 meters to a few miles; connection type varies. Compared with single mode it carries multiple light signals (modes) through the path and it is lower in cost.
- Single mode fiber: maximum distance 1 mile to many miles; connection type varies.
Cabling standards (wire colors for pins 1 to 8):
T568-A: green stripe, green, orange stripe, blue, blue stripe, orange, brown stripe, brown
T568-B: orange stripe, orange, green stripe, blue, blue stripe, green, brown stripe, brown
Straight-through cable = T568-A on both ends OR T568-B on both ends
Crossover cable = T568-A on one end and T568-B on the other (the pair on pins 1/2 swaps with the pair on pins 3/6)
You can wire a cable to your own custom standard, but then it will not support the maximum CAT 5 distance of 100 meters!
Ethernet connection rules:
1. Unlike devices use straight-through cables. Examples: PC to switch, router to switch, PC to hub, router to hub.
2. Like devices use crossover cables. Examples: PC to PC, router to router, PC to router, switch to switch, hub to hub, switch to hub.
"Like" devices, for this purpose, are:
1. PC, router (both are end devices that transmit on the same pins)
2. Switch, hub

10. LANs: understanding LAN switches (19:46 mins)

Hubs:
  - Only regenerate the signal: a frame sent by one device is received by all.
  - A hub = 1 collision domain and 1 broadcast domain.
  - A hub is also called shared Ethernet (shared CSMA/CD).
  - The problem with a hub is that only one device can send or receive at a time. If a collision occurs (two devices sent at the same time), the device that detects it sends a jam signal to stop all communication on the segment; everyone then backs off and retries.
  - The more devices on a hub, the higher the chance of a collision.
  - Hubs work at the physical layer.
Collision domain: the set of devices that share the same medium, so that only one of them can transmit at a time.
Broadcast domain: how far a broadcast travels before it is stopped (by a router, or a VLAN boundary).
Bridges:
  - Bridges are software based.
  - Number of collision domains = number of ports on the bridge.
  - Bridges are slow in general.
  - Bridges can learn MAC addresses.
  - Bridges have a low number of ports.
  - Bridges work at the data link layer.
Switches:
  - Switches support full-duplex communication: a port connected to a single device can send and receive at the same time, so there are no collisions at all on a full-duplex port.
  - Switches are hardware based (application-specific integrated circuits, ASICs), which is why they are fast.
  - Number of collision domains = number of ports on the switch; the switch is still one broadcast domain (per VLAN).
  - Switches work at the data link layer.
Example of a full-duplex link: a 100 Mbps link is 200 Mbps full duplex (100 Mbps to send and 100 Mbps to receive at the same time).
How a switch works: when the switch first boots it starts with an empty CAM (content addressable memory) table and fills it by noting the source MAC address and ingress port of every frame it receives; a frame whose destination MAC is not yet in the table is flooded out of every other port.
Example: (diagram not reproduced)
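As an added example (mine, not the course's; the ports, MAC addresses and frames are constructed), the CAM-table behaviour described above in code: learn the source MAC against the ingress port, forward known destinations out of one port, flood broadcasts and unknown unicasts, and filter a frame whose destination sits behind the same port (two hosts on a hub):

```python
# Added example, not part of the course notes. Ports, MAC addresses and the
# sequence of frames are constructed.

BROADCAST = "ffff.ffff.ffff"


class Switch:
    """A layer-2 switch reduced to its forwarding decision: learn the source
    MAC per ingress port, forward to the learned port, flood what is unknown."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}            # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one incoming frame and return the list of egress ports."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self.cam[src_mac] = in_port          # learn (or re-learn, if the host moved)
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            # broadcast, or unknown unicast: flood out of every port but the ingress
            return [p for p in self.ports if p != in_port]
        out = self.cam[dst_mac]
        # destination is behind the same port (e.g. a hub): filter, do not forward
        return [] if out == in_port else [out]

    def table(self):
        """The CAM table, as 'show mac address-table' would list it."""
        return sorted((mac, port) for mac, port in self.cam.items())


def demo():
    """Constructed scenario: A on fa0/1, B on fa0/2, C and D sharing a hub on fa0/3."""
    sw = Switch(["fa0/1", "fa0/2", "fa0/3", "fa0/4"])
    a, b, c, d = "0000.0000.aaaa", "0000.0000.bbbb", "0000.0000.cccc", "0000.0000.dddd"
    steps = [
        ("A->B, B unknown: flood", sw.receive("fa0/1", a, b)),
        ("B->A, A learned: forward", sw.receive("fa0/2", b, a)),
        ("A->B, B learned: forward", sw.receive("fa0/1", a, b)),
        ("A->broadcast (ARP): flood", sw.receive("fa0/1", a, BROADCAST)),
        ("C->D, D unknown: flood", sw.receive("fa0/3", c, d)),
        ("D->C, same port: filter", sw.receive("fa0/3", d, c)),
    ]
    return steps, sw.table()


if __name__ == "__main__":
    steps, table = demo()
    for label, egress in steps:
        print(f"{label:28} -> {egress}")
    print("CAM table:", table)
```

The first frame from A is flooded (the switch knows nothing yet) but B's reply already goes out of fa0/1 only, because A's address was learned from that first frame; this is why a switch gives every port its own collision domain while a broadcast still reaches every port.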

11. LANs: working with the Cisco switch IOS (29:15 mins)

What is the Cisco IOS:
1. The Internetwork Operating System
2. A command-line method of configuring a Cisco device
3. Software that is consistent across nearly all Cisco devices
4. Learn it once, use it many times
5. More powerful than any graphical interface
Connecting to the Cisco switch:
1. Get a console cable
2. Plug the serial end into the back of your PC (or into a USB-to-serial adapter)
3. Plug the RJ45 end into the console port on the switch
4. Get a terminal program such as HyperTerminal, TeraTerm, minicom or SecureCRT
5. Set it to connect via the COM port with the following settings:
   baud rate: 9600
   data bits: 8
   parity: none
   stop bits: 1
   flow control: none
Tips about commands in the Cisco IOS:
If you type ? at any point, the IOS shows the full list of commands available there. In that output, press ENTER to go line by line, SPACE to go page by page, and any other character to leave the help system.
Router# c?
  typed this way (no space before the ?) it shows all the commands that start with the letter c.
If you type ? and see <CR>, that means carriage return: the command is complete and nothing more needs to be added.
In the help output, a word in capital letters is a variable that you must fill in.
Example:
Router# clock set 13:16:30 ?
  <1-31>  Day of the month
  MONTH   Month of the year
MONTH is a variable, so instead of a day number (1-31) we can enter a month name: Router# clock set 13:16:30 September
You can use the TAB key to auto-complete a command.
If you get the message "% Incomplete command", a parameter is missing.
If you get the message "% Ambiguous command", you typed an abbreviation that matches more than one command; type enough of it to be unique. For instance "co" in privileged mode is ambiguous because "configure", "connect" and "copy" all start with it.
If you get the message "% Invalid input detected at '^' marker" (unrecognized command), the command does not exist or you typed it in the wrong mode.
Router# show history shows the commands typed before; it remembers 10 by default and this value can be changed (terminal history size).
IOS modes:
1. Switch>  user mode (user EXEC): only basic show commands, telnet and ping can be run here.
2. Switch#  privileged mode (privileged EXEC): from user mode type enable to enter it; you can view everything here, for example the current configuration of the switch/router.
3. Switch(config)#  global configuration mode: commands typed here affect the whole switch/router, for example Switch(config)# hostname NAME changes the hostname. To enter it from privileged mode type configure terminal (Switch# config t).
4. Switch(config-if)#  interface configuration mode: any command typed here affects one specific interface only. To enter it from global configuration mode type, for example, Switch(config)# interface fa0/1.
Switch(config-if)# end moves you back to privileged mode from any configuration mode.
exit in any mode moves you back one step.
CTRL+Z moves you back to privileged mode from any mode (same as end).
CTRL+E moves the cursor to the end of the line.
CTRL+A moves the cursor to the beginning of the line.

12. LANs: initial setup of a Cisco switch (35:03 mins)

Understanding the physical indicators on the switch (the LEDs):
System indicator: green is good; amber (yellow) means there is a problem. Usually after booting the system indicator turns solid green.
RPS (redundant power supply) indicator: solid green when a redundant power supply is connected and working (the switch is power redundant).
Mode button: lets us choose what the port LEDs show:
  Stat mode: the default; shows the status of each port (a port with a link plugged in shows green).
  Util mode: shows the utilization of the switch as a bar graph across the port LEDs; at 10% utilization only the first few ports light green, at 100% all the ports light green. This mode only shows how much throughput is going through the switch.
  Duplex mode: shows the duplex of each port; lit green means full duplex, unlit means half duplex.
  Speed mode: shows the speed of each port; lit green means 100 Mbps, unlit means 10 Mbps.
When you boot the switch you will see the following on the console (IN ORDER):
  the MAC address of the switch
  the flash that holds the IOS
  the decompression of the IOS image from flash into RAM
  the switch model, the IOS version and the .bin image name
  the self-test of the internal components
  the memory of the switch, for example 65526K/8192K
  how many interfaces are installed
  how much NVRAM there is (this is where the switch stores its startup configuration)
At the end of the boot process it asks whether you want to enter the initial setup wizard.
The enable secret and enable password commands protect privileged mode:
  Router(config)# enable password PASSWORD
  Router(config)# enable secret PASSWORD
CTRL+C exits the initial setup wizard.

Router(config)# hostname NAME changes the hostname of the router/switch.
General information about VLANs:
  - Number of VLANs = number of broadcast domains.
  - Each VLAN is isolated from the others at layer 2.
  - By default VLAN 1 exists and all the interfaces of the switch are assigned to it.
To give the switch a management IP we configure interface VLAN 1. Interface vlan 1 is a virtual interface that carries the switch's own IP address, so that we can telnet/SSH to that particular switch; in general all members of VLAN 1 can reach interface VLAN 1.
To be able to telnet to a switch we need to configure an IP address and a default gateway:
  Switch(config)# interface vlan 1
  Switch(config-if)# ip address 172.30.2.180 255.255.255.0
  Switch(config-if)# no shutdown
  Switch(config-if)# exit
  Switch(config)# ip default-gateway 172.30.2.1
Switch# show interface vlan 1 shows the status of interface VLAN 1 and the IP configured on the switch. If the output says "Vlan1 is administratively down, line protocol is down": the first part is the physical-layer state, and "administratively down" means the interface was shut down and we need to enable it with no shutdown in interface configuration mode; "line protocol" is the data-link-layer state.
Switch# show running-config (Switch# show run) shows the current configuration. The running-config lives in RAM, so if the switch loses power this configuration is lost; that is why we save the running-config to the startup-config, which lives in NVRAM (non-volatile RAM).
Switch# show startup-config shows the startup configuration (the one in NVRAM).
Switch# show version shows the switch model, the IOS version currently running, how long the switch has been up, and the memory available on the switch.
Switch# copy running-config startup-config copies the configuration from RAM to NVRAM so that it survives a reboot or a power loss.

13. LANs: configuring switch security, part 1 (37:08 mins)

If you do not set a password on the switch it will not let you telnet to it until you set one.
User-mode passwords are the passwords on the telnet (vty) lines, the console port and the auxiliary port.
Privileged-mode passwords are configured with Switch(config)# enable password PASSWORD and Switch(config)# enable secret PASSWORD.
Switch(config)# enable password PASSWORD protects privileged mode (#). The problem with this command is that the password appears in Switch# show run as plain text.
Example:
  Switch> enable
  Password:
  Switch#
Switch(config)# enable secret PASSWORD also protects privileged mode (#), but the password appears in show run as a hash. If both are configured, enable secret supersedes enable password (the plain one is ignored).
To do a quick backup of the switch/router, copy the running configuration into Notepad; to restore it, enter global configuration mode and paste it back.
Switch# show run shows the configured passwords (privileged-mode and user-mode). In general the telnet, console, enable password and auxiliary passwords appear in plain text; the enable secret is the only one that appears hashed.
Because of that, if we want to hide all the passwords that appear in Switch# show run we use Switch(config)# service password-encryption. This only obscures them with the reversible type 7 encoding; it does not make them as strong as enable secret.
Example:
Switch# show run
  enable secret 5 <hash>          type 5: a salted MD5 hash; it cannot be reversed, only guessed
  !
  line con 0
   password 7 <encoded string>    type 7: a reversible encoding that is weak and easily broken (search for "break Cisco password" and you will find decoders)
To protect privileged mode (#) with a password we use Switch(config)# enable secret PASSWORD or Switch(config)# enable password PASSWORD.
To protect user mode (>) with a password we secure the telnet (vty) lines, the console port and the auxiliary port.
To configure a password on the console port:
  Switch(config)# line con 0
  Switch(config-line)# password PASSWORD    assigns a password to the console
  Switch(config-line)# login                tells the switch to ask for that password
To configure a password on the telnet lines:
  Switch(config)# line vty 0 4
  Switch(config-line)# password PASSWORD
  Switch(config-line)# login
Notes:
  - On the vty lines login is configured by default. If no password is set the switch answers "Password required, but none set" and refuses the connection; if a password is set it prompts "Password:".
  - If we configure Switch(config-line)# no login, anyone can telnet to the switch without being asked for a password.
  - vty lines are the virtual terminals that accept telnet/SSH sessions. Switch(config)# line vty 0 15 configures 16 lines, the maximum on this switch, so 16 people can telnet in at the same time.
  - Switch(config)# line vty 0 1 configures only 2 lines, so only those 2 lines get the password and only 2 people can telnet in at the same time (the remaining lines keep their own settings).
Login banners:
1. Banner login: this banner is displayed when you log in using VTY (it appears before the user name and password are requested)
2. Banner MOTD: this banner is displayed once you connect to the router directly, whether you telnet to the router or connect by console
Note: if you configure both the banner MOTD and the banner login, the banner MOTD will appear before the banner login
The Switch (config) # banner motd DELIMITER here I type anything I want to appear DELIMITER command is used to configure the banner MOTD; DELIMITER is any symbol I choose, but it must be the same at the beginning and at the end of the text I want to include
telnet is weak because its password travels in clear text and can be captured by packet sniffers like the Wireshark program
to configure telnet we only need to configure a password for it
SSH (secure shell): it is telnet plus encryption
to configure SSH:
1. it needs a user name and password
2. assign a domain name that will be used to generate the encryption keys
3. generate RSA keys to secure the SSH sessions; the key name follows the template switchname.domainname (example: SW1.virus.com, where SW1 is the switch name and virus.com is the domain name)
4. specify which version of SSH to use
5. configure the lines to use SSH instead of telnet
The following example shows how to configure SSH, with one command per point above:
1. switch (config) # username USERNAME password PASSWORD
2. switch (config) # ip domain name DOMAINNAME
3. switch (config) # crypto key generate rsa   (this command will ask us for the size of the key to generate; the best choice is 1024, the default is 512)
4. switch (config) # ip ssh version 2
5. switch (config) # line vty 0 4
   switch (config-line) # transport input ssh   (this command enables SSH and disables telnet; the default is switch (config-line) # transport input telnet, which is on by default; we can also enable both telnet and SSH using the command switch (config-line) # transport input telnet ssh)

14. LANS: configuring switch security, part 2 (19:00 mins)


The switch # show ip interface brief command is used to show which IP addresses are configured and which interfaces we have on the switch; it appears as a table with a column called status that represents the physical layer and another column called protocol that represents the data link layer
The switch # terminal monitor command is used to display all the system messages on the screen while connected using a telnet/SSH session
Example: 01:38:06: %SYS-5-CONFIG_I: Configured from console by shady on vty0 (172.30.2.50)
A console session shows those messages on the screen by default
The switch # show mac address-table command is used to show the MAC address table; it contains static MAC addresses (learnt manually by adding them to the table) and dynamic MAC addresses (learnt automatically)
port security:
port security is a way to lock down which devices can plug in to the switch, or how many devices can plug in to your switch
using port security we can secure the port by MAC address so that only specific computers can connect to specific ports
to configure port security:
Switch (config) # interface fastethernet 0/5
Switch (config-if) # switchport mode access   (this command changes the port mode to an access port; access ports are configured when we connect an end device like a PC or a router to that port; in case this port is connected to another switch we configure the port mode to be TRUNK)
Switch (config-if) # switchport port-security   (this command only enables port security)
Switch (config-if) # switchport port-security maximum 1   (this command means the maximum number of MAC addresses allowed to connect to this port (interface) is 1; because 1 is the default, this command won't appear in the switch # show run results)
Switch (config-if) # switchport port-security violation ?
This command is used to tell the switch what to do if somebody violates my policy
? = 1) shutdown: it will shut down the port, and the only way to enable that port again is to run the command switch (config-if) # no shutdown
2) protect: based on our example, if somebody attaches more than one device (more than one MAC address) to this port, it will just accept the 1st device and the others will be ignored and can't access the network (in other words it just tells the new device "I'm sorry, I'm not listening to you")
3) restrict: restrict is like the protect keyword plus logging the violation; this is used a lot just to know who violated that port, as it logs all the violations that happen on the port
NOTE: restrict and protect don't shut down the port; they just ignore the extra device
Switch (config-if) # switchport port-security mac-address ?
This command is used to specify the MAC addresses allowed, either by entering them manually or by learning them automatically
? = 1) H.H.H: to specify a MAC address manually by typing it in the format H.H.H
2) sticky: to learn the MAC address connected to the port automatically; the automatically learnt MAC address will appear in the running config
Example: this is a sample running config file (NOTE: you won't find the command switchport port-security maximum, as in this example it uses the default number so it doesn't appear in the running config file):
interface fastethernet 0/5
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0015.c5af.ea57   (this line appears automatically if we used the keyword sticky)
switch (config-if) # do show run int fa0/5: the do command allows us to run any show command from any mode instead of only from privilege mode
The Switch # show port-security interface fastethernet 0/5 command is used to show port security information for a specific interface
Example:
Switch # show port-security interface fastethernet 0/5
Port Status: Secure-up
Security Violation Count: 0
Last Source Address:Vlan: 0015.c5af.ea37:1
Notes about the above example:
if the PC is connected to the port the port status will show secure-up; if the PC isn't connected to the port it will show secure-down; and finally, if the port has been violated and shut down it will show secure-shutdown
the security violation count shows how many violations happened on this port; the restrict keyword increases this count but the protect keyword doesn't
the command switch # show port-security interface fastethernet 0/5 shows the last MAC address that violated security
The switch # show port-security command is used to show the port security information for all interfaces
switch (config) # interface range fastethernet 0/2-24   (this command is used to configure a range of ports at the same time with the same configuration; this command configures ports 2 to 24)
Switch (config-if-range) # switchport mode access
Switch (config-if-range) # switchport port-security
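As an added example (not from the course notes), here is a small Python audit of a running-config text against the hardening points of this section and the previous one: enable secret rather than enable password, login on the console and vty lines, transport input ssh with ip ssh version 2, and port-security with a violation mode that logs on every access port. The sample configuration is constructed; the parser assumes that unindented interface/line commands open a block and, as the notes state, that a vty line without transport input defaults to telnet.

```python
from typing import Dict, List

# Constructed sample running-config for this example (not taken from the course notes).
SAMPLE_CONFIG = """\
hostname SW1
enable password cisco
ip domain name lab.example
ip ssh version 1
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0015.c5af.ea57
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/24
 switchport mode trunk
!
line con 0
 password cisco
line vty 0 4
 password cisco
 login
 transport input telnet
line vty 5 15
 no login
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into a 'global' entry plus one entry per
    'interface ...' / 'line ...' block (indented lines belong to the block)."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):
            sections[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def violation_mode(lines: List[str]) -> str:
    """Violation mode of a port-security interface; 'shutdown' is the IOS default."""
    for line in lines:
        if line.startswith("switchport port-security violation "):
            return line.split()[-1]
    return "shutdown"


def audit(config: str) -> List[str]:
    """Return one finding per hardening point from the notes that is not met."""
    sections = parse_sections(config)
    g = sections["global"]
    findings: List[str] = []
    if not any(l.startswith("enable secret ") for l in g):
        findings.append("global: privilege mode has no 'enable secret'")
    if any(l.startswith("enable password ") for l in g):
        findings.append("global: 'enable password' is set (stored in clear in show run)")
    if "ip ssh version 2" not in g:
        findings.append("global: 'ip ssh version 2' is not set")
    for name, lines in sections.items():
        if name.startswith("interface "):
            if "switchport mode access" not in lines:
                continue  # trunk / unconfigured ports are out of scope here
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port-security")
            elif violation_mode(lines) == "protect":
                findings.append(f"{name}: violation mode 'protect' drops silently, "
                                "nothing is logged or counted; prefer restrict or shutdown")
        elif name.startswith("line "):
            if "login" not in lines and "login local" not in lines:
                findings.append(f"{name}: no 'login', the line never asks for a password")
            if name.startswith("line vty"):
                transport = next((l for l in lines if l.startswith("transport input")), None)
                # The notes state the vty default is 'transport input telnet'.
                allowed = transport.split()[2:] if transport else ["telnet"]
                if "telnet" in allowed or "all" in allowed:
                    findings.append(f"{name}: telnet accepted ({' '.join(allowed)}); "
                                    "use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```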

15. LANS: optimizing and troubleshooting switches (31:44 mins)


by default each port on the switch is configured as auto duplex and auto speed (it auto-detects the duplex and speed); most of the problems that happen on the switch aren't from detecting the speed but from detecting the duplex, like the duplex mismatch problem
Duplex mismatch is a problem that happens if one side is configured as half duplex and the other side is configured as full duplex (a PC connecting slowly is a result of a duplex mismatch; another example is a switch that shows collisions, because as we know there shouldn't be collisions when we use switches, so if there are, the problem is probably a duplex mismatch issue)
full duplex is to send and receive at the same time
half duplex is to send OR receive at one time
collection of commands to know:
Switch (config) # interface fastethernet 0/2
Switch (config-if) # duplex half   (command used to configure the port as half duplex)
Switch (config) # interface fastethernet 0/1
Switch (config-if) # duplex full   (command used to configure the port as full duplex)
Switch (config-if) # speed 10   (command used to set the speed to 10Mbps; NOTE that there isn't a speed command available for Ethernet ports, speed commands are only available for fastethernet or gigabit Ethernet ports)
Switch (config) # line con 0
Switch (config-line) # logging synchronous
Switch (config-line) # exec-timeout 30 0
Switch (config-line) # exit
Switch (config) # line vty 0 4
Switch (config-line) # logging synchronous   (this command makes the log/status messages appear on the screen on separate lines instead of interrupting the commands we type)
Switch (config-line) # exec-timeout 30 5   (in general, if you don't type anything for 5 minutes then the session you opened will time out and you will get disconnected; with this command you extend the time to 30 minutes and 5 seconds)
Switch (config-line) # no exec-timeout 30 0   (this command is used in case you don't want your open session to be disconnected at all; you cancel any timeout period)
domain lookup: this is a feature that lets you type any word in privilege mode and the router/switch starts trying to translate that word to an IP address; in general we disable this feature using the command switch (config) # no ip domain-lookup
Example:
Before applying the command switch (config) # no ip domain-lookup
Switch# flow
Translating "flow"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address
Above it is trying to resolve the word flow (probably a device on the network) to an IP address by sending broadcast messages to find that IP address
After applying the command switch (config) # no ip domain-lookup
Switch# flow
% Unknown command or computer name, or unable to find computer address
There isn't any translation process now, so no broadcast messages are sent at all
alias: in case we have a long command we can make an alias for it, to use instead of typing that command every time
Switch (config) # alias exec s show ip interface brief
In this command we must specify the mode the actual command (show ip interface brief) runs in; here it is privilege mode (exec) and the alias we chose is the letter s
broadcast storms and STP (spanning tree protocol)

troubleshooting using show commands:
The switch # show ip interface brief command shows you all the ports available on the switch and the status of every port; if the protocol status shows down then there is a data link layer problem, like an encapsulation mismatch
The switch # show interface fastethernet 0/2 command shows you details about a specific port (in this example fa0/2) like the MAC address, MTU, bandwidth, delay, reliability (in general this must be 255/255; if the link is flapping this value decreases, which means the flapping link isn't reliable), it also shows the duplex mode, speed, txload (how much load you are sending; 1/255 means this port isn't sending a lot) and rxload (how much load you are receiving), and finally it shows you the input/output rate in bits per second, how many packets went in/out through this port and how many broadcast packets have been received
Example:
If there are 17928 packets input and 14446 broadcasts received then the broadcast packets would be 14446/17928=0.80=80% (80% of the packets are broadcasts); in general the broadcast packets mustn't be more than 20%
The switch # show interface description command shows the ports of the switch, the status of each port and the description of each port (what has been configured using the switch (config-if) # description DESCRIPTION command); it also shows all the bad packets like runts, giants, input errors, CRC, frame, overrun, ignored and throttles, and finally it shows you the total packets output, collisions and late collisions
runts (packets that are too small) and giants (packets that are too big) are dropped in general and they result from bad connections
input errors, CRC and frame errors usually result from a faulty NIC or switch port, or from interference on the cable itself
late collisions happen if the cable is too long (longer than 100 meters for CAT 5 cables), because if the cable is too long then the distance the packet travels is long as well
collisions usually happen when there is a duplex mismatch
The switch # show run command is the easiest way to check the current configuration
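An added example (not from the course notes) that pulls the counters named above out of one show interfaces block and applies the notes' rules of thumb: broadcasts above 20% of input packets, reliability below 255/255, runts/giants, input/CRC errors, late collisions and collisions on a half-duplex port. The output text is constructed to follow the standard IOS layout and reuses the 17928/14446 numbers from the example.

```python
import re
from typing import Dict, List

# Constructed 'show interfaces' block in the standard IOS layout (not real output);
# the 17928 packets input / 14446 broadcasts pair reuses the example in the notes.
SAMPLE_OUTPUT = """\
FastEthernet0/2 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0019.e8f1.2a02 (bia 0019.e8f1.2a02)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     17928 packets input, 1356410 bytes, 0 no buffer
     Received 14446 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     12 input errors, 12 CRC, 0 frame, 0 overrun, 0 ignored
     3280 packets output, 254710 bytes, 0 underruns
     0 output errors, 88 collisions, 1 interface resets
     0 babbles, 7 late collision, 0 deferred
"""

# Counter name -> regex over the block; a counter missing from the text counts as 0.
COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "broadcasts": r"Received (\d+) broadcasts",
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_interface(text: str) -> Dict[str, object]:
    """Pull name, status/protocol, reliability, duplex and the counters out of
    one 'show interfaces' block."""
    info: Dict[str, object] = {}
    head = re.match(r"(\S+) is (\S+), line protocol is (\S+)", text)
    info["name"], info["status"], info["protocol"] = head.groups()
    info["reliability"] = int(re.search(r"reliability (\d+)/255", text).group(1))
    info["duplex"] = re.search(r"(Half|Full)-duplex", text).group(1).lower()
    for key, pattern in COUNTERS.items():
        found = re.search(pattern, text)
        info[key] = int(found.group(1)) if found else 0
    return info


def broadcast_share(info: Dict[str, object]) -> float:
    """Fraction of input packets that were broadcasts (the 14446/17928 calculation)."""
    return info["broadcasts"] / info["packets_input"] if info["packets_input"] else 0.0


def triage(info: Dict[str, object]) -> List[str]:
    """Apply the rules of thumb from the notes and return one line per symptom."""
    issues: List[str] = []
    if info["protocol"] != "up":
        issues.append("line protocol down: data link layer problem (e.g. encapsulation mismatch)")
    share = broadcast_share(info)
    if share > 0.20:
        issues.append(f"broadcasts are {share:.0%} of input packets (rule of thumb: at most 20%)")
    if info["reliability"] < 255:
        issues.append(f"reliability {info['reliability']}/255: link may be flapping")
    if info["runts"] or info["giants"]:
        issues.append("runts/giants seen: bad connection")
    if info["input_errors"] or info["crc"]:
        issues.append("input errors/CRC: faulty NIC, switch port or cable interference")
    if info["late_collisions"]:
        issues.append("late collisions: cable too long (over 100 m for CAT 5)")
    if info["collisions"]:
        issues.append(f"{info['collisions']} collisions on a {info['duplex']}-duplex port: "
                      "likely duplex mismatch")
    return issues


if __name__ == "__main__":
    parsed = parse_interface(SAMPLE_OUTPUT)
    print(parsed["name"], f"broadcast share {broadcast_share(parsed):.0%}")
    for issue in triage(parsed):
        print(" -", issue)
```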

16. Wireless: understanding wireless networking (34:25 mins)


types of wireless networks:
personal area network (PAN): it uses a small radius of a few feet, like connecting a Bluetooth headset to a mobile device or connecting a wireless mouse
local area network (LAN)
metropolitan area network (MAN), like point to point wireless bridges
wide area network (WAN), like cellular networks
wireless LAN facts:
1. a wireless access point (WAP) communicates like a hub
2. it has a shared signal (in other words, the more users connected to the wireless access point, the more of the bandwidth is used)


3. it acts as half duplex
4. it uses unlicensed bands of radio frequency (RF); unlicensed means not managed internationally (no need to buy a license to use it); as an example, if you go to a park and the wireless available in that park is saturated, you can't complain to anybody to fix that issue because it isn't covered by any license
5. wireless is a physical layer and data link layer standard
6. it faces connectivity issues because of interference
7. it uses CSMA/CA instead of CSMA/CD (like token rings); as an example, if a user wants to send a packet it first informs the whole wireless network that it will send a packet, and when the access point (AP) replies back to that user then that user can start sending
unlicensed frequencies:
900 MHz range: 902 MHz-928 MHz (this is a low data rate and it covers big ranges); we don't find a lot of devices within this range; the lower the frequency (lower data rates) the further the range you get, but that results in less bandwidth (lower frequency = further range = less bandwidth)
2.4 GHz range: 2.400 GHz-2.483 GHz
5 GHz range: 5.150 GHz-5.350 GHz (this is a high data rate and covers shorter ranges)
Understanding radio frequencies (RF):
Radio frequency (RF) waves are absorbed (passing through walls) or reflected (by metal)
Higher data rates (high frequencies) have shorter ranges (the more speed you are using, the closer you must be to the WAP)
In general, the further you get from the wireless access point, the weaker the signal becomes
802.11 (wireless), 802.3 (Ethernet)
The 802.11 line up:
802.11B:
Most popular standard (more popular than 802.11A although 802.11A is better)
The speed reaches up to 11 Mbps (1, 2, 5.5, 11 data rates)
Three clean channels available without any interference
It uses 2.4 GHz RF
802.11G:
Backwards compatible with 802.11B
The speed reaches up to 54 Mbps (12 data rates)
Three clean channels available without any interference
It uses 2.4 GHz RF
802.11A:
The speed reaches up to 54 Mbps (12 data rates)
12 to 23 clean channels available without any interference
It uses 5.8 GHz RF
Not cross compatible with 802.11B/G because 802.11A uses a different range (5.8 GHz) than 802.11B/G (2.4 GHz)
NOTE: there is a page that describes the wireless channels and the clean channels
Wireless access points (WAP) in general have a coverage of 300 feet without obstructions
ITU-R: International Telecommunication Union Radiocommunication Sector; this regulates the radio frequencies used for wireless transmission
The Institute of Electrical and Electronics Engineers (IEEE) maintains the 802.11 wireless transmission standards
The Wi-Fi Alliance ensures certified interoperability between 802.11 wireless vendors

17. Wireless: wireless security and implementation (29:27 mins)


Wireless dangers:
1. War driving: driving your car around a neighborhood that has a wireless connection and using that connection for free
2. Hackers
3. Employees: some employees may bring their own wireless access points and plug them into the company network to have a wireless connection; those wireless access points are called rogue wireless access points
Wireless security: in general it is a combination of authentication and encryption
1. Authentication: an example of authentication is to require a user name and password, or to use certificates to accomplish the authentication process (examples of authentication methods are 802.1x authentication and pre-shared keys)
2. Encryption: anything sent on the network is encrypted to protect the data (examples of encryption methods are WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access) and WPA2)
3. Intrusion prevention system (IPS): it is used to detect rogue wireless access points; if the IPS detects a rogue access point it will shut down the port the rogue access point has been connected to, or the IPS will send you a message or email
Evolution of wireless security:
1. Originally: pre-shared key WEP: a pre-shared key is a system of security where you type a key on the wireless access point, and all the clients that join that wireless access point must type that same key; in general the pre-shared key method is weak because if one of the employees leaves the company then you need to change that key on all the devices
2. Evolution 1: pre-shared key WPA1: this evolution improves the security from WEP encryption to WPA1 encryption, as WPA1 uses the TKIP (Temporal Key Integrity Protocol) method for the encryption and that is a bit stronger compared to WEP encryption
3. Evolution 2: WPA1 and 802.1x authentication: in general the 802.1x authentication concept is that when a device joins the wireless access point it sends to that access point a user name and password or a certificate, based on what authentication method the device is using; the access point passes that user name and password or that certificate to a specific server to check that this user name and password or this certificate is valid; after that the server sends back to the access point that the user name and password or the certificate is valid, and finally the device joins the wireless access point network
Each time a device joins the wireless access point several encryption keys (those aren't pre-shared keys) are generated using an encryption algorithm (every new session established creates new encryption keys)
The advantage of 802.1x authentication is that it is a bit stronger; let's say for example one of the employees leaves the company: we don't need to change the key as we did in the pre-shared key method, instead we just disable the user account or the certificate that employee was using on the main server
4. Evolution 3: WPA2 (802.11i) and 802.1x authentication: this evolution improves the security from WPA1 encryption and 802.1x authentication to WPA2 encryption and 802.1x authentication, as WPA2 uses the AES (Advanced Encryption Standard) method for the encryption and that is a bit stronger compared to WPA1, which uses the TKIP (Temporal Key Integrity Protocol) method for the encryption
NOTE: evolution 2 and evolution 3 support pre-shared keys as well
Understanding the SSID:
The service set identifier (SSID) uniquely identifies and separates wireless networks; the SSID is the name of the wireless network
You can have a wireless access point that has multiple SSIDs; as an example you can have a wireless access point that has 2 SSIDs, one called public (unsecured network) and the other called private (secured network)
When a wireless client is enabled the following happens:
1. The client issues a probe (request)
2. The wireless access point responds with a beacon (on the client side all the available SSIDs appear; in other words the client can see the available networks)
3. The client associates with a chosen SSID (the client joins the SSID held by the wireless access point with the strongest signal, since this SSID may be shared by multiple wireless access points, so the client associates itself with the one that provides the strongest signal)
4. The wireless access point adds the client MAC address to its association table
If the signal goes weak then the client re-issues another probe (request), and the closer wireless access point with the same SSID will reply back to the client
The correct design of a wireless LAN (WLAN):
1. Radio frequency (RF) service areas should have 10%-15% overlap (this percentage can be measured using Fluke Networks tools or software sniffers)
2. Repeaters should have 50% overlap
3. Bordering access points should use different channels
Setting up a wireless network:
1. Pretest the switch port that will be used to connect the wireless access point with a laptop, by testing the DHCP service and DNS service on that laptop while it is connected to that switch port
2. Connect the wireless access point to that switch port
3. Set up and test the SSID that has been created, without configuring additional security
4. Add security (WEP/WPA1/WPA2) to the wireless access point and test it
5. Add authentication (802.1x/pre-shared key) to the wireless access point and test it
18. Advanced TCP/IP: working with binary (25:51 mins)
IPv4 address:
An IPv4 address can be one of 3 different classes: class A, class B and class C
When the IP address is combined with a subnet mask it defines a network and a host portion (example: if we have the IP address 10.1.1.1 with a subnet mask 255.0.0.0 we notice that 10 is the network part (because it is linked with 255 from the subnet mask) and 1.1.1 is the host part (because it is linked with 0 from the subnet mask))
The IP protocol operates at layer 3 of the OSI model
An IPv4 address is a 4 octet address (a 4 byte address, as 1 octet equals 1 byte, or a 32 bit address; example: 10.10.10.10)
Working with binary:
Example: we want to convert 210 in decimal to binary
power     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
value     128    64    32    16     8     4     2     1
binary      1     1     0     1     0     0     1     0
Example: we want to convert 00110110 in binary to decimal
power     2^7   2^6   2^5   2^4   2^3   2^2   2^1   2^0
value     128    64    32    16     8     4     2     1
binary      0     0     1     1     0     1     1     0
After adding the numbers that are linked with a 1 in binary we get the number:
32+16+4+2=54 in decimal
19. advanced TCP/IP: IP sub netting part 1 (55:06 mins)
Every interface on the router represents a network
Subnetting means breaking our main network into multiple networks
Steps for subnetting:
1. Determine the number of networks and convert it to binary
2. Reserve bits in your subnet mask and find your increment
3. Use the increment to find your network ranges
Example: if we have the IP address 216.21.5.0 with a subnet mask 255.255.255.0 and we want to implement 5 networks with that given IP address
1. 5 networks, 5 = 00000101, 3 bits are reserved to represent the number 5; or we can just do the following: 2^3 - 2 = 6, 3 bits cover 6 networks and what we want is 5
To know the number of subnets: it equals 2^x where x is the number of bits; according to this example we have 3 bits so there are 8 subnets
2. The result from point 1 is that we want 3 bits
We use the 255.255.255.0 subnet mask as the IP address 216.21.5.0 is a class C address; if it were a class A address we would use 255.0.0.0 (/8) and if it were a class B address we would use 255.255.0.0 (/16)
255.255.255.0 = 11111111.11111111.11111111.00000000; we borrow the 3 bits found in point 1:
11111111.11111111.11111111.11100000, so the subnet mask to use is 255.255.255.224; after that we subtract 256-224=32 to know the increment
According to the above subnet mask, if we want to know the number of hosts in each subnet = 2^x - 2 where x = number of zeros; in the example above 2^5 - 2 = 30 hosts per subnet
3. From point 2 we know the increment = 32, so we start incrementing based on that:
Network ID      Broadcast ID    Usable hosts
210.21.5.0      210.21.5.31     1-30
210.21.5.32     210.21.5.63     33-62
210.21.5.64     210.21.5.95     65-94
210.21.5.96     210.21.5.107    97-106
210.21.5.108    210.21.5.139    109-138
210.21.5.140    210.21.5.171    141-170
210.21.5.172    210.21.5.223    173-222
210.21.5.224    210.21.5.255    225-254
Bit notation: example of bit notation = 255.255.255.0 = /24 (24 one bits)
The subnet mask 255.255.255.252 gives 2 usable host addresses per subnet, and that is usually useful for point to point WAN links
20. advanced TCP/IP: IP sub netting part 2 (22:29 mins)
NOTE: this section explains subnetting based on the number of hosts
Example: if you have the IP address 216.21.5.0 and you want to use that IP address for 5 networks and 30 hosts per network
1. To have 30 hosts: 2^5 - 2 = 30, so we need 5 host bits to cover the situation
2. 255.255.255.0 = 11111111.11111111.11111111.00000000; the 5 bits found in point 1 stay as zeros:
11111111.11111111.11111111.11100000, so the subnet mask to use is 255.255.255.224 as we care about the SUBNET BITS!; after that we subtract 256-224=32 to know the increment
The number of subnets = 2^3 = 8
The number of hosts per subnet = 2^5 - 2 = 30 hosts per subnet
3.
Network ID      Broadcast ID    Usable hosts
210.21.5.0      210.21.5.31     1-30
210.21.5.32     210.21.5.63     33-62
210.21.5.64     210.21.5.95     65-94
210.21.5.96     210.21.5.107    97-106
210.21.5.108    210.21.5.139    109-138
210.21.5.140    210.21.5.171    141-170
210.21.5.172    210.21.5.223    173-222
210.21.5.224    210.21.5.255    225-254
21. advanced TCP/IP: IP sub netting part 3 (19:53 mins)
NOTE: this section explains subnetting based on the reverse engineering method (we are given the IP and the subnet mask and we need to know the network range for that specific IP)
Example: if you have the IP address 192.168.1.127 and the subnet mask 255.255.255.224, what will the network range be that includes this given IP address?
256-224 = 32 is the increment, so we start doing the increment process until we find the following range:
192.168.1.96-192.168.1.127; finally we discover that the IP 192.168.1.127 isn't a valid host IP, instead it is a broadcast IP!!
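An added example (not from the course notes) that works sections 18 through 21 in Python: the weight-table binary conversion, steps 1 and 2 of the subnetting method (by subnet count as in part 1 or by host count as in part 2, returning the mask and the increment), step 3 deriving every network/broadcast/usable-host row from the increment rather than copying the table, and the reverse engineering lookup of part 3. The function names are this example's own, not course terms, and it assumes the ordinary /25 to /30 case with 2 reserved addresses per subnet.

```python
from typing import Dict, List, Tuple

# Weight table from the binary section: 2^7 .. 2^0.
WEIGHTS = [128, 64, 32, 16, 8, 4, 2, 1]

def to_binary(value: int) -> str:
    """Decimal octet to 8 bits by subtracting weights left to right: 210 -> '11010010'."""
    bits = []
    for w in WEIGHTS:
        bits.append("1" if value >= w else "0")
        if value >= w:
            value -= w
    return "".join(bits)

def from_binary(bits: str) -> int:
    """Add the weights under each 1: '00110110' -> 32+16+4+2 = 54."""
    return sum(w for w, b in zip(WEIGHTS, bits) if b == "1")

def bits_for_subnets(count: int) -> int:
    """Smallest x with 2^x >= count (step 1 of part 1)."""
    x = 0
    while 2 ** x < count:
        x += 1
    return x

def bits_for_hosts(count: int) -> int:
    """Smallest x with 2^x - 2 >= count (part 2: size by hosts per subnet)."""
    x = 1
    while 2 ** x - 2 < count:
        x += 1
    return x

def prefix_to_mask(prefix: int) -> str:
    bits = "1" * prefix + "0" * (32 - prefix)
    return ".".join(str(from_binary(bits[i:i + 8])) for i in range(0, 32, 8))

def mask_to_prefix(mask: str) -> int:
    return "".join(to_binary(int(o)) for o in mask.split(".")).count("1")

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 255) for s in (24, 16, 8, 0))

def plan(base_prefix: int, subnets: int = 0, hosts: int = 0) -> Dict[str, object]:
    """Steps 1-2: borrow bits for a subnet count (part 1) or keep enough host
    bits for a host count (part 2); returns mask, increment and the sizes."""
    new_prefix = base_prefix + bits_for_subnets(subnets) if subnets else 32 - bits_for_hosts(hosts)
    if not base_prefix < new_prefix <= 30:
        raise ValueError("cannot fit that many subnets/hosts in the base network")
    mask = prefix_to_mask(new_prefix)
    # The 'interesting' octet is the one the borrowed bits end in (0-based index).
    octet = new_prefix // 8 if new_prefix % 8 else new_prefix // 8 - 1
    return {"prefix": new_prefix, "mask": mask, "octet": octet + 1,
            "increment": 256 - int(mask.split(".")[octet]),
            "subnets": 2 ** (new_prefix - base_prefix), "hosts": 2 ** (32 - new_prefix) - 2}

def subnet_ranges(base: str, base_prefix: int, new_prefix: int) -> List[Tuple[str, str, str, str]]:
    """Step 3: (network ID, broadcast ID, first host, last host) for every subnet,
    stepping through the base network by the block size (the increment)."""
    size = 2 ** (32 - new_prefix)
    base_size = 2 ** (32 - base_prefix)
    start = ip_to_int(base) - ip_to_int(base) % base_size
    rows = []
    for net in range(start, start + base_size, size):
        bcast = net + size - 1
        rows.append((int_to_ip(net), int_to_ip(bcast), int_to_ip(net + 1), int_to_ip(bcast - 1)))
    return rows

def locate(ip: str, mask: str) -> Tuple[str, str, str]:
    """Part 3 (reverse engineering): the subnet holding ip and the role of ip in it."""
    size = 2 ** (32 - mask_to_prefix(mask))
    n = ip_to_int(ip)
    net = n - n % size
    bcast = net + size - 1
    role = "network ID" if n == net else "broadcast ID" if n == bcast else "host"
    return int_to_ip(net), int_to_ip(bcast), role

if __name__ == "__main__":
    p = plan(24, subnets=5)  # the 216.21.5.0/24, five networks example from part 1
    print(p)
    for row in subnet_ranges("216.21.5.0", 24, p["prefix"]):
        print("%-14s %-14s %s - %s" % row)
    print(locate("192.168.1.127", "255.255.255.224"))
```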
22. Routing: initial router configuration (31:07 mins)
There is a USB port on the router that is usually used to connect a USB drive to hold the encryption keys, or to use it as flash for the router
A WIC card is a WAN interface card
The 2801 router model has different cards installed on it; it contains 2 fast Ethernet ports (one is used for example to connect to the internet and the other to connect to the internal network), it also contains a T1 interface that is used to connect T1 lines, and finally it has switch ports; because of those available cards on this model we can use this router as a router and a switch at the same time
Router boot process (what happens when you boot up the router):
1. It shows the total memory of the router and the model of the router
2. It shows the name of the IOS image found in the flash of the router
3. It shows how many interfaces are available on the router
4. It shows the size of the flash and NVRAM available on the router
All the commands we applied on the switch in PREVIOUS sections are the same that are applied to routers, except for configuring the IP address and the default gateway
Router (config) # interface fastethernet 4
Router (config-if) # description DESCRIPTION   (this command is used to configure the description for the port)
Router (config-if) # ip address 68.110.171.98 255.255.255.224   (this command is used to assign a static IP to this specific interface; in case we want to assign a dynamic IP address to this specific interface then we use the command Router (config-if) # ip address dhcp)
Router (config-if) # no shutdown
23. Routing: SDM and DHCP server configuration, part 1 (32:06 mins)
SDM:
1. SDM means Security Device Manager
2. SDM is a graphical user interface (GUI) that you can use to configure and manage your router
3. SDM is a web based tool that uses Java
4. SDM works on all main line routers (all models) like the 2800, 800 and 2600 router models
5. SDM is designed to allow IOS configuration without extensive knowledge about it
Steps for configuring your router to support SDM:
1. Generate encryption keys (used in SSH and https); to generate those keys we need to configure a domain name
2. Turn on the http/https servers on your router
3. Create a privilege level 15 user account
4. Configure your VTY and http access ports for privilege level 15 and to use the local user database
5. Install Java on your PC and access the router using one of the following ways:
a) Using a web browser, if SDM is installed on the router only; new routers come with SDM installed by default
b) Using the SDM Java program, if SDM is installed on the PC; the advantage of this method is that it is faster
As you notice we can install SDM on the flash of the router, on the PC, or on both of them; depending on the way we install SDM we can use the above methods to access the router and configure it
Configuring your router to support SDM (based on the points above):
1. Router (config) # ip domain-name DOMAINNAME   (this command is used to configure a domain name, as the keys for SSH and https can't be generated without a domain name)
Router (config) # crypto key generate rsa ?   (this command will ask us for the size of the key to generate; the best choice is 1024, the default is 512)
? = a) general-keys keyword: if you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA-encrypted nonces. Therefore, a general-purpose key pair might be used more frequently than a special-usage key pair. (if I don't type it, this is applied by default)
b) usage-keys keyword: if you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair with any IKE policy that specifies RSA-encrypted nonces as the authentication method.
NOTE: if we change the domain name after creating the crypto keys then we need to regenerate those keys to adapt to the new domain name
2. Router (config) # ip http server   (this command is used to turn on the http server (port 80))
Router (config) # ip http secure-server   (this command is used to turn on the https server (port 443))

3. Router (config) # username USERNAME privilege 15 ?   (this command is used to create a user name that has privilege level 15; this privilege level is the highest and it is called the enable mode level as well)
? = a) password PASSWORD keyword is used to specify a password that uses level 0 (unencrypted password, and this level is the default); it is the same as the Router (config) # enable password PASSWORD command
b) password 7 PASSWORD keyword is used to specify a password that is shown encrypted if we run the router# sh run command, but this password can be broken
c) secret PASSWORD keyword is used to specify a password that is encrypted and stronger than using the password keyword; it is the same as the Router (config) # enable secret PASSWORD command
If I use the username and password declared in this point it will take me directly to privilege mode (bypassing the enable prompt) because the privilege level I'm using is 15
4. router (config) # ip http authentication local   (this command is used to secure the http access ports (http server) and to use the local user database)
The local keyword means that once we enter a user name and password in the browser to access SDM, the router checks that user name and password against its local DB (what has been configured in point 3 is called the local DB)
We can use the command router (config) # ip http authentication enable instead of the command router (config) # ip http authentication local if we want the router to check the username and password against the enable passwords (what has been entered using the Router (config) # enable password PASSWORD or Router (config) # enable secret PASSWORD commands) instead of checking the local DB (what has been entered using the Router (config) # username USERNAME privilege 15 password PASSWORD command)
Router (config) # line vty 0 4
Router (config-line) # login local   (this command is used to secure the VTY ports and to use the local user database)
The local keyword means that once we enter a user name and password in the telnet session to access the router, the router checks the user name and password against its local DB (what has been configured in point 3 is called the local DB) instead of using the password that is usually configured with the router (config-line) # password PASSWORD command
Router (config-line) # transport input all   (this command enables both telnet and SSH on the router, and it is equivalent to the command Switch (config-line) # transport input telnet ssh)
5. Open SDM from the browser (if SDM is installed on the router) or from the SDM program itself if it is installed on the local PC
24. Routing: SDM and DHCP server configuration, part 2 (20: 02 mins)
Dynamic host configuration protocol ( DHCP ):
1. DHCP allows you to give devices IP addresses without manual
configuration
2. DHCP IP address is Typically given for a specific time
3. Can be manually allocated for key network devices ( we can reserve
an IP address based on the MAC address device )
4. DHCP servers can be server based or router based , server based
advantage is that it would be easier to use using the GUI , router
based advantage is that it would be more stable
DHCP process :
1. DHCP discover message ( broadcast message )
2. DHCP offer message ( unicast message )
3. DHCP request message ( unicast message )
4. DHCP ACK ( unicast message )
To configure DHCP using SDM, this could be done from the additional
tools tab :
Domain name : if we choose this option for DHCP then once you check the
name of any client in the network that has been assigned with this DHCP
option you will notice that this domain name has been added beside the
client name
Tick mark ( import all the DHCP options into the DHCP server database ) :
in case the router has been assigned a dynamic IP address from the ISP,
using this option it can pull the other DHCP options provided by the
same ISP, and once the router receives those options it starts assigning
them dynamically to the clients that request an IP address from this
router
In SDM if you press on the DHCP pool status tab you will notice the
leased IP addresses
To configure DHCP using the command line :
Router (config) # ip dhcp pool POOLNAME : this command is used to
create the DHCP pool and enter its configuration mode
Router (dhcp-config) # network 192.168.1.0 255.255.255.0 : this command
is used to configure the IP addresses that will be available in this
DHCP pool (those IP addresses will be leased to clients)
Router (dhcp-config) # domain-name DOMAINNAME : this command is used to
configure the domain name that the DHCP router offers to the clients
when they are assigned an IP address from this router
Router (dhcp-config) # default-router 192.168.1.1 : this command is used
to configure the default gateway that the DHCP router offers to the
clients when they are assigned an IP address from this router
Router (dhcp-config) # import all : this command is the same as the tick
mark ( import all the DHCP options into the DHCP server database ) in
SDM
Router (dhcp-config) # lease 3 : this command is used if we want to
lease the IP addresses for 3 days
Router (config) # ip dhcp excluded-address 192.168.1.1 192.168.1.19
Router (config) # ip dhcp excluded-address 192.168.1.101 192.168.1.254
The two commands above exclude those IP address ranges from our pool, so
the available IP addresses left to be leased to clients are
192.168.1.20-192.168.1.100
Router# show ip dhcp binding : this command shows all the IP addresses
leased to the clients using DHCP and the MAC addresses of the clients
that are using the leased IP addresses
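To see how the four-step DHCP process and the pool configuration above fit together, here is a small DHCP server model written for these notes (it is an added example, not Cisco IOS code). It uses the pool network, default router, lease time and excluded ranges from the commands above; the client MAC addresses, the domain name and the dict-based message format are constructed assumptions.

```python
"""Toy DHCP server modelling the discover/offer/request/ack exchange and
the pool plus excluded-address configuration from the notes.
Assumptions (not from the page): one pool, clients identified by their
MAC string, messages represented as plain dicts."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DhcpServer:
    network: str                      # pool, e.g. "192.168.1.0/24"
    default_router: str               # offered as the default gateway
    domain_name: str                  # offered as the domain name
    lease_days: int = 3               # 'lease 3'
    excluded: list = field(default_factory=list)  # list of (first, last)
    bindings: dict = field(default_factory=dict)  # ip -> mac (leased)
    offers: dict = field(default_factory=dict)    # mac -> offered ip

    def _is_excluded(self, ip):
        for first, last in self.excluded:
            if ipaddress.ip_address(first) <= ip <= ipaddress.ip_address(last):
                return True
        return False

    def available(self):
        """Pool hosts minus excluded ranges minus current bindings."""
        net = ipaddress.ip_network(self.network)
        return [str(ip) for ip in net.hosts()
                if not self._is_excluded(ip) and str(ip) not in self.bindings]

    def discover(self, mac):
        """Step 1 (client broadcast DISCOVER) -> step 2 (server OFFER)."""
        free = self.available()
        if not free:
            return None                      # pool exhausted
        self.offers[mac] = free[0]
        return {"type": "OFFER", "yiaddr": free[0],
                "router": self.default_router, "domain": self.domain_name,
                "lease_days": self.lease_days}

    def request(self, mac, requested_ip):
        """Step 3 (client REQUEST) -> step 4 (server ACK), or NAK when the
        request does not match what was offered to this client."""
        if self.offers.get(mac) != requested_ip or requested_ip in self.bindings:
            return {"type": "NAK"}
        self.bindings[requested_ip] = mac
        del self.offers[mac]
        return {"type": "ACK", "yiaddr": requested_ip}

    def show_binding(self):
        """The information 'show ip dhcp binding' lists: (ip, mac) pairs."""
        return sorted(self.bindings.items(),
                      key=lambda kv: ipaddress.ip_address(kv[0]))


def demo():
    srv = DhcpServer("192.168.1.0/24", "192.168.1.1", "example.test",
                     excluded=[("192.168.1.1", "192.168.1.19"),
                               ("192.168.1.101", "192.168.1.254")])
    mac = "0011.2233.4455"                    # constructed client MAC
    offer = srv.discover(mac)
    ack = srv.request(mac, offer["yiaddr"])
    return srv, offer, ack


if __name__ == "__main__":
    server, offer, ack = demo()
    print(offer, ack, server.show_binding(), len(server.available()))
```

The first offered address is 192.168.1.20, the first host not covered by either excluded range, and after the ACK the pool still has 80 addresses left. A second client that sends a REQUEST for an address it was never offered gets a NAK, which is the check that keeps the binding table consistent.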

25. Routing: implementing static routing (37: 32 mins)


The purpose of the routers is to stop broadcast and allow traffic to
move from one network to another
Router# show ip route command allow us to know what networks
can be reachable by the router ( it shows us the list of networks a
router can reach )
Example:
Router# show ip route
Gateway of last resort : this sentence shows us the details of the
default route
To configure static routes :
R1 (config) # ip route 192.168.3.0 255.255.255.0 192.168.2.2
The above command configures a static route; the general command
syntax is :
R1(config)# ip route destination_network subnet_mask next_hop_address
The next hop address could be the IP address of the next router, in our
example 192.168.2.2, or we can use the local interface, which in our
example is S1
Default route : any destination the router can't reach (it's not found
in the routing table) is sent using the default route
To configure a default route :
R1 (config) # ip route 0.0.0.0 0.0.0.0 S1 : this command is used to
configure a default route on R1; instead of the S1 keyword we can use
the next hop address 68.110.171.97
Router(config)# ip name-server 4.2.2.2 : this command is used to
configure a DNS server for the router, so that if we want to resolve the
IP address of www.google.com this DNS server 4.2.2.2 will do the task
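The following is an added example (not from the course or IOS) of how a router chooses between the static route and the default route above: every candidate whose network contains the destination is considered, and the longest prefix wins, so 0.0.0.0/0 is only used when nothing more specific matches. The 192.168.3.0/24 route and the S1 default route come from the notes; the 192.168.3.128/25 route and its next hop 10.0.0.9 are constructed to show the longest-match rule.

```python
"""Longest-prefix-match lookup over a static routing table with a default
route (gateway of last resort). Added example; see lead-in for which
routes are from the notes and which are constructed."""
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []   # list of (ip_network, next_hop_or_interface)

    def add(self, destination, mask, next_hop):
        """Equivalent of 'ip route destination mask next_hop'."""
        net = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
        self.routes.append((net, next_hop))

    def lookup(self, dst):
        """Return the next hop of the most specific matching route, or None
        when no route (not even a default route) covers the destination."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]


def build_r1(with_default=True):
    rt = RoutingTable()
    rt.add("192.168.3.0", "255.255.255.0", "192.168.2.2")    # static route from notes
    rt.add("192.168.3.128", "255.255.255.128", "10.0.0.9")   # constructed /25
    if with_default:
        rt.add("0.0.0.0", "0.0.0.0", "S1")                   # default route from notes
    return rt


if __name__ == "__main__":
    r1 = build_r1()
    for dst in ("192.168.3.10", "192.168.3.200", "8.8.8.8"):
        print(dst, "->", r1.lookup(dst))
```

Without the default route the lookup for 8.8.8.8 returns None, which is the case where a real router drops the packet and reports the destination as unreachable.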

26. Routing: implementing dynamic routing with RIP (40: 46 mins)

Routing protocols : a routing protocol tells the other routers on the
network what networks I know; it allows routers to build paths
automatically by saving those paths and the next hop addresses used to
reach them in routing tables
Types of routing protocols :
1. Distance vector routing protocols :
Distance vector routing protocols are easy to configure
They don't contain a lot of features (they are slow in detecting
problems on the network)
Some distance vector routing protocol examples are RIP and IGRP
2. Link state routing protocols :
Link state routing protocols are difficult to configure (more
knowledge is required)
Link state routing protocols are rich in features
Some link state routing protocol examples are OSPF and IS-IS (it's an
OSI protocol)
3. Hybrid routing protocols :
Hybrid routing protocols combine the best of link state routing
protocols and distance vector routing protocols
It's a Cisco proprietary routing protocol (it only works with Cisco
devices)
The hybrid routing protocol example is EIGRP (enhanced interior
gateway routing protocol)
RIP ( routing information protocol ) : RIP comes in 2 versions
1. RIPv1 :
Classful version, it doesn't support VLSM (variable length subnet
mask, which means changing your subnet mask wherever and whenever you
want), it only advertises networks without their subnet masks
Example:
No authentication : RIP authentication in general means requesting a
password before a route is added to the routing table, or requesting a
password for joining the RIP routing network; RIPv1 doesn't support
authentication and that is a problem, as anyone can just connect a
rogue RIP router to poison the routing table with fake routes, which
results in the network going down
RIPv1 uses broadcast; it sends packets every 30 seconds to check
whether the entries found in the routing table are still valid or not
2. RIPv2 :
Classless version, it supports VLSM (it advertises the routes with
their subnet masks)
RIPv2 supports authentication
RIPv2 uses multicast, so only RIP routers receive the hello packets;
in RIPv1 the technique used was broadcasting those hello packets to
all the devices in the network
Steps to configure RIP :
1. Turn on RIP using its global configuration command
2. Change the version of RIP used
3. Enter the network statements; those statements are used to :
a) Tell RIP what networks to advertise
b) Tell RIP what interfaces to send advertisements on
To configure RIP :
Router (config) # router rip : this command is used to turn on the RIP
routing protocol
Router (config-router) # version 2 : this command is used to change the
version of RIP to version 2, the default version is version 1
Router (config-router) # network 192.168.1.0 : this command is used to
advertise the directly connected networks; in general the network
address we type must be classful, and if we don't type a classful
network address the IOS will automatically change the command to be
classful
Router (config-router) # no auto-summary : this command is used to stop
RIP from auto-summarizing the network addresses to classful addresses;
the router# show ip route command will then start showing details
about the subnets
Example:
Router# show run | include ip route : this command is used to show only
the configuration lines that include the words ip route
Router# debug ip rip : this command is used to show details of the RIP
process
Router# show ip protocols : this command is used to show what routing
protocols are running on the router plus details about them
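As an added illustration of the distance vector behaviour described above (this is example code written for these notes, not IOS or course code), the model below lets three routers exchange their tables until they converge, counting hops as the metric with 16 meaning unreachable. The page's point about RIPv1 having no authentication is modelled in the simplest possible way: each update carries a key, and a router configured with a key drops updates that do not carry it, so the rogue update never reaches the table. The router names, networks and the key "K" are constructed; the key check is a placeholder for RIPv2 authentication, not the real RIPv2 authentication format.

```python
"""Distance-vector (RIP-style) route exchange between routers. Added
example; simplified model of RIP, not its wire format. Metric = hop
count, INFINITY (16) = unreachable. A router with a configured key drops
updates whose key does not match (stands in for RIPv2 authentication)."""
INFINITY = 16


class Router:
    def __init__(self, name, connected, key=None):
        self.name = name
        self.key = key                       # None models RIPv1 (no auth)
        # destination -> (metric, next hop); connected networks cost 0
        self.table = {net: (0, "connected") for net in connected}

    def advertisement(self):
        """What this router sends its neighbours: every route, metric + 1."""
        routes = {net: min(m + 1, INFINITY) for net, (m, _) in self.table.items()}
        return {"from": self.name, "key": self.key, "routes": routes}

    def receive(self, adv):
        """Install routes that are new or better (Bellman-Ford relaxation).
        Returns True if the table changed; an update that fails the key
        check is ignored entirely and returns False."""
        if self.key is not None and adv["key"] != self.key:
            return False
        changed = False
        for net, metric in adv["routes"].items():
            if metric >= INFINITY:
                continue                     # unreachable, do not install
            current = self.table.get(net)
            if current is None or metric < current[0]:
                self.table[net] = (metric, adv["from"])
                changed = True
        return changed


def converge(routers, links, max_rounds=20):
    """links: (a, b) neighbour pairs. Exchange advertisements in rounds
    until a full round changes nothing; return the number of rounds."""
    by_name = {r.name: r for r in routers}
    for rnd in range(1, max_rounds + 1):
        advs = {r.name: r.advertisement() for r in routers}   # snapshot
        changed = False
        for a, b in links:
            changed |= by_name[b].receive(advs[a])
            changed |= by_name[a].receive(advs[b])
        if not changed:
            return rnd
    return max_rounds


def demo():
    r1 = Router("R1", ["192.168.1.0/24", "192.168.2.0/24"], key="K")
    r2 = Router("R2", ["192.168.2.0/24", "192.168.3.0/24"], key="K")
    r3 = Router("R3", ["192.168.3.0/24", "192.168.4.0/24"], key="K")
    rounds = converge([r1, r2, r3], [("R1", "R2"), ("R2", "R3")])
    # a router without the key tries to advertise a fake network to R1
    rogue = Router("ROGUE", ["10.66.0.0/16"], key=None)
    accepted = r1.receive(rogue.advertisement())
    return r1, rounds, accepted


if __name__ == "__main__":
    r1, rounds, accepted = demo()
    print("converged after", rounds, "rounds; rogue update accepted:", accepted)
    for net, (metric, nh) in sorted(r1.table.items()):
        print(f"  {net:18} metric {metric:2} via {nh}")
```

R1 learns 192.168.3.0/24 at one hop and 192.168.4.0/24 at two hops, both via R2, and the third round is the one in which nothing changes. The same exchange with `key=None` on R1 would accept the rogue route, which is the RIPv1 weakness the notes describe.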

27. Routing: internet access with NAT and PAT (24: 41 mins)
Router# u all command ( short for undebug all ) is used to disable all
debugging on the router
NAT ( network address translation ) allows multiple devices to share
one internet IP address ( a public address )
PAT ( port address translation ) is a form of NAT and it's called NAT
overload
Static Nat is usually used with web servers
To configure NAT using SDM there is a tab for NAT that contain 2
options :
1. Basic NAT : its the same PAT ( NAT overload )
2. Advanced NAT or static NAT
How PAT works :

Steps to configure PAT : note that this is an example without
explanation, as this section is only an introduction to NAT and PAT
Router (config) # access-list 1 permit 192.168.1.0 0.0.0.255
Router (config) # interface vlan 1
Router (config-if) # ip nat inside
Router (config-if) # exit
Router (config) # interface fastethernet 0/4
Router (config-if) # ip nat outside
Router (config-if) # exit
Router (config) # ip nat inside source list 1 interface fastethernet 0/4 overload
In the last command the overload keyword means that more than one client
(the IP range declared in access list 1) is allowed to use the public IP
address we have
Router# show ip nat translations : this command is used to show all the
NAT translations held by the router; it also shows the following :
1. Inside local address : this represents my PC
2. Inside global address : this represents the local public IP address
configured on our local router
3. Outside global : this represents the remote public IP address
configured on the remote router
4. Outside local : this represents the remote PC
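The following is an added example (not course or IOS code) of what the overload keyword means in practice: a translation table in which many inside local addresses share one inside global address and are told apart by the translated source port, with replies only delivered inside when they match an existing entry. The inside network 192.168.1.0/24 is the one permitted by access-list 1 above; the public address 203.0.113.5, the remote server 198.51.100.7 and all port numbers are constructed (documentation address ranges).

```python
"""Toy PAT (NAT overload) translation table. Added example modelling the
'ip nat inside source list 1 interface ... overload' behaviour from the
notes; addresses other than the inside network are constructed."""
import ipaddress


class PatTable:
    def __init__(self, inside_global, permitted, first_port=1024):
        self.inside_global = inside_global               # the one public address
        self.permitted = ipaddress.ip_network(permitted)  # what access-list 1 permits
        self.next_port = first_port
        self.out = {}   # (inside_local, lport, outside, oport) -> translated port
        self.back = {}  # (translated port, outside, oport) -> (inside_local, lport)

    def outbound(self, src, sport, dst, dport):
        """Packet leaving the inside interface: rewrite its source to
        inside_global:translated_port. Returns the new (src, sport) or None
        when the source is not permitted by the access list."""
        if ipaddress.ip_address(src) not in self.permitted:
            return None
        key = (src, sport, dst, dport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, dst, dport)] = (src, sport)
        return (self.inside_global, self.out[key])

    def inbound(self, src, sport, dport):
        """Reply arriving on the outside interface: delivered to the inside
        host only if a translation exists; unsolicited traffic is dropped."""
        return self.back.get((dport, src, sport))

    def show_translations(self):
        """Rows in the spirit of 'show ip nat translations':
        (inside global, inside local, outside global)."""
        return sorted((f"{self.inside_global}:{p}", f"{s}:{sp}", f"{d}:{dp}")
                      for (s, sp, d, dp), p in self.out.items())


def demo():
    pat = PatTable("203.0.113.5", "192.168.1.0/24")
    a = pat.outbound("192.168.1.10", 40001, "198.51.100.7", 80)
    b = pat.outbound("192.168.1.11", 40001, "198.51.100.7", 80)  # same source port, other host
    reply = pat.inbound("198.51.100.7", 80, b[1])    # reply to the second host
    dropped = pat.inbound("198.51.100.7", 80, 9999)  # no translation: dropped
    denied = pat.outbound("10.9.9.9", 5000, "198.51.100.7", 80)  # not in access-list 1
    return pat, a, b, reply, dropped, denied


if __name__ == "__main__":
    pat, a, b, reply, dropped, denied = demo()
    for row in pat.show_translations():
        print(row)
    print(reply, dropped, denied)
```

Two inside hosts using the same source port 40001 get different translated ports (1024 and 1025), which is exactly why the single public address can be shared; a reply addressed to an unused port returns None, showing that PAT by itself does not admit unsolicited inbound connections.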

28. Routing: WAN connectivity (27: 38 mins)

WAN connections are used to connect you to the internet, like frame
relay, ATM, PPP and HDLC
LAN connections are used to connect you locally, like Ethernet
technology
WAN links define a new type of layer 1 and layer 2 connectivity :
WAN links allow links to the internet or other offices
Data link layer : ISDN, metro Ethernet, MPLS, T1, E1, dial up modems,
frame relay, ATM, PPP and HDLC (in the LAN there were MAC addresses)
Physical layer : serial physical connections (in LAN connections it was
Ethernet cables like CAT5E and RJ45 connections)
Frame relay connects using DLCI; the DLCI is like the MAC address in a
LAN
ATM connects using a VPI/VCI pair; the VPI/VCI pair is like the MAC
address in a LAN
Leased line protocols are HDLC and PPP (they are the only protocols
that work on point to point connections like leased lines)
Styles of WAN connections ( data link layer connections ):
1. Leased line connections :
It's a dedicated bandwidth line (the bandwidth is assigned only to me
and it's not shared)
It's very expensive
Examples of leased lines : T1 CAS ( 1.544Mbps ) and E1 CAS
The problem is that if you have a high bandwidth link and you don't
use all of it, the rest remains unused without any benefit from it

2. Circuit switched connections :
It's on-demand bandwidth used between different locations (we use
dial-up technology to get it when we need it)
The advantage of this technology is that it's very cheap
The disadvantage of this technology is its slow bandwidth and the time
we spend to set up this technology
Examples of circuit switched connections : dial-up modems and ISDN
3. Packet switched connections :
It's a shared bandwidth technology but with guaranteed bandwidth
between locations (if you pay for this service you are guaranteed a
specific bandwidth, but you may gain more (this is called bursting)
and never less)
The advantage of this technology is that you can connect a serial
cable to the internet cloud and from that cloud connect to multiple
offices using only one packet switched connection (that is done using
virtual circuits)
Examples of packet switched connections : ATM, frame relay, X.25 (old
technology) and MPLS
The 1st technology was X.25, then it became frame relay, then ATM and
now MPLS

The physical connections for WAN ( physical layer connections ):

Configuring leased line connections :
1. A leased line can be configured using HDLC ( high level data link
control )
This is a layer 2 WAN protocol (if you want to compare it to a layer 2
LAN protocol it would be Ethernet technology)
This is a Cisco proprietary protocol (it only works with Cisco routers)
It is the default protocol that is used
It's simple to configure and use
Extremely low overhead
No features
2. A leased line can also be configured using PPP ( point to point
protocol )
This protocol is an alternative to HDLC
Industry standard (this protocol works with all routers and it's not
proprietary to Cisco only)
Moderate overhead
Feature-riffic, it supports four major features :

1. Authentication : you add a username and password on the WAN link;
it must match on both sides
2. Compression : it helps to use less bandwidth but it uses more
processing on the routers
3. Call back feature : this is primarily used on modems; when you dial
in to the modem and authenticate (type your username and password),
the router immediately hangs up on you and dials you back at a
predefined number (this is used for security, or if we want the long
distance call bill to be charged on the other side, not on us)
4. Multilink : it's a system that allows you to combine the bandwidth
of multiple WAN connections into one; say as an example we have 3 T1
links, the multilink feature combines that bandwidth together so the
result is 4.5Mbps, and it load balances the traffic over those 3 links!
The encapsulation ( HDLC/PPP ) must match at both ends of the link; if
it's not the same then the link won't work and it will show the
protocol status as down in the output of the command Router# show ip
interface brief
Router # show run interface serial 0/0 command is used to show only
the configuration of serial 0/0 from the router # show run output
If the encapsulation used is HDLC (the default encapsulation on Cisco
devices) it won't appear in the router # show run output
Router# show interfaces serial 0/0 command is used to show all the
details about a specific interface (in this example the details of
serial 0/0); this command is used to check the current encapsulation
used on this serial interface in case we have a leased line (it shows
the HDLC and PPP information and whether those protocols are working
or not)
Example: this example shows that PPP is working fine
Router# show interfaces serial 0/0
Encapsulation PPP, LCP open
Open IPCP, CDPCP
LCP is the link control protocol and it's responsible for negotiating
the PPP features; it will show LCP closed if there is a problem
negotiating compression, authentication, multilink or call back. IPCP
(IP control protocol) and CDPCP (Cisco discovery protocol control
protocol) are control protocols; IPCP lets the IP protocol (TCP/IP)
work on the WAN link (PPP link), CDPCP allows CDP to work over the WAN
link
Router# show controllers serial 0/0 command is used to know the cable
type connected to this specific interface (it shows whether the cable
type is DTE or DCE) (DCE is always connected on the ISP side and DTE
is connected on our side)
Router# show ip interface brief command is used mostly to show the
protocol status; if the protocol shows a down status then probably the
problem is an encapsulation mismatch (another command to check whether
HDLC or PPP is working)
How to configure PPP :
Router (config) # interface serial 0/0
Router (config-if) # encapsulation ppp : this command is used to
configure the encapsulation on this interface, which is used to set up
the leased line on it
Router (config-if) # clock rate 56000 : this command is used to specify
the speed of the connection; this is configured if and only if this
specific interface is the DCE (data clock equipment, a type of
connector that needs a clock configuration to work properly; it
determines how fast the WAN connection goes); this value is usually
configured on the ISP side, but if we are in a lab environment we need
to configure it, as if it's not configured the link won't work; 56000
is measured in bits per second, so the value here is 56 kilobits per
second

29. Management and security: telnet, SSH and CDP (28: 48 mins)
Router# telnet 192.168.2.2 command is used to telnet to another router
from our router
Managing telnet/SSH :
1. Press < CTRL , SHIFT , 6 > then X : this suspends the telnet/SSH
session; to resume that session we just type the command router#
resume 1 (number 1 represents the session number) from our router, or
we press ENTER in privilege mode; the latter resumes the most recently
opened session
2. Router# show sessions command is used to show the open sessions from
your router (when you run this command you will notice an asterisk *
that marks the most recent open session)
3. Router# show users command is used to show the open sessions to your
router (when you run this command you will notice a column called
location; this column shows you which users' routers are connected to
your router; usually when you run this command it takes some time
until the IP addresses found under the location column are resolved
to names; to get around this issue we just run the command
router(config)# no ip domain-lookup to disable the domain lookup
feature and stop the resolving delay, in which case it runs faster
than before)
4. Router# disconnect command is used to kill one of your open telnet
sessions (at 1st I run the command Router# show sessions to know which
session is open from my router and which one I want to kill, then I
run this command)
5. Router# clear line X command, where X represents the number of the
session opened to my router (at 1st I run the command Router# show
users to know which session is opened to my router and which one I
want to kill, then I run this command)
6. Router# exit command is used to end a telnet session; in case I want
to telnet again to that same device I need to run the command Router#
telnet IPADDRESS again
7. Router # show line command is used to show all the lines (telnet
connection ports) on your router and the status of each one
CDP ( Cisco discovery protocol ) :
1. CDP allows you to discover directly connected Cisco devices
2. It's a Cisco proprietary protocol
3. CDP is useful for building accurate network diagrams, because using
CDP we can know the IP address, IOS version and the router platform of
the neighboring Cisco devices
4. CDP is a broadcast packet that is sent every 60 seconds
Some useful CDP commands :
1. Router# show cdp neighbors command is used to discover basic
information about directly connected Cisco devices (this command is
used to know the local and remote interfaces). When we run this
command :
a) The local interface : this is the interface on our router that is
connected to the other directly connected Cisco device; this same
information can be found if we run the command router# show ip
interface brief
b) The port ID : this is the remote interface of the connected Cisco
device
2. Router# show cdp entry * command is used to show all the remotely
connected devices on our router; if I run the command router# show cdp
entry NAMEOFROUTER it will show me the remote IP address of a specific
Cisco device
3. Router# show cdp neighbors detail command has the same function as
the router# show cdp entry * command (this command is used to know the
remote IP addresses)
4. Router (config-if)# no cdp enable command is used to disable CDP on a
specific interface (if we run this command then the Cisco device
directly connected to this interface won't be discovered)
5. Router(config)# no cdp run command is used to disable CDP on all the
interfaces found on the router
We usually use the telnet commands, the CDP commands and the router#
show ip interface brief command to know all the IP addresses and
interfaces found in a network
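Because the notes use show cdp neighbors to build the network diagram, here is an added example (not from the course or IOS) that parses that command's output into a list of links and flags any neighbour that is not in the documented device list, which is how CDP data is checked against the expected diagram. The sample output is constructed; it only follows the usual column layout of the command (Device ID, Local Intrfce, Holdtme, Capability, Platform, Port ID), and the parser assumes each neighbour fits on one line (on real IOS a long device ID can wrap onto a second line, which this parser does not handle).

```python
"""Parse 'show cdp neighbors' output into a list of links and compare the
discovered neighbours with a documented set. Added example; SAMPLE is
constructed output that follows the command's usual column layout."""

SAMPLE = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 0/0            156         R S I      2811      Fas 0/1
SW1              Fas 0/1            132          S I       WS-C2960  Fas 0/24
"""


def parse_cdp_neighbors(text):
    """Return one dict per neighbour row: device, local interface, remote
    port ID, holdtime, capability codes and platform."""
    links = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True          # everything after the header is rows
            continue
        if not in_table or not line.strip():
            continue
        tok = line.split()
        # row layout assumed: <device> <iftype> <ifnum> <holdtime>
        #                     <capability codes...> <platform> <porttype> <portnum>
        links.append({
            "device": tok[0],
            "local": f"{tok[1]} {tok[2]}",       # our interface (local interface)
            "holdtime": int(tok[3]),
            "capability": " ".join(tok[4:-3]),
            "platform": tok[-3],
            "remote": f"{tok[-2]} {tok[-1]}",    # their interface (port ID)
        })
    return links


def unexpected_neighbors(links, documented):
    """Devices seen by CDP that are not in the documented device set."""
    return [link["device"] for link in links if link["device"] not in documented]


if __name__ == "__main__":
    found = parse_cdp_neighbors(SAMPLE)
    for link in found:
        print(f'{link["local"]} -> {link["device"]} {link["remote"]} ({link["platform"]})')
    print("undocumented:", unexpected_neighbors(found, {"R2"}))
```

Run over the sample, the parser yields the two links (Fas 0/0 to R2's Fas 0/1 and Fas 0/1 to SW1's Fas 0/24); with only R2 in the documented set, SW1 is reported as a neighbour the diagram does not account for.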

30. Management and security: file management (20: 11 mins)

A TFTP ( trivial file transfer protocol ) server uses UDP port 69, and
its main function is to copy files from/to the router, to back up or
restore the IOS found on the router to this TFTP server
RAM equals running config and NVRAM equals startup config
Router# show flash command is used to see all the files in flash, like
the name of the IOS file (this is what Router# show version does as
well)
Router# show running-config command is used to check what the RAM
contains
Router# show startup-config command is used to check what the NVRAM
contains
Router# show version command is used to check the value of the RAM and
NVRAM and to know the name of the IOS file as well
Example:
Router# show version
238592K/23552K : those two values combined together are the NVRAM
Memory components :
1. RAM : RAM holds the running config file; the benefit of RAM is that
it's very fast in read/write, but the disadvantage of RAM is that it
loses its data when the router is shut down or restarted, which is why
we usually copy the configuration file from RAM to NVRAM before a
restart using the command router# copy running-config startup-config
Another use of the RAM is for packet buffers
2. NVRAM : this is considered small in size and it holds the startup
config file
3. Flash : this component is used to store the IOS; in general once you
start the router it starts decompressing the IOS from flash to RAM
Some useful commands :
1. Router# copy running-config startup-config command is used to copy
the configuration file from RAM to NVRAM (the router# wr command does
the same function as well)
2. Router# copy running-config tftp command is used to copy the
configuration file from RAM to a TFTP server
3. Router# copy flash tftp command is used to copy a file from flash to
a TFTP server (to back up the IOS on a TFTP server) (this command can
also be typed like this : router# copy flash:NAMEOFIOS.bin
tftp://IPOFTFTPSERVER/NAMEOFIOS.bin)
4. Router# copy tftp run command is used to copy the configuration file
from the TFTP server to RAM (NOTE that if you run this command and we
already have a running config, it won't overwrite the current file;
instead it merges both configuration files to appear as one file, and
it only overwrites entries in the current configuration file where
there is a conflict)
5. Router# copy tftp startup-config command is used to copy the
configuration file from the TFTP server to NVRAM (unlike router# copy
tftp run it won't merge with the current configuration file; instead
it replaces it totally)
6. Router # reload command is used to restart the router and reload
the configuration file from NVRAM
If we want to restore our configuration we do the following :
1. Router# copy tftp startup-config
2. Router# reload
Note that we didn't run the command router# copy startup-config
running-config because it would do the merge (anything copied to
running-config is merged), plus once we reboot the router all the
running config found in RAM is erased (flushed)
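The merge-versus-replace difference above is easy to get wrong, so the following added example (written for these notes, not IOS code) models it on two constructed configurations. The model is simplified: a configuration is a list of lines, a top-level line opens a section and indented lines belong to it, and commands that can only appear once in a section (hostname, an interface's ip address, description, enable secret) are identified by their keyword, every other line by its full text. With that, copying to running-config overwrites only the conflicting commands and leaves everything else in place, while copying to startup-config and reloading keeps only the file's lines.

```python
"""Merge vs replace semantics of restoring a configuration. Added example;
RUNNING and BACKUP are constructed configs and the command-identity rule
(SINGLETON keywords) is an assumption for the model."""

SINGLETON = ("hostname", "ip address", "description", "enable secret")


def _key(line):
    """Identity of a command within its section: keyword for commands that
    can appear only once, the full line for everything else."""
    for keyword in SINGLETON:
        if line.startswith(keyword):
            return keyword
    return line


def parse_config(text):
    """Return {(section, command_key): line}, preserving order of appearance.
    Comment lines ('!') and blank lines are ignored."""
    entries, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        if raw.startswith(" "):                 # indented: belongs to section
            entries[(section, _key(line))] = raw.rstrip()
        else:                                   # top level: opens a section
            section = _key(line)
            entries[(None, section)] = line
    return entries


def merge_into_running(running_text, tftp_text):
    """copy tftp running-config: keep everything already running, overwrite
    only commands that exist in both, append the rest."""
    merged = dict(parse_config(running_text))
    merged.update(parse_config(tftp_text))
    return list(merged.values())


def replace_startup(tftp_text):
    """copy tftp startup-config followed by reload: only the file survives."""
    return list(parse_config(tftp_text).values())


RUNNING = """\
hostname R1
!
interface FastEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
!
line vty 0 4
 password cisco
"""

BACKUP = """\
hostname R1-restored
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
!
line vty 0 4
 login local
"""

if __name__ == "__main__":
    print("--- merge (copy tftp run) ---")
    print("\n".join(merge_into_running(RUNNING, BACKUP)))
    print("--- replace (copy tftp startup-config + reload) ---")
    print("\n".join(replace_startup(BACKUP)))
```

In the merged result the hostname and the interface address are replaced, but the old description and the vty password line survive because nothing in the backup conflicts with them; after the replace path those lines are gone, which is why the notes restore through startup-config and a reload.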

If you want to upgrade your IOS you do the following :
1. We put the new IOS on a TFTP server
2. We boot the router from the TFTP server using the command
router(config)# boot system tftp://IPOFTFTPSERVER/NAMEOFIOS.bin, to
check that the new IOS is working fine
3. If we find that the new IOS is corrupted then we just boot normally
from flash using the current IOS
4. If we find that the new IOS is working fine from TFTP then we copy
that new IOS to flash using the command router# copy tftp flash

Cisco ccna interconnecting Cisco networking devices part 2


1. review : rebuilding the small office network part 1 ( 33:54 mins )
to delete all the configuration on the router there are two ways :
1) router# erase startup-config : this command is used to delete the
configuration file found in NVRAM
Router# reload : this command is used to reboot the router; when the
prompt asks whether to save the configuration or not we choose NO
2) router# write erase : this command has the same function as
Router# erase startup-config
Router# reload
auxiliary ports are found only on routers and they are used to connect
modems
to build a small office, at 1st we care about configuring the switches
( LAN tasks ) :
1) beginning : wipe out configurations :
This is done using the switch# erase startup-config and switch# write
erase commands
2) security : passwords and banners
a) this is done by configuring passwords for privilege mode using the
switch (config) # enable password PASSWORD and switch (config) #
enable secret PASSWORD commands
b) this is done by configuring passwords for telnet ports, auxiliary
ports and console ports
c) this is done by configuring banners on the switches using the
command Switch ( config ) # banner motd followed by the text I want to
appear
d) use the command switch (config)# service password-encryption to
encrypt all the clear text passwords
3) cosmetics : name, work environment
a) configure names for the switches using the command switch(config)#
hostname HOSTNAME
b) configure the work environment :
use the command switch(config-line)# no exec-timeout or
switch(config-line)# exec-timeout 0 0 so that the sessions last forever
without being kicked out
use the command switch(config-line)# logging synchronous to make the
log/status messages appear on the screen on separate lines instead of
interrupting the commands we type
use the command switch(config)# no ip domain-lookup to stop the feature
of translating names to IP addresses, which speeds things up
4) management : IP address and gateway
all switch ports in general are assigned to VLAN1
to configure an IP address and DG for the switch :
Switch (config) # interface vlan 1
Switch (config-if) # ip address 172.30.2.180 255.255.255.0
Switch (config-if) # no shutdown
Switch (config) # ip default-gateway 172.30.2.1
We assign the IP address to interface VLAN1 and we enable that
interface, as it is administratively down by default
5) interfaces : speed, duplex and description :
a) We configure the speed of the port using the command
Switch (config-if) # speed 10
b) We configure the duplex of the port using the command
Switch (config-if) # duplex full or Switch (config-if) # duplex half
c) We use the command switch (config-if)# description DESCRIPTION to
configure a description for the switch port
6) verify and backup : CDP, TFTP, show interfaces
a) For CDP we use the commands :
switch# show cdp neighbors to know the local and remote interfaces
switch# show cdp neighbors detail to know the remote IP addresses
b) For TFTP we use the commands :
switch# copy flash tftp to back up the IOS to a TFTP server
switch# copy run tftp to back up the configuration file to a TFTP
server (we can also copy the running configuration by copying and
pasting it, starting from the ! mark, into a notepad; in case we want
to restore that configuration back we just copy all that configuration
starting from the ! mark and paste it in global configuration mode)
c) Switch# show interfaces command is used to show each interface in
detail

2. review : rebuilding the small office network part 2 ( 28:45 mins )

router tasks :
1) beginning : wipe out config
2) security : passwords and banners (for routers there is an
additional configuration for the auxiliary port; in case the console
port can't be used to log in to the router we can use this aux port to
do the task)
3) cosmetics : names, work environment
4) interfaces : identify IP address, speed, duplex and description
5) routing : default routes (used for external routing, the internet),
RIP (used for internal routing)
6) verify and backup : CDP, TFTP, show ip route, show interfaces
most of the points mentioned above were discussed before and they are
similar to the switch tasks

3. review : rebuilding the small office network part 3 ( 23:36 mins )


to access internet we need a default route on the router plus NAT
on internet routers we use a default route to reach routes
beyond ISP ( to reach internet )
on internet routers we configure NAT to let all internal routers
reach and surf the internet
some useful commands :
1) router(config)# interface fastethernet 0/0
Router (config-if) # no keepalive : this command is used to stop this
specific interface from sending keepalive messages, which are used
mainly to know what is connected on that interface; if the keepalive
messages are disabled and we run the command router# show ip interface
brief, the status of this port will be UP/UP regardless of whether
there is a cable connected or not! (Be aware of this when using this
command)
2) router# show ip protocols : this command is used to show what
routing protocols are configured on this router (as an example, if we
run it on a router that was configured for RIP it will show, under the
sentence routing information sources, all the routers in the network
that are configured for RIP and have been learnt by this router)
3) router# traceroute 192.168.3.1 : this command is used to track the
path to a specific IP address
Example:
Router# traceroute 192.168.3.1
1 192.168.1.2 0msec 0msec 4msec
2 192.168.2.2 0msec * 4msec
notice the *, this is a normal issue (the IOS always drops the second
ping on the final hop)
4) router(config)# router rip
Router (config-router) # redistribute static : this command is used to
advertise static routes in RIP (the router that has any static or
static default route will advertise it using RIP to the other routers,
and the other routers that receive that advertisement will have a new
route learnt by RIP with the symbol R*, which means a static route
advertised by RIP); the main function of this command is to configure
a static default route on one router and then advertise it to the
other routers using RIP, instead of visiting each router and
configuring that static default route manually!

4. Switch VLANS : understanding VLANS ( 16:09 mins )

VLANS ( virtual LANS ) :
VLANS are logical groups of users
VLANS segment broadcast domains; a broadcast packet is only sent within
the same VLAN
VLANS support access control
VLANS help with quality of service (prioritized traffic is placed in a
separate VLAN)
Trunk ports : those ports help to span VLANS across multiple switches;
they carry VLAN information (VLAN traffic) between switches, and trunk
ports are assigned to ALL the VLANS (in other words they carry the
traffic of ALL the different VLANS)
Number of VLANS = number of broadcast domains = number of subnets
VLAN to subnet correlation (each VLAN has a separate subnet, so to let
the VLANS talk together there must be a route between them)
Normal switching functions :
One broadcast domain (broadcasts sent to all ports)
One subnet per LAN
Number of collision domains = number of ports on the switch
Very limited access control; it is very difficult to restrict traffic
on switches, the only way to restrict traffic in switches is to use
access lists and that is a headache!, to work around this issue we use
VLANS
Flexibility of VLANS :
Segmentation of users without routers
No longer limited to physical locations (the user can be located
anywhere, we just plug that user's port into the assigned VLAN)
Tighter control of broadcasts
5. Switch VLANS : understanding trunks and VTP( 39:07 mins )


What is trunking ( tagging ) :
1. Trunking passes multi VLAN information between switches
2. Places VLAN information into each frame
3. Layer 2 feature
4. Trunk links are also called tagged links because they are
responsible for tagging VLAN traffic while it passes the link

Before the frame is sent on a trunk port it is tagged , and once it
arrives at the destination the frame is untagged and arrives as
normal data
NOTE : in this section VTP means the Cisco method of managing
VLANS ( the messaging protocol that handles the addition , deletion
and renaming of VLANS ) , the VLAN trunking protocols ( ISL , 802.1Q )
are also sometimes called VTP , so when we say VLAN trunking protocol
( tagging protocol or trunking protocol ) we mean ISL and 802.1Q
VTP ( we will call this VRP , the details are mentioned below ) :
1. Is a Cisco proprietary Layer 2 messaging protocol that
manages the addition, deletion, and renaming of VLANs on a
network-wide basis.
2. The only VLAN trunking protocol ( tagging protocol ) is 802.1Q
Before there was:
802.1Q : it is an industry standard and this is currently
used , this tagging protocol allows switches that have
different VLANS to communicate together
ISL ( inter switch link ) : it is a Cisco proprietary trunking
protocol and it has been discontinued

3. VTP must be named VRP ( VLAN replication protocol ) to stop
confusing VTP with 802.1Q ( read the above notes for more
details )
4. VTP replicates VLANS , once you add a new VLAN on a switch ,
it is replicated using VTP to other switches , VTP only replicates
added and deleted VLANS , we still need to assign ports to
each created VLAN manually

5. VTP works on trunk links


With VTP once you create a VLAN on any switch the VTP database
counter ( configuration revision ) increases by 1 , the VTP database
that has the highest counter number replicates to the rest of the
switches because it is assumed to contain the latest information
If we bring an old switch that contains some existing VLAN
configuration and plug it into our network , and that old switch
has a higher counter number than the other switches , it will
replicate its configuration to our switches and ruin the network ,
restoring the configuration on our switches won't solve the problem
because it will still have a lower counter number than the old
switch , so the old switch will replicate again , to work around
this issue we configure the VLANS on our switches manually to update
the database counter and make it the highest
To protect the replication process we configure VTP domain names ,
in this case only the switches that have the same VTP domain name
will replicate among each other using VTP
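The revision-counter behaviour described above, as an added Python model that is not part of the course notes or of any Cisco software: each switch keeps a domain name, a configuration revision and a VLAN database, a server bumps its revision on every VLAN change, and an advertisement is applied only when it comes from the same domain with a higher revision. The switch names, domain names and VLAN numbers are constructed. The model plays the stale-switch scenario twice (same domain, different domain) and then the recovery by re-creating the VLANs on the server:

```python
"""VTP configuration-revision replication, modelled in Python.

Constructed example: each switch holds a VTP domain name, a configuration
revision number and a VLAN database. A server increments its revision on
every VLAN add/delete, and a switch accepts an advertisement only when it
comes from its own domain and carries a higher revision than its own.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"            # "server", "client" or "transparent"
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vlan_id: int, name: str) -> None:
        """Local VLAN change; clients have no power to change VLAN information."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot change VLANs")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1      # transparent switches keep their own database

    def advertisement(self) -> dict:
        """What this switch sends out over its trunk links."""
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Apply an advertisement if it is for our domain and newer than our
        database. Returns True when the local VLAN database was overwritten."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False            # transparent switches forward but never apply
        if adv["revision"] <= self.revision:
            return False
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return True


def replicate(switches: list) -> list:
    """One round of VTP advertisements across a fully trunked set of switches;
    returns the names of the switches whose database was overwritten."""
    advs = [s.advertisement() for s in switches]
    overwritten = []
    for s in switches:
        applied = [s.receive(adv) for adv in advs]   # evaluate every advertisement
        if any(applied):
            overwritten.append(s.name)
    return sorted(overwritten)


def build_network(old_domain: str) -> tuple:
    """Production switches SW1 (server) and SW2 (client) in domain CORP, plus a
    stale lab switch that still carries revision 7 and a single old VLAN."""
    sw1 = Switch("SW1", "CORP")
    sw1.add_vlan(10, "users")
    sw1.add_vlan(20, "voice")           # SW1 is now at revision 2
    sw2 = Switch("SW2", "CORP", mode="client")
    replicate([sw1, sw2])               # SW2 learns VLANs 10 and 20, revision 2
    old = Switch("OLD", old_domain, revision=7, vlans={1: "default", 99: "old-lab"})
    return sw1, sw2, old


def plug_in_stale_switch(old_domain: str = "CORP") -> dict:
    """Connect the stale switch: with a matching domain its higher revision wins
    and wipes VLANs 10 and 20; with a different domain nothing happens."""
    sw1, sw2, old = build_network(old_domain)
    overwritten = replicate([sw1, sw2, old])
    return {"overwritten": overwritten, "sw1_vlans": sorted(sw1.vlans),
            "sw1_revision": sw1.revision}


def recover_by_reconfiguring() -> dict:
    """Restoring a backup would not help (its revision is still below 7);
    re-creating the VLANs on SW1 pushes its revision above the stale one."""
    sw1, sw2, old = build_network("CORP")
    replicate([sw1, sw2, old])          # the incident: everyone is at revision 7
    sw1.add_vlan(10, "users")           # revision 8
    sw1.add_vlan(20, "voice")           # revision 9: SW1's database wins again
    overwritten = replicate([sw1, sw2, old])
    return {"overwritten": overwritten, "sw2_vlans": sorted(sw2.vlans)}
```

Note that after recovery the replicated database still contains the stale VLAN 99, which has to be deleted explicitly. A transparent switch never applies an advertisement, which is why setting every switch to transparent is the same as turning VTP off.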
Native VLANS :
1. The default native VLAN is VLAN 1
2. Native VLANS must match on all switches to function properly
3. The native VLAN is designed for frames received on trunks
that haven't been tagged
Example 1:

Example 2:

VTP modes :
1. Server mode ( default mode ) :
Power to change VLAN information ( adding, deleting and
changing )
Sends and receives VTP updates
Saves VLAN configuration
2. Client mode :
Cant change VLAN information
Sends and receives VTP updates
Doesnt save VLAN configuration
3. Transparent mode :
Power to change VLAN information
Forwards ( passes through ) VTP updates
Doesnt listen to VTP advertisements
Save VLAN information
Note that if we configured all the switches in the network in
transparent mode this is like disabling VTP in our network
In general we configure one VTP server and the rest as VTP clients
( in this case we do the changes on the VTP server only and then the
changes are replicated to the VTP clients ) , a switch configured in
transparent mode has its own database ( VLAN information ) that
doesn't replicate with others , it receives updates from VTP servers
but doesn't change its own database , it only passes those updates on
to the devices connected to the transparent switch
VLAN pruning :
It keeps unnecessary broadcast traffic from crossing trunk
links
This technique is only configured on VTP servers
Switch(config)# vtp pruning : this command is used only on VTP servers
to turn on VTP pruning
Example:

6. Switch VLANS: configuring VLANS and VTP part 1 (35:58 mins)


1. configure trunks ( the links that are found between switches to
pass the VLAN information )
2. configure VTP :
configure VTP domain name
configure a password for the VTP domain name
configure the VTP mode
3. configure VLANS
4. assign ports to each created VLAN
5. configure routing to route traffic between the created
VLANS
access ports on the switch are used to connect devices such as PCs
trunk ports on the switch are used to connect trunk links between
switches

1. configure trunks
Switch (config) # interface fastethernet 0/0
Switch (config-if) # switchport mode trunk : this command configures
the port as a trunk port ( this means that this port is connected to
another switch ) , by default the mode of any switch port is dynamic
desirable ( this means that the port can become an access port or a
trunk port depending on what is connected on that port )
NOTE that if we run the command switch (config-if) # switchport mode
trunk on some switches you may face an error:
Command rejected: an interface whose trunk encapsulation is auto
cannot be configured to trunk mode
This happens because some switches , like the 3550 , can choose
between the 2 trunking protocols ISL and 802.1Q , to overcome this
issue we specify the encapsulation to be 802.1Q instead of the default
auto negotiate using the command:
switch (config-if) # switchport trunk encapsulation dot1q
If we didn't receive this error it means that this switch only supports
the dot1q encapsulation
Switch (config) # interface range fastethernet 0/2-24 : this command
specifies a range of interfaces so we can apply the same commands
to all of them instead of accessing each interface individually
Switch (config-if-range) # switchport mode access : this command
configures the port as an access port , we use this command after
specifying the trunk ports as we need to configure all the ports on
the switch to be either access ports or trunk ports
switch# show run interface fastethernet 0/1 : shows only the
configuration related to this specific interface
switch# show vtp status : shows all the information related to VTP
like the VTP version , the VTP revision ( how many changes were made
to the VLAN database ) , the maximum number of VLANS supported at one
time ( in general VLAN numbers on a switch range from 1-4094 ) , the
number of existing VLANS , the VTP domain name , the VTP mode and
finally the local updater ID
Example: switch# show vtp status
Configuration last modified by 0.0.0.0
Local updater ID is 192.168.1.12
0.0.0.0 means that the switch we ran this command on made the last
modification ( usually this switch is configured as a VTP server ) ,
if this switch is a VTP client the 0.0.0.0 won't appear as we can't
modify the VLAN configuration except in VTP server mode , so it will
show us the IP of the VTP server switch instead of 0.0.0.0
switch# show vlan : shows the VLANS that were created on the network
and only the access ports assigned to every VLAN
Example: switch# show vlan
1: native VLAN
1002: fddi-default
1003: token-ring-default
1004: fddinet-default
1005: trnet-default
VLANS 1002-1005 are predefined VLANS created to support different
network types
switch# show interfaces trunk : shows the trunk ports configured on
the switch
switch# show interfaces fastethernet 0/0 switchport : shows the
status of a specific port , whether it is configured as an access
port or a trunk port , and the status of the encapsulation mode ,
trunk or dynamic
Example: switch# show interfaces fastethernet 0/0 switchport
Administrative mode: this entry shows the status of the encapsulation
mode , by default it shows the keyword dynamic , after we run the
command switch (config-if) # switchport trunk encapsulation dot1Q it
will show the keyword trunk
Operational mode: this entry shows the status of the port , trunk or
access
if we have 3 switches and we configured only one switch with a
domain name ( the rest have BLANK domain names ) , that
configured domain name will be replicated to the switches that have
a blank domain name , if we configure later a new domain name it
wont be replicated like what happened before as the replication is
done only if there is a BLANK domain name
2. configure VTP
Switch (config) # vtp domain DOMAINNAME : this command configures the
domain name , note that the DOMAINNAME is case sensitive
Switch (config) # vtp password PASSWORD : this command configures a
password for the domain name
Switch (config) # vtp mode client : this command configures the VTP
mode for the switch , if we didn't configure the VTP mode , by default
it will be a VTP server
3. configure VLANS
Switch (config) # vlan NUMBER : this command creates a VLAN with the
specified number , we can verify that using the command
switch# show vlan
Switch (config-vlan) # name NAME : this command assigns a name to the
VLAN
Switch (config-vlan) # exit

7. Switch VLANS: configuring VLANS and VTP part 2(39:36 mins)


NOTE : in this section we will continue the configuration of the
switches based on the previous section , we will finalize point 4 and
point 5 in this section
4. Assign ports to VLANS :
Switch (config) # interface fastethernet 0/0
Switch (config-if) # switchport access vlan NUMBER : this command
assigns interface fastethernet 0/0 to a specific VLAN number , in this
case any PC connected to this port will be joined to that VLAN
The best practice to assign VLAN numbers is : Vlan number = subnet
number
As an example VLAN 1 has a subnet of 192.168.1.0, VLAN 10 has a
subnet of 192.168.10.0; VLAN 20 has a subnet of 192.168.20.0 and
so on

5. Routing between VLANS


There are three methods to route between VLANS :
1. Separate port to each VLAN
2. Layer 3 switch
3. Router on a stick
1. Separate port to each VLAN :

2. Layer 3 switch :
A layer 3 switch is a switch that has layer 3 capabilities , it works
based on creating VLAN interfaces ( interface vlan )
A layer 2 switch is a switch that has layer 2 capabilities only
3. Router on a stick

There are 3 steps to configure router on a stick :
1. Configure router sub interfaces , NOTE that we don't assign an ip
address to the physical interface , all the assigned ip addresses
are for the created sub interfaces
2. Configure the switch port connected to the router as a trunk
port
3. Assign a VLAN number to each created sub interface
Router on a stick method is useful because we can secure VLANS by
using access lists (ACL ) as an example to prevent users of a specific
vlan to reach users of another vlan
1. Router (config) # interface fastethernet 0/0.50 : this command
creates a sub interface , the number 50 is any number we specify but
we prefer to match it with the VLAN number for simplicity
Router (config-subif) # ip address 192.168.1.1 255.255.255.0
After running the above command you will receive a message:
% configuring IP routing on a LAN subinterface is only allowed if that sub
interface is already configured as part of an IEEE 802.10, IEEE 802.1Q or
ISL VLAN
That means we need to inform the router that this created sub interface
will respond to packets that come from a specific VLAN ( in our example it's
50 ) , to solve this message we run the command router (config-subif)#
encapsulation dot1Q 50
2. Switch (config) # interface fastethernet 0/0
Switch (config-if) # switchport mode trunk
3. Router (config-subif) # encapsulation dot1Q 50 : this command
configures the encapsulation for a specific sub interface so that it
responds to all the traffic that comes from a specific VLAN ( in our
example it's 50 ) and eliminates the message we received in point 1
After running the above command you will receive a message:
If the interface doesn't support baby giant frames , maximum MTU of the
interface has to be reduced by 4 bytes on both sides of the connection to
properly transmit or receive large packets , please refer to documentation
on configuring IEEE 802.1Q VLANS
Baby giant frame : the biggest packet you can send is 1500 bytes , in
case that packet is tagged to be sent over a trunk we add a 4 byte
tag to the 1500 bytes , giving a 1504 byte packet , that is called a
baby giant frame and it must be supported by the switches and routers ,
in general the routers and switches adjust the size of the packet to
1496 bytes instead of 1500 bytes so that when the packet is tagged it
will be 1500 bytes ( this is the maximum size that can be handled by
Ethernet technology )
If we ping from a PC in one VLAN to a PC in another VLAN and it
wasnt successful then we need to check the router if it contains any
routing entries for those VLANS
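Steps 1 to 3 above as an added Python example that is not part of the course material: it generates the router sub interface and switch trunk configuration from a VLAN-to-subnet plan, and audits configuration text for the mistakes the notes warn about (an IP address on the physical interface, an IP address given before the dot1Q encapsulation, a tag that does not match the sub interface number). The VLAN plan, the interface names and the deliberately broken BAD_CONFIG are constructed; the output is in IOS syntax but nothing here talks to a device.

```python
"""Generate and sanity-check a router-on-a-stick configuration from a VLAN plan.

Constructed example: VLAN_PLAN follows the notes' convention of VLAN number =
subnet number (third octet). router_config() emits the sub interface lines as
text; check_config() re-reads such text and flags three mistakes: an IP
address on the physical interface, an IP address before the dot1Q
encapsulation, and a tag that differs from the sub interface number.
"""
import ipaddress

VLAN_PLAN = {10: "192.168.10.0/24", 20: "192.168.20.0/24", 50: "192.168.50.0/24"}


def validate_plan(plan: dict) -> bool:
    """VLAN numbers must be 1-4094 and the per-VLAN subnets must not overlap."""
    networks = []
    for vlan, cidr in plan.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} is outside 1-4094")
        net = ipaddress.ip_network(cidr)          # strict: must be a network address
        if any(net.overlaps(other) for other in networks):
            raise ValueError(f"{net} overlaps another VLAN subnet")
        networks.append(net)
    return True


def router_config(plan: dict, phys: str = "fastethernet 0/0") -> str:
    """Steps 1 and 3: one sub interface per VLAN, numbered like the VLAN,
    tagged first and then given the first usable address as the gateway."""
    validate_plan(plan)
    lines = [f"interface {phys}", " no ip address", " no shutdown"]   # physical port: no IP
    for vlan in sorted(plan):
        net = ipaddress.ip_network(plan[vlan])
        gateway = net.network_address + 1
        lines += [f"interface {phys}.{vlan}",
                  f" encapsulation dot1Q {vlan}",       # must come before the ip address
                  f" ip address {gateway} {net.netmask}"]
    return "\n".join(lines)


def switch_config(port: str = "fastethernet 0/24") -> str:
    """Step 2: the switch port facing the router is a trunk."""
    return "\n".join([f"interface {port}", " switchport mode trunk"])


def check_config(text: str) -> list:
    """Audit router-on-a-stick config text; returns a list of findings (empty = OK)."""
    findings, current, tag = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current, tag = line.split(None, 1)[1], None
        elif current is None:
            continue                                  # lines before the first interface
        elif line.startswith("encapsulation dot1Q "):
            tag = int(line.split()[-1])
            subif = int(current.rsplit(".", 1)[1]) if "." in current else None
            if subif != tag:
                findings.append(f"{current}: dot1Q tag {tag} does not match sub interface {subif}")
        elif line.startswith("ip address "):
            if "." not in current:
                findings.append(f"{current}: IP address configured on the physical interface")
            elif tag is None:
                findings.append(f"{current}: ip address given before encapsulation dot1Q")
    return findings


# Constructed misconfiguration containing all three mistakes
BAD_CONFIG = """\
interface fastethernet 0/0
 ip address 192.168.1.1 255.255.255.0
interface fastethernet 0/0.50
 ip address 192.168.50.1 255.255.255.0
 encapsulation dot1Q 60
"""

if __name__ == "__main__":
    print(router_config(VLAN_PLAN))
    print(switch_config())
    print(check_config(BAD_CONFIG))
```

The generated output is only as good as the plan, so validate_plan rejects VLAN numbers outside 1-4094 and overlapping subnets before any line is emitted; check_config is the part worth keeping in a change-review pipeline, since it works on pasted configuration text.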

8. Switch STP: understanding the spanning tree protocol (28:18 mins)

An ideal design for any network is to divide it into switch layers :
A layered approach allows for easy, manageable growth
EtherChannel technology can provide more bandwidth on key
links , EtherChannel can bundle 2-8 ports into a single pipe , in
this case we get increased bandwidth ( throughput )
Redundant connections eliminate a single point of failure
Redundancy chaos :
Switches forward broadcast packets out of all its ports by
design except the one it receives on
Redundant connections are necessary in business networks
The place of spanning tree : we drop a tree on a redundant link
( block a specific redundant link ) until that link is needed ,
then the tree ( block ) is removed from the link
TTL ( time to live ) : TTL is how long a packet survives , TTL is a
layer 3 field that only routers work with , if switches were capable of
understanding the TTL field then we wouldn't face any loops
STP ( Spanning tree protocol ) :
Original STP ( 802.1D ) was created to prevent loops
Switches send probes into the network , those probes are
called BPDUs ( bridge protocol data units ) , to discover loops ,
once a BPDU arrives on a switch , the switch analyzes that
BPDU , if it finds its own name in it then this BPDU has passed
through this switch before , which means there is a loop in the
network
The BPDU also helps to elect a root bridge ( this is the core
switch of the network )
The simplest view of STP : all switches find the best path to
reach the root bridge , then block all the redundant links ( the
remaining links that cause the loops )
Switches run STP by default
General notes about STP elections :
There are 3 port types in general :
1. Root port ( RP ) : this port is used to reach the root bridge
2. Designated port ( DP ) : this port is a forwarding port , there
must be one DP per link
3. Blocking / non-designated port : this is a blocked port
( where the tree falls )
Bridge ID = priority.MAC address , the default priority is 32768
and the MAC address is the MAC of the switch itself , not of the
interfaces , the lower the priority the better the chance to be
elected as root bridge , if all the switches have the same priority
then we compare based on the MAC address , the lowest MAC address
will be elected as the root bridge
By default STP elects the oldest manufactured switch as the root
bridge because by default it has the lowest bridge ID
STP election process ( how STP finds the best path ) :
1. Elect the root bridge: STP must elect a root bridge, which is based
on the lowest priority. By default all STP switches have 32768, so
priority + MAC address is considered ( based on the lower MAC
address )
2. The root bridge will have all its ports as designated ports
3. Elect the RP: all other switches ( non root switches ) must select
a path to the root bridge. This depends on the lowest cost path to
the root, regardless of direct or indirect connectivity with the root
bridge. Every switch must have one RP; the minimum root path
calculation is performed by processing incoming BPDUs. The
incoming BPDU carries the root path cost, that is the cumulative
cost of the links between the root bridge and the non root bridge.
NOTE: if the path cost is tied then we elect based on the lower bridge
ID, if the bridge ID is tied then we elect based on the lower
physical port ID
Bandwidth of the link : cost of the link
10Mbps : 100
100Mbps : 19
1Gbps : 4
10Gbps : 2
4. All other switches ( non root bridges ) must select one DP per link,
the election of the DP is done exactly like the RP!
In brief:
RP: lowest path cost, if tied then the lowest bridge ID, if tied then
the lowest physical port ID
DP: lowest bridge ID, if tied then the lowest physical port ID
Example:

Exclusion examples:
1.
2.
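The election steps above carried out in code, as an added example that is not from the course: the root by lowest bridge ID, root ports by lowest cumulative cost with the bridge ID as tiebreak, one designated port per link, and blocking for the rest. The switch names, MAC addresses and link speeds are constructed and there is one link per switch pair, so the port ID tiebreak is not needed. The second topology shows a switch whose direct 10 Mbps link to the root loses to the indirect path over two 100 Mbps links:

```python
"""STP root bridge, root port and designated port election, modelled in Python.

Constructed example: switches are given as name -> (priority, MAC) and links
as (switch, switch, Mbps); port costs are the 802.1D values from the table
above. One link per switch pair, so the port-ID tiebreak is not needed.
"""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> STP cost


def bridge_id(switches: dict, name: str) -> tuple:
    """Bridge ID = priority.MAC; tuples compare priority first, then MAC."""
    priority, mac = switches[name]
    return (priority, mac.lower())


def elect_root(switches: dict) -> str:
    """Step 1: the lowest bridge ID becomes the root bridge."""
    return min(switches, key=lambda n: bridge_id(switches, n))


def root_path_costs(switches: dict, links: list, root: str) -> dict:
    """Step 3: each non-root switch picks the lowest cumulative cost to the
    root (direct or indirect), breaking ties on the advertising neighbour's
    bridge ID. Returns name -> (root path cost, neighbour behind the root port)."""
    adj = {n: [] for n in switches}
    for a, b, mbps in links:
        adj[a].append((b, PORT_COST[mbps]))
        adj[b].append((a, PORT_COST[mbps]))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                                    # stale heap entry
        for nbr, link_cost in adj[node]:
            if nbr == root:
                continue
            candidate = (cost + link_cost, bridge_id(switches, node))
            current = best.get(nbr)
            if current is None or candidate < (current[0], bridge_id(switches, current[1])):
                best[nbr] = (cost + link_cost, node)
                heapq.heappush(heap, (cost + link_cost, nbr))
    return best


def port_roles(switches: dict, links: list) -> tuple:
    """Steps 2 and 4: returns (root, {(a, b): (role of a's port, role of b's port)}).
    Roles are 'root', 'designated' or 'blocking'."""
    root = elect_root(switches)
    best = root_path_costs(switches, links, root)
    roles = {}
    for a, b, _ in links:
        if best[a][1] == b:                 # a reaches the root through b
            roles[(a, b)] = ("root", "designated")
        elif best[b][1] == a:
            roles[(a, b)] = ("designated", "root")
        else:
            # neither end uses this link towards the root: the end with the lower
            # (root path cost, bridge ID) is designated, the other end blocks
            a_key = (best[a][0], bridge_id(switches, a))
            b_key = (best[b][0], bridge_id(switches, b))
            roles[(a, b)] = ("designated", "blocking") if a_key < b_key else ("blocking", "designated")
    return root, roles


# Constructed topologies. All priorities are the default 32768, so the lowest MAC wins.
SWITCHES = {"A": (32768, "0000.0000.000a"),
            "B": (32768, "0000.0000.000b"),
            "C": (32768, "0000.0000.000c")}
TRIANGLE = [("A", "B", 100), ("A", "C", 100), ("B", "C", 1000)]
SLOW_DIRECT = [("A", "B", 10), ("A", "C", 100), ("B", "C", 100)]   # B's direct link to the root is 10 Mbps

if __name__ == "__main__":
    for links in (TRIANGLE, SLOW_DIRECT):
        root, roles = port_roles(SWITCHES, links)
        print("root:", root, roles)
```

Lowering one switch's priority (for example to 4096, as spanning-tree vlan 1 priority does) moves the root to that switch regardless of MAC addresses, which is exactly why an unplanned switch with a low priority can take over the topology.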

9. Switch STP: configuring basic STP (21:16 mins)

Switch # show spanning-tree command shows you the following :
1. It shows you the root ID ( bridge ID ) , the root ID is the bridge ID
of the root bridge , it shows the priority value , the MAC address
of the root bridge and the local switch port that the root bridge is
connected on ( the local port of the switch we ran this
command on )
2. It shows you the bridge ID of the switch that you ran this
command on , if we ran this command on the root bridge the root
ID will give the same information as the bridge ID and it will show
you that this is the root bridge , plus all the ports will be in
forwarding state ( designated ports )
3. It shows you the port status on the switch
PVST+ ( per VLAN STP ) : it is an enhanced version of STP that runs
by default on Cisco switches , once you run the command Switch #
show spanning-tree you will notice that the priority value = priority
+ VLAN number ( sys-id-ext ) , more details about this enhancement
are found in the next section

Example:
According to the above example:
1. The root bridge priority is 32769 and the MAC address is
0009.e848.6c00
2. The root bridge is connected on DS1 local port fa0/27
3. The priority for DS1 is 32769 = 32768 ( default ) + 1 ( VLAN
number , sys-id-ext ) as PVST+ is running on this switch by default
Example:
According to the above example:
1. One of the features that you will learn about in the next section
is that with PVST+ we can have a root bridge for each VLAN , in this
example we find that for VLAN 20 DS1 is the root bridge and the
priority is 32788 = 32768 ( default ) + 20 ( VLAN number )

There are 2 ways to configure a switch to be the root bridge
manually :
1. Switch (config)# spanning-tree vlan 1 root primary : this command
configures a switch to be the root bridge ( it decreases the
priority as much as needed to elect this switch as root bridge ) ,
we must specify the VLAN in the command to modify STP in that
VLAN , if we use the secondary keyword instead of primary it
configures this switch as the backup root , this command is
basically used with PVST+ to configure a root bridge for each VLAN
we have in the network
2. Switch (config)# spanning-tree vlan 1 priority 0 : this command
configures this switch to be the root bridge by manually specifying
the priority as 0 , the priority can be configured with a number
between 0-61440 in increments of 4096
If somebody connects a switch to the network and changes the
priority of that switch to be the lowest so that it is elected as root
bridge , it will ruin the network , to protect our network from
such attacks we configure root guard

10. Switch STP: enhancements to STP (29:54 mins)

Notes :
1. When you 1st plug in a device to a switch port it will take 30
seconds ( 15 seconds in listening mode and 15 seconds in
learning mode ) to check the device , the 1st 15 seconds of
listening mode is used basically to double check that this port
doesnt have another switch connected on it and that is done by
checking if the port receives a BPDU or not , if a port is
configured to not receive BPDUs , and it received one in the 1st 15
seconds ( listening mode ) then instead of entering the learning
mode it will be shutdown
2. A blocking port transitioning from the blocking state to a
forwarding state ( changing from blocking mode to listening mode
to learning mode and finally transferred to forwarding mode ) will
take 50 seconds = 20 seconds in blocking mode , 15 seconds in
listening mode and 15 seconds in learning mode
3. When there is a failover in STP ( one link goes down and another
link takes over until the 1st link is functioning again ) , it takes
30-50 seconds , if there is another failover ( the original link is
up again and functioning ) it takes 1-1:30 mins because we add a
blocking timer to the 30-50 seconds that happened in the 1st
failover
Problems and solutions of STP :
1. STP faces some problems with PCs : modern PCs can boot faster
than 30 seconds ( listening and learning modes ) and that amount
is faster than a port transitioning from blocking state to
forwarding state ( 50 seconds ) , in this case the PCs are forced to
wait those 50 seconds until it starts communicating on the
network as the PC wont work until the port works
The solution for this problem is to use portfast feature , this
feature transitions the port from blocking mode to forwarding
mode immediately without entering the listening and learning
modes , this feature is enabled using the command switch
(config-if)# spanning-tree portfast ( this command disables STP
on that port and its configured only on access ports )
2. STP faces some problems with uplink ports (ports that are
connecting to other switches ) : if this port transition from
blocking mode to forwarding mode it will spend approximately 50
seconds and that is a big amount that causes trouble in our
network
The solution for this problem is to use RSTP (rapid spanning tree)
Initial STP enhancements :
1. PVST+ ( per VLAN spanning tree + ) :
Runs as an instance of STP per VLAN
Allows different root bridges per VLAN

In STP we had a disabled link ( resulting from a blocking port ) ,
using PVST+ all the links will be used , based on VLANS
By default PVST+ runs on Cisco switches
Example:

2. RSTP ( rapid STP ) :
RSTP is also known as 802.1w
RSTP is designed to be a proactive system , in STP it forgets
about the blocked ports and in case it wants to transition a
blocked port to a forwarding port it must rediscover it from the
beginning and that takes time , in RSTP it remembers all
the ports and marks the blocked ports ( as named in STP ) as
alternate ports
RSTP redefines port roles to improve performance :
1. Root port : this port is used to reach the root bridge ( the
same as STP )
2. Designated port : this is a forwarding port and there must be
one per link ( the same as STP )
3. Alternate port : this port is a discarding port ( in STP there are
blocking ports and in RSTP they are called alternate ports , so
instead of having a disabled link like in STP we have a backup
path to the root using RSTP )
RSTP has many similarities with STP
RSTP must be running on all the switches found in our
network because if we have any switch running STP while the
others are configured for RSTP , that STP switch will slow
down the network
Usually we enable the portfast feature along with RSTP using the
interface command switch(config-if)# spanning-tree portfast to improve
the performance and have a fast network
When a port goes down in RSTP it is transitioned to alternate port
mode and won't give any outage , but when you fail back to that
alternate port ( to transition to forwarding mode again ) it will be
down for 1-2 seconds only
Switch # show spanning-tree command is used to show whether RSTP
is running or not
Switch(config)# spanning-tree mode rapid-pvst command is used to
enable RSTP on the switch , this command must be run on all the
switches in the network to have a fast network , we can also use the
keyword mst ( multiple spanning tree ) instead of rapid-pvst , this
spanning tree mode is the oldest mode and it runs one instance of
spanning tree on all the VLANS , this type is used when there are a
lot of VLANS on the network and we don't want to consume a lot of
router resources , or the keyword pvst ( PVST+ , this is the default
spanning tree mode , so no need to enable it )

11. General switching: troubleshooting and security best practices (29:23 mins)

Troubleshooting a switched network :
1. Get familiar with the network
2. Absolutely have an accurate network diagram
3. Work logically , from the bottom-up ( OSI )

Common troubleshooting issues :
1. Port issues :
Check cabling issues
Verify speed and duplex auto configuration , usually the
problem we face comes from a duplex mismatch , not from the
speed
Check that the assigned VLANS have not been deleted , if a
PC is assigned to a VLAN and that VLAN was deleted the
switch port shows amber and the PC can't communicate with
the network anymore
2. Spanning tree issues : usually if there is a problem all the lights
on the switch will appear amber
Solve the immediate issue ( disconnect redundant links ) , in
this case we won't face any spanning tree problems once
we specify which redundant link to disable , of course by
using STP
Ensure all the links are reflected on the network diagram as
we need an updated network diagram , in general spanning
tree has an effective radius ( distance ) of 7 devices
Ensure root bridge selection is appropriate
Make sure all the switches are running RSTP
3. VLAN and trunking issues :
Watch for native VLAN mismatch , as in page 52 of this
document if the native VLAN doesn't match we will face a
problem , so we prefer to unify it on all switches
Hard code trunk ports to be on using the command
switch (config-if) # switchport mode trunk , by default the port
mode is dynamically allocated
Verify the IP address assignments in a VLAN
Use ping and traceroute commands to diagnose routing
issues
4. VTP issues :
Verify the trunks
Verify VTP information like the VTP password , VTP version ,
VTP domain name and the VTP modes
Last resort to solve VTP issues is to delete the vlan.dat file
that is found in flash and reconfigure the VLANS from the
beginning , all the VLAN information in general is found in
vlan.dat , if you want to flush all the VLAN configuration
just run the command switch # delete flash:vlan.dat then
reboot the switch
Switch security is essential :
Most security focuses around the network perimeter
Switch security checklist :
a. Physical security : we secure the location of the switch itself
because if somebody , as an example , presses the mode button
found on the switch for 10 seconds it will erase all the
configuration , this feature can be disabled from the command
line
b. Set passwords and logon banners
c. Disable the web server , this feature is used to give a GUI page
through web browser to check the switch ports and configure
them , the web server can be disabled by running the
command switch ( config ) # no ip http server
d. Limit remote access subnets using ACL
e. Use SSH whenever its possible
f. Configure logging , this is done in 2 ways :
1. Logging the messages on the local switch :
Switch (config) # logging buffered 64000 this command will
allocate 64000 bytes for memory buffer to log messages like
when an interface is up or down it will log that event
Switch # show logging command is used to show the logged
messages on the switch
2. Logging all the messages to be saved on a remote host that
has a program to receive those messages like kiwi syslog
demon , to configure the switch to send those logs we run
the command switch ( config ) # logging A.B.C.D
g. Limit CDP reach when it's possible : we disable CDP in case we
want to protect our network from packet sniffers as they can
read CDP packets , but we don't recommend disabling CDP completely
as IP phones use CDP to function
To limit CDP reach it can be done in 2 ways:
1. Switch (config) # no cdp run ( disables CDP on the whole switch )
2. Switch (config-if) # no cdp enable ( disables CDP on one port )
h. Use BPDU guard on portfast ports : in general BPDUs are used
by STP to announce switches and discover if there are any
loops in the network , we enable BPDU guard on portfast ports
( ports connected to PCs ) as those ports don't need to receive
a BPDU because only PCs are connected on those ports , in
case we connected a switch on this port and it started to send
BPDUs , once the portfast port that has BPDU guard enabled
receives a BPDU it will shut down the port ( it enters an
error-disabled state ) and that helps to prevent loops
In brief: the BPDU guard feature puts portfast-enabled
interfaces that receive BPDUs in an error-disabled state.
This feature can be enabled on all portfast ports using the global
command switch (config) # spanning-tree portfast bpduguard default
( or per port with switch (config-if) # spanning-tree bpduguard enable )

Example:
If we configure BPDU filter on a port using the command switch (config-if) #
spanning-tree bpdufilter enable , the BPDU filtering feature prevents the
switch interface from sending or receiving BPDUs.
BPDU guard stops sending BPDUs from an interface and in case it
receives a BPDU the port goes into error-disabled state ( shut down ) ,
this is activated on portfast ports in general , it is used to protect
our network from somebody connecting an additional hub or switch to our
existing switch , BPDU filter on the other hand stops sending AND
receiving on the port , in case it receives any BPDU it will only
discard it , it is used on the access layer switch ports as we don't
need to receive STP information there
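Checklist items b to h above as an added configuration audit in Python, not part of the course: it parses a running-config dump into sections and reports every item that is missing, one finding per item, so it can be run over configs collected from many switches. Both configs are constructed: INITIAL_CONFIG is a typical freshly deployed access switch and HARDENED_CONFIG the same switch after the checklist has been applied, keeping CDP on globally for IP phones and disabling it only on the PC port.

```python
"""Audit a switch running-config against the checklist above (items b to h).

Constructed example: the two configs below are made up; one is a freshly
deployed access switch, the other its hardened version. The audit returns
one finding per missed checklist item.
"""
import re


def parse_sections(text: str) -> list:
    """Split IOS-style config text into (header, [indented child lines]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text: str) -> list:
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    findings = []
    if "ip http server" in headers:                            # item c
        findings.append("c: web server enabled (add 'no ip http server')")
    if not any(h.startswith("banner ") for h in headers):      # item b
        findings.append("b: no logon banner")
    if not any(re.match(r"logging (buffered|host|\d)", h) for h in headers):   # item f
        findings.append("f: no local buffer or syslog host for logging")
    # CDP runs by default and the running config only shows 'no cdp run' when it is off
    cdp_off = "no cdp run" in headers
    bpduguard_global = "spanning-tree portfast bpduguard default" in headers
    for header, kids in sections:
        if header.startswith("line vty"):
            if "transport input ssh" not in kids:              # item e
                findings.append(f"e: {header} accepts non-SSH transport")
            if not any(k.startswith("access-class") for k in kids):   # item d
                findings.append(f"d: {header} has no access-class ACL")
            if not any(k.startswith("password") for k in kids) and "login local" not in kids:
                findings.append(f"b: {header} has no password")          # item b
        elif header.startswith("interface "):
            if any(k.startswith("switchport mode dynamic") for k in kids):
                findings.append(f"trunking: {header} mode is dynamic; hard-code access or trunk")
            if ("spanning-tree portfast" in kids and not bpduguard_global
                    and "spanning-tree bpduguard enable" not in kids):  # item h
                findings.append(f"h: {header} has portfast without BPDU guard")
            if "switchport mode access" in kids and not cdp_off and "no cdp enable" not in kids:
                findings.append(f"g: {header} access port still sends CDP")   # item g
    return findings


INITIAL_CONFIG = """\
hostname ACCESS-SW1
ip http server
banner motd ^C Authorized access only ^C
logging buffered 64000
line vty 0 4
 transport input telnet ssh
 password cisco
 login
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
interface FastEthernet0/24
 switchport mode dynamic desirable
"""

HARDENED_CONFIG = """\
hostname ACCESS-SW1
no ip http server
banner motd ^C Authorized access only ^C
logging buffered 64000
logging 192.0.2.10
spanning-tree portfast bpduguard default
line vty 0 4
 access-class 10 in
 transport input ssh
 password cisco
 login
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 no cdp enable
interface FastEthernet0/24
 switchport mode trunk
"""

if __name__ == "__main__":
    for name, cfg in (("initial", INITIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

The syslog address 192.0.2.10 and the ACL number 10 are placeholders; the checks deliberately look for the exact command text the notes give, so a site that uses a different but equivalent form (for example login local with local users) needs its own pattern added.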

12. Subnetting: understanding VLSM (18:42 mins)

VLSM ( variable length subnet mask ) : we can change the subnet mask
whenever and wherever we need
If you use VLSM then you need a classless routing protocol that works
with VLSM like RIPv2 , OSPF , IS-IS and EIGRP , the classful routing
protocols like IGRP and RIPv1 won't work with VLSM properly

In any VLSM scenario we do the following :
1. Start with the largest subnet
2. After specifying the 1st network range we do subnetting again and
pick a suitable network range
3. Don't forget the point to point links

Example:
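The three VLSM rules above implemented in Python as an added example that is not from the course: requests are served largest first, each subnet is sized to the smallest prefix that fits its host count, and the two point-to-point links get their own /30s. The block 192.168.1.0/24 and the host counts are constructed.

```python
"""VLSM allocation following the three rules above: largest subnet first,
re-subnet what is left for the next request, and give the point-to-point
links their own small subnets.

Constructed example: the block and the host counts per subnet are made up.
Only the standard library ipaddress module is used.
"""
import ipaddress


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `hosts` usable
    addresses after reserving the network and broadcast addresses."""
    for prefix in range(30, -1, -1):
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in an IPv4 block")


def allocate(block: str, requests: dict) -> dict:
    """Carve `block` into one subnet per request (name -> host count).
    Serving the largest request first keeps every subnet aligned on its own
    size boundary, so a running cursor never produces an invalid network."""
    base = ipaddress.ip_network(block)
    cursor = int(base.network_address)
    limit = int(base.broadcast_address) + 1
    allocation = {}
    for name, hosts in sorted(requests.items(), key=lambda item: -item[1]):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor + size > limit:
            raise ValueError(f"{block} is exhausted before request '{name}'")
        allocation[name] = ipaddress.IPv4Network((cursor, prefix))
        cursor += size
    return allocation


def unused(block: str, allocation: dict) -> list:
    """Address space left over after the allocation, as a list of networks."""
    base = ipaddress.ip_network(block)
    used_end = max(int(net.broadcast_address) for net in allocation.values())
    if used_end >= int(base.broadcast_address):
        return []
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(used_end + 1), base.broadcast_address))


# Constructed requirement: three user subnets plus two point-to-point WAN links
REQUESTS = {"sales": 50, "hr": 20, "it": 10, "wan-a": 2, "wan-b": 2}

if __name__ == "__main__":
    plan = allocate("192.168.1.0/24", REQUESTS)
    for name, net in plan.items():
        print(f"{name:6} {net}  usable hosts: {net.num_addresses - 2}")
    print("free:", [str(n) for n in unused("192.168.1.0/24", plan)])
```

Allocating the small /30 links first would waste the alignment: a /26 could no longer start until the next 64-address boundary, which is why rule 1 says to start with the largest subnet.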

13. Routing protocols: distance vector VS link state (26:25 mins)


Types of routing protocols: refer to page 36 for more information
Distance vector ( DV ) routing protocols :
1. DV routing protocols send the entire routing table at specific
intervals ( as an example RIP sends its entire routing table to the
entire network as broadcasts or multicasts ( depending on the
version of RIP ) every 30 seconds , those updates are the keepalives
of RIP , if a RIP router didn't receive this update within 30
seconds then there is probably a problem occurring )
2. In their simplicity DV routing protocols have looping issues like
count to infinity
Example on the count to infinity problem:

DV loop prevention :
1. Maximum distance : the maximum distance for RIP is 16 hops
away , the 16th hop is considered dead
2. Route poisoning : in case a network is down , it is
advertised by RIP as 16 hops and according to the 1st mechanism
( maximum distance ) that route is considered dead
3. Triggered update : when there is a change in the network
( probably a network is down ) , the router immediately triggers
an update ( instead of waiting 30 seconds to send an update
about that change ) to inform the other routers that there is a
network change ( the down network is advertised using route
poisoning )
4. Hold down timers : when a network is down , all the routers
that aren't connected directly to that down network set this
timer so that they won't accept any updates related to that down
network until the hold down timer expires ( by default it's 180
seconds ) , this mechanism is useful if we have flapping links
that go up and down frequently
5. Split horizon : it tells the router not to send updates back in
the same direction they were received from , for the networks that
have been advertised from there , this mechanism causes a lot of
problems in frame relay so we prefer to disable it in frame relay
Example:
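Loop-prevention mechanisms 1, 2, 4 and 5 above as an added RIP-style model in Python, not from the course and not any real RIP implementation: build_update applies split horizon and route poisoning to an outgoing update, and apply_update enforces the 16-hop maximum and the hold-down timer on incoming updates (triggered updates only change when an update is sent, so they are not modelled). The routing table, interface names and timings are constructed.

```python
"""RIP-style distance-vector update handling with the loop-prevention
mechanisms from the list above: maximum distance, route poisoning,
hold-down timers and split horizon.

Constructed example: the table maps a network to {"metric": hops,
"iface": interface it was learned on}; a metric of 0 is a directly
connected network. `now` is a plain second counter supplied by the caller.
"""
INFINITY = 16        # 1. maximum distance: 16 hops means unreachable
HOLDDOWN = 180       # 4. hold-down timer in seconds (RIP default)


def sample_table() -> dict:
    return {
        "10.1.0.0/16": {"metric": 0, "iface": "e0"},   # directly connected
        "10.2.0.0/16": {"metric": 1, "iface": "s0"},   # learned from the neighbour on s0
        "10.3.0.0/16": {"metric": 2, "iface": "s1"},   # learned from the neighbour on s1
    }


def build_update(table: dict, out_iface: str) -> dict:
    """Routes to advertise out of `out_iface`.
    5. split horizon: a route is never sent back out the interface it was
       learned on (this includes the connected network on that interface).
    2. route poisoning: a down network is advertised with metric 16."""
    update = {}
    for net, route in table.items():
        if route["iface"] == out_iface:
            continue
        update[net] = INFINITY if route.get("down") else route["metric"]
    return update


def apply_update(table: dict, update: dict, in_iface: str, now: int) -> list:
    """Merge an update received on `in_iface`; returns a log of what happened."""
    log = []
    for net, advertised in update.items():
        metric = min(advertised + 1, INFINITY)       # one more hop through the sender
        current = table.get(net)
        if current is not None and current["metric"] == 0:
            continue                                  # connected routes are never overridden
        if current is None:
            if metric < INFINITY:
                table[net] = {"metric": metric, "iface": in_iface}
                log.append(f"learned {net} metric {metric} via {in_iface}")
            else:
                log.append(f"ignored {net}: {advertised} hops is unreachable")
        elif current["iface"] == in_iface:
            # the current next hop is always believed, even when the news is bad
            if metric >= INFINITY and not current.get("down"):
                current.update(down=True, metric=INFINITY, holddown_until=now + HOLDDOWN)
                log.append(f"{net} poisoned via {in_iface}; hold-down until t={now + HOLDDOWN}")
            elif metric < INFINITY:
                current.update(metric=metric, down=False)
        elif current.get("down") and now < current["holddown_until"]:
            log.append(f"ignored {net} from {in_iface}: route is in hold-down")
        elif metric < current["metric"]:
            table[net] = {"metric": metric, "iface": in_iface}
            log.append(f"{net} now metric {metric} via {in_iface}")
    return log


def scenario() -> tuple:
    """10.2.0.0/16 goes down behind s0; an alternative via s1 arrives during
    hold-down and is ignored; a network 15 hops away is rejected as
    unreachable; after hold-down expires the path via s1 is accepted."""
    table = sample_table()
    log = []
    log += apply_update(table, {"10.2.0.0/16": INFINITY}, "s0", now=0)
    log += apply_update(table, {"10.2.0.0/16": 3}, "s1", now=30)
    log += apply_update(table, {"10.9.0.0/16": 15}, "s1", now=30)
    log += apply_update(table, {"10.2.0.0/16": 3}, "s1", now=200)
    return table, log


if __name__ == "__main__":
    table, log = scenario()
    print("\n".join(log))
    print(build_update(table, "e0"))
```

The hold-down is what stops the stale metric-3 advertisement from reviving the dead route at t=30; without it the router would accept the neighbour's out-of-date view and the two routers would count each other up toward 16.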

Link state ( LS ) routing protocols :
1. They form neighbor relationships rather than sending broadcasts as in
DV , after the relationship is established the LS routing protocols
start to send hello packets at specific intervals to double check that
the neighbors are still alive
2. After the initial routing tables have been exchanged , routers send
small event based updates ( an update is sent when there is a
change )
3. There are currently two LS protocols : OSPF and IS-IS
Advantages of LS routing :
1. Much faster to converge
2. No routing loops because the routers have a map of the whole network
( they know everything in the network )
3. Forces you to design your network in a proper way
Disadvantages of LS routing :
1. Demand on router resources , as LS routing protocols use a lot of
memory and CPU
2. LS is considered technically complex
3. LS requires a solid network design
13. Routing protocols: OSPF concepts (30:36 mins)
Route summarization:
The purpose of route summarization is smaller routing tables (fewer routes in the table), because large routing tables cost memory, slow down lookups and make every update more work
Route summarization is the process of advertising a group of contiguous networks as one shorter prefix instead of advertising each of them separately
Summarization shrinks both the routing tables and the routing updates (the table is small, the router processes it faster, and a flap inside the summarized range stays hidden behind the summary)
Example:
OSPF area designs and terms
All areas must connect to area 0 (the backbone). An area is a group of routers that share the same link-state information; the old rule of thumb is no more than about 50 routers per area (a guideline, not a hard limit). Areas usually map to different geographical locations, and multiple areas exist mainly so that routes can be summarized between them. Routers whose interfaces are all inside one area are called internal routers.
All routers in an area have the same topology table (the link-state database, a map of the whole area with every path), but every router computes its own routing table from it, so the routing tables differ from router to router within the same area. If a router in area 0 fails, for example, the other routers rerun SPF over the topology table to compute an alternate path to the destination.
OSPF requires a hierarchical design: you group similar subnets in the same area so that they can be summarized into one address at the area edge.
The goal is to keep updates (flooding and SPF recalculation) local to the area.
The purpose of using OSPF with multiple areas is to summarize as much as we can: wherever summarization is possible, do it!
Notes about the example above:
Area 1 summarizes 172.16.1.0/24 - 172.16.4.0/24 into 172.16.0.0/16 (the smallest single block that covers that range is 172.16.0.0/21)
Area 2 summarizes 172.17.1.0/24 - 172.17.15.0/24 into 172.17.0.0/16 (the smallest covering block is 172.17.0.0/20)
The internet section runs an external routing protocol such as RIP or EIGRP
In an OSPF network, summarization is configured only on ABRs and ASBRs
ABR (area border router):
Keeps one topology table per area it connects to: one for area 0, describing the routers in area 0, and one for the other area connected to area 0
Inter-area summarization happens on the ABR
Connects area 0 to another area
Sits on the border between areas
ASBR (autonomous system boundary router):
An OSPF router that connects to routers outside the OSPF domain: it connects OSPF to the internet or to another routing protocol such as RIP or EIGRP (redistribution)
Summarization of the redistributed external routes happens on the ASBR
Understanding OSPF neighbor relationships (how OSPF forms neighbors):
Unlike RIP, OSPF forms an explicit relationship (adjacency) with each router it wants to exchange routes with
In OSPF, routers exchange their link-state databases once and then maintain the relationship with the hello protocol
The OSPF hello packet lets routers discover each other, form the relationship and keep it alive
Hello messages are only sent on the interfaces you enable OSPF on (the network statements choose the interfaces)
Hellos are sent every 10 seconds on broadcast and point-to-point networks (usually lowered so that failures are detected faster) and every 30 seconds on non-broadcast multi-access networks such as Frame Relay; the dead interval defaults to four times the hello interval (40 and 120 seconds)
Hello messages contain, among other things:
1. Router ID, the name of the OSPF router
2. Hello and dead intervals ***; the dead interval is how long a router keeps the relationship alive without receiving a hello packet
3. Network mask *** (checked on multi-access networks; ignored on point-to-point links)
4. Area ID ***
5. DR/BDR IP addresses
6. Router priority
7. Neighbors: the list of neighbors this router has already heard from
8. Authentication type and password ***
NOTE *** means the value must match between two routers for them to form a relationship (the stub-area flag carried in the hello options must match as well)
14. Routing protocols: OSPF configuration and troubleshooting (39:53 mins)
Router(config)# router ospf 1
This command enables the OSPF routing process. The process ID (1 in our example) identifies the OSPF process locally on the router; it is a number between 1 and 65535, it does not have to match on the other routers (unlike the EIGRP AS number), but it is good practice to use the same one everywhere
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
This command tells OSPF which interfaces to run on: every interface whose address matches 192.168.1.0 with wildcard 0.0.0.255 is placed in area 0, sends hello packets and has its network advertised. The 0.0.0.255 is a wildcard mask used as a match statement: a 0 bit means "must match", a 1 bit (255 = all ones) means "don't care". Unlike RIP, the network is not limited to a classful boundary
Router(config-router)# default-information originate
This command advertises the router's default route into OSPF. If the router has a static default route (ip route 0.0.0.0 0.0.0.0 ...), it is injected into OSPF and shows up on the other routers as an O*E2 route (an external route, which is how a default learned through OSPF appears). The point is to configure the default route once, on the edge router, and let OSPF carry it to every other router instead of visiting each router and configuring a static default route by hand. Only the default route is advertised by this command, so it is the OSPF counterpart of redistribute static in RIP for the default route only, and it does nothing unless the router actually has a default route (add the always keyword to advertise one regardless)
Examples:
1. If we have the networks 172.30.0.0/24 through 172.30.7.0/24 and we want to advertise all of them with OSPF, that can be done in one of the following ways:
a. Router(config-router)# network 172.30.0.0 0.0.255.255 area 0
b. Router(config-router)# network 172.30.0.0 0.0.7.255 area 0
In the second command the wildcard mask is 0.0.7.255, which is 255.255.255.255 minus 255.255.248.0 (the /21 summary mask of the range). The 7 in the third octet means that octet may take any value from 0 to 7, so the statement matches 172.30.0.0 through 172.30.7.255. Reading the wildcard as "the last network in the range" (172.30.7.0) is a handy shortcut, but it only works when the range starts on a block boundary and its size is a power of two; the same wildcard arithmetic applies in access lists
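The summary addresses in the area example and the wildcard arithmetic above can be computed rather than worked out by hand. The following is an added example written for these notes, not code from the course; it uses only the standard-library ipaddress module and the prefixes from the examples above.

```python
"""Route summarization and wildcard masks (added example, not from the notes).
Uses only the standard-library ipaddress module; the prefixes are the ones
from the notes' examples."""
import ipaddress


def summarize(networks):
    """Return the smallest single prefix that covers every network in the list."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Start from the lowest address as a /32 and shorten the prefix until the
    # block also contains the highest address; the first hit is the tightest summary.
    for plen in range(32, -1, -1):
        block = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in block:
            return str(block)


def wildcard_mask(prefix):
    """Wildcard = bitwise inverse of the subnet mask; ipaddress calls it the hostmask."""
    return str(ipaddress.ip_network(prefix).hostmask)


def wildcard_matches(address, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.ip_address(address))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a ^ b) & ~w == 0


def ospf_network_statement(networks, area):
    """One 'network' statement that enables OSPF on every interface in the range."""
    block = ipaddress.ip_network(summarize(networks))
    return f"network {block.network_address} {block.hostmask} area {area}"


if __name__ == "__main__":
    area1 = [f"172.16.{i}.0/24" for i in range(1, 5)]     # area 1 in the notes
    rng = [f"172.30.{i}.0/24" for i in range(0, 8)]       # the /21 example
    print(summarize(area1))                                 # 172.16.0.0/21
    print(ospf_network_statement(rng, 0))                   # network 172.30.0.0 0.0.7.255 area 0
    print(wildcard_matches("172.30.8.1", "172.30.0.0", "0.0.7.255"))   # False
```

Note that the tightest summary of 172.16.1.0/24 - 172.16.4.0/24 is 172.16.0.0/21, which also covers 172.16.0.0, .5.0, .6.0 and .7.0; a summary always attracts traffic for every address in the block, so subnets you do not own inside it are black-holed at the summarizing router.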

Some useful commands:
1. Router(config)# no router rip disables the RIP process
2. Router# show ip ospf neighbor shows the OSPF neighbors this router has formed a relationship with
3. Router# show run | include ip route shows only the configuration lines that contain the text "ip route"
Example:
Router# show ip ospf neighbor
Neighbor ID     Pri   State      Dead Time   Address       Interface
192.168.1.1       1   FULL/DR    00:00:33    192.168.1.1   FastEthernet0/0
The Address column is the IP address of the neighbor's interface that is connected to this router (the Neighbor ID column is its router ID, which happens to be the same value here)
Understanding the OSPF router ID
1. The OSPF router ID is the name of the router; it identifies the router to its OSPF neighbors (it looks like an IP address but is just a 32-bit number and does not have to be reachable)
2. The router ID is chosen in the following order of preference:
If a router ID was configured manually, it is used before any loopback or physical address:
Router(config-router)# router-id A.B.C.D
Otherwise the highest IP address on a loopback interface is used, even if it is lower than the physical interface addresses (loopbacks are preferred because they never go down). A loopback is created with:
Router(config)# interface loopback 0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Otherwise the highest IP address on an active physical interface at the time the OSPF process starts is used
Changing the router ID (manually or by adding a loopback) does not take effect until the OSPF process restarts: reboot the router or run Router# clear ip ospf process, which tears down all the neighbor relationships and forms them again
Troubleshooting OSPF:
Run Router# debug ip ospf adj to watch the adjacency (neighbor-forming) process and see where it stalls
The best first step is Router# show ip ospf neighbor: if the expected neighbor does not appear, check that the hello and dead timers, the network mask, the area ID and the authentication settings match on both routers, since a mismatch in any of them prevents the neighbor relationship (and check that the network statements actually cover the interface)

15. Routing protocols: EIGRP concepts and configuration (32:28 mins)
EIGRP is, in this course's view, the best routing protocol so far; its one drawback is that it started out as a Cisco-proprietary protocol (Cisco published it as RFC 7868 in 2016, but in practice it still runs almost only on Cisco equipment)
Why you would choose EIGRP:
1. It keeps backup routes (fast convergence / DUAL). OSPF and RIP remember only the best route and put that in the routing table; if it fails they must search again for the next best route. EIGRP also keeps backup routes, stored in its topology table, so when the best route in the routing table fails it switches to the backup immediately, without a new calculation (OSPF and RIP run their calculation again to find the new best route)
DUAL stands for Diffusing Update Algorithm; DUAL is the engine of EIGRP (it calculates the routes, the way SPF does in OSPF)
DUAL is cheaper than SPF in this respect: as long as a backup route exists, a failure costs no recalculation at all and puts no extra load on the router's CPU
2. Simple configuration
3. Flexibility in summarization: in OSPF you can only summarize on ABRs and ASBRs, in EIGRP you can summarize on any router and any interface
4. It allows unequal-cost load balancing (with the variance command); the other protocols only load-balance over equal-cost paths
5. Combines the best of distance vector and link state (it is often called a hybrid or advanced distance-vector protocol)
6. Supports multiple network protocols (IPX, AppleTalk and IP)
7. EIGRP uses hello packets like OSPF to discover and keep track of neighbors; by default EIGRP sends hellos every 5 seconds (60 seconds on slow NBMA links)
8. EIGRP supports sub-second convergence
EIGRP tables:
1. Neighbor table: all the neighbors this router has formed a relationship with
2. Topology table: EIGRP's map of the whole network; it remembers the best routes (shown as successors, the primary links) and the backup routes (shown as feasible successors, the backup links)
3. Routing table: only the best routes (the successors)
Example:
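The successor / feasible-successor logic is the part of DUAL worth seeing in code. The following is an added example written for these notes, not code from the course or from Cisco: costs are abstract integers standing in for EIGRP's composite metric, and the topology table is constructed.

```python
"""EIGRP successor / feasible-successor selection (added example, not from the notes).
Costs are abstract integers standing in for the composite EIGRP metric; the
topology below is constructed."""


def dual_select(paths):
    """paths: list of (neighbour, reported_distance, cost_to_neighbour).
    Returns (feasible_distance, successors, feasible_successors)."""
    distances = [(rd + cost, nbr, rd) for nbr, rd, cost in paths]
    fd = min(d for d, _, _ in distances)                        # best total metric
    successors = [nbr for d, nbr, _ in distances if d == fd]    # these go in the routing table
    # Feasibility condition: a backup is guaranteed loop-free if the neighbour's own
    # distance to the destination (reported distance) is strictly less than our FD.
    feasible = [nbr for d, nbr, rd in distances if d != fd and rd < fd]
    return fd, successors, feasible


def lose_neighbour(paths, failed):
    """What DUAL does when the link to `failed` goes down.
    Returns (new successor, went_active); went_active=True means no feasible successor
    existed, so the route went active and the router had to query its neighbours."""
    fd, successors, feasible = dual_select(paths)
    remaining = [p for p in paths if p[0] != failed]
    if failed not in successors:
        return successors[0], False                 # a non-successor path; routing table unchanged
    if feasible:
        # Passive state: promote the best feasible successor at once, no recomputation
        best = min((rd + cost, nbr) for nbr, rd, cost in remaining if nbr in feasible)
        return best[1], False
    if not remaining:
        return None, True
    # Active state: query neighbours, then recompute from whatever they report
    _, new_successors, _ = dual_select(remaining)
    return new_successors[0], True


# Constructed topology table for one destination
TOPOLOGY = [("R2", 10, 5),    # total 15 -> successor
            ("R3", 12, 10),   # total 22, RD 12 < 15 -> feasible successor (backup)
            ("R4", 20, 2)]    # total 22, RD 20 > 15 -> not feasible (might route back through us)

if __name__ == "__main__":
    print(dual_select(TOPOLOGY))                                # (15, ['R2'], ['R3'])
    print(lose_neighbour(TOPOLOGY, "R2"))                       # ('R3', False): instant failover
    print(lose_neighbour([("R2", 10, 5), ("R4", 20, 2)], "R2"))  # ('R4', True): had to go active
```

R3 and R4 have the same total metric, yet only R3 is a feasible successor: R4's reported distance (20) is larger than our feasible distance (15), so R4 might be reaching the destination through us, and installing it blindly could form a loop. That strict rd < fd test is what lets EIGRP fail over without recalculating.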

Configuring EIGRP:
Router(config)# router eigrp 1
This command enables EIGRP; the number 1 is the AS (autonomous system) number, a value between 1 and 65535 that must be the same on all routers that are to exchange EIGRP routes with each other (unlike the OSPF process ID)
Router(config-router)# network 192.168.1.0
This command advertises the directly connected networks and enables EIGRP on the matching interfaces; it has the same classful syntax as RIP. We can also use Router(config-router)# network 192.168.1.0 0.0.0.255 with a wildcard mask like OSPF, but of course without the area keyword
Some useful commands:
Router# show ip eigrp neighbors shows the neighbors this router has formed a relationship with
Example:
Router# show ip eigrp neighbors
H   Address        Interface   Hold  Uptime    SRTT  RTO   Q Cnt  Seq Num
                               (sec)           (ms)
0   192.168.1.1    Fa0/0       11    00:00:40  4     200   0      2
The H column numbers the neighbors in the order they were learned
The Address column is the neighbor's IP address
The Interface column is the local interface on this router that connects to the neighbor
The Hold column is how many seconds remain before this router declares the neighbor dead if no hello arrives (every hello resets it); Uptime is how long the relationship has been up
The SRTT (smooth round-trip time) column is how long a packet takes to reach the neighbor and come back; EIGRP uses it to derive the RTO (retransmission timeout), how long it waits for an acknowledgement before resending a reliable packet
Router# show ip route shows the routing table; EIGRP routes appear with the code D
Summarization in EIGRP:
EIGRP can summarize addresses automatically at classful boundaries (auto-summary was enabled by default in older IOS releases; IOS 15 defaults to no auto-summary). Automatic summarization breaks discontiguous networks (the same classful network split into subnets that sit on both sides of a different network, as the following example explains), so the usual advice is to configure no auto-summary
16. Access-lists: the rules of ACLs (access control lists) (27:44 mins)
An ACL is an ordered list of permit and deny statements; traffic is allowed (permitted) or denied by being matched against those statements in order
Examples:
1. An ACL can be used to allow a specific host (example: permit 192.168.2.58)
2. An ACL can be used to deny a whole subnet (example: deny 192.168.1.0/24)
3. An ACL can be used to allow a specific port for an IP address (example: permit TCP port 80 to 200.1.1.1)
4. An ACL can be used to permit or deny a range of ports, or a whole protocol, for a whole subnet (example: permit all TCP traffic for 210.0.1.0/24)
ACLs can be used for:
Access control: permitting and denying traffic
NAT: choosing which hosts get translated to public IPs
Quality of service: giving a specific host higher priority than others
Demand-dial routing (deciding which traffic brings a dial link up)
Policy routing
Route filtering
Other security controls, for example restricting who may telnet or SSH to the router itself
Rules of ACLs:
1. ACLs are read from top to bottom; once the first match is found, processing stops and that statement's action applies
Example:
deny 10.1.5.1
permit 5.3.1.2
permit 10.1.5.1
Reading from the top, the first statement denies 10.1.5.1 and the second permits 5.3.1.2; the third statement is never reached for traffic from 10.1.5.1, because that host already matched the deny in the first line, so it does not get permitted again (only the first match applies)
2. At the bottom of every ACL there is an invisible implicit deny statement, so an ACL needs at least one permit statement unless the goal is to deny all traffic
3. An ACL is applied to an interface as inbound (into that interface) or outbound (out of that interface)
4. In every ACL the order of the statements matters
ACL capabilities (types):
1. Standard:
A standard ACL matches on the source IP address only (who you are)
It has a lower processor utilization
Its effect depends on where it is applied (applying it inbound has a different effect from applying it outbound on the same interface)
2. Extended:
An extended ACL matches on source and destination addresses, protocol, and source and destination port numbers
It has a higher processor utilization
The extended ACL syntax takes some time to learn
3. Dynamic (lock-and-key): this type of ACL expands and shrinks depending on who is going through at the time
Example: an ACL is created to allow users to access the internet for a specific amount of time; a user must first authenticate to the router with a username and password. If the credentials do not match, the user gets no internet access; if they match, a temporary entry is added that allows the user's traffic for the period configured in the ACL
4. Established (reflexive): this type of ACL allows return traffic for sessions that originated inside the network; it is typically used when we want to deny everything that originates from the internet while still letting the replies to internal requests back in
Example in theory, and in practice with the commands explained in the ACL configuration sections (page 89):
5. Time-based: this type of ACL is active only during a configured time range
Example: we create a time-based ACL if we want to allow internet access only after business hours (the ACL's deny statement is active during business hours)
6. Context-based access control (CBAC): this turns on stateful firewall features on the router, similar to a Cisco PIX or ASA firewall; the router starts to inspect the traffic going through it and opens return paths dynamically

16. Access-lists: configuring ACLs part 1 (34:40 mins)
A standard ACL is placed as close as possible to the destination, because it can only match source addresses: if we placed it near the source it would deny that source's traffic to every destination, which is usually far more than we intend
To create a standard ACL:
Create the standard ACL
Apply that ACL on a specific interface as inbound or outbound
Router(config)# access-list 1 deny 192.168.5.100 0.0.0.0
This command creates a standard ACL (standard ACLs use a number between 1-99 or 1300-1999) numbered 1. This entry denies traffic coming from one host (in our example 192.168.5.100). Instead of deny we can use the permit keyword, or the remark keyword, which only adds a comment to the ACL. The same entry can be written as Router(config)# access-list 1 deny host 192.168.5.100 (the host keyword is the same as the 0.0.0.0 wildcard)
Router(config)# access-list 1 permit 192.168.5.0 0.0.0.255
This command permits traffic from the network 192.168.5.0/24
Router(config)# access-list 1 permit any
This command overrides the implicit deny; it is usually typed at the end of an ACL when everything not denied above should pass. The any keyword stands for 0.0.0.0 255.255.255.255
Router(config)# interface serial 0/0
Router(config-if)# ip access-group 1 in
This command applies the ACL to a specific interface; in our example we apply ACL 1 on serial 0/0 inbound. The out keyword can be used instead of in

Router# show access-lists shows the ACLs created on the router and how many packets each entry permitted or denied
Router# show ip access-lists shows the IP ACLs created on the router; for IP it has the same function as Router# show access-lists
Router# show access-lists 70 shows only ACL 70
Example: in this example 192.168.5.100 pings the router interface 192.168.2.1
Router# show access-lists
Standard IP access list 1
    10 deny 192.168.5.100 (8 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.255.255
    30 permit 192.168.5.0, wildcard bits 0.0.0.255
Notes on the output above:
Entry 20 (permit 192.168.0.0 wildcard bits 0.0.255.255) could have been typed as Router(config)# access-list 1 permit 192.168.5.100 0.0.255.255: IOS zeroes the "don't care" bits of the address before storing the entry
8 matches means entry 10 has blocked 8 packets from 192.168.5.100 (the counter increments once per packet that hits the entry); every ping from 192.168.5.100 gets "reply from 192.168.2.1: destination host unreachable", because the deny statement makes the router answer with an ICMP unreachable instead of an echo reply
10, 20 and 30 are sequence numbers; they let you delete or insert individual entries in named ACLs (newer IOS also lets you edit numbered ACLs this way through ip access-list standard 1), which makes modifying an existing ACL easy. Before sequence numbers you had to copy the whole ACL to Notepad, edit it, delete the ACL and paste it back in configuration mode
Example: in this example 192.168.10.50 is telnetting to the router
Router# show access-lists 70
Standard IP access list 70
    10 deny 192.168.10.50 (6 matches)
    20 permit any (2 matches)
6 matches means entry 10 blocked 6 packets from 192.168.10.50; 2 matches means entry 20 permitted 2 packets from other hosts
We configure an ACL on the VTY lines to restrict telnet or SSH because, even without knowing the username and password, anyone who can reach the router can keep guessing them; with the ACL only specific hosts get to attempt a login at all
For telnet and SSH we apply the ACL to the VTY lines with access-class, instead of applying it to an interface with ip access-group as we normally do with a standard ACL; one list then protects every interface of the router
Router(config)# access-list 70 remark THIS WILL DENY HOST A FROM TELNETTING TO R1
This command only adds a comment; it appears in Router# show run and Router# show access-lists
Router(config)# access-list 70 deny 192.168.10.50 0.0.0.0
Router(config)# access-list 70 permit any
Router(config)# line vty 0 4
Router(config-line)# access-class 70 in
This command applies ACL 70 to the VTY lines; we always use the in keyword for incoming telnet or SSH sessions (out would restrict where sessions started from the router itself may go)
17. Access-lists: configuring ACLs part 2 (48:42 mins)
The rule is one ACL per interface, per protocol, per direction. If we already have an ACL applied inbound on an interface we cannot add a second inbound ACL to it (a new ip access-group ... in simply replaces the old one); we can still apply a separate ACL outbound on the same interface. When the inbound policy needs to change, edit the existing ACL and add entries to it
We apply an extended ACL as close to the source as possible: because it can match destination, protocol and ports, it can drop exactly the unwanted traffic before it crosses the network
We try to keep ACLs short; the longer the ACL, the more processing every packet costs
Router(config)# no access-list 25 removes access list number 25 (all of its entries at once, so be careful)
Router(config)# access-list 150 deny ip 192.168.10.50 0.0.0.0 192.168.3.50 0.0.0.0
This command blocks all IP traffic from the source 192.168.10.50 to the destination 192.168.3.50
Notes about the above command:
Extended ACLs use the numbers 100-199 or 2000-2699
At the CCNA level we care about five protocol keywords in extended ACLs:
1. TCP: reliable, connection-oriented traffic such as web browsing, FTP, telnet, SSH and email
2. UDP: connectionless traffic such as VoIP, video streaming, online games and instant messaging
3. ICMP (internet control message protocol): used for many things, for example ping (an ICMP echo and an ICMP echo reply)
4. IP: matches all of the above (TCP, UDP, ICMP and anything else carried in IP); use it when the protocol does not matter. If you only care about TCP use the tcp keyword, if only about UDP the udp keyword, and so on
5. ESP (encapsulating security payload, IP protocol 50): the IPsec protocol used for VPN connections
The above command can be written in another way:
Router(config)# access-list 150 deny ip host 192.168.10.50 host 192.168.3.50
To match a port the protocol must be tcp or udp, because the ip keyword has no ports:
Router(config)# access-list 150 deny tcp host 192.168.10.50 eq 80 any eq 80
This would block TCP traffic from 192.168.10.50 with source port 80 to any destination with destination port 80. We normally do not care about the source port (a client picks a random one), only about the destination port, so the correct way to block this host's web traffic is:
Router(config)# access-list 150 deny tcp host 192.168.10.50 any eq 80
Router(config)# access-list 150 permit ip any any is used at the end of an extended ACL to allow the rest of the traffic, because of the implicit deny
Router(config-if)# ip access-group 150 in applies extended ACL 150 to an interface inbound
Examples showing full typing of the commands mentioned above:

Named ACL examples:
1) Router(config)# ip access-list extended DENY_HOSTA
This command creates an extended named ACL (a standard named ACL is created the same way with the standard keyword) called DENY_HOSTA and enters ACL configuration mode
Router(config-ext-nacl)# permit ip host 192.168.10.50 host 4.2.2.2
Router(config)# interface gigabitethernet0/1
Router(config-if)# ip access-group DENY_HOSTA in
2) Router(config)# ip access-list extended 150
This command enters the same configuration mode for the numbered ACL 150 so that it can be edited entry by entry
Router(config-ext-nacl)# no 20
This command deletes entry 20 only, by its sequence number
For this example, Router# show ip access-lists shows the following:
Router# show ip access-lists
Extended IP access list 150
    10 permit ip host 192.168.10.50 host 4.2.2.2
    30 permit ip any any
Entry 20 has been deleted; the other entries keep their sequence numbers
18. NAT (network address translation): understanding the 3 styles of NAT (20:00 mins)
NAT lets you translate private corporate addresses into public addresses that work on the internet
It is not recommended to assign the public addresses used for NAT to router interfaces, although it can be done, as we will see in this section
Types of NAT:
1. Dynamic NAT
2. NAT overload
3. Static NAT
Understanding dynamic NAT:
Each client gets a public IP address from a pool of addresses for as long as its translation lives
The organization must own the public IP addresses used in the NAT pool
Dynamic NAT is also used to solve addressing problems such as overlapping addresses (two networks that use the same private range)
Dynamic NAT is in general a one-to-one translation based on a pool: one public address per active client
In big organizations we combine dynamic NAT with NAT overload so that clients share a pool of public addresses to surf the internet
Example of the overlapping-addresses situation:
Understanding NAT overload (the most commonly used type):
In NAT overload multiple devices share a single public IP address
NAT overload is commonly called PAT (port address translation), because the router keeps the sessions apart by port number
Understanding static NAT (hosting servers):
Static NAT is used to host servers: a fixed one-to-one mapping between a private address and a public address
We usually combine static NAT with NAT overload: NAT overload provides outbound access for clients surfing the internet, and static NAT provides inbound access to our hosted servers, such as a web server
19. NAT: command line NAT configuration (35:41 mins)
Router(config)# ip domain-lookup enables name lookup on the router, which translates names to IP addresses; it relies on Router(config)# ip name-server A.B.C.D to know which DNS server to ask
We use a static default route on the router to reach the internet, and NAT on top of that to let the clients reach it
Router# ping 4.2.2.2 source ethernet 0/0 pings 4.2.2.2 using the address of interface e0/0 as the source; we choose the source interface because the reply has to find its way back to that address (a ping sourced from an inside interface with a private address only works if NAT translates it, while one sourced from the outside interface does not need NAT)
Router# show ip nat translations shows all the translations the router currently holds: the inside local address (our private address), the inside global address (our public address), the outside local address and the outside global address (the destination as seen from inside and from outside; the same address unless outside addresses are translated too)
Steps to configure NAT overload:
1. Label the interfaces: tell the router which interface faces the internal network and which faces the outside
2. Identify the internal IP addresses to be translated, using an ACL that tells the router which internal IPs we want translated and which we do not
3. Enable NAT overload
Example showing how the steps are implemented to configure NAT overload:
1. Router(config)# interface ethernet 0/0
Router(config-if)# ip nat inside
This command tells the router that ethernet 0/0 is the inside interface (it faces the internal network)
Router(config-if)# interface ethernet 0/1
Router(config-if)# ip nat outside
This command tells the router that ethernet 0/1 is the outside interface (it faces the outside network)
2. Router(config)# ip access-list standard NAT_ADDRESSESS
This command creates a standard named ACL that selects, by source address (client IP), which hosts may be translated and which may not
Router(config-std-nacl)# deny 192.168.3.0 0.0.0.255
This command excludes the network 192.168.3.0/24 from translation (deny in a NAT ACL means "do not translate"; the packet is not dropped)
Router(config-std-nacl)# permit 192.168.0.0 0.0.255.255
This command allows the rest of 192.168.0.0/16 to be translated; anything not permitted falls under the implicit deny and is not translated
3. Router(config)# ip nat inside source list NAT_ADDRESSESS interface ethernet 0/1 overload
This command means: translate (ip nat) packets coming from the inside of the network (inside) based on their source address (source); the source addresses to translate are those permitted by the ACL (list NAT_ADDRESSESS); translate them to the address of the outside interface ethernet 0/1 (interface ethernet 0/1; in our example 68.110.171.98, which is what the packets carry on the internet); and overload that address (overload), which lets many internal addresses share the single public IP 68.110.171.98 by port number. Without overload only one client at a time could use the address and reach the internet

Configuring static NAT: static NAT creates fixed mappings that let internal hosts be reached from outside. Normally we do not use the address of the router's outside interface to map an internal host, but if the public IP on that interface is the only public IP we have, we configure static port mappings instead. The examples below show static NAT and static port mapping
1. Router(config)# ip nat inside source static 192.168.10.50 68.110.171.99
This example maps the internal address 192.168.10.50 to the public IP 68.110.171.99 (all ports, in both directions)
2. Router(config)# ip nat inside source static tcp 192.168.10.50 80 interface ethernet0/1 80
a. This example assumes we have only one public IP (68.110.171.98) and need to publish our web server (192.168.10.50), so we specify port 80 in the static NAT command: whenever ethernet 0/1 receives a request on TCP port 80 it is translated to 192.168.10.50 port 80
b. We can replace interface ethernet0/1 with the public IP 68.110.171.98; both mean the same thing. In general we use the interface keyword when the mapping uses the interface's own address, and type the address explicitly when it is a different public IP
Configuring dynamic NAT with overload:
Router(config)# ip nat pool PUBLIC_ADDRESSES 68.110.171.99 68.110.171.100 netmask 255.255.255.0
This command creates a pool of public IP addresses from 68.110.171.99 to 68.110.171.100 (this pool contains only 2 public IP addresses)
Router(config)# ip nat inside source list NAT_ADDRESSESS pool PUBLIC_ADDRESSES overload
This command translates the clients permitted by NAT_ADDRESSESS (the ACL explained on page 93) to the public IP addresses in the pool PUBLIC_ADDRESSES, with overload
a. In the overload configuration on page 93 we used interface ethernet 0/1 instead of pool PUBLIC_ADDRESSES because we were translating to the address of the router interface rather than to a pool of public IPs (here, 2 public IPs)
b. Without the overload keyword only 2 clients at a time could access the internet, because there are only 2 public IP addresses in the pool PUBLIC_ADDRESSES
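The three NAT styles above (overload on the interface address, the NAT ACL, and a static port mapping for a published server) can be watched working on a translation table. The following is an added example written for these notes, not code from the course or from Cisco; the addresses are the ones from the configuration above, the traffic is constructed, and keeping a client's original source port when it is free is a simplification of real IOS behaviour.

```python
"""NAT overload (PAT) and static port mapping as a translation-table simulation.
Added example for these notes, not from the course; the addresses are the ones
from the NAT configuration above and the traffic is constructed. The toy keeps
a client's original source port when it is free, a simplification of real IOS."""
import ipaddress


class NatRouter:
    def __init__(self, inside_global, nat_acl, static_ports=None):
        self.inside_global = inside_global                          # address of the outside interface
        self.nat_acl = [(act, ipaddress.ip_network(n)) for act, n in nat_acl]   # the NAT_ADDRESSESS list
        self.static = dict(static_ports or {})                      # global port -> (inside local, port)
        self.outbound_map = {}                                      # (inside local, port) -> global port
        self.inbound_map = {}                                       # global port -> (inside local, port)

    def _permitted(self, ip):
        """Standard ACL semantics: first match wins; implicit deny = do not translate."""
        addr = ipaddress.ip_address(ip)
        for action, net in self.nat_acl:
            if addr in net:
                return action == "permit"
        return False

    def _free_port(self, wanted):
        used = set(self.inbound_map) | set(self.static)
        if wanted not in used:
            return wanted
        port = 1024
        while port in used:
            port += 1
        return port

    def translate_outbound(self, src_ip, src_port):
        """Inside -> outside. Returns (inside global, port), or None when the ACL does not permit
        the host (the packet leaves untranslated with a private source and no reply can return)."""
        if not self._permitted(src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.outbound_map:                            # new session: allocate a port
            port = self._free_port(src_port)
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return (self.inside_global, self.outbound_map[key])

    def translate_inbound(self, dst_port):
        """Outside -> inside. Returns (inside local, port), or None when no mapping exists (dropped):
        this is why unsolicited internet traffic cannot reach inside hosts and servers need static NAT."""
        if dst_port in self.static:
            return self.static[dst_port]                            # published server
        return self.inbound_map.get(dst_port)                       # only return traffic of a known session

    def show_translations(self):
        """The Inside global / Inside local columns of 'show ip nat translations'."""
        lines = ["Pro  Inside global         Inside local"]
        for (ip, port), gport in sorted(self.outbound_map.items()):
            lines.append(f"tcp  {self.inside_global}:{gport}   {ip}:{port}")
        return lines


def build_router():
    """The configuration from the notes: deny 192.168.3.0/24, permit the rest of 192.168.0.0/16,
    overload on ethernet 0/1 (68.110.171.98), web server 192.168.10.50 published on TCP 80."""
    return NatRouter("68.110.171.98",
                     nat_acl=[("deny", "192.168.3.0/24"), ("permit", "192.168.0.0/16")],
                     static_ports={80: ("192.168.10.50", 80)})


if __name__ == "__main__":
    r = build_router()
    print(r.translate_outbound("192.168.10.50", 51000))   # ('68.110.171.98', 51000)
    print(r.translate_outbound("192.168.20.7", 51000))    # ('68.110.171.98', 1024): port already taken
    print(r.translate_inbound(22))                         # None: no session and no static mapping
    print(r.translate_inbound(80))                         # ('192.168.10.50', 80): static port mapping
    print("\n".join(r.show_translations()))
```

Two clients using the same source port get different global ports, which is the whole point of the overload keyword; an inbound packet to a port with no entry is dropped, so PAT gives the inside hosts a measure of protection that the published server on port 80 deliberately gives up.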

20. WAN connections: concepts of VPN technology (33:20 mins)
VPN (virtual private network):
1. A VPN is a cheaper connection than a private line
2. A VPN is available anywhere the internet is available
3. VPN traffic is strongly encrypted and authenticated, but that costs extra processing on the router
4. A VPN is a many-to-many connection: it allows any site to connect to any other site
Cisco VPN styles:
1. Site to site (L2L, LAN to LAN)
2. Remote access
Site to site (L2L):
The site-to-site style replaces private lines (the leased lines used to connect offices)
Site to site is used to connect offices
Remote access:
The remote-access style connects home PCs or laptops to the office
A remote-access client, called a VPN client, is usually installed on those home PCs and laptops
Once the VPN client has authenticated to the office, the home PC or laptop is connected to the office securely and the traffic is sent encrypted
We can use this style to connect an IP phone at home and use it as if we were sitting in the office
SSL VPN (WebVPN): instead of installing a VPN client on the laptop or home PC we use SSL VPN. The router presents a website that asks the user for a username and password; once the user has authenticated, it installs a small VPN client that stays on the laptop or home PC only as long as the VPN session lasts and is removed when the user disconnects
IPsec:
IPsec is the security protocol suite used by VPNs (IPsec does the encryption and integrity protection of the VPN traffic)
IPsec works at the network layer: AH and ESP are IP protocols of their own (protocol numbers 51 and 50), carried directly inside IP next to TCP and UDP rather than on top of them
IPsec contains 4 categories:
1. Encryption protocols:
Encryption protocols are used to keep the data confidential
The weaker the encryption, the faster the connection and the less processing on the router
The stronger the encryption, the more secure you are, but the more overhead on the router
The encryption protocols are DES (weakest, 56-bit, considered broken), 3DES and AES (strongest); today AES is the only one that should be chosen
2. Authentication protocols:
Authentication (integrity) protocols make sure the data is not changed while it travels from one end to the other; they stop man-in-the-middle tampering (an intruder altering or injecting fake traffic into the VPN)
The authentication protocols are the keyed hashes HMAC-MD5 and HMAC-SHA-1 (both deprecated today in favor of the SHA-2 family)
3. Protection protocols:
Traffic sent over the VPN connection is encrypted (scrambled); both ends of the VPN connection must hold the same encryption/decryption key to understand it. The protection protocols let the two ends agree on those keys across the internet without a man in the middle being able to learn them
The protection protocols are the Diffie-Hellman groups: DH1 (Diffie-Hellman group 1, 768-bit), DH2 (1024-bit), DH5 (1536-bit) and DH7 (163-bit elliptic curve); the larger the group, the stronger the exchange, and groups 1 and 2 are considered too weak now
4. Negotiation protocols:
The negotiation (encapsulation) protocols are AH (authentication header, which cannot encrypt) and ESP (encapsulating security payload, which can do encryption, authentication and protection), or the combination ESP+AH
The negotiation protocols are what make IPsec configurable: if we only want authentication (point 2) we use AH; if we want authentication, protection and encryption (points 1, 2 and 3) we use ESP, and so on. In other words, with these protocols we specify which IPsec categories are included
This is what keeps IPsec from being replaced: it can be customized as much as we want, and new algorithms can be negotiated into it without changing the protocol itself
Security over a public network :
VPN works based on encryption keys
Encryption key styles ( types ) :
1. Symmetric encryption :
Symmetric encryption uses the same key to encrypt and decrypt the data
The benefit of symmetric encryption is that it is fast
Examples of symmetric encryption : DES , 3DES and AES
The problem with this method is that whenever the client connects to the VPN the router creates an encryption key ( called the shared secret key ) and it must send that encryption key over the internet to the other router to form the VPN successfully
2. Asymmetric encryption :
Asymmetric encryption uses two different types of encryption keys , public and private keys ( anything encrypted with the public key can be decrypted with the private key and anything encrypted with the private key can be decrypted with the public key )
VPN site to site type uses both symmetric and asymmetric keys :
When the VPN is established between 2 routers , each router has 2 keys , one public key sent to the other router and one private key kept in the router , R1 sends a DH public key from R1 to R2 ( anything encrypted with this public key can't be decrypted except with the private key ) , the private key is kept hidden in R1 , R2 generates a symmetric secret key and encrypts it with the public key it received from R1 , then it sends the encrypted shared secret key from R2 to R1 and R1 decrypts the encrypted shared secret key , as a result R1 and R2 use the same shared secret key , once the VPN is done the shared secret key is dropped and every new VPN session or new data transfer creates new symmetric keys ( all the above is if R1 connects to R2 , if R2 connects to R1 the same procedure applies )
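As an added example ( my code , not from the course notes ) of the key handling just described : R1 and R2 each keep a private value , exchange public values and derive the same shared secret key ( standard Diffie-Hellman agreement , where the secret itself never crosses the link , which differs slightly from the notes' "encrypt the secret with the public key" description ) , then use it for symmetric encryption plus an authentication tag that detects tampering in transit . The DH group is a toy-size one and the HMAC keystream stands in for DES/3DES/AES , which Python's standard library lacks ; all names are assumptions .

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group for illustration only: a 127-bit Mersenne prime.
# Real IPsec groups (DH1/DH2/DH5 in the notes) use 768/1024/1536-bit primes.
P = 2**127 - 1
G = 5


class VpnPeer:
    """One end of the site-to-site VPN (R1 or R2 in the notes)."""

    def __init__(self, name):
        self.name = name
        self._private = secrets.randbelow(P - 2) + 1   # kept hidden on the router
        self.public = pow(G, self._private, P)         # sent to the other router
        self.shared_key = None

    def derive_shared_key(self, peer_public):
        # Both routers compute the same value from their own private key and the
        # other side's public value; the secret itself never crosses the link.
        secret = pow(peer_public, self._private, P)
        self.shared_key = hashlib.sha256(secret.to_bytes(16, "big")).digest()
        return self.shared_key


def keystream(key, length):
    # Counter-mode keystream from HMAC-SHA256: a stand-in for DES/3DES/AES,
    # which the Python standard library does not provide. Toy, not IPsec.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key, plaintext):
    """Encrypt (scramble) the data and append an authentication tag."""
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()   # detects modification
    return ciphertext + tag


def unprotect(key, packet):
    """Check the tag first (authentication), then decrypt; None if data was changed."""
    ciphertext, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(key, len(ciphertext))))


def establish_tunnel():
    """Run the R1 <-> R2 exchange and return both peers holding the same key."""
    r1, r2 = VpnPeer("R1"), VpnPeer("R2")
    r1.derive_shared_key(r2.public)   # R2's public value arrives at R1
    r2.derive_shared_key(r1.public)   # R1's public value arrives at R2
    return r1, r2
```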

21. Wan connections: implementing PPP authentication (34:39 mins)


The physical connections : refer to page 41 for more information
The point to point leased line protocols : refer to page 41-43 for
more information
PPP authentication :
1. PAP ( password authentication protocol ) : this type is rarely used because the username and password are sent in clear text
2. CHAP ( challenge handshake authentication protocol ) : this type doesn't send the password over the link , it only sends the username and the password is hashed using the MD5 hash
The difference between hashing and encryption :
Encryption uses a formula to encrypt data and the same formula is used to decrypt the data
Hashing : the password we type on the 1st router enters a hashing algorithm , the result of that algorithm is sent over the link , the password we type on the 2nd router also enters the hashing algorithm and the result is compared with the result received from the 1st router , if both results match then the routers are successfully authenticated , if not then they don't form an authentication relation
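As an added example ( my code , not from the notes or from Cisco ) , the CHAP exchange in Python : the authenticator sends a random challenge , the peer answers with MD5 over the identifier , its stored password and the challenge ( the RFC 1994 formula ) , and the authenticator recomputes the same hash from its own username entry , so the password never crosses the link . Hostnames and passwords follow the configuration below ; the class and function names are assumptions .

```python
import hashlib
import secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994: MD5 over identifier || secret || challenge; only this digest is sent."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class PppRouter:
    """One router; `peers` mirrors its 'username <peer> password <pw>' entries."""

    def __init__(self, hostname, peers):
        self.hostname = hostname
        self.peers = peers            # {peer hostname: shared password}
        self.pending = {}             # identifier -> challenge we sent and still await

    def challenge(self):
        """Authenticator side: send a random challenge along with our hostname."""
        identifier = secrets.randbelow(256)
        chal = secrets.token_bytes(16)
        self.pending[identifier] = chal
        return identifier, chal, self.hostname

    def respond(self, identifier, chal, authenticator_name):
        """Peer side: look up the password stored for the challenger and hash it."""
        secret = self.peers.get(authenticator_name, "").encode()
        return identifier, chap_response(identifier, secret, chal), self.hostname

    def verify(self, identifier, digest, peer_name):
        """Authenticator side: recompute the hash from our own entry for the peer."""
        chal = self.pending.pop(identifier, None)   # a challenge is good for one answer
        if chal is None or peer_name not in self.peers:
            return False
        expected = chap_response(identifier, self.peers[peer_name].encode(), chal)
        return secrets.compare_digest(expected, digest)


def run_chap(authenticator, peer):
    """One-way CHAP over the link; True when the peer proves it knows the password."""
    ident, chal, auth_name = authenticator.challenge()
    ident, digest, peer_name = peer.respond(ident, chal, auth_name)
    return authenticator.verify(ident, digest, peer_name)
```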
Configuring PPP authentication :
1. Create a user account
2. Enable it
Enabling PPP and configuring it for authentication :
Router1 (config) # username Router2 password Cisco
    this command is used to create a username and password on the router , as you notice the username Router2 must match the hostname of the 2nd router ( found in the command below and configured using the command Router2 (config) # hostname Router2 ) and the password must match on Router1 and Router2
Router2 (config) # username Router1 password Cisco
    this command and the one above are used to configure the PPP authentication ( point 1 in configuring PPP authentication )
Router1 (config) # interface serial 0/0
Router1 (config-if) # encapsulation ppp
    this command is used to enable the PPP encapsulation on this specific interface , note that this encapsulation must match the other end of the link , if it doesn't match then the command Router# show interface serial 0/0 will show physical up , data link down
Router1 (config-if) # ppp authentication chap
    this command is used to enable the CHAP PPP authentication type , we can use the pap keyword instead of the chap keyword to enable PAP , if the authentication type configured on this router doesn't match the router on the other side of the link then the command Router# show interfaces serial 0/0 will show LCP TERMsent instead of LCP Open ( point 2 in configuring PPP authentication )
Router# debug ppp authentication
    this command is used to show the PPP authentication being established between the routers
22. Wan connections: understanding frame relay (28:42 mins)
Frame relay is a packet switching technology , more information can be found on page 41
Frame relay terminology :
CIR ( committed information rate ) : this is the minimum bandwidth the ISP guarantees you ( we pay for this bandwidth ) , if there is bandwidth available we can burst above the CIR ( the CIR is considered a logical speed )
LAR ( local access rate ) : this is physically how fast that circuit can go , as an example if the physical cable speed is 2Mbps and the CIR is only 50Kbps , the router will only send based on the CIR ( the LAR is considered a physical speed )
LMI ( local management interface ) : the language you speak between the router and the service provider , it is a signaling protocol that the ISP uses to send you statistics on the line like information about the status and the relative quality of your transmission ( whether it is dropping packets or not ) , it can also be used to send DLCI information
DLCI ( data link connection identifier ) : every site is identified by a DLCI and it is the equivalent of MAC addresses in Ethernet technology
PVC ( permanent virtual circuit ) : each PVC has its own CIR and has a recurring monthly cost
How DLCIs work :
1. DLCIs are locally significant ( you can have similar DLCI numbers in your design but you can't have the same DLCI number twice on the same interface in the same location )
2. It is any number between 16 and 1024

Frame relay PVC designs :
1. Hub and spoke design :
This design is the most common design used because it is cheap
The disadvantages of using this design :
a. You have a single point of failure , if that link is down everything will be down
b. There is a delay in this design : the delay is how long it takes a packet to arrive from one place to another , we care lately about delay issues because there is VOIP traffic newly implemented in data networks
2. Full mesh design :
Every office has a PVC with every other office
The disadvantage of this design is that it is costly ( very expensive )
3. Partial mesh design :
Critical sites only have full connectivity to the other offices ( not all routers have full redundant links to all offices )
It is a good compromise between redundancy , performance and cost
Frame relay interface configuration : it can be configured in 2 ways
1. Multipoint design :
All routers must be on the same subnet
Multiple DLCI numbers are mapped to the multipoint interface
Multipoint configuration causes problems with split horizon , to overcome this issue we shut down the split horizon mechanism
2. Point to point design :
This is the best design to use
All routers must be on different subnets
This design doesn't face any problem with split horizon
We create point to point sub interfaces for each peer ( one sub interface for each DLCI )

23. Wan connections: configuring frame relay (30:52 mins)

Multipoint configuration :

For R1
Router1 (config) # interface serial 0/1/0
Router1 (config-if) # ip address 192.168.1.1 255.255.255.0
Router1 (config-if) # no shutdown
Router1 (config-if) # encapsulation frame-relay
    this command is used to enable frame relay on the interface
Router1 (config-if) # frame-relay lmi-type cisco
    this command is used to configure which signaling to use between our router and the ISP router , in modern routers we don't need to run this command as they have the ability to auto detect which signaling protocol is running , we can specify the ansi or q933a signaling protocols instead of the cisco keyword
Router1 (config-if) # frame-relay map ip 192.168.1.2 102 broadcast
    this command is used for every neighbor we have to connect to ( we use this command to connect PVCs together and as we have 2 neighbors we must have 2 frame-relay map commands ) , we specify the remote ip address to reach that network ( in our example 192.168.1.2 ) and we specify the local DLCI ( in our example 102 ) , the broadcast keyword is used to send broadcasts from this router to the other connected routers ( broadcast is used for RIP , OSPF and EIGRP advertisements and by default frame relay drops those broadcasts , if this keyword wasn't included the routing protocols wouldn't work ) , we can use the ietf keyword if the other router we are communicating with isn't a Cisco router
Router1 (config-if) # frame-relay map ip 192.168.1.3 103 broadcast
Router1 (config-if) # no ip split-horizon
    this command is used to disable split horizon on R1 as in a multipoint configuration we need to disable this mechanism to avoid problems
For R2
Router2 (config) # interface serial 0/0
Router2 (config-if) # ip address 192.168.1.2 255.255.255.0
Router2 (config-if) # no shutdown
Router2 (config-if) # encapsulation frame-relay
Router2 (config-if) # frame-relay map ip 192.168.1.1 201 broadcast
Now R2 and R1 can ping each other
For R3
Router3 (config) # interface serial 0
Router3 (config-if) # ip address 192.168.1.3 255.255.255.0
Router3 (config-if) # no shutdown
Router3 (config-if) # encapsulation frame-relay
Router3 (config-if) # frame-relay map ip 192.168.1.1 301 broadcast
Now R3 can ping R1 BUT it can't ping R2 because we haven't yet added a frame-relay map command on R2 and R3 to reach each other , after adding the commands below R2 is able to ping R3
Router3 (config-if) # frame-relay map ip 192.168.1.2 301 broadcast
    this allows R3 to reach R2 through R1
Router2 (config-if) # frame-relay map ip 192.168.1.3 201 broadcast
    this allows R2 to reach R3 through R1
Point to point configuration :

For R1
Router1 (config) # interface serial 0/1/0
Router1 (config-if) # encapsulation frame-relay
    we don't specify any other command under the physical interface as everything must be configured under the sub interfaces only
Router1 (config-if) # no shutdown
    once we enable the main interface all the sub interfaces are enabled as well
Router1 (config-if) # exit
Router1 (config) # interface serial 0/1/0.102 point-to-point
    this command is used to configure a point to point sub interface , we can replace the point-to-point keyword with the multipoint keyword ( default )
Router1 (config-subif) # ip address 192.168.1.1 255.255.255.0
Router1 (config-subif) # frame-relay interface-dlci 102
    in the multipoint configuration we needed to specify the frame-relay map command with the broadcast keyword plus we needed to disable split horizon , in point to point we only specify the local DLCI as this command enables broadcast by default and the routing protocols work fine ( in point to point we don't need a map for each neighbor to reach all networks and we don't need to disable split horizon )
Router1 (config-fr-dlci) # exit
Router1 (config-subif) # exit

Router1 (config) # interface serial 0/1/0.103 point-to-point
Router1 (config-subif) # ip address 192.168.2.1 255.255.255.0
Router1 (config-subif) # frame-relay interface-dlci 103
For R2
Router2 (config) # interface serial 0/0
Router2 (config-if) # encapsulation frame-relay
Router2 (config) # interface serial 0/0.102 point-to-point
Router2 (config-subif) # ip address 192.168.1.2 255.255.255.0
Router2 (config-subif) # frame-relay interface-dlci 201
Router2 (config-fr-dlci) # interface serial 0/0
Router2 (config-if) # no shutdown
For R3
Router3 (config) # interface serial 0/0
Router3 (config-if) # encapsulation frame-relay
Router3 (config) # interface serial 0/0.103 point-to-point
Router3 (config-subif) # ip address 192.168.2.2 255.255.255.0
Router3 (config-subif) # frame-relay interface-dlci 301
Router3 (config-fr-dlci) # interface serial 0/0
Router3 (config-if) # no shutdown
To verify the frame relay configuration :
1. Router# show frame-relay map ( in short it can be written as Router# sh frame map )
This command is used to show what frame relay maps we have on the router ( what DLCI is mapped to what interface )
Example
Router# show frame-relay map
Serial 0/1/0 (up): IP 192.168.1.2 dlci 102(0x66, 0x1860), static, broadcast
Cisco, status defined, inactive
Notes about the above result :
The above result shows us that we can reach the IP 192.168.1.2 using the DLCI 102
Static means that the map has been statically entered by the admin
Broadcast shows us that we specified the broadcast keyword in the frame-relay map command
Cisco means that the LMI type is Cisco and it must match the other routers
status defined , inactive means that this router is set up but the router connected on the other side isn't configured yet , if it shows status defined , active then both routers on both ends are configured and ready to communicate , if it shows status deleted , inactive then the map we configured on our router isn't recognized by the ISP ( doesn't exist )
2. Router# show frame-relay lmi command is used to show whether the data link connectivity is down and the signaling protocol ( LMI type ) between your router and the ISP ( what we care about mostly in this command is Num Status Enq. Sent vs Num Status msgs Rcvd , they must be approximately the same , if Num Status Enq. Sent increases together with Num Status Timeouts then there is an LMI mismatch )
3. Router# show frame-relay pvc command is used to show every DLCI we have on our router , the status and stats of that DLCI ( like how many packets have been sent and how many broadcasts have been sent ) and what interface it is on
24. IPv6: understanding basic concepts and addressing (33:59 mins)
IPv6 addressing :
1. Address size moved from 32 bits ( IPv4 ) to 128 bits ( IPv6 ) , it provides 340282366920938463463374607431770000000 addresses
2. To make addresses more manageable , the address is divided into 8 groups of 4 hex characters each
Example:
2001:0050:0000:0000:0000:0ab4:1e2b:98aa , as you notice each group ( as an example 98aa ) is 4 hex characters
Rules to make IPv6 addresses manageable :
1. Rule 1 : eliminate groups of consecutive zeros by using a double colon ( :: ) , but you can use this rule only once per address
2. Rule 2 : drop leading zeros
Example:
The original IPv6: 2001:0050:0000:0000:0000:0ab4:1e2b:98aa
Applying rule 1: 2001:0050::0ab4:1e2b:98aa
Applying rule 2: 2001:50::ab4:1e2b:98aa
Types of communication ( messages ) in IPv6 :
1. Unicast : this is a one to one communication type
2. Multicast : this is a one to many communication type
3. Anycast : this is a one to closest communication type , this type gives multiple devices the same IP address
Examples of the anycast type:
1. As an example the eBay company has 3 servers hosting its website and they were configured with an anycast address , one in China , another in the UK and one in the US , if I was living in the UK and wanted to access the eBay website I would be directed by the routing protocols to the server located in the UK ( the closest ) , if I was living in China and wanted to access the eBay website I would be directed by the routing protocols to the server located in China ( the closest ) and so on

NOTE: there is a page that describes the IPv6 header

In IPv6 there isn't a broadcast type , all the communication done by broadcast is now done in IPv6 using multicast
Types of addresses in IPv6 :
1. Link-local scope address : this type of address is used to communicate in the layer 2 domain ( used to communicate with devices on the same switch )
2. Unique/site local scope address : this type is used for organizations ( this type of address is like the private addresses in IPv4 )
3. Global scope address : this type is used for the internet ( this type of address is called internet 2 , those are public addresses , with IPv6 every device in our network can have a global scope address , unlike in IPv4 )

Link local address :
This address is assigned automatically when the IPv6 host comes online , this address is auto generated WHETHER OR NOT THERE IS a DHCP server
This type is similar to the 169.254.x.x addresses in IPv4 ( in IPv4 the 169.254.x.x address is generated only when there isn't any DHCP server available but in IPv6 the link local address is generated with or without DHCP )
Every device has a link local address
This type of address always begins with FE80 ( first 10 bits : 1111 (F) 1110 (E) 10 ( 1000 represents 8 ) followed by 54 bits of zeros ( 10 + 54 = 1st 64 bits ) )
The last 64 bits are the 48 bit MAC address with FFFE squeezed in the middle
The link local address is only used if you are speaking with another device on the same link ( same switch ) , the other types of addresses are used to communicate with other devices connected in other subnets or on other switches/routers
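As an added example ( my code , not from the course notes ) serving both the two shortening rules above and the link local address just described : expand_ipv6 undoes rule 1 and rule 2 , compress_ipv6 applies them ( it puts the single :: on the longest run of zero groups , as RFC 5952 recommends , a detail the notes don't state ) , link_local_from_mac builds FE80:: plus the MAC with FFFE squeezed in ( also flipping the universal/local bit as real modified EUI-64 does , which the notes don't mention ) and mac_from_link_local recovers the MAC back . Function names are assumptions .

```python
def expand_ipv6(addr):
    """Undo both rules: return the eight 4-hex-digit groups ('::' allowed once)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        groups = lgroups + ["0"] * (8 - len(lgroups) - len(rgroups)) + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("not a valid IPv6 address: " + addr)
    return ["%04x" % int(g, 16) for g in groups]   # int() rejects non-hex groups


def compress_ipv6(addr):
    """Rule 2 (drop leading zeros) then rule 1 (one '::' for the longest zero run)."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:                       # locate the longest run of all-zero groups
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                   # RFC 5952: never use '::' for a single group
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def link_local_from_mac(mac):
    """FE80::/64 plus the 48-bit MAC with FF:FE squeezed into the middle."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC address: " + mac)
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    # Modified EUI-64 also inverts the universal/local bit (0x02 of the first
    # octet); the notes only mention the FFFE insertion.
    iid = bytes([iid[0] ^ 0x02]) + iid[1:]
    hexgroups = ":".join(iid[k:k + 2].hex() for k in range(0, 8, 2))
    return compress_ipv6("fe80:0:0:0:" + hexgroups)


def mac_from_link_local(addr):
    """The benefit the notes mention later: recover the MAC from a link-local address."""
    groups = expand_ipv6(addr)
    if groups[:4] != ["fe80", "0000", "0000", "0000"]:
        raise ValueError("not a link-local address: " + addr)
    iid = bytes.fromhex("".join(groups[4:]))
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface id is not derived from a MAC: " + addr)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)
```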

Unique local ( RFC 4193 ) / site-local ( RFC 3513 ) addresses :
The new name of this type is unique local address , it was known before as site local address
This type is used within enterprise networks to identify the boundary of their networks
This type of address looks like the private addresses in IPv4
Use the following format :
Currently , the site address begins with FD00::/8 ( that means 1111 1101 , the ( L ) bit is 1 - locally assigned - ) , what is shown in the picture above is FC00::/7 ( in case L = 0 )
Global addresses :
This is the new pool of addresses that will build the IPv6 internet
The 1st 3 bits ( high level bits ) are set to 001 ( 2000::/3 = 001xxxx::/3 )
The primary addresses expected to comprise the IPv6 internet are from the 2001::/16 subnet ( this block is assigned to the internet - to be public on the internet - )

25. IPv6: configuring, routing and interoperating (23:36 mins)

Configuring IPv6
R1 (config) # ip routing
    this command is used to enable IP routing on the router , in newer routers this is enabled by default
R1 (config) # ipv6 unicast-routing
    this command is used to turn on IPv6 unicast routing ( there is multicast routing and anycast routing as well but in CCNA we are only concerned about unicast routing )
R1 (config) # interface fastethernet 0/0
R1 (config-if) # ipv6 address 1FE0:1111::1/32
    this command is used to assign an IPv6 address to this specific interface
R1 (config-if) # no shutdown
R1 (config) # interface serial 0/0
R1 (config-if) # ipv6 address 2001:210:10:1::1/64
R1 (config-if) # no shutdown
Router# ping ipv6 2001:210:10:1::1 command is used to verify connectivity by pinging a specific IPv6 address
Router# show ipv6 interface brief command is used to verify the IPv6 addresses assigned to the interfaces , it shows all the link local addresses as well ( the main benefit of knowing the link local address is to derive the MAC address from it )

IPv6 routing protocols : in addition to static routing nearly every protocol has been updated to support IPv6 :
RIPng ( RIP next generation )
OSPFv3
EIGRP for IPv6
IS-IS for IPv6
MP-BGP4 ( Multiprotocol BGPv4 ) , BGP is a routing protocol for the internet , this is explained further in CCNP
Configuring RIPng from global configuration mode :
Router (config) # ipv6 router rip 1
    this command is used to enable RIPng on this router from global configuration mode , RIPng uses a tag that identifies this rip process ( in our example number 1 ) and it could be any number ( this tag is only used to identify the rip process )
Router (config-rtr) # exit
    there is no need to run any network commands like in the normal rip protocol
Configuring RIPng from interface mode :
Router (config) # interface fastethernet 0/0
Router (config-if) # ipv6 rip 1 enable
    this command is used to enable RIPng from interface mode , in this example it uses the tag number 1
Router (config) # interface serial 0/0
Router (config-if) # ipv6 rip 1 enable
Router# show ipv6 rip command is used to show information about the RIPng process , it shows you the multicast address group ( RIPng sends to the multicast group FF02::9 as there is no broadcast in IPv6 )
Router# show ipv6 route command is used to show the IPv6 routing table ( the L code means it is a link local address )
Router# traceroute ipv6 1FE0:2222::1 command is used to trace an IPv6 address
Migration mechanisms to IPv6 :
1. Dual-stack routers : we set up a router that supports both protocols , IPv4 and IPv6
2. Tunneling :
a. 6 to 4
b. 4 to 6
3. NAT protocol translation ( NAT-PT )
