8 bits = 1 byte
1024 bytes = 1 kilobyte
1024 kilobytes = 1 megabyte
1024 megabytes = 1 gigabyte
1024 gigabytes = 1 terabyte
OSI layers at the source, for the example of requesting a web page (table from the notes):

Layer              | What happens at the source
Application layer  | "Send me a webpage" (get the Cisco web site)
Presentation layer | Package it in HTTP
Session layer      | Create a session of its own for requesting the Cisco site
Transport layer    | Use the TCP protocol (because HTTP uses TCP in general) plus specify the source and destination ports; the source port is the web browser port (dynamic, for example 1098) and the destination port is 80
Network layer      | Adds the source and destination IP address
Data link layer    | Adds the source and destination MAC address
Physical layer     | Puts all the information on the wire

[Figure residue from the notes: the same seven layers listed again for the destination side (application, presentation, session, transport, network, data link, physical) and two MAC addresses on the path, 0089:1111:3333 and 0089:1111:2222]
Notes about the example above:
All the 7 steps are done in reverse on the destination side, starting from the physical layer and going up to the application layer
The MAC address changes every time the packet is forwarded from the source towards the destination:
At first the source MAC address will be 00a0151189f2 and the destination MAC address will be 0089:1111:2222
Second, the source MAC address will be 0089:1111:2222 and the destination MAC address will be 0089:1111:3333, and so on until it arrives at the destination
The IP addresses don't change from the beginning of sending the packet to its arrival at the destination: the source IP address is 10.1.1.5 and the destination IP address is 200.1.1.1
The ipconfig /all command is used to show the MAC address in hexadecimal
The netstat -n command is used to show all the open sessions from my computer by IP address only
The netstat command is used to show all the open sessions from my computer in general
[Figure residue from the notes: TCP/IP model layers shown as Transport layer, Internet layer, Network access layer]
IP address format:
1. The IP address has 4 octets; it is always combined with a subnet mask and a default gateway
2. The subnet mask dictates which portion of the IP address identifies the network and which identifies the host: in the subnet mask the number 255 represents a network portion and the number 0 represents a host portion
Example:
IP address: 172.30.3.82 (these represent 4 octets)
Subnet mask: 255.255.255.0
Default gateway: 172.30.3.1
Every interface on the router represents a network (it is connected to a specific network)
Example:
TCP windowing: it increases the amount of data sent based on how reliable it detects the connection to be
Example:
Sequence numbers reflect how many bytes a computer is sending at once; because of that, in real life they appear as big numbers
In this case only an ARP packet is sent, but not to learn the destination MAC address; instead it is sent to learn the MAC address of the router interface (default gateway)
Ethernet cables (table from the notes):

Cable type | Maximum distance | Connection type
Category 5 (CAT 5) unshielded twisted pair (UTP) | 100 meters | RJ45 (a famous type of CAT 5 is CAT5e)
Single mode fiber | 275 meters to a few miles | Varies
This type is better than single mode as it sends multiple signals through the path, and it is cheaper | 1 mile to many miles | Varies
HUBS:
A hub only regenerates the signal (a packet that is sent is received by all)
hub = 1 collision domain and 1 broadcast domain
A hub is also called shared CSMA/CD
The problem of a hub is that only 1 device can send or receive at a time; in case a collision occurred (two devices sent at the same time), one of the devices that detected the collision will send a jam packet to stop all network communication
11. LANS: working with the Cisco switch IOS (29:15 mins)
You can use the TAB key on the keyboard to auto-complete the command
If we typed any command and got the message "incomplete command", that means there is a missing parameter
If we typed any command and got the message "ambiguous command", that means I typed a command in an incomplete way (I must type it in full because there is probably more than one command with the same start; for instance, you could type "qu", but that would be an ambiguous command because both "quit" and "quote" are valid commands)
If we typed any command and got the message "unrecognized command", that means I typed the command in the wrong mode
Router# show history : this command is used to check all the commands I typed before; it memorizes up to 10 by default and this value can be changed
IOS modes:
1. Switch> : this is called user mode (user exec); only basic show commands, telnet commands and the ping command can be run in this mode
2. Switch# : this is called privileged mode (privileged exec); from user mode you type the command ENABLE to enter this mode; you can view anything in this mode, like viewing the current configuration of the switch/router
3. Switch(config)# : this is called global configuration mode; in this mode we can configure global commands, and those global commands affect the whole switch/router; as an example, if you type switch(config)# hostname NAME, this command will change the hostname of the router/switch; to enter this mode you type config terminal from privileged mode: switch# config terminal
4. Switch(config-if)# : this is called interface configuration mode; any command typed in this mode affects a specific interface only; to enter this mode you type, as an example, the command switch(config)# interface fa0/0 from global configuration mode
Switch(config-if)# end : this moves you back to privileged mode from interface mode
If you type the command EXIT in any mode it will move you back one step
CTRL+Z moves you back to privileged mode from any mode
CTRL+E moves the cursor to the end of the line
CTRL+A moves the cursor to the beginning of the line
line con 0
password 7 234shdj
weak and can be any symbol I can use, but it must be the same at the beginning and the end of the text I want to include
Telnet is weak because it uses a password that can be captured by packet sniffers like the Wireshark program
To configure telnet we only need to configure a password for it
SSH (secure shell): it is telnet plus an encryption protocol
To configure SSH:
1. It needs a user name and password
2. Assign a domain name that will be used to generate the encryption certificates
3. Generate RSA keys to secure the SSH sessions; the general template looks like switchname.domainname (example: SW1.virus.com, where SW1 is the switch name and virus.com is the domain name)
4. Specify which version of SSH to use
5. Configure the lines to use SSH instead of telnet
The following example will show how to configure SSH, specifying each point from above:
1. switch ( config )
2. switch ( config )
3. switch ( config )
request from us
that means the flip cable won't be reliable), it also shows the duplex mode, speed, txload (how much load you are sending; if it is 1/255 that means this port isn't sending a lot) and rxload (how much load you are receiving), and finally it shows you how many bits per second are received and sent (input/output rate), how many packets were in/out from this port and how many broadcast packets have been received
Example:
If there are 17928 packets input and 14446 broadcasts received, then the broadcast share would be 14446/17928 = 0.80 = 80% (80% of the packets are broadcasts); in general the broadcast packets mustn't be more than 20%
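The 20% rule above is easy to apply by hand for one port but worth automating across a whole switch. The following Python script is an added example (not from the notes or from Cisco): it parses the packet-input and broadcast counters from a constructed, simplified show interfaces output (the line layout is assumed; only the 17928/14446 figures come from the notes) and flags any interface whose broadcast share exceeds the limit.

```python
import re

# Constructed sample of the counter lines from a Cisco IOS "show interfaces"
# output (assumed layout, not copied from the notes); FastEthernet0/1 reuses
# the 17928 packets / 14446 broadcasts figures from the notes' example.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     17928 packets input, 2345678 bytes, 0 no buffer
     Received 14446 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
FastEthernet0/2 is up, line protocol is up
  5 minute input rate 3000 bits/sec, 5 packets/sec
  5 minute output rate 2000 bits/sec, 3 packets/sec
     50000 packets input, 6000000 bytes, 0 no buffer
     Received 1500 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
"""

BROADCAST_LIMIT = 0.20  # the notes' rule of thumb: broadcasts must not exceed 20%

_IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down)")
_INPUT_RE = re.compile(r"^\s*(\d+) packets input")
_BCAST_RE = re.compile(r"^\s*Received (\d+) broadcasts")


def parse_counters(text):
    """Return {interface: {"packets_input": n, "broadcasts": n}} from show interfaces text."""
    counters = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:  # a new interface block starts
            current = m.group(1)
            counters[current] = {"packets_input": 0, "broadcasts": 0}
            continue
        if current is None:
            continue
        m = _INPUT_RE.match(line)
        if m:
            counters[current]["packets_input"] = int(m.group(1))
            continue
        m = _BCAST_RE.match(line)
        if m:
            counters[current]["broadcasts"] = int(m.group(1))
    return counters


def broadcast_ratio(packets_input, broadcasts):
    """Fraction of input packets that were broadcasts (0.0 for an idle port)."""
    if packets_input == 0:
        return 0.0
    return broadcasts / packets_input


def check_broadcasts(text, limit=BROADCAST_LIMIT):
    """Return {interface: (ratio, over_limit)} for every interface in the output."""
    result = {}
    for iface, c in parse_counters(text).items():
        ratio = broadcast_ratio(c["packets_input"], c["broadcasts"])
        result[iface] = (ratio, ratio > limit)
    return result


if __name__ == "__main__":
    for iface, (ratio, over) in check_broadcasts(SAMPLE_SHOW_INTERFACES).items():
        flag = "OVER the 20% limit" if over else "ok"
        print(f"{iface}: {ratio:.1%} broadcasts -> {flag}")
```

Feed it the saved output of show interfaces; the function returns the ratio and the flag per port, so the check can be scripted rather than eyeballed, and an idle port (zero packets input) is reported as 0% instead of raising a division error.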
switch# show interface description command shows the ports of the switch, the status of each port and the description (what has been configured using the switch(config-if)# description DESCRIPTION command) of each port; it also shows all the bad packets like runts, giants, input errors, CRC, frame, overrun, ignored and throttles, and finally it shows you the total packets output, collisions and late collisions
runts (packets that are too small in size) and giants (packets that are too big in size) are dropped in general and they result from bad connections
input errors, CRC and frame errors usually result from a faulty NIC or switch port, or from interference on the cable itself
late collisions happen if the cable is too long (longer than 100 meters for CAT 5 cables), because if the cable is too long then the distance for the packet to travel is long as well
collisions happen usually when there is a duplex mismatch
switch# show run command is the easiest way to check the current configuration
It uses 5.8 GHz RF
Not cross compatible with 802.11b/g because 802.11a uses a different range (5.8 GHz) than 802.11b/g (2.4 GHz)
NOTE: there is a page that describes wireless channels and the clean channels
Wireless access points (WAP) in general have a coverage of 300 feet without obstructions
ITU-R: International Telecommunication Union Radiocommunication Sector; this regulates the radio frequencies used for wireless transmission
Institute of Electrical and Electronics Engineers (IEEE) maintains the 802.11 wireless transmission standards
Wi-Fi Alliance ensures certified interoperability between 802.11 wireless vendors
employees left the company then you need to change that key on all the devices
2. Evolution 1: pre-shared key WPA1: this evolution improves the security from WEP encryption to WPA1 encryption, as WPA1 uses the TKIP (temporal key integrity protocol) method for the encryption and that is a bit stronger compared to WEP encryption
3. Evolution 2: WPA1 and 802.1x authentication: in general the 802.1x authentication concept is that when a device joins the wireless access point it sends to that access point a user name and password or a certificate, based on which authentication method the device is using; the access point passes that user name and password or that certificate to a specific server to check that it is valid; after that the server sends back to the access point that the user name and password or the certificate is valid; finally the device joins the wireless access point network
Each time a device joins the wireless access point, several encryption keys (those aren't pre-shared keys) are generated using an encryption algorithm (every new session established creates new encryption keys)
The advantage of 802.1x authentication is that it is a bit stronger; let's say for example one of the employees left the company, we don't need to change the key as we did in the pre-shared key method; instead we just disable the user account or the certificate that employee was using on the main server
4. Evolution 3: WPA2 (802.11i) and 802.1x authentication: this evolution improves the security from WPA1 encryption and 802.1x authentication to WPA2 encryption and 802.1x authentication, as WPA2 uses the AES (advanced encryption standard) method for the encryption and that is a bit stronger compared to WPA1, which uses the TKIP (temporal key integrity protocol) method for the encryption
NOTE: evolution 2 and evolution 3 support pre-shared keys as well
Understanding the SSID:
The service set identifier (SSID) uniquely identifies and separates wireless networks; the SSID is the name of the wireless network
You can have a wireless access point that has multiple SSIDs; as an example, you can have a wireless access point that has 2 SSIDs, one called public (unsecured network) and the other called private (secured network)
When a wireless client is enabled the following happens:
1. The client issues a probe (request)
2. The wireless access point responds with a beacon (on the client side all the available SSIDs appear; in other words the client can notice the available networks)
3. The client associates with a chosen SSID (the client joins the SSID held by the wireless access point that has the strongest signal, as this SSID may be shared by multiple wireless access points, so the client joins the one that provides the strongest signal)
4. The wireless access point adds the client MAC address to its association table
If the signal goes weak then the client re-issues another probe (request); the closer wireless access point with the same SSID will reply back to the client
The correct design of a wireless LAN (WLAN):
1. Radio frequency (RF) service areas should have 10%-15% overlap (this percentage can be measured using Fluke Networks tools or software sniffers)
2. Repeaters should have 50% overlap
3. Bordering access points should use different channels
Setting up a wireless network:
1. Pretest the switch port that will be used to connect the wireless access point with a laptop, by testing the DHCP service and DNS service on that laptop while it is connected to that switch port
2. Connect the wireless access point to that switch port
3. Set up and test the SSID that has been created without configuring additional security
4. Add security (WEP/WPA1/WPA2) to the wireless access point and test it
5. Add authentication (802.1x/pre-shared key) to the wireless access point and test it
18. Advanced TCP/IP: working with binary (25:51 mins)
IPv4 address:
An IPv4 address can be one of 3 different classes: class A, class B and class C
When the IP address is combined with a subnet mask it defines a network and a host portion (example: if we have the IP address 10.1.1.1 with a subnet mask 255.0.0.0 we notice that 10 is the network part (because it is linked with 255 from the subnet mask) and 1.1.1 is the host part (because it is linked with 0 from the subnet mask))
The IP protocol operates at layer 3 of the OSI model
[Binary to decimal table from the notes; only its last two columns survive: the place value 2^1 = 2 holds the bit 1 and the place value 2^0 = 1 holds the bit 0]
After adding the place values that are linked with a 1 in binary we will have the number:
32+16+4+2 = 54 in decimal
19. Advanced TCP/IP: IP subnetting part 1 (55:06 mins)
Every interface on the router represents a network
Subnetting stands for breaking our main network into multiple networks
Steps for subnetting:
1. Determine the number of networks and convert it to binary
2. Reserve bits in your subnet mask and find your increment
3. Use the increment to find your network ranges
Example: we have the IP address 216.21.5.0 with a subnet mask 255.255.255.0 and we want to implement 5 networks with that given IP address
1. 5 networks: 5 = 00000101, so 3 bits are reserved to represent the number 5; or we can just do the following: 2^3 - 2 = 6, 3 bits cover 6 networks and what we want is 5
To know the number of subnets: it equals 2^x where x is the number of bits; according to this example we have 3 bits, so there are 8 subnets
2. The result from point 1 is that we want 3 bits
We use the 255.255.255.0 subnet mask as the IP address 216.21.5.0 is a class C address; if it was a class A address we would use 255.0.0.0 (/8) and if it is a class B address we would use 255.255.0.0 (/16)
255.255.255.0 = 11111111.11111111.11111111.00000000; adding the 3 bits found in point 1 gives 11111111.11111111.11111111.11100000, so the subnet mask to use is 255.255.255.224; after that we subtract 256-224 = 32 to know the increment
Network ID   | Broadcast ID | Usable hosts
210.21.5.0   | 210.21.5.31  | 1-30
210.21.5.32  | 210.21.5.63  | 33-62
210.21.5.64  | 210.21.5.95  | 65-94
210.21.5.96  | 210.21.5.107 | 97-106
210.21.5.108 | 210.21.5.139 | 109-138
210.21.5.140 | 210.21.5.171 | 141-170
210.21.5.172 | 210.21.5.223 | 173-222
210.21.5.224 | 210.21.5.255 | 225-254
Bit notation: an example of bit notation is 255.255.255.0 = /24 (24 one-bits)
The subnet mask 255.255.255.252 gives 2 usable networks and that is usually useful for point-to-point WAN links
20. Advanced TCP/IP: IP subnetting part 2 (22:29 mins)
NOTE: this section will explain subnetting based on the number of hosts
Example: you have the IP address 216.21.5.0 and you want to use that IP address for 5 networks with 30 hosts per network
1. To have 30 hosts: 2^5 - 2 = 30, so we need 5 host bits to cover the situation
2. 255.255.255.0 = 11111111.11111111.11111111.00000000; keeping the 5 host bits found in point 1 for the hosts gives 11111111.11111111.11111111.11100000, so the subnet mask to use is 255.255.255.224 as we care for the SUBNET BITS!; after that we subtract 256-224 = 32 to know the increment
The number of subnets = 2^3 = 8
The number of hosts per subnet = 2^5 - 2 = 30 hosts per subnet
3.
Network ID   | Broadcast ID | Usable hosts
210.21.5.0   | 210.21.5.31  | 1-30
210.21.5.32  | 210.21.5.63  | 33-62
210.21.5.64  | 210.21.5.95  | 65-94
210.21.5.96  | 210.21.5.107 | 97-106
210.21.5.108 | 210.21.5.139 | 109-138
210.21.5.140 | 210.21.5.171 | 141-170
210.21.5.172 | 210.21.5.223 | 173-222
210.21.5.224 | 210.21.5.255 | 225-254
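As an added worked example (not from the notes), the Python below carries out the two subnetting procedures of part 1 and part 2 in code: part 1 sizes the mask from the number of networks (5 networks, 3 subnet bits), part 2 sizes it from the number of hosts (30 hosts, 5 host bits), and both enumerate the network ID, broadcast ID and usable host range of every subnet of 216.21.5.0/24. It also shows the binary form of an octet and the network/host split from the class example in section 18. The function and variable names are my own; only the addresses and masks come from the notes. It generalizes the notes' last-octet calculation: the increment is computed as the subnet block size in addresses, so it also works when the split falls in an earlier octet.

```python
import math


def octet_to_bits(octet):
    """Binary string of one octet, e.g. 224 -> '11100000' (the notes' mask notation)."""
    return format(octet, "08b")


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_from_mask(mask):
    """255.255.255.224 -> 27; rejects masks whose one-bits are not contiguous."""
    bits = format(ip_to_int(mask), "032b")
    if "01" in bits:
        raise ValueError(f"{mask} is not a valid subnet mask")
    return bits.count("1")


def mask_from_prefix(prefix):
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def split_address(ip, mask):
    """Network and host portions of ip under mask: 10.1.1.1 / 255.0.0.0 -> 10.0.0.0 and 0.1.1.1."""
    n, m = ip_to_int(ip), ip_to_int(mask)
    return int_to_ip(n & m), int_to_ip(n & ~m & 0xFFFFFFFF)


def bits_for_networks(count):
    """Part 1 method: subnet bits such that 2**bits >= count."""
    return math.ceil(math.log2(count)) if count > 1 else 0


def bits_for_hosts(count):
    """Part 2 method: host bits such that 2**bits - 2 >= count."""
    bits = 2
    while (1 << bits) - 2 < count:
        bits += 1
    return bits


def split_network(ip, mask, networks=None, hosts=None):
    """Subnet ip/mask for a number of networks or a number of hosts per network.

    Returns the new mask, the increment (subnet block size in addresses, which equals
    the notes' 256 - mask_octet when the split falls in the last octet) and, per
    subnet, (network ID, broadcast ID, first usable host, last usable host).
    """
    base_prefix = prefix_from_mask(mask)
    if networks is not None:
        new_prefix = base_prefix + bits_for_networks(networks)
    elif hosts is not None:
        new_prefix = 32 - bits_for_hosts(hosts)
    else:
        raise ValueError("give networks= or hosts=")
    if new_prefix < base_prefix or new_prefix > 30:
        raise ValueError("requested size does not fit in the given network")
    block = 1 << (32 - new_prefix)
    base = ip_to_int(ip) & ip_to_int(mask)
    subnets = []
    for start in range(base, base + (1 << (32 - base_prefix)), block):
        bcast = start + block - 1
        subnets.append((int_to_ip(start), int_to_ip(bcast),
                        int_to_ip(start + 1), int_to_ip(bcast - 1)))
    return {"mask": mask_from_prefix(new_prefix), "prefix": new_prefix,
            "increment": block, "subnets": subnets}


if __name__ == "__main__":
    for key in ({"networks": 5}, {"hosts": 30}):
        r = split_network("216.21.5.0", "255.255.255.0", **key)
        print(f"{key}: mask {r['mask']} (/{r['prefix']}), increment {r['increment']}")
        for net, bcast, first, last in r["subnets"]:
            print(f"  {net:<14} {bcast:<14} {first} - {last}")
```

Both procedures produce the same /27 mask for this example, so the two enumerations are identical; the output can be compared line by line with the network-range tables above.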
23. Routing: SDM and DHCP server configuration, part 1 (32:06 mins)
SDM:
1. SDM means Security Device Manager
2. SDM is a graphical user interface (GUI) that you can use to configure and manage your router
3. SDM is a web based tool that uses Java
4. SDM works on all mainline routers (all models) like the 2800, 800 and 2600 router models
5. SDM is designed to allow IOS configuration without extensive knowledge of it
Steps for configuring your router to support SDM:
1. Generate encryption keys (used in SSH and HTTPS); to generate those keys we need to configure a domain name
2. Turn on the HTTP/HTTPS servers on your router
3. Create a privilege level 15 user account
4. Configure your VTY and HTTP access ports for privilege level 15 and to use the local user database
5. Install Java on your PC and access the router using one of the following ways:
24. Routing: SDM and DHCP server configuration, part 2 (20:02 mins)
Dynamic host configuration protocol (DHCP):
1. DHCP allows you to give devices IP addresses without manual configuration
2. A DHCP IP address is typically given for a specific time
3. Can be manually allocated for key network devices (we can reserve an IP address based on the device's MAC address)
4. DHCP servers can be server based or router based; the server based advantage is that it is easier to use via the GUI, the router based advantage is that it is more stable
DHCP process:
1. DHCP discover message (broadcast message)
2. DHCP offer message (unicast message)
3. DHCP request message (unicast message)
4. DHCP ACK (unicast message)
has been assigned with this DHCP option you will notice that the name of the client has been added beside it this domain name
Tick mark: import all the DHCP options into the DHCP server database; in case the router has been assigned a dynamic IP address from the ISP, using this option it can pull other DHCP options provided by the same ISP; once the router receives those options it starts assigning them dynamically to the clients who request an IP address from this router
In SDM if you press on the DHCP pool status tab you will notice the leased IP addresses
To configure DHCP using the command line:
Router(config)# ip dhcp pool POOLNAME : this command is used to create the DHCP pool with the given name and enters DHCP pool configuration mode
Router(dhcp-config)# network 192.168.1.0 255.255.255.0 : this command is used to configure the IP addresses that will be available in this DHCP pool (those IP addresses will be leased to clients)
Router(dhcp-config)# domain-name DOMAINNAME : this command is used to configure the domain name that would be offered by the DHCP router to the clients when they are assigned an IP address from this router
Router(dhcp-config)# default-router 192.168.1.1 : this command is used to configure the default gateway that would be offered by the DHCP router to the clients when they are assigned an IP address from this router
Router(dhcp-config)# import all : this is the "tick mark" import option from SDM
(lease-time command, cut off in the notes) : used if we want to lease the IP addresses for 3 days
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.19
Router(config)# ip dhcp excluded-address 192.168.1.101 192.168.1.254
The two commands above exclude those IP address ranges from our pool, so the available IP addresses left that will be leased to clients are 192.168.1.20-192.168.1.100
Router# show ip dhcp binding : this command shows all the IP addresses leased to the clients using DHCP and the MAC addresses of the clients that are using the leased IP addresses
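As an added example (not from the notes), this Python script models the effect of the two excluded-address ranges above on the 192.168.1.0/24 pool: it lists the addresses the router would still lease and checks that the default-router address is inside the network and is excluded from leasing (handing the gateway address to a client is a common pool misconfiguration that produces duplicate-address conflicts). It uses only the standard library; the function names are mine and the addresses are the ones from the notes' example.

```python
import ipaddress

# Values from the notes' DHCP pool example
POOL_NETWORK = "192.168.1.0/24"
DEFAULT_ROUTER = "192.168.1.1"
EXCLUDED_RANGES = [
    ("192.168.1.1", "192.168.1.19"),
    ("192.168.1.101", "192.168.1.254"),
]


def excluded_addresses(ranges):
    """Expand (first, last) pairs, as given to ip dhcp excluded-address, into a set of ints."""
    out = set()
    for first, last in ranges:
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if hi < lo:
            raise ValueError(f"excluded range {first}-{last} is reversed")
        out.update(range(lo, hi + 1))
    return out


def leasable_addresses(network, ranges):
    """Host addresses of the pool network that remain available for leasing."""
    net = ipaddress.IPv4Network(network)
    excluded = excluded_addresses(ranges)
    return [str(host) for host in net.hosts() if int(host) not in excluded]


def check_pool(network, default_router, ranges):
    """Summarize the pool and sanity-check the default-router setting."""
    net = ipaddress.IPv4Network(network)
    gateway = ipaddress.IPv4Address(default_router)
    leasable = leasable_addresses(network, ranges)
    return {
        "count": len(leasable),
        "first": leasable[0] if leasable else None,
        "last": leasable[-1] if leasable else None,
        # the gateway must belong to the pool's network ...
        "gateway_in_network": gateway in net,
        # ... and must never be handed out to a client
        "gateway_excluded": str(gateway) not in leasable,
    }


if __name__ == "__main__":
    summary = check_pool(POOL_NETWORK, DEFAULT_ROUTER, EXCLUDED_RANGES)
    print(f"{summary['count']} leasable addresses: {summary['first']} - {summary['last']}")
    if not summary["gateway_in_network"]:
        print("WARNING: default-router is not inside the pool network")
    if not summary["gateway_excluded"]:
        print("WARNING: default-router address can be leased to a client")
```

With the notes' exclusions the script reports 81 leasable addresses, 192.168.1.20 to 192.168.1.100; drop the exclusions and it warns that 192.168.1.1 would be leased.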
27. Routing: internet access with NAT and PAT (24:41 mins)
Router# u all command (short for undebug all) is used to disable all debugging on the router
NAT (network address translation) allows multiple devices to share an internet IP address (a public address)
PAT (port address translation) is a form of NAT and it is called NAT overload
Static NAT is usually used with web servers
To configure NAT using SDM there is a tab for NAT that contains 2 options:
1. Basic NAT: it is the same as PAT (NAT overload)
2. Advanced NAT, or static NAT
How PAT works:
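The notes' explanation of how PAT works is cut off here. As an added illustration (not from the notes), the Python below models the translation table a PAT router keeps: every inside (IP, port) pair is mapped to the single public address with a unique translated port, returning packets are matched on that port only, and a packet arriving for a port with no entry has no inside destination and is dropped, which is why an inside host is not reachable from the internet unless a static NAT entry (as used for web servers) is configured. The public address 203.0.113.5 and the inside hosts are constructed values.

```python
class PatTranslator:
    """Minimal model of PAT (NAT overload): many inside hosts share one public
    address and are told apart by a unique translated source port.

    Constructed for illustration; a real router also keys on the protocol and
    the remote endpoint and ages entries out on a timer.
    """

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        self.outbound_table = {}   # (inside_ip, inside_port) -> translated public port
        self.inbound_table = {}    # translated public port -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port):
        """Translate a packet leaving the inside network.

        The same inside (ip, port) flow always gets the same public port; a new
        flow is assigned the next unused public port.
        """
        key = (inside_ip, inside_port)
        if key not in self.outbound_table:
            try:
                port = next(self._free_ports)
            except StopIteration:
                raise RuntimeError("translation table full: no free public ports") from None
            self.outbound_table[key] = port
            self.inbound_table[port] = key
        return self.public_ip, self.outbound_table[key]

    def inbound(self, public_port):
        """Translate a packet arriving from the internet for public_ip:public_port.

        Returns the inside (ip, port), or None when no entry exists, in which
        case the router has nowhere to send the packet and drops it.
        """
        return self.inbound_table.get(public_port)


if __name__ == "__main__":
    pat = PatTranslator("203.0.113.5")
    # two inside hosts that happen to use the same source port (the notes' 1098)
    print(pat.outbound("192.168.1.10", 1098))   # -> ('203.0.113.5', 1024)
    print(pat.outbound("192.168.1.11", 1098))   # -> ('203.0.113.5', 1025)
    print(pat.inbound(1025))                     # -> ('192.168.1.11', 1098)
    print(pat.inbound(4000))                     # -> None: unsolicited, dropped
```

The two inside hosts both use source port 1098, so the public port, not the inside port, is what keeps their return traffic apart.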
1. A leased line can be configured using HDLC (high-level data link control):
This is a layer 2 WAN protocol (if you want to compare it to a layer 2 LAN protocol it would be the Ethernet technology)
This is a Cisco proprietary protocol (it only works with Cisco routers)
It is the default protocol that is used
It is simple to configure and use
Extremely low overhead
No features
2. A leased line can also be configured using PPP (point to point protocol):
This protocol is an alternative to HDLC
Industry standard (this protocol works with all routers and is not proprietary to Cisco only)
Moderate overhead
Feature-riffic; it supports four major features:
29. Management and security: telnet, SSH and CDP (28:48 mins)
Router# telnet 192.168.2.2 command is used to telnet to another router from our router
Managing telnet/SSH:
1. Press <CTRL, SHIFT, 6> then X: this suspends the telnet/SSH session; to resume that session we just type the command router# resume 1 (number 1 represents the session number) from our router or we press the ENTER key in
4. If we find that the new IOS is working fine from TFTP then we copy that new IOS to the flash using the command router# copy tftp flash
Before the packet is sent on trunk ports it is tagged, and once it arrives at the destination the packet will be untagged and arrives as normal data
NOTE: anything below in this section written as VTP refers to Cisco's method to manage the VLANs, because they also call the VLAN trunking protocols (ISL, 802.1Q) VTP; so if you notice the term VTP we mean the messaging protocol that manages the addition, deletion and renaming of VLANs, and if you notice the term VLAN trunking protocol (tagging protocols or trunking protocols) we mean ISL and 802.1Q
VTP (we will call this VRP, the details are mentioned below):
1. Is a Cisco proprietary layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis.
2. The only VLAN trunking protocol (tagging protocol) is 802.1Q
Before there was:
802.1Q: it is an industry standard and this is currently used; this tagging protocol allows switches that have different VLANs to communicate together
ISL (inter switch link): it is a Cisco proprietary trunking protocol and it has been discontinued
Example 2:
VTP modes:
1. Server mode (default mode):
Power to change VLAN information (adding, deleting and changing)
Sends and receives VTP updates
Saves VLAN configuration
2. Client mode:
Can't change VLAN information
Sends and receives VTP updates
Doesn't save VLAN configuration
3. Transparent mode:
Power to change VLAN information
Forwards (passes through) VTP updates
Doesn't listen to VTP advertisements
Saves VLAN information
Note that if we configured all the switches in the network in transparent mode this is like disabling VTP in our network
In general we configure one VTP server and the rest as VTP clients (in this case we do the changes on the VTP server only and then the changes are replicated to the VTP clients); if we configured a
1. Configure trunks
Switch(config)# interface fastethernet 0/0
Switch(config-if)# switchport mode trunk : this command is used to configure the port as a trunk port (this means that this port is connected to another switch); by default the mode for any switch port is dynamic desirable (this means that this port can be an access port or a trunk port depending on what is connected to that port)
NOTE that if we ran the command switch(config-if)# switchport mode trunk on some switches you may face an error:
Command rejected: an interface whose trunk encapsulation is auto cannot be configured to trunk mode
This happens because some switches, like the 3550 switch, have the choice between the 2 trunking protocols ISL and 802.1Q; to overcome this issue we specify the encapsulation to be 802.1Q instead of the default auto negotiate, using the command switch(config-if)# switchport trunk encapsulation dot1q; if we didn't receive this error that means this switch only supports the dot1q encapsulation
Switch(config)# interface range fastethernet 0/2 - 24 : this command is used to specify a range of interfaces so we can apply the same command to all those interfaces instead of accessing each interface individually
Switch(config-if-range)# switchport mode access : this command is used to configure the port as an access port; we use this command after specifying the trunk ports, as we need to configure all the ports on the switch to be either access ports or trunk ports
switch# show run interface fastethernet 0/1 command shows only the information related to this specific interface
switch# show vtp status command shows all the information related to VTP like the VTP version, VTP revision (how many changes were made to this switch), max VLANs supported at one time (in
2. Layer 3 switch:
A layer 3 switch is a switch that has layer 3 capabilities; it works based on creating VLAN interfaces
A layer 2 switch is a switch that has layer 2 capabilities only
3. Router on a stick
and routers; in general the routers and switches adjust the size of the packet to be 1496 bytes instead of 1500 bytes so that when that packet is tagged it will be 1500 bytes (this is the maximum size that can be handled by Ethernet technology)
If we ping from a PC in one VLAN to a PC in another VLAN and it isn't successful, then we need to check whether the router contains any routing entries for those VLANs
4. All other switches, or non-root bridges, must select one DP; the election of the DP is done exactly like the RP!
In brief:
RP: lowest path cost; if tied then we go to the lowest bridge ID; if tied then we go to the lowest physical port ID
DP: lowest bridge ID; if tied then we go to the lowest physical port ID
Example:
Exclusion examples:
Example:
According to the above example:
1. The root bridge priority is 32769 and the MAC address is 0009.e848.6c00
2. The root bridge is connected on DS1 local port fa0/27
3. The priority for DS1 is 32769 = 32768 (default) + 1 (the VLAN number, sys-id-ext), as PVST+ is running on this switch by default
Example:
According to the above example:
1. One of the features
Notes:
1. When you first plug a device into a switch port it will take 30 seconds (15 seconds in listening mode and 15 seconds in learning mode) to check the device; the first 15 seconds of listening mode are used basically to double check that this port doesn't have another switch connected to it, and that is done by checking whether the port receives a BPDU or not; if a port is configured to not receive BPDUs and it receives one in the first 15 seconds (listening mode), then instead of entering learning mode it will be shut down
2. A blocking port transitioning from the blocking state to the forwarding state (changing from blocking mode to listening mode to learning mode and finally to forwarding mode) will take 50 seconds = 20 seconds in blocking mode, 15 seconds in listening mode and 15 seconds in learning mode
3. When there is a failover in STP (one link goes down and another link works until the first link is functioning again), it will take 30-50 seconds; if there is another failover (the original link is up again and functioning) it will take 1-1:30 mins because we add a blocking timer to the 30-50 seconds that happened in the first failover
Problems and solutions of STP:
1. STP faces some problems with PCs: modern PCs can boot faster than 30 seconds (listening and learning modes), and that is faster than a port transitioning from blocking state to forwarding state (50 seconds); in this case the PCs are forced to wait those 50 seconds until they start communicating on the network, as the PC won't work until the port works
The solution for this problem is to use the portfast feature; this feature transitions the port from blocking mode to forwarding mode immediately without entering the listening and learning modes; this feature is enabled using the command switch(config-if)# spanning-tree portfast (this command disables STP on that port and it is configured only on access ports)
2. STP faces some problems with uplink ports (ports that are connecting to other switches): if this port transitions from blocking mode to forwarding mode it will spend approximately 50 seconds, and that is a big amount of time that causes trouble in our network
The solution for this problem is to use RSTP (rapid spanning tree)
Initial STP enhancements:
1. PVST+ (per VLAN spanning tree +):
Runs as an instance of STP per VLAN
Allows different root bridges per VLAN
2. Designated port: this is a forwarding port and there must be one per link (it is the same as in STP)
3. Alternate ports: this port is a discarding port (in STP there are blocking ports and in RSTP they are called alternate ports, so instead of having a disabled link like in STP we have a backup path to the root using RSTP)
RSTP has many similarities with STP
RSTP must be running on all the switches found in our network, because if we have any switch running STP and the others are configured as RSTP, that STP switch will slow down the network
Usually we enable the portfast feature along with RSTP, using the command switch(config-if)# spanning-tree portfast, to improve the performance and have a fast network
When a port goes down in RSTP it is transitioned to alternate port mode and won't give any outage, but when you fail back to that alternate port (to transition to forwarding mode again) it will be down for 1-2 seconds only
Switch# show spanning-tree command is used to show the status of RSTP, whether it is running or not
Switch(config)# spanning-tree mode rapid-pvst command is used to enable RSTP on the switch; this command must be run on all the switches in the network to have a fast network; we can also use the keywords mst (multiple spanning tree, instead of rapid-pvst; this spanning tree mode is the oldest mode and it runs one instance of spanning tree on all the VLANs; this type is used when there are a lot of VLANs on the network and we don't want to consume a lot of router resources) or pvst (PVST+ is the default spanning tree running, so no need to enable it)
Example:
If we configured BPDU filter using the command switch(config-if)# spanning-tree bpdufilter enable, the BPDU filtering feature prevents the switch interface from sending or receiving BPDUs.
bpduguard stops sending BPDUs from an interface, and in case it receives a BPDU the port goes into an error state (shut down); this is activated on portfast ports in general, and it is used to protect our network from someone connecting an additional hub or switch to our existing switch; bpdufilter on the other hand stops sending AND receiving on the port, and in case it receives any BPDU it will only discard it; it is used on the access layer switch ports as we don't need to receive STP information there
Example:
Distance vector (DV) loop prevention mechanisms (RIP):
1. Maximum distance (hop-count limit): the maximum usable metric for RIP is
15 hops; a route with metric 16 is considered unreachable (infinity), so a
loop cannot count upwards forever.
2. Route poisoning: when a network goes down, RIP advertises it with metric
16, and according to the first mechanism (maximum distance) every router
treats that route as dead.
3. Triggered update: when there is a change in the network (typically a
network going down), the router immediately sends an update instead of
waiting for the 30-second periodic update timer, so the other routers learn
about the change right away (the down network is advertised as a poisoned
route).
4. Hold-down timer: when a network goes down, all the routers that are not
directly connected to it start this timer and suppress updates about that
network (a route with a better metric is still accepted) until the timer
expires; by default it is 180 seconds. This mechanism is useful when we
have flapping links that go up and down frequently.
5. Split horizon: the router never sends a route back out the interface on
which it learned that route. This mechanism causes problems on multipoint
Frame Relay interfaces (hub and spoke), where the hub learns routes from one
spoke and must re-advertise them out the same interface to the other
spokes, so we prefer to disable it there.
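The interaction between mechanisms 1, 2 and 5 is easier to see in a simulation than in prose. The Python model below is an added example, not part of the original notes: two routers A and B exchange synchronous RIP-style updates after B loses its directly connected network X, which B poisons with metric 16. Without split horizon, A keeps advertising the route it learned from B back to B, and both routers count up 3, 4, 5, ... until the hop-count limit ends the loop at 16; with split horizon the poisoned route is accepted in a single round. The two-router topology, the starting metrics and the synchronous rounds are assumptions made to keep the example small; real RIP timers make the same process take minutes rather than rounds.

```python
INFINITY = 16  # RIP metric for "unreachable"; usable hop counts are 0..15


def simulate(split_horizon, max_rounds=40):
    """Return the metric each router holds for network X after every round.

    Topology (assumed): A --- B --- X. B is attached to X; A learned X via B.
    The run starts at the moment B's link to X fails and B poisons the route.
    """
    # table: destination -> [metric, next_hop]; "direct" = attached network
    tables = {
        "A": {"X": [2, "B"]},
        "B": {"X": [1, "direct"]},
    }
    neighbors = {"A": ["B"], "B": ["A"]}
    tables["B"]["X"] = [INFINITY, "direct"]  # route poisoning (mechanism 2)

    history = []
    for _ in range(max_rounds):
        # Phase 1: every router builds the update it sends to each neighbor.
        inbox = {"A": [], "B": []}
        for router, table in tables.items():
            for peer in neighbors[router]:
                advert = {}
                for dest, (metric, next_hop) in table.items():
                    if split_horizon and next_hop == peer:
                        continue  # mechanism 5: never send it back the way it came
                    advert[dest] = metric
                inbox[peer].append((router, advert))

        # Phase 2: every router processes what it received (Bellman-Ford step).
        changed = False
        for router, messages in inbox.items():
            for sender, advert in messages:
                for dest, metric in advert.items():
                    candidate = min(metric + 1, INFINITY)  # mechanism 1: cap at 16
                    cur_metric, cur_next_hop = tables[router].get(dest, (INFINITY, None))
                    # Accept a better route, or any update from the current next
                    # hop (even a worse one: that is how a poisoned route spreads).
                    if candidate < cur_metric or sender == cur_next_hop:
                        if [candidate, sender] != [cur_metric, cur_next_hop]:
                            tables[router][dest] = [candidate, sender]
                            changed = True

        history.append({r: t["X"][0] for r, t in tables.items()})
        if not changed:
            break  # converged
    return history


if __name__ == "__main__":
    for sh in (False, True):
        hist = simulate(split_horizon=sh)
        print(f"split horizon {'on ' if sh else 'off'}: {len(hist)} rounds")
        for step in hist:
            print("   ", step)
```

Without split horizon the trace shows the classic count to infinity, with the metric bouncing between the two routers and growing by one each round until the cap stops it; with split horizon A never echoes X back to B, so the poisoned route wins immediately.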
4. It allows unequal-cost load balancing, configured with the variance
command (all the other routing protocols only load-balance over equal-cost
paths)
5. Combines the best of distance vector and link state
6. Supports multiple network protocols (IPX, AppleTalk and IP)
7. EIGRP uses hello packets like OSPF to discover neighbors; by default
EIGRP sends a hello every 5 seconds (60 seconds on low-speed NBMA links)
8. EIGRP supports sub-second convergence
EIGRP tables:
1. Neighbor table: shows all the neighbors with which an adjacency has formed
2. Topology table: contains EIGRP's whole map of the network; it remembers all
of the best routes (shown in the topology table as successors, the primary
links) and the backup routes (shown as feasible successors, the backup links)
3. Routing table: contains only the best routes (the successors)
Example:
Configuring EIGRP:
Router(config)# router eigrp 1
The number is the autonomous system number and must match on all routers.
Network statements are still required under this mode to activate EIGRP on
the interfaces (for the subnet in the table below that would be network
192.168.1.0 0.0.0.255; the statement itself is not shown in these notes).
Router# show ip eigrp neighbors
H   Address        Interface   Hold (sec)   Uptime     SRTT (ms)   RTO   Q Cnt   Seq Num
0   192.168.1.1    Fa0/0       11           00:00:40   4           200   0       2
The H column lists the neighbors in the order in which they were learned.
The Address column is the neighbor's IP address.
The Interface column is the local interface on this router that connects to
the neighbor.
The Hold column is how many seconds remain before this router declares the
neighbor dead if no hello arrives (each hello resets it to 15 seconds on
fast links); the Uptime column is how long the adjacency has been up.
The SRTT (smooth round-trip time) column is the average time for a packet to
reach the neighbor and be acknowledged; RTO (retransmission timeout) is
derived from it and says how long to wait before retransmitting a reliable
packet. Q Cnt is the number of packets queued for the neighbor and Seq Num is
the last sequence number received from it.
Router# show ip route command is used to show the EIGRP routes; they appear
with the code D.
Summarization in EIGRP:
EIGRP summarizes addresses automatically at classful network boundaries when
auto-summary is enabled (the default on older IOS; IOS 15 disables it by
default, and no auto-summary turns it off). This bites whenever you have a
discontiguous network (the same classful network advertised across a boundary
that belongs to a different network); the following example explains this
further.
16. Access-lists: the rules of ACLs (access control lists) (27:44 mins)
An ACL is an ordered list of permit and deny statements that allows (permits)
or denies specific traffic; the first statement that matches decides, and a
packet that matches nothing is dropped by the implicit deny at the end.
Examples:
1. An ACL can be used to allow a specific host (example: permit 192.168.2.58)
2. An ACL can be used to deny a whole subnet (example: deny 192.168.1.0/24)
3. An ACL can be used to allow a specific port for an IP (example: permit TCP
port 80 to 200.1.1.1)
4. An ACL can be used to deny a range of ports for a whole subnet (example:
deny a TCP port range for 210.0.1.0/24) or to permit all TCP traffic for that
subnet
2. Extended:
An extended ACL matches on source/destination addresses, protocol and
source/destination port numbers.
It has higher processor utilization than a standard ACL.
The syntax of extended ACLs takes some time to learn.
3. Dynamic (lock-and-key): this type of ACL expands and shrinks depending on
who is authenticated at the time.
Example: an ACL has been created to allow users to access the internet for a
specific amount of time. If the username and password provided by a user do
not authenticate, they cannot access the internet; if they do, a temporary
permit entry is added for that user and they can use the internet for the
amount of time configured in the ACL.
4. Established (reflexive): this type of ACL allows the return traffic for
internal requests (requests that originated from inside the network); it is
basically used when we want to deny all traffic that originates from the
internet. Strictly speaking, the established keyword on an extended ACL only
matches TCP segments with the ACK or RST bit set, so it filters on flags
rather than on session state; a reflexive ACL is the stateful variant that
creates a temporary mirror entry when it sees the outbound session.
Example in theory:
The any keyword represents 0.0.0.0 255.255.255.255 (address 0.0.0.0 with a
wildcard mask of all ones, so every address matches); the host keyword is
the opposite, a wildcard of 0.0.0.0 so every bit of the address must match.
Router(config)# interface serial 0/0
Router(config-if)# ip access-group 1 in
The ip access-group command applies an ACL to a specific interface; in our
example we apply ACL number 1 on serial 0/0 in the inbound direction. The
out keyword can be used instead of in. Only one ACL per protocol, per
interface and per direction can be applied, and applying an ACL number that
has no entries permits everything, so create the entries before binding the
ACL to a production interface.
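The rules above (wildcard masks, any and host, first match wins, established, implicit deny) are easy to get wrong when writing an ACL by hand, so here is a small evaluator in Python. It is an added example and not code from these notes: the ACL is a hypothetical extended list built from the four examples earlier in this section plus an established line, and the packets are constructed test inputs. The packet and entry field names are the example's own.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


ANY = ("0.0.0.0", "255.255.255.255")  # the 'any' keyword


def host(ip):
    """The 'host' keyword: wildcard 0.0.0.0, so every bit must match."""
    return (ip, "0.0.0.0")


def evaluate(acl, pkt):
    """First matching entry wins; a packet that matches nothing hits the
    implicit 'deny any' at the end. Returns (action, index of matching entry)."""
    for i, entry in enumerate(acl):
        if entry["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *entry["src"]):
            continue
        if not wildcard_match(pkt["dst"], *entry["dst"]):
            continue
        if "dport" in entry and pkt.get("dport") not in entry["dport"]:
            continue
        # 'established' matches only TCP segments with ACK or RST set: a flag
        # check, not connection tracking (a reflexive ACL is the stateful one).
        if entry.get("established") and not (pkt.get("ack") or pkt.get("rst")):
            continue
        return entry["action"], i
    return "deny", None


# Hypothetical extended ACL (assumed for the example); entry order matters.
ACL_101 = [
    {"action": "permit", "proto": "ip",  "src": host("192.168.2.58"), "dst": ANY},
    {"action": "deny",   "proto": "ip",  "src": ("192.168.1.0", "0.0.0.255"), "dst": ANY},
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": host("200.1.1.1"), "dport": {80}},
    {"action": "deny",   "proto": "tcp", "src": ("210.0.1.0", "0.0.0.255"), "dst": ANY,
     "dport": range(20, 22)},
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ANY, "established": True},
]

# Constructed packets (assumed values, not from the notes).
PACKETS = {
    "allowed_host":   {"proto": "udp", "src": "192.168.2.58", "dst": "8.8.8.8", "dport": 53},
    "denied_subnet":  {"proto": "tcp", "src": "192.168.1.77", "dst": "200.1.1.1", "dport": 80},
    "web_to_server":  {"proto": "tcp", "src": "10.0.0.5", "dst": "200.1.1.1", "dport": 80},
    "ftp_from_210":   {"proto": "tcp", "src": "210.0.1.9", "dst": "1.2.3.4", "dport": 21},
    "return_traffic": {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.5", "dport": 1098, "ack": True},
    "unsolicited":    {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.5", "dport": 1098},
}


def run_all(acl=ACL_101, packets=PACKETS):
    """Evaluate every constructed packet against the ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, idx) in run_all().items():
        where = f"entry {idx}" if idx is not None else "implicit deny"
        print(f"{name:15s} {action:6s} ({where})")
```

The denied_subnet packet is the one to study: it is a web request to 200.1.1.1 that entry 2 would permit, but entry 1 comes first and denies the whole subnet, so ordering decides the outcome. The unsolicited packet shows the implicit deny at work, and the return_traffic packet shows that established is satisfied by nothing more than an ACK bit, which is why an attacker can push ACK-flagged probes through such an ACL.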
2. Remote access:
The remote access style is used to connect home users or laptops to the
office.
A remote access client, called the VPN client, is installed on those home
PCs and laptops.
Once the VPN client has authenticated to the office VPN device, the home PC
or laptop is connected to the office securely and its traffic is sent
encrypted.
We can use this style to connect an IP phone at home and use that phone as
if we were sitting in the office.
SSL VPN (web VPN): instead of installing a VPN client on the laptop or home
PC we use SSL VPN. The router generates a website that asks the user for a
username and password; once the user authenticates with that website, the
router installs a small VPN client on the laptop or home PC that stays for as
long as the user is connected to that VPN. Once the user disconnects from
the VPN, the small VPN client is removed.
IPsec:
IPsec is the security protocol suite used by VPNs (IPsec does the encryption
on the VPN).
IPsec works at the network (Internet) layer, not the transport layer: AH and
ESP are carried directly inside IP as protocol numbers 51 and 50, beside TCP
(6) and UDP (17).
IPsec contains 4 categories:
1. Encryption protocols (ciphers):
Encryption protocols are used to hide the data.
The weaker the encryption, the faster the connection and the less
processing on the router.
The stronger the encryption, the more secure you are, but there is more
overhead on the router.
The encryption protocols are DES (weakest, 56-bit key), 3DES and AES
(strongest). DES and 3DES are no longer considered secure; use AES with
a 128- or 256-bit key.
2. Authentication (integrity) protocols:
Authentication protocols make sure that data is not changed while it is
transferred from one end to the other and that it came from a peer that
holds the key. This stops man-in-the-middle tampering and spoofed (fake)
traffic injected into the VPN.
The authentication protocols are MD5 and SHA-1, used as HMAC-MD5 and
HMAC-SHA-1. Both are deprecated; HMAC-SHA-256 or stronger should be used.
3. Protection (key exchange) protocols:
Traffic sent over the VPN connection is encrypted (scrambled), and both ends
of the VPN connection must hold the same encryption/decryption keys to
understand it. Protection protocols let the two ends agree on those keys
over the untrusted network without ever sending the key itself, so a man in
the middle who records the exchange cannot recover it.
The protection protocols are the Diffie-Hellman (DH) groups: DH1, DH2, DH5,
DH7 in these notes (DH1, DH2 and DH5 are 768-, 1024- and 1536-bit MODP
groups; group 14 or larger, or an elliptic-curve group, is what should be
used today). Note that Diffie-Hellman on its own only defeats a passive
listener; an active man in the middle is stopped by the IKE authentication
(pre-shared key or certificates) that wraps the exchange.
4. Negotiation protocols:
The negotiation protocols are AH (Authentication Header; this protocol
cannot do encryption) and ESP (Encapsulating Security Payload; this protocol
can do encryption, authentication and protection), or ESP+AH. In the
standards these two are called the IPsec security protocols, and the actual
negotiation of which algorithms to use is done by IKE.
Negotiation protocols are what makes IPsec configurable: if we only want
authentication protocols (point 2) we use AH; if we want authentication,
protection and encryption protocols included in IPsec (points 1, 2 and 3)
we use ESP, and so on. In other words, with these protocols we specify which
IPsec categories are included.
This is what keeps IPsec from being replaced in the future: it can be
customized as much as we want, and new algorithms can be negotiated without
changing the framework.
Security over a public network:
VPN works based on encryption keys.
Encryption key styles (types):
1. Symmetric encryption:
Symmetric encryption uses the same key to encrypt and decrypt the data, so
both ends of the VPN must hold that key (this is the key the Diffie-Hellman
exchange agrees on).
The benefit of symmetric encryption is that it is fast
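The two IPsec categories that are hardest to picture from the list above are the protection (Diffie-Hellman) step and the authentication (HMAC) step, and the symmetric-key point just made depends on the first of them: both ends must end up with the same key without that key ever crossing the wire. The Python below, an added example and not code from these notes, runs a Diffie-Hellman exchange between two peers, derives a shared symmetric key from the result, protects a packet with an HMAC-SHA256 integrity tag the way AH/ESP authentication does, and shows that a single flipped bit on the path makes verification fail. The modulus is a toy 127-bit prime chosen for the example, not an IKE group, and the key derivation is a simplified stand-in for what IKE actually does; the function and label names are the example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumed for this example only): a 127-bit
# Mersenne prime and generator 3. Real IKE uses the RFC 3526 MODP groups
# (group 14, 2048-bit, or larger) or elliptic-curve groups; never use this
# modulus for real traffic.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Private exponent stays on the box; only g^priv mod p goes on the wire."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Both ends compute the same value without the secret crossing the link."""
    return pow(peer_pub, priv, P)


def derive_key(shared_secret, label=b"demo-sa-integrity"):
    """Turn the raw DH result into a fixed-size key (HMAC used as a simple KDF;
    IKE's real PRF-based derivation also mixes in nonces and SPIs)."""
    return hmac.new(shared_secret.to_bytes(16, "big"), label, hashlib.sha256).digest()


TAG_LEN = 32  # SHA-256 output size


def protect(key, payload):
    """Append an HMAC-SHA256 integrity check value, as AH/ESP authentication does."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(key, message):
    """Return the payload if the tag checks out, None if it was tampered with."""
    payload, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def exchange(payload=b"GET / HTTP/1.1", tamper=False):
    """One run: peers A and B agree on a key, A protects a packet, B verifies it.

    Returns (keys_match, verified_payload_or_None)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # each side combines its own private value with the other's public value
    key_a = derive_key(dh_shared(a_priv, b_pub))
    key_b = derive_key(dh_shared(b_priv, a_pub))
    wire = protect(key_a, payload)
    if tamper:  # an on-path attacker flips one bit of the payload
        wire = bytes([wire[0] ^ 0x01]) + wire[1:]
    return key_a == key_b, verify(key_b, wire)


if __name__ == "__main__":
    print("clean:   ", exchange())
    print("tampered:", exchange(tamper=True))
```

Note what the example does not do: nothing here proves to A that b_pub really came from B. An attacker who can substitute public values on the path ends up sharing one key with each side, which is why IKE authenticates the exchange with a pre-shared key or certificates before any IPsec SA is built.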
Frame Relay PVC designs:
1. Hub and spoke design:
This design is the most common design used because it is cheap (one PVC per
spoke).
The disadvantages of using this design:
a. You have a single point of failure: if the hub's link is down, everything
is down.
b. There is delay in this design: spoke-to-spoke traffic has to transit the
hub, which adds to the delay (the time it takes a packet to get from one
place to another). We care more about delay lately because VoIP traffic is
now carried on the data networks.
For R1 (multipoint, configured on the physical interface)
Router1(config)# interface serial 0/1/0
Router1(config-if)# ip address 192.168.1.1 255.255.255.0
Router1(config-if)# no shutdown
Router1(config-if)# encapsulation frame-relay
    This command enables Frame Relay on the interface.
Router1(config-if)# frame-relay lmi-type cisco
    This command configures which LMI signaling to use between our router and
    the ISP's Frame Relay switch. Modern routers auto-detect the signaling
    type, so the command is usually not needed. Instead of the cisco keyword
    we can specify ansi or q933a.
Router1(config-if)# frame-relay map ip 192.168.1.2 102 broadcast
Router1(config-if)# frame-relay map ip 192.168.1.3 103 broadcast
    One frame-relay map command is needed for every neighbor we connect to
    (this is how the PVCs are tied to IP next hops; with 2 neighbors we need
    2 map commands). We specify the remote IP address (192.168.1.2) and the
    local DLCI that leads to it (102). The broadcast keyword lets broadcasts
    and multicasts from this router cross the PVC to the other routers: RIP,
    OSPF and EIGRP advertisements depend on it, and Frame Relay drops them by
    default, so without it the routing protocols will not work. If the router
    at the other end is not a Cisco router, add the ietf keyword to the map
    (it selects IETF encapsulation for that PVC; it goes alongside broadcast,
    not instead of it).
Router1(config-if)# no ip split-horizon
    This command disables split horizon on R1. In a multipoint configuration
    the hub learns routes from one spoke and must re-advertise them out the
    same interface to the other spokes, so split horizon has to be disabled to
    avoid problems.
For R2
Router2 (config) # interface serial 0/0
For R1 (point-to-point subinterfaces)
Router1(config)# interface serial 0/1/0
Router1(config-if)# encapsulation frame-relay
    Nothing else is configured on the physical interface; everything else
    goes under the subinterfaces.
Router1(config-if)# no shutdown
    Once the main interface is enabled, all its subinterfaces are enabled as
    well.
Router1(config-if)# exit
Router1(config)# interface serial 0/1/0.102 point-to-point
    This command creates a point-to-point subinterface. The point-to-point
    keyword can be replaced with multipoint, which behaves like the physical
    interface in the previous configuration.
Router1(config-subif)# ip address 192.168.1.1 255.255.255.0
Router1(config-subif)# frame-relay interface-dlci 102
    In the multipoint configuration we needed the frame-relay map command
    with the broadcast keyword, plus we had to disable split horizon. On a
    point-to-point subinterface we only specify the local DLCI: broadcasts are
    forwarded over it by default, there is a single neighbor so no per-neighbor
    mapping is needed, and split horizon is not a problem because each
    subinterface is a separate interface to the routing protocol. Each
    point-to-point subinterface needs its own subnet, so a second
    subinterface for DLCI 103 would use a different network than
    192.168.1.0/24.
Router1(config-fr-dlci)# exit
Router1(config-subif)# exit
To
1.
using the routing protocols to the server located in china ( the closet
) and so on
2.
Unique local (RFC 4193) / site-local (RFC 3513) addresses:
The current name of this type is unique local address; it was formerly known
as the site-local address (fec0::/10, deprecated by RFC 3879).
This type is used within enterprise networks; it is not routable on the
internet, so it marks the boundary of the enterprise's own network.
These addresses look like the private addresses in IPv4.
They use the following format: fc00::/7 (first 7 bits 1111110; in practice
fd00::/8, with the next 40 bits a randomly generated global ID).
By contrast, global unicast addresses, the public addresses expected to
make up the IPv6 internet, use the 001 prefix, i.e. 2000::/3; the first
block handed out for the internet was 2001::/16.
Tunneling :
a. 6 to 4
b. 4 to 6