
Cisco Certified Network Associate

(CCNA)
Exam Code No: 640 – 802

Chapter
Routing Protocol
Static Routing
Default Routing
Dynamic Routing
RIP
RIPv2
IGRP
EIGRP
OSPF
Frame-Relay

Managing Traffic with Access-list

NAT and PAT

PAP and CHAP

Switch

VPN

Layers

IP Addresses

Wireless
Routing Basics

What is Routing?

o The term “routing” is used for taking a packet from one device and sending it
through the network to another device on a different network.
o Routers don’t really care about hosts—they only care about networks and the best
path to each network.

Routers route traffic to all the networks in your internetwork. To be able to route packets,
a router must know, at a minimum, the following:
 Destination address
 Neighbor routers from which it can learn about remote networks
 Possible routes to all remote networks
 The best route to each remote network
 How to maintain and verify routing information

Routing Example:

[Figure: Host_A and Host_B on different networks, joined by the Lab_A router; the figure labels the router interfaces F0/0 with the addresses 192.168.10.1 and 192.168.20.1, the hosts with 192.168.10.2 and 192.168.20.2, and shows a link to the Internet.]

• Routing is taking place from Host_A to Host_B through the Lab_A Router.
• To be able to route, the router must know how to get into the network
172.16.20.0.
ROUTING TYPES

1. Static Routing
2. Default Routing
3. Dynamic Routing

1. Static Routing.

Static routing occurs when you manually add routes to each router’s routing table.
By default, static routes have an Administrative Distance (AD) of 1.

Features
 There is no overhead on the router CPU
 There is no bandwidth usage between routers
 It adds security, because the administrator can choose to allow routing access to
certain networks only.

Configuring Static Routing

Router(config)#ip route Destination_network Mask Next-Hop_Address [administrative_distance] (or)
Router(config)#ip route Destination_network Mask Exit_interface [administrative_distance]
ip route : The command used to create the static route.
destination_network : The network you’re placing in the routing table.
mask : The subnet mask being used on the network.
next-hop_address : The address of the next-hop router.
exit_interface : Can be used in place of the next-hop address.
administrative_distance : Optional; by default, static routes have an administrative distance of 1.

[Figure: two serial links, each with a DTE end and a DCE end, between routers that have F0/0 LAN interfaces and the serial interfaces S0/0, S0/0, S0/1 and S0/0.]

DTE - Data Terminal Equipment
DCE - Data Communication Equipment

2. Default Routing.

Default routing is used to send packets with a remote destination network that is not
in the routing table to the next-hop router.
Default routing can only be used on stub networks, those with only one exit
path out of the network.

Configuring Default Routing

Router(config)#ip route 0.0.0.0 0.0.0.0 Next-Hop_Address
Router(config)#ip route 0.0.0.0 0.0.0.0 Exit_interface
Router(config)#ip default-network Network_address
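As an added example (not code from the original page), here is the lookup a router performs against a table built from the static and default route commands above, written in Python: a small parser for the `ip route NETWORK MASK (NEXT_HOP|INTERFACE) [AD]` command form, and a longest-prefix-match lookup that shows why the 0.0.0.0/0 default route is used only when nothing more specific matches. The prefixes, next hops and the floating static route with AD 5 are constructed for the example.

```python
import ipaddress

# Constructed example: the routing table a router would hold after the static and
# default route commands shown above. Prefixes and next hops are hypothetical.
STATIC_COMMANDS = [
    "ip route 30.0.0.0 255.0.0.0 20.0.0.2",        # next-hop form, default AD 1
    "ip route 40.0.0.0 255.0.0.0 Serial0/0",       # exit-interface form
    "ip route 40.0.0.0 255.0.0.0 20.0.0.9 5",      # floating static, AD 5 (backup)
    "ip route 0.0.0.0 0.0.0.0 20.0.0.2",           # default route
]
CONNECTED = [("10.0.0.0/8", "FastEthernet0/0"), ("20.0.0.0/8", "Serial0/0")]


def parse_ip_route(command):
    """Parse 'ip route NETWORK MASK (NEXT_HOP|INTERFACE) [AD]' into
    (network, target, administrative_distance). AD defaults to 1 for static routes."""
    parts = command.split()
    if parts[:2] != ["ip", "route"] or len(parts) not in (5, 6):
        raise ValueError(f"not an ip route command: {command!r}")
    network = ipaddress.ip_network(f"{parts[2]}/{parts[3]}")
    ad = int(parts[5]) if len(parts) == 6 else 1
    return network, parts[4], ad


def build_table(static_commands=STATIC_COMMANDS, connected=CONNECTED):
    """Build a routing table as a dict: network -> (target, AD). When the same
    prefix is offered twice, the lower AD wins (the floating static stays out)."""
    table = {}
    for prefix, interface in connected:
        table[ipaddress.ip_network(prefix)] = (interface, 0)   # connected: AD 0
    for command in static_commands:
        network, target, ad = parse_ip_route(command)
        if network not in table or ad < table[network][1]:
            table[network] = (target, ad)
    return table


def lookup(destination, table):
    """Longest-prefix match. The default route 0.0.0.0/0 contains every address,
    so it is used only when no longer prefix matches. Returns (prefix, target)
    or None when the packet would be dropped."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, (target, _ad) in table.items():
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, target)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    table = build_table()
    for dest in ("10.1.1.1", "30.5.5.5", "40.0.0.7", "99.1.2.3"):
        print(dest, "->", lookup(dest, table))
```

Remove the `0.0.0.0/0` entry from `STATIC_COMMANDS` and the lookup for 99.1.2.3 returns `None`: without a default route a packet for an unknown network is dropped, which is exactly the case the stub-network default route exists to cover.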

3. Dynamic Routing.

Dynamic routing is when protocols are used to find networks and update the routing
tables on routers.
A routing protocol defines the set of rules used by a router when it communicates
routing information between neighbor routers.
There are two types of routing protocols used in internetworks:
 Interior Gateway Protocols (IGPs)
IGPs are used to exchange routing information with routers in the same
Autonomous System (AS) number.
 Exterior Gateway Protocols (EGPs)
EGPs are used to communicate between different Autonomous Systems.

Autonomous System.

An autonomous system is a collection of networks under a common
administrative domain, which basically means that all routers sharing the same routing
table information are in the same AS.

Routing Protocol Basics.

• Administrative Distances
• Routing protocol
• Routing Loops

Administrative Distances.

The Administrative Distance (AD) is used to rate the trustworthiness of routing
information received on a router from a neighbor router. An Administrative Distance is an
integer from 0 to 255, where 0 is the most trusted and 255 means no traffic will be passed
via this route.
If a router receives two updates listing the same remote network, the first thing the
router checks is the AD. If one of the advertised routes has a lower AD than the other, then
the route with the lowest AD will be placed in the routing table.
If both advertised routes to the same network have the same AD, then routing
protocol metrics (such as hop count or bandwidth of the lines) will be used to find the
best path to the remote network. The advertised route with the lowest metric will be
placed in the routing table.
But if both advertised routes have the same AD as well as the same metrics, then
the routing protocol will load-balance to the remote network.

Default Administrative Distances

Route Source          Default AD
Connected interface   0
Static Route          1
EIGRP                 90
IGRP                  100
OSPF                  110
RIP                   120
External EIGRP        170
Unknown               255 (this route will never be used)
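An added example (not from the page) of the selection order just described, in Python: lowest administrative distance first, then lowest metric among equal ADs, then equal-cost load balancing when both tie. The AD table is the one above; the candidate routes, their metrics and next hops are constructed.

```python
# Constructed example: candidate routes for the same prefix, as a router would
# receive them from different sources. Metrics and next hops are hypothetical.
DEFAULT_AD = {
    "connected": 0, "static": 1, "eigrp": 90, "igrp": 100,
    "ospf": 110, "rip": 120, "eigrp-external": 170, "unknown": 255,
}
NEVER_USED = 255   # AD 255: the route is never installed


def route(source, metric, next_hop):
    return {"source": source, "metric": metric, "next_hop": next_hop}


def select_routes(candidates):
    """Pick the route(s) installed for one prefix.
    1. The lowest administrative distance wins.
    2. Among equal ADs, the lowest protocol metric wins.
    3. Equal AD and equal metric: all are installed (load balancing).
    Routes with AD 255 are never installed."""
    usable = [c for c in candidates if DEFAULT_AD[c["source"]] < NEVER_USED]
    if not usable:
        return []
    best_ad = min(DEFAULT_AD[c["source"]] for c in usable)
    same_ad = [c for c in usable if DEFAULT_AD[c["source"]] == best_ad]
    best_metric = min(c["metric"] for c in same_ad)
    return [c for c in same_ad if c["metric"] == best_metric]


if __name__ == "__main__":
    # A 2-hop RIP route loses to a cost-200 OSPF route: AD is compared before metric,
    # and metrics of different protocols are never compared with each other.
    chosen = select_routes([route("rip", 2, "10.1.1.1"), route("ospf", 200, "10.1.1.2")])
    print([c["source"] for c in chosen])
```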

Routing Protocols.
There are three classes of Routing Protocol
• Distance vector protocol
• Link state protocol
• Hybrid protocol

Distance vector protocol.

The distance-vector protocols find the best path to a remote network by judging
distance. Each time a packet goes through a router, that’s called a hop. The route with the
least number of hops to the network is determined to be the best route. The vector
indicates the direction to the remote network. They send the entire routing table to
directly connected neighbors.
Ex: RIP, IGRP.

Link state protocol.

Also called shortest-path-first protocols, the routers each create three separate
tables. One keeps track of directly attached neighbors, one determines the topology of the
entire internetwork, and one is used as the routing table. Link state routers know more
about the internetwork than any distance-vector routing protocol. Link state protocols
send updates containing the state of their own links to all other routers on the network.
Ex: OSPF

Hybrid protocol
Hybrid protocols use aspects of both distance-vector and link state protocols.
Ex: EIGRP

Distance-vector Routing Protocols

 The distance-vector routing algorithm passes complete routing table contents to
neighboring routers.
 A router receiving an update from a neighbor router believes the information
about remote networks without actually finding out for itself.
 It’s possible to have a network that has multiple links to the same remote network,
and if that’s the case, the administrative distance is checked first. If the AD is the
same, the protocol will have to use other metrics to determine the best path to use
to that remote network.

Converged Network
Routing Loops
Distance-vector routing protocols keep track of any changes to the internetwork
by broadcasting periodic routing updates out all active interfaces. This broadcast includes
the complete routing table.
Routing loops can occur because every router isn’t updated simultaneously.

Routing Loops Example

[Figure: Routers A, B, C and E in a row, with Networks 3, 4 and 5 between them and Router D attached below; Network 5 is reached through Router E.]

The interface to Network 5 fails. All routers know about Network 5 from Router
E. Router A, in its tables, has a path to Network 5 through Router B.
When Network 5 fails, Router E tells Router C. This causes Router C to stop
routing to Network 5 through Router E. But Routers A, B, and D don’t know about
Network 5 yet, so they keep sending out update information. Router C will eventually
send out its update and cause B to stop routing to Network 5, but Routers A and D are
still not updated. To them, it appears that Network 5 is still available through Router B
with a metric of 3. The problem occurs when Router A sends out its regular 30-second
“Hello, I’m still here—these are the links I know about” message, which includes the
ability to reach Network 5. Now Routers B and D receive the wonderful news that
Network 5 can be reached from Router A, so Routers B and D then send out the
information that Network 5 is available. Any packet destined for Network 5 will go to
Router A, to Router B, and then back to Router A. This is a routing loop.

Loop Avoidance

Maximum Hop Count

RIP permits a hop count of up to 15, so anything that requires 16 hops is deemed
unreachable. Thus, the maximum hop count will control how long it takes for a routing
table entry to become invalid.

Split Horizon

This reduces incorrect routing information and routing overhead in a distance-
vector network by enforcing the rule that routing information cannot be sent back in the
direction from which it was received.

Route Poisoning

When Network 5 goes down, Router E initiates route poisoning by
advertising Network 5 as 16, or unreachable. When Router C receives a route poisoning
from Router E, it sends an update, called a poison reverse, back to Router E. This ensures
all routers on the segment have received the poisoned route information.
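An added simulation (not from the page) in Python of the three loop-avoidance mechanisms just listed, on the chain Router A - B - C - E with Network 5 behind Router E as in the routing-loop example. Each round every router sends its table to its neighbours, as a periodic update does; with plain updates the routers count up hop by hop until the maximum hop count of 16 finally declares the network unreachable, whereas with split horizon (poison reverse variant) and route poisoning from Router E the tables settle in three rounds. The topology, the hop metrics and the names `Net5` and A/B/C/E are constructed for the example.

```python
# Constructed simulation: four routers in a chain A - B - C - E, Network 5 attached
# to E. Each round, every router sends its table to each neighbour; the receiver
# applies the distance-vector rule (neighbour's metric + 1 hop).
INFINITY = 16   # RIP: 16 hops means unreachable (maximum hop count)


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = []
        self.table = {}   # network -> [metric, learned_from]

    def advertisement_for(self, neighbor, split_horizon):
        """Routing update sent to one neighbour. With split horizon (poison reverse
        variant) routes learned from that neighbour are sent back to it as 16."""
        adv = {}
        for network, (metric, via) in self.table.items():
            adv[network] = INFINITY if (split_horizon and via == neighbor.name) else metric
        return adv

    def receive(self, sender, adv):
        changed = False
        for network, metric in adv.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(network)
            if cur is None:
                if new < INFINITY:
                    self.table[network] = [new, sender]
                    changed = True
            elif cur[1] == sender:
                # an update from the current next hop is always believed, even if worse
                if cur[0] != new:
                    cur[0] = new
                    changed = True
            elif new < cur[0]:
                self.table[network] = [new, sender]
                changed = True
        return changed


def run_round(routers, split_horizon):
    # Build all updates first, so every router sends the table it had at round start.
    msgs = [(r.name, n, r.advertisement_for(n, split_horizon))
            for r in routers for n in r.neighbors]
    changed = False
    for sender, receiver, adv in msgs:
        changed = receiver.receive(sender, adv) or changed
    return changed


def converge(routers, split_horizon, max_rounds=100):
    """Run rounds until no table changes; return how many rounds changed something."""
    for i in range(max_rounds):
        if not run_round(routers, split_horizon):
            return i
    return max_rounds


def simulate(split_horizon):
    """Returns (metrics before the failure, rounds to reconverge, metrics after)."""
    a, b, c, e = (Router(n) for n in "ABCE")
    for x, y in ((a, b), (b, c), (c, e)):
        x.neighbors.append(y)
        y.neighbors.append(x)
    routers = [a, b, c, e]
    e.table["Net5"] = [0, "connected"]
    converge(routers, split_horizon)
    before = {r.name: r.table["Net5"][0] for r in routers}
    # E's interface to Network 5 fails; E keeps advertising it as 16 (route poisoning).
    e.table["Net5"] = [INFINITY, "connected"]
    rounds = converge(routers, split_horizon)
    after = {r.name: r.table["Net5"][0] for r in routers}
    return before, rounds, after


if __name__ == "__main__":
    for sh in (False, True):
        before, rounds, after = simulate(sh)
        print(f"split horizon={sh}: before={before} rounds={rounds} after={after}")
```

Without split horizon, C believes E's stale advertisement and E believes C's, so both metrics climb by one every other round; the loop ends only because 16 is defined as unreachable, which is the "maximum hop count controls how long an entry takes to become invalid" point made above.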

Router Configuration Modes

 User mode (or) Console mode - Router> (user logon mode)
 Privilege mode - Router#
 Global Configuration mode - Router(config)#
 Specification mode (interface configuration) - Router(config-if)#

Password set to Console mode

Router>enable
Router#configure terminal
Router(config)#line console 0
Router(config-line)#password *****
Router(config-line)#login

Password set to Privilege mode

Text Password
Router>enable
Router#configure terminal
Router(config)#enable password *****

Secret Password
Router>enable
Router#configure terminal
Router(config)#enable secret *****

Password set to Auxiliary port

Router>enable
Router#configure terminal
Router(config)#line aux 0
Router(config-line)#password *****
Router(config-line)#login

Password set to Vty (Virtual Teletype - TELNET)

Router>enable
Router#configure terminal
Router(config)#line vty 0 4 (some routers provide vty 0 15)
Router(config-line)#password *****
Router(config-line)#login

Configure IP address to LAN port

Router>enable
Router#configure terminal
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address A.B.C.D Subnet_mask
Router(config-if)#no shutdown
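An added example (not from the page): a Python audit over a constructed running-config excerpt that checks the settings just configured. It flags `enable password` used without `enable secret` (the former is stored in clear text or reversibly, the latter as a hash), line passwords kept in clear text because `service password-encryption` is absent, and lines whose password is never asked for because `login` is missing. The config text, the hostname and the placeholder hash strings are constructed, not real device output.

```python
# Constructed running-config excerpts (not from the page): WEAK uses the plain
# 'enable password' and leaves two lines without 'login'; HARDENED is the corrected
# form. The hash and type-7 strings are placeholders, not real IOS output.
WEAK_CONFIG = """\
hostname Router
enable password cisco123
line con 0
 password cisco123
 login
line aux 0
 password cisco123
line vty 0 4
 password cisco123
"""

HARDENED_CONFIG = """\
hostname Router
service password-encryption
enable secret 5 $1$PLACEHOLDER_SALT$PLACEHOLDER_HASH
line con 0
 password 7 PLACEHOLDER_TYPE7
 login
line aux 0
 password 7 PLACEHOLDER_TYPE7
 login
line vty 0 4
 password 7 PLACEHOLDER_TYPE7
 login
"""


def parse_sections(config):
    """Split a config into global commands and the indented bodies of 'line ...' sections."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        current = None
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(config):
    """Return (where, finding) pairs for password weaknesses in the config text."""
    global_cmds, sections = parse_sections(config)
    findings = []
    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    has_enable_pw = any(c.startswith("enable password") for c in global_cmds)
    if has_enable_pw and not has_secret:
        # 'enable password' is stored in clear text (or reversible type 7); 'enable secret' is hashed
        findings.append(("global", "enable-password-without-secret"))
    elif has_enable_pw:
        # enable secret takes precedence, but the weaker password still sits in the config
        findings.append(("global", "enable-password-redundant"))
    line_passwords = [c for cmds in sections.values() for c in cmds if c.startswith("password ")]
    if line_passwords and "service password-encryption" not in global_cmds:
        findings.append(("global", "cleartext-line-passwords"))
    for name, cmds in sections.items():
        if any(c == "login local" for c in cmds):
            continue                                # username-based login; not a line password
        has_pw = any(c.startswith("password ") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if has_pw and not has_login:
            findings.append((name, "password-not-enforced"))   # 'login' makes the line ask for it
        elif has_login and not has_pw:
            findings.append((name, "login-without-password"))  # IOS refuses access on such a line
        elif not has_pw and not has_login:
            findings.append((name, "unauthenticated"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```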

Static Routing Configuration

LAB

[Figure: 1700A (F0/0 10.0.0.1; S0/0 20.0.0.1) --- 3600A (S3/0 20.0.0.2; S3/1 40.0.0.1; F0/0 30.0.0.1) --- 1700B (S0/0 40.0.0.2; F0/0 50.0.0.1).]

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#end
1700A#show ip route
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#ip route 30.0.0.0 255.0.0.0 20.0.0.2 (or, using the exit interface: ip route 30.0.0.0 255.0.0.0 Serial 0/0)
1700A(config)#ip route 40.0.0.0 255.0.0.0 20.0.0.2 (or Serial 0/0)
1700A(config)#ip route 50.0.0.0 255.0.0.0 20.0.0.2 (or Serial 0/0)
1700A(config)#end
1700A#show ip interface brief
1700A#show ip protocols

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface Serial 3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#do show controllers Serial 3/0 (to see whether this end is DCE or DTE; only the DCE end needs a clock rate)
3600A(config-if)#clock rate 64000
3600A(config-if)#interface Serial 3/1
3600A(config-if)#ip address 40.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface FastEthernet 0/0
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#end
3600A#show ip route
3600A#show ip interface brief
3600A#configure terminal
3600A(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1 (or Serial 3/0)
3600A(config)#ip route 50.0.0.0 255.0.0.0 40.0.0.2 (or Serial 3/1)
3600A(config)#end
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 50.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 40.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#end
1700B#show ip route
1700B#show ip interface brief
1700B#configure terminal
1700B(config)#ip route 10.0.0.0 255.0.0.0 40.0.0.1 (or Serial 0/0)
1700B(config)#ip route 20.0.0.0 255.0.0.0 40.0.0.1 (or Serial 0/0)
1700B(config)#ip route 30.0.0.0 255.0.0.0 40.0.0.1 (or Serial 0/0)
1700B(config)#end
1700B#show ip interface brief
1700B#show ip route
1700B#show ip protocols
1700B#ping 10.0.0.1

Default Routing Configuration

LAB

[Figure: 1700A (F0/0 10.0.0.1; S0/0 20.0.0.1) --- 3600A (S3/0 20.0.0.2; S3/1 30.0.0.1) --- 1700B (S0/0 30.0.0.2; F0/0 40.0.0.1).]

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#end
1700A#show ip route
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
or
1700A(config)#ip route 0.0.0.0 0.0.0.0 Serial 0/0
or
1700A(config)#ip default-network 20.0.0.0
1700A(config)#end
1700A#show ip interface brief
1700A#show ip protocols

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface Serial 3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#do show controllers Serial 3/0 (to see whether this end is DCE or DTE)
3600A(config-if)#clock rate 64000
3600A(config-if)#interface Serial 3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#end
3600A#show ip route
3600A#show ip interface brief
3600A#configure terminal
3600A(config)#ip route 0.0.0.0 0.0.0.0 30.0.0.2
or
3600A(config)#ip route 0.0.0.0 0.0.0.0 Serial 3/1
or
3600A(config)#ip default-network 30.0.0.0
3600A(config)#ip route 10.0.0.0 255.0.0.0 20.0.0.1 (or Serial 3/0; a static route back to the 1700A LAN)
3600A(config)#end
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#end
1700B#show ip route
1700B#show ip interface brief
1700B#configure terminal
1700B(config)#ip route 0.0.0.0 0.0.0.0 30.0.0.1
or
1700B(config)#ip route 0.0.0.0 0.0.0.0 Serial 0/0
or
1700B(config)#ip default-network 30.0.0.0
1700B(config)#end
1700B#show ip interface brief
1700B#show ip route
1700B#show ip protocols
1700B#ping 10.0.0.1
Routing Information Protocol (RIP)

 Routing Information Protocol is a true distance-vector routing protocol.
 It sends the complete routing table out to all active interfaces every 30 seconds.
 RIP only uses hop count to determine the best way to a remote network, but it has a
maximum allowable hop count of 15 (valid values 0-15) by default, meaning that 16 is deemed
unreachable.
 RIP version 1 uses only classful routing, which means that all devices in the
network must use the same subnet mask.
 RIP version 2 provides something called prefix routing, and does send subnet
mask information with the route updates. This is called classless routing.

RIP Timers

RIP uses three different kinds of timers to regulate its performance.

Route update timer
The route update timer sets the interval (30 seconds) between periodic routing
updates, in which the router sends a complete copy of its routing table out to all
neighbors.

Route invalid timer

A route invalid timer determines the length of time that must elapse (180 seconds)
before a router determines that a route has become invalid. It will come to this conclusion
if it hasn’t heard any updates about a particular route for that period. When that happens,
the router will send out updates to all its neighbors letting them know that the route is
invalid.

Hold-down timer

This sets the amount of time during which routing information is suppressed.
Routers will enter into the hold-down state when an update packet is received that
indicates the route is unreachable. This continues until an update packet is received
with a better metric or until the hold-down timer expires. The default is 180 seconds.

Route flush timer

The route flush timer sets the time between a route becoming invalid and its removal
from the routing table (240 seconds). Before it’s removed from the table, the router notifies
its neighbors of that route’s impending demise. The value of the route invalid timer must
be less than that of the route flush timer.
RIP (Routing Information Protocol) Configuration
LAB

[Figure: 1700A (F0/0 10.0.0.1; S0/0 20.0.0.1; S0/1 30.0.0.1; S1/0 40.0.0.1) connects to three routers: 3600A (S3/0 20.0.0.2; S3/1 50.0.0.1), 3600B (S1/0 30.0.0.2; S1/1 60.0.0.1) and 3600C (S0/0 40.0.0.2; S0/1 70.0.0.1); each of them connects on to 1700B (S0/0 50.0.0.2; S1/0 60.0.0.2; S1/1 70.0.0.2; F0/0 80.0.0.1).]

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/1
1700A(config-if)#ip address 30.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 1/0
1700A(config-if)#ip address 40.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#end
1700A#show ip route
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#network 30.0.0.0
1700A(config-router)#network 40.0.0.0
1700A(config-router)#end
1700A#show ip route
1700A#show ip interface brief
1700A#show ip protocols

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface Serial 3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface Serial 3/1
3600A(config-if)#ip address 50.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router rip
3600A(config-router)#network 20.0.0.0
3600A(config-router)#network 50.0.0.0
3600A(config-router)#end
3600A#show ip route
3600A#show ip interface brief
3600A#show ip protocols

3600B
Router>enable
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface Serial 1/0
3600B(config-if)#ip address 30.0.0.2 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#clock rate 64000
3600B(config-if)#interface Serial 1/1
3600B(config-if)#ip address 60.0.0.1 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#clock rate 64000
3600B(config-if)#exit
3600B(config)#router rip
3600B(config-router)#network 30.0.0.0
3600B(config-router)#network 60.0.0.0
3600B(config-router)#end
3600B#show ip route
3600B#show ip interface brief
3600B#show ip protocols

3600C
Router>enable
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface Serial 0/0
3600C(config-if)#ip address 40.0.0.2 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#clock rate 64000
3600C(config-if)#interface Serial 0/1
3600C(config-if)#ip address 70.0.0.1 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#clock rate 64000
3600C(config-if)#exit
3600C(config)#router rip
3600C(config-router)#network 40.0.0.0
3600C(config-router)#network 70.0.0.0
3600C(config-router)#end
3600C#show ip route
3600C#show ip interface brief

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 80.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 50.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 1/0
1700B(config-if)#ip address 60.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 1/1
1700B(config-if)#ip address 70.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#end
1700B#show ip route
1700B#show ip interface brief
1700B#show ip protocols
1700B#configure terminal
1700B(config)#router rip
1700B(config-router)#network 50.0.0.0
1700B(config-router)#network 60.0.0.0
1700B(config-router)#network 70.0.0.0
1700B(config-router)#network 80.0.0.0
1700B(config-router)#end
1700B#show ip interface brief
1700B#show ip protocols

Routing Information Protocol version 2

• Both RIPv1 and RIPv2 are distance-vector protocols, which means that each router
running RIP sends its complete routing table out all active interfaces at periodic time
intervals.
• The timers and loop-avoidance schemes are the same in both RIP versions.
• Both RIPv1 and RIPv2 are configured with classful addressing (but RIPv2 is
considered classless because subnet information is sent with each route update).
• Both have the same administrative distance (120).
• RIP is an open standard; you can use RIP with any brand of router.
• Algorithm – Bellman-Ford
• Multicast address 224.0.0.9 (RIPv2)

RIP Version 1                          RIP Version 2
Distance Vector                        Distance Vector
Maximum hop count of 15                Maximum hop count of 15
Classful                               Classless
No support for VLSM                    Supports VLSM networks
No support for discontiguous networks  Supports discontiguous networks


RIP Version 2 (Routing Information Protocol) Configuration
LAB

[Figure: 1700A (F0/0 LAN hosts 192.168.1.17 - 22; S0/0 192.168.1.5) --- 3600A (S3/0 192.168.1.6; S3/1 192.168.1.9) --- 1700B (S0/0 192.168.1.10; F0/0 LAN hosts 192.168.1.33 - 46).]

RIPv2 Supports Classless IP Addresses

Question:
IP Address 192.168.1.0/24
1700A - F0/0 - Need 6 IP Addresses
WAN Serial Connection - Need 2 IP Addresses (S0/0 & S3/0)
WAN Serial Connection - Need 2 IP Addresses (S3/1 & S0/0)
1700B - F0/0 - Need 14 IP Addresses

Answer:
IP Addresses 192.168.1.0/24

Bit weights of the last octet: 128 64 32 16 8 4 2 1

Need 2 IP Addresses: 2 host bits, 2^2 = 4, 4 - 2 = 2 usable
Borrowing 2 bits (/30, mask 255.255.255.252)
Network ID      First Host ID   Last Host ID    Broadcast ID
192.168.1.4     192.168.1.5     192.168.1.6     192.168.1.7
192.168.1.8     192.168.1.9     192.168.1.10    192.168.1.11

Need 6 IP Addresses: 3 host bits, 2^3 = 8, 8 - 2 = 6 usable
Borrowing 3 bits (/29, mask 255.255.255.248)
Network ID      First Host ID   Last Host ID    Broadcast ID
The following block is already in use:
192.168.1.8     192.168.1.9     192.168.1.14    192.168.1.15
So we use the following block:
192.168.1.16    192.168.1.17    192.168.1.22    192.168.1.23

Need 14 IP Addresses: 4 host bits, 2^4 = 16, 16 - 2 = 14 usable
Borrowing 4 bits (/28, mask 255.255.255.240)
Network ID      First Host ID   Last Host ID    Broadcast ID
The following block is already in use:
192.168.1.16    192.168.1.17    192.168.1.30    192.168.1.31
So we use the following block:
192.168.1.32    192.168.1.33    192.168.1.46    192.168.1.47
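The worked answer above, as an added Python example (not the page's own code): a first-fit VLSM allocator that picks the smallest block with enough usable hosts for each request, aligns the block to its own size (which is why the /29 cannot start at .12 and the /28 cannot start at .24), and reports the network, first host, last host and broadcast columns the answer uses. The request labels are hypothetical; the allocation starts at 192.168.1.4 because the worked answer leaves 192.168.1.0/30 unused. It generalizes the answer to any list of host-count requests inside any base network.

```python
import ipaddress

# Constructed requests, in the order the worked answer allocates them.
REQUESTS = [
    ("WAN S0/0-S3/0", 2),
    ("WAN S3/1-S0/0", 2),
    ("1700A F0/0", 6),
    ("1700B F0/0", 14),
]


def host_bits_for(hosts):
    """Smallest n with 2**n - 2 >= hosts (network and broadcast addresses are unusable)."""
    n = 2
    while (1 << n) - 2 < hosts:
        n += 1
    return n


def allocate_subnets(base, requests, start_offset=0):
    """Allocate one subnet per (label, hosts) request in order, first-fit, each block
    aligned to its own size. Returns a list of (label, IPv4Network)."""
    base = ipaddress.ip_network(base)
    cursor = int(base.network_address) + start_offset
    allocated = []
    for label, hosts in requests:
        n = host_bits_for(hosts)
        size = 1 << n
        if cursor % size:                       # a /29 must start on a multiple of 8, etc.
            cursor += size - cursor % size
        net = ipaddress.ip_network((cursor, 32 - n))
        if not net.subnet_of(base):
            raise ValueError(f"{base} exhausted at request {label!r}")
        allocated.append((label, net))
        cursor += size
    return allocated


def describe(net):
    """The four columns the worked answer uses: network, first host, last host, broadcast."""
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]), str(net.broadcast_address))


if __name__ == "__main__":
    for label, net in allocate_subnets("192.168.1.0/24", REQUESTS, start_offset=4):
        print(f"{label:15} {net!s:18} mask {net.netmask}  {describe(net)}")
```

The masks printed for the three block sizes (255.255.255.252, .248 and .240) are the ones used on the interfaces in the configuration below.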

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 192.168.1.17 255.255.255.248
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 192.168.1.5 255.255.255.252
1700A(config-if)#no shutdown
1700A(config-if)#end
1700A#show ip route
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#router rip
1700A(config-router)#version 2
1700A(config-router)#network 192.168.1.4 (the network command is classful; IOS stores this as network 192.168.1.0)
1700A(config-router)#network 192.168.1.16
1700A(config-router)#end
1700A#show ip interface brief
1700A#show ip protocols

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface Serial 3/0
3600A(config-if)#ip address 192.168.1.6 255.255.255.252
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface Serial 3/1
3600A(config-if)#ip address 192.168.1.9 255.255.255.252
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#end
3600A#show ip route
3600A#show ip interface brief
3600A#configure terminal
3600A(config)#router rip
3600A(config-router)#version 2
3600A(config-router)#network 192.168.1.4
3600A(config-router)#network 192.168.1.8
3600A(config-router)#end
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 192.168.1.33 255.255.255.240
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 192.168.1.10 255.255.255.252
1700B(config-if)#no shutdown
1700B(config-if)#end
1700B#show ip route
1700B#show ip interface brief
1700B#configure terminal
1700B(config)#router rip
1700B(config-router)#version 2
1700B(config-router)#network 192.168.1.8
1700B(config-router)#network 192.168.1.32
1700B(config-router)#end
1700B#show ip interface brief
1700B#show ip route
1700B#show ip protocols
1700B#ping 192.168.1.17

To change the update, invalid, hold-down and flush timers from their defaults, use the following command:
Router>enable
Router#configure terminal
Router(config)#router rip
Router(config-router)#timers basic <update> <invalid> <holddown> <flush> (the defaults would be: timers basic 30 180 180 240)
RIP V1 & RIP V2 Configuration
(Routing Information Protocol Version 1 & Routing Information Protocol Version 2)
LAB

[Figure: 1700A (F0/0 10.0.0.1; S0/0 20.0.0.1) --- RIP V1 --- 3600A (S3/0 20.0.0.2; S3/1 30.0.0.1) --- RIP V2 --- 1700B (S0/0 30.0.0.2; F0/0 40.0.0.1).]

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#end
1700A#show ip route
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#end
1700A#show ip interface brief
1700A#show ip protocols

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface Serial 3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface Serial 3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#end
3600A#show ip route
3600A#show ip interface brief
3600A#configure terminal
3600A(config)#router rip
3600A(config-router)#version 2
3600A(config-router)#network 20.0.0.0
3600A(config-router)#network 30.0.0.0
3600A(config-router)#interface Serial 3/0 (this interface faces 1700A, which runs RIP version 1)
3600A(config-if)#ip rip send version 1
3600A(config-if)#ip rip receive version 1
3600A(config-if)#end
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#end
1700B#show ip route
1700B#show ip interface brief
1700B#configure terminal
1700B(config)#router rip
1700B(config-router)#version 2
1700B(config-router)#network 30.0.0.0
1700B(config-router)#network 40.0.0.0
1700B(config-router)#end
1700B#show ip interface brief
1700B#show ip route
1700B#show ip protocols
1700B#ping 10.0.0.1

The RIP version can also be set per interface. On the 1700A router, in the
Serial 0/0 interface configuration:
1700A(config)#interface Serial 0/0
1700A(config-if)#ip rip receive version 1
Interior Gateway Routing Protocol (IGRP)

 Interior Gateway Routing Protocol (IGRP) is a Cisco-proprietary distance-vector
routing protocol.
 To use IGRP, all your routers must be Cisco routers.
 IGRP has a maximum hop count of 255 with a default of 100.
 IGRP uses bandwidth and delay of the line by default as a metric for determining the
best route to an internetwork.
 Reliability, load, and maximum transmission unit (MTU) can also be used, although
they are not used by default.
Note:
The main difference between RIP and IGRP configuration is that when you configure
IGRP, you supply the autonomous system number. All routers must use the same number
in order to share routing table information.

IGRP                                               RIP
Can be used in large internetworks                 Works best in smaller networks
Uses an autonomous system number for activation    Does not use autonomous system numbers
Gives a full route table update every 90 seconds   Gives a full route table update every 30 seconds
Has an administrative distance of 100              Has an administrative distance of 120
Uses bandwidth and delay of the line as metric     Uses only hop count to determine the best
(lowest composite metric), with a maximum hop      path to a remote network, with 15 hops
count of 255                                       being the maximum

IGRP Timers

To control performance, IGRP includes the following timers with default settings:
Update timers :
These specify how frequently routing-update messages should be sent. The
default is 90 seconds.
Invalid timers :
These specify how long a router should wait before declaring a route invalid if it
doesn’t receive a specific update about it. The default is three times the update period.
Holddown timers :
These specify the holddown period. The default is three times the update timer
period plus 10 seconds.
Flush timers :
These indicate how much time should pass before a route should be flushed from
the routing table. The default is seven times the routing update period. If the update timer
is 90 seconds by default, then 7 × 90 = 630 seconds elapse before a route will be flushed
from the route table.
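An added example (not from the page) in Python that models the RIP timers described earlier (update, invalid, hold-down and flush) together with the IGRP rule above that derives the invalid, hold-down and flush values from the update timer. A route entry's state is computed from the time of its last update, and the hold-down suppresses worse updates until a better metric arrives or the timer expires. Timer values are the defaults stated on the page; the event times and metrics are constructed.

```python
from dataclasses import dataclass

UNREACHABLE = 16   # RIP metric meaning "no route"


@dataclass(frozen=True)
class Timers:
    update: int
    invalid: int
    holddown: int
    flush: int


RIP_DEFAULTS = Timers(update=30, invalid=180, holddown=180, flush=240)


def igrp_defaults(update=90):
    """IGRP derives the other timers from the update interval:
    invalid = 3 x update, holddown = 3 x update + 10, flush = 7 x update."""
    return Timers(update, 3 * update, 3 * update + 10, 7 * update)


def timers_basic_command(t):
    """The IOS command that sets these four values under 'router rip'."""
    return f"timers basic {t.update} {t.invalid} {t.holddown} {t.flush}"


class RouteEntry:
    """One learned route, aged against its timers. Times are seconds on a shared clock."""

    def __init__(self, metric, timers, now=0):
        self.metric = metric
        self.timers = timers
        self.last_update = now          # when a neighbour last refreshed the route
        self.holddown_until = None      # set while the route is suppressed
        self.pre_holddown_metric = None

    def state(self, now):
        if self.holddown_until is not None and now < self.holddown_until:
            return "holddown"
        age = now - self.last_update
        if age >= self.timers.flush:
            return "flushed"            # removed from the routing table
        if age >= self.timers.invalid:
            return "invalid"            # no update heard for too long; neighbours are told
        return "valid"

    def on_update(self, now, metric):
        """Apply an update for this route; return True if it changed the entry."""
        st = self.state(now)
        if st == "flushed":
            return False                # entry is gone; the route must be re-learned
        if st == "holddown":
            if metric < self.pre_holddown_metric:   # a better metric ends the hold-down
                self.holddown_until = None
                self.metric = metric
                self.last_update = now
                return True
            return False                # suppressed until the hold-down timer expires
        if metric >= UNREACHABLE:       # poisoned / unreachable: enter hold-down
            self.pre_holddown_metric = self.metric
            self.metric = UNREACHABLE
            self.holddown_until = now + self.timers.holddown
            return True
        self.metric = metric
        self.last_update = now
        return True


if __name__ == "__main__":
    print(timers_basic_command(RIP_DEFAULTS), "|", igrp_defaults())
    r = RouteEntry(3, RIP_DEFAULTS, now=0)
    r.on_update(30, UNREACHABLE)        # neighbour poisons the route at t=30
    for t in (100, 210, 240):
        print(t, r.state(t))
```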

IGRP (Interior Gateway Routing Protocol) Configuration

LAB

[Figure: 1700A (F0/0 10.0.0.1; S0/0 20.0.0.1) --- 3600A (S3/0 20.0.0.2; S3/1 30.0.0.1) --- 1700B (S0/0 30.0.0.2; F0/0 40.0.0.1).]

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router igrp 100 (autonomous system number)
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#end
1700A#show ip interface brief
1700A#show ip protocols

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface Serial 3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface Serial 3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router igrp 100 (autonomous system number)
3600A(config-router)#network 20.0.0.0
3600A(config-router)#network 30.0.0.0
3600A(config-router)#end
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router igrp 100 (autonomous system number)
1700B(config-router)#network 30.0.0.0 (the networks directly connected to 1700B)
1700B(config-router)#network 40.0.0.0
1700B(config-router)#end
1700B#show ip interface brief
1700B#show ip route
1700B#show ip protocols
1700B#ping 10.0.0.1
EIGRP (Enhanced Interior Gateway Routing Protocol)

o Enhanced IGRP (EIGRP) is a classless, enhanced distance-vector protocol that
gives us a real edge over IGRP.
o Like IGRP, EIGRP uses the concept of an autonomous system to describe the set
of contiguous routers that run the same routing protocol and share routing
information.
o But unlike IGRP, EIGRP includes the subnet mask in its route updates.
o The advertisement of subnet information allows us to use VLSM and
summarization when designing our networks.
o EIGRP is sometimes referred to as a hybrid routing protocol because it has
characteristics of both distance-vector and link-state protocols.
o It sends traditional distance-vector updates containing information about networks
plus the cost of reaching them from the perspective of the advertising router.
o EIGRP has a maximum hop count of 255.

Powerful features that make EIGRP a real standout from IGRP

 Support for IP, IPX, and AppleTalk via protocol-dependent modules
 Considered classless (same as RIPv2 and OSPF)
 Support for VLSM/CIDR
 Support for summaries and discontiguous networks
 Efficient neighbor discovery
 Communication via Reliable Transport Protocol (RTP)
 Best path selection via Diffusing Update Algorithm (DUAL)

Note:
Cisco calls EIGRP a distance vector routing protocol, or sometimes an
advanced distance vector or even a hybrid routing protocol.
• EIGRP supports different Network layer protocols through the use of protocol-
dependent modules (PDMs).
• Each EIGRP PDM will maintain a separate series of tables containing the routing
information that applies to a specific protocol.
• It means that there will be IP/EIGRP tables, IPX/EIGRP tables, and
AppleTalk/EIGRP tables.

Neighbor Discovery

Before EIGRP routers are willing to exchange routes with each other, they must
become neighbors. There are three conditions that must be met for neighborship
establishment:
 Hello or ACK received
 AS numbers match
 Identical metrics (K values)

To maintain the neighborship relationship, EIGRP routers must also continue
receiving Hellos from their neighbors.
EIGRP routers that belong to different autonomous systems (ASes) don’t
automatically share routing information and they don’t become neighbors.
The only time EIGRP advertises its entire routing table is when it discovers a new
neighbor and forms an adjacency with it through the exchange of Hello packets. When
this happens, both neighbors advertise their entire routing tables to one another. After
each has learned its neighbor’s routes, only changes to the routing table are propagated
from then on.

EIGRP maintains three tables containing information about the internetworks.

Neighbor Table

Records information about routers with whom neighborship relationships have
been formed.

Topology Table

Stores the route advertisements about every route in the internetwork received
from each neighbor.

Routing Table

Stores the routes that are currently used to make routing decisions.

[Figure: EIGRP IP routing tables]
IP EIGRP Neighbors Table: list of directly connected routers running EIGRP with
which this router has an adjacency (columns: Next-Hop Router, Interface).
IP EIGRP Topology Table: list of all routes learned from each EIGRP neighbor
(columns: Destination, FD and AD via each neighbor).
IP Routing Table: list of all best routes from the EIGRP topology table and other
routing processes (columns: Destination, Best Route).

Feasible distance

This is the best metric along all paths to a remote network, including the metric
to the neighbor that is advertising that remote network. This is the route that you will find
in the routing table, because it is considered the best path. The metric of a feasible
distance is the metric reported by the neighbor (called reported distance), plus the metric
to the neighbor reporting the route.

Reported distance (Advertised Distance)

This is the metric of a remote network, as reported by a neighbor. It is also
the routing table metric of the neighbor.

Neighbor table

Each router keeps state information about adjacent neighbors. When a newly
discovered neighbor is learned, the address and interface of the neighbor are recorded,
and this information is held in the neighbor table, stored in RAM. There is one neighbor
table for each protocol-dependent module.
Topology table

The topology table is populated by the PDMs and acted upon by the Diffusing
Update Algorithm (DUAL). It contains all destinations advertised by neighboring
routers, holding each destination address and a list of neighbors that have advertised the
destination. For each neighbor, the advertised metric is recorded, which comes only from
the neighbor’s routing table. If the neighbor is advertising this destination, it must be
using the route to forward packets.

Feasible successor

A destination entry is moved from the topology table to the routing table when
there is a feasible successor. A feasible successor is a path whose reported distance is less
than the feasible distance, and it is considered a backup route. EIGRP will keep up to six
feasible successors in the topology table. Only the one with the best metric
(the successor) is placed in the routing table.

Successor

A successor route is the best route to a remote network. A successor route is used
by EIGRP to forward traffic to a destination and is stored in the routing table. It is backed
up by a feasible successor route that is stored in the topology table—if one is available.
• A feasible successor is a backup route and is stored in the topology table.
• A successor route is stored in the topology table and also placed in the routing
table.

Reliable Transport Protocol (RTP)

o EIGRP uses a proprietary protocol, called Reliable Transport Protocol (RTP), to
manage the communication of messages between EIGRP-speaking routers.
o EIGRP sends updates via multicast traffic, using the Class D address 224.0.0.10.
o If EIGRP doesn’t get a reply from a neighbor, it will switch to using unicasts to
resend the same data.
o If it still doesn’t get a reply after 16 unicast attempts, the neighbor is declared dead.
o This process is referred to as reliable multicast.

Diffusing Update Algorithm (DUAL)

EIGRP uses Diffusing Update Algorithm (DUAL) for selecting and maintaining
the best path to each remote network. This algorithm allows for the following:
o Backup route determination if one is available
o Support of Variable-Length Subnet Masks (VLSMs)
o Dynamic route recoveries
o Queries for an alternate route if no route can be found
DUAL provides EIGRP with possibly the fastest route convergence time among all
protocols.

EIGRP Metrics

Another really sweet thing about EIGRP is that unlike many other protocols that
use a single factor to compare routes and select the best possible path, EIGRP can use a
combination of four:

 Bandwidth
 Delay
 Load
 Reliability
 MTU

Like IGRP, EIGRP uses only bandwidth and delay of the line to determine the
best path to a remote network by default.

Maximum Paths and Hop Count

By default, EIGRP (and IGRP) can provide unequal cost load balancing of up to
four links. However, you can have EIGRP actually load balance across up to six links.
EIGRP (and IGRP) has a maximum hop count of 100, but it can be set up to 255.
If you need to stop EIGRP from working on a specific interface, such as an Ethernet
interface or a serial connection to the Internet, configure that interface with the
passive-interface command.
By using the no auto-summary command, EIGRP will advertise all the subnets
between the two routers. If the networks were larger, you could then provide manual
summarization on these same boundaries.

EIGRP (Enhanced Interior Gateway Routing Protocol) Configuration

LAB

[Figure: EIGRP lab topology, recovered from the diagram]
1700A F0/0 10.0.0.1
1700A S0/0 20.0.0.1 -- 512 kbps -- S3/0 20.0.0.2 3600A
1700A S0/1 30.0.0.1 -- 256 kbps -- S1/0 30.0.0.2 3600B
1700A S1/0 40.0.0.1 -- 128 kbps -- S0/0 40.0.0.2 3600C
3600A S3/1 50.0.0.1 -- 128 kbps -- S0/0 50.0.0.2 1700B
3600B S1/1 60.0.0.1 -- 256 kbps -- S1/0 60.0.0.2 1700B
3600C S0/1 70.0.0.1 -- 512 kbps -- S1/1 70.0.0.2 1700B
1700B F0/0 80.0.0.1
1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 512
1700A(config-if)#interface Serial 0/1
1700A(config-if)#ip address 30.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 256
1700A(config-if)#interface S1/0
1700A(config-if)#ip address 40.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 128
1700A(config-if)#exit
1700A(config)#router EIGRP 500 (autonomous system number: 1 – 65535)
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#network 30.0.0.0
1700A(config-router)#network 40.0.0.0
1700A(config-router)#control Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip EIGRP topology
1700A#show ip EIGRP neighbors
If we want to stop EIGRP from sending Hellos (and forming neighbors) on the Fast
Ethernet port, while its network is still advertised to the other neighbors, type the
following commands:
1700A(config)#router EIGRP 500
1700A(config-router)#passive-interface F0/0 (enable)
1700A(config-router)#no passive-interface F0/0 (disable)

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 512
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 50.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 128
3600A(config-if)#exit
3600A(config)#router EIGRP 500
3600A(config-router)#network 20.0.0.0
3600A(config-router)#network 50.0.0.0
3600A(config-router)#control Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip EIGRP topology
3600A#show ip EIGRP neighbors

3600B
Router>enable
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface S1/0
3600B(config-if)#ip address 30.0.0.2 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#clock rate 64000
3600B(config-if)#bandwidth 256
3600B(config-if)#interface S1/1
3600B(config-if)#ip address 60.0.0.1 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#clock rate 64000
3600B(config-if)#bandwidth 256
3600B(config-if)#exit
3600B(config)#router EIGRP 500
3600B(config-router)#network 30.0.0.0
3600B(config-router)#network 60.0.0.0
3600B(config-router)#control Z
3600B#show ip route
3600B#show ip interface brief
3600B#show ip EIGRP topology
3600B#show ip EIGRP neighbors

3600C
Router>enable
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface S0/0
3600C(config-if)#ip address 40.0.0.2 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#clock rate 64000
3600C(config-if)#bandwidth 128
3600C(config-if)#interface S0/1
3600C(config-if)#ip address 70.0.0.1 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#clock rate 64000
3600C(config-if)#bandwidth 512
3600C(config-if)#exit
3600C(config)#router EIGRP 500
3600C(config-router)#network 40.0.0.0
3600C(config-router)#network 70.0.0.0
3600C(config-router)#control Z
3600C#show ip route
3600C#show ip interface brief
3600C#show ip EIGRP topology
3600C#show ip EIGRP neighbors

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 80.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/0
1700B(config-if)#ip address 50.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#bandwidth 128
1700B(config-if)#interface S1/0
1700B(config-if)#ip address 60.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#bandwidth 256
1700B(config-if)#interface S1/1
1700B(config-if)#ip address 70.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#bandwidth 512
1700B(config-if)#exit
1700B(config)#router EIGRP 500
1700B(config-router)#network 50.0.0.0
1700B(config-router)#network 60.0.0.0
1700B(config-router)#network 70.0.0.0
1700B(config-router)#network 80.0.0.0
1700B(config-router)#control Z
1700B#show ip interface brief
1700B#show ip EIGRP topology
1700B#show ip EIGRP neighbors

EIGRP Summarization Configuration

LAB

[Figure: summarization lab topology, recovered from the diagram]
1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- S0/1 20.0.0.2 3600A (configured below under the name 1700B), F0/0 30.0.0.1
Loopback interfaces on the second router:
Loopback 0 - 172.168.4.1
Loopback 1 - 172.168.5.1
Loopback 2 - 172.168.6.1
Loopback 3 - 172.168.7.1
Loopback 4 - 172.168.8.1
Loopback 5 - 172.168.9.1
Loopback 6 - 172.168.10.1
Loopback 7 - 172.168.11.1
Loopback 8 - 172.168.12.1
1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router EIGRP 500
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#control Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip EIGRP topology
1700A#show ip EIGRP neighbors

1700B
Router>en
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/1
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Loopback 0
1700B(config-if)#ip address 172.168.4.1 255.255.255.0 (a /24 on each loopback; with 255.255.0.0 the nine subnets would overlap and IOS rejects all but the first)
1700B(config-if)#interface Loopback 1
1700B(config-if)#ip address 172.168.5.1 255.255.255.0
1700B(config-if)#interface Loopback 2
1700B(config-if)#ip address 172.168.6.1 255.255.255.0
1700B(config-if)#interface Loopback 3
1700B(config-if)#ip address 172.168.7.1 255.255.255.0
1700B(config-if)#interface Loopback 4
1700B(config-if)#ip address 172.168.8.1 255.255.255.0
1700B(config-if)#interface Loopback 5
1700B(config-if)#ip address 172.168.9.1 255.255.255.0
1700B(config-if)#interface Loopback 6
1700B(config-if)#ip address 172.168.10.1 255.255.255.0
1700B(config-if)#interface Loopback 7
1700B(config-if)#ip address 172.168.11.1 255.255.255.0
1700B(config-if)#interface Loopback 8
1700B(config-if)#ip address 172.168.12.1 255.255.255.0
1700B(config-if)#exit
1700B(config)#router EIGRP 500
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#network 172.168.0.0 (classful statement; it enables EIGRP on all nine loopbacks)
1700B(config-router)#control Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip EIGRP topology
1700B#show ip EIGRP neighbors

Manually assign Summarization

1700B(config)#router EIGRP 500
1700B(config-router)#no auto-summary

With auto-summary turned off, each and every loopback subnet is advertised to 1700A
individually. To minimize the neighbor's routing table, configure a manual summary on
the interface facing 1700A:
1700B(config)#interface s0/1
1700B(config-if)#ip summary-address eigrp 500 172.168.4.0 255.255.252.0
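A quick way to check what a manual summary really hides before configuring it. The script below is an added example, not the study guide's own code: it takes the nine loopback networks and the summary 172.168.4.0 255.255.252.0 from the lab, assumes a /24 on each loopback (not stated on the page), and reports which subnets fall inside the summary, which ones the neighbor still learns individually, and the smallest single prefix that would cover all of them.

```python
"""Added example (not from the study guide): check the coverage of the manual
EIGRP summary configured in the lab above.

Assumption: each loopback is a /24 (the page gives no usable mask).  The summary
172.168.4.0 255.255.252.0 and the loopback addresses are the lab's own values."""

import ipaddress
from typing import Iterable, List, Tuple

# Lab values: Loopback 0..8 carry 172.168.4.1 .. 172.168.12.1
LOOPBACK_NETS = [ipaddress.ip_network(f"172.168.{n}.0/24") for n in range(4, 13)]
# 'ip summary-address eigrp 500 172.168.4.0 255.255.252.0' from the lab (a /22)
SUMMARY = ipaddress.ip_network("172.168.4.0/255.255.252.0")


def split_by_summary(nets: Iterable[ipaddress.IPv4Network],
                     summary: ipaddress.IPv4Network) -> Tuple[List[str], List[str]]:
    """Return (covered, outside): subnets inside the summary, and subnets the
    neighbour would still have to learn as individual routes."""
    covered, outside = [], []
    for net in nets:
        (covered if net.subnet_of(summary) else outside).append(str(net))
    return covered, outside


def smallest_summary(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Smallest single prefix containing every network: widen the first
    network's prefix one bit at a time until all the others fit inside it."""
    nets = list(nets)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def advertised_to_neighbor(nets: Iterable[ipaddress.IPv4Network],
                           summary: ipaddress.IPv4Network) -> List[str]:
    """What leaves the summarizing interface: the summary itself, plus every
    subnet the summary does not cover (those are still sent unchanged)."""
    _covered, outside = split_by_summary(nets, summary)
    return [str(summary)] + outside


if __name__ == "__main__":
    covered, outside = split_by_summary(LOOPBACK_NETS, SUMMARY)
    print("covered by", SUMMARY, ":", covered)
    print("still advertised individually:", outside)
    print("smallest prefix covering all loopbacks:", smallest_summary(LOOPBACK_NETS))
    print("routes 1700A receives:", advertised_to_neighbor(LOOPBACK_NETS, SUMMARY))
```

Running it shows that the /22 in the lab only covers loopbacks 0 to 3 (172.168.4.0 through 172.168.7.0); the other five subnets are still advertised on their own, and a single prefix that covers all nine is a /20, which also pulls in address space the router does not own. That trade-off (fewer routes versus advertising unused space) is the point of choosing the summary boundary deliberately.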

EIGRP Load Balancing Configuration

LAB
Unequal Cost Path

[Figure: unequal-cost lab topology, recovered from the diagram]
1700A F0/0 10.0.0.1
1700A S0/0 20.0.0.1 -- 768 kbps -- S3/0 20.0.0.2 3600A
1700A S0/1 30.0.0.1 -- 512 kbps -- S3/1 30.0.0.2 3600A
1700A S1/0 40.0.0.1 -- 256 kbps -- S3/2 40.0.0.2 3600A
3600A F0/0 50.0.0.1

Bandwidth is set per link; delay is left at the serial default of 20000.

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 768
1700A(config-if)#interface S0/1
1700A(config-if)#ip address 30.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 512
1700A(config-if)#interface S1/0
1700A(config-if)#ip address 40.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#bandwidth 256
1700A(config-if)#exit
1700A(config)#router EIGRP 500
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#network 30.0.0.0
1700A(config-router)#network 40.0.0.0

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface FastEthernet 0/0
3600A(config-if)#ip address 50.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 768
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 512
3600A(config-if)#interface S3/2
3600A(config-if)#ip address 40.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#bandwidth 256
3600A(config-if)#exit
3600A(config)#router EIGRP 500
3600A(config-router)#network 20.0.0.0
3600A(config-router)#network 30.0.0.0
3600A(config-router)#network 40.0.0.0
3600A(config-router)#network 50.0.0.0

Load Balancing Command

The following command turns on unequal-cost load balancing across the three links.

The variance is a multiplier: every feasible successor whose feasible distance is no
more than variance × (the best feasible distance) is also placed in the routing table
(e.g., variance 3 accepts paths with up to FD × 3).
1700A(config-router)#variance <multiplier> (enable; the multiplier is the number to multiply the best FD by)
1700A(config-router)#no variance (disable)
1700A(config-router)#control Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip EIGRP topology
1700A#show ip EIGRP neighbors
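The feasible distance, reported distance and feasible successor definitions earlier in this chapter, and the variance command just shown, all come down to one metric computation. The script below is an added example, not the study guide's code: it computes the default EIGRP metric for the three paths from 1700A to 50.0.0.0 in the unequal-cost lab, picks the successor, applies the feasibility condition to find the backups, and shows which paths each variance value installs. It assumes IOS default delays (20000 usec serial, 100 usec FastEthernet) and default K values, and that 3600A reaches 50.0.0.0 through its FastEthernet interface as in the diagram.

```python
"""Added example (not from the study guide): EIGRP composite metric,
feasibility condition and variance, worked on the unequal-cost lab above.

Assumptions (not stated on the page): IOS default delays of 20000 usec for a
serial interface and 100 usec for FastEthernet, and the default K values
(K1 = K3 = 1, K2 = K4 = K5 = 0), so only bandwidth and delay count."""

from dataclasses import dataclass
from typing import List


def eigrp_metric(min_bw_kbps: int, total_delay_usec: int) -> int:
    """Default-K EIGRP metric: 256 * (10^7 / slowest bandwidth + delay / 10).
    IOS performs both divisions as integer division."""
    return 256 * (10_000_000 // min_bw_kbps + total_delay_usec // 10)


@dataclass
class Candidate:
    """One route to 50.0.0.0/8 as seen in 1700A's topology table."""
    out_iface: str        # 1700A interface towards the neighbour
    link_bw_kbps: int     # 'bandwidth' configured on that link
    link_delay_usec: int  # delay of that link
    rd: int               # reported distance: the neighbour's own metric
    nbr_min_bw_kbps: int  # slowest bandwidth along the neighbour's path
    nbr_delay_usec: int   # total delay along the neighbour's path

    @property
    def fd(self) -> int:
        """Feasible distance: metric of the whole path from this router
        (bandwidth is the slowest hop, delay is summed hop by hop)."""
        return eigrp_metric(min(self.link_bw_kbps, self.nbr_min_bw_kbps),
                            self.link_delay_usec + self.nbr_delay_usec)


# 3600A reaches 50.0.0.0 through its FastEthernet; what it advertises to 1700A
# on each of the three links is its own metric for that network.
NBR_MIN_BW, NBR_DELAY = 100_000, 100
RD_FROM_3600A = eigrp_metric(NBR_MIN_BW, NBR_DELAY)   # 28160

LAB_PATHS: List[Candidate] = [
    Candidate("S0/0", 768, 20_000, RD_FROM_3600A, NBR_MIN_BW, NBR_DELAY),
    Candidate("S0/1", 512, 20_000, RD_FROM_3600A, NBR_MIN_BW, NBR_DELAY),
    Candidate("S1/0", 256, 20_000, RD_FROM_3600A, NBR_MIN_BW, NBR_DELAY),
]


def successor(paths: List[Candidate]) -> Candidate:
    """The successor is the candidate with the lowest feasible distance."""
    return min(paths, key=lambda p: p.fd)


def feasible_successors(paths: List[Candidate]) -> List[str]:
    """Feasibility condition: a backup is accepted only when the neighbour's
    reported distance is lower than the successor's feasible distance; that
    is what guarantees the backup is loop-free without a DUAL query."""
    best = successor(paths)
    return [p.out_iface for p in paths if p is not best and p.rd < best.fd]


def paths_installed(paths: List[Candidate], variance: int = 1) -> List[str]:
    """Routes placed in the routing table with 'variance <n>': the successor
    plus each feasible successor whose FD <= n * successor FD.  With the
    default variance of 1 only equal-cost paths are installed."""
    best = successor(paths)
    allowed = set(feasible_successors(paths))
    return [p.out_iface for p in paths
            if p is best or (p.out_iface in allowed and p.fd <= variance * best.fd)]


if __name__ == "__main__":
    for p in LAB_PATHS:
        print(f"{p.out_iface} {p.link_bw_kbps:>4} kbps  FD={p.fd:>9}  RD={p.rd}")
    for v in (1, 2, 3):
        print(f"variance {v}: {paths_installed(LAB_PATHS, v)}")
```

With the lab's bandwidths the 768 kbps link is the successor, the 512 kbps path needs variance 2 and the 256 kbps path needs variance 3, which is the "FD × 3" figure the section quotes. Note that variance never admits a path that fails the feasibility condition, however large the multiplier.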

OSPF (Open Shortest Path First)

Open Shortest Path First (OSPF) is an open standards routing protocol that’s been
implemented by a wide variety of network vendors, including Cisco.
This works by using the Dijkstra algorithm. First, a shortest path tree is
constructed, and then the routing table is populated with the resulting best paths. OSPF
converges quickly, although perhaps not as quickly as EIGRP, and it supports multiple,
equal-cost routes to the same destination. But unlike EIGRP, it only supports IP routing.

OSPF provides the following features:

 Consists of areas and autonomous systems
 Minimizes routing update traffic
 Allows scalability
 Supports VLSM/CIDR
 Has unlimited hop count
 Allows multi-vendor deployment (open standard)

Note:
OSPF is the first link-state routing protocol that most people are introduced to.

OSPF and RIP comparison

Characteristic         OSPF                 RIPv2                RIPv1
Type of protocol       Link-state           Distance-vector      Distance-vector
Classless support      Yes                  Yes                  No
VLSM support           Yes                  Yes                  No
Auto summarization     No                   Yes                  Yes
Manual summarization   Yes                  No                   No
Discontiguous          Yes                  Yes                  No
Route propagation      Multicast on change  Periodic multicast   Periodic
Path metric            Bandwidth            Hops                 Hops
Hop count limit        None                 15                   15
Convergence            Fast                 Slow                 Slow
Peer authentication    Yes                  Yes                  No
Hierarchical network   Yes (using areas)    Yes                  No
Updates                Event triggered      Route table updates  Route table updates
Route computation      Dijkstra             Bellman-Ford         Bellman-Ford

OSPF is supposed to be designed in a hierarchical fashion, which basically means
that you can separate the larger internetwork into smaller internetworks called areas. This
is the best design for OSPF.

The reasons for creating OSPF in a hierarchical design include:

• To decrease routing overhead
• To speed up convergence
• To confine network instability to single areas of the network

Each router in the network connects to the backbone called area 0, or the
backbone area. OSPF must have an area 0, and all routers should connect to this area if
at all possible. But routers that connect other areas to the backbone within an AS are
called Area Border Routers (ABRs). Still, at least one interface must be in area 0.
OSPF runs inside an autonomous system, but can also connect multiple
autonomous systems together. The router that connects these ASes together is called an
Autonomous System Boundary Router (ASBR).

OSPF Terminology

Link
A link is a network or router interface assigned to any given network. When an
interface is added to the OSPF process, it’s considered by OSPF to be a link.
Router ID
The Router ID (RID) is an IP address used to identify the router. Cisco chooses
the Router ID by using the highest IP address of all configured loopback interfaces. If no
loopback interfaces are configured with addresses, OSPF will choose the highest IP
address of all active physical interfaces.
Neighbors
Neighbors are two or more routers that have an interface on a common
network, such as two routers connected on a point-to-point serial link.
Adjacency
An adjacency is a relationship between two OSPF routers that permits the direct
exchange of route updates. OSPF is really picky about sharing routing information—
unlike EIGRP, which directly shares routes with all of its neighbors. Instead, OSPF
directly shares routes only with neighbors that have also established adjacencies. And not
all neighbors will become adjacent—this depends upon both the type of network and the
configuration of the routers.

Hello protocol

The OSPF Hello protocol provides dynamic neighbor discovery and maintains
neighbor relationships. Hello packets and Link State Advertisements (LSAs) build and
maintain the topological database. Hello packets are addressed to 224.0.0.5.
Neighborship database
The neighborship database is a list of all OSPF routers for which Hello packets
have been seen. A variety of details, including the Router ID and state, are maintained on
each router in the neighborship database.

Topology database

The topology database contains information from all of the Link State
Advertisement packets that have been received for an area. The router uses the
information from the topology database as input into the Dijkstra algorithm that computes
the shortest path to every network. LSA packets are used to update and maintain the
topology database.
Link State Advertisement
A Link State Advertisement (LSA) is an OSPF data packet containing link-state
and routing information that’s shared among OSPF routers. There are different types of
LSA packets. An OSPF router will exchange LSA packets only with routers to which it
has established adjacencies.

Designated router

A designated router (DR) is elected whenever OSPF routers are connected to the
same multi-access network. A prime example is an Ethernet LAN.
Backup designated router
A backup designated router (BDR) is a hot standby for the DR on multi-access
links. The BDR receives all routing updates from OSPF adjacent routers, but doesn’t
flood LSA updates.

OSPF areas

An OSPF area is a grouping of contiguous networks and routers. All routers in
the same area share a common Area ID.

Broadcast (multi-access)

Broadcast (multi-access) networks such as Ethernet allow multiple devices to
connect to (or access) the same network, as well as provide a broadcast ability in which a
single packet is delivered to all nodes on the network. In OSPF, a DR and a BDR must be
elected for each broadcast multi-access network.

Non-broadcast multi-access

Non-Broadcast Multi-Access (NBMA) networks are types such as Frame Relay,
X.25, and Asynchronous Transfer Mode (ATM). These networks allow for multi-access,
but have no broadcast ability like Ethernet. So, NBMA networks require special OSPF
configuration to function properly and neighbor relationships must be defined.

Point-to-point

Point-to-point refers to a type of network topology consisting of a direct
connection between two routers that provides a single communication path. The point-to-
point connection can be physical, as in a serial cable directly connecting two routers, or it
can be logical.

Point-to-multipoint

Point-to-multipoint refers to a type of network topology consisting of a series of
connections between a single interface on one router and multiple destination routers. All
of the interfaces on all of the routers sharing the point-to-multipoint connection belong to
the same network. As with point-to-point, no DRs or BDRs are needed.

SPF Tree Calculation

Within an area, each router calculates the best/shortest path to every network in
that same area. This calculation is based upon the information collected in the topology
database and an algorithm called shortest path first (SPF).
OSPF uses a metric referred to as cost. A cost is associated with every outgoing
interface included in an SPF tree. The cost of the entire path is the sum of costs of the
outgoing interfaces along the path.
Cisco uses a simple equation of 10^8 / bandwidth. The bandwidth is the configured
bandwidth for the interface. Using this rule, a 100Mbps Fast Ethernet interface would
have a default OSPF cost of 1 and a 10Mbps Ethernet interface would have a cost of 10.
An interface set with a bandwidth of 64,000 would have a default cost of 1563.

OSPF (Open Shortest Path First) Single Area Configuration
LAB

[Figure: single-area lab topology, recovered from the diagram]
1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- S3/0 20.0.0.2 3600A
3600A S3/1 30.0.0.1 -- S0/0 30.0.0.2 1700B
1700B F0/0 40.0.0.1

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router OSPF 1 (Process ID 1 - 65535)
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700A(config-router)#control Z
1700A#show ip route
1700A#show ip OSPF interface
1700A#show ip OSPF neighbors
1700A#show ip OSPF database

3600A
Router>en
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router OSPF 2 (Process ID 1 - 65535)
3600A(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600A(config-router)#control Z
3600A#show ip route
3600A#show ip OSPF interface
3600A#show ip OSPF neighbors
3600A#show ip OSPF database

1700B
Router>en
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router OSPF 1 (Process ID 1 - 65535)
1700B(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0
1700B(config-router)#control Z
1700B#show ip route
1700B#show ip OSPF interface
1700B#show ip OSPF neighbors
1700B#show ip OSPF database

OSPF (Open Shortest Path First) Broadcast Area Configuration

LAB

[Figure: broadcast lab topology, recovered from the diagram]
1700A F0/0 10.0.0.1, Loopback 20.0.0.1
1700B F0/0 10.0.0.2, Loopback 30.0.0.1
1700C F0/0 10.0.0.3, Loopback 40.0.0.1
All three F0/0 interfaces connect to the same switch.

When configuring OSPF on a broadcast network, follow these steps.

Step 1: Switch off our switch
Step 2: Configure the routers
Step 3: Switch on our switch
Why do we want to switch off the switch?
After the router configuration is finished, switch the switch back on. The OSPF routers
on the segment then run the election process; once it finishes, the first priority goes to
the Designated Router (DR) and the second priority to the Backup Designated Router
(BDR). The election is not pre-emptive, so a router that comes up later does not take
over from a DR that has already been elected; bringing the switch up last lets all three
routers see each other at the same time.
If we want to change the default priority, use the following command (priority 0 - 255;
the highest priority wins the election, and 0 means the router never becomes DR or BDR):
Router>en
Router#configure terminal
Router(config)#interface FastEthernet 0/0 (the interface on the shared segment)
Router(config-if)#ip ospf priority 1
or
Router(config-if)#ip ospf priority 2
or
Router(config-if)#ip ospf priority 3
Hello Interval Configuration
Router>en
Router#configure terminal
Router(config)#interface S0/0
Router(config-if)#ip ospf hello-interval 10 (seconds; 10 is the default)
Router(config-if)#ip ospf dead-interval 40 (seconds; the default is 4 × the hello interval)

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Loopback 0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#exit
1700A(config)#router OSPF 1 (Process ID 1 - 65535)
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.1 0.255.255.255 area 0
1700A(config-router)#control Z
1700A#show ip route
1700A#show ip OSPF interface
1700A#show ip OSPF neighbors
1700A#show ip OSPF database

1700B
Router>en
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 10.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Loopback 0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#exit
1700B(config)#router OSPF 1 (Process ID 1 - 65535)
1700B(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 30.0.0.1 0.255.255.255 area 0
1700B(config-router)#control Z
1700B#show ip route
1700B#show ip OSPF interface
1700B#show ip OSPF neighbors
1700B#show ip OSPF database

1700C
Router>en
Router#configure terminal
Router(config)#hostname 1700C
1700C(config)#interface FastEthernet 0/0
1700C(config-if)#ip address 10.0.0.3 255.0.0.0
1700C(config-if)#no shutdown
1700C(config-if)#interface Loopback 0
1700C(config-if)#ip address 40.0.0.1 255.0.0.0
1700C(config-if)#exit
1700C(config)#router OSPF 1 (Process ID 1 - 65535)
1700C(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700C(config-router)#network 40.0.0.1 0.255.255.255 area 0
1700C(config-router)#control Z
1700C#show ip route
1700C#show ip OSPF interface
1700C#show ip OSPF neighbors
1700C#show ip OSPF database
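The broadcast lab above depends on three rules from the terminology section: which interfaces a `network ... area` statement enables, how the Router ID is chosen (highest loopback, otherwise highest active physical address), and how priority and Router ID decide the DR and BDR. The script below is an added example, not the study guide's code, that applies those rules to the three lab routers so you can predict what `show ip ospf neighbors` should report before powering the switch on. Addresses are the lab's; the priorities are assumptions (default 1 unless `ip ospf priority` changes them).

```python
"""Added example (not from the study guide): OSPF network-statement matching,
Router ID selection and DR/BDR election for the broadcast lab above.

Addresses come from the lab; priorities are assumed to be the default of 1
unless overridden, as 'ip ospf priority' would do on each F0/0."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    loopbacks: List[str]   # addresses on loopback interfaces
    physical: List[str]    # addresses on active physical interfaces
    priority: int = 1      # 'ip ospf priority' on the shared segment

    def router_id(self) -> str:
        """Highest loopback address wins; with no loopbacks, the highest
        address on an active physical interface is used."""
        pool = self.loopbacks or self.physical
        return str(max(ipaddress.ip_address(a) for a in pool))


def matches_network_statement(iface_ip: str, net: str, wildcard: str) -> bool:
    """'network <net> <wildcard> area <n>' enables OSPF on an interface when
    every bit that is 0 in the wildcard is identical in <net> and the
    interface address (1 bits in the wildcard are 'don't care')."""
    ip = int(ipaddress.ip_address(iface_ip))
    n = int(ipaddress.ip_address(net))
    w = int(ipaddress.ip_address(wildcard))
    return (ip & ~w) == (n & ~w)


def elect_dr_bdr(routers: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Highest priority wins, ties are broken by the highest Router ID, and a
    router with priority 0 never takes part.  Returns (DR, BDR) by name.
    This models a fresh election, which is why the lab powers the switch on
    only after all routers are configured: OSPF does not pre-empt a sitting DR."""
    eligible = [r for r in routers if r.priority > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r.priority, ipaddress.ip_address(r.router_id())),
                    reverse=True)
    dr = ranked[0].name if ranked else None
    bdr = ranked[1].name if len(ranked) > 1 else None
    return dr, bdr


def lab_routers(priorities: Optional[Dict[str, int]] = None) -> List[Router]:
    """The three routers of the broadcast lab, with optional priority overrides."""
    priorities = priorities or {}
    routers = [
        Router("1700A", loopbacks=["20.0.0.1"], physical=["10.0.0.1"]),
        Router("1700B", loopbacks=["30.0.0.1"], physical=["10.0.0.2"]),
        Router("1700C", loopbacks=["40.0.0.1"], physical=["10.0.0.3"]),
    ]
    for r in routers:
        r.priority = priorities.get(r.name, 1)
    return routers


if __name__ == "__main__":
    for r in lab_routers():
        enabled = matches_network_statement(r.physical[0], "10.0.0.0", "0.255.255.255")
        print(f"{r.name}: RID {r.router_id()}, F0/0 in OSPF: {enabled}")
    print("default priorities  ->", elect_dr_bdr(lab_routers()))
    print("1700A priority 3    ->", elect_dr_bdr(lab_routers({"1700A": 3})))
    print("1700C priority 0    ->", elect_dr_bdr(lab_routers({"1700C": 0})))
```

With every priority left at 1, the loopbacks decide: 1700C (RID 40.0.0.1) becomes DR and 1700B (30.0.0.1) becomes BDR. Raising 1700A's priority to 3 makes it DR regardless of its lower RID, and setting 1700C to 0 removes it from the election entirely, which is the usual way to keep a router that should only ever be DROther out of the running.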

OSPF (Open Shortest Path First) – Multi Area Configuration

LAB

[Figure: multi-area lab topology, recovered from the diagram]
Area 0: 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- S3/0 20.0.0.2 3600A; 3600A S3/1 30.0.0.1 -- S1/0 30.0.0.2 3600B
Area 1: 3600B S1/1 40.0.0.1 -- S0/0 40.0.0.2 3600C
Area 2: 3600C S1/0 50.0.0.1 -- S0/0 50.0.0.2 1700B; 1700B F0/0 60.0.0.1
Loopbacks: 1700A 1.1.1.1, 3600A 2.2.2.2, 3600B 3.3.3.3, 3600C 4.4.4.4, 1700B 5.5.5.5
3600B is the Area Border Router between area 0 and area 1; 3600C is the Area Border
Router between area 1 and area 2 and reaches the backbone over a virtual link through
area 1 to 3600B.

1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Loopback 0
1700A(config-if)#ip address 1.1.1.1 255.255.255.255
1700A(config-if)#control Z
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#router OSPF 1
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 1.1.1.1 0.0.0.0 area 0
1700A(config-router)#control Z
1700A#show ip route
1700A#show ip OSPF interface
1700A#show ip OSPF neighbors
1700A#show ip OSPF database

3600A
Router>en
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#interface Loopback 0
3600A(config-if)#ip address 2.2.2.2 255.255.255.255
3600A(config-if)#exit
3600A(config)#router OSPF 2
3600A(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600A(config-router)#network 2.2.2.2 0.0.0.0 area 0
3600A(config-router)#control Z
3600A#show ip route
3600A#show ip OSPF interface
3600A#show ip OSPF neighbors
3600A#show ip OSPF database

3600B
Router>en
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface S1/0
3600B(config-if)#ip address 30.0.0.2 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#clock rate 64000
3600B(config-if)#interface S1/1
3600B(config-if)#ip address 40.0.0.1 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#interface Loopback 0
3600B(config-if)#ip address 3.3.3.3 255.255.255.255
3600B(config-if)#exit
3600B(config)#router OSPF 3
3600B(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600B(config-router)#network 40.0.0.0 0.255.255.255 area 1
3600B(config-router)#network 3.3.3.3 0.0.0.0 area 1
3600B(config-router)#control Z
3600B#show ip route
3600B#show ip OSPF interface
3600B#show ip OSPF neighbors
3600B#show ip OSPF database
Area 2 does not touch area 0, so to let its routers exchange update information with
the backbone a virtual link is created across area 1. It is configured on both Area Border
Routers, each naming the transit area and the Router ID of the other end:
3600B(config)#router OSPF 3
3600B(config-router)#area 1 virtual-link 4.4.4.4 (transit area 1; 4.4.4.4 is the Router ID of 3600C)

3600C
Router>en
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface S0/0
3600C(config-if)#ip address 40.0.0.2 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#clock rate 64000
3600C(config-if)#interface S1/0
3600C(config-if)#ip address 50.0.0.1 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#interface Loopback 0
3600C(config-if)#ip address 4.4.4.4 255.255.255.255
3600C(config-if)#exit
3600C(config)#router OSPF 4
3600C(config-router)#network 40.0.0.0 0.255.255.255 area 1
3600C(config-router)#network 50.0.0.0 0.255.255.255 area 2
3600C(config-router)#network 4.4.4.4 0.0.0.0 area 2
3600C(config-router)#area 1 virtual-link 3.3.3.3 (other end of the virtual link; 3.3.3.3 is the Router ID of 3600B)
3600C(config-router)#control Z
3600C#show ip route
3600C#show ip OSPF interface
3600C#show ip OSPF neighbors
3600C#show ip OSPF database

1700B
Router>en
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface S0/0
1700B(config-if)#ip address 50.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface FastEthernet 0/0
1700B(config-if)#ip address 60.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface loopback 0
1700B(config-if)#ip address 5.5.5.5 255.255.255.255
1700B(config-if)#exit
1700B(config)#router ospf 5
1700B(config-router)#network 50.0.0.0 0.255.255.255 area 2
1700B(config-router)#network 60.0.0.0 0.255.255.255 area 2
1700B(config-router)#network 5.5.5.5 0.0.0.0 area 2
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip ospf interface
1700B#show ip ospf neighbor
1700B#show ip ospf database
WAN Technologies
Frame-Relay

Frame-Relay Overview

– Connections made by virtual circuits


– Connection-oriented service
Frame-Relay Stack

Frame Relay mapped against the OSI reference model:

  OSI Reference Model                                 Frame-Relay
  Application / Presentation / Session /
  Transport / Network                                 IP/IPX/AppleTalk etc.
  Data-link                                           FRAME-RELAY
  Physical                                            EIA/TIA-232, EIA/TIA-449, V.35, X.21, EIA/TIA-530

Frame Relay Terminology
Selecting a Frame Relay Topology

• Frame Relay default: nonbroadcast, multiaccess (NBMA)

Reachability Issues with Routing Updates

• Problem:
– Broadcast traffic must be replicated for
each active connection.
– Split-horizon rule prevents routing updates received on
one interface from being forwarded out the same interface.

Resolving Reachability Issues

• Split horizon can cause problems in NBMA environments.


• Subinterfaces can resolve split horizon issues.
• Solution: A single physical interface simulates multiple logical
interfaces.

Frame Relay Address Mapping

– Use LMI to get locally significant DLCI from the Frame Relay
switch.
– Use Inverse ARP to map the local DLCI to the remote router’s
network layer address.
Frame Relay Signaling
Cisco supports three LMI standards:
• Cisco
• ANSI T1.617 Annex D
• ITU-T Q.933 Annex A

Frame Relay Inverse ARP and LMI Signaling

Stages of Inverse ARP and LMI Operation


How Service Providers Map Frame Relay DLCIs: Enterprise View
• Frame Relay is an ITU-T and ANSI standard that defines the process for
sending data over a public data network.
• The core aspects of Frame Relay function at the lower two layers of the OSI
reference model.
• Frame Relay allows you to interconnect your remote sites in a variety of
topologies including star, full mesh, and partial mesh.
• A Frame Relay NBMA topology may cause routing update reachability issues,
which are solved by using subinterfaces.
• A Frame Relay connection requires that, on a VC, the local DLCI be mapped
to a destination network layer address such as an IP address.
• LMI is a signaling standard between the router and the Frame Relay switch
that is responsible for managing the connection and maintaining status
between the devices.
• Service providers map Frame Relay DLCIs so that DLCIs with local
significance appear at each end of a Frame Relay connection.

Access rate:
The maximum speed at which the Frame Relay interface can transmit.
Committed Information Rate (CIR)
The maximum bandwidth of data guaranteed to be delivered.
Virtual Circuits
Frame Relay operates using virtual circuits. There are two types of virtual circuits:


Permanent
The telco creates the mappings inside their gear, and as long as you pay the bill,
they will remain in place.
Switched
The virtual circuit is established when data needs to be transmitted, then is taken
down when data transfer is complete.

Data Link Connection Identifiers (DLCIs)


• Frame Relay PVCs are identified to DTE end devices using Data Link
Connection Identifiers (DLCIs).
• Inverse ARP (IARP) is used to map a known DLCI to an IP address.
Local Management Interface (LMI)
o Local Management Interface (LMI) is a signaling standard used between your
router and the first Frame Relay switch.
o Keepalives: these verify that data is flowing.
Three standard LMI signaling formats :
o Cisco
o ANSI
o ITU-T

Frame Relay Congestion Control


Three types of congestion bits
Discard Eligibility (DE)
Forward Explicit Congestion Notification (FECN)
Backward Explicit Congestion Notification (BECN)

Discard Eligibility (DE)

When you burst (transmit packets beyond the CIR of a PVC), any packets
exceeding the CIR are eligible to be discarded if the provider's network is congested at
the time. Because of this, the excess frames have the Discard Eligibility (DE) bit set.
Forward Explicit Congestion Notification (FECN)
When the Frame Relay network recognizes congestion in the cloud, the switch
will set the Forward Explicit Congestion Notification (FECN) bit to 1 in a Frame Relay
packet header. This will indicate to the destination DTE that the path the frame just
traversed is congested.
Backward Explicit Congestion Notification (BECN)
When the switch detects congestion in the Frame Relay network, it’ll set the
Backward Explicit Congestion Notification (BECN) bit in a Frame Relay frame that’s
destined for the source router. This notifies the router that congestion is being
encountered ahead.
Frame-Relay Point-to-Point over OSPF Configuration
LAB

[Topology figure, reconstructed from the diagram text]
3600A acts as the Frame Relay switch: S3/0 connects to the hub 1700A, S3/1 to 3600B,
S3/2 to 3600C and S3/3 to 1700B.
1700A (hub): F0/0 10.0.0.1; S0/0 carries three point-to-point sub-interfaces:
  S0/0.100 - DLCI 100 - 20.0.0.1 -> 3600B S1/0 20.0.0.2 (Loopback 50.0.0.1)
  S0/0.200 - DLCI 200 - 30.0.0.1 -> 3600C S0/0 30.0.0.2 (Loopback 60.0.0.1)
  S0/0.300 - DLCI 300 - 40.0.0.1 -> 1700B S0/0 40.0.0.2 (Loopback 70.0.0.1)
The figure labels the switch-side DLCIs 101, 102 and 103; the switch configuration below
uses 101, 201 and 301.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#encapsulation frame-relay
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0.100 point-to-point
1700A(config-subif)#ip address 20.0.0.1 255.0.0.0
1700A(config-subif)#frame-relay interface-dlci 100
1700A(config-fr-dlci)#interface S0/0.200 point-to-point
1700A(config-subif)#ip address 30.0.0.1 255.0.0.0
1700A(config-subif)#frame-relay interface-dlci 200
1700A(config-fr-dlci)#interface S0/0.300 point-to-point
1700A(config-subif)#ip address 40.0.0.1 255.0.0.0
1700A(config-subif)#frame-relay interface-dlci 300
1700A(config-fr-dlci)#^Z
1700A#show ip interface brief
1700A#configure terminal
1700A(config)#router ospf 1
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 40.0.0.0 0.255.255.255 area 0
1700A(config-router)#^Z
1700A#sh ip route
1700A#show frame-relay map

LMI Configuration
(The LMI type must match the one configured on the Frame Relay switch; 3600A below uses cisco.)
1700A#conf t
1700A(config)#interface S0/0
1700A(config-if)#frame-relay lmi-type cisco
Or
1700A(config-if)#frame-relay lmi-type ansi
Or
1700A(config-if)#frame-relay lmi-type q933a
1700A(config-if)#^Z
1700A#sh ip route
1700A#show frame-relay map
1700A#show frame-relay pvc
1700A#show frame-relay lmi

3600B
Router>enable
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface Loopback 0
3600B(config-if)#ip address 50.0.0.1 255.0.0.0
3600B(config-if)#interface S1/0
3600B(config-if)#encapsulation frame-relay
3600B(config-if)#ip address 20.0.0.2 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#ip ospf network point-to-point
3600B(config-if)#^Z
3600B#sh ip route
3600B#configure terminal
3600B(config)#router ospf 1
3600B(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600B(config-router)#network 50.0.0.0 0.255.255.255 area 0
3600B(config-router)#^Z
3600B#show frame-relay map
3600B#conf t
3600B(config)#interface S1/0
3600B(config-if)#frame-relay lmi-type cisco
Or
3600B(config-if)#frame-relay lmi-type ansi
Or
3600B(config-if)#frame-relay lmi-type q933a
3600B(config-if)#^Z
3600B#sh ip route
3600B#show frame-relay map
3600B#show frame-relay pvc
3600B#show frame-relay lmi

3600C
Router>enable
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface Loopback 0
3600C(config-if)#ip address 60.0.0.1 255.0.0.0
3600C(config-if)#interface S0/0
3600C(config-if)#encapsulation frame-relay
3600C(config-if)#ip address 30.0.0.2 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#ip ospf network point-to-point
3600C(config-if)#exit
3600C(config)#router ospf 1
3600C(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600C(config-router)#network 60.0.0.0 0.255.255.255 area 0
3600C(config-router)#^Z
3600C#show frame-relay map
3600C#configure terminal
3600C(config)#interface S0/0
3600C(config-if)#frame-relay lmi-type cisco
Or
3600C(config-if)#frame-relay lmi-type ansi
Or
3600C(config-if)#frame-relay lmi-type q933a
3600C(config-if)#^Z
3600C#sh ip route
3600C#show frame-relay map
3600C#show frame-relay pvc
3600C#show frame-relay lmi
1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface loopback 0
1700B(config-if)#ip address 70.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/0
1700B(config-if)#encapsulation frame-relay
1700B(config-if)#ip address 40.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#ip ospf network point-to-point
1700B(config-if)#exit
1700B(config)#router ospf 1
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 70.0.0.0 0.255.255.255 area 0
1700B(config-router)#^Z
1700B#show frame-relay map
1700B#configure terminal
1700B(config)#interface S0/0
1700B(config-if)#frame-relay lmi-type cisco
Or
1700B(config-if)#frame-relay lmi-type ansi
Or
1700B(config-if)#frame-relay lmi-type q933a
1700B(config-if)#^Z
1700B#sh ip route
1700B#show frame-relay map
1700B#show frame-relay pvc
1700B#show frame-relay lmi

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#frame-relay switching
3600A(config)#interface Serial3/0
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 100 interface Serial3/1 101
3600A(config-if)#frame-relay route 200 interface Serial3/2 201
3600A(config-if)#frame-relay route 300 interface Serial3/3 301
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface Serial3/1
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 101 interface Serial3/0 100
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface Serial3/2
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 201 interface Serial3/0 200
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface Serial3/3
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay lmi-type cisco
3600A(config-if)#frame-relay route 301 interface Serial3/0 300
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#^Z
3600A#show frame-relay lmi
3600A#show frame-relay route
3600A#show frame-relay pvc
3600A#show frame-relay map
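The congestion bits explained under Frame Relay Congestion Control and the frame-relay route entries of the 3600A switch above, worked through in Python as an added example (not code from the original notes): it decodes and builds the two-byte Q.922 address field, marks frames sent beyond the CIR as discard-eligible, and switches a frame between ports by rewriting its locally significant DLCI. The interface names and route pairs come from the 3600A configuration; the frames and byte counts are constructed.

```python
"""Frame Relay address field, DE marking and DLCI switching (added example, not from the notes)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FrameRelayHeader:
    dlci: int    # locally significant circuit number (10 bits in the 2-byte header)
    cr: bool     # command/response bit (not used by Frame Relay itself)
    fecn: bool   # set by the switch towards the destination: the path traversed is congested
    becn: bool   # set by the switch towards the source: congestion ahead, slow down
    de: bool     # discard eligible: the frame exceeded the CIR and may be dropped first


def parse_header(frame: bytes) -> FrameRelayHeader:
    """Decode the standard 2-byte Q.922 address field at the start of a frame.

    Byte 0: DLCI bits 9..4 | C/R | EA=0      Byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    """
    if len(frame) < 2:
        raise ValueError("frame too short for an address field")
    b0, b1 = frame[0], frame[1]
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("EA bits do not describe a 2-byte address field")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrameRelayHeader(dlci=dlci, cr=bool(b0 & 0x02), fecn=bool(b1 & 0x08),
                            becn=bool(b1 & 0x04), de=bool(b1 & 0x02))


def build_header(dlci: int, fecn=False, becn=False, de=False, cr=False) -> bytes:
    """Inverse of parse_header for a 10-bit DLCI."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (0x02 if cr else 0)                      # EA = 0
    b1 = ((dlci & 0x0F) << 4) | (0x08 if fecn else 0) | (0x04 if becn else 0) \
        | (0x02 if de else 0) | 0x01                                    # EA = 1
    return bytes([b0, b1])


def mark_discard_eligible(frame_sizes, committed_bytes):
    """Within one measurement interval, frames sent beyond the CIR get DE=1.

    Returns one flag per frame. The frame that crosses the committed limit is
    marked as a whole: the switch does not split frames.
    """
    sent, flags = 0, []
    for size in frame_sizes:
        sent += size
        flags.append(sent > committed_bytes)
    return flags


# (port, DLCI) pairs of the 3600A switch in the point-to-point lab, in both directions.
LAB_ROUTES = {
    ("Serial3/0", 100): ("Serial3/1", 101), ("Serial3/1", 101): ("Serial3/0", 100),
    ("Serial3/0", 200): ("Serial3/2", 201), ("Serial3/2", 201): ("Serial3/0", 200),
    ("Serial3/0", 300): ("Serial3/3", 301), ("Serial3/3", 301): ("Serial3/0", 300),
}


def switch_frame(routes, in_if, frame):
    """Forward a frame the way 'frame-relay route' does: look up (port, DLCI), rewrite the DLCI.

    Returns (out_if, new_frame), or None when no PVC exists, in which case the
    switch drops the frame. The congestion bits are carried across unchanged.
    """
    hdr = parse_header(frame)
    if (in_if, hdr.dlci) not in routes:
        return None
    out_if, out_dlci = routes[(in_if, hdr.dlci)]
    new_hdr = build_header(out_dlci, fecn=hdr.fecn, becn=hdr.becn, de=hdr.de, cr=hdr.cr)
    return out_if, new_hdr + frame[2:]


if __name__ == "__main__":
    # Constructed frame from the hub 1700A on DLCI 100 with a BECN set by the provider.
    frame = build_header(100, becn=True) + b"ospf hello"
    print(parse_header(frame))
    print(switch_frame(LAB_ROUTES, "Serial3/0", frame))
    print(mark_discard_eligible([500, 500, 500], committed_bytes=1200))
```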
Frame-Relay Point-to-Multipoint over OSPF Configuration
LAB

[Topology figure, reconstructed from the diagram text]
Same physical layout as the point-to-point lab: 3600A is the Frame Relay switch (S3/0 to
1700A, S3/1 to 3600B, S3/2 to 3600C, S3/3 to 1700B) with DLCIs 100, 200 and 300 on
the hub side and 101, 102 and 103 (as drawn) on the spoke side.
All Frame Relay interfaces now share one subnet, 20.0.0.0/8:
  1700A (hub): F0/0 10.0.0.1, S0/0 20.0.0.1
  3600B: S1/0 20.0.0.2, Loopback 30.0.0.1
  3600C: 20.0.0.3, Loopback 40.0.0.1
  1700B: S0/0 20.0.0.4, Loopback 50.0.0.1


1700A
Router>en
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface f0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface s0/0
1700A(config-if)#encapsulation frame-relay
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#ip ospf network point-to-multipoint
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router ospf 1
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700A(config-router)#^Z
1700A#show ip ospf neighbor
1700A#show ip ospf database
3600B
Router>en
Router#configure terminal
Router(config)#hostname 3600B
3600B(config)#interface loopback 0
3600B(config-if)#ip address 30.0.0.1 255.0.0.0
3600B(config-if)#interface s1/0
3600B(config-if)#encapsulation frame-relay
3600B(config-if)#ip address 20.0.0.2 255.0.0.0
3600B(config-if)#no shutdown
3600B(config-if)#ip ospf network point-to-multipoint
3600B(config-if)#exit
3600B(config)#router ospf 1
3600B(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600B(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600B(config-router)#^Z
3600B#show ip route
3600B#show frame-relay map
3600B#show frame-relay pvc


3600C
Router>en
Router#configure terminal
Router(config)#hostname 3600C
3600C(config)#interface loopback 0
3600C(config-if)#ip address 40.0.0.1 255.0.0.0
3600C(config-if)#interface s1/0
3600C(config-if)#encapsulation frame-relay
3600C(config-if)#ip address 20.0.0.3 255.0.0.0
3600C(config-if)#no shutdown
3600C(config-if)#ip ospf network point-to-multipoint
3600C(config-if)#exit
3600C(config)#router ospf 1
3600C(config-router)#network 20.0.0.0 0.255.255.255 area 0
3600C(config-router)#network 40.0.0.0 0.255.255.255 area 0
3600C(config-router)#^Z
3600C#show ip route
3600C#show frame-relay map
3600C#show frame-relay pvc
3600A
Router>en
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#frame-relay switching
3600A(config)#interface s3/0
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 100 interface s3/1 101
3600A(config-if)#frame-relay route 200 interface s3/2 201
3600A(config-if)#frame-relay route 300 interface s3/3 301
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface s3/1
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 101 interface s3/0 100
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface s3/2
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 201 interface s3/0 200
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#interface s3/3
3600A(config-if)#encapsulation frame-relay
3600A(config-if)#frame-relay intf-type dce
3600A(config-if)#frame-relay route 301 interface s3/0 300
3600A(config-if)#clock rate 64000
3600A(config-if)#no shutdown
3600A(config-if)#^Z
3600A#show frame-relay map
3600A#show frame-relay pvc
Managing Traffic with Access Lists

 An access list is essentially a list of conditions that categorize packets.


 They can be really helpful when you need control over network traffic.
 Manage IP traffic as network access grows.
 Filter packets as they pass through the router.

There are a few important rules that a packet follows when it’s being compared with an
access list:

• It’s always compared with each line of the access list in sequential order—i.e.,
it’ll always start with the first line of the access list, then go to line 2, then line 3,
and so on.

• It’s compared with lines of the access list only until a match is made. Once the
packet matches the condition on a line of the access list, the packet is acted upon,
and no further comparisons take place.

• There is an implicit “deny” at the end of each access list—this means that if a
packet doesn’t match the condition on any of the lines in the access list, the packet
will be discarded.

Two main types of access lists


1. Standard access lists

These use only the source IP address in an IP packet as the condition test.
All decisions are made based on source IP address. This means that standard access lists
basically permit or deny an entire suite of protocols.

2. Extended access lists

Extended access lists can evaluate many of the other fields in the
Layer 3 and layer 4 headers of an IP packet. They can evaluate source and destination IP
addresses, the protocol field in the Network layer header, and port number at the
Transport layer header. This gives extended access lists the ability to make much more
granular decisions when controlling traffic.

Named access lists

Technically there really are only two since named access lists are either standard or
extended and not actually a new type. They’re created and referred to differently than
standard and extended access lists. But they’re functionally the same.
Access List Configuration Guidelines

 Access list numbers indicate which protocol is filtered.

 One access list per interface, per protocol, per direction is allowed.

 The order of access list statements controls testing.

 Place the most restrictive statements at the top of the list.

 There is an implicit deny any statement as the last access list test. Every list needs at
least one permit statement.

 Create access lists before applying them to interfaces.

 Any time a new entry is added to the access list, it will be placed at the bottom of the
list.

 Access lists filter traffic going through the router; they do not apply to traffic
originating from the router.

 You cannot remove one line from an access list. If you try to do this, you will remove
the entire list.

Inbound access lists


When an access list is applied to inbound packets on an interface, those packets
are processed through the access list before being routed to the outbound interface. Any
packets that are denied won’t be routed because they’re discarded before the routing
process is invoked.
Outbound access lists
When an access list is applied to outbound packets on an interface, those packets
are routed to the outbound interface and then processed through the access list
before being queued.

Access-list types are generally differentiated using a number:

  1-99        IP standard access list
  100-199     IP extended access list
  200-299     Protocol type-code access list
  300-399     DECnet access list
  600-699     AppleTalk access list
  700-799     48-bit MAC address access list
  800-899     IPX standard access list
  900-999     IPX extended access list
  1000-1099   IPX SAP access list
  1100-1199   Extended 48-bit MAC address access list
  1200-1299   IPX summary address access list
  1300-1999   IP standard access list (expanded range)
  2000-2699   IP extended access list (expanded range)
Well-Known TCP Port Numbers
In TCP/IP and UDP networks, a port is an endpoint of a logical connection and the
way a client program specifies a particular server program on a computer in a network.
Some ports have numbers that are preassigned to them by the IANA (Internet Assigned
Numbers Authority), and these are known as well-known ports (specified in RFC 1700).
Port numbers range from 0-65536.

  Port    Description
  1       TCP Port Service Multiplexer (TCPMUX)
  5       Remote Job Entry
  7       ECHO (echo)
  9       DISCARD (discard)
  13      DAYTIME (daytime)
  18      MSP (Message Send Protocol)
  19      Chargen (character generator)
  20      FTP (File Transfer Protocol) - Data
  21      FTP (File Transfer Protocol) - Control
  23      TELNET
  25      SMTP (Simple Mail Transfer Protocol)
  29      MSG ICP
  37      TIME
  42      Host Name Server
  43      WhoIs (nickname)
  49      Login Host Protocol / TAC Access Control System
  53      DNS (Domain Name Server)
  69      TFTP (Trivial File Transfer Protocol)
  70      Gopher Services
  71      Finger
  80      HTTP (Hypertext Transfer Protocol)
  101     NIC Host Name Server
  103     X.400 Standard
  109     POP2 (Post Office Protocol Version 2)
  110     POP3 (Post Office Protocol Version 3)
  111     Sun Remote Procedure Call (sunrpc)
  113     Ident Protocol (ident)
  115     SFTP (Simple File Transfer Protocol)
  118     SQL Services
  119     NNTP (Network News Transport Protocol)
  137     NetBIOS Name Service
  139     NetBIOS Datagram Service
  143     IMAP (Interim Mail Access Protocol)
  150     NetBIOS Session Service
  156     SQL Server
  161     SNMP
  179     BGP (Border Gateway Protocol)
  190     GACP (Gateway Access Control Protocol)
  194     Internet Relay Chat (irc)
  197     DLS (Directory Location Service)
  389     LDAP (Lightweight Directory Access Protocol)
  396     Novell Netware Over IP
  443     HTTPS
  444     SNPP (Simple Network Paging Protocol)
  445     Microsoft-DS
  448     Apple QuickTime
  512     EXEC (exec)
  513     LOGIN (rlogin)
  514     RCMD (Remote Command)
  515     LPD Printer Service
  540     UUCP (Unix-to-Unix Copy Program)
  543     KLOGIN (Kerberos Login)
  544     KSHELL (Kerberos Shell)
  546     DHCP - Client
  547     DHCP - Server
  563     SNEWS
  569     MSN
  1080    SOCKS
Standard access lists Configuration
LAB

[Topology figure, reconstructed from the diagram text]
1700A: F0/0 10.0.0.1 (switch with hosts 10.0.0.2 and 10.0.0.3), S0/0 20.0.0.1
1700B: S0/0 20.0.0.2, F0/0 30.0.0.1 (switch with hosts 30.0.0.2 and 30.0.0.3)

Task: block TELNET traffic from 30.0.0.3; permit all other traffic.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#enable secret <enable-secret>
1700A(config)#line vty 0 4
1700A(config-line)#password 123
1700A(config-line)#login
1700A(config-line)#exit
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip protocols
1700A#configure terminal
1700A(config)#access-list 10 deny 30.0.0.3 0.0.0.0 (standard access-list, range 1-99; wildcard mask 0.0.0.0 matches this one host only)
1700A(config)#access-list 10 permit any (every other source may still telnet in)
1700A(config)#line vty 0 4 (applied to the telnet lines, not to an interface)
1700A(config-line)#access-class 10 in (enable)
1700A(config-line)#no access-class 10 in (disable)
1700A(config-line)#^Z
1700A#show ip access-list

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip protocols
Extended access lists Configuration
LAB

[Topology figure, reconstructed from the diagram text; it marks each interface's
inbound and outbound direction]
1700A: F0/0 10.0.0.1 (switch with hosts 10.0.0.2 and 10.0.0.3), S0/0 20.0.0.1
1700B: S0/0 20.0.0.2, F0/0 30.0.0.1 (switch with hosts 30.0.0.2 and 30.0.0.3)

Task: block FTP traffic from 30.0.0.2; permit all other traffic.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip protocols
1700A#configure terminal
1700A(config)#access-list 100 deny tcp 30.0.0.2 0.0.0.0 10.0.0.2 0.0.0.0 eq 21
30.0.0.2 - source IP address (wildcard 0.0.0.0: this one host only)
10.0.0.2 - destination IP address
eq 21 - destination port equal to 21 (21 is the FTP control port)
100 - extended access-list, range 100-199

1700A(config)#access-list 100 permit ip any any
any any - every other source and destination is permitted; without this line the
implicit deny at the end of the list would drop all other traffic leaving F0/0.

1700A(config)#interface F0/0
1700A(config-if)#ip access-group 100 out (outbound on the LAN interface)
1700A(config-if)#^Z
1700A#show ip access-list

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip protocols
Extended access lists Configuration
LAB - 2

[Topology figure, reconstructed from the diagram text; it marks each interface's
inbound and outbound direction]
1700A: F0/0 10.0.0.1 (switch with hosts 10.0.0.2 and 10.0.0.3), S0/0 20.0.0.1
1700B: S0/0 20.0.0.2, F0/0 30.0.0.1 (switch with hosts 30.0.0.2, 30.0.0.3 and 30.0.0.4)

Tasks:
  Block FTP and HTTP traffic from 30.0.0.4
  Block HTTP traffic from 30.0.0.3
  Permit all other traffic
  Block ICMP packets from 10.0.0.2

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#show ip protocols
1700A#configure terminal

Block HTTP from 30.0.0.3 to the whole 10.0.0.0 network (the two forms are equivalent):
1700A(config)#access-list 100 deny tcp 30.0.0.3 0.0.0.0 10.0.0.0 0.255.255.255 eq 80
or
1700A(config)#access-list 100 deny tcp host 30.0.0.3 10.0.0.0 0.255.255.255 eq 80

Block FTP and HTTP from 30.0.0.4 to 10.0.0.2:
1700A(config)#access-list 100 deny tcp 30.0.0.4 0.0.0.0 10.0.0.2 0.0.0.0 eq 21
or
1700A(config)#access-list 100 deny tcp host 30.0.0.4 10.0.0.2 0.0.0.0 eq 21

1700A(config)#access-list 100 deny tcp 30.0.0.4 0.0.0.0 10.0.0.2 0.0.0.0 eq 80
or
1700A(config)#access-list 100 deny tcp host 30.0.0.4 10.0.0.2 0.0.0.0 eq 80

Permit everything else (otherwise the implicit deny drops all remaining traffic):
1700A(config)#access-list 100 permit ip any any

Apply the list once, either outbound on the LAN interface or inbound on the serial interface:
1700A(config)#interface F0/0
1700A(config-if)#ip access-group 100 out (traffic leaving towards the 10.0.0.0 LAN)
or
1700A(config)#interface S0/0
1700A(config-if)#ip access-group 100 in (traffic arriving from 1700B)
1700A(config-if)#^Z
1700A#show ip access-list
1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#show ip protocols
1700B#configure terminal
1700B(config)#access-list 199 deny icmp 10.0.0.2 0.0.0.0 30.0.0.0 0.255.255.255 echo
1700B(config)#access-list 199 permit ip any any
1700B(config)#interface S0/0
1700B(config-if)#ip access-group 199 in
1700B(config-if)#^Z
1700B#show ip access-list
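The three matching rules given at the start of this chapter (top-down order, first match wins, implicit deny at the end) and the LAB-2 lists above, run in Python as an added example that is not part of the original notes: the evaluator parses the numbered access-list lines as typed on 1700A and 1700B and decides the fate of constructed packets. The Packet class, the PORT_NAMES table and the sample packets are assumptions of this example.

```python
"""Evaluate Cisco-style numbered access lists over constructed packets (added example)."""
import ipaddress
from dataclasses import dataclass

# Port keywords IOS accepts in place of a number (subset).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}

ANY = ("0.0.0.0", "255.255.255.255")   # address/wildcard pair that matches everything


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port for tcp/udp
    icmp_type: str = ""   # "echo", "echo-reply", ... for icmp


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(t, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (pair, next index)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1          # bare address in a standard list = one host


def parse_ace(line: str) -> dict:
    """Parse one 'access-list <n> permit|deny ...' line (standard 1-99/1300-1999, else extended)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("not an access-list entry: " + line)
    number, action = int(t[1]), t[2]
    ace = {"number": number, "action": action, "proto": "ip", "dst": ANY,
           "dport": None, "icmp_type": None}
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        ace["src"], _ = _parse_addr(t, 3)            # standard list: source address only
        return ace
    ace["proto"] = t[3]
    ace["src"], i = _parse_addr(t, 4)
    ace["dst"], i = _parse_addr(t, i)
    if ace["proto"] in ("tcp", "udp") and i + 1 < len(t) and t[i] == "eq":
        ace["dport"] = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    elif ace["proto"] == "icmp" and i < len(t):
        ace["icmp_type"] = t[i]
    return ace


def ace_matches(ace: dict, pkt: Packet) -> bool:
    """True when every field the entry specifies agrees with the packet."""
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["icmp_type"] is not None and pkt.icmp_type != ace["icmp_type"]:
        return False
    return True


def evaluate(acl_lines, pkt: Packet):
    """Top-down, first match wins; a packet matching no line hits the implicit deny.

    Returns (action, index of the matching line), or ("deny", None) for the implicit deny.
    """
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return "deny", None


# The two lists from LAB-2 (1700A and 1700B), exactly as configured.
ACL_100 = [
    "access-list 100 deny tcp host 30.0.0.3 10.0.0.0 0.255.255.255 eq 80",
    "access-list 100 deny tcp host 30.0.0.4 10.0.0.2 0.0.0.0 eq 21",
    "access-list 100 deny tcp host 30.0.0.4 10.0.0.2 0.0.0.0 eq 80",
    "access-list 100 permit ip any any",
]
ACL_199 = [
    "access-list 199 deny icmp 10.0.0.2 0.0.0.0 30.0.0.0 0.255.255.255 echo",
    "access-list 199 permit ip any any",
]

if __name__ == "__main__":
    print(evaluate(ACL_100, Packet("tcp", "30.0.0.3", "10.0.0.3", 80)))       # ('deny', 0)
    print(evaluate(ACL_100, Packet("tcp", "30.0.0.4", "10.0.0.3", 80)))       # ('permit', 3)
    print(evaluate(ACL_199, Packet("icmp", "10.0.0.2", "30.0.0.2", icmp_type="echo")))
    print(evaluate(ACL_100[:-1], Packet("udp", "30.0.0.2", "10.0.0.2", 53)))  # ('deny', None)
```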

Network Address Translator (NAT)


This is used when an end user's network only needs to have a few addresses
available to access the global Internet.
A table is created on the router that maps 'inside local' addresses to 'inside global'
addresses, which are the legal (publicly routable) IP addresses.
This mapping can be done statically or via the use of a dynamic pool of available legal
addresses.

Following are a number of different ways to implement NAT:


Static Address Translation
This is where one-to-one mapping is carried out between inside
local and outside global addresses.
Dynamic Source Address Translation
This is where individual addresses within a pool of global addresses are
dynamically mapped to local addresses.

NAT operation is illustrated in the following diagram:


For both static and dynamic NAT the process occurs as follows:
An inside station connects to an outside station.
When the first packet arrives from the inside station the router checks the NAT table.

If no static match has been found the router carries out a translation of the inside
address to an outside address from the available pool of outside addresses by
replacing the address. The resultant mapping is saved as a 'simple entry'.
The outside station receives the packet and replies to the outside address given by the
NAT table.
The router carries out a lookup in its table of inside to outside address mappings and
forwards the packet to the station with the inside address.
The packet is received and the rest of the conversation uses the NAT table.

Address Overloading (PAT)


Sometimes called Port Address Translation (PAT), this is where each client uses
the same IP address but uses a different port. A good example is access to a web
server.Users from a private address, say in the 10.0.0.0 network, have their individual
addresses translated to just one legal IP address but separate port numbers between 1024
and 65535.
They can all have separate conversations with a web server having just one
address and destination port of 80 (HTTP). This applies just as well if one user has
several sessions with the same web server, the different port numbers distinguish the
sessions.

The process operates as follows:

 An inside station connects to an outside station.

 When the first packet arrives from the inside station the router checks the NAT
table.

 If no static match has been found the router carries out a translation
of the inside address to an outside address from the available pool of outside
addresses by replacing the address. The resultant mapping is saved as an
'extended entry'. If other inside addresses want to connect to outside stations then
the same IP address is used but a different TCP port is utilised to distinguish the
conversations.

 The outside station receives the packet and replies to the outside address
given by the NAT table.

 The router carries out a lookup in its table of inside to outside address and port
mappings and forwards the packet to the station with the inside address.
 The packet is received and the rest of the conversation uses the NAT table.

Static NAT Configuration

LAB

[Topology figure, reconstructed from the diagram text]
1700A: F0/0 10.0.0.1 (switch with hosts 10.0.0.2 and 10.0.0.3), S0/0 20.0.0.1
1700B: S0/0 20.0.0.2, F0/0 30.0.0.1 (switch with SERVER 30.0.0.2)

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
1700A(config)#exit
1700A#show ip route
1700A#show ip interface brief
1700A#config t
1700A(config)#ip nat inside source static 10.0.0.2 20.0.0.1
1700A(config)#interface F0/0
1700A(config-if)#ip nat inside
1700A(config-if)#interface S0/0
1700A(config-if)#ip nat outside
1700A(config-if)#^Z
1700A#debug ip nat
1700A#show ip nat translations

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
Dynamic NAT Configuration
LAB

Topology (from the lab diagram): hosts 10.0.0.65 and 10.0.0.66 -- Switch -- 1700A F0/0 (in the
10.0.0.64/26 block), S0/0 20.0.0.1 -- ISP 1700B S0/0 20.0.0.2, F0/0 30.0.0.1 -- Switch -- SERVER 30.0.0.2
ISP-provided public block: 200.200.200.0/24

Major Network ID in LAN: 10.0.0.0/8

Need 62 IPs: 2^6 = 64, 64 - 2 = 62 usable hosts, so 6 host bits are kept and 2 bits are
borrowed from the last octet (/26).

NID - 10.0.0.64
FHID - 10.0.0.65
LHID - 10.0.0.126
BCID - 10.0.0.127
Subnet mask - 255.255.255.192 (wildcard mask for the access-list: 0.0.0.63)

ISP Provided ID 200.200.200.0/24

Need 6 IPs: 2^3 = 8, 8 - 2 = 6 usable hosts, so 3 host bits are kept (/29).

NID - 200.200.200.8
FHID - 200.200.200.9
LHID - 200.200.200.14
BCID - 200.200.200.15
Subnet mask - 255.255.255.248
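
The same arithmetic done in code, as an added check that is not from the original notes: it reproduces the two blocks above with Python's ipaddress module, emits the IOS lines the pool needs (the access-list takes a wildcard mask, the pool a netmask), and refuses a network or broadcast address for an interface. The function names (block_summary, assignable, nat_lines) are the example's own.

```python
"""Subnet arithmetic for the dynamic NAT lab, checked in code.

Added example, not from the page. It reproduces the /26 inside block and the
/29 ISP pool worked out above, emits the matching IOS lines, and checks that an
address about to be put on an interface is a usable host address.
"""
import ipaddress
from typing import Dict, List


def block_summary(network: str) -> Dict[str, object]:
    """NID / FHID / LHID / BCID / masks for a block written in prefix notation."""
    net = ipaddress.ip_network(network, strict=True)  # strict: '10.0.0.65/26' is rejected
    hosts = list(net.hosts())
    return {
        "NID": str(net.network_address),
        "FHID": str(hosts[0]),
        "LHID": str(hosts[-1]),
        "BCID": str(net.broadcast_address),
        "mask": str(net.netmask),
        "wildcard": str(net.hostmask),  # what the access-list line needs, not the subnet mask
        "usable": len(hosts),
    }


def assignable(address: str, network: str) -> bool:
    """True only for a host address inside the block; network and broadcast addresses fail."""
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(address)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def nat_lines(inside: str, pool: str, pool_name: str, acl: int) -> List[str]:
    """ACL, pool and translation rule for dynamic NAT from `inside` to the public `pool`."""
    i = ipaddress.ip_network(inside, strict=True)
    p = ipaddress.ip_network(pool, strict=True)
    first, last = list(p.hosts())[0], list(p.hosts())[-1]
    return [
        f"access-list {acl} permit {i.network_address} {i.hostmask}",
        f"ip nat pool {pool_name} {first} {last} netmask {p.netmask}",
        f"ip nat inside source list {acl} pool {pool_name}",
    ]


if __name__ == "__main__":
    for block in ("10.0.0.64/26", "200.200.200.8/29"):
        print(block, block_summary(block))
    print("10.0.0.64 assignable to F0/0?", assignable("10.0.0.64", "10.0.0.64/26"))
    print("\n".join(nat_lines("10.0.0.64/26", "200.200.200.8/29", "CCNA", 1)))
```

Running it prints the values in the two tables above and the three NAT lines; the assignable check is the one the router configuration below has to pass before an address goes on F0/0.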
1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.65 255.255.255.192 (10.0.0.64 is the network address of the /26 and cannot be assigned to an interface; with the router on .65 the hosts use 10.0.0.66 onwards)
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
1700A(config)#exit
1700A#show ip route
1700A#show ip interface brief
1700A#config t
1700A(config)#access-list 1 permit 10.0.0.64 0.0.0.63 (the list number comes before permit; 0.0.0.63 is the wildcard mask of the /26)
1700A(config)#ip nat pool CCNA 200.200.200.9 200.200.200.14 netmask 255.255.255.248
1700A(config)#ip nat inside source list 1 pool CCNA
1700A(config)#interface F0/0
1700A(config-if)#ip nat inside
1700A(config-if)#interface S0/0
1700A(config-if)#ip nat outside
1700A(config-if)#end
1700A#debug ip nat
1700A#show ip nat translations
The pool holds only six addresses for up to 62 inside hosts: without the overload keyword, the
seventh simultaneous host gets no translation until an entry times out (24 hours by default for
dynamic entries).

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#ip route 200.200.200.0 255.255.255.0 20.0.0.1 (return traffic for the public pool must be routed back to 1700A)
1700B(config)#exit
1700B#show ip route

PAT (Port Address Translation) Configuration

LAB

Topology (from the lab diagram): hosts 10.0.0.2 and 10.0.0.3 -- Switch -- 1700A F0/0 10.0.0.1,
S0/0 20.0.0.1 -- ISP 1700B S0/0 20.0.0.2, F0/0 30.0.0.1 -- Switch -- SERVER 30.0.0.2

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip route 0.0.0.0 0.0.0.0 20.0.0.2
1700A(config)#access-list 1 permit 10.0.0.0 0.255.255.255
1700A(config)#ip nat inside source list 1 interface S0/0 overload
1700A(config)#interface F0/0
1700A(config-if)#ip nat inside
1700A(config-if)#interface S0/0
1700A(config-if)#ip nat outside
PAT is configured so that the private network can communicate with the public network:
private addresses are not routable on the Internet, so every inside host is translated to the
address of S0/0. For a host on the remote (public) side to reach a service on an inside
machine, a static port-forwarding entry is needed. The following commands publish the FTP and
HTTP servers running on 10.0.0.2:
1700A(config)#ip nat inside source static tcp 10.0.0.2 21 20.0.0.1 21 extendable
1700A(config)#ip nat inside source static tcp 10.0.0.2 80 20.0.0.1 80 extendable
10.0.0.2 - the inside machine that hosts the service
20.0.0.1 - the public IP (the S0/0 address) on which the service is reachable
21 - FTP port number
80 - HTTP port number
extendable - allows several static entries that share the same local or global address (here
told apart by port) to coexist with the overload rule
These two entries expose the FTP and HTTP servers to every host that can reach 20.0.0.1;
forward only the ports that must be public, and restrict the sources with an access-list on
S0/0 where possible.

How to check?
From a remote machine (any network that can reach 20.0.0.1):
ftp://20.0.0.1/ (download the file you want)
http://20.0.0.1/shalom.html

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown

High-Level Data-Link Control (HDLC)

 The High-Level Data-Link Control (HDLC) protocol is a popular ISO-standard,
bit-oriented Data Link layer protocol.

 It specifies an encapsulation method for data on synchronous serial data links
using frame characters and checksums.

 HDLC is a point-to-point protocol used on leased lines. No authentication can be
used with HDLC.

 HDLC is the default encapsulation used by Cisco routers over synchronous serial
links.

 Cisco's HDLC is proprietary: it won't communicate with any other vendor's HDLC
implementation.

 Each vendor has a different way for the HDLC protocol to encapsulate multiple
Network layer protocols.

Cisco HDLC frame format


Point-to-Point Protocol (PPP)

o Point-to-Point Protocol (PPP) is a Data Link layer protocol that can be used over
either asynchronous serial (dial-up) or synchronous serial (ISDN, leased line) media.
o It uses the LCP (Link Control Protocol) to build and maintain data-link
connections.
o Network Control Protocol (NCP) is used to allow multiple Network layer
protocols (routed protocols) to be used on a point-to-point connection.
o The basic purpose of PPP is to transport layer 3 packets across a Data Link layer
point-to-point link.

PPP contains four main components:

 EIA/TIA-232-C, V.24, V.35, and ISDN - Physical layer international standards
for serial communication.

 HDLC - A method for encapsulating datagrams over serial links.

 LCP - A method of establishing, configuring, maintaining, and terminating the
point-to-point connection.

 NCP - A method of establishing and configuring different Network layer
protocols. NCP is designed to allow the simultaneous use of multiple Network
layer protocols. Some examples of protocols here are IPCP (Internet Protocol
Control Protocol) and IPXCP (Internetwork Packet Exchange Control Protocol).

Protocol stack compared to the OSI reference model

 It is important to understand that the PPP protocol stack is specified at the
Physical and Data Link layers only.
 NCP is used to allow communication of multiple Network layer protocols by
encapsulating the protocols across a PPP data link.

Link Control Protocol (LCP) Configuration options

Link Control Protocol (LCP) offers different PPP encapsulation options including the
following
Authentication
This option tells the calling side of the link to send information that can identify
the user. The two methods are PAP and CHAP.
Compression
This is used to increase the throughput of PPP connections by compressing the
data or payload prior to transmission. PPP decompresses the data frame on the receiving
end.
Error detection
PPP uses Quality and Magic Number options to ensure a reliable, loop-free data
link.
Multilink
Starting in IOS version 11.1, multilink is supported on PPP links with Cisco
routers. This option allows several separate physical paths to appear to be one logical
path at layer 3. For example, two T1s running multilink PPP would appear as a single
3Mbps path to a layer 3 routing protocol.
PPP callback
PPP can be configured to call back after successful authentication. With callback
enabled, a calling router (client) contacts a remote router (server) and authenticates as
described in the previous section. Both routers must be configured for the callback
feature. Once authentication is completed, the remote router terminates the connection
and then re-initiates a connection to the calling router.

PPP Session Establishment

(Figure: two PPP peers connected across a dial-up or circuit-switched network)

1. Link establishment phase
2. Authentication phase (optional)
3. Network layer protocol phase

Link-establishment phase
LCP packets are sent by each PPP device to configure and test the link. These
packets contain a field called the Configuration Option that allows each device to see the
size of the data, compression, and authentication. If no Configuration Option field
is present, then the default configurations are used.

Authentication phase
If required, either CHAP or PAP can be used to authenticate the link. Authentication
takes place before Network layer protocol information is read. It is possible that link-
quality determination may occur at this same time.

Network layer protocol phase
PPP uses the Network Control Protocol (NCP) to allow multiple Network layer
protocols to be encapsulated and sent over a PPP data link. Each Network layer protocol
(e.g., IP, IPX, AppleTalk, which are routed protocols) establishes a service with NCP.

PPP Authentication Methods

There are two methods of authentication that can be used with PPP links:
1. Password Authentication Protocol (PAP)
2. Challenge Handshake Authentication Protocol (CHAP)

Password Authentication Protocol (PAP)
The Password Authentication Protocol (PAP) is the less secure of the two
methods. It is a two-way handshake: once the link is established, the authenticating
node sends its username and password in clear text, repeatedly, until the peer
acknowledges or rejects them. PAP is performed only upon the initial link
establishment and never again during the session, and anyone who can capture the
link obtains a directly reusable username and password.

Challenge Handshake Authentication Protocol (CHAP)
The Challenge Handshake Authentication Protocol (CHAP) is used at the initial
startup of a link and at periodic checkups on the link to make sure the router is still
communicating with the same host. After PPP finishes its initial link-establishment
phase, the local router sends a challenge (an identifier and a random value, together
with its hostname) to the remote device. The remote device replies with a value
calculated using the one-way hash function MD5 over the identifier, the shared secret
and the challenge. The local router recomputes the hash from its own copy of the
secret and checks that it matches. If the values don't match, the link is immediately
terminated. The secret itself never crosses the link, and because each challenge
carries a fresh random value a captured response cannot be replayed. Both routers
must, however, hold the same secret in reversible form, which is why the CHAP lab
uses "username ... password" (a "username ... secret" entry, which stores only a
hash, cannot be used for CHAP).
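
The CHAP exchange described above, as an added example that is not part of the original notes or of Cisco's implementation: both peers challenge each other, as the O CHALLENGE / I CHALLENGE pairs in the debug output of the CHAP lab below show, and each verifies the other's MD5 response against its own copy of the shared secret. Hostnames and the password follow that lab; the Peer class, its method names and the use of os.urandom for challenge values are the example's own.

```python
"""CHAP three-way handshake (RFC 1994) with the MD5 response, in both directions.

Added example; not the page's or Cisco's code. The hostnames and shared secret
follow the CHAP lab (1700A / 1700B, password 123). Challenges are drawn from
os.urandom here; a router uses its own random source.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class Peer:
    """One PPP endpoint holding `username <peer-hostname> password <secret>` entries."""

    def __init__(self, name: str, usernames: Dict[str, str]) -> None:
        self.name = name
        self.usernames = usernames   # peer hostname -> shared secret, kept reversible on purpose
        self.ident = 0
        self.last_challenge = b""

    def challenge(self) -> Tuple[int, bytes, str]:
        """O CHALLENGE: fresh identifier and random value, sent with our hostname."""
        self.ident = (self.ident + 1) & 0xFF
        self.last_challenge = os.urandom(16)
        return self.ident, self.last_challenge, self.name

    def respond(self, ident: int, challenge: bytes, challenger: str) -> Tuple[int, bytes, str]:
        """I CHALLENGE -> O RESPONSE: hash the secret we hold for the challenger; the secret stays local."""
        secret = self.usernames.get(challenger)
        if secret is None:
            raise KeyError(f"{self.name}: no username entry for {challenger}")
        return ident, chap_response(ident, secret, challenge), self.name

    def verify(self, ident: int, response: bytes, responder: str) -> bool:
        """I RESPONSE -> SUCCESS/FAILURE: recompute with our copy of the secret and the challenge we sent."""
        secret = self.usernames.get(responder)
        if secret is None or ident != self.ident:   # unknown peer, or stale/replayed identifier
            return False
        expected = chap_response(ident, secret, self.last_challenge)
        return hmac.compare_digest(expected, response)


def mutual_chap(a: Peer, b: Peer) -> bool:
    """Both sides challenge, as the O CHALLENGE / I CHALLENGE pairs in the lab's debug output show."""
    ident, chal, who = a.challenge()
    a_accepts_b = a.verify(*b.respond(ident, chal, who))
    ident, chal, who = b.challenge()
    b_accepts_a = b.verify(*a.respond(ident, chal, who))
    return a_accepts_b and b_accepts_a


def replay_is_rejected(a: Peer, b: Peer) -> bool:
    """A captured response is useless against the next challenge: new identifier, new random value."""
    ident, chal, who = a.challenge()
    captured = b.respond(ident, chal, who)
    a.challenge()                         # link re-challenged (periodic re-authentication)
    return not a.verify(*captured)


if __name__ == "__main__":
    r1 = Peer("1700A", {"1700B": "123"})
    r2 = Peer("1700B", {"1700A": "123"})
    print("mutual CHAP with matching secrets:", mutual_chap(r1, r2))
    print("replayed response rejected:", replay_is_rejected(r1, r2))
    print("mismatched secret accepted:", mutual_chap(r1, Peer("1700B", {"1700A": "124"})))
```

Two things the code makes visible that the prose only states: the password is never transmitted (only MD5(id || secret || challenge) is), so a capture of the link yields nothing directly reusable, and a captured response fails against the next challenge because the identifier and random value change. The flip side is that both routers must store the secret reversibly, so "service password-encryption" merely obscures it in the running configuration.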
PAP (Password Authentication Protocol) Configuration
LAB

Topology (from the lab diagram): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- PPP with PAP --
ISP 1700B S0/0 20.0.0.2, F0/0 30.0.0.1

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#username CCNA password 123 (username and password expected from the peer 1700B)
1700A(config)#interface Serial 0/0
1700A(config-if)#encapsulation ppp
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#ppp authentication pap
1700A(config-if)#ppp pap sent-username CCSP password 123 (username and password this router sends)
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

1700A#debug ppp authentication

1700A#config t
1700A(config)#interface S0/0
1700A(config-if)#shutdown
1700A(config-if)#no shutdown
1700A#
*Mar 5 01:05:07.671: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 5 01:05:07.671: Se0/0 PPP: Using default call direction
*Mar 5 01:05:07.671: Se0/0 PPP: Treating connection as a dedicated line
*Mar 5 01:05:07.671: Se0/0 PPP: Session handle[31000006] Session id[6]
*Mar 5 01:05:07.671: Se0/0 PPP: Authorization required
*Mar 5 01:05:07.679: Se0/0 PAP: Using hostname from interface PAP
*Mar 5 01:05:07.679: Se0/0 PAP: Using password from interface PAP
*Mar 5 01:05:07.679: Se0/0 PAP: O AUTH-REQ id 3 len 13 from "ccsp"
*Mar 5 01:05:07.683: Se0/0 PAP: I AUTH-REQ id 3 len 13 from "ccna"
*Mar 5 01:05:07.683: Se0/0 PAP: Authenticating peer ccna
*Mar 5 01:05:07.687: Se0/0 PPP: Sent PAP LOGIN Request
*Mar 5 01:05:07.687: Se0/0 PPP: Received LOGIN Response PASS
*Mar 5 01:05:07.691: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 5 01:05:07.691: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 01:05:07.691: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 5 01:05:07.691: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 5 01:05:07.695: Se0/0 PAP: O AUTH-ACK id 3 len 5
*Mar 5 01:05:07.695: Se0/0 PAP: I AUTH-ACK id 3 len 5
*Mar 5 01:05:07.699: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 5 01:05:07.699: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 01:05:07.703: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 5 01:05:07.747: %SYS-5-CONFIG_I: Configured from console by console
*Mar 5 01:05:08.701: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0,
changed state to up
Bouncing the serial interface (shutdown, then no shutdown) with debug ppp authentication
enabled shows both directions of the PAP exchange above: each router sends an AUTH-REQ
carrying its sent-username and receives an AUTH-ACK. The debug output hides the password,
but on the wire it crosses in clear text, which is why CHAP is preferred.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#username CCSP password 123 (username and password expected from the peer 1700A)
1700B(config)#interface Serial 0/0
1700B(config-if)#encapsulation ppp
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#ppp authentication pap
1700B(config-if)#ppp pap sent-username CCNA password 123 (username and password this router sends)
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#debug ppp authentication
1700B#



*Mar 1 13:00:31.301: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 13:00:31.301: Se0/0 PPP: Using default call direction
*Mar 1 13:00:31.301: Se0/0 PPP: Treating connection as a dedicated line
*Mar 1 13:00:31.301: Se0/0 PPP: Session handle[AA000004] Session id[3]
*Mar 1 13:00:31.301: Se0/0 PPP: Authorization required
*Mar 1 13:00:31.313: Se0/0 PAP: Using hostname from interface PAP
*Mar 1 13:00:31.313: Se0/0 PAP: Using password from interface PAP
*Mar 1 13:00:31.313: Se0/0 PAP: O AUTH-REQ id 3 len 13 from "ccna"
*Mar 1 13:00:31.317: Se0/0 PAP: I AUTH-REQ id 3 len 13 from "ccsp"
*Mar 1 13:00:31.317: Se0/0 PAP: Authenticating peer ccsp
*Mar 1 13:00:31.321: Se0/0 PPP: Sent PAP LOGIN Request
*Mar 1 13:00:31.321: Se0/0 PPP: Received LOGIN Response PASS
*Mar 1 13:00:31.321: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 1 13:00:31.325: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 13:00:31.325: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 1 13:00:31.325: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 1 13:00:31.329: Se0/0 PAP: O AUTH-ACK id 3 len 5
*Mar 1 13:00:31.329: Se0/0 PAP: I AUTH-ACK id 3 len 5
*Mar 1 13:00:31.329: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 1 13:00:31.333: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 1 13:00:31.333: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 1 13:00:32.331: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0,
changed state to up
CHAP (Challenge Handshake Authentication Protocol) Configuration
LAB

Topology (from the lab diagram): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- PPP with CHAP --
ISP 1700B S0/0 20.0.0.2, F0/0 30.0.0.1

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#username 1700B password 123 (the peer's hostname and the shared secret; both routers must use the same password)
1700A(config)#interface Serial 0/0
1700A(config-if)#encapsulation ppp
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#ppp authentication chap
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief
1700A#debug ppp authentication
1700A#config t
1700A(config)#interface S0/0
1700A(config-if)#shutdown
1700A(config-if)#no shutdown
1700A(config-if)#
*Mar 5 14:53:43.225: %LINK-5-CHANGED: Interface Serial0/0, changed state to adm
inistratively down
*Mar 5 14:53:44.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0,
changed state to down
*Mar 5 14:53:46.326: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 5 14:53:46.326: Se0/0 PPP: Using default call direction
*Mar 5 14:53:46.326: Se0/0 PPP: Treating connection as a dedicated line
*Mar 5 14:53:46.326: Se0/0 PPP: Session handle[D700003B] Session id[61]
*Mar 5 14:53:46.326: Se0/0 PPP: Authorization required
*Mar 5 14:53:46.338: Se0/0 CHAP: O CHALLENGE id 57 len 26 from "1700A"
*Mar 5 14:53:46.342: Se0/0 CHAP: I CHALLENGE id 57 len 26 from "1700B"
*Mar 5 14:53:46.346: Se0/0 CHAP: Using hostname from unknown source
*Mar 5 14:53:46.346: Se0/0 CHAP: Using password from AAA
*Mar 5 14:53:46.346: Se0/0 CHAP: O RESPONSE id 57 len 26 from "1700A"
*Mar 5 14:53:46.350: Se0/0 CHAP: I RESPONSE id 57 len 26 from "1700B"
*Mar 5 14:53:46.354: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 5 14:53:46.354: Se0/0 PPP: Received LOGIN Response PASS
*Mar 5 14:53:46.358: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 5 14:53:46.358: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 14:53:46.358: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 5 14:53:46.362: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 5 14:53:46.362: Se0/0 CHAP: O SUCCESS id 57 len 4
*Mar 5 14:53:46.366: Se0/0 CHAP: I SUCCESS id 57 len 4
*Mar 5 14:53:46.366: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 5 14:53:46.370: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 5 14:53:46.370: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 5 14:53:47.368: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0,
changed state to up

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#username 1700A password 123 (the peer's hostname and the shared secret)
1700B(config)#interface Serial 0/0
1700B(config-if)#encapsulation ppp
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#ppp authentication chap
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip protocols
1700B#show ip interface brief
1700B#debug ppp authentication
1700B#config t
1700B(config)#interface S0/0
1700B(config-if)#shutdown
1700B(config-if)#no shutdown
1700B#
*Mar 2 00:23:21.542: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
*Mar 2 00:23:22.544: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0,
changed state to down
*Mar 2 00:23:24.643: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 2 00:23:24.643: Se0/0 PPP: Using default call direction
*Mar 2 00:23:24.643: Se0/0 PPP: Treating connection as a dedicated line
*Mar 2 00:23:24.643: Se0/0 PPP: Session handle[6D00003E] Session id[61]
*Mar 2 00:23:24.643: Se0/0 PPP: Authorization required
*Mar 2 00:23:24.651: Se0/0 CHAP: O CHALLENGE id 57 len 26 from "1700B"
*Mar 2 00:23:24.655: Se0/0 CHAP: I CHALLENGE id 57 len 26 from "1700A"
*Mar 2 00:23:24.659: Se0/0 CHAP: Using hostname from unknown source
*Mar 2 00:23:24.659: Se0/0 CHAP: Using password from AAA
*Mar 2 00:23:24.659: Se0/0 CHAP: O RESPONSE id 57 len 26 from "1700B"
*Mar 2 00:23:24.667: Se0/0 CHAP: I RESPONSE id 57 len 26 from "1700A"
*Mar 2 00:23:24.667: Se0/0 PPP: Sent CHAP LOGIN Request
*Mar 2 00:23:24.671: Se0/0 PPP: Received LOGIN Response PASS
*Mar 2 00:23:24.671: Se0/0 PPP: Sent LCP AUTHOR Request
*Mar 2 00:23:24.675: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 2 00:23:24.675: Se0/0 LCP: Received AAA AUTHOR Response PASS
*Mar 2 00:23:24.675: Se0/0 IPCP: Received AAA AUTHOR Response PASS
*Mar 2 00:23:24.679: Se0/0 CHAP: O SUCCESS id 57 len 4
*Mar 2 00:23:24.679: Se0/0 CHAP: I SUCCESS id 57 len 4
*Mar 2 00:23:24.679: Se0/0 PPP: Sent CDPCP AUTHOR Request
*Mar 2 00:23:24.683: Se0/0 CDPCP: Received AAA AUTHOR Response PASS
*Mar 2 00:23:24.683: Se0/0 PPP: Sent IPCP AUTHOR Request
*Mar 2 00:23:25.681: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0,
changed state to up
Redistribution of EIGRP and OSPF Configuration
LAB

Topology (from the lab diagram): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- 3600A S3/0 20.0.0.2,
S3/1 30.0.0.1 -- 1700B S0/0 30.0.0.2, F0/0 40.0.0.1
EIGRP 100 runs between 1700A and 3600A; OSPF 1 runs between 3600A and 1700B; 3600A
redistributes between the two.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router eigrp 100
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router eigrp 100
3600A(config-router)#network 20.0.0.0
3600A(config-router)#router ospf 1
3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600A(config-router)#exit
3600A(config)#router eigrp 100
3600A(config-router)#redistribute ospf 1 metric 1 1 0 1 1 (EIGRP needs a seed metric: bandwidth in kbps, delay in tens of microseconds, reliability, load, MTU; realistic values such as 10000 100 255 1 1500 are more usual than all ones)
3600A(config-router)#router ospf 1
3600A(config-router)#redistribute eigrp 100 metric 1 subnets (the subnets keyword is required for OSPF to take in subnets of a classful network; without it only classful networks are redistributed)
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip protocols
Two-way redistribution with no filtering lets any route learned in one domain flow into the
other; in production, tag and filter the redistributed routes with a route-map on 3600A.

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1
1700B(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0

Redistribution of RIP and EIGRP Configuration
LAB

Topology (from the lab diagram): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- 3600A S3/0 20.0.0.2,
S3/1 30.0.0.1 -- 1700B S0/0 30.0.0.2, F0/0 40.0.0.1
RIP runs between 1700A and 3600A; EIGRP 100 runs between 3600A and 1700B; 3600A
redistributes between the two.


1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router rip
3600A(config-router)#network 20.0.0.0
3600A(config-router)#router eigrp 100
3600A(config-router)#network 30.0.0.0
3600A(config-router)#exit
3600A(config)#router rip
3600A(config-router)#redistribute eigrp 100 metric 1 (the RIP seed metric is a hop count)
3600A(config-router)#router eigrp 100
3600A(config-router)#redistribute rip metric 1 1 0 1 1 (EIGRP seed metric: bandwidth, delay, reliability, load, MTU)
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router eigrp 100
1700B(config-router)#network 30.0.0.0
1700B(config-router)#network 40.0.0.0

Redistribution of RIP and OSPF Configuration
LAB

Topology (from the lab diagram): 1700A F0/0 10.0.0.1, S0/0 20.0.0.1 -- 3600A S3/0 20.0.0.2,
S3/1 30.0.0.1 -- 1700B S0/0 30.0.0.2, F0/0 40.0.0.1
RIP runs between 1700A and 3600A; OSPF 1 runs between 3600A and 1700B; 3600A
redistributes between the two.


1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip protocols
1700A#show ip interface brief

3600A
Router>enable
Router#configure terminal
Router(config)#hostname 3600A
3600A(config)#interface S3/0
3600A(config-if)#ip address 20.0.0.2 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#interface S3/1
3600A(config-if)#ip address 30.0.0.1 255.0.0.0
3600A(config-if)#no shutdown
3600A(config-if)#clock rate 64000
3600A(config-if)#exit
3600A(config)#router rip
3600A(config-router)#network 20.0.0.0
3600A(config-router)#router ospf 1
3600A(config-router)#network 30.0.0.0 0.255.255.255 area 0
3600A(config-router)#exit
3600A(config)#router rip
3600A(config-router)#redistribute ospf 1 metric 1 (the RIP seed metric is a hop count)
3600A(config-router)#router ospf 1
3600A(config-router)#redistribute rip metric 1 subnets (the subnets keyword lets OSPF take in subnets of a classful network, not only the classful networks themselves)
3600A(config-router)#^Z
3600A#show ip route
3600A#show ip interface brief
3600A#show ip protocols

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 40.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 30.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1
1700B(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700B(config-router)#network 40.0.0.0 0.255.255.255 area 0

Fundamentals of Switching

SWITCH

LAN Segmentation

In a collision domain, a frame sent by a device can collide with a frame sent by
another device in the same collision domain. Moreover, a device can hear the frames
destined for any device in the same collision domain.

In a broadcast domain, a broadcast frame sent by a device is received by all other
devices in the same broadcast domain.

A LAN segment or an Ethernet network segment consists of the devices connected with
a coaxial cable or a hub. These devices are in the same collision domain.

Ethernet congestion problem

The Ethernet congestion problem occurs when too many devices are connected to the
same Ethernet network segment, so that high bandwidth utilisation increases the
probability of collisions, which degrades network performance.

LAN segmentation

LAN segmentation solves the congestion problem by breaking the network into separate
segments or collision domains using bridges, switches or routers (but not hubs or
repeaters). LAN segmentation reduces the number of collisions in the network and
increases the total bandwidth of the network (e.g. 10 Mbps for one segment, 20 Mbps
for two segments, 30 Mbps for three segments, and so on).

80/20 rule
The 80/20 rule should be used when designing how to segment a network, i.e. 80% or
more of the data traffic should stay on the local network segment while 20% or less
should cross network segments.

Layer 2 Switching

• Layer 2 switching is hardware based: it uses the MAC address from the host NIC to
filter network traffic.

• A Layer 2 switch can be considered a multi-port bridge.

• Layer 2 switches are fast because they do not look at the Network layer header;
they look only at the frame's hardware (MAC) address before deciding whether to
forward or drop it.

Layer 2 Switching Provides the Following:

• Hardware-based bridging
• Wire speed
• Low latency
• Low cost

Limitations of Layer 2 Switching

With a bridge, the connected networks are still one large broadcast domain.

A Layer 2 switch cannot break up the broadcast domain; the resulting broadcast load
causes performance issues that limit the size of the network.

For this reason a switch cannot completely replace routers in the internetwork.

Bridging v/s LAN Switching

Layer 2 switches are essentially bridges with more ports; however, there are some
important differences.

Bridges are software based, while switches are hardware based: they use ASIC
(Application Specific Integrated Circuit) chips to make filtering decisions.

LAN Switching

Address learning – learning the MAC addresses of the connected devices to build the
bridge table.

Forward and filter decision – forwarding and filtering frames based on the bridge
table entries and the bridge logic.

Loop avoidance – avoiding network loops by using the Spanning Tree Protocol.

A bridge or switch maintains a forwarding table (also known as bridge table or MAC
address table) which maps destination physical addresses with the interfaces or ports to
forward frames to the addresses.

A bridge or switch builds a bridge table by learning the MAC addresses of the connected
devices. When a bridge is first powered on, the bridge table is empty. The bridge listens
to the incoming frames and examines the source MAC addresses of the frames. For
example, if there is an incoming frame with a particular source MAC address received
from a particular interface, and the bridge does not have an entry in its table for the MAC
address, an entry will be created to associate the MAC address with the interface.

The default aging time for an entry in a bridge table is 300 seconds (5 minutes). It means
that an entry will be removed from the bridge table if the bridge has not heard any
message from the concerned host for 5 minutes.

ADDRESS LEARNING

How Switches Learn Addresses


Examining the Forward/Filter Process
A bridge or switch forwards or filters a frame based on the following logic:

1. If the destination MAC address of the frame is the broadcast address
(i.e. FFFF.FFFF.FFFF) or a multicast address, the frame is forwarded out all
interfaces except the interface on which the frame was received.

2. If the destination MAC address is a unicast address and there is no associated
entry in the bridge table, the frame is forwarded out all interfaces except the
interface on which the frame was received (unknown-unicast flooding).

3. If there is an entry for the destination MAC address in the bridge table, and the
associated interface is not the interface on which the frame was received, the frame
is forwarded out that interface only.

4. Otherwise (the destination is on the same interface the frame arrived on), the
frame is dropped (filtered).

Broadcast and Multicast Frames

• A broadcast frame carries the all-ones destination MAC address FFFF.FFFF.FFFF; a
multicast frame carries a group destination MAC address, recognisable by the
low-order bit of the first octet being set (e.g. 0100.5E00.0001 for the IP multicast
group 224.0.0.1).

• The source address is always the hardware address of the device transmitting the
frame; a switch therefore never learns a broadcast or multicast address as a source.

• At the IP layer, 255.255.255.255 is the limited broadcast (all hosts on the local
network) and an address with the host portion all 1s, such as 172.16.255.255 for
172.16.0.0/16, is a directed broadcast (all hosts in that network or subnet). IP
multicast uses the separate group range 224.0.0.0/4, not an all-1s host portion.
eg: 255.255.255.255 (limited broadcast)
172.16.255.255 (directed broadcast for 172.16.0.0/16)
224.0.0.1 (multicast group)
There are three switching methods:

Store-and-forward switching
The entire frame is received and the CRC is computed and verified before forwarding the frame.
If the frame is too short (i.e. less than 64 bytes including the CRC), too long (i.e. more than 1518 bytes including the CRC), or has a CRC error, it is discarded.
It has the lowest error rate but the longest switching latency. However, on a high-speed network (e.g. Fast Ethernet or Gigabit Ethernet), the latency is not significant.
It is the most commonly used switching method, and is supported by most switches.

Cut-through switching (also known as Fast Forward switching)
A frame is forwarded as soon as the destination MAC address in the header has been received (the first 6 bytes following the preamble).
It has the highest error rate (because a frame is forwarded without verifying the CRC and without confirming that there is no collision) but the shortest switching latency.

Fragment-free switching (Modified Cut-through switching)
A frame is forwarded after the first 64 bytes of the frame have been received.
Since a collision can be detected within the first 64 bytes of a frame, fragment-free switching can detect a frame corrupted by a collision and drop it. Therefore, fragment-free switching provides better error checking than cut-through switching.
The error rate of fragment-free switching is above store-and-forward switching and below cut-through switching.
The latency of fragment-free switching is shorter than store-and-forward switching and longer than cut-through switching.

NOTE:
Bridges only support store-and-forward switching. Most new switch models also use store-and-forward switching.
However, it should be noted that Cisco 1900 switches use fragment-free switching
by default.
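The forwarding rules listed above and the store-and-forward checks (minimum 64 bytes, maximum 1518 bytes, CRC verified before anything is forwarded) can be exercised together in a small simulation. The following is an added example written for this page, not Cisco code: the frame layout, port names, MAC addresses and payloads are constructed, and the CRC-32 is computed with zlib rather than the Ethernet FCS byte order.

```python
"""Learning bridge with store-and-forward frame validation.

Added example for this page; it is not Cisco code.  Frame layout, port names,
MAC addresses and payloads are constructed for the demonstration.
"""
import zlib

MIN_FRAME = 64     # bytes including the 4-byte CRC; shorter frames are runts
MAX_FRAME = 1518   # bytes including the 4-byte CRC; longer frames are giants


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes) -> bytes:
    """Constructed frame: dst(6) src(6) type(2) payload [pad] crc32(4)."""
    body = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    body += b"\x08\x00" + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")   # pad short payloads to the minimum size
    return body + zlib.crc32(body).to_bytes(4, "big")


def validate_store_and_forward(frame: bytes) -> str:
    """Checks a store-and-forward switch makes before forwarding.

    Returns 'ok' or the reason the frame is discarded.
    """
    if len(frame) < MIN_FRAME:
        return "runt"
    if len(frame) > MAX_FRAME:
        return "giant"
    body, crc = frame[:-4], int.from_bytes(frame[-4:], "big")
    if zlib.crc32(body) != crc:
        return "crc-error"
    return "ok"


class LearningBridge:
    """Bridge table plus the forwarding rules described on the page."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC address -> port it was last seen on

    def receive(self, frame: bytes, in_port: str) -> list:
        """Return the list of ports the frame is forwarded out of ([] = dropped)."""
        if validate_store_and_forward(frame) != "ok":
            return []                                   # discarded before any lookup
        dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
        self.table[src] = in_port                       # learn (or move) the source address
        is_group = frame[0] & 0x01                      # I/G bit set: broadcast or multicast
        if is_group or dst not in self.table:           # rule 2: flood out every other port
            return [p for p in self.ports if p != in_port]
        if self.table[dst] != in_port:                  # rule 3: forward out that port only
            return [self.table[dst]]
        return []                                       # rule 4: destination is on the ingress port


if __name__ == "__main__":
    sw = LearningBridge(["f0/1", "f0/2", "f0/3"])
    bcast = build_frame("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:0a", b"who has 10.0.0.2?")
    print(sw.receive(bcast, "f0/1"))    # flooded: ['f0/2', 'f0/3']
    reply = build_frame("00:00:00:00:00:0a", "00:00:00:00:00:0b", b"10.0.0.2 is here")
    print(sw.receive(reply, "f0/2"))    # known destination: ['f0/1']
```

The bridge learns the source of every valid frame before it looks up the destination, which is why the reply in the demo goes out exactly one port. Sending a frame from a MAC that is already known on another port moves the entry, which is the mechanism behind the MAC database instability described later in this chapter.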
Redundant Topology Overview

– Redundant topology eliminates single points of failure.
– Redundant topology causes broadcast storms, multiple frame copies, and MAC address table instability problems.

Broadcast Storms
• Host X sends a broadcast.
• Switches continue to propagate broadcast traffic over and over.

Multiple Frame Copies
• Host X sends a unicast frame to router Y.
• MAC address of router Y has not been learned by either switch yet.
• Router Y will receive two copies of the same frame.

MAC Database Instability
• Host X sends a unicast frame to router Y.
• MAC address of router Y has not been learned by either switch.
• Switches A and B learn the MAC address of host X on port 0.
• The frame to router Y is flooded.
• Switches A and B incorrectly learn the MAC address of host X on port 1.
Spanning-Tree Protocol Overview

Spanning-Tree Protocol
• Provides a loop-free redundant network topology by placing certain ports in the blocking state.

Spanning Tree Protocol Basics

 Spanning Tree Protocol or STP (IEEE 802.1d) is used to solve the looping problem. It runs on bridges and switches in a network. It implements a Spanning Tree Algorithm (STA), which calculates a loop-free topology for the network.
 STP ensures that there is only one active path between any two network segments by blocking the redundant paths. A redundant path is used only when the corresponding active path fails. It is not used for load-balancing.
 Because STP solves the looping problem by blocking one or more links in a network, the frames travelling between some source/destination devices may not be able to use the shortest physical path.
 Bridges exchange STP information using messages called Bridge Protocol Data Units (BPDUs) through Layer 2 multicast.
A port of a bridge running STP can be in one of the following states:

State                            Handling of BPDUs        Learning MAC addresses     Handling of frames
Disabled                         Does not receive BPDUs   Does not learn addresses   Discards frames received
(administratively down)
Blocking                         Receives BPDUs           Does not learn addresses   Discards frames received
(default state when a bridge
is powered on)
Listening                        Receives and forwards    Does not learn addresses   Discards frames received
(a blocking port goes through    BPDUs
this state before entering
the learning state)
Learning                         Receives and forwards    Learns addresses           Discards frames received
(a listening port goes through   BPDUs
this state before entering
the forwarding state)
Forwarding                       Receives and forwards    Learns addresses           Receives and forwards
(all ports in the forwarding     BPDUs                                               frames
state belong to the current
spanning tree)

By default, the transition from the blocking state to the listening state takes 20 seconds (MaxAge time), from the listening state to the learning state takes 15 seconds (Forward Delay time), and from the learning state to the forwarding state takes another 15 seconds (Forward Delay time). The whole process takes 50 seconds.

Spanning-Tree Operation
• One root bridge per network
• One root port per nonroot bridge
• One designated port per segment
• Nondesignated ports

A spanning tree consists of a root bridge, which is like the root of a living tree. There is only one root bridge in the whole switched network. There is a single path from the root bridge (root) to each network segment (leaf). The paths form the spanning tree of the network. The bridges place the interfaces on the spanning tree in the forwarding state, and the interfaces not on the spanning tree in the blocking state.

Each bridge has an 8-byte Bridge ID, which is the concatenation of the priority (2 bytes) and the MAC address (6 bytes) of the bridge. The default priority of a device is 32,768. The bridge with the lowest bridge ID is elected as the root bridge.

The root path cost of a bridge (i.e. the cost of the path from the bridge to the root bridge) is the accumulated cost of the links along the root path. The cost of a link is determined by its bandwidth.

The following default costs are used for different types of links:

Link Speed    New IEEE Cost    Original IEEE Cost
10 Gbps       2                1
1 Gbps        4                1
100 Mbps      19               10
10 Mbps       100              100

In a spanning tree, the ports of a non-root bridge can be classified as follows:

Root port
The root port of a bridge is the port that is the closest to the root bridge in terms of
path cost. The path cost can be calculated based on the information stored in the BPDUs
sent by the root bridge.

Designated port
For each physical network segment, the bridge with the lowest cost to the root
bridge is elected as the designated bridge of that segment. If two or more bridges have
the same cost to the root bridge, the bridge with the lowest bridge ID is elected. The
designated bridge puts the port connected to that segment in the forwarding state. This
port is known as a designated port. For those segments that are directly connected to the
root bridge, the root bridge is their designated bridge.
Spanning-Tree Protocol Root Bridge Selection

• BPDU = Bridge Protocol Data Unit (default = sent every two seconds)
• Root bridge = Bridge with the lowest bridge ID
• Bridge ID = Bridge Priority & MAC address
• In the example, which switch has the lowest bridge ID?

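The election rules above (lowest Bridge ID wins, root path cost accumulated from the cost table, one root port per non-root bridge, one designated port per segment, everything else blocking) can be run on a small topology to see which port ends up blocked. The following is an added example written for this page, not Cisco code; the switch names, MAC addresses, link speeds and port names are constructed, and the costs are the "New IEEE Cost" column of the table above.

```python
"""Spanning-tree election on a small switched topology.

Added example for this page, not Cisco code.  Switch names, MAC addresses,
link speeds and port names are constructed; the path costs are the
"New IEEE Cost" column of the page's table.
"""
import heapq
from collections import defaultdict

IEEE_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}   # link speed (Mbps) -> port cost


def bridge_id(priority: int, mac: str) -> int:
    """8-byte Bridge ID: 2-byte priority followed by the 6-byte MAC; the lowest value wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def compute_spanning_tree(bridges, segments, attachments):
    """bridges: {name: (priority, mac)}, segments: {name: speed_mbps},
    attachments: [(bridge, port, segment)].  Returns (root, root_path_cost, port_roles)."""
    bid = {name: bridge_id(p, m) for name, (p, m) in bridges.items()}
    root = min(bid, key=bid.get)                    # lowest Bridge ID becomes root
    ports_of, bridges_on = defaultdict(list), defaultdict(list)
    for b, port, seg in attachments:
        ports_of[b].append((port, seg))
        bridges_on[seg].append((b, port))

    def cost_of(seg):
        return IEEE_COST[segments[seg]]

    # Root path cost: accumulated port costs along the cheapest path to the root.
    rpc = {root: 0}
    heap = [(0, bid[root], root)]
    while heap:
        cost, _, b = heapq.heappop(heap)
        if cost > rpc[b]:
            continue
        for _, seg in ports_of[b]:
            for nb, _ in bridges_on[seg]:
                cand = cost + cost_of(seg)
                if cand < rpc.get(nb, float("inf")):
                    rpc[nb] = cand
                    heapq.heappush(heap, (cand, bid[nb], nb))

    # Designated bridge per segment: lowest root path cost, then lowest Bridge ID.
    designated = {seg: min(lst, key=lambda bp: (rpc[bp[0]], bid[bp[0]]))
                  for seg, lst in bridges_on.items()}

    roles = {}
    for b, plist in ports_of.items():
        root_port = None
        if b != root:
            # Root port: best BPDU received from a neighbour (advertised cost + port cost,
            # then the sender's Bridge ID, then our own port).
            best = None
            for port, seg in plist:
                for nb, _ in bridges_on[seg]:
                    if nb == b:
                        continue
                    key = (rpc[nb] + cost_of(seg), bid[nb], port)
                    if best is None or key < best:
                        best = key
            root_port = best[2]
        for port, seg in plist:
            if port == root_port:
                roles[(b, port)] = "root"
            elif designated[seg] == (b, port):
                roles[(b, port)] = "designated"
            else:
                roles[(b, port)] = "blocking"       # non-designated port
    return root, rpc, roles


def triangle(sw3_priority: int = 32768):
    """Constructed three-switch loop: SW1-SW2 at 1 Gbps, the other two links at 100 Mbps."""
    bridges = {"SW1": (32768, "00:00:00:00:00:01"),
               "SW2": (32768, "00:00:00:00:00:02"),
               "SW3": (sw3_priority, "00:00:00:00:00:03")}
    segments = {"A": 1_000, "B": 100, "C": 100}
    attachments = [("SW1", "f0/1", "A"), ("SW2", "f0/1", "A"),
                   ("SW1", "f0/2", "B"), ("SW3", "f0/1", "B"),
                   ("SW2", "f0/2", "C"), ("SW3", "f0/2", "C")]
    return compute_spanning_tree(bridges, segments, attachments)


if __name__ == "__main__":
    root, rpc, roles = triangle()
    print("root:", root, "root path costs:", rpc)
    for (b, port), role in sorted(roles.items()):
        print(f"{b} {port}: {role}")
```

With default priorities SW1 wins on MAC address and SW3's port on the SW2-SW3 link is the one blocked; calling `triangle(4096)` lowers SW3's priority so that it becomes root regardless of its MAC address, which is exactly why a deliberately chosen root priority, rather than the default, is part of a sound switch configuration.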
[Figures: Spanning-Tree Port States (Cont.), Spanning-Tree Example]

BPDU & STP Logic

There are two types of BPDUs. They are:

 Configuration BPDU
 Topology Change Notification (TCN) BPDU

The root bridge sends a Configuration BPDU (or Hello BPDU) out each interface
periodically (every 2 seconds, by default). Each bridge forwards the BPDU to the other
bridges downstream after updating several fields in the BPDU, including the cost from
this bridge to the root bridge. As long as such BPDUs are received periodically, a bridge
knows that the path to the root bridge is still working. Otherwise, it needs to update its
spanning tree.
A Configuration BPDU is 35 bytes long and contains the following information:

 Protocol ID (2 bytes) and Version (1 byte).
 Message type (1 byte) – Configuration BPDU or TCN BPDU.
 Flag (1 byte) – It contains a topology change (TC) bit and a topology change acknowledgement (TCA) bit.
 Root bridge ID (8 bytes) – Bridge ID of the root bridge.
 Root path cost (4 bytes) – Cost of the path from the sender bridge (the bridge forwarding the BPDU) to the root bridge.
 Sender bridge ID (8 bytes).
 Port ID (2 bytes) of the port forwarding the BPDU.
 Message Age (2 bytes) in 1/256 second – The time elapsed since the root bridge sent the original BPDU that this BPDU is based on.
 Hello time (2 bytes) in 1/256 second – The time interval between BPDUs sent from the root bridge. The default Hello interval is 2 seconds.
 MaxAge time (2 bytes) in 1/256 second – If a new BPDU is not received before the MaxAge timer expires, the BPDU information is considered invalid and the bridge will try to update the STP topology. In other words, it is the time interval required for a port (on the alternate path) to transit from the blocking state to the listening state. The default MaxAge is 20 seconds.
 Forward Delay time (2 bytes) in 1/256 second – The time interval for a port to move from the listening state to the learning state. It is also the time interval for a port to move from the learning state to the forwarding state. The default Forward Delay is 15 seconds.

TCN BPDU:

A Topology Change Notification (TCN) BPDU is sent out when a bridge detects that a port in the forwarding state is going down or a port is moving to the forwarding state (e.g. the port is enabled by the administrator). The bridge will send TCN BPDUs out of its root port towards the root bridge at every Hello interval until it is acknowledged. A TCN BPDU is only 4 bytes long, which includes the protocol ID, version field, and message type field. It carries virtually no other information.

When a non-root bridge receives a TCN BPDU, it will forward the BPDU upstream towards the root bridge. It will also set the TCA bit in the next Configuration BPDU going downstream. The Configuration BPDU notifies the downstream bridge that the TCN BPDU has been received so that it can stop sending out TCN BPDUs.

When the root bridge receives a TCN BPDU, it will send out a Configuration BPDU with the TCA bit set, just like a non-root bridge. In addition, the TC bit of the BPDU will also be set to notify all the bridges in the network that there is a topology change. The TC bit will be set by the root bridge for a certain period of time (MaxAge + Forward Delay).

When a bridge receives a BPDU with the TC bit set, it will shorten the aging time
of its bridge table entries from the default of 300 seconds to the Forward Delay time.
Therefore the entries will be timed out quickly and the bridge will learn the topology of
the new spanning tree.
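The two BPDU formats described above are simple enough to build and parse by hand, which also makes it clear what a non-root bridge changes before relaying a root BPDU and when stored BPDU information expires. The following is an added example written for this page, not Cisco code: the field layout follows the list above, the bridge IDs, costs and port numbers are constructed, and the one-second message-age increment per hop is this example's assumption.

```python
"""Building and parsing Configuration and TCN BPDUs.

Added example for this page, not Cisco code.  The layout follows the field
list in the text; bridge IDs, costs and port numbers are constructed, and the
one-second message-age increment per hop is an assumption of this example.
"""
import struct

CONFIG_FMT = ">HBBBQIQHHHHH"      # 2+1+1+1+8+4+8+2+2+2+2+2 = 35 bytes
TCN_FMT = ">HBB"                  # protocol ID, version, message type = 4 bytes
MSG_CONFIG, MSG_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80    # topology change / topology change acknowledgement


def to_field(seconds: float) -> int:
    """Timer fields are carried in units of 1/256 second."""
    return int(round(seconds * 256))


def bridge_id(priority: int, mac: str) -> int:
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_config_bpdu(root_id, root_cost, sender_id, port_id, msg_age=0.0,
                      hello=2.0, max_age=20.0, fwd_delay=15.0, tc=False, tca=False) -> bytes:
    flags = (FLAG_TC if tc else 0) | (FLAG_TCA if tca else 0)
    return struct.pack(CONFIG_FMT, 0x0000, 0x00, MSG_CONFIG, flags, root_id, root_cost,
                       sender_id, port_id, to_field(msg_age), to_field(hello),
                       to_field(max_age), to_field(fwd_delay))


def build_tcn_bpdu() -> bytes:
    return struct.pack(TCN_FMT, 0x0000, 0x00, MSG_TCN)


def parse_bpdu(data: bytes) -> dict:
    if len(data) < struct.calcsize(TCN_FMT):
        raise ValueError("truncated BPDU")
    proto, version, mtype = struct.unpack_from(TCN_FMT, data)
    if proto != 0:
        raise ValueError(f"unknown protocol id {proto:#06x}")
    if mtype == MSG_TCN:
        return {"type": "TCN", "version": version}
    if mtype != MSG_CONFIG or len(data) < struct.calcsize(CONFIG_FMT):
        raise ValueError("not a well-formed Configuration BPDU")
    (_, _, _, flags, root_id, root_cost, sender_id, port_id,
     msg_age, hello, max_age, fwd_delay) = struct.unpack_from(CONFIG_FMT, data)
    return {
        "type": "CONFIG", "version": version,
        "tc": bool(flags & FLAG_TC), "tca": bool(flags & FLAG_TCA),
        "root_priority": root_id >> 48, "root_mac": f"{root_id & 0xFFFFFFFFFFFF:012x}",
        "root_cost": root_cost,
        "sender_priority": sender_id >> 48, "sender_mac": f"{sender_id & 0xFFFFFFFFFFFF:012x}",
        "port_id": port_id,
        "msg_age": msg_age / 256, "hello": hello / 256,
        "max_age": max_age / 256, "fwd_delay": fwd_delay / 256,
    }


def relay_config_bpdu(data: bytes, my_id: int, ingress_cost: int, my_port: int) -> bytes:
    """What a non-root bridge does before forwarding a root BPDU downstream:
    add its port cost, put its own Bridge ID and port ID in, and age the message."""
    b = parse_bpdu(data)
    root_id = (b["root_priority"] << 48) | int(b["root_mac"], 16)
    return build_config_bpdu(root_id, b["root_cost"] + ingress_cost, my_id, my_port,
                             msg_age=b["msg_age"] + 1.0, hello=b["hello"],
                             max_age=b["max_age"], fwd_delay=b["fwd_delay"],
                             tc=b["tc"], tca=b["tca"])


def is_expired(bpdu: dict) -> bool:
    """Stored BPDU information is invalid once its age reaches MaxAge."""
    return bpdu["msg_age"] >= bpdu["max_age"]


def convergence_time(max_age=20.0, fwd_delay=15.0) -> float:
    """Blocking -> listening (MaxAge), -> learning (FwdDelay), -> forwarding (FwdDelay)."""
    return max_age + 2 * fwd_delay
```

Parsing rejects anything that is not a well-formed Configuration or TCN BPDU, and `is_expired` is the check a bridge applies to the BPDU it has stored for a port: once the message age reaches MaxAge the information is discarded and the recomputation described above begins.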
VLAN Operation Overview

A Virtual LAN (VLAN) is a broadcast domain created based on the functional, security,
or other requirements, instead of the physical locations of the devices, on a switch or
across switches. With VLANs, a switch can group different interfaces into different
broadcast domains. Without VLANs, all interfaces of a switch are in the same broadcast
domain; switches connected with each other are also in the same broadcast domain,
unless there is a router in between.

Different ports of a switch can be assigned to different VLANs. A VLAN can also span
multiple switches.
The advantages of implementing VLANs are:
. It can group devices based on requirements other than their physical locations.
. It breaks up broadcast domains and increases network throughput.
. It provides better security by separating devices into different VLANs.
. Since each VLAN is a separate broadcast domain, devices in different VLANs cannot listen or respond to each other's broadcast traffic.
. Inter-VLAN communication can be controlled by configuring access control lists on the router or Layer 3 switch connecting the VLANs.

VLANs can be configured using one of the following two methods:

Static VLAN
Assigning VLANs to switch ports based on the port numbers. It is easier to set up and manage.

Dynamic VLAN
Assigning VLANs to switch ports based on the MAC addresses of the devices connected to the ports. A VLAN management application is used to set up a database of MAC addresses, and to configure the switches to assign VLANs to the switch ports dynamically based on the MAC addresses of the connected devices. The application used by Cisco switches is called VLAN Management Policy Server (VMPS).

Cisco switches support a separate instance of spanning tree and a separate bridge table for each VLAN.
A VLAN = A Broadcast Domain = Logical Network (Subnet)

VLAN Operation

• Each logical VLAN is like a separate physical bridge.
• VLANs can span across multiple switches.
• Trunks carry traffic for multiple VLANs.
• Trunks use special encapsulation to distinguish between different VLANs.

[Figure: VLAN Membership Modes]

VLAN Trunking
There are two different types of links in a switched network:
Access link
A link that is part of only one VLAN. Therefore, a port connecting to an access
link can be a member of only one VLAN.
Trunk link
A 100 Mbps or 1000 Mbps point-to-point link that connects switches or routers, and carries frames of different VLANs. Therefore, a port connecting to a trunk link can be a member of multiple VLANs. All VLANs are configured on a trunk link by default.
VLAN Trunking, by making use of frame tagging, allows traffic from different VLANs to transmit through the same Ethernet link (trunk link) across switches.

VLAN Trunking identifies the VLAN from which a frame is sent by tagging the frame with the source VLAN ID (12 bits long). This feature is known as frame tagging or frame identification.

With frame tagging, a switch knows which ports it should forward a broadcast frame out of (the ports which have the same VLAN ID as the source VLAN ID). It also knows which bridge table it should use for forwarding a unicast frame (since a separate bridge table is used for each VLAN).

A frame tag is added when a frame is forwarded out to a trunk link, and is removed when
the frame is forwarded out to an access link. Therefore, any device attached to an access
link is unaware of its VLAN membership.
Cisco switches support two trunking protocols:

Inter-switch Link (ISL)

. It is a Cisco proprietary VLAN trunking protocol and can only be used between Cisco switches or switches supporting ISL.
. It encapsulates a frame with an ISL header and trailer.
. An ISL header is 26 bytes long and contains the 12-bit VLAN ID, the MAC addresses of the sending and the receiving switch, and some other information.
. An ISL trailer is 4 bytes long and contains the CRC of the frame.
. It supports a separate instance of spanning tree for each VLAN by using a Cisco proprietary feature called Per-VLAN Spanning Tree (PVST+). Different instances of spanning tree allow the STP parameters of different VLANs to be configured independently. For example, we can break a network loop by blocking different links for different VLANs instead of blocking the same link for all VLANs, so that the available bandwidth can be used more efficiently.

IEEE 802.1q

. It is the IEEE standard trunking protocol.
. It inserts a 4-byte header into the middle of the original Ethernet header. The 802.1q header contains the 12-bit VLAN ID and some other information.

Ethernet frame without 802.1Q header

Destination address   Source address   Type        Data              FCS
(6 bytes)             (6 bytes)        (2 bytes)   (46-1500 bytes)   (4 bytes)

Ethernet frame with 802.1Q header

Destination address   Source address   802.1Q header   Type        Data              FCS
(6 bytes)             (6 bytes)        (4 bytes)       (2 bytes)   (46-1500 bytes)   (4 bytes)

. Recalculation of the FCS is required after the insertion of the 802.1q header, as the original header has been changed.
. It did not support a separate instance of spanning tree for each VLAN originally. However, Cisco switches can use PVST+ with 802.1q to support this feature. IEEE has also defined a new specification called 802.1s, which can be used with 802.1q to support multiple instances of spanning tree.
. It defines one VLAN as the native VLAN. It does not insert an 802.1q header into the frames sent from the native VLAN over a trunk link. The default native VLAN is VLAN 1.
. Since 802.1q is defined as a type of Ethernet frame, it does not require that every device on a link understands 802.1q. By defining a trunk port as a member of the native VLAN, any Ethernet device (even if it does not understand 802.1q) connected to the trunk port can read frames for the native VLAN.

Both sides of a trunk link must agree on which VLAN is used as the native
VLAN. Otherwise, the trunk will not operate properly.
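The tag insertion, FCS recalculation and native-VLAN behaviour described above, together with what goes wrong when the two ends of a trunk disagree on the native VLAN, can be shown on constructed frames. The following is an added example written for this page, not Cisco code: the MAC addresses, EtherType and payloads are constructed, and the FCS is a CRC-32 stored little-endian as on the wire, so the bytes are close to, but not a capture of, real traffic.

```python
"""802.1Q frame tagging, untagging and native-VLAN classification.

Added example for this page, not Cisco code.  MAC addresses, the EtherType and
payloads are constructed; the FCS is a CRC-32 stored little-endian.
"""
import struct
import zlib

TPID_8021Q = 0x8100


def _with_fcs(body: bytes) -> bytes:
    return body + struct.pack("<I", zlib.crc32(body))


def fcs_ok(frame: bytes) -> bool:
    return struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged frame: dst(6) src(6) type(2) data fcs(4)."""
    return _with_fcs(dst + src + struct.pack(">H", ethertype) + payload)


def is_tagged(frame: bytes) -> bool:
    return struct.unpack_from(">H", frame, 12)[0] == TPID_8021Q


def tci_fields(frame: bytes):
    """(priority, DEI, VLAN ID) from the Tag Control Information of a tagged frame."""
    tci = struct.unpack_from(">H", frame, 14)[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header after the source address and recompute the FCS."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094 (12-bit field, 0 and 4095 reserved)")
    tci = (pcp << 13) | vlan_id                 # 3-bit priority, 1-bit DEI (0), 12-bit VID
    body = frame[:12] + struct.pack(">HH", TPID_8021Q, tci) + frame[12:-4]
    return _with_fcs(body)


def untag_frame(frame: bytes) -> bytes:
    """Strip the tag (done when the frame leaves on an access link) and recompute the FCS."""
    if not is_tagged(frame):
        return frame
    return _with_fcs(frame[:12] + frame[16:-4])


def vlan_on_ingress(frame: bytes, native_vlan: int) -> int:
    """How a trunk port classifies an incoming frame: tagged frames carry their VLAN,
    untagged frames are assigned to the port's native VLAN."""
    return tci_fields(frame)[2] if is_tagged(frame) else native_vlan


def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Frames of the native VLAN leave a trunk untagged; all others are tagged."""
    plain = untag_frame(frame)
    return plain if vlan_id == native_vlan else tag_frame(plain, vlan_id)


def vlan_after_trunk(vlan_id: int, native_a: int, native_b: int) -> int:
    """VLAN a frame of vlan_id ends up in after crossing a trunk from side A (native_a)
    to side B (native_b).  With matching native VLANs the result is always vlan_id."""
    dst, src = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"   # constructed
    frame = build_frame(dst, src, 0x0800, b"payload")
    on_wire = trunk_egress(frame, vlan_id, native_a)
    return vlan_on_ingress(on_wire, native_b)
```

`vlan_after_trunk(1, 1, 99)` returns 99: a frame from VLAN 1 leaves side A untagged because 1 is its native VLAN, and side B, whose native VLAN is 99, has no tag to go on and files it in VLAN 99. That silent crossing of a VLAN boundary is the reason both ends of a trunk must agree on the native VLAN, and a native-VLAN mismatch is worth treating as a misconfiguration to detect, not just a connectivity problem.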

[Figures: 802.1Q Trunking, Importance of Native VLANs, 802.1Q Frame, Per-VLAN Spanning Tree, ISL Tagging, ISL Encapsulation]


VTP Protocol Features

o A messaging system that advertises VLAN configuration information
o Maintains VLAN configuration consistency throughout a common administrative domain
o Sends advertisements on trunk ports only

VTP Modes

Server
• Creates, modifies and deletes VLANs
• Sends/forwards advertisements
• Synchronizes
• Saved in NVRAM

Client
• Forwards advertisements
• Synchronizes
• Not saved in NVRAM

Transparent
• Creates, modifies and deletes VLANs
• Forwards advertisements
• Does not synchronize
• Saved in NVRAM
VTP Operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest revision number.
• VTP advertisements are sent every 5 minutes or when there is a change.
VTP Pruning
• Increases available bandwidth by reducing unnecessary flooded traffic
• Example: Station A sends broadcast, and broadcast is flooded only toward any
switch with ports assigned to the red VLAN
Switch Inter-VLAN (Virtual Local Area Network) Configuration
LAB

[Lab topology figure (labels recovered): VLAN 1, VLAN 2, VLAN 3; router 1700A with S0/0 to the Internet and F0/0 to the switch; switch ports F0/1 to F0/6]

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#no ip address (the physical interface carries no address; the sub-interfaces do)
1700A(config-if)#interface F0/0.1 (sub-interface creation)
1700A(config-subif)#encapsulation dot1Q 1 native (encapsulation type; VLAN 1 arrives untagged as the switch's native VLAN)
1700A(config-subif)#ip address 192.168.10.17 255.255.255.240
1700A(config-subif)#no shutdown
1700A(config-subif)#interface F0/0.2
1700A(config-subif)#encapsulation dot1Q 2
1700A(config-subif)#ip address 192.168.10.33 255.255.255.240
1700A(config-subif)#no shutdown
1700A(config-subif)#interface F0/0.3
1700A(config-subif)#encapsulation dot1Q 3
1700A(config-subif)#ip address 192.168.10.49 255.255.255.240
1700A(config-subif)#no shutdown
1700A(config-subif)#^Z
1700A#show ip route

3550 Switch
Switch>en
Switch#config t
Switch(config)#hostname 3550
3550(config)#interface vlan 1
3550(config-if)#ip address 192.168.10.1 255.255.255.0
3550(config-if)#no shutdown
3550(config-if)#exit
3550(config)#ip default-gateway 192.168.10.17
3550(config)#interface F0/1
3550(config-if)#description connection to 1700A
3550(config-if)#interface F0/2
3550(config-if)#description connection to 3560
3550(config-if)#exit
3550(config)#interface F0/1 (through router)
3550(config-if)#switchport trunk encapsulation dot1q
3550(config-if)#switchport mode trunk
3550(config-if)#interface F0/2 (through switch)
3550(config-if)#switchport trunk encapsulation dot1q
3550(config-if)#switchport mode trunk
3550(config-if)#exit
3550(config)#vtp mode server
3550(config)#vtp domain CCSP
3550(config)#^Z
3550#show interface trunk
3550#config t
3550(config)#vlan 2 (VLANs are created on the VTP server and advertised to the clients)
3550(config-vlan)#name production
3550(config-vlan)#vlan 3
3550(config-vlan)#name sales
3550(config-vlan)#^Z
3550#show vlan
3550#config t
3550(config)#interface F0/5
3550(config-if)#switchport mode access
3550(config-if)#switchport access vlan 3
3550(config-if)#interface F0/6
3550(config-if)#switchport mode access
3550(config-if)#switchport access vlan 3
3550(config-if)#^Z
3550#show vlan
3550#show interface trunk
3560 Switch
Switch>en
Switch#config t
Switch(config)#hostname 3560
3560(config)#interface F0/1
3560(config-if)#description connection to 3550
3560(config-if)#exit
3560(config)#interface vlan 1
3560(config-if)#ip address 192.168.10.2 255.255.255.0
3560(config-if)#no shutdown
3560(config-if)#exit
3560(config)#ip default-gateway 192.168.10.17
3560(config)#interface F0/1
3560(config-if)#switchport trunk encapsulation dot1q
3560(config-if)#switchport mode trunk
3560(config-if)#exit
3560(config)#vtp mode client
3560(config)#vtp domain CCSP
3560(config)#^Z
3560#show interface trunk
3560#show vtp status
(VLAN 2, named production, must be created on the VTP server 3550 and is learned here through VTP; a VTP client cannot create VLANs)
3560#show vlan
3560#config t
3560(config)#interface F0/2
3560(config-if)#switchport mode access
3560(config-if)#switchport access vlan 2
3560(config-if)#interface F0/3
3560(config-if)#switchport mode access
3560(config-if)#switchport access vlan 2
3560(config-if)#^Z
3560#show spanning-tree
3560#show interface trunk
3560#show vtp status
3560#show vlan
Virtual Private Networks (VPN)

A virtual private network (VPN) allows the creation of private networks across the
Internet, enabling privacy and tunneling of non-TCP/IP protocols.
VPNs are used to give remote users and disjointed networks connectivity over a
public medium like the Internet instead of using more expensive permanent means.
What is a VPN?
VPN is a generic term that describes any combination of technologies that can be used to secure a connection through an otherwise unsecured or untrusted network.

Types of VPNs

Types of VPNs are named based upon the role they play in a business. There are
three different categories of VPNs:
Remote access VPNs
Remote access VPNs allow remote users like telecommuters to securely access the
corporate network wherever and whenever they need to.
Site-to-site VPNs
Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites
to the corporate backbone securely over a public medium like the Internet instead of
requiring more expensive WAN connections like Frame Relay.
Extranet VPNs
Extranet VPNs allow an organization’s suppliers, partners, and customers to be
connected to the corporate network in a limited way for business-to-business (B2B)
communications.

VPN Components: Security

Keys
• Secret code that the encryption algorithm uses to create a unique version of cipher-text
• 8-bit keys = 256 combinations, or two to the eighth power
• 16-bit keys = 65,536 combinations, or two to the 16th power
• 56-bit keys = 72,057,594,037,927,900, or two to the 56th power
• 168-bit keys …
Remote Access Virtual Private Network

[Figure (labels recovered): public server (Sales, e-mail, world wide web, file transfer), Finance and IT Management behind an Internet gateway; mobile users reaching them across the Internet]

Remote Access VPN Features

o Remote Access VPNs provide communications between a corporate network and remote and/or mobile employees.
o Strong authentication is critical to verify remote and mobile users’ identities as accurately and efficiently as possible.
o Remote Access VPNs require centralized management.
o Remote Access VPNs require a high degree of scalability to handle the vast number of remote users accessing the VPN.
Intranet Virtual Private Network

[Figure (labels recovered): public server (Sales, e-mail, world wide web, file transfer), Finance and IT Management behind an Internet gateway; a remote site connected across the Internet]

Extranet Virtual Private Network

[Figure (labels recovered): public server (Sales, e-mail, world wide web, file transfer), Finance and IT Management behind an Internet gateway; partners and customers connected across the Internet]

Extranet VPN Features

o Extranet VPNs are between a company and its strategic partners, customers and suppliers.
o Extranet VPNs require an open, standards-based solution to ensure interoperability. The accepted standard for Internet-based VPNs is the Internet Protocol Security [IPSec] standard.
o Extranet VPNs use traffic control to eliminate bottlenecks at network access points and guarantee swift delivery of and rapid response times for critical data.

Four of the most common tunneling protocols in use:

Layer 2 Forwarding (L2F)
Layer 2 Forwarding (L2F) is a Cisco-proprietary tunneling protocol, and it was their first tunneling protocol created for virtual private dial-up networks (VPDNs). VPDN allows a device to use a dial-up connection to create a secure connection to a corporate network. L2F was later replaced by L2TP, which is backward compatible with L2F.

Point-to-Point Tunneling Protocol (PPTP)
Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to allow the secure transfer of data from remote networks to the corporate network.

Layer 2 Tunneling Protocol (L2TP)
Layer 2 Tunneling Protocol (L2TP) was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the capabilities of both L2F and PPTP into one tunneling protocol.

Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE) is another Cisco-proprietary tunneling protocol. It forms virtual point-to-point links, allowing for a variety of protocols to be encapsulated in IP tunnels.

Introduction of Cisco IOS IPsec

 IPSec is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network. It functions at Layer 3, the network layer of the OSI model.
 IPSec can’t be used to encrypt non-IP traffic. This means that if you run into a situation where you have to encrypt non-IP traffic, you’ll need to create a GRE tunnel for it and then use IPSec to encrypt that tunnel.

IPSec Transforms

An IPSec transform specifies a single security protocol with its corresponding security algorithm; without these transforms, IPSec wouldn’t be able to give us its glory. It’s very important to understand the security protocols and the supporting encryption and hashing algorithms that IPSec relies upon.

Security Protocols

The two primary security protocols used by IPSec are:

 Authentication Header (AH)
 Encapsulating Security Payload (ESP)

Authentication Header (AH)
The AH protocol provides authentication for the data and the IP header of a packet using a one-way hash for packet authentication.

Working mechanism:
The sender generates a one-way hash; then the receiver generates the same one-way hash. If the packet has changed in any way, it won’t be authenticated and will be dropped. So basically, IPSec relies upon AH to guarantee authenticity. AH checks the entire packet, but it doesn’t offer any encryption services.

Encapsulating Security Payload (ESP)

ESP will provide confidentiality, data origin authentication, connectionless integrity, anti-replay service, and limited traffic-flow confidentiality by defeating traffic flow analysis.

Four components of ESP:

Confidentiality:
Confidentiality is provided through the use of symmetric encryption algorithms like DES or 3DES. Confidentiality can be selected separately from all other services, but the confidentiality selected must be the same on all endpoints of your VPN.

Data origin authentication and connectionless integrity:
Data origin authentication and connectionless integrity are joint services offered as an option in conjunction with the likewise optional confidentiality.

Anti-replay service :

You can only use the anti-replay service if data origin authentication is selected.
Anti-replay election is based upon the receiver, meaning the service is effective only if
the receiver checks the sequence number. In case you were wondering, a replay attack is
when a hacker nicks a copy of an authenticated packet and later transmits it to the
intended destination. When the duplicate, authenticated IP packet gets to the destination,
it can disrupt services and other ugly stuff. The Sequence Number field is designed to foil
this type of attack.

Traffic flow :

For traffic flow confidentiality to work, you have to have tunnel mode selected.
And it’s most effective if it’s implemented at a security gateway where tons of traffic
amasses— a situation that can mask the true source-destination patterns of bad guys
trying to breach your network’s security.
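The AH working mechanism (sender and receiver compute the same keyed one-way hash, anything that changed is dropped) and the ESP anti-replay service (the receiver checks the sequence number, and only packets that authenticate count) fit together in one receiver-side routine. The following is an added example written for this page, not Cisco code: the packet layout (4-byte sequence number, payload, 12-byte truncated HMAC-SHA1 ICV) follows the common HMAC-SHA1-96 convention, the 64-entry window is a typical size, and the key and payloads are constructed.

```python
"""IPsec-style integrity check (AH/ESP HMAC) with an anti-replay window.

Added example for this page, not Cisco code.  The packet layout (4-byte
sequence number, payload, 12-byte truncated HMAC-SHA1 ICV) follows the
HMAC-SHA1-96 convention; the key and payloads are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number + payload, authenticated by the ICV."""
    header = struct.pack(">I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:ICV_LEN]
    return header + payload + icv


class ReplayWindow:
    """Receiver-side sliding window over sequence numbers (64 wide by default)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set <=> (highest - i) has been seen

    def accept(self, seq: int) -> bool:
        if seq == 0:                                   # 0 is never valid
            return False
        if seq > self.highest:                         # new high-water mark: slide
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:                          # too old to track: reject
            return False
        if self.bitmap & (1 << diff):                  # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def verify(key: bytes, packet: bytes, window: ReplayWindow) -> str:
    """Receiver side.  Returns 'ok', 'bad-icv' or 'replay' (duplicate or outside the window).

    Origin authentication comes first; the window is only consulted, and only
    advanced, for packets whose ICV verifies.  That ordering is why the text
    says the anti-replay service requires data origin authentication.
    """
    if len(packet) < 4 + ICV_LEN:
        return "bad-icv"
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return "bad-icv"
    seq = struct.unpack(">I", body[:4])[0]
    return "ok" if window.accept(seq) else "replay"
```

Packets may arrive out of order, so the window accepts a late sequence number as long as it is still inside the window and has not been seen; an identical copy of an already accepted packet is rejected even though its ICV is valid, which is the replay case the text describes.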

Virtual Private Network (VPN) Site-to-Site Configuration

LAB

[Lab topology figure (labels recovered): 1700A with F0/0 10.0.0.1 to a switch serving hosts 10.0.0.3 and 10.0.0.4, and S0/0 20.0.0.1 across the Internet to 1700B S0/0 20.0.0.2; 1700B F0/0 30.0.0.1. A second drawing of the lab also shows a router 1700C and the address 10.0.0.2.]
1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#crypto isakmp enable (ISAKMP: Internet Security Association and Key Management Protocol)
1700A(config)#crypto isakmp policy 10 (policy number, 1-10000)
1700A(config-isakmp)#authentication pre-share (pre-shared key authentication)
1700A(config-isakmp)#encryption 3des (encryption algorithm for the ISAKMP negotiation)
1700A(config-isakmp)#hash sha (hash algorithm for ISAKMP integrity)
1700A(config-isakmp)#group 5 (Diffie-Hellman group for the key exchange)
1700A(config-isakmp)#exit
1700A(config)#crypto isakmp key CISCO address 20.0.0.2 (pre-shared key and peer address)
1700A(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700A(cfg-crypto-trans)#exit
1700A(config)#access-list 100 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255 (traffic to be protected)
1700A(config)#crypto map AAA 10 ipsec-isakmp (10 – sequence number)
1700A(config-crypto-map)#match address 100
1700A(config-crypto-map)#set peer 20.0.0.2 (peer address)
1700A(config-crypto-map)#set transform-set 20 (20 – transform-set name)
1700A(config-crypto-map)#set pfs group5 (perfect forward secrecy)
1700A(config-crypto-map)#exit
1700A(config)#interface S0/0
1700A(config-if)#crypto map AAA (apply the crypto map to the interface that carries the encrypted traffic)
1700A(config-if)#^Z
1700A#show ip route
1700A#config t
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#ping 30.0.0.1
1700A#show crypto isakmp sa
1700A#show crypto ipsec sa
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (30.0.0.0/255.0.0.0/0/0)
current_peer 20.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0

local crypto endpt.: 20.0.0.1, remote crypto endpt.: 20.0.0.2


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0xBFD33C73(3218291827)
inbound esp sas:
spi: 0x9357B85B(2471999579)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: 1, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4507657/3454)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:
spi: 0x8EEC094D(2397833549)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: 1, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4507657/3450)
replay detection support: Y
Status: ACTIVE

inbound pcp sas:

outbound esp sas:


spi: 0xBFD33C73(3218291827)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: 2, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4507657/3450)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0x232953F4(589911028)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: 2, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4507657/3448)
replay detection support: Y
Status: ACTIVE

outbound pcp sas:

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#interface F0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#interface S0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#crypto isakmp enable (ISAKMP: Internet Security Association and Key Management Protocol)
1700B(config)#crypto isakmp policy 10 (policy number, 1-10000; must match the peer's policy)
1700B(config-isakmp)#authentication pre-share
1700B(config-isakmp)#encryption 3des
1700B(config-isakmp)#hash sha (hash algorithm for ISAKMP integrity)
1700B(config-isakmp)#group 5 (Diffie-Hellman group for the key exchange)
1700B(config-isakmp)#exit
1700B(config)#crypto isakmp key CISCO address 20.0.0.1 (same pre-shared key; peer address)
1700B(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700B(cfg-crypto-trans)#exit
1700B(config)#access-list 100 permit ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 (mirror image of 1700A's list)
1700B(config)#crypto map AAA 10 ipsec-isakmp (10 – sequence number)
1700B(config-crypto-map)#match address 100
1700B(config-crypto-map)#set peer 20.0.0.1 (peer address)
1700B(config-crypto-map)#set transform-set 20 (20 – transform-set name)
1700B(config-crypto-map)#set pfs group5 (perfect forward secrecy)
1700B(config-crypto-map)#exit
1700B(config)#interface S0/0
1700B(config-if)#crypto map AAA (apply the crypto map to the interface that carries the encrypted traffic)
1700B(config-if)#^Z
1700B#show ip route
1700B#config t
1700B(config)#router rip
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#^Z
1700B#ping 10.0.0.1
1700B#show crypto isakmp sa
1700B#show crypto ipsec sa

interface: Serial0/0
Crypto map tag: aaa, local addr 20.0.0.2

protected vrf: (none)


local ident (addr/mask/prot/port): (30.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
current_peer 20.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 20.0.0.2, remote crypto endpt.: 20.0.0.1


path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
current outbound spi: 0x9357B85B(2471999579)

inbound esp sas:


spi: 0xBFD33C73(3218291827)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: 1, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4433696/1900)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:
spi: 0x232953F4(589911028)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: 1, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4433696/1897)
replay detection support: Y
Status: ACTIVE

inbound pcp sas:

outbound esp sas:


spi: 0x9357B85B(2471999579)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: 2, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4433696/1897)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:
spi: 0x8EEC094D(2397833549)
transform: ah-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: 2, crypto map: aaa
sa timing: remaining key lifetime (k/sec): (4433696/1894)
replay detection support: Y
Status: ACTIVE

outbound pcp sas:
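The output above is what an operator reads by eye. As an added example (this is not code from the lab notes), the Python below parses that 1700B output and reports the checks a defender makes on an IPsec peer: every SA ACTIVE with anti-replay on, the transform in use (3DES is flagged as legacy), the remaining lifetime, and whether the encaps/encrypt and decaps/verify counters agree. The weak and legacy transform lists and the 300-second rekey threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Sample: the 1700B 'show crypto ipsec sa' output above, trimmed to the lines this parser reads
SAMPLE = """\
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0xBFD33C73(3218291827)
transform: esp-3des esp-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4433696/1900)
replay detection support: Y
Status: ACTIVE
inbound ah sas:
spi: 0x232953F4(589911028)
transform: ah-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4433696/1897)
replay detection support: Y
Status: ACTIVE
outbound esp sas:
spi: 0x9357B85B(2471999579)
transform: esp-3des esp-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4433696/1897)
replay detection support: Y
Status: ACTIVE
outbound ah sas:
spi: 0x8EEC094D(2397833549)
transform: ah-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4433696/1894)
replay detection support: Y
Status: ACTIVE
"""

@dataclass
class IpsecSA:
    direction: str = ""     # inbound / outbound
    protocol: str = ""      # esp / ah / pcp
    spi: int = 0
    transform: str = ""
    sec_left: int = 0       # seconds until rekey
    replay: bool = False    # anti-replay window enabled
    status: str = ""

SA_HEADER = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^spi: 0x([0-9A-Fa-f]+)\(")
TIMING_RE = re.compile(r"\(k/sec\): \((\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")

def parse_show_crypto_ipsec_sa(text):
    """Return (list of IpsecSA, packet counters, (send_errors, recv_errors))."""
    sas, counters, errors = [], {}, (0, 0)
    direction = protocol = sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SA_HEADER.match(line):           # 'spi:' lines that follow belong to this group
            direction, protocol, sa = m.group(1), m.group(2), None
        elif m := SPI_RE.match(line):            # every 'spi:' line opens one SA
            sa = IpsecSA(direction, protocol, int(m.group(1), 16))
            sas.append(sa)
        elif m := ERR_RE.match(line):
            errors = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("#pkts"):
            counters.update({k: int(v) for k, v in COUNTER_RE.findall(line)})
        elif sa is None:
            pass
        elif line.startswith("transform:"):
            sa.transform = line.split(":", 1)[1].strip(" ,")
        elif m := TIMING_RE.search(line):
            sa.sec_left = int(m.group(2))
        elif line.startswith("replay detection support:"):
            sa.replay = line.endswith("Y")
        elif line.startswith("Status:"):
            sa.status = line.split(":", 1)[1].strip()
    return sas, counters, errors

WEAK = {"esp-des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}   # assumption: treated as unacceptable
LEGACY = {"esp-3des"}                                             # deprecated; plan the move to AES

def audit(sas, counters, errors, min_sec_left=300):
    """Findings for this peer; an empty list means nothing to report."""
    out = []
    for sa in sas:
        tag = f"{sa.direction} {sa.protocol} spi 0x{sa.spi:08X}"
        algs = set(sa.transform.split())
        if sa.status != "ACTIVE":
            out.append(f"{tag}: status {sa.status or 'unknown'}")
        if not sa.replay:
            out.append(f"{tag}: anti-replay disabled")
        if algs & WEAK:
            out.append(f"{tag}: weak transform {sa.transform}")
        elif algs & LEGACY:
            out.append(f"{tag}: legacy transform {sa.transform}")
        if sa.sec_left < min_sec_left:
            out.append(f"{tag}: rekey due in {sa.sec_left}s")
    # Every encapsulated packet should have been encrypted, every decapsulated one verified
    if counters.get("encaps") != counters.get("encrypt") or counters.get("decaps") != counters.get("verify"):
        out.append(f"packet counters inconsistent: {counters}")
    if errors != (0, 0):
        out.append(f"send/recv errors {errors}")
    return out
```

Run against the 1700B output the audit reports only the two ESP SAs as legacy (3DES); a peer whose SA shows `replay detection support: N` or a non-ACTIVE status would be listed as well.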


VPN SDM type Configuration

Lab diagram: 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1) connects over the Internet to 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1); hosts 10.0.0.3 and 10.0.0.4 sit behind a switch on 1700A's LAN, host 30.0.0.2 on 1700B's LAN.

Step 1 - Install the Java Runtime Environment, version 5 or later, on the local machine.
Step 2 - Install SDM (Security Device Manager).

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#username CCNA privilege 15 password 123
1700A(config)#line vty 0 4
1700A(config-line)#privilege level 15
1700A(config-line)#exit
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip http server (HTTP server that SDM connects to)
1700A(config)#ip http secure-server (HTTPS, preferred by SDM)
1700A(config)#ip http authentication local

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#username CCSP privilege 15 password 123
1700B(config)#line vty 0 4
1700B(config-line)#privilege level 15
1700B(config-line)#exit
1700B(config)#interface F0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#ip http server (HTTP server that SDM connects to)
1700B(config)#ip http secure-server (HTTPS, preferred by SDM)
1700B(config)#ip http authentication local
IPv6 with GRE (Generic Routing Encapsulation) Tunnel Configuration
LAB

Lab diagram: 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1) across the Internet, with a VPN tunnel between them carrying IPv6 (tunnel addresses fec0::1:1/112 on 1700A and fec0::1:2/112 on 1700B); hosts 10.0.0.3 and 10.0.0.4 sit behind a switch on 1700A's LAN.
1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#ipv6 unicast-routing
1700A(config)#ipv6 cef (Cisco Express Forwarding)
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#interface S0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#^Z
1700A#show ip route
1700A#config t
1700A(config)#router eigrp 100 (0 - 65535)
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#exit
1700A(config)#interface tunnel 0
1700A(config-if)#tunnel source S0/0
1700A(config-if)#tunnel destination 20.0.0.2 (public IP of 1700B)
1700A(config-if)#ipv6 address fec0::1:1/112
1700A(config-if)#ipv6 ospf 1 area 0
1700A(config-if)#exit
1700A(config)#crypto isakmp enable
(ISAKMP: Internet Security Association and Key Management Protocol)
1700A(config)#crypto isakmp policy 10 (1 - 10000 policy number)
1700A(config-isakmp)#authentication pre-share
1700A(config-isakmp)#encryption 3des
1700A(config-isakmp)#hash sha (hash for message integrity and authentication between the peers)
1700A(config-isakmp)#group 5 (Diffie-Hellman group 5 for the key exchange)
1700A(config-isakmp)#exit
1700A(config)#crypto isakmp key CISCO address 20.0.0.2 (destination address, the 1700B peer)
1700A(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700A(cfg-crypto-trans)#exit
1700A(config)#access-list 100 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255
1700A(config)#crypto map AAA 10 ipsec-isakmp (10 - policy number)
1700A(config-crypto-map)#match address 100
1700A(config-crypto-map)#set peer 20.0.0.2 (destination address)
1700A(config-crypto-map)#set transform-set 20 (20 - transform-set name)
1700A(config-crypto-map)#set pfs group 5 (Perfect Forward Secrecy) (optional)
1700A(config-crypto-map)#exit
1700A(config)#interface S0/0
1700A(config-if)#crypto map AAA (the interface on which encryption is applied)
1700A(config-if)#^Z
1700A#ping 30.0.0.1
1700A#ping fec0::1:2 (the 1700B end of the tunnel)
1700A#show crypto isakmp sa
1700A#show crypto ipsec sa

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#ipv6 unicast-routing
1700B(config)#ipv6 cef (Cisco Express Forwarding)
1700B(config)#interface F0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#interface S0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#^Z
1700B#show ip route
1700B#config t
1700B(config)#router eigrp 100 (0 - 65535)
1700B(config-router)#network 20.0.0.0
1700B(config-router)#network 30.0.0.0
1700B(config-router)#exit
1700B(config)#interface tunnel 0
1700B(config-if)#tunnel source S0/0
1700B(config-if)#tunnel destination 20.0.0.1 (public IP of 1700A)
1700B(config-if)#ipv6 address fec0::1:2/112
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#exit
1700B(config)#crypto isakmp enable
(ISAKMP: Internet Security Association and Key Management Protocol)
1700B(config)#crypto isakmp policy 10 (1 - 10000 policy number)
1700B(config-isakmp)#authentication pre-share
1700B(config-isakmp)#encryption 3des
1700B(config-isakmp)#hash sha (hash for message integrity and authentication between the peers)
1700B(config-isakmp)#group 5 (Diffie-Hellman group 5 for the key exchange)
1700B(config-isakmp)#exit
1700B(config)#crypto isakmp key CISCO address 20.0.0.1 (destination address, the 1700A peer)
1700B(config)#crypto ipsec transform-set 20 esp-3des esp-sha-hmac ah-sha-hmac
1700B(cfg-crypto-trans)#exit
1700B(config)#access-list 100 permit ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
1700B(config)#crypto map AAA 10 ipsec-isakmp (10 - policy number)
1700B(config-crypto-map)#match address 100
1700B(config-crypto-map)#set peer 20.0.0.1 (destination address)
1700B(config-crypto-map)#set transform-set 20 (20 - transform-set name)
1700B(config-crypto-map)#set pfs group 5 (Perfect Forward Secrecy) (optional)
1700B(config-crypto-map)#exit
1700B(config)#interface S0/0
1700B(config-if)#crypto map AAA (the interface on which encryption is applied)
1700B(config-if)#^Z
1700B#show ip route
1700B#ping 10.0.0.1
1700B#ping fec0::1:1 (the 1700A end of the tunnel)
1700B#show crypto isakmp sa
1700B#show crypto ipsec sa
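A caveat the two listings above deserve: the crypto map on S0/0 only encrypts packets that match access-list 100, and the IPv6 traffic through tunnel 0 leaves S0/0 as GRE (IP protocol 47) from 20.0.0.1 to 20.0.0.2, which neither side's ACL selects. Only the 10.0.0.0/8 to 30.0.0.0/8 IPv4 traffic is protected; the tunnelled IPv6 crosses the Internet in the clear. The Python below is an added consistency check, not code from the page: it parses the crypto ACLs, confirms that set peer, the pre-shared key address and the transform set mirror each other, and tests whether the GRE carrier traffic is selected. The Peer dataclass and the extra `permit gre host ... host ...` lines used as the fix are this example's own, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ip_network accepts a hostmask (wildcard) after the slash: 10.0.0.0/0.255.255.255 -> 10.0.0.0/8
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines as typed on the page."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list":
            src, rest = _addr(t[4:])
            dst, _ = _addr(rest)
            aces.append(Ace(t[2], t[3], src, dst))
    return aces

def acl_selects(aces, proto, src_ip, dst_ip):
    """First-match evaluation, as the crypto map applies it to packets leaving the interface."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False

@dataclass
class Peer:
    name: str
    wan_ip: str            # S0/0 address, where the crypto map is applied
    set_peer: str          # 'set peer'
    key_address: str       # 'crypto isakmp key ... address'
    transform_set: frozenset
    tunnel_src: str        # 'tunnel source S0/0', resolved to its address
    tunnel_dst: str        # 'tunnel destination'
    acl: list              # parsed crypto ACL

def check_site_to_site(a, b):
    """Findings for the pair; [] means peers mirror each other and the GRE carrier is encrypted."""
    findings = []
    for me, other in ((a, b), (b, a)):
        if me.set_peer != other.wan_ip:
            findings.append(f"{me.name}: set peer {me.set_peer} is not {other.name}'s address")
        if me.key_address != other.wan_ip:
            findings.append(f"{me.name}: pre-shared key bound to {me.key_address}, not to {other.name}")
        if me.transform_set != other.transform_set:
            findings.append(f"{me.name}: transform set differs from {other.name}")
        if not acl_selects(me.acl, "gre", me.tunnel_src, me.tunnel_dst):
            findings.append(f"{me.name}: crypto ACL does not select GRE {me.tunnel_src}->{me.tunnel_dst}; "
                            "tunnel 0 traffic leaves in the clear")
        for ace in me.acl:
            mirrored = any(o.action == "permit" and o.proto == ace.proto and o.src == ace.dst and o.dst == ace.src
                           for o in other.acl)
            if ace.action == "permit" and not mirrored:
                findings.append(f"{me.name}: permit {ace.proto} {ace.src} -> {ace.dst} has no mirror on {other.name}")
    return findings

TS = frozenset({"esp-3des", "esp-sha-hmac", "ah-sha-hmac"})

def page_config(extra_a=(), extra_b=()):
    """The two peers as typed on the page, optionally with extra ACL lines appended."""
    a = Peer("1700A", "20.0.0.1", "20.0.0.2", "20.0.0.2", TS, "20.0.0.1", "20.0.0.2",
             parse_acl(["access-list 100 permit ip 10.0.0.0 0.255.255.255 30.0.0.0 0.255.255.255", *extra_a]))
    b = Peer("1700B", "20.0.0.2", "20.0.0.1", "20.0.0.1", TS, "20.0.0.2", "20.0.0.1",
             parse_acl(["access-list 100 permit ip 30.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255", *extra_b]))
    return a, b

# Assumed fix (not from the page): one extra ACE per side so the GRE carrier packets are encrypted too.
FIX_A = ["access-list 100 permit gre host 20.0.0.1 host 20.0.0.2"]
FIX_B = ["access-list 100 permit gre host 20.0.0.2 host 20.0.0.1"]
```

With the page's ACLs the check reports one finding per router (GRE not selected); with the two extra ACEs it reports nothing, and a typo in either `set peer` or the key address shows up as a mismatch instead of a phase 1 failure found by trial and error on the console.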
Cisco IOS (Internetwork Operating System)

Memory components: DRAM, NVRAM, FLASH

Capacity of components, 1760 series:
NVRAM - 32 KB
DRAM - 64 MB
FLASH - 32 MB

Router modes and configuration register values:
Normal mode - 0x2102
RX Boot mode - 0x2101
ROM Monitor - 0x2142

Initially the router boots from flash memory; if NVRAM is empty it offers the initial auto-install (setup) dialog. If the user has already saved the running-config to startup-config, the router boots with that startup-config without prompting for the initial auto-install facility.
IOS Back-up and Restore Configuration

Lab diagram: 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1 towards the Internet); on the LAN switch, host 10.0.0.4 and the backup TFTP server 10.0.0.3.

IOS Back-up command

Install a TFTP server (for example the SolarWinds TFTP server, a third-party tool) on the local machine.
1700A#show flash
1700A#copy flash: tftp:
Source filename: xxxxxxxxxx (the IOS image name shown by show flash)
Address or name of remote host: 10.0.0.3
Destination filename: xxxxxxxxxx (same as the source file name)

Configuration Back-up command

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#copy running-config startup-config
1700A#copy startup-config tftp:
Address or name of remote host: 10.0.0.3
Destination filename: AAAA

Erase startup configuration command

1700A#erase startup-config

Restore IOS command

If the startup configuration has already been erased, the router does not boot from flash ROM, so change the configuration register to RX Boot mode and reload.
Router>en
Router#config t
Router(config)#config-register 0x2101
Router(config)#exit
Router#reload
Wait a few seconds for the reload to finish.

Router>en
Router#config t
Router(config)#interface F0/0
Router(config-if)#ip address 10.0.0.1 255.0.0.0
Router(config-if)#no shutdown
Router(config-if)#^Z
Router#ping 10.0.0.3

Router#copy tftp: flash:
Address or name of remote host: 10.0.0.3
Source filename: xxxxxxxxxx
Destination filename: xxxxxxxxxx (same name as the source)
Erase flash: before copying? yes

Configuration restore command

Router#copy tftp: startup-config
Address or name of remote host: 10.0.0.3
Source filename: AAAA

Change back to Normal mode command

Router#config t
Router(config)#config-register 0x2102
Router(config)#exit
Router#reload

Password Recovery Configuration

Router>en
Router#config t
Router(config)#line console 0
Router(config-line)#password 123
Router(config-line)#login

Password recovery steps

Switch the router off and on again.
Press Ctrl+Break while it boots to enter ROM monitor.
rommon 1 > confreg 0x2142 (to bypass the startup configuration in NVRAM)
rommon 2 > reset
Would you like to enter the initial configuration dialog? no
Router#show running-config
Router#show startup-config (to see the saved password)
Router#show version (to check the configuration register)
Router#config t
Router(config)#config-register 0x2102
Router(config)#exit
Router#reload
Save the modified configuration? no
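The register values listed under router modes and the confreg step of the password recovery above are easier to reason about as bits. As an added example (not code from the notes), the Python below decodes a register value (boot field, ignore-NVRAM bit 6, Break-disabled bit 8), lists the findings a defender raises when such a value is found on a production router, and reads the register from the last line of show version, which also reveals a pending change before the reload. The bit layout is Cisco's documented one; the finding wording and the sample show version line are this example's own.

```python
import re

BOOT_FIELD = 0x000F                   # bits 0-3: how the router boots
IGNORE_NVRAM = 0x0040                 # bit 6: ignore startup-config in NVRAM (the password-recovery bit)
BREAK_DISABLED = 0x0100               # bit 8: Break key ignored once IOS is running
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000    # bit 13: fall back to ROM software if a network boot fails

BOOT_FIELD_MEANING = {
    0x0: "stay in ROM monitor (rommon)",
    0x1: "boot the limited ROM/RXBOOT image",
}

def decode_confreg(value):
    """Split a configuration register into the fields the labs above rely on."""
    boot = value & BOOT_FIELD
    return {
        "value": f"0x{value:04X}",
        "boot_field": boot,
        "boot": BOOT_FIELD_MEANING.get(boot, "boot IOS from flash (per 'boot system' commands, else the first image)"),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & BOOT_ROM_IF_NETBOOT_FAILS),
    }

def assess_confreg(value):
    """Findings for a register value left on a router after maintenance; [] is the normal 0x2102 case."""
    d = decode_confreg(value)
    findings = []
    if d["ignore_nvram"]:
        findings.append("startup-config is bypassed at boot: the saved passwords do not apply "
                        "until the register is set back to 0x2102")
    if d["boot_field"] == 0x0:
        findings.append("router halts in rommon on every reload")
    elif d["boot_field"] == 0x1:
        findings.append("router boots the ROM image, not the IOS in flash")
    if not d["break_disabled"]:
        findings.append("Break is honoured at runtime: anyone on the console can drop the router into rommon")
    return findings

SHOW_VER_RE = re.compile(r"Configuration register is 0x([0-9A-Fa-f]+)"
                         r"(?: \(will be 0x([0-9A-Fa-f]+) at next reload\))?")

def confreg_from_show_version(text):
    """Return (current, next_reload) from the closing line of 'show version'; next_reload is None if unchanged."""
    m = SHOW_VER_RE.search(text)
    if not m:
        return None
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    return current, pending

# Constructed sample of the closing line of 'show version' after the config-register command
# has been entered but before the reload (not a real capture)
SAMPLE_SHOW_VER = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
```

The password-recovery procedure is the difference between 0x2102 and 0x2142: a single bit. The assessment is what to run on a fleet's `show version` output to catch a router that was recovered and never switched back.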
Secure Shell

Lab diagram: Secure Shell server 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1 towards the Internet); clients 10.0.0.3 and 10.0.0.4 on the LAN.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip domain-name CCNA.COM
1700A(config)#crypto key generate rsa usage-keys modulus 1024
1700A(config)#username CCSP password 123
1700A(config)#line vty 0 4
1700A(config-line)#login local
1700A(config-line)#transport input ssh (accept SSH only, not Telnet)
1700A(config-line)#exit
1700A(config)#enable secret 123

Use this software

PuTTY (putty.exe) as the SSH client
Wireshark to inspect the traffic
Configuration Back-up

Lab diagram: 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1) across the Internet; the local backup FTP server 10.0.0.3 and host 10.0.0.4 sit behind the switch on 1700A's LAN, the remote backup FTP server 30.0.0.2 on 1700B's LAN.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#ip ftp username Administrator
1700A(config)#ip ftp password 1700
1700A(config)#archive
1700A(config-archive)#path ftp://10.0.0.3/Cisco backup/rip (local backup server; "rip" is any name, here the routing protocol in use)
1700A(config-archive)#path ftp://30.0.0.2/Cisco backup/rip (remote backup server)
1700A(config-archive)#write-memory
From now on, whenever a configuration change is saved with copy running-config startup-config, a backup is taken automatically.

1700A#copy running-config startup-config


SYSLOG Server Configuration

Lab diagram: 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1) and 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1) across the Internet; hosts 10.0.0.3 and 10.0.0.4 behind the switch on 1700A's LAN, the syslog server 30.0.0.2 on 1700B's LAN.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#logging 30.0.0.2 (the syslog server)
1700A(config)#logging trap notifications
1700A(config)#logging source-interface F0/0
1700A(config)#archive
1700A(config-archive)#log config
1700A(config-archive-log-cfg)#logging enable
1700A(config-archive-log-cfg)#hidekeys (passwords are not shown on the syslog server)
1700A(config-archive-log-cfg)#notify syslog
1700A(config-archive-log-cfg)#^Z
1700A#show
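The SSH, FTP backup and syslog labs above all touch the management plane. As an added example (not code from the notes), the Python below audits an IOS running-config for the settings those labs leave weak: Telnet still accepted on the vty lines, the SSH version not pinned, reversible passwords, FTP backup credentials stored in the config, plain HTTP management, and config-change logging without hidekeys. Both sample configs are constructed from the commands on the page rather than captured from a router, the assumed default of `transport input all` is marked in the code, and the rule ids and messages are this example's own.

```python
def _blocks(config):
    """Yield (top-level line, [indented sub-lines]) using IOS's one-space indentation."""
    top, subs = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and top is not None:
            subs.append(raw.strip())
        else:
            if top is not None:
                yield top, subs
            top, subs = raw.strip(), []
    if top is not None:
        yield top, subs

def audit_ios_config(config):
    """Return [(rule_id, message)]; an empty list means every check passed."""
    blocks = list(_blocks(config))
    tops = [t for t, _ in blocks]
    out = []
    for t in tops:
        if t.startswith("enable password"):
            out.append(("ENABLE-PASSWORD", "use 'enable secret' (hashed) instead of 'enable password'"))
        if t.startswith("username ") and " password " in t:
            out.append(("USER-PASSWORD", f"'{t.split()[1]}' has a reversible password; use 'username ... secret'"))
        if t.startswith("ip ftp password"):
            out.append(("FTP-CREDS", "FTP backup credentials are stored in the configuration"))
        if t == "ip http server":
            out.append(("HTTP-CLEAR", "plain-text HTTP management is enabled; keep only 'ip http secure-server'"))
    if "service password-encryption" not in tops:
        out.append(("NO-PW-ENCRYPT", "'service password-encryption' is missing; line passwords are stored in clear"))
    ssh_in_use = False
    for t, subs in blocks:
        if t.startswith("line vty"):
            # Assumption: with no 'transport input' line the older IOS default of 'all' applies
            ti = next((s.split()[2:] for s in subs if s.startswith("transport input")), ["all"])
            if "telnet" in ti or "all" in ti:
                out.append(("TELNET-VTY", f"{t}: Telnet is accepted ({' '.join(ti)}); use 'transport input ssh'"))
            ssh_in_use = ssh_in_use or "ssh" in ti or "all" in ti
            if not any(s.startswith("login") for s in subs):
                out.append(("VTY-NO-LOGIN", f"{t}: no 'login' / 'login local', remote access without authentication"))
        if t == "archive" and "logging enable" in subs and "hidekeys" not in subs:
            out.append(("ARCHIVE-KEYS", "config-change logging without 'hidekeys' sends passwords to the syslog server"))
    if ssh_in_use and "ip ssh version 2" not in tops:
        out.append(("SSH-V1", "'ip ssh version 2' is not set; SSHv1 may be negotiated"))
    return out

# Constructed from the commands typed in the labs above (not a capture from a router)
PAGE_STYLE = """\
hostname 1700A
username CCSP password 0 123
ip domain-name CCNA.COM
ip ftp username Administrator
ip ftp password 1700
ip http server
ip http authentication local
archive
 log config
  logging enable
  notify syslog
 path ftp://10.0.0.3/backup/rip
 write-memory
logging trap notifications
logging source-interface FastEthernet0/0
logging 30.0.0.2
line vty 0 4
 login local
 transport input telnet ssh
"""

# The same device with every finding above addressed (constructed)
HARDENED = """\
hostname 1700A
service password-encryption
username CCSP secret 123
ip domain-name CCNA.COM
ip ssh version 2
ip http secure-server
ip http authentication local
archive
 log config
  logging enable
  hidekeys
  notify syslog
 path flash:backup
 write-memory
logging trap notifications
logging source-interface FastEthernet0/0
logging 30.0.0.2
line vty 0 4
 login local
 transport input ssh
"""
```

Run over a config backed up by the archive feature above, the audit is a cheap way to see whether the router that was "secured" with SSH still answers Telnet and still ships its FTP password to every backup copy.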
IPV6 Routing Configuration

Lab diagram: three routers in a triangle. 1700A: F0/0 10.0.0.1 and fec0::1:1/112, S0/0 fec0::10:1, S0/1 fec0::12:1. 1700B: F0/0 20.0.0.1 and fec0::2:1/112, S0/0 fec0::10:2, S0/1 fec0::11:1. 1700C: F0/0 30.0.0.1 and fec0::3:1/112, S0/0 fec0::12:2, S0/1 fec0::11:2. Serial links: 1700A-1700B fec0::10:0/112, 1700A-1700C fec0::12:0/112, 1700B-1700C fec0::11:0/112.

1700A
Router>en
Router#config t
Router(config)#hostname 1700A
1700A(config)#ipv6 unicast-routing
1700A(config)#ipv6 cef (Cisco Express Forwarding)
1700A(config)#interface F0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#ipv6 address fec0::1:1/112
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/0
1700A(config-if)#ipv6 address fec0::10:1/112
1700A(config-if)#no shutdown
1700A(config-if)#interface S0/1
1700A(config-if)#ipv6 address fec0::12:1/112
1700A(config-if)#no shutdown
1700A(config-if)#^Z
1700A#show ip route
1700A#config t
1700A(config)#router ospf 1 (Process ID 1 - 65535)
1700A(config-router)#network 10.0.0.0 0.255.255.255 area 0
1700A(config-router)#exit
1700A(config)#interface F0/0
1700A(config-if)#ipv6 ospf 1 area 0
1700A(config-if)#interface S0/0
1700A(config-if)#ipv6 ospf 1 area 0
1700A(config-if)#interface S0/1
1700A(config-if)#ipv6 ospf 1 area 0
1700A(config-if)#^Z
1700A#show ip route
1700A#show ipv6 route

1700B
Router>en
Router#config t
Router(config)#hostname 1700B
1700B(config)#ipv6 unicast-routing
1700B(config)#ipv6 cef (Cisco Express Forwarding)
1700B(config)#interface F0/0
1700B(config-if)#ip address 20.0.0.1 255.0.0.0
1700B(config-if)#ipv6 address fec0::2:1/112
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/0
1700B(config-if)#ipv6 address fec0::10:2/112
1700B(config-if)#no shutdown
1700B(config-if)#interface S0/1
1700B(config-if)#ipv6 address fec0::11:1/112
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router ospf 1 (Process ID 1 - 65535)
1700B(config-router)#network 20.0.0.0 0.255.255.255 area 0
1700B(config-router)#exit
1700B(config)#interface F0/0
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#interface S0/0
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#interface S0/1
1700B(config-if)#ipv6 ospf 1 area 0
1700B(config-if)#^Z
1700B#show ip route
1700B#show ipv6 route

1700C
Router>en
Router#config t
Router(config)#hostname 1700C
1700C(config)#ipv6 unicast-routing
1700C(config)#ipv6 cef (Cisco Express Forwarding)
1700C(config)#interface F0/0
1700C(config-if)#ip address 30.0.0.1 255.0.0.0
1700C(config-if)#ipv6 address fec0::3:1/112
1700C(config-if)#no shutdown
1700C(config-if)#interface S0/0
1700C(config-if)#ipv6 address fec0::12:2/112
1700C(config-if)#no shutdown
1700C(config-if)#interface S0/1
1700C(config-if)#ipv6 address fec0::11:2/112
1700C(config-if)#no shutdown
1700C(config-if)#exit
1700C(config)#router ospf 1 (Process ID 1 - 65535)
1700C(config-router)#network 30.0.0.0 0.255.255.255 area 0
1700C(config-router)#exit
1700C(config)#interface F0/0
1700C(config-if)#ipv6 ospf 1 area 0
1700C(config-if)#interface S0/0
1700C(config-if)#ipv6 ospf 1 area 0
1700C(config-if)#interface S0/1
1700C(config-if)#ipv6 ospf 1 area 0
1700C(config-if)#^Z
1700C#show ip route
1700C#show ipv6 route
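Before enabling OSPFv3 on three routers it is worth checking that the link addresses typed above pair up. The Python below is an added example, not code from the notes: it collects the ipv6 address lines per router, treats each serial /112 as a point-to-point link that must have exactly two endpoints on two different routers, and reports any address that appears twice. The PAGE table repeats the addresses from the three listings; the broken variant is constructed for the demo.

```python
import ipaddress
from collections import defaultdict

def parse_ipv6_interfaces(router, cli_lines):
    """Collect (router, interface, IPv6Interface) from 'interface X' / 'ipv6 address A/P' lines;
    a leading CLI prompt such as '1700A(config-if)#' is stripped first."""
    found, iface = [], None
    for line in cli_lines:
        parts = line.rsplit("#", 1)[-1].split()
        if parts[:1] == ["interface"]:
            iface = "".join(parts[1:])          # 'interface S0/0' and 'interface S 0/0' both become S0/0
        elif parts[:2] == ["ipv6", "address"] and iface:
            found.append((router, iface, ipaddress.ip_interface(parts[2])))
    return found

def check_links(entries):
    """Return a list of findings; [] means every link is consistent."""
    findings = []
    by_addr, by_net = defaultdict(list), defaultdict(list)
    for router, iface, addr in entries:
        by_addr[addr.ip].append(f"{router} {iface}")
        by_net[addr.network].append((router, iface))
    for ip, where in by_addr.items():
        if len(where) > 1:
            findings.append(f"duplicate address {ip} on {' and '.join(where)}")
    for net, ends in by_net.items():
        if not any(iface.upper().startswith("S") for _, iface in ends):
            continue                            # a LAN prefix on a single router is fine
        routers = {router for router, _ in ends}
        if len(ends) != 2:
            findings.append(f"serial prefix {net} has {len(ends)} endpoint(s), expected 2")
        elif len(routers) != 2:
            findings.append(f"serial prefix {net} has both endpoints on {routers.pop()}")
    return findings

# The addresses from the three listings above
PAGE = {
    "1700A": ["interface F0/0", "ipv6 address fec0::1:1/112",
              "interface S0/0", "ipv6 address fec0::10:1/112",
              "interface S0/1", "ipv6 address fec0::12:1/112"],
    "1700B": ["interface F0/0", "ipv6 address fec0::2:1/112",
              "interface S0/0", "ipv6 address fec0::10:2/112",
              "interface S0/1", "ipv6 address fec0::11:1/112"],
    "1700C": ["interface F0/0", "ipv6 address fec0::3:1/112",
              "interface S0/0", "ipv6 address fec0::12:2/112",
              "interface S0/1", "ipv6 address fec0::11:2/112"],
}

def entries_for(configs):
    return [e for router, lines in configs.items() for e in parse_ipv6_interfaces(router, lines)]

def broken_variant():
    """Constructed: 1700B's S0/1 reuses 1700A's S0/1 address, so one link gets three endpoints,
    fec0::11:0/112 is left with one, and one address is duplicated."""
    cfg = {k: list(v) for k, v in PAGE.items()}
    cfg["1700B"][5] = "ipv6 address fec0::12:1/112"
    return cfg
```

A duplicated link address is the classic reason an OSPFv3 adjacency on a serial link stays in INIT or never forms; the check catches it from the typed configuration before the routers are touched.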
Dynamic Host Configuration Protocol Configuration
LAB

Lab diagram: DHCP server 1700A (F0/0 10.0.0.1, S0/0 20.0.0.1) and DHCP relay 1700B (S0/0 20.0.0.2, F0/0 30.0.0.1); hosts 10.0.0.2 and 10.0.0.3 behind the switch on 1700A, host 30.0.0.2 behind the switch on 1700B; the relay forwards the client's request to the server as unicast.

A router does not forward the client's broadcast packet across the network; the relay sends it on to the server as a unicast packet.

1700A
Router>enable
Router#configure terminal
Router(config)#hostname 1700A
1700A(config)#interface FastEthernet 0/0
1700A(config-if)#ip address 10.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#interface Serial 0/0
1700A(config-if)#ip address 20.0.0.1 255.0.0.0
1700A(config-if)#no shutdown
1700A(config-if)#exit
1700A(config)#router rip
1700A(config-router)#network 10.0.0.0
1700A(config-router)#network 20.0.0.0
1700A(config-router)#^Z
1700A#show ip route
1700A#show ip interface brief
1700A#config t
1700A(config)#service dhcp
1700A(config)#ip dhcp pool ccna (pool name, any name)
1700A(dhcp-config)#network 10.0.0.0 255.0.0.0
1700A(dhcp-config)#default-router 10.0.0.1
1700A(dhcp-config)#dns-server xxx.xxx.xxx.xxx
1700A(dhcp-config)#netbios-name-server xxx.xxx.xxx.xxx (used if DNS is not available)
1700A(dhcp-config)#exit
1700A(config)#ip dhcp excluded-address 10.0.0.2 10.0.0.10
1700A(config)#exit
1700A#show ip dhcp database
1700A#show ip dhcp binding

Second pool, for the remote LAN behind 1700B (it needs its own pool name):
1700A#config t
1700A(config)#ip dhcp pool ccna2
1700A(dhcp-config)#network 30.0.0.0 255.0.0.0
1700A(dhcp-config)#default-router 30.0.0.1
1700A(dhcp-config)#dns-server xxx.xxx.xxx.xxx
1700A(dhcp-config)#netbios-name-server xxx.xxx.xxx.xxx (used if DNS is not available)
1700A(dhcp-config)#exit
1700A(config)#ip dhcp excluded-address 30.0.0.2 30.0.0.10
1700A(config)#exit
1700A#show ip dhcp database
1700A#show ip dhcp binding

1700B
Router>enable
Router#configure terminal
Router(config)#hostname 1700B
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip address 30.0.0.1 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#interface Serial 0/0
1700B(config-if)#ip address 20.0.0.2 255.0.0.0
1700B(config-if)#no shutdown
1700B(config-if)#exit
1700B(config)#router rip
1700B(config-router)#network 30.0.0.0
1700B(config-router)#network 20.0.0.0
1700B(config-router)#^Z
1700B#show ip route
1700B#show ip interface brief
1700B#config t
1700B(config)#interface FastEthernet 0/0
1700B(config-if)#ip helper-address 20.0.0.1 (address of the DHCP server, 1700A's S0/0, which here is also the next hop)
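The relay rule above (the router does not forward the client's broadcast; the helper-address turns it into a unicast to the server) and the two pools on 1700A fit in one small model. The Python below is an added example, not the page's code: it builds 1700A's two pools and excluded ranges, relays a DISCOVER from the 30.0.0.0 LAN the way `ip helper-address` does, and shows how the server uses giaddr to pick the pool. Hosts, MAC addresses and packets are constructed for the demo; the one simplification (the gateway is never leased) is marked in the code.

```python
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "255.255.255.255"

@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network
    default_router: str

@dataclass
class DhcpServer:
    pools: list
    excluded: list          # (first, last) pairs from 'ip dhcp excluded-address'
    own_addresses: set      # the server's own interface addresses, never leased
    leases: dict = field(default_factory=dict)   # chaddr -> IPv4Address

    def _usable(self, ip, pool):
        # Simplification of this model: the pool's gateway is never leased. On a real IOS
        # server, put the gateway inside an 'ip dhcp excluded-address' range.
        if str(ip) in self.own_addresses or str(ip) == pool.default_router:
            return False
        if any(first <= ip <= last for first, last in self.excluded):
            return False
        return ip not in self.leases.values()

    def select_pool(self, giaddr, ingress_ip):
        # RFC 2131: giaddr 0.0.0.0 means the client is on the receiving interface's subnet;
        # otherwise the relay's giaddr identifies the client's subnet.
        key = ipaddress.ip_address(ingress_ip if giaddr == "0.0.0.0" else giaddr)
        return next((p for p in self.pools if key in p.network), None)

    def handle_discover(self, pkt, ingress_ip):
        """Return the OFFER fields, or None when no pool covers the client's subnet."""
        pool = self.select_pool(pkt["giaddr"], ingress_ip)
        if pool is None:
            return None
        ip = self.leases.get(pkt["chaddr"])
        if ip is None:
            ip = next(h for h in pool.network.hosts() if self._usable(h, pool))
            self.leases[pkt["chaddr"]] = ip
        # The OFFER goes back as unicast to the relay (giaddr) or as a broadcast on the local LAN
        reply_to = BROADCAST if pkt["giaddr"] == "0.0.0.0" else pkt["giaddr"]
        return {"yiaddr": str(ip), "mask": str(pool.network.netmask),
                "router": pool.default_router, "dst": reply_to, "pool": pool.name}

def relay_discover(pkt, ingress_ip, helper_address):
    """What 'ip helper-address' does on 1700B's F0/0: a broadcast is not forwarded by a router;
    with a helper the DISCOVER is re-sent as unicast to the server, and giaddr is stamped with
    the receiving interface address so the server can pick the right pool."""
    if pkt["dst"] != BROADCAST or helper_address is None:
        return None
    return {**pkt, "src": ingress_ip, "dst": helper_address, "giaddr": ingress_ip}

def discover(mac):
    """A client's DHCPDISCOVER as it leaves the host (constructed)."""
    return {"src": "0.0.0.0", "dst": BROADCAST, "giaddr": "0.0.0.0", "chaddr": mac}

def page_lab_server():
    """1700A as configured above: pool ccna for 10.0.0.0/8 and a second pool for 30.0.0.0/8."""
    ex = lambda a, b: (ipaddress.ip_address(a), ipaddress.ip_address(b))
    return DhcpServer(
        pools=[Pool("ccna", ipaddress.ip_network("10.0.0.0/8"), "10.0.0.1"),
               Pool("ccna2", ipaddress.ip_network("30.0.0.0/8"), "30.0.0.1")],
        excluded=[ex("10.0.0.2", "10.0.0.10"), ex("30.0.0.2", "30.0.0.10")],
        own_addresses={"10.0.0.1", "20.0.0.1"})

def demo():
    server = page_lab_server()
    # Host on 1700A's own LAN: the broadcast arrives on F0/0 and giaddr stays 0.0.0.0
    local = server.handle_discover(discover("aa:aa:aa:aa:aa:01"), ingress_ip="10.0.0.1")
    # Host behind 1700B: without a helper the broadcast dies at 1700B
    dropped = relay_discover(discover("bb:bb:bb:bb:bb:01"), "30.0.0.1", helper_address=None)
    # With 'ip helper-address 20.0.0.1' it reaches 1700A's S0/0 as a unicast
    relayed = relay_discover(discover("bb:bb:bb:bb:bb:01"), "30.0.0.1", helper_address="20.0.0.1")
    remote = server.handle_discover(relayed, ingress_ip="20.0.0.1")
    return local, dropped, remote
```

The remote client is offered 30.0.0.11 with 30.0.0.1 as its gateway even though the packet reached the server on 20.0.0.1; only giaddr tells the server which LAN the client is on, which is why a relay that stamps a wrong giaddr (or a rogue relay) hands out addresses from the wrong pool.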
CISCO DEFINITIONS

ADSP - AppleTalk Data Stream Protocol
AEP - AppleTalk Echo Protocol
AFP - AppleTalk Filing Protocol
APPN - Advanced Peer-to-Peer Networking
ABR - Area Border Router
ARIS - Aggregate Route-Based Switching
ARLL - Advanced Run-Length Limited
ARP - Address Resolution Protocol
ASP - AppleTalk Session Protocol
ATM - Asynchronous Transfer Mode
BGP - Border Gateway Protocol
BOOTP - Bootstrap Protocol
BPDU - Bridge Protocol Data Unit
CIDR - Classless Inter-Domain Routing
CIR - Committed Information Rate
CPE - Customer Premises Equipment
DARPA - Defense Advanced Research Projects Agency
DEMARC - Demarcation
DHCP - Dynamic Host Configuration Protocol
DSAP - Destination Service Access Point
EIA/TIA - Electronics Industry Association / Telecommunications Industry Association
EGP - Exterior Gateway Protocol
EBGP - External Border Gateway Protocol
EIGRP - Enhanced Interior Gateway Routing Protocol
FCS - Frame Check Sequence
FDM - Frequency-Division Multiplexing
FTP - File Transfer Protocol
GPS - Global Positioning System
HDLC - High-level Data Link Control
HTTP - Hypertext Transfer Protocol
HTTPS - Hypertext Transfer Protocol Secure
ICMP - Internet Control Message Protocol
ICS - Internet Connection Sharing
IGMP - Internet Group Management Protocol
IGRP - Interior Gateway Routing Protocol
IMAP4 - Internet Message Access Protocol, Version 4
INARP - Inverse ARP
IOS - Internetwork Operating System
ISDN - Integrated Services Digital Network
IP - Internet Protocol
LCP - Link Control Protocol
LDAP - Lightweight Directory Access Protocol
LMI - Local Management Interface
LPD - Line Printer Daemon
LPR - Line Printer Remote
MMDS - Multipoint Microwave Distribution System
NBP - Name Binding Protocol
NCP - NetWare Core Protocol
NDS - NetWare Directory Service
NNTP - Network News Transfer Protocol
NTP - Network Time Protocol
NVRAM - Nonvolatile RAM
OSPF - Open Shortest Path First
OUI - Organizationally Unique Identifier
PAP - Printer Access Protocol (AppleTalk); Password Authentication Protocol (PPP)
POP - Point Of Presence (also Post Office Protocol)
PPP - Point-to-Point Protocol
PPPoA - Point-to-Point Protocol over ATM
PPPoE - Point-to-Point Protocol over Ethernet
PPTP - Point-to-Point Tunneling Protocol
PVC - Permanent Virtual Circuit
Proxy ARP - Proxy Address Resolution Protocol
RAID - Redundant Array of Inexpensive (Independent) Disks
RARP - Reverse Address Resolution Protocol
RAS - Windows Remote Access Service
RDP - Remote Desktop Protocol
RIP - Routing Information Protocol
RTMP - Routing Table Maintenance Protocol
SAP - Service Advertising Protocol
SCP - Secure Copy Protocol
SFTP - Secure File Transfer Protocol
SLIP - Serial Line Internet Protocol
SMB - Server Message Block
SMTP - Simple Mail Transfer Protocol
SNAP - Sub-Network Access Protocol
SNMP - Simple Network Management Protocol
SSAP - Source Service Access Point
SSH - Secure Shell
STP - Spanning Tree Protocol
SVC - Switched Virtual Circuit
TDM - Time-Division Multiplexing
TELNET - Terminal Emulation
TFTP - Trivial File Transfer Protocol
UDP - User Datagram Protocol
VLANs - Virtual LANs
VLSM - Variable Length Subnet Masking
WLAN - Wireless LAN
ZIP - Zone Information Protocol
IETF - Internet Engineering Task Force
VPN - Virtual Private Network
NAS - Network Access Server
LNS - L2TP Network Server
ISAKMP - Internet Security Association and Key Management Protocol
L2TP - Layer 2 Tunnelling Protocol
L2TPv3 - Layer 2 Tunnelling Protocol version 3
MPLS - Multi-Protocol Label Switching
L2F - Layer 2 Forwarding
VPDN - Virtual Private Dial-up Network
