
Cisco ICND2 CCNA (Part 2)

Configure Medium-Size Routed & Switched Networks! (Interconnecting Cisco Networking Devices - Part 2)

By Chris Bryant

Train Signal, Inc., 2002-2007

Introduction to ICND2


Welcome to Your ICND2 Video Boot Camp!


Switching
Point-to-Point Protocols and Frame Relay
Static Routing and RIP
Binary Math, Conversions, and Subnetting
Link State Protocols and OSPF
EIGRP
IP Version 6, NAT, and PAT
ACLs and Router Summarization
Introduction to VPNs

Your Instructor
Chris Bryant, CCIE #12933. Earned my CCIE on February 26, 2004, and founded The Bryant Advantage in June of that year. My Video Boot Camp and Ultimate Study Packages place an emphasis on clearly explained theory and as much work as possible on REAL Cisco routers and switches. Free Tutorials, Daily Exam Questions, and more at my website: www.thebryantadvantage.com

CCNA Exam Paths


There are two separate paths to the CCNA:
Two-exam path: ICND1 and ICND2 (640-822, 640-816)
One-exam path: CCNA (640-802)

Passing the ICND1 exam makes you a CCENT (Cisco Certified Entry Networking Technician). There is some overlap of topics between exams, especially switching, static routing, RIP, and binary conversions.

Review: CCENT (ICND1) Topic 1: Switching


Switching

Repeaters, Hubs and Bridges
Building the MAC Table
Flood, Filter or Forward?
Frame Processing Methods
Virtual LANs
Cisco Three-Layer Switching Model
Introduction to STP
Basic Switch Security
Port Security Defaults, Options and Configurations

With many networking terms, the name is indeed the recipe, and that's very true of a repeater. A repeater's job is to repeat an electrical signal, the form that our data has taken to be sent across a cable. Remember, "it's all ones and zeroes!" The repeater takes an incoming signal and then generates a new, clean copy of that exact signal. This prevented maximum cable lengths from stopping transmissions, and also helped to ward off attenuation - the gradual weakening of an electric signal as it travels.

A hub is basically the same as a repeater, but the hub will have more ports. That's the only difference between the two. (Some hubs have greater capabilities than others, but a "basic" hub is simply a multiport repeater.) Neither hubs nor repeaters have anything to do with the Data Link layer of the OSI model, nor do they perform any switching at all. Hubs and repeaters are strictly Physical layer devices, and that's where the trouble comes in. For our next example, we'll consider a hub with four PCs connected to it.

To prevent this, a host on a shared Ethernet segment will use CSMA/CD (Carrier Sense Multiple Access with Collision Detection). To review, here's the CSMA/CD process:
A host that wants to send data will first "listen to the wire", meaning that it checks the shared media to see if it's in use.
If the media is in use, the host backs off for a few milliseconds before checking again.
If the media is not in use, the host sends the data.

If two PCs happen to send data at the exact same time, the voltage on the wire will actually change, indicating to the hosts that there has been a data collision. The two PCs that sent the data will generate a "jam signal", which indicates to the other hosts on the shared media that they should not send data due to a collision. Those two PCs both invoke a backoff timer, also in milliseconds. When each host's random timer expires, they will each begin the entire process again by listening to the wire. Since the backoff timer value is totally random, it's unlikely the two hosts will have the same problem again.


Before we talk about switches, here's an old joke:


Q. What's the difference between bridges and switches?
A. Marketing.

Let's review the key concepts of hubs vs. switches.


With hubs, we've got one big collision domain consisting of all connected hosts. When hosts are connected to their own switch ports, they each have their own individual collision domain.
Hubs only allow one device to transmit at a time, resulting in shared bandwidth. Switches allow hosts to transmit simultaneously.
When one host connected to a hub sends a broadcast, every other host receives that broadcast and there's nothing we can do about it. When a host connected to a switch sends a broadcast, every other host receives it by default - but there is something we can do about that, as you'll see in the VLAN section of this course.

Microsegmentation is a term sometimes used in Cisco documentation to describe the "one host, one collision domain" effect of that last bullet point. It's not a term I hear a great deal in the field, and you might not either, but it's a good term to know for Cisco exams.

A Cisco switch will do one of three things with an incoming frame:


Forward it
Flood it
Filter it

To make this decision, the switch uses its MAC Address table to check if there's an entry for the destination MAC address - but first, the switch will actually check to see if there's an entry for the source MAC address of the frame, because it's that source MAC that the switch will use to actually build the table in the first place!

SW1#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0008.7de9.9800    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 5

SW1#show mac-address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 1

No, so the switch will create one.

SW1#show mac-address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2

SW1#show mac-address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    bbbb.bbbb.bbbb    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2
   1    dddd.dddd.dddd    DYNAMIC     Fa0/3

We don't get to say "never" in networking very often, and as you progress in your studies, you'll learn there's almost always an exception to the rule in CiscoLand. (That's what makes it fun, though!) There is no exception to this particular rule, though: Switches never send a frame back out the same port it came in on.

Flooding is performed when the switch has no entry for the frame's destination MAC address. When a frame is flooded, it is sent out every single port on the switch except the one it came in on. Unknown unicast frames are always flooded.
Forwarding is performed when the switch does have an entry for the frame's destination MAC address. Forwarding a frame means the frame is being sent out only one port on the switch.
Filtering is performed when the switch has an entry for both the source and destination MAC address, and the MAC table indicates that both addresses are found off the same port. The frame is simply dropped: the destination is on the same segment the frame arrived from, so it has already seen it.

There's one other frame type that is sent out every port on the switch except the one that received it, and that's a broadcast frame. Broadcast frames are intended for all hosts, and the MAC broadcast address is ff-ff-ff-ff-ff-ff (or FF-FF-FF-FF-FF-FF, as a MAC address's case does not matter).
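The forward / flood / filter decision just described, as an added Python example; this is not part of the course and is not Cisco code. A toy learning switch learns from the source MAC first and then decides what to do with the destination. The port names, MAC addresses and frame sequence are constructed to mirror the show mac-address-table output above, and bbbb.bbbb.bbbb is assumed to sit behind a hub on Fa0/1 alongside aaaa.aaaa.aaaa, which is the situation that produces a filter.

```python
# Added example (not from the course, not IOS code): a toy learning switch that
# makes the forward / flood / filter decision described above. Single VLAN only.
BROADCAST_MAC = "ffff.ffff.ffff"


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # source MAC -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return (action, list of egress ports)."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        # 1. Learn from the SOURCE address first; this is how the table is built.
        self.mac_table[src_mac] = in_port
        # 2. Broadcasts and unknown unicasts leave every port except the ingress port.
        every_other_port = [p for p in self.ports if p != in_port]
        if dst_mac == BROADCAST_MAC:
            return "broadcast", every_other_port
        if dst_mac not in self.mac_table:
            return "flood", every_other_port
        # 3. Known destination: forward out exactly one port...
        out_port = self.mac_table[dst_mac]
        if out_port == in_port:
            # ...unless that port is the one the frame arrived on. A frame is never
            # sent back out its ingress port, so the frame is filtered (dropped).
            return "filter", []
        return "forward", [out_port]


def replay():
    """Replay a constructed frame sequence matching the show mac-address-table
    output earlier in this section; bbbb is assumed to share a hub with aaaa on Fa0/1."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    frames = [
        # (ingress port, source MAC, destination MAC)
        ("Fa0/1", "aaaa.aaaa.aaaa", "cccc.cccc.cccc"),  # cccc unknown     -> flood
        ("Fa0/2", "cccc.cccc.cccc", "aaaa.aaaa.aaaa"),  # aaaa is on Fa0/1 -> forward
        ("Fa0/3", "dddd.dddd.dddd", BROADCAST_MAC),     # broadcast        -> all but Fa0/3
        ("Fa0/1", "bbbb.bbbb.bbbb", "aaaa.aaaa.aaaa"),  # both on Fa0/1    -> filter
    ]
    results = [sw.receive(*frame) for frame in frames]
    return results, dict(sw.mac_table)
```

Note the order inside receive(): the source is learned before the destination is looked up, so the reply from cccc.cccc.cccc is forwarded rather than flooded even though cccc was unknown one frame earlier. Real switches also age dynamic entries out of the table, which this toy does not model.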

Now that we've looked at how the MAC table is built, let's take a look at the different names this table is called:
CAM table (short for Content Addressable Memory)
bridging table
switching table
MAC table

Anytime you see those terms, they're referring to the MAC address table. Four names for the same thing? Welcome to networking! ;)

Once the switch decides whether to forward, filter, or flood the frame, there's one more decision to be made - what processing method will be used to handle this forwarding? The processing options are:
store-and-forward
cut-through
fragment-free

This continual generation of new broadcasts is called a broadcast storm, and this is one storm that can sink your switch for good. A broadcast storm can overwhelm a switch's memory and CPU capabilities, rendering the switch virtually useless.

To illustrate how Virtual LANs can help limit broadcast propagation, we'll assign an IP address to each one of our hosts and then take a look at the default Cisco switch settings for VLANs. The circle(s) will continue to illustrate the broadcast domain(s). The numbers on the switch indicate the switch port that's connected to that host.

It's vital to remember that no traffic - pings or data packets - can be sent from one VLAN to another without the intervention of a Layer 3 device, most likely a router.

The first time you hear the term "campus network" or "campus LAN", the word "campus" may suggest a university or a school of some kind. While such a school may well have a campus LAN, that term is used to describe any network that connects multiple buildings that are physically close to each other. The Cisco switching model consists of three layers:
Access
Distribution
Core

Cisco switches use the Spanning Tree Protocol (STP) to prevent switching loops, and luckily, STP is enabled by default. You'll learn much more about STP in your CCNA studies, but you need to know its basics now. STP will determine a loop-free path for frames, and ports that are not on that path will be placed into blocking mode.

The first one is about as basic as it gets. Lock up your switches - preferably more than once! No casual passerby should even know your switches exist, much less be able to yank a cable out just for the fun of it. Many server rooms have passcard systems or at least a locked door, but occasionally I still see a server room that's relying on the kindness of strangers. Don't do that!


Unused VLANs - An Often Overlooked Security Feature

We spoke about VLANs at length earlier in this section, but you can also use an unused VLAN as a security feature. Cisco switch ports on many models have some undesirable defaults:
They're open, where router interfaces are shut by default
They're actively attempting to trunk, meaning they are available for connection to another switch
All ports are in VLAN 1, and everyone knows that

These are not desirable defaults when it comes to unused ports on a switch. From top to bottom, here's how we can change those defaults to increase switch security:
Close unused ports with the shutdown command
Prevent the port from trunking with the switchport mode access command
Place the port into an unused VLAN

As usual, the switch will first inspect the source MAC address of an incoming frame. If the incoming source MAC address is considered secure, the user will be able to access the network. If the source MAC is considered non-secure, the port will take one of several actions - more on that in a moment. The source MAC address of the incoming frame really acts as a password.

aging allows you to set aging options for secure MAC addresses.
mac-address allows you to specify secure MAC addresses.
maximum allows you to specify how many secure MAC addresses there will be. The default is one.

violation allows you to specify what should happen if a non-secure source MAC address is received on the port. Those options are:

SW2(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

The default mode is shutdown. In this mode the switch shuts the port down, writes a message to the log indicating the action taken, and drops the violating frames. The interface status becomes err-disabled (short for error-disabled), meaning it must be manually reopened.
restrict drops the violating frames and writes a message to the log indicating an issue, but does not shut the port down.
protect simply drops the violating frames, with no log message at all.


To configure the port to shut down if a frame is received with any source MAC address other than bbbb.bbbb.bbbb, we'd use the following config (the violation mode is left at its default of shutdown):

SW2(config)#int fast 0/3
SW2(config-if)#switchport mode access
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security mac-address bbbb.bbbb.bbbb

There's always a chance that you don't know the source MAC address that should act as the secure address. If you configure the port with sticky port security (don't blame me, I didn't name it!), the first source MAC address learned on the port will be the secure address, and all others will be non-secure unless you use the maximum option to change that.

SW2(config-if)#switchport port-security mac-address sticky

The command show port-security interface fast0/3 verifies that port security is running, the port status, violation mode, the number of secure MAC addresses, and even the last source address of the last frame received!

SW2#show port-security int fast 0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 00d0.58ad.4d51
Security Violation Count   : 0

That sticky MAC address will also appear in the config.

interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00d0.58ad.4d51

To illustrate what happens when a nonsecure address hits that port, I've disconnected the host with the learned secure sticky address and replaced it with another host. What's the result?

SW2#show int fast 0/3
FastEthernet0/3 is down, line protocol is down (err-disabled)


An err-disabled port! When you see err-disabled next to the line protocol message, that means that an error of some kind has shut that port down. In this case, that's the result of a nonsecure MAC address hitting a port that had already learned another address as secure.

A couple of important points regarding err-disabled ports:


The port LED will go dark
The port must be manually reopened with the no shutdown command

The reason for the port shutdown can be verified with show port-security interface. The port status is "Secure-shutdown", the violation mode is in the default of shutdown, and note that the last source address shown is not the one we saw earlier - that's the reason the port shut down.

SW2#show port-security int fast 0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0010.7b39.c5e9
Security Violation Count   : 1

If we want both this address and the previous one to be secure, we can change the port-security maximum value to 2 and then reopen the port.


SW2(config-if)#switchport port-security maximum 2
SW2(config)#int fast 0/3
SW2(config-if)#shutdown
SW2(config-if)#no shutdown
SW2(config-if)#^Z
SW2#
4d10h: %LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
4d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
4d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
4d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

Verify the interface is indeed back up with show interface:

SW2#show int fast 0/3
FastEthernet0/3 is up, line protocol is up (connected)

Verify the changes to the port security scheme:


SW2#show port-security int fast 0/3
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0010.7b39.c5e9
Security Violation Count   : 0
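The port-security walk-through above (the maximum and sticky options, the protect / restrict / shutdown violation modes, the err-disabled state and the shutdown / no shutdown recovery), as an added Python model; this is not part of the course and is not IOS code. The two MAC addresses are the ones shown in the course's show port-security output, and the single log line the model records is a constructed message, not IOS syslog text.

```python
# Added example (not from the course, not IOS code): a model of the port-security
# behaviour described above, covering maximum, sticky learning and the three
# violation modes. MAC addresses are the ones in the course's show output.
class PortSecurity:
    def __init__(self, maximum=1, violation="shutdown", sticky=False, static_macs=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static = {m.lower() for m in static_macs}  # 'port-security mac-address <mac>'
        self.learned = {}            # dynamically learned secure MAC -> learned as sticky?
        self.err_disabled = False
        self.violation_count = 0
        self.last_source = None
        self.log = []

    @property
    def secure(self):
        """Every address the port currently treats as secure."""
        return self.static | set(self.learned)

    def receive(self, src_mac):
        """Decide what the port does with a frame carrying this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped: port err-disabled"
        self.last_source = src_mac
        if src_mac in self.secure:
            return "accepted"
        if len(self.secure) < self.maximum:
            # Still room under 'maximum': the address becomes secure. A sticky
            # address is also written to the running config, so it survives a
            # link flap; a plain dynamic one does not.
            self.learned[src_mac] = self.sticky
            return "accepted: learned as secure"
        # The port is full and this source MAC is not secure: a violation.
        if self.violation == "protect":
            return "dropped"                          # silent: no log, no counter
        self.violation_count += 1
        self.log.append(f"security violation on port caused by {src_mac}")  # constructed
        if self.violation == "restrict":
            return "dropped: logged"
        self.err_disabled = True                      # shutdown mode: port goes err-disabled
        return "dropped: port err-disabled"

    def shut_no_shut(self):
        """Manual recovery with 'shutdown' then 'no shutdown'. Non-sticky learned
        addresses are lost when the link drops; sticky ones are kept."""
        self.learned = {mac: sticky for mac, sticky in self.learned.items() if sticky}
        self.err_disabled = False
        self.violation_count = 0


def walkthrough():
    """The course's sequence: sticky learn, violation, raise maximum to 2, recover."""
    port = PortSecurity(maximum=1, violation="shutdown", sticky=True)
    steps = [port.receive("00d0.58ad.4d51"),   # first host: learned as sticky secure
             port.receive("0010.7b39.c5e9"),   # new host: violation -> err-disabled
             port.receive("0010.7b39.c5e9")]   # port is down: nothing gets through
    port.maximum = 2                            # 'switchport port-security maximum 2'
    port.shut_no_shut()
    steps.append(port.receive("0010.7b39.c5e9"))  # now learned as the second secure MAC
    steps.append(port.receive("00d0.58ad.4d51"))  # original sticky address still secure
    return steps, sorted(port.secure), port.err_disabled


def compare_modes(offender="0010.7b39.c5e9"):
    """Same violation under each mode -> (result, violation count, err-disabled?)."""
    out = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = PortSecurity(maximum=1, violation=mode, static_macs=["bbbb.bbbb.bbbb"])
        out[mode] = (port.receive(offender), port.violation_count, port.err_disabled)
    return out
```

compare_modes() makes the operational difference between the three modes concrete: protect leaves no trace, restrict keeps the port up but counts and logs the event, and shutdown takes the port down until someone intervenes. The sticky flag matters in the walk-through because the first address survives the shutdown / no shutdown; without sticky it would have to be learned again, and an attacker's host plugged in at that moment would become the secure address.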

Review: CCENT (ICND1) Topic 2: Binary Math and Subnetting


Binary Math and Subnetting

The Secret (Of Binary Success, That Is)
Decimal > Binary, Binary > Decimal
Subnetting Basics
Calculating Number of Valid Subnets
Prefix Notation
Calculating Number of Valid Hosts
Calculating Number of Valid IP Addresses in a Given Subnet
Calculating the Subnet Number of a Given IP Address
Meeting Stated Design Requirements

Class A: first octet 1 - 126, 8 network bits, 24 host bits, default mask 255.0.0.0
Class B: first octet 128 - 191, 16 network bits, 16 host bits, default mask 255.255.0.0
Class C: first octet 192 - 223, 24 network bits, 8 host bits, default mask 255.255.255.0

Determining The Number Of Valid Subnets


Number of subnets = 2 to the power of the number of subnet bits (2^n, where n is the number of subnet bits). Now here's the interesting part: You *may* need to subtract 2 from that result to get the correct answer.

You should subtract 2 from the result if:


You see the no ip subnet-zero command in the configuration. This command will appear near the top of the router configuration.
The routing protocol is classful, and that means RIPv1 or IGRP.

You should not subtract 2 from the result if:


The classless protocols RIPv2, EIGRP, or OSPF are in use.
The term "VLSM" for "Variable-Length Subnet Masking" is used.
The ip subnet-zero command appears in the configuration. This is the default setting, and you'll see it near the top of the router configuration:

username R1 password 0 CCNA
ip subnet-zero
no ip domain-lookup

Prefix Notation

Prefix notation is a quicker way of stating what the subnet mask of a network is. Note that the subnet mask consists of a number of consecutive 1s. Prefix notation is simply a slash followed by the number of 1s in the subnet mask. The subnet mask 255.255.255.0 is instead referred to as slash 24 when spoken, or /24 when written. This is the generally accepted way subnet masks are spoken and written about.

Review the rules for network, subnet, and host bits:


A. The rules for Class A, Class B, and Class C determine the network portion.
B. Compare the remaining bits of the default and actual mask. The portion where the Default Mask and Subnet Mask both have zeroes is the host bits portion of the address.
C. The remaining bits, where the Default Mask has zeroes but the Subnet Mask has ones, are the subnet bits. These are the bits that are being borrowed from the host bits.

Determining The Number Of Valid Hosts


To determine the number of valid hosts, a somewhat similar formula is used:

Valid Hosts On A Subnet = (2 to the power of the number of host bits) - 2


Thankfully, we always subtract the two when determining the number of valid hosts on a subnet.


Determining The Subnet Number Of A Given IP Address


Given an IP address and subnet mask, determining the subnet it resides on is accomplished by performing a Boolean AND operation. First, the IP address and its subnet mask will be converted to binary. The Boolean AND is simply a bit-by-bit comparison of the address and the subnet mask. If both bits are 1, the result of the Boolean AND is 1. If a 0 is set for that bit on either the subnet mask or IP address, or both, the result of the AND is a 0.

Determining The Range Of Valid Host Addresses On A Subnet

To determine the range of valid host addresses on a subnet, first determine how many overall host addresses are on that subnet. The first address in the range is the network number and is not a valid host address; the final address in the range is the broadcast address for that subnet and is not a valid host address. All addresses between the two are valid host addresses.

Meeting Stated Design Requirements

Consider this question:


Your network uses Class B network 165.10.0.0. You need at least 150 subnets that have no more than 200 hosts apiece. Which of the following subnet masks should you use? Remember the formulas for determining the number of subnets, or the number of valid hosts per subnet:
Number of subnets = 2 to the nth power, where n equals the number of subnet bits.
Number of valid hosts on a subnet = (2 to the nth power) - 2, where n equals the number of host bits.

Watch Out For Overlapping Networks!

You could see something like this on your exam, but this word of advice is valuable for your real-world experiences - when you're building on someone else's subnetting scheme, watch out for overlapping networks. By overlapping networks, I mean two subnets in the same network that are "overlapping" and therefore using a few of the same IP addresses. This is particularly true when you're left with a few address blocks from a subnetting scheme that you didn't create. Let's use the following network for an example.

50-host network (10.1.1.64 /26) address range: 10.1.1.65 - 10.1.1.126
Range for 10.1.1.0 /25 network: 10.1.1.1 - 10.1.1.126 - Overlaps With Preexisting Subnet!
Range for 10.1.1.128 /25 network: 10.1.1.129 - 10.1.1.254 - Does Not Overlap With The 50-host network.
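The subnetting arithmetic from this section (number of subnets with and without subnet-zero, valid hosts, the Boolean AND for the subnet number, the valid host range, the Class B design question, and the overlap check), as an added Python example; this is not from the course. Masks are handled as 32-bit integers so the AND is literal, and the standard library's ipaddress module is used only to cross-check the overlap test. Two readings are assumed: the design question is evaluated as "at least 150 subnets, each able to hold 200 hosts", and the 50-host network from the overlap slide is taken to be 10.1.1.64 /26, the only /26 that contains 10.1.1.65 - 10.1.1.126.

```python
# Added example (not from the course): the section's subnetting formulas as code.
# Addresses and masks are 32-bit integers so the Boolean AND is the real thing.
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad dotted-decimal address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/24 -> 0xFFFFFF00: a run of `prefix` ones followed by zeros."""
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(dotted_mask):
    """255.255.255.0 -> 24; rejects masks whose ones are not contiguous."""
    mask = to_int(dotted_mask)
    prefix = bin(mask).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"mask bits are not contiguous: {dotted_mask}")
    return prefix


def default_prefix(address):
    """Classful network bits from the first octet (Class A/B/C only)."""
    first = to_int(address) >> 24
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError(f"{address} is not a Class A, B or C address")


def subnet_count(address, prefix, subnet_zero=True):
    """2^(subnet bits); minus 2 when subnet-zero is off or the protocol is classful."""
    subnet_bits = prefix - default_prefix(address)
    if subnet_bits <= 0:
        return 1
    total = 2 ** subnet_bits
    return total if subnet_zero else max(total - 2, 0)


def host_count(prefix):
    """2^(host bits) - 2: the network and broadcast addresses are never hosts."""
    return 2 ** (32 - prefix) - 2


def subnet_of(address, prefix):
    """Network number: Boolean AND of the address and its mask."""
    return to_dotted(to_int(address) & prefix_to_mask(prefix))


def host_range(address, prefix):
    """(first valid host, last valid host, broadcast) for the address's subnet."""
    mask = prefix_to_mask(prefix)
    network = to_int(address) & mask
    broadcast = network | (~mask & ALL_ONES)
    return to_dotted(network + 1), to_dotted(broadcast - 1), to_dotted(broadcast)


def masks_meeting(address, min_subnets, min_hosts, subnet_zero=True):
    """Dotted masks giving at least min_subnets subnets AND min_hosts hosts each."""
    start = default_prefix(address)
    return [to_dotted(prefix_to_mask(p)) for p in range(start + 1, 31)
            if subnet_count(address, p, subnet_zero) >= min_subnets
            and host_count(p) >= min_hosts]


def overlaps(net_a, prefix_a, net_b, prefix_b):
    """True when the two subnets share any address: their integer ranges intersect."""
    lo_a = to_int(net_a) & prefix_to_mask(prefix_a)
    hi_a = lo_a | (~prefix_to_mask(prefix_a) & ALL_ONES)
    lo_b = to_int(net_b) & prefix_to_mask(prefix_b)
    hi_b = lo_b | (~prefix_to_mask(prefix_b) & ALL_ONES)
    return lo_a <= hi_b and lo_b <= hi_a


def overlaps_stdlib(net_a, prefix_a, net_b, prefix_b):
    """Same question answered by the standard library, as a cross-check."""
    a = ipaddress.ip_network(f"{subnet_of(net_a, prefix_a)}/{prefix_a}")
    b = ipaddress.ip_network(f"{subnet_of(net_b, prefix_b)}/{prefix_b}")
    return a.overlaps(b)
```

For the Class B question, masks_meeting("165.10.0.0", 150, 200) leaves exactly one answer, 255.255.255.0: seven subnet bits give only 128 subnets, and nine leave only 126 hosts. The subnet_zero switch reproduces the "subtract 2" rule from the slides, and mask_to_prefix refuses a mask such as 255.0.255.0, which is worth checking whenever a mask comes from user input.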

Video 1 Advanced Switching


Switching II
STP Root Bridges, Root Ports, and Designated Ports
STP Timers and Port States
Portfast
VLANs and Trunking
Access and Trunk Port Comparison
VTP
Router on a Stick
RSTP and PVST
Etherchannels

The Spanning Tree Protocol (STP), defined by IEEE 802.1D, prevents switching loops from occurring by placing ports along the most desirable path into forwarding mode, while ports along less-desirable paths are placed into blocking mode. Once STP converges, every port on these paths is in either forwarding or blocking mode, making only one path available between any two destinations, and a switching loop cannot occur.

Note: You're going to hear about routing loops later in your studies, if you haven't already. STP has nothing to do with routing loops. STP is strictly a Layer 2 protocol and is used to prevent switching loops. If a problem arises with the available path, STP will run the spanning-tree algorithm to recalculate the available paths and determine the best path. Ports along the new best path will be brought out of blocking mode and into forwarding mode, while ports along less-desirable paths are placed into blocking mode. Again, only one path will be available.


The Root Bridge Election


STP must first determine a root bridge for every Virtual LAN (VLAN). When people are born, they act like they are the center of the universe. In a similar fashion, when a switch is first powered on, it believes it is the root bridge for every single VLAN on your network. Since your network has multiple switches, and they all believe they are the root bridge for every VLAN, there must be an election process to determine the true root bridge for each VLAN.

The election process is carried out by the exchange of BPDUs (Bridge Protocol Data Units). Switches are continually sending BPDUs; hubs, repeaters, routers, servers, and other network devices do not send BPDUs.


The root bridge's Bridge ID (BID)

The BID is a combination of the bridge's priority and MAC address. At the beginning of the election process, every switch thinks it is the root, so this field will at first carry the sending switch's own BID. The bridge with the lowest BID will be the root bridge. The default priority value is 32768 for all switches; therefore, since the lowest BID wins, the switch with the lowest MAC address will become the root bridge unless the priority is changed.

Cost To Reach Root From This Bridge: STP considers the path with the lowest cost to be the best path. Every port is assigned a cost relative to its speed; the higher the speed, the lower the port cost.
BID Of The BPDU's Sender: This simply identifies which switch sent the BPDU.

When a switch receives a BPDU, the switch compares the root bridge BID contained in the BPDU against its own BID.
If the incoming root bridge BID is lower than that of the switch receiving it, the switch starts announcing that device as the root bridge.
If the incoming BID is higher than that of the receiver, the receiver continues to announce itself as the root.
This process continues until every switch has agreed on the root bridge. (This may sound confusing, but we'll go through an illustrated example in just a moment.)

BLOCKING: Frames are not forwarded, but BPDUs are accepted.
LISTENING: Frames are not forwarded, and the MAC address table is not yet being built.
LEARNING: Frames are not forwarded. MAC addresses are being learned and the MAC address table is being built.
FORWARDING: Frames are forwarded, MAC addresses are still learned.

Note that even though we have a "learning" state, there are two states where the port is learning MAC addresses - learning and forwarding. There is a fifth STP state, disabled, and it's just what it sounds like. The port is actually disabled, and disabled ports cannot accept BPDUs.

We're going to take two looks at STP in action, the first with two switches and the second with three switches. In the first example, there are two separate crossover cables connecting the switches. It's important to note that once STP has converged, one port - and only one port - will be in blocking mode, with the other three in forwarding mode.

In the following network, there are three switches, fully meshed. When VLAN 10 comes online, all three switches will believe they are the root bridge for VLAN 10.


For clarity's sake, each switch's MAC address is the switch's letter repeated 12 times. The switch priorities have been left at their defaults, resulting in the BIDs shown below.
Switch      MAC Address       Default Priority    Bridge ID (BID)
Switch A    aaaa.aaaa.aaaa    32768               32768:aaaa.aaaa.aaaa
Switch B    bbbb.bbbb.bbbb    32768               32768:bbbb.bbbb.bbbb
Switch C    cccc.cccc.cccc    32768               32768:cccc.cccc.cccc

At this point, only the root switch actually originates BPDUs. The other switches receive them, read them, update the port costs, and then forward them - but nonroot switches do not originate BPDUs. The switching network is now in a state of convergence - all switches are in agreement on the various STP port states, and all ports are in either Forwarding or Blocking mode.

Here are some common port speeds and their associated STP port costs:
10 Mbps: 100
100 Mbps: 19
1 Gbps (also expressed as 1000 Mbps): 4
10 Gbps: 2

The root bridge will transmit a BPDU with the Root Path Cost set to zero. When a neighboring switch receives this BPDU, that switch adds the cost of the port the BPDU was received on to the incoming Root Path Cost. Root Path Cost increments as BPDUs are received, not sent. That new root path cost value will be reflected in the BPDU that switch then sends out.
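The election and root-path-cost rules above, as an added Python example that is not part of the course and is not Cisco code: BIDs are compared as (priority, MAC) tuples, root path cost is accumulated on the receiving port, and from that the port roles for the three-switch mesh in the BID table earlier are derived. All three links are assumed to run at 100 Mbps (cost 19), since the course does not give their speeds; the switch names and MAC addresses are the ones in the table.

```python
# Added example (not from the course, not IOS code): root bridge election, root
# path cost and port roles for the three-switch mesh. Link speeds are assumed.
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> 802.1D cost, from the course


def bridge_id(priority, mac):
    """BID as a comparable tuple: priority first, MAC as the tiebreaker; lowest wins."""
    return (priority, mac.lower())


def elect_root(bids):
    """bids: {switch name: BID}. Every switch starts out claiming to be root; after
    the BPDU exchange the one with the lowest BID is the only claim left standing."""
    return min(bids, key=lambda sw: bids[sw])


def root_path_costs(root, links, bids):
    """Lowest cost from each switch to the root and the neighbour it is reached
    through (its root port). Cost is added on the RECEIVING port, as in STP.
    links: list of (switch_a, switch_b, speed_mbps)."""
    adj = {sw: [] for sw in bids}
    for a, b, speed in links:
        adj[a].append((b, PORT_COST[speed]))
        adj[b].append((a, PORT_COST[speed]))
    best = {root: (0, None)}                       # switch -> (cost, upstream neighbour)
    heap = [(0, bids[root], root)]
    while heap:
        cost, _, sw = heapq.heappop(heap)
        if cost > best[sw][0]:
            continue                               # stale entry
        for nbr, port_cost in adj[sw]:
            if nbr == root:
                continue
            candidate = (cost + port_cost, bids[sw])   # equal cost -> lower sender BID wins
            current = best.get(nbr)
            if current is None or candidate < (current[0], bids[current[1]]):
                best[nbr] = (candidate[0], sw)
                heapq.heappush(heap, (candidate[0], bids[sw], nbr))
    return best


def port_roles(links, bids):
    """Return (root switch, {(switch, neighbour): role}) for every link end."""
    root = elect_root(bids)
    best = root_path_costs(root, links, bids)
    roles = {}
    for a, b, _ in links:
        for me, other in ((a, b), (b, a)):
            if best[me][1] == other:
                roles[(me, other)] = "root"          # my path towards the root
            elif best[other][1] == me:
                roles[(me, other)] = "designated"   # I am the neighbour's path to the root
            else:
                # Neither end leads to the root: the end with the lower
                # (root path cost, BID) is designated, the other end blocks.
                mine = (best[me][0], bids[me])
                theirs = (best[other][0], bids[other])
                roles[(me, other)] = "designated" if mine < theirs else "blocking"
    return root, roles


def three_switch_mesh():
    """The course's fully meshed A/B/C example with default priorities."""
    bids = {
        "A": bridge_id(32768, "aaaa.aaaa.aaaa"),
        "B": bridge_id(32768, "bbbb.bbbb.bbbb"),
        "C": bridge_id(32768, "cccc.cccc.cccc"),
    }
    links = [("A", "B", 100), ("A", "C", 100), ("B", "C", 100)]  # speeds assumed
    return port_roles(links, bids)
```

With default priorities A wins on MAC address alone. B and C each reach the root at cost 19 over their direct link, so those are their root ports; on the B-C segment both ends have the same root path cost, B has the lower BID and becomes designated, and C's port toward B is the one port left in blocking. Lowering C's priority (for example to 4096) makes C the root regardless of MAC address, which is exactly why a production network should set the root's priority deliberately rather than let the lowest MAC decide.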

The STP Timers


Once these elections have taken place, the root bridge will begin sending a Hello BPDU out all its ports every two seconds. This Hello BPDU serves as the heartbeat of STP, since as long as the nonroot bridges receive it, they know the path to the root is unchanged and stable. Once that heartbeat disappears, it's an indication of a failure somewhere along the path. STP will run the spanning-tree algorithm to determine the best available path, and ports will be brought out of blocking mode as needed to build this path.

The Hello BPDUs carry values for three timers that are used by all bridges in identifying situations when the STP algorithm needs to be run again:
Hello Time: Time between Hello BPDUs. Default: 2 seconds.
Max Age: The bridge should wait this amount of time after not hearing a Hello BPDU before attempting to change the STP topology. Default: 20 seconds.
Forward Delay: The amount of time a port should stay in the listening and learning stages as it changes from blocking to forwarding mode. Default: 15 seconds.

The STP Interface States


When a port goes from blocking state to forwarding state, it does not do so instantly. If it did, loops could result. STP has interfaces go through two intermediate states between blocking and forwarding -- listening and learning. A port coming out of blocking state first goes into listening state. The port is listening for Hello BPDUs from other possible root switches. The port will listen for the value of the Forward Delay timer, 15 seconds by default.

The port will then go into learning state. This state has the port learn the new location of MAC addresses, but will not allow forwarding of them, since there is a good possibility other switches are currently converging and loops could develop if MAC addresses were learned from other switches during convergence. Learning state also lasts the duration of the ForwardDelay timer.

To review the order and timers involved:


Port comes out of blocking state, goes into listening state for 15 seconds
Port transitions from listening to learning, stays in learning state for 15 seconds
Port transitions from learning to forwarding

So What Happens If I Turn STP Off?


A lot of bad things. The most obvious is that you're going to have switching loops form very quickly, which in turn will lead to broadcast storms. A broadcast storm occurs when one broadcast is answered with multiple broadcasts, which in turn generate even more broadcasts. It's a really ugly situation, and there really is no good reason to turn STP off.

Consider the amount of time a port ordinarily takes to go from blocking to forwarding when it stops receiving Hello BPDUs:
Port stays in blocking mode for 20 seconds before beginning the transition to listening (as defined by the MaxAge value) Port stays in listening mode for 15 seconds before beginning the transition to learning (as defined by the Forward Delay value) Port stays in learning mode for 15 seconds before transitioning to forwarding mode (also as defined by Forward Delay)


That's 50 seconds, or what seems like 50 hours in networking terms. :) The listening and learning stages are there for a reason, the primary one being loop prevention during convergence. In certain circumstances, we can avoid these delays with Portfast.

Portfast allows a port to bypass the listening and learning stages of this process, but is only appropriate to use on switch ports that connect directly to an end-user device, such as a PC. Using portfast on a port leading to another networking device can lead to switching loops. That threat is so serious that Cisco even warns you about it on the router when you configure Portfast.

Virtual LANs (VLANs)


We went over basic VLAN concepts in the Basic Switching section, and I'm going to repeat that information here since it relates closely to the information following this section - namely, trunking and VLAN Trunking Protocol (VTP). There is some new material in the following that's pertinent to the CCNA exam, so read carefully - this is not just the same VLAN information from earlier in the course.

Before we take a look at how Virtual LANs can help us limit broadcasts, I want to reiterate that broadcasts are not evil, and they can't be eliminated. The more you learn about networking, the more you realize that broadcasts are actually quite helpful and have some very important roles in our network. What we want to do is limit broadcasts, particularly the sending of broadcasts to hosts that do not need them.

It's vital to remember that no traffic - pings or data packets - can be sent from one VLAN to another without the intervention of a Layer 3 device, most likely a router. Notice I said "most likely". We really have two options here:
Using a technique called "router on a stick"
Using a Layer 3 switch

You're not going to be asked questions about L3 switches in your CCNA exam, but as a CCNA you should certainly know they exist. An L3 switch is a switch that can actually run routing protocols as well. You can switch on some ports and configure other ports as routing ports!

VLANs have uses beyond limiting broadcasts. One common usage is to use VLANs to group users by their job function or department. Let's say you have three hosts each in your Accounting and Security departments, and two in Maintenance. Without VLANs, they're in one big group, sharing the same address space. (For clarity, I've left out the cabling. Straight-through cables, that is!)

VLANs and the MAC Address Table


In the first Switching section in this course, you learned - everyone repeat after me - the switch examines the source MAC address of incoming frames before looking at anything else. That's how the switch builds its MAC table.

Trunking
Trunking is the process of allowing VLAN traffic to flow between physically connected switches. So that the receiving switch knows which VLAN a frame belongs to (its destination VLAN), the transmitting switch places a tag on the frame indicating that VLAN ("frame tagging").

Inter-Switch Link (ISL) is the Cisco-proprietary trunking protocol. Obviously, it can only be used between two Cisco switches. The entire frame is encapsulated before transmission across the trunk. IEEE 802.1Q, generally known as "dot1q", is the industry-standard trunking protocol. If a non-Cisco switch is involved in the trunk, this is the trunking protocol to use. Dot1q does not encapsulate the entire frame. Instead, a 4-byte header is added to the Ethernet header, indicating the VLAN to which the frame belongs.

The key difference between the two is the way they handle - or do not handle - the native vlan. By default, the native vlan is VLAN 1. The native vlan is the default vlan. When dot1q is ready to transmit a frame destined for the native vlan over the trunk, the protocol will not put that 4-byte header onto the frame. Instead, the frame is transmitted as-is. This helps to cut down even more on overhead.

To sum it up:
ISL is the Cisco-proprietary trunking protocol. ISL encapsulates every frame before it crosses the trunk, and doesn't recognize the native VLAN concept.
Dot1q is the industry standard, places only a 4-byte header onto a frame, and won't even do that if the frame is destined for the native VLAN.
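To make the "4-byte header" and the untagged native VLAN concrete, here is an added example (my code, not part of the course material) that builds and classifies dot1q frames. The tag format (TPID 0x8100 followed by the 16-bit TCI, inserted after the source MAC) is the 802.1Q standard; the sample frame bytes and MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
NATIVE_VLAN = 1       # the default native VLAN described above


def tag_frame(frame, vlan_id, native_vlan=NATIVE_VLAN, pcp=0):
    """Prepare an Ethernet frame for a dot1q trunk.

    The 4-byte tag (TPID + TCI) is inserted between the source MAC and the
    EtherType.  Frames that belong to the native VLAN are sent untagged,
    exactly as the text describes.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if len(frame) < 14:
        raise ValueError("not an Ethernet frame")
    if vlan_id == native_vlan:
        return frame
    tci = (pcp << 13) | vlan_id            # priority in the top 3 bits, DEI = 0
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def classify_frame(frame, native_vlan=NATIVE_VLAN):
    """Return (vlan_id, ethertype, payload) for a frame received on a trunk.

    Untagged frames are assigned to the native VLAN, which is why the native
    VLAN must be configured identically on both ends of the trunk.
    """
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, frame[18:]
    return native_vlan, ethertype, frame[14:]


# Constructed sample: broadcast destination, made-up source MAC, EtherType IPv4,
# followed by four placeholder payload bytes.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff")       # destination MAC
                + bytes.fromhex("0011223344aa")     # source MAC (constructed)
                + bytes.fromhex("0800")             # EtherType: IPv4
                + bytes.fromhex("45000014"))        # placeholder payload

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, 10)
    print(len(tagged) - len(SAMPLE_FRAME), "bytes of tag added")
    print("VLAN", classify_frame(tagged)[0])
    print("native VLAN left untagged:", tag_frame(SAMPLE_FRAME, NATIVE_VLAN) == SAMPLE_FRAME)
```

Because untagged frames land in the native VLAN on the receiving side, a native VLAN mismatch between the two trunk ends silently moves traffic between VLANs; keeping the native VLAN identical on both ends (and unused for hosts) is the usual precaution.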

According to IOS Help, we actually have five options for a port's trunking mode:
on
off
auto
desirable
nonegotiate

On means that the switchport is unconditionally trunking, whether the other end of the trunk likes it or not. Off means that the port will not trunk with the remote partner under any circumstances. This mode is the result of making a port an access port. Desirable means that the port will actively attempt to trunk. If the remote port is in on, desirable, or auto mode, a trunk will result.

Auto means the port will trunk, but the other side must initiate trunking. If the remote port is desirable or on mode, a trunk will result. If both sides are in auto trunking mode, no trunk will result. Finally, nonegotiate means that the local port will go into permanent trunking mode, but Dynamic Trunking Protocol (DTP) frames are not sent across the trunk.
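The rules in the last two paragraphs are easy to misremember, so here is an added example (my code, not from the course) that encodes them and classifies every mode pairing as a trunk, an access link, or a one-sided mismatch. One inference is mine and is labelled as such in the code: because a nonegotiate port sends no DTP frames, a desirable or auto port facing it never hears a negotiation and stays in access mode.

```python
TRUNK_MODES = ("on", "off", "auto", "desirable", "nonegotiate")


def port_trunks(local, remote):
    """Does the *local* port end up trunking, given its mode and the remote mode?

    Rules as stated in the text: on and nonegotiate trunk unconditionally,
    off never trunks, desirable trunks when the far end is on/desirable/auto,
    auto trunks only when the far end is on or desirable.  A nonegotiate port
    sends no DTP frames, so a desirable or auto far end never hears a
    negotiation and stays put (inferred from the text; an assumption here).
    """
    for mode in (local, remote):
        if mode not in TRUNK_MODES:
            raise ValueError(f"unknown trunk mode: {mode}")
    if local in ("on", "nonegotiate"):
        return True
    if local == "off":
        return False
    if local == "desirable":
        return remote in ("on", "desirable", "auto")
    # local == "auto"
    return remote in ("on", "desirable")


def link_state(local, remote):
    """Classify a link: 'trunk', 'access', or 'mismatch' (only one side trunking)."""
    a, b = port_trunks(local, remote), port_trunks(remote, local)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"


def mismatched_pairs():
    """Every mode combination that leaves one side trunking and the other not."""
    return sorted({tuple(sorted((a, b)))
                   for a in TRUNK_MODES for b in TRUNK_MODES
                   if link_state(a, b) == "mismatch"})


if __name__ == "__main__":
    for pair in mismatched_pairs():
        print("one-sided trunk:", pair)
```

A one-sided trunk is the case worth catching in a configuration review: one end sends tagged or encapsulated frames that the other end treats as plain access traffic.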

VLAN Trunking Protocol (VTP)


VTP allows switches to advertise VLAN information to other members of the same VTP domain, giving a consistent view of the switched network across all switches. When a VLAN is created on a VTP server, all other VTP devices in the domain are notified of that VLAN's existence. VTP servers will know about every VLAN -- even VLANs that have no members on that switch.

This information is shared between VTP devices in the form of summary advertisements. A VTP Server will send one of these advertisements every five minutes, and immediately upon a change in its VTP database. There are three separate VTP modes. Be sure you are very clear on all three before taking the CCNA exam.

In server mode, VLANs can be created, modified, and deleted. When these actions are taken, the changes are advertised to all switches in the VTP domain. VTP Servers can originate, forward, and process VTP summary ads. VTP Servers keep VLAN configuration information upon reboot by storing that information in non-volatile RAM (NVRAM).

In client mode, the switch cannot modify, create, or delete VLANs. VTP clients cannot retain VLAN configuration information upon reboot. VTP clients keep this information in their running configuration, but not in NVRAM. If a VTP client is reloaded, it must obtain this information from a VTP server when it comes back up. VTP clients can accept and process summary advertisements.

The third VTP mode is a specialty VTP mode, transparent mode. You don't see it very often, but you still see it on occasion. Take special note of the differences between transparent mode and the other two VTP modes.


Switches in transparent mode forward the VTP advertisements received from other switches, but they do not process the information contained in those ads. VLANs can be created, deleted, and modified on a switch in transparent mode, but those changes are not advertised to the other switches in the VTP domain - they are locally significant only. Transparent VTP switches keep their VLAN information in NVRAM, just as VTP Servers do.


There are two VTP basics we have to be aware of for VLAN information to be correctly exchanged.
1. The VTP domain name must match. This is case-sensitive: "CISCO" and "cisco" are two different domains. The VTP domain is set with the vtp domain command. When you see the domain name changed from NULL to a new name, NULL indicates that there was no previous domain name.

2. To distribute information about a newly-created VLAN, the switch upon which that VLAN is created must be in Server mode. You can't have a VTP domain with only VTP clients.


VTP Configuration Revision Numbers

Most VTP deployments are going to have two or more VTP servers, so when one VTP server sends a summary advertisement, how does the receiving VTP server know if that ad has the latest and greatest information?


Every VTP summary advertisement carries a configuration revision number. A VTP server increments its revision number by one each time it updates its own VTP database, and places that number into the outgoing summary advertisement. If the receiving switch's own VTP configuration revision number is lower than that of the incoming advertisement, the incoming ad's information is considered to be more recent and is accepted.

If the receiving switch's revision number is higher than that of the incoming advertisement, the incoming advertisement is considered out-of-date and is therefore ignored.


If you want to authenticate VTP updates, you can do so with the vtp password command. This password is case-sensitive and needs to be set on every VTP switch in the domain.
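The three VTP modes, the revision-number comparison and the domain/password checks from the last few slides are small enough to model end to end. The following is an added example (my code, not course material); it is a simulation of the decision logic, not the VTP packet format, and the digest it computes over the password is a simplified stand-in for the real MD5 digest that VTP carries.

```python
import hashlib

RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}   # always present on every switch


class VtpSwitch:
    """Minimal model of VTP server / client / transparent behaviour.

    The real protocol carries an MD5 digest computed over the password and the
    VLAN database; a simplified digest over password + revision stands in for
    it here (assumption, for illustration only).
    """

    def __init__(self, name, domain, mode="server", password=""):
        if mode not in ("server", "client", "transparent"):
            raise ValueError("mode must be server, client or transparent")
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = 0
        self.vlans = set(RESERVED_VLANS)

    def _digest(self, revision):
        return hashlib.md5(f"{self.password}:{revision}".encode()).hexdigest()

    def add_vlan(self, vlan_id):
        """Create a VLAN locally. Servers advertise it; transparent switches keep it local."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP clients cannot create VLANs")
        self.vlans.add(vlan_id)
        if self.mode == "transparent":
            return None                              # locally significant only
        self.revision += 1                           # database changed: bump revision
        return self.summary_advertisement()

    def summary_advertisement(self):
        return {"domain": self.domain, "revision": self.revision,
                "vlans": frozenset(self.vlans), "digest": self._digest(self.revision)}

    def receive(self, ad):
        """Return what the switch did with the advertisement: accepted, ignored or forwarded."""
        if self.mode == "transparent":
            return "forwarded"                       # relayed, never processed
        if ad["domain"] != self.domain:              # case-sensitive comparison
            return "ignored"
        if ad["digest"] != self._digest(ad["revision"]):
            return "ignored"                         # vtp password mismatch
        if ad["revision"] <= self.revision:
            return "ignored"                         # same or older database
        self.vlans = set(ad["vlans"])
        self.revision = ad["revision"]
        return "accepted"


if __name__ == "__main__":
    server, client = VtpSwitch("SW1", "CISCO", "server", "s3cret"), VtpSwitch("SW2", "CISCO", "client", "s3cret")
    print(client.receive(server.add_vlan(10)), sorted(client.vlans))
```

The comparison rule has a consequence a defender should keep in mind: any switch whose revision number is higher than the domain's, and whose domain name and password match, has its database accepted by every server and client, even if that database is stale. Setting the password, and checking a switch's revision number before connecting it to a production domain, is the mitigation.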


VTP Pruning
Trunk ports belong to all VLANs, which leads to an issue involving broadcasts and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the remote switch actually has ports in that VLAN! In the following example, VTP allows both switches to know about VLANs 2 - 19, even though neither switch has ports in all those VLANs. Since a trunk port belongs to every VLAN, they both forward broadcasts and multicasts for all those VLANs. Both switches are transmitting and receiving broadcasts and multicasts that they do not need, since the only VLANs they have in common are VLANs 10 and 11.

Configuring VTP Pruning allows the switches to send broadcasts and multicasts to a remote switch only if the remote switch actually has ports that belong to that VLAN. This simple configuration will prevent a great deal of unnecessary traffic from crossing the trunk. The command vtp pruning enables pruning for all VLANs in the VTP domain. All VLANs from 2 - 1001 are eligible to be pruned. The reserved VLANs you see in show vlan brief - VLANs 1 and 1002 - 1005 cannot be pruned. You cannot enable pruning on a VTP client.

"Router On A Stick"
We have two options for configuring inter-VLAN communication:
Using an L3 switch
Configuring "router on a stick" (ROAS)


L3 switches are becoming more and more prevalent in today's networks, and as a CCNA you should know that an L3 switch doesn't require an outside device to allow inter-VLAN communication. You're very likely to see ROAS configs on your CCNA exam, though, and let's face it - we can't just tear out a client's L2 switch and replace it with an L3 switch just because we want to!

Right away, we've got a few important details to take note of:
As expected, the switch ports connected to the hosts are access ports.
The switch port connected to the router must be trunking, and the trunking protocol (ISL or dot1q) must be the same as that used by the router.
The router must use a Fast Ethernet port for ROAS. A regular Ethernet port will not suffice. (Gigabit Ethernet, or 1000 Mbps Ethernet, is great, too, but you probably won't have a spare Gig Ethernet port.)

Let's move up to the router and begin the configuration. The next important detail is that the Fast Ethernet port on the router will be using subinterfaces, and we'll use two commands on each subinterface:
the encapsulation command, matching the encap type set on the connecting switch's trunk port
an appropriate IP address for the VLAN indicated by the encapsulation command

The Router:
The port must be a Fast Ethernet port. An Ethernet port won't do the job. You can create Ethernet subinterfaces, but the encapsulation command will not be recognized:

R3(config)#interface e0.12
R3(config-subif)#encapsulation ?
% Unrecognized command

Subinterfaces must be configured on the FE port.

The trunking protocol configured on the router's subinterfaces must match that of the trunk port connected to that router.


The IP address configured on a subinterface must be part of the subnet used by the VLAN indicated in the encapsulation command. For example, the following config requires an IP address from VLAN 2's address space, since the encapsulation command is configured with a VLAN ID tag of 2.

R1(config)#int fast 0/0.2
R1(config-subif)#encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
  isl    Inter Switch Link - Virtual LAN encapsulation
R1(config-subif)#encapsulation isl ?
  <1-1000>  Virtual LAN Identifier.
R1(config-subif)#ip address 172.12.2.1 255.255.255.0

The Switch:
The switch port connected to the router must be trunking. The trunking protocol in use (ISL or dot1q) must match the one in use on the router's subinterfaces. Naturally, the ports leading to the hosts must be access ports.

The Hosts:
Each host should have its default gateway set to the IP address on the router subinterface that is part of that VLAN's address space.


ROAS FSC
(Frequently Screwed-Up Configurations)
I think you'll agree with me that the ROAS config is very straightforward, but it is commonly misconfigured. Since there's not much to configure in the first place, the misconfiguration is pretty easy to spot! Since we perform most of the ROAS config on the router, we tend to concentrate on the router config when we have a problem. What we have to keep in mind with ROAS troubleshooting is that the problem might not be on the router - it might be on the hosts, or even the switch!

R1 Config:
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation isl 2
 ip address 172.12.4.1 255.255.255.0
 no ip redirects
 no snmp trap link-status
!
interface FastEthernet0/0.4
 encapsulation isl 4
 ip address 172.12.2.1 255.255.255.0
 no ip redirects
 no snmp trap link-status

ROAS troubleshooting can be a little tricky without a structured approach, so I suggest the approach I've always used:
Always check the default gateway settings on the hosts first.
Make sure the port leading to the router is trunking.
On the router, make sure the IP address assigned to each subinterface is from the subnet assigned to the VLAN that's assigned to that subinterface.

Follow those three tips and you'll configure and troubleshoot ROAS successfully every time!
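The third tip is the one that the R1 config above violates (the VLAN 2 subinterface carries a 172.12.4.x address and vice versa), and it is mechanical enough to check with a script. This added example is my code, not part of the course: it parses the R1 config quoted above and compares each subinterface against a VLAN-to-subnet table and the switch's trunk encapsulation. The VLAN-to-subnet mapping is an assumption constructed to match the addressing the text describes.

```python
import ipaddress
import re

# Constructed assumption: which subnet each VLAN is supposed to use.
VLAN_SUBNETS = {
    2: ipaddress.ip_network("172.12.2.0/24"),
    4: ipaddress.ip_network("172.12.4.0/24"),
}

# The R1 config quoted above, used as the parser's input.
R1_CONFIG = """\
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation isl 2
 ip address 172.12.4.1 255.255.255.0
 no ip redirects
!
interface FastEthernet0/0.4
 encapsulation isl 4
 ip address 172.12.2.1 255.255.255.0
 no ip redirects
"""


def parse_subinterfaces(config):
    """Collect encapsulation type, VLAN ID and IP interface per (sub)interface."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            interfaces[current] = {}
        elif current and (m := re.match(r"encapsulation (dot1q|isl) (\d+)$", line, re.I)):
            interfaces[current]["encap"] = m.group(1).lower()
            interfaces[current]["vlan"] = int(m.group(2))
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            interfaces[current]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces


def check_roas(config, vlan_subnets, switch_trunk_encap):
    """Return human-readable problems; an empty list means the router side is consistent."""
    problems = []
    for name, sub in parse_subinterfaces(config).items():
        if "vlan" not in sub:
            continue                                  # physical interface, nothing to check
        if sub["encap"] != switch_trunk_encap:
            problems.append(f"{name}: encapsulation {sub['encap']} but the switch trunk uses {switch_trunk_encap}")
        if "ip" not in sub:
            problems.append(f"{name}: no IP address configured")
            continue
        expected = vlan_subnets.get(sub["vlan"])
        if expected is None:
            problems.append(f"{name}: VLAN {sub['vlan']} has no known subnet")
        elif sub["ip"].network != expected:
            problems.append(f"{name}: {sub['ip']} is not in VLAN {sub['vlan']}'s subnet {expected}")
    return problems


if __name__ == "__main__":
    for problem in check_roas(R1_CONFIG, VLAN_SUBNETS, "isl"):
        print(problem)
```

Run against the config above it reports both swapped addresses; swap them back and it reports nothing. The same check with "dot1q" as the switch encapsulation flags every subinterface, which is the second tip in script form.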


Rapid Spanning Tree Protocol


So you understand STP, and you've got all those STP features down - and now here's another kind of STP! Specifically, it's RSTP, or Rapid Spanning Tree Protocol. RSTP is defined by IEEE 802.1w, and is considered an extension of IEEE 802.1d, the formal name of STP. Where does the "rapid" part come in? Isn't STP rapid enough?

Well ... not really. The 30-second delay caused by the listening and learning states during STP convergence was once considered an acceptable delay. Then again, a floppy disk used to be considered all the storage space anyone would ever need, and that theory didn't exactly stand the test of time!

The "rapid" in RSTP comes in with the new port states. The STP port states disabled, blocking, and listening are combined into the RSTP port state discarding, which is the initial RSTP port state. RSTP ports transition from the discarding state to the learning state, where incoming frames are still discarded. However, the MAC addresses are now being learned by the switch. Finally, an RSTP port will transition to the forwarding state, which is the same as the STP forwarding state.

Let's compare the transition states:
STP: disabled > blocking > listening > learning > forwarding
RSTP: discarding > learning > forwarding

There are other port types unique to RSTP. You know what a root port is, but RSTP also has edge ports and point-to-point ports. An edge port is just what it sounds like - a port on the edge of the network. In this case, it's a switch port that is connected to a single host, most likely an end user's PC. An edge port will operate just like an STP port that is running Portfast.

A point-to-point port is any port that is connected to another switch and is running in full-duplex mode.


Edge Ports And RSTP Topology Changes


Edge ports play a role in when RSTP considers a topology change to have taken place. Rather, I should say that they don't play a role, because RSTP considers a topology change to have taken place when a port moves into Forwarding mode - unless that port is an edge port. When an edge port moves into Forwarding mode, RSTP doesn't consider that a topology change, since only a single host will be connected to that particular port.

Another major difference between STP and RSTP is the way BPDUs are handled. With STP, only the root bridge is sending BPDUs every two seconds; the nonroot bridges simply forward, or relay, that BPDU when they receive it. RSTP-enabled switches generate a BPDU every two seconds, regardless of whether they have received a BPDU from the root switch or not. (The default value of hello time, the interval at which switches send BPDUs, is two seconds in both STP and RSTP.)

This change not only allows all switches in the network to have a role in detecting link failures, but discovery of link failures is faster. Why? Because every switch expects to see a BPDU from its neighbor every two seconds, and if three BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning that port. This cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.

When a switch running STP misses a BPDU, the MaxAge timer begins. This timer dictates how long the switch will retain the last BPDU before timing it out and beginning the STP recalculation process. By default, MaxAge is 20 seconds. When a switch running RSTP misses three BPDUs, it will immediately age out the superior BPDU's information and begin the STP recalculation process. Since the default hello time is 2 seconds for both STP and RSTP, it takes an RSTP-enabled switch only 6 seconds overall to determine that a link to a neighbor has failed.
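The 50-second figure from the earlier STP section and the 20-versus-6-second comparison here both follow from the same three timers, so one added example covers both (my code, not course material). The only subtlety it adds is that MaxAge and the RSTP "three missed hellos" are counted from the last BPDU actually received, not from the instant the link fails, which is why the delay observed after a failure is slightly shorter than the headline numbers. The hello arrival times are constructed for the example.

```python
HELLO_TIME = 2          # seconds; default in both STP and RSTP
MAX_AGE = 20            # STP: how long the last BPDU stays valid
FORWARD_DELAY = 15      # STP: length of listening and, separately, of learning
RSTP_MISSED_HELLOS = 3  # RSTP ages the neighbour out after three missed hellos


def hellos_before_failure(t_fail, hello=HELLO_TIME):
    """BPDUs arrive at t = 0, hello, 2*hello, ... until the link fails at t_fail (constructed)."""
    if t_fail <= 0:
        raise ValueError("the link must be up for some time before it fails")
    times, t = [], 0
    while t < t_fail:
        times.append(t)
        t += hello
    return times


def stp_recovery(t_fail, hello=HELLO_TIME, max_age=MAX_AGE, forward_delay=FORWARD_DELAY):
    """Timeline (absolute seconds) for a blocked STP port taking over after a failure."""
    last = hellos_before_failure(t_fail, hello)[-1]
    detected = last + max_age              # MaxAge runs from the LAST BPDU, not from the failure
    listening_done = detected + forward_delay
    forwarding = listening_done + forward_delay
    return {"last_bpdu": last, "detected": detected,
            "listening_done": listening_done, "forwarding": forwarding}


def rstp_detection(t_fail, hello=HELLO_TIME, missed=RSTP_MISSED_HELLOS):
    """Absolute time at which an RSTP switch ages out the neighbour's information."""
    return hellos_before_failure(t_fail, hello)[-1] + hello * missed


def compare(t_fail):
    """Detection delay measured from the moment of failure, for both protocols."""
    return {"stp": stp_recovery(t_fail)["detected"] - t_fail,
            "rstp": rstp_detection(t_fail) - t_fail}


if __name__ == "__main__":
    print(stp_recovery(8))     # detected at 26 s, forwarding at 56 s
    print(compare(8))          # {'stp': 18, 'rstp': 4}
```

With a failure just after a hello (t_fail slightly above 6) the delays approach the page's 20 and 6 seconds; with a failure just before the next hello they are 2 seconds shorter. In every case the STP port still needs 30 more seconds of listening and learning after detection.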

Per-VLAN Spanning Tree


Per-VLAN Spanning Tree Plus (PVST+) is just what it sounds like - every VLAN has its own instance of STP running. PVST+ allows per-VLAN load balancing and is also Cisco-proprietary.


The "+" has been left off this acronym for so long that it's generally just referred to as "PVST" today. PVST is actually the version of STP that we've been running during the entire switching section of the course - Cisco Catalyst switches run PVST by default. You'll see many of the benefits of PVST in future studies, but just to mention one - we can load-balance on a per-VLAN basis by default. Let's take a quick look at when that might come in handy, using a two-switch example.

Etherchannels
An Etherchannel is the logical bundling of two to eight parallel Ethernet trunks. This bundling of trunks is also referred to as aggregation. This provides greater throughput, and is another effective way to avoid the 50-second wait between blocking and forwarding states in case of a link failure.

Spanning-Tree Protocol (STP) considers an Etherchannel to be one link. If one of the physical links making up the logical Etherchannel should fail, there is no STP reconfiguration, since STP doesn't know the physical link went down. STP sees only the Etherchannel, and a single link failure will not bring an Etherchannel down.

Video 2 PTP WAN Links, HDLC, PPP, and Frame Relay


PTP WAN Links, HDLC, PPP, and Frame Relay


HDLC vs. PPP
PPP Features
PAP and CHAP
Frame Relay Introduction
Frame Relay LMI Theory
Frame Relay Configs, DLCIs, Frame Maps, and Inverse ARP
Frame Subinterfaces and Split Horizon
Frame Relay LMI Show, Debug, and Lab
FECN, BECN, DE Bits
PVC Status Meanings

With a point-to-point WAN link, we've got two options for encapsulation: HDLC and PPP. (HDLC and PPP do not run on LANs, so you won't be configuring these on Ethernet interfaces.)


This particular version of the High-Level Data Link Control (HDLC) encapsulation is Cisco-proprietary, a fancy way of saying "only Cisco routers understand this encapsulation type". If a Cisco router at the end of a PTP link is running HDLC encapsulation, the remote partner in the link must be a Cisco router and must also be set to use HDLC. Cisco's version of HDLC uses a protocol type field that other vendors' routers do not understand.

PPP Features
Even though the default setting of a Cisco serial interface is to use HDLC encapsulation, you're generally going to change that encap type to PPP. PPP is supported by non-Cisco vendors where HDLC is not, so if you've got a multivendor environment, you must use PPP instead of HDLC.

PPP offers many features that HDLC does not, including the following:
Authentication through the use of the Password Authentication Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP)
Compression capabilities through the use of Stacker or Predictor
PPP Multilink, the ability to bundle multiple physical channels into a single logical channel

Support for error detection and error recovery features
Encapsulation for multiple routed protocols, including IP, Novell IPX, and AppleTalk
PPP Callback, a feature allowing a dial-in user to call in and authenticate, at which time the connection is terminated and the network calls the user back

To configure either PAP or CHAP, we need to do two things:


Create a local username / password database
Configure the interface with the appropriate commands

Creating a database sounds complicated, but it's quite easy. We'll use the username / password command to do so. Since you're going to be a CCNA soon, we'll use CCNA as the password; the router names themselves will be the usernames. To begin, we'll configure CHAP authentication on R1.

Why You Should Choose CHAP Over PAP


A natural question at this point is "If the configuration's about the same, why use one over the other?" The drawback with PAP is that both the username and password are sent over the WAN link in clear text. If a potential network intruder intercepts that information, they're going to become an actual network intruder in no time, since they can easily read the username and password.
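The difference is easiest to see by putting the two exchanges side by side, so here is an added example (my code, not the course's) that uses the username/password scheme from the configuration slide above: router names as usernames, CCNA as the password. PAP is modelled as the clear-text request it really sends; CHAP is implemented as RFC 1994 defines it, a one-way MD5 hash over the identifier, the shared secret and a random challenge, so the secret itself never crosses the link.

```python
import hashlib
import hmac
import os

# Local username/password database as described in the text (router names as
# usernames, CCNA as the password); the table itself is constructed here.
USER_DB = {"R1": b"CCNA", "R2": b"CCNA"}


def pap_authenticate_request(username, password):
    """Everything PAP puts on the wire, exactly as a sniffer would see it."""
    return b"PAP-Authenticate-Request " + username.encode() + b" " + password


def chap_challenge(length=16):
    """The authenticator sends a fresh random challenge for every authentication."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single byte")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, username, challenge, response, db=USER_DB):
    """Authenticator side: recompute the hash from its own copy of the secret."""
    secret = db.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def secret_visible_on_wire(packet, secret):
    """Would a passive observer of this packet learn the secret?"""
    return secret in packet


if __name__ == "__main__":
    challenge = chap_challenge()
    response = chap_response(1, USER_DB["R2"], challenge)      # peer R2 answers
    print("CHAP verified:", chap_verify(1, "R2", challenge, response))
    print("PAP leaks secret:", secret_visible_on_wire(pap_authenticate_request("R1", b"CCNA"), b"CCNA"))
    print("CHAP leaks secret:", secret_visible_on_wire(response, b"CCNA"))
```

Two properties follow directly from the code: a captured CHAP response is useless against a later challenge (the random challenge changes), and the identifier binds a response to one exchange. The caveat is that both routers must hold the shared secret in recoverable form, so the username database deserves the same protection as any other credential store.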

Multilink PPP, Compression, And PPP Callback


Multilink PPP (MPPP) allows us to bundle multiple physical WAN links into one logical link. There are different reasons for doing this and they generally depend on the network topology, but the main reason I've used it over ISDN links is to allow the data packets to be broken up into fragments. In turn, this fragmentation allows for greater load balancing, where each of the physical links will carry a similar load rather than having one link carry most of the load.

PPP also allows us to enable one of two compression techniques, Stacker or Predictor. Both are enabled with the interface-level command compress. The differences between the two are far beyond the scope of the CCNA exam, but if you'd like to read more, search Cisco's website for either.

ISDN is no longer on the CCNA exam, but there is an ISDN-related PPP feature you should know about, since it's still somewhat popular on ISDN networks. PPP callback gives our router the ability to accept a phone call from a remote user, authenticate that user, and then hang up on them and then call them back.

"Who's Causin' All This?"


A better way to ask this question is "Who's handling all of these PPP capabilities?" The answer - the Link Control Protocol (LCP).


Just as the Session layer is the "manager" of the entire OSI model, LCP is really the manager of PPP. LCP handles the configuration, maintenance, and eventual teardown of any PPP connection. All of the features that make PPP so attractive to network admins - PPP callback, PAP and CHAP authentication, PPP multilink, and error detection/correction - are negotiated and handled by LCP.

Frame Relay's got three things going for it that endear it to network admins:
it's cheap ("cost-effective", "requires less investment", or whatever sales-department catchphrase you want to use)
it's reliable
it's cheap and reliable (see above)

The frame relay service provider guarantees a certain amount of bandwidth will be available to a given user at any time. The more guaranteed bandwidth desired, the more it costs, but it's still cheaper than a dedicated point-to-point link. This guaranteed bandwidth is referred to as the committed information rate (CIR).

Frame relay is a packet-switching protocol. The packets may take different physical paths to the remote devices, at which point they will be reassembled and will take the form of the original message. In contrast, circuit-switching protocols have dedicated paths for data to travel from one point to another.

There are two types of virtual circuits, one much more popular than the other. A permanent virtual circuit (PVC) is available at all times, where a switched virtual circuit (SVC) is up only when certain criteria are met. You're going to see PVCs in most of today's networks, and that's the kind of virtual circuit we'll work with throughout this section.

A frame relay network is often referred to as an NBMA network, or nonbroadcast multiaccess. "nonbroadcast" means that broadcasts are not transmitted over frame relay by default, not that they cannot be sent. "multiaccess" means that the frame relay network will be shared by multiple devices.

A PVC can be full-mesh or partial-mesh. A full mesh describes a topology where every router has a logical connection to every other router in the frame relay network. These are rare in today's networks, but they are out there!

The LMI: The Heartbeat Of Frame Relay


Local Management Interface (LMI) messages are sent between the DCE, typically the service provider, and the DTE, the Cisco router. LMI Status messages serve as keepalives for the frame connection. If keepalives are not continually received by both the DCE and DTE, the frame connection will drop. The LMI also indicates the PVC status to the router, reflected as either active or inactive.

The LMI types must match on the DTE and DCE for the PVC to be established. There are three types of LMI:
Cisco (the default)
ansi
q933a


On rare occasions - such as your CCNA exam, perhaps :) - the Frame LMI may not match. Let's take a look at how that happens, what happens when there is an LMI mismatch, and how to diagnose and troubleshoot the issue.


The LMI must match in order for our line protocol to stay up, but so must the Frame encapsulation type. The encapsulation type must be agreed upon by the DTEs at each end of the connection; the DCE does not care which Frame encap type is used.

We've only got two Frame encapsulation choices:


Cisco (the default - detecting a pattern here?)
IETF (the industry standard)

Interestingly enough, IOS Help does not mention the Cisco default, only the option to change the Frame encap to IETF.

Frame Relay VCs use Data-Link Connection Identifiers (DLCIs) as their addresses. A DLCI is simply a Frame Relay Layer 2 address, but it's a bit different from other addresses in that the same DLCI number can be reused from one router to another. DLCIs have local significance only because DLCI numbers are not advertised to other routers, so other routers can use the same DLCI numbers without causing connectivity issues.


Frame map statements are the core of Frame's operation, and we've got to have them. We've got two choices when it comes to Frame mapping:
Use Inverse ARP (iARP) to enable dynamic mapping
Use static frame map statements to create a static configuration

Inverse ARP
Configuring Inverse ARP is simple enough, because it's enabled by default on a Cisco interface running Frame Relay. When you enter the encapsulation frame-relay command and then open the interface, you're running Inverse ARP.

R1#show frame map
Serial0 (up): ip 0.0.0.0 dlci 123(0x7B,0x1CB0) broadcast, CISCO, status defined, inactive
Serial0 (up): ip 0.0.0.0 dlci 122(0x7A,0x1CA0) broadcast, CISCO, status defined, inactive

This mapping to "0.0.0.0" occasionally happens with Inverse ARP. Those are the only mappings we have right now, and they're going to be the only ones we do get in this particular situation.


The key to writing successful frame map statements is simple: Always map the local DLCI to the remote IP address.


Subinterfaces And Frame Relay


In the previous examples, we've used physical Serial interfaces for our Frame Relay networks. Using a physical Serial interface can lead to some routing complications, particularly on the hub router. One of those complications is Split Horizon. Split Horizon is a distance-vector routing protocol behavior. If we're running OSPF on our network, there's no problem. On RIP networks, split horizon can be a problem, as illustrated by the following network topology.

We do have three solutions to this problem:


Create a logical full mesh between all routers (usually not practical)
Use the interface-level command no ip split-horizon
Use multipoint and/or point-to-point subinterfaces

When it comes to deciding whether a subinterface should be point-to-point or multipoint, it really depends on the network topology and the number of remote routers a subinterface will be communicating with. There's no "one size fits all" answer to that question, but for both exam room and server room success, it's vital to know:
Subinterfaces are often used to work around split horizon
You have to define multipoint or point-to-point
Always, always, always use the frame interface-dlci command with ptp subinterfaces

Frame Relay uses two different values to indicate that the WAN is becoming congested:
- FECN - Forward Explicit Congestion Notification
- BECN - Backward Explicit Congestion Notification

The Discard Eligible bit is considered a Frame Relay congestion notification bit, but the purpose is a bit different from the BECN and FECN. Frames are sometimes dropped as a result of congestion, and frames with the DE bit set will be dropped before frames without that bit set. Basically, setting the DE bit on a frame indicates data that's considered less important than data without the DE bit set.

PVC Status Messages


When you check PVCs with show frame-relay pvc, you'll see one of three status messages for each PVC:
- active
- inactive
- deleted


Personally, I've always kept those two straight like this:


- inactive means it's the other guy's fault (the problem is remote)
- deleted means it's your fault (the problem is local)


Video 3 Static Routing and RIP


Static Routing and RIP


- Static Routing Theory and Configuration
- Distance Vector Protocol Behavior
- Split Horizon and Route Poisoning
- RIP Theory and Version Differences
- The Joy of show ip protocols
- RIP Limitations
- RIP Timers
- Floating Static Routes

For this example and all others in this course, the last octet of the IP address for any physical interface will be the router number. That's a good habit to get into for your home lab studies as well. For loopbacks, we'll use the router number for each octet.

The networks used in this section:


- Frame Relay (Serial interfaces, all routers): 172.12.123.x /24
- R2's loopback interface: 2.2.2.2 /24
- R3's loopback interface: 3.3.3.3 /24


We've got two choices to get a route to 2.2.2.0 into that table:
- Configure a static route
- Configure a dynamic routing protocol throughout the network


Since we're in the static routing section of the course, let's choose a static route! We use the ip route command to create static routes, and we actually have two choices when it comes to static routes. We can create
- A static route to a given host or destination network
- A default static route, which will be used when there is no other match in the routing table for a destination network

At this point in the ip route command, you must specify one of these two values:
- The local router's exit interface (NOT the IP address)
- The remote router's IP address that we want to send that packet to

The syntax for a default static route looks a bit odd, so be ready to identify it on the exam:

    R1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R1(config)#ip route 0.0.0.0 0.0.0.0 172.12.123.2

Default static routes serve two major purposes, one of which we've just seen - we can send data to networks that have no specific entry in the routing table. This also helps to keep routing tables concise and complete, and as you advance in your Cisco studies, you'll learn that it's important to control the size of the routing table while keeping it complete.

Static routes have their place, but they're not terribly scalable. Scalability refers to a network feature or protocol's ability to remain useful without a great deal of manual intervention as the network grows, and it's a term you'll hear often in your Cisco studies and your real-world job.

Changing The Administrative Distance Of a Static Route

The default AD of a static route is 1; the only route type considered more trustworthy is a directly connected route, which has an AD of zero. There may be times when you want to change the AD of a static route, and we can do that with the optional distance value at the end of the ip route command. First, we're going to examine the theory of and configure RIP, and after the RIP section we'll take a look at this kind of route - a floating static route.
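To tie together the default route, the static route, and the administrative distance just described, here is an added example (not part of the course's slides) of the lookup a router performs: longest prefix match first, and among routes to the same prefix the lowest AD. The table is constructed from this section's topology; the AD values 0 (connected), 1 (static) and 120 (RIP) are the IOS defaults, while the floating static's 130 is a value chosen for this illustration. Marking a next hop as failed stands in for the router withdrawing the static route whose next hop became unreachable, which is what lets the floating static take over.

```python
import ipaddress

# Constructed routing table: (prefix, next hop or exit interface, AD, source).
ROUTE_TABLE = [
    ("172.12.123.0/24", "Serial0",      0,   "connected"),
    ("2.2.2.0/24",      "172.12.123.2", 1,   "static"),
    ("2.2.2.0/24",      "172.12.123.3", 130, "floating static"),   # AD 130 chosen for the example
    ("3.3.3.0/24",      "172.12.123.3", 120, "rip"),
    ("0.0.0.0/0",       "172.12.123.2", 1,   "static default"),
]


def best_route(destination, table=ROUTE_TABLE, failed_next_hops=()):
    """Route a packet to `destination` follows: longest prefix wins, then
    lowest AD. Routes whose next hop is listed as failed are treated as
    withdrawn from the table."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for prefix, via, ad, source in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and via not in failed_next_hops:
            candidates.append((net.prefixlen, -ad,
                               {"prefix": prefix, "via": via, "ad": ad, "source": source}))
    if not candidates:
        return None
    return max(candidates, key=lambda c: (c[0], c[1]))[2]


def static_route_command(prefix, via, ad=1):
    """Render the ip route line; the distance is appended only when it differs
    from the static default of 1."""
    net = ipaddress.ip_network(prefix)
    cmd = f"ip route {net.network_address} {net.netmask} {via}"
    return cmd if ad == 1 else f"{cmd} {ad}"


if __name__ == "__main__":
    for dest in ("2.2.2.2", "3.3.3.3", "172.12.123.7", "8.8.8.8"):
        print(dest, "->", best_route(dest))
    print("after next hop 172.12.123.2 fails:", best_route("2.2.2.2", failed_next_hops={"172.12.123.2"}))
    for prefix, via, ad, source in ROUTE_TABLE:
        if "static" in source:
            print(static_route_command(prefix, via, ad))
```

Note that 8.8.8.8 matches only the 0.0.0.0/0 entry, and that once 172.12.123.2 is marked failed, both the primary static to 2.2.2.0/24 and the default route disappear, leaving the floating static as the only path to 2.2.2.0/24.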

Distance Vector Routing


The main distance vector protocol in use in today's networks is the Routing Information Protocol (RIP). A less popular distance vector protocol is the Interior Gateway Routing Protocol (IGRP). IGRP is still in some production networks, but it's no longer on the CCNA exams and it's not even supported by recent IOS versions. Therefore, we'll spend all of our time here studying RIP.

Before we head into a detailed discussion of RIP, there are two distance vector routing loop prevention behaviors you should know about - split horizon and route poisoning. A routing loop occurs when the path to a destination circles back on itself, so the packet is forwarded around the same routers in an unending circle. Loops generally occur due to router misconfiguration or poor network design.

Split Horizon is a simple yet powerful routing loop avoidance feature. The rule of split horizon is that a route cannot be advertised out the same interface upon which the advertisement for that same network was originally received.

That's simple enough, and so is the concept of route poisoning. Route Poisoning occurs when a route becomes unavailable. You'd think that a distance vector routing protocol would simply stop advertising a route when it becomes unavailable, but that's not quite what happens.

With route poisoning, the router with the failed route continues to advertise the route, but with a metric indicating the route is unreachable. With RIP, that means advertising the route with a metric of 16, which RIP considers an unreachable route.

The incoming update from R1's serial0 interface mentions "hops" several times, while the outgoing update mentions a "metric". They're actually the same thing. Both versions of RIP use hop count as their metric, a measurement of how far it is to a remote destination. That's a serious limitation for RIP when it comes to Wide Area Networks (WANs), because RIP will consider both paths in the following example to have the same metric, regardless of the speed of the links:

Viewing And Changing RIP Timers


You've probably noticed the RIP timers in the output of show ip protocols:

    R1#show ip protocols
    Routing Protocol is "rip"
      Sending updates every 30 seconds
      Invalid after 180 seconds, hold down 180, flushed after 240

It's rare you'll have cause to change these, but after a quick discussion of what these timers mean, I'll show you how to change them.


- update - easy enough, that's how often RIP sends full routing updates.
- invalid - If the router doesn't get an update for a route for this amount of time, the route is marked unreachable (hop count of 16) and it's advertised as such. The route is still used to forward packets, though, until one of the other timers expires. Default is 180 seconds.

- holddown - Routes go into holddown when they get a packet indicating that the route has a metric of 16 and is unreachable. The router will not accept an advertisement for that same route from another source until the holddown timer expires. Default is 180 seconds.
- flush - Overall amount of time between the last update received for a route and the point where the route is finally removed from the routing table. Default is 240 seconds. Note that this is an overall time; once the invalid timer expires at the default of 180 seconds, it's another 60 seconds until the route finally gets flushed from the table (240 - 180 = 60).


It's rare that you have cause to change these timers, but you can do so with the timers basic command. You do have to specify the value of each timer, not just the one you want to change. You should also observe these rules when doing so, as per Cisco recommendations:
- invalid timer should be at least three times the update timer
- holddown timer should be at least three times the update timer
- flush timer should be larger than both of the individual invalid and holddown timers
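Here is an added example (not part of the course's slides) that checks a proposed timer set against the three rules above, renders the timers basic command, and walks a route through the valid, invalid (poisoned with metric 16 but still forwarding) and flushed states using the default values quoted earlier. The holddown function is a deliberately simplified model written for this illustration: it only answers whether an alternate advertisement would be accepted at a given moment.

```python
# Cisco defaults from the show ip protocols output above (seconds).
RIP_DEFAULTS = {"update": 30, "invalid": 180, "holddown": 180, "flush": 240}
UNREACHABLE = 16


def check_rip_timers(update, invalid, holddown, flush):
    """Return the recommendations a proposed timer set violates (empty = ok)."""
    problems = []
    if invalid < 3 * update:
        problems.append(f"invalid ({invalid}) should be at least 3 x update ({3 * update})")
    if holddown < 3 * update:
        problems.append(f"holddown ({holddown}) should be at least 3 x update ({3 * update})")
    if flush <= invalid or flush <= holddown:
        problems.append(f"flush ({flush}) should exceed both invalid ({invalid}) and holddown ({holddown})")
    return problems


def timers_basic_command(update, invalid, holddown, flush):
    """All four values are mandatory on the IOS command, even to change one."""
    if check_rip_timers(update, invalid, holddown, flush):
        raise ValueError("timer set violates Cisco's recommendations")
    return f"timers basic {update} {invalid} {holddown} {flush}"


def route_state(seconds_since_last_update, timers=RIP_DEFAULTS):
    """valid: normal; invalid: advertised with metric 16 but still used to
    forward packets; flushed: removed from the routing table."""
    if seconds_since_last_update >= timers["flush"]:
        return "flushed"
    if seconds_since_last_update >= timers["invalid"]:
        return "invalid"
    return "valid"


def advertised_metric(own_metric, seconds_since_last_update, timers=RIP_DEFAULTS):
    """Metric placed in the next update: route poisoning once the route is invalid."""
    if route_state(seconds_since_last_update, timers) == "valid":
        return own_metric
    return UNREACHABLE


def accepts_alternate_route(holddown_started_at, now, timers=RIP_DEFAULTS):
    """After a metric-16 advertisement starts holddown, an advertisement for the
    same route from another source is ignored until the holddown timer expires."""
    return now - holddown_started_at >= timers["holddown"]


def seconds_from_invalid_to_flush(timers=RIP_DEFAULTS):
    return timers["flush"] - timers["invalid"]   # 60 with the defaults


if __name__ == "__main__":
    for age in (0, 179, 180, 239, 240):
        print(f"{age:>3}s since last update: {route_state(age):<8} advertised metric {advertised_metric(3, age)}")
    print(timers_basic_command(10, 30, 30, 60))
    print(check_rip_timers(10, 20, 20, 25))
```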


Video 4 OSPF


OSPF
- Link State Routing Protocol Concepts and Basics
- The DR and BDR
- Hello Packets
- Troubleshooting Adjacency Issues
- Hub-and-Spoke NBMA OSPF Networks
- Broadcast Networks
- The OSPF RID
- OSPF Router Types
- Advantages of OSPF
- Point-to-Point OSPF Networks
- Default-Information Originate (always?)
- OSPF Authentication

A major drawback of distance vector protocols is that they not only send routing updates at a regularly scheduled time, but these routing updates contain full routing tables for that protocol. When a RIP router sends a routing update packet, that packet contains every single RIP route that router has in its routing table! This takes up valuable bandwidth and puts an unnecessary drain on the receiving router's CPU and memory resources.

Link state protocols do not exchange routes and metrics. Link state protocols exchange just that: the state of their links, and the cost associated with those links. (OSPF refers to its metric as cost, a term we'll revisit later in this section.)

As these Link State Advertisements (LSA) arrive from OSPF neighbors, the router performs a series of computations on these LSAs, giving the router a complete picture of the network. This series of computations is known as the Shortest Path First (SPF) algorithm, also referred to as the Dijkstra algorithm.

    R1#show ip ospf database

                OSPF Router with ID (1.1.1.1) (Process ID 1)

                    Router Link States (Area 0)

    Link ID         ADV Router      Age         Seq#       Checksum Link count
    1.1.1.1         1.1.1.1         54          0x80000002 0xDCA2   1
    2.2.2.2         2.2.2.2         33          0x80000005 0x98DA   1
    172.23.23.3     172.23.23.3     7           0x80000003 0xCEF9   1

                    Net Link States (Area 0)

    Link ID         ADV Router      Age         Seq#       Checksum
    172.12.123.1    1.1.1.1         12          0x80000002 0xAE63


The Designated Router and Backup Designated Router

If all routers in an OSPF network had to form adjacencies with every other router, and continued to exchange LSAs with every other router, a large amount of bandwidth would be used any time a router flooded a network topology change. Instead, most OSPF networks will elect a designated router and a backup designated router to handle this workload.

The designated router is the router that will receive the LSAs from the other routers in the area, and then flood the LSA indicating the network change to all non-DR and non-BDR routers. Routers that are neither the DR nor the BDR for a given network segment are indicated in show ip ospf neighbor as DROTHER, as you'll see shortly.

Instead of having every router flooding the network with LSAs after a network change, the change notification is sent straight to the DR, and the DR then floods the network with the change. If the DR fails, the backup designated router (BDR) takes its place. The BDR is promoted to DR and another election is held, this one to elect a new BDR.

The value used to elect the DR and BDR is the OSPF interface priority. By default, this value is one on all OSPF-enabled interfaces. To influence the election, the interface-level command ip ospf priority is used. Setting an interface's priority to zero prevents it from becoming the DR or BDR.

Hello packets perform two main tasks in OSPF, both of them vital:
- OSPF Hellos allow neighbors to dynamically discover each other
- OSPF Hellos allow the neighbors to remind each other that they are still there, which means they're still neighbors!

OSPF-enabled interfaces send hello packets at regularly scheduled intervals. The default intervals are 10 seconds on a broadcast segment such as Ethernet and 30 seconds for non-broadcast links such as Serial links. OSPF Hellos have a destination IP address of 224.0.0.5, an address from the reserved Class D range of multicast addresses (224.0.0.0 - 239.255.255.255).

Neighbor Value #1 & 2: Subnet Number And Mask


Simple enough - if the routers are not on the same subnet and using the same mask, they will not become neighbors.


Neighbor Value #3 & 4: The Hello And Dead Timers


These timers have vastly different roles, but they are intertwined in one very important way. The Hello timer defines how often OSPF Hello packets will be multicast to 224.0.0.5, while the Dead timer is how long an OSPF router will wait to hear a Hello from an existing neighbor. When the Dead timer expires, the adjacency is dropped!

The default dead time for OSPF is four times the hello time, which makes it 40 seconds for Ethernet links and 120 seconds for nonbroadcast links. The OSPF dead time adjusts dynamically if the hello time is changed. If you change the hello time to 15 seconds on an Ethernet interface, the dead time will then be 60 seconds.

- Down - No hellos received from that neighbor.
- Attempt - Unicast hello packets are being sent to the neighbor; you'll only see this in OSPF NBMA networks, since they're configured with neighbor commands.
- Init - First Hello packet has been received from this neighbor.

- 2-Way - Each router has received a Hello packet containing its own RID, meaning that bidirectional communication is in place. When a router receives a Hello packet containing its own RID, that's the remote router's way of saying "I received the Hello packet you sent me earlier."
- Exstart - Following DR / BDR election, the exchange of link state database information can begin. The router with the highest OSPF RID will begin the exchange and increment the initial sequence number, which is determined during this stage.

- Exchange - Database Descriptor (DBD) packets are exchanged; these packets contain a description of the link state database.
- Loading - Routers now send Link State Request (LSR) packets to their potential neighbor.
- Full - Router databases are synchronized and the adjacency has been formed.

How the Dijkstra Algorithm Assists with Loop Prevention

Link state protocols do not rely on distance vector loop prevention methods such as split horizon or poison reverse. Those wouldn't work with link-state protocols since link state routers are not actually exchanging routes. Instead, the Dijkstra Algorithm (also known as the SPF algorithm) recalculates network changes so quickly that routing loops literally have no time to form.

Upon detection of a change in the network topology, such as a down link, the detecting router floods news of this change. The routers receiving this new information then flood the change to all of their neighbors, and the process continues until all routers are informed of the change. The routers run the SPF Algorithm immediately after learning of the change, and new routes are determined almost immediately. This default link-state behavior is what makes OSPF convergence much faster than distance-vector convergence.

OSPF is commonly configured on hub-and-spoke networks like the one we worked with in the Frame Relay section, so that's exactly the one we're going to use here. R2 and R3 are connected via an Ethernet segment as well; we'll configure that after taking care of the hub-and-spoke network.

Here are the network numbers, with each router's number acting as the last octet for all subnets on that router.
- Frame Relay network: 172.12.123.0 /24
- Ethernet segment: 172.23.23.0 /24


In turn, each router is using a different kind of interface on the Frame Relay network.
- R1 is using Serial0, the physical interface
- R2 is using Serial0.123, a multipoint subinterface
- R3 is using Serial0.31, a point-to-point subinterface

Each router has a loopback with its own number for each octet. Each loopback has a subnet mask of 255.255.255.255 (a host mask).

The default priority of an OSPF-enabled interface is 1. The interface with the highest priority becomes the DR, and the interface with the second-highest priority will become the BDR. It's not enough here to make R1 the DR, though. We want to prevent R2 or R3 from ever becoming the DR or BDR on the hub-and-spoke segment, even if R1 is reloaded. We'll do so by setting the appropriate priorities to zero.


We've got to fix that before an adjacency can form. We have two options:
- Use the ip ospf hello-interval command to change the hello timer on R3 (if we change it on R1, we'll lose the adjacency we already have with R2)
- Use the ip ospf network command to change R3's OSPF network type on that subinterface to nonbroadcast, which will make it match R1's hello and dead timers

OSPF assigns a cost to every OSPF-enabled interface. The interface cost is based on the port's speed. The formula OSPF uses to calculate the interface cost is:

    100,000,000 / bandwidth in bps (NOT kbps!)

Here are some default OSPF interface costs for common interface speeds:
- 56 kbps = 1785
- T1 line = 64
- Ethernet = 10
- 16 Mbps Token Ring = 6
- FDDI and 100 Mbps Ethernet = 1

By default, the OSPF Router ID (RID) will be the numerically highest IP address of all loopback interfaces configured on the router. In the previous lab, the RID for each router was the IP address on the router's loopback interface.

That's easy enough to remember, but why use a loopback address for the OSPF RID instead of the physical interfaces? A physical interface can become unavailable in a number of ways - the actual hardware can go bad, the cable attached to the interface can come loose - but the only way for a loopback interface to be unavailable is for it to be manually deleted or for the entire router to go down.

In turn, a loopback interface's higher level of stability and availability results in fewer SPF recalculations, which results in a more stable network overall. Oddly enough, an interface does not have to be OSPF-enabled to have its IP address used as the OSPF RID.

It's rare to have a router running OSPF that doesn't have at least one loopback interface, but if there is no loopback, the highest IP address on the router's physical interfaces will be the OSPF RID.
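Both the cost formula and the RID selection rule from the last few slides are easy to get subtly wrong (feeding a kbps figure into the formula, or comparing addresses as strings instead of numbers). Here is an added example (not part of the course's slides) that reproduces the cost table above from the formula, shows that path cost is the sum of outgoing interface costs, and picks the RID by the stated rule: numerically highest loopback, and only when there are no loopbacks the highest physical-interface address. The interface lists are constructed for the example.

```python
import ipaddress

REFERENCE_BANDWIDTH_BPS = 100_000_000


def ospf_cost(bandwidth_bps):
    """Interface cost = 10^8 / bandwidth in bits per second, truncated to an
    integer; anything faster than 100 Mbps still gets the minimum cost of 1."""
    if bandwidth_bps <= 0:
        raise ValueError("bandwidth must be positive")
    return max(1, REFERENCE_BANDWIDTH_BPS // bandwidth_bps)


def ospf_cost_from_kbps(bandwidth_kbps):
    """IOS 'bandwidth' values are entered in kilobits; convert before dividing.
    Feeding the kbps number straight into the formula inflates the cost 1000x."""
    return ospf_cost(bandwidth_kbps * 1000)


def path_cost(bandwidths_bps):
    """OSPF adds the cost of each outgoing interface along the path."""
    return sum(ospf_cost(b) for b in bandwidths_bps)


def ospf_router_id(loopback_addresses, physical_addresses):
    """Highest loopback IP wins. Only if there are no loopbacks does the highest
    physical-interface IP become the RID. Whether the interface is OSPF-enabled
    plays no part. Comparison is numeric, so 192.168.1.10 beats 192.168.1.9."""
    pool = loopback_addresses or physical_addresses
    if not pool:
        return None
    return str(max(pool, key=lambda a: int(ipaddress.ip_address(a))))


if __name__ == "__main__":
    # Link speeds in bps for the slide's table; T1 is 1.544 Mbps.
    for label, bps in [("56 kbps", 56_000), ("T1", 1_544_000), ("Ethernet", 10_000_000),
                       ("16 Mbps Token Ring", 16_000_000), ("FDDI / 100 Mbps Ethernet", 100_000_000),
                       ("Gigabit Ethernet", 1_000_000_000)]:
        print(f"{label:<26} cost {ospf_cost(bps)}")
    print("T1 then Ethernet path cost:", path_cost([1_544_000, 10_000_000]))
    print("RID with loopback 1.1.1.1 and Serial0 172.12.123.1:",
          ospf_router_id(["1.1.1.1"], ["172.12.123.1"]))
    print("RID with no loopback:", ospf_router_id([], ["172.12.123.1", "10.1.1.1"]))
```

Note the last table row: Gigabit Ethernet also comes out at cost 1, so with the default reference bandwidth OSPF cannot tell it apart from Fast Ethernet.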


OSPF Router Types


OSPF categorizes routers into four different categories:
- Internal Routers are routers whose interfaces are all in the same area.
- Area Border Routers (ABR) will have at least one interface in Area 0, and connect other areas to Area 0.

- Backbone Routers are routers with at least one interface in Area 0. All ABRs are backbone routers, but not all backbone routers are ABRs.
- Autonomous System Border Routers (ASBR) take routes from other protocols and place them into the OSPF domain. This process is called route redistribution.

There are some concrete reasons to choose OSPF over other routing protocols:
- OSPF supports VLSM.
- OSPF is suitable for multivendor networks, where the Cisco-proprietary EIGRP is not.
- RIP sends the entire routing table in an update packet, and RIP also converges slowly, as do all distance vector routing protocols.


Default-Information Originate (Always?)


One of the benefits of running OSPF is that all of our routers have a similar view of the network. There are times, though, that you may not want all of your routers to have a full routing table. This involves the use of stub and total stub areas, and while the configuration of those areas is beyond the scope of the CCNA and CCENT exams, I do want to show you an example of when we might configure such an area. This also helps to illustrate a command that you just might see on your CCNA exam!

If that central router does have a default route, the default-information originate command will do the job.

    R1(config)#router ospf 1
    R1(config-router)#default-information originate


Video 5 EIGRP


EIGRP
- Introduction to EIGRP
- Successors and Feasible Successors
- EIGRP vs. RIPv2
- Basic Configuration
- Wildcard Masks
- Load Sharing (Equal and Unequal-cost)
- EIGRP, RIPv2, and Autosummarization
- Passive vs. Active Routes

Introduction To EIGRP
Link state protocols (OSPF) and distance vector protocols (RIP) have clear-cut differences in the way the best routes are determined and what is actually exchanged between routers. Just as a hybrid plant has characteristics of more than one plant, a hybrid routing protocol has characteristics of both link state and distance vector protocols. The hybrid protocol is the Enhanced Interior Gateway Routing Protocol (EIGRP).

EIGRP has a lot going for it:


- Rapid convergence upon a change in the network, because backup routes ("Feasible Successors") are calculated before they're actually needed due to the loss of a primary route ("Successor")
- Offers multiprotocol support (supports IP, IPX, and AppleTalk)
- Supports Variable-Length Subnet Masking (VLSM) and Classless Inter-Domain Routing (CIDR)

The one little problem with EIGRP is that it's Cisco-proprietary, making it unsuitable for a multivendor environment. EIGRP is the enhanced version of the original Interior Gateway Routing Protocol (IGRP), which is no longer supported by new Cisco IOSes and is no longer a part of the CCNA exams. EIGRP acts like a distance vector protocol in that EIGRP neighbors initially exchange full routing tables. Just about every other EIGRP behavior is more like a link state protocol.

EIGRP uses Hello packets (sent to multicast address 224.0.0.10) to establish and maintain neighbor relationships. The Reliable Transport Protocol (RTP) is used to handle the transport of messages between EIGRP-enabled routers. EIGRP also acts like a link state protocol in that when network topology changes occur, updates containing only the change are sent, rather than another full routing table.

EIGRP uses autonomous systems to identify routers that will belong to the same logical group. EIGRP routers that exist in separate autonomous systems will not exchange routes. They won't even become neighbors in the first place!

For an EIGRP neighbor relationship to be established, the routers must receive Hello packets from the neighbor, the Autonomous System number must match, and the metric weights must match. (Do not confuse the k metrics with the route metrics; they are two totally separate metrics.)

The metric weights refer to the level of importance EIGRP gives to the bandwidth, delay, load, and reliability metrics. By default, EIGRP considers bandwidth and delay when calculating metrics, and does not consider the other metric weights.

The Successor and Feasible Successor


EIGRP keeps three tables - the route table, where the best route to each destination is kept; the topology table, where all feasible routes are kept; and the neighbor table, where the EIGRP neighbors and information about them are kept.

As an EIGRP-enabled router learns about the network, the router will put the best route to a given destination in its routing table. EIGRP keeps the best routes along with less-desirable but still valid routes in the topology table. EIGRP actually calculates these backup routes before a failure occurs, making convergence after a failure much faster than RIP.

The EIGRP term for the best route is the Successor. Any valid alternate route is referred to as the Feasible Successor. The decision process for whether a route can become a Feasible Successor can be summed up in one question.

The EIGRP Feasible Successor Question

The router asks itself, "Is the neighboring router's metric for this route lower than my metric?"

- If so, no loop is present, and that route is a Feasible Successor.
- If not, a loop may be present, and that route cannot be a Feasible Successor.

That's all well and good - but what if there is no Feasible Successor?

EIGRP uses the Diffusing Update Algorithm (DUAL) to issue queries to neighbors for a loop-free route to the destination. If the routers receiving the DUAL queries do not have a route, those routers will also send DUAL queries to their neighbors. This process continues until a route is found and the original router is informed of the route, or no valid route is found.

Wildcard Masks
Wildcard masks do look a little odd at first, but since we use them in access lists, EIGRP, and OSPF, we better know how to configure them!


They're really just "reverse subnet masks". For instance, the network 172.12.123.0 255.255.255.0 means that all hosts that begin with 172.12.123 are part of that network. When you write out the network number and the mask in binary and compare the two, the ones in the subnet mask are "care" bits and the zeroes are "I don't care" bits.

    172.12.123.0  = 10101100 00001100 01111011 00000000
    255.255.255.0 = 11111111 11111111 11111111 00000000


Wildcard masks take the opposite approach. The zeroes are "I care", and the ones are "I don't care". In this example, we want to enable EIGRP on all interfaces whose first three octets are 172.12.123, and after that, we don't care!
    10101100 00001100 01111011 00000000 = 172.12.123.0
    00000000 00000000 00000000 11111111 = 0.0.0.255


Using wildcard masks takes some getting used to, and just make sure to be careful on your exam:
- Subnet masks begin with strings of consecutive 1s
- Wildcard masks begin with strings of consecutive 0s
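Here is an added example (not part of the course's slides) that does the wildcard arithmetic above in code: it derives a wildcard from a subnet mask or prefix length, prints the binary groups shown on the slide, applies the "care / don't care" test that a network statement performs against an interface address, and flags the exam trap of typing a subnet mask where a wildcard belongs. The 172.12.123.0/24 network is the course's; the test hosts are constructed.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.ip_address(addr))


def wildcard_from_mask(mask):
    """Wildcard = bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.ip_address(to_int(mask) ^ 0xFFFFFFFF))


def wildcard_from_prefixlen(prefixlen):
    return wildcard_from_mask(str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask))


def binary(addr):
    """Dotted quad as the four 8-bit groups written out on the slide."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.ip_address(addr).packed)


def matches(address, network, wildcard):
    """Bits where the wildcard is 0 must equal the network ("I care");
    bits where the wildcard is 1 are ignored ("I don't care")."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(address) & care) == (to_int(network) & care)


def network_statement(prefix):
    """The IOS 'network' line (EIGRP/OSPF style) for a CIDR prefix."""
    net = ipaddress.ip_network(prefix)
    return f"network {net.network_address} {wildcard_from_prefixlen(net.prefixlen)}"


def looks_like_subnet_mask(wildcard):
    """Exam trap detector: a non-zero 'wildcard' whose first bit is 1 is almost
    certainly a subnet mask typed where a wildcard belongs."""
    w = to_int(wildcard)
    return w != 0 and (w >> 31) == 1


if __name__ == "__main__":
    print(binary("172.12.123.0"), "= 172.12.123.0")
    print(binary("0.0.0.255"), "= 0.0.0.255")
    print(network_statement("172.12.123.0/24"))
    for host in ("172.12.123.1", "172.12.123.254", "172.12.124.1"):
        print(host, "matches" if matches(host, "172.12.123.0", "0.0.0.255") else "does not match")
    print("255.255.255.0 as a wildcard?", looks_like_subnet_mask("255.255.255.0"))
```

A wildcard of 0.0.0.0 is the "match this one address exactly" case, which is why network statements written against a single interface address use it.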

The variance command is simply a multiplier. The router will multiply the Feasible Distance by this value. Any feasible successor with a metric less than that new value will be entered into the routing table. In print, that sounds a little confusing. In reality, it's simple, as you're about to see!


Load Sharing And The maximum-paths Command


You've probably noticed that we didn't have to enter any commands to perform equal-cost load balancing with EIGRP. EIGRP will enter four equal-cost routes to the same destination into the routing table by default, and this value can be changed with the maximum-paths command to a minimum of one and a maximum of 16.

    R1(config)#router eigrp 100
    R1(config-router)#maximum-paths ?
      <1-16>  Number of paths

Setting maximum-paths to 1 disables load balancing.

EIGRP uses the Diffusing Update Algorithm (DUAL) to calculate routes, and there's one other important role DUAL plays in an EIGRP deployment. If a Successor route is lost and there is no Feasible Successor, we've got a problem! DUAL doesn't give up easily, though. DUAL will mark the route as Active, indicating that the route is being calculated and cannot be used to route data, and will send out a Query message to all of that router's EIGRP neighbors.

A DUAL Query is basically one neighbor asking another, "Hey, do you know how to get to this network I just lost my route to?" If that neighbor has a route, the query will be answered with that route. If the neighbor doesn't have such a route, that neighbor will ask its neighbors. The process continues until a downstream router replies with the desired route, or the EIGRP downstream routers run out of neighbors to ask.

Routes in the EIGRP Topology table marked as Active are considered unusable, since Active indicates that the route is currently being calculated by DUAL. Hopefully the route comes out of Active very quickly and becomes Passive, as indicated by the "P" in the following Topology table. When it comes to EIGRP routes, Passive is good and Active is bad!
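The Feasible Successor question, the variance multiplier, the maximum-paths limit, and DUAL's Passive/Active decision all operate on the same two numbers per path: the feasible distance (this router's full metric through a neighbor) and the reported distance (the neighbor's own metric, which is what "the neighboring router's metric" in the question refers to). Here is an added example (not part of the course's slides) that applies all four rules to one constructed set of paths for 3.3.3.0/24; the metrics and the third neighbor address 172.23.23.9 are made up for the illustration.

```python
# Constructed paths to 3.3.3.0/24 as (neighbor, feasible distance, reported distance).
PATHS = [
    ("172.12.123.3", 2172416, 128256),    # direct to R3: becomes the Successor
    ("172.12.123.2", 2707456, 2000000),   # RD 2000000 < 2172416: Feasible Successor
    ("172.23.23.9",  3000000, 2500000),   # RD 2500000 >= 2172416: rejected (possible loop)
]


def classify_paths(paths):
    """Successors have the lowest FD. A non-successor is a Feasible Successor
    only if its RD is lower than the successor's FD (the question on the slide)."""
    best_fd = min(fd for _, fd, _ in paths)
    successors = [p for p in paths if p[1] == best_fd]
    feasible = [p for p in paths if p[1] != best_fd and p[2] < best_fd]
    rejected = [p for p in paths if p[1] != best_fd and p[2] >= best_fd]
    return successors, feasible, rejected


def routing_table_paths(paths, variance=1, maximum_paths=4):
    """Paths installed in the routing table: every successor, plus any feasible
    successor whose FD is below variance x (best FD), capped at maximum_paths
    entries (lowest FD first). The IOS range for maximum-paths is 1-16."""
    if not 1 <= maximum_paths <= 16:
        raise ValueError("maximum-paths must be between 1 and 16")
    successors, feasible, _ = classify_paths(paths)
    limit = variance * successors[0][1]
    chosen = successors + [p for p in feasible if p[1] < limit]
    chosen.sort(key=lambda p: p[1])
    return chosen[:maximum_paths]


def after_successor_loss(paths):
    """DUAL's reaction when every successor disappears: promote the best
    feasible successor and stay Passive, or go Active and query neighbors."""
    _, feasible, _ = classify_paths(paths)
    if feasible:
        return "Passive", min(feasible, key=lambda p: p[1])
    return "Active", None


if __name__ == "__main__":
    successors, feasible, rejected = classify_paths(PATHS)
    print("successor(s):", successors)
    print("feasible successor(s):", feasible)
    print("rejected:", rejected)
    print("variance 1:", routing_table_paths(PATHS))
    print("variance 2:", routing_table_paths(PATHS, variance=2))
    print("variance 2, maximum-paths 1:", routing_table_paths(PATHS, variance=2, maximum_paths=1))
    print("successor lost:", after_successor_loss(PATHS))
    print("successor lost, no FS:", after_successor_loss([PATHS[0], PATHS[2]]))
```

With variance 2 the limit becomes 2 x 2172416 = 4344832, so the path via 172.12.123.2 (FD 2707456) is installed alongside the successor; the path via 172.23.23.9 never qualifies, however large the variance, because it failed the Feasible Successor question first.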

Video 6 IP Version 6 and NAT


IP Version 6 and NAT


- IPv6 Theory and Introduction
- Zero Compression and Leading Zero Compression
- IPv6 Reserved Addresses
- The Autoconfiguration Process
- OSPF v3 Basics
- Transition Strategies
- NAT Theory and Introduction
- Static NAT Configuration
- Dynamic NAT Configuration
- PAT Configuration

That's right - I said IPv6 uses 128-bit addresses. IPv6 addresses consist of eight 16-bit hex fields. IPv6 also has other important uses. Mobile IP, which allows end systems such as Global Positioning Systems and IP Phones to move without losing connectivity, is built into IPv6, as is IP Security (IPSec). As more and more devices demand an IP address of some kind, the closer we get to widespread usage of IPv6. You could be using it right now on such a device and not even know it. (IPSec is compatible with IPv4, but is built in to IPv6.)

You're familiar with the IPv4 headers, but there are quite a few changes in the move to IPv6. There are eight header fields in IPv6:
- version - This is set to "6" in IPv6.
- traffic class - In IPv4, this was the Type Of Service (TOS) field.
- flow label - No equivalent in IPv4; this field allows a packet to be labeled as part of a particular flow.
- payload length - IPv4's equivalent is the Total Length field.
- hop limit - Roughly equivalent to IPv4's Time To Live (TTL) field.
- next header - Equivalent to IPv4's Protocol field.
- source address, destination address - they're now 128 bits!

There are some IPv4 fields that are not in IPv6:


- Header Length
- Identification
- Flags
- Fragment Offset
- Header Checksum
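To see the eight header fields, and the absence of the IPv4 ones just listed, in actual bytes, here is an added example (not part of the course's slides) that packs and parses the fixed 40-byte IPv6 header. The packet is constructed here, with addresses from the 2001:db8::/32 documentation range; next header 58 is ICMPv6. Because there is no header checksum, the only internal consistency check available is the payload length against the bytes actually present, and the parser enforces it.

```python
import ipaddress
import struct

# version(4) + traffic class(8) + flow label(20) share one 32-bit word, then
# payload length (16), next header (8), hop limit (8), source (128), destination (128).
HEADER_FORMAT = "!IHBB16s16s"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)   # 40 bytes, always


def build_ipv6_header(src, dst, payload_length, next_header=58, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Pack a fixed IPv6 header; values are range-checked before packing."""
    if not 0 <= traffic_class <= 0xFF:
        raise ValueError("traffic class is 8 bits")
    if not 0 <= flow_label <= 0xFFFFF:
        raise ValueError("flow label is 20 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack(HEADER_FORMAT, first_word, payload_length, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(packet):
    """Return the header fields as a dict; raise ValueError for a truncated
    header, a non-6 version, or a payload length the packet cannot back up."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit, src, dst = struct.unpack(
        HEADER_FORMAT, packet[:HEADER_LEN])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version field is {version})")
    if payload_length > len(packet) - HEADER_LEN:
        raise ValueError("payload length exceeds the bytes present")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": str(ipaddress.IPv6Address(src)),
        "destination": str(ipaddress.IPv6Address(dst)),
    }


if __name__ == "__main__":
    payload = b"\x80\x00\x00\x00\x00\x01\x00\x01"   # constructed 8-byte stand-in payload
    header = build_ipv6_header("2001:db8::1", "2001:db8::2", len(payload),
                               traffic_class=0xE0, flow_label=0xABCDE)
    for name, value in parse_ipv6_header(header + payload).items():
        print(f"{name:<15} {value}")
    print("header bytes:", header.hex())
```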

    Typical IPv4 address: 129.14.12.200
    Typical IPv6 address: 1029:9183:81AE:0000:0000:0AC1:2143:019B

As you can see, IPv6 isn't exactly just tacking two more octets onto an IPv4 address!

If you have consecutive fields of zeroes in an IPv6 address, they can be expressed with two colons. It doesn't matter if you have two fields or eight, you can simply type two colons and that will represent all of them. The key here is that you can only do this once in an IPv6 address. This is zero compression.

Here's an example:
    Original format:        1234:1234:0000:0000:0000:0000:3456:3434
    Using zero compression: 1234:1234::3456:3434


Leading zeroes in any 16-bit field can be dropped, but each block you do this with must have at least one number remaining. For example, if the block is all zeroes, you have to leave one zero. This is leading zero compression.


Let's look at an example of leading zero compression. Taking the address 1234:0000:1234:0000:1234:0000:0123:1234, we have four different fields that have leading zeroes. The address could be written out as it is, or we can drop the leading zeroes.

    Original format:               1234:0000:1234:0000:1234:0000:0123:1234
    With leading zero compression: 1234:0:1234:0:1234:0:123:1234
There's no problem with using zero compression and leading zero compression in the same address, as shown here:
Original format: 1111:0000:0000:1234:0011:0022:0033:0044
With zero and leading zero compression: 1111::1234:11:22:33:44
The official name of the first IPv6 unicast address we'll discuss is aggregateable global unicast address. Quite a bit of documentation on IPv6 leaves the "aggregateable" off, so we'll refer to these addresses simply as global unicast addresses.
This address type is equivalent to the public IPv4 address classes. These addresses are fully routable and can be used for Internet access. The word "aggregateable" refers to the ability to aggregate, or summarize, these addresses to make routing more efficient. Unlike IPv4, IPv6 is specifically designed to be fully hierarchical, allowing for easier and more efficient route aggregation.
IPv6 offers two kinds of local addresses, link-local and site-local. Site-local addresses allow devices in the same organization, or site, to exchange data. Site-local addresses are IPv6's equivalent to IPv4's private address classes, since hosts using them are able to communicate with each other throughout the organization, but these addresses cannot be used to reach Internet hosts or hosts on a remote site.
Link-local addresses have a smaller scope than site-local. Link-local addresses are local to a physical link. These particular addresses are not used at all in forwarding data. One protocol that uses these addresses is Neighbor Discovery Protocol (NDP), IPv6's answer to ARP.
You can identify these and other IPv6 addresses by their initial bits:
001 - Global unicast address
1111 1111 - Multicast (FF)
1111 1110 11 - Site-local (FEC0)
1111 1110 10 - Link-local (FE80)
::x.x.x.x or 0:0:0:0:0:0:x.x.x.x - IPv4-compatible address. Any IPv6 address with the first 96 bits set to zero is an IPv4-compatible address. I used zero compression in the first representation of that range, and leading zero compression for the second.
IPv4 has the reserved address 127.0.0.1 to allow for testing; IPv6 has a loopback address reserved for the same purpose. This address will give you some practice with your zero compression:
IPv6 Loopback: 0000:0000:0000:0000:0000:0000:0000:0001
Using Leading Zero Compression Only: 0:0:0:0:0:0:0:1
Combining Leading Zero and Zero Compression: ::1
Unique to IPv6 is the unspecified address. You may be thinking "if it's unspecified, how do we know what it is?" Great question! This address is used to represent an unknown address:
IPv6 Unspecified Address: 0000:0000:0000:0000:0000:0000:0000:0000
Using Leading Zero Compression: 0:0:0:0:0:0:0:0
Using Zero Compression: ::, written with its prefix length as ::/128
Since the unspecified address is ::/128, it follows that the default route for IPv6 is ::/0.
As for reserved addresses, you're certainly familiar with the private address ranges in IPv4. You also know that they're a bit spread out over the spectrum of IPv4 addresses! In IPv6, any address that begins with the bit stream "1111 1110 1" is a private address.
If you see an address with a great many zeroes at the beginning, it may well be an IPv4-compatible IPv6 address. Such an address is going to have zeroes for the first 96 bits, which makes zero compression even better! The rest of the bits will be a hexadecimal expression of the IPv4 address. You should know how to convert hex to decimal, so here's an example:
IPv6 Address To Convert: ::D190:4E71
Hex D1 = Decimal 209
Hex 90 = Decimal 144
Hex 4E = Decimal 78
Hex 71 = Decimal 113

The IPv4 address that was embedded into the IPv6 address is 209.144.78.113. Just another good reason to know your hex conversions!
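The text rules above (leading zero compression, zero compression with a single "::", identification by leading bits, and the hex-to-decimal recovery of the IPv4 address inside ::D190:4E71) are small enough to put into code, and doing so catches the mistakes people make by hand, such as a second "::". The following is an added example written for this page, not code from the course; it uses Python's ipaddress module only to cross-check its own output, and all sample addresses are either from the slides or constructed.

```python
"""IPv6 address text rules: the two compressions, type by leading bits, embedded IPv4.

Added example, not code from the original course. It implements the rules the
slides describe: leading zero compression (drop leading zeroes, keep at least
one digit per field), zero compression (one "::" only, for the longest run of
all-zero fields), identifying an address by its first bits, and recovering the
IPv4 address carried in an IPv4-compatible ::x.x.x.x address. Python's
ipaddress module is used only to cross-check the hand-rolled logic.
"""
import ipaddress
import re
from typing import List

FIELD_RE = re.compile(r"^[0-9A-Fa-f]{1,4}$")

def expand(addr: str) -> List[int]:
    """Eight 16-bit fields as integers; accepts full, leading-zero-compressed and one "::"."""
    if addr.count("::") > 1:
        raise ValueError('"::" may appear only once in an address')
    if "::" in addr:
        head, tail = addr.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError('"::" must stand for at least one zero field')
        text_fields = head_fields + ["0"] * missing + tail_fields
    else:
        text_fields = addr.split(":")
    if len(text_fields) != 8 or not all(FIELD_RE.match(x) for x in text_fields):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return [int(x, 16) for x in text_fields]

def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False

def full_form(fields: List[int]) -> str:
    """Original format: eight fields of exactly four hex digits."""
    return ":".join(f"{x:04X}" for x in fields)

def leading_zero_compression(fields: List[int]) -> str:
    """Drop leading zeroes in every field; an all-zero field keeps a single 0."""
    return ":".join(f"{x:X}" for x in fields)

def zero_compression(fields: List[int]) -> str:
    """Leading zero compression plus one "::" for the longest run of zero fields.
    A lone zero field is not collapsed and on a tie the first run wins (RFC 5952 form)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if fields[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and fields[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return leading_zero_compression(fields)
    head = ":".join(f"{x:X}" for x in fields[:best_start])
    tail = ":".join(f"{x:X}" for x in fields[best_start + best_len:])
    return f"{head}::{tail}"

def address_type(fields: List[int]) -> str:
    """Classify by the leading bits listed in the slides."""
    first = fields[0]
    if all(x == 0 for x in fields):
        return "unspecified"
    if fields[:7] == [0] * 7 and fields[7] == 1:
        return "loopback"
    if fields[:6] == [0] * 6:             # first 96 bits zero
        return "IPv4-compatible"
    if first >> 8 == 0xFF:                # 1111 1111 -> FF00::/8
        return "multicast"
    if first >> 6 == 0b1111111010:        # 1111 1110 10 -> FE80::/10
        return "link-local"
    if first >> 6 == 0b1111111011:        # 1111 1110 11 -> FEC0::/10
        return "site-local"
    if first >> 13 == 0b001:              # 001 -> 2000::/3
        return "global unicast"
    return "other"

def embedded_ipv4(fields: List[int]) -> str:
    """Dotted-decimal IPv4 address carried in the low 32 bits of ::x.x.x.x."""
    if fields[:6] != [0] * 6:
        raise ValueError("not an IPv4-compatible address")
    hi, lo = fields[6], fields[7]
    return f"{hi >> 8}.{hi & 0xFF}.{lo >> 8}.{lo & 0xFF}"

def agrees_with_stdlib(addr: str) -> bool:
    """Our compression must equal the ipaddress module's canonical form."""
    return zero_compression(expand(addr)).lower() == ipaddress.IPv6Address(addr).compressed

if __name__ == "__main__":
    for a in ("1234:1234:0000:0000:0000:0000:3456:3434", "::D190:4E71", "FE80::20A:41FF:FE64:31C2"):
        f = expand(a)
        print(full_form(f), "->", zero_compression(f), address_type(f))
    print("IPv4 inside ::D190:4E71:", embedded_ipv4(expand("::D190:4E71")))
```

Note that zero_compression leaves a lone zero field alone, so the slide's 1234:0:1234:0:1234:0:123:1234 comes out exactly as the slide shows it rather than with a "::" squeezed into one of the single-field gaps.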

You know what a multicast is, and that IPv4 multicast addresses are Class D addresses with a first octet value of 224 - 239. The IPv6 multicast range is much larger, but just as easy to remember. Any address that begins with "1111 1111", or "FF" in hex, is a multicast address -- the full prefix being FF00::/8.
IPv6 route aggregation gets fairly complicated due to the sheer length of the addresses, and this is more of a topic for your future IPv6 studies. You should know one term used with aggregation, though, and that is Site-Level Aggregator. An SLA can roughly be compared to an IPv4 subnet, except that there will be many more routes in an SLA than there will be in an IPv4 summary route.
Along with unicasts and multicasts, IPv6 introduces a unique address type, the anycast. An anycast address is actually assigned to multiple interfaces, and an anycast is delivered to the closest host that shares that anycast address. Hosts that share an anycast address are members of an anycast group.
That sounds kind of like multicasting, doesn't it? The key difference is that a multicast is sent to all members of the multicast group, while an anycast is sent to only one member of the anycast group - the closest one! How is "closest" defined?
On a LAN, the closest anycast group member is the first one that was learned. On a WAN, the closest anycast group member is determined by the routing protocol metric.
IPv4 has DHCP; IPv6's equivalent is autoconfiguration. There are two main types of autoconfiguration - stateless and stateful. Stateful autoconfiguration is used when the host obtains an IPv6 address and other information from a server. If that sounds kinda like DHCP, that's because it is - DHCPv6, actually! You hear the term stateful autoconfiguration more often than "DHCPv6", though, but you should know they're one and the same.
The key phrase there is "from a server". If the DHCPv6 server goes down, we're out of luck. With stateless autoconfiguration, there's no such dependency, and the entire process starts with the IPv6 host configuring its own link-local address! Obviously, this is a major change from IPv4.
The local host will create its own link-local address by using the link-local prefix FE80:: followed by the interface identifier, which itself is derived from the host's MAC address. If a host has an interface identifier of ABCD:1234:5678, the resulting link-local address will be FE80::ABCD:1234:5678.

At this point, the host will send a Neighbor Solicitation (NS) message to see if any other host on the link is using that same link-local address. The NS has a destination address of FF02::1, the "all-nodes" multicast address.
If another host on the link is using that address, that host will respond with a Neighbor Advertisement. When the host that sent the NS receives the NA, it will disable its link-local address. If the MAC addresses are unique, as they should be, this will not happen very often. This entire process is also called DAD - the Duplicate Address Detection procedure.
When the local host is satisfied that it has a unique link-local address, it will send a Router Solicitation (RS) onto the segment. The destination for the RS will be FF02::2, the "all-routers" multicast address.

What's the host soliciting? It needs additional configuration information from a router, which will be sent in the form of a Router Advertisement (RA). (Routers will also transmit RAs periodically without an express solicitation.) The router attaches the network prefix to the host's link-local address, which results in the host's full IPv6 address complete with network prefix.
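The slides say the interface identifier is "derived from the host's MAC address" without showing how. The standard derivation is the modified EUI-64 of RFC 4291: split the 48-bit MAC in half, insert FFFE in the middle, and invert the universal/local bit (bit 7 of the first octet). The added example below (written for this page, not from the course) builds the DAD candidate link-local address that way and then joins the same identifier to a /64 prefix as the RA step does. The MAC 000a.4164.31c2 and the prefix 2001:db8:1::/64 are constructed sample values; that particular MAC is the one that produces the neighbor link-local address FE80::20A:41FF:FE64:31C2 seen in the show ipv6 ospf neighbor detail output later in this section.

```python
"""Link-local and global addresses from a MAC, as stateless autoconfiguration forms them.

Added example, not from the original course. Implements the modified EUI-64
interface identifier (RFC 4291, Appendix A) and attaches it to FE80::/64 and
to a Router Advertisement prefix. Sample MAC and prefix are constructed.
"""
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")   # FE80::/64, first 8 bytes

def mac_to_eui64(mac: str) -> bytes:
    """8-byte modified EUI-64 from a 48-bit MAC.
    Accepts 00:0a:41:64:31:c2, 00-0a-41-64-31-c2 or Cisco's 000a.4164.31c2."""
    hexdigits = "".join(c for c in mac if c not in ":-.")
    if len(hexdigits) != 12:
        raise ValueError(f"MAC needs 12 hex digits: {mac!r}")
    octets = bytearray.fromhex(hexdigits)
    octets[0] ^= 0x02                      # invert the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])

def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 followed by the interface identifier: the DAD candidate."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + mac_to_eui64(mac))

def global_address(ra_prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix learned from a Router Advertisement plus the same identifier."""
    net = ipaddress.IPv6Network(ra_prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))

def eui64_to_mac(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Recover the MAC from an EUI-64 based address, or None if it isn't one.
    The identifier is reversible, so such addresses reveal the hardware address
    to anyone who sees the packet; RFC 4941 privacy addresses avoid that."""
    iid = bytearray(addr.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                         # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    mac = "000a.4164.31c2"                 # constructed sample MAC
    ll = link_local_address(mac)
    print("link-local:", ll.compressed.upper())            # FE80::20A:41FF:FE64:31C2
    print("global    :", global_address("2001:db8:1::/64", mac))
    print("MAC again :", eui64_to_mac(ll))
```

The reverse function is there for the defender's side of the story: a SLAAC address built this way carries the MAC in clear, which is useful in forensics when tying an IPv6 address to a NIC and is also the reason privacy extensions exist.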
We've got quite a few options for IPv6 routing protocols!


RIP for IPv6 - the actual name is RIPng (new generation)
EIGRP for IPv6
IS-IS for IPv6
OSPF v3 (Version 3, defined in RFC 2740)
Static routes are still available with IPv6
Multiprotocol BGP v4 (MPBGPVer4 or simply MPBGP)
Just as Cisco routers no longer support IGRP for IPv4 routing, there is no such thing as "IGRP for IPv6". To enable a Cisco router's IPv6 routing capabilities, run ipv6 unicast-routing.
R1(config)#ipv6 unicast-routing
OSPF For IPv6 (OSPF Version 3)
Of the IPv6-compatible protocols listed earlier, OSPF v3 is probably the one in the most widespread use today. Let's take a look at some basic OSPFv3 commands and compare OSPF v3 to IPv4's OSPF v2.
In IPv6, you're not going to start an OSPF configuration with router ospf. One major difference between OSPF v2 and OSPF v3 is that while OSPF v2 is enabled globally, OSPF v3 is enabled on a per-interface basis. This will automatically create a routing process.
R1(config-if)#ipv6 ospf 1 area 0
One similarity between the two versions is their use of the OSPF RID. OSPF v3 is going to use the exact same set of rules to determine the local router's RID - and OSPF v3 is going to use an IPv4 address as the RID! If there is no IPv4 address configured on the router, you'll need to use our old friend router-id to create the RID. The RID must be entered in IPv4 format, even if you're only running IPv6 on the router.
R1(config-rtr)#router-id 12.1.1.1
OSPF v3 NBMA configurations require neighbor statements, just like v2.
One major difference between the two is that OSPF v3 allows a link to be part of multiple OSPF instances, where OSPF v2 would allow a link to be part of only one.
OSPF v3 point-to-point and point-to-multipoint configurations do not elect DRs and BDRs, just like OSPF v2.
OSPF v3 headers are smaller than v2, since v3 headers have no authentication fields.
The OSPF v2 reserved address 224.0.0.5 is represented in OSPF v3 by FF02::5.
The OSPF v2 reserved address 224.0.0.6 is represented in OSPF v3 by FF02::6.
Before we begin the configuration, we need to enable IPv6 packet forwarding with ipv6 unicast-routing, the IPv6 version of Cisco Express Forwarding (CEF) with ipv6 cef, and the OSPF v3 process with ipv6 router ospf.

R1(config)#ipv6 unicast-routing
R1(config)#ipv6 cef
R1(config)#ipv6 router ospf 1
R1(config-rtr)#

R2(config)#ipv6 unicast-routing
R2(config)#ipv6 cef
R2(config)#ipv6 router ospf 1
R2(config-rtr)#
Remember - if you don't have any IPv4 addresses configured on the router, you must configure an OSPF RID with the router-id command!
R1(config)#ipv6 router ospf 1
R1(config-rtr)#router-id 1.1.1.1
R2(config)#ipv6 router ospf 1
R2(config-rtr)#router-id 2.2.2.2
Also remember - OSPF v3 interfaces are placed into areas at the interface level.
R1(config-rtr)#int fast 0/1
R1(config-if)#ipv6 ospf 1 ?
  area  Set the OSPF area ID
R1(config-if)#ipv6 ospf 1 area 0
R2(config-rtr)#int fast 0/1
R2(config-if)#ipv6 ospf 1 area 0
R2(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  authentication       Enable authentication
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay
One thing we still like to see in OSPF v3 are adjacencies! Here, the router console lets us know that an adjacency has just been formed. Note the message indicates that OSPF v3 is in use.
*Mar 4 16:13:48.623: %OSPFv3-5-ADJCHG: Process 1, Nbr 1.1.1.1 on FastEthernet0/1 from LOADING to FULL, Loading Done
Verify OSPF v3 adjacencies with show ipv6 ospf neighbor.


R2#show ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
1.1.1.1           1   FULL/BDR        00:00:30    10              FastEthernet0/1

R2#show ipv6 ospf neighbor detail
 Neighbor 1.1.1.1
    In the area 0 via interface FastEthernet0/1
    Neighbor: interface-id 10, link-local address FE80::20A:41FF:FE64:31C2
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 2.2.2.2 BDR is 1.1.1.1
    Options is 0x84EFB26D
    Dead timer due in 00:00:34
    Neighbor is up for 00:06:52
    Index 1/1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

R2#show ipv6 ospf
 Routing Process "ospfv3 1" with ID 2.2.2.2
 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
 Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
 LSA group pacing timer 240 secs
 Interface flood pacing timer 33 msecs
 Retransmission pacing timer 66 msecs
 Number of external LSA 0. Checksum Sum 0x000000
 Number of areas in this router is 1. 1 normal 0 stub 0 nssa
 Reference bandwidth unit is 100 mbps
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        SPF algorithm executed 3 times
        Number of LSA 6. Checksum Sum 0x0293F7
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0
The IPv6 equivalent of OSPF v2's clear ip ospf process is clear ipv6 ospf process. Just as with OSPF v2, the OSPF database is cleared out and then rebuilt with this command.

R1#clear ip ospf process
R1#
R1#
R1#clear ipv6 ospf process
Reset ALL OSPF processes? [no]: y
R1#
*Jan 22 02:46:33.535: %OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from FULL to DOWN, Neighbor Down: Interface down or detached
R1#
*Jan 22 02:46:41.879: %OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done
To migrate a network from IPv4 to IPv6, you're either translating or encapsulating. There are three primary methods of accomplishing this. The first is the dual stack. A host runs dual stack when it runs both IPv4 and IPv6 on an interface. Dual stack helps meet the migration challenge we face when end users want to keep using their favorite IPv4-based apps while the network moves forward to IPv6-based apps.
Another solution is the 6-to-4 tunnel. Cisco documentation states that setting up a 6-to-4 tunnel is very simple on the host ends of the tunnel. A 6-to-4 tunnel is also automatic, is torn down when the session ends, and is a scalable solution. 6-to-4 tunneling is accomplished by taking an IPv6 packet and encapsulating it into an IPv4 packet for transport across the IPv4 section of the network, then de-encapsulating it when the remote edge router is ready to route it across the IPv6 network. The IPv6 networks shown in this method are IPv6 islands.
6to4 tunnels also have a reserved IPv6 address prefix for edge routers such as the ones shown below. These prefixes begin with 2002 and are followed by the router's IPv4 address expressed in hex. These prefixes carry a /48 prefix, such as 2002:1234:83cd::/48.
The IPv4 address of the interface involved in the tunneling is vital in determining the correct IPv6 address for the tunnel. Let's say the IPv4 address of the router on the left is 220.200.18.42. We know the address for the corresponding tunnel interface begins with 2002 - but what's the rest of it? Breaking down each octet into hex, we get:
220 = 13 units of 16, 12 units of 1 = hex value is DC
200 = 12 units of 16, 8 units of 1 = hex value is C8
18 = 1 unit of 16, 2 units of 1 = hex value is 12
42 = 2 units of 16, 10 units of 1 = hex value is 2A
The IPv6 address for the tunnel interface is 2002:DCC8:122A::/48.
R1(config)#int fast 0/1
R1(config-if)#ip address 220.200.18.42 255.255.255.0
R1(config-if)#int tunnel0
R1(config-if)#ipv6 address 2002:DCC8:122A::/48
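The octet-by-octet hex conversion above is exactly what a 6to4 router does in both directions: it forms its own 2002::/48 prefix from its IPv4 address, and when it forwards toward a 2002::/16 destination it reads the IPv4 address of the far tunnel endpoint back out of bits 16 to 47. The added example below (written for this page, not code from the course) does both; for 220.200.18.42 the slide's own arithmetic (1 unit of 16, 2 units of 1 for 18) gives 2002:DCC8:122A::/48. The destination 2002:1234:83cd:: is the slide's earlier sample prefix with a constructed host part.

```python
"""6to4 prefix derivation in both directions.

Added example, not from the original course. Converts each octet of the
router's IPv4 address to hex and places the result after 2002:, and extracts
the IPv4 tunnel endpoint from a 6to4 destination. Cross-checked against the
ipaddress module's own 6to4 support.
"""
import ipaddress
from typing import Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")

def octet_to_hex(octet: int) -> Tuple[int, int, str]:
    """Units of 16, units of 1, and the two-digit hex value, as the slides lay it out."""
    if not 0 <= octet <= 255:
        raise ValueError("an octet is 0..255")
    sixteens, ones = divmod(octet, 16)
    return sixteens, ones, f"{octet:02X}"

def sixto4_prefix(ipv4: str) -> str:
    """2002:VVVV:WWWW::/48, where VVVV:WWWW is the IPv4 address in hex."""
    o = ipaddress.IPv4Address(ipv4).packed
    return f"2002:{o[0]:02X}{o[1]:02X}:{o[2]:02X}{o[3]:02X}::/48"

def tunnel_endpoint(ipv6: str) -> str:
    """IPv4 address embedded in bits 16-47 of a 6to4 address: where the router
    must send the encapsulating IPv4 packet."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        raise ValueError(f"{ipv6} is not a 6to4 (2002::/16) address")
    return str(ipaddress.IPv4Address(addr.packed[2:6]))

def agrees_with_stdlib(ipv6: str) -> bool:
    """The ipaddress module exposes the same extraction as IPv6Address.sixtofour."""
    return tunnel_endpoint(ipv6) == str(ipaddress.IPv6Address(ipv6).sixtofour)

if __name__ == "__main__":
    for octet in (220, 200, 18, 42):
        s, o, h = octet_to_hex(octet)
        print(f"{octet} = {s} units of 16, {o} units of 1 = hex {h}")
    print("prefix for 220.200.18.42:", sixto4_prefix("220.200.18.42"))
    print("endpoint for 2002:1234:83cd::1:", tunnel_endpoint("2002:1234:83cd::1"))
```

Because the far end's IPv4 address is taken straight from the destination prefix, a 6to4 router will happily encapsulate toward whatever IPv4 address a 2002::/16 destination encodes; that is what makes the tunnel "automatic", and it is also why such routers are usually paired with filtering of the IPv4 endpoints they accept.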
Another method of cutting over from one version to the other is Network Address Translation - Protocol Translation. NAT-PT works much like plain old NAT. If you have IPv6 hosts that need to intercommunicate with IPv4 hosts on another segment, NAT-PT may be the perfect solution.
NAT routers translate private IPv4 addresses to public IPv4 addresses, and back again; NAT-PT routers translate IPv6 addresses to IPv4 addresses, and back again. And speaking of NAT.....

NAT allows a network host with a private IP address to have the source IP address of their packets "translated" into a routable address. Otherwise, hosts with RFC 1918 private addresses could not access the Internet, nor could they communicate with remote hosts across a WAN. Routers recognize the private addresses as unroutable. Without NAT or PAT, the host in the following example cannot access any web-based hosts.
Port Address Translation (PAT) allows a single routable IP address to be used by multiple inside private IP hosts. The private IP addresses are translated to the same public IP, but each host will use a different port number. PAT is commonly referred to as "overloading".
The private IP address ranges are defined by RFC 1918, and they fall into these ranges:
Class A: 10.0.0.0 /8
Class B: 172.16.0.0 /12
Class C: 192.168.0.0 /16

Note that the masks that accompany these private address ranges are not the network masks for the classes (/8, /16, /24).
Inside local addresses are used by hosts on the inside network to communicate with other hosts on that same network. These are the addresses that are actually configured on the hosts. In the earlier diagram, the inside local address is 10.1.1.1 /16. These inside local addresses are translated into inside global addresses. Inside global addresses are routable addresses. In the previous illustration, we haven't configured NAT yet, so there is no inside global address.
Outside global addresses are the addresses assigned by NAT on a remote network. Finally, outside local addresses are the actual addresses of remote hosts on the remote network. These will be RFC 1918 private addresses as well. The terms "inside" and "outside" are relative - if they're addresses on your end of the WAN, they're inside. If they're addresses assigned on the remote end of the WAN, they're outside.
R3(config)#interface ethernet0
R3(config-if)#ip address 10.5.5.100 255.0.0.0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip address 210.1.1.1 255.255.255.0
R3(config-if)#ip nat outside
R3(config-if)#exit
R3(config)#ip nat inside source static 10.5.5.5 210.1.1.2
R3(config)#ip nat inside source static 10.5.5.6 210.1.1.3
R3(config)#ip nat inside source static 10.5.5.7 210.1.1.4

R3#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 210.1.1.2          10.5.5.5           ---                ---
--- 210.1.1.3          10.5.5.6           ---                ---
--- 210.1.1.4          10.5.5.7           ---                ---

R3#show ip nat statistics
Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0
Inside interfaces:
  Ethernet0
Hits: 0  Misses: 0
Expired translations: 0

Dynamic NAT
The obvious problem with Static NAT is that it's not a scalable solution. If you have only a few hosts that need Internet access, it's fine, but most organizations have quite a few hosts that are using private addresses and need Internet access. Dynamic NAT allows a pool of inside global addresses to be created. The public IP addresses are mapped to a private address as needed, and the mapping is dropped when the communication ends. There's no permanent one-to-one mapping as we saw with Static NAT.
R3#conf t
R3(config)#access-list 1 permit 10.5.5.0 0.0.0.255
R3(config)#interface ethernet0
R3(config-if)#ip nat inside
R3(config-if)#interface serial0
R3(config-if)#ip nat outside
R3(config-if)#exit
R3(config)#ip nat inside source list 1 pool NATPOOL
R3(config)#ip nat pool NATPOOL 200.1.1.2 200.1.1.5 netmask 255.255.255.0

R3#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Serial0
Inside interfaces:
  Ethernet0
Hits: 0  Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 1 pool NATPOOL refcount 0
 pool NATPOOL: netmask 255.255.255.0
        start 200.1.1.2 end 200.1.1.5
        type generic, total addresses 4, allocated 0 (0%), misses 0

Port Address Translation is simple to configure. Instead of referring to a NAT pool with the ip nat inside source command, refer to the outside interface followed by the word overload.
R2(config)#int ethernet0
R2(config-if)#ip nat inside
R2(config-if)#int serial0
R2(config-if)#ip nat outside
R2(config-if)#exit
R2(config)#ip nat inside source list 1 interface serial0 overload
R2(config)#access-list 1 permit 10.5.5.0 0.0.0.255
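The scaling argument behind the three NAT styles (static is one-to-one, a dynamic pool runs out, PAT shares one address by port) is easy to see if the translation table is modelled. The following is an added example written for this page, not code from the course or from IOS; it models the lookup and allocation logic only, with hit and miss counters in the spirit of show ip nat statistics (a hit matches an existing translation, a miss does not and forces a new one to be created). The pool 200.1.1.2-200.1.1.5 and the outside address 210.1.1.1 come from the slides; the inside hosts 10.5.5.5 through 10.5.5.9 and their ports are constructed.

```python
"""Model of static NAT, dynamic NAT from a pool, and PAT overload.

Added example, not from the original course. Simulates the lookup and
allocation behaviour of the three translation styles so their scaling
difference is visible. Sample hosts and ports are constructed.
"""
from typing import Dict, List, Optional, Tuple

class NatRouter:
    def __init__(self, static: Optional[Dict[str, str]] = None,
                 pool: Optional[List[str]] = None,
                 overload_address: Optional[str] = None) -> None:
        self.static = dict(static or {})               # inside local -> inside global
        self.pool = list(pool or [])                   # free inside global addresses
        self.overload_address = overload_address       # outside interface address for PAT
        self.dynamic: Dict[str, str] = {}              # inside local -> inside global
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (local, port) -> (global, port)
        self.next_port = 1024
        self.hits = 0
        self.misses = 0

    def translate(self, inside_local: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Outside (address, port) for a packet, or None when no translation can be made."""
        if inside_local in self.static:
            self.hits += 1
            return self.static[inside_local], src_port
        if inside_local in self.dynamic:
            self.hits += 1
            return self.dynamic[inside_local], src_port
        if (inside_local, src_port) in self.pat:
            self.hits += 1
            return self.pat[(inside_local, src_port)]
        self.misses += 1
        if self.pool:                                   # dynamic NAT: one address per host
            self.dynamic[inside_local] = self.pool.pop(0)
            return self.dynamic[inside_local], src_port
        if self.overload_address:                       # PAT: one address, a port per flow
            entry = (self.overload_address, self.next_port)
            self.next_port += 1
            self.pat[(inside_local, src_port)] = entry
            return entry
        return None                                     # pool exhausted and no overload

    def active_translations(self) -> int:
        return len(self.static) + len(self.dynamic) + len(self.pat)

def demo_dynamic_pool() -> Tuple[int, int, int]:
    """Five inside hosts against the four-address pool from the slides.
    Returns (hosts translated, hits, misses)."""
    r = NatRouter(pool=["200.1.1.2", "200.1.1.3", "200.1.1.4", "200.1.1.5"])
    results = [r.translate(f"10.5.5.{h}", 40000 + h) for h in range(5, 10)]
    r.translate("10.5.5.5", 40005)                      # repeat traffic from a mapped host: a hit
    return sum(1 for x in results if x is not None), r.hits, r.misses

def demo_pat() -> Tuple[int, int, int]:
    """Same five hosts, all using source port 40000, one outside address with overload.
    Returns (hosts translated, distinct outside addresses, distinct outside ports)."""
    r = NatRouter(overload_address="210.1.1.1")
    outs = [r.translate(f"10.5.5.{h}", 40000) for h in range(5, 10)]
    return len(outs), len({a for a, _ in outs}), len({p for _, p in outs})

if __name__ == "__main__":
    print("dynamic pool (translated, hits, misses):", demo_dynamic_pool())
    print("PAT (translated, addresses, ports):", demo_pat())
```

In the pool run the fifth host gets None back: that is the "misses" counter climbing with nothing allocated, the situation the slides describe as Static and Dynamic NAT not scaling. PAT never refuses, because every new flow only costs a port.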
Let's say you configured NAT a while back on the 10.1.0.0 /16 network. The ACL in your NAT config looks like this:
R2(config)#access-list 1 permit 10.1.0.0 0.0.255.255

R2(config)#access-list 1 permit 10.1.0.0 0.0.255.255
R2(config)#access-list 1 permit 10.3.0.0 0.0.255.255

A little ACL tip here as well... we could have written a single-line ACL that matches both networks.....
R2(config)#access-list 1 permit 10.0.0.0 0.3.255.255

... but that also matches 10.2.0.0 /16, and we might not want that. Be careful! :)
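The tip is worth checking in code, because an over-wide wildcard in a NAT ACL quietly translates (and so exposes) networks you never intended. The added example below is written for this page, not code from the course; it evaluates a standard ACL the way the router does (first match wins, unmatched traffic falls to the implicit deny) and converts a contiguous wildcard into the CIDR block it really covers. The ACL lines are the ones from the slides; the source addresses being tested are constructed.

```python
"""Standard ACL wildcard matching, first-match evaluation, and the implicit deny.

Added example, not from the original course. In a wildcard mask a 0 bit means
"must match" and a 1 bit means "don't care", the reverse of a subnet mask.
The ACL entries are the slides'; the tested source addresses are constructed.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str]          # (action, address, wildcard)

ACL_TWO_LINES: List[Entry] = [
    ("permit", "10.1.0.0", "0.0.255.255"),
    ("permit", "10.3.0.0", "0.0.255.255"),
]
ACL_ONE_LINE: List[Entry] = [("permit", "10.0.0.0", "0.3.255.255")]

def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks as 'must match' agrees."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(acl_address))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate_standard_acl(entries: List[Entry], source: str) -> str:
    """First matching line decides; anything unmatched hits the implicit deny."""
    for action, acl_address, wildcard in entries:
        if wildcard_match(source, acl_address, wildcard):
            return action
    return "deny"

def wildcard_to_cidr(acl_address: str, wildcard: str) -> ipaddress.IPv4Network:
    """CIDR block equivalent to a contiguous wildcard (all the 1 bits at the low end)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard has no single CIDR equivalent")
    return ipaddress.IPv4Network((acl_address, 32 - w.bit_length()), strict=False)

def covered_slash16s(acl_address: str, wildcard: str) -> List[str]:
    """The /16 networks a contiguous wildcard line really permits."""
    net = wildcard_to_cidr(acl_address, wildcard)
    if net.prefixlen > 16:
        return [str(net)]
    return [str(s) for s in net.subnets(new_prefix=16)]

if __name__ == "__main__":
    for src in ("10.1.7.7", "10.2.5.5", "10.3.9.9", "10.4.0.1"):
        print(src, "two-line:", evaluate_standard_acl(ACL_TWO_LINES, src),
              " one-line:", evaluate_standard_acl(ACL_ONE_LINE, src))
    print("10.0.0.0 0.3.255.255 covers", covered_slash16s("10.0.0.0", "0.3.255.255"))
```

Running it shows 10.2.5.5 denied by the two-line list and permitted by the one-liner, and covered_slash16s spells out why: 10.0.0.0 0.3.255.255 is 10.0.0.0/14, which is 10.0, 10.1, 10.2 and 10.3.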
Video 7 VPNs and IPSec

VPNs and IPSec


Definitions and Tunneling Protocols
Data Encryption Technologies
Key Encryption Schemes
IPSec, AH and ESP
A VPN in Your Web Browser

VPNs offer three vital functions, all of which are important in today's networks. Note that two of these occur at the receiver, and one at the sender. Data origin authentication allows the receiver to guarantee the source of the packet.
Encryption is just that - the sender encrypts the packets before sending them. If an intruder picks them off the wire, they will have no meaning.

Integrity is the receiver's ability to ensure that the data was not affected or altered in any fashion as it traveled across the VPN.

There are three different protocols we can use to create this tunnel. Originally defined in RFC 1701, Generic Routing Encapsulation (GRE) enables a Cisco router to encapsulate a packet in an IP header. When the packet reaches the remote router, the header is stripped off. GRE's drawback is that there's no encryption scheme, and that's a pretty big drawback. Defined in RFC 2661, the Layer 2 Tunneling Protocol (L2TP) is actually a hybrid of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's own Layer 2 Forwarding (L2F). Again, the major drawback is that L2TP doesn't have an encryption scheme either.

This drawback is corrected by IP Security, generally referred to as IPSec. IPSec does offer encryption along with authentication, and that's why you'll see more IPSec in today's networks than L2TP or GRE. That's also why we're going to spend the majority of this section working with IPSec.

A couple of the tunneling protocols we've already mentioned - L2TP and L2F - obviously work at Layer 2 of the OSI model. Tunneling protocols can actually run at different OSI layers:
Secure Shell (SSH) and Secure/Multipurpose Internet Mail Extensions (S/MIME) both run at the Application layer.
Secure Sockets Layer (SSL) runs at the Transport layer, although some documentation lists it as running at the Presentation layer.
As mentioned, L2TP and L2F both run at the Data Link layer.

There are two general types of remote access VPNs, and the name of one of them is a little misleading. The obvious one is client-initiated, where a remote user will use a VPN client to create a secure tunnel across an ISP's network to the enterprise network. The oddly-named Network Access Server-initiated VPN starts with the remote user as well. The user will dial in to a Network Access Server, and the NAS is the device that creates a secure tunnel to the enterprise network.
Data Confidentiality means that only the devices that should see the data in an unencrypted form will. Generally, this is achieved by one endpoint encrypting the data and sending it across the link in that fashion, with the second endpoint decrypting the data. Data Integrity means that the recipient of the data can guarantee that the received data is the same as the transmitted data - in short, that the data was not altered during transport.
Data Origin Authentication guarantees that the data originated from a specific endpoint. Anti-replay protection (sometimes just called "replay protection") protects against replay attacks, a malicious repeat and/or delay of a valid transmission.
Data Encryption Technologies


For data to be encrypted, it follows that something's got to perform this encryption! One such encryption tool is the Data Encryption Standard (DES). DES was developed in 1976, and a few problems have developed with DES since then. The main issue is that the key used by DES to encrypt data is only 56 bits in size. (A key is a random string of binary digits.)
Thirty years ago, that was fine, but then again floppy disks used to be the largest storage unit any of us needed! Depending on whose documentation you read, DES keys can be broken in any time frame from 24 hours to ten minutes. That's bad, no matter how long it takes! Triple DES (TDES) is just what it sounds like - the DES encryption procedure is run three times, with three different 56-bit DES keys. That's a total of 168 bits, but the effective security provided is considered to be only 112 bits.
TDES is sometimes referred to as 3DES, and you may see it expressed that way on your exam; however, to avoid confusion with TDES variations 2TDES and 3TDES, the "3DES" abbreviation is discouraged.

The Advanced Encryption Standard (AES) is being rapidly adopted by governments and organizations around the world. AES can run on any Cisco router that has IPSec DES/3DES capability. The actual function of AES is far beyond the scope of this exam, but it really is quite fascinating. Visit www.wikipedia.org and search on "advanced encryption standard" to learn exactly how it works.
Symmetric encryption is an algorithm where the key that is used for encryption is also used for decryption. Symmetric encryption is sometimes called secret key encryption. Variations of symmetric encryption include stream algorithms, where one bit or byte is encrypted/decrypted at a time, and block algorithms, where blocks of data are encrypted/decrypted as a whole. These data blocks are usually 64 bits in size. Both DES and TDES use symmetric encryption.

The drawback to symmetric encryption is that the key is used for two purposes, making it that much easier for an intruder to discover the key. Proper key management is vital (and that can be said for asymmetric encryption as well!)
In contrast, asymmetric encryption involves two keys for both the sender and receiver. This public key encryption scheme involves a public and private key for each user. Before starting the actual encryption process, the public key should be certified by a third party called a Certificate Authority (CA).
If "Dan" has a public key, the CA will make sure Dan is who he says he is, and the CA will then issue a digital certificate saying just that. The digital certificate binds Dan's public key to his identity and is signed with the CA's private root key.
The CA may be global, such as www.verisign.com, or it may be a CA in your very own organization. The key here (no pun intended) is that you better trust your CA, because the entire public key encryption process is built around the CA verifying users and their public keys.
It seems like quite a Catch-22; to create the VPN, we need the endpoints to exchange secret keys, but since the VPN doesn't exist yet, the secret keys must be exchanged over a non-secure connection! The algorithm RIP uses will also help us out here. The Diffie-Hellman algorithm allows the exchange of secret keys over a non-secure communications channel. Referred to in some documentation as exponential key agreement, this protocol was also designed in 1976 - but it's still in use today in networks around the world.
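The Catch-22 is resolved by the fact that what crosses the non-secure channel is not the secret itself. Each side keeps a private exponent, publishes only g^x mod p, and raises the other side's public value to its own private exponent; both land on the same number, and that number is what gets turned into the symmetric key the VPN's cipher (DES, TDES, AES) will use. The following is an added example written for this page, not code from the course. The p=23, g=5 numbers are the classic textbook values used only so the arithmetic can be followed by hand; the default modulus is a Mersenne prime chosen here as a constructed toy size, not one of the groups IKE actually negotiates.

```python
"""Diffie-Hellman: agreeing on a secret over a channel anyone can read.

Added example, not from the original course. The default parameters are a
constructed toy size; the p=23, g=5 walk-through is the textbook example.
"""
import hashlib
import secrets
from typing import Tuple

P = 2**127 - 1     # Mersenne prime M127: toy modulus, real IKE groups are 2048 bits and up
G = 2

def generate_keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Private exponent in [2, p-2] and the public value g^x mod p."""
    private = 2 + secrets.randbelow(p - 3)
    return private, pow(g, private, p)

def shared_secret(own_private: int, peer_public: int, p: int = P) -> int:
    """peer_public^own_private mod p, after rejecting degenerate public values
    (0, 1 and p-1 would pin the result to a known value)."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value must be in (1, p-1)")
    return pow(peer_public, own_private, p)

def derive_key(secret: int, length: int = 16) -> bytes:
    """Turn the agreed number into a fixed-length symmetric key (SHA-256, truncated)."""
    size = max(1, (secret.bit_length() + 7) // 8)
    return hashlib.sha256(secret.to_bytes(size, "big")).digest()[:length]

def exchange(p: int = P, g: int = G) -> Tuple[bytes, bytes, Tuple[int, int, int, int]]:
    """Run one full exchange; returns both derived keys and what the wire revealed."""
    a_priv, a_pub = generate_keypair(p, g)
    b_priv, b_pub = generate_keypair(p, g)
    on_the_wire = (p, g, a_pub, b_pub)      # the only values an eavesdropper sees
    k_a = derive_key(shared_secret(a_priv, b_pub, p))
    k_b = derive_key(shared_secret(b_priv, a_pub, p))
    return k_a, k_b, on_the_wire

def keys_match() -> bool:
    k_a, k_b, _ = exchange()
    return k_a == k_b

if __name__ == "__main__":
    k_a, k_b, wire = exchange()
    print("keys match:", k_a == k_b)
    print("eavesdropper saw p, g, A, B:", wire)
    # Textbook walk-through: p=23, g=5, a=6 -> A=8, b=15 -> B=19, shared secret 2
    print(shared_secret(6, pow(5, 15, 23), 23), shared_secret(15, pow(5, 6, 23), 23))
```

The check in shared_secret matters in practice: a peer that sends 0, 1 or p-1 as its public value would force the "secret" to a value it already knows, so real implementations reject those before doing anything else.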
IPSec is a combination of three following protocols:


Authentication Header (AH), which defines a method for authentication and securing data
Encapsulating Security Payload (ESP), which defines a method for authenticating, securing, and encrypting data
Internet Key Exchange (IKE), which negotiates the security parameters and authentication keys
Defined in RFC 2402, Authentication Header (AH) offers solid security -- it provides data origin authentication as well as offering optional anti-replay protection. The drawback with AH is that the authentication it provides for the IP Header is not complete. That's because some of the IP fields can't be correctly predicted by the receiver - these are mutable fields which may change during transmission. AH will successfully protect the IP packet's payload, though, which is really what we're interested in.
To sum it up, AH does offer:


data origin authentication
data integrity
anti-replay protection (optional)

AH does not offer data confidentiality.

The Encapsulating Security Payload (ESP) does just that - as you can see from the IPSec packet illustration, there is an ESP Header and ESP Trailer surrounding, or encapsulating, the data. ESP offers all of the following:
data origin authentication
anti-replay protection
data confidentiality
Comparing AH and ESP, you might be wondering why you'd ever choose AH over ESP. Here are a few things to consider:
ESP is more processor-intensive than AH. If your data does not require data confidentiality, AH may meet all your requirements.
ESP requires strong cryptography, which isn't available and/or allowed everywhere. AH has no such requirement.
Both ESP and AH can be run in one of two modes: Tunnel Mode and Transport Mode. In Tunnel mode, the entire IPSec process is transparent to the end hosts; specialized IPSec gateway devices handle the IPSec workload. The entire IP packet is encrypted, and then that encrypted packet is placed into another IP packet. This total encapsulation results in a kind of "virtual tunnel" being created between the two endpoints.
The end hosts themselves perform the encapsulation when Transport mode is used, which naturally means that IPSec has to be running on those hosts. No new IP header is attached when Transport mode is in use.


When you're about to enter credit card information on a website, you should see the "http" in the address bar turn to "https". That means you're using Secure Socket Layer (SSL), which will encrypt this sensitive information. SSL is now being used to create VPNs as well, allowing you to use your web browser to connect to a VPN! Most VPN software is easy to work with, but frankly, some of it's not. Using SSL VPNs means no additional software has to be purchased or installed. Cisco is hardly the only vendor pushing out SSL VPNs. To look into the many options for SSL VPNs today, just search on "SSL VPN" in your favorite search engine and you'll find quite a few solutions.


Video 8 ACLs and Route Summarization


ACLs and Route Summarization


ACL Login and the Implicit Deny
Standard ACLs and Remarks
Host and Any
The Order of the Lines
Extended ACLs
Named ACLs
Telnet Access, Placing ACLs, and Blocking Pings
Dynamic and Time-Based ACLs
Port Number Review
Route Summarization with RIP and EIGRP

The basic purpose of Access Control Lists (ACLs) is to allow a router to permit or deny packets based on a variety of criteria. The ACL is configured in global mode, but is applied at the interface level. An ACL does not take effect until it is expressly applied to an interface with the ip access-group command. Packets can be filtered as they enter or exit an interface.
When a packet enters or exits an interface with an ACL applied, the packet is compared against the criteria of the ACL. If the packet matches the first line of the ACL, the appropriate permit or deny action is taken. If there is no match, the second line's criteria are examined. Again, if there is a match, the appropriate action is taken; if there is no match, the third line of the ACL is compared to the packet.

This process continues until a match is found, at which time the ACL stops running. If no match is found, an implicit deny is applied to the packet. If a packet is not expressly permitted by a line in the ACL, it will be subject to the implicit deny. Take special note of the implicit deny feature. Forgetting about this deny is the #1 reason for ACLs not giving you the desired results.

A standard ACL is concerned with only one factor, the source IP address of the packet. The destination IP address is not considered. Extended ACLs consider both the source and destination IP address of the packet, and can consider the port number as well. You'll see some of those options later in this section.
ACLs use wildcard masks to determine what part of a network number should and should not be examined for matches against the ACL. Wildcard masks are written in binary, and then converted to dotted decimal for router configuration. A zero bit tells the router that this particular bit must match; a one bit is an "I don't care" bit, meaning the ACL does not care whether that bit matches or not.

Standard ACLs consider only the source IP address for matches. The ACL lines are run from top to bottom. If there is no match on the first line, the second is run; if no match on the second, the third is run, and so on until there is a match, or the end of the ACL is reached. This top-to-bottom process places special importance on the order of the lines. This theory is true of all ACLs. There is an implicit deny at the end of every ACL. If packets are not expressly permitted, they are implicitly denied.

If Router 3's Ethernet interface should only accept packets with a source network of 172.12.12.0, the ACL will be configured like this:
R3(config)#access-list 5 permit 172.12.12.0 0.0.0.255

Overall, using an ACL to deny or permit traffic at the interface level is a two-step process:
Write the ACL with the access-list command.
Apply the ACL with the ip access-group command. You must specify the direction of the packets to which the ACL will be applied, either in(bound) or out(bound).

A great rule of thumb when determining the effect of an ACL: "If traffic isn't explicitly permitted, it's implicitly denied."


Access lists can become quite large and intricate. If one admin writes an ACL and another admin comes in six months later to troubleshoot an issue, that second admin may have no idea what the ACL was trying to accomplish. Believe me, when you see a convoluted 70-line ACL that just doesn't make sense to you, you'll wish there was some kind of basic explanation!
It is acceptable to configure a wildcard mask of all ones or all zeroes. A wildcard mask of 0.0.0.0 means the address specified in the ACL line must be matched exactly; a wildcard mask of 255.255.255.255 means that all addresses will match the line.

Wildcard masks have the option of using the word host to represent a wildcard mask of 0.0.0.0. Consider a configuration where only packets from IP source 10.1.1.1 should be allowed and all other packets denied. The following ACLs both do that.

R3#conf t
R3(config)#access-list 6 permit 10.1.1.1 0.0.0.0

R3#conf t
R3(config)#access-list 7 permit host 10.1.1.1


The keyword any can be used to represent a wildcard mask of 255.255.255.255. Both of the following lines permit all traffic.
R3(config)#access-list 15 permit any
R3(config)#access-list 15 permit 0.0.0.0 255.255.255.255
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255

R3(config)#access-list 15 deny 172.18.18.0 255.0.0.0
R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18.0 255.0.0.0


Here are the two remaining possibilities:


R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
R3(config)#access-list 15 permit any

R3(config)#access-list 15 permit any
R3(config)#access-list 15 deny 172.18.18.0 0.0.0.255
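To make the top-to-bottom, first-match logic and the wildcard-mask rule concrete, here is an added Python model of a standard ACL evaluator (not Cisco code and not from the course). It parses the access-list lines exactly as written on the slides, including host and any, and shows that the two orderings of list 15 give opposite results for a 172.18.18.0/24 source, that a non-matching list ends in the implicit deny, and what the 255.0.0.0 wildcard from the slide actually matches.

```python
import ipaddress


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr, acl_addr, wildcard):
    """A 0 bit in the wildcard means 'this bit must match'; a 1 bit means 'don't care'."""
    must_match = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(packet_addr) & must_match) == (_as_int(acl_addr) & must_match)


def parse_standard(line):
    """Turn 'access-list N permit|deny <addr> [wildcard]', '... host <addr>' or
    '... any' into (action, address, wildcard)."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]                          # drop 'access-list' and the list number
    action = t[0]
    if t[1] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if t[1] == "host":
        return action, t[2], "0.0.0.0"
    wildcard = t[2] if len(t) > 2 else "0.0.0.0"   # IOS assumes 0.0.0.0 when the wildcard is omitted
    return action, t[1], wildcard


def evaluate_standard(acl_lines, source_ip):
    """Top to bottom, first match wins. No match at all falls through to the implicit deny."""
    for line in acl_lines:
        action, addr, wc = parse_standard(line)
        if wildcard_match(source_ip, addr, wc):
            return action
    return "deny (implicit)"


# The lists from the slides above.
DENY_THEN_PERMIT = [
    "access-list 15 deny 172.18.18.0 0.0.0.255",
    "access-list 15 permit any",
]
PERMIT_THEN_DENY = list(reversed(DENY_THEN_PERMIT))
SUBNET_MASK_AS_WILDCARD = [
    "access-list 15 deny 172.18.18.0 255.0.0.0",   # a subnet mask typed where a wildcard belongs
    "access-list 15 permit any",
]


def demo():
    return {
        "deny first, host in 172.18.18.0/24": evaluate_standard(DENY_THEN_PERMIT, "172.18.18.7"),
        # The permit any line matches everything, so the deny line is never reached.
        "permit first, same host": evaluate_standard(PERMIT_THEN_DENY, "172.18.18.7"),
        # With wildcard 255.0.0.0 only the last three octets must equal 18.18.0,
        # so the intended network is NOT blocked, while 10.18.18.0 is.
        "wrong mask, 172.18.18.7": evaluate_standard(SUBNET_MASK_AS_WILDCARD, "172.18.18.7"),
        "wrong mask, 10.18.18.0": evaluate_standard(SUBNET_MASK_AS_WILDCARD, "10.18.18.0"),
        # List 5 from the slide permits only 172.12.12.0/24; anything else hits the implicit deny.
        "list 5, unlisted source": evaluate_standard(["access-list 5 permit 172.12.12.0 0.0.0.255"], "10.1.1.1"),
        "host keyword": evaluate_standard(["access-list 7 permit host 10.1.1.1"], "10.1.1.1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-38s %s" % (case, result))
```

The "wrong mask" case is the one worth remembering: a wildcard of 255.0.0.0 on 172.18.18.0 does not mean "the 172 network"; it means "any first octet, as long as the rest is 18.18.0", which is why the deny silently stops working.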


Extended ACLs allow both the IP source and destination address to be matched. Actually, they require it. Even if you don't want to use either of those two criteria for matching, you still have to put any for the one you don't want to use. The source port, destination port, and protocol type can also be matched. These are truly optional options - you don't have to specify a value for any of those options if you're not using them to match traffic.
Two rules regarding the direction of the ACL: A single interface can have two ACLs applied to it for each protocol - one for outbound traffic and the other for inbound traffic. To illustrate what happens when you configure two ACLs in the same direction and for the same protocol, I've created another extended ACL that matches any TCP traffic, regardless of source or destination IP address, as long as the destination port is port 80.
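An added example, again in Python and not from the course, of how an extended ACL line is matched against a packet's protocol, source, destination and ports, including the rule that both address fields are mandatory (hence any). The Interface class models ip access-group with one list per protocol per direction; that applying a second list in the same direction replaces the first is IOS behaviour I am adding here, not something the slide states. The access-list 101 and 102 lines and the packets are constructed for the example.

```python
import ipaddress


def _as_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr, acl_addr, wildcard):
    must_match = ~_as_int(wildcard) & 0xFFFFFFFF
    return (_as_int(packet_addr) & must_match) == (_as_int(acl_addr) & must_match)


def _take_addr(t, i):
    """Consume 'any', 'host A' or 'A W' starting at token i; return (addr, wildcard, next_i)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2


def _take_port(t, i):
    """Consume an optional 'eq <port>'; None means any port."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_extended(line):
    """access-list N permit|deny <proto> <src> [eq p] <dst> [eq p]"""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    e = {"action": t[0], "proto": t[1]}
    e["src"], e["src_wc"], i = _take_addr(t, 2)
    e["sport"], i = _take_port(t, i)
    e["dst"], e["dst_wc"], i = _take_addr(t, i)
    e["dport"], i = _take_port(t, i)
    return e


def entry_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], e["src"], e["src_wc"]):
        return False
    if not wildcard_match(pkt["dst"], e["dst"], e["dst_wc"]):
        return False
    if e["sport"] is not None and pkt.get("sport") != e["sport"]:
        return False
    if e["dport"] is not None and pkt.get("dport") != e["dport"]:
        return False
    return True


def evaluate_extended(acl_lines, pkt):
    for line in acl_lines:
        e = parse_extended(line)
        if entry_matches(e, pkt):
            return e["action"]
    return "deny (implicit)"


class Interface:
    """Model of ip access-group: one ACL per protocol per direction. Applying a
    second list in the same direction replaces the first (IOS behaviour, added here)."""

    def __init__(self):
        self.groups = {}

    def ip_access_group(self, acl_name, direction):
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        self.groups[("ip", direction)] = acl_name
        return self.groups[("ip", direction)]


# Constructed lists: the first is the "TCP to port 80 from anywhere" list described above.
WEB_ONLY = ["access-list 101 permit tcp any any eq 80"]
TELNET_FROM_ADMIN = ["access-list 102 permit tcp host 10.1.1.1 172.12.12.0 0.0.0.255 eq 23"]


def demo():
    http = {"src": "10.1.1.1", "dst": "172.12.12.1", "proto": "tcp", "sport": 40000, "dport": 80}
    ssh = dict(http, dport=22)
    udp80 = dict(http, proto="udp")
    telnet = dict(http, dport=23)
    telnet_other_host = dict(telnet, src="10.1.1.2")
    return (
        evaluate_extended(WEB_ONLY, http),
        evaluate_extended(WEB_ONLY, ssh),
        evaluate_extended(WEB_ONLY, udp80),
        evaluate_extended(TELNET_FROM_ADMIN, telnet),
        evaluate_extended(TELNET_FROM_ADMIN, telnet_other_host),
    )
```

Because every extended line must carry a source and a destination, a list that only cares about the destination port still has to say any any; the model fails to parse a line that leaves one of them out, which mirrors the router rejecting it.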


Named ACLs are just that: rather than using a number to identify them, names are used. Consider a router with 75 ACLs. If the lists are given intuitive names, it can be much easier to see what the author of the list was trying to do, especially if they don't leave remarks with their numbered ACLs! The syntax of a named ACL is slightly different from the numbered type, but the operation is the same, as is the use of host and any.


In another section of the course, you learned how to configure a password on a router or switch's VTY lines to control access only to those who know the password. That might not be enough, though, as you may want to control Telnet access according to the IP address of the host attempting to connect. We can do that with an ACL and the access-class command.
Placement can also be affected when you consider how inbound and outbound ACLs handle traffic.
Outbound ACLs are applied after packets have already been sent to the outbound interface by the routing engine, but before they're placed in the transmission queue. In contrast, inbound ACLs are applied before the routing engine handles the packets.

Commonly referred to as "lock-and-key", dynamic ACLs allow the creation of a dynamic extended access list. Certain Telnet users will be able to authenticate as usual, but this access to their intended destination is strictly temporary. Once their access time has elapsed, the access is terminated. It's just like giving someone a key to the lock on your front door, and when they leave, you lock the door right behind them.

The natural question is "How long does the remote host have access to the specified network?" That's up to us as the network admins, and there are two different kinds of timeouts we can set:
an absolute timeout, where the remote host has "x" minutes of access, and that's it
an idle timeout, where the connection is terminated once no data is exchanged for "x" minutes
Finally, you may want to prevent or allow certain types of traffic according to the time. Time-based ACLs can be set to deny or permit traffic - you guessed it - on the basis of time. To write a time-based ACL, you must first define the times this ACL will be applied. You can do this on a per-day basis or choose daily, weekdays, or weekend as shown by IOS Help.

Some Common TCP Ports:


FTP - File Transfer Protocol - uses TCP ports 20 and 21.
SSH - Secure Shell - uses TCP port 22.
Telnet uses TCP port 23.
SMTP - Simple Mail Transfer Protocol - uses TCP port 25.
HTTP - HyperText Transfer Protocol - uses TCP port 80.
POP3 - Post Office Protocol 3 - uses TCP port 110.
SSL - Secure Socket Layer - uses TCP port 443.

Some Common UDP Ports:


DHCP - Dynamic Host Control Protocol - uses UDP ports 67 and 68.
TFTP - Trivial File Transfer Protocol - uses UDP port 69.
SNMP - Simple Network Management Protocol - uses UDP port 161.
Protocols Using Both TCP And UDP Ports


DNS - Domain Name Service - uses UDP and TCP port 53.
The port number 24 is reserved in both UDP and TCP for private mail systems.


Route summarization is a technique used to keep routing tables as compact as possible while keeping an accurate picture of the network topology. Your ability to summarize routes will be tested on the CCNA exam, and when you practice this skill, you will solve every question regarding summarization that Cisco or anyone else asks you.
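Since the slides say you will be tested on summarization but do not show the calculation, here is an added Python routine (not from the course) that computes the single shortest prefix covering a set of networks and reports whether that summary covers only those networks, which is the check you want before advertising it. The sample prefixes are constructed.

```python
import ipaddress


def summarize(prefixes):
    """Return (summary_network, exact).

    summary_network is the shortest single prefix whose address range contains every
    network given; exact is True when the summary covers no address outside them.
    The prefix length is found by counting the low-order bits that differ between the
    lowest and highest address in the set: every bit above those is common to all."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    differing_bits = (lowest ^ highest).bit_length()
    prefix_len = 32 - differing_bits
    summary = ipaddress.ip_network((lowest, prefix_len), strict=False)
    # collapse_addresses removes duplicates/overlaps so the count is not inflated
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return summary, summary.num_addresses == covered


def demo():
    # Four contiguous /24s summarize cleanly into one /22.
    clean = summarize(["172.12.0.0/24", "172.12.1.0/24", "172.12.2.0/24", "172.12.3.0/24"])
    # Three non-contiguous /16s can only be summarized by a /11 that also claims
    # 172.0.0.0/16 through 172.31.0.0/16, most of which these routers do not own.
    loose = summarize(["172.12.0.0/16", "172.14.0.0/16", "172.16.0.0/16"])
    return str(clean[0]), clean[1], str(loose[0]), loose[1]


if __name__ == "__main__":
    print(demo())
```

Advertising a summary that is not exact draws traffic for address space you do not actually route, so the second return value is the one to look at before configuring the summary on a RIP or EIGRP interface.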

Sooner or later, though, you'll write an ACL on the router and then realize you forgot a line. Take the following for example:
R1(config)#access-list 45 deny 172.12.0.0 0.0.255.255
R1(config)#access-list 45 deny 172.14.0.0 0.0.255.255
R1(config)#access-list 45 deny 172.16.0.0 0.0.255.255
R1(config)#access-list 45 permit any

After writing the ACL, you realize you meant to deny the 172.12.13.0 /24 network as well. In the good old days, you'd have to delete that ACL and type it in all over again. The Cisco IOS now assigns each line in an ACL a sequence number, and you can use those sequence numbers to your advantage in this situation. Let's run show ip access-list 45.

R1#show ip access-list 45
Standard IP access list 45
    10 deny 172.12.0.0, wildcard bits 0.0.255.255
    20 deny 172.14.0.0, wildcard bits 0.0.255.255
    30 deny 172.16.0.0, wildcard bits 0.0.255.255
    40 permit any


R1(config)#ip access-list standard 45
R1(config-std-nacl)#?
Standard Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment

The change is verified with show access-list 45.

R1#show access-list 45
Standard IP access list 45
    5 deny 172.13.0.0, wildcard bits 0.0.255.255
    10 deny 172.12.0.0, wildcard bits 0.0.255.255
    20 deny 172.14.0.0, wildcard bits 0.0.255.255
    30 deny 172.16.0.0, wildcard bits 0.0.255.255
    40 permit any


R1(config)#ip access-list standard 45
R1(config-std-nacl)#no ?
  <1-2147483647>  Sequence Number
  deny            Specify packets to reject
  permit          Specify packets to forward

R1(config-std-nacl)#no 20 ?
  <cr>
R1(config-std-nacl)#no 20


R1#show access-list 45
Standard IP access list 45
    5 deny 172.13.0.0, wildcard bits 0.0.255.255
    10 deny 172.12.0.0, wildcard bits 0.0.255.255
    30 deny 172.16.0.0, wildcard bits 0.0.255.255
    40 permit any
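The sequence-number editing shown above, modelled in Python as an added example (not IOS code). The auto-numbering in steps of 10, the insertion at sequence 5 and the removal of line 20 reproduce the show access-list 45 output from the slides; the class and its method names are my own.

```python
class StandardAcl:
    """Model of a numbered standard ACL edited through
    'ip access-list standard <n>' using sequence numbers."""

    def __init__(self, number):
        self.number = number
        self.entries = []          # (seq, action, address, wildcard), kept sorted by seq

    def add(self, action, address="any", wildcard=None, seq=None):
        """Add a line. With no seq, IOS numbers it 10 past the last line (10 for the first)."""
        if address == "any":
            address, wildcard = "0.0.0.0", "255.255.255.255"
        if wildcard is None:
            wildcard = "0.0.0.0"   # omitted wildcard means an exact host match
        if seq is None:
            seq = self.entries[-1][0] + 10 if self.entries else 10
        if any(s == seq for s, *_ in self.entries):
            raise ValueError("duplicate sequence number %d" % seq)
        self.entries.append((seq, action, address, wildcard))
        self.entries.sort(key=lambda e: e[0])   # seq decides position, not typing order

    def remove(self, seq):
        """'no <seq>': drop that one line and leave the others untouched."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] != seq]
        return len(self.entries) != before

    def sequences(self):
        return [e[0] for e in self.entries]

    def show(self):
        """Render in the style of 'show access-list <n>'."""
        out = ["Standard IP access list %d" % self.number]
        for seq, action, address, wildcard in self.entries:
            if (address, wildcard) == ("0.0.0.0", "255.255.255.255"):
                target = "any"
            elif wildcard == "0.0.0.0":
                target = address
            else:
                target = "%s, wildcard bits %s" % (address, wildcard)
            out.append("    %d %s %s" % (seq, action, target))
        return out


def demo():
    acl = StandardAcl(45)
    for net in ("172.12.0.0", "172.14.0.0", "172.16.0.0"):
        acl.add("deny", net, "0.0.255.255")                  # lines 10, 20, 30
    acl.add("permit", "any")                                 # line 40
    acl.add("deny", "172.13.0.0", "0.0.255.255", seq=5)      # slots in ahead of line 10
    acl.remove(20)                                           # 'no 20'
    return acl


if __name__ == "__main__":
    print("\n".join(demo().show()))
```

The point of the model is the sort in add(): the router orders lines by sequence number, not by the order you typed them, so a low sequence number is how you get a new deny evaluated before an existing permit without rebuilding the list.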
