CCNA 2 Routing and Switching v5

1. Chapter 3: VLANs (Routing & Switching)
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

2. Chapter 3
• 3.1 VLAN Segmentation
• 3.2 VLAN Implementation
• 3.3 VLAN Security and Design
• 3.4 Summary

3. Chapter 3: Objectives
• Explain the purpose of VLANs in a switched network.
• Analyze how a switch forwards frames based on VLAN configuration in a multi-switched environment.
• Configure a switch port to be assigned to a VLAN based on requirements.
• Configure a trunk port on a LAN switch.
• Configure Dynamic Trunking Protocol (DTP).
• Troubleshoot VLAN and trunk configurations in a switched network.
• Configure security features to mitigate attacks in a VLAN-segmented environment.
• Explain security best practices for a VLAN-segmented environment.

4. 3.1 VLAN Segmentation

5. Overview of VLANs: VLAN Definitions
• A VLAN is a logical partition of a Layer 2 network.
• Multiple partitions can be created, allowing multiple VLANs to co-exist.
• Each VLAN is a broadcast domain, usually with its own IP network.
• VLANs are mutually isolated; packets can only pass between them via a router.
• The partitioning of the Layer 2 network takes place inside a Layer 2 device, usually a switch.
• The hosts grouped within a VLAN are unaware of the VLAN's existence.

6. Overview of VLANs: VLAN Definitions (cont.)

7. Overview of VLANs: Benefits of VLANs
• Security
• Cost reduction
• Better performance
• Shrink broadcast domains
• Improved IT staff efficiency
• Simpler project and application management

8. Overview of VLANs: Types of VLANs
• Data VLAN
• Default VLAN
• Native VLAN
• Management VLAN

9. Overview of VLANs: Types of VLANs (cont.)

10. Overview of VLANs: Voice VLANs
VoIP traffic is time-sensitive and requires:
• Assured bandwidth to ensure voice quality.
• Transmission priority over other types of network traffic.
• Ability to be routed around congested areas on the network.
• Delay of less than 150 ms across the network.
The voice VLAN feature enables access ports to carry IP voice traffic from an IP phone. The switch can connect to a Cisco 7960 IP phone and carry IP voice traffic. The sound quality of an IP phone call can deteriorate if the data is sent unevenly; the switch supports quality of service (QoS).

11. Overview of VLANs: Voice VLANs (cont.)
The Cisco 7960 IP phone has two RJ-45 ports that each support connections to external devices.
• Network Port (10/100 SW) - Use this port to connect the phone to the network. The phone can also obtain inline power from the Cisco Catalyst switch over this connection.
• Access Port (10/100 PC) - Use this port to connect a network device, such as a computer, to the phone.

12. Overview of VLANs: Voice VLANs (cont.)

13. VLANs in a Multi-Switched Environment: VLAN Trunks
• A VLAN trunk carries more than one VLAN.
• A VLAN trunk is usually established between switches so that devices in the same VLAN can communicate even if they are physically connected to different switches.
• A VLAN trunk is not associated with any VLAN; neither are the trunk ports used to establish the trunk link.
• Cisco IOS supports IEEE 802.1Q, a popular VLAN trunking protocol.

14. VLANs in a Multi-Switched Environment: VLAN Trunks (cont.)

15. VLANs in a Multi-Switched Environment: Controlling Broadcast Domains with VLANs
• VLANs can be used to limit the reach of broadcast frames.
• A VLAN is a broadcast domain of its own.
• A broadcast frame sent by a device in a specific VLAN is forwarded within that VLAN only.
• VLANs help control the reach of broadcast frames and their impact on the network.
• Unicast and multicast frames are forwarded within the originating VLAN.

16. VLANs in a Multi-Switched Environment: Tagging Ethernet Frames for VLAN Identification
• Frame tagging is the process of adding a VLAN identification header to the frame. It is used to properly transmit frames of multiple VLANs through a trunk link.
• Switches tag frames to identify the VLAN to which they belong. Different tagging protocols exist; IEEE 802.1Q is a very popular example.
• The protocol defines the structure of the tagging header added to the frame.
• Switches add VLAN tags to frames before placing them onto trunk links and remove the tags before forwarding frames through non-trunk ports.
• When properly tagged, frames can traverse any number of switches via trunk links and still be forwarded within the correct VLAN at the destination.

17. VLANs in a Multi-Switched Environment: Tagging Ethernet Frames for VLAN Identification (cont.)

18. VLANs in a Multi-Switched Environment: Native VLANs and 802.1Q Tagging
• Frames that belong to the native VLAN are not tagged.
• Frames received untagged remain untagged and are placed in the native VLAN when forwarded.
• If there are no ports associated with the native VLAN and no other trunk links, an untagged frame is dropped.
• On Cisco switches, the native VLAN is VLAN 1 by default.

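The forwarding rules of slides 15, 16 and 18 (broadcasts confined to a VLAN, tagging on trunk egress, untagged frames landing in the native VLAN, and an untagged frame being dropped when no port is in the native VLAN) fit in a small model. The following is an added example written for this page, not code from the Cisco course; the port names, VLAN numbers and MAC addresses are constructed, and the access-port behaviour is simplified (every frame arriving on an access port is treated as belonging to that port's VLAN).

```python
"""Added example: a minimal model of how one switch forwards frames by VLAN.

Ports are either access ports (one VLAN, frames always leave untagged) or 802.1Q
trunk ports (frames leave tagged, except the native VLAN, which leaves untagged;
untagged frames received on a trunk are placed in the native VLAN).
Port names and MAC addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    mode: str                                  # "access" or "trunk"
    vlan: int = 1                              # access VLAN, or native VLAN for a trunk (VLAN 1 by default)
    allowed: Set[int] = field(default_factory=lambda: set(range(1, 4095)))  # trunk allowed list


@dataclass
class Frame:
    dst: str
    src: str
    tag: Optional[int] = None                  # 802.1Q VLAN ID carried in the frame; None = untagged


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[tuple, str] = {}  # (vlan, mac) -> port name; MACs are learned per VLAN

    def classify(self, port: Port, frame: Frame) -> Optional[int]:
        """Ingress: which VLAN does this frame belong to? None means drop."""
        if port.mode == "access":
            return port.vlan                   # simplification: access ports assign every frame to their VLAN
        if frame.tag is None:
            return port.vlan                   # untagged on a trunk -> native VLAN
        return frame.tag if frame.tag in port.allowed else None

    def egress(self, port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
        """Egress: rebuild the frame for `port`, or None if the port does not carry `vlan`."""
        if port.mode == "access":
            return Frame(frame.dst, frame.src, None) if port.vlan == vlan else None
        if vlan not in port.allowed:
            return None
        return Frame(frame.dst, frame.src, None if vlan == port.vlan else vlan)  # native VLAN leaves untagged

    def forward(self, in_port: str, frame: Frame) -> Dict[str, Frame]:
        """Return {output port: frame as transmitted}. Flooding never crosses a VLAN boundary."""
        port = self.ports[in_port]
        vlan = self.classify(port, frame)
        if vlan is None:
            return {}
        self.mac_table[(vlan, frame.src)] = in_port
        learned = self.mac_table.get((vlan, frame.dst))
        if frame.dst != BROADCAST and learned is not None:
            targets = [learned] if learned != in_port else []
        else:
            targets = [name for name in self.ports if name != in_port]   # flood; VLAN filtering happens at egress
        out: Dict[str, Frame] = {}
        for name in targets:
            tx = self.egress(self.ports[name], vlan, frame)
            if tx is not None:
                out[name] = tx
        return out
```

A broadcast from an access port in VLAN 10 reaches the other VLAN 10 access port untagged and the trunk tagged with 10, but never a VLAN 20 port; an untagged frame arriving on a trunk whose native VLAN has no member ports produces no output at all, which is the drop described on slide 18.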
19. VLANs in a Multi-Switched Environment: Voice VLAN Tagging

20. 3.2 VLAN Implementations

21. VLAN Assignment: VLAN Ranges on Catalyst Switches
Cisco Catalyst 2960 and 3560 Series switches support over 4,000 VLANs. VLANs are split into two categories:
• Normal range VLANs
  • VLAN numbers from 1 to 1,005
  • Configurations stored in vlan.dat (in flash memory)
  • VTP can only learn and store normal range VLANs
• Extended range VLANs
  • VLAN numbers from 1,006 to 4,096
  • Configurations stored in the running configuration (NVRAM)
  • VTP does not learn extended range VLANs

22. VLAN Assignment: Creating a VLAN

23. VLAN Assignment: Assigning Ports to VLANs

24. VLAN Assignment: Assigning Ports to VLANs (cont.)

25. VLAN Assignment: Changing VLAN Port Membership

26. VLAN Assignment: Changing VLAN Port Membership (cont.)

27. VLAN Assignment: Deleting VLANs

28. VLAN Assignment: Verifying VLAN Information

29. VLAN Assignment: Verifying VLAN Information (cont.)

30. VLAN Assignment: Configuring IEEE 802.1Q Trunk Links

31. VLAN Assignment: Resetting the Trunk to Default State

32. VLAN Assignment: Resetting the Trunk to Default State (cont.)

33. VLAN Assignment: Verifying Trunk Configuration

34. Dynamic Trunking Protocol: Introduction to DTP
• Switch ports can be manually configured to form trunks.
• Switch ports can also be configured to negotiate and establish a trunk link with a connected peer.
• The Dynamic Trunking Protocol (DTP) manages trunk negotiation.
• DTP is a Cisco proprietary protocol and is enabled by default on Cisco Catalyst 2960 and 3560 switches.
• If the port on the neighbor switch is configured in a trunk mode that supports DTP, it manages the negotiation.
• The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto.

35. Dynamic Trunking Protocol: Negotiated Interface Modes
Cisco Catalyst 2960 and 3560 switches support the following trunk modes:
• switchport mode dynamic auto
• switchport mode dynamic desirable
• switchport mode trunk
• switchport nonegotiate

36. Troubleshooting VLANs and Trunks: IP Addressing Issues with VLANs
• It is common practice to associate a VLAN with an IP network. Because different IP networks only communicate through a router, all devices within a VLAN must be part of the same IP network to communicate.
• The figure shows that PC1 cannot communicate with the server because it has a wrong IP address configured.

37. Troubleshooting VLANs and Trunks: Missing VLANs
If all IP address mismatches have been resolved but the device still cannot connect, check whether the VLAN exists on the switch.

38. Troubleshooting VLANs and Trunks: Introduction to Troubleshooting Trunks

39. Troubleshooting VLANs and Trunks: Common Problems with Trunks
Trunking issues are usually associated with incorrect configurations. The most common types of trunk configuration errors are:
1. Native VLAN mismatches
2. Trunk mode mismatches
3. Allowed VLANs on trunks
If a trunk problem is detected, best-practice guidelines recommend troubleshooting in the order shown above.

40. Troubleshooting VLANs and Trunks: Trunk Mode Mismatches
• If a port on a trunk link is configured with a trunk mode that is incompatible with the neighboring trunk port, a trunk link fails to form between the two switches.
• Use the show interfaces trunk command to check the status of the trunk ports on the switches.
• To fix the problem, configure the interfaces with proper trunk modes.

41. Troubleshooting VLANs and Trunks: Incorrect VLAN List
• VLANs must be allowed on the trunk before their frames can be transmitted across the link.
• Use the switchport trunk allowed vlan command to specify which VLANs are allowed on a trunk link.
• Use the show interfaces trunk command to ensure the correct VLANs are permitted on the trunk.

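Slides 35 and 39 to 41 describe the DTP modes and the three trunk mismatches in the order they should be checked. The following added example (written for this page, not course material) encodes the negotiation outcome for each pair of modes and runs the three checks against two constructed port descriptions; the dict keys, the "nonegotiate" label for a trunk with DTP turned off, and the VLAN-list parser are assumptions of this example.

```python
"""Added example: check both ends of a trunk for the three common misconfigurations.

Each side is a small dict (constructed for the example). Checks run in the
order the chapter recommends: native VLAN, trunk mode, allowed VLAN list.
"""
from typing import Dict, List, Set

DTP_MODES = ("access", "dynamic auto", "dynamic desirable", "trunk", "nonegotiate")


def trunk_outcome(mode_a: str, mode_b: str) -> str:
    """Result of DTP negotiation between two Catalyst ports: 'trunk', 'access' or 'mismatch'.

    'mismatch' means one side ends up trunking while the other does not, the failure
    described under Trunk Mode Mismatches. 'nonegotiate' stands for a port that is a
    trunk but has DTP turned off (switchport nonegotiate).
    """
    for m in (mode_a, mode_b):
        if m not in DTP_MODES:
            raise ValueError(f"unknown switchport mode: {m}")
    pair = {mode_a, mode_b}
    if "access" in pair:
        other = mode_a if mode_b == "access" else mode_b
        return "mismatch" if other in ("trunk", "nonegotiate") else "access"
    if "nonegotiate" in pair:
        other = mode_a if mode_b == "nonegotiate" else mode_b
        # a silent trunk only works against a peer that does not rely on DTP frames
        return "trunk" if other in ("trunk", "nonegotiate") else "mismatch"
    if "trunk" in pair or "dynamic desirable" in pair:
        return "trunk"                         # at least one side actively negotiates
    return "access"                            # dynamic auto on both ends never trunks


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse the IOS list syntax used by 'switchport trunk allowed vlan', e.g. '1-5,10,20-22'."""
    vlans: Set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start, end = int(lo), int(hi or lo)
        if not 1 <= start <= end <= 4094:
            raise ValueError(f"bad VLAN range: {item}")
        vlans.update(range(start, end + 1))
    return vlans


def check_trunk(side_a: Dict, side_b: Dict) -> List[str]:
    """Return findings for a trunk between two ports, in troubleshooting order."""
    findings: List[str] = []
    if side_a["native"] != side_b["native"]:
        findings.append(f"native VLAN mismatch: {side_a['name']} native {side_a['native']}, "
                        f"{side_b['name']} native {side_b['native']}")
    outcome = trunk_outcome(side_a["mode"], side_b["mode"])
    if outcome != "trunk":
        findings.append(f"trunk mode mismatch: {side_a['mode']} / {side_b['mode']} -> {outcome}")
    if side_a["allowed"] != side_b["allowed"]:
        only_a = sorted(side_a["allowed"] - side_b["allowed"])
        only_b = sorted(side_b["allowed"] - side_a["allowed"])
        findings.append(f"allowed VLAN mismatch: only on {side_a['name']}: {only_a}; "
                        f"only on {side_b['name']}: {only_b}")
    return findings
```

Two ports left at the default dynamic auto never form a trunk, which is why the checker reports an outcome of "access" for that pair; the findings list is what you would compare against show interfaces trunk on each switch.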
42. 3.3 VLAN Security and Design

43. Attacks on VLANs: Switch Spoofing Attack
• There are a number of different types of VLAN attacks in modern switched networks; VLAN hopping is one example.
• The default configuration of a switch port is dynamic auto.
• By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network.
• Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack.
• To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking.

44. Attacks on VLANs: Double-Tagging Attack
• A double-tagging attack takes advantage of the way the hardware on most switches de-encapsulates 802.1Q tags.
• Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame.
• After removing the first, legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header.
• The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports.

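The byte-level side of slides 16, 18 and 44 (how an 802.1Q tag sits in the frame, the single de-encapsulation most hardware performs, and why a dedicated native VLAN stops the inner tag from surfacing) is shown in the following added example, which is not code from the course. It models the frame on the trunk between two switches and provides two defensive checks: a tag counter for a monitoring tool and an audit of whether a trunk's native VLAN is shared with user ports. MAC addresses, VLAN numbers and payloads are constructed, and the access-port behaviour is simplified as noted in the comments.

```python
"""Added example: 802.1Q tag handling, one-level de-encapsulation, and two defensive checks.
MAC addresses, VLAN numbers and payloads are constructed for the example.
"""
import struct
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100        # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, payload: bytes, *vlan_ids: int) -> bytes:
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags (PCP/DEI bits left at 0)."""
    frame = dst + src
    for vid in vlan_ids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def pop_one_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Strip at most one 802.1Q tag, as most switch hardware does on ingress.
    Returns (VLAN ID, or None if the frame was untagged; frame without that tag)."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def count_tags(frame: bytes) -> int:
    """Monitoring check: number of stacked 802.1Q tags; more than one from a user port is suspicious."""
    count, offset = 0, 12
    while offset + 2 <= len(frame) and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q:
        count += 1
        offset += 4
    return count


def first_switch_trunk_egress(frame: bytes, port_vlan: int, trunk_native: int) -> bytes:
    """Frame as it leaves the first switch's trunk after arriving on an access port in `port_vlan`.

    Simplification: the access port strips one tag and assigns the frame to its own VLAN.
    On the trunk the frame is tagged with that VLAN unless it is the native VLAN, which
    travels untagged; that untagged step is what a double-tagged frame abuses.
    """
    _, stripped = pop_one_tag(frame)
    if port_vlan == trunk_native:
        return stripped                                   # untagged on the wire: any inner tag is now outermost
    return stripped[:12] + struct.pack("!HH", TPID_8021Q, port_vlan) + stripped[12:]


def second_switch_ingress_vlan(frame: bytes, trunk_native: int) -> int:
    """VLAN the receiving switch assigns to a frame arriving on its trunk."""
    vid, _ = pop_one_tag(frame)
    return trunk_native if vid is None else vid


def native_vlan_shared_with_users(trunk_native: int, access_vlans: Set[int]) -> bool:
    """Config audit: True when the trunk's native VLAN is also assigned to user (access) ports."""
    return trunk_native in access_vlans
```

With the native VLAN equal to the user port's VLAN, the far switch places the frame in the VLAN named by the inner tag; with an unused native VLAN, the first switch re-tags the frame with the user's real VLAN, the inner tag stays buried, and the far switch keeps the frame where it belongs.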
45. Attacks on VLANs: Double-Tagging Attack (cont.)

46. Attacks on VLANs: PVLAN Edge
• The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch.
• Local relevance only: the protection applies between ports on the same switch.
• A protected port only exchanges traffic with unprotected ports.
• A protected port does not exchange traffic with another protected port.

47. Design Best Practices for VLANs: VLAN Design Guidelines
• Move all ports out of VLAN 1 and assign them to a VLAN that is not in use.
• Shut down all unused switch ports.
• Separate management and user data traffic.
• Change the management VLAN to a VLAN other than VLAN 1. (The same applies to the native VLAN.)
• Ensure that only devices in the management VLAN can connect to the switches.
• The switch should only accept SSH connections.
• Disable autonegotiation on trunk ports.
• Do not use the auto or desirable switch port modes.

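The guidelines on slides 43 and 47 can be checked mechanically against a switch's running configuration. The following added example (written for this page, not part of the course) parses the interface and vty stanzas of a constructed IOS-style configuration and reports each guideline the configuration violates; the sample configuration, its interface names and addresses are constructed, and the parser understands only the stanza layout shown.

```python
"""Added example: audit a switch running-config against the VLAN design guidelines.

The configuration text is constructed for the example; the parser understands
the 'interface' and 'line vty' stanzas of IOS output and nothing more.
"""
from typing import Iterator, List, Tuple

SAMPLE_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 shutdown
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
interface Vlan1
 ip address 192.0.2.2 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
"""

DYNAMIC_MODES = ("dynamic auto", "dynamic desirable")


def stanzas(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level line, indented sub-lines) pairs from IOS-style configuration text."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body


def _value(lines: List[str], prefix: str, default: str) -> str:
    """Text after `prefix` on the first matching line, or `default` when the line is absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default


def audit(config: str) -> List[str]:
    findings: List[str] = []
    for header, lines in stanzas(config):
        if header.startswith("line vty"):
            transports = _value(lines, "transport input", "all")     # absent line: assume all transports
            if transports == "all" or "telnet" in transports:
                findings.append(f"{header}: accepts Telnet; restrict to SSH (transport input ssh)")
            continue
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        if name.startswith("Vlan"):
            if name == "Vlan1" and any(l.startswith("ip address") for l in lines):
                findings.append(f"{name}: management address on VLAN 1; use a dedicated management VLAN")
            continue
        if "shutdown" in lines:
            continue                                   # a shut port is not exposed, however it is configured
        if not lines:
            findings.append(f"{name}: unused port with default settings is not shut down")
            continue
        mode = _value(lines, "switchport mode", "dynamic auto")   # default DTP mode on 2960/3560
        access_vlan = int(_value(lines, "switchport access vlan", "1"))
        native_vlan = int(_value(lines, "switchport trunk native vlan", "1"))
        trunk_intent = mode == "trunk" or any(l.startswith("switchport trunk") for l in lines)
        if mode in DYNAMIC_MODES:
            findings.append(f"{name}: DTP mode '{mode}'; use 'switchport mode access' or 'trunk' with 'switchport nonegotiate'")
        if trunk_intent:
            if native_vlan == 1:
                findings.append(f"{name}: trunk native VLAN is 1; move it to an unused VLAN")
            if mode == "trunk" and "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk still negotiates DTP; add 'switchport nonegotiate'")
        elif access_vlan == 1:
            findings.append(f"{name}: access port still in VLAN 1")
    return findings
```

On the sample configuration the audit reports the unconfigured FastEthernet0/2, the desirable-mode trunk with native VLAN 1, the management address on Vlan1 and the Telnet-capable vty lines, and accepts GigabitEthernet0/2, which follows every guideline.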
48. Chapter 3: Summary
This chapter:
• Introduced VLANs and their types.
• Described the connection between VLANs and broadcast domains.
• Discussed IEEE 802.1Q frame tagging and how it enables differentiation between Ethernet frames associated with distinct VLANs as they traverse common trunk links.
• Examined the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI and explored basic security and design considerations.

1. Chapter 4: Routing Concepts (Routing & Switching)

2. Chapter 4
• 4.0 Routing Concepts
• 4.1 Initial Configuration of a Router
• 4.2 Routing Decisions
• 4.3 Router Operation
• 4.4 Summary

3. Chapter 4: Objectives
• Configure a router to route between multiple directly connected networks.
• Describe the primary functions and features of a router.
• Explain how routers use information in data packets to make forwarding decisions in a small- to medium-sized business network.
• Explain the encapsulation and de-encapsulation process used by routers when switching packets between interfaces.
• Compare ways in which a router builds a routing table when operating in a small- to medium-sized business network.
• Explain routing table entries for directly connected networks.
• Explain how a router builds a routing table of directly connected networks.

4. Chapter 4: Objectives (cont.)
• Explain how a router builds a routing table using static routes.
• Explain how a router builds a routing table using a dynamic routing protocol.

5. Functions of a Router: Characteristics of a Network

6. Functions of a Router: Why Routing?
The router is responsible for the routing of traffic between networks.

7. Functions of a Router: Routers are Computers
Routers are specialized computers containing the following required components to operate:
• Central processing unit (CPU)
• Operating system (OS) - routers use Cisco IOS
• Memory and storage (RAM, ROM, NVRAM, flash, hard drive)

8. Functions of a Router: Routers are Computers
Routers use specialized ports and network interface cards to interconnect to other networks.

9. Functions of a Router: Routers Interconnect Networks
• Routers can connect multiple networks.
• Routers have multiple interfaces, each on a different IP network.

10. Functions of a Router: Routers Choose Best Paths
• Routers use static routes and dynamic routing protocols to learn about remote networks and build their routing tables.
• Routers use routing tables to determine the best path to send packets.
• Routers encapsulate the packet and forward it to the interface indicated in the routing table.

11. Functions of a Router: Routers Choose Best Paths

12. Functions of a Router: Packet Forwarding Methods
• Process switching - An older packet forwarding mechanism still available for Cisco routers.
• Fast switching - A common packet forwarding mechanism which uses a fast-switching cache to store next-hop information.
• Cisco Express Forwarding (CEF) - The most recent, fastest, and preferred Cisco IOS packet-forwarding mechanism. Table entries are not packet-triggered like fast switching but change-triggered.

13. Connect Devices: Connect to a Network

14. Connect Devices: Default Gateways
To enable network access, devices must be configured with the following IP address information:
• IP address - Identifies a unique host on a local network.
• Subnet mask - Identifies the host's network subnet.
• Default gateway - Identifies the router a packet is sent to when the destination is not on the same local network subnet.

15. Connect Devices: Document Network Addressing
Network documentation should include at least the following in a topology diagram and addressing table:
• Device names
• Interfaces
• IP addresses and subnet masks
• Default gateways

16. Connect Devices: Enable IP on a Host
Statically assigned IP address - The host is manually assigned an IP address, subnet mask and default gateway. A DNS server IP address can also be assigned.
• Used to identify specific network resources such as network servers and printers.
• Can be used in very small networks with few hosts.
Dynamically assigned IP address - IP address information is dynamically assigned by a server using Dynamic Host Configuration Protocol (DHCP).
• Most hosts acquire their IP address information through DHCP.
• DHCP services can be provided by Cisco routers.

17. Connect Devices: Device LEDs

18. Connect Devices: Console Access
Console access requires:
• Console cable - RJ-45-to-DB-9 console cable
• Terminal emulation software - Tera Term, PuTTY, HyperTerminal

19. Connect Devices: Enable IP on a Switch
• Network infrastructure devices require IP addresses to enable remote management.
• On a switch, the management IP address is assigned on a virtual interface.

20. Basic Settings on a Router: Configure Basic Router Settings
Basic tasks that should be configured first on a Cisco router and Cisco switch:
• Name the device - Distinguishes it from other routers.
• Secure management access - Secures privileged EXEC, user EXEC, and Telnet access, and encrypts passwords to their highest level.
• Configure a banner - Provides legal notification of unauthorized access.
• Save the configuration.

21. Basic Settings on a Router: Configure an IPv4 Router Interface
To be available, a router interface must be:
• Configured with an address and subnet mask.
• Activated using the no shutdown command. By default, LAN and WAN interfaces are not activated.
• The serial cable end labeled DCE must be configured with the clock rate command.
• An optional description can be included.

22. Basic Settings on a Router: Configure an IPv6 Router Interface
To configure an interface with an IPv6 address and subnet mask:
• Use the ipv6 address ipv6-address/ipv6-length [link-local | eui-64] interface configuration command.
• Activate using the no shutdown command.
IPv6 interfaces can support more than one address:
• Configure a specified global unicast address - ipv6-address/ipv6-length
• Configure a global IPv6 address with an interface identifier (ID) in the low-order 64 bits - ipv6-address/ipv6-length eui-64
• Configure a link-local address - ipv6-address/ipv6-length link-local

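The eui-64 keyword above makes the router derive the low-order 64 bits from the interface MAC address. The following added example (written for this page, not code from the course) carries that derivation out: the 48-bit MAC is split in two, FFFE is inserted in the middle and the universal/local bit is flipped, and the result is combined with a /64 prefix. The prefixes and MAC addresses are constructed (2001:db8::/32 is the documentation range).

```python
"""Added example: derive the interface ID the 'eui-64' keyword produces from an interface MAC.

Prefixes and MAC addresses used here are constructed; 2001:db8::/32 is the documentation range.
"""
import ipaddress


def modified_eui64(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert FFFE, and flip the universal/local bit (bit 1 of byte 0)."""
    parts = mac.replace("-", ":").replace(".", "").split(":")
    if len(parts) == 1:                       # Cisco dotted form aabb.ccdd.eeff has no separators left
        parts = [parts[0][i:i + 2] for i in range(0, 12, 2)]
    octets = bytes(int(p, 16) for p in parts)
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address produced by 'ipv6 address <prefix>/64 eui-64' for an interface with this MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID fills the low-order 64 bits; the prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address a router builds automatically: fe80::/64 plus the EUI-64 interface ID."""
    return eui64_address("fe80::/64", mac)
```

Because the interface ID is derived from the hardware address, it is predictable and stable; the same MAC yields the same low-order 64 bits in every prefix the interface is given, which is worth keeping in mind when deciding between eui-64 and an explicitly configured interface ID.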
23. Basic Settings on a Router: Configure a Loopback Interface
A loopback interface is a logical interface that is internal to the router:
• It is not assigned to a physical port; it is considered a software interface that is automatically in an UP state.
• A loopback interface is useful for testing.
• It is important in the OSPF routing process.

24. Verify Connectivity of Directly Connected Networks: Verify Interface Settings
Show commands are used to verify the operation and configuration of an interface:
• show ip interfaces brief
• show ip route
• show running-config
Show commands are used to gather more detailed interface information:
• show interfaces
• show ip interfaces

25. Verify Connectivity of Directly Connected Networks: Verify Interface Settings
Some of the common commands to verify the IPv6 interface configuration are:
• show ipv6 interface brief - displays a summary for each of the interfaces.
• show ipv6 interface gigabitethernet 0/0 - displays the interface status and all the IPv6 addresses for this interface.
• show ipv6 route - verifies that IPv6 networks and specific IPv6 interface addresses have been installed in the IPv6 routing table.

26. Verify Connectivity of Directly Connected Networks: Filter Show Command Output
Show command output can be managed using the following command and filters:
• Use the terminal length number command to specify the number of lines to be displayed. A value of 0 (zero) prevents the router from pausing between screens of output.
• To filter specific output of commands, use the pipe character (|) after the show command. Parameters that can be used after the pipe include: section, include, exclude, begin.

27. Verify Connectivity of Directly Connected Networks: Command History Feature
The command history feature temporarily stores a list of executed commands for access:
• To recall commands, press Ctrl+P or the Up Arrow.
• To return to more recent commands, press Ctrl+N or the Down Arrow.
• By default, command history is enabled and the system captures the last 10 commands in the buffer.
• Use the show history privileged EXEC command to display the buffer contents.
• Use the terminal history size user EXEC command to increase or decrease the size of the buffer.

28. Switching Packets between Networks: Router Switching Functions

29. Switching Packets between Networks: Send a Packet

30. Switching Packets between Networks: Forward to the Next Hop

31. Switching Packets between Networks: Packet Routing

32. Switching Packets between Networks: Reach the Destination

33. Path Determination: Routing Decisions

34. Path Determination: Best Path
The best path is selected by a routing protocol based on the value or metric it uses to determine the distance to reach a network:
• A metric is the value used to measure the distance to a given network.
• The best path to a network is the path with the lowest metric.
Dynamic routing protocols use their own rules and metrics to build and update routing tables:
• Routing Information Protocol (RIP) - Hop count
• Open Shortest Path First (OSPF) - Cost based on cumulative bandwidth from source to destination
• Enhanced Interior Gateway Routing Protocol (EIGRP) - Bandwidth, delay, load, reliability

35. Path Determination: Load Balancing
When a router has two or more paths to a destination with equal cost metrics, the router forwards the packets using both paths equally:
• Equal cost load balancing can improve network performance.
• Equal cost load balancing can be configured to use both dynamic routing protocols and static routes.
• RIP, OSPF and EIGRP support equal cost load balancing.

36. Path Determination: Administrative Distance
If multiple paths to a destination are configured on a router, the path installed in the routing table is the one with the lowest Administrative Distance (AD):
• A static route with an AD of 1 is more reliable than an EIGRP-discovered route with an AD of 90.
• A directly connected route with an AD of 0 is more reliable than a static route with an AD of 1.

37. The Routing Table: The Routing Table
A routing table is a file stored in RAM that contains information about:
• Directly connected routes
• Remote routes
• Network or next-hop associations

38. The Routing Table: Routing Table Sources
The show ip route command is used to display the contents of the routing table:
• Local route interfaces - Added to the routing table when an interface is configured (displayed in IOS 15 or newer).
• Directly connected interfaces - Added to the routing table when an interface is configured and active.
• Static routes - Added when a route is manually configured and the exit interface is active.
• Dynamic routing protocol - Added when EIGRP or OSPF are implemented and networks are identified.

39. The Routing Table: Routing Table Sources

40. The Routing Table: Remote Network Routing Entries
Interpreting the entries in the routing table.

41. Directly Connected Routes: Directly Connected Interfaces
• A newly deployed router, without any configured interfaces, has an empty routing table.
• An active, configured, directly connected interface creates two routing table entries:
  • Link Local (L)
  • Directly Connected (C)

42. Directly Connected Routes: Directly Connected Example
A routing table with the directly connected interfaces of R1 configured and activated.

43. Directly Connected Routes: Directly Connected IPv6 Example
The show ipv6 route command shows the IPv6 networks and routes installed in the routing table.

44. Statically Learned Routes: Static Routes
Static routes and default static routes can be implemented after directly connected interfaces are added to the routing table:
• Static routes are manually configured.
• They define an explicit path between two networking devices.
• Static routes must be manually updated if the topology changes.
• Their benefits include improved security and control of resources.
• Configure a static route to a specific network using the ip route network mask {next-hop-ip | exit-intf} command.
• A default static route is used when the routing table does not contain a path for a destination network.
• Configure a default static route using the ip route 0.0.0.0 0.0.0.0 {exit-intf | next-hop-ip} command.

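Slides 34 to 36, 38 and 44 together describe how a router decides which candidate routes reach the routing table (lowest administrative distance, then lowest metric, with equal-cost survivors sharing the load) and how a destination is then matched against it (longest prefix, with the 0.0.0.0/0 default static route used only when nothing more specific exists). The following added example, written for this page and not taken from the course, carries both steps out on a constructed set of candidate routes; the prefixes, next hops and metrics are invented, while the administrative distances are the standard Cisco defaults the chapter quotes.

```python
"""Added example: build a routing table from candidate routes and look up destinations.

Prefixes, next hops and metrics are constructed for the example; the administrative
distances are the standard Cisco defaults.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List

AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}
CODE = {"connected": "C", "static": "S", "eigrp": "D", "ospf": "O", "rip": "R"}   # show ip route codes


@dataclass(frozen=True)
class Route:
    prefix: str           # "10.1.1.0/24"; "0.0.0.0/0" is the default static route
    source: str           # key into AD
    metric: int           # protocol-specific: hop count, cost, composite metric
    next_hop: str         # next-hop address or exit interface


def install(candidates: List[Route]) -> List[Route]:
    """For each prefix keep only routes from the lowest-AD source and, among those, the
    lowest metric. Several survivors for one prefix mean equal-cost load balancing."""
    grouped: Dict[str, List[Route]] = {}
    for r in candidates:
        if r.source not in AD:
            raise ValueError(f"unknown route source: {r.source}")
        grouped.setdefault(r.prefix, []).append(r)
    table: List[Route] = []
    for routes in grouped.values():
        best_ad = min(AD[r.source] for r in routes)
        trusted = [r for r in routes if AD[r.source] == best_ad]
        best_metric = min(r.metric for r in trusted)
        table.extend(r for r in trusted if r.metric == best_metric)
    return table


def lookup(table: List[Route], destination: str) -> List[Route]:
    """Longest-prefix match. The default route (/0) matches everything, so it wins only
    when no more specific entry exists. Several results mean the load is shared."""
    ip = ipaddress.ip_address(destination)
    best_len, best = -1, []
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if ip in net:
            if net.prefixlen > best_len:
                best_len, best = net.prefixlen, [r]
            elif net.prefixlen == best_len:
                best.append(r)
    return best


def show_ip_route(table: List[Route]) -> List[str]:
    """Lines in the spirit of 'show ip route': code, prefix, [AD/metric], next hop."""
    return [f"{CODE[r.source]} {r.prefix} [{AD[r.source]}/{r.metric}] via {r.next_hop}"
            for r in sorted(table, key=lambda r: ipaddress.ip_network(r.prefix))]
```

In the constructed table an EIGRP route and an OSPF route compete for 10.1.1.0/24 and the EIGRP route is installed on administrative distance alone, even though its composite metric is numerically far larger than the OSPF cost; a host in 10.1.2.0/24 falls back to the RIP /16, and an address nobody advertises is caught by the default static route.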
45. Statically Learned Routes: Default Static Routes Example

46. Statically Learned Routes: Static Routes Example

47. Statically Learned Routes: Static IPv6 Routes Example

48. Dynamic Routing Protocols: Dynamic Routing
• Dynamic routing is used by routers to share information about the reachability and status of remote networks.
• It performs network discovery and maintains routing tables.

49. Dynamic Routing Protocols: IPv4 Routing Protocols
Cisco ISR routers can support a variety of dynamic IPv4 routing protocols, including:
• EIGRP - Enhanced Interior Gateway Routing Protocol
• OSPF - Open Shortest Path First
• IS-IS - Intermediate System-to-Intermediate System
• RIP - Routing Information Protocol

50. Dynamic Routing Protocols: IPv4 Routing Protocols

51. Dynamic Routing Protocols: IPv6 Routing Protocols
Cisco ISR routers can support a variety of dynamic IPv6 routing protocols, including:
• RIPng - RIP next generation
• OSPFv3
• EIGRP for IPv6
• MP-BGP4 - Multicast Protocol-Border Gateway Protocol

52. Dynamic Routing Protocols: IPv6 Routing Protocols

53. 53. Chapter 4: Summary There are many key structures and performance-related
characteristics referred to when discussing networks: topology, speed, cost, security,
availability, scalability, and reliability. Cisco routers and Cisco switches have many
similarities. They support a similar modal operating system, similar command structures,
and many of the same commands. One distinguishing feature between switches and
routers is the type of interfaces supported by each. The main purpose of a router is to
connect multiple networks and forward packets from one network to the next. This means
that a router typically has multiple interfaces. Each interface is a member or host on a
different IP network. Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential 53
54. 54. Chapter 4: Summary (cont.) The routing table is a list of networks known by the
router. A remote network is a network that can only be reached by forwarding the
packet to another router. Remote networks are added to the routing table in two ways:
either by the network administrator manually configuring static routes or by
implementing a dynamic routing protocol. Static routes do not have as much overhead
as dynamic routing protocols; however, static routes can require more maintenance if the
topology is constantly changing or is unstable. Dynamic routing protocols
automatically adjust to changes without any intervention from the network administrator.
Dynamic routing protocols require more CPU processing and also use a certain amount
of link capacity for routing updates and messages. Presentation_ID © 2008 Cisco
Systems, Inc. All rights reserved. Cisco Confidential 54
55. 55. Chapter 4: Summary (cont.) Routers make their primary forwarding decision at
Layer 3, the Network layer. However, router interfaces participate in Layers 1, 2, and 3.
Layer 3 IP packets are encapsulated into a Layer 2 data link frame and encoded into bits
at Layer 1. Router interfaces participate in Layer 2 processes associated with their
encapsulation. For example, an Ethernet interface on a router participates in the ARP
process like other hosts on that LAN. Components of the IPv6 routing table are very
similar to the IPv4 routing table. For instance, it is populated using directly connected
interfaces, static routes and dynamically learned routes. Presentation_ID © 2008 Cisco
Systems, Inc. All rights reserved. Cisco Confidential 55
1. Chapter 5: Inter-VLAN Routing (Routing & Switching)

2. Chapter 5
5.1 Inter-VLAN Routing Configuration
5.2 Troubleshooting Inter-VLAN Routing
5.3 Layer 3 Switching
5.4 Summary

3. Chapter 5: Objectives
• Describe the three primary options for enabling inter-VLAN routing.
• Configure legacy inter-VLAN routing.
• Configure router-on-a-stick inter-VLAN routing.
• Troubleshoot common inter-VLAN configuration issues.
• Troubleshoot common IP addressing issues in an inter-VLAN-routed environment.
• Configure inter-VLAN routing using Layer 3 switching.
• Troubleshoot inter-VLAN routing in a Layer 3-switched environment.

4. 5.1 Inter-VLAN Routing Configuration

5. Inter-VLAN Routing Operation: What is Inter-VLAN Routing?
Layer 2 switches cannot forward traffic between VLANs without the assistance of a router. Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another using a router.

6. Inter-VLAN Routing Operation: Legacy Inter-VLAN Routing
In the past:
• Actual routers were used to route between VLANs.
• Each VLAN was connected to a different physical router interface.
• Packets would arrive on the router through one interface, be routed, and leave through another.
• Because the router interfaces were connected to VLANs and had IP addresses from that specific VLAN, routing between VLANs was achieved.
• Large networks with a large number of VLANs required many router interfaces.

7. Inter-VLAN Routing Operation: Router-on-a-Stick Inter-VLAN Routing
The router-on-a-stick approach uses a different path to route between VLANs:
• One of the router's physical interfaces is configured as an 802.1Q trunk port so it can understand VLAN tags.
• Logical subinterfaces are created, one subinterface per VLAN.
• Each subinterface is configured with an IP address from the VLAN it represents.
• VLAN members (hosts) are configured to use the subinterface address as a default gateway.
• Only one of the router's physical interfaces is used.

8. Inter-VLAN Routing Operation: Multilayer Switch Inter-VLAN Routing
• Multilayer switches can perform Layer 2 and Layer 3 functions, replacing the need for dedicated routers.
• Multilayer switches support dynamic routing and inter-VLAN routing.
• The multilayer switch must have IP routing enabled.
• A switch virtual interface (SVI) exists for VLAN 1 by default.
• On a multilayer switch, a logical (Layer 3) interface can be configured for any VLAN.
• The switch understands network-layer PDUs; therefore, it can route between its SVIs, just as a router routes between its interfaces.
• With a multilayer switch, traffic is routed internal to the switch device.
• This routing process is a suitable and scalable solution.
9. Configure Legacy Inter-VLAN Routing: Preparation
Legacy inter-VLAN routing requires routers to have multiple physical interfaces. Each one of the router's physical interfaces is connected to a unique VLAN. Each interface is also configured with an IP address for the subnet associated with the particular VLAN. Network devices use the router as a gateway to access the devices connected to the other VLANs.

10. Configure Legacy Inter-VLAN Routing: Preparation (cont.)

11. Configure Legacy Inter-VLAN Routing: Switch Configuration

12. Configure Legacy Inter-VLAN Routing: Router Interface Configuration

13. Configure Router-on-a-Stick: Preparation
An alternative to legacy inter-VLAN routing is to use VLAN trunking and subinterfaces. VLAN trunking allows a single physical router interface to route traffic for multiple VLANs. The physical interface of the router must be connected to a trunk link on the adjacent switch. On the router, subinterfaces are created for each unique VLAN. Each subinterface is assigned an IP address specific to its subnet or VLAN and is also configured to tag frames for that VLAN.

14. Configure Router-on-a-Stick: Switch Configuration

15. Configure Router-on-a-Stick: Router Subinterface Configuration

16. Configure Router-on-a-Stick: Verifying Subinterfaces

17. Configure Router-on-a-Stick: Verifying Subinterfaces (cont.)

18. Configure Router-on-a-Stick: Verifying Routing
Access to devices on remote VLANs can be tested using the ping command. The ping command sends an ICMP echo request to the destination address. When a host receives an ICMP echo request, it responds with an ICMP echo reply. Tracert is a useful utility for confirming the routed path taken between two devices.

19. 5.2 Troubleshoot Inter-VLAN Routing
20. Inter-VLAN Configuration Issues: Switch Port Issues
• When using the legacy routing model, ensure that the switch ports connecting to the router interfaces are configured with the correct VLANs. Use the switchport access vlan [appropriate vlan#] command to correct any erroneous VLAN port assignment.
• Ensure that the router is connected to the correct switch port.
• When using router-on-a-stick, ensure that the switch port connected to the router is configured as a trunk link. Use the switchport mode trunk command to make the switch port a trunk.

21. Inter-VLAN Configuration Issues: Verify Switch Configuration

22. Inter-VLAN Configuration Issues: Verify Router Configuration
With router-on-a-stick configurations, a common problem is assigning the wrong VLAN ID to the subinterface. The show interface command can help detect this problem. If this is the case, use the encapsulation dot1q <vlan_id> interface command to fix the problem.

23. Inter-VLAN Configuration Issues: Verify Router Configuration (cont.)

24. IP Addressing Issues: Errors with IP Address and Subnet Masks
• When using legacy inter-VLAN routing, ensure that the router has the correct IP address and mask on the interfaces connecting to the switch.
• Ensure that the network devices are configured with the correct IP address and mask.
• In the router, use the ip address command to fix any erroneous IP assignments.
• In the PCs, refer to the installed operating system documentation to properly change IP information.

25. IP Addressing Issues: Verifying IP Address and Subnet Mask Configuration Issues
• Use the show ip interface command to verify that the correct IP address is configured in the router.
• Use show running-config when troubleshooting router-related problems.
• When troubleshooting addressing issues, ensure that the subinterface is configured with the correct address for that VLAN.
• Subinterface IDs are often configured to match the VLAN number, which makes it easier to manage inter-VLAN configuration, but this is not a requirement.
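The checks that slides 22, 24 and 25 describe (a subinterface tagged with the wrong VLAN ID, an IP address or mask that does not belong to the VLAN's subnet) can be run against the router's configuration instead of being eyeballed. The script below is an added example and is not part of the Cisco slides: it parses a constructed show running-config excerpt for a hypothetical router R1 with router-on-a-stick subinterfaces, compares each subinterface with an assumed VLAN-to-subnet plan, and reports the mismatches. The interface names, VLAN numbers and 172.17.x.0/24 subnets are all constructed for the example.

```python
"""Audit router-on-a-stick subinterfaces against the intended VLAN plan.

Added example, not from the slide deck. Reports the problems the
troubleshooting slides describe: a subinterface tagged with a VLAN that is
not in the plan, an IP address/mask outside that VLAN's subnet, and (as a
note only, since matching numbers are a convention, not a requirement) a
subinterface number that differs from its VLAN ID.
"""
import ipaddress
import re

# Constructed VLAN plan: VLAN ID -> subnet the VLAN is supposed to use.
VLAN_PLAN = {
    10: ipaddress.ip_network("172.17.10.0/24"),
    20: ipaddress.ip_network("172.17.20.0/24"),
    30: ipaddress.ip_network("172.17.30.0/24"),
}

# Constructed `show running-config` excerpt for a hypothetical router R1.
# Gi0/1.20 carries the wrong VLAN tag, Gi0/1.30 has the wrong mask and
# Gi0/1.40 is tagged with a VLAN that was never planned.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 172.17.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 30
 ip address 172.17.20.1 255.255.255.0
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 172.17.30.1 255.255.0.0
!
interface GigabitEthernet0/1.40
 encapsulation dot1Q 40
 ip address 172.17.40.1 255.255.255.0
!
"""


def parse_subinterfaces(config):
    """Map subinterface name -> {"subif": number, "vlan": dot1Q tag, "addr": IPv4Interface}."""
    subifs = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)\.(\d+)$", line)
        if m:
            current = f"{m.group(1)}.{m.group(2)}"
            subifs[current] = {"subif": int(m.group(2)), "vlan": None, "addr": None}
            continue
        if line.startswith("interface ") or line.strip() == "!":
            current = None  # physical interface block, or end of the current block
            continue
        if current is None:
            continue
        m = re.match(r"^\s*encapsulation dot1[qQ] (\d+)", line)
        if m:
            subifs[current]["vlan"] = int(m.group(1))
            continue
        m = re.match(r"^\s*ip address (\S+) (\S+)$", line)
        if m:
            # ipaddress accepts a dotted-decimal mask after the slash
            subifs[current]["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return subifs


def audit(config, plan):
    """Return (severity, subinterface, message) findings; an empty list means clean."""
    findings = []
    for name, info in parse_subinterfaces(config).items():
        vlan, addr = info["vlan"], info["addr"]
        if vlan is None:
            findings.append(("ERROR", name, "no encapsulation dot1Q configured"))
            continue
        if vlan not in plan:
            findings.append(("ERROR", name, f"VLAN {vlan} is not in the VLAN plan"))
            continue
        if addr is None:
            findings.append(("ERROR", name, "no IP address configured"))
            continue
        if addr.network != plan[vlan]:
            findings.append(("ERROR", name,
                             f"{addr.with_prefixlen} is not in VLAN {vlan} subnet {plan[vlan]}"))
        if info["subif"] != vlan:
            findings.append(("INFO", name,
                             f"subinterface number {info['subif']} differs from VLAN {vlan}"))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit(SAMPLE_CONFIG, VLAN_PLAN):
        print(f"{severity:5} {name}: {message}")
```

The subinterface-number check is deliberately informational: as slide 25 says, numbering subinterfaces after their VLAN is a convention that eases troubleshooting, not a requirement, so only the tag and the address are treated as errors.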
26. 5.3 Layer 3 Switching

27. Layer 3 Switching Operation and Configuration: Introduction to Layer 3 Switching
• Layer 3 switches usually have packet-switching throughputs in the millions of packets per second (pps).
• All Catalyst multilayer switches support the following types of Layer 3 interfaces:
  • Routed port
  • Switch virtual interface (SVI)
• High-performance switches, such as the Catalyst 6500 and Catalyst 4500, are able to perform most of the router's functions.
• Several models of Catalyst switches require enhanced software for specific routing protocol features.

28. Layer 3 Switching Operation and Configuration: Inter-VLAN Routing with Switch Virtual Interfaces
• Today's routing has become faster and cheaper and can be performed at hardware speed.
• Routing can be transferred to core and distribution devices with little to no impact on network performance.
• Many users are in separate VLANs, and each VLAN is usually a separate subnet. This implies that each distribution switch must have IP addresses matching each access switch VLAN.
• Layer 3 (routed) ports are normally implemented between the distribution and the core layer. This model is less dependent on spanning tree, because there are no loops in the Layer 2 portion of the topology.

29. Layer 3 Switching Operation and Configuration: Inter-VLAN Routing with SVIs (cont.)
• By default, an SVI is created for the default VLAN (VLAN 1). This allows for remote switch administration.
• Any additional SVIs must be created by the administrator.
• SVIs are created the first time the VLAN interface configuration mode is entered for a particular VLAN SVI. Enter the interface vlan 10 command to create an SVI named VLAN 10.
• The VLAN number used corresponds to the VLAN tag associated with data frames on an 802.1Q encapsulated trunk.
• When the SVI is created, ensure that the specific VLAN is present in the VLAN database.

30. Layer 3 Switching Operation and Configuration: Inter-VLAN Routing with SVIs (cont.)
SVI advantages include:
• Much faster than router-on-a-stick, because everything is hardware-switched and routed.
• No need for external links from the switch to the router for routing.
• Not limited to one link. Layer 2 EtherChannels can be used between the switches to get more bandwidth.
• Latency is much lower, because traffic does not need to leave the switch.

31. Layer 3 Switching Operation and Configuration: Inter-VLAN Routing with Routed Ports
• A routed port is a physical port that acts similarly to an interface on a router.
• Routed ports are not associated with any VLANs.
• Layer 2 protocols, such as STP, do not function on a routed interface.
• Routed ports on a Cisco IOS switch do not support subinterfaces.
• To configure routed ports, use the no switchport interface configuration mode command.
Note: Routed ports are not supported on Catalyst 2960 Series switches.

32. Layer 3 Switching Operation and Configuration: Configuring Static Routes on a Catalyst 2960
The Cisco Switch Database Manager (SDM) provides multiple templates for the Cisco Catalyst 2960 switch. The SDM lanbase-routing template can be enabled to allow the switch to route between VLANs and to support static routing. Use the show sdm prefer command to verify which template is in use. The SDM template can be changed in global configuration mode with the sdm prefer command.

33. Troubleshooting Layer 3 Switching: Layer 3 Switch Configuration Issues
To troubleshoot Layer 3 switching issues, verify the following for accuracy:
VLANs
• VLANs must be defined across all the switches.
• VLANs must be enabled on the trunk ports.
• Ports must be in the right VLANs.
SVIs
• SVIs must have the correct IP address and subnet mask.
• SVIs must be up.
• SVIs must match the VLAN number.

34. Troubleshooting Layer 3 Switching: Layer 3 Switching Configuration Issues (cont.)
To troubleshoot Layer 3 switching issues, verify the following for accuracy:
Routing
• Routing must be enabled.
• Each interface or network should be added to the routing protocol.
Hosts
• Hosts must have the correct IP address and subnet mask.
• Hosts must have a default gateway associated with an SVI or routed port.

35. Chapter 5: Summary
This chapter described and explained the following concepts:
• Inter-VLAN routing, the process of routing traffic between different VLANs, using either a dedicated router or a multilayer switch
• Legacy, router-on-a-stick, and multilayer switch inter-VLAN routing
• Layer 3 switching, SVIs, and routed ports
• Troubleshooting inter-VLAN routing with a router or a Layer 3 switch
• Common errors involving VLAN, trunk, Layer 3 interface, and IP address configurations

36. Chapter 5: Summary
1. Chapter 6: Static Routing (Routing and Switching Essentials)

2. Chapter 6
6.1 Static Routing Implementation
6.2 Configure Static and Default Routes
6.3 Review of CIDR and VLSM
6.4 Configure Summary and Floating Static Routes
6.5 Troubleshoot Static and Default Route Issues
6.6 Summary

3. Chapter 6: Objectives
• Explain the advantages and disadvantages of static routing.
• Explain the purpose of different types of static routes.
• Configure IPv4 and IPv6 static routes by specifying a next-hop address.
• Configure IPv4 and IPv6 default routes.
• Explain the use of legacy classful addressing in network implementation.
• Explain the purpose of CIDR in replacing classful addressing.

4. Chapter 6: Objectives (cont.)
• Design and implement a hierarchical addressing scheme.
• Configure an IPv4 and IPv6 summary network address to reduce the number of routing table updates.
• Configure a floating static route to provide a backup connection.
• Explain how a router processes packets when a static route is configured.
• Troubleshoot common static and default route configuration issues.

5. Static Routing: Reach Remote Networks
A router can learn about remote networks in one of two ways:
• Manually - Remote networks are manually entered into the route table using static routes.
• Dynamically - Remote routes are automatically learned using a dynamic routing protocol.

6. Static Routing: Why Use Static Routing?
Static routing provides some advantages over dynamic routing, including:
• Static routes are not advertised over the network, resulting in better security.
• Static routes use less bandwidth than dynamic routing protocols, and no CPU cycles are used to calculate and communicate routes.
• The path a static route uses to send data is known.

7. Static Routing: Why Use Static Routing? (cont.)
Static routing has the following disadvantages:
• Initial configuration and maintenance is time-consuming.
• Configuration is error-prone, especially in large networks.
• Administrator intervention is required to maintain changing route information.
• Does not scale well with growing networks; maintenance becomes cumbersome.
• Requires complete knowledge of the whole network for proper implementation.

8. Static Routing: When to Use Static Routes
Static routing has three primary uses:
• Providing ease of routing table maintenance in smaller networks that are not expected to grow significantly.
• Routing to and from stub networks. A stub network is a network accessed by a single route, and the router has no other neighbors.
• Using a single default route to represent a path to any network that does not have a more specific match with another route in the routing table. Default routes are used to send traffic to any destination beyond the next upstream router.

9. Types of Static Routes: Static Route Applications
Static routes are often used to:
• Connect to a specific network.
• Provide a Gateway of Last Resort for a stub network.
• Reduce the number of routes advertised by summarizing several contiguous networks as one static route.
• Create a backup route in case a primary route link fails.

10. Types of Static Routes: Standard Static Route

11. Types of Static Routes: Default Static Route
• A default static route is a route that matches all packets.
• A default route identifies the gateway IP address to which the router sends all IP packets for which it does not have a learned or static route.
• A default static route is simply a static route with 0.0.0.0/0 as the destination IPv4 address.
12. Types of Static Routes: Summary Static Route

13. Types of Static Routes: Floating Static Route
Floating static routes are static routes that are used to provide a backup path to a primary static or dynamic route, in the event of a link failure. The floating static route is only used when the primary route is not available. To accomplish this, the floating static route is configured with a higher administrative distance than the primary route.

14. Configure IPv4 Static Routes: ip route Command

15. Configure IPv4 Static Routes: Next-Hop Options
The next hop can be identified by an IP address, exit interface, or both. How the destination is specified creates one of the three following route types:
• Next-hop route - Only the next-hop IP address is specified.
• Directly connected static route - Only the router exit interface is specified.
• Fully specified static route - The next-hop IP address and exit interface are specified.

16. Configure IPv4 Static Routes: Configure a Next-Hop Static Route
When a packet is destined for the 192.168.2.0/24 network, R1:
1. Looks for a match in the routing table and finds that it has to forward the packets to the next-hop IPv4 address 172.16.2.2.
2. Must now determine how to reach 172.16.2.2; therefore, it searches a second time for a 172.16.2.2 match.
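The two-step lookup on slide 16, the three route types on slide 15 and the default route from Chapter 4 slide 44 can be seen together in a small model of the routing table. The following Python is an added example, not code from the Cisco course: the 192.168.2.0/24 destination and the 172.16.2.2 next hop mirror the slide, while the interface names (GigabitEthernet0/0, Serial0/0/0) and the remaining routes are constructed. It performs longest-prefix matching, repeats the lookup for a next-hop-only route until an exit interface is found, and falls through to the default route when nothing more specific matches.

```python
"""Model of how a router resolves static, default and next-hop routes.

Added example, not from the slide deck. Shows the recursive lookup a
next-hop static route needs, the single step a directly connected or fully
specified static route needs, and the fall-through to the default route.
All interface names and routes other than 192.168.2.0/24 via 172.16.2.2
are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address] = None  # next-hop and fully specified routes
    exit_intf: Optional[str] = None                   # connected, directly connected, fully specified
    source: str = "S"                                 # C connected, S static, S* default static


def net(s):
    return ipaddress.ip_network(s)


def ip(s):
    return ipaddress.ip_address(s)


# Constructed routing table for a hypothetical R1.
SAMPLE_ROUTES = [
    Route(net("172.16.3.0/24"), exit_intf="GigabitEthernet0/0", source="C"),
    Route(net("172.16.2.0/24"), exit_intf="Serial0/0/0", source="C"),
    Route(net("192.168.2.0/24"), next_hop=ip("172.16.2.2")),                          # next-hop static
    Route(net("192.168.1.0/24"), exit_intf="Serial0/0/0"),                             # directly connected static
    Route(net("192.168.4.0/24"), next_hop=ip("172.16.2.2"), exit_intf="Serial0/0/0"),  # fully specified
    Route(net("0.0.0.0/0"), next_hop=ip("172.16.2.2"), source="S*"),                   # default static
]


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def longest_match(self, dest):
        """Most specific route whose prefix contains dest, or None."""
        best = None
        for r in self.routes:
            if dest in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def resolve(self, dest, max_depth=8):
        """Resolve dest to (exit interface, adjacent next hop or None, lookup path).

        A next-hop-only route names a gateway but no interface, so the router
        looks the gateway up again; this repeats until a route with an exit
        interface is found. Returns None when no route (not even a default)
        matches, or when the recursion never reaches an interface.
        """
        target = ipaddress.ip_address(dest)
        next_hop = None
        path = []
        for _ in range(max_depth):
            r = self.longest_match(target)
            if r is None:
                return None
            path.append(r)
            if r.next_hop is not None:
                next_hop = r.next_hop  # the gateway the frame is addressed to at Layer 2
            if r.exit_intf is not None:
                return r.exit_intf, next_hop, path
            target = r.next_hop        # second lookup, for the gateway itself
        return None


def lookup_summary(table, dest):
    """One-line description of the decision, in the style of a troubleshooting note."""
    res = table.resolve(dest)
    if res is None:
        return f"{dest}: no route (dropped)"
    intf, nh, path = res
    via = f"via {nh} " if nh else ""
    steps = " -> ".join(f"{r.source} {r.prefix}" for r in path)
    return f"{dest}: {via}out {intf} [{steps}]"


if __name__ == "__main__":
    table = RoutingTable(SAMPLE_ROUTES)
    for d in ("192.168.2.10", "192.168.1.5", "192.168.4.9", "172.16.3.7", "10.9.9.9"):
        print(lookup_summary(table, d))
```

Dropping the last route from SAMPLE_ROUTES shows the other half of the slide-44 statement: with no default route, a destination that matches nothing is simply unroutable.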
17. Configure IPv4 Static Routes: Configure Directly Connected Static Route

18. Configure IPv4 Static Routes: Configure a Fully Specified Static Route
In a fully specified static route:
• Both the output interface and the next-hop IP address are specified.
• This is another type of static route that is used in older IOSs, prior to CEF.
• This form of static route is used when the output interface is a multi-access interface and it is necessary to explicitly identify the next hop.
• The next hop must be directly connected to the specified exit interface.

19. Configure IPv4 Static Routes: Verify a Static Route
Along with ping and traceroute, useful commands to verify static routes include:
• show ip route
• show ip route static
• show ip route network

20. Configure IPv4 Default Routes: Default Static Route

21. Configure IPv4 Default Routes: Configure a Default Static Route

22. Configure IPv4 Default Routes: Verify a Default Static Route

23. Configure IPv6 Static Routes: The ipv6 route Command
Most of the parameters are identical to the IPv4 version of the command. IPv6 static routes can also be implemented as:
• Standard IPv6 static route
• Default IPv6 static route
• Summary IPv6 static route
• Floating IPv6 static route

24. Configure IPv6 Static Routes: Next-Hop Options
The next hop can be identified by an IPv6 address, exit interface, or both. How the destination is specified creates one of three route types:
• Next-hop IPv6 route - Only the next-hop IPv6 address is specified.
• Directly connected static IPv6 route - Only the router exit interface is specified.
• Fully specified static IPv6 route - The next-hop IPv6 address and exit interface are specified.

25. Configure IPv6 Static Routes: Configure a Next-Hop Static IPv6 Route

26. Configure IPv6 Static Routes: Configure Directly Connected Static IPv6 Route

27. Configure IPv6 Static Routes: Configure Fully Specified Static IPv6 Route

28. Configure IPv6 Static Routes: Verify IPv6 Static Routes
Along with ping and traceroute, useful commands to verify static routes include:
• show ipv6 route
• show ipv6 route static
• show ipv6 route network

29. Configure IPv6 Default Routes: Default Static IPv6 Route

30. Configure IPv6 Default Routes: Configure a Default Static IPv6 Route

31. Configure IPv6 Default Routes: Verify a Default Static Route
32. Classful Addressing: Classful Network Addressing

33. Classful Addressing: Classful Subnet Masks (Class A, Class B, Class C)

34. Classful Addressing: Classful Routing Protocol Example

35. Classful Addressing: Classful Addressing Waste

36. CIDR: Classless Inter-Domain Routing

37. CIDR: CIDR and Route Summarization

38. CIDR: Static Routing CIDR Example

39. CIDR: Classless Routing Protocol Example

40. VLSM: Fixed Length Subnet Masking

41. VLSM: Variable Length Subnet Masking

42. VLSM: VLSM in Action
VLSM allows the use of different masks for each subnet:
• After a network address is subnetted, those subnets can be further subnetted.
• VLSM is simply subnetting a subnet. VLSM can be thought of as sub-subnetting.
• Individual host addresses are assigned from the addresses of "sub-subnets".

43. VLSM: Subnetting Subnets

44. VLSM: VLSM Example

45. Configure IPv4 Summary Routes: Route Summarization
Route summarization, also known as route aggregation, is the process of advertising a contiguous set of addresses as a single address with a less-specific, shorter subnet mask:
• CIDR is a form of route summarization and is synonymous with the term supernetting.
• CIDR ignores the limitation of classful boundaries, and allows summarization with masks that are smaller than that of the default classful mask.
• This type of summarization helps reduce the number of entries in routing updates and lowers the number of entries in local routing tables.

46. Configure IPv4 Summary Routes: Calculate a Summary Route

47. Configure IPv4 Summary Routes: Summary Static Route Example

48. Configure IPv6 Summary Routes: Summarize IPv6 Network Addresses
Aside from the fact that IPv6 addresses are 128 bits long and written in hexadecimal, summarizing IPv6 addresses is actually similar to the summarization of IPv4 addresses. It just requires a few extra steps due to the abbreviated IPv6 addresses and hex conversion. Multiple static IPv6 routes can be summarized into a single static IPv6 route if:
• The destination networks are contiguous and can be summarized into a single network address.
• The multiple static routes all use the same exit interface or next-hop IPv6 address.

49. Configure IPv6 Summary Routes: Calculate IPv6 Network Addresses
There are seven steps to summarize IPv6 networks into a single IPv6 prefix:
Step 1. List the network addresses (prefixes) and identify the part where the addresses differ.
Step 2. Expand the IPv6 address if it is abbreviated.
Step 3. Convert the differing section from hex to binary.
Step 4. Count the number of far-left matching bits to determine the prefix length for the summary route.
Step 5. Copy the matching bits and then add zero bits to determine the summarized network address (prefix).
Step 6. Convert the binary section back to hex.
Step 7. Append the prefix length of the summary route (result of Step 4).
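The seven steps on slide 49 are a bit-counting procedure, and the same procedure gives the IPv4 summary routes of slide 45, so one implementation serves both. The Python below is an added example and not code from the Cisco course; it generalizes the slide's method to either address family (the ipaddress module does the expansion and hex/binary conversion that Steps 2, 3 and 6 do by hand) and adds one check a practitioner wants before advertising a summary: how much address space the summary claims that none of the original networks cover. The sample prefixes (2001:db8:acad:1::/64 to :4::/64 and 172.20.0.0/16 to 172.23.0.0/16) are constructed.

```python
"""Route summarization for IPv4 and IPv6 prefixes.

Added example, not from the slide deck. Carries out the slide's seven steps
in code, generalized to both address families: expand each network address
to full binary, count the leading bits all of them share, keep those bits
with zeros appended, and convert back. The sample prefixes are constructed.
"""
import ipaddress


def summarize(prefixes):
    """Return the single prefix that covers every network in `prefixes`.

    Steps 1-3: expand every network address to a full-width bit string.
    Step 4: count the leading bits shared by all of them. The count is capped
    by the shortest input prefix length; otherwise 10.1.0.0/16 and 10.1.0.0/24
    would "summarize" to a /32 that covers neither of them.
    Steps 5-7: keep the shared bits, zero-fill, convert back, append the length.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if not nets:
        raise ValueError("nothing to summarize")
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot summarize IPv4 and IPv6 prefixes together")
    width = nets[0].max_prefixlen  # 32 or 128
    bits = [format(int(n.network_address), f"0{width}b") for n in nets]
    limit = min(n.prefixlen for n in nets)
    common = 0
    while common < limit and len({b[common] for b in bits}) == 1:
        common += 1
    summary_int = int(bits[0][:common].ljust(width, "0"), 2)
    return ipaddress.ip_network(f"{ipaddress.ip_address(summary_int)}/{common}")


def overreach(prefixes):
    """Number of addresses the summary advertises that none of the inputs contain.

    Assumes the inputs do not overlap. A non-zero result means the summary
    attracts traffic for space the router has no more specific route to,
    which is worth knowing before the summary is advertised.
    """
    covered = sum(ipaddress.ip_network(p, strict=False).num_addresses for p in prefixes)
    return summarize(prefixes).num_addresses - covered


if __name__ == "__main__":
    v6 = ["2001:db8:acad:1::/64", "2001:db8:acad:2::/64",
          "2001:db8:acad:3::/64", "2001:db8:acad:4::/64"]
    v4 = ["172.20.0.0/16", "172.21.0.0/16", "172.22.0.0/16", "172.23.0.0/16"]
    for group in (v6, v4):
        width = ipaddress.ip_network(group[0]).max_prefixlen
        for p in group:  # Steps 2-3: the expanded binary form, for the walk-through
            n = ipaddress.ip_network(p)
            print(f"{p:24} {format(int(n.network_address), f'0{width}b')}")
        print(f"summary: {summarize(group)}  extra addresses: {overreach(group)}\n")
```

For the four /64 networks the shared prefix is 61 bits, giving 2001:db8:acad::/61; the same run shows that this summary also covers :0::/64 and :5::/64 to :7::/64, which is the caveat slide 48's "contiguous" condition hints at. The four /16 networks summarize to 172.20.0.0/14 with no extra space.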
50. 50. Configure IPv6 Summary Routes Configure an IPv6 Summary Address
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 50
51. Configure Floating Static Routes: Floating Static Routes
Floating static routes are static routes that have an administrative distance greater than the administrative distance of another static route or of dynamic routes:
• The administrative distance of a static route can be increased to make the route less desirable than another static route or a route learned through a dynamic routing protocol.
• In this way, the static route "floats" and is not used while the route with the better administrative distance is active.
• However, if the preferred route is lost, the floating static route can take over, and traffic can be sent through this alternate route.
52. Configure Floating Static Routes: Configure a Floating Static Route
53. Configure Floating Static Routes: Test the Floating Static Route
To test a floating static route:
• Use the show ip route command to verify that the routing table is using the default static route.
• Use the traceroute command to follow the traffic flow out the primary route.
• Disconnect the primary link or shut down the primary exit interface.
• Use the show ip route command to verify that the routing table is now using the floating static route.
• Use the traceroute command to follow the traffic flow out the backup route.
54. Troubleshoot Static and Default Route Issues: Static Routes and Packet Forwarding

55. Troubleshoot IPv4 Static and Default Route Configuration: Troubleshoot a Missing Route
Common IOS troubleshooting commands include:
• ping
• traceroute
• show ip route
• show ip interface brief
• show cdp neighbors detail
56. Troubleshoot IPv4 Static and Default Route Configuration: Solve a Connectivity Problem
Finding a missing (or misconfigured) route is a relatively straightforward process if the right tools are used methodically. Use the ping command to confirm that the destination cannot be reached. A traceroute also reveals the closest router (or hop) that fails to respond as expected; in this case, that router sends an Internet Control Message Protocol (ICMP) destination unreachable message back to the source. The next step is to investigate the routing table. Look for missing or misconfigured routes; incorrect static routes are a common cause of routing problems.

57. Troubleshoot IPv4 Static and Default Route Configuration: Solve a Connectivity Problem (cont.)
58. Troubleshoot IPv4 Static and Default Route Configuration: Solve a Connectivity Problem (cont.)
Refer to the topology shown in the previous slide. The user at PC1 reports that he cannot access resources on the R3 LAN. This can be confirmed by pinging the LAN interface of R3 using the LAN interface of R1 as the source (see Figure 1). The results show that there is no connectivity between these LANs. A traceroute would reveal that R2 is not responding as expected: for some reason, R2 forwards the traceroute back to R1, and R1 returns it to R2. This loop continues until the time to live (TTL) value decrements to zero, at which point the router sends an Internet Control Message Protocol (ICMP) destination unreachable message to R1.
59. Troubleshoot IPv4 Static and Default Route Configuration: Solve a Connectivity Problem (cont.)
The next step is to investigate the routing table of R2, because it is the router displaying the strange forwarding pattern. The routing table reveals that the 192.168.2.0/24 network is configured incorrectly: a static route to the 192.168.2.0/24 network has been configured using the next-hop address 172.16.2.1. Using the configured next-hop address, packets destined for the 192.168.2.0/24 network are sent back to R1. Based on the topology, the 192.168.2.0/24 network is connected to R3, not R1. Therefore, the static route to the 192.168.2.0/24 network on R2 must use next-hop 192.168.1.1, not 172.16.2.1.
60. Chapter 6: Summary
• Static routes can be configured with a next-hop IP address, which is commonly the IP address of the next-hop router. When a next-hop IP address is used, the routing table process must resolve this address to an exit interface.
• On point-to-point serial links, it is usually more efficient to configure the static route with an exit interface.
• On multi-access networks, such as Ethernet, both a next-hop IP address and an exit interface can be configured on the static route.
• Static routes have a default administrative distance of 1.
61. Chapter 6: Summary (cont.)
• A static route is only entered in the routing table if the next-hop IP address can be resolved through an exit interface.
• Whether the static route is configured with a next-hop IP address or an exit interface, if the exit interface used to forward the packet is not in the routing table, the static route is not included in the routing table.
• In many cases, several static routes can be configured as a single summary route.
62. Chapter 6: Summary (cont.)
• The ultimate summary route is a default route, configured with a 0.0.0.0 network address and a 0.0.0.0 subnet mask. If there is no more specific match in the routing table, the routing table uses the default route to forward the packet to another router.
• A floating static route can be configured to back up a main link by manipulating its administrative distance value.
1. Chapter 7: Routing Dynamically (Routing & Switching)

2. Chapter 7
7.1 Dynamic Routing Protocols
7.2 Distance Vector Dynamic Routing
7.3 RIP and RIPng Routing
7.4 Link-State Dynamic Routing
7.5 The Routing Table
7.6 Summary
3. Chapter 7: Objectives
• Explain the basic operation of dynamic routing protocols.
• Compare and contrast dynamic and static routing.
• Determine which networks are available during an initial network discovery phase.
• Define the different categories of routing protocols.
• Describe the process by which distance vector routing protocols learn about other networks.
• Identify the types of distance vector routing protocols.
• Configure the RIP routing protocol.
• Configure the RIPng routing protocol.
• Explain the process by which link-state routing protocols learn about other networks.

4. Chapter 7: Objectives (cont.)
• Describe the information sent in a link-state update.
• Describe advantages and disadvantages of using link-state routing protocols.
• Identify protocols that use the link-state routing process (OSPF, IS-IS).
• Determine the route source, administrative distance, and metric for a given route.
• Explain the concept of a parent/child relationship in a dynamically built routing table.
• Compare the IPv4 classless route lookup process and the IPv6 lookup process.
• Analyze a routing table to determine which route will be used to forward a packet.
5. Dynamic Routing Protocol Operation: The Evolution of Dynamic Routing Protocols
• Dynamic routing protocols have been used in networks since the late 1980s.
• Newer versions support communication based on IPv6.
(Figure: routing protocols classification)
6. Dynamic Routing Protocol Operation: Purpose of Dynamic Routing Protocols
Routing protocols are used to facilitate the exchange of routing information between routers. The purpose of dynamic routing protocols includes:
• Discovery of remote networks
• Maintaining up-to-date routing information
• Choosing the best path to destination networks
• Ability to find a new best path if the current path is no longer available

7. Dynamic Routing Protocol Operation: Purpose of Dynamic Routing Protocols (cont.)
Main components of dynamic routing protocols include:
• Data structures - Routing protocols typically use tables or databases for their operations. This information is kept in RAM.
• Routing protocol messages - Routing protocols use various types of messages to discover neighboring routers, exchange routing information, and perform other tasks to learn and maintain accurate information about the network.
• Algorithm - Routing protocols use algorithms to process routing information and determine the best path.

8. Dynamic Routing Protocol Operation: Purpose of Dynamic Routing Protocols (cont.)
9. Dynamic Routing Protocol Operation: The Role of Dynamic Routing Protocols
Advantages of dynamic routing include:
• Routers automatically share information about remote networks.
• Routers determine the best path to each network and add this information to their routing tables.
• Compared to static routing, dynamic routing protocols require less administrative overhead.
• They help the network administrator manage the time-consuming process of configuring and maintaining static routes.
Disadvantages of dynamic routing include:
• Part of a router's resources are dedicated to protocol operation, including CPU time and network link bandwidth.
• There are times when static routing is more appropriate.
10. Dynamic versus Static Routing: Using Static Routing
Networks typically use a combination of both static and dynamic routing. Static routing has several primary uses:
• Providing ease of routing table maintenance in smaller networks that are not expected to grow significantly.
• Routing to and from a stub network, a network with only one default route out and no knowledge of any remote networks.
• Accessing a single default router. This is used to represent a path to any network that does not have a match in the routing table.

11. Dynamic versus Static Routing: Using Static Routing (cont.)

12. Dynamic versus Static Routing: Static Routing Scorecard

13. Dynamic versus Static Routing: Dynamic Routing Scorecard
14. Routing Protocol Operating Fundamentals: Dynamic Routing Protocol Operation
In general, the operation of a dynamic routing protocol can be described as follows:
1. The router sends and receives routing messages on its interfaces.
2. The router shares routing messages and routing information with other routers that are using the same routing protocol.
3. Routers exchange routing information to learn about remote networks.
4. When a router detects a topology change, the routing protocol can advertise this change to other routers.
15. Routing Protocol Operating Fundamentals: Cold Start
• R1 adds the 10.1.0.0 network, available through interface FastEthernet 0/0, and the 10.2.0.0 network, available through interface Serial 0/0/0.
• R2 adds the 10.2.0.0 network, available through interface Serial 0/0/0, and the 10.3.0.0 network, available through interface Serial 0/0/1.
• R3 adds the 10.3.0.0 network, available through interface Serial 0/0/1, and the 10.4.0.0 network, available through interface FastEthernet 0/0.
(Figure: routers running RIPv2)
16. Routing Protocol Operating Fundamentals: Network Discovery
R1:
• Sends an update about network 10.1.0.0 out the Serial0/0/0 interface
• Sends an update about network 10.2.0.0 out the FastEthernet0/0 interface
• Receives an update from R2 about network 10.3.0.0 with a metric of 1
• Stores network 10.3.0.0 in the routing table with a metric of 1
(Figure: routers running RIPv2)

17. Routing Protocol Operating Fundamentals: Network Discovery (cont.)
R2:
• Sends an update about network 10.3.0.0 out the Serial 0/0/0 interface
• Sends an update about network 10.2.0.0 out the Serial 0/0/1 interface
• Receives an update from R1 about network 10.1.0.0 with a metric of 1
• Stores network 10.1.0.0 in the routing table with a metric of 1
• Receives an update from R3 about network 10.4.0.0 with a metric of 1
• Stores network 10.4.0.0 in the routing table with a metric of 1
(Figure: routers running RIPv2)

18. Routing Protocol Operating Fundamentals: Network Discovery (cont.)
R3:
• Sends an update about network 10.4.0.0 out the Serial 0/0/1 interface
• Sends an update about network 10.3.0.0 out the FastEthernet0/0 interface
• Receives an update from R2 about network 10.2.0.0 with a metric of 1
• Stores network 10.2.0.0 in the routing table with a metric of 1
(Figure: routers running RIPv2)
19. Routing Protocol Operating Fundamentals: Exchanging the Routing Information
R1:
• Sends an update about network 10.1.0.0 out the Serial 0/0/0 interface
• Sends an update about networks 10.2.0.0 and 10.3.0.0 out the FastEthernet0/0 interface
• Receives an update from R2 about network 10.4.0.0 with a metric of 2
• Stores network 10.4.0.0 in the routing table with a metric of 2
• The same update from R2 contains information about network 10.3.0.0 with a metric of 1. There is no change; therefore, the routing information remains the same.
(Figure: routers running RIPv2)

20. Routing Protocol Operating Fundamentals: Exchanging the Routing Information (cont.)
R2:
• Sends an update about networks 10.3.0.0 and 10.4.0.0 out the Serial 0/0/0 interface
• Sends an update about networks 10.1.0.0 and 10.2.0.0 out the Serial 0/0/1 interface
• Receives an update from R1 about network 10.1.0.0. There is no change; therefore, the routing information remains the same.
• Receives an update from R3 about network 10.4.0.0. There is no change; therefore, the routing information remains the same.
(Figure: routers running RIPv2)

21. Routing Protocol Operating Fundamentals: Exchanging the Routing Information (cont.)
R3:
• Sends an update about network 10.4.0.0 out the Serial 0/0/1 interface
• Sends an update about networks 10.2.0.0 and 10.3.0.0 out the FastEthernet0/0 interface
• Receives an update from R2 about network 10.1.0.0 with a metric of 2
• Stores network 10.1.0.0 in the routing table with a metric of 2
• The same update from R2 contains information about network 10.2.0.0 with a metric of 1. There is no change; therefore, the routing information remains the same.
(Figure: routers running RIPv2)
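The cold start, network discovery and exchange rounds of slides 15 to 21, as an added Python simulation (not Cisco code) of the distance-vector exchange between R1, R2 and R3: each round applies the RIP hop-count rule and split horizon, and the simulation reports when the tables stop changing (convergence). Router and interface names are the ones on the slides; the passive-interface switch is an assumption added to show what suppressing updates on a LAN interface does.

```python
"""Distance-vector exchange for the three-router RIPv2 topology on the slides.

Added example, not Cisco code. Networks are named as on the slides (no mask
is shown there, so none is assumed); metrics are RIP hop counts.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Set, Tuple

INFINITY = 16  # RIP: 15 hops maximum, so a metric of 16 means unreachable


class Router:
    def __init__(self, name: str, links: Dict[str, str], passive: Optional[Set[str]] = None):
        """links maps an interface name to its directly connected network."""
        self.name = name
        self.links = links
        self.passive = passive or set()  # interfaces that never send updates (assumption)
        # Cold start: the table holds only directly connected networks, metric 0.
        # table maps network -> (metric, interface the route was learned on)
        self.table: Dict[str, Tuple[int, str]] = {net: (0, iface) for iface, net in links.items()}

    def advertisement(self, out_iface: str) -> Dict[str, int]:
        """Routes announced out one interface.

        Split horizon: a route is not advertised back out the interface it was
        learned on, which is why R1 sends 10.1.0.0 out Serial0/0/0 but 10.2.0.0
        out FastEthernet0/0 (slide 16). A passive interface sends nothing at all."""
        if out_iface in self.passive:
            return {}
        return {net: metric for net, (metric, via) in self.table.items() if via != out_iface}

    def receive(self, in_iface: str, update: Dict[str, int]) -> bool:
        """Install every route the update makes new or better; report whether anything changed.

        Simplification: a route that got worse via its current neighbor is not
        updated here, since the slides only cover discovery, not failure."""
        changed = False
        for net, metric in update.items():
            new_metric = min(metric + 1, INFINITY)
            current = self.table.get(net)
            if new_metric < INFINITY and (current is None or new_metric < current[0]):
                self.table[net] = (new_metric, in_iface)
                changed = True
        return changed


# (router A, A's interface, router B, B's interface)
Link = Tuple[Router, str, Router, str]


def exchange_round(links: List[Link]) -> bool:
    """One periodic update on every link.

    Updates are collected first and applied afterwards, so both ends of a link
    see the other's table as it was at the start of the round, as on the slides."""
    pending = []
    for a, a_if, b, b_if in links:
        pending.append((b, b_if, a.advertisement(a_if)))
        pending.append((a, a_if, b.advertisement(b_if)))
    changed = False
    for router, iface, update in pending:
        changed = router.receive(iface, update) or changed
    return changed


def converge(links: List[Link], max_rounds: int = 20) -> int:
    """Exchange updates until no table changes; return how many rounds changed something."""
    for rounds in range(max_rounds):
        if not exchange_round(links):
            return rounds
    raise RuntimeError("network did not converge")


def build_topology() -> Tuple[Dict[str, Router], List[Link]]:
    """R1 -- R2 -- R3 exactly as on slide 15."""
    r1 = Router("R1", {"FastEthernet0/0": "10.1.0.0", "Serial0/0/0": "10.2.0.0"})
    r2 = Router("R2", {"Serial0/0/0": "10.2.0.0", "Serial0/0/1": "10.3.0.0"})
    r3 = Router("R3", {"Serial0/0/1": "10.3.0.0", "FastEthernet0/0": "10.4.0.0"})
    links = [(r1, "Serial0/0/0", r2, "Serial0/0/0"), (r2, "Serial0/0/1", r3, "Serial0/0/1")]
    return {"R1": r1, "R2": r2, "R3": r3}, links


if __name__ == "__main__":
    routers, links = build_topology()
    print("converged after", converge(links), "rounds of updates")
    for router in routers.values():
        for net, (metric, via) in sorted(router.table.items()):
            print(f"{router.name}: {net} metric {metric} via {via}")
```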
22. Routing Protocol Operating Fundamentals: Achieving Convergence
The network is converged when all routers have complete and accurate information about the entire network:
• Convergence time is the time it takes routers to share information, calculate best paths, and update their routing tables.
• A network is not completely operable until the network has converged.
• Convergence properties include the speed of propagation of routing information and the calculation of optimal paths. The speed of propagation refers to the amount of time it takes for routers within the network to forward routing information.
• Generally, older protocols, such as RIP, are slow to converge, whereas modern protocols, such as EIGRP and OSPF, converge more quickly.
23. Types of Routing Protocols: Classifying Routing Protocols

24. Types of Routing Protocols: IGP and EGP Routing Protocols
• Interior Gateway Protocols (IGP) - Used for routing within an AS; include RIP, EIGRP, OSPF, and IS-IS
• Exterior Gateway Protocols (EGP) - Used for routing between autonomous systems; the official routing protocol used by the Internet
25. Types of Routing Protocols: Distance Vector Routing Protocols
Distance vector IPv4 IGPs:
• RIPv1 - First generation legacy protocol
• RIPv2 - Simple distance vector routing protocol
• IGRP - First generation Cisco proprietary protocol (obsolete)
• EIGRP - Advanced version of distance vector routing
For R1, 172.16.3.0/24 is one hop away (distance). It can be reached through R2 (vector).
26. Types of Routing Protocols: Distance Vector or Link-State Routing Protocols
Distance vector protocols use routers as signposts along the path to the final destination. A link-state routing protocol is like having a complete map of the network topology. The signposts along the way from source to destination are not necessary, because all link-state routers are using an identical map of the network. A link-state router uses the link-state information to create a topology map and to select the best path to all destination networks in the topology.

27. Types of Routing Protocols: Link-State Routing Protocols
Link-state IPv4 IGPs:
• OSPF - Popular standards-based routing protocol
• IS-IS - Popular in provider networks
28. Types of Routing Protocols: Classful Routing Protocols
Classful routing protocols do not send subnet mask information in their routing updates:
• Only RIPv1 and IGRP are classful.
• Created when network addresses were allocated based on classes (class A, B, or C).
• Do not support variable length subnet masks (VLSM) or classless interdomain routing (CIDR).
• Create problems in discontiguous networks.

29. Types of Routing Protocols: Classless Routing Protocols
Classless routing protocols include subnet mask information in the routing updates:
• RIPv2, EIGRP, OSPF, and IS-IS
• Support VLSM and CIDR
• IPv6 routing protocols

30. Types of Routing Protocols: Routing Protocol Characteristics
31. Types of Routing Protocols: Routing Protocol Metrics
A metric is a measurable value that is assigned by the routing protocol to different routes based on the usefulness of that route:
• Used to determine the overall "cost" of a path from source to destination.
• Routing protocols determine the best path based on the route with the lowest cost.
32. Distance Vector Routing Protocol Operation: Distance Vector Technologies
Distance vector routing protocols:
• Share updates between neighbors
• Are not aware of the network topology
• Some send periodic updates to the broadcast IP address 255.255.255.255 even if the topology has not changed
• Updates consume bandwidth and network device CPU resources
• RIPv2 and EIGRP use multicast addresses
• EIGRP only sends an update when the topology has changed

33. Distance Vector Routing Protocol Operation: Distance Vector Algorithm
RIP uses the Bellman-Ford algorithm as its routing algorithm. IGRP and EIGRP use the Diffusing Update Algorithm (DUAL) routing algorithm developed by Cisco.
34. Types of Distance Vector Routing Protocols: Routing Information Protocol
• Updates use UDP port 520
• RIPng is based on RIPv2, with a 15-hop limitation and an administrative distance of 120
• Routing updates are broadcast every 30 seconds

35. Types of Distance Vector Routing Protocols: Enhanced Interior Gateway Routing Protocol
EIGRP:
• Uses bounded, triggered updates
• Uses a Hello keepalive mechanism
• Maintains a topology table
• Supports rapid convergence
• Supports multiple network layer protocols
36. Configuring the RIP Protocol: Router RIP Configuration Mode, Advertising Networks

37. Configuring the RIP Protocol: Examining Default RIP Settings

38. Configuring the RIP Protocol: Enabling RIPv2
39. Configuring the RIP Protocol: Disabling Auto Summarization
Like RIPv1, RIPv2 automatically summarizes networks at major network boundaries by default. To modify the default RIPv2 behavior of automatic summarization, use the no auto-summary router configuration mode command. This command has no effect when using RIPv1. When automatic summarization has been disabled, RIPv2 no longer summarizes networks to their classful address at boundary routers; RIPv2 now includes all subnets and their appropriate masks in its routing updates. The show ip protocols output now states that automatic network summarization is not in effect.

40. Configuring the RIP Protocol: Configuring Passive Interfaces
Sending out unneeded updates on a LAN impacts the network in three ways:
• Wasted bandwidth
• Wasted resources
• Security risk
41. Configuring the RIP Protocol: Propagating a Default Route

42. Configuring the RIPng Protocol: Advertising IPv6 Networks

43. Configuring the RIPng Protocol: Examining the RIPng Configuration

44. Configuring the RIPng Protocol: Examining the RIPng Configuration (cont.)

45. Link-State Routing Protocol Operation: Shortest Path First Protocols

46. Link-State Routing Protocol Operation: Dijkstra's Algorithm

47. Link-State Updates: Link-State Routing Process
48. Link-State Updates: Link and Link-State
The first step in the link-state routing process is that each router learns about its own links and its own directly connected networks.

49. Link-State Updates: Say Hello
The second step in the link-state routing process is that each router is responsible for meeting its neighbors on directly connected networks.
50. Link-State Updates: Building the Link-State Packet
The third step in the link-state routing process is that each router builds a link-state packet (LSP) containing the state of each directly connected link.
1. R1; Ethernet network 10.1.0.0/16; Cost 2
2. R1 -> R2; Serial point-to-point network; 10.2.0.0/16; Cost 20
3. R1 -> R3; Serial point-to-point network; 10.7.0.0/16; Cost 5
4. R1 -> R4; Serial point-to-point network; 10.4.0.0/16; Cost 20
51. Link-State Updates: Flooding the LSP
The fourth step in the link-state routing process is that each router floods the LSP to all neighbors, who then store all LSPs received in a database.

52. Link-State Updates: Building the Link-State Database
The final step in the link-state routing process is that each router uses the database to construct a complete map of the topology and computes the best path to each destination network.

53. Link-State Updates: Building the SPF Tree

54. Link-State Updates: Building the SPF Tree

55. Link-State Updates: Adding OSPF Routes to the Routing Table

56. Why Use Link-State Routing Protocols: Why Use Link-State Protocols?

57. Why Use Link-State Routing Protocols: Why Use Link-State Protocols?

58. Why Use Link-State Routing Protocols: Disadvantages of Link-State Protocols
59. Why Use Link-State Routing Protocols: Protocols that Use Link-State
There are only two link-state routing protocols:
• Open Shortest Path First (OSPF), the most popular: began in 1987; two current versions: OSPFv2 - OSPF for IPv4 networks, and OSPFv3 - OSPF for IPv6 networks
• IS-IS was designed by the International Organization for Standardization (ISO)

60. Parts of an IPv4 Route Entry: Routing Table Entries

61. Parts of an IPv4 Route Entry: Directly Connected Entries

62. Parts of an IPv4 Route Entry: Remote Network Entries
63. Dynamically Learned IPv4 Routes: Routing Table Terms
Routes are discussed in terms of:
• Ultimate route
• Level 1 route
• Level 1 parent route
• Level 2 child routes

64. Dynamically Learned IPv4 Routes: Ultimate Route
An ultimate route is a routing table entry that contains either a next-hop IP address or an exit interface. Directly connected, dynamically learned, and link local routes are ultimate routes.

65. Dynamically Learned IPv4 Routes: Level 1 Route

66. Dynamically Learned IPv4 Routes: Level 1 Parent Route

67. Dynamically Learned IPv4 Routes: Level 2 Child Route
68. The Routing Table: Route Lookup Process
1. If the best match is a level 1 ultimate route, then this route is used to forward the packet.
2. If the best match is a level 1 parent route, proceed to the next step.
3. The router examines the child routes (the subnet routes) of the parent route for a best match.
4. If there is a match with a level 2 child route, that subnet is used to forward the packet.
5. If there is not a match with any of the level 2 child routes, proceed to the next step.

69. The Routing Table: Route Lookup Process (cont.)
6. The router continues searching level 1 supernet routes in the routing table for a match, including the default route, if there is one.
7. If there is now a lesser match with a level 1 supernet route or a default route, the router uses that route to forward the packet.
8. If there is not a match with any route in the routing table, the router drops the packet.

70. The IPv4 Route Lookup Process: Best Route = Longest Match
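The lookup process above (longest match, fall back to the default route, otherwise drop) together with the rules from the Chapter 6 slides on floating static routes and on next-hop resolution, as one added Python model (not Cisco IOS code): per prefix the lowest administrative distance wins, a static route is installed only while its exit interface is up or its next hop resolves through another installed route, and shutting down the primary interface lets the floating static route take over. The R1 interfaces and addresses in build_r1 are constructed assumptions, not taken from the slides.

```python
"""Route installation and lookup as described on the slides.

Added example, not Cisco IOS code. The R1 topology below is constructed:
interface names and addresses are assumptions (private and documentation ranges).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str                  # e.g. "192.168.2.0/24"; "0.0.0.0/0" is the default route
    source: str                  # "C" connected, "S" static, "R" RIP, "O" OSPF
    ad: int                      # administrative distance (C=0, S=1, O=110, R=120)
    next_hop: Optional[str] = None
    exit_if: Optional[str] = None

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)


class RoutingTable:
    def __init__(self, up_interfaces: Set[str]):
        self.up_interfaces = set(up_interfaces)
        self.candidates: List[Route] = []  # every route the router has been told about

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def interface_down(self, name: str) -> None:
        self.up_interfaces.discard(name)

    def interface_up(self, name: str) -> None:
        self.up_interfaces.add(name)

    def _resolvable(self, route: Route, installed: Dict[str, Route]) -> bool:
        """A route with an exit interface needs that interface up (Chapter 6, slide 61);
        a next-hop-only route needs the next hop inside some installed, non-default route."""
        if route.exit_if is not None:
            return route.exit_if in self.up_interfaces
        nh = ipaddress.ip_address(route.next_hop)
        return any(r.network.prefixlen > 0 and nh in r.network for r in installed.values())

    def installed(self) -> List[Route]:
        """Routes that actually enter the table: per prefix, the lowest AD among
        resolvable candidates. Iterated to a fixpoint because a static route may
        resolve through a route installed earlier in the same pass."""
        installed: Dict[str, Route] = {}
        changed = True
        while changed:
            changed = False
            for r in self.candidates:
                current = installed.get(r.prefix)
                if current is r or not self._resolvable(r, installed):
                    continue
                if current is None or r.ad < current.ad:
                    installed[r.prefix] = r
                    changed = True
        return list(installed.values())

    def lookup(self, destination: str) -> Optional[Route]:
        """Steps 1-8: longest-prefix match over installed routes; the /0 default
        route is the weakest match, and None means the packet is dropped."""
        dst = ipaddress.ip_address(destination)
        best: Optional[Route] = None
        for r in self.installed():
            if dst in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
                best = r
        return best


def build_r1(with_default: bool = True) -> RoutingTable:
    """Constructed R1: LAN on GigabitEthernet0/0, primary WAN link on Serial0/0/0,
    backup WAN link on Serial0/0/1."""
    rt = RoutingTable({"GigabitEthernet0/0", "Serial0/0/0", "Serial0/0/1"})
    rt.add(Route("192.168.1.0/24", "C", 0, exit_if="GigabitEthernet0/0"))
    rt.add(Route("172.16.2.0/24", "C", 0, exit_if="Serial0/0/0"))
    rt.add(Route("10.10.10.0/30", "C", 0, exit_if="Serial0/0/1"))
    # Static route to a remote LAN configured with a next hop only: must be resolved
    rt.add(Route("192.168.2.0/24", "S", 1, next_hop="172.16.2.2"))
    if with_default:
        rt.add(Route("0.0.0.0/0", "S", 1, exit_if="Serial0/0/0"))  # primary default route
        rt.add(Route("0.0.0.0/0", "S", 5, exit_if="Serial0/0/1"))  # floating static, AD 5
    return rt


if __name__ == "__main__":
    rt = build_r1()
    for state in ("primary up", "primary down"):
        if state == "primary down":
            rt.interface_down("Serial0/0/0")  # the test step "shut down the primary exit interface"
        print(state, "->", rt.lookup("203.0.113.7"), "|", rt.lookup("192.168.2.10"))
```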
71. The IPv4 Route Lookup Process: IPv6 Routing Table Entries
The components of the IPv6 routing table are very similar to those of the IPv4 routing table (directly connected interfaces, static routes, and dynamically learned routes). Because IPv6 is classless by design, all routes are effectively level 1 ultimate routes. There are no level 1 parent or level 2 child routes.

72. Analyze an IPv6 Routing Table: Directly Connected Entries

73. Analyze an IPv6 Routing Table: Remote IPv6 Network Entries
74. Chapter 7: Summary
Dynamic routing protocols:
• Used by routers to automatically learn about remote networks from other routers
• Purpose includes: discovery of remote networks, maintaining up-to-date routing information, choosing the best path to destination networks, and the ability to find a new best path if the current path is no longer available
• Best choice for large networks, but static routing is better for stub networks
• Function to inform other routers about changes
• Can be classified as either classful or classless, distance vector or link-state, and an interior or an exterior gateway protocol
75. Chapter 7: Summary (cont.)
Dynamic routing protocols:
• A link-state routing protocol can create a complete view or topology of the network by gathering information from all of the other routers
• Metrics are used to determine the best path or shortest path to reach a destination network
• Different routing protocols may use different metrics (hops, bandwidth, delay, reliability, and load)
• The show ip protocols command displays the IPv4 routing protocol settings currently configured on the router; for IPv6, use show ipv6 protocols
76. Chapter 7: Summary (cont.)
Dynamic routing protocols:
• Cisco routers use the administrative distance value to determine which routing source to use
• Each dynamic routing protocol has a unique administrative distance value, as do static routes and directly connected networks; the lower value is preferred
• Directly connected networks are the preferred source, followed by static routes and then the various dynamic routing protocols
• An OSPF link is an interface on a router; information about the state of the links is known as link-states
• Link-state routing protocols apply Dijkstra's algorithm to calculate the best path, using the accumulated costs along each path, from source to destination, to determine the total cost of a route
77. 77. Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
77
Chapter 8: Single-Area OSPF (Routing & Switching)

2. Chapter 8 outline: 8.1 Characteristics of OSPF; 8.2 Configuring Single-area OSPFv2; 8.3 Configuring Single-area OSPFv3

3. Chapter 8: Objectives

4. Open Shortest Path First: Evolution of OSPF (timeline figure of interior gateway protocols: 1988, 1989, updated in 2008)

5. Open Shortest Path First: Features of OSPF

6. Open Shortest Path First: Components of OSPF

7. Open Shortest Path First: Components of OSPF (cont.). OSPF routers exchange packets. These packets are used to discover neighboring routers and to exchange routing information, so that each router maintains accurate information about the network.
8. Open Shortest Path First: Link-State Operation. If a neighbor is present, the OSPF-enabled router attempts to establish a neighbor adjacency with that neighbor.

9. Link-State Operation (cont.). LSAs contain the state and cost of each directly connected link. Routers flood their LSAs to adjacent neighbors. Each adjacent neighbor that receives an LSA immediately floods it on to its other directly connected neighbors, until all routers in the area hold all LSAs.

10. Link-State Operation (cont.). Build the topology table (the link-state database) from the received LSAs. This database eventually holds all of the information about the topology of the network. Then execute the SPF algorithm on it.

11. Link-State Operation (cont.). From the resulting SPF tree, the best paths are inserted into the routing table.

12. Open Shortest Path First: Single-area and Multiarea OSPF

13. Single-area and Multiarea OSPF (cont.)

14. OSPF Messages: Encapsulating OSPF Messages
15. OSPF Messages: Types of OSPF Packets

16. OSPF Messages: Hello Packet. OSPF type 1 packet = Hello packet. It is used to discover OSPF neighbors and establish neighbor adjacencies, to advertise the parameters on which two routers must agree to become neighbors, and to elect the Designated Router (DR) and Backup Designated Router (BDR) on multiaccess networks such as Ethernet and Frame Relay.

17. OSPF Messages: Hello Packet (cont.)

18. OSPF Messages: Hello Packet Intervals. OSPF Hello packets are transmitted to 224.0.0.5 in IPv4 and FF02::5 in IPv6 (the all-OSPF-routers addresses); every 10 seconds by default on multiaccess and point-to-point networks; and every 30 seconds by default on non-broadcast multiaccess (NBMA) networks. The Dead interval is the period a router waits to receive a Hello before declaring the neighbor down; Cisco's default is four times the Hello interval. When it expires, the router removes the neighbor from its link-state database and floods the updated link-state information out all OSPF-enabled interfaces.

19. OSPF Messages: Link-State Updates
20. OSPF Operation: OSPF Operational States. When an OSPF router is first connected to a network, it attempts to create adjacencies with neighbors, exchange routing information, calculate the best routes, and reach convergence. OSPF progresses through several neighbor states (Down, Init, Two-Way, ExStart, Exchange, Loading, Full) while working toward convergence.

21. OSPF Operation: Establish Neighbor Adjacencies

22. Establish Neighbor Adjacencies (cont.). DR and BDR election only occurs on multiaccess networks such as Ethernet LANs.

23. OSPF Operation: OSPF DR and BDR

24. OSPF Operation: Synchronizing the OSPF Database

25. Synchronizing the OSPF Database (cont.)

26. OSPF Router ID: OSPF Network Topology

27. OSPF Router ID: Router IDs

28. Configure Single-area OSPFv2: The network Command

29. Configure Single-area OSPFv2: Passive Interface. By default, OSPF messages are sent out all OSPF-enabled interfaces, but they are only needed on interfaces that connect to other OSPF-enabled routers. Sending them onto a LAN with no OSPF neighbors affects the network in three ways: inefficient use of bandwidth, inefficient use of router resources, and increased security risk, because every host on that LAN sees the Hello packets and the parameters they carry, and a rogue device on the segment could attempt to form an adjacency and inject routes. The passive-interface feature limits the scope of routing advertisements.

30. Configure Single-area OSPFv2: Configuring Passive Interfaces. Use the passive-interface router configuration mode command to prevent the transmission of routing messages through a router interface while still allowing that interface's network to be advertised to other routers. On a router with many LAN interfaces, passive-interface default makes every interface passive, after which the few transit links are re-enabled with no passive-interface.
31. OSPF Cost: OSPF Metric = Cost. Cost = reference bandwidth / interface bandwidth. The default reference bandwidth is 10^8 b/s, so cost = 100,000,000 b/s / interface bandwidth in b/s. The result is truncated to an integer with a minimum of 1, which is why, with the default reference, every interface of 100 Mb/s or faster has the same cost of 1.

32. OSPF Cost: OSPF Accumulates Costs. The cost of an OSPF route is the accumulated value of the outgoing interface costs from the router to the destination network.

33. OSPF Cost: Adjusting the Reference Bandwidth. Use the auto-cost reference-bandwidth router configuration command. It must be configured with the same value on every router in the OSPF domain, otherwise routers calculate different costs for the same links. Notice that the value is expressed in Mb/s: for Gigabit Ethernet, auto-cost reference-bandwidth 1000; for 10 Gigabit Ethernet, auto-cost reference-bandwidth 10000.

34. OSPF Cost: Default Interface Bandwidths. On Cisco routers, the default bandwidth on most serial interfaces is set to 1.544 Mb/s (cost 64 with the default reference bandwidth), regardless of the actual clock rate of the link.

35. OSPF Cost: Adjusting the Interface Bandwidths

36. OSPF Cost: Manually Setting the OSPF Cost. Both the bandwidth interface command and the ip ospf cost interface command achieve the same result, which is to give OSPF an accurate value for determining the best route. The difference is that ip ospf cost sets the cost directly and overrides the reference-bandwidth calculation for that interface, whereas bandwidth changes the value the calculation starts from and is also read by other features that use the interface bandwidth.
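The following Python script is an added illustration of the cost arithmetic on slides 31 to 36; it is not part of the Cisco deck. It applies the IOS formula (reference bandwidth divided by interface bandwidth, truncated, minimum 1) to the usual IOS default bandwidth values, shows why the default 100 Mb/s reference cannot tell Fast Ethernet from Gigabit or 10 Gigabit links, and compares a two-hop Gigabit path with a one-hop Fast Ethernet path under each reference. The bandwidth table is constructed for the example.

```python
"""OSPF interface cost and accumulated path cost as the CCNA material describes it.

Added illustration, not code from the Cisco deck. Interface bandwidths are the
usual IOS defaults in kb/s; the reference bandwidths are the ones on the slides.
"""


def ospf_cost(interface_bw_kbps: int, reference_bw_mbps: int = 100) -> int:
    """Cisco IOS cost: reference bandwidth / interface bandwidth, truncated, never below 1."""
    cost = (reference_bw_mbps * 1_000_000) // (interface_bw_kbps * 1_000)
    return max(cost, 1)


def path_cost(interface_bws_kbps, reference_bw_mbps: int = 100) -> int:
    """Accumulated cost = sum of the outgoing interface costs along the path."""
    return sum(ospf_cost(bw, reference_bw_mbps) for bw in interface_bws_kbps)


# IOS default 'bandwidth' values in kb/s (constructed table for the example)
SERIAL_T1 = 1_544
FAST_ETHERNET = 100_000
GIGABIT_ETHERNET = 1_000_000
TEN_GIGABIT_ETHERNET = 10_000_000
INTERFACES = (SERIAL_T1, FAST_ETHERNET, GIGABIT_ETHERNET, TEN_GIGABIT_ETHERNET)


def compare_reference_bandwidths() -> dict:
    """Cost of each interface type under the default, 1000 and 10000 Mb/s references.
    With the default, FE, GE and 10GE all collapse to cost 1."""
    return {ref: [ospf_cost(bw, ref) for bw in INTERFACES] for ref in (100, 1000, 10000)}


def best_path(paths: dict, reference_bw_mbps: int = 100) -> str:
    """Name of the path with the lowest accumulated cost (ties keep dict order)."""
    return min(paths, key=lambda name: path_cost(paths[name], reference_bw_mbps))


if __name__ == "__main__":
    for ref, costs in compare_reference_bandwidths().items():
        print(f"reference {ref:>5} Mb/s -> T1={costs[0]} FE={costs[1]} GE={costs[2]} 10GE={costs[3]}")
    # Two candidate paths to the same network: two Gigabit hops vs one Fast Ethernet hop.
    # With the default reference the slower single FE hop wins (cost 1 vs 2); with a
    # 10000 Mb/s reference the Gigabit path wins (cost 20 vs 100).
    candidates = {"via-gigabit": [GIGABIT_ETHERNET, GIGABIT_ETHERNET],
                  "via-fastethernet": [FAST_ETHERNET]}
    for ref in (100, 10000):
        print(f"reference {ref:>5}: best path = {best_path(candidates, ref)}")
```

The point to take from the second loop is the one slide 33 makes: changing auto-cost reference-bandwidth on only some routers in the domain would leave them disagreeing about which of these two paths is shorter.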
37. Verify OSPF: Verify OSPF Neighbors. Verify that the router has formed an adjacency with each of its neighboring routers (show ip ospf neighbor).

38. Verify OSPF: Verify OSPF Protocol Settings (show ip protocols)

39. Verify OSPF: Verify OSPF Process Information (show ip ospf)

40. Verify OSPF: Verify OSPF Interface Settings (show ip ospf interface)

41. OSPFv2 vs. OSPFv3: OSPFv3

42. OSPFv2 vs. OSPFv3: Similarities Between OSPFv2 and OSPFv3

43. OSPFv2 vs. OSPFv3: Differences Between OSPFv2 and OSPFv3

44. OSPFv2 vs. OSPFv3: Link-Local Addresses. FF02::5 is the all-OSPF-routers multicast address and FF02::6 is the DR/BDR (all-designated-routers) multicast address. OSPFv3 sources its packets from the interface's link-local address rather than from a global unicast address.

45. Configuring OSPFv3: OSPFv3 Network Topology

46. Configuring OSPFv3: OSPFv3 Network Topology (cont.)
47. Configuring OSPFv3: Link-Local Addresses. A link-local address is created automatically when an IPv6 global unicast address is assigned to an interface (or when the interface is enabled for IPv6 with ipv6 enable). OSPFv3 requires a link-local address on each participating interface; a global unicast address is not required. Cisco routers build the link-local address from the FE80::/10 prefix and the EUI-64 process unless it is configured manually. EUI-64 takes the 48-bit Ethernet MAC address, inserts FFFE in the middle, and flips the seventh bit of the first byte (the universal/local bit). Serial interfaces have no MAC address, so Cisco uses the MAC address of an Ethernet interface on the same router; that is why, in the figure, all three interfaces carry the same link-local address, which is legal because link-local addresses only need to be unique on their own link.
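The following Python script is an added illustration of the EUI-64 derivation described on slide 47; it is not part of the Cisco deck. It performs the two operations the slide names (insert FFFE, flip the seventh bit of the first byte), prepends FE80::/64, and shows that feeding the same borrowed Ethernet MAC to several interfaces yields identical link-local addresses. The MAC addresses used are constructed.

```python
"""Modified EUI-64 derivation of an IPv6 link-local address from a 48-bit MAC.

Added example, not from the Cisco deck. The MAC addresses below are constructed.
"""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Split the MAC in half, insert FF:FE, and invert bit 7 (the U/L bit) of byte 0.
    Accepts colon, dash or Cisco dotted-quad notation."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02  # flip the universal/local bit (bit 7 from the left)
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix followed by the 64-bit modified EUI-64 interface identifier."""
    prefix = bytes.fromhex("fe80000000000000")  # fe80:0000:0000:0000
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))


def shares_link_local(macs) -> bool:
    """True when every interface in the list derives the same link-local address.
    Serial interfaces borrow an Ethernet MAC, so this is the expected result
    for several interfaces on one router, and it is valid because link-local
    addresses only have to be unique per link."""
    return len({link_local_from_mac(m) for m in macs}) == 1


if __name__ == "__main__":
    ethernet_mac = "00:1a:2b:3c:4d:5e"            # constructed
    print(link_local_from_mac(ethernet_mac))       # fe80::21a:2bff:fe3c:4d5e
    # G0/0, S0/0/0 and S0/0/1 all reusing the Ethernet MAC, as in the slide's figure
    print(shares_link_local([ethernet_mac, "001a.2b3c.4d5e", "00-1A-2B-3C-4D-5E"]))
```

The flipped bit is the one that trips people up when checking a show ipv6 interface output by hand: a MAC beginning 00 produces an interface ID beginning 02, and a locally administered MAC beginning 02 produces one beginning 00.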
48. Configuring OSPFv3: Assigning Link-Local Addresses. Manually configuring the link-local address lets you choose an address that is recognizable and easier to remember, and therefore easier to pick out in neighbor and routing-table output.

49. Configuring OSPFv3: Configuring the OSPFv3 Router ID

50. Configuring the OSPFv3 Router ID (cont.)

51. Configuring OSPFv3: Modifying an OSPFv3 Router ID

52. Configuring OSPFv3: Enabling OSPFv3 on Interfaces. Instead of the network router configuration mode command, which selects interfaces by matching their addresses, OSPFv3 is enabled directly on each interface (ipv6 ospf process-id area area-id in interface configuration mode).

53. Verify OSPFv3: Verify OSPFv3 Neighbors/Protocol Settings

54. Verify OSPFv3: Verify OSPFv3 Interfaces

55. Verify OSPFv3: Verify IPv6 Routing Table
56. Chapter 8: Summary. OSPF for IPv4 is OSPFv2; OSPF for IPv6 is OSPFv3. OSPF is a classless, link-state routing protocol with a default administrative distance of 110, and its routes appear in the routing table with a route source code of O. OSPFv2 is enabled with the router ospf process-id global configuration mode command. The process-id value is locally significant, which means it does not need to match on other OSPF routers for adjacencies to form. The network command takes a wildcard mask, which is the inverse of the subnet mask, and an area-id value.

57. Chapter 8: Summary (cont.). By default, OSPF Hello packets are sent every 10 seconds on multiaccess and point-to-point segments and every 30 seconds on NBMA segments (Frame Relay, X.25, ATM), and are used to establish neighbor adjacencies. The Dead interval is four times the Hello interval by default. For routers to become adjacent, their Hello interval, Dead interval, network type, and subnet mask must match. Use the show ip ospf neighbor command to verify OSPF adjacencies. On a multiaccess network, OSPF elects a DR to act as the collection and distribution point for LSAs sent and received, and a BDR to take over the DR role should the DR fail. All other routers are known as DROTHERs. All routers send their LSAs to the DR, which then floods them to all other routers in the multiaccess network.

58. Chapter 8: Summary (cont.). On multiaccess networks, the router with the highest router ID becomes the DR and the router with the second-highest router ID becomes the BDR. This can be overridden with the ip ospf priority interface command: the router with the highest priority becomes the DR and the next-highest the BDR. A priority of 0 makes a router ineligible, and the election is not preemptive, so a router that joins later with a better priority or router ID does not take over until the current DR fails. The show ip protocols command verifies important OSPF configuration information, including the OSPF process ID, the router ID, and the networks the router is advertising. OSPFv3 is enabled on an interface and not under router configuration mode. OSPFv3 needs link-local addresses to be configured. IPv6 unicast routing must be enabled (ipv6 unicast-routing) for OSPFv3. A 32-bit router ID is required before an interface can be enabled for OSPFv3.
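The following Python script is an added illustration of the DR/BDR election rule stated in this summary (highest priority, then highest router ID, priority 0 ineligible); it is not part of the Cisco deck. The router IDs and priorities on the constructed segment are chosen so that a high ip ospf priority beats a higher router ID, and so that router IDs are compared as 32-bit numbers rather than as strings.

```python
"""OSPF DR/BDR election on a multiaccess segment, following the chapter summary.

Added example, not from the Cisco deck. Router IDs and priorities are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class OspfRouter:
    router_id: str      # 32-bit dotted-decimal router ID, e.g. "1.1.1.1"
    priority: int = 1   # 'ip ospf priority' on the segment interface; IOS default is 1

    @property
    def rid_value(self) -> int:
        # Compare router IDs numerically: "10.0.0.1" must beat "9.0.0.1",
        # which a plain string comparison would get wrong.
        return int(ipaddress.IPv4Address(self.router_id))


def election_key(router: OspfRouter):
    """Highest priority wins; equal priorities are broken by the highest router ID."""
    return (router.priority, router.rid_value)


def elect_dr_bdr(routers):
    """Run a fresh election with no incumbent and return (dr, bdr).

    Routers with priority 0 are ineligible. Real OSPF is also non-preemptive:
    a router that joins later with a better key does not displace the sitting
    DR. That steady-state behaviour is deliberately not modelled here; this
    function answers "who wins when everyone comes up at once".
    """
    eligible = sorted((r for r in routers if r.priority > 0),
                      key=election_key, reverse=True)
    dr = eligible[0] if eligible else None
    bdr = eligible[1] if len(eligible) > 1 else None
    return dr, bdr


if __name__ == "__main__":
    segment = [                                  # constructed Ethernet segment
        OspfRouter("192.168.10.1"),              # default priority 1
        OspfRouter("3.3.3.3"),
        OspfRouter("2.2.2.2", priority=0),       # never DR or BDR
        OspfRouter("1.1.1.1", priority=200),     # wins despite the lowest router ID
    ]
    dr, bdr = elect_dr_bdr(segment)
    print("with priorities: DR", dr.router_id, "BDR", bdr.router_id)
    # Same segment with every router at the default priority: router ID decides.
    dr, bdr = elect_dr_bdr([OspfRouter(r.router_id) for r in segment])
    print("all defaults:    DR", dr.router_id, "BDR", bdr.router_id)
```

Because the real election is not preemptive, the router this script names DR is only guaranteed to be the DR if it was up when the segment first converged; when the show ip ospf neighbor output disagrees with the expected winner, that is usually why.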
59. Chapter 8: Summary (cont.). OSPFv3 recap: it is enabled on an interface and not under router configuration mode; it needs link-local addresses to be configured; IPv6 unicast routing must be enabled; a 32-bit router ID is required before an interface can be enabled for OSPFv3; and the show ipv6 protocols command is a quick way to verify configuration information (OSPF process ID, router ID, and the interfaces enabled for OSPFv3).
Chapter 9: Access Control Lists (Routing & Switching)

2. Chapter 9 outline: 9.1 IP ACL Operation; 9.2 Standard IPv4 ACLs; 9.3 Extended IPv4 ACLs; 9.4 Contextual Unit: Debug with ACLs; 9.5 Troubleshoot ACLs; 9.6 Contextual Unit: IPv6 ACLs; 9.7 Summary

3. Chapter 9: Objectives. Explain how ACLs are used to filter traffic. Compare standard and extended IPv4 ACLs. Explain how ACLs use wildcard masks. Explain the guidelines for creating ACLs. Explain the guidelines for placement of ACLs. Configure standard IPv4 ACLs to filter traffic according to networking requirements. Modify a standard IPv4 ACL using sequence numbers. Configure a standard ACL to secure vty access.

4. Chapter 9: Objectives (continued). Explain the structure of an extended access control entry (ACE). Configure extended IPv4 ACLs to filter traffic according to networking requirements. Configure an ACL to limit debug output. Explain how a router processes packets when an ACL is applied. Troubleshoot common ACL errors using CLI commands. Compare IPv4 and IPv6 ACL creation. Configure IPv6 ACLs to filter traffic according to networking requirements.

5. Purpose of ACLs: What is an ACL?

6. Purpose of ACLs: A TCP Conversation

7. Purpose of ACLs: Packet Filtering. Packet filtering, sometimes called static packet filtering, controls access to a network by analyzing incoming and outgoing packets and passing or dropping them based on given criteria, such as the source IP address, the destination IP address, and the protocol carried within the packet. A router acts as a packet filter when it forwards or denies packets according to filtering rules. An ACL is a sequential list of permit or deny statements, known as access control entries (ACEs). "Static" here means stateless: each packet is judged on its own header fields with no memory of the conversation it belongs to, which is why the return traffic of a permitted TCP conversation must itself be permitted by the ACL on the reverse path.

8. Purpose of ACLs: Packet Filtering (cont.)

9. Purpose of ACLs: ACL Operation. The last statement of an ACL is always an implicit deny. It is automatically in effect at the end of every ACL even though it does not appear in the configuration, and it blocks all traffic that no earlier statement permitted. Because of this implicit deny, an ACL that does not contain at least one permit statement blocks all traffic. Matches against the implicit deny are neither counted in show access-lists nor logged, so when you need to see what an ACL is dropping, add an explicit deny any log as the final statement.

10. Standard versus Extended IPv4 ACLs: Types of Cisco IPv4 ACLs (standard ACLs and extended ACLs)

11. Standard versus Extended IPv4 ACLs: Numbering and Naming ACLs
12. Wildcard Masks in ACLs: Introducing ACL Wildcard Masking. Wildcard masks and subnet masks differ in how they treat binary 1s and 0s. A wildcard mask uses these rules: a wildcard mask bit of 0 means match the corresponding bit of the address, and a wildcard mask bit of 1 means ignore the corresponding bit of the address. Wildcard masks are often called inverse masks because, unlike a subnet mask, in which a binary 1 marks a bit that must match and a binary 0 a bit that does not, in a wildcard mask the reverse is true.

13. Wildcard Masks in ACLs: Wildcard Mask Examples: Hosts / Subnets

14. Wildcard Masks in ACLs: Wildcard Mask Examples: Match Ranges

15. Wildcard Masks in ACLs: Calculating the Wildcard Mask. Calculating wildcard masks can be challenging. One shortcut is to subtract the subnet mask from 255.255.255.255; for example, 255.255.255.255 minus 255.255.252.0 gives the wildcard 0.0.3.255.

16. Wildcard Masks in ACLs: Wildcard Mask Keywords (host stands for the wildcard 0.0.0.0, matching one address exactly; any stands for 0.0.0.0 255.255.255.255, matching every address)

17. Wildcard Masks in ACLs: Examples of Wildcard Mask Keywords

18. Guidelines for ACL Creation: General Guidelines for Creating ACLs. Use ACLs in firewall routers positioned between your internal network and an external network such as the Internet. Use ACLs on a router positioned between two parts of your network to control traffic entering or exiting a specific part of your internal network. Configure ACLs on border routers, that is, routers situated at the edges of your network. Configure ACLs for each network protocol configured on the border router interfaces.

19. General Guidelines for Creating ACLs (cont.): The Three Ps. One ACL per protocol: to control traffic flow on an interface, an ACL must be defined for each protocol enabled on the interface. One ACL per direction: ACLs control traffic in one direction at a time on an interface, so two separate ACLs are needed to control inbound and outbound traffic. One ACL per interface: an ACL controls traffic for a single interface, for example GigabitEthernet 0/0.

20. Guidelines for ACL Creation: ACL Best Practices

21. Guidelines for ACL Placement: Where to Place ACLs. Every ACL should be placed where it has the greatest impact on efficiency. The basic rules are: locate extended ACLs as close as possible to the source of the traffic to be filtered, so that unwanted traffic is dropped before it crosses the network; and, because standard ACLs do not specify destination addresses, place them as close to the destination as possible, otherwise they would cut the source off from every destination beyond that point rather than only the intended one. Placement, and therefore the type of ACL used, may also depend on the extent of the network administrator's control, the bandwidth of the networks involved, and ease of configuration.

22. Guidelines for ACL Placement: Standard ACL Placement

23. Guidelines for ACL Placement: Extended ACL Placement

24. Configure Standard IPv4 ACLs: Entering Criteria Statements

25. Configure Standard IPv4 ACLs: Configuring a Standard ACL. Example ACL:
access-list 2 deny host 192.168.10.10
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny 192.168.0.0 0.0.255.255
access-list 2 permit 192.0.0.0 0.255.255.255
Read top to bottom: the single host is denied, the rest of its /24 is permitted, the rest of 192.168.0.0/16 is denied, the rest of 192.0.0.0/8 is permitted, and every other source falls through to the implicit deny.
26. Configure Standard IPv4 ACLs: Configuring a Standard ACL (cont.). The full syntax of the standard ACL command is: Router(config)# access-list access-list-number { deny | permit | remark } source [ source-wildcard ] [ log ]. To remove the ACL, use the global configuration no access-list command. The remark keyword is used for documentation and makes access lists a great deal easier to understand.

27. Configure Standard IPv4 ACLs: Internal Logic. Cisco IOS applies an internal logic when accepting and processing standard access list statements. As discussed previously, access list statements are processed sequentially, so the order in which statements are entered is important.

28. Configure Standard IPv4 ACLs: Applying Standard ACLs to Interfaces. After a standard ACL is configured, it is linked to an interface with the ip access-group command in interface configuration mode: Router(config-if)# ip access-group { access-list-number | access-list-name } { in | out }. To remove an ACL from an interface, first enter no ip access-group on the interface, and only then the global no access-list command to delete the ACL itself. The order matters: an ip access-group that references an ACL with no statements permits all traffic, so deleting a numbered ACL while it is still applied (for example, to retype it) leaves the interface wide open until the new statements have been entered.

29. Configure Standard IPv4 ACLs: Applying Standard ACLs to Interfaces (cont.)

30. Configure Standard IPv4 ACLs: Creating Named Standard ACLs

31. Configure Standard IPv4 ACLs: Commenting ACLs

32. Modify IPv4 ACLs: Editing Standard Numbered ACLs

33. Modify IPv4 ACLs: Editing Standard Numbered ACLs (cont.)

34. Modify IPv4 ACLs: Editing Standard Named ACLs

35. Modify IPv4 ACLs: Verifying ACLs

36. Modify IPv4 ACLs: ACL Statistics

37. Modify IPv4 ACLs: Standard ACL Sequence Numbers. Another part of the IOS internal logic is the internal sequencing of standard ACL statements. In the example, range statements that deny three networks are configured first, followed by five host statements. The host statements are all valid because their host addresses are not part of the previously entered range statements (IOS rejects a host statement whose address an earlier range already covers). The show command lists the host statements first, and not necessarily in the order they were entered: IOS orders host statements with a hashing function that optimizes the lookup of host entries. This reordering is safe precisely because no host entry can overlap a range entry.

38. Securing VTY Ports with a Standard IPv4 ACL: Configuring a Standard ACL to Secure a VTY Port. Filtering Telnet or SSH traffic is normally an extended ACL function because it filters a higher-layer protocol. However, because the access-class command filters incoming or outgoing Telnet/SSH sessions on the vty lines by source address, a standard ACL is sufficient: Router(config-line)# access-class access-list-number { in [ vrf-also ] | out }. Apply it to every vty line (line vty 0 4, or 0 15 on platforms with sixteen lines), because a vty line without the access-class remains reachable from any source.

39. Securing VTY Ports with a Standard IPv4 ACL: Verifying a Standard ACL Used to Secure a VTY Port
40. Structure of an Extended IPv4 ACL: Extended ACLs

41. Structure of an Extended IPv4 ACL: Extended ACLs (cont.)

42. Configure Extended IPv4 ACLs: Configuring Extended ACLs. The procedural steps for configuring extended ACLs are the same as for standard ACLs: the extended ACL is configured first and then activated on an interface. However, the command syntax and parameters are more complex, to support the additional matching criteria (protocol, destination address, and ports) that extended ACLs provide.

43. Configure Extended IPv4 ACLs: Applying Extended ACLs to Interfaces

44. Configure Extended IPv4 ACLs: Filtering Traffic with Extended ACLs

45. Configure Extended IPv4 ACLs: Creating Named Extended ACLs

46. Configure Extended IPv4 ACLs: Verifying Extended ACLs

47. Configure Extended IPv4 ACLs: Editing Extended ACLs. Editing an extended ACL uses the same process as editing a standard ACL. An extended ACL can be modified using Method 1, a text editor (copy the list out, edit it, then delete and re-enter it), or Method 2, sequence numbers (in named ACL configuration mode, delete or insert individual ACEs by their sequence number without touching the rest of the list).

48. Processing Packets with ACLs: Inbound ACL Logic. Packets are tested against an inbound ACL, if one exists, before being routed. If an inbound packet matches a permit statement, it is passed on to be routed. If it matches a deny statement, it is dropped and not routed. If it matches no statement, it is implicitly denied and dropped without being routed.

49. Processing Packets with ACLs: Outbound ACL Logic. Packets are first checked for a route before being sent to an outbound interface; if there is no route, the packet is dropped. If the outbound interface has no ACL, the packet is sent directly to that interface. If there is an ACL on the outbound interface, the packet is tested against it before being sent to that interface. If an outbound packet matches a permit statement, it is sent to the interface.

50. Processing Packets with ACLs: Outbound ACL Logic (cont.). If an outbound packet matches a deny statement, it is dropped. If it matches no statement, it is implicitly denied and dropped.

51. Processing Packets with ACLs: ACL Logic Operations. When a packet arrives at a router interface, the router's processing is the same whether or not ACLs are in use. As a frame enters an interface, the router checks whether the destination Layer 2 address matches the interface's Layer 2 address or is a broadcast address. If the frame is accepted, the frame header is stripped and the router checks for an ACL on the inbound interface. If one exists, the packet is tested against the statements in the list.

52. Processing Packets with ACLs: ACL Logic Operations (cont.). If the packet is accepted, it is checked against the routing table entries to determine the destination interface. If a routing table entry exists for the destination, the packet is switched to the outgoing interface; otherwise the packet is dropped. Next, the router checks whether the outgoing interface has an ACL. If one exists, the packet is tested against the statements in that list. If there is no ACL or the packet is permitted, the packet is encapsulated in the new Layer 2 protocol and forwarded out the interface to the next device.
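The following Python script is an added illustration, not part of the Cisco deck, of three things the slides describe: the wildcard-mask matching rule and the 255.255.255.255 subtraction shortcut (slides 12 to 15), sequential first-match evaluation ending in the implicit deny, run over the example ACL 2 from slide 25, and the order in which a router applies an inbound ACL, the route lookup, and an outbound ACL (slides 48 to 52). The routing table, the egress interface names and the test packets are constructed; the script only reproduces the decision logic, it does not talk to a router.

```python
"""Standard IPv4 ACL evaluation (wildcard masks, first match, implicit deny) and the
inbound ACL -> routing -> outbound ACL order a router applies.

Added example, not from the Cisco deck. ACL 2 is the one on slide 25; the routing
table, interface names and packets are constructed.
"""
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Shortcut from the slides: 255.255.255.255 minus the subnet mask."""
    inverse = 0xFFFFFFFF - int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(inverse))


def matches(address: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = compare that address bit; wildcard bit 1 = ignore it."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF          # bits we must compare
    return (a & care) == (b & care)


def evaluate_standard_acl(acl, source: str):
    """Sequential first-match over (action, base, wildcard) entries.
    Returns (action, index); index is None when the implicit deny fired."""
    for index, (action, base, wildcard) in enumerate(acl):
        if matches(source, base, wildcard):
            return action, index
    return "deny", None              # implicit deny any at the end of every ACL


# ACL 2 exactly as on slide 25 ('host 192.168.10.10' is 192.168.10.10 0.0.0.0)
ACL_2 = [
    ("deny",   "192.168.10.10", "0.0.0.0"),
    ("permit", "192.168.10.0",  "0.0.0.255"),
    ("deny",   "192.168.0.0",   "0.0.255.255"),
    ("permit", "192.0.0.0",     "0.255.255.255"),
]

# Constructed routing table: prefix -> outgoing interface
ROUTES = {
    ipaddress.ip_network("192.168.30.0/24"): "G0/1",
    ipaddress.ip_network("10.0.0.0/8"): "S0/0/0",
}


def forward(src: str, dst: str, inbound_acl=None, outbound_acls=None):
    """Router order of operations from slides 48-52: inbound ACL (if any), then the
    route lookup, then the outbound ACL of the chosen egress interface (if any).
    Returns ("forwarded", interface) or ("dropped", reason)."""
    if inbound_acl is not None and evaluate_standard_acl(inbound_acl, src)[0] == "deny":
        return "dropped", "inbound ACL"          # never reaches the routing table
    candidates = [net for net in ROUTES if ipaddress.ip_address(dst) in net]
    if not candidates:
        return "dropped", "no route"
    egress = ROUTES[max(candidates, key=lambda net: net.prefixlen)]   # longest match
    out_acl = (outbound_acls or {}).get(egress)
    if out_acl is not None and evaluate_standard_acl(out_acl, src)[0] == "deny":
        return "dropped", f"outbound ACL on {egress}"
    return "forwarded", egress


if __name__ == "__main__":
    print("255.255.252.0 ->", wildcard_from_mask("255.255.252.0"))
    for src in ("192.168.10.10", "192.168.10.5", "192.168.20.1", "192.5.5.5", "10.1.1.1"):
        print(f"{src:>14}: {evaluate_standard_acl(ACL_2, src)}")
    print(forward("192.168.10.5", "192.168.30.12", inbound_acl=ACL_2))
    print(forward("192.168.10.10", "192.168.30.12", inbound_acl=ACL_2))
    print(forward("192.168.10.5", "172.16.0.1", inbound_acl=ACL_2))
    print(forward("10.1.1.1", "192.168.30.12", outbound_acls={"G0/1": ACL_2}))
```

Two details worth checking against the output: 10.1.1.1 matches none of the four statements and is dropped by the implicit deny with no index to point at, which is exactly why it also shows no match counter on the router; and the same ACL applied outbound on G0/1 drops that packet only after the route lookup succeeded, so a packet with no route never reaches an outbound ACL at all.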
53. Processing Packets with ACLs: Standard ACL Decision Process
Standard ACLs examine only the source IPv4 address. The destination of the packet and the ports involved are not considered. Cisco IOS software tests addresses against the conditions in the ACL. The first match determines whether the software accepts or rejects the address. Because the software stops testing conditions after the first match, the order of the conditions is critical. If no conditions match, the address is rejected.
54. Processing Packets with ACLs: Extended ACL Decision Process
The ACL first filters on the source address, then on the port and protocol of the source. It then filters on the destination address, then on the port and protocol of the destination, and makes a final permit or deny decision.
55. Common ACL Errors: Troubleshooting Common ACL Errors, Example 1
Host 192.168.10.10 has no connectivity with 192.168.30.12.
56. Common ACL Errors: Troubleshooting Common ACL Errors, Example 2
The 192.168.10.0 /24 network cannot use TFTP to connect to the 192.168.30.0 /24 network.
57. Common ACL Errors: Troubleshooting Common ACL Errors, Example 3
The 192.168.11.0 /24 network can use Telnet to connect to 192.168.30.0 /24, but according to company policy this connection should not be allowed.
58. Common ACL Errors: Troubleshooting Common ACL Errors, Example 4
Host 192.168.30.12 is able to Telnet to 192.168.31.12, but company policy states that this connection should not be allowed.
59. Common ACL Errors: Troubleshooting Common ACL Errors, Example 5
Host 192.168.30.12 can use Telnet to connect to 192.168.31.12, but according to the security policy this connection should not be allowed.
60. IPv6 ACL Creation: Types of IPv6 ACLs
61. IPv6 ACL Creation: Comparing IPv4 and IPv6 ACLs
Although IPv4 and IPv6 ACLs are very similar, there are three significant differences between them:
• Applying an IPv6 ACL: IPv6 uses the ipv6 traffic-filter command to perform the same function for IPv6 interfaces.
• No wildcard masks: the prefix-length is used to indicate how much of an IPv6 source or destination address should be matched.
• Additional default statements: permit icmp any any nd-na and permit icmp any any nd-ns.
62. Configuring IPv6 ACLs: Configuring IPv6 Topology
63. Configuring IPv6 ACLs: Configuring IPv6 ACLs
There are three basic steps to configure an IPv6 ACL:
1. From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL.
2. From the named ACL configuration mode, use the permit or deny statements to specify one or more conditions to determine if a packet is forwarded or dropped.
3. Return to privileged EXEC mode with the end command.
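The first-match decision process of slides 51 to 54, the misordered-entry mistake behind the troubleshooting examples, and the three IPv6 differences of slide 61, as one added Python model that is not part of the Cisco deck. The Entry and Packet types, their field names and the policy scenario are constructed for illustration; they model the logic the slides describe, not the IOS implementation.

```python
"""Added example, not from the Cisco deck: a first-match ACL evaluator that
models the decision process the slides describe. Entry and Packet are
constructed types for illustration; they are not an IOS API."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None      # destination port, if any
    icmp_type: Optional[str] = None  # e.g. "nd-ns", "nd-na", "echo"


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" / "ipv6" match any protocol
    src: str = "any"                 # see match_addr() for the spec syntax
    dst: str = "any"                 # a standard ACL leaves this as "any"
    dport: Optional[int] = None      # None = any destination port
    icmp_type: Optional[str] = None  # None = any ICMP type


def match_addr(addr: str, spec: str) -> bool:
    """Match one address against an ACL address spec.

    IPv4 specs use the IOS forms 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'
    (network plus wildcard mask; a 1 bit in the wildcard means "don't care").
    IPv6 specs are a prefix such as '2001:db8:1::/64', because IPv6 ACLs
    have no wildcard masks.
    """
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    net, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    a, n = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)


# The two statements IOS adds to every IPv6 ACL ahead of the implicit deny,
# so neighbor discovery keeps working once the ACL is applied. An explicit
# "deny ipv6 any any" written before them still shadows them.
IPV6_DEFAULT_ENTRIES = [
    Entry("permit", "icmp", icmp_type="nd-na"),
    Entry("permit", "icmp", icmp_type="nd-ns"),
]


def matches(entry: Entry, pkt: Packet) -> bool:
    """Check one entry against the packet. A standard ACL entry constrains
    only the source, so protocol, destination and port stay unconstrained."""
    if entry.proto not in ("ip", "ipv6") and entry.proto != pkt.proto:
        return False
    if not match_addr(pkt.src, entry.src) or not match_addr(pkt.dst, entry.dst):
        return False
    if entry.dport is not None and entry.dport != pkt.dport:
        return False
    if entry.icmp_type is not None and entry.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet, ipv6: bool = False) -> str:
    """Return "permit" or "deny" for a packet tested against an ACL.

    Entries are tested in order and the first match decides, which is why
    order is critical; a packet that matches no entry hits the implicit
    deny at the end of the list and is dropped.
    """
    entries = acl + IPV6_DEFAULT_ENTRIES if ipv6 else acl
    for entry in entries:
        if matches(entry, pkt):
            return entry.action
    return "deny"  # implicit deny any


# Constructed policy for troubleshooting Example 3: 192.168.11.0/24 must not
# Telnet into 192.168.30.0/24; everything else is allowed.
NO_TELNET_POLICY = [
    Entry("deny", "tcp", "192.168.11.0 0.0.0.255", "192.168.30.0 0.0.0.255", dport=23),
    Entry("permit", "ip"),
]
# The classic misconfiguration: the same two lines in the wrong order. The
# permit-any line matches first and shadows the deny, so Telnet gets through.
MISORDERED_POLICY = [NO_TELNET_POLICY[1], NO_TELNET_POLICY[0]]

# A standard ACL looks only at the source: one permit, then the implicit deny.
STANDARD_ACL = [Entry("permit", src="192.168.10.0 0.0.0.255")]
```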
64. Configuring IPv6 ACLs: Applying an IPv6 ACL to an Interface
65. Configuring IPv6 ACLs: IPv6 ACL Examples (Deny FTP; Restrict Access)
66. Configuring IPv6 ACLs: Verifying IPv6 ACLs
67. Chapter 9: Summary
By default a router does not filter traffic. Traffic that enters the router is routed solely based on information within the routing table. Packet filtering controls access to a network by analyzing incoming and outgoing packets and passing or dropping them based on criteria such as the source IP address, destination IP address, and the protocol carried within the packet. A packet-filtering router uses rules to determine whether to permit or deny traffic. A router can also perform packet filtering at Layer 4, the transport layer. An ACL is a sequential list of permit or deny statements.
68. Chapter 9: Summary (cont.)
The last statement of an ACL is always an implicit deny, which blocks all traffic. To prevent the implied deny any statement at the end of the ACL from blocking all traffic, the permit ip any any statement can be added. When network traffic passes through an interface configured with an ACL, the router compares the information within the packet against each entry, in sequential order, to determine if the packet matches one of the statements. If a match is found, the packet is processed accordingly. ACLs are configured to apply to inbound traffic or to outbound traffic.
69. Chapter 9: Summary (cont.)
Standard ACLs can be used to permit or deny traffic only from source IPv4 addresses. The destination of the packet and the ports involved are not evaluated. The basic rule for placing a standard ACL is to place it close to the destination. Extended ACLs filter packets based on several attributes: protocol type, source or destination IPv4 address, and source or destination ports. The basic rule for placing an extended ACL is to place it as close to the source as possible.
70. Chapter 9: Summary (cont.)
The access-list global configuration command defines a standard ACL with a number in the range 1 to 99 or an extended ACL with a number in the range 100 to 199 or 2000 to 2699. Both standard and extended ACLs can be named. The ip access-list standard name command creates a standard named ACL, whereas ip access-list extended name creates an extended access list. IPv4 ACL statements include the use of wildcard masks. After an ACL is configured, it is linked to an interface using the ip access-group command in interface configuration mode.
71. Chapter 9: Summary (cont.)
Remember the three Ps: one ACL per protocol, per direction, per interface. To remove an ACL from an interface, first enter the no ip access-group command on the interface, and then enter the global no access-list command to remove the entire ACL. The show running-config and show access-lists commands are used to verify ACL configuration. The show ip interface command is used to verify the ACL on the interface and the direction in which it was applied.
72. Chapter 9: Summary (cont.)
The access-class command configured in line configuration mode restricts incoming and outgoing connections between a particular VTY and the addresses in an access list. Like IPv4 named ACLs, IPv6 ACL names are alphanumeric, case sensitive and must be unique. Unlike IPv4, there is no need for a standard or extended option. From global configuration mode, use the ipv6 access-list name command to create an IPv6 ACL. The prefix-length is used to indicate how much of an IPv6 source or destination address should be matched. After an IPv6 ACL is configured, it is linked to an interface using the ipv6 traffic-filter command.
1. Chapter 10: DHCP (Routing & Switching)
2. Chapter 10: 10.0 Introduction; 10.1 Dynamic Host Configuration Protocol v4; 10.2 Dynamic Host Configuration Protocol v6; 10.3 Summary
3. Chapter 10: Objectives
• Describe the operation of DHCPv4 in a small-to-medium-sized business network.
• Configure a router as a DHCPv4 server.
• Configure a router as a DHCPv4 client.
• Troubleshoot a DHCP configuration for IPv4 in a switched network.
• Explain the operation of DHCPv6.
• Configure a stateless DHCPv6 for a small-to-medium-sized business.
• Configure a stateful DHCPv6 for a small-to-medium-sized business.
• Troubleshoot a DHCP configuration for IPv6 in a switched network.
4. 10.1 Dynamic Host Configuration Protocol v4
5. DHCPv4 Operation: Introducing DHCPv4
DHCPv4 uses three different address allocation methods:
• Manual Allocation: the administrator assigns a pre-allocated IPv4 address to the client, and DHCPv4 communicates only the IPv4 address to the device.
• Automatic Allocation: DHCPv4 automatically assigns a static IPv4 address permanently to a device, selecting it from a pool of available addresses.
• Dynamic Allocation: DHCPv4 dynamically assigns, or leases, an IPv4 address from a pool of addresses for a limited period of time chosen by the server, or until the client no longer needs the address. This method is the most commonly used.
6. DHCPv4 Operation: DHCPv4 Operation
7. DHCPv4 Operation: DHCPv4 Message Format
8. DHCPv4 Operation: Format of DHCPv4 Discover and Offer Messages
9. DHCPv4 Operation: Configuring a DHCPv4 Server
A Cisco router running Cisco IOS software can be configured to act as a DHCPv4 server. To set up DHCP:
1. Exclude addresses from the pool.
2. Set up the DHCP pool name.
3. Define the range of addresses and subnet mask. Use the default-router command for the default gateway.
Optional parameters that can be included in the pool: dns-server, domain-name. To disable DHCP, use the no service dhcp command.
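The allocation methods of slide 5 and the three server setup steps above, as an added Python model that is not part of the Cisco deck: a pool that keeps excluded addresses out of the dynamic range, honours a per-MAC reservation (manual allocation), hands out time-limited leases (dynamic allocation) and returns the gateway, DNS and domain options with each offer. The class, its method names and the sample configuration are constructed for illustration, not an IOS interface.

```python
"""Added example, not from the Cisco deck: a DHCPv4 pool model that mirrors
the server setup steps (exclude addresses, name the pool, define the range
and options) and the manual vs. dynamic allocation methods. All names and
addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Lease:
    ip: str
    expires: float   # absolute time; manual allocations never expire
    method: str      # "manual" or "dynamic"


@dataclass
class Dhcpv4Pool:
    name: str
    network: str                  # e.g. "192.168.10.0/24"
    default_router: str
    dns_server: str
    domain_name: str
    lease_seconds: int = 86400
    excluded: set = field(default_factory=set)
    reservations: Dict[str, str] = field(default_factory=dict)  # mac -> ip (manual)
    bindings: Dict[str, Lease] = field(default_factory=dict)    # mac -> current lease

    def exclude(self, low: str, high: str) -> None:
        """Step 1: keep a range (router, servers, printers) out of the dynamic pool."""
        lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        self.excluded.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))

    def _in_use(self, now: float) -> set:
        """Addresses held by a live lease; expired leases are reclaimed here."""
        self.bindings = {m: l for m, l in self.bindings.items() if l.expires > now}
        return {lease.ip for lease in self.bindings.values()}

    def _next_free(self, now: float) -> Optional[str]:
        """Lowest usable host address that is neither excluded, reserved nor leased."""
        taken = self._in_use(now) | set(self.reservations.values())
        for host in ipaddress.ip_network(self.network).hosts():
            ip = str(host)
            if ip not in self.excluded and ip not in taken:
                return ip
        return None  # pool exhausted

    def offer(self, mac: str, now: float) -> Optional[dict]:
        """Answer a DISCOVER: renew an existing binding, hand out the reserved
        address (manual allocation) or lease the next free one (dynamic
        allocation). Returns None when no address is available."""
        if mac in self.bindings and self.bindings[mac].expires > now:
            lease = self.bindings[mac]
        elif mac in self.reservations:
            lease = Lease(self.reservations[mac], float("inf"), "manual")
        else:
            ip = self._next_free(now)
            if ip is None:
                return None
            lease = Lease(ip, now + self.lease_seconds, "dynamic")
        self.bindings[mac] = lease
        net = ipaddress.ip_network(self.network)
        return {
            "ip": lease.ip,
            "mask": str(net.netmask),
            "router": self.default_router,   # default-router option
            "dns": self.dns_server,          # dns-server option
            "domain": self.domain_name,      # domain-name option
            "method": lease.method,
        }

    def release(self, mac: str) -> None:
        """The client no longer needs the address: the lease returns to the pool."""
        self.bindings.pop(mac, None)


def build_lan_pool() -> Dhcpv4Pool:
    """Constructed configuration: a /24 LAN whose first nine addresses are kept
    for infrastructure, plus one printer reserved by MAC address."""
    pool = Dhcpv4Pool("LAN-POOL", "192.168.10.0/24", "192.168.10.1",
                      "192.168.11.5", "example.com", lease_seconds=3600)
    pool.exclude("192.168.10.1", "192.168.10.9")
    pool.reservations["00:11:22:33:44:55"] = "192.168.10.50"
    return pool
```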
10. DHCPv4 Operation: Verifying a DHCPv4 Server
Commands to verify DHCP: show running-config | section dhcp; show ip dhcp binding; show ip dhcp server statistics. On the PC, issue the ipconfig /all command.
11. DHCPv4 Operation: DHCPv4 Relay
Using an IP helper address enables a router to forward DHCPv4 broadcasts to the DHCPv4 server, acting as a relay.
12. Configuring a DHCPv4 Client: Configuring a Router as a DHCPv4 Client
13. Troubleshoot DHCPv4: Troubleshooting Tasks
14. Troubleshoot DHCPv4: Verifying the Router DHCPv4 Configuration
15. Troubleshoot DHCPv4: Debugging DHCPv4
16. 10.2 Dynamic Host Configuration Protocol v6
17. SLAAC and DHCPv6: Stateless Address Autoconfiguration
Stateless Address Autoconfiguration (SLAAC) is a method in which a device can obtain an IPv6 global unicast address without the services of a DHCPv6 server.
18. SLAAC and DHCPv6: SLAAC Operation
19. SLAAC and DHCPv6: SLAAC and DHCPv6
20. SLAAC and DHCPv6: SLAAC Option
21. SLAAC and DHCPv6: Stateless DHCP Option
22. SLAAC and DHCPv6: Stateful DHCP Option
23. SLAAC and DHCPv6: DHCPv6 Operations
24. Stateless DHCPv6: Configuring a Router as a Stateless DHCPv6 Server
25. Stateless DHCPv6: Configuring a Router as a Stateless DHCPv6 Client
26. Stateless DHCPv6: Verifying Stateless DHCPv6
Verify the stateless DHCP client using the following commands: show ipv6 interface; debug ipv6 dhcp detail.
27. Stateful DHCPv6: Configuring a Router as a Stateful DHCPv6 Server
28. Stateful DHCPv6: Verifying Stateful DHCPv6
Verify the stateful DHCPv6 server using the following commands: show ipv6 dhcp pool; show ipv6 dhcp binding. Verify the stateful DHCPv6 client using the show ipv6 interface command.
29. Stateful DHCPv6: Configuring a Router as a Stateful DHCPv6 Relay Agent
30. Troubleshooting DHCPv6: Troubleshooting Tasks
31. Troubleshooting DHCPv6: Verifying the Router DHCPv6 Configuration
32. Troubleshooting DHCPv6: Debugging DHCPv6
33. 10.3 Summary
34. Chapter 10: Summary
All nodes on a network require a unique IP address to communicate with other devices. DHCPv4 includes three different address allocation methods: Manual Allocation, Automatic Allocation and Dynamic Allocation. There are two methods available for the dynamic configuration of IPv6 global unicast addresses: Stateless Address Autoconfiguration (SLAAC) and Dynamic Host Configuration Protocol for IPv6 (Stateful DHCPv6).
35. Chapter 10: Summary (cont.)
The same tasks are involved when troubleshooting DHCPv4 and DHCPv6:
• Resolve address conflicts.
• Verify physical connectivity.
• Test connectivity using a static IP address.
• Verify the switch port configuration.
• Test the operation on the same subnet or VLAN.
1. Chapter 11: Network Address Translation for IPv4 (Routing & Switching)
2. Chapter 11: 11.1 NAT Operation; 11.2 Configuring NAT; 11.3 Troubleshooting NAT; 11.4 Summary
3. Chapter 11: Objectives
• Describe NAT characteristics.
• Describe the benefits and drawbacks of NAT.
• Configure static NAT using the CLI.
• Configure dynamic NAT using the CLI.
• Configure PAT using the CLI.
• Configure port forwarding using the CLI.
• Configure NAT64.
• Use show commands to verify NAT operation.
4. 11.1 NAT Operation
5. NAT Characteristics: IPv4 Private Address Space
The IPv4 address space is not big enough to uniquely address all the devices that must be connected to the Internet. Private addresses are described in RFC 1918 and are designed to be used only within an organization or site. Private addresses are not routed by Internet routers, while public addresses are. Private addresses can alleviate IPv4 scarcity, but because they aren't routed by Internet devices, they first need to be translated. NAT is the process used to perform this translation.
6. NAT Characteristics: IPv4 Private Address Space
7. NAT Characteristics: What is NAT?
NAT is a process used to translate network addresses. NAT's primary use is to conserve public IPv4 addresses. NAT is usually implemented at border network devices, such as firewalls or routers. NAT allows networks to use private addresses internally, translating to public addresses only when needed. Devices within the organization can be assigned private addresses and operate with locally unique addresses. When traffic must be sent to or received from other organizations or the Internet, the border router translates the addresses to a public and globally unique address.
8. NAT Characteristics: What is NAT? (cont.)
9. NAT Characteristics: NAT Terminology
The inside network is the set of devices using private addresses; the outside network refers to all other networks. NAT includes four types of addresses:
• Inside local address
• Inside global address
• Outside local address
• Outside global address
10. NAT Characteristics: NAT Terminology (cont.)
11. Types of NAT: Static NAT
Static NAT uses a one-to-one mapping of local and global addresses. These mappings are configured by the network administrator and remain constant. Static NAT is particularly useful when servers hosted in the inside network must be accessible from the outside network. A network administrator can SSH to a server in the inside network by pointing the SSH client to the proper inside global address.
12. Types of NAT: Static NAT (cont.)
13. Types of NAT: Dynamic NAT
Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. When an inside device requests access to an outside network, dynamic NAT assigns an available public IPv4 address from the pool. Dynamic NAT requires that enough public addresses are available to satisfy the total number of simultaneous user sessions.
14. Types of NAT: Dynamic NAT (cont.)
15. Types of NAT: Port Address Translation
Port Address Translation (PAT) maps multiple private IPv4 addresses to a single public IPv4 address or a few addresses. PAT uses the pair of source port and source IP address to keep track of which traffic belongs to which internal client. PAT is also known as NAT overload. By also using the port number, PAT forwards the response packets to the correct internal device. The PAT process also validates that the incoming packets were requested, thus adding a degree of security to the session.
16. Types of NAT: Comparing NAT and PAT
NAT translates IPv4 addresses on a 1:1 basis between private IPv4 addresses and public IPv4 addresses. PAT modifies both the address and the port number. NAT forwards incoming packets to their inside destination by referring to the incoming source IPv4 address provided by the host on the public network. With PAT, there is generally only one or a very few publicly exposed IPv4 addresses. PAT is able to translate protocols that do not use port numbers, such as ICMP; each one of these protocols is supported differently by PAT.
17. Benefits of NAT: Benefits of NAT
• Conserves the legally registered addressing scheme
• Increases the flexibility of connections to the public network
• Provides consistency for internal network addressing schemes
• Provides network security
18. Benefits of NAT: Disadvantages of NAT
• Performance is degraded
• End-to-end functionality is degraded
• End-to-end IP traceability is lost
• Tunneling is more complicated
• Initiating TCP connections can be disrupted
19. 11.2 Configuring NAT
20. Configuring Static NAT: Configuring Static NAT
There are two basic tasks to perform when configuring static NAT translations:
• Create the mapping between the inside local and outside local addresses.
• Define which interfaces belong to the inside network and which belong to the outside network.
21. Configuring Static NAT: Configuring Static NAT
22. Configuring Static NAT: Analyzing Static NAT
23. Configuring Static NAT: Verifying Static NAT
24. Configuring Static NAT: Verifying Static NAT (cont.)
25. Configuring Dynamic NAT: Dynamic NAT Operation
The pool of public IPv4 addresses (inside global address pool) is available to any device on the inside network on a first-come, first-served basis. With dynamic NAT, a single inside address is translated to a single outside address. The pool must be large enough to accommodate all inside devices. A device is unable to communicate with any external networks if no addresses are available in the pool.
26. Configuring Dynamic NAT: Configuring Dynamic NAT
27. Configuring Dynamic NAT: Analyzing Dynamic NAT
28. Configuring Dynamic NAT: Analyzing Dynamic NAT
29. Configuring Dynamic NAT: Verifying Dynamic NAT
30. Configuring Dynamic NAT: Verifying Dynamic NAT
31. Configuring PAT: Configuring PAT: Address Pool
32. Configuring PAT: Configuring PAT: Single Address
33. Configuring PAT: Analyzing PAT
34. Configuring PAT: Analyzing PAT
35. Configuring PAT: Verifying PAT Translations
36. Port Forwarding: Port Forwarding
Port forwarding is the act of forwarding a network port from one network node to another. A packet sent to the public IP address and port of a router can be forwarded to a private IP address and port in the inside network. Port forwarding is helpful in situations where servers have private addresses that are not reachable from outside networks.
37. Port Forwarding: SOHO Example
38. Port Forwarding: Configuring Port Forwarding with IOS
In IOS, port forwarding is essentially a static NAT translation with a specified TCP or UDP port number.
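Static NAT, dynamic NAT and PAT from the Types of NAT slides, the pool-exhaustion behaviour of slide 25, and the port forwarding described just above, as one added Python model that is not part of the Cisco deck: a border router that rewrites outbound packets and admits inbound packets only when they answer a session it opened or hit a mapping the administrator exposed. The NatRouter class, its method names and the documentation-range addresses are constructed for illustration; PAT here keys replies on the global port alone, a simplification of a real translation table.

```python
"""Added example, not from the Cisco deck: a border-router NAT model that
covers static NAT, dynamic NAT from a pool, PAT (NAT overload) on a single
public address, and port forwarding. All names and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]  # (IPv4 address, port)


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, mode: str, pool: Optional[List[str]] = None,
                 inside_global: Optional[str] = None) -> None:
        self.mode = mode                        # "static", "dynamic" or "pat"
        self.pool = list(pool or [])            # dynamic NAT: inside global addresses
        self.inside_global = inside_global      # PAT: the one public address
        self.static: Dict[str, str] = {}        # inside local -> inside global, 1:1, fixed
        self.dynamic: Dict[str, str] = {}       # inside local -> inside global, from pool
        self.sessions: Dict[Flow, Flow] = {}    # PAT: inside (addr, port) -> global (addr, port)
        self.forwards: Dict[int, Flow] = {}     # public port -> (inside local, port)
        self.next_port = 1024                   # next free global port for PAT

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Administrator-configured one-to-one mapping, e.g. for a server."""
        self.static[inside_local] = inside_global

    def add_port_forward(self, public_port: int, inside_local: str, port: int) -> None:
        """Port forwarding: a static translation narrowed to one TCP/UDP port."""
        self.forwards[public_port] = (inside_local, port)

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet leaving the inside network. None means no
        translation is possible and the packet is dropped."""
        if p.src in self.static:
            return Packet(self.static[p.src], p.sport, p.dst, p.dport)
        if self.mode == "dynamic":
            if p.src not in self.dynamic:       # first come, first served
                free = [a for a in self.pool if a not in self.dynamic.values()]
                if not free:
                    return None                 # pool exhausted: host cannot reach outside
                self.dynamic[p.src] = free[0]
            return Packet(self.dynamic[p.src], p.sport, p.dst, p.dport)
        if self.mode == "pat":
            key = (p.src, p.sport)              # source IP + source port identify the client
            if key not in self.sessions:
                while self.next_port in self.forwards:  # never reuse a forwarded port
                    self.next_port += 1
                self.sessions[key] = (self.inside_global, self.next_port)
                self.next_port += 1
            g_addr, g_port = self.sessions[key]
            return Packet(g_addr, g_port, p.dst, p.dport)
        return None                             # static-only router, no mapping for p.src

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the outside. Only traffic that was
        requested from inside, or that an administrator explicitly exposed
        (static mapping, port forward), is delivered; the rest is dropped."""
        for local, glob in self.static.items():
            if glob == p.dst:
                return Packet(p.src, p.sport, local, p.dport)
        if self.mode == "dynamic":
            for local, glob in self.dynamic.items():
                if glob == p.dst:
                    return Packet(p.src, p.sport, local, p.dport)
        elif self.mode == "pat" and p.dst == self.inside_global:
            for (local, lport), (_, gport) in self.sessions.items():
                if gport == p.dport:            # reply to a session this router opened
                    return Packet(p.src, p.sport, local, lport)
            if p.dport in self.forwards:
                local, lport = self.forwards[p.dport]
                return Packet(p.src, p.sport, local, lport)
        return None
```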
39. Configuring NAT and IPv6: NAT for IPv6?
NAT is a workaround for IPv4 address scarcity. IPv6, with a 128-bit address, provides 340 undecillion addresses. Address space is not an issue for IPv6. IPv6 makes IPv4 public-private NAT unnecessary by design; however, IPv6 does implement a form of private addresses, and they are implemented differently than in IPv4.
40. Configuring NAT and IPv6: IPv6 Unique Local Addresses
IPv6 unique local addresses (ULAs) are designed to allow IPv6 communications within a local site. ULAs are not meant to provide additional IPv6 address space. ULAs have the prefix FC00::/7, which results in a first hextet range of FC00 to FDFF. ULAs are also known as local IPv6 addresses (not to be confused with IPv6 link-local addresses).
41. Configuring NAT and IPv6: NAT for IPv6
IPv6 also uses NAT, but in a much different context. In IPv6, NAT is used to provide transparent communication between IPv6 and IPv4. NAT64 is not intended to be a permanent solution; it is meant to be a transition mechanism. Network Address Translation-Protocol Translation (NAT-PT) was another NAT-based transition mechanism for IPv6, but it is now deprecated by the IETF. NAT64 is now recommended.
42. Configuring NAT and IPv6: NAT for IPv6
43. 11.3 Troubleshooting NAT
44. Configuring NAT and IPv6: Troubleshooting NAT: show commands
45. Configuring NAT and IPv6: Troubleshooting NAT: debug command
46. Chapter 11: Summary
This chapter has outlined:
• How NAT is used to help alleviate the depletion of the IPv4 address space. NAT conserves public address space and saves considerable administrative overhead in managing adds, moves, and changes.
• NAT for IPv4, including NAT characteristics, terminology, and general operations; different types of NAT, including static NAT, dynamic NAT, and NAT with overloading; and the benefits and disadvantages of NAT.
• The configuration, verification, and analysis of static NAT, dynamic NAT, and NAT with overloading.
47. Chapter 11: Summary (cont.)
• How port forwarding can be used to access internal devices from the Internet.
• Troubleshooting NAT using show and debug commands.
• How NAT for IPv6 is used to translate between IPv6 addresses and IPv4 addresses.