Appendix . Fast Facts

OSI Model in Review

Table FF.1 lists the seven layers of the OSI model and significant aspects of each layer.

Table FF.1. The OSI Model

Application
  • Provides an interface between a host’s communication software and any necessary external applications.
  • Evaluates what resources are necessary and what resources are available for communication between two devices.
  • Synchronizes client/server applications.
  • Provides error control and data integrity between applications.
  • Provides system-independent processes to a host.

Presentation
  • Presents data to the Application layer.
  • Acts as a data format translator.
  • Handles the structuring of data and negotiates the data transfer syntax for Layer 7.
  • Processes involved include data encryption, decryption, compression, and decompression.

Session
  • Handles dialog control among devices.
  • Determines the beginning, middle, and end of a session or conversation between applications (acts as an intermediary).

Transport
  • Manages end-to-end connections and data delivery between two hosts.
  • Segments and reassembles data.
  • Provides transparent data transfer by hiding details of the transmission from the upper layers.

Network
  • Determines the best path for packet delivery across the network.
  • Defines logical addressing, which identifies the destination of a packet or datagram.
  • Uses data packets (IP, IPX) and route update packets (RIP, EIGRP, and so on).
  • Uses routed protocols IP, IPX, and AppleTalk DDP.
  • Devices include routers and Layer 3 switches.

Data Link
  • Ensures reliable data transfer from the Network layer to the Physical layer.
  • Oversees physical or hardware addressing.
  • Formats packets into frames.
  • Provides error notification.
  • Devices include bridges and Layer 2 switches.

Physical
  • Moves bits between nodes.
  • Assists with the activation, maintenance, and deactivation of physical connectivity between devices.
  • Devices include hubs and repeaters.

Application Protocols Supported by the Application Layer

Table FF.2. Application Layer Protocols

  • Telnet: A TCP/IP protocol that provides terminal emulation to a remote host by creating a virtual terminal. TeraTerm is one program that can be installed on a user computer to create Telnet sessions. This protocol requires authentication via a username and password.

  • Hypertext Transfer Protocol (HTTP): Enables web browsing with the transmission of Hypertext Markup Language (HTML) documents on the Internet.

  • Secure Hypertext Transfer Protocol (HTTPS): Enables secure web browsing. A secure connection is indicated when the URL begins with https:// or when there is a lock symbol at the lower-right corner of the web page that is being viewed.

  • File Transfer Protocol (FTP): Allows a user to transfer files. Provides access to files and directories.

  • Trivial File Transfer Protocol (TFTP): A bare-bones version of FTP that does not provide access to directories. With TFTP, you can simply send and receive files. Unlike FTP, TFTP is not secure and sends smaller blocks of data.

  • Domain Name System (DNS): Resolves hostnames such as cisco.com into IP addresses.

  • Simple Mail Transfer Protocol (SMTP): Sends electronic mail across the network.

  • Post Office Protocol 3 (POP3): Receives electronic mail by accessing a network server.

  • Network File System (NFS): Allows users with different operating systems (for example, NT and Unix workstations) to share files through a network. Remote files appear as though they reside on a local machine even though the local machine might be “diskless.”

  • Network News Transfer Protocol (NNTP): Offers access to Usenet newsgroup postings.

  • Simple Network Management Protocol (SNMP): Monitors the network and manages configurations. Collects statistics to analyze network performance and ensure network security.

  • Network Time Protocol (NTP): Synchronizes clocks on the Internet to provide accurate local time on the user system.

  • Dynamic Host Configuration Protocol (DHCP): Works dynamically to provide an IP address, subnet mask, domain name, and a default gateway for routers. Works with DNS and WINS (used for NetBIOS addressing).

Table FF.3. Control Information for Each Layer

OSI Layer    | Control Information Name
-------------|-------------------------
Application  | Data
Presentation | Data
Session      | Data
Transport    | Segment
Network      | Packet
Data Link    | Frame
Physical     | Bit

Table FF.4. OSI Layers and Related TCP/IP Layers

OSI Layer    | TCP/IP Layer
-------------|---------------
Application  | Application
Presentation | Application
Session      | Application
Transport    | Transport
Network      | Internet
Data Link    | Network Access
Physical     | Network Access

TCP uses Positive Acknowledgment and Retransmission (PAR):

  1. The source device begins a timer when a segment is sent and retransmits if the timer runs out before an acknowledgment is received.

  2. The source device keeps track of segments that are sent and requires an acknowledgment for each segment.

  3. The destination device acknowledges each received segment by sending the source a packet that indicates the next sequence number it expects from the source.
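The three PAR rules above, played out in a small simulation. This is an added example and not code from the original page: a Python model (the Sender, Receiver and simulate names are this example's own) in which the channel loses the first copy of chosen segments, so the sender's timer has to run out and trigger a retransmission, while the receiver always answers with the next sequence number it is looking for.

```python
"""Model of TCP's Positive Acknowledgment and Retransmission (PAR)."""


class Sender:
    """The source device: numbers the bytes, keeps every unacknowledged
    segment under a timer, and retransmits a segment whose timer runs out."""

    def __init__(self, payload, mss, timeout, window):
        self.segments = [(seq, payload[seq:seq + mss])
                         for seq in range(0, len(payload), mss)]
        self.timeout = timeout
        self.window = window          # how many segments may be unacknowledged at once
        self.next_index = 0           # index of the next never-sent segment
        self.timers = {}              # seq -> ticks left before retransmission
        self.retransmissions = 0

    def segments_to_send(self):
        out = []
        for seq, ticks in list(self.timers.items()):
            if ticks <= 0:            # timer ran out with no ACK: retransmit
                self.timers[seq] = self.timeout
                self.retransmissions += 1
                out.append(next(s for s in self.segments if s[0] == seq))
        while len(self.timers) < self.window and self.next_index < len(self.segments):
            seq, data = self.segments[self.next_index]
            self.timers[seq] = self.timeout
            out.append((seq, data))
            self.next_index += 1
        return out

    def on_ack(self, ack):
        # Cumulative acknowledgment: every segment ending at or before `ack` is done.
        for seq, data in self.segments:
            if seq in self.timers and seq + len(data) <= ack:
                del self.timers[seq]

    def clock_tick(self):
        for seq in self.timers:
            self.timers[seq] -= 1

    def finished(self):
        return self.next_index == len(self.segments) and not self.timers


class Receiver:
    """The destination device: accepts only the in-order segment and always
    answers with the next sequence number it is looking for."""

    def __init__(self):
        self.expected = 0
        self.data = bytearray()

    def receive(self, seq, data):
        if seq == self.expected:      # in order: accept and advance
            self.data += data
            self.expected += len(data)
        return self.expected          # the ACK number, in order or not


def simulate(payload, mss=4, timeout=3, window=2, drop_first_attempt=(), max_ticks=100):
    """Run sender and receiver over a channel that loses the first copy of the
    listed sequence numbers. Returns (delivered bytes, retransmissions, ticks)."""
    sender, receiver = Sender(payload, mss, timeout, window), Receiver()
    seen = set()
    ticks = 0
    while not sender.finished():
        ticks += 1
        if ticks > max_ticks:
            raise RuntimeError("transfer did not complete")
        for seq, data in sender.segments_to_send():
            first_copy = seq not in seen
            seen.add(seq)
            if first_copy and seq in drop_first_attempt:
                continue              # lost in the network: no ACK ever comes back
            sender.on_ack(receiver.receive(seq, data))
        sender.clock_tick()
    return bytes(receiver.data), sender.retransmissions, ticks


if __name__ == "__main__":
    # Constructed input: 10 bytes in 4-byte segments, the segment at seq 4 lost once.
    delivered, retx, ticks = simulate(b"0123456789", drop_first_attempt={4})
    print(delivered, retx, ticks)
```

With the segment at sequence number 4 lost once, the receiver keeps acknowledging 4 while segment 8 arrives out of order and is discarded; both segments are retransmitted after their timers expire, and the transfer completes in five clock ticks instead of two.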

Table FF.5. The TCP Segment Header Format

Each line is one 32-bit row of the header:

Source Port | Destination Port
Sequence Number
Acknowledgment Number
Miscellaneous Flags | Window (Flow Control)
Checksum | Urgent
Options

Table FF.6. Applications Using TCP and Related Ports

Application          | Port #(s)
---------------------|----------
FTP                  | 20, 21
Telnet               | 23
SMTP                 | 25
DNS (zone transfers) | 53
HTTP                 | 80
POP3                 | 110
NNTP                 | 119
HTTPS                | 443

Table FF.7. The UDP Header

Each line is one 32-bit row of the header:

Source Port | Destination Port
Length | Checksum

Table FF.8. Applications Using UDP and Related Ports

Application           | Port #(s)
----------------------|----------
DHCP                  | 67, 68
DNS (name resolution) | 53
TFTP                  | 69
NTP                   | 123
SNMP                  | 161

Network Domains

Two domains determine data transport reliability:

  • Broadcast domain: A group of nodes that can receive each other’s broadcast messages and are segmented by routers.

  • Collision domain: A group of nodes that share the same media and are segmented by switches. A collision occurs if two nodes attempt a simultaneous transmission. Carrier Sense Multiple Access with Collision Detection (CSMA/CD) sends a jam signal to notify the devices that there has been a collision. The devices then halt transmission for a random backoff time.

Cabling, Lines, and Services

  • Bandwidth: The total amount of information that can traverse a communications medium, measured in millions of bits per second. Bandwidth is useful for network performance analysis. Its availability is increasing but remains limited.

  • Crosstalk: An electrical or magnetic field that is a result of one communications signal that can affect the signal in a nearby circuit.

Unshielded twisted-pair (UTP) cables are vulnerable to Electromagnetic Interference (EMI) and use an RJ-45 connector. Fiber-optic cables are not susceptible to EMI.

Use a straight-through cable to connect the following devices:

  • Terminated directly into a dedicated hub or switch port

  • From a PC to a switch or a hub

  • From a router to a switch or a hub

Use a cross-over cable to connect the following devices:

  • From switch to switch

  • From router to router

  • From PC to PC

  • From a PC to a router

  • From a hub to a hub

  • From a hub to a switch

Spread Spectrum Wireless LANs allow for high-speed transmissions over short distances.

Wireless Fidelity (Wi-Fi) is defined by IEEE 802.11.

Table FF.9. Summary of Ethernet 802.3 Characteristics

Standard  | Speed  | Media Type                     | Connector Used
----------|--------|--------------------------------|---------------
10BASE-2  | 10Mbps | RG-58 coaxial                  | BNC
10BASE-5  | 10Mbps | RG-58 coaxial                  | BNC
10BASE-T  | 10Mbps | Category 3, 4, or 5 UTP or STP | RJ-45
10BASE-FL | 10Mbps | Fiber-optic                    | SC or ST

Table FF.10. Comparison of Fast Ethernet 802.3u Characteristics

Standard   | Speed   | Media Type                     | Connector Used
-----------|---------|--------------------------------|---------------
100BASE-T4 | 100Mbps | Category 3, 4, or 5 UTP or STP | RJ-45
100BASE-TX | 100Mbps | Category 5 UTP or STP          | RJ-45
100BASE-FX | 100Mbps | Fiber-optic                    | SC or ST

Table FF.11. Summary of Gigabit Ethernet 802.3ab Characteristics

Standard                   | Speed             | Media Type               | Connector Used
---------------------------|-------------------|--------------------------|---------------
1000BASE-T or 1000BASE-TX  | 1000Mbps or 1Gbps | Category 5 UTP or higher | RJ-45

Table FF.12. Comparison of Gigabit Ethernet 802.3z Characteristics

Standard    | Speed             | Media Type           | Connector Used
------------|-------------------|----------------------|----------------------------
1000BASE-CX | 1000Mbps or 1Gbps | Shielded copper wire | Nine-pin shielded connector
1000BASE-SX | 1000Mbps or 1Gbps | MM fiber-optic       | SC or ST
1000BASE-LX | 1000Mbps or 1Gbps | MM or SM fiber-optic | SC or ST

MAC Addressing

A MAC address is hard-coded (burnt-in) on the network interface controller (NIC) of the Physical layer device attached to the network. Each MAC address must be unique and use the following format:

  1. Consists of 48 bits (or 6 bytes).

  2. Displayed by 12 hexadecimal digits (0 through 9, A through F).

  3. First six hexadecimal digits in the address are a vendor code or organizationally unique identifier (OUI) assigned to that NIC manufacturer.

  4. Last six hexadecimal digits are assigned by the NIC manufacturer and must be different from any other number assigned by that manufacturer.

Example of a MAC address: 00:00:07:A9:B2:EB

The OUI in this example is 00:00:07.

The broadcast address value is FFFF.FFFF.FFFF.

Framing and Duplex Types

802.3 frame information and parameters are as follows:

  1. The data-link header portion of the frame contains the Destination MAC address (6B), Source MAC address (6B), and Length (2B).

  2. The Logical Link Control portion of the frame contains Destination Service Access Point (DSAP), Source Service Access Point (SSAP), and Control information. All three are 1B long. The Service Access Point (SAP) identifies an upper-layer protocol such as IP (06) or IPX (E0).

  3. The Data and cyclical redundancy check (CRC) portion of the frame is also called the data-link trailer. The Data field can be anywhere from 43 to 1497B long. The frame check sequence (FCS) field is 4B long. FCS or CRC provides error detection.

Bridges and switches examine the source MAC address of each inbound frame to learn MAC addresses.

Switches are multiport bridges that use ASIC hardware chips for frame forwarding. Dedicated bandwidth enables the switch port to guarantee the speed assigned to that port. For example, 100Mbps port connections get 100Mbps transmission rates.

Hubs use half-duplex technology. Switches can be set up for full-duplex.
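The MAC address rules and the 802.3 frame layout above, as an added worked example (not code from the original page): a Python builder and parser for an 802.3 frame with an LLC header, with the FCS computed as CRC-32 over the header and payload so that a corrupted frame is rejected. The function names, the SAMPLE_* constants and the little-endian placement of the four FCS bytes are this example's own choices; the source MAC 00:00:07:A9:B2:EB, the 43 to 1497 byte data bounds and the SAP value 06 for IP are taken from the page.

```python
import struct
import zlib

# Constructed sample values for the example (the source MAC is the page's example address).
SAMPLE_DST = "FF:FF:FF:FF:FF:FF"   # broadcast
SAMPLE_SRC = "00:00:07:A9:B2:EB"
SAP_IP = 0x06                      # SAP value identifying IP as the upper-layer protocol


def parse_mac(text):
    """Accept 00:00:07:A9:B2:EB, 00-00-07-A9-B2-EB or Cisco 0000.07a9.b2eb; return 6 bytes."""
    digits = "".join(ch for ch in text if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"MAC must be 12 hex digits (48 bits): {text!r}")
    return bytes.fromhex(digits)


def mac_to_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def oui(raw):
    """First three octets: the vendor code assigned to the NIC manufacturer."""
    return mac_to_str(raw[:3])


def is_broadcast(raw):
    return raw == b"\xff" * 6


def build_frame(dst, src, dsap, ssap, control, data):
    """802.3 frame: header (6+6+2) + LLC (1+1+1) + data + FCS (4)."""
    if not 43 <= len(data) <= 1497:
        raise ValueError("data must be 43..1497 bytes long")
    payload = bytes([dsap, ssap, control]) + data
    header = parse_mac(dst) + parse_mac(src) + struct.pack("!H", len(payload))
    body = header + payload
    fcs = struct.pack("<I", zlib.crc32(body))     # CRC-32 over everything before the trailer
    return body + fcs


def parse_frame(frame):
    """Verify the FCS, then split the frame into its fields."""
    if len(frame) < 14 + 3 + 4:
        raise ValueError("frame too short for header, LLC and FCS")
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: frame was corrupted in transit")
    dst, src = body[0:6], body[6:12]
    (length,) = struct.unpack("!H", body[12:14])
    return {
        "dst": mac_to_str(dst),
        "broadcast": is_broadcast(dst),
        "src": mac_to_str(src),
        "src_oui": oui(src),
        "length": length,               # bytes of LLC header plus data
        "dsap": body[14],
        "ssap": body[15],
        "control": body[16],
        "data": body[17:14 + length],
    }


if __name__ == "__main__":
    frame = build_frame(SAMPLE_DST, SAMPLE_SRC, SAP_IP, SAP_IP, 0x03, b"A" * 43)
    print(len(frame), parse_frame(frame)["src_oui"])
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                 # flip one bit in the data field
    try:
        parse_frame(bytes(damaged))
    except ValueError as err:
        print(err)
```

A minimum-size frame (43 data bytes plus the 3-byte LLC header) comes out at exactly 64 bytes, and a single flipped bit anywhere before the trailer makes the FCS check fail, which is the error detection the CRC provides.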

WAN Interfaces

WAN interfaces are used to provide a point of interconnection between Cisco routers and other network devices. Types of WAN interfaces include the following:

  • Basic Rate Interface (BRI)

  • Synchronous Serial

  • Asynchronous Serial

  • High-Speed Serial Interface (HSSI)

  • T1 Controller Card

BRI is an Integrated Services Digital Network (ISDN) line that consists of two 64Kbps bearer (B) channels and one 16Kbps data (D) channel.

DCE equipment might consist of a:

  • Modem

  • Channel Service Unit/Data Service Unit (CSU/DSU)

  • BRI NT-1

DTE equipment might consist of a:

  • Router

  • PC

  • Server

Memory Types

Four memory components are used by Cisco devices. Those components include ROM, Flash, RAM, and NVRAM.

RAM contains the running IOS, with the exception of Run-From-Flash (RFF) routers. RAM also contains the running configuration or the active configuration that is used after a machine is booted.

IOS File Naming Conventions

Given the example filename c2600-ipbase-1.122-1.T.bin, from left to right, each portion of the filename represents the following:

  • c2600: Hardware platform (Cisco 2600 router)

  • ipbase: Feature set

  • 1: File format (compressed relocatable)

  • 122: IOS version number

  • 1: Maintenance release number

  • T: Train identifier

Utilities Using ICMP

Internet Control Message Protocol (ICMP) is used by the ping and traceroute utilities. Packet Internet Groper (ping) allows you to validate that an IP address exists and can accept requests.

  • ping sends an ICMP echo request, and the response is an echo reply.

  • Routers send Destination Unreachable messages when they can’t reach the destination network and they are forced to drop the packet. The router that drops the packet sends the ICMP DU message.

A traceroute traces the route or path taken from a client to a remote host. Traceroute also reports the IP addresses of the routers at each next hop on the way to the destination. This is especially useful when you suspect that a router on the route to an unreachable network is responsible for dropping the packet.

Network Security

Three classes of attack are commonly found in today’s network environment:

  • Access attacks

  • Reconnaissance attacks

  • Denial of service (DoS) attacks

Access Attacks

An access attack is just what it sounds like. It is an attempt to access another user account or network device through improper means. The four main types of access attacks are:

  • Password attacks

  • Trust exploitation

  • Port redirection

  • Man-in-the-middle

Reconnaissance Attacks

The four main subcategories or methods of gathering network data for a reconnaissance attack are:

  • Packet sniffers

  • Port scans

  • Ping sweeps

  • Information queries

Denial of Service (DoS) Attacks

DoS attacks are often implemented by a hacker as a means of denying a service that is normally available to a user or organization. The three main types of DoS attacks are:

  • Distributed DoS

  • TCP SYN

  • Smurf

Mitigating Network Threats

The following actions can be taken to lessen the impact of an attack on a network:

  • Authentication, Authorization, and Accounting (AAA)

  • Cisco access lists (ACLs)

  • Cisco IOS secure management features: SSH, SNMP, syslog, and NTP

  • Encryption protocols: SSH, IPsec, and SSL

  • Security appliances and applications: firewall, IPS, and IDS

IP Addressing

IPv4 addresses

  • Consist of 32 bits.

  • Are broken into four octets (8 bits each).

  • Use dotted-decimal format; an example is 172.16.122.204.

  • Minimum value (per octet) is 0, and the maximum value is 255.

  • 0.0.0.0 is a network ID.

  • 255.255.255.255 is a broadcast IP.

Table FF.13. IPv4 Address Classes

Class   | First Octet | Second Octet | Third Octet | Fourth Octet
--------|-------------|--------------|-------------|-------------
Class A | Network     | Host         | Host        | Host
Class B | Network     | Network      | Host        | Host
Class C | Network     | Network      | Network     | Host

TCP/IP defines two additional address classes:

  • Class D: Used for multicast addresses

  • Class E: Used for research purposes

Table FF.14. Address Class Ranges

Class | First Octet Decimal Range
------|--------------------------
A     | 1 to 126
B     | 128 to 191
C     | 192 to 223
D     | 224 to 239
E     | 240 to 255

The 127.x.x.x address range is reserved for loopback addresses.

Default subnet masks:

  • Class A: 255.0.0.0

  • Class B: 255.255.0.0

  • Class C: 255.255.255.0

Classless Addressing

Classless Interdomain Routing (CIDR) notation might also be used to identify the subnet mask. The CIDR notation for each network class can be determined by counting the 1s in binary or the number of bits that make up the network portion of the address.

The mask is written in slash notation as follows:

  • Class A: /8

  • Class B: /16

  • Class C: /24

Private Ranges

IANA Private Address Space Allocations:

  • Class A: 10.0.0.0 to 10.255.255.255

  • Class B: 172.16.0.0 to 172.31.255.255

  • Class C: 192.168.0.0 to 192.168.255.255

Subnetting

Table FF.15. Decimal to Binary Conversions

Decimal | Binary
--------|---------
0       | 00000000
128     | 10000000
192     | 11000000
224     | 11100000
240     | 11110000
248     | 11111000
252     | 11111100
254     | 11111110
255     | 11111111

To calculate the hosts in a subnet, we can use the formula 2^H – 2. The exponent H represents the number of host bits in a network.

To calculate the networks in a subnet, we can use the formula 2^N – 2. The exponent N represents the number of subnet bits in a network.

The range of valid IP addresses in a subnet is the first IP address after the Network ID and the last IP address before the broadcast IP address.

The following represents IP subnetting:

IP address = 100.15.209.0

Subnet mask = 255.255.254.0

Network ID = 100.15.208.0

Broadcast IP = 100.15.209.255

Valid IP range = 100.15.208.1 to 100.15.209.254
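The address classes, default masks, CIDR slash notation, private ranges and the subnetting example above, carried through in code. This is an added example and not code from the original page: the functions (address_class, mask_to_prefix, prefix_to_mask, subnet_facts) are this example's own names, and the class ranges, default masks, private ranges and the 2^H – 2 and 2^N – 2 formulas are taken from the page. It goes slightly beyond the text by rejecting masks whose 1 bits are not contiguous, which the "count the 1s" rule silently assumes.

```python
import ipaddress

# Classful first-octet ranges and default prefix lengths, as given in the fast facts.
CLASSES = (("A", 1, 126, 8), ("B", 128, 191, 16), ("C", 192, 223, 24),
           ("D", 224, 239, None), ("E", 240, 255, None))
# IANA private address space: 10/8, 172.16.0.0-172.31.255.255, 192.168/16.
PRIVATE = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def address_class(ip):
    """Return (class letter, default prefix length); (None, None) for 127.x.x.x and 0.x.x.x."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    for letter, low, high, prefix in CLASSES:
        if low <= first <= high:
            return letter, prefix
    return None, None


def mask_to_prefix(mask):
    """Count the 1 bits of a dotted-decimal mask, rejecting masks that are not a
    contiguous run of 1s followed by 0s (for example 255.0.255.0)."""
    value = int(ipaddress.IPv4Address(mask))
    ones = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a valid subnet mask")
    return ones


def prefix_to_mask(prefix):
    """Write a /N prefix length as a dotted-decimal mask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def subnet_facts(ip, mask):
    """Network ID, broadcast, valid host range and the 2^H - 2 / 2^N - 2 counts."""
    prefix = mask_to_prefix(mask)
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    letter, default_prefix = address_class(ip)
    host_bits = 32 - prefix                       # H
    facts = {
        "class": letter,
        "cidr": f"{net.network_address}/{prefix}",
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1) if host_bits >= 2 else None,
        "last_host": str(net.broadcast_address - 1) if host_bits >= 2 else None,
        "hosts": 2 ** host_bits - 2 if host_bits >= 2 else 0,
        "private": any(net.subnet_of(p) for p in PRIVATE),
        "subnets": None,
    }
    if default_prefix is not None and prefix > default_prefix:
        subnet_bits = prefix - default_prefix     # N: bits borrowed from the classful host part
        facts["subnets"] = 2 ** subnet_bits - 2   # the page's classful 2^N - 2 rule
    return facts


if __name__ == "__main__":
    # The page's worked example: 100.15.209.0 with mask 255.255.254.0.
    for key, value in subnet_facts("100.15.209.0", "255.255.254.0").items():
        print(f"{key:>11}: {value}")
```

For the page's example the output reproduces the stated network ID 100.15.208.0, broadcast 100.15.209.255 and valid range 100.15.208.1 to 100.15.209.254, with 2^9 – 2 = 510 hosts; because 100.x.x.x is a Class A address with a default /8, the /23 mask borrows 15 subnet bits.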

IPv6

IPv6 is a working IP version created to take over when the IPv4 address space is exhausted.

IPv6 address format summary:

  1. Defined by RFC 2373 and RFC 237.

  2. Consists of 128 bits with a 64-bit network prefix and a 64-bit local identifier.

  3. Represented by 32 hexadecimal digits broken into eight smaller groups of four.

  4. Uses CIDR notation (slash notation) to discern a subnet range, so you might see the same IP address subnetted and written out as 2001:0BD2:0200:08F1:0000:0000:0000:16AB/16.

The same IPv6 IP address can be written in all of the following ways:

2001:0BD2:0200:08F1:0000:0000:0000:16AB

2001:BD2:200:8F1:0:0:0:16AB

2001:BD2:200:8F1::16AB
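The three spellings above are one 128-bit value. As an added example (not code from the original page), the following Python applies the two shortening rules the list implies, dropping leading zeros in each group and replacing the longest run of all-zero groups with ::, and checks the result against the standard library. The function names are this example's own; the address and the /16 prefix are the page's.

```python
import ipaddress


def expand_ipv6(addr):
    """Write an IPv6 address in full: eight groups of four hex digits, 32 digits total."""
    return ipaddress.IPv6Address(addr).exploded.upper()


def compress_ipv6(addr):
    """Shorten an IPv6 address:
    1. drop leading zeros in each 16-bit group;
    2. replace the longest run of two or more all-zero groups with :: (first run wins a tie).
    A single zero group is left as 0 so that :: is never ambiguous."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexgroups = [f"{g:X}" for g in groups]           # rule 1: no leading zeros
    if best_len >= 2:                                # rule 2: one :: for the longest zero run
        left = ":".join(hexgroups[:best_start])
        right = ":".join(hexgroups[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(hexgroups)


def same_address(*forms):
    """True when every textual form denotes the same 128-bit value."""
    return len({int(ipaddress.IPv6Address(f)) for f in forms}) == 1


def network_prefix(cidr):
    """Keep only the network part selected by the /N and write it compressed."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    return str(net).upper()


if __name__ == "__main__":
    full = "2001:0BD2:0200:08F1:0000:0000:0000:16AB"
    print(compress_ipv6(full))
    print(expand_ipv6("2001:BD2:200:8F1::16AB"))
    print(network_prefix(full + "/16"), network_prefix(full + "/64"))
```

With the page's /16, only the first group survives in the network prefix (2001::/16); with the 64-bit network prefix the list describes, the first four groups do (2001:BD2:200:8F1::/64).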

Types of IPv6 Addresses

  • Link-local addresses: Addresses that have the shortest reach of the IP address types. They can go only as far as the Layer 2 domain. These addresses are autogenerated with or without the use of a DHCP server. So, when an IPv6 node goes online, this address is assigned automatically.

  • Unique/site-local addresses: Addresses that have a broader scope than link-local addresses. They can expand to the size of an organization and are used to describe the boundary of the organizational network. These are the private addresses for IPv6.

  • Global addresses: Addresses that have the broadest scope of all. As the name indicates, these addresses are for global use—that is, for Internet communications.

  • Multicast: Addresses that are extremely important because of their use for group communications and broadcast messaging.

Integrating IPv4 and IPv6

There are several ways to integrate IPv4 and IPv6 addressing. You can implement dual-stack, tunneling, or translation techniques to help IPv4 and IPv6 addresses exist on the network simultaneously.

Layer 3 Functions

Routers and Layer 3 switches perform the following functions:

  1. Do not forward broadcasts or multicasts by default.

  2. Make best-path decisions.

  3. Filter packets with access lists.

  4. Remove and add Layer 2 frames.

  5. Apply quality of service (QoS) rules to traffic types.

Routers decide which interface to forward a packet through by examining the network portion of each IP address.

IOS Terminal Access Methodologies

To gain access to an EXEC session to an IOS for configuration and administration, you can use the following methods:

  • Console: Out-of-band CLI access via a rollover cable connected to the COM port of your terminal PC.

  • Auxiliary: Out-of-band CLI access via rollover cable connected to external modem for remote access.

  • Telnet: In-band CLI access to an active IP address on the device’s vty lines using the Telnet protocol. Requires configuration.

  • SSH: Secure encrypted in-band CLI access to an active IP address using the SSH protocol. Requires configuration.

  • HTTP/HTTPS: In-band GUI access to an active IP address using the HTTP or HTTPS protocol. Requires configuration.

IOS Boot Processes

To solidify the startup process, the following is a recap of the stages of the bootup, any fallback procedures, and the memory locations involved:

  1. POST, located in ROM, tests the hardware.

  2. The bootstrap, located in ROM, looks at the boot field in the configuration register to locate the IOS. 0x2100 boots to ROMmon, located in ROM.

  3. 0x2101-0x210F prompts the bootstrap to parse the startup-config in NVRAM for any boot system commands. If any are present, they are carried out.

  4. If there are no boot system commands, load the first file in Flash. If no file is in Flash, TFTP boot. If no IOS file is found from TFTP, go to ROMmon mode.

  5. After the IOS is loaded, check the configuration register. If 0x2142, ignore the startup-config in NVRAM. If 0x2102, load the startup-config in NVRAM. If there is no startup-config, TFTP autoinstall. If no TFTP autoinstall configuration is found, enter Setup Mode.

IOS Navigation

Table FF.16. IOS Navigation Modes

Mode                       | Prompt                  | Description
---------------------------|-------------------------|-------------------------------------------------------------------------------
User EXEC                  | Router>                 | Basic troubleshooting and verification
Privileged EXEC            | Router#                 | All available commands including delete, clear, erase, configure, copy, and reload
Global Configuration       | Router(config)#         | Configurations that apply to the entire device
Line Configuration         | Router(config-line)#    | Configurations that apply to the terminal lines into a device
Interface Configuration    | Router(config-if)#      | Configurations that apply to interfaces
Subinterface Configuration | Router(config-subif)#   | Configurations that apply to logical extensions of the physical interface
Router Configuration       | Router(config-router)#  | Configurations that apply to routing protocols

Context-Sensitive Help

The question mark shows all the available commands at that particular prompt. To see all the available commands that start with a letter or letter(s), type the letter(s) immediately followed by the question mark. To see the list of commands that follows a keyword, type the keyword followed by the question mark separated by a space. Commands can be abbreviated as long as there are enough characters to recognize what command you are entering.

Terminal Editing Keys

Table FF.17. Cisco IOS Terminal Editing Keystrokes

Keystroke | Function
----------|---------------------------------------------------
Ctrl+A    | Moves the cursor to the beginning of the command line.
Ctrl+E    | Moves the cursor to the end of the command line.
Ctrl+B    | Moves the cursor back one character.
Ctrl+F    | Moves the cursor forward one character.
Esc+B     | Moves the cursor back one word.
Esc+F     | Moves the cursor forward one word.

Syntax Errors

  • Ambiguous command: This error is displayed when you have not typed enough characters for the IOS to distinguish which command you want to use. In other words, several commands start with those same characters, so you must type more letters of the command for the IOS to recognize your particular command.

  • Incomplete command: The IOS has recognized your keyword syntax with this error message; however, you need to add more keywords to tell the IOS what you want to do with this command.

  • Invalid input: Also known as the “fat finger” error, this console error message is displayed when you mistype a command. The IOS displays a caret (^) up to the point where the IOS could understand your command.

Global Configuration Commands

Table FF.18. Global Configuration Commands

Command                       | Description
------------------------------|------------------------------------------------------------
config-register register      | Alters the configuration register.
boot system location          | Specifies location to load IOS.
hostname hostname             | Changes the name of the Cisco router or switch.
banner motd char banner char  | Creates a message of the day login banner.
ip host name ipaddress        | Configures a static mapping of a hostname to an IP address.
ip name-server ip             | Specifies a DNS server IP address for dynamic name resolution.
ip domain-lookup              | Enables automatic name resolution.
ip domain-name                | Assigns a domain name to a Cisco device.

Securing the IOS

First and foremost, physically secure access to your Cisco devices so that there are no intentional or unintentional disruptions of, or access to, the device itself.

To secure User EXEC to your console port:

Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password password

To secure User EXEC to your aux port:

Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password password

To secure User EXEC to all five Telnet lines:

Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password password

To secure access to Privileged EXEC mode:

Router(config)#enable secret password
Router(config)#enable password password

The enable secret global configuration command stores the password as an MD5 hash. If both the enable secret and the enable password commands are configured, the enable secret password is used.

To encrypt the enable password and the line passwords, use the service password-encryption command.

SSH

To secure terminal access to the Cisco device, use SSH rather than Telnet. The steps to configure SSH are as follows:

  1. Configure a hostname on the device other than the default hostname.

  2. Configure a domain name for the Cisco device.

  3. Generate an RSA key (at least a 1024-bit key is recommended) with the crypto key generate command.

  4. Create a username/password combination with the username username password password command.

  5. (Optional) Limit the vty lines to allow only SSH with the transport input SSH command.
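A defender-side check of the points in this section and the SSH steps above. This is an added example and not code from the original page: a Python script that parses a constructed running-config excerpt and reports the weaknesses the text warns about (default hostname, no domain name, no username, enable password without enable secret, service password-encryption off, a line with login but no password, and vty lines that still accept Telnet). The SAMPLE_CONFIG and HARDENED_CONFIG excerpts, the PLACEHOLDER values standing in for real passwords, and the parse_config and audit names are all this example's own.

```python
# Constructed running-config excerpt with several of the weaknesses the text describes.
SAMPLE_CONFIG = """\
!
hostname Router
!
enable password cisco
!
line con 0
 password cisco
 login
line aux 0
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# The same device after the section's recommendations; PLACEHOLDER is not a real credential.
HARDENED_CONFIG = """\
hostname Edge-R1
ip domain-name example.test
service password-encryption
enable secret PLACEHOLDER
username admin password PLACEHOLDER
line con 0
 password PLACEHOLDER
 login
line aux 0
 password PLACEHOLDER
 login
line vty 0 4
 login local
 transport input ssh
"""


def parse_config(text):
    """Split a running-config into top-level commands and the indented commands
    under each 'line ...' section (other sections are not needed here)."""
    global_cmds, lines, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.rstrip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith(" "):
            if current is not None:
                lines[current].append(cmd.strip())
        else:
            current = None
            if cmd.startswith("line "):
                current = cmd
                lines.setdefault(current, [])
            else:
                global_cmds.append(cmd)
    return global_cmds, lines


def audit(text):
    """Return one finding per weakness found; an empty list means all checks passed."""
    global_cmds, lines = parse_config(text)

    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in global_cmds)

    findings = []
    if not has("hostname ") or "hostname Router" in global_cmds:
        findings.append("hostname is the default: set a unique hostname (SSH step 1)")
    if not has("ip domain-name"):
        findings.append("no ip domain-name: the RSA key for SSH cannot be generated (step 2)")
    if not has("username "):
        findings.append("no username/password configured for SSH logins (step 4)")
    if not has("enable secret"):
        findings.append("no enable secret: privileged EXEC relies on the clear-text enable password")
    if not has("service password-encryption"):
        findings.append("service password-encryption is off: line passwords are stored in clear text")
    for name, cmds in lines.items():
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        has_password = any(c.startswith("password ") for c in cmds)
        if not has_login:
            findings.append(f"{name}: no login command, so the line is unauthenticated")
        elif "login" in cmds and not has_password:
            findings.append(f"{name}: login is set without a password ('Password required, but none set')")
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or any("telnet" in c or c.endswith(" all") for c in transport):
                findings.append(f"{name}: Telnet is accepted; use 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The sample produces seven findings and the hardened excerpt none; a line with login local is accepted without a line password because authentication then comes from the username database.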

Interface Configuration Commands

Table FF.19. Interface Configuration Commands

Command                  | Description
-------------------------|----------------------------------------------------------------
ip address ip subnetmask | Assigns an IP address to an interface.
no shutdown              | Administratively enables an interface.
full-duplex              | Changes the duplex setting to full duplex.
clock rate speed         | Sets the timing speed of the network on a DCE interface in bps.
bandwidth speed          | Sets the logical bandwidth setting for routing protocols in Kbps.
ip address dhcp          | Dynamically assigns an IP address to an interface from a DHCP server.

Switch Commands

Table FF.20. Switch Configuration Commands

Command                    | Description
---------------------------|--------------------------------------------------------
interface range media range | Configures several interfaces with the same parameters.
ip address ipaddress       | Assigns an IP address to a VLAN interface.
ip default-gateway ip      | Sets the gateway of last resort for a Layer 2 switch.
speed speed                | Changes the speed of an autosensing link in Mbps.
duplex duplex              | Sets the duplex of a switchport.

The Copy Command

The copy command copies files from one location to another. For example, to save the current configuration, we copy the running-config in RAM to the startup-config in NVRAM using the copy running-config startup-config command.

The copy command is also used to copy files between our device and a TFTP server. For instance, copy flash tftp backs up the IOS in flash to a TFTP server, and copy tftp flash upgrades, downgrades, or restores an IOS onto our device. Before copying to or from a TFTP server, the following preparation steps are in order:

  1. The TFTP server must have the TFTP service running.

  2. Your device must be cabled correctly. If a switch, plug the TFTP server into the switch with a straight-through Ethernet cable. If going directly between a router and the TFTP server, use a cross-over cable.

  3. You must have IP connectivity to the server.

  4. There must be enough room on the TFTP server and your device’s memory to store these files.

The Show Command

Table FF.21. General show Commands

Command                 | Mode                | Output
------------------------|---------------------|------------------------------------------------------------------
show running-config     | Privileged          | Current active configuration in RAM.
show startup-config     | Privileged          | Configuration stored in NVRAM that will be loaded on reboot.
show interfaces         | User and Privileged | Status of the interfaces as well as physical and logical address, encapsulation, bandwidth, reliability, load, MTU, duplex, broadcasts, collisions, and frame errors.
show ip interface brief | User and Privileged | Status of the interfaces and their logical addresses.
show controller         | User and Privileged | Microcode of the interface including DCE/DTE cable connection.
show flash              | User and Privileged | Filenames and sizes of IOS files stored in Flash memory.
show version            | User and Privileged | IOS version, system uptime, amount of RAM, NVRAM, Flash memory, and configuration register.

Interface Status

Table FF.22. Interface Status Values

Layer 1               | Layer 2 (Line Protocol) | Possible Symptoms
----------------------|-------------------------|---------------------------------------------------------------------------------
Up                    | Up                      | None. Interface is functional.
Up                    | Down                    | Encapsulation mismatch, lack of clocking on serial interfaces.
Down                  | Down                    | Cable is disconnected or attached to a shutdown interface on the far-end device.
Administratively Down | Down                    | Local interface was not enabled with the no shutdown command.

Cisco Discovery Protocol

Proprietary Cisco Layer 2 protocol that uses multicast to gather hardware and protocol information about directly connected devices.

Network layer protocol- and media-independent.

Enabled by default on all Cisco devices, but can be disabled globally:

Router(config)#no cdp run

or can be disabled on interface-by-interface basis:

Router(config-if)#no cdp enable

To learn the remote device’s Layer 3 address and IOS version:

Router>show cdp neighbor detail

or

Router>show cdp entry *

Telnet

Telnet enables a virtual terminal connection to a remote device’s IP address using the Application layer protocol, Telnet (TCP port 23 at Transport layer).

To Telnet from IOS, enter the keyword telnet followed by the IP address or hostname. If you only type an IP address or hostname in User EXEC or Privileged EXEC mode, IOS automatically assumes that you are Telnetting. To Telnet to a Cisco device, the vty passwords must be set, or you receive the “Password required, but none set” error. To access Privileged EXEC mode in a Telnet session, you must have enable password set, or you receive the “% No password set” error.

  1. To suspend the Telnet session, press Ctrl+Shift+6, x.

  2. To see a list of the active sessions in the originating router, use the show sessions command.

  3. To resume a suspended session, press the Enter key from User EXEC or Privileged EXEC mode, or enter resume followed by the session number.

  4. To close a Telnet session from the device we are Telnetted into, enter exit or logout from User EXEC or Privileged EXEC mode.

  5. To close a Telnet session from the originating device, enter disconnect followed by the session number.

  6. To see log messages in your Telnet session, use the Privileged EXEC command terminal monitor in the device that you are Telnetted into.

DHCP

Your Cisco device can act as a DHCP server and respond to DHCP requests on a segment. To configure the Cisco device as a DHCP server, you must first enable the interface that will receive the DHCP requests and assign an IP address to it. After the interface is enabled, you define the DHCP address pool with the ip dhcp pool poolname global configuration command. After you are in dhcp-config mode, you can define the DHCP address scope with the network command followed by the IP subnet to be assigned. You can also define additional parameters such as the default gateway, DNS server, domain name, and length of the IP lease. To exclude IP addresses from being assigned (such as if you have statically assigned them to specific devices), use the ip dhcp excluded-address ip-address command to remove the IP(s) from the scope.

To verify the devices that have been assigned IP addresses from the DHCP address scope, use the show ip dhcp binding command.

Switches

Switches have the following functions:

  1. Segment LANs into multiple collision domains.

  2. Learn MAC addresses by examining the source MAC address of each frame received and store them in a CAM table.

  3. Base their forwarding decisions on the destination MAC address of an Ethernet frame.

  4. Flood broadcast, multicast, and unknown unicast frames out all ports except the one on which the frame was received.

A switch has three methods of forwarding frames:

  • Store-and-forward: Variable-latency method that buffers the entire frame and checks the CRC before forwarding the frame.

  • Cut-through: Looks only at the destination MAC address in an Ethernet frame and forwards it.

  • Fragment-free: Checks the first 64 bytes for frame fragments (due to collisions) before forwarding the frame.

Duplex Connections

  • Half-duplex interfaces have one-way communications with suboptimal throughput because they operate in a collision domain in which CSMA/CD must be enabled. When connected to a hub, they must run half duplex.

  • Full-duplex interfaces simultaneously send and receive, allowing higher throughput because CSMA/CD is disabled. Connections to other switches or devices can be full-duplex.

Port Security

This configuration limits the number of MAC addresses that can be dynamically learned on a switch port:

Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

If a violation occurs, the default response of a Catalyst switch is to shut down the port. To have the port instead increment a violation counter and alert an administrator using SNMP, use the restrict keyword. The protect keyword allows only traffic from the secure MAC addresses: it silently drops frames from other MAC addresses until the number of secure MAC addresses drops below the maximum.

To secure an interface by statically assigning the permitted MAC address(es) attached to the port, use the switchport port-security mac-address MAC_address command on the interface. Alternatively, you can have the switch learn these addresses up to the maximum by using sticky-learned addresses with the command switchport port-security mac-address sticky.
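The three violation modes and the static/sticky learning described above, modelled as an added Python example (this is not IOS code; the interface names, MAC addresses and trap strings are constructed for the example):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Added model of Catalyst port-security behaviour (not IOS code). Violation modes
# follow the three keywords on the page:
#   protect  - drop frames from non-secure MACs silently
#   restrict - drop them, bump the violation counter and raise a (simulated) SNMP trap
#   shutdown - err-disable the port (the Catalyst default)

@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"
    sticky: bool = False
    static_macs: Set[str] = field(default_factory=set)
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> static/dynamic/sticky
    violation_count: int = 0
    err_disabled: bool = False
    traps: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # `switchport port-security mac-address <MAC>` entries are secure before any frame arrives
        for mac in self.static_macs:
            self.secure_macs[mac] = "static"

    def receive(self, src_mac: str) -> str:
        """Handle an ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"          # nothing passes until the port is recovered
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # room left under `maximum`: learn the address (sticky addresses persist in config)
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> str:
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.traps.append(f"{self.name} err-disabled by {src_mac}")
            return "err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1
            self.traps.append(f"{self.name} violation from {src_mac}")
        return "drop"                      # protect: same drop, no counter, no trap

    def running_config(self) -> List[str]:
        """Interface lines the modelled port would show in running-config."""
        lines = ["switchport mode access",
                 "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in sorted(self.secure_macs.items()):
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines
```

Running the model shows the operational trade-off: in shutdown mode one rogue frame cuts off the legitimate host as well until the port is recovered, whereas restrict keeps the legitimate host working and still produces a counter and trap for monitoring.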

Routing Characteristics

Packets originating from a nonrouting device and destined for another network are sent to the device's default gateway (the Layer 3 device on the segment). The router consults its routing table to determine whether the destination network can be reached. If not, an ICMP Destination Unreachable message is sent to the source. If so, the packet is forwarded out the interface associated with the destination network in the routing table.

Routing Sources

  • Connected interfaces: As soon as we assign an IP address to a working (up/line protocol up) interface, the router places the entire subnet of the interface’s IP address in the routing table.

  • Static routes: These are manual entries that an administrator enters into the configuration; each describes a destination network and the next hop (the router along the path to the destination).

  • Routing protocols: Protocols exchanged between routing devices to dynamically advertise networks.

When multiple routing sources are advertising the same IP subnet, the router uses the source with the lowest administrative distance.

Table FF.23. Default Administrative Distances

Routed Source       Default Distance
Connected           0
Static route        1
EIGRP (internal)    90
IGRP                100
OSPF                110
ISIS                115
RIPv1 and v2        120
EIGRP (external)    170

Static and Default Routes

Static routes are useful in stub networks in which we want to control the routing behavior by manually configuring destination networks into the routing table.

Router(config)#ip route 10.0.0.0 255.0.0.0 192.168.2.5

A floating static route can be configured when redundant connections exist and you want to use the redundant link if the primary fails. This is configured by adding a higher administrative distance at the end of a static route.

Router(config)#ip route 10.0.0.0 255.0.0.0 192.168.2.9 2

A default route is a gateway of last resort for a router when there isn’t a specific match for an IP destination network in the routing table (such as packets destined for the Internet).

Router(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0

With routing protocols, you can specify a default network, which is a network in the routing table that routing devices consider the gateway of last resort. Using their routing protocols, they determine the best path to the default network.

Router(config)#ip default-network 192.168.1.0
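How the routing sources, administrative distances and the static, floating static and default routes above combine into one forwarding decision, as an added Python model (not IOS code). The topology, interface names and addresses are constructed for the example; the AD values are those of Table FF.23:

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default administrative distances from Table FF.23; the router model itself is an
# added example, not IOS code.
AD = {"connected": 0, "static": 1, "eigrp": 90, "igrp": 100, "ospf": 110,
      "isis": 115, "rip": 120, "eigrp-external": 170}

@dataclass
class Route:
    prefix: str                      # "10.0.0.0/8"; "0.0.0.0/0" is the default route
    source: str                      # key into AD
    next_hop: str                    # next-hop IP, or an exit interface name
    metric: int = 0
    distance: Optional[int] = None   # explicit AD, as on a floating static route

    @property
    def ad(self) -> int:
        return self.distance if self.distance is not None else AD[self.source]

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)

class Router:
    def __init__(self) -> None:
        self.interfaces: Dict[str, bool] = {}   # name -> line protocol up?
        self.candidates: List[Route] = []       # every route offered by any source

    def connected(self, iface: str, prefix: str) -> None:
        self.interfaces[iface] = True
        self.candidates.append(Route(prefix, "connected", iface))

    def _usable(self, r: Route, connected: List[Route]) -> bool:
        """A route is installable only if its next hop is an up interface or an IP
        inside an up connected subnet (a simplified recursive lookup)."""
        if r.next_hop in self.interfaces:
            return self.interfaces[r.next_hop]
        nh = ipaddress.ip_address(r.next_hop)
        return any(nh in c.net for c in connected)

    def routing_table(self) -> List[Route]:
        """Per prefix keep the usable route with the lowest AD (ties: lowest metric)."""
        connected = [r for r in self.candidates
                     if r.source == "connected" and self.interfaces[r.next_hop]]
        best: Dict[ipaddress.IPv4Network, Route] = {}
        for r in self.candidates:
            if not self._usable(r, connected):
                continue
            cur = best.get(r.net)
            if cur is None or (r.ad, r.metric) < (cur.ad, cur.metric):
                best[r.net] = r
        return list(best.values())

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; None means ICMP Destination Unreachable goes back."""
        ip = ipaddress.ip_address(dst)
        matches = [r for r in self.routing_table() if ip in r.net]
        return max(matches, key=lambda r: r.net.prefixlen) if matches else None

def build_example() -> Router:
    """Topology constructed for this example; every address here is made up."""
    rtr = Router()
    rtr.connected("fa0/0", "192.168.2.4/30")   # primary neighbour is 192.168.2.5
    rtr.connected("fa0/1", "192.168.2.8/30")   # backup neighbour is 192.168.2.9
    rtr.connected("fa1/0", "192.168.1.0/24")   # LAN
    rtr.interfaces["serial 0/0"] = True        # Internet link
    # ip route 10.0.0.0 255.0.0.0 192.168.2.5
    rtr.candidates.append(Route("10.0.0.0/8", "static", "192.168.2.5"))
    # ip route 10.0.0.0 255.0.0.0 192.168.2.9 2    (floating static, AD 2)
    rtr.candidates.append(Route("10.0.0.0/8", "static", "192.168.2.9", distance=2))
    # same subnet also heard from RIP (AD 120): never preferred over a static route
    rtr.candidates.append(Route("10.0.0.0/8", "rip", "192.168.2.9", metric=3))
    # a more specific OSPF prefix wins by longest match regardless of AD
    rtr.candidates.append(Route("10.1.0.0/16", "ospf", "192.168.2.9", metric=20))
    # ip route 0.0.0.0 0.0.0.0 serial 0/0
    rtr.candidates.append(Route("0.0.0.0/0", "static", "serial 0/0"))
    return rtr
```

Two rules are visible in the model and worth keeping apart: administrative distance only decides between routes for the same prefix, while the lookup itself is longest-prefix match, so the OSPF /16 is used for 10.1.x.x hosts even though the static /8 has a far lower AD. Shutting fa0/0 withdraws the connected subnet, which makes the primary static route's next hop unreachable and lets the floating static (AD 2) take over ahead of the RIP route (AD 120).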

Dynamic Routing Protocols

In complex networks with multiple pathways to destinations, dynamic routing protocols enable routers to advertise their networks to each other and dynamically react to topology changes.

Routing protocols determine the best path based on the lowest metric.

Routing Metrics

Because one of the core responsibilities of routing protocols is to build routing tables to determine optimal routing paths, we need to have some means of measuring which routes are preferred when there are multiple pathways to a destination. Routing protocols use some measure of metrics to identify which routes are optimal to reach a destination network. The lowest cumulative metric to a destination is the preferred path and the one that ultimately enters the routing table. Different routing protocols use one or several of the following metrics to calculate the best path.

Table FF.24. Routing Metrics

Metric        Description
Hop count     The number of routing devices that the packet must pass through to reach a destination network
Bandwidth     The cumulative bandwidth of the links to the destination in kilobits per second
Delay         The length of time (measured in microseconds) a packet takes from source to destination
Reliability   The consistency of the links and paths toward the destination based on error rates of the interfaces
Load          The cumulative amount of congestion or saturation of the links toward the destination
MTU           The maximum frame size that is allowed to traverse the links to the destination
Cost          An arbitrary number typically based on the bandwidth of the link

Interior and Exterior Gateway Routing Protocols

  • Interior gateway routing protocols: IG routing protocols advertise networks and metrics within an autonomous system.

  • Exterior gateway routing protocols: EG routing protocols advertise networks between autonomous systems.

Classful and Classless Routing Updates

  • Classful routing: The routing updates only contain the classful networks without any subnet mask. Summarization is automatically done when a router advertises a network out an interface that is not within the same major subnet. Classful routing protocols must have a FLSM design and do not operate correctly with discontiguous networks.

  • Classless routing: The routing updates can contain subnetted networks since the subnet mask is advertised in the updates. Route summarization can be manually configured at any bit boundary. Classless routing protocols support VLSM designs and discontiguous networks.

Routing Protocol Classes

  • Distance vector: The entire routing table is periodically sent to directly connected neighbors regardless of a topology change. These routing protocols manipulate the routing table updates before sending that information to their neighbors and are slow to converge when a topology change occurs.

  • Link state: All possible link states are stored in an independent topology table in which the best routes are calculated and put into the routing table. The topology table is initially synchronized with discovered neighbors followed by frequent hello messages. These routing protocols are faster to converge than distance vector routing protocols.

  • Hybrid: By using the best characteristics of link-state and distance vector routing protocols, these advanced routing protocols efficiently and quickly build their routing information and converge when topology changes occur.

Redistribution

Redistribution is the method of configuring routing protocols to advertise networks from other routing protocols:

  • One-way redistribution: Networks from an edge protocol are injected into a more robust core routing protocol, but not the other way around. This method is the safest way to perform redistribution.

  • Two-way redistribution: Networks from each routing protocol are injected into the other. This is the least preferred method because it is possible that suboptimal routing or routing loops might occur because of the network design or the difference in convergence times when a topology change occurs.

Distance Vector Routing Loop Mitigation

Distance vector routing protocols contain several measures to prevent routing loops:

  • Maximum hop counts: To ensure that routing metrics do not increment toward infinity in a routing loop, distance vector routing protocols define a maximum hop count.

Table FF.25. Maximum Hop Counts

Protocol   Distance Vector/Link State/Hybrid   Maximum Hop Count
RIPv1      Distance Vector                     15
RIPv2      Distance Vector                     15
EIGRP      Hybrid                              224
OSPF       Link State                          Infinite

  • Split horizon: Subnets learned from neighbor routers should not be sent back out the same interface from which the original update came.

  • Route poisoning with poison reverse: When a route to a subnet fails, the subnet is advertised with an infinite metric. Routers receiving the poisoned route override the split-horizon rule and send a poison reverse back to the source.

  • Hold-down timers: The amount of time a router ignores any information about an alternative route with a higher metric to a poisoned subnet.

  • Flash updates/triggered updates: When a route fails, the router immediately sends an update instead of waiting for the normal update interval.
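The maximum hop count, split horizon and poison reverse measures above, simulated in an added Python example (not RIP source code and not IOS). Two routers A and B are constructed; B's connected subnet X fails, and A's periodic update happens to reach B before B's poisoned update reaches A, which is the ordering that produces a count-to-infinity when the protections are off:

```python
# Added simulation of the distance vector loop-prevention measures on the page
# (not RIP source code): two routers, A and B, with B's connected subnet X failing.
INFINITY = 16                      # RIP's "infinite" metric; maximum hop count is 15
X = "10.5.0.0/16"                  # constructed prefix for the example

class RipRouter:
    def __init__(self, name, split_horizon=True, poison_reverse=True):
        self.name = name
        self.split_horizon = split_horizon
        self.poison_reverse = poison_reverse   # implies split horizon with poisoned routes
        self.table = {}                        # prefix -> [metric, next_hop]; None = connected

    def connect(self, prefix):
        self.table[prefix] = [0, None]

    def fail(self, prefix):
        """Route poisoning: the failed subnet stays in the table with an infinite metric."""
        self.table[prefix][0] = INFINITY

    def update_for(self, neighbor):
        """Build the periodic update sent to `neighbor`."""
        adv = {}
        for prefix, (metric, next_hop) in self.table.items():
            if next_hop == neighbor:           # learned from the very neighbor we are updating
                if self.poison_reverse:
                    adv[prefix] = INFINITY     # poison reverse: send it back as unreachable
                    continue
                if self.split_horizon:
                    continue                   # plain split horizon: do not send it back at all
            adv[prefix] = min(metric + 1, INFINITY)
        return adv

    def receive(self, sender, adv):
        for prefix, metric in adv.items():
            cur = self.table.get(prefix)
            if cur is None:
                if metric < INFINITY:
                    self.table[prefix] = [metric, sender]
            elif cur[1] == sender:             # the current next hop may worsen the route
                cur[0] = metric
            elif metric < cur[0]:              # anyone may improve it (hold-down timers not modelled)
                self.table[prefix] = [metric, sender]

def simulate(split_horizon, poison_reverse, rounds=20):
    """Returns (A's metric, B's metric) for X after each update round until both hit INFINITY."""
    a = RipRouter("A", split_horizon, poison_reverse)
    b = RipRouter("B", split_horizon, poison_reverse)
    b.connect(X)
    a.receive("B", b.update_for("A"))          # A learns X at 1 hop via B
    b.fail(X)                                  # X goes down on B
    history = []
    for _ in range(rounds):
        b.receive("A", a.update_for("B"))      # A's periodic update arrives before B's poison
        a.receive("B", b.update_for("A"))
        history.append((a.table[X][0], b.table[X][0]))
        if history[-1] == (INFINITY, INFINITY):
            break
    return history
```

With both protections off, B re-learns the dead subnet from A and the two routers bounce the metric upward two hops per round until the maximum hop count caps it at 16 after eight rounds; with split horizon or poison reverse on, A never offers the route back to B and both sides agree the subnet is unreachable after the first exchange. Hold-down timers and triggered updates, the other two measures on the page, are not modelled; a triggered update from B would close the timing window that the simulation deliberately opens.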

RIP and RIPv2

Table FF.26. RIP and RIPv2 Comparison

Feature                 RIPv1          RIPv2
Classful/classless      Classful       Both
Algorithm               Bellman-Ford   Bellman-Ford
Metric                  Hops           Hops
Maximum hop count       15             15
Infinite metric         16             16
Hello/dead time         30/180         30/180
Updates                 Broadcast      Multicast (224.0.0.9)
Update authentication   No             Yes
Load balancing          Equal paths    Equal paths

RIP Configuration

The configuration for RIP is simple as long as you remember these two rules:

  1. Only advertise your directly connected networks.

  2. Only advertise the classful network.

Router(config)#router rip
Router(config-router)#network 192.168.7.0
Router(config-router)#network 172.17.0.0

RIPv2 Configuration

Router(config)#router rip
Router(config-router)#network 192.168.7.0
Router(config-router)#network 172.17.0.0
Router(config-router)#version 2
Router(config-router)#no auto-summary

Verifying and Troubleshooting RIP

Table FF.27. Verifying and Troubleshooting RIP Commands

Command             Output
show ip route       The routing table, with RIP entries represented as “R”
show ip protocols   RIP timers, advertised networks
debug ip rip        Real-time display of RIP routing updates being sent and received

Before using any debug commands, verify the processor utilization using the show processes command.

Wireless Networking

Wireless networks have impacted our existing network environments profoundly over the last few years. Because this is the newest topic on the CCENT and CCNA exams, much of what you need to know is the foundations of wireless:

  1. Wireless networks exist by using FCC unmanaged/unregulated radio frequency (RF) signals. This allows corporations to implement wireless technology without FCC approval.

  2. The primary technologies that exist today are 802.11b, 802.11g, and 802.11a. 802.11b/g uses the 2.4GHz frequency range. 802.11a uses the 5GHz frequency range. The 2.4GHz band is much more saturated with consumer electronics (such as cordless phones and microwaves) than the 5GHz band. 802.11n is still in draft status at the time of this writing.

  3. Higher radio frequencies can handle more bandwidth but have less range than the lower radio frequencies.

  4. When implementing wireless technology in a larger building, adjacent wireless access points should use different channels to avoid interfering with each other.

  5. The primary channels used in the U.S. for 802.11b/g are channels 1, 6, and 11. These three channels do not have any overlapping frequencies with each other.

  6. The Wi-Fi Alliance is an organization whose aim is to create a cross-vendor certification of wireless equipment. Purchasing equipment certified by the Wi-Fi Alliance ensures that all the wireless networking gear you use will be compatible with each other.

Wireless Security and Implementation

Because wireless networking has become so prevalent in businesses, it is imperative that every network technician knows the foundations of wireless security. Table FF.28 describes the wireless encryption standards currently available.

Table FF.28. Wireless Encryption Standards

Security Standard   Encryption Strength                        Key Distribution                                             Encryption Cipher
WEP                 40-bit                                     Preshared keys                                               RC4
WEP2                104-bit                                    Preshared keys                                               RC4
WPA                 128-bit                                    Preshared keys or 802.1x; TKIP allows dynamic key rotation   RC4
WPA2 (802.11i)      Varied strength; currently up to 256-bit   Preshared keys or 802.1x                                     AES

Wireless authentication adds an entirely new layer of security to your wireless network. Rather than simply requiring a preshared key (PSK) to gain access to the WLAN, users must authenticate using one of many EAP methods. Encryption keys are dynamically generated after a successful authentication.

Network authentication for LAN environments is called 802.1x (also known as EAP over LAN [EAPOL]).

When implementing wireless access points, you can use a Basic Service Set (BSS), which is a single access point. Or you can use an Extended Service Set (ESS), which is two or more BSSs that tie users to the same LAN. These typically have overlapping coverage areas.

The farther you move from a wireless access point, the more your speed decreases. 802.11a/b/g have the following steps:

802.11a and 802.11g:

  1. 54Mbps

  2. 48Mbps

  3. 36Mbps

  4. 24Mbps

  5. 18Mbps

  6. 12Mbps

  7. 9Mbps

  8. 6Mbps

802.11b:

  1. 11Mbps

  2. 5.5Mbps

  3. 2Mbps

  4. 1Mbps

Implementing a wireless network should typically be done in four steps:

  1. Ensure hardwired operation.

  2. Install the wireless access point in your tested switchport.

  3. Configure a basic wireless network, and test.

  4. Add wireless security, and test.

Network Address Translation (NAT)

NAT is in use on virtually every Internet-connected router in the world today. This technology acts as a security boundary and Internet address sharing system. The following facts are relevant to NAT.

NAT operates by typically translating private IP addresses to public Internet addresses. The following are the private address ranges as defined by RFC 1918:

  • Class A: 10.X.X.X

  • Class B: 172.16.X.X to 172.31.X.X

  • Class C: 192.168.X.X

The three primary forms of NAT are as follows:

  • Static NAT allows you to manually map one IP address to another in a one-to-one relationship.

  • Dynamic NAT allows you to define a pool of addresses to be translated along with a pool of addresses they will be translated to.

  • NAT overload/PAT allows a single Internet IP address to support many internal clients.

The standards bodies have developed many terms to describe the location of an IP address in the world of NAT:

  • Inside local addresses: Refers to everything inside your network.

  • Inside global addresses: The Internet-valid IP address assigned to your router that is directly connected to the Internet.

  • Outside global addresses: A standard Internet IP address accessible from any host connected to the Internet.

  • Outside local addresses: How an Internet host is seen by the internal network as it is translated through the NAT router into your local network.
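NAT overload (PAT) with the RFC 1918 ranges and the inside local/inside global terms above, as an added Python model (not IOS code). The inside global address, the inside hosts and the outside server addresses are constructed for the example:

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Added model of NAT overload / PAT (not IOS code). Addresses below are constructed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip: str) -> bool:
    """True for the three RFC 1918 private ranges listed on the page."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PatRouter:
    """Many inside local addresses share one inside global address, told apart by port."""
    def __init__(self, inside_global: str) -> None:
        self.inside_global = inside_global
        self.bindings: Dict[Tuple[str, int], int] = {}   # (inside local ip, port) -> global port
        self.reverse: Dict[int, Tuple[str, int]] = {}    # global port -> (inside local ip, port)

    def _allocate(self, local: Tuple[str, int]) -> int:
        # keep the host's own source port when it is free, otherwise pick the next unused one
        port = local[1]
        if port in self.reverse:
            port = next(p for p in range(1024, 65536) if p not in self.reverse)
        self.bindings[local] = port
        self.reverse[port] = local
        return port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside: rewrite the inside local source to the inside global address."""
        if not is_private(pkt.src_ip):
            return None                                  # not an inside local address
        key = (pkt.src_ip, pkt.src_port)
        port = self.bindings[key] if key in self.bindings else self._allocate(key)
        return replace(pkt, src_ip=self.inside_global, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only traffic matching an existing binding is let through."""
        if pkt.dst_ip != self.inside_global or pkt.dst_port not in self.reverse:
            return None                                  # unsolicited: dropped at the boundary
        local_ip, local_port = self.reverse[pkt.dst_port]
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)
```

The inbound path is where the "security boundary" property on the page comes from: a packet from the Internet is only forwarded inward when an inside host has already created the translation entry, so unsolicited connections to the inside global address are dropped.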

Wide-Area Networks

Wide-area network (WAN) connections tie together geographically distant locations, enabling them to communicate as if directly connected. The following facts are relevant to WANs.

WAN technologies only encompass the Physical and Data Link layers of the OSI model. The three major categories of WAN technology used to connect networks today are as follows:

  • Leased lines: Provide a dedicated, point-to-point link between two locations.

  • Circuit-switched networks: Establish a dedicated channel (or circuit) for the duration of the transmission, and then tear down the channel when the transmission is complete.

  • Packet-switched networks: Enable the service provider to create a large pool of bandwidth for its clients, who establish connections through the shared bandwidth using virtual circuits.

Cisco routers connect to most WAN connections through their serial ports. The Cisco side of the connection uses either a DB-60 or Smart Serial port. The CSU/DSU that the Cisco router connects to will have one of five standard connectors: V.35, X.21, EIA/TIA-232, EIA/TIA-449, or EIA/TIA-530.

At the Data Link layer, Cisco routers primarily use one of two WAN encapsulations for leased line and circuit switched networks:

  • Point-to-Point Protocol (PPP): The most popular, industry-standard, feature-packed protocol for connecting routers

  • Cisco High-level Data Link Control (HDLC): A Cisco-proprietary, low-overhead protocol that makes your WAN connections very efficient between Cisco devices

HDLC is the default encapsulation on all Cisco serial interfaces. However, PPP is used to gain more features and industry standard capabilities when connecting over the WAN. It is made up of three sublayers:

  • ISO HDLC: Responsible for enabling PPP to be supported by multiple devices.

  • Link Control Protocol (LCP): Feature negotiation layer that performs the following functions:

    • Authentication: Requires a username and password for the connecting device.

    • Callback: Enables a dialup server (or router) running PPP to call back the person who initially dialed into the location using a predefined number.

    • Compression: Makes WAN connections more efficient by minimizing the amount of data sent.

    • Multilink: Bundles multiple WAN connections (or WAN channels in the case of ISDN) into a single, logical connection.

  • Network Control Protocol (NCP): Gives PPP the functionality to enable multiple Network layer protocols to run across a single WAN link at any given time.

When configuring PPP authentication, you can choose between two authentication protocols:

  • Password Authentication Protocol (PAP): Sends username and password once in clear-text format when authenticating.

  • Challenge Handshake Authentication Protocol (CHAP): Sends a username and hashed password when demanded by the CHAP server.

When configuring PPP compression, you can choose between three compression types:

  • Stacker: A flat compression algorithm that is notoriously heavy on CPU resources and has less effect on the router’s memory resources. Useful for WAN links with many traffic patterns.

  • Predictor: A dictionary-based compression algorithm that is notoriously heavy on memory resources and has less effect on the router’s CPU resources. Useful for WAN links with similar traffic patterns.

  • Microsoft Point-to-Point Compression (MPPC): Used for Microsoft Windows dial-up clients wanting to use compression.

To activate PPP encapsulation on an interface, use the following syntax:

Router(config)#interface serial 0
Router(config-if)#encapsulation ppp

When adding CHAP authentication to your configuration, you need to ensure that you create a user account that matches the hostname of the other side of the connection. In addition, the passwords must be the same on both sides. Here is a PPP CHAP authentication configuration between the Kirk and Spock routers:

Kirk(config)#username Spock password cisco
Kirk(config)#interface serial 0
Kirk(config-if)#encapsulation ppp
Kirk(config-if)#ppp authentication chap

Spock(config)#username Kirk password cisco
Spock(config)#interface serial 0
Spock(config-if)#encapsulation ppp
Spock(config-if)#ppp authentication chap
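The CHAP exchange that the Kirk/Spock configuration sets up, and the reason the username must match the peer's hostname and the passwords must match on both sides, as an added Python example (not IOS code). The hash construction follows RFC 1994; the router objects and their username entries are constructed from the configuration above:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added model of PPP CHAP (RFC 1994) and PAP for contrast; not IOS code.

def _chap_hash(ident: int, secret: str, value: bytes) -> bytes:
    # RFC 1994 response value: MD5(Identifier || secret || Challenge Value)
    return hashlib.md5(bytes([ident]) + secret.encode() + value).digest()

@dataclass
class PppRouter:
    hostname: str
    users: Dict[str, str] = field(default_factory=dict)  # `username <name> password <pw>` lines

    # authenticator side
    def chap_challenge(self) -> Tuple[int, bytes, str]:
        """Challenge packet: 8-bit Identifier, random Value, and the authenticator's name."""
        return os.urandom(1)[0], os.urandom(16), self.hostname

    def chap_verify(self, ident: int, value: bytes, digest: bytes, peer_name: str) -> bool:
        """Success/Failure: recompute the hash with the secret stored under the peer's name."""
        secret = self.users.get(peer_name)
        if secret is None:
            return False                        # no `username <peer>` entry on this side
        return hmac.compare_digest(_chap_hash(ident, secret, value), digest)

    # peer side
    def chap_response(self, ident: int, value: bytes, auth_name: str) -> Optional[Tuple[bytes, str]]:
        """Response packet: hash plus own hostname; the secret itself never leaves the router."""
        secret = self.users.get(auth_name)
        if secret is None:
            return None
        return _chap_hash(ident, secret, value), self.hostname

def chap_authenticate(authenticator: PppRouter, peer: PppRouter) -> bool:
    """Three-way CHAP exchange: Challenge -> Response -> Success/Failure."""
    ident, value, auth_name = authenticator.chap_challenge()
    resp = peer.chap_response(ident, value, auth_name)
    if resp is None:
        return False
    digest, peer_name = resp
    return authenticator.chap_verify(ident, value, digest, peer_name)

def pap_authenticate(authenticator: PppRouter, peer_name: str, password: str) -> bool:
    """PAP for contrast: the password itself is what crosses the link, once, in clear text."""
    return authenticator.users.get(peer_name) == password

def build_example() -> Tuple[PppRouter, PppRouter]:
    """The two routers from the configuration on the page."""
    kirk = PppRouter("Kirk", {"Spock": "cisco"})     # username Spock password cisco
    spock = PppRouter("Spock", {"Kirk": "cisco"})    # username Kirk password cisco
    return kirk, spock
```

Because each side looks up the secret by the name the other side sends, a mismatched hostname or a different password on either router makes verification fail, which is the usual cause of a link stuck without LCP Open; debug ppp authentication shows exactly which of the two lookups failed. Only the digest crosses the link, so a capture of the exchange does not contain the password, unlike PAP.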

The show interface command is one of the most useful when verifying the PPP configuration. The connection is active when the LCP Open tag is seen, as shown here:

Router#show interface serial 0
Serial0 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 10.2.2.2/24
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Open: IPCP, CCP, CDPCP

When troubleshooting PPP authentication issues, use the debug ppp authentication command to observe the authentication process as it occurs.
