Embed Size (px)
Citation preview
DHCP Messages to acquired an IP address
Client- DHCP Discover Message to the broadcast address.1.Server-DHCP Offer Message directly to the client.2.Client- DHCP Request Message directly to the server.3.Server- DHCP Acknowledgment directly to the client.4.
PSTN - Public Switched Telephone Network(PC)
Circuit Switching
VOIP- Voice Over Internet Protocol(VP)
Packet Switching
ATM- Asynchronous Transfer Mode(AC)
Cell Switching
Frame Relay
- Point to Point (FP)Packet Switching
Leased Line - Circuit Switching(LC)
ICMP Echo and the Ping Command
ICMP echo request - sending a message to another IP address.•The purpose is for testing network activity.•ICMP does not rely on the application, work on Layer 1 ,2 and 3 OSI model.•
10.0.0.0/24 is not the VLSM because there is no words for the variably sunbneted,8 subnets
•
And No other /30 or /26 in other subnet•
What is VLSM?
PC -PSTN CircuitAC-ATM CellFP-frame relay PacketLC-lease line CircuitVP-VOIP Packet
CCENT1 NotesTuesday, 16 November 20102:35 PM
CCENT Page 1
No buffer mean no memory left to receive packet when the broadcast storm occur.
The RIP version 2 has auto-summarization so that 192.168.1.0 is the parent route for both 192.168.1.1/27 and 192.168.1.193/27.
Answer: User mode and Enable mode.
#log in
To protect access to the user mode prompt(before enable mode-Router>en).
•
# password cisco
Set privilleged mode clear text( plain text) password.
•
# enable password cisco
Set privellged mode encrypted password.•
#enable secret password
causes encryption of password that would not be normally encrypted such as the enable password.
•
#Service password- encryption.
CCENT Page 2
Note When we choose the MAC add in each device have unique separate mac on NICs and also in the same LAN ,not be same and duplicated on which devices switch or another PCs. Answer : B and C.
In a crossover cable:* Pin 1 is connected to pin 3 (and vice-versa).* Pin 2 is connected to pin 6 (and vice-versa).* The other pins (4,5,7,8) are straight-through.* To remember: 1326 - "1 times 3 times 2 equals 6"
CCENT Page 3
Routing notes/ProtocolsTuesday, 16 November 20102:36 PM
CCENT Page 4
CCENT Page 5
B's ARP is empty which means doesn't know MAC address of any computer.•B only knows that the IP address of computer C is 10.1.1.3. B doesn't know MAC address of computer C.
•
B' have to find the MAC address of computer C. It can broadcast ARP Packets to every where .Computer C will receive and reply to ARP Packet.
•
To choose - General The Source MAC ADD The Source IP
The Source MAC ADD
The Destination MAC
The Destination IP
What is the location of the packet currently ?1.The MAC add cannot pass through the router from one subnet to another subnet.
2.
Which direction have to go ?3.The packet cannot go backwards towards the direction of it's source address, to find the destination MAC address. ( Flood or not)
The source IP and the destination IP never change although the MAC address changes depending on the current location of the packet .
4.
When the ARP is empty, ARP request is sending the broadcast Mac add FF:FF:FF:FF:FF to the router to ask the destination MAC add of the packet . The router reply his MAC add as the destination MAC because it cannot pass through the other side of the router if the destination address is at other side.
5.
10.1.1.2 Arrive onPc (B)
Not Fa0/2
? No routerTo Pc©
Flood still happen until finding a Pc© 's Mac add in Mac addressTable.
10.1.1.3
(FF FF)
ARP Notes1.Tuesday, 16 November 20105:11 PM
CCENT Page 6
The ARP request cannot jump to another router over the Serial link or the different subnet.
•
So the router PS4S_SFX in the same subnet can reply to the request.•
How the router will respond to this request?
To choose - The Source MAC ADD The Source IP
The Source MAC ADD
The Destination MAC
The Destination IP
What is the location of the packet currently ?1.The MAC add cannot pass through the router from one subnet to another subnet.
2.
Which direction have to go ?3.The packet cannot go backwards towards the direction of it's source address, to find the destination MAC address. ( Flood or not)
The source IP and the destination IP never change although the MAC address changes depending on the current location of the packet .
4.
x.x.x.x(P4S-F ) PC IP address
1.Arrive on P4S-F
(From P4S-F to P4S-SFX )router's Fa0/0
? Yep, have Serial Link. Fa0/0(P4S-SFX)
not passing through the P4S-SFX router. Changes in the Mac address of the dest.
The Web server's add or P4S-ILM Router's add.
CCENT Page 7
The Command named "arp" shows the ARP table in Window OS including MAC Address, IP address.
Outgoing ARP(request) packet from PC-1:
Source MAC:0001.4286.A521(source add: 192.168.0.6)
Dest MAC : FF FF FF FF FF FF (broadcast Mac address)
Packet payload:
"Please tell me the MAC address of 192.168.1.6"
ARP reply(respond ) packet coming into PC-A:
Source MAC: 0006.2A86.071
Dest MAC : 0001.4286.A521
Packet payload:
"The MAC address of 192.168.1.6 is 0006.2A86.071 "
Which device will respond to this arp request?Ans: Router 01 through from it's (fa0/0)
-----------
Outgoing ARP packet from Router02:
Source MAC: 00E0.A3AB.1101
Dest MAC: FFFFFFFFFFF (broadcast Mac address)
Packet payload:
"Please tell me the MAC address of 192.168.1.6"
Which device is respond to ARP request?Ans:PC3 ARP reply packet coming into Router:
Source MAC: 0003.E476.A17B
Dest MAC : 00E0.A3AB.1101
Packet payload:
"The MAC address of 192.168.1.6 is 0003.E476.A17B "
form PC 2 to PC 3 sending ARP request:
Source MAC 00E0 B018 C15
destination MAC FF FF FF FF FF FF (64 byte)
CCENT Page 8
destination MAC FF FF FF FF FF FF (64 byte)
The packet message or pay load:What is the MAC address of the destination address 192.168.1.6 (web server)-----
Which Device is respond to arp request?PC3 responds directly to PC2, router don't need to send packet between two PCs in the same subnet .The switch fowards the packet between PCs although the router turns off.
CCENT Page 9
Whether a switch needs to flood or not depends on its MAC address table.1.
If the switch already has the Mac address of the destination in its own MAC address table ,t he switch doesn't need to flood all its ports. IF not, the switch need to flood everywhere .
2.
Importantly, the switch should not send the packet back to the source port.3.
Collision and switchingTuesday, 16 November 20105:33 PM
CCENT Page 10
Fast-Forward and Fragment-Free are two forms of cut-through switching.Fast-Forward offers the lowest level of latency by immediately forwarding a packet after receiving the destination address. Because Fast-Forward starts forwarding before the entire packet is received, there can be times when packets are relayed with errors. Although the destination network adapter discards the faulty packet upon receipt, the superfluous traffic can be deemed unacceptable. Packets forwarded with errors can be reduced by using the Fragment-Free option. In Fast-Forward mode, latency is measured first-bit-received to first-bit-transmitted or FIFO.
Fragment-Free switching filters out collision fragments, the majority of packet errors, before forwarding begins. In a properly functioning network, collision fragments must be less than 64 bytes. Anything greater than 64 bytes is a valid packet and is usually received 3-4 Ethernet-Switch 1420 and Ethernet-Switch 1220 Installation and Configuration Guide.Switching Modes without error. Fragment-Free switching waits until the received packet has been determined not to be a collision fragment before forwarding the packet. In Fragment-Free mode, latency is measured as FIFO.
Store-and-ForwardThe third switching mode supported by the Ethernet Switch 1420 and 1220 is the traditional Store-and-Forward mode. Complete packets are stored and checked for errors prior to transmission. In Store-and-Forward mode, latency is measured last-bit-received to first-bit-transmitted or LIFO. This does not include the time it takes to receive the entire packet, which can vary, according to packet size, from 65 microseconds to 1.3 milliseconds.Store-and-Forward is the most error-free form of switching, but the forwarding latency is higher than either of the two cut-through switching modes,
20
If your attached networks experience a significant number of collisions, you can use Fragment-Free to eliminate the chance of forwarding collision fragments.
•
If you are experiencing frame check sequence (FCS) or alignment errors, use Store-and-Forward to ensure that packets with errors are filtered and not propagated to the rest of the network.
•
Store-and-Forward is always used for transfers from 10-Mbps to 100-Mbps ports.
•
Store-and-Forward is always used for broadcast packets; multicast packetscan be Store-and-Forward or the switching mode set for the switch.
•
Bridging vs. LAN SwitchingIt’s true—layer 2 switches really are pretty much just bridges that give us a lot more ports, butthere are some important differences you should always keep in mind:�Bridges are software based, while switches are hardware based because they use ASICchips to help make filtering decisions.�A switch can be viewed as a multiport bridge.�There can be only one spanning-tree instance per bridge, while switches can have
CCENT Page 11
There can be only one spanning-tree instance per bridge, while switches can have many.(I’m going to tell you all about spanning trees in a bit.)�Switches have a higher number of ports than most bridges.�Both bridges and switches forward layer 2 broadcasts.�Bridges and switches learn MAC addresses by examining the source address of eachframe received.�Both bridges and switches make forwarding decisions based on layer 2 addresses.
CCENT Page 12
Serial Link don't use the Mac address only use in the Ethernet .The Mac Address can pass through on the switch and not on the router. The Mac address cannot pass through the other side of the router.The Switch don't have the Mac address except for the configuration.
Features HDLC PPP
Error detection Yes Yes
Error correction No Yes
Looped link detection No Yes
Authentication No Yes
Only synchronous links Yes Both
Cisco default encapsulation Yes No
Compatible with non-Cisco routers No Yes
TFTP use UDP but FTP use TCP.
Source and destination IP and MAC addressSunday, 21 November 20104:24 PM
CCENT Page 13
The sequence order is 341,441 and 541 respectively.Meaning of acknowledgement = 341:
The acknowledgement no 341 means all three segments were discarded by a router (lost) before they reached PC2.
Meaning of acknowledgement = 441:
The acknowledgement no 441 means the second segment hasn't yet been received by PC2. So that, The second segment was discarded by a router before it reached PC2. The first segment was received by PC2.
Meaning of acknowledgement = 541:
The acknowledgement no 541 means the first and second segments have been received by PC2. The third segment has not yet been received by PC2.
Meaning of acknowledgement = 641:
The sequence no 641 means all three segments have been received by PC2. The acknowledgment is 641 regardless of which order the segments are received.
After the router checks the frame check sequence (FCS) in the data link trailer, the data link header and trailer are not needed anymore and the router does his function such as matching destination IP address and the router need to build new data link header to forward the packet out.
TCP segments and SSH and login banner motdSunday, 21 November 20105:18 PM
CCENT Page 14
router need to build new data link header to forward the packet out.
Reconnaissance means to detect ,to inspect, to observe the data in order to gain the information for some purpose.
line vty 0 15login localTransport input telnet ssh( include both telnet and ssh)Username……………. Password ………………..IP domain name cisco .comcryto key generate key
CCENT Page 15
The login local command and transport input telnet ssh are only put in the vty config mode .Others username ...password …..,ip domain-name example.com and cryto key generate key command are put into the global mode. Show cryto key mypubkey rsa command are put on the privelleged mode. User mode is not including with # key.
The banner command :
Sw1Cairo(config)#banner motd %Welcome% MOTD shown in before the log
in prompt for temporary messages.
Sw1 (config)# banner % Same as MOTD.
Sw1(config)# banner login %Welcome%Login after the MOTD banner such as permanent message written.
Sw1Cairo(config)# banner exec %welcome% Shown in message when log
in.
CCENT Page 16
CCENT Page 17
ATM Frame-lay HDLC DSL(Digital Subscriber Line) SONET(Synchronous optical Network) /SDH
Cisco routers use proprietary Frame Relay encapsulation by default.
Cisco propriety Non cisco propriety Cisco 7507 routers
Not Cost effective Cost effective packet Switching technology.
Sending data across the serial link(synchronous link),point to point connection.
For remote dial and access office connectivity.Allow analog voice signal Digital voice signal(MHz) to be sent over the same local loop wiring at the same time.
A High speed Fiber technology
WAN Encapsulation technology
Default Encapsulation method Cost effective than T1 circuit. Built with the series of ring segment
the physical and data link layer protocol.
Data Link layer protocol Physical and Data link layer protocol
Physical layer
Hub& Spoke topology. Non-Broadcast Multi Access Network -Don't support the broadcasts, does support the multiple devices
utilized for Leased line TDM circuits. HDLC cannot create NBMA network
No more than 18000 feet from the service provider.If more, It's ADSL.(the physical configuration-The local loop must be connected to the voice switch at the local CO,(DSLAM-DSL access multiplexer- separate the voice traffic from the data traffic, splitting the voice traffic to a voice switch and the data traffic to a router).
capabilities such as framing, multiplexing, status, trace, and performance monitoring
High speed requirement, Voice and video.
For data only ,medium speed requirement.
Speed -256 Kbps to 45 MbpsT1 speed-1.544Mbps
ADSL- Asymmetric (different link speed 1.104MHz is divided into FDM 256 channels each channel speed is 4.312KHz each)Disadvantages: used adaptive technology ADSL is not fixed ; it changes based on the condition and type of the local loop cable.Combine with QAM and FDMChannel O is the normal telephone line just for voice channel.Channel6- Channel 30-upstream bits.64 Kbps to 1Mbps.Channel 31- Channel 255 -downstream bits.500Kbps to 8Mbps.224*4000*15 or 13.4 MHZ
DSL, VHSL-Very High DSL, SDSL-Symmetric(the same link speed) DSL.Can replace with A, V, S and H in * DSL.Analog modem and DSL
The standard OC-1 interface is 51.8Mbps.
WAN protocolsMonday, 22 November 20101:33 PM
CCENT Page 18
Analog modem and DSLsupport both asymmetric/symmetric speed. Cable modem only support asymmetric speed.
Great benefits-DSL and cable modem always on the internet service without having to dial a number .
Serial Link don't use the Mac address only use in the Ethernet .The Mac Address can pass through on the switch and not on the router. The Mac address cannot pass through the other side of the router.The Switch don't have the Mac address except for the configuration.
Features HDLC PPP SLIP
Error detection Yes Yes NO while transmission
Error correction No Yes NO while transmission
Looped link detection
No Yes NO
Authentication No Yes, chap or PAP
NO, on PPP.
Only synchronous links or other asynchronous link
Yes ,only synchronous
Both NO, Asynchronous link. Support only IP.
Cisco default encapsulation on serial link.
Yes No, can't also support TCP/IP
NOT Recommended encapsulation forCisco Device , only for TCP/IP Support Multiple Protocol.
Compatible with Non-Cisco routers
No Yes Yes
Non-Broadcast Multi Access Network
No No NO
Support for compression
NO YES Yes, but slow than others technology.
Remote connectivity Yes Yes Yes
HDLC =High Level Data Link ControlPPP =Point to Point ProtocolSLIP =Serial Line Internet Protocol
CSU-DSU is DCE and the router is till DTE.Frame Relay switch is DCE and the router is DTE.
CCENT Page 19
TFTP use UDP but FTP use TCP.
Frame Relay is the physical and data link layer protocol.
CCENT Page 20
CCENT Page 21
The seven steps of configuration about Switch port security
1.Switch port mode access
for making the switch interface to access for the regular port not for the trunk port.
2.Switchport port-security
To enable port security. This command is need for either Sticky or not.Switch(config)#interface fa0/1Switch(config-if) #switchport port-security
3.Switchport port- security maximum ( default to one Mac address)
Maximum no of allowed Mac address on the port. This command is needed for Sticky.Switch(config-if)#switchport port-security maximum 5
4.Switchport port-security violation ( protect, restrict, shutdown)
When the Pc's mac address is not coherence with the allowed specify mac-address .It can cause violation.by setting rule :to protect ,to restrict, shutdown. It's need for either Sticky or not.Single interface:Switch(config)# interface fastethernet 0/1Switch(config-if)# shutdownRange of interfaces:Switch(config)# interface range fastethernet 0/2 - 8Switch(config-if-range)# shutdown
5.Switchport port-security mac-address xxxxxxxxxxx
Specify the Mac address allow to send the frames this interface. It is not necessary for Sticky process.
6.Switchport port-security mac-address sticky.
Just for the first configuration Mac address to allow in the current configuration and the network engineer don't need to know about which MAC address should be allowed to configure.
Port security allows a the switch to track mac addresses and perform an action if a violation occurs (due to too many mac addresses being associated with a port). Sticky actually shows the mac address in the show running-config. If you save the running-config to startup-config prior to a reboot, the switch will come back up with the mac addresses already assigned to a port. Without enabling sticky, the mac addresses are relearned. This is not the learning for the cam table, but for the port -security process.
•
"switchport port-security mac-address sticky" command show the switch can remember dynamically learned addresses when the switch is restarted.
•
Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments. Shutdown:In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
Switch ports SecurityTuesday, 23 November 20103:01 PM
CCENT Page 22
ANS: A ,C
CCENT Page 23
Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts. .
Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.
CCENT Page 24
Switch port port security and access layer
Chapter 1Access Layer
The access layer interfaces with end devices, such as PCs, printers, and IP phones, to provide access to the rest of the network. The access layer can include routers, switches, bridges, hubs, and wireless access points (AP). The main purpose of the access layer is to provide a means of connecting devices to the network and controlling which devices are allowed to communicate on the network.
Roll over the ACCESS button in the figure.
Distribution Layer
The distribution layer aggregates the data received from the access layer switches before it is transmitted to the core layer for routing to its final destination. The distribution layer controls the flow of network traffic using policies and delineates broadcast domains by performing routing functions between virtual LANs (VLANs) defined at the access layer. VLANs allow you to segment the traffic on a switch into separate subnet works. For example, in a university you might separate traffic according to faculty, students, and guests. Distribution layer switches are typically high-performance devices that have high availability and redundancy to ensure reliability. You will learn more about VLANs, broadcast domains, and inter-VLAN routing later in this course.
Core Layer
The core layer of the hierarchical design is the high-speed backbone of the internetwork. The core layer is critical for interconnectivity between distribution layer devices, so it is important for the core to be highly available and redundant. The core area can also connect to Internet resources. The core aggregates the traffic from all the distribution layer devices, so it must be capable of forwarding large amounts of data quickly. The figure shows two floors of a building. The user computers and network devices that need network access are on one floor. The resources, such as e-mail servers and database servers, are located on another floor. To ensure that each floor has access to the network, access layer and distribution switches are installed in the wiring closets of each floor and connected to each of the devices needing network access. The figure shows a small rack of switches. The access layer switch and distribution layer switch are stacked one on top of each other in the wiring closet.
Although the core and other distribution layer switches are not shown, you can see how the physical layout of a network differs from the logical layout of a network.
Roll over the DISTRIBUTION button in the figure.
Benefits of a Hierarchical Network
There are many benefits associated with hierarchical network designs.
Scalability
Hierarchical networks scale very well. The modularity of the design allows you to replicate design elements as the network grows. Because each instance of the module is consistent, expansion is easy to plan and implement. For example, if your design model consists of two distribution layer switches for every 10 access layer switches, you can continue to add access layer switches until you have 10 access layer switches cross-connected to the two
For example, if you want to limit the use of HTTP to a specific user community connected at the access layer, you could apply a policy that blocks HTTP traffic at the distribution layer. Restricting traffic based on higher layer protocols, such as IP and HTTP, requires that your switches are able to process policies at that layer.
CCENT Page 25
access layer switches until you have 10 access layer switches cross-connected to the two distribution layer switches before you need to add additional distribution layer switches to the network topology. Also, as you add more distribution layer switches to accommodate the load from the access layer switches, you can add additional core layer switches to handle the additional load on the core.
Redundancy
As a network grows, availability becomes more important. You can dramatically increase availability through easy redundant implementations with hierarchical networks. Access layer switches are connected to two different distribution layer switches to ensure path redundancy. If one of the distribution layer switches fails, the access layer switch can switch to the other distribution layer switch. Additionally, distribution layer switches are connected to two or more core layer switches to ensure path availability if a core switch fails. The only layer where redundancy is limited is at the access layer. Typically, end node devices, such as PCs, printers, and IP phones, do not have the ability to connect to multiple access layer switches for redundancy. If an access layer switch fails, just the devices connected to that one switch would be affected by the outage. The rest of the network would continue to function unaffected.
Performance
Communication performance is enhanced by avoiding the transmission of data through low-performing, intermediary switches. Data is sent through aggregated switch port links from the access layer to the distribution layer at near wire speed in most cases. The distribution layer then uses its high performance switching capabilities to forward the traffic up to the core, where it is routed to its final destination. Because the core and distribution layers perform their operations at very high speeds, there is less contention for network bandwidth. As a result, properly designed hierarchical networks can achieve near wire speed between all devices.Security
Security is improved and easier to manage. Access layer switches can be configured with various port security options that provide control over which devices are allowed to connect to the network. You also have the flexibility to use more advanced security policies at the distribution layer. You may apply access control policies that define which communication protocols are deployed on your network and where they are permitted to go. For example, if you want to limit the use of HTTP to a specific user community connected at the access layer, you could apply a policy that blocks HTTP traffic at the distribution layer. Restricting traffic based on higher layer protocols, such as IP and HTTP, requires that your switches are able to process policies at that layer. Some access layer switches support Layer 3 functionality, but it is usually the job of the distribution layer switches to process Layer 3 data, because they can process it much more efficiently.
Manageability
Manageability is relatively simple on a hierarchical network. Each layer of the hierarchical design performs specific functions that are consistent throughout that layer. Therefore, if you need to change the functionality of an access layer switch, you could repeat that change across all access layer switches in the network because they presumably perform the same functions at their layer. Deployment of new switches is also simplified because switch configurations can be copied between devices with very few modifications. Consistency between the switches at each layer allows for rapid recovery and simplified troubleshooting. In some special situations, there could be configuration inconsistencies between devices, so you should ensure that configurations are well documented so that you can compare them before deployment.
Maintainability
Because hierarchical networks are modular in nature and scale very easily, they are easy to maintain. With other network topology designs, manageability becomes increasingly complicated as the network grows. Also, in some network design models, there is a finite limit to how large the network can grow before it becomes too complicated and expensive to maintain. In the hierarchical design model, switch functions are defined at each layer, making the selection of the correct switch easier. Adding switches to one layer does not necessarily mean there will not be a bottleneck or other limitation at another layer. For a full mesh network topology to achieve maximum performance, all switches need to be high-performance switches, because each switch needs to be capable of performing all the functions on the network. In the hierarchical model, switch functions are different at each layer. You can save money by using less expensive access layer switches at the lowest layer, and spend more on the distribution and core layer switches to achieve high performance on the network.Hierarchical Network Design Principles
Just because a network seems to have a hierarchical design does not mean that the network is well designed. These simple guidelines will help you differentiate between well-designed and poorly designed hierarchical networks. This section is not intended to provide you with all the skills and knowledge you need to design a hierarchical network, but it offers you an opportunity to begin to practice your skills by transforming a flat network topology into a hierarchical network topology.
Network Diameter
When designing a hierarchical network topology, the first thing to consider is network diameter. Diameter is usually a measure of distance, but in this case, we are using the term to measure the number of devices. Network diameter is the number of devices that a packet has to cross before it reaches its destination. Keeping the network diameter low ensures low and predictable latency between devices.
CCENT Page 26
Roll over the Network Diameter button in the figure.
In the figure, PC1 communicates with PC3. There could be up to six interconnected switches between PC1 and PC3. In this case, the network diameter is 6. Each switch in the path introduces some degree of latency. Network device latency is the time spent by a device as it processes a packet or frame. Each switch has to determine the destination MAC address of the frame, check its MAC address table, and forward the frame out the appropriate port. Even though that entire process happens in a fraction of a second, the time adds up when the frame has to cross many switches.
In the three-layer hierarchical model, Layer 2 segmentation at the distribution layer practically eliminates network diameter as an issue. In a hierarchical network, network diameter is always going to be a predictable number of hops between the source and destination devices.
Bandwidth Aggregation
Each layer in the hierarchical network model is a possible candidate for bandwidth aggregation. Bandwidth aggregation is the practice of considering the specific bandwidth requirements of each part of the hierarchy. After bandwidth requirements of the network are known, links between specific switches can be aggregated, which is called link aggregation. Link aggregation allows multiple switch port links to be combined so as to achieve higher throughput between switches. Cisco has a proprietary link aggregation technology called EtherChannel, which allows multiple Ethernet links to be consolidated. A discussion of EtherChannel is beyond the scope of this course. To learn more, visit: http://www.cisco.com/en/US/tech/tk389/tk213/tsd_technology_support_protocol_home.html.
Roll over the Bandwidth Aggregation button in the figure.
In the figure, computers PC1 and PC3 require a significant amount of bandwidth because they are used for developing weather simulations. The network manager has determined that the access layer switches S1, S3, and S5 require increased bandwidth. Following up the hierarchy, these access layer switches connect to the distribution switches D1, D2, and D4. The distribution switches connect to core layer switches C1 and C2. Notice how specific links on specific ports in each switch are aggregated. In this way, increased bandwidth is provided for in a targeted, specific part of the network. Note that in this figure, aggregated links are indicated by two dotted lines with an oval tying them together. In other figures, aggregated links are represented by a single, dotted line with an oval.
Redundancy
Redundancy is one part of creating a highly available network. Redundancy can be provided in a number of ways. For example, you can double up the network connections between devices, or you can double the devices themselves. This chapter explores how to employ redundant network paths between switches. A discussion on doubling up network devices and employing special network protocols to ensure high availability is beyond the scope of this course. For an interesting discussion on high availability, visit: http://www.cisco.com/en/US/products/ps6550/products_ios_technology_home.html.
Implementing redundant links can be expensive. Imagine if every switch in each layer of the network hierarchy had a connection to every switch at the next layer. It is unlikely that you will be able to implement redundancy at the access layer because of the cost and limited features in the end devices, but you can build redundancy into the distribution and core layers of the network. Roll over the Redundant Links button in the figure.
In the figure, redundant links are shown at the distribution layer and core layer. At the distribution layer, there are two distribution layer switches, the minimum required to support redundancy at this layer. The access layer switches, S1, S3, S4, and S6, are cross-connected to the distribution layer switches. This protects your network if one of the distribution switches fails. In case of a failure, the access layer switch adjusts its transmission path and forwards the traffic through the other distribution switch.
Some network failure scenarios can never be prevented, for example, if the power goes out in the entire city, or the entire building is demolished because of an earthquake. Redundancy does not attempt to address these types of disasters.
Start at the Access Layer
Imagine that a new network design is required. Design requirements, such as the level of performance or redundancy necessary, are determined by the business goals of the organization. Once the design requirements are documented, the designer can begin selecting the equipment and infrastructure to implement the design. When you start the equipment selection at the access layer, you can ensure that you accommodate all network devices needing access to the network. After you have all end devices accounted for, you have a better idea of how many access layer switches you need. The number of access layer switches, and the estimated traffic that each generates, helps you to determine how many distribution layer switches are required to achieve the performance and redundancy needed for the network. After you have determined the number of distribution layer switches, you can identify how many core switches are required to maintain the performance of the network.
A thorough discussion on how to determine which switch to select based on traffic flow analysis and how many core switches are required to maintain performance is beyond the scope of this course. For a good introduction to network design, read this book that is
CCENT Page 27
scope of this course. For a good introduction to network design, read this book that is available from Ciscopress.com: Top-Down Network Design, by Priscilla Oppenheimer (2004).
Converged networks give you options that had not existed previously. You can now tie voice and video communications directly into an employee's personal computer system, as shown in the figure. There is no need for an expensive handset phone or videoconferencing equipment. You can accomplish the same function using special software integrated with a personal computer. Softphones, such as the Cisco IP Communicator, offer a lot of flexibility for businesses. The person in the top left of the figure is using a softphone on the computer. When software is used in place of a physical phone, a business can quickly convert to converged networks, because there is no capital expense in purchasing IP phones and the switches needed to power the phones. With the addition of inexpensive webcams, videoconferencing can be added to a softphone. These are just a few examples provided by a broader communications solution portfolio that redefine business processes today.
Legacy Equipment
Convergence is the process of combining voice and video communications on a data network. Converged networks have existed for a while now, but were only feasible in large enterprise organizations because of the network infrastructure requirements and complex management that was involved to make them work seamlessly. There were high network costs associated with convergence because more expensive switch hardware was required to support the additional bandwidth requirements. Converged networks also required extensive management in relation to Quality of Service (QoS), because voice and video data traffic needed to be classified and prioritized on the network. Few individuals had the expertise in voice, video, and data networks to make convergence feasible and functional. In addition, legacy equipment hinders the process. The figure shows a legacy telephone company switch. Most telephone companies today have made the transition to digital-based switches. However, there are many offices that still use analog phones, so they still have existing analog telephone wiring closets. Because analog phones have not yet been replaced, you will also see equipment that has to support both legacy PBX telephone systems and IP-based phones. This sort of equipment will slowly be migrated to modern IP-based phone switches.Advanced Technology
Converging voice, video, and data networks has become more popular recently in the small to medium-sized business market because of advancements in technology. Convergence is now easier to implement and manage, and less expensive to purchase. The figure shows a high-end VoIP phone and switch combination suitable for a medium-sized business of 250-400 employees. The figure also shows a Cisco Catalyst Express 500 switch and a Cisco 7906G phone suitable for small to medium-sized businesses. This VoIP technology used to be affordable only to enterprises and governments.
Moving to a converged network can be a difficult decision if the business already invested in separate voice, video, and data networks. It is difficult to abandon an investment that still works, but there are several advantages to converging voice, video, and data on a single network infrastructure.
One benefit of a converged network is that there is just one network to manage. With separate voice, video, and data networks, changes to the network have to be coordinated across networks. There are also additional costs resulting from using three sets of network cabling. Using a single network means you just have to manage one wired infrastructure.Another benefit is lower implementation and management costs. It is less expensive to implement a single network infrastructure than three distinct network infrastructures. Managing a single network is also less expensive. Traditionally, if a business has a separate voice and data network, they have one group of people managing the voice network and another group managing the data network. With a converged network, you have one group managing both the voice and data networks. Separate Voice, Video and Data Networks
As you see in the figure, a voice network contains isolated phone lines running to a PBX switch to allow phone connectivity to the Public Switched Telephone Network (PSTN). When a new phone is added, a new line has to be run back to the PBX. The PBX switch is typically located in a telco wiring closet, separate from the data and video wiring closets. The wiring closets are usually separated because different support personnel require access to each system. However, using a properly designed hierarchical network, and implementing QoS policies that prioritize the audio data, voice data can be converged onto an existing data network with little to no impact on audio quality.
Click the Video Network button in the figure to see an example of a separate video network.
In this figure, videoconferencing equipment is wired separately from the voice and data networks. Videoconferencing data can consume significant bandwidth on a network. As a result, video networks were maintained separately to allow the videoconferencing equipment to operate at full speed without competing for bandwidth with voice and data streams. Using a properly designed hierarchical network, and implementing QoS policies that prioritize the video data, video can be converged onto an existing data network with little to no impact on video quality.Click the Data Network button in the figure to see an example of a separate data network.
The data network interconnects the workstations and servers on a network to facilitate resource sharing. Data networks can consume significant data bandwidth, which is why voice, video, and data networks were kept separated for such a long time. Now that properly designed hierarchical networks can accommodate the bandwidth requirements of voice, video, and data communications at the same time, it makes sense to converge them all onto a single hierarchical network.
CCENT Page 28
Traffic Flow Analysis
Traffic flow analysis is the process of measuring the bandwidth usage on a network and analyzing the data for the purpose of performance tuning, capacity planning, and making hardware improvement decisions. Traffic flow analysis is done using traffic flow analysis software. Although there is no precise definition of network traffic flow, for the purposes of traffic flow analysis we can say that network traffic is the amount of data sent through a network for a given period of time. All network data contributes to the traffic, regardless of its purpose or source. Analyzing the various traffic sources and their impact on the network, allows you to more accurately tune and upgrade the network to achieve the best possible performance.
Traffic flow data can be used to help determine just how long you can continue using existing network hardware before it makes sense to upgrade to accommodate additional bandwidth requirements. When you are making your decisions about which hardware to purchase, you should consider port densities and switch forwarding rates to ensure adequate growth capability. Port density and forwarding rates are explained later in this chapter.There are many ways to monitor traffic flow on a network. You can manually monitor individual switch ports to get the bandwidth utilization over time. When analyzing the traffic flow data, you want to determine future traffic flow requirements based on the capacity at certain times of the day and where most of the data is generated and sent. However, to obtain accurate results, you need to record enough data. Manual recording of traffic data is a tedious process that requires a lot of time and diligence. Fortunately, there are some automated solutions.User Communities Analysis
User community analysis is the process of identifying various groupings of users and their impact on network performance. The way users are grouped affects issues related to port density and traffic flow, which, in turn, influences the selection of network switches. Port density is explained later in this chapter.
In a typical office building, end users are grouped according to their job function, because they require similar access to resources and applications. You may find the Human Resource (HR) department located on one floor of an office building, while Finance is located on another floor. Each department has a different number of users and application needs, and requires access to different data resources available through the network. For example, when selecting switches for the wiring closets of the HR and Finance departments, you would choose a switch that had enough ports to meet the department
CCENT Page 29
departments, you would choose a switch that had enough ports to meet the department needs and was powerful enough to accommodate the traffic requirements for all the devices on that floor. Additionally, a good network design plan factors in the growth of each department to ensure that there are enough open switch ports that can utilized before the next planned upgrade to the network.
As shown in the figure, the HR department requires 20 workstations for its 20 users. That translates to 20 switch ports needed to connect the workstations to the network. If you were to select an appropriate access layer switch to accommodate the HR department, you would probably choose a 24 port switch, which has enough ports to accommodate the 20 workstations and the uplinks to the distribution layer switches.Future Growth
But this plan does not account for future growth. Consider what will happen if the HR department grows by five employees. A solid network plan includes the rate of personnel growth over the past five years to be able to anticipate the future growth. With that in mind, you would want to purchase a switch that can accommodate more than 24 ports, such as stackable or modular switches that can scale.
As well as looking at the number of devices on a given switch in a network, you should investigate the network traffic generated by end-user applications. Some user communities use applications that generate a lot of network traffic, while other user communities do not. By measuring the network traffic generated for all applications in use by different user communities, and determining the location of the data source, you can identify the effect of adding more users to that community.
A workgroup-sized user community in a small business is supported by a couple of switches and typically connected to the same switch as the server. In medium-sized businesses or enterprises, user communities are supported by many switches. The resources that medium-sized business or enterprise user communities need could be located in geographically separate areas. Consequently, the location of the user communities influences where data stores and server farms are located.
Data Stores and Data Servers Analysis
When analyzing traffic on a network, consider where the data stores and servers are located so that you can determine the impact of traffic on the network. Data stores can be servers, storage area networks (SANs), network-attached storage (NAS), tape backup units, or any other device or component where large quantities of data are stored.
When considering the traffic for data stores and servers, consider both client-server traffic and server-server traffic.
As you can see in the figure, client-server traffic is the traffic generated when a client device accesses data from data stores or servers. Client-server traffic typically traverses multiple switches to reach its destination. Bandwidth aggregation and switch forwarding rates are important factors to consider when attempting to eliminate bottlenecks for this type of traffic.
Click the Server-Server Communication button in the figure.
Server-server traffic is the traffic generated between data storage devices on the network. Some server applications generate very high volumes of traffic between data stores and other servers. To optimize server-server traffic, servers needing frequent access to certain resources should be located in close proximity to each other so that the traffic they generate does not affect the performance of the rest of the network. Servers and data stores are typically located in data centers within a business. A data center is a secured area of the building where servers, data stores, and other network equipment are located. A device can be physically located in the data center but represented in quite a different location in the logical topology. Traffic across data center switches is typically very high due to the server-server and client-server traffic that traverses the switches. As a result, switches selected for data centers should be higher performing switches than the switches you would find in the wiring closets at the access layer.
By examining the data paths for various applications used by different user communities, you can identify potential bottlenecks where performance of the application can be affected by inadequate bandwidth. To improve the performance, you could aggregate links to accommodate the bandwidth, or replace the slower switches with faster switches capable of handling the traffic load.
CCENT Page 30
Topology Diagrams
A topology diagram is a graphical representation of a network infrastructure. A topology diagram shows how all switches are interconnected, detailed down to which switch port interconnects the devices. A topology diagram graphically displays any redundant paths or aggregated ports between switches that provide for resiliency and performance. It shows where and how many switches are in use on your network, as well as identifies their configuration. Topology diagrams can also contain information about device densities and user communities. Having a topology diagram allows you to visually identify potential bottlenecks in network traffic so that you can focus your traffic analysis data collection on areas where improvements can have the most significant impact on performance.
A network topology can be very difficult to piece together after the fact if you were not part of the design process. Network cables in the wiring closets disappear into the floors and ceilings, making it difficult to trace their destinations. And because devices are spread throughout the building, it is difficult to know how all of the pieces are connected together. With patience, you can determine just how everything is interconnected and then document the network infrastructure in a topology diagram.
The figure displays a simple network topology diagram. Notice how many switches are present in the network, as well as how each switch is interconnected. The topology diagram identifies each switch port used for inter-switch communications and redundant paths between access layer switches and distribution layer switches. The topology diagram also displays where different user communities are located on the network and the location of the servers and data stores.
CCENT Page 31
Switch Form Factors
What are the key features of switches that are used in hierarchical networks? When you look up the specifications for a switch, what do all of the acronyms and word phrases mean? What does "PoE" mean and what is "forwarding rate"? In this topic, you will learn about these features.
When you are selecting a switch, you need to decide between fixed configuration or modular configuration, and stackable or non-stackable. Another consideration is the thickness of the switch expressed in number of rack units. For example, the Fixed Configuration Switches shown in the figure are all 1 rack unit (1U). These options are sometimes referred to as switch form factors.
Fixed Configuration Switches
Fixed configuration switches are just as you might expect, fixed in their configuration. What that means is that you cannot add features or options to the switch beyond those that originally came with the switch. The particular model you purchase determines the features and options available. For example, if you purchase a 24-port gigabit fixed switch, you cannot add additional ports when you need them. There are typically different configuration choices that vary in how many and what types of ports are included.
Modular Switches
Modular switches offer more flexibility in their configuration. Modular switches typically come with different sized chassis that allow for the installation of different numbers of modular line cards. The line cards actually contain the ports. The line card fits into the switch chassis like expansion cards fit into a PC. The larger the chassis, the more modules it can support. As you can see in the figure, there can be many different chassis sizes to choose from. If you bought a modular switch with a 24-port line card, you could easily add an additional 24 port line card, to bring the total number of ports up to 48.
Stackable Switches
Stackable switches can be interconnected using a special backplane cable that provides high-bandwidth throughput between the switches. Cisco introduced StackWise technology in one of its switch product lines. StackWise allows you to interconnect up to nine switches using fully redundant backplane connections. As you can see in the figure, switches are stacked one atop of the other, and cables connect the switches in daisy chain fashion. The stacked switches effectively operate as a single larger switch. Stackable switches are desirable where fault tolerance and bandwidth availability are critical and a modular switch is too costly to implement. Using cross-connected connections, the network can recover quickly if a single switch fails. Stackable switches use a special port for interconnections and do not use line ports for inter-switch connections. The speeds are also typically faster than using line ports for connection switches.
Performance
When selecting a switch for the access, distribution, or core layer, consider the ability of the switch to support the port density, forwarding rates, and bandwidth aggregation requirements of your network.
Port Density
Port density is the number of ports available on a single switch. Fixed configuration switches typically support up to 48 ports on a single device, with options for up to four additional ports for small form-factor pluggable (SFP) devices, as shown in the figure. High port densities allow for better use of space and power when both are in limited supply. If you have two switches that each contain 24 ports, you would be able to support up to 46 devices, because you lose at least one port per switch to connect each switch to the rest of the network. In addition, two power outlets are required. On the other hand, if you have a single 48-port switch, 47 devices can be supported, with only one port used to connect the switch to the rest of the network, and only one power outlet needed to accommodate the single switch.
Modular switches can support very high port densities through the addition of multiple switch port line cards, as shown in the figure. For example, the Catalyst 6500 switch can support in excess of 1,000 switch ports on a single device.
Large enterprise networks that support many thousands of network devices require high
CCENT Page 32
Large enterprise networks that support many thousands of network devices require high density, modular switches to make the best use of space and power. Without using a high-density modular switch, the network would need many fixed configuration switches to accommodate the number of devices that need network access. This approach can consume many power outlets and a lot of closet space.
You must also address the issue of uplink bottlenecks. A series of fixed configuration switches may consume many additional ports for bandwidth aggregation between switches for the purpose of achieving target performance. With a single modular switch, bandwidth aggregation is less of an issue because the backplane of the chassis can provide the necessary bandwidth to accommodate the devices connected to the switch port line cards.
Link Aggregation
Click the Link Aggregation button in the figure.
As part of bandwidth aggregation, you should determine if there are enough ports on a switch to aggregate to support the required bandwidth. For example, consider a Gigabit Ethernet port, which carries up to 1 Gb/s of traffic. If you have a 24-port switch, with all ports capable of running at gigabit speeds, you could generate up to 24 Gb/s of network traffic. If the switch is connected to the rest of the network by a single network cable, it can only forward 1 Gb/s of the data to the rest of the network. Due to the contention for bandwidth, the data would forward more slowly. That results in 1/24th wire speed available to each of the 24 devices connected to the switch. Wire speed describes the theoretical maximum data transmission rate of a connection. For example, the wire speed of an Ethernet connection is dependent on the physical and electrical properties of the cable, combined with the lowest layer of the connection protocols.
Link aggregation helps to reduce these bottlenecks of traffic by allowing up to eight switch ports to be bound together for data communications, providing up to 8 Gb/s of data throughput when Gigabit Ethernet ports are used. With the addition of multiple 10 Gigabit Ethernet (10GbE) uplinks on some enterprise-layer switches, very high throughput rates can be achieved. Cisco uses the term EtherChannel when describing aggregated switch ports.
As you can see in the figure, four separate ports on switches C1 and D1 are used to create a 4-port EtherChannel. EtherChannel technology allows a group of physical Ethernet links to create one logical Ethernet link for the purpose of providing fault tolerance and high-speed
CCENT Page 33
create one logical Ethernet link for the purpose of providing fault tolerance and high-speed links between switches, routers, and servers. In this example, there is four times the throughput when compared to the single port connection between switches C1 and D2.PoE and Layer 3 Functionality
Two other characteristics you want to consider when selecting a switch are Power over Ethernet (PoE) and Layer 3 functionality.
Power over Ethernet
Power over Ethernet (PoE) allows the switch to deliver power to a device over the existing Ethernet cabling. As you can see in the figure, this feature can be used by IP phones and some wireless access points. PoE allows you more flexibility when installing wireless access points and IP phones because you can install them anywhere you can run an Ethernet cable. You do not need to consider how to run ordinary power to the device. You should only select a switch that supports PoE if you are actually going to take advantage of the feature, because it adds considerable cost to the switch.
Click the switch icon to see PoE ports.
Click the phone icon to see the phone ports.
Click the wireless access point icon to see its ports.
Layer 3 Functions
Click the Layer 3 Functions button in the figure to see some Layer 3 functions that can be provided by switches in a hierarchical network.
Typically, switches operate at Layer 2 of the OSI reference model where they deal primarily with the MAC addresses of devices connected to switch ports. Layer 3 switches offer advanced functionality. Layer 3 switches are also known as multilayer switches.
Access Layer Switch Features
Now that you know which factors to consider when choosing a switch, let us examine which features are required at each layer in a hierarchical network. You will then be able to match
CCENT Page 34
features are required at each layer in a hierarchical network. You will then be able to match the switch specification with its ability to function as an access, distribution, or core layer switch.
Access layer switches facilitate the connection of end node devices to the network. For this reason, they need to support features such as port security, VLANs, Fast Ethernet/Gigabit Ethernet, PoE, and link aggregation.
Port security allows the switch to decide how many or what specific devices are allowed to connect to the switch. All Cisco switches support port layer security. Port security is applied at the access layer. Consequently, it is an important first line of defense for a network. You will learn about port security in Chapter 2.
VLANs are an important component of a converged network. Voice traffic is typically given a separate VLAN. In this way, voice traffic can be supported with more bandwidth, more redundant connections, and improved security. Access layer switches allow you to set the VLANs for the end node devices on your network.Port speed is also a characteristic you need to consider for your access layer switches. Depending on the performance requirements for your network, you must choose between Fast Ethernet and Gigabit Ethernet switch ports. Fast Ethernet allows up to 100 Mb/s of traffic per switch port. Fast Ethernet is adequate for IP telephony and data traffic on most business networks, however, performance is slower than Gigabit Ethernet ports. Gigabit Ethernet allows up to 1000 Mb/s of traffic per switch port. Most modern devices, such as workstations, notebooks, and IP phones, support Gigabit Ethernet. This allows for much more efficient data transfers, enabling users to be more productive. Gigabit Ethernet does have a drawback-switches supporting Gigabit Ethernet are more expensive.
Another feature requirement for some access layer switches is PoE. PoE dramatically increases the overall price of the switch across all Cisco Catalyst switch product lines, so it should only be considered when voice convergence is required or wireless access points are being implemented, and power is difficult or expensive to run to the desired location.
Link aggregation is another feature that is common to most access layer switches. Link aggregation allows the switch to use multiple links simultaneously. Access layer switches take advantage of link aggregation when aggregating bandwidth up to distribution layer switches.
Because the uplink connection between the access layer switch and the distribution layer switch is typically the bottleneck in communication, the internal forwarding rate of access layer switches does not need to be as high as the link between the distribution and access layer switches. Characteristics such as the internal forwarding rate are less of a concern for access layer switches because they only handle traffic from the end devices and forward it to the distribution layer switches.
In a converged network supporting voice, video and data network traffic, access layer switches need to support QoS to maintain the prioritization of traffic. Cisco IP phones are types of equipment that are found at the access layer. When a Cisco IP phone is plugged into an access layer switch port configured to support voice traffic, that switch port tells the IP phone how to send its voice traffic. QoS needs to be enabled on access layer switches so that voice traffic the IP phone has priority over, for example, data traffic.
Distribution Layer Switch Features
Distribution layer switches have a very important role on the network. They collect the data from all the access layer switches and forward it to the core layer switches. As you will learn later in this course, traffic that is generated at Layer 2 on a switched network needs to be managed, or segmented into VLANs, so it does not needlessly consume bandwidth throughout the network. Distribution layer switches provides the inter-VLAN routing functions so that one VLAN can communicate with another on the network. This routing typically takes place at the distribution layer because distribution layer switches have higher processing capabilities than the access layer switches. Distribution layer switches alleviate the core switches from needing to perform that task since the core is busy handling the forwarding of very high volumes of traffic. Because inter-VLAN routing is performed at the distribution layer, the switches at this layer need to support Layer 3 functions.
Security Policies
Another reason why Layer 3 functionality is required for distribution layer switches is because of the advanced security policies that can be applied to network traffic. Access lists are used to control how traffic flows through the network. An Access Control List (ACL) allows the switch to prevent certain types of traffic and permit others. ACLs also allow you to control which network devices can communicate on the network. Using ACLs is
CCENT Page 35
to control which network devices can communicate on the network. Using ACLs is processing-intensive because the switch needs to inspect every packet and see if it matches one of the ACL rules defined on the switch. This inspection is performed at the distribution layer, because the switches at this layer typically have the processing capability to handle the additional load, and it also simplifies the use of ACLs. Instead of using ACLs for every access layer switch in the network, they are defined on the fewer distribution layer switches, making management of the ACLs much easier.Quality of Service
The distribution layer switches also need to support QoS to maintain the prioritization of traffic coming from the access layer switches that have implemented QoS. Priority policies ensure that audio and video communications are guaranteed adequate bandwidth to maintain an acceptable quality of service. To maintain the priority of the voice data throughout the network, all of the switches that forward voice data must support QoS; if not all of the network devices support QoS, the benefits of QoS will be reduced. This results in poor performance and quality for audio and video communications.
The distribution layer switches are under high demand on the network because of the functions that they provide. It is important that distribution switches support redundancy for adequate availability. Loss of a distribution layer switch could have significant impact on the rest of the network because all access layer traffic passes through the distribution layer switches. Distribution layer switches are typically implemented in pairs to ensure availability. It is also recommended that distribution layer switches support multiple, hot swappable power supplies. Having more than one power supply allows the switch to continue operating even if one of the power supplies failed during operation. Having hot swappable power supplies allows you to change a failed power supply while the switch is still running. This allows you to repair the failed component without impacting the functionality of the network.
Finally, distribution layer switches need to support link aggregation. Typically, access layer switches use multiple links to connect to a distribution layer switch to ensure adequate bandwidth to accommodate the traffic generated on the access layer, and provide fault tolerance in case a link is lost. Because distribution layer switches accept incoming traffic from multiple access layer switches, they need to be able to forward all of that traffic as fast as possible to the core layer switches. As a result, distribution layer switches also need high-bandwidth aggregated links back to the core layer switches. Newer distribution layer switches support aggregated 10 Gigabit Ethernet (10GbE) uplinks to the core layer switches.
Core Layer Switch Features
The core layer of a hierarchical topology is the high-speed backbone of the network and requires switches that can handle very high forwarding rates. The required forwarding rate is largely dependent on the number of devices participating in the network. You determine your necessary forwarding rate by conducting and examining various traffic flow reports and user communities analyses. Based on your results, you can identify an appropriate switch to support the network. Take care to evaluate your needs for the present and near future. If you choose an inadequate switch to run in the core of the network, you face potential bottleneck issues in the core, slowing down all communications on the network.
Link Aggregation
The core layer also needs to support link aggregation to ensure adequate bandwidth coming into the core from the distribution layer switches. Core layer switches should have support for aggregated 10GbE connections, which is currently the fastest available Ethernet connectivity option. This allows corresponding distribution layer switches to deliver traffic as efficiently as possible to the core.Redundancy
The availability of the core layer is also critical, so you should build in as much redundancy as you can. Layer 3 redundancy typically has a faster convergence than Layer 2 redundancy in the event of hardware failure. Convergence in this context refers to the time it takes for the network to adapt to a change, not to be confused with a converged network that supports data, audio, and video communications. With that in mind, you want to ensure that your core layer switches support Layer 3 functions. A complete discussion on the implications of Layer 3 redundancy is beyond the scope of this course. It remains an open question about the need for Layer 2 redundancy in this context. Layer 2 redundancy is examined in Chapter 5 when we discuss the spanning tree protocol (STP). Also, look for core layer switches that support additional hardware redundancy features like redundant power supplies that can be swapped while the switch continues to operate. Because of the high workload carried by core layer switches, they tend to operate hotter than access or distribution layer switches, so they should have more sophisticated cooling options. Many
CCENT Page 36
distribution layer switches, so they should have more sophisticated cooling options. Many true, core layer-capable switches have the ability to swap cooling fans without having to turn the switch off.
For example, it would be disruptive to shut down a core layer switch to change a power supply or a fan in the middle of the day when the network usage is at its highest. To perform a hardware replacement, you could expect to have at least a 5 minute network outage, and that is if you are very fast at performing the maintenance. In a more realistic situation, the switch could be down for 30 minutes or more, which most likely is not acceptable. With hot-swappable hardware, there is no downtime during switch maintenance.
QoS is an important part of the services provided by core layer switches. For example, service providers (who provide IP, data storage, e-mail and other services) and enterprise Wide Area Networks (WANs), are adding more voice and video traffic to an already growing amount of data traffic. At the core and network edge, mission-critical and time-sensitive traffic such as voice should receive higher QoS guarantees than less time-sensitive traffic such as file transfers or e-mail. Since high-speed WAN access is often prohibitively expensive, adding bandwidth at the core layer is not an option. Because QoS provides a software based solution to prioritize traffic, core layer switches can provide a cost effect way of supporting optimal and differentiated use of existing bandwidth.
Chapter 2We use the speed unit is bits per second. Data storage is Mbytes .Switches are using in the Ethernet.Carrier Sense- It’s the media access. Its in the data link layer
Types of Ethernet Speed bits/sec Command
Original Ethernet 10Mbit/s R1(config)# interface e0/0
Fast Ethernet 100Mbit/s R1(config)#interface fa0/0
Gigabit Ethernet 1,000Mbit/s R1(config)#interface gi0/0
10 Gigabit Ethernet 10,000Mbit/s
1 Terabit Ethernet(doesn't exist yet)
1000 Gbit/s or 1000,000 Mbit/s
CSMA/CD is half-duplex Ethernet and they must wait a random amount of time after a collision has occurred .The CSMA/CD protocol functions somewhat like a dinner party in a dark room. Everyone around the table must listen for a period of quiet before speaking (Carrier Sense). Once a space occurs everyone has an equal chance to say something (Multiple Access). If two people start talking at the same instant they detect that fact, and quit speaking (Collision Detection.) To translate this into Ethernet terms, each interface must wait until there is no signal on the channel, then it can begin transmitting. If some other interface is transmitting there will be a signal on the channel, which is called carrier. All other interfaces must wait until carrier ceases before trying to transmit, and this process is called Carrier Sense.
All Ethernet interfaces are equal in their ability to send frames onto the network. No one gets a higher priority than anyone else, and democracy reigns. This is what is meant by Multiple Access. Since signals take a finite time to travel from one end of an Ethernet system to the other, the first bits of a transmitted frame do not reach all parts of the network simultaneously. Therefore, it's possible for two interfaces to sense that the network is idle and to start transmitting their frames simultaneously. When this happens, the Ethernet system has a way to sense the "collision" of signals and to stop the transmission and resend the frames. This is called Collision Detect.
The CSMA/CD protocol is designed to provide fair access to the shared channel so that all stations get a chance to use the network. After every packet transmission all stations use the CSMA/CD protocol to determine which station gets to use the Ethernet channel next
a-full (auto-negotiated) means full duplex.a-half(auto-negotiated) means half duplex.If the speed is not known, use 10Mbps,half duplex.If the speed is somehow known to be 10 or 100Mbps,default to use half duplex.If the speed is somehow known to be 1000Mbps/1 Gbps, default to use full duplex.
CCENT Page 37
If the speed is somehow known to be 1000Mbps/1 Gbps, default to use full duplex.Ethernet interfaces using speed faster than 1 Gbps always use full duplex.
5Q- scenario: new NIC install in pc, which operates at half duplex and switch, operates at full duplex so they can not communicate what is solution.Your solution is to match up the duplex settings. Full duplex.
Two frame at Data link layer: LLC and Ethernet .ISO mean equal for everyone .IEEE the first two frame together. How you synchronous (the preamble.),the state of frame delimiter, the destination address is the most important for the data., the source address, MAC(the address of NIC).6 bytes *8 = 48 bits
The types of error:
Auto-negotiation errorsFCS errors The cisco provide the Internetwork operating system .The size of collision domain is reduced by switch but switch increases the no of collision domain instead of using hub.( what is a collision?)switch has a full duplex so it can reduce the collision but hub can't reduce.
Wireless is half duplex . HUB Switch
..
Latency is the time a frame or a packet takes to travel from the source station to the final destination.
Chapter2 cisco academy noteCSMA/CD
Ethernet signals are transmitted to every host connected to the LAN using a special set of rules to determine which station can access the network. The set of rules that Ethernet uses is based on the IEEE carrier sense multiple access/collision detect (CSMA/CD) technology. You may recall from CCNA Exploration: Networking Fundamentals that CSMA/CD is only used with half-duplex communication typically found in hubs. Full-duplex switches do not use CSMA/CD.
Carrier Sense
In the CSMA/CD access method, all network devices that have messages to send must listen before transmitting.
If a device detects a signal from another device, it waits for a specified amount of time before attempting to transmit.
When there is no traffic detected, a device transmits its message. While this transmission is occurring, the device continues to listen for traffic or collisions on the LAN. After the message is sent, the device returns to its default listening mode.
Multi-access
If the distance between devices is such that the latency of the signals of one device means that signals are not detected by a second device, the second device may also start to transmit. The media now has two devices transmitting signals at the same time. The messages propagate across the media until they encounter each other. At that point, the signals mix and the messages are destroyed, a collision has occurred. Although the messages are corrupted, the jumble of remaining signals continues to propagate across the media.
Collision Detection
When a device is in listening mode, it can detect when a collision occurs on the shared media, because all devices can detect an increase in the amplitude of the signal above the normal level.
When a collision occurs, the other devices in listening mode, as well as all the transmitting devices, detect the increase in the signal amplitude. Every device that is transmitting continues to transmit to ensure that all devices on the
Switching implementations now dominate applications in which bridging technologies were implemented in prior network designs. Superior throughput performance, higher port density, lower per-port cost, and greater flexibility have contributed to the emergence of switches as replacement technology for bridges and as complements to routing technology.
Pasted from <http://docwiki.cisco.com/wiki/Internetworking_Technology_Handbook>
CCENT Page 38
that is transmitting continues to transmit to ensure that all devices on the network detect the collision.
Jam Signal and Random Backoff
When a collision is detected, the transmitting devices send out a jamming signal. The jamming signal notifies the other devices of a collision, so that they invoke a backoff algorithm. This backoff algorithm causes all devices to stop transmitting for a random amount of time, which allows the collision signals to subside.
After the delay has expired on a device, the device goes back into the "listening before transmit" mode. A random backoff period ensures that the devices that were involved in the collision do not try to send traffic again at the same time, which would cause the whole process to repeat. However, during the backoff period, a third device may transmit before either of the two involved in the collision have a chance to re-transmit.
CCENT Page 39
Ethernet Communications
Reference the selected Ethernet Communications area in the figure.
CCENT Page 40
Communications in a switched LAN network occur in three ways: unicast, broadcast, and multicast:
Unicast: Communication in which a frame is sent from one host and addressed to one specific destination. In unicast transmission, there is just one sender and one receiver. Unicast transmission is the predominant form of transmission on LANs and within the Internet. Examples of protocols that use unicast transmissions include HTTP, SMTP, FTP, and Telnet.
Broadcast: Communication in which a frame is sent from one address to all other addresses. In this case, there is just one sender, but the information is sent to all connected receivers. Broadcast transmission is essential when sending the same message to all devices on the LAN. An example of a broadcast transmission is the address resolution query that the address resolution protocol (ARP) sends to all computers on a LAN.
Multicast: Communication in which a frame is sent to a specific group of devices or clients. Multicast transmission clients must be members of a logical multicast group to receive the information. An example of multicast transmission is the video and voice transmissions associated with a network-based, collaborative business meeting.
Ethernet Frame
Click the Ethernet Frame button in the figure.
The first course in our series, CCNA Exploration: Networking Fundamentals, described the structure of the Ethernet frame in detail. To briefly review, the Ethernet frame structure adds headers and trailers around the Layer 3 PDU to encapsulate the message being sent. Both the Ethernet header and trailer have several sections (or fields) of information that are used by the Ethernet protocol. The figure shows the structure of the current Ethernet frame standard, the revised IEEE 802.3 (Ethernet).
Roll over each field name to see its description.
Preamble and Start Frame Delimiter Fields
The Preamble (7 bytes) and Start Frame Delimiter (SFD) (1 byte) fields are used for synchronization between the sending and receiving devices. These first 8 bytes of the frame are used to get the attention of the receiving nodes. Essentially, the first few bytes tell the receivers to get ready to receive a new frame.
Destination MAC Address Field
The Destination MAC Address field (6 bytes) is the identifier for the intended recipient. This address is used by Layer 2 to assist a device in determining if a frame is addressed to it. The address in the frame is compared to the MAC address in the device. If there is a match, the device accepts the frame.
Source MAC Address Field
The Source MAC Address field (6 bytes) identifies the frame's originating NIC or interface. Switches use this address to add to their lookup tables.
Length/Type Field
The Length/Type field (2 bytes) defines the exact length of the frame's data field. This field is used later as part of the Frame Check Sequence (FCS) to ensure that the message was received properly. Only a frame length or a frame type can be entered here. If the purpose of the field is to designate a type, the Type field describes which protocol is implemented. When a node receives a frame and the Length/Type field designates a type, the node determines which higher layer protocol is present. If the two-octet value is equal to or greater than 0x0600 hexadecimal or 1536 decimal, the contents of the Data Field are decoded according to the protocol indicated; if the two-byte value is less than 0x0600 then the value represents the length of the data in the frame.
Data and Pad Fields
The Data and Pad fields (46 to 1500 bytes) contain the encapsulated data from a higher layer, which is a generic Layer 3 PDU, or more commonly, an IPv4 packet. All frames must be at least 64 bytes long (minimum length aides the detection of collisions). If a small packet is encapsulated, the Pad field is used to increase the size of the frame to the minimum size.
Frame Check Sequence Field
The FCS field (4 bytes) detects errors in a frame. It uses a cyclic redundancy check (CRC). The sending device includes the results of a CRC in the FCS field of the frame. The receiving device receives the frame and generates a CRC to look for errors. If the calculations match, no error has occurred. If the calculations do not match, the frame is dropped.
MAC Address
Click the MAC Address button in the figure.
CCENT Page 41
In CCNA Exploration: Networking Fundamentals, you learned about the MAC address. An Ethernet MAC address is a two-part 48-bit binary value expressed as 12 hexadecimal digits. The address formats might be similar to 00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or 0005.9A3C.7800.
All devices connected to an Ethernet LAN have MAC-addressed interfaces. The NIC uses the MAC address to determine if a message should be passed to the upper layers for processing. The MAC address is permanently encoded into a ROM chip on a NIC. This type of MAC address is referred to as a burned in address (BIA). Some vendors allow local modification of the MAC address. The MAC address is made up of the organizational unique identifier (OUI) and the vendor assignment number.
Roll over each field name to see its description.
Organizational Unique Identifier
The OUI is the first part of a MAC address. It is 24 bits long and identifies the manufacturer of the NIC card. The IEEE regulates the assignment of OUI numbers. Within the OUI, there are 2 bits that have meaning only when used in the destination address, as follows:
Broadcast or multicast bit: Indicates to the receiving interface that the frame is destined for all or a group of end stations on the LAN segment.
Locally administered address bit: If the vendor-assigned MAC address can be modified locally, this bit should be set.
Vendor Assignment Number
The vendor-assigned part of the MAC address is 24 bits long and uniquely identifies the Ethernet hardware. It can be a BIA or modified by software indicated by the local bit.
CCENT Page 42
There are two types of duplex settings used for communications on an Ethernet network: half duplex and full duplex. The figure shows the two duplex settings available on modern network equipment.
Half Duplex: Half-duplex communication relies on unidirectional data flow where sending and receiving data are not performed at the same time. This is similar to how walkie-talkies or two-way radios function in that only one person can talk at any one time. If someone talks while someone else is already speaking, a collision occurs. As a result, half-duplex communication implements CSMA/CD to help reduce the potential for collisions and detect them when they do happen. Half-duplex communications have performance issues due to the constant waiting, because data can only flow in one direction at a time. Half-duplex connections are typically seen in older hardware, such as hubs. Nodes that are attached to hubs that share their connection to a switch port must operate in half-duplex mode because the end computers must be able to detect collisions. Nodes can operate in a half-duplex mode if the NIC card cannot be configured for full duplex operations. In this case the port on the switch defaults to a half-duplex mode as well. Because of these limitations, full-duplex communication has replaced half duplex in more current hardware.
Full Duplex: In full-duplex communication, data flow is bidirectional, so data can be sent and received at the same time. The bidirectional support enhances performance by reducing the wait time between transmissions. Most Ethernet, Fast Ethernet, and Gigabit Ethernet NICs sold today offer full-duplex capability. In full-duplex mode, the collision detect circuit is disabled. Frames sent by the two connected end nodes cannot collide because the end nodes use two separate circuits in the network cable. Each full-duplex connection uses only one port. Full-duplex connections require a switch that supports full duplex or a direct connection between two nodes that each support full duplex. Nodes that are directly attached to a dedicated switch port with NICs that support full duplex should be connected to switch ports that are configured to operate in full-duplex mode.
Standard, shared hub-based Ethernet configuration efficiency is typically rated at 50 to 60 percent of the 10-Mb/s bandwidth. Full-duplex Fast Ethernet, compared to 10-Mb/s bandwidth, offers 100 percent efficiency in both directions (100-Mb/s transmit and 100-Mb/s receive).
Switch Port Settings
A port on a switch needs to be configured with duplex settings that match the media type. Later in this chapter, you will configure duplex settings. The Cisco Catalyst switches have three settings:
The auto option sets autonegotiation of duplex mode. With autonegotiation enabled, the two ports communicate to decide the best mode of operation.The full option sets full-duplex mode.The half option sets half-duplex mode.
For Fast Ethernet and 10/100/1000 ports, the default is auto. For 100BASE-FX ports, the default is full. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when set to 1,000 Mb/s, they operate only in full-duplex mode.
Note: Autonegotiation can produce unpredictable results. By default, when autonegotiation fails, the Catalyst switch sets the corresponding switch port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation. If the device is manually configured to operate in half-duplex mode, it matches the default mode of the switch. However, autonegotiation errors can happen if the device is manually configured to operate in full-duplex mode. Having half-duplex on one end and full-duplex on the other causes late collision errors at the half-duplex end. To avoid this situation, manually set the duplex parameters of the switch to match the attached device. If the switch port is in full-duplex mode and the attached device is in half-duplex mode, check for FCS errors on the switch full-duplex port.
auto-MDIX
Connections between specific devices, such as switch-to-switch or switch-to-
CCENT Page 43
Connections between specific devices, such as switch-to-switch or switch-to-router, once required the use of certain cable types (cross-over, straight-through). Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.
When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly. Therefore, you can use either a crossover or a straight-through cable for connections to a copper 10/100/1000 port on the switch, regardless of the type of device on the other end of the connection.
The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.
To see how this works, click the steps in the figure.
The following describes this process:
Step 1. The switch receives a broadcast frame from PC 1 on Port 1.
Step 2. The switch enters the source MAC address and the switch port that received the frame into the address table.
Step 3. Because the destination address is a broadcast, the switch floods the frame to all ports, except the port on which it received the frame.
Step 4. The destination device replies to the broadcast with a unicast frame addressed to PC 1.
Step 5. The switch enters the source MAC address of PC 2 and the port number of the switch port that received the frame into the address table. The destination address of the frame and its associated port is found in the MAC address table.
Step 6. The switch can now forward frames between source and destination devices without flooding, because it has entries in the address table that identify the associated ports.
CCENT Page 44
CCENT Page 45
Network Latency
Latency is the time a frame or a packet takes to travel from the source station to the final destination. Users of network-based applications experience latency when they have to wait many minutes to access data stored in a data center or when a website takes many minutes to load in a browser. Latency has at least three sources.
First, there is the time it takes the source NIC to place voltage pulses on the wire, and the time it takes the destination NIC to interpret these pulses. This is sometimes called NIC delay, typically around 1 microsecond for a 10BASE -T NIC.
Second, there is the actual propagation delay as the signal takes time to travel through the cable. Typically, this is about 0.556 microseconds per 100 m for Cat 5 UTP. Longer cable and slower nominal velocity of propagation (NVP) result in more propagation delay.
Third, latency is added based on network devices that are in the path between two devices. These are either Layer 1, Layer 2, or Layer 3 devices. These three contributors to latency can be discerned from the animation as the frame traverses the network.Latency does not depend solely on distance and number of devices. For example, if three properly configured switches separate two computers, the computers may experience less latency than if two properly configured routers separated them. This is because routers conduct more complex and time -intensive functions. For example, a router must analyze Layer 3 data, while switches just analyze the Layer 2 data. Since Layer 2 data is present earlier in the frame structure than the Layer 3 data, switches can process the frame more quickly. Switches also support the high transmission rates of voice, video, and data networks by employing application-specific integrated circuits (ASIC) to provide hardware support for many networking tasks. Additional switch features such as port-based memory buffering, port level QoS, and congestion management, also help to reduce network latency.
Switch-based latency may also be due to oversubscribed switch fabric. Many entry-level switches do not have enough internal throughput to manage full bandwidth capabilities on all ports simultaneously. The switch needs to be able to manage the amount of peak data expected on the network. As the switching
CCENT Page 46
manage the amount of peak data expected on the network. As the switching technology improves, the latency through the switch is no longer the issue. The predominant cause of network latency in a switched LAN is more a function of the media being transmitted, routing protocols used, and types of applications running on the network.
Network Congestion
The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of bandwidth per user. Without segmentation, a LAN quickly becomes clogged with traffic and collisions. The figure shows a network that is subject to congestion by multiple node devices on a hub -based network.
These are the most common causes of network congestion:
Increasingly powerful computer and network technologies. Today, CPUs, buses, and peripherals are much faster and more powerful than those used in early LANs, therefore they can send more data at higher rates through the network, and they can process more data at higher rates.Increasing volume of network traffic. Network traffic is now more common because remote resources are necessary to carry out basic work. Additionally, broadcast messages, such as address resolution queries sent out by ARP, can adversely affect end-station and network performance.High-bandwidth applications. Software applications are becoming richer in their functionality and are requiring more and more bandwidth. Desktop publishing, engineering design, video on demand (VoD), electronic learning (e -learning), and streaming video all require considerable processing power and speed.
LAN Segmentation
LANs are segmented into a number of smaller collision and broadcast domains using routers and switches. Previously, bridges were used, but this type of network equipment is rarely seen in a modern switched LAN. The figure shows the routers and switches segmenting a LAN.
CCENT Page 47
the routers and switches segmenting a LAN.
In the figure the network is segmented into four collision domains using the switch.
Roll over the Collision Domain to see the size of each collision domain.
However, the broadcast domain, in the figure spans the entire network.
Roll over the Broadcast Domain to see the size of broadcast domain.
Bridges and Switches
Although bridges and switches share many attributes, several distinctions differentiate these technologies. Bridges are generally used to segment a LAN into a couple of smaller segments. Switches are generally used to segment a large LAN into many smaller segments. Bridges have only a few ports for LAN connectivity, whereas switches have many.Routers
Even though the LAN switch reduces the size of collision domains, all hosts connected to the switch, and in the same VLAN, are still in the same broadcast domain. Because routers do not forward broadcast traffic by default, they can be used to create broadcast domains. Creating additional, smaller broadcast domains with a router reduces broadcast traffic and provides more available bandwidth for unicast communications. Each router interface connects to a separate network, containing broadcast traffic within the LAN segment in which it originated.
Click the Controlled Collision and Broadcast Domain button to see the effect of introducing routers and more switches into the network.
Roll over the two text areas to identify the different broadcast and collision domains.
Controlling Network Latency
When designing a network to reduce latency, you need to consider the latency caused by each device on the network. Switches can introduce latency on a network when oversubscribed on a busy network. For example, if a core level switch has to support 48 ports, each one capable of running at 1000 Mb/s full duplex, the switch should support around 96 Gb/s internal throughput if it is to maintain full wirespeed across all ports simultaneously. In this example, the throughput requirements stated are typical of core-level switches, not of access-level switches.
The use of higher layer devices can also increase latency on a network. When a Layer 3 device, such as a router, needs to examine the Layer 3 addressing information contained within the frame, it must read further into the frame than a Layer 2 device, which creates a longer processing time. Limiting the use of higher layer devices can help reduce network latency. However, appropriate use of Layer 3 devices helps prevent contention from broadcast traffic in a large broadcast domain or the high collision rate in a large collision domain.
Removing Bottlenecks
Bottlenecks on a network are places where high network congestion results in slow performance.
Click on the Removing Network Bottlenecks button in the figure.
In this figure which shows six computers connected to a switch, a single server is also connected to the same switch. Each workstation and the server are all connected using a 1000 Mb/s NIC. What happens when all six computers try to access the server at the same time? Does each workstation get 1000 Mb/s dedicated access to the server? No, all the computers have to share the 1000 Mb/s connection that the server has to the switch. Cumulatively, the computers are capable of 6000 Mb/s to the switch. If each connection was used at full capacity, each computer would be able to use only 167 Mb/s, one-sixth of the 1000 Mb/s bandwidth. To reduce the bottleneck to the server, additional network cards can be installed, which increases the total bandwidth the server is capable
CCENT Page 48
cards can be installed, which increases the total bandwidth the server is capable of receiving. The figure shows five NIC cards in the server and approximately five times the bandwidth. The same logic applies to network topologies. When switches with multiple nodes are interconnected by a single 1000 Mb/s connection, a bottleneck is created at this single interconnect. Removing Bottlenecks
Bottlenecks on a network are places where high network congestion results in slow performance.
Click on the Removing Network Bottlenecks button in the figure.
In this figure which shows six computers connected to a switch, a single server is also connected to the same switch. Each workstation and the server are all connected using a 1000 Mb/s NIC. What happens when all six computers try to access the server at the same time? Does each workstation get 1000 Mb/s dedicated access to the server? No, all the computers have to share the 1000 Mb/s connection that the server has to the switch. Cumulatively, the computers are capable of 6000 Mb/s to the switch. If each connection was used at full capacity, each computer would be able to use only 167 Mb/s, one -sixth of the 1000 Mb/s bandwidth. To reduce the bottleneck to the server, additional network cards can be installed, which increases the total bandwidth the server is capable of receiving. The figure shows five NIC cards in the server and approximately five times the bandwidth. The same logic applies to network topologies. When switches with multiple nodes are interconnected by a single 1000 Mb/s connection, a bottleneck is created at this single interconnect.
Strange LAN collision domains structure:
Switch Packet Forwarding Methods
In this topic, you will learn how switches forward Ethernet frames on a network. Switches can operate in different modes that can have both positive and negative effects.
In the past, switches used one of the following forwarding methods for switching data between network ports: store-and-forward or cut-through switching. Referencing the Switch Forwarding Methods button shows these two methods. However, store-and-forward is the sole forwarding method used on current models of Cisco Catalyst switches.
Store-and-Forward Switching
In store-and-forward switching, when the switch receives the frame, it stores the data in buffers until the complete frame has been received. During the storage process, the switch analyzes the frame for information about its destination. In this process, the switch also performs an error check using the Cyclic Redundancy Check (CRC) trailer portion of the Ethernet frame.
CRC uses a mathematical formula, based on the number of bits (1s) in the frame, to determine whether the received frame has an error. After confirming the integrity of the frame, the frame is forwarded out the appropriate port toward its destination. When an error is detected in a frame, the switch discards the frame. Discarding frames with errors reduces the amount of bandwidth consumed by corrupt data. Store-and-forward switching is required for
CCENT Page 49
bandwidth consumed by corrupt data. Store-and-forward switching is required for Quality of Service (QoS) analysis on converged networks where frame classification for traffic prioritization is necessary. For example, voice over IP data streams need to have priority over web-browsing traffic.
Click on the Store-and-Forward Switching button and play the animation for a demonstration of the store-and-forward process.
Cut-through Switching
In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete. The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port to forward the data. The destination MAC address is located in the first 6 bytes of the frame following the preamble. The switch looks up the destination MAC address in its switching table, determines the outgoing interface port, and forwards the frame onto its destination through the designated switch port. The switch does not perform any error checking on the frame. Because the switch does not have to wait for the entire frame to be completely buffered, and because the switch does not perform any error checking, cut-through switching is faster than store-and-forward switching. However, because the switch does not perform any error checking, it forwards corrupt frames throughout the network. The corrupt frames consume bandwidth while they are being forwarded. The destination NIC eventually discards the corrupt frames.
Click on the Cut-Through Switching button and play the animation for a demonstration of the cut-through switching process.
There are two variants of cut-through switching:
Fast-forward switching: Fast-forward switching offers the lowest level of latency. Fast-forward switching immediately forwards a packet after reading the destination address. Because fast-forward switching starts forwarding before the entire packet has been received, there may be times when packets are relayed with errors. This occurs infrequently, and the destination network adapter discards the faulty packet upon receipt. In fast -forward mode, latency is measured from the first bit received to the first bit transmitted. Fast -forward switching is the typical cut-through method of switching.
Fragment-free switching: In fragment-free switching, the switch stores the first 64 bytes of the frame before forwarding. Fragment-free switching can be viewed as a compromise between store-and-forward switching and cut-through switching. The reason fragment-free switching stores only the first 64 bytes of the frame is that most network errors and collisions occur during the first 64 bytes. Fragment -free switching tries to enhance cut-through switching by performing a small error check on the first 64 bytes of the frame to ensure that a collision has not occurred before forwarding the frame. Fragment-free switching is a compromise between the high latency and high integrity of store-and-forward switching, and the low latency and reduced integrity of cut-through switching.
Some switches are configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached and then they automatically change to store-and-forward. When the error rate falls below the threshold, the port automatically changes back to cut-through switching.
CCENT Page 50
Layer 2 and Layer 3 Switching
CCENT Page 51
Layer 2 and Layer 3 Switching
In this topic, you will review the concept of Layer 2 switching and learn about Layer 3 switching.
A Layer 2 LAN switch performs switching and filtering based only on the OSI Data Link layer (Layer 2) MAC address. A Layer 2 switch is completely transparent to network protocols and user applications. Recall that a Layer 2 switch builds a MAC address table that it uses to make forwarding decisions.
A Layer 3 switch, such as the Catalyst 3560, functions similarly to a Layer 2 switch, such as the Catalyst 2960, but instead of using only the Layer 2 MAC address information for forwarding decisions, a Layer 3 switch can also use IP address information. Instead of only learning which MAC addresses are associated with each of its ports, a Layer 3 switch can also learn which IP addresses are associated with its interfaces. This allows the Layer 3 switch to direct traffic throughout the network based on IP address information.
Layer 3 switches are also capable of performing Layer 3 routing functions, reducing the need for dedicated routers on a LAN. Because Layer 3 switches have specialized switching hardware, they can typically route data as quickly as they can switch.
CCENT Page 52
As a security feature, Cisco IOS software separated the EXEC sessions into these access levels:
User EXEC: Allows a person to access only a limited number of basic monitoring commands. User EXEC mode is the default mode you enter after logging in to a Cisco switch from the CLI. User EXEC mode is identified by the > prompt.Privileged EXEC: Allows a person to access all device commands, such as those used for configuration and management, and can be password-protected to allow only authorized users to access the device. Privileged EXEC mode is identified by the # prompt.
To change from user EXEC mode to privileged EXEC mode, enter the enable command. To change from privileged EXEC mode to user EXEC mode, enter the disable command. On a real network, the switch prompts for the password. Enter the correct password. By default, the password is not configured. The figure shows the Cisco IOS commands used to navigate from user EXEC mode to privileged EXEC mode and back again.
GUI-based Alternatives to the CLI
There are a number of graphical management alternatives for managing a Cisco switch. Using a GUI offers simplified switch management and configuration without in-depth knowledge of the Cisco CLI.
Click the Cisco Network Assistant button in the figure.
Cisco Network Assistant
Cisco Network Assistant is a PC-based GUI network management application optimized for small and medium-sized LANs. You can configure and manage groups of switches or standalone switches. The figure shows the management interface for Network Assistant. Cisco Network Assistant is available at no cost and can be downloaded from Cisco (CCO username/password required):
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps5931/product_data_sheet0900aecd8068820a.html
Click the CiscoView Application button in the figure.
CiscoView Application
The CiscoView device-management application displays a physical view of the
CCENT Page 53
The CiscoView device-management application displays a physical view of the switch that you can use to set configuration parameters and to view switch status and performance information. The CiscoView application, purchased separately, can be a standalone application or part of a Simple Network Management Protocol (SNMP) platform. The figure shows the management interface for the CiscoView Device Manager. Learn more about CiscoView Device Manager at:
http://www.cisco.com/en/US/products/sw/cscowork/ps4565/prod_bulletin0900aecd802948b0.html
Click the Cisco Device Manager button in the figure.
Cisco Device Manager
Cisco Device Manager is web-based software that is stored in the switch memory. You can use Device Manager to configure and manage switches. You can access Device Manager from anywhere in your network through a web browser. The figure shows the management interface.
Click the SNMP Network Management button in the figure.
SNMP Network Management
You can manage switches from a SNMP-compatible management station, such as HP OpenView. The switch is able to provide comprehensive management information and provide four Remote Monitoring (RMON) groups. SNMP network management is more common in large enterprise networks.
Cisco View
Cisco Device Manager
Cisco Network Assistant
CCENT Page 54
SNMP
CCENT Page 55
CCENT Page 56
Copy configuration to tftp server
CCENT Page 57
To recover the password on a Cisco 2960 switch, use the following steps:
Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
Step 4. Initialize the Flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of Flash memory using the dir flash command:
The switch file system appears:
Directory of flash:13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX11 -rwx 5825 Mar 01 1993 22:31:59 config.text18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat16128000 bytes total (10003456 bytes free)
Step 7. Rename the configuration file to config.text.old, which contains the password definition, using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the follow is displayed on the console:
Source filename [config.text]? Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.
Note: The password recovery procedure can be different depending on the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.
CCENT Page 58
To remove the MOTD banner, enter the no format of this command in global configuration mode, for example, S1(config)#no banner login.
The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The MOTD banner displays before the login banner if it is configured.
To remove the login banner, enter the no format of this command in global configuration mode, for example S1(config)#no banner motd.
CCENT Page 59
You should be aware of another type of DHCP attack called a DHCP starvation attack. The attacker PC continually requests IP addresses from a real DHCP server by changing their source MAC addresses. If successful, this kind of DHCP attack causes all of the leases on the real DHCP server to be allocated, thus preventing the real users (DHCP clients) from obtaining an IP address.To prevent DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches.
Cisco Catalyst DHCP Snooping and Port Security Features
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages; untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP options in which switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.
Click the DHCP Snooping button.
Untrusted ports are those not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.
These steps illustrate how to configure DHCP snooping on a Cisco IOS switch:
Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.Step 3. Define ports as trusted or untrusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command.
Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit raterate command.
CDP Attacks
The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection in some cases, simplifying configuration and connectivity. CDP messages are not encrypted.
By default, most Cisco routers and switches have CDP enabled. CDP information is sent in periodic broadcasts that are updated locally in each device's CDP database. Because CDP is a Layer 2 protocol, it is not propagated by routers.
CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. When this information is available to an attacker, they can use it to find exploits to attack your network, typically in the form of a Denial of Service (DoS) attack.
The figure is a portion of an Ethereal packet trace showing the inside of a CDP packet. The Cisco IOS software version discovered via CDP, in particular, would allow the attacker to research and determine whether there were any security vulnerabilities specific to that particular version of code. Also, because CDP is unauthenticated, an attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device.
CCENT Page 60
received by the attacker's directly connected Cisco device.
To address this vulnerability, it is recommended that you disable the use of CDP on devices that do not need to use it.
The Telnet protocol can be used by an attacker to gain remote access to a Cisco network switch. In an earlier topic, you configured a login password for the vty lines and set the lines to require password authentication to gain access. This provides an essential and basic level of security to help protect the switch from unauthorized access. However, it is not a secure method of securing access to the vty lines. There are tools available that allow an attacker to launch a brute force password cracking attack against the vty lines on the switch.
Brute Force Password Attack
The first phase of a brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word on the dictionary list. Luckily, you are smart enough not to use a dictionary word, so you are safe for now. In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to "guess" the password. Given enough time, a brute force password attack can crack almost all passwords used.
The simplest thing that you can do to limit the vulnerability to brute force password attacks is to change your passwords frequently and use strong passwords randomly mixing upper and lowercase letters with numerals. More advanced configurations allow you to limit who can communicate with the vty lines by using access lists, but that is beyond the scope of this course.
DoS Attack
Another type of Telnet attack is the DoS attack. In a DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack is mostly a nuisance because it prevents an administrator from performing switch management functions.
Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions. If you are experiencing a DoS attack against the Telnet service, or any other service on a Cisco device, check to see if there is a newer Cisco IOS revision available.
Network Security Tools Features
A secure network really is a process not a product. You cannot just enable a switch with a secure configuration and declare the job done. To say you have a secure network, you need to have a comprehensive network security plan defining how to regularly verify that your network can withstand the latest
CCENT Page 61
defining how to regularly verify that your network can withstand the latest malicious network attacks. The changing landscape of security risks means that you need auditing and penetration tools that can be updated to look for the latest security risks. Common features of a modern network security tool include:
Service identification: Tools are used to target hosts using the Internet Assigned Numbers Authority (IANA) port numbers. These tools should also be able to discover an FTP server running on a non-standard port or a web server running on port 8080. The tool should also be able to test all the services running on a host.Support of SSL services: Testing services that use SSL level security, including HTTPS, SMTPS, IMAPS, and security certificate. Non-destructive and destructive testing: Performing non-destructive security audits on a routine basis that do not compromise or only moderately compromise network performance. The tools should also let you perform destructive audits that significantly degrade network performance. Destructive auditing allows you to see how well your network withstands attacks from intruders.Database of vulnerabilities: Vulnerabilities change all the time.
Network security tools need to be designed so they can plug in a module of code and then run a test for that vulnerability. In this way, a large database of vulnerabilities can be maintained and uploaded to the tool to ensure that the most recent vulnerabilities are being tested.
You can use network security tools to:
Capture chat messages Capture files from NFS trafficCapture HTTP requests in Common Log Format Capture mail messages in Berkeley mbox formatCapture passwordsDisplay captured URLs in browser in real timeFlood a switched LAN with random MAC addressesForge replies to DNS address / pointer queries Intercept packets on a switched LAN
Port Security
A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords, or configuration information about the systems on the network.
All switch ports or interfaces should be secured before the switch is deployed. Port security limits the number of valid MAC addresses allowed on a port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
If you limit the number of secure MAC addresses to one and assign a single secure MAC address to that port, the workstation attached to that port is assured the full bandwidth of the port, and only that workstation with that particular secure MAC address can successfully connect to that switch port.
Secure MAC Address Types
There are a number of ways to configure port security. The following describes the ways you can configure port security on a Cisco switch:
Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts. Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.
CCENT Page 62
Sticky MAC Addresses
Sticky secure MAC addresses have these characteristics:
When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration. If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command, the sticky secure MAC addresses remain part of the address table but are removed from the running configuration. When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in the running configuration. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost. If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address interface configuration command, an error message appears, and the sticky secure MAC address is not added to the running configuration.
Security Violation Modes
It is a security violation when either of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface. An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs. The figure presents which kinds of data traffic are forwarded when one of the following security violation modes are configured on a port:
protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments. shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
CCENT Page 63
Verify Port Security
After you have configured port security for your switch, you want to verify that it has been configured correctly. You need to check each interface to verify that you have set the port security correctly. You also have to check to make sure that you
CCENT Page 64
have set the port security correctly. You also have to check to make sure that you have configured static MAC addresses correctly.
Verify Port Security Settings
To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command.
The output displays the following:
Maximum allowed number of secure MAC addresses for each interfaceNumber of secure MAC addresses on the interfaceNumber of security violations that have occurredViolation mode
CCENT Page 65
DE capsulation Process
Step1. Checks the data Link trailer(CRC/check sequence) to see if the data is in error.
MAC header IP header
Port header
Data size
FCS(Bits and bytes)
Calculation /check with CRC (Bits and bytes in Ethernet frame )
……...Bits/bytes Bits/Bytes
Bits/bytes Bits/Bytes
Bits/Bytes
Step2. the data is in error, it is discarded. Build the new header.
Build new MAC header
IP header
Port header
Data Size
new FCS(Bits and bytes)
Step3.After checking the CRC , when the data link layer is not in error ...the data link layer reads and interprets the cont rol information in the data link header. Changing the MAC address of source in the local interface of new router and finding the MAC address of the destination IP address in the Mac address Table.
Step4.It strips the data link header and tailor and then passed to the remaining data up to the network layer based on the control information in the data link layer. Sending the packet matching and finding the Destination IP address in routing table.
……………..
Port (TCP/UDP header )
Data
Step 5. Transport layer( choosing the port no from the receiver to send the packet to forward to the receiver port no.)
………….
…………. Data
Step6. Session layer ( de-segmentation) Data
Step7. Presentation layer (decoding data) Data
Step 8.Application layer choosing the application to open the data. Data
Encapsulation process (down from Application to the Physical)
Step 1.data sent it from the application to the application layer. Data
Step2.Add the application header(layer7), to the user data.(using application software.) Data
Step3.Add the presentation header (layer6),to the user data. (encoding) Data
Step4.Add the session layer header(layer5),to the user data. (segmentation) Data Data Data Data Data
Step5.Add the transport layer header(layer 4).to the user data.(TCP/UDP header) …... ….. Port header(TCP/UDP)
DataSize
…..
Step6.Add the network layer header( Layer3),to the user data.( IP header) ……... IP header Port header Data Size …...
Step7.Add the data link layer header and tailor, the layer 2 tailor is the frame check sequences to detect whether the data is in error. (Ethernet header and FCS tailor)
MAC header/LLC(Bits/bytes)
IP header
(Bits/bytes)
Port header Data size (Bits/Bytes)
FCS(Bits /Bytes)
Step8.The physical layer that transmit the bits onto the network media a defined by the media type. MAC header/LLC
IP header Port header Data FCS(Bits/Bytes)
(Choose the device and cabling and calculate the transmission rate in bits to choose which device is the most suitable) MAC header/LLC
IP header Port header Data FCS(Bits/Bytes)
Steps of layer PDU(addresses) OSI layer TCP/IP Model Function
Application( is the closet with the end user)
7. Data Application 4. Application ( Application+ Presentation+ Session.)
File server, print server, database server, webserver
Presentation6. Data Presentation Application4.(Application+ Presentation+Session.)
Encryption, decryption and translation service.
Session5. Segment(combine with the transport layer)
Session(timing) Application4.(Application+ Presentation+Session.)
Dialog Control( It handles security and creation of the session.)terminates connections between applications at each end. Inter-host communication.
Transport4. Segment(port no) Transport Transport3. End to end connection
Network3. Packets(logical add/IP) Network Internet2. Routing(logical addressing)
Data Link 2. Frames(Physical add/MAC) Data Link Network Access1.(Physical and Data link)
LLC and MAC (physical addressing)
Physical1. Bits Physical Network Access1. Physical Device and cabling,
OSI Model and TCP/IP model
Data Encapsulation and DE capsulation processWednesday, 24 November 20104:52 PM
CCENT Page 66
Physical1. Bits Physical Network Access1.(Physical and Data link)
Physical Device and cabling,
The Encapsulation and Decapsulation process when the packet travels from the source to the destination.
When the source has to transfer the data it encapsulate the data in a packet with source and destination IP address it ,then encapsulate the packet into a frame with source and destination MAC address.that is the hardware address and send the frame out as bit on the wire means physical layer work here.
After that the frame is received by the source gateway – a router and is decapsulated.If the destination MAC address is the router, the router will search the routing table for the interface to reach the destination host,encapsulate the packet in the appropriate frame format for the outgoing interface with new source and the destination layer2 (MAC) address and forward the frame out that interface.
This process is repeated at each router until the packet reaches its destination. (ARP Request and respond).
And from the source to destination the layer 2 address is change into the destination at each hop but the layer 3 address that is the source and destination IP address remain the same.
CCENT Page 67
The" tracert" command is used in the window to show the packet 's path follows to the destination.The "traceroute" command is used in the Cisco IOS to show the routing path to the destination.
The" netstat -r" shows the routing table in the Window IOS.Just only "netstat" shows the current TCP connections.The" ipconfig" mainly to show the address of it's PCs .optionally , to flush the contents of both DNS and DHCP client .
The "end" -Ends the current configuration session and jump directly to privileged EXEC mode.To copy the running-config startup-config , we need to go back the privileged EXEC mode.The "exit"-Exits the current command mode and returns to the preceding mode. For example, exits from global configuration-line interface mode to the global configuration step by step.
ip route destination network address
subnet mask Next hop address (interface at other end of same interface's subnet)
Administration distance
192.168.1.0 255.255.255.0 10.2.1.2 10
COMMAND LISTSMonday, 29 November 20103:04 PM
CCENT Page 68
#show interfaces Fa0/0 can show the bandwidth and MTU and encapsulation type…..# show flash can show the content of flash memory and the amount of flash……#show boot can show the configuration register setting ,The contents of boot environment variable, the name of config-file
Router2#copy run startDestination filename [startup-config]? Building configuration...[OK]
To save running-config to startup-config.
Router console, telnet ,SSH configuration commandRouter> en (user-mode)Router#conf t (privileged mode)Router(config)#hostname Router1(global configuration mode)Router1(config)#line console 0(only one console line)Router1(config-line)#password ciscoRouter1(config-line)# login (if this command is not typed when configure on console, the router will not ask password when you log in )
Router1(config-line)#exit or endRouter1(config)#(If exit command is typed, you can reach to the previous global config mode) or( end command is typed, You can reach directly to privileged mode)..Router1(config)#service password-encryption(to encrypt all password such as console configuration, telnet configuration , serial link ppp chap interface configuration from current situation to future situation, aux configuration both duration in the present and to allow for the new password to encrypt all in the future.)
For example, when login the user authentication or console login:User Access Verification n mmmmmmmmmmm Password: Password:
Router1(config)#enable secret Cisco(When you login to the privileged mode ,the most secure password after typing >en or after user authentication /console login).For example, when you login they will ask you:Router2>enPassword:
CCENT Page 69
Router1(config)#line vty 0 4(telnet lines are five lines)Router1(config-line)#password ciscoRouter1(config-line)#login #Transport input telnet Router1(config-line)#exit Router2# telnet 172.16.1.1Trying 172.16.1.1 ...Open
User Access Verification
Password: Router1>
Telnet just only allow switch but you cannot go into enable mode /privileged without setting enable password or enable secret password.
Router1(config) #line vty 5 11Router1(config-line)#transport input sshRouter1(config-line)#login localRouter1(config-line)#Router1(config-line)#ip domain-name MyDomain1 Router1(config)#username MyDomain1 password ciscoRouter1(config)#ip ssh version 1 or 2.Please create RSA keys (of not more than 512 bits size) to enable SSH v1.Router1(config)#crypto key generate rsa( local key)Please create RSA keys (of at least 768 bits size) to enable SSH v2.Router1(config)#crypto key generate rsa(pubic key).In other Router2, you can login. you can log in: Router2>Router2>enPassword: Router2#ssh -l MyDomain1 172.16.1.1OpenPassword:
Router1>enPassword: Router1#
CCENT Page 70
IP default-gateway commandThe ip default−gateway command differs from the other two commands. It should only be used when ip routing is disabled on the Cisco router.
If the router is a host in the IP world, you can use this command to define a default gateway for it.
•
You might also use this command when your low end Cisco router is in boot mode in order to TFTP a Cisco IOS® Software image to the router. In boot mode, the router does not have ip routing enabled.
•
ip default−gateway 172.16.15.4
IP default-networkUnlike the ip default−gateway command, you can use ip default−network when ip routing is enabled on the Cisco router.When you configure ip default−network the router considers routes to that network for installation as the gateway of last resort on the router.For every network configured with ip default−network, if a router has a route to that network, that route is flagged as a candidate default route.
CCENT Page 71
that network, that route is flagged as a candidate default route.The ip default−network command must be known to IGRP or EIGRP.RIP advertises a route to 0.0.0.0 if a gateway of last resort is selected using the ip default−network command.The default route announced using the ip default−network command is not propagated by Open Shortest Path First (OSPF).ip route 0.0.0.0 0.0.0.0Creating a static route to network 0.0.0.0 0.0.0.0 is another way to set the gateway of last resort on a router.As with the ip default−network command, using the static route to 0.0.0.0 is not dependent on any routing protocols. However, ip routing must be enabled on the router.
ARP- IP to MACRARP-In reverse.
You can learn about a network’s topology by using the following commands: telnet show cdp neighbor show cdp neighbor detail
One of the following two situations may cause you to configure IP for your switch: Network management To employ VLAN
Which of the following connectivity utilities use ICMP messages for troubleshooting the connection? (Choose all that reply)Ans: A, CA. PingB. TelnetC. TraceD. Show version
Which of the following information is not visible after you issue a ping?Ans: DA. Quantity of ICMP packets sentB. Timeout durationC. Success rateD. MAC addressE. None of the above
If the configuration register is set to 0x2102, where will the system look for boot instruction?Ans: BA. FlashB. NVRAMC. RAMD. ROME. None of the above
Which of the following is the first step in the router boot process?Ans: DA. Locate and load Cisco IOSB. Load bootstrapC. Locate and load router configuration fileD. POST
The Line Login Command¶In line configuration mode, there is a command named " login". For example: Router(config)# line console 0Router(config-line)# login...
CCENT Page 72
...
"login" - Authenticate using the password specified in line configuration mode, and don't have any username. Compatible with Console and Telnet. Incompatible with SSH.
•
"login local" - Authenticate using the locally-configured username + password list. Compatible with Console, Telnet, and SSH.
•
"login authentication default" - Authenticate using "Authentication, Authorization, and Accounting" (AAA) default method list. Can contact an external RADIUS server to verify authentication.
•
This command is applicable to Telnet, SSH, and Console. There are different forms of the command, meanings as follows:
The "login" form of the command (with no other parameters) requires you next use the "password" command (also in line config mode). For example: Router(config)# line console 0Router(config-line)# loginRouter(config-line)# password ciscoThe "login local" form of the command requires you use the "username ... password ..." command (in global config mode). The following example configures the Console, Telnet, and SSH to all use the same locally-configured username + password list. Router(config)# line console 0Router(config-line)# login localRouter(config-line)# exitRouter(config)# line vty 0 15Router(config-line)# login localRouter(config-line)# transport input allRouter(config-line)# exitRouter(config)# username tom password tpassRouter(config)# username dick password dpassRouter(config)# username harry password hpass
Pasted from <http://www.inferic.com/wiki/TelecomEng.Cisco-IOS-Commands.ashx>
The Line Login Command¶In line configuration mode, there is a command named " login". For example: Router(config)# line console 0Router(config-line)# login...
"login" - Authenticate using the password specified in line configuration mode, and don't have any username. Compatible with Console and Telnet. Incompatible with SSH.
•
"login local" - Authenticate using the locally-configured username + password list. Compatible with Console, Telnet, and SSH.
•
"login authentication default" - Authenticate using "Authentication, Authorization, and Accounting" (AAA) default method list. Can contact an external RADIUS server to verify authentication.
•
This command is applicable to Telnet, SSH, and Console. There are different forms of the command, meanings as follows:
The "login" form of the command (with no other parameters) requires you next use the "password" command (also in line config mode). For example: Router(config)# line console 0Router(config-line)# loginRouter(config-line)# password ciscoThe "login local" form of the command requires you use the "username ... password ..." command (in global config mode). The following example configures the Console, Telnet, and SSH to all use the same locally-configured username + password list. Router(config)# line console 0Router(config-line)# login localRouter(config-line)# exitRouter(config)# line vty 0 15Router(config-line)# login localRouter(config-line)# transport input allRouter(config-line)# exitRouter(config)# username tom password tpassRouter(config)# username dick password dpassRouter(config)# username harry password hpass
/16networkthen allocate 5 subnets from this, each /26.How many /26 subnets remaining?
8 . 8. 0. 0/16
CCENT Page 73
8 . 8. 0. 0/168 . 8. 8. 2/6 (2 ^ 10 bits) subnets - 5 subnets= 1024-5=101926-16=10 2^ 10= 1024
/24 subnets being allocated from a /16 parent network.24-16=8 bits2^8=256 subnets256 subnets - 8 subnets were required for the diagram = 248 remaining subnets
CCENT Page 74
Name Max Bandwidth(data speed) Frequency MIMO(Multiple In and Multiple Out)
IEEE 802.11a 54 Mbit/s (OFDM) 5 GHz(U-N11 band) No
IEEE 802.11b 11 Mbit/s DSS 2.4 GHz(ISM band) No
IEEE 802.11g 54 Mbit/s (OFDM) 2.4 GHz(ISM band) No
IEEE 802.11n 54-600 Mbit/s (5 GHz or2.4GHz) Yes
IEEE 802.11c Bridge operation procedures; included in the IEEE 802.1D standard
IEEE 802.11i Enhanced security WPA2
IEEE 802.11n Higher throughput improvements using MIMO (multiple input, multiple output antennas)
Yes
IEEE 802.11r Fast roaming
IEEE 802.11s ESS Extended Service Set Mesh Networking
The bandwidth is the same rate in 802.11a and 802.11g. The 802.11n is the maximum bandwidth among them. On the other hand , the 802.11b is the lowest bandwidth among them.The frequency is the same range in 802.11a and 802.11n.The frequency is the same range in 802.11b and 802.11gThe problem with 802.11b lies in how the Data Link layer is dealt with. In order to solve problems in the RF spectrum, a typeof Ethernet collision detection was created called CSMA/CA, Carrier Sense Multiple Access with Collision Avoidance.
CSMA/CA is also called a Request-to-Send, Clear-to-Send (RTS/CTS) because of the way that hosts must communicate to the access point (AP). With every packet sent, an RTS/CTS and acknowledgment must be received, and because of this rather cumbersome process, it’s kind of hard to believe it all actually works!
802.11b uses a modulation technique called Direct Sequence Spread Spectrum (DSSS) that’s just not as robust as the Orthogonal Frequency Division Multiplexing (OFDM) modulation used by both 802.11g and 802.11a. 802.11g clients using OFDM enjoy much better performance at the same ranges as 802.11b clients do, but when 802.11g clients are operating at the 802.11b rates (11Mbps, 5.5Mbps, 2Mbps, and 1Mbps), they’re actually using the same modulation 802.11b does.
To configure the SSID network ID name on Wireless network, we must enter on the(config-if) mode. Because we must issue the interface Dot11 Radio interface command on the configuration interface mode.
The IEEE 802.3 for Ethernet LAN and the IEEE 802.11 for WLAN have headers and tailers .Both headers including Source
Wireless NetworkMonday, 29 November 20104:46 PM
CCENT Page 75
WEP(Wired Equivalent Privacy) is the weakest for the Wireless Security.With open authentication, even if a client can complete authentication and associate with anaccess point, the use of WEP prevents the client from sending and receiving data from the accesspoint unless the client has the correct WEP key. Disadvantages:When static WEP keys are used, a network administrator must perform the time-consuming task of entering the same keys on every device in the WLAN.
Wi-Fi Protected Access (WPA) is a standard developed in 2003 by the Wi-Fi Alliance, formerly known as WECA. WPA provides a standard for authentication and encryption of WLANs that’s intended to solve known security problems.
WPA2 means Wi-fi Protected Access 2 supports Advanced Encryption Standard Counter Mode. So, It is the best security and it is more advanced than WPA.The PSK verifies users via a password or identifying code (also called a passphrase) on boththe client machine and the access point. A client only gains access to the network if its passwordmatches the access point's password. The PSK also provides keying material that TKIPor AES uses to generate an encryption key for each packet of transmitted data.
Which of the following WLAN security standard for IEEE standard?The standard is IEEE 802.11 i. The Wifi alliance defined the term WPA2 to refer to that same standard.
Two types of authentication were specified by the IEEE 802.11 committee: open authentication and shared-key authentication. Open authentication involves little more than supplying the correct SSID—but it’s the most common method in use today.
With shared-key authentication, the access point sends the client device a challenge-text packet that the client must then encrypt with the correct Wired Equivalency Protocol (WEP) key and return to the access point.Without the correct key, authentication fails and the client won’t be allowed to associate with the access point. But shared-key authentication is still not considered secure because all an intruder has to do to get around this is detect both the clear-text challenge and the same challenge encrypted with a WEP key and then decipher the WEP key. Surprise—shared key isn’t used in today’s WLANs because of clear-text challenge.
IBSS mean Independent Basic Service Set. It doesn't have Access point.•
ADHOC-Individual wireless devices communicate directly in ad-hoc mode. •
BSS is one access point at home with one SSID.•
ESS is creating an Extended Service Set(ESS). Mobile Wireless clients can roam within the same network if you set all your access points to the same Service Set ID(SSID).
•
The IEEE 802.3 for Ethernet LAN and the IEEE 802.11 for WLAN have headers and tailers .Both headers including Source and destination address (6 bytes).
CCENT Page 76
Standard Key distribution
Device authentication
User Authentication
Encryption
WEP Static Yes (weak) NO Yes weak
Cisco Dynamic Yes Yes(802.1x) Yes (TKIP)
WPA Both Yes Yes(802.1x) Yes (TKIP)
802.11i WPA2
Both Yes Yes(802.11i) Yes(AES)
CCENT Page 77
Which of the following security features were not in the original WEP security standard but are not in the original WEP standard?Dynamic key exchangePre-shared keysAES encryption.
CCENT Page 78
What is spanning protocol?Determine the root bridge, set the forwarding state. RB,RP,DP,Block•Each bridge determine the root port.•Bridges determine the designated port for each LAN segment.•All other ports are in block stage.•
Switches :Quality of service The 3-bit precedence allows 8 priority levels. The ToS bits are D-min delay-max throughput, R-max reliability, C-min cost.The packet delay through switch fabric consists of time (1) for forwarding decision, and (2) to transfer packet across switch.Packet delay through processor consists of time (1) for policing decision, (2) forwarding decision,(3) to transfer across switch, and (4) for output scheduling decision
BlockingThe switch will *not* forward data frames out this port. Just listens to BDUs.The purpose of blocking state is to prevent the use of looped paths. All ports are in the blocking state by default when the switch is powered up.ListeningThe port listens to BPDUs and learns all the paths in the switched network.The switch is receiving and processing BPDUs but not learning MAC addresses, and not sending data frames.LearningThe switch is receiving BPDUs and populating the MAC address table, but is not sending data frames.Forward delay means the time it takes to transition a port from listening to learning mode, which is set to 15 seconds by default and can be seen in the show spanning tree output.ForwardingThe port sends and receives all data frames on the bridged port .If the port is still a designated port or rort port at the e nd of learning state and the switch will forward data/frames out this port.DisabledPort is administratively shutdown ("shutdown" command was used).Discarding(a RSTP state)
To provide path redundancy, Spanning-Tree Protocol defines a tree that spans all switches in an extended network. Spanning-Tree Protocol forces certain redundant data paths into a standby (blocked) state. If one network segment in the Spanning-Tree Protocol becomes unreachable, or if Spanning-Tree Protocol costs change, the spanning-tree algorithm reconfigures the spanning-tree topology and re-establishes the link by activating the standby path.The spanning tree algorithm determines the network (which computer hosts are in which segment) and this data is exchanged using Bridge Protocol Data Units (BPDUs).A BPDU exchange results in the following:• One switch is elected as the root switch.• The shortest distance to the root switch is calculated for each switch.• A designated switch is selected. This is the switch closest to the root switch through which frames will be forwarded to the root.• A port for each switch is selected. This is the port providing the best path from the switch to the root switch.• Ports included in the Spanning-Tree Protocol are selected.
It is broken down into two steps:
Step 1: The algorithm determines the best message a bridge can send by evaluating the
configuration messages it has received and choosing the best option.
Step 2: Once it selects the top message for a particular bridge to send, it compares its choice with
possible configuration messages from the non-root-connections it has. If the best option from step
1 isn't better than what it receives from the non-root-connections, it will prune that port.
Protocol ID - Always 0.
Version - Always 0. •
Type - Determines which of the two BPDU formats this frame contains (Configuration BPDU or TCN
spanningprotocol
Spanning Tree ProtocolWednesday, 16 March 20111:42 PM
CCENT Page 79
Type - Determines which of the two BPDU formats this frame contains (Configuration BPDU or TCN
BPDU).
•
Flags - Used to handle changes in the active topology and is covered in the next section on
Topology Change Notifications.
•
Root BID - Contains the Bridge ID of the Root Bridge. After convergence, all Configuration BPDUs
in the bridged network should contain the same value for this field (for a single VLAN). NetXRay
breaks out the two BID subfields: Bridge Priority and bridge MAC address.
•
Root Path Cost - The cumulative cost of all links leading to the Root Bridge. •
Sender BID - The BID of the bridge that created the current BPDU. This field is the same for all
BPDUs sent by a single switch (for a single VLAN), but it differs between switches.
•
Port ID - Contains a unique value for every port. Port 1/1 contains the value 0x8001, whereas Port
1/2 contains 0x8002.
•
Message Age - Records the time since the Root Bridge originally generated the information that the
current BPDU is derived from.
•
Max Age - Maximum time that a BPDU is saved. Also influences the bridge table aging timer during
the Topology Change Notification process (discussed later).
•
Hello Time - Time between periodic Configuration BPDUs. •
Forward Delay - The time spent in the Listening and Learning states. Also influences timers during
the Topology Change Notification process
•
Each port on a switch using Spanning-Tree Protocol exists in one of the following fivestates:• Blocking• Listening• Learning• Forwarding• DisabledA port moves through these five states as follows:
What is Root port?Switch ports are closet to the root bridge from switch ports.
What is designated port?
All non-root ports that are permitted to forward traffic on the network.one root port per non-root bridge
What is non-designated port?All ports configure to be in the blocking state to prevent loops.
CCENT Page 80
A port moves through these five states as follows:• From initialization to blocking• From blocking to listening or to disabled• From listening to learning or to disabled• From learning to forwarding or to disabled• From forwarding to disabledFigure C-4 illustrates how a port moves through the five states.When the spanning-tree algorithm determines that a port should be placed in the forwardingstate, the following occurs:• The port is put into the listening state while it waits for protocol information thatsuggests it should go to the blocking state.• The port waits for the expiration of a protocol timer that moves the port to the learningstate.• In the learning state, the port continues to block frame forwarding as it learns stationlocation information for the forwarding database.• The expiration of a protocol timer moves the port to the forwarding state, where bothlearning and forwarding are enabled.
The ports negotiating the trunk will not participate in spanning tree until the negotiation is complete. Recently,
IEEE 802.1Q is being implemented in networks because it is an IEEE standard, whereas ISL is proprietary to Cisco.
Blocking Listening Learning Forwarding Disabled
Receive and process BPDUs: Yes Yes Yes Yes No
Forward data frames received
on interface:
No No No Yes No
Forward data frames switched
from another interface:
No No No Yes No
Learn MAC addresses: No No Yes Yes No
Hello Time Determines how often the switch broadcasts its hello message to otherSwitches. The time between each BDU frame that is sent on a port .(2 second by default).
Maximum Age Timer Measures the age of the received protocol information recorded for a port and ensures that this information is discarded when its age limit exceeds the value to the maximum age parameter recorded by the switch. The timeout value for this timer is the maximum age parameter of the switches.( between 6 and 40 seconds).(20 second by default).
Forward Delay Timer Monitors the time spent by a port in the learning and listening states.The timeout value is the forward delay parameter of the switches.(15 seconds)
Which two items are true regarding the spanning port fast command?Port fast is cisco propriety•
If an access port is configured with Port Fast, it immediately transitions from a blocking to a forwarding state.•
What is a port fast?Port fast should only be enabled to a single host. Connecting hubs, concentrators, switches ,bridges etc. It can cause temporary bridging loops. It will only effect on when the interface is in a non-trunking mode.
CCENT Page 81
temporary bridging loops. It will only effect on when the interface is in a non-trunking mode.S2(config-if) #spanning-tree port fast
What is RSTP?Rapid Spanning Tree Protocol. It action take immediately…..no do listening and learning to forward the packet than STP.
IPVSTUse Cisco proprietary ISL trunking protocolAbility to do load balance at layer 2Each Vlan has a separated spanning tree.Include extension Backbone Fast, Uplink Fast, Port Fast
immediately loses its edge status
becomes a normal spanning-tree port
16. What three link types have been defined for Rapid Spanning-Tree Protocol? (Choose three.)
Three link types have been defined for RSTP:
Shared
Edge-Type
Point-to-Point
. Which two actions does an RSTP edge port take if it receives a BPDU? (Choose two.)
CCENT Page 82
CCENT Page 83
CCENT Page 84
CCENT Page 85
The scenario of STP:The port cost associated with each switch port? The port cost is for communication between the switch port and the root port. This is true whether it is a financial cost, as in your long-distance telephone calls,
or a logical cost, as in how fast (maximum bandwidth) each network segment is that the frame must cross
on its way from source to destination.
•
A path cost value is given to each port. The cost is typically based on a guideline established as part of
802.1d. According to the original specification, cost is 1,000 Mbps (1 gigabit per second) divided by the
bandwidth of the segment connected to the port. Therefore, a 10 Mbps connection would have a cost of
(1,000/10) 100.
To compensate for the speed of networks increasing beyond the gigabit range, the standard cost has been
slightly modified. The new cost values are:
•
Bandwidth STP Port Cost Value
4 Mbps 250
10 Mbps 100
16 Mbps 62
45 Mbps 39
100 Mbps 19
155 Mbps 14
622 Mbps 6
1 Gbps 4
10 Gbps 2
One BPDU is superior to another if it has a lower
Root bridge ID•Path cost to the root•Sending bridge ID•Sending port ID•Each switch originates, but does not forward, configuration BPDUs that are used to compute the spanning-tree topology. The BPDU frame is sent across the LAN, and all connected bridges and switches receive this
BPDU. The receiving switch uses the information in the BPDU to determine changes in the network
topology. If there is a change, the receiving switch sends a new BPDU across all attached network
segments.
BPDUs contain information about the sending switch and its ports, including the following:
Switch and port MAC address? This is the MAC address of each switch and bridge port that is part of the tree.
•
Switch and port priority? When switches and bridges are running the STP, each has a bridge or switch port priority associated with it. By default, all STP switches are configured with a bridge priority value of
32,768. After the exchange of BPDUs, the switch with the lowest priority value becomes the root bridge.
•
Port cost? Cost is determined according to the speeds that the ports support; the faster the port, the lower the port cost. Switches use port costs in determining the root port for each and every switch. This
determines how far away the root bridge is. For example, if the data has to travel over three 100-Mbps
segments to reach the root bridge, then the cost is (19 + 19 + 0) 38. The segment attached to the root
bridge will normally have a path cost of zero.
•
The exchange of BPDUs results in the following:
One bridge or switch port is elected as the root bridge/switch port. This election is similar to a bunch of switches going to a voting booth and choosing their favourite switch. The BPDUs are used as a voter
information guide, or ballot, to select the correct candidate. The purpose of this election is to determine
which switch has the lowest identifier.
•
The shortest distance to the root switch is calculated for each switch. Recall that the shortest distance between two points is a straight line, and the exchange of these BPDUs determines the direction of the
straight line between bridge/switch ports.
•
A designated switch is selected. This designated switch is the closest switch to the root switch through which frames will be forwarded to the root. There is only one designated switch per segment or VLAN.
•
A designated port for each switch is selected, providing the best path to the root switch. Every LAN segment needs to know which switch is its entry/exit point to the rest of the network; otherwise, frames
would wander aimlessly around the same network segment, never getting anywhere.
•
Ports included in the STP are selected. Because all ports might not be part of the spanning tree, the exchange of BPDUs determines which ports have an invitation to the spanning tree (forwarding) and
which ports do not. (Those that don't are disabled.) If STP is not running on some ports or switches, loops
can occur on those non-STP ports, which then circumvent the STP blocks.
•
Pasted from <http://etutorials.org/Networking/Lan+switching+first-step/Chapter+7.+Spanning+Tree+Protocol+STP/Root+Bridge+or+Switch+Port/>
802.1Dis a standard for STP protocol. It's working on layer 2 OSI model
CCENT Page 86
Path cost is the sum of total costs of port cost .Port cost is the cost between the individual ports .
CCENT Page 87
Protocol Port TCP/UDP Description
FTP 20 TCP FTP data port.
FTP 21 TCP FTP control port (21 is the primary port for FTP).
SSH 22 TCP Secure Shell.
Telnet 23 TCP Telnet.
SMTP 25 TCP Simple Mail Transfer Protocol. To send and transfer emails.
DNS 53 Both Domain Name System.(Mostly, DNS uses UDP.)
HTTP 80 TCP Hypertext Transfer Protocol.
HTTPS 443 TCP Hypertext Transfer Protocol Secure.
POP3 110 TCP Post Office Protocol (retrieve contents of mailbox).
ICMP- Source Quench, Destination unreachable ,Redirect , and Echo.International Classed mango produced in South Queensland, Destinationunreachable to go so far so to Redirect and after to Exchange with the Oak.
Free 3=2+1SSH =Shwe sin at home = 2+2Telnet extra= 22+1=23SMTP=Shwesin Main Family plus 5= 2+ 5DNS= 53HTTP=80HTTPS=443POP3= 110
Size of IPv4 address = 32 bits = 4 bytes1 byte= 8 bits, 4 bytes * 8 = 32 bits32 bits /8= 4 bytes,
8 8 8 8
So, if the subnet mask is /0 , thenLeft side = 0 bitsRight side = 32 - 0 = 32 bitsthe right size is 32 bits=2 ^32 = ~4.2 billion IP addresses.
Another example,So, if the subnet mask is /18 , thenLeft side = 18 bitsRight side =32 -18 = 14 bitsthe right size is 14 bits= 2 ^14=16,384 IP addresses.If u want to find the number of host addresses = 16384-2=16382 host addresses.
2^8=256 2^9=5122^10=1,0242^11=2,0482^12=4,0962^13=8,1922^14=16,3842^15=32,7682^16=65,5362^17=131,0722^18=262,1442^19=524,2882^20=1,048,576----------------------------------------2^32=4,294,967,296
TCP and UDP port numbers
128/32 = seem look like four times bigger than IPv4 address
2^(32*4) = 2^128
Port noMonday, 29 November 20108:41 PM
CCENT Page 88
TCP and UDP port numbersSize = 16 bits = 2 bytesCount of different port numbers = 2^16=65,536 portsMinimum number = 0Maximum port number = 65,536-1=65,535 Well-known port= ( 0 to 1023)Dynamic or private ports = (49152 t0 655535)"Well-known ports" are those from 0 to 1023 (less than 1024). Dynamic or private ports are from 49152 to 65535.
4,294,967,296 bits = 4,294,967,296/ 10^9 =4.2 Gigabits4,294,967,296 Bytes = 4,294,967,296/2^30=4.0 GigaBytes
Normal scale for kilo etc:
10^3=kilo=thousand 10^-3=milli
10^6=Mega=million 10^-6=micro
10^9=Giga=billion 10^-9=nano
10^12=Tera=trillion 10^-12=Pico
Bytes are based on powers of 2 not 10, so:
2^10 bytes = 1 kiloByte
2^20 bytes = 1 MegaByte
2^30 bytes =1 GigaByte
2^40 bytes = 1 TeraByte
2^10=1,024 2^20=1,048,576 1024*1024=1,048,576 2^30=1,073,741,824 1024 * 1024 * 1024 = 1,073,741,8242^40 = 1,099,511,627,7761024 * 1024 * 1024 * 1024 = 1,099,511,627,776
128/32 = seem look like four times bigger than IPv4 address
2^(32*4) = 2^128(2^32)*4 != 2^128
CCENT Page 89
Flow control method contains windowing, buffering and sending source-quench message.
Data is checked for the error by calculating CRC(Cyclic Redundancy Check).
CRC works with the same principles as checksum. Example:
At sender4,65,4,8,2Checksum=83At the receiver3,65,9,8,2Checksum=83Checksum calculated for second time = 87So 83 does not equal 87, therefore the packet must be damaged.
Flow control and error checkingMonday, 29 November 20109:01 PM
CCENT Page 90
CDP neighbour command show the directly connected cisco devices. CDP doesn't show the host address because computers are not cisco devices.
#show cdp neighbors :summary line of each neighbors and their interface device.#show cdp neighbors details: all neighbors ' devices information such as IP Address, their Device Model and Type and outgoing port (other directly connected ports and local device ports)#show cdp entry: It's the details of specific device by the name of device, not all neighbors 'devices
CDPMonday, 29 November 20109:23 PM
CCENT Page 91
The running copy of IOS software is stored in DRAM.The non-running IOS is stored in Flash.
networking > docs > cisco router boot sequence
Booting up the Router
Cisco routers can boot Cisco IOS software from
these locations:
1. Flash memory FTR
2. TFTP server
3. ROM (not full Cisco IOS)
Multiple source options provide flexibility and fall back
alternatives
Locating the Cisco IOS Software
Default boot sequence for Cisco IOS software:
1. NVRAM NFTR
2. Flash (sequential)
3. TFTP server (network boot)
4. ROM (partial IOS)
Note: boot system commands can be used to specify
the primary IOS source and fall back sequences.
Booting up the router and locating the Cisco IOS
1. POST (power on self test) PBC
2. Bootstrap code executed
3. Check Configuration Register value (NVRAM) which
can be modified using the config-register command
0 = ROM Monitor mode
1 = ROM IOS
2 - 15 = startup-config in NVRAM
4. Startup-config file: Check for boot system
commands (NVRAM)
If boot system commands in startup-config
a. Run boot system commands in order they appear in startup-config to locate the IOS
b. [If boot system commands fail, use default fallback sequence to locate the IOS (Flash, TFTP, ROM)?]
If no boot system commands in startup-config use the default fallback sequence in locating the IOS:
a. Flash (sequential) b. TFTP server (netboot)
c. ROM (partial IOS) or keep retrying TFTP depending
upon router model
5. If IOS is loaded, but there is no startup-config file,
the router will use the default fallback sequence for
locating the IOS and then it will enter setup mode or
the setup dialogue.
6. If no IOS can be loaded, the router will get the
partial IOS version from ROM
==================================
=================================
Memory ChartMonday, 29 November 201010:29 PM
CCENT Page 92
Default (normal) Boot Sequence
Power on Router - Router does POST - Bootstrap starts
IOS load - Check configuration register
to see what mode the router should boot up in (usually
0x102 to 0x10F to look in NVRAM) - check the startup-
config file in NVRAM for boot-system commands
(normally there aren't any) - load IOS from Flash.
Boot System Commands
Router(config)# boot system flash IOS filename -
boot from FLASH memory
Router(config)# boot system tftp IOS filename tftp
server ip address - boot from a TFTP server
Router(config)# boot system rom - boot from
system ROM
Configuration Register Command
Router(config)# config-register 0x10x (where that last x is 0-F in hex)
When the last x is:
0 = boot into ROM Monitor mode1 = boot the ROM IOS
2 - 15 = look in startup config file in NVRAM
b/johnson:02
Pasted from <http://www.svrops.com/svrops/documents/ciscoboot.htm>
The Memory Location
Types of memory
The location in the inside hardware of a router.
Size The functions The advantages.and disadvantages
ROM(Read only memory)
Flash memory
Boot ROM is nearest the flash memory.
SIMM cards orPCMCIA cards near the high speed WIC
2 MB(Bytes)
32MB to 128MB
2. the Bootstrap, 3. the ROMmon,
POBO ROX 4. the Rxboot,
Holds 1. the POST(power-on self test),
1. the POST-the basic inventory and test
the bootstrap is responsible and finding2.an operation system to load. the ROMmon is the minimum command set- can be used
3.
to connect a TFTP server,•to restore a missing corrupted IOS server.• the Rxboot is a mini-IOS more familiar than RoMmon and more features, easier to use for IOS restoration from TFTP.
4.
of hardware in device.
Stores the full version of IOS image,Backup of the configuration file,
Advantages:Contents of memory (data) will not disappear when power off like a RAM
Disadvantages:No, read only. Contents/data cannot be modified after manufacture: Speed is not as well as RAM
Advantages:Flash has an enough space
CCENT Page 93
RAM(Random Access Memory)DRAM:
NVRAM(Non-volatile RAM)
the high speed WIC port.
DRAM DIMMS (primary memory)which is the nearest location of the CPU.
Near the flash memory.
128MB to 348MB
32KB(very small)
2. The Buffers, 3.The ARP cache, 4.The Running copy of IOS configuration.
Stores 1.The Routing tables, (RBAR)
Stores the startup-config/ configuration register or config file when "copy running-config startup-config"command used.From RAM, to save the current configuration file into NVRAM." --- System Configuration Dialog ---""Continue with configuration dialog? [yes/no]:"This system configuration file tell about that there is no file/empty in the NVRAM.
Flash has an enough space to store full IOS version and backups.Disadvantages:Slower than the RAM, because it's far from CPUunlike RAM.Advantages:Very Fast Volatile memory and can learn dynamically all information.Disadvantages:Contents of memory (data) will disappear when power off .
Advantages:Contents of memory (data) will not disappear when power off like a RAM memory.Disadvantages:Very small space unlike a Flash memory and not fast to learn like a RAM memory.
The Boot sequences of IOS
Run The POST/Bootstrap.(RFL- FL)…...Po, Bo, IOS , RAM CONFIG to RAM.1.Find the IOS.(the bootstrap) 2.Load the IOS to RAM.3.Find the configuration register file.4.Load the configuration to RAM.5.
RUN the POST:1.The bootstrap check the stratup-config file in NVRAM.IF there is a save previous running copy of current configuration file from RAM into NVRAM, again copy into RAM. Run from RAM .If NVRAM is empty in boot system command,
2.
It's directly go to the" --- System Configuration Dialog ---" "Continue with configuration dialog? [yes/no]:no"
Find the IOS in Flash and load in the RAM because the fastest RAM to load the system configuration.3.If there is no usable IOS in Flash, finding the IOS in TFTP server where we can download and use. So, to upgrade the IOS in flash, The ROMmon fuction starts helping: Firstly, save the IOS from Flash to TFTP ,download the new version of IOS from TFTP file and copy the IOS form TFTP to Flash.
4.
Router>enablea. 1. Backup image to TFTP server:
CCENT Page 94
Router>enablea.Router#copy flash:{your IOS image filename} tftp://{TFTP server IP address}b.
Router>enablea.Router#copy tftp://{TFTP server IP address} flash:b.
2. Download image from TFTP server:
5. If the ROMmon fail ,the router will load the Rxboot mini-IOS which is some feature of full valid IOS. It's easier to use for IOS restoration from TFTP and allow to connect the TFTP server and to download the original valid IOS image to flash. Load the configuration file from TFTP/Flash into RAM.
Note that mostly, the IOS image is decompressed and copied to RAM and then ,to run from RAM.Similarly, the startup-config is copied from NVRAM : into RAM: and run from RAM.
The default value of the "configuration register" is 0x2102. The last hex digit (last 4 bits) can be changed to modify the boot behavior:
0x2100 = Always Boot into ROMMON OS for repairing the router (to remember: "ROMMON" contains two letter "O" and "O" looks like zero)." reset" command is only valid for ROMMON mode.Router1# reset
To enter the following command at the global configuration prompt, if a router cannot find an IOS image during the boot process .Router#config tEnter configuration commands, one per line. End with CNTL/Z.Router(config)#config-register 0x2100Router(config)#endRouter#
0x2101 = Use smaller IOS image file (RXBOOT) found in Flash (to remember: 1 is like first).Reload command should issue from privileged mode to complete the update the IOS from the TFTP :Router1(config)#boot system flash:c2600-p-1.1130.11bin.Router1# reload
0x2102 = (Default) Use boot commands in NVRAM.
0x2142= tells the router to ignore NVRAM.
"show version" command can show the current configuration register file, IOS version, the amount of memory installed.To change the config register setting, should issue the config-registerOX….value command .OX value means the hexadecimal value.
What is usually stored in NVRAM? (Choose all that reply)Ans: A, DA. Configuration registerB. Backup copy of IOSC. Limited version of IOSD. Configuration file
Which command could you use to backup the IOSto a TFTP server?Ans: BA. copy fttp IOSB. copy flash tftpC. copy rom tftpD. copy run tftpE. None of the aboveNVRAM and flash memory used for storing the ROMMON boot code as well as NVRAM data.
CCENT Page 95
ITE PC v4.0Chapter 1 12© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public
Router components
CCENT Page 96
CCENT Page 97
CCENT Page 98
Router Light situation on system or port status.System statusA system LED off show system no power up.An amber Light LED on the system power shows a failure during on the power on self-test.A solid green system LED show s the switch is power on and functioning properly.
Port-statusPort Status LED off show no link. May be wrong cable type or cable improperly connected or damaged cable. Port Status LED Solid Amber Port is not forwarding. Port is shutdown (administratively down) or an address violation (port security) or was blocked by Spanning Tree Protocol (STP). If initially amber then turns green, STP was in progress. Port Status LED Solid Green Link present.Port Status LED Flashing Green Link present, and there is activity (port is transmitting or receiving data.Port Status LED Alternating Green-Amber show link fault, frex excessive collisions or CRC errors.
Port Duplex LED Off Port is operating in half duplex. Port Duplex LED Green Port is operating in full duplex.
Four wired circuit, a line from teleco with four wire , composed of two twisted pair wired ,each pair is used to send in one direction, so four wired circuit allow full duplex connection.
Ethernet -AUI- (Eating Australia 's Ice-cream)T1-Serial - SITConsole-Rollover-Come RolloverAUX-Modem ( AU-Oxford - Modern)BRI-ISDN (Bridge in Island)
Router's port or physical architectureMonday, 29 November 201010:59 PM
CCENT Page 99
CCENT Page 100
Testing purpose mean 127.0.0.1/8 which is called loop back address.Private addresses are
192.168.0.0/16 meaning 192.168.0.0 to 192.168.255.255
10.0.0.0/8 meaning 10.0.0.0 to 10.255.255.255
172.16.0.0 /12 meaning 172.16.0.0 to 172.31.255.255
Multicast address: 224.0.0.0/4 meaning 224.0.0.0 to 239.255.255.255
Class A Network -- binary address start with 0, therefore the decimal number can be anywhere from 1 to 126. The first 8 bits (the first octet) identify the network and the remaining 24 bits indicate the host within the network. An example of a Class A IP address is 102.168.212.226, where "102" identifies the network and "168.212.226" identifies the host on that network
The first two bits of the first octet are “10”. The remaining bits can be any combination of ones and zeroes. This is normally represented as “10xx xxxx” (shown as two groups of four for readability.) Thus, the binary range for the first octet can be from “1000 0000” to “1011 1111”. This is 128 to 191 in decimal. So, in the “classful” scheme, any IP address whose first octet is from 128 to 191 (inclusive) is a class B address.
IP Address Class
First Octet of
IP Address
Lowest Value of
First Octet (binary)
Highest Value of
First Octet (binary)
Range of First Octet
Values (decimal)
Octets in Network ID /
Host ID
Theoretical IP Address Range
Class A
0xxx xxxx 0000 0001 0111 1110 1 to 126 1 / 3 1.0.0.0 to 126.255.255.255
Class B
10xx xxxx 1000 0000 1011 1111 128 to 191 2 / 2 128.0.0.0 to
Be careful types of subnet addressTuesday, 30 November 20106:29 PM
CCENT Page 101
B10xx xxxx 1000 0000 1011 1111 128 to 191 2 / 2 128.0.0.0 to
191.255.255.255Class
C110x xxxx 1100 0000 1101 1111 192 to 223 3 / 1 192.0.0.0 to
223.255.255.255Class
D1110 xxxx 1110 0000 1110 1111 224 to 239 — 224.0.0.0 to
239.255.255.255Class
E1111 xxxx 1111 0000 1111 1111 240 to 255 — 240.0.0.0 to
255.255.255.255Table 44: IP Address Class Bit Patterns, First-Octet Ranges and Address Ranges
P
CCENT Page 102
Previously, cisco solid firewalls with the trade name PIX. Currently, cisco hardware network security with the trade name ASA. It sit inside the packet forwarding path examining each packets comparing to set a rule defined by enterprise Engineer to decide which packet should be allowed or not.
Allow web clients on the inside network such as PC1 send packets to the web servers in the inside network.
•
Prevent web clients in the outside network such as PC5 form sending packets to web server in the inside network.
•
Allow web clients in the outside network such as PC5 to connect to DMZ web server.
•
Different types of attack and their purposes:Denial of Service Attack- the purpose is to break the things.•Destroyers- try to harm the hosts, erasing the data and software.Crashers- try to harm the software by causing the hosts to fail or causing the machine no longer to connect the network.Flooders- flood the network with the packets to make the network unusable, preventing any useful communication with server.
Reconnaissance Attack- may be disruptive as a side effect, the goal is gathering to perform the side effect.
•
Ping sweep-try to discover the existing hosts sequentially pinging all possible IP address.Key stroke loggers- which record the keys you press when logging into secure website.
Access Attack-attempt to steal the data for financial advantage or the competitive advantage.
•
The functions of firewall are:
SDM(Security Device Manager or FirewallTuesday, 30 November 20106:55 PM
CCENT Page 103
competitive advantage.
"Anti-X" tools to "the whole class of security tool"The primary difference between an IDS and an IPS is that .
IDS -Intrusion Detection System- is a reactive security mechanism andIntrusion Detection Systems simply detect possible intrusions and possibly notify the administrator. An IDS will attempt to attacks as they are occurring (that is, once the system has recognized that an attack is occuring) .An IDS is easier to build; for example, an IDS can reject any traffic attempting to access ‘/etc/passwd’.IDS sit outside the packet forwarding path monitoring copies of packets forwarded by switch or router monitoring port, watching for the trends in the sequences of packets with the ability to report the details of any attack
IPS-Intrusion Prevention System -is a proactive security mechanism and an IPS will attempt to determine or attack /block whether incoming traffic is ‘probably’ malicious before it is received by the intended recipient. An IPS *can* be more effective; for example, an IPS can categorize traffic (in real-time) and determine whether its malicious or not, and before it received by the intended recipient. IPS is siting in the packet forwarding path, but also to react and filters the network.
Some people criticize that IPS has an inherent problem of automatic response to suspicious attack signals. This automatic response action can in turn be used by hackers to trigger incorrect but damaging action by the IPS.
For example, it can initiate an IPS to stop the connection of an active and normal port in a network hub by sending some traffic pattern that triggers the IPS’s monitoring system to response by shutting down the port. But actually, the port is running normally and the hacker simply wants the IPS to do this to achieve Denial of Service (DOS) attack to that port.Snort and Cisco PIX can do these types of things, to name a few
These security tool are working in the following type of field.
Network-based
Network Behavior analysis
Wireless
Host-basedWithout VPN technology, sending the packets between the two devices over the internet are unsecure coherently.An access VPN-support home or office user.Site to site VPN- connects two site of the same Enterprise.
CCENT Page 104
DHCP Messages to acquired an IP address
Client- DHCP discover Message to the broadcast address.1.Server-DHCP offer Message directly to the client.2.Client- DHCP Request Message directly to the server.3.Server- DHCP Acknowledgment directly to the client.4.
My note: In this case, there is two different port to lease as HTTP sever which is put as the entry of NAT table, another one is as DNS server which is put as the entry of the DHCP table so that the router1 DHCP address pool does not contain both two address.
DHCPTuesday, 30 November 20107:08 PM
CCENT Page 105
Router(config)# ip dhcp excluded-address 192.168.66.1 192.168.66.199Router(config)# ip dhcp excluded-address 192.168.66.241 192.168.66.255Router(config)# service dhcpRouter(dhcp-config)# ip dhcp pool SubnetAPoolRouter(dhcp-config)# network 192.168.66.0 255.255.255.0Router(dhcp-config)# lease 1 0 0 Router(dhcp-config)# default-router 192.168.66.1Router(dhcp-config)# dns-server 192.168.66.5 192.168.66.6Router(dhcp-config)# domain-name contoso.comRouter(dhcp-config)# exit
Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10Router(config)#do show ip dhcp bindingIP address Client-ID/ Lease expiration Type Hardware address192.168.1.2 0001.4286.A521 -- Automatic192.168.1.3 00E0.B018.C155 -- Automatic192.168.1.4 0003.E476.A17B -- Automatic192.168.1.5 0060.7076.0993 -- AutomaticRouter(config)#
You must enter "ip dhcp excluded-address" command first, before the other commands.
Note :there is two services: One is the local DHCP server service which can release and reacquire an IP address from Router .On the other hand, the ISP use NAT translation to acquire the public address ,by acting a DHCP client.
1.It must have a config mode when DHCP service on.2.Acronym:IP Diplohigher posapol ip dhcp pool subnetapool3.network (local network)4.lease 1 0 05.default- router ………..6.dns- server ……………7.domain-name …..com8.exit.
CCENT Page 106
commands.If you fail to do it ,The DHCP server start using the excluded address to assign on all PCS.
PC>ipconfig /release (from PC command)
IP Address......................: 0.0.0.0Subnet Mask.....................: 0.0.0.0Default Gateway.................: 0.0.0.0DNS Server......................: 0.0.0.0
PC>ipconfig /renew
IP Address......................: 192.168.1.15Subnet Mask.....................: 255.255.255.0Default Gateway.................: 192.168.1.1DNS Server......................: 0.0.0.0
Dns-server 10.1.1.1 command configure DHCP client for host name to IP add(DNS resolution) to use in the DHCP server at 10.1.1.1 as the dns server.Not the real DNS in the whole routing process. If you want to do DNS server for the router, you can use" Router1(config)#ip name server 10.1.1.1 "command.
CCENT Page 107
Static NAT mean an unregistered IP add to a registered IP add .One to one basisDynamic NAT mean an unregistered IP add to a registered IP add from a group of registered IP add(Pool).
Inside Local mean the local address or private address in the local network/Inside network.Outside local mean the subnet address from host PC to directly connected router in the inside network.
Inside global mean the subnet address from Fa0/1(which is connected with the ISP) to the Internet.especially work in the outside network.
Outside global mean the subnet which has one of subnet from a group of registered IP add.especially work in the outside network.
for example,Inside Network--------------Inside Network-----------------Outside Network--------Outside Network
Source Destination(Router Fa0/0) Source(fa0/1) Destination( Internet)192.168.1.22 192.168.1.30 22.23.24.25 15.16.17.18
one of add form a group of registered add by host owner
By the DHCP works, Dynamic NAT translation.
(Inside local) (Outside Local) (Inside global) (outside global)
In the reverse translation from ISP to customer's PC,Source Destination(Router Fao/o) Source(fao/1) Destination( Internet)192.168.1.22 192.168.1.30 22.23.24.25 15.16.17.18(outside local) (inside local) (Outside global) (inside global)
My NAT An PAT translation topicsTuesday, 30 November 201011:56 PM
CCENT Page 108
NAT /PATNAT mean Net address translation.PAT mean Port address translation.
What is meant by the term NAT overloading; is this PAT?
A. Yes. NAT overloading is PAT, which involves using a pool with a range of one or more addresses or using an interface IP address in combination with the port. When you overload, you create a fully extended translation. This is a translation table entry containing IP address and source/destination port information, which is commonly called PAT or overloading.
PAT (or overloading) is a feature of Cisco IOS NAT that is used to translate internal (inside local) private addresses to one or more outside (inside global, usually registered) IP addresses. Unique source port numbers on each translation are used to distinguish between the conversations.
Cisco IOS NAT supports Cisco Express Forwarding switching, fast switching, and process switching. The NAT session limit is bounded by the amount of available DRAM in the router. Each NAT translation consumes about 312 bytes in DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) consume about 3 MB. Therefore, typical routing hardware has more than enough memory to support thousands of NAT translations.
PAT allow the local hosts to use public address while access router allow to use many hosts to one or a single registered public IP address.to tell which packets need to be sent back to which host local, the router track the IP address and port no.
Inside global
An external address that represent as the local host (Inside global).•Note: the external address is located on the outside network ,but It's not the outside host from the side of customer.
The NAT translates the local address of PCs to the global address in the internet..(Inside global).
•
Represent the internal host to an external network.(Inside global)•
Inside global from PC
The ISP provide the PCS by one of ISP's Inside global address, It's given to the PC as the PC's global address.(choose two).
•
Outside global from PC Inside Local from ISP Outside global from ISP.Ans: Outside global from ISP. Inside global from PC.
Outside global
The external address that represent as the outside host. (outside global)•Represent the external host to the external network.(outside global)•
CCENT Page 109
Represent the external host to the external network.(outside global)•
Outside local
An external host that can only present in the internal network.( Outside local).
•
An Internal address that can represent as an external host.(Outside local)•Note: An internal address is located in the internal network But It's not the local host of computer. It's the address of Fa0/0 Router's address as a Pc's external host.So, It can define as Outside local.
The NAT translates the PC's IP address from It's inside local address into it's external host in the inside network.(Outside Local)
•
Inside local
The Pcs address which is inside the local Network.(Inside local).(private address can be Inside local.
•
CCENT Page 110
PPP authentication commandThursday, 2 December 20107:06 PM
CCENT Page 111
Types of Ethernet
Speed bits/sec Command
Original Ethernet
10Mbit/s R1(config)# interface e0/0
Fast Ethernet 100Mbit/s R1(config)#interface fa0/0
Gigabit Ethernet
1,000Mbit/s R1(config)#interface gi0/0
10 Gigabit Ethernet
10,000Mbit/s
1 Terabit Ethernet(doesn't exist yet)
1000 Gbit/s or 1000,000 Mbit/s
CSMA/CD is half-duplex Ethernet and it is just for Hubs not for the switches. they must wait a random amount of time after a collision has occurred .The CSMA/CD protocol functions somewhat like a dinner party in a dark room. Everyone around the table must listen for a period of quiet before speaking (Carrier Sense). Once a space occurs everyone has an equal chance to say something (Multiple Access). If two people start talking at the same instant they detect that fact, and quit speaking (Collision Detection.) To translate this into Ethernet terms, each interface must wait until there is no signal on the channel, then it can begin transmitting. If some other interface is transmitting there will be a signal on the channel, which is called carrier. All other interfaces must wait until carrier ceases before trying to transmit, and this process is called Carrier Sense.
All Ethernet interfaces are equal in their ability to send frames onto the network. No one gets a higher priority than anyone else, and democracy reigns. This is what is meant by Multiple Access. Since signals take a finite time to travel from
Ethernet /CSMA-CDSunday, 5 December 20108:15 PM
CCENT Page 112
Multiple Access. Since signals take a finite time to travel from one end of an Ethernet system to the other, the first bits of a transmitted frame do not reach all parts of the network simultaneously. Therefore, it's possible for two interfaces to sense that the network is idle and to start transmitting their frames simultaneously. When this happens, the Ethernet system has a way to sense the "collision" of signals and to stop the transmission and resend the frames. This is called Collision Detect.
The CSMA/CD protocol is designed to provide fair access to the shared channel so that all stations get a chance to use the network. After every packet transmission all stations use the CSMA/CD protocol to determine which station gets to use the Ethernet channel next
a-full (auto-negotiated) means full duplex.a-half(auto-negotiated) means half duplex.If the speed is not known, use 10Mbps,half duplex.If the speed is somehow known to be 10 or 100Mbps,default to use half duplex.If the speed is somehow known to be 1000Mbps/1 Gbps, default to use full duplex.Ethernet interfaces using speed faster than 1 Gbps always use full duplex.
5Q- scenario: new NIC install in pc, which operates at half duplex and switch, operates at full duplex so they can not communicate what is solution.Your solution is to match up the duplex settings. Full duplex.
Ethernet frames do not have a time to live (TTL) like IP packets traversing routers
CCENT Page 113
IP packet UDP packet TCP packet
1. version , Sequence no, 1.
2. TTL , Acknowledgement no,2.
3.Protocol, Urgent pointer3.
4. header checksum, 1 check sum, Checksum4.
5.Source address, 2 Source port, Source port,5.
6. destination address,
3. destination port,
Destination port,6.
7. data size.(32 bits). 4. Data size.(32 bit)
Data size (32 bit).7.
Flow control method contains windowing, buffering and sending source-quench message.
Butterfly flow over the window to send message to source-quench.
IP PacketsSunday, 12 December 201012:15 AM
CCENT Page 114
Step1. Establish IP connectivity
Step2. Install and Access SDM.
Step3. Configure DHCP and PAT.
Step4. Plan for DHCP services
Step5. Configure the DHCP server.
Instead of using telnet and ssh,the user connect to the router using the web browser. Including, DHCP clients for customers, DHCP server functions enable on the local interface. Pat function enable also.
SDM configure interface and connections Window•Choose the Ethernet (PPPoE or unencapsulated Routing)radio button.•Click the create new connection.•
If check the Ethernet (encapsulated routing)•If not check the box.(un-encapsulated routing)•The router forward the Ethernet frames on the interface with the IP packet inside the Ethernet frame.
•
PAT configuration changing the source IP addresses of packets enteringinside/ router interfaces and then exiting the outside/Internet facing interface. It act as the DHCP server on the local network.
•
DHCP client interfaces assumed to be outside/Internet facing interfaces.•
SDM use the Web browser on a PC and a web server function on the routerrequiring the user to connect through the IP network rather than a console.
•
SDM does not use SSH or telnet. SDM configuration is only added to the running-config file.
•
Q1. Which of the following are common problem when configure a new internet access router.The optional information from DHCP server such IP address of the DNS server.
•
Setting the wrong interface as the NAT inside and outside interface.•
SDM need to configure IP add and subnet mask address of the interface.
Install and access SDM/Internet access routerWednesday, 15 December 20109:55 AM
CCENT Page 115
NVRAM error:As a result of the above error, the entire contents of NVRAM are erased, including the startup configuration.%SYS-4-NV_BLOCK_INITFAIL: Unable to initialize the geometry of nvram The %SYS-4-NV_BLOCK_INITFAIL: Unable to initialize the geometry of nvram error message appears when the free space in the NVRAM is less than 2K.
The temporary solution is to use the write erase command (format NVRAM ) and then issue the write memory command. The other option is to issue the service compress-config command.
Workaround: Decrease the number of bits in the modules for the RSA keys by using the service compress-config global configuration command to reduce consumed NVRAM space, or use the boot config flash: command to save
some of the configurations in a Flash file rather than in NVRAM.
While you display the contents of the NVRAM with the show startup-config command:Router#show startup-config
Using 5524 out of 129016 bytes%Error opening nvram:/startup-config (Device or resource busy)
•
While you save a configuration to the NVRAM with the copy running-config startup-config command:Router#copy running-config startup-config
Destination filename [startup-config]? startup-config file open failed (Device or resource busy)
•
When there is simultaneous access to a router's NVRAM, you might encounter these two errors:
Solution
Enter the show users command in order to determine how many users are connected to the router.Router#show users
Line User Host(s) Idle Location
0 con 0 user1 idle 00:00:14
* 2 vty 0 user2 idle 00:00:00 64.104.207.114As shown in the output, there is another user connected to the router through the console.The "*" next to line 2 vty 0 indicates the line used in this session. If there are more than two users, clear all of them, except for the line with the "*". That user has accessed the NVRAM at this time and has locked it.
1.
In order to clear the line the other user(s) is (are) connected on and free the NVRAM, issue the clear line command.Router#clear line 0
[confirm][OK]
2.
Issue the show users command again in order to verify.Router#show users
Line User Host(s) Idle Location* 2 vty 0 user2 idle 00:00:00 64.104.207.114
3.
Here is a step-by-step approach to help you resolve the issue shown in this document:
MY first attempt real CCENT examFriday, 17 December 20108:50 AM
CCENT Page 116
1Q- switch receives a frame, which has no destination mac address what will switch does?
A- Broadcast the frame
B- Forwards frame out all interfaces except the interface it received
ANS:1. It does not "broadcast" it. It "floods" it. While this may seem equivalent, it is not. a broadcast is a specific address that will mean something different at the receiving stations!
2Q- what is command for resuming telnet session?
a- PC>connect 1
b- PC>resume 1
ANS:2. Resume 1 (also you can just type # of session; like 1 or 2
3Q- how CDP operates means to say it includes information about directly connected devices or indirectly connected devices also?
ANS. just directly
4Q- what switch reduces?
A-collision domains
B- broadcast domain
The size of collision domain is reduced by switch but switch increases the no of collision domain instead of using hub.( what is a collision?)switch has a full duplex so it can reduce the collision but hub can't reduce.
5Q- scenario: new NIC install in pc, which operates at half duplex and switch, operates at full duplex so they can not communicate what is solution.
Your solution is to match up the duplex settings. Full duplex.
6Q- using the command in PC.
PC>telnet www.cisco.co
CCENT Page 117
translating ……..domain name not found.
what is wrong with this command is this spell mistake or in correct command?
Or we have to use telnet command with only ip addresses ? or dns server is not configured ?
6. If there is DNS that will translate name, you can use DSN name with telnet or ping,Also, if you miss-spell name; it will NOT work.
10. Which three features differentiate switches from bridges? (Choose three.)
large frame buffers•
use of a table of MAC addresses to determine the segment to which the data is to be sent
•
support for mixed media rates•
high port densities•
ability to segment LANs•
As a correct answer, they listed the following.large frame buffers•
support for mixed media rates•
high port densities•
CCENT Page 118
Switch>Switch>Switch>Switch>enSwitch#dir flash:Directory of flash:/
1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin
64016384 bytes total (59601463 bytes free)Switch#copy flash tftpSource filename []? c2960-lanbase-mz.122-25.FX.binAddress or name of remote host []? 192.18.0.4%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Destination filename [c2960-lanbase-mz.122-25.FX.bin]? Switch#Switch#Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#interface FastEthernet0/1Switch(config-if)#Switch(config-if)#exitSwitch(config)#interface vlan 99Switch(config-if)#switchport mode access ^% Invalid input detected at '^' marker.
Switch(config-if)#switchport access ^% Invalid input detected at '^' marker.
Switch(config-if)#exitSwitch(config)#interface fa0/1Switch(config-if)#vlan 99
%LINK-5-CHANGED: Interface Vlan99, changed state to upSwitch(config-vlan)#ip add 172.17.99.11 255.255.255.0
Tuesday, 8 March 201110:26 PM
CCENT Page 119
Switch(config-vlan)#ip add 172.17.99.11 255.255.255.0 ^% Invalid input detected at '^' marker.
Switch(config-vlan)#no shut ^% Invalid input detected at '^' marker.
Switch(config-vlan)#no shut ^% Invalid input detected at '^' marker.
Switch(config-vlan)#exitSwitch(config)#vlan 99Switch(config-vlan)#name managementSwitch(config-vlan)#exitSwitch(config)#interface vlan 99Switch(config-if)#ip add 192.168.1.2 255.255.255.0Switch(config-if)#exitSwitch(config)#interface fa0/8Switch(config-if)#switchport access vlan 99Switch(config-if)#endSwitch#%SYS-5-CONFIG_I: Configured from console by console
Switch#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan99, changed state to up
Switch(config)#ping 192.168.1.10 ^% Invalid input detected at '^' marker.
Switch(config)#do ping 192.168.1.10
CCENT Page 120
Switch(config)#do ping 192.168.1.10
Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:.!!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 31/50/63 ms
Switch(config)#dir flash: ^% Invalid input detected at '^' marker.
Switch(config)#exitSwitch#%SYS-5-CONFIG_I: Configured from console by console
Switch#dir flash:Directory of flash:/
1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin 2 -rw- 616 <no date> vlan.dat
64016384 bytes total (59600847 bytes free)Switch#copy flash tftpSource filename []? c2960-lanbase-mz.122-25.FX.binAddress or name of remote host []? 192.168.1.10Destination filename [c2960-lanbase-mz.122-25.FX.bin]?
Writing c2960-lanbase-mz.122-25.FX.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 4414921 bytes]
4414921 bytes copied in 2.84 secs (1554000 bytes/sec)Switch#copy flash tftpSource filename []? c2960-lanbase-mz.122-25.FX.binAddress or name of remote host []? ?Host name or address not specified
Switch#copy flash tftpSource filename []? c2960-lanbase-mz.122-25.FX.binAddress or name of remote host []? 192.168.1.10Destination filename [c2960-lanbase-mz.122-25.FX.bin]? mytestfile.bin
Writing c2960-lanbase-mz.122-25.FX.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
CCENT Page 121
!!!!!!!!!!!!!![OK - 4414921 bytes]
4414921 bytes copied in 3.026 secs (1458000 bytes/sec)Switch#dir flash:Directory of flash:/
1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin 2 -rw- 616 <no date> vlan.dat
64016384 bytes total (59600847 bytes free)Switch#copy tftp flash:Address or name of remote host []? 192.168.1.10Source filename []? mytestfile.binDestination filename [mytestfile.bin]?
Accessing tftp://192.168.1.10/mytestfile.bin...Loading mytestfile.bin from 192.168.1.10: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK - 4414921 bytes]
4414921 bytes copied in 2.746 secs (43683 bytes/sec)Switch#dir flash:Directory of flash:/
1 -rw- 4414921 <no date> c2960-lanbase-mz.122-25.FX.bin 3 -rw- 4414921 <no date> mytestfile.bin 2 -rw- 616 <no date> vlan.dat
64016384 bytes total (55185926 bytes free)Switch#boot system flash:mytestfile.bin ^% Invalid input detected at '^' marker.
Switch#conf tEnter configuration commands, one per line. End with CNTL/Z.Switch(config)#boot system flash:mytestfile.binSwitch(config)#reload ^% Invalid input detected at '^' marker.
Switch(config)#exitSwitch#%SYS-5-CONFIG_I: Configured from console by consoleSwitch#reload
CCENT Page 122
Switch#reloadProceed with reload? [confirm]C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.2960-24TT starting...Base ethernet MAC Address: 0030.A339.6870Xmodem file system is available.Initializing Flash...flashfs[0]: 3 files, 0 directoriesflashfs[0]: 0 orphaned files, 0 orphaned directoriesflashfs[0]: Total bytes: 64016384flashfs[0]: Bytes used: 8830458flashfs[0]: Bytes available: 55185926flashfs[0]: flashfs fsck took 1 seconds....done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:/mytestfile.bin"...########################################################################## [OK] Restricted Rights Legend
Use, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.
cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706
CCENT Page 123
TCP error controlWednesday, 16 March 20112:33 PM
CCENT Page 124
R1(config-router)# redistribute rip subnetsIt means Ospf can redistribute into rip "not only class less subnet but also for class-full subnet .
DHCP command:
To redistribute From Ospf to RipSunday, 5 June 20111:44 PM
CCENT Page 125
SecurityTuesday, 14 June 201112:59 PM
CCENT Page 126
VOIPTuesday, 14 June 20111:21 PM
CCENT Page 127
Normal condition is straight-through cable.Router-Switch-computers.Abnormal condition such as routers directly connected are used by the crossover cable and switch-switch , router-router ,computer-computer, switch-hub, hub-hub are crossover cable.As normal type of roll-over use for the router console port as the type of "pin 8-pin1".Switch-Access Point use the straight through cable
Trunking is supported switch-switch, switch-router, switch-PC(if a PC NIC supported).
Physical layer problemsTuesday, 14 June 20111:47 PM
CCENT Page 128
There are three different categories of VPNs, based upon the role they play in a business:•Remote access VPNs Remote access VPNs allow remote users like telecommuters to securely access the corporate network wherever and whenever they need to.
•
Site-to-site VPNs Site-to-site VPNs, or intranet VPNs, allow a company to connect its remote sites to the corporate backbone securely over a public medium like the Internet instead of requiring more expensive WAN connections like MPLS or Frame Relay.
•
Extranet VPNs Extranet VPNs allow an organization’s suppliers, partners, and customers to be connected to the corporate network in a limited way for Business-to-Business (B2B communications.
•
There’s more than one way to bring a VPN into being. The first approach uses IPSec to create authentication and encryption services between endpoints on an IP network.
•
The second way is done via tunneling protocols, allowing you to establish a tunnel between endpoints on a network.
•
The tunnel itself is a means for data or protocols to be encapsulated inside another protocol—clean!
•
I really need to describe four of the most common tunneling protocols in use:•Layer 2 Forwarding (L2F) Layer 2 Forwarding (L2F) is a Cisco proprietary tunneling protocol and their initial tunneling protocol created for virtual private dial-up networks (VPDNs).
•
A VPDN allows a device to use a dial-up connection to create a secure connection to a corporate network.
•
L2F was later replaced by L2TP, which is backward compatible with L2F.•Point-to-Point Tunneling Protocol (PPTP) Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to allow the secure transfer of data from remote networks to the corporate network.
•
Layer 2 Tunneling Protocol (L2TP) Layer 2 Tunneling Protocol (L2TP) was created by Cisco and Microsoft to replace L2F and PPTP. L2TP merged the capabilities of both L2F and PPTP into one tunneling protocol.
•
Generic Routing Encapsulation (GRE) Generic Routing Encapsulation (GRE) is another Cisco proprietary tunneling protocol. It forms virtual point-to-point links, allowing for a variety
•
of protocols to be encapsulated in IP tunnels.
VPNSaturday, 18 June 20115:13 PM
CCENT Page 129
Mnemonic: APSTNDP, or in reverse "Please Do Not Take Sales Person's Advice"
# Layer Name PDU Address Function
7 Application Data Encoded
Applicati
on Data
Provide interfaces between
application software.
File, Print, Database.
Provide Network service to
the applications.
6 Presentation Data Encoded
Applicati
on Data
Standardizes data formats
between systems.
Encryption. Compression.
Translation.
5 Session Data Encoded
Applicati
on Data
Manages user sessions and
dialogs.
4 Transport Segment(transport layer
header and its
encapsulated data is
called a segment ),
Datagram)
Port
number
End-to-end delivery of
messages over the network.
Guarantees the delivery of
data across the network.
TCP uses the mechanism of
acknowledgements to
guaranty the transmission
of data across the
network.
3 Network IP Packet( IP header
and its encapsulated
data , which includes
transport layer ,
application layer and
any data)
Logical
address,
for
example
IP
Address.
Routes packets according
to unique network address.
2 DataLink Frame Physical
address,
for
example
MAC
Address.
Procedures for accessing
the media. LLC (Logical
Link Control).
1 Physical Bits Timing
and
synchroni
zation
bits.
The actual hardware.
Cabling, voltages, rates.
PDU = Protocol Data Unit
Examples of protocols at each layer:
# Layer Name Protocol Name Address PDU
7 Application Data
6 Presentation Data
5 Session Data
4 Transport Transmission Control Protocol Port Segment;
OSI Model
Sunday, 20 February 20116:24 PM
CCENT Page 130
4 Transport Transmission Control Protocol
(TCP);
User Datagram Protocol (UDP)
Port
Number
Segment;
Datagram
3 Network Internet Protocol (IP) IP address Packet
2 DataLink Ethernet MAC
address
Frame
1 Physical Bits
Device Operating at which layer(s)?
Hub Layer 1 only = Physical
Layer 2 Switch Layers 1 and 2 = Physical, DataLink
Layer 3 Switch Layers 1, 2, and 3 = Physical, DataLink, Network
Router Layers 1, 2, and 3 = Physical, DataLink, Network
The TCP/IP Model
Mnemonic: ATINa
# Layer Name PDU Address Equivalent OSI Layers
4 Application Data Encoded Application
Data
OSI 7-Application, 6-Presentation,
5-Session
3 Transport Segment Port number OSI 4-Transport
2 Internetwork Packet IP Address OSI 3-Network
1 Network
Access
Frame MAC Address OSI 2-DataLink, and 1-Physical
TCP/IP Encapsulation
Application data is divided into Segments1.
TCP header is added to Segments2.
Segments are divided into Packets3.
IP Header is added to Packets4.
Ethernet header is added to Packets to make Frames5.
CCENT Page 131
