Computer Network II

The document provides an overview of configuring IP addresses on routers and switches, including management IP addresses and interface settings. It covers troubleshooting techniques, memory types in Cisco devices, and procedures for password recovery and IOS licensing. Additionally, it explains the functions of routers and the structure of routing tables with examples of connected and local routes.

Uploaded by moonkemo221

Router IP Addresses

A router provides connectivity between different IP subnets.
An IP address must be configured on the interfaces in each subnet:
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
no shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no shutdown

[Diagram: R1 with FastEthernet0/0 192.168.0.1/24 and FastEthernet0/1 192.168.1.1/24]
Switch Management IP Address

A Layer 2 switch is not IP routing aware.
It does however support a single IP address for management.
The IP address and subnet mask are configured on the Switched Virtual Interface (SVI) for the default VLAN 1.
A default gateway also needs to be configured to allow connectivity to other subnets.
Management IP Address
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.0.10 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.0.1

Additional commands need to be entered to allow Telnet or SSH (Secure Shell) access; we’ll cover these in the ‘Securing Cisco Devices’ section.
Lab Example
[Lab diagram: SW1 with VLAN 1 SVI 192.168.0.10 connected to R1 FE0/0 192.168.0.1; R1 FE0/1 leads to LAN B]
Hostname
A descriptive hostname makes it easier to identify the device, e.g. NY-F1-SW1.
Switch(config)# hostname SW1
SW1(config)#
Interface Descriptions
Interface descriptions can aid troubleshooting.
SW1(config)# interface FastEthernet 0/1
SW1(config-if)# description Link to R1
Interface Speed and Duplex
Interface speed and duplex are set to ‘auto’ by default.
Both sides of a link should auto-negotiate to full duplex and the fastest available speed.
Best practice is to manually set the speed and duplex on ports which are connected to another network infrastructure device or server.
It is very important to set matching speed and duplex settings on both sides of the link.
Interface Speed and Duplex
SW1(config)# interface FastEthernet 0/1
SW1(config-if)# duplex full
SW1(config-if)# speed 100
Verification Commands
SW1# show running-config
SW1# show ip interface brief
SW1# show run interface vlan 1
SW1# show interface vlan 1
SW1# show version
CDP Cisco Discovery Protocol
Cisco Discovery Protocol (CDP) is a Cisco proprietary Layer 2 protocol.
It is used to share information with other directly connected Cisco equipment, such as the operating system version and IP address.
This aids in troubleshooting by allowing administrators to map out how Cisco devices are connected to each other.
It is enabled by default on most Cisco equipment.
It works at Layer 2, so it is not necessary for the device to have an IP address.
Because it advertises the software version and addressing to whatever is plugged into the port, it is normally disabled on interfaces facing untrusted or external devices (no cdp enable on the interface).
CDP Cisco Discovery Protocol
Switch(config)# cdp run
Switch(config)# no cdp run
Switch(config-if)# no cdp enable
Switch# show cdp
Switch# show cdp neighbors
Switch# show cdp neighbors detail
LLDP Link Layer Discovery Protocol
LLDP (Link Layer Discovery Protocol) is an open standard protocol which provides similar information to CDP.
Differences with CDP:
Depending on the switch and version it may be disabled by default
It is only supported on physical interfaces
It can only discover up to one device per port
It can discover Linux servers
LLDP Link Layer Discovery Protocol Configuration
Switch(config)# lldp run
Switch(config)# no lldp run
Switch(config-if)# no lldp transmit
Switch(config-if)# no lldp receive
Switch# show lldp
Switch# show lldp neighbors
Switch# show lldp neighbors detail
Layer 1 Troubleshooting
Basic switch troubleshooting involves checking for Layer 1 and Layer 2 issues.
Copper and fibre cables are liable to break if not handled correctly.
Layer 1 Troubleshooting
Common Layer 1 problems include:
The interface is administratively shut down
The cable is disconnected on either or both ends
The device on the other end of the cable is powered off
Broken connectors which cause loose connections
Bent or stretched cables which lead to broken wires or fibres
Electro-Magnetic Interference (EMI) sources such as motors or microwaves which cause errors in transmission (newer cable is less susceptible to this)
Layer 1 Troubleshooting Commands
Switch# show ip interface brief
‘administratively down’ – Issue ‘no shutdown’
‘down/down’ – This indicates a Layer 1 issue. Check the interface is cabled at both ends and the device on the other side is powered on
‘up/down’ – This indicates a Layer 2 issue or speed mismatch. Check the interface configuration matches on both sides of the link
Show ip interface brief
SW1# show ip interface brief
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/1  unassigned    YES unset  up                    up
FastEthernet0/2  unassigned    YES unset  administratively down down
FastEthernet0/2  unassigned    YES unset  down                  down
FastEthernet0/2  unassigned    YES unset  up                    down
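As an added example (not part of the course material), the following Python parses the ‘show ip interface brief’ output shown above and applies the three checks from the previous slide to each row. The sample text is constructed from the slide, and the verdict wording is mine rather than anything IOS prints.

```python
"""Triage 'show ip interface brief' output using the three status checks on the
slide: administratively down, down/down (Layer 1) and up/down (Layer 2).
Added example; the parser and verdict text are mine, not IOS's."""
import re

# Constructed from the slide's sample output. The repeated FastEthernet0/2
# rows mirror the slide, which shows the same port in three failure states.
SAMPLE = """\
Interface        IP-Address    OK? Method Status                Protocol
FastEthernet0/1  unassigned    YES unset  up                    up
FastEthernet0/2  unassigned    YES unset  administratively down down
FastEthernet0/2  unassigned    YES unset  down                  down
FastEthernet0/2  unassigned    YES unset  up                    down
"""

# Status may contain a space ("administratively down"), so match it lazily and
# take the last whitespace-separated token as the line-protocol state.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<proto>\S+)\s*$"
)


def classify(status: str, proto: str) -> str:
    """Map a status/protocol pair to the slide's troubleshooting advice."""
    if status == "administratively down":
        return "shut: issue 'no shutdown'"
    if status == "down" and proto == "down":
        return "L1: check cabling at both ends and that the far device is powered on"
    if status == "up" and proto == "down":
        return "L2: check speed/duplex and interface config match on both sides"
    if status == "up" and proto == "up":
        return "ok"
    return f"unrecognised state {status}/{proto}"


def parse_brief(text: str):
    """Return (interface, ip, status, protocol, verdict) for each data row."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Interface"):
            continue  # skip blank lines and the column header
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an interface row (e.g. a prompt echoed into the capture)
        d = m.groupdict()
        rows.append((d["iface"], d["ip"], d["status"], d["proto"],
                     classify(d["status"], d["proto"])))
    return rows


def problems(text: str):
    """Only the rows that need attention, in the order they appear."""
    return [r for r in parse_brief(text) if r[4] != "ok"]


if __name__ == "__main__":
    for iface, ip, status, proto, verdict in parse_brief(SAMPLE):
        print(f"{iface:<16} {status + '/' + proto:<28} {verdict}")
```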
Show Interface
Switch# show interface
If the interface is reporting an excessive amount of errors it could be either a Layer 1 or Layer 2 problem.
Check the integrity of the cable.
Check the configuration matches on both sides of the link.
Show Interface
SW1#show interface fastEthernet 0/2
FastEthernet0/2 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0014.6a8c.2884 (bia 0014.6a8c.2884)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:15, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
367 packets input, 41739 bytes, 0 no buffer
Received 60 broadcasts (58 multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 58 multicast, 0 pause input
0 input packets with dribble condition detected
1894 packets output, 150623 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
Cisco Device Memory
Cisco routers and switches have 4 built-in memory locations:
ROM – Read Only Memory
Flash – newer devices use removable CompactFlash
NVRAM – Non-Volatile RAM
RAM – Random Access Memory
An external USB device can also be used.
ROM Read Only Memory
When the device is powered on, it will first load from ROM
Two main functions are performed:
1) Power On Self Test (POST)
2) Load bootstrap
The bootstrap will look in Flash for an IOS software image to load
ROM Read Only Memory
If an IOS image cannot be found the device will show the ROMMON
prompt at the command line
The ROM Monitor can be used to recover a missing or corrupted
software image
In this case you can boot from USB or an external TFTP (Trivial File
Transfer Protocol) server
Search for ‘Cisco ROMMON Recovery’ for your device model
Flash Memory

The system will load the first IOS image found in Flash by default
You can override this with the boot system command
You can copy additional IOS system images to Flash via TFTP or USB
NVRAM Non-Volatile RAM Memory
When the system has finished loading the IOS system image from Flash, it will load the startup-config configuration file from NVRAM.
The saved startup-config becomes the current running-config in RAM.
If no startup-config file is found, the device will load the Setup Wizard.
NVRAM Non-Volatile RAM Memory
Whenever you enter a command in IOS it takes effect immediately and goes into the running-config.
To make your changes permanent across a reboot:
copy running-config startup-config
RAM Random Access Memory
The IOS system image and startup-config are loaded from Flash and NVRAM into RAM during bootup.
RAM is used as the normal working memory of the device.
ROM, Flash and NVRAM are permanent memory; their contents are not lost when the device is powered off or rebooted.
RAM is volatile memory; its contents are lost when the device is powered off.
The VLAN Database
On a switch, the VLAN database (vlan.dat) is saved in either Flash or NVRAM, depending on the model of switch.
Booting from TFTP
The system can also load a system image and/or startup-config from an external TFTP server instead of Flash/NVRAM.
This is not recommended because the device will not be able to boot if it loses connectivity to the server. It is usually only used where the device does not have enough capacity in Flash to save the system image.
Lab Example
Factory Reset
To factory reset a router or switch:
write erase
This will erase the startup-config.
Reload to boot up with a blank configuration.
The Setup Wizard will run.
The Config Register
The configuration register can be used to change the way the router boots.
Use the config-register command in global configuration mode or confreg at the rommon prompt.
E.g. config-register 0x2142
0x2102: boot normally (default)
0x2120: boot into rommon
0x2142: ignore contents of NVRAM (startup-config)
Router Password Recovery Procedure
Press the break sequence (Ctrl-Break) at power on to break into the rommon prompt. This step needs console access while the router boots, which is one reason physical access to the console port should be controlled.
confreg 0x2142 to ignore the startup-config on boot.
The startup-config is still there with the full configuration including the unknown enable secret, but the router does not use it when it boots.
reset to reload.
The router will boot up with no configuration. Type no to bypass the setup wizard.
Enter enable mode. You will not be prompted for the enable secret as it is not in the running configuration.
Router Password Recovery Procedure
Copy the startup config to the running config.
This will copy the entire previous configuration into the running config including the unknown enable secret. You are already in enable mode so you do not need to know what it is.
Enter a new enable secret in global configuration mode to overwrite the old one. This will go into the running config.
config-register 0x2102 so the router will boot normally on the next restart.
copy run start to save the configuration. This will merge the new enable password into the existing startup-config.
Switch Password Recovery Procedure
The switch password recovery procedure is very similar, but you may have to physically press the ‘Mode’ button on the front of the switch to break into the switch loader.
Search for ‘Cisco password recovery’ for your model of switch for full instructions.
Backing up the System Image and Config
Copies of the device’s IOS system image and configuration can be saved to Flash, FTP, TFTP or USB.
If you copy a config file into the running-config, it will be merged with the current configuration.
To replace a configuration, factory reset and then copy the new configuration into the startup-config.
copy flash tftp
copy running-config tftp
copy startup-config usb
Lab Example
Upgrading the IOS System Image
IOS software images can be downloaded from:
https://software.cisco.com/

After downloading the software, copy to the device’s Flash using TFTP:
copy tftp flash
Delete the old system image or use the boot system command
Lab Example
Router IOS Licensing
Prior to IOS 15.0, different IOS system images were available for different feature sets, such as Security or Telephony.
Licensing was not enforced.
A universal system image is provided from IOS 15.0.
License codes must be entered to activate the Technology Packages.
Licensing Procedure
When you purchase a license you will be provided with a Product Activation Key (PAK) code.
The license will be tied to an individual device. To get the device’s Unique Device Identifier (UDI) enter show license udi.
Go to the Cisco License Portal http://www.cisco.com/go/license and enter the PAK code and UDI to generate the license.
Copy the license to Flash on the router.
license install flash:
license show
Router Functions
A router has two main functions:
Determining the best path to available networks
Forwarding traffic to those networks
The Routing Table
The best available path or paths to a destination network are listed in a router’s routing table and will be used for forwarding traffic.
A routing table consists of directly connected networks and routes configured statically by the administrator or dynamically learned through a routing protocol.
Connected and Local Routes
The administrator configures IP addresses on the router’s interfaces
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
interface FastEthernet1/0
ip address 10.0.1.1 255.255.255.0
interface FastEthernet2/0
ip address 10.0.2.1 255.255.255.0

[Diagram: R1 with FastEthernet0/0 10.0.0.1/24, FastEthernet1/0 10.0.1.1/24 and FastEthernet2/0 10.0.2.1/24]
show ip route - Connected Routes
This will automatically enter connected routes into the routing table:
R1#sh ip route
C 10.0.0.0/24 is directly connected, FastEthernet0/0
C 10.0.1.0/24 is directly connected, FastEthernet1/0
C 10.0.2.0/24 is directly connected, FastEthernet2/0

If any traffic for the 10.0.0.0/24 network is received on another interface of the router, it will forward it out of interface FastEthernet0/0.
show ip route - Local Routes
From IOS 15, local routes will also be added to the routing table.
Local routes always have a /32 mask and show the IP address configured on the interface.

R1#sh ip route
L 10.0.0.1/32 is directly connected, FastEthernet0/0
L 10.0.1.1/32 is directly connected, FastEthernet1/0
L 10.0.2.1/32 is directly connected, FastEthernet2/0
Lab
Static Routes
If a router receives traffic for a network which it is not directly attached to, it needs to know how to get there in order to forward the traffic.
An administrator can manually add a static route to the destination, or the router can learn it via a routing protocol.
Routes on R2:
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.1
[Diagram: R2 (F1/0 10.1.0.2/24, F0/0 10.0.0.2/24) - 10.0.0.0/24 - R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24)]
Routes on R1:
ip route 10.1.0.0 255.255.255.0 10.0.0.2


Static Routes
Routes on R2:
ip route 10.1.1.0 255.255.255.0 10.1.0.1
ip route 10.0.1.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.0.1
Routes on R3:
ip route 10.0.0.0 255.255.255.0 10.1.0.2
ip route 10.0.1.0 255.255.255.0 10.1.0.2
ip route 10.0.2.0 255.255.255.0 10.1.0.2
[Diagram: R3 (F0/0 10.1.1.1/24, F1/0 10.1.0.1/24) - 10.1.0.0/24 - R2 (F1/0 10.1.0.2/24, F0/0 10.0.0.2/24) - 10.0.0.0/24 - R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24)]
Routes on R1:
ip route 10.1.0.0 255.255.255.0 10.0.0.2
ip route 10.1.1.0 255.255.255.0 10.0.0.2
Lab
Static Routes
Routes on R1:
ip route 10.1.0.0 255.255.255.0 10.0.0.2
ip route 10.1.1.0 255.255.255.0 10.0.0.2
ip route 10.1.2.0 255.255.255.0 10.0.0.2
[Diagram: R4 (FE1/0 10.1.2.1/24, FE0/0 10.1.1.1/24) - 10.1.1.0/24 - R3 (FE0/0 10.1.1.2/24, FE1/0 10.1.0.1/24) - 10.1.0.0/24 - R2 (FE1/0 10.1.0.2/24, FE0/0 10.0.0.2/24) - 10.0.0.0/24 - R1 (FE0/0 10.0.0.1/24, FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24)]
Summary Routes
For static routing, summary routes lessen administrative overhead and memory usage on the routers.
Routes on R1:
ip route 10.1.0.0 255.255.0.0 10.0.0.2
[Diagram: same R4 - R3 - R2 - R1 topology as the previous slide]
Summary Routes
Summarisation doesn’t have to be on classful boundaries.
To summarise the range 10.1.0.0 to 10.1.3.0:
ip route 10.1.0.0 255.255.252.0 10.0.0.2
[Diagram: same R4 - R3 - R2 - R1 topology as the previous slide]
Longest Prefix Match
When there are overlapping routes, the longest prefix will be selected.
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2
[Diagram: the R4 - R3 - R2 - R1 topology as before, plus R5 linked to R4 over 10.1.3.0/24 (R4 FE2/0 10.1.3.1, R5 FE2/0 10.1.3.2) and to R1 over 10.0.3.0/24 (R1 FE3/0 10.0.3.1, R5 FE3/0 10.0.3.2)]
Load Balancing
When multiple equal length routes are added for the same destination, the router will add them all to the routing table and load balance between them.
R1(config)# ip route 10.1.0.0 255.255.0.0 10.0.0.2
R1(config)# ip route 10.1.0.0 255.255.0.0 10.0.3.2
[Diagram: same R1 to R5 topology as the previous slide]
Default Route (Gateway of Last Resort)
ip route 10.1.0.0 255.255.0.0 10.0.0.2
ip route 10.1.3.0 255.255.255.0 10.0.3.2
ip route 0.0.0.0 0.0.0.0 203.0.113.2
[Diagram: same R1 to R5 topology, with R1 also connected to the Internet at 203.0.113.1 (ISP side 203.0.113.2)]
Lab
Dynamic Routing Protocols
When a routing protocol is used, routers automatically advertise their best paths to known networks to each other.
Routers use this information to determine their own best path to the known destinations.
When the state of the network changes, such as a link going down or a new subnet being added, the routers update each other.
Routers will automatically calculate a new best path and update the routing table if the network changes.
Dynamic Routing Protocols
R1 advertises to R2: “You can get to these networks via me: 10.0.1.0/24, 10.0.2.0/24”
[Diagram: R3 (FE0/0 10.1.1.2/24, FE1/0 10.1.0.1/24) - 10.1.0.0/24 - R2 (FE1/0 10.1.0.2/24, FE0/0 10.0.0.2/24) - 10.0.0.0/24 - R1 (FE0/0 10.0.0.1/24, FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24)]
Dynamic Routing Protocols
Routing table on R2:
10.0.0.0/24  Connected  FE0/0
10.1.0.0/24  Connected  FE1/0
10.0.1.0/24  10.0.0.1   FE0/0
10.0.2.0/24  10.0.0.1   FE0/0
[Diagram: same R3 - R2 - R1 topology as the previous slide]
Dynamic Routing Protocols
R2 advertises to R3: “You can get to these networks via me: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24”
[Diagram: same R3 - R2 - R1 topology as the previous slide]
Dynamic Routing Protocols
Routing table on R3:
10.1.1.0/24  Connected  FE0/0
10.1.0.0/24  Connected  FE1/0
10.0.0.0/24  10.1.0.2   FE1/0
10.0.1.0/24  10.1.0.2   FE1/0
10.0.2.0/24  10.1.0.2   FE1/0
[Diagram: same R3 - R2 - R1 topology as the previous slide]
Summary Routes
R2 advertises a summary to R3: “You can get to these networks via me: 10.0.0.0/16”
[Diagram: same R3 - R2 - R1 topology as the previous slide]
Summary Routes
Summary routes lead to less memory usage in routers as their routing tables contain fewer routes.
They also lead to less CPU usage as changes in the network only affect other routers in the same area.
For example, if the link on R1 to the 10.0.1.1/24 network goes down, R2 will lose its route there and try to compute a new path.
R3 will not be affected as its summary route to 10.0.0.0/16 is unchanged.
Dynamic Routing Protocols vs Static Routes
Routing protocols are more scalable than administrator defined static routes.
Using purely static routes is only feasible in very small environments.
Dynamic Routing Protocol Advantages
The routers automatically advertise available subnets to each other without the administrator having to manually enter every route on every router.
If a subnet is added or removed the routers will automatically discover that and update their routing tables.
If the best path to a subnet goes down routers automatically discover that and will calculate a new best path if one is available.
Dynamic Routing Protocols vs Static Routes
Using a combination of a dynamic routing protocol and static routes is very common in real world environments.
In this case the routing protocol will be used to carry the bulk of the network information.
Static routes can also be used on an as needed basis, for example for backup purposes or for a static route to the Internet (which will typically be injected into the dynamic routing protocol and advertised to the rest of the routers).
Lab
[Lab diagram: R4 - R3 - R2 - R1 chain (10.1.1.0/24, 10.1.0.0/24, 10.0.0.0/24) over 100 Mbps links; R5 connected to R4 over 10.1.3.0/24 and to R1 over 10.0.3.0/24 on 10 Mbps links; R4 FE1/0 10.1.2.1/24, R1 FE1/0 10.0.1.1/24 and FE2/0 10.0.2.1/24]
Routing Protocol Types
Routing protocols can be split into two main types:
Interior gateway protocols (IGPs)
Exterior gateway protocols (EGPs)
Interior gateway protocols are used for routing within an organisation.
Exterior gateway protocols are used for routing between organisations over the Internet.
The only EGP in use today is BGP (Border Gateway Protocol).
Interior Gateway Protocols
Interior gateway protocols can be split into two main types:
Distance Vector routing protocols
Link State routing protocols
Distance Vector Routing Protocols
In Distance Vector protocols, each router sends its directly connected neighbours a list of all its known networks along with its own distance to each of those networks.
Distance vector routing protocols do not advertise the entire network topology.
A router only knows its directly connected neighbours and the lists of networks those neighbours have advertised. It doesn’t have detailed topology information beyond its directly connected neighbours.
Distance Vector routing protocols are often called ‘Routing by rumour’.
Link State Routing Protocols
In Link State routing protocols, each router describes itself and its interfaces to its directly connected neighbours.
This information is passed unchanged from one router to another.
Every router learns the full picture of the network including every router, its interfaces and what they connect to.
Dynamic Routing Protocols
Interior Gateway Protocols (IGPs):
Distance Vector Routing Protocol: RIP
Advanced Distance Vector Routing Protocol: EIGRP
Link State Routing Protocol: OSPF, IS-IS
Exterior Gateway Protocols (EGPs):
Path Vector Routing Protocol: BGP
RIP: Routing Information Protocol
EIGRP: Enhanced Interior Gateway Routing Protocol
OSPF: Open Shortest Path First
IS-IS: Intermediate System to Intermediate System
BGP: Border Gateway Protocol
Interior Gateway Protocols
All of the IGPs do the same job, which is to advertise routes within an organisation and determine the best path or paths.
An organisation will typically pick one of the IGPs.
If an organisation has multiple IGPs in effect (for example because of a merger), information can be redistributed between them. This should generally be avoided if possible.
Lab
[Lab diagram: same R1 to R5 topology as the previous lab, 100 Mbps links on the R4 - R3 - R2 - R1 chain and 10 Mbps links to R5]
Metric
A router may receive multiple possible paths to get to a destination network.
Only the best path will make it into the routing table and be used.
The different IGPs use different methods to calculate the best path to a destination network.
Metric
Each possible path will be assigned a ‘metric’ value by the routing protocol which indicates how preferred the path is.
The lowest metric value is preferred.
Distance Vector routers advertise to each other the networks they know about, and their metric to get to each of them.
Link State routers advertise all the links in their area of the network to each other.
Each router will take this information and then make an independent calculation of its own best path to get to each destination.
Metric
If the best path to a destination is lost (for example because a link went down) it will be removed from the routing table and replaced with the next best route.
Metric
A router will typically only learn routes to a particular destination from a single routing protocol.
When multiple routes to a destination are learned through a routing protocol, the router will install the path or paths with the best (lowest) metric into the routing table.
Different routing protocols use different methods to calculate the metric.
Metric
For example in RIP, path A>B>C>D has a hop count of 3, path A>B>D has a hop count of 2, so A>B>D would be preferred.
In OSPF, if path A>B>C>D has a cost of 60, and path A>B>D has a cost of 100, then A>B>C>D would be used.
Administrative Distance
If paths to the same destination are received from different routing protocols, their metrics cannot be compared.
For example, a RIP hop count of 5 cannot be compared to an OSPF cost of 60. The comparison would be meaningless because the routing protocols calculate the metric in completely different ways.
The router must use a different method to choose when routes to the same destination are received from different routing protocols.
The Administrative Distance (AD) is used for this.
Administrative Distance
The Administrative Distance is a measure of how trusted the routing protocol is.
If routes to the same destination are received via different routing protocols, the protocol with the best (lowest) AD wins.
Default Administrative Distance
Route Source         Default AD
Connected Interface  0
Static Route         1
External BGP         20
EIGRP                90
OSPF                 110
IS-IS                115
RIP                  120
Administrative Distance and Metric
Administrative Distance is used to choose between multiple paths learned via different routing protocols.
Metric is used to choose between multiple paths learned via the same protocol.
The Administrative Distance is considered first to narrow the choice down to the single best routing protocol.
The Metric is then considered to choose the best path or paths which make it into the routing table.
Show ip route
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C        10.0.0.0/24 is directly connected, FastEthernet0/0
L        10.0.0.1/32 is directly connected, FastEthernet0/0
R        10.1.0.0/24 [120/1] via 10.0.0.2, 00:00:00, FastEthernet0/0
R        10.1.1.0/24 [120/2] via 10.0.0.2, 00:00:00, FastEthernet0/0

Slide callouts: connected interfaces have an AD of 0; in [120/1] the first number is the Administrative Distance and the second is the Metric.
Administrative Distance Example
Example: A router receives multiple routes to the 10.10.10.0/24 network from both OSPF and RIP.
When paths to the same destination are received from multiple routing protocols, the Administrative Distance is considered first.
OSPF has a better AD than RIP so the RIP routes will be discarded.
Administrative Distance Example
The router will then compare the routes received via OSPF and install the one with the lowest cost in the routing table.
If multiple equal cost paths are received via OSPF they will all be installed in the routing table and the router will load balance outbound traffic to the destination between them.
Floating Static Routes
If the best path to a destination is lost (for example because a link went down) it will be removed from the routing table and replaced with the next best route.
We might want to configure a static route as a backup for the route learned via a routing protocol.
A problem is that static routes have a default Administrative Distance of 1 which will always be preferred over routes learned via an IGP.
Floating Static Routes – OSPF
We can change the Administrative Distance of a static route to make it act as the backup (rather than the preferred) route.
Floating static route for OSPF example:
R4(config)#ip route 10.0.1.0 255.255.255.0 10.1.3.2 115

[Diagram: same R1 to R5 lab topology; R5 is marked NO OSPF SUPPORT and its links to R4 (10.1.3.0/24) and R1 (10.0.3.0/24) are 10 Mbps]
Floating Static Routes – Static Routes
Floating static routes can also be used where we are using purely static routing.
ip route 10.0.1.0 255.255.255.0 10.1.1.2
ip route 10.0.1.0 255.255.255.0 10.1.3.2 5
[Diagram: same R1 to R5 lab topology, 100 Mbps links on the R4 - R3 - R2 - R1 chain and 10 Mbps links to R5]
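The route-selection rules spread across the Longest Prefix Match, Load Balancing, Default Route, Summary Routes, Administrative Distance and Floating Static Routes slides, worked through in one added Python model (not part of the course material). The candidate routes are built from the static route commands and diagrams on those slides; the OSPF cost and the 192.0.2.x next hops in the AD example are constructed values.

```python
"""Route selection as the routing slides describe it: longest prefix match,
then Administrative Distance, then metric, with equal-cost paths kept for load
balancing and a floating static route taking over when the IGP route is lost.
Added example, not from the course; the candidate routes are constructed from
the slides' static route commands and diagrams."""
import ipaddress
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Default Administrative Distances from the slide table.
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
              "ospf": 110, "isis": 115, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str                 # next-hop IP, or the exit interface for C/L routes
    source: str                   # key into DEFAULT_AD
    metric: int = 0
    ad: Optional[int] = None      # explicit AD, as in 'ip route ... 10.1.3.2 115'

    @property
    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad


def install(candidates: List[Route]) -> List[Route]:
    """Build the routing table: per prefix, keep the source with the lowest AD,
    then every route tied on the best (lowest) metric (equal-cost load balancing)."""
    by_prefix = {}
    for r in candidates:
        by_prefix.setdefault(r.prefix, []).append(r)
    table = []
    for routes in by_prefix.values():
        best_ad = min(r.admin_distance for r in routes)
        survivors = [r for r in routes if r.admin_distance == best_ad]
        best_metric = min(r.metric for r in survivors)
        table.extend(r for r in survivors if r.metric == best_metric)
    return table


def lookup(table: List[Route], dst: str) -> List[str]:
    """Longest prefix match. Returns every next hop for the winning prefix
    (more than one means the router load balances); [] means no route."""
    addr = ip_address(dst)
    matching = [r for r in table if addr in r.prefix]
    if not matching:
        return []
    longest = max(r.prefix.prefixlen for r in matching)
    return [r.next_hop for r in matching if r.prefix.prefixlen == longest]


def summarise(prefixes: List[str]) -> List[str]:
    """Collapse contiguous networks into summary routes, e.g. the slide's
    10.1.0.0 to 10.1.3.0 range into 10.1.0.0/22."""
    return [str(n) for n in ipaddress.collapse_addresses(ip_network(p) for p in prefixes)]


def r1_table() -> List[Route]:
    """R1's routes from the Longest Prefix Match, Load Balancing and Default
    Route slides, plus its connected and local routes on FastEthernet0/0."""
    return install([
        Route(ip_network("10.0.0.0/24"), "FastEthernet0/0", "connected"),
        Route(ip_network("10.0.0.1/32"), "FastEthernet0/0", "connected"),
        Route(ip_network("10.1.0.0/16"), "10.0.0.2", "static"),   # via R2
        Route(ip_network("10.1.0.0/16"), "10.0.3.2", "static"),   # via R5, equal cost
        Route(ip_network("10.1.3.0/24"), "10.0.3.2", "static"),   # more specific, via R5
        Route(ip_network("0.0.0.0/0"), "203.0.113.2", "static"),  # gateway of last resort
    ])


def r4_next_hops(ospf_path_up: bool) -> List[str]:
    """R4 from the floating static slide: the OSPF route via R3 (AD 110) wins
    while it exists; drop it and the AD 115 static via R5 is installed instead.
    The OSPF cost is a constructed value."""
    candidates = [Route(ip_network("10.0.1.0/24"), "10.1.3.2", "static", ad=115)]
    if ospf_path_up:
        candidates.append(Route(ip_network("10.0.1.0/24"), "10.1.1.2", "ospf", metric=30))
    return lookup(install(candidates), "10.0.1.1")


def ad_then_metric() -> List[tuple]:
    """The Administrative Distance Example slide: OSPF and RIP both offer
    10.10.10.0/24; AD discards RIP, then the lowest OSPF cost is installed.
    Next-hop addresses are constructed (TEST-NET-1)."""
    table = install([
        Route(ip_network("10.10.10.0/24"), "192.0.2.1", "rip", metric=2),
        Route(ip_network("10.10.10.0/24"), "192.0.2.5", "ospf", metric=100),
        Route(ip_network("10.10.10.0/24"), "192.0.2.9", "ospf", metric=60),
    ])
    return [(r.next_hop, r.source, r.metric) for r in table]


if __name__ == "__main__":
    for dst in ("10.1.3.7", "10.1.1.9", "8.8.8.8"):
        print(dst, "->", lookup(r1_table(), dst))
    print("R4 with OSPF:", r4_next_hops(True), "without:", r4_next_hops(False))
```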
Loopback Interfaces
Loopback interfaces are logical interfaces.
They allow you to assign an IP address to a router or L3 switch which is not tied to a physical interface.
Because they don’t have any physical attributes which can fail, loopback interfaces never go down.
Loopbacks are logical so they cannot be physically in the same subnet as other devices, so they are usually assigned a /32 subnet mask to avoid wasting IP addresses.
Loopback Interface Uses
It is best practice to assign a loopback interface to your routers.
The loopback is commonly used for traffic that terminates on the router itself.
This could be management traffic, Voice over IP, BGP peering etc.
This provides redundancy if there are multiple paths to the router.
The loopback is also used to identify the router (Router ID) in OSPF.
Adjacencies
IGP routing protocols are configured under global configuration mode and then enabled on individual interfaces.
When the routing protocol is enabled on an interface the router will look for other devices on the link which are also running the routing protocol.
The router does this by sending out and listening for hello packets.
When a matching peer is found, the routers will form an adjacency with each other.
They will then exchange routing information.
Adjacencies
Modern routing protocols use multicast for the hello packets.
This is more efficient than broadcast, which was used by earlier protocols.
Only routers which are running the same routing protocol will process the packet.
Passive Interfaces
Passive interfaces allow you to include an IP subnet in the routing protocol without sending updates out of the interface.
If FastEthernet2/0 is configured as a passive interface, RA and RB will learn routes to 10.0.2.0, but internal network information will not be sent to RC.
[Diagram: R1 with FE0/0 10.0.0.1/24 to RA, FE1/0 10.0.1.1/24 to RB, FE2/0 10.0.2.1/24 to RC, and Loopback0 192.168.1.1/32]
Passive Interfaces
It is best practice to configure loopback interfaces as passive interfaces.
It is impossible to form an adjacency on a loopback interface because they are not physical interfaces.
Making the loopback passive means that it will be advertised by the routing protocol but it will not waste resources sending out and listening for hello packets.
[Diagram: same R1 / RA / RB / RC topology as the previous slide]
Passive Interface Use Cases
Passive interfaces are used on:
Loopback interfaces
Physical interfaces where the device on the other side belongs to another organisation. We do not want to send routing information out, or accept an adjacency from their device, but we do want our internal devices to know about the link
Lab

Diagram (lab topology): R1 - 10.0.0.0/24 - R2 - 10.1.0.0/24 - R3 - 10.1.1.0/24 - R4, all over 100 Mbps FastEthernet links. R1 holds 10.0.0.1, R2 holds 10.0.0.2 and 10.1.0.2, R3 holds 10.1.0.1 and 10.1.1.2, R4 holds 10.1.1.1. R1 also has FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24, FE3/0 10.0.3.1/24 and Loopback0 192.168.1.1/32; R4 also has 10.1.2.1/24 and FE2/0 10.1.3.1/24. R5 (FE2/0 10.1.3.2/24) hangs off R4 and R6 (FE3/0 10.0.3.2/24) hangs off R1, both over 10 Mbps links.
Ping
ICMP: Internet Control Message Protocol
ICMP Echo Request: SRC IP 10.0.0.1, DST IP 10.1.0.1

Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (F0/0 10.0.0.2, F1/0 10.1.0.2) - 10.1.0.0/24 - R3 (F1/0 10.1.0.1, F0/0 10.1.1.1/24). The Echo Request travels R1 > R2 > R3.

Ping
ICMP: Internet Control Message Protocol
ICMP Echo Reply: SRC IP 10.1.0.1, DST IP 10.0.0.1

Diagram: same topology; the Echo Reply travels R3 > R2 > R1.
Ping Responses
If the ping is successful:

R1#ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/322/1076 ms

Each '!' is an Echo Reply received. The leading '.' is normal on the first ping to a destination: the router has to resolve the next hop's MAC address with ARP before the first Echo Request can be sent, and that probe times out
Ping Responses
If the router does not have a corresponding route or the destination IP address does not respond, every probe times out:

R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Ping Responses
If a router along the path discards the packet and reports it (for example it is blocked by an Access Control List), an ICMP Destination Unreachable comes back for each probe:

R1#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
Traceroute
Traceroute discovers the path hop by hop using the IP TTL (Time To Live) field. Each router decrements the TTL by one before forwarding a packet; when the TTL reaches zero the router drops the packet and returns an ICMP Time Exceeded message to the sender, sourced from the interface the packet arrived on.
The probe shown here is an ICMP Echo Request, which is what Windows tracert sends. Cisco IOS traceroute sends UDP probes to high-numbered ports by default, so the final destination answers with ICMP Port Unreachable rather than an Echo Reply; the Time Exceeded messages from the intermediate routers are the same either way.

Diagram: R1 (F0/0 10.0.0.1/24, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24) - 10.0.0.0/24 - R2 (F0/0 10.0.0.2, F1/0 10.1.0.2) - 10.1.0.0/24 - R3 (F1/0 10.1.0.1, F0/0 10.1.1.1/24)

Traceroute
Probe 1: ICMP Echo Request, SRC IP 10.0.0.1, DST IP 10.1.0.1, TTL 1
Traceroute
R2 decrements the TTL to 0, drops the probe and replies: ICMP Time Exceeded, SRC IP 10.0.0.2, DST IP 10.0.0.1. R1 now knows the first hop is 10.0.0.2.
Traceroute
Probe 2: ICMP Echo Request, SRC IP 10.0.0.1, DST IP 10.1.0.1, TTL 2
Traceroute
R2 decrements the TTL to 1 and forwards the probe. R3 owns the destination address, so it replies: ICMP Echo Reply, SRC IP 10.1.0.1, DST IP 10.0.0.1. The destination has been reached and the trace ends.
Traceroute Responses
Successful Traceroute:

R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.2 20 msec 16 msec 16 msec
2 10.1.0.1 36 msec 40 msec 40 msec
3 10.1.1.1 60 msec 64 msec 60 msec
Traceroute Responses
The probes are getting as far as 10.1.0.1 and nothing beyond it answers. Start troubleshooting there: check that router's route to the destination, and whether the next hop is down or an ACL is dropping the probes or the ICMP replies.
Press Ctrl-Shift-6 to abort, otherwise IOS keeps probing until it reaches its 30 hop limit

R1#traceroute 10.1.2.1
Type escape sequence to abort.
Tracing the route to 10.1.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.0.2 28 msec 16 msec 16 msec
2 10.1.0.1 36 msec 36 msec 40 msec
3 * * *
4 * * *
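The hop-by-hop behaviour described on the traceroute slides, as an added example (not code from the original course): a small forwarding simulation with three routers. The topology and addresses are the R1-R2-R3 diagram above; the routing tables are my assumption, and R3's route to 10.1.2.0/24 deliberately points at a next hop that never answers, which reproduces the '* * *' output of the failing traceroute. A router with no route returns Destination Unreachable instead (IOS prints !H), which is the other failure mode a practitioner needs to tell apart.

```python
"""Added example, not from the original slides: a small forwarding
simulation showing why traceroute discovers the path one hop at a time.
Probes go out with TTL 1, 2, 3, ...  A router decrements the TTL before
forwarding; when it reaches 0 the router drops the probe and returns ICMP
Time Exceeded, sourced from the interface the probe arrived on.  The router
that owns the destination address answers instead (Echo Reply for an ICMP
probe; with IOS's default UDP probes it is Port Unreachable).  A router with
no route returns Destination Unreachable (IOS prints !H); a next hop that
never answers produces '*'.  Topology and addresses follow the R1-R2-R3
diagram on this page; the routing tables are assumed, and R3's route to
10.1.2.0/24 points at a silent next hop to reproduce the '* * *' slide."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Router:
    name: str
    interfaces: dict                            # interface name -> 'ip/prefixlen'
    routes: dict = field(default_factory=dict)  # 'prefix' -> next-hop ip, None = connected

    def owns(self, ip):
        return any(str(ipaddress.IPv4Interface(c).ip) == ip for c in self.interfaces.values())

    def address_facing(self, ip):
        """Address of this router's interface on the same subnet as `ip`."""
        for cidr in self.interfaces.values():
            iface = ipaddress.IPv4Interface(cidr)
            if ipaddress.IPv4Address(ip) in iface.network:
                return str(iface.ip)
        raise ValueError(f"{self.name} has no interface facing {ip}")

    def next_hop(self, dst):
        """Longest-prefix match: next-hop ip, dst itself if directly connected,
        None if there is no matching route."""
        d = ipaddress.IPv4Address(dst)
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.IPv4Network(prefix)
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def owner_of(routers, ip):
    return next((r for r in routers if r.owns(ip)), None)


def send_probe(routers, src, dst, ttl):
    """Forward one probe through the network. Returns (reply_type, reply_source)."""
    current, arrived_from = owner_of(routers, src), None
    while True:
        nh = current.next_hop(dst)
        if nh is None:
            # no route: ICMP Destination Unreachable from the ingress interface
            src_ip = current.address_facing(arrived_from) if arrived_from else None
            return ("unreachable", src_ip)
        nxt = owner_of(routers, nh)
        if nxt is None:
            return ("timeout", None)               # next hop never answers -> '*'
        arrived_from = current.address_facing(nh)  # egress address of the sending router
        current = nxt
        if current.owns(dst):
            return ("echo-reply", dst)             # delivered; TTL is not decremented
        ttl -= 1                                   # decremented only when forwarding
        if ttl == 0:
            return ("time-exceeded", current.address_facing(arrived_from))


def traceroute(routers, src, dst, max_hops=30):
    """Hop list as traceroute would print it (one probe per TTL for brevity)."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, reply_from = send_probe(routers, src, dst, ttl)
        if kind == "time-exceeded":
            hops.append(reply_from)
        elif kind == "echo-reply":
            hops.append(reply_from)
            return hops
        elif kind == "unreachable":
            hops.append(f"{reply_from} !H")
            return hops
        else:
            hops.append("*")
            if hops[-3:] == ["*", "*", "*"]:     # stop after three silent hops (simulation choice)
                return hops
    return hops


# Constructed topology (the slide diagram; routing tables are assumptions)
NET = [
    Router("R1", {"F0/0": "10.0.0.1/24", "F1/0": "10.0.1.1/24", "F2/0": "10.0.2.1/24"},
           {"10.0.0.0/24": None, "10.0.1.0/24": None, "10.0.2.0/24": None,
            "0.0.0.0/0": "10.0.0.2"}),             # everything else via R2
    Router("R2", {"F0/0": "10.0.0.2/24", "F1/0": "10.1.0.2/24"},
           {"10.0.0.0/24": None, "10.1.0.0/24": None, "10.0.1.0/24": "10.0.0.1",
            "10.0.2.0/24": "10.0.0.1", "10.1.1.0/24": "10.1.0.1", "10.1.2.0/24": "10.1.0.1"}),
    Router("R3", {"F1/0": "10.1.0.1/24", "F0/0": "10.1.1.1/24"},
           {"10.1.0.0/24": None, "10.1.1.0/24": None, "10.0.0.0/22": "10.1.0.2",
            "10.1.2.0/24": "10.1.1.2"}),           # 10.1.1.2 (R4) is down: probes vanish
]

if __name__ == "__main__":
    print(traceroute(NET, "10.0.0.1", "10.1.0.1"))    # ['10.0.0.2', '10.1.0.1']
    print(traceroute(NET, "10.0.0.1", "10.1.2.1"))    # ['10.0.0.2', '10.1.0.1', '*', '*', '*']
    print(traceroute(NET, "10.0.0.1", "172.16.1.1"))  # ['10.0.0.2', '10.0.0.2 !H']
```

The two failure shapes are what matter when reading real output: a silent hop ('*') means the probe was forwarded into a black hole or the replies are being filtered, while '!H' means a router actively told you it has no route, so the fix is on that router, not beyond it.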
Other Tools – Layer 1
show ip interface brief
show interfaces
Other Tools – Layer 2
show arp
show mac address-table
Other Tools – Layer 4
telnet to a specific TCP port, to test whether that port is reachable through the path (for example telnet 10.1.0.1 443)
Other Tools – DNS
nslookup
ping by FQDN
OSPF Characteristics
OSPF is a Link State routing protocol
It supports large networks
It has very fast convergence time
Messages are sent using multicast
OSPF is an open standard protocol
It uses Dijkstra’s Shortest Path First algorithm to determine the best path
to learned networks
Link State Routing Protocols
In Link State routing protocols, each router describes itself and its interfaces to its directly connected neighbours
This information is passed unchanged from one router to another
Every router learns the full picture of the network including every router, its interfaces and what they connect to
OSPF routers use LSAs (Link State Advertisements) to pass on routing updates
OSPF Operations
1. Discover neighbours
2. Form adjacencies
3. Flood Link State Database (LSDB)
4. Compute Shortest Path
5. Install best routes in routing table
6. Respond to network changes
OSPF Packet Types
OSPF has five packet types: Hello, DBD, LSR, LSU and LSAck
Hello: A router will send out and listen for Hello packets when OSPF is enabled on an interface, and form adjacencies with other OSPF routers on the link
DBD (DataBase Description): Adjacent routers tell each other which LSAs they hold (LSA headers only) with the DBD packet
LSR (Link State Request): If a router is missing any of the LSAs listed in the received DBD, or holds an older copy, it sends the neighbour an LSR
OSPF Packet Types (Cont.)
LSA (Link State Advertisement): A routing update. The LSA is the unit of information stored in the LSDB; it is not a packet type of its own but is carried inside LSU packets
LSU (Link State Update): Contains one or more LSAs, sent in reply to an LSR and used during flooding
LSAck: Receiving routers acknowledge each LSA they receive, which makes flooding reliable
OSPF Configuration – Process ID
R1(config)#router ospf 1

Different interfaces on a router can run in different instances of OSPF
Different instances have different Link State Databases
Only one instance is typically configured on OSPF routers – multiple Process IDs are very rarely used
The Process ID is locally significant. It does not have to match on the neighbour router to form an adjacency
OSPF Configuration – Process ID
This is a normal configuration. All routers will learn all routes

R2(config)#router ospf 1
R2(config-router)#network 10.0.0.0 0.0.0.255 area 0
R2(config-router)#network 10.1.0.0 0.0.0.255 area 0

Diagram: R3 (10.1.1.1/24, .1 on 10.1.0.0/24) - 10.1.0.0/24 - R2 (.2 on both links) - 10.0.0.0/24 - R1 (.1). Every router runs Process ID 1.
OSPF Configuration - network
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0 0.0.255.255 area 0

The network command uses a wildcard mask, which is the inverse of a subnet mask
Subtract each octet in the subnet mask from 255 to calculate the wildcard mask
A subnet mask of 255.255.0.0 equals a wildcard mask of 0.0.255.255
A subnet mask of 255.255.255.252 equals a wildcard mask of 0.0.0.3
OSPF Configuration - network
R1(config)#router ospf 1
R1(config-router)#network 10.0.0.0
% Incomplete command.

The command does not default to using the classful boundary
You must enter a wildcard mask (and an area)
OSPF Configuration - network
R1(config-router)# network 10.0.0.0 0.0.255.255 area 0
The network command means:
Look for interfaces with an IP address which falls within this range (a 0 bit in the wildcard mask means that address bit must match; a 1 bit is ignored)
Enable OSPF on those interfaces – send out and listen for OSPF hello messages, and peer with adjacent OSPF routers
Advertise the network and mask which is configured on those interfaces
OSPF Configuration Example - network
R1(config-router)# network 10.0.0.0 0.0.255.255 area 0

R1 interfaces: FE0/0 10.1.0.1/24, FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24
Interfaces FE1/0 and FE2/0 fall within this range, FE0/0 does not
OSPF will be enabled on FE1/0 and FE2/0 and the router will peer with adjacent OSPF routers on those links
Networks advertised: 10.0.1.0/24 and 10.0.2.0/24
10.1.0.0/24 is NOT advertised (FE0/0 does not match the statement)
10.0.0.0/16 is NOT advertised (the statement's range only selects interfaces; what is advertised is each interface's own network and mask)
A wide wildcard like this also enables OSPF on any interface added later whose address happens to fall in the range. Matching each interface exactly (for example network 10.0.1.1 0.0.0.0 area 0) avoids accidentally forming an adjacency on a new link


OSPF Verification – show run | section ospf
R1#sh run | section ospf
router ospf 1
network 10.0.0.0 0.255.255.255 area 0
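The wildcard-mask matching the network statement slides describe, as an added example (not code from the original course). It converts subnet masks to wildcards, applies a statement to R1's interfaces from the example slide, and shows that the advertised prefixes are the interfaces' own networks, not the statement's range. The function and constant names are my own; it also covers the catch-all statement network 0.0.0.0 255.255.255.255 and the exact per-interface form, which the slide does not show.

```python
"""Added example, not from the original slides: how the OSPF 'network'
statement selects interfaces.  IOS compares each interface address with the
statement bit by bit: where the wildcard bit is 0 the address bit must match,
where it is 1 the bit is ignored.  OSPF is enabled on every matching
interface and the interface's own network/mask (not the statement's range)
is advertised.  R1's interfaces are the ones from the example slide; the
helper names are my own."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(mask):
    """Subnet mask -> wildcard mask (bitwise inverse, i.e. 255 minus each octet)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))


def wildcard_matches(address, network, wildcard):
    """True if `address` falls within network/wildcard (1 bits are 'don't care')."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES   # bits that must match
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def apply_network_statement(interfaces, network, wildcard):
    """Return (interfaces OSPF is enabled on, prefixes advertised).

    interfaces: {name: 'ip/prefixlen'} as configured with 'ip address'.
    """
    enabled, advertised = [], set()
    for name, cidr in interfaces.items():
        iface = ipaddress.IPv4Interface(cidr)
        if wildcard_matches(str(iface.ip), network, wildcard):
            enabled.append(name)
            advertised.add(str(iface.network))   # the interface's own network and mask
    return enabled, sorted(advertised)


# R1 from the configuration example slide
R1_INTERFACES = {
    "FastEthernet0/0": "10.1.0.1/24",
    "FastEthernet1/0": "10.0.1.1/24",
    "FastEthernet2/0": "10.0.2.1/24",
}

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.0.0"))       # 0.0.255.255
    print(wildcard_from_mask("255.255.255.252"))   # 0.0.0.3
    # network 10.0.0.0 0.0.255.255 area 0
    print(apply_network_statement(R1_INTERFACES, "10.0.0.0", "0.0.255.255"))
    # -> (['FastEthernet1/0', 'FastEthernet2/0'], ['10.0.1.0/24', '10.0.2.0/24'])
    # Exact match on one interface: network 10.0.1.1 0.0.0.0 area 0
    print(apply_network_statement(R1_INTERFACES, "10.0.1.1", "0.0.0.0"))
    # -> (['FastEthernet1/0'], ['10.0.1.0/24'])
    # Catch-all: network 0.0.0.0 255.255.255.255 area 0 enables OSPF everywhere
    print(apply_network_statement(R1_INTERFACES, "0.0.0.0", "255.255.255.255"))
```

The catch-all form is a common shortcut in labs and a bad habit in production: it will start sending Hellos, and accept adjacencies, on any interface that later gets an address, including one facing another organisation.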
OSPF Verification – show ip protocols
R1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.3.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.0.0.0 0.0.255.255 area 0
Routing Information Sources:
Gateway Distance Last Update
10.1.1.2 110 00:00:33
10.1.0.2 110 00:01:12
10.1.3.2 110 00:00:21
203.0.113.1 110 00:00:11
Distance: (default is 110)
OSPF Verification – show ip ospf interface brief
R2#show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Fa0/0 1 0 10.0.0.2/24 1 DR 1/1
OSPF Operations
1. Discover neighbours
2. Form adjacencies
3. Flood Link State Database (LSDB)
4. Compute Shortest Path
5. Install best routes in routing table
6. Respond to network changes
OSPF Verification - show ip ospf neighbor
R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.0.2.1 1 FULL/BDR 00:00:35 10.0.0.1 FastEthernet0/0

Diagram: R2 (F0/0 10.0.0.2) - 10.0.0.0/24 - R1 (F0/0 10.0.0.1, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24). R1's Neighbor ID 10.0.2.1 is its Router ID, not the address of the interface on the link.
OSPF Operations
1. Discover neighbours
2. Form adjacencies
3. Flood Link State Database (LSDB)
4. Compute Shortest Path
5. Install best routes in routing table
6. Respond to network changes
OSPF Verification - show ip ospf database
R2#show ip ospf database

OSPF Router with ID (10.1.0.2) (Process ID 1)

Router Link States (Area 0)

Link ID ADV Router Age Seq# Checksum Link count
10.0.3.1 10.0.3.1 102 0x80000004 0x009015 4
10.1.0.2 10.1.0.2 109 0x80000004 0x00AA37 2
203.0.113.1 203.0.113.1 463 0x80000003 0x000846 3

Net Link States (Area 0)

Link ID ADV Router Age Seq# Checksum
10.0.0.2 10.1.0.2 550 0x80000001 0x00A065
10.1.1.1 203.0.113.1 495 0x80000001 0x00EEB3
10.1.3.1 203.0.113.1 463 0x80000001 0x00F2AB
OSPF Operations
1. Discover neighbours
2. Form adjacencies
3. Flood Link State Database (LSDB)
4. Compute Shortest Path
5. Install best routes in routing table
6. Respond to network changes
OSPF Verification - show ip route
R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
L 10.0.0.2/32 is directly connected, FastEthernet0/0
O 10.0.1.0/24 [110/2] via 10.0.0.1, 00:07:11, FastEthernet0/0
O 10.0.2.0/24 [110/2] via 10.0.0.1, 00:07:11, FastEthernet0/0

Diagram: R2 (F0/0 10.0.0.2) - 10.0.0.0/24 - R1 (F0/0 10.0.0.1, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24)

The bracketed values are [administrative distance/metric]: 110 is the default administrative distance of OSPF, and 2 is the path cost (1 for R2's FastEthernet0/0 plus 1 for R1's LAN interface)
OSPF Router ID
OSPF routers identify themselves using an OSPF Router ID, which is a 32 bit number written in the form of an IP address.
This will default to being the highest IP address of any loopback interfaces configured on the router, or the highest other IP address if a loopback does not exist.
The Router ID is chosen when the OSPF process starts and is kept until the process restarts, even if interfaces are added or go down afterwards. Loopback interfaces never go down, so basing the Router ID on one keeps it stable.
You can also manually specify the Router ID.
Best practice is to use a Loopback or manually set the Router ID. Router IDs must be unique within the OSPF domain: a duplicate Router ID causes LSA flooding problems and routing instability.
OSPF Router ID – No Loopback
R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.1 YES NVRAM up up
FastEthernet1/0 10.0.1.1 YES NVRAM up up
FastEthernet2/0 10.0.2.1 YES NVRAM up up
FastEthernet3/0 10.0.3.1 YES NVRAM up up

R1#show ip protocols
*** IP Routing is NSF aware ***

Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 10.0.3.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.0.0.0 0.0.255.255 area 0
Routing Information Sources:
Gateway Distance Last Update
10.1.1.2 110 00:24:12
10.1.0.2 110 00:17:30
10.1.3.2 110 00:24:01
203.0.113.1 110 00:23:22
Distance: (default is 110)
OSPF Router ID - Loopback
R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.1 YES NVRAM up up
FastEthernet1/0 10.0.1.1 YES NVRAM up up
FastEthernet2/0 10.0.2.1 YES NVRAM up up
FastEthernet3/0 10.0.3.1 YES NVRAM up up
Loopback0 1.1.1.1 YES manual up up

R1#sh ip protocols
*** IP Routing is NSF aware ***
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 1.1.1.1
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Maximum path: 4
Routing for Networks:
10.0.0.0 0.0.255.255 area 0
Routing Information Sources:
Gateway Distance Last Update
10.1.1.2 110 00:31:38
10.1.0.2 110 00:03:46
10.1.3.2 110 00:31:27
Distance: (default is 110)

Note: if a loopback or a higher IP address is configured after OSPF is already running, the Router ID only changes on OSPF process restart.
OSPF Router ID – Manually Configured
R1(config)#router ospf 1
R1(config-router)#router-id 2.2.2.2
% OSPF: Reload or use "clear ip ospf process" command, for this to take effect
R1#clear ip ospf process

R1#show ip protocols
*** IP Routing is NSF aware ***
Routing Protocol is "ospf 1"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Router ID 2.2.2.2
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
! truncated

clear ip ospf process tears down every adjacency and reconverges the whole process, so do it in a maintenance window
Passive Interface Configuration

Diagram: the lab topology from above (R1 - R2 - R3 - R4, with R6 off R1's FE3/0 and R5 off R4's FE2/0; R1 has Loopback0 192.168.1.1/32, FE0/0 10.0.0.1/24, FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24 and FE3/0 10.0.3.1/24)

R1(config)#router ospf 1
R1(config-router)#passive-interface loopback 0
R1(config-router)#passive-interface f2/0
Passive Interface Configuration

Diagram: the same lab topology

Making every interface passive by default and then opening only those with OSPF neighbours is the safer pattern: an interface added later will not form an adjacency unless you explicitly allow it

R1(config)#router ospf 1
R1(config-router)#passive-interface default
R1(config-router)#no passive-interface f0/0
R1(config-router)#no passive-interface f1/0
R1(config-router)#no passive-interface f3/0
Default Route Injection

Diagram: R4 - 10.1.1.0/24 - R3 - 10.1.0.0/24 - R2 - 10.0.0.0/24 - R1 (FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24). R4 connects to the Internet from its address 203.0.113.1, with the provider at 203.0.113.2.

R4(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2

R4(config)#router ospf 1
R4(config-router)#default-information originate

R4 advertises the default route into OSPF as an external (E2) route. Without the always keyword it only does so while a default route is present in its own routing table, so the advertisement is withdrawn if the static route's next hop becomes unreachable
Default Route Injection Verification
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 10.0.0.2, 00:00:01, FastEthernet0/0


1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback0
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C 10.0.0.0/24 is directly connected, FastEthernet0/0
L 10.0.0.1/32 is directly connected, FastEthernet0/0
C 10.0.1.0/24 is directly connected, FastEthernet1/0
L 10.0.1.1/32 is directly connected, FastEthernet1/0
C 10.0.2.0/24 is directly connected, FastEthernet2/0
L 10.0.2.1/32 is directly connected, FastEthernet2/0
C 10.0.3.0/24 is directly connected, FastEthernet3/0
L 10.0.3.1/32 is directly connected, FastEthernet3/0
O 10.1.0.0/24 [110/51] via 10.0.0.2, 01:40:53, FastEthernet0/0
O 10.1.1.0/24 [110/52] via 10.0.0.2, 00:00:11, FastEthernet0/0
O 10.1.2.0/24 [110/53] via 10.0.0.2, 00:00:01, FastEthernet0/0
O 10.1.3.0/24 [110/2] via 10.0.3.2, 00:00:40, FastEthernet3/0
The speed command
The rate that Ethernet interfaces physically transmit at is set by the 'speed' command
GigabitEthernet interfaces transmit at 1000 Mbps by default
FastEthernet interfaces transmit at 100 Mbps by default
If you use the 'speed 10' command on a FastEthernet interface it will physically transmit at 10 Mbps
The clock rate command
The rate that Serial interfaces physically transmit at is set by the 'clock rate' command on the DCE side of the link
Serial interfaces transmit at 1.544 Mbps by default
If you use the 'clock rate 64000' command on a Serial interface it will physically transmit at 64 Kbps
The bandwidth command
Interfaces also have a default bandwidth value (e.g. 100 Mbps on FastEthernet interfaces, 1.544 Mbps on a serial interface)
The bandwidth value usually matches the physical transmission rate of the interface
The 'bandwidth' setting on an interface does not affect the physical transmission rate – that is set by the 'speed' or 'clock rate' commands. It is a value consulted by routing protocols (OSPF, EIGRP) and by other features such as QoS
If you set a bandwidth of 50 Mbps on a FastEthernet interface, it will still transmit at 100 Mbps
OSPF Metric Calculation
As OSPF is a Link State routing protocol, the router learns about all destinations in its area, the links and their cost
The router selects routes based on the lowest total cost to reach the destination (the sum of the outgoing interface costs along the path)
OSPF Metric Calculation
In this example R2 will choose the path via R3 to get to the 10.0.1.0/24 network as it is lower cost

Diagram: R2 F0/0 (.2) - 10.0.0.0/24 - F0/0 R1 (.1), with R1's F1/0 on 10.0.1.0/24 (10.0.1.1). R2 F1/0 (.1) - 10.0.2.0/24 - F1/0 R3 (.2), and R3 F0/0 (.2) - 10.0.3.0/24 - R1 (.1). Costs: R2-R1 direct link 50, R1's 10.0.1.0/24 interface 10, R2-R3 link 10, R3-R1 link 10. Via R3: 10 + 10 + 10 = 30. Direct: 50 + 10 = 60.
Reference Bandwidth
The cost is automatically derived from the interface bandwidth
Cost = Reference Bandwidth / Interface Bandwidth, truncated to an integer, with a minimum of 1
The default reference bandwidth is 100 Mbps
FastEthernet link cost defaults to 1 (100 / 100)
T1 link cost defaults to 64 (100 / 1.544 = 64.77, truncated)
Reference Bandwidth
OSPF treats all interfaces of 100 Mbps or faster as equal
FastEthernet, Gigabit Ethernet, 10 Gigabit Ethernet etc. all default to a cost of 1
This can cause undesirable routing in modern networks

Diagram: the same topology as the previous slide, but the R2-R3 and R3-R1 links are GigabitEthernet (G1/0, G0/0). With the default reference bandwidth every link costs 1, so R2 prefers the slower direct FastEthernet path to R1 (cost 2) over the Gigabit path via R3 (cost 3).
Reference Bandwidth
R1(config)#router ospf 1
R1(config-router)#auto-cost reference-bandwidth 100000

The value is in Mbps, so 100000 sets a reference bandwidth of 100 Gbps
The reference bandwidth must be changed on all routers in the OSPF domain, otherwise routers disagree about link costs and choose inconsistent paths

Diagram: the same topology; FastEthernet links now cost 1000 and GigabitEthernet links cost 100, so R2 prefers the path via R3 (100 + 100 + 1000 = 1200) over the direct link (1000 + 1000 = 2000).
Manipulating the OSPF Metric
OSPF takes the bandwidth of an interface into account when
calculating the metric, so paths along higher bandwidth links will be
preferred
The most desirable path will typically be automatically selected
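The cost formula and the path selection from the reference bandwidth and metric slides above, as an added example (not code from the original course): it computes interface costs the way the slides describe and then runs Dijkstra's SPF over the R1/R2/R3 topology, once with the default reference bandwidth and once with 100000. The link speeds (FastEthernet for the R2-R1 link and R1's LAN, GigabitEthernet for the links via R3) are my assumption chosen to match the diagrams; the function names are my own.

```python
"""Added example, not from the original slides: OSPF interface cost from the
reference bandwidth, and Dijkstra's SPF run over the three-router topology on
this page.  Cost = reference bandwidth / interface bandwidth, truncated to an
integer and never less than 1, which is why every link of 100 Mbps or faster
costs 1 under the default 100 Mbps reference.  Link speeds are assumed to
match the slides: R2-R1 direct on FastEthernet, R2-R3 and R3-R1 on
GigabitEthernet, and R1's LAN 10.0.1.0/24 on FastEthernet."""
import heapq

FE_KBPS = 100_000        # 'BW 100000 Kbit/sec' in show interface
GE_KBPS = 1_000_000
T1_KBPS = 1_544


def ospf_cost(reference_bw_mbps, interface_bw_kbps):
    """Cisco's formula: reference bandwidth (converted to kbit/s) divided by the
    interface bandwidth, integer-truncated, minimum 1 (a cost of 0 is not allowed)."""
    return max(1, (reference_bw_mbps * 1000) // interface_bw_kbps)


def build_graph(reference_bw_mbps):
    """Directed graph {node: {neighbour: cost}}. OSPF charges the cost of the
    *outgoing* interface at each hop, so each direction carries its own cost."""
    fe = ospf_cost(reference_bw_mbps, FE_KBPS)
    ge = ospf_cost(reference_bw_mbps, GE_KBPS)
    return {
        "R2": {"R1": fe, "R3": ge},
        "R3": {"R1": ge, "R2": ge},
        "R1": {"R2": fe, "R3": ge, "10.0.1.0/24": fe},
        "10.0.1.0/24": {},            # leaf: the LAN behind R1's FastEthernet
    }


def spf(graph, source):
    """Dijkstra's shortest path first. Returns {node: (total_cost, path)}."""
    best = {source: (0, [source])}
    heap = [(0, source)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue                  # stale heap entry superseded by a cheaper path
        done.add(node)
        for nbr, link_cost in graph[node].items():
            candidate = cost + link_cost
            if nbr not in best or candidate < best[nbr][0]:
                best[nbr] = (candidate, best[node][1] + [nbr])
                heapq.heappush(heap, (candidate, nbr))
    return best


def best_path(reference_bw_mbps, source, destination):
    """(total cost, hop list) that router `source` installs for `destination`."""
    return spf(build_graph(reference_bw_mbps), source)[destination]


if __name__ == "__main__":
    print(ospf_cost(100, T1_KBPS))                    # 64
    print(best_path(100, "R2", "10.0.1.0/24"))        # (2, ['R2', 'R1', '10.0.1.0/24']): slow direct link wins
    print(best_path(100_000, "R2", "10.0.1.0/24"))    # (1200, ['R2', 'R3', 'R1', '10.0.1.0/24'])
```

Run the two calls side by side and the slide's warning becomes concrete: with the default reference bandwidth the Gigabit path loses simply because OSPF cannot tell it apart from FastEthernet, and raising the reference on only some routers would give each of them a different answer for the same topology.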
Manipulating the OSPF Metric (Cont.)
If you want to use a different path, you can manipulate this by
manually changing the bandwidth or OSPF cost on interfaces
It is recommended to use cost because the bandwidth setting can
affect many features other than OSPF (such as QoS)
OSPF Metric - Bandwidth
R1#show interface serial1/0
Serial1/0 is administratively down, line protocol is down
Hardware is M4T
MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
!
R1(config)#interface serial1/0
R1(config-if)#bandwidth 768
!
R1#show interface serial1/0
Serial1/0 is administratively down, line protocol is down
Hardware is M4T
MTU 1500 bytes, BW 768 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
OSPF Metric - Cost
A manually configured OSPF cost overrides the value automatically derived from the bandwidth

R1(config)#interface FastEthernet 0/0
R1(config-if)#ip ospf cost 50
OSPF Metric - Cost
R1#show ip ospf interface FastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 10.0.0.1/24, Area 0, Attached via Network Statement
Process ID 1, Router ID 192.168.0.1, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 50 no no Base
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:02
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.1.0.2 (Designated Router)
! truncated
OSPF Operations
1. Discover neighbours
2. Form adjacencies
3. Flood Link State Database (LSDB)
4. Compute Shortest Path
5. Install best routes in routing table
6. Respond to network changes
Hello Packets
OSPF routers discover each other and form adjacencies via Hello
packets
They send Hello packets out each interface where OSPF is enabled
(except passive interfaces)
Multicast to 224.0.0.5 (‘all OSPF routers’)
Sent every 10 seconds by default
Hello Packet Contents
Router ID: 32 bit number that uniquely identifies each OSPF router
Hello Interval: How often router sends Hello packets. Default 10 secs.
Dead Interval: How long a router waits to hear from a neighbor
before declaring it out of service. Default 4x Hello Interval.
Neighbors: A list of adjacent OSPF routers that this router has
received a Hello packet from.
Hello Packet Contents (Cont.)
Area ID: The area configured for that interface
Router Priority: An 8 bit number used to select DR and BDR.
DR and BDR IPv4 Address: If known.
Authentication Flag: Authentication details if configured.
Stub Area Flag: If the area is a stub area. Stub areas have a default
route to their ABR rather than learning routes outside the area.
Hello Packet Contents (Cont.)
These settings must match for a pair of OSPF routers to form an adjacency with each other:
Hello and Dead Intervals
Area ID
IP subnet and mask of the link
Authentication type and key (if configured)
Stub Area Flag
Each router must also see its own Router ID in the other's Neighbor list before the adjacency can progress beyond Init to 2-Way
If any of these is mismatched the routers stay in Down or Init and never exchange LSAs; debug ip ospf adj reports which field is mismatched
Neighbor States - Down
Topology for this sequence: R1 (172.16.1.1/24 and 10.0.0.1/30) and R2 (172.16.2.1/24 and 10.0.0.2/30) share the 10.0.0.0/30 link. Their Router IDs are 172.16.1.1 and 172.16.2.1.
Down: no Hello has been received from the neighbour yet
R1 Hello (to 224.0.0.5): I am Router ID 172.16.1.1 and I have no neighbors
Neighbor States – Init
Init: R2 has received R1's Hello, but R1's Hello does not yet list R2 as a neighbor
Neighbor States – 2-Way
R2 Hello (to 224.0.0.5): I am Router ID 172.16.2.1 and I see 172.16.1.1
R1 Hello (to 224.0.0.5): I am Router ID 172.16.1.1 and I see 172.16.2.1
Each router now sees its own Router ID in the other's Hello, so both are in 2-Way state
Neighbor States - ExStart
The routers decide which one controls the database exchange (the Master) by exchanging empty DBD packets:
R1 DBD: I will start Exchange with my Router ID 172.16.1.1
R2 DBD: No, I will be Master because I have the higher Router ID 172.16.2.1
Neighbor States – Exchange
Each router sends DBD packets listing the headers of the LSAs in its LSDB, and the neighbour acknowledges them (the slide draws this as LSAck; strictly, a DBD is acknowledged by the reply DBD carrying the same sequence number):
R1 DBD: LSDB Summary
R2: Acknowledged
R2 DBD: LSDB Summary
R1: Acknowledged
Neighbor States – Loading
Each router requests the LSAs it is missing, or holds an older copy of, and receives them in LSUs:
R2 LSR: I need full info on 172.16.1.0/24
R1 LSU: Here's the info
R1 LSR: I need full info on 172.16.2.0/24
R2 LSU: Here's the info
Neighbor States - Full
R2 LSAck: Acknowledged
R1 LSAck: Acknowledged
Both LSDBs are now synchronised and the neighbours are in Full state
OSPF on Multiaccess Segments
On point to point links, OSPF router pairs form a FULL adjacency
On multiaccess segments (such as Ethernet) where there can be multiple routers, it is inefficient for all routers to form a FULL OSPF adjacency with each other: n routers would need n(n-1)/2 adjacencies, each flooding LSAs separately

Diagram: R1 10.0.0.1/24, R2 10.0.0.2/24, R3 10.0.0.3/24 and R4 10.0.0.4/24 all on the same Ethernet segment
DR and BDR
A DR (Designated Router) and BDR (Backup Designated Router) are elected
The router with the highest priority becomes DR, and the router with the 2nd highest priority becomes BDR
Default priority is 1, the higher the better (0 - 255). A priority of 0 means the router never becomes DR or BDR
Highest Router ID is used in case of a tie
The election is not preemptive: once a DR and BDR exist, a router that later joins the segment with a higher priority or Router ID does not take over until the current DR fails
Neighbor States – 2-Way
On multiaccess segments such as Ethernet, the routers elect the DR and BDR at the 2-Way stage
There is no election on point to point links
Setting OSPF Priority
R1(config)#interface FastEthernet 0/0
R1(config-if)#ip ospf priority 100

R4(config)#interface FastEthernet 0/0
R4(config-if)#ip ospf priority 0

Because the election is not preemptive, restart OSPF on the interface (or the process) for the change to take effect
Multiaccess Segment Neighbor States
The DR and BDR establish FULL neighbor state with all routers on the network segment
The neighbor state between the other routers (DROthers) remains in 2-Way and they do not directly exchange routes with each other
Multiaccess Segment LSA Updates
When a link state changes on a router connected to a multiaccess segment, it sends a multicast LSU packet to 224.0.0.6 ('all designated routers'), which only the DR and BDR listen to
The DR then multicasts the update to 224.0.0.5 ('all OSPF routers')
OSPF DR and BDR Lab

Diagram (Area 0): R6 FE0/0 172.16.0.6/24, R7 FE0/0 172.16.0.7/24, R8 FE0/0 172.16.0.8/24 and R9 FE0/0 172.16.0.9/24 on one shared segment
OSPF Areas
Every router learns the full picture of the network including every router,
its interfaces and what they connect to
This can cause issues in large networks:
Too many routes can use up too much router memory
Network changes cause all routers to reconverge which takes time
and CPU resources
OSPF Areas
OSPF supports a hierarchical design which segments large networks into
smaller areas to solve this problem
Each router maintains full information about its own area, but only
summary information about other areas
OSPF Areas
A two level hierarchy is used:
Transit area (backbone or area 0). Does not generally contain end users.
Regular areas (nonbackbone areas). Used to connect end users to the Transit area.
By default, all inter-area traffic goes through the Transit area.
Small networks do not require a hierarchical design and all routers can be in Area 0

Diagram: Area 0 in the middle, with Area 1 and Area 2 each attached to it
OSPF Configuration - network
R1(config-router)# network 10.0.0.0 0.0.255.255 area 0
The area is configured at the interface level with the ‘network’
command
For a router to form an adjacency, its neighbour must be
configured to be in the same area
OSPF Router Types – Backbone Routers
Routers which have all their OSPF interfaces in Area 0 are Backbone Routers
Routers maintain a full LSDB of other routers and links in their own area

Diagram: Area 0
Routes received from other routers in the same area appear as Internal OSPF routes
R3#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks


O 10.1.2.0/24 [110/2000] via 10.1.1.1, 00:08:53, FastEthernet0/0
O 10.1.3.0/24 [110/2500] via 10.1.1.1, 00:04:04, FastEthernet0/0
O 203.0.113.0/24 [110/2000] via 10.1.1.1, 00:08:43, FastEthernet0/0
! truncated
OSPF Router Types - ABRs
Routers which have interfaces in multiple areas are Area Border Routers (ABRs)

Diagram: Area 0 with Area 1 and Area 2 attached; the routers sitting on the boundary between Area 0 and each other area are the ABRs
OSPF Router Types - ABRs
An ABR has the following characteristics:
It separates LSA flooding zones.
It becomes the primary point for area address summarization.
It functions regularly as the source for default routes.
It maintains the LSDB for each area with which it is connected.
The ideal design is to have each ABR connected to two areas only, the backbone and another area, with three areas being the upper limit.
Manual Summarization
ABRs do not automatically summarise
If you do not configure summarisation, all routes are flooded everywhere as individual inter-area routes
The area range command summarises the routes of the named area when the ABR advertises them into its other areas:
R2(config)#router ospf 1
R2(config-router)#network 10.1.0.0 0.0.255.255 area 0
R2(config-router)#network 10.0.0.0 0.0.255.255 area 1
R2(config-router)#area 0 range 10.1.0.0 255.255.0.0
R2(config-router)#area 1 range 10.0.0.0 255.255.0.0

Diagram: R1 (10.1.1.1/24, F1/0 .1 on 10.1.0.0/24) - 10.1.0.0/24 - R2 (F1/0 .2, F0/0 .2 on 10.0.0.0/24) - 10.0.0.0/24 - R3 (F0/0 .1, F1/0 10.0.1.1/24, F2/0 10.0.2.1/24), with R4 beyond R3. R1 and the 10.1.0.0/24 link are in Area 0; 10.0.0.0/24 and everything behind R3 are in Area 1. R2 is the ABR.
Inter Area Routes
Routes to other areas appear as Inter Area (O IA) routes
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O IA 10.0.0.0/16 [110/2000] via 10.1.0.2, 00:06:15, FastEthernet1/0
O 192.168.0.4 [110/1001] via 10.1.1.1, 00:08:53, FastEthernet0/0
O 203.0.113.0/24 [110/2000] via 10.1.1.1, 00:08:43, FastEthernet0/0
! truncated
OSPF Router Types – Normal Area Routers
Routers which have all their OSPF interfaces in a normal area are normal internal routers

Diagram: Area 0 with Area 1 and Area 2 attached; the routers entirely inside Area 1 or Area 2 are normal internal routers

OSPF Router Types – Normal Area Routers
Routers maintain a full LSDB of other routers and links in their own area
They learn Inter Area routes to other areas from their ABRs

Diagram: Area 0 with Area 1 and Area 2 attached

OSPF Router Types - ASBRs
Routers which redistribute into OSPF are Autonomous System Boundary Routers

Diagram: Area 0 with Area 1 and Area 2 attached; a router connected to another AS and redistributing its routes into OSPF is the ASBR
External Routes
Routes which are redistributed into OSPF appear as External Routes (E1 or E2)
R1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

O*E2 0.0.0.0/0 [110/1] via 10.1.1.1, 00:19:35, FastEthernet0/0

10.0.0.0/8 is variably subnetted, 10 subnets, 2 masks
O IA 10.0.0.0/16 [110/2000] via 10.1.0.2, 00:18:18, FastEthernet1/0
O 10.1.2.0/24 [110/2000] via 10.1.1.1, 00:20:56, FastEthernet0/0
O 10.1.3.0/24 [110/2500] via 10.1.1.1, 00:16:07, FastEthernet0/0
192.168.0.0/32 is subnetted, 3 subnets
O IA 192.168.0.1 [110/2001] via 10.1.0.2, 00:18:18, FastEthernet1/0
Single Area OSPF Lab

Diagram: the lab topology (R1 - 10.0.0.0/24 - R2 - 10.1.0.0/24 - R3 - 10.1.1.0/24 - R4, with R5 off R4's FE2/0 over 10.1.3.0/24, R1's FE1/0 10.0.1.1/24, FE2/0 10.0.2.1/24 and FE3/0 10.0.3.1/24, and R4's 10.1.2.1/24), all in Area 0
Multi Area OSPF Lab

Diagram: the same topology, with part of the network moved into Area 1 and the rest remaining in Area 0
Campus Design - Access, Distribution and Core Layers

The campus LAN should be designed for scalability, performance and


security
To aid in a best practice design process, the network topology is split
into access, distribution and core layers
The layers have their own design principles and characteristics
Campus Design – Access Layer

Access Layer

Main Building Building 1


The Access Layer
End hosts such as desktop computers, servers and IP phones connect
into the network at the access layer
It is designed to have a high port count at an affordable cost
Desktops typically have only one Network Interface Card (NIC) so they
connect into one switch or Wireless Access Point
Servers will often have dual NICs and connect to a pair of redundant
switches
Client access security measures are enabled at the Access Layer
Campus Design - Distribution Layer

Distribution Layer

Access Layer

Main Building Building 1


The Distribution Layer

Access Layer switches uplink to Distribution Layer switches


The Distribution Layer switches serve as an aggregation point for the
Access Layer and provide scalability
Distribution Layer switches are typically deployed in redundant pairs,
with downstream Access Layer switches connected to both
End hosts are not typically connected here
Most software policy such as QoS is enabled at this layer
Campus Design - Core Layer
(Diagram: the Distribution Layer switches in the Main Building and Building 1 uplink to a pair of Core Layer switches, which connect to the Wide Area Network.)

The Core Layer
Distribution Layer switches uplink to Core Layer switches
Core Layer switches are typically deployed in redundant pairs, with downstream Distribution Layer switches connected to both
Traffic between different parts of the campus travels through the core so it is designed for speed and resiliency
Software policy slows the switch down so should be avoided in the Core Layer
Collapsed Distribution and Core

Smaller campuses do not need the scalability of three separate layers
In these cases a Collapsed Distribution and Core layer is used, where the Distribution and Core layer functions are performed on the same hardware device
Collapsed Distribution and Core
(Diagram: Access Layer switches in the Main Building uplink to a combined Distribution/Core Layer, which connects to the Wide Area Network.)
Traditional Campus Design
(Diagram: separate Access, Distribution and Core Layers across the Main Building and Building 1, with the Core Layer connected to the Wide Area Network.)
Traditional Campus Design
(Diagram: the same three-layer design, with a Data Center and Building 1 shown attached below the Core.)
Router Operations

Routers operate at Layer 3 of the OSI stack
Hosts in separate IP subnets must send traffic via a router to communicate
Security rules on routers or firewalls can be used to easily control what traffic is allowed between different IP subnets at Layer 3
Routers do not forward broadcast traffic by default
They provide performance and security by splitting networks into smaller domains at Layer 3
Switch Operations

Switches operate at Layer 2 of the OSI stack
They do forward broadcast traffic by default
By default a campus switched network is one large broadcast domain
Switches flood broadcast traffic everywhere, including between different IP subnets
This raises performance and security concerns
LAN Networks
(Diagram: a router with a Wide Area Network uplink provides the ENG default gateway 10.10.10.1 and the SALES default gateway 10.10.20.1. A single Ethernet switch connects ENG PC1 10.10.10.10, ENG PC2 10.10.10.11, ENG PC3 10.10.10.12, SALES PC1 10.10.20.11 and SALES PC2 10.10.20.10.)
Unicast Traffic within same IP subnet
(Diagram: the same LAN; a unicast frame between two ENG hosts is switched directly at Layer 2 and never reaches the router.)
Unicast Traffic between different IP subnets
(Diagram: the same LAN; unicast traffic from an ENG host to a SALES host is sent to the default gateway and routed between the two subnets. You can implement security policies on the router to limit traffic between IP subnets.)
Broadcast Traffic
(Diagram: the same LAN; a broadcast from one host is flooded by the switch out every port, so it reaches both the ENG and the SALES hosts.)
The Problem

Switches flood broadcast traffic everywhere, including between different IP subnets
This affects security because the traffic bypasses router or firewall Layer 3 security policies
It affects performance because every end host has to process the traffic
It also affects performance by using bandwidth on links where the traffic is not required
Broadcast Traffic
(Diagram: ACCOUNTS PC1 and ACCOUNTS PC2 in 10.10.30.0/24 are added to the LAN; a broadcast still reaches them as well as all the ENG and SALES hosts.)
VLAN Virtual Local Area Networks

We can increase performance and security in the LAN by implementing VLANs on our switches
VLANs segment the LAN into separate broadcast domains at Layer 2
There is typically a one-to-one relationship between an IP subnet and a VLAN
VLAN Virtual Local Area Networks
(Diagram: the same LAN, with the switch ports split into an ENG VLAN (F0/1, F0/3, F0/4, F0/5) and a SALES VLAN (F0/2, F0/6, F0/7). Switches only allow traffic within the same VLAN.)
Unicast Traffic within same IP subnet
(Diagram: a unicast frame between two ENG hosts is switched within the ENG VLAN.)
Unicast Traffic between different IP subnets
(Diagram: unicast traffic from the ENG VLAN to the SALES VLAN must go via the router.)
Broadcast Traffic
(Diagram: a broadcast from an ENG host is flooded only to the ENG VLAN ports; the SALES hosts do not receive it.)
VLAN Access Ports

VLAN access ports are configured on switch interfaces where end hosts
are plugged in
Access ports are configured with one specific VLAN
The configuration is all on the switch, the end host is not VLAN aware
Switches only allow traffic within the same VLAN
Unicast Traffic within same IP subnet
(Diagram: the VLAN topology again; traffic between two hosts on ports in the same VLAN is switched normally.)
Misconfigured VLAN
(Diagram: the same topology with one host's port placed in the wrong VLAN; it can no longer reach the other hosts in its IP subnet, because the switch does not forward between VLANs even though the IP addresses match.)
The Default VLAN - VLAN 1
(Diagram: the original single-switch LAN. All ports are in VLAN 1 by default, so until VLANs are configured the ENG and SALES hosts share one broadcast domain.)
Access Port Configuration – Eng VLAN
SW1(config)#vlan 10
SW1(config-vlan)#name Eng
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config)#interface range FastEthernet 0/3 - 5
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 10
Access Port Configuration – Sales VLAN
SW1(config)#vlan 20
SW1(config-vlan)#name Sales
SW1(config)#interface FastEthernet 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
SW1(config)#interface range FastEthernet 0/6 - 7
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 20
Verification – show vlan brief
SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gig0/1, Gig0/2
10   Eng                              active    Fa0/1, Fa0/3, Fa0/4, Fa0/5
20   Sales                            active    Fa0/2, Fa0/6, Fa0/7
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Verification – show interface switchport
SW1#show interface FastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Eng)
Trunking Native Mode VLAN: 1 (default)
! truncated
VLAN Lab
VLAN Access Ports
(Diagram: the VLAN topology; ENG hosts on F0/1, F0/3, F0/4 and F0/5, SALES hosts on F0/2, F0/6 and F0/7.)
What about the links between switches?
(Diagram: a second Ethernet switch is added and the ENG and SALES hosts are spread across both switches, so the link between the switches must carry traffic for both VLANs.)
Dot1Q Trunks
(Diagram: the same two-switch topology with the inter-switch link marked TRUNK.)
Dot1Q Trunks

An access port carries traffic for one specific VLAN
Dot1Q (IEEE 802.1Q) trunks are configured on the links between switches where we need to carry traffic for multiple VLANs
ISL (Inter-Switch Link) was a Cisco proprietary trunking protocol which is now obsolete
Dot1Q Trunks

When the switch forwards a frame to another switch over a trunk, it inserts a Dot1Q tag into the Ethernet header carrying the frame's VLAN ID
The receiving switch will only forward the frame out ports that are in that VLAN
The switch removes the Dot1Q tag from the Ethernet frame when it sends it to the end host
Dot1Q Format
(Diagram of the frame formats.)
Ethernet frame received from host: Destination MAC | Source MAC | EtherType | Payload
Switch inserts a 4-byte Dot1Q tag when sending out a trunk port: Destination MAC | Source MAC | Tag | EtherType | Payload. The tag is the TPID 0x8100 followed by a 3-bit priority, a 1-bit DEI and the 12-bit VLAN ID
A receiving switch will remove the Dot1Q tag when forwarding the frame out an access port
Dot1Q Trunks
(Diagram: SALES PC2 sends a frame to SALES PC1 across the two switches.)
1. SALES PC2 sends an untagged frame into its access port, which is in the Sales VLAN
2. The first switch inserts a Dot1q tag for the Sales VLAN and sends the frame out the trunk
3. The frame crosses the trunk carrying the Sales VLAN tag
4. The second switch strips the Dot1q tag
5. The frame is delivered out the access port to SALES PC1, which is in the Sales VLAN
The Native VLAN
The switch needs to know which VLAN to assign to any traffic which comes in untagged on a trunk port
This used to be required for when a switch was connected to a hub. Hubs are Layer 1 devices so are not VLAN aware
The Native VLAN is used for this
The default Native VLAN is VLAN 1
Native VLAN frames cross the trunk untagged, which is what makes double-tagging VLAN hopping possible: a host on a port in the Native VLAN sends a frame with two tags, the first switch strips the outer (native) tag and the next switch reads the inner tag and forwards the frame into a VLAN the host should not reach. Best practice is therefore to change the Native VLAN to an unused VLAN that no access port belongs to
The Native VLAN must match on both sides of a trunk. The trunk still comes up with a mismatch, but each switch then places untagged frames in a different VLAN, leaking traffic between the two; CDP logs a native VLAN mismatch and Spanning Tree may block the port for the affected VLANs
Native VLAN Configuration
SW1(config)#vlan 199
SW1(config-vlan)#name Native
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#description Trunk to SW2
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#switchport trunk native vlan 199
The encapsulation command only exists on switches that also support ISL; switches that support Dot1Q alone (such as the 2960) do not have it and trunk with Dot1Q regardless
Verification – show interface switchport
SW1#show interface gig0/1 switchport
Name: Gig0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 199 (Inactive)
Voice VLAN: none
truncated
Limiting Allowed VLANs
(Diagram: a second switch hosting ACCOUNTS PC1 10.10.30.10, ACCOUNTS PC2 10.10.30.11 and ENG PC3 10.10.10.12 is trunked to the switch with the ENG and SALES hosts. Only the ENG and ACCOUNTS VLANs need to cross that trunk, so the SALES VLAN should be kept off it.)
Allowed VLAN Configuration
SW1(config)#interface GigabitEthernet 0/1
SW1(config-if)#switchport trunk allowed vlan 10,30
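The Dot1Q format, Native VLAN and allowed-VLAN behaviour described in the three sections above, as an added Python example that is not part of the course material: it builds and parses 802.1Q tags and models one end of a trunk, including the failure mode where the Native VLAN differs on the two ends and the effect of pruning the allowed list. The switch names, MAC addresses, VLAN numbers and helper names are constructed for the demo and are not IOS commands or output.

```python
# Added example (not from the course material): builds and parses IEEE 802.1Q
# tags and models how a trunk port handles tagged and untagged frames.
# Switch names, MAC addresses and VLAN numbers below are constructed for the demo.
import struct
from typing import Dict, Optional, Set

ETHERTYPE_8021Q = 0x8100   # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame. With a VLAN, the 4-byte 802.1Q tag (TPID + TCI) is
    inserted between the source MAC and the original EtherType."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vlan                     # PCP(3) | DEI(1, left 0) | VID(12)
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return dst, src, vlan (None when untagged), ethertype and payload."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        (ethertype,) = struct.unpack("!H", frame[16:18])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None,
            "ethertype": ethertype, "payload": frame[14:]}


def strip_tag(frame: bytes) -> bytes:
    """What a switch does before sending a frame out an access port."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"])


class TrunkPort:
    """One end of a Dot1Q trunk with a native VLAN and an allowed-VLAN list."""

    def __init__(self, native_vlan: int, allowed: Set[int]):
        self.native_vlan = native_vlan
        self.allowed = allowed

    def ingress_vlan(self, frame: bytes) -> Optional[int]:
        """VLAN assigned to a frame arriving on the trunk; None means dropped."""
        vlan = parse_frame(frame)["vlan"]
        if vlan is None:
            vlan = self.native_vlan            # untagged frames land in the native VLAN
        return vlan if vlan in self.allowed else None

    def egress_frame(self, vlan: int, untagged: bytes) -> Optional[bytes]:
        """Frame as it leaves the trunk for the given VLAN; None means not carried."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native_vlan:           # the native VLAN crosses the trunk untagged
            return untagged
        f = parse_frame(untagged)
        return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"], vlan=vlan)


# Constructed sample frame: broadcast from a made-up MAC with a dummy IPv4 payload.
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"),
                     ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)


def native_vlan_mismatch() -> tuple:
    """SW1 sends VLAN 199 (its native VLAN) untagged; SW2 still uses the default
    native VLAN 1, so the frame is assigned to a different VLAN on arrival."""
    sw1 = TrunkPort(native_vlan=199, allowed=set(range(1, 4095)))
    sw2 = TrunkPort(native_vlan=1, allowed=set(range(1, 4095)))
    on_wire = sw1.egress_frame(199, SAMPLE)
    return 199, sw2.ingress_vlan(on_wire)      # (199, 1): traffic leaked into VLAN 1


def pruned_trunk() -> tuple:
    """'switchport trunk allowed vlan 10,30' on a trunk with native VLAN 199."""
    sw1 = TrunkPort(native_vlan=199, allowed={10, 30})
    return (sw1.egress_frame(10, SAMPLE) is not None,   # ENG carried, tagged 10
            sw1.egress_frame(20, SAMPLE) is None,       # SALES not carried
            sw1.egress_frame(199, SAMPLE) is None)      # the native VLAN itself is pruned too
```

The last check is the one that surprises people: once the allowed list no longer contains the Native VLAN, frames in that VLAN are not carried across the trunk at all, which is exactly what you want when the Native VLAN is a dummy VLAN with no hosts.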
VLAN Lab
Dynamic Trunking Protocol DTP

If two Cisco switches are cabled together they can negotiate a trunk connection using Cisco's Dynamic Trunking Protocol DTP
It is however recommended to manually configure switch ports
Manual configuration:
switchport mode access
switchport mode trunk
Dynamic Trunking Protocol DTP

DTP configuration:
switchport mode dynamic auto: will form a trunk if the neighbour switch port is set to trunk or desirable. A trunk will not be formed if both sides are set to auto. Default on newer switches.
switchport mode dynamic desirable: will form a trunk if the neighbour switch port is set to trunk, desirable or auto. Default on older switches.
switchport nonegotiate: disables DTP. A dynamic port on the far side receives no DTP frames, so it stays in access mode even if this side is hard-coded as a trunk; pair nonegotiate with switchport mode trunk on both ends.
A port left at the dynamic auto default will trunk with whatever is plugged into it that speaks DTP, so a host could negotiate itself a trunk and reach every VLAN. On ports facing end hosts configure switchport mode access together with switchport nonegotiate.
DTP Lab
VLANs and IP subnets in the LAN

There is typically a one-to-one relationship between an IP subnet and a VLAN in the LAN campus
For example Engineering hosts are in IP subnet 10.10.10.0/24 and VLAN 10, and Sales hosts are in IP subnet 10.10.20.0/24 and VLAN 20
Hosts are segregated at Layer 3 by being in different IP subnets, and at Layer 2 by being in different VLANs
Hosts in different IP subnets need to send traffic via a router to communicate with each other
Option 1: Router with separate interfaces
(Diagram: router F0/1 10.10.10.1 (ENG default gateway) connects to switch port F0/1 in the ENG VLAN, and router F0/2 10.10.20.1 (SALES default gateway) connects to switch port F0/2 in the SALES VLAN; router F0/3 203.0.113.1/24 faces the Wide Area Network. ENG hosts are on F0/3-F0/5 and SALES hosts on F0/6-F0/7.)
Option 1 Configuration
R1(config)#interface FastEthernet 0/1
R1(config-if)#ip address 10.10.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config)#interface FastEthernet 0/2
R1(config-if)#ip address 10.10.20.1 255.255.255.0
R1(config-if)#no shutdown
R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config)#interface FastEthernet 0/2
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20
Router with separate interfaces - Disadvantages

You need a separate physical interface for every VLAN – you are liable
to run out of interfaces
Traffic being routed within the campus has to go up and down physical
Ethernet cables to the router
Inter-VLAN Routing Lab
Option 2: Router on a Stick
(Diagram: a single router interface F0/1 trunks to switch port F0/1 and carries two subinterfaces, F0/1.10 as the ENG default gateway 10.10.10.1 and F0/1.20 as the SALES default gateway 10.10.20.1; router F0/2 203.0.113.1/24 faces the Wide Area Network. ENG hosts on F0/3-F0/5, SALES hosts on F0/6-F0/7.)
Option 2 Configuration
R1(config)#interface FastEthernet 0/1
R1(config-if)#no ip address
R1(config-if)#no shutdown
R1(config)#interface FastEthernet 0/1.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 10.10.10.1 255.255.255.0
R1(config)#interface FastEthernet 0/1.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 10.10.20.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#switchport mode trunk
Router on a Stick Considerations

You do not need a separate physical interface for every VLAN – you are
less likely to run out of interfaces
Traffic being routed within the campus has to go up and down the
same physical Ethernet cable to the router – there is more contention
for bandwidth than when using separate interfaces
Inter-VLAN Routing Lab
Option 3: Layer 3 Switch
(Diagram: the switch itself hosts the Switched Virtual Interfaces (SVIs): interface VLAN 10 is the ENG default gateway 10.10.10.1 and interface VLAN 20 is the SALES default gateway 10.10.20.1. Switch port F0/1 is a routed port 10.10.100.1/24 connected to router F0/1 10.10.100.2/24; router F0/2 203.0.113.1/24 faces the Wide Area Network. ENG hosts on F0/3-F0/5, SALES hosts on F0/6-F0/7.)
Option 3 Inter-VLAN Routing Configuration
SW1(config)#ip routing
SW1(config)#interface vlan 10
SW1(config-if)#ip address 10.10.10.1 255.255.255.0
SW1(config)#interface vlan 20
SW1(config-if)#ip address 10.10.20.1 255.255.255.0
Option 3 WAN Routing Configuration
SW1(config)#interface FastEthernet 0/1
SW1(config-if)#no switchport
SW1(config-if)#ip address 10.10.100.1 255.255.255.0
SW1(config)#ip route 0.0.0.0 0.0.0.0 10.10.100.2

R1(config)#interface FastEthernet 0/1
R1(config-if)#ip address 10.10.100.2 255.255.255.0
R1(config)#interface FastEthernet 0/2
R1(config-if)#ip address 203.0.113.1 255.255.255.0
R1(config)#ip route 0.0.0.0 0.0.0.0 203.0.113.2
R1(config)#ip route 10.10.0.0 255.255.0.0 10.10.100.1
Layer 3 Switch Considerations

Traffic being routed within the campus is routed across the switch
backplane, it does not need to travel over physical cables to an
external router
You may still need an external router for WAN connectivity and
services
Layer 3 Switch Lab
DHCP – Dynamic Host Configuration Protocol

DHCP is a client/server protocol that automatically provides a host with its IP address and other related configuration information such as the subnet mask and default gateway.
DHCP clients obtain their IP configuration information from a DHCP server, rather than being manually configured.
DHCP – Dynamic Host Configuration Protocol
DHCP Benefits – Reduced Network Admin

Centralized and automated IP configuration, rather than manually assigning an IP address to every host.
Can assign additional IP configuration values by means of DHCP options.
Efficient handling of clients that must be updated frequently, such as laptops that move to different locations on a wireless network.
The forwarding of initial DHCP messages by using a DHCP relay agent, which eliminates the need for a DHCP server on every subnet.
DHCP Benefits - Reliable IP address configuration

DHCP minimizes configuration errors caused by manual IP address configuration, such as typos, or address conflicts caused by the assignment of an IP address to more than one computer at the same time.
DHCP Clients

Desktop PCs are good candidates to be DHCP clients because there will typically be many of them in an office. Using DHCP saves a lot of admin work that would be necessary if manually configuring IP addresses.
They do not accept incoming connections so it does not matter if their IP address changes.
DHCP Clients

Servers and network infrastructure devices such as routers and switches will not typically be DHCP clients.
They are mission critical devices which do not move and are required for the network and its services to function.
Their IP addresses are manually configured to ensure they will not change and are not dependent on DHCP.
Option 1: Cisco DHCP Server Configuration
R1(config)#ip dhcp excluded-address 10.10.10.1 10.10.10.10
R1(config)#ip dhcp pool 10.10.10.0_Clients
R1(dhcp-config)#network 10.10.10.0 255.255.255.0
R1(dhcp-config)#default-router 10.10.10.1
R1(dhcp-config)#dns-server 10.10.20.10
Verification – show ip dhcp pool
R1#show ip dhcp pool

Pool 10.10.10.0_Clients :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 2
Excluded addresses : 1
Pending event : none

1 subnet is currently in the pool
Current index IP address range Leased/Excluded/Total
10.10.10.1 10.10.10.1 - 10.10.10.254 2 / 1 / 254
Verification – show ip dhcp binding
Lab
Option 2: External DHCP Server Configuration
(Diagram: the client's DHCP Request is a broadcast, which the router does not forward; the ip helper-address on the client-facing interface relays it as a unicast to the DHCP server 10.10.20.10 in another subnet.)
Option 2: External DHCP Server Configuration
R1(config)#interface f0/1
R1(config-if)#ip helper-address 10.10.20.10
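The pool, exclusion and relay behaviour of the two options above, as an added Python model that is not part of the course material: a server with a Cisco-style pool (network, excluded addresses, default-router, dns-server) and a relay agent that does what ip helper-address does, stamping the receiving interface into giaddr so that the server can pick the right pool for a client on another subnet. The addresses follow the slides; the message representation is a simplified subset of RFC 2131, not a byte-exact encoder, and the function names are my own.

```python
# Added example (not part of the course material): a model of a Cisco-style DHCP
# pool with excluded addresses, and of a relay agent (ip helper-address) that
# turns the client's broadcast DISCOVER into a unicast to a server in another
# subnet. Addresses follow the slides (10.10.10.0/24 clients, gateway 10.10.10.1,
# DHCP/DNS server 10.10.20.10); the message is a simplified RFC 2131 subset.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DISCOVER, OFFER = 1, 2                      # option 53 message types used here
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE = 1, 3, 6, 51


@dataclass
class DhcpMessage:
    msg_type: int
    xid: int
    chaddr: str                             # client MAC
    giaddr: str = "0.0.0.0"                 # relay agent address; 0.0.0.0 = not relayed
    hops: int = 0
    dst: str = "255.255.255.255"            # DISCOVER is broadcast by the client
    yiaddr: str = "0.0.0.0"
    options: Dict[int, str] = field(default_factory=dict)


@dataclass
class Pool:
    """ip dhcp pool: network / default-router / dns-server, plus the
    ip dhcp excluded-address ranges that apply to the subnet."""
    network: ipaddress.IPv4Network
    default_router: str
    dns_server: str
    excluded: List[Tuple[str, str]] = field(default_factory=list)
    bindings: Dict[str, str] = field(default_factory=dict)   # ip -> mac

    def is_excluded(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                   for lo, hi in self.excluded)

    def allocate(self, mac: str) -> Optional[str]:
        for ip, bound in self.bindings.items():        # existing client keeps its lease
            if bound == mac:
                return ip
        for ip in self.network.hosts():                # lowest free, non-excluded address
            if str(ip) not in self.bindings and not self.is_excluded(ip):
                self.bindings[str(ip)] = mac
                return str(ip)
        return None                                     # pool exhausted


class DhcpServer:
    def __init__(self, pools: List[Pool]):
        self.pools = pools

    def handle(self, msg: DhcpMessage, received_on: str) -> Optional[DhcpMessage]:
        """Pool selection: giaddr when relayed, otherwise the receiving interface."""
        key = ipaddress.ip_address(msg.giaddr if msg.giaddr != "0.0.0.0" else received_on)
        pool = next((p for p in self.pools if key in p.network), None)
        if pool is None or msg.msg_type != DISCOVER:
            return None                                 # no matching pool: silently ignored
        ip = pool.allocate(msg.chaddr)
        if ip is None:
            return None
        return DhcpMessage(OFFER, msg.xid, msg.chaddr, giaddr=msg.giaddr, hops=msg.hops,
                           dst=msg.giaddr if msg.giaddr != "0.0.0.0" else "255.255.255.255",
                           yiaddr=ip,
                           options={OPT_MASK: str(pool.network.netmask),
                                    OPT_ROUTER: pool.default_router,
                                    OPT_DNS: pool.dns_server, OPT_LEASE: "86400"})


def relay(msg: DhcpMessage, interface_ip: str, helper: str) -> Optional[DhcpMessage]:
    """ip helper-address: forward the broadcast as unicast to the helper, stamping
    the receiving interface into giaddr so the server can pick the right pool."""
    if msg.dst != "255.255.255.255" or msg.hops >= 16:   # RFC 2131: discard once hops exceed 16
        return None
    giaddr = msg.giaddr if msg.giaddr != "0.0.0.0" else interface_ip  # keep the first relay's address
    return DhcpMessage(msg.msg_type, msg.xid, msg.chaddr, giaddr=giaddr,
                       hops=msg.hops + 1, dst=helper, options=dict(msg.options))


def build_lab() -> DhcpServer:
    """The slide's pool: network 10.10.10.0/24, excluded 10.10.10.1-10.10.10.10."""
    return DhcpServer([Pool(ipaddress.ip_network("10.10.10.0/24"), "10.10.10.1",
                            "10.10.20.10", excluded=[("10.10.10.1", "10.10.10.10")])])


def exchange(server: DhcpServer, mac: str, xid: int = 0x1234) -> Optional[DhcpMessage]:
    """Client on 10.10.10.0/24 broadcasts; R1 f0/1 (10.10.10.1) relays to 10.10.20.10."""
    discover = DhcpMessage(DISCOVER, xid, mac)
    relayed = relay(discover, "10.10.10.1", "10.10.20.10")
    return server.handle(relayed, received_on="10.10.20.10") if relayed else None
```

The offer is addressed back to giaddr, which is why the relay's interface address must itself lie in a subnet the server knows; and without a relay the same DISCOVER, seen on the server's own 10.10.20.0/24 interface, matches no pool and is ignored.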
Configuring a Cisco Router as a DHCP Client

Cisco routers are typically manually configured with static IP addresses
An exception to this is where an office is connected to the Internet but has not bought static public IP addresses (because it does not contain any publicly available servers which would need a fixed IP address for incoming connections)
The office still requires a public IP address to allow internal hosts outbound connectivity to the Internet through NAT
In this case the router will receive the public IP address on its outside interface from the Internet service provider via DHCP
Configuring a Cisco Router as a DHCP Client
R1(config)#interface f0/0
R1(config-if)#ip address dhcp
R1(config-if)#no shutdown
Verification – show dhcp lease
R1#show dhcp lease
Temp IP addr: 203.0.113.2 for peer on Interface: FastEthernet0/0
Temp sub net mask: 255.255.255.0
DHCP Lease server: 203.0.113.1 , state: Bound
DHCP Transaction id: 64B8EE07
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 203.0.113.1
Next timer fires after: 11:53:13
Retry count: 0 Client-ID:cisco-0001.63C2.9701-Fa0/0
Client-ID hex dump: 636973636F2D303030312E363343322E
93730312D4661302F30
Hostname: R1
STP Terminology – The Bridge
Hubs were Layer 1 devices which performed the same function as switches – connecting Ethernet LAN hosts
Hubs did not learn MAC addresses so they flooded all traffic out all ports apart from the one it was received on
(Diagram: three hubs connected in a row.)
STP Terminology – The Bridge
Switches provide performance and security improvements by only forwarding traffic to known unicast MAC addresses out the relevant port
Early switches were expensive, had very few ports and were called bridges
They segmented LANs which were built with hubs
(Diagram: a bridge placed between two hubs.)
STP Terminology – The Bridge
A switch is a multi-port bridge
Spanning Tree was invented back when bridges were in use so it uses that terminology (the 'Root Bridge' and 'Bridge Protocol Data Units')
How Spanning Tree Works

Spanning Tree is an industry standard protocol (IEEE 802.1D) and is enabled by default on all vendors' switches
Switches send Bridge Protocol Data Units out all ports when they come online. These are used to detect other switches and potential loops
The switch will not forward traffic out any port until it is certain it is loop free
Spanning Tree Port States
When the port first comes online it will be in a Blocking state.
Spanning Tree will detect if the port forms a potential loop
If there is no loop the port will transition through Listening and Learning to Forwarding
With the original 802.1D timers this takes 30 seconds for a port coming online (15 seconds Listening plus 15 seconds Learning), and up to 50 seconds to recover from a failed link, because a further 20 seconds of Max Age must expire before the stale information is discarded
The Bridge ID

The BPDU contains the switch's Bridge ID which uniquely identifies the switch on the LAN
The Bridge ID is comprised of the switch's unique MAC address and an administrator defined Bridge Priority value
The Bridge Priority can be from 0 – 65535, with 32768 being the default
Current switches use the extended system ID, so the priority is configured in steps of 4096 and the VLAN number is added to it (spanning-tree vlan 10 priority 4096 results in a priority of 4106 for VLAN 10)
The Root Bridge

A Root Bridge is elected based on the switches' Bridge ID values
The switch with the lowest Bridge Priority value is preferred (16384 is better than 49152)
In the case of a tie the switch with the lowest MAC address will be selected
The switches build a loop free forwarding path Tree leading back to the Root Bridge
Spanning Tree Example

In our example we have not manually set Bridge Priority on any switches
CD1 is elected as the Root Bridge as it has the lowest MAC address
Spanning Tree Example

The other switches will detect their lowest cost path to the Root Bridge
These paths will transition to a forwarding state
Spanning Tree Cost

When a switch calculates its best path towards the Root Bridge, higher bandwidth links are preferred: each link has a cost derived from its bandwidth and the path with the lowest total cost wins
Root Ports

Each switch's exit interface on the lowest cost path to the Root Bridge is selected as its Root Port
Load Balancing
A Spanning Tree instance does not do load balancing
If a switch has multiple equal cost paths towards the Root Bridge, it will select the neighbour switch with the lowest Bridge ID
(Diagram: Acc3 has equal cost paths to the Core1 Root Bridge via Dist1 and via Dist2; it selects the path via Dist2 as it has the lower Bridge ID.)
Load Balancing
A Spanning Tree instance does not do load balancing
If a switch has multiple equal cost paths via the same neighbour switch towards the Root Bridge, it will select the port with the lowest Port ID
(Diagram: Acc3 has two links to Dist2; it selects the path to the Core1 Root Bridge via Dist2 F0/1 as it is the port with the lowest Port ID going to the lowest Bridge ID.)
Designated Ports
Ports on the neighbour switch opposite the Root Port are Designated
Ports
Root Ports point towards the Root Bridge, Designated Ports point away
from it
All ports on the Root Bridge are always Designated Ports
Root Ports and Designated Ports Forward Traffic

Root Ports and Designated Ports are the most direct paths to and from
the Root Bridge and transition to a forwarding state
Other Links
On the remaining links, the switches determine which of them has the
least-cost path to the root
If they have equal cost paths then the Bridge ID is used as a tiebreaker
The port connecting this switch to the link is selected as a Designated
Port.
Blocking Ports

Any ports which have not been selected as a Root Port or Designated
Port pair would potentially form a loop
These are selected as Blocking Ports
Blocking Ports

Spanning Tree only blocks ports on one side of the blocked link
BPDUs continue to be sent over the link but other traffic is dropped
Root, Designated and Blocking Ports
The easy way to figure out which ports are Root, Designated and
Blocking:
1. Determine the Root Bridge first (best Bridge ID)
2. All ports on the Root Bridge are Designated Ports
3. Determine the Root Ports on the other switches (lowest cost to
Root Bridge)
Root, Designated and Blocking Ports (Cont.)

4. The ports on the other side of those links are Designated Ports
5. On the links which are left, one port will be Blocking
6. Determine the Blocking Port (highest cost path to Root Bridge or
highest Bridge ID)
7. The ports on the other side of those links are Designated Ports
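The seven steps above carried out in code, as an added Python example that is not part of the course material. It elects the Root Bridge, computes each switch's root path cost and Root Port with the 802.1D tie-break order (cost, sender Bridge ID, sender Port ID, receiver Port ID), then settles one Designated Port per link and leaves the rest Blocking. The topology, switch names, MAC addresses and port numbers are constructed to reproduce the Acc3/Dist2 case from the Load Balancing slides; link costs are the classic IEEE 802.1D short values, and the code assumes every switch is connected to the root.

```python
# Added example (not from the course material): the seven-step role selection
# above, computed with the 802.1D comparison rules for a small campus topology.
# Bridge names, MAC addresses and port numbers are made up; link costs are the
# classic IEEE 802.1D short path costs (100 Mbps = 19, 1 Gbps = 4, 10 G = 2).
import heapq
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

COST_BY_MBPS = {10: 100, 100: 19, 1000: 4, 10000: 2}
DEFAULT_PRIORITY = 32768
PORT_PRIORITY = 128


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                                # dotted hex, e.g. "0000.0000.0001"
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self) -> Tuple[int, int]:  # lower wins: priority first, then MAC
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    mbps: int


def port_id(number: int) -> int:
    """16-bit Port ID: port priority in the high byte, port number in the low byte."""
    return (PORT_PRIORITY << 8) | number


def spanning_tree(bridges: List[Bridge], links: List[Link]) -> Dict[str, object]:
    """Assumes a connected topology (every bridge has a path to the root)."""
    bid = {b.name: b.bridge_id() for b in bridges}
    root = min(bid, key=bid.get)                                   # step 1: best Bridge ID
    adj = defaultdict(list)                                        # name -> (my port, nbr, nbr port, cost)
    for l in links:
        cost = COST_BY_MBPS[l.mbps]
        adj[l.a].append((l.a_port, l.b, l.b_port, cost))
        adj[l.b].append((l.b_port, l.a, l.a_port, cost))

    # Step 3: Root Ports. Dijkstra from the root; the heap key is exactly the
    # 802.1D tie-break order (root path cost, sender Bridge ID, sender Port ID,
    # receiver Port ID), so the first pop for each bridge is its Root Port.
    rpc: Dict[str, int] = {}
    root_port: Dict[str, int] = {}
    heap = [(0, bid[root], 0, 0, root, 0)]
    while heap:
        cost, _, _, _, name, my_port = heapq.heappop(heap)
        if name in rpc:
            continue
        rpc[name] = cost
        if name != root:
            root_port[name] = my_port
        for my, nbr, nbr_port, c in adj[name]:
            if nbr not in rpc:
                heapq.heappush(heap, (cost + c, bid[name], port_id(my),
                                      port_id(nbr_port), nbr, nbr_port))

    # Steps 2 and 4-7: one Designated Port per link (lowest root path cost, then
    # Bridge ID, then Port ID); the other end is either a Root Port or Blocking.
    # The Root Bridge has cost 0 everywhere, so all of its ports come out Designated.
    roles: Dict[Tuple[str, int], str] = {}
    for l in links:
        ka = (rpc[l.a], bid[l.a], port_id(l.a_port))
        kb = (rpc[l.b], bid[l.b], port_id(l.b_port))
        if ka < kb:
            des, other = (l.a, l.a_port), (l.b, l.b_port)
        else:
            des, other = (l.b, l.b_port), (l.a, l.a_port)
        roles[des] = "designated"
        roles[other] = "root" if root_port.get(other[0]) == other[1] else "blocking"
    return {"root": root, "root_path_cost": rpc, "root_port": root_port, "roles": roles}


# Constructed topology: Core1 (lowest MAC) with two distribution switches and
# an access switch dual-homed to both; all links 1 Gbps, all priorities default.
BRIDGES = [Bridge("Core1", "0000.0000.0001"), Bridge("Dist1", "0000.0000.0003"),
           Bridge("Dist2", "0000.0000.0002"), Bridge("Acc3", "0000.0000.0004")]
LINKS = [Link("Core1", 1, "Dist1", 1, 1000), Link("Core1", 2, "Dist2", 1, 1000),
         Link("Dist1", 2, "Dist2", 2, 1000),
         Link("Dist1", 3, "Acc3", 1, 1000), Link("Dist2", 3, "Acc3", 2, 1000)]


def blocked_ports(result: Dict[str, object]) -> List[Tuple[str, int]]:
    return sorted(p for p, r in result["roles"].items() if r == "blocking")


if __name__ == "__main__":
    res = spanning_tree(BRIDGES, LINKS)
    print("Root bridge:", res["root"])
    for (sw, port), role in sorted(res["roles"].items()):
        print(f"{sw} port {port}: {role}")
```

Acc3 reaches the root at cost 8 through either distribution switch and picks Dist2 because its Bridge ID is lower, exactly the tie-break the slides describe; lowering Dist1's priority to 24576 makes it the Root Bridge regardless of MAC address, which is how you deliberately place the root at the core rather than letting the oldest switch win.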
Campus Design - Oversubscription
(Diagram: the three-layer campus with Access, Distribution and Core Layers across the Main Building and Building 1, the Core connected to the Wide Area Network.)
Campus Design - Oversubscription

End hosts do not constantly send traffic onto the network, most of the time their network connection is sitting idle
Because of this you can connect fewer uplinks to each higher layer than the number of hosts you have and still maintain acceptable network performance
Campus Design - Oversubscription

A starting rule-of-thumb recommendation for oversubscription is 20:1 from the access layer to the distribution layer
Meaning if you had 20 PCs connected with 1Gbps NICs at the access layer, you would require a single 1Gbps uplink to the distribution layer
The recommendation is 4:1 for the distribution to core layer links
These are general values, you should analyse the traffic on your network to verify links are not congested
Campus Design - Oversubscription

Switches often have dedicated uplink ports with higher bandwidth than their access ports
For example a 48 port 1Gbps switch with a pair of 10Gbps uplinks
This can help with the subscription ratio
48 x 1Gbps clients = 48 Gbps
2 x 10Gbps uplinks = 20 Gbps
Subscription ratio = 2.4:1
But we have a problem when we connect 2 uplinks…
Spanning Tree Load Balancing
A Spanning Tree instance provides redundancy, but not load balancing
If a switch has multiple equal cost paths via the same neighbour switch towards the Root Bridge, it will select the port with the lowest Port ID
(Diagram: Access1 has two 10Gbps uplinks, T0/1 and T0/2, to the same upstream switch.)
Access1 selects the single best path towards the Root Bridge
T0/1 is selected as the Root Port as it has the lowest Port ID
T0/2 is blocking
We only have 10Gbps (not 20Gbps) uplink bandwidth in our example
EtherChannel
Etherchannel groups multiple physical interfaces into a single logical interface
Spanning Tree sees the EtherChannel as a single interface, so it does not block any of the member ports
We now get the full 20Gbps bandwidth
EtherChannel Load Balancing and Redundancy
Traffic is load balanced across all the links in the EtherChannel
If an interface goes down its traffic will fail over to the remaining links
NIC Teaming
NIC Teaming combines multiple physical network cards into a single logical interface
(Diagram: Server 1 has Physical NIC1 and Physical NIC2 combined into one Logical Interface with IP address 10.10.10.10, both cabled to the Physical Switch.)
Terminology
EtherChannel is also known as:
A Port Channel
LAG Link Aggregation
A link bundle

NIC Teaming is also known as:
Bonding
NIC balancing
Link aggregation
EtherChannel Load Balancing
A flow is a communication from a client to a server
If PC-1 opens a web session to Server-1, and PC-2 opens an FTP session to Server-2, we have two flows going through the switch
A single flow is load balanced onto a single port channel member interface
For example all packets in the flow from PC-1 to Server-1 always go over interface G0/1, all packets in the flow from PC-2 to Server-2 always go over interface G0/2
(Diagram: PC-1 and PC-2 on one switch, S-1 and S-2 on another, the two switches joined by a port channel.)
EtherChannel Load Balancing – 1st Packet
1st packet in the flow from PC-1 to Server-1
EtherChannel Load Balancing – 2nd Packet
2nd packet from PC-1 to Server-1 goes over the same link
EtherChannel Load Balancing – 1st Packet
1st packet in the flow from PC-2 to Server-2
EtherChannel Load Balancing – 2nd Packet
2nd packet from PC-2 to Server-2 goes over the same link
EtherChannel Load Balancing
Packets from the same flow are not load balanced round robin across all the interfaces in the port channel
We do not load balance the first packet from PC-1 to Server-1 on to interface G0/1, the second packet onto G0/2
Round robin load balancing could cause packets to arrive out of order which would break some applications
EtherChannel Load Balancing – 1st Packet
This does NOT happen: (diagram of the first packet of a flow going over G0/1)
EtherChannel Load Balancing – 2nd Packet
This does NOT happen: (diagram of the second packet of the same flow going over G0/2)
EtherChannel Load Balancing
Any single flow receives the bandwidth of a single link in the port channel as a maximum
That's a maximum of 1 Gbps bandwidth per flow in our example, with the aggregate bandwidth of 4 Gbps available across all flows
EtherChannel Load Balancing
You can think of a port channel as a multi-lane motorway. The cars stay in a single lane, but because there are multiple lanes the overall traffic gets there quicker
Etherchannel provides redundancy as well as load balancing. If a link fails the flows will be load balanced to the remaining links
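The flow-based load balancing described in the slides above, as an added Python model that is not part of the course material. Real Catalyst hardware uses a platform-specific hash; what is modelled here is the classic behaviour of folding the selected header fields into 8 hash buckets that are shared out over the member links, with the XOR of the low address bits standing in for the real hash function. It shows why every packet of a flow stays on one link, why two sessions between the same pair of hosts share a link under src-dst-ip hashing, how unevenly 8 buckets divide over 3 links, and what happens on failover. The hosts, addresses and ports are constructed.

```python
# Added example (not from the course material): a simplified model of
# EtherChannel flow-based load balancing. The hash (XOR of the low 3 bits of
# the selected fields, folded into 8 buckets) is a stand-in for the real,
# platform-specific function. Hosts, ports and addresses are constructed.
import ipaddress
from collections import Counter
from typing import Dict, List, NamedTuple

HASH_BUCKETS = 8     # classic Catalyst behaviour: 8 buckets regardless of link count (max 8 links)


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


def _low3(value: int) -> int:
    return value & 0b111


def flow_bucket(flow: Flow, method: str = "src-dst-ip") -> int:
    """port-channel load-balance <method>: which header fields feed the hash."""
    s = _low3(int(ipaddress.ip_address(flow.src_ip)))
    d = _low3(int(ipaddress.ip_address(flow.dst_ip)))
    if method == "src-ip":
        return s
    if method == "src-dst-ip":
        return s ^ d
    if method == "src-dst-mixed-ip-port":
        return s ^ d ^ _low3(flow.src_port) ^ _low3(flow.dst_port)
    raise ValueError(f"unsupported load-balance method {method!r}")


def bucket_distribution(links: List[str]) -> Dict[str, int]:
    """How many of the 8 buckets each member link owns (bucket % link count):
    2 or 4 or 8 links divide evenly, 3, 5, 6 or 7 links do not."""
    return dict(Counter(links[b % len(links)] for b in range(HASH_BUCKETS)))


def select_link(flow: Flow, links: List[str], method: str = "src-dst-ip") -> str:
    """Every packet of a flow hashes to the same bucket, hence the same link."""
    return links[flow_bucket(flow, method) % len(links)]


def after_failover(flow: Flow, links: List[str], failed: str,
                   method: str = "src-dst-ip") -> str:
    """When a member fails, the buckets are redistributed over the survivors."""
    return select_link(flow, [l for l in links if l != failed], method)


# Constructed flows matching the slides: PC-1 -> S-1 (web) and PC-2 -> S-2 (FTP),
# plus a second web session from PC-1 to the same server.
LINKS = ["Gi0/1", "Gi0/2"]
PC1_WEB = Flow("10.10.10.10", "10.10.20.10", 50000, 80)
PC1_WEB_2 = Flow("10.10.10.10", "10.10.20.10", 50001, 80)
PC2_FTP = Flow("10.10.10.11", "10.10.20.12", 50002, 21)

if __name__ == "__main__":
    for name, flow in (("PC-1 web", PC1_WEB), ("PC-1 web #2", PC1_WEB_2), ("PC-2 ftp", PC2_FTP)):
        print(f"{name}: src-dst-ip -> {select_link(flow, LINKS)}, "
              f"mixed-ip-port -> {select_link(flow, LINKS, 'src-dst-mixed-ip-port')}")
    print("3-link bucket split:", bucket_distribution(["Gi0/1", "Gi0/2", "Gi0/3"]))
```

The practical consequences are the ones that matter on a real channel: a single backup job between two hosts never gets more than one link, and with the default src-dst-ip method neither do ten parallel sessions between the same two hosts; switching to a method that includes Layer 4 ports spreads them, and choosing 2, 4 or 8 members avoids the uneven bucket split.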
EtherChannel Protocols - LACP
LACP Link Aggregation Control Protocol:
Open standard (IEEE 802.3ad, now maintained as 802.1AX)
The switches on both sides negotiate the port channel creation and maintenance
This is the preferred method
EtherChannel Protocols - PAgP
PAgP Port Aggregation Protocol:
Cisco proprietary.
The switches on both sides negotiate the port channel creation and maintenance.
EtherChannel Protocols - Static
Static Etherchannel:
The switches do not negotiate creation and maintenance but the settings must still match on both sides for the port channel to come up.
Use if LACP is not supported on both sides.
Because nothing is negotiated, a static channel on one side facing individual ports on the other is not detected by any protocol and can form a loop; prefer LACP wherever both ends support it.

All protocols are configured with the channel-group command
EtherChannel Parameters
The switches on both sides must have a matching configuration
The member interfaces must have the same settings on both sides:
Speed and duplex
Access or Trunk mode
Native VLAN and allowed VLANs on trunks
Access VLAN on access ports
LACP Configuration
LACP interfaces can be set as either Active or Passive
If SW1’s interfaces are set as Active and SW2’s as Passive, the port
channel will come up
If both sides are Passive, the port channel will not come up
If both sides are Active, the port channel will come up
It is recommended to configure both sides as Active so you don’t have
to think about which side is which
LACP Configuration
SW1(config)#interface range f0/23 - 24
SW1(config-if-range)#channel-group 1 mode active
This creates interface port-channel 1
SW1(config)#interface port-channel 1
SW1(config-if)#switchport mode trunk
Configure the interface settings on the port channel
LACP Configuration
Configure matching settings on the other switch on the other side of the links:
SW2(config)#interface range f0/23 - 24
SW2(config-if-range)#channel-group 1 mode active

SW2(config)#interface port-channel 1
SW2(config-if)#switchport mode trunk
PAgP Configuration
PAgP interfaces can be set as either Desirable or Auto
If one side is Desirable and the other Auto, the port channel will come
up
If both sides are Auto, the port channel will not come up
If both sides are Desirable, the port channel will come up
If you configure both sides as Desirable you don’t have to think about
which side is which
PAgP Configuration
SW1(config)#interface range f0/23 - 24
SW1(config-if-range)#channel-group 1 mode desirable

SW1(config)#interface port-channel 1
SW1(config-if)#switchport mode trunk

Configure matching settings on the switch on the other side of the links
Static Configuration
SW1(config)#interface range f0/23 - 24
SW1(config-if-range)#channel-group 1 mode on

SW1(config)#interface port-channel 1
SW1(config-if)#switchport mode trunk

Configure matching settings on the switch on the other side of the links
Verification – show etherchannel summary
Verification – show spanning-tree vlan
Before EtherChannel configured:
Verification – show spanning-tree vlan
After EtherChannel configured:
1st Port Channel – Acc3 to CD1 - LACP
Acc3 Port Channel 1:
Acc3 F0/23 – CD1 F0/23
Acc3 F0/24 – CD1 F0/24

CD1 Port Channel 1:
CD1 F0/23 - Acc3 F0/23
CD1 F0/24 - Acc3 F0/24
2nd Port Channel – Acc3 to CD2 - PAgP
Acc3 Port Channel 2:
Acc3 F0/21 – CD2 F0/21
Acc3 F0/22 – CD2 F0/22

CD2 Port Channel 2:
CD2 F0/21 - Acc3 F0/21
CD2 F0/22 - Acc3 F0/22
3rd Port Channel – Acc4 to CD2 - Static
Acc4 Port Channel 1:
Acc4 F0/23 – CD2 F0/23
Acc4 F0/24 – CD2 F0/24

CD2 Port Channel 1:
CD2 F0/23 – Acc4 F0/23
CD2 F0/24 – Acc4 F0/24
4th Port Channel – Acc4 to CD1 - LACP
Acc4 Port Channel 2:
Acc4 F0/21 – CD1 F0/21
Acc4 F0/22 – CD1 F0/22

CD1 Port Channel 2:
CD1 F0/21 – Acc4 F0/21
CD1 F0/22 – Acc4 F0/22
EtherChannel across Redundant Switches
Matching EtherChannel settings have to be configured on the switches
on both sides of the link
You can configure separate port channels from a switch to redundant
upstream switches
EtherChannel across Redundant Switches
Spanning Tree will see the port channels as two separate interfaces
and block one path if a loop is formed
This brings us back to the problem of only using half our available
physical bandwidth
Before EtherChannel Configured
After EtherChannel Configured
Multi-chassis EtherChannel
Cisco supports Multi-chassis EtherChannel technologies on some switches
These switches support a shared EtherChannel from different switches
The switches must be configured with matching settings
Multi-chassis EtherChannel
Spanning Tree is still enabled but it does not detect any loops
This supports full load balancing and redundancy across all interfaces
StackWise, VSS and vPC
Multi-chassis EtherChannel is supported with these technologies:
StackWise on selected Catalyst switch platforms including the Catalyst
3750, 3850 and 9000 families
VSS Virtual Switching System on other selected Catalyst switch
platforms including the Catalyst 4500 and 6500 families
vPC Virtual Port Channel on the Nexus switch family
Layer 3 Etherchannel
Switch1(config)#interface range GigabitEthernet 1/0/1 - 2
Switch1(config-if-range)#no switchport
Switch1(config-if-range)#channel-group 1 mode {active | auto | desirable | on | passive}

Switch1(config)#interface port-channel 1
Switch1(config-if)#ip address 192.168.0.1 255.255.255.252
Switch1(config-if)#no shutdown
Layer 3 Campus Design
(Diagram: Wide Area Network at the top, then the Core Layer, Distribution Layer and Access Layer, shown for the Main Building and Building 1)
Access Layer Switch Security Mechanisms
DHCP Snooping
DAI Dynamic ARP Inspection
802.1X Identity Based Networking
Port Security
External DHCP Server Configuration
R1(config)#interface f0/1
R1(config-if)#ip helper-address 10.10.20.10
Rogue DHCP Server
DHCP Snooping
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#int f0/1
SW1(config-if)#ip dhcp snooping trust

When DHCP Snooping is enabled, DHCP Server responses are dropped if they don’t arrive on a trusted port.
ARP Address Resolution Protocol
(Diagram: PC1 10.10.10.10/24, MAC 1.1.1, default gateway 10.10.10.1; R1 10.10.10.1/24, MAC 2.2.2)
PC1 ARP Request: I’m looking for 10.10.10.1, what’s your MAC address?
ARP Address Resolution Protocol
R1 ARP Reply: I’m 10.10.10.1, my MAC address is 2.2.2
R1 ARP Cache: 10.10.10.10 = 1.1.1
PC1 ARP Cache: 10.10.10.1 = 2.2.2
ARP Address Resolution Protocol
PC1 to R1: 10.10.10.10 > 10.10.10.1, 1.1.1 > 2.2.2
ARP Address Resolution Protocol
R1 to PC1: 10.10.10.1 > 10.10.10.10, 2.2.2 > 1.1.1
Man in the Middle ARP Spoofing
(Diagram: Attacker 10.10.10.100/24, MAC 3.3.3, on the same subnet as PC1 and R1)
Attacker sends Gratuitous ARP: ‘I am 10.10.10.1, my MAC address is 3.3.3’
Man in the Middle ARP Spoofing
PC1 ARP Cache is now poisoned: 10.10.10.1 = 3.3.3
Man in the Middle ARP Spoofing
Attacker sends Gratuitous ARP: ‘I am 10.10.10.10, my MAC address is 3.3.3’
Man in the Middle ARP Spoofing
R1 ARP Cache is now poisoned: 10.10.10.10 = 3.3.3
Man in the Middle ARP Spoofing
PC1 sends to its default gateway: 10.10.10.10 > 10.10.10.1, 1.1.1 > 3.3.3 (the frame is delivered to the Attacker)
Man in the Middle ARP Spoofing
Attacker forwards it to R1: 10.10.10.10 > 10.10.10.1, 3.3.3 > 2.2.2
Man in the Middle ARP Spoofing
R1 replies: 10.10.10.1 > 10.10.10.10, 2.2.2 > 3.3.3 (the frame is delivered to the Attacker)
Man in the Middle ARP Spoofing
Attacker forwards it to PC1: 10.10.10.1 > 10.10.10.10, 3.3.3 > 1.1.1
Dynamic ARP Inspection DAI
When you enable DHCP snooping, the switch inspects the DHCP traffic and keeps track of which IP addresses were assigned to which MAC addresses
For example, PC1 with MAC address 1.1.1 was assigned IP address 10.10.10.10
If invalid ARP traffic tries to pass through the switch, for example 3.3.3 saying it is 10.10.10.10, the switch drops the traffic
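The DHCP Snooping and DAI behaviour described above, as an added example that is not part of the course: a minimal model of the snooping binding table and the ARP check. Port names, the VLAN number and the shorthand MAC addresses (1.1.1, 2.2.2, 3.3.3 as on the slides) are constructed; the trusted port corresponds to the interface given `ip dhcp snooping trust` / `ip arp inspection trust`.

```python
"""Added example, not from the course: a minimal model of DHCP snooping and
the Dynamic ARP Inspection check. Port names, VLAN numbers and the shorthand
MAC addresses are constructed to match the slides' scenario."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    port: str


class DaiSwitch:
    def __init__(self, trusted_ports, inspected_vlans):
        self.trusted = set(trusted_ports)
        self.vlans = set(inspected_vlans)
        self.bindings = {}      # (vlan, mac) -> Binding
        self.dropped = []       # record of what was discarded and why

    def dhcp_ack(self, server_port, client_port, vlan, client_mac, leased_ip):
        """A DHCP server reply seen by the switch.

        With DHCP snooping, server replies are only accepted from trusted
        ports, so a rogue server on an access port is dropped. An accepted
        lease is recorded against the client's own port."""
        if server_port not in self.trusted:
            self.dropped.append(("dhcp-reply-untrusted", server_port))
            return False
        self.bindings[(vlan, client_mac)] = Binding(client_mac, leased_ip, vlan, client_port)
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI check on an ARP request, reply or gratuitous ARP.

        Returns True if the packet is forwarded. Trusted ports and VLANs
        without inspection are not checked; everything else must match a
        snooping binding exactly (MAC, IP and ingress port)."""
        if vlan not in self.vlans or port in self.trusted:
            return True
        binding = self.bindings.get((vlan, sender_mac))
        if binding is None or binding.ip != sender_ip or binding.port != port:
            self.dropped.append(("arp-invalid", port, sender_mac, sender_ip))
            return False
        return True


def demo():
    """Replays the slides' scenario: PC1 (1.1.1) leases 10.10.10.10 through the
    trusted uplink f0/1; the attacker (3.3.3) on f0/3 sends the gratuitous ARPs."""
    sw = DaiSwitch(trusted_ports={"f0/1"}, inspected_vlans={10})
    sw.dhcp_ack("f0/1", "f0/2", 10, "1.1.1", "10.10.10.10")
    results = {
        "pc1 arp": sw.arp("f0/2", 10, "1.1.1", "10.10.10.10"),
        "r1 reply (trusted port)": sw.arp("f0/1", 10, "2.2.2", "10.10.10.1"),
        "attacker claims 10.10.10.1": sw.arp("f0/3", 10, "3.3.3", "10.10.10.1"),
        "attacker claims 10.10.10.10": sw.arp("f0/3", 10, "3.3.3", "10.10.10.10"),
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    for name, forwarded in outcome.items():
        print(f"{name}: {'forwarded' if forwarded else 'dropped'}")
    print("drop log:", switch.dropped)
```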
DAI Configuration
SW1(config)#int f0/1
SW1(config-if)#ip arp inspection trust
!
SW1(config)#ip arp inspection vlan 10

DAI is not performed on trusted ports. Enable trust for non DHCP clients, which have no DHCP snooping binding to check against.
Dynamic ARP Inspection DAI
SBH-SW2(config)#int g1/0/23
SBH-SW2(config-if)#ip arp inspection trust
!
SBH-SW2(config)#ip arp inspection vlan 12
802.1X Identity Based Networking
When 802.1X is enabled, only authentication traffic is allowed on switch ports until the host and user are authenticated
When the user has entered a valid username and password, the switch port transitions to a normal access port in the relevant VLAN
802.1X Identity Based Networking
Shut Down Unused Interfaces
Best practice is to administratively shut down unused switch ports
This stops somebody getting access to the network if they physically connect to the port

SW1(config)#int f0/2
SW1(config-if)#shutdown
Port Security
Port Security enables an administrator to specify which MAC address or addresses can send traffic in to an individual switch port.
This can be used to lock a port down to a particular host or hosts
(Diagram: PC1, MAC 1.1.1, connected to f0/2; allowed MAC on f0/2: 1.1.1)
Port Security
(Diagram: PC1, MAC 1.1.1, sends traffic into f0/2; the allowed MAC is 1.1.1, so the traffic is accepted)
Port Security
(Diagram: PC2, MAC 2.2.2, connected to f0/2; the allowed MAC is 1.1.1, so PC2’s traffic is not accepted)
Port Security
It is easy to spoof a MAC address, so locking ports down to a specific host is not usually Port Security’s main role in production networks
Port Security can also configure individual switch ports to allow only a specified number of source MAC addresses to send traffic in to the port
It can learn connected MAC addresses
(Diagram: PC1, MAC 1.1.1, connected to f0/2; f0/2 allows 1 MAC address and has learned MAC 1.1.1)
Port Security
This is useful to prevent users from adding Wireless Access Points or other shared devices
(Diagram: PC1, MAC 1.1.1, and PC2, MAC 2.2.2, both behind f0/2; f0/2 allows 1 MAC address and has learned MAC 1.1.1, so PC2 cannot send traffic in)
Port Security Configuration
SW1(config)#int f0/2
SW1(config-if)#switchport port-security
Port Security Default Behaviour
If you configure Port Security with no additional parameters then only one MAC address is allowed to transmit on the port
The current MAC address can be disconnected and replaced. The port is not locked down to a particular MAC address
If a shared device is connected and multiple hosts try to transmit the port will be shut down
Port Security Verification - Defaults
SW1#show port-security interface f0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0CA0.A359:1
Security Violation Count : 0
Security Violation Actions
You have three options when an unauthorised MAC address sends traffic
in to the port:
Shutdown (Default): The interface is placed into the error-disabled
state, blocking all traffic
Protect: Traffic from unauthorised addresses is dropped. Traffic from
allowed addresses is forwarded
Restrict: Traffic from unauthorised addresses is dropped, logged and the
violation counter incremented. Traffic from allowed addresses is
forwarded
Violation Action Configuration
SW1(config)#int f0/2
SW1(config-if)# switchport port-security violation protect

SW1(config-if)# switchport port-security violation restrict
Error-Disabled Interfaces
If the Violation Action is set to Shutdown and a violation occurs, the port will move to an error-disabled state
To bring an error-disabled interface back into service:
Physically remove the host with the offending MAC address
Manually shutdown then no shutdown the interface
Auto-Recovery
You can bring error disabled ports back into service automatically after they have been disabled for a configurable period of time (in seconds)

SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# errdisable recovery interval 600
Maximum MAC Addresses
When Port Security is enabled the maximum number of MAC addresses
allowed to send traffic into the interface is one by default
This can be increased if multiple hosts share the port, for example an IP
phone with a PC plugged into the back of it

SW1(config)# interface f0/2
SW1(config-if)# switchport port-security maximum 2
Maximum MAC Addresses
SW1#show port-security int f0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0CA0.A359:1
Security Violation Count : 0
Manually Adding MAC Addresses
You can statically configure allowed MAC addresses if you want to lock the port down to a particular host:

SW1(config)# interface f0/10
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address 1111.2222.3333
SW1(config-if)# switchport port-security maximum 1
MAC Address Learning
Scenario: You have 1000 authorised hosts connected to the network. You
want to lock the ports down to these particular hosts
Manually adding the MAC addresses is not a scalable solution
Sticky MAC addresses add the learned MAC address to the running
configuration. Save to the startup config to make them permanent
SW1(config)# interface f0/2
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address sticky
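The Port Security behaviour covered from the default settings through violation actions, maximum, static and sticky addresses, as one added example that is not from the course: a model of a secured interface. Interface names, the shorthand MAC addresses and the log text are constructed, not real IOS output.

```python
"""Added example, not from the course: a model of an interface with Port
Security enabled, following the behaviour described on the slides (default
maximum of one address, the shutdown/protect/restrict violation actions,
static and sticky addresses, err-disabled recovery). Interface names, the
shorthand MAC addresses and the log text are constructed."""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", static=(), sticky=False):
        assert violation in ("shutdown", "protect", "restrict")
        self.name = name
        self.maximum = maximum        # switchport port-security maximum N
        self.violation = violation    # switchport port-security violation X
        self.static = set(static)     # switchport port-security mac-address X
        self.sticky = sticky          # switchport port-security mac-address sticky
        self.learned = []             # dynamically learned addresses, oldest first
        self.status = "secure-up"
        self.violation_count = 0
        self.syslog = []

    def secure_addresses(self):
        return self.static | set(self.learned)

    def ingress(self, src_mac):
        """A frame with source MAC src_mac arrives. Returns True if forwarded."""
        if self.status == "err-disabled":
            return False                      # port is down: nothing passes
        if src_mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned.append(src_mac)     # room left: learn it and forward
            return True
        # A further address tried to transmit: apply the violation action
        if self.violation == "shutdown":
            self.status = "err-disabled"
            self.violation_count += 1
            self.syslog.append(f"{self.name} err-disabled: violation by {src_mac}")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.syslog.append(f"{self.name} dropped frame from {src_mac}")
        # protect: dropped silently, no log entry, counter unchanged
        return False

    def recover(self):
        """'shutdown' then 'no shutdown' (or errdisable auto-recovery): the port
        comes back up; non-sticky learned addresses are forgotten, static and
        sticky ones are kept."""
        self.status = "secure-up"
        if not self.sticky:
            self.learned = []

    def running_config(self):
        """The lines Port Security contributes to the running configuration."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.learned]
        return lines
```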
Verify Port Security Addresses
View Summary Information
Access Control Lists
An ACL identifies traffic based on characteristics of the packet such as source IP address, destination IP address, port number
The router or switch can take an action based on the result of the ACL
ACLs are supported on both routers and switches. I will refer to ‘routers’ throughout this section
Access Control Lists for Security
The original use of ACLs was as a security feature to decide if traffic should be allowed to pass through the router
By default a router will allow all traffic to pass between its interfaces
When ACLs are applied the router identifies traffic and then decides if it will be allowed or not
Access Control Lists
ACLs are also used in other software policies when traffic has to be identified, for example:
Identify traffic to give better service to in a QoS Quality of Service policy
Identify traffic to translate to a different IP address in a NAT Network Address Translation policy
ACE Access Control Entries
Access Control Lists are made up of Access Control Entries which are a series of permit or deny rules
Each ACE is written in a separate line
ACE Access Control Entry Example
R2(config)# access-list 100 deny tcp 10.10.30.0 0.0.0.255 gt 49151 10.10.20.1 0.0.0.0 eq 23
Field breakdown:
No. = 100, Action = deny, Protocol = tcp
Source: IP = 10.10.30.0, Wildcard = 0.0.0.255, Qualifier and Port = gt 49151
Destination: IP = 10.10.20.1, Wildcard = 0.0.0.0, Qualifier and Port = eq 23
Access Control List Example
R1(config)# access-list 100 deny tcp 10.10.10.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.10.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 deny tcp 10.10.20.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.20.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq 23
Standard vs Extended ACLs
R1(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1300-1999> IP standard access list (expanded range)
<2000-2699> IP extended access list (expanded range)
! truncated
Original Implementation: Standard vs Extended ACLs
Standard ACLs reference the source address only
Extended ACLs check based on the protocol, source address, destination address, and port number
Standard ACL Range: 1 – 99
Extended ACL Range: 100 - 199
ACL Improvement: Expanded Ranges
Cisco expanded the original ACL Ranges
Standard: 1-99, 1300-1999
Extended: 100-199, 2000-2699
Standard Access List Example
R1(config)# access-list 1 deny 10.10.10.10 0.0.0.0
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
Standard Access List Example
The default wildcard mask for a Standard ACL is 0.0.0.0, meaning an individual host address.
R1(config)# access-list 1 deny 10.10.10.10

Do not forget to enter the wildcard when specifying an IP subnet. Without it, this entry matches only the single address 10.10.10.0, not the 10.10.10.0/24 subnet:
R1(config)# access-list 1 deny 10.10.10.0
Extended Access List Example
R1(config)# access-list 100 deny tcp 10.10.10.10 0.0.0.0
gt 49151 10.10.50.10 0.0.0.0 eq 23
R1(config)# access-list 100 permit tcp 10.10.10.0
0.0.0.255 gt 49151 10.10.50.10 0.0.0.0 eq telnet
Extended Access List Example
There is no default wildcard mask for Extended ACLs

R1(config)#access-list 150 deny tcp 10.10.10.10 ge 1024 10.10.50.10 eq 23
                                                ^
% Invalid input detected at '^' marker.
ACL Improvement: Named ACLs
You can now reference ACLs by number or by a name
Named ACLs begin with the command ‘ip access-list’ instead of ‘access-list’

R1(config)#ip access-list ?
extended Extended Access List
standard Standard Access List
! truncated
Named ACL Syntax
R1(config)#ip access-list standard Flackbox-Demo
R1(config-std-nacl)#deny 10.10.10.10 0.0.0.0
R1(config-std-nacl)#permit 10.10.10.0 0.0.0.255
ACL Action
R1(config)#access-list 100 ?
deny Specify packets to reject
permit Specify packets to forward
remark Access list entry comment
! Truncated
ACL Protocol
R1(config)#access-list 100 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
ip Any Internet Protocol
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
! truncated
ACL Protocol
Use TCP or UDP if you want the ACE to apply to traffic for a particular application between a source and destination address

R1(config)#access-list 100 deny tcp 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255 eq 80
ACL Protocol
Use IP if you want the ACE to apply to all traffic between a source and destination address

R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
ACL Source
R1(config)#access-list 100 permit tcp ?
A.B.C.D Source address
any Any source host
host A single source host
Wildcards
The host and any keywords save you typing out the wildcard mask
These examples mean the same thing:

R1(config)#access-list 100 permit tcp 10.10.10.10 0.0.0.0
R1(config)#access-list 100 permit tcp host 10.10.10.10

R1(config)#access-list 100 permit tcp 0.0.0.0 255.255.255.255
R1(config)#access-list 100 permit tcp any
Source Port Number
Specifying the source port number is optional, it defaults to any port

R1(config)#access-list 100 permit tcp 10.10.10.0 0.0.0.255 ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
Destination Address
The destination address uses the same format as the source address

R1(config)#access-list 100 permit tcp host 10.10.10.10 10.10.20.0 0.0.0.255
Final Options
Additional options are available after entering the destination address such as destination port, TCP flags and logging.

R1(config)#access-list 100 permit tcp host 10.10.10.10 10.10.20.0 0.0.0.255 ?
ack Match on the ACK bit
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
urg Match on the URG bit
Complete ACE Example
R1(config)#access-list 100 deny tcp host 10.10.10.10 10.10.20.0
0.0.0.255 eq www log
Verification – show access-lists
R2#sh access-lists 100
Extended IP access list 100
permit tcp host 10.10.30.10 host 10.10.20.1 eq telnet (13 match(es))
deny tcp 10.10.30.0 0.0.0.255 host 10.10.20.1 eq telnet (4 match(es))

The ‘log’ keyword is not required to log hit counts. It is used to log to the console or an external monitoring server
Access Groups
ACLs are applied at the interface level with the Access-Group command
ACLs can be applied in the inbound or outbound direction
You can have a maximum of one ACL per interface per direction
You can have both an inbound and an outbound ACL on the same
interface, but not 2 inbound or outbound ACLs
An interface can have no ACL applied, an inbound ACL only, an
outbound ACL only, or ACLs in both directions
Access-Group Configuration
R1(config)# interface GigabitEthernet0/1
R1(config-if)# ip access-group 100 out
R1(config-if)# ip access-group 101 in
Access-Group Configuration – show ip interface
R3#show ip interface f1/0 | include access list
Outgoing access list is 100
Inbound access list is 101

(‘not set’ if ACL is not applied)
Access Control Entry Order
The ACL is read by the router from top to bottom
As soon as a rule matches the packet, the permit or deny action is applied and the ACL is not processed any further
The order of rules is important
Access Control Entry Order
This will deny 10.10.10.10 but permit the rest of the 10.10.10.0/24 subnet
R1(config)# access-list 1 deny host 10.10.10.10
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255

This will permit all of the 10.10.10.0/24 subnet including 10.10.10.10
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
R1(config)# access-list 1 deny host 10.10.10.10
Injecting ACEs in an Existing ACL
ACEs are automatically numbered in increments of 10

R1#sh access-lists 110
Extended IP access list 110
10 deny tcp host 10.10.10.10 host 10.10.50.10 eq telnet
20 permit tcp 10.10.10.0 0.0.0.255 host 10.10.50.10 eq telnet
30 deny tcp host 10.10.20.10 host 10.10.50.10 eq telnet
40 permit tcp 10.20.10.0 0.0.0.255 host 10.10.50.10 eq telnet
Injecting ACEs in an Existing ACL
Support for injecting ACEs in an existing ACL started in Named ACLs but is also supported in Numbered ACLs now

R1(config)#ip access-list extended 110
R1(config-ext-nacl)#15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet

R1#sh access-lists 110
Extended IP access list 110
10 deny tcp host 10.10.10.10 host 10.10.50.10 eq telnet
15 deny tcp host 10.10.10.11 host 10.10.50.10 eq telnet
20 permit tcp 10.10.10.0 0.0.0.255 host 10.10.50.10 eq telnet
30 deny tcp host 10.10.20.10 host 10.10.50.10 eq telnet
40 permit tcp 10.20.10.0 0.0.0.255 host 10.10.50.10 eq telnet
Implicit Deny All
There is an implicit ‘deny any any’ rule at the bottom of ACLs
If an ACL is not applied to an interface, all traffic is allowed
If an ACL is applied, all traffic is denied except what is explicitly allowed

Traffic from 10.10.10.0/24 will be permitted, everything else is denied
R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
Explicit Deny All
Many organisations include an explicit deny all at the end of ACLs to log illegal traffic

R1(config)# access-list 1 permit 10.10.10.0 0.0.0.255
R1(config)# access-list 1 deny any log
Explicit Permit All
If an ACL is applied, all traffic is denied except what is explicitly allowed
If you want to reverse this so that all traffic is permitted except what is explicitly denied, add a permit all statement to the end of the ACL

Traffic from 10.10.10.0/24 is denied, everything else is permitted
R1(config)# access-list 1 deny 10.10.10.0 0.0.0.255
R1(config)# access-list 1 permit any
Traffic Sourced from Router
ACLs applied to an interface do not apply to traffic which originates from the router itself
The hosts in the 10.1.1.0/24 subnet cannot Telnet to R2
An administrator can Telnet to R2 from the CLI on R1
R1(config)# access-list 100 deny tcp any any eq 23
R1(config)# interface f1/0
R1(config-if)# ip access-group 100 out

(Diagram: hosts 10.1.1.10 and 10.1.1.11 on R1 F0/0 10.1.1.1/24; R1 F1/0 is .1 and R2 F1/0 is .2 on the 10.1.0.0/24 link)
RFC 1918 Private Addresses
The Internet Engineering Task Force (IETF) documents standards with RFCs (Requests For Comments)
RFC 1918 specifies private IP address ranges which are not routable on the public internet
RFC 1918 Private Addresses
Private addresses were originally designed for hosts which should have
no internet connectivity
Public IP addresses cost money
If an organisation has a part of their network where the hosts need to
communicate with each other over IP, but do not require connectivity
to the Internet, they can assign private IP addresses
RFC 1918 Private Addresses
There is a range of private addresses in each address class.
10.0.0.0 – 10.255.255.255
‒ 10.0.0.0/8
‒ 10.0.0.0 255.0.0.0
172.16.0.0 – 172.31.255.255
‒ 172.16.0.0/12
‒ 172.16.0.0 255.240.0.0
192.168.0.0 – 192.168.255.255
‒ 192.168.0.0/16
‒ 192.168.0.0 255.255.0.0
The IPv4 Global Address Space Problem
The designers of IPv4 did not envision the explosive growth of its use
4.3 billion addresses seemed more than enough
The protocol is not particularly efficient in its use of the available
space, with many addresses being wasted
IPv6
The Internet authorities started to predict address exhaustion in the
late 1980’s, and IPv6 was developed in the 90’s as the long term
solution
IPv6 uses a 128 bit address, compared to IPv4’s 32 bit address
IPv6 provides more than 7.9×10^28 times as many addresses as IPv4
The IPv6 Problem and NAT
There is not a seamless migration path from IPv4 to IPv6
NAT (Network Address Translation) was implemented as a temporary
workaround to mitigate the lack of IPv4 addresses until organisations
had time to migrate to IPv6
The IPv6 Problem and NAT
An organisation can use private IP addresses on their inside network,
but still grant their hosts Internet access by translating them to their
outside public IP addresses
Many hosts on the inside can share a few or a single public IP address
on the outside
Private Addresses and NAT
(Diagram: Office A and Office B both connect to the Internet. Office A: public 203.0.113.1/28, 14 addresses; private 192.168.10.0/24, 200 hosts. Office B: public 203.0.113.16/29, 6 addresses; private 192.168.10.0/24, 100 hosts)
Today’s Networks
Many industry experts predicted in the early 2000’s that IPv6 would be
ubiquitous within a few years
It hasn’t worked out that way – most enterprises today use RFC 1918
IPv4 addresses with NAT
RFC 1918 has the security benefit of hiding inside hosts by default
(they don’t have a publicly routable IP address), plus network
engineers have more experience with IPv4 than v6
NAT Types
Static NAT – permanent one-to-one mapping usually between a
public and private IP address. Used for servers which must accept
incoming connections.
Dynamic NAT – uses a pool of public addresses which are given out on
an as needed first come first served basis. Usually used for internal
hosts which need to connect to the Internet but do not accept
incoming connections.
PAT (Port Address Translation) – allows the same IP address to be reused.
NAT Lab
Static NAT Scenario
We have bought the range of public IP addresses 203.0.113.0/28 from
our service provider
203.0.113.2 is used on the outside interface on our Internet edge
router R1
203.0.113.1 is used as the default gateway address. It is the SP1 router
on the other side of the link
203.0.113.3 – 203.0.113.14 remain available
Static NAT Scenario
Int-S1 at 10.0.1.10 is an internal web server which needs to accept
incoming connections from the Internet
We need to assign a fixed public IP address to accept incoming
connections. We will use the first available address 203.0.113.3
A static NAT translation is required to translate the public IP address
203.0.113.3 on F0/0 to 10.0.1.10 on F1/0 for incoming connections
The translation is bidirectional so will also translate 10.0.1.10 to
203.0.113.3 for outbound traffic from the server
Static NAT Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside

R1(config)#int f1/0
R1(config-if)#ip nat inside

R1(config)#ip nat inside source static 10.0.1.10 203.0.113.3
NAT Verification – show ip nat translation
R1#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 203.0.113.3:1 10.0.1.10:1 203.0.113.20:1 203.0.113.20:1
tcp 203.0.113.3:80 10.0.1.10:80 203.0.113.20:45849 203.0.113.20:45849
--- 203.0.113.3 10.0.1.10 --- ---
NAT Definitions
Inside local address—The IP address actually configured on the inside
host’s Operating System.
Inside global address— The NAT’d address of the inside host as it will
be reached by the outside network.
Outside local address—The IP address of the outside host as it
appears to the inside network.
Outside global address—The IP address assigned to the host on the
outside network by the host’s owner.
Outside Local vs Outside Global
Router R1 in our example knows one address to reach the outside host
(203.0.113.20) and does not translate that address.
For one way NAT, the Outside Local and Outside Global addresses will
be reported as being the same.
Two Way NAT
(Diagram: host A1 in Company A and host B1 in Company B both use 10.10.10.0/24, with R1 between them. Company A is translated to 10.10.20.0/24 and Company B to 10.10.30.0/24)
Translate the source address from 10.10.10.10 to 10.10.20.10
Translate the destination address from 10.10.30.10 to 10.10.10.10
Two Way NAT
Inside Local (Source IP): 10.10.10.10
Inside Global (Source IP): 10.10.20.10
Outside Local (Destination IP): 10.10.30.10
Outside Global (Destination IP): 10.10.10.10
NAT Lab
Dynamic NAT Scenario
We have bought the range of public IP addresses 203.0.113.0/28 from our
service provider
203.0.113.2 is used on the outside interface on our Internet edge router R1
203.0.113.1 is used as the default gateway address. It is the SP1 router on
the other side of the link
203.0.113.3 is used for a static NAT translation for the 10.0.1.10 web server
203.0.113.4 – 203.0.113.14 remain available
Dynamic NAT Scenario
The hosts in the 10.0.2.0/24 network do not accept incoming connections
so they don’t need a fixed public IP address with a static NAT translation
They do need outbound connectivity to the Internet so need to be
translated to a public IP address
We will use the remaining public addresses 203.0.113.4 - 14 as a NAT pool
The inside hosts will be translated to the public IP addresses on a first come
first served basis when they send traffic out
The first host to send traffic out will be translated to 203.0.113.4, the
second host to 203.0.113.5 etc., up to 203.0.113.14 at the end of the pool
Dynamic NAT Scenario
With standard dynamic NAT you need a public IP address for every
inside host which needs to communicate with the outside
If you have 30 hosts, you need 30 public IP addresses
When all the addresses in the pool have been used, new outbound
connections from other inside hosts will fail because there will be no
addresses left to translate them to
These hosts would have to wait for existing connections to be torn
down and the translations to be released back into the pool when they
time out
Dynamic NAT Configuration
Mark the outside and inside interfaces:
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside

Configure the pool of global addresses:
R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.14 netmask 255.255.255.240

Create an access list which references the internal IP addresses we want to translate:
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

Associate the access list with the NAT pool to complete the configuration:
R1(config)#ip nat inside source list 1 pool Flackbox
NAT Verification – show ip nat translation
clear ip nat translation
R1#clear ip nat translation can be used to remove translations from the translation table
This can be useful when troubleshooting
It is also often required if you want to edit your NAT configuration – the router will not allow changes while there are active translations
R1#clear ip nat translation * will remove all dynamic translations
NAT Verification – show ip nat statistics
R1#show ip nat statistics
Total active translations: 2 (0 static, 2 dynamic; 2 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet2/0
Hits: 148  Misses: 0
CEF Translated packets: 148, CEF Punted packets: 0
Expired translations: 7
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 1 interface FastEthernet0/0 refcount 2
nat-limit statistics:
  max entry: max allowed 0, used 0, missed 0
Dynamic NAT Address Exhaustion
With standard dynamic NAT the inside hosts are translated to public IP
addresses on a first come first served basis when they send traffic out
This requires a public IP address for every inside host which
communicates with the outside network
When all the addresses in the pool have been used, new outbound
connections from other inside hosts will fail because there will be no
addresses left to translate them to
PAT Port Address Translation
Port Address Translation (PAT) is an extension to NAT that permits
multiple devices to be mapped to a single public IP address
With PAT you do not need a public IP address for every inside host
The router tracks translations by IP address and Layer 4 port number
Because different inside hosts are assigned different port numbers, the
router knows which host to send return traffic to, even when the
public IP address is the same
NAT Lab
Dynamic NAT with Overload
Dynamic NAT with Overload uses PAT to allow more clients to be translated than there are IP addresses available in the NAT pool
If the NAT pool is 203.0.113.4 to 203.0.113.6 for example, the first 2 hosts which initiate outbound connections will be translated to 203.0.113.4 and 203.0.113.5
Dynamic NAT with Overload
The 3rd host will be translated to 203.0.113.6 and the router will track which source port number was used in the translation table
The 4th and 5th etc. hosts will also be translated to 203.0.113.6, but with different source port numbers
When the return traffic is sent back, the router checks the destination port number to see which host to forward it to
Dynamic NAT with Overload
Diagram sequence: the inside hosts 10.10.10.10 – 10.10.10.13 send traffic to the outside servers 203.0.113.10 and 203.0.113.11 through the pool 203.0.113.4 – 203.0.113.6, and the return traffic for each connection comes back through the same translation. The translation table built up over the sequence is:

Inside Local        Inside Global       Outside Local       Outside Global
(Source)            (Source)            (Destination)       (Destination)
10.10.10.10:49165   203.0.113.4:4096    203.0.113.10:80     203.0.113.10:80
10.10.10.11:49158   203.0.113.5:4097    203.0.113.10:80     203.0.113.10:80
10.10.10.12:49152   203.0.113.6:4098    203.0.113.11:80     203.0.113.11:80
10.10.10.13:49152   203.0.113.6:4099    203.0.113.11:80     203.0.113.11:80

Note that 10.10.10.12 and 10.10.10.13 both use source port 49152 and both share inside global address 203.0.113.6; the router assigns them different translated ports (4098 and 4099), which is what lets it forward the return traffic to the correct host.
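An added example, not from the course slides, that models the Dynamic NAT Address Exhaustion and Dynamic NAT with Overload passages above: a small Python model of the lab pool and access list, with and without overload. It assumes the slides' simplified port numbering (4096, 4097, ...) and that a host grabs a free pool address before sharing the last one; it is not real IOS behaviour, but it shows the pool-exhaustion failure mode of standard dynamic NAT and why return traffic can only reach a host that has an active translation.

```python
import ipaddress

class NatRouter:
    """Model of 'ip nat inside source list 1 pool Flackbox [overload]'.
    Standard mode: one pool address per host, exhausted after len(pool) hosts.
    Overload: once the pool is used up, later hosts share the last address and
    are told apart by the translated port (slides' 4096, 4097 ...). Not real IOS."""

    def __init__(self, pool, acl, overload=False):
        self.pool = list(pool)                   # inside global addresses
        self.acl = ipaddress.ip_network(acl)     # hosts permitted by access-list 1
        self.overload = overload
        self.host_map = {}      # inside local IP -> inside global IP
        self.conns = {}         # (inside local IP, port) -> (inside global IP, port)
        self.next_port = 4096   # next PAT port to hand out (constructed numbering)

    def translate_out(self, src_ip, src_port):
        """Outbound packet: returns the inside global (ip, port), or None when it
        is not translated (ACL miss, or pool exhausted so the connection fails)."""
        if ipaddress.ip_address(src_ip) not in self.acl:
            return None
        key = (src_ip, src_port)
        if key in self.conns:
            return self.conns[key]               # existing connection
        if src_ip not in self.host_map:
            free = [ip for ip in self.pool if ip not in self.host_map.values()]
            if free:
                self.host_map[src_ip] = free[0]  # first come, first served
            elif self.overload:
                self.host_map[src_ip] = self.pool[-1]
            else:
                return None                      # nothing left to translate to
        gport = src_port                         # standard NAT keeps the port
        if self.overload:
            gport, self.next_port = self.next_port, self.next_port + 1
        self.conns[key] = (self.host_map[src_ip], gport)
        return self.conns[key]

    def translate_in(self, dst_ip, dst_port):
        """Return traffic: find the inside host by translated (ip, port).
        None means no active translation, so the packet is dropped."""
        for local, glob in self.conns.items():
            if glob == (dst_ip, dst_port):
                return local
        return None

    def clear(self):                             # clear ip nat translation *
        self.host_map.clear()
        self.conns.clear()
```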
Standard Dynamic NAT Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside

Configure the pool of global addresses:
R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.6 netmask 255.255.255.240

Create an access list which references the internal IP addresses we want to translate:
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

Associate the access list with the NAT pool to complete the configuration:
R1(config)#ip nat inside source list 1 pool Flackbox

Dynamic NAT with Overload Configuration
R1(config)#int f0/0
R1(config-if)#ip nat outside
R1(config)#int f2/0
R1(config-if)#ip nat inside

Configure the pool of global addresses:
R1(config)#ip nat pool Flackbox 203.0.113.4 203.0.113.6 netmask 255.255.255.240

Create an access list which references the internal IP addresses we want to translate:
R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

Associate the access list with the NAT pool, adding the overload keyword, to complete the configuration:
R1(config)#ip nat inside source list 1 pool Flackbox overload
PAT with Single IP Address
The last NAT scenario to cover is a small office which has not
purchased a range of public IP addresses
In this case the outside interface will most likely get its IP address via
DHCP from the service provider
PAT can be used to allow multiple inside hosts to share the single
outside public IP address
PAT with Single IP Address
The configuration is very similar to Dynamic NAT with Overload but
translates to the outside interface address rather than a pool of
addresses
You must translate to the outside interface rather than a specific IP
address because a DHCP address can change
PAT with Single IP Address Configuration
R1(config)#int f0/0
R1(config-if)#ip address dhcp
R1(config-if)#ip nat outside

R1(config)#int f1/0
R1(config-if)#ip nat inside

R1(config)#access-list 1 permit 10.0.2.0 0.0.0.255

R1(config)#ip nat inside source list 1 interface f0/0 overload
NAT Verification – show ip nat translation
NAT Verification – debug ip nat
R1#debug ip nat

Outbound
*Aug 21 23:52:55.739: NAT*: TCP s=52670->4097, d=23
*Aug 21 23:52:55.739: NAT*: s=10.0.2.11->203.0.113.13, d=203.0.113.20 [34332]

Return Traffic
*Aug 21 23:52:55.763: NAT*: TCP s=23, d=4097->52670
*Aug 21 23:52:55.763: NAT*: s=203.0.113.20, d=203.0.113.13->10.0.2.11 [45975]
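An added example, not part of the slides, for reading the debug ip nat output shown above: each packet produces a pair of lines (Layer 4 ports, then IP addresses), and this parser pairs them up and rebuilds the inside local, inside global and outside sockets so a translation can be checked against the intended configuration. The sample lines are constructed in the same format as the slide (a Telnet session on port 23), and the record field names are my own.

```python
import re

# Constructed sample in the format of the R1#debug ip nat output on the slide:
# one outbound packet and its return packet for a Telnet session.
DEBUG_LINES = """\
*Aug 21 23:52:55.739: NAT*: TCP s=52670->4097, d=23
*Aug 21 23:52:55.739: NAT*: s=10.0.2.11->203.0.113.13, d=203.0.113.20 [34332]
*Aug 21 23:52:55.763: NAT*: TCP s=23, d=4097->52670
*Aug 21 23:52:55.763: NAT*: s=203.0.113.20, d=203.0.113.13->10.0.2.11 [45975]
"""

# First line of each pair: Layer 4 ports; second line: IP addresses and the IP ID.
PORT_RE = re.compile(r"NAT\*?: (?P<proto>TCP|UDP) s=(?P<s>[\d>-]+), d=(?P<d>[\d>-]+)")
ADDR_RE = re.compile(r"NAT\*?: s=(?P<s>[\d.>-]+), d=(?P<d>[\d.>-]+) \[(?P<id>\d+)\]")


def _before_after(field):
    """'a->b' means the field was rewritten from a to b; 'a' means unchanged."""
    parts = field.split("->")
    return parts[0], parts[-1]


def parse_debug(text):
    """Pair each port line with the address line that follows it and return one
    record per packet: direction plus inside local, inside global and outside sockets."""
    packets, ports = [], None
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            ports = m.groupdict()
            continue
        m = ADDR_RE.search(line)
        if not (m and ports):
            continue
        s_ip, d_ip = _before_after(m["s"]), _before_after(m["d"])
        s_pt, d_pt = _before_after(ports["s"]), _before_after(ports["d"])
        if "->" in m["s"]:     # source rewritten: outbound, inside local -> inside global
            rec = dict(direction="out", inside_local=(s_ip[0], int(s_pt[0])),
                       inside_global=(s_ip[1], int(s_pt[1])), outside=(d_ip[0], int(d_pt[0])))
        else:                  # destination rewritten: return traffic, inside global -> inside local
            rec = dict(direction="in", inside_local=(d_ip[1], int(d_pt[1])),
                       inside_global=(d_ip[0], int(d_pt[0])), outside=(s_ip[0], int(s_pt[0])))
        rec.update(proto=ports["proto"], ip_id=int(m["id"]))
        packets.append(rec)
        ports = None
    return packets


def translation_rows(packets):
    """Collapse per-packet records into unique rows like show ip nat translation."""
    rows = {(p["proto"], p["inside_local"], p["inside_global"], p["outside"]) for p in packets}
    return sorted(rows)
```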