CCNA PART-2
Nasir Majeed
Assistant Professor
PTCL Academy
Islamabad
Basic Switching Concepts and Configuration

Switches
Switch Forwarding Methods
• Cut-through switching. There are two variants of cut-through switching:
  – Fast-forward switching: the switch forwards a frame as soon as it has read the destination MAC address.
  – Fragment-free switching: the switch stores the first 64 bytes of the frame before forwarding it.
• Adaptive cut-through: some switches are configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached, and then they automatically change to store-and-forward.
  – When the error rate falls below the threshold, the port automatically changes back to cut-through switching.
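To make the three decision rules and the adaptive threshold concrete, here is an added Python simulation; it is not from the slides and not Cisco code. It builds minimal Ethernet frames with a CRC-32 FCS, applies each forwarding rule, and models a per-port adaptive cut-through switch. The 64-byte minimum frame size is the Ethernet standard; the MAC addresses, the error-rate window and the threshold value are constructed assumptions of this model.

```python
import zlib

MIN_FRAME = 64  # Ethernet minimum frame size (bytes); anything shorter is a collision fragment ("runt")


def build_frame(dst: bytes, src: bytes, payload: bytes, corrupt: bool = False) -> bytes:
    """Build a minimal Ethernet II frame: dst MAC, src MAC, EtherType 0x0800, payload, CRC-32 FCS.
    corrupt=True flips the last FCS byte to simulate a frame damaged in transit."""
    body = dst + src + b"\x08\x00" + payload
    frame = body + zlib.crc32(body).to_bytes(4, "little")
    if corrupt:
        frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])
    return frame


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailing 4-byte FCS and compare."""
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def decide(method: str, frame: bytes) -> tuple:
    """Return (action, bytes examined before the decision) for one forwarding method."""
    if method == "fast-forward":
        # Forward as soon as the 6-byte destination MAC is read: runts and CRC errors go through.
        return ("forward", 6)
    if method == "fragment-free":
        # Hold the first 64 bytes: collision fragments are caught, CRC errors are not.
        if len(frame) < MIN_FRAME:
            return ("drop", len(frame))
        return ("forward", MIN_FRAME)
    if method == "store-and-forward":
        # Whole frame buffered; length and FCS checked before anything is forwarded.
        if len(frame) < MIN_FRAME or not fcs_ok(frame):
            return ("drop", len(frame))
        return ("forward", len(frame))
    raise ValueError(f"unknown forwarding method: {method}")


class AdaptiveCutThroughPort:
    """Per-port adaptive cut-through: fast-forward until the error rate over the last `window`
    frames exceeds `threshold`, then store-and-forward until the rate falls back below it."""

    def __init__(self, threshold: float = 0.2, window: int = 10):
        self.threshold = threshold
        self.window = window
        self.mode = "fast-forward"
        self.history = []  # 1 for a bad-FCS frame, 0 for a good one (most recent last)

    def error_rate(self) -> float:
        return sum(self.history) / len(self.history) if self.history else 0.0

    def handle(self, frame: bytes) -> str:
        action, _ = decide(self.mode, frame)
        # The switch sees the bad FCS once the whole frame has passed through, even when in
        # cut-through mode it has already forwarded it; that is what feeds the error counter.
        self.history.append(0 if fcs_ok(frame) else 1)
        self.history = self.history[-self.window:]
        rate = self.error_rate()
        if self.mode == "fast-forward" and rate > self.threshold:
            self.mode = "store-and-forward"
        elif self.mode == "store-and-forward" and rate < self.threshold:
            self.mode = "fast-forward"
        return action


# Constructed sample frames (MAC addresses are arbitrary values for the simulation).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
GOOD = build_frame(DST, SRC, b"A" * 46)                    # exactly 64 bytes
BAD_CRC = build_frame(DST, SRC, b"A" * 46, corrupt=True)   # 64 bytes, damaged FCS
RUNT = build_frame(DST, SRC, b"A" * 10)                    # 28 bytes: a collision fragment

if __name__ == "__main__":
    for method in ("fast-forward", "fragment-free", "store-and-forward"):
        print(method, decide(method, GOOD), decide(method, BAD_CRC), decide(method, RUNT))
```

The point the simulation makes is the trade-off the slides describe: fast-forward has the lowest latency but propagates both runts and CRC-damaged frames, fragment-free filters runts only, and store-and-forward is the only method that drops a frame with a bad FCS, at the cost of buffering the whole frame.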
Asymmetric and Symmetric Switching
• LAN switching may be classified as asymmetric or symmetric based on the way bandwidth is allocated to the switch ports.
• Asymmetric
  – An asymmetric LAN switch provides switched connections between ports of unlike bandwidth, such as a combination of 10 Mb/s, 100 Mb/s, and 1000 Mb/s ports.
  – Memory buffering is used.
• Symmetric
  – Symmetric switching provides switched connections between ports with the same bandwidth, such as all 100 Mb/s ports or all 1000 Mb/s ports.
  – Port-based buffering is used.
The Command Line Interface (CLI) Modes

Context Sensitive Help

Console Error Messages

The Command History Buffer
Prepare to Configure the Switch
Step 1. Before starting the switch, verify:
  – All network cable connections are secure.
  – Your PC is connected to the console port.
  – Your terminal emulator application, such as HyperTerminal, is running and configured correctly.
Step 2. Attach the power cable plug to the switch power supply socket.
  – Some Catalyst switches, including the Cisco Catalyst 2960 series, do not have power buttons.
Step 3. Observe the boot sequence:
  – When the switch is on, the POST begins.
  – During POST, the LEDs blink while a series of tests determine that the switch is functioning properly.
  – If the switch fails POST, the SYST LED turns amber.
Configure Duplex and Speed
Switch Port Settings: Auto-MDIX (Automatic Medium-Dependent Interface Crossover)
The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.
Here “correct cabling” means a cross-over cable and “incorrect cabling” means a straight-through cable.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mdix auto
Switch(config-if)# end
Managing the MAC Address Table
Switch# show mac address-table

Using the Show Commands
Clearing Configuration Information
• Clearing the configuration file
  – When you erase the startup configuration file, the switch enters setup mode when it reboots, so that you can reconfigure it with new settings.
  – To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config command.
• Deleting a stored configuration file
  – You may have been working on a complex configuration task and stored many backup copies of your files in Flash. To delete a file from Flash memory, use the delete flash:filename privileged EXEC command.
Using Port Security
Port security limits the number of valid MAC addresses allowed on a port.

Using Port Security: Security Violation Modes
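The slides name the violation modes only in a heading, so here is an added Python simulation (not from the slides and not Cisco code) of a port with a maximum MAC count and the three Cisco IOS violation modes as documented for the switchport port-security violation command: protect drops offending frames silently, restrict drops them and increments the violation counter with a notification, and shutdown places the port in err-disabled state until an administrator recovers it. The interface name, MAC addresses and log text are constructed.

```python
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    """One access port with port security enabled (simulation, not IOS code)."""
    name: str
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # switchport port-security violation {protect|restrict|shutdown}
    secure_macs: set = field(default_factory=set)   # MACs learned dynamically or configured as secure
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode: {self.violation}")

    def receive(self, src_mac: str) -> str:
        """Process a frame arriving with source MAC `src_mac`; return 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # port stays down until an admin recovers it
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamic learning, up to the configured maximum
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> str:
        if self.violation == "protect":
            return "drop"                      # silently dropped: no counter, no notification
        self.violation_count += 1
        # Constructed log text; the real IOS syslog wording differs.
        self.log.append(f"{self.name}: security violation by {src_mac} ({self.violation})")
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled
        return "drop"

    def recover(self) -> None:
        """Administrator clears the err-disabled state (shutdown / no shutdown on the interface)."""
        self.err_disabled = False


def run_scenario(violation: str, maximum: int = 2) -> dict:
    """Constructed traffic: two legitimate hosts, an unexpected third MAC, then host A again."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=violation)
    frames = ["00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc", "00:11:22:aa:aa:aa"]
    actions = [port.receive(mac) for mac in frames]
    return {"actions": actions, "violations": port.violation_count,
            "err_disabled": port.err_disabled, "log_entries": len(port.log)}


if __name__ == "__main__":
    for mode in VIOLATION_MODES:
        print(mode, run_scenario(mode))
```

Running the same traffic through each mode shows the operational difference a network defender cares about: shutdown is the only mode that also cuts off the legitimate hosts once a violation occurs, which is why it needs an explicit recovery step, whereas restrict keeps the port up while still producing the counter and notification that a monitoring system can alert on.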
Disable Unused Ports
• A simple method many administrators use to help secure their network from unauthorized access is to disable all unused ports on a network switch.
• Navigate to each unused port and issue the shutdown command.
• An alternate way to shut down multiple ports is to use the interface range command.
• If a port needs to be activated, you can manually enter the no shutdown command on that interface.
Configure Management Interface

Management Interface Considerations

Virtual LANs (VLANs)

VLAN Introduction
Benefits of VLANs
• The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically.
• This means that an administrator is able to do all of the following:
  – Easily move workstations on the LAN.
  – Easily add workstations to the LAN.
  – Easily change the LAN configuration.
  – Easily control network traffic.
  – Improve security.
Broadcast Domains with VLANs and Routers
Figure: three networks, 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16.
Without VLANs:
• Each group (switch) is on a different IP network.
• Three switches and one router can be used without VLANs in this example.
• Each switch treats all ports as members of one broadcast domain.
• The router is used to route packets among the three broadcast domains.
With VLANs (one link per VLAN or a single VLAN trunk):
• The switch is configured with the ports on the appropriate VLAN.
• The ports belonging to a particular VLAN share the broadcast domain.
• One switch and one router could be used with VLANs in this example.
• The router is used to route packets between the VLANs.
VLAN Operation
Figure: Switch 1 with ports 1–6; ports 1, 3 and 6 are in VLAN 1 and ports 2, 4 and 5 are in VLAN 2. Hosts 172.30.1.21 and 172.30.1.23 (255.255.255.0) are in VLAN 1; hosts 172.30.2.10 and 172.30.2.12 (255.255.255.0) are in VLAN 2; 172.30.99.1 is also shown. Labels: “Two VLANs, Two Subnets” and “Same VLAN but different IP subnets”.
1. VLANs are assigned on the switch port.
2. In order for a host to be a part of that VLAN, it must be assigned an IP address that belongs to the proper subnet. Even if a host is attached to a switch port on the right VLAN, if it does not have the right IP address it will not be able to communicate with other devices on that VLAN (including the default gateway) or other VLANs.
Remember: VLAN = Subnet
Without VLANs – No Broadcast Control
Figure: Switch 1 with hosts 172.30.1.21, 172.30.1.23, 172.30.2.10 and 172.30.2.12 (all 255.255.255.0); one host sends an ARP Request. No VLANs (the same as a single VLAN), two subnets.
• Without VLANs, the ARP Request would be seen by all hosts, consuming unnecessary network bandwidth and host processing cycles.
With VLANs – Broadcast Control
Figure: Switch 1 with each switch port assigned a VLAN ID: ports 1, 3 and 6 in VLAN 1, ports 2, 4 and 5 in VLAN 2. Hosts 172.30.1.21 and 172.30.1.23 are in VLAN 1 and 172.30.2.10 and 172.30.2.12 in VLAN 2 (all 255.255.255.0); one host sends an ARP Request. Two VLANs, two subnets.
Configuring VLANs and Trunks

Step 1: Configure a VLAN

Step 2: Assign a Switch Port

Step 2: Configuring Ranges of VLANs (the figure shows vlan 2 and vlan 3)

Step 2: Verifying VLANs

Step 3: Verify VLANs and Port Memberships

Step 3: Manage Port Memberships
Step 3: Delete VLANs
• Use the global configuration command no vlan 20 to remove VLAN 20.
  – The show vlan brief command verifies that VLAN 20 is no longer in the vlan.dat file.
• Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode.
  – After the switch is reloaded, the previously configured VLANs will no longer be present.
  – This effectively places the switch into its “factory default” state concerning VLAN configurations.
• Note: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.
Step 4: Configure an 802.1Q Trunk
• The example configures port F0/1 on switch S1 as the trunk port. It reconfigures the native VLAN as VLAN 99 and adds VLANs 10, 20, and 30 as allowed VLANs on port F0/1.

Step 5: Verify Trunk Configuration

Step 5: Managing a Trunk Configuration

Common Problems with Trunks

VLAN Trunking Protocol (VTP)
Benefits of VTP (VLAN Trunking Protocol)
• VTP is a Cisco proprietary protocol that allows VLAN configuration to be consistently maintained across a common administrative domain.
• VTP minimizes the possible configuration inconsistencies that arise when changes are made.
• Additionally, VTP reduces the complexity of managing and monitoring VLAN networks, allowing changes on one switch to be propagated to other switches via VTP.
• On most Cisco switches, VTP is running and has certain defaults already configured.
VLAN Trunking / Tagging
• VLAN tagging is used when a link needs to carry traffic for more than one VLAN.
• As packets are received by the switch from any attached end-station device, a unique packet identifier is added within each header.
• The packet is then forwarded to the appropriate switches or routers based on the VLAN identifier and MAC address.
• Upon reaching the destination node (switch), the VLAN ID is removed from the packet by the adjacent switch and the packet is forwarded to the attached device.

VLAN Tagging: ISL and IEEE 802.1Q
Configuring Trunking
Note: On many switches, the switchport trunk encapsulation command must be entered BEFORE the switchport mode trunk command.

VTP Configuration

Verifying VTP

Adding a switch to an existing VTP domain
• Delete the VLAN database, erase the startup configuration, and power cycle the switch.
• From privileged mode, issue the delete vlan.dat and erase startup-config commands, then power cycle the switch.

Three types of VTP messages
Inter-VLAN Routing

Physical and logical interfaces
• "Router-on-a-stick" is a type of router configuration in which a single physical interface routes traffic between multiple VLANs on a network.
• The router interface is configured to operate as a trunk link and is connected to a switch port configured in trunk mode.
• Subinterfaces are multiple virtual interfaces associated with one physical interface.
  – Subinterfaces are configured for different subnets corresponding to their VLAN assignment to facilitate logical routing before the data frames are VLAN tagged and sent back out the physical interface.

Dividing Physical Interfaces into Subinterfaces

Configuring Inter-VLAN Routing
Access Control Lists (ACLs)

What are ACLs?

How ACLs work
• Extended IP ACLs can filter on:
  – Source IP address
  – Destination IP address
  – Protocol (TCP, UDP)
  – Port numbers (Telnet – 23, HTTP – 80, etc.)
  – and other parameters

Creating Standard ACLs – 2 Steps
Example 1
Topology (figure): RouterA s0 (.1) and RouterB s0 (.2) are on 172.16.20.0/24; RouterB s1 (.1) and RouterC s0 (.2) are on 172.16.40.0/24; each router's e0 interface is the .1 address of its LAN.
• Task:
  – Permit only the host 172.16.30.2 from exiting the Sales network.
  – Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.
Example 2
Topology (figure): the same as in Example 1.
• Task:
  – Permit only the hosts 172.16.30.2, 172.16.30.3, 172.16.30.4, 172.16.30.5 from exiting the Sales network.
  – Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.
Once a condition is met, all other statements are ignored, so the implicit deny any only applies to unmatched packets.
RouterB(config)#access-list 10 permit 172.16.30.2
RouterB(config)#access-list 10 permit 172.16.30.3
RouterB(config)#access-list 10 permit 172.16.30.4
RouterB(config)#access-list 10 permit 172.16.30.5
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)#interface e 0
RouterB(config-if)#ip access-group 10 in
To remove the access list from the interface:
RouterB(config)#interface e 0
RouterB(config-if)#no ip access-group 10 in
Example 3
Topology (figure): the same as in Example 1.
• Task:
  – Deny only the host 172.16.30.2 from exiting the Sales network.
  – Permit all other hosts on the Sales network to leave the 172.16.30.0/24 network.
• The keyword “any” can be used to represent all IP addresses.
Order matters! What if these two statements were reversed? (next slide)
Does the implicit deny any ever get a match? No, the permit any will cover all other packets.
RouterB(config)#access-list 10 deny 172.16.30.2
RouterB(config)#access-list 10 permit any
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)#interface e 0
RouterB(config-if)#ip access-group 10 in
Reversed order: in this case all packets would be permitted, because all packets would match the first access list statement. Once a condition is met, all other statements are ignored. The second access list statement and the implicit deny any would never be used. This would not do what we want.
RouterB(config)#access-list 10 permit any
RouterB(config)#access-list 10 deny 172.16.30.2
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)#interface e 0
RouterB(config-if)#ip access-group 10 in
Wildcard Masks
Relationship: the wildcard mask is the bitwise NOT of the subnet mask.
D. 172.16.32.0 255.255.240.0 (wildcard mask 0.0.15.255)
RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255
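The ordering lesson of Example 3 and the wildcard-mask relationship above can both be checked in code. The following is an added Python example, not from the slides and not IOS code: it derives a wildcard mask from a subnet mask by bitwise NOT, parses the standard ACL statements exactly as they appear in Example 3 (the RouterB(config)# prompt is stripped), and evaluates a source address top-down with first-match semantics and the implicit deny at the end. The host and network addresses come from the examples on the page; the parser's handling of the `host` keyword is standard IOS syntax.

```python
import ipaddress


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = bitwise NOT of the subnet mask (255.255.240.0 -> 0.0.15.255)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def wildcard_match(address: str, acl_address: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the ACL address; a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(acl_address))
    return (a & care) == (b & care)


def parse_standard_acl(lines):
    """Parse 'access-list N {permit|deny} ADDRESS [WILDCARD]' statements, ignoring any CLI prompt.
    'any' means 0.0.0.0 255.255.255.255; a bare address or 'host ADDRESS' means wildcard 0.0.0.0."""
    entries = []
    for line in lines:
        parts = line.split("#", 1)[-1].split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL statement: {line!r}")
        action, target = parts[2], parts[3]
        if target == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            addr, wc = parts[4], "0.0.0.0"
        else:
            addr, wc = target, (parts[4] if len(parts) > 4 else "0.0.0.0")
        entries.append((action, addr, wc))
    return entries


def evaluate(acl, source_ip: str):
    """Top-down, first match wins. Returns (action, index); index None means the implicit deny any."""
    for index, (action, addr, wc) in enumerate(acl):
        if wildcard_match(source_ip, addr, wc):
            return action, index
    return "deny", None


# The two orderings from Example 3, copied with their prompts as they appear on the page.
EXAMPLE3_CORRECT = [
    "RouterB(config)#access-list 10 deny 172.16.30.2",
    "RouterB(config)#access-list 10 permit any",
]
EXAMPLE3_REVERSED = [
    "RouterB(config)#access-list 10 permit any",
    "RouterB(config)#access-list 10 deny 172.16.30.2",
]


def compare_orders(source_ip: str) -> dict:
    """Show what each ordering does to one source address."""
    return {
        "correct": evaluate(parse_standard_acl(EXAMPLE3_CORRECT), source_ip),
        "reversed": evaluate(parse_standard_acl(EXAMPLE3_REVERSED), source_ip),
    }


if __name__ == "__main__":
    print(wildcard_from_mask("255.255.240.0"))
    for ip in ("172.16.30.2", "172.16.30.9"):
        print(ip, compare_orders(ip))
```

With the reversed list, 172.16.30.2 matches the permit any at index 0 and the deny statement is never consulted, which is precisely the failure the slide warns about; a quick evaluation like this before applying an ACL to an interface is a cheap way to catch ordering mistakes.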
Verifying Access Lists

Inbound and Outbound Access Lists

Extended Access Lists
Extended Access Lists - Examples
Topology (figure): the same routers as in Example 1; the LANs are Administration (172.16.10.2/24), Sales (172.16.30.2/24) and Engineering (172.16.50.2/24), and port 80 is shown.
RouterA(config)#inter e 0
RouterA(config-if)#ip access-group 110 out
• When configuring access list statements, use the “?” to walk yourself through the command!
Named ACLs

Placing ACLs
Figure: source 10.0.0.0/8, destination 172.16.0.0/16.
The general rule:
• Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible.
• Put extended ACLs as close as possible to the source of the traffic being denied.

Complex ACLs: Dynamic, Reflexive, Time-based

Restricting Virtual Terminal Access
Dynamic Host Configuration Protocol (DHCP)

BOOTP and DHCP differences

Major DHCP Configuration Information

DHCP Operation

Configuring DHCP
Configuring IP helper addresses
Figure: the client's broadcast arrives on RTA's e0 and is relayed as a unicast.
Helper address configuration that relays broadcasts to all servers on the segment:
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255
But will RTA forward the broadcast?

Directed Broadcast
• RTA interface e3, which connects to the server farm, is not configured with helper addresses. Also, for this interface, directed broadcast forwarding is disabled.
• This means that the router will not convert the logical (Layer 3) broadcast 172.24.1.255 into a physical (Layer 2) broadcast with a Layer 2 address of FF-FF-FF-FF-FF-FF.
• To allow all the nodes in the server farm to receive the broadcasts at Layer 2, e3 will need to be configured to forward directed broadcasts with the following command:
RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast
The complete configuration:
RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255
RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast
Network Address Translation (NAT)

Private Addressing

Introducing NAT and PAT

NAT Example
Figure: four IP headers (DA, SA), numbered 1 to 4, show the packet before and after translation in each direction.
• Translation back, from public destination IP address to private destination IP address.
PAT – Port Address Translation

PAT Example
The NAT/PAT table maintains the translation of DA, SA and SP (the figure shows DA, SA, DP, SP for each packet in both directions).
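To show what the NAT/PAT table in the figure actually holds, here is an added Python model of an overloaded NAT (not from the slides and not Cisco code). Many inside-local (IP, port) pairs share one inside-global address and are told apart by the translated source port; reply packets are mapped back through the same table, and an inbound packet with no table entry is dropped. The addresses are constructed from the RFC 5737 documentation ranges and RFC 1918 space, and the port-allocation rule (keep the original source port when free, otherwise take the next unused one) is an assumption of this model.

```python
class PatTranslator:
    """Overloaded NAT (PAT): many inside-local (IP, port) pairs share one inside-global IP,
    distinguished by the translated source port. Simulation, not Cisco code."""

    def __init__(self, inside_global_ip: str, first_free_port: int = 1024):
        self.global_ip = inside_global_ip
        self.next_port = first_free_port
        self.table = {}      # (inside_local_ip, local_port) -> global_port
        self.reverse = {}    # global_port -> (inside_local_ip, local_port)

    def _allocate_port(self, preferred: int) -> int:
        # Assumption: keep the original source port when it is still free, otherwise
        # hand out the next unused port so two inside hosts never collide.
        if preferred not in self.reverse:
            return preferred
        while self.next_port in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: dict) -> dict:
        """Inside -> outside: rewrite SA/SP, creating a table entry on first use."""
        key = (pkt["sa"], pkt["sp"])
        if key not in self.table:
            gport = self._allocate_port(pkt["sp"])
            self.table[key] = gport
            self.reverse[gport] = key
        return {**pkt, "sa": self.global_ip, "sp": self.table[key]}

    def inbound(self, pkt: dict):
        """Outside -> inside: rewrite DA/DP from the table; None means no entry, so the packet is dropped."""
        key = self.reverse.get(pkt["dp"])
        if key is None or pkt["da"] != self.global_ip:
            return None
        return {**pkt, "da": key[0], "dp": key[1]}


def demo() -> dict:
    """Constructed traffic: two inside hosts using the same source port to reach one web server."""
    pat = PatTranslator("203.0.113.1")   # inside-global address (documentation range)
    a = pat.outbound({"sa": "10.1.1.10", "sp": 1025, "da": "198.51.100.5", "dp": 80})
    b = pat.outbound({"sa": "10.1.1.11", "sp": 1025, "da": "198.51.100.5", "dp": 80})
    reply_to_b = pat.inbound({"sa": "198.51.100.5", "sp": 80, "da": "203.0.113.1", "dp": b["sp"]})
    unsolicited = pat.inbound({"sa": "198.51.100.5", "sp": 80, "da": "203.0.113.1", "dp": 4444})
    return {"a": a, "b": b, "reply_to_b": reply_to_b, "unsolicited": unsolicited, "table": dict(pat.table)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last result is the side effect worth noticing: because an inbound packet only passes when it matches an existing table entry, PAT incidentally blocks unsolicited connections from the outside, which is why static NAT (covered later in the lab) is needed for any server that must be reachable from the public side.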
Configuring Dynamic NAT
Figure: start with the access list (the source IP address must match here), then translate to the outside addresses in the pool.

Configure PAT – Overload
• In this example a single public IP address is used; PAT uses the source ports to differentiate between connection streams.
• This is a different example, using the IP address of the outside interface instead of specifying an IP address.

Verifying NAT/PAT
DHCP-NAT-PAT: Topology

DHCP-NAT-PAT: Address Table

DHCP-NAT-PAT: Configuration
Perform basic router configurations. Configure the R1, R2, and ISP routers according to the following guidelines:
Configure PC1 and PC2 to receive an IP address through DHCP.
Enable OSPF with process ID 1 on R1 and R2. Do not advertise the 209.165.200.224/27 network.
R1(config)#router ospf 1
R1(config-router)#network 10.1.1.0 0.0.0.3 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R1(config-router)#network 192.168.11.0 0.0.0.255 area 0
Configure a Cisco IOS DHCP server on R2.
Test DHCP: on PC1 and PC2 test whether each has received an IP address automatically. On each PC go to Start -> Run -> cmd -> ipconfig.
Configure a helper address:
R1(config)#interface fa0/0
R1(config-if)#ip helper-address 10.1.1.2
R1(config)#interface fa0/1
R1(config-if)#ip helper-address 10.1.1.2
Test DHCP again: on PC1 and PC2 test whether each has received an IP address automatically (Start -> Run -> cmd -> ipconfig).
R2(config)#router ospf 1
R2(config-router)#default-information originate
Configure dynamic NAT with a pool of addresses. Establish dynamic source translation by binding the pool with the ACL:
R2(config)#ip nat inside source list NAT pool MY-NAT-POOL
Test dynamic NAT with a pool of addresses:
PC1>ping PC2 IP
PC1>ping 192.168.20.254
PC1>ping 209.165.200.226
PC2>ping PC1 IP
PC2>ping 192.168.20.254
PC2>ping 209.165.200.226
Configure static NAT.
Configure NAT overload. Note: in the previous task, you could have added the keyword overload to the ip nat inside source list NAT pool MY-NAT-POOL command.
Point-to-Point Protocol (PPP)

PPP Phases

PPP layered architecture

Link-establishment phase

Authentication Phase (Optional)

PPP Authentication Protocols
Password Authentication Protocol (PAP)
• After the PPP link establishment phase is complete, a username/password pair is repeatedly sent by the remote node across the link until authentication is acknowledged or the connection is terminated.
• PAP is not a strong authentication protocol.
• Passwords are sent across the link in clear text and there is no protection from playback or repeated trial-and-error attacks.
• The remote node is in control of the frequency and timing of the login attempts.

PAP Packets
Challenge Handshake Authentication Protocol (CHAP)
• After the PPP link establishment phase is complete, the local router sends a "challenge" message to the remote node.
• The remote node responds with a value calculated using a one-way hash function, which is typically Message Digest 5 (MD5).
• This response is based on the password and the challenge message.
• The local router checks the response against its own calculation of the expected hash value.
• If the values match, the authentication is acknowledged; otherwise the connection is immediately terminated.
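The CHAP exchange described above, as an added Python example that is not from the slides and not Cisco code. It follows the RFC 1994 calculation (Response = MD5 over the identifier, the shared secret and the challenge), with the local router acting as authenticator and the remote node as the peer, and then shows why the slide on PAP matters: a response captured from one exchange is useless against a fresh challenge, and a peer with the wrong secret or an unknown name is rejected. The peer names and secrets are constructed; the challenge is drawn from os.urandom in this model.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The local router: issues challenges and checks responses against its own calculation."""

    def __init__(self, peer_secrets: dict):
        self.peer_secrets = peer_secrets   # peer name -> shared secret (constructed for the example)
        self.identifier = 0
        self.outstanding = {}              # identifier -> challenge still awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)             # fresh, unpredictable challenge every time
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # each challenge is answered at most once
        secret = self.peer_secrets.get(name)
        if challenge is None or secret is None:
            return False                                     # stale identifier or unknown peer
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)       # constant-time comparison


class ChapPeer:
    """The remote node: answers with a hash over the shared secret; the secret itself never crosses the link."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple:
        return self.name, chap_response(identifier, self.secret, challenge)


def handshake(auth: ChapAuthenticator, peer: ChapPeer) -> tuple:
    """One three-way CHAP exchange; returns (success, (identifier, name, response)) for inspection."""
    identifier, challenge = auth.challenge()          # 1. Challenge
    name, response = peer.respond(identifier, challenge)  # 2. Response
    return auth.verify(identifier, name, response), (identifier, name, response)  # 3. Success/Failure


def reuse_old_response(auth: ChapAuthenticator, captured: tuple) -> bool:
    """What playback protection means: an earlier response presented against a new challenge fails."""
    identifier, _ = auth.challenge()
    _, name, response = captured
    return auth.verify(identifier, name, response)


if __name__ == "__main__":
    auth = ChapAuthenticator({"R2": b"constructed-shared-secret"})
    ok, captured = handshake(auth, ChapPeer("R2", b"constructed-shared-secret"))
    print("first exchange:", ok)
    print("old response against new challenge:", reuse_old_response(auth, captured))
```

Two details of the authenticator carry the security argument: the challenge is random and used once (popped on verification), so no response is valid twice, and the comparison uses hmac.compare_digest so that response checking does not leak timing information. Real IOS keeps the shared secret per peer with the username ... password command and re-challenges periodically over the life of the link, which this model does not reproduce.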
CHAP Packets
Network Layer Protocol Phase
• In this phase the PPP devices send NCP packets to choose and configure one or more network layer protocols, such as IP.
• Once each of the chosen network layer protocols has been configured, packets from each network layer protocol can be sent over the link.
• If LCP closes the link, it informs the network layer protocols so that they can take appropriate action.
• The show interfaces command reveals the LCP and NCP states under PPP configuration.
• The PPP link remains configured for communications until LCP or NCP frames close the link, or until an inactivity timer expires or a user intervenes.

IPCP Packet

PPP Phases: An Example