CCNA PART-2: Nasir Majeed, Assistant Professor, PTCL Academy, Islamabad

Basic Switching Concepts and Configuration
Switches

• Switches are dedicated, specialized computers with the same basic components as a router:
  – Central Processing Unit (CPU)
  – Random Access Memory (RAM)
  – Non-Volatile Random Access Memory (NVRAM), which holds the startup configuration
  – Flash, which holds the IOS image and the VLAN database (vlan.dat)
  – Read Only Memory (ROM)
  – Operating system (Cisco IOS)
• A switch can be configured by connecting to the console port.
• Switches typically have no power switch to turn them on and off.
Switch Forwarding Methods
• Switches use one of the following forwarding methods for switching data between network ports:
  – store-and-forward
  – cut-through
• Store-and-forward switching: when the switch receives a frame, it stores the data in buffers until the complete frame has been received. Only then does it check the frame length and the frame check sequence (FCS), discard the frame if either is bad, and look up the destination MAC address. A frame with a CRC error is never forwarded.
Switch Forwarding Methods
• Cut-through switching: the switch starts forwarding before the whole frame has arrived, so it cannot check the FCS. There are two variants of cut-through switching:
  – Fast-forward switching
  – Fragment-free switching
• Fast-forward switching: the switch forwards a frame as soon as it has read the destination MAC address (the first 6 bytes). This gives the lowest latency, but corrupt frames and collision fragments are forwarded as well.
• Fragment-free switching: the switch stores the first 64 bytes of the frame before forwarding. Because collision fragments are shorter than 64 bytes, this filters out runts, but it still does not verify the FCS.
Switch Forwarding Methods

Adaptive cut-through
• Some switches can perform cut-through switching on a per-port basis until a user-defined error threshold is reached, and then automatically change to store-and-forward.
  – When the error rate falls below the threshold, the port automatically changes back to cut-through switching.
• However, store-and-forward is the sole forwarding method used on current models of Cisco Catalyst switches.
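The difference between the three methods is easiest to see on concrete frames. The following is an added example (not code from the slides or from Cisco) that builds a good 64-byte frame, a runt and a frame corrupted in transit, and shows which of them each method would forward; the error threshold and window used by the adaptive port are assumptions chosen for the demonstration.

```python
"""Simulation of the switch forwarding methods described above (added example, not from the
original slides). The Ethernet FCS is a CRC-32 over the frame; a real switch checks it in hardware."""
import struct
import zlib

MIN_FRAME = 64   # minimum Ethernet frame size; collision fragments ("runts") are shorter


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Ethernet II frame: dst(6) src(6) EtherType(2) payload FCS(4, CRC-32, little-endian)."""
    body = dst + src + b"\x08\x00" + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def decide(method: str, frame: bytes) -> str:
    """Return 'forward' or 'drop' for one received frame under the given method."""
    if method == "store-and-forward":
        # whole frame buffered: length and FCS are checked before anything is sent
        return "forward" if len(frame) >= MIN_FRAME and fcs_ok(frame) else "drop"
    if method == "fast-forward":
        # forwarding starts as soon as the 6-byte destination MAC has been read
        return "forward" if len(frame) >= 6 else "drop"
    if method == "fragment-free":
        # first 64 bytes buffered: runts are caught, a bad FCS is not
        return "forward" if len(frame) >= MIN_FRAME else "drop"
    raise ValueError(f"unknown method {method}")


class AdaptivePort:
    """Adaptive cut-through: fast-forward until the error rate over the last `window`
    frames exceeds `threshold`, then store-and-forward until it drops back below.
    Threshold and window values are assumptions for the example."""

    def __init__(self, threshold: float = 0.2, window: int = 5):
        self.threshold, self.window = threshold, window
        self.recent = []                 # 1 = errored frame (runt or bad FCS), 0 = good
        self.method = "fast-forward"

    def receive(self, frame: bytes) -> str:
        action = decide(self.method, frame)          # the current frame uses the current mode
        errored = len(frame) < MIN_FRAME or not fcs_ok(frame)
        self.recent = (self.recent + [int(errored)])[-self.window:]
        rate = sum(self.recent) / len(self.recent)
        self.method = "store-and-forward" if rate > self.threshold else "fast-forward"
        return action


def sample_frames() -> tuple:
    """Constructed traffic: a good 64-byte frame, a runt, and a frame with one flipped byte."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    good = build_frame(dst, src, b"A" * 46)                 # 6+6+2+46+4 = 64 bytes
    runt = good[:40]                                         # collision fragment
    corrupt = bytearray(good)
    corrupt[20] ^= 0xFF                                      # payload byte altered in transit
    return good, runt, bytes(corrupt)


def compare_methods() -> dict:
    """Which of the three constructed frames each method would forward."""
    frames = sample_frames()
    return {m: [decide(m, f) for f in frames]
            for m in ("store-and-forward", "fast-forward", "fragment-free")}


if __name__ == "__main__":
    for method, result in compare_methods().items():
        print(f"{method:18s} good/runt/corrupt -> {result}")
```

Only store-and-forward drops the corrupted frame; fragment-free catches the runt but passes the bad CRC, and fast-forward passes both. The adaptive port forwards the first bad frame before it has any error history, which is the latency-versus-integrity trade the slide describes.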
Asymmetric and Symmetric Switching
• LAN switching may be classified as asymmetric or symmetric based on the way bandwidth is allocated to the switch ports.
• Asymmetric
  – An asymmetric LAN switch provides switched connections between ports of unlike bandwidth, such as a combination of 10 Mb/s, 100 Mb/s and 1000 Mb/s ports.
  – Memory buffering is needed so that a fast port can feed a slow one without dropping frames.
• Symmetric
  – Symmetric switching provides switched connections between ports with the same bandwidth, such as all 100 Mb/s ports or all 1000 Mb/s ports.
  – Port-based buffering is used.
The Command Line Interface (CLI) Modes

Context Sensitive Help

Console Error Messages

The Command History Buffer
Prepare to Configure the Switch
Step 1. Before starting the switch, verify:
  – All network cable connections are secure.
  – Your PC is connected to the console port.
  – Your terminal emulator application, such as HyperTerminal, is running and configured correctly (9600 baud, 8 data bits, no parity, 1 stop bit, no flow control are the usual console settings).
Step 2. Attach the power cable plug to the switch power supply socket.
  – Some Catalyst switches, including the Cisco Catalyst 2960 series, do not have power buttons.
Step 3. Observe the boot sequence:
  – When the switch is on, the power-on self-test (POST) begins.
  – During POST, the LEDs blink while a series of tests determine that the switch is functioning properly.
  – If the switch fails POST, the SYST LED turns amber.

Configure Duplex and Speed
Switch Port Settings: Auto-MDIX
Automatic Medium-Dependent Interface Crossover
The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default. Auto-MDIX only operates when the port's speed and duplex are set to auto; a port with hard-coded speed or duplex does not detect the cable type.

Table: Link Conditions and Auto-MDIX Settings

  Local side auto-MDIX | Remote side auto-MDIX | With correct cabling | With incorrect cabling
  On                   | On                    | Link up              | Link up
  On                   | Off                   | Link up              | Link up
  Off                  | On                    | Link up              | Link up
  Off                  | Off                   | Link up              | Link down

For a switch-to-switch link, "correct cabling" means a crossover cable and "incorrect cabling" means a straight-through cable. To enable the feature on a port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# mdix auto
Switch(config-if)# end
Managing the MAC Address Table
• Switch#show mac address-table displays the learned and static entries (VLAN, MAC address, type and port).
• The maximum size of the MAC address table varies with different switches.
  – For example, the Catalyst 2960 series switch can store up to 8,192 MAC addresses.
  – The table is a finite resource: a host that sends frames from thousands of random source addresses fills it, and once it is full the switch floods frames for unknown destinations out every port in the VLAN. Port security (below) bounds how many addresses a single port may learn.
Using the Show Commands
Clearing Configuration Information
• Clearing the configuration file
  – If you erase the startup configuration file, the switch enters setup mode when it next reboots, so that you can reconfigure it with new settings.
  – To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config command.
  – Erasing the startup configuration does not remove the VLAN database, which is kept separately in flash:vlan.dat (see "Delete VLANs" below).
• Deleting a stored configuration file
  – You may have been working on a complex configuration task and stored many backup copies of your files in flash. To delete a file from flash memory, use the delete flash:filename privileged EXEC command.
Using Port Security
Port security limits the number of valid MAC addresses allowed on a port; a frame from any other source address is treated as a violation.

Secure MAC addresses can be configured in three ways:
• Static secure MAC addresses: MAC addresses are manually configured. MAC addresses configured in this way are stored in the address table and are added to the running configuration.
• Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses learned in this way are removed when the switch restarts.
• Sticky secure MAC addresses: you can configure a port to dynamically learn MAC addresses and then save them to the running configuration. They survive a reload only if the running configuration is then copied to the startup configuration.
Using Port Security: Security Violation Modes

You can configure the interface for one of three violation modes:

• Protect: packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the maximum number of allowed addresses. You are not notified that a security violation has occurred, and the violation counter is not incremented.
• Restrict: packets with unknown source addresses are dropped in the same way, but you are notified that a security violation has occurred (a syslog message and an SNMP trap are generated) and the violation counter is incremented.
• Shutdown: a port security violation causes the interface to immediately become error-disabled and turns off the port LED. This is the default mode.
  – When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface commands, or configure errdisable recovery so that the port re-enables itself after a timeout.
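To make the three modes concrete, here is an added example (not from the slides and not Cisco code) that models a secure port with a maximum of one address, runs the same three frames through each mode, and shows what a reload does to dynamic versus sticky addresses. The log line is a constructed stand-in for the switch's syslog message.

```python
"""Port-security simulation: secure MAC learning and the protect / restrict / shutdown
violation modes (added example, not from the original slides). The log text is a
constructed stand-in for the switch's syslog message."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    static: set = field(default_factory=set)          # manually configured secure MACs
    dynamic: list = field(default_factory=list)       # learned; lost on restart unless sticky
    running_config: list = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static | set(self.dynamic)

    def receive(self, src_mac: str) -> str:
        """Return what the port does with a frame from src_mac."""
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.dynamic.append(src_mac)                         # learned as a secure address
            if self.sticky:                                      # ... and written to running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        # address table is full and this source is not secure: a violation
        if self.violation == "protect":
            return "drop"                                        # silently dropped, nothing logged
        self.violation_count += 1
        self.log.append(f"PSECURE_VIOLATION: unexpected source {src_mac}")   # constructed message
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True                                 # shutdown mode
        return "err-disabled"

    def _reload_dynamic(self) -> None:
        self.dynamic = [line.split()[-1] for line in self.running_config] if self.sticky else []

    def restart(self) -> None:
        """Reload: dynamic addresses are forgotten, sticky ones come back from the saved config."""
        self._reload_dynamic()
        self.err_disabled = False

    def recover(self) -> None:
        """Operator enters shutdown / no shutdown on the interface."""
        self.err_disabled = False
        self._reload_dynamic()


def compare_modes() -> dict:
    """One port per mode, maximum 1: legitimate host, same host again, then a second host."""
    result = {}
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort(maximum=1, violation=mode)
        actions = [p.receive("aa:aa:aa:aa:aa:01"),
                   p.receive("aa:aa:aa:aa:aa:01"),
                   p.receive("bb:bb:bb:bb:bb:02")]
        result[mode] = (actions, p.violation_count, len(p.log))
    return result


if __name__ == "__main__":
    for mode, (actions, count, logged) in compare_modes().items():
        print(f"{mode:9s} {actions} violations={count} logged={logged}")
```

Note the operational cost of shutdown mode: once the port is error-disabled, the legitimate host is cut off too until someone intervenes, which is why restrict is often preferred on user-facing ports where a stray device is more likely than an attack.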
Disable Unused Ports
• A simple method many administrators use to help secure their network from unauthorized access is to disable all unused ports on a network switch.
• Navigate to each unused port and issue the shutdown command.
• An alternate way to shut down multiple ports is to use the interface range command.
• If a port needs to be activated, you can manually enter the no shutdown command on that interface.
• As an additional safeguard, assign unused ports to an unused "parking" VLAN, so that a port that is enabled by mistake does not land in a production VLAN.
Configure Management Interface

Management Interface Considerations
Virtual LANs (VLANs)

VLAN Introduction
• VLANs are a major benefit of layer 2 switching.
• By using VLANs, you can split a single switch into multiple broadcast domains.
• Using VLANs allows the separation of broadcast domains with much less hardware than is normally required.
• A layer 2 switch still cannot route packets between different VLANs. A router (or a layer 3 switch) is used to route packets between VLANs.

Benefits of VLANs
• The key benefit of VLANs is that they permit the network administrator to organize the LAN logically instead of physically.
• This means that an administrator is able to do all of the following:
  – Easily move workstations on the LAN.
  – Easily add workstations to the LAN.
  – Easily change the LAN configuration.
  – Easily control network traffic.
  – Improve security: hosts in different VLANs can only reach each other through the router, where traffic can be filtered with ACLs.
Broadcast Domains with VLANs and Routers

[Figure: three subnets, 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16]

Without VLANs:
• Each group (switch) is on a different IP network.
• Three switches and one router are needed in this example.
• Each switch treats all of its ports as members of one broadcast domain.
• The router routes packets among the three broadcast domains.

With VLANs (one link per VLAN, or a single VLAN trunk):
• One switch is configured with its ports assigned to the appropriate VLAN.
• The ports belonging to a particular VLAN share one broadcast domain.
• One switch and one router are enough in this example.
• The router routes packets between the VLANs.
VLAN Operation
• Each switch port can be assigned to a different VLAN.
• Ports assigned to the same VLAN share broadcasts.
• This improves network performance because unnecessary broadcasts are reduced.
• Static membership VLANs are called port-based or port-centric membership VLANs.
• As a device enters the network, it automatically assumes the VLAN membership of the port to which it is attached.
• The default VLAN for every port on the switch is VLAN 1, which is also the default management VLAN. VLAN 1 cannot be deleted, but the management VLAN can be moved to another VLAN (this deck uses VLAN 99 later); doing so, and keeping user ports off VLAN 1, is good practice.
• All ports on the switch may be reassigned to other VLANs.
VLAN Operation

[Figure: Switch 1 with six ports; port-to-VLAN assignment: ports 1, 3 and 6 in VLAN 1, ports 2, 4 and 5 in VLAN 2. Hosts 172.30.1.21/24 and 172.30.1.23/24 are on VLAN 1 ports; hosts 172.30.2.12/24 and 172.30.2.10/24 are on VLAN 2 ports; a fifth host, 172.30.99.1/24, is on a port in one of the same VLANs but on a different IP subnet.]

Two VLANs, two subnets, and one host on the right VLAN but the wrong subnet.
1. VLANs are assigned on the switch port.
2. In order for a host to be part of that VLAN, it must be assigned an IP address that belongs to the proper subnet. Even if a host is attached to a switch port in the right VLAN, if it does not have the right IP address it will not be able to communicate with other devices on that VLAN (including the default gateway) or with other VLANs.
Remember: VLAN = subnet.
Without VLANs – No Broadcast Control

[Figure: Switch 1 with no VLANs; hosts 172.30.1.21/24, 172.30.1.23/24, 172.30.2.12/24 and 172.30.2.10/24; an ARP request from one host reaches every port.]

No VLANs: the same as a single VLAN, with two IP subnets sharing it.
• Without VLANs, the ARP request is seen by all hosts, consuming unnecessary network bandwidth and host processing cycles.

With VLANs – Broadcast Control

[Figure: the same switch with ports 1, 3 and 6 in VLAN 1 and ports 2, 4 and 5 in VLAN 2; the ARP request is flooded only to the ports in the sender's VLAN.]

Two VLANs, two subnets.
Configuring VLANs and Trunks

Step 1: Configure a VLAN

Step 2: Assign a Switch Port

Step 2: Assigning a Range of Ports to VLANs

Ports F0/5 to F0/7 are placed in VLAN 2 and ports F0/8 to F0/12 in VLAN 3. With interface range the prompt changes to (config-if-range)# and each command applies to every port in the range:

SydneySwitch(config)#interface range fastethernet 0/5 - 7
SydneySwitch(config-if-range)#switchport access vlan 2
SydneySwitch(config-if-range)#exit
SydneySwitch(config)#interface range fastethernet 0/8 - 12
SydneySwitch(config-if-range)#switchport access vlan 3
SydneySwitch(config-if-range)#exit

Setting switchport mode access on these ports as well stops them from negotiating a trunk with whatever is plugged in.
Step 2: Verifying VLANs

show vlan brief lists VLAN 1 (named "default") together with the new VLANs 2 and 3 and the ports assigned to each.

Step 3: Verify VLANs and Port Memberships

Step 3: Manage Port Memberships

Step 3: Delete VLANs
• Use the global configuration command no vlan 20 to remove VLAN 20.
  – The show vlan brief command verifies that VLAN 20 is no longer in the vlan.dat file.
• Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode.
  – After the switch is reloaded, the previously configured VLANs will no longer be present.
  – This effectively places the switch at its "factory default" as far as the VLAN configuration is concerned.
• Note: before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN: they stay assigned to the now-nonexistent VLAN and show as inactive.
Step 4: Configure an 802.1Q Trunk
• The example configures port F0/1 on switch S1 as the trunk port. It reconfigures the native VLAN as VLAN 99 and adds VLANs 10, 20 and 30 as the allowed VLANs on port F0/1.
• The native VLAN must be the same at both ends of the trunk: untagged frames arriving on a trunk are placed in its native VLAN, so a mismatch silently moves traffic from one VLAN into another. Restricting the allowed list keeps VLANs that have no business on the link off it.

Step 5: Verify Trunk Configuration
In the output of show interfaces switchport for F0/1:
• The first highlighted area shows that port F0/1 is in trunking mode.
• The next highlighted area verifies that the native VLAN is VLAN 99, the management VLAN.
• The last highlighted area shows that the enabled trunking VLANs are VLANs 10, 20 and 30.

Step 5: Managing a Trunk Configuration

Common Problems with Trunks

VLAN Trunking Protocol (VTP)
Benefits of VTP (VLAN Trunking Protocol)
• VTP is a Cisco proprietary protocol that allows VLAN configuration to be consistently maintained across a common administrative domain.
• VTP minimizes the configuration inconsistencies that arise when changes are made.
• Additionally, VTP reduces the complexity of managing and monitoring VLAN networks, allowing changes on one switch to be propagated to other switches via VTP.
• On most Cisco switches, VTP is running and has certain defaults already configured (server mode, no domain name, no password).
• The flip side of automatic propagation: a switch in the same domain with a higher configuration revision number overwrites the VLAN database of every other switch, including one that was just moved in from another network. This is why a switch is reset before it is added to a domain (see "Adding a switch to an existing VTP domain" below) and why a VTP password should be set.
VLAN Trunking / Tagging
• VLAN tagging is used when a link needs to carry traffic for more than one VLAN.
• A frame received from an end station on an access port is untagged; the switch knows its VLAN from the port it arrived on.
• When such a frame is sent out a trunk, the switch inserts a VLAN identifier (tag) into the Ethernet header.
• The next switch or router then forwards the frame based on the VLAN identifier and the destination MAC address.
• When the frame finally leaves the switched network through an access port, that switch removes the VLAN ID and delivers the untagged frame to the attached device.
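The broadcast-control slides above and the tagging description here are two views of the same mechanism, so one added example (not from the slides and not Cisco code) covers both: a small VLAN-aware learning switch with four access ports and one 802.1Q trunk. It floods an ARP request only within the sender's VLAN, emits a tagged copy on the trunk, leaves native-VLAN traffic untagged, and delivers a tagged frame arriving on the trunk untagged to the right access ports. The port layout, MAC addresses and payloads are constructed for the example.

```python
"""VLAN-aware learning switch with access ports and an 802.1Q trunk (added example,
not from the original slides). Shows that a broadcast is flooded only within its VLAN,
that frames leaving a trunk carry a tag, and that the native VLAN goes out untagged."""
import struct

TPID_8021Q = 0x8100     # EtherType value that announces an 802.1Q tag


def tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte tag after the source MAC: TPID(2) + TCI(2) = PCP:3 DEI:1 VID:12."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag(frame: bytes) -> tuple:
    """Return (vid, frame with the tag removed), or (None, frame) if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class Switch:
    def __init__(self):
        self.ports = {}        # port -> config dict
        self.mac_table = {}    # (vlan, mac) -> port; MACs are learned per VLAN

    def access(self, port: int, vlan: int) -> None:
        self.ports[port] = {"mode": "access", "vlan": vlan}

    def trunk(self, port: int, native: int, allowed: set) -> None:
        self.ports[port] = {"mode": "trunk", "native": native, "allowed": set(allowed) | {native}}

    def _ingress(self, port: int, frame: bytes) -> tuple:
        """Classify a received frame into a VLAN: (vlan, untagged frame) or (None, None)."""
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            return cfg["vlan"], frame                         # VLAN comes from the port, not the frame
        vid, plain = untag(frame)
        vid = cfg["native"] if vid is None else vid             # untagged on a trunk = native VLAN
        return (vid, plain) if vid in cfg["allowed"] else (None, None)

    def _egress(self, port: int, vlan: int, frame: bytes):
        cfg = self.ports[port]
        if cfg["mode"] == "access":
            return frame if cfg["vlan"] == vlan else None       # access ports never emit tags
        if vlan not in cfg["allowed"]:
            return None                                         # pruned from this trunk
        return frame if vlan == cfg["native"] else tag(frame, vlan)

    def receive(self, in_port: int, frame: bytes) -> dict:
        """Process one frame; return {out_port: frame as transmitted on that port}."""
        vlan, plain = self._ingress(in_port, frame)
        if vlan is None:
            return {}
        dst, src = plain[:6], plain[6:12]
        self.mac_table[(vlan, src)] = in_port                   # learn the source
        known = self.mac_table.get((vlan, dst))
        if known == in_port:
            return {}                                           # destination sits on the ingress port
        targets = [known] if known is not None else [p for p in self.ports if p != in_port]
        out = {}
        for p in targets:                                       # unknown unicast / broadcast: flood within the VLAN
            sent = self._egress(p, vlan, plain)
            if sent is not None:
                out[p] = sent
        return out


def demo() -> dict:
    """Constructed topology: ports 1,3 in VLAN 1, ports 2,4 in VLAN 2, port 5 a trunk (native 99)."""
    sw = Switch()
    for port, vlan in ((1, 1), (2, 2), (3, 1), (4, 2)):
        sw.access(port, vlan)
    sw.trunk(5, native=99, allowed={1, 2})
    h1, h3 = bytes.fromhex("000000000001"), bytes.fromhex("000000000003")
    arp_req = b"\xff" * 6 + h1 + b"\x08\x06" + b"who-has 172.30.1.23"      # constructed ARP payload
    flooded = sw.receive(1, arp_req)                                         # broadcast from VLAN 1
    arp_rep = h1 + h3 + b"\x08\x06" + b"is-at 00:00:00:00:00:03"
    replied = sw.receive(3, arp_rep)                                         # unicast back to h1
    from_trunk = sw.receive(5, tag(b"\xff" * 6 + bytes.fromhex("000000000009") + b"\x08\x06" + b"x", 2))
    return {"flood_ports": sorted(flooded), "tag_on_trunk": untag(flooded[5])[0],
            "reply_ports": sorted(replied), "vlan2_from_trunk": sorted(from_trunk)}


if __name__ == "__main__":
    print(demo())
```

The ARP request from port 1 reaches only port 3 (the other VLAN 1 access port) and the trunk, where it carries VID 1; the VLAN 2 ports never see it. Once the switch has learned where host 1 is, the reply is a single unicast. A frame that arrives untagged on the trunk lands in VLAN 99, which has no access ports here, so it goes nowhere.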
VLAN Tagging
Two tagging methods exist: Cisco's ISL and the IEEE 802.1Q standard.
• 802.1Q is recommended by Cisco and is used with multi-vendor switches. ISL encapsulates the whole frame in a new header; 802.1Q inserts a 4-byte tag into the existing frame.
• Caution: some older Cisco switches will only do ISL, while some newer Cisco switches will only do 802.1Q.
• Many Cisco switches do not support ISL any more.

Configuring Trunking
Note: on switches that allow more than one trunking encapsulation (dot1q or isl), the switchport trunk encapsulation command must be entered BEFORE the switchport mode trunk command; while the encapsulation is still set to negotiate, the switch rejects the mode trunk command.
VTP Operation
VTP switches operate in one of three modes:
• Server: can create, modify and delete VLANs for the domain and advertises them to the other switches (the default mode).
• Client: cannot create, change or delete VLANs; it accepts advertisements from servers and forwards them.
• Transparent: does not take part in VTP; it keeps its own local VLAN database but still forwards VTP advertisements across its trunks.
VTP Configuration

VTP configuration in global configuration mode:

Switch#configure terminal
Switch(config)#vtp version 2
Switch(config)#vtp mode server
Switch(config)#vtp domain cisco
Switch(config)#vtp password mypassword

The domain name and password must match on every switch in the domain. A switch that does not know the password ignores the domain's advertisements, which keeps a stray or rogue switch from rewriting the VLAN database.
Verifying VTP

show vtp status shows the mode, domain name, configuration revision number and VTP version; show vtp password shows the configured password.

Adding a switch to an existing VTP domain
• Delete the VLAN database, erase the startup configuration, and power cycle the switch, so that its configuration revision number returns to 0 and it cannot overwrite the domain's VLAN database.
• From privileged mode, issue the delete vlan.dat and erase startup-config commands, then power cycle the switch.

Three types of VTP messages
• Summary advertisements: sent by servers every 5 minutes and whenever the VLAN database changes; carry the domain name and the configuration revision number.
• Subset advertisements: follow a change and carry the VLAN details.
• Advertisement requests: sent by a switch that needs the current VLAN information, for example after a reset or when it hears a higher revision number than its own.
Inter-VLAN Routing

Physical and logical interfaces
• "Router-on-a-stick" is a type of router configuration in which a single physical interface routes traffic between multiple VLANs on a network.
• The router interface is configured to operate as a trunk link and is connected to a switch port configured in trunk mode.
• Subinterfaces are multiple virtual interfaces associated with one physical interface.
  – Each subinterface is configured with the 802.1Q encapsulation for one VLAN and an IP address on that VLAN's subnet,  so that traffic is routed between the subinterfaces before the frames are VLAN tagged and sent back out the physical interface.

Dividing Physical Interfaces into Subinterfaces

Configuring Inter-VLAN Routing
Access Control Lists (ACLs)

What are ACLs?
• An ACL is a sequential list of permit or deny statements that apply to addresses or upper-layer protocols.
• These lists tell the router what types of packets to accept or deny.
• Acceptance and denial can be based on specified conditions.
• ACLs are applied on the router's interfaces.
• Routers provide basic traffic filtering capabilities, such as blocking Internet traffic, with access control lists.
• The router examines each packet to determine whether to forward or drop it, based on the conditions specified in the ACL.
• Some ACL decision points are:
  – IP source address
  – IP destination address
  – protocol (TCP, UDP, ICMP, ...)
  – upper-layer (TCP/UDP) port numbers
• ACLs must be defined on a:
  – per-protocol (IP, IPX, AppleTalk)
  – per-direction (in or out)
  – per-port (interface) basis.
• ACLs control traffic in one direction at a time on an interface.
• A separate ACL would need to be created for each direction, one for inbound and one for outbound traffic.

How ACLs work
• An ACL is a group of statements that define whether packets are accepted or rejected coming into an interface or leaving an interface.
• ACL statements are tested in sequential, logical order.
• If a condition matches, the packet is permitted or denied and the rest of the ACL statements are not checked.
• If none of the ACL statements match, an implicit "deny any" at the end of the list drops the packet. The implicit deny is not visible in the configuration, so an ACL made up only of deny statements blocks everything.
• A plain ACL is stateless: a permit for traffic in one direction says nothing about the return traffic, which needs its own statement or ACL in the other direction.
Two types of ACLs
• Standard IP ACLs (numbers 1–99 and 1300–1999)
  – Can only filter on source IP addresses
• Extended IP ACLs (numbers 100–199 and 2000–2699)
  – Can filter on:
    • Source IP address
    • Destination IP address
    • Protocol (TCP, UDP, ICMP, ...)
    • Port numbers (Telnet – 23, HTTP – 80, etc.)
    • and other parameters

Creating Standard ACLs – 2 Steps
Step 1 – Create the list with access-list statements in global configuration mode.
Step 2 – Apply it to an interface with ip access-group, in the right direction.
Example 1

[Topology used in all the ACL examples: RouterA, RouterB and RouterC in a row. RouterA e0 172.16.10.1/24 serves the Administration LAN (hosts 172.16.10.2 and 172.16.10.3); RouterB e0 172.16.30.1/24 serves the Sales LAN (hosts 172.16.30.2 and 172.16.30.3); RouterC e0 172.16.50.1/24 serves the Engineering LAN (hosts 172.16.50.2 and 172.16.50.3). RouterA s0 172.16.20.1 connects to RouterB s0 172.16.20.2; RouterB s1 172.16.40.1 connects to RouterC s0 172.16.40.2.]

• Task:
  – Permit only the host 172.16.30.2 to exit the Sales network.
  – Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.

Step 1 – Create the list. Step 2 – Apply it to an interface: inbound on RouterB's e0, the interface where Sales traffic enters the router.

RouterB(config)#access-list 10 permit 172.16.30.2
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in

The explicit "deny 0.0.0.0 255.255.255.255" repeats what the implicit deny already does; writing it out makes show access-lists count the denied packets.
Example 2

• Task:
  – Permit only the hosts 172.16.30.2, 172.16.30.3, 172.16.30.4 and 172.16.30.5 to exit the Sales network.
  – Deny all other hosts on the Sales network from leaving the 172.16.30.0/24 network.

Once a condition is met, all other statements are ignored, so the deny any only applies to packets that matched none of the permits:

RouterB(config)#access-list 10 permit 172.16.30.2
RouterB(config)#access-list 10 permit 172.16.30.3
RouterB(config)#access-list 10 permit 172.16.30.4
RouterB(config)#access-list 10 permit 172.16.30.5
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in

To remove an access list, use the no access-list command. Removing only the access-group from the interface leaves the access list in the configuration, no longer applied. Usually it is best to remove both, and to remove it from the interface first: an ip access-group that references a list which no longer exists permits all traffic. With numbered ACLs you cannot delete a single statement; no access-list 10 removes the whole list, so to change one line you must re-enter the list.

RouterB(config)# interface e 0
RouterB(config-if)# no ip access-group 10 in
RouterB(config-if)# exit
RouterB(config)#no access-list 10
Example 3

• Task:
  – Deny only the host 172.16.30.2 from exiting the Sales network.
  – Permit all other hosts on the Sales network to leave the 172.16.30.0/24 network.
• The keyword "any" can be used to represent all IP addresses.

Order matters! Does the implicit deny any ever get a match here? No, the permit any covers all other packets, so the trailing explicit deny below is never reached either.

RouterB(config)#access-list 10 deny 172.16.30.2
RouterB(config)#access-list 10 permit any
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in

What if the first two statements were reversed? Then all packets would be permitted, because every packet matches the first statement. Once a condition is met, all other statements are ignored, so the deny 172.16.30.2 and the implicit deny any would never be used. This would not do what we want:

RouterB(config)#access-list 10 permit any
RouterB(config)#access-list 10 deny 172.16.30.2
RouterB(config)#access-list 10 deny 0.0.0.0 255.255.255.255
RouterB(config)# interface e 0
RouterB(config-if)# ip access-group 10 in
Wildcard Masks

A wildcard mask:
• Tells how much of the packet's source IP address (or destination IP address) needs to match for this condition to be true.
• Is a 32-bit quantity that is divided into four octets.
• Is paired with an IP address.
• Uses the bits one and zero to identify how to treat the corresponding IP address bits.
• Has no functional relationship with subnet masks: they are used for different purposes and follow different rules.
• Is designed to filter individual or groups of IP addresses, permitting or denying access to resources based on the address.

Test condition: 172.16.0.0 0.0.255.255

  address        10101100.00010000.00000000.00000000   (172.16.0.0)
  wildcard mask  00000000.00000000.11111111.11111111   (0.0.255.255)
  -------------------------------------------------------
  matches        10101100.00010000.any value.any value  (172.16.x.x)

• Wildcard masking is used to identify how to treat the corresponding IP address bits:
  – 0 – "check the corresponding bit value."
  – 1 – "do not check (ignore) that corresponding bit value."
• A zero in a bit position of the access list mask indicates that the corresponding bit in the address must be checked and must match for the condition to be true.
• A one in a bit position of the access list mask indicates that the corresponding bit in the address does not need to match and can be ignored.
"any" keyword

RouterA(config)#access-list 11 deny 0.0.0.0 255.255.255.255

or

RouterA(config)#access-list 11 deny any

any = 0.0.0.0 255.255.255.255

Simply put, the any option substitutes 0.0.0.0 for the IP address and 255.255.255.255 for the wildcard mask.
• This option will match any address that it is compared against.

"host" option

RouterB(config)#access-list 10 permit 192.168.1.100 0.0.0.0

or

RouterB(config)#access-list 10 permit host 192.168.1.100

The wildcard 0.0.0.0 means every bit must match, so "172.16.10.100 0.0.0.0" can be written "host 172.16.10.100" and "192.168.1.100 0.0.0.0" as "host 192.168.1.100".

Relationship: Bitwise NOT of the Subnet Mask

To match the subnet 172.16.32.0 255.255.240.0:

RouterB(config)#access-list 10 permit 172.16.32.0 0.0.15.255

Subnet mask and wildcard mask add up to all ones in every octet:

  Subnet mask:     255 . 255 . 240 .   0
  Wildcard mask:  +  0 .   0 .  15 . 255
                  -----------------------
                   255 . 255 . 255 . 255

So the wildcard mask can be calculated by subtracting the subnet mask from 255.255.255.255:

                   255 . 255 . 255 . 255
  Subnet mask:    -255 . 255 . 240 .   0
                  -----------------------
  Wildcard mask:     0 .   0 .  15 . 255

This shortcut only holds for a contiguous subnet mask. A wildcard mask may also have non-contiguous bits (for example 172.16.0.0 0.0.254.255 matches only addresses with an even third octet), which no subnet mask can express.
Verifying Access Lists

show access-lists shows each statement with its match counters; show ip interface shows which ACL is applied to an interface and in which direction; show running-config shows both.

Inbound and Outbound Access Lists
• With inbound access lists, the IOS checks the packet before it is sent to the routing table process, so a packet denied inbound is never routed.
• With outbound access lists, the IOS checks the packet after it has been sent to the routing table process.
  – This is because the output interface is not known until the forwarding decision is made.
• Outbound access lists do not filter traffic that the router itself originates.
Extended Access Lists
• Extended ACLs match on source and destination address, protocol and, for TCP and UDP, port numbers given as a port number or a protocol name (for example eq 80 or eq www).
• If the operator and operand (for example eq 23) follow the source address, they refer to the source port.
• If the operator and operand follow the destination address, they refer to the destination port.

Extended Access Lists – Examples
• The ip access-group command links an existing extended ACL to an interface.
• Remember that only one ACL per interface, per direction, per protocol is allowed. The format of the command is:
  Router(config-if)#ip access-group access-list-number {in | out}
Example 1

(Same topology as in the standard ACL examples; the web server is 172.16.10.2 on the Administration network, listening on port 80.)

Task
• What if we wanted RouterA to permit only the Engineering workstation 172.16.50.2 to access the web server on the Administration network with the IP address 172.16.10.2 and port 80?
• All other traffic is denied.

RouterA(config)#access-list 110 permit tcp host 172.16.50.2 host 172.16.10.2 eq 80
RouterA(config)#interface e 0
RouterA(config-if)#ip access-group 110 out

Because the list is applied outbound on RouterA e0, it filters everything the router sends towards the Administration LAN, so the implicit deny also blocks ICMP, DNS and every other protocol from Sales and Engineering. The web server's replies travel in the other direction and are not affected by this list.

Example 2

Task
• What if we wanted RouterA to permit any workstation on the Sales network to access the web server on the Administration network with the IP address 172.16.10.2 and port 80?
• All other traffic is denied.

RouterA(config)#access-list 110 permit tcp 172.16.30.0 0.0.0.255 host 172.16.10.2 eq 80
RouterA(config)#interface e 0
RouterA(config-if)#ip access-group 110 out

• When configuring access list statements, use "?" to walk yourself through the command!
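The standard ACL examples (first match wins, the reversed Example 3, the implicit deny), the wildcard-mask and host/any pages, and the two extended examples above all rest on one matching rule. The following added example (not from the slides and not Cisco code) implements that rule in Python for the statement forms used on these slides: it evaluates the lists from Example 3 in both orders and the extended list from Example 2, and derives the wildcard for 255.255.240.0 by bitwise NOT. Only the eq operator is handled; gt, lt and range are left out.

```python
"""Cisco-style IP ACL matching: wildcard masks, first-match evaluation, the implicit deny,
standard and extended statements (added example, not from the original slides; syntax
coverage is limited to the forms used in the examples above)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_mask(mask: str) -> str:
    """Bitwise NOT of a (contiguous) subnet mask: 255.255.240.0 -> 0.0.15.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ to_int(mask)))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base address; a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ to_int(wildcard)
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Rule:
    action: str
    proto: str                     # "ip" matches every protocol (also used for standard ACLs)
    src: tuple
    dst: tuple
    sport: Optional[int]
    dport: Optional[int]


def _addr(tokens: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' (standard ACL shorthand for a host)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def _port(tokens: list) -> tuple:
    """Only 'eq <number>' is handled; other operators (gt, lt, range) are left out."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_rule(statement: str) -> Rule:
    """Parse the text after 'access-list N', e.g. 'permit tcp 172.16.30.0 0.0.0.255 host 172.16.10.2 eq 80'."""
    t = statement.split()
    action, t = t[0], t[1:]
    if t[0] in ("ip", "tcp", "udp", "icmp"):                    # extended ACL
        proto, t = t[0], t[1:]
        src, t = _addr(t)
        sport, t = _port(t)
        dst, t = _addr(t)
        dport, t = _port(t)
        return Rule(action, proto, src, dst, sport, dport)
    src, t = _addr(t)                                           # standard ACL: source only
    return Rule(action, "ip", src, ANY, None, None)


class ACL:
    def __init__(self, *statements: str):
        self.rules = [parse_rule(s) for s in statements]

    def check(self, src: str, dst: str = "0.0.0.0", proto: str = "ip",
              sport: int = 0, dport: int = 0) -> tuple:
        """First matching statement wins; a packet that matches nothing hits the implicit deny."""
        for n, r in enumerate(self.rules, 1):
            if r.proto != "ip" and r.proto != proto:
                continue
            if not (matches(src, *r.src) and matches(dst, *r.dst)):
                continue
            if r.sport is not None and r.sport != sport:
                continue
            if r.dport is not None and r.dport != dport:
                continue
            return r.action, n
        return "deny", "implicit"


def demo() -> dict:
    """The lists from standard Example 3 (both orders) and extended Example 2."""
    correct = ACL("deny 172.16.30.2", "permit any")
    reversed_order = ACL("permit any", "deny 172.16.30.2")
    web_only = ACL("permit tcp 172.16.30.0 0.0.0.255 host 172.16.10.2 eq 80")
    return {
        "host2_correct": correct.check("172.16.30.2"),            # ('deny', 1)
        "host3_correct": correct.check("172.16.30.3"),            # ('permit', 2)
        "host2_reversed": reversed_order.check("172.16.30.2"),    # ('permit', 1): order matters
        "sales_web": web_only.check("172.16.30.5", "172.16.10.2", "tcp", 40000, 80),
        "sales_ssh": web_only.check("172.16.30.5", "172.16.10.2", "tcp", 40000, 22),
        "eng_web": web_only.check("172.16.50.2", "172.16.10.2", "tcp", 40000, 80),
        "wildcard_for_255.255.240.0": wildcard_from_mask("255.255.240.0"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28s} {value}")
```

The returned tuple tells you which statement matched, which is the same information the match counters in show access-lists give you on the router; "implicit" means the packet fell off the end of the list. Running a proposed list against a handful of representative packets like this, before applying it, catches ordering mistakes such as the reversed Example 3.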
Named ACLs
• IP named ACLs were introduced in Cisco IOS Software Release 11.2.
• They allow standard and extended ACLs to be given names instead of numbers.
• The advantages that a named access list provides are:
  – Identify an ACL using an alphanumeric name.
  – Named ACLs provide the ability to modify ACLs without deleting and then reconfiguring them.
  – Note that in the releases this deck describes, a named access list allows the deletion of individual statements but only allows new statements to be appended at the end of the list. Later releases number every statement and let you insert a statement at any position by giving it a sequence number.
  – Even with named ACLs it is a good idea to use a text editor to create them and paste the whole list in at once.
• A named ACL is created with the ip access-list {standard | extended} name command.
• This places the user in ACL configuration mode, where each permit or deny statement is entered on its own line.
Placing ACLs

[Figure: source network 10.0.0.0/8, destination network 172.16.0.0/16, with routers between them.]

The general rule:
• Standard ACLs do not specify destination addresses, so they should be placed as close to the destination as possible; placed near the source, they would also block traffic that the source is allowed to send elsewhere.
• Put extended ACLs as close as possible to the source of the traffic being denied, so that unwanted traffic is dropped before it crosses the network.

Complex ACLs
• Dynamic (lock-and-key): entries for a user are created only after an authenticated Telnet login to the router.
• Reflexive: temporary entries that permit return traffic for sessions initiated from the inside, giving a stateless ACL a session-tracking behaviour.
• Time-based: entries that are active only during a configured time range.

Restricting Virtual Terminal Access
Dynamic Host Configuration Protocol (DHCP)

BOOTP and DHCP differences
There are two primary differences between DHCP and BOOTP:
• DHCP defines mechanisms through which clients can be assigned an IP address for a finite lease period.
  – This lease period allows for reassignment of the IP address to another client later, or for the client to get another assignment if the client moves to another subnet.
  – Clients may also renew leases and keep the same IP address.
• DHCP provides the mechanism for a client to gather other IP configuration parameters, such as the WINS server and the domain name.

Major DHCP Configuration Information

DHCP Operation
Configuring DHCP
• Note: the network statement inside a DHCP pool enables the DHCP server on any router interface whose address belongs to that network.
  – The router will act as a DHCP server on that interface.
  – It is also the pool of addresses that the DHCP server will use.
• The ip dhcp excluded-address command configures the router to exclude an individual address or range of addresses when assigning addresses to clients, typically the router's own address and any statically addressed servers. Exclusions are global, not per pool.
• Other IP configuration values such as the default gateway can be set from the DHCP configuration mode.
• The DHCP service is enabled by default on versions of Cisco IOS that support it. To disable the service, use the no service dhcp command.
• Use the service dhcp global configuration command to re-enable the DHCP server process.

DHCP Relay
• DHCP clients use IP broadcasts to find the DHCP server on the segment.
• What happens when the server and the client are not on the same segment and are separated by a router?
  – Routers do not forward these broadcasts.
• When possible, administrators should use the ip helper-address command to relay broadcast requests for these key UDP services.
Using Helper Addresses

Configuring IP helper addresses
To configure the RTA E0 interface, the interface that receives Host A's broadcasts, to relay DHCP broadcasts as unicasts to the DHCP server:

RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.9

The relay rewrites the destination to the helper address and fills in the giaddr field of the DHCP message with the address of the interface that received the broadcast, which is how the server chooses the right pool for the client.

Helper address configuration that relays the broadcasts to all servers on the 172.24.1.0/24 segment:

RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255

But will RTA forward the broadcast?

Directed Broadcast
• RTA interface e3, which connects to the server farm, is not configured with helper addresses. Also, on this interface, directed broadcast forwarding is disabled (the default since Cisco IOS 12.0).
• This means that the router will not convert the logical broadcast 172.24.1.255 into a physical broadcast with a Layer 2 address of FF-FF-FF-FF-FF-FF.
• To allow all the nodes in the server farm to receive the broadcasts at Layer 2, e3 would need to be configured to forward directed broadcasts with the following command:

RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255
RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast

• Caveat: directed-broadcast forwarding is off by default because a router that converts directed broadcasts lets anyone who can reach it hit every host on that segment with a single packet (the amplification behind smurf-style attacks). Prefer one ip helper-address per server; if directed broadcasts must be enabled, restrict them with the access-list argument of the ip directed-broadcast command.
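To show what the relay actually changes in the packet, the following added example (not from the slides and not Cisco code) builds the fixed BOOTP/DHCP header of a DISCOVER, applies the relay step a router performs for ip helper-address, and shows how a server picks the pool from giaddr. The helper 172.24.1.9 is from the slide; the relay interface address 10.1.1.1, the client MAC and the server pools are assumptions for the example.

```python
"""What an ip helper-address does to a DHCP DISCOVER (added example, not from the original
slides). Only the fixed 236-byte BOOTP header of RFC 2131 is modelled; options are omitted.
The router interface address 10.1.1.1 and the pools are assumptions for the example;
172.24.1.9 is the helper address from the slide."""
import struct
from ipaddress import IPv4Address, IPv4Network

DHCP_SERVER_PORT = 67
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"


def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Client DISCOVER as broadcast on its own segment: hops 0, giaddr 0.0.0.0, broadcast flag set."""
    zero4 = b"\x00" * 4
    return struct.pack(BOOTP_FIXED, 1, 1, 6, 0, xid, 0, 0x8000,
                       zero4, zero4, zero4, zero4,
                       client_mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)


def giaddr_of(packet: bytes) -> IPv4Address:
    return IPv4Address(packet[24:28])


def relay(packet: bytes, inbound_if_ip: str, helper: str) -> dict:
    """Router with 'ip helper-address <helper>' on the interface that received the broadcast:
    bump hops, record the receiving interface in giaddr (unless an earlier relay already did),
    and send the message as a unicast UDP/67 datagram to the helper."""
    hops = packet[3] + 1
    giaddr = giaddr_of(packet)
    if int(giaddr) == 0:
        giaddr = IPv4Address(inbound_if_ip)
    forwarded = packet[:3] + bytes([hops]) + packet[4:24] + giaddr.packed + packet[28:]
    return {"src_ip": inbound_if_ip, "dst_ip": helper, "dst_port": DHCP_SERVER_PORT,
            "payload": forwarded}


def choose_pool(packet: bytes, pools: list, receiving_if_ip: str):
    """Server side: the pool is selected from giaddr when the message was relayed, otherwise
    from the network of the interface the broadcast arrived on (the 'network' statement)."""
    key = giaddr_of(packet) if int(giaddr_of(packet)) else IPv4Address(receiving_if_ip)
    for pool in pools:
        if key in pool:
            return pool
    return None


POOLS = [IPv4Network("172.24.1.0/24"), IPv4Network("10.1.1.0/24")]     # constructed server pools


def demo() -> dict:
    discover = build_discover(bytes.fromhex("0800270a1b2c"))            # constructed client MAC
    out = relay(discover, inbound_if_ip="10.1.1.1", helper="172.24.1.9")
    relayed_pool = choose_pool(out["payload"], POOLS, receiving_if_ip="172.24.1.9")
    local_pool = choose_pool(discover, POOLS, receiving_if_ip="172.24.1.9")   # client on the server's own LAN
    return {"unicast_to": out["dst_ip"], "hops": out["payload"][3],
            "giaddr": str(giaddr_of(out["payload"])),
            "pool_for_relayed": str(relayed_pool), "pool_for_local": str(local_pool)}


if __name__ == "__main__":
    print(demo())
```

The relayed message reaches the server as a routed unicast, so no directed broadcast is needed; giaddr carries the client's subnet, which is why the server's network statement for 10.1.1.0/24 is selected even though the packet arrived on the 172.24.1.0/24 interface.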
Network Address Translation (NAT)

Port Address Translation (PAT)

112
Private Addressing

• 172.16.0.0 – 172.31.255.255: 172.16.0.0/12


– Where does the /12 come from?
12 bits in common
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0
10101100 . 00011111 . 11111111 . 11111111 – 172.16.255.255
-------------------------------------------------------------
10101100 . 00010000 . 00000000 . 00000000 – 172.16.0.0/12

113
Introducing
NAT and PAT

• NAT is designed to conserve IP addresses and to let networks use private IP
addresses internally. These private, inside addresses are translated to routable,
public addresses at the border router.
• NAT, as originally defined in RFC 1631 (since replaced by RFC 3022), is the process
of swapping one address for another in the IP packet header; the basic form is a
one-to-one mapping.
• In practice, NAT is used to allow privately addressed hosts to access the Internet.
• NAT translations can be created dynamically or statically.
• The most widely used feature of NAT routers is Port Address Translation (PAT), which
lets many inside addresses share the same global address: a many-to-one mapping.
• Note: because inside hosts are not directly reachable from outside, NAT is often
treated as a security control. It is an address-conservation mechanism. Dynamic and
PAT entries exist only for traffic initiated from inside, while a static mapping
exposes the inside host permanently, so filtering policy should be stated explicitly
with access lists or a firewall rather than relied on as a side effect of translation.

NAT Example

• Inside local address – The IP address assigned to a host on the inside network
(usually a private, RFC 1918 address).
• Inside global address – A legitimate (Internet-routable, public) IP address,
usually assigned by the service provider, that represents the inside host to the
outside world.
• Outside global address – The IP address assigned to a host on the outside network.
The owner of that host assigns this address.
NAT Example
                     Packet 1 (inside)      Packet 2 (outside)
IP header  DA        128.23.2.2             128.23.2.2
           SA        10.0.0.3               179.9.8.80
           Data      ....                   ....

• Outbound: the private source IP address (inside local) is translated to the
public source IP address (inside global).
NAT Example
                     Packet 3 (outside)     Packet 4 (inside)
IP header  DA        179.9.8.80             10.0.0.3
           SA        128.23.2.2             128.23.2.2
           Data      ....                   ....

• Inbound: the translation is reversed, from the public destination IP address
(inside global) back to the private destination IP address (inside local).
PAT – Port Address Translation

• With PAT, multiple private IP addresses can be translated to a single public
address (many-to-one translation). This removes the limitation of basic NAT, which
is one-to-one.
• PAT rewrites the TCP/UDP source port together with the source address, and uses the
translated port to tell the inside hosts' connections apart.
• The translation table records SA, DA, SP and DP (and the protocol) for each stream,
so that together they uniquely identify each connection and return traffic can be
mapped back to the right inside host and port.

PAT Example

NAT/PAT table maintains translation of: DA, SA, SP

Outbound, host 10.0.0.3:
                        Packet 1 (inside)     Packet 2 (outside)
IP header     DA        128.23.2.2            128.23.2.2
              SA        10.0.0.3              179.9.8.80
TCP/UDP hdr   DP        80                    80
              SP        1331                  3333
              Data      ....                  ....

Outbound, host 10.0.0.2:
                        Inside                Outside
IP header     DA        128.23.2.2            128.23.2.2
              SA        10.0.0.2              179.9.8.80
TCP/UDP hdr   DP        80                    80
              SP        1555                  2222
              Data      ....                  ....
PAT Example

NAT/PAT table maintains translation of: SA (was DA), DA (was SA), DP (was SP)

Return traffic to host 10.0.0.3:
                        Packet 3 (outside)    Packet 4 (inside)
IP header     DA        179.9.8.80            10.0.0.3
              SA        128.23.2.2            128.23.2.2
TCP/UDP hdr   DP        3333                  1331
              SP        80                    80
              Data      ....                  ....

Return traffic to host 10.0.0.2:
                        Outside               Inside
IP header     DA        179.9.8.80            10.0.0.2
              SA        128.23.2.2            128.23.2.2
TCP/UDP hdr   DP        2222                  1555
              SP        80                    80
              Data      ....                  ....
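The PAT table from the description and the two example slides, as an added Python simulation (not from the deck and not IOS code). It translates the outbound packets of 10.0.0.3 and 10.0.0.2 onto the single global address 179.9.8.80, maps the return packets back, and shows the two cases the slides do not: two inside hosts choosing the same source port, and an unsolicited packet from outside that has no table entry. The simulation keeps the inside host's port when it is free on the global address (IOS does the same); the slides' 3333 and 2222 are arbitrary picks.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    sa: str
    da: str
    sp: int
    dp: int


class PatTable:
    """Many-to-one translation as the slides describe it.

    Each inside (address, port) that opens a connection is mapped to the single
    inside-global address plus a port that is unique per protocol on that address;
    the reverse map turns return traffic back into the inside host's tuple.
    """

    def __init__(self, inside_global: str, port_pool=range(1024, 65536)):
        self.inside_global = inside_global
        self.port_pool = port_pool
        # (proto, inside SA, inside SP, DA, DP) -> global SP
        self.outbound_map: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, global SP) -> (inside SA, inside SP, DA, DP)
        self.inbound_map: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def _allocate_port(self, proto: str, wanted: int) -> int:
        # Keep the host's own source port while it is free on the global address;
        # on a collision take the next unused port from the pool.
        if (proto, wanted) not in self.inbound_map:
            return wanted
        for candidate in self.port_pool:
            if (proto, candidate) not in self.inbound_map:
                return candidate
        raise RuntimeError("PAT port pool exhausted for " + self.inside_global)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite SA and SP, creating the table entry on first sight."""
        key = (pkt.proto, pkt.sa, pkt.sp, pkt.da, pkt.dp)
        global_port = self.outbound_map.get(key)
        if global_port is None:
            global_port = self._allocate_port(pkt.proto, pkt.sp)
            self.outbound_map[key] = global_port
            self.inbound_map[(pkt.proto, global_port)] = (pkt.sa, pkt.sp, pkt.da, pkt.dp)
        return replace(pkt, sa=self.inside_global, sp=global_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: rewrite DA and DP from the table; no entry means drop.

        The entry is matched on the full tuple, so a packet from a different outside
        host or port than the one the inside host talked to is dropped as well.
        """
        if pkt.da != self.inside_global:
            return None
        entry = self.inbound_map.get((pkt.proto, pkt.dp))
        if entry is None:
            return None
        inside_sa, inside_sp, outside_da, outside_dp = entry
        if (pkt.sa, pkt.sp) != (outside_da, outside_dp):
            return None
        return replace(pkt, da=inside_sa, dp=inside_sp)


if __name__ == "__main__":
    pat = PatTable("179.9.8.80")
    out3 = pat.outbound(Packet("tcp", "10.0.0.3", "128.23.2.2", 1331, 80))
    out2 = pat.outbound(Packet("tcp", "10.0.0.2", "128.23.2.2", 1555, 80))
    print(out3, out2)
    print(pat.inbound(Packet("tcp", "128.23.2.2", "179.9.8.80", 80, out3.sp)))
    print(pat.inbound(Packet("tcp", "128.23.2.2", "179.9.8.80", 80, 4444)))  # None: dropped
```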
Configuring Static NAT

Configuring Dynamic NAT

Figure: annotated dynamic NAT configuration with the callouts "Translate to these
outside addresses" (the ip nat pool), "Start here" (the ip nat inside source
statement) and "Source IP address must match here" (the access list).
Configure PAT – Overload
• In this example a single public IP address is used; PAT uses the translated source
ports to differentiate between connection streams.
Configure PAT – Overload

This is a different example: instead of specifying a public IP address explicitly,
PAT uses the IP address of the outside interface (the interface keyword).
Verifying NAT/PAT

DHCP-NAT-PAT: Topology

DHCP-NAT-PAT: Address Table

DHCP-NAT-PAT: Configuration
Perform Basic Router Configurations

Configure the R1, R2, and ISP routers according to the following guidelines:

• Configure the device hostname.
• Disable DNS lookup.
• Configure a privileged EXEC mode password.
• Configure a message-of-the-day banner.
• Configure a password for the console connections.
• Configure a password for all vty connections.
• Configure IP addresses on all routers. The PCs receive IP addressing from DHCP
later in the lab.
• Enable OSPF with process ID 1 on R1 and R2. Do not advertise the
209.165.200.224/27 network.
DHCP-NAT-PAT: Configuration
Configure PC1 and PC2 to receive an IP address through DHCP

• On a Windows PC go to Start -> Control Panel -> Network Connections -> Local Area
Connection. Right-click Local Area Connection and select Properties.
• Scroll down and highlight Internet Protocol (TCP/IP). Click the Properties button.
• Make sure the radio button "Obtain an IP address automatically" is selected.
DHCP-NAT-PAT: Configuration
Enable OSPF with process ID 1 on R1 and R2. Do not advertise the
209.165.200.224/27 network.

R1(config)#router ospf 1
R1(config-router)#network 10.1.1.0 0.0.0.3 area 0
R1(config-router)#network 192.168.10.0 0.0.0.255 area 0
R1(config-router)#network 192.168.11.0 0.0.0.255 area 0

R2(config)#router ospf 1
R2(config-router)#network 10.1.1.0 0.0.0.3 area 0
R2(config-router)#network 192.168.20.0 0.0.0.255 area 0
DHCP-NAT-PAT: Configuration
Configure a Cisco IOS DHCP Server on R2

Exclude statically assigned addresses

R2(config)#ip dhcp excluded-address 192.168.10.1 192.168.10.10
R2(config)#ip dhcp excluded-address 192.168.11.1 192.168.11.10

Configure the pools

R2(config)#ip dhcp pool R1Fa0/0
R2(dhcp-config)#network 192.168.10.0 255.255.255.0
R2(dhcp-config)#dns-server 192.168.11.5
R2(dhcp-config)#default-router 192.168.10.1

R2(config)#ip dhcp pool R1Fa0/1
R2(dhcp-config)#network 192.168.11.0 255.255.255.0
R2(dhcp-config)#dns-server 192.168.11.5
R2(dhcp-config)#default-router 192.168.11.1

Test DHCP
On PC1 and PC2, check whether each has received an IP address automatically: on
each PC go to Start -> Run -> cmd -> ipconfig. At this point the PCs sit on R1's
LANs while the DHCP server is on R2, so their broadcast DHCPDISCOVER does not reach
R2 until helper addresses are configured on R1's LAN interfaces.
DHCP-NAT-PAT: Configuration
Configure a helper address

R1(config)#interface fa0/0
R1(config-if)#ip helper-address 10.1.1.2

R1(config)#interface fa0/1
R1(config-if)#ip helper-address 10.1.1.2

Test DHCP
On PC1 and PC2 test whether each has received an IP address automatically. On
each PC go to Start -> Run -> cmd -> ipconfig

Verify the DHCP configuration

R2#show ip dhcp binding

DHCP-NAT-PAT: Configuration

Configure Static Route on ISP Router


ISP(config)#ip route 209.165.200.240 255.255.255.240 serial 0/0/1

Configure Default Route on R2 Router

R2(config)#ip route 0.0.0.0 0.0.0.0 209.165.200.226

R2(config)#router ospf 1
R2(config-router)#default-information originate

DHCP-NAT-PAT: Configuration
Configure Dynamic NAT with a Pool of Addresses

Define a pool of global addresses


R2(config)#ip nat pool MY-NAT-POOL 209.165.200.241 209.165.200.246 netmask
255.255.255.248

Create an ACL to identify which inside addresses are translated


R2(config)#ip access-list extended NAT
R2(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
R2(config-ext-nacl)#permit ip 192.168.11.0 0.0.0.255 any

Establish dynamic source translation by binding the pool with the ACL
R2(config)#ip nat inside source list NAT pool MY-NAT-POOL

Specify inside and outside NAT interfaces


R2(config)#interface serial 0/0/0
R2(config-if)#ip nat inside
R2(config)#interface serial 0/0/1
R2(config-if)#ip nat outside

R2#show ip nat translations


R2#show ip nat statistics

DHCP-NAT-PAT: Configuration
Test Dynamic NAT with a Pool of Addresses

PC1>ping <PC2 IP address>
PC1>ping 192.168.20.254
PC1>ping 209.165.200.226

PC2>ping <PC1 IP address>
PC2>ping 192.168.20.254
PC2>ping 209.165.200.226

While the pings run, R2#show ip nat translations shows one pool address per inside
host. The pool holds six addresses (209.165.200.241 to .246), so a seventh
simultaneous inside host would fail to translate until an entry times out; this is
the limitation that overload (PAT) removes later in the lab.
DHCP-NAT-PAT: Configuration
Configure Static NAT

Statically map a public IP address to a private IP address


R2(config)#ip nat inside source static 192.168.20.254 209.165.200.254

Specify inside and outside NAT interfaces


R2(config)#interface serial 0/0/1
R2(config-if)#ip nat outside
R2(config-if)#interface fa0/0
R2(config-if)#ip nat inside

Verify the static NAT configuration


From ISP, ping the public IP address 209.165.200.254

DHCP-NAT-PAT: Configuration
Configure NAT Overload

Remove the NAT pool and mapping statement


R2(config)#no ip nat inside source list NAT pool MY-NAT-POOL
R2(config)#no ip nat pool MY-NAT-POOL 209.165.200.241 209.165.200.246
netmask 255.255.255.248

Configure PAT on R2 using the serial 0/0/1 interface public IP address


R2(config)#ip nat inside source list NAT interface S0/0/1 overload

Verify the configuration


R2#show ip nat translations

Note: In the previous task, you could instead have appended the keyword overload to
the ip nat inside source list NAT pool MY-NAT-POOL command, so that the pool
addresses are shared with PAT rather than handed out one per inside host.
Point to Point Protocol (PPP)

Point-to-Point Protocol (PPP)

• One of the most common protocols for point-to-point access
• Millions of Internet users who need to connect to an ISP use PPP
• The majority of these users have traditional modems
PPP Phases

1. Link establishment - (LCPs)

2. Authentication - Optional (LCPs)

3. Link quality determination - Optional (LCPs)

4. Network layer protocol configuration (NCPs)

5. Link termination (LCPs)

PPP layered architecture

PPP contains two sub-protocols:
– Link Control Protocol (LCP)
• LCP sits on top of the physical layer and is used to establish, configure, and
test the data-link connection.
– Network Control Protocol (NCP)
• NCPs encapsulate and negotiate options for multiple network layer protocols.
Link-establishment phase

• In this phase each PPP device sends LCP frames to establish the link.
• LCP frames contain a configuration option field that allows devices to negotiate
the use of options such as the maximum receive unit (MRU, the largest frame the peer
will accept), compression, and the link-authentication protocol.
• Before any network layer packets can be exchanged, LCP must first open the
connection and negotiate the configuration parameters.
• This phase is complete when a configuration request frame has been sent and a
configuration acknowledgement frame has been received.
LCP Packet

Authentication Phase (Optional)

• After the link has been established and the authentication protocol decided on,
the peer may be authenticated.
• Authentication, if used, takes place before the network layer protocol phase is
entered.
• As part of this phase, LCP also allows for an optional link-quality determination
test.
– The link is tested to determine whether its quality is good enough to bring up
the network layer protocols.
PPP Authentication Protocols

• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
• After the PPP link establishment phase is complete, a username/password pair is
repeatedly sent by the remote node across the link until authentication is
acknowledged or the connection is terminated.
• PAP is not a strong authentication protocol.
• Passwords are sent across the link in clear text, so anyone who can capture the
link traffic reads them directly, and there is no protection against playback
(replay) or repeated trial-and-error attacks.
• The remote node is in control of the frequency and timing of the login attempts.
PAP Packets

Challenge Handshake Authentication Protocol (CHAP)
• After the PPP link establishment phase is complete, the local router sends a
"challenge" message (a random value plus an identifier) to the remote node.
• The remote node responds with a value calculated using a one-way hash function,
which for standard CHAP (RFC 1994) is MD5.
• This response is computed over the identifier, the shared password and the
challenge, so the password itself never crosses the link.
• The local router checks the response against its own calculation of the expected
hash value.
• If the values match, the authentication is acknowledged; otherwise the connection
is immediately terminated.
• Because the challenge is random and differs every time, a captured response cannot
be replayed. CHAP does not, however, protect a weak password: an attacker who
captures one challenge/response pair can test candidate passwords offline, and only
the challenged side is authenticated unless both routers are configured to challenge.
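The CHAP exchange described above, with the PAP contrast from the earlier slide, as an added Python example (not from the deck and not Cisco code). The response is computed exactly as RFC 1994 specifies, MD5 over identifier, secret and challenge; the authenticator consumes each challenge once so a replayed response fails, and the last function shows the offline dictionary attack that CHAP does not prevent. The peer name R2 and the secret cisco are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The 'local router' side: issues challenges and checks responses."""

    def __init__(self, secrets: Dict[bytes, bytes]):
        self.secrets = secrets  # peer hostname -> shared secret
        self.next_id = 0
        self.outstanding: Dict[int, bytes] = {}  # identifier -> challenge awaiting a response

    def challenge(self, size: int = 16) -> Tuple[int, bytes]:
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(size)  # fresh random value on every challenge
        self.outstanding[self.next_id] = value
        return self.next_id, value

    def verify(self, identifier: int, peer_name: bytes, response: bytes) -> bool:
        # pop(): a challenge can be answered once, so a replayed response fails
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(peer_name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """RFC 1334 PAP Authenticate-Request payload: the password is literally on the wire."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  candidates: Iterable[bytes]) -> Optional[bytes]:
    """What CHAP does not protect against: one captured exchange lets an attacker
    test password guesses offline, with no rate limiting by the router."""
    for guess in candidates:
        if hmac.compare_digest(chap_response(identifier, guess, challenge), response):
            return guess
    return None


if __name__ == "__main__":
    local = ChapAuthenticator({b"R2": b"cisco"})      # constructed sample peer and secret
    ident, chal = local.challenge()                   # local router -> remote node
    resp = chap_response(ident, b"cisco", chal)       # remote node -> local router
    print("first response accepted:", local.verify(ident, b"R2", resp))
    print("replayed response accepted:", local.verify(ident, b"R2", resp))
    print("PAP payload:", pap_authenticate_request(b"R2", b"cisco"))
    print("offline guess:", offline_guess(ident, chal, resp, [b"admin", b"class", b"cisco"]))
```

On the routers the same exchange is what `debug ppp authentication` shows as CHALLENGE, RESPONSE and SUCCESS/FAILURE; the offline_guess function is why the shared secret should be long and random even though it never appears on the link.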
CHAP Packets

Network Layer Protocol Phase

• In this phase the PPP devices send NCP packets to choose and configure one or
more network layer protocols, such as IP (through IPCP).
• Once each of the chosen network layer protocols has been configured, packets from
each network layer protocol can be sent over the link.
• If LCP closes the link, it informs the network layer protocols so that they can
take appropriate action.
• The show interfaces command reveals the LCP and NCP states on an interface
configured for PPP encapsulation.
• The PPP link remains configured for communications until LCP or NCP frames close
the link, an inactivity timer expires, or a user intervenes.
IPCP Packet

PPP Phases: An Example

