INDUSTRIAL TRAINING REPORT

Submitted in partial fulfillment of the Requirements for the award of the degree

Of

Bachelor of Technology
In COMPUTER SCIENCE ENGINEERING

IBRAHIM ZARGAR

Acknowledgement
This project was one of the most productive and knowledgeable experiences in my engineering career. I have learned so many new things during this project, like how to work in a group, leadership, how to use different skills and knowledge, group discussion, etc. It provided me a golden opportunity to improve my basic skills and practical aspects, which is the primary requirement of today's companies and organizations. It gives me immense pleasure to thank those people who have contributed directly or indirectly during the completion of this project. I would like to express my gratitude to MR. ASHUTOSH Sir for his cooperation at all times in guiding this project into its final shape. Last but not least, I wish to thank our College Principal and H.O.D. Sir for encouraging me to complete this project.

(SUMIT CHANDEL)

CERTIFICATE

This is to certify that the project report entitled NETWORK SYSTEM, submitted by SUMIT CHANDEL in partial fulfillment of the requirements of the course of NETWORKING AND TECHNOLOGY in INFORMATION TECHNOLOGY, embodies the work done by him under my guidance.

Project Incharge & Guide:

Mr. ASHUTOSH SHARMA (PROJECT ASSISTANT) DIT-SHIMLA

INDEX
Sr. No.  Topic                                                              Page
1        Training Organization Detail                                       05 - 05
2        Introduction to Computer Networking Principles; Building Blocks:
         The Basic Components of a Network                                  06 - 18
3        OSI Model                                                          19 - 21
4        TCP/IP                                                             22 - 25
5        Cisco IOS                                                          26 - 30
6        Routing Table                                                      31 - 32
7        STP                                                                33 - 34
8        TCP/IP                                                             35 - 36
9        VLAN                                                               37 - 38
10       Access-Lists                                                       39 - 40
11       Network Address Translation                                        41 - 44
12       Bibliography                                                       45 - 45

CHAPTER-1
TRAINING ORGANISATION DETAIL
The Department of Information Technology (DIT) is the state-level organization that provides all the software needs of the state of Himachal Pradesh. It is a national-level government organization that provides training to young individuals in the field of Information Technology and Computer Science. The entire software maintenance and development task is done by this very organization. DIT is a dynamic, growing institution, focused on the development of cutting-edge solutions in the following domains:

- Health Informatics
- Multilingual Technologies
- Software Technologies
- Cyber Forensics and Security
- Multimedia Technologies

The organization reflects the tangible need for flexibility in the software market. It has various plans to implement and to share with trainees, who are put to work on some of the live projects of the state, so the training an individual receives at DIT is comprehensive. The National Informatics Centre (NIC) is the major player in the spread of IT in the State and Districts; the IT requirements at the District level are fulfilled by the District Informatics Centres of NIC established in each District.

CHAPTER- 2
Computer Network
A computer network is an interconnection of various computer systems located at different places. In a computer network, two or more computers are linked together with a medium and data communication devices for the purpose of communicating data and sharing resources. The computer that provides resources to other computers on a network is known as a server. In the network, the individual computers which access shared network resources are known as nodes.

Types of Networks:
There are many different types of networks. However, from an end user's point of view there are two basic types:

- Local-Area Networks (LANs): the computers are geographically close together (that is, in the same building).
- Wide-Area Networks (WANs): the computers are farther apart and are connected by telephone lines or radio waves.

In addition to these types, the following characteristics are also used to categorize different types of networks.

Other Definitions:

Topology
The geometric arrangement of the computer systems is termed the topology. Common topologies include bus, star, and ring.

Protocol
The protocol defines a common set of rules and signals that computers on the network use to communicate. One of the most popular protocols for LANs is called Ethernet. Another popular LAN protocol for PCs is the IBM token-ring network.

Architecture

Networks can be broadly classified as using either peer-to-peer or client/server architecture. Computers on a network are sometimes called nodes. Computers and devices that allocate resources for a network are called servers.

LANs
A LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected to other LANs over any distance via telephone lines and radio waves. A system of LANs connected in this way is called a wide-area network (WAN). Most LANs, as shown in the figure, connect workstations and personal computers. Each node (individual computer) in a LAN has its own CPU with which it executes programs, but it is also able to access data and devices anywhere on the LAN. This means that many users can share expensive devices, such as laser printers, as well as data. Users can also use the LAN to communicate with each other, by sending e-mail or engaging in chat sessions. There are many different types of LANs; token-ring networks, Ethernets, and ARCnets are the most common for PCs.

[Figure: A Typical LAN]

LANs are capable of transmitting data at very fast rates, much faster than data can be transmitted over a telephone line; but the distances are limited, and there is also a limit on the number of computers that can be attached to a single LAN.

WANs
A WAN is a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local-area networks (LANs). Computers connected to a wide-area network are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites. The largest WAN in existence is the Internet.

[Figure: WAN connection between DTE and DCE]

WANs connect users and LANs spread between various sites, whether in the same city, across the country, or around the world. Remote access refers to a simple connection, usually dialled up over telephone lines as needed, between an individual user or very small branch office and a central network. Your campus gains access to the Internet through some type of remote connection. A single user can use a modem to dial up an Internet service provider (ISP). Multiple users within a campus might choose to rely on a router to connect to the ISP, who then connects the campus to the Internet. In general, LAN speeds are much greater than WAN and remote access speeds. For example, a single shared-Ethernet connection runs at 10 Mbps (mega means million). Today's fastest analogue modem runs at 56 kilobits per second (Kbps) (kilo means thousand), less than one percent of the speed of an Ethernet link. Even the more expensive, dedicated WAN services such as T1 lines don't compare (with a bandwidth of 1.5 Mbps, a T1 line has only 15 percent of the capacity of a single Ethernet link). For this reason, proper network design aims to keep most traffic local, that is, contained within one site, rather than allowing that traffic

Network Topologies

As we have seen earlier, topology is the geometric arrangement of the computers in a network. Common topologies include star, ring and bus.

Star Network
The star network, as shown in Fig 5.6, is frequently used to connect one or more small computers or peripheral devices to a large host computer or CPU. Many organizations use the star network or a variation of it in a time-sharing system, in which several users are able to share a central processor.

In a time-sharing setup, each terminal receives a fixed amount of the CPU's time, called a time slice. If you are sitting at a terminal and cannot complete your task during the time slice, the computer will come back to you to allow you to do so. Actually, because the CPU operates so much faster than terminals, you will probably not even notice that the CPU is away. By establishing time-sharing, many people in a large organization can use a centralized computing facility. Time-sharing can also be purchased from an outside service, which is an economical way to operate for a small company that cannot afford its own large computer.

The star network is frequently used in a LAN to connect several microcomputers to a central unit that works as a communications controller. If the user of one microcomputer wants to send a document or message to a user at another computer, the message is routed through the central communications controller. Another common use of the star network is connecting several microcomputers to a mainframe computer that allows access to an organization's database. Access and control of a star network is typically maintained by a polling system. Polling means that the central computer or communications controller "polls", or asks, each device in the network whether it has a message to send and then allows each in turn to transmit data.

Ring Network
The ring network is a Local Area Network (LAN) whose topology is a ring; it can be as simple as a circle or point-to-point connections of computers at dispersed locations, with no central host computer or communications controller. That is, all of the nodes are connected in a closed loop. Messages travel around the ring, with each node reading those messages addressed to it. One of the advantages of ring networks is that they can span larger distances than other types of networks, such as bus networks, because each node regenerates messages as they pass through it.

Access and control of ring networks are typically maintained by a "token-passing" system. IBM's Token-Ring network is thought by some observers to be a watershed event comparable to the development of the IBM PC itself, because the Token-Ring network is designed to link all types of computers together, including not only personal computers but also possibly minicomputers and mainframes.

Bus Network
Bus networks are similar to ring networks except that the ends are not connected. All communications are carried on a common cable or bus and are available to each device on the network.

Access and control of bus networks are typically maintained by a method called contention, whereby if a line is unused, a terminal or device can transmit its message at will, but if two or more terminals initiate messages simultaneously, they must stop and transmit again at different intervals.

Network Architecture
The term architecture can refer to either hardware or software, or a combination of hardware and software. The architecture of a system always defines its broad outlines, and may define precise mechanisms as well. An open architecture allows the system to be connected easily to devices and programs made by other manufacturers. Open architectures use off-the-shelf components and conform to approved standards. A system with a closed architecture, on the other hand, is one whose design is proprietary, making it difficult to connect the system to other systems. As we have seen before, network architectures can be broadly classified as using either peer-to-peer or client/server architecture.

Peer-to-peer Architecture
This is a type of network in which each workstation has equivalent capabilities and responsibilities. This differs from client/server architecture, in which some workstations are dedicated to serving the others. Peer-to-peer networks are generally simpler and less expensive, but they usually do not offer the same performance under heavy loads.

Client/Server Architecture
This is a network architecture in which each computer or process on the network is either a client or a server. Servers are powerful computers or processors dedicated to managing disk drives (file servers), printers (print servers), or network traffic (network servers). Clients are less powerful PCs or workstations on which users run applications. Clients rely on servers for resources, such as files, devices, and even processing power.

Network Protocol Overview


The OSI model, and any other network communication model, provides only a conceptual framework for communication between computers; the model itself does not provide specific methods of communication. Actual communication is defined by various communication protocols. In the context of data communication, a protocol is a formal set of rules, conventions and data structures that governs how computers and other network devices exchange information over a network. In other words, a protocol is a standard procedure and format that two data communication devices must understand, accept and use to be able to talk to each other.

In modern protocol design, protocols are "layered" according to the OSI 7-layer model or a similar layered model. Layering is a design principle which divides the protocol design into a number of smaller parts, each part accomplishing a particular sub-task and interacting with the other parts of the protocol only in a small number of well-defined ways. Layering allows the parts of a protocol to be designed and tested without a combinatorial explosion of cases, keeping each design relatively simple. Layering also permits familiar protocols to be adapted to unusual circumstances. The header and/or trailer at each layer reflect the structure of the protocol. Detailed rules and procedures of a protocol or protocol group are often defined by a lengthy document. For example, the IETF uses RFCs (Requests for Comments) to define protocols and updates to the protocols.

A wide variety of communication protocols exists. These protocols were defined by many different standards organizations throughout the world and by technology vendors over years of technology evolution and development. One of the most popular protocol suites is TCP/IP, which is the heart of internetworking communications. IP, the Internet Protocol, is responsible for exchanging information between routers so that the routers can select the proper path for network traffic, while TCP is responsible for ensuring that data packets are transmitted across the network reliably and error-free. LAN and WAN protocols are also critical protocols in network communications. The LAN protocol suite is for the physical and data link layers of communications over various LAN media such as Ethernet wires and wireless radio waves. The WAN protocol suite is for the lowest three layers and defines communication over various wide-area media, such as fiber-optic and copper cables.

Network communication has slowly evolved. Today's new technologies are based on the accumulation over years of technologies, which may be either still existing or obsolete. Because of this, the protocols which define network communication are highly inter-related. Many protocols rely on others for operation. For example, many routing protocols use other network protocols to exchange information between routers. In addition to standards for individual protocols in transmission, there are now also interface standards for different layers to talk to the ones above or below (usually operating-system specific).

The protocols for data communication cover all areas as defined in the OSI model. However, the OSI model is only loosely defined. A protocol may perform the functions of one or more of the OSI layers, which introduces complexity to understanding protocols relative to the OSI 7-layer model. In real-world protocols, there is some argument as to where the distinctions between layers are drawn; there is no one black-and-white answer. To develop a complete technology that is useful for the industry, very often a group of protocols is required in the same layer or across many different layers. Different protocols often describe different aspects of a single communication; taken together, these form a protocol suite. For example, Voice over IP (VoIP), a group of protocols developed by many vendors and standards organizations, has many protocols across the top 4 layers of the OSI model. Protocols can be implemented either in hardware or software or a mixture of both. Typically, the lower layers are implemented in hardware, with the higher layers being implemented in software.

Protocols can be grouped into suites (or families, or stacks) by their technical functions, or by the origin of the protocol's introduction, or both. A protocol may belong to one or multiple protocol suites, depending on how you categorize it. For example, the Gigabit Ethernet protocol IEEE 802.3z is a LAN (Local Area Network) protocol and it can also be used in MAN (Metropolitan Area Network) communications. Most recent protocols are designed by the IETF for internetworking communications and by the IEEE for local area networking (LAN) and metropolitan area networking (MAN). The ITU-T contributes mostly to wide area networking (WAN) and telecommunications protocols. ISO has its own suite of protocols for internetworking communications, which is mainly deployed in European countries.

Compare the Network Protocols


Protocol        Cable                          Speed              Topology
Ethernet        Twisted Pair, Coaxial, Fiber   10 Mbps            Linear Bus, Star, Tree
Fast Ethernet   Twisted Pair, Fiber            100 Mbps           Star
LocalTalk       Twisted Pair                   0.23 Mbps          Linear Bus or Star
Token Ring      Twisted Pair                   4 Mbps - 16 Mbps   Star-Wired Ring
FDDI            Fiber                          100 Mbps           Dual Ring
ATM             Twisted Pair, Fiber            155-2488 Mbps      Linear Bus, Star, Tree

INTERNET BACKBONE
The Internet backbone refers to the principal data routes between large, strategically interconnected networks and core routers of the Internet. These data routes are hosted by commercial, government, academic and other high-capacity network centers, the Internet exchange points and network access points that interchange Internet traffic between the countries, continents and across the oceans of the world. The Internet service providers (often Tier 1 networks) participating in the Internet backbone exchange traffic under privately negotiated interconnection agreements, primarily governed by the principle of settlement-free peering.

Infrastructure
The Internet backbone is a conglomeration of multiple, redundant networks owned by numerous companies. It is typically a fiber-optic trunk line. The trunk line consists of many fiber-optic cables bundled together to increase the capacity. The backbone is able to reroute traffic in case of a failure. The data speeds of backbone lines have changed with the times. In 1998, all of the United States backbone networks had utilized the slowest data rate of 45 Mbps. However, changing technologies allowed 41 percent of backbones to have data rates of 2,488 Mbps or faster by the mid-2000s. The FCC currently defines "high speed" as any connection with data speeds that exceed 200 kilobits per second. An Azerbaijan-based telecommunication company, Delta Telecom, has recently developed a very efficient trunk line with possible speeds of up to 1.6 terabits per second. Internet traffic from this line goes through the countries of Iran, Iraq and Georgia. Fiber-optic cables are the medium of choice for Internet backbone providers for many reasons. Fiber optics allow for fast data speeds and large bandwidth; they suffer relatively little attenuation, allowing them to cover long distances with few repeaters; they are also immune to crosstalk and other forms of EM interference which plague electrical transmission.

The Building Blocks: Basic Components of Networks

Every network includes:

- At least two computers
- A network interface on each computer (the device that lets the computer talk to the network, usually called a network interface card [NIC] or adapter)
- A connection medium, usually a wire or cable, but wireless communication between networked computers and peripherals is also possible
- Network operating system software, such as Microsoft Windows 95 or Windows NT, Novell NetWare, AppleShare, etc.
- Most networks, even those with just two computers, have a hub or a switch to act as a connection point between

When their computers are joined in a network, people can share files and peripherals such as modems, printers, tape backup drives, and CD-ROM drives. When networks at multiple locations are connected using services available from phone companies, people can send e-mail, share links to the global Internet, or conduct videoconferences in real time with other remote users on the network.

Twisted-pair

This wire comes in several standards. Unshielded twisted pair (UTP) Category 3 wire (also called 10BaseT) is often used for your phone lines, and UTP Category 5 (also called 10Base2) wire is the current networking standard. Coaxial cable resembles round cable TV wiring.

Fiber-optic
Usually reserved for connections between backbone devices in larger networks, though in some very demanding environments highly fault-resistant cable is used to connect desktop workstations to the network and to link adjacent buildings. Fiber-optic cable is the most reliable wiring but also the most expensive. For instance, Ethernet can use UTP Category 3 wiring. However, Fast Ethernet requires at least the higher-grade UTP Category 5 wiring. As a result, all new wiring installations should be Category 5.

Network interface cards


Network interface cards (NICs), or adapters, are usually installed inside a computer's case. With portable and notebook computers, the NIC is usually in the credit-card-sized PC Card (PCMCIA) format, which is installed in a slot. Ethernet NICs support only Ethernet connections, while 10/100 NICs cost about the same and can work with either Ethernet or higher-performance Fast Ethernet connections. In addition, you need to ensure that your NICs will support the type of cabling you will use: twisted-pair (also called 10BaseT), coaxial (also called 10Base2), or a mixture of both.

Hubs

Hubs, or repeaters, are simple devices that interconnect groups of users. Hubs forward any data packets they receive over one port from one workstation, including e-mail, word processing documents, spreadsheets, graphics, or print requests, to all of their remaining ports. All users connected to a single hub or stack of connected hubs are in the same segment, sharing the hub's bandwidth or data-carrying capacity. As more users are added to a segment, they compete for a finite amount of bandwidth devoted to that segment.

Switches
Switches are smarter than hubs and offer more bandwidth. A switch forwards data packets only to the appropriate port for the intended recipient, based on information in each packet's header. To insulate the transmission from the other ports, the switch establishes a temporary connection between the source and destination, then terminates the connection when the conversation is done. As such, a switch can support multiple conversations and move much more traffic through the network than a hub. A single eight-port Ethernet hub provides a total of 10 megabits per second (Mbps) of data-carrying capacity shared among all users on the hub. A full-duplex, eight-port Ethernet switch can support eight 10-Mbps conversations at once, for a total data-carrying capacity of 160 Mbps. Full-duplex refers to simultaneous two-way communications, such as telephone communication. With half-duplex communications, data can move across the cable or transmission medium in just one direction at a time.
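As an added example (not code from the report), the following Python model contrasts the two forwarding rules described in the Hubs and Switches sections: a hub repeats each frame to every other port, while a switch learns which port each source address sits behind and forwards to the destination's port only, flooding when the destination is still unknown. The MAC addresses (taken from the IANA documentation range), the port numbers and the three-frame traffic sample are constructed values.

```python
"""Hub versus learning switch: which ports receive each frame?

Added example, not code from the report. A hub repeats every frame to all
ports except the one it arrived on. A switch records the port of each source
MAC it sees and forwards a frame only to the port of its destination MAC,
flooding only when the destination is unknown or is the broadcast address.
MAC addresses (IANA documentation range) and port numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str  # source MAC address
    dst: str  # destination MAC address


class Hub:
    """Layer-1 repeater: no addressing, every frame goes out every other port."""

    def __init__(self, ports: int) -> None:
        self.ports = ports

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        return [p for p in range(self.ports) if p != in_port]


@dataclass
class Switch:
    """Learning switch: builds a MAC-to-port table from source addresses."""
    ports: int
    mac_table: Dict[str, int] = field(default_factory=dict)

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        # Learn (or refresh) which port the sender is reachable on.
        self.mac_table[frame.src] = in_port
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            # Broadcast or unknown unicast: flood, exactly like a hub.
            return [p for p in range(self.ports) if p != in_port]
        if out_port == in_port:
            # Destination sits on the segment the frame came from: drop it.
            return []
        return [out_port]


def compare(ports: int = 8) -> Dict[str, List[List[int]]]:
    """Send the same three frames through a hub and a switch; return ports hit."""
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    # Constructed traffic: A (port 0) -> B, B (port 1) replies, A -> B again.
    traffic = [(0, Frame(a, b)), (1, Frame(b, a)), (0, Frame(a, b))]
    hub, sw = Hub(ports), Switch(ports)
    return {
        "hub": [hub.forward(p, f) for p, f in traffic],
        "switch": [sw.forward(p, f) for p, f in traffic],
    }


if __name__ == "__main__":
    for device, hits in compare().items():
        print(device, hits)
```

The hub rows show every station on the segment receiving every frame, whether addressed to it or not, which is why a shared hub segment gives users no isolation from each other's traffic. The switch narrows delivery to the learned port after the first reply, but note the two cases where it still behaves like a hub: a destination it has not yet learned and the broadcast address.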

Routers
Compared to switches and bridges, routers are smarter still. Routers use a more complete packet address to determine which router or workstation should receive each packet. Based on a network roadmap called a routing table, routers can help ensure that packets are travelling the most efficient paths to their destinations. If a link between two routers goes down, the sending router can determine an alternate route to keep traffic moving. Routers also provide links between networks that speak different languages, or, in computer-speak, networks that use different protocols. Examples include IP (Internet Protocol), IPX (Internet Packet Exchange Protocol), and AppleTalk. Routers not only connect networks in a single location or set of buildings, but they also provide interfaces, or sockets, for connecting to wide-area network (WAN) services. These WAN services are offered by telecommunications companies to connect geographically dispersed networks.
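The routing-table lookup the paragraph refers to, as an added example that is not part of the report: a longest-prefix-match table built on Python's standard `ipaddress` module, with a default route, a metric tie-break between equal-length prefixes, and a `link_down` step that withdraws routes so the next-best entry is selected, which is the alternate-route behaviour described above. The prefixes, next hops and interface names are constructed sample values from the RFC 5737 documentation ranges.

```python
"""Routing-table lookup: longest-prefix match, metric tie-break, failover.

Added example, not code from the report. A routing table maps destination
prefixes to a next hop and an outgoing interface. The router picks the most
specific (longest) prefix containing the destination; the default route
0.0.0.0/0 catches everything else. When a link fails, its routes are
withdrawn and the next-best entry takes over. Prefixes, next hops and
interface names are constructed values from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    interface: str
    metric: int = 0


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, interface: str, metric: int = 0) -> None:
        self.routes.append(Route(IPv4Network(prefix), next_hop, interface, metric))

    def lookup(self, destination: str) -> Optional[Route]:
        """Best route: longest prefix first, lowest metric as the tie-break."""
        addr = IPv4Address(destination)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))

    def link_down(self, interface: str) -> None:
        """Withdraw every route that used the failed interface."""
        self.routes = [r for r in self.routes if r.interface != interface]


def build_sample_table() -> RoutingTable:
    # Constructed topology: a local LAN, a branch office reachable over a
    # primary uplink (WAN0) and a backup uplink (WAN1), and a default route.
    rt = RoutingTable()
    rt.add("192.0.2.0/24", "0.0.0.0", "LAN0")             # directly connected LAN
    rt.add("198.51.100.0/24", "203.0.113.1", "WAN0", 10)  # branch via primary link
    rt.add("198.51.100.0/24", "203.0.113.5", "WAN1", 20)  # same branch via backup
    rt.add("198.51.100.128/25", "203.0.113.9", "WAN1")    # more specific: upper half
    rt.add("0.0.0.0/0", "203.0.113.1", "WAN0")            # default route (Internet)
    return rt


def next_hops(rt: RoutingTable, destinations: List[str]) -> List[Optional[str]]:
    """Resolve each destination to its next hop, or None if it is unroutable."""
    result: List[Optional[str]] = []
    for dest in destinations:
        route = rt.lookup(dest)
        result.append(route.next_hop if route else None)
    return result


if __name__ == "__main__":
    rt = build_sample_table()
    dests = ["192.0.2.7", "198.51.100.9", "198.51.100.200", "203.0.113.77"]
    print("before failure: ", next_hops(rt, dests))
    rt.link_down("WAN0")
    print("after WAN0 down:", next_hops(rt, dests))
```

The /25 entry wins over both /24 entries for addresses in its range regardless of metric; the metric only breaks ties between prefixes of equal length. After `link_down("WAN0")` the branch prefix fails over to the backup next hop, but the default route was also on WAN0, so Internet destinations now resolve to `None`: a router with a single default route has no alternate for them, which is the kind of single point of failure a routing design review should make visible.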

Ethernet and Fast Ethernet


Ethernet has been around since the late 1970s and remains the leading network technology for local-area networks (LANs). Ethernet is based on carrier sense multiple access with collision detection (CSMA/CD). Simply put, an Ethernet workstation can send data packets only when no other packets are travelling on the network, that is, when the network is quiet. Otherwise, it waits to transmit, just as a person might wait for another to finish speaking during a conversation. If multiple stations sense an opening and start sending at the same time, a collision occurs. Then, each station waits a random amount of time and tries to send its packet again. After 16 consecutive failed attempts, the original application that sent the packet has to start again. As more people try to use the network, the number of collisions, errors, and subsequent retransmits grows quickly, causing a snowball effect. Collisions are normal occurrences, but too many can start to cause the network to slow down. When more than 50 percent of the network's total bandwidth is used, collision rates begin to cause congestion. Files take longer to print, applications take longer to open, and users are forced to wait. At 60 percent or higher bandwidth usage, the network can slow dramatically or even grind to a halt.

Ethernet's bandwidth or data-carrying capacity (also called throughput) is 10 Mbps. Fast Ethernet (or 100BaseT) works the same way, through collision detection, but it provides 10 times the bandwidth, or 100 Mbps. Shared Ethernet is like a single-lane highway with a 10-Mbps speed limit (see diagrams below). Shared Fast Ethernet is like a much wider highway with a 100-Mbps speed limit; there is more room for cars, and they can travel at higher speeds. What would Switched Ethernet look like? A multilane highway with a speed limit of 10 Mbps in each lane. Switched Fast Ethernet would also be a multilane highway, but with a speed limit of 100 Mbps in each lane.
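An added example (not from the report) that simulates the CSMA/CD contention rule described above in slotted form: every station with a frame senses the medium, a simultaneous start is a collision, colliding stations back off a random number of slots and retry, and a frame is abandoned after 16 consecutive failed attempts. The doubling backoff window and its cap at 1023 slots are the IEEE 802.3 binary exponential backoff values; the station counts and random seed are constructed inputs.

```python
"""CSMA/CD contention with binary exponential backoff (slotted model).

Added example, not code from the report. Every station with a frame senses
the medium; if exactly one station transmits in a slot it succeeds, if two or
more start together it is a collision, and each collider waits a random
number of slots (0 .. 2^k - 1 after its k-th collision, window capped at 1023
slots as in IEEE 802.3) before trying again. After 16 consecutive failed
attempts the frame is abandoned. Station counts and seeds are constructed.
"""
import random
from typing import Dict, List, Optional

MAX_ATTEMPTS = 16   # IEEE 802.3 attempt limit
MAX_EXPONENT = 10   # backoff window stops doubling at 2**10 = 1024 slots


def backoff_window(attempt: int) -> int:
    """Number of slots to choose from after the given collision count (1-based)."""
    return 2 ** min(attempt, MAX_EXPONENT)


def simulate(stations: int, seed: int = 0) -> Dict[str, object]:
    """Every station has one frame ready at slot 0; run until all are resolved.

    Returns the slot in which each station finally transmitted (None if it gave
    up after MAX_ATTEMPTS), the number of collisions, and the slots consumed.
    One transmission occupies exactly one slot; propagation delay is ignored.
    """
    rng = random.Random(seed)
    ready_at = [0] * stations                    # first slot a station may try
    attempts = [0] * stations                    # consecutive collisions so far
    sent_at: List[Optional[int]] = [None] * stations
    collisions = 0
    slot = 0
    while any(s is None and a < MAX_ATTEMPTS for s, a in zip(sent_at, attempts)):
        # Carrier sense: every unfinished station whose backoff has expired
        # sees an idle medium at the start of this slot and starts sending.
        contenders = [i for i in range(stations)
                      if sent_at[i] is None and attempts[i] < MAX_ATTEMPTS
                      and ready_at[i] <= slot]
        if len(contenders) == 1:
            sent_at[contenders[0]] = slot        # sole sender: success
        elif len(contenders) > 1:
            collisions += 1
            for i in contenders:
                attempts[i] += 1
                # Binary exponential backoff: wait 0 .. window-1 extra slots.
                ready_at[i] = slot + 1 + rng.randrange(backoff_window(attempts[i]))
        slot += 1
    return {"sent_at": sent_at, "collisions": collisions, "slots": slot}


def collisions_by_load(station_counts: List[int], seed: int = 0) -> Dict[int, int]:
    """Collision count for each offered load (number of contending stations)."""
    return {n: int(simulate(n, seed)["collisions"]) for n in station_counts}


if __name__ == "__main__":
    for n, c in collisions_by_load([1, 2, 4, 8, 16]).items():
        print(f"{n:2d} stations -> {c} collisions")
```

`collisions_by_load` runs the same simulation for increasing numbers of contending stations; the collision count climbs with load, which is the snowball effect the text describes. The model charges one slot per frame and ignores propagation delay, so it shows the shape of the behaviour, not the exact utilisation thresholds quoted above.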

Ethernet Cabling

Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and is terminated with an RJ45-type connector. A normal straight-through UTP Ethernet cable follows the EIA-568B standard wiring as described below.

Category 5 Cable Quality

Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows:

- 20 ft. (6 m) between the hub and the patch panel (if used)
- 295 ft. (90 m) from the wiring closet to the wall outlet
- 10 ft. (3 m) from the wall outlet to the desktop device

The patch panel and other connecting hardware must meet the requirements for 100-Mbps operation (Category 5). Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any termination point. A twisted-pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low-quality cables, but at 100 Mbits/second (100BASE-TX) the cable must be rated as Category 5, or Cat 5, by the Electronic Industries Association (EIA). This rating will be printed on the cable jacket. A Category 5 cable will meet specified requirements regarding loss and crosstalk. In addition, there are restrictions on maximum cable length for both 10- and 100-Mbits/second networks.

CHAPTER 3

OSI MODEL

The Open Systems Interconnection model (OSI model) was a product of the Open Systems Interconnection effort at the International Organization for Standardization. It is a way of sub-dividing a communications system into smaller parts called layers. Similar communication functions are grouped into logical layers. A layer provides services to its upper layer while receiving services from the layer below. On each layer, an instance provides service to the instances at the layer above and requests service from the layer below.

Layer 1: Physical Layer


The Physical Layer defines electrical and physical specifications for devices. In particular, it defines the relationship between a device and a transmission medium, such as a copper or optical cable. This includes the layout of pins, voltages, cable specifications, hubs, repeaters, network adapters, host bus adapters (HBAs, used in storage area networks) and more. The major functions and services performed by the Physical Layer are:

- Establishment and termination of a connection to a communications medium.
- Participation in the process whereby the communication resources are effectively shared among multiple users, for example contention resolution and flow control.
- Modulation, or conversion between the representation of digital data in user equipment and the corresponding signals transmitted over a communications channel. These are signals operating over the physical cabling (such as copper and optical fiber) or over a radio link.

Layer 2: Data Link Layer

The Data Link Layer provides the functional and procedural means to transfer data between network entities and to detect and possibly correct errors that may occur in the Physical Layer. Originally, this layer was intended for point-to-point and point-to-multipoint media, characteristic of wide area media in the telephone system. Local area network architecture, which included broadcast-capable multi-access media, was developed independently of the ISO work in IEEE Project 802. IEEE work assumed sublayering and management functions not required for WAN use. In modern practice, only error detection, not flow control using a sliding window, is present in data link protocols such as the Point-to-Point Protocol (PPP); on local area networks, the IEEE 802.2 LLC layer is not used for most protocols on Ethernet, and on other local area networks its flow control and acknowledgment mechanisms are rarely used.

Layer 3: Network Layer


The Network Layer provides the functional and procedural means of transferring variable-length data sequences from a source host on one network to a destination host on a different network, while maintaining the quality of service requested by the Transport Layer (in contrast to the Data Link Layer, which connects hosts within the same network). The Network Layer performs network routing functions, and might also perform fragmentation and reassembly, and report delivery errors. Routers operate at this layer, sending data throughout the extended network and making the Internet possible. This is a logical addressing scheme; its values are chosen by the network engineer. The addressing scheme is not hierarchical. Careful analysis of the Network Layer indicated that it could have at least three sublayers:

- Subnetwork Access, which considers protocols that deal with the interface to networks, such as X.25;
- Subnetwork Dependent Convergence, used when it is necessary to bring the level of a transit network up to the level of the networks on either side;
- Subnetwork Independent Convergence, which handles transfer across multiple networks.

Layer 4: Transport Layer


The Transport Layer provides transparent transfer of data between end users, providing reliable data transfer services to the upper layers. The Transport Layer controls the reliability of a given link through flow control, segmentation/desegmentation, and error control. Some protocols are state- and connection-oriented. This means that the Transport Layer can keep track of the segments and retransmit those that fail. The Transport Layer also provides the acknowledgement of successful data transmission and sends the next data if no errors occurred. Although not developed under the OSI Reference Model and not strictly conforming to the OSI definition of the Transport Layer, typical examples of Layer 4 are the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
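To make the layering concrete, both for the statement in the protocol overview that the header at each layer reflects the structure of its protocol and for Layers 2 to 4 just described, here is an added example (not code from the report) that carries a payload down through the layers, each one prepending its own header (UDP at Layer 4, then IPv4 at Layer 3, then Ethernet II at Layer 2), and then strips the headers off again in the reverse order, verifying the IPv4 header checksum on the way. The header layouts follow RFC 768, RFC 791 and Ethernet II framing; the addresses and ports are constructed values from the documentation ranges.

```python
"""Encapsulation down the stack (UDP -> IPv4 -> Ethernet) and back up.

Added example, not code from the report. Each layer puts its own header in
front of what it received from the layer above; the receiver peels the
headers off in the opposite order and checks the IPv4 header checksum.
Layouts follow RFC 768 (UDP), RFC 791 (IPv4) and Ethernet II framing.
Addresses and ports are constructed values from the documentation ranges.
"""
import struct
from typing import Dict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def checksum16(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def udp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Layer 4: 8-byte UDP header in front of the application data."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    # The UDP checksum also covers a pseudo-header of IP addresses, protocol, length.
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, IPPROTO_UDP, length)
    csum = checksum16(pseudo + header + payload) or 0xFFFF   # 0 would mean "none"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def ipv4_packet(src_ip: str, dst_ip: str, proto: int, segment: bytes, ttl: int = 64) -> bytes:
    """Layer 3: 20-byte IPv4 header (no options) in front of the segment."""
    total_len = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    csum = checksum16(header)                      # computed with the field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def ethernet_frame(src_mac: str, dst_mac: str, ethertype: int, packet: bytes) -> bytes:
    """Layer 2: 14-byte Ethernet II header in front of the packet."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + packet


def decapsulate(frame: bytes) -> Dict[str, object]:
    """Strip headers layer by layer; raise if the IPv4 checksum does not verify."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if checksum16(packet[:ihl]) != 0:               # valid header sums to zero
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    segment = packet[ihl:total_len]
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "sport": sport, "dport": dport,
        "payload": segment[8:length],
    }


def build_sample_frame(payload: bytes = b"hello") -> bytes:
    """Constructed sample: RFC 5737 addresses and IANA documentation MACs."""
    seg = udp_segment("192.0.2.10", "192.0.2.20", 40000, 5353, payload)
    pkt = ipv4_packet("192.0.2.10", "192.0.2.20", IPPROTO_UDP, seg)
    return ethernet_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", ETHERTYPE_IPV4, pkt)


if __name__ == "__main__":
    frame = build_sample_frame()
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

`decapsulate` rejects a frame whose IPv4 header has been altered in transit, which is exactly what the Network Layer's error detection buys you and nothing more: the checksum catches accidental corruption, not deliberate modification, so it is no substitute for authentication at a higher layer.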


Layer 5: Session Layer


The Session Layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex, or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite. The Session Layer is commonly implemented explicitly in application environments that use remote procedure calls.

Layer 6: Presentation Layer


The Presentation Layer establishes context between Application Layer entities, in which the higher-layer entities may use different syntax and semantics if the presentation service provides a mapping between them. If a mapping is available, presentation service data units are encapsulated into session protocol data units, and passed down the stack. This layer provides independence from data representation (e.g., encryption) by translating between application and network formats. The presentation layer transforms data into the form that the application accepts. This layer formats and encrypts data to be sent across a network. It is sometimes called the syntax layer.

Layer 7: Application Layer


The Application Layer is the OSI layer closest to the end user, which means that both the OSI application layer and the user interact directly with the software application. This layer interacts with software applications that implement a communicating component. Such application programs fall outside the scope of the OSI model. When determining resource availability, the application layer must decide whether sufficient network resources for the requested communication exist. In synchronizing communication, all communication between applications requires cooperation that is managed by the application layer. Some examples of application layer implementations on the OSI stack include:
- FTAM (File Transfer and Access Management Protocol)
- X.400 Mail
- Common Management Information Protocol (CMIP)

CHAPTER 4
TCP/IP

In the TCP/IP model of the Internet, protocols are deliberately not as rigidly designed into strict layers as the OSI model. However, TCP/IP does recognize four broad layers of functionality which are derived from the operating scope of their contained protocols, namely the scope of the software application, the end-to-end transport connection, the internetworking range, and lastly the scope of the direct links to other nodes on the local network. Even though the concept is different from the OSI model, these layers are nevertheless often compared with the OSI layering scheme in the following way: The Internet Application Layer includes the OSI Application Layer, Presentation Layer, and most of the Session Layer. Its end-to-end Transport Layer includes the graceful close function of the OSI Session Layer as well as the OSI Transport Layer. The internetworking layer (Internet Layer) is a subset of the OSI Network Layer (see above), while the Link Layer includes the OSI Data Link and Physical Layers, as well as parts of OSI's Network Layer. These comparisons are based on the original seven-layer protocol model as defined in ISO 7498, rather than refinements in such things as the internal organization of the Network Layer document. The presumably strict peer layering of the OSI model as it is usually described does not present contradictions in TCP/IP, as it is permissible that protocol usage does not follow the hierarchy implied in a layered model. Such examples exist in some routing protocols (e.g., OSPF), or in the description of tunneling protocols, which provide a Link Layer for an application, although the tunnel host protocol may well be a Transport or even an Application Layer protocol in its own right.

Internet Protocol (IP) Addresses


Because TCP/IP networks are interconnected across the world, each computer on the Internet must have a unique address (called an IP address) to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points. For example, the following binary address:
11000011 00100010 00001100 00000111
is normally written as:
195.34.12.7
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. The figure below shows the three main address classes, including network and host sections of the address for each address type.


The five address classes are:
Class A: Class A addresses can have up to 16,777,214 hosts on a single network. They use an 8-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x.
Class B: Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range: 128.1.x.x to 191.254.x.x.
Class C: Class C addresses can have up to 254 hosts on a network. A Class C address uses a 24-bit network number and an 8-bit node number. Class C addresses are in this range: 192.0.1.x to 223.255.254.x.
Class D: Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255.
Class E: Class E addresses are for experimental use.

Net mask
In each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using an AND operator) with an IP address, yields the network address. For instance, the netmasks for Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here, only the network portion of the address remains:
11000000 10101000 10101010 11101101 (192.168.170.237)
combined with:
11111111 11111111 11111111 00000000 (255.255.255.0)
equals:
11000000 10101000 10101010 00000000 (192.168.170.0)
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a forward slash (/), as /n. In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.


Media Access Control (MAC) Addresses and Address Resolution Protocol


An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its MAC address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer. The technique that associates the IP address with a MAC address is known as address resolution. Internet Protocol uses the Address Resolution Protocol (ARP) to resolve MAC addresses. If a device sends data to another station on the network and the destination MAC address is not yet recorded, ARP is used. An ARP request is broadcast onto the network. All stations (computers, for example) on the network receive and read the request. The destination IP address for the chosen station is included as part of the message so that only the station with this IP address responds to the ARP request. All other stations discard the request.

Domain Name System (DNS) Server


Many of the resources on the Internet can be addressed by simple descriptive names such as http://www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to MAC addresses, a DNS server maps descriptive names of network resources to IP addresses. When a computer accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The computer sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.

Private IP Addresses
If your local network is isolated from the Internet (for example, when using Network Address Translation, NAT, which is described below), you can assign any IP addresses to the hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks:
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0 - 172.31.255.255
- 192.168.0.0 - 192.168.255.255
Choose your private network number from these ranges.
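The address notation, the classful ranges, the netmask AND operation, the /n prefix form and the three private blocks described in the preceding sections, worked through in code. This is an added example and not part of the original report; the function names are my own and the sample addresses are the ones the chapter uses.

```python
"""IPv4 addressing helpers covering the notation, classes, netmask AND,
/n prefix notation and RFC 1918 private blocks described in this chapter.
Added example, not code from the original report."""


def parse_dotted(addr: str) -> int:
    """Convert dotted-decimal text such as '195.34.12.7' to a 32-bit integer,
    rejecting anything that is not exactly four octets in 0..255."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    """Inverse of parse_dotted."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Render the address as four 8-bit groups, as the chapter writes them."""
    value = parse_dotted(addr)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classful category, decided by the leading bit pattern of the first octet."""
    first = parse_dotted(addr) >> 24
    if first < 128:
        return "A"  # leading bit 0
    if first < 192:
        return "B"  # leading bits 10
    if first < 224:
        return "C"  # leading bits 110
    if first < 240:
        return "D"  # leading bits 1110 (multicast)
    return "E"      # leading bits 1111 (experimental)


def network_address(addr: str, netmask: str) -> str:
    """AND the address with the netmask; only the network portion survives."""
    return to_dotted(parse_dotted(addr) & parse_dotted(netmask))


def is_contiguous_mask(netmask: str) -> bool:
    """A valid netmask is some number of ones followed only by zeros."""
    mask = parse_dotted(netmask)
    ones = bin(mask).count("1")
    return mask == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def prefix_length(netmask: str) -> int:
    """Number of leading ones, i.e. the n in /n notation."""
    if not is_contiguous_mask(netmask):
        raise ValueError(f"non-contiguous netmask {netmask!r}")
    return bin(parse_dotted(netmask)).count("1")


def cidr(addr: str, netmask: str) -> str:
    """Shorter form: address followed by a forward slash and the prefix length."""
    return f"{addr}/{prefix_length(netmask)}"


# The three IANA-reserved private blocks from the chapter, written as prefixes.
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the reserved private blocks."""
    value = parse_dotted(addr)
    for network, plen in PRIVATE_BLOCKS:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if value & mask == parse_dotted(network):
            return True
    return False


if __name__ == "__main__":
    print(to_binary("195.34.12.7"))
    print(address_class("192.168.170.237"),
          network_address("192.168.170.237", "255.255.255.0"))
    print(cidr("192.168.170.237", "255.255.255.0"), is_private("192.168.170.237"))
```

The contiguity check in `is_contiguous_mask` matters in practice: a mask such as 255.0.255.0 is a legal 32-bit value but cannot be expressed as /n, and configurations that accept it silently produce surprising network boundaries.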

CHAPTER 5


Cisco Inter-network Operating System


Cisco IOS Modes of Operation
The Cisco IOS software provides access to several different command modes. Each command mode provides a different group of related commands. For security purposes, the Cisco IOS software provides two levels of access to commands: user and privileged. The unprivileged user mode is called user EXEC mode. The privileged mode is called privileged EXEC mode and requires a password. The commands available in user EXEC mode are a subset of the commands available in privileged EXEC mode. The following table describes some of the most commonly used modes, how to enter the modes, and the resulting prompts. The prompt helps you identify which mode you are in and, therefore, which commands are available to you.

User EXEC Mode: When you connect to the router, you start in user EXEC mode. The user EXEC commands are a subset of the privileged EXEC commands.
Privileged EXEC Mode: Privileged commands include the following:
- configure: changes the software configuration.
- debug: displays process and hardware event messages.
- setup: enters configuration information at the prompts.
Enter the command disable to exit from privileged EXEC mode and return to user EXEC mode.

Configuration Mode

Configuration mode has a set of submodes that you use for modifying interface settings, routing protocol settings, line settings, and so forth. Use caution with configuration mode because all changes you enter take effect immediately. To enter configuration mode, enter the command configure terminal and exit by pressing Ctrl-Z.
Note: Almost every configuration command also has a no form. In general, use the no form to disable a feature or function. Use the command without the keyword no to re-enable a disabled feature or to enable a feature that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, enter the no ip routing command and enter ip routing to re-enable it.

Getting Help
In any command mode, you can get a list of available commands by entering a question mark (?).
Router>?
To obtain a list of commands that begin with a particular character sequence, type those characters followed immediately by the question mark (?).
Router#co?
configure connect copy
To list keywords or arguments, enter a question mark in place of a keyword or argument. Include a space before the question mark.
Router#configure ?
memory    Configure from NV memory
network   Configure from a TFTP network host
terminal  Configure from the terminal
You can also abbreviate commands and keywords by entering just enough characters to make the command unique from other commands. For example, you can abbreviate the show command to sh.

Configuration Files
Any time you make changes to the router configuration, you must save the changes to memory, because if you do not they will be lost if there is a system reload or power outage. There are two types of configuration files: the running (current operating) configuration and the startup configuration. Use the following privileged mode commands to work with configuration files.
- configure terminal: modify the running configuration manually from the terminal.
- show running-config: display the running configuration.
- show startup-config: display the startup configuration.
- copy running-config startup-config: copy the running configuration to the startup configuration.
- copy startup-config running-config: copy the startup configuration to the running configuration.

- erase startup-config: erase the startup configuration in NVRAM.
- copy tftp running-config: load a configuration file stored on a Trivial File Transfer Protocol (TFTP) server into the running configuration.
- copy running-config tftp: store the running configuration on a TFTP server.

IP Address Configuration
Take the following steps to configure the IP address of an interface.
Step 1: Enter privileged EXEC mode (enter the enable password when prompted):
Router>enable
Step 2: Enter the configure terminal command to enter global configuration mode.
Router#config terminal
Step 3: Enter interface type slot/port (for Cisco 7000 series) or interface type port (for Cisco 2500 series) to enter interface configuration mode. Example:
Router(config)#interface ethernet 0/1
Step 4: Enter the IP address and subnet mask of the interface using the ip address ipaddress subnetmask command. Example:
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Step 5: Exit configuration mode by pressing Ctrl-Z.
Router(config-if)#[Ctrl-Z]

Routing Protocol Configuration

Routing Information Protocol (RIP)
Step 1: Enter privileged EXEC mode (enter the enable password when prompted):
Router>enable
Step 2: Enter the configure terminal command to enter global configuration mode.
Router#config terminal
Step 3: Enter the router rip command.
Router(config)#router rip
Step 4: Add the network number to use RIP, and repeat this step for all the network numbers.
Router(config-router)#network network-number
Example:
Router(config-router)#network 192.168.10.0
Note: To turn off RIP, use the no router rip command.
Router(config)#no router rip

Other useful commands

Specify a RIP Version

By default, the software receives RIP version 1 and version 2 packets, but sends only version 1 packets. To control which RIP version an interface sends, use one of the following commands in interface configuration mode:

To control how packets received from an interface are processed, use one of the following commands:

Open Shortest Path First (OSPF)
Step 1: Enter privileged EXEC mode (enter the enable password when prompted):
Router>enable
Step 2: Enter the configure terminal command to enter global configuration mode.
Router#config terminal
Step 3: Enter the router ospf command followed by the process-id.
Router(config)#router ospf process-id
Pick a process-id which is not being used. To determine what ids are being used, issue the show process command.
Router(config)#show process
Step 4: Add the network number, mask and area-id.
Router(config-router)#network network-number mask area area-id
The network-number identifies the network using OSPF. The mask tells which bits to use from the network-number, and the area-id is used for determining areas in an OSPF configuration. Example:
Router(config-router)#network 192.168.10.0 255.255.255.0 area 0.0.0.0
Repeat this step for all the network numbers. To turn off OSPF, use the following command.
Router(config)#no router ospf process-id

Other useful commands


Configure OSPF Interface Parameters

You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network.

Command                             Purpose
ip ospf cost cost                   Explicitly specify the cost of sending a packet on an OSPF interface.
ip ospf retransmit-interval seconds Specify the number of seconds between link state advertisement retransmissions for adjacencies belonging to an OSPF interface.
ip ospf transmit-delay seconds      Set the estimated number of seconds it takes to transmit a link state update packet on an OSPF interface.
ip ospf priority number             Set router priority to help determine the OSPF designated router for a network.
ip ospf hello-interval seconds      Specify the length of time, in seconds, between the hello packets that a router sends on an OSPF interface.
ip ospf dead-interval seconds       Set the number of seconds that a router's hello packets must not have been seen before its neighbors declare the OSPF router down.

How to read router/link status


Status of router and links can be easily determined by power LED of router and link LED of each interface (if any). However, you may find a transceiver connected to an AUI port looks like the following:

CHAPTER 6


ROUTING TABLE
In computer networking a routing table, or Routing Information Base (RIB), is a data structure in the form of a table-like object stored in a router or a networked computer that lists the routes to particular network destinations, and in some cases, metrics associated with those routes. The routing table contains information about the topology of the network immediately around it. The construction of routing tables is the primary goal of routing protocols. Static routes are entries made in a routing table by non-automatic means and which are fixed rather than being the result of some network topology 'discovery' procedure. Routing tables are generally not used directly for packet forwarding in modern router architectures; instead, they are used to generate the information for a smaller forwarding table which contains only the routes which are chosen by the routing algorithm as preferred routes for packet forwarding, often in a compressed or pre-compiled format that is optimized for hardware storage and lookup. The remainder of this chapter will ignore this implementation detail, and refer to the entire routing/forwarding information subsystem as the "routing table".

Basics
A routing table utilizes the same idea that one does when using a map in package delivery. Whenever a node needs to send data to another node on a network, it must know where to send it, first. If the node cannot directly connect to the destination node, it has to send it via other nodes along a proper route to the destination node. Most nodes do not try to figure out which route(s) might work; instead, a node will send an IP packet to a gateway in the LAN, which then decides how to route the "package" of data to the correct destination. Each gateway will need to keep track of which way to deliver various packages of data, and for this it uses a Routing Table. A routing table is a database which keeps track of paths, like a map, and allows the gateway to provide this information to the node requesting the information. With hop-by-hop routing, each routing table lists, for all reachable destinations, the address of the next device along the path to that destination; the next hop. Assuming that the routing tables are consistent, the simple algorithm of relaying packets to their destination's next hop thus suffices to deliver data anywhere in a network. Hop-by-hop is the fundamental characteristic of the IP Internetwork layer and the OSI Network Layer, in contrast to the functions of the IP End-to-End and OSI Transport Layers. Current router architecture separates the Control Plane function of the routing table from the Forwarding Plane function of the forwarding table.

Difficulties with routing tables


The need to record routes to large numbers of devices using limited storage space represents a major challenge in routing table construction. In the Internet, the currently dominant address aggregation technology is a bitwise prefix matching scheme called Classless Inter-Domain Routing (CIDR).

Since in a network each node presumably possesses a valid routing table, routing tables must be consistent among the various nodes or routing loops can develop. This is particularly problematic in the hop-by-hop routing model, in which the net effect of inconsistent tables in several different routers could be to forward packets in an endless loop. Routing loops have historically plagued routing, and their avoidance is a major design goal of routing protocols.

Contents of routing tables


The routing table consists of at least three information fields:
- Network id: the destination network id.
- Cost: the cost or metric of the path through which the packet is to be sent.
- Next hop: the next hop, or gateway, is the address of the next station to which the packet is to be sent on the way to its final destination.
Depending on the application and implementation, it can also contain additional values that refine path selection:
- Quality of service associated with the route. For example, the U flag indicates that an IP route is up.
- Links to filtering criteria/access lists associated with the route.
- Interface: such as eth0 for the first Ethernet card, eth1 for the second Ethernet card, etc.
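The fields just listed, the CIDR longest-prefix lookup mentioned under "Difficulties with routing tables", and the hop-by-hop relay whose failure mode is a routing loop, put together in one small simulation. This is an added example rather than code from the report; the two router tables, the addresses and the `owner` map (which next-hop address belongs to which router) are all constructed for illustration.

```python
"""Hop-by-hop forwarding over routing tables built from the fields listed
above: destination network, cost (metric), next hop and interface.
Added example; every table entry below is constructed, not from a real router."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def ip_int(addr: str) -> int:
    """Dotted-decimal to 32-bit integer; bytes() rejects octets outside 0..255."""
    return int.from_bytes(bytes(map(int, addr.split("."))), "big")


def prefix_mask(prefix_len: int) -> int:
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


@dataclass(frozen=True)
class Route:
    network: str      # destination network id, e.g. "10.1.0.0"
    prefix_len: int   # CIDR prefix length (the bitwise prefix scheme above)
    metric: int       # cost of the path
    next_hop: str     # gateway address; "0.0.0.0" marks a directly connected network
    interface: str    # outgoing interface, e.g. "eth0"

    def matches(self, dst: int) -> bool:
        mask = prefix_mask(self.prefix_len)
        return dst & mask == ip_int(self.network) & mask


def lookup(table: List[Route], dst_addr: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching route wins;
    equal prefix lengths are decided by the lowest metric."""
    dst = ip_int(dst_addr)
    candidates = [r for r in table if r.matches(dst)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix_len, -r.metric))


def trace(tables: Dict[str, List[Route]], owner: Dict[str, str],
          start: str, dst_addr: str, max_hops: int = 16) -> Tuple[List[str], str]:
    """Relay a packet router by router, each consulting only its own table.
    `owner` maps a next-hop address to the router holding it. Returns the
    routers visited and 'delivered', 'no route' or 'loop' (inconsistent tables)."""
    path = [start]
    router = start
    while len(path) <= max_hops:
        route = lookup(tables[router], dst_addr)
        if route is None:
            return path, "no route"
        if route.next_hop == "0.0.0.0":
            return path, "delivered"   # destination is on a connected network
        nxt = owner[route.next_hop]
        if nxt in path:
            return path + [nxt], "loop"
        path.append(nxt)
        router = nxt
    return path, "loop"


# Constructed tables for two routers, R1 and R2, joined by 192.168.2.0/24.
R1_TABLE = [
    Route("0.0.0.0", 0, 10, "192.168.2.2", "eth0"),      # default route via R2
    Route("192.168.2.0", 24, 0, "0.0.0.0", "eth0"),      # directly connected
    Route("10.0.0.0", 8, 20, "192.168.2.2", "eth0"),
    Route("10.1.0.0", 16, 15, "192.168.2.2", "eth0"),    # more specific than /8
    Route("10.1.0.0", 16, 5, "192.168.2.2", "eth1"),     # same prefix, lower metric
]
R2_TABLE = [
    Route("192.168.2.0", 24, 0, "0.0.0.0", "eth0"),
    Route("10.1.0.0", 16, 0, "0.0.0.0", "eth1"),         # directly connected
    Route("10.2.0.0", 16, 5, "192.168.2.1", "eth0"),     # stale: points back at R1
]
OWNER = {"192.168.2.1": "R1", "192.168.2.2": "R2"}
TABLES = {"R1": R1_TABLE, "R2": R2_TABLE}

if __name__ == "__main__":
    print(lookup(R1_TABLE, "10.1.7.7"))
    print(trace(TABLES, OWNER, "R1", "10.1.7.7"))   # delivered via R2
    print(trace(TABLES, OWNER, "R1", "10.2.0.9"))   # R1 -> R2 -> R1: loop
```

The stale entry in `R2_TABLE` is the inconsistency the chapter warns about: each router's table is individually plausible, yet the hop-by-hop relay bounces the packet between them until the hop limit runs out.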

CHAPTER 7
SWITCHES


Function
The network switch plays an integral part in most modern Ethernet local area networks (LANs). Mid-to-large sized LANs contain a number of linked managed switches. Small office/home office (SOHO) applications typically use a single switch, or an all-purpose converged device such as a gateway to access small office/home broadband services such as DSL or cable internet. In most of these cases, the end-user device contains a router and components that interface to the particular physical broadband technology. User devices may also include a telephone interface for VoIP. An Ethernet switch operates at the data link layer of the OSI model to create a separate collision domain for each switch port. With 4 computers (e.g., A, B, C, and D) on 4 switch ports, A and B can transfer data back and forth, while C and D also do so simultaneously, and the two conversations will not interfere with one another. In the case of a hub, they would all share the bandwidth and run in half duplex, resulting in collisions, which would then necessitate retransmissions. Using a switch in this way is called microsegmentation. This allows computers to have dedicated bandwidth on a point-to-point connection to the network and to therefore run in full duplex without collisions.

Role of switches in networks


Switches may operate at one or more layers of the OSI model, including data link, network, or transport (i.e., end-to-end). A device that operates simultaneously at more than one of these layers is known as a multilayer switch. In switches intended for commercial use, built-in or modular interfaces make it possible to connect different types of networks, including Ethernet, Fibre Channel, ATM, ITU-T G.hn and 802.11. This connectivity can be at any of the layers mentioned. While Layer 2 functionality is adequate for bandwidth-shifting within one technology, interconnecting technologies such as Ethernet and token ring are easier at Layer 3.

Interconnection of different Layer 3 networks is done by routers. If there are any features that characterize "Layer-3 switches" as opposed to general-purpose routers, it tends to be that they are optimized, in larger switches, for high-density Ethernet connectivity. In some service provider and other environments where there is a need for a great deal of analysis of network performance and security, switches may be connected between WAN routers as places for analytic modules. Some vendors provide firewall, network intrusion detection, and performance analysis modules that can plug into switch ports. Some of these functions may be on combined modules. In other cases, the switch is used to create a mirror image of data that can go to an external device. Since most switch port mirroring provides only one mirrored stream, network hubs can be useful for fanning out data to several read-only analyzers, such as intrusion detection systems and packet sniffers.

Figure: A Switched Network

Basic functions performed by a switch:
- Address learning
- Forwarding based on the learned addresses

CHAPTER 8
STP
STP is a bridge-to-bridge protocol used to maintain a loop-free network.

To maintain a loop-free network topology, STP establishes a root bridge, a root port, and designated ports.

With STP, the root bridge has the lowest BID, which is made up of the bridge priority and the MAC address. When STP is enabled, every bridge in the network goes through the blocking state and the transitory states of listening and learning at power up. If properly configured, the ports then stabilize to the forwarding or blocking state. If the network topology changes, STP maintains connectivity by transitioning some blocked ports to the forwarding state. RSTP significantly speeds the recalculation of the spanning tree when the network topology changes.

STP provides a loop-free redundant network topology by placing certain ports in the blocking state:
- One root bridge per broadcast domain
- One root port per non-root bridge
- One designated port per segment
- Non-designated ports are unused

Spanning Tree Protocol Root Bridge Selection


- BPDU (default = sent every two seconds)
- Root bridge = bridge with the lowest bridge ID
Spanning tree transits each port through several different states:

Spanning Tree Convergence


Convergence occurs when all the switch and bridge ports have transitioned to either the forwarding or the blocking state. When the network topology changes, switches and bridges must recompute STP, which disrupts user traffic.
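The root bridge election (lowest BID, made up of priority and MAC address), the one root port per non-root bridge, the one designated port per segment and the blocked remainder, computed for a small topology. This is an added example and not code from the report; the three switches, their priorities and MAC addresses, the port names and the link costs are constructed, and the tie-break uses only the upstream bridge's BID (the real protocol also compares sender port ids).

```python
"""Spanning-tree root bridge election, root ports, designated ports and
blocked ports on a small constructed switch topology. Added example, not from
the original report; bridge priorities, MACs and port costs are made up."""
import heapq
from typing import Dict, List, Tuple

Bridge = Tuple[int, str]                   # (priority, MAC address)
Link = Tuple[str, str, str, str, int]      # (bridge_a, port_a, bridge_b, port_b, cost)


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """BID orders by priority first, then by MAC address; the lowest wins."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges: Dict[str, Bridge]) -> str:
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(root: str, bridges: Dict[str, Bridge], links: List[Link]):
    """Dijkstra outward from the root: the lowest cumulative cost by which each
    bridge reaches the root, and the port that cost arrives on (its root port).
    Equal costs are settled by the lower BID of the upstream bridge; the
    sender port-id tie-break of the real protocol is omitted here."""
    adj: Dict[str, list] = {}
    for a, pa, b, pb, cost in links:
        adj.setdefault(a, []).append((b, cost, pb))   # pb: port on b facing a
        adj.setdefault(b, []).append((a, cost, pa))
    dist = {root: 0}
    parent: Dict[str, str] = {}
    root_port: Dict[str, str] = {}
    heap = [(0, bridge_id(*bridges[root]), root)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost, port_on_v in adj.get(u, []):
            if v == root:
                continue
            nd = d + cost
            if nd < dist.get(v, float("inf")) or (
                nd == dist[v] and bridge_id(*bridges[u]) < bridge_id(*bridges[parent[v]])
            ):
                dist[v], parent[v], root_port[v] = nd, u, port_on_v
                heapq.heappush(heap, (nd, bridge_id(*bridges[v]), v))
    return dist, root_port


def port_roles(bridges: Dict[str, Bridge], links: List[Link]):
    """Give every port a role: root, designated or blocked."""
    root = elect_root(bridges)
    dist, root_port = root_path_costs(root, bridges, links)
    roles = {(b, p): "root" for b, p in root_port.items()}
    for a, pa, b, pb, _ in links:
        # The designated port on a segment belongs to the bridge with the lower
        # root path cost; equal costs are settled by the lower BID.
        key_a = (dist.get(a, float("inf")), bridge_id(*bridges[a]))
        key_b = (dist.get(b, float("inf")), bridge_id(*bridges[b]))
        designated, other = ((a, pa), (b, pb)) if key_a <= key_b else ((b, pb), (a, pa))
        roles.setdefault(designated, "designated")
        roles.setdefault(other, "blocked")   # a root port keeps its role
    return root, roles


# Constructed triangle of switches: S1 has the lowest priority, so it wins the
# election; S2 and S3 both reach it at cost 19, and the S2-S3 link is redundant.
BRIDGES = {
    "S1": (4096, "00:00:00:00:00:01"),
    "S2": (32768, "00:00:00:00:00:02"),
    "S3": (32768, "00:00:00:00:00:03"),
}
LINKS = [
    ("S1", "Fa0/1", "S2", "Fa0/1", 19),
    ("S1", "Fa0/2", "S3", "Fa0/1", 19),
    ("S2", "Fa0/2", "S3", "Fa0/2", 19),
]

if __name__ == "__main__":
    root, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role}")
```

On the redundant S2-S3 segment both ends have the same root path cost, so the lower BID (S2) takes the designated port and S3's Fa0/2 goes to blocking, which is the single blocked port that makes this triangle loop-free.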

CHAPTER 9


VLAN
A virtual local area network, virtual LAN or VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical local area network (LAN), but it allows for end stations to be grouped together even if they are not located on the same network switch. LAN membership can be configured through software instead of physically relocating devices or connections. To physically replicate the functions of a VLAN, it would be necessary to install a separate, parallel collection of network cables and equipment which are kept separate from the primary network. However, unlike a physically separate network, VLANs must share bandwidth; two separate one-gigabit VLANs using a single one-gigabit interconnection can suffer both reduced throughput and congestion. A switch virtualizes the VLAN behaviours: configuring switch ports, tagging frames when they enter the VLAN, looking up the MAC table to switch or flood frames to trunk links, and untagging frames when they exit the VLAN.

Uses
VLANs are created to provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address issues such as scalability, security, and network management. Routers in VLAN topologies provide broadcast filtering, security, address summarization, and traffic flow management. By definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain. This is also useful if someone wants to create multiple layer 3 networks on the same layer 2 switch. For example, if a DHCP server is plugged into a switch it will serve any host on that switch that is configured to get its IP from a DHCP server. By using VLANs you can easily split the network up so some hosts won't use that DHCP server and will obtain link-local addresses, or obtain an address from a different DHCP server. VLANs are layer 2 constructs, compared with IP subnets which are layer 3 constructs. In an environment employing VLANs, a one-to-one relationship often exists between VLANs and IP subnets, although it is possible to have multiple subnets on one VLAN. VLANs and IP subnets provide independent Layer 2 and Layer 3 constructs that map to one another and this correspondence is useful during the network design process. By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration.
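The frame-level side of two passages above: the ARP request that resolves an IP address to a MAC address (Chapter 4), and the tagging on entry to a VLAN and untagging on exit that a switch performs (the paragraph opening this chapter). This is an added example, not code from the report; the MAC and IP addresses, the VLAN id 20 and the priority value are constructed, and the byte layouts follow the Ethernet II, IEEE 802.1Q and ARP formats.

```python
"""Ethernet II frame handling with the 802.1Q VLAN tag and the ARP request
carried inside it: build, tag on entry to a VLAN, untag on exit, and parse.
Added example; all frame bytes are constructed, not captured from a network."""
import struct
from typing import Dict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100       # TPID announcing an 802.1Q tag
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Untagged broadcast ARP request: 'who has target_ip? tell sender_ip'."""
    header = struct.pack("!6s6sH", BROADCAST, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, ETHERTYPE_IPV4, 6, 4, 1,
                      sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return header + arp


def tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a trunk port does when a
    frame enters a VLAN. TCI = 3-bit priority, 1-bit DEI (0), 12-bit VLAN id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    tci = (priority & 0x7) << 13 | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def untag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag when the frame leaves the VLAN through an access port."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_VLAN:
        return frame[:12] + frame[16:]
    return frame


def parse_arp(payload: bytes) -> Dict[str, object]:
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the Ethernet header, an optional VLAN tag and an ARP payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, priority = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority, vlan_id, offset = tci >> 13, tci & 0x0FFF, 18
    info = {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan_id,
            "priority": priority, "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP:
        info["arp"] = parse_arp(frame[offset:])
    return info


if __name__ == "__main__":
    # Constructed addresses: host 192.168.1.10 asks for the MAC of 192.168.1.1.
    req = build_arp_request(bytes.fromhex("001122334455"),
                            bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    print(parse_frame(req))
    print(parse_frame(tag(req, 20)))
```

Note the order of operations in `parse_frame`: the EtherType field is read first, and only if it is the 802.1Q TPID does the parser step over the four-byte tag before reading the real EtherType. A decoder that assumes an untagged frame reads the TCI as the EtherType and misclassifies every tagged frame.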

Establishing VLAN memberships


The two common approaches to assigning VLAN membership are as follows:
- Static VLANs
- Dynamic VLANs
Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are created by assigning ports to a VLAN. As a device enters the network, the device automatically assumes the VLAN of the port. If the user changes ports and needs access to the same VLAN, the network administrator must manually make a port-to-VLAN assignment for the new connection.


Dynamic VLANs are created through the use of software. With a VLAN Management Policy Server (VMPS), an administrator can assign switch ports to VLANs dynamically based on information such as the source MAC address of the device connected to the port or the username used to log onto that device. As a device enters the network, the device queries a database for VLAN membership.

Cisco VLAN Trunking Protocol (VTP)


On Cisco devices, VTP (VLAN Trunking Protocol) maintains VLAN configuration consistency across the entire network. VTP uses Layer 2 trunk frames to manage the addition, deletion, and renaming of VLANs on a network-wide basis from a centralized switch in VTP server mode. VTP is responsible for synchronizing VLAN information within a VTP domain and reduces the need to configure the same VLAN information on each switch. VTP minimizes the possible configuration inconsistencies that arise when changes are made. These inconsistencies can result in security violations, because VLANs can cross-connect when duplicate names are used. They also could become internally disconnected when they are mapped from one LAN type to another, for example, Ethernet to ATM LANE ELANs or FDDI 802.10 VLANs. VTP provides a mapping scheme that enables seamless trunking within a network employing mixed-media technologies. VTP provides the following benefits:
- VLAN configuration consistency across the network
- Mapping scheme that allows a VLAN to be trunked over mixed media
- Accurate tracking and monitoring of VLANs
- Dynamic reporting of added VLANs across the network
- Plug-and-play configuration when adding new VLANs
As beneficial as VTP can be, it does have disadvantages that are normally related to the spanning tree protocol (STP), as a bridging loop propagating throughout the network can occur. Cisco switches run an instance of STP for each VLAN, and since VTP propagates VLANs across the campus LAN, VTP effectively creates more opportunities for a bridging loop to occur. Before creating VLANs on the switch that will be propagated via VTP, a VTP domain must first be set up. A VTP domain for a network is a set of all contiguously trunked switches with the same VTP domain name. All switches in the same management domain share their VLAN information with each other, and a switch can participate in only one VTP management domain. Switches in different domains do not share VTP information.
Using VTP, each Catalyst Family Switch advertises the following on its trunk ports:

CHAPTER 10
ACCESS-LISTS

Standard Access Control Lists (ACLs) are Cisco IOS commands used to filter packets on Cisco routers based on the source IP address of the packet. Extended Access Control Lists can filter packets based on both source and destination IP addresses.

Numbered Standard Access Control Lists


Numbers between 1 and 99 or 1300 and 1999 can be used for a Standard ACL, or it can be named explicitly with 'ip access-list standard name'. The number used in this range doesn't affect how the ACL is processed or which ACL is more important to the router. A standard ACL is concerned with only one factor, the source IP address of the packet. The destination is not considered. The number takes the place of a name you might give to a specific rule. The number in no way corresponds to a list of pre-defined ACLs.

Named Standard Access Control Lists


The difference between Named and Numbered ACLs is that a name, not a number, is associated with a named ACL. Names are easier to remember than numbers. Either way, the name of an ACL is given as either a number or a name.

Access List Rules


Regardless of the type of access list you create, standard or extended, you must follow certain rules. For instance, you must create and apply access lists sequentially and must remember that they end with an implicit deny.

Router_A(config)#access-list 1 deny 172.16.5.2 0.0.0.0
Router_A(config)#access-list 1 deny 172.16.5.3 0.0.0.0
Router_A(config)#access-list 1 permit any

The previous example is a standard IP access list that denies the hosts 172.16.5.2 and 172.16.5.3, while allowing all other traffic. The list is applied sequentially from the top down as the router checks the packets arriving at the interface where this access list is applied, in order to check if the packets match the permit and deny statements. In the process of applying the access list, the router first checks an arriving packet to determine if it matches the deny 172.16.5.2 0.0.0.0 statement. If it does, the router discards the packet. If it does not, the router applies the second statement, deny 172.16.5.3 0.0.0.0. If the packet matches the second statement, the router discards the packet. Once again, if the packet does not meet the rules of the first two lines, the router applies the final permit any statement, and the packet is forwarded through the interface.

If you wish to remove an access-list, you use the no access-list (list #) command. For example, to remove the above list, you enter global configuration mode and type the no access-list command. The information below shows the correct procedure for typing this command.

Creating Numbered Standard Access Control Lists


From Global Configuration mode, type in:
access-list [access-list-number] [deny/permit] [source-ip-address] [wildcard-mask]
interface [interface-number]
ip access-group [number of list] in/out

Example:
access-list 5 permit 11.0.3.0 0.0.0.255
access-list 5 permit 10.0.5.0 0.0.0.255
int fa0/0
ip access-group 5 in

The above example permits traffic from two specific networks. Note that the access-list must be defined, and assigned to an interface. An access-list by itself (not assigned to an interface) doesn't do anything at all. "in" or "out" refer to the traffic into, or out of, the router that is being configured.

Creating Named Standard Access Control Lists


From Global configuration mode type:
ip access-list standard [name]
deny [source ip or keyword any] [wildcard mask or keyword any]
OR
permit [source ip or keyword any] [wildcard mask or keyword any]

Problems with Access Lists


I. One of the most common problems associated with access lists is a lack of planning. Before you even begin the process of creating access lists on your router, you must plan exactly what needs to be filtered and where it needs to be filtered.
II. Another troublesome area is the sequential nature in which you must enter the lists into the router. You cannot remove individual statements once they are entered. When making changes, you must remove the list, using the no access-list command, and then retype the commands.
III. Finally, many new network administrators find themselves in trouble when they Telnet into a router and begin applying an access list. An access list begins to work the second it's applied to an interface. It's very possible that many new administrators will find themselves inadvertently blocked from the same router on which they're applying the access list.
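To make the top-down, first-match, implicit-deny behaviour described under "Access List Rules" and the wildcard-mask matching of the numbered example concrete, the following Python model evaluates standard ACL statements the way the text describes. It is an added example, not Cisco code and not part of this report; the two lists ACL_1 and ACL_5 are built from the statements quoted above, the host 10.0.6.1 used for the lock-out check is constructed, and would_lock_out is a hypothetical helper that applies the third "Problems with Access Lists" point before an ACL is applied inbound on the interface a router is managed through.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    network: int    # source address from the statement, as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "don't care" for that bit position


def parse_entry(line: str) -> AclEntry:
    """Parse one numbered standard ACL statement, e.g.
    'access-list 1 deny 172.16.5.2 0.0.0.0' or 'access-list 1 permit any'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "access-list":
        raise ValueError(f"not a standard access-list statement: {line!r}")
    action = parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    if parts[3] == "any":                       # 'any' is 0.0.0.0 255.255.255.255
        return AclEntry(action, 0, 0xFFFFFFFF)
    network = int(ipaddress.IPv4Address(parts[3]))
    # a missing wildcard is treated as 0.0.0.0, i.e. a single-host match
    wildcard = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
    return AclEntry(action, network, wildcard)


def matches(entry: AclEntry, src: int) -> bool:
    """A packet matches when every bit the wildcard marks as significant (0)
    is identical in the packet's source address and in the statement's address."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (src & care) == (entry.network & care)


def evaluate(acl: List[AclEntry], src_ip: str) -> str:
    """Walk the list top-down; the first matching statement decides.
    Falling off the end hits the implicit deny every ACL ends with."""
    src = int(ipaddress.IPv4Address(src_ip))
    for entry in acl:
        if matches(entry, src):
            return entry.action
    return "deny"


def would_lock_out(acl: List[AclEntry], admin_ip: str) -> bool:
    """Hypothetical pre-flight check: before applying an inbound ACL to the
    interface you manage the router through, ask whether your own
    management host would be denied by it."""
    return evaluate(acl, admin_ip) == "deny"


# The two lists from the text above, reconstructed from the quoted statements.
ACL_1 = [parse_entry(s) for s in (
    "access-list 1 deny 172.16.5.2 0.0.0.0",
    "access-list 1 deny 172.16.5.3 0.0.0.0",
    "access-list 1 permit any",
)]
ACL_5 = [parse_entry(s) for s in (
    "access-list 5 permit 11.0.3.0 0.0.0.255",
    "access-list 5 permit 10.0.5.0 0.0.0.255",
)]

if __name__ == "__main__":
    for ip in ("172.16.5.2", "172.16.5.3", "172.16.5.4"):
        print(f"ACL 1, source {ip}: {evaluate(ACL_1, ip)}")
    for ip in ("11.0.3.77", "10.0.5.1", "10.0.6.1"):
        print(f"ACL 5, source {ip}: {evaluate(ACL_5, ip)}")
    # 10.0.6.1 is a constructed management host; ACL 5 has no permit for it,
    # so applying ACL 5 inbound on the management interface would cut it off.
    print("ACL 5 locks out 10.0.6.1:", would_lock_out(ACL_5, "10.0.6.1"))
```

Note that ACL 5 contains no permit any, so every source outside the two listed networks, including an administrator's own host, falls through to the implicit deny; that is exactly the situation the third point above warns about.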

CHAPTER 11
Network address translation
In computer networking, network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

The simplest type of NAT provides a one to one translation of IP addresses. RFC 2663 refers to this type of NAT as basic NAT. It is often also referred to as one-to-one NAT. In this type of NAT only the IP addresses, IP header checksum and any higher level checksums that include the IP address need to be changed. The rest of the packet can be left untouched (at least for basic TCP/UDP functionality, some higher level protocols may need further translation). Basic NATs can be used when there is a requirement to interconnect two IP networks with incompatible addressing.

However it is common to hide an entire IP address space, usually consisting of private IP addresses, behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must alter higher level information such as TCP/UDP ports in outgoing communications and must maintain a translation table so that return packets can be correctly translated back. Other names include PAT (port address translation), IP masquerading, NAT Overload and many-to-one NAT. Since this is the most common type of NAT it is often referred to simply as NAT.

As described, the method enables communication through the router only when the conversation originates in the masqueraded network, since this establishes the translation tables. For example, a web browser in the masqueraded network can browse a website outside, but a web browser outside could not browse a web site in the masqueraded network. However, most NAT devices today allow the network administrator to configure translation table entries for permanent use. This feature is often referred to as "static NAT" or port forwarding and allows traffic originating in the "outside" network to reach designated hosts in the masqueraded network.

In the mid-1990s NAT became a popular tool for alleviating the consequences of IPv4 address exhaustion.
It has become a standard, indispensable feature in routers for home and small-office Internet connections. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address. Network address translation has serious drawbacks on the quality of Internet connectivity and requires careful attention to the details of its implementation. In particular, all types of NAT break the originally envisioned model of IP end-to-end connectivity across the Internet, and NAPT makes it difficult for systems behind a NAT to accept incoming communications. As a result, NAT traversal methods have been devised to alleviate the issues encountered.


Visibility of Operation
NAT operation is typically transparent to both the internal and external hosts. Typically the internal host is aware of the true IP address and TCP or UDP port of the external host. Typically the NAT device may function as the default gateway for the internal host. However the external host is only aware of the public IP address for the NAT device and the particular port being used to communicate on behalf of a specific internal host.

NAT and TCP/UDP


"Pure NAT", operating on IP alone, may or may not correctly parse protocols that are totally concerned with IP information, such as ICMP, depending on whether the payload is interpreted by a host on the "inside" or "outside" of translation. As soon as the protocol stack is traversed, even with such basic protocols as TCP and UDP, the protocols will break unless NAT takes action beyond the network layer.

IP packets have a checksum in each packet header, which provides error detection only for the header. IP datagrams may become fragmented, and it is necessary for a NAT to reassemble these fragments to allow correct recalculation of higher-level checksums and correct tracking of which packets belong to which connection.

The major transport layer protocols, TCP and UDP, have a checksum that covers all the data they carry, as well as the TCP/UDP header, plus a "pseudo-header" that contains the source and destination IP addresses of the packet carrying the TCP/UDP header. For an originating NAT to pass TCP or UDP successfully, it must recompute the TCP/UDP header checksum based on the translated IP addresses, not the original ones, and put that checksum into the TCP/UDP header of the first packet of the fragmented set of packets. The receiving NAT must recompute the IP checksum on every packet it passes to the destination host, and also recognize and recompute the TCP/UDP header checksum using the retranslated addresses and pseudo-header. This is not a completely solved problem. One solution is for the receiving NAT to reassemble the entire segment and then recompute a checksum calculated across all packets.

The originating host may perform Maximum transmission unit (MTU) path discovery to determine the packet size that can be transmitted without fragmentation, and then set the don't fragment (DF) bit in the appropriate packet header field.
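The pseudo-header argument above is easiest to see by computing the checksum. The Python below, an added example rather than anything from the report or from Cisco IOS, builds a UDP segment (RFC 768), verifies it the way a receiver does, and then shows what an originating NAT must do when it rewrites the source address and port: the untouched checksum no longer validates against the translated pseudo-header, so the NAT recomputes it. The addresses (inside host 192.168.1.10, public address 203.0.113.5, outside server 198.51.100.7), ports and payload are constructed for the example, and nat_translate_udp is a hypothetical helper, not a real NAT implementation.

```python
import struct
import ipaddress

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                     # an odd-length buffer is padded with one zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, UDP length.
    It is never transmitted, but it is covered by the transport checksum,
    which is why a NAT that rewrites an address must touch that checksum."""
    return struct.pack("!4s4sBBH",
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed,
                       0, UDP_PROTO, udp_len)


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 768: ones-complement of the sum over pseudo-header + header (checksum zeroed) + data."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF
    return csum or 0xFFFF                   # in UDP a zero field means "no checksum", so send 0xFFFF


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP segment (8-byte header + payload) with a correct checksum."""
    length = 8 + len(payload)
    segment = struct.pack("!HHHH", sport, dport, length, 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver's check: the sum over pseudo-header + the segment as received
    (checksum field included) must come out as all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def nat_translate_udp(segment: bytes, new_src_ip: str, dst_ip: str, new_sport: int = None) -> bytes:
    """Hypothetical originating-NAT step for a UDP segment whose source address
    (and, for NAPT, source port) is rewritten: rebuild the header with the new
    values and recompute the checksum against the translated pseudo-header."""
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    if new_sport is not None:
        sport = new_sport
    rebuilt = struct.pack("!HHHH", sport, dport, length, 0) + segment[8:]
    return rebuilt[:6] + struct.pack("!H", udp_checksum(new_src_ip, dst_ip, rebuilt)) + rebuilt[8:]


if __name__ == "__main__":
    inside, public, outside = "192.168.1.10", "203.0.113.5", "198.51.100.7"   # constructed
    seg = build_udp(inside, outside, 51000, 53, b"constructed payload")
    print("valid at origin:", verify_udp(inside, outside, seg))
    # address rewritten but checksum left alone: the far end's check fails
    print("valid after naive rewrite:", verify_udp(public, outside, seg))
    fixed = nat_translate_udp(seg, public, outside, 40000)
    print("valid after NAT recompute:", verify_udp(public, outside, fixed))
```

The same recomputation applies to TCP (protocol 6, with its own header layout); UDP is used here only because its header is the shorter of the two.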

Configuring Static Translation


Router(config)# ip nat inside source static local-ip global-ip
Establishes static translation between an inside local address and an inside global address
Router(config-if)# ip nat inside
Marks the interface as connected to the inside
Router(config-if)# ip nat outside
Marks the interface as connected to the outside
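The one-to-many NAT described at the start of this chapter (outbound traffic creates translation-table entries, unsolicited inbound traffic has no entry and is dropped) and the permanent entries that the static translation command above creates can both be modelled in a few lines. The Python below is an added example, not the router's implementation and not part of the report: Napt is a toy table that keys mappings on the inside address and port only, ignores the transport protocol and never times entries out, all of which are simplifications assumed for the example. The addresses and ports (inside hosts 192.168.1.10 and 192.168.1.20, public address 203.0.113.5, outside hosts 198.51.100.7 and 198.51.100.9) are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Toy one-to-many NAT (PAT / NAT overload). Every inside host shares one
    public address; the port on the public side tells return traffic apart.
    Assumed simplifications: one transport protocol, mappings keyed on the
    inside endpoint only, no entry timeouts."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map: Dict[Endpoint, int] = {}   # (inside ip, port) -> public port
        self.inbound_map: Dict[int, Endpoint] = {}    # public port -> (inside ip, port)
        self.static_ports: Set[int] = set()

    def add_static(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Permanent table entry ("static NAT" / port forwarding): lets a
        conversation that starts on the outside reach a chosen inside host.
        This is the table-entry effect of 'ip nat inside source static'."""
        self.inbound_map[public_port] = (inside_ip, inside_port)
        self.outbound_map[(inside_ip, inside_port)] = public_port
        self.static_ports.add(public_port)

    def _allocate_port(self) -> int:
        """Next unused public-side port; skips ports taken by static entries."""
        while self.next_port in self.inbound_map:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create (or reuse) a mapping and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port)
        port = self.outbound_map.get(key)
        if port is None:
            port = self._allocate_port()
            self.outbound_map[key] = port
            self.inbound_map[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only packets that hit a table entry get through;
        anything else has no translation state and is dropped (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound_map.get(pkt.dst_port)
        if target is None:
            return None
        inside_ip, inside_port = target
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

    def dynamic_entries(self) -> int:
        """Number of entries created by outbound traffic (excludes static ones)."""
        return len(self.inbound_map) - len(self.static_ports)


if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    print("leaves as", out)
    print("reply maps to", nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port)))
    print("unsolicited inbound:", nat.inbound(Packet("198.51.100.9", 1234, "203.0.113.5", 80)))
    nat.add_static(8080, "192.168.1.20", 80)
    print("port-forwarded:", nat.inbound(Packet("198.51.100.9", 1234, "203.0.113.5", 8080)))
```

The inbound method is the defensive point of the model: with no static entry, an outside host gets nothing through to an inside address, which is the "web browser outside could not browse a web site in the masqueraded network" case described earlier, and each static entry deliberately opens exactly one such path.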

Enabling Static NAT: Address Mapping Example


Configuring Dynamic Translation

EXAMPLE:



BIBLIOGRAPHY

Books:
CCNA 6th Edition (Todd Lammle)
Network Security Fundamentals

Sites:
www.google.com
