Вы находитесь на странице: 1из 149


Courseware Director: Tom Nguyen

Courseware Developers: Chris Jones, and Tom Nguyen


This courseware is copyrighted: © ETEC, LLC. January 2001. No part of this manual may
be copied, photocopied or reproduced in any form or by any means without the permission
in writing from ETEC, LLC. Violation of these laws will lead to prosecution. All trademarks,
service marks, products or services are trademarks or registered trademarks of their
respective holders and are acknowledged by the authors.


Every effort has been made to ensure complete and accurate information concerning the
material presented in this manual. However, ETEC, LLC. cannot be held legally responsible
for any mistakes in printing or faulty instructions contained within this manual. The
authors appreciate receiving notice of any errors or misprints.

Information in this manual is subject to change without notice.

This courseware and all materials supplied for training are designed to familiarize the user
with the operation of software programs. We urge the user to review the manuals
provided by the software publisher regarding specific questions as to the operation of the

There are no warranties, expressed or implied, including warranties of merchantability or

fitness for a particular purpose, made with respect to the materials or any information
provided to the user herein. Neither the author nor publisher shall be liable for any direct,
indirect, special, incidental or consequential damages arising out of the use or inability to
use the contents of this manual.


This courseware is owned and distributed by ETEC, LLC. The Professional Choice of
accelerated training. For sales inquiries, email, telephone, fax or write to:

Email: sales@etecenter.com
Phone: 800-798-3832
Fax: 281-537-8558
Address: ETEC, 3920 Cypress Creek Pkwy, Suite 280 Houston, TX 77068
Table of Contents
100-101 ICND1 CCENT EXAM Information ................................................................... 5

Chapter 1 - Networking Concepts ................................................................................. 6

OSI Reference Model .....................................................................................................6
OSI vs. the TCP/IP or DoD Model ........................................................................... 12
Data Encapsulation ...................................................................................................... 12
LAN Technology ........................................................................................................... 14
Network Segmentation ............................................................................................ 15
Physical Transmission Media ....................................................................................... 18
Ethernet Network .................................................................................................... 22
10Base2 .................................................................................................................. 24
10Base5 .................................................................................................................. 24
Ethernet over twisted pair........................................................................................ 26
Fiber Optic............................................................................................................... 28
Network Communication Devices ........................................................................... 30
Topologies .................................................................................................................... 35

Chapter 2 - TCP/IP ........................................................................................................ 42

Transmission Control Protocol...................................................................................... 42
Flow Control ................................................................................................................. 43
User Datagram Protocol ............................................................................................... 44
TCP/IP network layer protocols .................................................................................... 44
Data delivering methodologies ..................................................................................... 47
IP Addressing Fundamental ......................................................................................... 49
Private IP Addresses .................................................................................................... 51
Data Link and Network Addressing .............................................................................. 51

Chapter 3 – Ipv4 and Subnetting................................................................................. 53

Subnetting Concept ...................................................................................................... 53
Troubleshooting TCP/IP ............................................................................................... 56

Chapter 4 - Network Devices and Cisco IOS .............................................................. 57

Boot Sequence ............................................................................................................. 57
Router Elements ........................................................................................................... 58
Configuration Register............................................................................................. 58
CISCO IOS ................................................................................................................... 60
IOS Router Modes .................................................................................................. 60
Managing Configuration Files.................................................................................. 62
Router Identification ................................................................................................ 63
Passwords............................................................................................................... 64
Interface Setup ........................................................................................................ 65
Banners ................................................................................................................... 67
System Message Logging ....................................................................................... 67
Other Services and utilities...................................................................................... 70

ETEC1999. All rights reserved
Rev 05/2014 Page 2
CDP .............................................................................................................................. 72
LLDP ............................................................................................................................ 73
Password Recovery ...................................................................................................... 74
Backup/Restore/Upgrade the Cisco IOS ...................................................................... 75

Chapter 5 - Layer 2 Switching ..................................................................................... 76

Basic Layer 2 Switching ............................................................................................... 76
LAN Switching .............................................................................................................. 77
Setting IP information .............................................................................................. 78

Chapter 6 - DHCP ......................................................................................................... 79

DHCP Address Assignment and Allocation Mechanisms ............................................. 79
DHCP Address Allocation Process ............................................................................... 81
Cisco DHCP Server ...................................................................................................... 82

Chapter 7 – Virtual LAN (VLAN) .................................................................................. 83

What is a LAN?............................................................................................................. 83
What is a VLAN? .......................................................................................................... 83
VLANs benefits ....................................................................................................... 83
Switch Ports.................................................................................................................. 84
Trunking Protocols........................................................................................................ 84
The 802.1Q ............................................................................................................. 85
Inter-Switch Link (ISL) ............................................................................................. 85
Dynamic Trunking Protocol (DTP) ................................................................................ 86

Chapter 8 - Port Security ............................................................................................. 88

Why Port Security ......................................................................................................... 88
Security Violations: ....................................................................................................... 89
Port Security with Sticky MAC Addresses ............................................................... 89

Chapter 9 - IP Routing.................................................................................................. 90
Static Routes ................................................................................................................ 91
Inter-VLAN Routing ...................................................................................................... 93
Configuring VLANs Routing (Router on a stick) ...................................................... 95
Dynamic Routing .......................................................................................................... 96
Distance Vector Concepts ............................................................................................ 97
Distance Vector Topology Changes ........................................................................ 97
Problems with Distance Vector ............................................................................... 98
Link State Concepts ..................................................................................................... 99
Differences between Distance Vector and Link State ................................................... 99
Problems with any Dynamic Routing Protocols ....................................................... 99
Administrative Distances ............................................................................................ 100
Routing Information Protocol (RIP) ............................................................................. 101
RIP Operational Overview, Advantages and Limitations ....................................... 102
RIP Route Determination and Information Propagation ........................................ 104
Problems with Distance Vector ............................................................................. 109

ETEC1999. All rights reserved
Rev 05/2014 Page 3
RIPv2 .......................................................................................................................... 112
Configuring RIPv2 ................................................................................................. 113
Dynamic Routing Protocol Enhancements ................................................................. 114
Passive-interface ................................................................................................... 114
Loopback Interface ................................................................................................ 114

Chapter 10 - Network Address Translation (NAT) ................................................... 115

Static NAT .................................................................................................................. 117
Dynamic NAT ............................................................................................................. 118
Overloading or Port Address Translation (PAT) ......................................................... 118
NAT Terminology ........................................................................................................ 121
NAT Configuration Commands ................................................................................... 123
NAT Example ............................................................................................................. 125
Static NAT ............................................................................................................. 125
Dynamic NAT ........................................................................................................ 127
Overload NAT or PAT (Port Address Translation) ................................................. 128
NAT at Small office/Home office (SoHo) Example ................................................ 129
Corporate NAT Example ....................................................................................... 130

Chapter 11 - Internet Protocol Version 6 .................................................................. 132

IPv6 Introduction......................................................................................................... 132
Simplified Presentation of IPv6 Address ............................................................... 133
Advanced Features ............................................................................................... 134
Specifying Sources ............................................................................................... 134
IPv6 Routing ............................................................................................................... 136
Static Routing ........................................................................................................ 136
RIPng for IPv6 ....................................................................................................... 137
Integrating IPv4 and IPv6 ........................................................................................... 137

Chapter 12 – Troubleshooting .................................................................................. 139

General Troubleshooting Guidelines ..................................................................... 139

Comprehensive Review ............................................................................................. 142

Case Study 1: Layer2 Resolving ............................................................................... 142
Case Study 2: A Packet Journey ............................................................................... 145

ETEC1999. All rights reserved
Rev 05/2014 Page 4
100-101 ICND1 CCENT EXAM Information

Exam Number: 100-101 ICND1 EXAM

Associated Certifications: ICND
Duration: 90 min (45-50 Questions)
Passing Score: 805 on a scale from 300-1000

Note that during the exam, you cannot return to a question once you have answered it.

Once you have obtained the CCENT certification, it is valid for three years.

Recertification requires you to either pass the current version of the CCENT exam, or
any exam in the Professional or Cisco Qualified Specialist series which have the exam
prefix of 200 or 642.

As of the latest exam revision, you can expect 3 CLI simulations on troubleshooting
and/or configuring, several drag and drop questions, and Testlet.

Daily Expectations (Lectures, Labs, and Exam Review are Monday – Friday).

Monday Chapter 1
Tuesday Chapter 2,3
Wednesday Chapter 4,5
Thursday Chapter 6
Friday Chapter 7
Friday Exam

ETEC1999. All rights reserved
Rev 05/2014 Page 5
Chapter 1 - Networking Concepts
OSI Reference Model
In the early years of computer era, there are no standards and protocols existed between
various manufacturers. As time went on and computer technology continued to improve
and become more widespread, it became apparent to all manufacturers that standards
must be implemented to ensure compatibility. This is even more so with regard to
networks, and networking technology. Since the main purpose of a network is to share
information, a standard that governs how this information is formatted, transmitted,
received and verified would make it possible for information to be shared openly,
especially when dealing with dissimilar networks.

The OSI (Open System Interconnection) model is developed by ISO in 1984 to provide a
reference model for the complex aspects related to network communication. It divides
the different functions and services provided by network hardware and software in 7
layers. By providing guidelines regarding the way network equipment should be
manufactured and how network operating systems communicate on a network, the OSI
model became the common link that allows data to be transmitted and exchanged

In this way, the OSI model provides a universal set of rules that make it possible for
various manufacturers and developers to create hardware and software that is
compatible with each other. This facilitates modular engineering, complex and scalable
network designing, isolating problems and allows vendors to focus on just the layer(s) in
which their hardware or software is implemented and be able to create products that are
compatible, standardized and interoperable.

The diagram below shows the 7 layers of the OSI Model; to remember them in the
correct order a common mnemonic is often used:

 All People Seem To Need Data Processing

 Please Do Not Throw Sauce Pizza Away.

ETEC1999. All rights reserved
Rev 05/2014 Page 6
The OSI has seven different layers, divided into two groups. The top three layers define
how the applications within the end stations will communicate with each other and with
users. The bottom four layers define how data is transmitted end-to-end.

The Application, Presentation and Session layer are known as the Upper Layer and are
implemented in software. The Transport and Network layer are mainly concerned with
protocols for delivery and routing of packets to a destination and are implemented in
software as well. The Data Link is implemented in hard- and software and the Physical
layer is implemented in hardware only, hence its name. These last two layers define LAN
and WAN specifications.

A more detailed description of each layer follows below, but here's what basically
happens when data passes from Host A to Host B:

1. The Application, Presentation and

Session layer take user input and
converts it into data,
2. The Transport layer adds a segment
header converting the data into
3. The Network layer adds a network
header and converts the segments
into packets ,
4. The Data Link layer adds a frame
header converting the packets into
5. The MAC sublayer layer converts the
frames into bits which the Physical
layer can put on the wire.

The steps are known as the 5 steps of data encapsulation. When the bits stream arrives
at the destination, the Physical layer takes it of the wire and converts it into frames, each
layer will remove their corresponding header while the data flows up the OSI model until
it is converted back to data and presented to the user, this is known as DE capsulation.

ETEC1999. All rights reserved
Rev 05/2014 Page 7
Most of us use application to create documents or spreadsheet such as Microsoft Word
or Excel, the Application layer we are talking here is to provide network services directly
to the user's application such as a web browser, email software and Windows Explorer
(this layer is said to be "closest to the user).
This layer supports application and end-user processes. Communication partners are
identified, quality of service is identified, user authentication and privacy are considered,
and any constraints on data syntax are identified. Everything at this layer is application-
specific. This layer provides application services for file transfers, e-mail, and other
network software services. Telnet and FTP are applications that exist entirely in the
application level. Tiered application architectures are part of this layer.
Protocols that operate on this layer include: TELNET, HTTP, FTP, TFTP, SMTP, NTP,

The presentation layer is the format of data that application on both side can understand
each other (Windows application to MAC application). It also translates the data from
application to the network format. Presentation layer is also responsible for the protocol
conversion, encryption, decryption and data compression thus providing freedom from
compatibility problems. It is sometimes called the syntax layer. Presentation layer is a
best layer for cryptography. Typical coding schemes include HTML, ASP, Java, ASCII,

SESSION (Layer 5)
Session layer establish and manages the session between the two users at different
ends in a network and keep them separately. Session layer also manages who can
transfer the data in a certain amount of time and for how long. The examples of session
layers and the interactive logins and file transfer sessions. Session layer reconnect the
session if it disconnects. It also reports and logs and upper layer errors.
Protocols that work on the session layer are NetBIOS, Mail Slots, Names Pipes, and

This layer converts the data received from the upper layers into segments. The
Transport layer is responsible for end-to-end (also called source-to-destination) delivery
of entire messages.
 Provides end-to-end connectivity by allows data to be transferred reliably and
sequencing to guarantee that it will be delivered in the same order that it was
 Provides services such as error checking and flow control (software).
 Protocols that operate on this layer: TCP, UDP, NETBEUI, SPX.

ETEC1999. All rights reserved
Rev 05/2014 Page 8
These protocols are either connectionless or connection-oriented:

 Connection-oriented (TCP) means that a connection (a virtual link) must be

established before data can be exchanged. This can guarantee that data will
arrive, and in the same order it was sent. It guarantees delivery by sending
acknowledgements back to the source when data are received.
Sending computer breaks the data to small segments and sequencing numbering
them. It then sequentially sends these segment to receiving computer but must
receive the acknowledgement from the receiving computer before sending the
next segment. If segment is lost or arrived corrupted, the acknowledgment will as
for resend.
 Connectionless (UDP) is the opposite of connection-oriented; the sender does
not establish a connection before it sends data, it just sends without guaranteeing
delivery. UDP is an example of a connectionless transport protocol.

NETWORK (Layer3)
This layer converts the segments from the Transport layer into packets (or datagrams)
and is responsible for path determination, routing, and the delivery of these individual
packets across multiple networks without guaranteed delivery. The network layer treats
these packets independently, without recognizing any relationship between those
packets; it relies on upper layers for reliable delivery and sequencing.

Also this layer is responsible for logical addressing (also known as network addressing
or Layer 3 addressing) for example IP addresses.

Examples of protocols defined at this layer: IPv4, IPv6, IPX, AppleTalk, ICMP, RIP,
Devices that operate on this layer: Routers, Layer 3 Switches.

Network layer addresses

Also known as Layer 3 or Logical addresses. These types of addresses are protocol-
dependent, for example if the network protocol is IP, IP addressing will be used which
is made up of a network part and a host part and needs a subnet mask to determine
the boundaries of these parts. An example of an IP address is: and a
subnet mask:

Another example is Novell's IPX addressing, which uses a combination of a

hexadecimal network address + the layer 2 MAC address to form a network layer
address, for example" 46.0010E342A8BC

ETEC1999. All rights reserved
Rev 05/2014 Page 9
DATA LINK (Layer2)
The Data Links provides transparent network services to the Network layer so the
Network layer can be ignorant about the physical network topology and provides access
to the physical networking media.

 Responsible for reassembling bits taken of the wire by the Physical layer to
frames, makes sure they are in the correct order and requests retransmission of
frames in case an error occurs.
 Provides error checking by adding a CRC to the frame, and flow control.

Examples of devices that operate on this layer are switches, bridges, WAPs, and NICs.

IEEE 802 Data Link sub layers

Around the same time the OSI model was developed, the IEEE developed the 802-
standards such as 802.5 Token Ring and 802.11 for wireless networks. Both
organizations exchanged information during the development which resulted in two
compatible standards. The IEEE 802 standards define physical network components
such as cabling and network interfaces, and correspond to the Data Link and/or
Physical layer of the OSI model. The IEEE refined the standards and divided the
Data Link layer into two sub layers: the LLC and the MAC sublayer.

 LLC sublayer (Wide Area Network or WAN)

LLC is short for Logical Link Control. The Logical Link Control is the upper
sublayer of the Data Link layer. LLC masks the underlying network technology
by hiding their differences hence providing a single interface to the network
layer. The LLC sublayer uses Source Service Access Points (SSAPs) and
Destination Service Access Points (DSAPs) to help the lower layers
communicate to the Network layer protocols acting as an intermediate
between the different network protocols (IPX, TCP/IP, etc.) and the different
network types (Ethernet, Token Ring, etc.) This layer is also responsible for
frames sequencing and acknowledgements.
The LLC sublayer is defined in the IEEE standard 802.2.
Other standards on this layer include: X.25 and Frame Relay

 MAC sublayer (Local Area Network or LAN)

The Media Access Control layer takes care of physical addressing and allows
upper layers’ access to the physical media, handles frame addressing, error
checking. This layer controls and communicates directly with the physical
network media through the network interface card. It converts the frames into
bits to pass them on to the Physical layer who puts them on the wire (and vice
IEEE LAN standards such as 802.3, 802.4, 802.5 and 802.10 define standards
for the MAC sublayer as well as the Physical layer.

ETEC1999. All rights reserved
Rev 05/2014 Page 10
Data Link layer addresses
Also known as layer 2 addresses, BIAs (Burned-in Address), physical address and
most commonly referred to as MAC address. This is a fixed address programmed
into a NIC or a router interface for example.
00-10-E3-42-A8-BC is an example of a MAC address. The first 6 hexadecimal digits
(3 bytes) specify the vendor/manufacturer of the NIC; the other 6 digits (3 bytes)
define the host.
The layer 2 broadcast address is FF-FF-FF-FF-FF-FF.

PHYSICAL (Layer 1)
This layer communicates directly with the physical media; it is responsible for activating,
maintaining and deactivating the physical link. It handles the raw bits stream and places
it on the wire to be picked up by the Physical layer at the receiving node. It defines
electrical and optical signaling, voltage levels, data transmission rates and distances as
well as mechanical specifications such as cable lengths and connectors, the amount of
pins and their function.
Devices that operate on this layer: HUBs/concentrators, repeaters, NICs, and LAN and
WAN interfaces such as RS-232, OC-3, BRI, V.24, V.35, X.25 and Frame Relay.

ETEC1999. All rights reserved
Rev 05/2014 Page 11
OSI vs. the TCP/IP or DoD Model
TCP/IP operation is defined in its own model: The DoD model. DoD is short for
Department of Defense, who designed TCP/IP for Arpanet. Although they are similar, in
contrary to the 7-layer OSI model the DoD model has 4 layers. Each DoD layer and its
functions correspond to 1 or more OSI layers and their functions, which is represented in
the image below:

For the CCENT exam you don't need to know the DoD model in detail, but if you know
the OSI model and the related DoD layers you can easily identify the layer at which a
certain protocol or standard is specified, for example:
Process/Application: Telnet, FTP, SMTP, HTTP, SNMP, etc.
Host to Host: TCP UDP
Internet: IP, ICMP, ARP, RARP, BootP, etc.
Network Access: Ethernet, Fast Ethernet, Token Ring, FDDI, etc.
Some of the above will be cover in this and next chapters.

Data Encapsulation
When a host transmits data across a network to another device, the data goes through
encapsulation: it is wrapped with protocol information at each layer of the OSI model.
Each layer communicates only with its peer layer on the receiving device.

To communicate and exchange information, each layer use Protocol Data Units (PDUs).
These hold the control information attached to the data at each layer of the model.

Segment: When the data stream is handed down to the transport layer, the transport
layer sets up a virtual circuit to the receiving device by sending over a synch packet.
Next, the data is broken up into smaller pieces, and a transport layer header (a PDU) is
created and attached to the header of the data field; now this piece of data is called

ETEC1999. All rights reserved
Rev 05/2014 Page 12
1. User information is converted to data for transmission on the network.
2. Data is broken up into smaller pieces, converted to segments and a reliable
connection is set up between the transmitting and receiving hosts.
3. Segments are converted to packets or datagrams, and a logical address (IP) is
placed in the header so each packet can be routed through an internetwork.
4. Packets or datagrams are converted to frames for transmission on the local
network. Hardware (Ethernet) addresses are used to uniquely identify hosts on a
local network segment. (If the destination host is on the remote network, then the
frame is sent to the router to be routed through an internetwork and the
destination MAC address is the MAC of the Router.)
5. Frames are converted to bits, and a digital encoding and clocking scheme is used.

Make sure that you can recreate the OSI model and interject the encapsulation
relationship (See Comprehensive Review Example B for operation details).

ETEC1999. All rights reserved
Rev 05/2014 Page 13
LAN Technology
In general terms, LAN (Local Area Network) refers to a group of computers
interconnected into a network so that they are able to communicate, exchange
information and share resources (e.g. printers, application programs, database etc.). In
other words, the same computer resources can be used by multiple users in the network,
regardless of the physical location of the resources.

Each computer in a LAN can effectively send and receive any information addressed to
it. This information is in the form of data 'packets'. The standards followed to regularize
the transmission of packets, are called LAN standards. There are many LAN standards
as Ethernet, Token Ring, and FDDI etc. Usually LAN standards differ due to their media
access technology and the physical transmission medium. Some popular technologies
and standards are being covered in this chapter.

Network Collision
A collision on a physical network segment is where data packets can "collide" with one
another when being sent on a shared medium, particularly in the Ethernet networking
protocol. If two end stations transmit data simultaneously, a collision occurs and the
result is a composite, garbled message (intersection with no stop signs or red lights).

To minimize network collision, Carrier Sensing Multi-Access / Collision Detection was
developed. In a CSMA/CD network, each station listens to check if the network is
busy, if the network is free then the station transmits data. When two stations listen,
and both determine the network is available, they will start sending the data
simultaneously and a collision occurs. When the collision is detected both stations will
retransmit the data after a random wait time created by a back-off algorithm. Each
end station that wants to transmit waits a random amount of time and then attempts
to transmit again.

Collision Domain
A network collision is a scenario wherein one particular device sends a packet on a
network segment, forcing every other device on that same segment to pay attention to it.
When an end station (network device) transmits data, every end station on the LAN
receives it. Each end station checks the data packet to see whether the destination
address matches its own address. If the addresses match, the end station accepts and
processes the packet. If they do not match, it disregards the packet. This becomes a
source of inefficiency in the network. All stations connecting to a hub is called one big
collision domain. Another inefficient of collision domain is only one device can send at a
This method is usually used for traditional Ethernet LAN. In today's large-fast-growing-
bandwidth-eating network environments this will soon become a problem, stations will
have to wait more often before they can transmit data and more collisions will occur. The
solution to this is to separate the network in multiple collisions domains. Device such as

ETEC1999. All rights reserved
Rev 05/2014 Page 14
bridge or switch can be used for this purpose will be explained using a network diagram
for each of the following relevant network components below.
Broadcast Domain
A broadcast domain is a logical division of a computer network, in which all nodes can
reach each other by broadcast at the data link layer. A broadcast domain can be within
the same LAN segment or it can be bridged to other LAN segments.

In terms of current popular technologies: Any computer connected to the same Ethernet
repeater or switch is a member of the same broadcast domain. Further, any computer
connected to the same set of inter-connected switches/repeaters or on the same subnet
are members of the same broadcast domain. Routers and other higher-layer devices
form boundaries between broadcast domains.

Network Segmentation
As networks become larger, there tends to be problems with congestion as more traffic is
introduced. To overcome the chances of reduced success in transmission between
hosts we can segment the networks into smaller areas.

A network segment is a portion of a computer network wherein every device

communicates using the same physical layer. Devices that extend the physical layer,
such as repeaters or network hubs, are also considered to extend the segment.
However, a device that operates at the data link layer level or higher creates new
physical layers and thus creates rather than extend segments.

Let's take an example, Mr. Smith (CPA) own a computer named ComputerA in his small
Accounting firm. Business has suddenly taken off, and Mr. Smith has hired 19 new
employees. Each employee is required to have a host on the local network. All the
devices are sharing the same media. The architecture is one Ethernet LAN segment.

Now the question arises, how do 20 hosts share one Ethernet LAN segment?

The ComputerA must now share the wire with many other devices. The Ethernet protocol
uses mechanisms at the MAC sub-layer of layer 2 for flow control and CSMA/CD. The
network card will listen to the physical wire (layer 1) for a moment where there are no
electrical pulses (transmissions). If the wire is quiet, as would be the case for our original
two-host network, the ComputerA could easily place its Ethernet frame on the wire.

Consuming bandwidth on a single segment

Now, there are 19 other devices on the network that the ComputerA must contend with
for frame transmission. If the ComputerA Ethernet adapter senses a transmission on the
wire, the adapter will wait to transmit. After the wait period has expired, the network card
will attempt once more to transmit the frame onto the wire. If the wire is still busy by
another device, the Ethernet adapter will wait once more before attempting to transmit.
The Ethernet adapter uses a back-off counter to tally these attempts. If the back-off

ETEC1999. All rights reserved
Rev 05/2014 Page 15
counter exceeds 15 tries, the adapter will assume the wire is too busy to send the frame.
It will then clean the frame from its memory.

ETEC1999. All rights reserved
Rev 05/2014 Page 16
Frame collisions
In the event two network devices transmit simultaneously, a packet collision occurs.
When a collision occurs and is detected, the Ethernet adapter will generate an alarm on
the wire to signal other stations of the event. If the collisions occur continuously, the
adapter would dump the frame and not attempt to transmit. Such a condition would arise
if too many devices were on one network segment. A scenario could occur where a
faulty network card could transmit continuously, causing collisions on the network.

If we have too many hosts on the Mr. Smith's network, it is time to break up the segment
into other, smaller network segments. The primary reason for segmenting is to increase
bandwidth (only one host can transmit at a time) and to span the network over greater
distances. The Ethernet 10-Base T topology has a distance limitation of 100 meters in

Layer 1 Segmentation
When all 20 hosts are connected in same network segment via a Hub, they are all in one
big collision domain. A single collision domain has two big limitations:

 Only one host can send data at a time.

 All host include the sending host will receive the same data.

We need to increase in dedicated paths between sending and receiving hosts and more
availability of bandwidth by breaking up the collision domain in to segments. This can be
done quickly by replacing the hub with a bridge or a switch where every port on a bridge
or switch is a single collision domain.

Now every host on Mr. Smith's network can simultaneously send and receive data, we
are still in one big broadcast domain. Increasing segmentation can be done with VLANs
or routers. Broadcast can consume bandwidth because it duplicates the data and send
to all station on the network.

Layer 2 Segmentation
We now can break up the 20 hosts into multiple broadcast domains by creating multiple
VLAN on the switch (Accounting VLAN, Sales VLAN ...) and assign ports to its
perspective VLAN. These methods increase the number of broadcast domains while
decreasing the number of users/hosts on each domain.

Segmentation can be performing on switches by creating Virtual Local Area Network

(VLAN) where each VLAN has a separate IP subnet.
Within a switch, ports can be assigning to its perspective VLAN. Each VLAN is a
broadcast domain and all ports in that domain can access each other only.
However; if you need one VLAN to reach the other, a layer 3 device such as router is
needed. We will cover VLAN and VLAN routing latter in this course.

ETEC1999. All rights reserved
Rev 05/2014 Page 17
Physical Transmission Media
Cables constitute the Physical Transmission Medium in a LAN and could be of the
following types.

Coaxial cable - Coaxial cable consists of a stiff copper conductor wire as core
surrounded by an insulating material. There are two type of coaxial cables used in
Ethernet LAN - Thick coaxial cable used for distances up to 500m and thin coaxial
cables up to 185m.

Twisted pair cable - They are four pairs of insulated copper conductors twisted and
bounded by single plastic sheath with or without conductor shield termed as STP and
UTP respectively. Twisted-pair Ethernet standards are such that the majority of cables
can be wired "straight-through" (pin 1 to pin 1, pin 2 to pin 2 and so on), but others may
need to be wired in the "crossover" form (receive to transmit and transmit to receive).
It is conventional to wire cables for 10- or 100-Mbit/s Ethernet to either the T568A or
T568B standards. Since these standards differ only in that they swap the positions of the
two pairs used for transmitting and receiving (TX/RX), a cable with T568A wiring at one
end and T568B wiring at the other is referred to as a crossover cable.

Cabling Types
When using Ethernet cabling, there are three types available:

 Straight-through cable is used to

connect dis-similar devices such as a
host to a switch or a hub, a router to a
switch or hub (router is a host with 2

The pins in the cables that are used in

a straight-through configuration are 1,
2, 3, and 6. The only thing that is
required is to ensure that they are
paired up as 1-1, 2-2, 3-3, and 6-6.
You will see these as 568-A or 568-B
wiring specifications.

 Crossover cable is used to connect

similar devices such as switch to a
switch, hub to a hub, router to router,
host to a host, hub to a switch, router directly to a host. Modern technologies
have adopted Auto MDI-X.

 Auto MDI-X automatically detects the required cable connection type and
configures the connection appropriately, removing the need for crossover cables

ETEC1999. All rights reserved
Rev 05/2014 Page 18
to interconnect switches or connecting PCs peer-to-peer. As long as it is enabled
on either end of a link, either type of cable can be used.
 Rolled cable (aka rollover, flat cable): used to connect a host (serial port) to a
console port of a network devices such as routers and switches for configuring
and managing.
In this configuration, all eight pins are used. To make this cable simply cut the
end off of a straight through cable and reverse the end.

Crosstalk is signal interference from adjacent cable pairs. To reduce the amount of
unwanted crosstalk category 5 cable uses more twists per foot than category 3 cable.

There are two types of crosstalk. Near-end crosstalk and Far-end crosstalk. Simply
put, near-end crosstalk occurs closer to the source of the transmission, whereas far-
end crosstalk is just the opposite, occurring closer to the destination.

Fiber Optic Cables - In Fiber Optic cable, the medium used is optical fiber instead of
any conductors. The information is transmitted in form of optical signal. Due to the high
speed of optical signals the cable can support high bandwidth for longer distance.
Depending upon the type of fiber, there are two types of Fiber Optic cables, single mode
and multi-mode.

STP vs UTP Cables

Differentiated physically by little more than a conducting shield, shielded twisted pair
cables and unshielded twisted pair cables nonetheless have different advantages,
disadvantages, and best applications.

Both shielded twisted pair (STP) and

unshielded twisted pair (UTP) have
interference canceling capacities, however
the way that each one is designed to cancel
the interference is different. Interference
caused by power lines, radar systems or
other high power electromagnetic signals,
called noise, can cause an imbalance in the
current flowing through the shield or conductors of the cables which interferes with the
signal. STP cables have a conducting shield made of metallic foil encasing the twisted
wire pairs, which blocks out electromagnetic interference, allowing it to carry data at a
faster rate of speed.

However, they have several disadvantages. STP cables work by attracting interference
to the shield, then running it off into a grounded cable. If the cable is improperly
grounded, then its noise-canceling capabilities are severely compromised. Additionally,
STP cables are bigger than UTP cables, and are more expensive. Finally, they are more
fragile than UTP cables, as the shield must be kept intact in order for them to work
properly. The best use for STP cables are in industrial settings with high amounts of

ETEC1999. All rights reserved
Rev 05/2014 Page 19
electromagnetic interference, such as a factory with large electronic equipment, where
they can be properly installed and maintained.

ETEC1999. All rights reserved
Rev 05/2014 Page 20
Category 5 - Category 5 cable (Cat 5) is a twisted pair cable for carrying signals. This
type of cable is used in structured cabling for computer networks such as Ethernet. The
cable standard provides performance of up to 100 MHz and is suitable for 10BASE-T,
100BASE-TX (Fast Ethernet), and 1000BASE-T (Gigabit Ethernet). Cat 5 is also used to
carry other signals such as telephony and video.

Category 5e - The category 5e specification improves upon the category 5 specification

by tightening some crosstalk specifications and introducing new crosstalk specifications
that were not present in the original category 5. The bandwidth of category 5 and 5e is
the same. Plenum cable is jacketed with a fire-retardant plastic jacket of either a low-
smoke polyvinyl chloride (PVC) {patented 1987} or a fluorinated ethylene polymer (FEP)

 Plenum (CMP) complies with NFPA-262 and UL-910. Only cable allowed in
spaces defined as air plenums such as raised flooring systems and air handling
ducts. Plenum cables must self-extinguish and not reignite. They also produce
less smoke than traditional PVC cables which are toxic.
 Riser (CMR) complies with UL-1666. Defined for usage in vertical tray
applications such as cable runs between floors through cable risers or in elevator
shafts. These spaces cannot be used for environmental air. These cables must
self-extinguish and must also prevent the flame from traveling up the cable in a
vertical burn test.

Category 6 - commonly referred to as Cat 6 or Class E, is a standardized cable for

Gigabit Ethernet and other network physical layers that is backward compatible with the
Category 5/5e and Category 3 cable standards but more stringent specifications for
crosstalk and system noise. Cat 6 standard provides performance of up to 250 Mhz.
Whereas Category 6 cable has a reduced maximum length when used for 10GBASE-T;
Category 6a cable, (or Augmented Cat 6), is characterized to 500 MHz and has
improved alien crosstalk characteristics, allowing 10GBASE-T to be run for the same
distance as previous protocols.

ETEC1999. All rights reserved
Rev 05/2014 Page 21
Category 7 - Class F channel and Category 7 cable
are backward compatible with Category 5e and Class
E/Cat6. Cat7 features even stricter specifications for
crosstalk and system noise than Cat6. To achieve
this, shielding has been added for individual wire
pairs and the cable as a whole. Besides the shield,
the twisting of the pairs and number of turns per unit
length increases RF shielding and protects from
The Category 7 cable standard has been created to allow 10 Gigabit Ethernet over 100m
of copper cabling (also, 10 Gbit/s Ethernet now is typically run on Cat 6A). The cable
contains four twisted copper wire pairs, just like the earlier standards.

Ethernet Network
Ethernet was developed by DIX (Digital, Intel and Xerox) in the 1970s. In 1980 the IEEE
802.3 standard was released. Two years later version 2 was introduced, which is the
basis for today's Ethernet networks.
An Ethernet network is a broadcast system; this means that when a station transmits
data every other station receives the data. The frames contain an address in the frame
header; only the station with that address will pick up the frame and pass it on to upper-
layer protocols to be processed.
The Ethernet protocol allows for linear bus, star, or tree topologies. Data can be
transmitted over wireless access points, twisted pair, coaxial, or fiber optic cable at a
speed of 10 Mbps up to 1000 Mbps.


ETEC1999. All rights reserved
Rev 05/2014 Page 22
Using 1 pair of wire to transmits or receives data (i.e. walkie talkie). Both hosts on
either end of a half-duplex communication use the same wire and must wait for one
host to complete its transmission before the other can respond over the same wire.
Ethernet networks generally operate using broadcasts.

Full-Duplex Ethernet
Can provide double the bandwidth of traditional Ethernet, but requires a single
workstation on a single switch port, and the NIC must support it. Collision free
because there are separate send and receive wires, and only one workstation is on
the segment.

ETEC1999. All rights reserved
Rev 05/2014 Page 23
Coaxial Cable
Coaxial cable conducts electrical signal using an inner conductor (usually a solid copper,
stranded copper or copper plated steel wire) surrounded by an insulating layer and all
enclosed by a shield, typically one to four layers of woven metallic braid and metallic

The cable is protected by an outer insulating jacket.

Normally, the shield is kept at ground potential and a
voltage is applied to the center conductor to carry
electrical signals. The advantage of coaxial design is
that electric and magnetic fields are confined to the
dielectric with little leakage outside the shield.
Conversely, electric and magnetic fields outside the
cable are largely kept from causing interference to
signals inside the cable. Larger diameter cables and
cables with multiple shields have less leakage.

A type of standard for implementing Ethernet networks.
10Base2 is sometimes referred to as thinnet (or “thin coax”)
because it uses thin coaxial cabling for connecting stations
to form a network. 10Base2 supports a maximum
bandwidth of 10 Mbps, but in actual networks, the presence
of collisions reduces this to more like 4 to 6 Mbps.
10Base2 networks are wired together in a bus topology, in
which individual stations (computers) are connected
directly to one long cable. The maximum length of any
particular segment of a 10Base2 network is 185 meters.

Similar to 10Base2, 10Base5 is sometimes referred to
as thicknet because it uses thick coaxial cabling for
connecting stations to form a network. Another name
for 10Base5 is Standard Ethernet because it was the
first type of Ethernet to be implemented. 10BASE5
coaxial cables had a maximum length of 500 meters
(1,640 ft).10Base5 networks were often used as
backbones for large networks. In a typical
configuration, transceivers on the thicknet backbone
would attach to repeaters, which would join smaller
thinnet segments to the thicknet backbone. In this
way, a combination of 10Base5 and 10Base2 standards could support sufficient
numbers of stations for a moderately large company.

ETEC1999. All rights reserved
Rev 05/2014 Page 24
5-4-3 rule
One of the most important issues to remember in an
Ethernet coax wiring scheme is the 5-4-3 rule which states
that you can have up to five cable segments, connected by
four repeaters, with no more than three of these segments
being mixing segments.
In the days of coaxial cable networks, this meant that you
could have up to three mixing segments of 500 or 185
meters each (for 10Base5 and 10Base2, respectively)
populated with multiple computers and connected by two
repeaters. You could also add two additional repeaters to
extend the network with another two cable segments of 500
or 185 meters each, as long as these were link segments
connected directly to the next repeater in line, with no
intervening computers,

A 10Base2 network could therefore span up to 925 meters

and a 10Base5 network up to 2,500 meters which states
that there can only be 5 segments in a series and 4
repeaters between these 5 segments, although only 3 of the
segments can be populated with devices. 10Base2 uses
BNC connectors and is implemented as both a physical and
logical bus topology using RG-58 cabling.

The minimum distance for cables between

workstations must be at least a half-meter. Drop
cables should not be used to connect a BNC
connector to the network interface card (NIC)
because this will cause signaling problems unless the
NIC is terminated. 10Base2 ThinNet segments
cannot be longer than 185 meters, although it is often
exaggerated to 200 meters, and you can't put more
than 30 devices on each populated segment. The
entire cabling scheme, including all five segments,
can't be longer than 925 meters.

10Base2 or 10Base5 networks are not implemented

much anymore for two reasons. First, because their
speed is limited to 10 Mbps, the networks perform
poorly in today’s bandwidth-hungry, Internet-connected world. Second, both networks
have a single point of failure (the long, linear bus cable used to connect the stations). A
single break or loose connection brings down the entire network, and every cable
segment and station connection must be checked to determine the problem.

ETEC1999. All rights reserved
Rev 05/2014 Page 25
Ethernet over twisted pair
Ethernet over twisted pair technologies use twisted-pair cables for the physical layer of
an Ethernet computer network. Early versions developed in the 1980s included StarLAN
followed by 10BASE-T. By the 1990s, fast, inexpensive technologies began to emerge.
Currently the most popular are 100BASE-TX (fast Ethernet; 100 Mbit/s) and 1000BASE-
T (gigabit Ethernet; 1 Gbit/s). Meanwhile higher-speed implementations generally
support lower-speed standards inclusively; thus it is possible to mix different generations
of equipment. Inclusive capability is designated 10/100 or 10/100/1000- for connections
that support such combinations.
The cables usually have four pairs of wires (though 10BASE-T and 100BASE-TX only
require two of the pairs). The three standards support both full-duplex and half-duplex
communication. High-grade twisted pair cabling can transport up to 10 Gbit/s Ethernet

Using twisted pair cabling, in a star topology, for Ethernet addressed several
weaknesses of the previous standards:
 Twisted pair cables could be used more generally and were already present in
many office buildings, lowering overall cost.
 The centralized star topology was a more common approach to cabling than the
bus in earlier standards and easier to manage.
 Using point-to-point links instead of a shared bus greatly simplified
troubleshooting and was less prone to failure.
 Exchanging cheap repeater hubs for more advanced switching hubs provided a
viable upgrade path.
 Mixing different speeds in a single network became possible with the arrival of
Fast Ethernet.

10BASE-T Ethernet became popular due its ease of use, its usage of unshielded twisted
pair (UTP) cabling and its low cost. 10 is for 10 Megabits per second (Mbps) operation,
BASE is for baseband operation, and T is for the twisted pair cable used for the network.
The Network Interface Card (NIC) performs the functions of a transceiver so that no
external transceiver is needed for stations. 10BaseT requires the use of a hub or
concentrator because it uses a star topology. The hub serves as a central switching
station thus controlling the incoming and outgoing signals. When using star topology if a
station goes down it does not affect the rest of the network. Typically a RJ45 connector
is connected to UTP cabling and is run straight from the hub to the NIC (10BaseT NIC's
have a built-in RJ45 transceiver). Pins 1 and 3 transmit data and pins 3 and 6 receive
data (the other pins are not used). A 10BASE-T transmitter sends two differential
voltages, +2.5 V or −2.5 V.

100BASE-TX follows the same wiring patterns as 10BASE-T, but is more sensitive to
wire quality and length, due to the higher bit rates. A system designed to achieve 100
Mbps access time on Ethernet networks, which is 10 times the speed of standard
Ethernet. The IEEE* amended the 802.3 specifications to include 100 Base TX, 100
BaseT4 and 100 BaseFX. A 100BASE-TX transmitter sends three differential voltages,
+1 V, 0 V, or −1 V.

ETEC1999. All rights reserved
Rev 05/2014 Page 26
1000BASE-T uses all four pairs bi-directionally and the standard includes auto MDI-X;
however, implementation is optional. With the way that 1000BASE-T implements
signaling, how the cable is wired is immaterial in actual usage. The standard on copper
twisted pair is IEEE 802.3ab for Cat 5e UTP, or 4D-PAM5; four dimensions using PAM
(pulse amplitude modulation) with five voltages, −2 V, −1 V, 0 V, +1 V, and +2 V While
+2 V to −2 V voltage may appear at the pins of the line driver, the voltage on the cable is
nominally +1 V, +0.5 V, 0 V, −0.5 V and −1 V.

100BASE-TX and 1000BASE-T were both designed to require a minimum of Category 5

cable and also specify a maximum cable length of 100 meters. Category 5 cable has
since been deprecated and new installations use Category 5e.

Unlike earlier Ethernet standards using broadband and coaxial cable, such as 10BASE5
(thicknet) and 10BASE2 (thinnet), 10BASE-T does not specify the exact type of wiring to
be used, but instead specifies certain characteristics that a cable must meet. This was
done in anticipation of using 10BASE-T in existing twisted-pair wiring systems that may
not conform to any specified wiring standard. Some of the specified characteristics are
attenuation, characteristic impedance, timing jitter, propagation delay, and several types
of noise. Cable testers are widely available to check these parameters to determine if a
cable can be used with 10BASE-T. These characteristics are expected to be met by 100
meters of 24-gauge unshielded twisted-pair cable. However, with high quality cabling,
cable runs of 150 meters or longer are often obtained and are considered viable by most
technicians familiar with the 10BASE-T specification.

1000BASE-TX - The Telecommunications Industry Association (TIA) created and

promoted a standard similar to 1000BASE-T that was simpler to implement, calling it
1000BASE-TX (TIA/EIA-854). The simplified design would have, in theory, reduced the
cost of the required electronics by only using two unidirectional pairs in each direction
instead of 4 bidirectional. However, this solution has been a commercial failure, likely
due to the required Category 6 cabling and the rapidly falling cost of 1000BASE-T

1000BASE-T products are sometimes marketed as 1000BASE-TX despite the difference

in standards. The confusion possibly stems from the most popular form of Fast Ethernet
(100 Mbit/s) is known as 100BASE-TX, leading to many products supporting multiple
speeds of 10/100/1000Mbit/s marketed as "10/100/1000BASE-TX".

Token Ring - This is a 4-Mbps or 16-Mbps token-passing method, operating in a ring

topology developed by IBM in the mid-1980s. Devices on a Token Ring network get
access to the media through token passing. Token and data pass to each station on the
ring. The devices pass the token around the ring until one of the computer who wants to
transmit data, takes the token and replaces it with a frame.
Each device passes the frame to the next device, until the frame reaches its destination.
As the frame passes to the intended recipient, the recipient sets certain bits in the frame
to indicate that it received the frame. The original sender of the frame strips the frame
data off the ring and issues a new token.

ETEC1999. All rights reserved
Rev 05/2014 Page 27
FDDI (Fiber Distributed Data Interface) - FDDI provides data speed at 100Mbps which is
faster than Token Ring and Ethernet LANs. FDDI comprise two independent, counter-
rotating rings: a primary ring and a secondary ring. Data flows in opposite directions on
the rings. The counter-rotating ring architecture prevents data loss in the event of a link
failure, a node failure, or the failure of both the primary and secondary links between any
two nodes. This technology is usually implemented for a backbone network.

Fiber Optic
Optical fiber is used by many telecommunications companies to transmit telephone
signals, Internet communication, and cable television signals. Due to much lower
attenuation and interference, optical fiber has large advantages over existing copper wire
in long-distance and high-demand applications. Fiber-optic communication is a method
of transmitting information from one place to another by sending pulses of light through
an optical fiber. The light forms an electromagnetic carrier wave that is modulated to
carry information. First developed in the 1970s, fiber-optic communication systems have
revolutionized the telecommunications industry and have played a major role in the
advent of the Information Age. Because of its advantages over electrical transmission,
optical fibers have largely replaced copper wire communications in core networks in the
developed world.

Fiber Optics is sending signals down hair-thin strands of glass

or plastic fiber. The light is "guided" down the center of the fiber
called the "core". The core is surrounded by an optical material
called the "cladding" that traps the light in the core using an
optical technique called "total internal reflection."
The core and cladding are usually made of ultra-pure glass. The
fiber is coated with a protective plastic covering called the "primary buffer coating" that
protects it from moisture and other damage. More protection is provided by the "cable"
which has the fibers and strength members inside an outer covering called a "jacket".

The process of communicating using fiber-optics involves the following basic steps:
Creating the optical signal involving the use of a transmitter, relaying the signal along the
fiber, ensuring that the signal does not become too distorted or weak, receiving the
optical signal, and converting it into an electrical signal.

The most commonly used optical transmitters are semiconductor devices such as light-
emitting diodes (LEDs) and laser diodes. The difference between LEDs and laser diodes
is that LEDs produce incoherent light, while laser diodes produce coherent light.

The main component of an optical receiver is a photodetector, which converts light into
electricity using the photoelectric effect. The photodetector is typically a semiconductor-
based photodiode.

ETEC1999. All rights reserved
Rev 05/2014 Page 28
Single Mode Fiber
Single Mode fiber optic cable has a small diametral core that allows only one mode of
light to propagate. Because of this, the number of light reflections created as the light
passes through the core decreases, lowering attenuation and creating the ability for the
signal to travel faster, further. This application is typically used in long distance, higher
bandwidth runs by Telco, CATV companies, and Colleges and Universities.

Multimode Fiber
Multimode fiber optic cable has a large diametral core that allows multiple modes of light
to propagate. Because of this, the number of light reflections created as the light passes
through the core increases, creating the ability for more data to pass through at a given
time. Because of the high dispersion and attenuation rate with this type of fiber, the
quality of the signal is reduced over long distances. This application is typically used for
short distance, data and audio/video applications in LANs. RF broadband signals, such
as what cable companies commonly use, cannot be transmitted over multimode fiber.

Name Medium Specified distance

1000BASE-CX Shielded balanced copper cable 25 meters
1000BASE-KX Copper backplane 1 meter
220 to 550 meters pending
1000BASE-SX Multi-mode fiber
on diameter and bandwidth
1000BASE-LX Multi-mode fiber 550 meters
1000BASE-LX Single-mode fiber 5 km
1000BASE-LX10 Single-mode fiber using 1,310 nm wavelength 10 km
1000BASE-EX Single-mode fiber at 1,310 nm wavelength ~ 40 km
1000BASE-ZX Single-mode fiber at 1,550 nm wavelength ~ 70 km
Single-mode fiber, over single-strand fiber: 1,490 nm
1000BASE-BX10 10 km
downstream 1,310 nm upstream
1000BASE-T Twisted-pair cabling (Cat-5, Cat-5e, Cat-6, or Cat-7) 100 meters
1000BASE-TX Twisted-pair cabling (Cat-6, Cat-7) 100 meters

ETEC1999. All rights reserved
Rev 05/2014 Page 29
Network Communication Devices
A LAN comprises of different communication devices across the network such as the

Repeaters & Hubs

 Repeater
Repeater is device that amplifies and regenerates signals so they can be
transmits for longer distance on the cable. It forwards the digital signal out all
active ports without looking at any data. They do not control broadcast or collision
domains, they are not aware of upper-layer protocols and frame formats, they
merely regenerate/amplify the signal.

 Hub
A Hub is really a multiple-port repeater which means all devices plugged into a
hub are in the same collision domain as well as in the same broadcast domain.
There are two main types of hubs: passive and active. An active hub takes the
incoming frames, amplifies the signal, and forwards it to all other ports; a
passive hub simply splits the signal and forwards it. Another type of hubs can
be managed allowing individual port configuration and traffic monitoring, these
are known as intelligent- or managed hubs.

Hubs and Repeaters operate on the physical layer of the OSI model and they are
protocol transparent, which means they are not aware of the upper-layer protocols
and such as IP, IPX or MAC addressing. Hence they do not control broadcast or
collision domains, but they extend them.

ETEC1999. All rights reserved
Rev 05/2014 Page 30
Bridges & Switches

An OSI layer 2 device, bridge or switches maintain a MAC Table that maps individual
MAC addresses on the network to the physical ports on the switch. This allows the
switch to direct data out of the physical port where the recipient is located, as opposed to
indiscriminately broadcasting the data out of all ports as a hub does.
The advantage of this method is that data is bridged exclusively to the network segment
containing the computer that the data is specifically destined for.

A bridge or switch performs the following steps:

 First, takes an incoming frame, reads its source MAC address, consults the
database to decide if it needed to add to the database (record source MAC
on in-coming port).
 Second, read the destination MAC address and consults the database to
decide what should be done with the frame; if the location of the destination
MAC address is listed in the database, the frame is forwarded to the
corresponding port. If the destination port is the same as the port where the
frame arrived, it will be discarded. If the location is not known the frame will
be flooded through all outgoing ports/segments except the source port.

***** Know the above and know it well *****

They also allow a network to maintain full-duplex Ethernet. Before switching, Ethernet
was half-duplex, which means that data could be transmitted in only one direction at a
time. In a fully switched network, each node communicates only with the switch, not
directly with other nodes. Information can travel from node to switch and from switch to
node simultaneously.

In early 1980’s, Bridge was developed to overcome the limitation of Hub/Repeater where
Switch was developed latter and faster than Bridge.

 Bridges
At the Data Link layer of the OSI model, they are used to increase network
performance by segmenting networks in separate collision domains. Bridges are
also protocol transparent; they are not aware of the upper-layer protocols. They
keep a table with MAC addresses of all nodes, and on which segment they are

ETEC1999. All rights reserved
Rev 05/2014 Page 31
 Switches
To improve network performance even more switches were developed, switches
are very similar to bridges; they also keep a table with MAC addresses per port to
make switching decisions, operate in the OSI model and are protocol transparent.
Some of the main differences are:
 a switch has more ports than a bridge
 bridges switch in software whereas switches switch in hardware (integrated
 Switches offer more variance in speed, an individual port can be assigned
10 Mbps, 100 Mbps, 1 Gbps or even more.
 Bridges can connect different types of media.

Switches are able to use software to create Virtual LANs; a logical grouping of
network devices where the members can be on different physical segments. A
VLAN can be based on Port IDs, MAC addresses, protocols or applications. For
example, in the network diagram above port 1 to 12 on the switch could be
assigned to VLAN 1, and port 13 to 24 to VLAN 2, resulting in two different
broadcast domains, or station 1, 2 and 3 could be using IPX/SPX while station 4,
5 and 6 could be using TCP/IP.

An example of a large network with VLANs could be an office building with a

switch on each of the three floors and a main switch connecting them all together.
An administrator would be able to keep a list of MAC addresses and assign
stations from different floors to a single VLAN and for example create a VLAN
(broadcast domain) for each department in the company. Switches share their
MAC address table information with other switches so the path to a destination
can be found quickly.
ETEC1999. All rights reserved
Rev 05/2014 Page 32
The basic function of the router is to route the traffic from one network to another
network efficiently. It provides intelligent redundancy and security required to select the
optimum path. Usually routers are used for connecting remote networks.

Broadcasts will be filtered and by default, will not be forward. Each packet will be routed
based upon the destination network. Router provides a separate broadcast domain for
each interface.

Routers forward packet based on Routing Table. These routing tables can be create by
static or dynamic and will be cover in latter chapters.

Here are some points about routers that should commit to memory:

 Routers, by default, will not forward any broadcast or multicast packets.

 Routers use the logical address in a Network layer header to determine the next
hop router to forward the packet to.
 Routers can use access lists, created by an administrator, to control security on
the types of packets that are allowed to enter or exit and interface.
 Routers can provide layer 2 bridging functions if needed and can simultaneously
route through the same interface.
 Layer 3 device (Routers in this case) provide connections between virtual LANs
 Routers can provide quality of service (QoS) for specific types of network traffic.

ETEC1999. All rights reserved
Rev 05/2014 Page 33
BRouters are devices that function as a bridge and a router. They act as a bridge for
non-routable protocols and as routers for routable protocols. BRouters operates at the
Data Link and Network layers (layers two and three). Not very popular these days and
not tested in the CCENT.

A gateway (as a network component) is a device that connects networks with dissimilar
network protocols or architectures and translates between the networks. Gateways are
very intelligent devices; generally, they operate on the Transport layer and on those
above it (Session, Presentation, and Application). A gateway could be used to allow
IPX/SPX clients to use a gateway with a TCP/IP uplink to an internet connection. TCP/IP
would be converted to IPX/SPX. Another common use of a gateway is to connect an
Ethernet network to an IBM SNA mainframe environment.

A NIC (Network Interface Card) is an expansion cards for a computer used to connect to
the physical network. The NIC's interface itself is defined at the Physical layer (Layer 1)
of the OSI model, the physical address (also known as Burned-In Address and
commonly: MAC address) of the adapter as well as the drivers to control the NIC are
located at the Data Link layer's MAC sub-layer. The reason the physical address is
defined at the Data Link layer is that the Physical layer only handles bits.

ETEC1999. All rights reserved
Rev 05/2014 Page 34
Network Topology
The physical topology of a network refers to the configuration of cables, computers, and
other peripherals. Physical topology should not be confused with logical topology which
is the method used to pass information between workstations. Logical topology was
discussed in the Protocol chapter.

Main Types of Network Topologies in networking, the term "topology" refers to the layout
of connected devices on a network. This article introduces the standard topologies of
computer networking.

One can think of a topology as a network's virtual shape or structure. This shape does
not necessarily correspond to the actual physical layout of the devices on the network.
For example, the computers on a home LAN may be arranged in a circle in a family
room, but it would be highly unlikely to find an actual ring topology there.

Network topologies are categorized into the following basic types:

 Star Topology
 Ring Topology
 Bus Topology
 Tree Topology
 Mesh Topology
 Hybrid Topology

More complex networks can be built as hybrids of two or more of the above basic

Bus Topology
Bus networks (not to be confused with the system bus of a computer) use a common
backbone to connect all devices. A single cable which functions as a backbone where all
devices can attach or tap into it with an interface connector. A device wanting to
communicate with another device on the network sends a broadcast message onto the
wire that all other devices see, but only the intended recipient actually accepts and
processes the message.

Ethernet bus topologies are relatively easy to install and don't require much cabling
compared to the alternatives. 10Base-2 ("ThinNet") and 10Base-5 ("ThickNet") both
were popular Ethernet cabling options many years ago for bus topologies. However, bus
networks work best with a limited number of devices. If more than a few dozen
computers are added to a network bus, performance problems will likely result. In
addition, if the backbone cable fails, the entire network effectively becomes unusable.

ETEC1999. All rights reserved
Rev 05/2014 Page 35
Advantages of a Linear Bus Topology
 Easy to connect a computer or peripheral to a linear bus.
 Requires less cable length than a star topology.

Disadvantages of a Linear Bus Topology

 Entire network shuts down if there is a break in the main cable.
 Terminators are required at both ends of the backbone cable.
 Difficult to identify the problem if the entire network shuts down.
 Not meant to be used as a stand-alone solution in a large building.

Ring Topology
In a ring network, every device has exactly two neighbors for communication purposes.
All messages travel through a ring in the same direction (either "clockwise" or
"counterclockwise"). A failure in any cable or device breaks the loop and can take down
the entire network.

To implement a ring network, one typically uses FDDI, SONET, or Token Ring
technology. Ring topologies are found in some office buildings or school campuses.

ETEC1999. All rights reserved
Rev 05/2014 Page 36
Star Topology
Many home networks use the star topology. A star network features a central connection
point called a "hub" that may be a hub, switch or router. Devices typically connect to the
hub with Unshielded Twisted Pair (UTP) Ethernet.

Compared to the bus topology, a star network generally requires more cable, but a
failure in any star network cable will only take down one computer's network access and
not the entire LAN. (If the hub fails, however, the entire network also fails.)

Advantages of a Star Topology

 Easy to install and wire.
 No disruptions to the network then connecting or removing devices.
 Easy to detect faults and to remove parts.

Disadvantages of a Star Topology

 Requires more cable length than a linear topology.
 If the hub or concentrator fails, nodes attached are disabled.
 More expensive than linear bus topologies because of the cost of the

The protocols used with star configurations are usually Ethernet or LocalTalk. Token
Ring uses a similar topology, called the star-wired ring.

Star-Wired Ring
A star-wired ring topology may appear (externally) to be the same as a star topology.
Internally, the MAU of a star-wired ring contains wiring that allows information to pass
from one device to another in a circle or ring. The Token Ring protocol uses a star-wired
ring topology.

ETEC1999. All rights reserved
Rev 05/2014 Page 37
Tree Topology
Tree topologies integrate multiple star topologies together onto a bus. In its simplest
form, only hub devices connect directly to the tree bus and each hub functions as the
"root" of a tree of devices. This bus/star hybrid approach supports future expandability of
the network much better than a bus (limited in the number of devices due to the
broadcast traffic it generates) or a star (limited by the number of hub connection points)

Advantages of a Tree Topology

 Point-to-point wiring for individual segments.
 Supported by several hardware and software venders.

Disadvantages of a Tree Topology

 Overall length of each segment is limited by the type of cabling used.
 If the backbone line breaks, the entire segment goes down.
 More difficult to configure and wire than other topologies.

ETEC1999. All rights reserved
Rev 05/2014 Page 38
Mesh Topology
Mesh topologies involve the concept of routes. Unlike each of the previous topologies,
messages sent on a mesh network can take any of several possible paths from source to
destination. (Recall that even in a ring, although two cable paths exist, messages can
only travel in one direction.) Some WANs, most notably the Internet, employ mesh

A mesh network in which every device connects to every other is called a full mesh.
As shown in the illustration below, partial mesh networks also exist in which some
devices connect only indirectly to others.

Hybrid Topology
A combination of any two or more network topologies. Note 1: Instances can occur
where two basic network topologies, when connected together, can still retain the basic
network character, and therefore not be a hybrid network. For example, a tree network
connected to a tree network is still a tree network. Therefore, a hybrid network accrues
only when two basic networks are connected and the resulting network topology fails to
meet one of the basic topology definitions. For example, two star networks connected
together exhibit hybrid network topologies. Note 2: A hybrid topology always accrues
when two different basic network topologies are connected.

Considerations When Choosing a Topology

 Money. A linear bus network may be the least expensive way to install a network;
you do not have to purchase concentrators.
 Length of cable needed. The linear bus network uses shorter lengths of cable.
 Future growth. With a star topology, expanding a network is easily done by adding
another concentrator.
 Cable type. The most common cable in schools is unshielded twisted pair, which
is most often used with star topologies.

ETEC1999. All rights reserved
Rev 05/2014 Page 39
Local Area Network Technologies Overview

Local Area Network (LAN) is a data communications network connecting terminals,

computers and printers within a building or other geographically limited areas. These
devices could be connected through wired cables or wireless links. Ethernet, Token Ring
and Wireless LAN using IEEE 802.11 are examples of standard LAN technologies.

Ethernet is by far the most commonly used LAN technology. Token Ring technology is
still used by some companies. FDDI is sometimes used as a backbone LAN
interconnecting Ethernet or Token Ring LANs. WLAN using IEEE 802.11 technologies is
rapidly becoming the new leading LAN technology for its mobility and easy to use

Local Area Network could be interconnected using Wide Area Network (WAN) or
Metropolitan Area Network (MAN) technologies. The common WAN technologies include
TCP/IP, ATM, and Frame Relay etc. The common MAN technologies include SMDS and
10 Gigabit Ethernet.

LANs are traditionally used to connect a group of people who are in the same local area.
However, the working groups are becoming more geographically distributed in today's
working environment. There, virtual LAN (VLAN) technologies are defined for people in
different places to share the same networking resource.

ETEC1999. All rights reserved
Rev 05/2014 Page 40
Local Area Network protocols are mostly at data link layer (layer 2). IEEE is the leading
organization defining most of the LAN protocols.

ETEC1999. All rights reserved
Rev 05/2014 Page 41
Chapter 2 - TCP/IP
TCP/IP transport layer protocols
The Internet Protocol Suite resulted from research and development conducted by the
Defense Advanced Research Projects Agency (DARPA) in the early 1970s. After
initiating the pioneering ARPANET in 1969, DARPA started work on a number of other
data transmission technologies.

Several other TCP/IP prototypes were developed at multiple research centers between
1975 and 1983. The migration of the ARPANET to TCP/IP was officially completed on
January 1, 1983, when the new protocols were permanently activated.

In March 1982, the US Department of Defense declared TCP/IP as the standard for all
military computer networking. In 1985, the Internet Architecture Board held a three day
workshop on TCP/IP for the computer industry, attended by 250 vendor representatives,
promoting the protocol and leading to its increasing commercial use.

The Internet Protocol Suite (commonly known as TCP/IP) is the set of communications
protocols used for the Internet and other similar networks. It is named from two of the
most important protocols in it: the Transmission Control Protocol (TCP) and the Internet
Protocol (IP), which were the first two networking protocols defined in this standard.

The Internet Protocol Suite, like many protocol suites, may be viewed as a set of layers.
Each layer solves a set of problems involving the transmission of data, and provides a
well-defined service to the upper layer protocols based on using services from some
lower layers. Upper layers are logically closer to the user and deal with more abstract
data, relying on lower layer protocols to translate data into forms that can eventually be
physically transmitted.

Transmission Control Protocol

TCP is a connection oriented transport layer protocol with built in reliability. Takes large
blocks of data and breaks it down into segments. It numbers and sequences each
segment so the destination’s TCP protocol can reassemble back into the original order.
TCP uses acknowledgement via sliding windows. Has a large overhead due to build in
error checking. This protocol uses Port 6.

TCP is the most commonly used protocol on the Internet. The reason for this is because
TCP offers error correction. When the TCP protocol is used there is a "guaranteed
delivery." This is due largely in part to a method called "flow control." Flow control
determines when data needs to be re-sent, and stops the flow of data until previous
packets are successfully transferred. This works because if a packet of data is sent, a
collision may occur. When this happens, the client re-requests the packet from the server
until the whole packet is complete and is identical to its original.

ETEC1999. All rights reserved
Rev 05/2014 Page 42
Flow Control
In computer networking, flow control is the process of managing the rate of data
transmission between two nodes to prevent a fast sender from outrunning a slow
receiver. It provides a mechanism for the receiver to control the transmission speed, so
that the receiving node is not overwhelmed with data from transmitting node. Flow
control should be distinguished from congestion control, which is used for controlling the
flow of data when congestion has actually occurred. Flow control mechanisms can be
classified by whether or not the receiving node sends feedback to the sending node.

Flow control is important because it is possible for a sending computer to transmit

information at a faster rate than the destination computer can receive and process them.
This can happen if the receiving computers have a heavy traffic load in comparison to
the sending computer, or if the receiving computer has less processing power than the
sending computer.

There are three commonly used methods for handling network congestion:

1. Buffering - Buffering is used by network devices to temporarily store bursts of

excess data in memory until they can be processed. Occasional data bursts are
easily handles by buffering. However, buffers can overflow if data continues at
high speeds.

2. Source Quench Messages (Congestion Notification) - If device A is sending

data to device B across a Frame Relay infrastructure and one of the intermediate
Frame Relay switches encounters congestion, congestion being full buffers,
oversubscribed port, overloaded resources, etc., it will set the BECN bit on
packets being returned to the sending device and the FECN bit on the packets
being sent to the receiving device. This has the effect of telling the sending router
to Back off and apply flow control like traffic Shaping and informs the receiving
device that the flow is congested and that it should inform upper layer protocols, if
possible, that it should close down windowing etc. to inform the sending
application to slow down.

A FECN tells the receiving device that the path is congested so that the upper
layer protocols should expect some delay. The BECN tells the transmitting device
that the Frame Relay network is congested and that it should "back off" to allow
better throughput.

FECN (Forward Error Congestion Notification)

BECN (Backward Error Congestion Notification)

ETEC1999. All rights reserved
Rev 05/2014 Page 43
User Datagram Protocol
UDP is a connectionless oriented transport protocol for use when the upper layers
provide error-recovery and reliability. UDP does not sequence data or reassemble it into
any order after transmission. This protocol uses Port 17.

UDP is another commonly used protocol on the Internet. However, UDP is never used to
send important data such as Web Pages, database information, etc.; UDP is commonly
used for streaming audio and video. Streaming media such as Windows Media audio
files (.WMA), Real Player (.RM), and others use UDP because it offers speed! The
reason UDP is faster than TCP is because there is no form of flow control or error
correction. The data sent over the Internet is affected by collisions, and errors will be
present. Remember that UDP is only concerned with speed. This is the main reason why
streaming media is not high quality.

TCP/IP network layer protocols

TCP/IP Network Layer (OSI) or Internet (DOD) protocols are IP, ARP, RARP, BOOTP,
and ICMP.

Internet protocol
IP provides routing and a single interface to the upper layers. No upper layer protocol
and no lower layer protocol have any functions relating to routing. IP receives segments
from the transport layer and fragments them into packets including the host’s IP address.

Address Resolution Protocol

ARP is responsible for resolving IP addresses to MAC addresses. It stores these in its
Arp cache for later use. It does this to inform a lower layer of the destination’s MAC

Reverse Address Resolution Protocol

RARP, implemented at the datalink layer, resolves MAC addresses to IP addresses on
diskless workstations.

Boot Strap Protocol

BootP is used also for diskless workstations when it requires an IP address.

ETEC1999. All rights reserved
Rev 05/2014 Page 44
Internet Control Message Protocol
ICMP is a management protocol and messaging service provide for IP. Its messages
are carried as IP datagrams.

ICMP is used to perform the following functions:

 Destination Unreachable – If a router cannot send an IP packet any further it uses
an ICMP echo to send a message back to the sender notifying it that the remote
node is unreachable.
 Buffer Full – If a router’s memory buffer is full, ICMP will send out a message to
the originator.
 Hops – Each IP datagram is assigned a path. This consists of hops. If it goes
through the maximum number of hops the packet is discarded and the discarding
router sends an ICMP echo to the host.
 Ping – Ping uses ICMP echo messages to check connectivity.

Generic composition of an ICMP packet

 Header (in blue):
 Protocol set to 1 and Type of Service set to 0.
 Payload (in red):
 Type of ICMP message (8 bits)
 Code (8 bits)
 Checksum (16 bits), calculated with the ICMP part of the packet (the
header is not used)
 The ICMP 'Quench' (32 bits) field, which in this case (ICMP echo request
and replies), will be composed of identifier (16 bits) and sequence number
(16 bits).
 Data load for the different kind of answers (Can be an arbitrary length, left
to implementation detail. However must be less than the maximum MTU of
the network.
 Data Transportation

Note that ICMP (and therefore Ping) resides on the Network layer (level 3) of the OSI
(Open Systems Interconnection) model. This is the same layer as IP (Internet
Protocol). Consequently, Ping does not use a port for communication.

ETEC1999. All rights reserved
Rev 05/2014 Page 45
Ping is a computer network administration utility used to test whether a particular host is
reachable across an Internet Protocol (IP) network and to measure the round-trip time for
packets sent from the local host to a destination computer, including the local host's own

Ping operates by sending Internet Control Message Protocol (ICMP) echo request
packets to the target host and waits for an ICMP response, sometimes casually called a
pong. In the process it measures the round-trip time and records any packet loss. The
results of the test are printed in form of a statistical summary of the response packets
received, including the minimum, maximum, and the mean round-trip times, and
sometimes the standard deviation of the mean.

The use of the ping utility is usually described as pinging a host computer. Ping has
various command line options depending on the host operating system that enable
special operational modes, such as to specify the packet size used as the probe,
automatic repeated operation for sending a specified count of probes, time stamping
options, or to perform a ping flood. Flood pinging may be abused as a simple form of
denial-of-service attack, in which the attacker overwhelms the victim with ICMP echo
request packets.
Message format

Echo request
The echo request is an ICMP message whose data is expected to be received back in
an echo reply ("ping"). The host must respond to all echo requests with an echo reply
containing the exact data received in the request message.

 The Identifier and Sequence Number can be used by the client to match the reply
with the request that caused the reply. In practice, most Linux systems use a
unique identifier for every ping process, and sequence number is an increasing
number within that process. Windows uses a fixed identifier, which varies between
Windows versions, and a sequence number that is only reset at boot time.
 The data received by the Echo Request must be entirely included in the Echo

ETEC1999. All rights reserved
Rev 05/2014 Page 46
Echo reply
The echo reply is an ICMP message generated in response to an echo request, and is
mandatory for all hosts and routers.

 Type and code must be set to 0.

 The identifier and sequence number can be used by the client to determine which
echo requests are associated with the echo replies.
 The data received in the echo request must be entirely included in the echo reply.

Data delivering methodologies

The Internet Protocol and other network addressing systems recognize five main data
delivering methodologies:

 Unicast uses a one-to-one association between destination address and network

endpoint: each destination address uniquely identifies a single receiver endpoint.

 Broadcast uses a one-to-many association, datagrams are routed from a single

sender to multiple endpoints simultaneously in a single transmission. The network
automatically replicates datagrams as needed for all network segments (links) that
contain an eligible receiver.

ETEC1999. All rights reserved
Rev 05/2014 Page 47
 Multicast uses a one-to-unique many association, datagrams are routed from a
single sender to multiple selected endpoints simultaneously in a single

 Anycast uses a one-to-nearest association, datagrams are routed to a single

member of a group of potential receivers that are all identified by the same
destination address.

 Geocast refers to the delivery of information to a group of destinations in a

network identified by their geographical locations. It is a specialized form of
Multicast addressing used by some routing protocols for mobile ad hoc networks.

ETEC1999. All rights reserved
Rev 05/2014 Page 48
IP Addressing Fundamental
A host or node is a computer or device on a TCP/IP network. Every TCP/IP host is
uniquely identified by its IP address. An IP address consists of a network ID and a host
ID. If two different hosts belong to the same network, they have the same network ID.
The two hosts will have different host ID’s and can communicate with each other locally
without going through a router. If two hosts have different network ID’s, they belong to
different segments on the network. They must communicate with each other remotely
through a router or default gateway.

An IP address consists of 32 binary bits, where each bit is either a 0 or 1. We write the
32 bits into four 8-bit numbers (octets) separated by a period.

For Example: 11000001.00001010.00011110.00000010 (IP address in binary form)

To convert the IP address from binary to decimal form, we convert each of the four 8-bit
numbers in each octet according to the following table:

Decimal Value 128 64 32 16 8 4 2 1

Octet Value x x x x x x x x

So the first octet in the above binary number would be translated as:

Decimal Value 128 64 32 16 8 4 2 1

Octet Value 1 1 0 0 0 0 0 1
Everywhere a 1 appears in the table, the decimal value in that column is added to
determine the decimal value of the entire octet.

11000001 = 128 + 64 + 1 = 193

Using the same table to translate the other three octets would give us the following

00001010 = 8 + 2 = 10

00011110 = 16 + 8 + 4 + 2 = 30

00000010 = 2

So in decimal form, the above IP address is: 193 .10 .30 .2

ETEC1999. All rights reserved
Rev 05/2014 Page 49
Address Classes
An IP address consists of two parts, one identifying the network and one identifying the
host. The Class of the address determines which part is the network address and which
part is the host address.

There are 5 different address classes. Classes can be distinguished by the decimal
notation of the very first octet. The following Address Class table illustrates how you can
determine to which class and an address belongs.
A 1-126 First Octet AVAILABLE
B 128-191 First 2 Octets AVAILABLE
C 192-223 First 3 Octets AVAILABLE
E 240-255 N/A N/A RESERVED

Note: 127 is reserved for loopback ( and is used for internal testing on the
local machine layer 4 and 3 (TCP/IP) protocol stacks.

Using this table, we can see the IP address in our above example is a Class C address.
We can also see which part of that IP address is the Network ID and which is the Host

Network ID: (First 3 Octets) = 193.10.30

Host ID: (However many Octets are left) = 1

Whenever you want to refer to your entire network with an IP address, the host section is
set to all 0’s (binary=00000000) = 0. For example, specifies the network for
the above address. When the host section is set to all 1’s (binary=11111111) = 255, it
specifies a broadcast that is sent to all hosts on a network. specifies a
broadcast address for our example IP address.

ETEC1999. All rights reserved
Rev 05/2014 Page 50
Private IP Addresses
You can use certain IP addresses privately within your own Intranet as long as they are
not seen by the global community. These addresses are listed below:

 –
 –
 –

** You must know how to subnet and apply default as well as variable length subnet
masks (VLSMs) with regard to specified criteria such as allowing for a specific number of
subnets and/or hosts. **

Data Link and Network Addressing

MAC Addresses

Uniquely identifies devices on the same medium. Addresses are 48 bits in length and are
expressed as 12 hexadecimal digits. The first 6 digits specify the manufacturer and the
remaining 6 are unique to the host. An example would be 00-00-13-35-FD-AB. No two
MAC addresses are the same in the world. Ultimately all communication is made to the
MAC address relationship. MAC addresses are copied to RAM when a network card is

Hexadecimal: Hex=Six Deci=Ten, 10+6=16, therefore Hexadecimal is counting by


Number of Numbers decimal Binary Hex

1 0 0000 0
2 1 0001 1
3 2 0010 2
4 3 0011 3
5 4 0100 4
6 5 0101 5
7 6 0110 6
8 7 0111 7
9 8 1000 8
10 9 1001 9
11 10 1010 A
12 11 1011 B
13 12 1100 C
14 13 1101 D
15 14 1110 E
16 15 1111 F

ETEC1999. All rights reserved
Rev 05/2014 Page 51
Data Link Addresses

Addresses that operate at the data link layer. A MAC address is a data link layer
address and these are built in by the manufacturer and cannot usually be changed.
They can be virtualized for Adapter Fault Tolerance or HSRP. Switches and Bridges
operate at the Data Link layer and use Data Link addresses to switch/bridge.

Network Addresses

Addresses that operate at the Network Layer:

These are IP addresses or IPX addresses that are used by Routers to route packets.
Network addresses are made up of two parts, the Network number and the Host ID. IP
addresses are 32 bit dotted decimal numbers. IPX addresses are 80 bit dotted
hexadecimal numbers. Network addresses are host specific and one must be bound to
each interface for every protocol loaded on the machine. There is not fixed relationship
between the host and the Network Address. For example, a router with three interfaces,
each running IPX, TCP/IP, and AppleTalk, must have three network layer addresses for
each interface. The router therefore has nine network layer addresses.

Why a Layered Model?

Standardizing hardware and software to follow the 7 layers of the OSI Model has several
major benefits:

1. It reduces complexity
2. Allows for standardization of interfaces
3. Facilitates modular engineering
4. Ensures interoperability
5. Accelerates evolution
6. Simplifies teaching and learning

ETEC1999. All rights reserved
Rev 05/2014 Page 52
Chapter 3 – Ipv4 and Subnetting
Subnetting Concept
The word subnet is short for sub network--a smaller network within a larger one. The
smallest subnet that has no more subdivisions within it is considered a single "broadcast
domain," which directly correlates to a single LAN (local area network) segment on an
Ethernet switch. The broadcast domain serves an important function because this is
where devices on a network communicate directly with each other's MAC addresses,
which don't route across multiple subnets, let alone the entire Internet. MAC address
communications are limited to a smaller network because they rely on ARP broadcasting
to find their way around, and broadcasting can be scaled only so much before the
amount of broadcast traffic brings down the entire network with sheer broadcast noise.
For this reason, the most common smallest subnet is 8 bits, or precisely a single octet,
although it can be smaller or slightly larger.

Subnets have a beginning and an ending, and the beginning number is always even and
the ending number is always odd. The beginning number is the "Network ID" and the
ending number is the "Broadcast ID." You're not allowed to use these numbers because
they both have special meaning with special purposes. The Network ID is the official
designation for a particular subnet, and the ending number is the broadcast address that
every device on a subnet listens to. Anytime you want to refer to a subnet, you point to
its Network ID and its subnet mask, which defines its size. Anytime you want to send
data to everyone on the subnet (such as a multicast), you send it to the Broadcast ID.
Later in this article, I'll show you an easy mathematical and graphical way to determine
the Network and Broadcast IDs.

Subnetting is the process used to divide the total available IP addressed (hosts) for your
Network into smaller sub networks (subnets). For example, the Network ID we used in
the discussion above ( This network would consist of 256 possible IP
addresses ( – We know this because in a Class C address,
only the last octet is available for host IDs (0000000 – 11111111) or (0-255). Since 0 is
used to identify the whole network and 255 is reserved for broadcasts that leaves us with
254 possible hosts ( –

Suppose we wanted to divide those 254 addresses up into 6 smaller subnets. This can
be done by using what is referred to as a Subnet Mask. By looking at the above table
we can see Class C addresses all have a default subnet mask of Since
the last octet of the subnet mask is 0, it means that the hosts IDs have not been
subdivided into smaller subnets. However, if we choose to divide our network into a few
smaller segments (subnets), then we would change the default subnet mask by replacing
the last octet with one of the valid subnet masks.

ETEC1999. All rights reserved
Rev 05/2014 Page 53
On the exam you will be asked to calculate subnet masks, valid ranges within a subnet,
number of subnets possible and number of hosts possible. If you understand the 2
tables below, you should have no problem answering any of these questions.

Here’s how it works:

QUESTION: If you have a class B IP network with a 10-bit subnet mask, how many
subnets and hosts can you have?

ANSWER: 1024 subnets with 62 hosts (just look on the table for this answer)

QUESTION: You have an IP address of with a subnet mask of What is your network ID and what range of addresses in this subnet?

ANSWER: Network ID is, range is –

ETEC1999. All rights reserved
Rev 05/2014 Page 54
(Since you are sub netting all 8-bits in the3rd octet, the number in the 3 rd octet becomes
part of your network ID. By looking at the table you see you have 126 hosts in each
subnet. You also see the address range for each subnet is 128. Since the 0 is your
network address and 127 is your broadcast address, the valid range of hosts addresses
in this subnet is – = 126).

QUESTION: You have a subnet mask of in a class B network. How

many subnets and hosts do you have?

ANSWER: 8192 subnets, each with 6 hosts.

QUESTION: If you have a Class C network with a 6-bit subnet mask, how many subnets
and hosts to you have?

ANSWER: 64 subnets, each with 2 hosts.

QUESTION: You have an IP address of with an 11-bit subnet mask. What
is the Network ID, range of subnet addresses, and Broadcast address for this subnet?

ANSWER: Network ID = =1

Host IDs = – = 30
Broadcast Address = = 32

By looking at the table above, you can see that a class B address with an 11 bit subnet
mask has a RANGE of 32 with 30 HOSTS. Since this is a class B address we know that
the first 2 octets are the original Network ID ( Since we are sub netting all 8-
bits of the 3rd octet, then the 3rd octet automatically becomes part of our Sub network ID
(172.16.3). We know by the table that an 11-bit subnet mask will have 30 hosts and 32
addresses in each range. Since we are sub netting more than 8-bits, the fourth octet of
our subnet will always begin with 0. So the first 32 IP addresses available to us in
172.16.3 are – Our given IP address ( is not in this
range. The next range of 32 IP addresses is –, Bingo...This is
the subnet we are looking for. We know that the first address in the subnet range is
always the Network ID ( The next 30 are all valid hosts ( – The remaining address ( is our broadcast address.

QUESTION: You have a class C network address of You need the largest
possible number of subnets with up to 12 hosts on each. Which subnet mask would you

ANSWER: (look at the table)

ETEC1999. All rights reserved
Rev 05/2014 Page 55
Good table to remember (only work with Class C subnets)

N X=2N Host(s)
(# of bits (# of Mask / Notation per
borrow) Networks) subnet
1 2 128 /25 128 126
2 4 192 /26 64 62
3 8 224 /27 32 30
4 16 240 /28 16 14
5 32 248 /29 8 6
6 64 252 /30 4 2
7 128 254 /31 2 0

/32 is typically used describe a single host or used on a loopback address.

Note: Subnetting is a very difficult subject for student to understand and have a good
grasp on it. So pay attention during this chapter and please ask your instructor to
explain one on one if needed. There are so many ways, so many different tables but in
the real world, we can use a subnet calculator to do this. However; you need to know
how to figure it out as quickly as possible. Each instructor at ETEC is trained to find a
way to explain you in different methods.

Troubleshooting TCP/IP
There are recommended steps to troubleshooting network connectivity. Rather than try
to recall several different methods for determining what type of problem may be causing
a loss in connectivity, a more methodical approach is in order.

1. Does your host have an IP address? Can’t contact DHCP server? Your Windows
OS should have an IP address of 169.254.x.x if the host can’t contact the DHCP
2. Can’t get to the internet? Can you ping the Gateway address? Is your Gateway
set? Is your DNS address correctly set?
3. No light on the NIC card? Are you using the correct cable?
4. Determine if you can ping the loopback address; If this is successful,
then the TCP/IP stack is functioning properly. If it fails, then a reinstallation of
TCP/IP on the problem host is warranted.
5. Ping the local host address. If this is successful, then your network interface card
(NIC) is functioning properly. Otherwise, the NIC is malfunctioning.

If everything was successful, there could be issues remotely with the server. If all of the
above fails, there could be an issue with your Domain Name System (DNS) settings.

DNS is what allows us to use friendly easy to remember names in place of IP addresses
when we are communicating with hosts on the network or the internet.
ETEC1999. All rights reserved
Rev 05/2014 Page 56
Chapter 4 - Network Devices and Cisco IOS
Boot Sequence
Like a computer, every networking device when first power up will go through a boot
sequence. This boot sequence is necessary in order to test the hardware and load the
required software.

The following is a brief overview of the steps in the boot sequence:

1. The router performs the POST which tests the hardware to verify that all
components are operational and present. The POST is in the ROM.
2. Once POST has passed, a program in the ROM called the bootstrap, which is
used to tell where to looks for and loads the CISCO IOS. By default, the IOS
software is loaded from flash memory in all Cisco routers (0x2102). If no IOS
found in flash, router will search for a TFTP server. If no IOS are located, router
will enter rommon mode.
3. The IOS is de-compress to DRAM and the router will boot the IOS.
4. During the booting, NVRAM is checked to see if there is a valid configuration file
stored. This would be the startup-config and has to be copied there from the
5. If there is a startup-config present, then the router will copy the startup-config file
to running-config file and run it. If no startup-config is present, the router will enter
setup mode once it is booted.

The default startup sequence above can be change in many different modes by
changing the configuration registry:

 Change the boot sequence to look for IOS from a TFTP server first. This mode
allows you to test out a new IOS version or allows company taking security
measure by keeping all IOS on a remote server.
 Boot normally but skip the startup-config and go straight to setup dialog mode.
This allows you to recover password.
 Boot normally but look for startup-config file from a TFTP server instead of
NVRAM. This again is for security measure. If a device was to be stolen, their
configuration would not be compromise.

ETEC1999. All rights reserved
Rev 05/2014 Page 57
Router Elements
Read-only memory (ROM)
Holds the POST and the bootstrap program, as well as the mini-IOS. Used to start and
maintain the router.

Power-on self-test (POST)

Stored in the microcode of the ROM, the POST is used to check the basic functionality of
the router hardware.

ROM monitor
Stored in the microcode of the ROM, the ROM monitor is used for testing,
troubleshooting, IOS recovery and Password recovery.

Called the RXBOOT or bootloader by Cisco, the mini-IOS is a small IOS in ROM that can
be used to open an interface and un-compress the IOS into flash memory.

Random-access memory (RAM)

Upon boot, routers expand the IOS from flash into RAM then boot. The running-config
file is also stored in RAM. RAM is also to hold packet buffers, ARP cache, routing
tables, and the software and data structures that allow the router to function.

Memory Used to store the Cisco IOS by default. Flash memory is not erased when the
router is reloaded. It is electronically erasable programmable read only memory
(EEPROM). Switch use Flash to store VLAN database and Firewall store its signature in

Nonvolatile RAM (NVRAM)

Used to hold the startup configuration. NVRAM is not erased when the router or switch is
reloaded. Does not store an IOS. The configuration-register file is stored in NVRAM.

Configuration Register
The configuration register can be used to change router behavior in several ways, such

 how the router boots (into ROMmon, NetBoot)

 options while booting (ignore configuration, disable boot messages)
 console speed (baud rate for a terminal emulation session)

ETEC1999. All rights reserved
Rev 05/2014 Page 58
The configuration register can be set from configuration mode using the config-register
command. From ROMmon, use the confreg command. Issue the show version command
to view the current setting of the configuration register:

There are 16 bits in the configuration register which are read from 15 to 0, left to right.
The default setting on Cisco routers is 0x2102.

(Cisco uses the ‘0x’ to let you know that this value is hexadecimal.)

When looking at the bits in the configuration register, they are set out as shown below:

Configuration Register Bit Numbers

Register 2 1 0 2

Bit number 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0

Binary 0 0 1 0 0 0 0 1 0 0 0 0 0 0 1 0

A standard method of bypassing the settings in NVRAM is setting the configuration

register to 0x2142. When this setting is enabled one can bypass the startup-config and
perform password recovery and other tasks.


0x2102= normal boot sequence

0x2142= skip startup-configuration file on the boot

ETEC1999. All rights reserved
Rev 05/2014 Page 59
The CISCO Internetwork Operating System (IOS) is the operating system software that
comes with all CISCO routers.

IOS Router Modes

The IOS interface provides for 6 basic modes of operation.
MODE Description Access Command Prompt
Setup Mode Prompted dialog that guide a Type setup at Priv Will display a wizard
basic user to setup devices for mode prompt and guide the user to
remote connection so an configure the device.
experience technician could
remote in and finish the device
User EXEC Mode Provides for limited examination Default mode at Router>
of router information login
Privileged EXEC Provides detailed examination, Type enable at Router#
Mode testing, debugging and file command prompt
manipulation such as saving
and backup
Global Configuration Allows you to change high level Type config t at Router(config)#
Mode router configuration the Privileged
mode prompt
ROM Monitor Mode Automatic if the IOS does not Ctrl+Break at >or rommon>
exist or the boot sequence is power on
RXBoot Mode Helper software that helps the N/A Router<boot>
router boot when it cannot find
the IOS image in FLASH

Setup Mode
If the router has no initial configuration, it will bring you to the setup mode to establish a
basic configuration. You can also enter setup mode at any time from the command line
by typing the command setup from privileged mode. Setup mode helps you to enter
basic information about the router such as Hostname, Passwords and configures only
enough connectivity for management of the system. Here is an example:

Would you like to enter the initial configuration dialog? [yes/no]: y

Would you like to enter basic management setup? [yes/no]: y
Configuring global parameters:
Enter host name [Router]: CorpRouter

User EXEC Mode

Provides limited examination of router information. Here are some examples:

Router>show ip route display routing table

Router>show version display router IOS, RAM, Flash, etc.

ETEC1999. All rights reserved
Rev 05/2014 Page 60
Privileged EXEC Mode
Provides detailed examination, testing, debugging and file manipulation. Only in this
mode, you can save your configuration. Here are some examples:

Router>enable enter privilege mode

Router#show run display running configuration
Router#copy run start save running configuration to startup configuration
Router#exit exit privileged mode to user EXEC mode

Global Configuration Mode

Allows you to change high level router configuration.

Router#conf t enter global configuration mode

Router(config)#interface fa0/1 enter interface fa0/1 configuration
Router(config)#hostname CorpRouter set host name to CorpRouter
Router(config)#enable password cisco Set enable password to Cisco
Router(config)#exit exit global configuration to privilege

Context Sensitive Help

The IOS has a built in Context-sensitive help. The main tool is the ? symbol. If you are
unsure of what a command or the entire syntax for a command should be, type in a
partial command followed by a ? and the help facility will provide you with the available
Default settings are in square brackets '[ ]'.
Configuration aborted, no changes made.
At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.

Command History
The IOS user interface provides a history or record of commands that you have entered.
This feature is particularly useful for recalling long or complex command entries. By
default, the system records the 10 most recent command lines in its history buffer.

show history To display the entries in the history buffer

terminal history <size To change the numbers of command lines recorded
number-of-command lines> during the current terminal session use the following
history <size number-of- To configure the number of command lines the system
command lines> records by default, enter the following command line in
configuration mode

ETEC1999. All rights reserved
Rev 05/2014 Page 61
Editing Commands
Helpful shortcuts

Ctrl-W Erases a word

Ctrl-U Erases a line
Ctrl-A Moves the cursor to the beginning of the current line
Ctrl-E Moves the cursor to the end of the current line
Ctrl-F (or right arrow) Move forward one character
Ctrl-B (or left arrow) Move back one character
Ctrl-P (or up arrow) Recall commands in the history buffer starting with the
most recent command.
Ctrl-N (or down arrow) Return to more recent commands in the history buffer
after recalling commands with Ctrl-P or the up arrow key
ESC+B Move backward one word
ESC+F Move forward one word
Ctrl-Z Ends Configuration Mode and returns to the Privileged
EXEC Mode.
TAB Key Finishes a partial command
Ctrl+^ Break current process

Managing Configuration Files

Router configuration information can be generated by several means. From privileged
EXEC mode you can enter the configure command to configure the running configuration
from either a Terminal (Console), Memory (NVRAM), or Network (TFTP).

These 4 commands are holdovers from the 10.0 IOS days.

config terminal Allows you to configure manually from the console terminal.
config memory Loads the configuration file from NVRAM, same as copy startup
config network Loads the configuration from a TFTP server to RAM, same as
copy TFTP startup.
config overwrite Loads a configuration file directly to NVRAM without affecting
the running configuration.

ETEC1999. All rights reserved
Rev 05/2014 Page 62
You can also use the copy command:

copy run start Copies the running config (RAM) to the Startup config (NVRAM).
Used after real time changes via config term has been made that
are required to be saved.
copy start run Copies startup configuration from NVRAM into RAM where it
becomes the running configuration.
copy run tftp Makes a backup of the running config file to a TFTP server.
copy tftp run Loads configuration information from a TFTP server.
copy tftp start Copies the config file from the TFTP server into NVRAM.
copy tftp flash Loads a new version of the CISCO IOS into the router.
Copy flash tftp Makes a backup copy of the software image onto a network

To use a TFTP server you must specify the TFTP server’s hostname or IP address and
the name of the file.

show start To view the configuration in NVRAM

show run To view the current running configuration
configure mem To re-execute the configuration commands located in NVRAM
erase start To erase the contents of NVRAM
show ip route To display the current state of the routing table
show interfaces To display statistics for all interfaces configured on the router or
access server

Router Identification

The Router can be assigned a name by entering the following command at the global
config prompt:

Router(config)#hostname <router name>

If no name is entered, the default name “Router” will be used.

ETEC1999. All rights reserved
Rev 05/2014 Page 63
There are five different passwords that can be used when securing your Cisco Router;
Enable Secret, Enable Password, Virtual Terminal Password, Auxiliary Password, and
Console Password.

Enable Password
This password guards the privilege mode. It can be set up during setup mode or from
global configuration.

Router(config)#enable password <password>

Telnet Password
Telnet is a virtual terminal protocol that allows you to make connections to remote
devices, get information about them and run programs.
Once telnet is set up a console cable is not required to connect to the device. It can be
set up during setup mode or from global config.

Router(config)#line vty 0 4
Router(config-line)#password <password>

Line vty 0 4 specifies the number of Telnet sessions allowed in the router concurrently
and login command is needed to allows remote login.

Note: In order for telnet to work, you need to have both VTY passwords and enable
password or enable secret password set on the routers.

Auxiliary Password - Used for connections via the Aux port on the Router such as dial-

Router(config)#line aux 0
Router(config-line)#password <password>

Console Password - Used for connections via the console port on the Router. This
password will secure the User EXEC Mode.

Router(config)#line console 0
Router(config-line)#password <password>

Note: the “0” on both auxiliary and console due to 1 concurrent login is allowed by

ETEC1999. All rights reserved
Rev 05/2014 Page 64
With the exception of Enable Secret Password, when you show the running configuration
file, all passwords are shown in clear text.
To hash (hide) all current and future password, use the service password-encryption

Router(config)#service password-encryption

Using service password-encryption, those passwords are displayed as a hash value

using MD5 level 7. MD5 level 7 is a very week hashing algorithm that only used number
0-9 and uppercase alphabet. MD5 level 7 has been cracked and can be decrypt in
seconds (http://packetlife.net/toolbox/type7/, http://www.firewall.cx/cisco-technical-

The most important password on networking devices is the privilege password. Knowing
the privilege password, attacker can copy your devices configuration, alter your device
configuration in global configuration mode. Cisco recognize this and create an alternate
solution for privilege password:

Enable Secret Password

This is the same as the enable password but it’s also a cryptographic password using
MD5 level 5, which has precedence over the enable password when it exists. It can
be set up during setup mode or from global configuration.

Router(config)#enable secret <password>

The enable and enable secret password cannot be the same. If both are set, only the
enable secret will be used.

Interface Setup
All interfaces on Cisco routers are administrative shutdown (disable) by default for
security. The IP address can be setup manually or by DHCP server. The no shut
command used to enable the interface.

Router(config-if)#ip address <IP address> <Subnet Mask>

Fast Ethernet Interface

Router(config)#interface f0/0
Router(config-if)#ip address
Router(config-if)#no shut

Serial Interface
When connecting a serial cable to the serial interface of the router, clocking is provided
by an external device, such as a CSU/DSU device. A CSU/DSU (Channel Service
Unit/Data Service Unit) is a digital-interface device used to connect a router to a digital
circuit. The router is the DTE (Data Terminal Equipment) and the external device is the

ETEC1999. All rights reserved
Rev 05/2014 Page 65
DCE (Data Communications Equipment), where the DCE provides the clocking.
However, in some cases we might connect two routers back-to-back using the routers’
serial interfaces (Example: Inside the router labs). Each router is a DTE by default.
The cable decides which end to be DCE or DTE and it is usually marked on the
cable. The picture below shows back to back cable.

Router(config)#interface s0/0
Router(config-if)#ip address
Router(config-if)#clock rate 1000000
Router(config-if)#no shut

You can give each interface a description to help identify the interface. This is done in
interface configuration mode by typing.

Router(config-if)#description <description name>

This will label the interface with the string you enter.

Other configuration can be applied on Interface command such as Bandwidth, Speed,

Duplex and sub-interfaces.

The following commands can be used to monitor your IP information:

show ip protocol
show ip route
show ip interface
show ip interface brief

The Show Interface command can be used to troubleshoot problems with interfaces.
Here is a partial readout from the Show Interface command:

- MTU 1500 bytes, Bw 10000 Kbit, Dly 100 Usec. reliability 128/255,
txload 1/255.

Notice the portion that reads “reliability”. Looking at this we see that there is about a
50% loss in reliability (128 divided by 255).

ETEC1999. All rights reserved
Rev 05/2014 Page 66
You can configure a message of the day (MOTD) banner on your router to be displayed
on all connecting terminals. This is done by entering the banner motd command in the
global configuration mode.

Router(config)# banner motd #<message>#

The # sign is any delimiting character you choose to use. The message part of the
command must begin and end with the same delimiting character.

To specify a banner used when you have an incoming connection to a line from a host
on the network, use the banner incoming global configuration command. The no form of
this command deletes the incoming connection banner.

Router(config)# banner incoming#<message>#

Router(config)# no banner incoming

An incoming connection is one initiated from the network side of the router. Incoming
connections are also called reverse Telnet sessions. These sessions can display MOTD
banners and INCOMING banners. Use the no motd-banner line configuration command
to disable the MOTD banner for reverse Telnet sessions on asynchronous lines.

System Message Logging

By default, switches send the output from system messages and debug privileged EXEC
commands to a logging process. The logging process controls the distribution of logging
messages to various destinations, such as the logging buffer, terminal lines, or a UNIX
syslog server, depending on your configuration. The process also sends messages to
the console.

When the logging process is disabled, messages are sent only to the console. The
messages are sent as they are generated, so message and debug output are
interspersed with prompts or output from other commands. Messages are displayed on
the console after the process that generated them has finished.
You can access logged system messages by using the switch command-line interface
(CLI) or by saving them to a properly configured syslog server. The switch software
saves syslog messages in an internal buffer. You can remotely monitor system
messages by accessing the switch through Telnet, through the console port, or by
viewing the logs on a syslog server.

ETEC1999. All rights reserved
Rev 05/2014 Page 67
Setting the Message Display Destination Device
If message logging is enabled, you can send messages to specific locations in addition
to the console. Beginning in privileged EXEC mode, use one or more of the following
commands to specify the locations that receive messages:

logging buffered [size] Log messages to an internal buffer. The default buffer size is 4096. The
range is 4096 to 4294967295 bytes.

Note Do not make the buffer size too large because the switch could run
out of memory for other tasks. Use the show memory privileged EXEC
command to view the free processor memory on the switch; however, this
value is the maximum available, and the buffer size should not be set to
this amount.
logging host Log messages to a UNIX syslog server host.
For host, specify the name or IP address of the host to be used as the
syslog server.
To build a list of syslog servers that receive logging messages, enter this
command more than once.
logging file flash:filename Store log messages in a file in Flash memory.
[max-file-size] [min-file-size] For filename, enter the log message filename.
[severity-level-number | type]  (Optional) For max-file-size, specify the maximum logging file size. The
range is 4096 to 2147483647. The default is 4069 bytes.
 (Optional) For min-file-size, specify the minimum logging file size. The
range is 1024 to 2147483647. The default is 2048 bytes.
 (Optional) For severity-level-number | type, specify either the logging
severity level or the logging type. The severity range is 0 to 7.

The logging buffered global configuration command copies logging messages to an

internal buffer. The buffer is circular, so newer messages overwrite older messages after
the buffer is full. To display the messages that are logged in the buffer, use the show
logging privileged EXEC command. The first message displayed is the oldest message
in the buffer. To clear the contents of the buffer, use the clear logging privileged EXEC

To disable logging to the console, use the no logging console global configuration
command. To disable logging to a file, use the no logging file [severity-level-number |
type] global configuration command.

Synchronizing Log Messages

You can configure the system to synchronize unsolicited messages and debug privileged
EXEC command output with solicited device output and prompts for a specific console
port line or virtual terminal line.

 You can identify the types of messages to be output asynchronously based on the
level of severity.
 You can also determine the maximum number of buffers for storing asynchronous
messages for the terminal after which messages are dropped.

ETEC1999. All rights reserved
Rev 05/2014 Page 68
When synchronous logging of unsolicited messages and debug command output is
enabled, unsolicited device output is displayed on the console or printed after solicited
device output is displayed or printed. Unsolicited messages and debug command output
is displayed on the console after the prompt for user input is returned. Therefore,
unsolicited messages and debug command output are not interspersed with solicited
device output and prompts. After the unsolicited messages are displayed, the console
again displays the user prompt.

Example Configuration: Here’s a basic configuration of a router

 Set the hostname of the router to ETEC
 Set enable secret password to cisco
 Configure a motd banner
 Configure the interface f0/0 for the LAN side and enable it
 Configure the interface serial 0/0 for the WAN side and enable it
 Configure and allows 2 concurrent telnet sessions
 Configure and secure user EXEC mode
 Save the configuration.

Router#config t
Router(config)#hostname ETEC
ETEC(config)#enable secret cisco
ETEC(config)#banner motd #Authorized Access Only!#
ETEC(config)#interface f0/0
ETEC(config)#description LAN Network Connection
ETEC(config-if)#ip address
ETEC(config-if)#no shut
ETEC(config)#interface s0/0
ETEC(config-if)#description WAN Network Connection
ETEC(config-if)#ip address
ETEC(config-if)#clock rate 1000000
ETEC(config-if)#no shut
ETEC(config)#line vty 0 1
ETEC(config-line)#password cisco
ETEC(config)#line con 0
ETEC(config-line)#password cisco
ETEC(config-line)#logging synchronous
ETEC#copy run start

ETEC1999. All rights reserved
Rev 05/2014 Page 69
Other Services and utilities

Domain Name Service (DNS)

Domain Name Service (DNS) is how IP addresses are mapped to a friendly name. An
example of this is the DNS name www.cisco.com, which maps to
Every computer on the internet has to have an IP address to communicate. Although
DNS names are optional, they are essential to ease of management and allow people to
readily remember various destinations on the internet.

Verifying IP addresses
IP addresses can be verified by using Telnet, ping, or trace.

Verifies the application-layer software between source and destination stations. This is
the most complete test mechanism available. Telnet is a typically common way to
remote in network devices for management. However; telnet is a clear text protocol that
can be capture by attacker. For security remote management, use Secure Shell or SSH.

Secure Shell
As you well known, Telnet data are send in clear text. Using Secure Shell (SSH), you
can create a more secure session than the Telnet. SSH uses encrypted keys to send
data so that your username and password are not sent in the clear.

ip domain-name Sets your domain name. (required)

crypto key generate rsa Sets the size of the key
general-keys modulus
ip ssh time-out Sets the idle timeout
ip ssh authentication-retries Sets the max failed attempts
line vty 0 4 Chooses your VTY lines to configure
transport input ssh Tells the router to use only SSH.
transport input ssh telnet Tells the router to use SSH and then

ETEC1999. All rights reserved
Rev 05/2014 Page 70
Uses the ICMP protocol to verify the hardware connection at the logical address of the
network layer. The ping command is configurable from normal executive and privileged
EXEC mode. Ping returns one of the following responses:
 Normal response—the normal response (hostname is alive) occurs in 1 to 10
seconds, depending on network traffic.
 Destination does not respond—if the host does not respond, a No Answer
message is returned.
 Unknown host—if the host does not exist, an Unknown Host message is returned.
 Destination unreachable—if the default gateway cannot reach the specified
network, a Destination Unreachable message is returned.
 Network or host unreachable—if there is no entry in the route table for the host or
network, a Network or Host Unreachable message is returned.

To stop a ping in progress, press Ctrl-C.

Uses Time-To-Live (TTL) values to generate messages from each router used along the
path. This is very powerful in its ability to locate failures in the path from the source to
the destination.

ETEC1999. All rights reserved
Rev 05/2014 Page 71
The Cisco Discovery Protocol (CDP) is a device discovery protocol that runs over Layer
2 (the data link layer) on all Cisco-manufactured devices (routers, bridges, access
servers, and switches). CDP allows network management applications to automatically
discover and learn about other Cisco devices connected to the network.
CDP can also be used to show information about the interfaces your router uses. CDP is
media- and protocol-independent, and runs on all Cisco-manufactured equipment
including routers, bridges, access servers, and switches

Enable CDP globally: cdp run

Disable CDP globally: no cdp run

At the Interface configuration mode, you can only enable or disable CDP.
Router(config-if)#no cdp enable

Cisco devices send CDP announcements to the multicast destination address 01-00-0c-
cc-cc-cc, which is also used in other Cisco protocols such as VTP.

CDP announcements are sent by default every 60 seconds on interfaces that support
Subnetwork Access Protocol (SNAP) headers, including Ethernet, Frame Relay and
Asynchronous Transfer Mode (ATM).
Each Cisco device that supports CDP stores the information received from other devices
in a table that can be viewed using the show cdp neighbors command. The CDP table
information is refreshed each time an announcement is received, and the holdtime for
that entry is reinitialized.
The holdtime specifies the lifetime of an entry in the table - if no announcements are
received from a device for a period in excess of the holdtime, the device information is
discarded (default 180 seconds).

At the global configuration mode, you can also set the hold time and timer. For example:

Router(config)#cdp timer 30
Router(config)#cdp holdtime 120

When CDP is enabled you can view details of other Cisco devices by typing:

show cdp neighbors

show cdp neighbors detail

The information contained in CDP announcements varies by the type of device and the
version of the operating system running on it. This displays the information about
neighboring routers such as Router’s hostname, Hardware platform, Port identifiers,
Capabilities list, Version information, Up to one address for each protocol supported.

ETEC1999. All rights reserved
Rev 05/2014 Page 72
To support non-Cisco devices and to allow for interoperability between other devices, the
switch supports the IEEE 802.1AB LLDP. LLDP is a neighbor discovery protocol that is
used for network devices to advertise information about themselves to other devices on
the network. This protocol runs over the data-link layer, which allows two systems
running different network layer protocols to learn about each other.
LLDP supports a set of attributes that it uses to discover neighbor devices. These
attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP
supported devices can use TLVs to receive and send information to their neighbors.
Details such as configuration information, device capabilities, and device identity can be
advertised using this protocol.

LLDP is disabled by default.

enable LLDP globally: lldp run

disable LLDP globally: no lldp run

This example shows how to configure a holdtime of 120 second, a delay time of 2
seconds and an update frequency of 30:
Switch# configure terminal
Switch(config)# lldp holdtime 120
Switch(config)# lldp reinit 2
Switch(config)# lldp timer 30
Switch(config)# end

This example shows how to transmit only LLDP packets:

switch# configure terminal
switch(config)# no lldp receive
switch(config)# end

If you want to receive LLDP packets again, do the following:

switch# configure terminal
switch(config)# lldp receive
switch(config)# end

ETEC1999. All rights reserved
Rev 05/2014 Page 73
Password Recovery
For a moment, consider this: What happens when a password is lost or forgotten?

Here are the basics, outlined in this Step-by-Step Procedure:

1. Attach a terminal or PC with terminal emulation to the console port of the router.

2. Using the power switch, turn the router off and then turn it back on.

3. Send a break sequence (Ctrl+Break) from the terminal keyboard within 5 seconds
of the power-up to put the router into ROMMON.
The break sequence depends on your Operating System/Terminal Emulator.

4. At the Rommon>, change the register to 0x2142 (by pass the startup-config file
and go to the setup dialog):

confreg 0x2142

5. Type reset to reboot the router

6. Once the router is completely rebooted, skip the setup dialog and go to privilege

7. At this time, your startup-config file is still intact but you have logged into the
router already so you can:

 View your password if it’s no encrypted

Show startup-config

 Copy the Startup-Config to Running-Config then change your password

copy start run

8. Save your running-config

copy run start

9. Important: Now you need to change the bootstrap back to 0x2102 (normal

10. Go to the Global configuration mode and issue the command:

config-register 0x2102

11. There’s no need to reboot your router since it is loaded with your old

ETEC1999. All rights reserved
Rev 05/2014 Page 74
Backup/Restore/Upgrade the Cisco IOS
Most routers are not as familiar to most of us as workstations. When we want to load a
program onto a workstation, and we have a diskette, we can simply place the diskette
into the appropriate drive and initial the process. Even loading a file from a remote
location onto a workstation is commonplace. But how would one load a new copy of the
Cisco IOS onto a router?

We can use a TFTP server to store a current copy of the IOS, and then load the IOS on
a selected router. This can be accomplished using the following command syntax:

copy tftp flash (upgrade a new IOS version)

copy flash tftp (backup an IOS in case of corruption)

The above is a basic introduction to the command because there are other parameters
required, such as the IP address of the TFTP server and the name of the file you want to
download. As you continued through the process you would be prompted for information
and upon providing the requisite responses you will have a copy of the IOS loaded into
flash on the router.

Before you back up an IOS image to a network TFTP server on your internetwork, do
these three things:

1. Make sure that you can access the TFTP server. Try pinging it; make sure that
you can reach it via IP.
2. Make sure that the TFTP server has enough space to accommodate the IOS file.
The IOS is a file that can be several MB in size. You need to have enough room
on the server to copy this file to the server.
3. Verify file naming and path requirement. Naming the file IOS.bin, would make it
difficult to find if you have 20 other IOS’s on the server for different platforms.

ETEC1999. All rights reserved
Rev 05/2014 Page 75
Chapter 5 - Layer 2 Switching
Basic Layer 2 Switching

Switching occurs at layer two of the OSI. As will most things, current switching
equipment has gotten cheaper and will therefore allow an economical alternative to using
hubs (which operate at layer one), allowing the creation of separate collision domains.

The first layer two device is called a bridge. While not as common now as they once
were, a bridge literally a hub running a software and a CAM table to help learning MAC
address of connecting network host. Same as switches, bridges also allowed the
segmenting of networks into separate collision domains. Bridge is slower than switch
due to software and has less ports than switches.

A switch is essentially a multi-port bridge. And, while they allow us to separate collision
domains, bridged networks still belong to the same broadcast domain. And, as a
network grows, broadcasts and multicasts coupled with slow convergence of spanning
trees will cause bandwidth problems.

Layer 2 switches are great; however, they will never completely replace routers (which
operate at layer 3).

There are 3 switch functions that occur at layer 2:

1. Address learning: layer 2 switches learn the source MAC address of each frame
received on an interface. This is where it begin to populate its MAC address
table. Once the switch learned all MAC address of all devices connect to it, this is
called converged. (see Comprehensive Review Case Study 1 for further details)

2. Forward/filter decisions: Once a frame is received on an interface, the destination

MAC address is examined and the proper exit interface is located by using the
MAC database. If it is found, switch will forward the frame out to the destination
port. If it is not in the MAC table or a broadcast MAC address of
FF:FF:FF:FF:FF:FF (i.e. ARP request), it will then flood the frame to all interfaces
(in that VLAN) including all trunk interfaces except the source port.

3. Loop avoidance: Spanning Tree Protocol (STP) is used to stop network loops
and permit redundancy (this is not cover in ICND but you should ask instructor
about it).

Question: Why on the MAC address table of a switch, there are more than one MAC
address on an interface?

Answer: Because that interface is directly connected to another network device such as
a hub or another switch.

ETEC1999. All rights reserved
Rev 05/2014 Page 76
Note: If an interface of a switch is connected to a host or a hub, that port is called an
access port. If it’s connected to another switch then it can be an access port or a trunk
port. An access port only allow the same VLAN to cross where the trunk will allows all
known VLAN frames to cross.

LAN Switching
LAN switch types decide how a frame is handled when it’s received on a switch port.
Latency – the time it takes for a frame to be sent out an exit port once the switch
receives the frame depends on the chosen switching mode. There are three switching

Cut-Through (Fast Forward) Switching

With Cut-Through switching, the switch copies only the Destination Address that is the
first 6 bytes after the frame preamble into its buffer. The LAN switch then looks up the
destination address in its switching table and determines the outgoing interface. The
frame is then sent to the interface. A cut-through switch provides reduced latency
because it begins to forward the frame as soon as it reads the destination address and
determines the outgoing interface.

Fragment Free (Modified Cut-Through) Switching

This is the default mode for the Catalyst 1900 switch. In Fragment Free mode, the
switch checks the first 64 bytes of a frame before forwarding it for fragmentation, thus
guarding against forwarding runts, which are caused by collisions.

Store-and-Forward Switching
With Store-and-Forward switching, the switch copies the entire frame into its buffer and
computes the CRC.

The frame is discarded if a CRC error is detected or if the frame is a runt (less than 64
bytes including the CRC) or a giant (more than 1518 bytes including the CRC). The LAN
switch then looks up the destination address in its switching table and determines the
outgoing interface. The frame is then sent to the interface.
Store-and-Forward switching is standard on Cisco Catalyst 5000 switches.
Latency using Store-and-Forward switching is dependent upon the frame size and is
slower than Cut-through switching.

Switch CLI
Cisco Switches can be used as plug and play meaning you can just plug them into your
network and let them do their thing. But you may want to Telnet into the switch or use
some other management software as well as configure the switch with different Virtual
Local Area Networks (VLANs).

ETEC1999. All rights reserved
Rev 05/2014 Page 77
Using the command line interface (CLI) is very similar to that of a Cisco router. While
some of the more basic commands are similar, there are differences; however, you will
become more adept at the differences the more you utilize the CLI.
Setting IP information
Remember, you don’t have to set any IP configuration on the switch to make it work. But
there are two reasons you probably do want to set the IP address:

 To manage the switch via Telnet or other management software

 Troubleshoot VLAN Trunking Protocol (VTP) (next chapter)
 To configure the switch with different VLANs and other network functions (next

You actually configure it under the VLAN1 interface. Remember that every port on every
switch is a member of VLAN1 by default. This can confuse a lot of people – just
remember that you set an IP address “for” the switch so you can manage it

2950#config t
2950#int vlan1
2950(config-if)#ip address
2950(config-if)#no shut
2950(config)#ip default-gateway

Above I have set the ip address of the switch to a class C of with the
default class C subnet mask, and then set the default gateway. Default-Gateway must
be set at the Global Configuration mode.

We must specify both the IP address as well as the default gateway for the switch
to be managed remotely. Additionally, any remote workstation has to be able to get
access to the management VLAN on the switch.

By default, all ports on all switches are part of the management VLAN (VLAN 1).

ETEC1999. All rights reserved
Rev 05/2014 Page 78
Chapter 6 - DHCP
DHCP Address Assignment and Allocation Mechanisms
The two main functions of the Dynamic Host Configuration Protocol are to provide a
mechanism for assigning addresses to hosts, and a method by which clients can request
addresses and other configuration data from servers. Both functions are based on the
ones implemented in DHCP's predecessor, BOOTP, but the changes are much more
significant in the area of address assignment than they are in communication. It makes
sense to start our look at DHCP here, since this will naturally lead us into a detailed
discussion of defining characteristic of DHCP: dynamic addressing.

DHCP Address Allocation Mechanisms

Providing an IP address to a client is the most fundamental configuration task performed
by a host configuration protocol. To provide flexibility for configuring addresses on
different types of clients, the DHCP standard includes three different address allocation

 Manual Allocation: A particular IP address is pre-allocated to a single device by an

administrator. DHCP only communicates the IP address to the device.
 Dynamic Allocation: DHCP assigns an IP address from a pool of addresses for a
limited period of time chosen by the server, or until the client tells the DHCP
server that it no longer needs the address.

The use of dynamic address allocation in DHCP means a whole new way of thinking
about addresses. A client no longer owns an address, but rather leases it. This means
that when a client machine is set to use DHCP dynamic addressing, it can never assume
that it has an address on a permanent basis. Each time it powers up, it must engage in
communications with a DHCP server to begin or confirm the lease of an address. It also
must perform other activities over time to manage this lease and possibly terminate it.

The DHCP Lease "Life Cycle"

Calling dynamic address assignments leases is a good analogy, because a DHCP IP
address lease is similar to a “real world” lease in a number of respects. For example,
when you rent an apartment, you sign the lease. Then you use the apartment for a
period of time. Typically, assuming you are happy with the place, you will renew the
lease before it expires, so you can keep using it. If by the time you get near the end of
the lease the owner of the apartment has not allowed you to renew it, you will probably
lease a different apartment to ensure you have somewhere to live. And if you decide,
say, to move out of the country, you may terminate the lease and not get another at all.

ETEC1999. All rights reserved
Rev 05/2014 Page 79
DHCP leases follow a similar lease “life cycle”, which generally consists of the following
 Allocation: A client begins with no active lease, and hence, no DHCP-assigned
address. It acquires a lease through a process of allocation.

 Reallocation: If a client already has an address from an existing lease, then when
it reboots or starts up after being shut down, it will contact the DHCP server that
granted it the lease to confirm the lease and acquire operating parameters. This is
sometimes called reallocation; it is similar to the full allocation process but shorter.

 Normal Operation: Once a lease is active, the client functions normally, using its
assigned IP address and other parameters during the “main part” of the lease.
The client is said to be bound to the lease and the address.

To implement DHCP, an administrator must first set up a DHCP server and provide it
with configuration parameters and policy information: IP address ranges, lease length
specifications, and configuration data that DHCP hosts will need to be delivered to them.
Host devices can then have their DHCP client software enabled, but nothing will happen
until the client initiates communication with the server. When a DHCP client starts up for
the first time, or when it has no current DHCP lease, it will be in an initial state where it
doesn't have an address and needs to acquire one. It will do so by initiating the process
of lease allocation.

 Renewal: After a certain portion of the lease time has expired, the client will
attempt to contact the server that initially granted the lease, to renew (refresh) the
lease so it can keep using its IP address.

 Rebinding: If renewal with the original leasing server fails (because, for example,
the server has been taken offline), then the client will try to rebind to any active
DHCP server, trying to extend its current lease with any server that will allow it to
do so.

 Release: The client may decide at any time that it no longer wishes to use the IP
address it was assigned, and may terminate the lease, releasing the IP address.
Like the apartment-renter moving out of the country, this may be done if a device
is moving to a different network, for example. Of course, unlike DHCP servers,
landlords usually don't let you cancel a lease at your leisure, but hey, no analogy
is perfect.

ETEC1999. All rights reserved
Rev 05/2014 Page 80
DHCP Address Allocation Process
The process that describes DHCP is what I like to call "DORA" and here's the

 Discover
 Offer
 Request
 Acknowledge

Let's now take each one and briefly explain what happens:

 Discover: The host will initially send a broadcast in an attempt to discover a DHCP
server on the network.
 Offer: The DHCP server always listen for DHCP discovery broadcast and respond
with an 'offer', which is an IP address, its subnet mask and optional information
such as IP address of Default Gateway, WINS and DNS.
 Request: The client will receive the 'offer' and, in most cases, will accept it. This
means it sends an 'official request' for the same IP address offered previously by
the server.
 Acknowledge: The DHCP server will complete the transaction by sending an
'accept' message and marking the particular IP address for the specific host and
lock that IP for the duration of the lease time.

An address conflict occurs when two hosts use the same IP address.
During address assignment, DHCP checks for conflicts using ping and gratuitous
ARP. If a conflict is detected, the address is removed from the pool. The address
will not be assigned until the administrator resolves the conflict.

ETEC1999. All rights reserved
Rev 05/2014 Page 81
Cisco DHCP Server
Most Cisco Routers and Layer 3 switches can be configure as a DHCP server. To
configure Cisco devices as a DHCP server, first and foremost – Set the exclusion
addresses. Second – Create your scope and scope options.

Example - Configuring DHCP service on a Cisco router:

Router(config)#service dhcp
Router(config)#ip dhcp excluded-address
Router(config)#ip dhcp pool ETEC_DHCP
Router(config-dhcp)#domain-name ETEC.com
Router(config-dhcp)#lease {days [hours][minutes] | infinite}
Router> show ip dhcp binding
Router# show ip dhcp database
Router> show ip dhcp conflict

Router# clear ip dhcp conflict address | *

ETEC1999. All rights reserved
Rev 05/2014 Page 82
Chapter 7 – Virtual LAN (VLAN)

What is a LAN?
As describe in chapter 1, all switches either by themselves or connected together is
defined as a broadcast domain. A LAN is a local area network and is defined as all
devices in the same broadcast domain. If you remember, routers stop broadcasts,
switches just forward them.

What is a VLAN?
VLANs are broadcast domains defined within switches to allow control of broadcast,
multicast, unicast, and unknown unicast within a Layer 2 device. By default, a manage
switch does have a VLAN and a term that you’re commonly known as default VLAN,
manage VLAN or VLAN 1. All ports in a single VLAN are in a single broadcast domain.

A VLAN (Virtual Local Area Network) is a switched network that is logically segmented
by communities of interest without regard to the physical location of users. Each port on
the Switch can belong to a VLAN. Ports in the same VLAN share broadcasts, which
means they are one the same subnet.
A VLAN has the same attributes as a physical LAN, but it allows for end stations to be
grouped together even if they are not located on the same network switch.

So, in effect, if you only have a switched network and want to break up broadcast
domains, then VLANs are the way to go. But, if you want to communicate between them,
then you still need to have a router; thought you could skimp on that, didn’t you?

Ports that do not belong to the VLAN do not share these broadcasts, thus improving the
overall performance of the network. VLANs remove the physical constraints of
workgroup communications. Layer 3 routing provides communications between VLANs.
In other words, users can be in totally different physical locations and still be on the
same VLAN. Likewise, users in the same physical location can be on different VLANs.

VLANs benefits

 One Switch with 2 VLANs instead of 2 LAN switches.

 Reduced administration costs from solving problems associated with
moves and changes – As users physically move they just have to be re-
patched and enabled into their existing VLAN.
 Workgroup and network security – You can restrict the number of users in a
VLAN and also prevent another user from joining a VLAN without prior
approval from the VLAN network management application.
 Controlled Broadcast activity – Broadcasts are only propagated within the
VLAN. This offers segmentation based on logical constraints.

ETEC1999. All rights reserved
Rev 05/2014 Page 83
 Leveraging of existing hub investments – Existing hubs can be plugged
into a switch port and assigned a VLAN of their own. This segregates all users
on the hub to one VLAN.
 Centralized administration control – VLANs can be centrally administered.

Switch Ports
In general, there are two port settings of connecting switches to some network device.
The switch port settings can be either access or trunk port. When switch port is set as
access port, then the switch considers the connected network device as non-switch, or to
be specific is unable to understand BPDU (Bridge Protocol Data Unit). When switch port
is set as trunk port, then the switch consider the connected network device as
switch/bridge, or to be specific is able to speak and read BPDU.

 Access Ports: Ports that connected to PC, Servers or a host are an access ports.
Any device attached to this is not aware of any VLAN membership and has no
understanding of the physical layout of the network.

 Trunk Ports: Ports that connected from one switch to another switch allowing you
to extend a broadcast domain. Bye default, if you only have one VLAN (default
VLAN), the ports connected between the switches can either ben an Access Port
or Trunk Ports. But if you have multiple VLANs, these ports must be set to Trunk

How does a switch identify which frame belong to what VLAN? With the help of
VLAN trunking protocols (802.1q or isl), these frames a “flagged” with the VLAN
information so when they are forward from one switch to the other, the receiving
switch can identify which VLAN the frame belongs to.

By default, a Trunk Ports will allow all known VLAN to be forward. These trunks
can carry multiple VLANs and must be 100Mbps or greater. Both switches must
use the same trunking protocol to establish a trunk link.

Trunking Protocols
The protocol most commonly used today in configuring virtual LANs is IEEE 802.1Q.
The IEEE committee defined this method of multiplexing VLANs in an effort to provide
multivendor VLAN support.
Prior to the introduction of the 802.1Q standard, several proprietary protocols existed,
such as Cisco's ISL (Inter-Switch Link) and 3Com's VLT (Virtual LAN Trunk). Cisco also
implemented VLANs over FDDI by carrying VLAN information in an IEEE 802.10 frame
header, contrary to the purpose of the IEEE 802.1Q standard.

ETEC1999. All rights reserved
Rev 05/2014 Page 84
Both ISL and IEEE 802.1Q tagging perform "explicit tagging" - the frame itself is tagged
with VLAN information. ISL uses an external tagging process that does not modify the
existing Ethernet frame, while 802.1Q uses a frame-internal field for tagging, and so
does modify the Ethernet frame. This internal tagging is what allows IEEE 802.1Q to
work on both access and trunk links: frames are standard Ethernet, and so can be
handled by commodity hardware.

The 802.1Q
An industry networking standard that supports virtual LANs (VLANs) on an Ethernet
network. The standard defines a system of VLAN tagging for Ethernet frames and the
accompanying procedures to be used by bridges and switches in handling such frames.

Portions of the network which are VLAN-aware (i.e., IEEE 802.1Q conformant) can
include VLAN tags. Traffic on a VLAN-unaware (i.e., IEEE 802.1D conformant) portion of
the network will not contain VLAN tags. When a frame enters the VLAN-aware portion of
the network, a tag is added to represent the VLAN membership of the frame's port or the
port/protocol combination, depending on whether port-based or port-and-protocol-based
VLAN classification is being used. Each frame must be distinguishable as being within
exactly one VLAN. A frame in the VLAN-aware portion of the network that does not
contain a VLAN tag is assumed to be flowing on the native (or default) VLAN.

The IEEE 802.1Q header contains a 4-byte tag header containing a 2-byte tag protocol
identifier (TPID) and a 2 byte tag control information (TCI). The TPID has a fixed value of
0x8100 that indicates that the frame carries the 802.1Q/802.1p tag information. The TCI
contains the following elements:

 Three-bit user priority

 One-bit canonical format indicator (CFI)
 Twelve-bit VLAN identifier (VID)-Uniquely identifies the VLAN to which the frame

Inter-Switch Link (ISL)

Cisco proprietary protocol used to interconnect multiple switches and maintain VLAN
information as traffic travels between switches on trunk links. This technology provides
one method for multiplexing bridge groups (VLANs) over a high-speed backbone. It is
defined for Fast Ethernet and Gigabit Ethernet, as is IEEE 802.1Q. ISL has been
available on Cisco routers since Cisco IOS Software Release 11.1.

With ISL, an Ethernet frame is encapsulated with a header that transports VLAN IDs
between switches and routers. ISL does add overhead to the packet as a 26-byte header
containing a 10-bit VLAN ID. In addition, a 4-byte CRC is appended to the end of each
frame. This CRC is in addition to any frame checking that the Ethernet frame requires.

The fields in an ISL header identify the frame as belonging to a particular VLAN.

ETEC1999. All rights reserved
Rev 05/2014 Page 85
A VLAN ID is added only if the frame is forwarded out a port configured as a trunk link. If
the frame is to be forwarded out a port configured as an access link, the ISL
encapsulation is removed.

Early network designers often configured VLANs with the aim of reducing the size of the
collision domain in a large single Ethernet segment and thus improving performance.
When Ethernet switches made this a non-issue (because each switch port is a collision
domain), attention turned to reducing the size of the broadcast domain at the MAC layer.
Virtual networks can also serve to restrict access to network resources without regard to
physical topology of the network, although the strength of this method remains debatable
as VLAN Hopping [2] is a common means of bypassing such security measures.

Virtual LANs operate at Layer 2 (the data link layer) of the OSI model. Administrators
often configure a VLAN to map directly to an IP network, or subnet, which gives the
appearance of involving Layer 3 (the network layer). In the context of VLANs, the term
"trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or
"tags") inserted into their packets. Such trunks must run between "tagged ports" of
VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather
than links to hosts. (Note that the term 'trunk' is also used for what Cisco calls "channels"
Link Aggregation or Port Trunking). A router (Layer 3 device) serves as the backbone for
network traffic going across different VLANs.

Dynamic Trunking Protocol (DTP)

Many Cisco switches employ an automatic trunking mechanism known as the Dynamic
Trunking Protocol (DTP), which allows a trunk to be dynamically established between
two switches. All COS switches and integrated IOS switches can use the DTP protocol to
form a trunk link. The COS options auto, desirable, and on and the IOS options of
dynamic auto, dynamic desirable, and trunk configure a trunk link using DTP. If one
side of the link is configured to trunk and will send DTP signals, the other side of the link
will dynamically begin to trunk if the options match correctly.

If you want to enable trunking and not send any DTP signaling, use the option
nonegotiate for switches that support that function. If you want to disable trunking
completely, use the off option for a COS switch or the no switchport mode trunk
command on an IOS switch.
The following list describes the different options for trunking:

 Auto (switchport mode dynamic auto) – These links will only become trunk links if
they receive a DTP signal from a link that is already trunking or desires to trunk.
This will only form a trunk with other ports in the states on or desirable. This is
the default mode for most COS switches.

ETEC1999. All rights reserved
Rev 05/2014 Page 86
 Desirable (switchport mode dynamic desirable) – These links would like to
become trunk links and will send DTP signals that attempt to initiate a trunk. They
will only become trunk links if the other side responds to the DTP signal. This will
form a trunk with other ports in the states on, auto, or desirable that are running
DTP. This is the default mode for most IOS switches.
 On (switchport mode trunk) – Trunking is on for these links. They will also send
DTP signals that attempt to initiate a trunk with the other side. This will form a
trunk with other ports in the states on, auto, or desirable that are running DTP. A
port that is in on mode always tags frames sent out the port.
 Nonegotiate (switchport mode nonegotiate) – Sets trunking on and disables DTP.
These will only become trunks with ports in on or nonegotiate mode.
 Off (no switchport mode trunk) – This option sets trunking and DTP capabilities
off. This is the recommended setting for any dynamic establishments of trunk

VLAN configuration example:

Creating VLANs
Switch#config t
Switch(config)#vlan 2
Switch(config-vlan)#name Engineering
Switch(config-vlan)#Vlan 3
Switch(config-vlan)#name Sales
Switch(config-vlan)#Vlan 4
Switch(config-vlan)#name Finance
Switch(config-vlan)#ctrl z

Assigning Switch Ports to VLANs

Switch#config t
Switch(config)#int f0/2
Switch(config-if)#switchport access vlan 2
Switch(config-if)#int f0/3
Switch(config-if)#switchport access vlan 3
Switch(config-if)#Vlan 4
Switch(config-if)#interface range f0/6 -10 ------>(selecting only
F0/6 to F0/10)
Switch(config-if-range)#switchport access vlan 4
Switch(config-if-range)#ctrl z

Configuring Trunk Ports

Switch(config)#int f0/12
Switch(config-if-range)switchport mode trunk
Switch(config-if)switchport trunk encapsulation dot1q

Note: again, ports that are trunked must be a minimum of 100mbps

ETEC1999. All rights reserved
Rev 05/2014 Page 87
Chapter 8 - Port Security

Quick review: The MAC address table of a switch maps individual MAC addresses of all
host on the same LAN to the physical ports on the switch. This allows the switch to direct
data out of the physical port where the recipient is located, as opposed to
indiscriminately broadcasting the data out of all ports as a hub does.

Why Port Security

In a typical MAC flooding attack (bad guy), a switch is fed many Ethernet frames, each
containing different source MAC addresses by the attacker. The (bad guy) intention is to
consume the CAM table memory set aside in the switch to store the MAC address table.

Switches are able to store numerous amounts of entries in the CAM table for each
VLAN. However, once the resources are exhausted, the traffic is flooded out on the
VLAN as the CAM table can no longer store MAC addresses. The switch is no longer
able to locate the MAC destination MAC address within a packet. Simply put it, the
switch become nothing more than a HUB.

After launching a successful MAC flooding attack, a malicious user could then use a
packet analyzer to capture sensitive data being transmitted between other computers,
which would not be accessible were the switch operating normally. The attacker may
also follow up with an ARP spoofing attack which will allow them to retain access to
privileged data after switches recover from the initial MAC flooding attack.

One of many ways to counter MAC flooding attack or just simple allows authorized
computers only is to implement Port Security. You can use the port security feature to
restrict input to an interface by limiting and identifying MAC addresses of the
workstations that are allowed to access the port. When you assign secure MAC
addresses to a secure port, the port does not forward packets with source addresses
outside the group of defined addresses.

After you have set the maximum number of secure MAC addresses on a port, the secure
addresses are included in an address table in one of these ways:

 You can configure a static MAC addresses by using the switchport port-security
mac-address (mac_address) command.
 You can allow the port to dynamically learn a MAC addresses with the MAC
addresses of connected devices.
 You can configure a number of static addresses and allow the rest to be learn

Note: If the port shuts down, all dynamically learned addresses are removed.

ETEC1999. All rights reserved
Rev 05/2014 Page 88
Security Violations:
It is a security violation when one of these situations occurs:

 The maximum number of secure MAC addresses have been added to the
address table and a station whose MAC address is not in the address table
attempts to access the interface.
 An address learned or configured on one secure interface is seen on another
secure interface in the same VLAN.

You can configure the interface for one of these violation modes:

 Protect - Drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value.
 Restrict - Drops packets with unknown source addresses until you remove a
sufficient number of secure MAC addresses to drop below the maximum value
and causes the Security Violation counter to increment.
 Shutdown - Puts the interface into the error-disabled state immediately and
sends an SNMP trap notification.

By Default, when implement Port Security, the default setting allows only 1 secure MAC
address to be learn and violation mode is Shutdown. Port Security can only be
implement on an Access Port or non-negotiating trunk.

Configuration Example:
We will implement Port Security on interface f0/12, allows it to learn up to 5 MAC
addresses with 1 static MAC address (4 more dynamically) and place it in Protect mode
if violated:

Switch(config)#interface fastethernet 1/12

Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 5
Switch(config-if)#switchport port-security mac-address 00-01-B2-0A-2D-23
Switch(config-if)#switchport port-security violation protect

Port Security with Sticky MAC Addresses

Port security with sticky MAC addresses provides many of the same benefits as port
security with static MAC addresses, but sticky MAC addresses can be learned
dynamically. Port security with sticky MAC addresses retains dynamically learned MAC
addresses and save it to the running-config file. You still have to save to the startup-
config file if you want to save it permanently.
Switch(config-if)#switchport port-security mac-address sticky

ETEC1999. All rights reserved
Rev 05/2014 Page 89
Chapter 9 - IP Routing

Routing is the process of selecting paths in a network along which to send network
traffic. Routing is performed for many kinds of networks, including the telephone network,
electronic data networks (such as the Internet), and transportation networks. CCENT is
concerned primarily with routing in electronic data networks using packet switching

When an IP packet is to be forwarded, a router uses its forwarding table to determine the
next hop for the packet's destination (based on the destination IP address in the IP
packet header), and forwards the packet appropriately. The next router then repeats this
process using its own forwarding table, and so on until the packet reaches its
destination. At each stage, the IP address in the packet header is sufficient information
to determine the next hop; no additional protocol headers are required.

Routers don’t really care about hosts; they only care about networks and the best path to
each network. To be able to route packets, a router must know, at a minimum, the

 Destination Address
 Neighbor routers from which it can learn about remote networks
 Possible routes to all remote networks
 The best route to each remote network
 How to maintain and verify routing information

Router can learn about remote networks from an administrator create an entry manually
(static routing) or an advertisement from neighbor routers (dynamic routing). The router
then builds a routing table that describes how to find the remote networks.

Static Routing – Manual entries of all network locations into the routing table. If a
change occurs in the network, the administrator is responsible for updating all changes
by hand into all routers.

Dynamic Routing – In Dynamic Routing, a protocol (RIP, EIGRP or OSPF) on one

router communicates with the same protocol running on neighbor routers. The routers
then update each other about all the networks they know about and place this
information into the routing table.

Note: IP routing is enabled by default on Cisco routers.

ETEC1999. All rights reserved
Rev 05/2014 Page 90
Static Routes
Static routing is a data communication concept describing one way of configuring path
selection of routers in computer networks. It is the type of routing characterized by the
absence of communication between routers regarding the current topology of the
network. This is achieved by manually adding routes to the routing table. The opposite
of static routing is dynamic routing, sometimes also referred to as adaptive routing.

In these systems, routes through a data network are described by fixed paths (statically).
These routes are usually entered into the router by the system administrator. An entire
network can be configured using static routes, but this type of configuration is not fault
tolerant. When there is a change in the network or a failure occurs between two statically
defined nodes, traffic will not be rerouted. This means that anything that wishes to take
an affected path will either have to wait for the failure to be repaired or the static route to
be updated by the administrator before restarting its journey. Most requests will time out
(ultimately failing) before these repairs can be made. There are, however, times when
static routes make sense and can even improve the performance of a network. Some of
these include stub networks and default routes.

The syntax for creating a static route is:

ip route [destination_network] [mask] [next-hop_address or

exitinterface] [administrative distance] [permanent]

Broken down, here are the parts of the above command:

 ip route: used to create the static route

 destination_network: the network being placed in the routing table
 mask: subnet mask being used on the network
 next-hop_address: the address of the next-hop router that will receive the packet
and forward it to the remote network. This is a router interface that’s on a directly
connected network
 exitinterface: you can use it in place of the next-hop address as long as it’s on a
point-to-point link like a WAN
 administrative_distance: the value used to determine the trustworthiness of the
 permanent: using this option will keep the entry in the routing table regardless if
the interface gets shut down, etc.

ETEC1999. All rights reserved
Rev 05/2014 Page 91
To configure a static route to network, pointing to a next-hop router with
the IP address of, type: (Note that this example is written in the Cisco IOS
command line syntax and will only work on certain Cisco routers)

Router#configure terminal
Router(config)#ip route

The other option is to define a static route with reference to the outgoing interface which
is connected to the next hop towards the destination network.

Router#configure terminal
Router(config)#ip route Fa0/0

Now you may wonder why you would ever use a static route. There is nothing wrong
with using a static route. If you have a simple internetworking, and things never change,
static routes would be a great option as your routers will not send routing information
across the network. However, if things are changing, and different routes are becoming
available, you will need to manually adjust the static routes.

Another reason why you will use a static route is to configure a ‘gateway of last resort’ or
a default route. Default routes are used to direct packets addressed to networks not
explicitly listed in the routing table. Default routes are invaluable in topologies where
learning all the more specific networks is not desirable. 3 different types of gateway of
last resort:

1. The default route is typically use when you have only one exit on a router. When
a router cannot match a destinations network, it will then forward the packet to the
exit interface or the next hop IP address of the default route.

Router(config)#ip route f0/0

2. The ip default-network command allows you to configure robustness into the

selection of a gateway of last resort. Rather than configuring static routes to
specific next-hops, you can have the router choose a default route to a particular
network by checking in the routing table.

Router(config)#ip default-network

3. The ip default-gateway command differs from the other two commands. It's use
only for managing network device such as a switch remotely. Router typically
don't use ip default-gateway unless you turn off IP routing

Router(config)#ip default-gateway

ETEC1999. All rights reserved
Rev 05/2014 Page 92
Inter-VLAN Routing
Understanding How Inter-VLAN Routing Works

Network devices in different VLANs cannot communicate with one another without a
router to route traffic between the VLANs. In most network environments, VLANs are
associated with individual networks or sub-networks.

For example, in an IP network, each sub-network is mapped to an individual VLAN. In a

Novell IPX network, each VLAN is mapped to an IPX network number. In an AppleTalk
network, each VLAN is associated with a cable range and AppleTalk zone name.

Configuring VLANs helps control the size of the broadcast domain and keeps local traffic
local. However, when an end station in one VLAN needs to communicate with an end
station in another VLAN, inter-VLAN communication is required.
This communication is supported by inter-VLAN routing. You configure one or more
routers to route traffic to the appropriate destination VLAN.

The topology below shows a basic inter-VLAN routing topology. Switch A is in VLAN 10
and Switch B is in VLAN 20. The router has an interface in each VLAN.

Basic Inter-VLAN Routing Topology

When Host A in VLAN 10 needs to communicate with Host B in VLAN 10, it sends a
packet addressed to that host. Switch A forwards the packet directly to Host B, without
sending it to the router.

When Host A sends a packet to Host C in VLAN 20, Switch A forwards the packet to the
router, which receives the traffic on the VLAN 10 interface. The router checks the routing
table, determines the correct outgoing interface, and forwards the packet out the VLAN
20 interface to Switch B. Switch B receives the packet and forwards it to Host C.

The next topology shows another common scenario, inter-VLAN routing over a single
trunk connection to the router. The switch has ports in multiple VLANs. Inter-VLAN
routing is performed by a Cisco 7505 router connected to the switch through a full-duplex
Fast Ethernet trunk link.

ETEC1999. All rights reserved
Rev 05/2014 Page 93
Inter-VLAN Routing Over a Single Trunk Link

Multiple sub-interfaces are configured on the physical Fast Ethernet router interface, one
for each VLAN supported on the trunk. Intra-VLAN traffic (traffic with the source and
destination host in the same VLAN) is handled entirely by the switch.

Inter-VLAN traffic is sent across the trunk to the router. The router checks the routing
table, determines the outgoing sub-interface (destination VLAN), and sends the traffic
back over the trunk to the switch, where it is forwarded out the appropriate switch port.

ETEC1999. All rights reserved
Rev 05/2014 Page 94
Configuring VLANs Routing (Router on a stick)
Basic Steps to configure Router on a stick:

 Configure trunk port on the switch

 Configure sub-interfaces on the router

We’re going to configure allowing VLAN 10 to communicate with VLAN 20 as in the

figure below.

Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#int f0/2
Switch(config-if)#switchport access vlan 10
Switch(config-if)#int f0/3
Switch(config-if)#switchport access vlan 20

(note: some Cisco switches need to define encapsulation type on the

trunk interfaces. Cisco 2950 catalyst default to 802.1Q)

Router#config t
Router(config-if)#int f0/0
Router(config-if)#no ip address
Router(config-if)#no shut
Router(config-if)#int f0/0.1
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address
Router(config-subif)#int f0/0.2
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address

No Need for Routing Protocol since the router will treats the sub-interfaces as
connected interfaces. You will need to apply ACL to prevent one VLAN to another

ETEC1999. All rights reserved
Rev 05/2014 Page 95
Dynamic Routing
When reading (or being lectured about) all the glorious details of dynamic routing
protocols, it's hard not to come away with the impression that dynamic routing is always
better than static routing. It's important to keep in mind that the primary duty of a
dynamic routing protocol is to automatically detect and adapt to topological changes in
the internetwork. The price of this "automation" is paid in bandwidth, queue space in
memory, and in processing time.

Dynamic routing performs the same function as static routing except it is more robust.
Static routing allows routing tables in specific routers to be set up in a static manner so
network routes for packets are set. However, many drawback of static routing can be
summarized in three ways:

 Every router in your topology must be manually configured.

 Every new network or topology changes, you could potentially configure all
routers in your topology.
 If a router on the route goes down the destination may become unreachable.

Dynamic routing allows routing tables in routers to change as the possible routes
change. There are several protocols used to support dynamic routing including RIP,
EIGRP and OSPF. It’s easier than using static or default routing, but it’ll cost you in
terms of router CPU process and bandwidth on the network links.
A routing protocol defines the set of rules used by a router when it communicates routing
information between neighbor routers.

In CCENT, there are two types of dynamic routing protocols:

 Distance-vector routing protocols are based on a distributed form of Bellman-

Ford algorithm to find shortest paths. They work by exchanging a vector of
distances to all destinations known to each node. No further topological
information is ever exchanged. Thus, each node knows about all destinations
present in the network and it knows the resulting distance to each destination via
every of the node's neighbors. However, the node does not have any idea of the
actual network topology, nor does the node need it.

 Link-state routing protocols are based on algorithms to find shortest paths in a

graph (the most often used algorithm is Dijkstra algorithm). They work by
exchanging a description of each node and its exact connections to its neighbors
(in essence, each node describes its adjacencies to neighboring nodes and this
information is flooded throughout the network). Therefore, each node knows the
exact network topology, i.e. it has a graph representation of the network. Using
this graph, each node computes the shortest paths from itself to each available

ETEC1999. All rights reserved
Rev 05/2014 Page 96
Distance Vector Concepts
Distance vector algorithms use the Bellman-Ford algorithm. This approach assigns a
number, the cost, to each of the links between each node in the network. Nodes will
send information from point A to point B via the path that results in the lowest total cost
(i.e. the sum of the costs of the links between the nodes used).

The algorithm operates in a very simple manner. When a node first starts, it only knows
of its immediate neighbors, and the direct cost involved in reaching them. (This
information, the list of destinations, the total cost to each, and the next hop to send data
to get there, makes up the routing table, or distance table.) Each node, on a regular
basis, sends to each neighbor its own current idea of the total cost to get to all the
destinations it knows of. The neighboring node(s) examine this information, and compare
it to what they already 'know'; anything which represents an improvement on what they
already have, they insert in their own routing table(s). Over time, all the nodes in the
network will discover the best next hop for all destinations, and the best total cost.

When one of the nodes involved goes down, those nodes which used it as their next hop
for certain destinations discard those entries, and create new routing-table information.
They then pass this information to all adjacent nodes, which then repeat the process.
Eventually all the nodes in the network receive the updated information, and will then
discover new paths to all the destinations which they can still "reach".

Routers using distance vector protocol do not have knowledge of the entire path to a
destination. Instead DV uses two methods:

 Direction in which or interface to which a packet should be forwarded.

 Distance from its destination by number of routers in between (hop counts).

RIP and IGRP are Distance Vector Routing Protocols. They are also known as Classful
routing protocols, meaning that they do not understand subnets.

Distance Vector Topology Changes

When a topology in a distance vector network changes, routing updates must occur to
reflect changes made. As with the network discovery process, topology change
notification must occur router to router:

 Distance Vector protocols call for each router to send its entire routing table to
each of its adjacent neighbors.
 When a router receives an update from a neighboring router, it compares the
updates to its own routing table.
 If it learns about a better route (smaller hop count) to a network from its neighbor,
the router updates its own routing table.

ETEC1999. All rights reserved
Rev 05/2014 Page 97
Problems with Distance Vector
Distance Vector routing protocols are older routing protocols which has many limitations
such as:

 Routing loops can occur if the internet work’s slow convergence on a new
configuration causes inconsistent routing entries.

 Counting to infinity continuously loops packets around the network, despite the
fundamental fact that the destination network is down.

 Slow conversion: Distance Vector protocol use update timer (every 30 seconds)
to update its neighbor. In a large network, it could take several minutes before all
routers in your topology have the updates.

 No bandwidth awareness: Distance Vector protocol use hop counts as metric

(cost to remote network). Therefore, it will take a path with slower link to the
remote network due to lower hop counts rather a faster path.

 Chatty: Distance Vector send each other entire routing table every 30 seconds
even if there is no change occurs. This will waste bandwidth.

ETEC1999. All rights reserved
Rev 05/2014 Page 98
Link State Concepts
The Link State algorithm uses Link State Packets (LSP) to inform other routers of distant
links. All routers exchange LSP to build a total view of the network. OSPF is a Link
State Routing Protocol where EIGRP is a hybrid (link state and DV)

When applying link-state algorithms, each node uses as its fundamental data a map of
the network in the form of a graph. To produce this, each node floods the entire network
with information about what other nodes it can connect to, and each node then
independently assembles this information into a map. Using this map, each router then
independently determines the least-cost path from itself to every other node using a
standard shortest paths algorithm such as Dijkstra or DUAL algorithm. The result is a
tree rooted at the current node such that the path through the tree from the root to any
other node is the least-cost path to that node. This tree then serves to construct the
routing table, which specifies the best next hop to get from the current node to any other
node. All routers then recalculate the best path (shortest) to any affected route. Link
State routing protocols are more intensive in terms of power, memory and bandwidth

Link-state router creates three separate tables.

1. Neighbors Table: Keeps track of directly attached neighbors.
2. Topology Table: Topology of the entire Internetwork.
3. Routing Table: Used as the routing table.

Link-state routers know more about the Internetwork than any distance-vector routing

Differences between Distance Vector and Link State

 Distance Vector gets all its information second hand or gossip whereas link state
routing obtains a total topology of the internetwork.
 Distance Vector determines the best path by counting hops. Link State uses a
complex bandwidth analysis.
 Distance Vector updates topology changes every 30 seconds as default, which
causes a slow convergence time. Link State can be triggered by topology
changes resulting in faster convergence times.
 Distance Vector updates its neighbors by sending the entire database (consume
bandwidth). Link State perform Incremental Updates.
 Link State is harder to setup and some Link State protocol (OSPF) needs lots of
processing power to rebuild the routing database.

Problems with any Dynamic Routing Protocols

Link State protocols use complex algorithm such as Dijkstra or DUAL to calculate
shortest path and loop free, those algorithms will take up CPU resource as well as
memory usage. If you have a small network, sometime it is best to use static route.

ETEC1999. All rights reserved
Rev 05/2014 Page 99
Administrative Distances

First, let’s start by saying that in the real world, there is no benefit to using multiple
routing protocols. So why does it? You might be left with no other options if you have a
mixed router environment.

An administrative distance (AD) is used to rate the trustworthiness of information

received regarding a route. The value of an AD ranges anywhere from 0 through 255. A
value of 255 simply means no traffic will pass.

If there are two routes to a network, the one with the lowest AD will be the one used and
it is placed in the routing table.

What happens if both routes happen to have the same AD? Routing protocol metrics
(i.e.…bandwidth of the lines or hop count) will be used in determining the best path.

Here are some default administrative distances that Cisco routers use:

Route Source Default AD

Connected interface 0

Static route 1


IGRP 100

OSPF 110

RIP 120

External EIGRP 170

Unknown 255 (route not used)

In viewing, for example, RIP route information on a router, you would see a readout
referencing RIP like the following:

R [120/3] via, 00:00:09, Serial 0/0

In this particular example, notice the [120/3] portion of the readout. In this example the
number of 120 is the Administrative Distance and 3 is the metric for that route.

ETEC1999. All rights reserved
Rev 05/2014 Page 100
Routing Information Protocol (RIP)
RIP Overview, History, Standards and Versions
RIP is a dynamic, distance vector routing protocol based around the Berkeley BSD
application routed and was developed for smaller IP based networks. RIP uses UDP port
520 for route updates. RIP calculates the best route based on hop count. Like all
distance vector routing protocols, RIP takes some time to converge. While RIP requires
less CPU power and RAM than some other routing protocols, RIP does have some
RIP has been the most popular interior routing protocol in the TCP/IP suite for many
years. The history of the protocol and how it came to achieve prominence is a rather
interesting one. Unlike many of the other important protocols in the TCP/IP suite, RIP
was not first developed formally using the RFC standardization process. Rather, it
evolved as a de facto industry standard and only became an Internet standard later on.

Early History of RIP

The history of RIP shares some commonality with that of another networking
heavyweight: Ethernet. Like the formidable LAN technology, RIP's roots go back to that
computing pioneer, Xerox's Palo Alto Research Center (PARC). At the same time that
Ethernet was being developed for tying together local area networks, PARC created a
higher layer protocol to run on Ethernet called the Xerox PARC Universal Protocol
(PUP). PUP required a routing protocol, so Xerox created a protocol called the Gateway
Information Protocol (GWINFO). This was later renamed the Routing Information
Protocol and used as part of the Xerox Network System (XNS) protocol suite.

RIP entered the mainstream when developers at the University of California at Berkeley
adapted it for use in the Berkeley Standard Distribution (BSD) of the UNIX operating
system. RIP first appeared in BSD version 4.2 in 1982, where it was implemented as the
UNIX program routed (pronounced “route-dee”, not “rout-ed”—the “d” stands for
daemon, a common UNIX term for a server process.)

BSD was (and still is) a very popular operating system, especially for machines
connected to the early Internet. As a result, RIP was widely deployed and became the
industry standard for internal routing protocols. It was used both for TCP/IP and also
other protocol suites. In fact, a number of other routing protocols, such as the RTP
protocol in the AppleTalk suite, were based on this early version of RIP.

ETEC1999. All rights reserved
Rev 05/2014 Page 101
RIP Standardization
For a while, the BSD implementation of routed was actually considered the standard for
the protocol itself. However, this was not a formally defined standard, and this meant
there was no formal definition of how exactly it functioned. This process leads to slight
differences in various implementations of the protocol over time. To resolve potential
interoperability issues between implementations, the IETF formally specified RIP in the
Internet standard RFC 1058, Routing Information Protocol, published in June 1988. This
RFC was based directly on the BSD routed program. This original version of RIP is now
also sometimes called RIP version 1 or RIP-1 to differentiate it from later versions.

RIP's popularity was due in large part to its inclusion in BSD; this was in turn a result of
the relative simplicity of the protocol. RIP uses the distance-vector algorithm (also called
the Bellman-Ford algorithm after two of its inventors) to determine routes. Each router
maintains a routing table containing entries for various networks or hosts in the
internetwork. Each entry contains two primary pieces of information: the address of the
network or host, and the distance to it, measured in hops, which is simply the number of
routers that a datagram must pass through to get to its destination.

RIP Operational Overview, Advantages and Limitations

On a regular basis, each router in the internetwork sends out its routing table in a special
message on each of the networks to which it is connected, using UDP. Other routers
receive these tables and use them to update their own tables. This is done by taking
each of the routes they receive and adding an extra hop. For example, if router A
receives an indication from router B that network N1 is 4 hops away, then since router A
and router B are adjacent, the distance from router A to N1 is 5. After a router updates
its tables, it in turn sends out this information to other routers on its local networks. Over
time, routing distance information for all networks propagates over the entire

RIP is straight-forward in operation, easy to implement, and undemanding of router

processing power, which makes it attractive especially in smaller autonomous systems.
There are, however, some important limitations that arise due to the simplicity of the
protocol. For starters, hops are often not the best metric to use in selecting routes.
There are also a number of problems that arise with the algorithm itself. These include
slow convergence (delays in having all routers agree on the same routing information)
and problems dealing with network link failures.

RIP includes several special features to resolve some of these issues, but others are
inherent limitations of the protocol. For example, RIP only supports a maximum of 15
hops between destinations, making it unsuitable for very large autonomous systems, and
this cannot be changed.

ETEC1999. All rights reserved
Rev 05/2014 Page 102

 Distance Vector (no bandwidth awareness)

 15 hops max (not suitable for large networks)
 Chatty (broadcast or multicast the entire routing table every 30 seconds)

RIP Routing Information and Route Distance Metric

The job of RIP, like any routing protocol, is to provide a mechanism for exchanging
information about routes so routers can keep their routing tables up to date. Each router
in an RIP internetwork keeps track in its routing table of all networks (and possibly
individual hosts) in the internetwork. For each network or host, the device includes a
variety of information, of which the following are the most important:

 The address of the network or host.

 The distance from that router to the network or host.
 The first hop for the route: the device to which datagrams must first be sent to
eventually get to the network or host.

In theory, the distance metric can be any assessment of cost, but in RIP, distance is
measured in hops. As you probably already know, in TCP/IP vernacular, a datagram
makes a hop when it passes through a router. Thus, the RIP distance between a router
and a network measures the number of routers that the datagram must pass through to
get to the network. If a router connects to a network directly, then the distance is 1 hop. If
it goes through a single router, the distance is 2 hops, and so on. In RIP, a maximum of
15 hops are allowed for any network or host.
The value 16 is defined as infinity, so an entry with 16 in it means “this network or host is
not reachable”.

RIP Route Determination Algorithm

On a regular basis, each router running RIP will send out its routing table entries to
provide information to other routers about the networks and hosts it knows how to reach.
Any routers on the same network as the one sending out this information will be able to
update their own tables based on the information they receive. Any router that receives a
message from another router on the same network saying it can reach network X at a
cost of N, knows it can reach network X at a cost of N+1 by sending to the router it
received the message from.

ETEC1999. All rights reserved
Rev 05/2014 Page 103
RIP Route Determination and Information Propagation
Let's take a specific example to help us understand better how routes are determined
using RIP.

Example 1:
Consider a relatively simple internetwork with 2 individual networks, connected as

Dallas LAN users ( need to reach ABC server in Houston LAN
We will configure RIP as dynamic routing protocol on both Houston and Dallas router.

To configure RIP on a router, we need to enable which connected network(s) that will
participate in RIP. For example, Houston router f0/0 is on network and
the f0/1 is on the network:

Houston(config)# router rip

Houston(config-router)# network
Houston(config-router)# network

On Dallas router, we enter the following commands to enable RIP

Dallas(config)# router rip

Dallas(config-router)# network
Dallas(config-router)# network

ETEC1999. All rights reserved
Rev 05/2014 Page 104
Both Houston and Dallas router will begin to broadcast out on all interfaces that was
configure under RIP about all networks that it knows. Dallas router will receive
advertisements about network from Houston router on IP address of (IP address of Houston f0/1 interface). Let exam the routing table of Dallas

 The letter C stands for direct connected networks on Dallas f0/0 and f0/1.
 The letter R stood for remote network learned via RIP protocol.
o – remote network was learned via RIP
o [120/1] – 120 is the administrative distance for RIP and 1 is the number of
hop away
o Via – the IP address of neighbor router that advertise the remote
network as well as it is the IP next hop that will be used to reach that
remote network
o 00:00:05 – this remote network was advertised to Houston router 5
seconds ago. (RIP will advertise every 30 seconds. If everything is working
correctly, you will never see 31)
o FastEthernet0/1 – Dallas router exiting interface to reach the remote

Let exam a trace from a workstation in Dallas office to ABC server in Houston office:

As you can see, the first hop is the default gateway in Dallas. The next hop is the
WAN IP address of Houston router and the last is the ABC server IP address.

ETEC1999. All rights reserved
Rev 05/2014 Page 105
Now we exam the dynamic routing protocol running on Dallas router:

 Invalid, hold down and flushed timers will be explained latter in this chapter
 Outgoing and Incoming update filter are used when you want to filter advertising
or receiving networks
 RIP operates in 2 versions, currently running version 1 but will receive version 2.
Version 2 will be explained latter in this chapter
 Automatic network summarization – RIP version 1 automatically summarize
classless networks to classful network (no VLSM)
 RIP version 2 can have authentication. Authentication can be implemented per
 Routing information sources is your RIP neighbors and how long ago have been

Please discuss with ETEC instructor if you don’t understand everything on this output.

ETEC1999. All rights reserved
Rev 05/2014 Page 106
Example 2:

In this example, we will focus on SanAntonio router. Let assumed the following
commands was entered on all 4 routers:

Router(config)# router rip

Router(config-router)# network 192.168.x.0
Router(config-router)# network

Note: x is the LAN network number on each router.

We can see that network is 3 hops away, is 2 hops away
and is 1 hop away. However; to reach all 3 remote networks,
SanAntonio router have the same next hop of which is the neighbor router
(Austin) that advertise those remote networks.

ETEC1999. All rights reserved
Rev 05/2014 Page 107
Example 2:

In this example, SanAntonio router is connected back to Houston router as a redundant

link if any fastEthernet WAN connection fails. The backup connection is a T-1
connection with a much slower link of 1.544 mbps where fastEthernet is 100 mbps. Let
look at the routing table of SanAntonio router:

 We can see that from SanAntonio router to reach network, it will go
directly over the slow T-1 Link. RIP have no awareness of bandwidth (major

 Here, SanAntonio router will load balance to network on Dallas router via Houston
and Austin routers. Users that direct over Houston the Dallas routers will be
slower that other users (major complains)

ETEC1999. All rights reserved
Rev 05/2014 Page 108
Problems with Distance Vector
Whether you’re running RIP version 1, 2 or even RIPng (RIP new generation – used in
IPv6), they all have major drawbacks as follows:

 Used hop count instead of bandwidth as seen on Example 3

 Longer to converged due to fixed timers of advertisement (let say the router just
finish receiving advertisement from a neighbor and a new remote network just
come up afterward, it won’t know that network until 30 seconds latter
 Distance Vector routing protocols are prone to Routing Loops

Routing loops can occur if the internet work’s slow convergence on a new configuration
causes inconsistent routing entries.

Counting to infinity continuously loops packets around the network, despite the
fundamental fact that the destination network is down or being looped.

To overcome routing loop, RIP implemented the following settings:

 Defining a maximum number of hops – Specify a maximum distance vector

metric as infinity. 16 with RIP and 256 (100 default) with EIGRP. A network
cannot be reached more than 15 hops. A router will not advertise that network to
its neighbor.
 Split Horizon – If a router learns a route on an interface (neighbor), it does not
send that route back out that interface. That will definitely cause a loop.
 Route Poisoning – Mark a network 16 hops (un-reachable) for a period of time
such as a network not receiving from an update (lost route/flapping interface) from
its neighbor or hold down time expired (see hold down timer).
 RIP Timers – RIP uses the following types of timers to regulate RIP’s
performance. They are:

1. Update Timer: Sets the interval (usually 30 seconds) between periodic

routing updates, in which the router sends a complete copy of its routing table
out to all neighbors.

2. Hold down Timer: If a router receive a notice of a network goes down, it will
mark that the network is down for a specific amount of time (default is 180
seconds) and will not bring it back up even if a notification that it is up. It also
will inform other neighbors that the network is down.
In a redundancy network with multi-path, update timers can be different with
each neighbor. If a network goes down, it’s time to update one neighbor.
Then the network goes up, it’s now time to update a different neighbor. If
there wasn’t a way to stabilize this, the network would never converge or could
bring the entire network down.

ETEC1999. All rights reserved
Rev 05/2014 Page 109
Hold down Timer prevents regular update messages from reinstating a route
that is going up and down (flapping) allowing the network goes down to reach
all neighbors before bringing it back up.

3. Invalid Timer: Routers receive updates from its neighbor every 30 seconds.
If a router has not heard any updates from its neighbor in 180 seconds, it will
poison (mark un-reachable 16 hops) all the networks that it received from that
neighbor. This timer is continuous running and reset back to 0 every time it
receives and update from its neighbor.

4. Flush Timer: This is similar to Invalid Timer. The different is if it does not
receive any updates from a neighbor in 240 seconds, it will remove all routes
that it learned from that neighbor from its table. Before it’s removed from the
table, the router notifies its neighbors of that route’s impending demise so they
also remove those routes from their table.

 Poison Reverse – If a router receives information about a network goes down

from the originated router, it also sends a message back to the originated router
that the network is also 16 hops through it. Poison Reverse work together with
Split Horizon to prevent routing loops.

Problems and Overcome summaries:

 Routing Loops:
o If Routers running RIP advertise the entire table that it has, it will cause a
routing loop.
o RIP counter Routing Loop problem by using Split Horizon and Max Hop

 Flapping Interface:
o Due to RIP routers advertise every 30 seconds to its neighbor, an interface
going up and down can cause ripple effects and routers in the RIP domain
has no idea if the network is up or down.
o RIP counter flapping interface by using Hold Down Timer.

 Dead Neighbor:
o If a RIP neighbor is down, RIP router has no idea when to remove all of the
routes that it learns from the down router and can send packet out of that
o RIP counter dead neighbor by using Invalid Timer and Flush Timer.

ETEC1999. All rights reserved
Rev 05/2014 Page 110
 RIP prevents routing loop by using split horizon and maximum hop counts. Split
horizon blocks information about routes from being advertised by a router out of
any interface from which that information originated. And the maximum hop
counts preventing if there’s such a loop, the packet will not be forward after 15

 The rip timers such as hold down, invalid and flush timer can be a little confusing
at time. Just remember that hold down timer is preventing flapping interface
causing instability of your entire networks where invalid and flush timers are for a
lost RIP neighbor.

 Hold-down timers allowing the routers to ignore routing update information for a
specified period of time. Hold-down timers can be reset when the timer expires, a
routing update is received that has a better metric, or a routing update is received
indicating that the original route to the network is valid. Hold-down timers are
useful in preventing routing information from flooding the network when network
links are unstable.

ETEC1999. All rights reserved
Rev 05/2014 Page 111
Feature Overview
Much like its predecessor, RIPv2 is a distance vector routing protocol that uses hop
count as it’s metric. However, unlike RIPv1, RIPv2 provides these differences:

 Multicast instead of broadcast via reserved ip address of

 Classless by default but will summarize routes learned by neighbors to other
neighbors. By using the no auto-summary command, it will forward the subnet
mask out to its neighbor so they can support VLSM.
 Designed to supports discontiguous networks.
 Provides Authentication per interfaces.

Using the summary IP address feature for RIP means that there is no entry for child
routes in the RIP routing table, reducing the size of the table and allowing the router to
handle more routes.

Summary IP address functions more efficiently than multiple individually advertised IP
routes, because:

 The summarized routes in the RIP database are processed first.

 Any associated child routes that are included in a summarized route are skipped
as RIP looks through the routing database, reducing the processing time required.

Network Summary
The IP Summary Address for RIP feature enables Cisco routers running RIPv2 to
advertise a summarized of its networks to reduce the routing table of its neighbors. For
example, if a router is connected to multiple networks (child networks) such as,, and, you could
configure the command:

Router(Config-if)#ip summary-address rip

This command will suppressed the 4 child networks and only send out 1 so that the
neighbor will only have on its routing table instead of 4 networks.
Because a summary route is advertised, advertisement of the /32 host routes (installed
when the dialup client connects) is suppressed so that the router does not advertise
these routes to the network access interface.

ETEC1999. All rights reserved
Rev 05/2014 Page 112
Configuring RIPv2
RIPv2 is enabled by typing:

Router(config-router)#version 2


A#Config t C#Config t
A(config)#router rip C(config)#router rip
A(config)#version 2 C(config)#ver 2
A(config-router)#net C(config-router)#net
A(config-router)#net C(config-router)#net
A(config-router)#net C(config-router)#no auto-summary
A(config-router)# no auto-summary

B#Config t
B(config)#router rip
B(config)#ver 2
B(config-router)# no auto-summary

Note: because RIPv2 sending subnet mask of its connected interfaces, we only have to
type the Classful network ID. As we can see, router B only needs one network
command to cover both networks and router C need 2 network statements.
The no auto-summary command prevents RIPv2 from summarizing the networks thereby
become classless routing protocols.

ETEC1999. All rights reserved
Rev 05/2014 Page 113
Dynamic Routing Protocol Enhancements
To stop unwanted routing updates from dynamic routing protocols being advertised
across your LAN or WAN, you could use the passive-interface router configuration
command. Once you are done using this command, you can reverse it by using the no
form of this command. This basically tells an interface to listen, but not to speak.

passive-interface [default] {interface-type interface-number}

no passive-interface interface-type interface-number

Loopback Interface
You can specify a software-only interface called a loopback interface to emulate a
physical interface. A loopback interface is a virtual interface that is always up and allows
Routing Protocol sessions, to stay up even if the outbound interface is down.
Packets routed to the loopback interface are rerouted back to the router or access server
and processed locally. IP packets routed out the loopback interface but not destined to
the loopback interface are dropped. Under these two conditions, the loopback interface
can behave like a null interface.

router#configure t
router(config)#interface Loopback 3
router(config-if)#ip address
router(config-if)#no shut

Loopback interface can be useful in many cases:

 Router ID for OSPF stabilization
 Update source for BGP routing protocol
 Telnet
 Interface emulation

ETEC1999. All rights reserved
Rev 05/2014 Page 114
Chapter 10 - Network Address Translation (NAT)

If you are reading this, you are most likely connected to the Internet and there's a very
good chance that you are using Network Address Translation (NAT) right now!

The Internet has grown larger than anyone ever imagined it could be. Although the exact
size is unknown, the current estimate is that there are about 100 million hosts and over
350 million users actively on the Internet. That is more than the entire population of the
United States! In fact, the rate of growth has been such that the Internet is effectively
doubling in size each year.

With the explosion of the Internet and the increase in home networks and business
networks, the number of available IP addresses is simply not enough. The obvious
solution is to redesign the address format to allow for more possible addresses. This is
being developed (IPv6) but will take several years to implement because it requires
modification of the entire infrastructure of the Internet.

With the limited amount of Internet Protocol (IP) addresses, the use of private IP
addresses is essential in extending the life of the current method of assigning identifiable
addresses to hosts.

The use of IP addresses in the private ranges is convenient, but in order to

communication with hosts on the public internet a form of Network Address Translation
(NAT) is needed.

The NAT router translates traffic coming into and leaving the private network:

This is where NAT (RFC 1631) comes to the rescue. Basically, Network Address
Translation allows a single device, such as a router, to act as agent between the Internet
(or "public network") and a local (or "private") network. This means that only a single
unique IP address is required to represent an entire group of computers to anything
outside their network.

The shortage of IP addresses is not the only one reason to use NAT. Two other good
reasons are:
 Security
 Administration

ETEC1999. All rights reserved
Rev 05/2014 Page 115
ETEC1999. All rights reserved
Rev 05/2014 Page 116
You will learn more about how NAT can benefit you, but first, let us take a closer look at
NAT and what it can do…

Behind the Mask

NAT is like the receptionist in a large office. Let's say you have left instructions with the
receptionist not to forward any calls to you unless you request it. Later on, you call a
potential client and leave a message for them to call you back. You tell the receptionist
that you are expecting a call from this client and to put them through.

The client calls the main number to your office, which is the only number the client
knows. When the client tells the receptionist who they are looking for, the receptionist
checks a lookup table that matches up the person's name and extension. The
receptionist knows that you requested this call, therefore the receptionist forwards the
caller to your extension.

Network Address Translation is used by a device (firewall, router or computer) that sits
between an internal network and the rest of the world. NAT has many forms and can
work in several ways:

Static NAT
Mapping an unregistered IP address to a registered IP address on a one-to-one basis.
Particularly useful when a device needs to be accessible from outside the network.

In static NAT, the computer with the IP address of will always
translate to

ETEC1999. All rights reserved
Rev 05/2014 Page 117
Dynamic NAT
Maps an unregistered IP address to a registered IP address from a group of registered
IP addresses. Dynamic NAT also establishes a one-to-one mapping between
unregistered and registered IP address, but the mapping could vary depending on the
registered address available in the pool, at the time of communication.

In dynamic NAT, the computer with the IP address of will translate to the
first available address in the range from to

Overloading or Port Address Translation (PAT)

Overloading or Port Address Translation (PAT) feature, a subset of NAT functionality,
can be used to translate several internal addresses into only one or a few external
addresses. PAT offers the following capabilities:

 Provides many-to-one address translation

 Maps multiple IP addresses to one or a few IP addresses
 Identifies a unique source port number in each session
 Conserves registered IP addresses

PAT uses unique source port numbers on the private global IP address to distinguish
between translations. Because the port number is encoded in 16 bits, the total number
could theoretically be as high as 65,536 per IP address. PAT will attempt to preserve the
original source port number. If this number is already allocated then PAT will attempt to
find the first available port number starting from the beginning of the appropriate port
group 0-511, 512-1023, or 1024-65535.

ETEC1999. All rights reserved
Rev 05/2014 Page 118
NAT can be configured in various ways. In the example below the NAT router is
configured to translate unregistered IP addresses (inside local addresses) that reside on
the private (inside) network to registered IP addresses. This happens whenever a
device on the inside with an unregistered address needs to communicate with the public
(outside) network.
 An ISP assigns a range of IP addresses to your company. The assigned block of
addresses is registered unique IP addresses and are called inside global
addresses. Unregistered private IP addresses are split into two groups, a small
group (outside local addresses) that will be used by the NAT routers and the
majority that will be used on the stub domain known as inside local addresses.
The outside local addresses are used to translate the unique IP addresses, known
as outside global addresses, of devices on the public network.

NAT only translates traffic which travel between the inside and outside network
and is specified to be translated. Any traffic not matching the translation criteria or
those that are forwarded between other interfaces on a router are never
translated, and they are forwarded as such.

IP addresses have different designations based on whether they are on the

private network (stub domain) or on the public network (Internet) and
whether the traffic is incoming or outgoing:

 Most computers on the stub domain communicate with each other using the
inside local addresses.
 Some computers on the stub domain communicate a lot outside the network.
These computers have inside global addresses which means that they do not
require translation.
 When a computer on the stub domain that has an inside local address wants to
communicate outside the network, the packet goes to one of the NAT routers by
way of normal routing to the default-gateway.
 The NAT router checks the routing table to see if it has an entry for the destination
address. If the destination address is not in the routing table, the packet is
dropped. If an entry is available, it verifies whether the packet is traveling from the
inside to the outside network and checks if the packet matches the criteria
specified for translation. The router then checks the address translation table to
find if an entry exists for the inside local address with a corresponding inside
global address. If an entry is found, it translates the packet by using the inside

ETEC1999. All rights reserved
Rev 05/2014 Page 119
global address. If static NAT alone is configured and no entry is found, it sends
the packet without translation.
 Using an inside global address, the router sends the packet on to its destination.
 A computer on the public network sends a packet to the private network. The
source address on the packet is an outside global address. The destination
address is an inside global address.
 When the packet arrives on the outside network, the NAT router looks at the
address translation table and determines that the destination address is in there,
mapped to a computer on the stub domain.
 The NAT router translates the inside global address of the packet to the inside
local address and then checks the routing table before it sends it to the
destination computer. Whenever an entry is not found for an address in the
translation table, it is not translated and proceeds with verifying the routing table
for the destination address. The packet is dropped if a route to the destination is
not found in the routing table.

NAT overloading utilizes a feature of the TCP/IP protocol stack, multiplexing, that allows
a computer to maintain several concurrent connections with a remote computer(s) using
different TCP or UDP ports. An IP packet has a header that contains the following

 Source Address—The IP address of the originating computer, for example,
 Source Port—The TCP or UDP port number assigned by the originating computer
for this packet, for example, Port 1080.
 Destination Address—The IP address of the receiving computer. For example,
 Destination Port—The TCP or UDP port number the originating computer is
requesting the receiving computer to open, for example, Port 3021.

The addresses specify the two machines at each end while the port numbers ensure that
the connection between the two computers has a unique identifier. The combination of
these four numbers defines a single TCP/IP connection. Each port number uses 16 bits,
which means that there are a possible 65,536 (216) values. Realistically, since different
manufacturers map the ports in slightly different ways, you can expect to have about
4,000 ports available.

ETEC1999. All rights reserved
Rev 05/2014 Page 120
NAT Terminology
Cisco defines these terms as:
 Inside local address—The IP address assigned to a host on the inside network.
This is the address configured as a parameter of the computer OS or received via
dynamic address allocation protocols such as DHCP. The address is likely not a
legitimate IP address assigned by the Network Information Center (NIC) or service
 Inside global address—A legitimate IP address assigned by the NIC or service
provider that represents one or more inside local IP addresses to the outside
 Outside local address—The IP address of an outside host as it appears to the
inside network. Not necessarily a legitimate address, it is allocated from an
address space routable on the inside.
 Outside global address—The IP address assigned to a host on the outside
network by the host owner. The address is allocated from a globally routable
address or network space.

These definitions still leave a lot to be interpreted. For this example, this document
redefines these terms by first defining local address and global address. Keep in mind
that the terms inside and outside are NAT definitions. Interfaces on a NAT router are
defined as inside or outside with the NAT configuration commands, ip nat inside and ip
nat outside. Networks to which these interfaces connect can then be thought of as
inside networks or outside networks, respectively.

 Local address—A local address is any address that appears on the inside portion
of the network.
 Global address—A global address is any address that appears on the outside
portion of the network.

Packets sourced on the inside portion of the network have an inside local address as the
source address and an outside local address as the destination address of the packet,
while the packet resides on the inside portion of the network.
When that same packet gets switched to the outside network, the source of the packet is
now known as the inside global address and the destination of the packet is known as
the outside global address.

Conversely, when a packet is sourced on the outside portion of the network, while it is on
the outside network, its source address is known as the outside global address. The
destination of the packet is known as the inside global address. When the same packet
gets switched to the inside network, the source address is known as the outside local
address and the destination of the packet is known as the inside local address.

Inside Local: Configured IP address assigned to a host on the inside network. Address
may be globally unique, allocated out of the private address space defined in RFC 1918,
or might be officially allocated to another organization

ETEC1999. All rights reserved
Rev 05/2014 Page 121
Inside Global: The IP address of an inside host as it appears to the outside network,
“Translated IP Address”. Addresses can be allocated from a globally unique address
space, typically provided by the ISP (if the enterprise is connected to the global Internet)

Outside Local: The IP address of an outside host as it appears to the inside network.
These addresses can be allocated from the RFC 1918 space if desired.
Outside Global: The configured IP address assigned to a host in the outside network.

ETEC1999. All rights reserved
Rev 05/2014 Page 122
NAT Configuration Commands
Interface Configuration Commands

ip nat { inside | outside }

Interfaces need to be defined whether they are on the inside or the outside. Only packets
arriving on a marked interface will be subject to translation.

Defining a list of computers allowed to go out

Access-list <number> permit <network-ID> <wildcard mask>

Defines an Access Control List (ACL) of workstation(s) allowed to be NAT. This can be a single
computer or multiple networks.

Defining a pool

ip nat pool <name> <start-ip> <end-ip> { netmask <netmask>

| prefix-length <prefix-length> } [ type { rotary } ]

Defines a pool of addresses using start address, end address, and netmask. These addresses
will be allocated as needed for dynamic NAT.

Enabling translation of inside source addresses

ip nat inside source { list <acl> pool <name> [overload] | static

<local-ip><global-ip> }

The first form enables dynamic translation. Packets from addresses that match those on
the simple access list are translated using global addresses allocated from the named
pool. The optional keyword overload enables port translation for UDP and TCP. The
term overload is equivalent to Port Address Translation (PAT). The second form of the
command sets up a single static translation.

Enabling translation of inside destination addresses

ip nat inside destination { list <acl> pool <name> | static <global-

ip> <local-ip> }

This command is similar to the source translation command. For dynamic destination
translation to make any sense, the pool should be a rotary-type pool.

ETEC1999. All rights reserved
Rev 05/2014 Page 123
Enabling translation of outside source addresses

ip nat outside source { list <acl> pool <name> | static <global-ip>

<local-ip> }

The first form (list..pool..) enables dynamic translation. Packets from addresses that
match those on the simple access list are translated using local addresses allocated from
the named pool. The second form (static) of the command sets up a single static

Exec Commands

Showing active translations

show ip nat translations [ verbose ]

Showing translation statistics

show ip nat statistics

Clearing dynamic translations

clear ip nat translation * Clears all dynamic translations. clear ip

nat translation <global-ip> Clears a simple translation.

debug ip nat [ <list> ] [ detailed ]

ETEC1999. All rights reserved
Rev 05/2014 Page 124
NAT Example

The orange area is our DMZ where currently hosting a web and a FTP server. These
servers are need to be reachable from the internet.
The blue area is our LAN and all host needed to connect to the internet with the
exception of Database server.

Static NAT
Let configure static NAT and map a local IP address to a Global IP address permanently:

Step 1 – Define NAT interfaces

Corp(config)# interface f1/0

Corp(config-if)# description Internet Interface
Corp(config-if)# ip address
Corp(config-if)# no shut
Corp(config-if)# ip nat outside
Corp(config-if)# !
Corp(config)# interface f0/1
Corp(config-if)# description DMZ Interface
Corp(config-if)# ip address
Corp(config-if)# no shut
Corp(config-if)# ip nat inside
Corp(config-if)# !

Step 2 – Static map inside server IP address to a unique global address for each server

Corp(config)#ip nat inside source static

Corp(config)#ip nat inside source static

ETEC1999. All rights reserved
Rev 05/2014 Page 125
As you can see above output, we perform NAT on the inside where an Inside global
address is mapped to an Inside local address. These entries will be permanent on router
memory so internet users can access our services.

The above is another output with the following statistic:

 2 hosts ( and are accessing our webserver on port 80
 1 host ( is accessing our FTP server on port 21


Static translations with ports:

When translating addresses to an interface’s address, outside-initiated connections to
services on the inside network (like mail) will require additional configuration to send
the connection to the correct inside host. This command allows the user to map
certain services to certain inside hosts.

ip nat inside source static { tcp | udp } <localaddr> <localport>

<globaladdr> <globalport>


ip nat inside source static tcp 172.1678.10.10 80 80

In this example, outside-initiated connections to the http port (80) will be sent to the
inside host on port 80 and no other port. This can provide some
protection to the webserver since only port 80 can be translated.

ETEC1999. All rights reserved
Rev 05/2014 Page 126
Dynamic NAT
Now let configure dynamic NAT and map users on the LAN to the remaining public IP

Step 1 – Define NAT interfaces (we already configure the Outside and DMZ interfaces)

Corp(config)# interface f0/0

Corp(config-if)# description LAN Interface
Corp(config-if)# ip address
Corp(config-if)# no shut
Corp(config-if)# ip nat inside
Corp(config-if)# !

Step 2 – Create an Access List (number 25) that deny or permit LAN users to internet

Corp(config)# access-list 25 deny host

Corp(config)# access-list 25 permit
Corp(config)# !

Note: The first entry denies the database server where the second entry permit the
entire LAN subnet. Access list is read top down. Once a match is found, the router
will apply permission and will not read the line below.

Step 3 – Create a pool named “LanUsers” that mapped to the remaining IP public IP

Corp(config)# ip nat pool LanUsers mask

Step 4 – Perform NAT by map the ACL 25 to the LanUsers pool

Corp(config)# ip nat inside source list 25 pool LanUsers

As you can see from the above output:

 Host go to (google) has been translated to a public address
 Host go to (facebook) also been translated to

ETEC1999. All rights reserved
Rev 05/2014 Page 127
Problem with Dynamic NAT
Dynamic NAT can only translate what available IP address in the pool. As we only 2
IP address in the pool, only 2 host can concurrently access the internet. Other must
wait until the current session times out. Here’s another output:

Overload NAT or PAT (Port Address Translation)

With public IPv4 address has been exhausted, it become costly to have a public IP
address for every single host (dynamic NAT). Overload NAT of PAT overcome that by
using the assistance of layer 4 port number and map to a single public IP address.
When a host create a session to another, it randomly picks a port ranging from 1024 to
65,534. Router running PAT will renumber those port with its own arrangement so it
could tell the return packet apart. Let configure PAT and exam the translation output:

To configure Overload or PAT, all you have to do is enter overload at the end of your
NAT statement of step 4:

Step 4 – Perform NAT by map the ACL 25 to the LanUsers pool

Corp(config)# ip nat inside source list 25 pool LanUsers overload

Things to notice from the above output:

 On the Inside local column, all 4 host are accessing website on the internet
with host and accessing at the same time
 The NAT router NAT each host to a single public IP address but change the
original port to its own port number as seen on the Inside global column
 When return packets from the internet, the NAT router can look at the
destination port on the packet and translated it back to original hosts

ETEC1999. All rights reserved
Rev 05/2014 Page 128
NAT at Small office/Home office (SoHo) Example (most of your home
wireless router look like this)

Step 1 – Define nat interfaces

interface S0
ip address dhcp
ip nat outside
interface Ethernet0
ip address
ip nat inside

Step 2 – Create an access-list that permits the private address to use the Nat Pool
access-list 1 permit any

Step 3 – Map an access list to the outside interface

ip nat inside source list 1 interface s0 overload

ETEC1999. All rights reserved
Rev 05/2014 Page 129
Corporate NAT Example
The following sample configuration translates between inside hosts addressed from
either the or nets to the globally-unique

Step 1 – Define nat interfaces

interface S0
ip address
ip nat outside
interface Ethernet0
ip address
ip nat inside
interface Ethernet1
ip address
ip nat inside

Step 2 – Create an access-list that permits the private address to use the Nat Pool
access-list 1 permit
access-list 1 permit

Step 3 – Create a pool (this example gives the name cisco as a pool name)
ip nat pool cisco netmask

Step 4 – Map an access list to the nat pool

ip nat inside source list 1 pool cisco overload

(remember the default is dynamic, if you have more hosts than global
addresses, use overload command at the end of the “ip nat inside” map

ETEC1999. All rights reserved
Rev 05/2014 Page 130
Security and Administration

Implementing dynamic NAT automatically creates a firewall between your internal

network and outside networks or the Internet. Dynamic NAT allows only connections that
originate inside the stub domain. Essentially, this means that a computer on an external
network cannot connect to your computer unless your computer has initiated the contact.
So you can browse the Internet and connect to a site, even download a file. But
somebody else can't simply latch onto your IP address and use it to connect to a port on
your computer.

Network Address Translation is sometimes confused with proxy servers but there are
definite differences. NAT is transparent to the source and destination computers. Neither
one realizes that it is dealing with a third device. But a proxy server is not transparent.
The source computer knows that it is making a request to the proxy server and must be
configured to do so. The destination computer thinks that the proxy server IS the source
computer and deals with it directly. Also, proxy servers usually work at Layer 4
(Transport) of the OSI Reference Model or higher, while NAT is a Layer 3 (Network)
protocol. Working at a higher layer makes proxy servers slower than NAT devices in
most cases.

NAT operates at the Network layer (Layer 3) of the OSI Reference Model which
makes sense, because this is the layer at which routers work:

A real benefit of NAT is apparent in network administration. For example, you can move
your Web server or FTP server to another host computer without having to worry about
broken links. Simply change the inbound mapping with the new inside local address at
the router to reflect the new host. You can also make changes to your internal network
easily since the only external IP address either belongs to the router or comes from a
pool of global addresses.

NAT and DHCP are a natural fit, you can choose a range of unregistered IP addresses
for your stub domain and have the DHCP server dole them out as necessary. It also
makes it much easier to scale up your network as your needs grow. You don't have to
request more IP addresses from IANA. You can just increase the range of available IP
addresses configured in DHCP and immediately have room for additional computers on
your network.

ETEC1999. All rights reserved
Rev 05/2014 Page 131
Chapter 11 - Internet Protocol Version 6
IPv6 Introduction
IPv6 is an extension of IPv4 with several advanced features:
• Larger address space
• Simpler header
• Auto configuration
• Extension header
• Flow labels
• Mobility
• "Baked in" security

Of these, many capabilities have been back ported to IPv4. The primary adoption of IPv6
will be driven by the need for more addresses. Given the growth in Internet use and the
emergence of large groups of Internet users in developing countries, this is a significant

IPv6 Routing Prefix

IPv4 addresses are 32 bits long, whereas IPv6 addresses are 128 bits. IPv6 addresses
are composed of the following elements:

• The first three bits (/3) of unicast always 001.

• The next 13 bits (/16) are Top-level Aggregator (TLA) the upstream ISP 
The next 24 bits (/40) are the next-level aggregator or regional ISP 
Enterprises are assigned /48 and have 16 bits of subnetting.

IPv6 Interface ID
The host portion of the address is last 64 bits. It can be assigned manually, using DHCP
v6, or using stateless auto configuration.

An end-system uses stateless auto configuration by waiting for a router to advertise the
local prefix. If the end system has a 64-bit MAC, it concatenates the prefix and its MAC
to form an IPv6 address. If the end system has a 48-bit MAC, it flips the global/local bit
and inserts 0xFFFE into the middle of the MAC. The resulting 64-bit number is called the
EUI64. The prefix and EUI64 are concatenated to form the address. Figure below shows
how a host uses its MAC address to create its IPv6 address.

ETEC1999. All rights reserved
Rev 05/2014 Page 132
Simplified Presentation of IPv6 Address
There are two ways to shorten the representation of an IPv6 address.

Take the example address


• Leading zeros may be omitted. This makes the example 01:0:1:2:0:0:0:ABCD

• Sequential zeros may be shown as double colons once per address. This
makes the example 4001:0:1:2::ABCD.

IPv6 Header
The IPv6 header is similar to the IPv4 header. The largest changes have to do with the
larger addresses, aligning fields to 64-bit boundaries and stowing fragmentation to an
extension header.

ETEC1999. All rights reserved
Rev 05/2014 Page 133
The fields are:
• Priority - Similar to DSCP in version 4, this eight-bit field is used to describe
relative priority.
• Flow - 20-bit flow label allows tagging in a manner similar to MPLS.
• Length - The length of the data in the packet.
• Next Header - Indicates how the bits after the IP header should be interpreted.
Could indicate TCP or UDP, or it could show an extension header.
• Hop Limit - Similar to TTL.
• Source and Destination - IPv6 addresses.

Zero or more extension headers could follow, including:

• Hop-by-hop options - Options for intermediate devices.
• Destination options - Options for the end node.
• Source routing - Specifies stations" that the route must include.
• Fragmentation - Used to divide packets.
• Authentication - Used to attest to source. Replaces the AH header from IPSec.
• Encryption Replaces the IPSec ESP header.

Advanced Features
"Advanced" features are elements that are not available in IPv4 or have significantly
changed. For instance, it's important to know that the idea of broadcasts has been
abandoned and that devices will typically respond to a set of iPv6 addresses.

Specifying Destinations
IPv6 does not support broadcasts, but replaces broadcasts with multicasts. IPv6 also
uses Anycast, which involves using the same address on two devices. Anycast can be
used to implement redundancy and has been back ported to IPv4.

Specifying Sources
Each IPv6 system must recognize the following addresses:
• Unicast address
• Link local address (FE80/10 | EUI64)
• Loopback (::1)
• All-nodes multicast (FF00::1)
• Site-local multicast (FF02::2)
• Solicited-nodes multicast (FF02::1.FF00/104}

Additionally, some systems will also use the following addresses:

• IPv4 mapped address (0:FFFF | 32-bit. IPv4 address).
• Second unicast address shared with another system (anycast).
• Additional multicast groups.
• Routers must support subnet-router anycast (all zeros EUI64).
Routers must support local all-routers multicast (FF01::2), link local (FF02::2),
and sitelocal (FF05:2).

Routers must support routing protocol multicast groups.

ETEC1999. All rights reserved
Rev 05/2014 Page 134
ETEC1999. All rights reserved
Rev 05/2014 Page 135
IPv6 supports easy network renumbering. A router sends out a "router advertisement"
with a new prefix and a token that instructs end systems to perform stateless auto
configuration. Hosts then recognize the command and update their addresses.

Anyone who has had to renumber a large range of IPv4 addresses can testify to what an
advantage this feature will be!

IPv6 also includes better support for roaming systems. Using IPv6 Mobility, roamers
keep in touch with a "home agent;' which is their home router. Traffic sent to the "home
address" is forwarded by the agent to the current address. The roamer then sends back
a binding update to its corresponding agent so that future traffic is sent directly to the
roaming address.

IPv6 Routing
IPv6 is not enabled by default on Cisco routers. To enable iPv6 routing, the command is:

Router(config)#ipv6 unicast-routing.

After IPv6 s enabled, addresses are assigned to Interfaces much like version 4:

Router(config-if)#ipv6 address prefix/prefix-length

Enabling IPv6 Routing and Assigning Addresses

RouterA#configure terminal
RouterA(config)#ipv6 unicast-routing
RouterA(config)#interface fastethernet0/0
RouterA(config-if)#description Local LAN
RouterA(config-if)#ipv6 address 4001:0:1:1::2/64
RouterA(config-if)#interface serial1/0
RouterA(config-if)#description point-to-point line to Internet
RouterA(config-if)#ipv6 address 4001:0:1:5::1/64

Static Routing
Static routing with IPv6 works exactly like it does with version 4.
Aside from understanding the address format, there are no differences. Static routes are
not currently on the BSCI test. The syntax for the IPv6 static route command is shown
below and example below is supplied so that the command may be viewed in context as
it might be applied.

Router(config)# ipv6 route ipv6-prefix|prefix-length

{ipv6address|interface-type interface-number [Ipv6-address]}
(administrative-distance) [administrative-multicast-distance | unicast
| multicast] (tag tag)

ETEC1999. All rights reserved
Rev 05/2014 Page 136
EXAMPLE: Configuring Static IPv6 Routes

RouterA(config)#ipv6 route 4001:0:1:2::/64 4001:0:1:1::1

RouterA(config)#ipv6 route ::/0 serial1/0

RIPng for IPv6

RIPng is the iPv6 of RIP and is defined in RFC 2080. Like RIPv2 for IPv4, RIPng is a
distance vector routing protocol that uses a hop count for its metric and has a maximum
hop count of 15. RIPng also uses periodic multicast updates - every 30 seconds - to
advertise routes. The northeast address is FF02::9.

There are two important differences between the old RIP and the next generation RIP:

 First, RIPng supports multiple concurrent processes, each identified by a process

number (this is similar to OSPFv2).
 Second. RIPng is initialized in global configuration mode and then enabled cm
specific interfaces.


Router(config)#ipv6 router rip process

Router(config-rtr)#interface f0/0
Router(config-if)#ipv6 rip process enable

Like RIP for IPv4, troubleshoot RIPng by looking at the routing table (show ipv6 route),
by reviewing the routing protocols (show ipv6 protocols), and by watching routing
updates propagated between routers (debug ipv6 rip).

Integrating IPv4 and IPv6

There are several strategies for migrating from IPv4 to IPv6. Each of these strategies
should be considered when organizations decide to make the move to IPv6 because
each has positive points to aiding a smooth migration. It should also be said that there
does not have to be a global decision on strategy your organization may choose to run
dual-stack in the U.S., go completely to IPv6 in Japan, and use tunneling in Europe- The
transition mechanisms include:

 Dual stack - Running IPv6 and IPv4 concurrently.

 IPv6 to IPv4 tunneling (6-to-4) - Routers that straddle the IPv4 and IPv6 worlds
to encapsulate the IPv6 traffic inside IPv4 packets.
 Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) - This protocol is
similar to 6-to-4, but it treats the IPv4 network as an NBMA network.
 Teredo/Shipworm - Encapsulates ipv6 packets in IPv4/UDP segments.


ETEC1999. All rights reserved
Rev 05/2014 Page 137
Instead of replacing IPv4, there are several ways to coordinate the functioning of IPv4
and v6 concurrently. NAT-protocol translation is an example of this coexistence strategy.
NAT-PT maps IPv6 addresses to IPv4 addresses. If IPv6 is used on the inside of your
network, a NAT-PT device will receive IPv6 traffic on its inside interface and replace the
IPv6 header with an IPv4 header before sending it to an outside interface. Reply traffic
will be able to follow the mapping backward to enable two-way communication.

NAT-PT is able to interpret application traffic and understand when IP information is

included in the application data.
It is also possible to connect IPv4 and IPv6routing domains using application-level
gateways (ALG), proxies, or Bump-in-the-API (BIA) and Bump-in-the-Stack (BIS) which
are NAT-PT implementations within a host.

ETEC1999. All rights reserved
Rev 05/2014 Page 138
Chapter 12 – Troubleshooting
Troubleshooting is a method of finding the cause of a problem and correcting it. The
ultimate goal of troubleshooting is to get the equipment back into operation. This is a
very important job because the entire production operation may depend on the
troubleshooter's ability to solve the problem quickly and economically, thus returning the
equipment to service. Although the actual steps the troubleshooter uses to achieve the
ultimate goal may vary, there are a few general guidelines that should be followed. There
are often cases where a familiar piece of equipment or system breaks down. In those
cases, an abbreviated five-step troubleshooting process can be used to find the fault, get
the system up and running. It is important to note that, although it is a five-step
approach, the same basic guidelines of the seven-step troubleshooting method are
followed. The steps are simply combined to be specific to the problem at hand. This
article will briefly cover the five-step troubleshooting process, followed by a more in-
depth look at the seven-step troubleshooting process.

General Troubleshooting Guidelines

The general guidelines for a good troubleshooter to follow are:
 Use a clear and logical approach
 Work quickly
 Work efficiently
 Work economically
 Work safely and exercise safety precautions

There are many guidelines to troubleshoot anything. The following are some basic steps
of troubleshooting techniques:

Seven-Step Troubleshooting Philosophy

1. Symptom Recognition
2. Symptom Elaboration
3. Listing of Probable Faulty Functions
4. Localizing the Faulty Function
5. Localizing the Fault to a Component and repair
6. Document and perform Failure Analysis
7. Retest Requirements

Troubleshooting with Flowcharts

1. Talk with the Operator
2. Verify Symptoms
3. Attempt Quick Fixes
4. Review Troubleshooting Aid
5. Step-by-Step Search
6. Clear the Trouble
7. Perform Preventive Maintenance
ETEC1999. All rights reserved
Rev 05/2014 Page 139
8. Make Final Checks
9. Complete Paperwork
10. Inform Area Supervision/Instruct Operators

The Systematic Model

1. Verify That a Problem Actually Exists
2. Isolate the Cause of the Problem
3. Correct the Cause of the Problem
4. Verify That the Problem Has Been Corrected
5. Follow Up to Prevent Future Problems

Cause and Effect Diagrams

 Identify the Trouble or Problem
 Draw a Main Line Pointing to the Problem
 Identify the Possible Major Causes of the Problem
 Identify Each Possible Minor Cause Associated With the Major Causes
 Identify Each Contributing Factor to the Minor Causes
 Review the Cause and Effect Diagram

Intermittent Failures
 Attempt to Recreate the Problem
 Thermally Induced Failure
 Mechanically Induced Failure
 Erratic Failure
 Alternatives to Recreating Failures
 Identifying All Possible Causes of Trouble

CompTIA troubleshooting steps:

1. Identify the Problem
 Gather Information
 Identify Symptoms
 Question Users
2. Establish a theory of probable cause
 Question the obvious
3. Test the theory of probable cause
 Once theory is confirmed, determine next step to resolve the problem
 If theory is not confirmed, reestablish new theory or escalate
4. Establish a plan of action to resolve the problem and identify potential effects
5. Implement and test the solution and escalate a necessary
6. Verify full system functionality and, if applicable, implement preventative
7. Document findings, actions, and outcomes.

ETEC1999. All rights reserved
Rev 05/2014 Page 140
Cisco 8 steps of troubleshooting

1. Gather detailed information.

2. Consider probable cause for the failure.
3. Devise a plan to solve the problem.
4. Implement the plan.
5. Observe the results of the implementation.
6. Repeat the process if the plan does not resolve the problem.
7. Document the changes made to solve the problem.

ETEC1999. All rights reserved
Rev 05/2014 Page 141
Comprehensive Review
Case Study 1: Layer2 Resolving
Small network with 5 client computers and 2 servers. All clients and server have static
IP addresses as follows:

Host IP Address

Let’s assume the switch just powered up; its mac address-table will be empty as no host
has transmitted any data.

Let’s take a detailed look at when Client1 needs to ping Client4 using a hostname.

1. Client1 will send a request to the DNS server for Client4’s IP address.
Client1 does know the IP address of the DNS server but it does not know the
MAC address of the DNS server. Client1 sends an ARP out to
asking for the MAC address. The destination MAC of the ARP will be

At this time, the Switch will learn the MAC address of Client1 from the source
MAC address of the ARP frame.

When the ARP needs to resolve a given IP address to Ethernet address, it

broadcasts an ARP request packet. The ARP request packet contains the source
MAC address, the source IP address and the destination IP address. Each host in
the local network receives this packet. The host with the specified destination IP
address sends an ARP reply packet to the originating host with its IP address.
ETEC1999. All rights reserved
Rev 05/2014 Page 142
ETEC1999. All rights reserved
Rev 05/2014 Page 143
2. DNS Server will send a reply back to Client1 with the IP address of Client4.
The return frame from the DNS server will be a unicast all the way, because the
DNS knows the IP and MAC address of Client1.
By this time, the Switch will add the MAC address of the DNS to its MAC table
and will only forward the frame to Client1 port since it already knows where
Client1 is.

3. Client1 will send an ARP out to the IP address of Client4 and request for its MAC
Again, the destination ARP MAC address will be FF:FF:FF:FF:FF:FF and will be
forwarded out to all ports (including the port of the DNS Server), except for the
source port of Client1.

4. Client4 will send back its MAC address to Client1.

Now the Switch will add Client4’s MAC address to its MAC table.

5. Client1 will send 4 ping packets to Client4.

The frame now will go from the Client1 port to the Client4 port.

Port Client
Fa0/2 DNS
Fa0/5 Client1
Fa0/8 Client4

As you can see the switch has learned 3 MAC addresses and its port.

If Client1 is now trying to ping Client5, the same thing will start, except when a DNS
request takes place. Client1 will remember the MAC address of the DNS server, and the
Switch will only forward ping to Port #2.

ETEC1999. All rights reserved
Rev 05/2014 Page 144
Case Study 2: A Packet Journey
Here we have 3 routers connecting 4 broadcasting network as follow:

In this example, we have PC1 using a browser and connecting to the WEB server. Let’s
examine step by step as the packet travels from PC1 to the WEB server.

1. PC1 first opens a browser and types http://WEB/.

a. By using http, PC1 knows that the layer-4 destination port number will be 80.
PC1 will randomly pick a port number from 1024 to 65535 as its source port.
In our example here, PC1 will choose 1025 as its source port.

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port
0009.7C7D.1460 1025 80 Data

b. Now, PC1 will send a request to the DNS server for the IP address of the WEB
server. DNS will send back PC1 has now completed its layer-3

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port
0009.7C7D.1460 1025 80 Data

c. PC1 examines the Destination IP address, and realizes that it’s not on the
same subnet; PC1 now must forward to its Default Gateway.
d. PC1 will send an ARP to (Default Gateway IP address) requesting
its MAC address.
e. R0 returns its MAC address of interface Fa0/0 to PC1

ETEC1999. All rights reserved
Rev 05/2014 Page 145
f. PC1 uses the MAC address of R0 as its Destination MAC to complete the
Frame. Convert it to Layer-1 (bits) and forward it to R0.

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port
000B.BE22.6401 0009.7C7D.1460 1025 80 Data

2. R0 receives the data, converts the data back to examine the packet, and
determines where to forward it.
a. R0 will strip out the layer 2 header so it can look up the Destination IP address
from its routing table.

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port 1025 80 Data

b. R0 will see that to get to network, it must forward to

which is directly connected to its Fa0/1 interface. It will send an ARP to its
neighbor requesting its MAC address.
c. R1 return its MAC address of its Fa0/0 interface.
d. R0 now can complete layer 2 and forward it out of its Fa0/1 interface.

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port
0003.E402.3901 000B.BE22.6402 1025 80 Data

ETEC1999. All rights reserved
Rev 05/2014 Page 146
3. R1 receives the data, converts the data back to examine the packet, and
determines where to forward it. (same as R0 did).
a. R1 will strip out the layer 2 header so it can look up the Destination IP address
from its routing table.

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port 1025 80 Data

b. R1 will see that to get to network, it must forward to

which is directly connected to its Fa0/1 interface. It will send an ARP to its
neighbor requesting its MAC address.
c. R2 returns its MAC address of its Fa0/0 interface.
d. R1 now can complete layer 2 and forward it out of its Fa0/1 interface.

ETEC1999. All rights reserved
Rev 05/2014 Page 147
Layer-2 Layer-3 Layer-4
Destination MAC Source MAC Source IP Destination IP Source Port Destination Port
0001.96E8.0C01 0003.E402.3902 1025 80 Data

4. R2 receives the data, convert the data back to examine the packet, and
determines where to forward it (same as R0 did).
a. R2 will strip out the layer 2 header so it can look up the Destination IP address
from its routing table.

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port 1025 80 Data

ETEC1999. All rights reserved
Rev 05/2014 Page 148
b. Now it is a little different than the previous 2 routers. When R2 exams the
Destination IP address, it will see that is directly connected to its Fa0/1. R2
can send an ARP to the Destination IP ( out of its Fa0/1 interface
for the final destination MAC address.
c. The WEB server return its MAC address.
d. R2 completes its layer-2 and forward it out to the WEB server.

Layer-2 Layer-3 Layer-4

Destination MAC Source MAC Source IP Destination IP Source Port Destination Port
00D0.97C8.338E 0001.96E8.0C02 1025 80 Data

Once the WEB server receives the request from PC1 and returns its web page, the
packet now is reversed, where the Source Port, IP and MAC become the Destination.

Things to note:
1. You can see that the source and destination IP do not change during transient
due to all the routers in between needing the final destination IP so it can forward
the packet to the next hop. Also the destination (WEB server) device needs to
know the source IP so it can return what it wants. We call IP’s our end-to-end.
2. Layer-2 MAC addresses change from hop-to-hop where the exiting interface MAC
address is the source MAC and the neighbor receiving interface is the destination
MAC address.
3. The Switch does not come to play as it just forwarding the frame to the router or
from the router to the PC or Server.
4. Routers make their decision based on its Routing Table. If the destination IP
address is not on its table:
a. Examine the source IP address of the packet,
b. Drop the packet, add the word “and” or “or” here
c. Send an ICMP with the message “Destination Unreachable” back to the
source IP address.
ETEC1999. All rights reserved
Rev 05/2014 Page 149