
B.TECH PROJECT REPORT

Designing Wide Area Network using
CISCO PACKET TRACER

BY
ALISINA GHAFORI (11630020) (ECE 1)
ABHILEKH DOWERAH (11610419) (ECE4)
MD SHAAD ALAM (11610417) (ECE 4)

Under the Supervision of


Asstt. Prof. Shweta Meena

DEPARTMENT OF ELECTRONICS AND COMMUNICATION

ENGINEERING, NATIONAL INSTITUTE OF TECHNOLOGY

KURUKSHETRA – 136119, HARYANA (INDIA)

July – Dec 2019


NETWORK SECURITY

OBJECTIVE

This project introduces the architecture, structure, functions, components, and models of
the Internet and other computer networks. It uses the OSI and TCP/IP layered models to
examine the nature and roles of protocols and services at the application, network, data
link, and physical layers. The principles and structure of IP addressing and the fundamentals
of Ethernet concepts, media, and operations are introduced to provide a foundation for the
project. Packet Tracer (PT) is used to analyze protocol and network operation and to
build small networks in a simulated environment with a range of security features. By the
end of the project, simple WAN topologies are built by applying basic principles of
cabling, performing basic configurations of network devices, including routers and
switches, and implementing IP addressing schemes.

ABSTRACT

This project is about designing a wide area network in which the systems on the network
can interact in a safe and secure environment. Network security starts with authentication,
commonly with a username and a password. Since this requires just one detail,
authenticating the username and the password, this is sometimes termed one-factor
authentication. Once authenticated, a firewall enforces access policies such as which
services the network users are allowed to access. The project is all about designing a wide
area network with security features. For making the project virtually realizable, Cisco
Packet Tracer is used as the simulation application. Many protocols and functions are used
in order to connect all the components of the network, such as computer hardware, cabling,
network devices, computer software, routers and switches, and all of these components
interact with each other in a secure and risk-free networking environment. Routers are
basically configured to control the traffic of data packets between different networks, and
most of the time they are configured to direct data packets intelligently to their
destination.

CONTENTS

CHAPTER   Topic

INTRODUCTION TO PROJECT

1. NETWORKING BASICS

1.1 Types of Network

1.1.1 Local area network

1.1.2 Personal area network

1.1.3 Wide area network

1.1.4 Metropolitan area network

1.1.5 Virtual private network

1.2 Networking Models

1.2.1 Advantages of Reference Models

1.2.2 Types of Networking Models

1.3 OSI Model

1.4 TCP/IP model

1.5 TCP/IP Model vs. OSI Model

2 INTERNETWORKING DEVICES

2.1 Networking Cables

2.1.1 Twisted Pair

2.1.2 Optical fiber cable

2.1.3 Straight Cable



2.1.4 Crossover Cable

2.2 Networking Components

2.2.1 Hubs

2.2.2 Switches

2.2.3 Routers

3 IP ADDRESSING AND SUBNETTING


3.1 IP Addressing

3.1.2 Broadcast address

3.2 Network Addressing

3.3 Subnetting

4. IP ROUTING

4.1 Routing

4.2 Different Types of Routing

4.2.1 Static Routing

4.2.2 Default Routing

4.2.3 Dynamic routing

4.2.4 Dynamic Routing types

4.3 Routing Protocols Basics

4.3.1 Path Determination

4.3.2 Metrics

4.4 EIGRP

4.4.1 The Diffusing Update Algorithm

4.4.2 Sophisticated Metric


4.4.3 Configuring EIGRP on CISCO Routers

4.5 RIP

4.5.1 RIP V2

4.6 OSPF

4.7 BGP

4.8 Ping

4.9 Loopbacks

4.10 TELNET

4.11 REDISTRIBUTION

5. SECURITY

5.1 Access Lists

5.1.1 Access List Basics

5.2 Standard Access Control Lists

5.2.1 Standard Access-list Format

5.2.2 Extended IP Access Lists

5.2.3 Name Access-list

5.3 PORT Security

5.4 NAT

5.5 FIREWALL

6. IPv6

6.1 IP Version 6

6.2 Packet contents

6.3 IPv6 Compression techniques



7. FRAME RELAY

7.1 Frame-Relay

7.2 Frame Relay Devices

7.3 Data-Link Connection Identifier (DLCI)

8. SWITCHING

8.1 MAC

8.2 LAN SEGMENTATION

8.3 Layer 2 Switching

8.4 LAN Switching

8.5 Virtual LAN

8.6 STP

8.7 Ether Channels

9. VOIP

9.1 VOIP Protocols

9.2 IP Phones

10. PROJECT WORK

10.1 Project Overview

10.2 Features

11. CONCLUSION

12. REFERENCES

INTRODUCTION TO PROJECT

The structure of this project is based on the back-end structure of the Internet. This
project combines two kinds of devices, servers and routers. Computer networking is a very
vast field in the present era of electronics and communication. Nowadays, computers are
used in a wide range of settings. Organizations use multiple computers within their
departments to perform their day-to-day work. A computer network allows a user to share
data, folders and files with other users connected to the network with high security.
Computer networking has bound the world into a very small area with its wide networking
processes like LAN, MAN and WAN.
Routing is a process or technique to identify the path from one network to another.
Routers don't really care about hosts; they only care about networks and the best path to
each network.

Network Security
Network security consists of the provisions and policies adopted by a network
administrator to prevent and monitor unauthorized access, misuse, modification, or denial
of a computer network and network-accessible resources. Network security involves the
authorization of access to data in a network, which is controlled by the network
administrator. Users choose or are assigned an ID and password or other authenticating
information that allows them access to information and programs within their authority.
Network security covers a variety of computer networks, both public and private, that are
used in everyday jobs conducting transactions and communications among businesses,
government agencies and individuals. Networks can be private, such as within a
company, or open to public access. Network security is involved in organizations,
enterprises, and other types of institutions. It does as its title explains: it secures the
network, and protects and oversees the operations being carried out on it. The most
common and simple way of protecting a network resource is by assigning it a unique
name and a corresponding password.
Network security is accomplished through hardware and software. The software must be
constantly updated and managed to protect you from emerging threats.

A network security system usually consists of many components. Ideally, all components
work together, which minimizes maintenance and improves security.

Network security components often include:

- Anti-virus and anti-spyware
- Firewall, to block unauthorized access to your network
- Intrusion prevention systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks
- Virtual Private Networks (VPNs), to provide secure remote access
- Port security
- Authentication and authorization
- Access control lists
- IPsec suite

Features of project

- Network security for authentication and authorization.
- Port security, or MAC address filtering.
- DHCP (Dynamic Host Configuration Protocol) enabled for automatic configuration of IP addresses.
- DNS server to resolve URLs to the corresponding IP addresses.
- HTTP and HTTPS access to share information.
- FTP service for data sharing.
- SMTP service for e-mail conversations.
- Data security.
- Firewall, to block unauthorized access to your network.
- Access control list.
- Password encryption.
- Logins.
- NAT.

CHAPTER 1. NETWORKING BASICS

What's a Network?

A combination of computer hardware, cabling, network devices, and computer software
used together to allow computers to communicate with each other.

1.1 Types of networks


1.1.1 Local area network

A local area network (LAN) is a network that connects computers and devices in a limited
geographical area such as home, school, computer laboratory, office building, or closely
positioned group of buildings. Each computer or device on the network is a node.

1.1.2 Personal area network

A personal area network (PAN) is a computer network used for communication among
computer and different information technological devices close to one person. Some
examples of devices that are used in a PAN are personal computers, printers, fax
machines, telephones, PDAs, scanners, and even video game consoles. A PAN may
include wired and wireless devices. The reach of a PAN typically extends to 10 meters.
1.1.3 Wide area network

A wide area network (WAN) is a computer network that covers a large geographic area
such as a city or country, or even spans intercontinental distances, using a communications
channel that combines many types of media such as telephone lines, cables, and air
waves. A WAN often uses transmission facilities provided by common carriers, such as
telephone companies. WAN technologies generally function at the lower three layers of
the OSI reference model: the physical layer, the data link layer, and the network layer.

1.1.4 Metropolitan area network

A Metropolitan area network is a large computer network that usually spans a city or a
large campus.

1.1.5 Virtual private network

A virtual private network (VPN) is a computer network in which some of the links
between nodes are carried by open connections or virtual circuits in some larger network
(e.g., the Internet) instead of by physical wires. The data link layer protocols of the virtual
network are said to be tunnelled through the larger network when this is the case. One
common application is secure communications through the public Internet, but a VPN
need not have explicit security features, such as authentication or content encryption.
VPNs, for example, can be used to separate the traffic of different user communities over
an underlying network with strong security features.

1.2 Networking Models

When networks first came into being, computers could typically communicate only with
computers from the same manufacturer. For example, companies ran either a complete
DECnet solution or an IBM solution—not both together. In the late 1970s, the OSI (Open
Systems Interconnection) model was created by the International Organization for
Standardization (ISO) to break this barrier. The OSI model was meant to help vendors
create interoperable network devices. Like world peace, it’ll probably never happen
completely, but it’s still a great goal. The OSI model is the primary architectural model
for networks. It describes how data and network information are communicated from
applications on one computer, through the network media, to an application on another
computer. The OSI reference model breaks this approach into layers.

1.2.1 Advantages of Reference Models

The OSI model is hierarchical, and the same benefits and advantages can apply to any
layered model. The primary purpose of all models, and especially the OSI model, is to
allow different vendors to interoperate. The benefits of the OSI model include, but are not
limited to, the following:
- Dividing the complex network operation into more manageable layers
- Changing one layer without having to change all layers. This allows application
developers to specialize in design and development.
- Defining the standard interface for "plug-and-play" multi-vendor integration

1.2.2 Types of Networking Models


The TCP/IP Model: This model is sometimes called the DoD model since it was
designed for the US Department of Defense. It is also called the Internet model because
TCP/IP is the protocol suite used on the Internet.

OSI Network Model: The International Organization for Standardization (ISO) has defined a
standard called the Open Systems Interconnection (OSI) reference model. This is a
seven-layer architecture listed in the next section.

1.3 OSI Model

The OSI, or Open System Interconnection, model defines a networking framework for
implementing protocols in seven layers. Control is passed from one layer to the next,
starting at the application layer in one station, and proceeding to the bottom layer, over
the channel to the next station and back up the hierarchy.

Application (Layer 7)

This layer supports application and end-user processes. Communication partners are
identified, quality of service is identified, user authentication and privacy are considered,
and any constraints on data syntax are identified.

Presentation (Layer 6)

This layer provides independence from differences in data representation (e.g.,
encryption) by translating from application to network format, and vice versa.

Session (Layer 5)

This layer establishes, manages and terminates connections between applications. The
session layer sets up, coordinates, and terminates conversations, exchanges, and dialogues
between the applications at each end. It deals with session and connection coordination.

Transport (Layer 4)

This layer provides transparent transfer of data between end systems, or hosts, and is
responsible for end-to-end error recovery and flow control. It ensures complete data
transfer.

Network (Layer 3)

This layer provides switching and routing technologies, creating logical paths, known as
virtual circuits, for transmitting data from node to node.

Data Link (Layer 2)

At this layer, data packets are encoded and decoded into bits. It furnishes transmission
protocol knowledge and management and handles errors in the physical layer, flow
control and frame synchronization. The data link layer is divided into two sub layers: The
Media Access Control (MAC) layer and the Logical Link Control (LLC) layer.

Physical (Layer 1)

This layer conveys the bit stream (electrical impulse, light or radio signal) through the
network at the electrical and mechanical level.

Fig 1.1 shows the functions of the OSI layers



Fig 1.2 TCP/IP Model

1.4 TCP/IP model

Application Layer (process-to-process): This is the scope within which
applications create user data and communicate this data to other processes or applications
on another or the same host. The communication partners are often called peers. This is
where the "higher level" protocols such as SMTP, FTP, SSH, HTTP, etc. operate.

Transport Layer (host-to-host): The Transport Layer constitutes the networking
regime between two network hosts, either on the local network or on remote networks
separated by routers.

Internet Layer (internetworking): The Internet Layer has the task of exchanging
datagrams across network boundaries. It is therefore also referred to as the layer that
establishes internetworking; indeed, it defines and establishes the Internet. This layer
defines the addressing and routing structures used for the TCP/IP protocol suite.

Link Layer: This layer defines the networking methods within the scope of the local
network link on which hosts communicate without intervening routers. This layer
describes the protocols used to describe the local network topology and the interfaces
needed to effect transmission of Internet Layer datagrams to next-neighbour hosts.

1.5 TCP/IP Model vs. OSI Model

Table 1.1 TCP/IP Reference Model vs. OSI Reference Model

Sr. No. | TCP/IP Reference Model | OSI Reference Model
1 | Defined after the advent of the Internet. | Defined before the advent of the Internet.
2 | Service interface and protocols were not clearly distinguished. | Service interface and protocols are clearly distinguished.
3 | TCP/IP supports internetworking. | Internetworking not supported.
4 | Loosely layered. | Strict layering.
5 | Protocol-dependent standard. | Protocol-independent standard.
6 | More credible. | Less credible.
7 | TCP reliably delivers packets; IP does not reliably deliver packets. | All packets are reliably delivered.

CHAPTER 2. INTERNETWORKING DEVICES

2.1 Networking Cables

Networking Cables are used to connect one network device to other or to connect two or
more computers to share printer, scanner etc. Different types of network cables
like Coaxial cable, Optical fiber cable, Twisted Pair cables are used depending on the
network's topology, protocol and size.

2.1.1 Twisted Pair

Twisted pair cabling is a type of wiring in which two conductors (the forward and return
conductors of a single circuit) are twisted together for the purpose of cancelling
out electromagnetic interference (EMI) from external sources, for instance
electromagnetic radiation from unshielded twisted pair (UTP) cables, and crosstalk
between neighbouring pairs. It was invented by Alexander Graham Bell.

Unshielded twisted pair cable with different twist rates


Shielded twisted pair

2.1.2 Optical fiber cable

An optical fiber is a single, hair-fine filament drawn from molten silica glass. These
fibers are replacing metal wire as the transmission medium in high-speed, high-capacity
communications systems that convert information into light, which is then transmitted via
fiber optic cable. Currently, American telephone companies represent the largest users of
fiber optic cables, but the technology is also used for power lines, local access computer
networks, and video transmission.

2.1.3 Straight Cable

You usually use a straight cable to connect different types of devices. This type of cable
will be used most of the time and can be used to:

1) Connect a computer to a switch/hub's normal port.
2) Connect a computer to a cable/DSL modem's LAN port.
3) Connect a router's WAN port to a cable/DSL modem's LAN port.
4) Connect a router's LAN port to a switch/hub's uplink port (normally used for
expanding the network).

2.1.4 Crossover Cable


A crossover cable connects two devices of the same type, for example DTE-DTE
or DCE-DCE, which would usually be connected asymmetrically (DTE-DCE), by a
modified cable called a crosslink. This distinction between devices was introduced by IBM.

2.2 Networking Components

Computer networking devices are units that mediate data in a computer network.

2.2.1 Hubs

The central connecting device in a computer network is known as a hub. There are two
types of hub, i.e. active hub and passive hub. Every computer is directly connected with
the hub. When data packets arrive at the hub, it broadcasts them to all the LAN cards in the
network; the destined recipient picks them up and all other computers discard the data
packets. A hub has five, eight, sixteen or more ports, and one port is known as the uplink
port, which is used to connect to the next hub.

2.2.2 Switches

Like the router, a switch is an intelligent device that maps the IP address with the MAC
address of the LAN card. Unlike the hub, a switch does not broadcast the data to all the
computers; it sends the data packets only to the destined computer. Switches are used in
the LAN, MAN and WAN. In an Ethernet network, computers are directly connected
with the switch via twisted pair cables.

We have two types of switch:

1. Manageable switch: it has a console port, by using which we can manage the switch
according to our needs.

2. Non-manageable switch: it has no console port; we use this switch as we purchase it.

2.2.3 Routers

A router is a device that interconnects two or more computer networks, and selectively
interchanges packets of data between them. Each data packet contains address
information that a router can use to determine if the source and destination are on the
same network, or if the data packet must be transferred from one network to another. A
router is a device whose software and hardware are customized to the tasks of routing and
forwarding information. A router has two or more network interfaces, which may be to
different types of network or different network standards.

Types of routers

Basically these are of two types:

1) Modular: these routers do not have fixed interfaces. Interfaces can be added and
removed according to need.
2) Non-modular: these routers have fixed interfaces, which cannot be removed.

CHAPTER 3. IP ADDRESSING AND SUBNETTING

3.1 IP Addressing
One of the most important topics in any discussion of TCP/IP is IP addressing. An IP
address is a numeric identifier assigned to each machine on an IP network. It designates
the location of a device on the network. An IP address is a software address, not a
hardware address; the latter is hardcoded on a network interface card (NIC) and used for
finding hosts on a local network. IP addressing was designed to allow a host on one
network to communicate with a host on a different network, regardless of the type of
LAN each host is participating in.
IP stands for Internet Protocol; it is a communications protocol used from the smallest
private network to the massive global Internet. An IP address is a unique identifier given
to a single device on an IP network. The IP address consists of a 32-bit number that
ranges from 0 to 4294967295. This means that theoretically, the Internet can contain
approximately 4.3 billion unique objects. But to make such a large address block easier to
handle, it was chopped up into four 8-bit numbers, or "octets," separated by a period.
Instead of 32 binary base-2 digits, which would be too long to read, it's converted to four
base-256 digits. Octets are made up of numbers ranging from 0 to 255.

Here are a few of the most important terms:

Bit: One digit; either a 1 or a 0.
Byte: 8 bits.
Octet: Always 8 bits. Base-8 addressing scheme.

3.1.1 Network address

The designation used in routing to send packets to a remote
network, for example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.

3.1.2 Broadcast address


Used by applications and hosts to send information to all nodes on a network.
Examples include 255.255.255.255, which is all networks, all nodes; 172.16.255.255,
which is all subnets and hosts on network 172.16.0.0; and 10.255.255.255, which
broadcasts to all subnets and hosts on network 10.0.0.0.

3.2 Network Addressing


The network address uniquely identifies each network. Every machine on the same
network shares that network address as part of its IP address. In the IP address
172.16.30.56, for example, 172.16 is the network address.
The node address is assigned to, and uniquely identifies, each machine on a network.
This part of the address must be unique because it identifies a particular machine—an
individual—as opposed to a network, which is a group. This number can also be referred
to as a host address.
Figure 3.1 summarizes the three classes of networks:

Fig 3.1 shows the classes of networks

3.2.1 Network Address Range: Class A


The designers of the IP address scheme said that the first bit of the first byte in a Class A
network address must always be off, or 0.
Here is how those numbers are defined:
0xxxxxxx
00000000=0
01111111=127
3.2.2 Network Address Range: Class B
In a Class B network, the RFCs state that the first bit of the first byte must always be
turned on, but the second bit must always be turned off. If you turn the other six bits all
off and then all on, you will find the range for a Class B network:
10000000=128
10111111=191
3.2.3 Network Address Range: Class C
For Class C networks, the RFCs define the first two bits of the first octet always turned
on, but the third bit can never be on. Following the same process as the previous classes,
convert from binary to decimal to find the range. Here is the range for a Class C network:
11000000=192
11011111=223
3.2.4 Network Address Ranges: Classes D and E
The addresses between 224 and 255 are reserved for Class D and E networks.
Class D is used for multicast addresses and Class E for scientific purposes.

Fig 3.2 shows the reserved ip addresses


3.3 Subnetting
The word subnet is short for sub-network: a smaller network within a larger one. The
smallest subnet that has no more subdivisions within it is considered a single "broadcast
domain," which directly correlates to a single LAN (local area network) segment on an
Ethernet switch.
Subnetting is simply the concept of borrowing bits from the host part of the address, so
that the host part shrinks and the borrowed bits become part of the network part. With this
the number of available networks increases and the number of hosts per subnet decreases.
In this way a more efficient assignment of IP addresses in the network is possible, with the
least possible waste of IPs, as they are very limited in number in IPv4.
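As an added example (not code from the report), the following Python script applies the class rules of section 3.2 (the leading bits of the first octet) and the host-bit borrowing of section 3.3, listing each subnet's network address, usable host range and directed broadcast. The sample networks 192.168.10.0 and 172.16.30.56 are the ones used earlier in this chapter; the standard ipaddress module is used only for dotted-quad conversion.

```python
"""Classful IPv4 ranges (section 3.2) and subnetting by borrowing host bits (section 3.3).

Added example, not part of the project report. Only the standard library is used.
"""
import ipaddress


def address_class(ip: str) -> str:
    """Classify an address by the leading bits of its first octet, as in section 3.2."""
    first = int(ip.split(".")[0])
    if first & 0b10000000 == 0:            # 0xxxxxxx  -> 0..127
        return "A"
    if first & 0b11000000 == 0b10000000:   # 10xxxxxx  -> 128..191
        return "B"
    if first & 0b11100000 == 0b11000000:   # 110xxxxx  -> 192..223
        return "C"
    if first & 0b11110000 == 0b11100000:   # 1110xxxx  -> 224..239 (multicast)
        return "D"
    return "E"                             # 1111xxxx  -> 240..255 (reserved)


# Default (classful) prefix lengths; classes D and E are not subnetted.
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def prefix_to_mask(prefix: int) -> str:
    """Dotted-quad subnet mask for a prefix length, e.g. 26 -> 255.255.255.192."""
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def subnet(ip: str, borrowed_bits: int) -> dict:
    """Borrow `borrowed_bits` host bits from the classful network containing `ip`.

    Returns the new mask, the number of subnets, the usable hosts per subnet and,
    for each subnet, its network address, first and last usable host and broadcast.
    """
    cls = address_class(ip)
    if cls not in DEFAULT_PREFIX:
        raise ValueError(f"class {cls} addresses are not subnetted")
    base_prefix = DEFAULT_PREFIX[cls]
    new_prefix = base_prefix + borrowed_bits
    if borrowed_bits < 0 or new_prefix > 30:
        raise ValueError("at least two host bits must remain for usable hosts")
    host_bits = 32 - new_prefix
    block = 1 << host_bits                      # addresses per subnet
    # Classful network address: clear every host bit of the given address.
    base_mask = (0xFFFFFFFF << (32 - base_prefix)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(ip)) & base_mask
    subnets = []
    for i in range(1 << borrowed_bits):
        net = base + i * block
        subnets.append({
            "network": str(ipaddress.IPv4Address(net)),
            "first_host": str(ipaddress.IPv4Address(net + 1)),
            "last_host": str(ipaddress.IPv4Address(net + block - 2)),
            "broadcast": str(ipaddress.IPv4Address(net + block - 1)),
        })
    return {
        "class": cls,
        "mask": prefix_to_mask(new_prefix),
        "subnets_count": 1 << borrowed_bits,
        "hosts_per_subnet": block - 2,
        "subnets": subnets,
    }


if __name__ == "__main__":
    # Borrow two host bits from the class C network 192.168.10.0 -> four /26 subnets.
    result = subnet("192.168.10.0", 2)
    print(f"class {result['class']}, mask {result['mask']}, "
          f"{result['subnets_count']} subnets x {result['hosts_per_subnet']} hosts")
    for s in result["subnets"]:
        print(f"  {s['network']:16} hosts {s['first_host']} - {s['last_host']}  "
              f"broadcast {s['broadcast']}")
```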

CHAPTER 4. IP ROUTING

4.1 Routing

Routing is the act of moving information across an internetwork from a source to a
destination. Routing is used for taking a packet from one device and sending it through
the network to another device on a different network. If your network has no routers, then
you are not routing. Routers route traffic to all the networks in your internetwork. Routing
directs packet forwarding, the transit of logically addressed packets from their source
toward their ultimate destination through intermediate nodes, typically hardware devices
called routers, bridges, gateways, firewalls, or switches. General-purpose computers with
multiple network cards can also forward packets and perform routing, though they are not
specialized hardware and may suffer from limited performance. The routing process
usually directs forwarding on the basis of routing tables, which maintain a record of the
routes to various network destinations. Thus, constructing routing tables, which are held
in the routers' memory, is very important for efficient routing. Most routing algorithms
use only one network path at a time, but multipath routing techniques enable the use of
multiple alternative paths.

To be able to route packets, a router must know, at a minimum, the following:

- Destination address
- Neighbor routers from which it can learn about remote networks
- Possible routes to all remote networks
- The best route to each remote network

4.2 Different Types of Routing

- Static routing
- Default routing
- Dynamic routing

Configuring a Router

A router can be configured in three ways:

- Console
- Telnet
- Auxiliary line telephone link (not used these days)
Table 4.1 Cisco Router Basic Operations

Enter privileged mode:
    Router> enable
Return to user mode from privileged mode:
    disable
Exit router:
    logout, exit or quit
Recall last command:
    up arrow or <Ctrl-P>
Recall next command:
    down arrow or <Ctrl-N>
Refresh screen output:
    <Ctrl-R>
Complete command:
    TAB

Table 4.2 Some basic commands

Set a console password to cisco:
    Router(config)# line con 0
    Router(config-line)# login
    Router(config-line)# password cisco

Set a telnet password:
    Router(config)# line vty 0 4
    Router(config-line)# login
    Router(config-line)# password cisco

Set the enable password to cisco:
    Router(config)# enable password cisco

Set the enable secret password to peter (this password overrides the enable
password and is encrypted within the config file):
    Router(config)# enable secret peter

Enter interface mode:
    Router(config)# interface serial x/y
    or
    Router(config)# interface fastethernet x/y

Enable an interface:
    Router(config-if)# no shutdown

Disable an interface:
    Router(config-if)# shutdown

Set the clock rate to 64K for a router with a DCE cable:
    Router(config-if)# clock rate 64000

Add an IP address to an interface:
    Router(config-if)# ip address 10.1.1.1 255.255.255.0

Table 4.3 Cisco Router Show Commands (Privileged Mode)

View version information:
    Router# show version
View current configuration (DRAM):
    Router# show running-config
View startup configuration (NVRAM):
    Router# show startup-config
Show IOS file and flash space:
    Router# show flash
Overview of all interfaces on the router:
    Router# show ip interface brief
Display current routing protocols:
    Router# show ip protocols
Display IP routing table:
    Router# show ip route
Display interface properties:
    Router# show interface serial x/y
    Router# show interface fastethernet x/y
Display IP properties of an interface:
    Router# show ip interface serial x/y
    Router# show ip interface fastethernet x/y

4.2.1 Static Routing

Static routing is the process of an administrator manually adding routes to each router's
routing table. There are benefits and disadvantages to all routing processes. Static routing
is not really a protocol, simply the process of manually entering routes into the routing
table via a configuration file that is loaded when the routing device starts up.

Static routing has the following benefits:

- No overhead on the router CPU
- No bandwidth usage between routers for updating each other
- Security (because the administrator only allows routing to certain networks)

Static routing has the following disadvantages:

- The administrator must really understand the internetwork and how each router is
connected to configure the routes correctly.
- If one network is added to the internetwork, the administrator must add a route to
it on all routers.
- It's not feasible in large networks because it would be a full-time job.
- One major problem in static routing is that the admin has to select the best route to
each network when redundant paths are available.
The command used to add a static route to a routing table is

Router(config)# ip route [destination-network] [mask] [next-hop-address or exit-interface] [administrative-distance] [permanent]

R1(config)# ip route 2.0.0.0 255.255.255.0 fastethernet 0/0 192.168.12.2
R1(config)# ip route 2.0.1.0 255.255.255.0 fastethernet 0/0 192.168.12.2
R1(config)# ip route 3.0.0.0 255.255.255.0 fastethernet 0/0 192.168.12.2
R1(config)# ip route 192.168.34.0 255.255.255.0 fastethernet 0/0 192.168.12.2
R2(config)# ip route 1.0.0.0 255.255.255.0 fastethernet 0/0 192.168.12.1
R2(config)# ip route 4.0.1.0 255.255.255.0 fastethernet 0/1 192.168.23.2
R2(config)# ip route 192.168.34.0 255.255.255.0 fastethernet 0/1 192.168.23.2

and so on.

4.2.2 Default Routing

Default routing is the routing in which all packets to unknown addresses are routed
through a particular interface of the router; this interface acts as the default gateway
for that router, and one router can only have one default gateway.

Router(config)# ip route 0.0.0.0 0.0.0.0 (interface out address) (next hop address)
(admin distance)

Router(config)# ip route 0.0.0.0 0.0.0.0 int Serial x/y A.B.C.D 20

The admin distance is used to give the priority of the default route.

With this command one can set the default gateway of the router, and when using the
show ip route command the gateway of last resort will be set to the next hop address
of the adjacent router.
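The following Python routing table is an added example (not code from the report) that mirrors the static and default routing described above: directly connected networks are deduced from an interface address and mask, static routes take the same arguments as the ip route command, the 0.0.0.0/0 entry is the gateway of last resort, and a lookup picks the longest matching prefix, breaking ties by the lowest administrative distance. R1's static routes are the ones from section 4.2.1; R1's own interface addresses (192.168.12.1/24 and 1.0.0.1/24) are assumed.

```python
"""Routing table lookup as described in sections 4.2.1 (static) and 4.2.2 (default).

Added example, not from the project report. R1's static routes come from
section 4.2.1; its interface addresses are assumed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str
    next_hop: Optional[str]   # None for a directly connected network
    admin_distance: int       # Cisco defaults: 0 connected, 1 static


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_connected(self, interface: str, address: str, mask: str) -> None:
        """Deduce the directly connected network from an interface address and mask."""
        net = ipaddress.IPv4Interface(f"{address}/{mask}").network
        self.routes.append(Route(net, interface, None, 0))

    def ip_route(self, dest: str, mask: str, interface: str, next_hop: str,
                 admin_distance: int = 1) -> None:
        """Same arguments as 'ip route <dest> <mask> <exit-interface> <next-hop> [AD]'."""
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        self.routes.append(Route(net, interface, next_hop, admin_distance))

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest prefix wins; on an equal prefix the lowest administrative distance wins."""
        addr = ipaddress.IPv4Address(destination)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None   # no route, not even a default: the packet would be dropped
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.admin_distance))

    def gateway_of_last_resort(self) -> Optional[str]:
        """Next hop of the best 0.0.0.0/0 route, as 'show ip route' reports it."""
        defaults = [r for r in self.routes if r.network.prefixlen == 0]
        if not defaults:
            return None
        return min(defaults, key=lambda r: r.admin_distance).next_hop


def build_r1() -> RoutingTable:
    """R1 of section 4.2.1 plus a default route with admin distance 20 (section 4.2.2)."""
    r1 = RoutingTable()
    # Interface addresses are assumed; the /24 towards R2 matches the next hop used below.
    r1.add_connected("fastethernet 0/0", "192.168.12.1", "255.255.255.0")
    r1.add_connected("fastethernet 0/1", "1.0.0.1", "255.255.255.0")
    r1.ip_route("2.0.0.0", "255.255.255.0", "fastethernet 0/0", "192.168.12.2")
    r1.ip_route("2.0.1.0", "255.255.255.0", "fastethernet 0/0", "192.168.12.2")
    r1.ip_route("3.0.0.0", "255.255.255.0", "fastethernet 0/0", "192.168.12.2")
    r1.ip_route("192.168.34.0", "255.255.255.0", "fastethernet 0/0", "192.168.12.2")
    r1.ip_route("0.0.0.0", "0.0.0.0", "fastethernet 0/0", "192.168.12.2", admin_distance=20)
    return r1


def describe(route: Optional[Route]) -> str:
    """Render a lookup result roughly the way a routing table line reads."""
    if route is None:
        return "no route"
    via = "directly connected" if route.next_hop is None else f"via {route.next_hop}"
    return f"{route.network} [{route.admin_distance}] {via}, {route.interface}"


if __name__ == "__main__":
    table = build_r1()
    for dst in ("2.0.1.7", "192.168.12.50", "8.8.8.8"):
        print(dst, "->", describe(table.lookup(dst)))
    print("gateway of last resort:", table.gateway_of_last_resort())
```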

4.2.3 Dynamic routing

Dynamic routing is the process of routing protocols running on the router
communicating with neighbor routers. The routers then update each other about all the
networks they know about. If a change occurs in the network, the dynamic routing
protocols automatically inform all routers about the change. If static routing is used, the
administrator is responsible for updating all changes by hand on all routers. The success
of dynamic routing depends on two basic router functions:

- Maintenance of a routing table
- Timely distribution of knowledge in the form of routing updates to other routers

This is the process of using protocols to find and update routing tables on routers. This is
easier than static or default routing, but one uses it at the expense of router CPU
processes and bandwidth on the network links.

A routing protocol defines the set of rules used by a router when it communicates
between neighbor routers.

4.2.4 Dynamic Routing is of two types:

- Distance Vector Routing Protocols
  Routing Information Protocol (RIP)
  Enhanced Interior Gateway Routing Protocol (EIGRP)

- Link State Routing Protocols
  Open Shortest Path First (OSPF)
  Integrated Intermediate System to Intermediate System (IS-IS)

4.3 Routing Protocols Basics

All dynamic routing protocols are built around an algorithm. Generally, an algorithm is a
step-by-step procedure for solving a problem. A routing algorithm must, at a minimum,
specify the following:

 A procedure for passing reach-ability information about networks to other routers.


 A procedure for receiving reach-ability information from other routers
 A procedure for determining optimal routes based on the reach-ability information
it has and for recording this information in a route table.
 A procedure for reacting to, compensating for, and advertising topology changes
in an Internet work.
 A few issues common to any routing protocol are path determination, metrics,
convergence, and load-balancing.

4.3.1 Path Determination

 All networks within an internetwork must be connected to a router, and wherever
a router has an interface on a network, that interface must have an address on that
network. This address is the originating point for reachability information.

 Consider a simple three-router internetwork. Router A knows about networks 192.168.1.0,
192.168.2.0, and 192.168.3.0 because it has interfaces on those networks with
corresponding addresses and appropriate address masks. Likewise, router B
knows about 192.168.3.0, 192.168.4.0, 192.168.5.0, and 192.168.6.0; router C
knows about 192.168.6.0, 192.168.7.0, and 192.168.1.0. Each interface
implements the data link and physical protocols of the network to which it is
attached, so the router also knows the state of the network (up or down).

Each router knows about its directly connected networks from its assigned
addresses and masks. Networks that are not directly connected to a router must
be made known to it via static routing or dynamic routing.

 Router A examines its IP addresses and associated masks and deduces that it is
attached to networks 192.168.1.0, 192.168.2.0, and 192.168.3.0.
 Router A enters these networks into its route table, along with some sort of flag
indicating that the networks are directly connected.
 Router A places the information into a packet: "My directly connected networks
are 192.168.1.0, 192.168.2.0, and 192.168.3.0."
 Router A transmits copies of these route information packets, or routing updates,
to routers B and C.
 Routers B and C, having performed the same steps, have sent updates with their
directly connected networks to A. Router A enters the received information into
its route table, along with the source address of the router that sent the update
packet. Router A now knows about all the networks, and it knows the addresses of
the routers to which they are attached.
4.3.2 Metrics

 A metric is a variable assigned to routes as a means of ranking them from best to
worst, or from most preferred to least preferred.
 Different routing protocols use different metrics, so the metrics of two or more routing
protocols cannot be compared to decide which protocol is better. A metric is only used
to find the best route within one routing protocol.

Protocol        Metric
RIP v1 and v2   Hop count
OSPF            Bandwidth
EIGRP           Bandwidth + Delay
IS-IS           Reference value

Table 4.4—Administrative distance for different routing protocols

Protocol               Default Admin Distance
Directly connected     0
Static route           1
EIGRP summary route    5
External BGP           20
EIGRP                  90
OSPF                   110
IS-IS                  115
RIP                    120
EGP                    140
ODR                    160
External EIGRP         170
Internal BGP           200
Unknown                255
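The two selection rules described in this chapter, the default route of section 4.2.2 and the administrative distances in the table above, are illustrated by the following Python program. It is an added example written for this section, not code from the report or from Packet Tracer: the prefixes, next hops and function names are constructed for the illustration. For each prefix only the candidate with the lowest administrative distance is installed (so EIGRP's 10.0.0.0/8 beats RIP's), and a lookup then uses longest-prefix match, in which 0.0.0.0/0 matches every address but is chosen only when nothing more specific exists.

```python
import ipaddress

# Constructed routing-table candidates: (prefix, next hop, administrative distance, source).
# Administrative distances follow the table above: connected 0, static 1, EIGRP 90,
# OSPF 110, RIP 120.
CANDIDATES = [
    ("192.168.1.0/24", "directly connected", 0, "C"),
    ("10.0.0.0/8",     "10.1.1.2",    90,  "D"),   # learned by EIGRP
    ("10.0.0.0/8",     "10.1.1.3",    120, "R"),   # same prefix learned by RIP
    ("10.20.0.0/16",   "10.1.1.4",    110, "O"),   # more specific prefix learned by OSPF
    ("0.0.0.0/0",      "203.0.113.1", 1,   "S*"),  # static default route (gateway of last resort)
]


def install_routes(candidates):
    """Build the routing table: for each prefix keep only the candidate with the lowest
    administrative distance. This is why EIGRP's 10.0.0.0/8 wins over RIP's."""
    table = {}
    for prefix, next_hop, ad, source in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in table or ad < table[net][1]:
            table[net] = (next_hop, ad, source)
    return table


def lookup(table, destination):
    """Longest-prefix match. 0.0.0.0/0 matches every address but has the shortest
    prefix, so it is used only when no more specific route exists. Returns
    (prefix, next_hop, source), or None when the packet has no route and is dropped."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, (next_hop, ad, source) in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, source)
    return None if best is None else (str(best[0]), best[1], best[2])


def route(destination, candidates=CANDIDATES):
    return lookup(install_routes(candidates), destination)


if __name__ == "__main__":
    for dst in ("10.20.5.5", "10.9.9.9", "192.168.1.77", "8.8.8.8"):
        print(dst, "->", route(dst))
```

Removing the last candidate (the default route) makes the lookup for 8.8.8.8 return None, which is the "no route, packet dropped" case the default route exists to avoid.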

4.4 Enhanced Interior Gateway Routing Protocol (EIGRP)

4.4.1 The Diffusing Update Algorithm

The design philosophy behind DUAL is that even temporary routing loops are detrimental
to the performance of an internetwork. DUAL uses diffusing computations, first proposed
by E. W. Dijkstra and C. S. Scholten, to perform distributed shortest-path routing while
maintaining freedom from loops at every instant. Although many researchers have
contributed to the development of DUAL, the most prominent work is that of
J. J. Garcia-Luna-Aceves.

4.4.2 Sophisticated Metric

EIGRP uses a sophisticated metric that considers bandwidth, load, reliability, and delay.

That metric is:

The K-values are constants that are used to adjust the relative contribution of the various
parameters to the total metric. In other words, if you wanted delay to be much more
important than bandwidth, you might set K3 to a much larger number. You next
need to understand the variables:

By default, K1=K3=1 and K2=K4=K5=0. Therefore, given the default K-values, the
equation becomes
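The metric equation itself did not survive in this copy of the report, so the following Python program, an added example rather than code from the report, takes the standard Cisco EIGRP composite-metric formula as its working assumption: metric = 256 × [K1·BW + K2·BW/(256 − load) + K3·delay] × [K5/(reliability + K4)], where the last factor is skipped when K5 = 0, BW is 10^7 divided by the lowest bandwidth on the path in kbit/s, and delay is the sum of the interface delays in tens of microseconds. With the default K-values that reduces to 256 × (BW + delay). The two-hop path and the function names are constructed for the example; it shows what happens to the metric when K3 is raised to make delay count more.

```python
def eigrp_metric(min_bandwidth_kbps, total_delay_us, load=1, reliability=255,
                 k1=1, k2=0, k3=1, k4=0, k5=0):
    """Classic (32-bit) EIGRP composite metric. Assumption: the standard Cisco formula,
    since the page's own equation is missing.
      metric = 256 * [K1*BW + K2*BW/(256-load) + K3*delay] * [K5/(reliability+K4)]
    The last factor is omitted entirely when K5 == 0.
      BW    = 10^7 / (lowest bandwidth on the path, in kbit/s), integer division
      delay = sum of interface delays on the path, in tens of microseconds
    """
    bw = 10_000_000 // min_bandwidth_kbps
    delay = total_delay_us // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def path_metric(links, **k_values):
    """links: list of (bandwidth_kbps, delay_us), one per hop. Bandwidth is the path
    minimum (the bottleneck), delay is the path sum."""
    return eigrp_metric(min(bw for bw, _ in links),
                        sum(delay for _, delay in links), **k_values)


# Constructed two-hop path: a T1 serial link (1544 kbit/s, 20000 us delay) followed by a
# FastEthernet LAN (100000 kbit/s, 100 us delay).
T1_THEN_FE = [(1544, 20000), (100000, 100)]

if __name__ == "__main__":
    print(path_metric(T1_THEN_FE))           # default K-values
    print(path_metric(T1_THEN_FE, k3=2))     # delay weighted twice as heavily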

4.4.3 Configuring EIGRP on Cisco Routers

First select the AS number for the network.

To enable EIGRP on the router we use the following commands:

Router(config)# router eigrp <AS number>       (AS number range 1 – 65535)

Router(config-router)# network A.B.C.D <wildcard bits>

Router(config-router)# no auto-summary

The same network command both enables EIGRP on the matching interfaces and
advertises their networks.

By default EIGRP performs auto-summary; after adding no auto-summary it
starts sending updates with subnet-mask information in the packets.

4.5 Routing Information Protocol (RIP)

 Routing Information Protocol is a true distance-vector routing protocol.

 It sends the complete routing table out to all active interfaces every 30 seconds.

 RIP only uses hop count to determine the best way to a remote network, and it has a
maximum allowable hop count of 15 by default, meaning that a hop count of 16 is deemed
unreachable.
 RIP version 1 uses only classful routing, which means that all devices in the
network must use the same subnet mask.
 RIP version 2 provides something called prefix routing, and does send subnet
mask information with the route updates. This is called classless routing.

RIP Timers

RIP uses the following timers to regulate its performance.

Route update timer

The route update timer sets the interval (30 seconds) between periodic routing updates,
in which the router sends a complete copy of its routing table out to all neighbors.

Route invalid timer

The route invalid timer determines the length of time that must elapse (180 seconds)
before a router determines that a route has become invalid. It will come to this conclusion
if it hasn't heard any updates about a particular route for that period. When that happens,
the router will send out updates to all its neighbors letting them know that the route is
invalid.

Hold-down timer

This sets the amount of time during which routing information is suppressed.
Routers will enter the hold-down state when an update packet is received that
indicates the route is unreachable. This continues until an update packet is received
with a better metric or until the hold-down timer expires. The default is 180 seconds.

Route flush timer

The route flush timer sets the time between a route becoming invalid and its removal
from the routing table (240 seconds). Before it is removed from the table, the router notifies
its neighbors of that route's impending demise. The value of the route invalid timer must
be less than that of the route flush timer.
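The distance-vector behaviour described here, and the update exchange between routers A, B and C in section 4.3.1, can be followed in the small simulation below. It is an added example, not code from the report: the three-router chain, the prefixes and the class and function names are constructed for it. Each router advertises its whole table, a neighbour installs a route with the advertised hop count plus one, a count of 16 is never installed, and the age() step applies the invalid (180 s) and flush (240 s) timers from the text.

```python
INFINITY = 16                                   # a hop count of 16 means "unreachable"
UPDATE_S, INVALID_S, FLUSH_S = 30, 180, 240     # RIP default timers from the text


class RipRouter:
    """Minimal RIP-style distance-vector router: directly connected networks have hop
    count 0; routes learned from a neighbour get the advertised count plus one."""

    def __init__(self, name, connected):
        self.name = name
        # prefix -> {"hops", "next_hop", "learned_at"}; next_hop None = directly connected
        self.table = {p: {"hops": 0, "next_hop": None, "learned_at": 0.0} for p in connected}

    def advertise(self):
        """The full table that goes out every UPDATE_S seconds."""
        return {p: r["hops"] for p, r in self.table.items()}

    def receive_update(self, neighbor, update, now):
        for prefix, hops in update.items():
            new_hops = min(hops + 1, INFINITY)
            cur = self.table.get(prefix)
            if cur is None:
                if new_hops < INFINITY:              # never install an unreachable route
                    self.table[prefix] = {"hops": new_hops, "next_hop": neighbor, "learned_at": now}
            elif cur["next_hop"] == neighbor:
                # the neighbour we already use for this route: accept its figure, even if worse
                cur.update(hops=new_hops, learned_at=now)
            elif new_hops < cur["hops"]:
                self.table[prefix] = {"hops": new_hops, "next_hop": neighbor, "learned_at": now}

    def age(self, now):
        """Route invalid (180 s): the hop count becomes 16 and is advertised as such.
        Route flush (240 s): the entry is removed from the table."""
        for prefix, r in list(self.table.items()):
            if r["next_hop"] is None:
                continue                             # connected routes never age out
            elapsed = now - r["learned_at"]
            if elapsed >= FLUSH_S:
                del self.table[prefix]
            elif elapsed >= INVALID_S:
                r["hops"] = INFINITY

    def hops_to(self, prefix):
        r = self.table.get(prefix)
        return None if r is None else r["hops"]


def converge_chain():
    """Constructed topology A - B - C: 192.168.3.0 joins A and B, 192.168.6.0 joins B and C.
    Two update rounds at t=0 are enough for every router to learn every network."""
    a = RipRouter("A", ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"])
    b = RipRouter("B", ["192.168.3.0/24", "192.168.4.0/24", "192.168.6.0/24"])
    c = RipRouter("C", ["192.168.6.0/24", "192.168.7.0/24"])
    for _ in range(2):
        adv = {r.name: r.advertise() for r in (a, b, c)}
        b.receive_update("A", adv["A"], now=0)
        b.receive_update("C", adv["C"], now=0)
        a.receive_update("B", adv["B"], now=0)
        c.receive_update("B", adv["B"], now=0)
    return a, b, c


if __name__ == "__main__":
    a, b, c = converge_chain()
    print("A:", a.table)
    a.age(now=200)      # 192.168.7.0 is now invalid (hop count 16)
    a.age(now=250)      # and now flushed
    print("A after ageing:", a.table)
```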
4.5.1 Routing Information Protocol version 2

 Both RIPv1 and RIPv2 are distance-vector protocols, which means that each router
running RIP sends its complete routing table out all active interfaces at periodic time
intervals.
 The timers and loop-avoidance schemes are the same in both RIP versions.
 Both RIPv1 and RIPv2 are configured with classful addressing (but RIPv2 is
considered classless because subnet information is sent with each route update).
 Both have the same administrative distance (120).
 RIP is an open standard; you can use RIP with any brand of router.
 Algorithm – Bellman-Ford
 Multicast address 224.0.0.9

RIP Version 1                          RIP Version 2
Distance vector                        Distance vector
Maximum hop count of 15                Maximum hop count of 15
Classful                               Classless
No support for VLSM                    Supports VLSM networks
No support for discontiguous networks  Supports discontiguous networks

4.6 OSPF (Open Shortest Path First)

Open Shortest Path First (OSPF) is an open standards routing protocol that has been
implemented by a wide variety of network vendors, including Cisco. It works by using
the Dijkstra algorithm. First, a shortest path tree is constructed, and then the routing table
is populated with the resulting best paths. OSPF converges quickly, although perhaps not
as quickly as EIGRP, and it supports multiple, equal-cost routes to the same destination.
But unlike EIGRP, it only supports IP routing.

OSPF provides the following features:

 Consists of areas and autonomous systems
 Minimizes routing update traffic
 Allows scalability
 Supports VLSM/CIDR
 Has unlimited hop count
 Allows multi-vendor deployment (open standard)

Note:

OSPF is the first link-state routing protocol that most people are introduced to.

OSPF and RIP comparison

Characteristic          OSPF                  RIPv2                 RIPv1
Type of protocol        Link-state            Distance-vector       Distance-vector
Classless support       Yes                   Yes                   No
VLSM support            Yes                   Yes                   No
Auto summarization      No                    Yes                   Yes
Manual summarization    Yes                   No                    No
Discontiguous           Yes                   Yes                   No
Route propagation       Multicast on change   Periodic multicast    Periodic multicast
Path metric             Bandwidth             Hops                  Hops
Hop count limit         None                  15                    15
Convergence             Fast                  Slow                  Slow
Peer authentication     Yes                   Yes                   No
Hierarchical network    Yes (using areas)     Yes                   No
Upd
ates                 Event triggered       Route table updates   Route table updates
Route computation       Dijkstra              Bellman-Ford          Bellman-Ford

OSPF is supposed to be designed in a hierarchical fashion, which basically means
that you can separate the larger internetwork into smaller internetworks called areas. This
is the best design for OSPF.

The reasons for creating OSPF in a hierarchical design include:

 To decrease routing overhead
 To speed up convergence
 To confine network instability to single areas of the network

Each router in the network connects to the backbone, called area 0 or the backbone area.
OSPF must have an area 0, and all routers should connect to this area if at all possible.
Routers that connect other areas to the backbone within an AS are called Area Border
Routers (ABRs); at least one of their interfaces must be in area 0. OSPF runs inside an
autonomous system, but can also connect multiple autonomous systems together. The
router that connects these ASes together is called an Autonomous System Boundary
Router (ASBR).

OSPF Terminology

Link

A link is a network or router interface assigned to any given network. When an
interface is added to the OSPF process, it's considered by OSPF to be a link.

Router ID

The Router ID (RID) is an IP address used to identify the router. Cisco
chooses the Router ID by using the highest IP address of all configured loopback
interfaces. If no loopback interfaces are configured with addresses, OSPF will choose the
highest IP address of all active physical interfaces.

Neighbors

Neighbors are two or more routers that have an interface on a common network,
such as two routers connected on a point-to-point serial link.

Adjacency

An adjacency is a relationship between two OSPF routers that permits the direct
exchange of route updates. OSPF is really picky about sharing routing information—
unlike EIGRP, which directly shares routes with all of its neighbors. Instead, OSPF
directly shares routes only with neighbors that have also established adjacencies. And not
all neighbors will become adjacent—this depends upon both the type of network and the
configuration of the routers.

Hello protocol

The OSPF Hello protocol provides dynamic neighbor discovery and maintains
neighbor relationships. Hello packets and Link State Advertisements (LSAs) build and
maintain the topological database. Hello packets are addressed to 224.0.0.5.

Neighborship database

The neighborship database is a list of all OSPF routers for which Hello packets
have been seen. A variety of details, including the Router ID and state, are maintained on
each router in the neighborship database.

Topology database

The topology database contains information from all of the Link State
Advertisement packets that have been received for an area. The router uses the
information from the topology database as input into the Dijkstra algorithm that computes
the shortest path to every network. LSA packets are used to update and maintain the
topology database.
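The two mechanisms named in these definitions, the Router ID selection rule and the Dijkstra computation over the topology database, are shown in the following Python program. It is an added example, not code from the report or from any router: the four-router topology database, the link bandwidths and the function names are constructed for it, and it assumes Cisco's default OSPF reference bandwidth of 100 Mbit/s, so that an interface cost is 100000 divided by the bandwidth in kbit/s (with a floor of 1). The router-ID helper compares addresses octet by octet, which matters because a plain string comparison would rank 10.0.0.9 above 10.0.0.10.

```python
import heapq
import itertools

REFERENCE_BANDWIDTH_KBPS = 100_000   # assumption: Cisco's default 100 Mbit/s reference bandwidth


def ospf_cost(bandwidth_kbps):
    """Interface cost = reference bandwidth / interface bandwidth, never below 1."""
    return max(1, REFERENCE_BANDWIDTH_KBPS // bandwidth_kbps)


def router_id(loopback_ips, physical_ips):
    """Router ID selection as described above: the highest loopback address, otherwise the
    highest active physical interface address, compared numerically octet by octet."""
    pool = loopback_ips or physical_ips
    return max(pool, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def shortest_path_tree(lsdb, root):
    """Dijkstra over the topology database.
    lsdb: {router: [(neighbor, link_bandwidth_kbps), ...]}, each link listed from both ends.
    Returns {router: (total cost, first-hop router)} for every reachable router."""
    tie = itertools.count()                    # keeps heap entries comparable on equal cost
    best = {root: (0, None)}
    heap = [(0, next(tie), root, None)]
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                           # stale entry, a cheaper path was found later
        for neighbor, bandwidth in lsdb.get(node, []):
            new_cost = cost + ospf_cost(bandwidth)
            hop = neighbor if node == root else first_hop
            if neighbor not in best or new_cost < best[neighbor][0]:
                best[neighbor] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, next(tie), neighbor, hop))
    return best


# Constructed topology database: A-B FastEthernet, B-C T1 serial, A-C 10 Mbit/s Ethernet,
# C-D FastEthernet. Each link appears under both of its end routers.
LSDB = {
    "A": [("B", 100_000), ("C", 10_000)],
    "B": [("A", 100_000), ("C", 1_544)],
    "C": [("B", 1_544), ("A", 10_000), ("D", 100_000)],
    "D": [("C", 100_000)],
}

if __name__ == "__main__":
    print("RID:", router_id(["10.1.1.1", "10.255.1.1"], ["192.168.1.1"]))
    for dest, (cost, hop) in sorted(shortest_path_tree(LSDB, "A").items()):
        print(f"A -> {dest}: cost {cost} via {hop}")
```

From A the direct 10 Mbit/s link to C (cost 10) beats the FastEthernet-plus-T1 path through B (cost 1 + 64), so the routing table entries for C and D both point at C as the next hop.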

Link State Advertisement

A Link State Advertisement (LSA) is an OSPF data packet containing link-state
and routing information that's shared among OSPF routers. There are different types of
LSA packets. An OSPF router will exchange LSA packets only with routers to which it
has established adjacencies.

Designated router

A designated router (DR) is elected whenever OSPF routers are connected to the
same multi-access network. A prime example is an Ethernet LAN.

Backup designated router

A backup designated router (BDR) is a hot standby for the DR on multi-access
links. The BDR receives all routing updates from OSPF adjacent routers, but doesn't flood
LSA updates.

OSPF areas

An OSPF area is a grouping of contiguous networks and routers. All routers in
the same area share a common Area ID.

Broadcast (multi-access)

Broadcast (multi-access) networks such as Ethernet allow multiple devices to
connect to (or access) the same network, as well as provide a broadcast ability in which a
single packet is delivered to all nodes on the network. In OSPF, a DR and a BDR must be
elected for each broadcast multi-access network.

Non-broadcast multi-access

Non-Broadcast Multi-Access (NBMA) networks are types such as Frame Relay,
X.25, and Asynchronous Transfer Mode (ATM). These networks allow for multi-access,
but have no broadcast ability like Ethernet. So, NBMA networks require special OSPF
configuration to function properly, and neighbor relationships must be defined.

Point-to-point

Point-to-point refers to a type of network topology consisting of a direct
connection between two routers that provides a single communication path. The
point-to-point connection can be physical, as in a serial cable directly connecting two
routers, or it can be logical.

Point-to-multipoint

Point-to-multipoint refers to a type of network topology consisting of a series of
connections between a single interface on one router and multiple destination routers.

4.7 BGP (Border Gateway Protocol)

BGP is basically used at the Internet level, so it is called the Internet routing protocol. BGP
is a unicast routing protocol, and in BGP the unicast communication depends on the
administrator: it performs its function much like static routing. The difference is that in
BGP the routing table is built by BGP, but the path is manually defined by the administrator.

REQUIREMENTS

Autonomous system number

BGP is also configured with an AS number, but in BGP the AS number is different on each
router.

Neighbor ID

In BGP we define the neighbor IP address for communication.

Neighbor AS

BGP depends on the neighbor's AS number for communication.

TYPES OF BGP

 IBGP
 EBGP

IBGP

Interior Border Gateway Protocol is basically used to perform communication
between two AS.

EBGP

Exterior Border Gateway Protocol is basically used to perform communication
between a group of AS and another group of AS.

COMMANDS

Router(config)# router bgp <AS no.>

Router(config-router)# network x.x.x.x

Router(config-router)# neighbor <IP> remote-as <neighbor AS>

Router(config-router)# redistribute connected

4.8 Ping
Ping is a computer network administration utility used to test whether a particular host is
reachable across an Internet Protocol (IP) network and to measure the round-trip time for
packets sent from the local host to a destination computer. Ping operates by sending
Internet Control Message Protocol (ICMP) echo request packets to the target host and
waiting for an ICMP echo reply.

The command can be used in the given format on any device, whether a Microsoft OS host
or a Cisco router:
C:\>ping <address> (IP address or www.xyz.com)
C:\>ping 127.0.0.254
Pinging 127.0.0.254 with 32 bytes of data:
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128
Reply from 127.0.0.254: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.254:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
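What the ping output above corresponds to on the wire is shown by the following Python program, an added example that is not code from the report or from any ping implementation. It builds an ICMP echo request with the 8-byte header (type, code, checksum, identifier, sequence) and the 32-byte data that the "32 bytes of data" line refers to, computes the RFC 1071 Internet checksum, shows what the target host answers, and verifies a received packet by summing it including its checksum field. Nothing is sent; the packets are constructed in memory, and the payload bytes, identifier and function names are assumptions made for the example.

```python
import struct

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
# Constructed 32-byte payload, matching the "32 bytes of data" in the output above.
PAYLOAD_32 = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=PAYLOAD_32):
    """ICMP header: type(1) code(1) checksum(2) identifier(2) sequence(2), then data.
    The checksum is computed over the packet with the checksum field set to zero."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet):
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Summing the whole packet, checksum field included, gives 0 only if it is intact.
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": inet_checksum(packet) == 0}


def echo_reply_for(request):
    """What the target host does: answer a valid echo request with an echo reply carrying
    the same identifier, sequence number and payload. Anything else gets no reply."""
    req = parse_echo(request)
    if not req["checksum_ok"] or req["type"] != ICMP_ECHO_REQUEST:
        return None
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def ping_statistics(rtts_ms):
    """Summarise one run; None stands for a request that received no reply."""
    got = [r for r in rtts_ms if r is not None]
    sent, received = len(rtts_ms), len(got)
    return {"sent": sent, "received": received, "lost": sent - received,
            "loss_pct": round(100 * (sent - received) / sent) if sent else 0,
            "min": min(got) if got else None, "max": max(got) if got else None,
            "avg": sum(got) / received if got else None}


if __name__ == "__main__":
    request = build_echo(ICMP_ECHO_REQUEST, ident=1, seq=1)
    print(request.hex())
    print(parse_echo(echo_reply_for(request)))
    print(ping_statistics([1, 2, None, 3]))
```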
4.9 Loopbacks: A loopback device is a virtual network interface implemented in
software only and not connected to any hardware, but which is fully integrated into the
router's internal network infrastructure. Any traffic that the router sends to the loopback
interface is immediately received on the same interface.

Any address can be given to a loopback, and it behaves as a real interface to all other
devices: traffic sent to the loopback is equivalent to traffic sent to a real
interface or host, and a proper reply is sent to the sender. As in a testing environment we
cannot create large real networks, loopbacks are the only tool that helps in
creating a large virtual network.

Router(config)#interface loopback ?

<0-2147483647> Loopback interface number

Router(config)#interface loopback 1

Router(config-if)#

*Mar 1 00:01:32.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up

Router(config-if)#ip address 1.0.0.1 255.255.255.0

Router(config-if)#no shut

Router# show ip interface brief

Interface    IP-Address   OK? Method Status  Protocol
Loopback0    unassigned   YES unset  up      up
Loopback1    1.0.0.1      YES manual up      up

4.10 TELNET
TELNET (TELe-NETwork) is a network protocol used on the Internet or local area
networks to provide a bidirectional interactive text-oriented communications facility via a
virtual terminal connection. User data is interspersed in-band with TELNET control
information in an 8-bit byte-oriented data connection over the Transmission Control
Protocol (TCP).
Telnet is used to obtain the privilege to configure the router from a remote location, or from
any host on the network, without having a console directly connected to the system.

4.11 REDISTRIBUTION
It is the mechanism that allows different routing domains to be connected, so that different
routing protocols can exchange and advertise routing updates as if they were a single
protocol. The redistribution is performed on the router that lies at the boundary between
the different domains or runs multiple protocols.

CHAPTER 5. SECURITY

5.1 Access Lists

Access lists are probably misnamed these days. As the name implies, the original
intention of an access list was to permit or deny access of packets into, out of, or through
a router. Access lists have become powerful tools for controlling the behavior of packets
and frames. Their use falls into three categories:
 Security filters protect the integrity of the router and the networks to which it is
passing traffic. Typically, a security filter permits the passage of a few, well-understood
packets and denies the passage of everything else.
 Traffic filters prevent unnecessary packets from passing onto limited-bandwidth
links. These filters look and behave much like security filters, but the logic is
generally inverse: traffic filters deny the passage of a few unwanted packets and
permit everything else.
 Many tools available on Cisco routers, such as dialer lists, route filters, route
maps, and queuing lists, must be able to identify certain packets to function
properly. Access lists may be linked to these and other tools to provide this packet
identification function.

Fig 5.1—Packet Identification

5.1.1 Access List Basics

An access list is a sequential series of filters. Each filter comprises some sort of matching
criteria and an action. The action is always either permit or deny.

Fig 5.2—Packet permission

In the figure, a permit means that the packet will be allowed to exit on interface E0; a deny
means that the packet will be dropped. The first filter specifies match criteria of HOST A,
so the packet will not match and will drop to the second filter. The second filter specifies
SUBNET 3—again, no match. The packet drops to the third filter, which specifies
NETWORK 5. This matches; the action at the third filter is permit, so the packet is allowed
to exit interface E0.

Implicit Deny Any

What happens if a packet drops through all the filters and a match never occurs? The
router has to know what to do with a packet in this situation; that is, there must be a
default action. The default action could be either to permit all packets that don't match or
to deny them. Cisco chose to deny them: any packet that is referred to an access list and
does not find a match is automatically dropped. This last filter is called an implicit deny
any (Figure 2). All access lists end with an implicit deny any, which discards all
packets that do not match a line in the list.

Applying an ACL on the Interface

To apply an ACL on an interface:
 Router(config)# interface <interface>
 Router(config-if)# ip access-group <acl-number> {in|out}
To see the access lists on the router:
 Router# show ip access-lists
 Router# show ip access-list <access-list number>

5.1.2 Access Control List Types
 Standard IP
 Extended IP
 Named access-list
 Time-based list
 Reflexive list
5.2 Standard Access Control Lists: Standard IP ACLs range from 1 to 99. A
standard access list allows you to permit or deny traffic FROM specific IP addresses.

5.2.1 Standard Access-list Format
The format of a standard access list line is:
 Router(config)#access-list <access-list-number> {deny|permit} source [source-wildcard]
 Router(config)#access-list <access-list-number> {deny|permit} A.B.C.D {wildcard mask}
To override the implicit deny at the end of the list, add a final permit-all statement:
 Router(config)#access-list <access-list-number> permit 0.0.0.0 255.255.255.255
To select a particular host or IP:
 Router(config)#access-list <access-list-number> {permit|deny} host A.B.C.D
This command specifies the access list number, which for standard lists is between 1 and 99;
the action (permit or deny); a source IP address; and the wildcard (or inverse) mask. An
example of a standard IP access list is:
router(config)# access-list 1 permit 172.22.30.6 0.0.0.0
router(config)# access-list 1 permit 172.22.30.95 0.0.0.0
router(config)# access-list 1 deny 172.22.30.0 0.0.0.255
router(config)# access-list 1 permit 172.22.0.0 0.0.31.255
router(config)# access-list 1 deny 172.22.0.0 0.0.255.255
router(config)# access-list 1 permit 0.0.0.0 255.255.255.255

5.2.2 Extended IP Access Lists

An extended access control list is more selective: it can match on the source address, the
destination address, the type of service, and the source and destination port numbers.
Extended IP access lists provide far more flexibility in the specification of what is to be
filtered. The basic format of the extended IP access list line is:
 Router(config)# access-list <access-list-number> {deny|permit} protocol source
source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

Some of the features here are familiar, and some are new.
access-list-number, for extended IP access lists, is between 100 and 199.
protocol is a new variable that looks for a match in the protocol field of the IP packet
header. The keyword choices are eigrp, gre, icmp, igmp, igrp, ip, nos, ospf, dns, tcp, or
udp. An integer in the range 0 to 255 representing an IP protocol number may also be
used. ip is a generic keyword, which will match any and all IP protocols, in the same way
that the inverse mask 255.255.255.255 will match all addresses.
Router(config)#access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255
Router(config)#access-list 101 permit tcp 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255
Router(config)#access-list 101 permit udp 10.0.0.0 0.0.0.255 host 4.2.2.2 eq 57
Router(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Router# show access-lists 101

Extended IP access list 101
10 permit ip host 172.22.30.6 10.0.0.0 0.255.255.255
20 permit tcp host 172.22.30.95 10.11.12.0 0.0.0.255
60 permit udp 10.0.0.0 0.0.0.255 host 4.2.2.2 eq 57
70 permit ip any any

Line 1:
IP packets with a source address of 172.22.30.6 and with a destination address that
belongs to network 10.0.0.0 are permitted.

Line 2:
IP packets with a source address of 172.22.30.95 and with a destination address that
belongs to subnet 10.11.12.0/24 are permitted.

Line 6:
UDP packets from network 10.0.0.0/24 to the host 4.2.2.2 with destination port 57
will be denied.

Line 7:
IP packets from any source to any destination are permitted.
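The evaluation rules of sections 5.1.1, 5.2.1 and 5.2.2 (wildcard masks, first match wins, implicit deny any, and the extended list's protocol and port checks) are implemented in the following Python program. It is an added example, not code from the report or from Cisco IOS: it parses the numbered-list syntax used above, carries the two lists from this chapter as its sample input, and reports, for a constructed packet, which line decided and with what action. For the UDP packet to 4.2.2.2 port 57 it reports the action of the first matching line, which is line 60's permit. Function names and the packet descriptions are assumptions made for the example.

```python
import ipaddress

# The two lists from this chapter, exactly as entered at the router(config)# prompt.
STANDARD_ACL_1 = [
    "access-list 1 permit 172.22.30.6 0.0.0.0",
    "access-list 1 permit 172.22.30.95 0.0.0.0",
    "access-list 1 deny 172.22.30.0 0.0.0.255",
    "access-list 1 permit 172.22.0.0 0.0.31.255",
    "access-list 1 deny 172.22.0.0 0.0.255.255",
    "access-list 1 permit 0.0.0.0 255.255.255.255",
]
EXTENDED_ACL_101 = [
    "access-list 101 permit ip 172.22.30.6 0.0.0.0 10.0.0.0 0.255.255.255",
    "access-list 101 permit tcp 172.22.30.95 0.0.0.0 10.11.12.0 0.0.0.255",
    "access-list 101 permit udp 10.0.0.0 0.0.0.255 host 4.2.2.2 eq 57",
    "access-list 101 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]


def wildcard_match(address, base, wildcard):
    """A wildcard bit of 1 means 'do not care'. 0.0.0.0 therefore matches exactly one
    host and 255.255.255.255 matches every address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _address_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i];
    returns ((base, wildcard), index of the next unread token)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1          # bare address: wildcard defaults to 0.0.0.0


def parse_ace(line):
    """One access-list entry. Standard (1-99): source only. Extended (100-199):
    protocol, source, destination and an optional 'eq <port>' on the destination."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action = int(t[1]), t[2]
    ace = {"number": number, "action": action, "protocol": "ip", "dst": None, "port": None}
    if number <= 99:
        ace["src"], _ = _address_spec(t, 3)
    else:
        ace["protocol"] = t[3]
        ace["src"], i = _address_spec(t, 4)
        ace["dst"], i = _address_spec(t, i)
        if i + 1 < len(t) and t[i] == "eq":
            ace["port"] = int(t[i + 1])
    return ace


def ace_matches(ace, pkt):
    if ace["protocol"] != "ip" and ace["protocol"] != pkt["protocol"]:
        return False                                  # 'ip' matches every IP protocol
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if ace["dst"] and not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    if ace["port"] is not None and pkt.get("dport") != ace["port"]:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Walk the list top to bottom; the first matching line decides. Falling off the end
    is the implicit 'deny any'. Returns (action, 1-based line number or None)."""
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None


def check(acl_lines, src, dst="0.0.0.0", protocol="ip", dport=None):
    """Convenience wrapper: describe a packet by its fields and evaluate it."""
    return evaluate(acl_lines, {"src": src, "dst": dst, "protocol": protocol, "dport": dport})


if __name__ == "__main__":
    for src in ("172.22.30.6", "172.22.30.7", "172.22.5.1", "172.22.40.1", "10.0.0.1"):
        print("list 1:", src, "->", check(STANDARD_ACL_1, src))
    print("list 101:", check(EXTENDED_ACL_101, "10.0.0.5", "4.2.2.2", "udp", 57))
```

Dropping the last line of either list and evaluating a packet that matched only that line returns ("deny", None): the implicit deny any at work.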
5.2.3 Named Access-list

Named access control lists are more flexible than numbered lists: numbers have to be
remembered, but with a named access-list one can tell the purpose of the list by seeing its
name. A named list is also easy to edit after it is created, because each statement is
numbered with a default gap of 10 between consecutive statements, which leaves room to
insert up to 9 more statements between any two existing ones.
To form a standard named access-list:
Router(config)#ip access-list standard <name>
and then enter the permit or deny statements. For an extended named list:
Router(config)#ip access-list extended <name>
router(config)#ip access-list extended test
router(config-ext-nacl)#permit ip host 2.2.2.2 host 3.3.3.3
router(config-ext-nacl)#permit tcp host 1.1.1.1 host 5.5.5.5 eq www
router(config-ext-nacl)#permit icmp any any
router(config-ext-nacl)#permit udp host 6.6.6.6 10.10.10.0 0.0.0.255 eq domain

To edit any kind of access-list:

Router(config)#ip access-list {standard | extended} <list number / name>
Router(config-{std|ext}-nacl)# <Y> {permit|deny} <statement>
where Y is the sequence number at which the statement is to be inserted or replaced.

5.3 PORT SECURITY

Port security limits the number of MAC addresses allowed per port and can also limit
which MAC addresses are allowed. The allowed MAC addresses can be configured manually,
or the switch can "sticky" learn them, so that the MAC address of a device is bound to a
specific port.

Command                                   Description

switchport port-security                  Enables port security on that interface.

switchport port-security maximum value    Specifies the maximum number of MAC addresses
                                          allowed on this port. Default is 1.

switchport port-security violation        Configures the action to be taken when the maximum
{shutdown | restrict | protect}           number is reached and a MAC address not associated
                                          with the port attempts to use the port, or when a
                                          station whose MAC address is associated with a
                                          different port attempts to access this port. Default
                                          is shutdown.

switchport port-security                  Statically associates a specific MAC address with a
mac-address mac-address                   port.

switchport port-security                  Enables the switch port to dynamically learn secure
mac-address sticky                        MAC addresses. MAC addresses learned through that
                                          port, up to the maximum number, if a maximum is
                                          configured, are treated as secure MAC addresses.

show port-security [interface ...]        Verifies port security actions.
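How those commands behave on the port is illustrated by the following Python model, an added example rather than code from the report or from a switch. It applies the maximum, the three violation modes (shutdown puts the port into err-disabled, restrict drops and counts, protect drops silently) and the difference between dynamically learned and sticky addresses, which only the latter write into the running configuration and therefore survive a reload. The port names, MAC addresses and the class name are constructed for the example.

```python
class SecurePort:
    """Switch access port with port security: models the three violation modes and the
    difference between static, sticky-learned and dynamically learned secure addresses."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.static = set(static)            # switchport port-security mac-address <mac>
        self.sticky_learned = set()          # learned and written to the running config
        self.dynamic = set()                 # learned, but lost at reload
        self.err_disabled = False
        self.violation_count = 0

    def secure_addresses(self):
        return self.static | self.sticky_learned | self.dynamic

    def frame_in(self, src_mac):
        """Returns 'forward' or 'drop' for a frame arriving with the given source MAC."""
        if self.err_disabled:
            return "drop"                                # port stays down until re-enabled
        if src_mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:  # room left: learn it as secure
            (self.sticky_learned if self.sticky else self.dynamic).add(src_mac)
            return "forward"
        # Maximum reached and an unknown source address: a security violation.
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True                     # err-disabled: all traffic stops
        elif self.violation == "restrict":
            self.violation_count += 1                    # dropped, counted and logged
        # "protect": dropped silently, no counter, no log
        return "drop"

    def running_config(self):
        """The interface lines an operator would see: sticky addresses persist here,
        dynamically learned ones do not."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.sticky_learned)]
        return lines


if __name__ == "__main__":
    port = SecurePort("FastEthernet0/1", sticky=True)          # constructed port
    print(port.frame_in("aaaa.bbbb.0001"), port.frame_in("aaaa.bbbb.0002"), port.err_disabled)
    print("\n".join(port.running_config()))
```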

5.4 NAT (Network Address Translation)

NAT is a router service which is used to translate the original IP address into another IP
address from a different address space. NAT is a useful service for hiding internal IP
addresses from attackers. NAT comes in three types:
 Static
 Dynamic
 PAT
In static NAT each private user has a unique public IP for transmission; the static NAT
table is manually defined by the administrator and it is fixed.
In dynamic NAT we use a pool of public IPs to translate a number of private IPs; the
dynamic NAT table is built automatically.
In PAT (Port Address Translation) we use a single public IP to translate a number of
private IPs.
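The static and PAT variants just described are modelled in the following Python program, an added example that is not code from the report or from a router. Static NAT is a fixed one-to-one map in both directions; PAT gives every inside session the single public address and a unique translated source port, and on the way back only a packet whose destination port matches an existing translation is rewritten and forwarded, anything else has no entry and is dropped. The addresses, ports and class names are constructed for the example.

```python
class StaticNat:
    """One-to-one, administrator-defined translations: inside private IP <-> public IP."""

    def __init__(self, mapping):
        self.inside_to_public = dict(mapping)
        self.public_to_inside = {pub: ins for ins, pub in mapping.items()}

    def outbound(self, pkt):
        pub = self.inside_to_public.get(pkt["src"])
        return None if pub is None else dict(pkt, src=pub)

    def inbound(self, pkt):
        ins = self.public_to_inside.get(pkt["dst"])
        return None if ins is None else dict(pkt, dst=ins)


class Pat:
    """Port Address Translation: every inside host shares one public address; the router
    tells sessions apart by rewriting the source port to a unique translated port."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.forward = {}     # (inside ip, inside port, proto) -> translated port
        self.reverse = {}     # (translated port, proto) -> (inside ip, inside port)

    def outbound(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.forward:                      # new session: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.forward[key] = port
            self.reverse[(port, pkt["proto"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.forward[key])

    def inbound(self, pkt):
        """Only traffic matching an existing translation reaches an inside host; anything
        else has no entry and is dropped, which keeps inside addresses unreachable."""
        entry = self.reverse.get((pkt["dport"], pkt["proto"]))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return dict(pkt, dst=inside_ip, dport=inside_port)

    def translation_table(self):
        """Rows in the style of 'show ip nat translations': (proto, inside local, inside global)."""
        return sorted((proto, f"{ip}:{port}", f"{self.public_ip}:{tp}")
                      for (ip, port, proto), tp in self.forward.items())


if __name__ == "__main__":
    pat = Pat("203.0.113.5")                                  # constructed public address
    for host in ("192.168.1.10", "192.168.1.11"):
        print(pat.outbound({"src": host, "sport": 5000, "dst": "198.51.100.7",
                            "dport": 80, "proto": "tcp"}))
    print(pat.translation_table())
```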
5.5 FIREWALL
A firewall is a security device or service which is used to secure the network by filtering
network traffic. A firewall stops unauthorised access to computers: it blocks devices and
does not allow others to access the system. Firewalls come in both hardware and software
form. High security may require the hardware version of a firewall. Operating systems
such as Windows include a firewall service.

CHAPTER 6. IPv6
6.1 IP Version 6
Internet Protocol version 6 (IPv6) is an Internet Protocol version which is
designed to succeed IPv4, the first implementation, which is still in dominant use
currently. It is an Internet Layer protocol for packet-switched internetworks. The main
driving force for the redesign of the Internet Protocol is the foreseeable IPv4 address
exhaustion. IPv6 was defined in December 1998 by the Internet Engineering Task Force
(IETF) with the publication of an Internet standard specification, RFC 2460.
IPv6 has a vastly larger address space than IPv4. This results from the use of a 128-bit
address, whereas IPv4 uses only 32 bits. The new address space thus supports 2^128 (about
3.4×10^38) addresses. This expansion provides flexibility in allocating addresses and
routing traffic and eliminates the primary need for Network Address Translation (NAT),
which gained widespread deployment as an effort to alleviate IPv4 address exhaustion.

IPv6 also implements new features that simplify aspects of address assignment (stateless
address auto-configuration) and network renumbering (prefix and router announcements)
when changing Internet connectivity providers. The IPv6 subnet size has been
standardized by fixing the size of the host identifier portion of an address to 64 bits to
facilitate an automatic mechanism for forming the host identifier from Link Layer media
addressing information (MAC address).
Network security is integrated into the design of the IPv6 architecture. Internet
Protocol Security (IPsec) was originally developed for IPv6, but found widespread
optional deployment first in IPv4 (into which it was back-engineered). The IPv6
specifications mandate IPsec implementation as a fundamental interoperability
requirement.

Motivation and origins

The first publicly used version of the Internet Protocol, Version 4 (IPv4), provides
an addressing capability of about 4 billion addresses (2^32). This was deemed
sufficient in the early design stages of the Internet when the explosive growth and
worldwide proliferation of networks was not anticipated.

6.2 Packet contents

Version - Indicates the version of the Internet Protocol.

Basic conversions from hexadecimal to binary and binary to hexadecimal

One hexadecimal character is represented by 4 bits of binary:

1 hex character = 4 binary digits

Hexadecimal  0     1     2     3     4     5     6     7
Binary       0000  0001  0010  0011  0100  0101  0110  0111
Hexadecimal  8     9     A     B     C     D     E     F
Binary       1000  1001  1010  1011  1100  1101  1110  1111

IP Version 6 address format

An IPv6 address is written as 8 groups of 16 bits, 4 hex characters in each group,
separated by colons.

XXXX : XXXX : XXXX : XXXX : XXXX : XXXX : XXXX : XXXX

Example IPv6 address
In binary form
1100111111001101 : 1101001100010010 : 1110000000010011 : 1000000000000011 :
1100101011011110 : 0000000000110111 : 0000111100110101 : 1010101010101010

In hexadecimal
CFCD : D312 : E013 : 8003 : CADE : 0037 : 0F35 : AAAA

6.3 IPv6 Compression techniques

Zero compression: this method allows a single string of contiguous zero groups in an IPv6
address to be replaced by a double colon.
Caution: the double colon can be used only once in an address.
So, for example, the address below could be expressed in two ways:
FE80:0000:0000:0000:00A1:0000:0000:0010
FE80::00A1:0000:0000:0010
OR
FE80:0000:0000:0000:00A1::0010
We know how many zeroes are replaced by the “::” because we can see how many
fully-expressed (“uncompressed”) hex words are in the address. In this case there are six,
so the “::” represents two zero words. To prevent ambiguity, the double colon can appear
only once in any IP address, because if it appeared more than once we could not tell how
many zeroes were replaced in each instance.
Leading zero compression
Leading zeroes can be suppressed in the notation.
FE80::00A1:0000:0000:0010
FE80::A1:0:0:10
OR
FE80:0:0:0:A1::10
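The notation rules of sections 6.2 and 6.3 are implemented in the following Python program, an added example that is not code from the report. expand() restores the eight four-digit groups from either compressed spelling and rejects an address with two "::" for exactly the ambiguity reason given above; compress() applies leading-zero suppression and zero compression, placing the "::" on the longest run of zero groups (the first one on a tie, as RFC 5952 recommends), which turns the "two ways" above into one canonical spelling; binary_to_hex() performs the 16-bit-group conversion of the worked example. Python's own ipaddress module is used only as a cross-check of the result. Function names are assumptions made for the example.

```python
import ipaddress


def expand(addr):
    """Undo both compressions: every group back to four hex digits and a single '::'
    replaced by the zero groups it stands for. A second '::' is rejected as ambiguous."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: " + addr)
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("IPv6 address needs 8 groups of 1-4 hex digits: " + addr)
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress(addr):
    """Leading-zero suppression plus zero compression. The '::' goes on the longest run
    of two or more zero groups, the first such run on a tie (RFC 5952 rule)."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 1
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:                 # strictly longer: first run wins a tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexg = [f"{g:x}" for g in groups]            # leading zeros dropped, "0000" -> "0"
    if best_start < 0:
        return ":".join(hexg)                    # no run of two zero groups: no '::'
    left = ":".join(hexg[:best_start])
    right = ":".join(hexg[best_start + best_len:])
    return f"{left}::{right}"


def binary_to_hex(bits):
    """Eight 16-bit binary groups (spaces and colons allowed, as written above) to hex."""
    raw = bits.replace(" ", "").replace(":", "")
    if len(raw) != 128 or set(raw) - {"0", "1"}:
        raise ValueError("expected 128 binary digits")
    return ":".join(f"{int(raw[k:k + 16], 2):04x}" for k in range(0, 128, 16))


def canonical(addr):
    """Python's own spelling of the address, used to cross-check compress()."""
    return ipaddress.IPv6Address(addr).compressed


# The binary example from section 6.2, as written there (constructed input string).
BINARY_EXAMPLE = ("1100111111001101 : 1101001100010010 : 1110000000010011 : 1000000000000011 : "
                  "1100101011011110 : 0000000000110111 : 0000111100110101 : 1010101010101010")

if __name__ == "__main__":
    print(binary_to_hex(BINARY_EXAMPLE))
    print(expand("FE80::00A1:0000:0000:0010"))
    print(compress("FE80:0000:0000:0000:00A1:0000:0000:0010"))
```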

CHAPTER 7. FRAME RELAY


7.1 Frame-Relay
Frame Relay is a high-performance WAN protocol that operates at the physical and data
link layers of the OSI reference model. Frame Relay originally was designed for use
across Integrated Services Digital Network (ISDN) interfaces. Today, it is used over a
variety of other network interfaces as well. This chapter focuses on Frame Relay’s
specifications and applications in the context of WAN services.
Frame Relay is an example of a packet-switched technology. Packet-switched
networks enable end stations to dynamically share the network medium and the available
bandwidth.
7.2 Frame Relay Devices
Devices attached to a Frame Relay WAN fall into the following two general categories:
• Data terminal equipment (DTE)
• Data circuit-terminating equipment (DCE)

DTEs generally are considered to be terminating equipment for a specific network and
typically are located on the premises of a customer. In fact, they may be owned by the
customer. Examples of DTE devices are terminals, personal computers, routers, and
bridges.
DCEs are carrier-owned internetworking devices that provide clocking and switching
services in the network; they are the devices that actually transmit data through the WAN.
In most cases, these are packet switches. Fig 7.1 shows the relationship between the two
categories of devices.

Fig 7.1 Frame Relay Connectivity


7.3 Data-Link Connection Identifier (DLCI)
Frame Relay virtual circuits are identified by data-link connection identifiers (DLCIs).
DLCI values typically are assigned by the Frame Relay service provider (for example, the
telephone company). Frame Relay DLCIs have local significance, which means that
their values are unique only on the local access link, but not necessarily across the whole
Frame Relay WAN.
Example:

Fig 7.2 Assigning DLCI values

Types of LMI (Local Management Interface)
• Cisco (Cisco proprietary)
• ANSI (industry standard)
• Q933a (industry standard)

CHAPTER 8. SWITCHING
8.1 MAC Address
The MAC address is the Layer 2 address of a frame in the OSI model. It is a 48-bit address,
written as 12 hexadecimal characters, used to communicate through switches and bridges.
It is physically burned into the Ethernet interface, and every system's MAC address is unique.
It consists of two parts:
The first 24 bits (first 6 hexadecimal characters) represent the organizationally unique
identifier (OUI), controlled and assigned by the Internet Corporation for Assigned Names
and Numbers. The remaining 24 bits (last 6 hexadecimal characters) are assigned by the
vendor and are called the vendor-specific part.

When all 48 bits of the MAC address are 1s (FFFF.FFFF.FFFF), this is the broadcast MAC
address. If a frame with the broadcast destination MAC address is sent to a switch, the
switch forwards it to all hosts in the network, and a host that receives a frame whose
destination MAC address is the broadcast address processes it and passes it up to Layer 3,
whether or not the packet is destined for it.
4 bits = 1 hexadecimal character
48 bits = 12 hexadecimal characters
0000 = 0, 0001 = 1, 0010 = 2, 0011 = 3, 0100 = 4, 0101 = 5, 0110 = 6, 0111 = 7,
1000 = 8, 1001 = 9, 1010 = A, 1011 = B, 1100 = C, 1101 = D, 1110 = E, 1111 = F
A MAC address is written in two forms:
AA:AA:AA:AA:AA:AA (Microsoft notation)
AAAA.AAAA.AAAA (Cisco notation)
Representation of the above MAC address in binary:
101010101010101010101010101010101010101010101010
Second example:
ABC1.BCA2.3321
101010111100000110111100101000100100010000110001

8.2 LAN Segmentation

In a collision domain, a frame sent by a device can collide with a frame sent by another
device in the same collision domain. Moreover, a device can hear the frames destined for
any device in the same collision domain.

In a broadcast domain, a broadcast frame sent by a device can be received by all other
devices in the same broadcast domain. A LAN segment, or Ethernet network segment,
consists of the devices connected by a coaxial cable or a hub. These devices are in the same
collision domain.

Ethernet congestion problem

The Ethernet congestion problem occurs when too many devices are connected to the same
Ethernet network segment, so that high network bandwidth utilization increases the
probability of collisions, which degrades network performance.

LAN segmentation solves the congestion problem by breaking the network into separate
segments or collision domains using bridges, switches or routers (but not hubs or
repeaters). LAN segmentation can reduce the number of collisions in the network and
increase the total bandwidth of the network (e.g. 10 Mbps for one segment, 20 Mbps for
two segments, 30 Mbps for three segments, and so on).

80/20 rule

The 80/20 rule should be used when designing how to segment a network, i.e.
80% or more data traffic should be on the local network segment while 20% or less data
traffic should cross network segments.

8.3 Layer 2 Switching

• Layer 2 switching is hardware based, which means it uses the MAC address from the
host's NIC to filter the network traffic.
• A Layer 2 switch can be considered a multi-port bridge.
• Layer 2 switches are fast because they do not look at the network layer header
information; instead they look at the frame's hardware address before deciding either to
forward the frame or to drop it.

Layer 2 switching provides the following:
• Hardware-based bridging
• Wire speed
• Low latency
• Low cost

Limitations of Layer 2 Switching

With a bridge, the connected networks are still one large broadcast domain.

A Layer 2 switch cannot break up the broadcast domain; this causes performance issues
that limit the size of your network. For this reason alone, switches cannot completely
replace routers in the internetwork.

Bridging vs. LAN Switching

Layer 2 switches are just bridges with more ports; however, there are some important
differences.

Bridges are software based, while switches are hardware based because they use ASIC
(Application Specific Integrated Circuit) chips that help make filtering decisions.

8.4 LAN Switching

A Layer 2 switch (or bridge) performs three functions:
1. Address learning – learning the MAC addresses of the connected devices to build
the bridge table.
2. Forward and filter decision – forwarding and filtering frames based on the bridge
table entries and the bridge logic.
3. Loop avoidance – avoiding network loops by using the Spanning Tree Protocol (STP).

A bridge or switch maintains a forwarding table (also known as a bridge table or MAC
address table) which maps destination physical addresses to the interfaces or ports through
which frames for those addresses are forwarded.

A bridge or switch builds a bridge table by learning the MAC addresses of the connected
devices. When a bridge is first powered on, the bridge table is empty. The bridge listens
to the incoming frames and examines the source MAC addresses of the frames. For
example, if there is an incoming frame with a particular source MAC address received
from a particular interface, and the bridge does not have an entry in its table for the MAC
address, an entry will be created to associate the MAC address with the interface.

The default aging time for an entry in a bridge table is 300 seconds (5 minutes). It means
that an entry will be removed from the bridge table if the bridge has not heard any
message from the concerned host for 5 minutes.

ADDRESS LEARNING

How Switches Learn Addresses

Examining the Forward/Filter Process

A bridge or switch forwards or filters a frame based on the following logic:

1. If the destination MAC address of the frame is the broadcast address
(i.e. FFFF.FFFF.FFFF) or a multicast address, the frame is forwarded out all
interfaces, except the interface at which the frame is received.
2. If the destination MAC address is a unicast address and there is no associated
entry in the bridge table, the frame is forwarded out all interfaces, except the
interface at which the frame is received.
3. If there is an entry for the destination MAC address in the bridge table, and the
associated interface is not the interface at which the frame is received, the frame is
forwarded out that interface only.
4. Otherwise, drop the frame.
Broadcast and Multicast Frames

• Broadcast and multicast frames do not have a specific destination host address.
• The source address will always be the hardware address of the device transmitting
the frame, and the destination address will be all 1s for a broadcast.
• With the network or subnet address specified and the host address all 1s, it is a
multicast.
e.g. 255.255.255.255 (broadcast)
172.16.255.255 (multicast)

o Multicast sends the frame to a certain network or subnet and all hosts
within that network or subnet.
o A broadcast of all 1s sends the frame to all networks and hosts.

There are three types of switching method:

Store-and-forward switching
The entire frame is received and the CRC is computed and verified before forwarding the
frame. If the frame is too short (i.e. less than 64 bytes including the CRC), too long (i.e.
more than 1518 bytes including the CRC), or has a CRC error, it is discarded. This method
has the lowest error rate but the longest switching latency. However, for high-speed
networks (e.g. Fast Ethernet or Gigabit Ethernet), the latency is not significant.

Cut-through switching (also known as Fast Forward switching)
A frame is forwarded as soon as the destination MAC address in the header has been
received (the first 6 bytes following the preamble). It has the highest error rate (because a
frame is forwarded without verifying the CRC and without confirming that there was no
collision) but the shortest switching latency.

Fragment-free switching (modified cut-through switching)
A frame is forwarded after the first 64 bytes of the frame have been received. Since a
collision can be detected within the first 64 bytes of a frame, fragment-free switching can
detect a frame corrupted by a collision and drop it. Therefore, fragment-free switching
provides better error checking than cut-through switching.

The error rate of fragment-free switching is higher than that of store-and-forward
switching and lower than that of cut-through switching. The latency of fragment-free
switching is shorter than that of store-and-forward switching and longer than that of
cut-through switching.

NOTE:
Bridges only support store-and-forward switching. Most new switch models also use
store-and-forward switching. However, it should be noted that Cisco 1900 switches use
fragment-free switching by default.

Redundant Topology Overview

– Redundant topology eliminates single points of failure.
– Redundant topology causes broadcast storms, multiple frame copies, and
MAC address table instability problems.

Broadcast Storms
• Host X sends a broadcast.
• Switches continue to propagate broadcast traffic over and over.

Multiple Frame Copies
• Host X sends a unicast frame to router Y.
• The MAC address of router Y has not been learned by either switch yet.
• Router Y will receive two copies of the same frame.

MAC Database Instability
• Host X sends a unicast frame to router Y.
• The MAC address of router Y has not been learned by either switch.
• Switches A and B learn the MAC address of host X on port 0.
• The frame to router Y is flooded.
• Switches A and B incorrectly learn the MAC address of host X on port 1.

8.5 Virtual LANs

Consider a network design that consists of Layer 2 devices only. For example, this design
could be a single Ethernet segment, an Ethernet switch with many ports, or a network
with several interconnected Ethernet switches. A full Layer 2-only switched network is
referred to as a flat network topology. A flat network is a single broadcast domain, such
that every connected device sees every broadcast packet that is transmitted. As the
number of stations on the network increases, so does the number of broadcasts. A VLAN
consists of hosts defined as members, communicating as a logical network segment.

In contrast, a physical segment consists of devices that must be connected to a physical
cable segment. A VLAN can have connected members located anywhere in the campus
network, as long as VLAN connectivity is provided among all members. Layer 2 switches
are configured with a VLAN mapping and provide the logical connectivity among the
VLAN members.

The figure shows how a VLAN can provide logical connectivity between switch ports.

Two workstations on the left Catalyst switch are assigned to VLAN 1, whereas a third
workstation is assigned to VLAN 100. In this example, no communication can occur
between VLAN 1 and VLAN 100. Both ends of the link between the Catalysts are
assigned to VLAN 1. One workstation on the right Catalyst also is assigned to VLAN 1.
Because there is end-to-end connectivity of VLAN 1, any of the workstations on VLAN 1
can communicate as if they were connected to a physical network segment.

VLAN Membership

When a VLAN is provided at an access-layer switch, an end user must have some means

of gaining membership to it. Two membership methods exist on Cisco Catalyst switches:

■ Static VLAN configuration

■ Dynamic VLAN assignment

Static VLANs

Static VLANs offer port-based membership, in which switch ports are assigned to
specific VLANs. End-user devices become members in a VLAN based on the physical
switch port to which they are connected. No handshaking or unique VLAN membership
protocol is needed for the end devices; they automatically assume VLAN connectivity
when they connect to a port. Normally, the end device is not even aware that the VLAN
exists. The switch port and its VLAN simply are viewed and used as any other network
segment, with other “locally attached” members on the wire. Switch ports are assigned to
VLANs by the manual intervention of the network administrator, hence the static nature.
Each port receives a Port VLAN ID (PVID) that associates it with a VLAN number. The
ports on a single switch can be assigned and grouped into many VLANs. Even though
two devices are connected to the same switch, traffic will not pass between them if they
are connected to ports on different VLANs. To perform this function, you could use either
a Layer 3 device to route packets or an external Layer 2 device to bridge packets between
the two VLANs.

The static port-to-VLAN membership normally is handled in hardware with
application-specific integrated circuits (ASICs) in the switch. This membership provides
good performance because all port mappings are done at the hardware level, with no
complex table lookups needed.

Dynamic VLANs

Dynamic VLANs provide membership based on the MAC address of an end-user device.

When a device is connected to a switch port, the switch must, in effect, query a database
to establish VLAN membership. A network administrator also must assign the user’s
MAC address to a VLAN in the database of a VLAN Membership Policy Server
(VMPS).

With Cisco switches, dynamic VLANs are created and managed using network-
management tools such as Cisco Works. Dynamic VLANs allow a great deal of flexibility
and mobility for end users but require more administrative overhead.

VLAN Interoperability

Cisco IOS features bring added benefits to the VLAN technology. Enhancements to ISL,
IEEE 802.10, and ATM LAN Emulation (LANE) implementations enable routing of all
major protocols between VLANs. These enhancements allow users to create more robust
networks incorporating VLAN configurations by providing communications capabilities
between VLANs.

Inter-VLAN Communications

The Cisco IOS supports full routing of several protocols over ISL and ATM LANE
virtual LANs. IP, Novell IPX, and AppleTalk routing are supported over IEEE 802.10
VLANs. Standard routing attributes, such as network advertisements, secondaries, and
helper addresses, are applicable, and VLAN routing is fast switched. The table below
shows the protocols supported for each VLAN encapsulation format and the corresponding
Cisco IOS releases.

Table: Inter-VLAN Routing Protocol Support

Protocol                                   ISL            ATM LANE       IEEE 802.10
IP                                         Release 11.1   Release 10.3   Release 11.1
Novell IPX (default encapsulation)         Release 11.1   Release 10.3   Release 11.1
Novell IPX (configurable encapsulation)    Release 11.3   Release 10.3   Release 11.3
AppleTalk Phase II                         Release 11.3   Release 10.3   -
DECnet                                     Release 11.3   Release 11.0   -
Banyan VINES                               Release 11.3   Release 11.2   -
XNS                                        Release 11.3   Release 11.2   -

VLAN Trunking Protocol

As the previous chapter demonstrated, VLAN configuration and trunking on a switch or a
small group of switches is fairly intuitive. Campus network environments, however,
usually consist of many interconnected switches. Configuring and managing a large
number of switches, VLANs, and VLAN trunks quickly can get out of control.

Cisco has developed a method to manage VLANs across the campus network. The VLAN
Trunking Protocol (VTP) uses Layer 2 trunk frames to communicate VLAN information
among a group of switches. VTP manages the addition, deletion, and renaming of VLANs
across the network from a central point of control. Any switch participating in a VTP
exchange is aware of and can use any VLAN that VTP manages.

VTP Domains

VTP is organized into management domains, or areas with common VLAN requirements.

A switch can belong to only one VTP domain, in addition to sharing VLAN information
with other switches in the domain. Switches in different VTP domains, however, do not
share VTP information.

Switches in a VTP domain advertise several attributes to their domain neighbours. Each
advertisement contains information about the VTP management domain, VTP revision
number, known VLANs, and specific VLAN parameters. When a VLAN is added to a
switch in a management domain, other switches are notified of the new VLAN through VTP
advertisements. In this way, all switches in a domain can prepare to receive traffic on their
trunk ports using the new VLAN.

VTP Modes

To participate in a VTP management domain, each switch must be configured to operate

in one of several modes. The VTP mode determines how the switch processes and
advertises VTP information. You can use the following modes:

Server mode -

VTP servers have full control over VLAN creation and modification for their domains.
All VTP information is advertised to other switches in the domain, while all received
VTP information is synchronized with the other switches. By default, a switch is in VTP
server mode. Note that each VTP domain must have at least one server so that VLANs
can be created, modified, or deleted, and VLAN information can be propagated.

Client mode -

VTP clients do not allow the administrator to create, change, or delete any VLANs.
Instead, they listen to VTP advertisements from other switches and modify their VLAN
configurations accordingly. In effect, this is a passive listening mode. Received VTP
information is forwarded out trunk links to neighbouring switches in the domain, so the
switch also acts as a VTP relay.

Transparent mode -

VTP transparent switches do not participate in VTP. While in transparent mode, a switch
does not advertise its own VLAN configuration, and a switch does not synchronize its
VLAN database with received advertisements. In VTP version 1, a transparent mode
switch does not even relay VTP information it receives to other switches unless its VTP
domain name and VTP version number match those of the other switches. In VTP version
2, transparent switches do forward received VTP advertisements out of their trunk ports,
acting as VTP relays. This occurs regardless of the VTP domain name setting.

VTP Configuration

By default, every switch operates in VTP server mode for the management domain NULL
(a blank string), with no password or secure mode. If the switch hears a VTP summary
advertisement on a trunk port from any other switch, it automatically learns the VTP
domain name, VLANs, and the configuration revision number it hears. This makes it easy
to bring up a new switch in an existing VTP domain. However, be aware that the new
switch stays in VTP server mode, something that might not be desirable.

You should get into the habit of double-checking the VTP configuration of any switch
before you add it into your network. Make sure that the VTP configuration revision
number is set to 0, because switches in a domain adopt the VLAN database carried by the
advertisement with the highest configuration revision number. You can do this by isolating
the switch from the network, powering it up, and using the show vtp status command, as
demonstrated in the following output:

Switch# show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Here, the switch has a configuration revision number of 0, and is in the default state of
VTP server mode with an undefined VTP domain name. This switch would be safe to add
to a network.

You can configure the VTP mode with the following sequence of global configuration
commands:

Switch(config)# vtp mode {server | client | transparent}
Switch(config)# vtp password password

If the domain is operating in secure mode, a password also can be defined. The password
can be configured only on VTP servers and clients. The password itself is not sent;
instead, an MD5 digest or hash code is computed and sent in VTP advertisements (servers)
and is used to validate received advertisements (clients). The password is a string of 1 to
32 characters (case sensitive).

If secure VTP is implemented using passwords, begin by configuring a password on the
VTP servers. The client switches retain the last-known VTP information but cannot
process received advertisements until the same password is configured on them, too.

VTP Mode Characteristics

Server: All VLAN and VTP configuration changes occur here. The server advertises
settings and changes to all other servers and clients in a VTP domain. (This is the default
mode for Catalyst switches.)

Client: Listens to all VTP advertisements from servers in a VTP domain. Advertisements
are relayed out other trunk links. No VLAN or VTP configuration changes can be made
on a client.

Transparent: VLAN configuration changes are made locally, independent of any VTP
domain. VTP advertisements are not received but merely are relayed out other trunk links,
if possible.

VTP Configuration Example

As an example, a switch is configured as the VTP server in a domain named MyCompany.
The domain uses secure VTP with the password bigsecret. You can use the following
configuration commands to accomplish this:

Switch(config)# vtp domain MyCompany
Switch(config)# vtp mode server
Switch(config)# vtp password bigsecret

VTP Status

The current VTP parameters for a management domain can be displayed using the show
vtp status command. The following output demonstrates this command on a switch acting
as a VTP client in the VTP domain called CampusDomain.

Switch# show vtp status
VTP Version : 2
Configuration Revision : 89
Maximum VLANs supported locally : 1005
Number of existing VLANs : 74
VTP Operating Mode : Client
VTP Domain Name : CampusDomain
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

8.6 Spanning Tree Protocol (STP)

A robust network design not only includes efficient transfer of packets or frames, but also
considers how to recover quickly from faults in the network. In a Layer 3 environment,
the routing protocols in use keep track of redundant paths to a destination network so that
a secondary path can be used quickly if the primary path fails. Layer 3 routing allows
many paths to a destination to remain up and active, and allows load sharing across
multiple paths.

In a Layer 2 environment (switching or bridging), however, no routing protocols are used,
and active redundant paths are neither allowed nor desirable. Instead, some form of
bridging provides data transport between networks or switch ports. The Spanning Tree
Protocol (STP) provides network link redundancy so that a Layer 2 switched network can
recover from failures in a timely manner without intervention. The STP is defined in the
IEEE 802.1D standard.

Preventing Loops with Spanning Tree Protocol

Bridging loops form because parallel switches (or bridges) are unaware of each other.
STP was developed to overcome the possibility of bridging loops so that redundant
switches and switch paths could be used for their benefits. Basically, the protocol enables
switches to become aware of each other so they can negotiate a loop-free path through the
network.

Loops are discovered before they are made available for use, and redundant links are in
effect shut down to prevent the loops from forming. In the case of redundant links,
switches can be made aware that a link shut down for loop prevention should be brought
up quickly in case of a link failure.

STP is communicated among all connected switches on a network. Each switch executes
the spanning-tree algorithm based on information received from other neighbouring
switches. The algorithm chooses a reference point in the network and calculates all the
redundant paths to that reference point. When redundant paths are found, the spanning-tree
algorithm picks one path by which to forward frames and disables, or blocks, forwarding
on the other redundant paths.

As its name implies, STP computes a tree structure that spans all switches in a subnet or
network. Redundant paths are placed in a Blocking or Standby state to prevent frame
forwarding.

The switched network is then in a loop-free condition. However, if a forwarding port fails
or becomes disconnected, the spanning-tree algorithm recomputes the spanning tree
topology so that the appropriate blocked links can be reactivated.

How STP Works

Electing a Root Bridge

For all switches in a network to agree on a loop-free topology, a common frame of
reference must exist to use as a guide. This reference point is called the root bridge. (The
term bridge continues to be used even in a switched environment because STP was
developed for use in bridges. Therefore, when you see bridge, think switch.) An election
process among all connected switches chooses the root bridge. Each switch has a unique
bridge ID that identifies it to other switches. The bridge ID is an 8-byte value consisting of
the following fields:

Bridge Priority (2 bytes)—The priority or weight of a switch in relation to all other
switches. The Priority field can have a value of 0 to 65,535 and defaults to 32,768 (or
0x8000) on every Catalyst switch.

MAC Address (6 bytes)—The MAC address used by a switch can come from the
supervisor module, the backplane, or a pool of 1,024 addresses that are assigned to every
supervisor or backplane, depending on the switch model. In any event, this address is
hard-coded and unique, and the user cannot change it.

As an example, consider the small network shown in the figure. For simplicity, assume that
each Catalyst switch has a MAC address of all 0s, with the last hex digit equal to the
switch label.

In this network, each switch has the default bridge priority of 32,768. The switches are
interconnected by Fast Ethernet links. All three switches try to elect themselves as the root,
but all of them have equal Bridge Priority values. The election outcome produces the root
bridge, determined by the lowest MAC address—that of Catalyst A.

Electing Root Ports

Now that a reference point has been nominated and elected for the entire switched
network, each non-root switch must figure out where it is in relation to the root bridge.
This action can be performed by selecting only one root port on each non-root switch.
The root port always points toward the current root bridge.

STP uses the concept of cost to determine many things. Selecting a root port involves
evaluating the root path cost. This value is the cumulative cost of all the links leading to
the root bridge. A particular switch link also has a cost associated with it, called the path
cost. To understand the difference between these values, remember that only the root path
cost is carried inside the BPDU. As the root path cost travels along, other switches can
modify its value to make it cumulative. The path cost, however, is not contained in the
BPDU. It is known only to the local switch where the port (or “path” to a neighbouring
switch) resides.

Path costs are defined as a 1-byte value. Generally, the higher the bandwidth of a link, the
lower the cost of transporting data across it. The original IEEE 802.1D standard defined
path cost as 1000 Mbps divided by the link bandwidth in megabits per second. These
values are shown in the center column of the table. Modern networks commonly use
Gigabit Ethernet and OC-48 ATM, which are both either too close to or greater than the
maximum scale of 1000 Mbps. The IEEE now uses a nonlinear scale for path cost.

The root path cost value is determined in the following manner:

1. The root bridge sends out a BPDU with a root path cost value of 0 because its ports sit
directly on the root bridge.

2. When the next-closest neighbour receives the BPDU, it adds the path cost of its own
port where the BPDU arrived. (This is done as the BPDU is received.)

3. The neighbour sends out BPDUs with this new cumulative value as the root path cost.

4. The root path cost is incremented by the ingress port path cost as the BPDU is received
at each switch down the line.

5. Notice the emphasis on incrementing the root path cost as BPDUs are received.

When computing the spanning-tree algorithm manually, remember to compute a new root
path cost as BPDUs come in to a switch port, not as they go out.

Electing Designated Ports

By now, you should begin to see the process unfolding: A starting or reference point has
been identified, and each switch “connects” itself toward the reference point with the
single link that has the best path. A tree structure is beginning to emerge, but links have
only been identified at this point. All links still are connected and could be active, leaving
bridging loops.

To remove the possibility of bridging loops, STP makes a final computation to identify
one designated porton each network segment. Suppose that two or more switches have
ports connected to a single common network segment. If a frame appears on that segment
,all the bridges attempt to forward it to its destination. Recall that this behaviour was the
basis of a bridging loop and should be avoided.

In each determination process discussed so far, two or more links might have identical
root path costs. This results in a tie condition, unless other factors are considered. All tie

STP decisions are based on the following sequence of four conditions:

1. Lowest root bridge ID

2. Lowest root path cost to root bridge

3. Lowest sender bridge ID


NETWORK SECURITY

4. Lowest sender port ID

The three switches have chosen their designated ports (DP) for the following reasons:

Catalyst A

Because this switch is the root bridge, all its active ports are designated ports, by
definition. At the root bridge, the root path cost of each port is 0.

Catalyst B

Catalyst A port 1/1 is the DP for segment A–B because it has the lowest root path cost
(0). Catalyst B port 1/2 is the DP for segment B–C. The root path cost for each end of
this segment is 19, determined from the incoming BPDU on port 1/1 of each switch. Because
the root path cost is equal on both ports of the segment, the DP must be chosen by the next
criterion: the lowest sender bridge ID. When Catalyst B sends a BPDU to Catalyst C, it
has the lowest MAC address in the bridge ID. Catalyst C also sends a BPDU to Catalyst B,
but its sender bridge ID is higher. Therefore, Catalyst B port 1/2 is selected as the
segment's DP.

Catalyst C

Catalyst A port 1/2 is the DP for segment A–C because it has the lowest root path cost
(0). Catalyst B port 1/2 is the DP for segment B–C. Therefore, Catalyst C port 1/2 will be
neither a root port nor a designated port. As discussed in the next section, any port that is
not elected to either position enters the Blocking state.
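The election just described, carried through in code. This is an added example written for this section, not code from the report or from Cisco: it models Catalyst A, B and C with constructed bridge IDs (equal priority 32768 and MAC addresses ending 0a, 0b and 0c), port names 1/1 and 1/2, a cost of 19 on every segment, and applies the four tie-break criteria in order. The last lines show why any switch advertising a lower priority (including a rogue one plugged into an access port) takes over the root role, which is the reason BPDU guard and root guard exist:

```python
"""Spanning-tree port-role election for the three-switch topology in the text.

Added example (not from the original report). Catalyst A, B and C share three
Fast Ethernet segments (A-B, A-C, B-C), each with the classic STP cost of 19.
Roles are decided by the four-step tie-break in order: lowest root bridge ID,
lowest root path cost, lowest sender bridge ID, lowest sender port ID.
Bridge IDs (priority, MAC) and port names are constructed for illustration.
"""
import heapq

FE_COST = 19  # IEEE 802.1D cost of a 100 Mbps link

# Bridge ID = (priority, MAC). Tuples compare lowest-first, as STP requires.
BRIDGES = {
    "A": (32768, "00-00-00-00-00-0a"),
    "B": (32768, "00-00-00-00-00-0b"),
    "C": (32768, "00-00-00-00-00-0c"),
}

# Each segment lists the (switch, port) pairs attached to it.
SEGMENTS = {
    "A-B": [("A", "1/1"), ("B", "1/1")],
    "A-C": [("A", "1/2"), ("C", "1/1")],
    "B-C": [("B", "1/2"), ("C", "1/2")],
}


def elect_root(bridges):
    """Criterion 1: the bridge with the lowest (priority, MAC) becomes root."""
    return min(bridges, key=bridges.get)


def root_path_costs(bridges, segments, root, cost=FE_COST):
    """Criterion 2: cheapest cost from every switch to the root (Dijkstra)."""
    dist = {sw: float("inf") for sw in bridges}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > dist[sw]:
            continue
        for members in segments.values():
            if any(s == sw for s, _ in members):
                for other, _ in members:
                    if other != sw and d + cost < dist[other]:
                        dist[other] = d + cost
                        heapq.heappush(heap, (dist[other], other))
    return dist


def port_roles(bridges, segments, cost=FE_COST):
    """Return (root, root path costs, {(switch, port): role})."""
    root = elect_root(bridges)
    rpc = root_path_costs(bridges, segments, root, cost)
    roles = {}

    # Designated port per segment: lowest (root path cost, bridge ID, port ID)
    # among the ports attached to that segment (criteria 2, 3 and 4).
    for members in segments.values():
        dp = min(members, key=lambda m: (rpc[m[0]], bridges[m[0]], m[1]))
        roles[dp] = "designated"

    # Root port per non-root switch: the port that hears the best BPDU, i.e.
    # lowest (neighbour root path cost + incoming port cost, neighbour bridge
    # ID, neighbour port ID). Cost is added as the BPDU comes IN, as the text says.
    for sw in bridges:
        if sw == root:
            continue
        candidates = []
        for members in segments.values():
            for mine in (m for m in members if m[0] == sw):
                for nb in (m for m in members if m[0] != sw):
                    candidates.append(((rpc[nb[0]] + cost, bridges[nb[0]], nb[1]), mine))
        roles[min(candidates)[1]] = "root"

    # Anything left over is neither root nor designated: it blocks.
    for members in segments.values():
        for port in members:
            roles.setdefault(port, "blocking")
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = port_roles(BRIDGES, SEGMENTS)
    print("root bridge:", root, "root path costs:", rpc)
    for (sw, port), role in sorted(roles.items()):
        print(f"Catalyst {sw} port {port}: {role}")
    # A rogue or misconfigured switch advertising a lower priority takes over
    # as root and reshapes the tree; BPDU guard / root guard exist to stop this.
    rogue = dict(BRIDGES, C=(4096, BRIDGES["C"][1]))
    print("root with C at priority 4096:", port_roles(rogue, SEGMENTS)[0])
```

Running it reproduces the text: A is root with both ports designated, B 1/1 and C 1/1 are root ports, B 1/2 wins segment B–C on sender bridge ID, and C 1/2 blocks.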

STP States

To participate in STP, each port of a switch must progress through several states. A port
begins its life in a Disabled state, moving through several passive states and, finally, into
an active state if allowed to forward traffic. The STP port states are as follows:

Disabled—Ports that are administratively shut down by the network administrator, or by
the system because of a fault condition, are in the Disabled state. This state is special and
is not part of the normal STP progression for a port.

Blocking—After a port initializes, it begins in the Blocking state so that no bridging
loops can form. In the Blocking state, a port cannot receive or transmit data and cannot
add MAC addresses to its address table. Instead, a port is allowed to receive only BPDUs
so that the switch can hear from other neighbouring switches. In addition, ports that are
put into standby mode to remove a bridging loop enter the Blocking state.

Listening—A port is moved from Blocking to Listening if the switch thinks that the port
can be selected as a root port or designated port. In other words, the port is on its way to
begin forwarding traffic.

In the Listening state, the port still cannot send or receive data frames. However, the port
is allowed to receive and send BPDUs so that it can actively participate in the Spanning
Tree topology process. Here, the port finally is allowed to become a root port or
designated port because the switch can advertise the port by sending BPDUs to other
switches. If the port loses its root port or designated port status, it returns to the Blocking
state.

Learning—After a period of time called the Forward Delay in the Listening state, the
port is allowed to move into the Learning state. The port still sends and receives BPDUs
as before. In addition, the switch now can learn new MAC addresses to add to its address
table. This gives the port an extra period of silent participation and allows the switch to
assemble at least some address information. The port cannot yet send any data frames,
however.

Forwarding—After another Forward Delay period of time in the Learning state, the port
is allowed to move into the Forwarding state. The port now can send and receive data
frames, collect MAC addresses in its address table, and send and receive BPDUs.

The port is now a fully functioning switch port within the spanning-tree topology.
Remember that a switch port is allowed into the Forwarding state only if no redundant
links (or loops) are detected and if the port has the best path to the root bridge as the root
port or designated port.

8.7 EtherChannel

Switches can use Fast Ethernet, Gigabit Ethernet, or 10-Gigabit Ethernet ports to scale
link speeds by a factor of ten. Cisco offers another method of scaling link bandwidth by
aggregating, or bundling, parallel links, termed the EtherChannel technology. Two to eight
links of either Fast Ethernet (FE), Gigabit Ethernet (GE), or 10-Gigabit Ethernet (10GE)
are bundled as one logical link of Fast EtherChannel (FEC), Gigabit EtherChannel (GEC),
or 10-Gigabit EtherChannel (10GEC), respectively. This bundle provides a full-duplex
bandwidth of up to 1600 Mbps (eight links of Fast Ethernet), 16 Gbps (eight links of
Gigabit Ethernet), or 160 Gbps (eight links of 10-Gigabit Ethernet).

This also provides an easy means to "grow," or expand, a link's capacity between two
switches, without having to continually purchase hardware for the next magnitude of
throughput. For example, a single Fast Ethernet link (200 Mbps full-duplex throughput)
can be incrementally expanded up to eight Fast Ethernet links (1600 Mbps) as a single
Fast EtherChannel.

If the traffic load grows beyond that, the growth process can begin again with a single
Gigabit Ethernet link (2 Gbps throughput), which can be expanded up to eight Gigabit
Ethernet links as a Gigabit EtherChannel (16 Gbps). The process repeats again by moving
to a single 10-Gigabit Ethernet link, and so on.

Ordinarily, having multiple or parallel links between switches creates the possibility of
bridging loops, an undesirable condition. EtherChannel avoids this situation by bundling
parallel links into a single, logical link, which can act as either an access or a trunk link.
Switches or devices on each end of the EtherChannel link must understand and use the
EtherChannel technology for proper operation. Although an EtherChannel link is seen as
a single logical link, the link doesn't necessarily have an inherent total bandwidth equal to
the sum of its component physical links. For example, suppose that an FEC link is made
up of four full-duplex, 100-Mbps Fast Ethernet links.

Although it is possible for the FEC link to carry a total throughput of 800 Mbps (if each
link becomes fully loaded), the single resulting FEC bundle does not operate at this speed.
Each frame is assigned to one physical link by hashing its addresses, so all frames of a
single conversation travel over the same member link, and that conversation is limited to
the speed of that one link.

EtherChannel also provides redundancy with several bundled physical links. If one of the
links within the bundle fails, traffic sent through that link automatically is moved to an
adjacent link. Failover occurs in less than a few milliseconds and is transparent to the end
user. As more links fail, more traffic is moved to further adjacent links. Likewise, as
links are restored, the load automatically is redistributed among the active links.

Bundling Ports with EtherChannel

EtherChannel bundles can consist of up to eight physical ports of the same Ethernet
media type and speed. Some configuration restrictions exist to ensure that only similarly
configured links are bundled. Generally, all bundled ports first must belong to the same
VLAN. If used as a trunk, bundled ports must be in trunking mode, have the same native
VLAN, and pass the same set of VLANs. Each of the ports should have the same speed
and duplex settings before being bundled. Bundled ports also must be configured with
identical spanning-tree settings.

Configuring EtherChannel Load Balancing

Frames are distributed across the member links by a hashing operation. The hash can be
performed on either MAC or IP addresses and can be based solely on source or destination
addresses, or on both. Use the following global configuration command to configure frame
distribution for all EtherChannel links on the switch:

Switch(config)# port-channel load-balance method

where method is one of src-mac, dst-mac, src-dst-mac, src-ip, dst-ip or src-dst-ip (the
exact set of keywords available varies by platform).
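How the hash decides which member link carries a frame, and why the bundle's capacity is not simply additive. This is an added illustrative model, not code from the report or from any Cisco platform: it assumes a hash that XORs the selected address fields and keeps the low-order three bits (the scheme commonly described for Catalyst switches; real hardware varies), and the client and server addresses are constructed:

```python
"""EtherChannel frame distribution as an illustrative model (added example,
not from the original report).

The text says frames are hashed on MAC or IP addresses to pick a member link.
This models the commonly documented Catalyst approach: XOR the chosen address
fields and use the low-order 3 bits (enough for 8 links) as the index. Real
switches differ per platform, so the hash here is an assumption for
illustration; the client/server addresses below are constructed.
"""
import ipaddress

METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def select_link(frame: dict, method: str, n_links: int) -> int:
    """Index (0..n_links-1) of the member link that carries `frame`.

    `method` mirrors the port-channel load-balance keywords.
    """
    if method not in METHODS:
        raise ValueError(f"unknown load-balance method {method!r}")
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel bundles 1 to 8 links")
    if method.endswith("mac"):
        src, dst = _mac_int(frame["src_mac"]), _mac_int(frame["dst_mac"])
    else:
        src, dst = _ip_int(frame["src_ip"]), _ip_int(frame["dst_ip"])
    if method.startswith("src-dst"):
        h = src ^ dst
    elif method.startswith("src"):
        h = src
    else:
        h = dst
    # Three hash bits give 8 buckets; a bundle that is not a power of two
    # therefore gets an uneven share of buckets per link.
    return (h & 0x7) % n_links


def distribution(frames, method: str, n_links: int) -> list:
    """How many of `frames` land on each member link under `method`."""
    counts = [0] * n_links
    for fr in frames:
        counts[select_link(fr, method, n_links)] += 1
    return counts


# Constructed sample: 16 clients all talking to one server across the bundle.
SERVER = {"ip": "10.0.0.100", "mac": "00-aa-bb-cc-dd-ee"}
FRAMES = [
    {"src_ip": f"10.0.0.{i}", "dst_ip": SERVER["ip"],
     "src_mac": f"00-11-22-33-44-{i:02x}", "dst_mac": SERVER["mac"]}
    for i in range(1, 17)
]

if __name__ == "__main__":
    # One conversation always hashes to the same link, so a single flow can
    # never exceed one member link's speed (the 800 Mbps caveat in the text).
    print("flow 10.0.0.1 -> server uses link", select_link(FRAMES[0], "src-dst-ip", 8))
    # dst-mac with a single server MAC pins every frame onto one link.
    print("dst-mac     :", distribution(FRAMES, "dst-mac", 8))
    # src-dst-ip spreads the 16 conversations evenly over 8 links...
    print("src-dst-ip/8:", distribution(FRAMES, "src-dst-ip", 8))
    # ...but a bundle whose size is not a power of two loads links unevenly.
    print("src-dst-ip/3:", distribution(FRAMES, "src-dst-ip", 3))
```

The choice of method matters in practice: when many clients talk to one server (or through one gateway MAC), dst-mac pins everything to a single link, whereas src-dst-ip spreads the conversations, and a three-link bundle still ends up carrying a 3:3:2 share.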

EtherChannel Configuration

For each EtherChannel on a switch, you must choose the negotiation protocol and assign
individual switch ports to the channel. Two negotiation protocols are available: PAgP
(Cisco proprietary) and LACP (IEEE 802.3ad). You also can configure an EtherChannel to
use the on mode, which unconditionally bundles the links; in this case neither PAgP nor
LACP packets are sent or received, so nothing detects a mismatch between the two ends.
Use on mode only when both ends are configured identically, because an end that bundles
while its neighbour does not can produce a bridging loop or blackholed traffic. As ports
are configured to be members of an EtherChannel, the switch automatically creates a
logical port-channel interface. This interface represents the channel as a whole.

CHAPTER 9. VOIP

Voice over Internet Protocol is a category of hardware and software that enables people to
use the Internet as the transmission medium for telephone calls by sending voice data in
packets using IP rather than by traditional circuit transmissions of the PSTN.

One advantage of VoIP is that telephone calls over the Internet do not incur a
surcharge beyond what the user is already paying for Internet access, in much the same
way that the user doesn't pay for sending individual emails over the Internet. With VoIP,
you can make a call from anywhere you have broadband connectivity.

VoIP systems employ session control and signaling protocols to control the signaling,
set-up, and tear-down of calls. They transport audio streams over IP networks using
media delivery protocols that encode voice and video with audio and video codecs and
carry the result as streaming media.

9.1 VOIP PROTOCOLS

Voice over IP has been implemented in various ways using both proprietary protocols
and protocols based on open standards. Examples of VoIP protocols are:

 H.323
 Media Gateway Control Protocol (MGCP)
 Session Initiation Protocol (SIP)
 H.248 (also known as Media Gateway Control (Megaco))
 Real-time Transport Protocol (RTP)
 Real-time Transport Control Protocol (RTCP)
 Secure Real-time Transport Protocol (SRTP)
 Session Description Protocol (SDP)
 Inter-Asterisk eXchange (IAX)
 Jingle (XMPP VoIP extensions)
 Skype protocol
 TeamSpeak

The H.323 protocol was one of the first VoIP protocols that found widespread
implementation for long-distance traffic, as well as local area network services. However,
since the development of newer, less complex protocols such as MGCP and SIP, H.323
deployments are increasingly limited to carrying existing long-haul network traffic. In
particular, the Session Initiation Protocol (SIP) has gained widespread VoIP market
penetration.

These protocols can be used by special-purpose software, such as Jitsi, or integrated into a
web page (web-based VoIP), like Google Talk.

9.2 IP PHONES

VoIP phones utilize packet-switched Voice over Internet Protocol (VoIP), or Internet
telephony, to transmit telephone calls over the Internet as opposed to the circuit-switched
telephony used by the traditional Public Switched Telephone Network (PSTN). The
advantage of VoIP phone calls is that, unlike regular long-distance calls, phone calls made
through a VoIP phone service are free, with no fees beyond the cost of your Internet
access.

These specialized phones look just like normal phones, with a handset, cradle and buttons.
Also referred to as online phones or Internet phones, a VoIP phone can be a physical
telephone with built-in IP technology and an RJ-45 Ethernet connector instead of the
RJ-11 phone connector found in standard phones, or it can be a voice-capable computer
that uses VoIP hardware such as Magic Jack or VoIP software like Skype. This flexibility
makes it possible for VoIP phone calls to function as Internet phone-to-phone, Internet
phone-to-PC, PC-to-PC or PC-to-phone calls.

IP phones connect directly to your router and have all the hardware and software
necessary right onboard to handle the IP call. Wi-Fi phones allow subscribing callers to
make VoIP calls from any Wi-Fi hot spot.

Caller ID support among VoIP providers varies, but it is provided by the majority of them.
Many VoIP service providers allow callers to configure arbitrary caller ID information,
which permits caller ID spoofing attacks. Business-grade VoIP equipment and software
often makes it easy to modify caller ID information, which gives businesses great
flexibility but also means that a displayed number should never be treated as proof of
who is calling.

The United States enacted the Truth in Caller ID Act of 2009 on December 22, 2010. This
law makes it a crime to "knowingly transmit misleading or inaccurate caller identification
information with the intent to defraud, cause harm, or wrongfully obtain anything of
value."

Why Use VoIP?

• Cheaper telecommunications
• Less phone line rental
• Less wiring required
• "Free" phone calls in some situations
• Video conferencing possibilities
• Branch offices may not need a PABX
• Wi-Fi bridges can be used to connect the phone system

Disadvantages of VoIP

• Quality of calls across the Internet is not assured
• A broadband-equivalent connection is needed for connecting offsite
• Network switches may need replacement
• Power over Ethernet may need to be established over the LAN
• Phone availability depends on network hardware and power
• Some VoIP providers charge fees
• Emergency calls (such as 000) do not automatically pass on the caller's location

10. PROJECT WORK

Planning of work

First of all, we need to decide the structure of the network and then the devices to be
used. In this project we used routers, switches, servers, Linksys wireless routers and end
devices (PCs, laptops, etc.), in both wired and wireless networks. Our main goal is to apply
security services. After creating the structure, we configure the networks and routing
protocols so that the routers can communicate, and then DHCP to provide IP addresses to
end devices. After this we add security services such as NAT, ACLs, port security and
login passwords.

10.1 Project Overview: Network security consists of the provisions and policies
adopted by a network administrator to prevent and monitor unauthorized access, misuse,
modification, or denial of a computer network and network-accessible resources. Network
security involves the authorization of access to data in a network, which is controlled by
the network administrator.

In this project all work is done in the CISCO Packet Tracer software, and the same
configuration can be performed on real devices.

10.2 FEATURES OF PROJECT

 Authentication and Authorization – Login passwords (console password, telnet/vty
password, enable password) are configured to verify that only authorized users gain
access.

Figure: User authentication

 Port security or MAC address filtering – Port security limits the number of MAC
addresses allowed per port and can also limit which MAC addresses are allowed. Allowed
MAC addresses can be configured manually, or the switch can sticky-learn them, which
binds the MAC address of a device to a specific port.

Figure: Port security configuration

 Access control list – The original intention of an access list was to permit or deny
access of packets into, out of, or through a router. Access lists have become powerful
tools for controlling the behaviour of packets and frames.

 NAT – NAT is a router service that translates the original (private) IP addresses of
inside hosts to addresses from another address space, typically a public address or pool.
NAT hides the internal addressing scheme from the outside, but on its own it is not a
security control: it must be combined with ACLs or a firewall to block unwanted inbound
traffic.

 WPA2-AES – Used to authenticate wireless clients and to encrypt wireless traffic with
AES-CCMP.

 REDISTRIBUTION – Redistribution is a method used to exchange routes between two
different routing protocols.

 DHCP (Dynamic Host Configuration Protocol) enabled for automatic configuration of IP
addresses.

 ETHERCHANNELS – Cisco's method of scaling link bandwidth by aggregating, or
bundling, parallel links, termed EtherChannel technology.

 DNS server to resolve URLs to their corresponding IP addresses.

 HTTP and HTTPS access to share information.

 FTP service for data sharing.

 SMTP service for e-mail conversations.

 Firewall, to block unauthorized access to the network.

 Password encryption (service password-encryption), so that plaintext passwords are not
shown in the running configuration. Note that this Type 7 encoding is trivially reversible;
enable secret, which stores a hash, should be used for the privileged-mode password.
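The port-security behaviour listed above, as a small model. This is an added example written for this section, not the report's configuration or Cisco code; it assumes Cisco-style semantics (a per-port maximum, statically configured and sticky-learned addresses, and the protect, restrict and shutdown violation modes), interface names and MAC addresses are constructed, and config_lines() emits the IOS commands that a given port state corresponds to:

```python
"""Switch port security as a small behavioural model (added example, not code
from the report or from Cisco).

Models what the report's port-security feature does on a Catalyst access
port: a per-port maximum number of MAC addresses, statically configured or
sticky-learned allowed addresses, and the three violation modes (protect,
restrict, shutdown). Interface names and MAC addresses are constructed.
"""
from dataclasses import dataclass, field


def _norm(mac: str) -> str:
    """Normalise any common MAC notation to 12 lowercase hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


def _dotted(mac12: str) -> str:
    """IOS running-config notation, e.g. 0011.2233.4455."""
    return ".".join(mac12[i:i + 4] for i in (0, 4, 8))


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"  # protect | restrict | shutdown
    sticky: bool = False
    static: set = field(default_factory=set)   # operator-configured MACs
    learned: set = field(default_factory=set)  # dynamically / sticky learned
    err_disabled: bool = False
    violations: int = 0

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {self.violation!r}")
        self.static = {_norm(m) for m in self.static}
        if len(self.static) > self.maximum:
            raise ValueError("more static MACs than the configured maximum")

    def ingress(self, src_mac: str) -> str:
        """Decide a frame's fate: 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"          # stays down until an operator recovers it
        mac = _norm(src_mac)
        if mac in self.static or mac in self.learned:
            return "forward"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(mac)          # room left: learn (sticky keeps it in config)
            return "forward"
        # Unknown source address beyond the limit: a violation.
        if self.violation == "protect":
            return "drop"                  # silently dropped, not counted
        self.violations += 1               # restrict: dropped, counted and logged
        if self.violation == "shutdown":
            self.err_disabled = True       # shutdown: whole port goes err-disabled
            return "err-disabled"
        return "drop"

    def config_lines(self) -> list:
        """The IOS interface configuration this port state corresponds to."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {_dotted(m)}"
                  for m in sorted(self.static)]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {_dotted(m)}"
                      for m in sorted(self.learned)]
        return lines


if __name__ == "__main__":
    port = SecurePort("FastEthernet0/1", maximum=2, violation="restrict", sticky=True)
    for mac in ("00-11-22-33-44-55", "00-11-22-33-44-66", "de-ad-be-ef-00-01"):
        print(mac, "->", port.ingress(mac))
    print("\n".join(port.config_lines()))
```

The model shows the trade-off between the modes: protect and restrict keep the port up for the legitimate hosts and only drop the intruder's frames (restrict also counts and logs), whereas shutdown takes the whole port, and every host on it, out of service until recovered.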

11. Conclusion

Computer networking is a vast field in the present era of electronics and
communication. Nowadays computers are used in a wider range of settings, and
organizations use multiple computers within their departments to perform their
day-to-day work. A computer network allows users to share data, folders and files with
other users connected to the network. Computer networking has bound the world into a
very small area through its wide networking processes such as LAN, MAN and WAN. Every
network requires security for confidential data and to secure that data

Applications

 Communication Field
 Industries
 Medical Field
 Research Field
 Organizations
 School
 Colleges
 Military
 Domestic use
