You are on page 1of 135


Cisco Certified Entry

Networking Technician
(Interconnecting Cisco Networking Devices Part 1)

© Train Signal, Inc., 2002-2007

Introduction to CCENT

© Train Signal, Inc., 2002-2007

• Introduction to Networking And The Networking Models

• Ethernet and CSMA/CD
• Switching
• Switch (and Router) Commands
• IP Addressing and The Routing Process
• Basic Network Protocols
• Memory, Config Files, and More Basic Commands
• Wireless LANs
• Binary and Subnetting
• Static Routing and RIP
• Wide Area Networks (WANs)
• Troubleshooting
• Basic Network Security

© Train Signal, Inc., 2002-2007

• Your Instructor: Chris Bryant, CCIE #12933
• Earned my CCIE on February 26, 2004
• Founded The Bryant Advantage in June of
that year.
• My Video Boot Camps and other study
materials place an emphasis on clearly
explained theory and plenty of work on REAL
CISCO routers and switches.
• Visit the website:
© Train Signal, Inc., 2002-2007

• Exam Prep Tips:

– Take your time and master the material.
– If possible, practice the commands on real Cisco
routers and switches.
– Do not practice debugs on a production network on
any time.
– Get plenty of rest the day before exam. By that time,
the die is cast.
– Don’t cram for the exam. Prepare.
© Train Signal, Inc., 2002-2007

Video 1
Introduction to Networking
and the Networking Models

© Train Signal, Inc., 2002-2007

Intro to Networking
and the Networking

• What is A Network
• The OSI Model
• The Data Transmission Process
• The TCP/IP Model
• Why Use Networking Models?
• Ports, Sockets, and Port Numbers
© Train Signal, Inc., 2002-2007

• When you break networking down into

the simplest concept possible, this
what we have:
– We need to get data from one point to another
in the most effective manner possible.

© Train Signal, Inc., 2002-2007

• We build networks to allow devices such as the ones you see

here to communicate with each other, and as different devices
are added to the network, this communication becomes more
challenging to allow.
• And it's not just allowing communication that's challenging -
there are communications that we do not want to allow as
well. Perhaps we only want one of those PCs to have access to
the e-commerce server, and we don't want any other PCs to
even know about that server. We also have to be wary of
intruder attacks, because there are all kinds of bad guys who
want to get into our network, and we've got to keep them out!

© Train Signal, Inc., 2002-2007

• The thought of learning all of this can be
intimidating at first. Having worked my way
from entry-level certifications all the way to
the CCIE, and having taught thousands of
CCNAs and CCNPs worldwide, I can tell you
that the key to networking success in both
the exam room and working with real-world
networks can be summed up in five words:

© Train Signal, Inc., 2002-2007

Know And
Understand The

• Nothing fancy, right? Right! Learning and

understanding the fundamentals of networking are
what this course is all about. Most of you will go on
to more advanced studies, and that's great - because
in this business, we're always learning new
skills. The key to mastering intermediate and
advanced networking is to master the fundamentals -
because if you don't understand how networks
operate, you can't fix them!

© Train Signal, Inc., 2002-2007

Why Are These

Models Important?

• When it comes to the OSI and TCP/IP networking

models, a common question is "Beyond passing the
exam, why do I have to learn this?" I freely admit
that I had that thought more than once when I began
studying networking. It's particularly tough because
this is usually the first material presented to
networking students, and to be frank, it's not as
exciting as configuring routers and switches.

© Train Signal, Inc., 2002-2007

• I can tell you from personal experience that you are
going to use the material in this chapter throughout
your networking career, so it's not just something
that you have to learn to pass the CCENT and CCNA
• I've personally found networking models to be
helpful in developing an effective troubleshooting
process, and I'll talk more about that in the
Troubleshooting section of this course. I just want
to let you know that this really is useful information,
not just something to memorize.
© Train Signal, Inc., 2002-2007

The Application

• This is the layer where the end users themselves

interact with the network. Authentication services
also run at Layer 7, but encryption runs at the next
layer down.
• The Application layer ensures that the remote
communication partner is available, that the needed
communication resources exist (a modem, for
example), and that both ends of the communication
agree on procedures involving data integrity,
privacy, and error recovery.

© Train Signal, Inc., 2002-2007

• When trying to decide if a protocol is an Application

layer protocol, just remember that protocols that
require the end user to enter a request are
Application layer protocols. Firewalls, devices
intended to keep network intruders out, operate at
• Protocols and services that run at L7 include:
– Email protocols SMTP and POP3
– Telnet
– File Transfer Protocol (FTP)
– Simple Network Management Protocol (SNMP)

© Train Signal, Inc., 2002-2007

The Presentation

• This layer answers one simple question: "How

should this data be presented?" In addition to
properly formatting data, encryption occurs at this
• Have you ever opened a file in a word processing
application, and you got pages of unrecognizable
characters? That’s a Presentation Layer issue. The
applications have not agreed on how the data is to
be presented.

© Train Signal, Inc., 2002-2007

• There are four primary tasks that the Presentation

Layer is concerned with:
1. Compatibility with the operating system
2. Proper encapsulation of data for network transmission.
3. Data formatting (ASCII, binary)
4. Data encryption, compression, and translation.
• You've probably seen some of the file types that are
used at the Presentation layer - JPEG, ASCII, GIF,

© Train Signal, Inc., 2002-2007

The Session Layer

• Layer 5 is the "manager" of the two-way

communication between two remote
hosts. This is the layer that handles the
creation, maintenance, and teardown of
communications between those two
hosts. The overall communication itself is
referred to as a session.
• Some sessions last just long enough to send
a unidirectional message, where other
sessions will be of longer duration.

© Train Signal, Inc., 2002-2007

The Transport

• The Transport Layer’s purpose is to establish a

logical end-to-end connection between two systems,
segment data received from the upper layers of the
OSI model, and to make sure the data gets to the
destination in the correct order and free of errors.
• At the Transport Layer, there are two methods for
transporting data: connection-oriented, referring to
TCP, and connectionless, referring to UDP. We'll
take a much more detailed look at TCP and UDP later
in this section.

© Train Signal, Inc., 2002-2007

The Network Layer

• It's at Layer 3 of the OSI model that you and I as

network admins begin to have a great deal of
interaction with the network. IP runs at this layer,
and since routers operate here at L3, this layer is
often called "the routing layer".
• In a nutshell, routing is a two-question process:
– What valid paths exist from the local router to a given
– What is the best path (the "optimal path") to take to get there?
• Lots more on this layer to come later in the course!

© Train Signal, Inc., 2002-2007

The Data Link


• The switches that we'll spend so much time with later in the
course operate at Layer 2. Wireless Access Points (WAPs) also
operate at this layer - more on WAPs in the Wireless
section. Devices that you may well be using right now to
access the Internet, cable modems and DSL modems, also run
at L2.
• We've got four major specifications that run here, some of
which you may already be familiar with:
– Ethernet
– High Data Link Control (HDLC)
– Point-to-Point Protocol (PPP)
– Frame Relay

© Train Signal, Inc., 2002-2007

• A very important distinction: The data link layer
does perform error detection through something
called the Frame Check Sequence (more on that
later), but this layer does not perform error
• The Data Link Layer is generally referred to as Layer
2, and MAC addresses as Layer 2 addresses. If
you're not familiar with MAC addresses, they will be
discussed in more detail in the Ethernet and LAN
Switching sections.

© Train Signal, Inc., 2002-2007

• Another name for the MAC address is a little

misleading, so let's nail this down. MAC addresses
are sometimes called hardware addresses and
physical addresses. That's because a MAC address
is physically burned into the Network Interface Card
(NIC), which leads to another name for this address -
a burned-in address (BIA).
• What's the misleading part? Remember that
physical addresses are not used at the Physical
layer of the OSI model - they're Data Link layer
addresses. That's right - a physical address is used
to deliver a frame, but not a physical layer address.

© Train Signal, Inc., 2002-2007

• Switches operate at L2, as do bridges. Layer

3 Switches do exist, but when operating at
Layer 3, they’re not switching or
bridging. They’re routing. You don't need
to know about L3 switches for the
CCENT exam, but you should know they
exist as they're becoming more and more
popular in today's networks.

© Train Signal, Inc., 2002-2007

The Physical Layer

• When things get a little complicated in

networking, I like to remind myself that "it's
all ones and zeroes!" Whatever data our end
users are creating, it's going to eventually be
"translated" into a series of 1s and 0s. Once
that is done, it's the Physical layer that
handles the actual data
transmission. Anything to do with a physical
cable or the standards in use - the pins, the
connectors, the electrical current itself - is
running at the Physical layer.
© Train Signal, Inc., 2002-2007

The Data
• When the end user sends data, that data will go
through all seven layers of the OSI model. The data
is broken up into smaller and smaller parts
beginning at Layer 4 (the Transport layer) until it's in
the form of electric signals that can be sent across
the physical media.
• As the data flows down the OSI model, it's referred
to by different terms. You really have to master
these and watch for them on your exams. There are
four different terms you need to know:

© Train Signal, Inc., 2002-2007

• At the Application, Presentation, and Session layers,

data is simply called "data".
• At the Transport layer, data is placed into segments.
• At the Network layer, data is placed into packets.
• At the Data Link layer, data is placed into frames.
• Finally, at the Physical layer, data takes the form of
bits - and remember, it's all ones and zeroes!

© Train Signal, Inc., 2002-2007

• Those are very important terms for
your career and especially for your
exams. If I mention "segments", you
should know I'm discussing the
Transport layer of the OSI model
without any other hints, because you
might not get any other hints!

© Train Signal, Inc., 2002-2007

• As data flows down the OSI model, each layer adds a

header that will be removed by the same layer on the
other end of the session. These headers are layer-
specific in that the Network layer couldn't care less
about the contents of any header except the Network
layer on the other end of the session.
• As an end user enters data for transmission to a
remote host, the first six layers of the OSI model will
add a layer-specific header that contains information
to be read by the same layer of the OSI model at the
remote location. Note that Layer 2, the Data Link
layer, adds both a trailer and a header.

© Train Signal, Inc., 2002-2007

• The combination of data and a layer-specific header

is called a Protocol Data Unit (PDU). There's a PDU
for each layer; that is, the combination of data and
L7 header information is called an L7 PDU, the data
and L6 header information is called an L6 PDU, and
so forth.
• After the data is successfully transmitted by the
Physical layer to the remote location, the data begins
to travel back up the model. Each layer will remove
the header added by its counterpart - that is, Layer 3
removes the L3 header and reads it, L4 removes the
L4 header and reads it, and so forth.

© Train Signal, Inc., 2002-2007

• The term same-layer interaction describes
the process of a given OSI layer removing
the header placed on the data by the same
layer on the sending side. For example,
the Application layer on the receiving end
will remove only the header placed onto the
data by the Application layer on the sending
side, and so forth.

© Train Signal, Inc., 2002-2007

• This model is another way to look at the overall data

transport process, and it also uses layers to
illustrate the process. However, the TCP/IP model
uses only four layers to do so. For the CCENT,
CCNA, and any entry-level certification exam from
another vendor, it's a very good idea to know…
– the layers of both the TCP/IP and OSI model
– the responsibilities of each layer
– how the layers map from one model to another

© Train Signal, Inc., 2002-2007

• The Application layer of the TCP/IP model maps to

the top three layers of the OSI model
(Application, Presentation,
and Session). Everything that the top three layers
of the OSI model do is performed by the TCP/IP
model's Application layer.
• The Transport layer of the TCP/IP model maps
directly to the Transport layer of the OSI model. TCP
and UDP both operate at this layer, and data takes
the form of segments.

© Train Signal, Inc., 2002-2007

• The Internet layer of the TCP/IP model maps to the
Network layer of the OSI model. Both layers are
responsible for routing through the use of IP
addresses, static routes, and dynamic routing
• (You will occasionally see some non-Cisco
documentation call this layer the Internetwork layer,
but "Internet" is the name used in Cisco
• Finally, the Network Access layer of the TCP/IP
model maps to the Data Link and Physical layers of
the OSI model.
© Train Signal, Inc., 2002-2007

So Why Do We Go
Through All Of
This, Anyway?

• It's natural to ask why we use networking

models in the first place. It's a good
question, and there are some good answers!
• Networking models do help software vendors
create products that are interoperable. (At
least, we hope they're interoperable.) That
doesn't affect us directly as network admins,
but two uses of these models affect us
directly both as admins and as students.

© Train Signal, Inc., 2002-2007

• Breaking networking operations up into

smaller parts make it easier to learn
networking in the first place. By using the
OSI model in particular, you can take a
structured approach to your learning:
– First, learn about cables and physical specifications
– Then learn about switches and MAC addresses (L2)
– Then start on routing (L3)
© Train Signal, Inc., 2002-2007

• Using the OSI model to structure your
troubleshooting approach is a real help,
too. I always tell students to "start
troubleshooting at the physical layer", and
you'll see what I mean in the Troubleshooting
section of the course. There are two kinds of
troubleshooters in the world:
– Those who have a structured approach
– Those who don't and are basically throwing stuff out
there and hoping something works
© Train Signal, Inc., 2002-2007

• TCP:
– Guaranteed delivery
– Error detection via sequence and ACK numbers
– Windowing
– "Connection-Oriented"
• UDP:
– "best-effort" delivery, but no guarantee of delivery
– No error detection
– No windowing
– "Connectionless"
© Train Signal, Inc., 2002-2007

TCP's "Three-Way

• With TCP, there's work to be done before

data is transmitted. The two devices have to
agree on some basic parameters before
segments can be sent - and this negotiation
has the curious name three-way handshake.
If that's the first time you've heard this term,
you're probably wondering how a handshake
can be three-way! Then again, maybe you
don't want to know - but to pass the CCENT
and CCNA exams, we gotta know! Let's take
a step-by-step look at this process.
© Train Signal, Inc., 2002-2007

• Before the sender can start sending, there's
going to be a negotiation between the two
devices regarding rules for data
transmission. That negotiation is the three-
way handshake itself, which begins with the
sender transmitting a TCP segment with the
Synchronization ("SYN") bit set. The primary
value being negotiated here is the TCP
sequence number, which we'll discuss in
more detail in the next section. This is the
first part of the three-way handshake.
© Train Signal, Inc., 2002-2007

• The recipient responds with a TCP

segment with both the synchronization
and acknowledgement bits set - a
"SYN/ACK". This is part two of the
three-way handshake.

© Train Signal, Inc., 2002-2007

• The sender responds with an ACK, and the

three-way handshake is complete.

• UDP does not use a three-way handshake.

• In addition to the orderly construction of the

communication channel, TCP uses the FIN
("finish) bit to bring the channel down when
the communication is closed.
© Train Signal, Inc., 2002-2007

TCP's Error
Detection / Error
Recovery Feature

• Before we take a look at how TCP performs

both error detection and error recovery, we
need to draw a very clear line between those
two terms. They are not the same thing!
– Error detection is finding an error
– Error recovery is doing something about the error
• Watch that on your exam. :)

© Train Signal, Inc., 2002-2007

• TCP does both, and it uses both a sequence number and an

acknowledgement number ("ack") in the TCP header to do
so. In the following example, one host is sending four
segments to another host. Each of the segments has a
sequence number. That sequence number tells the recipient in
what order to reassemble the segments, and it's also a
fundamental concept in error detection and recovery.
• For simplicity's sake, we'll assume the first segment has a
sequence number of 100, and we'll add 100 to the subsequent
sequence numbers. (Remember, we're at the Transport layer -
these are segments!)

© Train Signal, Inc., 2002-2007

• The recipient will now send a segment back

that contains no data, but does have an ack
number set. You might think that the ack
number would reflect the last sequence
number received, but that's not quite
right. The ack number will actually indicate
the next sequence number the data recipient
expects to see!

© Train Signal, Inc., 2002-2007

• This entire process revolves around two
– The sender is waiting for a positive message from the
recipient that the data was received
– If that message isn't received, the data is
• That's why we call this entire process
Positive Acknowledgement with
Retransmission (PAR).

© Train Signal, Inc., 2002-2007

• "Windowing" refers to the amount of data

that a data sender is allowed to transmit
without waiting for an ack. In this case, the
size of the window is 2400 bytes, meaning
that the data sender can transmit 2400 bytes
before it has to stop and wait for an ack.
• The data recipient decides the size of the
window, not the sender. This gives the
recipient some control over how much data
is sent ("flow control").

© Train Signal, Inc., 2002-2007

• The term sliding window refers to this

dynamic adjustment of the window
• UDP does not have windowing

© Train Signal, Inc., 2002-2007

• All of the features we've looked at here - the
three-way handshake, windowing, sequence
numbering, error detection and recovery -
are all TCP features. UDP doesn't use any of
them. Two questions come to mind:
– Why doesn't UDP offer these features?
– Why in the world do we use UDP for anything?
• A look at the TCP and UDP headers will
answer both of those questions! Here's the
TCP header...

© Train Signal, Inc., 2002-2007

• Quite a difference! Take a few moments to compare

the two and you'll see that UDP can't perform any of
those TCP features because UDP literally can't offer
them. The UDP header has no sequence number
field, no ack number field, no ACK bit, no SYN bit,
and no window field.
• The TCP and UDP headers have only three values in
– Source port
– Destination port
– Checksum

© Train Signal, Inc., 2002-2007

• Now that we've answered the question about why

UDP doesn't offer the features that TCP does, let's
answer the second question regarding why UDP is
used in the first place. That question can really be
answered with one word... overhead.
• The TCP header is much larger than the UDP
header. That header is being applied to every
segment, and that adds up! UDP's advantage over
TCP is that its header is much smaller than TCP's.

© Train Signal, Inc., 2002-2007

• If you're not familiar with MAC or IP
addressing, we're going to cover that in
another section, but for now it's
enough to know that when two hosts
communicate on a network, they're
using these MAC and IP addresses as
the destination when the data is sent.

© Train Signal, Inc., 2002-2007

• So far, so good. But what if one host is

sending multiple flows of information to the
remote host? Let's say that the PC at is sending three different kinds of
information to the PC at
– transferring a file via Trivial File Transfer Protocol
– email via Simple Mail Transfer Protocol (SMTP)
– opening a remote connection via Telnet
© Train Signal, Inc., 2002-2007

• If you're not familiar with those three

protocols, don't worry about it - you will be
before you're done with this course. For now,
it's enough to know that one PC is sending
three different types of information to the
other, and the MAC and IP source and
destination addresses for all three
transmissions is going to be the same. How
can the receiving host tell TFTP from SMTP if
that's the case?

© Train Signal, Inc., 2002-2007

• We need a way for the recipient to
differentiate one data flow from the other,
and since the source and destination MAC
and IP addresses will be the same for all
three flows, that won't do. What will do is the
TCP or UDP port number. While these three
data flows will have the same Layer 2 (MAC)
and Layer 3 (IP) source and destination
addresses, they'll have different, pre-
assigned port numbers.

© Train Signal, Inc., 2002-2007

• These port numbers allow the host at

to mix these three data streams when
sending to, rather than sending all
the SMTP data, then the Telnet data, then the
TFTP data. The PC at will use the
port numbers to drive the three different data
streams to the appropriate application. This
mixing of data streams is called multiplexing.

© Train Signal, Inc., 2002-2007

• A socket may sound like something physical on the

PC, but it's not. The socket is simply a combination
of IP address and port number. For example, the
socket on for port 69 is That
socket can also be expressed with this format:

• (IP address, transport protocol, port number)

• That would make the TFTP socket on that PC

(, UDP, 69).

© Train Signal, Inc., 2002-2007

• The port number system works beautifully, but
naturally the hosts need to agree on what port is
used for a given protocol. In the previous example,
if used TCP port 45 for Telnet and
used TCP port 55, we'd have some serious
• That's why most protocols use the same port
number at all times, and these port numbers are
referred to as well-known port numbers. All port
numbers below 1024 are reserved, well-known port
numbers -- but you don't have to memorize 1024
numbers for the exams!

© Train Signal, Inc., 2002-2007

• I do strongly recommend you have the following port

numbers memorized, however. These numbers will
become second nature to you as you progress in
your networking studies and your career, but for
now we gotta memorize these! After this list, I'll
show you a little trick you can use on a Cisco router
to see a list of well-known port numbers.
• Since you won't be allowed to carry a router into the
exam room, though, know this list cold! Don't worry
if there are services or protocols on here you're not
yet familiar with - you will be before the end of this

© Train Signal, Inc., 2002-2007

• Some Common TCP Ports:

– FTP - File Transfer Protocol - Uses TCP ports 20 and
– SSH - Secure Shell - Uses TCP port 22
– Telnet uses TCP port 23
– SMTP - Simple Mail Transfer Protocol - uses TCP
port 25
– HTTP - HyperText Transfer Protocol - uses TCP port
– POP3 - Post Office Protocol 3 - uses TCP port 110
– SSL - Secure Socket Layer - uses TCP port 443
© Train Signal, Inc., 2002-2007

• Some Common UDP Ports:
– DHCP - Dynamic Host Control Protocol - uses UDP ports 67 and
– TFTP - Trivial File Transfer Protocol - uses UDP port 69
– SNMP - Simple Network Management Protocol - uses UDP port
• Protocols Using Both TCP And UDP Ports
– DNS - Domain Name Service - uses UDP and TCP port 53
– The port number 24 is reserved in both UDP and TCP for private
mail systems

© Train Signal, Inc., 2002-2007

• With Voice over IP (VoIP) becoming

more and more commonplace in
today's networks, it couldn't hurt to
know that the entire range of UDP ports
from 16384 - 32767 are reserved for
voice traffic.

© Train Signal, Inc., 2002-2007

Video 2
Ethernet Standards
And Cable Types

© Train Signal, Inc., 2002-2007

Standards and
Cable Types

• The Need For And Operation of CSMA/CD

• Ethernet Types And Standards
• Pins And Transmissions
• Crosstalk
• Cable Types
• Ethernet Addressing
• Intro to WAN Cabling And a Cable Type
© Train Signal, Inc., 2002-2007

• With each host connected to its own switch

port, we no longer have to worry about
collisions when hosts send data
simultaneously. In the old days of
networking, though, that wasn't the
case. While you may not see the following
physical topology very often in your career, if
at all, I'm presenting it here so you know how
hosts on a shared Ethernet segment practice
CSMA/CD - Carrier Sense Multiple Access
with Collision Detection.
© Train Signal, Inc., 2002-2007

• The Ethernet standard you're most likely to be

familiar with is 10Base-T, specified by IEEE
802.3. The "T" stands for twisted-pair cable, and the
maximum length of a 10Base-T copper cable is 100
meters. The "10" refers to the 10 MegaBits Per
Second (MBPS) capacity.
• You may be asking "Why twist the cable
pairs?" Twisting pairs of wires inside the cable cuts
down on the possibility of electromagnetic
interference, whether that interference comes from
another cable or an outside source - elevators are
notorious for generating such interference.

© Train Signal, Inc., 2002-2007

• In the previous illustrations, we looked at a network
with a single coaxial cable and multiple hosts
connected to that coax cable. That topology was
used by the first Ethernet standards, 10Base5 and
• The sole physical components were the Ethernet
cards in the computers and coaxial cable, which is
the topology we looked at in the previous
example. The cable made up a bus that all the
connected devices would use. (This type of bus is
referred to as a shared bus.)
© Train Signal, Inc., 2002-2007

• The ending numbers in the terms “10Base5”

and “10Base2” allegedly refer to the limit on
the length of the cable, expressed in units of
100 meters. This is true for 10Base5; the limit
on the cable length is 500 meters. It’s not
quite accurate for 10Base2, though; the limit
on that cable is 185 meters, NOT 200 meters.

© Train Signal, Inc., 2002-2007

• Fast Ethernet is defined by IEEE

802.3u, and has a maximum capacity of
100 MBPS. Fast Ethernet copper
cables also have a maximum cable
length of 100 meters.

© Train Signal, Inc., 2002-2007

• Defined by IEEE 802.3z, Gigabit
Ethernet has a maximum capacity of
1000 MBPS, also expressed as 1 GBPS
(GigaBits Per Second). The maximum
cable length is 100 meters here as well,
but we cannot use a regular copper
cable for Gigabit Ethernet.

© Train Signal, Inc., 2002-2007

• Ethernet runs at 10 MBPS, defined by IEEE 802.3,

and its copper cable has a maximum length of 100
meters. Variations include 10Base-T, 10Base-2, and
10Base-5, with the last two involving a shared cable
• Fast Ethernet runs at 100 MBPS, is defined by IEEE
802.3u, and its copper cable has a maximum length
of 100 meters.
• Gigabit Ethernet runs at 1000 MBPS (1 GBPS), is
defined by IEEE 802.3z, and also has a 100 meter
cable length maximum - but it cannot use copper
© Train Signal, Inc., 2002-2007

• A standard Ethernet cabling type is Category

5 Unshielded Twisted-Pair, commonly known
as CAT 5 UTP. The connector on the end of
a typical Cat 5 UTP cable is an RJ-45
connector. This type of connector has a tab
on the bottom that snaps into place when the
connector is correctly placed into the
device. (You can usually hear the “snap”
sound, unless you’re in a very loud wiring

© Train Signal, Inc., 2002-2007

• The cable will contain separate wires inside,
and the endpoints of these wires are referred
to as pins. While you now know that bits are
sent over these wires, it’s important to know
that the same set of pins is always used to
transmit, and a separate set of pins is always
used to receive.
– Pins 1 and 2 Transmit
– Pins 3 and 6 Receive

© Train Signal, Inc., 2002-2007

• Crosstalk is caused by the electromagnetic

interference mentioned a moment ago. Basically, a
signal “crosses over” from one pair of cables to
another, causing the signals to become unusable.
• NEXT (near-end crosstalk) is a condition generally
caused by crossed or crushed pairs of wires. The
conductors inside the wires don’t even have to be
exposed – but if the conductors are too close, the
signal traveling on one wire can actually interfere
with the signal on another wire. The “near-end” is a
relative term, referring to the end of the cable being
tested (as opposed to far-end crosstalk, or FEXT).

© Train Signal, Inc., 2002-2007

• In a typical RJ-45 connection, the crosstalk is

actually at its highest level as data enters the
• You may occasionally see the term
PSNEXT. This is short for “Power Sum Near
End Cross Talk”, and refers to the
calculation carried out when a NEXT test is
run. When the NEXT results for each pair of
wires is added, the result is the PSNEXT

© Train Signal, Inc., 2002-2007

• In the following exhibit, we've got three
separate physical connections:
– A laptop connected to a switch (Cable 3)
– Two switches connected to each
other (Cable 2)
– A PC connected to a switch (Cable 1)

© Train Signal, Inc., 2002-2007

• For Cable 1, we need a straightthrough

cable. A straightthrough cable is used to
connect a PC to a switch or hub. In a
straight-through cable, the wire connected to
Pin 1 on one side is connected to Pin 1 on
the other, the wire connected to Pin 2 on one
side is connected to Pin 2 on the other, and
so forth.

© Train Signal, Inc., 2002-2007

• You may have occasion to connect two similar

devices directly with Ethernet, which can cause a
problem since both devices will use the same pair of
wires for transmitting data.
• It's very common to connect two switches to allow
them to send data over that connection, called a
trunk. You'll learn all about the particulars of
trunking in your CCNA studies, but the first thing we
have to do is make sure we have the correct cable!

© Train Signal, Inc., 2002-2007

• What we need is a crossover
cable. The wire connected to Pin 1 on
one side will no longer be connected to
Pin 1 on the other, as it was in a
straight-through cable. Four wires will
"cross over" in a crossover cable:

© Train Signal, Inc., 2002-2007

Local Cable End

Pin 1
Pin 2
Pin 3
Pin 6

Remote Cable End

Pin 3
Pin 6
Pin 1
Pin 2

© Train Signal, Inc., 2002-2007

• Two cables down, one to go! To

connect that laptop directly to a switch,
we've got to be careful of two things:
– Using the right cable
– Connecting the right cable to the right port on
the switch

© Train Signal, Inc., 2002-2007

• The cable we need is a rollover
cable. All eight wires in the cable will
"roll over" to another pin at the remote
end, with the wire on Pin 1 at one end
rolling over to Pin 8 at the other end,
the wire on Pin 2 at one end rolling over
to Pin 7 at the remote end, and so forth.

© Train Signal, Inc., 2002-2007

• You may also need an adapter for your

rollover cable, since one end of the cable is a
DB-9 connector, and few if any of today's
laptops have such a port. You probably do
have USB ports on your laptop, and you can
get an adapter that allows you to connect a
rollover cable to your laptop's USB port from
just about any cable dealer.

© Train Signal, Inc., 2002-2007

• As for the connection to the switch,

you need to make sure you connect the
RJ-45 connector on the other end of the
rollover cable to the Console port of the
switch. I'll drive this point home at
least one more time elsewhere in the

© Train Signal, Inc., 2002-2007

Ethernet / NIC /
Physical / LAN /
BIA Addressing
• You may be thinking "oh, man, that's a lot of
addressing!" Actually, it's not, because these are all
different names for the same thing. The fifth name is
the term you hear most often -- MAC address, short
for Media Access Control.
• The MAC address is used by switches to send
frames to the proper destination, as you'll see in the
LAN Switching section. Before you get to that
section, let's take a look at the format of the MAC

© Train Signal, Inc., 2002-2007

• The entire MAC address is a 48-bit

address that looks a little something
like this:


© Train Signal, Inc., 2002-2007

• That MAC address actually has two

parts, the first being
the Organizationally Unique Identifier
(OUI). The OUI is assigned to hardware
vendors by the Institute of Electrical
and Electronics Engineers (IEEE). A
given OUI is assigned to one and only
one vendor.
© Train Signal, Inc., 2002-2007

• The second half of the MAC address is a
value not yet used by that particular
vendor. Looking at the MAC address
example given earlier, we now know that:
– The OUI is aa-bb-cc
– The vendor has not yet used 11-22-33 with that
particular OUI, so the vendor is doing so now

© Train Signal, Inc., 2002-2007

• The MAC is sometimes called the physical

address because it physically exists on the
network card. The address is burned into the
card, giving it yet another name - the Burned-
In Address (BIA).
• As with IP addresses, we have broadcast and
multicast MAC addresses. It's a good idea to
be able to identify these addresses, and
here's how to do it!

© Train Signal, Inc., 2002-2007

• The broadcast MAC address is the "all-Fs"

address: ff-ff-ff-ff-ff-ff (or FF-FF-FF-FF-FF-FF,
as case does not matter in hexadecimal)
• There is a range of multicast MAC addresses,
and the first half of a multicast MAC address
is always 0100.5e. The second half of a
multicast MAC address will fall in the range
00-00-00 through 7F-FF-FF. Watch that 7! :)

© Train Signal, Inc., 2002-2007

WAN Cabling

• Cisco routers will use serial cables for

connections using their serial
interfaces (typical frame relay)
• In home labs, you may connect Cisco
router serial interfaces directly with a
DTE/DCE cable

© Train Signal, Inc., 2002-2007

Cable Type Review

• Crossover cables are used to connect two

like devices, typically two switches.
• Rollover cables are used to connect a
laptop’s serial port to the router or switch
Console port.
• Straightthrough cables are used to connect a
PC to a switchport.
• Watch the cable types and the cable lengths
– any cable over 100 meters is cause for
© Train Signal, Inc., 2002-2007

Video 3

© Train Signal, Inc., 2002-2007


• Repeaters, Hubs and Bridges

• Building the MAC Table
• “Flood, Filter or Forward?”
• Frame Processing Methods
• Virtual LANs
• Cisco Three-Layer Switching Model
• Introduction to STP
• Basic Switch Security
• Port Security Defaults, Options and Configurations

© Train Signal, Inc., 2002-2007

• With many networking terms, the name is indeed the

recipe, and that's very true of a repeater. A
repeater's job is to repeat an electrical signal, the
form that our data has taken to be sent across a
cable. Remember, "it's all ones and zeroes!"
• The repeater takes an incoming signal and then
generates a new, clean copy of that exact
signal. This prevented maximum cable lengths from
stopping transmissions, and also helped to ward off
attenuation - the gradual weakening of an electric
signal as it travels.
© Train Signal, Inc., 2002-2007

• A hub is basically the same as a repeater, but the

hub will have more ports. That's the only difference
between the two. (Some hubs have greater
capabilities than others, but a "basic" hub is simply
a multiport repeater.)
• Neither hubs nor repeaters have anything to do with
the Data Link layer of the OSI model, nor do they
perform any switching at all. Hubs and repeaters are
strictly Physical layer devices, and that's where the
trouble comes in. For our next example, we'll
consider a hub with four PCs connected to it.
© Train Signal, Inc., 2002-2007

• To prevent this, a host on a shared Ethernet
segment will use CSMA/CD (Carrier Sense
Multiple Access with Collision Detection). To
review, here's the CSMA/CD process:
– A host that wants to send data will first "listen to the
wire", meaning that it checks the shared media to see
if it's in use.
– If the media is in use, the host backs off for a few
milliseconds before checking again.
– If the media is not in use, the host sends the data.
© Train Signal, Inc., 2002-2007

• If two PCs happen to send data at the exact same time, the
voltage on the wire will actually change, indicating to the hosts
that there has been a data collision.
• The two PCs that sent the data will generate a "jam signal",
which indicates to the other hosts on the shared media that
they should not send data due to a collision.
• Those two PCs both invoke a backoff timer, also in
milliseconds. When each host's random timer expires, they will
each begin the entire process again by listening to the
wire. Since the backoff timer value is totally random, it's
unlikely the two hosts will have the same problem again.

© Train Signal, Inc., 2002-2007

• Before we talk about switches, here's

an old joke:
– Q. What's the difference between bridges
and switches?
– A. Marketing.

© Train Signal, Inc., 2002-2007

• Let's review the key concepts of hubs vs. switches.
– With hubs, we've got one big collision domain consisting of all
connected hosts. When hosts are connected to their own switch
ports, they each have their own individual collision domain.
– Hubs only allow one device to transmit at a time, resulting in
shared bandwidth. Switches allow hosts to transmit
– When one host connected to a hub sends a broadcast, every
other host receives that broadcast and there's nothing we can do
about it. When a host connected to a switch sends a broadcast,
every other host receives it by default - but there is something
we can do about that, as you'll see in the VLAN section of this
© Train Signal, Inc., 2002-2007

• Microsegmentation is a term
sometimes used in Cisco
documentation to describe the "one
host, one collision domain" effect of
that last bullet point. It's not a term I
hear a great deal in the field, and you
might not either, but it's a good term to
know for Cisco exams.
© Train Signal, Inc., 2002-2007

• A Cisco switch will do one of three things with an

incoming frame:
– Forward it
– Flood it
– Filter it
• To make this decision, the switch uses its MAC
Address table to check if there's an entry for the
destination MAC address - but first, the switch will
actually check to see if there's an entry for the
source MAC address of the frame, because it's that
source MAC that the switch will use to actually build
the table in the first place!

© Train Signal, Inc., 2002-2007

SW1#show mac-address-table
Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0008.7de9.9800 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 5

© Train Signal, Inc., 2002-2007

SW1#show mac-address-table dynamic

Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 1

© Train Signal, Inc., 2002-2007

• No, so the switch will create one.

SW1#show mac-address-table dynamic

Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1
1 cccc.cccc.cccc DYNAMIC Fa0/2

© Train Signal, Inc., 2002-2007

SW1#show mac-address-table dynamic
Mac Address Table
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1
1 bbbb.bbbb.bbbb DYNAMIC Fa0/1
1 cccc.cccc.cccc DYNAMIC Fa0/2
1 dddd.dddd.dddd DYNAMIC Fa0/3

© Train Signal, Inc., 2002-2007

• We don't get to say "never" in networking

very often, and as you progress in your
studies, you'll learn there's almost always an
exception to the rule in CiscoLand. (That's
what makes it fun, though!) There is no
exception to this particular rule, though:
• Switches never send a frame back out the
same port it came in on.

© Train Signal, Inc., 2002-2007

• Flooding is performed when the switch has no entry for

the frame's destination MAC address. When a frame is
flooded, it is sent out every single port on the switch
except the one it came in on. Unknown unicast frames
are always flooded.
• Forwarding is performed when the switch does have an
entry for the frame's destination MAC
address. Forwarding a frame means the frame is being
sent out only one port on the switch.
• Filtering is performed when the switch has an entry for
both the source and destination MAC address, and the
MAC table indicates that both addresses are found off the
same port.

© Train Signal, Inc., 2002-2007

• There's one other frame type that is
sent out every port on the switch
except the one that received it, and
that's a broadcast frame. Broadcast
frames are intended for all hosts, and
the MAC broadcast address is ff-ff-ff-ff-
ff-ff (or FF-FF-FF-FF-FF-FF, as a MAC
address's case does not matter).
© Train Signal, Inc., 2002-2007

• Now that we've looked at how the MAC table is built,

let's take a look at the different names this table is
– CAM table (short for Content Addressable Memory)
– bridging table
– switching table
– MAC table
• Anytime you see those terms, they're referring to the
MAC address table. Four names for the same
thing? Welcome to networking! ;)

© Train Signal, Inc., 2002-2007

• Once the switch decides whether to forward,

filter, or flood the frame, there's one more
decision to be made - what processing
method will be used to handle this
• The processing options are:
– store-and-forward
– cut-through
– fragment-free

© Train Signal, Inc., 2002-2007

• This continual generation of new
broadcasts is called a broadcast storm,
and this is one storm that can sink your
switch for good.
• A broadcast storm can overwhelm a
switch's memory and CPU capabilities,
rendering the switch virtually useless.
© Train Signal, Inc., 2002-2007

• To illustrate how Virtual LANs can help limit

broadcast propagation, we'll assign an IP
address to each one of our hosts and then
take a look at the default Cisco switch
settings for VLANs. The circle(s) will
continue to illustrate the broadcast
domain(s). The numbers on the switch
indicate the switch port that's connected to
that host.

© Train Signal, Inc., 2002-2007

• It's vital to remember that no traffic -

pings or data packets - can be sent
from one VLAN to another without the
intervention of a Layer 3 device, most
likely a router.

© Train Signal, Inc., 2002-2007

• The first time you hear the term "campus network"
or "campus LAN", the word "campus" may suggest
a university or a school of some kind. While such a
school may well have a campus LAN, that term is
used to describe any network that connects multiple
buildings that are physically close to each other.
• The Cisco switching model consists of three layers:
– Access
– Distribution
– Core

© Train Signal, Inc., 2002-2007

• Cisco switches use the Spanning Tree

Protocol (STP) to prevent switching loops,
and luckily, STP is enabled by default. You'll
learn much more about STP in your CCNA
studies, but you need to know its basics
now. STP will determine a loop-free path for
frames, and ports that are not on that path
will be placed into blocking mode.

© Train Signal, Inc., 2002-2007

• The first one is about as basic as it gets. Lock up

your switches - preferably more than once!
• No casual passerby should even know your switches
exist, much less be able to yank a cable out just for
the fun of it. Many server rooms have passcard
systems or at least a locked door, but occasionally I
still see a server room that's relying on the kindness
of strangers.
• Don't do that!

© Train Signal, Inc., 2002-2007

• Unused VLANs - An Often Overlooked Security
• We spoke about VLANs at length earlier in this
section, but you can also use an unused VLAN as a
security feature.
• Cisco switch ports on many models have some
undesirable defaults:
– They're open, where router interfaces are shut by default
– They're actively attempting to trunk, meaning they are available
for connection to another switch
– All ports are in VLAN 1, and everyone knows that

© Train Signal, Inc., 2002-2007

• These are not desirable defaults when it

comes to unused ports on a switch. From
top to bottom, here's how we can change
those defaults to increase switch security:
– Close unused ports with the shutdown command
– Prevent the port from trunking with the switchport
mode access command
– Place the port into an unused VLAN

© Train Signal, Inc., 2002-2007

• As usual, the switch will first inspect the

source MAC address of an incoming
frame. If the incoming source MAC address
is considered secure, the user will be able to
access the network. If the source MAC is
considered non-secure, the port will take one
of several actions - more on that in a
moment. The source MAC address of the
incoming frame really acts as a password.

© Train Signal, Inc., 2002-2007

• aging allows you to set aging options
for secure MAC addresses.
• mac-address allows you to specify
secure MAC addresses.
• maximum allows you to specify how
many secure MAC addresses there will
be. The default is one.
© Train Signal, Inc., 2002-2007

• violation allows you to specify what should happen if

a non-secure source MAC address is received on the
port. Those options are:

SW2(config-if)#switchport port-security
violation ?
protect Security violation protect mode
restrict Security violation restrict mode
shutdown Security violation shutdown mode

© Train Signal, Inc., 2002-2007

• The default mode is shutdown, and this mode shuts

the port down, transmits a message to the log
indicating the action taken, and drops the violating
frames. The interface status will be err-disabled,
(short for error-disabled) meaning it must be
manually reopened.
• restrict drops the violating frames and transmits a
message to the log indicating an issue, but does not
shut the port down.
• protect simply drops the violating frames.

© Train Signal, Inc., 2002-2007

• To configure the port to shut down if a frame is
received with any source MAC address other than
bb-bb-bb-bb-bb-bb, we'd use the following config:

SW2(config)#int fast 0/3

SW2(config-if)#switchport mode access
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security mac-
address bbbb.bbbb.bbbb

© Train Signal, Inc., 2002-2007

• There's always a chance that you don't know the

source MAC address that should act as the secure
address. If you configure the port with sticky port
security (don't blame me, I didn't name it!), the first
source MAC address learned on the port will be the
secure address, and all others will be non-secure
unless you use the maximum option to change that.

SW2(config-if)#switchport port-security mac-

address sticky

© Train Signal, Inc., 2002-2007

• The command show port-security

interface fast0/3 verifies that port
security is running, the port status,
violation mode, the number of
secure MAC addresses, and even
the last source address of the last
frame received!
© Train Signal, Inc., 2002-2007

SW2#show port-security int fast 0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 00d0.58ad.4d51
Security Violation Count : 0

© Train Signal, Inc., 2002-2007

• That sticky MAC address will also appear in the


interface FastEthernet0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky

© Train Signal, Inc., 2002-2007

• To illustrate what happens when a non-

secure address hits that port, I've
disconnected the host with the learned
secure sticky address and replaced it with
another host. What's the result?

SW2#show int fast 0/3

FastEthernet0/3 is down, line
protocol is down (err-disabled)
© Train Signal, Inc., 2002-2007

• An err-disabled port! When you see
err-disabled next to the line protocol
message, that means that an error of
some kind has shut that port down. In
this case, that's the result of a non-
secure MAC address hitting a port that
had already learned another address as
© Train Signal, Inc., 2002-2007

• A couple of important points regarding

err-disabled ports:
– The port LED will go dark
– The port must be manually reopened with the
no shutdown command

© Train Signal, Inc., 2002-2007

• The reason for the port shutdown can

be verified with show port-security
interface. The port status is "Secure-
shutdown", the violation mode is in the
default of shutdown, and note that the
last source address shown is not the
one we saw earlier - that's the reason
the port shut down.
© Train Signal, Inc., 2002-2007

SW2#show port-security int fast 0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 0010.7b39.c5e9
Security Violation Count : 1

© Train Signal, Inc., 2002-2007

• If we want both this address and the

previous one to be secure, we can
change the port-security maximum
value to 2 and then reopen the port.

© Train Signal, Inc., 2002-2007

SW2(config-if)#switchport port-security maximum 2

SW2(config)#int fast 0/3
SW2(config-if)#no shutdown

4d10h: %LINK-5-CHANGED: Interface FastEthernet0/3, changed state

to administratively down
4d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state
to down
4d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state
to up
4d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/3, changed state to up

© Train Signal, Inc., 2002-2007

• Verify the interface is indeed back up
with show interface:
SW2#show int fast 0/3
FastEthernet0/3 is up, line
protocol is up (connected)

© Train Signal, Inc., 2002-2007

• Verify the changes to the port security scheme:

SW2#show port-security int fast 0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address : 0010.7b39.c5e9
Security Violation Count : 0

© Train Signal, Inc., 2002-2007

Video 4
Common Router and Switch

© Train Signal, Inc., 2002-2007

Common Router
and Switch
• Physical Connections and Passwords
• Telnet And SSH
• User, Enable and Privilege Modes
• Enable Password vs. Enable Secret
• “privilege level 15”
• Physical Side of Cisco Switches
• Assigning an IP Address and Default Gateway To The Switch
• Speed, Duplex, and “Interface Range”
• Banners, “logging synch”, and “exec-timeout”
• Keystroke Shortcuts and Manipulating History

© Train Signal, Inc., 2002-2007

• What I'm about to say is probably a little

more true of a router than a switch, but there
are two "problems" with the initial
configuration of a Cisco device:
– Some features that you do want to use will not be
– Some features that you might not want to have
running will be running by default

© Train Signal, Inc., 2002-2007

line con 0
line vty 0 4
line vty 5 15
• This small, seemingly insignificant portion of the switch
configuration actually determines what passwords a user must
enter in order to connect to the switch successfully. When you
do connect to a Cisco switch, you're going to do so in one of
two ways:
– By physically connecting a laptop to the switch
– By logically connecting from a remote location via Telnet or SSH

© Train Signal, Inc., 2002-2007

• For a physical connection, you're going to
need a rollover cable. This is typically a blue
cable with an RJ-45 connector on one end
and a DB-9 connector on the other end. The
RJ-45 connector snaps into the Console port
of the switch or router, and the DB-9
connector connects to your laptop -- maybe!

© Train Signal, Inc., 2002-2007

• Did you notice that we were not prompted for a password

when connecting through the console port? That means
that anyone with a laptop and a rollover cable can
connect successfully to this switch - and we might not
want that! Let's take another look at the password
portion of our switch's configuration:

line con 0
line vty 0 4
line vty 5 15

© Train Signal, Inc., 2002-2007

• To protect the switch's console port, it's the

"line con 0" we need to be concerned with. If
we're going to use a single password to
protect the console port, we'll actually need
two commands:
– the password command (the one everyone
– the login command (the one a lot of people forget -
except you!)
© Train Signal, Inc., 2002-2007

• To review the methods available to
connect to a Cisco router:
– Physically connecting a laptop to the Console
– Connecting from a remote location via Telnet
or SSH

© Train Signal, Inc., 2002-2007

• We're going to telnet from one Cisco router

to another in this example, but there is one
major rule that holds true for any Telnet
configuration on a Cisco router or switch:
• You must configure a password on the VTY
lines. Without a password on the VTY lines,
no user will be able to telnet to a Cisco router
or switch!

© Train Signal, Inc., 2002-2007

User, Enable, And

Privilege Modes

• When you first connect to a Cisco

router or switch via Telnet or SSH, by
default you're going to be placed into
user exec mode. This mode is
indicated by the ">" symbol after the
device name.

© Train Signal, Inc., 2002-2007

• To configure the router, we need to go to the
next level, privileged EXEC mode (generally
called "enable mode"). To get there, we need
to enter the enable command in user exec
mode. The prompt should change slightly...


© Train Signal, Inc., 2002-2007

• Using an enable mode password is

optional - unless you have users
connecting via Telnet. (Thought I had
forgotten about the Telnet discussion,
didn't you? We're getting back to that
in just a minute!)

© Train Signal, Inc., 2002-2007

• To recap
– No password is required for connecting to the router
via the Console port, but it's recommended that you
configure one.
– A password on the VTY lines is required to allow
Telnet or SSH users to connect.
– For Telnet and SSH users to access enable mode,
either an enable password must be configured OR
the following command must be configured on the
VTY lines.

© Train Signal, Inc., 2002-2007

• You may want incoming Telnet users to
be placed directly into privileged exec
mode without being prompted for
an enable password To do so,
configure the privilege level 15
command on the VTY lines of the router
or switch allowing the connections.

© Train Signal, Inc., 2002-2007

What's So Secure
About Secure

• Telnet's a great way to communicate

remotely with routers and switches, but
there's a problem - all of the data sent to the
remote host, including passwords, is
transmitted in clear text. Any would-be
network intruder who intercepts the
password transmission can then easily enter
the network via Telnet, and then we're in real

© Train Signal, Inc., 2002-2007

• With SSH, we need to create a username / password

database. it sounds complex, but it's not. I'll show
you how to create one on a Cisco switch in just a
moment. We could also set up an AAA server
(Authentication, Authorization, and Accounting) that
would handle authentication. Setting up an AAA
server is out of the scope of the CCENT and CCNA
exams, but you should know the commands for
setting up a Cisco switch to perform authentication
via a local username/password database.

© Train Signal, Inc., 2002-2007

• We could use the username/password command to
create a database strictly for Telnet if we wanted to,
and the login local command would have the same
effect. Where the Telnet and SSH configuration
differ is that the SSH config requires the following
where Telnet does not:
– A domain name must be specified with the ip domain-name
– A crypto key must be created with the crypto key generate rsa

© Train Signal, Inc., 2002-2007

• Green always means "good"

• Amber indicates a problem if it doesn't
go away in a few seconds
• If a host is connected to a switch port
and the LED is dark, that's usually
really bad

© Train Signal, Inc., 2002-2007

• SYST, short for system. Green means the switch is

on, no light means it isn't. :)
• If you see SYST go amber, that indicates a failed
Power-On Self Test (POST), and you'll get a message
indicating the reason for that failure in the console
output. A failed POST indicates a serious problem
with the switch, and the switch will not even attempt
to load an IOS. A typical POST problem is a broken
fan - if you have no ventilation inside the switch,
there's no reason for the switch to power up!

© Train Signal, Inc., 2002-2007

• RPS (Redundant Power Supply). Green
indicates that the RPS is functioning
• STAT, short for status. When this is green,
the port status lights are operational.
• DUPLEX, where green indicates a full-duplex
port and an "off" light indicates a half-duplex
© Train Signal, Inc., 2002-2007

• SPEED, where solid green indicates a 100 MBPS

port, off indicates a 10 MBPS port, and flashing
green indicates a Gigabit Ethernet port (1000 MBPS)
Each individual port will have an LED as well.
• When you first connect a host's cable to a switch
port, you should see it go amber for a few seconds
while the speed and duplex are negotiated. If all
goes well, the LED goes green. If the light stays
amber, there's a problem with a setting on either the
host or the switch that needs to be resolved. (Really
narrows it down, eh?)
© Train Signal, Inc., 2002-2007

• There's one other common issue that a lack

of LEDs can help you track down very
quickly. In the cabling section, I mentioned
that crossover cables are used to connect
two switches to create a trunk. When you
connect two Cisco switches with a crossover
cable, you should see the lights go amber for
just a few seconds and then go green. If you
don't see any lights for a few seconds, you
can stop waiting - you're using
straightthrough cables by mistake!
© Train Signal, Inc., 2002-2007

So What Are Those
"logging synchronous"
and "exec-timeout 0 0"
Commands, Anyway?

• You might have noticed these two commands on the console


line con 0
exec-timeout 0 0
logging synchronous

• I've been recommending these commands for years to CCNA

and CCNP candidates putting their own home labs together,
but they can come in handy on the job as well. Let's take these
commands one at a time, starting with the logging
synchronous command.

© Train Signal, Inc., 2002-2007

R1(config)#int s0
R1(config-if)#no shut
R1#so here i am
4d04h: %SYS-5-CONFIG_I: Configured from
console by consoletyp
4d04h: %LINK-3-UPDOWN: Interface Serial0,
changed state to uping and
4d04h: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial0, changed state to upi've
been interrupted quite badly!
4d04h: %LINEPROTO-5-UPDOWN: Line protocol on
Interface Serial0, changed state to down
© Train Signal, Inc., 2002-2007

• By configuring the logging

synchronous command on the console
port, you're telling the router to hold
such messages until it detects no input
from the keyboard and no other output
from the router, such as a show
command's output.

© Train Signal, Inc., 2002-2007

• One of my favorites is the up arrow,
which will show you the last command you
entered. If you continue to hit the up arrow,
you'll continue to go through the command
history. <CTRL-P> does the same thing.
• As you might expect, the down arrow brings
you one command up in the command
history. It's a good key to use when you use
the up arrow too fast. :) < CTRL - N > does
the same thing.

© Train Signal, Inc., 2002-2007

• < CTRL - A > takes the cursor all the way to

the front of your current command; < CTRL -
E > takes the cursor all the way to the end of
your current command.
• Want to move around on a per-character
basis in your current command without
deleting characters? Use the left arrow or <
CTRL - B > to move backward one character,
and use the right arrow or < CTRL - F > to
move forward one character.

© Train Signal, Inc., 2002-2007

• <CTRL - D > deletes one character. You can

do the same thing with the BACKSPACE key.

• < ESC - B > moves back one word in the

current command.

• < ESC - F > moves forward one word in the

current command.
© Train Signal, Inc., 2002-2007

Video 5
IP Addressing And The
Routing Process

© Train Signal, Inc., 2002-2007

IP Addressing and
the Routing

• IP Addressing and Binary Conversions

• IP Address Classes
• Private IP Address Ranges
• Intro to the Routing Process
• Keeping Subnets On One “Side” of the

© Train Signal, Inc., 2002-2007

• If you've worked as a network admin for any length

of time, you're already familiar with IP
addresses. Every PC on a network will have one, as
will other devices such as printers. The term for a
network device with an IP address is host, and I'll try
to use that term as often as possible to get you used
to it!
• The PC...err, the host I'm creating this document on
has an IP address, shown here with the Microsoft
command ipconfig.

© Train Signal, Inc., 2002-2007

• First, we'll convert the IP address to a binary string. The
format that we're used to seeing IP
addresses take - like the
shown here - is often called a dotted
decimal address, since the values are
in decimal and there are dots
separating the decimals. (Clever, eh?)
© Train Signal, Inc., 2002-2007

• If you know the basics of binary and

decimal conversions, AND practice
these skills diligently, you can answer
any subnetting question Cisco asks

© Train Signal, Inc., 2002-2007

• I'll go ahead and show you the entire binary

string for the IP address below,
and the subnet mask is expressed in binary
directly below it. = 11000000 10101000 00000001 01100100 = 11111111 11111111 11111111 00000000

© Train Signal, Inc., 2002-2007

• Way back in the ancient times of technology -
September 1981, to be exact - IP address classes
were defined in RFC 791. If you'd like to read the
actual RFC, you can find it quickly using that number
and your favorite search engine.
• RFCs are Requests For Comments, which are
technical proposals and/or documentation. Not
always exciting, but it's well worth reading the RFC
that deals with the subject you're
studying. Advanced technical exams occasionally
like to ask about RFC numbers for a particular
protocol or network service

© Train Signal, Inc., 2002-2007

• To earn your CCENT and CCNA

certifications, you've got to know these
address classes and be able to identify what
class an IP address belongs to. Here are the
three ranges of addresses that can be
assigned to hosts:
– Class A: 1 - 126
– Class B: 128 - 191
– Class C: 192 - 223

© Train Signal, Inc., 2002-2007

• The following classes are reserved and

cannot be assigned to hosts:
– Class D: 224 - 239. Reserved for multicasting, a topic
not covered on the CCENT or CCNA exams.
– Class E: 240 - 255. Reserved for future use, also
called "experimental addresses".
– Any address with a first octet of 127 is reserved for
loopback interfaces. This range is *not* for Cisco
router loopback interfaces, though.

© Train Signal, Inc., 2002-2007

• Class A:
– Default network mask:
– Default number of network bits: 8
– Default number of host bits: 24
• Class B:
– Default network mask:
– Default number of network bits: 16
– Default number of host bits: 16
• Class C:
– Default network mask:
– Default number of network bits: 24
– Default number of host bits: 8
© Train Signal, Inc., 2002-2007

• We worked just a bit with the network and host bits

earlier in this section, and we're going to work with
them a lot more in the subnetting sections later in
the course. For now, make sure that you know....
– How to identify the class of an IP address
– Which addresses can be assigned to hosts (Class A, B, C)
– Which addresses cannot be assigned to hosts (Class D, E, any
address beginning with 127)
– The default network mask, network bits, and host bits for Class
A, B, and C addresses

© Train Signal, Inc., 2002-2007

• Address classes A, B, and C all have their

own reserved range of addresses. You
should be able to recognize an address from
any of these ranges immediately.
– Class A: -
– Class B: -
– Class C: -
• RFC 1918 Private Addresses

© Train Signal, Inc., 2002-2007

• You should be ready to identify those ranges
in that format, or with the dotted decimal
masks, or with prefix notation. More about
prefix notation later in this section.
– Class A:, or /8
– Class B:, or /12
– Class C:, or /16

© Train Signal, Inc., 2002-2007

• Let's take another look at a PC's ipconfig output.

Windows IP Configuration
Ethernet adapter Local Area Connection:
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
© Train Signal, Inc., 2002-2007

• When this host is ready to send data,

there are two and only two
– The destination IP address is on the network
– It's on another network

© Train Signal, Inc., 2002-2007

• If the destination is on the same subnet as
the host, the packet's destination IP address
will be that of the destination host. In the
following example, this PC is sending
packets to, a host on the same
subnet, so there is no need for the router to
get involved. In effect, those packets go
straight to

© Train Signal, Inc., 2002-2007

• If wants to send packets to the

host at, the sending host knows it's
not on the same subnet as In that
case, the host will send the packets to its
default gateway - in this case, the router's
ethernet0 interface. The host is basically
saying "I have no idea where this address is,
so I'll send it to my default gateway and let
that device figure it out."

© Train Signal, Inc., 2002-2007

• When a router receives a packet, there are

three possibilities regarding its destination:
– Destined for a directly connected network
– Destined for a non-directly connected network that
the router has an entry for in its routing table
– Destined for a non-directly connected network that
the router does not have an entry for

© Train Signal, Inc., 2002-2007

R1#show ip route
Codes: C - connected, S - static
Gateway of last resort is not set
C is directly connected, Ethernet1
C is directly connected, Ethernet0

© Train Signal, Inc., 2002-2007

• Also note that you don't see the mask expressed as

"" - you see it as "/8" instead. This is called
prefix notation, and the number simply represents
the number of 1s at the beginning of the network
mask when it's expressed in binary. That "/8" is
pronounced "slash eight". =
binary string 11111111 00000000 00000000 00000000 = /8

© Train Signal, Inc., 2002-2007

R1#show ip route
Codes: C - connected, S - static
Gateway of last resort is not set
C is directly connected, Ethernet1
C is directly connected, Ethernet0

© Train Signal, Inc., 2002-2007

• Static routes are created with the ip
route command.

R1(config)#ip route ethernet1

© Train Signal, Inc., 2002-2007

• The routing table now displays a route for

the /8 network. The letter "S"
indicates a static route.
R1#show ip route
Codes: C - connected, S - static
C is directly connected, Ethernet1
C is directly connected, Ethernet0
S is directly connected, Ethernet1

© Train Signal, Inc., 2002-2007

Video 6

© Train Signal, Inc., 2002-2007

ARP, DNS and

• One Destination, Two Destination Addresses

• The ARP Process
• Routers, Broadcasts, and Proxy ARP
• The DHCP Process
• Configuring DHCP on a Cisco Router With

© Train Signal, Inc., 2002-2007

• As network admins, we spend a lot of

time concerning ourselves with IP
addresses - assigning them, filtering
them, etc. We don't think about MAC
addresses that often, but data going
from Host A to Host B must have a
destination IP address for Host B and a
destination MAC address as well.
© Train Signal, Inc., 2002-2007

• To get these two required destination addresses,

Host A will use two separate protocols:
– Domain Name System (DNS) for the IP address
– Address Resolution Protocol (ARP) for the MAC address
• Host A will require the IP address first, since it must
know the IP address of the remote host in order for
the ARP process to work properly. Let's take a quick
look at the DNS process.

© Train Signal, Inc., 2002-2007

• Host A will know the computer name of Host
B - for this discussion we'll assume that
name to be "hostb". Now it needs an IP
address and a MAC address for that
hostname, and DNS will help it get that IP
address. The DNS process is very
simple. Each host will have the IP address of
a DNS server, and a host needing the IP
address of another host will send a DNS
Request to the DNS server.

© Train Signal, Inc., 2002-2007

• The natural question is "How does Host A

know the IP address of the DNS server in the
first place?" That happens in one of two
– The DNS server address is hard-coded on Host A
– The DNS server address was learned via DHCP
• We're going to take a look at DHCP later in
this section, but here's the partial output of
ipconfig /all on a Windows PC using DHCP.
The DNS server IP addresses are in bold.

© Train Signal, Inc., 2002-2007

C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . :
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82562V 10/100 Network
Physical Address. . . . . . . . . :
Dhcp Enabled. . . . . . . . . . .
Yes :
Autoconfiguration Enabled . . . .
Yes :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
Lease Obtained. . . . . . . . . . : Monday, October 08, 7:23:17 AM
Lease Expires . . . . . . . . . . : Tuesday, October 09, 7:23:17 AM

© Train Signal, Inc., 2002-2007

• In our current network, we have a DNS
server that took care of the hostname-
IP address resolution, but now we need
the MAC address of Host B, and there
is no ARP server on the
network. Instead, the ARP process
uses a series of broadcasts and replies.

© Train Signal, Inc., 2002-2007

• Host A is the host needing a MAC address of

a remote device, so it'll be Host A that sends
out the initial ARP Request. This request is a
Layer 2 broadcast, meaning....
– The source MAC address will be that of Host A
– The destination MAC address will be ff-ff-ff-ff-ff-ff
– The source IP address will be that of Host A
– The destination IP address will be that of Host B
(learned via DNS)

© Train Signal, Inc., 2002-2007

• As network admins, we're always interested in limiting the

number of broadcasts on our network. Along those lines,
hosts build ARP caches that they consult before sending out
ARP Requests. These caches contain an IP address - MAC
address mapping table such as the one shown here on a
Windows PC with the command arp -a :

C:\>arp -a

Internet Address Physical Address Type bb-bb-bb-bb-bb-bb dynamic

© Train Signal, Inc., 2002-2007

• After learning Host B's IP and MAC
addresses (MAC addresses are also called
"physical addresses" because they
physically exist on the network card), Host A
would enter them into its ARP cache. The
next time Host A needs to send data to Host
B, the information needed to do so is right
there in the ARP cache and no ARP Request
needs to be sent.

© Train Signal, Inc., 2002-2007

• In that example, all of the devices were

on the same physical cable. That's
good for an example, but more likely
we're going to have something like this:

© Train Signal, Inc., 2002-2007

• The switch does not impact the ARP process

at all. Why? Because switches forward
broadcasts, and that's just what the ARP
Request is as indicated by its destination
MAC address of ff-ff-ff-ff-ff-ff. The switch will
send a copy of that ARP Request out every
single port except the one it came in on.

© Train Signal, Inc., 2002-2007

• If Host A sends an ARP Request for Host B's
MAC address, we know the switch will
forward it, because switches forward
broadcasts. The problem comes in with the
router, because routers do not forward
broadcasts. Instead, the router will use
proxy ARP to answer the ARP Request with
the MAC address of the router interface that
received the original Request.

© Train Signal, Inc., 2002-2007

• Interestingly enough, Host A has no idea that

the MAC address it received in the ARP
Response is actually not that of Host B, but
rather that of the Ethernet0 interface of the
router. All Host A knows is that it sent an
ARP Request and got a Response. Now
when Host A sends data to Host B, the data
will have the following destinations:
– IP destination address is Host B's IP address
– MAC destination address is the one assigned to the
router's E0 interface
© Train Signal, Inc., 2002-2007

• There are also other forms of ARP that

operate in today's networks, such as
Reverse ARP and Inverse ARP. Those are not
protocols you need to know for your CCENT
studies -- you'll see them during your CCNA
studies. For now, and for the CCENT exam,
make sure you know how ARP operates,
what it does, and when proxy ARP needs to
be used - and that's when there is a router
between the two involved hosts.

© Train Signal, Inc., 2002-2007

• A host's ability to send data to all the
required destinations requires quite a bit of
information. The host needs to know the
following at a minimum...
– What's my IP address?
– What's my network mask?
– What are the IP addresses of the DNS servers?
– What's my default gateway?

© Train Signal, Inc., 2002-2007

• How do we get all of this information to and

on our network hosts? We've got two
– Visit each workstation and configure the information
– Enable each workstation for DHCP
• And sooner or later, some of that information
is going to change and the hosts will need to
know about these changes.

© Train Signal, Inc., 2002-2007

• If you previously hard coded the information on all of

the hosts, you'll now have to go out and visit every
workstation again and change the information
• If you used DHCP to begin with, you now just have to
change the information on the DHCP server.
• DHCP is starting to sound pretty good! When the
choice is visiting the hundreds or thousands of
hosts on a typical network manually or using DHCP
to dynamically handle IP address assignment
information, there really is no choice.
© Train Signal, Inc., 2002-2007

• There are four basic steps that allow a
host (the DHCP Client) to acquire all of
this information from a DHCP
Server. The Client begins the process
by sending a DHCP Discover message
out. This message is a broadcast, so it
will not be forwarded by routers.

© Train Signal, Inc., 2002-2007

• Any DHCP Server that receives that message

will respond with a DHCP Offer. The Offer
contains the following:
– The IP address the DHCP Server is offering to the
– The network mask the DHCP Server is offering to the
– The amount of time the Client can keep this
information if the Offer is accepted (the lease)
– The IP address of the DHCP Server that is making
the offer

© Train Signal, Inc., 2002-2007

• Since the original DHCP Discovery sent by the host

is a broadcast, more than one DHCP Server may see
it and respond with an Offer, as shown above. In
this case, the host will respond to the first Offer it
receives with a DHCP Request.
• The Request has the IP address of the DHCP Server
that sent the accepted Offer. When the other DHCP
Server(s) see that their Offer was not accepted, they
put the offered IP address back into their address
pools. This DHCP Request is also a broadcast.

© Train Signal, Inc., 2002-2007

• You can see the IP address a host has
been assigned, along with the lease
length and other information, with
ipconfig /all. You can verify that the
host is running DHCP with this
command as well.

© Train Signal, Inc., 2002-2007

C:\>ipconfig /all

Network Connection
Physical Address. . . . . . . . . :
Dhcp Enabled. . . . . . . . .Yes. . :
Autoconfiguration Enabled . .Yes. . :
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . .
DHCP Server . . . . . . . . . . .
DNS Servers . . . . . . . . . . .
Lease Obtained. . . . . .. : Monday, October 08, 200x 7:23:17 AM
Lease Expires . . . .. . . : Tuesday, October 09, 200x 7:23:17 AM

© Train Signal, Inc., 2002-2007

• Many Cisco router models can be configured to

operate as DHCP servers. On some models, we're
limited to using the command-line interface to write
the DHCP config, and I'll be the first to say that can
be little tricky. Cisco is making a big push toward
GUI-based tools, and the GUI we'll look at here is the
Security Device Manager (SDM). This tool makes
DHCP configurations a breeze!
• In this lab, we'll use SDM to configure a Cisco router
as a DHCP server, and then test that configuration.

© Train Signal, Inc., 2002-2007

Video 7
Memory Components And
Config Files

© Train Signal, Inc., 2002-2007

Components And
Config Files

• ROM, RAM, NVRAM, And Flash

• The Boot Process
• Setup Mode
• Startup And Running Configuration Files
• The COPY Command
• IOS Upgrading
• The Configuration Register

© Train Signal, Inc., 2002-2007

• ROM: Read-Only Memory. ROM stores the

router’s bootstrap startup program,
operating system software, and power-on
diagnostic test programs (POST).
• Flash Memory: Generally referred to simply
as “flash”, the IOS images are held
here. Flash is erasable and reprogrammable
ROM. Flash memory content is retained by
the router on reload.

© Train Signal, Inc., 2002-2007

• RAM: Random-Access Memory. Stores operational
information such as routing tables and the running
configuration file. RAM contents are lost when the
router is powered down or reloaded. By default,
routers look here first for an Internetwork Operating
System (IOS) file during boot.
• NVRAM: Non-volatile RAM. NVRAM holds the
router’s startup configuration file. NVRAM contents
are not lost when the router is powered down or

© Train Signal, Inc., 2002-2007

• Some important comparisons:

– RAM contents are lost on reload, where NVRAM and
Flash contents are not.
– NVRAM holds the startup configuration file, where
RAM holds the running configuration file.
• We'll talk about the startup and running
configuration files later in this section. Let's
take a look at the boot process of a Cisco
router, and then talk about the dreaded Setup

© Train Signal, Inc., 2002-2007

• When a Cisco router powers up, it first

runs a series of POSTs (Power-On Self
Test). A POST is a series of diagnostic
tests designed to verify the basic
operation of the network interfaces,
memory, and the CPU.

© Train Signal, Inc., 2002-2007

• POSTs are particularly effective at detecting
major problems early in the boot
process, such as a broken fan. If the POST
detects such a problem (usually called an
"environmental factor") that would cause the
router or switch to overheat after booting,
the POST will fail, give you a clear message
as to why the POST failed, and will then stop
the boot process.
• But let's speak positively here!

© Train Signal, Inc., 2002-2007

• After the router passes the POST, it looks for a

source from which to load a valid Internetwork
Operating System (IOS) image. The router has three
sources from which it can load an IOS image, and
it's a good idea to know these sources and the
order in which the router will look in each for that
1. Flash memory (the default).
2. A TFTP server. (Trivial File Transfer Protocol)
3. Read-Only Memory (ROM)

© Train Signal, Inc., 2002-2007

• To change that order, a change must be made to the

configuration register. It's similar to the Microsoft
Registry in that you should never change this value
unless you are sure of the result.
• Once the IOS is found, the router looks for a valid
startup configuration file. By default, the router will
look for the startup configuration file in Non-volatile
RAM (NVRAM). If there's no startup file there, the
router looks for a TFTP Server that has a startup file.

© Train Signal, Inc., 2002-2007

• If no valid startup configuration file is
found, the router enters setup mode,
where the router runs the system
configuration dialogue, a series of
questions involving basic router setup.

© Train Signal, Inc., 2002-2007

• Believe it or not, when you take a Cisco router or

switch out of the box and boot it up for the first time,
it's dumber than a bag of rocks.
• Well, not quite. It's not dumb, you just haven't told it
anything yet. A router doesn't magically know what
IP addresses you want to assign to its interfaces,
what security features you do and do not want to
run, or any of your other preferences! We've got two
ways to tell it these things:
– Setup Mode
– Manually configuring all of this information at the Command-Line
Interface (CLI)

© Train Signal, Inc., 2002-2007

• We actually have two configuration

files running on a router at any time,
the startup-config and running-config
files. Most of the time they're the same
thing, but there is an important
difference between the two when
you've configured the router but have
not yet saved that new configuration.
© Train Signal, Inc., 2002-2007

• As you go through your Cisco studies
and your Cisco career, you'll use the
copy command more often than you
might think. It's a good idea to
remember the command syntax:
– The first location is where you're copying from
– The second location is where you're copying

© Train Signal, Inc., 2002-2007

• You can see that the commands copy run

start and copy start run are going to have
vastly different meanings. That's good to
keep in mind for both your exams and
working on production networks!
– copy run start -- Copying the running config over the
startup config
– copy start run -- Copying the startup config over the
running config
© Train Signal, Inc., 2002-2007

• And why would you ever need them? I've

seen three different situations where these
backups came in handy. In order of
– Network attackers changing or deleting the config
– An honest mistake made by a network admin
– Just as any file can become corrupt over time, so can
a startup-config file

© Train Signal, Inc., 2002-2007

• On occasion, the trickiest part of changing a router's
IOS image is actually getting the image you
want! You can download new IOSes from Cisco's
website, but a Cisco Connection Online (CCO) login
is not enough. The rules change as to who can and
cannot download IOS images, so I won't list those
rules here, but you can find out quickly by searching
Cisco's site. Just keep in mind that you can't just go
out to Cisco's website to download the latest IOS
image for your router on a whim.

© Train Signal, Inc., 2002-2007

• If you have to perform an IOS upgrade,

you might be tempted to do so
remotely rather than physically visit the
client site - until you see the following
warning! I've telnetted into a router and
issued the copy tftp flash command,
and that means we're copying from a
TFTP server to the router's Flash.
© Train Signal, Inc., 2002-2007

• Here's the warning I received, and I've bolded the very, very
important part:
BRYANT_AS_5#copy tftp flash
**** NOTICE ****
Flash load helper v1.0
This process will accept the copy options and then terminate
the current system image to use the ROM based image for the copy.
Routing functionality will not be available during that time.
If you are logged in via telnet, this connection will terminate.
Users with console access can see the results of the copy
---- ******** ----
[There are active users logged into the system]
Proceed? [confirm]

© Train Signal, Inc., 2002-2007

• As the new IOS is loaded, you'll see a
series of exclamation points. It looks
like a massive ping, as you can end up
with screens of "!". If those
exclamation points stop for a few
seconds, that's okay, but if they stop
and don't restart, there's a problem with
the copy.
© Train Signal, Inc., 2002-2007

• Once you do finish copying the new IOS to

Flash, this is one of the rare occasions where
you have to reload the router for the change
to take effect. Before copying to Flash,
though, run show flash to see how much
room you have left in Flash! The following
output indicates that we don't have much
room left on this particular router, so
copying a new IOS image to this router
without deleting the current one is just about
© Train Signal, Inc., 2002-2007

• This has always been an awkward subject for me to

teach and write about, because I feel like I'm
teaching you something and then telling you never
to use the knowledge!
• One day, you will have to change the config register,
most likely to perform a password recovery. I will
just give this warning one time: If you change the
register to an incorrect value and then reload the
router, you can cripple the router and even Cisco
can't bring it back.

© Train Signal, Inc., 2002-2007

• To review these common configuration
register settings:
– 0x2102: The default. Router looks for a
startup configuration file in NVRAM and for a
valid IOS image in Flash.
– 0x2142: NVRAM contents are bypassed,
startup configuration is ignored.
– 0x2100: Router boots into ROM Monitor
© Train Signal, Inc., 2002-2007

• A real-world reminder: When you

change the configuration register value
to perform password recovery, don't
forget to change it back and then
reload the router!

© Train Signal, Inc., 2002-2007

Video 8
Intro to Wireless Networks

© Train Signal, Inc., 2002-2007

Intro to Wireless
Networks (WLANs)

• Wireless Network Types

• Standards and Ranges
• Spread Spectrum
• Antenna Types
• CA vs. CD
• SSIDs and MAC Address Authentication
• WEP, WPA, and WPA2

© Train Signal, Inc., 2002-2007

• Wireless networks are created by configuring

Wireless Access Points (WAP or AP, depending on
documentation). If you're connecting to the Internet
or your company's network from a hotel or
restaurant, you're connected to a lily pad network.
• Unlike the physical networks we've discussed
previously in this course, the WAPs in a lily pad
network can be owned by different companies. The
WAPs create hotspots where Internet access is
available to anyone with a wireless host - and
hopefully, a username and password is required as

© Train Signal, Inc., 2002-2007

• WAPs are not required to create a

wireless network. In an ad hoc WLAN
("wireless LAN"), the wireless devices
communicate with no WAP involved.
Ad hoc networks are also called
Independent Basic Service Sets (iBSS
or IBSS, depending on whose
documentation you're reading).
© Train Signal, Inc., 2002-2007

• A much more common wireless configuration is an
infrastructure WLAN, where a WAP is used to allow
multiple devices to connect to the wired network. All
communications in an infrastructure WLAN must go
through a wireless access point (AP).
• There are two kinds of infrastructure WLANs, with
the most common being the following
topology. While a Basic Service Set (BSS) will have
a single AP, Extended Service Set WLANs
(ESS), have multiple access points.

© Train Signal, Inc., 2002-2007

• If you've ever used a wireless network while

traveling, you were on an ESS. Such a
network uses multiple APs to create
overlapping areas of coverage, called
cells. While your signal may occasionally
get weak near the point of overlapping, the
ESS allows roaming users to hit the network
at any time. (We hope!)

© Train Signal, Inc., 2002-2007

• We went over three different service set

types in that section, so to review:
– Independent Basic Service Sets have no APs; the few
wireless devices involved interact directly.
– Basic Service Sets have a single AP.
– Extended Service Sets have multiple APs, which
allow for a larger coverage area than the other two
types and also allow roaming users to fully utilize the

© Train Signal, Inc., 2002-2007

• The standards listed here are all part of the 802.11x
standards developed by the IEEE. IEEE uses the
802.11 standard to define Wi-Fi overall, but it's a
good idea to know the stats for the following.
• 802.11a has a typical data rate of 25 MBPS, but can
reach speeds of 54 MBPS. Indoor range is 100
feet. Operating frequency is 5 GHz.
• 802.11b has a typical data rate of 6.5 MBPS, but can
reach speeds of 11 MBPS. Indoor range is 100
feet. Operating frequency is 2.4 GHz.

© Train Signal, Inc., 2002-2007

• 802.11g has a typical data rate of 25 MBPS, a peak

data rate of 54 MBPS, and an indoor range of 100
feet. Operating frequency is 2.4 GHz. 802.11b and
802.11g are compatible to the point where many
wireless routers and cards that use these standards
are referred to as "802.11b/g", or just "b/g".
• 802.11n has a typical data rate of 200 MBPS, a peak
data rate of 540 MBPS, and an indoor range of 160
feet. Operating frequency is either 2.4 GHz or 5 GHz.

© Train Signal, Inc., 2002-2007

• Infrared Wireless
• Infrared wireless offers a high data rate,
but a very short range - generally too
short to be practical.

© Train Signal, Inc., 2002-2007

• It's a very good idea to have those maximum
speeds, ranges, and frequencies memorized
for the exam. For real-world wireless
networks, always keep in mind that
maximum speeds and ranges are theoretical
at best. That's particularly true with wireless
networks, which can suffer from unusual and
unexpected sources, such as weather, signal
attenuation, and popcorn.

© Train Signal, Inc., 2002-2007


• You can have trouble with 802.11g from a

highly unexpected source. Microwave ovens
also share the 2.4 GHz band, and the
presence of a microwave in an office can
actually cause connectivity issues. (And you
thought they were just annoying when
people burn popcorn in them!) Solid objects
such as walls and other buildings can
disturb the signal in any bandwidth. Some
wireless phones cause the same problem.

© Train Signal, Inc., 2002-2007

Spread Spectrum

• This is another one of those "the name is the

recipe" terms. Spread spectrum refers to a
method of spreading a signal over a range,
or spectrum, or frequencies. One popular
method is frequency-hopping spread
spectrum (FHSS), where the sender and
receiver agree on the range of frequencies to
use, and during the transmission the signal
will be sent over this range.

© Train Signal, Inc., 2002-2007

• DSSS (Direct Sequence Spread Spectrum)
doesn't have the signal hop around between
frequencies, but instead spreads the signal
over the entire range of frequencies at
once. 11.b, 11.g, and 11.n use DSSS.
• OFDM (Orthogonal Frequency Division
Multiplexing) splits the signal and sends the
signal fragments over different frequencies
at the same time. .11a uses OFDM.

© Train Signal, Inc., 2002-2007

• Now, why do we go through all

this? There are several good reasons
to spread a signal:
– increased resistance to noise
– allows sharing of a frequency band
– more difficult to intercept

© Train Signal, Inc., 2002-2007

Antenna Types

• A Yagi antenna (technically, the full name is

"Yagi-Uda antenna") sends its signal in a
single direction, which means it must be
aligned correctly and kept that way. Yagi
antennas are sometimes called directional
antennas, since they send their signal in a
particular direction. In contrast, an Omni
antenna sends a signal in all directions.

© Train Signal, Inc., 2002-2007

• Like some other topics we've covered
in this course, both of these are known
by several different names. Yagis are
also known as point-to-point and
directional antenna; Omni antennas are
also known as omnidirectional and
point-to-multipoint antenna.

© Train Signal, Inc., 2002-2007

• Both Yagi and Omni antennas have their

place in wireless networks. The
unidirectional signal a Yagi antenna sends
makes it particularly helpful in bridging the
distance between WAPs. The
multidirectional signal sent by Omni
antennas help connect hosts to WAPs,
including roaming laptop users -- like the
ones who connect to the Net while eating

© Train Signal, Inc., 2002-2007

• Ethernet has CSMA/CD, and wireless networking has

CSMA/CA, Carrier Sense Multiple Access with
Collision Avoidance. CSMA/CA works much the
same as CSMA/CD…
– a host that wants to transmit must listen first to see if another
host is transmitting
– if the channel is idle, the host invokes a random timer. When
that timer expires, the host listens one more time and then
transmits. (A lot more listening with CSMA/CA!)
– if the channel is busy, the host cannot transmit

© Train Signal, Inc., 2002-2007

• So what's the real difference between CSMA/CD and
CSMA/CA? CA is used on wireless networks, and
jam signals will not be sent over a wireless
network. Collisions are not detected on a wireless
network, they can only be avoided, so we use
CSMA/CA instead of CD.
• Another difference - while Ethernet is capable of full-
duplex (simultaneously sending and receiving data),
wireless clients are limited to half-duplex.

© Train Signal, Inc., 2002-2007

Service Set
Identifier (SSID)

• When you configure a name for your

WLAN, you've just configured a
SSID. The SSID theory is simple
enough - if the wireless client's SSID
matches that of the access
point, communication can proceed. The
SSID is case-sensitive and it has a
maximum length of 32 characters.
© Train Signal, Inc., 2002-2007

• A laptop can be configured with a null SSID,

resulting in the client basically asking the AP
for its SSID; if the AP is configured to
broadcast its SSID, it will answer and
communication can proceed.
• If that broadcasting is disabled, as it often is,
the SSID must be statically defined on the
client as shown in the previous example.

© Train Signal, Inc., 2002-2007

MAC Address

• During your CCNA studies, you learned about a

Cisco switch feature called port-based
authentication. This authentication scheme allowed
a device to successfully authenticate only if its MAC
address was considered secure for that particular
port. There are WLANs set up to use MAC
addresses in a similar fashion.
• Basically, the AP keeps a list of secure MAC
addresses; devices with a secure MAC address can
authenticate successfully, while those with a non-
secure MAC cannot.
© Train Signal, Inc., 2002-2007



• These three WLAN security standards are the

result of two evolutions:
– WEP came first
– WPA evolved from WEP
– WPA2 evolved from WPA
• There are significant differences between the
three, so let's take a look at each while
comparing them at the same time.

© Train Signal, Inc., 2002-2007

• Wired Equivalent Privacy (WEP) has some

real problems:
– Clear-text keys
– Static keys (makes passwords easier to guess)
– One-way authentication (client does not authenticate
AP, making it easier for rogue access points to
infiltrate the WLAN)
– Encryption scheme is very easily broken in a matter
of seconds
© Train Signal, Inc., 2002-2007

• WEP supports two forms of authentication,
open and shared key. Open authentication is
pretty much what it sounds like - the virtual
door to an AP is wide open. Any device can
authenticate and then open communication
with the AP. According to Cisco's website, if
both devices are using WEP but the key on
the client does not match that of the AP,
authentication will succeed but data cannot
be successfully passed.

© Train Signal, Inc., 2002-2007

• The next step in WLAN security was

Wi-Fi Protected Access (WPA). WPA
works with all wireless NICs, but you
may have trouble running it on legacy
(old) APs. If you can't run WPA on
your APs, it's time to get some new

© Train Signal, Inc., 2002-2007

• WPA's strengths:
– Two-way authentication - AP authenticates the client,
client authenticates the AP
– Dynamic keys and a stronger encryption scheme
through use of Temporal Key Integrity Protocol (TKIP,
– WPA uses an 8-byte Message Integrity Check (MIC),
sometimes called "Michael", to protect against replay
attacks, spoofing, and man-in-the-middle attacks.
– WPA uses 802.1x or pre-shared keys (PSK) for

© Train Signal, Inc., 2002-2007

• Some additional details regarding TKIP:
– The use of TKIP made it possible to use legacy ("old")
hardware that had originally been created with WEP
in mind.
– Both WEP and TKIP use the RC4 stream cipher for
encryption, but TKIP protects RC4 keys via per-
packet key mixing, which results in every packet
having a unique encryption key

© Train Signal, Inc., 2002-2007

• WPA requires the use of a passphrase

rather than a password. The
recommended length of a passphrase
is 20 - 30 characters, which will
immediately have some users running
WEP simply because WEP allows a
short password to be configured.

© Train Signal, Inc., 2002-2007

• There are other potential issues with WPA:

– There's always the legacy issue to consider when it
comes to backwards compatibility, but at this point,
you should strongly consider replacing WLAN
equipment that does not support WPA or a later,
stronger solution.
– There's a potential issue with "Michael"
(MIC). Access points that run WPA will shut down
their Basic Service Set if it receives two packets, one
right after the other, that has a bad MIC. A DoS
attack specifically designed to counteract Michael can
take advantage of this situation.
© Train Signal, Inc., 2002-2007

• Another potential issue lies with the
use of pre-shared keys (PSK). If a
small passphrase is allowed and then
intercepted, a dictionary attack can be
run by an attacker, resulting in a
compromised passphrase.

© Train Signal, Inc., 2002-2007

• Here's what happened next:

– After WPA was ratified by the Wi-Fi Alliance,
the IEEE came out with 802.11i.
– After the IEEE came out with .11i, the Wi-Fi
Alliance came out with WPA2.
• The good news: .11i and WPA2 are fully
compatible and interoperable.

© Train Signal, Inc., 2002-2007

• That's about it for this introduction to WLANs! I've

probably gone into more detail here than you'll need
for the CCENT, but with wireless LANs growing
rapidly in popularity, you need to know as much
about WLANs as you possibly can.
• You will see more about WLANs in your CCNA
studies, but even if you choose not to progress past
the CCENT, do yourself a favor and continue your
studies of wireless networking. Your career will
thank you for it!

© Train Signal, Inc., 2002-2007

Video 9
Binary Math and Subnetting

© Train Signal, Inc., 2002-2007

Binary Math and


• “The Secret” (Of Binary Success, That Is)

• Decimal > Binary, Binary > Decimal
• Subnetting Basics
• Calculating Number of Valid Subnets
• Prefix Notification
• Calculating Number of Valid Hosts
• Calculating Number of Valid IP Addresses in a Given
• Calculating the Subnet Number of a Given IP
• Meeting Stated Design Requirements
© Train Signal, Inc., 2002-2007

• Class A: 1 - 126, 8 NW Bits, 24 Host Bits

• Class B: 128 - 191, 16 NW Bits, 16 Host Bits
• Class C: 192 - 223, 24 NW Bits , 8 Host Bits
• Class A:
• Class B:
• Class C:

© Train Signal, Inc., 2002-2007

• Determining The Number Of Valid Subnets
– Number of subnets = (2 squared by the number of
subnet bits)
– Now here's the interesting part: You *may* need to
subtract 2 from that result to get the correct answer.
• You should subtract 2 from the result if:
– You see the no ip subnet-zero command in the
configuration. This command will appear near the top
of the router configuration.
– The routing protocol is classful, and that means
RIPv1 or IGRP.
© Train Signal, Inc., 2002-2007

• You should not subtract 2 from the result if:

– The classless protocols RIPv2, EIGRP, or OSPF are in use.
– The term "VLSM" for "Variable-Length Subnet Masking" is used.
• The ip subnet-zero command appears in the
configuration. This is the default setting, and you'll
see it near the top of the router configuration:

username R1 password 0 CCNA

ip subnet-zero
no ip domain-lookup

© Train Signal, Inc., 2002-2007

Prefix Notation

• Prefix notation is a quicker way of stating

what the subnet mask of a network is. Note
that the subnet mask consists of a number of
consecutive 1s. Prefix notation is simply a
slash followed by the number of 1s in the
subnet mask. The subnet mask
is instead referred to as “slash 24” when
spoken, or “/24” when written. This is the
generally accepted way subnet masks are
spoken and written about.

© Train Signal, Inc., 2002-2007

• Review the rules for network, subnet, and
host bits:
A. The rules for Class A, Class B, and Class C
determine the network portion.
B. Compare the remaining bits of the default and
actual mask. The portion where the Default Mask and
Subnet Mask both have zeroes is the host bits portion
of the address.
C. The remaining bits – where the Default Mask has
zeroes but the Subnet Mask has one – are the subnet
bits. These are the bits that are being “borrowed” from
the host bits.
© Train Signal, Inc., 2002-2007

• Determining The Number Of Valid Hosts

– To determine the number of valid hosts, a somewhat
similar formula is used:
• Valid Hosts On A Subnet = (2 squared by
number of host bits) – 2
– Thankfully, we always subtract the two when
determining the number of valid hosts on a subnet.

© Train Signal, Inc., 2002-2007

• Determining The Subnet Number Of A Given

IP Address
– Given an IP address and subnet mask, determining
the subnet it resides on is accomplished by
performing a Boolean AND operation. First, the IP
address and its subnet mask will be converted to
binary. The Boolean AND is simply a bit-by-bit
comparison of the address and the subnet mask.
– If both bits are 1, the result of the Boolean AND is 1. If
a 0 is set for that bit on either the subnet mask or IP
address, or both, the result of the AND is a 0.

© Train Signal, Inc., 2002-2007

• Determining The Range Of Valid Host Addresses On
A Subnet
• To determine the range of valid host addresses on a
subnet, first determine how many overall host
addresses are on that subnet. The first address in
the range is the network number and is not a valid
host address; the final address in the range is the
broadcast address for that subnet and is not a valid
host address. All addresses between the two are
valid host addresses.

© Train Signal, Inc., 2002-2007

Meeting Stated

• Consider this question:

– “Your network uses Class B network You
need at least 150 subnets that have no more than
200 hosts apiece. Which of the following subnet
masks should you use?”
– Remember the formulas for determining the number
of subnets, or the number of valid hosts per subnet:
• Number of subnets = (2 to the nth power), where n equals
the number of subnet bits.
• Number of valid hosts on a subnet = (2 to the nth power) – 2,
where n equals the number of host bits.

© Train Signal, Inc., 2002-2007

Watch Our For

• You could see something like this on your exam, but
this word of advice is valuable for your real-world
experiences - when you're building on someone
else's subnetting scheme, watch out for overlapping
• By overlapping networks, I mean two subnets in the
same network that are "overlapping" and therefore
using the a few of the same IP addresses.
• This is particularly true when you're left with a few
address blocks from a subnetting scheme that you
didn't create. Let's use the following network for an
© Train Signal, Inc., 2002-2007

• 50-host network address
range: -
• Range for /25 network:
- - Overlaps With Preexisting
• Range for / 25
network: - - Does
Not Overlap With The 50-host network.
© Train Signal, Inc., 2002-2007

Video 10
Static Routing And RIP

© Train Signal, Inc., 2002-2007

Static Routing And


• Static Routing Theory and Labs

• RIP Routing Theory and Labs
• “show ip protocols”, “show ip route
rip”, “debug ip rip”, And More!

© Train Signal, Inc., 2002-2007

• For this example and all others in this course, the
last octet of the IP address for any physical interface
will be the router number. That's a good habit to get
into for your home lab studies as well. For
loopbacks, we'll use the router number for each
– The networks used in this section:
– Frame Relay (Serial interfaces, all routers): 172.16.123.x /24
– R2's loopback interface: /24
– R3's loopback interface: /24

© Train Signal, Inc., 2002-2007

• We're going to use pings to test IP

connectivity throughout this section. When
you ping a remote IP address, you're sending
five ICMP Echo packets to the IP address you
specify. If we get five ICMP Echo Replies in
return, you'll see five exclamation points, and
that means you do have IP connectivity to
the specified destination.

© Train Signal, Inc., 2002-2007

• WARNING: Do NOT practice debugs on a production

network. Some debugs, especially debug ip packet,
can overwhelm a router or switch CPU and render
the device unable to route or switch.
• It's important to know how the debug output will look
when things are running correctly, because that's
the only way to know what you're looking for when
things aren't running correctly. If you have a home
lab, make sure to run plenty of debugs as you work -
but never practice them at work.

© Train Signal, Inc., 2002-2007

• Since we're in the static routing section of
the course, let's choose a static route! We
use the ip route command to create static
routes, and we actually have two more
choices when it comes to static routes. We
can create...
– A static route to a given host or destination network
– A default static route, which will be used when there
is no other match in the routing table for a destination
© Train Signal, Inc., 2002-2007

• At this point in the ip route command,

you must specify one of these two
– The local router's exit interface type (NOT the
IP address)
– The remote router's IP address that we want
to send that packet t

© Train Signal, Inc., 2002-2007

• When you send pings, it's not enough

for the local router to have connectivity
to the remote network - the
downstream routers need connectivity
to that remote network as well!

© Train Signal, Inc., 2002-2007

• The syntax for a default static route looks a bit odd,
so be ready to identify it on the exam:
R1#conf t
Enter configuration commands, one per line. End
with CNTL/Z.
R1(config)#ip route
• Both the destination network and the mask are all
zeroes in a default static route. As with a "regular"
static route, we have the option of configuring a
next-hop IP address or the local router's exit
© Train Signal, Inc., 2002-2007

• Default static routes serve two major

purposes, one of which we've just seen - we
can send data to networks that have no
specific entry in the routing table. This also
helps to keep routing tables concise and
complete, and as you advance in your Cisco
studies, you'll learn that it's important to
control the size of the routing table while
keeping it complete.

© Train Signal, Inc., 2002-2007

• Static routes have their place, but they're not terribly

scalable. Scalability refers to a network feature or
protocol's ability to remain useful without a great
deal of manual intervention as the network grows,
and it's a term you'll hear often in your Cisco studies
and your real-world job.
• Static routes do not dynamically adapt to network
changes, and they can be a pain to keep up with as
your network grows. That's why they're not
considered very scalable.

© Train Signal, Inc., 2002-2007

• A better choice for routing is the use of
dynamic routing protocols. You've probably
heard of one or more of the following:
– RIP (Routing Information Protocol)
– IGRP (Integrated Gateway Routing Protocol)
– EIGRP (Enhanced Integrated Routing Protocol)
– OSPF (Open Shortest Path First)

© Train Signal, Inc., 2002-2007

• There are two versions of RIP, and while

you're almost always going to run the more
recent of the two, you need to know about
them both for the exams and just in case you
do run into the original version in the
field. We're going to use almost the same
network we used in the static route
discussion here in our RIP discussion, with
the only difference being an additional
loopback address,, added to R1.

© Train Signal, Inc., 2002-2007

• Why change the default? Version 1 is quite limited

in that it is a classful protocol, while Version 2 is a
classless protocol. This is one time when it's good
to be classless!
• In your CCNA studies, you'll be introduced to manual
route summarization and variable-length subnet
masking (VLSM). I won't show you those advanced
skills now because we need to concentrate on the
basics, but I do want you to know that RIPv1 does
not support either of those, while RIPv2 supports
© Train Signal, Inc., 2002-2007

• RIPv1: classful, no VLSM, no manual
route summarization
• RIPv2: classless, VLSM support,
manual route summarization support
– To force RIP to send and receive only v2
updates, use the version 2 command under
the RIP process.

© Train Signal, Inc., 2002-2007

• The incoming update from R1's serial0

interface mentions "hops" several times, where the
outgoing update mentions a "metric". They're
actually the same thing.
• Both versions of RIP use hop count for their metric,
a measurement of how far it is to a remote
destination. That's a serious limitation for RIP when
it comes to Wide Area Networks (WANs), because
RIP will consider both paths in the following example
to have the same metric.

© Train Signal, Inc., 2002-2007

Video 11
Wide Area Networks (WANs)

© Train Signal, Inc., 2002-2007

Wide Area
Networks (WANs)

• Physical Side of WANs

• Directly Connecting Cisco Routers Via Serial
• HDLC and PPP
• Intro to Frame Relay
• RFC 1918 Addresses, NAT and PAT
• Intro to ATM
• Modems and DSL Variations
© Train Signal, Inc., 2002-2007

The Physical Side


• Going back to the previous illustration, one reason we refer to

the WAN connection as a "cloud" is that we don't know exactly
what hardware is in use in the WAN, and we're not responsible
for it - that's up to the service provider, the company that sells
WAN services such as Frame Relay.
• What we are responsible for are the routers you see in that
diagram, and our routers are going to have to communicate
with one of the service provider's devices. The service
provider's half of this communication is an external channel
service unit / data service unit, which thankfully is referred to
as a CSU/DSU.

© Train Signal, Inc., 2002-2007

• At some point, the responsibility for the

physical devices passes from us as network
admins to the service provider. This is the
demarcation point, typically referred to as
the demarc point. In theory, the demarc
point is easy to define; when you're arguing
with the service provider on a Friday
afternoon when everyone wants to go home,
the exact location of the demarc point
suddenly becomes a huge point of
© Train Signal, Inc., 2002-2007

• Theoretically, the demarc point is found at
the CSU/DSU. The cable leading from the
CSU/DSU to the router and the CSU/DSU
itself is considered to be the customer's
equipment and responsibility. That's us! All
cabling on the "other side" of the CSU/DSU,
along with the hardware in the WAN cloud, is
the service provider's equipment.

© Train Signal, Inc., 2002-2007

• The CSU/DSU fills the router in on a very

important piece of information, the clock
rate. When the CSU/DSU does this, it's
basically telling the router "here's how
quickly you can send and receive
data". Later in this section, we'll simulate a
point-to-point link on a Cisco router and
you'll see the command that allows a Cisco
router to give another router this vital

© Train Signal, Inc., 2002-2007

• When it comes to the clockrate:

– The Data Communications Equipment (DCE)
provides the clockrate
– The Data Terminal Equipment (DTE) receives
the clockrate. By default, a Cisco router acts
as a DTE.

© Train Signal, Inc., 2002-2007

• We're going to discuss two common WAN
protocols in just a moment, and I want you to
see the show commands that verify these
protocols. To do so, we're going to use a
configuration that isn't common in real life,
but is very common in home labs. We're
going to use two Cisco routers that are
directly connected at their Serial0 interfaces,
which means that one must serve as the
DCE. We also need a special cable, the
aptly-named DTE/DCE cable.
© Train Signal, Inc., 2002-2007

• After connecting the cable to the respective routers,

use show controller serial x to ensure the router
sees the cable as a DCE or DTE. You will see a great
deal more output than this when you run this
command, but the information that's important to us
right now is at the very top.
R3#show controller serial 1
HD unit 1, idb = 0x1C44E8, driver structure at 0x1CBAC8
buffer size 1524 HD unit 1, V.35 DCE cable

© Train Signal, Inc., 2002-2007

• Here's what show interface serial 1 on R1 reveals

before the clockrate command is configured:

R1#show interface serial 1

Serial1 is up, line protocol is down
Hardware is HD64570
Internet address is
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set

© Train Signal, Inc., 2002-2007

• When you see the physical interface up and
the line protocol down, there's some kind of
logical problem with the interface. In this
case, the DTE side is not receiving the
required clockrate. Once we do configure
the clockrate on the DCE's Serial1 interface,
the line protocol comes up and stays up. No
reset or reload is needed.

© Train Signal, Inc., 2002-2007

• I know I've mentioned this already during the

course, but this truly bears repeating as it's a
fundamental rule of troubleshooting:
– If the interface shows as administratively down, it's
simply shut down manually and needs to be opened.
– If the interface shows as down, there's a physical
problem, perhaps a loose cable.
– If the interface is up but the line protocol is down, that
means the interface is physically fine but there's a
logical issue, generally an encapsulation mismatch or
missing clockrate.

© Train Signal, Inc., 2002-2007

• Real-world hint: If you're troubleshooting a

line protocol issue and you see the line
protocol come up, make sure to stick around
for a minute and make sure it stays
up. Also, the line protocol may show as up
for about 20 seconds or so after you first
open a Serial interface, but stick around and
make sure it stays up.

© Train Signal, Inc., 2002-2007

• HDLC and PPP are the two data-link (Layer 2)
protocols to consider when choosing an
encapsulation method across a serial point-to-point
• The version of HDLC that runs on Cisco routers is
Cisco-proprietary, making it unsuitable for
multivendor environments. If RouterA is a Cisco
router running HDLC, the only way the line protocol
can come up is if the remote router is also a Cisco
router running HDLC.

© Train Signal, Inc., 2002-2007

• There are major points of distinction

between the two. First, HDLC is the
default encapsulation for a Cisco serial
interface. Here's the output of show
interface serial 1 from the previous
discussion. The encapsulation is
defaulting to HDLC.

© Train Signal, Inc., 2002-2007

• PPP allows data compression to be configured,

where HDLC does not. Compression is performed
on data before it's sent across the WAN, and the
data then uses less bandwidth to send the data
across the WAN.
• PPP multilink allows multiple physical channels to
be bundled into a single logical channel. HDLC
offers no multilink capability.
• PPP allows the use of two authentication schemes
for point-to-point links (PAP and CHAP), which HDLC
does not support either of these.
© Train Signal, Inc., 2002-2007

• To review:
– HDLC is the default encapsulation on a Cisco
router's Serial interface.
– PPP has features that allow the use of
authentication and data compression.
– PPP also allows multilink bundling, where
HDLC does not.

© Train Signal, Inc., 2002-2007

An Introduction To
Frame Relay

• Frame Relay's got three things going

for it that endears it to network admins:
– it's cheap
– it's reliable
– it's cheap and reliable

© Train Signal, Inc., 2002-2007

• In the case of Frame Relay, we call our friendly Frame Relay

Service Provider and tell him where our routers are, and how
much bandwidth we're willing to pay for. The provider then
configures some of his frame relay switches, gives us a few
numbers to add to our router configuration, and we're all set!
• The frame relay service provider guarantees a certain amount
of bandwidth will be available to a given user at any time. The
more guaranteed bandwidth desired, the more it costs, but it’s
still cheaper than a dedicated point-to-point link. This
guaranteed bandwidth is referred to as the committed
information rate (CIR).

© Train Signal, Inc., 2002-2007

• Frame relay is a packet-switching protocol.
The packets may take different physical
paths to the remote devices, at which point
they will be reassembled and will take the
form of the original message. In contrast,
circuit-switching protocols have dedicated
paths for data to travel from one point to

© Train Signal, Inc., 2002-2007

• There are two types of virtual circuits, one

much more popular than the other. A
permanent virtual circuit (PVC) is available at
all times, where a switched virtual circuit
(SVC) is up only when certain criteria are
met. You're going to see PVCs in most of
today's networks, and we'll build some
during your CCNA studies.

© Train Signal, Inc., 2002-2007

• You were introduced to the three RFC

1918 private address ranges in the IP
Addressing section, but let's review
them here:
– Class A: - ( /8)
– Class B: - ( /12)
– Class C: - ( /16)

© Train Signal, Inc., 2002-2007

• You also learned that these addresses are
not routable - without any additional help,
hosts with these addresses will not be able
to communicate with any other hosts outside
their private network. That means no
internet access and no communication with
other hosts across the LAN!

© Train Signal, Inc., 2002-2007

• The actual NAT and PAT translation

table can be viewed with the command
show ip nat translation. Even if you're
running PAT, the commands will still
reference NAT.
R3#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- ---
--- --- ---
--- --- ---

© Train Signal, Inc., 2002-2007

• Notice those four terms in the translation table - "inside

global", "inside local", and so forth? Here's what they
• Inside local addresses are used by hosts on the inside
network to communicate with other hosts on that same
network. These are the addresses that are actually
configured on the hosts, and generally they are RFC 1918
private addresses.
• These inside local addresses are translated into inside
global addresses. Inside global addresses are routable
addresses. In the following example, is the
inside local address and is the inside global

© Train Signal, Inc., 2002-2007

• Outside global addresses are the addresses
that are configured on the outside
hosts. These are fully routable addresses
used by Internet-based hosts.
• Finally, outside local addresses are the
actual addresses of remote hosts. These can
be (and probably are) RFC 1918 addresses as

© Train Signal, Inc., 2002-2007

• What follows is strictly an overview of some other

WAN communication methods, and with ATM, it's
really an overview! Configuration of ATM is far
beyond the scope of the CCENT and CCNA exams,
but it's a good idea to know the basics.
• The Asynchronous Transfer Mode (ATM) is unique in
that it does not handle frames, as Frame Relay
does. ATM places data into cells, and all ATM cells
are exactly the same size, 53 bytes - 48 bytes of data
and a 5-byte header.

© Train Signal, Inc., 2002-2007

• Remember the Frame Relay switches that

made up the Frame Relay cloud? ATM works
along the same lines in that the service
provider maintains ATM switches. ATM
networks are much faster than Frame Relay
networks, but are more expensive to build
and maintain. That includes the need for
specialized hardware. You can't just sit
down and configure ATM on a Cisco serial
interface as you could Frame Relay - you'll
need special interfaces to use ATM.
© Train Signal, Inc., 2002-2007

• Some ATM documentation says that
ATM is a packet-switching service like
Frame Relay, and technically that's
true, but more commonly you'll hear
ATM referred to as cell-switching. After
all, that's what ATM switches!

© Train Signal, Inc., 2002-2007

• On the other end of the speed spectrum, we've got

modems - and yes, they're still out there! In the
previous CSU/DSU illustrations, a modem could and
sometimes does take the place of the CSU/DSU.
• The word "modem" actually comes from the two
operations they carry out:
– Modulation, the process of translating digital signals into analog
signals that can be carried over a phone line
– Demodulation, the process of translating those analog signals
back into digital signals that the receiving device can understand

© Train Signal, Inc., 2002-2007

• The two real drawbacks of modems

– They're not as fast as other methods
– They tie up the phone line, and other calls
cannot be made while the modem is using the

© Train Signal, Inc., 2002-2007

• Asymmetrical DSL works under the assumption that
the user will download more information than they
send, and for the average Internet user, that's a safe
assumption. The connection speed from the provider
to the user is going to be 3 - 4 times faster than the
speed from the user to the provider. A typical ADSL
connection of 512 kbps will give the user 384 KBPS
download capabilities, but only 128 KBPS uploading
• ADSL allows a telephone call and internet access
© Train Signal, Inc., 2002-2007

• ADSL uses several different modulation methods, but the most

well-known is G.lite (also known as G.922.2), which requires no
splitter at the customer location. The customer simply hooks
up a G.lite modem in the same way an old-fashioned analog
modem would be installed.
• G.lite's limitation is speed - where standard ADSL can offer 8
MBPS download speed and 1.5 upload speed, G.lite's maximum
capability is 1.5 MBPS downloading and 512 KBPS
uploading. The key is that while G.lite is slower than true
ADSL, it's still a lot faster than the dialup options available to
today's home users.

© Train Signal, Inc., 2002-2007

• The distance limitation of ADSL must be taken into

account as well. Officially, there's an 18,000-foot
limitation on ADSL services, but most ISPs put a
lower limit on ADSL to avoid poor quality service for
those near the end of the cable. Of course, that
limitation is for data transmission, not voice.
• Since we have asymmetric DSL, it makes sense that
we'd have symmetric DSL (SDSL) as well. The term
"symmetric" refers to the fact that the sending and
receiving speed are the same. The drawback is that
the phone cannot be used while SDSL is in use.
© Train Signal, Inc., 2002-2007

• Two less-common DSL flavors:
• Very High Bit-Rate DSL (VDSL) has the capability to
deliver speed up to 52 MBPS. That's am amazing
speed to deliver over copper wire, but there's a
drawback - VDSL over copper has a maximum
distance of 4000 feet. As more fiber-optic cable
is installed by the telephone companies, VDSL is
becoming available in more communities as the
distance issue is resolved by the use of fiber.

© Train Signal, Inc., 2002-2007

• Rate-Adaptive DSL (RADSL) is just

what it sounds like - the software
calculates the maximum download and
upload speeds on the customer's
preexisting phone line and dynamically
adjusts those rates.

© Train Signal, Inc., 2002-2007

Video 12

© Train Signal, Inc., 2002-2007


• Where to Begin
• Cisco Discovery Protocol (CDP)
• L1 and L2 Troubleshooting
• LAN Troubleshooting
• WAN Troubleshooting
• Extended Ping and Traceroute
• Telnet and SSH Review and Maintenance Commands
• Administrative Distance
• The Real Key to Troubleshooting

© Train Signal, Inc., 2002-2007

• When you begin troubleshooting, make

sure everything's working at the
Physical layer of the OSI model. That's
a formal way of saying…
– Is this thing on?
– Is the right cable in use?
– Has the cable come loose just enough to
bring things down?

© Train Signal, Inc., 2002-2007

• That first bullet point is self-explanatory, so

I'll leave that one alone. When it comes to
the right cable, remember the basics:
– Crossover cables are required to connect switches for
– Rollover cables are required to connect a laptop to
the Console port of a router, and you may need an
adapter to use a rollover cable with your laptop

© Train Signal, Inc., 2002-2007

• You can check a Cisco device's
physical connections with Cisco
Discovery Protocol, which runs by
default on Cisco routers and switches,
both globally and on a per-interface

© Train Signal, Inc., 2002-2007

• For security purposes, many admins choose to

disable CDP. Here's the command to see if CDP is
indeed running on a router or switch:

Router1#show cdp
Global CDP information:
Sending CDP packets every 60 seconds
Sending a holdtime value of 180 seconds
Sending CDPv2 advertisements is enabled

© Train Signal, Inc., 2002-2007

• That output means that CDP is indeed

enabled. If you see the following, it's off. But
you didn't need me to tell you that!

Router1#show cdp
% CDP is not enabled

© Train Signal, Inc., 2002-2007

• Device ID is the remote device's hostname.
• Local Interface is the local switch's
interface connected to the remote host.
• Holdtime is the number of seconds the local
device will retain the contents of the last CDP
Advertisement received from the remote

© Train Signal, Inc., 2002-2007

• Capability shows you what type of device the

remote host is. The first two connections are
to a switch, and the third is to a router.
• Platform is the remote device's hardware
platform. The top two connections are to a
2950 switch, and the third is to a 2520 router.
• Port ID is the remote device's interface on
the direct connection.
© Train Signal, Inc., 2002-2007

• When an interface is functioning

correctly, this is what we see at the top
of the show interface output.

Router1#show int serial0

Serial0 is up, line protocol is up

© Train Signal, Inc., 2002-2007

• Of course, if the interface looked like that, we
wouldn't be troubleshooting, would we? Let's
take a look at common show interface
outputs that do indicate a problem, along
with the solutions for these issues.

Router1#show int serial0

Serial0 is administratively down, line
protocol is down
© Train Signal, Inc., 2002-2007

• This one's easy! administratively down

means the interface is indeed shut
down. Open the interface with no

Router1(config)#int serial0
Router1(config-if)#no shut
© Train Signal, Inc., 2002-2007

• Always give the line protocol a minute

or so to come up after opening a serial

Router1#show interface serial0

Serial0 is up, line protocol is up

© Train Signal, Inc., 2002-2007

• Success! Let's look at another
potential readout:

Router1#show interface serial 0

Serial0 is down, line protocol is down

© Train Signal, Inc., 2002-2007

• After plugging this loose cable back in


20:14:47: %LINK-3-UPDOWN: Interface Serial0,
changed state to up
20:14:48: %LINEPROTO-5-UPDOWN: Line protocol
on Interface Serial0, changed state to up

© Train Signal, Inc., 2002-2007

• There's one other reason a port can be

down physically, and you saw this in
the Switching section:

SW2#show int fast 0/3

FastEthernet0/3 is down, line protocol is
down (err-disabled)

© Train Signal, Inc., 2002-2007

• There's one more physical / line
protocol combination we have to be
ready to troubleshoot:

Router1#show int serial 0

Serial0 is up, line protocol is down

© Train Signal, Inc., 2002-2007

• If a switch encounters a problem while

you're configuring it, it's probably
because you just misconfigured
something. Undo what you just did.
The same goes for routers. No big
deal, just fix it.

• Simple, right? Right!

© Train Signal, Inc., 2002-2007

• If we were still not able to ping between

those two hosts, I would check the VLAN
port membership on the switches with show
vlan brief.
• You'll see more of this in your CCNA studies,
but remember - if hosts are in different
VLANs, they will not be able to send IP
packets to each other without a Layer 3
device being involved.

© Train Signal, Inc., 2002-2007

• Just with that simple network, we ran
into quite a few things that could have
been the cause of the issue:
– Ethernet interface not open
– Ethernet interface had no IP address
– Hosts in different VLANs
– Loose cable (show interface verified the
physical cable was fine)
© Train Signal, Inc., 2002-2007

• For real-world PC troubleshooting, you can

run ipconfig /all to check a host's IP address,
network mask, DNS server location, and
much more. This is where I always start
troubleshooting when a PC can't access
network resources. The CCENT exam is not
a PC troubleshooting exam, but since we do
spend a good amount of time working with
PCs as network admins, it's a good idea to
be very familiar with the output of this
© Train Signal, Inc., 2002-2007

• Here are some other Microsoft PC

commands you may find helpful:
• ipconfig /release will release the PC's DHCP-
assigned information.
• ipconfig /renew will actively ask the DHCP
server(s) for an IP address and other
information needed for LAN connectivity,
including DNS server location.
© Train Signal, Inc., 2002-2007

• netstat -rn displays the host's routing
table. Yes, PCs have routing tables!
• It's my experience that ipconfig /all is
the best place to begin troubleshooting
at the PC level - but don't forget to
check the cables first!

© Train Signal, Inc., 2002-2007

Telnet And SSH

• We discussed both of these tools in

depth in another section, so I won't do
so again here. A couple of things to
watch with both Telnet and SSH:
– Cisco routers do not allow users to connect
via Telnet or SSH by default. A password
must be set on the VTY lines.

© Train Signal, Inc., 2002-2007

• Users who connect to a router via Telnet or SSH will

by default be put into user exec mode, and for those
users to have access to enable mode, an enable
password must be set, *or* you must configure the
privilege level 15 command on the VTY lines - that
will place the incoming user into enable mode
immediately upon VTY authentication.
• Telnet sends all data in clear text; SSH encrypts all
data, including passwords, but SSH does require
more configuration and possible extra hardware,
depending on the size of the deployment.
© Train Signal, Inc., 2002-2007

• If you have multiple Telnet sessions
open, you can run show sessions to
get basic information about each one.
BRYANT_ADVANTAGE_2#show sessions
Conn Host Address Byte Idle Conn Name
1 blondie 0 1 blondie
2 angeleyes 4 1 angeleyes
* 3 tuco 0 0 tuco

© Train Signal, Inc., 2002-2007

• To reconnect to any given Telnet session,

you can use the resume command followed
by the connection number, or just enter the
connection number. To resume the
connection to tuco, you could enter resume 3
or just the number 3.

[Resuming connection 3 to tuco ... ]

© Train Signal, Inc., 2002-2007

• To suspend the open session, use this

key combination:

< CTRL - ALT - 6 >, followed by < X >

© Train Signal, Inc., 2002-2007

• To disconnect any open session, use
the disconnect command followed by
the connection number. You will be
prompted to confirm this request.
BRYANT_ADVANTAGE_2#disconnect 2
Closing connection to angeleyes [confirm]

© Train Signal, Inc., 2002-2007

• We could use show sessions to verify, but

we'll use the where command instead. show
sessions and where do the exact same thing,
so watch that on exam day!

• Conn Host Address Byte Idle Conn Name
• 1 blondie 0 8 blondie
• * 3 tuco 4 1 tuco

© Train Signal, Inc., 2002-2007

Ping And

• You've seen "regular ping" throughout

the course, and that strange phrasing
may make you wonder "What do you
mean, regular ping?" The ping we've
seen throughout the course simply
specified a destination IP address, and
we received one of three returns so far:

© Train Signal, Inc., 2002-2007

• !!!!! -- IP connectivity to destination
• ..... -- IP connectivity to destination
does not exist
• U.U.U -- The local router has a route to
the destination, but a downstream
router does not
© Train Signal, Inc., 2002-2007

Type escape sequence to abort.
Tracing the route to
1 8 msec 8 msec 12 msec
2 12 msec 12 msec 12 msec
3 12 msec 12 msec 12 msec
4 12 msec 12 msec 12 msec
5 12 msec 12 msec 16 msec
6 24 msec 16 msec 16 msec
7 76 msec 76 msec 76 msec
8 80 msec 80 msec 76 msec
9 76 msec 80 msec 76 msec
10 80 msec 80 msec 76 msec
11 80 msec 76 msec 80 msec
12 80 msec 80 msec 76 msec
13 * * *
14 * * *
15 * * *
16 * * *
© Train Signal, Inc., 2002-2007

• By the way, if you just let those

asterisks keep coming, you're going to
see 30 rows of them. If you're running
this command and someone else is
there, they're going to ask the musical
– "Is it supposed to be doing that?"

© Train Signal, Inc., 2002-2007

• At the beginning of the traceroute output, the router
says "Type escape sequence to abort." Did you also
notice that the router doesn't tell you what the
sequence is? ARRRGH!!!
• That can be pretty frustrating and/or embarrassing,
so I'll tell you what that sequence is. Don't tell
anybody else, it's our secret:

< CTRL - SHIFT - 6>

© Train Signal, Inc., 2002-2007

• Microsoft offers a version of traceroute as well - use the tracert

command to see the options.

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w
timeout] target_name
-d Do not resolve addresses to
-h maximum_hops Maximum number of hops to search for
-j host-list Loose source route along host-list.
-w timeout Wait timeout milliseconds for each

© Train Signal, Inc., 2002-2007

• Consider this routing table:

D [90/25789217] via (D = EIGRP route)
R [120/4] via (R = RIP)
O [110/229840] via (O = OSPF)

© Train Signal, Inc., 2002-2007

• What if the routes for a destination are all the
same? Consider the same table, but with
subnet masks of the same length for each

D [90/25789217] via

R [120/4] via
O [110/229840] via

© Train Signal, Inc., 2002-2007

• Two key points about administrative

– AD is a measure of a route's
believability. The lower the AD, the more
believable the route. This is one time when
bigger is NOT better!
– AD only comes into play when there is a tie in
the "longest match" route comparison, as
shown previously.
© Train Signal, Inc., 2002-2007

Route Source Administrative Distance

Directly Connected 0
Static 1
EIGRP Summary 5
Internal EIGRP 90
IGRP 100
OSPF 110
ISIS 115
RIP 120
External EIGRP 170
iBGP 200

© Train Signal, Inc., 2002-2007

• The Real Keys To Becoming A World-Class
– Learning to troubleshoot networks is just that - a
learning experience. I've been in IT for well over a
decade and I learn something new every day. I have
always loved troubleshooting, and I can tell you this
from personal experience: Troubleshooting is all
about knowing the fundamentals *and* having a
structured approach. Learn the fundamentals,
develop your own approach, and you will be totally
unstoppable in both the exam room and dealing with
real-world networks.
© Train Signal, Inc., 2002-2007

Video 13
Introduction to Network

© Train Signal, Inc., 2002-2007

Introduction to
Network Security

• Firewalls and Proxy Servers

• The Attacker’s Arsenal
• Intro to PIX, ASA, IDS, and IPS
• Viruses, Worms, and Trojan Horses
• Preventing Virus Attacks
• One Final Cisco “Secret”
• A Final Word
© Train Signal, Inc., 2002-2007


• A firewall is your basic protection against

Internet-based attackers. A firewall is a
physical device that filters packets heading
for your network, and those filters are set to
block attempts to harm your network. The
firewall shown in the following illustration is
generally where you see them in networks -
between the inside network / end users and
the Internet.

© Train Signal, Inc., 2002-2007

• protocol ("don't allow any IPX traffic")

• source IP address ("don't allow any
traffic from the /24 network
to exit the network")
• port number ("don't allow any traffic
sourced from port 23 to enter the
© Train Signal, Inc., 2002-2007

• Users cannot receive email. Make sure the

incoming POP3 port (110) is open. This
happens a lot when new firewalls are put in.
• Users cannot send email. Make sure the
outgoing SMTP port (25) is open.
• You need to block users from accessing the
Web. Make sure the HTTP egress
("outgoing") port is blocked.
© Train Signal, Inc., 2002-2007

• Network attackers can have one or
more agendas:
– Financial gain, possibly blackmailing you for
access to your stolen and now inaccessible
– Simply seeing if they can gain access, just for
the fun of it
– Damaging the network for personal
© Train Signal, Inc., 2002-2007

• One network attack type is a Denial of

Service (DoS) attack. Basically, the
attacker(s) attempt to
overwhelm the server with TCP connection
requests, which has two negative effects:
– Legitimate users cannot access the server due to
network congestion caused by the DoS requests
– The attacked server's resources are so busy
attempting to answer the service requests that it
cannot answer legitimate requests, or the server
simply crashed under the load

© Train Signal, Inc., 2002-2007

• A DoS attack is really designed more to

damage network access than to steal
data. A common technique to steal
data and perhaps profit by its sale or
use is a combination of reconnaissance
attacks and access attacks.

© Train Signal, Inc., 2002-2007

• When a military patrol goes on a reconnaissance
mission, it's not looking for a fight with the enemy;
it's gathering information for a future attack, looking
for strengths and weaknesses. That's exactly what a
reconnaissance mission is in networking. The
intruder uses different techniques to gather
information about your network's strengths and
weaknesses, and the intruder will return later and
utilize that information to his advantage - and your

© Train Signal, Inc., 2002-2007

• While the information gathered during a

reconnaissance attack can be used for a DoS
attack, most likely it'll be used for an access
attack. That's where data is actually
compromised and/or stolen by the intruder
for their own personal use, financial gain, or
occasionally just to embarrass the company
they stole the data from.

© Train Signal, Inc., 2002-2007

• With so many different external network threats, it's

really not enough to "just" have a firewall in place
today. That's why Cisco developed the Adaptive
Security Appliance. From Cisco's website, here's
how they describe the ASA:
• "The Cisco ASA Series controls network and
application traffic, delivers flexible Virtual Private
Network (VPN) connectivity, and reduces the overall
deployment, operations costs and complexity that
would otherwise be associated with this level of
comprehensive security."
© Train Signal, Inc., 2002-2007

• When reading white papers and sales documents
regarding the ASA, you'll come across an interesting
term - "anti-x". No, "x" isn't some new mysterious
virus or network security issue! "x" is simply used
by Cisco to encompass all of the "antis" the ASA
offers, such as "anti-virus" and "anti-spam". Instead
of listing all of the "antis" their product offers, Cisco
simply says "anti-x". Just wanted you to know so it
wouldn't make you wonder as it did me the first time
I saw it! ;)

© Train Signal, Inc., 2002-2007

• Cisco also offers the Intruder Detection

System (IDS), which Cisco's website
describes as…
• "Providing complete intrusion protection,
Cisco IDS delivers a comprehensive,
pervasive security solution for combating
unauthorized intrusions, malicious Internet
worms, along with bandwidth and e-
Business application attacks."

© Train Signal, Inc., 2002-2007

• On the other hand, the Cisco IPS - Intrusion

Prevention System - is described by their
website as follows:
– "The Cisco Intrusion Prevention System (IPS) solution
is an integral part of the Cisco Self-Defending
Network and Cisco Threat Control solutions, providing
end-to-end protection. This inline, network-based
defense can identify, classify, and stop known and
unknown threats, including worms, network viruses,
application threats, system intrusion attempts, and
application misuse."

© Train Signal, Inc., 2002-2007

• If there's one thing you must have
working at full capacity in your
network, it's the antivirus programs.
• If there's one thing that is commonly
overlooked when it comes to updates,
it's the antivirus programs.

© Train Signal, Inc., 2002-2007

• In today's world, your network must be

protected from both internal and external
antivirus threats. By implementing and
executing an aggressive antivirus strategy,
you can greatly reduce your network's
chances of being hit with a virus. Literally
hundreds of millions of dollars in
productivity are lost every year due to virus
attacks, along with a few jobs. Make sure
both your network and career are protected!

© Train Signal, Inc., 2002-2007

• Just as a human virus is spread through

contact, so is a computer virus. A virus is a
program that gets onto a computer without a
user's knowledge and then performs an
action that can range from mischievous to
destructive. For a virus to be spread, there
has to be some kind of contact between an
infected user and another user - generally,
that contact is the forwarding of an email that
has an attachment that contains a virus.

© Train Signal, Inc., 2002-2007

• A worm is a type of virus, but a worm can
spread on its own without any "help" from
the infected host. Even worse, a worm can
replicate on its own, resulting in many more
worms attacking other hosts. A common
worm attack involves the worm sending a
copy of itself to every single user listed in
the infected host's email address book.

© Train Signal, Inc., 2002-2007

• A third, more insidious attacker is the Trojan

Horse. In history, the Trojan Horse was presented as
a gift to Troy by the Greeks, and it was filled with
Greek soldiers who attacked once the Horse was
taken inside the city's defenses.
• Today's Trojan Horses attack in much the same
fashion. The program installed by the user may look
legitimate and innocent, but there's another program
inside just waiting to attack the user's computer.

© Train Signal, Inc., 2002-2007

• It's a good idea to periodically remind your

end users about some basic steps they can
take to help prevent unleashing a virus:
– Don't open email attachments from anyone outside
the company.
– Don't download software and install it, especially "fun
and free" software such as gaming programs,
animated cursors, etc.
– Don't open email from anyone you don't know.
© Train Signal, Inc., 2002-2007

Choosing And
Configuring An
Antivirus Program
• I strongly recommend you choose an
antivirus program that offers automatic
updates. If you rely on manual updates - that
is, relying on remembering to go out and
check for updates yourself instead of having
them automatically downloaded when new
updates are available - I can practically
guarantee you're going to forget to do so,
and this can be a fatal mistake for both your
network and your career.

© Train Signal, Inc., 2002-2007

• The #1 mistake network administrators and home PC

owners alike make with antivirus software is not
keeping the program up-to-date. New viruses are
being created every minute of every day, and
reputable antivirus program vendors such as
Symantec are monitoring that situation, looking for
new viruses and writing virus signature updates or
virus definitions regularly. (A virus signature is the
actual binary pattern of a virus, and just as your
signature identifies you, a virus signature identifies
the virus.)

© Train Signal, Inc., 2002-2007

• Even with this protection, 100%

protection from viruses isn't
guaranteed. There are polymorphic
viruses that actually change their own
signature each time they replicate,
which makes it much more difficult for
an antivirus program to identify and
eliminate them
© Train Signal, Inc., 2002-2007

What Files Should
Be Scanned For

• When you configure antivirus software,

you'll have the option of setting a time
when a virus scan should run on the
host, as well as what files should be
scanned for viruses. If your network
PCs are left on at night, setting the
antivirus program to run a full scan at 1
AM is a great idea.
© Train Signal, Inc., 2002-2007

• First on your list should be any file whose

extension is .com, .exe, .ocx, or .dll. These
are all executable files, which are primary
carriers and targets of viruses. I personally
like to scan a host's Microsoft Word
documents as well, since those files are
passed from user to user more often than
any other file type.

© Train Signal, Inc., 2002-2007

• If You Turn Anti-Virus Software Off... TURN IT

• Sorry for the yelling, but this is a great way
for viruses to sneak into your network.
• Most network administrators have been in a
position where they've had to turn the
antivirus program off, and you may have
installed programs on your own PC where
the installation program recommends you to
turn the antivirus program off.
© Train Signal, Inc., 2002-2007

• And don't forget.... lock up your
hardware - literally!

© Train Signal, Inc., 2002-2007

"Hiding" A
Sensitive Network

• VLANs aren't just for limiting the scope

of broadcasts on your network - they're
actually a security feature as well!
• If you have a network in your business
that should be hidden from the rest of
the network, just put the "secret" hosts
in their own VLAN.
© Train Signal, Inc., 2002-2007