1.1 Cisco CCNA 200-301 Training Book

This chapter discusses network communication fundamentals and introduces TCP/IP networking. It covers the history and development of networks to meet increasing demands for video sharing and remote work. Routers interconnect networks and forward packets, addressing traffic congestion issues. Routers perform packet switching, filtering, and path selection using logical addressing between networks, while switches operate within a network. The chapter also introduces the TCP/IP networking model and its layers for data encapsulation.


Cisco CCNA Network Training
Yavuz BULUT, Network Consultant and Instructor

Chapter-1 Introduction
- Introduction
- About the Instructor
- Educational content
- Cisco Certifications

Welcome to CCNA Training
In this training, I will tell you about the basics of wired and wireless networks, how Cisco routers and switches are configured, how to design a wired and wireless network, and how to secure the networks we set up.

Cisco is one of the leading companies in the world in the field of networking. It offers not only network products but end-to-end IT products. By obtaining this certificate, you can find a job in the IT sector more easily. When you look at job postings, Cisco certificates are required even where there are no Cisco devices in the companies' infrastructure, because in this training you learn not only Cisco products but also general network technologies, and other brands often have structures similar to Cisco's.
About the Instructor

By establishing the Ses Telekom company in Malatya in 2001, I continued sales and installation activities of telephone exchanges in Malatya until 2009 and in Istanbul from 2009 to 2011. After I closed Ses Telekom at the end of 2011, my work started to be network-based, so I entered the world of networking by taking Cisco training. I received my first Cisco CCNA certification in 2013, and I got CCNA Security in 2014, CCNA Voice in 2015, CCNP Routing and Switching in 2016, CCNA Collaboration in 2018, Cisco Video Network Specialist in 2018, and CCNP Enterprise in 2020.

Between 2013 and 2016, I worked as a project manager in a company that is a Cisco Gold Partner in Istanbul. After 2016, I started to give networking lessons and share free training videos on YouTube. In 2017, I continued to give training by establishing ICT Academy. As the trainings started to slowly shift towards online education, I decided to publish all of the trainings I gave through ICT Academy on Udemy as of 2020. Currently, I continue to give trainings and consultancy services to corporate companies through Udemy.
Training Content

The training content has been prepared according to the curriculum of the official book prepared by Cisco for the CCNA 200-301 training and includes all CCNA 200-301 exam topics. It consists of a total of 14 chapters and nearly 50 main topics and sub-titles. You can download the Turkish document I prepared for each section under the first lesson of the section.

Chapter-1 Introduction
Introduction, About Instructor, Training Content, and Cisco Certifications

Chapter-2 Network Communication
Introduction to TCP/IP, Ethernet Fundamentals, WAN and IP Routing

Chapter-3 Switch Applications in Network
CLI Usage, Switches Overview, Basic Sw Configuration

Chapter-4 VLAN and STP Applications
VLANs, Spanning Tree Protocol, RSTP and EtherChannel Configuration

Chapter-5 IPv4 Addressing and Subnetting
Looking at Subnetting, Analyzing Classful IPv4 Networks, Analyzing Subnet Masks, Analyzing Existing Subnets

Chapter-6 IPv4 Routing
Router Management, Static Routes, IPv4 Routing and Troubleshooting

Chapter-7 OSPF
OSPF Concepts, OSPF Applications, OSPF Network Types

Chapter-8 IP Version 6
IPv6 Fundamentals, IPv6 Address and Subnet, IPv6 Applications

Chapter-9 Wireless LANs
Wireless Fundamentals, Wireless Architecture, Wireless Security

Chapter-10 Access Control List
TCP/IP Transport and Applications, Basic ACL, Advanced ACL

Chapter-11 Network Security
Security Architecture, Securing Network Devices, Switch Port Security, DHCP, DHCP Snooping and ARP Inspection

Chapter-12 IP Services
Device Management Protocols, NAT, QoS and Various IP Services

Chapter-13 Network Architecture
LAN Architecture, WAN Architecture, Cloud Architecture

Chapter-14 Network Automation
Controller-Based Networking, SDA, REST-JSON, Ansible, Puppet, Chef
About Cisco Certifications and Exam

Cisco certification paths before 2020 and after 2020.

Chapter-2 Network Fundamentals
- Network Communication
- Introduction to TCP/IP
- Ethernet Basics
- WAN and IP Routing

Network Communication

This first chapter will help you understand how networks are interconnected and how networks are connected to each other using Cisco routers and switches. When we connect two or more LANs or WANs together through a router and create a logical network addressing plan with a protocol such as IP, we create a network community (an internetwork).

Fundamentals of Network Communication

Networking operations have been growing very rapidly for the last 30-35 years. Although they started with basic, indispensable user needs such as data and printer sharing, networks are now also used for video conferencing. There have been rapid developments in our networks in order to meet many more demands, such as video sharing and movie-watching platforms. Considering that nowadays the people who need to share network resources are increasingly not in the same office environment, what needs to be done is to connect many networks together so that all users can use these network resources.

In some cases we may have to split a large network into several smaller ones to reduce user response time, because as the network grows, it gets heavier. With all this growth, congestion on the LAN rises to very high levels. The solution is to divide really large networks into smaller networks, which is called network segmentation. We can do this using devices such as routers and switches.

Network connection example for home users.

The main causes of traffic congestion in the LAN are:

• Having many users in a broadcast domain
• Broadcast storms
• Multicasting
• Low bandwidth
• Adding hubs to connect to the network
• Heavy ARP traffic

Today, routers are used to interconnect networks and forward data packets from one network to another.

There are two advantages to using a router in our network:

• By default, they do not forward broadcasts, so a router is the boundary of a broadcast domain.
• They can filter packets using Layer 3 information such as the IP address.

The four router functions in your network are as follows:

• Packet switching
• Packet filtering
• Internetwork communication
• Path selection

Layer 2 switches forward frames using hardware (MAC) addresses. Routers, unlike Layer 2 switches, perform packet switching using logical addressing at Layer 3. Routers can also provide packet filtering using access lists; note that filtering only happens where an access list has been written and applied to an interface, and a router with no access lists forwards every packet it has a route for. Routers use logical addressing (IPv4 or IPv6) when they connect two or more networks; we call this formation a community of networks. Finally, routers use a routing table (a map of the whole set of networks) for path selection and for routing packets to remote networks.
Switches, in contrast, are not used to create a community of networks (by default they do not break up broadcast domains); they are used to add functionality to a network. The main task of a switch is to make a LAN work better by providing higher bandwidth to LAN users and increasing their performance. Switches do not forward packets to other networks as routers do. Instead, they forward frames by switching them from one port to another within the same network.

Enterprise network connection example.

Introduction to TCP/IP
- TCP/IP Networking Model
- History of TCP/IP
- Overview of the TCP/IP Networking Model
- TCP/IP and DoD Model
- TCP/IP Layers
- Data Encapsulation
- OSI Reference Model

Introduction to TCP/IP

TCP/IP Networking Model

The Transmission Control Protocol/Internet Protocol (TCP/IP) family was developed by the Department of Defense (DoD) both to ensure data integrity and to keep communication running in the event of a war. Therefore, if designed and implemented correctly, a TCP/IP network can be truly reliable and flexible.

History of TCP/IP

Today, the TCP/IP networking model is the one used in networks. In the past, however, there were many competing network protocols, and TCP/IP was only one of them. Manufacturers created their own network protocols, and these protocols only supported the computers they produced. For example, IBM, the computer company that had the largest market share in the 1970s and 1980s, released its Systems Network Architecture (SNA) network model in 1974. Other vendors also created their own custom network models. If your company purchased computers from three suppliers, communication was achieved by creating three different networks and then connecting those networks together.

In the late 1970s, the Open Systems Interconnection (OSI) reference model was created by the International Organization for Standardization (ISO) to remove this limitation. The OSI model was developed so that networks from different vendors could work together. The OSI model is a primary architectural model for networks. OSI describes how to transfer data and network information from an application on one computer to an application on another computer across the network environment.
Overview of the TCP/IP Networking Model

The TCP/IP model is a broad protocol model that allows computers to communicate; it uses Requests For Comments (RFC) documents to describe these protocols. (You can find these RFCs using any online search engine.) Another institution is the Institute of Electrical and Electronics Engineers (IEEE), which sets the Ethernet standards. In short, RFCs specify the TCP/IP protocols, while the IEEE sets the Ethernet standards.

TCP/IP and DoD Model

The DoD model is basically a condensed version of the OSI model. It consists of four layers instead of seven:

• Process/Application layer
• Host-to-Host layer
• Internet layer
• Network Access layer

Many series of protocols come together in the Process/Application layer of the DoD model to complete the various activities and tasks that OSI's top three layers (Application, Presentation, and Session) describe.

Process/Application Layer: defines node-to-node application communication and also controls user-interface arrangements.

Host-to-Host Layer: parallels the functions of OSI's Transport layer; it deals with issues such as establishing reliable end-to-end communication and error-free delivery of data. (Reliable here means delivery is acknowledged and retransmitted, not that the data is protected; TCP itself provides no confidentiality or authentication.)

Internet Layer: corresponds to the Network layer of OSI. It defines the protocols for the logical transmission of packets across the entire network, deals with the IP addressing of user machines, and handles functions such as routing packets across multiple networks.

Network Access Layer: monitors the information circulating between the user machine and the network. It corresponds to the Data Link layer and the Physical layer in the OSI model. The Network Access layer controls hardware addressing and defines the protocols for the physical transmission of data.

The figure shows a comparison of the DoD model and the OSI reference model.
TCP/IP Application Layer 5 (5-6-7)

The Application layer is where users actually communicate with the computer. This layer only comes into play when it becomes apparent that the application will need access to the network. Take a web browser as an example: you could remove every network card and networking component from the system and still use the browser to browse local HTML pages. But if you try to do things like browse an HTML page that needs to be retrieved using HTTP, or download a file with FTP or TFTP, the browser will try to reach the Application layer to service such requests.

The Application layer is also responsible for identifying the appropriate communication partner and determining whether it has sufficient resources. These tasks are sometimes important because some applications require more than just desktop resources; examples are file transfers and e-mail. Such applications require remote access, network management activities, and client/server operations.

It shows a simple web page request in the application layer.

HTTP Protocol Mechanisms

When we take a closer look at the example below, we can see how applications on the computer (especially the web browser application and the web server application) use the TCP/IP Application layer. Applications use the Hypertext Transfer Protocol (HTTP) to request a web page and retrieve the web page's content.
TCP/IP Transport Layer (4)

The services in the Transport layer segment the data coming from the Application layer and reassemble it into the same data stream at the receiving end. It provides end-to-end data transfer services and can establish a logical connection between the sender and the destination in a network community.

The two protocols in this layer are described in the following sections:

• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

TCP and UDP work at the Transport layer; we can say that TCP is a reliable (connection-oriented) service and UDP is an unreliable (connectionless) service. That is, application developers have a choice between the two protocols when working with TCP/IP.

The Transport layer is responsible for providing mechanisms for multiplexing upper-layer applications (by port number), creating sessions, and tearing down virtual circuits. It also hides the details of network-related information from the upper layers by providing transparent data transfer.

Port examples for TCP and UDP.
An Example for TCP and UDP

To help you understand how TCP works, we can use the example of a telephone conversation. We know that before we can talk to someone on the phone, we must first establish a connection with the person on the other end. This is similar to the virtual circuit set up by the TCP protocol. If you are giving someone important information during the call, they might say "You know what?", or we might ask "You got that, right?". Saying such things is like the many TCP acknowledgments designed to verify delivery. Sometimes (especially in a phone call) people also ask "Are you still there?". They end the call by saying "Bye" at the end of their conversation. TCP has functions similar to all of these.

Using UDP is similar to sending a postcard. You don't need to first contact the other party to do this. You simply write your message, specify the address on the postcard, and mail it. This is similar to the connectionless nature of UDP. Since the message on the postcard is not a matter of life and death, you do not need confirmation from the recipient. Therefore, UDP does not require acknowledgments.
TCP/IP Network Layer (3)

The Network layer (known as Layer 3) manages device addressing, tracks the location of devices on the network, and determines the best path for data to be transported. In other words, the Network layer is responsible for transferring traffic between devices that are not locally connected to each other. Routers (Layer 3 devices) work at the Network layer and provide routing services in a network community.

When a router receives a packet on an interface, it reads the destination IP address and checks whether the routing table has a route for that address. If there is a matching route (when several routes match, the most specific one, the one with the longest prefix, is used), the router encapsulates the packet in a new frame and sends it out the exit interface toward the next hop. If there is no entry in the routing table for the packet's destination address, the router drops the packet.

Two types of packets are used at the Network layer:

1. Data packets: used to transfer user data across the network community. Protocols used to carry user traffic are referred to as routed protocols; IPv4 and IPv6 are examples of routed protocols.

2. Route update packets: used to update the network information on neighboring routers, which ties together all the routers in the network community. Protocols that send route update packets are called routing protocols; commonly used routing protocols are RIP, RIPv2, EIGRP and OSPF. Route update packets are used to help build and maintain the routing table on each router.

A simple IP Routing example.
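As an added example (not code from the training book), the forwarding decision described above written out as a longest-prefix-match lookup in Python. The routing table entries, next hops and interface names are constructed for the illustration; the constructed default route shows why a router with one configured forwards everything instead of dropping unknown destinations.

```python
import ipaddress

# Constructed routing table: (prefix, next hop, exit interface).
# A next hop of None means the prefix is directly connected.
ROUTING_TABLE = [
    ("10.1.1.0/24",   None,       "GigabitEthernet0/0"),
    ("10.1.2.0/24",   None,       "GigabitEthernet0/1"),
    ("172.16.0.0/16", "10.1.2.2", "GigabitEthernet0/1"),
    ("172.16.5.0/24", "10.1.1.2", "GigabitEthernet0/0"),
]
# A constructed default route; with it present nothing is ever dropped for
# lack of a route, which is why a default route on an edge router needs an
# access list in front of it.
DEFAULT_ROUTE = ("0.0.0.0/0", "203.0.113.1", "Serial0/0")


def build_table(entries):
    """Parse the prefixes once and sort them longest prefix first, so the
    first entry that contains the destination is the most specific route."""
    parsed = [(ipaddress.ip_network(p), nh, intf) for p, nh, intf in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


def lookup(table, dst):
    """Return (next_hop, interface) for the most specific matching route,
    or None when no route covers dst (the router then drops the packet)."""
    addr = ipaddress.ip_address(dst)
    for net, next_hop, intf in table:
        if addr in net:
            return (next_hop, intf)
    return None


def forward(table, dst):
    """Describe the router's action for a packet addressed to dst."""
    match = lookup(table, dst)
    if match is None:
        return f"drop {dst}: no route"
    next_hop, intf = match
    # On a directly connected network the next hop is the destination itself.
    return f"forward {dst} via {next_hop or dst} out {intf}"


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for d in ("172.16.5.10", "172.16.9.1", "10.1.1.5", "192.168.1.1"):
        print(forward(table, d))
    print(forward(build_table(ROUTING_TABLE + [DEFAULT_ROUTE]), "192.168.1.1"))
```

172.16.5.10 is covered by both 172.16.0.0/16 and 172.16.5.0/24; the /24 wins because the table is searched longest prefix first, which is the same rule a Cisco router applies.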


TCP/IP Data Link Layer (2)

The Data Link layer provides for the physical transmission of data. It also handles functions such as error notification, network topology, and flow control. The Data Link layer is responsible for delivering packets on the local network using hardware addresses and for converting messages from the Network layer into bits for the Physical layer.

In the Data Link layer, hosts use MAC addresses to send frames to other devices on the local network and to transfer packets between routers.

Example of sending an IP packet by encapsulating it in an Ethernet frame at Layer 2:

Step 1: Larry creates an Ethernet frame by encapsulating the IP packet between an Ethernet header and an Ethernet trailer.
Step 2: Larry physically transmits the bits of this Ethernet frame using electricity flowing over Ethernet cables.
Step 3: R1 physically receives the electrical signal over the wire and interprets the meaning of the electrical signals, recreating the same bits.
Step 4: R1 removes the Ethernet header and trailer and extracts the IP packet from the Ethernet frame.

TCP/IP Physical Layer (1)

Finally, when we come to the bottom layer, the Physical layer has two tasks: it sends and receives bits. Bits come and go as values of 1 and 0, a kind of digital Morse code.
Data Encapsulation

As you can understand from what we have explained about how all the layers do their jobs, when sending data, each layer adds its own header information to the data handed down by the layer above it; we call this the data encapsulation process.

In TCP/IP, hosts send data using a five-step process. The first four steps relate to encapsulation by the TCP/IP layers; the final step is the physical transmission of the data by the host.

Step 1: Create and encapsulate the application data with the required application layer headers. For example, the HTTP OK message might be returned in an HTTP header, followed by some of the content of a web page.

Step 2: Encapsulate the data provided by the application layer inside a transport layer header. A TCP or UDP header is typically used for end-user applications.

Step 3: Encapsulate the data provided by the transport layer inside a network layer (IP) header. IP defines the IP addresses that uniquely identify each computer.

Step 4: Encapsulate the data provided by the network layer inside a data link layer header and trailer. This is the only layer that uses both a header and a trailer.

Step 5: Transmit the bits. The physical layer encodes a signal onto the medium to transmit the frame.

It shows Data Encapsulation in TCP/IP in 5 steps.
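As an added example (not code from the training book), the five steps carried out on real byte layouts in Python: an HTTP request gets a TCP header, then an IPv4 header with a valid header checksum, then an Ethernet header plus the FCS trailer, and the finished frame is rendered as the bit string the Physical layer sends. The MAC addresses, IP addresses, ports and HTTP payload are constructed for the illustration, and the TCP checksum is left at zero because computing it needs the IP pseudo-header, which is outside this step list.

```python
import struct
import zlib

# Constructed identifiers for the example host and server (made up).
SRC_MAC = bytes.fromhex("0200c0a80164")
DST_MAC = bytes.fromhex("0200c0a80101")
SRC_IP, DST_IP = "192.168.1.100", "192.168.1.1"
SRC_PORT, DST_PORT = 49152, 80
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (the IP header
    checksum). Run over a header that already carries a correct checksum,
    it returns 0, which is how a receiver validates the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def step1_application() -> bytes:
    """Step 1: application data with its HTTP header (a constructed GET)."""
    return b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def step2_transport(payload: bytes) -> bytes:
    """Step 2: prepend a 20-byte TCP header (data offset 5, flags PSH+ACK).
    seq/ack are fixed at 1; the TCP checksum is left zero (see lead-in)."""
    header = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT,
                         1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def step3_network(segment: bytes) -> bytes:
    """Step 3: prepend a 20-byte IPv4 header (no options) with a valid
    header checksum; protocol 6 = TCP, TTL 64, DF flag set."""
    total_len = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, 6, 0,
                         bytes(map(int, SRC_IP.split("."))),
                         bytes(map(int, DST_IP.split("."))))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def step4_datalink(packet: bytes) -> bytes:
    """Step 4: add the Ethernet header (DA, SA, Type) and the FCS trailer.
    The FCS is a CRC-32 over header and data, sent least-significant byte first."""
    header = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    body = header + packet
    return body + struct.pack("<I", zlib.crc32(body))


def step5_physical(frame: bytes) -> str:
    """Step 5: what the Physical layer actually puts on the wire: bits."""
    return "".join(f"{b:08b}" for b in frame)


def encapsulate():
    """Run all five steps; return the frame and the size after each layer."""
    data = step1_application()
    segment = step2_transport(data)
    packet = step3_network(segment)
    frame = step4_datalink(packet)
    sizes = {"data": len(data), "segment": len(segment),
             "packet": len(packet), "frame": len(frame)}
    return frame, sizes


if __name__ == "__main__":
    frame, sizes = encapsulate()
    print(sizes)
    print(step5_physical(frame)[:64], "...")
```

Each layer's header is visible in the growing sizes: 38 bytes of HTTP become a 58-byte segment, a 78-byte packet and a 96-byte frame, and the receiver can check the IP header simply by summing it again and expecting zero.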


OSI Reference Model

One of the best features of the OSI specifications is that they help transfer data between completely different user machines. For example, they allow us to transfer data between a Unix host, a PC and a Mac.

However, OSI is not a physical model. Rather, it is a set of guidelines that application developers can use to build and implement applications running on a network. It also provides a framework for creating and implementing networking standards, devices, and internetworking schemes. OSI has seven layers, divided into two groups. The top three layers describe how applications on end stations communicate with each other and with users. The bottom four layers describe how data is transferred from end to end.

The Application layer is responsible for the communication between applications on different computers and for the user interfaces; the upper layers as a whole deal with the user machines.

None of the upper layers (Layers 7, 6 and 5) know anything about the network setup or network addresses, and the same is true in the TCP/IP model. These are the responsibility of the lower four layers. When we look at the figure below, you can see the operation of the four lower layers, which explains how data is transferred with the help of switches and routers or over a physical cable. These lower layers also determine how the data stream from the source host is rebuilt for the destination host's application.

OSI Reference Model Layers 4-3-2-1

OSI Reference Model vs. TCP/IP Model

OSI Reference Model Layers
Ethernet Fundamentals
- Overview of LANs
- SOHO and Enterprise LANs
- Ethernet Standards in Layer 1
- Ethernet Cabling
- Copper Cable Types
- Fiber Cable Types
- Sending Data on Ethernet
- Ethernet Addressing
- Half and Full Duplex Ethernet
Overview of LANs

Simple SOHO LANs

Small Office / Home Office (SOHO) networks require a device called a switch, which provides physical ports to which many cables can be connected. The switch uses Ethernet cables to connect different Ethernet devices or other switches to its Ethernet ports.

The figure on the left shows a single switch and its connected devices: three PCs, a printer, and a router. (The router connects the LAN to the WAN, in this case the Internet.)

A simple SOHO LAN

Simple Enterprise LANs

Corporate networks have similar aspects to a SOHO network. For example, a corporate network starts with the devices plugged into a LAN switch in a cable closet behind a locked door on each floor of a building. Electricians install Ethernet cables from this cable closet to the offices and conference rooms where devices may need to be connected to the LAN. At the same time, most businesses support wireless LANs in the same areas, allowing people to move around and still work, and supporting the increasing number of devices that have no Ethernet LAN interface.

A simple Enterprise LAN
Ethernet Standards at the Physical Layer

Ethernet was first standardized by a group known as DIX (Digital, Intel and Xerox). This group later handed its work to the IEEE, which created the first IEEE Ethernet standard, 802.3. The first Ethernet standard was a 10 Mbps standard running over coaxial cable, and later over twisted-pair and fiber media. Later, in parallel with developing technologies, new IEEE Ethernet standards were created.

Although Ethernet includes many physical layer standards, Ethernet acts as a single LAN technology because it uses the same data link layer standard over all types of Ethernet physical links. This standard defines a common Ethernet header. Regardless of whether the data flows over a UTP cable or any fiber cable, the data link layer uses the same Ethernet frame format. While the physical layer standards focus on sending bits over a cable, Ethernet focuses on sending the frame.

Ethernet Types

Example of sending data between different Ethernet standards.
The IEEE Ethernet 802.3 standards that we use frequently today are:

1000BaseT (IEEE 802.3ab): Category 5-6-7 four-pair UTP cabling, up to 100 meters.

1000BaseSX (IEEE 802.3z): multimode fiber (MMF) with 62.5 or 50 micron cores; it uses an 850 nanometer laser and can reach up to 220 meters with 62.5 micron fiber and 550 meters with 50 micron fiber.

1000BaseLX: 9 micron core single-mode fiber with a 1300 nanometer laser; it can cover from 3 km to 10 km.

Ethernet Cabling

Ethernet cabling is an important topic, especially if you plan to take the Cisco exams. There are three types of Ethernet cables:

- Straight-through cable
- Crossover cable
- Rollover cable

Straight-Through Cable

A straight-through cable is used to connect:

- Host to switch or hub
- Router to switch or hub

Example of 10 Mbps and 100 Mbps straight-through cable pinout.

Crossover Cable

A crossover cable is used to connect:

- Switch to switch
- Hub to hub
- Host to host
- Hub to switch

Example of 10 Mbps and 100 Mbps crossover cable pinout.

Note: Normally switches are connected to each other with a crossover cable, but in the field straight-through cables are generally used; thanks to the auto-MDIX feature of the switches, we can connect them with a straight-through cable without any problems. (Auto-MDIX only works while the port's speed and duplex are left on auto; hard-coding either disables it.)
Copper Cable Types

The cable is one of the most important components in horizontal cabling for the performance of the entire connection, both in terms of product quality and ease of installation. Cable installation errors will seriously compromise the performance of the installation.

For structured cabling systems, standard Cat 5e, 6 and 6A (100 MHz, 250 MHz and 500 MHz, respectively) require the use of balanced twisted 4-pair cables with 100 Ω impedance.

The cable can be one of the following types:

✓ Unshielded U/UTP (Unshielded Twisted Pairs)
✓ Shielded F/UTP (Foiled Twisted Pairs)
✓ Double-screened SF/UTP or S/FTP

NOTE: Category 7 has not been widely used to date, despite being standardized and offering high levels of performance. Its form factor is used where there are installation difficulties, for cost reasons.

Data transmission cables consist of four pairs arranged inside a sheath according to a specific layout needed to reduce signal loss and crosstalk problems. This layout consists of twisting each pair of conductors separately. The pairs are identified by standard colors. Each pair has a different twist pitch and is twisted differently from the others inside the outer sheath. The conductor size allowed by the standards is between 22 and 26 AWG; 23 AWG is the most commonly used in any case.
Cable Examples

Cat 5e U/UTP, Cat 6 U/UTP, Cat 6 F/UTP, Cat 6 U/FTP, Cat 6 F/FTP, Cat 6A S/FTP

Cat5 and Cat6 Cable Examples.
UTP Cable 1000BaseT (IEEE 802.3ab) Pinouts

Category 5-6-7 four-pair UTP cabling, up to 100 meters. 1000BASE-T (Gigabit Ethernet) differs from 10BASE-T and 100BASE-T in its cable and pinout requirements: all four wire pairs are required for 1000BASE-T, and the pins must match at both ends.

Example of 1000 Mbps straight-through and crossover cable pinout.

Multi Mode Fiber Cable

Multi-mode fiber (MM) is a type of fiber optic cable used over short distances, for example inside a building or campus. Multi-mode fiber optic cable has a 50 or 62.5 micron core that allows multiple modes of light to propagate, so several light paths travel through the core at the same time. The maximum transmission distance for MM cable is around 550 m at 10 Gbit/s and 2 km at 100 Mbit/s; it can go further at lower data rates. Multi-mode fiber optic cables defined by the ISO 11801 standard are classified as OM1, OM2, OM3, OM4 and OM5 fiber.

Multi Mode Fiber Cable Example.
MM OM1 Fiber

OM1 cables come with an orange sheath and have a core size of 62.5 µm. OM1 can support 10 Gigabit Ethernet up to 33 meters, but it is mostly used for 100 Megabit Ethernet applications. OM1 usually uses an LED light source.

MM OM2 Fiber

OM2 comes with an orange sheath similar to OM1 and also uses an LED light source, but with a smaller core size of 50 µm. It supports 10 Gigabit Ethernet up to 82 meters, but is more commonly used for 1 Gigabit Ethernet applications.

MM OM3 Fiber

OM3 fiber comes in aqua or turquoise. Like OM2, its core size is 50 µm, but the cable is optimized for laser-based equipment. OM3 supports 10 Gigabit Ethernet up to 300 meters. OM3 can also support 40 Gigabit and 100 Gigabit Ethernet up to 100 meters; it is commonly used for 1 and 10 Gigabit Ethernet.

MM OM4 Fiber

OM4 is fully backward compatible with OM3 fiber and uses the same aqua outer sheath. OM4 is specially developed for VCSEL laser transmission. It can carry 10 Gbit/s links up to 550 m, and 40/100 Gbit/s up to 150 meters using an MPO connector.

MM OM5 Fiber

OM5 fiber, also known as WBMMF (wideband multimode fiber), is the newest type of multimode fiber and is backward compatible with OM4. OM5 has the same 50 µm core size as OM3 and OM4. The color chosen for the OM5 fiber sheath is lime green. It is designed and specified to support at least four WDM channels at a rate of at least 28 Gbps per channel in the 850-953 nm window.

Multi Mode Fiber Cable Types History Chart
Single Mode Fiber Cable

In fiber optic technology, single-mode fiber (SM), or mono-mode fiber, is an optical fiber designed to propagate a single mode of light as the carrier. Generally, single-mode cable has a narrow core diameter of 8 to 10 µm (micrometers) and carries light at wavelengths of 1310 nm and 1550 nm. The small single-mode fiber core size virtually eliminates the distortion caused by overlapping light pulses. Therefore, single-mode fiber optic cable provides the least signal attenuation and the highest transmission rates. For these reasons, single-mode optical fiber is the best choice for long-distance data transmission.

SMF fiber types can be categorized as OS1 and OS2. OS1 and OS2 are standard single-mode optical cables used at 1310 nm and 1550 nm wavelengths, with a maximum attenuation of 1 dB/km and 0.4 dB/km respectively.

OS1 fiber is a tight-buffered cable designed for indoor applications (such as campuses or data centers) where the maximum distance is 10 km. OS2 fiber is a loose-tube cable designed for use where the maximum distance is up to 200 km (such as street ducts, underground and direct-burial installations). Both OS1 and OS2 fiber optic cable support 10G Ethernet. In addition, OS2 fiber can support 40G and 100G Ethernet.

Single Mode Advantages

✓ Longer transmission distance
✓ Larger bandwidth capacity
✓ Increased transmission speed
✓ Limited dispersion and external noise
✓ Low signal attenuation

Single Mode Fiber Cable Core
Sending Data on Ethernet

Ethernet Frames

The Data Link layer is responsible for combining bits into bytes and bytes into frames. Frames are used at the Data Link layer to encapsulate packets handed down from the Network layer for transmission on a type of media access. The function of Ethernet stations is to pass data frames between each other using a group of bits known as the MAC frame format. This provides error detection with a CRC (cyclic redundancy check). But remember that this is error detection, not error correction: a frame with a bad CRC is discarded, not repaired.

Ethernet Frame Format

Preamble: an alternating 1,0 pattern that provides a 5 MHz clock at the start of each frame, which allows the receiving devices to lock onto the incoming bit stream.

Start Frame Delimiter (SFD)/Synch: the SFD is 10101011, where the last pair of 1s allows the receiver to come into the alternating 1,0 pattern somewhere in the middle and still sync up to detect the beginning of the data.

Destination Address (DA): the DA is used by receiving devices to determine whether an incoming frame is addressed to a particular node. The destination address can be an individual (unicast) address or a broadcast or multicast MAC address.

Source Address (SA): the SA is a 48-bit MAC address used to identify the transmitting device. Broadcast and multicast address formats are invalid in the SA field.

Length or Type: 802.3 uses a Length field, but the Ethernet (Ethernet II) frame uses a Type field to identify the Network layer protocol. 802.3 cannot identify upper-layer protocols and must be used with a proprietary LAN protocol (such as IPX).

Data: this is the packet sent down from the Network layer to the Data Link layer. Its size can vary from 46 to 1,500 bytes.

Frame Check Sequence (FCS): the FCS is a field at the end of the frame that stores the CRC.
I Ethernet Fundamentals

Ethernet Addressing
Ethernet addressing uses the Media Access Control (MAC) address printed on Network Interface Cards (NIC). A MAC or hardware address is a 48-bit (6-byte) address written in hexadecimal format. Below is the 48-bit MAC address and how the bits are split.

Unicast Ethernet Address Format
The Organizationally Unique Identifier (OUI) is assigned to an organization by the IEEE. It consists of 24 bits or 3 bytes. The organization, in turn, assigns a (24-bit or 3-byte) address that is unique (by default and not guaranteed) to each NIC it produces.

Sending data in a Full Duplex Ethernet LAN
1. PC1 creates and sends the original Ethernet frame using its MAC address as the source address and PC2's MAC address as the destination address.
2. SW1 receives the Ethernet frame and transmits it from its G0/1 interface to SW2.
3. Switch SW2 receives the Ethernet frame and transmits it from its F0/2 interface to PC2.
4. PC2 realizes that it is the destination MAC address, receives the frame and processes it.
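As an added example (not code from the book), here is a small Python parser for the frame format and addressing just described: it builds an Ethernet II frame with a CRC-32 FCS, then parses one back, classifying the destination by the I/G bit as unicast, multicast or broadcast, extracting the OUI, telling an 802.3 Length from an Ethernet II Type, and checking the FCS. The MAC 0200.1111.1111 appears in the book's later switch examples; 0200.2222.2222 and the payload are constructed.

```python
import struct
import zlib

BROADCAST = b"\xff\xff\xff\xff\xff\xff"
# Ethernet II Type values (0x0800 IPv4 and 0x0806 ARP are the ones this book deals with)
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def mac_str(b: bytes) -> str:
    """6 raw bytes -> hexadecimal MAC address, e.g. 02:00:11:11:11:11."""
    return ":".join(f"{x:02x}" for x in b)


def classify_mac(b: bytes) -> str:
    """Broadcast is all ones; otherwise the I/G bit (LSB of the first byte)
    says unicast (0) or multicast (1)."""
    if b == BROADCAST:
        return "broadcast"
    return "multicast" if b[0] & 0x01 else "unicast"


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: DA, SA, Type, Data (padded to the 46-byte minimum), FCS.
    Preamble and SFD are omitted: the NIC strips them before software sees the frame."""
    if len(payload) > 1500:
        raise ValueError("Data field exceeds 1500 bytes")
    payload = payload.ljust(46, b"\x00")
    body = dst + src + struct.pack("!H", ethertype) + payload
    # The 802.3 FCS is the same CRC-32 zlib computes; it is sent least-significant byte first
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and verify the FCS. The CRC only detects
    corruption: a frame that fails is reported (a NIC would discard it), never repaired."""
    if len(frame) < 64:
        raise ValueError("runt frame: shorter than 64 bytes")
    body, fcs = frame[:-4], frame[-4:]
    dst, src = body[:6], body[6:12]
    if classify_mac(src) != "unicast":
        raise ValueError("source address must be a unicast MAC")
    (type_or_len,) = struct.unpack("!H", body[12:14])
    # 802.3 puts a Length here (<= 1500); Ethernet II puts a Type (>= 0x0600)
    if type_or_len <= 1500:
        kind, desc = "802.3 length", str(type_or_len)
    else:
        kind, desc = "Ethernet II type", ETHERTYPE_NAMES.get(type_or_len, hex(type_or_len))
    return {
        "dst": mac_str(dst), "dst_kind": classify_mac(dst),
        "src": mac_str(src), "src_oui": mac_str(src[:3]),   # IEEE-assigned OUI = first 3 bytes
        "type_field": kind, "type_desc": desc,
        "data": body[14:],
        "fcs_ok": struct.pack("<I", zlib.crc32(body)) == fcs,
    }


def demo() -> dict:
    """The PC1 -> PC2 frame from the text, once intact and once with a single flipped bit."""
    pc1 = bytes.fromhex("020011111111")   # 0200.1111.1111 (used in the book's switch examples)
    pc2 = bytes.fromhex("020022222222")   # constructed
    good = build_frame(pc2, pc1, 0x0800, b"constructed IPv4 payload")
    corrupted = bytearray(good)
    corrupted[20] ^= 0x01                 # one bit of the Data field flipped in transit
    return {"good": parse_frame(good), "corrupted": parse_frame(bytes(corrupted))}


if __name__ == "__main__":
    for name, fields in demo().items():
        print(name, {k: v for k, v in fields.items() if k != "data"})
```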
I Ethernet Fundamentals

Half and Full Duplex Ethernet

When the IEEE first introduced 10BASE-T in 1990, switches didn't exist yet; instead, devices called hubs were used. Like a switch, the hub used ports with RJ-45 connections to interconnect PCs; however, hubs used different rules to transmit data.

Hubs transmit data using physical layer standards rather than data link standards and are therefore considered Layer 1 devices. When a hub receives an electrical signal, the hub sends that electrical signal to all other ports (except the inbound port). Thus, the data reaches all other hosts connected to the hub.

The disadvantage of using hubs is that if two or more devices transmit a signal at the same time, the electrical signals will collide and become corrupted. The hub repeats all received electrical signals, even if it receives multiple signals at the same time. For example, the figure shows PCs Archie and Bob sending an electrical signal simultaneously (in Steps 1A and 1B) and the hub repeating both electrical signals to Larry on the left (Step 2).

Collision occurs due to the working logic of the hub

If you replace the hub with a switch in the figure above, the switch avoids the collision on the left. The switch operates as a Layer 2 device, meaning it looks at the data link header and frames. A switch looks up MAC addresses, and even if the switch has to forward both packets to Larry on the left, the switch sends the first packet and queues the other packet until the first packet is finished.

Example of Half and Full Duplex Ethernet working together in a simple LAN.
WAN and IP Routing Fundamentals

I Wide Area Network (WAN)
I Leased-Line WANs
I Using Ethernet in WAN
I IP Routing
I How to Use IP Routing in Layer 3
I Layer 3 Other Features
I DNS, ARP, Ping
I WAN Fundamentals

Wide Area Network (WAN)

Cisco IOS supports many different wide area network (WAN) protocols to help you extend your local networks to other remote networks. Doing your own structured cabling between different regions and trying to connect all remote locations of your company using your own infrastructure may not be cost effective or possible. A much better solution is to lease existing infrastructure that service providers already have.

In this section, we will continue by talking about the different connection types, technologies and devices commonly used in WANs. In this chapter, I will talk about High-Level Data-Link Control (HDLC), Point-to-Point Protocol (PPP) and Leased-Line WAN connections. Other WAN services such as Metro Ethernet, DSL, MPLS and VPN will also be covered in Chapter-13 on WAN Architecture.

Leased-Line WANs

To connect your local networks to the local networks in your remote offices using a WAN, you use a router with a WAN connection for each local network. First, you get the WAN connection suitable for your business from an ISP (Internet Service Provider) and start using it.

Routers connect to both the WAN and the LAN as shown in the figure below. Note that a curved line between routers is a common way to represent a Leased-Line when the drawing need not show any physical details of the line.

Example of Leased-Line on a simple Enterprise network.
I WAN Fundamentals

The Leased-Line service receives and sends bits in both directions at a predetermined rate using full duplex logic. In fact, it logically behaves as if you had a bidirectional crossover full duplex Ethernet connection between the two routers, as shown in the figure. A Leased-Line uses two pairs of cables to send data, allowing bidirectional operation.

Logical View of Leased-Line Service

HDLC Data-Link Details of Leased-Lines
Leased-Lines provide a Layer 1 service. In other words, the line receives and sends bits between the devices connected to it. However, the leased line itself does not define a data link layer protocol to be used on the leased line.

Since Leased-Lines define only a Layer 1 transmission service, many companies and standards organizations have created data link protocols to control and use Leased-Lines. Today, the two most popular data-link layer protocols used for leased lines between two routers are High-Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP).

All data-link protocols follow a similar path to control the correct delivery of data over a physical link of a certain type. For example, the Ethernet data-link protocol uses a destination address field to identify the correct device that should receive the data, and an FCS field in the Ethernet frame to check that the receiving device received the data correctly. HDLC provides similar functionality.

Note: The default data link protocol of Leased-Line lines is HDLC.


I WAN Fundamentals

How Routers Use the WAN Data Link

Leased-Lines connect to routers, and routers focus on delivering packets to the target computer. However, because routers are physically connected to both LANs and WANs, the router needs to send this data inside frames.

First, the TCP/IP network layer focuses on forwarding IP packets from the source device to the destination device. Basically, LANs and WANs act as a way to carry packets to the next router or end-user device. The figure shows the point of view of the Network Layer.

IP Routing Logic over LANs and WANs

General Concept of Routers De-encapsulating and Re-encapsulating IP packets

I WAN Fundamentals

Using Ethernet on WAN

When Ethernet first came out, it was only suitable for LANs. Due to the limitations in cable lengths and devices, we were able to set up a LAN that extended up to a kilometer or two.

As time went on, the IEEE improved its Ethernet standards, making it a good WAN technology. For example, the 1000BASE-LX standard uses single-mode fiber cable that supports a cable length of 5 km; the 1000BASE-ZX standard also supports a 70 km cable length. As time went on and the IEEE improved the cabling distances for fiber Ethernet connections, Ethernet became a good WAN technology.

Many WAN service providers (SPs) today offer WAN services that leverage Ethernet. SPs offer various Ethernet WAN services to their customers.

Example of Fiber Ethernet Connection for Connecting a CPE Router to the Service Provider's WAN.
I IP Routing Fundamentals

IP Routing
Internet Protocol (IP)
Internet Protocol (IP) is effectively the Network layer. The other protocols found here exist only to support it. IP has an overview of the whole picture: it is aware of all interconnected networks. IP looks at the destination address of each packet, then chooses the best route using a routing table and decides where to send the packet.

Network Layer Routing (Forwarding) Logic

Routers and end-user computers (called hosts in a TCP/IP network) work together to perform IP routing. The host operating system (OS) has TCP/IP software, including software that implements the network layer. The host uses this software to choose where to send IP packets, usually to a nearby router. The routers in turn choose where to send the IP packet. Together, the hosts and routers deliver the IP packet to the correct destination, as shown in the example in the figure.

CPE PC-1 to PC-2 Routing Logic
I IP Routing Fundamentals

How Does IP Routing Work in Layer 3 (Network Layer)?

Although the network layer routing logic ignores the physical transmission details, the bits still need to be transmitted. To do this, the Network layer logic in a host or router must deliver the packet to the Data Link layer protocols, which in turn ask the physical layer to actually send the data. Before sending the frames over each physical network, the Data Link layer creates a frame and adds the appropriate header and trailer to the packet.

The following list summarizes how a router moves each packet from one interface to another at the network layer, starting with the incoming frame:

Step 1: To ensure that there is no error in the frame, the data link layer uses the Frame Check Sequence (FCS) field and discards the frame if an error is found.

Step 2: Assuming the frame was not discarded in Step 1, the router discards the old data link header and trailer, leaving the IP packet.

Step 3: The router compares the destination IP address in the IP packet with the routing table and finds the most suitable route to the destination address. This route shows the next router's IP address and the router's output interface.

Step 4: The router encloses the IP packet in a new data-link header and trailer suitable for the outgoing interface and transmits the frame.

CPE PC-1 to PC-2 Routing Logic
I IP Routing Fundamentals

In the figure, we will look at what stages the packet sent from PC-1 to PC-2 goes Next, R1 compares the destination address of the packet (150.150.4.10) with
through in Network Layer and Data Link Layer. the routing table and finds the outbound route to subnet 150.150.4.0. R1
forwards the packet from the interface (Serial0) to R2 (150.150.2.7) on this
matching route. R1 first encapsulates and sends the IP packet to an HDLC
frame.

Step C: When R2 receives HDLC frame, it repeats the same process as R1. R2
checks the FCS field and detects no errors, and then discards HDLC header
and trailer information. Then R2 compares the destination address of the
packet (150.150.4.10) with the routing table and finds the route to subnet
150.150.4.0 and sends the packet from Fast Ethernet 0/0 to 150.150.3.1. R2
sends the HDLC packet from R1 back to the Ethernet Frame by encapsulation.
Network Layer and Data-Link Layer Encapsulation

Step A: Network layer of PC1 adds PC2's IP address(150.150.4.10). To check if Step D: Like R1 and R2, R3 checks FCS, discards old data-link header and
trailer information, and looks at its own route table for 150.150.4.0 subnet,
this IP address is local, it should send it to the default router. PC1 adds an
but because R3 is directly connected to 150.150.4.0 subnet, there is no next
Ethernet data link frame with the IP address of PC2 and R1 to the IP packet
router. All R3 has to do is encapsulate it by adding PC2's mac address and
and sends the frame to Ethernet.
destination ethernet address to the incoming Ethernet frame information.
Step B: R1 checks if there is an error in the FCS of the incoming ethernet frame
Note: At the bottom of the Figure, R3 will use ARP once to learn PC2's MAC address before
and if there is no error, it discards the header and trailer information.
sending any packets to PC2.
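As an added example (not the book's code), the routing-table lookup of Step 3 and the hop-by-hop walk of Steps A to D in Python: each router does a longest-prefix match, hands the packet to the next hop, and the last router delivers it on its directly connected subnet. It also returns the two error outcomes a router can reach, no matching route and an exhausted hop count. The subnet 150.150.4.0, next hops 150.150.2.7 and 150.150.3.1, R1's Serial0 and R2's FastEthernet0/0 are from the text; the /24 masks, PC1's 150.150.1.0 LAN, R1's default route and the other interface names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str
    next_hop: Optional[str] = None      # None: the subnet is directly connected


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed routing tables for the R1 -> R2 -> R3 path of the text. Masks, PC1's
# LAN, the default route and the interface names not named in the text are assumptions.
ROUTING_TABLES = {
    "R1": [
        Route(net("150.150.1.0/24"), "FastEthernet0/0"),
        Route(net("150.150.2.0/24"), "Serial0"),
        Route(net("150.150.4.0/24"), "Serial0", "150.150.2.7"),
        Route(net("0.0.0.0/0"), "Serial0", "150.150.2.7"),     # default route (assumed)
    ],
    "R2": [
        Route(net("150.150.2.0/24"), "Serial0"),
        Route(net("150.150.3.0/24"), "FastEthernet0/0"),
        Route(net("150.150.4.0/24"), "FastEthernet0/0", "150.150.3.1"),
    ],
    "R3": [
        Route(net("150.150.3.0/24"), "FastEthernet0/1"),
        Route(net("150.150.4.0/24"), "FastEthernet0/0"),
    ],
}
NEXT_HOP_OWNER = {"150.150.2.7": "R2", "150.150.3.1": "R3"}   # which router holds each next-hop IP


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Step 3: among the routes that contain dst, pick the longest (most specific)
    prefix, so 150.150.4.0/24 wins over the 0.0.0.0/0 default."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(first_router: str, dst: str, ttl: int = 64) -> Tuple[str, List[dict]]:
    """Repeat Steps 3-4 router by router until the destination subnet is directly
    connected. Returns (outcome, hops) where outcome is 'delivered', 'unreachable'
    (no route: the router answers with ICMP Destination Unreachable) or
    'ttl-exceeded' (hop limit hit: ICMP Time Exceeded, which traceroute relies on)."""
    hops: List[dict] = []
    router = first_router
    while True:
        ttl -= 1                                   # each router decrements the hop count
        if ttl == 0:
            return "ttl-exceeded", hops
        route = lookup(ROUTING_TABLES[router], dst)
        if route is None:
            return "unreachable", hops
        hops.append({"router": router, "out": route.out_iface, "next_hop": route.next_hop})
        if route.next_hop is None:
            return "delivered", hops               # last router ARPs for the host itself
        router = NEXT_HOP_OWNER[route.next_hop]


if __name__ == "__main__":
    print(forward("R1", "150.150.4.10"))          # the PC2 packet: R1 -> R2 -> R3, delivered
    print(forward("R1", "10.0.0.1"))              # default route to R2, which has no route
    print(forward("R1", "150.150.4.10", ttl=2))   # hop limit reached at R2
```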
I IP Routing Fundamentals

IP Header
The routing process uses the IPv4 header as shown in the figure below. The 32-bit source IP address and the 32-bit destination IP address are listed in the header.

Of course, there are more information fields in the header. But we will cover as much as the CCNA training covers. For now we will focus on the source and destination IP fields. Note that in the examples in this section, the IP header information remains unchanged by the IP routing process, while routers remove and add data-link headers each time they forward a packet.

IP Header is 20 Bytes in total
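As an added example (not code from the book), this Python code packs and parses the 20-byte IPv4 header described above and verifies its header checksum. It also shows the one thing a router does touch in the header, decrementing TTL and recomputing the checksum, while the 32-bit source and destination fields stay exactly as the sender set them. 150.150.4.10 is PC2 from the text; 150.150.1.10 is a constructed address for PC1.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"      # 20-byte header with no options


def internet_checksum(data: bytes) -> int:
    """One's complement of the one's-complement sum of all 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_ipv4_header(src: str, dst: str, ttl: int, protocol: int, payload_len: int) -> bytes:
    """Version 4, IHL 5 (20 bytes); checksum computed over the header with the field zeroed."""
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + payload_len, 0, 0,
                      ttl, protocol, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Pull out the fields the routing process uses; checksum_ok False means a
    receiver would discard the packet as corrupted."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "total_length": total_len,
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,   # a valid header sums to zero
    }


def router_forward(pkt: bytes) -> bytes:
    """What every router does to the header: TTL minus one and a fresh checksum.
    Source and destination addresses are left untouched."""
    if pkt[8] <= 1:
        raise ValueError("TTL expired: router discards the packet and sends ICMP Time Exceeded")
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1                                  # TTL is byte 8 of the header
    hdr[10:12] = b"\x00\x00"                     # zero the checksum field before recomputing
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


if __name__ == "__main__":
    h = build_ipv4_header("150.150.1.10", "150.150.4.10", ttl=64, protocol=1, payload_len=64)
    for _hop in range(3):                        # R1, R2 and R3 each forward the packet
        h = router_forward(h)
    print(parse_ipv4_header(h))                  # ttl 61, same src/dst, checksum_ok True
```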


I IP Routing Fundamentals

Layer 3 (Network Layer) Other Features

TCP/IP defines many functions in the Network Layer beyond IP. Of course, IP plays a huge role in networking today by defining IP addressing and IP routing. However, other standards and protocols defined by RFCs are also very important at the network layer. In the last part of this section, I will talk about 3 network layer features that will help you a lot in the future.

✓ Domain Name System (DNS)
✓ Address Resolution Protocol (ARP)
✓ Internet Control Message Protocol (ICMP)

Domain Name System (DNS)

Domain Name Service (DNS) resolves computer names, especially internet names such as www.routersim.com. You don't have to use DNS; you can just type the IP address of the device you want to connect to. An IP address identifies user machines on both the network and the internet. However, DNS is designed to make our lives easier.

Consider: what if you wanted to move your web page to another service provider? Your IP address would change and no one would know your new IP. DNS lets you use a domain name to specify an IP address. You can change your IP address as often as you want and no one will need to know about the change.

DNS is used to resolve an FQDN (fully qualified domain name) such as www.yavuzbulut.com or ccna.yavuzbulut.com. An FQDN is a hierarchy that logically places a host within a domain identifier-based system.

A simple DNS Request
I IP Routing Fundamentals

Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) finds the hardware address of a machine from a known IP address. When IP has a datagram to send, it has to give the hardware address of the destination in the local network to a Network layer protocol such as Ethernet or Token Ring (the destination's IP address is already known from the upper-layer protocols). If IP cannot find the hardware address of the target machine in the ARP cache, it will use ARP to find this information.

A simple ARP Query

Like the detective of IP, ARP queries the local network by sending a broadcast requesting the hardware address of the machine with a specific IP address. Essentially, ARP translates the software (IP) address into a hardware address (for example, the Ethernet board address of the target machine) and from that infers its location on the LAN by sending a broadcast for the address. Figure 3-11 shows how ARP looks at the local network.
I IP Routing Fundamentals

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP) runs at the Network layer and is used by IP for many different services. ICMP is a management protocol and messaging service provider for IP. Its messages are carried as IP datagrams. RFC 1256 is an addition to ICMP that gives hosts extended capability in discovering routes to gateways.

ICMP packets have the following features:
- They provide user machines with information about network problems.
- They are encapsulated in IP datagrams.

The following are some common ICMP-related events and messages:

Destination Unreachable: If a router can no longer send an IP packet, it uses ICMP to send a message to the sender stating its status. For example, let's take a look at Figure 3-12, which shows that the Lab_B router's E0 interface is down. When HostA sends a packet destined for HostB, the Lab_B router will send an ICMP destination unreachable message to the sending device (HostA in this example).

Buffer Full: If the router's buffer is too full to receive incoming packets, it will use ICMP to send this message until the congestion is cleared.

Hops: Each IP packet is allowed to pass through a certain number of routers, known as hops. If it reaches the hop limit before it reaches its destination, the last router that received this packet deletes it. Next, that router uses ICMP to send an obituary message notifying the sending machine that the packet is dead.

Ping: Packet Internet Groper (Ping) uses ICMP echo request and echo reply messages to check the physical and logical connectivity of machines in a network community.

Traceroute: Using ICMP time-outs, Traceroute is used to find the path a packet travels through the network community.

A Simple ICMP Example

Note: Both the Ping and Traceroute commands (also used as trace; Microsoft Windows uses tracert) allow you to verify your address settings in your network community.
Chapter-3
Switch Applications in Network

04 - Using Command-Line Interface
05 - Switches Overview
06 - Basic Switch Configuration
07 - Configuring Switch Interfaces

Using CLI
I Accessing Cisco Switch with CLI
I Connecting to Cisco Switch
I Connecting to Console with Cable
I Connecting with Telnet
I Connecting via SSH
I Reviewing Router Modes
I Cisco IOS Configuration
I Using the Command-Line Interface

Accessing Cisco Switch with CLI

IOS User Interface

The Cisco Internetwork Operating System (IOS) is the kernel of Cisco routers and many switches. In case you didn't know, a kernel is the essential core part of an operating system, providing administrative capabilities and resources such as low-level hardware interfaces and security.

Connecting to Cisco Switch

You can connect to a Cisco switch to configure it, verify the configuration, and check statistics. There are different ways to do this, but the most common is to first connect to it via the console port. The console port is an RJ-45 (8-pin modular) connection, which is usually located on the back of the switch, or on the front on newer models. Newer models also have a mini-USB B console port. By default, a password may or may not be set. By default it uses Cisco as the username and password.

The second way to connect to a Cisco switch is with the Telnet program over the network. Telnet is a terminal emulation program that acts as a dumb terminal. Another way of connecting is via SSH, which is the most secure way to connect to devices over the network.

Figure 4-1 CLI Connection Options
Figure 4-2 USB or Serial Console Cable Connection Options
I Using the Command-Line Interface

Connecting to Console with Cable

Figure 4-3 shows the Cisco 2960-XR Switch Console Port Inputs.

The switch console port settings must be configured to match the computer's serial port settings. The default console port settings on a switch are as follows.

✓ 9600 bits/second
✓ No hardware flow control
✓ 8-bit ASCII
✓ No parity bits
✓ 1 stop bit

Figure 4-4 Terminal settings for console access.

As a terminal program, you can use programs such as PuTTY or SecureCRT in the simplest way. With these programs, you can make serial, telnet and ssh connections.
I Using the Command-Line Interface

Connecting with Telnet

Telnet, part of the TCP/IP protocol stack, is a virtual terminal that allows you to connect to remote devices to gather information and run programs.

After your routers and switches are configured, you can use the Telnet program to reconfigure and/or control your switches and routers without using a console cable. For Telnet to work, you need to have VTY passwords on your switches and routers.

line vty 0 ?
line vty 0 4
password telnet
login

Connecting via SSH

Instead of Telnet, you can use Secure Shell. SSH creates a more secure session than Telnet applications that use unencrypted data streams. Secure Shell (SSH) uses encrypted keys to send data so your username and password are not sent in the clear.

Reviewing Switch Modes

For configuration from the CLI, you can make general changes to the switch by typing configure terminal (or config t for short). This will take you to the global configuration mode and change the settings known as the running-config. A global command (run from global config) is set only once and affects the entire switch.

You can type config from the command line in privileged mode and then just press Enter to accept the terminal default. It looks like this:

Bulut-R1#config
Configuring from terminal, memory, or network [terminal]? [press enter]
Enter configuration commands, one per line. End with CNTL/Z.
Bulut-R1(config)#

Figure 4-5 User and Privileged Mode.
I Using the Command-Line Interface

Cisco IOS Configuration

The User Mode example below gives a warning when you try to run the reload command in user mode; this command works in privileged mode.

Press RETURN to get started.
User Access Verification
Password:
Bulut-SW1>
Bulut-SW1> reload
Translating "reload"
% Unknown command or computer name, or unable to find computer address
Bulut-SW1> enable
Password:
Bulut-SW1#
Bulut-SW1# reload
Proceed with reload? [confirm] y
00:08:42: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.

Figure 4-6 Switching between modes.

Some Basic Commands We Will Use:
enable
disable
configure terminal
hostname
line console 0
password xxxxxxxx
login
interface GigabitEthernet
show running-config
show startup-config
write erase
erase startup-config
erase nvram:


Overview of Switches

I LAN Switching Concepts
I Overview of Switch Operation Logic
I Mac Address Learning
I Loop Avoidance
I Analyzing and Verifying Switch
I Switches Overview

LAN Switching Concepts

Two LAN examples are given in Figure 5-1: the first is a Campus LAN and the other is a Data Center LAN. At first glance, it seems that there is no difference, but end user devices are connected to the access switches in the Campus LAN, and servers are connected to the access switches on the data center side. Although the topology is the same here, we will choose and design our switches according to where we will use them; when designing the network, we need to pay attention to what type of devices will be connected and how much traffic there will be.

Figure 5-1 Example of Campus LAN and Data Center LAN.

Overview of Switch Operation Logic

Consequently, the role of a switch is to transmit Ethernet frames. Switches are connected to each other, connecting user devices, servers and other devices. The primary job of the switches is to forward the frames to the correct destination (MAC) address. To achieve this goal, the switches use logic based on the source and destination MAC addresses in the Ethernet frame header.

Figure 5-2 Example of Switch Forwarding and Filtering Decision.
I Switches Overview

Figure 5-3 Example of Two Switch Forwarding and Filtering Decisions. First Switch.

A Layer 2 switch has three main functions.

✓ Address learning
✓ Forward and filter decisions
✓ Loop avoidance

Address Learning: Layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called the forward/filter table.

Forward/filter Decisions: When a frame is received on an interface, the switch looks at the destination hardware address and finds the output interface in the MAC database. The frame is sent out of the specific destination port.

Loop Avoidance: Network loops can occur if multiple connections between switches are created for redundancy. Spanning Tree Protocol (STP) is used to stop network loops while redundancy is still allowed.

Let's take a look at how forwarding and filtering is done in a two-switch network in Figures 5-3 and 5-4.

Figure 5-4 Example of Two Switch Forwarding and Filtering Decisions. Second Switch.
I Switches Overview

Mac Address Learning

Fortunately, network staff do not need to know all these MAC addresses. Instead, each switch performs one of its main functions, MAC address learning. The switch builds the address table by listening to the incoming frames and examining the source MAC address in the frames. A frame enters the switch, and if the source MAC address is not in the MAC address table, the switch adds that MAC address to the table. This table entry lists the interface from which the frame came. The learning logic of the switch is that simple.

Figure 5-5 Switch Learning: Adding an Empty Table and Two Entries.

Avoiding the Loop

Redundant links between switches are good as they protect the entire network from becoming unusable if one link fails. But backup links, although very useful, can cause more problems than they solve. Because frames are sent simultaneously over all redundant links, they cause network loops and other problems.

If there is no loop prevention mechanism, the switches will send broadcasts nonstop across the network community. This is sometimes described as a broadcast storm. Figure 5-6 shows how a broadcast spreads across the network. Observe how a frame is constantly circulating through the physical network medium of the network community.

Figure 5-6 Formation of a loop and its transformation into a broadcast storm.
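As an added example (not the book's code), a Python model of the three switch functions covered above: each switch learns source MACs per port, forwards known unicasts out one port, floods unknown unicasts and broadcasts, and filters a frame whose destination sits behind the port it arrived on. A second, redundant link with no STP turns a single broadcast into the storm of Figure 5-6, which the model detects by capping the number of forwarded copies. The topology, port names and the MACs 0200.2222.2222 and 0200.3333.3333 are constructed; 0200.1111.1111 is the address used in the book's own commands.

```python
from collections import deque
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"
Port = Tuple[str, str]          # (switch name, port name)


class Switch:
    """A Layer 2 switch reduced to its jobs: learn source MACs per port and make
    the forward/filter decision. Without STP it will happily flood a loop forever."""

    def __init__(self, name: str, ports: List[str]):
        self.name, self.ports = name, list(ports)
        self.mac_table: Dict[str, str] = {}        # MAC -> port it was learned on

    def receive(self, in_port: str, src: str, dst: str) -> List[str]:
        """Return the egress ports for a frame src -> dst that arrived on in_port."""
        self.mac_table[src] = in_port               # address learning (Figure 5-5)
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # unknown: flood all but ingress
        out = self.mac_table[dst]
        return [] if out == in_port else [out]      # filter if dst is behind in_port, else forward


class Lan:
    """Switches joined by point-to-point links; anything on an unlinked port is a host."""

    def __init__(self, switches: List[Switch], links: List[Tuple[Port, Port]]):
        self.switches = {s.name: s for s in switches}
        self.links: Dict[Port, Port] = {}
        for a, b in links:
            self.links[a], self.links[b] = b, a

    def send(self, sw: str, port: str, src: str, dst: str, max_events: int = 1000) -> int:
        """Inject one frame at (sw, port) and count every copy a switch sends out.
        With a loop the count never settles, so it is capped at max_events."""
        queue = deque([(sw, port)])
        events = 0
        while queue:
            name, in_port = queue.popleft()
            for out in self.switches[name].receive(in_port, src, dst):
                events += 1
                if events >= max_events:
                    return events                   # broadcast storm (Figure 5-6)
                if (name, out) in self.links:       # the copy crosses to the other switch
                    queue.append(self.links[(name, out)])
        return events


HOST_A, HOST_B, HOST_C = "0200.1111.1111", "0200.2222.2222", "0200.3333.3333"


def build_lan(redundant_link: bool = False) -> Lan:
    """SW1 (host A on F0/1, host B on F0/2) and SW2 (host C on F0/3) joined on G0/1;
    redundant_link adds a second G0/2-G0/2 link with no STP to block it."""
    sw1_ports, sw2_ports = ["F0/1", "F0/2", "G0/1"], ["F0/3", "G0/1"]
    links = [(("SW1", "G0/1"), ("SW2", "G0/1"))]
    if redundant_link:
        sw1_ports.append("G0/2")
        sw2_ports.append("G0/2")
        links.append((("SW1", "G0/2"), ("SW2", "G0/2")))
    return Lan([Switch("SW1", sw1_ports), Switch("SW2", sw2_ports)], links)


if __name__ == "__main__":
    lan = build_lan()
    print("A->C unknown, flooded copies:", lan.send("SW1", "F0/1", HOST_A, HOST_C))    # 3
    print("C->A learned, forwarded copies:", lan.send("SW2", "F0/3", HOST_C, HOST_A))  # 2
    print("SW1 table:", lan.switches["SW1"].mac_table)
    print("broadcast with a loop:", build_lan(True).send("SW1", "F0/1", HOST_A, BROADCAST, 500))
```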
I Switches Overview

Analyzing and Verifying the Switch

Cisco Catalyst switches come from the factory ready to switch Ethernet frames. All you have to do is connect the power cable, plug in the Ethernet cables and the switch starts switching incoming frames. When you connect multiple switches together, the frames are ready to be transmitted between the switches as well. Let's take a look at the default settings.

✓ Interfaces are enabled by default, ready to work once the cable is connected.
✓ All interfaces are assigned to VLAN 1.
✓ 10/100 or 10/100/1000 Mbps speeds are in Auto mode.
✓ MAC learning, forwarding and filtering logic works by default.
✓ STP is enabled.

Some Commands We Can Use For Analysis and Verification:

show mac address-table dynamic
We can see the MAC addresses that the switch learns dynamically.

show interfaces status
We can see if the switch interface (port) is down or up.

show interfaces f0/1 counters
We can see outgoing packets from FastEthernet 0/1.

show mac address-table dynamic address 0200.1111.1111
We can see which interface this MAC address is on.

show mac address-table dynamic interface fastEthernet 0/1
We can see the MAC address of the device connected on this interface.

show mac address-table dynamic vlan 1
It shows us the MAC addresses in VLAN 1.

show mac address-table count
We can see how many records are in the switch MAC table and how many more we can record.
Basic Switch Configuration

I CLI Security on Switch
I Local Usernames
I AAA Server
I Configuring SSH
I Giving IP to Switch
I Basic Switch Configuration

CLI Security on Switch

In this section, I will show you how we can secure our passwords when we connect to the switch via the console port or via telnet or ssh.

• Protecting user mode and privileged mode with simple passwords.
• Securing user mode access with local usernames.
• Securing user mode access with external authentication servers.
• Providing remote access with Secure Shell (SSH).

Figure 6-1 Security concept with simple passwords.

Switch# configure terminal
Switch(config)# enable secret love
Switch(config)# line console 0
Switch(config-line)# password faith
Switch(config-line)# login
Switch(config-line)# exit
Switch(config)# line vty 0 15
Switch(config-line)# password hope
Switch(config-line)# login
Switch(config-line)# end
Switch#

Figure 6-2 Simple password configuration.
I Basic Switch Configuration

Protecting User Mode Access with Local Usernames and Passwords

When we look at the show running-config output on the side, our passwords are in the clear. Someone sitting next to us or someone listening to our network can see these passwords. Now we will remove these passwords, add users in the local database and log in with them.

Switch# show running-config
Building configuration...
Current configuration: 1333 bytes
!
version 12.2
!
enable secret 5 $1$OwtI$A58c2XgqWyDNeDnv51mNR.
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
! Several lines have been omitted here - in particular, lines for
! FastEthernet interfaces 0/3 through 0/23.
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
line con 0
password faith
login
!
line vty 0 4
password hope
login
!
line vty 5 15
password hope
login

Figure 6-3 Login with Local User.
I Basic Switch Configuration

Protecting User Mode with External Authentication Servers

In this option, our usernames and passwords are stored on a remote AAA server, and when we try to connect to the switch, the switch goes and verifies the username and password we entered against the AAA server; if the information is correct, it allows us to log in.

Figure 6-4 Basic Authentication Process with External AAA Server.

Maintaining a Remote Connection with SSH

Instead of Telnet, you can use Secure Shell. SSH creates a more secure session than Telnet applications that use unencrypted data streams. Secure Shell (SSH) uses encrypted keys to send data so your username and password are not sent in the clear.

Configuring SSH

SW1# configure terminal
!
SW1(config)# hostname SW1
SW1(config)# ip domain-name example.com
SW1(config)# crypto key generate rsa
The name for the keys will be: SW1.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may
take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)
SW1(config)#
!
! Optionally, set the SSH version to version 2 (only) - preferred
!
SW1(config)# ip ssh version 2
!
! Next, configure the vty lines for local username support, just
! like with Telnet
!
SW1(config)# line vty 0 15
SW1(config-line)# login local
SW1(config-line)# exit
!
! Define the local usernames, just like with Telnet
!
SW1(config)# username yavuz password cisco
SW1(config)# username bulut password cisco
SW1(config)# ^Z
SW1#
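As an added example (not code from the book), here is a small Python audit of the CLI security points this chapter makes: it parses a running-config in the style of the show running-config output above and flags an enable password instead of enable secret, username entries stored as type 0/7 instead of secret, vty lines that rely on a shared line password rather than login local, vty lines that still accept Telnet, and a missing ip ssh version 2 or service password-encryption. Both configs are constructed; the enable secret hash is the one printed in the chapter's running-config, and the username hash is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample in the style of the chapter's show running-config output
WEAK_CONFIG = """\
version 12.2
hostname SW1
enable password cisco
username yavuz password cisco
ip domain-name example.com
line con 0
 password faith
 login
line vty 0 4
 password hope
 login
line vty 5 15
 login local
 transport input ssh
"""

# The same switch after the hardening this chapter works toward (constructed;
# the username hash is a placeholder, not a real type-5 hash)
HARDENED_CONFIG = """\
version 12.2
hostname SW1
service password-encryption
enable secret 5 $1$OwtI$A58c2XgqWyDNeDnv51mNR.
username yavuz secret 5 $PLACEHOLDER_HASH$
ip domain-name example.com
ip ssh version 2
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Top-level commands go under 'global'; indented sub-commands are grouped
    under the top-level command (e.g. 'line vty 0 4') they belong to."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections["global"].append(current)
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_sections(config)
    g = s["global"]
    findings: List[str] = []
    if any(l.startswith("enable password") for l in g):
        findings.append("enable password stores the privileged password reversibly; use 'enable secret'")
    if not any(l.startswith("enable secret") for l in g):
        findings.append("no enable secret: privileged mode is not protected by a hashed secret")
    for l in g:
        m = re.match(r"username (\S+) password (?:[07] )?\S+$", l)
        if m:   # type 0 is clear text, type 7 is trivially reversible
            findings.append(f"username {m.group(1)} stored as type 0/7; use 'username ... secret'")
    if "service password-encryption" not in g:
        findings.append("service password-encryption is off: line passwords appear in clear text in the config")
    if not any(l.startswith("ip ssh version 2") for l in g):
        findings.append("ip ssh version 2 not set: SSHv1 may be negotiated")
    for name, body in s.items():
        if not name.startswith("line vty"):
            continue
        if any(b.startswith("password") for b in body) and "login local" not in body:
            findings.append(f"{name}: shared line password with 'login'; prefer per-user 'login local'")
        if not any(b.split() == ["transport", "input", "ssh"] for b in body):
            findings.append(f"{name}: Telnet accepted (no 'transport input ssh'); credentials would cross the network unencrypted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```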
I Basic Switch Configuration

Giving the Switch an IP Address for Remote Access

We need to give an IP address to the switch so that we can access it remotely and make our settings via telnet or ssh. Let's not forget to set the default gateway IP so that the switch can be reached from different subnets and VLANs.

Bulut-Sw1# configure terminal
Bulut-Sw1(config)# interface vlan 1
Bulut-Sw1(config-if)# ip address 192.168.1.200 255.255.255.0
Bulut-Sw1(config-if)# no shutdown
00:25:07: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
00:25:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Bulut-Sw1(config-if)# exit
Bulut-Sw1(config)# ip default-gateway 192.168.1.1

Figure 6-5 Giving IP for Remote Access to the Switch.

Configuring I Configuring Speed, Duplex, and Description

I Checking Interface Status

Switch Interfaces I Auto-negotiation


I Configuring Switch Interfaces

Configuring Speed, Duplex, and Description

Here, we will manually set the speed under the interface, manually select whether our connection will be half duplex or full duplex, and add descriptions to inform and help us later about that interface.

Bulut-Sw1# configure terminal
Bulut-Sw1(config)# interface FastEthernet 0/1
Bulut-Sw1(config-if)# duplex full
Bulut-Sw1(config-if)# speed 100
Bulut-Sw1(config-if)# description “3.Kat yazıcı bagli-full 100 mb ayarli”
Bulut-Sw1(config-if)# exit
Bulut-Sw1(config)# interface range FastEthernet 0/11 - 20
Bulut-Sw1(config-if-range)# description “Bu portlarda son kullanıcılar var”
Bulut-Sw1(config-if-range)# ^Z
Bulut-Sw1#

Bulut-Sw1# show interfaces status

Interface Shutdown and Checking Its Administrative Status

Bulut-Sw1(config)# interface range FastEthernet 0/11 - 20
We can enter the same settings for FastEthernet 11 to 20 with a single range command.

Bulut-Sw1(config)# interface fastEthernet 0/1
Bulut-Sw1(config-if)# shutdown
Bulut-Sw1(config-if)#
*Mar 2 03:02:19.701: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
We can close an interface that we do not use, or we can close and open the port remotely.

Bulut-Sw1# show interfaces f0/1 status
We can get information about the interface status.

SW1(config)# interface fastethernet 0/2
SW1(config-if)# no speed
SW1(config-if)# no duplex
SW1(config-if)# no description
SW1(config-if)# no shutdown
We can remove a configuration that we entered before by putting the no command at the beginning.
I Configuring Switch Interfaces

Auto-negotiation
By default, interfaces are in auto-negotiation mode. That is, when a device is connected to an interface, it negotiates with it, asks for information such as speed and connection type (half/full duplex), and configures itself accordingly.

Figure 7-3 Example of Switch and Hub Connection

Let's look at a few examples:

Checking and Analyzing Interface Status

Bulut-SW1# show interfaces status
Bulut-SW1# show interfaces fa0/13
Bulut-SW1# show interfaces gi0/1 status

Figure 7-1 Example 1
Figure 7-2 Example 2

Chapter - 4
VLAN and STP APPLICATIONS
I Virtual LANs ( VLAN )
I Spanning Tree Protocol ( STP )
I Configuring RSTP and EtherChannel

VLANs
Virtual LANs
I VLANs Concepts
I VLAN Trunking
I VLAN Tagging
I Inter-Vlan Data Forwarding
I VLAN Configuration and Authentication
I VLAN Trunking Configuration
I Data and Voice VLAN

I Virtual LANs ( VLANs )

Virtual LANs
Concepts
In a network of switches, we can create a virtual local area network (VLAN) to separate broadcast domains. A VLAN is a logical grouping of resources and network users connected to administratively defined ports on a switch. When you create VLANs, you have the ability to create smaller broadcast domains in a Layer 2 switch network community by assigning different ports on the switch to different subnets. Each VLAN acts as its own subnet or broadcast domain. In other words, frames broadcast to the network are only switched between logically grouped ports in the same VLAN.

Does this mean we won't need routers anymore? Maybe yes, maybe no. It all depends on what you want and what your needs are. By default, hosts in a particular VLAN cannot communicate with hosts that are members of another VLAN. If you want inter-VLAN communication, the answer is that you still need a router.

In Figure 8-1 on the side, we can see that we have divided our network into two subnets and two broadcast domains using two switches without VLANs.

Figure 8-1 Using different subnets with two physical switches without VLAN.

In Figure 8-2 below, we can see the example of dividing our network into two subnets with VLANs using a single physical switch.

Figure 8-2 Using two subnets in one switch using VLAN.
I Virtual LANs ( VLANs )

Using VLAN Trunking on Multiple Switches

We can interconnect two or more switches and connect hosts that are in the same VLAN on these switches. As seen in the example given in Figure 8-3, there are two switches and two different subnets are used by creating VLAN 10 and VLAN 20 on each switch. A separate cable is connected between the two switches for each VLAN.

Figure 8-3 Using VLAN in multi-switch without using VLAN Trunk

It would not be practical to use such an application in our network. For example, if there were 5 VLANs on each switch, we would have to connect a cable for each VLAN between each pair of switches, which would make it impossible to use VLANs in large networks with many switches and many VLANs. Instead, we configure the ports that connect the two switches as VLAN trunks. In Figure 8-4 we can see an example of using a VLAN trunk.

Figure 8-4 Using Vlan Trunking in multiple switches

Figure 8-5 Example of Vlan Tagging between two Switches.
I Virtual LANs ( VLANs )

Frame Tagging
Every switch that the frame reaches must first detect its VLAN ID from the frame tag. It then determines what to do with the frame by looking at the information in the filter table. If the frame reaches a switch with another trunk link, the frame will be forwarded to the trunk link port.

When the frame reaches an output determined by the forward/filter table to be an access link matching the frame's VLAN ID, the switch removes the VLAN identifier. Thus, the target device will be able to receive the frames without having to understand the VLAN IDs.

Figure 8-6 802.1Q Trunking

Inter-Switch Link (ISL)
Inter-Switch Link (ISL) is a way to explicitly label VLAN information in an Ethernet frame. This tagging information allows VLANs to be multiplexed across a trunk link with an external encapsulation method (ISL). ISL allows the switch to detect the VLAN membership of a frame along the trunk link.

By running ISL, you can interconnect many switches, and on trunk links you can still provide VLAN information while traffic flows between switches. ISL operates at Layer 2 by encapsulating a data frame with a new header and cyclic redundancy check (CRC).

ISL is specific to Cisco switches and is used only for FastEthernet and Gigabit Ethernet links. ISL routing is versatile and can be used on a switch port, router interfaces, and server interface cards that are trunked to a server.

IEEE 802.1Q
Created by IEEE as a standard frame tagging method, IEEE 802.1Q adds a field to the frame to identify the VLAN. If you are trunking between a Cisco switch and a different brand of switch, you should use 802.1Q for trunking.

It works like this: first, define each port to be trunked with 802.1Q encapsulation. Ports must be assigned a specific VLAN ID for their communication, which makes them native VLANs. Ports placed on the same trunk form a group with this native VLAN and each port is tagged with an ID number, with default VLAN 1. The native VLAN allows trunks to carry received information without any VLAN IDs or frame tags.
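The tag insertion and removal described above, as an added Python example that is not part of the book: it builds a constructed untagged frame, tags it the way a trunk port does on egress, parses the tag back out, strips it the way an access port does on delivery, and places untagged or priority-tagged (VID 0) frames in the native VLAN, VLAN 1 by default. The MAC addresses and the frame body are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100      # IEEE 802.1Q tag protocol identifier
TPID_8021AD = 0x88A8     # IEEE 802.1ad outer tag (Q-in-Q); recognised so it is not read as payload
ETHERTYPE_ARP = 0x0806
DEFAULT_NATIVE_VLAN = 1  # the text: trunk ports default to native VLAN 1


def mac(text: str) -> bytes:
    """Cisco 'aaaa.bbbb.cccc' or 'aa:bb:cc:dd:ee:ff' notation to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(".", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return raw


def add_tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as a trunk port does on egress
    for every VLAN except the native one. TCI = 3-bit PCP, 1-bit DEI, 12-bit VID."""
    if not 0 <= vid <= 4094:
        raise ValueError("VID must be 0..4094 (4095 is reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the outermost tag, as the switch does before delivering the frame on
    an access port; an untagged frame is returned unchanged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] in (TPID_8021Q, TPID_8021AD):
        return frame[:12] + frame[16:]
    return frame


def parse_frame(frame: bytes, native_vlan: int = DEFAULT_NATIVE_VLAN) -> dict:
    """Walk the header and any stacked tags and decide which VLAN the frame belongs
    to when received on a trunk whose native VLAN is `native_vlan`."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags = []
    offset = 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    # No tag, or a priority tag with VID 0, carries no VLAN of its own: on a trunk
    # the switch places such a frame in the native VLAN.
    if not tags or tags[0]["vid"] == 0:
        vlan, source = native_vlan, "native"
    elif tags[0]["vid"] == 4095:
        raise ValueError("VID 4095 is reserved and must not appear on the wire")
    else:
        vlan, source = tags[0]["vid"], "tag"
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": vlan,
            "vlan_source": source, "tags": tags, "ethertype": ethertype,
            "payload": frame[offset + 2:]}


# Constructed sample (not captured traffic): a broadcast ARP frame with a zeroed body.
UNTAGGED = mac("ffff.ffff.ffff") + mac("0000.0c00.1111") + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)
TAGGED_VLAN10 = add_tag(UNTAGGED, 10)

if __name__ == "__main__":
    for label, frame in (("untagged", UNTAGGED), ("VLAN 10", TAGGED_VLAN10)):
        info = parse_frame(frame)
        print(f"{label:>9}: VLAN {info['vlan']} via {info['vlan_source']}, {len(info['tags'])} tag(s)")
    print("stripped equals original:", strip_tag(TAGGED_VLAN10) == UNTAGGED)
```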
I Virtual LANs ( VLANs )

Inter-Vlan Data Forwarding

We have logically divided the switches with VLANs; inter-VLAN broadcasts and traffic no longer go to other VLANs. But what should we do if we need to access hosts in other VLANs and they need to reach us too? Then we need a router or a switch that can do Layer 3 routing. To access a different VLAN, we need to enter the default router IP information on our hosts; otherwise you cannot go out of your own VLAN.

Figure 8-7 There is no route between Layer 2 switch Vlans.

Figure 8-8 Routing between two physical interfaces and two vlans.

VLAN Configuration and Verification

Let's create three VLANs on a switch.

Figure 8-9 Example of three vlans on the Switch.

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# name Muhasebe-Vlan
SW1(config-vlan)# exit
SW1(config)# interface range fastethernet 0/11 - 12
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# end

SW1# show vlan brief
SW1# show running-config
SW1# show vlan id 10
I Virtual LANs ( VLANs )

Vlan Trunk Configuration

Let's make an example with two switches and three VLANs, and a VLAN trunk between the two switches.

SW1# show interfaces gigabit 0/1 switchport
SW1# show interfaces trunk
SW1(config)# interface gigabit 0/1
SW1(config-if)# switchport mode dynamic desirable
SW1# show interfaces gigabit 0/1 switchport
SW1# show interfaces trunk
SW1# show vlan id 2

Figure 8-10 Example of vlan trunk between three vlans and two switches.

Figure 8-11 Example of vlan trunk between three vlans and two switches.
I Virtual LANs ( VLANs )

Data and Voice VLAN

The voice VLAN feature is enabled on access ports to carry IP voice traffic from an IP phone. You can also configure another VLAN for data traffic: on an access port connected to a device such as a Cisco IP phone, one VLAN carries the voice traffic and another carries the traffic of the PC attached to the phone.

SW1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# vlan 10
SW1(config-vlan)# vlan 11
SW1(config-vlan)# interface range FastEthernet0/1 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# switchport voice vlan 11

SW1# show interfaces FastEthernet 0/4 switchport
SW1# show interfaces trunk
SW1# show interfaces F0/4 trunk

Figure 8-12 Pre-IP Phone

Figure 8-13 Post IP Phone

Figure 8-14 Using Voice and Data Vlan on LAN
STP/RSTP
Spanning Tree Protocol
I STP Concepts
I How STP Works
I Root Switch Selection
I RSTP Concepts
I EtherChannel
I Spanning Tree Protocol STP

Spanning Tree Protocol

STP Concepts
Routing protocols have processes that stop network loops at the Network layer. However, if there are physical redundant links between your switches, the routing protocols will do nothing to stop loops at the Data Link layer. The Spanning Tree Protocol was developed to stop these vicious circles in the Layer 2 switch network. The basis of this very important protocol and how it works in a switch network are important topics that we will cover throughout this chapter.

Figure 9-1 Broadcast Storm.

Why Do We Need STP?

Redundant links between switches are good as they prevent the entire network from becoming unusable if one link fails.

Sounds good, but redundant links, while very useful, cause more problems than they solve. Because frames are sent simultaneously over all backup links, they cause loops in the network; the Spanning Tree Protocol was developed to prevent this problem.

Figure 9-2 STP Blocks Loop in Network.


I Spanning Tree Protocol STP

How STP Works

STP constantly monitors the network to find all links and closes redundant links to make sure there is no vicious circle. STP uses a spanning-tree algorithm (STA) to first create a topology database and then search for and eliminate redundant links. With STP, frames will only be sent over the priority links selected by STP.

Spanning Tree Terms

Root bridge: The root bridge is the bridge with the best bridge ID. Choosing a root bridge that is the central point in the network with STP is important for all switches in the network. All decisions in the network, such as which port to block and which to put in forwarding mode, are made from the perspective of this root bridge.

Bridge ID: The bridge ID is the record that STP keeps for all switches in the network. It is determined by a combination of bridge priority (32,768 by default on Cisco switches) and MAC address. The bridge with the lowest bridge ID becomes the root bridge in the network.

BPDU: All switches exchange their information for use both in root switch selection and in subsequent network configuration. Each switch compares the parameters in the Bridge Protocol Data Unit (BPDU) that it receives from one neighbor and sends to the other.

Non-root bridges: These are all bridges other than the root. Non-root bridges swap their BPDUs with all bridges and update the STP topology database on all switches. They prevent loops and provide a defensive measure against link failures.

Port cost: Port cost determines the best path when multiple links are used between switches and none of the links has a root port. The cost of a link is determined by the bandwidth of the link.

Root port: The root port is always the direct link to the root bridge or the shortest path to the root bridge. If more than one link is connected to the root bridge, the port cost is determined by checking the bandwidth of each link. The lowest-cost port becomes the root port. If multiple links have the same cost, the bridge with the lower bridge ID will be used. Since multiple links can be from the same device, the lowest port number will be used.

Designated port: A designated port is one that has the best (lowest) cost. A designated port will be marked as a forwarding port.

Nondesignated port: A nondesignated port is a higher-cost port than a designated port. Nondesignated ports are put in blocking mode. They are not forwarding ports.

Forwarding port: A forwarding port forwards frames.

Blocked port: A blocked port will not forward frames, to avoid vicious cycles. However, a blocked port will always listen for frames.
I Spanning Tree Protocol STP

Root Switch Selection

The switch ID is used to select the root switch in the STP domain and to determine the root port for each of the other devices in the STP domain. This ID is 8 bytes in size and contains the priority and the MAC address of the device. The default priority on all devices running IEEE STP is 32,768.

You use each switch's priority, along with its MAC address, to determine the root switch. If two switches have the same priority value, the MAC address will be decisive in determining which one has the lowest (best) ID. Here's how: if two switches named A and B use the 32768 priority by default, their MAC addresses will be used. If Switch A's MAC address is 0000.0c00.1111 and Switch B's MAC address is 0000.0c00.2222, Switch A will be the root switch. Remember that the lower value is best when choosing the root switch.

Figure 9-3 Root Switch Selection Process

By default, BPDUs will be sent every two seconds from all active ports on the switch. (The switch with the lowest (best) switch ID is the root switch.) You can change the ID of a switch by changing its priority, so that it automatically becomes the root switch. Being able to do this is important in large networks.
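The election described above, as an added Python example that is not part of the book: it builds the 8-byte bridge ID from priority and MAC, elects the root as the lowest ID, shows how lowering one switch's priority makes it root, and picks a root port by the tie-break order the text gives (cost, then neighbor bridge ID, then port number). Switch A and B use the MACs from the text; SwitchC, the candidate ports and their path costs are constructed, with 4 and 19 being the IEEE 802.1D default costs for 1 Gbps and 100 Mbps links.

```python
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768  # default bridge priority on switches running IEEE STP


def bridge_id(priority: int, mac_addr: str) -> int:
    """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC address,
    compared as one 64-bit number. Lower is better."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    mac_int = int(mac_addr.replace(".", "").replace(":", "").replace("-", ""), 16)
    if mac_int > 0xFFFFFFFFFFFF:
        raise ValueError("MAC address must be 48 bits")
    return (priority << 48) | mac_int


def format_bridge_id(bid: int) -> str:
    """Render a bridge ID as priority.mac in Cisco dotted notation."""
    priority, mac_int = bid >> 48, bid & 0xFFFFFFFFFFFF
    h = f"{mac_int:012x}"
    return f"{priority}.{h[0:4]}.{h[4:8]}.{h[8:12]}"


def elect_root(switches: dict) -> str:
    """switches maps name -> (priority, mac). The lowest bridge ID becomes root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def with_priority(switches: dict, name: str, priority: int) -> dict:
    """Copy of the topology with one switch's priority changed, which is what an
    administrator does to force a chosen switch to win the election."""
    changed = dict(switches)
    changed[name] = (priority, switches[name][1])
    return changed


@dataclass(frozen=True)
class Candidate:
    """One link from a non-root switch towards the root, as learned from BPDUs."""
    local_port: str
    path_cost: int           # cost of the path to the root through this port
    neighbor_bridge_id: int  # bridge ID of the switch that sent the BPDU
    neighbor_port: int       # sender's port number, the final tie-breaker


def choose_root_port(candidates) -> str:
    """Lowest cost wins; on a tie, the lowest neighbor bridge ID; then the lowest
    port number when several links lead to the same neighbor."""
    best = min(candidates, key=lambda c: (c.path_cost, c.neighbor_bridge_id, c.neighbor_port))
    return best.local_port


# Constructed topology: A and B with the MACs from the text, plus a third switch C.
SWITCHES = {
    "SwitchA": (DEFAULT_PRIORITY, "0000.0c00.1111"),
    "SwitchB": (DEFAULT_PRIORITY, "0000.0c00.2222"),
    "SwitchC": (DEFAULT_PRIORITY, "0000.0c00.3333"),
}

# Constructed view from SwitchC: two 1 Gbps links (cost 4) straight to SwitchA and one
# 100 Mbps link (cost 19) whose BPDUs come from SwitchB.
CANDIDATES_FROM_C = [
    Candidate("Gi0/2", 4, bridge_id(*SWITCHES["SwitchA"]), 2),
    Candidate("Gi0/1", 4, bridge_id(*SWITCHES["SwitchA"]), 1),
    Candidate("Fa0/3", 19, bridge_id(*SWITCHES["SwitchB"]), 3),
]

if __name__ == "__main__":
    for name, (prio, mac_addr) in SWITCHES.items():
        print(f"{name}: bridge ID {format_bridge_id(bridge_id(prio, mac_addr))}")
    print("root with default priorities:", elect_root(SWITCHES))
    print("root after SwitchC priority 4096:", elect_root(with_priority(SWITCHES, "SwitchC", 4096)))
    print("root port chosen on SwitchC:", choose_root_port(CANDIDATES_FROM_C))
```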
I Spanning Tree Protocol STP

Why is Root Switch Selection Important?

Convergence happens when all ports on switches switch to forwarding or blocking mode. No data will be transmitted until the convergence is complete. And before data can start transmitting again, all devices need to be updated. Yes, you read that right: while STP converges, all host data transfer stops! If you want to stay connected (or always running) with your network users, you should make sure that your switch network is physically well designed so that STP converges quickly.

Convergence is really important as it ensures that all devices have the same database. But as I specifically mentioned, it will cost you money. Usually, it takes 50 seconds to go from blocking to forwarding, and I do not recommend changing the STP timers (but you can change these timers if necessary). By creating your physical switch design in a hierarchical fashion, as shown in Figure 9-3, you can make your core switch the STP root. This will speed up the STP convergence time.

Figure 9-4 Using Cost on non-root ports

Figure 9-5 IEEE Default Cost Values

Note: Cost determines the best path when none of the links have a root port. The cost of a link is determined by the bandwidth of a link.

Figure 9-3 An optimal hierarchical switch design.
I Spanning Tree Protocol STP

Rapid Spanning Tree Protocol

RSTP Concepts 802.1w
Would you like to have an STP configuration that works well in your switch network and has all the features effective on each switch, regardless of the switch brand? Definitely yes! Good, then, welcome to the world of Rapid Spanning Tree Protocol (RSTP).

Cisco developed PortFast, UplinkFast, and BackboneFast to correct the loopholes and disadvantages of the IEEE 802.1d standard. The disadvantage of these is that they are Cisco proprietary and require additional configuration. But the new 802.1w standard (RSTP) addresses all these issues in one package. Just enable RSTP and go.

✓RSTP adds a mechanism by which a switch can change the root port without going into forwarding mode.
✓RSTP adds a mechanism to the designated port before a switch goes into forwarding mode.
✓RSTP reduces wait times in some cases.

STP and RSTP Comparison

✓RSTP and STP use the same rules when choosing root switches.
✓RSTP and STP use the same rules when choosing root ports.
✓RSTP and STP use the same rules when choosing designated ports.
✓RSTP and STP make each connection port forwarding or blocking, but RSTP uses discarding instead of blocking.

Figure 9-6 Comparison of STP and RSTP Port Status
I Spanning Tree Protocol STP

PortFast
If we use the portfast command on our switches, we avoid the problem of our hosts not getting a DHCP address, because STP takes a lot of time to converge and exceeds the hosts' DHCP request time.

BPDU Guard
If you enable PortFast, it's a really good idea to enable BPDU Guard. If a switch port with PortFast enabled receives a BPDU on that port, it will put the port into error-disabled state. This prevents an administrator from accidentally connecting another switch or hub port to a PortFast-configured switch port. In fact, you are preventing this from happening and causing your network to crash or at least be seriously damaged. You should configure this command only on your access layer switches, to which users are directly connected. Therefore, we will not configure this on our core switch.

EtherChannel
In STP, a port is blocked and we actually use a single connection even though we have two connections, but with EtherChannel you can combine the links and create a logical aggregation. Thus, many of our links will appear as one. If doing this provides the same redundancy as STP, why not merge our backup links? It provides both redundancy like STP and allows us to use the ports actively, plus we can connect up to eight mutual ports between two switches. (It may vary according to the switch brand and model.)

As usual, EtherChannel has a Cisco version and an IEEE version. The Cisco version is defined as Port Aggregation Protocol (PAgP) and the IEEE 802.3ad standard is called Link Aggregation Control Protocol (LACP). Both work equally; the configuration of the two is different.

Figure 9-7 Example of EtherChannel Connection.


MST and EtherChannel
I Multiple Spanning Trees
I STP Modes and Standards
I RSTP Configuration
I EtherChannel Configuration
I MST and EtherChannel

STP Modes and Standards

Multiple Spanning Trees
In the mid-1990s, VLANs appeared along with switches. The emergence of VLANs posed a challenge for STP, which was the only type of STP available at the time, because STP defined a single Common Spanning Tree (CST) topology for the entire LAN. IEEE needed to create a Multiple Spanning Tree to balance traffic between existing links as shown in Figure 10-1. With two different STP instances, SW3 can block on a different interface in each VLAN as shown in the figure.

Figure 10-1 Load Balancing between an STP Vlan 1 and Vlan 2

PVST+ Per-VLAN Spanning Tree: Since there was only one 802.1D Spanning Tree standard in the 1990s, Cisco developed the PVST+ protocol to provide a Spanning Tree for every VLAN.

RPVST+ Rapid Per-VLAN Spanning Tree: When IEEE created RSTP in 2001, Cisco created RPVST+. This standard provides a Spanning Tree per VLAN but with more features than RSTP.

MSTP: IEEE did not fully adopt Cisco's PVST+ and RPVST+ and created a different protocol, MSTP, initially defined as 802.1Q but later changed to 802.1S.

Figure 10-2 Timeline of Per-VLAN and Multiple STP Features

Figure 10-3 STP Standard and Configuration Options.


I MST and EtherChannel

Layer 2 EtherChannel Configuration

Let's simply configure Layer 2 EtherChannel between two switches.

interface Port-channel 1
switchport mode trunk
no shut

interface range FastEthernet0/1-2
switchport mode trunk
channel-group 1 mode desirable
no shut

sh int trunk
sh etherchannel summary

Figure 10-4 Simple EtherChannel Example.

We do the same configuration on both switches. On the second switch, we can set the channel-group mode as auto or desirable. If you are not using multiple VLANs on the switches, you do not need switchport mode trunk.

SW2#show etherchannel load-balance

SW2(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr
Chapter - 5
IPv4 ADDRESSING and SUBNETTING
I Introduction to IPv4 Subnetting
I IPv4 Addressing
I Analyzing Subnet Masks
I Analyzing Existing Subnets

IPv4
Introduction to Subnetting
I Subnetting Basics
I Subnet Design
I Subnet Mask Selection
I Using Host Bits
I Plan and Implementation
I Introduction to IPv4 Subnetting

Subnetting Basics
If you want to take a single network address and create six networks from it, you will need to use the subnetting method, because this allows you to take a large network and divide it into smaller network segments.

There are tons of reasons to use subnetting, including the following benefits:

Low network traffic: We welcome any type of low traffic. Networks are no different. Without reliable routers, packet traffic on the switches brings the entire network to a standstill. With routers, most traffic will remain in the local network; only packets destined for other networks will be passed through the router. Routers create broadcast domains. The more broadcast domains you create, the less network traffic and the smaller the broadcast domains in each network segment.

Optimized network performance: This is the result of low network traffic.

Simplified management: Identifying and isolating network problems is easier in smaller network groups than in a large network.

Streamlined, wide geographic distance distribution: Because WAN links are slower and more expensive than LAN links, connecting many small networks will make the system more efficient if we have a large network spread over a wide area.

How to Create Subnets?
To create subnets, you take bits from the host portion of the IP address and reserve them to define subnet addresses. This means fewer bits for the host, so the more subnets there are, the fewer bits there will be to identify the host.

But before you actually start subnetting, you have to define your plans based on both your current needs and your future situation.

1. Which hosts do we need to group with a subnet?
2. How many subnets are needed for this network?
3. How many host IP addresses are required for each subnet?
4. For simplicity, will we use a single subnet size or not?

Figure 11-1 Subnet Planning, Design, and Implementation Tasks
I Introduction to IPv4 Subnetting

One Size Subnet Fits All Designing

Figure 11-2 Using Single Subnets

Multiple Subnet Sizes (Variable-Length Subnet Masks)

Figure 11-3 Using Three Subnets and Three Masks

Public IP Networks
The IPs used in the internet environment had to be globally unique, so these IPs were divided into classes and allocated to ISPs and companies. RFC classes A, B and C have reserved a certain part of the IPs as private IPs for use in the LAN; let's take a look at them below.

Figure 11-4 Two companies Public IP Usage

Figure 11-5 Two Companies Using Private IP

Private IP Networks
Private IP list reserved for use in our local network.

Figure 11-6 RFC 1918 Private IP Addresses

I Introduction to IPv4 Subnetting

Mask Selection

If you have followed the topics in order so far, you can answer the following questions according to the example in Figure 11-3.

Number of subnets required
Number of hosts per subnet required

It was preferred to use only one mask, as all subnets are the same size (same number of hosts per subnet).

Choosing the IP block we will use in the subnet:

✓Let's use a single mask for each subnet.
✓Let's have 200 subnets.
✓Have 200 hosts in each subnet.
✓Let's use the Class B 172.16.0.0 network.

Figure 11-7 Class A, B and C Networks without Subnets

Figure 11-8 Class A, B and C Networks Using Subnets

Class A: 2^24 – 2 = 16,777,214
Class B: 2^16 – 2 = 65,534
Class C: 2^8 – 2 = 254

Selecting Host Bits for Subnet

How many subnets do we need?
How many hosts do we need?

Figure 11-9 Host and Subnet bit selection

Binary—Class B Network

Figure 11-10 Mask selection N = 16, S = 8, H = 8

Figure 11-11 Creating the Subnet Mask

I Introduction to IPv4 Subnetting

Plan and Implementation

Before starting the plan and implementation, we must choose which subnets we will use for the devices and locations. We can use the subnets in the table in Figure 11-12 for our locations. If there are devices that will use a static IP, we can identify them and reserve those IPs on the DHCP server, or adjust the DHCP server's IP distribution range accordingly.

Figure 11-12 Subnets we can use for our example.

Figure 11-13 Plan and implementation steps.

Figure 11-14 Applying subnets to different locations.

Figure 11-14 Static IP usage and IP distribution from DHCP Server
IPv4 Addresses
I IPv4 Address Classes and Related Information
I Number and Size of Class A, B, and C Networks
I Default Mask
I Practicing IPv4
I IPv4 Addressing

IP Terminology

Bit: A bit is a number that is either 1 or 0.

Byte: A byte is 7 or 8 bits, depending on the parity used. For the remainder of this module, we will think of a byte as 8 bits.

Octet: An 8-bit octet is an ordinary 8-bit binary number. The terms byte and octet are completely interchangeable in this module.

Network address: This is the address used in routing to send packets to a remote network. For example, 10.0.0.0, 172.16.0.0, and 192.168.10.0.

Broadcast address: This address, which is used by applications and user machines to send information to all hosts on the network, is defined as the broadcast address. For example, 255.255.255.255 includes all networks and hosts, 172.16.255.255 specifies all networks on the 172.16.0.0 network, and 10.255.255.255 is the broadcast address for all subnets and users on the 10.0.0.0 network.

IPv4 Network Classes and Related Information

There are five types of classes in IPv4. Classes A, B and C are unicast addresses, Class D is multicast addresses, and Class E is used in scientific research.

Figure 12-1 IPv4 Address Classes Based on First Octet Values

Figure 12-2 Basic Information for Classes A, B and C
I IPv4 Addressing

Number and Size of Class A, B, and C Networks

In Class A, the first octet is the network address, and the remaining three octets are host addresses. In Class B, the first two octets are the network address and the last two octets are the host addresses. In Class C, the first three octets are the network address and the last octet is reserved for hosts.

Figure 12-3 Classes A, B and C Network and Host Numbers

Figure 12-4 Network and Host Bits

Default Mask
Default masks are as in the list below.

Figure 12-5 Classes A, B and C Default Mask Addresses
I IPv4 Addressing
Practicing IPv4
I IPv4 Addressing
IPv4 Practice Answers
Analyzing Subnet Masks
I Subnet Mask Conversion
I Understanding the Powers of 2
I Prefix (CIDR)
I Prefix Conversion
I Subnet Mask Conversion Practice
I Classless and Classful Addressing
I Analyzing Subnet Masks
Subnet Mask Conversion

Converting from Binary to Decimal
What interests us in binary numbering is a value represented in typical decimal format with the base 10 number arrangement we have used since kindergarten. Binary numbers are placed in a value field: it starts from the right and continues to the left. Each position has a value equal to twice the previous position's value.

Byte Values
128 64 32 16 8 4 2 1

Since they are all used, we sum all the bit fields. The maximum value of a byte is seen as:

11111111 = 128+64+32+16+8+4+2+1 = 255

There are many decimal values to which a binary number can equal. Let's look at some examples:

Which bits are used? Bits 128, 16, 4 and 2 are used, so we just add them.
10010110 = 128+16+4+2 = 150

Which bits are used? Bits 64, 32, 8 and 4 are used, so we just add them.
01101100 = 64+32+8+4 = 108

Understanding the Powers of 2
The powers of the number 2 are important to understand and keep in mind for IP subnetting. To work out a power of 2, when you see a number with its exponent, you multiply the number by itself as many times as the exponent specifies. For example, 2^3 is 2x2x2 = 8. Here is a list of powers of 2 that you should memorize:

Figure 13-1 Powers of two memorization chart

Prefix Classless Inter-Domain Routing (CIDR)
Another term you should know well is Prefix = Classless Inter-Domain Routing (CIDR). It is actually the method that ISPs (internet service providers) use to reserve an address for a business or home user.

When a block address is received from the ISP, it will look like 192.168.10.32/28. This tells you what your subnet mask is. The slash notation (/) means how many bits will be 1. Obviously, the maximum can be /32 since a byte has 8 bits and an IP address has 4 bytes (4x8=32). But keep in mind that since you have to reserve at least 2 bits for the host bits, the largest available subnet mask (regardless of the class of the address) can be /30.
I Analyzing Subnet Masks

Convert Subnet Prefixes (CIDR) to Binary

Let's look at examples of binary-to-prefix and prefix-to-binary conversions.

Figure 13-2 Example of Conversion from Prefix to Binary

Figure 13-3 Example of Binary to Prefix Conversion

Figure 13-4 Example of Conversion from Prefix to Binary and from Binary to Decimal

Figure 13-5 Example of Decimal to Binary, Binary to Prefix

Subnet Mask Conversion Practice
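The mask selection method of the earlier section (N network bits, S subnet bits, H host bits) and the prefix, dotted-decimal and binary conversions of this section, as one added Python example that is not part of the book. It reproduces the book's case of 200 subnets of 200 hosts on the Class B network 172.16.0.0 and checks that a mask is a contiguous run of 1s; the /30 limit in the text is enforced as the smallest host part.

```python
import math


def dotted_to_int(dotted: str) -> int:
    """'255.255.192.0' -> 0xFFFFC000, with range checking on every octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal value: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/18 -> 255.255.192.0: the prefix says how many leading bits are 1."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between /0 and /32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def is_valid_mask(mask: str) -> bool:
    """A mask must be a run of 1s followed by a run of 0s, nothing else."""
    value = dotted_to_int(mask)
    ones = bin(value).count("1")
    return value == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    if not is_valid_mask(mask):
        raise ValueError(f"non-contiguous mask: {mask}")
    return bin(dotted_to_int(mask)).count("1")


def mask_to_binary(mask: str) -> str:
    """Each octet as 8 bits, the form used in the conversion figures."""
    return ".".join(f"{int(o):08b}" for o in mask.split("."))


def design_mask(network_bits: int, subnets_needed: int, hosts_needed: int) -> dict:
    """The book's N/S/H method. N is fixed by the class (8, 16 or 24), S must give
    at least subnets_needed subnets, and H must leave at least hosts_needed usable
    hosts after the subnet ID and broadcast address are taken out."""
    if subnets_needed < 1 or hosts_needed < 1:
        raise ValueError("need at least one subnet and one host")
    s = math.ceil(math.log2(subnets_needed))
    # +2 for the two unusable addresses; at least 2 host bits, so /30 is the longest mask
    h_min = max(2, math.ceil(math.log2(hosts_needed + 2)))
    if network_bits + s + h_min > 32:
        raise ValueError(f"N={network_bits}, S={s}, H={h_min} do not fit in 32 bits")
    prefix = network_bits + s
    h = 32 - prefix  # any spare bits are left to the host part (assumption of this example)
    return {"N": network_bits, "S": s, "H": h, "prefix": prefix,
            "mask": prefix_to_mask(prefix), "subnets": 2 ** s,
            "hosts_per_subnet": 2 ** h - 2}


if __name__ == "__main__":
    plan = design_mask(16, 200, 200)  # the book's Class B 172.16.0.0 example
    print(f"N={plan['N']} S={plan['S']} H={plan['H']} -> /{plan['prefix']} = {plan['mask']}")
    print(f"{plan['subnets']} subnets with {plan['hosts_per_subnet']} hosts each")
    print("/28 =", prefix_to_mask(28), "=", mask_to_binary(prefix_to_mask(28)))
    print("255.255.192.0 = /" + str(mask_to_prefix("255.255.192.0")))
```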
I Analyzing Subnet Masks

Classless and Classful Addressing

Figure 13-6 Classful Network Example

Figure 13-7 Example of Classless Network
I Analyzing Subnet Masks

Subnet Mask Conversion Practical Answers


Analyzing Existing Subnets
I Subnet Determination
I Easy Mask Calculation
I Subnet ID Finding: Different Masks
I Finding Broadcast Addresses: Different Masks
I Practicing
I Analyzing Existing Subnets

Subnet Determination
We use blocks such as 4-8-16-32-64-128-256 when specifying subnets. We can determine the size of the subnet according to the number of hosts that will be in that subnet.

Two addresses in a subnet cannot be assigned to hosts: the subnet ID and the broadcast address.

Figure 14-1 Class B Network and /18 Mask

Analyzing the Current Subnet: 172.16.0.0 Network and Four Subnet Examples

Figure 14-2 Network 172.16.0.0, Divided into Four Equal Subnets

Easy Mask Calculation
For example, let's take IP 172.16.150.41 and subnet mask 255.255.192.0 and find these subnets.

Subnet ID:
Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.
Step 2: If the mask octet is 0, write 0.

Broadcast Address:
Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.
Step 2: If the mask octet is 0, write 255.

Figure 14-3 Resident Subnet for 172.16.150.41, 255.255.192.0

Table 14-4 Subnet ID and Broadcast Address Practice
I Analyzing Existing Subnets

Finding Subnet ID: Different Masks


Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.

Step 2: If mask octet is 0, write 0.

Step 3: If the mask is not 255 or 0, we will use our magic number, subtract the
mask from 256 and find how many blocks the subnet has.

Figure 14-7 Finding Subnet ID: 192.168.5.77, 255.255.255.224

Subnet ID Practice
Figure 14-5 Calculating octets block by block

Figure 14-8 Finding Subnet ID: 192.168.5.77, 255.255.255.224


Figure 14-6 Finding Subnet ID: 130.4.102.1, 255.255.240.0
I Analyzing Existing Subnets

Finding a Broadcast Address: Different Masks

Step 1: If the mask octet is 255, write the decimal IP address in that octet as it is.

Step 2: If the mask octet is 0, write 255.

Step 3: If the mask is not 255 or 0, we subtract the mask from 256 and find how many blocks the subnet has. Let the example be 16. 16-1 = 15. When we add 15 to the Subnet ID, we find the Broadcast Address.

Figure 14-9 Find the Subnet Broadcast: 130.4.96.0, 255.255.240.0

Figure 14-10 Find the Subnet Broadcast: 192.168.5.64, 255.255.255.224

Broadcast Address Practicing

Figure 14-11 Finding Broadcast Address from Shortcut
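The three-step method for the subnet ID and the broadcast address, as an added Python example that is not part of the book: it applies steps 1 to 3 octet by octet with the "magic number" 256 minus the mask octet, derives the first and last usable host addresses, rejects non-contiguous masks, and cross-checks the hand method against Python's standard ipaddress module on the book's own examples (172.16.150.41/255.255.192.0, 130.4.102.1/255.255.240.0 and 192.168.5.77/255.255.255.224).

```python
import ipaddress  # standard library, used only to cross-check the hand method


def octets(dotted: str) -> list:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal value: {dotted!r}")
    return parts


def subnet_and_broadcast(ip: str, mask: str) -> tuple:
    """Apply the book's three steps octet by octet; return (subnet ID, broadcast)."""
    subnet, bcast = [], []
    past_interesting = False  # set once we have passed the first non-255 mask octet
    for ip_o, m_o in zip(octets(ip), octets(mask)):
        if m_o == 255 and not past_interesting:
            # Step 1: network octet, copy the IP octet into both answers
            subnet.append(ip_o)
            bcast.append(ip_o)
        elif m_o == 0:
            # Step 2: host octet, 0 in the subnet ID and 255 in the broadcast
            past_interesting = True
            subnet.append(0)
            bcast.append(255)
        elif not past_interesting:
            # Step 3: the "interesting" octet. magic = 256 - mask octet is the block
            # size; the subnet ID is the largest multiple of magic not above the IP
            # octet, and the broadcast is that value plus magic - 1.
            past_interesting = True
            magic = 256 - m_o
            if 256 % magic:  # only 128, 192, 224, 240, 248, 252, 254 are valid here
                raise ValueError(f"invalid mask octet {m_o} in {mask}")
            base = (ip_o // magic) * magic
            subnet.append(base)
            bcast.append(base + magic - 1)
        else:
            # a 255 or another partial octet after the interesting one is not a mask
            raise ValueError(f"non-contiguous mask: {mask}")
    return ".".join(map(str, subnet)), ".".join(map(str, bcast))


def usable_hosts(ip: str, mask: str) -> tuple:
    """First and last assignable addresses: subnet ID and broadcast are excluded."""
    subnet, bcast = subnet_and_broadcast(ip, mask)
    s, b = octets(subnet), octets(bcast)
    first = s[:3] + [s[3] + 1]
    last = b[:3] + [b[3] - 1]
    return ".".join(map(str, first)), ".".join(map(str, last))


def cross_check(ip: str, mask: str) -> bool:
    """True when the hand method agrees with ipaddress for this address and mask."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return subnet_and_broadcast(ip, mask) == (str(net.network_address), str(net.broadcast_address))


# The book's worked examples.
EXAMPLES = [
    ("172.16.150.41", "255.255.192.0"),
    ("130.4.102.1", "255.255.240.0"),
    ("192.168.5.77", "255.255.255.224"),
]

if __name__ == "__main__":
    for ip, mask in EXAMPLES:
        subnet, bcast = subnet_and_broadcast(ip, mask)
        first, last = usable_hosts(ip, mask)
        print(f"{ip} {mask}: subnet {subnet}, broadcast {bcast}, "
              f"hosts {first} - {last}, ipaddress agrees: {cross_check(ip, mask)}")
```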


I Analyzing Existing Subnets

Figure 14-4 Subnet ID and Broadcast Address Responses Figure 14-11 Shortcut Broadcast Address Answers

Figure 14-8 Finding Subnet ID Shortcut Answers
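The subnet ID and broadcast rules above, carried out in code as an added example (not from the training book); the function names are mine, and the sample inputs are the chapter's own practice addresses.

```python
"""Subnet ID and broadcast address, octet by octet, the way the chapter does it.

Added example, not from the training book. It implements the chapter's three
rules for every octet of a dotted-decimal mask: 255 -> copy the IP octet,
0 -> write 0 (subnet ID) or 255 (broadcast), anything else -> use the magic
number 256 - mask octet (the block size). The function names are my own.
"""


def _octets(dotted: str) -> list:
    """Split '172.16.150.41' into [172, 16, 150, 41], rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 value: {dotted!r}")
    return [int(p) for p in parts]


def _check_mask(mask: list) -> None:
    """A subnet mask is a run of 1 bits followed by 0 bits; 255.0.255.0 is not one."""
    bits = "".join(f"{o:08b}" for o in mask)
    if "01" in bits:
        raise ValueError("not a contiguous subnet mask: " + ".".join(map(str, mask)))


def subnet_id(ip: str, mask: str) -> str:
    """Step 1: mask 255 -> copy the IP octet.  Step 2: mask 0 -> 0.
    Step 3: otherwise the subnet ID octet is the largest multiple of the magic
    number (256 - mask octet) that does not exceed the IP octet."""
    ip_o, mask_o = _octets(ip), _octets(mask)
    _check_mask(mask_o)
    out = []
    for i, m in zip(ip_o, mask_o):
        if m == 255:
            out.append(i)
        elif m == 0:
            out.append(0)
        else:
            magic = 256 - m
            out.append((i // magic) * magic)
    return ".".join(map(str, out))


def broadcast_address(ip: str, mask: str) -> str:
    """Step 1: mask 255 -> copy the IP octet.  Step 2: mask 0 -> 255.
    Step 3: otherwise add (magic number - 1) to the subnet ID octet."""
    sid_o, mask_o = _octets(subnet_id(ip, mask)), _octets(mask)
    out = []
    for s, m in zip(sid_o, mask_o):
        if m == 255:
            out.append(s)
        elif m == 0:
            out.append(255)
        else:
            out.append(s + (256 - m) - 1)
    return ".".join(map(str, out))


def _to_int(dotted: str) -> int:
    o = _octets(dotted)
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def _to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 255) for shift in (24, 16, 8, 0))


def usable_host_range(ip: str, mask: str) -> tuple:
    """First and last address that may be given to a host: the two addresses the
    chapter says cannot be used (subnet ID and broadcast) are excluded."""
    low = _to_int(subnet_id(ip, mask)) + 1
    high = _to_int(broadcast_address(ip, mask)) - 1
    if high < low:  # /31 and /32 masks leave no host addresses under this rule
        raise ValueError("no usable host addresses with mask " + mask)
    return _to_dotted(low), _to_dotted(high)


if __name__ == "__main__":
    # The chapter's own practice values (figures 14-6 to 14-10).
    for ip, mask in [("172.16.150.41", "255.255.192.0"),
                     ("130.4.102.1", "255.255.240.0"),
                     ("192.168.5.77", "255.255.255.224")]:
        print(ip, mask, "->", subnet_id(ip, mask), broadcast_address(ip, mask),
              usable_host_range(ip, mask))
```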


Chapter - 6 IPv4 Routing
I Cisco Router Management
I IPv4 Static Routes
I IPv4 Routing on LAN
I IPv4 Routing Troubleshooting

Cisco Router Management
I Running the Router
I Cisco ISR Router
I Cisco Router Interface
I Router Interface IP Address
I Router Auxiliary Port

I Cisco Router Management

Running a Router
The first time you turn on a Cisco router, it runs a power-on self-test (POST). If it passes, it searches for Cisco IOS in flash and loads it (if an IOS file exists). (By the way, if you don't know, flash memory is an electronically erasable programmable read-only memory, EEPROM.) After that, IOS loads and looks for a valid configuration (startup-config). It is stored in non-volatile RAM (NVRAM).

The following messages are the ones that appear when you first boot or reload a router.

System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Initializing memory for ECC
c2811 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC enabled
Upgrade ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80

This is the first part of the router boot process output. It is the information about the bootstrap program, shown when the POST runs first. Then it tells the router how to load (the default is to find IOS in flash memory). It also lists the RAM size in the router. The next output shows us IOS being decompressed into RAM:

program load complete, entry point: 0x8000f000, size: 0x14b45f8
Self decompressing the image :
##############################################################
######
############################################ [OK]

Pound signs tell us that IOS is being loaded into RAM. After IOS is decompressed into RAM, IOS is loaded and the router starts working as seen below. Note that the IOS version is the Advanced Security version 12.4(12):

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(12), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 17-Nov-06 12:02 by prod_rel_team
Image text-base: 0x40093160, data-base: 0x41AA0000
I Cisco Router Management

One of the nice new features of ISR routers is that the IOS name is not encrypted. The filename actually tells you what IOS can do, as in Advanced Security. When IOS is loaded, the information learned from POST will be displayed. You can see it below.

[some output cut]
Cisco 2811 (revision 49.46) with 249856K/12288K bytes of memory.
Processor board ID FTX1049A1AB
2 FastEthernet interfaces
4 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

There are two FastEthernet interfaces, four serial interfaces and a VPN module. The sizes of RAM, NVRAM and flash are also displayed. The router output above shows us 256MB of RAM, 239K of NVRAM and 64MB of flash.

Note: When IOS is loaded and running, the saved configuration (called startup-config) is copied from NVRAM to RAM. The copy placed in RAM is designated as running-config.

Figure 15-1 A General Enterprise Network Diagram

Cisco Integrated Services Routers (ISR)
Vendors, including Cisco, often have several different types of router models. Routers today often do a lot more than just forward packets; they actually act as a device or platform to provide many network services. Cisco even branded enterprise routers not only as routers, but also as "Integrated Services Routers (ISRs)", emphasizing the multi-purpose nature of the products.
I Cisco Router Management

As an example, let's take the network functions needed in a typical branch office. A typical corporate branch office needs a router for WAN/LAN connectivity and a LAN switch to provide LAN connections. Many branches also need Voice over IP (VoIP) services to support IP phones, and various security services. In addition, it is difficult to imagine a company today with users without Wi-Fi access. Therefore, Cisco has single router models that act as both routers and switches and provide other functions, rather than requiring multiple separate devices in a company, as shown in Figure 15-2.

Figure 15-2 A more detailed Enterprise Network Diagram

Figure 15-3 Cisco 4321 Integrated Services Router (ISR) Model Router Photograph

Figure 15-3 shows a photo of the Cisco 4321 ISR and some of its more important features. The figure shows a complete view of the back of the router. This model comes with two internal Gigabit Ethernet interfaces and two modular slots that allow you to add small cards called Network Interface Modules (NIMs). An example NIM (a NIM providing two serial interfaces) is shown on the right of the figure. It has other ports as well, including an RJ-45 console port and a USB console port.

Note: Cisco had covered serial connection issues (Bandwidth and Clock Rate on Serial Interfaces) in the CCNA curriculum since 1998, but since this technology is not used much anymore, CCNA 200-301 has removed it from the training content.
I Cisco Router Management

Cisco Router Interfaces

Accessing the Cisco router CLI is the same as in switches. We can connect via Console, Telnet and SSH. If you forgot these connection methods, you can refer to Chapter-2 topic 4, CLI usage, again. Below we can see some types of interfaces used in the router.

interface ethernet 0
interface fastethernet 0/1
interface gigabitethernet 0/0
interface gigabitethernet 0/1/0
interface serial 1/0/1

Router Interface IP Address

Figure 15-4 IPv4 Address Example Diagram

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface G0/0
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface S0/0/0
R1(config-if)# ip address 172.16.4.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# interface G0/1/0
R1(config-if)# ip address 172.16.5.1 255.255.255.0
R1(config-if)# no shutdown
R1(config-if)# ^Z
R1#
IPv4 Static Routes
I IP Routing
I IP Routing Process
I IP Routing Example
I Configuration

I IPv4 Static Routes

IP Routing

This is an important topic to understand, as all routes and configurations are IP related. IP routing is the process of moving packets from one network to another using routers.

Before we start this section, you have to know the difference between a routing protocol and a routed protocol. A routing protocol is used by routers to dynamically find all networks in the internetwork and ensure that all routers have the same networks in their routing tables. Essentially, a routing protocol determines the path a packet will follow through the internetwork. Examples of routing protocols are RIP, RIPv2, EIGRP and OSPF. When the routers have learned all the networks, the routed protocol can be used to send user data (packets) over the structure that has been set up. Examples of routed protocols are IPv4 and IPv6.

Figure 16-1 Host Routing Logic Summary

IP Routing Process

We've seen the basics of IP Routing in Chapter 1, topic 3, and in this chapter we'll use the IP addressing terms we covered in chapters 2, 3, and 4.

Figure 16-2 Routing Logic Summary of Router
I IPv4 Static Routes

IP Routing Example

Our IP address is 172.16.1.9 / 24
Destination IP 172.16.2.9 / 24
Our Default Gateway Address is 172.16.1.1

Since the destination is on a different subnet, we place our MAC address in the Ethernet frame and send the packet to our default gateway.

Figure 16-3 Example of routing in five steps
Figure 16-4 Host A sends the packet to Host B.

Step 1: Router 1 checks the destination MAC and the FCS of the incoming frame; if there is no error, it goes to step 2.
Step 2: Router 1 de-encapsulates the incoming packet.
Step 3: Router 1 looks in the routing table for the destination IP of the incoming packet and, if there is a route in the table, selects the interface to send it out of.
Step 4: Router 1 encapsulates the packet again.
Step 5: Router 1 sends the ready frame.

If the packet were to go to 172.16.3.9, Router 1 would send it out of the G0/1/0 LAN interface, encapsulating the packet in an Ethernet frame rather than HDLC.

Configuring IP Addresses I am writing the Router 1 Ip configuration as an example, let's configure the other
routers together.

R1#
interface GigabitEthernet0/0
ip address 172.16.1.1 255.255.255.0
interface Serial0/0/0
ip address 172.16.4.1 255.255.255.0
interface GigabitEthernet0/1/0
ip address 172.16.5.1 255.255.255.0

R1# show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP


Gateway of last resort is not set
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.16.1.0/24 is directly connected, GigabitEthernet0/0
L 172.16.1.1/32 is directly connected, GigabitEthernet0/0
Figure 16-5 Simple network diagram configuration. C 172.16.4.0/24 is directly connected, Serial0/0/0
L 172.16.4.1/32 is directly connected, Serial0/0/0
C 172.16.5.0/24 is directly connected, GigabitEthernet0/1/0
L 172.16.5.1/32 is directly connected, GigabitEthernet0/1/0

R1# show ip arp


Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.1.1 - 0200.2222.2222 ARPA GigabitEthernet0/0
Internet 172.16.1.9 35 0200.3333.3333 ARPA GigabitEthernet0/0
I IPv4 Static Routes

Configuring Static Routes

R1#
ip route 172.16.2.0 255.255.255.0 S0/0/0
ip route 172.16.3.0 255.255.255.0 172.16.5.3
R1# show ip route static

Figure 16-6 Static Routes Concept

Static Host Routes

The first line sets 10.2.2.2 as the next-hop router for the 10.1.1.0 subnet; the second line sends traffic for the 10.1.1.9 host, which is on that same subnet, to 10.9.9.9 instead.

ip route 10.1.1.0 255.255.255.0 10.2.2.2
ip route 10.1.1.9 255.255.255.255 10.9.9.9

Floating Static Routes

If you pay attention to the command line below, you will see the number 130 at the end of the line. Now you will ask what this is: it is the administrative distance. Administrative distance is the priority order in the routing table. OSPF's default AD is 110 and a static route's is 1, but here it is changed to 130, so the OSPF route has first priority.

ip route 172.16.2.0 255.255.255.0 172.16.5.3 130

Figure 16-7 Using Floating Static Route for Subnet 172.16.2.0

Static Default Routes

R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# ip route 0.0.0.0 0.0.0.0 s0/0/1
R2(config)# ^Z
R2# show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Serial0/0/1
IPv4 Routing LAN
I VLAN Routing with Router 802.1Q Trunk
I Configuring ROAS ( Router On A Stick )
I Configuring VLAN Routing with SVI
I Configuring VLAN Routing with Route Port
I Layer 3 EtherChannel

I IPv4 Routing (LAN)

VLAN Routing with Router 802.1Q Trunk
Routing by connecting a separate cable to the router for each VLAN on the switch will not be very useful. There are more functional ways of doing this, and I'll teach you about them. What are our options? Let's take a look at them:
Router-On-A-Stick (ROAS)
Switched Virtual Interfaces (SVI) on a Layer 3 Switch
VLAN Routing with a Routed Port on a Layer 3 Switch
EtherChannel on a Layer 3 Switch

Figure 17-1 Example of Using Layer 3 Switch in Central Location

ROAS ( Router On A Stick ) Configuration
In the example below, there are two VLANs on the switch and it is connected to the router with a single cable. In this case, we create sub-interfaces and let the different VLANs pass over the single connection.

Figure 17-2 Example of ROAS with Subinterfaces on Router B1

B1# show running-config
! Only pertinent lines shown
interface gigabitethernet 0/0
! No IP address up here! No encapsulation up here!
!
interface gigabitethernet 0/0.10
encapsulation dot1q 10
ip address 10.1.10.1 255.255.255.0
!
interface gigabitethernet 0/0.20
encapsulation dot1q 20
ip address 10.1.20.1 255.255.255.0
I IPv4 Routing (LAN)

Configuring VLAN Routing with Layer 3 SVI
Using a router with ROAS to route packets makes sense in some situations, especially in small networks. In networks with larger LANs, we prefer to use Layer 3 switches for inter-VLAN routing.

Figure 17-3 Example of Routing Using VLAN Interfaces on Layer 3 Switch

ip routing
!
interface vlan 10
ip address 10.1.10.1 255.255.255.0
!
interface vlan 20
ip address 10.1.20.1 255.255.255.0
!
interface vlan 30
ip address 10.1.30.1 255.255.255.0
!
SW1# show ip route

Configuring VLAN Routing with Routed Port on Layer 3 Switch
When we use SVIs on Layer 3 switches, the physical interfaces work at Layer 2 as usual: the Ethernet port receives the frame, the switch learns the source MAC, and it forwards the frame according to the frame's destination MAC address. Instead, we can make a physical port of the Layer 3 switch a routed port by putting it into Layer 3 (routed) mode.

Figure 17-4 Example of Routing Using Route Port on Layer 3 Switch

ip routing
!
interface vlan 10
ip address 10.1.10.1 255.255.255.0
!
interface vlan 20
ip address 10.1.20.1 255.255.255.0
!
interface gigabitethernet 0/1
no switchport
ip address 10.1.30.1 255.255.255.0

SW1# show ip route
I IPv4 Routing (LAN)

EtherChannel on Layer 3 Switch


If you prefer multiple and redundant connections rather than a single
connection, you can use the Layer 3 EtherChannel application.

Figure 17-5 Example of Layer 3 EtherChannel

interface GigabitEthernet1/0/13
no switchport
no ip address
channel-group 12 mode desirable
!
interface GigabitEthernet1/0/14
no switchport
no ip address
channel-group 12 mode desirable
!
interface Port-channel12
no switchport
ip address 10.1.12.1 255.255.255.0
IPv4 Routing Troubleshooting
I Troubleshooting Using the Ping Command
I Using Extended Ping
I Using the TraceRoute Command
I Using Extended TraceRoute
I Telnet and SSH Troubleshooting

I IPv4 Routing Troubleshooting

Troubleshooting Using the Ping Command
Debugging IP addressing is clearly a very important skill. That's why this is where I'm going to show you the Cisco method of debugging IP addressing. Let's look at Figure 18-1 for an example of a simple IP problem. Poor Sally cannot connect to the Windows server. Can you handle this by calling the Microsoft team and mentioning that their server is a pile of garbage and is causing all your problems? Probably not such a good idea. Let's revisit our network instead.

Let's get started by following Cisco's troubleshooting steps. They are quite simple, but equally important. Imagine you are at the client's machine and cannot communicate with the server that is on a remote network. Below are the four Cisco recommended troubleshooting steps:

Figure 18-1 Example of Simple Troubleshooting

Step 1: Open a command (cmd) window and ping 127.0.0.1. This is the system diagnostic or loopback address, and your TCP/IP stack is considered to be working if you can ping it. If you can't, then you have an IP stack problem and need to reinstall TCP/IP on the host.

C:\Users\Yavuz>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 2: Ping the IP address of the local host from the command window. If this is successful, your network interface card (NIC) is working. If you can't, then there is a problem with the NIC. Success here does not mean that the cable is plugged into the NIC; it only means that the IP protocol stack on the host can communicate with the NIC (with the help of the LAN driver).

C:\>ping 172.16.10.2
Pinging 172.16.10.2 with 32 bytes of data:
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
Reply from 172.16.10.2: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.10.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
I IPv4 Routing Troubleshooting

Step 3: From the command window, ping the default gateway. If the ping works, it means that the NIC is connected to the network and can communicate with the local network. If it doesn't, you have a physical network problem somewhere between the NIC and the router.

C:\>ping 172.16.10.1
Pinging 172.16.10.1 with 32 bytes of data:
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Reply from 172.16.10.1: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Step 4: If steps 1 to 3 are successful, try to ping the remote server. If this works, there is IP communication between the local host and the remote server, and you also know that the remote physical network is working.

C:\>ping 172.16.20.2
Pinging 172.16.20.2 with 32 bytes of data:
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
Reply from 172.16.20.2: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.20.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

If the user is still not able to communicate with the server after steps 1 to 4 are successful, you probably have a name resolution problem and you should check your Domain Name System (DNS) settings. But if there is a problem pinging the remote server, you know you have a physical network problem, and you need to go to the server machine and do steps 1 to 3 until you find the problem.

Before we discuss IP address problems and how to fix them, I want to describe some basic DOS commands you can use to help troubleshoot your network from both a PC and a Cisco router (the commands may do the same thing, but they work differently):

Packet InterNet Groper (ping): On a network, ping uses ICMP echo request and reply to test if the IP stack has started and is active.

traceroute: Displays a list of routers in the path to a destination network, using TTL time-outs and ICMP error messages. This command will not work from a DOS command prompt.

tracert: Same command as traceroute, but a Microsoft Windows command; it will not work on a Cisco router.

arp -a: Used for IP-to-MAC address mapping on a Windows PC.

show ip arp: Same command as arp -a, but displays the ARP table on a Cisco router. Like the traceroute and tracert commands, they are not interchangeable between DOS and Cisco.

ipconfig /all: Only available from the DOS command line, it will show you the PC network configuration.
I IPv4 Routing Troubleshooting

Using Extended Ping to Test the Reverse Route

Figure 18-2 Extended Ping

R1# ping
Protocol [ip]:
Target IP address: 172.16.2.101
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.101, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Troubleshooting Using the TraceRoute Command
Like ping, the traceroute command helps network engineers isolate problems. Here is a comparison of the two:

Both send messages on the network to test the connection.
Both expect a reply to the message they send.
Both have broad support on many different operating systems.
Both can use a hostname or IP address to identify the target.
Routers have a standard and an extended version of both, allowing better testing of the reverse route.

Figure 18-3 Simple traceroute example.

traceroute 172.16.2.101
traceroute to 172.16.2.101, 64 hops max, 52 byte packets
1 172.16.1.1 (172.16.1.1) 0.870 ms 0.520 ms 0.496 ms
2 172.16.4.2 (172.16.4.2) 8.263 ms 7.518 ms 9.319 ms
3 172.16.2.101 (172.16.2.101) 16.770 ms 9.819 ms 9.830 ms
I IPv4 Routing Troubleshooting

Standard and Extended Traceroute

R1# traceroute 172.16.2.101
Type escape sequence to abort.
Tracing the route to 172.16.2.101
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.4.2 0 msec 0 msec 0 msec
2 172.16.2.101 0 msec 0 msec *

R1# traceroute
Protocol [ip]:
Target IP address: 172.16.2.101
Source address: 172.16.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 172.16.2.101
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.4.2 0 msec 0 msec 0 msec
2 172.16.2.101 0 msec 0 msec *

Telnet and SSH Troubleshooting

Telnet and SSH work from PC1 to R1 but not from PC1 to R2 and R3.

Figure 18-4 Telnet and SSH Error Example.

Telnet and SSH from PC1 to R1, from R1 to R2 and from R2 to R3 are working, but if PC1 still cannot reach devices other than R1, there is probably a routing problem.

Figure 18-5 Example of Telnet and SSH.


Chapter - 7 OSPF
I OSPF Concepts
I OSPF Applications
I OSPF Network Types and Neighbors

OSPF Concepts
I OSPF Fundamentals
I Interior and Exterior Routing Protocols
I Administrative Distance
I Neighbors
I OSPF Areas and LSAs

I OSPF Concepts

Open Shortest Path First (OSPF) Fundamentals

Open Shortest Path First (OSPF) is an open standard routing protocol implemented by many manufacturers, including Cisco. If you have multiple routers and they are not all Cisco, you cannot use EIGRP. Your remaining options are basically RIP, RIPv2, and OSPF. If it's a large network, then your only real options are OSPF and route redistribution. Redistribution is a conversion service between routing protocols.

OSPF works using the Dijkstra algorithm. First, a shortest path first (SPF) tree is built, and the resulting best paths are placed in the routing table. Although not as fast as EIGRP, OSPF converges quickly and supports multiple equal-cost routes to the same destination. Like EIGRP, it supports both the IPv4 and IPv6 routed protocols.

OSPF provides the following features:
It consists of areas and autonomous systems.
It minimizes routing update traffic.
It provides scalability.
It supports subnets / prefixes.
It has an unlimited number of hops.
Many manufacturers allow its deployment (open standard).
OSPF is the link-state routing protocol most people are familiar with.

Routing Protocol: It consists of a set of messages, rules and algorithms used by routers to learn routes. This process includes the exchange and analysis of routing information. Each router chooses the best route for each subnet (route selection) and finally places these best routes in the IP routing table. Examples include RIP, EIGRP, OSPF, and BGP.

Routed Protocol and Routable Protocol: Both terms refer to a protocol that defines packet structure and logical addressing, allowing routers to route or forward packets. Routers forward packets defined by routed and routable protocols. Examples are IP Version 4 (IPv4) and IP Version 6 (IPv6).

Interior and Exterior Routing Protocols

IGP: A routing protocol designed for use within a single autonomous system (AS). For example RIPv2, EIGRP and OSPF.

EGP: A routing protocol designed to be used between different autonomous systems. For example BGP (Border Gateway Protocol).
I OSPF Concepts

IGP Routing Protocol Algorithms

The basic algorithm of a routing protocol determines how it will do the routing work. The term routing protocol algorithm refers to the logic and processes of learning all routes, choosing the best path for each subnet, and using different methods to solve the convergence problem in response to changes in the network. IGP routing protocols use three different algorithms:

Distance vector (sometimes called Bellman-Ford after its creators)
Advanced distance vector (sometimes called "balanced hybrid")
Link state

Figure 19-1 Example of IGP and EGP Routing Protocols

Metrics
A metric is used to compare routes and choose the best route.

Comparing Interior Gateway Protocols

Companies have several IGP options for their corporate networks, but most companies nowadays use OSPF or EIGRP. We will learn the OSPFv2 protocol; EIGRP is in the training content of the CCNP Enterprise certification.

Figure 19-2 IGP Metrics
I OSPF Concepts

If a router receives two updates listing the same remote network, the first thing the router checks is the AD. If one of the advertised routes has a lower AD than the other, the route with the lowest AD will be put in the routing table.

If two advertised routes for the same network have the same AD, routing protocol metrics (hop count or line bandwidth) will be used to find the best route to the remote network. The advertised route with the lowest metric will be put in the routing table. If two advertised routes have both the same AD and the same metric, then the routing protocol will load-balance to the remote network (packets will be sent over both links).

Figure 19-3 Comparison of RIP and OSPF Metrics

Table 19-4 Comparison of IGP Protocols

Administrative Distance
It is used to rate the trustworthiness of routing information received from a neighboring router. An administrative distance is a number between 0 and 255: 0 is the most trusted and 255 is untrusted; an AD of 255 means no traffic will be passed through this route.

Table 19-5 Default Administrative Distances
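An added example (not from the training book) of the selection rule just described, also covering the floating static route from the IPv4 Static Routes chapter. The candidate routes for R1 are constructed from the chapter's configurations; the OSPF metrics, the 172.16.6.0/24 routes and the default route are made up for the example, and DEFAULT_AD holds IOS default values.

```python
"""Route selection: lowest AD, then lowest metric, then load balancing; forwarding
by longest prefix match.

Added example, not from the training book. It models the chapter's rule for
choosing which candidate route is installed (AD first, then metric, equal on
both -> all kept and load-balanced) and shows the floating static route from
the IPv4 Static Routes chapter (static AD raised to 130 so OSPF's 110 wins).
Next hops, OSPF metrics and the default route below are constructed to mirror
the chapter's R1 examples; DEFAULT_AD holds IOS default values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str          # "172.16.2.0/24"
    next_hop: str        # next-hop IP or outgoing interface, as in ip route
    source: str          # key of DEFAULT_AD
    metric: int = 0
    ad: Optional[int] = None   # explicit AD (floating static), else the default

    def admin_distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad

    def network(self) -> IPv4Network:
        return IPv4Network(self.prefix)


def install(candidates: List[Route]) -> Dict[IPv4Network, List[Route]]:
    """Per prefix: lowest AD wins; same AD -> lowest metric; same AD and metric
    -> all of them are installed (equal-cost load balancing)."""
    by_prefix: Dict[IPv4Network, List[Route]] = {}
    for r in candidates:
        by_prefix.setdefault(r.network(), []).append(r)
    table: Dict[IPv4Network, List[Route]] = {}
    for prefix, routes in by_prefix.items():
        best = min((r.admin_distance(), r.metric) for r in routes)
        table[prefix] = [r for r in routes if (r.admin_distance(), r.metric) == best]
    return table


def lookup(table: Dict[IPv4Network, List[Route]], dst: str) -> List[Route]:
    """Forwarding: among installed prefixes containing dst, take the longest one.
    Returns [] when nothing matches and no default route exists (packet dropped)."""
    addr = IPv4Address(dst)
    matches = [p for p in table if addr in p]
    if not matches:
        return []
    return table[max(matches, key=lambda p: p.prefixlen)]


def next_hops(candidates: List[Route], dst: str) -> List[str]:
    """Next hop(s) a packet to dst would take given these candidate routes."""
    return sorted(r.next_hop for r in lookup(install(candidates), dst))


def without(candidates: List[Route], source: str, prefix: str) -> List[Route]:
    """Simulate a route being withdrawn (e.g. the OSPF neighbor goes down)."""
    return [r for r in candidates if not (r.source == source and r.prefix == prefix)]


# Constructed candidate routes for R1, mirroring the chapter's configuration.
R1_ROUTES = [
    Route("172.16.1.0/24", "GigabitEthernet0/0", "connected"),
    Route("172.16.4.0/24", "Serial0/0/0", "connected"),
    Route("172.16.5.0/24", "GigabitEthernet0/1/0", "connected"),
    Route("172.16.3.0/24", "172.16.5.3", "static"),
    # Floating static: ip route 172.16.2.0 255.255.255.0 172.16.5.3 130
    Route("172.16.2.0/24", "172.16.5.3", "static", ad=130),
    Route("172.16.2.0/24", "172.16.4.2", "ospf", metric=65),       # OSPF, AD 110
    # Two OSPF routes with equal cost -> both installed, load balanced
    Route("172.16.6.0/24", "172.16.4.2", "ospf", metric=129),
    Route("172.16.6.0/24", "172.16.5.3", "ospf", metric=129),
    # Host route (/32) beats the subnet route by longest prefix, not by AD
    Route("10.1.1.0/24", "10.2.2.2", "static"),
    Route("10.1.1.9/32", "10.9.9.9", "static"),
    Route("0.0.0.0/0", "Serial0/0/1", "static"),   # default route: gateway of last resort
]

if __name__ == "__main__":
    for dst in ("172.16.2.9", "172.16.6.10", "10.1.1.9", "10.1.1.7", "8.8.8.8"):
        print(dst, "->", next_hops(R1_ROUTES, dst))
    # OSPF route lost: the floating static route takes over
    print("172.16.2.9 without OSPF ->",
          next_hops(without(R1_ROUTES, "ospf",
                            "172.16.2.0/24"), "172.16.2.9"))
```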
I OSPF Concepts

OSPF Terminology

Link: A link is a network or router interface assigned to a particular network. When an interface is added to the OSPF process, it is considered a link on the OSPF side. This link or interface will have status information about up/down and one or more IP addresses.

Router ID: While OSPF has many optional features, most enterprises using OSPF choose to configure an OSPF Router ID on each router. OSPF-speaking routers must have a Router ID (RID) to function properly. By default, routers will choose an interface IP address to use as the RID. However, many network engineers prefer to specify the router ID of each router, so the output from commands like show ip ospf neighbor lists more recognizable Router IDs.

The router uses the following methods to select the Router ID.
If the Router ID is entered while configuring OSPF, it uses this ID.
Otherwise, if any loopback interface is configured and up, the IP address of the loopback interface with the highest IP is used as the Router ID.
If neither of the two options above is available, the Router ID is the highest IP address among the up interfaces.

Neighbor: Neighbors are two or more routers that each have an interface on a common network, such as two routers connected by a point-to-point serial link.

Adjacency: An adjacency is a relationship between two OSPF routers that allows them to exchange route updates directly. OSPF is very selective in sharing routing information, unlike EIGRP, which shares routes directly with all its neighbors. OSPF only shares routes with neighbors with which it has established an adjacency. Not all neighbors will be adjacent; this depends on both the network type and the configuration of the routers.

Hello protocol: The OSPF Hello protocol provides dynamic neighbor discovery and maintains neighbor relationships. Hello packets and Link State Advertisements (LSAs) create and maintain a topological database. Hello packets are sent to 224.0.0.5.

Figure 19-6 OSPF Hello Packet
I OSPF Concepts

Designated Router: A designated router (DR) is elected when OSPF routers are connected to the same multi-access network, that is, a network with a large number of receivers. Try not to confuse multi-access with multipoint; they are easily confused.

The prime example is an Ethernet LAN. To minimize the number of adjacencies, a DR is elected to spread and receive routing information to and from the other routers on the broadcast network or link. This ensures that the topology tables are synchronized. All routers on the shared network will be adjacent to the DR and the backup designated router (BDR). The election is won by the router with the highest priority, and if the priority is the same across multiple routers, the Router ID is used for DR selection.

Backup Designated Router: A backup designated router (BDR) is the backup for the DR on multi-access links (remember that Cisco sometimes refers to them as broadcast networks). The BDR receives all routing updates from OSPF neighbor routers, but does not send LSA updates.

Figure 19-7 DR and BDR selection and Database Exchange over Ethernet

Calculating the Best Route

OSPF LSAs contain useful information, but not the specific information that must be added to the router's IPv4 routing table. So, to know which routes to add to the routing table, each router needs to do some SPF math to choose the best routes. Then it selects the next-hop router and adds it to the table, together with the interface it will send out of.

Figure 19-8 Path selection for the best route.

Note: We will look at the cost values in detail while doing the configuration exercises.
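The Router ID rules from the OSPF Terminology section and the DR/BDR election described above, as one added example (not the book's code). The routers, interface addresses and priorities are constructed; the priority-0 and non-preemption behaviour noted in the comments are IOS facts that go beyond the chapter text.

```python
"""OSPF Router ID selection and DR/BDR election (added example, not the book's code).

Serves the Router ID rules in the OSPF Terminology section and the DR/BDR
election described under Designated Router. Router ID: (1) the router-id
configured under router ospf, else (2) the highest IP among up loopback
interfaces, else (3) the highest IP among the other up interfaces. DR/BDR:
highest priority wins, ties broken by highest Router ID, runner-up is BDR.
Routers, interface names and addresses below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    ip: str
    up: bool = True

    def is_loopback(self) -> bool:
        return self.name.lower().startswith("loopback")


@dataclass
class Router:
    hostname: str
    interfaces: List[Interface] = field(default_factory=list)
    configured_rid: Optional[str] = None   # "router-id x.x.x.x" under router ospf
    priority: int = 1                      # IOS default "ip ospf priority"


def choose_router_id(router: Router) -> str:
    """Apply the three RID rules in order; raise if no interface is usable."""
    if router.configured_rid:
        return router.configured_rid                      # rule 1
    up = [i for i in router.interfaces if i.up]
    loopbacks = [i for i in up if i.is_loopback()]
    pool = loopbacks or up                                 # rule 2, then rule 3
    if not pool:
        raise ValueError(f"{router.hostname}: no up interface with an IP, OSPF cannot start")
    return str(max(IPv4Address(i.ip) for i in pool))


def elect_dr_bdr(segment: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """DR and BDR hostnames for routers sharing one multi-access segment.
    Priority 0 (an IOS rule not in the chapter text) makes a router ineligible.
    This models a fresh election; a live OSPF segment does not preempt an existing DR."""
    eligible = [r for r in segment if r.priority > 0]
    ranked = sorted(eligible,
                    key=lambda r: (r.priority, IPv4Address(choose_router_id(r))),
                    reverse=True)
    dr = ranked[0].hostname if ranked else None
    bdr = ranked[1].hostname if len(ranked) > 1 else None
    return dr, bdr


def with_priority(router: Router, priority: int) -> Router:
    """Copy of a router with a different ip ospf priority on this segment."""
    return Router(router.hostname, router.interfaces, router.configured_rid, priority)


# Constructed routers on one Ethernet segment.
R1 = Router("R1", [Interface("GigabitEthernet0/0", "172.16.1.1"),
                   Interface("Loopback0", "10.255.255.1")], configured_rid="1.1.1.1")
R2 = Router("R2", [Interface("GigabitEthernet0/0", "172.16.4.2"),
                   Interface("Loopback0", "10.2.2.2"),
                   Interface("Loopback1", "10.200.0.1", up=False)])   # down: ignored
R3 = Router("R3", [Interface("GigabitEthernet0/0", "172.16.2.1"),
                   Interface("GigabitEthernet0/1", "172.16.5.3")])    # no loopback

if __name__ == "__main__":
    for r in (R1, R2, R3):
        print(r.hostname, "router-id", choose_router_id(r))
    print("all priority 1:", elect_dr_bdr([R1, R2, R3]))
    print("R1 priority 200:", elect_dr_bdr([with_priority(R1, 200), R2, R3]))
    print("R3 priority 0:", elect_dr_bdr([R1, R2, with_priority(R3, 0)]))
```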
I OSPF Concepts

OSPF Areas and LSAs

A single-area design can be used in networks that are not very wide and did not need much thought while being designed. You just turn on OSPF on all routers, put all interfaces in the same area (usually area 0) and it works! Figure 19-9 shows 11 routers configured with Area 0.

Figure 19-9 Single Area OSPF

Larger OSPFv2 networks may also use a single-area design. For example, now imagine a corporate network with 900 routers and several thousand subnets instead of just 11. As it turns out, it takes a lot of CPU time to run the SPF algorithm on all this topology data. As a result, the OSPFv2 convergence time may be too slow to react to changes in the network. Routers may also run short of RAM.

We can list the problems related to a single-area design as follows.
A larger topology also requires more memory for the router database.
The larger the database, the longer it takes to process the SPF algorithm in the router. It will require more CPU power.
A single interface status change (up or down) anywhere on the network causes the SPF (Shortest Path First) algorithm to run again in every router.

OSPF Areas
OSPF area design follows a few basic rules. To apply the rules, after you have properly drawn the networks and determined the router interfaces, select the areas for each router and interface as follows:

Place all interfaces connected to the same subnet in the same area.
Areas must be contiguous.
Some routers may have all interfaces in a single area.
Some routers are Area Border Routers (ABRs) because some of their interfaces connect to the backbone area and some to a non-backbone area.
All non-backbone areas must have a way to reach the backbone area (area 0) through at least one ABR that connects to both the backbone area and the non-backbone area.
I OSPF Concepts

Figure 19-10 Three OSPFv2 LSA Types Seen by Multi-Area OSPF Design

Figure 19-9 Three-Area OSPF with D1 and D2 as ABRs

LSA (Link State Advertisement)

A Link State Advertisement (LSA) is an OSPF data packet containing link-state and routing information shared between OSPF routers. An OSPF router will only exchange LSA packets with routers with which it has set up an adjacency. When we look at it with the show ip ospf database command, it will seem like a lot of complex output, but you will become familiar with it over time.
OSPF Applications
• Single-Area OSPF Applications
• Wildcard Mask
• Verify OSPF
• Configuring the OSPF Router ID
• Multi-Area OSPF Configuration
• Configuring OSPF Under Interface
• OSPF Additional Features

Single-Area OSPF Applications

The way to understand the OSPFv2 configuration shown in this example is to
understand the OSPF network command. The OSPF network command
compares the first parameter in the command with the IP address of each
interface in the local router, trying to find a match. However, instead of
comparing the entire number in the network command with the entire IP
address on the interface, the router uses the wildcard mask to decide which
parts to compare, as follows:

Wildcard Matching with the network Command

Wildcard 0.0.0.0: Compare all four octets. In other words, the numbers must
match exactly.

Wildcard 0.0.0.255: Compare only the first three octets. Ignore the last octet
when comparing numbers.

Wildcard 0.0.255.255: Compare only the first two octets. Ignore the last two
octets when comparing numbers.

Wildcard 0.255.255.255: Compare only the first octet. Ignore the last three
octets when comparing numbers.

Wildcard 255.255.255.255: Do not compare anything; this wildcard mask
means all addresses will match the network command.

The general rule behind these cases is bit by bit: a 0 bit in the wildcard
means that bit must match, a 1 bit means that bit is ignored, so a wildcard
does not have to be octet-aligned (0.0.0.3 matches a /30 subnet, for
example).

Figure 20-1 Example OSPFv2 configuration

interface GigabitEthernet0/0.1
 encapsulation dot1q 1 native
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0.2
 encapsulation dot1q 2
 ip address 10.1.2.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 10.1.12.1 255.255.255.0
!
interface GigabitEthernet0/1/0
 ip address 10.1.13.1 255.255.255.0
!
interface GigabitEthernet0/2/0
 ip address 10.1.14.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0

Let's understand the working logic by making the configurations on other
routers together and using different wildcard masks on those routers.
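To see exactly which interfaces a network command enables, here is an added Python example (written for this page; it is not the book's code and not Cisco code) that implements the bit-level wildcard rule and applies it to R1's interfaces from Figure 20-1. The interface names and addresses are copied from the figure; the second set of network commands is the multi-area configuration shown later in this chapter. One simplification is assumed: when several network commands overlap, the first one in configuration order wins here, and the real IOS tie-break is not modelled.

```python
import ipaddress

# Interfaces of R1 from Figure 20-1 (addresses copied from the page).
R1_INTERFACES = {
    "GigabitEthernet0/0.1": "10.1.1.1",
    "GigabitEthernet0/0.2": "10.1.2.1",
    "GigabitEthernet0/0/0": "10.1.12.1",
    "GigabitEthernet0/1/0": "10.1.13.1",
    "GigabitEthernet0/2/0": "10.1.14.1",
}


def wildcard_matches(address: str, network: str, wildcard: str) -> bool:
    """Return True if `address` matches `network <network> <wildcard>`.

    A 0 bit in the wildcard means 'this bit must match'; a 1 bit means
    'ignore this bit'.  The octet-by-octet descriptions in the text are
    the common special cases of this rule.
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits the router actually compares
    return (a & care) == (n & care)


def wildcard_from_mask(subnet_mask: str) -> str:
    """Convert a subnet mask to the wildcard that matches the same subnet
    (its bitwise inverse), e.g. 255.255.255.0 -> 0.0.0.255."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(~m & 0xFFFFFFFF))


def interfaces_enabled(interfaces: dict, network_cmds: list) -> dict:
    """Map each interface name to the OSPF area it is placed in.

    `network_cmds` is a list of (network, wildcard, area) tuples in
    configuration order.  Assumption: the first matching command wins;
    the IOS tie-break for overlapping commands is not modelled here.
    Interfaces that match no command are left out (OSPF not enabled).
    """
    result = {}
    for name, addr in interfaces.items():
        for network, wildcard, area in network_cmds:
            if wildcard_matches(addr, network, wildcard):
                result[name] = area
                break
    return result


# The single command from Figure 20-1 ...
SINGLE_AREA = [("10.0.0.0", "0.255.255.255", 0)]
# ... and the multi-area commands configured later in this chapter.
MULTI_AREA = [
    ("10.1.1.0", "0.0.0.255", 0),
    ("10.1.2.0", "0.0.0.255", 0),
    ("10.1.12.0", "0.0.0.255", 23),
    ("10.1.13.0", "0.0.0.255", 23),
    ("10.1.14.0", "0.0.0.255", 4),
]

if __name__ == "__main__":
    for name, area in interfaces_enabled(R1_INTERFACES, MULTI_AREA).items():
        print(f"{name:22} area {area}")
```

Running it prints one line per interface with the area it lands in; an interface whose address matches no network command never starts OSPF, which is the usual cause of a "missing" neighbor after a typo in the wildcard.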
Verifying OSPF

We can check the configuration we have made using these commands.

OSPF Router ID Configuration

While OSPF has many optional features, most enterprise companies using
OSPF choose to configure an OSPF Router ID on each router. OSPF-speaking
routers must have a Router ID (RID) to function properly. By default, routers
will choose an interface IP address to use as the RID. However, many network
engineers prefer to specify the router ID of each router, so the output from
commands like show ip ospf neighbor lists more recognizable Router IDs.

The router uses the following methods, in this order, to select the Router ID:

If the router-id command is configured under router ospf, it uses that ID.

Otherwise, if any loopback interface is configured and its state is up, it
uses the highest IP address among the up loopback interfaces as the Router ID.

Otherwise, the Router ID is the highest IP address among the non-loopback
interfaces that are up.

Note that the RID is chosen when the OSPF process starts and is not
re-evaluated afterwards: changing the router-id command or adding a higher
loopback takes effect only after clear ip ospf process or a reload.

Figure 20-2 OSPFv2 authentication commands.
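The selection order above is easy to get wrong in practice (a loopback that is shut down does not count, a configured router-id always wins), so here is an added Python model of it, written for this page rather than taken from the book or from IOS. The addresses used below are hypothetical test data.

```python
import ipaddress


def choose_router_id(configured_rid=None, loopbacks=(), interfaces=()):
    """Pick the OSPF Router ID with the three-step precedence described above.

    `loopbacks` and `interfaces` are iterables of (ip, is_up) tuples, where
    is_up means the interface is up/up.  Returns a dotted-decimal string,
    or None when no candidate exists (IOS then refuses to start the process
    and logs that it cannot allocate a router-id).
    """
    if configured_rid:                       # step 1: router-id command
        return str(ipaddress.IPv4Address(configured_rid))
    for pool in (loopbacks, interfaces):     # step 2: loopbacks, step 3: others
        candidates = [ipaddress.IPv4Address(ip) for ip, up in pool if up]
        if candidates:
            return str(max(candidates))      # numerically highest address wins
    return None


if __name__ == "__main__":
    # Hypothetical router: no router-id, one loopback, two LAN interfaces.
    rid = choose_router_id(
        configured_rid=None,
        loopbacks=[("1.1.1.1", True)],
        interfaces=[("10.1.1.1", True), ("10.1.14.1", True)],
    )
    print("Router ID:", rid)  # the up loopback beats the higher 10.1.14.1
```

The function only models the choice made at process start; as noted above, a running process keeps its RID until it is restarted.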
Multi-Area OSPF Configuration

router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 10.1.2.0 0.0.0.255 area 0
 network 10.1.12.0 0.0.0.255 area 23
 network 10.1.13.0 0.0.0.255 area 23
 network 10.1.14.0 0.0.0.255 area 4

Configuring OSPF Under Interface

R1(config)# router ospf 1
R1(config-router)# no network 10.0.0.0 0.255.255.255 area 0
R1(config-router)# interface g0/0.1
R1(config-subif)# ip ospf 1 area 0
R1(config-subif)# interface g0/0.2
R1(config-subif)# ip ospf 1 area 0
R1(config-subif)# interface g0/0/0
R1(config-if)# ip ospf 1 area 0
R1(config-if)# interface g0/2/0
R1(config-if)# ip ospf 1 area 0
OSPF Additional Features

Passive interfaces
Default routes
Metrics
Load balancing

Passive Interface: After OSPF is enabled on an interface, the router tries to
find neighboring OSPF routers and establish a neighbor relationship. To
do this, the router periodically sends OSPF Hello messages (every Hello
Interval). The router also listens for Hello messages from potential
neighbors.

In some cases an interface does not need any neighbors: there is no other
router on that subnet (a user VLAN, for example), or the interface faces the
WAN side. In that case we can make the interface a passive interface.

The router continues to advertise the connected subnet, but stops sending
Hello packets on that interface and ignores any it receives, so no neighbor
can form there. This is also a hardening measure: a device plugged into a
user-facing subnet cannot form an adjacency and inject routes.

router ospf 1
 passive-interface GigabitEthernet0/0.1
 passive-interface GigabitEthernet0/0.2

Default Routes:

R1# show ip route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
! Rest of the legend omitted for brevity
Gateway of last resort is 192.0.2.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 192.0.2.1

R1 advertises this static default route into OSPF with the
default-information originate subcommand under router ospf, which is why B1
learns it as an external (O*E2) route:

B1# show ip route ospf
O*E2 0.0.0.0/0 [110/1] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0
 10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.1.3.0/24 [110/3] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0
O 10.1.13.0/24 [110/2] via 10.1.12.1, 00:20:51, GigabitEthernet0/1/0
OSPF Metrics (Cost): In Topic 19, OSPF Concepts, we talked about how SPF
finds the best route; now let's change the cost values manually.

We can set the cost directly under the interface with the ip ospf cost x
command.

There are interface default cost values, computed as reference bandwidth
divided by interface bandwidth; we can change the cost by changing the
interface bandwidth setting.

We can change the OSPF reference bandwidth.

Cost Value Change:

R1(config)# interface g0/0/0
R1(config-if)# ip ospf cost 4
R1(config-if)# interface g0/1/0
R1(config-if)# ip ospf cost 5

R1# show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Gi0/0/0 1 0 10.1.12.1/24 4 DR 1/1
Gi0/1/0 1 0 10.1.13.1/24 5 BDR 1/1
Gi0/2/0 1 0 10.1.14.1/24 1 DR 1/1

Interface Default Cost Values

OSPF Cost Reference Replacement

Default reference bandwidth: 100 Mb (100 000 000 bps), so every interface of
100 Mbps or faster gets cost 1 unless the reference is raised.

router ospf x
 auto-cost reference-bandwidth value (in Mbps)
 no auto-cost reference-bandwidth

OSPF Load Balancing

For example, if a network has six equal-cost routes between parts of the
network and you want all of them to be used, the router can be configured
under router ospf x with the maximum-paths 6 subcommand.
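The interesting consequence of the default reference bandwidth is that Gigabit and 10-Gigabit links get the same cost, so SPF cannot prefer the faster one. This added Python example (written for this page, not the book's or Cisco's code) reproduces the IOS cost calculation for a few common link speeds under the default reference and under auto-cost reference-bandwidth 10000, and shows how ip ospf cost overrides it as in the R1 example above. The link speeds listed are typical values and are assumptions, not taken from the page.

```python
# Interface bandwidths in kbps, as 'show interfaces' reports them (assumed
# typical values; not from the page).
LINK_KBPS = {
    "Serial T1": 1_544,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "TenGigabitEthernet": 10_000_000,
}


def ospf_cost(interface_bandwidth_kbps, reference_bandwidth_mbps=100,
              ip_ospf_cost=None):
    """Interface OSPF cost as IOS computes it.

    cost = reference bandwidth / interface bandwidth, truncated to an
    integer, never below 1 and never above 65535.  The default reference
    is 100 Mbps (auto-cost reference-bandwidth 100).  An explicit
    `ip ospf cost` on the interface replaces the calculation entirely.
    """
    if ip_ospf_cost is not None:
        return ip_ospf_cost
    ref_kbps = reference_bandwidth_mbps * 1000
    cost = ref_kbps // interface_bandwidth_kbps   # integer division, like IOS
    return max(1, min(cost, 65535))


def cost_table(reference_bandwidth_mbps):
    """Default cost of each link type for a given reference bandwidth."""
    return {name: ospf_cost(kbps, reference_bandwidth_mbps)
            for name, kbps in LINK_KBPS.items()}


if __name__ == "__main__":
    for ref in (100, 10_000):
        print(f"auto-cost reference-bandwidth {ref}")
        for name, cost in cost_table(ref).items():
            print(f"  {name:20} cost {cost}")
    # R1's g0/0/0 from the example above: 'ip ospf cost 4' wins regardless.
    print("Gi0/0/0 with ip ospf cost 4:", ospf_cost(1_000_000, ip_ospf_cost=4))
```

One caveat for the reader who raises the reference: set the same auto-cost reference-bandwidth on every router in the domain, otherwise routers compute different costs for the same link and the SPF results become inconsistent (IOS prints a warning to that effect when the command is entered).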
OSPF Network Types and Neighbors
• OSPF Broadcast Network Type
• DR/BDR Manual Selection
• OSPF Point-to-Point Network Type
• OSPF Neighbor Relationships

OSPF Network Types

OSPF Broadcast Network Type

By default, OSPF uses the broadcast network type on all Ethernet interface
types. Note that all Ethernet interfaces in the examples in Chapter 20 rely
on this default setting.

Let's look at the following example to better understand the OSPF Broadcast
Network Type.

router ospf 1
 router-id 1.1.1.1
!
interface gigabitEthernet0/0
 ip ospf 1 area 0
!
interface gigabitEthernet0/1
 ip ospf 1 area 0

Figure 21-1 Single Area Design

Let's verify the broadcast network type with the commands below:

show ip ospf interface brief
show ip ospf interface g0/0

Figure 21-2 R1's List of Neighbors

✓ OSPF sends Hello packets to the multicast address 224.0.0.5 (AllSPFRouters,
reserved for OSPF routers) to discover neighbors.

✓ It tries to elect a DR and BDR in each subnet.

✓ R1 becomes DR because there is no other router in the G0/1 subnet.

✓ When there are 3 other routers in the G0/0 subnet, it will be DR, BDR or
DROther.

✓ Once the DR and BDR are elected, DROthers send their updates to the
multicast address 224.0.0.6 (AllDRouters), which only the DR and BDR listen
to.

Figure 21-3 OSPF DR/BDR/DROther Roles in the Network
DR/BDR Manual Selection

Let's raise the priority of this router's interface by entering the ip ospf
priority 99 command under the interface. When we look with the show ip ospf
interface brief command, we will see that there is still no change. This is
because the election is not pre-emptive: there is no reason to start the
election process again, so the configuration we make waits for the next
election. If the current DR's interface goes down, a new election takes
place. Let's turn one of the interfaces off and on, test it and observe the
results. (Setting the priority to 0 is the opposite case: that interface never
becomes DR or BDR.)
OSPF Point-to-Point Network Type

By nature, this OSPF network type works well for data links between two
routers. For example, let's take a look at the topology in Figure 21-4, which
shows three WAN links on R1: two Ethernet WAN links and one serial link.

Figure 21-4 Sample OSPF Design with Serial and Ethernet WAN

First, let's look at the serial connection. Since R1 and R4 are directly
connected, we cannot add a third router. As you can imagine, the data link
protocols used to control a link with only two devices may work differently
from Ethernet. For example, the most commonly used serial data link protocols
(HDLC and PPP) do not support data-link broadcasts. Also, with only two
devices on the link, a DR/BDR election only adds convergence time. Using the
point-to-point network type tells the router not to elect a DR/BDR on that
interface.

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# interface g0/0/0
R1(config-if)# ip ospf network point-to-point
R1(config-if)#

R1# show ip ospf interface g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
  Internet Address 10.1.12.1/24, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 1.1.1.1, Network Type POINT_TO_POINT, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           4         no          no            Base
  Enabled by interface config, including secondary ip addresses
  Transmit Delay is 1 sec, State POINT_TO_POINT
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  Neighbor Count is 1, Adjacent neighbor count is 1
    Adjacent with neighbor 2.2.2.2

R1# show ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Gi0/0/0 1 0 10.1.12.1/24 4 P2P 1/1
OSPF Neighbor Relationships

When we enable OSPF on a router and its interfaces, IOS tries to discover
other neighbors connected to each interface by sending and listening for OSPF
Hello messages. However, two routers do not always become neighbors. They
must have compatible values in the Hello packets exchanged between them and
in various other settings. The parameters in the Hello packet must match;
let's have a look at the list below.

Requirements for OSPF Neighbor Establishment;

Listed below are some commands with which we can check for problems.
Chapter - 8 IP Version 6
• IPv6 Basics
• IPv6 Addressing and Subnetting
• IPv6 Address Applications
• IPv6 Routing Applications

IPv6 Fundamentals
• Internet Protocol Version 6 (IPv6)
• IPv6 Routing
• IPv6 Addressing Formats and Conversion
• IPv6 Prefix (Subnet ID)
• Practicing IPv6
Internet Protocol Version 6 (IPv6)

People refer to IPv6 as the next-generation Internet Protocol; it was
developed as the solution to IPv4's inevitable address exhaustion. You have
probably heard about IPv6 before. The address capacity of its ancestor, IPv4,
is insignificant compared to it, which is why IPv4 will eventually be history.

IPv6 addresses are 128 bits (16 bytes) long, for example:

2345:1111:2222:3333:4444:5555:6666:AAAA
2000:1:2:3:4:5:6:A

Figure 22-1 IPv4 address exhaustion, short- and long-term solutions.

Why Do We Need IPv6?

It is a fact that the number of people and devices connected to the network is
increasing day by day. This is not entirely a bad thing. We are always finding
new and exciting ways to connect more people, which is nice; in fact, it is a
basic human need. But the weather does not always mean perfectly blue skies
and sunshine. Because, as I implied in the introduction of this section, the
IPv4 addresses on which our communication capability depends are running
out. IPv4 has about 4.3 billion addresses in theory, and we know we cannot use
all of them. The use of Classless Inter-Domain Routing (CIDR) and Network
Address Translation (NAT) helped postpone the inevitable exhaustion, but the
free IPv4 pools have now largely been consumed.

IPv6 Routing

Like many functions of IPv6, IPv6 routing is similar to IPv4 routing from an
overview; let's take a look at the steps.

To create and send IPv6 packets over an interface, end-user devices need an
IPv6 address on those interfaces.

If the host needs to reach a different subnet, it needs to know the IPv6
address of its default router.

The router de-encapsulates and re-encapsulates the IPv6 packet when forwarding
it.

The router looks at the destination IP in the IPv6 packet and forwards the
packet by matching it against the routing table.
Figure 22-2 IPv6 Header
Figure 22-3 IPv6 Host Building and Sending an IPv6 Packet
Figure 22-4 IPv6 Router Performing Routine Encapsulation Tasks When Routing IPv6
Figure 22-5 Comparing an IPv6 Packet to R1's IPv6 Routing Table

IPv6 Routing Protocols

IPv6 routers need to learn routes for all possible IPv6 prefixes (subnets). As
with IPv4, IPv6 routers use the routing protocols we already know, in their
IPv6 versions (RIPng, OSPFv3, EIGRP for IPv6 and MP-BGP). We can see them
in the table below.

Figure 22-6 IPv6 Routing Protocols

IPv6 Address Full Spelling

IPv6 addresses use the hexadecimal (hex) format. An address consists of eight
blocks (quartets); each block has four hex digits, and the blocks are
separated by colons. Let's look at the example.

IPv6 Addressing Formats and Conversion

I will briefly talk about these topics here, but we will deal with them in
detail in Topic 23.

Interpret and convert IPv6 addresses consisting of 32 hex digits.

How to abbreviate and expand IPv6 addresses.

Interpreting IPv6 prefixes.

How to find the IPv6 prefix (subnet ID).

Figure 22-7 Hexadecimal/Binary Conversion Chart

IPv6 Shortening and Extending And know that you cannot:

There are some subtleties that will help us when we write this long address. One is 2001::12::1234:56ab

that you can skip parts of the address to summarize. But to do this, you have to Instead, the best you can do is:
follow some rules. First, you can discard leading zeros in each of the reserved
2001::12:0:0:1234:56ab
blocks. After doing that, the address in the previous example looks like this:
The reason why the above example is the best; in the other example, if we
2001:db8:3c4d:12:0:0:1234:56ab
discard the two zero blocks, the device looking at the address has no chance of
This is a good development. At least we don't have to write those extra zeros. But knowing where to put the zeros back. In fact, the router will look at the wrong
what about the entire block with nothing but zeros in it? We can destroy at least address and say, "Shall I place two blocks in the first pair of colons, or
some of them. If we look at our example again, we can omit two blocks of zeros by should I place three blocks in the first set and one block in the second set?"
replacing them with two colons. The address will now be: will say. And since the information the router needs is not there, it will keep
2001:db8:3c4d:12::1234:56ab going.

Very nice! We wrote two colons in place of all zero blocks. The rule you have to

follow for this is that you can only place a contiguous block of zeros at an

address. So if your address has four zero blocks and they're all reserved, I can't

place all of them. Remember the rule that you can put a colon instead of just an

adjacent block. Check out this example:

2001:0000:0000:0012:0000:0000:1234:56ab
Figure 22-8 IPv6 Shortening and Extension Practical
Prefix (Subnet ID)

As in IPv4, IPv6 uses subnet masks, but here we call it the prefix length. The
logic is the same: we specify how many bits identify the subnet and how many
bits are left for the host. It can be written in two ways, as in the example
below: with a space before the slash or without.

2222:1111:0:1:A:B:C:D/64
2222:1111:0:1:A:B:C:D /64

Figure 22-9 Creating the IPv6 Prefix from an Address/Length

Let's look at the example:

2000:1234:5678:9ABC:1234:5678:9ABC:1111/64
2000:1234:5678:9ABC:0000:0000:0000:0000/64
2000:1234:5678:9ABC::/64

Finding IPv6 Prefix

Copy the first (prefix-length) bits.

Put zeros in the remaining bits.

When the prefix length is a multiple of 4, this can be done hex digit by hex
digit:

To find the hex length of the prefix, divide the prefix length by 4 to get the
number of hex digits to copy.

Copy that many hex digits, as in the example.

Substitute zeros for the other hex digits.

Figure 22-10 Finding Prefix Practice

Finding Different IPv6 Prefixes

2000:1234:5678:9ABC:1234:5678:9ABC:1111/56
2000:1234:5678:9A00:0000:0000:0000:0000/56
2000:1234:5678:9A00::/56

Note that 9A00 cannot be shortened any further: only leading zeros in a block
may be dropped, so 2000:1234:5678:9A::/56 would be a different prefix (9A
expands to 009A, not 9A00).

Figure 22-10 Finding Different Prefixes
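The abbreviation rules from the previous section and the prefix-finding procedure above are both mechanical, so here is one added Python example that implements them (written for this page; it is not the book's code and deliberately does not rely on the standard library for the rules themselves, so the steps stay visible). It expands an abbreviated address, produces the shortest form, rejects the ambiguous double "::" case, and computes the subnet ID for any prefix length, including lengths that are not a multiple of 4, where the hex-digit shortcut does not apply. A final helper cross-checks the result against Python's ipaddress module.

```python
import ipaddress
import re

HEXTET = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(addr: str) -> str:
    """Expand an abbreviated IPv6 address to eight four-digit hex blocks.

    Rejects an address with more than one '::', because there is no way to
    know how many zero blocks each '::' stands for (the ambiguity described
    in the text).
    """
    if addr.count("::") > 1:
        raise ValueError(f"ambiguous address, '::' used twice: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one block: {addr}")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(HEXTET.match(p) for p in parts):
        raise ValueError(f"not a valid IPv6 address: {addr}")
    return ":".join(p.zfill(4).lower() for p in parts)


def compress_ipv6(addr: str) -> str:
    """Shortest form: drop leading zeros in every block, then replace the
    longest run of two or more all-zero blocks with '::' (the leftmost run
    on a tie, as RFC 5952 recommends)."""
    blocks = [b.lstrip("0") or "0" for b in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:            # strictly longer: leftmost wins ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return f"{left}::{right}"


def ipv6_prefix(addr: str, prefix_len: int) -> str:
    """Subnet ID of an address: keep the first `prefix_len` bits, zero the
    rest.  Works bit by bit, so it is correct for any length, not only for
    multiples of 4 (the hex-digit shortcut in the text)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    value = int(expand_ipv6(addr).replace(":", ""), 16)
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    net = value & mask
    full = ":".join(f"{net:032x}"[i:i + 4] for i in range(0, 32, 4))
    return f"{compress_ipv6(full)}/{prefix_len}"


def agrees_with_stdlib(addr: str, prefix_len: int) -> bool:
    """Cross-check ipv6_prefix against the standard library."""
    expected = str(ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False))
    return ipv6_prefix(addr, prefix_len) == expected


if __name__ == "__main__":
    host = "2000:1234:5678:9ABC:1234:5678:9ABC:1111"
    for plen in (64, 56, 61):
        print(f"/{plen}:", ipv6_prefix(host, plen))
    print(compress_ipv6("2001:0000:0000:0012:0000:0000:1234:56ab"))
```

The /61 case is the one worth trying by hand: the fourth block 9ABC keeps only its first 13 bits, giving 9AB8, which the hex-digit method cannot produce.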


Answers

Figure 22-8 IPv6 Shortening and Extending Practical Answers
Figure 22-10 Finding Prefix Practical Answers
Figure 22-10 Finding Different Prefixes Answers

IPv6 Addressing and Subnetting
• Global Unicast Addressing Concepts
• Public and Private IPv6 Addresses
• IPv6 Global Routing Prefix
• Global Unicast IPv6 Addresses Range
• Unique Local Unicast Addresses

Global Unicast Addressing Concepts

In this section we focus on Global Unicast addresses; as the name suggests,
they are the addresses used on the real Internet, like public IPs in IPv4. In
this section we will also cover how a block of Global Unicast addresses is
allocated to a company and subnetted.

Public and Private IPv6 Addresses

IPv4 addresses were first handed out to each company for use on the public
Internet, but once it was understood that these addresses would run out, the
IETF reserved some ranges for private use in the 1990s (RFC 1918); we saw
these ranges in Chapter 5. By giving each company a few public IPs while it
uses private addresses inside, the exhaustion of IPv4 was postponed. Of
course, when going from LAN to WAN, these private addresses are translated to
the public IP assigned to us using NAT, and that is how we reach the Internet.
I will cover NAT in Chapter 12.

There is a similar structure in IPv6 too, so we can use both private and
public addresses.

Global Unicast: Addresses that work like IPv4 public addresses. Companies
that need IPv6 addresses are allocated IPv6 address blocks by their ISP out of
the global prefixes assigned to that ISP. From then on, the company only uses
IPv6 blocks starting with that prefix.

Unique Local: Addresses used like IPv4 private addresses. Multiple companies
can use the same addresses; they don't need to obtain them from anyone.

IPv6 Global Routing Prefix

Companies that want to use these addresses obtain a Global Routing Prefix and
then distribute addresses from it to the end users.

The term Global Routing Prefix refers to the idea that Internet routers can
have one route that covers all addresses in the block without needing routes
for smaller pieces of that block. For example, Figure 23-1 shows three
companies with three different IPv6 global routing prefixes; the router on the
right (R4) has one IPv6 route for each global routing prefix.

Figure 23-1 Three Global Routing Prefixes, with One Route per Prefix
Using Global Unicast IPv6 Address Subnetting

Imagine an ISP has received a Global Routing Prefix and needs to distribute
it by dividing it into subnets, as in IPv4.

Figure 23-2 Prefix Assignment with IANA, RIRs, and ISPs

Where and how many IPv6 subnets do we need? In the example below we need 4
subnets, in the same places as in IPv4.

Figure 23-4 Locations for IPv6 Subnets

Global Unicast IPv6 Addresses Range

In fact, in IPv6, Global Unicast addresses take up most of the address space.
IPv4 used classes A, B, C, D and E to define what each range of addresses is
used for; in IPv6 the purpose of each range is categorized as in the list
below.

Figure 23-3 IPv6 Address Types

Assigning IPs to Hosts in Subnet

After deciding which subnet to use in which location, we can configure IP
addresses for hosts, either manually or by using a DHCP server.

2001:0DB8:1111::/48 prefix assigned.
The company uses a 64-bit Interface ID (/64 subnets).
16 bits are left for the subnet field (65,536 subnets).

Figure 23-5 First available 16 Subnets
Figure 23-6 We Select the Subnets to Apply.
Figure 23-7 Implementing IPv6 Addresses
Unique Local Unicast Addresses

Unique Local Unicast addresses act as private IPv6 addresses. Dividing these
addresses into subnets works much like Global Unicast addresses. The biggest
difference is in the Unique Local address itself (starting with hex FD) and
in the management process: Unique Local prefixes are not registered with any
authority or company and can be used by multiple companies.

Although Unique Local addresses can be used without any registration or
assignment, we still have to follow some rules:

• The first two hex digits (8 bits) must be FD.

• We must choose a unique, randomly generated 40-bit global ID.

• Appending the global ID to FD gives the /48 prefix.

• Use the next 16 bits as the subnet field.

• Note that 64 bits remain for the Interface ID.

The random global ID is what keeps two companies from picking the same
prefix, which matters the day their networks are joined by a VPN or a merger;
choosing FD00:0:0::/48 "because it is simple" defeats that.

Figure 23-8 IPv6 Unique Local Unicast Address Format

Using Unique Local Address IPv6 Subnetting

It is the same as Global Unicast address subnetting, except that we do not
choose the first two hex digits (8 bits) of the prefix; we choose the next 40
bits, for example FD00:0001:0001::/48, or FD00:1:1::/48.

Figure 23-9 Using Unique Local Address Subnetting
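The five rules above map directly onto bit positions, so here is an added Python example (written for this page, not the book's code) that builds a Unique Local /48 from a 40-bit global ID, carves /64 subnets out of it, and draws a fresh global ID from a cryptographic random source as RFC 4193 requires. The global ID 0x0000010001 is chosen so that the result is the page's own example prefix FD00:1:1::/48.

```python
import ipaddress
import secrets


def ula_prefix(global_id: int) -> ipaddress.IPv6Network:
    """/48 Unique Local prefix: FD (8 bits) followed by the 40-bit global ID."""
    if not 0 <= global_id < (1 << 40):
        raise ValueError("global ID must fit in 40 bits")
    value = (0xFD << 120) | (global_id << 80)   # bits 127..120 = FD, 119..80 = global ID
    return ipaddress.IPv6Network((value, 48))


def ula_subnet(global_id: int, subnet_id: int) -> ipaddress.IPv6Network:
    """/64 subnet inside the /48: the 16 bits after the global ID."""
    if not 0 <= subnet_id < (1 << 16):
        raise ValueError("subnet ID must fit in 16 bits")
    base = int(ula_prefix(global_id).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def random_global_id() -> int:
    """RFC 4193 requires a pseudo-randomly generated global ID; a CSPRNG
    makes a collision with another organisation's prefix negligible."""
    return secrets.randbits(40)


def is_unique_local(net: ipaddress.IPv6Network) -> bool:
    """True if the prefix lies in the Unique Local block fc00::/7."""
    return net.subnet_of(ipaddress.IPv6Network("fc00::/7"))


if __name__ == "__main__":
    gid = random_global_id()
    print("new /48:", ula_prefix(gid))
    for subnet in range(1, 5):
        print("  subnet", subnet, "->", ula_subnet(gid, subnet))
```

Note the page's example FD00:1:1::/48 corresponds to global ID 0x0000010001, i.e. the ID is the 40 bits after the FD byte, not the second hextet on its own.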


IPv6 Address Applications
• Configuring Static Unicast Address
• Full 128-Bit Address Configuration
• EUI-64 IPv6 Address Format
• Configuring Dynamic Unicast Address
• Using Private Address on Router
• Link-Local Addresses

Configuring Static Unicast Address

We have two options for IPv6 address configuration: the first is to specify
all 128 bits; the second is to specify the /64 prefix and let the router derive
the 64-bit Interface ID from the 48-bit interface MAC address (plus 16
inserted bits). I will explain this in the upcoming topics.

Full 128-Bit Address Configuration

Figure 24-1 Full 128-Bit IPv6 Configuration

ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ipv6 address 2001:DB8:1111:1::1/64
!
interface GigabitEthernet0/0/0
 ipv6 address 2001:0db8:1111:0004:0000:0000:0000:0001/64

R1# show ipv6 interface GigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1:AAFF:FE00:1
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:1111:1::1, subnet is 2001:DB8:1111:1::/64

R1# show ipv6 interface brief
GigabitEthernet0/0 [up/up]
    FE80::1:AAFF:FE00:1
    2001:DB8:1111:1::1
GigabitEthernet0/1 [administratively down/down]
    unassigned
GigabitEthernet0/0/0 [up/up]
    FE80::32F7:DFF:FE29:8568
    2001:DB8:1111:4::1

R1# show ipv6 route connected
IPv6 Routing Table - default - 5 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
C 2001:DB8:1111:1::/64 [0/0]
    via GigabitEthernet0/0, directly connected
C 2001:DB8:1111:4::/64 [0/0]
    via GigabitEthernet0/0/0, directly connected
EUI-64 IPv6 Address Format

Our second option for IPv6 address configuration is EUI-64: the router
automatically builds the 64 bits after the prefix (the Interface ID) from the
interface MAC address. The same Interface ID construction is used by hosts
that configure themselves with Stateless Address Autoconfiguration (SLAAC).

How EUI-64 generates the Interface ID:

1- First, take the 48-bit (12 hex digit) MAC address and split it into two
halves of 6 hex digits each.

2- The Interface ID must be 64 bits (16 hex digits), so insert the 16-bit (4
hex digit) value FFFE between the two halves to reach 64 bits.

3- Invert the seventh bit (counting from the left) of the resulting Interface
ID: if it is 0 make it 1, if it is 1 make it 0.

Because the MAC address is embedded in the result, an EUI-64 address
identifies the same hardware on every network it visits; for end hosts this
is why operating systems default to randomized or privacy interface IDs (RFC
4941, RFC 7217) rather than EUI-64.

Figure 24-2 IPv6 Address EUI-64 Format
Figure 24-3 EUI-64 Interface ID Creation Process: two Examples
Figure 24-4 Seventh Bit Change in EUI-64 Interface ID Generation Process
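The three steps above in code, as an added Python example for this page (not the book's or Cisco's code): it builds the Interface ID, combines it with a /64 prefix or the link-local prefix, and also walks the steps backwards to recover the MAC, which is the tracking concern mentioned above. The MAC addresses used for the checks are worked back from the Interface IDs in the page's show ipv6 interface brief output (for example 32F7:DFF:FE29:8568 comes from 30f7.0d29.8568); the page itself does not state them.

```python
import ipaddress
import re


def eui64_interface_id(mac: str) -> str:
    """Build the 64-bit Interface ID from a 48-bit MAC, as described above:
    split the MAC, insert FFFE, invert the seventh bit (the U/L bit).
    Accepts 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco 'aabb.ccdd.eeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    first_byte = int(digits[:2], 16) ^ 0x02     # step 3: flip bit 7 of the first byte
    iid = f"{first_byte:02x}{digits[2:6]}fffe{digits[6:]}"   # steps 1 and 2
    return ":".join(iid[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix such as '2001:db8:1111:4::/64' with the EUI-64
    Interface ID; returns the address in compressed form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def eui64_link_local(mac: str) -> str:
    """The link-local address IOS derives from the same MAC (FE80::/64)."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(address: str) -> str:
    """Reverse the process: recover the MAC from an EUI-64 based address."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    hexs = f"{iid:016x}"
    if hexs[6:10] != "fffe":
        raise ValueError("interface ID is not EUI-64 (no FFFE in the middle)")
    first_byte = int(hexs[:2], 16) ^ 0x02     # flip the bit back
    mac_hex = f"{first_byte:02x}{hexs[2:6]}{hexs[10:]}"
    return ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    mac = "30f7.0d29.8568"   # assumed MAC for R1's G0/0/0, see lead-in
    print("interface ID :", eui64_interface_id(mac))
    print("global       :", eui64_address("2001:DB8:1111:4::/64", mac))
    print("link-local   :", eui64_link_local(mac))
    print("recovered MAC:", mac_from_eui64(eui64_link_local(mac)))
```

Compare the printed global and link-local addresses with the page's show ipv6 interface brief output: the same Interface ID appears behind both prefixes, which is exactly what makes the host recognizable across networks.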


Configuring Dynamic Unicast Address

Normally we prefer dynamic IP configuration on end-user devices and set the
address manually when configuring router interfaces, but in some cases, for
example when a DSL or cable modem is connected to the interface, we can use
DHCP or SLAAC on that router interface. Cisco routers support both methods.

Figure 24-5 Creating EUI-64 Interface ID Practice

interface GigabitEthernet0/0/0
 ipv6 address 2001:DB8:1111:1::/64 eui-64
!
interface GigabitEthernet0/0/1
 ipv6 address 2001:DB8:1111:4::/64 eui-64

R1# show ipv6 interface brief
GigabitEthernet0/0 [up/up]
    FE80::1:AAFF:FE00:1
    2001:DB8:1111:1:1:AAFF:FE00:1
GigabitEthernet0/0/1 [up/up]
    FE80::32F7:DFF:FE29:8568
    2001:DB8:1111:4:32F7:DFF:FE29:8568

! This interface uses DHCP to learn its IPv6 address
interface FastEthernet0/0
 ipv6 address dhcp
!
! This interface uses SLAAC to learn its IPv6 address
interface FastEthernet0/1
 ipv6 address autoconfig
Using Private Address on Router

When the ipv6 unicast-routing command is enabled on the router and an
interface is given an IPv6 unicast address, the router does the following for
IPv6 routing:

• Enables IPv6 on the interface with the configured unicast address.

• Allows inbound and outbound IPv6 routing on the interface.

• Determines the prefix (subnet) attached to the interface.

• When the interface is up/up, adds the connected route to the routing table.

Routers also use Link-Local addresses as next-hop IP addresses, as shown in
Figure 24-6. IPv6 hosts use the default router (default gateway) concept just
as in IPv4, but whereas an IPv4 host uses a gateway address from its own
subnet, an IPv6 host uses the router's Link-Local address. In the show ipv6
route command, the router lists the link-local address of the neighboring
router as the next hop instead of its global unicast or unique local unicast
address.

Figure 24-6 IPv6 Using Link-Local Addresses as the Next-Hop Address

Link-Local Addresses

IPv6 Link-Local Addresses are a kind of private IPv6 unicast address. They
are not used for normal end-to-end data traffic. Instead, they are used by
some common protocols and for routing.

Link-Local Address Concepts

Packets sent to an IPv6 Link-Local address are never forwarded by a router to
another subnet. As a result, protocol messages that must remain within the
local LAN use IPv6 Link-Local addresses. For example, Neighbor Discovery
Protocol (NDP), which replaces the ARP functions of IPv4, uses Link-Local
addresses.
Link-Local Address Configuration: If you use the EUI-64 format on the
interface, the Link-Local address is created with the same method; if you
specify the IPv6 address statically on the interface, you can also configure
the Link-Local address statically.

Figure 24-7 Link-Local Address Format

Some Special Addresses

0:0:0:0:0:0:0:0 Equals :: This is equivalent to 0.0.0.0 in IPv4 and is
typically a host's source address before it has an address, for example
during stateful (DHCPv6) configuration.

0:0:0:0:0:0:0:1 Equals ::1 Equivalent to 127.0.0.1 in IPv4.

0:0:0:0:0:0:192.168.100.1 This is the way an IPv4 address is written in a
mixed IPv6/IPv4 network environment.

2000::/3 Global unicast address range.

FE80::/10 Link-local unicast range.

FF00::/8 Multicast range.

3FFF:FFFF::/32 Reserved for examples and documentation.

2001:0DB8::/32 This too is reserved for examples and documentation.

2002::/16 Used with 6to4, a transition mechanism (since deprecated by RFC
7526) that carries IPv6 packets across an IPv4 network without explicitly
configured tunnels.

Multicast: As in IPv4, packets sent to a multicast address are delivered to
all interfaces identified by that multicast address. Sometimes people refer to
them as one-to-many addresses. Multicast addresses in IPv6 are easy to spot
since they always start with FF.

Anycast: Like multicast addresses, an anycast address identifies multiple
interfaces. But there is one big difference: an anycast packet is delivered to
a single interface (actually, to the nearest one as determined by the routing
protocol's metric). This address is special because you can assign a single
address to more than one interface. You could call them one-to-one-of-many
addresses, but for convenience they are just called anycast.
IPv6 Routing Applications
• IPv6 Routes
• Static IPv6 Routes
• Static Default Routes
• Floating Static IPv6 Routes
• Neighbor Discovery Protocol NDP

IPv6 Routes

Cisco routers follow a similar process to IPv4 when adding IPv6 routes to the
routing table:

They add the prefixes of up/up interfaces to the routing table as connected
routes, and the interface addresses themselves as local routes.

They add statically configured routes to the routing table.

If OSPFv3 is configured, they add the routes learned from OSPFv3.

Figure 25-1 IPv6 Static Route Example

Static IPv6 Routes

Static Routes Using Outgoing Interface:

R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0
R2(config)# ipv6 route 2001:db8:1111:1::/64 s0/0/1

R1# show ipv6 route static
! Legend omitted for brevity
S 2001:DB8:1111:2::/64 [1/0] via Serial0/0/0, directly connected

R1# show ipv6 route 2001:db8:1111:2::22
Routing entry for 2001:DB8:1111:2::/64
  Known via "static", distance 1, metric 0
  Route count is 1/1, share count 0
  Routing paths:
    directly connected via Serial0/0/0

Use the outgoing-interface form only on point-to-point links such as these
serial links; on an Ethernet link, specify the next-hop address so the router
knows which neighbor to resolve with NDP.

Static Routes Using Next-Hop Address:

For the next-hop address, R1 uses R2's IPv6 address and R2 uses R1's IPv6
address.

R1(config)# ipv6 route 2001:db8:1111:2::/64 2001:DB8:1111:4::2
R2(config)# ipv6 route 2001:db8:1111:1::/64 2001:db8:1111:4::1

R1# show ipv6 route static
! Legend omitted for brevity
S 2001:DB8:1111:2::/64 [1/0] via 2001:DB8:1111:4::2

R1# show ipv6 route 2001:db8:1111:2::22/64
Routing entry for 2001:DB8:1111:2::/64
  Known via "static", distance 1, metric 0
  Backup from "ospf 1 [110]"
  Route count is 1/1, share count 0
  Routing paths:
    2001:DB8:1111:4::2
Static Routes Using Link-Local Address:

! The first command is on router R1, listing R2's link-local address
R1(config)# ipv6 route 2001:db8:1111:2::/64 S0/0/0 FE80::FF:FE00:2
! The next command is on router R2, listing R1's link-local address
R2(config)# ipv6 route 2001:db8:1111:1::/64 S0/0/1 FE80::FF:FE00:1

R1# show ipv6 route static
! Legend omitted for brevity
S 2001:DB8:1111:2::/64 [1/0] via FE80::FF:FE00:2, Serial0/0/0

R1# show ipv6 route 2001:db8:1111:2::22
Routing entry for 2001:DB8:1111:2::/64
  Known via "static", distance 1, metric 0
  Backup from "ospf 1 [110]"
  Route count is 1/1, share count 0
  Routing paths:
    FE80::FF:FE00:2, Serial0/0/0
      Last updated 00:08:10 ago

A link-local next hop must always be combined with the outgoing interface,
because the same link-local address can legitimately exist on every link of
the router.

Static Default Routes:

! Forward out B1's S0/0/1 local interface...
B1(config)# ipv6 route ::/0 S0/0/1

B1# show ipv6 route static
S ::/0 [1/0] via Serial0/0/1, directly connected

Figure 25-2 Using Default Route in B1

Static IPv6 Host Routes

! The next command also lists host B's address, prefix length /128,
! but with R2's global unicast address as next-hop, and no outgoing
! interface.
R1(config)# ipv6 route 2001:db8:1111:2::22/128 2001:DB8:1111:4::2
Floating Static IPv6 Routes

A floating static route is a static route configured with an administrative
distance higher than that of the routing protocol (here 130, above OSPF's
110), so it stays out of the routing table while the OSPF route exists and
"floats" in only when the OSPF route is lost:

R1# show ipv6 route static
! Legend omitted for brevity
S 2001:db8:1111:7::/64 [130/0] via 2001:db8:1111:9::3

R1# show ipv6 route 2001:db8:1111:7::/64
Routing entry for 2001:db8:1111:7::/64
  Known via "static", distance 130, metric 0
  Route count is 1/1, share count 0
  Routing paths:
    2001:db8:1111:9::3
      Last updated 00:00:58 ago

Figure 25-4 Using the Floating Static Route

Table 25-3 Default Administrative Distance
Neighbor Discovery Protocol

Neighbor Discovery Protocol (NDP) does the job ARP does in IPv4, and more.
NDP plays an important role on routers. Let's look at some important
functions of the NDP protocol.

Neighbor MAC Discovery: Replaces ARP in IPv4. It learns the MAC address of a
known IPv6 address.

Router Discovery: Allows hosts in the same subnet to learn about the IPv6
routers on the link and choose a default router.

Figure 25-6 Finding Default Router

SLAAC: When using Stateless Address Autoconfiguration (SLAAC), the host uses
NDP messages to learn the prefix information used in the subnet.

DAD: Before the host uses an IPv6 address, it uses Duplicate Address Detection
(DAD) to check whether another host is already using that IPv6 address.

Like ARP, NDP is unauthenticated: any device on the LAN can send Router
Advertisements and become the hosts' default router, which is why access
switches should filter RAs from user ports (IPv6 RA Guard, RFC 6105).

Figure 25-5 IPv6 Neighbor Table

Chapter - 9
Wireless LAN
I Wireless Networks Fundamentals
I Cisco Wireless Architecture
I Wireless Networks Security
I Creating a Wireless LAN

Wireless Networks Fundamentals
I Introduction to Wireless Technology
I Wireless LAN Topologies
I Other Wireless Topologies
I RF Overview
I Wireless Bands and Channels
I AP and Wireless Standards


I Wireless Networks Fundamentals

Introduction to Wireless Technology


Transferring a signal using the typical 802.11 arrangement works quite
similarly to a simple Ethernet hub: Both are two-way communication models.
They use the same frequency to send and receive, and this is referred to as half-
duplex as described in the previous sections.

Wireless LANs (WLANs) use radio frequency (RF) energy radiated into the air from
an antenna, which creates radio waves. These waves can be absorbed, refracted or
reflected by water, walls and metal surfaces, reducing the signal strength.
Because of this sensitivity to environmental factors, it is clear that wireless
will never be able to deliver the same service that wired networks can. But this
still does not mean that we will not use wireless. Believe me, we will definitely
use it!

Various organizations have long worked to manage the use of wireless devices,
frequencies, standards, and frequency spectrum. Table 26-1 shows the existing
institutions around the world that have helped create, provide, and even
implement wireless standards.

Table 26-1 Wireless Standard Organizations

Wireless LAN Topologies


Wireless communication takes place over free space using radio frequency (RF)
signals. The theory behind RF signals can be complex, which I'll explain in more
detail in the following sections. Assume for now that the transmitter of one
device is sending RF signals to the receiver of another device. As shown in
Figure 26-2, the transmitter can always reach the receiver as long as both
devices are tuned to the same frequency and use that frequency to carry data
between them. Everything seems simple, though not very practical.

Figure 26-2 Unidirectional Communication

To take full advantage of wireless communication, data must travel in both
directions, as shown in Figure 26-3. Sometimes Device A needs to send data to
Device B, while at other times Device B needs to send data to Device A.

Figure 26-3 Bidirectional Communication

Since the two devices use the same channel, one device sends data while the
other receives; the other device waits before sending its own data, so at any
moment the communication is one-way. If more than one signal is received at the
same time in wireless communication, the signals can interfere with each other.
The greater the number of wireless devices, the greater the likelihood of
interference. For example, Figure 26-4 shows four devices tuned to the same
channel and what can happen if some or all of them transmit data simultaneously.

Figure 26-4 Several devices sending data on the same channel.

In order to avoid interference and waiting, devices need to work in half duplex.
If they do not send and receive in turn, interference and waiting times will
increase; but more than one device can share the same channel and access that
channel in wireless networks. For this reason, only one device should transmit at
any time, and the 802.11 standards were created to ensure this. Wireless devices
are produced according to these standards.

Basic Service Set
As a solution, things can be settled with an AP (Access Point) that every
wireless device can connect to. In order for the devices to connect to the AP,
the AP advertises a BSS and the devices use the 802.11 standards to register.
The AP advertises its BSS on a single channel, and all devices in the BSS use
that same channel so that they can communicate correctly.

In addition, the AP identifies the wireless network with the Service Set
Identifier (SSID), which is a text string containing a logical name. The AP
advertises the SSID to the devices that will connect to the network, and in the
background it identifies the BSS for this SSID with the Basic Service Set
Identifier (BSSID), which is the AP's MAC address.

Since the operation of a BSS is dependent on the AP, the BSS is limited to the
area where the AP's signal is available. This is known as the Basic Service Area
(BSA) or cell. In Figure 26-5 the cell is shown as a simple shaded circular area
centered around the AP. Depending on the antenna attached to the AP and the
physical environment that may affect the AP's signals, cells may have other
shapes.

Figure 26-5 802.11 Basic Service Set

Figure 26-6 Traffic flow with BSS

Distribution System
We have gathered the wireless devices of a BSS around one AP, but for now they
can only communicate with each other. The AP's task does not end with the BSS:
it also needs to connect the devices on the wireless network with the devices on
the wired network. Fortunately, the AP has a wired Ethernet connection, and it
can carry the traffic of the hosts it serves to other networks over that
connection. Figure 26-7 shows an example of how this happens.

Figure 26-7 Distribution System Supporting a BSS

Figure 26-8 shows an example of using more than one SSID on an AP. In this
example, the connection between the AP and the switch is configured as a trunk,
and we can connect users to different networks by creating different SSIDs on
the AP.

Figure 26-8 Using Multiple SSIDs on an AP

Extended Service Set


Normally, an AP does not cover the entire area where clients can be found. For
example, you may need wireless coverage on all floors of a hotel, hospital, or
other large building. Simply add and configure more APs to cover more areas.
You must configure your network so that the APs communicate with each other
over the switch, as in the example given in Figure 26-9. When you leave the
coverage area of one AP and enter the coverage area of another AP, the host will
automatically switch to the other AP without you needing to take any action.

Figure 26-9 Extended Service Set Example

Other Wireless Topologies


Repeater
A repeater AP receives the signal of an existing AP and retransmits it,
extending coverage into an area where the existing AP's signal is weak.
Normally, the problem should be solved by pulling a network cable to the area
where the signal is weak and installing a new AP. But if you have no possibility
to pull a cable and you need an urgent solution, you can use this method.

Figure 26-10 Example of Repeater Usage

Work Group Bridge
Let's say you have a device that supports a wired Ethernet connection but does
not have a wireless connection. For example, some mobile medical devices are
designed with only a wired connection. While it is possible to plug the device
into an Ethernet connection if needed, a wireless connection would be much more
practical. You can use a workgroup bridge (WGB) to connect the device's wired
network adapter to a wireless network.

Figure 26-11 Using WGB for Non-Wireless Device

Outdoor Bridge
An AP can be configured to act as a bridge to create a single wireless
connection from one network to another over a long distance. Outdoor bridged
connections are often used to connect buildings or cities.

Figure 26-12 Point-to-Point Outdoor Bridge

Figure 26-13 Point-to-Multipoint Outdoor Bridge

Mesh Network
You may not be able to run Ethernet cables to every AP to provide wireless
coverage over a very large area. Instead, you can use APs by configuring them
in mesh mode. In a mesh topology, wireless traffic is bridged from AP to AP
using another wireless channel in a daisy chain.

Figure 26-14 Typical Wireless Mesh Network

RF Overview
To send data over a wired connection, an electrical signal is applied at one end
and carried to the other. The wire of the cable is continuous and conductive, so
the signal is transmitted quite easily. But a wireless connection does not have
any physical path to carry the signal.

In RF, the sender (a transmitter) applies an alternating current to a section
of wire (the antenna), which induces moving electric and magnetic fields that
propagate out and away as moving waves. Electric and magnetic fields move
together and are always at right angles to each other, as shown in Figure 26-15.
The signal must be constantly switched or flipped up and down to allow the
electric and magnetic field waves to overlap and push outward.

Figure 26-15 Moving Electric and Magnetic Waves.

Electromagnetic waves do not travel in a straight line. Instead, they are
transmitted away from the antenna, expanding in all directions. The resulting
waves start small and expand outward, only to be replaced by new waves. In empty
space, electromagnetic waves expand outward in all three dimensions.

Figure 26-16 shows a simple antenna. The waves produced expand outward
circularly. The waves will eventually reach the receiver, in addition to many
other locations in other directions.

Figure 26-16 Wave Propagation with a Simple Antenna

At the receiving end of the wireless connection, the process is reversed. As the
electromagnetic waves reach the antenna of the receiver, they create an electrical
signal. If all goes well, the received signal will be a reasonable copy of the
original sent signal.

The electromagnetic waves involved in a wireless connection can be measured
and described in several ways. One of the key features is the frequency of the
wave, or the number of times the signal cycles fully up and down in 1 second.
Figure 26-17 shows how a wave cycle can be defined. A cycle begins when the
signal rises from the centerline, falls back below it, and rises to the
centerline again. The interval from the peak of one cycle to the peak of the
next can also be measured as a cycle. Wherever you start measuring a cycle, the
signal must make a full swing back to its starting position, ready to repeat the
same cyclic pattern.

Figure 26-17 Cycles in a Wave

Figure 26-18 Frequency Unit Names

Figure 26-19 Frequency Spectrum

Wireless Bands and Channels


One of the two main frequency ranges used for wireless LAN communication is
between 2.400 and 2.4835 GHz. It is often referred to as the 2.4 GHz band,
although it does not cover the entire range between 2.4 and 2.5 GHz.
The other wireless LAN range is often referred to as the 5 GHz band because it
lies between 5.150 and 5.825 GHz. The 5 GHz band actually includes the following
four separate bands:
• 5.150 to 5.250 GHz
• 5.250 to 5.350 GHz
• 5.470 to 5.725 GHz
• 5.725 to 5.825 GHz

A frequency band contains a continuous frequency range. If a single frequency
is required for a wireless connection between two devices, what frequency can
they use? How many unique frequencies can be used in a band? Bands are usually
split into several channels to keep everything organized. Each channel is known
by a channel number and is assigned a specific frequency. As long as the
channels are defined by a national or international standards body, they can be
used consistently in all locations. Figure 26-20 shows the channel layout for
the 2.4 GHz band, and Figure 26-21 shows the channel layout for the 5 GHz bands.

Figure 26-20 2.4 GHz Band Channels

Figure 26-21 5 GHz Band Channels
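Added example (not from the training book): Python helpers that compute the center frequency of a 2.4 GHz or 5 GHz channel, check whether two channels overlap (the interference case described under Wireless LAN Topologies), and map a 5 GHz channel to one of the four sub-bands listed above. The channel formulas (2407 + 5n MHz for 2.4 GHz channels 1-13, 5000 + 5n MHz for 5 GHz) and the 22 MHz / 20 MHz channel widths are standard 802.11 values that this page does not state; the band edges and sub-bands are the ones given above.

```python
"""Channel numbers, center frequencies and overlap for the 2.4 GHz and 5 GHz bands."""
from typing import List, Optional, Tuple

# Band edges (MHz) as given in the text
BAND_EDGES_MHZ = {"2.4": (2400.0, 2483.5), "5": (5150.0, 5825.0)}
# One 802.11 channel modeled as 22 MHz wide (legacy 2.4 GHz) or 20 MHz wide (5 GHz)
CHANNEL_WIDTH_MHZ = {"2.4": 22, "5": 20}
# The four sub-bands of the 5 GHz range listed in the text (MHz)
FIVE_GHZ_SUBBANDS: List[Tuple[int, int]] = [
    (5150, 5250), (5250, 5350), (5470, 5725), (5725, 5825),
]


def center_mhz(band: str, channel: int) -> int:
    """Center frequency of a channel: 2407 + 5n MHz (2.4 GHz, n = 1..13) or 5000 + 5n MHz (5 GHz)."""
    if band == "2.4":
        if not 1 <= channel <= 13:
            raise ValueError("only 2.4 GHz channels 1-13 are modeled here")
        return 2407 + 5 * channel
    if band == "5":
        return 5000 + 5 * channel
    raise ValueError(f"unknown band {band!r}")


def fits_in_band(band: str, channel: int) -> bool:
    """True when the whole channel width lies inside the band edges from the text."""
    low, high = BAND_EDGES_MHZ[band]
    half = CHANNEL_WIDTH_MHZ[band] / 2
    c = center_mhz(band, channel)
    return c - half >= low and c + half <= high


def channels_overlap(band: str, a: int, b: int) -> bool:
    """Two channels interfere when their centers are closer than one channel width."""
    return abs(center_mhz(band, a) - center_mhz(band, b)) < CHANNEL_WIDTH_MHZ[band]


def non_overlapping(band: str, channels: List[int]) -> List[int]:
    """Greedy pick, lowest channel first, of channels that do not overlap each other."""
    chosen: List[int] = []
    for ch in sorted(channels):
        if all(not channels_overlap(band, ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def five_ghz_subband(channel: int) -> Optional[str]:
    """Which of the four 5 GHz sub-bands a channel's center falls into (None if in a gap)."""
    c = center_mhz("5", channel)
    for i, (low, high) in enumerate(FIVE_GHZ_SUBBANDS):
        last = i == len(FIVE_GHZ_SUBBANDS) - 1
        if low <= c < high or (last and c == high):
            return f"{low / 1000:.3f} to {high / 1000:.3f} GHz"
    return None


if __name__ == "__main__":
    for ch in (1, 6, 11, 13):
        print(f"2.4 GHz channel {ch}: {center_mhz('2.4', ch)} MHz, in band: {fits_in_band('2.4', ch)}")
    print("Non-overlapping 2.4 GHz channels:", non_overlapping("2.4", list(range(1, 14))))
    for ch in (36, 52, 100, 149):
        print(f"5 GHz channel {ch}: {center_mhz('5', ch)} MHz -> {five_ghz_subband(ch)}")
```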

AP and Wireless Standards


Wireless devices and APs must all be able to operate in the same band. For
example, on the 5 GHz band, a wireless phone can only communicate with an
AP that offers Wi-Fi service on 5 GHz channels. In addition, devices and APs
must work in compliance with the 802.11 standards.

As IEEE 802.11 Wi-Fi develops and adds innovations, each new amendment is
published under a new name within the 802.11 standard family.

Figure 26-22 IEEE 802.11 Standards


Cisco Wireless Architecture
I Autonomous AP Architecture
I Split-MAC AP Architecture
I Cloud-Based AP Architecture
I Comparing WLC Types
I Cisco AP Modes


I Cisco Wireless Architecture

Autonomous AP Architecture
The primary task of an Access Point is to transmit data from wireless devices to
a regular wired network. It acts as a bridge between the wired network and the
client to allow wireless clients to access the wired network.

An Autonomous AP works independently. It offers one or more BSSs, and we can
make it work with different VLANs by creating different SSIDs. Figure 27-1
shows the basic architecture.

An Autonomous AP must also be configured with a management IP address before
you can manage it remotely (10.10.10.10 in Figure 27-1). Ultimately, you will
want to configure SSIDs, VLANs, and many RF parameters such as the channel to
use and the transmit power. The management address is not normally part of the
data VLANs, so a special management VLAN (for example, VLAN 10) must be created
to reach the AP. Unless you are leveraging a management platform such as Cisco
Prime Infrastructure or Cisco DNA Center, each AP must be configured
individually.

Figure 27-1 Wireless Network Architecture with Autonomous AP

Figure 27-2 Data VLANs Coverage with Autonomous AP

Split-MAC AP Architecture
Because Autonomous APs work alone, managing RF operations can be quite
challenging. As a network administrator, you are responsible for selecting and
configuring the channel used by each AP, and for identifying and dealing with
any rogue APs that may interfere.

Management functions are not integrated with the processing of frames on RF
channels, but they are things that need to be managed centrally. Therefore,
these functions can be moved away from the AP to a central platform. When the
functions of an Autonomous AP are divided in this way, the AP is known as a
Lightweight AP and performs only real-time 802.11 processing.

Administrative operations of Lightweight APs are done by the Wireless LAN
Controller (WLC) that controls them. This is shown in Figure 27-3. APs continue
their duties at Layers 1 and 2. All other WLAN functions, such as
authenticating users, managing security policies and even selecting RF
channels and output power, are handled by the WLC.

Note: Lightweight APs cannot run on their own without a WLC.

Figure 27-3 Comparison of Autonomous AP and Lightweight AP.

CAPWAP Control Messages: Carry the control messages used to configure the AP
and manage its operation. Control messages are authenticated and encrypted, so
that the AP is controlled securely and only by the appropriate WLC, and are then
transported over the control tunnel.

CAPWAP Data: Used for packets going to and coming from wireless clients. Data
packets are carried over the data tunnel but are not encrypted by default. When
data encryption is enabled for an AP, packets are protected by Datagram
Transport Layer Security (DTLS).

Figure 27-4 Linking a Lightweight AP and WLC with CAPWAP

Figure 27-5 CAPWAP Tunneling with WLC

When connecting Lightweight APs to switches, the switch port works in access
mode, not trunk mode; the APs build CAPWAP tunnels to the WLC, and the traffic
of all VLANs travels back and forth inside this tunnel.

Cloud-Based AP Architecture
Autonomous APs work standalone, and we need to configure and maintain them one
by one or use Cisco Prime Infrastructure. As our network grows, it becomes
increasingly difficult to control Autonomous APs one by one.

Cloud-based Cisco Meraki APs, on the other hand, can be easily managed from a
single place via a management portal in the cloud. It becomes very easy to
generate reports such as AP configurations, user performance and activity.

Figure 27-6 Cisco Meraki Cloud Based Wireless Network Architecture

Comparing WLC Types

Figure 27-7 Unified WLC

Figure 27-8 Cloud WLC

Figure 27-9 Mobility Express WLC

Figure 27-10 Embedded WLC

Cisco AP Modes
Local: The default mode of a Lightweight AP. When not transmitting, the AP
scans other channels to measure the noise level, measure interference, find
rogue devices, and match intrusion detection system (IDS) events.

Monitor: The AP does not transmit at all, but its receiver is made to act as a
dedicated sensor. The AP checks for IDS events, detects rogue APs, and locates
stations via location-based services.

FlexConnect: An AP at a remote location can switch traffic between an SSID and a
VLAN locally over the switch, if it is configured to do so and the WLC is down
or unreachable and the CAPWAP tunnel cannot be established.

Sniffer: An AP is set to receive traffic from other sources, such as other
802.11 wireless devices. The captured traffic is then forwarded to network
analysis software installed on a PC, such as Wildpackets OmniPeek or
Wireshark, where it can be analyzed further.

Rogue Detector: An AP is set to detect rogue devices by comparing the MAC
addresses seen on the wired and wireless networks. Rogue devices are devices
that appear on both networks.

Bridge: An AP becomes a dedicated bridge (point-to-point or point-to-multipoint)
between two networks. Two APs in bridge mode can be used to connect two
locations separated by distance.

Flex+Bridge: FlexConnect operation is enabled on a mesh AP.

SE-Connect: The AP is dedicated to performing spectrum analysis with its radios
on all wireless channels. It sends the spectrum analysis data to a PC running
software such as MetaGeek Chanalyzer or Cisco Spectrum Expert, which collects
and analyzes it to discover sources of interference.
Wireless Network Security
I Secure Connection Anatomy
I Wireless Client Authentication Methods
I Wireless Privacy and Integrity Methods
I WPA, WPA2, and WPA3


I Wireless Network Security

Secure Connection Anatomy

In a wired connection, a client is directly connected to the switch and what it
sends goes directly to the switch, but in a wireless connection the clients are
not directly connected.

Consider the scenario in Figure 28-1. The wireless user logs on to remote servers
and shares a secret password. Since both untrusted users are in range of the
client's signal, they can also learn the password by capturing the frames sent
on the channel. Wireless communication makes it easier for malicious users to
listen to the signals that come and go and to make use of them.

Figure 28-1 Unsecured Wireless Connection Traffic

Authentication

Before users start using the wireless network, they need to be authenticated
with some authentication method.

Assume that your company's confidential information and documents can be
accessed through your wireless network. In this case, only trusted and known
people and devices should be given access. If guest users are allowed, they
should join a different guest WLAN where they can access non-private or public
resources.

Wireless authentication can take many forms. The first of these methods only
requires that all trusted users know a common preset password on the APs. The
password is stored on the user device and presented directly to the AP when
needed. What can happen if the device is stolen or lost? Most likely, any user
who holds the device can still authenticate to the network. One of the other
authentication methods requires an enterprise user database. In these cases, the
end user must enter a valid username and password, something that will not be
known to malicious people.

Message Privacy

Let's say you authenticate before joining the wireless network. However, data
passing to and from the client is available to eavesdropping users on the same
channel. To maintain data privacy on a wireless network, data must be encrypted
while it travels through the air. Wireless data packets are encrypted when sent
and decrypted when received. The transmitter and receiver must share an
encryption method so that data can be successfully encrypted and decrypted.

Figure 28-2 Encrypting Wireless Data to Protect Data Privacy

Message Integrity

We encrypt our data and hide it from other users using the same channel. A
message integrity check (MIC) is a security tool that can protect against data
tampering. The sender adds a secret stamp, the MIC, inside the encrypted data
frame. The stamp is based on the content of the data bits to be transmitted.
When the receiver decrypts the frame, it can compare the hidden stamp with its
own idea of what the stamp should be, based on the data bits received. If the
two stamps are the same, the recipient can safely assume that the data has not
been tampered with. Figure 28-3 shows MIC operation.

Figure 28-3 Checking Message Integrity over Wireless Network

Wireless Client Authentication Methods

You can use many authentication methods to connect wireless users to the
network. Over time, some of these methods became obsolete and the authentication
methods evolved as security vulnerabilities emerged and wire	less hardware
developed. In this chapter, I will describe the most common authentication
methods you may encounter.

Open Authentication
The original 802.11 standard offered only two options for authenticating a
user: Open Authentication and WEP. Open Authentication offers open access to a
wireless network, checking only whether users support the 802.11 wireless
standard.

This method is often used in cafes, shopping malls and other public places,
where authentication is done through a web page. Most operating systems will
give you a warning when joining such networks, informing you that your wireless
data will not be secure at all if you join them.

WEP (Wired Equivalent Privacy)

As you can imagine, Open Authentication offers nothing that can hide or encrypt
data sent between a user and an AP. Alternatively, the 802.11 standard has
traditionally defined Wired Equivalent Privacy (WEP) as a method of making a
wireless connection more similar, or equivalent, to a wired connection.

WEP uses the RC4 cipher algorithm to hide each wireless data frame. The same
algorithm encrypts the data at the sender and decrypts it at the receiver. The
algorithm uses a string of bits, often called a WEP key, as a key to derive
other encryption keys, one per wireless frame. As long as the sender and
receiver have the same key, one can decrypt what the other has encrypted.

WEP keys can be 40 or 104 bits long, represented by a string of 10 or 26 hex
digits. As a general rule, longer keys provide more unique bits for the
algorithm, resulting in stronger encryption. WEP was defined in the 802.11
standard in 1999, but in 2001 a number of weaknesses were discovered and
exposed, so work began on finding better wireless security methods. WEP was
officially retired in 2004. WEP encryption is considered a weak method of
securing a wireless LAN.

802.1x EAP
A more secure authentication method was needed than Open Authentication and
WEP. Instead of adding more authentication methods to the 802.11 standard,
Extensible Authentication Protocol (EAP), a more flexible and scalable
authentication framework, was chosen. EAP defines a set of common functions
that actual authentication methods can use to authenticate users.

EAP can integrate with the IEEE 802.1x port-based access control standard.
When 802.1x is enabled, access to the network is restricted until a client
authenticates. This means that the wireless user cannot transmit data to any
other part of the network until authentication succeeds. The actual
authentication is not done by Open or WEP authentication: with 802.1x, the
client uses Open Authentication to associate with the AP, and the AP then
forwards it to a dedicated authentication server for the actual client
authentication process. Figure 28-4 shows the three-party 802.1x arrangement.

Figure 28-4 802.1x Client Authentication Roles

The WLC acts as the intermediary in the client authentication process: it
controls user access with 802.1x and communicates with the authentication server
using the EAP framework.

LEAP
To close the weaknesses in WEP, Cisco developed a proprietary wireless
authentication method called Lightweight EAP (LEAP). For authentication, the
client must provide username and password credentials. The authentication
server and the client also exchange messages that each side must encrypt and
return. This provides mutual authentication: as long as the messages can be
successfully decrypted, the client and the AS have authenticated each other.

EAP-FAST
Cisco has developed a more secure method called EAP Flexible Authentication by
Secure Tunneling (EAP-FAST). Authentication information is protected by passing
a protected access credential (PAC) between the AS and the requestor. The PAC is
a form of shared secret created by the AS and used for mutual authentication.
EAP-FAST is a sequence of three phases:
Phase 1: The PAC is created or provisioned and installed on the client.
Phase 2: After the requestor and the AS authenticate each other, they agree on a
Transport Layer Security (TLS) tunnel.
Phase 3: The end user is authenticated over the TLS tunnel for added security.

Note that there are two separate authentication processes in EAP-FAST, one
between the AS and the requestor and one with the end user. These happen in
sequence as outer authentication (outside the TLS tunnel) and inner
authentication (inside the TLS tunnel).

Like other EAP-based methods, a RADIUS server is required. However, in order
for the RADIUS server to generate one PAC per user, it must also function as an
EAP-FAST server.

PEAP
Like EAP-FAST, the Protected EAP (PEAP) method uses inner and outer
authentication, while the AS presents a digital certificate to authenticate
itself to the requestor in the outer authentication.

The AS's digital certificate consists of data in a standard format that is
"signed" or certified by a third party, the Certificate Authority (CA), which is
known and trusted by both the AS and the requestors. The requestor must also have
the CA's certificate to be able to verify the certificate obtained from the AS.
The certificate is also used to pass a public key in plain view, which can be
used to help decrypt messages from the AS.

Note that in PEAP only the AS has a certificate. This means that the requestor
can easily verify the AS. The client does not have or use its own certificate,
so it must be authenticated within the TLS tunnel using one of the following two
methods:
MSCHAPv2: Microsoft Challenge Authentication Protocol version 2
GTC: Generic Token Card; a hardware device that generates one-time passwords for
the user, or a manually generated password.

EAP-TLS
PEAP uses the digital certificate on the AS as a powerful method to
authenticate the RADIUS server. Getting and installing certificates on a single
server is easy, but EAP Transport Layer Security (EAP-TLS) requires installing
certificates on the AS and on each client device.

With EAP-TLS, the AS and the client exchange certificates and can authenticate
each other. A TLS tunnel is then built so that encryption keys can be exchanged
securely.

EAP-TLS is considered the most secure wireless authentication method available;
however, it can be difficult to implement. The AS and each wireless client must
obtain and install a certificate. Manually installing certificates on hundreds or
thousands of clients may not be practical. Instead, you need to implement a
Public Key Infrastructure (PKI) that can securely and efficiently issue
certificates and revoke them when a client or user no longer needs access to the
network. This usually involves setting up your own CA or establishing a trust
relationship with a third-party CA that can provide certificates to your clients.

Note: EAP-TLS is only useful if wireless clients can accept and use digital
certificates. Many wireless devices, such as communicators, medical devices, and
RFID tags, have a basic operating system that cannot interface with a CA or use
certificates.

Wireless Privacy and Integrity Methods


TKIP
After WEP authentication was found to be vulnerable on wireless clients and APs,
the Temporal Key Integrity Protocol (TKIP) was developed. TKIP adds the
following security features on top of legacy hardware and basic WEP encryption:

MIC: This efficient algorithm adds a hash value to every frame as a message
integrity check to prevent tampering; it is often referred to as "Michael", an
informal name for the MIC.

Time Stamp: A timestamp is added to the MIC to prevent attacks that attempt to
reuse or reconstruct previously sent frames.

TKIP sequence counter: This feature provides a record of the frames sent by a
unique MAC address to prevent frame tampering.

Key mixing algorithm: This algorithm calculates a unique 128-bit WEP key for
each frame.

CCMP
The Counter/CBC-MAC Protocol (CCMP) is considered more secure than TKIP. CCMP
consists of two algorithms:
• AES counter mode encryption
• Cipher Block Chaining Message Authentication Code (CBC-MAC), used as the
message integrity check (MIC)

The Advanced Encryption Standard (AES) is the current encryption algorithm
adopted by the US National Institute of Standards and Technology (NIST) and the
US government, and it is widely used all over the world. In other words, AES is
public and offers the most secure encryption method available today.

For CCMP to be used to secure wireless networks, client devices and APs must
support AES counter mode and CBC-MAC in hardware. CCMP is not available on
devices that only support WEP or TKIP. CCMP is used with WPA and WPA2.

GCMP
Galois/Counter Mode Protocol (GCMP) is a robust authenticated encryption suite
that is more secure and more efficient than CCMP. GCMP consists of two
algorithms:
• AES counter mode encryption
• Galois Message Authentication Code (GMAC), used as the message integrity check
(MIC)

GCMP is used with WPA3.
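Added example (not from the training book), covering both the MIC described under Message Integrity and the sequence counter listed for TKIP: a Python receiver that drops a frame whose stamp does not match the data and a frame whose counter is not higher than the last one it accepted. HMAC-SHA256 from the standard library stands in for the real MIC algorithms (Michael in TKIP, AES CBC-MAC in CCMP), and the key, MAC address and payloads are constructed values.

```python
"""Simplified model of a per-frame MIC plus a replay-protecting sequence counter.
HMAC-SHA256 stands in for the real MIC algorithms (Michael in TKIP, CBC-MAC in CCMP)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

MIC_LEN = 8  # CCMP carries an 8-byte MIC; the HMAC output is truncated to match


@dataclass(frozen=True)
class Frame:
    src_mac: bytes   # 6-byte transmitter address
    seq: int         # per-sender sequence counter (the role of the TKIP sequence counter)
    payload: bytes   # on a real WLAN this would be the encrypted data; kept plain here
    mic: bytes       # integrity stamp computed by the sender


def compute_mic(key: bytes, src_mac: bytes, seq: int, payload: bytes) -> bytes:
    """The stamp covers the sender address, the counter and the data, so changing
    any of them (or presenting an old counter with new data) no longer matches."""
    msg = src_mac + struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MIC_LEN]


class Sender:
    def __init__(self, key: bytes, mac: bytes) -> None:
        self.key, self.mac, self.seq = key, mac, 0

    def send(self, payload: bytes) -> Frame:
        self.seq += 1  # the counter never repeats for a given key
        return Frame(self.mac, self.seq, payload,
                     compute_mic(self.key, self.mac, self.seq, payload))


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq: Dict[bytes, int] = {}  # highest counter accepted per sender

    def accept(self, f: Frame) -> Tuple[bool, str]:
        expected = compute_mic(self.key, f.src_mac, f.seq, f.payload)
        if not hmac.compare_digest(expected, f.mic):  # constant-time comparison
            return False, "MIC mismatch: frame tampered with or wrong key"
        if f.seq <= self.last_seq.get(f.src_mac, 0):
            return False, "replay: counter not higher than last accepted frame"
        self.last_seq[f.src_mac] = f.seq
        return True, "accepted"


def run_demo() -> List[Tuple[bool, str]]:
    """Constructed exchange: a legitimate frame, a tampered copy of it, a replay of
    it, then the sender's next frame."""
    key = b"constructed-pairwise-key-32-bytes!"[:32]        # constructed key
    client = Sender(key, bytes.fromhex("02004C4F4F50"))       # constructed, locally administered MAC
    ap = Receiver(key)
    results = []
    f1 = client.send(b"GET /payroll/report HTTP/1.1")
    results.append(ap.accept(f1))                                               # genuine -> accepted
    results.append(ap.accept(replace(f1, payload=b"GET /public/index HTTP/1.1")))  # data changed -> MIC fails
    results.append(ap.accept(f1))                                               # same counter again -> replay
    results.append(ap.accept(client.send(b"POST /logout HTTP/1.1")))           # counter 2 -> accepted
    return results


if __name__ == "__main__":
    for ok, why in run_demo():
        print("ACCEPT" if ok else "DROP  ", why)
```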

WPA, WPA2, and WPA3


In the previous sections, we covered various authentication methods, encryption
algorithms and message integrity algorithms. When it's time to configure a WLAN
with wireless security, how do we know which one is the best or which ones work
well together? Which authentication methods are compatible with which
encryption algorithms?

The Wi-Fi Alliance (http://wi-fi.org), a nonprofit wireless industry
association, has found an easy way to answer this through its Wi-Fi Protected
Access (WPA) industry certifications. There are three different versions to
date: WPA, WPA2 and WPA3. Wireless products are tested in authorized testing
laboratories against strict criteria that represent the correct application of
a standard. As long as the Wi-Fi Alliance certifies a wireless client device, an
AP and its associated WLC for the same version of WPA, they must be compliant
and offer the same security components.

The Wi-Fi Alliance introduced WPA Version 3 (WPA3) as a future replacement for
WPA2 in 2018 and added several important and superior security mechanisms. WPA3
benefits from stronger encryption by AES with Galois/Counter Mode Protocol
(GCMP). It also uses Protected Management Frames (PMF) to secure critical 802.11
management frames between APs and clients and to prevent malicious activities
that could spoof or tamper with a BSS's operation.

Figure 28-5 Comparison of WPA, WPA2, and WPA3

Also note that WPA, WPA2, and WPA3 simplify wireless network configuration and
compliance because they limit which authentication and privacy/integrity
methods can be used.

Figure 28-6 Overview of Wireless Security Mechanisms and Options


Wireless LAN Creation
I Connecting a Cisco AP
I Connecting the Cisco WLC to the Network
I Accessing Cisco WLC
I WLAN Configuration
I Creating a Wireless LAN

Connecting a Cisco AP

A Cisco wireless network may consist of Lightweight APs or Autonomous APs
working with one or more Wireless LAN Controllers. You must know how to
connect each AP type to the switch side so that the APs can forward traffic
between the appropriate VLANs and WLANs.

Figure 29-1 Connecting Method of APs

Connecting Cisco WLC to Network

Let's get to know the ports on the WLC.

Service Port: Used for system recovery and first boot functions, always
connected to a switch port in access mode.
Distribution System Port: Used for all normal AP and management traffic,
usually connected to an 802.1Q trunked switch port.
Console Port: Used for system recovery and first boot functions; accessed with a
terminal program (9600 baud by default, 8 data bits, 1 stop bit).
Redundancy Port: Allows us to back up the system by connecting a second WLC.

Figure 29-5 Cisco Wireless LAN Controller Ports

Figure 29-6 Cisco 5508 Wireless LAN Controller

Creating a Wireless LAN

Accessing Cisco WLC

To connect to and configure a WLC, you open a web browser and access the page
(http/https) by typing the WLC's management IP. This only works if the WLC has
its initial configuration and a management IP address assigned to the
management interface. The web-based GUI provides an efficient way to monitor,
configure, and troubleshoot a wireless network. You can also connect to a WLC
via an SSH session, where you can use its CLI to monitor, configure, and debug
activity.

When you open the web browser by typing the management IP, you will see the
first login screen. Click the Login button as shown in Figure 29-2; then enter
your user credentials when prompted.

Figure 29-2 WLC Initial Login Screen

Figure 29-3 Switching to the Advanced Configuration Interface

Figure 29-4 WLC Advanced Configuration GUI
WLAN Configuration

A WLAN works with a Wireless LAN Controller and APs to provide network
connectivity to wireless clients. The AP broadcasts an SSID so that the client
can join. The WLAN connects to the switch via one of the WLC dynamic interfaces.
To complete the path between SSID and VLAN as shown in Figure 29-7, we first
need to create a WLAN in the WLC.

Figure 29-7 Connecting the Wired and Wireless Network

Step 1: Configure RADIUS Server

If you are going to perform 802.1X authentication on your network, you must
first set up the authentication server. If you do not have an authentication
server, you can skip this step.

Figure 29-8 Displaying the List of RADIUS Authentication Servers

Figure 29-9 Configuring a New RADIUS Server

Step 2: Configuring the Interface

Figure 29-10 Displaying a List of Dynamic Interfaces

Figure 29-11 Defining a Dynamic Interface Name and VLAN ID

Figure 29-12 Editing the Dynamic Interface Parameters

Step 3: Configuring WLAN

Figure 29-13 Displaying a List of WLANs

Figure 29-14 Creating a New WLAN

Figure 29-15 Configuring the General WLAN Parameters

WLAN Security Configuration

Figure 29-16 Configuring Layer 2 WLAN Security

Figure 29-17 Selecting RADIUS Servers for WLAN Authentication

QoS Configuration

Figure 29-18 Configuring QoS Settings

Figure 29-19 Displaying WLANs Configured on a Controller

Figure 29-20 Configuring Management Access from Wireless Networks

Finishing the WLAN Configuration

Chapter - 10  TCP/IP Transport and Applications

Access Control List
- Basic - ACL Access Control Lists
- Extended - ACL Access Control Lists

TCP/IP Transport and Applications
- TCP/IP Transport
- TCP - Transmission Control Protocol
- UDP - User Datagram Protocol
- TCP/IP Applications
- URI - Uniform Resource Identifiers
- Using DNS
- File Transfer via HTTP
TCP/IP Transport and Applications

TCP/IP Layer 4 Transport Protocols: TCP and UDP

The main difference between TCP and UDP is that TCP provides a wide variety of
services to applications but UDP does not. For example, routers drop packets for
many reasons, including bit errors, congestion, and when the correct route is
not known. Many data link protocols detect errors but discard frames with
errors. TCP provides retransmission (error recovery) and helps prevent
congestion (flow control), whereas UDP does not retransmit. As a result, many
application protocols choose to use TCP.

But do not think that UDP is worse than TCP because of its shortcomings. By
providing fewer services, UDP headers require fewer bytes than TCP, which means
less byte overhead on the network. UDP software does not slow down data transfer
in the situations where TCP would. Also, some applications, especially Voice
over IP (VoIP) and Video over IP today, don't need error recovery, so they use
UDP. Therefore, UDP also has an important place in TCP/IP networks today.

TCP - Transmission Control Protocol

Figure 30-1 shows the TCP header fields. You do not need to memorize the names
or locations of the fields. We'll cover more in the remainder of this section.

Figure 30-1 TCP Header

Figure 30-2 Example of Adding TCP Header

TCP/IP Transport and Applications

Well-Known (System) Ports: Ports 0 to 1023, designated by IANA to be used by the
system.
User (Registered) Ports: Ports 1024 to 49151; IANA applies fewer rules to
assigning these ports than to system ports.
Temporary (Dynamic, Private) Ports: Numbers 49152 through 65535, which are
unassigned and intended to be temporarily allocated to a client application
dynamically while the application is running.

Figure 30-3 shows an example using three temporary port numbers on the user
device on the left; the server on the right uses two system ports and one user
port. The computers use three applications at the same time; therefore, three
connections are open. Because a port number must be unique on a single
computer, the pair of port numbers identifies a unique connection between the
two computers. This uniqueness means you can use multiple applications at the
same time, talking to applications running on the same or different computers.
Port-based multiplexing ensures data is delivered to the right applications.

Figure 30-3 Example of Port Usage between User and Server

Figure 30-4 Some of the Commonly Used Well-Known System Ports
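As an added example (not code from the book), the following Python decodes the fixed 20-byte TCP header shown in Figure 30-1 and classifies the two port numbers into the IANA ranges listed above. The sample segment is constructed inline with struct; the helper names and the choice of a client on port 49200 talking to HTTP on port 80 are assumptions for illustration.

```python
import struct

# IANA port ranges as described above
SYSTEM_PORTS = range(0, 1024)
USER_PORTS = range(1024, 49152)
DYNAMIC_PORTS = range(49152, 65536)

# Flag bits of the 16-bit "data offset / reserved / flags" word, lowest bit first
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS"]


def classify_port(port):
    """Return which IANA range a port number belongs to."""
    if port in SYSTEM_PORTS:
        return "system"
    if port in USER_PORTS:
        return "user"
    if port in DYNAMIC_PORTS:
        return "dynamic"
    raise ValueError(f"port out of range: {port}")


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, checksum left at 0)."""
    flag_bits = 0
    for name in flags:
        flag_bits |= 1 << TCP_FLAGS.index(name)
    off_flags = (5 << 12) | flag_bits          # data offset = 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       off_flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed part of a TCP header; the fields follow Figure 30-1."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", data[:20])
    header_len = (off_flags >> 12) * 4         # data offset counts 32-bit words
    flag_bits = off_flags & 0x1FF
    flags = [n for i, n in enumerate(TCP_FLAGS) if flag_bits & (1 << i)]
    return {
        "src_port": src_port, "src_kind": classify_port(src_port),
        "dst_port": dst_port, "dst_kind": classify_port(dst_port),
        "seq": seq, "ack": ack, "header_len": header_len, "flags": flags,
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": data[20:header_len],
    }


# Constructed sample: a client on an ephemeral port opening a connection to HTTP
SAMPLE_SYN = build_tcp_header(49200, 80, seq=1000, ack=0, flags=["SYN"])

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_SYN))
```

Parsing the constructed segment reports the client side as a dynamic port and the server side as a system port, which is exactly the pattern of Figure 30-3.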
TCP/IP Transport and Applications

UDP - User Datagram Protocol

UDP provides some of TCP's functions, such as data transfer and multiplexing
using port numbers, and requires less byte overhead and less processing than
TCP.

Applications using UDP are tolerant of lost data or have some application
mechanism to recover lost data. For example, VoIP uses UDP because if a voice
packet is lost, there is too much delay until the lost packet is detected and
retransmitted, and the voice would be unintelligible; UDP is used because it
works faster than TCP. Also, DNS requests use UDP because the user will retry an
operation if a DNS request fails. As another example, Network File System (NFS),
a remote file system implementation, performs recovery with application layer
code, so NFS uses UDP.

Figure 30-5 UDP Header

TCP/IP Applications

The point of creating a corporate network or connecting a small home or office
network to the Internet is to use applications such as web browsing, text
messaging, email, file downloads, audio and video. In this chapter we will
examine a specific application: web browsing using Hypertext Transfer Protocol
(HTTP).

The World Wide Web (WWW) consists of all Internet-connected web servers in the
world and all Internet-connected users with web browsers. Web servers store
information (in the form of web pages) that can be useful to different people. A
web browser installed on the end user's computer wants to connect to a web
server and view the web pages stored on the web server.

Several specific application processes must occur for this to work. The user
must somehow identify the server, the particular web page, and the protocol used
to retrieve data from the server. The client usually finds the web server's IP
address using DNS. The client must request the web page, which consists of
multiple individual files, and the server must send the files to the web
browser.
TCP/IP Transport and Applications

URI - Uniform Resource Identifiers

In order for the browser to display a web page, we need to type the address of
the web page we want to connect to into the browser, for example www.cisco.com.
The browser user can identify a web page by clicking something on a web page or
by entering a Uniform Resource Identifier (URI) in the browser's address field.
Both options (clicking a link and typing a URI) point to a URI, because when you
click a link on a web page that link actually points to a URI.

URIs used to connect to a web server include three basic components, as
outlined in Figure 30-6. The figure shows the official names of the URI fields.
More importantly, remember that the text before // identifies the protocol used
to connect to the server, the text between // and / identifies the server by
name, and the text after the / identifies the web page.

http://www.yavuzbulut.com/blog

Figure 30-6 Web Page URI Example

Using DNS

A host can use DNS to find the IP address of a particular web server. URIs
usually list the name of the server. The web browser cannot send an IP packet to
the name of the target web server, but it can send a packet to the web server's
IP address. So, before the browser sends a packet to the web server, the browser
usually needs to resolve the name in the URI to the IP address that corresponds
to that name. When we examine the example below, we can see how the process
takes place.

Figure 30-7 DNS Resolution and Web Page Request
TCP/IP Transport and Applications

File Transfer with HTTP

To retrieve a file from the web server, the client sends an HTTP GET request to
the server listing the filename. If the server decides to send the file, the
server sends an HTTP GET response with a return code of 200 (meaning OK) along
with the file's contents.

Web pages often consist of multiple files. Most web pages contain text as well
as various graphic images, animated advertisements, and possibly audio or video.
Each of these components is stored as a different file on the web server. To get
them all, the web browser fetches the first file. This file may (and often does)
contain references to other URIs, so the browser requests the other files as
well. Figure 30-8 shows the browser receiving the first file and then the other
two files.

Figure 30-8 Multiple HTTP GET Requests/Responses
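To make the URI, DNS and HTTP GET sequence of Figures 30-6 through 30-8 concrete, here is an added Python example (not from the book). It splits a URI into its three parts, resolves the server name against a constructed DNS table, builds the GET request a browser sends, and then follows the file references found in the first response, issuing one more GET per referenced file. The DNS entries, the site content and the example.com addresses are all constructed stand-ins so that the code runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed DNS table: stands in for a real resolver
DNS_TABLE = {"www.example.com": "203.0.113.10"}

# Constructed web server content: path -> (status code, body)
SITE = {
    "/blog": (200, b'<html><img src="/logo.png"><script src="/app.js"></script></html>'),
    "/logo.png": (200, b"PNG..."),
    "/app.js": (200, b"console.log('hi')"),
}
REASONS = {200: "OK", 404: "Not Found", 405: "Method Not Allowed"}


def parse_uri(uri):
    """Split a URI into the three parts described in Figure 30-6."""
    parts = urlsplit(uri)
    return parts.scheme, parts.hostname, parts.path or "/"


def resolve(name):
    """DNS lookup against the constructed table."""
    return DNS_TABLE[name]


def build_get(host, path):
    """The request line and headers a browser sends for one file."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def build_response(status, body):
    head = f"HTTP/1.1 {status} {REASONS[status]}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


def fake_server(request):
    """Minimal server: answer GET requests for paths in SITE, 404 otherwise."""
    request_line = request.split(b"\r\n", 1)[0].decode()
    method, path, _version = request_line.split()
    if method != "GET":
        return build_response(405, b"")
    status, body = SITE.get(path, (404, b"not found"))
    return build_response(status, body)


def parse_response(raw):
    """Return (status code, body) from an HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ")[1])
    return status, body


def fetch_page(uri):
    """Do what Figure 30-8 shows: get the first file, then every file it references."""
    scheme, host, path = parse_uri(uri)
    if scheme != "http":
        raise ValueError("this example only speaks plain HTTP")
    server_ip = resolve(host)                    # the DNS step of Figure 30-7
    fetched = []
    status, body = parse_response(fake_server(build_get(host, path)))
    fetched.append((path, status))
    for ref in re.findall(rb'src="([^"]+)"', body):   # references to other URIs
        ref_path = ref.decode()
        status, _ = parse_response(fake_server(build_get(host, ref_path)))
        fetched.append((ref_path, status))
    return server_ip, fetched
```

Calling fetch_page("http://www.example.com/blog") returns the resolved address and three (path, status) pairs: the page itself and the two files it references, each answered with 200.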
Basic - ACL Access Control List
- Basic Access Control List
- ACL Location and Direction
- Types of ACLs
- Subnet Matching with Wildcard
- Standard Numbered ACL
- Configuring ACL with Standard Number
Basic ACL - Access Control List

Basic Access Control List

IPv4 ACLs are most commonly used for packet filtering in Cisco routers. An ACL
provides filtering by checking packets passing through the router. Once enabled,
the router decides whether to block or allow each IP packet.

However, ACLs can also be used for many other IOS features. As an example, ACLs
can be used to match packets to implement Quality of Service (QoS) features. By
prioritizing some packets we can forward packets according to the priority we
want. For example, voice packets need very low latency, so ACLs can match voice
packets and the QoS logic transmits voice packets faster than data packets.

ACL Location and Direction

Cisco routers can apply ACLs to packets at the point where IP packets enter or
exit an interface. In other words, the ACL is associated with an interface and a
packet flow direction (in or out). The router checks the ACLs applied in the in
or out direction of the interfaces and, based on the result, either forwards the
packet or discards it.

The arrows in Figure 31-1 indicate locations in the topology where you can
filter packets flowing from left to right. For example, suppose you want to
allow packets sent by user A to server S1 but block packets sent by user B to
server S1. Each arrowed line represents a location and direction in which a
router can filter those packets.

Figure 31-1 Packet traffic from user A and B to S1 server
Basic ACL - Access Control List

Matching Packets

When you think about the location and direction of an ACL, you should already
be thinking about which packets you want to allow or block. You must configure
the router with an IP ACL that matches those packets. ACLs are lists of
commands that tell the router how to look at each packet, and which packets
should be discarded and which should be allowed.

For example, imagine that you allow the traffic from Host A to the S1 server
and limit the outgoing traffic from Host B, as in Figure 31-2. We already have
the IPs of Host A and B, and we know where they want to go; accordingly, we
write an ACL on R2 that matches this traffic. We must apply it under the S0/0/1
interface in the right direction, In or Out. The correct direction here is In.

Figure 31-2 ACL Command Logic

ACL Types

✓ Standard numbered ACLs (1–99)
✓ Extended numbered ACLs (100–199)
✓ Additional ACL numbers (1300–1999 standard, 2000–2699 extended)
✓ Named ACLs
✓ Improved editing with sequence numbers

Figure 31-3 ACL Types

Basic ACL - Access Control List

Subnet Matching with Wildcard Address

Typically when you write an ACL you want to match not a single IP address, but
a range of IP addresses or all IP addresses in a subnet. You can match subnets
using wildcard (WC) masks. There is a short way to find the wildcard from the
subnet mask.

Subnet 10.1.1.0 SubnetMask 255.255.255.0

Subnet 172.16.8.0 SubnetMask 255.255.252.0
access-list 1 permit 172.16.8.0 0.0.3.255

Let's practice by finding the IP ranges that the access lists in the list
below will check. When you type the access-list line as above, the access list
allows all IPs in the range from 172.16.8.0 to 172.16.11.255.

  172.16.8.0
+   0.0.3.255
———————————————
 172.16.11.255

Figure 31-4 Using Wildcard

Note: When we add the subnet address and the wildcard, we find the last IP of
the range that the ACL will check in an easy way.
Basic ACL - Access Control List

Standard Numbered ACL Syntax

Standard ACLs are a type of Cisco filter that only looks at IPv4 packets, and a
standard ACL is configured to match the source IP address of the packet.

Standard numbered IP ACLs use the following generic command:

access-list {1-99 | 1300-1999} {permit | deny} matching-parameters

Let's examine the example below; both lines match the same single host:

access-list 1 permit 10.1.1.1
access-list 1 permit host 10.1.1.1

Figure 31-5 Example of Standard ACL
Basic ACL - Access Control List

Configuring Standard Numbered ACLs

Lab - 1
1- Host A can access S1 server.
2- Subnet 10.1.1.0/24 cannot access S1 server.
3- All remaining 10.0.0.0/8 Subnets can be accessed.

Lab - 2
1- S1 Server can access the Subnet of Host A and B.
2- S1 Server cannot access Host C's Subnet.
3- Allow S2 Server to access Host C's Subnet.
4- S2 Server cannot access Host A and B's Subnet.

Figure 31-6 Standard ACL Lab - 1

R2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)# access-list 1 permit 10.1.1.1
R2(config)# access-list 1 deny 10.1.1.0 0.0.0.255
R2(config)# access-list 1 permit 10.0.0.0 0.255.255.255
R2(config)# interface S0/0/1
R2(config-if)# ip access-group 1 in

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# access-list 1 remark This ACL allows the S1 server to reach the Host A subnet
R1(config)# access-list 1 permit 10.2.2.1
R1(config)# access-list 2 remark This ACL allows the S2 server to reach the Host C subnet
R1(config)# access-list 2 permit 10.2.2.2
R1(config)# interface Fa0/0
R1(config-if)# ip access-group 1 out
R1(config)# interface Fa0/1
R1(config-if)# ip access-group 2 out
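As an added example (not the book's code), the following Python reproduces both the wildcard arithmetic from the Subnet Matching with Wildcard section and the first-match, implicit-deny evaluation that a router applies to a standard numbered ACL, using ACL 1 from Lab 1 as typed on R2 above. The shortcut it implements, wildcard = 255 minus each subnet-mask octet, is my statement of the method, and the source addresses used in the checks are constructed.

```python
import ipaddress


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def _str(n):
    return str(ipaddress.IPv4Address(n))


def wildcard_from_mask(mask):
    """Wildcard = bitwise inverse of the subnet mask (each octet is 255 - mask octet)."""
    return _str(0xFFFFFFFF ^ _int(mask))


def wildcard_range(subnet, wildcard):
    """First and last address an entry 'subnet wildcard' matches (subnet + wildcard)."""
    return subnet, _str(_int(subnet) + _int(wildcard))


def wc_match(ip, base, wildcard):
    """A 1 bit in the wildcard means 'don't care'; compare only the 0 bits."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(ip) & care) == (_int(base) & care)


def parse_standard_acl(lines):
    """Turn 'access-list N permit|deny ...' lines into (action, base, wildcard) entries."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif target == "host":
            base, wc = parts[4], "0.0.0.0"
        else:
            base = target
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"   # bare address = single host
        entries.append((action, base, wc))
    return entries


def evaluate(entries, src_ip):
    """Standard ACL logic: first matching entry wins; no match -> implicit deny."""
    for action, base, wc in entries:
        if wc_match(src_ip, base, wc):
            return action
    return "deny (implicit)"


# ACL 1 from Lab 1 on R2, as typed in the configuration above
R2_ACL_1 = [
    "access-list 1 permit 10.1.1.1",
    "access-list 1 deny 10.1.1.0 0.0.0.255",
    "access-list 1 permit 10.0.0.0 0.255.255.255",
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.252.0"), wildcard_range("172.16.8.0", "0.0.3.255"))
    for ip in ("10.1.1.1", "10.1.1.77", "10.5.5.5", "192.168.1.1"):   # constructed sources
        print(ip, "->", evaluate(parse_standard_acl(R2_ACL_1), ip))
```

Note the order dependence: Host A (10.1.1.1) is permitted only because its line comes before the deny for 10.1.1.0/24, and a source outside 10.0.0.0/8 falls through to the implicit deny at the end of every ACL.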
Extended - ACL Access Control List
- ACL with Extended Number
- Configuring Extended Numbered ACLs
- Named ACL
- Editing Named ACLs
- Named ACL Configuration
Extended ACL

Extended Numbered ACL

Extended ACLs are a type of Cisco filter that looks at IPv4 packets and is
configured to check source and destination addresses and the protocol, as well
as Layer 4 ports. They use the number ranges 100-199 or 2000-2699.

Figure 32-1 ACL Types

Matching Packets

Like standard numbered ACLs, extended IP ACLs use the access-list global
command. The syntax is the same up to the permit or deny keyword. After that
point, the command lists the matching parameters, and these are of course
different. Specifically, the extended ACL access-list command requires three
matching parameters: IP protocol type, source IP address, and destination IP
address.

Figure 32-2 IP Header Focusing on Required Fields in Extended ACLs

Figure 32-3 Extended ACL Syntax

Extended ACL

Matching by TCP and UDP Port Numbers

Extended ACLs can also inspect the TCP and UDP header sections, specifically the
source and destination port number fields. Port numbers identify the application
sending or receiving the data.

Figure 32-4 TCP Header and Port Number Fields After IP Header

Figure 32-5 Extended ACL Syntax for TCP and UDP

In the first example below, packet filtering is done on the destination port,
and in the second example it is done on the source port.

Figure 32-6 Packet Filtering by Destination Port Number

Figure 32-7 Packet Filtering by Source Port Number

Extended ACL

Popular Port Numbers

Example Extended ACL


Extended ACL

Configuring Extended Numbered ACLs

Lab - 1
1- Larry cannot access the web server on Server 1.
2- Bob cannot access FTP services.
3- Do not block the remaining traffic.

Figure 32-8 Extended ACL Lab - 1

Application example on R1.

interface Serial0
 ip address 172.16.12.1 255.255.255.0
 ip access-group 101 in
!
interface Serial1
 ip address 172.16.13.1 255.255.255.0
 ip access-group 101 in
!
access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web
access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www
access-list 101 permit ip any any

Or, configuring on R2 and R3:

interface Ethernet0
 ip address 172.16.3.1 255.255.255.0
 ip access-group 103 in
access-list 103 remark deny Bob to FTP servers in subnet 172.16.1.0/24
access-list 103 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp
access-list 103 permit ip any any
Extended ACL

Lab - 2
1- Sam cannot access the subnet where Bugs and Daffy are located.
2- Users on the Yosemite subnet cannot access the Seville subnet.
3- Do not block the remaining traffic.

We are making our configuration on the Yosemite router.

interface ethernet 0
 ip access-group 110 in
!
access-list 110 deny ip host 10.1.2.1 10.1.1.0 0.0.0.255
access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 110 permit ip any any

Figure 32-9 Extended ACL Lab - 2
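The Lab 1 and Lab 2 ACLs above, together with the port matching described under Matching by TCP and UDP Port Numbers, can be checked offline with this added Python evaluator (not from the book). It parses the extended access-list lines exactly as typed, including the host and any keywords and the eq port qualifier, and applies the same first-match, implicit-deny logic a router uses. The test packets are constructed, and the port-name table is a small assumed subset of the keywords IOS accepts after eq.

```python
import ipaddress

# Assumed subset of the port keywords IOS accepts after "eq"
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "dns": 53, "www": 80}


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def wc_match(ip, base, wildcard):
    """Wildcard match: 1 bits in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ _int(wildcard)
    return (_int(ip) & care) == (_int(base) & care)


def _parse_addr(parts, i):
    """Read one address spec (any | host A | A WILDCARD); return (base, wildcard, next i)."""
    tok = parts[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return parts[i + 1], "0.0.0.0", i + 2
    return tok, parts[i + 1], i + 2


def _parse_port(parts, i):
    """Read an optional 'eq <port>' qualifier; return (port or None, next i)."""
    if i < len(parts) and parts[i] == "eq":
        tok = parts[i + 1]
        if tok.isdigit():
            return int(tok), i + 2
        if tok in PORT_NAMES:
            return PORT_NAMES[tok], i + 2
        raise ValueError(f"unknown port keyword: {tok}")
    return None, i


def parse_extended_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines; remarks are skipped."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, proto = parts[2], parts[3]
        src, src_wc, i = _parse_addr(parts, 4)
        src_port, i = _parse_port(parts, i)
        dst, dst_wc, i = _parse_addr(parts, i)
        dst_port, i = _parse_port(parts, i)
        entries.append({"action": action, "proto": proto,
                        "src": (src, src_wc, src_port), "dst": (dst, dst_wc, dst_port)})
    return entries


def evaluate(entries, proto, src_ip, src_port, dst_ip, dst_port):
    """First match wins; 'ip' matches every protocol; no match -> implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        sb, sw, sp = e["src"]
        db, dw, dp = e["dst"]
        if not (wc_match(src_ip, sb, sw) and wc_match(dst_ip, db, dw)):
            continue
        if sp is not None and sp != src_port:
            continue
        if dp is not None and dp != dst_port:
            continue
        return e["action"]
    return "deny (implicit)"


# ACL 101 from Lab 1 (R1) and ACL 110 from Lab 2 (Yosemite), as typed above
ACL_101 = [
    "access-list 101 remark Stop Bob to FTP servers, and Larry to Server1 web",
    "access-list 101 deny tcp host 172.16.3.10 172.16.1.0 0.0.0.255 eq ftp",
    "access-list 101 deny tcp host 172.16.2.10 host 172.16.1.100 eq www",
    "access-list 101 permit ip any any",
]
ACL_110 = [
    "access-list 110 deny ip host 10.1.2.1 10.1.1.0 0.0.0.255",
    "access-list 110 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255",
    "access-list 110 permit ip any any",
]
```

One detail worth noticing in the checks: a deny line written for tcp does not match a udp packet between the same addresses, so that packet falls through to permit ip any any. When the intent is to block the hosts regardless of application, the entry must use ip as the protocol, as ACL 110 does.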


Extended ACL

Named ACL and Editing

We did the filtering with Standard and Extended ACLs, but since numbered ACLs
are identified only by a number, if you did not write a remark (reminder note),
after a while it may be difficult to remember why we wrote this ACL. With Named
ACLs, you can give a name that states what this ACL is for, so we remember why
we typed it in, and Named ACLs are easier to edit later.

Named ACL

Although they do the same things as Standard and Extended ACLs, they have some
differences:

Using names instead of numbers to describe the ACL makes it easy to remember
what we wrote the ACL for.

Using ACL subcommands instead of global commands to define parameters.

Using ACL editing features that allow the CLI user to delete individual lines
from the ACL and add new lines.

Figure 32-10 Numbered and Named ACL Syntax

Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip access-list extended barney
Router(config-ext-nacl)# permit tcp host 10.1.1.2 eq www any
Router(config-ext-nacl)# deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
Router(config-ext-nacl)# deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# interface serial1
Router(config-if)# ip access-group barney out

Router# show running-config
ip access-list extended barney
 permit tcp host 10.1.1.2 eq www any
 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255
 permit ip any any

To delete a single line that we want to edit out:

Router(config)# ip access-list extended barney
Router(config-ext-nacl)# no deny ip 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255

Router# show access-list
Extended IP access list barney
    10 permit tcp host 10.1.1.2 eq www any
    20 deny udp host 10.1.1.1 10.1.2.0 0.0.0.255
    30 deny ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255
    50 permit ip any any
Chapter - 11  Network Security
- Security Architecture
- Securing Network Devices
- Switch Port Security Applications
- DHCP Applications
- DHCP Snooping and ARP Inspection

Security Architecture
- Security Terminology
- Security Threats
- Types of Attacks
- Controlling User Access
Security Architecture

Security Terminology

Assume that in a perfect world every user has access to everything on the
network and every user makes full use of the available resources; you could
then create a network open to every user in a company. The network shown in
Figure 33-1 may represent such a scenario. Even this ideal closed system is not
completely secure, as a user may want to annoy a co-worker or view information
on a company server that should be restricted or confidential.

Figure 33-1 An Example of a Closed Company Network

Now consider that almost no company uses such a limited and closed environment.
Ultimately, the company will want to connect to the Internet and to some of its
dealers. They will also want mobile connectivity so that employees can use their
laptops, tablets, and smartphones inside and outside the organization. The
organization may want guest users to connect to the wireless network. If the
business offers a wireless connection to its employees (and guests), these
signals can be reached by unauthorized malicious people. And the list goes on.
As the network and its connectivity expand, the business will have more
difficulty maintaining the secure, closed boundary around itself, as seen in
Figure 33-2.

Figure 33-2 Example of a Versatile Company Network
Security Architecture

Security Threats

Because modern enterprise networks often consist of many parts working
together, securing them can become a very complex task. You cannot attempt to
secure a network until you identify and assess most of its vulnerabilities and
understand where the threats might come from. Appropriate countermeasures and
mitigations can be put in place after making those determinations.

Attacks That Spoof Addresses

Parameters and services can be used reliably when systems operate normally.
For example, when a device sends you an IP packet, you expect the destination IP
address in that packet to be your IP address. You expect the source MAC address
in the Ethernet frame to be the sender's MAC address. Services like DHCP and
DNS should also work properly. If a device sends a DHCP or DNS request, it
expects the DHCP or DNS response to come from a legitimate and trusted server.

Spoofing attacks focus on this trust. Attacks usually work by replacing the
expected information with fake information. Address spoofing attacks can be
simple and straightforward: one address value is replaced by another. For
example, an attacker could send packets from a fake IP address instead of his
own IP address, as shown in Figure 33-3. When the target receives the packets,
it sends return traffic to the fake address it saw instead of the attacker's real
address. If a device actually uses that fake address, that device will receive
the reply; if no device does, the reply is forwarded and eventually dropped.

Figure 33-3 Simple Spoofing Attack

An attacker can also send fake MAC addresses to add false information to the
MAC address tables or ARP tables used by the switch. Fake MAC addresses can also
be sent to the DHCP server to fill the address distribution pool, leaving no
free IP addresses for normal use.
Security Architecture

Denial-of-Service (DoS) Attacks

Suppose a malicious user found an abnormal way to open connections to the
company server. The TCP connection starts with the malicious user sending the
SYN flag, but the source IP address is replaced with a fake one. The server adds
the TCP connection to its client connection table and responds to the bogus
address with a SYN-ACK. Because the owner of the spoofed address is not part of
the TCP connection, there is no ACK response to complete the TCP three-way
handshake. The incomplete connection remains in the server's table until it
times out and is removed. During this time, the attacker could try to open so
many connections that the server's connection table fills up. At this point, the
server is no longer able to respond to TCP connections from real users, so the
server is effectively inactive and stops serving. Figure 33-4 illustrates this
process.

Figure 33-4 Denial-of-Service (DoS) Attacks
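The following is an added Python model (not from the book) of the server-side connection table described above, written from the defender's side: it shows how half-open entries left by spoofed sources crowd out real users, what a monitoring view of that table looks like, and how the timeout frees the space again. The segment records, the backlog size and the timeout value are constructed assumptions.

```python
# Constructed sequence of TCP segments arriving at a server: (time, src_ip, src_port, flags)
SEGMENTS = [
    (0, "10.0.0.5", 40000, "SYN"),          # legitimate client
    (1, "10.0.0.5", 40000, "ACK"),          # completes its handshake
    (2, "203.0.113.11", 1025, "SYN"),       # spoofed sources: SYN only, never an ACK
    (3, "203.0.113.12", 1025, "SYN"),
    (4, "203.0.113.13", 1025, "SYN"),
    (5, "203.0.113.14", 1025, "SYN"),
    (6, "203.0.113.15", 1025, "SYN"),
    (7, "203.0.113.16", 1025, "SYN"),
    (8, "203.0.113.17", 1025, "SYN"),
    (9, "203.0.113.18", 1025, "SYN"),       # table is full from here on
    (11, "10.0.0.6", 40001, "SYN"),         # another real user, turned away
]

BACKLOG = 8          # size of the server's connection table (assumed)
TIMEOUT = 60         # seconds before an incomplete connection is removed (assumed)


def process_segments(segments, backlog=BACKLOG, timeout=TIMEOUT):
    """Model the server's connection table: a SYN adds a SYN_RECV entry, the client's
    ACK promotes it to ESTABLISHED, and stale SYN_RECV entries expire. Returns the
    final table and the number of SYNs dropped because the table was full."""
    table = {}
    dropped = 0
    for t, src, sport, flags in segments:
        for key in [k for k, v in table.items()
                    if v["state"] == "SYN_RECV" and t - v["t"] > timeout]:
            del table[key]                       # the timeout described in the text
        key = (src, sport)
        if flags == "SYN":
            if len(table) >= backlog:
                dropped += 1                     # no room: the real user is refused
            else:
                table[key] = {"state": "SYN_RECV", "t": t}
        elif flags == "ACK" and key in table:
            table[key]["state"] = "ESTABLISHED"  # third step of the handshake
    return table, dropped


def half_open_report(table, backlog=BACKLOG):
    """What a defender looks at: how much of the table is tied up by incomplete
    handshakes, and which sources hold those entries."""
    half_open = [k for k, v in table.items() if v["state"] == "SYN_RECV"]
    per_source = {}
    for src, _ in half_open:
        per_source[src] = per_source.get(src, 0) + 1
    return {"half_open": len(half_open), "utilization": len(table) / backlog,
            "per_source": per_source}


if __name__ == "__main__":
    final_table, refused = process_segments(SEGMENTS)
    print(half_open_report(final_table), "SYNs refused:", refused)
```

A table where nearly every entry is SYN_RECV, spread across many sources that each hold exactly one entry, is the signature this attack leaves; the utilization figure is the value to alarm on.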


Security Architecture

Man-in-the-Middle Attack

The man-in-the-middle attack abuses the ARP table. Normally, if one host needs
to send data to another, it looks up the destination host in its ARP table. If
the entry is found, the Ethernet frame can be sent directly to the destination
MAC address; if it is not found, the host issues an ARP request containing the
IP address of the target and waits for the target to respond with an ARP reply
carrying its own MAC address.

Step 1: The client sends an ARP request to ask which MAC address 198.51.100.10
is using.
Step 2: The ARP request goes to everyone on the network. The attacker listens
to the network and prepares.
Step 3: The attacker sends his own MAC address in reply.

Now the attacker has come between the server and the client, and the traffic
passes through the attacker.

Figure 33-5 A Man-in-the-Middle Attack Begins

Figure 33-6 A Man-in-the-Middle Attack Occurs
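As an added example (not from the book) of how the attack above is detected rather than performed, this Python checks a stream of observed ARP replies against a trusted IP-to-MAC binding table, which is the same comparison Dynamic ARP Inspection makes using the DHCP snooping database covered later in this chapter. The ARP records, the binding table, the switch port names and the 198.51.100.0/24 addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP replies as observed on an access switch (not real captures)
ARP_LOG = [
    {"t": 1, "port": "Gi1/0/1", "sender_ip": "198.51.100.10", "sender_mac": "00:11:22:aa:aa:aa"},
    {"t": 2, "port": "Gi1/0/2", "sender_ip": "198.51.100.20", "sender_mac": "00:11:22:bb:bb:bb"},
    {"t": 3, "port": "Gi1/0/7", "sender_ip": "198.51.100.10", "sender_mac": "00:11:22:cc:cc:cc"},
    {"t": 4, "port": "Gi1/0/7", "sender_ip": "198.51.100.1",  "sender_mac": "00:11:22:cc:cc:cc"},
    {"t": 5, "port": "Gi1/0/2", "sender_ip": "198.51.100.20", "sender_mac": "00:11:22:bb:bb:bb"},
]

# Constructed trusted IP-to-MAC bindings (what a DHCP snooping table would hold)
TRUSTED_BINDINGS = {
    "198.51.100.1": "00:11:22:01:01:01",
    "198.51.100.10": "00:11:22:aa:aa:aa",
    "198.51.100.20": "00:11:22:bb:bb:bb",
}


def detect_arp_spoofing(log, bindings):
    """Flag ARP replies whose sender IP/MAC pair contradicts the trusted bindings,
    or (when no binding is known) changes the MAC previously seen for that IP."""
    alerts = []
    first_seen = {}
    for pkt in log:
        ip, mac, port = pkt["sender_ip"], pkt["sender_mac"], pkt["port"]
        trusted = bindings.get(ip)
        if trusted is not None and trusted != mac:
            alerts.append({"t": pkt["t"], "ip": ip, "mac": mac, "port": port,
                           "reason": "contradicts trusted binding"})
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append({"t": pkt["t"], "ip": ip, "mac": mac, "port": port,
                           "reason": "IP changed MAC"})
        first_seen.setdefault(ip, mac)
    return alerts


def macs_claiming_multiple_ips(log):
    """A single MAC answering for several IPs (a host and the gateway, say) is the
    classic footprint of a station inserting itself between two parties."""
    ips_by_mac = defaultdict(set)
    for pkt in log:
        ips_by_mac[pkt["sender_mac"]].add(pkt["sender_ip"])
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def ports_to_investigate(log, bindings):
    """Switch ports from which contradicting replies were seen."""
    return sorted({a["port"] for a in detect_arp_spoofing(log, bindings)})
```

With the constructed log, both replies from port Gi1/0/7 are flagged, and the same MAC is seen answering for the server and for the gateway address. Without any trusted table the first function still catches the moment an IP's MAC changes, which is weaker but still useful on segments without DHCP snooping.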


Security Architecture

Buffer Overflow Attacks

Operating systems and applications normally read and write data using buffers
and volatile memory space. Buffers are also important when one system
communicates with another, as IP packets and Ethernet frames come and go. As
long as memory space is properly protected and data is placed within the
correct buffer limits, everything should work as expected.

However, some systems and applications have vulnerabilities that could allow
buffers to overflow. An attacker can exploit this by sending larger-than-expected
data.

Malware

Some security threats come in the form of malicious software, or malware. For
example, a trojan is malicious software that is hidden and packaged inside other
seemingly legitimate software. Trojan software is installed silently when a
well-meaning user decides to install the software that carries it. Later, the
malware can carry out its own attacks on the local system or against other
systems. Trojan malware can only spread from one computer to another through
user interaction, such as opening email attachments, downloading software from
the Internet, and plugging a USB drive into a computer.

Human Vulnerabilities

An attacker can pose as IT staff and attempt to communicate with real end
users via phone calls, emails and social media. The end goal may be to persuade
users to reveal their credentials or set their passwords to a "temporary" value
due to some fictitious IT overhaul, allowing the attacker to gain easy access to
secure systems. Attackers may also be physically present and spy on users as
they enter their credentials.

Password Vulnerabilities

When users access a system, they usually enter a username and password. It can
be pretty easy to guess someone's username based on the person's real name. An
attacker can also easily gain access to the system if the user's password is set
to a default value or an easy-to-guess word or text string. Think like an
attacker for a moment and see if you can make some guesses about the passwords
you would try if you wanted to log into a random system. Maybe the password is
password123, 123456, and so on; you have probably thought of passwords like
these. Maybe you can try username admin and password admin.
Security Architecture

Controlling and Monitoring User Access

You can manage user activities to and from systems with Authentication,
Authorization, and Accounting (AAA) mechanisms. AAA uses standard methods to
challenge users for their credentials before access is granted or authorized.
Accounting protocols can also log user activity in enterprise systems. AAA is
widely used to control and monitor access to network devices such as routers,
switches, firewalls and so on.

Authentication: Who is the user?
Authorization: What is the user allowed to do?
Accounting: What did the user do?

Figure 33-7 Example AAA

AAA servers typically support the following two protocols to communicate with
corporate resources:

TACACS+: A Cisco proprietary protocol that separates each of the AAA
functions. Communication is secure and encrypted over TCP port 49.

RADIUS: A standards-based protocol that combines Authentication and
Authorization into a single resource. Communication uses UDP ports 1812 and
1813, but it is not fully encrypted.

Developing a Security Program to Educate Users

An effective approach a business can take to improve information security is to
educate users through a corporate security program. Many users may not have IT
knowledge, so they may not recognize vulnerabilities or realize the
consequences of their own actions. For example, if a corporate user receives an
email message threatening to expose some illegal behavior, they may be tempted
to click a link to a malicious site. Such an action could introduce malware or
worms to the user's computer that could affect business operations.
Securing Network Devices
- Securing IOS Passwords
- Firewall
- IPS (Intrusion Prevention Systems)
- Next Generation Firewalls
Securing Network Devices

Securing IOS Passwords

The best way to protect passwords on Cisco IOS devices is to not store passwords
on the IOS devices at all, so use an AAA server. However, it is common for some
passwords to be stored in a router or switch configuration, and here I will
describe some ways to protect these passwords.

Figure 34-1 Example Login Security Configuration

Hiding IOS Passwords

When we look at the passwords on Cisco IOS devices with show running-config, you
will see that these passwords are not hidden; we can protect these passwords
with the service password-encryption command.

Switch3# show running-config | section line con 0
line con 0
 password cisco
 login
Switch3(config)# service password-encryption
Switch3(config)# ^Z
Switch3# show running-config | section line con 0
line con 0
 password 7 070C285F4D06
 login

We can tell that the service password-encryption command is in use from the
"7" that is automatically added after the password command.
Securing Network Devices

Enable Password Protection

Switch3(config)# enable secret fred
Switch3# show running-config | include enable secret
enable secret 5 $1$ZGMA$e8cmvkz4UjiJhVp7.maLE1

R1(config)# enable algorithm-type scrypt secret mypass1
R1# show running-config | include enable
enable secret 9 $9$II/EeKiRW91uxE$fwYuOE5EHoii16AWv2wSywkLJ/KNeGj8uK/24B0TVU6

Local Username and Password Protection

Telnet-SSH Protection - ACL

We must protect the routers or switches with an ACL; we can restrict access to
the hosts we want or to a particular subnet.

line vty 0 4
 login local
 access-class 3 in
!
! Next command is a global command that matches IPv4 packets with a
! source address that begins with 10.1.1.
access-list 3 permit 10.1.1.0 0.0.0.255
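The password-storage choices and the VTY protection discussed in the last two sections can be checked mechanically. The Python below is an added example (not from the book) that audits a running-config text for the weaknesses named above: a plaintext or type 7 line password, an enable password instead of an enable secret, a type 5 secret where type 9 is available, a local user stored with password rather than secret, VTY lines without an access-class, and Telnet left enabled. The configuration it reads is constructed, and its $9$ hash is a placeholder.

```python
# Constructed running-config excerpt for the audit (not from any real device;
# the $9$ hash is a placeholder)
RUNNING_CONFIG = """\
hostname Switch3
enable password cisco123
username admin password 0 letmein
username ops secret 9 $9$PLACEHOLDER
line con 0
 password 7 070C285F4D06
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 password cisco
 login
 access-class 3 in
 transport input ssh
"""


def split_sections(text):
    """Group a running-config into (top-level command, [indented subcommands])."""
    sections = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_ios_config(text):
    """Return (where, finding) pairs for the password and VTY weaknesses described above."""
    findings = []
    for header, subs in split_sections(text):
        words = header.split()
        if words[:2] == ["enable", "password"]:
            findings.append((header, "enable password is reversible; use enable secret"))
        elif words[:2] == ["enable", "secret"] and len(words) > 3 and words[2] == "5":
            findings.append((header, "type 5 (MD5) secret; prefer enable algorithm-type scrypt secret (type 9)"))
        elif words[0] == "username" and "password" in words:
            findings.append((header, f"user {words[1]} stored with password; use username ... secret"))
        elif words[0] == "line":
            for sub in subs:
                sw = sub.split()
                if sw[0] == "password":
                    if sw[1] == "7":
                        findings.append((f"{header}: {sub}", "type 7 is trivially reversible; prefer local secret users or AAA"))
                    else:
                        findings.append((f"{header}: {sub}", "plaintext password; at minimum enable service password-encryption"))
                if sw[0] == "transport" and "telnet" in sw:
                    findings.append((f"{header}: {sub}", "telnet sends credentials in cleartext; use transport input ssh"))
            if words[1] == "vty" and not any(s.startswith("access-class") for s in subs):
                findings.append((header, "no access-class on vty lines; restrict management sources with an ACL"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_ios_config(RUNNING_CONFIG):
        print(f"{where:40} {finding}")
```

The constructed configuration produces six findings; only the user stored with secret 9 and the second VTY block with its access-class and SSH-only transport pass. Note that type 7 is reported as a finding even though the page shows it as an improvement over plaintext: it hides the password from a casual glance at the screen, nothing more.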
Securing Network Devices

Firewall

A firewall examines all packets so that it can choose which packets to discard
and which to allow. The firewall protects the network from problems by allowing
only permitted types of traffic to flow in and out of the network. In its most
basic form, a firewall actually does the same job as routers do with ACLs, but
the firewall can perform this packet filtering function with more options and
perform other security tasks.

The figure shows a Cisco Adaptive Security Appliance (ASA) firewall connected
to the Cisco router that connects to the Internet. All corporate traffic to and
from the Internet is sent through the firewall. The firewall considers its own
rules and decides whether to allow each packet.

Figure 34-2 Traditional Firewall Usage

Security Zones

Most companies have an inside and outside zone and a special zone called the
Demilitarized Zone (DMZ). While the name DMZ comes from the real world, it has
been used in IT for decades to refer to a firewall security zone used to place
servers that should be available to users on the public Internet. For example,
Figure 34-3 shows a typical Internet design with several web servers connected
to the DMZ via the firewall.

Figure 34-3 Firewall Zone Usage Example
I Securing Network Devices

IPS (Intrusion Prevention Systems)

A traditional intrusion prevention system (IPS) may sit on the path that packets travel through the network and filter packets, but it makes its decisions with different logic. The IPS first downloads a database of exploit signatures. Each signature identifies the header field values found in the packet sequences used to exploit different vulnerabilities. The IPS can then examine the packets, compare them with the known exploit signatures, and recognize when packets might be malicious. Once a match is found, the IPS can log the event, discard the packets, and even forward the packets to another security application for further inspection.

A traditional IPS differs from a firewall in that we create the rules on the firewall ourselves, based on the port numbers of the applications, while the IPS applies logic based on signatures provided by the manufacturer. These signatures look for attacks such as:

• DoS
• DDoS
• Worms
• Viruses

Figure 34-4 IPS and Signature Database
I Securing Network Devices

Next Generation Firewalls

In the mid-2010s, Cisco and some of its competitors began using the term Next Generation to highlight new security products. In short, Next Generation Firewalls (NGFW) and Next Generation IPS (NGIPS) are Cisco's current firewall and IPS products. Next Generation products have useful features not found in previous products.

As for Cisco products, Cisco has for many years called its firewalls the Cisco Adaptive Security Appliance (ASA). Cisco acquired Sourcefire, a security product company, around 2013. Most of the next-generation firewall (and IPS) features come from software obtained through this purchase. As of 2019, all Cisco firewalls currently sold are referred to as Cisco Firepower firewalls.

Some features of an NGFW:

Traditional Firewall: Performs traditional firewall features such as packet filtering, NAT/PAT and VPN termination.
Application Visibility and Control (AVC): This feature looks deep into application layer data to identify the application. For example, it can identify the application by its data rather than by port number, to defend against attacks that use arbitrary port numbers.
Advanced Malware Protection (AMP): A network-based anti-malware function can run on the firewall, block file transfers that would install malware, and save copies of files for later analysis.
URL Filtering: This feature inspects the URLs in each web request, categorizes the URLs, and filters traffic according to rules or rate limits. The Cisco Talos security group monitors and generates trust scores for every known domain on the Internet; URL filtering can use these scores to decide on categorization, filtering, or rate limiting.
NGIPS: Cisco NGFW products can run NGIPS features alongside the firewall.

Figure 34-5 NGIPS and NGFW
Switch Port Security
I Switch Port Security Concepts
I Configuring Switch Port Security
I Switch Port Security Violation Modes
I Switch Port Security

Switch Port Security Concepts

If the network engineer knows which devices should be connected to which ports on the switch, the engineer can use switch port security so that only those devices can use these ports.

In the figure below, when PC1 is connected to port F0/1 on SW1, if switch port security is enabled on that port, the MAC address of the connected device will be checked.

Figure 35-1 Switch Port Security Concepts

Configuring Switch Port Security

There are four different methods of implementing switch port security, shown in the figure below.

Figure 35-2 Switch Port Security Methods
I Switch Port Security

Switch Port Security Violation Modes

We saw the switch port security configuration in the previous topic, but if there is a security violation, what will this port do and what precautions will it take? In this section, we will see the commands we need to configure so that the switch decides what to do in case of a security violation. The port has three violation modes to apply:

Shutdown Mode

The default violation mode is shutdown: the port becomes errdisabled in case of a violation, and we can see the status by using the show interfaces Fa0/13 status command. We then have to go to the port and open it manually, but we can do this automatically by entering the following commands:

errdisable recovery cause psecure-violation
errdisable recovery interval seconds

Protect and Restrict Mode

These modes block untrusted traffic but the port is not closed. As a result, the port continues to forward secure traffic, but blocks unsafe traffic. Restrict mode additionally sends an SNMP message.

switchport port-security violation protect
switchport port-security violation restrict
DHCP
I Dynamic Host Configuration Protocol
I DHCP Concepts
I DHCP Relay
I DHCP Configuration
I DHCP

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) provides one of the most commonly used services in a TCP/IP network. The majority of hosts in a TCP/IP network are user devices, and the majority of user devices learn their IPv4 settings using DHCP.

It has many advantages over manually configuring IP settings. Hosts make requests to the DHCP server using DHCP messages to configure their IP settings. As a result, the host IP configuration is controlled by IT personnel, resulting in less user error. DHCP allows hosts to be permanently assigned IP addresses, but more commonly, DHCP assigns hosts a temporary IP address to use for a specified period of time.

DHCP uses the following four messages between client and server:

Discover: The host sends a discovery packet to find the DHCP server.
Offer: The DHCP server sends an offer to that client to give it a specific IP address.
Request: The host requests to accept the offer of this DHCP server.
Acknowledgment: The DHCP server sends the information to the client with an acknowledgment message.

DHCP Concepts

The host acts as a DHCP client. As a DHCP client, the host starts without IP settings: no IPv4 address, no subnet mask, no default gateway and no DNS server IP address. However, a DHCP client knows about the DHCP protocol, so the client can use this protocol to find a DHCP server and request to lease an IPv4 address.

Figure 36-1 DHCP Discover and Offer
I DHCP

DHCP Relay

DHCP packets are sent on the same subnet and within the same VLAN. Setting up a DHCP server in every VLAN and subnet would not be very practical. Instead, you need to forward the requests from the subnet you are on to the subnet where the DHCP server is located; for this we use a DHCP relay, the IP helper address, as in the example below.

Figure 36-2 IP Helper Address Effect


DHCP Snooping
I DHCP Snooping
I DHCP Snooping Logic
I Configuring DHCP Snooping

ARP Inspection
I DAI - Dynamic ARP Inspection
I DAI - Dynamic ARP Logic
I DAI Configuration
I DHCP Snooping and ARP Inspection

DHCP Snooping

DHCP Snooping observes and blocks unwanted DHCP packets on our network. For example, a malicious user connected to the switch can install a DHCP server program on his computer and try to distribute IP addresses by responding to DHCP requests from the network; we can use DHCP snooping to prevent this.

Figure 37-1 Secure and insecure ports.

Figure 37-2 DHCP Attack: Distributes correct IP but shows itself as GW.

As in Figure 37-2, the attacker listens to DHCP requests coming from the network with the DHCP server software she installed on her own computer and tries to attack by giving false information.

Figure 37-3 DHCP Attack: Man in the Middle
I DHCP Snooping and ARP Inspection

DHCP Snooping Logic

Figure 37-4 DHCP Snooping Operating Rules

Step 1: Examines all incoming DHCP messages.
Step 2: Blocks DHCP server messages received on untrusted ports.
Step 3: Filters client (user) messages received on untrusted ports:
For DISCOVER and REQUEST messages, it checks for MAC address consistency between the Ethernet frame and the DHCP message.
For RELEASE or DECLINE messages from a port, it checks the IP address against the DHCP Snooping binding table.
Step 4: Creates a new entry in the DHCP Snooping binding table for unfiltered messages whose DHCP process completes successfully.

DHCP Snooping Configuration

DHCP Snooping prevents such attacks by making the ports we choose untrusted.

Figure 37-5 Example of DHCP Snooping Configuration

ip dhcp snooping
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
ip dhcp snooping database flash:/snoopy.db
!
interface GigabitEthernet1/0/2
ip dhcp snooping trust

Limiting DHCP Messages

We can limit the rate of DHCP messages that users can send.

errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 30
!
interface GigabitEthernet1/0/2
ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/3
ip dhcp snooping limit rate 2
I DHCP Snooping and ARP Inspection

DAI - Dynamic ARP Inspection

The Dynamic ARP Inspection (DAI) feature on a switch examines ARP messages from untrusted ports to filter out those it believes to be part of an attack. The key feature of DAI compares incoming ARP messages with two data sources: the DHCP Snooping Binding table and any configured ARP ACLs. If the incoming ARP message does not match the tables in the switch, the switch discards the ARP message.

Figure 37-6 Normal ARP Request

Normally, a host uses ARP when it knows the IP address of another host and wants to know the MAC address of that host. However, for certain reasons, a host may want to announce its MAC address to all hosts in the subnet. This can be useful, for example, when a host changes its MAC address.

For example, PC A sends an ARP Reply on behalf of PC1, claiming that PC1's MAC address has changed, and R2 updates its ARP table. At this point, when R2 forwards IP packets to PC1's IP address (172.16.2.101), it places PC A's MAC address in the Ethernet frame instead of PC1's MAC address. Let's take a look at what's going on in Figure 37-8.

Figure 37-7 Incorrect Use of ARP Reply Causes Incorrect ARP Data on R2.
I DHCP Snooping and ARP Inspection

1- PC1 sends a message to some server on the left side of R2.
2- The server replies to PC1's IP address, but R2 sends the frame to PC A's MAC address.
3- PC A keeps a copy of the packet for later viewing.
4- PC A forwards the packet in a new frame to PC1, so PC1 continues to work.

Figure 37-8 Man-in-the-Middle Attack Result

Dynamic ARP Inspection Logic

If a host does not yet have an IP address, that is, the DHCP process has not been completed, it does not need to use ARP. After the host learns an IP address and subnet mask, it needs ARP to learn the MAC addresses of other hosts or of the default router in the subnet, so it sends some ARP messages. In short, DHCP comes first, then ARP.

DAI compares the sender IP and sender MAC address fields of the ARP message with the DHCP Snooping Binding table for all untrusted ports. DAI allows the ARP message if the pair is found in the table, but discards it if not.

Figure 37-9 DAI Filtering ARP Based on DHCP Snooping Binding Table
I DHCP Snooping and ARP Inspection

Note that although DAI can use DHCP Snooping Binding data as shown here, it can also use similar statically configured data that lists the correct IP and MAC address pairs, through a tool called an ARP ACL. Using ARP ACLs with DAI is useful for ports connected to devices using static IP addresses rather than DHCP. Note that DAI checks both the DHCP Snooping Binding data and the ARP ACLs.

Figure 37-10 DAI Configuration

DAI Dynamic ARP Inspection Configuration

ip arp inspection vlan 11
ip dhcp snooping
ip dhcp snooping vlan 11
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/2
ip dhcp snooping trust
ip arp inspection trust

Limiting DAI Messages

errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 30
!
interface GigabitEthernet1/0/2
ip dhcp snooping limit rate 10
ip arp inspection limit rate 8

show ip arp inspection
SW2# show ip arp inspection interfaces
SW2# show ip arp inspection statistics
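The DHCP Snooping rules (Steps 1 to 4) and the DAI check against the binding table and ARP ACL described above, as an added Python simulation that is not the book's or Cisco's code. The port names, MAC and IP addresses are constructed sample values; PC1 and PC A play the roles they have in the figures.

```python
"""Simulation of DHCP Snooping and Dynamic ARP Inspection decisions.

Added example, not from the training book or Cisco IOS. A Switch holds its
trusted ports, the DHCP Snooping binding table and a static ARP ACL;
dhcp_snoop() applies the four DHCP Snooping rules, dai() filters ARP.
All ports, MACs and IPs are constructed sample values.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    port: str         # switch port the frame arrived on
    src_mac: str      # Ethernet source MAC of the frame
    kind: str         # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    chaddr: str       # client hardware address inside the DHCP message
    yiaddr: str = ""  # address offered/acknowledged (server messages)
    ciaddr: str = ""  # address the client claims (RELEASE/DECLINE)


@dataclass
class ArpMsg:
    port: str
    sender_mac: str
    sender_ip: str


@dataclass
class Switch:
    trusted: set
    bindings: dict = field(default_factory=dict)  # ip -> (mac, port)
    arp_acl: dict = field(default_factory=dict)   # ip -> mac, static hosts
    pending: dict = field(default_factory=dict)   # chaddr -> port awaiting ACK

    def dhcp_snoop(self, m):
        """Step 1: every DHCP message is examined here; returns the verdict."""
        if m.port in self.trusted:
            if m.kind == "ACK" and m.chaddr in self.pending:
                # Step 4: successful lease creates a binding table entry
                self.bindings[m.yiaddr] = (m.chaddr, self.pending.pop(m.chaddr))
            return "forward"
        if m.kind in SERVER_MSGS:
            return "drop"  # Step 2: server message on an untrusted port
        # Step 3: client messages on untrusted ports
        if m.kind in ("DISCOVER", "REQUEST"):
            if m.chaddr != m.src_mac:
                return "drop"  # DHCP client MAC must match the frame source
            self.pending[m.chaddr] = m.port
            return "forward"
        if m.kind in ("RELEASE", "DECLINE"):
            if self.bindings.get(m.ciaddr) != (m.src_mac, m.port):
                return "drop"  # only the bound host on its own port may release
            del self.bindings[m.ciaddr]
            return "forward"
        return "drop"

    def dai(self, a):
        """Allow ARP on untrusted ports only for a known sender IP/MAC pair."""
        if a.port in self.trusted:
            return "forward"
        mac, _port = self.bindings.get(a.sender_ip, (None, None))
        if mac == a.sender_mac or self.arp_acl.get(a.sender_ip) == a.sender_mac:
            return "forward"
        return "drop"


PC1 = "aa:aa:aa:aa:aa:01"   # legitimate DHCP client on Gi1/0/3
PCA = "cc:cc:cc:cc:cc:0a"   # attacker of Figures 37-2 and 37-7 on Gi1/0/4
SRV = "bb:bb:bb:bb:bb:01"   # real DHCP server behind trusted uplink Gi1/0/2
R2 = "00:00:00:00:00:01"    # router with a static IP, covered by the ARP ACL


def run_scenario():
    """PC1 leases 172.16.2.101; every attempt by PC A is blocked."""
    sw = Switch(trusted={"Gi1/0/2"})
    sw.arp_acl["172.16.2.1"] = R2
    verdicts = [
        sw.dhcp_snoop(DhcpMsg("Gi1/0/3", PC1, "DISCOVER", PC1)),
        sw.dhcp_snoop(DhcpMsg("Gi1/0/2", SRV, "OFFER", PC1, yiaddr="172.16.2.101")),
        sw.dhcp_snoop(DhcpMsg("Gi1/0/3", PC1, "REQUEST", PC1)),
        sw.dhcp_snoop(DhcpMsg("Gi1/0/2", SRV, "ACK", PC1, yiaddr="172.16.2.101")),
        # rogue DHCP server answer arriving on an untrusted port
        sw.dhcp_snoop(DhcpMsg("Gi1/0/4", PCA, "OFFER", PC1, yiaddr="172.16.2.200")),
        # DHCP client field spoofed to PC1's MAC while the frame comes from PC A
        sw.dhcp_snoop(DhcpMsg("Gi1/0/4", PCA, "DISCOVER", PC1)),
        # DAI: PC1's own ARP passes, PC A claiming PC1's IP is dropped
        sw.dai(ArpMsg("Gi1/0/3", PC1, "172.16.2.101")),
        sw.dai(ArpMsg("Gi1/0/4", PCA, "172.16.2.101")),
        sw.dai(ArpMsg("Gi1/0/5", R2, "172.16.2.1")),  # static host via ARP ACL
        sw.dai(ArpMsg("Gi1/0/2", SRV, "10.9.9.9")),   # trusted port: not checked
    ]
    return sw, verdicts
```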
Chapter - 12 IP SERVICES
I Device Management Protocols
I Network Address Translation (NAT)
I Quality of Service (QoS)
I Various IP Services

Device Management Protocols
I System Message Logging (Syslog)
I Network Time Protocol (NTP)
I Cisco Discovery Protocol (CDP)
I Link Layer Discovery Protocol (LLDP)
I Device Management Protocols

System Message Logging (Syslog)

Cisco devices can send detailed system messages or notification messages. It is important to record these messages in order to keep them and to be warned beforehand of problems that may occur on the network; there are several ways to do this. When we log on to Cisco IOS devices we can look at these messages instantly, as real-time status information, or save them for future viewing.

Real-Time Messages to Existing Users

By default IOS shows log messages to all users. In fact, if you're using a console port, you've probably noticed a lot of syslog messages such as interfaces going up or down. The logging monitor command must be active in global configuration mode in order for users connecting via Telnet and SSH to see these messages instantly, and if the user wants to see these messages when connected, he or she must also use the terminal monitor command in exec (enable) mode.

Figure 38-1 IOS Actions for Log Messages to Existing Users

Saving Log Messages for Later Review

When users are logged on via the console, Telnet and SSH, IOS sends messages to the console and terminal sessions, and then IOS discards the message. It is helpful to keep a copy of the log messages for later review, so IOS provides two basic ways to keep a copy.

If we enter the logging buffered command in global configuration mode, IOS will store these messages in RAM; we can see them later with the show logging command.

Our other option is to send messages to a syslog server and store them there. We can send them to the server by entering the logging host {address | hostname} command.

Figure 38-2 Storing Logs in RAM and on a Server


I Device Management Protocols

Log Message Notification Level

We can ensure that the log messages are transmitted and stored only at the severity level we choose, between 0 and 7.

Figure 38-3 Log Message Levels

Figure 38-4 Logging command options

Syslog Configuration

In the example below, we will see an example of configuring four devices to send logs to the syslog server and store them in RAM.

Figure 38-5 Simple syslog example

logging console 7
logging monitor debug
logging buffered 4
logging host 172.16.3.9
logging trap warning

show logging
I Device Management Protocols

Network Time Protocol (NTP)

It is very important that the time information is correct when recording system log messages. Let's take an example: there are problems on the serial connection between R1 and R2, the OSPF adjacency is constantly having problems, and you look at the system messages and see the results as below.

Since the time information of the two routers is not correct, it will be very difficult to solve the problem by looking at the logs, so time information is very important in systems. We use NTP so that the clocks on the devices are synchronized and show the correct time.

Setting the Clock and Time Zone

R1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# clock timezone UTC 3 0
R1(config)# clock summer-time utc recurring last Sun Mar 1:00 last Sun Oct 1:00
R1(config)# ^Z
R1#
R1# clock set 20:52:49 21 October 2015
R1# show clock
20:52:55.051 EDT Wed Oct 21 2015


I Device Management Protocols

Simple NTP Configuration

Cisco provides two ntp configuration commands that determine how NTP works in a router or switch:

ntp master {stratum-level}: NTP server mode. The device acts only as an NTP server, not as an NTP client. The device gets the time information from its internal clock.

ntp server {address | hostname}: NTP client/server mode. The device acts as both client and server. First, it acts as an NTP client to synchronize time with a server. Once synchronized, the device can act as an NTP server to provide time to other NTP clients.

! Configuration on R1:
ntp server 172.16.2.2
! Configuration on R2:
ntp server 172.16.3.3
! Configuration on R3:
ntp master 2

R1# show ntp status
Clock is synchronized, stratum 4, reference is 172.16.2.2
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**21
ntp uptime is 1553800 (1/100 of seconds), resolution is 4000
reference time is DA5E7147.56CADEA7 (19:54:31.339 EST Thu Feb 4 2016)

Figure 38-6 Simple NTP Configuration


I Device Management Protocols

Redundant NTP Configuration

To set our clock, we can refer to better time sources on the Internet or purchase a purpose-built NTP server with better clock hardware. For example, we can enter ntp.ulakbim.gov.tr, tr.pool.ntp.org, or the NTP server's IP address directly.

In the other routers, we can enter the IP addresses of R1 and R2 as NTP servers.

R1 and R2 also cannot reach the NTP servers when the Internet connection is down, so we used the ntp master command so that they continue the NTP server role for the other devices.

By setting stratum 7 for R1 and R2, we have placed them at a worse level than the NTP servers on the Internet.

! Configuration on R1 and R2:
ntp server 193.140.100.40
ntp server 178.79.155.116
ntp master 7

Figure 38-7 Configuring Redundant NTP


I Device Management Protocols

CDP and LLDP


Examining Information Learned by CDP

CDP discovers basic information about neighboring routers and switches without having to know the passwords of the neighboring devices. Devices send CDP messages out each of their interfaces to share discovery information. The messages essentially provide information about the device that sent the CDP message, and devices that support CDP learn about other devices by listening to the messages those devices send.

CDP discovers some useful details from neighboring Cisco devices:


Device identifier: Host Name
Address list: IP addresses
Port identifier: Port and Interface information
Capabilities list: Information about the type of device (router, switch, ip phone)
Platform: Model and software version of the device.

Figure 38-8 Using CDP


I Device Management Protocols

Examining Information Learned by LLDP

Link Layer Discovery Protocol (LLDP), defined in IEEE standard 802.1AB, is a standardized protocol that provides the same general features as CDP. LLDP has a similar configuration and practically the same show commands compared to CDP.

LLDP Configuration

lldp run
!
interface gigabitEthernet1/0/17
no lldp transmit
no lldp receive
!
interface gigabitEthernet1/0/18
no lldp receive

interface gigabitEthernet1/0/19
lldp transmit
lldp receive
!
interface gigabitEthernet1/0/20
lldp receive

show lldp
show lldp interface g1/0/2
show lldp traffic
SW2# show lldp entry R1
NAT
Network Address Translation
I NAT Concepts
I Static NAT
I Dynamic NAT
I Overload NAT (PAT)
I NAT Configuration
I Network Address Translation

Availability of IPv4 Addresses

Initially, IPv4 addresses were handed out to each company and companies were provided with access to the Internet, but in the 1990s, with the spread of the Internet, it was understood that IPv4 addresses would not be enough and it could not continue like this.

Many short-term solutions to the addressing problem have been proposed, but three standards have been the focus for solving the problem. Two of the standards work together: Network Address Translation (NAT) and Private Addresses. Together, these features allow many organizations to use the same IPv4 network numbers internally and still communicate well with the Internet. The third standard, Classless Inter-Domain Routing (CIDR), allows a company to reduce the waste of IPv4 addresses by being assigned part of a network address, divided into subnets, instead of the entire network.

CIDR

A rule that defines how ISPs should assign globally unique IPv4 addresses to each organization. The Internet Assigned Numbers Authority (IANA) performs this IP allocation.

Figure 39-1 Example of CIDR Usage

Private Addressing

All IP addresses must be unique in the Internet environment, so since the IPv4 addresses will run out one day, some IP ranges have been reserved for use in corporate environments. Every company can use these IPs within the company without the approval of any institution, but they cannot use these IPs on the Internet. We call these IPs Private IPs.

Figure 39-2 Private IP Range
I Network Address Translation

Network Address Translation Concepts

NAT, defined in RFC 3022, allows a host that does not have a globally unique IP address to communicate with another host on the Internet. Hosts may be using the same private IP addresses used by other companies. In both cases, NAT allows these addresses, which cannot be used on the Internet, to continue to be used.

Figure 39-3 Exchange of a Private IP Address for a Public IP with NAT

Static NAT

Static NAT works like the example shown in Figure 39-4, but the IP addresses are statically mapped to each other.

Figure 39-4 Static NAT Example
I Network Address Translation

Dynamic NAT

In Dynamic NAT, imagine we have five public IPs available, as in the example, and we have five users on the inside. We create a pool for these five public IPs, and when an inside user accesses the Internet, we dynamically assign one of the IPs in this pool to that user.

Figure 39-5 Example of Dynamic NAT

Overloading NAT with Port Address Translation (PAT)

We use NAT Overload, or Port Address Translation (PAT), when we have only one public IP. It is the most commonly used method. In this example, we have three users and all of them want to connect to a web server using port 80; the NAT device takes the private IP addresses and port numbers, translates them to the public IP and distinct port numbers, and forwards the packets to the target.

Figure 39-6 NAT Overload (PAT) Example
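The PAT translation just described, as an added Python model that is not from the book: three inside users sharing one public address reach the web server on port 80, the device keeps a table of (inside local IP, port) to public port mappings, translates the replies back, and has no entry for unsolicited inbound packets. All addresses are constructed sample values.

```python
"""Model of a NAT Overload (PAT) translation table.

Added example, not from the training book. Each inside (local IP, port) pair
is translated to the single inside-global IP plus a unique port; replies are
translated back, and inbound packets without an entry are dropped.
Addresses are constructed sample values (10.1.1.0/24 inside, 203.0.113.1 public).
"""


class PatTable:
    def __init__(self, inside_global_ip, first_port=1024):
        self.global_ip = inside_global_ip
        self.next_port = first_port
        self.outbound = {}  # (inside_local_ip, local_port) -> global_port
        self.inbound = {}   # global_port -> (inside_local_ip, local_port)

    def _alloc_port(self):
        """Next public port not already used by another translation."""
        while self.next_port in self.inbound:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate_outbound(self, src_ip, src_port):
        """Return the (global IP, global port) a packet leaves with.

        The original source port is kept when it is still unused on the
        public address (many implementations do this); otherwise a fresh
        port is allocated so two users on the same port stay distinguishable.
        """
        key = (src_ip, src_port)
        if key not in self.outbound:
            port = src_port if src_port not in self.inbound else self._alloc_port()
            self.outbound[key] = port
            self.inbound[port] = key
        return self.global_ip, self.outbound[key]

    def translate_inbound(self, dst_port):
        """Return the inside (IP, port) for a reply, or None if no entry exists."""
        return self.inbound.get(dst_port)


def run_example():
    """Three users (as in Figure 39-6) connect to a web server on port 80."""
    pat = PatTable("203.0.113.1")
    flows = [("10.1.1.1", 49152), ("10.1.1.2", 49152), ("10.1.1.3", 60000)]
    translated = [pat.translate_outbound(ip, port) for ip, port in flows]
    # Replies from the web server come back to the global IP and port.
    replies = [pat.translate_inbound(port) for _ip, port in translated]
    # An unsolicited inbound packet has no translation entry: it is dropped.
    unsolicited = pat.translate_inbound(5555)
    return translated, replies, unsolicited
```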
I Network Address Translation

Static NAT Configuration

Figure 39-7 Static NAT Configuration


I Network Address Translation

Dynamic NAT Configuration


I Network Address Translation

NAT Overload (PAT) Configuration


QoS
Quality of Service
I QoS Introduction
I Bandwidth, Delay, Jitter, and Loss Management
I Traffic Types
I Classification and Marking
I Queuing
I Shaping and Policing
I Quality of Service

QoS Introduction

Routers work with both WAN and LAN interfaces. While LAN interfaces operate at higher speeds, WAN interfaces operate at slower speeds. While the router is busy sending the packets waiting on this WAN interface, hundreds or even thousands of IP packets may arrive from the LAN interface, and it has to transmit all of them out of the same WAN interface. What should the router do? Send them all in the order they came in? Prioritize some packets to be sent earlier than others, preferring one type of traffic over another? Discard some packets when the number of packets waiting to exit the router is too large?

In the paragraph above, we touched on some of the many classic Quality of Service (QoS) questions on a network. For example, WAN router interfaces queue pending packets. The router may use a queue scheduling algorithm to determine which packets will be sent first or later, and may prioritize some packets and hold back others.

QoS: Bandwidth, Delay, Jitter, and Loss Management

There is a wide variety of QoS features in both routers and switches. These features help us manage the traffic on our network in terms of:

• Bandwidth
• Delay
• Jitter
• Loss

Bandwidth: Expresses the speed of a connection in bits per second (bps). The QoS feature determines which packet is sent over the next link, and controls how much bandwidth each traffic type can use over time.
Delay: Can be defined as the round-trip delay of outgoing and incoming packets.
Jitter: Refers to the variation in one-way delay between consecutive packets sent by the same application.
Loss: Usually refers to the number of lost messages as a percentage of packets sent. The comparison is simple: for some application, if the sender sent 100 packets and only 98 reached the destination, that application stream lost 2 percent.
I Quality of Service

Traffic Types

Data Applications

First, consider a basic web application on a user PC or tablet. The user enters an address to open a web page. This request may require a single packet to be sent to the web server, but may result in hundreds or thousands of packets being returned to the web client, as shown in Figure 40-1.

Figure 40-1 HTTP Traffic

So what is the impact of bandwidth, delay, jitter and loss on an interactive web-based application? First, the packets require a certain amount of bandwidth capacity. As for delay, each of these packets experiences some one-way delay from server to client, and there is some jitter as well.

Voice and Video Applications

A phone call between two IP phones will create a flow in each direction. For video, it can be security camera or video conference call traffic.

VoIP takes the sound of a conversation made on one phone and puts it in IP packets so that it can be heard on the other phone. Figure 40-2 illustrates the general idea.

The steps in the figure include:

1- The phone user makes a phone call and starts talking.
2- A chip called a codec processes (digitizes) the audio to generate binary code for a given time period (usually 20 ms). Usually the G.711 codec is used, producing 160 bytes.
3- The phone encapsulates the data in an IP packet.
4- The phone sends the packet to the target IP phone.

Figure 40-2 VoIP Packet, G.711 Codec
I Quality of Service

With the G.711 codec, this single call also requires approximately 80 Kbps of bandwidth (not counting the data-link header and trailer). If we include the headers and VoIP payload as in the figures, each of the IP packets has 200 bytes. Each holds 20 ms of digital audio, so the phone sends 50 packets per second. These 50 packets of 200 bytes each are equivalent to 10,000 bytes per second, or 80,000 bits per second, or 80 Kbps. Other audio codecs require less bandwidth; the widely used G.729 takes about 24 Kbps (not counting the data-link header and trailer).

You can get quality voice traffic over an IP network, but you must implement QoS to do so. QoS tools are tuned to respond to the behavior required by different types of traffic. Cisco recommends the following guidelines for quality voice traffic:

• Delay (one-way): 150 ms or less.
• Jitter: 30 ms or less.
• Loss: 1% or less.

For video calls:

• Bandwidth: 384 Kbps to 20+ Mbps
• Delay (one-way): 200–400 ms
• Jitter: 30–50 ms
• Loss: 0.1%–1%

Classification and Marking

QoS tools, like ACLs, sit on the path that packets take as they are forwarded through a router or switch and examine the passing traffic. Like ACLs, QoS tools are enabled for one direction on interfaces.

The term classification refers to the process of matching fields in a message to select a QoS traffic class. So, if we compare QoS tools again with ACLs, they classify and filter like ACLs; that is, ACLs match (classify) packet headers. ACLs help us decide which packets to discard or which packets to select.

For example, if we enable QoS on the output interface of the router as in Figure 40-3, it will classify the outgoing traffic according to the rules we set and place it in a queue.
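The G.711 arithmetic above, generalised to any codec, as an added Python example that is not from the book: it reproduces the page's 80 Kbps (G.711) and 24 Kbps (G.729) figures from the codec bit rate and 20 ms packetization interval, optionally adds the Ethernet header and trailer the page leaves out, and checks measured delay, jitter and loss against the voice guidelines listed. The codec rates and the 18-byte Ethernet overhead are standard values assumed here, not taken from the page.

```python
"""Per-call VoIP bandwidth and voice-quality check.

Added example, not from the training book. Generalises the page's G.711
computation (160-byte payload every 20 ms + 40 bytes of IP/UDP/RTP headers
= 200 bytes, 50 packets/s, 80 Kbps) to other codecs and link types.
"""
IP_UDP_RTP_HEADERS = 20 + 8 + 12   # IPv4 + UDP + RTP header bytes per packet
ETHERNET_OVERHEAD = 14 + 4         # Ethernet header + FCS (assumed link type)

# Codec bit rate (bps) and audio per packet (ms); standard values, assumed.
CODECS = {
    "G.711": {"bitrate": 64000, "packet_ms": 20},
    "G.729": {"bitrate": 8000, "packet_ms": 20},
}

# Cisco voice guidelines quoted on this page.
VOICE_LIMITS = {"delay_ms": 150, "jitter_ms": 30, "loss_pct": 1.0}


def payload_bytes(codec):
    """Audio bytes carried per packet: bitrate * interval / 8."""
    c = CODECS[codec]
    return c["bitrate"] * c["packet_ms"] // 1000 // 8


def packets_per_second(codec):
    """How many packets one direction of the call sends each second."""
    return 1000 // CODECS[codec]["packet_ms"]


def call_bandwidth_bps(codec, include_ethernet=False):
    """One-direction bandwidth of a call; the page's figures exclude layer 2."""
    size = payload_bytes(codec) + IP_UDP_RTP_HEADERS
    if include_ethernet:
        size += ETHERNET_OVERHEAD
    return size * packets_per_second(codec) * 8


def voice_quality_ok(delay_ms, jitter_ms, loss_pct):
    """True when all three measurements meet the voice guidelines on this page."""
    return (delay_ms <= VOICE_LIMITS["delay_ms"]
            and jitter_ms <= VOICE_LIMITS["jitter_ms"]
            and loss_pct <= VOICE_LIMITS["loss_pct"])


if __name__ == "__main__":
    for name in CODECS:
        print(name, payload_bytes(name), "bytes/packet,",
              call_bandwidth_bps(name) // 1000, "Kbps without layer 2")
```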
I Quality of Service

Figure 40-3 Classifying and Queuing Traffic on a Router

Step 1: The router makes a forwarding decision.
Step 2: The router uses classification logic to determine the type of each packet.
Step 3: The output interface of the router keeps the waiting packets in the output queue.
Step 4: The scheduling logic of the queuing tool selects which packet to send next and puts the packets in order.

Figure 40-4 shows an example of a PC on the left sending an IP packet to hosts (not shown) on the right of the figure. The first switch to forward the packet, SW1, does some complex comparisons and marks the Differentiated Services Code Point (DSCP) field of the packet, a 6-bit field that serves as the QoS flag in the IP header. The next three devices that process this message (SW2, R1, and R2) use simpler matching to classify the packet, comparing the packet's DSCP value and matching packets with a DSCP value in Class 1 to one class and packets with a DSCP value in Class 2 to another.

Sometimes we can apply QoS to both the input and output interfaces of the devices, which may cause the performance of the devices to decrease. Both Cisco and the RFCs recommend classifying by matching on packet headers and then marking the packet, so that later devices can match on the mark.

Figure 40-4 Systematically marking and classifying
I Quality of Service

Classification on Router with ACL and NBAR

This chapter delves a little deeper into classification on routers, and we'll take a closer look at the marking function.

Figure 40-5 shows the IP and TCP headers. All of these fields can be matched for QoS classification.

Figure 40-5 Five classification fields used by the Extended ACL

For example, if all IP phones use a subnet in the address range of 10.3.0.0/16, we can configure an extended ACL to match all packets in the 10.3.0.0/16 subnet and use this ACL for QoS operations suitable for voice traffic.

However, not every classification can be easily done by matching with an ACL. In more demanding situations, Cisco Network-Based Application Recognition (NBAR) can be used. In short, NBAR2 matches packets for classification in a wide variety of ways, which is very useful for QoS.

NBAR2 looks at more in a message than an ACL can examine. Many applications cannot be identified by well-known port numbers alone. NBAR solves these problems.

For example, the Cisco WebEx application provides audio and video conferencing on the web. In a QoS plan, you may want to categorize WebEx differently from other video traffic and differently from voice calls between IP phones. That is, you can classify WebEx traffic and give it a unique DSCP mark. NBAR provides easy built-in matching capability for WebEx and more than 1000 different application subcategories.

Matching applications with NBAR2:
I Quality of Service

IP Header Marking

Marking a QoS field in the IP header works well because the IP header travels from the source host to the destination host. When a host sends data, it sends a data-link frame that contains the IP packet. Each router that forwards the IP packet discards the old data-link header and adds a new one. Because routers do not discard and replace IP headers, the marking fields in the IP header remain unchanged until they reach the destination host.

The IPv4 header contains a Type of Service (ToS) byte, as shown in Figure 40-6. The original RFC defined a 3-bit IP Precedence (IPP) field for the QoS flag. This field gives us eight separate binary values, 000, 001, 010, and so on up to 111. When we convert them to decimal numbers, we mark packets with a number between 0 and 7.

The IPP only gave us eight (0-7) different values to mark, so later RFCs redefined the ToS byte with the DSCP field. DSCP increased the number of marking bits to 6 bits and allowed 64 unique values to be marked. DSCP was adopted as the most common method to use when doing QoS in the late 1990s, and it has become quite common to use the DSCP field for marking.

Figure 40-6 DSCP and IPP fields in the IP Header


Marking the Ethernet 802.1Q Header

Another useful marking field is in the 802.1Q header. In the third byte of the 802.1Q header, a 3-bit field provides eight possible values to mark (see Figure 40-7). It goes by two different names: Class of Service (CoS) and Priority Code Point (PCP).

Figure 40-7 Class of Service Field in the 802.1Q/p Header

The 802.1Q header is not included in all Ethernet frames. The 802.1Q header is present only when an 802.1Q trunk is used on a link. As a result, QoS tools can use the CoS field only for QoS features enabled on interfaces that use trunks, as shown in Figure 40-8.

Figure 40-8 CoS Marking on a Trunk Port

Other Marking Fields
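The two marking fields described above, the IP ToS byte (IPP/DSCP) and the 802.1Q Tag Control Information word (CoS/PCP), laid out bit by bit as an added example; this is not code from the book. It also shows the point about trunks: an untagged frame has no CoS field at all, so the parser returns None when the 0x8100 tag is absent. The MAC addresses in the demo are constructed.

```python
# Added example (not from the book): bit-level layout of the two marking
# fields the text describes, the IP ToS byte (IPP / DSCP) and the 802.1Q
# TCI (CoS / PCP). Pure Python, no external packages.
import struct


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the ToS byte: DSCP in the upper 6 bits, ECN in the lower 2."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def dscp_from_tos(tos: int) -> int:
    """Read the 6-bit DSCP value out of a ToS byte."""
    return (tos >> 2) & 0x3F


def ipp_from_tos(tos: int) -> int:
    """Read the original 3-bit IP Precedence (the top 3 bits of the byte).

    DSCP reuses those same top bits, so IPP == DSCP >> 3; this is why the
    Class Selector values (CS0..CS7) are backward compatible with IPP.
    """
    return (tos >> 5) & 0x07


def tci_from_cos(cos: int, vlan_id: int, dei: int = 0) -> int:
    """Build the 16-bit 802.1Q Tag Control Information word.

    PCP/CoS occupies the top 3 bits, DEI the next bit, VLAN ID the low 12.
    """
    if not 0 <= cos <= 7 or not 0 <= vlan_id <= 4095 or not 0 <= dei <= 1:
        raise ValueError("CoS must be 0..7, VLAN 0..4095, DEI 0..1")
    return (cos << 13) | (dei << 12) | vlan_id


def cos_from_tci(tci: int) -> int:
    return (tci >> 13) & 0x07


def vlan_from_tci(tci: int) -> int:
    return tci & 0x0FFF


def tagged_frame_header(dst_mac: bytes, src_mac: bytes, cos: int,
                        vlan_id: int, ethertype: int = 0x0800) -> bytes:
    """Return the first 18 bytes of an 802.1Q-tagged Ethernet frame.

    Layout: dst(6) src(6) TPID 0x8100(2) TCI(2) EtherType(2).
    """
    tci = tci_from_cos(cos, vlan_id)
    return dst_mac + src_mac + struct.pack("!HHH", 0x8100, tci, ethertype)


def cos_of_frame(frame: bytes):
    """Return the CoS of a frame, or None if it carries no 802.1Q tag.

    Untagged frames (access ports, no trunk) simply have no field in which
    a CoS value could be carried.
    """
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != 0x8100:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return cos_from_tci(tci)


def ipv4_tos_of_packet(packet: bytes) -> int:
    """The ToS/DSCP byte is the second byte of the IPv4 header."""
    return packet[1]


if __name__ == "__main__":
    # Constructed sample addresses (not real devices).
    dst = bytes.fromhex("0000000000aa")
    src = bytes.fromhex("0000000000bb")
    frame = tagged_frame_header(dst, src, cos=5, vlan_id=10)
    print("CoS of tagged frame:", cos_of_frame(frame))
    print("CoS of untagged frame:", cos_of_frame(dst + src + b"\x08\x00"))
    tos = tos_from_dscp(46)  # EF
    print("ToS byte 0x%02x -> DSCP %d, IPP %d"
          % (tos, dscp_from_tos(tos), ipp_from_tos(tos)))
```

Run it as a script to see that DSCP 46 (EF) is ToS byte 0xB8 and is read by an IPP-only device as precedence 5.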


Defining Trust Boundaries

The end-user device can mark the DSCP field, or even the CoS field if a trunk is used for the connection. Would you trust these devices and accept their DSCP and CoS markings?

Most of us wouldn't, because anything the end user controls can at times be used inappropriately. For example, a PC user might know that voice traffic is marked with the DSCP called Expedited Forwarding (EF), decimal 46. Since voice traffic is prioritized by QoS, that user could mark all of the PC's traffic as DSCP 46.

Figure 40-9 Trust Boundary at the Switch

QoS plan creators must choose where to place the trust boundary of the network. The trust boundary is the point in a packet's path through the network at which network devices can trust the QoS markings as valid. This boundary is typically located on a device under the control of IT personnel.

Figure 40-10 Trust Boundary at the IP Phone
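How the switch at the trust boundary treats arriving markings, as an added example (not code from the book or from any switch). The port names, their trust states and the CoS-to-DSCP map are constructed for the example; the map uses CoS × 8, which is also the usual default on Cisco Catalyst switches, but treat that as an assumption here.

```python
# Added example (not from the book): ingress handling at the trust boundary.
# Port trust states and the CoS-to-DSCP map are constructed for the example;
# the map (CoS * 8) matches the common Catalyst default, assumed here.
from dataclasses import dataclass
from typing import Optional

COS_TO_DSCP = {c: c * 8 for c in range(8)}  # CoS 5 -> DSCP 40, etc.


@dataclass
class Packet:
    src_port: str
    dscp: int                    # 0..63, marking in the IP header
    cos: Optional[int] = None    # 0..7, present only if the frame was tagged


# Trust state per ingress port: a PC port is untrusted, the IP phone port
# trusts CoS (the phone re-marks its PC's traffic), the uplink trusts DSCP.
PORT_TRUST = {
    "Gi1/0/1": "untrusted",    # end-user PC
    "Gi1/0/2": "trust-cos",    # IP phone with a PC behind it
    "Gi1/0/24": "trust-dscp",  # uplink to distribution (inside the boundary)
}


def apply_trust_boundary(pkt: Packet) -> Packet:
    """Return the packet as it leaves ingress classification.

    untrusted : markings are ignored, DSCP and CoS are reset to 0 (CS0)
    trust-cos : CoS is believed, DSCP is rewritten from CoS via the map;
                an untagged frame on such a port has no CoS, so it gets 0
    trust-dscp: the DSCP already in the packet is kept
    Unknown ports fall back to untrusted, the safe default.
    """
    mode = PORT_TRUST.get(pkt.src_port, "untrusted")
    if mode == "trust-dscp":
        new_dscp = pkt.dscp
    elif mode == "trust-cos":
        new_dscp = COS_TO_DSCP[pkt.cos] if pkt.cos is not None else 0
    else:
        new_dscp = 0
    new_cos = new_dscp >> 3  # the internal DSCP decides the outbound CoS
    return Packet(pkt.src_port, new_dscp, new_cos)


def ingress_decisions(packets):
    return [apply_trust_boundary(p) for p in packets]


if __name__ == "__main__":
    # Constructed traffic: the PC on Gi1/0/1 marks everything EF (46) as the
    # text warns; the phone sends voice with CoS 5; the uplink carries AF41.
    sample = [
        Packet("Gi1/0/1", dscp=46),
        Packet("Gi1/0/2", dscp=46, cos=5),
        Packet("Gi1/0/24", dscp=34, cos=4),
    ]
    for before, after in zip(sample, ingress_decisions(sample)):
        print("%-8s in DSCP %2d -> out DSCP %2d CoS %d"
              % (before.src_port, before.dscp, after.dscp, after.cos))
```

The PC's self-assigned EF is reset to 0 at the boundary, while the same value arriving on the trusted uplink is kept; that is the whole point of placing the boundary on a device IT controls.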
DiffServ Recommended Marking Values

DiffServ is intended for consistent use of DSCP values across all networks by recommending specific markings for certain types of traffic. Thus, manufacturers can use these default settings for their QoS features, so that QoS can work better between different brands and devices.

DiffServ uses three groups of DSCP values for marking: EF, AF and CS.

Expedited Forwarding (EF)

DiffServ defines the recommended Expedited Forwarding (EF) DSCP value (a single value) for packets that require low latency (delay), low jitter, and low loss. It defines DSCP 46 and an equivalent text name (EF). QoS configuration commands allow the use of either the decimal value or the text name, but one purpose of using the text abbreviation is to make the value more memorable, so many QoS configurations refer to the text names.

Many QoS plans use EF to mark voice payload packets. By default, Cisco IP Phones mark voice packets with EF and send signaling (SIP, SCCP) packets with CS3.

Assured Forwarding (AF)

The Assured Forwarding (AF) DiffServ RFC (2597) defines a set of 12 DSCP values that are intended to be used in concert with each other. Assured Forwarding defines specific AF DSCP text names and equivalent decimal values, as listed in Figure 40-11. Text names follow an AFXY format: X corresponds to the queue (1 to 4) and Y corresponds to the drop priority (1 to 3).

Figure 40-11 Differentiated Services Assured Forwarding Values and Meaning

For example, if you mark a packet with the value 12 (AF12): AF11, AF12 and AF13 all enter a single queue; those with AF21, AF22 and AF23 enter another queue; and so on. Within the same queue, AF21 takes priority and AF23 stays last.
Class Selector (CS)

Initially, the ToS field was defined by the 3-bit IPP field. When DiffServ redefined the ToS field, eight DSCP values were created so that DSCP would be backward compatible with the IPP values. The Class Selector (CS) DSCP values are these settings.

Figure 40-12 Class Selector

Guidelines for DSCP Marking Values

With so many different values, different uses of different DSCP values by different devices in the same enterprise would complicate the deployment of QoS. Without going into the depth of any QoS plan, the plans all set some variation of how all devices should mark data:

✓ DSCP EF: Voice payload
✓ AF4x: Interactive video (for example, videoconferencing)
✓ AF3x: Streaming video
✓ AF2x: High priority (low latency) data
✓ CS0: Standard data

Queuing

The term queuing refers to the QoS toolset used to manage the queues that hold packets while they wait for their turn to exit an interface. In Figure 40-13, the output interface sends packets from a single queue in the order they arrived. Since no QoS tools are used here, the interface simply sends whatever traffic came in first.

Figure 40-13 Queue traffic without QoS

In Figure 40-14, there is more than one queue and traffic exits the interface in order of priority.

Figure 40-14 Queue traffic with QoS applied

Round-Robin Scheduling (Prioritization)

Routers use a popular tool called Class-Based Weighted Fair Queuing (CBWFQ) to provide a minimum bandwidth for each class. That is, each class receives at least the configured amount of bandwidth, but perhaps more depending on availability. CBWFQ allows us to define weights as a percentage of link bandwidth while using a weighted round-robin scheduling algorithm. Figure 40-15 shows an example where three queues in the system are given 20, 30 and 50 percent of the bandwidth, respectively.

Figure 40-15 CBWFQ Round-Robin Scheduling

With the queuing system shown in the figure, if the outbound link is congested, the scheduler guarantees each queue the percentage of bandwidth shown in the figure. That is, queue 1 gets 20 percent of the link even at peak times. In this method the bandwidth is guaranteed, but the output order is determined by the round-robin algorithm.
Low Latency Queuing (LLQ)

Unfortunately, a round-robin scheduler does not provide low enough latency, jitter or loss. Solution: add Low Latency Queuing (LLQ) to the scheduler.

The solution, LLQ, tells the scheduler to treat one or more queues as special priority queues. The LLQ scheduler always takes the next packet from one of these special priority queues first. Problem solved: very little delay for packets in this queue results in very little jitter. Figure 40-16 shows adding LLQ logic for the voice queue.

Figure 40-16 Using LLQ with CBWFQ

In LLQ, we guarantee bandwidth with priority, and if voice traffic arrives in the output queue, it goes to the front of the queue.
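A small simulation of the scheduler described in the two sections above, CBWFQ weighted round-robin with an LLQ priority queue on top, as an added example that is not code from the book or from IOS. Class names, the 20/30/50 weights, packet sizes and the per-round priority cap are constructed; the round-robin is implemented as deficit round-robin with byte credits, and the priority queue is policed per round the way a real LLQ limits its priority class during congestion.

```python
# Added example (not from the book): CBWFQ weighted round-robin plus an LLQ
# priority queue. All traffic, weights and the priority cap are constructed.
from collections import deque

PACKET = 100  # bytes per packet in the constructed traffic


class Scheduler:
    def __init__(self, weights, llq_name="voice", llq_bytes_per_round=200):
        """weights: {class: percent}. llq_bytes_per_round caps the priority
        bytes sent per round; a real LLQ polices its priority class under
        congestion, so priority traffic beyond the cap is dropped."""
        self.weights = weights
        self.queues = {c: deque() for c in weights}
        self.queues[llq_name] = deque()
        self.llq = llq_name
        self.llq_cap = llq_bytes_per_round
        self.credit = {c: 0 for c in weights}
        self.dropped = 0

    def enqueue(self, cls, size=PACKET):
        self.queues[cls].append(size)

    def _drain_llq(self, budget):
        """Send priority packets first, up to the remaining LLQ budget."""
        out = []
        q = self.queues[self.llq]
        while q and q[0] <= budget:
            budget -= q[0]
            out.append((self.llq, q.popleft()))
        while q and q[0] > budget:      # beyond the cap: policed (dropped)
            q.popleft()
            self.dropped += 1
        return out, budget

    def run_round(self, bytes_per_round=1000):
        """One scheduler round: each weighted class may send percent * bytes."""
        sent = []
        llq_budget = self.llq_cap
        for cls, pct in self.weights.items():
            # the LLQ is checked before every class so voice never waits long
            llq_out, llq_budget = self._drain_llq(llq_budget)
            sent.extend(llq_out)
            self.credit[cls] += bytes_per_round * pct // 100
            q = self.queues[cls]
            while q and q[0] <= self.credit[cls]:
                self.credit[cls] -= q[0]
                sent.append((cls, q.popleft()))
            if not q:
                self.credit[cls] = 0   # no carry-over for an idle queue
        return sent


def simulate(rounds=1):
    """Constructed scenario: three data classes at 20/30/50 percent, each
    congested with 10 packets, plus 4 voice packets (2 more than the cap).
    Returns (send order as class names, number of policed voice packets)."""
    s = Scheduler({"q1": 20, "q2": 30, "q3": 50})
    for cls in ("q1", "q2", "q3"):
        for _ in range(10):
            s.enqueue(cls)
    for _ in range(4):
        s.enqueue("voice")
    order = []
    for _ in range(rounds):
        order.extend(c for c, _ in s.run_round())
    return order, s.dropped


if __name__ == "__main__":
    order, dropped = simulate()
    print("send order:", " ".join(order))
    print("voice packets policed:", dropped)
```

In one round the voice packets leave first, then q1, q2 and q3 get 2, 3 and 5 packets, the 20/30/50 split from Figure 40-15; the two voice packets over the cap are dropped rather than allowed to starve the data classes.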


Shaping and Policing

Both policing and shaping monitor the bit rate of the aggregate messages flowing through a device. When enabled, each notes every packet that passes the policer or shaper and measures the bits per second over time. Both try to keep the bit rate at or below the configured rate, but they use two different methods: policing discards packets, while shaping holds packets in a queue to delay them.

Policing

Traffic reaches network devices at a varying rate with spikes. In other words, if you graph the bit rate of the bits entering or leaving any interface, the graph looks like the left side of Figure 40-17. Policing measures this rate; the horizontal dashed line on the left represents the rate configured for policing. Therefore, policing has information about the measured bit rate over time, which it compares to the preset rate. The right side of the figure shows the excess traffic cut off at the policing rate.

Figure 40-17 Policing and Shaping Impact on Delivered Traffic Load

Where to Use Policing

Policing monitors messages, measures the rate and discards some messages. How does this help us with QoS? At first glance, it seems to harm the network by throwing away messages sent by the transport or application layer. How does this improve bandwidth, delay, jitter or loss?

Policing only makes sense in certain situations and is generally used on routers between two networks. For example, consider a typical point-to-point Metro Ethernet WAN connection between R1 and R2.

Figure 40-18 Ethernet WAN: Link Speed Versus CIR

Now imagine you have a 200 Mbps Metro Ethernet connection as shown in the figure, but keep in mind that the link speed between the router and the switch is 1 Gbps. Since traffic leaves us at 1 Gbps but our contracted rate is 200 Mbps, the ISP will police the packets leaving us; alternatively, we can limit the traffic to 200 Mbps ourselves before it leaves us.
Shaping

You have a 1 Gbps connection between the ISP's Metro Ethernet switch and your router, but the rate you get from the ISP is 200 Mbps, and the ISP will not always allow traffic exceeding 200 Mbps. Solution: we can hold our rate to 200 Mbps by slowing down the traffic using shaping.

Shaping slows down messages by queuing them and scheduling the queues. Following the left-to-right flow in Figure 40-19, packets are forwarded to the router interface so that the sending rate through the shaper is not exceeded.

Figure 40-19 Shaping Queues: Scheduling with LLQ and CBWFQ

Setting a Good Shaping Interval for Audio and Video

We tried to solve a QoS (quality of service) problem with a QoS tool, but the side effect of shaping is that it slows packets down, which creates more latency and possibly more jitter. Fortunately, you can (and should) configure a shaping setting that changes its internal operation, reducing the latency and jitter it causes for audio and video traffic.

Figure 40-20 One Second (1000 ms) Shaping Time Interval, Shaping at 20 percent of Line Speed

The solution to this problem: configure a short time interval. Consider the following time intervals (abbreviated Tc) and their effects, with shorter time intervals for the same example:

Tc = 1 second (1000 ms): Send at 1 Gbps for 200 ms, rest for 800 ms
Tc = .1 second (100 ms): Send at 1 Gbps for 20 ms, rest for 80 ms
Tc = .01 second (10 ms): Send at 1 Gbps for 2 ms, rest for 8 ms

Use a short time interval when shaping. As a recommendation, use a 10 ms interval to support audio and video.
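The shaping arithmetic from the Tc list above, carried through in code as an added example (not from the book): Bc = CIR × Tc bits are released per interval, they leave at line rate, and the link then idles for the rest of Tc. The second function is a small interval-based shaper used to show what the interval means for a voice packet stuck behind a data burst. The 1 Gbps access link and 200 Mbps CIR are the figures from the text; the packet sizes and burst are constructed.

```python
# Added example (not from the book): shaping interval arithmetic and a
# minimal Tc-based shaper. Link and CIR numbers are the text's; the traffic
# is constructed.

LINE_RATE = 1_000_000_000   # bps, router-to-switch access link
CIR = 200_000_000           # bps, contracted rate with the ISP


def shaping_interval(tc_ms, cir=CIR, line_rate=LINE_RATE):
    """Return (Bc in bits, send_ms, idle_ms) for one interval Tc.

    Bc = CIR * Tc is the number of bits the shaper may release per interval;
    they leave at line rate, so the link is busy for Bc / line_rate and
    idle for the rest of Tc.
    """
    tc_s = tc_ms / 1000.0
    bc_bits = cir * tc_s
    send_ms = bc_bits / line_rate * 1000.0
    return bc_bits, send_ms, tc_ms - send_ms


def shape(packet_bytes, tc_ms, cir=CIR, line_rate=LINE_RATE):
    """All packets arrive at t=0 and are released FIFO, at most Bc bits per
    interval; within an interval they leave back-to-back at line rate.
    Returns one departure time in ms per packet."""
    bc_bits = cir * tc_ms / 1000.0
    interval, used = 0, 0.0
    times = []
    for size in packet_bytes:
        bits = size * 8
        if bits > bc_bits:
            raise ValueError("a packet larger than Bc can never be sent")
        if used + bits > bc_bits:      # does not fit: wait for the next Tc
            interval += 1
            used = 0.0
        times.append(interval * tc_ms + used / line_rate * 1000.0)
        used += bits
    return times


def voice_wait_after_burst(tc_ms):
    """Constructed scenario: exactly enough 1250-byte data packets to use up
    one interval's Bc, then one 200-byte voice packet. Returns the voice
    packet's departure time in ms, i.e. how long it waited."""
    bc_bits = CIR * tc_ms / 1000.0
    data = [1250] * int(bc_bits // (1250 * 8))
    return shape(data + [200], tc_ms)[-1]


if __name__ == "__main__":
    for tc in (1000, 100, 10):
        bc, send, idle = shaping_interval(tc)
        print("Tc=%5d ms: Bc=%.0f bits, send %.0f ms, idle %.0f ms"
              % (tc, bc, send, idle))
    for tc in (1000, 10):
        print("Tc=%5d ms: voice packet behind a full interval waits %.0f ms"
              % (tc, voice_wait_after_burst(tc)))
```

With Tc = 1000 ms the voice packet waits a full second for the next interval; with Tc = 10 ms it waits 10 ms, which is why the text recommends the short interval for audio and video.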
Various IP Services

I First Hop Redundancy Protocol (FHRP)
I HSRP Concepts
I HSRP Load Balancing
I Simple Network Management Protocol (SNMP)
I FTP / TFTP
I IOS Image Update

I Various IP Services

First Hop Redundancy Protocol (FHRP)

When we use a design that includes redundant routers, switches, LAN connections, and WAN connections in networks, in some cases other protocols are required to avoid the problems this causes.

For example, imagine a WAN with many remote branches. If each remote branch has two WAN links connecting it to the rest of the network, these routers can use the IP routing protocol to choose the best routes. The routing protocol lear­ns routes over both WAN links, adding the best route to the routing table. When the better WAN link fails, the routing protocol takes advantage of the redundant link and adds the alternate route to the IP routing table.

Let's give a few examples. In Figure 41-1, we see a network with a single WAN connection and a single router.

Figure 41–1 Router with Single WAN Connection

In Figure 41-2, there are two routers and two WAN connections on the main site; whichever route has priority is used when going to the remote site, and if one of the lines breaks, the other one is used. On the remote side there is only one router but two WAN connections.

Figure 41–2 R1 with two WAN Connections Redundancy

In Figure 41-3, redundancy was provided with two routers, but only one gateway IP was given to the hosts.

Figure 41–3 Using Two Routers
Why FHRP is Necessary

Of the designs shown so far, only the design in Figure 41-3 has two routers in the network on the left side of the figure. Having redundant routers on the same subnet gives us redundancy, but manual intervention is required to make use of it; in such cases an FHRP should be used in the network.

To see the necessity and benefit of using an FHRP, first consider how these redundant routers can be used as default routers by the hosts in VLAN 10 / subnet 10.1.1.0/24, as shown in Figure 41-4. The host IP settings will remain unchanged, so each host has a single default router IP. Therefore, we have some design options for the default router settings:

All hosts in the subnet use R1 (10.1.1.9) as the default router, and if R1 has a problem, we statically reconfigure the default router setting to R2's IP, 10.1.1.129.

Half the hosts use R1 and half use R2 as default router, and if one of the routers fails, we statically reconfigure the default router settings of half the users.

Figure 41–4 Using Different Default Routers for Different Users

There are three types of FHRP solutions, but we will cover only HSRP in the CCNA training curriculum.

Figure 41–5 FHRP Solutions
HSRP Concepts

HSRP works with an active/standby model. HSRP allows two (or more) routers to work together, all acting as default routers. However, only one router actively forwards end-user traffic at any given time.

Packets sent to the default gateway (router) by the hosts are forwarded by this active router. The other routers, which are in the HSRP standby state, wait in case the active HSRP router has a problem.

The HSRP active router implements a virtual IP address and a virtual MAC address. This virtual IP address exists as part of an additional configuration, the HSRP configuration.

Under the interface command, this virtual IP address is given in the same subnet as the interface IP address, but as a different IP address. The router then automatically generates a virtual MAC address. All cooperating HSRP routers know these virtual addresses, but only the active HSRP router uses them.

Figure 41–6 Traffic exiting R1, R2 in Standby

In Figure 41-6, R1 is active and traffic flows through R1; R2 is in the standby state. In case of a problem on R1, R2 will become active, as shown in the figure below.

Figure 41–7 R1 cannot be reached and R2 has taken over
HSRP Load Balancing

HSRP works with the active/standby model, so the hosts in the same subnet exit through the active router. As in Figure 41-6, all traffic leaves through R1 and R2 remains on standby. But when configuring HSRP, we can select different active routers for different subnets, which allows us to use both devices actively by distributing the traffic. Let's examine the example in Figure 41-8.

Figure 41–8 Load Balancing with HSRP Using Different Active Routers in Different Subnets

HSRP Configuration

R1# show running-config
! Lines omitted for brevity
interface GigabitEthernet0/0
 ip address 10.1.1.9 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HSRP-Group

R2# show running-config
! Lines omitted for brevity
interface GigabitEthernet0/0
 ip address 10.1.1.129 255.255.255.0
 standby version 2
 standby 1 ip 10.1.1.1
 standby 1 preempt
 standby 1 name HSRP-Group

R1# show standby brief

The default priority is 100. When R1 is given priority 110, R1 becomes the active router.
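The active-router choice and the virtual MAC mentioned in the HSRP sections, computed for the R1/R2 configuration shown above, as an added example (not code from the book or from IOS). Router names, IPs and priorities come from that configuration; the election follows the HSRP rules that the highest priority wins, ties go to the highest interface IP, and a returning router takes over from a lower-priority active router only if preempt is configured. The virtual MAC prefixes 0000.0c07.acXX (v1) and 0000.0c9f.fXXX (v2) are the standard HSRP ones.

```python
# Added example (not from the book): HSRP active election and virtual MAC
# for the R1/R2 configuration above.
import ipaddress
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100    # HSRP default
    preempt: bool = False


def virtual_mac(group: int, version: int = 2) -> str:
    """HSRP v1: 0000.0c07.acXX (groups 0-255); v2: 0000.0c9f.fXXX (0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP v1 groups are 0..255")
        raw = 0x00000C07AC00 | group
    elif version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRP v2 groups are 0..4095")
        raw = 0x00000C9FF000 | group
    else:
        raise ValueError("HSRP version must be 1 or 2")
    h = "%012x" % raw
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def _rank(r: HsrpRouter):
    """Higher priority wins; on a tie the higher interface IP wins."""
    return (r.priority, int(ipaddress.IPv4Address(r.ip)))


def elect(routers, current_active=None):
    """Return the name of the active router.

    With no current active (group just came up) the best-ranked router wins.
    Once a router is active it keeps the role unless it disappears or a
    better-ranked router with preempt enabled shows up.
    """
    alive = {r.name: r for r in routers}
    best = max(routers, key=_rank)
    if current_active is None or current_active not in alive:
        return best.name
    active = alive[current_active]
    if best.preempt and _rank(best) > _rank(active):
        return best.name
    return current_active


if __name__ == "__main__":
    r1 = HsrpRouter("R1", "10.1.1.9", priority=110, preempt=True)
    r2 = HsrpRouter("R2", "10.1.1.129", preempt=True)
    print("group 1 vMAC (v2):", virtual_mac(1))
    print("active at startup:", elect([r1, r2]))
    print("after R1 fails:", elect([r2], current_active="R1"))
    print("after R1 returns:", elect([r1, r2], current_active="R2"))
```

Without preempt on R1, the last call would leave R2 active after R1 came back; that is the behaviour the `standby 1 preempt` line in the configuration changes.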


Simple Network Management Protocol (SNMP)

NMS (Network Management System): software that provides simultaneous monitoring and management of information from all devices in the network. The NMS typically polls the SNMP agent on each device. The NMS can report the status of devices on the network by sending e-mails or messages to a user. You can also configure devices via SNMP if you have allowed configuration changes via SNMP. The NMS uses the SNMP Get message to request information from a device, and sends an SNMP Set message to change the device's configuration. Figure 41-9 shows this SNMP Get and Set traffic.

Figure 41–9 SNMP Get Request and Get Response Message Flow

Most commonly, a network administrator collects and stores statistics over time using the NMS and can analyze various statistics with the stored data. To be proactive, administrators can set thresholds for certain variables and tell the NMS to send a notification when a threshold is crossed.

SNMP Notifications

In addition to the Get and Set messages, the SNMP agent can initiate communication with the NMS. These messages, often referred to as notifications, use two special SNMP messages: Trap and Inform. The agent tracks changes on the device and sends a Trap or Inform SNMP message to the NMS to report its status.

As an example of a Trap, let's assume that Router 1's G0/0 interface fails, as shown in step 1 in Figure 41-10. When traps are configured, the router sends an SNMP Trap message to the NMS, and this Trap message reports that the G0/0 interface is down. Then the NMS software can send a text message to the network support personnel, open a window on the NMS screen, change the color of the router icon to red in the graphical interface, and so on.

Figure 41–10 SNMP Trap Notification Process
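The Get Request message that the NMS sends in Figure 41-9, built and parsed with only the standard library, as an added example that is not code from the book or from any NMS. The community string, OIDs and request-id are constructed sample values. Parsing the message back out shows the point a defender cares about with SNMP v1/v2c: the community string, which is the only credential, travels in clear text.

```python
# Added example (not from the book): encode and decode an SNMPv2c GetRequest
# with BER, standard library only. Community, OIDs and request-id are
# constructed sample values.


def _length(n: int) -> bytes:
    """BER length: short form below 128, else 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def ber_integer(v: int) -> bytes:
    """INTEGER, two's complement, minimal number of bytes."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    with the continuation bit set on all but the last byte of each arc."""
    arcs = [int(x) for x in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def snmpv2c_get_request(community: str, oids, request_id: int) -> bytes:
    """SEQUENCE { version=1 (v2c), community, GetRequest-PDU [0xA0] {
       request-id, error-status=0, error-index=0, varbinds { {oid, NULL} } } }"""
    varbinds = b"".join(_tlv(0x30, ber_oid(o) + _tlv(0x05, b"")) for o in oids)
    pdu = (ber_integer(request_id) + ber_integer(0) + ber_integer(0)
           + _tlv(0x30, varbinds))
    return _tlv(0x30, ber_integer(1) + _tlv(0x04, community.encode()) + _tlv(0xA0, pdu))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_header(msg: bytes):
    """Return (version, community, pdu_type, request_id) of a v1/v2c message.

    The community string is readable by anyone who captures the packet: it
    is the only credential in v1/v2c, which is why Set should not be enabled
    with these versions.
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_type, pdu, _ = _read_tlv(body, pos)
    _, rid, _ = _read_tlv(pdu, 0)
    return (int.from_bytes(ver, "big", signed=True), community.decode(),
            pdu_type, int.from_bytes(rid, "big", signed=True))


if __name__ == "__main__":
    # sysName.0 and sysUpTime.0 with constructed community "public", id 1000
    msg = snmpv2c_get_request("public", ["1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.1.3.0"], 1000)
    print(msg.hex())
    print(parse_header(msg))
```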
FTP and TFTP

File Transfer Protocol (FTP) and Trivial File Transfer Protocol (TFTP) both use a client and server model, where a client connects to a server and then the client can copy files to or from the server.

Managing Cisco IOS with FTP / TFTP

IOS exists as a single file that routers load into RAM to use as the operating system.

Cisco routers often use flash memory rather than a hard disk drive. Flash memory is rewritable permanent storage. It is ideal for storing files that need to be kept when the router loses power. Flash memory has no moving parts, so it is less likely to fail. Some routers have flash memory on the motherboard. Others have flash memory slots that allow easy removal and replacement of the flash card, but the card remains in the device most of the time. Also, many devices have USB ports that support USB flash drives.

The IOS operating system is stored compressed in this flash memory. Flash also stores other files used not only by IOS but also for the startup-config and the system.

IOS Image Upgrade

Step 1: First, the IOS image is downloaded from the Cisco support page.
Step 2: Place the downloaded file on an FTP/TFTP server or a USB stick.
Step 3: Copy it to the router's Compact Flash memory using the copy command.

Figure 41–11 IOS Image Update
IOS Image Verification

We can verify whether the IOS image file downloaded from Cisco's site has been tampered with by comparing it against the MD5 hash we get from the site.

FTP Upload

There are many file transfer options in the networking world, and many of them are supported by the IOS file system on routers. TFTP and FTP have been supported for the longest time, but newer protocols such as SFTP and SCP are starting to be supported.

Sw-1(config)#ip ftp username cisco
Sw-1(config)#ip ftp password cisco
Sw-1#copy ftp: flash:
Address or name of remote host []? 192.168.1.10
Source filename []? c2960-lanbase-mz.122-25.SEE1.bin
Destination filename [c2960-lanbase-mz.122-25.SEE1.bin]?
Accessing ftp://192.168.1.10/c2960-lanbase-mz.122-25.SEE1.bin...
[OK - 4670455 bytes]
64016384 bytes total (54929883 bytes free)
Sw-1(config)#boot system flash:c2960-lanbase-mz.122-25.SEE1.bin
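The hash check described under IOS Image Verification, as an added example that is not from the book: it digests the file in chunks, so an image of several hundred megabytes does not have to fit in memory, and compares the result with the published value in constant time. The file names and the "published" hash are constructed inside the demo; with a real image you would paste the value from the vendor's download page. Where the vendor also publishes a SHA-512 value, prefer it over MD5, since MD5 collisions are practical.

```python
# Added example (not from the book): verify a downloaded image against the
# hash published by the vendor. File names and the "published" digest are
# constructed; the sample files are written to a temporary directory.
import hashlib
import hmac
import os
import tempfile


def file_digest(path: str, algorithm: str = "md5", chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so a large image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path: str, published: str, algorithm: str = "md5") -> bool:
    """True only if the file's digest equals the published one.

    hmac.compare_digest avoids an early-exit string comparison, and the
    published value is normalised so a copy-paste in uppercase still matches.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, published.strip().lower())


def demo():
    """Constructed sample: a fake image, its real digest standing in for the
    vendor's published value, and a copy with a single byte changed.
    Returns (good_image_ok, tampered_image_ok)."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "c2960-lanbase-mz.SAMPLE.bin")
    with open(good, "wb") as f:
        f.write(b"IOS-IMAGE-SAMPLE" * 1024)
    published_md5 = file_digest(good, "md5")
    tampered = os.path.join(tmp, "c2960-lanbase-mz.TAMPERED.bin")
    with open(tampered, "wb") as f:
        f.write(b"IOS-IMAGE-SAMPLE" * 1023 + b"IOS-IMAGE-SAMPLe")
    return verify_image(good, published_md5), verify_image(tampered, published_md5)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("untouched image verifies:", ok)
    print("tampered image verifies:", tampered_ok)
```

A one-byte change at the end of the file is enough to fail the check; run the verification before the `copy` to flash and before pointing `boot system` at the new file.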
Chapter 13

Network Architecture

I LAN Architecture
I WAN Architecture
I Cloud Computing Architecture

LAN Architecture

I Two-Tier Campus Design (Collapsed Core)
I Three-Tier Campus Design (Core)
I Small Office/Home Office
I Power over Ethernet (POE)

I LAN Architecture

Two-Tier Campus Design (Collapsed Core)

Cisco uses some common terms to refer to Cisco-oriented LAN designs, first to determine all the requirements of a campus LAN and then to talk about it. You should know some important campus design terminology.

Cisco uses three terms to describe the role of each switch in a campus design: Access, Distribution and Core.

Access: The switches that end devices connect to are defined as the Access layer.
Distribution: The layer where the Access switches are connected.
Core: The layer where the Distribution switches are connected.

The Two-Tier Campus Design

Figure 42-1 shows a typical design of a large campus LAN. This LAN has about 1000 PCs, connected to 40 switches, each supporting about 25 ports. Figure 42-1 shows a two-tier design; the layers are the Access Tier (or Layer) and the Distribution Tier (or Layer). A two-tier design solves the main need.

Figure 42-1 Campus LAN with Design Terminology Listed


Two-Tier Design Terminology

Star: A design in which a central device is connected to the other devices, so that when you draw the connections in every direction, the design looks like a star shining in all directions.

Full Mesh: A design in which all existing switches are connected to each other.

Hybrid: A design that combines topology design concepts into a wider (typically more complex) design.

Figure 42-2 The Star Topology Design Concept in Networking

Figure 42-3 Using a Full Mesh at the Distribution Layer, 6 Switches, 15 Links


Three-Tier Campus Design (Core)

The two-tier design in Figure 42-1 is the most common campus design. It also goes by two common names: Two-tier and Collapsed Core. Collapsed Core means that the two-tier design does not have a third layer, the Core layer.

Imagine that your campus has only two or three buildings. Each building has a two-tier design, with a pair of distribution switches and access switches spread around the building as necessary. How do you tie together the LANs in every building? With only a few buildings, as shown in Figure 42-4, it makes sense to simply cable the distribution switches together.

Figure 42-4 Three Buildings Non-Core Two-Tier Design

However, the three-tier (Core layer) design is meant for larger LAN designs; it saves switch ports and cables. For the connections between buildings, remember that the cables are run outside, underground, and that the installation is usually more expensive. Therefore, it can help reduce costs by not increasing the number of cables used between buildings.

Figure 42-5 Three Buildings Three-Tier Design
Small Office/Home Office

Small Office/Home Office (SOHO) LAN. A SOHO LAN differs significantly from the campus LAN design: a small number of switches, a few APs, a few routers and WAN connections, and their applications. The term SOHO refers to a small office where a user or a small number of people work from home.

At home, you probably use a single device called a mini router. One side of the device is connected to the Internet and the other side is connected to the devices in the house. At home, the devices can be connected with either Wi-Fi or an Ethernet cable, as in Figure 42-6.

Figure 42-6 Typical SOHO Network Usage

Figure 42-7 shows how the single device used in the home or in the small office does the work of several devices.

Figure 42-7 Distribution of tasks of a single device
Power over Ethernet (PoE)

PoE was developed for devices that can be powered through the Ethernet cable. The switch must provide this power to the device connected by the cable. Companies can save cabling costs by using PoE.

Figure 42-8 Power over Ethernet Example

Figure 42-9 Power over Ethernet Standards

PoE usually provides a great advantage for devices placed in positions without an existing electrical cable or socket. For example, if you need to attach an AP to the ceiling and there is no electrical cable there, PoE is very advantageous. IP cameras can also be placed in ceiling corners or various external locations. Instead of pulling new power and network cables for each device, you can provide power to the device by pulling a single Ethernet cable and communicate over normal Ethernet via the same cable.


WAN Architecture

I Metro Ethernet
I Multi Protocol Label Switching (MPLS)
I Internet
I VPN Fundamentals
I Site to Site VPN

I WAN Architecture

Metro Ethernet

Metro Ethernet (MetroE) includes various WAN services with some common features. The service uses physical Ethernet links to connect the customer device to the service provider's device. This service is a WAN provider layer that carries Ethernet frames from one customer device to another. Figure 43-1 shows the use of Metro Ethernet with four branches.

Figure 43-1 Metro Ethernet Concept as a Large Ethernet Switch

From the SP perspective, the SP must build a network to create the Metro Ethernet service. To keep costs lower, the SP places a device physically as close to many customers as possible. These SP switches need to be close to many customer locations so that the Ethernet standards support the distance from the SP's point of presence (POP) to each customer. Figure 43-2 brings together some of these terms and ideas.

Figure 43-2 Ethernet Access Links into a Metro Ethernet Service

Metro Ethernet Design and Topology

In order to use the Metro Ethernet service, each branch must be connected to the service with an Ethernet connection.

Figure 43-3 Metro Ethernet Standards


Multi Protocol Label Switching (MPLS)

Figure 43-4 shows the Layer 3 routing you have already learned a lot about, represented by the packet flowing from left to right. Each router makes a separate forwarding decision to send the packet on, as shown in steps 1, 2 and 3. Each router compares the destination IP address of the packet with its IP routing table; the matching IP routing table entry tells the router where to send the packet next. To learn these routes, routers typically run a routing protocol.

Figure 43-4 Basic IP Routing of IP Packets

MPLS creates a WAN service that forwards IP packets among customer locations. The customer deploys its routers and switches as usual. The SP then builds its own IP network covering a wide geographical region. The customer connects to the MPLS network with a link from each location, and sends IP packets from one location to another with the SP forwarding them. For example, Figure 43-5 represents an MPLS network with four SP routers in the middle, while the routers on the edges are the routers of a company.

Figure 43-5 MPLS SP Topology Example


Internet

To build the Internet, Internet service providers (ISPs) need connections to other ISPs and to their customers. ISPs connect to each other using various high-speed technologies in the Internet infrastructure, and they connect their customers to the Internet using various technologies. The combination of customer networks connected to ISP networks, and the ISPs themselves, creates the worldwide Internet.

Some WAN technologies work especially well as Internet access technologies. For example, many telephone companies use the existing phone line to the home, so the ISPs do not have to install additional cables. Some use TV cables, while some use wireless.

Companies can use the Internet as a WAN service, connecting to the Internet to achieve their goals over it. First, the company gets an Internet connection at each location. Then, using virtual private network (VPN) technology, the company can create a VPN over the Internet. When sending data over the VPN across the Internet, it can keep the packets confidential by encrypting them.

Access to the Internet

In addition to the traditional services shown in the figure, businesses can use Internet access technologies that consumers use more frequently, including DSL, cable, 4G/5G and fiber Ethernet. In this section, we talk about Internet access technologies before going into Internet VPN topics.

Figure 43-6 Internet Access Examples

DSL - Digital Subscriber Line

DSL technology is widely used in Turkey. ISPs provide the Internet connection to homes or companies using the existing telephone cables. There are varieties of DSL connection, such as ADSL, VDSL and G.SHDSL; these connection models can reach up to 100 Mbps.

Figure 43-7 DSL Internet Access Example
Cable TV Internet

Cable TV Internet is a very low cost connection for a SOHO (small office). Even for larger companies, cable (or DSL) can be very good as a backup link. Cable Internet uses DOCSIS technology.

DOCSIS (Data Over Cable Service Interface Specification): All cable modems and similar devices must comply with this standard.

Figure 43-8 Cable TV Internet Access Sample

Wireless WAN (3G, 4G, LTE, 5G)

Most of you have a mobile phone with Internet access, so you can check your e-mail, browse the web, download apps, and watch videos. Today, most of us rely on our mobile phones and their Internet access. In this section, we examine mobile Internet access technology.

Mobile phones use radio waves to communicate through a nearby base station. The phone has a small radio antenna, but the base station has a much larger antenna. Telephones, tablet computers, laptops and even routers (with wireless WAN cards) can communicate over the Internet using this technology, as shown in Figure 43-9.

Figure 43-9 Mobile Internet Access Example
Fiber (Ethernet) Internet

DSL and cable Internet use copper wires, but comparing the different types of physical media, fiber optic cable usually supports higher speeds over longer distances. That is, comparing physical network technologies across the breadth of the network, fiber optic cabling supports longer connections, and these connections usually operate at equivalent or higher speeds.

Some ISPs now offer fiber Internet, or Internet access that is simply called fiber. To do this, a local company with the right to run cabling underground (usually a telephone company) installs new fiber optic cables. After the cable plant is installed (usually a large budget, as well as years of work), the fiber ISP connects customers to the Internet using the fiber optic cable. Usually the fiber carries Ethernet protocols. Conclusion: high-speed Internet usually uses Ethernet technology.

VPN Fundamentals

VPNs (Virtual Private Networks) can provide significant security features such as the following when sending data through an open network like the Internet:

• Confidentiality (Privacy)
• Authentication
• Data Integrity
• Anti-Replay

Let's examine the traffic in Figure 43-10.

Figure 43-10 VPN Tunnel Concepts for a Site-to-Site Intranet VPN


I WAN Architecture

Site to Site VPN Remote Access VPNS with TLS


The site provides VPN services with a single VPN tunnel for devices in two To support multiple devices in each location, a site to site VPN connection is
locations. For example, if there is dozens of devices that should communicate created by CT personnel. On the contrary, a user can dynamically start their
between locations in each location, not every devices should form VPN. Instead, VPN connections in cases where there is no site to site VPN. For example, a user
they configure devices such as routers or firewalls (as shown in Figure 43-10) can enter a café and connect to free Wi-Fi, but in this cafe, there is no site VPN
to form a VPN tunnel. The tunnel creates endpoints and always leaves a that can access the user's corporate network. Instead, the user can connect to the
working position, so that VPN is available when any device in both facilities company network via a previously installed Remote Access VPN program.
decides to send data. All devices in each location can access other devices using Remote access VPNs usually use the Transport Layer Security (TLS) protocol
VPN via Firewall and Router without having to create VPN. to create a secure VPN session.
The data encryption for an IPSEC VPN usually works as shown in Figure

43-11.

Figure 43-12 Remote Access VPN Options (TLS)

Figure 43-11 Basic IPsec Encryption Process
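Of the four VPN features listed above, the two that are most often implemented incorrectly are data integrity and anti-replay. The Python below is an added example, not code from this book or from any IPsec implementation: it models the ESP receiver checks from RFC 4303 with an HMAC-SHA256 tag over the sequence number and payload (integrity and origin authentication) and a 64-packet sliding window (anti-replay). The key, window size and packet contents are constructed for the demonstration, and the confidentiality step (the cipher, AES in real IPsec) is deliberately left out.

```python
import hashlib
import hmac
import struct

# Constructed key for the demonstration only. A real IPsec SA gets its keys
# from IKE, and a real ESP packet is also encrypted (AES-GCM or AES-CBC);
# the cipher step is left out here to keep the focus on the two checks.
AUTH_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32                     # HMAC-SHA256 output length
WINDOW_SIZE = 64                 # RFC 4303 requires a window of at least 32

def protect(seq: int, payload: bytes) -> bytes:
    """Sender side: 4-byte sequence number, payload, then an integrity tag
    covering both, so the receiver can trust the sequence number it checks."""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("ESP sequence numbers run from 1 to 2^32-1")
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(AUTH_KEY, body, hashlib.sha256).digest()

class AntiReplayReceiver:
    """Sliding-window replay detection in the style of RFC 4303 section 3.4.3.
    Bit i of `bitmap` records whether sequence number (highest - i) was seen."""

    def __init__(self, window_size: int = WINDOW_SIZE):
        self.window_size = window_size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0

    def check(self, packet: bytes):
        """Return (True, payload) or (False, reason). Integrity is verified
        before the window is consulted, and the window is updated only after
        the packet passes, so a forged packet can never move the window."""
        if len(packet) < 4 + TAG_LEN:
            return False, "truncated"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad MAC"
        seq = struct.unpack("!I", body[:4])[0]
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.highest:
            shift = seq - self.highest                      # slide the window
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest = seq
            return True, body[4:]
        offset = self.highest - seq
        if offset >= self.window_size:
            return False, "too old (outside window)"
        if self.bitmap & (1 << offset):
            return False, "replay"
        self.bitmap |= 1 << offset                          # mark as seen
        return True, body[4:]
```

Packets may arrive out of order inside the window (sequence 2 after 3 is accepted once), but a packet already marked in the bitmap, or one older than the window, is dropped without being processed further.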


Cloud Computing Architecture
■ Server Virtualization
■ Creating a Virtual Switch
■ Physical Data Center Network
■ Cloud Computing Services
■ Cloud Architecture
Server Virtualization

Traditionally, when you think of a server, that server runs one operating system. Inside, the hardware contains a CPU, some RAM, some kind of permanent storage (such as disk drives) and one or more NICs. The operating system can use all the hardware in the server and then run one or more applications. Figure 44-1 shows these main ideas.

Figure 44-1 An OS and its applications on a classic physical server

With the physical server model shown in Figure 44-1, each physical server runs one operating system, and that operating system uses all the hardware on that server. This is how servers worked in the days before server virtualization.

Today, most companies run a virtual data center instead. Each OS is separated from the hardware and is therefore virtual rather than physical. A piece of hardware that we would previously have called a physical server can now run more than one operating system at the same time, with each virtual OS called a virtual machine (VM).

Although a virtual server is separated from the hardware, an OS still needs hardware. Each VM has a configuration for its minimum number of vCPUs, minimum RAM and so on. The virtualization system (the hypervisor) then starts the VM only if the physical server has enough capacity to support all the VMs running on it. So each virtual server uses a subset of the CPU, RAM, storage and NICs of the physical server. Figure 44-2 shows this concept with four different VMs running on one physical server.

Figure 44-2 Four virtual servers and applications working under the management of a hypervisor on the physical server
Creating a Virtual Switch on the Virtualized Server

Servers today generally have two NICs (more cards can be added), and these NICs run at 1 Gbps, 10 Gbps or even 40 Gbps.

An operating system normally expects at least one NIC, maybe more, in order to operate normally; for a VM, that NIC is a virtual NIC. (In VMware's virtualization systems, for example, a VM's virtual NIC is called a vNIC.)

The server must connect the physical NICs and the vNICs used by the VMs through a switch. Each server usually uses an internal Ethernet switch concept called a virtual switch, or vSwitch. Figure 44-3 shows an example with four VMs, each with one vNIC. The physical server has two physical NICs. The vNICs and the physical NICs are all connected to the virtual switch.

Figure 44-3 Basic Networking in a Virtualized Host with a Virtual Switch

Ports connected to VMs: the vSwitch can place a port in its own VLAN, share the same VLAN with other VMs, or even make the port a VLAN trunk. A VM on a trunk port can reach every VLAN carried on that trunk, so trunk ports should be given only to VMs that genuinely need them, such as a virtual firewall.

Ports connected to physical NICs: the vSwitch uses the physical NICs in the server hardware so that it connects to the external physical switch. The vSwitch can use a VLAN trunk here (and usually does).

Automated configuration: the configuration can be done from the same virtualization software that controls the VMs. This programmability lets the virtualization software move VMs between servers and reprogram the vSwitch so that a VM has the same network capabilities no matter where it runs.
Physical Data Center Network

In a virtualized data center, each physical server must still have a physical connection to the network. Figure 44-4 shows traditional cabling for a data center LAN. Each long rectangle represents a rack in the data center; the small squares represent NIC ports and the lines represent cables.

Figure 44-4 Traditional Physical Data Center Network

Workflow with a Virtualized Data Center

Virtualization engineers also install and customize virtualization tools. Beyond the hypervisor on each server, many other tools help manage and control a virtualized data center. For example, data center management software can manage all the hypervisors, and the virtual servers loaded on them, across every physical server from one place.

Now suppose a customer wants a "server". In fact, the developer needs a VM (or many) with specific requirements: a certain number of vCPUs, a certain amount of RAM, and so on. The developer asks the virtualization engineer to create the VMs, as shown in Figure 44-5.

Figure 44-5 A customer's virtual server request and the VM created for it
Cloud Computing Services

Cloud computing is a different model of providing IT services. Cloud computing usually uses virtualization products, along with products built specifically for cloud computing. Cloud computing is not just a set of products to be deployed; it is a way of delivering IT services.

Private Cloud (On-Premises)

To create a private cloud, an organization usually extends its IT tools (such as virtualization tools) and changes its internal workflow processes.

For example, imagine that an application developer in a company needs VMs to develop an application. The developer may want those VMs to start automatically and be available within minutes.

Many cloud computing services use a catalog to achieve this. The catalog appears to the user as a web application that lists everything that can be requested through the company's cloud infrastructure. As shown at step 2 of Figure 44-6, the requested VM appears within minutes, without human interaction, ready for use.

Figure 44-6 Basic Private Cloud Workflow to Create One VM

For this process to work, the cloud team must add some tools and processes to the virtualized data center. For example, it installs software that provides the cloud services catalog, with APIs toward both the user interface and the virtualization systems. This interface software reacts to user requests by calling the virtualization software's APIs to create, move or remove virtual machines. In addition, a cloud team of server, virtualization and network engineers can collect usage statistics and update the catalog accordingly, testing and adding new services in the user interface.
Public Cloud

In a private cloud, the cloud provider and the cloud user are part of the same company. In a public cloud the opposite applies: the public cloud provider sells its services to any user in any company. Figure 44-7 shows the public cloud workflow.

Figure 44-7 Public Cloud Provider in the Internet

Cloud and the "as a Service" Model

Three models are most common in cloud computing today:

✓ Infrastructure as a Service (IaaS)
✓ Software as a Service (SaaS)
✓ (Development) Platform as a Service (PaaS)

Figure 44-8 IaaS Concept
Figure 44-9 SaaS Concept
Figure 44-10 PaaS Concept
Chapter 14 Network Automation
■ Controller-Based Networks
■ Cisco Software-Defined Access (SDA)
■ Understanding REST and JSON
■ Understanding Ansible, Puppet, and Chef

Controller-Based Networks
■ SDN and Controller-Based Networks
■ Controllers and Software-Defined Architecture
■ Network Programmability and SDN Examples
SDN and Controller-Based Networks

Software-Defined Networking (SDN)

In this chapter we cover the most basic concepts of SDN and network programmability. We start by separating the functions found in traditional network devices into planes, then look at how a network can be managed more easily with central management software called a controller.

Data, Control, and Management Planes

First, let's talk about the functions in network devices. Routers and switches, for example, are connected to each other by cables and wireless links to form a network. Switches forward Ethernet frames; routers forward IP packets. They use many different protocols, such as routing protocols, to learn network-layer routes.

Each function a network device performs can be placed in a particular plane. There are three: the data plane, the control plane and the management plane.

Data Plane

The term data plane refers to the tasks a network device performs to forward a message. In other words, everything the device does to receive, process and forward a message is part of the data plane.

As an example, consider how routers forward IP packets, as shown in Figure 45-1, thinking in terms of Layer 3 logic:

Step 1: The host sends the packet to its default router, R1.
Step 2: R1 does some processing on the received packet, makes a forwarding decision and forwards the packet.
Steps 3 and 4: Routers R2 and R3 also receive, process and forward the packet.

All of this takes place in the data plane of each router.

Figure 45-1 Data Plane Operations on a Router
Let's look at some of the functions commonly performed in the data plane of network devices:

■ De-encapsulating and re-encapsulating a packet in an Ethernet frame (routers and Layer 3 switches)
■ Adding or removing 802.1Q trunk headers (routers and switches)
■ Matching the destination MAC address of an Ethernet frame against the MAC address table (Layer 2 switches)
■ Matching the destination IP address of an IP packet against the IP routing table (routers and Layer 3 switches)
■ Encrypting data and adding a new IP header (for VPN operations)
■ Changing the source or destination IP address (for NAT)
■ Discarding a message because of a filter (ACLs and port security)

All the actions in the list belong to the data plane, because the data plane contains every action taken per message.

Control Plane

The term control plane refers to any action that controls the data plane. You already know many control plane protocols; for example, all IP routing protocols work in the control plane.

Traditional networks use both a distributed data plane and a distributed control plane. In other words, every device has its own data plane and its own control plane. Figure 45-2 shows the data plane and control plane in routers.

Figure 45-2 Working Logic of Control and Data Plane Stages in a Router

In the figure, OSPF, a control plane protocol, runs on all the routers. It adds, removes and changes routes in the IP routing table of each router. Once valid routes are determined, the data plane can forward incoming packets. The following list includes most of the common control plane protocols:

■ Routing protocols: OSPF, EIGRP, RIP, BGP
■ IPv4 ARP
■ IPv6 Neighbor Discovery Protocol (NDP)
■ MAC address learning in switches
■ STP
Management Plane

The control plane directly affects the behavior of the data plane. The management plane does not; instead, it includes the protocols that let us manage network devices. Telnet and SSH are management plane protocols. Figure 45-3 shows some of the management plane protocols.

Figure 45-3 Working Logic of Control and Data Plane Stages in a Router
Controllers and Software-Defined Architecture

New approaches to networking emerged in the 2010s, most of them moving control plane functionality into a piece of software called a controller that runs as a central application.

Central Management with Controllers

Most traditional control plane operations use a distributed architecture. For example, each router runs its own OSPF routing process, and these distributed control plane processes exchange messages, such as OSPF protocol messages, with one another. As a result, traditional networks are said to use a distributed control plane.

There are pros and cons to using a distributed or a centralized architecture for any function in a network. Many control plane functions have a long history of working well in a distributed architecture. However, a centralized application can be easier to write than a distributed one, because the centralized application has all the data in one place. The emerging world of software-defined architectures uses a centralized architecture with a central control plane at its foundation, called the controller.

A controller centralizes control of the network devices in an SDN. The degree and type of control vary greatly. At one extreme, the controller performs all control plane functions, replacing the distributed control plane of the devices. Alternatively, the controller can manage the ongoing operation of the distributed data, control and management planes without changing the way the devices operate. Many variations exist between these two.

To better understand the idea of a controller, consider the special case in Figure 45-4, where an SDN controller centralizes all the important control plane functions. First, the controller connects to the network so that it can reach the devices. Each network device still has a data plane, but the control plane functions of the devices are now performed by the controller, which programs the devices' data plane entries directly. The network devices no longer populate their routing tables through traditional distributed control plane operations.

Figure 45-4 Centralized Control Plane and a Distributed Data Plane
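The split between the two planes is easier to see in code than in prose. The Python below is an added example, not code from this book or from any router or controller product, serving both the data plane function list earlier in this chapter (matching the destination IP address against the routing table) and the centralized model of Figure 45-4: the `install` and `withdraw` methods are the control plane side, which is the part an SDN controller takes over through the SBI, and `lookup` is the per-packet data plane side, a longest-prefix match that never changes the table. The prefixes, next hops and interface names are constructed for illustration.

```python
import ipaddress

class ForwardingTable:
    """A router's IP forwarding table, split into its two planes.

    Control plane side (install / withdraw): entries are written by whatever
    learns routes, OSPF on the box or, in the model of Figure 45-4, an SDN
    controller over the SBI.
    Data plane side (lookup): per-packet longest-prefix match only; it never
    modifies the table.
    """

    def __init__(self):
        # (network, next_hop, out_interface), kept longest prefix first
        self._routes = []

    def install(self, prefix: str, next_hop: str, out_interface: str) -> None:
        net = ipaddress.ip_network(prefix, strict=True)
        self.withdraw(prefix)                       # replace rather than duplicate
        self._routes.append((net, next_hop, out_interface))
        self._routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def withdraw(self, prefix: str) -> bool:
        net = ipaddress.ip_network(prefix, strict=True)
        before = len(self._routes)
        self._routes = [r for r in self._routes if r[0] != net]
        return len(self._routes) != before

    def lookup(self, dst_ip: str):
        """Return (next_hop, out_interface) for the most specific matching
        route, or None when nothing (not even a default route) matches."""
        addr = ipaddress.ip_address(dst_ip)
        for net, next_hop, out_interface in self._routes:
            if addr.version == net.version and addr in net:
                return next_hop, out_interface
        return None                                 # no route: packet is dropped

def r1_forwarding_demo() -> dict:
    """Assumed table for R1 in Figure 45-1: a /16 toward R2, a more specific
    /24 toward R3, and a default route. All addresses are constructed."""
    fib = ForwardingTable()
    fib.install("10.1.0.0/16", "10.0.12.2", "Gi0/1")
    fib.install("10.1.3.0/24", "10.0.13.3", "Gi0/2")
    fib.install("0.0.0.0/0", "203.0.113.1", "Gi0/0")
    results = {
        "10.1.3.7": fib.lookup("10.1.3.7"),          # /24 beats /16
        "10.1.9.9": fib.lookup("10.1.9.9"),          # only the /16 matches
        "198.51.100.5": fib.lookup("198.51.100.5"),  # falls to the default route
    }
    fib.withdraw("10.1.3.0/24")                      # control plane removes a route
    results["10.1.3.7 after withdraw"] = fib.lookup("10.1.3.7")
    return results
```

Whether the entries come from OSPF adjacencies or from a controller, the lookup code is identical; that is exactly why the data plane can stay on the device while the control plane moves.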


Southbound Interface

In a controller-based network architecture, the controller must communicate with the network devices. In most network and architecture drawings, those devices sit below the controller, as in Figure 45-4. The interface between the controller and the devices, being at the bottom of the drawing, came to be known as the Southbound Interface (SBI).

An SBI usually contains a protocol so that the controller and the devices can communicate, and often also includes an application programming interface (API). An API is a method for one application (program) to exchange data with another. Programs process data, so an API lets two programs exchange data. While a protocol usually exists as a document from a standards body, an API exists as usable code (functions, variables and data structures) that a program can call to send and receive structured data to and from another program across a network.

The SBI is therefore the interface between the controller and the network devices: it lets the two programs communicate, and its purpose is to allow the controller to program the data plane forwarding tables of the network devices.
Northbound Interface

In a centralized control model, the controller does most of the work required for the control plane and gathers all sorts of useful information about the network. The controller can act as a central repository for that information. The following list shows the kinds of information a controller collects about the network:

■ List of all devices on the network
■ Capabilities of each device
■ Interfaces/ports on each device
■ Current status of each port
■ Topology: which devices are connected to which interfaces
■ Device configuration: IP addresses, VLANs, and so on

A controller opens a Northbound Interface (NBI) so that its data and functions can be used by other programs, enabling much faster network programmability. Programs retrieve information through the controller's APIs. NBIs also let programs use the controller's capabilities to program flows into devices through the controller's SBIs.

To see where the NBI sits, first consider the controller itself. A controller is software that runs on a VM or a physical server. An application can run on the same server as the controller and use an API, the NBI, so that the two programs can communicate. Figure 45-5 shows just such an example. The large box represents the system where the controller software runs. This controller is Java-based software with a native Java API. The controller vendor, another company, or anyone else can write an application that runs on the same operating system and uses the controller's Java API. By exchanging data with the controller through this API, the application can learn the information the controller holds about the network.

Figure 45-5 Java API: Java Applications Communicate with the Controller
Network Programmability and SDN Examples

This section looks at three different SDN and network programmability solutions:

• OpenDaylight Controller
• Cisco Application Centric Infrastructure (ACI)
• Cisco APIC Enterprise Module (APIC-EM)

OpenDaylight and OpenFlow

Open SDN comes from the Open Networking Foundation (ONF). ONF (www.opennetworking.org) acts as a consortium of users (operators) and vendors that helps establish SDN in the marketplace. Its purpose is to help people implement their SDN vision using SBIs and NBIs.

The ONF model of SDN features OpenFlow. OpenFlow defines a controller concept with an IP-based SBI between the controller and the network devices, and it defines a standard abstraction of a switch's capabilities based on the ASICs and TCAMs commonly used in switches today.

The Open SDN model centralizes most control plane functions: the controller controls the network, and all applications use the controller's NBIs. A drawing of network devices stripped of their control plane functions, as in Figure 45-4, represents this centralized OpenFlow model of SDN.

In the OpenFlow model, applications can use whatever NBIs their controller supports to dictate which forwarding table entries are added to devices, but the network devices must support OpenFlow.
OpenDaylight Controller

OpenDaylight is one of the most successful SDN controller platforms to emerge from the consolidation of the 2010s, as an open source SDN controller. Any vendor can use the open source controller as the basis for its products and focus on product differentiation rather than core features.

As a result, the OpenDaylight SDN controller (www.opendaylight.org) was born in the mid-2010s. OpenDaylight (ODL) started as a separate project but is now maintained as a project under the Linux Foundation. Figure 45-6 shows a generalized version of the ODL architecture.

Figure 45-6 Architecture of NBI, Controller Internals, and SBI to Network Devices

Cisco Open SDN Controller (OSC)

In the 2010s, Cisco released a commercial version of the OpenDaylight controller called the Cisco Open SDN Controller (OSC). This controller was based on the model developed by the ODL project.

Cisco no longer makes or sells the Cisco OSC; I mention it briefly here for background.
Cisco Application Centric Infrastructure (ACI)

As Cisco redesigned networking for the data center, the ACI designers focused on the applications running in the data center and what those applications need, and built the networking concepts around application architectures. Cisco made its network infrastructure application-centric; hence Cisco's SDN data center solution is called Application Centric Infrastructure (ACI).

ACI Physical Design: Spine and Leaf

Cisco ACI uses a specific physical switch topology called spine and leaf. With ACI, the physical network contains a set of spine switches and a set of leaf switches, as shown in Figure 45-7.

Figure 45-7 Spine-Leaf Network Design

■ Each leaf switch must be connected to each spine switch.
■ Each spine switch must be connected to each leaf switch.
■ Leaf switches cannot be interconnected.
■ Spine switches cannot be interconnected.
■ Endpoints connect to leaf switches only.
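The five rules above are easy to state and easy to violate in a cabling plan. The Python below is an added example, not code from this book or from Cisco ACI: it takes a proposed fabric as a list of links and reports every rule violation, treating any node that is neither a spine nor a leaf as an endpoint. The switch and host names are constructed.

```python
from itertools import combinations

def check_spine_leaf(spines, leaves, links):
    """Return a list of human-readable violations of the spine-leaf rules.
    spines, leaves: iterables of switch names.
    links: iterable of (a, b) pairs describing cables (direction irrelevant).
    Any node that is neither a spine nor a leaf is treated as an endpoint."""
    spines, leaves = set(spines), set(leaves)
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    problems = []
    # Rules 1 and 2: every leaf must reach every spine (a full bipartite mesh).
    for leaf in sorted(leaves):
        for spine in sorted(spines):
            if spine not in adj.get(leaf, ()):
                problems.append(f"missing link {leaf} <-> {spine}")
    # Rule 3: no leaf-to-leaf links.
    for a, b in combinations(sorted(leaves), 2):
        if b in adj.get(a, ()):
            problems.append(f"leaf-to-leaf link {a} <-> {b}")
    # Rule 4: no spine-to-spine links.
    for a, b in combinations(sorted(spines), 2):
        if b in adj.get(a, ()):
            problems.append(f"spine-to-spine link {a} <-> {b}")
    # Rule 5: endpoints attach to leaves only.
    for node in sorted(adj):
        if node in spines or node in leaves:
            continue
        for peer in sorted(adj[node]):
            if peer not in leaves:
                problems.append(f"endpoint {node} attached to non-leaf {peer}")
    return problems

# Constructed fabrics: one correct, one with three cabling mistakes.
GOOD_FABRIC = dict(
    spines=["S1", "S2"], leaves=["L1", "L2", "L3"],
    links=[("L1", "S1"), ("L1", "S2"), ("L2", "S1"), ("L2", "S2"),
           ("L3", "S1"), ("L3", "S2"), ("H1", "L1"), ("H2", "L3")],
)
BAD_FABRIC = dict(
    spines=["S1", "S2"], leaves=["L1", "L2", "L3"],
    links=[("L1", "S1"), ("L1", "S2"), ("L2", "S1"), ("L2", "S2"),
           ("L3", "S1"),                      # L3 <-> S2 is missing
           ("L1", "L2"),                      # leaves cabled to each other
           ("H3", "S1")],                     # a host on a spine
)

def demo():
    return check_spine_leaf(**GOOD_FABRIC), check_spine_leaf(**BAD_FABRIC)
```

Running the checker against the intended design before the cabling contractor starts, and again against the link table discovered by the controller afterwards, catches the mistakes that otherwise appear as unexplained asymmetric paths.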


Cisco APIC Enterprise Module (APIC-EM)

When Cisco began bringing its new network designs to enterprises, it faced a major hurdle: most of the existing devices in customer networks had no support for the new SDN southbound interfaces, so a centralized SDN solution could not be deployed on them. The APIC-EM product was developed to address this.

APIC-EM Basics

When Cisco introduced its first enterprise SDN (network programmability) solution, it rejected the idea of customers replacing all their hardware with SDN-capable products. Instead, it looked for ways to add the benefits of SDN, using a central controller, without replacing the existing devices. The Cisco APIC-EM product offered an enterprise SDN solution without changing the devices in existing networks.

What advantages can a controller-based architecture offer if the devices in the network have no new SDN features? It can provide the applications shown in Figure 45-8.

Figure 45-8 APIC-EM Controller Model

■ Topology Map: discovers and displays the topology of the network.
■ Path Trace: the user supplies a source and a destination, and the application shows the path through the network with forwarding details at each hop.
■ Plug and Play: lets you take a new device out of the box and make it IP-reachable through automation in the controller.
■ Easy QoS: with a few simple steps in the controller, you can configure complex QoS features on each device.

Cisco announced the end of sale for APIC-EM in 2019. Many of its functions have become key features of Cisco DNA Center (DNAC).
Software-Defined Access (SDA)
■ SDA Fabric, Underlay, and Overlay
■ DNA Center and SDA Operation
■ DNA Center as a Network Management Platform

SDA Fabric, Underlay, and Overlay

Cisco Software-Defined Access (SDA) is a completely new way to build campus LANs compared with traditional networking methods. Cisco began redesigning campus LANs with SDA in the mid-2010s.

SDA uses a software-defined architecture model with a controller and various APIs. A physical network is still used, with switches, routers, cables and various endpoints. As shown in Figure 46-1, the Digital Network Architecture (DNA) Center software becomes the central controller, and automation is provided through a graphical user interface (GUI) and APIs. In short, DNA Center is the controller of SDA networks.

Architecturally, the southbound side of the controller includes the fabric, the underlay and the overlay:

Overlay: VXLAN tunnels are created between the SDA switches, and the fabric uses these tunnels to move traffic from one device to another.

Underlay: The underlay uses the wired and wireless connections to dynamically discover all SDA-capable devices and provide IP connectivity between them, as part of the process of creating the VXLAN tunnels.

Fabric: The combination of overlay and underlay, which together provide all the features needed to carry data across the network.

Figure 46-1 DNA-Centered SDA Architecture Model


SDA Underlay

The SDA underlay provides connectivity between the switches in the SDA environment so that the VXLAN tunnels of the overlay can be built on top of it. The underlay uses the wired and wireless connections that make up the physical network.

Using Existing Devices for SDA Underlay

Companies have two basic options for building an SDA underlay. They can reuse the existing campus network, or they can buy new switches, build the SDA network alongside the old one without risk to existing traffic, and migrate endpoints to it over time.

Using New Devices for SDA Underlay

Buying new devices for the SDA fabric avoids many of the difficulties of reusing existing devices. You can order compatible hardware and software and let DNA Center configure all the underlay features automatically.

SDA Overlay

First, an endpoint sends a frame to be delivered across the SDA network. The first SDA switch to receive the frame encapsulates it using a tunneling feature called VXLAN and forwards it. The other SDA switches forward the packet according to the VXLAN tunnel details. The final SDA switch removes the VXLAN encapsulation and forwards the original frame to the destination endpoint.

Figure 46-3 Basics of VXLAN Encapsulation in SDA

For this to work, the underlay must first give every switch an IP address; this example uses the 172.16.0.0/16 IPv4 address space. The figure below shows a small SDA design with four switches, each with its underlay IP address (from 172.16.0.0/16).
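As an added example (not code from this book or from Cisco SDA) of the VXLAN encapsulation that Figure 46-3 describes, the Python below builds and parses the 8-byte VXLAN header defined in RFC 7348 around a constructed Ethernet frame, and records the outer addressing that a tunnel endpoint (VTEP) takes from the underlay. The VTEP addresses 172.16.1.1 and 172.16.1.2, the VNI 5001 and the frame contents are assumed for illustration.

```python
import struct

VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08              # "I" flag: the VNI field is valid
VXLAN_HEADER_LEN = 8

def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed inner frame: 6-byte DST MAC, 6-byte SRC MAC, 2-byte EtherType, payload."""
    if len(dst_mac) != 6 or len(src_mac) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def vxlan_encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """UDP payload the ingress VTEP sends: VXLAN header then the untouched
    original frame. Header layout: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)
    return header + inner_frame

def vxlan_decapsulate(udp_payload: bytes):
    """Egress VTEP side: validate the header and return (vni, original_frame).
    Reserved fields are ignored on receipt, as RFC 7348 requires; a clear
    I flag means the VNI is not valid and the packet must be dropped."""
    if len(udp_payload) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI-valid (I) flag not set")
    return vni_field >> 8, udp_payload[VXLAN_HEADER_LEN:]

def tunnel_packet(ingress_vtep: str, egress_vtep: str, vni: int, inner_frame: bytes) -> dict:
    """Describe the outer packet. The outer IP addresses are the VTEPs'
    underlay addresses (assumed here from the 172.16.0.0/16 space used in
    the text); the outer UDP destination port is 4789."""
    payload = vxlan_encapsulate(inner_frame, vni)
    return {
        "outer_src_ip": ingress_vtep,
        "outer_dst_ip": egress_vtep,
        "udp_dst_port": VXLAN_UDP_PORT,
        "udp_payload": payload,
        "overhead_bytes": len(payload) - len(inner_frame),
    }

def demo() -> tuple:
    """Round-trip a constructed frame through an assumed VNI 5001 tunnel.
    Returns (vni seen at the egress VTEP, frame unchanged?, VXLAN overhead)."""
    frame = build_ethernet(bytes.fromhex("001122334455"),
                           bytes.fromhex("66778899aabb"),
                           0x0800, b"constructed IPv4 packet bytes")
    pkt = tunnel_packet("172.16.1.1", "172.16.1.2", 5001, frame)
    vni, recovered = vxlan_decapsulate(pkt["udp_payload"])
    return vni, recovered == frame, pkt["overhead_bytes"]
```

Two practical points follow from the layout. The 8-byte VXLAN header plus the outer Ethernet, IP and UDP headers add 50 bytes to every frame, so the underlay MTU must be raised accordingly. And VXLAN itself carries no authentication: any host that can deliver UDP/4789 to a VTEP's underlay address could inject frames into a VNI, so the underlay must drop such traffic from untrusted ports.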


DNA Center and SDA Operation

Cisco DNA Center (www.cisco.com/go/dnacenter) has two important roles in our networks:

• Acting as the controller in a network that uses Cisco SDA.
• Acting as a network management platform for traditional (non-SDA) network devices.

Cisco DNA Center

Cisco DNA Center supports several southbound APIs so that it can communicate with the devices it manages. Think of them in two categories:

• Protocols supporting traditional network devices and software versions: Telnet, SSH, SNMP
• Protocols supporting newer network devices and software versions: NETCONF, RESTCONF

Figure 46-4 Cisco DNA Center with Northbound and Southbound Interfaces

Cisco DNA Center needs the legacy protocols to support the many older Cisco devices and operating system versions still in use. Over time, Cisco is adding NETCONF and RESTCONF support to its more current hardware and software. Note that Telnet, and SNMP versions 1 and 2c, send credentials and community strings in cleartext across the management network; wherever a device supports it, prefer SSH and SNMPv3 for the southbound connection.
DNA Center as a Network Management Platform

The Cisco Prime Infrastructure (PI) product (www.cisco.com/go/primeinfrastructure) is used to manage traditional enterprise networks and has been used for network management in companies for many years. It includes the following features:

■ All PI functions and features are available through a single GUI.
■ Discovers network devices, builds an inventory and creates a topology map of them.
■ Supports traditional enterprise LAN, WAN and data center management functions.
■ Uses SNMP, SSH and Telnet, as well as CDP and LLDP, to learn information about the devices on the network.
■ Simplifies QoS configuration on each device.
■ Manages both wired and wireless networks from the same platform.
■ Manages the software on network devices and automates updates.
■ Performs the initial setup of new network devices once the device is physically installed, cabled and powered on.

PI itself runs as an application on a server platform, with GUI access through a web browser. The PI server can be bought from Cisco as a software package to install on your own servers or as a physical appliance.

Similarities of DNA Center to Traditional Management

Many DNA Center features resemble traditional management software. For example, both can discover network devices and create a network topology map.

As an example, Figure 46-5 shows a network topology map in DNA Center. Both PI and DNA Center can run a discovery process to find all the devices on the network and then build topology maps of them. (Interestingly, DNA Center can work with PI and use the data PI discovered instead of running discovery again.)

Figure 46-5 DNA Center Topology Map

The GUI is relatively intuitive, with the ability to click through to more or less detail. Figure 46-6 shows a little more detail after clicking one of the switches in the topology of Figure 46-5.

Figure 46-6 Details About a Cisco 9300 Switch from DNA Center

I recommend spending some time using Cisco DNA Center and watching some videos about it. You can find Cisco DNA Center virtual labs to practice with at https://developer.cisco.com.
Differences Between Traditional Management and DNA Center

Broadly speaking, there are a few key differences between Cisco DNA Center and traditional network management platforms such as Cisco PI. The biggest: Cisco DNA Center supports SDA, while other management applications do not. Cisco PI still has some traditional management features not found in DNA Center. So while DNA Center focuses on forward-looking features such as SDA support and already has many of the traditional features, PI is still used extensively for traditional device management.

By improving DNA Center's features, Cisco aims to simplify the work done by businesses and make changes faster and at lower cost. DNA Center makes initial setups easier, simplifies the implementation of features that demand complex configuration, and helps you spot problems faster.

Some of the Cisco DNA Center-specific features include:

■ EasyQoS: QoS, which is complicated to configure manually, can be set up with just a few simple options in DNA Center.
■ Encrypted Traffic Analytics: DNA Center can apply different algorithms to recognize security threats even in encrypted traffic.
■ Device health: comprehensive information about the health status of devices.
■ Network Time Travel: shows historical client performance on a timeline so you can compare it with current behavior.

Note: Cisco intends to keep expanding DNA Center's traditional network management features, compared with Cisco PI, to the point where DNA Center can replace PI.
Understanding REST and JSON
■ REST-Based APIs
■ REST APIs and HTTP
■ Data Modeling and JSON
■ Interpreting JSON

REST-Based APIs

Applications use application programming interfaces (APIs) to communicate. Through an API, a program can read the variables and data structures used by another program, make logical choices based on those values, change the values, create new variables and delete variables. APIs allow programs running on different computers to work together and exchange data to achieve a goal.

In the API software world, some applications provide an API, and many other applications use that API. Software developers add APIs to their software so that other applications can take advantage of the first application's features. A developer still writes code, but by using APIs that provide data and functions, the developer can do more while writing less new code.

REST-Based (RESTful) APIs

REST APIs follow a set of ground rules that define what is and is not a REST API. These are the six properties defined by Roy Fielding, the creator of REST. (A good summary is at https://restfulapi.net.) The six properties are:

■ Client/server architecture
■ Stateless operation
■ Clear statement of cacheable/uncacheable
■ Uniform interface
■ Layered
■ Code-on-demand

The first three form the basis of how a REST API works, and they are the easiest to see when working with networking REST APIs, so let's look at those three.
Client/Server Architecture

Like many applications, REST applications use a client/server architectural model. First, an application developer creates a REST API, which acts as the REST server while the application runs. Any other application can then act as a REST client by running some code that makes a REST API call, causing a request to flow from the client to the server. For example, in Figure 47-1:

1- The REST client on the left sends a REST API call (a request message) to the REST server.
2- The REST server on the right holds the API code that considers the request and decides how to respond.
3- The REST server returns a reply message that carries the appropriate data variables.

Figure 47-1 Client / Server Operation with REST

Stateless Operation

The stateless nature of REST APIs means that the REST server does not save and use information about earlier API calls when handling subsequent ones; each request must carry everything the server needs to process it.

For comparison, TCP uses a stateful approach, while UDP uses stateless processing. A TCP connection requires the endpoints to initialize variables at each end, update these variables over time, and use these variables for subsequent TCP messages. For example, TCP uses sequence numbers and acknowledgment numbers to manage the flow of data in a TCP connection.

Cacheable (or Not)

To understand what the word cacheable means, consider what happens when you browse a website. When your browser loads a new web page, the page contains various objects (text, images, videos, audio). Some objects rarely change, so it is better to download the object once and not download it again; in this case, the server marks the object as cacheable. For example, a logo or other image displayed on many pages of a website hardly ever changes and can be cached. However, the product list returned by your most recent website search should not be cached, because the server will want to provide an updated list each time you request the page.
REST APIs and HTTP

APIs are used to allow two programs to exchange data. Some APIs are designed as an interface between programs running on the same computer, so that communication between the programs takes place within a single operating system. Many APIs, however, must be available to programs running on other computers, so the API must define which network protocols it supports; many REST-based APIs use the HTTP protocol.

Developers of REST-based APIs often choose HTTP because the logic of HTTP matches several of the concepts that define REST APIs more generally. HTTP follows the same principles as REST: it works with a client/server model, it uses a stateless operation model, and it includes headers that mark objects as cacheable or non-cacheable.

Software CRUD Actions and HTTP Verbs

The software industry uses CRUD, a catchy acronym for the four main actions performed by an application. These actions are:

Create: Allows the client to create some new variables and data structures on the server and initialize the values held on the server.
Read: Retrieves a copy of the variable structures and values from the server into the client, allowing it to read the current value of the variables on the server.
Update: Allows the client to change (update) the value of variables located on the server.
Delete: Allows the client to delete specific instances of data variables from the server.

For example, if you are using the DNA Center controller's northbound REST API, you might want to create something new, like a new security policy. From a programming perspective, the security policy exists as a set of configuration settings in the DNA Center controller, represented internally by variables. To add the policy, a REST client application performs a create action through the DNA Center RESTful API, which creates the corresponding variables on the controller. In other words, creating new configuration in the controller is done via the API using CRUD actions.

HTTP works well with REST in part because HTTP has verbs that match the common program actions in the CRUD paradigm. Table 47-1 lists the HTTP verbs and the CRUD actions they correspond to.

Table 47-1 Comparing CRUD Actions to REST Verbs
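The three REST properties above (client/server, stateless, cacheable) and the CRUD-to-verb mapping are easiest to see in a tiny server-side dispatcher. The following is an added example, not code from this book or from Cisco DNA Center: it keeps an in-memory store of a hypothetical "security-policy" resource (the resource name, its fields and the 60-second cache lifetime are assumptions) and decides every response from the method, path and body of the current request alone, so nothing about a client's earlier calls is remembered, which is what stateless means in practice.

```python
"""Minimal in-memory REST API server logic (added example, not the book's code).

Each request carries everything the server needs (stateless); the server keeps
the resources themselves, not any per-client conversation state. HTTP verbs map
onto CRUD actions, and responses carry Cache-Control headers to say what a
client may cache. The 'security-policy' resource is a constructed example.
"""
import json
from typing import Any, Optional

# Server-side resource store: the resources live here, but nothing about any
# particular client's previous requests does.
_store: dict[str, dict[int, dict[str, Any]]] = {"security-policy": {}}
_next_id = {"security-policy": 1}

# CRUD action -> HTTP verb. This is the standard REST pairing.
CRUD_TO_VERB = {"create": "POST", "read": "GET", "update": "PUT", "delete": "DELETE"}
VERB_TO_CRUD = {verb: action for action, verb in CRUD_TO_VERB.items()}


def _parse_path(path: str) -> tuple[str, Optional[int]]:
    """'/security-policy/3' -> ('security-policy', 3); '/security-policy' -> (..., None)."""
    parts = [p for p in path.strip("/").split("/") if p]
    if not parts or parts[0] not in _store:
        raise KeyError(path)
    rid = int(parts[1]) if len(parts) > 1 else None
    return parts[0], rid


def handle_request(method: str, path: str, body: Optional[str] = None) -> tuple[int, dict[str, str], str]:
    """Dispatch one HTTP request and return (status, headers, JSON body).

    The function keeps no memory between calls: every decision is made from
    this request plus the current contents of the resource store.
    """
    headers = {"Content-Type": "application/json"}
    try:
        collection, rid = _parse_path(path)
    except (KeyError, ValueError):
        return 404, headers, json.dumps({"error": "unknown resource"})
    action = VERB_TO_CRUD.get(method)
    if action is None:
        return 405, headers, json.dumps({"error": "method not allowed"})
    table = _store[collection]

    if action == "create":
        if rid is not None:
            return 405, headers, json.dumps({"error": "POST to the collection, not an item"})
        obj = json.loads(body or "{}")
        new_id = _next_id[collection]
        _next_id[collection] += 1
        table[new_id] = obj
        headers["Location"] = f"/{collection}/{new_id}"   # where the new item now lives
        return 201, headers, json.dumps({"id": new_id, **obj})

    if action == "read":
        if rid is None:
            # The listing changes whenever any policy changes: tell caches not to keep it.
            headers["Cache-Control"] = "no-store"
            return 200, headers, json.dumps([{"id": i, **o} for i, o in table.items()])
        if rid not in table:
            return 404, headers, json.dumps({"error": "not found"})
        # A single policy changes rarely here, so allow short-lived caching (assumed lifetime).
        headers["Cache-Control"] = "max-age=60"
        return 200, headers, json.dumps({"id": rid, **table[rid]})

    if rid is None or rid not in table:
        return 404, headers, json.dumps({"error": "not found"})
    if action == "update":
        table[rid] = json.loads(body or "{}")
        return 200, headers, json.dumps({"id": rid, **table[rid]})
    del table[rid]                                          # action == "delete"
    return 204, headers, ""


def demo_crud_cycle() -> list[int]:
    """Create, read, update and delete one policy; return the HTTP status codes seen."""
    codes = []
    status, hdrs, _ = handle_request(
        "POST", "/security-policy", json.dumps({"name": "deny-telnet", "action": "deny"}))
    codes.append(status)
    item = hdrs["Location"]
    codes.append(handle_request("GET", item)[0])
    codes.append(handle_request("PUT", item, json.dumps({"name": "deny-telnet", "action": "permit"}))[0])
    codes.append(handle_request("DELETE", item)[0])
    codes.append(handle_request("GET", item)[0])            # the item is gone now
    return codes


if __name__ == "__main__":
    print(demo_crud_cycle())   # [201, 200, 200, 204, 404]
```

Note how the last GET fails with 404 even though the same client created the item moments earlier: the server consulted only its store, never a record of the conversation. A real controller would also authenticate each request (for example with a token header), again carried on every call rather than remembered.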


Data Modeling and JSON

Data modeling languages provide methods for using text to define variables, so that the text can be sent over a network or stored in a file. Data modeling languages give us a way to represent variables as text rather than in the internal representation used by any particular programming language.

Every data modeling language enables an API server to return data in a form that lets the API client reproduce the same variable names and data structures that exist on the API server. To describe data structures, data modeling languages contain special characters and rules that convey ideas such as list variables, dictionary variables, and other, more complex data structures.

Data Modeling Languages

JSON

JavaScript Object Notation (JSON) tries to strike a balance between human and machine readability. JSON data is easy for programs to convert into variables, which makes it very useful for exchanging data between applications that use APIs.

You can find details of JSON in IETF RFC 8259 and at a number of Internet sites, including www.json.org.

Example 47-1 JSON Output from a REST API Call

XML

Extensible Markup Language (XML) was developed later, to improve on older markup languages. A markup language was needed that could define variables for use on a web page, and XML defines a markup language with many features for describing variables, values, and data structures.

Comparing XML with JSON, both try to be human readable, but XML is a bit harder to read. For example, like HTML, XML uses start and end tags for each variable, as shown in the figure below. The highlighted line defines a variable named macAddress, with its value placed between the <macAddress> and </macAddress> tags.
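To see the JSON/XML comparison on real data rather than a single tag, the following added example (not the book's code, and not output from any Cisco product) serializes the same constructed list of two interfaces, with the macAddress field the text mentions, both as JSON and as XML, and then parses both back. The interface names, MAC addresses and field names are made up for the example; it uses only the Python standard library.

```python
"""Same interface data as JSON and as XML (added example, not the book's code).

Constructed sample data: interface names, MAC addresses and field names are
invented for the example.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample: what a controller might return for two interfaces.
INTERFACES = [
    {"name": "GigabitEthernet0/1", "macAddress": "00:11:22:33:44:01", "mtu": 1500, "up": True},
    {"name": "GigabitEthernet0/2", "macAddress": "00:11:22:33:44:02", "mtu": 9000, "up": False},
]


def to_json(interfaces: list) -> str:
    """JSON keeps the types: numbers stay numbers, booleans stay booleans."""
    return json.dumps({"interfaces": interfaces}, indent=2)


def from_json(text: str) -> list:
    return json.loads(text)["interfaces"]


def to_xml(interfaces: list) -> str:
    """Every variable becomes a start tag, text and end tag, e.g. <macAddress>...</macAddress>."""
    root = ET.Element("interfaces")
    for intf in interfaces:
        node = ET.SubElement(root, "interface")
        for key, value in intf.items():
            child = ET.SubElement(node, key)
            # XML element text is just text: there is no native number or boolean type.
            child.text = "true" if value is True else "false" if value is False else str(value)
    return ET.tostring(root, encoding="unicode")


def from_xml(text: str) -> list:
    """Parse the XML back; types must be recovered by convention, unlike with JSON.

    xml.etree is fine for data you generated yourself. For XML received from an
    untrusted source, parse with a hardened parser (for example the defusedxml
    package) to avoid entity-expansion and external-entity problems.
    """
    result = []
    for node in ET.fromstring(text).findall("interface"):
        intf = {}
        for child in node:
            val = child.text or ""
            if val in ("true", "false"):
                intf[child.tag] = val == "true"
            elif val.isdigit():
                intf[child.tag] = int(val)
            else:
                intf[child.tag] = val
        result.append(intf)
    return result


def round_trip_equal(interfaces: list) -> bool:
    """True if both encodings reproduce the original variables and values."""
    return from_json(to_json(interfaces)) == interfaces and from_xml(to_xml(interfaces)) == interfaces


if __name__ == "__main__":
    print(to_json(INTERFACES))
    print(to_xml(INTERFACES))
    print(round_trip_equal(INTERFACES))
```

Compare the two outputs side by side: the JSON carries the MTU as the number 1500, while the XML carries only the text "1500", so the XML reader has to guess the type from the text. That is the practical reason JSON is the easier format for programs to exchange variables with.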
YAML (YAML Ain't Markup Language)

XML tries to define markup details, but YAML does not. Instead, YAML focuses on the details of the data model (the structure). YAML also tries to be clean and simple, and YAML data is the easiest to read of the data modeling languages.

Table 47-2 Comparing Data Modeling Languages

Example 47-2 YAML File Used by Ansible
Interpreting JSON

Even without knowing anything about JSON text, you can probably understand it from your previous knowledge of Cisco routers and switches. For instance, you can probably tell that the example below shows a list of interfaces on two devices.

Example 47-3 Simple JSON Listing Router Interfaces

Interpreting JSON Key:Value Pairs

Let's review the rules for key:value pairs in JSON, which you can think of as argument names and their values.

Key:Value Pair: Defines a key:value pair, with the key before the colon and the value after it.
Key: Text used as a name that refers to a value, enclosed in double quotes, before the colon.
Value: The element that represents the key's value, after the colon:
■ Text: Listed in double quotes.
■ Numeric: Listed without quotation marks.
■ Array: A special value, enclosed in [ ].
■ Object: A special value, enclosed in { }.
Multiple Pairs: When listing multiple key:value pairs, separate the pairs with a comma at the end of each pair (except the last pair).

To work with some of these rules, consider the JSON data of Example 47-4 and focus on its three key:value pairs. The text after the example analyzes it.

Example 47-4 One JSON Object (Dictionary) with Three Key:Value Pairs

As for the other special characters, watch out for commas and curly braces. The first two key:value pairs end with a comma, so each must be followed by another key:value pair. The curly braces that start and end the JSON data indicate a single JSON object.
Interpreting JSON Objects and Arrays

JSON uses objects and arrays to pass data structures that go beyond a key:value pair with a simple value. Objects can be somewhat flexible, but in most uses they act like a dictionary. Arrays list a series of values. Let's look at how to interpret JSON objects and arrays:

{ } - Object: Consists of key:value pairs (whose values may themselves be arrays or objects), enclosed in a pair of curly braces.
[ ] - Array: A series of values (not key:value pairs), enclosed in a pair of square brackets.
Key: All key:value pairs inside an object follow the rules of the previous section.
Values inside arrays: Follow the same rules as other values (for example, double quotes around text, no quotes around numbers).

Example 47-5 shows a single array in JSON format. Notice that the JSON data begins with a square bracket [ followed by a list of three text values. It then ends with a square bracket ].

Example 47-5 A JSON Snippet Showing a Single JSON Array (List)

Now consider the entire structure of the JSON data in Figure 47-4. It has a matching pair of curly braces that start and end the text and enclose an object. This object contains two colons, so there are two key:value pairs inside the object, and each value is a list.

Figure 47-4 Accurate/Complete JSON Data with One Object, Two Keys, Two JSON List Values
Shortened and Beautified JSON

JSON allows whitespace to be added or removed depending on your needs. For humans, JSON is much easier to read when the text is indented and aligned; for example, placing matching opening and closing braces at the same indentation makes it much easier to see which brace closes which. Removing all optional whitespace shortens the data without changing its meaning, as in this one-line object:

{"1stbest": "Messi", "2ndbest": "Ronaldo", "3rdbest": "Pele"}
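The interpretation rules of the last three sections (keys, text and numeric values, arrays, objects, and whitespace that may be added or stripped) can be checked mechanically. The following added example, which is not the book's code, walks a JSON document and names every element by its JSON type, and shows the same data in beautified and shortened form. It uses the one-line object above from the text, plus a constructed object with two keys whose values are lists, the shape described for Figure 47-4 (the key names and interface values are made up).

```python
"""Walk JSON data and name each element by its JSON type (added example).

COMPACT is the one-line object from the text; TWO_LISTS is constructed to have
one object, two keys and two list values, the shape of Figure 47-4.
"""
import json

COMPACT = '{"1stbest": "Messi", "2ndbest": "Ronaldo", "3rdbest": "Pele"}'

TWO_LISTS = """
{
  "response": ["Gi0/1", "Gi0/2", "Gi0/3"],
  "mtu": [1500, 9000, 1500]
}
"""


def describe(value, path="$") -> list:
    """Return one line per JSON element: a JSONPath-style location and its type."""
    lines = []
    if isinstance(value, dict):                      # { } object: key:value pairs
        lines.append(f"{path}: object with {len(value)} key:value pairs")
        for key, val in value.items():
            lines.extend(describe(val, f"{path}.{key}"))
    elif isinstance(value, list):                    # [ ] array: values only, no keys
        lines.append(f"{path}: array of {len(value)} values")
        for i, val in enumerate(value):
            lines.extend(describe(val, f"{path}[{i}]"))
    elif isinstance(value, bool):                    # checked before int: bool is an int in Python
        lines.append(f"{path}: boolean {str(value).lower()}")
    elif value is None:
        lines.append(f"{path}: null")
    elif isinstance(value, (int, float)):            # numeric: no quotes in the JSON text
        lines.append(f"{path}: number {value}")
    else:                                            # text: double quotes in the JSON text
        lines.append(f'{path}: text "{value}"')
    return lines


def describe_text(text: str) -> list:
    """Parse JSON text and describe it."""
    return describe(json.loads(text))


def count_pairs(text: str) -> int:
    """Number of key:value pairs in the top-level object (one per colon at that level)."""
    return len(json.loads(text))


def pretty(text: str) -> str:
    """Beautified form: indentation lines up matching braces and brackets."""
    return json.dumps(json.loads(text), indent=2)


def minify(text: str) -> str:
    """Shortened form: every optional space removed, same data."""
    return json.dumps(json.loads(text), separators=(",", ":"))


if __name__ == "__main__":
    print("\n".join(describe_text(TWO_LISTS)))
    print(pretty(COMPACT))
    print(minify(COMPACT))
```

Running it prints, for the two-list object, one object line, then each key with its array and the array's three values, which is exactly the reading the text describes: two colons at the top level, therefore two key:value pairs, each holding a list.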


Understanding Ansible, Puppet, and Chef

■ Ansible, Puppet and Chef Basics
■ Summary of Configuration Management Tools

Ansible, Puppet and Chef Basics


Ansible, Puppet, and Chef are configuration management software packages. There are paid and free versions of these tools, but you may need to run them on Linux, as some of them do not work on the Windows operating system.

All three tools emerged as part of the transition from hardware-based servers to virtualized servers. As the number of virtual servers began to increase, automation software was needed to create, configure and remove VMs.

Ansible

You can install Ansible (www.ansible.com) on a Linux VM running on a Mac, Linux or Windows host. You can use the free open source version or the paid Ansible Tower server version. Once Ansible is installed, you create several kinds of files, such as:

Playbooks: These files provide the actions and logic for what Ansible should do.
Inventory: These files provide device names along with information about each device, so Ansible can perform functions for subsets of the inventory.
Templates: Using the Jinja2 language, templates represent a device's configuration with variables.
Variables: Using YAML, a file can list variables that Ansible will substitute into templates.

Ansible uses an agentless architecture to manage network devices. That means Ansible does not rely on any code (agent) running on the network device. Instead, Ansible uses SSH or NETCONF to make changes and get information on network devices. When using SSH, Ansible makes changes on the device the same way a user would, but does the job with Ansible code instead of a human.

Ansible uses the push model, as shown in Figure 48-1, instead of the pull model (Puppet and Chef use the pull model). After installing Ansible, you create and edit playbooks and the other Ansible files.

Figure 48-1 Ansible Push Model
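The relationship between the inventory, the variables and the template is the part of Ansible that newcomers most often find abstract, so here is an added example that is not Ansible's code and not from this book. Ansible stores these in YAML files and renders templates with Jinja2; this stand-in keeps the same three pieces as Python data and uses the standard library's string.Template so it runs with no extra packages. The hostnames, addresses, group name and configuration lines are constructed sample data, chosen to resemble the lab addressing used later in the course.

```python
"""Render per-device configuration from inventory, variables and a template
(added example; Ansible itself uses YAML files and Jinja2 templates).

All hostnames, addresses and config lines below are constructed sample data.
"""
from string import Template

# Inventory: device names with connection details, grouped so a playbook can
# target only a subset (here the constructed group 'access').
INVENTORY = {
    "access": {
        "sw1": {"ansible_host": "192.168.10.101"},
        "sw2": {"ansible_host": "192.168.10.102"},
    },
}

# Variables: per-host values that get substituted into the template.
HOST_VARS = {
    "sw1": {"mgmt_vlan": 10, "mgmt_ip": "192.168.10.101", "ntp_server": "192.168.10.1"},
    "sw2": {"mgmt_vlan": 10, "mgmt_ip": "192.168.10.102", "ntp_server": "192.168.10.1"},
}

# Template: the device configuration with $variables where the values differ per device.
TEMPLATE = Template("""\
hostname $hostname
interface Vlan$mgmt_vlan
 ip address $mgmt_ip 255.255.255.0
ntp server $ntp_server
""")


def render(hostname: str) -> str:
    """Fill the template for one host; raises KeyError if a variable is missing."""
    values = {"hostname": hostname, **HOST_VARS[hostname]}
    return TEMPLATE.substitute(values)


def missing_variables(hostname: str, provided: dict) -> list:
    """Report template variables that the supplied host vars do not define.

    Ansible fails the task in that situation; checking first gives a clearer error.
    """
    missing = []
    values = {"hostname": hostname, **provided}
    while True:
        try:
            TEMPLATE.substitute(values)
            return missing
        except KeyError as exc:        # exc.args[0] is the name of the undefined variable
            name = exc.args[0]
            missing.append(name)
            values[name] = ""          # fill it so the next pass finds the next gap


def push(group: str) -> dict:
    """Push model: the control node renders every host's config and would send it over SSH.

    Here the rendered config lines are returned per host instead of being sent.
    """
    return {host: render(host).splitlines() for host in INVENTORY[group]}


if __name__ == "__main__":
    for host, lines in push("access").items():
        print(f"--- {host} ({INVENTORY['access'][host]['ansible_host']}) ---")
        print("\n".join(lines))
```

The control node holds all three pieces and initiates every session; the switches run nothing extra, which is the agentless, push-model point the text makes. Because the inventory and variables files contain management addresses and, in real deployments, credentials, they belong in version control with secrets kept encrypted (Ansible provides Vault for that purpose) rather than in plain text.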


Puppet

To use Puppet (www.puppet.com), you start by installing it on a Linux operating system. You can install it on your own Linux server for testing, but for normal use you install it on a Linux server called the Puppet master. As with Ansible, you can use the paid or the free version, and you can start learning and testing Puppet without a separate server.

Once installed, Puppet also uses several important text files with different components, such as:

Manifest: A text file on the Puppet master that describes the desired configuration state of a device in human-readable form.
Resource, Class, Module: These terms refer to the components of a manifest.
Templates: Using a Puppet-specific language, these files allow Puppet to create manifests (and their modules, classes, and resources) by substituting variables into the templates.

Puppet typically uses an agent-based architecture for network device support. Some network devices support Puppet through an agent that runs on the device itself. However, not every Cisco operating system supports a Puppet agent, so Puppet solves this problem with a proxy agent running on an external computer (the agentless option). The external agent then uses SSH to communicate with the network device, as shown in Figure 48-2.

Figure 48-2 Agent Based and Agent-less Puppet Operation
With the Puppet agent enabled on the device beforehand, Puppet uses a pull model to make the configuration appear on the device, as shown in Figure 48-3. Once everything is installed, these steps happen:

Step 1: You create and edit all the files on the Puppet server.
Step 2: You configure and enable the agent, or a proxy agent, for each device.
Step 3: The agent pulls the manifest details from the server, which tell the agent what its configuration should be.
Step 4: If the device configuration needs to be updated, the agent performs additional pulls to get all the necessary details and updates the device configuration.

Figure 48-3 Pull Model with Puppet

Chef

Chef (www.chef.io) is a software package that you install and run, like Ansible and Puppet. The Chef company has many products, while the Chef Automate software is what most people simply refer to as Chef. As with Puppet, you run Chef by installing its software on a server.

After installing the Chef software, you create several text files with different components, such as:

Resource: The configuration objects that Chef manages.
Recipe: The Chef logic that determines when and how to act on resources.
Cookbook: A set of recipes for the same type of work, grouped for easier management and sharing.
Runlist: An ordered list of recipes that should be run on a particular device.

Chef uses an architecture similar to Puppet's, running an agent on the network devices. Because many Cisco devices do not support a Chef client, Ansible and Puppet are used more often for network devices.
Summary of Configuration Management Tools

All three of the configuration management tools described here have a good user base and different strengths. Ansible is the most commonly used to manage the configuration of network devices, followed by Puppet and Chef. Ansible's agentless architecture and use of SSH let it support many Cisco devices, and Puppet's agentless model also provides broad support for Cisco devices.

Table 48-1 Comparison of Ansible, Puppet and Chef


Final

■ Course Summary with Physical Devices | Lab
■ Exam Question Examples
■ Exam Lab Examples
■ How to Take the Exam?

Course Summary with Physical Devices

Let's repeat some of the configurations that we have used most frequently on physical devices. The configurations we will repeat are:

1- CLI access and CLI security, Telnet and SSH
2- Switch interface configuration
3- VLAN creation and VLAN trunking
4- Static route, default route
5- Routing between VLANs
6- Switchport security
7- DHCP configuration, DHCP snooping and ARP inspection
8- NAT overload (PAT)
9- Cisco IOS config backup and deletion

Our Lab Topology

R1 Gi0/1 192.168.2.1 <-> D-Sw Fa0/1
D-Sw Fa0/1 192.168.2.2 <-> R1 Gi0/1
D-Sw Vlan 10 192.168.10.1
D-Sw Vlan 20 192.168.20.1
D-Sw Vlan 30 192.168.30.1
Sw-1 Vlan 10 192.168.10.101, connected to D-Sw Fa0/4
Sw-POE Vlan 10 192.168.10.102, connected to D-Sw Fa0/5
WLC Mngmt 192.168.20.254, connected to D-Sw Fa0/2
ESXi Mngmt 192.168.10.120, connected to D-Sw Fa0/3
Admin-YB Vlan 10, connected to Sw-1 Fa0/1
AP-1602 Vlan 20, connected to Sw-POE Fa0/1
AP-1240 Vlan 20, connected to Sw-POE Fa0/2
Exam Question Examples

https://learningnetwork.cisco.com/s/certification-exam-tutorials

1- Multiple-Choice Single Answer
2- Multiple-Choice Multiple Answer
3- Drag and Drop
4- Fill-in-the-Blank
5- Testlet
6- Simlet
7- Simulation

(Sample screens: Multiple-Choice Single Answer; Drag and Drop Answer; Multiple-Choice Multiple Answer)

How to Take the Exam?

https://home.pearsonvue.com/cisco.aspx

You can take the test at a Pearson VUE test center or at home.

The exam has an average of 55-65 questions.

The exam duration is 120 minutes.

Exam fee: 350 USD

Thank You.
For questions about the training, you can contact me in the Udemy question and answer section.

www.udemy.com
www.yavuzbulut.com
