
bugqueen, Networking and Communications
Oct 26, 2013

ROUTER COMPONENTS

RAM

Random-Access Memory serves the same function as RAM in a PC. This is where the IOS runs its processes. It also holds the running configuration, the routing and other tables, and the packet buffers.

ROM

This Read-Only Memory stores an older 'lite' IOS used to boot the router for the very first time, or when the Flash memory is erased or corrupted.

FLASH

This piece of 'flash-able' memory stores the IOS image, the operating system of the router.

NVRAM

Unlike normal RAM, Non-Volatile Random-Access Memory is a special type of memory that does not lose its content when the router's power is turned off.

It stores the startup configuration and the configuration register.


Config register

The NVRAM has a special location which contains the 16-bit configuration register. Every time the router boots it reads this value. The config-register value is a hexadecimal value ranging from 0x0000 to 0xFFFF and can be set using the config-register command.

The most important portion of the configuration register to understand for the exam is the boot field (bits 0 through 3, hexadecimal range 0x0000-0x000F). The boot field value specifies from where the IOS image should be loaded, or whether loading it should be skipped altogether during startup.

Boot field   Meaning

0x0          The router enters ROM monitor mode and remains at the system bootstrap prompt.

0x1          The IOS image stored in ROM is loaded.

0x2-0xF      The router boots as normal: it obeys any boot system commands in the startup configuration and otherwise loads the default (first) IOS image stored in Flash.

The other 12 bits are used for various functions such as enabling/disabling the Break function, setting the console line speed, bypassing NVRAM and controlling the broadcast address. See Cisco's documentation for a more complete list with the meaning of the remaining bits for a Cisco 4000.


To change the configuration register you have to be in global configuration mode. Use the command configure terminal, often abbreviated to conf t, in privileged EXEC mode to enter global config mode. You can enter privileged EXEC mode using the command:
Router>enable

When you enter the correct password the prompt will change to

Router#

(where "Router" is the hostname of the router).

Once you are in global config mode use the following command to change the configuration register value:

Router(config)#config-register 0x2102

where 0x2102 is an example of a config-register value (and the usual value for a router in production).


You can view the configuration register setting using the Router#show version command. The last line of the output displays the current value and, if it differs, the value that will apply after the next reload:

Configuration register is 0x2142 (will be 0x2102 at next reload)

The two values in this example differ only in bit 6 (0x0040), which tells the router to ignore the startup configuration in NVRAM. 0x2142 is the setting used during the password-recovery procedure; if it is left in place the router boots with an empty configuration, and therefore without any passwords, at every reload, so it must be set back to 0x2102 once recovery is done.
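To make the bit layout concrete, here is an added Python example (not from the original TechNote and not Cisco's code) that decodes a configuration register value using the standard IOS bit assignments, parses the show version line quoted above, and flags the settings a security reviewer cares about. The function and constant names are this example's own.

```python
"""Decode a Cisco IOS configuration register and flag risky settings.

Added example, not part of the original TechNote. The bit assignments are
the documented IOS configuration register layout (boot field in bits 0-3,
single-bit flags above it, console speed in bits 11-12); the parser assumes
the 'show version' line format quoted in the text.
"""
import re

BOOT_FIELD_MEANING = {
    0x0: "stay at the ROM monitor (rommon) prompt",
    0x1: "boot the limited IOS image from ROM",
}

# Single-bit flags: bit number -> meaning when the bit is set.
FLAG_BITS = {
    6: "ignore startup configuration in NVRAM",
    7: "OEM bit enabled",
    8: "Break key disabled",
    10: "IP broadcasts with all zeros",
    13: "boot default ROM software if network boot fails",
    14: "IP broadcasts do not have network numbers",
    15: "enable diagnostic messages and ignore NVRAM contents",
}

# Bits 11-12 select the console line speed (2-bit value -> baud).
CONSOLE_SPEED = {0b00: 9600, 0b01: 4800, 0b10: 1200, 0b11: 2400}


def decode_config_register(value: int) -> dict:
    """Split a 16-bit register value into boot field, flags and console speed."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0xF
    boot = BOOT_FIELD_MEANING.get(
        boot_field,
        "boot normally: obey boot system commands, else first image in Flash")
    flags = [meaning for bit, meaning in FLAG_BITS.items() if value & (1 << bit)]
    return {
        "boot_field": boot_field,
        "boot": boot,
        "flags": flags,
        "console_speed": CONSOLE_SPEED[(value >> 11) & 0b11],
    }


def audit_config_register(value: int) -> list:
    """Warnings a security reviewer would raise for this register value."""
    warnings = []
    if value & ((1 << 6) | (1 << 15)):
        warnings.append("NVRAM bypassed: router boots with no configuration and no passwords")
    if (value & 0xF) == 0:
        warnings.append("boot field 0x0: router stops at rommon; console access then owns the box")
    # Break is enabled when bit 8 is CLEAR, so boot can be interrupted from the console.
    if not value & (1 << 8):
        warnings.append("Break enabled: boot can be interrupted from the console")
    return warnings


SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?")


def parse_show_version(line: str) -> tuple:
    """Return (current, next_reload) values from the 'show version' summary line."""
    match = SHOW_VERSION_RE.search(line)
    if not match:
        raise ValueError("no configuration register line found")
    current = int(match.group(1), 16)
    nxt = int(match.group(2), 16) if match.group(2) else current
    return current, nxt


if __name__ == "__main__":
    # Constructed input: the example line from the text.
    line = "Configuration register is 0x2142 (will be 0x2102 at next reload)"
    current, nxt = parse_show_version(line)
    for label, value in (("current", current), ("next reload", nxt)):
        print(f"{label}: 0x{value:04X} -> {decode_config_register(value)}")
        for warning in audit_config_register(value):
            print("  WARNING:", warning)
```

Running it on the quoted line reports the NVRAM-bypass warning for the current value 0x2142 and nothing for 0x2102; the same check can be run over the output of show version collected from a fleet of routers to find any that were left in the recovery setting.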



Router start-up sequence

Routers boot much like regular computers: they first perform a power-on self test (POST) of the hardware, next load the bootstrap code from ROM, then locate and load the IOS image (from Flash by default) into RAM. The IOS then takes an inventory of the hardware and finally finds and loads a configuration file.

You can reboot a router using the power switch or the reload command.



Initial router configuration

As mentioned earlier the router configuration is stored in NVRAM; this is the place where the router searches for a configuration file. Alternatively you can configure the router to load a configuration file from a TFTP server. If the router cannot locate a configuration file (on a new router, for example) it starts setup and asks if you want to enter the initial configuration dialog. If you answer No, you are taken to the command prompt and can configure the router manually. If you answer Yes, you are taken through a list of questions that let you configure the router, e.g. set a hostname, enable password and enable secret, configure routed and routing protocols, and configure interface addressing. You can also start this configuration dialog at any time using the command:
setup



Manage configuration files

A Cisco router usually contains two configurations: the startup configuration (usually stored in NVRAM) and the running configuration (stored in RAM). Since IOS version 11.0 Cisco has used these terms in the commands as well.

The following command copies the currently running, active configuration to NVRAM so it is used the next time you reload the router. It is mainly used to save the configuration after you have changed it:

Router#copy running-config startup-config

The following command loads the startup configuration stored in NVRAM into RAM, making it the active configuration:

Router#copy startup-config running-config

You can also copy the running configuration to a TFTP server using the following command:

Router#copy running-config tftp 222.222.222.1

as well as the startup config:

Router#copy startup-config tftp 222.222.222.1

Keep in mind that TFTP has no authentication and no encryption, and that a configuration file contains the router's passwords (see the password section below), so the TFTP server and the network path to it deserve the same protection as the router itself.

You can view the running configuration using the command:

Router#show running-config

View the startup config using the command:

Router#show startup-config

You can use the erase command to delete the content of NVRAM:

Router#erase startup-config



Load, backup, and upgrade IOS

Instead of using the IOS stored in Flash you can load it from a TFTP server, or you can load the limited IOS from ROM. This is configured in the configuration file using the following commands in global configuration mode.

To load Cisco IOS software from Flash memory use the command:

Router(config)#boot system flash

Although this is the default behavior, the command is useful when you have multiple IOS images stored in Flash; if you do not specify a filename the first image located is loaded.

To load Cisco IOS software from a TFTP server use the command (followed by the image filename and the address of the TFTP server):

Router(config)#boot system tftp

To load Cisco IOS software from ROM use the command:

Router(config)#boot system rom

Note that this loads the limited IOS version, which might prevent normal operation.

You can use a combination of these commands, or all of them, to provide some redundancy; you can even specify multiple TFTP servers. Make sure you place them in the correct order: flash first, tftp as backup, rom as last resort, because the commands are tried in the order they appear in the configuration. The configuration register's boot field must be set to 0x2 through 0xF for the router to check the configuration file in NVRAM for boot system commands.

To back up the IOS stored in Flash to a TFTP server use the command:

Router#copy flash tftp 222.222.222.1 c2600-js-l_121-5.bin

To upgrade the IOS stored in Flash use the command:

Router#copy tftp flash

You will be prompted for the IP address of the TFTP server (which defaults to the broadcast address 255.255.255.255) and a filename. Because TFTP provides no integrity protection, compare the size and checksum of the copied image with the values Cisco publishes for that image before reloading the router.

To delete the content stored in Flash use the command:

Router#erase flash



CONNECTING TO A ROUTER

There are multiple ways to establish connectivity to a router to perform configuration tasks:

- Console port

Cisco routers are equipped with a Console port. This is an RJ-45 port on most routers, but on some high-end routers it is a DB-25 connector. You can connect a terminal (a notebook or a PC, for instance) to the console port using an RJ-45 cable with RJ-45, DB-9 or DB-25 connectors on the ends. A common example is an RJ-45 cable with an RJ-45 connector connecting to the router's console port and a DB-9 connector on the other end connecting to the PC's COM port. When you connect a PC to the router's console port you can use a terminal emulator to configure the router. When you start a session the following should appear:

Router con0 is now available.

Press RETURN to get started

- Auxiliary port

Cisco routers in the 1700 series and up are also equipped with an Auxiliary (AUX) port. A modem can be connected to this port to allow remote administration of the router over a dial-in connection.

Managing a router using the ports mentioned above is called out-of-band management. Note that whoever has physical access to the console port (or can dial in to the AUX port) can interrupt the boot process and reset the passwords, which is why the console and AUX lines need passwords of their own and the router itself needs physical protection.

For more information about how to physically connect to the Console and Auxiliary port, see the Cabling Guide for Console and AUX Ports and Configuring a Modem on the AUX Port for EXEC Dialin Connectivity at Cisco.com.

- Telnet

Once your router is configured with an IP address, a Telnet connection will probably be the most commonly used way to connect to a router to configure and monitor it. Cisco IOS, the router's operating system, has a built-in Telnet server and a Telnet client. This allows you to connect to a router using a Telnet client from a PC, but also from another Cisco router. This type of connection, which uses the same network the router operates in, is also known as in-band management. Telnet sends the whole session, passwords included, in cleartext across that network; where the IOS image supports it, SSH is the replacement to use for in-band management.



ROUTER MODES

User EXEC mode

This is the mode you enter once you are logged on to the router. In this mode you can perform non-disruptive troubleshooting and view the routing table and the status of components. You can NOT view or modify the configuration in User EXEC mode.

When you connect to the router and press the <Enter> key (Press RETURN to get started) you are prompted for a password:

User Access Verification

Password:

When you enter the correct console, telnet or AUX password (depending on how you connect to the router) and press <Enter>, the User EXEC mode command prompt appears:

Router>

"Router" is the default hostname for all Cisco routers. The > indicates you are in User EXEC mode.

To exit User EXEC mode and quit the session with the command-line executive use one of the following commands:

Router>logout

or

Router>exit

Privileged EXEC mode

This is similar to logging on as an administrator in Windows 2000, for example. In this mode you can do disruptive troubleshooting, and you can view and modify the configuration.

Router>enable <enter>

Password:

After submitting the correct enable password (or enable secret) and pressing the <Enter> key the command prompt changes again:

Router#

The # indicates you are in Privileged EXEC mode.

To exit Privileged EXEC mode and return to User EXEC mode use the following command:

Router#disable

To exit Privileged EXEC mode and quit the session with the command-line executive use one of the following commands:

Router#logout

or

Router#exit



Global Configuration mode

To actually change the content of the running configuration you have to enter global configuration mode, using the command configure terminal in Privileged EXEC mode. (The related command configure memory does not edit the startup configuration: it loads the startup configuration from NVRAM into the running configuration, the same as copy startup-config running-config.) Global configuration mode allows you to configure settings which affect the entire router, hence its name 'global'. To show you how this works we change the hostname of the router as an example:

Router#configure terminal (usually abbreviated to conf t)

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#hostname Rnewyork1

Rnewyork1(config)#

As you can see from the prompt, which now reflects the new name, the change takes effect immediately.

To exit global configuration mode and return to Privileged EXEC mode use one of the following commands:

Rnewyork1(config)#end

or

Rnewyork1(config)#exit

or use the key combination CTRL-Z.

Changes made this way exist only in the running configuration in RAM. Use the following command to save the configuration to NVRAM so it is used the next time the router starts:

Rnewyork1#copy running-config startup-config


Interface Configuration mode

You need to enter interface configuration mode when you want to configure settings specific to an interface, such as an IP address.

To enter interface configuration mode you use the interface command and provide the name and number of an existing interface. Examples are:

Router(config)#interface ethernet 0

Router(config-if)#

Router(config)#interface serial 2

Router(config-if)#

As you can see in the first example, the first possible interface is 0; the second Ethernet interface on a router would be Ethernet 1. Also notice the change in the prompt. These commands are usually abbreviated, for example to int e1 or int s0.

To exit interface configuration mode and return to global configuration mode, enter the following command:

Router(config-if)#exit

To exit interface configuration mode and return to Privileged EXEC mode, use the key combination CTRL-Z or:

Router(config-if)#end

Other configuration modes include:

Sub-interface configuration mode   Router(config-subif)
Router configuration mode          Router(config-router)
Line configuration mode            Router(config-line)



CONFIGURING ROUTER PASSWORDS

This section describes the 4 main passwords which are directly related to managing and configuring the router.

Console password

Use the following commands to configure the console password. The first command enters line configuration mode to modify the operation of a terminal line, and is followed by a line number; login tells the line to prompt for the password configured with password:

Router(config)#line con 0

Router(config-line)#login

Router(config-line)#password cisco123

Telnet password

Use the following commands to configure a password for Telnet access (vty 0 4 covers the five virtual terminal lines 0 through 4 at once):

Router(config)#line vty 0 4

Router(config-line)#login

Router(config-line)#password cisco123

Auxiliary password

Use the following commands to configure the auxiliary port password (the AUX port is line aux 0):

Router(config)#line aux 0

Router(config-line)#login

Router(config-line)#password cisco123

Enable password and enable secret

The enable password and enable secret are local passwords used to control access to Privileged EXEC mode. The difference between the two is that the enable password is stored in cleartext in the configuration file, while the enable secret is stored as a salted MD5 hash (a "type 5" password), which cannot be reversed to recover the password.

For example, in the configuration file an enable password could be:

enable password cisco123

and an enable secret could be:

enable secret 5 $1$iSuI$i7TiENAn69392tYvh5wwZ1

The enable secret overrides the regular enable password, except when an old IOS image is used that doesn't support the enable secret. If you set both, do not reuse the same password for them: the enable password is readable by anyone who can see the configuration.

To configure an enable password, go to global config mode and issue the following command:

Router(config)#enable password cisco123

where cisco123 is just an example of a password.

To configure an enable secret, go to global config mode and issue the following command:

Router(config)#enable secret cisco456

where cisco456 is just an example of a password.

If you do not set an enable password or enable secret, you don't have to enter a password when you type the enable command on the console, but you will have problems connecting to the router using telnet, for example: you won't be able to enter Privileged EXEC mode.

By default all passwords except the enable secret are stored as cleartext in the configuration file. When you have backups on TFTP servers, or even on floppy disks, this can be an important issue. It can be mitigated using the following command, which obscures the passwords in the configuration:

Router(config)#service password-encryption

The salted MD5 hash used for the enable secret is much stronger than the rather simple "type 7" encoding applied by service password-encryption, which is reversible and can be decoded by publicly available tools. Treat a type 7 string in a configuration file as equivalent to the cleartext password.
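Here is an added Python example (not from the original TechNote, and not Cisco's code) that shows what those "publicly available tools" do with a type 7 string and what an auditor reading a saved configuration would flag. The sample configuration is constructed for this example (the hash line is the one quoted above, re-used as-is); the fixed XOR key is the well-known constant that every IOS type 7 string is encoded with.

```python
"""Audit credential lines in a saved Cisco IOS configuration.

Added example, not part of the original TechNote. type7_decrypt implements
the reversible 'service password-encryption' scheme (a fixed-key XOR); the
configuration excerpt below is constructed for this example.
"""
import re

# Every type 7 string is XORed against this fixed key, starting at a 2-digit seed offset.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded: str) -> str:
    """Reverse a type 7 string: 2-digit seed, then one hex pair per character."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encrypt(plain: str, seed: int = 7) -> str:
    """Forward direction; included only to show that the scheme is symmetric."""
    raw = plain.encode("latin-1")
    data = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(raw))
    return f"{seed:02d}{data.hex().upper()}"


CREDENTIAL_RE = re.compile(
    r"^\s*(?P<cmd>enable password|enable secret|password|username \S+ (?:password|secret))"
    r"[ \t]+(?:(?P<type>[0-9])[ \t]+)?(?P<value>\S+)",
    re.MULTILINE,
)

CLEARTEXT = "cleartext in configuration"
TYPE7 = "type 7: reversible, recovered"
HASHED = "hashed, not reversible"


def audit_config(config: str) -> list:
    """Return (command, verdict, recovered_plaintext_or_None) for each credential line."""
    findings = []
    for match in CREDENTIAL_RE.finditer(config):
        cmd, ptype, value = match.group("cmd"), match.group("type"), match.group("value")
        if ptype in ("5", "8", "9") or (ptype is None and cmd.endswith("secret")):
            findings.append((cmd, HASHED, None))
        elif ptype == "7":
            findings.append((cmd, TYPE7, type7_decrypt(value)))
        else:  # no type prefix, or an explicit type 0
            findings.append((cmd, CLEARTEXT, value))
    return findings


# Constructed configuration excerpt for the audit.
SAMPLE_CONFIG = """\
hostname Rnewyork1
enable secret 5 $1$iSuI$i7TiENAn69392tYvh5wwZ1
enable password 7 070C285F4D06485744
line con 0
 login
 password cisco123
line vty 0 4
 login
 password 7 070C285F4D06
"""

if __name__ == "__main__":
    for cmd, verdict, recovered in audit_config(SAMPLE_CONFIG):
        print(f"{cmd:16} {verdict:32} {recovered or ''}")
```

The audit recovers both type 7 strings in the sample (cisco123 and cisco) in the same pass that lists the cleartext line password, while the type 5 enable secret is reported but not recovered; only the last kind should survive in a configuration that leaves the router.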



Context-sensitive help facility

An IOS feature that helps with using the correct command syntax. For example, when you type a command but you do not know the full syntax, you can type a ? behind it and a list with the possible options (in that particular mode) will appear:

Router#show ?
  access-expression  List access expression
  access-lists       List access lists
  accounting         Accounting data for active sessions
  aliases            Display alias commands
  appletalk          AppleTalk information
  arap               Show Appletalk Remote Access statistics
  arp                ARP table
  async              Information on terminal lines used as router interfaces
  backup             Backup status
  bridge             Bridge Forwarding/Filtering Database [verbose]
  buffers            Buffer pool statistics
  cdp                CDP information
  clock              Display the system clock
  compress           Show compression statistics
  configuration      Contents of Non-Volatile memory
  controllers        Interface controller status
  debugging          State of each debugging option
  decnet             DECnet information
  dhcp               Dynamic Host Configuration Protocol status
  dialer             Dialer parameters and statistics
  dnsix              Shows Dnsix/DMDP information
  dxi                atm-dxi information
  entry              Queued terminal entries
 --More--

You don't need to press the <Enter> key after the ?, and when the end of the list is reached the command is shown after the prompt again, without the ?, so you can continue typing the correct option. (When a list like this does not fit in the maximum allowed lines, --More-- is displayed on the last line; press the <Enter> key to scroll down one line or the <Spacebar> to scroll down to the next screen.)

When you type a single ? or just the command help, a list with all possible commands is displayed.



Command history and editing features

This refers to another set of useful features which are meant to make working with the command-line interface a little more convenient.

By default the 10 previously issued commands are remembered. These commands can be retrieved to use them again by pressing CTRL-P or the up arrow key. You can modify the size of the command-line history buffer using the following command:

Router#terminal history size 25

This sets the number of remembered commands to 25.

You can view the history using the following command:

Router#show history

Some other useful key combinations:

CTRL-P (or UP arrow key)      Displays the previous command in the history buffer.
CTRL-N (or DOWN arrow key)    Displays the next command in the history buffer.
CTRL-A                        Jumps to the beginning of the command line.
CTRL-E                        Jumps to the end of the command line.
CTRL-B (or LEFT arrow key)    Moves the cursor back one character.
CTRL-F (or RIGHT arrow key)   Moves the cursor forward one character.
CTRL-W                        Deletes the last word typed.

The arrow keys function only on ANSI-compatible terminals such as VT100s; you can configure your terminal emulator to use VT100 emulation.

Another useful feature to assist with the command syntax is auto-complete. For example, when you type a command partly but you don't know how to spell a particular option, you can let IOS complete it by pressing the TAB key:

Router#show cdp nei<TAB>

Router#show cdp neighbors

This only works when the given part is enough to determine one particular option; for example the command Router#show access does not result in Router#show access-expression because it could be Router#show access-lists as well.

These enhanced editing features are enabled by default. If you wish to disable them for your session, use the following EXEC command:

Router#terminal no editing

(In line configuration mode the equivalent is no editing, which makes the setting persistent for that line.)




Current related exam objectives for the CCNA exam:

Cisco Basics, IOS & Network Basics

Describe router elements (RAM, ROM, Flash, NVRAM, config register)
Describe router start-up sequence
Configure router passwords, identification, and banner
Use the context-sensitive help facility
Use the command history and editing features
Establish connectivity from a host to the appropriate network device to perform configuration tasks

Network Management

Manage configuration files from the privileged EXEC mode
Manage IOS images and device configuration files
Load Cisco IOS software from: Flash memory, a TFTP server, or ROM
Perform backup, upgrade, and loading of Cisco IOS software and configuration files
















LAN TECHNOLOGIES:

ETHERNET

Ethernet was developed at Xerox in the 1970s; DIX (Digital, Intel and Xerox) published the first Ethernet specification in 1980 and, two years later, Ethernet version 2, which is the basis for today's Ethernet networks. The IEEE 802.3 standard followed in 1983. The access method (how the wire is accessed) is Carrier Sense Multiple Access/Collision Detection (CSMA/CD). In a CSMA/CD network stations listen to check whether the network is busy; if the network is free the station transmits its data. When two stations listen, both determine the network is available and start sending data simultaneously, a collision occurs. When the collision is detected both stations retransmit the data after a random wait time chosen by a backoff algorithm (the range the wait is drawn from doubles with every consecutive collision on the same frame). In today's fast-growing, bandwidth-hungry network environments this soon becomes a problem: stations have to wait more often before they can transmit data and more collisions occur. The solution is to separate the network into multiple collision domains; which devices can be used for this purpose is explained with a network diagram for each of the relevant network components below.
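The backoff rule is easier to see in code. The following is an added Python example (not from the original TechNote): the truncated binary exponential backoff that 802.3 stations apply after a collision, plus a deliberately simplified slot-based contention model (every station that is ready transmits in the same slot and collides if any other one does) that shows collisions and wasted slots growing with the number of stations sharing one collision domain.

```python
"""Truncated binary exponential backoff and a slot-based CSMA/CD contention model.

Added example, not part of the original TechNote. The model is a simplification:
one frame per slot, every ready station transmits at once, any overlap collides.
"""
import random

MAX_ATTEMPTS = 16      # 802.3: a frame is abandoned after 16 consecutive collisions
BACKOFF_CEILING = 10   # the random range stops doubling after 10 collisions


def new_rng(seed: int = 0) -> random.Random:
    """Seeded generator so runs are reproducible."""
    return random.Random(seed)


def backoff_slots(collisions: int, rng: random.Random) -> int:
    """Slots to wait after the n-th consecutive collision on the same frame."""
    if collisions < 1:
        raise ValueError("collisions are counted from the first one")
    if collisions > MAX_ATTEMPTS:
        raise RuntimeError("excessive collisions: frame dropped")
    k = min(collisions, BACKOFF_CEILING)
    return rng.randint(0, 2 ** k - 1)          # uniform in [0, 2^k - 1]


def simulate(stations: int, frames_per_station: int, seed: int = 1) -> dict:
    """Run until every station has sent (or dropped) all of its frames."""
    rng = new_rng(seed)
    remaining = [frames_per_station] * stations
    ready_at = [0] * stations       # first slot in which a station may transmit
    collisions = [0] * stations     # consecutive collisions on the current frame
    stats = {"sent": 0, "dropped": 0, "collisions": 0, "slots": 0}
    slot = 0
    while any(remaining):
        contenders = [s for s in range(stations)
                      if remaining[s] and ready_at[s] <= slot]
        if len(contenders) == 1:                 # carrier free for a single station
            s = contenders[0]
            remaining[s] -= 1
            collisions[s] = 0
            stats["sent"] += 1
        elif contenders:                         # two or more: collision, all back off
            stats["collisions"] += 1
            for s in contenders:
                collisions[s] += 1
                try:
                    ready_at[s] = slot + 1 + backoff_slots(collisions[s], rng)
                except RuntimeError:
                    remaining[s] -= 1            # frame abandoned after 16 collisions
                    collisions[s] = 0
                    stats["dropped"] += 1
        slot += 1
    stats["slots"] = slot
    return stats


if __name__ == "__main__":
    for n in (2, 5, 20):
        print(n, "stations:", simulate(n, 10))
```

A single station never collides and uses exactly one slot per frame; add stations to the same domain and the slot count and collision count climb, which is the congestion the text describes and the reason segmentation into smaller collision domains helps.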

An Ethernet network is a broadcast system: when a station transmits data, every other station on the segment receives it. The frames contain an address in the frame header, and only the station with that address picks up the frame and passes it on to the upper-layer protocols to be processed. (This is a convention the receiving NIC follows, not an access control: a NIC in promiscuous mode passes every frame up, which is what a packet sniffer on a shared segment relies on.)



BROADCAST DOMAIN

All devices in this domain receive broadcast frames originating from any other device within the domain. Broadcast domains are typically bounded by routers because routers do not forward broadcast frames. Broadcast frames are frames explicitly directed to all nodes on the LAN; as networks grow this becomes a problem as well.

REPEATERS

A repeater is a simple device that is used to expand LANs over larger distances by connecting segments. Repeaters do not control broadcast or collision domains; they are not aware of upper-layer protocols and frame formats, they merely regenerate/amplify the signal.

Repeaters operate at the Physical layer of the OSI model.

An important rule when using repeaters to expand a network is the 5-4-3 rule, which defines that the maximum distance between two hosts on the same network can be 5 segments and 4 repeaters, and that only 3 of the segments can be populated, as illustrated in the following logical network diagram:





HUBS/CONCENTRATORS

Hubs, also known as concentrators or multiport repeaters, are used in star/hierarchical networks to connect multiple stations/cable segments. There are two main types of hubs: passive and active. An active hub takes the incoming frames, amplifies the signal, and forwards it to all other ports; a passive hub simply splits the signal and forwards it. Another type of hub can be managed, allowing individual port configuration and traffic monitoring; these are known as intelligent or managed hubs.

Hubs operate at the Physical layer of the OSI model and they are protocol transparent; that is, they are not aware of upper-layer protocols such as IP and IPX, nor of MAC addressing. Hence they do not control broadcast or collision domains, but extend them, as illustrated below:





BRIDGES

Bridges are more intelligent than hubs; they operate at the Data Link layer of the OSI model.

They are used to increase network performance by segmenting networks into separate collision domains. Bridges are also protocol transparent; they are not aware of the upper-layer protocols. They keep a table with the MAC addresses of all nodes and the segment on which each is located, built by reading the source address of every frame they receive.

A bridge takes an incoming frame, reads its destination MAC address and consults the table to decide what should be done with the frame: if the location of the destination MAC address is listed in the table, the frame is forwarded to the corresponding port. If the destination port is the same as the port where the frame arrived, the frame is discarded. If the location is not known, the frame is flooded through all other outgoing ports/segments.

As illustrated below, bridges control collision domains; they do not control broadcast domains:
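The forwarding decision just described, written out as an added Python example (not from the original TechNote). The bridge, its port numbers and the MAC addresses are constructed; the last two frames of the walkthrough show why the learned table is a convenience rather than a security boundary: an entry simply follows whichever port last claimed a source address.

```python
"""A transparent (learning) bridge's forwarding decision.

Added example, not part of the original TechNote: learn the source MAC on
the arrival port, forward a known destination, filter when it sits on the
arrival port, flood unknown destinations and broadcasts.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC address -> port it was last seen on

    def handle(self, in_port: int, src: str, dst: str) -> list:
        """Process one frame; return the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # Learning: nothing authenticates the source address, so a frame with a
        # spoofed source silently moves (or creates) the entry for that address.
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]        # flood
        out = self.table[dst]
        return [] if out == in_port else [out]                    # filter / forward


def walkthrough() -> list:
    """Constructed scenario; returns the output ports chosen for each frame."""
    a, b, c = "00:00:0c:00:00:0a", "00:00:0c:00:00:0b", "00:00:0c:00:00:0c"
    bridge = LearningBridge(ports=[1, 2, 3])
    return [
        bridge.handle(1, a, b),          # B unknown: flood to 2 and 3, learn A on 1
        bridge.handle(2, b, a),          # A known on 1: forward to 1, learn B on 2
        bridge.handle(1, a, b),          # B known on 2: forward to 2
        bridge.handle(1, c, a),          # A is on the arrival port: filter (drop)
        bridge.handle(2, b, BROADCAST),  # broadcast: flood to 1 and 3
        bridge.handle(3, a, b),          # spoofed source A on port 3 moves A's entry
        bridge.handle(2, b, a),          # traffic for A now leaves on port 3
    ]


if __name__ == "__main__":
    for ports in walkthrough():
        print(ports)
```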





SWITCHES

To improve network performance even more, switches were developed. Switches are very similar to bridges: they also keep a table with MAC addresses per port to make switching decisions, operate at the Data Link layer of the OSI model and are protocol transparent.

Some of the main differences are:

- a switch has more ports than a bridge
- bridges switch in software whereas switches switch in hardware (integrated circuits)
- switches offer more variance in speed; an individual port can be assigned 10 Mb/s or 100 Mb/s or even more.

As illustrated below, switches control collision domains; they do not control broadcast domains*:

* Switches do not control broadcast domains unless Virtual Local Area Networks (VLANs) are being used, and most modern switches do support VLANs. The following diagram represents a switch configured with two VLANs. Like in the previous diagram each port forms a collision domain, but as you can see in this diagram the network is separated into two broadcast domains using VLANs. If the network protocol used in this network were TCP/IP, each VLAN would have its own (sub-)network address; for example VLAN 1 could be Class C 192.168.110.x and VLAN 2 192.168.220.x.

Switches are able to use software to create Virtual LANs: a logical grouping of network devices where the members can be on different physical segments. A VLAN can be based on port IDs, MAC addresses, protocols or applications. For example, in the network diagram above ports 1 to 12 on the switch could be assigned to VLAN 1 and ports 13 to 24 to VLAN 2, resulting in two different broadcast domains; or stations 1, 2 and 3 could be using IPX/SPX while stations 4, 5 and 6 could be using TCP/IP.

An example of a large network with VLANs could be an office building with a switch on each of the three floors and a main switch connecting them all together. An administrator would be able to keep a list of MAC addresses and assign stations from different floors to a single VLAN, and for example create a VLAN (broadcast domain) for each department in the company. Each switch learns MAC addresses from the source addresses of the frames arriving on its ports and floods frames for unknown destinations, so the path to a destination is found quickly without any central table. Note that the traffic separation a VLAN provides is only as strong as the switch configuration behind it; a MAC-based VLAN in particular assigns a station on the strength of an address the station itself chooses.



ROUTERS

Routers are used to interconnect multiple (sub-)networks and route information between these networks by choosing an optimal path ("route") to the destination. They operate at the Network layer (Layer 3) of the OSI model and, unlike hubs, bridges and switches, routers are protocol-aware. Examples of these protocols are IP, IPX, and AppleTalk. Routers make forwarding decisions based on a table with network addresses and their corresponding ports; this table is known as the route table.

A common use of routers is to connect two different types of networks (for example Ethernet and Token Ring) or to interconnect LANs into a WAN. The concept of routing is covered in more detail in the Routing Protocols TechNote.

As illustrated below, routers control collision domains AND broadcast domains:





GATEWAYS

A gateway (as a network component) is a device that connects networks with dissimilar network protocols or architectures and translates between the networks. Gateways are very intelligent devices; generally they operate at the Transport layer and the layers above it (Session, Presentation, Application). A gateway could be used to allow IPX/SPX clients to reach an internet connection over a TCP/IP uplink, with the gateway converting between TCP/IP and IPX/SPX. Another common use of a gateway is to connect an Ethernet network to an IBM SNA mainframe environment.

NICs

A NIC (Network Interface Card) is an expansion card for a computer, used to connect it to the physical network. The NIC's interface itself is defined at the Physical layer (Layer 1) of the OSI model; the physical address (also known as the Burned-In Address and commonly as the MAC address) of the adapter, as well as the drivers that control the NIC, are located at the Data Link layer's MAC sub-layer. The reason the physical address is defined at the Data Link layer is that the Physical layer only handles bits.



Half duplex

Half-duplex means that only one host can communicate at a given time; two hosts communicating with each other take turns transmitting. This is the default on non-switched LANs.

Full duplex

In full-duplex communication both hosts can transmit at the same time, theoretically allowing twice as much data to be transmitted over the same connection.

In order for full duplex to work, some requirements must be met:

- The NICs, hubs etc. must support it,
- Collision Detection and Loopback functions must be disabled.

In reality the connections able to run at full duplex are crossover-cable connections and connections to a port on a switch, where collisions cannot occur because each end has its own wire pair (segment).




Current related exam objectives for the CCNA exam:

LAN Technologies

Determine the appropriate uses for full- and half-duplex Ethernet operation
Describe the causes and effects of network congestion in Ethernet networks
Describe the benefits of network segmentation with various networking devices
Identify the cause(s) of LAN connectivity problems
Describe the function, operation, and primary components of a LAN



OSI MODEL:

7-layer OSI MODEL

The OSI (Open Systems Interconnection) model was developed by ISO in 1984 to provide a reference model for the complex aspects related to network communication. It divides the different functions and services provided by network hardware and software into 7 layers. This facilitates modular engineering, simplifies teaching and learning network technologies, helps to isolate problems and allows vendors to focus on just the layer(s) in which their hardware or software is implemented while creating products that are compatible, standardized and interoperable.

The diagram below shows the 7 layers of the OSI model; to remember them in the correct order a common mnemonic is often used: All People Seem To Need Data Processing.

(Diagram: the seven layers, Application down to Physical, shown side by side for Host A and Host B.)

The Application, Presentation and Session layers are known as the Upper Layers and are implemented in software. The Transport and Network layers are mainly concerned with protocols for delivery and routing of packets to a destination and are implemented in software as well. The Data Link layer is implemented in hardware and software, and the Physical layer is implemented in hardware only, hence its name. These last two layers define LAN and WAN specifications.


A more detailed description of each layer follows below, but here is what basically happens when data passes from Host A to Host B:

1. the Application, Presentation and Session layers take user input and convert it into data,

2. the Transport layer adds a segment header, converting the data into segments,

3. the Network layer adds a network header and converts the segments into packets,

4. the Data Link layer adds a frame header (and a trailer), converting the packets into frames,

5. the Physical layer converts the frames into bits which it puts on the wire.

These steps are known as the 5 steps of data encapsulation. When the bit stream arrives at the destination, the Physical layer takes it off the wire and converts it into frames; each layer then removes its corresponding header while the data flows up the OSI model until it is converted back to data and presented to the user. This is known as decapsulation.
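To show the headers rather than just name them, here is an added Python example (not from the original TechNote) that carries the 5 steps out on real layouts: a UDP segment (Transport) inside an IPv4 packet (Network) inside an Ethernet II frame (Data Link), followed by decapsulation that checks at each layer what that layer's receiver checks. Addresses, ports and payload are constructed; the upper three layers are represented by the byte string handed in as data.

```python
"""Encapsulation and decapsulation on real header layouts.

Added example, not part of the original TechNote. Builds UDP in IPv4 in
Ethernet II with struct, then strips the headers again, verifying the
EtherType, IPv4 version and checksum, protocol number and UDP length on
the way up. All addresses and the payload are constructed.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst
UDP_HDR = "!HHHH"            # src port, dst port, length, checksum


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); yields 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def encapsulate(data: bytes, src_ip: str, dst_ip: str, src_port: int,
                dst_port: int, src_mac: str, dst_mac: str) -> bytes:
    # Step 2, Transport: UDP header; length covers header + data, checksum 0 = unused.
    segment = struct.pack(UDP_HDR, src_port, dst_port, 8 + len(data), 0) + data
    # Step 3, Network: 20-byte IPv4 header, checksum computed over the header only.
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(segment), 0, 0, 64,
                         IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    packet = header + segment
    # Step 4, Data Link: Ethernet II header (the FCS trailer is added by the NIC).
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def decapsulate(frame: bytes) -> dict:
    """Strip each header in turn, rejecting what the receiving layer would reject."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 Ethernet II frame")
    packet = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    if proto != IPPROTO_UDP:
        raise ValueError(f"unexpected protocol {proto}")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack(UDP_HDR, segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP length does not match packet length")
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "ttl": ttl, "src_port": src_port, "dst_port": dst_port,
        "data": segment[8:],
    }


if __name__ == "__main__":
    frame = encapsulate(b"hello router", "192.168.110.5", "192.168.220.7",
                        40000, 69, "00:00:0c:00:00:0a", "00:00:0c:00:00:0b")
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```

Each header is added on the way down and removed on the way up, and each layer checks only its own fields: flip one byte in the IPv4 header and the Network layer rejects the packet on the checksum, while the Data Link layer above it was perfectly happy with the frame.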



APPLICATION


The Application layer provides network services directly to

the user's application such as a web browser, email
software and Windows Explorer. This layer is said to be "closest to the user".

Protocols that operate on this layer include: TELNET, HTTP, FTP, TFTP, SMTP, NTP, SNMP, EDI.



PRESENTATION


This layer 'represents' the data in a particular format to the Application layer. It defines encryption,
compression, conversion and other coding functions.

Specifications defined at this layer include: GIF, TIFF, JPEG, MPEG, MIME, and ASCII.



SESSION


Establishes, maintains and terminates end-to-end connections (sessions) between two applications on two
network nodes. It controls the dialogue between the source and destination node: which node can send, when
and for how long. It also provides error reporting for the Application, Presentation and Session layer.

Protocols/APIs that operate on this layer include: RPC, SQL, NETBIOS.



TRANSPORT


This layer converts the data received from the upper layers into segments. The Transport layer is responsible
for end-to-end (also called source-to-destination) delivery of entire messages. It provides end-to-end
connectivity, allows data to be transferred reliably and uses sequencing to guarantee that it will be
delivered in the same order that it was sent. It also provides services such as error checking and flow
control (software).

Protocols that operate on this layer: TCP, UDP, NETBEUI, SPX.


These protocols are either connectionless or connection-oriented:


Connection-oriented means that a connection (a virtual link) must be established before data can be
exchanged. This can guarantee that data will arrive, and in the same order it was sent. It guarantees delivery
by sending acknowledgements back to the source when messages are received. TCP is an example of a
connection-oriented transport protocol.


A common example of connection-oriented communication is a telephone call: you call, the 'destination' picks
up the phone and acknowledges and you start talking (sending data). When a message or a piece of it doesn't
arrive, you say: "What!?" and the sender will retransmit the data.


Connectionless is the opposite of connection-oriented; the sender does not establish a connection before it
sends data, it just sends without guaranteeing delivery. UDP is an example of a connectionless transport
protocol.



NETWORK


This layer converts the segments from the Transport layer into packets (or datagrams) and is responsible for
path determination, routing, and the delivery of these individual packets across multiple networks without
guaranteed delivery. The network layer treats these packets independently, without recognizing any
relationship between those packets; it relies on upper layers for reliable delivery and sequencing.

This layer is also responsible for logical addressing (also known as network addressing or Layer 3
addressing), for example IP addresses.

Examples of protocols defined at this layer: IP, IPX, AppleTalk, ICMP, RIP, OSPF, BGP, IGRP, EIGRP, NLSP,
ARP, RARP, X.25

Devices that operate on this layer: Routers, Layer 3 Switches.


Network layer addresses

Also known as Layer 3 or Logical addresses. These types of addresses are protocol-dependent; for example, if
the network protocol is IP, IP addressing will be used, which is made up of a network part and a host part and
needs a subnet mask to determine the boundaries of these parts. An example of an IP address is: 172.16.0.1
and a subnet mask: 255.255.0.0

Another example is Novell's IPX addressing, which uses a combination of a hexadecimal network address + the
layer 2 MAC address to form a network layer address, for example: 46.0010E342A8BC



DATA LINK



The Data Link layer provides transparent network services to the Network layer so the Network layer can be
ignorant about the physical network topology, and provides access to the physical networking media. It is
responsible for reassembling bits taken off the wire by the Physical layer into frames, makes sure they are
in the correct order and requests retransmission of frames in case an error occurs. It provides error
checking by adding a CRC to the frame, and flow control.


Devices that operate on this layer: Switches and Bridges


IEEE 802 Data Link sub layers


Around the same time the OSI model was developed, the IEEE developed the 802-standards such as 802.5
Token Ring and 802.11 for wireless networks. Both organizations exchanged information during the
development which resulted in two compatible standards. The IEEE 802 standards define physical network
components such as cabling and network interfaces, and correspond to the Data Link and/or Physical layer of
the OSI model. The IEEE refined the standards and divided the Data Link layer into two sublayers: the LLC and
the MAC sublayer.


- LLC sublayer


LLC is short for Logical Link Control. The Logical Link Control is the upper sublayer of the Data Link layer. LLC
masks the underlying network technology by hiding their differences, hence providing a single interface to the
network layer. The LLC sublayer uses Source Service Access Points (SSAPs) and Destination Service Access
Points (DSAPs) to help the lower layers communicate to the Network layer protocols, acting as an intermediate
between the different network protocols (IPX, TCP/IP, etc.) and the different network types (Ethernet, Token
Ring, etc.). This layer is also responsible for frame sequencing and acknowledgements.

The LLC sublayer is defined in the IEEE standard 802.2.


- MAC sublayer


The Media Access Control layer takes care of physical addressing and allows upper layers access to the physical
media; it handles frame addressing and error checking. This layer controls and communicates directly with the
physical network media through the network interface card. It converts the frames into bits to pass them on to
the Physical layer, which puts them on the wire (and vice versa).


IEEE LAN standards such as 802.3, 802.4, 802.5 and 802.10 define standards for the MAC sublayer as well as
the Physical layer.


Other standards on this layer include: X.25 and Frame Relay


Data Link layer addresses

Also known as layer 2 addresses, BIAs (Burned-in Address), physical address and most commonly referred to
as MAC address. This is a fixed address programmed into a NIC or a router interface for example.

00-10-E3-42-A8-BC is an example of a MAC address. The first 6 hexadecimal digits (3 bytes) specify the
vendor/manufacturer of the NIC, the other 6 digits (3 bytes) define the host.

The layer 2 broadcast address is FF-FF-FF-FF-FF-FF.



PHYSICAL


This layer communicates directly with the physical media; it is responsible for activating, maintaining and
deactivating the physical link. It handles a raw bit stream and places it on the wire to be picked up by the
Physical layer at the receiving node. It defines electrical and optical signaling, voltage levels, data transmission
rates and distances as well as mechanical specifications such as cable lengths and connectors, the number of
pins and their function.

Devices that operate on this layer: HUBs/concentrators, repeaters, NICs, and LAN and WAN interfaces such as
RS-232, OC-3, BRI, V.24, V.35, X.25 and Frame Relay.



TCP/IP stack vs. the DoD Model


TCP/IP operation is defined in its own model: the DoD model. DoD is short for Department of Defense, who
designed TCP/IP for ArpaNet. Although they are similar, in contrast to the 7-layer OSI model the DoD model
has 4 layers. Each DoD layer and its functions corresponds to 1 or more OSI layers and their functions, which
is represented in the image below:




For the CCNA exam you don't need to know the DoD model in detail, but if you know the OSI model and the
related DoD layers you can easily identify the layer at which a certain protocol or standard is specified, for
example:

Process/Application: Telnet, FTP, SMTP, HTTP, SNMP, etc.

Host To Host: TCP, UDP

Internet: IP, ICMP, ARP, RARP, BootP, etc.

Network Access: Ethernet, Fast Ethernet, Token Ring, FDDI, etc.




Current related exam objectives for the CCNA exam.


OSI Reference Model & Layered Communication

Describe data link and network addresses and identify key differences between them

Identify at least three reasons why the industry uses a layered model

Define and explain the conversion steps of data encapsulation and de-encapsulation

Describe connection-oriented network service and connectionless network service, and identify their key
differences

Describe the functions of each of the seven layers of the OSI model and their corresponding applications

Compare the OSI model with the TCP/IP stack

Match networking devices to their OSI layer(s)

Use the OSI model as a conceptual strategy to identify network problems










ISDN:


ISDN


Integrated Services Digital Network, a circuit-switching network used for voice, data and video transfer over
existing copper telephone lines. ISDN is a bit similar to the normal telephone system but it is faster and needs
less time to set up a call. ISDN runs on the bottom three layers of the OSI reference model.


There are several types of ISDN channels, the two main ones being the 64 kilobits per second B-channel for
data, and the D-channel for control information. Two B-channels + one D-channel make up ISDN BRI
(Basic-Rate Interface); some Remote Access servers support a feature called multilink allowing both
B-channels to be combined in a single virtual link of 128 Kbps. In SOHO networks often 1 B-channel is used
for data (an internet connection for example) and 1 B-channel is used for voice (connected to a digital
telephone for example). The US and Japanese version of ISDN PRI (Primary-Rate Interface) is made up of 23
B-channels (total rate of 1.472 Mbps) and 1 D-channel. The European and Australian version supports 30
B-channels (total rate of 1.984 Mbps) and 1 D-channel.

A common implementation of these two types of ISDN is a remote access solution with ISDN PRI at the
corporate network supporting 23 dial-in connections for employees with ISDN BRI at home. An ISDN BRI
connection is also often implemented as a backup line between routers in WANs, such as in a Frame Relay
network as shown in the following image:




Besides this dial-up ISDN configuration for backup and other Dial on Demand Routing (DDR) configurations,
another service offered is ISDN BRI leased-line connections; the difference is that they always use both data
channels for the connection to the ISDN service provider and ISDN BRI leased-lines are always active.


ISDN Function groups


The ISDN function groups represent the devices in an ISDN environment such as terminals, terminal adapters,
network-termination devices and line-termination equipment. The following table lists these devices:

TE1 (Terminal Equipment 1)    Specialized ISDN terminals that understand the ISDN standards, for example
                              an ISDN telephone.

TE2 (Terminal Equipment 2)    Non-ISDN terminals that need a Terminal Adapter (TA) to connect to an ISDN
                              network, for example a regular telephone.

TA (Terminal Adapter)         Converts some other form of signaling to ISDN to allow non-ISDN devices (TE2)
                              to work on the 2-wire ISDN network.

NT1 (Network Termination 1)   Connects TE1 or TA devices to the ISDN network. In the US, the NT1 is located
                              at the customer's premises and owned by the customer. In other parts of the
                              world the NT1 is usually provided by the carrier (typically a telephone company).

NT2 (Network Termination 2)   The NT2 is a physical device that interfaces the NT1 to different types of
                              devices (TE1 or TA). In most cases it is a PBX at the customer's premises.
                              Take for example an apartment building or campus: if you have a demand for
                              ISDN lines from your renters (customers) you can order an ISDN PRI and
                              connect it to your local PBX. You can then extend the ISDN service to any
                              place in the building(s).


The following image shows the various function groups and reference points.





The following image illustrates some real-life situations. As you can see the NT2 is left out; most NT1 adapters
today have a U interface on one side and an S/T interface on the other, so you simply plug your TE1 or TA into
the NT1 and you're good to go.



The following image shows two types of routers. The upper one is usually used in North America, where the
demarcation point between the customer premises and the carrier's network is the U reference point; this
router is actually a TE1 with a built-in NT1 and is also known as a 'U router'. The other router is used in most
other parts of the world, where the NT1 is provided by the telco; this router is actually a TE2 with a built-in TA
and is also known as an 'S/T router'.





ISDN Reference points


ISDN specifies four reference points that define the logical interfaces/connections between function groups
(also represented in the image below):

R    defines the reference point between non-ISDN equipment (TE2) and a TA.

S    defines the reference point between TE1 or TA devices and an NT2.

T    defines the reference point between NT1 and NT2 devices.

U    defines the reference point between NT1 devices and line-termination equipment in a carrier network.
     Relevant in North America where the NT1 function isn't provided by the carrier network.



ISDN protocols


ISDN protocols are defined in ITU protocols that operate on the Physical, Data Link and Network layer of the
OSI model. There are several series of protocols dealing with different issues:

E series    defines the use of ISDN on the existing telephone network.

I series    deals with concepts, aspects, and services.

Q series    covers switching and signaling. The LAPD protocol is formally specified in ITU-T Q.920 and ITU-T
            Q.921. LAPD is the signaling protocol used on the D-channel in ISDN BRI and PRI.



Configure ISDN BRI and Legacy DDR


Configuring ISDN may seem to be complex but is rather simple in basic situations. The diagram below shows a
typical setup connecting two remote offices using an ISDN dial-up configuration.


First the ISDN switch type must be configured and should match the carrier's equipment. You can use the
isdn switch-type command in both global config mode (required) and interface configuration mode (optional if
different per interface). For example:


Router(config)#isdn switch-type basic-dms100

The correct switch type should be supplied by the carrier. Click here for a table at Cisco.com listing the ISDN
BRI service provider switch types. If you change the switch-type, you must reload the router for the new
switch type to take effect.


Although ISDN supports several upper-layer protocols such as IP, IPX and Appletalk, typically IP is used and
this is also the one relevant to the CCNA exam. Configuring an IP address on an ISDN BRI interface is done in
the same way as configuring an IP address for any other interface such as Ethernet or Serial:

Router(config)#interface bri 0

(to enter interface config mode)

Router(config-if)#ip address 172.16.22.115 255.255.255.0



Some service providers require the use of SPIDs for your ISDN device to be able to place or receive calls. A
SPID is usually the telephone number of the channel with some optional numbers which can be used to identify
the service(s) the customer is subscribed to. The SPID numbering scheme depends on the service provider and
the switch-type. For example, the DMS-100 switch type requires a SPID for each B channel.

Router(config-if)#isdn spid1 5055551234 0111

(B1 channel)

Router(config-if)#isdn spid2 5055551235 0111

(B2 channel)


The default encapsulation type for each B-channel is HDLC; however, PPP encapsulation is recommended over
HDLC in order to allow the use of CHAP authentication. The encapsulation type can be configured using the
following command in interface configuration mode:

Router(config-if)#encapsulation ppp


Now to configure the actual part that maps the link to the network layer using the dialer map command. It
defines the remote host where the calls are going, specifies whether broadcast messages will be sent and the
dialing string to use to set up the call. Here's the syntax of the command:

Router(config-if)#dialer map protocol next-hop-address name remote-name speed 56|64 dial-string

We'll break down the command using example options:

Router(config-if)#dialer map ip 172.16.22.114 name RouterB speed 64 broadcast 55588613213


- The IP address of the remote router's BRI interface used in this command is the next hop. In the global
configuration you will have to define a static route to the remote network pointing to the next hop address
used in the dialer map command. The use of static routes is very important, since you don't want to use
dynamic routing protocols for this type of connection because the routing updates will keep the link up.

- The remote name in name remote-name is the hostname of the other router.

- speed defaults to 64 (in kilobits) but you may need to set it to 56 in some situations.

- The broadcast option specifies whether broadcast packets such as routing updates are sent.

- The dial-string is the telephone number that should be dialed when making an outgoing connection. You
can leave out this number to configure the interface to only accept incoming connections.


The following commands define "interesting" traffic that will cause the router to place a call to make the
connection. For example, if you want the router to dial in for all IP traffic you need to configure a dialer-list and
bind it to the BRI interface:

Router(config)#dialer-list 1 protocol ip permit

Router(config)#int bri0

Router(config-if)#dialer-group 1


You can also use regular or extended access lists to permit all traffic except HTTP/HTTPS, for example. Instead
of using the options in the dialer-list command above you would specify the access list:

Router(config)#dialer-list 1 protocol ip list 101



The following command makes the router disconnect calls that haven't had any interesting traffic for the
configured time:

Router(config-if)#dialer idle-timeout seconds


To add some level of security and to identify the router when it dials out, you should use the Challenge
Handshake Authentication Protocol (CHAP). The hostname of the router is used to identify the router to another
router when sending messages.

Router(config-if)#ppp authentication chap



The global configuration username command is required when CHAP is used to specify the CHAP secret
message to use when challenged by another router. Important to know is that the two routers that need to talk
must share the same password.

Router(config)#username routerB password password




PPP Multilink


Multilink is a feature that enables the use of both B-channels combined for one call. To turn on multilink use
the following command:

Router(config-if)#ppp multilink


Use the following command to specify when the second B-channel should kick in (bandwidth on demand).
When the total load for this connection reaches this threshold, it brings up the other B channel. This value
represents a utilization percentage; it is a number between 1 and 255, where 255 is 100 percent.

Router(config-if)#dialer load-threshold 60



TROUBLESHOOTING AND MONITORING ISDN


Here are some commonly used show commands used to monitor and troubleshoot ISDN:


Router(config)#show interfaces bri number

Displays information about the physical attributes of the ISDN BRI B and D channels.


Router(config)#show controllers bri number

Displays protocol information about the ISDN B and D channels. Checks Layer 1 (physical layer) of the BRI.


Router(config)#show isdn {active | history | memory | status | timers}

Displays information about calls, history, memory, status, and Layer 2 and Layer 3 timers.


Router(config)#show dialer interface bri number

Obtains general diagnostic information about the specified interface. Checks Layer 3 (network layer).


Router(config)#show isdn status

Use to verify that ISDN BRI Layer 1 is ACTIVE, LAYER 2 State is MULTIPLE_FRAME_ESTABLISHED, and the
service profile identifiers (SPIDs) are valid.


Router(config)#debug q921

Checks Layer 2 (data link layer).


The following three commands offer more advanced methods to check Layer 3 (network layer) operation:


Router(config)#debug isdn events

Router(config)#debug q931

Router(config)#debug dialer



REFERENCES TO CISCO ISDN DOCUMENTATION


- Integrated Services Digital Network (ISDN)

- ISDN Glossary

- DDR Dialup Technology Overviews and Explanations

- Basic ISDN Sample Configuration

- More ISDN Configuration Examples

- Designing ISDN Internetworks





Current related exam objectives for the CCNA exam.


WAN Protocols

Identify ISDN protocols, function groups, reference points, and channels

Configure ISDN BRI and legacy dial-on-demand routing (DDR)


Network Management

Configure authentication types (CHAP/PAP) on PPP links



ACCESS LISTS


ACCESS LISTS


Access lists allow Cisco routers to function as a packet filter and are supported for several protocols, some of
them are listed in the following table:

Protocol              Range

IP standard           1 to 99 (and 1300 to 1999 in IOS 12.0 and higher)

IP Extended           100-199 (and 2000 to 2699 in IOS 12.0 and higher)

Ethernet type code    200-299

DecNet                300-399

XNS                   400-499

Extended XNS          500-599

AppleTalk             600-699

Ethernet address      700-799

IPX Standard          800-899

IPX Extended          900-999

IPX SAP               1000-1099


Access lists are lists of rules that either permit or deny certain inbound or outbound traffic from particular
hosts. The list is applied to one or more interfaces on the router. When the router routes traffic in and out of
these interfaces, the rules in the list are processed sequentially, looking for a matching rule permitting the
traffic to pass. When there is no matching rule permitting the traffic to pass it is denied because of the implicit
deny any at the end of each list. For example, if you deny telnet traffic to host 172.16.22.139 using the rule:

access-list 110 deny TCP any host 172.16.22.139 eq TELNET

and this would be the only rule in the access list, you would deny any IP traffic from entering or leaving the
router's interface.


The implicit deny all is, for many, a confusing part of access lists and often forgotten in practice, while in fact it
is very logical: if you want to protect a network using a packet filter you would typically start out with denying
everything and from there permit certain traffic or hosts to communicate. However, instead of protecting
private networks from external intruders, access lists are also commonly used to manage network traffic; for
example, if you do not want certain protocols or services available in particular subnets you can block only
those ports but permit all other traffic. This is also used as an effective way to prevent traffic such as ICMP
messages and routing updates from traveling over certain links.



Standard IP Access Lists


Standard IP access lists are used to permit/deny traffic from or to one or more IP addresses.


Use the global exec access-list command to create access lists:

router(config)#access-list number deny|permit source|any [log]


Use the interface config mode access-group command to bind the access list to an interface:

router(config-if)#ip access-group number in|out


For example, to deny hostC from sending traffic to the WAN in the network depicted in the diagram below, use
the following commands.


router(config)#access-list 10 deny 192.168.23.11

router(config)#access-list 10 permit any

router(config)#interface ethernet 0

router(config-if)#ip access-group 10 in




When traffic is sent to the router's Ethernet interface the rules in access list 10 are processed; if the traffic is
sent by hostC the router drops the packets and stops processing the rules. The rule access-list 10 permit any
is included because of the implicit deny. There must be at least one 'permit' rule, otherwise the protocol is
completely disabled for the interface as soon as you bind it.



Wildcard Masks/Inverse Masks


Instead of specifying a single IP address you can also permit or deny networks/subnets completely or partly
using wildcard masks, also known as inverse masks. To understand this concept it helps a lot if you have some
basic understanding of subnetting.


The first example is simple: if you want to deny access to all hosts in the network 172.16.23.0 with subnet
mask 255.255.255.0 you would use 172.16.23.0 0.0.0.255 as the source in the access-list command. When
the router checks if the addressing information of an incoming packet matches the denied address specified
in the access list, it only cares about the part of the address where the corresponding bits in the inverse
mask are 0. The part of the address where the corresponding bits in the inverse mask are set to 1 can be
anything (in this example 0 to 255).


In other situations, where you want to specify a range of addresses that does not have the boundary between
0s and 1s exactly between octets, you might need to convert it all to binary to determine the inverse mask. For
example, you want to specify the network 172.18.16.0 with the subnet mask 255.255.240.0. When you
convert this mask to binary it shows that in this subnet mask the first 20 bits are set to 1
(11111111.11111111.11110000.00000000), so the inverse mask would have the first 20 bits set to 0:
00000000.00000000.00001111.11111111, which is 0.0.15.255 in decimal notation. This would specify the
address range 172.18.16.0 to 172.18.31.255.


If you want the source or destination to be any host from any network you could use the address 0.0.0.0 with
the inverse mask 255.255.255.255, but to save you from pressing so many keys you can use the keyword any
instead.


In extended access lists the keyword host can be used to replace the 0.0.0.0 inverse mask. Instead of
specifying a single address with 192.168.23.11 0.0.0.0 you can use host 192.168.23.11.



Extended IP Access Lists


Extended IP access lists give more detailed control compared to standard lists, which only allow you to deny or
permit traffic from a certain source. Extended lists allow you to permit or deny particular TCP/IP traffic based
on the Transport protocol being used (TCP or UDP) and the service or application (e.g. SMTP, Telnet) from
source addresses AND destination addresses.


Use the global exec access-list command to create access lists. This command supports numerous
arguments, most of them beyond the scope of the CCNA exam; at the bottom of this TechNote are links to
documents at Cisco.com explaining the complete syntax. Nevertheless, here's the most important part:

router(config)#access-list number deny|permit protocol source|any destination|any


When TCP or UDP is used as the protocol argument, two other important arguments are operator and port.
The port argument can be a TCP or UDP port number or name (e.g. 21 or FTP, 23 or TELNET, 123 or NTP); the
operator is usually eq, which means equal, other options include lt (less than) and gt (greater than).


Use the interface config mode access-group command to apply the access list to an interface:

router(config-if)#ip access-group number in|out


Take a look at the diagram below for an example:




You can prevent SMTP traffic originating from the WANs from traveling over link A by putting an outbound
extended IP access list on the Serial 0 interface of RouterX. Use the following commands on RouterX:


router(config)#access-list 105 deny TCP any host 172.16.11.253 eq SMTP

router(config)#access-list 105 permit IP any any

router(config)#interface serial 0

router(config-if)#ip access-group 105 out


Here's another example using the same diagram above. It shows how you can use extended access lists to
control ICMP traffic (used for utilities such as ping and trace). For example, to deny the hosts in the Ethernet
network attached to RouterY the use of ICMP to communicate with hosts on the other side of the router, use the
following commands on RouterY:


router(config)#access-list 102 deny icmp 192.168.115.0 0.0.0.255 any

router(config)#access-list 102 permit IP any any

router(config)#interface serial 1

router(config-if)#ip access-group 102 out
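The wildcard-mask arithmetic from the previous section and the first-match, implicit-deny processing behind the access lists above, worked through in code. This is an added example, not part of the original TechNote and not IOS code; it parses only the subset of the access-list syntax shown on this page, and the packets it evaluates are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


# --- Wildcard (inverse) masks, as described in the Wildcard Masks section ---

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_mask(subnet_mask: str) -> str:
    """Bitwise complement of a subnet mask: 255.255.240.0 -> 0.0.15.255."""
    return str(ipaddress.IPv4Address(_ip(subnet_mask) ^ 0xFFFFFFFF))


def address_range(network: str, wildcard: str) -> tuple:
    """First and last address covered by 'network wildcard' in access-list notation."""
    n, w = _ip(network), _ip(wildcard)
    return (str(ipaddress.IPv4Address(n & (0xFFFFFFFF ^ w))),
            str(ipaddress.IPv4Address(n | w)))


def matches(addr: str, network: str, wildcard: str) -> bool:
    """The router only compares the bits where the wildcard mask is 0."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(network) & care)


# --- A small first-match evaluator for the numbered access lists on this page ---

ANY = ("0.0.0.0", "255.255.255.255")          # what the keyword 'any' expands to
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "ntp": 123}


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip", "tcp", "udp" or "icmp"
    src: tuple                      # (network, wildcard)
    dst: tuple
    dst_port: Optional[int] = None  # only for 'eq <port>' on tcp/udp


@dataclass
class Packet:                       # constructed, minimal view of a packet
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    t = tokens.pop(0).lower()
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def parse_rule(line: str) -> Rule:
    """Parse the subset of 'access-list N permit|deny ...' syntax used on this page."""
    tokens = line.split()
    number, action = int(tokens[1]), tokens[2].lower()
    rest = tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:      # standard list: source only
        if len(rest) == 1 and rest[0].lower() != "any":
            rest.append("0.0.0.0")                         # bare address means one host
        return Rule(action, "ip", _take_addr(rest), ANY)
    protocol = rest.pop(0).lower()                         # extended list
    src, dst = _take_addr(rest), _take_addr(rest)
    port = None
    if rest and rest[0].lower() == "eq":
        name = rest[1].lower()
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Rule(action, protocol, src, dst, port)


def evaluate(acl: list, pkt: Packet) -> str:
    """Rules are processed in order; the first match decides, otherwise the implicit deny."""
    for r in acl:
        if r.protocol != "ip" and r.protocol != pkt.protocol:
            continue
        if not (matches(pkt.src, *r.src) and matches(pkt.dst, *r.dst)):
            continue
        if r.dst_port is not None and pkt.dport != r.dst_port:
            continue
        return r.action
    return "deny"          # implicit 'deny any' at the end of every access list


# Access list 105 from the RouterX example above.
ACL_105 = [parse_rule("access-list 105 deny TCP any host 172.16.11.253 eq SMTP"),
           parse_rule("access-list 105 permit IP any any")]
# The single-rule list 110 from the introduction: everything hits the implicit deny.
ACL_110 = [parse_rule("access-list 110 deny TCP any host 172.16.22.139 eq TELNET")]

if __name__ == "__main__":
    print(wildcard_mask("255.255.240.0"), address_range("172.18.16.0", "0.0.15.255"))
    print(evaluate(ACL_105, Packet("tcp", "10.9.8.7", "172.16.11.253", 25)))   # deny
    print(evaluate(ACL_105, Packet("tcp", "10.9.8.7", "172.16.11.253", 80)))   # permit
    print(evaluate(ACL_110, Packet("tcp", "10.9.8.7", "172.16.22.140", 80)))   # deny
```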



Remove access list from interface:

router(config-if)#no ip access-group number|name in|out

For example:
router(config-if)#no ip access-group 102 out


Delete access-list from configuration:

router(config)#no access-list number|name

For example:
router(config)#no access-list 102



Named Access Lists


If your router is running IOS 11.2 or higher, you can create named access lists. Instead of choosing a number
between 1-99 for standard IP access lists, you can use a custom name, which allows for more lists.

The commands to create a named access list are different from those mentioned above.


To create a list use the following command in global configuration mode:

router(config)#ip access-list {standard | extended} name


This command will take you into access-list configuration mode where you can define the deny and permit
rules. For example, to create a named access list with the name wwwfilter and permit only access from the
networks 192.168.132.0, 172.17.0.0 and 10.0.0.0 use the following commands:


router(config)#ip access-list standard wwwfilter

router(config-std-nacl)#permit 192.168.132.0 0.0.0.255

router(config-std-nacl)#permit 172.17.0.0 0.0.255.255

router(config-std-nacl)#permit 10.0.0.0 0.255.255.255


Use the exit command to exit access-list configuration mode.


A named list is applied to an interface in the same way as with numbered lists:

router(config-if)#ip access-group wwwfilter out



VTY Lines


You can also use standard access lists to limit access to VTY lines. For example:


router(config)#access-list 5 permit 192.168.23.8

router(config)#line 0 5

router(config)#access-class 5 in



Monitoring and Verifying


The following commands are useful for monitoring and verifying the operation of access lists.


The show ip interface command displays which access lists are applied to the specified interface, for
example:

router(config)#show ip interface serial 1


The following command displays the contents of an access list and, if applied to an interface, the number of
matches per permit/deny rule:

router(config)#show access-lists number|name


If you don't specify an access-list number or name, all the current access lists will be displayed. You can also
use the show ip access-lists command to display one or all the current IP access lists.



Click one of the references below for more information about the commands and their exact arguments:


References:

- Cisco IOS Software Releases 12.1 Mainline IP Services Commands - IP Services Commands - Cisco Systems

- IP Addressing Services Configuring Commonly Used IP ACLs - Cisco Systems




Current related exam objectives for the CCNA exam:


Network Management

Monitor and verify selected access list operations on the router

Configure access lists to meet specified operational requirements





EIGRP:


EIGRP


The Enhanced Interior Gateway Routing Protocol (EIGRP) is the successor of IGRP; it is more scalable and
offers faster convergence. Unlike IGRP, EIGRP is a classless routing protocol, hence it supports VLSM. It was
developed by Cisco and is supported on Cisco equipment only. In addition to IP, EIGRP can also be used to
route IPX and AppleTalk. In contrast to IGRP, EIGRP is considered to be a hybrid routing protocol, because it
has distance vector as well as link-state characteristics. Thanks to those link-state characteristics, routing
updates can be partial; they do not need to contain the complete routing table as with RIP and IGRP. Also,
updates are not sent periodically, but only when necessary, and only to those neighboring routers that need
to know. This results in low bandwidth and CPU usage, and makes EIGRP a fast routing protocol suitable for
large networks. The maximum hop count in EIGRP is 224. EIGRP allows for secure routing updates using
authentication, to prevent unauthorized or false routing messages, although this is disabled by default.
EIGRP updates use the multicast address 224.0.0.10.


Besides maintaining a routing table, EIGRP maintains a topology table based on the information it receives in hello packets, and a neighbor table listing the directly connected neighbors. The neighbors are discovered using hello packets, which are sent out periodically to check if the connection to the neighbor is still available. EIGRP uses five packet types: Hello/Acks, Updates, Queries, Replies, and Requests. When an EIGRP router stops receiving hello packets from a neighbor for a configurable amount of time, it will consider that router unreachable. The topology table is then searched for a backup route known as a feasible successor; if there isn't one, a multicast query is sent out to find a new route. If another router responds with an alternative route, the topology table is updated and a new route is added to the routing table.


EIGRP uses the Diffusing Update Algorithm (DUAL) for route calculation and to prevent routing loops. By default the best route is determined based on two metrics, bandwidth and delay, but others can be used as well:

bandwidth - Minimum bandwidth of the route in kbps * 256
delay - Sum of route delay (in tens of microseconds) * 256
reliability - The value 255 means 100 percent reliability; 0 means no reliability
load - Effective bandwidth of the route expressed as a number from 0 to 255 (255 is 100 percent loading)
MTU - Maximum transmission unit (MTU) size of the route in bytes. It can be 0 or any positive integer

The formula used to calculate the composite metric is:

metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]

By default K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0. You can change these values, and hence the outcome of the formula, by using the metric weights command in router configuration mode:

Router(config-router)#metric weights tos k1 k2 k3 k4 k5

Tos is short for Type of Service and must be 0 (zero). Note that the default bandwidth for an interface is T1 speed; you can change this by using the bandwidth command in Interface Configuration mode.


To configure EIGRP on a router, use the following command:

Router(config)#router eigrp as-number

The as-number value is the Autonomous System (AS), also known as domain and process. This must be a positive decimal number. Routes from routers in one AS are not injected into another AS by default. Through a process called route tagging, a router is able to be part of more than one AS, which, for example, can be used to route IPX and IP over the same network simultaneously. If a route from one AS is injected into another AS using route redistribution, the route will be tagged as external, which influences the administrative distance. The administrative distance for internal EIGRP is 90 and for external EIGRP 170. These default values can be changed by using the following command:

Router(config-router)#distance eigrp internal external

The internal and external values can be an integer from 0 to 255; remember that routes with an administrative distance of 255 are marked unknown, and will not be used.

The network command is used to specify which networks are directly connected to the router, and to allow the interfaces in those networks to be advertised in EIGRP routing updates. The following is an example of a simple EIGRP configuration:

Router(config)#router eigrp 22
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.10.0

Optionally, since IOS 12.0, the network command supports a network mask.


As mentioned earlier, EIGRP sends routing updates to its neighbors only. A system using hello packets is used to discover, identify and build relationships with neighboring routers. The hello packets are sent periodically to determine if a neighbor (and its interfaces) is still available. The default hello interval is 60 seconds for low-speed (bandwidth T1 or slower) nonbroadcast multiaccess (NBMA) networks such as ATM and multipoint Frame Relay, and 5 seconds for all other networks. You can change the hello interval by using the following command in interface configuration mode:

Router(config-if)#ip hello-interval eigrp as-number seconds

After a hello packet is sent, a router will wait until the hold timer expires for a response before it considers a router to be unreachable. The hold time defaults to 3 times the hello interval; you can change this by using the following command in interface configuration mode:

Router(config-if)#ip hold-time eigrp as-number seconds


EIGRP supports load balancing over unequal paths; this means adding multiple primary routes for a single destination to the routing table even if the metrics are not equal. For example, if you want to load balance between connection A and B, you can use the variance command to allow connection B to be included in the routing table as a feasible route to the same destination, even if it has a greater metric than connection A. Use the following command in router configuration mode:

Router(config-router)#variance multiplier

The multiplier value can be an integer from 1 to 128; the default is 1, which means equal-cost load balancing. If the value is set to 3, routes with a metric up to 3 times the local best metric are considered equal.
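As an added example that is not part of the original text, the following Python code works the composite metric formula from the DUAL section through with the default K values, and then applies the variance rule from the paragraph above to a set of candidate routes. It assumes the scaling Cisco uses for the two active terms: the bandwidth term is 10^7 divided by the minimum bandwidth in kbps (truncated) times 256, and the delay term is the summed delay in tens of microseconds times 256. Two points the formula as printed does not show are handled in code: when K5 is 0 (the default) the reliability factor is not applied at all, otherwise every metric would come out as 0; and EIGRP only installs an unequal-cost route through variance when its reported distance is lower than the best metric (the feasibility condition). The route table passed to variance_candidates is constructed sample data.

```python
from typing import Dict, List, Tuple

# K1..K5 as set by the default "metric weights 0 1 0 1 0 0"
DEFAULT_K = (1, 0, 1, 0, 0)


def scaled_bandwidth(min_bw_kbps: int) -> int:
    """Bandwidth term: 10^7 / minimum bandwidth on the path (kbps), truncated, * 256."""
    return (10_000_000 // min_bw_kbps) * 256


def scaled_delay(total_delay_usec: int) -> int:
    """Delay term: sum of interface delays in tens of microseconds, * 256."""
    return (total_delay_usec // 10) * 256


def composite_metric(min_bw_kbps: int, total_delay_usec: int,
                     reliability: int = 255, load: int = 1,
                     k: Tuple[int, int, int, int, int] = DEFAULT_K) -> int:
    """Composite metric for one path, following the formula in the text."""
    k1, k2, k3, k4, k5 = k
    bw = scaled_bandwidth(min_bw_kbps)
    dly = scaled_delay(total_delay_usec)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    # With K5 = 0 the reliability factor is skipped, not multiplied in;
    # applying the printed formula literally would give 0 for every route.
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric


def variance_candidates(routes: Dict[str, Tuple[int, int]], variance: int) -> List[str]:
    """routes maps a next hop to (metric via that hop, reported distance).

    Returns the next hops that "variance <multiplier>" would install: the best
    path, plus any path whose metric is at most variance * best and whose
    reported distance is below the best metric (feasibility condition)."""
    best = min(metric for metric, _ in routes.values())
    return sorted(hop for hop, (metric, rd) in routes.items()
                  if metric <= variance * best and (metric == best or rd < best))


# Constructed sample: three paths to the same destination.
SAMPLE_ROUTES = {
    "A": (composite_metric(1544, 20000), 512000),   # T1 serial, default delay
    "B": (5_000_000, 1_000_000),                     # slower but feasible
    "C": (7_000_000, 3_000_000),                     # too slow for variance 3
}

if __name__ == "__main__":
    print("T1 metric:", composite_metric(1544, 20000))
    print("installed with variance 3:", variance_candidates(SAMPLE_ROUTES, 3))
```

The T1 figure the block prints is the value you see in show ip route for a serial link left at its defaults (1544 kbps, 20000 microseconds delay); changing bandwidth on the interface moves only the first term, which is why that command is the usual lever for steering EIGRP.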


Another useful feature of EIGRP is automatic route summarization, which summarizes subnets to the classful network boundary. This is enabled by default; you can turn it off per AS by using the following command in router configuration mode:

Router(config-router)#no auto-summary

(and turn it on again with: Router(config-router)#auto-summary)

EIGRP summary routes have an administrative distance value of 5.

You can also configure a summary aggregate address for a specific interface by using the following command in Interface configuration mode:

Router(config-if)#ip summary-address eigrp as-number network-address subnet-mask [admin-distance]



Static routes and routes from other routing protocols such as RIP, IGRP, and OSPF can be redistributed into the EIGRP Autonomous System by using the redistribute command. For example, if you want to redistribute OSPF process 10 into EIGRP AS 20:

Router(config)#router eigrp 20
Router(config-router)#redistribute ospf 10
Router(config-router)#default-metric 10000 100 255 1 1500

The default-metric command is used to configure a default metric for external routes being redistributed into the AS. The syntax for EIGRP is:

Router(config-router)#default-metric bandwidth delay reliability loading mtu

IGRP routes can be automatically redistributed into EIGRP and vice versa, as long as the autonomous system number is the same.



Troubleshooting

First, a very useful command which is often used to troubleshoot routing: show ip protocols. Per routing protocol and AS it displays parameters such as the values of the K1-K5 metric weights, the networks involved, timers, hop count, outgoing filters, redistributed networks and more. Use the command in EXEC mode:

Router#show ip protocols

To show all routes in the routing table learned by EIGRP:

Router#show ip route eigrp

Show all IP routes in the routing table by omitting the eigrp option.

To display information about neighboring routers discovered using hello packets, including the interface type and number, the smooth round-trip timer (SRTT), and the hold time (the latter can be used to determine the hello interval if it is not manually configured), use the following command:

Router#show ip eigrp neighbors

The following command displays entries in the EIGRP topology table:

Router#show ip eigrp topology

If the command is used without any options, only routes that are feasible successors are displayed. The following command would display only the active entries in the topology table, in less detail:

Router#show ip eigrp topology active summary

You can also specify an IP address and subnet mask to display a detailed description of the entry, for example:

Router#show ip eigrp topology 192.168.1.0 255.255.255.0

The following command shows the packet count for the five different types of EIGRP packets sent and received:

Router#show ip eigrp traffic

Use the following command in EXEC mode to display information about the interfaces configured with EIGRP. You can use this to determine on which interfaces EIGRP is active; if you do not specify an interface and/or AS, all interfaces running EIGRP and/or from all ASs will be displayed.

Router#show ip eigrp interfaces [interface-type interface-number] [as-number]
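The output of show ip eigrp neighbors is where a troubleshooting session usually starts, so here is an added example (not from the original guide) of a Python parser for it. The neighbor table below is constructed in the style of the IOS output; its addresses and timer values are made up. The code reads each neighbor row, maps the observed hold countdown back to the default hello/hold pair it fits (5/15 or 60/180 seconds, the defaults described above), and flags neighbors whose Q Cnt column is non-zero, meaning packets are still queued for that neighbor.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of "show ip eigrp neighbors"; not captured
# from a real router. Addresses, interfaces and timer values are made up.
SAMPLE_NEIGHBORS = """\
IP-EIGRP neighbors for process 22
H   Address                 Interface   Hold Uptime   SRTT   RTO  Q  Seq
                                        (sec)         (ms)       Cnt Num
1   192.168.22.6            Se0           13 00:17:21    28   200  0  6
0   10.0.0.2                Et0          170 01:05:44     5   200  3  4
"""

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q cnt, seq
ROW_RE = re.compile(
    r"^\s*(?P<h>\d+)\s+(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<hold>\d+)\s+(?P<uptime>\S+)\s+(?P<srtt>\d+)\s+(?P<rto>\d+)\s+"
    r"(?P<qcnt>\d+)\s+(?P<seq>\d+)\s*$"
)


def parse_neighbors(text: str) -> List[Dict]:
    """Return one dict per neighbor row; header lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            rows.append({
                "address": d["address"], "interface": d["iface"],
                "hold": int(d["hold"]), "uptime": d["uptime"],
                "srtt": int(d["srtt"]), "rto": int(d["rto"]),
                "qcnt": int(d["qcnt"]),
            })
    return rows


def infer_default_timers(hold_seen: int) -> Optional[Tuple[int, int]]:
    """Map the hold countdown shown in the table to the default (hello, hold)
    pair it fits. The counter starts at the configured hold time and counts
    down, so a value of 15 or less fits the 5/15 default and a value up to
    180 fits the 60/180 NBMA default. Returns None for a non-default hold."""
    if hold_seen <= 15:
        return (5, 15)
    if hold_seen <= 180:
        return (60, 180)
    return None


def stuck_neighbors(rows: List[Dict]) -> List[str]:
    """Neighbors with packets still queued (Q Cnt > 0); a count that does not
    drain over successive snapshots points at a link or MTU problem."""
    return [r["address"] for r in rows if r["qcnt"] > 0]


if __name__ == "__main__":
    for r in parse_neighbors(SAMPLE_NEIGHBORS):
        print(r["address"], r["interface"], "timers:", infer_default_timers(r["hold"]))
    print("queued:", stuck_neighbors(parse_neighbors(SAMPLE_NEIGHBORS)))
```

Because the Hold column is a countdown, a single snapshot only brackets the configured value; take two readings a few seconds apart if you need the exact hello interval on a link whose timers were changed by hand.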



EIGRP References

- Introduction to EIGRP
- Enhanced Interior Gateway Routing Protocol white paper
- EIGRP Commands
- Redistributing Routing Protocols




Current related exam topics for the 643-801 BSCI exam:

Exam Topics
- Describe the features and operation of EIGRP

Implementation and Configuration
- Given a set of network requirements, identify the steps to configure an Enhanced IGRP environment and verify proper operation (within described guidelines) of your routers

Troubleshooting
- Identify the steps to verify Enhanced IGRP operation





CONFIGURING RIP:

Note: to perform this lab you need 2 Cisco routers connected and two hosts; we assumed two 2501 routers, but pretty much anything will do. This lab does not cover how to physically connect the routers and the hosts, but rather assumes you can tell by looking at the diagram. This lab comes in three versions: the one you are looking at, a printer-friendly version with the commands, and a printer-friendly version without the commands which can be used as an assessment. The printer-friendly versions are for members only. Also note that the commands in this lab often include the router command prompt and never use the abbreviated form.

This first TechExams.Net CCNA Lab will cover a couple of basic configuration tasks, such as setting passwords and enabling IP routing using RIP. You will need a lab setup similar to the network diagram below:

Before you start, make sure you clear both routers' configuration using the Router#erase startup-config command. First we will configure RouterA; after the router reboots, the following message will be displayed:

% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]

Type no and press ENTER. Press ENTER again when the message Press RETURN to get started appears. Type enable at the Router> command prompt to enter Privileged Exec mode; notice the prompt changes to Router#.



STEP 1. Change the router's host name to RouterA

Enter configuration mode using the following command:

Router#configure terminal

Change the host name of the router to RouterA using the following command:

Router(config)#hostname RouterA


STEP 2. Disable domain lookups

To prevent the router from interpreting every incorrectly typed command as a host name and trying to resolve it to an IP address to set up a telnet connection with it, use the following command:

Router(config)#no ip domain-lookup


STEP 3. Configure passwords

First set the enable password to cisco123 using the following command:

Router(config)#enable password cisco123

Next, set the password for telnet connections to cisco456 using the following commands:

Router(config)#line vty 0 4
Router(config-line)#password cisco456
Router(config-line)#login

The passwords stored in the router's configuration must be encrypted; use the following command:

Router(config)#service password-encryption



STEP 4. Configure LAN interfaces

Switch to Interface configuration mode for the Ethernet interface, using the following command:

Router(config)#interface Ethernet 0

Give it the description "Connected to LAN" using the following command:

Router(config-if)#description connected to LAN

Configure the IP address (see diagram for correct address) for the interface using the following command:

Router(config-if)#ip address 192.168.11.1 255.255.255.0

Enable the interface using the following command:

Router(config-if)#no shutdown


STEP 5. Configure WAN interfaces

Switch to Interface configuration mode for the first Serial interface, using the following command:

Router(config)#interface Serial 0

Give it the description "Direct connection to RouterB" using the following command:

Router(config-if)#description connected to RouterB

Configure the IP address (see diagram for correct address) for the interface using the following command:

Router(config-if)#ip address 192.168.22.5 255.255.255.0

Configure the interface to use PPP encapsulation using the following command:

Router(config-if)#encapsulation ppp

Enable the interface using the following command:

Router(config-if)#no shutdown



STEP 6. Configure RIP

Use the following command to enable RIP on RouterA:

Router(config)#router rip

Configure the router to receive and send only RIP Version 2 packets using the following command:

Router(config-router)#version 2

Use the following commands to specify the networks directly connected to the router:

Router(config-router)#network 192.168.11.0
Router(config-router)#network 192.168.22.0

Change the update timer to 45 seconds, the invalid timer and the holddown timer to 270, and the flush timer to 360 seconds, using the following command:

Router(config-router)#timers basic 45 270 270 360


STEP 7. Save configuration

To copy the currently running active configuration to NVRAM, so it will be used the next time you reload the router, use the following command:

Router#copy running-config startup-config


STEP 8. Configure the second router

To configure the other router, RouterB, repeat the steps above. Use the network diagram to determine the correct addressing and names. To enable the back-to-back serial connection between the routers, you need to configure one router as DCE using the following command in Interface configuration mode for the serial connection on RouterB:

Router(config-if)#clock rate 64000



STEP 9. Verify and test the configuration

Verify connectivity using the ping command from Host A to Host B; make sure you configured both hosts to use the nearest router's interface as the default gateway in their TCP/IP settings.

On both routers, run the following command in Privileged Exec mode to determine which device is the DCE:

Router#show controllers s0

On one of the routers, run the following command in Privileged Exec mode to display the parameters and current state of the active routing protocol process, and examine the output:

Router#show ip protocols

Use the following command to verify routing table entries on both routers:

Router#show ip route

Use the following command to list a summary of the interface's IP information and status on both routers, and examine the output:

Router#show ip interface

Use the same command with the brief option, and notice the output:

Router#show ip interface brief
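As an added example that is not part of the lab itself, the Python script below audits a captured running-config against the steps of this lab: hostname, domain lookups disabled, vty password and login, RIP version 2 with both networks, consistent timers and, most importantly, no password left in clear text. Both configurations in the block are constructed, not taken from a real router, and the string PLACEHOLDER stands in for whatever IOS prints after password 7. The second configuration is the same lab box before service password-encryption was applied, so the audit shows what it catches.

```python
import re
from typing import Dict, List

# Constructed running-config for RouterA after all lab steps (not captured
# from a real device). PLACEHOLDER stands in for the encoded password text.
ROUTERA_RUNNING_CONFIG = """\
service password-encryption
!
hostname RouterA
!
no ip domain-lookup
!
enable password 7 PLACEHOLDER
!
interface Ethernet0
 description connected to LAN
 ip address 192.168.11.1 255.255.255.0
!
interface Serial0
 description connected to RouterB
 ip address 192.168.22.5 255.255.255.0
 encapsulation ppp
!
router rip
 version 2
 timers basic 45 270 270 360
 network 192.168.11.0
 network 192.168.22.0
!
line vty 0 4
 password 7 PLACEHOLDER
 login
!
end
"""

# Same box before the password-encryption step of STEP 3 (constructed).
WEAK_RUNNING_CONFIG = (ROUTERA_RUNNING_CONFIG
    .replace("service password-encryption\n!\n", "")
    .replace("enable password 7 PLACEHOLDER", "enable password cisco123")
    .replace("password 7 PLACEHOLDER", "password cisco456"))

# "password <text>" or "enable password <text>" not followed by the "7 " marker
PLAINTEXT_PW = re.compile(r"^(?:enable )?password (?!7 )\S+")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level line to the indented lines beneath it ('!' separators
    and blank lines are dropped). Global commands map to an empty list."""
    sections: Dict[str, List[str]] = {}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_lab_config(config: str, hostname: str = "RouterA") -> List[str]:
    """Return a list of findings; an empty list means every lab step is present."""
    s = parse_sections(config)
    findings: List[str] = []
    if f"hostname {hostname}" not in s:
        findings.append("hostname not set")
    if "no ip domain-lookup" not in s:
        findings.append("no ip domain-lookup missing")
    if "service password-encryption" not in s:
        findings.append("service password-encryption missing")
    for head, body in s.items():
        for line in [head] + body:
            if PLAINTEXT_PW.match(line):
                findings.append(f"plaintext password: {line}")
    vty = s.get("line vty 0 4", [])
    if "login" not in vty or not any(l.startswith("password") for l in vty):
        findings.append("vty lines lack password/login")
    rip = s.get("router rip", [])
    if "version 2" not in rip:
        findings.append("RIP not pinned to version 2")
    for net in ("192.168.11.0", "192.168.22.0"):
        if f"network {net}" not in rip:
            findings.append(f"RIP missing network {net}")
    for line in rip:
        if line.startswith("timers basic"):
            # Sanity check only: invalid must exceed update, flush not below invalid
            upd, inv, hold, flush = map(int, line.split()[2:6])
            if not (upd < inv <= flush):
                findings.append(f"inconsistent RIP timers: {line}")
    return findings


if __name__ == "__main__":
    print("lab config:", audit_lab_config(ROUTERA_RUNNING_CONFIG))
    print("before encryption:", audit_lab_config(WEAK_RUNNING_CONFIG))
```

Run it on the text of show running-config from each router after STEP 8; the findings list tells you which step was skipped on that box.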