Wednesday, May 6, 2009
Router Boot Sequence
Booting up the Router
Cisco routers can boot Cisco IOS software from these locations:
1. Flash memory
2. TFTP server
3. ROM (not full Cisco IOS)
Multiple source options provide flexibility and fallback alternatives
Locating the Cisco IOS Software
Default boot sequence for Cisco IOS software:
1. NVRAM
2. Flash (sequential)
3. TFTP server (network boot)
4. ROM (partial IOS)
Note: boot system commands can be used to specify the primary IOS source and fallback sequences.
Booting up the router and locating the Cisco IOS
1. POST (power on self test)
2. Bootstrap code executed
3. Check the Configuration Register value (NVRAM), which can be modified using the config-register command:
0 = ROM Monitor mode
1 = ROM IOS
2 - 15 = startup-config in NVRAM
4. Startup-config file: Check for boot system commands (NVRAM)
If boot system commands in startup-config
a. Run boot system commands in order they appear in startup-config to locate the IOS
b. If the boot system commands fail, use the default fallback sequence to locate the IOS:
a. Flash (sequential)
b. TFTP server (netboot)
c. ROM (partial IOS) or keep retrying TFTP depending upon router model
5. If an IOS is loaded (via the default fallback sequence) but there is no startup-config file, the router enters setup mode (the setup dialogue).
6. If no IOS can be loaded, the router will get the partial IOS version from ROM
==========================================================
Default (normal) Boot Sequence
Power on router -> router does POST -> bootstrap starts IOS load -> check the configuration register in NVRAM to see what mode the router should boot up in (usually 0x102 to 0x10F, meaning look in the startup-config file) -> check the startup-config file in NVRAM for boot system commands (normally there aren't any) -> load IOS from Flash.
Boot System Commands
Router(config)# boot system flash <IOS filename> - boot from Flash memory
Router(config)# boot system tftp <IOS filename> <TFTP server IP address> - boot from a TFTP server
Router(config)# boot system rom - boot from system ROM
Configuration Register Command
Router(config)# config-register 0x10x (where that last x is 0-F in hex)
When the last x is:
0 = boot into ROM Monitor mode
1 = boot the ROM IOS
2 - 15 = look in startup config file in NVRAM
CISCO 2500 Router Recovery Procedures
Cisco 2500 Router
Enable Secret Password Recovery Procedures
- Attach a PC to the console port of the router. Password recovery cannot be done remotely.
- Type show version at the console prompt. You only have to be in User mode to run the show version command. Make a note of the configuration register number. It will almost always be 0x2102, but might be 0x102. If you cannot do a show version, use 0x2102 or check a similar router for its configuration register.
- Once you have this information follow these steps:
Basic Steps
Power reset the router.
Go into ROMMON mode for password recovery.
Set the configuration register to boot the router without loading the configuration file.
Reboot the router.
Copy the startup-configuration into memory.
Go into Global Configuration mode and change the password.
Reset the configuration register to boot the router using the startup configuration file.
Save the configuration back to NVRAM.
Reboot the router.
Step Details
Step 1 | Power reset the Router. |
Step 2 | Within 60 seconds of the router reboot, press the Ctrl+Break keys. This puts the router in ROMMON mode. |
Step 3 | The router should boot to a router> prompt with no router name. |
Step 4 | Type o/r 0x42 at the router> prompt. This tells the router to boot from Flash Memory without loading the configuration file. If you want to boot from ROM instead, type o/r 0x41. |
Step 5 | Type i at the router prompt. The router will now reboot, but ignore its saved configuration (which contains the forgotten password). |
Step 6 | When the router boots up it will ask you if you want to configure the router. Press Ctrl+C to break out of the startup configuration. |
Step 7 | Type enable at the router> prompt. This will put you in enable or Privileged mode and the prompt will look like this: router# |
Step 8 | Type copy startup-config running-config (or copy start run) to copy the startup configuration into memory. With the startup configuration in memory you can now change the enable secret password. |
Step 9 | At the router# prompt type config t to go into global configuration mode. |
Step 10 | At the router(config)# prompt type enable secret new_password where new_password is a new password. |
Step 11 | You now need to change your configuration register to tell the router to boot up with the startup configuration file. Type config-register 0x2102 and press enter. This tells the router to load the startup-config file in NVRAM when it boots up. (use the number you saved from the show version command) |
Step 12 | Press Ctrl+Z to leave global configuration mode. |
Step 13 | At the router# prompt type copy running-config startup-config (or copy run start). This will save your password change to NVRAM. |
Step 14 | Type reload and press enter to reboot the router. |
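The configuration register values used above (0x2102, 0x102, 0x42, 0x41) decoded in code, as an added example that is not part of the original notes: the boot field follows the table above, while the ignore-startup-config bit (0x40, the bit that o/r 0x42 and o/r 0x41 set) is taken from Cisco's documented register layout rather than from this page. The show version text is constructed and the function names are my own.

```python
import re

# Constructed sample of the relevant line from a Cisco IOS 'show version'
# output (the line format is real; the value is made up for this example).
SAMPLE_SHOW_VERSION = """
Cisco 2500 Software ... (example text, constructed)
Configuration register is 0x42
"""

# Boot-field meanings as listed in the notes above (low four bits).
BOOT_FIELD = {0: "ROM Monitor mode", 1: "boot the ROM IOS"}
DEFAULT_BOOT = "look in startup-config in NVRAM for boot system commands"
# Bit 6 (0x40) tells the router to ignore the startup-config in NVRAM; this is
# what o/r 0x42 / 0x41 set during password recovery. The bit assignment is
# Cisco's documented register layout, not spelled out on the page.
IGNORE_NVRAM_BIT = 0x40


def decode_config_register(value: int) -> dict:
    """Return the boot field and the ignore-startup-config flag of a register value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    boot_field = value & 0xF
    return {
        "boot_field": boot_field,
        "boot_mode": BOOT_FIELD.get(boot_field, DEFAULT_BOOT),
        "ignore_startup_config": bool(value & IGNORE_NVRAM_BIT),
    }


def register_from_show_version(text: str) -> int:
    """Pull the register value out of 'show version' output."""
    m = re.search(r"Configuration register is (0x[0-9A-Fa-f]+)", text)
    if m is None:
        raise ValueError("no configuration register line found")
    return int(m.group(1), 16)


def audit_register(text: str, expected: int = 0x2102) -> list:
    """List findings for a router whose register is not the expected production value.

    A register left at 0x42 after a recovery means the saved configuration
    (including its passwords and ACLs) is not applied at the next reload.
    """
    value = register_from_show_version(text)
    info = decode_config_register(value)
    findings = []
    if info["ignore_startup_config"]:
        findings.append("startup-config is ignored at boot (register 0x%X)" % value)
    if info["boot_field"] < 2:
        findings.append("boot field %d: router boots %s instead of a full IOS"
                        % (info["boot_field"], info["boot_mode"]))
    if value != expected:
        findings.append("register 0x%X differs from expected 0x%X" % (value, expected))
    return findings


if __name__ == "__main__":
    for finding in audit_register(SAMPLE_SHOW_VERSION):
        print(finding)
```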
Subnetting Tips
The questions you will be asked on the CCNA exam will probably be one or all of the following:
- If you are going to use the subnet mask, x.x.x.x, how many subnets does this subnet mask produce? (You'll know this answer automatically if you memorize the subnet mask tables in our memorization lists).
- How many valid hosts are available for the following subnet? (You'll know this answer automatically if you memorize the subnet mask tables in our memorization lists).
- What are the valid subnets that you can obtain from the given subnet mask?
- What is the broadcast address of each subnet?
- What are the valid hosts in each of the subnets?
- What subnet mask should you use if you need x subnets and y hosts?
The following is the easiest way to figure out the answers to each of these questions. It is the method used by Todd Lammle. If you have his CCNA book, he covers this method in the book.
First, memorize your "powers of two":
2^1 = 2, 2^2 = 4, 2^3 = 8, 2^4 = 16, 2^5 = 32, 2^6 = 64, 2^7 = 128, 2^8 = 256, 2^9 = 512, 2^10 = 1024
Let's go over each of the above questions:
1. How many subnets:
Let's say you are going to use the subnet mask 255.255.255.224 with a class C address and you need to know how many subnets are available. Think of the subnet mask in binary as 11111111.11111111.11111111.11100000. Looking at the last octet (because you use this octet for subnetting on a class C address), you've got three "on" bits, or 1's. So, the formula to figure out how many subnets that this mask will produce is 2^n-2, where n is the number of "on" bits. 2^3-2 = 6 subnets. If you have memorized your subnet mask tables from our memorization lists, you'll know this is true and won't have to go through this procedure.
Let's try another one. Let's say you are going to use the subnet mask 255.255.255.224 with a class B address. Think of the subnet mask in binary as 11111111.11111111.11111111.11100000. Looking at the last two octets (because you use these two octets for subnetting on a class B address), you've got eleven "on" bits, or 1's. So, the formula to figure out how many subnets that this mask will produce is 2^n-2, where n is the number of "on" bits. 2^11-2 = 2046 subnets. If you have memorized your subnet mask tables in our memorization lists, you'll know this is true and won't have to go through this procedure.
2. How many hosts per subnet:
Let's say you are using the subnet mask 255.255.255.224 with a class C address and you want to figure out how many hosts are available for each subnet. Instead of looking at the "on" bits when trying to find the number of subnets, you will be looking at the "off" bits or 0's. So, once again think of your subnet mask as 11111111.11111111.11111111.11100000. You'll see that there are five "off" bits. So, the formula to figure out how many hosts per subnet that this mask will produce is 2^y-2, where y is the number of "off" bits. 2^5-2 = 30 hosts per subnet. If you have memorized your subnet mask tables from our memorization lists, you'll know this is true and won't have to go through this procedure.
Let's try another one: Let's say you are using the subnet mask 255.255.255.0 with a class B address and you want to figure out how many hosts are available for each subnet. Instead of looking at the "on" bits when trying to find the number of subnets, you will be looking at the "off" bits or 0's. So, think of your subnet mask as 11111111.11111111.11111111.00000000. You'll see that there are eight "off" bits. So, the formula to figure out how many hosts per subnet that this mask will produce is 2^y-2, where y is the number of "off" bits. 2^8-2 = 254 hosts per subnet. If you have memorized your subnet mask tables from our memorization lists, you'll know this is true and won't have to go through this procedure.
3., 4. and 5. Valid subnets, broadcast address, valid hosts
We can answer all of these at the same time using the following procedure. What are the valid subnets that you can obtain from the given subnet mask, what is the broadcast address of each subnet, and what are the valid hosts in each of the subnets.
Let's say that you need to subnet the network address 199.42.78.0 using the subnet mask 255.255.255.224.
First, to figure out the valid subnets, use the formula:
256 - subnet mask = base number.
So, your base number is 256 - 224 = 32. Now just keep adding 32 to itself to get the valid subnets: 32, 32+32=64, 64+32=96, 96+32=128, 128+32=160, 160+32=192. You can't use 192+32=224 because 224 is your subnet mask. So, your valid subnets are 32, 64, 96, 128, 160, and 192. Let's start making a table to easily see what is happening:
| Subnet 1 | Subnet 2 | Subnet 3 | Subnet 4 | Subnet 5 | Subnet 6 |
Subnet Address | 32 | 64 | 96 | 128 | 160 | 192 |
First Valid Host | | | | | | |
Last Valid Host | | | | | | |
Broadcast Address | | | | | | |
Next, to figure out what the broadcast addresses are for each subnet, just use the number before the next subnet. So, for the subnet address 32, the number before the next subnet 64 is 63. This is the broadcast address for subnet 32. For the subnet address 64, the number before the next subnet 96 is 95. This is the broadcast address for subnet 64. Do this for each subnet. Remember, just use the number before the next subnet. Let's fill in our table to see what we have so far:
| Subnet 1 | Subnet 2 | Subnet 3 | Subnet 4 | Subnet 5 | Subnet 6 |
Subnet Address | 32 | 64 | 96 | 128 | 160 | 192 |
First Valid Host | | | | | | |
Last Valid Host | | | | | | |
Broadcast Address | 63 | 95 | 127 | 159 | 191 | 223 |
Finally, figuring out the valid hosts is easy. Just fill in the numbers between the subnet address and the broadcast address. Let's fill in the rest of the table:
| Subnet 1 | Subnet 2 | Subnet 3 | Subnet 4 | Subnet 5 | Subnet 6 |
Subnet Address | 32 | 64 | 96 | 128 | 160 | 192 |
First Valid Host | 33 | 65 | 97 | 129 | 161 | 193 |
Last Valid Host | 62 | 94 | 126 | 158 | 190 | 222 |
Broadcast Address | 63 | 95 | 127 | 159 | 191 | 223 |
Now that you know how to create the whole table to find all the subnets, the broadcast addresses, and the valid hosts, let's find out how to quickly figure out answers to what you need without doing the whole table. Let's say you receive the following question on the exam:
Using the subnet mask 255.255.255.224, what is the subnet that the host 199.42.78.133 belongs to and the broadcast for this address?
All you have to do is use your formula 256 - subnet mask = base number.
256-224=32, which is your first subnet. Now just add the 32 to itself until you reach the subnet that contains the host 133. 32+32=64, 64+32=96, 96+32=128, 128+32=160. We can stop here because 133 is between 128 and 160. So, we know that the address 199.42.78.133 belongs within the 199.42.78.128 subnet and the broadcast is one less than the next subnet of 160, which is 159. So, the broadcast address is 199.42.78.159.
Let's try another one:
Given the network address 172.16.68.17 and the subnet mask 255.255.192.0, find the subnet it belongs to and its broadcast.
First, use the formula 256 - subnet mask = base number. 256-192=64. 64+64=128, 128+64=192. We can't use 192 because it is your subnet mask. So, our valid subnets are 64.0 and 128.0 (notice that the subnetting is on the third octet of the mask 255.255.192.0, that's why the subnets are 64.0 and 128.0, not just 64 and 128 - Remember this!!!).
Let's use a chart for this one to make it easier to see:
| Subnet 1 | Subnet 2 |
Subnet address | 64.0 | 128.0 |
First valid host | 64.1 | 128.1 |
Last valid host | 127.254 | 191.254 |
Broadcast address | 127.255 | 191.255 |
We can tell from the chart that the host 172.16.68.17 is in the 172.16.64.0 subnet and its broadcast is 172.16.127.255.
The more examples that you do on subnetting, the easier it becomes. Here is a summary of what you need to know:
- Number of subnets = 2^n-2 where n is the number of "on" bits or 1's
- Number of hosts = 2^y-2 where y is the number of "off" bits or 0's
- 256 - subnet mask = base number or first subnet (add this number to itself to find the remaining subnets)
- Broadcast address = the number before the next subnet
- Valid hosts = the numbers between the subnets, not including the broadcast address
6. This is the final question that you saw at the beginning of this document. If you are given a particular network and you need x subnets and y hosts, which subnet mask should you use?
The easiest way to do these types of questions is to memorize the subnet mask tables in our memorization lists. The other way is to use the formulas:
Number of subnets = 2^n-2 where n is the number of "on" bits or 1's
Number of hosts = 2^y-2 where y is the number of "off" bits or 0's
Let's say you receive the following question on the exam:
You are given the network 130.175.0.0. You want at least 70 subnets and 500 hosts per subnet. What subnet mask should you use?
If you memorized our subnet mask tables, you could easily see that you would have to use subnet mask 255.255.254.0 to satisfy these conditions. If you don't memorize the lists, here is one way you could do it:
This is a class B address, so you have 16 bits that can be used for subnetting (the 0.0 in the subnet mask can be written 00000000.00000000, which is 16 bits).
Using your formulas above, you will want to come as close as you can to 70 subnets and 500 hosts. If we start by trying to find the amount of subnets (using "on" bits or 1's), we know that 2^6-2=62 (11111100.00000000) isn't enough subnets so let's use 2^7-2= 126 (11111110.00000000). This is enough but let's make sure it will give us enough hosts. Since we used 2^7-2=126 (11111110.00000000) for the subnets, we would use the "off" bits to find the hosts. Since we have 7 "on" bits, this means we have 9 "off" bits. So, 2^9-2=510, which just gives us enough hosts. This means that 11111110.00000000 would work for the subnet mask. Knowing what we do about binary, let's add up the "on" bits or 1's: 128+64+32+16+8+4+2=254. So, the subnet mask would be 255.255.254.0. You could also figure out this problem finding the hosts first instead of the subnets first.
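The whole procedure above (questions 1 to 6) as one calculator, added here as an example and not part of the original notes. It follows the page's classful method and its 2^n-2 subnet count (all-zeros and all-ones subnets excluded), and the function names are my own.

```python
"""Classful subnetting calculator following the method in the notes above."""


def ip_to_int(ip: str) -> int:
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError("expected dotted-quad address: %r" % ip)
    value = 0
    for p in parts:
        octet = int(p)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in %r" % ip)
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classful_prefix(address: str) -> int:
    """Default network bits by class (A: 8, B: 16, C: 24), as the page assumes."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address cannot be subnetted")


def mask_bits(mask: str) -> int:
    """Number of 'on' bits; rejects non-contiguous masks such as 255.0.255.0."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask %r" % mask)
    return ones


def subnet_bits(address: str, mask: str) -> int:
    """n = 'on' bits borrowed from the host portion of the classful network."""
    n = mask_bits(mask) - classful_prefix(address)
    if n < 0:
        raise ValueError("mask is shorter than the classful network prefix")
    return n


def subnet_and_host_counts(address: str, mask: str) -> tuple:
    """(subnets, hosts per subnet) = (2^n - 2, 2^y - 2), y = 'off' bits."""
    n = subnet_bits(address, mask)
    y = 32 - mask_bits(mask)
    return 2 ** n - 2, 2 ** y - 2


def valid_subnets(address: str, mask: str) -> list:
    """Subnet addresses produced by the mask (the page's 'keep adding the base number')."""
    prefix = classful_prefix(address)
    n = subnet_bits(address, mask)
    network = ip_to_int(address) & ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)
    block = 1 << (32 - mask_bits(mask))          # base number, in address units
    return [int_to_ip(network + i * block) for i in range(1, 2 ** n - 1)]


def locate(host: str, mask: str) -> dict:
    """Subnet, first/last valid host and broadcast of the subnet containing host."""
    m = ip_to_int(mask)
    subnet = ip_to_int(host) & m
    broadcast = subnet | (~m & 0xFFFFFFFF)      # all host bits set
    return {"subnet": int_to_ip(subnet), "first_host": int_to_ip(subnet + 1),
            "last_host": int_to_ip(broadcast - 1), "broadcast": int_to_ip(broadcast)}


def choose_mask(address: str, min_subnets: int, min_hosts: int):
    """Fewest subnet bits satisfying both requirements (question 6), or None."""
    available = 32 - classful_prefix(address)
    for n in range(1, available - 1):
        host_bits = available - n
        if 2 ** n - 2 >= min_subnets and 2 ** host_bits - 2 >= min_hosts:
            return int_to_ip((0xFFFFFFFF << host_bits) & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    print(valid_subnets("199.42.78.0", "255.255.255.224"))
    print(locate("199.42.78.133", "255.255.255.224"))
    print(choose_mask("130.175.0.0", 70, 500))
```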
CCNA Exam Tips and Preparation
In the IT industry, the Cisco Certified Network Associate (CCNA) program is hugely popular and is in fact Cisco's most popular certification. CCNA was introduced in April 1998 and is the entry-level certification for the Cisco Career Certification Program.
Cisco's globally recognized certifications certify the competence of Internetworking professionals in the areas of routing, switching and connectivity. And CCNA is the first step in this route.
The significance of CCNA isn't just because it is the first step for Cisco certification, but it is in addition proof of a solid foundation in networking. It is a prerequisite for CCNP, CCDP, and CCSP certifications, and recommended for CCIP certification.
How to get the CCNA
Candidates have two paths to approach CCNA certification:
- a single-exam path that includes exam #640-801
OR
- a two-exam path that includes exam #640-821 (Introduction to Cisco Networking Technologies, or INTRO) and exam #640-811 (Interconnecting Cisco Network Devices, or ICND).
Prerequisites
There are no prerequisites for CCNA certification.
Exam Interface
You need to be familiar with the nature of the exam and the exam interface. "Cisco Career Certifications exams include the following test formats: multiple-choice single answer, multiple-choice multiple answer, drag-and-drop, fill-in-the-blank, and simulations. Prior to taking the exam, candidates should become familiar with how all exam types function, especially the exam simulation tool. Such practice will allow candidates to focus their exam-taking effort on the exam questions rather than how to correctly use the tools".
Exam Focus for the 640-801
The exam changes in the 640-801 are meant to ensure that only those who actually learn Cisco's material and can practice it get certified. This has made the CCNA tougher, but it has also increased the credibility and value of the exam. It is very hard to simply cram some materials and braindumps and pass the CCNA without being able to configure a router.
What's the exam like? There is a heavy focus on Access Lists, Switching, Routing protocols, Subnetting and simulation. Subnetting is key in the exam. You have to know how to subnet very well. Can you subnet in your head? You really need to be comfortable with subnetting before you take the CCNA. If you have doubts start practicing now.
Practice and understand access-lists very well. What are your access-list commands and what do they do?
Simulation
You need to build your speed in doing simulations. In the exam, simulations can make or mar your efforts. To prepare well you need to have access to simulators or real routers. The actual number simulation questions may vary from three to five. Essentially, the exam will test your ability to configure routers and switches in different scenarios. These scenarios are designed to test your knowledge of configuration and listing commands as well as your ability to pay attention to detail, and your ability to analyze and troubleshoot scenarios. Simulations have been noted to be slow during the exam and when switching between the simulator-based questions and the rest of the exam. Even if the simulator engine appears slow, don't let this throw you off balance during the exam.
Time management
The test is 90 minutes. To get a good score and keep your CCNA dreams and hopes alive you must manage your time well. Determine how long you will spend on each question. Remember that you can't go back after answering a question. This means you can't review questions you've answered. As noted simulations are usually slow and will take more time. They also weigh heavily in your exam scores. So take your time on the simulations and don't panic or rush. Note that there will be a lot of subnetting. Be able to subnet fast. OSI model, the Access lists, the Subnetting etc, questions are time consuming. But concentrate, understand the basics and be ready for calculations.
Exam Preparation for the 640-801
How you prepare for CCNA depends largely on your current knowledge and experience of networking and your chosen certification preparation option. Options include instructor-led training, e-simulations, practical labs, practice tests, study materials, etc. Books and simulations are the most popular preparation tools. However, for efficiency and effectiveness, if you have the funds and time, it is advisable to include instructor-led training in your preparations.
VLAN - Part - 3 VLAN Routing
Communicating within VLANs: There are different protocols available for communicating between VLANs. These encapsulation schemes are also known as VLAN trunking protocols. These protocols are based on Layer 2 of the OSI model. These are:
Inter-Switch Link Protocol (ISL): The ISL protocol is used to interconnect two VLAN-capable Ethernet, Fast Ethernet, or Gigabit Ethernet devices. Here, VLAN information is tagged to the standard Ethernet frame. The packets on the ISL link contain a standard Ethernet, FDDI, or Token Ring frame and the VLAN information associated with that frame. ISL is a Cisco proprietary protocol.
IEEE 802.10 Protocol: This protocol provides connectivity between VLANs. The protocol incorporates authentication and encryption techniques to ensure data confidentiality and integrity. The protocol operates at layer 2 of OSI model, and hence ensures greater efficiency.
IEEE 802.1Q Protocol: This protocol is used to interconnect multiple switches and routers, and for defining VLAN topologies. IEEE 802.1Q is the industry standard for communicating within VLANs.
ATM LANE Emulation Protocol (LANE): Using LANE, you can benefit from legacy LAN hardware. The LANE protocol operates over a traditional LAN, emulating a broadcast environment like IEEE 802.3. LANE allows standard LAN drivers like NDIS and ODI to be used. Applications can use normal LAN functions without the underlying complexities of the ATM implementation. Client workstations need a LAN Emulation Client to run the LANE protocol. The switches or routers also need to support the appropriate LANE functionality.
ATM LANE Fast Simple Server Replication Protocol (FSSRP): Cisco introduced the ATM LANE Fast Simple Server Replication Protocol (FSSRP). FSSRP provides better network redundancy. If a single LANE server is unavailable due to any technical reasons, the LANE client transparently switches over to the next LANE server and BUS.
Example:
Question:
Match the trunking protocols with respective media:
1. Inter Switch Link A. FDDI
2. LANE B. Fast Ethernet
3. 802.10 C. ATM
Choose the correct choice.
A. 1-> C, 2->B, 3->A
B. 1->B, 2->C, 3->A
C. 1->B, 2->A, 3->C
D. 1->A, 2->B, 3->C
Ans: B
Explanation: ISL, 802.1Q are the VLAN trunking protocols associated with Fast Ethernet. The VLAN trunking protocol defined by 802.10 is associated with FDDI. LANE (LAN Emulation) is associated with ATM.
VLAN - Part - 2 VLAN Types
How does a Switch distinguish between VLANs? This is done by associating the workstations with a specific VLAN using a specified format. This is known as VLAN membership. Four prominent VLAN membership methods are by port, MAC address, protocol type, and subnet address. Each of these is discussed below:
- VLAN membership by Port:
Here, you define which ports of a Switch belong to which VLAN. Any work station connected to a particular port will automatically be assigned that VLAN. For example, in a Switch with eight ports, ports 1-4 may be configured with VLAN 1, and ports 5-8 may be configured with VLAN2.
One of the disadvantages of this method is that it requires Switch port reconfiguration whenever a user (of course, with associated workstation) moves from one place to another. VLANs by port association operates at Layer 1 of the OSI model.
- VLAN membership by MAC Address:
Here, membership in a VLAN is based on the MAC address of the user workstation. A Switch that participates in VLAN, uses the MAC addresses to assign a VLAN to each workstation. When a workstation moves to another place, the corresponding switch automatically discovers the VLAN association based on the MAC address of the workstation. Since the MAC address is normally inseparable from that of the workstation, this method of VLAN membership is more amenable to workstation moves.
This type of VLAN works at Layer 2 of the OSI model.
- Membership by Protocol Type:
Layer 2 header contains the protocol type field. You can use this information to decide on the VLAN association. For example, all IP traffic may be associated with VLAN 1 and all IPX traffic may be associated with VLAN 2.
- Membership by IP Subnet Address
In this type of VLAN association, membership is based on the Layer 3 header. The Switch reads the Layer 3 IP address and associates a VLAN membership. Note that even though the Switch accesses Layer 3 information, it still works at Layer 2 of OSI model only. A VLAN Switch doesn't do any routing based on IP address.
Examples:
IP Subnet | VLAN
192.23.160.0 | 1
192.23.161.0 | 2
112.18.0.0 | 3
IP subnet address assignment to different VLANs.
IP address based VLANs allow user moves. However, it is likely to take more time to forward a packet by a Switch because it has to read Layer 3 information. Hence the latency rates may be relatively more using this type of VLAN membership.
VLAN - Part -1 Virtual Local Area Networks
What is a VLAN?
To refresh your memory, a Local Area Network (LAN) is a set of connected devices like computers, hubs, and switches sharing the same pool of logical address space. Normally, a router is required to route packets from one LAN to another LAN. Traditionally, all packets within a LAN are broadcast to all other devices connected to that particular LAN.
As a result, a traditional LAN has several disadvantages as below:
- Usable bandwidth is shared among all the devices connected to the LAN
- ALL devices connected within a LAN can hear ALL the packets, irrespective of whether the packet is meant for that device or not. It is possible for some unscrupulous node to listen to data packets not meant for it.
- Suppose, your organization has different departments. Using a traditional LAN, when any changes take place within the organization, physical cables and devices need to be moved to reorganize the LAN infrastructure.
- A LAN cannot extend beyond its physical boundary across a WAN, as a VLAN can.
If you are looking for a simple networked solution for a small office, it may be a good idea to have a traditional LAN setup with a few hubs or switches. However, if you are planning for a large building or campus wide LAN for several individual departments, a VLAN is almost essential.
Virtual LANs (VLANs) can be considered as an intelligent LAN consisting of different physical LAN segments enabling them to communicate with each other as if they were all on the same physical LAN segment.
Benefits of VLAN: Several of the disadvantages of traditional LANs can be eliminated with the implementation of VLANs.
1. Improved Performance: In a traditional LAN, all the hosts within the LAN receive broadcasts, and contend for available bandwidth. As a result, the bandwidth is shared among all the connected devices within the LAN segment. If you are running high-bandwidth consumption applications such as groupware or server farms, a threshold point may easily be reached. After a threshold, the users may find the LAN too slow or unresponsive. With the use of VLANs, you can divide the big LAN into several smaller VLANs. For example, if there are two file servers, each operating at 100Mbps, in a traditional LAN both the servers have to share the LAN bandwidth of 100Mbps. If you put both the servers in separate VLANs, then both have an available bandwidth of 100Mbps each. Here the available bandwidth has been doubled.
2. Functional separation of an institute or a company: It is often required to separate the functional groups within a company or institute. For example, it might be necessary to separate the HR department LAN from the Production LAN. Traditionally, it requires a router to separate two physical LANs. However, you can set up two VLANs, one for Finance, and the other for Production, without a router. A switch can route frames from one VLAN to another VLAN. With VLANs it is easier to place a workgroup together even though they are physically in different buildings. In this case the Finance VLAN does not forward packets to the Production VLAN, providing additional security.
3. Ease of Network Maintenance:
Network maintenance includes adding, removing, and changing the network users. With traditional LANs, whenever a user moves, it may be necessary to re-configure the user workstation, router, and the servers. Sometimes, it may also be necessary to lay cable, or reconfigure hubs and switches. If you are using VLANs, many of these reconfiguration tasks become unnecessary. For example, you can avoid network address configuration on the workstation and the corresponding router if you use a VLAN. This is because routing traffic within VLANs doesn't require a router.
However, VLANs add some administrative complexity, since the administration needs to manage virtual workgroups using VLANs.
4. Reduced Cost
VLANs minimize network administration by way of reduced maintenance on account of workstation additions/deletions/changes. This in turn reduces the costs associated with LAN maintenance.
5. Security
Using a LAN, all workstations within the LAN get the frames meant for all other workstations within the broadcast domain. Since a VLAN splits the broadcast domain into two or more, it is possible to put workstations sharing sensitive data in one VLAN, and other workstations in another VLAN. Of course, if two VLANs are not sufficient, you can split the workstations into as many VLANs as required. VLANs can also be used to set up firewalls, restrict access, and send any intrusion alerts to the administrator.
Example:
Question: Your network has 100 nodes on a single broadcast domain. You have implemented VLANs and segmented the network to have 2 VLANs of 50 nodes each. The resulting broadcast traffic effectively:
A. Increases two fold
B. Remains same
C. Decreases by half
D. Increases 4 fold
Ans: C
CISCO Access Control List (ACL)
Cisco Access Control Lists (ACLs) are used for filtering traffic based on given filtering criteria on a router or switch interface. Based on the conditions supplied by the ACL, a packet is allowed or blocked from further movement. Cisco ACLs are available for several types of routed protocols including IP, IPX, AppleTalk, XNS, DECnet, and others. However, we will be discussing ACLs pertaining to the TCP/IP protocol only. ACLs for TCP/IP traffic filtering are primarily divided into two types:
Standard Access Control Lists: Standard IP ACLs range from 1 to 99. A Standard Access List allows you to permit or deny traffic FROM specific IP addresses. The destination of the packet and the ports involved can be anything.
This is the command syntax format of a standard ACL.
access-list access-list-number {permit|deny}
{host|source source-wildcard|any}
Standard ACL example:
access-list 10 permit 192.168.2.0 0.0.0.255
This list allows traffic from all addresses in the range 192.168.2.0 to 192.168.2.255
Note that when configuring access lists on a router, you must identify each access list uniquely by assigning either a name or a number to the protocol's access list.
There is an implicit deny added to every access list. If you entered the command:
show access-list 10
The output looks like:
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 deny any
Extended Access Control Lists: Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also allow you to have granular control by specifying controls for different types of protocols such as ICMP, TCP, UDP, etc. within the ACL statements. Extended IP ACLs range from 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional numbers (2000 to 2699).
The syntax for IP Extended ACL is given below:
access-list access-list-number {deny | permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]
Note that the above syntax is simplified, and given for general understanding only.
Extended ACL example:
access-list 110 - Applied to traffic leaving the office (outgoing)
access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80
ACL 110 permits traffic originating from any address on the 92.128.2.0 network. The 'any' statement means that the traffic is allowed to have any destination address with the limitation of going to port 80. The value of 0.0.0.0/255.255.255.255 can be specified as 'any'.
Applying an ACL to a router interface:
After the ACL is defined, it must be applied to the interface (inbound or outbound). The syntax for applying an ACL to a router interface is given below:
interface <interface>
ip access-group {number|name} {in|out}
An Access List may be specified by a name or a number. "in" applies the ACL to the inbound traffic, and "out" applies the ACL on the outbound traffic.
Example:
To apply the standard ACL created in the previous example, use the following commands:
Router(config)#interface serial 0
Router(config-if)#ip access-group 10 out
Example Question:
Which command sequence will allow only traffic from network 185.64.0.0 to enter interface s0?
A. access-list 25 permit 185.64.0.0 255.255.0.0
int s0 ; ip access-list 25 out
B. access-list 25 permit 185.64.0.0 255.255.0.0
int s0 ; ip access-group 25 out
C. access-list 25 permit 185.64.0.0 0.0.255.255
int s0 ; ip access-list 25 in
D. access-list 25 permit 185.64.0.0 0.0.255.255
int s0 ; ip access-group 25 in
Correct answer: D
Explanation:
The correct sequence of commands is:
1. access-list 25 permit 185.64.0.0 0.0.255.255
2. int s0
3. ip access-group 25 in
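As an added example (not code from the page or from Cisco IOS), a small Python evaluator for the numbered access-list syntax described above: it parses wildcard masks, 'host' and 'any', applies entries in order with first match winning, and ends with the implicit deny. The ACL lines in SAMPLE are the page's own examples plus the exam answer; the packet addresses and ports used with it are constructed.

```python
import ipaddress

# Added example, not from the page or Cisco IOS: a minimal evaluator for
# numbered access-list lines using Cisco wildcard-mask semantics.

SAMPLE = """access-list 10 permit 192.168.2.0 0.0.0.255
access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80
access-list 25 permit 185.64.0.0 0.0.255.255
"""  # the page's ACL lines; packets tested against them are constructed

def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 means 'must match', 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (spec, rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(config_text):
    """Return {acl_number: [entries in configured order]}."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action, rest = int(t[1]), t[2], t[3:]
        entry = {"action": action, "proto": "ip", "dport": None,
                 "dst": ("0.0.0.0", "255.255.255.255")}
        if 100 <= number <= 199 or 2000 <= number <= 2699:  # extended ACL
            entry["proto"] = rest[0]
            entry["src"], rest = parse_addr(rest[1:])
            entry["dst"], rest = parse_addr(rest)
            if rest[:1] == ["eq"]:
                entry["dport"] = int(rest[1])
        else:                                                # standard ACL
            entry["src"], rest = parse_addr(rest)
        acls.setdefault(number, []).append(entry)
    return acls

def evaluate(entries, src, dst="0.0.0.0", proto="ip", dport=None):
    """First matching entry wins; no match is the implicit 'deny any'."""
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
            return e["action"]
    return "deny"
```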
Cisco IOS: An Introduction
Cisco IOS (short for Internetwork Operating System) is the software used on the majority of Cisco Systems routers and switches. IOS combines routing, switching, internetworking and telecommunications functions in a multitasking operating system. Cisco IOS uses a command line interface (CLI) and provides a fixed set of multiple-word commands. The Cisco IOS CLI can be accessed through a console connection, a modem connection, or a telnet session. The set of commands available at any particular point is determined by the "mode" and the privilege level of the current user. Cisco IOS follows a command hierarchy, with each level offering a different set of commands. All commands are assigned a privilege level, from 0 to 15, and can only be run by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined.
Some of the widely used command hierarchy levels are given below:
User EXEC level: This is the level that a connected user is allowed initially. User EXEC allows access to a limited set of basic monitoring commands. A ">" sign denotes User EXEC mode.
Privileged EXEC level: Privileged EXEC level allows access to all router commands including router configuration and management commands. This level is usually password protected for security reasons. A "#"sign denotes privileged EXEC mode.
When a user is connected to a Cisco IOS, a User EXEC prompt appears. Now, the user can enter privileged EXEC mode by typing the password shown as below:
Router> enable
Password: [enable password]
Router# configure terminal
Router(config)#
Global configuration mode: "Global configuration mode" provides commands to change the system's configuration. This is typically represented by "(config)#" sign as shown in the above example.
Interface configuration mode: "Interface configuration mode" provides commands to change the configuration of a specific interface of the router. Interface configuration mode is denoted by "(config-if)#".
A summary of Cisco IOS router command prompt is given below:
Prompt | Explanation |
Router> | User EXEC mode |
Router# | Privileged EXEC mode |
Router(config)# | Global configuration mode. # sign indicates this is only accessible at privileged EXEC mode. |
Router(config-if)# | Interface level configuration mode. |
Router(config-router)# | Routing engine level within configuration mode. |
Router(config-line)# | Line level (vty, tty, async) within configuration mode. |
Context Sensitive Help
Cisco IOS CLI offers context sensitive help. At any time during an EXEC session, a user can type a question mark (?) to get help.
Two types of context sensitive help are available:
- Word help and
- Command syntax help.
Word help: Word help can be used to obtain a list of commands that begin with a given character string. To use word help, type in the characters in question followed immediately by the question mark (?). The following is an example of word help:
Router# co?
configure connect copy
Command syntax help: Command syntax help can be used to obtain a list of commands, keyword, or argument options that are available starting with the keywords that the user had already entered. To use command syntax help, enter a question mark (?) after hitting a space. The router will then display a list of available command options with <cr> standing for carriage return. The following is an example of command syntax help:
Router# configure ?
memory Configure from NV memory
network Configure from a TFTP network host
terminal Configure from the terminal
<cr>
Cisco IOS also allows abbreviated commands support. For example, consider the following:
Router#configure terminal
Router(config)#
Router#config term
Router(config)#
Both of the above commands do the same job: IOS expands an unambiguous abbreviation to the full command word. However, if there is any ambiguity, an error message is generated as below:
Router(config)#c
% Ambiguous command: "c"
Checkout a ccna router simulator available from certexams.com.
Example Question:
What is the command used to add a banner to a Cisco router configuration?
A. add banner
B. banner motd #
C. motd banner #
D. add banner #
Correct answer: B
Explanation:
The banner is displayed whenever anyone logs in to your Cisco router. The syntax is
banner motd #
MOTD stands for "Message Of The Day".
The # symbol signifies the start of the banner message. You will be prompted for the message to be displayed, and you need to enter the "#" symbol at the end of the message, signifying that the message has ended.
Alternatively, you can enter the banner on the same line, as below:
banner motd # your message here#
Note that you need to begin and end the banner with a delimiter (here the # sign).
Subnet Masking - Part - 2
What we discussed in the previous section is classful subnet masking. A subnet mask can also take bits from the host portion of the address; this is called Classless Inter-Domain Routing (CIDR). It allows more networks for a given class of network address. For example, borrowing 3 host bits for the subnet portion of our previous IP address gives 2 x 2 x 2 = 8 additional subnetworks. Traditionally, the all-zeros and all-ones subnets are not used, so we are left with 6 usable subnets.
192.189.210.078: 1100 0000.1011 1101.1101 0010.0100 1110 Class C IP Address
255.255.255.224: 1111 1111.1111 1111.1111 1111.1110 0000 Class C subnet mask with 3 additional bits of the host portion used for subnetting
Broadcast address: 1100 0000.1011 1101.1101 0010.0101 1111 :192.189.210.95
The above is the broadcast address for a given subnet (192.189.210.078). Under Classful routing, the broadcast address would have been 192.189.210.255.
Note that by using subnetting, we are able to increase the number of networks available within a given IP address range. On the other hand, we lose hosts: the number of hosts available within a subnet drops to 24 or 16 hosts per subnet. Again, the all-zeros and all-ones host addresses are traditionally reserved for other purposes.
CIDR (Classless Inter-Domain Routing) notation: the subnet mask is also represented as below:
192.189.210.078/27, where 27 is the number of bits in the network portion of the IP address.
Why use CIDR?
Normally, ISPs allocate IP addresses to individuals or corporations, because it is practically impossible to allocate a classful network to every individual or corporation. Using CIDR, the biggest ISPs are given a large pool of IP address space, and the ISP's customers, individuals or corporations, are then allocated networks from that pool. This kind of arrangement enables efficient management and utilization of the Internet's address space.
Classful addresses can easily be written in CIDR notation
Class A = A.B.C.D/8, Class B = A.B.C.D/16, and Class C = A.B.C.D/24
Where A,B,C,D are dotted decimal octets.
Example Question:
You have an IP of 156.233.42.56 with a subnet mask of 7 bits. How many hosts and subnets are possible?
A. 126 hosts and 510 subnets
B. 128 subnets and 512 hosts
C. 510 hosts and 126 subnets
D. 512 subnets and 128 hosts
Correct answer: C
Explanation:
A Class B network has the form N.N.H.H; the default subnet mask is 16 bits long.
There are 7 additional bits beyond the default subnet mask, so the total number of bits in the subnet mask is 16 + 7 = 23.
This leaves 32 - 23 = 9 bits for assigning to hosts.
7 bits of subnet mask correspond to (2^7 - 2) = 128 - 2 = 126 subnets.
9 bits of host address correspond to (2^9 - 2) = 512 - 2 = 510 hosts.
Subnet Masking - Part - 1
Subnetting an IP network is done primarily for better utilization of available IP address space, and for routing purposes. Other reasons include better organization, use of different physical media (such as Ethernet, WAN, etc.), and securing network resources. A subnet mask enables you to identify the network and node parts of the address. The network bits are represented by the 1s in the mask, and the node bits are represented by the 0s. A logical AND operation between the IP address and the subnet mask provides the network address.
For example, using our test IP address and the default Class C subnet mask, we get:
192.189.210.078: 1100 0000.1011 1101.1101 0010.0100 1110 Class C IP Address
255.255.255.000: 1111 1111.1111 1111.1111 1111.0000 0000 Default Class C subnet mask
192.189.210.000: 1100 0000.1011 1101.1101 0010.0000 0000 Network address (IP address AND mask)
As can be seen above, by using the AND operator we can compute the network portion of an IP address. The network portion of the IP address in the above example is 192.189.210.0, and the host portion is 078.
For binary conversion, take first octet of a given IP address (in dotted decimal form), and lookup the binary value. Then take the second octet and lookup the binary value, and so on.
Binary Conversion Table
Decimal | Binary | Decimal | Binary | Decimal | Binary | Decimal | Binary |
0 | 0000 0000 | 64 | 0100 0000 | 128 | 1000 0000 | 192 | 1100 0000 |
1 | 0000 0001 | 65 | 0100 0001 | 129 | 1000 0001 | 193 | 1100 0001 |
2 | 0000 0010 | 66 | 0100 0010 | 130 | 1000 0010 | 194 | 1100 0010 |
3 | 0000 0011 | 67 | 0100 0011 | 131 | 1000 0011 | 195 | 1100 0011 |
4 | 0000 0100 | 68 | 0100 0100 | 132 | 1000 0100 | 196 | 1100 0100 |
5 | 0000 0101 | 69 | 0100 0101 | 133 | 1000 0101 | 197 | 1100 0101 |
6 | 0000 0110 | 70 | 0100 0110 | 134 | 1000 0110 | 198 | 1100 0110 |
7 | 0000 0111 | 71 | 0100 0111 | 135 | 1000 0111 | 199 | 1100 0111 |
8 | 0000 1000 | 72 | 0100 1000 | 136 | 1000 1000 | 200 | 1100 1000 |
9 | 0000 1001 | 73 | 0100 1001 | 137 | 1000 1001 | 201 | 1100 1001 |
10 | 0000 1010 | 74 | 0100 1010 | 138 | 1000 1010 | 202 | 1100 1010 |
11 | 0000 1011 | 75 | 0100 1011 | 139 | 1000 1011 | 203 | 1100 1011 |
12 | 0000 1100 | 76 | 0100 1100 | 140 | 1000 1100 | 204 | 1100 1100 |
13 | 0000 1101 | 77 | 0100 1101 | 141 | 1000 1101 | 205 | 1100 1101 |
14 | 0000 1110 | 78 | 0100 1110 | 142 | 1000 1110 | 206 | 1100 1110 |
15 | 0000 1111 | 79 | 0100 1111 | 143 | 1000 1111 | 207 | 1100 1111 |
16 | 0001 0000 | 80 | 0101 0000 | 144 | 1001 0000 | 208 | 1101 0000 |
17 | 0001 0001 | 81 | 0101 0001 | 145 | 1001 0001 | 209 | 1101 0001 |
18 | 0001 0010 | 82 | 0101 0010 | 146 | 1001 0010 | 210 | 1101 0010 |
19 | 0001 0011 | 83 | 0101 0011 | 147 | 1001 0011 | 211 | 1101 0011 |
20 | 0001 0100 | 84 | 0101 0100 | 148 | 1001 0100 | 212 | 1101 0100 |
21 | 0001 0101 | 85 | 0101 0101 | 149 | 1001 0101 | 213 | 1101 0101 |
22 | 0001 0110 | 86 | 0101 0110 | 150 | 1001 0110 | 214 | 1101 0110 |
23 | 0001 0111 | 87 | 0101 0111 | 151 | 1001 0111 | 215 | 1101 0111 |
24 | 0001 1000 | 88 | 0101 1000 | 152 | 1001 1000 | 216 | 1101 1000 |
25 | 0001 1001 | 89 | 0101 1001 | 153 | 1001 1001 | 217 | 1101 1001 |
26 | 0001 1010 | 90 | 0101 1010 | 154 | 1001 1010 | 218 | 1101 1010 |
27 | 0001 1011 | 91 | 0101 1011 | 155 | 1001 1011 | 219 | 1101 1011 |
28 | 0001 1100 | 92 | 0101 1100 | 156 | 1001 1100 | 220 | 1101 1100 |
29 | 0001 1101 | 93 | 0101 1101 | 157 | 1001 1101 | 221 | 1101 1101 |
30 | 0001 1110 | 94 | 0101 1110 | 158 | 1001 1110 | 222 | 1101 1110 |
31 | 0001 1111 | 95 | 0101 1111 | 159 | 1001 1111 | 223 | 1101 1111 |
32 | 0010 0000 | 96 | 0110 0000 | 160 | 1010 0000 | 224 | 1110 0000 |
33 | 0010 0001 | 97 | 0110 0001 | 161 | 1010 0001 | 225 | 1110 0001 |
34 | 0010 0010 | 98 | 0110 0010 | 162 | 1010 0010 | 226 | 1110 0010 |
35 | 0010 0011 | 99 | 0110 0011 | 163 | 1010 0011 | 227 | 1110 0011 |
36 | 0010 0100 | 100 | 0110 0100 | 164 | 1010 0100 | 228 | 1110 0100 |
37 | 0010 0101 | 101 | 0110 0101 | 165 | 1010 0101 | 229 | 1110 0101 |
38 | 0010 0110 | 102 | 0110 0110 | 166 | 1010 0110 | 230 | 1110 0110 |
39 | 0010 0111 | 103 | 0110 0111 | 167 | 1010 0111 | 231 | 1110 0111 |
40 | 0010 1000 | 104 | 0110 1000 | 168 | 1010 1000 | 232 | 1110 1000 |
41 | 0010 1001 | 105 | 0110 1001 | 169 | 1010 1001 | 233 | 1110 1001 |
42 | 0010 1010 | 106 | 0110 1010 | 170 | 1010 1010 | 234 | 1110 1010 |
43 | 0010 1011 | 107 | 0110 1011 | 171 | 1010 1011 | 235 | 1110 1011 |
44 | 0010 1100 | 108 | 0110 1100 | 172 | 1010 1100 | 236 | 1110 1100 |
45 | 0010 1101 | 109 | 0110 1101 | 173 | 1010 1101 | 237 | 1110 1101 |
46 | 0010 1110 | 110 | 0110 1110 | 174 | 1010 1110 | 238 | 1110 1110 |
47 | 0010 1111 | 111 | 0110 1111 | 175 | 1010 1111 | 239 | 1110 1111 |
48 | 0011 0000 | 112 | 0111 0000 | 176 | 1011 0000 | 240 | 1111 0000 |
49 | 0011 0001 | 113 | 0111 0001 | 177 | 1011 0001 | 241 | 1111 0001 |
50 | 0011 0010 | 114 | 0111 0010 | 178 | 1011 0010 | 242 | 1111 0010 |
51 | 0011 0011 | 115 | 0111 0011 | 179 | 1011 0011 | 243 | 1111 0011 |
52 | 0011 0100 | 116 | 0111 0100 | 180 | 1011 0100 | 244 | 1111 0100 |
53 | 0011 0101 | 117 | 0111 0101 | 181 | 1011 0101 | 245 | 1111 0101 |
54 | 0011 0110 | 118 | 0111 0110 | 182 | 1011 0110 | 246 | 1111 0110 |
55 | 0011 0111 | 119 | 0111 0111 | 183 | 1011 0111 | 247 | 1111 0111 |
56 | 0011 1000 | 120 | 0111 1000 | 184 | 1011 1000 | 248 | 1111 1000 |
57 | 0011 1001 | 121 | 0111 1001 | 185 | 1011 1001 | 249 | 1111 1001 |
58 | 0011 1010 | 122 | 0111 1010 | 186 | 1011 1010 | 250 | 1111 1010 |
59 | 0011 1011 | 123 | 0111 1011 | 187 | 1011 1011 | 251 | 1111 1011 |
60 | 0011 1100 | 124 | 0111 1100 | 188 | 1011 1100 | 252 | 1111 1100 |
61 | 0011 1101 | 125 | 0111 1101 | 189 | 1011 1101 | 253 | 1111 1101 |
62 | 0011 1110 | 126 | 0111 1110 | 190 | 1011 1110 | 254 | 1111 1110 |
63 | 0011 1111 | 127 | 0111 1111 | 191 | 1011 1111 | 255 | 1111 1111 |
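As an added example (not from the page), the subnet arithmetic from both Subnet Masking parts in Python: the AND that yields the network address, the OR with the inverted mask that yields the broadcast address, the address class read from the leading bits of the first octet, and the subnet/host counts using the page's rule of discarding the all-zeros and all-ones values. The addresses are the page's own examples, written without the leading zero in 078.

```python
import ipaddress

# Added example, not from the page: subnet arithmetic with explicit bit
# operations so each step the text describes is visible.

def to_bits(addr):
    """Dotted decimal -> '1100 0000.1011 1101....', the page's binary layout."""
    octets = [f"{int(o):08b}" for o in addr.split(".")]
    return ".".join(b[:4] + " " + b[4:] for b in octets)

def prefix_to_mask(prefix):
    """CIDR prefix length -> 32-bit mask (e.g. 27 -> 255.255.255.224)."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(addr, prefix):
    """(network, broadcast) for addr/prefix as dotted-decimal strings."""
    ip = int(ipaddress.IPv4Address(addr))
    mask = prefix_to_mask(prefix)
    network = ip & mask                          # logical AND: host bits -> 0
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits -> all ones
    return (str(ipaddress.IPv4Address(network)),
            str(ipaddress.IPv4Address(broadcast)))

def address_class(addr):
    """Class from the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C."""
    first = int(addr.split(".")[0])
    if first >> 7 == 0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    return "D/E"   # multicast / experimental, outside the page's table

def counts(addr, borrowed_bits):
    """(usable subnets, usable hosts) when borrowed_bits extend the classful
    mask, discarding all-zeros and all-ones as the page does."""
    default_prefix = {"A": 8, "B": 16, "C": 24}[address_class(addr)]
    host_bits = 32 - default_prefix - borrowed_bits
    return 2 ** borrowed_bits - 2, 2 ** host_bits - 2

if __name__ == "__main__":
    print(to_bits("192.189.210.78"), subnet_info("192.189.210.78", 27))
    print(address_class("204.67.118.54"), counts("156.233.42.56", 7))
```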
Example Question: Which of the following is a Class C IP address?
A. 10.10.14.118
B. 135.23.112.57
C. 191.200.199.199
D. 204.67.118.54
Correct Answer: D.
Explanation:
IP addresses are written using decimal numbers separated by decimal points. This is called the dotted decimal notation for expressing IP addresses. The different classes of IP addresses are as below:
Class | Format | Leading Bit pattern | Network address Range | Maximum networks | Maximum hosts |
A | N.H.H.H | 0 | 0-126 | 127 | 16,777,214 |
B | N.N.H.H | 10 | 128-191 | 16,384 | 65,534 |
C | N.N.N.H | 110 | 192-223 | 2,097,152 | 254 |
A network address of all zeros means "this network or segment".
A network address of all 1s means "all networks", the same as hexadecimal all Fs.
Network number 127 is reserved for loopback tests.
A host (node) address of all zeros means "this host (node)".
A host (node) address of all 1s means "all hosts (nodes)" on the specified network.