Kore Network Device Configuration

This document discusses networking concepts including IP addresses, subnetting, and network masks. It provides examples of how IP addresses are structured and how subnetting can be used to divide larger networks into multiple logical subnetworks to better organize device addressing. Variable-length subnet masking (VLSM) is described as allowing for subnet masks within a network to vary in length to efficiently allocate addresses based on actual needs.

Uploaded by

Ellazia

WKU College of Computing & Informatics, Department of IT

Chapter One: Basic Networking & Network Devices

Understanding IP Addresses

An IP address is an address used to uniquely identify a device on an IP network. There are
two types of IP address: a version four IP address (IPv4), which is made up of 32 binary bits,
and a version six IP address (IPv6), which has 128 binary bits. An address can be divided into a
network portion and a host portion with the help of a subnet mask.

The IPv4 32 binary bits are broken into four octets, so that each octet has eight bits. Each
octet is converted to decimal and separated by a dot, so the address is expressed in dotted-
decimal format. The value in each octet ranges from 0 to 255 (00000000 – 11111111).

Here is how binary octets can easily be converted to decimal:

IP Address Classes

Class A address: The first octet is the network portion, which means Class A has a major
network address of 1.0.0.0 - 127.255.255.255. Octets 2, 3, and 4 (24 bits) are for the network
manager to divide into subnets and hosts.
Network Device Configuration, CH-I

Class B address: The first two octets are the network portion, so class B has a major network
address of 128.0.0.0 - 191.255.255.255. Octets 3 and 4 (16 bits) are for local subnets and hosts.

Class C address: The first three octets are the network portion. Class C has a major network
address of 192.0.0.0 - 223.255.255.255. Octet 4 (8 bits) is for local subnets and hosts – used for
networks with fewer than 254 hosts.

Classless IP Addresses

Classless addressing is an improved IP addressing system. It makes the allocation of IP
addresses more efficient. It replaces the older classful addressing system based on classes. It is
also known as Classless Inter-Domain Routing (CIDR).

Classless addressing uses a two-part view of IP addresses, unlike classful addressing, which has
a three-part view. With classless addressing, the network and subnet parts from the classful view
are combined into a single part, often called the subnet or prefix, with the address ending in the
host part.

Network Masks

A network mask helps you know which portion of the address identifies the network and which
portion of the address identifies the node. Class A, B, and C networks have default masks
(natural masks) as shown below:

Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0

Example: In order to see how the mask helps to identify the network and node parts of the
address, convert the address and mask to binary numbers.

10.10.1.15 = 00001010.00001010.00000001.00001111
255.0.0.0 = 11111111.00000000.00000000.00000000

Once you have the address and the mask represented in binary, identification of the network
and host ID is easier. Any address bits whose corresponding mask bits are set to 1 represent
the network ID. Any address bits whose corresponding mask bits are set to 0 represent the node
ID.

10.10.1.15    00001010.00001010.00000001.00001111
255.0.0.0     11111111.00000000.00000000.00000000
AND           00001010.00000000.00000000.00000000
              Net ID   Host ID

Understanding Subnetting
Subnetting allows you to create multiple logical networks that exist within a single network. If a
network is not subnetted, one can only use one network, which is unrealistic.

Breaking a major network into smaller subnetworks allows you to create a network of
interconnecting subnetworks. Each link on this network would then have a unique
network/subnetwork ID. Any device, or gateway, that connects n networks/subnetworks has n
distinct IP addresses, one for each network / subnetwork that it interconnects.

In order to subnet a network, extend the default mask with some of the bits from the host ID
portion of the address in order to create a subnetwork ID.


Example 1: Classful Address

With a Class C network of 201.16.4.0, which has a default mask of 255.255.255.0, subnets can be
created in this manner:

201.16.4.0 - 11001001.00010000.00000100.00000000
255.255.255.224 - 11111111.11111111.11111111.11100000

By extending the mask to be 255.255.255.224, you have taken three bits from the original host
portion of the address and used them to make subnets. With these three bits, it is possible to
create eight subnets.

With the remaining five host ID bits, each subnet can have up to 32 host addresses, 30 of which
can actually be assigned to a device, since host IDs of all zeros or all ones are not allowed. So,
with this in mind, these subnets have been created.

SNo  Network Address  Subnet Mask      First Usable   Last Usable    Broadcast
                                       Address        Address        Address
                                       (last octet)   (last octet)   (last octet)
1    201.16.4.0       255.255.255.224  1              30             31
2    201.16.4.32      255.255.255.224  33             62             63
3    201.16.4.64      255.255.255.224  65             94             95
4    201.16.4.96      255.255.255.224  97             126            127
5    201.16.4.128     255.255.255.224  129            158            159
6    201.16.4.160     255.255.255.224  161            190            191
7    201.16.4.192     255.255.255.224  193            222            223
8    201.16.4.224     255.255.255.224  225            254            255

Example 2: Classless Address


Fixed-Length Subnet Masking (FLSM) is when all subnet masks in a major network must be
the same.

FLSM gives an equal number of IP addresses to each subnet. Calculating the required subnet bits
from a particular IP address is performed as follows.

Let’s take the IP Address 10.10.10.0/24

a. Borrow bits from the host side.

We find them with the help of the subnet mask, which is 255.255.255.0: there are 24 1's in the
network bits.

b. Find the updated subnet mask.

Here we need to configure 4 subnets, which requires us to borrow 2 bits. By setting the two most
significant host bits of the subnet mask to 1, we get the mask value for the subnets:

11111111.11111111.11111111.11000000 (255.255.255.192)

c. Find the range of IP addresses in the subnet.

Formula:
Range = (Maximum Subnet Mask – Updated Subnet Mask)
The Maximum Subnet Mask is always 255.255.255.255.

  255.255.255.255
- 255.255.255.192
=   0.  0.  0. 63

The range for the network is 0.0.0.63.

d. Divide the whole network with the help of the range.

First Network Block: 10.10.10.0 – 10.10.10.63
Network ID: 10.10.10.0
First IP address: 10.10.10.1
Last IP address: 10.10.10.62
Broadcast address: 10.10.10.63

Second Network Block: 10.10.10.64 – 10.10.10.127
Network ID: 10.10.10.64
First IP address: 10.10.10.65
Last IP address: 10.10.10.126
Broadcast address: 10.10.10.127

Third Network Block: 10.10.10.128 – 10.10.10.191
Network ID: 10.10.10.128
First IP address: 10.10.10.129
Last IP address: 10.10.10.190
Broadcast address: 10.10.10.191

Fourth Network Block: 10.10.10.192 – 10.10.10.255
Network ID: 10.10.10.192
First IP address: 10.10.10.193
Last IP address: 10.10.10.254
Broadcast address: 10.10.10.255

The subnet mask is the same for every network block, i.e. 255.255.255.192.
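Both the mask check in "Network Masks" (10.10.1.15 AND 255.0.0.0) and the fixed-length subnet tables above (Example 1 with 201.16.4.0/24 and three borrowed bits, and the four blocks of 10.10.10.0/24) can be reproduced with the Python standard library. The following is an added example, not code from the course notes; the function names are this example's own choices and it relies only on the ipaddress module.

```python
import ipaddress


def to_binary(dotted):
    """Render a dotted-decimal IPv4 address or mask as four 8-bit groups."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def network_id(address, mask):
    """Bitwise AND of address and mask: every address bit whose mask bit is 1
    belongs to the network ID, every bit whose mask bit is 0 to the host ID."""
    addr = int(ipaddress.IPv4Address(address))
    msk = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(addr & msk))


def flsm_subnets(major_network, borrowed_bits):
    """Extend the default mask by borrowed_bits host bits, producing
    2**borrowed_bits equal-sized subnets (fixed-length subnet masking).

    Each row carries the same fields as the course table: network address,
    mask, first and last usable host address, broadcast address and the
    number of assignable hosts (all-zeros and all-ones host IDs excluded).
    """
    major = ipaddress.IPv4Network(major_network)
    rows = []
    for subnet in major.subnets(new_prefix=major.prefixlen + borrowed_bits):
        hosts = list(subnet.hosts())   # hosts() leaves out network and broadcast
        rows.append({
            "network": str(subnet.network_address),
            "mask": str(subnet.netmask),
            "first_usable": str(hosts[0]),
            "last_usable": str(hosts[-1]),
            "broadcast": str(subnet.broadcast_address),
            "usable_hosts": len(hosts),
        })
    return rows


if __name__ == "__main__":
    # The Network Masks example: 10.10.1.15 with the Class A natural mask.
    print(to_binary("10.10.1.15"), "AND", to_binary("255.0.0.0"))
    print("network ID:", network_id("10.10.1.15", "255.0.0.0"))

    # Example 1: 201.16.4.0/24 with three bits borrowed (mask 255.255.255.224).
    for number, row in enumerate(flsm_subnets("201.16.4.0/24", 3), start=1):
        print(number, row["network"], row["mask"], row["first_usable"],
              row["last_usable"], row["broadcast"])

    # The FLSM walkthrough: 10.10.10.0/24 split into four blocks (mask 255.255.255.192).
    for row in flsm_subnets("10.10.10.0/24", 2):
        print(row["network"], "-", row["broadcast"], "usable hosts:", row["usable_hosts"])
```

Running it prints the eight-row table for 201.16.4.0/24 and the four /26 blocks of 10.10.10.0/24; the row count and the usable-host count are what to check when a requested subnet plan does not fit.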

Variable-Length Subnet Masking (VLSM)

Variable-Length Subnet Masking (VLSM) is when subnet masks within a major network can
be different; that is, VLSM divides the network into multiple networks according to its
needs. It is used to conserve IP addresses. In this type of subnetting, you are given the
number of required IP addresses and you have to find the network blocks accordingly.

Let’s take the previous IP address 10.10.10.0/24 and assume you are asked to configure a
network in such a way that it will be able to provide 50 IP addresses, 30 IP addresses
and 10 IP addresses.

a. Calculate host bits

We have to start from the largest requirement, in this case 50 IP addresses. 1 IP is required for
the network address and another for the broadcast address, so the total requirement is 50 + 2 = 52
IP addresses.

To provide that many addresses, we compare powers of two:

2^1 = 2  < 52
2^2 = 4  < 52   These are not sufficient for the IP addresses required.
2^3 = 8  < 52
2^4 = 16 < 52
2^5 = 32 < 52
2^6 = 64 >= 52  Take this option; it is sufficient for the required IP addresses.

6 bits are used for the host and the remaining 2 bits are used for the subnet.


b. Find the network bits - The network bits can be obtained as:
Network bits = Total bits – Host bits = (32 – 6) = 26 bits.

c. Calculate the updated subnet mask

A network bit is represented by 1 and a host bit is represented by 0. The updated subnet mask is:

11111111.11111111.11111111.11000000
255     .255     .255     .192

d. The range will be computed as:

Range = Maximum Subnet Mask – Updated Subnet Mask

  255.255.255.255
- 255.255.255.192
=   0.  0.  0. 63

Therefore, the network block for the 50 IP addresses is 10.10.10.0 to 10.10.10.63.

The same procedure will be followed for the next requirement.

Total IP required = 30 + 2 = 32

a. Calculate the host bits

To provide that many addresses, we compare powers of two:

2^1 = 2  < 32
2^2 = 4  < 32   These are not sufficient for the IP addresses required.
2^3 = 8  < 32
2^4 = 16 < 32
2^5 = 32 >= 32  Take this option; it is sufficient for the required IP addresses.

5 bits are used for the host and the remaining 3 bits are used for the subnet.

b. Find the network bits - The network bits can be obtained as:
Network bits = Total bits – Host bits = (32 – 5) = 27 bits.

c. Calculate the updated subnet mask

The updated subnet mask is:

11111111.11111111.11111111.11100000
255     .255     .255     .224


d. The range will be computed as:

Range = Maximum Subnet Mask – Updated Subnet Mask

  255.255.255.255
- 255.255.255.224
=   0.  0.  0. 31

Therefore, the network block for the 30 IP addresses is 10.10.10.0 to 10.10.10.31.

For the third requirement:

Total IP required = 10 + 2 = 12

a. Calculate the host bits

To provide that many addresses, we compare powers of two:

2^1 = 2  < 12
2^2 = 4  < 12   These are not sufficient for the IP addresses required.
2^3 = 8  < 12
2^4 = 16 >= 12  Take this option; it is sufficient for the required IP addresses.

4 bits are used for the host and the remaining 4 bits are used for the subnet.

b. Find the network bits - The network bits can be obtained as:
Network bits = Total bits – Host bits = (32 – 4) = 28 bits.

c. Calculate the updated subnet mask

The updated subnet mask is:

11111111.11111111.11111111.11110000
255     .255     .255     .240

d. The range will be computed as:

Range = Maximum Subnet Mask – Updated Subnet Mask

  255.255.255.255
- 255.255.255.240
=   0.  0.  0. 15

Therefore, the network block for the 10 IP addresses is 10.10.10.0 to 10.10.10.15.
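The VLSM procedure above, carried out in code as an added example (not part of the course notes): for each requested host count, largest first, it finds the host bits, network bits, mask and range exactly as steps a to d do, and then places each block immediately after the previous one inside 10.10.10.0/24 so that the three blocks never overlap. The "range" field is 255.255.255.255 minus the mask, which ipaddress calls the hostmask. The function names and the ValueError raised when the major network runs out of room are this example's own choices.

```python
import ipaddress


def host_bits_for(required_hosts):
    """Smallest number of host bits h such that 2**h >= required_hosts + 2.
    The +2 reserves the network and broadcast addresses, as in the course text."""
    needed = required_hosts + 2
    bits = 1
    while 2 ** bits < needed:
        bits += 1
    return bits


def vlsm_allocate(major_network, host_counts):
    """Carve one subnet per requested host count out of major_network.

    Requests are served largest first and each block starts right after the
    previous one, so blocks never overlap and every block stays aligned to its
    own size (each size divides the sizes handed out before it).
    """
    major = ipaddress.IPv4Network(major_network)
    next_address = int(major.network_address)
    allocations = []
    for wanted in sorted(host_counts, reverse=True):
        h = host_bits_for(wanted)
        block = ipaddress.IPv4Network((next_address, 32 - h))
        if block.broadcast_address > major.broadcast_address:
            raise ValueError(f"{major} has no room left for a block of {wanted} hosts")
        allocations.append({
            "requested_hosts": wanted,
            "host_bits": h,
            "network_bits": 32 - h,
            "mask": str(block.netmask),
            "range": str(block.hostmask),          # 255.255.255.255 - mask
            "network": str(block.network_address),
            "first_usable": str(block[1]),
            "last_usable": str(block[-2]),
            "broadcast": str(block.broadcast_address),
        })
        next_address += block.num_addresses
    return allocations


if __name__ == "__main__":
    for a in vlsm_allocate("10.10.10.0/24", [50, 30, 10]):
        print(f"{a['requested_hosts']:>3} hosts -> /{a['network_bits']} "
              f"{a['network']} - {a['broadcast']} (mask {a['mask']}, range {a['range']})")
```

With the three requirements from the text the allocator yields 10.10.10.0/26, 10.10.10.64/27 and 10.10.10.96/28, leaving 10.10.10.112 to 10.10.10.255 free for later requests.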


Network Devices
Hub
Hubs connect multiple computer networking devices together. A hub also acts as a repeater in
that it amplifies signals that deteriorate after traveling long distances over connecting cables.

Hubs do not filter packets and they do not perform addressing functions; they simply send
received data packets to all connected devices. Hubs operate at the Physical layer of the Open
Systems Interconnection (OSI) model.

Switch
A switch is a multiport device that maintains limited routing information about nodes in the
internal network. Switches can read and store the MAC addresses of incoming packets to
transmit them to the appropriate destination.

Switches improve network efficiency because of their virtual circuit capability, and they are also
more secure, since virtual circuits are more difficult to examine with network monitors.

A switch can work at either the Data Link layer or the Network layer of the OSI model. A
multilayer switch is one that can operate at both layers, which means that it can operate as both a
switch and a router. A multilayer switch is a high-performance device that supports the same
routing protocols as routers.

Router

Routers are intelligent layer three devices that interconnect two or more heterogeneous networks.
They store information about the networks they’re connected to. That means they establish
communication by maintaining tables about destinations and source connections. Most routers
can be configured to operate as packet-filtering firewalls and use access control lists (ACLs).
Routers also serve as the outside connection of a LAN to a WAN (border routers).

Routers divide internal networks into two or more subnetworks. They can also be connected
internally to other routers, creating zones that operate independently.


Because routers and gateways are the backbone of large computer networks like the internet,
they have special features that give them the flexibility and the ability to cope with varying
network addressing schemes and frame sizes through segmentation of big packets into smaller
sizes that fit the new network components.

Each router interface has its own Address Resolution Protocol (ARP) module, Media Access
Control (MAC) and Internet Protocol (IP) addresses.

Bridge

Bridges are used to connect two or more hosts or network segments together. The basic role of
bridges in network architecture is storing and forwarding frames between the different segments
that the bridge connects. They use hardware Media Access Control (MAC) addresses for
transferring frames. Bridges can also be used to connect two physical LANs into a larger logical
LAN.

Bridges work only at the Physical and Data Link layers of the OSI model. Bridges are used to
divide larger networks into smaller sections by sitting between two physical network segments
and managing the flow of data between the two.

Gateway

Gateways work at the Transport and Session layers of the OSI model. There are numerous
protocols and standards from different vendors running at the Transport layer and above;
therefore, gateways are used to deal with them. Gateways provide translation between
networking technologies such as Open System Interconnection (OSI) and Transmission Control
Protocol/Internet Protocol (TCP/IP) - protocol converter. Because of this, gateways connect two
or more autonomous networks, each with its own routing algorithms, protocols, topology,
domain name service, and network administration procedures and policies.

In fact, a router with added translation functionality is a gateway.


Modem

Modems (modulators-demodulators) are used to transmit digital signals over analog telephone
lines. Thus, digital signals are converted by the modem into analog signals of different
frequencies and transmitted to a modem at the receiving location. The receiving modem
performs the reverse transformation and provides a digital output to a device connected to a
modem, usually a computer.

Repeater
A repeater is an electronic device that amplifies the signal it receives. You can think of a repeater
as a device which receives a signal and retransmits it at a higher level or higher power so that the
signal can cover longer distances, more than 100 meters for standard LAN cables. Repeaters
work on the Physical layer.

Access Point
While an access point (AP) can technically involve either a wired or wireless connection, it
commonly means a wireless device. An AP works at the second OSI layer, the Data Link layer,
and it can operate either as a bridge connecting a standard wired network to wireless devices or
as a router passing data transmissions from one access point to another.

Wireless access points (WAPs) consist of a transmitter and receiver (transceiver) device used to
create a wireless LAN (WLAN). Access points typically are separate network devices with a
built-in antenna, transmitter and adapter. APs use the wireless infrastructure network mode to
provide a connection point between WLANs and a wired Ethernet LAN.

Each AP is limited by its transmission range and data process speed. The actual distance depends
on the wireless standard, the obstructions and environmental conditions between the client and
the AP.

APs might also provide many ports that can be used to increase the network’s size, firewall
capabilities and Dynamic Host Configuration Protocol (DHCP) service.

To connect to a wireless AP, you need a service set identifier (SSID) name. 802.11 wireless
networks use the SSID to identify all systems belonging to the same network, and client stations
must be configured with the SSID to be authenticated to the AP. The AP might broadcast the
SSID, allowing all wireless clients in the area to see the AP’s SSID. However, for security
reasons, APs can be configured not to broadcast the SSID, which means that an administrator
needs to give client systems the SSID instead of allowing it to be discovered automatically.

CLI Configuration Manager

Access Methods

 Console - This is a physical management port that provides out-of-band access to a Cisco
device.
 Secure Shell (SSH) - SSH is a method for remotely establishing a secure CLI connection
through a virtual interface, over a network.
 Telnet - Telnet is an insecure method of remotely establishing a CLI session through a
virtual interface, over a network.

IOS Command Structure

 Keyword - a specific parameter defined in the operating system (IP protocols)
 Argument - not predefined; a value or variable defined by the user (192.168.10.5)


Hot & Shortcut keys

Tab - Completes a partial command name entry.
Backspace - Erases the character to the left of the cursor.
Ctrl-D - Erases the character at the cursor.
Ctrl-K - Erases all characters from the cursor to the end of the command line.
Esc-D - Erases all characters from the cursor to the end of the word.
Enter Key - Displays the next line.
Space Bar - Displays the next screen.
Any Key - Ends the display string, returning to privileged EXEC mode.
Ctrl-C - Ends the configuration mode and returns to privileged EXEC mode; when in setup
mode, aborts back to the command prompt.
Ctrl-Z - Ends the configuration mode and returns to privileged EXEC mode.
Ctrl-Shift-6 - All-purpose break sequence (DNS lookup, ping, traceroute, …).

Command Modes

Mode (Device Prompt) - Description

User EXEC Mode (Switch> / Router>) - This mode has limited capabilities but is useful for
basic operations.
Privileged EXEC Mode (Switch# / Router#) - To execute configuration commands, a network
administrator must access privileged EXEC mode.
Global Configuration Mode (Switch(config)#) - This mode is accessed before other specific
configuration modes. From this mode, the user can enter different sub-configuration modes.
Line Configuration Mode (Switch(config-line)#) - Used to configure console, SSH, Telnet, or
AUX access.
Interface Configuration Mode (Switch(config-if)#) - Used to configure a switch port or router
network interface.

Network Device Configuration, CH-IV

Chapter Two – Router and Switch

2.1. Basic configuration

2.1.1. Connecting to a Device


There are different ways to connect to a Cisco device in order to configure it, verify its
configuration, and check statistics:
1. The first place you would usually connect to is the console port. The console port is
usually an RJ45, 8-pin modular connection located at the back of the device, and there
may or may not be a password set on it by default.
2. An auxiliary port, which is really the same thing as a console port, is the second way. The
main difference with an auxiliary port is that it also allows you to configure modem
commands so that a modem can be connected to the router. It also lets you dial up a
remote router and attach to the auxiliary port if the router is down and you need to
configure it remotely, out-of-band. One of the differences between Cisco routers and
switches is that switches do not have an auxiliary port.
3. The third way to connect to a Cisco device is in-band, through the program Telnet or
Secure Shell (SSH). In-band means configuring the device via the network, the opposite
of out-of-band.

2.1.2. Starting a router or switch

1. It will run a power-on self-test (POST).
2. The machine will load the IOS from flash memory and expand it into RAM.
3. Load a valid configuration (startup-config) stored in nonvolatile RAM (NVRAM).
4. The startup-config will be copied from NVRAM into RAM and from then on
referred to as the running-config.
5. If a valid startup-config isn’t found in NVRAM, the switch will enter setup mode.


2.2. Passwords

There are five passwords needed to secure Cisco routers: console, auxiliary, Telnet/SSH (VTY),
enable password, and enable secret. The enable secret and enable password are the ones used to
set the password securing privileged mode. Once the enable commands are set, users will be
prompted for a password. The other three are used to configure a password when user mode is
accessed through the console port, through the auxiliary port, or via Telnet.

Enable Passwords

Enable Secret

Console Password

Telnet Password

Auxiliary Password

2.3. Wildcard masks

Wildcards are used with access lists to specify an individual host, a network, or a specific range
of networks in block sizes. The different block sizes available are 64, 32, 16, 8, and 4. When
you need to specify a range of addresses, you choose the next-largest block size for your needs.
 To specify 34 networks, you need a block size of 64.
 To specify 18 hosts, you need a block size of 32.
 To specify only 2 networks, go with a block size of 4.


Wildcards are used with the host or network address to tell the router a range of available
addresses to filter.

To specify a host, the address would look like this: 10.100.5.3 0.0.0.0. The four zeros represent
each octet of the address.

 A zero indicates that the octet in the address must exactly match the corresponding
reference octet.
 The number 255 indicates that an octet can be any value.

Example:
 To specify a /24 subnet with a wildcard mask:
10.100.5.0 0.0.0.255 -> tells the router to match the first three octets exactly, but the
fourth octet can be any value.
If someone wants to specify only a small range of subnets, he/she needs to specify the range of
values in a block size, so he/she can’t choose to specify 20 networks. He/she can only specify the
exact amount that the block size value allows. This means the range has to be either 16 or 32, but
not 20.
Example 1:
 To block access to the part of the network that ranges from 10.100.5.0 through
10.100.10.255:
 You would go with a block size of 8.
 Your network number would be 10.100.5.0.
 The wildcard would be 0.0.7.255. The 7.255 equals the value the router will use to
determine the block size.
 The network number and the wildcard tell the router to begin at 10.100.5.0 and go up
a block size of eight addresses.
All you need to remember is that the wildcard is always one number less than the block size. So,
if the block size is 8, the wildcard would be 7, and if you used a block size of 16, the wildcard
would be 15.
Example 2:
 To configure a router to start the network at 10.100.16.0 through 10.100.19.255:
 Use a block size of 4.


 Your network number would be 10.100.16.0.
 The wildcard would be 0.0.3.255.
Exercise:
Specify the range of addresses, wildcard mask and block size for the following IP addresses:
1. 172.16.0.0/16 - 172.29.0.0/16
2. 192.168.6.0/24 - 192.168.12.0/24
3. 10.10.0.0 - 10.16.255.255
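The block-size rule and the two examples above, plus the three exercise ranges, worked in Python as an added example (not part of the course notes). It goes one step beyond the text: besides choosing the block size and wildcard, it computes the lowest and highest address a router will actually match for a network/wildcard pair, because the router compares bit by bit and therefore rounds the starting network down to a multiple of the block size. That check is worth running before an access list goes live. The function names are this example's own; only the ipaddress module is used.

```python
import ipaddress


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_match(candidate, reference, wildcard):
    """The router's test: every bit whose wildcard bit is 0 must equal the
    reference bit; bits under a 1 in the wildcard are ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(candidate) & care) == (_to_int(reference) & care)


def matched_range(reference, wildcard):
    """Lowest and highest address a reference/wildcard pair really matches
    (contiguous wildcard assumed). The reference is rounded down to the block
    boundary, so a reference that is not a multiple of the block size covers a
    different span than the one the writer had in mind."""
    w = _to_int(wildcard)
    low = _to_int(reference) & ~w & 0xFFFFFFFF
    return _to_dotted(low), _to_dotted(low | w)


def block_for_range(first_network, last_network, octet=3):
    """Pick the block size and wildcard for consecutive networks that differ in
    the given 1-based octet (3 for /24 subnets, 2 for /16 subnets).

    Returns (block_size, wildcard, aligned_start): the next-largest power of
    two covering the span, the wildcard (block size - 1 in that octet, 255 in
    the octets below it) and the network number the block actually begins on."""
    shift = 8 * (4 - octet)
    span = ((_to_int(last_network) - _to_int(first_network)) >> shift) + 1
    block_size = 1
    while block_size < span:
        block_size *= 2
    wildcard_int = (block_size << shift) - 1
    aligned_start = _to_int(first_network) & ~wildcard_int & 0xFFFFFFFF
    return block_size, _to_dotted(wildcard_int), _to_dotted(aligned_start)


if __name__ == "__main__":
    # The two examples from the text, then the three exercise ranges.
    print(block_for_range("10.100.5.0", "10.100.10.255"))        # block size 8, wildcard 0.0.7.255
    print(matched_range("10.100.5.0", "0.0.7.255"))              # what that pair really covers
    print(block_for_range("10.100.16.0", "10.100.19.255"))       # block size 4, wildcard 0.0.3.255
    print(block_for_range("172.16.0.0", "172.29.0.0", octet=2))
    print(block_for_range("192.168.6.0", "192.168.12.0"))
    print(block_for_range("10.10.0.0", "10.16.255.255", octet=2))
```

For Example 1 the pair 10.100.5.0 0.0.7.255 does give block size 8, but matched_range shows the router covering 10.100.0.0 through 10.100.7.255, so the aligned_start value (10.100.0.0 here) is the one to compare against the range the policy intended.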

2.4. Access Control Lists


An access list is a list of conditions that categorize packets, and it is used when you need to
exercise control over network traffic. An ACL can be used to:

 Filter unwanted packets when implementing security policies (e.g. allow only certain hosts
to access web resources on the Internet while restricting others).
 Enforce nearly any security policy.
 Access-list statements are basically packet filters that packets are compared against,
categorized by, and acted upon accordingly.

Creating access lists is like programming a series of if … then statements. If a given condition is
met, then an action is taken; otherwise nothing happens and the next statement is evaluated.

 Once the lists are built, they can be applied to either inbound or outbound traffic on any
interface.
 An access list causes the router to analyze every packet on that interface and take the
appropriate action.

There are three important rules that a packet follows when it’s being compared with an access
list:
1. The packet is always compared with each line of the access list in sequential order; it will
always start with the first line of the access list.
2. The packet is compared with lines of the access list only until a match is made. Once the
matching condition is obtained, the packet will be acted upon and no further comparisons
take place.


3. There is an implicit “deny” at the end of each access list. Therefore, if a packet doesn’t
match any listed condition it will be discarded.
There are two main types of access lists:
 Standard access lists: use only the source IP address in an IP packet as the condition test.
They permit or deny an entire suite of protocols.
 Extended access lists: can evaluate source and destination IP addresses, the Protocol
field in the Network layer header, and the port number in the Transport layer header. They
have the ability to make many more decisions when controlling traffic.
Once an access list is created, you need to apply it to an interface on the router/switch where you
want the traffic filtered, and you need to specify which direction of traffic you want the access
list applied to. These directions are:
 Inbound access lists: applied to inbound packets on an interface, which are processed
before being routed to the outbound interface. Any packets that are denied won’t be routed,
because they’re discarded before routing.
 Outbound access lists: applied to outbound packets on an interface, which are routed to
the outbound interface and then processed through the access list.

Access-list guidelines:

i. Assign only one access list per interface per protocol per direction. That means, one can
have only one inbound access list and one outbound access list per interface.
ii. More specific tests should be at the top.
iii. A new entry added to the access list will be placed at the bottom of the list.
iv. You can’t remove one line from an access list. It’s best to copy the access list to a text
editor before trying to edit the list.
v. All packets will be discarded if they do not meet any of the tests, unless the access list
ends with a permit any command.
vi. An access list applied to an interface without access-list test statements will not filter
traffic.
vii. Access lists will not filter traffic that has originated from the router. They are designed to
filter traffic going through the router.
viii. Place standard access lists as close to the destination as possible.


ix. Place extended access lists as close to the source as possible.


Access list type is generally differentiated by number. Standard access lists are created by
using the access-list numbers 1–99 or numbers in the expanded range 1300–1999.

Syntax used when creating a standard IP access list:

access-list 10 ?
deny - Specify packets to reject
permit - Specify packets to forward
remark - Access list entry comment

access-list 10 deny ?
any - IP address to specify either a single host or a range of them.
host - A command to specify a specific host address.
access-list 10 deny host 10.10.25.100

Using access-list with a wildcard mask:

access-list 10 deny 10.10.25.0 0.0.0.255 - tells the router to match the first
three octets exactly but the last octet can be anything.
access-list 10 deny 10.10.0.0 0.0.255.255 - tells the router to match the
first two octets and the last two octets can be anything.

Example:

Based on the design shown below, let’s deny users on the HRM LAN access to the
Registrar LAN, while they should still have access to the Internet and other LANs.
access-list 10 deny 10.10.30.0 0.0.0.255
access-list 10 permit any
The next step is applying the access list, and the best place to apply this access list is on the
Gigabit interface (Gig0/1) of the HRM department as an outbound list:
interface GigabitEthernet0/1
ip access-group 10 out


Exercise:
1. Write a standard access-list that will deny registrar LAN from accessing both HRM and
Finance network.
2. Write a standard access-list that will deny Finance LAN from accessing HRM and
Internet.
3. Write a standard access-list that will deny the Registrar LAN from accessing Internet.

Extended Access List


Extended ACLs allow specifying source and destination addresses as well as the protocol and
port number that identify the upper-layer protocol or application. They effectively allow users
access to a physical LAN while denying them access to specific hosts and services. Extended
access lists range from 100 to 199, as well as the expanded range from 2000 to 2699.
Example:
access-list 110 deny tcp any host 10.10.30.2 eq 23 log
tcp - the protocol; the specific destination TCP port is indicated at the end of the line
any - source address
10.10.30.2 - specific destination address
eq - “equal to”, entered as eq to specify the type of service to deny
23 - block Telnet (port 23) to host 10.10.30.2
log - used to log a message every time the access list entry is hit.
In general, the access list denies any source host trying to telnet to destination host 10.10.30.2.

Example:
To deny access to a host at 10.10.20.2 on the HRM department LAN for both the Telnet and SSH
services, while all other services on this and other hosts remain acceptable for the Registrar and
Finance LANs:
access-list 120 deny tcp any host 10.10.20.2 eq 22
access-list 120 deny tcp any host 10.10.20.2 eq 23
access-list 120 permit ip any any
The next step is to apply the list to interface Gig0/1 to block all outside SSH and Telnet access to
the host 10.10.20.2:
interface gigabitEthernet 0/1
ip access-group 120 out
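An added example, not code from the course notes, that models how a router walks a numbered access list: the three rules from this section (top to bottom, first match wins, implicit deny at the end) applied to the standard list 10 and the extended lists 110 and 120 shown above. The parser understands only the command forms that appear in this chapter (any, host, address with wildcard, eq <port>, log); the Packet class, the dictionary layout and the function names are this example's own assumptions, and the addresses are the ones used in the text.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet header fields, just what ACL matching needs."""
    src: str
    dst: str
    protocol: str        # "tcp", "udp" or "icmp"
    dst_port: int = 0


ANY = ("0.0.0.0", "255.255.255.255")   # 'any' is shorthand for this address/wildcard pair


def _wildcard_match(address, reference, wildcard):
    """Bits under a 0 in the wildcard must be equal; bits under a 1 are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (int(ipaddress.IPv4Address(reference)) & care)


def _read_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare host."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return tokens[0], tokens[1], tokens[2:]
    return tokens[0], "0.0.0.0", tokens[1:]


def parse_acl(config_lines):
    """Turn 'access-list N ...' lines into ordered entries. Numbers 1-99 and
    1300-1999 are standard lists (source address only); everything else is read
    as the extended form used in this chapter: protocol, source, destination and
    an optional 'eq <port>'. Remarks are skipped, order of entry is kept."""
    entries = []
    for line in config_lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        entry = {"number": number, "action": action, "protocol": "ip", "port": None}
        if 1 <= number <= 99 or 1300 <= number <= 1999:
            entry["src"], entry["src_wc"], rest = _read_address(rest)
            entry["dst"], entry["dst_wc"] = ANY
        else:
            entry["protocol"], rest = rest[0], rest[1:]
            entry["src"], entry["src_wc"], rest = _read_address(rest)
            entry["dst"], entry["dst_wc"], rest = _read_address(rest)
            if rest[:1] == ["eq"]:
                entry["port"], rest = int(rest[1]), rest[2:]
        entry["log"] = "log" in rest
        entries.append(entry)
    return entries


def evaluate(entries, packet):
    """The three rules: compare top-down, stop at the first match, implicit deny
    when nothing matched. Returns (action, matched_entry or None)."""
    for entry in entries:
        if entry["protocol"] not in ("ip", packet.protocol):
            continue
        if not _wildcard_match(packet.src, entry["src"], entry["src_wc"]):
            continue
        if not _wildcard_match(packet.dst, entry["dst"], entry["dst_wc"]):
            continue
        if entry["port"] is not None and entry["port"] != packet.dst_port:
            continue
        return entry["action"], entry
    return "deny", None          # implicit deny at the end of every list


if __name__ == "__main__":
    acl120 = parse_acl([
        "access-list 120 deny tcp any host 10.10.20.2 eq 22",
        "access-list 120 deny tcp any host 10.10.20.2 eq 23",
        "access-list 120 permit ip any any",
    ])
    for pkt in (Packet("10.10.30.5", "10.10.20.2", "tcp", 22),
                Packet("10.10.30.5", "10.10.20.2", "tcp", 80),
                Packet("10.10.30.5", "10.10.20.3", "tcp", 23)):
        action, hit = evaluate(acl120, pkt)
        print(pkt, "->", action, "(entry:", hit and hit["port"], ")")
```

Dropping the final permit ip any any from list 120 is the quickest way to see rule 3 in action: every packet that is not Telnet or SSH to 10.10.20.2 then falls through to the implicit deny, which is exactly the outage the guideline about ending with a permit any warns about.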

Exercise:
1. Write an access list that will prevent Telnet access to Finance and Registrar networks
attached to the Gig0/0 and Gig0/2 interfaces.
2. Write an access list that will deny HTTP and DNS access to HRM and Registrar networks.
3. Write an access list that will prevent SSH access from HRM network to Registrar network.
4. Assume you have identified that some unknown users are frequently trying to log in to the
registrar network through a remote connection, which is completely forbidden, while the
reverse is allowed. Write an access list that will prevent the registrar network from being
accessed by remote login.

Network Device Configuration, CH-IV

2.5. Remote access

Setting Up Secure Shell (SSH)

Secure Shell (SSH) should be used instead of Telnet because it provides an encrypted session.
Telnet sends its data stream, including the username and password, in cleartext; SSH negotiates
encryption keys so that credentials and session data are never sent in the clear.
To set-up SSH:
1. Set hostname:
2. Set domain name:
3. Set username to allow SSH client access:

4. Generate the encryption keys for securing the session:

5. Enable SSH version 2:


6. Enter the VTY line configuration of the switch or router:


7. Tell the lines to authenticate against the local username database:
8. Configure access protocols:

Note:-
* If the keyword telnet is not added at the end of the transport input command, only SSH is accepted on the lines.
* Both hostname and domain name are required for the encryption keys to be generated.
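The following Python script is an added example (not from the course or from Cisco): it parses a small IOS running-config and reports the remote-access weaknesses that the eight steps above are meant to remove. Both configurations embedded in it are constructed for this example, and the hostname, domain name, username and hash are assumptions; the RSA key pair generated in step 4 does not appear in the running-config, so the script checks for ip ssh version 2 and the VTY transport settings instead.

```python
from typing import Dict, List, Tuple

# Constructed sample: a router whose VTY lines still accept Telnet and whose user is stored reversibly.
WEAK_CONFIG = """\
hostname wkuRouter
ip domain-name wku.example
username admin password cisco123
line vty 0 4
 login
 password cisco
 transport input telnet ssh
"""

# Constructed sample: the same router after the eight steps above (names and hash are placeholders).
HARDENED_CONFIG = """\
hostname wkuRouter
ip domain-name wku.example
username admin secret 5 $1$abcd$examplehashvalue
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""


def parse_ios_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level commands and the indented children of each section."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_remote_access(text: str) -> List[str]:
    """Return findings about remote access; an empty list means every check passed."""
    top, sections = parse_ios_config(text)
    findings: List[str] = []
    if not any(t.startswith("hostname ") for t in top):
        findings.append("no hostname configured (required before the RSA keys can be generated)")
    if not any(t.startswith("ip domain-name ") for t in top):
        findings.append("no ip domain-name configured (required before the RSA keys can be generated)")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set; SSHv1 may be negotiated")
    for t in top:
        if t.startswith("username ") and " password " in t:
            findings.append(f"'{t.split()[1]}' uses reversible 'password'; use 'secret'")
    for name, children in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = [c for c in children if c.startswith("transport input")]
        if not transport:
            findings.append(f"{name}: no explicit 'transport input'; the default depends on the release and may allow Telnet")
        elif any("telnet" in c or c.endswith(" all") for c in transport):
            findings.append(f"{name}: '{transport[0]}' allows cleartext Telnet")
        if "login local" not in children:
            findings.append(f"{name}: 'login local' missing; VTY is not using the local username database")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_remote_access(cfg) or ["OK"])
```

The same parser can be pointed at a saved show running-config; the checks are deliberately string-based so that they do not depend on a particular IOS release.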

2.6. Logging with syslog usage

The system messages a switch or router keeps in its internal buffer help you see what is happening
on the network at a particular time. Sending these messages to a syslog server stores them
centrally and can add time stamps and sequence numbers to them.

A syslog server lets you sort, search and display messages, which makes it a very useful
troubleshooting tool. Searches can use keywords and severity levels, and the server can e-mail
administrators based on the severity of a message.

Network devices can be configured to generate a syslog message and forward it to various
destinations. These are popular ways to gather messages from devices:

 Logging buffer
 Console line
 Terminal lines
 Syslog server

2.6.1. Syslog server:

Syslog server message format:

Seq no: timestamp: %facility-severity-MNEMONIC: description
 Seq no - sequence number of the message (shown only if configured)
 Timestamp - date and time of the message or event (shown only if configured)
 Facility - the facility (subsystem) the message refers to
 Severity - a single digit from 0 to 7 indicating the severity of the message
 MNEMONIC - text string that uniquely identifies the message type
 Description - text string with detailed information about the event being reported

Severity level  Name           Explanation
0               Emergency      System is unusable
1               Alert          Immediate action is needed
2               Critical       Critical condition
3               Error          Error condition
4               Warning        Warning condition
5               Notification   Normal but significant condition
6               Informational  Normal information message
7               Debugging      Debugging message

Table: Severity levels

By default, the console and the logging buffer receive log messages of all severities, so no
configuration is needed to enable them.

To disable the defaults, use the following commands:

To see the buffers:

Configuring a device to send messages to a syslog server:

Limit the amount of messages sent to the syslog server, based on severity:


To configure the router to use sequence numbers:
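As an added example rather than course material, the Python code below parses IOS syslog lines into the fields described above, applies the same severity threshold that logging trap <level> enforces on the device (a message is forwarded when its severity number is less than or equal to the configured level, since lower numbers are more severe), and runs one simple detection over the result: repeated %SEC_LOGIN-4-LOGIN_FAILED messages from a single source address. The log lines are constructed for this example; the sequence number and timestamp are optional, as noted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity keywords as used by 'logging trap <level>'; the list index is the severity number.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Seq no: timestamp: %FACILITY-SEVERITY-MNEMONIC: description
# Sequence number and timestamp appear only when configured, so both are optional.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                 # optional sequence number
    r"(?:(?P<ts>[^%]+?): )?"                # optional timestamp: everything up to ': %'
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<description>.*)$"
)


@dataclass(frozen=True)
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    description: str


def parse_line(line: str) -> SyslogMessage:
    """Split one IOS syslog line into its fields; raise if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Cisco syslog line: {line!r}")
    return SyslogMessage(
        seq=int(m["seq"]) if m["seq"] else None,
        timestamp=m["ts"],
        facility=m["facility"],
        severity=int(m["severity"]),
        mnemonic=m["mnemonic"],
        description=m["description"],
    )


def trap_filter(messages: List[SyslogMessage], level: int) -> List[SyslogMessage]:
    """Keep what 'logging trap <level>' would forward: severity number <= level (0 is most severe)."""
    return [msg for msg in messages if msg.severity <= level]


SOURCE_RE = re.compile(r"\[Source: (\d+\.\d+\.\d+\.\d+)\]")


def failed_logins_by_source(messages: List[SyslogMessage], threshold: int = 3) -> Dict[str, int]:
    """Count %SEC_LOGIN-4-LOGIN_FAILED messages per source address; report sources at or over threshold."""
    counts: Dict[str, int] = {}
    for msg in messages:
        if msg.facility == "SEC_LOGIN" and msg.mnemonic == "LOGIN_FAILED":
            m = SOURCE_RE.search(msg.description)
            if m:
                counts[m[1]] = counts.get(m[1], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log (not captured from a real device). The fifth line has neither sequence
# number nor timestamp and the sixth has a timestamp only, to exercise the optional fields.
SAMPLE_LOG = [
    "000045: *Mar  1 00:02:15.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.30.5)",
    "000046: *Mar  1 00:02:40.001: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.10.30.99] [localport: 22] [Reason: Login Authentication Failed] at 00:02:40 UTC Mon Mar 1 1993",
    "000047: *Mar  1 00:02:41.554: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.10.30.99] [localport: 22] [Reason: Login Authentication Failed] at 00:02:41 UTC Mon Mar 1 1993",
    "000048: *Mar  1 00:02:43.009: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.10.30.99] [localport: 22] [Reason: Login Authentication Failed] at 00:02:43 UTC Mon Mar 1 1993",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:03:10.777: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "000050: *Mar  1 00:03:12.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.30.5] [localport: 22] at 00:03:12 UTC Mon Mar 1 1993",
]

if __name__ == "__main__":
    messages = [parse_line(line) for line in SAMPLE_LOG]
    for msg in trap_filter(messages, SEVERITY_NAMES.index("warnings")):
        print(f"{msg.severity} {SEVERITY_NAMES[msg.severity]:<13} {msg.facility}-{msg.mnemonic}: {msg.description}")
    print("repeated login failures:", failed_logins_by_source(messages))
```

Filtering at the collector, as here, is only useful if the device actually forwarded the messages; a device configured with logging trap errors never sends the severity-4 login failures, so the detection above would see nothing.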

25
Network Device Configuration, CH-IV

Routers
A router is a hardware device designed to receive, inspect and forward incoming packets to another
network. It may also re-encapsulate packets for a different network interface, drop them, or
perform other actions relating to the network.

A router has more capabilities than other network devices: it can inspect the data being sent over
a network, change how it is packaged, and send it to another network or over a different network.

4.1.Router basic configuration:

Routing takes a packet from one device and sends it through the network to another device on a
different network. Routers don’t care about hosts; they care about networks and the best path to
each one of them. The logical network address (IP address) of the destination host is used to get
packets through the routed network, and the hardware address of the host is used on the final hop
to deliver the packet from the router to the correct destination host.

A router’s job is to route traffic to all the networks in your internetwork. To route a given
packet, a router needs to know:
 Destination address
 Neighbor routers from which it can learn about remote networks
 Possible routes to all remote networks
 The best route to each remote network
 How to maintain and verify routing information

The router builds a routing table, which is a map of the internetwork. It describes how to find
remote networks. If the network is directly connected, it already knows how to get to it but if the
network isn’t directly connected to the router, the router must use one of two ways to learn how
to get to the remote network. These are Static Routing and Dynamic Routing.

In static routing every network location has to be typed into the routing table by hand, which
can be a tedious task.

In dynamic routing method, a protocol on one router communicates with the same protocol
running on neighboring routers. The routers then update each other about all the networks they
know about and place this information into the routing table.

4.2.Static routing
Static routing is the process of manually entering routes into each router’s routing table.
The advantage of Static Routing:
 There is no overhead on the router CPU
 There is no bandwidth usage between routers
 It is more secure, since the administrator controls exactly which networks are reachable and through which routers.
The disadvantage of Static Routing:
 The administrator must have a good understanding of internetwork and how each router is
connected in order to route correctly.
 If the administrator doesn’t have good and accurate map of the internetwork, things will get
very messy.
 When one network is added, a route has to tediously be added to it and on all routers by
hand, which becomes impractical as the network grows.
 It’s not feasible to use it in most large networks since maintaining it would be tedious.

Command syntax used to add a static route to a routing table:

wkuRouter(config)#ip route [destination_network] [subnet_mask] [next-hop_address | exit_interface] [administrative_distance]

 ip route - The command used to create the static route.
 destination_network - The network you are placing in the routing table.
 subnet_mask - The subnet mask of the network.
 next-hop_address - The IP address of the next-hop router that will receive packets and forward them to the remote network.
 exit_interface - May be used in place of the next-hop address on point-to-point links; the route then shows up as directly connected.
 administrative_distance (AD) - A measure of the trustworthiness of the source of a route. An AD is an integer from 0 to 255, where 0 is the most trusted and 255 means the route is never used. Static routes have an AD of 1 by default; giving one a higher value than the dynamic routing protocol creates a "floating" static route that is used only if the dynamically learned route disappears.

Example -1:
wkuRouter(config)#ip route 10.194.6.0 255.255.255.0 10.10.10.2
 ip route – Static Routing command.
 10.194.6.0 - The remote network we want to send packets to.
 255.255.255.0 - The mask of the remote network.
 10.10.10.2 - The next hop, or router, that packets will be sent to.

Example - 2:
wkuRouter(config)#ip route 192.168.64.0 255.255.192.0 172.16.10.3 150
 ip route – Static Routing command.
 192.168.64.0 - The remote network we want to send packets to.


 255.255.192.0 - The mask of the remote network.


 172.16.10.3 - The next hop, or router, that packets will be sent to.
 150 – Administrative distance

Example - 3:
wkuRouter(config)#ip route 172.16.3.0 255.255.255.0 s0/0/0
 ip route – Static Routing command.
 172.16.3.0 - The remote network we want to send packets to.
 255.255.255.0 - The mask of the remote network.
 s0/0/0 - The exit interface of the router.

To see the routing table run the following command

wkuRouter#show ip route

Symbol  Acronym  Description                                   Administrative Distance (AD)
L       -        Local route (address of a router interface)   0
C       -        Directly connected network                    0
S       -        Static route                                  1
D       EIGRP    Enhanced Interior Gateway Routing Protocol    90
O       OSPF     Open Shortest Path First                      110
R       RIP      Routing Information Protocol                  120

Default Routing (Gateway of last resort)


A default route is used to forward any packet whose destination is not found in the routing
table.
A stub network has only one way out to reach all other networks, so instead of creating multiple
static routes on its router we can use a single default route:

wkuRouter(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2

 Every packet the router receives with a destination not found in the routing table is
forwarded to 10.10.10.2 (the default route, shown as the gateway of last resort).
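The routing-table model below is an added example (Python, not IOS) of how the router chooses between the routes entered in Examples 1 to 3 and the default route above: for each prefix it installs only the candidate with the lowest administrative distance, and answers a lookup with the longest matching prefix, falling back to 0.0.0.0/0 only when nothing longer matches. The RIP-learned route to 192.168.64.0/18 and the connected link are assumptions added to show why Example 2 set its static route’s AD to 150: the static route stays out of the table while the RIP route exists and is installed as soon as the RIP route disappears (a floating static route).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    admin_distance: int
    via: str       # next-hop address or exit interface
    source: str    # code shown by 'show ip route': C, S, D, O, R


# Default administrative distances from the table above (lower is more trusted).
DEFAULT_AD = {"C": 0, "S": 1, "D": 90, "O": 110, "R": 120}


class RoutingTable:
    """Candidate routes from every source; only the best per prefix is 'installed', as on a router."""

    def __init__(self) -> None:
        self.candidates: List[Route] = []

    def add(self, prefix: str, via: str, source: str, admin_distance: Optional[int] = None) -> None:
        ad = DEFAULT_AD[source] if admin_distance is None else admin_distance
        self.candidates.append(Route(ipaddress.IPv4Network(prefix), ad, via, source))

    def withdraw(self, prefix: str, source: str) -> None:
        """Remove a route the way a protocol does when the network goes away (e.g. RIP times it out)."""
        net = ipaddress.IPv4Network(prefix)
        self.candidates = [r for r in self.candidates if not (r.prefix == net and r.source == source)]

    def installed(self) -> List[Route]:
        """Per prefix, keep the candidate(s) with the lowest AD; equal-AD routes are kept together."""
        best: Dict[ipaddress.IPv4Network, List[Route]] = {}
        for r in self.candidates:
            cur = best.get(r.prefix)
            if cur is None or r.admin_distance < cur[0].admin_distance:
                best[r.prefix] = [r]
            elif r.admin_distance == cur[0].admin_distance:
                cur.append(r)
        return [r for routes in best.values() for r in routes]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; 0.0.0.0/0 (gateway of last resort) wins only when nothing longer matches."""
        ip = ipaddress.IPv4Address(dst)
        matches = [r for r in self.installed() if ip in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def build_example_table() -> RoutingTable:
    """The static routes from Examples 1-3 and the default route above, plus two assumed routes."""
    t = RoutingTable()
    t.add("10.10.10.0/30", "GigabitEthernet0/0", "C")        # assumed: link towards the 10.10.10.2 neighbour
    t.add("10.194.6.0/24", "10.10.10.2", "S")                 # Example 1
    t.add("192.168.64.0/18", "172.16.10.3", "S", 150)         # Example 2: floating static, AD 150
    t.add("192.168.64.0/18", "10.10.10.2", "R")               # assumed: same prefix learned via RIP (AD 120)
    t.add("172.16.3.0/24", "Serial0/0/0", "S")                # Example 3: exit interface
    t.add("0.0.0.0/0", "10.10.10.2", "S")                     # default route (gateway of last resort)
    return t


if __name__ == "__main__":
    table = build_example_table()
    for dst in ("10.194.6.77", "192.168.70.1", "172.16.3.9", "8.8.8.8"):
        r = table.lookup(dst)
        print(f"{dst:<14} -> {r.source} {r.prefix} via {r.via} [AD {r.admin_distance}]")
    table.withdraw("192.168.64.0/18", "R")            # the RIP route times out ...
    r = table.lookup("192.168.70.1")                    # ... and the floating static route takes over
    print(f"after RIP loss: 192.168.70.1 -> {r.source} {r.prefix} via {r.via} [AD {r.admin_distance}]")
```

Administrative distance only decides between sources for the same prefix; a more specific prefix from a less trusted source still wins the lookup, which is why the model compares prefix length first.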


4.3.Dynamic routing:
 In dynamic routing method, a protocol on one router communicates with the same
protocol running on neighboring routers. The routers then update each other about all the
networks they know about and place this information into the routing table.
 If a change occurs in the network, the dynamic routing protocols automatically inform all
routers about the event
 This is easier than using static or default routing, but it will cost more router CPU
processing and network bandwidth.

4.4.Routing protocols
Two types of routing protocols are used in internetworks: interior gateway protocols (IGPs) and
exterior gateway protocols (EGPs).

IGPs are used to exchange routing information with routers in the same autonomous system (AS).
An AS is either a single network or a collection of networks under a common administrative
domain, which basically means that all routers sharing the same routing table information are in
the same AS. EGPs are used to communicate between ASs. An example of an EGP is Border
Gateway Protocol (BGP).

There are three classes of routing protocols:

Distance Vector - Finds the best path to a remote network by judging distance. In RIP routing,
each instance where a packet goes through a router is called a hop, and the route with the least
number of hops to the network will be chosen as the best one. The vector indicates the direction
to the remote network. RIP is a distance-vector routing protocol and periodically sends out the
entire routing table to directly connected neighbors.

Link State - Also called shortest-path-first (SPF) protocols. Each router creates three separate
tables. One table keeps track of directly attached neighbors, the other determines the topology of
the entire internetwork, and the third one is used as the routing table. Link-state routers know
more about the internetwork than any distance-vector routing protocol.


Link state routing tables are not exchanged periodically. Instead, triggered updates containing
only specific link-state information are sent. Periodic information that is small and efficient, in
the form of hello messages, is exchanged between directly connected neighbors to establish and
maintain neighbor relationships.

Advanced distance vector - Uses aspects of both distance-vector and link-state protocols. Uses
a Hello protocol to discover neighbors and form neighbor relationships. It is still based on the
key distance-vector routing protocol principle that information about the rest of the network is
learned from directly connected neighbors.

4.4.1. Routing Information Protocol (RIP)

RIP is a true distance-vector routing protocol. It sends the complete routing table out of all active
interfaces every 30 seconds and relies on hop count to determine the best way to a remote
network. The maximum allowable hop count in RIP is 15, so a destination 16 hops away is
unreachable.

RIP works in very small networks, but it is very inefficient on large networks with slow WAN
links or many routers, and because its metric ignores bandwidth it chooses poorly on networks
whose links have different speeds.

 RIP version 1 uses only classful routing - All devices in the network must use the same
subnet mask.
 RIP version 2 uses classless routing - Provides prefix routing and sends subnet mask
information with its route updates.


Figure: Sample Network for RIP Routing

RIP Configuration:

gubryeCampus:
Enable the RIP routing protocol
gubryeCampus(config)#router rip
Add the directly connected networks (RIP takes classful network statements, so 10.10.194.0 is treated as 10.0.0.0)
gubryeCampus(config-router)#network 192.168.0.0
gubryeCampus(config-router)#network 10.10.194.0
gubryeCampus(config-router)#network 172.16.40.0
Run only RIPv2, which is a classless routing protocol
gubryeCampus(config-router)#version 2
Disable auto-summary so that the individual subnets are advertised
gubryeCampus(config-router)#no auto-summary

wolkiteCampus:


wolkiteCampus(config)#router rip
wolkiteCampus(config-router)#network 192.168.0.0
wolkiteCampus(config-router)#network 10.10.160.0
wolkiteCampus(config-router)#network 172.16.30.0
wolkiteCampus(config-router)#version 2
wolkiteCampus(config-router)#no auto-summary

butajiraCampus:
butajiraCampus(config)#router rip
butajiraCampus(config-router)#network 172.16.30.0
butajiraCampus(config-router)#network 172.16.40.0
butajiraCampus(config-router)#network 10.10.150.0
butajiraCampus(config-router)#version 2
butajiraCampus(config-router)#no auto-summary

4.4.2. Interior Gateway Routing Protocol (IGRP) / Enhanced IGRP (EIGRP)

EIGRP (Enhanced IGRP) is a classless, distance-vector protocol that uses the concept of
an autonomous system to describe a set of contiguous routers that run the same routing
protocol and share routing information (The range of values we can use to create an AS
with EIGRP is 1–65535). Unlike RIP, it includes the subnet mask in its route updates
which enables us to use VLSM and permits summarization to be included within the
design of EIGRP networks.

EIGRP has characteristics of both distance-vector and some link-state protocols.

 It doesn’t send link-state packets like OSPF does; but it sends traditional
distance-vector updates.
 It has link-state characteristics as well—it synchronizes network topology
information between neighbors at startup and then sends specific updates only
when topology changes occur.


 It has a default hop count of 100, with a maximum of 255. Hop count in EIGRP
shows how many routers an EIGRP route update packet can go through before it
will be discarded, which limits the size of the autonomous system (AS).

Configuring EIGRP:

There are two modes for entering EIGRP commands: router configuration mode and interface
configuration mode.
 In router configuration mode - enable the protocol, determine which networks will run
EIGRP, and set global factors.
 In interface configuration mode - customize summaries and bandwidth.

To initiate an EIGRP session, use the router eigrp command followed by our network’s AS
number. After that, enter the specific numbers of the networks that we want to connect to the
router using the network command followed by the network number.

Example:
gubryeCampus:
Enable the EIGRP routing protocol with an autonomous system number of 40. The wildcard masks match the subnet sizes used for these networks elsewhere in this chapter.
gubryeCampus(config)#router eigrp 40
gubryeCampus(config-router)#network 192.168.0.0 0.0.0.63
gubryeCampus(config-router)#network 10.10.194.0 0.0.0.255
gubryeCampus(config-router)#network 172.16.40.0 0.0.0.31
gubryeCampus(config-router)#no auto-summary

The wildcard mask only controls which interfaces are placed into the EIGRP process. When every
interface in the classful network should run EIGRP, the mask can be omitted and the classful
network entered on its own, as on the other two routers below.

wolkiteCampus:
wolkiteCampus(config)#router eigrp 40
wolkiteCampus(config-router)#network 192.168.0.0
wolkiteCampus(config-router)#network 10.10.160.0


wolkiteCampus(config-router)#network 172.16.30.0
wolkiteCampus(config-router)#no auto-summary

butajiraCampus:
butajiraCampus(config)#router eigrp 40
butajiraCampus(config-router)#network 172.16.30.0
butajiraCampus(config-router)#network 172.16.40.0
butajiraCampus(config-router)#network 10.10.150.0
butajiraCampus(config-router)#no auto-summary

4.4.3. Open Shortest Path First (OSPF)

OSPF is an open standard routing protocol that’s been implemented by a wide variety of network
vendors. OSPF is flexible and popular because of its open standard characteristics.

OSPF converges quickly. Two further advantages OSPF offers are:
 It supports multiple, equal-cost routes to the same destination
 Like EIGRP, it supports both IPv4 and IPv6 (as OSPFv2 and OSPFv3 respectively).
In general:
 Allows for the creation of areas and autonomous systems
 Minimizes routing update traffic
 Is highly flexible, versatile, and scalable
 Supports VLSM/CIDR (Variable Length Subnet Masking/ Classless Inter-Domain
Routing)
 Offers an unlimited hop count
 Is open standard and supports multi-vendor deployment

Configuring OSPF:

Single-area OSPF configuration:


The easiest and also least scalable way to configure OSPF is to just use a single area.
Doing this requires a minimum of two commands.
1. The first command used to activate/enable the OSPF routing process is as
follows:

wkuRouter(config)#router ospf 2

The number is a value in the range from 1 to 65,535 that identifies the OSPF process ID
which is needed to identify a unique instance of an OSPF database and is locally
significant.

Different OSPF routers don’t have to use the same process ID to communicate. More
than one OSPF process can run simultaneously on the same router but, they will
maintain an entirely separate copy of their topology table and manage their
communications independently.

2. The second command identifies the interfaces you want to activate OSPF on as
well as the area in which it resides using the network command.

wkuRouter(config-router)#network 172.16.40.0 0.0.0.255 area 0

The areas can be any number from 0 to 4.2 billion, which is quite different from the
process ID, which ranges from 1 to 65,535. OSPF routers will become neighbors only if
their interfaces share a network that’s configured to belong to the same area number.
The format of the area number is either a decimal value from the range 0 to
4,294,967,295 or a value represented in standard dotted-decimal notation. For
example, area 0.0.0.0 is a legitimate area and is identical to area 0.

Example: To configure the network shown below with OSPF


Figure: Sample Network for OSPF Routing


gubryeCampus:

The command below is always worth running first to verify exactly which networks you are
directly connected to (it is a privileged EXEC command, so run it before entering configuration
mode):

gubryeCampus#show ip interface brief

Enable the OSPF routing protocol with a process ID of 2 and place the directly connected networks
in area 0 (the wildcard masks reflect the actual subnet sizes):

gubryeCampus(config)#router ospf 2
gubryeCampus(config-router)#network 192.168.0.0 0.0.0.63 area 0
gubryeCampus(config-router)#network 10.10.194.0 0.0.0.255 area 0
gubryeCampus(config-router)#network 172.16.40.0 0.0.0.31 area 0

wolkiteCampus:

Again, verify the directly connected networks first:

wolkiteCampus#show ip interface brief


wolkiteCampus(config)#router ospf 2
wolkiteCampus(config-router)#network 192.168.0.0 0.0.0.63 area 0
wolkiteCampus(config-router)#network 10.10.160.0 0.0.0.255 area 0
wolkiteCampus(config-router)#network 172.16.30.0 0.0.0.15 area 0

butajiraCampus:

Again, verify the directly connected networks first:

butajiraCampus#show ip interface brief


butajiraCampus(config)#router ospf 2
butajiraCampus(config-router)#network 172.16.30.0 0.0.0.15 area 0
butajiraCampus(config-router)#network 172.16.40.0 0.0.0.31 area 0
butajiraCampus(config-router)#network 10.10.150.0 0.0.0.255 area 0

The Gubrye Campus router is connected to the Internet off of S0/0/0. Therefore, we’ll
create a default route towards this Internet and then tell the other routers that this is the
route they’ll use to get to the Internet.

gubryeCampus#config t
gubryeCampus(config)#ip route 0.0.0.0 0.0.0.0 S0/0/0
gubryeCampus(config)#router ospf 2
gubryeCampus(config-router)#default-information originate

4.5.Dynamic Host Configuration Protocol (DHCP)

DHCP enables clients on a network to obtain IP addresses and other information dynamically from
a DHCP server when they connect to the network. It automates the assignment of IP addresses,
subnet masks, default gateways and other IP networking parameters.

The client contacts the DHCP server and requests an IP address. The DHCP server chooses an
address from a configured range of addresses called a pool and assigns it to the client for a set
period (the lease time).


When a DHCP-enabled client boots up or connects to the network, it broadcasts a DHCP DISCOVER
packet to find any available DHCP servers. A DHCP server replies with a DHCP OFFER, a lease
offer containing an IP address, subnet mask, DNS server and default gateway as well as the
duration of the lease; the client accepts with a DHCP REQUEST and the server confirms with a DHCP ACK.

DHCP-distributed addresses are not permanently assigned to hosts but are only leased for a
period of time. If the host is powered down or taken off the network, the address is returned to
the pool for reuse.

DHCP configuration on the Wolkite campus router:

Exclude the addresses that must not be handed out from the pool (here 10.10.194.1 to
10.10.194.50, reserved for the gateway, DNS server and other statically addressed devices):


wolkiteCampus(config)#ip dhcp excluded-address 10.10.194.1 10.10.194.50
wolkiteCampus(config)#ip dhcp pool wku
wolkiteCampus(dhcp-config)#network 10.10.194.0 255.255.255.0
wolkiteCampus(dhcp-config)#dns-server 10.10.194.1
wolkiteCampus(dhcp-config)#default-router 10.10.194.1

4.6.Network Address Translation (NAT) and Port Address Translation (PAT)

Network Address Translation (NAT) slows the depletion of the available IPv4 address space by
allowing many private IP addresses to be represented by a much smaller number of public IP
addresses.

It is also a useful tool for network migrations and mergers, server load sharing, and creating
“virtual servers”.

NAT reduces the number of public IP addresses an organization needs, and it lets two companies
with duplicate internal addressing schemes interconnect. NAT is also a great tool when an
organization changes its Internet service provider (ISP) but the network manager wants to avoid
renumbering the internal address scheme.

Generally, NAT is important when:-


 When you need to connect to the Internet while the hosts don’t have public IP addresses.
 When you’ve changed to a new ISP that requires you to change the IP of your network.
 When you need to merge two intranets with duplicate addresses.

Types of Network Address Translation

There are three types of NAT:

Static NAT (one-to-one): a fixed one-to-one mapping between a local and a global address. It
requires one public IP address for every host that is translated, so it is used mainly for servers
that must be reachable from outside.

Dynamic NAT (many-to-many): maps an unregistered (private) IP address to a registered (public)
IP address taken from a pool of registered addresses. While a host is translated it holds one pool
address exclusively.

Overloading (many-to-one): the most common form of NAT. Overloading is a form of dynamic NAT
that maps multiple unregistered IP addresses to a single registered IP address by giving each
translation a distinct source port. It is also known as Port Address Translation (PAT) or NAT
overload. PAT lets thousands of users connect to the Internet through only one real global IP
address, and it is the main reason IPv4 address exhaustion has not stopped the Internet from
growing.

NAT names:
 Inside local - The address of a source host on the inside network before translation (usually
a private address).
 Inside global - The address that represents the inside host after translation, on the Internet
side; it is taken from the NAT pool or is the address of the router interface facing the ISP.
 Outside local - The address of an outside host as it appears to the inside network. Unless
outside addresses are also translated, it is the same as the outside global address.
 Outside global - The real Internet address of the outside destination host.


How NAT is working?

In the table shown below, we can see hosts, on the left, sending an Internet-bound
packet to the routers, on the right side, configured with NAT. The router identifies the
source IP address as an inside local IP address destined for an outside network,
translates the source IP address in the packet, and documents the translation in the
NAT table.

Packets are sent to the outside interface with the new translated source address.
External hosts return the packet to the destination hosts and the NAT router translates
the inside global IP address back to the inside local IP address using the NAT table.

With PAT, all inside hosts get translated to one single IP address, hence the term
overloading.

Simple NAT table (one inside global address per inside host):

 Inside Local     Inside Global
 10.10.194.1      202.10.2.1
 10.10.160.1      202.10.4.1
 10.10.150.1      202.10.6.2
 172.16.30.1      202.10.8.2
 172.16.40.1      202.10.10.1

NAT table with overloading (PAT): every inside host shares 202.10.2.1 and is told apart by port:

 Inside Local        Inside Global
 10.10.194.1:1030    202.10.2.1:1030
 10.10.160.1:1031    202.10.2.1:1031
 10.10.150.1:1032    202.10.2.1:1032
 172.16.30.1:1033    202.10.2.1:1033
 172.16.40.1:1034    202.10.2.1:1034

NAT Configuration:


Static NAT Configuration:

First, configure a static translation between the inside local IP address 10.10.194.1 and the
inside global IP address 202.10.2.1.

gubryeCampus(config)#ip nat inside source static 10.10.194.1 202.10.2.1


Next, identify interfaces as the inside interface and the outside interfaces.
gubryeCampus(config)#interface gigabitEthernet 0/0
gubryeCampus(config-if)#ip nat inside
gubryeCampus(config)# interface S0/0/0
gubryeCampus(config-if)# ip nat outside

Dynamic NAT Configuration


Dynamic NAT means we have a pool of addresses that we’ll use to provide real IP
addresses to a group of users on the inside. Because we don’t use port numbers, we must
have real IP addresses for every user who’s trying to get outside the local network
simultaneously.


 Create an access list that select or designate interesting traffic. When interesting
traffic has been matched with the access list, it’s pulled into the NAT process to be
translated.
gubryeCampus(config)#access-list 10 permit 10.10.194.0 0.0.0.255

 Create a pool of addresses that will be distributed to the specific hosts that require
global addresses.
gubryeCampus(config)#ip nat pool wku 202.10.2.1 202.10.2.254 netmask 255.255.255.0

 Tell the router to translate IP addresses that match access-list 10 to an address found
in the IP NAT pool named wku.
gubryeCampus(config)#ip nat inside source list 10 pool wku
gubryeCampus(config)#interface gigabitEthernet 0/0
gubryeCampus(config-if)#ip nat inside
gubryeCampus(config)#interface S0/0/0
gubryeCampus(config-if)#ip nat outside

PAT (Overloading) Configuration

This is the typical form of NAT that we would use today. It’s actually now rare to use
static or dynamic NAT unless it is for something like statically mapping a server. PAT
will overload one public/global IP to many local/private ip addresses.

Example:
gubryeCampus(config)#access-list 10 permit 10.10.194.0 0.0.0.255
gubryeCampus(config)#ip nat pool wku 202.10.2.1 202.10.2.1 netmask 255.255.255.0
gubryeCampus(config)#ip nat inside source list 10 pool wku overload
gubryeCampus(config)#interface gigabitEthernet 0/0
gubryeCampus(config-if)#ip nat inside
gubryeCampus(config)#interface S0/0/0
gubryeCampus(config-if)#ip nat outside
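To make the difference between the dynamic and overload configurations concrete, the Python model below (an added example, not the course’s material or Cisco’s implementation) keeps a translation table for an inside network that plays the role of access-list 10 and translates constructed flows outbound and back. In dynamic mode each inside host takes one pool address exclusively, so a two-address pool is exhausted by the third host; in overload (PAT) mode all hosts share one address and, like the table shown above, keep their original source port unless another host already holds it, in which case a new port is allocated. Unsolicited inbound packets with no table entry are dropped. The pool address and inside network are the ones used in the examples above; the outside hosts use documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    """overload=False: dynamic NAT, one pool address per inside host. overload=True: PAT, one address, many ports."""

    def __init__(self, pool: List[str], overload: bool, inside_network: str) -> None:
        self.pool = list(pool)
        self.overload = overload
        self.inside = ipaddress.IPv4Network(inside_network)    # plays the role of access-list 10
        self.table: Dict[Endpoint, Endpoint] = {}              # inside local -> inside global
        self.reverse: Dict[Endpoint, Endpoint] = {}            # inside global -> inside local
        self.next_port = 1024

    def _pat_global(self, src_port: int) -> Endpoint:
        # Keep the host's own source port when it is free on the shared address, as in the table above;
        # when another host already holds it, hand out the next unused port instead.
        addr = self.pool[0]
        if (addr, src_port) not in self.reverse:
            return (addr, src_port)
        while (addr, self.next_port) in self.reverse:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return (addr, port)

    def _dynamic_global(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        # A host that already holds a pool address keeps it for all its ports; otherwise take a free address.
        for (ip, _), (gaddr, _) in self.table.items():
            if ip == src_ip:
                return (gaddr, src_port)
        in_use = {gaddr for gaddr, _ in self.table.values()}
        free = [a for a in self.pool if a not in in_use]
        return (free[0], src_port) if free else None           # None: pool exhausted, packet dropped

    def translate_outbound(self, f: Flow) -> Optional[Flow]:
        """Inside -> outside: rewrite the source; traffic not matched by the inside network passes untranslated."""
        if ipaddress.IPv4Address(f.src_ip) not in self.inside:
            return f
        local: Endpoint = (f.src_ip, f.src_port)
        if local not in self.table:
            glob = self._pat_global(f.src_port) if self.overload else self._dynamic_global(f.src_ip, f.src_port)
            if glob is None:
                return None
            self.table[local] = glob
            self.reverse[glob] = local
        gaddr, gport = self.table[local]
        return Flow(gaddr, gport, f.dst_ip, f.dst_port)

    def translate_inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: the destination (inside global) is mapped back; no table entry means drop."""
        local = self.reverse.get((f.dst_ip, f.dst_port))
        if local is None:
            return None
        return Flow(f.src_ip, f.src_port, local[0], local[1])


if __name__ == "__main__":
    # PAT as configured above: pool wku is the single address 202.10.2.1; inside network from access-list 10.
    pat = NatBox(["202.10.2.1"], overload=True, inside_network="10.10.194.0/24")
    # Two constructed inside hosts that both pick source port 1030 towards a documentation address.
    a = pat.translate_outbound(Flow("10.10.194.1", 1030, "198.51.100.10", 80))
    b = pat.translate_outbound(Flow("10.10.194.2", 1030, "198.51.100.10", 443))
    print("PAT:", a, b)
    print("reply to b ->", pat.translate_inbound(Flow("198.51.100.10", 443, "202.10.2.1", b.src_port)))
    print("unsolicited ->", pat.translate_inbound(Flow("203.0.113.7", 5555, "202.10.2.1", 60000)))
    # Dynamic NAT with a deliberately small two-address pool to show exhaustion.
    dyn = NatBox(["202.10.2.1", "202.10.2.2"], overload=False, inside_network="10.10.194.0/24")
    for host in ("10.10.194.1", "10.10.194.2", "10.10.194.3"):
        print("dynamic:", host, "->", dyn.translate_outbound(Flow(host, 1030, "198.51.100.10", 80)))
```

The model has no timeouts; a router ages translations out of its table, which is what eventually frees the pool addresses in the dynamic case.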


4.7.Point-to-Point Protocol (PPP)

PPP is a Data Link layer protocol that can be used over either asynchronous serial (dial-
up) or synchronous serial media. It relies on Link Control Protocol (LCP) to build and
maintain data-link connections. Network Control Protocol (NCP) enables multiple
Network layer protocols (routed protocols) to be used on a point-to-point connection.

The basic purpose of PPP is to transport layer 3 packets across a Data Link layer point-
to-point link, and it’s nonproprietary. In addition, since PPP can encapsulate several
layer 3 routed protocols and provide authentication, dynamic addressing, and callback,
PPP could actually be the best encapsulation solution.

PPP contains four main components:

 EIA/TIA-232-C, V.24, V.35 and ISDN - Physical layer international standards for serial
communication.
 HDLC - A method for encapsulating datagrams over serial links.
 LCP - A method of establishing, configuring, maintaining and terminating the
point-to-point connection. It also provides features such as authentication.
 NCP - A method of establishing and configuring different Network layer protocols for
transport across the PPP link. NCP allows the simultaneous use of multiple Network layer
protocols, each with its own control protocol, such as the Internet Protocol Control
Protocol (IPCP).

There are three phases of session establishment when PPP connections are started.
These are:-


 Link-establishment phase - Each PPP device sends LCP packets to configure and test the
link. These packets contain a Configuration Option field that lets each device negotiate the
size of the data frames, compression and authentication.
 Authentication phase - Either CHAP or PAP can be used to authenticate the link.
Authentication takes place before any Network layer protocol information is processed.
 Network layer protocol phase - PPP uses the Network Control Protocol (NCP) to allow
multiple Network layer protocols to be encapsulated and sent over the PPP data link.

PPP Authentication Methods

There are two methods of authentication that can be used with PPP links:
Password Authentication Protocol (PAP) - The less secure of the two methods. The username and
password are sent in clear text, and PAP runs only once, when the link is first established: the
remote node keeps sending the username and password to the authenticating router until
authentication is acknowledged or the connection is terminated.

Challenge Handshake Authentication Protocol (CHAP) - Used at the initial startup of the link
and at periodic intervals afterwards to confirm that the router is still communicating with the
same peer. The authenticator sends a random challenge and the peer returns a hash of the
challenge and the shared password, so the password itself never crosses the link. CHAP therefore
authenticates at the beginning of the session and periodically throughout the session.

Configuring PPP
gubryeCampus#config t
gubryeCampus(config)#int S0/0/0
gubryeCampus(config-if)#encapsulation ppp

PPP encapsulation has to be enabled on both interfaces connected to the serial line in order to
work.


After configuring the serial interface to support PPP encapsulation, then configure
authentication using PPP between routers.

Set the hostname of the router:

gubryeCampus(config)#hostname wku
wku(config)#

Then set the username and password for the remote router that will be connecting to
your router:

wku(config)#username teleRouter password cisco

• The username is the hostname of the remote router that's connecting to your router.
• The password on both routers must be the same.
• A username and password must be configured for each remote system.

Choose either CHAP or PAP as the authentication method:

wku(config)#interface s0/0/0
wku(config-if)#ppp authentication chap pap

• The second method acts as a backup in case the first method fails. Because the
peer may decline CHAP and fall back to PAP, which sends the password in clear
text, list chap alone where both ends support it.

4.8. Frame Relay

Frame Relay is a packet-switched technology and has been one of the most popular WAN
services deployed over the past decade. It is classified as a non-broadcast multi-access
(NBMA) network, meaning it doesn't send broadcasts such as RIP updates across
the network. Leased-line networks are easy to conceptualize, but Frame Relay is
substantially more complex and versatile, which is why it's often represented as a
"cloud" in networking diagrams.

If you had to add many remote sites accessed from one corporate office and had only
one free serial port on your router, Frame Relay comes to the rescue. But you will have a
single point of failure, which is not so good; Frame Relay is used to save money, not
to make a network more resilient.

Frame Relay Encapsulation Types:

When configuring Frame Relay on Cisco routers, you need to specify it as the
encapsulation on the serial interface. HDLC or PPP can't be used together with Frame
Relay on the same interface; when configuring Frame Relay, specify an encapsulation
of Frame Relay.

There are two encapsulation types: Cisco and IETF (Internet Engineering Task Force).
Cisco is the default encapsulation unless you manually type in ietf.

• Cisco encapsulation is used when connecting two Cisco devices.
• IETF encapsulation is needed to connect a Cisco device to a non-Cisco
device with Frame Relay.
• Make sure the Frame Relay encapsulation is the same on both ends.

Virtual Circuits

Frame Relay operates using virtual circuits as opposed to the physical circuits that leased
lines use. These virtual circuits link the thousands of devices connected to the provider's
"cloud" together.

Frame Relay provides a virtual circuit between two DTE devices, making them appear to
be connected by a dedicated circuit while they are actually connected through a large,
shared infrastructure.

There are two types of virtual circuits - permanent and switched.

• Permanent virtual circuits (PVCs) - The provider creates the mappings, and as long as
you pay the bill, they remain in place.
• Switched virtual circuits (SVCs) - The virtual circuit is established when data needs to
be transmitted, and then it's taken down when the data transfer is complete.

Data Link Connection Identifiers (DLCIs):

Frame Relay PVCs are identified to DTE end devices by Data Link Connection
Identifiers (DLCIs).

A Frame Relay service provider typically assigns DLCI values, which are used on Frame
Relay interfaces to distinguish between different virtual circuits. Because many virtual
circuits can be terminated on one multipoint Frame Relay interface, many DLCIs are
often associated with it.

Inverse ARP runs on a Frame Relay router and maps each DLCI to the IP address at the
other end of the PVC, so the router knows how to reach that address. The IP-to-DLCI
mappings can be seen with the show frame-relay map command.

CorporateR(config)#interface s0/0/0
CorporateR(config-if)#encapsulation frame-relay cisco
CorporateR(config-if)#frame-relay lmi-type ansi
CorporateR(config-if)#frame-relay interface-dlci 16

4.9. Router on a stick (will be covered under Chapter 4)

Router on a stick (ROAS): Instead of using one router interface for each VLAN, a
single interface runs ISL or 802.1Q trunking. This allows all VLANs to communicate
through one interface, so a single router interface connects all VLANs together for
inter-VLAN communication.

Fig.: Router on a stick.

4. Switches

7.1. Switch basic configuration

Layer 2 switches and bridges are faster than routers because they don't take time looking at the
network layer header information. They only look at the frame's hardware addresses before
deciding to either forward, flood, or drop the frame.
Unlike hubs, switches create private, dedicated collision domains and provide independent
bandwidth on each port.
Layer 2 switching is efficient because:
• No modification to the data packet takes place.
• Breaking up collision domains - one can create more network segments than in traditional
routed networks.
• Bandwidth increases for each user, because each connection, or interface, is its own self-
contained collision domain.
Layer 2 Switch Functions
• Address learning - Switches remember the source hardware address of each frame received
on an interface and enter it into a MAC database called the forward/filter table.
• Forward/filter decisions - When a frame is received on an interface, the switch looks at
the destination hardware address and forwards the frame out of the correct destination port by
looking the address up in the MAC database.
• Loop avoidance - If multiple connections between switches are created for redundancy
purposes, network loops can occur. Spanning Tree Protocol (STP) is used to prevent
network loops while still permitting redundancy.

7.2. Content Addressable Memory (CAM) table / MAC forward/filter table

• When a switch is first powered on, the MAC forward/filter table (CAM) is empty.
• When a device transmits and an interface receives a frame, the switch places the frame's
source address in the MAC forward/filter table. The switch then sends the frame out of
every port except the source port because it has no idea where the destination device is
actually located.
• If the destination device replies and sends a frame back, the switch takes the
source address from that frame and places that MAC address in its database. It also
associates this address with the port that received the frame.
• Now the switch won't flood the frame; it will only be forwarded between these two
devices.

Forward/Filter Decisions:

• When a frame arrives at a switch interface, the destination hardware address is compared
to the forward/filter MAC database. If the destination hardware address is listed in the
database, the frame is only sent out of the appropriate exit interface.
• If the destination hardware address isn't listed in the MAC database, then the frame will
be flooded out all active interfaces except the interface it was received on. If a device
answers the flooded frame, the MAC database is then updated with the device's location.
• If a broadcast is sent on the LAN, the switch will flood the frame out all active ports
except the source port.

7.3. Port security

Port security is used to prevent someone from simply plugging a host into one of your switch
ports or, worse, adding a hub, switch, or access point to the Ethernet jack in their office.

Port security can limit the number of MAC addresses that can be assigned dynamically to a
port and set penalties for users who violate the policy.

You can configure the device to take one of the following actions when a security violation
occurs by using the switchport port-security violation command.

• Protect: This mode drops packets with unknown source addresses until you remove
enough secure MAC addresses to drop below the maximum value.
• Restrict: Drops packets with unknown source addresses until you remove enough secure
MAC addresses to drop below the maximum value. It also generates a log message,
causes the security violation counter to increment, and sends an SNMP trap.
• Shutdown: Shuts down the port (error-disabled), generates a log message, sends an SNMP
trap, and increments the violation counter. This is the default violation mode.

Configuring port security:

Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security ?
aging - Port-security aging commands
mac-address - Secure mac address
maximum - Max secure addresses
violation - Security violation mode
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address sticky

Port security must be enabled on the interface with the plain switchport port-security
command before the maximum, violation and sticky settings take effect.

Sticky - Provides static MAC address security without having to type in absolutely everyone's
MAC address on the network: the first addresses learned on the port (up to the maximum) are
kept as secure addresses.

When more than one device legitimately shares a port, raise the maximum rather than
disabling port security:

Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown
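The CAM-table behaviour described in 7.2 and the three violation modes above can be exercised in a small simulation. The Python class below is an added example, not part of these notes or of Cisco IOS; the port names, MAC strings and log text are constructed. It learns source addresses, then floods, filters or forwards each frame, and applies a per-port maximum with protect, restrict and shutdown semantics as described above (sticky persistence across reloads is not modelled).

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy layer 2 switch: MAC learning, forward/filter/flood decisions and
    per-port port security with the three IOS-style violation modes."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}        # forward/filter table: MAC -> port it was learned on
        self.security = {}   # port -> port-security state (secured ports only)
        self.log = []        # what 'restrict'/'shutdown' would send to syslog/SNMP

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode " + violation)
        self.security[port] = {
            "maximum": maximum,
            "violation": violation,
            "secure": set(),        # addresses learned as secure on this port
            "err_disabled": False,
            "violations": 0,
        }

    def _port_security_allows(self, port, src):
        sec = self.security.get(port)
        if sec is None:
            return True                      # unsecured port: anything goes
        if sec["err_disabled"]:
            return False                     # down until an admin recovers it
        if src in sec["secure"]:
            return True
        if len(sec["secure"]) < sec["maximum"]:
            sec["secure"].add(src)           # learn it as a secure address
            return True
        # Limit reached and this MAC is unknown: a security violation.
        mode = sec["violation"]
        if mode == "protect":
            return False                     # silently dropped, no counter, no log
        sec["violations"] += 1
        self.log.append(f"PORT_SECURITY: violation on {port} by {src} ({mode})")
        if mode == "shutdown":
            sec["err_disabled"] = True
        return False

    def _active_ports(self):
        return [p for p in self.ports
                if not self.security.get(p, {}).get("err_disabled", False)]

    def receive_frame(self, in_port, src, dst):
        """Return the list of ports the frame is sent out of (empty = dropped)."""
        if not self._port_security_allows(in_port, src):
            return []
        self.cam[src] = in_port                       # address learning
        if dst != BROADCAST and dst in self.cam:
            out = self.cam[dst]
            return [] if out == in_port else [out]    # filter or forward
        return [p for p in self._active_ports() if p != in_port]  # flood


if __name__ == "__main__":
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    sw.enable_port_security("Fa0/3", maximum=1, violation="shutdown")
    print(sw.receive_frame("Fa0/1", "aa", "bb"))   # unknown destination: flooded
    print(sw.receive_frame("Fa0/3", "cc", "aa"))   # first MAC on Fa0/3: allowed
    print(sw.receive_frame("Fa0/3", "dd", "aa"))   # second MAC: violation, port shut
    print(sw.log)
```

Watch the flood list shrink after the shutdown violation: an error-disabled port no longer receives flooded frames, which is what the switch's behaviour looks like from the other hosts' point of view.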

7.4. VLANs

A virtual LAN is a broadcast domain that is partitioned and isolated in a computer network at
the data link layer. VLANs work by applying tags to network frames and handling these tags in
the networking devices.

A VLAN makes a set of hosts that are physically on a single network appear and function as
if they were split between separate networks. VLANs can keep network applications separate
despite being connected to the same physical network, without requiring multiple sets of
cabling and networking devices to be deployed.

VLANs also allow hosts to be grouped together even if the hosts are not directly connected to
the same network switch.

VLANs simplify network management because:

• Adding, moving, and changing hosts on the network can be achieved easily by just configuring
a port into the appropriate VLAN.
• A group that needs a high level of security can be put into its own VLAN so that users outside
that VLAN can't communicate with the group.
• VLANs can be created independently of the hosts' physical or geographic locations.
• VLANs greatly enhance network security if implemented correctly. VLANs increase the
number of broadcast domains while decreasing their size.

• Broadcast Control

All devices within a VLAN are members of the same broadcast domain and receive all
broadcasts relevant to it. By default, these broadcasts are filtered from all ports on a switch that
aren't members of the same VLAN. This is great because you get all the benefits you would
with a switched design without getting hit with all the problems you'd have if all your users
were in the same broadcast domain.

• Flexibility and Scalability

Layer 2 switches only read frames for filtering because they don't look at the Network layer
protocol, so they forward broadcasts to all ports. VLANs, however, create smaller broadcast
domains at layer 2.
As a result, broadcasts sent out from a node in one VLAN won't be forwarded to ports
configured to belong to a different VLAN. By assigning switch ports or users to VLAN
groups on a switch or on a group of connected switches, we gain the flexibility to
add only the users we want to a broadcast domain, regardless of their physical
location. This contains broadcast storms caused by:
• Faulty network interface cards (NICs)
• Intermediate

The broadcast storm can still happen, but only on the originating VLAN.
When a VLAN gets too big, you can simply create more VLANs to keep the broadcasts from
consuming too much bandwidth.
The fewer users in a VLAN, the fewer users affected by broadcasts.

• Security

In a flat internetwork, security was handled by connecting hubs and switches together with
routers, so it was the router's job to maintain security. This arrangement is ineffective for
several reasons:

• First, anyone connecting to the physical network could access the network resources
located on that particular physical LAN.
• Second, users could easily join a workgroup by just plugging their workstations into the
existing hub.

That's exactly what makes VLANs so useful. If you build them and create multiple broadcast
groups, you still have total control over each port and user. The days when anyone could
just plug a workstation into any switch port and gain access to network resources are history,
because now you control each port and the resources it can access.

VLAN Configuration:

Configuring VLANs is actually pretty easy. It's figuring out which users you want in
each VLAN that is not, and doing that can eat up a lot of your time.
But once you've decided on the number of VLANs you want to create and established which
users you want belonging to each one, it's time to bring your first VLAN into the world.
• VLANs can only be created up to 1001.
• VLAN 1 and VLANs 1002 through 1005 are reserved and cannot be changed, renamed, or deleted.
• VLAN numbers above 1005 are called extended VLANs and won't be saved in the database
unless your switch is set to VLAN Trunking Protocol (VTP) transparent mode.
To configure VLANs on a Cisco Catalyst switch, use the global config vlan command.
To configure VLANs on the ICT switch for four different departments:
ICT(config)#vlan 10
ICT(config-vlan)#name Informatics
ICT(config-vlan)#vlan 20
ICT(config-vlan)#name Engineering
ICT(config-vlan)#vlan 30
ICT(config-vlan)#name Natural
ICT(config-vlan)#vlan 40
ICT(config-vlan)#name ICT

Once the VLANs are created, verify your configuration with the show vlan command.
ICT#show vlan
Assigning Switch Ports to VLANs
You configure a port to belong to a VLAN by assigning a membership mode that specifies the
kind of traffic the port carries plus the number of VLANs it can belong to. You can
configure each port on a switch to be in a specific VLAN (access port) by using the interface
switchport command. You can even configure multiple ports at the same time with the interface
range command.
To configure interface Fa0/1 of the ICT switch for VLAN 40 (this is the port that connects host
devices to the ICT switch):
ICT#config t
ICT(config)#int fa0/1

Tell the switch that this is a nontrunking layer 2 port:

ICT(config-if)#switchport mode access

Assign a VLAN to the port:

ICT(config-if)#switchport access vlan 40
Configuring Trunk Ports

To configure trunking on a port, use the interface command switchport mode trunk:
ICT(config)#int gi0/0
ICT(config-if)#switchport trunk encapsulation dot1q
ICT(config-if)#switchport mode trunk

Defining the Allowed VLANs on a Trunk

Trunk ports send and receive frames from all VLANs by default, and if a frame arrives untagged,
it's placed in the native VLAN (by default VLAN 1, the management VLAN).
To remove a range of VLANs from the trunk, just use the hyphen:
ICT(config-if)#switchport trunk allowed vlan remove 10-20

To set the trunk back to the default, just use this command:

ICT(config-if)#switchport trunk allowed vlan all
7.5. Spanning Tree Protocol (STP)

STP is used to prevent network loops on layer 2 networks of bridges or switches by monitoring
the network to track all links and shut down the redundant ones. STP uses the spanning-tree
algorithm (STA) to first create a topology database and then search out and disable redundant
links.

With STP running, frames are forwarded only on the best, STP-chosen links.

Spanning-Tree Terms:

Root Bridge - The bridge with the lowest, and therefore best, bridge ID. Switches within the STP
network elect a root bridge, which becomes the focal point of the network. On every other
switch, the port with the best path to the root bridge is called the root port.

Non-root bridges - Non-root bridges exchange BPDUs with all the other bridges and update the
STP topology database on all switches. This prevents loops and helps defend against link
failures.

BPDU - A switch compares the parameters in the Bridge Protocol Data Unit (BPDU) that it
sends to a neighbor with the parameters in the BPDUs that it receives from other neighbors.

Bridge ID - The bridge ID is how STP keeps track of all the switches in the network. The bridge
with the lowest bridge ID becomes the root bridge in the network. Once the root bridge is
established, every other switch must determine a single path to it. Most networks benefit from
forcing a specific bridge or switch to be the root bridge by setting its bridge priority lower than
the default value.

Port cost - Determines the best path when multiple links are used between two switches; it is
determined by the bandwidth of a link.

Path cost - A switch may encounter more than one possible path to one or more switches on its
way to the root bridge. All unique paths are analyzed individually, and a path cost is calculated
for each unique path by adding the individual port costs encountered.
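Root-bridge election and path-cost calculation can be worked through in code. The Python below is an added example, not from these notes; it uses the IEEE 802.1D short port costs (10 Mb/s = 100, 100 Mb/s = 19, 1 Gb/s = 4, 10 Gb/s = 2), a constructed five-switch topology with made-up MAC addresses, and a shortest-path search that sums port costs toward the elected root, breaking equal-cost ties on the lower bridge ID of the sending switch as STA does.

```python
import heapq

# IEEE 802.1D short port costs, keyed by link bandwidth in Mb/s.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology: {switch: (priority, MAC)} and [(a, b, Mb/s), ...].
# S3 has had its priority lowered so that it becomes the root on purpose.
SAMPLE_BRIDGES = {
    "S1": (32768, "0000.0000.0002"),
    "S2": (32768, "0000.0000.0001"),
    "S3": (4096, "0000.0000.0003"),
    "S4": (32768, "0000.0000.0004"),
    "S5": (32768, "0000.0000.0005"),
}
SAMPLE_LINKS = [("S1", "S3", 10), ("S1", "S2", 1000), ("S2", "S3", 100),
                ("S5", "S3", 100), ("S4", "S2", 1000), ("S4", "S5", 1000)]


def bridge_id(priority, mac):
    """STP compares the priority first, then the MAC address; lower wins."""
    return (priority, mac.lower())


def elect_root(bridges):
    """Return the name of the switch with the lowest bridge ID."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(bridges, links):
    """Return {switch: (root_path_cost, neighbor_on_root_port)}.
    The root has cost 0 and no root port. Each hop adds the port cost of the
    link it arrives on, which is how STA accumulates path cost in BPDUs."""
    root = elect_root(bridges)
    adj = {name: [] for name in bridges}
    for a, b, mbps in links:
        cost = PORT_COST[mbps]
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                       # stale heap entry
        for neighbor, link_cost in adj[node]:
            candidate = cost + link_cost
            better = (neighbor not in best
                      or candidate < best[neighbor][0]
                      # Equal cost: prefer the lower sender bridge ID.
                      or (candidate == best[neighbor][0]
                          and bridge_id(*bridges[node])
                          < bridge_id(*bridges[best[neighbor][1]])))
            if better:
                best[neighbor] = (candidate, node)
                heapq.heappush(heap, (candidate, neighbor))
    return best


if __name__ == "__main__":
    print("root bridge:", elect_root(SAMPLE_BRIDGES))
    for sw, (cost, via) in sorted(root_path_costs(SAMPLE_BRIDGES, SAMPLE_LINKS).items()):
        print(f"{sw}: root path cost {cost}, root port towards {via}")
```

In the sample, S1 reaches the root more cheaply over two fast links (4 + 19 = 23) than over its direct 10 Mb/s link (100), and S4 has two equal-cost paths and picks the neighbour with the lower bridge ID; removing S3 from the table shows the election falling back to the MAC address when priorities are equal.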

PortFast and BPDU Guard

PortFast
This feature lets a port skip the usual 50 seconds of waiting before it comes up into forwarding
mode while STP converges. Use it only where the devices connected to the port cannot create
a switching loop, since STP's protection is effectively bypassed on that port.

Since the port transitions from blocking to forwarding state immediately, PortFast prevents
hosts from being unable to obtain a DHCP address because of STP's slow
convergence.

PortFast Configuration:

ICT(config-if)#spanning-tree portfast

BPDU Guard

When PortFast is turned on for a switch port, it's a good idea to turn on BPDU Guard as well. If a
switch port that has PortFast enabled receives a BPDU on that port, BPDU Guard places the port
into the error-disabled (shutdown) state, effectively preventing anyone from accidentally
connecting another switch or hub to a switch port configured with PortFast.

BPDU Guard Configuration:

Global configuration (applies to all PortFast-enabled ports):
ICT(config)#spanning-tree portfast bpduguard default
Interface configuration:
S1(config-if)#spanning-tree bpduguard enable
7.6. VLAN Trunking Protocol (VTP)

VLAN Trunking Protocol (VTP) is used to manage all configured VLANs across a switched
internetwork and to maintain consistency throughout that network. VTP allows adding, deleting,
and renaming VLANs, and the information is then propagated to all other switches in the VTP
domain.

Before getting VTP to manage your VLANs across the network, you have to create a VTP server
(all switches default to VTP server mode). All servers that need to share VLAN information
must be in the same domain and must have the same domain name.
Requirements for VTP to communicate VLAN information between switches:
• The VTP version must be set the same.
• The VTP management domain name of both switches must be set the same.
• One of the switches has to be configured as a VTP server.
• Set a VTP password if one is used.
VTP Modes
• VTP Server - This is the default mode for all Catalyst switches. At least one server is
needed in a VTP domain to propagate VLAN information throughout that domain.
• VTP Client - In client mode, switches receive VLAN information from VTP servers and forward
the updates on to other switches, but they cannot create, change, or delete VLANs themselves.

Because the switches in a domain accept whichever VLAN database carries the highest
configuration revision number, set the same VTP password on every switch so that a stray
switch added to the network cannot push its own VLAN list into the domain.

Configuring VTP

ICT#config t
ICT(config)#vtp mode server
ICT(config)#vtp domain wku
ICT(config)#vtp password 123@321
7.7. Inter-VLAN communication

By default, only hosts that are members of the same VLAN can communicate. To change this
and allow inter-VLAN communication, we need a router or a layer 3 switch.

To support ISL or 802.1Q routing on a FastEthernet interface, the router's interface is divided
into logical interfaces (one for each VLAN). These are called sub-interfaces. On a FastEthernet
or Gigabit interface, you set each sub-interface's VLAN with the encapsulation command, as in
the router configuration shown below.

The sub-interface number is only locally significant, so it doesn't matter which sub-interface
numbers are configured on the router.

Since the sub-interface number is used only for administrative purposes, configuring a sub-
interface with the same number as the VLAN is easy to remember. Each VLAN is a separate
subnet.

Upstream routing - a term used to describe the router on a stick. This router provides inter-
VLAN routing, but it can also be used to forward traffic upstream from the switched network to
other parts of the corporate network or the Internet.

WKU router configuration (from the figure):

interface gigabitEthernet 0/0.10
 encapsulation dot1Q 10
 ip address 192.168.0.1 255.255.255.224
interface gigabitEthernet 0/0.20
 encapsulation dot1Q 20
 ip address 192.168.0.33 255.255.255.224
interface gigabitEthernet 0/0.30
 encapsulation dot1Q 30
 ip address 192.168.0.65 255.255.255.224
interface gigabitEthernet 0/0.40
 encapsulation dot1Q 40
 ip address 192.168.0.97 255.255.255.224

The next step is to figure out which subnets are being used. By looking at the router
configuration in the figure, you can see that we're using 192.168.0.0/27 blocks for the VLANs:

• 192.168.0.0/27 for VLAN 10
• 192.168.0.32/27 for VLAN 20
• 192.168.0.64/27 for VLAN 30
• 192.168.0.96/27 for VLAN 40

WKU#config t
WKU(config)#int gi0/0
WKU(config-if)#no shut
WKU(config-if)#int gi0/0.10
WKU(config-subif)#encapsulation dot1Q 10
WKU(config-subif)#ip address 192.168.0.1 255.255.255.224
WKU(config-subif)#int gi0/0.20
WKU(config-subif)#encapsulation dot1Q 20
WKU(config-subif)#ip address 192.168.0.33 255.255.255.224
WKU(config-subif)#int gi0/0.30
WKU(config-subif)#encapsulation dot1Q 30
WKU(config-subif)#ip address 192.168.0.65 255.255.255.224
WKU(config-subif)#int gi0/0.40
WKU(config-subif)#encapsulation dot1Q 40
WKU(config-subif)#ip address 192.168.0.97 255.255.255.224
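The VLAN-to-subnet plan above can be checked and rendered automatically rather than typed by hand. The Python below is an added example, not part of these notes; it takes the four /27 subnets from the figure, verifies they do not overlap (two VLANs sharing address space would defeat the "each VLAN is a separate subnet" rule the router relies on), derives each sub-interface's gateway address and mask, tells you which VLAN a host address belongs to, and renders the sub-interface stanzas. The hostname WKU and the parent interface are the ones used in these notes; the function names are mine.

```python
import ipaddress

# VLAN plan from the router-on-a-stick example in these notes: four /27
# subnets carved from 192.168.0.0/25, one per VLAN.
VLAN_PLAN = {10: "192.168.0.0/27", 20: "192.168.0.32/27",
             30: "192.168.0.64/27", 40: "192.168.0.96/27"}


def carve_subnets(block, prefix):
    """Split an address block into equal subnets of the given prefix length,
    e.g. 192.168.0.0/25 into four /27s (the VLSM step behind the plan)."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=prefix)]


def check_plan(plan):
    """Refuse overlapping subnets; returns True when the plan is clean."""
    nets = sorted((ipaddress.ip_network(s), v) for v, s in plan.items())
    for (a, _), (b, _) in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")
    return True


def gateway_for(subnet):
    """The router sub-interface takes the first usable host address.
    Returns (address, dotted-decimal mask)."""
    net = ipaddress.ip_network(subnet)
    first = next(net.hosts())
    return str(first), str(net.netmask)


def vlan_for_host(plan, ip):
    """Which VLAN (and so which sub-interface) a host address belongs to,
    or None if it is outside every planned subnet."""
    addr = ipaddress.ip_address(ip)
    for vlan, subnet in plan.items():
        if addr in ipaddress.ip_network(subnet):
            return vlan
    return None


def subinterface_config(router, parent, plan):
    """Render IOS sub-interface stanzas for a router-on-a-stick as a list of
    lines, after validating the plan."""
    check_plan(plan)
    lines = [f"hostname {router}", f"interface {parent}", " no shutdown"]
    for vlan in sorted(plan):
        address, mask = gateway_for(plan[vlan])
        lines += [f"interface {parent}.{vlan}",
                  f" encapsulation dot1Q {vlan}",
                  f" ip address {address} {mask}"]
    return lines


if __name__ == "__main__":
    print("\n".join(subinterface_config("WKU", "GigabitEthernet0/0", VLAN_PLAN)))
    print("192.168.0.70 is in VLAN", vlan_for_host(VLAN_PLAN, "192.168.0.70"))
```

The rendered output matches the sub-interface addresses in the figure (.1, .33, .65 and .97 with mask 255.255.255.224), and a host such as 192.168.0.70 is placed in VLAN 30, which is the sub-interface that will route for it.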

To configure the switch's gigabit port 0/0 so that it establishes a trunk link with the router and
provides inter-VLAN communication (the commands can vary slightly depending on what type of
switch you're working with):

ICT#config t
ICT(config)#int gi0/0
ICT(config-if)#switchport mode trunk
ICT(config-if)#switchport trunk allowed vlan all

Next, configure an access port for hosts on one of the ICT switch's FastEthernet ports:
ICT#config t
ICT(config)#int fa0/1
ICT(config-if)#switchport mode access
ICT(config-if)#switchport access vlan 40