Introduction to TCP/IP

Network Protocol

Common Methods of Data Transmission

• Electrical signal transmission is achieved by representing data as electrical pulses on copper wire.
• Optical signals: transmission is achieved by converting the electrical signals into light pulses.
• Wireless signal transmission is achieved by using infrared, microwave, or radio waves through the air.

• UTP (Unshielded Twisted Pair): No shielding, cheaper, more flexible, but less resistant to interference. Used in home and office networks.
• STP (Shielded Twisted Pair): Has shielding to reduce interference, but is more expensive and less flexible. Used in industrial or high-EMI environments.

Types of Fiber Optic Cables

1. Single-Mode Fiber (SMF)
   • Uses a single beam of light (laser).
   • Supports long distances (up to 100+ km).
   • Higher bandwidth but more expensive.
2. Multi-Mode Fiber (MMF)
   • Uses multiple beams of light (LED).
   • Supports shorter distances (up to 2 km).
   • Cheaper but has more signal loss due to modal dispersion

Network Documentation

Network documentation is essential for managing, troubleshooting, and securing a network.

Physical Documentation

Focuses on hardware and cabling layout.

🔹 Includes:

✔ Network topology diagrams (physical)

✔ Rack elevation and cabling layout

✔ Hardware inventory (routers, switches, firewalls)

✔ Power & cooling systems

✅ Used for troubleshooting hardware, expansion planning, and audits.

📌 Logical Documentation

Focuses on data flow and network configurations.

🔹 Includes:

✔ Logical network topology diagrams

✔ IP addressing, VLANs, and routing tables

✔ Security policies and firewall rules

✔ Performance and monitoring reports

✅ Helps in troubleshooting, security management, and network planning.

Bandwidth Vs Throughput

Bandwidth is the capacity of a medium to carry data. Digital bandwidth measures the amount of data that can flow from one place to another in a given amount of time. Bandwidth is typically measured in the number of bits that (theoretically) can be sent across the media in a second. Common bandwidth measurements are as follows:

Thousands of bits per second (Kbps)

Millions of bits per second (Mbps)

Billions of bits per second (Gbps)

Like bandwidth, throughput measures the transfer of bits across the media over a given period. However, due to several factors, throughput does not usually match the specified bandwidth. Many factors influence throughput, including:

• The amount of data being sent and received over the connection.
• The types of data being transmitted.
• The latency is created by the number of network devices encountered between the source and the destination.

Latency refers to the amount of time, including delays, for data to travel from one given point to another.

TCP (Transmission Control Protocol) is a standard protocol that defines how to establish and maintain a network connection through which an application program can exchange data.

The TCP/IP model both defines and references a large collection of protocols that allow computers to communicate.

The name TCP/IP is simply the name of the two most common protocols (TCP and IP) separated by, which means the model refers to the most preferred protocols.

Application Layer: Refers to interfaces between the network and application software. It also includes authentication services.

Note: The application layer does not define the application itself.

Transport Layer: Provides a variety of services between two host computers, including connection establishment and termination, flow control, error recovery, and segmentation of large data blocks into smaller parts for transmission. the two most commonly used transport layer protocols are the Transmission control protocol (TCP) and the user datagram protocol (UDP).

Network: Refers to logical addressing, routing, and path determination.

Data Link: Formats data into frames appropriate for transmission onto some physical medium. Defines rules for when the medium can be used. Defines the means by which to recognize transmission errors.

Physical: Defines the electrical, optical, cabling, connectors, and procedural details required for transmitting bits, represented as some form of energy passing over a physical medium.

Which two TCP header fields are used to confirm receipt of data?

• Sequence Number
• Acknowledge number

How does TCP communicate?

• Three-way handshake.
• SYN, ACK, FIN, RST.
• Windows size (65,535)

The six control bits flags are as follows:

1. SYN: It is used to establish a connection between the hosts.
2. ACK: Acknowledgment flag used in connection establishment and session termination. If the ACK is set to 0, then it means that the data packet does not contain an acknowledgement.
3. PSH: is a control flag used to indicate that the receiving device should deliver the data to the receiving application as soon as possible, rather than buffering it.
4. RST: Reset the connection when an error or timeout occurs.
5. URG: It represents an urgent pointer. If it is set, then the data is processed urgently.
6. FIN: No more data from sender and used in session termination

When the PSH flag is set, it instructs the receiving device to deliver the data immediately to the application layer without waiting for more data to arrive.

Establish TCP Connection:

Terminate TCP connection:

How many exchanges are needed to end both sessions between two hosts?

Four exchanges.

TCP Reliability - Data Loss and Retransmission

The Sequence (SEQ) number and Acknowledge (ACK) number are used together to confirm receipt of the bytes of data contained in the transmitted segments.

• What field is used by the destination host to reassemble segments into the original order? Sequence Number

• What field is used to provide flow control? Window Size

  Flow control is the amount of data that the destination can receive and process reliably.

• Which field in the TCP header indicates the status of the three-way handshake process? control bits
• Network congestion has resulted in the source learning of the loss of TCP segments that were sent to the destination. What is one way that the TCP protocol addresses this?

The source decreases the amount of data that it transmits before it receives an acknowledgement from the destination

The four fields in the UDP header are as follows:

Ports

When a message is delivered using either TCP or UDP, the Protocols and services requested are identified by a port number.

What are well-known ports?

These are standardized ports assigned by IANA (Internet Assigned Numbers Authority) for widely used services and protocols.

• Range: 0 – 1023
• Assigned to common protocols (HTTP, HTTPS, FTP, SSH, DNS, etc.)

💡 DNS uses Both TCP and UDP. DNS uses UDP when clients send requests to a DNS server. However, communication between DNS servers always uses TCP.

💡 POP3: used to retrieve emails from a mail server and delete them from the mail server.
IMAP: used to retrieve emails from a mail server without deleting them on the server.

SMTP: Used by an email client to send emails.

IMAP: used to retrieve emails from a mail server without deleting them on the server.

SMTP: Used by an email client to send emails.

What are registered ports?

These ports are assigned by IANA to specific software applications and services that are not as universal as Well-Known Ports but are still used widely.

• Range: 1024 – 49151
• Used by specific applications (e.g., MySQL, RDP, VoIP services).

Register port used by Both TCP / UDP

What are Dynamic Ports?

Temporary ports are used by client devices for outgoing connections.

• Range: 49152 – 65535
• Not registered with IANA; used randomly for short-lived communication.

What are two characteristics of multicast transmission?

• Multicast transmission can be used by routers to exchange routing information.
• A single packet can be sent to a group of hosts.

Which two OSI model layers have the same functionality as the two layers of the TCP/IP model?

• Network
• Transport

How are port numbers used in the TCP/IP encapsulation process?

If multiple conversations occur that are using the same service, the source port number is used to track the separate conversations.

Both UDP and TCP use port numbers to provide a unique identifier for each conversation. Source port numbers are randomly generated and are used to track different conversations. Destination port numbers identify specific services by using either a default port number for the service or a port number that is assigned manually by a system administrator.

Which category of network components includes wires and cables used in a wired network?

• media

Which three elements do all communication methods have in common? (Choose three.)

• Message source.
• Message Destination.
• Message medium.

What two criteria are used to help select a network medium from various network media?

• The distance the selected medium can successfully carry a signal.
• The environment where the selected medium is to be installed.

Network Troubleshooting

A number of software utility programs are available that can help identify network problems, most of these software are provided by the operating system as a command line interface (CLI).

ping 192.168.1.1 repeat 9999999 = ping 192.167.1.1 -t

ping -t 192.168.1.1

-t refers to continuous ping on Linux, you don’t need -t option.

ping -n 10 192.168.1.1 (windows)
ping -c 10 192.168.1.1 (Linux)

-n and -c refer to a set number of packets, by default, the number of packets is 4 echo packets.

nslookup google.com 8.8.8.8

Query a specific DNS server

nslookup 8.8.8.8

get hostname from IP

netstat -o

Display process IDs

netstat -n

-n option can be used to display IP addresses and port numbers.

netstat -p tcp
netstat -p udp

Show protocol-specific connections

netstat -aon | find "443"

Find a Process Using a Specific Port

netstat -an | find "192.168.1.1"

netstat -ano

We can use more than one option together -a -n -o

Which command can be used on a Windows host to display the routing table?

netstat -r

Which command can be used on a Windows host to display the ARP table?

arp -a

Which command can be used on a Windows host to display the routing table IPv6?

route print

Verifying Network Connectivity

Using and interpreting the output of various testing tools is often the first step in isolating the cause of a network connectivity issue. The ping command can systematically test connectivity by looking for answers to the following questions, in this order:

Seven-Step Troubleshooting Process

Define Problem: Define what the problem is. Problems are usually identified by a sign (e.g., the network is slow or has stopped working). Network issues may appear in many different forms, including alerts from the network management system, console messages, and user complaints. In an organization, problems are typically assigned to network technicians as trouble tickets.

Gather Information: In this step, targets (i.e., hosts, devices) to be investigated must be identified, access to the target devices must be obtained, and information gathered.

Analyze Information: Possible causes must be identified. The gathered information is interpreted and analyzed using network documentation, network baselines, searching organizational knowledge bases, searching the internet, and talking with other technicians.

Eliminate Possible Causes: If multiple causes are identified, then the list must be reduced by progressively eliminating possible causes to eventually identify the most probable cause. Troubleshooting experience is extremely valuable to quickly eliminate causes and identify the most probable cause.

Purpose Hypothesis: When the most probable cause has been identified, a solution must be formulated. At this stage, troubleshooting experience is very valuable when proposing a plan.

Test Hypothesis: Before testing the solution, it is important to assess the impact and urgency of the problem. For instance, could the solution have an adverse effect on other systems or processes? The severity of the problem should be weighed against the impact of the solution. For example, if a critical server or router must be offline for a significant amount of time, it may be better to wait until the end of the workday to implement the fix.

Solve the Problem: When the problem is solved, inform the users and anyone involved in the troubleshooting process that the problem has been resolved. Other IT team members should be informed of the solution. It is important to properly document the cause and solution as this can assist other support technicians to prevent and solve similar problems in the future.

#

Establish a Network Baseline

A baseline is used to establish normal network or system performance to determine the “personality” of a network under normal conditions.

A network baseline should answer the following questions:

• How does the network perform during a normal or average day?
• Where are the most errors occurring?
• What part of the network is most heavily used?
• What part of the network is least used?
• Which devices should be monitored and what alert thresholds should be set?
• Can the network meet the identified policies?

#

Structured Troubleshooting Methods

Bottom-Up

In bottom-up troubleshooting, you start with the physical layer and the physical components of the network.

The disadvantage of the bottom-up troubleshooting approach is that it requires that you check every device and interface on the network until the possible cause of the problem is found.

Top-Down

top-down troubleshooting starts with the end-user applications and moves down through the layers of the OSI model until the cause of the problem has been identified.

Divide-and-Conquer

The network administrator selects a layer and tests in both directions from that layer.

In divide-and-conquer troubleshooting, you start by collecting user experiences of the problem, document the symptoms and then, using that information, make an informed guess as to which OSI layer to start your investigation.

Network Device Documentation

Network Topology and Architectures

SOHO

• Small office/home office (SOHO) LAN, use only Ethernet LAN technology.
• Switch and routes may be combined.

Wan

Private WAN infrastructure: Service providers may offer dedicated point-to-point leased lines, circuit-switched, such as PSTN or ISDN, and packet-switched links, such as Ethernet Wan, ATM, or frame Relay.

Public WAN Infrastructure: Service providers provide Internet access using broadband services such as DLS, cable, and satellite access, broadband connections. Data travelling between corporate sites over the public Wan infrastructure should be protected by using a VPN.

Private WAN: Leased Line

A point-to-point link is used to provide a pre-established WAN communication path from the customer premises to the provider network. Point-to-point Lines are usually leased from a service provider and are called leased lines.

Private Wan: Frame Relay

is a simple layer 2 non-broadcast multi-access(NBMA)

WAN technology is used to interconnect enterprise LANs. A single router interface can be used to connect multiple sites.

Note: old and useless and fast.

Private WAN: Ethernet WAN

Newer Ethernet standards using fiber-optic cables have made Ethernet a reasonable WAN access option. IEEE 1000BASE-LX standard supports fiber-optic cable lengths of 5km, white IEEE 1000BASE-ZX standard supports cable lengths up to 70 Km.

The Ethernet WAN Types:

• Metropolitan Ethernet(MetroE)
• Ethernet over MPLS (EoMPLS) popular
• Virtual Private LAN Service(VPLS)

Note: when you see IEEE it’s purpose of layer 1 or 2 technology , IEEE organization made Layer 1 and layer 2 as a standard

Private WAN: MPLS

• Multiprotocol Label Switching(MPLS) is a multiprotocol high-performance WAN technology that directs data from one router to the next. MPLS is based on short path labels rather than IP network addresses.
• It is multiprotocol, has the ability to carry any payload including IPV4, IPv6, Ethernet, ATM, DSL, and frame relay traffic. It uses labels that tell a router what to do with a packet. The labels identify paths between distant routes rather than endpoints, and while MPLS actually routes IPv4 and IPv6 packets, everything else is switched.
• MPLS can deliver any type of packet between sites. MPLS can encapsulate packets of various network protocols. It supports a wide range of WAN technologies including T-carrier/E-carrier links, Carrier Ethernet, ATM, Frame relay, and DSL.

Note: MPLS is described as layer 2.5.

The MPLS layer lies between layers 2 and 3 of the model ie the Data Link and the Network Layer. That’s why it is also known as the 2.5 layer protocol or “shim” protocol.

The MPLS header is 32 bits.

bookmark

Private WAN: VSAT

• A very small aperture terminal(VSAT) is a solution that creates a private WAN using satellite communications. A VSAT is a small satellite dissimilar to those used for home internet and TV. VSATs create a private WAN while providing connectivity to remote locations.

Public WAN

• DSL, ADSL, or cables
• Wireless(3G/4G, LTE, or WIMAX)
• VPN ( Site to Site VPN)

Introducing Cisco IOS

• User EXEC Mode - This mode has limited capabilities but is useful for basic operations. It allows only a limited number of basic monitoring commands but does not allow the execution of any commands that might change the configuration of the device. The user EXEC mode is identified by the CLI prompt that ends with the > symbol.
• Privileged EXEC Mode - To execute configuration commands, a network administrator must access privileged EXEC mode. Higher configuration modes, like global configuration mode, can only be reached from privileged EXEC mode. The privileged EXEC mode can be identified by the prompt ending with the # symbol.

An uplink port is a switch port designed to connect to another switch, router, or modem for network expansion. Traditionally, uplink ports required straight-through cables to connect to other network devices.

🔹 Common Uses:

• Connecting switch-to-switch (e.g., trunk links).
• Connecting a switch to a router (router-on-a-stick).
• Connecting to an ISP modem or fiber uplink.

🔹 Labeling on Cisco Switches:

• Typically labeled G0/1, G1/1, or GigabitEthernet 1/0/1.

A normal port (also called an access port) is a standard switch port used to connect end devices like PCs, printers, and IP phones.

Rollover Cable: Used for device configuration via the console port.

Crossover Cable: Used for network connections between similar devices (e.g., switch-to-switch, PC-to-PC in older networks)

Note:

• Use the straight cable to connect two different devices.
• Use the crossover cable for connecting two of the same type.

Today, all new devices of different types can be connected through a straight cable

###

RAM: RAM stores running configuration, CDP information, ARP memory, routing table, etc.

NVRAM: This memory stores the system configuration by typing the copy run start command.

FLASH: The FLASH memory is the router's IOS (Internetwork Operating System) memory.

ROM: Stands for Read Only Memory. This memory stores the boot or bootstrap of the system

1. Power supply
2. Fan
3. Protection for WAN (WIC) or high-speed WIC (HWIC) interface card
4. Dynamic synchronous RAM (SDRAM) is used to keep the configuration running and routing tables.
5. Non-volatile RAM (NVRAM) and boot flash memory are used to store the ROMMON boot code and NVRAM data.
6. CPU
7. The connection of the advanced integration module (AIM) downloads functions that demand a lot from the processor, such as encryption from the main CPU.
8. Protection for WAN (WIC) or high-speed WIC (HWIC) interface card

Access to Cisco IOS CLI

Before entering any commands, we need access to the CLI. Here are three options:

• Console - Uses a low-speed serial or USB connection to provide direct connect, out-of-band management access to a Cisco device.
• SSH - Method for remotely accessing a CLI session across an active network interface, including the management interface.
• AUX port - Used for remote management of the router using a dial-up telephone line and modem.
• ‌HTTP/HTTPS - Some routers and switches support web-based management connections, allowing administrators access using HTTP.

💡 To securely configure and monitor a router from a remote location, you use HTTPS to access the router's web-based management interface, ensuring that all transmitted data is encrypted.

In-Band and Out-of-Band Device Management

out-of-band management example:

💡 A terminal server and a console server a hardware or virtual devices used by network and system administrators to provide secure, remote access to the console ports (usually serial ports) of network equipment such as Routers, switches, servers, and firewalls.

Guidelines for OOB Management:

• Provide the highest level of security when using console ports and management interfaces.
• Mitigate the risk of passing insecure management protocols over the production network.

Guidelines for In-Band Management:

• Apply to devices that need to be managed or monitored.
• Use IPsec, SSH, or SSL when possible.
• Decide whether the management channel needs to be open at all times.

WebUI Configuration Example

Cisco IOS-XE routers and Catalyst switches come with a web-based management interface known as the WebUI or web GUI (Graphical User Interface). This tool allows administrators to configure and monitor the device using a web browser, offering a more visual approach to network management.

To configure a Cisco router or switch for WebUI access, you will need a username command configured and some ip http commands. In addition, securing WebUI with an access control list is recommended. For example, the following configuration allows secure WebUI access to R1 through the 192.168.1.1/24 interface by any user on the 192.168.1.0/24 network.

R1(config)# interface GigabitEthernet0/0/1
R1(config-if)# ip address 192.168.1.1 255.255.255.252
R1(config-if)# no shutdown
R1(config)# exit
R1(config)# username admin privilege 15 secret cisco123
R1(config)# no ip http server
R1(config)# ip http secure-server
R1(config)# ip http authentication local
R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# ip http access-class ipv4 10

💡 IOS defines two privilege levels by default: 0 (user mode) and 15 (privileged mode).

Cloud Device Management

Cisco offers two advanced cloud applications that provide comprehensive graphical interfaces: Cisco Catalyst Center (formerly Cisco DNA Center) and Cisco Meraki Dashboard.

• Cisco Catalyst Center: Large, complex networks requiring detailed oversight and control.
• Small to medium-sized businesses or distributed networks.

Console Cabling

💡 Routers and switches have a blue colour cable used to connect to the console port to pc and perform configuration

How to save the Configuration?

💡 Copy running-config startup-config

then enter

---

WR (tab)

enter

Copy running-config startup-config

then enter

WR (tab)

enter

How to remove the saved configuration in NVRAM and reset the router?

💡 write erase

Changing Host Name and adding a banner to Cisco Devices

hostname: change the name of the router example:

hostname ISU-R1

Banner: A simple message shows up when we log in to the router through the terminal.

banner motd $ don’t access to this router without sysadmin permission $

💡 Switch(config)#service password-encryption

The service password-encryption command will encrypt every plaintext password.

Set password to Privilege (global) mode

To set a password to privilege mode, use the commands below:

💡 ISU-R1(config)# enable password [your-password]

When we use show running-configuration command, the password shows as plain text. Use this command to set a secure password

💡 ISU-R1(config)# enable secret [your-password]

To remove a password or a secret, just add no before the command, for example:

no enable password

Set password to User EXEC mode

To set a password for the router, the user should enter the password before the user mode opens and connect the cabling using the commands below:

line con 0 (line port always is zero)

line aux 0 (both console and aux port used to router configuration, aux port working as a backup port when the console port is not working )

line vty 0 4 “vty” (stands for Virtual teletype: it is a virtual line you can virtually configure the router)

Note: 0 4 means 5 connections can be established at the same time.

Router(config)#line console 0

Router(config-line)#password your-password

Router(config-line)#login

When you run this command, it shows the running-config

The console line should show logging, which means a login is required to enter the router and perform configuration

line con 0
password rebar
login
!
line aux 0
!
line vty 0 4
login
!

Set the Username and password account to the router account

If an employee leaves the company, others are required to change the password on all routers. Adding individual user accounts is a better approach to address this issue.

Router(config)#userame your-username secret your-password

Router(config)#line con 0

Router(config-line)#login local //using local databse to check username and password

Virtual login to the router (Telnet)

R1-isu(config)#line vty 0 4

R1-isu(config-line)#password rebar

R1-isu(config-line)#login // if you want to login with only password 
R1-isu(config-line)#login local  // use this command if you want to loing with user and passowrd

After adding a password, you can log in to the router through Telnet

telnet IP-address(router)

Then enter the password and log in to the router

💡 Note: Telnet is less secure because it transfers data as plain text without encryption

R1-isu(config)#no ip domain-lookup

Use the command above when you write a command by mistake, as it takes a lot of time

Translating "ded"...domain server (255.255.255.255)

Virtual login to the router (SSH)

Step 1. Verify SSH support.

Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized.

Step 2. Configure the IP domain.

isu-R1(config)#ip domain-name [Enter Your Domain Name]
isu-R1(config)#ip domain-name ISU-Airport

### Step 3. Generate RSA key pairs.

isu-R1(config)#crypto key generate rsa

After entering the set key length of encryption recommended value is 1024 or 2048

isu-R1(config)#ip ssh version 2 [Version 2 is the newest version of SSH]

###

Step 4. Configure user authentication.

The SSH server can authenticate users locally or use an authentication server.

• Username and password Account

isu-R1(config)#userame your-username secret your-password

### Step 5. Configure the vty lines.

isu-R1(config)#line vty 0 4

isu-R1(config-line)#transport input ssh

with transport input, you can choose which protocol can be used for virtual configuration like telnet, SSH… etc.

R1-isu(config-line)#login local  // use this command if you want to loing with user and passowrd

Change interface speed and Duplex

When we have multiple switches, if we want to change the speed between the switches, use the commands below

For example, we want to change the speed ISU Switch to 10 bits from auto speed

ISUSW#show interfaces status

As you can see, FastEthernet0/5 speed is auto, and duplex by default is auto.

What is a Duplex?

• means the ability to send and receive data or signals between two points.
• Full-duplex all nodes can send and receive data on their port at the same time. The following types of connections can use full duplex: Switch to Switch, Switch to Host, Host to Host
• Half-duplex: When one node sends data and can’t receive data at the same time. The following types of connections can use half duplex: Hub to Hub, Switch to Hub

• Type:10/100baseTx: it means 10 (Mbps) megabit / 100 (Mbps) megabit per second

ISUSW(config-if)#speed 100

When we changed one router's speed to 100 Mbps, nothing happened to the next router because its speed was set to auto by default. However, when we changed the second router's speed from auto to 10 Mbps, an error occurred due to the mismatch in speeds between the two connected lines.

How to change duplex

ISUSW(config-if)#duplex full

EBLSW(config-if)#duplex full

💡 Both switches should have the same duplex setting.

Note: B**y default, duplex is set to auto. However, it's generally recommended to change it to a full duplex for optimal performance.**

Packet Capturing with Wireshark

ARP(Address Resolution Protocol)

is a network protocol used to find out the hardware (MAC) address of a device from an IP address It is used when a device wants to communicate with some other device on a local network (for example on an Ethernet network that requires physical addresses to be known before sending packets).

ARP request packets are sent to the broadcast addresses (FF:FF:FF:FF:FF:FF for the Ethernet broadcasts and 255.255.255.255 for the IP broadcast).

We can track computer requests when the process of releasing and renewing IP addresses occurred.

CMD → ipconfig /release the ipconfig /release

ipconfig /release sends a command to the DHCP server instructing it to dump the network configuration and then deletes the current network configuration for all adapters (IP address, DNS servers, gateway, etc).

/renew will instruct your computer to request a new IP address from the DHCP server as well as DNS, gateway, and whatever other information the DHCP server is set to configure.

MAC Addresses and Basic Switching Concepts

What is an Ethernet Frame?

An Ethernet frame is a data unit used in computer networks to transmit information between devices on a local area network (LAN). It contains the source and destination MAC addresses, payload data, and error-checking information, forming the basic structure for communication in Ethernet networks.

Ethernet protocols define how data is formatted and transmitted over a wired network.

Ethernet is defined by data link layer and physical layer protocols.

Preamble: It helps synchronize the receiving device’s clock with the incoming data.

SDF: marks the end of the preamble and the beginning of the rest of the frame.

Destination MAC: identifies the receiving device.

Source MAC: identifies the sending device.

Type: This indicates the length of the entire Ethernet frame (Usually IPv4 or IPv6).

FCS: Frame check sequence is used to detect errors in a frame.

Which Ethernet frame field indicates the beginning of an Ethernet frame?

Preamble and SFD

What is a MAC Address?

Media Access Control(MAC): the physical address, which uniquely identifies each device on a given network. To communicate between two networked devices, we need two addresses: an IP address and a MAC address**. It is assigned to the NIC** (Network Interface Card) of each device that can be connected to the internet.

It is globally unique: it means two devices cannot have the same MAC address. It is represented in a hexadecimal format on each device, such as 00:0a:95:9d:67:16.

It is 12 digits, 48 bits (6 bytes) long, out of which the first 24 bits(first 6 digits) are used for OUI(Organization Unique Identifier), for example (3C-8B-7F), and 24 bits(second 6 digits) for NIC/vendor-specific.

It works on the data-link layer of the OSI model.

IPV4 → uses ARP protocol to associate the logical address with the MAC Address.

IPV6 → uses ICMPV6 Neighbor Discovery(ND) to associate the logical address with the MAC Address.

Why should the MAC address be unique in the LAN network?

If a LAN network has two or more devices with the same MAC address, that network will not work.

There are two primary addresses assigned to a device on an Ethernet LAN:

• Physical Address (The MAC address) - used for NIC-to-NIC communication on the same Ethernet network.
• Logical Address (the IP address) - used to send the packet from the source device to the destination device. The destination device may be on the same network as the source, or it may be on a remote network.

Destination on the Same network

Layer 2 physical addresses (i.e., Ethernet MAC addresses) are used to deliver the data link frame with the encapsulated IP packet from one NIC to another NIC that is on the same network. If the destination IP address is on the same network, the destination MAC address will be that of the destination device.

Destination on the Remote network

When the destination IP address(IPv4 or IPV6) is on a remote network, the destination MAC address will be the address of the host default gateway(i.e., the router interface).

Routers examine the destination IPv4 address to determine the best path to forward the IPv4 packet. When the router receives the Ethernet frame, it de-encapsulates the Layer 2 information. Using the destination IPv4 address,g it determines the next-hop device and then encapsulates the IPv4 packet in a new data link frame for the outgoing interface.

Along each link in a path, an IP packet is encapsulated in a frame. The frame is specific to the data link technology that is associated with that link, such as Ethernet. If the next-hop device is the final destination, the destination MAC address will be that of the device's Ethernet NIC, as shown in the figure.

Ethernet LAN Switching

An Ethernet switch examines its MAC address table to make a forwarding decision for each frame.

Switch Learning and Forwarding

• Learn Every frame that enters a switch is checked for new information to learn. It does this by examining the source MAC address of the frame and the port number where the frame entered the switch. If the source MAC address does not exist, it is added to the table along with the incoming port number.
• Forwarding If the destination MAC address is a unicast address, the switch will look for a match between the destination MAC address of the frame and an entry in its MAC address table. If the destination MAC address is in the table, it will forward the frame out the specified port. If the destination MAC address is not in the table, the switch will forward the frame out all ports except the incoming port. This is called an unknown unicast.

Which network device has the primary function of sending data to a specific destination based on the information found in the MAC address table?

• switch

Ethernet switches add entries to their MAC address table based on what field of the Ethernet frame?

• source MAC address

When a switch receives an Ethernet frame and the destination MAC address of that frame is not in its MAC address table, the switch will:

• Forward the frame out of all ports except in the incoming port.

What addressing information is recorded by a switch to build its MAC address table?

• The source Layer 2 address of incoming frames

What is one function of a Layer 2 switch?

• Determines which interface is used to forward a frame based on the destination MAC address

Which information does a switch use to keep the MAC address table information current?

• The source MAC address and the incoming port.

What will a host on an Ethernet network do if it receives a frame with a unicast destination MAC address that does not match its own MAC address?

• It will discard the frame.

What kind of frame does a switch flood out of all interfaces except the one it was received on?

• Unknown Unicast

What happens to runt frames received by a Cisco Ethernet switch? • The frame is dropped.

ARP(Address Resolution Protocol)

ARP is a network protocol used to find out the hardware (MAC) address of a device from an IP address ( layer 3 address). It is used when a device wants to communicate with another device on a local network (for example, on an Ethernet network that requires physical addresses to be known before sending packets).

ARP request packets are sent to the broadcast addresses (FF:FF:FF:FF:FF: FF for the Ethernet broadcasts and 255.255.255.255 for the IP broadcasts).

Consists of two messages:

ARP Request is Broadcast = sent to all hosts on the network.

ARP Replay is Unicast = sent only to one host (The host that sent the request).

ARP provides two basic functions:

• Resolving IPv4 addresses to MAC addresses.
• Maintaining a table of IPv4 to MAC address mappings.

The sending device will search its ARP table for a destination IPv4 address and a corresponding MAC address.

• If the packet’s destination IPv4 address is on the same network as the source IPv4 address, the device will search the ARP table for the destination IPv4 address.
• Suppose the destination IPv4 address is on a different network from the source IPv4 address. In that case, the device will search the ARP table for the IPv4 address of the default gateway., It uses the ARP process to determine the MAC address of the default gateway.
• The ARP table temporarily saves (caches) the mapping for the devices on the LAN.
• The packet is dropped if no device responds to the ARP request because a frame cannot be created.
• Entries in the ARP table are time-stamped. If a device does not receive a frame from a particular device before the timestamp expires, the entry for this device is removed from the ARP table.

💡 Note: IPv6 uses a similar process to ARP for IPv4, known as ICMPv6 Neighbor Discovery (ND). IPv6 uses neighbor solicitation and neighbor advertisement messages, similar to IPv4 ARP requests and ARP replies.

On a Cisco router, the show ip arp command is used to display the ARP table

R1# show ip arp

On a Windows PC, the arp –a command is used to display the ARP table

C:∖Users∖PC> arp -a

ARP Security

In some cases, the use of ARP can lead to a potential security risk. A threat actor can use ARP spoofing to perform an ARP poisoning attack. This is a technique used by a threat actor to reply to an ARP request for an IPv4 address that belongs to another device, such as the default gateway, as shown in the figure. The threat actor sends an ARP reply with its own MAC address. The receiver of the ARP reply will add the wrong MAC address to its ARP table and send these packets to the threat actor.

Enterprise-level switches include mitigation techniques known as dynamic ARP inspection (DAI)**.**

We can track computer requests when the process of releasing and renewing IP addresses occurs.

CMD → ipconfig /release the ipconfig /release

ipconfig /release sends a command to the DHCP server instructing it to dump the network configuration and then deletes the current network configuration for all adapters (IP address, DNS servers, gateway, etc).

/renew will instruct your computer to request a new IP address from the DHCP server as well as DNS, gateway, and whatever other information the DHCP server is set to configure.

ARP request packets are sent to the broadcast addresses (FF:FF:FF:FF:FF:FF for the Ethernet broadcasts and 255.255.255.255 for the IP broadcasts).

We can track computer requests when the process of releasing and renewing IP addresses occurs.

CMD → ipconfig /release the ipconfig /release

ipconfig /release sends a command to the DHCP server instructing it to dump the network configuration and then deletes the current network configuration for all adapters (IP address, DNS servers, gateway, etc).

/renew will instruct your computer to request a new IP address from the DHCP server as well as DNS, gateway, and whatever other information the DHCP server is set to configure.

MAC Address Transmission types?

Unicast MAC address:

The Unicast MAC address represents the specific NIC on the network. A Unicast MAC address frame is only sent out to the interface that is assigned to a specific NIC and hence transmitted to the single destination device. If the LSB (least significant bit) of the first octet of an address is set to zero, the frame is meant to reach only one destination NIC.

Multicast MAC Address

Multicast addresses enable the source device to transmit a data frame to multiple devices or NICs. In Layer-2 (Ethernet) Multicast address, the LSB (least significant bit) or the first 3 bytes of the first octet of an address is set to one and reserved for the multicast addresses. The rest 24 bits are used by the device that wants to send the data in a group. The multicast address always starts with the prefix 01-00-5E.

Broadcast MAC address

It represents all devices within a Network. In broadcast MAC address, Ethernet frames with ones in all bits of the Destination address (FF-FF-FF-FF-FF-FF) are known as a broadcast address . All these bits are the reserved addresses for the broadcast. Frames that are destined with MAC address FF-FF-FF-FF-FF-FF will reach every computer belonging to that LAN segment. Hence if a source device wants to send the data to all the devices within a network, it can use the broadcast address as the destination MAC address.

How to find a MAC Address vendor?

Use the website below to find the vendor who creates the NIC card:

bookmark

Practice MAC Address

When we connect two or more devices through a switch and run this command below in the switch

ISUSW1#show mac address-table

As you can see, no MAC address record is found because no data was transmitted over the switch.

After executing the ping command from one PC to another, run the current command on the switch.

Now, all MAC addresses are connected to the switch and visible because the switches have a self-learning feature.

When we have two connected switches, as shown in the images below:

While sending a ping message from one pc to another pc connected to the other switch

Why are there three MAC addresses showing through port FA0/3?

because the MAC addresses of other computers are received by the switch through port 0/3

• Use the command below on your switch device to see the MAC address age

EBLSW#show mac-address-table aging-time

💡 After 300 seconds (5 minutes) of inactivity on the switch, it automatically resets the MAC address table.

• Use the commands below on your switch device to clean the MAC table

Switch#clear mac address-table dynamic

Additionally, we can delete a specific MAC address or interface from incoming frames.

Refer to the exhibit. Host A has sent a packet to host B. What will be the source MAC and IP addresses on the packet when it arrives at host B?

• Source MAC: 00E0.FE91.7799 Source IP: 10.1.1.10

What is CDP?

Cisco Discovery Protocol(CDP) is a network discovery tool that assists network administrators and engineers in identifying neighbouring Cisco devices. CDP is a layer 2 proprietary protocol that is default-enabled on all Cisco devices, including routers and switches.

EBLSW#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone Device ID Local Intrfce Holdtme Capability Platform Port ID ISUSW Fas 0/3 149 S 2960 Fas 0/20

💡 cdp run Enable CDP globally on the device.

cdp enable Enable CDP on a specific interface.

💡 Note: This protocol is exclusive to Cisco products only.

In a CDP environment, what happens when the CDP interface on an adjacent device is configured without an IP address?

• CDP operates normally, but it cannot provide IP address information for that neighbor

What is LLDP?

Link Layer Discovery Protocol (LLDP) is a layer 2 neighbour discovery protocol that allows devices to advertise device information to their directly connected peers/neighbours. It is best practice to enable LLDP globally to standardize network topology across all devices, especially in multi-vendor networks.

💡 ● LLDP is usually globally disabled by default.
● LLDP is also disabled on each interface by default.

Local Interface: the physical port on your switch where the neighbor is connected.

Port ID: the neighbor’s interface identifier (how the neighbor advertises its port).

Refer to the exhibit. The network administrator must prevent the switch Cat9K-2 IP address from being visible in LLDP without disabling the protocol.

Which action must be taken must be taken to complete the task?

A. Configure the no lldp tlv-select-management-address command globally on Cat9K-2 B. Configure the no lldp transmit command on interface G1/0/21 in Cat9K-1 C. Configure the no lldp receive command on interface G1/0/21 on Cat9K-1 D. Configure the no lldp mac-phy-cfg command globally on Cat9K-2

💡 To hide Cat9K‑2’s IP without disabling LLDP, stop advertising the Management Address TLV on the device that’s sending it. On Cat9K‑2: no lldp tlv-select management-address

Introducing IP Addresses

What is an IP Address?

Internet protocol(IP)address: an identifying number that is associated with a specific computer or computer network. When connected to the internet, the IP address allows the computers to send and receive information.

IP Addresses are 32-bit numbers that are typically displayed in dotted decimal notation. A 32-bit address contains two primary parts: The network prefix and the host prefix.

IP Address to Binary

Note: 0-255 includes 256 IP addresses.

Characteristics of IP

• Connectionless: There is no connection with the destination established before sending data packets.
• Best Effort: IP is inherently unreliable because packet delivery is not guaranteed.
• Media Independent: Operation is independent of the medium (e.g., copper, fiber-optic, or wireless) carrying the data.

IP Addresses Classes

💡 The starting IP is called the Network address and is not usable.
The ending IP address is called the broadcast address, which is not usable.

The ending IP address is called the broadcast address, which is not usable.

Network Part

The network part of an IPv4 address is located on the left side. It identifies the specific network to which the address belongs and indicates the IP address class. This portion is crucial for routing and network identification.

For example, we have the IPv4 address 192.168.10.100 and a /24 subnet mask. /24 simply means that the first 24 bits, starting from the left side, are the network portion of the IPv4 address. The 8 remaining bits of the 32 bits will be the host portion.

Host Part

The host portion of the IPv4 address uniquely identifies the device or the interface on your network. Hosts that have the same network portion can communicate with one another directly, without the need for the traffic to be routed.

• Network Portion: Identifies the network to which the IP address belongs.
• Host Portion: Identifies the specific device within that network.

Class A

• 1.0.0.1 to 126.255.255.254(useable address).
• Support 16 million hosts on each of 126 networks.

Class A addresses are for networks with a large number of total hosts.

Class B

• 128.1.0.1 to 191.255.255.254
• Supports 65,000 hots on each of 16,000 networks.

If you use a class B, you can build more networks, but fewer hosts per network.

Class C

• 192.0.1.1 to 223.255.254.254
• Support 254 hosts on each of 2 million networks.

Class D

• 224.0.0.0 to 239.255.255.255.
• Reserved for multicast groups.

When the IP Address Started from 224 to 239

Class E

• 240.0.0.0 to 254.255.255.254
• reserved for future use, or research and development purposes
• This IP class is reserved for experimental purposes only for R&D or study.

How to know the class of an IP address from binary?

• Class A: The first bit always has to be 0.
• Class B: The first 2 bits always have to be 10.
• Class C: The first 3 bits always have to be 110.

Subnet Mask

A subnet mask is a number that defines a range of IP addresses available within a network. A single subnet mask limits the number of Valid IPs for a specific network.

In this Image, three 255s are assigned to the network, and 0 octet is assigned to the host

Gateway

A gateway IP refers to a device on a network that routes local network traffic to other networks. The subnet mask defines the boundary between the network and host portions of an IP address, helping to determine which devices are on the same local network.

Public and Private IP addresses

• Public IP addresses are used on the Internet.
• Private IP addresses are used on your local area network and should not be used on the internet.

These are the Private IP address ranges:

• Class A: 10.0.0.0 – 10.255.255.255
• Class B: 172.16.0.0 – 172.31.255.255
• Class C: 192.168.0.0 – 192.168.255.255

Class A and B networks have a very large number of host addresses, and Class C has very few. Class A networks accounted for 50% of the IPv4 networks. This caused most of the available IPv4 addresses to go unused.

Loopback Address

A loopback address is a special IP address, 127.0.0.1, reserved by InterNIC for use in testing network cards, this IP address responds to the software loopback interface of the network card, which does not have hardware associated with it and does not require a physical connection to a network.

APIPA

Automatic Private IP Addressing(APIPA) is a feature in operating systems ( such as Windows) that enables computers to automatically self-configure an IP address and subnet mask when their DHCP server isn’t reachable. The IP Address range for APIPA is 169.254.0.1 to 169.254.255.254, with the subnet mask of 255.255.0.0

What are two features of IPv4 addresses? (Choose two.)

• IPv4 is a logical addressing scheme.
• An IPv4 addressing scheme is hierarchical.

Assignment of an IP address

Both IPv4 and IPv6 addresses are managed by the Internet Assigned Numbers Authority (IANA){ee·a·nuh}. The IANA manages and allocates blocks of IP addresses to the Regional Internet Registries (RIRs).

RIRs are responsible for allocating IP addresses to ISPs that provide IPv4 blocks to organizations and smaller ISPs.

Regional Internet Registries

Which organization or group of organizations receives IP addresses from IANA and is responsible for allocating these addresses to ISPs and some organizations?

RIRs

Refer to the exhibit. An administrator is troubleshooting connectivity on the office network. PC1 is able to send print jobs to Printer1, but is unable to access File Server1. Which action would correct the problem?

• Change the R1 Fa0/1 interface IP address to 10.231.64.1.
• Change the R1 Fa0/0 interface subnet mask to 255.255.0.0.
• Change the File Server1 IP address to 10.231.96.253.
• Change the PC1 IP address to 10.231.64.115.

Subnet ranges:

• 10.231.64.0 – 10.231.95.255 → Network B
• 10.231.96.0 – 10.231.127.255 → Network A

IP Address Placement

• PC1: 10.231.92.115 — in Network B (10.231.64.0/19) ✅
• Printer1: 10.231.95.252 — also in Network B ✅
• File Server1: 10.231.127.253 — in Network A ✅
• R1 Fa0/1: 10.231.128.1 — ⚠️ This is the problem
• Change the R1 Fa0/1 interface IP address to 10.231.64.1. (correct answer)

Network Segmentation (Basic of Subnetting)

Broadcast Domain: is a collection of network devices that receive broadcast traffic from each other.

Subnetting is the practice of dividing a network into two or more smaller networks. It increases routing efficiency, enhances network security, and reduces the size of the broadcast domain**.**

Routers do not propagate broadcasts. When a router receives a broadcast, it does not forward it out other interfaces. For instance, when R1 receives a broadcast on its Gigabit Ethernet 0/0 interface, it does not forward it out another interface.

Therefore, each router interface connects to a broadcast domain, and broadcasts are only propagated within that specific broadcast domain.

Problems with Large Broadcast Domains

A large broadcast domain is a network that connects many hosts. A problem with a large broadcast domain is that these hosts can generate excessive broadcast traffic, which negatively affects the network.

LAN 1 connects 400 users, which could generate an excessive amount of broadcast traffic. This results in slow network operations due to the significant amount of traffic it can cause, and slow device operations because a device must accept and process each broadcast packet.

The solution is to reduce the size of the network to create smaller broadcast domains in a process called subnetting.

In the figure, the 400 users in LAN 1 with network address 172.16.0.0 /16 have been divided into two subnets of 200 users each: 172.16.0.0 /24 and 172.16.1.0 /24. Broadcasts are only propagated within the smaller broadcast domains. Therefore, a broadcast in LAN 1 would not propagate to LAN 2.

💡 Notice how prefix length has changed from a single /16 network to two /24 networks. This is the basics of subnetting

Reasons for Segmenting Networks

Subnetting reduces overall network traffic and improves network performance. It also enables network administrators to implement security policies such as which subnets are allowed or not allowed to communicate together. Another reason is that it reduces the number of devices affected by abnormal broadcast due to misconfiguration, hardware/software problems, or malicious intent.

Network Administrator can group devices and services into subnets

• Subnetting by Locations

• Subnetting by group or function

• Subnetting by device type

###

Which devices will not forward an IPv4 broadcast packet by default?

• router

Which two situations are the result of excessive broadcast traffic?

• slow device operations
• slow network operations

class A

10.0.0.0/8 (network prefix) meaning 8-bit located for the network ID portion and 24-bits for the host portion

10.0.0.0 255.0.0.0 (subnet mask) — equivalent to writing prefixes.

class B

172.16.0.0/16 (network prefix) meaning 16 bits are located for the network ID portion and 16 bits for the host portion

172.16.0.0 255.255.0.0 (Subnet mask) equivalent to writing prefixes.

192.168.1.0/24 (network prefix) meaning 24-bit located for the network ID portion and 8-bits for the host portion

192.168.1.0 255.255.255.0 (Subnet mask) equivalent to writing prefixes.

Scenarios

Someone tells you to create three different networks for my organization or company

Class C

As you can see, we have created three networks in Class C. The third octet has been changed, and two routes have been added to route data from one network to another.

Note: if we don’t change the third octet, all devices are in the same network.

⚠️ This class includes 254 IP addresses for the host portion, unsuitable for large organizations.

Class B

Class A

Classless(CIDR)

• In the classful addressing method, millions of class A addresses are wasted.
• Many of the class B addresses are wasted.
• Class C is so small that it cannot cater to the needs of organizations.
• Classful networking was replaced by Classless Inter-Domain Routing(CIDR) in 1993

Subnetting

$2^n$=number of required network = total number of subnets

192.168.23.117/24 subnet this IP to 7 subnets

$2^n$=number of the required network

$2^n$(number of remaining bits for a host) - 2 = total hosts in the network.

2_^_3=8 any number but should be greater than 7

Now we borrow three bits from the host portion for the network portion.

128+64+32= 224 new subnet mask 255.255.255.224

The last 1 bit decides how the network is incremented.

In this example, our network incremented by 32 after minus 2 for the network ID and broadcast 14 active IPs for each subnet. 32-2=30

💡 First, write all network IDs, then write broadcast IDs, and then write the first and the last host.
Network ID: T**he last octet is always an even number.**

Broadcast ID: The last octet is always an odd number.

Network ID = incremented by the last bit value as I described.

Broadcast Id = Network ID before -1.

First valid host= Network.id+1.

Last Valid host id = broadcast.id -1

Network ID: T**he last octet is always an even number.**

Broadcast ID: The last octet is always an odd number.

Network ID = incremented by the last bit value as I described.

Broadcast Id = Network ID before -1.

First valid host= Network.id+1.

Last Valid host id = broadcast.id -1

If you would like to give an IP address to 30 hosts from your IP prefix, which subnet mask do you use most effectively?

PC1's IP address is 10.89.107.233/27. What is the network address of its subnet?

## Here are a few super-fast ways:

Quick Formula

• Block size = 256 − mask_octet
• Network = (⌊IP_octet ÷ block⌋ × block)
• Broadcast = Network + block − 1

Given:

• IP = 10.89.107.233/27
• Subnet mask /27 → 255.255.255.224
• Block size = 256 − 224 = 32

Formula:

Network = (⌊octet ÷ block⌋ × block)

• Focus on the last octet (233).
• Divide: 233 ÷ 32 = 7.28…
• Floor = 7
• Multiply: 7 × 32 = 224

Result:

Network address = 10.89.107.224/27 ✅

Broadcast Address

Broadcast = Network + block − 1

Broadcast = 224 + 32 = 256-1 = 255

Broadcast address = 10.89.107.255/27 ✅

Step 1: Understand the /27 Subnet Mask

• A /27 subnet means 27 bits for the network and 5 bits for the hosts.
• The subnet mask is:255.255.255.224
  • 224 in the fourth octet = 11100000 in binary.
• The block size (increment) in the fourth octet is:

$256−224=32$

• This means subnets increase in steps of 32 in the fourth octet.

Step 2: Identify the Network Address

• The fourth octet of 10.89.107.233 is 233.
• Find the X*32 that is ≤ 233: (x32 smaller than 233) $732=224 ≤ 233$
• So, the network address is: 10.89.107.224/27.

Question 2: A host has the IP address 192.168.249.177/28. What is the broadcast address of its subnet?

Step 1: Understand the /28 Subnet Mask

• A /28 subnet means 28 bits for the network and 4 bits for hosts.
• The subnet mask is: 255.255.255.240
• The block size (increment) in the fourth octet is: $256−240=16$
• This means subnets increase in steps of 16 in the fourth octet.

Step 2: Find the Broadcast Address

• The fourth octet of 192.168.249.177 is 177.
• Find the X*16 that is ≥ 177 (x*16 greater than 177):

$12*16 =192 ≥ 177 $

• The broadcast address is one less than the next subnet:
  • 192.168.249.192 - 1 = 192.168.249.191.

Easy way to find network ID (Subnet ID - network ID)

172.25.167.176

255.255.240.0

172.255. .0

3 rules applied to subnet mask

1. If the subnet mask value=255 writes the same IP, for example, 255 above 172.
2. If the subnet mask value=0, just set 0 zero instead of the IP.

3- 256- subnet mask = Network increment

We have three rules for Broadcast

1. 255 → Ip
2. 0 → 255

CCNA SUBNETTING: Find the Valid Host Range for a network

Find a valid Host range 172.130.146.133/19?

Now we need to find the ‌‌Host ID and Broadcast ID

Network ID

For the subnet mask, we chose a smaller number.

Broadcast ID

Differences between FLSM Subnetting and VLSM Subnetting

VLSM Subnetting

In this network: -

• The development department has 74 computers.
• The production department has 52 computers.
• The administration department has 28 computers.
• Departments are connected via the WAN links.
• Each WAN link requires two IP addresses.
• The given address space is 192.168.1.0/24.

VLSM

• Assign the largest at the start of the address space.
• Assign the second-largest subnet after it.
• Repeat the process until all subnets have been assigned.

Subnetting Question

10.10.13.160/29 The subnet mask is 255.255.255.248 (block size 8). That subnet covers 10.10.13.160–10.10.13.167 with usable hosts .161–.166 and .167 as broadcast.

D ✅

Netmask: 0xffffe000 → this hex mask equals 255.255.224.0, i.e. /19.

C ✅

The prefix /32 (mask 255.255.255.255) is a host route—it matches exactly one IP address, here 10.0.1.3. So that entry represents a route to just that single host,

B✅

The destination is the IP of GigabitEthernet0/0/0, which the table shows as the local route:

L 10.10.10.3/32 is directly connected, GigabitEthernet0/0/0

Routing uses the longest prefix match. Between 10.10.10.0/24 and 10.10.10.3/32The/32 host route is more specific, so it’s the destination route. A /32 corresponds to the subnet mask 255.255.255.255. D✅

The destination IP is 172.16.32.8. From the routing table, the matching routes are:

• 172.16.32.0/26
• 172.16.32.0/24
• 172.16.32.0/19

the /26 network. By longest-prefix match, /26 is preferred over /24 and /19

C✅

255.255.255.252 → mask is /30

10.2.1.3 255.255.255.252 → mask is /30 (correct), but .3 in a /30 is the broadcast of the block (.0–.3), so not usable.

D✅

8 floors × 30–40 users = about 320 users total. All users must be in one subnet. Need a subnet that can support at least 320 usable hosts.

2^9 B✅

Each floor needs ≈ 22–29 hosts → choose /27 (255.255.255.224), which gives 30 usable IPs per floor.

Four /27 subnets (4 × 32 addresses) occupy 128 addresses total, which aggregates perfectly into a /25 block.

If you have 4 (subnet) × /27

• 4 (subnet)× 32 (block size) =128 addresses total
• That means the four /27 networks together span 128 consecutive addresses.

The packet is going to: 172.16.3.254

Which network covers 172.16.3.254?

• 172.16.1.33/32 → only 172.16.1.33, does not cover 172.16.3.254.
• 172.16.2.1/32 → only 172.16.2.1, does not cover 172.16.3.254.
• 172.16.2.0/23 → covers 172.16.2.0 – 172.16.3.255, and yes, 172.16.3.254 is inside this range.

B✅

D✅

Group needing 24 hosts →/27 (255.255.255.224)

A and D → 255.255.254.0

• A: 10.70.148.1 /23 → network 10.70.148.0/23, and .1 is the first usable. ✅
• D misaligns a /23 (159 is odd; /23 networks start on even octets: …148.0, 150.0, 152.0, …, 158.0). ❌

Group needing 472 hosts → /23 (255.255.254.0)

D. ip route 10.10.2.1 255.255.255.255 192.168.1.4 100 The administrative distance 100 keeps it preferred over OSPF (110) even if prefix lengths were equal (not needed here, but harmless).

• 10.10.13.0 → 255.255.255.128 ( /25 )
• 10.10.13.128 → 255.255.255.240 ( /28 )
• 10.10.13.160 → 255.255.255.248 ( /29 )
• 10.10.13.252 → 255.255.255.252 ( /30 )

bookmark

bookmark

bookmark

bookmark

IP V6

Intro to IPV6 Address

• 128-bit Addresses are written as 32 hexadecimal digits.
• Digits are arranged into 8 groups of four to improve readability.
• Groups are separated by colons.

Hex:2001:0718:1c01:0016:20d:56ff:fe77:52a3

Why was Hexadecimal used in IPv6?

to create a large amount of unique IP addresses

Zero Suppression

• Zero compression can only be used to compress a single contiguous series of 16-bit blocks expressed in colon hexadecimal notation.
• Zero compression can only be used once in a given address.

Rules

1. If we have equal or more than two groups of 0000 we can change it to:: (The double colon (::) can only be used once within an address, otherwise there would be more than one possible resulting address.) Here is an example of the incorrect use of the double colon: 2001:db8::abcd::1234.
2. Change 0000 to 0 only.
3. Leading zero can be removed. 01ab can be represented as 1ab 00ab can be represented as ab 0a**00 can be represented as a**00

Original:2041:000:140f:0000:0000:0000:875B:131B

short:2041:0000:140F::875B:131B

shorter:2041:0:140F::875B:131B

IPV6 Prefixes

• The prefix is the part of the address that indicates the bits that have fixed values or are the bits of the subnet prefix.
• Prefixes for IPv6 subnets are expressed in the same way as (CIDR) notation for IPv4.
• For example, 21DA:D3::/48 and 21DA:D3:0:2F3b::/64 are IPv6 address prefixes.
• A subnet mask is not used for IPv6; only the prefix length notation is supported.

IPv6 Header

Simpler than IPv4:

• Fixed 40-byte header.
• no checksum → faster processing.

• Loopback IPv6 address: an IPv6 address used on a loopback interface. the IPv6 loopback address is 0:0:0:0:0:0:0:1 which can be notated as ::1/128.
• Unspecified address: an IPv6 unspecified address is 0:0:0:0:0:0:0:0, which can be notated as :::/128

Link-Local

• IPv6 link-local addresses are equivalent to IPv4 link-local addresses(169.254.0.0/16).
• IPv4 link-local addresses are known as automatic private IP addressing (APIPA) addresses for computers running the current Microsoft Windows operating system.
• A Link-local address is required for Neighbor Discovery(NDP) processes and is always automatically configured, even in the absence of all other unicast addresses.

Link-local(EUI-64)

• used only between nodes connected on the same local link.
• When an IPv6 stack is enabled on a node, one link-local address is automatically assigned to each interface of the node at boot time.
• IPv6 link-local prefix FE80::/10 is used, and the interface identifier in Extended Unique Identifier 64 (EUI-65) format is appended as the address's low-order 64-bit.
• Link-local addresses are only for link-local scope and must never be routed between subnets within a site.

There's a challenge with creating the second 64 bits from the MAC address, as MAC addresses are only 48 bits long. To solve this, we insert FFFE in the middle of the MAC address.

Example Calculation:

1. MAC Address: AA:BB:CC:DD:EE:FF
2. Split the MAC Address: AA:BB:CC | DD:EE:FF
3. Insert FFFE: AA:BB:CC:FF:FE:DD:EE:FF
4. Flip the 7th Bit in AA (10101010 → 10101000): A8:BB:CC:FF:FE:DD:EE:FF
5. Final EUI-64 Interface ID: A8BB:CCFF:FEDD:EEFF

Router 2 (config)# interface FastEthernet0/0
Router 2 (config-if)# ipv6 enable
Router 2 (config-if)# ipv6 address autoconfig

Loopback address

• The loopback address(0:0:0:0:0:0:0:1 or ::1) is used to identify a loopback interface, enabling the node to send a packet to itself.
• It is equivalent to the IPv4 loopback address of 127.0.0.1.
• Packets addressed to the loopback address must never be sent on a link or forwarded by an IPv6.

Broadcast

• Broadcast - There are no broadcast addresses in IPv6. Broadcast functionality is implemented using multicast addresses.

Anycast (not very important)

• An Anycast is an address that is assigned to a set of interfaces that typically belong to different nodes. A packet sent to an anycast address is delivered to the closest interface identified by the anycast address.
• Assigning a unicast address to more than one interface makes a unicast address an anycast address.
• Anycast is a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers, though it may be sent to several nodes, all identified by the same destination address. Example: Used in DNS query.

IPv6 Transaction

• Dual-stack: means a device runs both IPv4 and IPv6 at the same time. This allows networks to support both protocols during the transition from IPv4 to IPv6.

In a dual-stack environment, which protocol does a device prefer if both IPv4 and IPv6 are available?

• IPv6 is preferred if available

• Tunneling is a method of transporting an IPv6 packet over an IPv4 network. The IPv6 packet is encapsulated inside an IPv4 packet, similar to other types of data.

• Translation: Network Address Translation 64 (NAT64) allows IPv6-enabled devices to communicate with IPv4-enabled devices using a translation technique similar to NAT for IPv4. An IPv6 packet is translated to an IPv4 packet, and an IPv4 packet is translated to an IPv6 packet.

What is the most important motivating factor for moving to IPv6?

• Depletion of IPv4 addresses.

What is the default route address of IPv6?

• ::/0

Which field in an IPv6 packet is used by the router to determine if a packet has expired and should be dropped?

• Hop Limit

What is the prefix for the host address 2001:DB8:BC15:A:12AB::1/64?

• 2001:DB8:BC15:A

SLAAC (Stateless Address Auto Config):

a method used in IPv6 networks that allows devices to automatically configure their IPv6 addresses without the need for a DHCP server

3ffe:e54d:620a:a87a:f00d is a Global Unicast Address because it starts with 3 , which is part of the 2000::/3 range for globally routable addresses.

An Anycast Address is similar to a unicast address because it is assigned to multiple devices, but traffic sent to this address is delivered to the closest (nearest) device in the group

Anycast Address is similar to a unicast address because it is assigned to multiple devices, but traffic sent to this address is delivered to the closest (nearest) device in the group

The correct prefix length for the IPv6 address would be /128 because it refers to one specific host (the router interface).

Take the MAC of R1’s LAN interface (E0/1 in the figure):

13-19-be-67-00-01 → in hex bytes: 13:19:be:67:00:01.

Split and insert ff:fe

in the middle (that’s how EUI-64 expands 48-bit MAC to 64-bit):

13:19:be + ff:fe + 67:00:01 → 13:19:be:ff:fe:67:00:01.

Flip the U/L bit (the 7th bit) of the first byte:

Resulting interface ID bytes: 11:19:be:ff:fe:67:00:01.

Group into hextets (two bytes each): 1119:beff:fe67:0001 → 1119:beff:fe67:1.

Attach the /64 prefix for R1’s LAN shown in the diagram:

Prefix = 2001:db8:1006:1968::/64.

Final IPv6 address: 2001:db8:1006:1968:1119:BEFF:FE67:1 → option B.

A. ipv6 route 2000::1/128 2012::1

[route loopback through next router IP 2012::1 IP addresses of Se0/0/0 interface]

E. ipv6 route 2000::1/128 2023::3 5 This is a floating static backup via Washington (Washington S0/0/0 = 2023::3) with a higher administrative distance (5).

💡 ipv6 route ::/0 next-hop IPv6 or existing interface.

Answer: A On those two routers, the interface that faces New-York is Serial 0/0/0

The current default route is ND and the syntax [X/Y] shows the administrative distance (X) and the metric (Y). Therefore, the primary default route, learned via Neighbor Discovery (ND), has an administrative distance of 2.

ipv6 route ::/0 2001:db8:1234:2::1 3 Correct [Higher AD for the Backup Route]

Correct: B. 2001:db8:0234:cae3::1/128

• Anycast in IPv6 uses global unicast addresses (/128) that are configured on multiple devices.

VLAN

Collision Domain

A collision domain is a network segment where devices share the same communication medium, and if two devices transmit data at the same time, their signals can collide, causing the transmission to fail and requiring retransmission. It happens only in half-duplex mode.

For example, a hub is one collision domain. If one port stops working, all ports stop working.

Broadcast Domain

When a device sends out a broadcast message, all devices present in its broadcast domain must pay attention to it. This creates a lot of congestion in the network, commonly referred to as LAN congestion, which affects the bandwidth available to users within that network.

In a switch, each port has a collision domain, without affecting other ports. When one port receives data, it broadcasts it to all other ports (which means broadcasting a message to all ports and telling them I have received a packet, for which of you?), then, network engineers decided to separate switches into small parts by using VLANs.

• One broadcast domain for the whole network or only the user network can lead to unnecessary broadcast traffic, which, upon a traffic loop, might cause a complete service outage.
• Secondly, but even more important, large broadcast domains are vulnerable to traffic sniffing and easier man-in-the-middle kind of attacks.
• A lack of VLANs can cause an administrative mess.

PC1 --- Hub --- PC2 --- Switch --- PC3

• Hub side (PC1 + PC2) = 1 collision domain.
• Switch separates PC3 into its own collision domain.
• So total = 2 collision domains.

💡 - Switch increases collision domains (per port).

• Hub shares 1 collision domain for all.

• Switch increases collision domains (per port).
• Hub shares 1 collision domain for all.

VLAN

VLANs(Virtual LANs) are a logical grouping of devices in the same broadcast domain. VLANs are usually configured on switches by placing some interfaces into one broadcast domain and some interfaces into another. Each VLAN acts as a subgroup of the switch ports in an Ethernet LAN.

Note: All nodes from VLAN one can’t access the nodes in VLAN two.

Note: VLAN one (VLAN 1) is allocated for the default VLAN(native VLAN).

Advantages of using VLAN

• It solves a broadcast problem. By reducing the size of broadcast domains and increasing the number of Broadcast domains. (the primary advantage of using VLAN)
• VLAN allows you to add an additional layer of security.
• It can make device management simple and easier.
• VLAN makes managing physical devices less complex.
• It lets you easily segment your network.
• Make a single switch into multiple switches.

Native VLAN

The native VLAN is a special VLAN designated on a trunk port for carrying untagged traffic.

When a switch port is set as a trunk, any incoming Ethernet frame without a VLAN tag is assigned to the native VLAN.

💡 VLAN Hopping Attacks: By default, using VLAN 1 as the native VLAN can pose a security risk. A best practice is to configure the native VLAN as an unused or less critical VLAN to prevent potential VLAN hopping attacks.

Which VLANs exist by default on a Cisco switch and cannot be deleted?

• 1, 1002-1005

# Tagged VLANs

Tagged VLANs are a method of marking Ethernet frames with a VLAN identifier so that switches and network devices can distinguish between traffic from different VLANs on the same physical link. distinguish between traffic from different

The tagging standard used is IEEE 802.1Q.

When traffic is sent over a trunk port, each frame includes a VLAN tag (a 4-byte field added to the Ethernet frame header). This tag contains the VLAN ID, which specifies which VLAN the frame belongs to.

Trunk ports = Tagged ports

Access port = Untagged Ports

VLAN Configuration

SW1#show vlan
SW1(config)#vlan 10 (a number you assigned to the vlan)
SW1(config-vlan)# name sales (your vlan name)
SW1(config-vlan)#exit

SW1(config)# int fa0/3 (switch port that connected to the computer)
SW1(config)#switchport mode access(it means the port is not available on vlan1 and gets out from public accessing (valn1) and should be accessed by a VLAN I will assign to it.) 
SW1(config)#switchport access vlan 10 ( your vlan number)
SW1(config)#end

Note: if you have multiple switches, the same configuration should be applied to all of them.

VLAN 3 is not yet configured on your switch. What happens if you set the switchport access VLAN 3 command interface configuration mode?

The command is accepted, and the respective VLAN is added to vlan.dat.

How do you see all VLANs created and ports assigned to the specific VLAN?

SW1#show vlan

Remove a Port From a VLAN (SEFOS)

switch(config)# interface gigabitethernet 0/2
switch(config-if)#no switchport access vlan [number]
switch(config-if)#exit

How to remove VLANs

SW1(config)#no vlan 10(vlan number you want to delete it).

Trunk

A trunk is a network link that carries multiple VLANs between devices, such as between switches, routers, or other network devices. It allows the transmission of traffic for more than one VLAN over a single physical link, reducing the number of physical connections required.

Encapsulation Types

802.1 IEEE can be used on all vendor devices.

ISL →previously used by Cisco, not usable today.

• Access Port: A port that can be assigned to a single VLAN. This type of interface is configured on switch ports that are connected to end devices, such as workstations or printers.

• Trunk Port: A port that is connected to another switch. This type of interface can carry traffic of multiple VLANs.

  

Swith1(config)#interface fa0/0
Swith1(config-if)switchport mode trunk
Swith1(config-if)#switchport trunk allowed vlan (Vlan ID or range).
Swith1(config-if)#swithport nonegotiaite

Dynamic Trunking Protocol

• Dynamic Trunking Protocol is a Cisco proprietary protocol used for negotiating a trunk link between two switches, as well as the encapsulation type. It is a layer 2 protocol and is enabled by default.
• Switchport mode dynamic auto: This is a default mode on the older CISCO switches. This mode makes the interface able to convert to a trunk link. The interface will become a trunk link if the neighboring interface is set to trunk or desirable mode. If both switches’ interface mode is auto, then the trunk will not be formed.
• Switchport mode dynamic desirable: the interface will actively attempt to convert the link into a trunk link. The interface will become a trunk link port if the neighbouring interface is set to trunk. desirable or auto.
• Switchport nonegotiate (very usable technique): This mode prevents the interface from generating DTP frames. This command is used only when the switch port mode is accessed or turned on. You must manually configure the neighboring interface as a trunk interface to establish a trunk link.

Router on a stick (one-armed router)

A router on a stick is one method for allowing routing between VLANs. That kind of setup consists of a router and a switch connected through one Ethernet link configured as an 802.1q trunk link. Such a configuration is typical in networks where no layer-3 switch exists.

Router(config-if)# int fa0/0.10 (we should create 2 sub interfaces to each VLAN)
Router(config-subif)#encapuslation dot1q 10 (VLAN ID)
Router(config-subif)#ip address 192.168.1.55 255.255.255.0 (Assign an IP address from vlan 10 to the sub-interface) 
------------second sub-interface -------------
Router(config-if)# int fa0/0.20 
Router(config-subif)#encapuslation dot1q 10
Router(config-subif)#ip address 192.168.2.55 255.255.255.0

Use the same command to create a sub-interface to the second VLAN, then write the command no shutdown

💡 The subinterface number does not have to match the VLAN Number. However, it is highly recommended that they do match, to make it easier to understand.

💡 The gateway of all devices in VLAN 10 should be the IP address assigned to the sub-interface.

💡 The switch port connected to the router in the switch should be changed to a trunk.

VLAN Troubleshooting Commands

| show vlan show vlan brief | Lists each VLAN and all interfaces assigned to that VLAN (but does not include operational trunks) | | ----------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | show vlan id num | Lists both access and trunk ports in the VLAN | | show interfaces switchport show interfaces type number switchport | Identifies the interface’s access VLAN and voice VLAN, the configured and operational mode (access or trunk), and the state of the port (up or down) | | show interface status | Summarizes the status listing for all interfaces (connected, notconnect, err-disabled), the VLAN, duplex, speed, and type of port |

Which interfaces are shown in the output of "show vlan brief"?

• Access Ports

Trunking Troubleshooting

Step 1: Identify all access interfaces and their assigned access VLANs, and reassign them into the correct VLANs, as needed.

Step 2: Determine whether the VLANs exist and are active on each switch. If needed, configure and activate the VLANs to resolve problems.

Step 3: Check the allowed VLAN lists on the switches on both ends of the trunk and ensure that the lists of allowed VLANs are the same.

Step 4: Ensure that, for any links that should use trunking, one switch does not think it is trunking, while the other switch does not think it is trunking.

VLAN Trunking Protocol(VTP)

• The purpose of VTP is to provide a way to manage Cisco switches as a single group for VLAN configuration purposes. For example, if VTP is enabled on Cisco switches, the creation of a new VLAN on one switch makes that VLAN available to all switches within the same VTP management domain**.** A switch can be part of only one VTP management domain at a time, and is part of no VTP management domain by default.

To show VTP details

Router#show vtp status

VTP Operating Type: type of VTP.

How to set the VTP domain

Router(config)#vtp domain your-domain-name

VTP Operating Type:

Server: Receives and sends configuration from neighbouring switches.

Client: We only receive VLANs from the server switch and can’t create any VLAN with this mode.

Transparent: does not synchronize VLAN configuration information with other switches.

Router(config)#vtp mode your-mode

C. configure ports in a black hole VLAN

Because assigning unused ports to a blackhole VLAN ensures they are isolated, secure, and cannot be exploited if someone plugs into them.

• C → isolate unused ports in a dedicated, unused VLAN (blackhole VLAN).
• D → shut them down so no traffic pass

B and C

Answer: C — The router will not accept the addressing scheme.

In the diagram, Router1 has two physical interfaces in the same IP subnet (192.168.1.0/24). Cisco IOS does not allow assigning the same subnet to two different routed interfaces

Answer: A — VLAN 1 (On Cisco switches, the default VLAN is always VLAN 1)

B. It sends the traffic to VLAN 100. Frames in the native VLAN are sent untagged on an 802.1Q trunk.

Correct Answer: B (When a PC sends untagged traffic to the IP phone, the phone simply forwards it unchanged (still untagged) toward the switch.)

B. The phone uses VLAN 50, while the attached PC uses VLAN 1.

switchport voice vlan 50 tells the switch to expect tagged voice traffic from the Cisco IP phone on VLAN 50. PC traffic arriving via the phone is untagged and is placed into the port’s access VLAN—which, since none is configured, defaults to VLAN 1

C and E

A and C

VLAN Lab

In this scenario, we will configure VLANs on switches across multiple locations. We'll use trunking to allow devices in the same VLAN to connect, even when they're in different locations. Also providing routing between VLAN 10 and VLAN 30 through the Router on Stick technique.

North Branch Switch

Creating VLAN 10

Branch-SW#conf t
Branch-SW(config)#vlan 10 
Branch-SW(config-vlan)#name support 
Branch-SW(config-vlan)#exit
Branch-SW(config)#interface range e0/0-1 
Branch-SW(config-if-range)#switchport mode access
Branch-SW(config-if-range)#switchport access vlan 10

Creating VLAN 20

Branch-SW#conf t
Branch-SW(config)#vlan 20 
Branch-SW(config-vlan)#name marketing
Branch-SW(config-vlan)#exit
Branch-SW(config)#int e 1/0
Branch-SW(config-if)#switchport mode  access
Branch-SW(config-if)#switchport access vlan 20
Branch-SW(config-if)#exit
Branch-SW(config)#int e0/3
Branch-SW(config-if)#switchport mode access
Branch-SW(config-if)#switchport access vlan 20
Branch-SW(config-if)#exit

Verifying Created VLANs

Branch-SW#show vlan brief

South Branch Switch

Creating VLAN 30

Branch-SW#conf t
Branch-SW-South(config)#vlan 30
Branch-SW-South(config-vlan)#name sales 
Branch-SW-South(config-vlan)#exit
Branch-SW-South(config)#int range e0/1-2
Branch-SW-South(config-if-range)#switchport mode access
Branch-SW-South(config-if-range)#switchport access vlan 30
Branch-SW-South#wr

Creating VLAN 10

Branch-SW#conf t
Branch-SW-South(config)#vlan 10
Branch-SW-South(config-vlan)#name support 
Branch-SW-South(config)#vlan 99 //this vlan for native vlan, we use it in the trunking step
Branch-SW-South(config-vlan)#name managment //this vlan for native vlan
Branch-SW-South(config-vlan)#exit
Branch-SW-South(config)#int e0/3
Branch-SW-South(config-if-range)#switchport mode access
Branch-SW-South(config-if)#switchport access vlan 10
Branch-SW-South#wr

Verifying Created VLANs

Branch-SW-South#show vlan brief

Trunk Port Configuration

North Switch

Branch-SW-North(config)#int e0/2
Branch-SW-North(config-if)#switchport trunk encapsulation dot1q
Branch-SW-North(config-if)#switchport mode trunk
Branch-SW-North(config-if)#switchport trunk  allowed vlan 10
Branch-SW-North(config-if)#switchport trunk native vlan 99 (for security reason change the native vlan to 99)
Branch-SW-North(config-if)#switchport nonegotiate 
Branch-SW-North#wr

Verify Trunk

Branch-SW-North(config)#do show interfaces trunk 
Branch-SW-North(config)#do show interface ethernet 0/2 switchport

Core Switch

Core-SW(config)#vlan 99
Core-SW(config-vlan)#name managment
Core-SW(config-vlan)#vlan 9910
Core-SW(config-vlan)#support
Core-SW(config-vlan)#20
Core-SW(config-vlan)#name sales
Core-SW(config)#int range ethernet 0/0-3
Core-SW(config-if)#switchport trunk encapsulation dot1q
Core-SW(config-if)#switchport mode trunk
Core-SW(config-if)#switchport trunk allowed vlan 10,30
Core-SW(config-if)#switchport trunk native vlan 99
Core-SW(config-if)#switchport nonegotiate 

Core-SW#wr

South Switch

Branch-SW-North(config)#int e0/0
Branch-SW-North(config-if)#switchport trunk encapsulation dot1q
Branch-SW-North(config-if)#switchport mode trunk
Branch-SW-North(config-if)#switchport nonegotiate 
Branch-SW-North(config-if)#switchport trunkin  allowed vlan 10
Branch-SW-North(config-if)#switchport trunk native vlan 99 (for security reason change the native vlan to 99)
Branch-SW-North#wr

Finally, we have access between the same VLAN on different locations

Router On Stick

To establish routing between VLANs, we configure a router using a technique called "Router on a Stick."

Configuring the Trunk on the Switch Port Connected to the Router

Core-SW(config)#int e0/2
Core-SW(config-if)#switchport trunk encapsulation dot1q
Core-SW(config-if)#switchport trunk native vlan 99
Core-SW(config-if)# switchport trunk allowed vlan 10,30

Configure the Router to establish routing between

router(config)#int fa 0/0
router(config-if)#int fa0/0.10
router(config-subif)#ip address 172.17.10.55 255.255.255.0
router(config-subif)#exit
router(config)#int fa0/0
router(config-if)#int fa0/0.30
router(config-subif)#encapsulation dot1Q 30
router(config-subif)#ip address 172.17.30.55 255.255.255.0 
router(config-subif)#exit
router(config-if)#no shut

We have now successfully established connectivity between two distinct VLANs.

Spanning Tree Protocol (STP)

What is STP

Spanning Tree Protocol (STP) is a Layer 2 network protocol that prevents loops in networks with redundant links. It logically blocks physical loops in a Layer 2 network by placing redundant ports in a blocking state, essentially disabling the interface.

• Interfaces in a forwarding state behave normally, they send and receive all normal traffic.
• Interfaces act as backups that can enter a forwarding state if an active interface fails.
• Interfaces in a blocking state only send and receive STP messages (Called BPDUs= Bridge Protocol Data Units)
• By selecting which ports are forwarding and which ports are blocking, STP creates a single path to/from each point in the network.
• There is a set of processes that STP uses to determine which port should be forwarding and which should be blocking.
• STP-enabled switches send/receive Hello BPDUs out of all interfaces; the default timer is 2 seconds.
• If a switch receives a Hello BPDU on an interface, it knows that the interface is connected to another switch (routers, PCs, etc, do not use STP, so they do not send Hello BPDUs)

Bridge Priority Data Unit(BPDU): It contains the Bridge ID, the Sender’s bridge ID cost to the root bridge, and the Timer values on the root bridge.

All switches exchange BPDU in order to elect the root bridge. The switch with the lowest bridge ID, is elected as the root Bridge.

Bridge ID: an 8-byte field that combines the bridge priority (2 bytes) and Base Mac address(6 bytes) of a device. If there is a tie on bridge priority, then the base MAC address is considered.

Bridge Priority: The default priority value for all Cisco Switches is the decimal value 32768.

Root Bridge: The root bridge is the bridge with the lowest Bridge ID. All decisions, like which port is the root port (The port with the best path to the root bridge), are made from the perspective of the root bridge.

Path Cost: A switch may encounter one or more switches in the path to the root bridge. All the paths analyzed and the path with the lowest cost will be selected.

STP Ports

• Root Port(RP): The port on a non-root switch that has the shortest path to the root bridge. It forwards traffic to the root bridge.
• Designated Port: The designated port forwards traffic from a segment to the root bridge. All STP-enabled switches have one or more designated ports.

💡 Note: The root bridge only has designated ports.

Steps to a Loop-Free Topology

1-Selecting Root Bridge: When two switches are configured with the same priority and have the same extended system ID, the switch having the mac address with the lowest value, will have the Lower BID(Bridge ID) selected as the root bridge and no port of the switch blocked.

2-Select Designated Ports: All ports from the root bridge are called designated ports.

3-Select Root port:

• Lowest root cost
• Lowest neighbor bridge ID

Switch 2 was selected as a root bridge, Switch 3 has the same cost from both sides, and which neighbour has the lowest Bridge ID will be selected as the root port in this diagram. SW1 has a lower Bridge ID.

• Lowest neighbor pot ID

STP Port ID = Port priority(default 128**) + port number.** for example: Gi0/0 lower than Gi 0/1

Switch 3 has two connections with SW1 and a lower port ID will selected as a root port G0/1 lower than G0/2.

💡 The neighbor switch's port ID is used to determine the tie, not the local switch's port ID.

4-Bock Port: After the root bridge is selected, one of the remaining switches with a high Mac address value should block one of the ports.

1. Low Bridge ID selected, and SW3 is a root bridge.
2. If SW2 has multiple paths with the same cost, the path through the neighbor with the lowest Bridge ID is selected.
3. We have two connections between SW1 and SW2 Lowest neighbor port ID will be selected G0/0 smaller than G0/2.

Note: Blocking port depends on the cost; for the best path to the root bridge, the cost should be low. cost can be determined by the type of cables connected to the switches

The cost of switch number 2 (S2) to the root bridge through S1 = 38.

But directly from S2 to the root bridge is 19, therefore, the Line between S1 to S2 is blocked.

💡 Root/Designated ports remain stable in the Forwarding state.
Non-designated ports remain stable in the Blocking state.

Non-designated ports remain stable in the Blocking state.

How do you know which switch is a root bridge?

Switch#show spanning-tree

After writing this command, if the switch is selected as the root bridge in the Root ID shows this message: “ This is the root bridge“

Also, the bridge root ports have the same role as designated ports.

Using the same command on the switch, one of the ports has been blocked.

Spanning Tree Timers

Port Fast and BPDU guard

• PortFast is a Cisco Feature for PVST+ environments. When a switch port is configured with port fast, that port transitions from blocking to the forwarding state immediately, bypassing the usual 802.1D STP transition states(the Listening and learning state).

⚠️ If used, it must be enabled only on ports connected to end hosts.
If enabled on a port connected to another switch, it could cause a layer 2 loop.

Port Fast Configuration

Enable Port Fast per Interface

s1(config)# interface FastEthernet 0/1
s1(config-if)# spanning-tree portfast

Disable port fast on an interface

s1(config)# interface FastEthernet 0/1
s1(config-if)# spanning-tree portfast disable

Enable port fast on all access ports (not trunk ports)

s1(config)# spanning-tree portfast default

Portfast is a great feature for getting a switch port connected to an end host like a PC running quickly without having to wait for 30 seconds.

When plugging the cable into the switch port, we should wait for 30 Seconds for the listening and learning state (orange light). After that, the switch could forward data from the mentioned port.

After enabling portfast on the switch port, when the cable is plugged in, the switch immediately starts forwarding (Indicated by a Green Light) and ignores the listening and learning states.

BPDU Guard

• BPDU Guard: This is a feature used to protect the Layer 2 Spanning Tree Protocol (STP) topology from BPDU-related attacks. When a BPDU Guard-enabled port receives a BPDU from the connected device, BPDU Guard disables the port and puts it into the errdisable state.

For example, if PortFast is enabled on interface G0/3 for end-user devices, and an end-user mistakenly connects a switch to that port instead of a PC, BPDU Guard will protect the STP topology by automatically disabling the port upon receiving BPDUs.

BPDU Guard should be configured on:

• Access ports connecting to end devices (workstations, printers, etc.).
• Ports connecting to servers or virtualization hosts that do not participate in the STP topology.

⚠️ When used alongside PortFast, BPDU Guard ensures that an access port remains stable and does not inadvertently participate in the spanning tree, preventing potential topology changes.

• BPDU Guard protects the network from unauthorized switches being connected and participating in STP.

• It can be configured separately from PortFast, but they are typically used together on edge/access ports.

• BPDU Guard-enabled ports do not send BPDUs. If a BPDU is received, the port is placed in error-disabled state.

• BPDU Guard protects the network from unauthorized switches being connected and participating in STP.
• It can be configured separately from PortFast, but they are typically used together on edge/access ports.
• BPDU Guard-enabled ports do not send BPDUs. If a BPDU is received, the port is placed in error-disabled state.

Enable BPDU Guard Per Interface

s2(config)# interface FastEthernet 0/1
s2(config-if)# spanning-tree bpduguard enable
s2(config-if)# end

Enable BPDU Guard on all portfast interfaces

s2(config)# spanning-tree porfast bpduguard default

Recovery from BPDU Guard:

Manually Recovery

If a port is errdisableDue to BPDU Guard, it can be recovered manually or automatically by using the following command

s2(config)#interface FastEthernet 0/1
s2(config-if)#shutdown 
s2(config-if)#no shutdown

Automatically Recovery

s2#show errdisble recovery

s2(config)#errdisable recovery cause bpdugurad 
s2(config)#do show errdisable recovery

⚠️ If you didn’t solve the problem and the port is still connected to the switch and receives BPDU messages, the port will be disabled again.

💡 Best practice:

• Use PortFast + BPDU Guard on all access ports.

• Never enable on trunk ports.

• Use PortFast + BPDU Guard on all access ports.
• Never enable on trunk ports.

BPDU Filter

Prevent a port from sending BPDU messages

If the port doesn't connect to a switch, sending BPDUs is unnecessary and undesirable for a couple of reasons:

1. Sending BPDUs uses some bandwidth and processing power on the switch.
2. BPDUs contain information about the LAN’s STP topology. (You should avoid sending this information to end users)

BPDU Filter solves this by preventing the port from sending BPDUs.

Enable BPDU Filter Per Interface

s2(config-if)# spanning-tree bpdufilter enable

• The port will not send BPDUs.
• The port will ignore any BPDUs it receives.
• In effect, this disables STP on the port. Use with caution

Enable BPDU Filter on all interfaces (Global Mode)

s2(config)# spanning-tree portfast bpdufilter default

• BPDU filter will be activated on all portfast-enabled ports.
• The port will not send BPDU packets.

Disable BPDU filter per port

s2(config-if)# spanning-tree bpdufilter disable

💡 Enable PBDU filter by default (Global Config Mode). This is highly recommended

BPDU Guard and BPDU Filter can be enabled on the same port at the same time.

• If BPDU Filter is enabled in global config mode and the port receives BPDU:
• BPDU filter will be disabled.
• BPDU Guard will be triggered( errdisbale the interface).
• IF BPDU Filter is enabled in Interface config mode and the port receives BPDU:
• The BPDU will be ignored.
• BPDU Guard will not be triggered.

💡 Caution: Do not configure a port with BPDU Guard and BPDU Filter. Enabling both on the same interface effectively cancels the BPDU Guard feature. Specifically, a port configured with both features will not error-disable the port when a BPDU is received. Instead, it will default to the BPDU Filter and simply ignore the BPDUs.

Root guard

Root Guard is a feature in Spanning Tree Protocol (STP) that prevents a port from becoming a root port if it receives superior BPDUs (A BPDU that has a lower Bridge ID). When a switch port configured with Root Guard receives a BPDU that indicates a better root bridge (one with a lower bridge ID), the port is disabled and placed into a root-inconsistent state. This action enforces the current root bridge and ensures that the topology remains stable by preventing unauthorized or unintended switches from claiming root bridge status

In this example, the Service Provider's switches are connected to the customer's switches, and the customer's root bridge ID is lower than the Service Provider's root bridge ID. The Service Provider wants to protect its STP topology and prevent it from being affected by the customer's root bridge

Root Guard can be configured to protect the STP topology by preventing the service provider switch from accepting superior BPDUs from outside of service provider control.

Root Guard Configuration

Root Guard will be configured on the ports connected to switches outside of the control.

s2(config-if)# spanning-tree guard root

💡 - Loop Guard does not have a global default command

• If a Root Guard-enabled port receives a BPDU, it will enter the broken state, effectively disabling it.

• The port will not be able to forward data frames and will discard any frames it receives.

• SW1, SW2, and SW3 won’t accept SW6 as a root Bridge.

• To re-enable the ports disabled by Root Guard, you must solve the issue that disabled the port.
  The Disabled ports must stop receiving superior BPDUs.
  Tell the customer to increase the priority value of their switch.

• Ports in root-inconsistent state recover automatically after the port stops receiving superior BPDUs. Unlike BPDU guard, manual intervention is not required.

• Loop Guard does not have a global default command
• If a Root Guard-enabled port receives a BPDU, it will enter the broken state, effectively disabling it.
• The port will not be able to forward data frames and will discard any frames it receives.
• SW1, SW2, and SW3 won’t accept SW6 as a root Bridge.
• To re-enable the ports disabled by Root Guard, you must solve the issue that disabled the port. The Disabled ports must stop receiving superior BPDUs. Tell the customer to increase the priority value of their switch.
• Ports in root-inconsistent state recover automatically after the port stops receiving superior BPDUs. Unlike BPDU guard, manual intervention is not required.

Loop Guard

Loop Guard is a Spanning Tree Protocol (STP) feature designed to prevent Layer 2 loops, especially those caused by unidirectional link failures (e.g., a broken fiber pair where only one direction fails)

Unidirectional Fiber cut If a port stops receiving BPDUs, Loop Guard places that port into a loop-inconsistent blocking state to prevent it inadvertently transitioning to forwarding and forming a loop

💡 Note: Loop guard and root guard should be configured together. While Root Guard protects against unauthorized switches attempting to become the root bridge, Loop Guard protects against unintended loops caused by link failures. Together, these features help maintain the integrity and stability of the spanning tree topology.

Loop Guard Per Interface Configuration

S4(config-if)#spanning-tree guard loop

💡 Unlike BPDU Guard or Root Guard, there is no global command (like spanning-tree loopguard default).

STP Versions

As you can see, when a loop occurs in the network, STP needs some time to block one of the switch ports. We are waiting for a few seconds until the green light has been changed to green. After that, STP is updated, and 5 generations of it are created.

1. Common Spanning Tree (CST) or IEEE 802.1D (Standard)
2. Rapid Spanning Tree Protocol (RSTP) or IEEE 802.1W (Standard)
3. Per VLAN Spanning Tree + (PVST+) by Cisco
4. Rapid Per VLAN Spanning Tree+ (RPVST+) by Cisco
5. Multiple Spanning Tree IEEE 802.1s. (Standard)

STP (802.1D) VS RSTP(802.1W)

Alternate Port: Alternate ports are in a discarding state and quickly transition to the forwarding state when the root port path fails. Alternate ports are typically found on non-root bridges and help ensure rapid convergence in the event of a link failure.

Backup Port: Backup ports serve as a backup to designated ports on a switch. Backup ports discard traffic and immediately transition to the forwarding state if the designated port fails.

Per VLAN Spanning Tree+ (PVST+)

PVST+ is a proprietary Cisco feature that finds the root bridge per V. LAN. It is the default version of STP from Cisco. It finds separate 802.1d spanning-tree instances for each VLAN. It also provides backward compatibility with 802.1d or CST. This is more optimized for the IEEE because it provides optimal path selection as a separate instance of STP per VLAN is found. This is as slow as CST.

Advantages:

• Provide more optimization on the performance of a network than CST, as it selects the root bridge per VLAN.
• Bandwidth consumption is less than CST.
• Optimum load balancing is achieved.

Disadvantages:

• This is as slow as CST, and the convergence time is slow. By default, Cisco switches take 50 seconds to converge.
• More resources (CPU and memory) are required.
• Rapid Per VLAN Spanning Tree + (RPVST+): This is a spanning tree standard by Cisco that provides faster convergence than PVST+ and finds a separate instance of 802.1w per VLAN. It requires much more CPU and memory than other STP standards.

802.1s(Multiple Spanning Tree)

• 802.1s(Multiple Spanning Tree): This standard is developed by IEEE, in which grouping of VLANs is done, and for every single group, RSTP is run. This is basically a spanning tree protocol running over another spanning tree protocol.

Advantages:

• High redundancy.
• Load balancing can be achieved.
• Lower CPU and Memory usage is required

Disadvantages:

• More configuration is required, and not easy to implement.

Spanning Tree Configuration

s3(config)# spanning-tree vlan 20 root primary
s3(config)# spanning-tree vlan 10 root secondary [secondary switch add when primary root bridge removed the second one be a root bridge]
s3(config)# spanning-tree vlan 20 priority 4096
 s3# show spanning-tree
 s3# conf t
 s3(config)#spanning-tree mode rapid-pvst
 s3# show spanning-tree vlan 10

Which one is the first step in STP operation?

• Select the Root Bridge ✅

Which one is the last step in STP operation?

• Block all Non-Root & Non-DP’s ✅

What is the maximum number of Root Ports that each Cisco switch can have in the STP Topology?

• 1 ✅

D. Learning E. Forwarding

D. Learning

B. (In RSTP terms, this means discarding state (blocking equivalent in classic STP). The Backup Port is exactly this: a redundant path toward the designated bridge on a shared segment.)

D

D

B

Correct answers: A and E

panning tree enabled protocol rstp” ➜ on Cisco that means Rapid PVST+

Under Root ID, it shows Cost 19 and Port 1 (FastEthernet 2/1). When a switch is not the root, the interface listed here is the root port (the port used to reach the root bridge).

A E

B

EtherChannel

What is EtherChannel?

• EtherChannel(link aggregation) is a port link aggregation technology in which multiple physical port links are grouped into one logical link. It provides high speed and redundancy, load sharing, and increased bandwidth between switches, routers, and servers.
• A maximum of 8 links can be aggregated.

Note: only an even number of cables can be used between the switches, for example 2-4-6 cables, not odd numbers like 1-3-5.

When the bandwidth of the interfaces connected to end hosts is greater than the bandwidth of the connection to the distribution switch(es), this is called oversubscription. Some oversubscription is acceptable, but excessive oversubscription can cause congestion. To address this, the network administrator adds multiple links between the access switch and the distribution switch.”

EtherChannel groups multiple interfaces together to act as a single, high-bandwidth link. Without EtherChannel, in a redundant link environment, each link would be treated as a separate entity by Spanning Tree Protocol (STP). This would result in only one link being active, while the others remain in a blocking state

Requirement

1. Same duplex.
2. Same speed
3. Same VLAN configuration
4. Switch port modes should be the same ( access or trunk mode).

Port Aggregation Protocol(PAgP)

Port Aggregation Protocol (PAgP) is a Cisco proprietary protocol used with an EtherChannel.

There are different modes in which you can configure your interface.

• On: no negotiation takes place. (No protocol used.)
• Desirable: Actively negotiates EtherChannel.
• Auto: Passive, waits for the other side to initiate.
• Off: No EtherChannel configured on the interface.

💡 Up to 8 Interfaces can be formed into a single EtherChannel (LACP allows up to 16 links, but only 8 will be active, the other 8 will be in standby mode, waiting for an active interface to fail)

Link Aggregation Control Protocol(LACP)

Link Aggregation Control Protocol is an IEEE protocol, originally defined in 802.3ad, used to form an EtherChannel. This protocol is almost similar to Cisco PAgP. There are different modes in which you can configure your interface.

• ON: In this mode, the interface will be a part of EthernetChannel, but no negotiation takes place.
• Active: Actively negotiates EtherChannel.
• Passive: Passive, waits for initiation
• Off: No EtherChannel configured on the interface.

💡 ON mode only works with ON mode ( ON+ Active or On + Desirable will not work)

ASW1(config-if-range)#channel-group [1-255] number mode (ative for LACP, Desrible for PAgP)

What is the status of the port channel if LACP is misconfigured?

Disabled ✅

You have configured three trunk ports in an EtherChannel group. What will happen when one port in the grouping fails?

The channel cost has increased. ✅ (Because the EtherChannel group has lost some bandwidth, the cost of the grouped link is increased.)

C ( Not D because D adds 300 and removes other VLANs)

B

D and E

B Creating the port-channel interface and using port-channel min-links 1 tells the switch to keep the Port-Channel (Po1) operational as long as at least one member link is up.

EtherChannel LAB

In this scenario, we will implement EtherChannel Layer 2 and Layer 3 with different types of EtherChannel protocols, Static, PAgP, and LACP, for this topology.

EtherChannel Configuration on Access Switch 1 Using LACP Protocol

ASW1#conf t
ASW1(config)#interface range e0/2-3
ASW1(config-if-range)#channel-group 1 mode active
ASW1(config)#int po1 [port-channel 1]
ASW1(config-if)#switchport trunk encapsulation dot1
ASW1(config-if)#switchport mode  trunk

Verify EtherChannel Configuration on Access Switch 1

ASW1#show etherchannel summary

EtherChannel Configuration on Distribution Switch 1 Using LACP Protocol (Access Switch Side)

DSW1#conf t
DSW1(config)#int range e0/2-3
DSW1(config-if-range)#channel-group 1 mode active
DSW1(config)#int po1
DSW1(config-if)#switchport trunk encapsulation dot1q
DSW1(config-if)#switchport mode trunk

An EtherChannel connection has been established between the Access and Distribution switches using LACP.

Configure SVI (Switch Virtual Interface) as a Default gateway

DSW1(config)#int vlan 1
DSW1(config-if)#ip address 172.16.2.100 255.255.255.0
DSW1(config-if)#no shutdown

A Switch Virtual Interface (SVI) is a logical interface on a network switch that enables Layer 3 functionality for a VLAN. It allows the switch to perform routing between VLANs and provides IP connectivity for the VLAN.

💡 An EtherChannel is just a link bundle. A default gateway must be an IP address on a Layer-3 interface, not a link.

EtherChannel Configuration on Access Switch 2 Using PAgP Protocol

ASW2(config)#int range e0/1-2
ASW2(config-if-range)#channel-group 1 mode desirable 
ASW2(config-if-range)#int po1 
ASW2(config-if)#switchport trunk encapsulation dot1q 
ASW2(config-if)#switchport mode trunk
ASW2#show etherchannel summary

EtherChannel Configuration on Distribution Switch 2 Using PAgP Protocol (Access Switch Side)

DSW2(config)#int range e0/0-1
DSW2(config-if-range)#channel-group 1 mode desirable
DSW2(config-if-range)#no shutdown 
DSW2(config-if-range)#int po1
DSW2(config-if)#switchport trunk encapsulation dot1q
DSW2(config-if)#switchport mode trunk
DSW2#show etherchannel summary

Configure SVI (Switch Virtual Interface) as a Default gateway

DSW2(config)#int vlan 1
DSW2(config-if)# ip address 172.16.1.100 255.255.255.0
DSW2(config-if)#no shut

Layer 3 EtherChannel Configuration between two Layer 3 Switches

Distribution Switch 1 Configuration

DSW1(config)#int range e0/0-1
DSW1(config-if-range)#no switchport /change to routed port/
DSW1(config-if-range)#channel-group 2 mode on
DSW1(config-if-range)#no shutdown 
DSW1(config-if-range)#int po2
DSW1(config-if)#ip address 10.0.0.1 255.255.255.252

Distribution Switch 2 Configuration

DSW2(config)#int range e0/02-3
DSW2(config-if-range)#no switchport 
DSW2(config-if-range)#channel-group 2 mode on
DSW2(config-if-range)#no shutdown 
DSW2(config-if-range)#int po2
DSW2(config-if)#ip address 10.0.0.2 255.255.255.252

EtherChannel layer 3 has been established between two layer 3 switches.

Configure a static route to reach the IT Department pc to the Server in the Data Center

DSW1(config)#ip routing
DSW1(config)#ip route 172.16.1.0 255.255.255.0 10.0.0.2

DSW2(config)#ip routing
DSW2(config)#ip route 172.16.2.0 255.255.255.0 10.0.0.1

After completing the configuration, clients from the IT department have established a connection with the server located in the data center.

Notes:

• Channel-Group should be unique and not repeated on the same switch.
• PO= port-channel.
• Before starting the configuration of channel groups, make sure all interfaces are down.

Question #: 1266

Question #: 1339

Routing

What is a Router?

• A router is a layer 3 device used for interconnecting networks at layer 3**.**
• Routing is the process of identifying the best path to a destination.
• Routers make their forwarding decision based on Layer 3 (IP Address), unlike Switches, which make their decision based on Layer 2 ( MAC Address).
• Generally, a router has at least two interfaces, but with the use of VLANs, it can have only one interface.
• The router receives the message, de-encapsulates the Ethernet frame, and then reads the destination IP address (Network portion) in the IP packet. It then determines where to forward the message. It re-encapsulates the packet back into a new frame and forwards the frame to its destination.

The Routing Table

• A routing table is a data structure used by routers and networked devices (like servers, PCs, and switches with Layer 3 capabilities) to determine the best path for forwarding packets to their destinations.
• Routing table updates are done in two ways:
• Dynamically: Remote routes are automatically learned using a dynamic routing protocol.
• Manually: Remote networks are manually entered into the route table using static routes.
• If the router can't determine where to forward a message, it will drop it. The Network Administrator configures a static default route that is placed into the routing table so that a packet will not be dropped due to the destination network not being in the routing table.

Directly connected: means that the router is connected to the network directly.

Default Gateway

A default gateway is the router IP address on your local network that your device uses to send traffic outside of its subnet.

Think of it as the “exit door” from your local network to other networks (like the internet).

💡 Hosts with an incorrect default gateway can communicate with other hosts on a local network, but can’t communicate with hosts in other networks.

What is the purpose of ARP in an IPv4 network?

• to obtain a specific MAC address when an IP address is known.

The ARP table in a switch maps which two types of addresses together?

• Layer 3 address to a Layer 2 address

What does the router do after it determines that a data packet from Network 1 should be forwarded to Network 2?

• It reassembles the frame with MAC addresses different from the original frame.

A host needs to reach another host on a remote network, but the ARP cache has no mapping entries. To what destination address will the host send an ARP request?

• the broadcast MAC address

When we configure an IP address on an Interface and enable the interface, two routes are automatically added to the routing table:

• Connected Route C (Code C in the routing table): represents a network directly attached to the router interface,
• Local Route L (Code L in the Routing table) represents the IP address assigned and configured to the router's specific interface and is always a /32 (host route).

Router VS L3 Switch

The port density of a switch refers to the number of ports available on a single switch.

Type of Routing

Static Routing

Static routes are mainly configured when routing from a particular network to a stub network.

Router(config)# ip route 192.168.3.0 255.255.255.0 [next-hop ip address or exit interface]

Default Route (gateway of last resort)

A gateway of Last Resort is a route that a router uses when it does not have a more specific match for a destination in its routing table. It is essentially the default route, directing traffic to a next-hop router when no other routes match.

Router(config)# ip route 0.0.0.0 0.0.0.0 [next-hop ip address or exit interface]

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

     10.10.10.0/24 is directly connected, Gig0/0
     172.16.0.0/16 is directly connected, Gig0/1
     0.0.0.0/0 [1/0] via 192.168.1.1

• The router knows about 10.10.10.0/24 and 172.16.0.0/16.
• If traffic is going to, say, 8.8.8.8 (Google DNS), It doesn’t match any specific route.
• So the router sends it to the gateway of last resort: 192.168.1.1.

Static Route

Advantage:

• No routing overhead for the router CPU, which means a cheaper router can be used to do routing.
• It adds security because only the administrator can allow routing to particular networks.
• No bandwidth usage between routes, and any updating did not happen between routes, such as dynamic routing)

Disadvantage:

• For a large network, it is hectic for the administrator to manually add each route for the network in the routing table on each router.
• The administrator should have good knowledge of the topology. If a new administrator comes, then he has to manually add each route, so he should have a very good knowledge of the router topology.

Static Route Lab

In this scenario, we have three departments, each with a unique subnet. We will establish a connection between the departments through static routing and forward unknown destinations to the internet.

Operation Router Configuration

OPS-Router#conf t
OPS-Router(config)#int fa0/0
OPS-Router(config-if)#ip add 172.16.1.1 255.255.255.0 
OPS-Router(config-if)#no shutdown
OPS-Router(config-if)#exit
SUP-Router#conf t
OPS-Router(config)#int fa1/0
OPS-Router(config-if)#ip add 10.1.1.1 255.255.255.252
OPS-Router(config-if)#no shutdown

Support Router Configuration

SUP-Router#conf t
SUP-Router(config)#int fa1/0
SUP-Router(config-if)#ip add 10.1.1.2 255.255.255.252
SUP-Router(config-if)#no shutdown
SUP-Router(config-if)#exit


SUP-Router(config)#int fa2/0
SUP-Router(config-if)#ip add 10.1.2.1 255.255.255.252
SUP-Router(config-if)#no shutdown 


SUP-Router(config)#int fa0/0
SUP-Router(config-if)#ip add 172.16.2.1 255.255.255.0 
SUP-Router(config-if)#no shutdown 


SUP-Router(config)#int fa3/0
SUP-Router(config-if)#ip address 10.1.3.2 255.255.255.252
SUP-Router(config-if)#no shutdown

Development Router Configuration

DEV-Router#conf t
DEV-Router(config)#int fa1/0
DEV-Router(config-if)#ip address 10.1.2.2 255.255.255.252
DEV-Router(config-if)#no shutdown
DEV-Router(config-if)#exit

DEV-Router(config)#int fa0/0
DEV-Router(config-if)#ip add 172.16.3.1 255.255.255.0
EV-Router(config-if)#no shutdown

Internet Router Configuration

Internet#conf t
Internet(config)#int fa 0/0
Internet(config-if)#ip address 10.1.3.1 255.255.255.252
Internet(config-if)#no shutdown 
Internet#wr

PC Configuration Operation Department

PC-02> ip 172.16.1.2 255.255.255.0 172.16.1.1

PC Configuration Support Department

Support-PC02> ip 172.16.2.2 255.255.255.0 172.16.2.1

PC Configuration Development Department

DEV-PC01> ip 172.16.3.2 255.255.255.0 172.16.3.1

Operation Router Static Route Configuration

OPS-Router#conf t
OPS-Router(config)#ip route 172.16.2.0 255.255.255.0 10.1.1.2
OPS-Router(config)#ip route 172.16.3.0 255.255.255.0 10.1.1.2
OPS-Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
OPS-Router(config)#exit
OPS-Router#wr

OPS-Router#show ip route static

Support Router Static Route Configuration

SUP-Router#conf t
SUP-Router(config)#ip route 172.16.1.0 255.255.255.0 10.1.1.1
SUP-Router(config)#ip route 172.16.3.0 255.255.255.0 10.1.2.2
SUP-Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.3.1
SUP-Router(config)#exit
SUP-Router#wr

DEV-Router#conf t
DEV-Router(config)#ip route 172.16.1.0 255.255.255.0 10.1.2.1
DEV-Router(config)#ip route 172.16.2.0 255.255.255.0 10.1.2.1
DEV-Router(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.1
DEV-Router(config)#exit
DEV-Router#wr

Now, as you can see, the connection between departments has been established.

Dynamic Routing

• Dynamic routing makes automatic adjustments to the routes according to the current state of the route in the routing table. Dynamic routing uses protocols to discover network destinations and the routes to reach them.

Dynamic protocols have the following features:

• The routers should have the same dynamic protocol running in order to exchange routes.
• When a router finds a change in the topology, the router broadcasts it to all other routers.

Advantages:

• Easy to configure
• More effective at selecting the best route to the destination remote network and also for discovering remote networks.

Disadvantage:

• Consumes more bandwidth for communication with other neighbours.
• Less secure than static routing. (because we decided in which path the data should be transferred).

Dynamic Routing Protocols:

• Routing Protocols: Help routers add information to their routing tables from connected routers automatically. These types of protocols also send out topology updates whenever changes happen in the topology.

Type of Routing Protocols

• Distance Victor or Link state protocols.
• Interior Gateway Protocols (IGP) or Exterior Gateway Protocols (EGP).
• Classful or Classless Protocols. (old not useful, classful can not be subnetted)

Type of Routing Protocols

• IGP (Interior Gateway Protocol): Used for routing inside a single organization or network (Autonomous System). It helps routers within the same network share routes. Examples: OSPF, EIGRP, RIP, and IS-IS.
• EGP (Exterior Gateway Protocol): Used for routing between different organizations or networks (Autonomous Systems). It helps networks on the internet share routes. The main example today is BGP (Border Gateway Protocol).

Distance Vector Routing Protocol

• Distance Vector Protocol broadcasts its routing table to every directly connected neighbour at specific time intervals, using a lot of bandwidth and slow convergence**.** In the Distance Vector Routing protocol, when a route becomes unavailable, all router tables need to be updated with new information.

Distance Vector Protocols work best in these situations:

• When the network is simple and flat, and doesn’t require a hierarchical design.
• When the administrators don’t have enough knowledge to configure and troubleshoot link-state protocols.
• When worst-case convergence times in a network are not a concern. (that the speed at which the network protocols adjust to changes, such as topology updates, link failures, or new configurations, is not critical to the network's operation or performance requirements)

Link State Protocols

• Link State protocols find the best routing path by sharing information with other routes in proximity. The route is calculated based on the speed of the path to the destination and the cost of resources.
• One key difference to a distance vector protocol is that link state protocols don’t send out routing tables instead, routes notify each other quickly when route changes are detected.
• Link State protocols use more resources (CPU) on the router because more information is shared.

Link-State works best in these situations:

• When the network design is hierarchical.
• When the administrators have good knowledge of the implemented link-state routing protocol.
• When the fast convergence of the network is crucial.

The total matric is the total cost of each link in the route. | | IS-IS | Cost | The total metric is the total cost of each link in the route. the cost of each link is not automatically calculated by default. All Links have a cost 10 by default. |

Administrative Distance

Routers use this feature to select the best path when there are two or more routes to the same destination using different routing protocols. Administrative distance defines the reliability of the routing protocol.

Lower AD is Preferred: The route with the lowest AD value is selected.

Static Value: Assigned by default but can be adjusted manually.

Metrics

A metric is a value that routing protocols use to determine the best path to a destination network. When multiple routes exist with the same routing protocol, the router chooses the path with the lowest metric because it is considered the most efficient.

• The following routes to the destination network 10.1.1.0/24 are learned:
• next hop 192.168.1.1, learned via RIP, metric 5
• next hop 192.168.2.1, learned via RIP, metric 3
• next hop 192.168.3.1, learned via OSPF, metric 10

Which route to 10.1.1.0/24 will be added to the route table?

next hop 192.168.3.1, learned via OSPF, metric 10

💡 We don't consider the metric directly because the routes are learned from different routing protocols. Each protocol has its own Administrative Distance (AD), and this value is used to select the best route. OSPF typically has a lower AD, making its routes more preferred

How to check the Administrative Distance and Metric of each Route

R1#show ip route

Administrative Distance = 90 Metric=30720

Autonomous System

An Autonomous System (AS) is a set of Internet-routable IP prefixes belonging to a network or a collection of networks that are all managed, controlled, and supervised by a single entity or organization. The AS is assigned a globally unique 16-digit identification number一known as the autonomous system number or ASN一by th e Internet Assigned Numbers Authority (IANA).

Routing Information Protocol (RIP)

• Routing Information Protocol(RIP): This is one of the first routing protocols to be created. There are multiple versions of RIP, including RIPv1 and RIPv2. The original version, RIPv1, determines network paths based on the IP destination and hop count of the journey and uses the broadcast address.
• RIPv2 is a little more sophisticated than this and sends its routing table to a multicast address. RIPv2 also uses authentication to keep data more secure and choose a subnet mask and gateway for future traffic. The main limitation of RIP is that it has a maximum hop count of 15, which makes it unsuitable for a large network.
• RIPng(RIP Next Generation), used for IPv6
• It uses two messages every 30 seconds: Request: To ask RIP-enabled neighbour routers to send their routing table. Response: To send the local router’s routing table to neighbouring routers

RIP&EIGRP Lab

In this scenario, we will be establishing dynamic routing between Network 1 in North Erbil and Network 2 in South Erbil using the RIP protocol.

Network 1 Basic IP Configuration

PC IP Address

VPC> ip 172.16.1.2 255.255.255.0 172.16.1.1

Router R1 IP configuration

R1#conf t
R1(config)#int fa 1/0
R1(config-if)#ip address 172.16.1.1 255.255.255.0 
R1(config-if)#no shutdown 
R1(config-if)#exit

R1(config)#int fa0/0 
R1(config-if)#ip add 10.0.0.1 255.255.255.0
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#exit
R1#wr

Network 2 Basic IP Configuration

PC IP Address

VPC> ip 172.16.2.2 255.255.255.0 172.16.2.1

Router R1 IP configuration

R2#conf t
R2(config)#int fa1/0
R2(config-if)#ip add 172.16.2.1 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit

R2(config)#int fa 0/0
R2(config-if)#ip add 10.0.0.2 255.255.255.0 
R2(config-if)#no shutdown 
R2(config-if)#exit
R2(config)#exit
R2#wr

RIP (Routing Information Protocol) Configuration

RIP Protocol Configuration Network 1

R1(config)#router rip 
R1(config-router)#version 2
R1(config-router)#no auto-summary 
R1(config-router)#network 10.0.0.0
R1(config-router)#network 172.16.1.0
R1(config-router)#passive-interface fa1/0 [prevent the router from sending routing table to the mentioned interface]
R1(config-router)#exit
R1(config)#exit
R1#wr

RIP Protocol Configuration Network 2

R2(config)#router  rip
R2(config-router)#version 2
R2(config-router)#no auto-summary 
R2(config-router)#network 10.0.0.0
R2(config-router)#network 172.16.2.0
R2(config-router)#passive-interface fa1/0
R2(config-router)#exit
R2(config)#exit
R2#wr

RIP Routing Verification

R1#show ip route rip

R1#debug ip rip

As you can see each router exchanges the routing table with neighbours, routing table entries are not advertised on interfaces connected to end devices. This is a key benefit of using the 'passive-interface' command in routing protocols.

R1#show ip protocols

It can be seen that a connection between network 1 and network 2 has been established using the RIP protocol.

EIGRP

• Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance vector routing protocol. EIGRP was a Cisco proprietary (till 2013) protocol that was designed to follow the original IGRP protocol. When using EIGRP, a router takes information from its neighbours’ routing tables through a multicast message.

EIGRP LAB

In this scenario, we will be establishing dynamic routing between Network 1 in North Sulaymaniyah and Network 2 in South Sulaymaniyah using the EIGRP protocol.

Network 1 Basic IP Configuration

PC IP Address

VPC> ip 172.17.1.2 255.255.255.0 172.17.1

Router R1 IP configuration

R1#conf t
R1(config)#int fa0/0   
R1(config-if)#ip add 172.17.1.1 255.255.255.0 
R1(config-if)#no shut
R1(config-if)#exit


R1(config)#int fa1/0
R1(config-if)#ip add 10.1.0.1 255.255.255.252
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#exit
R1#wr

Network 2 Basic IP Configuration

PC IP Address

VPC>  ip 172.17.2.2 255.255.255.0 172.17.2.1

Router R2 IP configuration

R2#conf t
R2(config)#int fa1/0
R2(config-if)#ip add 10.1.0.2 255.255.255.252
R2(config-if)#no shutdown 
R2(config-if)#exit

R2(config)#int fa 0/0
R2(config-if)#ip add 172.17.2.1 255.255.255.0
R2(config-if)#no shutdown 
R2(config-if)#exit
R2(config)#exit
R2#wr

EIGRP(Enhanced Interior Gateway Routing Protocol) Configuration

EIGRP Protocol Configuration Network 1

R1(config)#router eigrp 100 (<u>**Autonomous Systems (AS) ID**</u> )
R1(config-router)#network 10.1.0.0 0.0.0.3 ip wildcard (255.255.255.252 = 0.0.0.3 [255-252])
R1(config-router)#network 172.17.1.0 0.0.0.255
R1(config-router)#no auto-summary 
R1(config-router)#exit
R1(config)#exit
R1#wr

Note:

• All routers within an Autonomous System (AS) should have the same AS number, which is considered a unique identifier for a network.
• Auto-summary: This feature automatically summarizes routes to their classful network boundaries. For example, a network with a /26 or /27 prefix would be summarized as a /24. This can lead to subnetting issues and is generally not recommended for most modern networks.

EIGRP Protocol Configuration Network 2

R2(config)#router eigrp 100
R2(config-router)#network 10.1.0.0 0.0.0.3
R2(config-router)#network 10.1.0.0 0.0  
R2(config-router)#no auto-summary
R2(config-router)#exit
R2(config)#exit
R2#wr

EIGRP Routing Verification

R1#show ip route  eigrp

R1#show ip protocols

R1#show ip eigrp neighbors

A connection between Network 1 and Network 2 has been established using the EIGRP protocol.

Floating Static Route

Static routes have a very low distance value of 1. This means the router will prefer a static route over any routes learned through a dynamic routing protocol. If we want to use a static route as a backup route, we should change the administrative distance value of the static route. This is called a floating static route.

Floating Static Route

In this scenario, we will be establishing dynamic routing between Network 1 in North Sulaymaniyah and Network 2 in South Sulaymaniyah using the EIGRP protocol. A floating static route will be configured as a backup, ensuring network connectivity even if the EIGRP protocol encounters issues.

Network 1 Basic IP Configuration

PC IP Address

VPC> ip 172.17.1.2 255.255.255.0 172.17.1

Router R1 IP configuration

R1#conf t
R1(config)#int fa0/0   
R1(config-if)#ip add 172.17.1.1 255.255.255.0 
R1(config-if)#no shut
R1(config-if)#exit

R1(config)#int fa 2/0
R1(config-if)#ip add 10.2.0.1 255.255.255.252 
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#exit

R1(config)#int fa1/0
R1(config-if)#ip add 10.1.0.1 255.255.255.252
R1(config-if)#no shutdown 
R1(config-if)#exit
R1(config)#exit
R1#wr

Network 2 Basic IP Configuration

PC IP Address

VPC>  ip 172.17.2.2 255.255.255.0 172.17.2.1

Router R2 IP configuration

R2#conf t
R2(config)#int fa1/0
R2(config-if)#ip add 10.1.0.2 255.255.255.252
R2(config-if)#no shutdown 
R2(config-if)#exit

R2(config)#int fa 0/0
R2(config-if)#ip add 172.17.2.1 255.255.255.0
R2(config-if)#no shutdown 
R2(config-if)#exit
R2(config)#exit

R2(config)#int fa2/0
R2(config-if)#ip add 10.3.0.1 255.255.255.252
R2(config-if)#no shu
R2(config-if)#no shutdown 

R2(config-if)#exit
R2(config)#exit
R2#wr

Router R3 IP configuration

R3#conf t 
R3(config)#int fa1/0
R3(config-if)#ip add 10.2.0.2 255.255.255.252 
R3(config-if)#no shut


R3(config-if)#exit
R3(config)#int fa0/0 
R3(config-if)#ip add 10.3.0.2 255.255.255.252     
R3(config-if)#no shut

R3(config-if)#exit
R3(config)#exit
R3#wr

Static Routing Configuration

R1(config)#ip route 172.17.2.0 255.255.255.0 10.2.0.2 
R1(config)#ip route 10.3.0.0 255.255.255.252 10.2.0.2  


R3(config)#ip route 172.17.2.0 255.255.255.0 10.3.0.1
R3(config)#ip route 172.17.2.0 255.255.255.0 10.3.0.1


 R2(config)#ip route  172.17.1.0 255.255.255.0 10.3.0.2
 R2(config)#ip route  10.2.0.0  255.255.255.252  10.3.0.2

After configuring the static route, data is forwarded through the static route because of the low administrative distance value.

Configure Floating Static Route

Our network topology is configured with EIRGP, and the default distance value of EIRGP is 90 our static route will be used as a backup. Let’s set the distance value to 91.

R1(config)#ip route 172.17.2.0 255.255.255.0 10.2.0.2 91
R1(config)#ip route 10.3.0.0 255.255.255.252 10.2.0.2  91


 R3(config)#ip route 172.17.2.0 255.255.255.0 10.3.0.1 91
 R3(config)#ip route 172.17.2.0 255.255.255.0 10.3.0.1  91


  R2(config)#ip route  172.17.1.0 255.255.255.0 10.3.0.2  91
  R2(config)#ip route  10.2.0.0  255.255.255.252  10.3.0.2 91

After configuring a floating static route, the routers in Network 1 and Network 2 utilize the EIGRP to route data between each other, and the static route works as a backup.

OSPF

• Open Shortest Path First (OSPF) is a link-state routing protocol that is used to find the best path between the source and the destination router using its own Shortest Path First.
• The protocol recalculates routes when a link fails and the network topology changes, Using the Dijkstra(dike·struh) algorithm, and minimizes the routing protocol traffic that it generates.
• It provides a multi-level hierarchy called “area routing” so that information about the topology within the defined area of the AS is hidden from routes outside this area. This enables an additional level of routing protection and reduction in routing protocol traffic.
• All protocol exchanges can be authenticated so that only trusted routers can join in the routing exchanges for the AS

Benefits of OSPF:

• Fast convergence.
• Efficient use of network resources.
• Support for large, complex networks.
• Ability to route IPv4 and IPv6 traffic (OSPFv2 for IPv4, OSPFv3 for IPv6).
• Redundancy and fault tolerance.
• VLSM (Classless Routing) and route summarization

OSPF Concepts

Area

• An area is a logical collection of OSPF networks, routers, and links that have the same area identification.
• The most important area in OSPF is the backbone area, also known as area 0. The backbone area is the central area that interconnects all other areas.
• In a large network, a single-area design can have negative effects:
• The SFP algorithm takes more time to calculate routes and it causes the algorithm to require more processing power.
• Any small change in the network causes every router to flood LSAs and run the SPF algorithm again.
• By dividing a large OSPF network into several smaller areas, you can avoid the above negative effects.

Neighbour

• Routers running OSPF need to establish a neighbour relationship before exchanging routing updates. Neighbours are dynamically discovered by sending Hello packets out of each OSPF-enabled interface.

• Hello Packets:

  OSPF uses multicast addresses to communicate and exchange Hello Packets between routers

  • 224.0.0.5: All OSPF routers.
  • 224.0.0.6: All OSPF designated routers (DRs) and backup designated routers (BDRs).
• Hello Interval:
  • The OSPF router sends a hello message on an interface. It is 10 seconds by default.
• Dead Interval:
  • The Dead interval is four times the Hello interval, which means a Dead interval of 40 seconds
  • If a router does not receive at least one Hello packet from a neighbour within the Dead interval, the neighbour is considered down.

ABR and ASBR

• Area Border Router(**ABR**): a router that connects two or more OSPF areas, one of which must be the backbone area (area 0).
• Autonomous System Boundary Router(**ASBR**) is a router that connects two different Autonomous Systems (AS) and helps them communicate with each other. It usually runs BGP (Border Gateway Protocol) to exchange routing information between the AS, while OSPF is used within an AS. It is responsible for importing and redistributing routes from non-OSPF sources into the OSPF routing source.

Designated Router and Backup Designated Router

• Designated Router (**DR) and Backup Designated Router(BDR**) are to act as a central point for exchanging OSPF information between multiple routers on the same network. Each non-DR and non-BDR router only exchanges routing information with the DR and BDR, instead of exchanging updates with every router on the segment. This significantly reduces the amount of OSPF updates sent across the network.

DR and BDR Election

OSPF uses the following tie-breaker order:

1- Interface priority (0–255, default = 1; if set to 0, the router never becomes DR/BDR).

R1(config)#interface fastEthernet 0/0
R1(config-if)#ip ospf priority 200

2- Highest router ID is a 32-bit number that uniquely identifies every OSPF router.

R1# conf t 
R1#(config) router ospf 100(OSPF process number).
R1#(config-router)# router-id 1.1.1.1

3- Highest IP address on a loopback address (first check loopback if no loopback IP configuration, then check physical interface IP) or an active physical interface.

💡 - OSPF Router ID should not be changed after the OSPF process has started and the OSPF neighborships have been established. If you change the OSPF Router ID, we need to either reload the IOS or use the command (clear ip ospf process), for the OSPF Router ID change to take effect. Reloading the IOS or using the command [clear ip ospf process] can cause a temporary network outage.

• OSPF Router ID should not be changed after the OSPF process has started and the OSPF neighborships have been established. If you change the OSPF Router ID, we need to either reload the IOS or use the command (clear ip ospf process), for the OSPF Router ID change to take effect. Reloading the IOS or using the command [clear ip ospf process] can cause a temporary network outage.

💡 Best Practice (What Network Engineers Prefer)
Use interface priority to control DR/BDR election.

• Set the router you want as DR with a higher priority (e.g., 100).

• Set critical backups as BDR with a slightly lower priority.

• Set devices that should never be DR (like access switches or less powerful routers) to priority 0.

Use interface priority to control DR/BDR election.

• Set the router you want as DR with a higher priority (e.g., 100).
• Set critical backups as BDR with a slightly lower priority.
• Set devices that should never be DR (like access switches or less powerful routers) to priority 0.

Loopback Interface Configuration

R1#conf t 
R1(config)#interface loopback 0 
R1(config-if)#ip address 10.0.0.1 255.255.255.0
R1(config-if)#exit

OSPF Process ID

• The process ID is the ID of the OSPF process to which the interface belongs. The process ID is local to the router, and two OSPF neighbouring routers can have different OSPF process IDs. (Not like EIGRP). Cisco IOS software can run multiple OSPF processes on the same router**, The Router ID should be a positive integer; for example, the process ID is 1**

## Link State Advertisement (LSAs)

• Link-State Advertisement (LSA) is a packet used to share routing and topology information between routers within the same area. LSAs help OSPF routers build a complete map of the network.

OSPF Concepts: Main LSAs

💡 - Hello messages are used for establishing and maintaining OSPF neighbour relationships.

• LSAs are used to share detailed routing and topology information within the OSPF domain.

• Hello messages are used for establishing and maintaining OSPF neighbour relationships.
• LSAs are used to share detailed routing and topology information within the OSPF domain.

Cost

• Open Shortest Path First(OSPF) uses cost as the value of metric value and uses a reference bandwidth of 100 Mbps for cost calculation. The formula to calculate the cost is Reference Bandwidth divided by interface bandwidth. For example, in the case of 10 Mbps Ethernet, OSPF metric cost value is 100 Mbps / 10 Mbps.

Modify the reference bandwidth

R1(config-router) **auto-cost reference-bandwidth** <u>megabits-per-second</u>

Manually configure the cost of an interface:

R1(config-if)**ip ospf cost** <u>cost</u>

Modify the interface bandwidth:

R1(config-if)**bandwith** kilobits-per-second

Which of these commands can be used to make a FastEthernet interface have an OSPF cost of 100?

• R(config-router)# auto-cost reference bandwidth 1000

Reference bandwidth/Interface bandwidth = cost

10000/100=100

💡 The SPF algorithm uses the cost of the outgoing interfaces toward the destination subnet, including the cost of the interface that connects to the subnet. The logic is illustrated in the following diagram.

Example Scenario

Scenario: You have two paths from Router A to Router D:

1. Path 1: A → B → D (10 Mbps and 100 Mbps links, respectively).
2. Path 2: A → C → D (100 Mbps links only).

Default Cost Calculation:

• Path 1: Cost = 10 (A → B) + 1 (B → D) = 11.
• Path 2: Cost = 1 (A → C) + 1 (C → D) = 2.

Result:

• OSPF chooses Path 2 because it has a lower total cost.

Wild Card Mask

• Wildcard masks are used to specify a range of network addresses. They are usually used with routing protocols (Such as OSPF) and access lists.
• A Wildcard mask is 32-bit long. It is an inverted subnet mask, with the zero bits indicating that the corresponding bit position must match the same bit position in the IP address.

Note: Change all 0s to 255 and all 255s to 0. In the second one, the last number is 255 − 192 = 063.

OSPF States

• Down State: No Hello received.
• Init State: Hello packet received, but no 2-way communication yet. At this stage, Communication is One-way.

• 2-Way State: Bi-directional communication established (seen in DR/BDR election on broadcast/NBMA).

• ExStart State: Routers decide who will be master/slave for the database description (DBD) exchange.
• Exchange State: Routers exchange DBD packets (summaries of LSAs).
• Loading State: Routers send LSRs (Link State Requests) for missing LSAs.
• Full State: LSDBs fully synchronized between neighbors..

Router(config)# router ospf <process-id>      ! Start OSPF process (1–65535, local to router)
Router(config-router)# router-id <x.x.x.x>    ! (Optional) Set OSPF Router-ID
Router(config-router)# network <ip> <wildcard> area <area-id>   ! Advertise networks


Router(config)# router ospf 1
Router(config-router)# router-id 1.1.1.1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# network 10.0.0.0 0.0.0.3 area 0

IR1(config)# router ospf 1
R1(config-router)# network 192.168.1.1 0.0.0.0 area 0

**VS**

R1(config)# router ospf 1
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0

• Use 192.168.1.0 0.0.0.255 When enabling OSPF on all interfaces within the 192.168.1.0/24 subnet.
• Use 192.168.1.1 0.0.0.0 When enabling OSPF on a specific interface with the IP address 192.168.1.1.

Tip: To reduce manual configuration effort, use subnet-based configuration (192.168.1.0 0.0.0.255) for a larger network or dynamic environment. For specific control or precision, use interface-based configuration (192.168.1.1 0.0.0.0).

Verification Commands

show ip ospf neighbor      ! See adjacency & states
show ip ospf interface     ! Check OSPF timers, priority, area
show ip route ospf         ! Verify OSPF routes
show ip protocols          ! Protocol info & networks advertised

Configuring a Default Route in OSPF

Router(config)# router ospf 1
Router(config-router)# default-information originate always

The default-information originate always command in OSPF forces the advertisement of a default route (0.0.0.0/0) even if the router does not have a default static route in its routing table.

• Without always**:** Only advertises if the router already knows a default route.
• With always**:** Forces advertisement, even if no default exists.

OSPF on Point-to-Point Links

• Point-to-point links are direct links between two routers.
• In OSPF, point-to-point networks do not need DR/BDR elections.
• Each router advertises its connected networks via LSAs (Link-State Advertisements).

Router(config)# interface g0/0 [interface connected to the neighbor router]
Router(config-if)# ip address 10.0.0.1 255.255.255.252
Router(config-if)# ip ospf 1 area 0
Router(config-if)# ip ospf network point-to-point

CCNA OSPF Questions

B (When multiple routing protocols advertise the same destination, the router installs the route with the lowest administrative distance (AD).)

Check which routes contain 192.168.12.16

• EIGRP: 192.168.12.0/24 → range is 192.168.12.0–192.168.12.255 → ✅ contains 192.168.12.16
• RIP: 192.168.12.0/27 → range is 192.168.12.0–192.168.12.31 → ✅ contains 192.168.12.16
• OSPF: 192.168.12.0/28 → range is 192.168.12.0–192.168.12.15 → ❌ does not contain 192.168.12.16

Apply longest prefix match: 27 (RIP) is more specific than /24 (EIGRP). (Longest prefix match always wins, regardless of administrative distance.)

• EIGRP (D): 192.168.10.0/24 → 192.168.10.0 – 192.168.10.255
• RIP (R): 192.168.10.0/27 → 192.168.10.0 – 192.168.10.31
• OSPF (O): 192.168.10.0/23 → 192.168.10.0 – 192.168.11.255
• IS-IS (i L1): 192.168.10.0/13 → 192.168.8.0 – 192.168.15.255

All of these routes include 192.168.10.16. ✅

Apply the longest prefix match rule

• /13 → 8192 addresses (least specific)
• /23 → 512 addresses
• /24 → 256 addresses
• /27 → 32 addresses (most specific) Since /27 is the longest prefix (most specific match), the router will choose the RIP route.

A and D ✅ (Because both of them have the lowest administrative distance)

C. broadcast ✅ Ethernet (including FastEthernet and GigabitEthernet) interfaces, the default OSPF network type is broadcast.

D ✅ If a router has two static routes to the same destination with the same administrative distance and metric, they are considered equal-cost routes.

D ✅ The OSPF route present is 10.10.13.0/25 (via two next-hops). That covers addresses 10.10.13.0–10.10.13.127. The destination in question is 10.10.13.128/25 (addresses 10.10.13.128–10.10.13.255), which is a different /25, and no route for that network appears in the table.

A B✅

A C ✅

A ✅

A B E ✅

A C E ✅

D ✅

D E ✅

D ✅

A✅

A C✅

A ✅ The OSPF neighbors are stuck in the EXCHANGE state. This usually happens when the routers have different MTU sizes, so they cannot finish sharing database packets. Making both MTUs the same will let OSPF move to the FULL state.

C. ✅ R1 has no default route, so it can’t advertise one with default-information originate. Adding a static default (ip route 0.0.0.0 0.0.0.0 10.10.10.18Let's R1 reach the Internet and share the route with R2 and Site B.

D. ✅ Changing the interface to ip ospf network point-to-point removes the DR/BDR election and makes the adjacency form as FULL/- instead of FULL/DR.

C. ✅

C. ✅ [During adjacency formation, OSPF checks that both neighbors have the same MTU.]

D F ✅

Network 192.168.12.64 0.0.0.63 equals to network 192.168.12.64/26.

192.168.12.64(Net ID) [192.168.12.65-192.168.12.126] 192.168.12.127(Broadcast Address) (Increment: 64)

B C D✅

R2 has several possible sources for 10.1.1.0/24 (static, eBGP, OSPF, and EIGRP is misconfigured).

Cisco routers pick the route with the lowest administrative distance static route (0)

A✅

Internet: 10.10.10.16, 10.10.13.129, 10.10.100.128

Router1: 10.10.13.1, 10.10.13.150

Why: Router2 has OSPF routes only for 10.10.13.0/25 and 10.10.13.144/28 (to Router1). Addresses outside those (10.10.10.16, 10.10.13.129, 10.10.100.128) match no specific route, so they go via the default route to the Internet (0.0.0.0/0 → 10.10.10.13).

D✅

🔑 Easy Trick:

1. Look at the lowest subnet

   → Here it’s 10.1.40.0/25.

2. Look at the highest subnet

   → Here it’s 10.1.41.224/29.

3. Find the smallest network that covers from lowest to highest:

   • Lowest = 10.1.40.x

   • Highest = 10.1.41.x

     👉 Both fall under 10.1.40.0/23.

4. Check the options

   • Only /23 includes both 10.1.40.x and 10.1.41.x.

A and D have MTU mismatches (1400 vs 1500) — risky for adjacency/DBD.

Option B:

• The commands are presented in a scrambled/incorrect place (some ip ospf priority/router-id appear under the wrong context), so it’s not a clean, valid interface-level OSPF config even though it tries to make R14 the DR.

C✅

• A: MTU mismatch (R86 uses MTU 1400) — can break adjacency/DBD exchange.
• B: The commands are presented in a scrambled/incorrect place (some ip ospf priority/router-id appear under the wrong context), so it’s not a clean, valid interface-level OSPF config even though it tries to make R14 the DR.
• C: R14 is set to priority 0 (cannot become DR), so it cannot be the central point.

D✅

Single Area OSPF Configuration

In this scenario, we will configure an OSPF Single Area (Area 0) Configuration for an enterprise setup with a central data center and two branch offices.

Key Components:

• IQ Sulaymaniyah Data Center: Hosts an ERP web server, a switch, and IQSUL-DC1-RT1, which connects to the Internet and branches via IQ-Core-RT1.
• IQ Core Router (IQ-Core-RT1): The main hub, linking the data center to branches using /30 P2P connections.
• IQ Large Branch: Has two routers (LB-RT1 & LB-RT2) for redundancy, with 10.20.1.0/24 and 10.20.2.0/24 subnets for end-user PCs.
• IQ Small Branch: Uses IQSUL-SB-RT1 and the 10.20.3.0/24 subnet for local PCs.

Basic IP Configuration

End-Point Devices IP configuration (VPC)

LB-PC1> ip 10.20.1.2 255.255.255.0 10.20.1.1
LB-PC1> save



LB-PC2> ip 10.20.2.2 255.255.255.0 10.20.2.1
LB-PC2> save



SB-PC1> ip 10.20.3.2 255.255.255.0 10.20.3.1
SB-PC1> save

IQ Large Branch Routers IP Configuration

IQSUL-LB-RT1#
IQSUL-LB-RT1#conf t
IQSUL-LB-RT1(config)#int fa0/0
IQSUL-LB-RT1(config-if)#ip add 10.20.1.1 255.255.255.0
IQSUL-LB-RT1(config-if)#no shut
IQSUL-LB-RT1(config-if)#exit
IQSUL-LB-RT1(config)#int fa 1/0 
IQSUL-LB-RT1(config-if)#ip add 10.1.1.1 255.255.255.252
IQSUL-LB-RT1(config-if)#no shut
IQSUL-LB-RT1(config-if)#exit
IQSUL-LB-RT1(config)#exit
IQSUL-LB-RT1#wr

IQSUL-LB-RT2#
IQSUL-LB-RT2#conf t
IQSUL-LB-RT2(config)#int fa0/0
IQSUL-LB-RT2(config-if)#ip add 10.20.2.1 255.255.255.0 
IQSUL-LB-RT2(config-if)#no shut
IQSUL-LB-RT2(config-if)#exit


IQSUL-LB-RT2(config)#int fa1/0
IQSUL-LB-RT2(config-if)#ip add 10.1.2.1 255.255.255.252 
IQSUL-LB-RT2(config-if)#no shut 
IQSUL-LB-RT2(config-if)#exit
IQSUL-LB-RT2(config)#exit
IQSUL-LB-RT2#wr

IQ Large Branch Routers IP Configuration

IQSUL-SB-RT1#conf t
IQSUL-SB-RT1(config)#int fa0/0
IQSUL-SB-RT1(config-if)#ip add 10.20.3.1 255.255.255.0 
IQSUL-SB-RT1(config-if)#no shut
IQSUL-SB-RT1(config-if)#exit   
IQSUL-SB-RT1(config)#int fa1/0
IQSUL-SB-RT1(config-if)#ip add 10.1.3.1 255.255.255.252 
IQSUL-SB-RT1(config-if)#no shut
IQSUL-SB-RT1(config-if)#exit
IQSUL-SB-RT1(config)#exit
IQSUL-SB-RT1#wr

IQ Core Router IP Configuration

IQ-Core-RT1#conf t 
IQ-Core-RT1(config)#int fa 0/0
IQ-Core-RT1(config-if)#ip add 10.1.1.2 255.255.255.252 
IQ-Core-RT1(config-if)#no shut
IQ-Core-RT1(config-if)#exit

IQ-Core-RT1(config)#int fa 3/0
IQ-Core-RT1(config-if)#ip add 10.1.2.2 255.255.255.252 
IQ-Core-RT1(config-if)#no shut
IQ-Core-RT1(config-if)#exit

IQ-Core-RT1(config)#int fa1/0 
IQ-Core-RT1(config-if)#ip add 10.1.3.2 255.255.255.252 
IQ-Core-RT1(config-if)#no shut
IQ-Core-RT1(config-if)#exit

IQ-Core-RT1(config)#int fa2/0
IQ-Core-RT1(config-if)#ip add 10.1.4.1 255.255.255.252 
IQ-Core-RT1(config-if)#no shut

IQ-Core-RT1(config)#exit
IQ-Core-RT1#wr

IQ Data Center Router IP Configuration

IQSUL-DC1-RT1#conf t 
IQSUL-DC1-RT1(config)#int fa 1/0
IQSUL-DC1-RT1(config-if)#ip add 10.1.4.2 255.255.255.252
IQSUL-DC1-RT1(config-if)#no shut
IQSUL-DC1-RT1(config)#int fa 2/0
IQSUL-DC1-RT1(config-if)#ip add 10.1.5.2 255.255.255.252 
IQSUL-DC1-RT1(config-if)#no shut
IQSUL-DC1-RT1(config-if)#exit
IQSUL-DC1-RT1(config)#int fa0/0 
IQSUL-DC1-RT1(config-if)#ip add 10.1.6.1 255.255.255.248 
IQSUL-DC1-RT1(config-if)#no shut
IQSUL-DC1-RT1(config-if)#exit
IQSUL-DC1-RT1(config)#exit
IQSUL-DC1-RT1#wr

Internet#conf t 
Internet(config)#int fa0/0
Internet(config-if)#ip add 10.1.5.1 255.255.255.252 
Internet(config-if)#no shut
Internet(config-if)#exit
Internet(config)#exi

IQ Web Server IP Configuration

IQSUL-DC1-WEB1#conf t 
IQSUL-DC1-WEB1(config)#int fa0/0 
IQSUL-DC1-WEB1(config-if)#ip add 10.1.6.2 255.255.255.248 
IQSUL-DC1-WEB1(config-if)#no shut
IQSUL-DC1-WEB1(config-if)#exit
IQSUL-DC1-WEB1(config)#exit
IQSUL-DC1-WEB1#wr

OSPF Configuration

IQ Large Branch OSPF Configuration

IQSUL-LB-RT1#conf t
IQSUL-LB-RT1(config)#
IQSUL-LB-RT1(config)#router ospf 1
IQSUL-LB-RT1(config-router)#router-id 1.1.1.1
IQSUL-LB-RT1(config-router)#network 10.20.1.0 0.0.0.255 area 0
IQSUL-LB-RT1(config-router)#network 10.1.1.1 0.0.0.0 area 0
IQSUL-LB-RT1(config-router)#passive-interface fa0/0
IQSUL-LB-RT1(config-router)#exit
IQSUL-LB-RT1(config)#exit
IQSUL-LB-RT1#wr

IQSUL-LB-RT2#conf t
IQSUL-LB-RT2(config)#
IQSUL-LB-RT2(config)#router ospf 1 
IQSUL-LB-RT2(config-router)#router-id 2.2.2.2 
IQSUL-LB-RT2(config-router)#network 10.20.2.0 0.0.0.255 area 0
IQSUL-LB-RT2(config-router)#network 10.1.2.1 0.0.0.0 area 0
IQSUL-LB-RT2(config-router)#passive-interface fa0/0
IQSUL-LB-RT2(config-router)#exit
IQSUL-LB-RT2(config)#exit
IQSUL-LB-RT2#exit 
IQSUL-LB-RT2#wr

IQ Small Branch Routers OSPF Configuration

IQSUL-SB-RT1#conf t
IQSUL-SB-RT1(config)#
IQSUL-SB-RT1(config)#router ospf 1
IQSUL-SB-RT1(config-router)#router-id 3.3.3.3
IQSUL-SB-RT1(config-router)#network 10.20.3.0 0.0.0.255 area 0 
IQSUL-SB-RT1(config-router)#network 10.1.3.1 0.0.0.0  area 0
IQSUL-SB-RT1(config-router)#passive-interface fa0/0
IQSUL-SB-RT1(config-router)#exit
IQSUL-SB-RT1(config)#exit
IQSUL-SB-RT1#
IQSUL-SB-RT1#wr

IQ Core Router OSPF Configuration

IQ-Core-RT1#
IQ-Core-RT1#conf t 
IQ-Core-RT1(config)#int fa0/0
IQ-Core-RT1(config-if)#ip ospf priority 200
IQ-Core-RT1(config)#int fa3/0
IQ-Core-RT1(config-if)#ip ospf priority 200
IQ-Core-RT1(config-if)#exit
IQ-Core-RT1(config)#in fa1/0
IQ-Core-RT1(config-if)#ip ospf priority 200
IQ-Core-RT1(config-if)#exit
IQ-Core-RT1(config)#in fa2/0
IQ-Core-RT1(config-if)#ip ospf priority 200
IQ-Core-RT1(config-if)#exit
IQ-Core-RT1(config)#exit
IQ-Core-RT1#wr

IQ-Core-RT1#conf t
IQ-Core-RT1(config)#
IQ-Core-RT1(config)#router ospf 1
IQ-Core-RT1(config-router)#router-id 10.10.10.10
IQ-Core-RT1(config-router)#network 10.1.1.2 0.0.0.0 area 0
IQ-Core-RT1(config-router)#network 10.1.2.2 0.0.0.0 area 0
IQ-Core-RT1(config-router)#network 10.1.3.2 0.0.0.0 area 0
IQ-Core-RT1(config-router)#network 10.1.4.1 0.0.0.0 area 0
IQ-Core-RT1(config-router)#exit
IQ-Core-RT1(config)#EXIT
IQ-Core-RT1#clear ip ospf proces

IQ Data Center Router OSPF Configuration

IQSUL-DC1-RT1#
IQSUL-DC1-RT1#conf t
IQSUL-DC1-RT1(config)#router ospf 1
IQSUL-DC1-RT1(config-router)#router-id 6.6.6.6
IQSUL-DC1-RT1(config-router)#network 10.1.4.2 0.0.0.0 area 0 
IQSUL-DC1-RT1(config-router)#network 10.1.5.2 0.0.0.0 area 0
IQSUL-DC1-RT1(config-router)#network 10.1.6.0 0.0.0.7 area 0
IQSUL-DC1-RT1(config-router)#passive-interface fa0/0
IQSUL-DC1-RT1(config-router)#exit
IQSUL-DC1-RT1(config)#exit
IQSUL-DC1-RT1#exit

debug ip icmp debug ip packet detail

Multi-Area OSPF Configuration

In this scenario, we will configure a multi-area OSPF network within a single autonomous system for a travel technology company.

• Area 0 (Backbone): Connects all areas and external networks.
• Area 4 (Dev & IT): Hosts development resources and IT infrastructure.
• Area 8 (Booking & API Servers): Houses critical booking and payment servers.
• Area 26 (Customer Support): Manages customer support operations.

Basic IP Configuration

Core Routers IP Configuration

Core-RT1#conf t                       
Core-RT1(config)#int fa0/0
Core-RT1(config-if)#ip add 10.1.1.2 255.255.255.252
Core-RT1(config-if)#no shut
Core-RT1(config-if)#exit

Core-RT1(config)#int fa1/0
Core-RT1(config-if)#ip add 10.1.3.1 255.255.255.252 
Core-RT1(config-if)#no shut
Core-RT1(config-if)#exit

Core-RT1(config)#int fa2/0
Core-RT1(config-if)#ip add 10.10.1.1 255.255.255.252 
Core-RT1(config-if)#no shut


Core-RT1(config-if)#exit
Core-RT1(config)#exit
Core-RT1#wr

Core-RT2#conf t
Core-RT2(config)#int fa0/0
Core-RT2(config-if)#ip add 10.1.3.2 255.255.255.252
Core-RT2(config-if)#no shu

Core-RT2(config-if)#exit
Core-RT2(config)#int fa1/0
Core-RT2(config-if)#ip add 10.1.2.2 255.255.255.252 
Core-RT2(config-if)#no shut
Core-RT2(config-if)#exit

Core-RT2(config)#int fa2/0
Core-RT2(config-if)#ip add  10.10.2.1 255.255.255.0 
Core-RT2(config-if)#no shut
Core-RT2(config-if)#exit
Core-RT2(config)#exit
Core-RT2#wr

Area Border Router (ABR) IP Configuration

ABR1#conf t
ABR1(config)#int fa0/0 
ABR1(config-if)#ip add 10.1.7.2 255.255.255.252
ABR1(config-if)#no shut
ABR1(config-if)#exit

ABR1(config)#int fa1/0
ABR1(config-if)#ip add 10.1.6.2 255.255.255.252
ABR1(config-if)#no shut
ABR1(config-if)#exit
ABR1(config)#int fa2/0
ABR1(config-if)#ip add 10.1.1.1 255.255.255.252 
ABR1(config-if)#no shut
ABR1(config-if)#exit
ABR1(config)#exit
ABR1#wr

ARB2(config)#int fa1/0
ARB2(config-if)#ip add 10.1.2.1 255.255.255.252 
ARB2(config-if)#no shut
ARB2(config-if)#exit

ARB2(config)#int fa0/0
ARB2(config-if)#ip add 10.1.5.2 255.255.255.252
ARB2(config-if)#no shut
ARB2(config-if)#exit
ARB2(config)#exit
ARB2#wr

Autonomous System Border Router (ASBR) IP Configuration

ASBR1(config)#int fa1/0
ASBR1(config-if)#ip add 10.10.2.2 255.255.255.252
ASBR1(config-if)#no shut 
ASBR1(config-if)#exit
ASBR1(config)#int fa0/0
ASBR1(config-if)#ip add 10.10.1.2 255.255.255.252
ASBR1(config-if)#no shut
ASBR1(config-if)#exit
ASBR1(config)#exit
ASBR1#wr

Support Router and End-Device IP Configuration

Support-RT1#conf t
Support-RT1(config)#int fa0/0
Support-RT1(config-if)#ip add 10.1.5.1 255.255.255.252
Support-RT1(config-if)#no shut
Support-RT1(config-if)#exit
Support-RT1(config)#int fa1/0
Support-RT1(config-if)#ip add 172.16.1.1 255.255.255.0
Support-RT1(config-if)#no shut
Support-RT1(config-if)#exit
Support-RT1(config)#exit
Support-RT1#q 
Support-RT1#wr

Support-PC01> ip 172.16.1.2/24 172.16.1.1
Support-PC01> save

Booking Router and End-Device IP Configuration

Booking-RT1#conf t
Booking-RT1(config)#int fa0/0
Booking-RT1(config-if)#ip add 10.1.6.1 255.255.255.252 
Booking-RT1(config-if)#no shut
Booking-RT1(config-if)#exit
Booking-RT1(config)#int f1/0
Booking-RT1(config-if)#ip add 172.16.2.1 255.255.255.0  
Booking-RT1(config-if)#no shut
Booking-RT1(config-if)#exit
Booking-RT1(config)#exit
Booking-RT1#wr

API-SRV> ip 172.16.2.2/24 172.16.2.1
API-SRV> save

PAY-SRV> ip 172.16.2.3/24 172.16.1.1
PAY-SRV> save

DEV&IT Router and End-Device IP Configuration

DEVOPS-RT1#conf t                      
DEVOPS-RT1(config)#int fa0/0
DEVOPS-RT1(config-if)#ip add 10.1.7.1 255.255.255.252
DEVOPS-RT1(config-if)#no shut
DEVOPS-RT1(config-if)#exit

DEVOPS-RT1(config)#int fa1/0
DEVOPS-RT1(config-if)#ip add 172.16.3.1 255.255.255.0
DEVOPS-RT1(config-if)#no shut
DEVOPS-RT1(config-if)#exit
DEVOPS-RT1(config)#exit
DEVOPS-RT1#wr

IT-PC01> ip 172.16.3.2/24 172.16.3.1
IT-PC01> save

OSPF Configuration

Area Border Router (ABR) 1 OSPF Configuration

ABR1(config)#router ospf 10
ABR1(config-router)#router-id 12.12.12.12 
ABR1(config-router)#network 10.1.7.2 0.0.0.0 area 4
ABR1(config-router)#network 10.1.6.2 0.0.0.0 area 8
ABR1(config-router)#network 10.1.1.1 0.0.0.0 area 0
ABR1(config-router)#exit
ABR1(config)#exit
ABR1#wr

DEV&IT Router OSPF Configuration

DEVOPS-RT1#conf t
DEVOPS-RT1(config)#router ospf 1
DEVOPS-RT1(config-router)#router-id 4.4.4.4
DEVOPS-RT1(config-router)#network 10.1.7.1 0.0.0.0 area 4
DEVOPS-RT1(config-router)#network 172.16.3.0 0.0.0.255 area 4
DEVOPS-RT1(config-router)#passive-interface fa1/0
DEVOPS-RT1(config-router)#exit
DEVOPS-RT1(config)#exit
DEVOPS-RT1#wr

Booking Router OSPF Configuration

Booking-RT1(config)#router ospf 8
Booking-RT1(config-router)#router-id 8.8.8.8
Booking-RT1(config-router)#network 10.1.6.1 0.0.0.0 area 8
Booking-RT1(config-router)#network 172.16.2.0 0.0.0.255 area 8
Booking-RT1(config-router)#passive-interface fa1/0
Booking-RT1(config-router)#exit
Booking-RT1(config)#exit
Booking-RT1#wr

Area Border Router (ABR) 2 OSPF Configuration

ARB2(config)#router ospf 11
ARB2(config-router)#router-id 12.12.12.12
ARB2(config-router)#network 10.1.2.1 0.0.0.0 area 0
ARB2(config-router)# network 10.1.5.2 0.0.0.0 area 26 
ARB2(config-router)#exit              
ARB2(config)#exit
ARB2#wr

Support Router OSPF Configuration

Support-RT1(config)#router ospf 26
Support-RT1(config-router)#router-id 9.9.9.9 
Support-RT1(config-router)#network 10.1.5.1 0.0.0.0 area 26
Support-RT1(config-router)#network 172.16.1.0  0.0.0.255 area 26
Support-RT1(config-router)#passive-interface fa1/0
Support-RT1(config-router)#exit
Support-RT1(config)#exit
Support-RT1#

Core Routers OSPF Configuration

Core-RT1(config)#router ospf 5
Core-RT1(config-router)#router-id 3.3.3.3
Core-RT1(config-router)#network 10.1.1.2 0.0.0.0 area 0   
Core-RT1(config-router)#network 10.1.3.1 0.0.0.0 area 0 
Core-RT1(config-router)#network 10.10.1.1 0.0.0.0 area 0 
Core-RT1(config-router)#exit
Core-RT1(config)#exit

Core-RT2#conf t
Core-RT2(config)#router ospf 6
Core-RT2(config-router)#router-id 2.2.2.2
Core-RT2(config-router)#network 10.1.3.2 0.0.0.0 area 0
Core-RT2(config-router)#network 10.1.2.2 0.0.0.0 area 0
Core-RT2(config-router)#network 10.1.2.2 0.0.0.0 area 0
Core-RT2(config-router)#exit
Core-RT2(config)#exit
Core-RT2#

Verify OSPF Configuration

R#show ip ospf neighbor
R# show ip ospf neighbor detail

R#show ip ospf interface brief

R# debug ip ospf adj

R# debug ip ospf ?

LAB

OSPF configuration Single Area

R1(confgi)# router ospf 1[process id] 
R1(config-router)# network 192.168.0.0 0.0.0.255 [wildcard mask] area 0 [backbone area]
R1(config-router)# network 192.168.1.0 0.0.0.255 [wildcard mask] area 0



R2(confgi)# router ospf 1[process id] 
R2(config-router)# network 192.168.1.0 0.0.0.255 [wildcard mask] area 0 [backbone area]
R2(config-router)# network 192.168.2.0 0.0.0.255 [wildcard mask] area 0

.

R1(confgi)# show ip ospf interface

.

As you can see, The router connected into two interfaces[192.168.0.10-192.168.1.10] highest IP address elected as a router ID 192.168.1.10 is the router ID.

Also selected as a DR and the another router selected as a BDR

Router#show ip ospf neighbor

Implementing Single Area cost

To know which path used by the OSPF to send data to other computer we use the command below on the on PC0

.

tracert [ip]

We using exit ports to count cost

Note: as you can see the cost of Fast Ethernet =1 and the summation of all existing interfaces = 4 but cost of Ethernet = 10 + 3 Fast Ethernet = 13 not acceptable by OSPF.

DR and BDR Election

💡 In this example, Router ID is not configured and the IP Address of the router is defined as a Router ID

• Using this command below you could track every step of the process of the election

Router#debug ip ospf adj

The highest IP address was elected as DR and the second Highest IP address was elected as BDR.

When Router is configured OSPF protocol elects the highest ID as a DR and the second Highest as a BDR.

Multi-Area OSPF Configuration

.

At first, adding both two areas to the R1 and setting a higher router Id to become Designated Router (RD)

After OSPF configuration was added to the topology, a static route was applied between these two routers:

Now after adding the default route pc can't reach 8.8.8.8 defined as an internet

The reason for the unreachable is that the no default route add to the OSPF routing table

Router(config)#router ospf 1
Router(config-router)#default-information originate

use the command to automatically share the default route with other OSPF routers

Note: in packet tracer, only default-information originate working but at EVE you can use extra commands

it is better to use always with this command, which always means if the connection drops the default route continuously routing the default route.

then open one of the OSPF routers you and enter show ip route

As you can see, Default Route was added to the routing table through OSPF as an external network.

Dynamic Addressing with DHCP

Dynamic Addressing with DHCP

DHCP(Dynamic Host Configuration Protocol) is a network protocol that is used to assign unique IP address to a network devices.

DHCP is a client-server protocol. A Client DHCP is a device that configured to use DHCP Services From DHCP Server. A DHCP Server maintains a pool of available IP addresses and assign them to hosts.

DHCP is generally the preferred method of assigning IPv4 addresses to hosts on large networks because it reduces the burden on network support staff and virtually eliminates entry errors.

Another benefit of DHCP is that an address is not permanently assigned to a host but is only leased for a period of time. If the host is powered down or taken off the network, the address is returned to the pool for reuse. This is especially useful with mobile users that can come and go on a network.

Lease time in DHCP refers to the amount of time that a DHCP server assigns an IP address to a client device. During this time, the client can use the assigned IP address without needing to request a new one. Once the lease expires, the client must either renew the lease or request a new IP address from the server.

💡 The wireless Router is both DHCP Server-Client, acts as a client to receive its IPv4 configuration from the ISP, and then acts as a DHCP server for internal hosts on the local network.

1. A DHCP Client sends a (DHCP Discover) to discover DHCP servers on the LAN network. DHCP Discover is a broadcast packet with a Destination IPV4 address of 255.255.255.255 and a Destination MAC address of FF:FF:FF:FF:FF:FF.
2. A DHCP Server receives the DHCP Discover packet and responds with DHCP offer packets, offering IP addressing information.
3. If the client receives the DHCP offer packets from multiple DHCP servers, the first DHCP offer is accepted. the client responds by broadcasting a DHCP Request packet.
4. The DHCP server approves the lease with a DHCP acknowledgment packet, which includes lease duration and other configuration information.

Which DHCPv4 message will a client send to accept an IPv4 address that is offered by a DHCP server?

• Broadcast DHCPREQUEST

Which three statements describe a DHCP Discover message? (Choose three.)

• The destination IP address is 255.255.255.255.
• The message comes from a client seeking an IP address.
• All hosts receive the message, but only a DHCP server replies.

DHCP Relay agent

When a device is configured as a Dynamic Host Configuration Protocol (DHCP) client, it sends a broadcast packet to discover DHCP servers on the network. Routers don't forward broadcast packets by default. If the DHCP server is on a different network from the DHCP clients, it won't receive the DHCP discover packets from the clients.

R2 can be configured as a DHCP Server, but R1 doesn't forward the DHCP Discover to the DHCP Server. We can configure R1 as a DHCP Relay Agent to forward DHCP Client packets to the DHCP Server. IP helper-address (IP of DHCP Server). Apply this command on the R1 Router interface connected to the DHCP Client

R1(config-if)#ip helper-address 172.16.0.2

💡 If your DHCP server is on another network, configure the interface closest to clients

To verify a DHCP relay agent

show ip helper-address

DHCP Server Configuration Commands

# Step 1: Exclude addresses (gateway + reserved IPs)
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10

# Step 2: Create a DHCP pool
Router(config)# ip dhcp pool LAN-POOL

# Step 3: Define network and mask
Router(dhcp-config)# network 192.168.1.0 255.255.255.0

# Step 4: Define default gateway
Router(dhcp-config)# default-router 192.168.1.1

# Step 5: Define DNS server
Router(dhcp-config)# dns-server 8.8.8.8

# Step 6 (optional): Domain name
Router(dhcp-config)# domain-name ccna.local

# Step 7 (optional): Lease time (days hours minutes)
Router(dhcp-config)# lease 0 12 0
Router(dhcp-config)# exit
Router(config)# end

Router# show ip dhcp binding       # See which clients got IPs
Router# show ip dhcp pool          # Check pool statistics
Router# debug ip dhcp server events  # Debug DHCP process

DHCP Lab

DHCP Server and Relay Agent Configuration

In this scenario, we will configure a DHCP server for a company with three departments, each of which has its own subnet and connects to a departmental router.

IP configuration

Core router

Router>enable
Router#configure terminal
Router(config)#hostname Core-R01
Core-R01(config)# banner motd $This Router has been set up as core router$  
Core-R01(config)#int fa 1/0
Core-R01(config-if)#ip address 192.168.1.6 255.255.255.252
Core-R01(config-if)#no shutdown
Core-R01(config-if)#exit
Core-R01(config)#int fa 2/0 
Core-R01(config-if)#ip address 192.168.1.10 255.255.255.252
Core-R01(config-if)#no shutdown
Core-R01(config-if)#exit
Core-R01(config)#int fa 3/0
Core-R01(config-if)#ip address 192.168.1.14 255.255.255.252
Core-R01(config-if)#no shutdown
Core-R01(config-if)#exit
Core-R01(config)#int fa 0/0
Core-R01(config-if)#ip address 192.168.1.2 255.255.255.252
Core-R01(config-if)#no shutdown
Core-R01(config-if)#exit

Marketing router

Router>enable
Router#configure terminal
Router(config)#hostname Marketing-R01
Marketing-R01(config)# banner motd $This Router has been setup for the marketing department$  
Marketing-R01(config)#int fa 1/0
Marketing-R01(config-if)#ip address 10.0.0.1 255.0.0.0
Marketing-R01(config-if)#no shutdown
Marketing-R01(config-if)#exit
Marketing-R01(config)#int fa 0/0
Marketing-R01(config-if)#ip address 192.168.1.1 255.255.255.252
Marketing-R01(config-if)#no shutdown
Marketing-R01(config-if)#exit

Sales router

Router>enable
Router#configure terminal
Router(config)#hostname Sales-R01
Sales-R01(config)# banner motd $This Router has been set up for the sales department$  
Sales-R01(config)#int fa 1/0
Sales-R01(config-if)#ip address 192.168.1.5 255.255.255.252
Sales-R01(config-if)#no shutdown
Sales-R01(config-if)#exit
Sales-R01(config)#int fa 0/0
Sales-R01(config-if)#ip address 20.0.0.1 255.0.0.0 
Sales-R01(config-if)#no shutdown
Sales-R01(config-if)#exit

Finance router

Router>enable
Router#configure terminal
Router(config)#hostname Finance-R01
Finance-R01(config)# banner motd $This Router has been set up for the finance department$  
Finance-R01(config)#int fa 1/0
Finance-R01(config-if)#ip address 192.168.1.9 255.255.255.252
Finance-R01(config-if)#no shutdown
Finance-R01(config-if)#exit
Finance-R01(config)#int fa 0/0
Finance-R01(config-if)#ip address 20.0.0.1 255.0.0.0 
Finance-R01(config-if)#no shutdown
Finance-R01(config-if)#exit

Configuring RIP routing

Core router

Core-R01#conf t
Core-R01(config)#router rip 
Core-R01(config-router)#network 192.168.1.0
Core-R01(config-router)#network 192.168.4.0
Core-R01(config-router)#network 192.168.8.0
Core-R01(config-router)#no auto-summary
Core-R01(config-router)#exit
Core-R01#wr

Marketing router

Marketing-R01(config)#router rip
Marketing-R01(config-router)#network 10.0.0.0
Marketing-R01(config-router)#network 192.168.1.0
Marketing-R01(config-router)#no auto-summary

Sales router

Sales-R01#conf t
Sales-R01(config)#router rip 
Sales-R01(config-router)#network 192.168.1.4
Sales-R01(config-router)#network 20.0.0.0
Sales-R01(config-router)#no auto-summary 
Sales-R01(config)#exit
Sales-R01#wr

Finance router

Finance-R01#conf t
Finance-R01(config)#router rip
Finance-R01(config-router)#network 192.168.1.8
Finance-R01(config-router)#network 30.0.0.0  
Finance-R01(config-router)#no auto-summary
Finance-R01(config)#exit
Finance-R01#wr

Assigning a static IP to the DHCP server

Before we configure the DHCP service on the server, we have to assign a static IP address to the server.

Router>ena
Router#conf t
Router(config)#hostname DHCP-Server 
DHCP-Server(config)#int fa 0/0
DHCP-Server(config-if)#ip address 192.168.1.13 255.255.255.252
DHCP-Server(config-if)#no shutdown 
DHCP-Server(config)#exit
DHCP-Server#wr

Enabling and Configuring DHCP Service on the Server

Create DHCP Pools for Subnets and assign one pool to each subnet.

DHCP-Server#conf t
DHCP-Server(config)#ip dhcp pool marketing-pool
DHCP-Server(dhcp-config)#network 10.0.0.0 255.0.0.0
DHCP-Server(dhcp-config)#dns-server 8.8.8.8
DHCP-Server(dhcp-config)#domain-name rebar.it
DHCP-Server(dhcp-config)#default-router 10.0.0.1


DHCP-Server(config)# ip dhcp pool sales-pool
DHCP-Server(dhcp-config)#network 20.0.0.0 255.0.0.0 
DHCP-Server(dhcp-config)#dns-server 8.8.8.8
DHCP-Server(dhcp-config)#domain-name rebar.it
DHCP-Server(dhcp-config)#default-router 20.0.0.1


DHCP-Server(config)#ip dhcp pool finance-pool
DHCP-Server(dhcp-config)#network 30.0.0.0 255.0.0.0 
DHCP-Server(dhcp-config)#dns-server 8.8.8.8
DHCP-Server(dhcp-config)#domain-name rebar.it
DHCP-Server(dhcp-config)#default-router 30.0.0.1

• Each DHCP pool is usually associated with a specific subnet.
• When a client sends a DHCP request, the router or DHCP server checks the source IP subnet (if relay is used) or the incoming interface to determine which pool to use.
• The DHCP pool that matches the subnet of the incoming request is used.

Configure routers to act as DHCP relay agents.

Configure the DHCP relay agent on the router interface directly connected to the local subnet.

Marketing Router

Marketing-R01#conf t
Marketing-R01(config)#int fa 1/0
Marketing-R01(config-if)#ip helper-address 192.168.1.13
Marketing-R01(config-if)#exit

Sales Router

Sales-R01#conf t
Sales-R01(config)#int fa 0/0
Sales-R01(config-if)#ip helper-address 192.168.1.13
Sales-R01(config-if)#exit

Finance Router

Finance-R01#conf t
Finance-R01(config)#int fa 0/0
Finance-R01(config-if)#ip helper-address 192.168.1.13
Finance-R01(config-if)#exit

💡 Put the helper on the router interface that is the client’s default gateway (the access/branch router facing each department).

Verifying DHCP relay

To verify that the DHCP Service is working and each Client Received an IP address from the DHCP Pool, go to the client device and write in the terminal the command below:

C:\Users\AB>ipconfig /all

As you can see, devices from different departments or subnets have successfully obtained IP addresses from the DHCP Server.

DHCP Server Verification

To verify which IP addresses have been assigned to devices, use the following command:

DHCP-Server#show ip dhcp  binding

To get more information about DHCP Server, use the following command:

DHCP-Server#show ip dhcp  server  statistics

To check the DHCP Server to find out and detect any IP address conflict, use the following command:

DHCP-Server#show ip dhcp conflict

As you can see, we encountered two issues with these subnets because we're using these IP addresses statically and configured them as default gateways for each subnet.

To resolve this issue, use the following command to exclude these IP addresses from the DHCP Server Pool range:

DHCP-Server(config)# ip dhcp excluded-address (Ip of range of Ip)
DHCP-Server(config)# ip dhcp excluded-address  192.168.2.1 192.168.2.10
DHCP-Server(config)##ip dhcp excluded-address  203.0.113.1

💡 I suggest leaving at least the first of 10 IPs of each subnet for devices that require a static IP, such as printers or servers, .etc.

For our lab use the following command:

DHCP-Server(config)# ip dhcp excluded-address 20.0.0.1
DHCP-Server(config)# ip dhcp excluded-address 30.0.0.1

After choking the server again, no conflict is displayed.

DCHP Questions