
CCNA 3.0 Instructor Resource Document
Section 1

IP Addressing
Table of Contents

IP ADDRESSING ............................................................................................................... 1
OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
1.1 IPV4 ADDRESSING ...................................................................................................................................... 5
1.1.1 Internet's address architecture ............................................................................................................. 5
1.1.2 Classes of IP addresses........................................................................................................................ 6
1.1.3 Classes of IP addresses (cont.) ............................................................................................ 8
1.1.4 Subnet masking ................................................................................................................................... 9
1.2 IP ADDRESSING CRISIS AND SOLUTIONS ...................................................................................................... 12
1.2.1 IP addressing crisis ........................................................................................................................... 12
1.2.2 Classless Interdomain Routing (CIDR) ............................................................................................... 13
1.2.3 Route aggregation and supernetting ................................................................................................... 14
1.2.4 Supernetting and address allocation ................................................................................................... 16
1.3 VLSM..................................................................................................................................................... 18
1.3.1 Variable-Length Subnet Masks ........................................................................................................... 18
1.3.2 Classless and classful routing protocols .............................................................................................. 21
1.4 ROUTE SUMMARIZATION ........................................................................................................................... 23
1.4.1 An overview of route summarization ................................................................................................... 23
1.4.2 Route flapping .................................................................................................................................. 24
1.5 PRIVATE ADDRESSING AND NAT ................................................................................................................ 25
1.5.1 Private IP addresses (RFC 1918) ....................................................................................................... 25
1.5.2 Discontiguous subnets ....................................................................................................................... 27
1.5.3 Network Address Translation (NAT) ................................................................................................... 28
1.6 IP UNNUMBERED ..................................................................................................................................... 29
1.6.1 Using IP unnumbered........................................................................................................................ 29
1.7 DHCP AND EASY IP ................................................................................................................................. 31
1.7.1 DHCP overview ................................................................................................................................ 31
1.7.2 DHCP operation ...............................................................................................................................33
1.7.3 Configuring IOS DHCP server ........................................................................................................... 34
1.7.4 Easy IP ............................................................................................................................................ 36
1.8 HELPER ADDRESSES ................................................................................................................................. 38
1.8.1 Using helper addresses...................................................................................................................... 38
1.8.2 Configuring IP helper addresses ........................................................................................................ 39
1.8.3 IP helper address example ................................................................................................................. 40
1.9 IPV6 ....................................................................................................................................................... 42
1.9.1 IP address issues solutions................................................................................................................. 42
1.9.2 IPv6 address format .......................................................................................................................... 43
1.10 ADVANCED IP ADDRESSING MANAGEMENT LAB EXERCISES ....................................................................... 46
1.10.1 Configuring VLSM and IP Unnumbered............................................................................................ 46
1.10.2 VLSM ............................................................................................................................................. 46
1.10.3 Using DHCP and IP Helper Addresses ............................................................................................. 46
SUMMARY ..................................................................................................................................................... 47

1-2 Routing Section 1: IP Addressing Copyright © 2002, Cisco Systems, Inc.


Overview
A scalable network requires an addressing scheme that allows for growth. As
new nodes and networks are added to the enterprise, existing addresses may need
to be reassigned, enlarged routing tables may slow down routers, and the supply
of available addresses may run out. These unpleasant consequences can be
avoided with a careful plan and deployment of a scalable network-addressing
system.
Although network designers can choose among many different network
protocols and address schemes, the emergence of the Internet and its
nonproprietary protocol, TCP/IP, has meant that virtually every enterprise must
implement an IP addressing scheme. Companies such as Apple and Novell have
recently migrated away from their proprietary protocols to TCP/IP as their
network software. Many organizations opt to run TCP/IP as the only routed
protocol on their network. The bottom line is that today's administrators must
find ways to scale their networks by using IP addressing.
Unfortunately, the architects of TCP/IP could not have predicted that their
protocol would eventually sustain a global network of information, commerce,
and entertainment. Twenty years ago, IP version 4 (IPv4) offered an addressing
strategy that, although scalable for a time, resulted in an inefficient allocation of
addresses. Over the past two decades, engineers have successfully modified IPv4
so that it could survive the Internet's exponential growth. Meanwhile, an even
more extensible and scalable version of IP, IP version 6 (IPv6), has been defined
and developed. Today IPv6 is slowly being implemented in select networks.
Eventually, IPv6 may replace IPv4 as the Internet's dominant protocol.
This chapter explores the evolution and extension of IPv4, including the key
scalability features that engineers have added over the years: subnetting,
classless interdomain routing (CIDR), variable-length subnet masking (VLSM),
and route summarization. Finally, this chapter examines advanced IP
implementation techniques, such as IP unnumbered, Dynamic Host
Configuration Protocol (DHCP), and helper addresses.



Objectives
After completing this chapter, the student will be able to perform tasks
related to:

1.1 IPv4 Addressing

1.2 IP Addressing Crisis and Solutions

1.3 VLSM

1.4 Route Summarization

1.5 Private Addressing and NAT

1.6 IP Unnumbered

1.7 DHCP and Easy IP

1.8 Helper Addresses

1.9 IPv6

1.10 Advanced IP Addressing Management Lab Exercises



1.1 IPv4 Addressing

1.1.1 Internet's address architecture

Figure 1: Structure of an IP Address

Figure 2: Dotted Decimal Notation

When TCP/IP was first introduced in the 1980s, it relied on a two-level
addressing scheme, which at the time offered adequate scalability. IPv4's 32-bit-
long address identifies a network number and a host number, as shown in Figure
[1].
Together, the network number and the host number uniquely identify all hosts
connected via the Internet. It is possible that the needs of a small, networked
community could be satisfied with just host addresses, as is the case with LANs.
However, network addresses are necessary for end systems on different networks
to communicate with each other. Routers use the network portion of the address
to make routing decisions and facilitate communication between hosts that
belong to different networks.



Unlike routers, humans find working with strings of 32 ones and zeros tedious
and clumsy. Therefore, 32-bit IP addresses are written using dotted-decimal
notation. Each 32-bit address is divided into four groups of eight, called octets,
and each octet is converted to decimal and then separated by decimal points, or
dots. [2]
In the dotted decimal address, 132.163.128.17, which of these four octets
represent the network portion of the address? Which of the octets are the host
numbers? Recognizing that the address is in fact a single 32-bit number makes
the answer easier to determine.
In the early days of TCP/IP, a class system was used to define the network and
host portions of the address. IPv4 addresses were grouped into five distinct
classes, according to the pattern of the first few bits in the first octet of the
address. Although the class system can still be applied to IP addresses, today's
networks often ignore the rules of class in favor of a classless IP scheme.
In the following sections, the limitations of the IP address classes, the
subsequent addition of the subnet mask, and the addressing crisis that led to the
adoption of a classless system will be examined.

1.1.2 Classes of IP addresses

Figure 1: Address Architecture

In a classful system, IP addresses can be grouped into one of five different
classes: A, B, C, D, and E based on the position of the first 0-bit in the first octet.
Each of the four octets of an IP address represents either the network portion or
the host portion of the address, depending on the address's class.
Only the first three classes (A, B, and C) are used for addressing actual hosts on
IP networks. Class D addresses are used for multicasting, and Class E addresses
are reserved for experimentation and are not shown in the figure. The following
sections explore each of the five classes of addresses.



Class A Addresses
If the first bit of the first octet of an IP address is a binary 0, then the address is a
Class A address. With that first bit a 0, the lowest number that can be
represented is 00000000 (decimal 0), and the highest number that can be
represented is 01111111 (decimal 127). Any address that starts with a value
between 0 and 127 in the first octet is a Class A address. The two numbers, 0
and 127, are reserved (127.0.0.0 is the loopback network) and cannot be used as
a network address.
Class A addresses were intended to accommodate very large networks, so only
the first octet is used to represent the network number, which leaves three octets
(or 24 bits) to represent the host portion of the address. With 24 bits total, 2^24
(^ means to the power of) combinations are possible, yielding 16,777,216
possible addresses. Two of those possibilities, the lowest and highest values (24
zeros and 24 ones), are reserved for special purposes, so each Class A address
can support up to 16,777,214 unique host addresses.
Why are two host addresses reserved for special purposes? Every network
requires a network number, an ID number that is used to refer to the entire range
of hosts when building routing tables. The address that contains all 0s in the host
portion is used as the network number and cannot be used to address an
individual node. 46.0.0.0 is a class A network number. Similarly, every network
requires a broadcast address that can be used to address a message to every host
on a network. It is created with all 1s in the host portion of the address.
With almost 17 million host addresses available, a Class A network actually
provides too many possibilities for one company or campus. Although an
enormous global network with that many nodes can be imagined, the hosts in
such a network could not function as members of the same logical group.
Administrators require much smaller logical groupings to control broadcasts,
apply policies, and troubleshoot problems. Fortunately, the subnet mask allows
subnetting, which breaks a large block of addresses into smaller groups called
subnetworks. All Class A networks are subnetted. If they were not, Class A
networks would represent huge waste and inefficient allocation of address space.
How many Class A addresses are there? If only the first octet is used as network
number, and it contains a value greater than 0 and less than 127, then 126 Class
A networks exist. There are only 126 Class A addresses, each with almost 17
million possible host addresses, but these account for about half of the entire
IPv4 address space. Under this system, a small number of organizations control
half of the Internet's addresses.
Class B Addresses
Class B addresses start with a binary 10 pattern in the first 2 bits of the first
octet. Therefore, the lowest number that can be represented with a Class B
address is 10000000 (decimal 128), and the highest number that can be
represented is 10111111 (decimal 191). Any address that starts with a value in
the range of 128 to 191 in the first octet is a Class B address.
Class B addresses were intended to accommodate medium-size networks, so the
first two octets are used to represent the network number, which leaves two
octets (or 16 bits) to represent the host portion of the address. With 16 bits total,
2^16 combinations are possible, yielding 65,536 host addresses per Class B
network. Recall that two of those numbers, the lowest and highest values, are
reserved for special purposes, so each Class B address can support 65,534 hosts. Though
significantly smaller than the networks created by Class A addresses, a logical
group of more than 65,000 hosts is still unmanageable and impractical.



Therefore, like Class A networks, Class B addresses are subnetted to improve
efficiency.
There are 16,384 Class B networks. The first octet of a Class B address offers 64
possibilities (128 to 191), and the second octet has 256 (0 to 255). That yields
16,384 (64 * 256) addresses, or 25 percent of the total IP space. Nevertheless,
given the popularity and importance of the Internet, these addresses have run out
quickly, which essentially leaves only Class C addresses available for new
growth.

1.1.3 Classes of IP addresses (cont.)

Figure 1: IP Address Available to Internet Hosts

Class C Addresses
A Class C address begins with a binary 110 pattern. Therefore, the lowest
number that can be represented is 11000000 (decimal 192), and the highest
number that can be represented is 11011111 (decimal 223). If an IPv4 address
contains a number in the range of 192 to 223 in the first octet, it is a Class C
address.
Class C addresses were originally intended to support small networks; the first
three octets of a Class C address represent the network number, and the last octet
may be used for hosts. One octet for hosts yields 256 possibilities; after the all-0s
network number and the all-1s broadcast address are subtracted, only 254 hosts
may be addressed on a Class C network. Whereas Class A and Class B networks
prove impossibly large (without subnetting), Class C networks can impose too
restrictive a limit on hosts.
With 2,097,152 total network addresses containing a mere 254 hosts each, Class
C addresses account for 12.5 percent of the Internet's address space. With Class
A and B exhausted, the remaining Class C addresses are all that is left to be
assigned to new organizations that need IP networks. Figure 1 summarizes the
ranges and availability of the three address classes used to address Internet hosts.
Class D Addresses
A Class D address begins with a binary 1110 pattern in the first octet. Therefore,
the first octet range for Class D addresses is 11100000 to 11101111, or 224 to
239. Class D addresses are not used to address individual hosts. Instead, each
Class D address can be used to represent a group of hosts called a host group, or
multicast group.
For example, a router configured to run EIGRP joins a group that includes other
nodes that are also running EIGRP. Members of this group still have unique IP
addresses from the Class A, B, or C range, but they also listen for messages
addressed to 224.0.0.10, which is a Class D address. Therefore, a single routing



update message can be sent to 224.0.0.10, and all EIGRP routers will receive it.
A single message sent to several select recipients is called a multicast. Class D
addresses are also called multicast addresses.
A multicast is different from a broadcast. Every device on a logical network
receives a broadcast, whereas only devices that have joined the group identified
by a Class D address receive a multicast sent to that address.
Class E Addresses
If the first octet of an IP address begins with a binary 1111 pattern, then the
address is a Class E address. Class E addresses are reserved for experimental
purposes and should not be used for addressing hosts or multicast groups.

1.1.4 Subnet masking

Figure 1: Structure of an IP Address After Subnetting

Figure 2: Class B Address Without Subnetting



Figure 3: Class B Address With Subnetting

Subnet masking, or subnetting, is used to break one large group into several
smaller subnetworks. These subnets can then be distributed throughout an
enterprise, resulting in less waste and better logical organization. Formalized
with RFC 950 in 1985, subnetting introduced a third level of hierarchy to the
IPv4 addressing structure. [1] The number of bits available to the network,
subnet, and host portions of a given address varies depending on the size of the
subnet mask.
A subnet mask is a 32-bit number that acts as a counterpart to the IP address.
Each bit in the mask corresponds to its counterpart bit in the IP address. If a bit
in the IP address corresponds to a 1 bit in the subnet mask, the IP address bit
represents a network number. If a bit in the IP address corresponds to a 0 bit in
the subnet mask, the IP address bit represents a host number.
In effect, the subnet mask (when known) overrides the address class to determine
whether a bit is either network or host. Routers and other hosts can be
configured to recognize addresses differently than the format dictated by classes.
For example, the mask can tell the hosts that, even though their addresses are
Class B, the first three octets (instead of the first two) are the network number.
In this case, the additional octet acts like part of the network number, but only
inside the organization where the mask is configured.
The subnet mask applied to an address ultimately determines the network and
host portions of an IP address. The network and host portions change when the
subnet mask changes. If you apply the mask 255.255.0.0, only the first 16 bits
(two octets) of the IP address 172.24.100.45 represent the network number, as
shown in Figure [2]. Therefore, the network number for this host address is
172.24.0.0. The shaded portion of the address in Figure [2] indicates the network
number.

Because the rules of class dictate that the first two octets of a Class B address are
the network number, this 16-bit mask does not create subnets within the
172.24.0.0 network.
To create subnets with this Class B address, a mask that identifies bits in the
third or fourth octet as part of the network number must be used.
A 24-bit mask, 255.255.255.0, specifies the first 24 bits of the IP address as the
network number. For this example, the network number is 172.24.100.0.



Routers and hosts configured with this mask will see all 8 bits in the third octet
as part of the network number. These 8 bits are considered the subnet field
because they represent network bits beyond the two octets prescribed by classful
addressing.
Inside this network, devices configured with a 24-bit mask will use the 8 bits of
the third octet to determine what subnet a host belongs. Because 172.24.100.45
and 172.24.101.46 have different values in the third octet, they do not belong to
the same logical network. Hosts must match subnet fields to communicate with
each other directly. Otherwise, the services of a router must be used so that a
host on one subnet can talk to a host on another subnet.
An 8-bit subnet field creates 2^8, or 256, potential subnets. Because 8 bits
remain in the host field, 254 hosts may populate each network (two host
addresses are reserved as the network number and broadcast address). By
dividing a Class B network into smaller logical groups, the internetwork is more
manageable, efficient, and scalable.
Subnet masks are not sent as part of an IP packet header, so routers outside this
network will not know what subnet mask is configured inside the network. An
outside router will therefore treat 172.24.100.45 as just one of sixty-five
thousand hosts that belong to the 172.24.0.0 network. In effect, subnetting
provides a logical structure that is hidden from the outside world.
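The class rules of 1.1.2 and 1.1.3 and the mask arithmetic of this section can be checked with a few lines of code. The Python below is an added example written for this edition and is not part of the Cisco curriculum text. It uses only the standard library and works on the address as the 32-bit integer it really is, so the class-determining bits of the first octet, the AND between address and mask, and the subnet field beyond the classful boundary are all visible rather than hidden in a library. The addresses in the __main__ block are the ones used in the text.

```python
"""Added example (not part of the Cisco text): IPv4 class rules and subnet-mask
arithmetic on raw 32-bit integers, so the bit operations the text describes are
visible. Standard library only."""


def to_int(dotted: str) -> int:
    """Parse dotted-decimal notation into the 32-bit integer it represents."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n
    return value


def to_dotted(value: int) -> str:
    """Render a 32-bit integer as dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(dotted: str) -> str:
    """Classful rule: the class is fixed by the position of the first 0 bit in
    the first octet (0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, 1110xxxx = D,
    1111xxxx = E)."""
    first = to_int(dotted) >> 24
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    if first >> 4 == 0b1110:
        return "D"
    return "E"


CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}  # network bits prescribed by class


def prefix_to_mask(prefix: int) -> int:
    """Build the 32-bit mask with `prefix` leading 1 bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def describe(dotted: str, prefix: int) -> dict:
    """Apply a mask to an address: the AND gives the network number, and the
    complement of the mask ORed in gives the broadcast address."""
    addr = to_int(dotted)
    mask = prefix_to_mask(prefix)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    cls = address_class(dotted)
    classful = CLASSFUL_PREFIX.get(cls)
    host_bits = 32 - prefix
    return {
        "class": cls,
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        # the all-0s and all-1s host patterns are reserved
        "usable_hosts": max((1 << host_bits) - 2, 0),
        # subnet bits are network bits beyond the classful boundary; the mask
        # overrides the class, which is why a /16 on a Class B creates none
        "subnet_bits": max(prefix - classful, 0) if classful is not None else 0,
    }


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """Two hosts can talk directly only when their network bits match under
    the mask they are configured with; otherwise a router is required."""
    mask = prefix_to_mask(prefix)
    return (to_int(a) & mask) == (to_int(b) & mask)


if __name__ == "__main__":
    for prefix in (16, 24):
        print(f"/{prefix}:", describe("172.24.100.45", prefix))
    print(same_subnet("172.24.100.45", "172.24.101.46", 16))
    print(same_subnet("172.24.100.45", "172.24.101.46", 24))
```

Run on 172.24.100.45, describe() with a 16-bit mask reports network 172.24.0.0 and no subnet bits, while the 24-bit mask reports 172.24.100.0 with 8 subnet bits and 254 usable hosts; same_subnet() shows that 172.24.100.45 and 172.24.101.46 share a network under the 16-bit mask but not under the 24-bit one, which is exactly why a router is needed between them in the latter case.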



1.2 IP Addressing Crisis and Solutions

1.2.1 IP addressing crisis

Figure 1: IP Address Allocation

Class A and B addresses make up 75 percent of the IPv4 address space, but a
relative handful of organizations (fewer than 17,000) can be assigned a Class A
or B network number. Class C network addresses are far more numerous than
Class A and Class B addresses, although they account for only 12.5 percent of
the possible 4 billion (2^32) IP hosts, as shown in Figure 1.
Unfortunately, Class C addresses are limited to 254 hosts, which will not meet
the needs of larger organizations that can not acquire a Class A or B address.
Even if there were more Class A, B, and C addresses, too many network
addresses would cause Internet routers to slow to a halt under the weight of
enormous routing tables.
The classful system of IP addressing, even with subnetting, could not scale to
effectively handle global demand for Internet connectivity. As early as 1992, the
Internet Engineering Task Force (IETF) identified two specific concerns:
• Exhaustion of the remaining, unassigned IPv4 network addresses. At the
time, the Class B space was on the verge of depletion.
• The rapid and substantial growth of the Internet's routing tables. As more
Class C's came online, the resulting flood of new network information
threatened Internet routers' capability to cope effectively.
In the short term, the IETF decided that a retooled IPv4 would have to hold out
long enough for engineers to design and deploy a completely new Internet
Protocol. That new protocol, IPv6, solves the address crisis by using a 128-bit



address space. After years of planning and development, IPv6 promises to be
ready for wide-scale implementation, although that has not happened yet.
One reason that IPv6 has not been rushed into service is that the short-term
extensions to IPv4 have been so effective. By eliminating the rules of class, IPv4
now enjoys renewed viability.

1.2.2 Classless Interdomain Routing (CIDR)

Figure 1: Why Classless Interdomain Routing?

Routers use a form of IPv4 addressing called classless interdomain routing
(CIDR) (pronounced "cider") that ignores class. In a classful system, a router
determines the class of an address and then identifies the network and host octets
based on that class. With CIDR, a router uses a bitmask to determine the network
and host portions of an address, which are no longer restricted to using an entire
octet.
First introduced in 1993 by RFC 1517, 1518, 1519, and 1520, and later deployed
in 1994, CIDR dramatically improves IPv4's scalability and efficiency by
providing the following:
• The replacement of classful addressing with a more flexible and less
wasteful classless scheme
• Enhanced route aggregation, also known as supernetting
The following sections describe route aggregation, supernetting, and address
allocation in more detail.



1.2.3 Route aggregation and supernetting

Figure 1: Route Aggregation and Supernetting

Figure 2: Route Aggregation and Supernetting

By using a bitmask instead of an address class to determine the network portion
of an address, CIDR allows routers to aggregate, or summarize, routing
information. This shrinks the size of the router's routing tables. Just one address
and mask combination can represent the routes to multiple networks.
Without CIDR and route aggregation, a router must maintain individual entries
for the Class B networks shown in Figure [1].
The shaded columns in Figure [1] identify the 16 bits that, based on the rules of
class, represent the network number. Classful routers are forced to handle Class
B networks using these 16 bits. Because the first 16 bits of each of these eight
network numbers are unique, a classful router sees eight unique networks and



must create a routing table entry for each. However, these eight networks do
have common bits, as shown by the shaded portion of Figure [2].
Figure [2] shows that the example eight-network addresses have the first 13 bits
in common. A CIDR-compliant router can summarize routes to these eight
networks by using a 13-bit prefix, in which these eight networks, and only these
networks, share these 13 bits:
10101100 00011
To represent this prefix in decimal terms, the rest of the address is padded with
zeros and then paired with a 13-bit subnet mask:
10101100 00011000 00000000 00000000 = 172.24.0.0
11111111 11111000 00000000 00000000 = 255.248.0.0
Thus, a single address and mask define a classless prefix that summarizes routes
to the eight networks, 172.24.0.0/13.
By using a prefix address to summarize routes, routing table entries are kept
manageable, which results in the following:
• More efficient routing
• A reduced number of CPU cycles when recalculating a routing table or when
sorting through the routing table entries to find a match
• Reduced router memory requirements
Supernetting is the practice of using a bitmask to group multiple classful
networks as a single network address. Supernetting and route aggregation are
different names for the same process, although the term supernetting is most
often applied when the aggregated networks are under common administrative
control. Supernetting and route aggregation are essentially the inverse of
subnetting.
Recall that the Class A and Class B address space is virtually exhausted, leaving
large organizations little choice but to request multiple Class C network
addresses from their providers. If a company can acquire a block of contiguous
(that is, sequential) Class C network addresses, supernetting can be used so that
the addresses appear as a single large network, or supernet.



1.2.4 Supernetting and address allocation

Figure 1: Supernetting and Address Allocation

Figure 2: Addressing with CIDR

Consider Company XYZ, which requires addresses for 400 hosts. Under the
classful addressing system, XYZ could apply to a central Internet address
authority for a Class B address. If the company got the Class B and then used it
to address one logical group of 400 hosts, tens of thousands of addresses would
be wasted. A second option for XYZ would be to request two Class C network
numbers, yielding 508 (2 * 254) host addresses. The drawback to this approach
is that XYZ would have to route between its own logical networks, and default-
free Internet routers would need to maintain two routing table entries for XYZ's
network, rather than just one.

Under a classless addressing system, supernetting allows XYZ to get the address
space that it needs without wasting addresses or increasing the size of routing
tables unnecessarily. Using CIDR, XYZ asks for an address block from its
Internet service provider, not a central authority such as the InterNIC. The ISP
assesses XYZ's needs and allocates address space from its own large "CIDR
block" of addresses. Providers assume the burden of managing address space in a



classless system. With this system, Internet routers keep only one summary
route, or supernet route, to the provider's network, and the provider keeps routes
that are more specific to its customer networks. This method drastically reduces
the size of Internet routing tables.

In the following example, XYZ receives two contiguous Class C addresses,
207.21.54.0 and 207.21.55.0. The shaded portion of Figure [1] shows that these
network addresses have this common 23-bit prefix:

11001111 00010101 0011011

When supernetted with a 23-bit mask (207.21.54.0 /23), the address space
provides 510 usable host addresses (2^9 - 2), well over the 400 required, without
the tremendous waste of a Class B address. With the ISP acting as the addressing
authority for a CIDR block of addresses, the ISP's customer networks, which
include XYZ, can be advertised among Internet routers as a single supernet. In
Figure [2], the ISP manages a block of 256 Class C addresses and advertises them
to the world using a 16-bit prefix: 207.21.0.0 /16.

When CIDR enabled ISPs to hierarchically distribute and manage blocks of
contiguous addresses, IPv4 address space received the following benefits:
• Efficient allocation of addresses
• Reduced number of routing table entries
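Both the eight-network summary of section 1.2.3 (172.24.0.0 through 172.31.0.0 into 172.24.0.0/13) and Company XYZ's two Class C networks above (207.21.54.0/23) come out of one general procedure: find the longest prefix that every network shares, then confirm that the resulting supernet covers exactly those networks and nothing more. The Python below is an added example, not code from the Cisco material; it is built on the standard-library ipaddress module. The first two network lists are taken from the text, and the third (a deliberate gap at 172.25.0.0/16) is a constructed input to show the check failing. The check matters in practice: a summary that is larger than the space you actually hold is advertised to neighbours as a route to addresses you cannot deliver to, so such holes should be reported before the summary route is configured.

```python
"""Added example (not part of the Cisco text): derive a CIDR summary route for
a set of networks and check that it covers exactly those networks. Uses the
standard-library ipaddress module."""
import ipaddress


def common_prefix_length(nets: list) -> int:
    """Longest run of leading bits shared by every network address, capped at
    the shortest prefix length in the set."""
    if not nets:
        raise ValueError("no networks given")
    bits = min(n.prefixlen for n in nets)
    first = int(nets[0].network_address)
    for n in nets[1:]:
        diff = first ^ int(n.network_address)  # 1 bits where the two differ
        while bits > 0 and (diff >> (32 - bits)) != 0:
            bits -= 1
    return bits


def uncovered(summary, covered: list) -> list:
    """Pieces of `summary` that none of the `covered` networks account for."""
    remaining = [summary]
    for c in covered:
        next_remaining = []
        for r in remaining:
            if c.subnet_of(r):
                next_remaining.extend(r.address_exclude(c))  # carve c out of r
            elif r.subnet_of(c):
                continue  # r lies entirely inside c: fully covered
            else:
                next_remaining.append(r)  # disjoint: untouched
        remaining = next_remaining
    return sorted(remaining)


def summarize(cidrs: list) -> dict:
    """Return the supernet, whether it is exact, and any address space the
    supernet would advertise that the inputs do not actually hold."""
    nets = [ipaddress.IPv4Network(c, strict=True) for c in cidrs]
    plen = common_prefix_length(nets)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    summary = ipaddress.IPv4Network((int(nets[0].network_address) & mask, plen))
    # collapse_addresses merges adjacent or overlapping inputs into the fewest
    # networks, so leftovers are measured against what the inputs really cover
    covered = list(ipaddress.collapse_addresses(nets))
    holes = uncovered(summary, covered)
    return {
        "summary": str(summary),
        "exact": not holes,
        "uncovered": [str(h) for h in holes],
        "entries_saved": len(nets) - 1,
        "usable_hosts": summary.num_addresses - 2,
    }


if __name__ == "__main__":
    # the eight Class B networks from the text: 172.24.0.0 through 172.31.0.0
    print(summarize([f"172.{n}.0.0/16" for n in range(24, 32)]))
    # Company XYZ's two contiguous Class C networks
    print(summarize(["207.21.54.0/24", "207.21.55.0/24"]))
    # constructed input with a gap: a /14 summary would over-advertise
    print(summarize(["172.24.0.0/16", "172.26.0.0/16"]))
```

For the eight Class B networks the result is 172.24.0.0/13 with no uncovered space and seven routing table entries saved; for XYZ it is 207.21.54.0/23 with 510 usable hosts. For the constructed list with 172.25.0.0/16 missing, the shortest covering prefix is 172.24.0.0/14, but the function flags 172.25.0.0/16 and 172.27.0.0/16 as uncovered, which is the signal that this summary must not be advertised as-is.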



1.3 VLSM

1.3.1 Variable-Length Subnet Masks

Figure 1: Subnetting with One Mask

Figure 2: Using Subnets to Address the WAN



Figure 3: Subnetting With Variable Length Masks

Figure 4: Using VLSM to Address Point-to-Point Links

Figure 5: Configuring VSLM

VLSM allows an organization to use more than one subnet mask within the same
network address space. Implementing VLSM is often referred to as "subnetting a
subnet," and it can be used to maximize addressing efficiency.



Consider the subnets created by borrowing 3 bits from the host portion of the
Class C address, 207.21.24.0, shown in Figure [1].

Using the ip subnet-zero command, this mask creates seven usable
subnets of 30 hosts each. Four of these subnets can address remote offices in the
organization pictured in Figure [2], at sites A, B, C, and D.

Unfortunately, only three subnets are left for future growth, and the three
point-to-point WAN links between the four sites have yet to be addressed. If the
three remaining subnets were assigned to the WAN links, the supply of IP addresses
would be exhausted. Moreover, squandering the remaining 30-host subnets to
address these two-node networks will waste more than a third of the available
address space.

Over the past 20 years, network engineers have developed three strategies for
efficiently addressing point-to-point WAN links:
- Use VLSM
- Use private addressing (RFC 1918)
- Use IP unnumbered

Private addresses and IP unnumbered are discussed in detail later in this chapter.
This section focuses on VLSM. If VLSM is applied to addressing problems, a
Class C address can be broken into groups (i.e., subnets) of various sizes. Large
subnets are created for addressing LANs, and very small subnets are created for
WAN links and other special cases.

A 30-bit mask is used to create subnets with only two valid host addresses, the
exact number needed for a point-to-point connection. Figure [3] shows what
happens if one of the three remaining subnets (subnet 6) is subnetted again using
a 30-bit mask.

Subnetting the 207.21.24.192 /27 subnet in this way supplies eight ranges of
addresses to be used for point-to-point networks. For example, the network
207.21.24.192/30 can be used to address the point-to-point serial link between
Site A's router and Site B's router [4].

How is VLSM configured on a Cisco router? Figure [5] shows the commands
needed to configure Site A's router (RTA) with a 27-bit mask on its Ethernet port
and a 30-bit mask on its serial port.
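As an added worked example (not code from the course), the Python below sizes subnets for the four LANs and three WAN links just described, subnets a subnet the way Figure [3] does, and measures the waste of the single-mask plan. The allocator packs the largest subnets first, so the links land at 207.21.24.128 rather than inside subnet 6 as in the figures; the demand of 30 hosts per site is an assumption.

```python
import ipaddress

# Constructed demands for the scenario in the text: four remote-office LANs of up to
# 30 hosts each (sites A-D) and the three point-to-point WAN links between them.
SITE_DEMANDS = [
    ("Site A LAN", 30), ("Site B LAN", 30), ("Site C LAN", 30), ("Site D LAN", 30),
    ("A-B link", 2), ("B-C link", 2), ("C-D link", 2),
]


def required_prefix(hosts):
    """Longest prefix whose usable host count (2^(32-p) - 2) still fits `hosts`."""
    for prefix in range(30, 0, -1):     # /30 is the smallest subnet with two usable hosts
        if 2 ** (32 - prefix) - 2 >= hosts:
            return prefix
    raise ValueError("more hosts than one IPv4 network can hold")


def vlsm_allocate(block, demands):
    """Give every (name, hosts) demand its own right-sized subnet out of `block`.

    Largest demands are placed first so each subnet starts on a boundary that is a
    multiple of its size; that is what keeps a VLSM plan free of alignment gaps.
    Returns {name: IPv4Network}.
    """
    block = ipaddress.IPv4Network(block)
    cursor = int(block.network_address)
    limit = int(block.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(demands, key=lambda d: d[1], reverse=True):
        prefix = required_prefix(hosts)
        size = 2 ** (32 - prefix)
        if cursor + size > limit:
            raise ValueError(f"{block} is exhausted before {name} can be addressed")
        plan[name] = ipaddress.IPv4Network((cursor, prefix))
        cursor += size
    return plan


def split_subnet(subnet, new_prefix):
    """Subnet a subnet: e.g. 207.21.24.192/27 into eight /30 point-to-point ranges."""
    return list(ipaddress.IPv4Network(subnet).subnets(new_prefix=new_prefix))


def single_mask_link_waste(block, prefix, demands):
    """Share of `block` burned on two-node links when one mask is used for everything:
    each link takes a whole 2^(32-prefix) subnet although it needs only two addresses."""
    block = ipaddress.IPv4Network(block)
    links = sum(1 for _, hosts in demands if hosts <= 2)
    return links * 2 ** (32 - prefix) / block.num_addresses
```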



1.3.2 Classless and classful routing protocols

Figure 1: Classful and Classless Routing Protocols

For routers in a variably subnetted network to properly update each other, they
must send masks in their routing updates. Without subnet information in the
routing updates, routers will have nothing but the address class and their own
subnet mask to work with. Only routing protocols that ignore the rules of address
class and use classless prefixes will work properly with VLSM (see Figure 1).

RIPv1 and IGRP, common interior gateway protocols, cannot support VLSM
because they do not send subnet information in their updates. Upon receiving an
update packet, these classful routing protocols will use one of the following
methods to determine the network prefix of an address:
- If the router receives information about a network, and if the receiving
interface belongs to that same network (but on a different subnet), the router
applies the subnet mask that is configured on the receiving interface.
- If the router receives information about a network address that is not the
same as the one configured on the receiving interface, it applies the default
(by class) subnet mask.
Despite its limitations, RIP is a very popular routing protocol and is supported
by virtually all IP routers. RIP's popularity stems from its simplicity and
universal compatibility. However, the first version of RIP (RIPv1) suffers from
several critical deficiencies:
1. RIPv1 does not send subnet mask information in its updates. Without subnet
information, VLSM and CIDR cannot be supported.
2. Its updates are broadcast, increasing network traffic.
3. It does not support authentication.
In 1988, RFC 1058 prescribed the new (and improved) RIP version 2 to address
these deficiencies:
1. RIPv2 does send subnet information and therefore supports VLSM and
CIDR.
2. It multicasts routing updates using the Class D address 224.0.0.9, providing
better efficiency.
3. It provides for authentication in its updates.



Because of these key features, RIPv2 should always be preferred over RIPv1,
unless some legacy device on the network cannot support it.

When RIP is first enabled on a Cisco router, the router listens for version 1 and 2
updates but sends only version 1. To take advantage of version 2's features,
version 1 support can be turned off and version 2 updates enabled with the
following command:

Router(config)#router rip
Router(config-router)#version 2

RIP's straightforward design ensures that it will continue to survive. A new
version has been designed to support future IPv6 networks.



1.4 Route Summarization

1.4.1 An overview of route summarization

Figure 1: Route Summarization

The use of CIDR and VLSM not only prevents address waste, but it also
promotes route aggregation, or summarization. Without route summarization,
Internet backbone routing would likely have collapsed sometime before 1997.
The figure illustrates how route summarization reduces the burden on upstream
routers. This complex hierarchy of variable-sized networks and subnetworks is
summarized at various points using a prefix address until the entire network is
advertised as a single aggregate route: 200.199.48.0 /20.

Recall that this kind of route summarization, or supernetting, is possible only if
the network's routers run a classless routing protocol, such as OSPF or EIGRP.
Classless routing protocols carry the prefix length (subnet mask) with the 32-bit
address in routing updates. In the figure, the summary route that eventually
reaches the provider contains a 20-bit prefix common to all of the addresses in
the organization, 200.199.48.0 /20 or 11001000 11000111 0001. For
summarization to work properly, the addresses must be carefully assigned in a
hierarchical fashion so that summarized addresses will share the same high-order
bits.



1.4.2 Route flapping

Figure 1: Route Summarization

Route flapping occurs when a router's interface alternates rapidly between the
"up" and "down" states. This can be caused by a number of factors, including a
faulty interface or poorly terminated media.

Summarization can effectively insulate upstream routers from route flapping
problems. Consider RTC in the figure. If RTC's interface connected to the
200.199.56.0 network goes down, RTC will remove that route from its table. If
the routers were not configured to summarize, RTC would then send a triggered
update to RTZ about the removal of the specific network, 200.199.56.0. In turn,
RTZ would update the next router upstream, and so on. Every time these routers
are updated with new information, their processors must go to work. It is
possible (especially in the case of OSPF routing) that the processors can work
hard enough to noticeably impact performance. Now, consider the impact on
performance if RTC's interface to network 200.199.56.0 comes back up after
only a few seconds. The routers update each other and recalculate. In addition,
what happens when RTC's link goes back down seconds later? And then back
up? This is route flapping, and it can cripple a router with excessive updates and
recalculations.

However, the summarization configuration prevents RTC's route flapping from
affecting any other routers. RTC updates RTZ about a supernet (200.199.56.0
/21) that includes eight networks (200.199.56.0 through 200.199.63.0). The loss
of one network does not invalidate the route to the supernet. While RTC may be
kept busy dealing with its own route flap, RTZ (and all upstream routers) do not
notice a thing. Summarization effectively insulates the other routers from the
problem of route flapping.
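As an added illustration (not code from the course), the following Python computes the aggregate that the supernetting example in 1.2.4, the summary in 1.4.1, and the flap-insulation case above all rely on: the longest prefix common to a set of networks. The inputs are the addresses given in the text; `upstream_update_needed` is a model of the summarizing router's behaviour, not an IOS command.

```python
import ipaddress


def summary_route(networks):
    """Longest common prefix of the given networks, as one aggregate (supernet) route."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    if not nets:
        raise ValueError("nothing to summarize")
    base = int(nets[0].network_address)
    prefix = min(n.prefixlen for n in nets)   # the summary can't be more specific than a member
    for net in nets:
        addr = int(net.network_address)
        # Shorten the prefix until this member shares all of its leading bits with the first
        while prefix > 0 and (base >> (32 - prefix)) != (addr >> (32 - prefix)):
            prefix -= 1
    return ipaddress.IPv4Network((base, prefix), strict=False)


def prefix_bits(network):
    """The network's prefix as a binary string grouped by octet, as the figures show it."""
    network = ipaddress.IPv4Network(network)
    bits = format(int(network.network_address), "032b")[: network.prefixlen]
    return " ".join(bits[i:i + 8] for i in range(0, len(bits), 8))


def upstream_update_needed(summary, still_reachable):
    """A summarizing router (RTC in the text) withdraws its aggregate only when no
    member network is left; the loss of one member changes nothing upstream."""
    summary = ipaddress.IPv4Network(summary)
    return not any(ipaddress.IPv4Network(n).subnet_of(summary) for n in still_reachable)
```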



1.5 Private addressing and NAT

1.5.1 Private IP addresses (RFC 1918)

Figure 1: Private IP Network Addresses

Figure 2: Using Private Addresses in the WAN

Because TCP/IP is the world's dominant routed protocol, most network
applications and operating systems offer extensive support for it. Thus, many
designers build their networks around TCP/IP, even if they do not require
Internet connectivity. Internet hosts require globally unique IP addresses.
However, private hosts that are not connected to the Internet can use any valid
address, as long as it is unique within the private network.

Because many private networks exist alongside public nets, grabbing "just any
address" is strongly discouraged. RFC 1918 sets aside three blocks of IP
addresses (i.e., a Class A, a Class B, and a Class C range) for private, internal
use. Addresses in this range will not be routed on the Internet backbone (see
Figure [1]). Internet routers immediately discard private addresses.

If you are addressing a nonpublic intranet, a test lab, or a home network, these
private addresses can be used instead of globally unique addresses. Global
addresses must be obtained from a provider or a registry at some expense.



RFC 1918 addresses are used in production networks as well. Earlier in this
chapter, the advantages of using VLSM to address the point-to-point WAN links
in an internetwork were addressed. With VLSM, a subnet left in a Class C
network's address space could be further subnetted. Although this solution was
better than wasting an entire 30-host subnet on each two-host WAN link, it still
costs one subnet that could have been used for future growth. A less wasteful
solution is to address the WAN links using private network numbers. In Figure
[2], the WAN links are addressed using subnets from the private address space,
10.0.0.0 /8.

How can these routers use private addresses if LAN users at sites A, B, C, and D
expect to access the Internet? End users at these sites should have no problem
because they use globally unique addresses from the 207.21.24.0 network. The
routers use their serial interfaces with private addresses merely to forward traffic
and exchange routing information. Upstream providers and Internet routers see
only the source and destination IP addresses in the packet; they do not care if the
packet traveled through links with private addresses at some point. In fact, many
providers use RFC 1918 network numbers in the core of their network to avoid
depleting their supply of globally unique addresses.

One trade-off of using private numbers on WAN links is that these serial
interfaces cannot be the original source of traffic bound for the Internet or the
final destination of traffic from the Internet. Routers do not normally spend time
surfing the web, so this limitation typically becomes an issue only when
troubleshooting with ICMP, using SNMP, or connecting remotely with Telnet
over the Internet. In those cases, the router can be addressed only by its globally
unique LAN interfaces.

The following sections discuss implementation of a private addressing scheme,
including the pitfalls of discontiguous subnets and the advantages of Network
Address Translation (NAT).



1.5.2 Discontiguous subnets

Figure: Discontiguous Subnets

Mixing private addresses with globally unique addresses can create
discontiguous subnets, which are subnets from the same major network that are
separated by a completely different major network or subnet.

In the figure, Site A and Site B both have LANs that are addressed using subnets
from the same major net (207.21.24.0). They are discontiguous because the
10.0.0.4/30 network separates them. Classful routing protocols, notably RIPv1
and IGRP, cannot support discontiguous subnets because the subnet mask is not
included in routing updates. If Site A and Site B are running RIPv1, Site A will
receive updates about network 207.21.24.0/24 and not about 207.21.24.32/27
because the subnet mask is not included in the update. Because Site A has an
interface directly connected to that network (in this case, E0), Site A will reject
Site B's route.
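The two mask-selection rules from 1.3.2 and the Site A / Site B failure just described, as an added Python model that is not part of the course material. Interface addresses 10.0.0.5/30 and 10.0.0.6/30 for the two serial ends and 207.21.24.1/27 for Site A's E0 are assumed; the LAN subnet 207.21.24.32/27 and the 10.0.0.4/30 link are the ones named in the text.

```python
import ipaddress


def classful_prefix(address):
    """Default prefix length implied by the address class (A, B, or C)."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        return 8      # Class A
    if first_octet < 192:
        return 16     # Class B
    if first_octet < 224:
        return 24     # Class C
    raise ValueError(f"{address} is not a Class A, B, or C address")


def major_network(address):
    return ipaddress.IPv4Network((address, classful_prefix(address)), strict=False)


def classful_update_contents(route, out_interface):
    """What RIPv1/IGRP put in an update for `route` sent out `out_interface`.

    No mask is carried. Across a major-network boundary the route is summarized
    to its classful network; within the major network only the subnet number goes out.
    """
    route = ipaddress.IPv4Network(route)
    out_ip = ipaddress.IPv4Interface(out_interface).ip
    if major_network(route.network_address) == major_network(out_ip):
        return str(route.network_address)
    return str(major_network(route.network_address).network_address)


def classful_receive(network_address, in_interface):
    """Apply the two rules a classful router uses to choose a mask for a received address."""
    iface = ipaddress.IPv4Interface(in_interface)
    if major_network(network_address) == major_network(iface.ip):
        prefix = iface.network.prefixlen            # rule 1: mask of the receiving interface
    else:
        prefix = classful_prefix(network_address)   # rule 2: default mask for the class
    return ipaddress.IPv4Network((network_address, prefix), strict=False)


def install_route(received, connected_networks):
    """A router ignores a received classful route when it already has a directly
    connected subnet of that major network (Site A rejecting Site B's route)."""
    return not any(ipaddress.IPv4Network(c).subnet_of(received) for c in connected_networks)
```

The last two assertions in the test show the VLSM side of the same limitation: received over a /30 link inside the same major network, the /27 LAN subnet is taken to be a /30.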

Even some classless routing protocols require additional configuration to solve
the problem of discontiguous subnets. RIPv2 and EIGRP automatically
summarize on classful boundaries unless explicitly told not to. Usually, this type
of summarization is desirable, but in the case of discontiguous subnets, the
following command must be entered for both RIPv2 and EIGRP to disable
automatic summarization:

Router(config-router)#no auto-summary

Finally, when using private addresses on a network that is connected to the
Internet, packets and routing updates should be filtered to avoid "leaking" any
RFC 1918 addresses between autonomous systems. For example, if both the user
and the provider use addresses from the 192.168.0.0 /16 block, the routers could
get confused if confronted with updates from both systems.



1.5.3 Network Address Translation (NAT)

Figure 1: NAT Router

NAT, as defined by RFC 1631, is the process of swapping one address for
another in the IP packet header. In practice, NAT is used to allow hosts that are
privately addressed (using RFC 1918 addresses) to access the Internet.

A NAT-enabled device, such as a UNIX computer or a Cisco router, operates at
the border of a stub domain (i.e., an internetwork that has a single connection to
the outside world). When a host inside the stub domain wants to transmit to a
host on the outside, it forwards the packet to the NAT-enabled device. The NAT
process then looks inside the IP header and, if appropriate, replaces the inside IP
address with a globally unique IP address. When an outside host sends a
response, the NAT process receives it, checks the current table of network
address translations, and replaces the destination address with the original inside
source address. NAT translations can occur dynamically or statically and can be
used for a variety of purposes.

The most powerful feature of NAT routers is their capability to use port address
translation (PAT), which allows multiple inside addresses to map to the same
global address. This is sometimes called a "many-to-one" NAT. With PAT, or
address overloading, literally hundreds of privately addressed nodes can access
the Internet using only one global address. The NAT router keeps track of the
different conversations by mapping TCP and UDP port numbers.
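An added example, not from the course, of the many-to-one translation table a PAT router keeps and how it separates conversations by port. 207.21.24.1 is assumed to be the one global address; the 192.168.1.x inside hosts and the outside server 198.51.100.7 are constructed.

```python
class PatRouter:
    """Many-to-one NAT (PAT, address overloading): every inside host shares one global
    address and is told apart by the port the router assigns to its conversation."""

    def __init__(self, global_address):
        self.global_address = global_address
        self.out_table = {}   # (inside_ip, inside_port) -> global port
        self.in_table = {}    # global port -> (inside_ip, inside_port)

    def _allocate_port(self, wanted):
        # Keep the host's own source port while it is free; otherwise pick another unused
        # port (a simplification of the real allocation policy).
        if wanted not in self.in_table:
            return wanted
        return next(p for p in range(1024, 65536) if p not in self.in_table)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to the shared global address and port,
        creating the table entry on first use."""
        key = (src_ip, src_port)
        if key not in self.out_table:
            global_port = self._allocate_port(src_port)
            self.out_table[key] = global_port
            self.in_table[global_port] = key
        return (self.global_address, self.out_table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: restore the original inside destination from the table.
        A packet that matches no existing translation has nowhere to go and is dropped."""
        if dst_ip != self.global_address or dst_port not in self.in_table:
            return None
        inside_ip, inside_port = self.in_table[dst_port]
        return (src_ip, src_port, inside_ip, inside_port)

    def active_translations(self):
        return len(self.out_table)
```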



1.6 IP Unnumbered

1.6.1 Using IP unnumbered

Figure 1: NAT Router

Figure 2: IP Unnumbered

Throughout this chapter, ways to maximize an organization's use of IP addresses
have been illustrated. In previous sections, methods that avoid wasting an entire
subnet on the point-to-point serial links by using VLSM or private addresses
have been discussed. Neither technique can be supported by classful routing
protocols, such as the popular RIPv1 and IGRP. Fortunately, the Cisco IOS
offers a third option for efficiently addressing serial links: IP unnumbered.

When a serial interface is configured for IP unnumbered, it borrows the IP
address of another interface (usually a LAN interface or loopback interface) and
therefore does not need its own address. [1] Not only does IP unnumbered avoid
wasting addresses on point-to-point WAN links, but it also can be used with
classful routing protocols, where VLSM and discontiguous subnets cannot. If the
network runs RIPv1 or IGRP, IP unnumbered may be the only solution to
maximize addresses.

RTA's S1 (168.71.5.1) and RTB's S1 (168.71.8.1) can communicate using
TCP/IP over this serial link, even though they do not belong to the same IP
network. [2] This is possible because it is a point-to-point link, so there is no
confusion about which device a packet is originating from or destined to. There
are two ground rules for configuring IP unnumbered on an interface:
- The interface is both serial and connected via a point-to-point link.
- The same major network with the same mask is used to address the LAN
interfaces that "lend" their IP address on both sides of the WAN link, OR
different major networks with no subnetting are used to address the LAN
interfaces on both sides of the WAN link.

Using IP unnumbered is not without its drawbacks, which include the following:
- Ping cannot be used to determine whether the interface is up because the
interface has no IP address.
- Booting cannot be done from a network IOS image over an unnumbered
serial interface.
- IP security options are not supported on an unnumbered interface.



1.7 DHCP and Easy IP

1.7.1 DHCP overview

Figure 1: Simple DHCP Operation

Figure 2: Simple DHCP Operation



Figure 3: Simple DHCP Operation

After designing a scalable IP addressing scheme for an enterprise, the daunting
task of implementation must still be addressed. Routers, servers, and other key
nodes usually require special attention from administrators, but desktop clients
are often automatically assigned IP configurations using Dynamic Host
Configuration Protocol (DHCP). Because desktop clients typically make up the
bulk of network nodes, DHCP is good news for systems administrators. Small
offices and home offices can also take advantage of DHCP by using Easy IP, a
Cisco IOS feature set that combines DHCP with NAT functions.

DHCP works by configuring servers to give out IP configuration information to
clients. Clients lease the information from the server for an administratively
defined period. When the lease is up, the host must ask for another address,
although the host is typically reassigned the same one. [1] - [3]

Administrators typically prefer to use a Microsoft NT server or a UNIX
computer to offer DHCP services because these solutions are highly scalable and
relatively easy to manage. Even so, the Cisco router IOS offers an optional, fully
featured DHCP server, which leases configurations for 24 hours by default.
Administrators set up DHCP servers to assign addresses from predefined pools
of addresses. DHCP servers can also offer other information, such as DNS server
addresses, WINS server addresses, and domain names. Most DHCP servers also
allow recording of client MAC addresses that can be serviced to automatically
assign the same number to a particular host each time.

Note: BootP was originally defined in RFC 951 in 1985. It is the predecessor of
DHCP, and it shares some operational characteristics. Both protocols use UDP
ports 67 and 68, which are well known as "BootP" ports because BootP was
implemented before DHCP.



1.7.2 DHCP operation

Figure 1: DHCP Operation

The DHCP client configuration process is shown in Figure 1. This process
follows these steps:
1. The client sends a DHCPDISCOVER broadcast to all nodes. When a
client set up for DHCP needs an IP configuration (typically at boot time), it
tries to locate a DHCP server by sending a broadcast called a
DHCPDISCOVER.
2. The server sends a DHCPOFFER unicast to client. When the server
receives the broadcast, it determines whether it can service the request from
its own database. If it cannot, the server may forward the request on to
another DHCP server or servers, depending on its configuration. If it can
service the request, the DHCP server offers the client IP configuration
information in the form of a unicast DHCPOFFER. The DHCPOFFER is a
proposed configuration that may include IP address, DNS server address,
and lease time.
3. The client sends a DHCPREQUEST broadcast to all nodes. If the client
finds the offer agreeable, it will send another broadcast, a DHCPREQUEST,
specifically requesting those particular IP parameters. Why does the client
broadcast the request instead of unicasting it to the server? A broadcast is
used because the very first message, the DHCPDISCOVER, may have
reached more than one DHCP server (after all, it was a broadcast). If more
than one server makes an offer, the broadcasted DHCPREQUEST lets
everyone know which offer was accepted (it is usually the first offer
received).
4. The server sends a DHCPACK unicast to client. The server that receives
the DHCPREQUEST makes the configuration official by sending a unicast
acknowledgment, the DHCPACK. Note that it is possible but highly unlikely
that the server will not send the DHCPACK because it may have leased that
information to another client in the interim. Receipt of the DHCPACK
message enables the client to begin using the assigned address immediately.
Depending on an organization's policies, it may be possible for an end user or an
administrator to statically assign to a host an IP address that belongs in the
DHCP server's address pool. Just in case, the Cisco IOS DHCP server always
checks to make sure that an address is not in use before the server offers it to a
client. The server issues ICMP echo requests (pings) to a pool address before
sending the DHCPOFFER to a client. Although configurable, the default number
of pings used to check for potential IP address conflict is two (the more pings,
the longer the configuration process takes).

1.7.3 Configuring IOS DHCP server

Figure 1: Configuring a DHCP Address Pool

Figure 2: Assigning Key DHCP Information



Figure 3: Key DHCP Server Commands

Figure 4: Key Commands for Monitoring DHCP Operation

Although it is enabled by default on versions of the Cisco IOS that support it, the
DHCP server process can be re-enabled by using the service dhcp global
configuration command. The no service dhcp command disables the server.

Like NAT, DHCP server requires that the administrator define a pool of
addresses. In Figure [1], the ip dhcp pool command defines which addresses
will be assigned to hosts.

The first command, ip dhcp pool room12, creates a pool named “room12”
and puts the router in a specialized DHCP configuration mode. In this mode, the
network statement is used to define the range of addresses to be leased. If it is
desirable to exclude specific addresses on this network, then it is necessary to
return to global configuration mode, as shown in Figure [1].



This ip dhcp excluded-address command configures the router to exclude
172.16.1.1 through 172.16.1.10 when assigning addresses to clients. The ip
dhcp excluded-address command is used to reserve addresses that are
statically assigned to key hosts.
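An added model, not IOS code, of the four-step exchange in 1.7.2 together with the pool, exclusion range, and pre-offer conflict check from 1.7.3. It uses the text's 172.16.1.0/24 pool and excluded range 172.16.1.1 to 172.16.1.10; the default router 172.16.1.1, DNS server 172.16.1.5, client MAC addresses, and a statically configured host at 172.16.1.11 are constructed.

```python
import ipaddress

LEASE_SECONDS = 24 * 60 * 60   # the IOS server's default lease of 24 hours


class DhcpServer:
    """DISCOVER/OFFER/REQUEST/ACK handling for one address pool."""

    def __init__(self, network, excluded, default_router, dns_server, in_use_probe=None):
        self.pool = ipaddress.IPv4Network(network)                  # network <addr> <mask>
        low, high = (ipaddress.IPv4Address(a) for a in excluded)    # ip dhcp excluded-address
        self.excluded = {ip for ip in self.pool.hosts() if low <= ip <= high}
        self.options = {"router": default_router, "dns": dns_server, "lease": LEASE_SECONDS}
        self.leases = {}         # IPv4Address -> client MAC holding the lease
        self.conflicts = set()   # addresses the pre-offer pings found already in use
        self.offers = {}         # client MAC -> address offered but not yet acknowledged
        # Stands in for the ICMP echo requests sent before an address is offered.
        self.in_use_probe = in_use_probe or (lambda ip: False)

    def _pick_address(self, mac):
        for ip, holder in self.leases.items():     # a returning client keeps its old address
            if holder == mac:
                return ip
        for ip in self.pool.hosts():
            if ip in self.excluded or ip in self.leases or ip in self.conflicts:
                continue
            if self.in_use_probe(str(ip)):          # a host was configured statically here
                self.conflicts.add(ip)
                continue
            return ip
        return None

    def discover(self, mac):
        """Steps 1-2: broadcast DHCPDISCOVER in, unicast DHCPOFFER out (None if pool is empty)."""
        ip = self._pick_address(mac)
        if ip is None:
            return None
        self.offers[mac] = ip
        return {"type": "DHCPOFFER", "yiaddr": str(ip), **self.options}

    def request(self, mac, requested):
        """Steps 3-4: broadcast DHCPREQUEST in, unicast DHCPACK out.

        An offer is not a lease: if the address was acknowledged to another client in
        the interim, or is excluded or conflicting, the server declines (DHCPNAK here).
        """
        ip = ipaddress.IPv4Address(requested)
        if (ip not in self.pool or ip in self.excluded or ip in self.conflicts
                or self.leases.get(ip, mac) != mac):
            self.offers.pop(mac, None)
            return {"type": "DHCPNAK"}
        self.leases[ip] = mac
        self.offers.pop(mac, None)
        return {"type": "DHCPACK", "yiaddr": str(ip), **self.options}
```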

Typically, a DHCP server is used to configure much more than IP addresses.
Other IP configuration values can be set from the DHCP config mode, as shown
in Figure [2].

IP clients will not get very far without a default gateway, which can be set by
using the default-router command. The address of the DNS server (dns-server)
and WINS server (netbios-name-server) can be configured here as
well. The IOS DHCP server can configure clients with virtually any TCP/IP
information.

Figure [3] lists the key IOS DHCP server commands, which are entered in DHCP
pool configuration mode (identified by the dhcp-config# prompt).

The EXEC mode commands shown in Figure [4] are used to monitor DHCP
server operation.

1.7.4 Easy IP

Figure: Cisco IOS Easy IP

Easy IP is a combination of Cisco IOS features that allows a router to negotiate
its own IP address and to do NAT through that negotiated address. Typically
deployed on a small office/home office (SOHO) router, Easy IP is useful in cases
where a small LAN connects to the Internet via a provider that dynamically
assigns only one IP address for the entire remote site.



A SOHO router with the Easy IP feature set uses DHCP to automatically address
local LAN clients with RFC 1918 addresses. When the router dynamically
receives its WAN interface address via the Point-to-Point Protocol, it uses NAT
overload to translate between local inside addresses and the single global
address. Therefore, both the LAN side and the WAN side are dynamically
configured with little or no administrative intervention. In effect, Easy IP offers
"plug-and-play" routing.



1.8 Helper Addresses

1.8.1 Using helper addresses

Figure 1: Purpose of Helper Addresses

DHCP is not the only critical service that uses broadcasts. Cisco routers and
other devices may use broadcasts to locate TFTP servers. Some clients may need
to broadcast to locate a TACACS (security) server. Typically, in a complex
hierarchical network, clients do not reside on the same subnet as key servers. Such
remote clients will broadcast to locate these servers, but routers, by default, will
not forward client broadcasts beyond their subnet. Because some clients cannot
function without services such as DHCP, the situation must be resolved in one of
two ways: place servers on all subnets, or use the Cisco IOS helper address
feature. Running services such as DHCP or DNS on several computers creates
overhead and administrative problems, so the first option is not very appealing.
When possible, administrators use the ip helper-address command to relay
broadcast requests for these key UDP services.

By using the helper address feature, a router can be configured to accept a
broadcast request for a UDP service and then forward it as a unicast to a specific
IP address. Alternately, the router can forward these requests as directed
broadcasts to a specific network or subnetwork.



1.8.2 Configuring IP helper addresses

Figure 1: Default Forwarded UDP Services

Figure 2: Configuring Custom UDP Forwarding

To configure the helper address, identify the router interface that will be
receiving the broadcasts for UDP services. In interface configuration mode, use
the ip helper-address command to define the address to which UDP
broadcasts for services should be forwarded.

By default, the ip helper-address command forwards the eight UDP
services shown in Figure [1].

What if Company XYZ needs to forward requests for a service not on this list?
The Cisco IOS provides the global configuration command ip forward-protocol
to allow an administrator to forward any UDP port in addition to the default
eight. In order to forward UDP on port 517, the global configuration command,
ip forward-protocol udp 517, would be used. This command is used not
only to add a UDP port to the "default eight" (see Figure [1]), but also to subtract
an unwanted service from the default group. For instance, if it is desired to
forward DHCP, TFTP, and DNS, and not Time, TACACS, and NetBIOS, the
Cisco IOS requires that the router be configured according to Figure [2].



1.8.3 IP helper address example

Figure 1: IP Helper Address Example

Figure 2: Verifying IP Helper Address Configuration

Figure 3: Verifying Directed Broadcast Forwarding

Consider this complex sample helper address configuration (see Figure [1]).
Assume Host A is to automatically obtain its IP configuration from the DHCP
server at 172.24.1.9. Because RTA will not forward Host A's DHCPDISCOVER
broadcast, RTA must be configured to help Host A.



To configure RTA's fa0/0 (the interface that receives Host A's broadcasts) to
relay DHCP broadcasts as a unicast to the DHCP server, use the following
commands:

RTA(config)#interface fa0/0
RTA(config-if)#ip helper-address 172.24.1.9

With this simple configuration, Host A broadcasts using any of the eight default
UDP ports will be relayed to the DHCP server's IP address. However, what if
Host A also needs to use the services of the NetBIOS server at 172.24.1.5? As
configured, RTA will forward NetBIOS broadcasts from Host A to the DHCP
server. Moreover, if Host A sends a broadcast TFTP packet, RTA also will
forward this to the DHCP server at 172.24.1.9. What is needed in this example is
a helper address configuration that relays broadcasts to all servers on the
segment. The following commands configure a directed broadcast to the IP
subnet that is being used as a server farm:

RTA(config)#interface fa0/0
RTA(config-if)#ip helper-address 172.24.1.255

Configuring a directed broadcast to the server segment (172.24.1.255) is more
efficient than entering the IP address of every server that could potentially
respond to Host A's UDP broadcasts.

Finally, some devices on Host A's segment need to broadcast to the TACACS
server, which does not reside in the server farm. RTA's fa0/0 can be configured
to relay those broadcasts as well by adding the command ip helper-address 172.16.1.2.

The correct helper configuration can be verified with the show ip interface
command, as shown in Figure [2].

Notice in Figure [3] that RTA's interface fa0/3 (which connects to the server
farm) is not configured with helper addresses. However, the output in Figure [3]
also shows that, for this interface, directed broadcast forwarding is disabled.
This means that the router will not convert the logical broadcast 172.24.1.255
into a physical broadcast (with a Layer 2 address of FF-FF-FF-FF-FF-FF). To
allow all the nodes in the server farm to receive the broadcasts at Layer 2,
configure fa0/3 to forward directed broadcasts with the following commands:

RTA(config)#interface fa0/3
RTA(config-if)#ip directed-broadcast
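An added Python model, not course code, of how RTA relays Host A's UDP broadcasts with the helper addresses above: the default eight ports, ip forward-protocol additions and removals (1.8.2), and the effect of ip directed-broadcast on fa0/3. Addresses 10.1.1.1/24 for fa0/0 and 172.24.1.1/24 for fa0/3 are assumed; the helper and server addresses are those in the text.

```python
import ipaddress

# The eight UDP ports ip helper-address relays by default: Time (37), TACACS (49),
# DNS (53), BOOTP/DHCP server (67) and client (68), TFTP (69), NetBIOS name (137)
# and datagram (138) services.
DEFAULT_FORWARDED_UDP = {37, 49, 53, 67, 68, 69, 137, 138}


class HelperRouter:
    """Helper-address behaviour for UDP broadcasts arriving on an interface."""

    def __init__(self):
        self.forwarded = set(DEFAULT_FORWARDED_UDP)  # edited by ip forward-protocol udp <port>
        self.interfaces = {}            # name -> IPv4Interface (address and mask)
        self.helpers = {}               # name -> helper addresses configured on it
        self.directed_broadcast = set() # interfaces with ip directed-broadcast

    def configure_interface(self, name, address):
        self.interfaces[name] = ipaddress.IPv4Interface(address)

    def helper_address(self, name, address):
        """interface <name> / ip helper-address <address> (entries accumulate)."""
        self.helpers.setdefault(name, []).append(ipaddress.IPv4Address(address))

    def forward_protocol(self, port, enabled=True):
        """ip forward-protocol udp <port>, or its no form to stop relaying a default service."""
        if enabled:
            self.forwarded.add(port)
        else:
            self.forwarded.discard(port)

    def enable_directed_broadcast(self, name):
        """interface <name> / ip directed-broadcast"""
        self.directed_broadcast.add(name)

    def _egress_interface(self, address):
        for name, iface in self.interfaces.items():
            if address in iface.network:
                return name
        return None   # not directly connected: reached through the routing table

    def relay(self, in_iface, dst_port):
        """Handle a limited broadcast for dst_port received on in_iface.

        Returns the (destination, delivery) pairs the router produces. A helper that is
        the broadcast address of a connected network becomes a directed broadcast, which
        the egress interface turns into a Layer 2 broadcast only with ip directed-broadcast.
        """
        if dst_port not in self.forwarded or in_iface not in self.helpers:
            return []   # the broadcast goes no further than the inbound subnet
        results = []
        for helper in self.helpers[in_iface]:
            egress = self._egress_interface(helper)
            if egress is not None and helper == self.interfaces[egress].network.broadcast_address:
                if egress in self.directed_broadcast:
                    delivery = "directed-broadcast"
                else:
                    delivery = "dropped-at-egress"
            else:
                delivery = "unicast"
            results.append((str(helper), delivery))
        return results


def build_rta():
    """RTA as configured in the text; the interface addresses are assumed."""
    rta = HelperRouter()
    rta.configure_interface("fa0/0", "10.1.1.1/24")     # Host A's segment (assumed)
    rta.configure_interface("fa0/3", "172.24.1.1/24")   # server farm 172.24.1.0/24 (assumed)
    rta.helper_address("fa0/0", "172.24.1.9")           # the DHCP server
    rta.helper_address("fa0/0", "172.24.1.255")         # directed broadcast to the server farm
    rta.helper_address("fa0/0", "172.16.1.2")           # the TACACS server, outside the farm
    return rta
```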

Interactive Lab Activity:

In this lab activity SanJose2 will be configured to act as a DHCP server. Then
SanJose1 will be configured to forward UDP broadcasts for DHCP requests.
Finally, the configuration will be tested using a DHCP client.



1.9 IPv6

1.9.1 IP address issues solutions

Figure: How Big Is the Internet?

In this chapter, it has been shown that IPv4 addressing faces two major
problems: the depletion of addresses, particularly the key medium-sized space
(Class B), and dangerous overgrowth of Internet routing tables.

In the early 1990s, CIDR ingeniously built on the concept of the address mask
and stepped forward to temporarily alleviate these serious problems. The
hierarchical nature of CIDR dramatically improved IPv4's scalability. Once
again, a hierarchical design proves to be a scalable one.

Yet even with subnetting (1985), variable-length subnetting (1987), and CIDR
(1993), a hierarchical structure could not save IPv4 from one simple problem:
There just are not enough addresses to meet future need. At roughly 4 billion
possibilities, the IPv4 address space is formidable, but it will not suffice in a
future world of mobile Internet-enabled devices and IP-addressable household
appliances (RFC 2235 references the world's first "Internet toaster").

Recent short-term IPv4 solutions to the address dilemma are private addressing
(RFC 1918), which sets aside addresses for unlimited internal use, and NAT,
which allows thousands of hosts to access the Internet with only a handful of
valid addresses.

However, the ultimate solution to the address shortage is the introduction of IPv6
and its 128-bit address. Developed to create a supply of addresses that would
outlive demand, IPv6 is designed to eventually replace IPv4. The fantastically
large address space of IPv6 will provide not only far more addresses than IPv4,
but additional levels of hierarchy as well. For the record, 128 bits allows for
340,282,366,920,938,463,463,374,607,431,768,211,456 possibilities.

In 1994, the IETF proposed IPv6 in RFC 1752, and a number of working groups
were formed in response. IPv6 tackles issues such as address depletion, quality
of service, address autoconfiguration, authentication, and security.

It will not be easy for organizations deeply invested in the IPv4 scheme to
migrate to a totally new architecture. As long as IPv4 (with its recent extensions
and CIDR-enabled hierarchy) remains viable, administrators will be slow to
adopt IPv6. A new IP protocol requires new software, new hardware, and new
methods of administration. It is likely that IPv4 and IPv6 will coexist, even
within an autonomous system, for years to come.

1.9.2 IPv6 address format

Figure 1: Expressing IPv6

Figure 2: IPv6 Address Format


As defined first by RFC 1884 and later revised by RFC 2373, IPv6 addresses are
128-bit identifiers for interfaces and sets of interfaces, not nodes. Three general
types of addresses exist:
• Unicast -- An identifier for a single interface. A packet sent to a unicast
address is delivered to the interface identified by that address.
• Anycast -- An identifier for a set of interfaces (typically belonging to
different nodes). A packet sent to an anycast address is delivered to the
"nearest," or first, interface in the anycast group.
• Multicast -- An identifier for a set of interfaces (typically belonging to
different nodes). A packet sent to a multicast address is delivered to all
interfaces in the multicast group.
To write 128-bit addresses so that they are readable to human eyes, IPv6's
architects abandoned dotted-decimal notation in favor of a hexadecimal format.
Therefore, IPv6 can be written as 32 hex digits, with colons separating the values
of the eight 16-bit pieces of the address, as shown in Figure [1].

Under current plans, IPv6 nodes that connect to the Internet will use what is
called an aggregatable global unicast address, which is the counterpart to IPv4
global addresses. Like CIDR-enhanced IPv4, aggregatable global unicast
addresses rely on hierarchy to keep Internet routing tables manageable. IPv6
global unicast addresses feature three levels of hierarchy:
• Public topology -- The collection of providers that provide Internet
connectivity
• Site topology -- The level local to an organization that does not provide
connectivity to nodes outside itself
• Interface identifier -- The level specific to a node's individual interface
This three-level hierarchy is reflected by the structure of the aggregatable global
unicast address, which includes the following fields (see Figure [2]):
• FP field (3 bits) -- The 3-bit Format Prefix (FP) is used to identify the type
of address (unicast, multicast, and so on). The bits 001 identify aggregatable
global unicasts.
• TLA ID field (13 bits) -- The Top-Level Aggregation Identifier (TLA ID)
field is used to identify the authority responsible for the address at the
highest level of the routing hierarchy. Internet routers will necessarily
maintain routes to all TLA IDs. With 13 bits set aside, this field can
represent up to 8,192 TLAs.
• Res field (8 bits) -- IPv6's architects defined the reserved (Res) field so that
the TLA or NLA IDs could be expanded as future growth warrants. Currently,
this field must be set to zero.
• NLA ID field (24 bits) -- The Next-Level Aggregation Identifier (NLA ID)
field is used to identify ISPs. The field itself can be organized hierarchically
to reflect a hierarchy, or multitiered relationship, among providers.
• SLA ID field (16 bits) -- The Site-Level Aggregation Identifier (SLA ID) is
used by an individual organization to create its own local addressing
hierarchy and to identify subnets.
• Interface ID field (64 bits) -- The Interface ID field is used to identify
individual interfaces on a link. This field is analogous to the host portion of
an IPv4 address, but it is derived using the IEEE EUI-64 format, which, on
LAN interfaces, adds a 16-bit field to the interface's MAC address.
In addition to the global unicast address space, IPv6 offers internal network
numbers, or "site local use" addresses, which are analogous to RFC 1918
addresses. If a node is not addressed with a global unicast address or an internal
site local use address, it can be addressed using a link local use address, which is
specific to a single network segment.
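The notation and field layout described above, worked as an added Python example (not part of the Cisco text): it parses and prints the colon-hex form with and without the "::" shorthand, splits an address into the FP, TLA ID, Res, NLA ID, SLA ID and Interface ID fields of Figure 2, and derives an EUI-64 interface identifier and link-local address from a MAC. The sample address and MAC are constructed; the 0xFFFE insertion and U/L-bit flip are taken from RFC 2373 Appendix A, which the page does not spell out.

```python
# IPv6 text form and the aggregatable global unicast layout (RFC 2373).
# Added example; SAMPLE_ADDR and SAMPLE_MAC are constructed, not from the page.
from dataclasses import dataclass
from typing import List

HEX = set("0123456789abcdefABCDEF")

def _group(text: str) -> int:
    """One colon-separated piece: 1 to 4 hex digits, i.e. one 16-bit value."""
    if not 1 <= len(text) <= 4 or not set(text) <= HEX:
        raise ValueError(f"bad 16-bit group {text!r}")
    return int(text, 16)

def to_groups(addr: str) -> List[int]:
    """Parse colon-hex text (optionally with one '::' zero run) into the eight
    16-bit pieces the text describes."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = [_group(g) for g in head.split(":")] if head else []
        right = [_group(g) for g in tail.split(":")] if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + [0] * missing + right
    else:
        groups = [_group(g) for g in addr.split(":")]
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit groups")
    return groups

def full_form(groups: List[int]) -> str:
    """All 32 hex digits: eight zero-padded groups separated by colons."""
    return ":".join(f"{g:04x}" for g in groups)

def compressed(groups: List[int]) -> str:
    """Leading zeros dropped and the longest run of two or more zero groups
    (leftmost on a tie) replaced by '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

@dataclass(frozen=True)
class AggregatableGlobalUnicast:
    fp: int            # 3-bit Format Prefix, 001 for this address type
    tla_id: int        # 13-bit Top-Level Aggregation ID
    res: int           # 8 reserved bits, must be zero today
    nla_id: int        # 24-bit Next-Level Aggregation ID (ISP hierarchy)
    sla_id: int        # 16-bit Site-Level Aggregation ID (the site's subnets)
    interface_id: int  # 64-bit Interface ID (EUI-64 on LAN interfaces)

def decode_aggregatable(addr: str) -> AggregatableGlobalUnicast:
    """Split an address into the Figure 2 fields, most significant bit first."""
    value = 0
    for g in to_groups(addr):
        value = (value << 16) | g
    fp = value >> 125
    if fp != 0b001:
        raise ValueError(f"format prefix {fp:03b} is not aggregatable global unicast")
    return AggregatableGlobalUnicast(
        fp=fp, tla_id=(value >> 112) & 0x1FFF, res=(value >> 104) & 0xFF,
        nla_id=(value >> 80) & 0xFFFFFF, sla_id=(value >> 64) & 0xFFFF,
        interface_id=value & ((1 << 64) - 1))

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC (RFC 2373 Appendix A): 0xFFFE is
    inserted after the OUI and the universal/local bit (0x02 of the first octet)
    is inverted. These two details come from the RFC, not from the page."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def link_local_from_mac(mac: str) -> str:
    """Link-local address (fe80::/64) for the segment, built from the MAC."""
    iid = eui64_interface_id(mac)
    groups = [0xFE80, 0, 0, 0] + [(iid >> s) & 0xFFFF for s in (48, 32, 16, 0)]
    return compressed(groups)

SAMPLE_ADDR = "2001:db8:0:1::1"      # constructed, documentation prefix
SAMPLE_MAC = "00:0c:29:ab:cd:ef"     # constructed
```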


1.10 Advanced IP Addressing Management Lab Exercises

1.10.1 Configuring VLSM and IP Unnumbered

Lab Activity:

In this lab, you configure VLSM and test its functionality with two different
routing protocols, RIPv1 and RIPv2. Finally, you use IP unnumbered in place of
VLSM to further conserve addresses.

1.10.2 VLSM

Lab Activity:

In this lab, you create an addressing scheme using variable-length subnet
masking (VLSM).

Lab Activity:

In this lab, you create an addressing scheme using variable-length subnet
masking (VLSM).

Lab Activity:

In this lab, you create an addressing scheme using variable-length subnet
masking (VLSM).

1.10.3 Using DHCP and IP Helper Addresses

Lab Activity:

In this lab, you configure a Cisco router to act as a DHCP server for clients on
two separate subnets. You also use the IP helper address feature to forward
DHCP requests from a remote subnet.


Summary
This chapter showed how subnet masks, VLSMs, private addressing, and
network address translation can enable more efficient use of IP addresses. The
chapter illustrated that hierarchical addressing allows for efficient allocation of
addresses and a reduced number of routing table entries. VLSMs, specifically,
provide the capability to include more than one subnet mask within a network
and the capability to subnet an already subnetted network address. Proper IP
addressing is required to ensure the most efficient network operations.


Section 2

Open Shortest Path First (OSPF)

Table of Contents

SECTION 2 ........................................................................................................................ 1

OPEN SHORTEST PATH FIRST (OSPF)........................................................................... 1


OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
2.1 OSPF OVERVIEW ....................................................................................................................................... 5
2.1.1 Issues addressed by OSPF ................................................................................................................... 5
2.1.2 OSPF terminology...............................................................................................................................7
2.1.3 OSPF states...................................................................................................................................... 12
2.1.4 OSPF network types .......................................................................................................................... 16
2.1.5 The OSPF Hello protocol .................................................................................................................. 18
2.2. OSPF OPERATION ................................................................................................................................... 21
2.2.1 Steps of OSPF Operation ................................................................................................................... 21
2.2.2 Step 1: Establish router adjacencies ................................................................................................... 21
2.2.3 Step 2: Elect a DR and a BDR............................................................................................................ 22
2.2.4 Step 3: Discover routes...................................................................................................................... 23
2.2.5 Step 4: Select appropriate routes........................................................................................................ 26
2.2.6 Step 5: Maintain routing information.................................................................................................. 27
2.3 CONFIGURING OSPF ................................................................................................................................. 31
2.3.1 Configuring OSPF on routers within a single area............................................................................... 31
2.3.2 Optional configuration commands...................................................................................................... 33
2.3.3 Optional configuration commands (con't.)........................................................................................... 34
2.4 CONFIGURING OSPF OVER NBMA ............................................................................................................ 37
2.4.1 NBMA overview ................................................................................................................................ 37
2.4.2 Full-Mesh Frame Relay ..................................................................................................................... 39
2.4.3 Partial-Mesh Frame Relay................................................................................................................. 41
2.4.4 Point-to-Multipoint OSPF.................................................................................................................. 43
2.5 VERIFYING OSPF OPERATION.................................................................................................................... 45
2.5.1 Show commands................................................................................................................................ 45
2.5.2 Clear and debug commands ............................................................................................................... 45
2.6 OSPF CONFIGURATION LAB EXERCISES...................................................................................................... 47
2.6.1 Configuring OSPF ............................................................................................................................ 47
2.6.2 Examining the DR/BDR election process............................................................................................. 47
2.6.3 Configuring Point-to-Multipoint OSPF over Frame Relay .................................................................... 47
SUMMARY ..................................................................................................................................................... 48


Overview
Open Shortest Path First (OSPF) is a link-state routing protocol based on open
standards. Described in several RFCs, most recently RFC 2328, the Open in
Open Shortest Path First means that OSPF is open to the public and
nonproprietary. Among nonproprietary routing protocols, such as RIPv1 and
RIPv2, OSPF is preferred because of its remarkable scalability. Recall that both
versions of RIP are very limited. RIP cannot scale beyond 15 hops, it converges
slowly, and it chooses suboptimal routes that ignore critical factors such as
bandwidth. OSPF addresses all of these limitations and proves to be a robust,
scalable routing protocol appropriate for today's networks.
OSPF's considerable capability to scale is achieved through hierarchical design.
An OSPF network can be divided into multiple areas, which allows for extensive
control of routing updates. By defining areas in a properly designed network, an
administrator can reduce routing overhead and improve performance. Multiarea
OSPF is discussed in Semester five of the CCNP program.


Objectives
After completing this chapter, the student will be able to perform tasks
related to:

2.1 OSPF Overview

2.2 OSPF Operation

2.3 Configuring OSPF

2.4 Configuring OSPF over NBMA

2.5 Verifying OSPF Operation

2.6 OSPF Configuration Lab Exercises


2.1 OSPF Overview

2.1.1 Issues addressed by OSPF

Figure 1: OSPF vs RIP

Figure 2: OSPF vs RIP

OSPF uses link-state technology [1], as opposed to distance-vector technology
used by protocols such as RIP [2]. Link-state routers maintain a common picture
of the network and exchange link information upon initial discovery or network
changes. Link-state routers do not broadcast routing tables periodically like
distance-vector routing protocols. While RIP is appropriate for small networks,
OSPF was written to address the needs of large, scalable internetworks. OSPF
addresses the following issues:
• Speed of convergence - In large networks, RIP convergence can take several
minutes, since the entire routing table of each router is copied and shared
with directly connected neighboring routers. In addition, a distance-vector
routing algorithm may experience hold down and/or route-aging periods.
With OSPF, convergence is faster because only the routing changes (not the
entire routing table) are flooded rapidly to other routers in the OSPF
network.
• Support for Variable-Length Subnet Masking (VLSM) - RIPv1 is a
classful protocol and does not support VLSM. In contrast, OSPF, a classless
protocol, supports VLSM. (Note: RIPv2 supports VLSM.)
• Network size - In a RIP environment, a network that is more than 15 hops
away is considered unreachable. Such limitations restrict the size of a RIP
network to small topologies. On the other hand, OSPF has virtually no
reachability limitations and is appropriate for intermediate to large size
networks.
• Use of bandwidth - RIP broadcasts full routing tables to all neighbors every
30 seconds. This is especially problematic over slow WAN links because
these updates consume bandwidth. Alternately, OSPF multicasts minimally
sized link-state updates and sends the updates only when there is a network
change.
• Path Selection - RIP selects a path by measuring the hop count, or distance,
to other routers. It does not take into consideration the available bandwidth
on the link or delays in the network. In contrast, OSPF selects optimal routes
using cost as a factor. ("Cost" is a metric based on bandwidth.)
• Grouping of members - RIP uses a flat topology and all routers are part of
the same network. Thus, communication between routers at each end of the
network must travel through the entire network. Unfortunately, changes in
even one router will affect every device in the RIP network. OSPF, on the
other hand, uses the concept of "areas" and can effectively segment a
network into smaller clusters of routers. By narrowing the scope of
communication within areas, OSPF limits traffic regionally and can prevent
changes in one area from affecting performance in other areas. This use of
areas allows a network to scale efficiently.
Although OSPF was written for large networks, implementing it requires proper
design and planning, which is especially important if the network has more than
50 routers. At this size, it is important to configure the network to let OSPF
reduce traffic and combine routing information whenever possible.


2.1.2 OSPF terminology

Figures 1 through 9: OSPF Terminology

As a link-state protocol, OSPF operates differently than the distance-vector
routing protocols. Link-state routers identify and communicate with neighbors so
that firsthand information can be gathered from other routers in the network. The
OSPF terminology is depicted in Figure [1]. A brief description of each term is
given.
The information gathered from OSPF neighbors is not a complete routing table.
Instead, OSPF routers tell each other about the status of their connections, or
"links," [2] to the internetwork. In other words, OSPF routers advertise their link
states. [3] The routers process this information and build a link-state database
[4], which is essentially a picture of who is connected to what. All routers in a
given area [5] should have identical link-state databases. Independently, each
router then runs the Shortest Path First (SPF) algorithm, also known as the
Dijkstra algorithm, on the link-state database to determine the best routes to a
destination. The SPF algorithm adds up the cost (which is a value usually based
on bandwidth) [6] of each link between the router and the destination. The router
then chooses the lowest-cost path to add to its routing table, also known as a
forwarding database. [7]
OSPF routers keep track of neighbors in the adjacencies database. [8] To
simplify the exchange of routing information among several neighbors on the
same network, OSPF routers may elect a Designated Router (DR) and a Backup
Designated Router (BDR) [9] to serve as focal points for routing updates.


2.1.3 OSPF states

Figure 1: OSPF Packet Types

Figure 2: OSPF States

Figure 3: OSPF

Figure 4: Route Discovery

Figure 5: Important Databases Kept by OSPF Routers

OSPF routers establish relationships, or states, with neighbors for efficiently
sharing link-state information. In contrast, distance-vector routing protocols,
such as RIP, blindly broadcast or multicast their complete routing table out every
interface, hoping that a router is out there to receive it. Every 30 seconds, by
default, RIP routers send only one kind of message - their complete routing table.
OSPF routers, on the other hand, rely on five different kinds of packets to
identify neighbors and to update link-state routing information. [1]
These five packet types make OSPF capable of sophisticated and complex
communications. These packet types will be discussed in more detail later in the
chapter. At this point, it is important to become familiar with the different
relationships, or states, that are possible between OSPF routers, the different
OSPF network types, and the OSPF Hello protocol.
OSPF States
The key to effectively designing and troubleshooting OSPF networks is to
understand the relationships, or states, that develop between OSPF routers.
OSPF interfaces can be in one of seven states. [2] OSPF neighbor relationships
progress through these states, one at a time, in the order presented.
1. Down State
In the Down state, the OSPF process has not exchanged information with
any neighbor. OSPF is waiting to enter the next state, which is the Init state.
2. Init State
OSPF routers send Type 1 (hello) packets at regular intervals (usually 10
seconds) to establish a relationship with neighbor routers. When an interface
receives its first hello packet, the router enters the Init state, which means the
router knows a neighbor is out there and is waiting to take the relationship to
the next step.

The two kinds of relationships are two-way and adjacency, although there
are many phases in between. A router must receive a hello from a neighbor
before it can establish any relationship.
3. Two-Way State
Using hello packets, every OSPF router tries to establish a Two-way state, or
bi-directional communication, with every neighbor router on the same IP
network. Among other things, hello packets include a list of the sender's
known OSPF neighbors. A router enters the Two-Way state when it sees
itself in a neighbor's hello. For example, as shown in Figure [3], when RTB
learns that RTA knows about RTB, RTB declares a two-way state to exist
with RTA.

The Two-Way state is the most basic relationship that OSPF neighbors can
have, but routing information is not shared between routers in this
relationship. To learn about other routers' link states and eventually build a
routing table, every OSPF router must form at least one adjacency. An
adjacency is an advanced relationship between OSPF routers that involves a
series of progressive states that rely not just on hellos, but also on the other
four types of OSPF packets. Routers that attempt to become adjacent to one
another exchange routing information even before the adjacency is fully
established. The first step toward full adjacency is the ExStart state, which is
described next.
4. ExStart State
Technically, when a router and the neighbor enter the ExStart state, the
conversation is characterized as an adjacency, but the routers have not
become fully adjacent yet. ExStart is established using Type 2 database
description (DBD) packets, also known as DDPs. The two neighbor routers
use hello packets to negotiate who is the "master" and who is the "slave" in
the relationship and DBD packets to exchange databases. [4]

The router with the highest OSPF router ID "wins" and becomes master.
(The OSPF router ID is discussed later in this chapter.) When the neighbors
establish the roles as master and slave, the Exchange state is entered and the
sending of routing information begins.
5. Exchange State
In the Exchange state, neighbor routers use Type 2 DBD packets to send
each other link-state information [4]. In other words, the routers describe
link-state databases to each other. The routers compare what is learned with
existing link-state databases. If either of the routers receives information
about a link that is not already in its database, the router requests a complete
update from its neighbor. Complete routing information is exchanged in the
Loading state.
6. Loading State
After the databases have been described to each router, they may request
information that is more complete by using Type 3 packets, called link-state
requests (LSRs). When a router receives an LSR, it responds with an update
by using a Type 4 link-state update (LSU) packet. [4] These Type 4 LSU
packets contain the actual link-state advertisements (LSAs), which are the
heart of link-state routing protocols. As shown in Figure [4], Type 4 LSUs
are acknowledged using Type 5 packets, called link-state acknowledgments
(LSAcks).
7. Full Adjacency
With the Loading state complete, the routers are fully adjacent. Each router
keeps a list of adjacent neighbors, called the adjacency database. The
adjacency database should not be confused with the link-state database or
the forwarding database. [5]


2.1.4 OSPF network types

Figure 1: OSPF Network Types

Figure 2: OSPF Network Types


Figure 3: The DR and BDR Receive LSAs

Because adjacency is required for OSPF routers to share routing information, a
router will try to become adjacent to at least one other router on each IP network
to which it is connected. Some routers may try to become adjacent to all
neighbor routers, and others may try with only one or two. OSPF routers
determine which routers to become adjacent to based on the type of network
connection.
OSPF interfaces automatically recognize broadcast multi-access networks,
nonbroadcast multiaccess (NBMA) networks, and point-to-point networks [1].
An administrator can configure a fourth network type called a point-to-
multipoint network. The four network types are listed in Figure [2].
The type of network dictates how OSPF routers relate to each other. An
administrator may have to override the detected network type in order for OSPF
to operate properly.
Some networks are defined as multiaccess because the number of routers
connected is unpredictable. A campus that uses a switched Ethernet core may
have half a dozen routers connected to the same backbone network. A school
district might have 10, 12, or 25 remote-site routers connected via Frame Relay
Permanent Virtual Circuits (PVCs) to the same IP subnet.
Because a significant number of routers can exist on a multiaccess network,
OSPF's designers developed a system to avoid the overhead that would be
created if every router established full adjacency with every other router. This
system restricts who can become adjacent to whom by employing the services of
one of the following:
• Designated router (DR) - For every multiaccess IP network, one router will
be elected the DR. This DR has two main functions. First, it becomes adjacent
to all other routers on the network. Second, it acts as a spokesperson for the
network. As spokesperson, the DR will send network LSAs for all other IP
networks to every other router. Because the DR becomes adjacent to all
other routers on the IP network, it is the focal point for collecting routing
information (LSAs).
• Backup designated router (BDR) - The DR could represent a single point
of failure, so a second router is elected as the BDR to provide fault
tolerance. Thus, the BDR must also become adjacent to all routers on the
network and must serve as a second focal point for LSAs, as shown in Figure
[3]. However, unlike the DR, the BDR is not responsible for updating the
other routers or sending network LSAs. Instead, the BDR keeps a timer on
the DR's update activity to ensure that it is operational. If the BDR does not
detect activity from the DR before the timer expires, the BDR takes over the
role of DR and a new BDR is elected.
On point-to-point networks only two nodes exist. Therefore, a focal point for
routing information is not needed. No DR or BDR is elected. Both routers
become fully adjacent to one another.

2.1.5 The OSPF Hello protocol

Figure 1: The OSPF Packet Header

Figure 2: The OSPF Hello Header

When a router starts an OSPF routing process on an interface, it sends a hello
packet and continues to send hellos at regular intervals. The rules that govern the
exchange of OSPF hello packets are collectively referred to as the Hello
Protocol.


At Layer 3 of the OSI model, hello packets are addressed to the multicast
address 224.0.0.5. This address effectively means "all OSPF routers." OSPF
routers use hello packets to initiate new adjacencies and to ensure that adjacent
neighbors have not disappeared. Hellos are sent every 10 seconds by default on
multiaccess and point-to-point networks. On interfaces that connect to NBMA
networks, such as Frame Relay, hellos are sent every 30 seconds.
Although the hello packet is small (often less than 50 bytes), hellos contain
plenty of vital information. Like OSPF packet types, hello packets include an
OSPF packet header, which has the form shown in Figure [1].
All five types of OSPF packets use the OSPF packet header, which consists of
eight fields. The purpose of each of these fields is described below:
• Version, Type, and Packet Length - The first three fields of the OSPF
packet let the recipients know the version of OSPF that is being used by the
sender (version 1 or 2), the OSPF packet type, and length. OSPF version 2
was first introduced in 1991 (RFC 1247) and is not compatible with version
1, which is obsolete. The Cisco IOS uses OSPF version 2 and cannot be
configured to use OSPF version 1.
• Router ID - The function of the hello packet is to establish and maintain
adjacencies, so the sending router assigns the fourth field with its router ID,
which is a 32-bit number used to identify the router to the OSPF protocol. A
router uses its IP address as its ID because both the router ID and the IP
address must be unique within a network. Because routers support multiple
IP addresses, a loopback IP address is used as the router ID. In the absence
of a loopback IP address, the highest-value interface IP address is used as the
router ID, regardless of whether that interface is involved in the OSPF
process.
If the interface associated with that IP address goes down, the router can no
longer use that IP address as its router ID. When a router's ID changes for any
reason, the router must reintroduce itself to its neighbors on all links. To avoid
the unnecessary overhead caused by re-establishing adjacency and readvertising
link states, an administrator typically assigns an IP address to a loopback
interface. Unless an administrator shuts down a loopback interface, it always
stays up, so loopback interfaces make ideal router IDs.
Note: If a loopback interface is configured with an IP address, the Cisco IOS will
use that IP address as the router ID, even if the other interfaces have higher
addresses.
• Area ID - Multiple areas within an OSPF network can be defined to reduce
and summarize route information, which allows large and complex networks
to continue to grow. When configuring a single-area OSPF network, Area 0
is always used because it is defined as the "backbone" area. A backbone area
is needed to scale (add other OSPF areas).
• Checksum - As seen with other protocols, a 2-byte checksum field is used to
check the message for errors. Good packets are retained and damaged
packets are discarded.
• Authentication Type and Authentication Data - OSPF supports different
methods of authentication so that OSPF routers will not believe just anyone
sending hellos to 224.0.0.5. Routers with unequal authentication fields will
not accept OSPF information from each other.


The hello header [2], which is found only in Type-1 hello packets, carries
essential information. The following are the fields in the hello header:
• Network Mask - This 32-bit field carries subnet mask information for the
network.
• Hello Interval and Dead Interval - The hello interval is the number of
seconds that an OSPF router waits to send the next hello packet. The default
for multiaccess broadcast and point-to-point networks is 10 seconds. The
dead interval is the number of seconds that a router waits before it declares a
neighbor down (if the neighbor's hello packets are no longer being received).
The dead interval is four times the hello interval by default, or 40 seconds.
Both of these intervals are configurable, which is the reason for
advertisement. If two routers have different hello intervals or dead intervals,
OSPF information will not be accepted.
• Options - The router can use this field to indicate optional configurations,
including the stub area flag, which is discussed in Semester five of the
CCNP curriculum.
• Router Priority - This field contains a value that indicates the priority of
this router when selecting a designated router (DR) and backup designated
router (BDR). The default priority is 1 and can be configured to a higher
number to ensure that a specified router becomes the DR.
• Designated Router and Backup Designated Router - The router IDs of the
DR and BDR are listed here, if known by the source of the hello packet.
• Neighbor Address - If the source of the hello packet has received a valid
hello from any neighbor within the dead interval, its router ID is included
here.
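As an added example (not part of the Cisco course material), the following Python builds, parses and checks an OSPFv2 hello against the rules described above: the packet layout follows RFC 2328, the checksum skips the 64-bit authentication field, and a hello is ignored when its area, authentication, mask or timers differ from the receiving interface. The sample packets and RTA's interface settings are constructed from the chapter's RTA/RTB values.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# OSPFv2 packet header: version, type, length, router ID, area ID, checksum, AuType, authentication
OSPF_HDR = struct.Struct("!BBHIIHH8s")
# Hello header: network mask, hello interval, options, router priority, dead interval, DR, BDR
HELLO_HDR = struct.Struct("!IHBBIII")
TYPE_HELLO = 1

def inet_checksum(data: bytes) -> int:
    """Ones' complement checksum; yields 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

@dataclass
class Hello:
    router_id: IPv4Address
    area_id: IPv4Address
    autype: int
    auth: bytes
    network_mask: IPv4Address
    hello_interval: int
    options: int
    priority: int
    dead_interval: int
    dr: IPv4Address
    bdr: IPv4Address
    neighbors: tuple
    checksum_ok: bool

def build_hello(router_id, area_id, mask, hello, dead, priority=1, dr="0.0.0.0",
                bdr="0.0.0.0", neighbors=(), options=0x02, password=b""):
    """Construct a hello with AuType 0 (null) or 1 (simple password, carried in clear text)."""
    body = HELLO_HDR.pack(int(IPv4Address(mask)), hello, options, priority, dead,
                          int(IPv4Address(dr)), int(IPv4Address(bdr)))
    body += b"".join(struct.pack("!I", int(IPv4Address(n))) for n in neighbors)
    autype, auth = (1 if password else 0), password[:8].ljust(8, b"\x00")
    def header(csum):
        return OSPF_HDR.pack(2, TYPE_HELLO, OSPF_HDR.size + len(body), int(IPv4Address(router_id)),
                             int(IPv4Address(area_id)), csum, autype, auth)
    # the checksum covers the whole packet except the 64-bit authentication field
    return header(inet_checksum(header(0)[:16] + body)) + body

def parse_hello(pkt: bytes) -> Hello:
    """Decode the header and hello fields; raises ValueError on anything that is not a hello."""
    ver, ptype, length, rid, aid, _, autype, auth = OSPF_HDR.unpack_from(pkt)
    nbr_bytes = length - OSPF_HDR.size - HELLO_HDR.size
    if ver != 2 or ptype != TYPE_HELLO or length > len(pkt) or nbr_bytes < 0 or nbr_bytes % 4:
        raise ValueError("not a well-formed OSPFv2 hello")
    pkt, body = pkt[:length], pkt[OSPF_HDR.size:length]
    mask, hello, options, priority, dead, dr, bdr = HELLO_HDR.unpack_from(body)
    neighbors = tuple(IPv4Address(int.from_bytes(body[i:i + 4], "big"))
                      for i in range(HELLO_HDR.size, len(body), 4))
    # MD5-authenticated packets (AuType 2) carry no checksum; anything else must verify to zero
    checksum_ok = autype == 2 or inet_checksum(pkt[:16] + body) == 0
    return Hello(IPv4Address(rid), IPv4Address(aid), autype, auth, IPv4Address(mask), hello,
                 options, priority, dead, IPv4Address(dr), IPv4Address(bdr), neighbors, checksum_ok)

@dataclass
class LocalInterface:
    """The receiving interface's own settings; a hello must match these to be accepted."""
    area_id: IPv4Address
    network_mask: IPv4Address
    hello_interval: int
    dead_interval: int
    autype: int = 0
    auth: bytes = b"\x00" * 8
    point_to_point: bool = False   # the mask is not compared on point-to-point links

def hello_mismatches(h: Hello, local: LocalInterface) -> list:
    """Reasons a hello would be ignored; an empty list means the sender can become a neighbor."""
    problems = []
    if not h.checksum_ok:
        problems.append("checksum error, packet discarded")
    if h.area_id != local.area_id:
        problems.append(f"area ID {h.area_id} != {local.area_id}")
    if (h.autype, h.auth) != (local.autype, local.auth):
        problems.append("authentication type or key mismatch")
    if not local.point_to_point and h.network_mask != local.network_mask:
        problems.append(f"network mask {h.network_mask} != {local.network_mask}")
    if h.hello_interval != local.hello_interval:
        problems.append(f"hello interval {h.hello_interval} != {local.hello_interval}")
    if h.dead_interval != local.dead_interval:
        problems.append(f"dead interval {h.dead_interval} != {local.dead_interval}")
    return problems

# Constructed samples: RTA's E0 on 10.5.0.0/16 in area 0 with the default 10 s / 40 s timers,
# and RTB's hello (router ID 10.6.0.1) listing RTA's 10.5.0.1 as an already-heard neighbor
RTA_E0 = LocalInterface(IPv4Address("0.0.0.0"), IPv4Address("255.255.0.0"), 10, 40)
RTB_HELLO = build_hello("10.6.0.1", "0.0.0.0", "255.255.0.0", 10, 40, neighbors=("10.5.0.1",))
# The same hello after "ip ospf dead-interval 20" was applied on only one side of the link
BAD_TIMER_HELLO = build_hello("10.6.0.1", "0.0.0.0", "255.255.0.0", 10, 20)
# RTB's hello with its router-priority byte (packet offset 31) corrupted in transit
CORRUPT_HELLO = RTB_HELLO[:31] + bytes([RTB_HELLO[31] ^ 0xFF]) + RTB_HELLO[32:]
```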

2.2 OSPF Operation

2.2.1 Steps of OSPF Operation


OSPF routers progress through five distinct steps of operation:
1. Establish router adjacencies.
2. Elect a DR and BDR (if necessary).
3. Discover routes.
4. Select the appropriate routes to use.
5. Maintain routing information.
The following sections describe each of these steps in detail.

2.2.2 Step 1: Establish router adjacencies

Figure 1: Example of an OSPF Topology

A router's first step in OSPF operation is to establish router adjacencies. Each of
the three routers shown in the figure attempts to become adjacent to another
router on the same IP network.
To become adjacent with another router, RTB sends hello packets, advertising
its own router ID. Because no loopback interfaces are present, RTB chooses its
highest IP address, 10.6.0.1, as its router ID.
Assuming that RTB is appropriately configured, RTB multicasts hello packets
out both S0 and E0. RTA and RTC should both receive the hello packets. These
two routers then add RTB to the Neighbor ID field of the respective hello
packets and enter the Init state with RTB.
RTB receives hello packets from both of its neighbors and sees its own ID
number (10.6.0.1) in the Neighbor ID field. RTB declares a Two-Way state
between itself and RTA, and a Two-Way state between itself and RTC.
At this point, RTB determines which routers to establish adjacencies with, based
on the type of network that a particular interface resides on. If the network type
is point-to-point, the router becomes adjacent with its sole link partner. If the
network type is multiaccess, RTB enters the election process to become a DR or
BDR, unless both roles are already established (as advertised in the hello packet
header).
If an election is necessary, OSPF routers will proceed as described in the next
section, Step 2: Elect a DR and a BDR. However, if an election is not necessary,
the routers will enter the ExStart state, as described in the section, Step 3:
Discover Routes.

2.2.3 Step 2: Elect a DR and a BDR

Figure 1: The DR and BDR Election Process

Because multiaccess networks can support more than two routers, OSPF elects a
DR to be the focal point of all link-state updates and LSAs. The DR's role is
critical, therefore a BDR is elected to "shadow" the DR. In the event that the DR
fails, the BDR can smoothly take over.
Like any election, the DR/BDR selection process can be rigged. The "ballots"
are hello packets, which contain a router's ID and priority fields. The router with
the highest priority value among adjacent neighbors wins the election and
becomes the DR. The router with the second-highest priority is elected the BDR.
When the DR and BDR have been elected, the roles are kept until one of the
routers fails, even if additional routers with higher priorities show up on the
network. Hello packets inform newcomers of the identity of the existing DR and
BDR.
OSPF routers all have the same default priority value of 1. A priority from 0 to
255 can be assigned on any given OSPF interface. A priority of 0 prevents the
router from winning any election on that interface. A priority of 255 ensures at
least a tie. The Router ID field is used to break ties. If two routers have the same
priority, the router with the highest ID will be selected. The router ID can be
manipulated by configuring an address on a loopback interface, although that is
not the preferred way to control the DR/BDR election process. The priority
value should be used instead because each interface can have its own unique
priority value. A router can be configured to win an election on one interface and
lose an election on another.
How does the DR election process affect the example network? As shown in the
figure, RTB and RTC are connected via PPP on a point-to-point link. Thus, there
is no need for a DR on the network 10.6.0.0/16 because only two routers can
exist on this link.
Because 10.4.0.0/16 and 10.5.0.0/16 networks are multiaccess Ethernet
networks, these two networks may potentially connect more than two routers.
Even if only one router is connected to a multiaccess segment, a DR is still
elected because the potential exists for more routers to be added to the network.
Thus, a DR must be elected on both 10.4.0.0/16 and 10.5.0.0/16.
Note: DRs and BDRs are elected on a per-network basis. An OSPF area can
contain more than one IP network, so each area can (and usually does) have
multiple DRs and BDRs.
In the example topology, RTA serves a dual role as both the DR and the BDR.
Because it is the only router on the 10.4.0.0/16 network, RTA elects itself as the
DR. After all, the 10.4.0.0/16 network is a multiaccess Ethernet network, so a
DR is elected because multiple routers could potentially be added to this
network. RTA is also the runner-up in the election for 10.5.0.0/16 and thus the
BDR for that network. Despite claiming equal priority value with RTA, RTB is
elected as DR for 10.5.0.0/16 by virtue of the tiebreaker, which is a higher router
ID (10.5.0.2 vs. 10.5.0.1).
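To make the election rules concrete, here is an added Python model (not from the course) of the DR/BDR selection as the chapter describes it: highest priority wins, the router ID breaks ties, priority 0 is ineligible, and existing holders are not preempted. The 10.5.0.1 and 10.5.0.2 router IDs are the chapter's; the late-arriving router RTX is a hypothetical addition.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Candidate:
    """One router's hello as seen on a multiaccess segment: its router ID and interface priority."""
    name: str
    router_id: str
    priority: int = 1          # Cisco IOS default; 0 means "never DR or BDR" on this interface


def ballot(c: Candidate):
    """Ordering used by the election: highest priority wins, highest router ID breaks ties."""
    return (c.priority, int(IPv4Address(c.router_id)))


def elect_dr_bdr(candidates, current=(None, None)):
    """Return (DR, BDR) names for one segment.

    current holds the roles already advertised in hellos. Existing holders are kept as long
    as they are still present (no preemption); if the DR disappears the BDR takes over and
    a new BDR is chosen. A lone router holds both roles, as RTA does on 10.4.0.0/16."""
    eligible = sorted((c for c in candidates if c.priority > 0), key=ballot, reverse=True)
    present = {c.name for c in eligible}
    dr, bdr = current
    if dr not in present:                  # DR failed (or none yet): the BDR is promoted
        dr = bdr if bdr in present else None
    if dr is None and eligible:
        dr = eligible[0].name
    if bdr not in present or bdr == dr:    # BDR slot empty or just promoted: runner-up fills it
        rest = [c.name for c in eligible if c.name != dr]
        bdr = rest[0] if rest else dr
    return dr, bdr


# Constructed from the chapter's example: on 10.5.0.0/16 both routers keep the default priority,
# so the higher router ID (10.5.0.2 vs 10.5.0.1) decides
RTA = Candidate("RTA", "10.5.0.1")
RTB = Candidate("RTB", "10.5.0.2")


def scenarios():
    """Walk through the chapter's cases and return the resulting (DR, BDR) per case."""
    results = {}
    results["10.5.0.0/16"] = elect_dr_bdr([RTA, RTB])                       # RTB DR, RTA BDR
    results["10.4.0.0/16 (RTA alone)"] = elect_dr_bdr([RTA])                # RTA holds both roles
    # RTB configured with "ip ospf priority 0" on E0: it can no longer win on that segment
    results["RTB priority 0"] = elect_dr_bdr([RTA, Candidate("RTB", "10.5.0.2", 0)])
    # A new router with priority 255 appears after the election: the roles are kept
    newcomer = Candidate("RTX", "10.5.0.9", 255)      # hypothetical router, not on the page
    results["late RTX"] = elect_dr_bdr([RTA, RTB, newcomer], current=("RTB", "RTA"))
    # The DR (RTB) fails: the BDR takes over and RTX becomes the new BDR
    results["RTB fails"] = elect_dr_bdr([RTA, newcomer], current=("RTB", "RTA"))
    return results


if __name__ == "__main__":
    for case, roles in scenarios().items():
        print(f"{case:28} DR={roles[0]} BDR={roles[1]}")
```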
With elections complete and bi-directional communication established, routers
are ready to share routing information with adjacent routers and build their link-
state databases. This process is discussed in the next section.

2.2.4 Step 3: Discover routes

Figure 1: Route Discovery

Figure 2: Route Discovery

Figure 3: Route Discovery

Figure 4: Route Discovery

Figure 5: Route Discovery

On a multiaccess network, the exchange of routing information occurs between
the DR or BDR and every other router on the network. As the DR and BDR on
the 10.5.0.0 /16 network, RTA and RTB will exchange link-state information.
Link partners on a point-to-point or point-to-multipoint network also engage in
the exchange process. That means that RTB and RTC will share link-state data.
[1]
However, who goes first? This question is answered in the first stage of the
Exchange process, the ExStart state. [2] The purpose of ExStart is to establish a
master/slave relationship between the two routers. The router that announces the
highest router ID in the hello packet acts as master, as shown in Figure [2]. The
master router orchestrates the exchange of link-state information, while the slave
router responds to prompts from the master. RTB engages in this process with
both RTA and RTC.
After the routers define roles as master and slave, the Exchange state is entered.
As shown in Figure [3], the master leads the slave through a swap of DBDs that
describe each router's link-state database in limited detail. These descriptions
include the link-state type, the address of the advertising router, the cost of the
link, and a sequence number.
The routers acknowledge the receipt of a DBD by sending an LSAck (Type 5)
packet, which echoes back the DBD's sequence number. Each router compares
the information that it receives in the DBD with the information that it already
has. If the DBD advertises a new or more up-to-date link state, the router will
enter the Loading state [4] by sending an LSR (Type 3) packet about that entry.
In response to the LSR, a router sends the complete link-state information, using
an LSU (Type 4) packet. LSUs carry LSAs.
With the Loading state complete, the routers have achieved full adjacency
(entered into the Full state). [5] RTB is now adjacent to RTA and to RTC.
Adjacent routers must be in the Full state before creating the routing tables and
routing traffic. At this point, the neighbor routers should all have identical link-
state databases.

2.2.5 Step 4: Select appropriate routes

Figure 1: Selecting the Best Route

After a router has a complete link-state database, it is ready to create its routing
table so that it can forward traffic. As mentioned earlier in the chapter, OSPF
uses the metric value called cost to determine the best path to a destination (see
the figure above). The default cost value is based on media bandwidth. In
general, cost decreases as the speed of the link increases. RTB's 10-Mbps
Ethernet interface, for example, has a lower cost than its T1 serial line because
10 Mbps is faster than 1.544 Mbps.
To calculate the lowest cost to a destination, RTB uses the SPF algorithm. In
simple terms, the SPF algorithm adds up the total costs between the local router
(called the root) and each destination network. If there are multiple paths to a
destination, the lowest-cost path is preferred. By default, OSPF keeps up to four
equal-cost route entries in the routing table for load balancing.
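As an added illustration (not from the course material) of the SPF step just described, the following Python computes RTB's routing table over the chapter's RTA/RTB/RTC topology, using the Cisco IOS cost formula from section 2.3.3 (10^8 divided by the bandwidth) for each interface and keeping up to four equal-cost next hops. The second RTB-RTC T1 on 10.8.0.0/16 and the 10.7.0.0/16 LAN behind RTC are assumptions added so that equal-cost paths appear.

```python
import heapq
from collections import defaultdict


def ospf_cost(bandwidth_kbps: int) -> int:
    """Cisco IOS default interface cost: 10^8 / bandwidth in bps, truncated and clamped to 1..65535."""
    return max(1, min(65535, 10**8 // (bandwidth_kbps * 1000)))


# Constructed link-state view of the chapter's topology plus two assumptions (not on the page):
# a second T1 between RTB and RTC on 10.8.0.0/16 and a LAN 10.7.0.0/16 behind RTC.
# Each router lists the networks it attaches to with the cost of its own interface.
LSDB = {
    "RTA": {"10.4.0.0/16": ospf_cost(10_000), "10.5.0.0/16": ospf_cost(10_000)},
    "RTB": {"10.5.0.0/16": ospf_cost(10_000), "10.6.0.0/16": ospf_cost(1_544),
            "10.8.0.0/16": ospf_cost(1_544)},
    "RTC": {"10.6.0.0/16": ospf_cost(1_544), "10.8.0.0/16": ospf_cost(1_544),
            "10.7.0.0/16": ospf_cost(10_000)},
}


def spf(lsdb, root, max_paths=4):
    """Dijkstra from the root router; returns {network: (cost, next hops)} where each next hop is
    (outgoing network, neighbor router) and at most max_paths equal-cost next hops are kept."""
    adj = defaultdict(list)
    for rtr, links in lsdb.items():
        for net, cost in links.items():
            adj[rtr].append((net, cost))   # router -> network costs the interface cost
            adj[net].append((rtr, 0))      # network -> router costs nothing
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    # Every predecessor on an equal-cost path contributes its next hops (equal-cost load balancing)
    preds = defaultdict(set)
    for u in dist:
        for v, c in adj[u]:
            if v in dist and dist[u] + c == dist[v]:
                preds[v].add(u)
    nexthops = {root: frozenset()}
    # networks at distance d are resolved before the routers reached through them at the same d
    for v in sorted((n for n in dist if n != root), key=lambda n: (dist[n], n in lsdb)):
        nh = set()
        for u in preds[v]:
            if u == root:
                continue                   # v is directly connected: no next hop needed
            if not nexthops[u]:
                nh.add((u, v))             # u is directly connected, so v is an adjacent router
            else:
                nh |= nexthops[u]
        nexthops[v] = frozenset(nh)
    return {n: (dist[n], tuple(sorted(nexthops[n]))[:max_paths])
            for n in dist if n not in lsdb}


if __name__ == "__main__":
    for net, (cost, hops) in sorted(spf(LSDB, "RTB").items()):
        print(f"{net:12} cost {cost:3}  via {hops or 'directly connected'}")
```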
Sometimes a link, such as a serial line, will go up and down rapidly (a condition
called flapping). If a flapping link causes LSUs to be generated, routers that
receive those updates must rerun the SPF algorithm to recalculate routes.
Prolonged flapping can severely affect performance. Repeated SPF calculations
can overtax the router's CPU. Moreover, the constant updates may prevent link-
state databases from converging.
To combat this problem, the Cisco IOS uses an SPF hold timer. After receiving
an LSU, the SPF hold timer determines how long a router will wait before
running the SPF algorithm. The timers spf command enables adjustment to
the timer, which defaults to 10 seconds.
After RTB has selected the best routes using the SPF algorithm, it moves into the
final phase of OSPF operation.

2.2.6 Step 5: Maintain routing information

Figure 1: Link-State Information

Figure 2: Link-State Information

Figure 3: Link-State Information

Figure 4: Link-State Information

When an OSPF router has installed routes in its routing table, it must diligently
maintain routing information. When there is a change in a link-state, OSPF
routers use a flooding process to notify other routers on the network about the
change. The Hello protocol's dead interval provides a simple mechanism for
declaring a link partner down. If RTB does not hear from RTA for a time period
exceeding the dead interval (usually 40 seconds), RTB declares its link to RTA
down.
RTB then sends an LSU packet containing the new link-state information, but to
whom?
• On a point-to-point network, no DR or BDR exists. New link-state
information is sent to the 224.0.0.5 multicast address. All OSPF routers
listen at this address.
• On a multiaccess network, a DR and BDR exist and maintain adjacencies
with all other OSPF routers on the network. If a DR or BDR needs to send a
link-state update, it will send it to all OSPF routers at 224.0.0.5. However,
the other routers on a multiaccess network are adjacent only to the DR and
the BDR and thus can send LSUs only to them. For that reason, the DR and
BDR have their own multicast address, 224.0.0.6. Non-DR/BDR routers
send their LSUs to 224.0.0.6, or "all DR/BDR routers" [1].
When the DR receives and acknowledges the LSU destined for 224.0.0.6, it
floods the LSU to all OSPF routers on the network at 224.0.0.5 [2]. Each router
acknowledges receipt of the LSU with an LSAck.
If an OSPF router is connected to another network, it floods the LSU to other
networks by forwarding the LSU to the DR of the multiaccess network, or to an
adjacent router if in a point-to-point network [3]. The DR, in turn, multicasts the
LSU to the other OSPF routers in that network.
Upon receiving an LSU that includes new information, an OSPF router updates
its link-state database. It then runs the SPF algorithm using the new information
to recalculate the routing table. After the SPF hold timer expires, the router
switches over to the new routing table. [4]
If a route already exists in a Cisco router, the old route is used while the SPF
algorithm is calculating the new information. If the SPF algorithm is calculating
a new route, the router will not use that route until after the SPF calculation is
complete.
It is important to note that even if a change in link state does not occur, OSPF
routing information is periodically refreshed. Each LSA entry has its own age
timer. The default timer value is 30 minutes. After an LSA entry ages out, the
router that originated the entry sends an LSU to the network to verify that the
link is still active.

2.3 Configuring OSPF

2.3.1 Configuring OSPF on routers within a single area

Figure 1: Basic OSPF Configuration

Figure 2: Basic OSPF Configuration

This section covers the process of configuring OSPF on routers within a single
area.
To configure OSPF, OSPF is enabled on the router and the router's network
addresses and area information are also configured [1], according to the
following steps:
1. Enable OSPF on the router using the following command:

router(config)# router ospf process-id

The process ID is a process number on the local router. The process ID is
used to identify multiple OSPF processes on the same router. The number
can be any value between 1 and 65,535. The numbering process does not
have to start at 1. Most network administrators keep the same process ID
throughout the entire autonomous system (AS). It is possible to run multiple
OSPF processes on the same router, but is not recommended because it
creates multiple database instances that add extra overhead to the router.
2. Identify IP networks on the router, using the following command:

router(config-router)# network address wildcard-mask area area-id

For each network, an area must be identified to which the network belongs.
The network value can be the network address, subnet, or the address of the
interface. The router knows how to interpret the address by comparing the
address to the wildcard mask. A wildcard mask is necessary because OSPF
supports Classless InterDomain Routing (CIDR) and Variable Length Subnet
Masking (VLSM), unlike RIPv1 and IGRP. The area argument is needed
even when configuring OSPF in a single area. More than one IP network can
belong to the same area.

Interactive Lab Activity:

In this lab exercise, you will configure the SanJose 1 router for OSPF in a single
area. The Westasman router is already configured for OSPF.

You will first specify the OSPF process ID and then enter router configuration
mode.

In router configuration mode, you will configure OSPF for specific networks in
area 0.

2.3.2 Optional configuration commands

Figure: Monitoring OSPF with the show ip ospf interface Command

Configuring a Loopback Address
When the OSPF process starts, the Cisco IOS uses the highest local IP address as
its OSPF router ID. If a loopback interface is configured, that address is used,
regardless of its value. The loopback interface address is assigned with the
following commands:
router(config)#interface loopback number
router(config-if)#ip address ip-address subnet-mask
A loopback-derived router ID ensures stability because that interface is immune
to link failure. The loopback interface must be configured before the OSPF
process starts, to override the highest interface IP address.
It is recommended a loopback address be used on all key routers in an OSPF-
based network. To avoid routing problems, it is good practice to use a 32-bit
subnet mask when configuring a loopback IP address, as shown:
router(config)#interface loopback0
router(config-if)#ip address 192.168.1.1 255.255.255.255
A 32-bit mask is sometimes called a host mask, because it specifies a single host
and not a network or subnetwork. Note: To prevent propagation of bogus routes,
OSPF always advertises loopback addresses as host routes, with a 32-bit mask.
Modifying OSPF Router Priority
DR/BDR elections are manipulated by configuring the priority value to a
number other than the default value, which is 1. A value of 0 guarantees that the
router will not be elected as a DR or BDR. Each OSPF interface can announce a
different priority. The priority value (a number from 0 to 255) can be configured
with the ip ospf priority command, which has the following syntax:
router(config-if)#ip ospf priority number
To set a router's E0 with a priority of 0 (so that it cannot win DR/BDR elections
on that network), the following commands are used:
RTB(config)#interface e0
RTB(config-if)#ip ospf priority 0
For the priority value to figure into the election, it must be set before the election
takes place. An interface's priority value and other key information can be
displayed with the show ip ospf interface command as shown in the figure.
The output in this example tells which routers have been elected the DR and
BDR, the network type (in this case, broadcast multiaccess), the cost of the link
(10), and the timer intervals specific to this interface. The timer intervals
configured are Hello (10), Dead (40), Wait (40), Retransmit (5).

2.3.3 Optional configuration commands (con't.)

Figure 1: Cisco IOS Default OSPF Path Costs

Figure 2: The ip ospf message-digest-key Command Parameters

OSPF routers use costs associated with interfaces to determine the best route.
The Cisco IOS automatically determines cost based on the bandwidth of an
interface using the formula:
10^8 / bandwidth value = 100,000,000 / bandwidth value
Figure [1] shows common default path costs for a variety of media. For OSPF to
calculate routes properly, all interfaces connected to the same link must agree on
the cost of that link. In a multivendor routing environment, the default cost of an
interface may be overridden to match another vendor's value with the ip ospf
cost command, which has the following syntax:
router(config-if)#ip ospf cost number
The new cost can be a number between 1 and 65,535. This command can be used
to override the default cost on a router's S0 using these commands:
router(config)#interface s0
router(config-if)#ip ospf cost 1000
The ip ospf cost command can also be used to manipulate the desirability
of a route because routers install the lowest-cost paths in the tables.
For the Cisco IOS cost formula to be accurate, serial interfaces must be
configured with appropriate bandwidth values. Cisco routers default to T1 (1.544
Mbps) on most serial interfaces and require manual configuration for any other
bandwidth, as shown in this example:
router(config)#interface s1
router(config-if)#bandwidth 56
Configuring Authentication
Authentication is another interface-specific configuration. Each OSPF interface
on a router can present a different authentication key, which functions as a
password among OSPF routers in the same area. The following command syntax
is used to configure OSPF authentication:
router(config-if)#ip ospf authentication-key password
After a password is configured, authentication can be enabled on an area-wide
basis with the following syntax, which must be entered on all participating
routers:
router(config-router)#area number authentication [message-digest]
Although the message-digest keyword is optional, it is recommended that it
always be used with this command. By default, authentication passwords will be
sent in clear text over the wire. A packet sniffer could easily capture an OSPF
packet and decode the unencrypted password. However, if the message-
digest argument is used, a message digest, or hash, of the password is sent
over the wire in place of the password itself. Unless the recipient is configured
with the proper authentication key, that person will not be able to make sense of
the message digest.
If message-digest authentication is chosen, the authentication key will not be
used. Instead, a message-digest key on the OSPF router's interface must be
configured. The syntax for this command is as follows:
router(config-if)#ip ospf message-digest-key key-id md5 [encryption-type] password
Figure [2] describes the ip ospf message-digest-key command
parameters.
The following example sets the message-digest key to "itsasecret" and enables
message-digest authentication within Area 0.
router(config)#int s0
router(config-if)#ip ospf message-digest-key 1 md5 7 itsasecret
router(config-if)#int e0
router(config-if)#ip ospf message-digest-key 1 md5 7 itsasecret
router(config-if)#router ospf 1
router(config-router)#area 0 authentication message-digest
Remember, the same parameters on the other routers in the same area would
have to be configured.
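To show what the message-digest option changes on the wire, here is an added Python example (not from the course) that builds and verifies the MD5 trailer of RFC 2328 Appendix D.4.3 as a receiving router would, including the cryptographic sequence number that rejects replayed packets. The key-id 1 and the password "itsasecret" are the page's values; the sequence numbers, the hello body and the RTA/RTB roles are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

OSPF_HDR = struct.Struct("!BBHIIHH8s")   # version, type, length, router ID, area ID, checksum, AuType, auth
AUTYPE_MD5 = 2
DIGEST_LEN = 16


def _pad_key(key: bytes) -> bytes:
    """The configured key is right-padded with zeros to 16 bytes before it is appended."""
    if len(key) > 16:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(16, b"\x00")


def md5_sign(ptype, router_id, area_id, body, key_id, key, seq):
    """Build an OSPFv2 packet with the message-digest trailer of RFC 2328, Appendix D.4.3."""
    # Authentication field: two zero bytes, Key ID, Auth Data Length (16), cryptographic sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    # With message-digest authentication the header checksum is set to 0 and not computed
    hdr = OSPF_HDR.pack(2, ptype, OSPF_HDR.size + len(body), int(IPv4Address(router_id)),
                        int(IPv4Address(area_id)), 0, AUTYPE_MD5, auth)
    pkt = hdr + body
    # The key never leaves the router: only MD5(packet || key) is appended, beyond the length field
    return pkt + hashlib.md5(pkt + _pad_key(key)).digest()


def md5_verify(data: bytes, keys: dict, last_seq: dict) -> str:
    """Check a received packet; returns "ok" or the reason it must be dropped.
    keys maps key-id -> key for this interface, last_seq maps router ID -> highest sequence accepted."""
    _, _, length, rid, _, checksum, autype, auth = OSPF_HDR.unpack_from(data)
    if autype != AUTYPE_MD5:
        return "authentication type mismatch"
    zero, key_id, dlen, seq = struct.unpack("!HBBI", auth)
    if zero or dlen != DIGEST_LEN or checksum or len(data) < length + DIGEST_LEN:
        return "malformed message-digest trailer"
    key = keys.get(key_id)
    if key is None:
        return f"no key configured for key-id {key_id}"
    pkt, digest = data[:length], data[length:length + DIGEST_LEN]
    expected = hashlib.md5(pkt + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):     # constant-time comparison
        return "digest mismatch (wrong key or modified packet)"
    sender = str(IPv4Address(rid))
    if seq < last_seq.get(sender, 0):                 # replayed or out-of-order packet
        return f"sequence number {seq} older than {last_seq[sender]}"
    last_seq[sender] = seq
    return "ok"


# Constructed sample: RTB (router ID 10.6.0.1) sends a hello body (mask 255.255.0.0, hello 10,
# options 0x02, priority 1, dead 40, no DR/BDR) signed with key-id 1 and the page's password
HELLO_BODY = bytes.fromhex("ffff0000" "000a" "02" "01" "00000028" "00000000" "00000000")
KEY_ID, KEY = 1, b"itsasecret"
SIGNED = md5_sign(1, "10.6.0.1", "0.0.0.0", HELLO_BODY, KEY_ID, KEY, seq=1000)


def demo():
    """Run the receiver-side checks RTA would perform and return each outcome."""
    seen = {}
    outcomes = {"good": md5_verify(SIGNED, {KEY_ID: KEY}, seen)}
    # The same packet seen again after a newer sequence number was already accepted: replay rejected
    outcomes["replay"] = md5_verify(SIGNED, {KEY_ID: KEY}, {"10.6.0.1": 1001})
    # A neighbor configured with a different password for key-id 1
    outcomes["wrong key"] = md5_verify(SIGNED, {KEY_ID: b"wrongkey"}, {})
    # Dead interval in the signed body changed from 40 to 20 in transit (low byte at packet offset 35)
    tampered = SIGNED[:35] + b"\x14" + SIGNED[36:]
    outcomes["tampered"] = md5_verify(tampered, {KEY_ID: KEY}, {})
    return outcomes
```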
Configuring OSPF Timers
In order for OSPF routers to exchange information, the hello intervals and the
dead intervals must be the same. By default, the dead interval is four times the
value of the hello interval. That way, a router has four chances to send a hello
packet before being declared dead.
On broadcast OSPF networks, the default hello interval is 10 seconds, and the
default dead interval is 40 seconds. On nonbroadcast networks, the default hello
interval is 30 seconds, and the default dead interval is 2 minutes (120 seconds).
These default values typically result in efficient OSPF operation and therefore
do not need to be modified. There may be a situation in which the hello and dead
intervals need to be adjusted either to improve performance or to match another
router's timers. The syntax of the commands needed to configure both the hello
and dead intervals is as follows:
router(config-if)#ip ospf hello-interval seconds
router(config-if)#ip ospf dead-interval seconds
The following example sets the hello interval to 5 seconds, and the dead interval
to 20 seconds.
router(config)#interface e0
router(config-if)#ip ospf hello-interval 5
router(config-if)#ip ospf dead-interval 20
Note that although it is advised, the Cisco IOS does not require a configuration
of the dead interval to be four times the hello interval. If the dead interval is set
to less than that, the risk increases that a router could be declared dead, when in
fact a congested or flapping link has prevented one or two hello packets from
reaching the destination.

2.4 Configuring OSPF Over NBMA

2.4.1 NBMA overview

Figure 1: Neighbor Status in Different Network Types

Figure 2: Types of OSPF Networks

Figure 3: Neighbor Status in Different Network Types

This chapter has focused on broadcast multiaccess and point-to-point OSPF
networks in detail. Even if there is only one router, broadcast multiaccess
networks elect a DR and a BDR to serve as focal points for routing information.
In contrast, point-to-point OSPF networks do not elect a DR because there can
never be more than two nodes.
Another type of OSPF network, Nonbroadcast Multiaccess (NBMA), can
include more than two nodes [1] and therefore will try to elect a DR and a BDR.
Common NBMA implementations include Frame Relay, X.25, and SMDS.
NBMA networks follow rules at Layer 2 that prevent the delivery of broadcasts
and multicasts. Figure [2] summarizes the OSPF network types.
NBMA networks can create problems with OSPF operation, specifically with the
exchange of multicast hello packets. In the example shown in Figure [3], RTA,
RTB, and RTC belong to the same IP subnetwork and will attempt to elect a DR
and a BDR. However, these routers cannot hold a valid election if they cannot
receive multicast hellos from every other router on the network. Without
administrative intervention, a strange election takes place. As far as RTA is
concerned, RTC is not participating. Likewise, RTC goes through the election
process oblivious to RTA. This botched election can lead to problems if the
central router, RTB, is not elected the DR.
The Cisco IOS offers several options for configuring OSPF to overcome NBMA
limitations, including the OSPF neighbor command, point-to-point
subinterfaces, and point-to-multipoint configuration. The solutions that are
available depend on the NBMA network topology.

2.4.2 Full-Mesh Frame Relay

Figure 1: Frame Relay Topologies

Figure 2: Full-Mesh Frame Relay

Figure 3: Full-Mesh Subinterfaces

Before selecting an OSPF configuration strategy for a Frame Relay network (or
legacy X.25 network), the different NBMA topologies must be understood.
Fundamentally, two possible physical topologies exist for Frame Relay networks
[1]:
• Full-mesh topology
• Partial-mesh topology (including the hub-and-spoke topology)
The following sections describe how to configure OSPF in both full-mesh and
partial-mesh Frame Relay networks.
Full-Mesh Frame Relay
Organizations deploy Frame Relay primarily because it supports more than one
logical connection over a single interface, making it an affordable and flexible
choice for WAN links. A full-mesh topology takes advantage of Frame Relay's
capability to support multiple permanent virtual circuits (PVCs) on a single
serial interface. In a full-mesh topology, every router has a PVC to every other
router. [2]
For OSPF to work properly over a multiaccess full-mesh topology that does not
support broadcasts, each OSPF neighbor's address must be entered on each
router, one at a time. The OSPF neighbor command tells a router about its
neighbors' IP addresses so that it can exchange routing information without
multicasts. The following example illustrates how the neighbor command is
used:
RTA(config)#router ospf 1
RTA(config-router)#network 3.1.1.0 0.0.0.255 area 0
RTA(config-router)#neighbor 3.1.1.2
RTA(config-router)#neighbor 3.1.1.3
Specifying each router's neighbors is not the only option to make OSPF work in
this type of environment. The following section explains how configuring
subinterfaces can eliminate the need for the neighbor command.

Configuring Subinterfaces to Create Point-to-Point Networks
The IOS subinterface feature can be used to break up a multiaccess network into
a collection of point-to-point networks.
In Figure [3], a different IP subnet is assigned to each PVC. OSPF automatically
recognizes this configuration as point-to-point, not NBMA, even with Frame
Relay configured on the interfaces. Recall that OSPF point-to-point networks do
not elect a DR. Instead, the Frame Relay router uses Inverse ARP or a Frame
Relay map to obtain the link partner's address so that routing information can be
exchanged.
A full-mesh topology offers numerous advantages, including maximum fault
tolerance. Unfortunately, full-mesh topologies can get expensive because each
PVC must be leased from a provider. An organization would have to lease 45
PVCs to support just 10 fully meshed routers! If subinterfaces are used to create
point-to-point networks, then the 45 IP subnets must also be allocated and
managed, which is an additional expense.

2.4.3 Partial-Mesh Frame Relay

Figure 1: A Hub-and-Spoke Topology

Figure 2: A Hub-and-Spoke Topology with Subinterfaces

Because a full-mesh topology is costly, many organizations implement a partial-mesh
topology instead. A partial-mesh topology is any configuration in which at
least one router maintains multiple connections to other routers, without being
fully meshed. The most cost-effective partial-mesh topology is a hub-and-spoke
topology, in which a single router (the hub) connects to multiple spoke routers.
The hub-and-spoke topology is a cost-effective WAN solution that introduces a
single point of failure (the hub router). Organizations typically deploy Frame
Relay because it is inexpensive, not because it is fault-tolerant. Since dedicated
leased lines (not Frame Relay links) typically carry mission-critical data, an
economical Frame Relay topology, such as hub-and-spoke, makes sense.
Unfortunately, the neighbor command that worked with a full-mesh topology
does not work as well with the hub-and-spoke topology. The hub router in Figure
[1] sees all the spoke routers and can send routing information to them using the
neighbor command, but the spoke routers can send hellos only to the hub.
The DR/BDR election will be held, but only the hub router sees all of the
candidates. Because the hub router must act as the DR for this OSPF network to
function properly, an OSPF interface priority of 0 could be configured on all the
spoke routers. Recall that a priority of 0 makes it impossible for a router to be
elected as a DR or a BDR for a network.
A second approach to dealing with this topology is to avoid the DR/BDR issue
altogether by breaking the network into point-to-point connections. Point-to-
point networks [2] will not elect a DR or a BDR.
Although they make OSPF configuration straightforward, point-to-point
networks have major drawbacks when used with a hub-and-spoke topology.
Subnets must be allocated for each link, which in turn can lead to WAN
addressing that is complex and difficult to manage. The WAN addressing issue
can be avoided by using IP unnumbered, but many organizations have WAN-
management policies that prevent using this feature. Are there any viable
alternatives to a point-to-point configuration? Fortunately, the Cisco IOS offers a
relatively new alternative. A hub-and-spoke physical topology can be manually
configured as a point-to-multipoint network type, as described in the following
section.

2.4.4 Point-to-Multipoint OSPF

Figure 1: A Hub-and-Spoke Topology with OSPF Point-to-Multipoint

<Configuration for RTA>
!
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.1 255.255.255.0
 ip ospf network point-to-multipoint
 ! spoke RTA: a single PVC (DLCI 22) to the hub RTB at 3.1.1.2
 frame-relay map ip 3.1.1.2 22 broadcast
!
router ospf 1
 network 3.1.1.0 0.0.0.255 area 0
---------------------------------------------
<Configuration for RTB>
!
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.2 255.255.255.0
 ip ospf network point-to-multipoint
 ! hub RTB: one map statement per spoke PVC
 frame-relay map ip 3.1.1.1 200 broadcast
 frame-relay map ip 3.1.1.3 300 broadcast
!
router ospf 1
 network 3.1.1.0 0.0.0.255 area 0
---------------------------------------------
<Configuration for RTC>
!
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.3 255.255.255.0
 ip ospf network point-to-multipoint
 ! spoke RTC: a single PVC (DLCI 33) to the hub RTB at 3.1.1.2
 frame-relay map ip 3.1.1.2 33 broadcast
!
router ospf 1
 network 3.1.1.0 0.0.0.255 area 0

Figure 2: Configurations for Point-to-Multipoint OSPF

In a point-to-multipoint network, a hub router is directly connected to multiple
spoke routers, but all the WAN interfaces are addressed on the same subnet. [1]
This logical topology was seen earlier in the chapter, where OSPF did not work
properly with the NBMA network type. By manually changing the OSPF network type
to point-to-multipoint, the same logical topology works. Traffic between RTA
and RTC is routed through RTB, the only router that has virtual circuits to
both. Note that it is not necessary to configure neighbors with the neighbor
command when using this feature: once each PVC has a layer-2 mapping (a static
frame-relay map with the broadcast keyword, or one learned through Inverse
ARP), OSPF hellos are sent across the PVCs and the neighbors are discovered
dynamically.
Point-to-multipoint networks have the following properties:
• Adjacencies are established between all neighboring routers. There is no
DR or BDR for a point-to-multipoint network. No network LSA is
originated for point-to-multipoint networks. Router priority is not
configured for point-to-multipoint interfaces or for neighbors on point-
to-multipoint networks.
• When originating a router LSA, the point-to-multipoint interface is
reported as a collection of point-to-point links to all the interface's
adjacent neighbors, together with a single stub link advertising the
interface's IP address with a cost of 0.
• When flooding out a nonbroadcast interface, the LSU or LSAck packet
must be replicated to be sent to each of the interface's neighbors.
To configure point-to-multipoint, the detected OSPF network type must be
overridden with the following syntax:
router(config-if)#ip ospf network point-to-multipoint
The interface should be configured with a frame-relay map ip command,
as in the following syntax:
router(config-if)#frame-relay map ip address dlci broadcast
The broadcast keyword permits the router to forward broadcast and multicast
traffic, including OSPF hello packets, over the specified DLCI to the mapped
neighbor. When applying the point-to-multipoint configuration to the example
network [1], two separate frame-relay map statements must be configured on the
hub router, RTB, one per spoke. Partial configurations for each router are
shown in Figure [2].
In a point-to-multipoint configuration, OSPF treats all router-to-router
connections on the nonbroadcast network as if they were point-to-point links. No
DR is elected for the network. Neighbors can be specified manually with the
neighbor command or discovered dynamically through hellos once the
DLCI-to-address mappings are in place (configured statically or learned through
Inverse ARP). Ultimately, point-to-multipoint OSPF offers efficient operation
without administrative complexity.
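The requirements just listed (one subnet for every WAN interface, the point-to-multipoint network type on every interface, a map with the broadcast keyword per PVC, and a hub holding a map to each spoke) are easy to get wrong by hand, and a spoke that maps its own address, as RTC does in the figure, simply never forms an adjacency. The following checker is an added example written for this page, not part of the course material or of Cisco IOS; it parses interface fragments in IOS syntax and reports each violation. The three sample configurations are constructed to mirror the figure, with RTC's self-referencing map left in deliberately so that the checker has something to find.

```python
"""Checker for a hub-and-spoke Frame Relay design running OSPF point-to-multipoint.

Added example, not part of the course material or Cisco IOS. It parses minimal
interface fragments in IOS syntax and verifies the properties the text requires:
all WAN interfaces on one subnet, every interface set to point-to-multipoint,
every frame-relay map pointing at another router on that subnet with the
broadcast keyword, and a hub that has a map to each spoke. The sample configs
are constructed to mirror the figure; RTC's map deliberately points at RTC's
own address so the checker has something to report.
"""
import ipaddress
import re

# Constructed sample configurations (RTC's map is wrong on purpose).
CONFIGS = {
    "RTA": """
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.1 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 3.1.1.2 22 broadcast
""",
    "RTB": """
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.2 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 3.1.1.1 200 broadcast
 frame-relay map ip 3.1.1.3 300 broadcast
""",
    "RTC": """
interface Serial0
 encapsulation frame-relay
 ip address 3.1.1.3 255.255.255.0
 ip ospf network point-to-multipoint
 frame-relay map ip 3.1.1.3 33 broadcast
""",
}

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$", re.M)
NET_RE = re.compile(r"^\s*ip ospf network (\S+)\s*$", re.M)
MAP_RE = re.compile(r"^\s*frame-relay map ip (\S+) (\d+)(\s+broadcast)?\s*$", re.M)


def parse_interface(cfg):
    """Return (interface, ospf network type, [(peer, dlci, has_broadcast), ...])."""
    addr = ADDR_RE.search(cfg)
    if addr is None:
        raise ValueError("no 'ip address' line")
    iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    nettype = NET_RE.search(cfg)
    maps = [(ipaddress.ip_address(peer), int(dlci), bool(bcast))
            for peer, dlci, bcast in MAP_RE.findall(cfg)]
    return iface, (nettype.group(1) if nettype else None), maps


def check_hub_and_spoke(configs):
    """Return (hub name, list of problems). An empty list means the design is consistent."""
    parsed = {name: parse_interface(cfg) for name, cfg in configs.items()}
    problems = []
    subnets = {iface.network for iface, _, _ in parsed.values()}
    if len(subnets) != 1:
        problems.append(f"WAN interfaces span several subnets: {sorted(map(str, subnets))}")
    owners = {iface.ip: name for name, (iface, _, _) in parsed.items()}
    for name, (iface, nettype, maps) in parsed.items():
        if nettype != "point-to-multipoint":
            problems.append(f"{name}: ip ospf network is {nettype!r}, expected point-to-multipoint")
        for peer, dlci, bcast in maps:
            if peer == iface.ip:
                problems.append(f"{name}: DLCI {dlci} maps the interface's own address {peer}")
            elif peer not in iface.network:
                problems.append(f"{name}: DLCI {dlci} maps {peer}, outside {iface.network}")
            elif peer not in owners:
                problems.append(f"{name}: DLCI {dlci} maps {peer}, which no router in the set owns")
            if not bcast:
                problems.append(f"{name}: DLCI {dlci} lacks 'broadcast'; OSPF hellos will not cross it")
    # The hub is the router with the most PVCs; it needs a map to every spoke.
    hub = max(parsed, key=lambda n: len(parsed[n][2]))
    hub_peers = {peer for peer, _, _ in parsed[hub][2]}
    for name, (iface, _, _) in parsed.items():
        if name != hub and iface.ip not in hub_peers:
            problems.append(f"hub {hub} has no frame-relay map to spoke {name} ({iface.ip})")
    return hub, problems


def corrected_configs():
    """The same set with RTC's map pointed at the hub (RTB, 3.1.1.2) instead of itself."""
    fixed = dict(CONFIGS)
    fixed["RTC"] = CONFIGS["RTC"].replace("map ip 3.1.1.3 33", "map ip 3.1.1.2 33")
    return fixed


if __name__ == "__main__":
    for label, cfgs in (("as shown in the figure", CONFIGS), ("corrected", corrected_configs())):
        hub, problems = check_hub_and_spoke(cfgs)
        print(f"{label}: hub={hub}, problems={problems or 'none'}")
```

Run against the figure's configurations the checker identifies RTB as the hub and reports only RTC's self-referencing map; with that single line corrected the report is empty. The hub is inferred as the router with the most maps, which holds for a hub-and-spoke design but would need to be made explicit for a partial mesh.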

2.5 Verifying OSPF Operation

2.5.1 Show commands

Figure 1: OSPF Operation and Statistics Commands

The commands in the figure verify that OSPF is working properly. These
commands ensure that the routers are configured correctly and are performing
the way they should.

2.5.2 Clear and debug commands


The following commands and their associated options can be used when
troubleshooting OSPF:
To clear all routes from the IP routing table use the following command:
router#clear ip route *
To clear a specific route from the IP routing table use the following command:
router#clear ip route A.B.C.D
A.B.C.D Destination network route to delete
To debug OSPF operations use the following debug options:
router#debug ip ospf ?
adj OSPF adjacency events
events OSPF events
flood OSPF flooding
lsa-generation OSPF lsa generation
packet OSPF packets
retransmission OSPF retransmission events
spf OSPF spf
tree OSPF database tree

2.6 OSPF Configuration Lab Exercises

2.6.1 Configuring OSPF

Lab Activity:

In this lab, you configure OSPF on three Cisco routers. First, you configure
loopback interfaces to provide stable OSPF Router IDs. Then you configure the
OSPF process and enable OSPF on the appropriate interfaces. After OSPF is
enabled, you tune the update timers and configure authentication.

2.6.2 Examining the DR/BDR election process

Lab Activity:

In this lab, you observe the OSPF DR and BDR election process using debug
commands. Then you assign each OSPF interface a priority value to force the
election of a specific router as a DR.

2.6.3 Configuring Point-to-Multipoint OSPF over Frame Relay

Lab Activity:

In this lab, configure OSPF as a point-to-multipoint network type so that it
operates efficiently over a hub-and-spoke Frame Relay topology.

Summary
OSPF is a scalable, standards-based link-state routing protocol. OSPF's benefits
include no hop-count limitation, the capability to multicast routing updates,
faster convergence rates, and optimal path selection. The basic steps for OSPF
operation are as follows:
1. Establish router adjacencies
2. Select a designated router and a backup designated router
3. Discover routes
4. Select appropriate routes to use
5. Maintain routing information
Connecting multiple OSPF areas in order to support a larger hierarchical routing
environment is covered in the CCNP curriculum.

Section 3

EIGRP
Table of Contents

EIGRP  1
Overview  3
Objectives  4
3.1 EIGRP Fundamentals  5
  3.1.1 EIGRP and IGRP compatibility  5
  3.1.2 EIGRP design  7
  3.1.3 EIGRP support for Novell IPX and AppleTalk  8
  3.1.4 EIGRP terminology  9
3.2 EIGRP Features  10
  3.2.1 EIGRP technologies  10
  3.2.2 Neighbor discovery and recovery  11
  3.2.3 Reliable transport protocol  13
  3.2.4 DUAL finite-state machine  14
  3.2.5 Protocol-dependent modules  18
3.3 EIGRP Components  19
  3.3.1 EIGRP packet types  19
  3.3.2 EIGRP tables  21
  3.3.3 EIGRP tables (cont.)  23
  3.3.4 Route tagging with EIGRP  26
3.4 EIGRP Operation  28
  3.4.1 Convergence using EIGRP  28
3.5 Configuring EIGRP  31
  3.5.1 Configuring EIGRP for IP networks  31
  3.5.2 EIGRP and the bandwidth command  33
  3.5.3 The bandwidth-percent command  35
  3.5.4 Configuring EIGRP for IPX networks  36
  3.5.5 Controlling SAP updates  38
  3.5.6 Summarizing EIGRP routes for IP  39
  3.5.7 Summarizing EIGRP routes for IP (cont.)  40
3.6 Monitoring EIGRP  42
  3.6.1 Verifying EIGRP operation  42
3.7 EIGRP Configuration Lab Exercises  43
  3.7.1 Configuring EIGRP with IGRP  43
  3.7.2 Configuring EIGRP fault tolerance  43
  3.7.3 Configuring EIGRP summarization  43
3.8 Configuring EIGRP Challenge Lab Exercise  44
  3.8.1 EIGRP challenge lab  44
Summary  45

1-2 Routing Section 3: EIGRP Copyright © 2002, Cisco Systems, Inc.


Overview
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary
routing protocol based on Interior Gateway Routing Protocol (IGRP). Unlike
IGRP, which is a classful routing protocol, EIGRP supports classless
interdomain routing (CIDR), allowing network designers to maximize address
space by using CIDR and variable-length subnet mask (VLSM). Compared to
IGRP, EIGRP boasts faster convergence times, improved scalability, and
superior handling of routing loops. Furthermore, EIGRP can replace Novell
Routing Information Protocol (RIP) and AppleTalk Routing Table Maintenance
Protocol (RTMP), serving both Internetwork Packet Exchange (IPX) and
AppleTalk networks with powerful efficiency.
EIGRP has been described as a hybrid routing protocol offering the best of
distance-vector and link-state algorithms. Technically, EIGRP is an advanced
distance-vector routing protocol that relies on features commonly associated
with link-state protocols. Some of the best features of OSPF, such as partial
updates and neighbor discovery, are similarly put to use by EIGRP. However,
the benefits of OSPF, especially its hierarchical design, come at the price
of administrative complexity. As seen in Chapter 5: Multiarea OSPF, multiarea
implementation of OSPF requires mastery of a complex terminology and
command set. On the other hand, the advanced features of EIGRP can be easily
implemented and maintained. Although it does not mirror the classic hierarchical
design of OSPF, EIGRP is an ideal choice for large, multiprotocol networks built
primarily on Cisco routers.
This chapter surveys the key concepts, technologies, and data structures of
EIGRP. This conceptual overview is followed by a study of EIGRP convergence
and basic operation. Finally, this chapter shows how to configure and verify
EIGRP, including using route summarization.

Objectives
After completing this chapter, the student will be able to perform tasks
related to:

3.1 EIGRP Fundamentals

3.2 EIGRP Features

3.3 EIGRP Components

3.4 EIGRP Operation

3.5 EIGRP Configuration

3.6 EIGRP Monitoring

3.7 EIGRP Configuration Lab Exercises

3.8 EIGRP Configuration Challenge Lab Exercise

3.1 EIGRP Fundamentals

3.1.1 EIGRP and IGRP compatibility

Figure 1: IGRP and EIGRP Metric Calculation

Figure 2: Using EIGRP with IGRP

Figure 3: Command Outputs

Cisco released EIGRP in 1994 as a scalable, improved version of its proprietary
distance-vector routing protocol, IGRP. IGRP and EIGRP are compatible with
each other, although EIGRP offers multiprotocol support and IGRP does not.
Despite being compatible with IGRP, EIGRP uses a different metric calculation
and hop-count limitation. EIGRP scales IGRP's metric by a factor of 256. [1]
That is because EIGRP uses a metric that is 32 bits long, and IGRP uses a 24-bit
metric. By multiplying or dividing by 256, EIGRP can easily exchange
information with IGRP.
EIGRP also imposes a maximum hop limit of 224, slightly less than IGRP's
generous 255, but more than enough to support today's largest internetworks.
Sharing information between dissimilar routing protocols such as OSPF and RIP
requires advanced configuration. However sharing, or redistribution, is
automatic between IGRP and EIGRP as long as both processes use the same
autonomous system (AS) number. In Figure [2], RTB automatically redistributes
EIGRP-learned routes to the IGRP AS, and vice versa.
EIGRP will tag routes learned from IGRP (or any outside source) as external
because they did not originate from EIGRP routers. On the other hand, IGRP
cannot differentiate between internal and external routes. Notice that in the
show ip route command output for the routers in Figure [3], EIGRP routes
are flagged with D, and external routes are denoted by EX. RTA identifies the
difference between the network learned via EIGRP (172.16.1.0) and the network
that was redistributed from IGRP (192.168.1.0). RTC's table shows that IGRP
makes no such distinction.
RTC, which is running IGRP only, just sees IGRP routes, despite the fact that
both 10.1.1.0 and 172.16.1.0 were redistributed from EIGRP.
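The factor-of-256 relationship is easiest to see by computing both metrics for a real interface. The following is an added example written for this page, not code from the course or from Cisco IOS: it implements the composite-metric formula with the default constants (K1 = K3 = 1, K2 = K4 = K5 = 0) and the integer arithmetic a router uses, and shows the translation applied when a route crosses between an IGRP and an EIGRP process that share an AS number. The interface values (bandwidth in kbit/s, delay in microseconds) are constructed samples using the usual serial T1 and Fast Ethernet defaults.

```python
"""IGRP and EIGRP composite metrics and the factor-of-256 translation.

Added example, not from the course or Cisco IOS. It implements the Cisco
composite-metric formula with the default constants (K1=K3=1, K2=K4=K5=0) and
the integer arithmetic a router uses, then shows how a metric is translated when
a route is redistributed between an IGRP and an EIGRP process. The interface
values (bandwidth in kbit/s, delay in microseconds) are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    bandwidth_kbps: int        # interface 'bandwidth' value, kbit/s
    delay_usec: int            # interface 'delay' value, microseconds
    reliability: int = 255     # 255 = 100 percent
    load: int = 1              # 1 (idle) .. 255 (saturated)


def composite(path, k1=1, k2=0, k3=1, k4=0, k5=0):
    """Composite metric on IGRP's 24-bit scale for a path made of Links.

    bandwidth term: 10^7 divided by the slowest link on the path (integer division);
    delay term: sum of link delays in units of 10 microseconds.
    With the default K values the result is simply bandwidth + delay.
    """
    bw = 10**7 // min(link.bandwidth_kbps for link in path)
    delay = sum(link.delay_usec for link in path) // 10
    load = max(link.load for link in path)
    reliability = min(link.reliability for link in path)
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5:                                   # reliability term only when K5 is non-zero
        metric = metric * k5 // (reliability + k4)
    return metric


def igrp_metric(path):
    return composite(path)


def eigrp_metric(path):
    """EIGRP's 32-bit metric is the IGRP metric scaled by 256."""
    return composite(path) * 256


def igrp_to_eigrp(metric):
    """Redistributing from IGRP into EIGRP (same AS number): multiply by 256."""
    return metric * 256


def eigrp_to_igrp(metric):
    """Redistributing from EIGRP into IGRP: divide by 256 (the low 8 bits are lost)."""
    return metric // 256


T1 = Link(bandwidth_kbps=1544, delay_usec=20000)          # serial T1 defaults
FAST_ETHERNET = Link(bandwidth_kbps=100000, delay_usec=100)

if __name__ == "__main__":
    print("T1 IGRP metric:", igrp_metric([T1]))                    # 8476
    print("T1 EIGRP metric:", eigrp_metric([T1]))                  # 2169856
    print("T1 + Fast Ethernet EIGRP metric:", eigrp_metric([T1, FAST_ETHERNET]))
```

For a single T1 the IGRP metric is 8476 and the EIGRP metric 2169856, the value seen in show ip route for a route over one T1. Note that eigrp_to_igrp discards the low eight bits, so two EIGRP routes that differ only in those bits become equal-cost once redistributed into IGRP.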

3.1.2 EIGRP design

Figure 1: EIGRP Advantages

Even though it is compatible with IGRP, EIGRP operates quite differently from
its predecessor. As an advanced distance-vector routing protocol, EIGRP acts
like a link-state protocol when updating neighbors and maintaining routing
information. EIGRP's advantages over simple distance-vector protocols include
the following:
• Rapid convergence - EIGRP routers converge quickly because they rely on
a state-of-the-art routing algorithm called the Diffusing Update Algorithm
(DUAL). DUAL guarantees loop-free operation at every instant throughout a
route computation and allows all routers involved in a topology change to
synchronize at the same time.
• Efficient use of bandwidth - EIGRP makes efficient use of bandwidth by
sending partial, bounded updates and by consuming minimal amounts of
bandwidth when the network is stable.
  - Partial, bounded updates - EIGRP routers make partial,
incremental updates rather than sending their complete tables. This
may seem similar to OSPF operation, but unlike OSPF routers,
EIGRP routers send these partial updates only to the routers that
need the information, not to all routers in an area. For this reason,
they are called bounded updates.
  - Minimal consumption of bandwidth when the network is stable -
Instead of using timed routing updates, EIGRP routers keep in touch
with each other using small hello packets. Though exchanged
regularly, hello packets do not consume a significant amount of
bandwidth.
• Support for VLSM and CIDR - Unlike IGRP, EIGRP offers full support
for classless IP by exchanging subnet masks in routing updates.
• Multiple network-layer support - EIGRP supports IP, IPX, and AppleTalk
through protocol-dependent modules (PDMs).
• Independence from routed protocols - PDMs protect EIGRP from
painstaking revision. Evolution of a routed protocol, such as IP, may require
a new protocol module, but not necessarily a reworking of EIGRP itself.

3.1.3 EIGRP support for Novell IPX and AppleTalk

Figure 1: EIGRP Support for Novell IPX RIP and SAP

In a legacy NetWare network, servers and routers may be configured to use IPX
RIP and the Service Advertising Protocol (SAP) to exchange information with
peers. As time-driven protocols, IPX RIP and SAP generate updates every 60
seconds by default. These updates can crowd low-speed WAN links, especially
in large internetworks.
EIGRP can redistribute IPX RIP and SAP information to improve overall
performance. In effect, EIGRP can take over for these two protocols. An EIGRP
router will receive routing and service updates and then update other routers only
when changes in the SAP or routing tables occur. Routing updates occur as they
would in any EIGRP network, that is, through the use of partial updates. EIGRP
sends SAP updates incrementally on all serial interfaces by default. However,
incremental SAP updates must be configured manually on LAN interfaces (for
example, Ethernet, Token Ring, and FDDI).
Like IP RIP, IPX RIP restricts the diameter of a network to 15 hops. By using
EIGRP to redistribute IPX RIP, a network diameter can expand to EIGRP's
comfortable limit of 224 hops. Moreover, EIGRP's more advanced metric, which
uses bandwidth and delay, replaces Novell RIP's less optimal metric derived
from hop count and ticks.
The obvious shortcomings of IPX RIP and SAP spurred Novell's development of
a proprietary link-state routing protocol for NetWare, NetWare Link Services
Protocol (NLSP). A link-state protocol, NLSP replaces both RIP and SAP. On
servers running NetWare 3.11 or later, administrators can choose between using
RIP/SAP or NLSP. Note that since Cisco IOS version 11.1, EIGRP can
redistribute NLSP as well as IPX RIP.
EIGRP Support for AppleTalk
EIGRP can also take over for AppleTalk's Routing Table Maintenance Protocol
(RTMP). As a distance-vector routing protocol, RTMP relies on periodic and
complete exchanges of routing information. To reduce overhead, EIGRP
redistributes AppleTalk routing information using event-driven updates. EIGRP
also uses a configurable composite metric to determine the best route to an
AppleTalk network. RTMP uses hop count, which can result in suboptimal
routing.
AppleTalk clients expect RTMP information from local routers, so EIGRP for
AppleTalk should be run only on a clientless network, such as a WAN link.

3.1.4 EIGRP terminology
EIGRP routers keep route and topology information readily available in RAM so
they can react quickly to changes. Like OSPF, EIGRP keeps this information in
several tables, or databases. The following terms are related to EIGRP and its
tables and are used throughout this chapter:
• Neighbor table - Each EIGRP router maintains a neighbor table that lists
adjacent routers. This table is comparable to the adjacency database used by
OSPF. A neighbor table is maintained for each protocol that EIGRP
supports.
• Topology table - Every EIGRP router maintains a topology table for each
configured network protocol. This table includes route entries for all
destinations that the router has learned; all learned routes to a destination
are kept here, not only the best one.
• Routing table - EIGRP chooses the best routes to a destination from the
topology table and places these routes in the routing table. Each EIGRP
router maintains a routing table for each network protocol.
• Successor - A successor is a route selected as the primary route to use to
reach a destination. Successors are the entries kept in the routing table.
Multiple successors for a destination can be retained in the routing table.
• Feasible successor - A feasible successor is a backup route. These routes are
selected at the same time the successors are identified but are kept in the
topology table. Multiple feasible successors for a destination can be retained
in the topology table.

3.2 EIGRP Features

3.2.1 EIGRP technologies

Figure 1: EIGRP technologies

EIGRP includes many new technologies, each of which represents an
improvement in operating efficiency, rapidity of convergence, or functionality
relative to IGRP and other routing protocols. Each of these new technologies
falls into one of the following four categories:
• Neighbor discovery and recovery
• Reliable Transport Protocol (RTP)
• DUAL finite-state machine
• Protocol-dependent modules
The following sections examine these technologies in detail.

3.2.2 Neighbor discovery and recovery

Figure 1: Neighbor Routers Exchange their Routing Tables

Figure 2: Neighbor Routers Exchange their Routing Tables

Figure 3: Neighbor Routers Exchange their Routing Tables

Figure 4: Neighbor Routers Exchange their Routing Tables

Figure 5: Neighbor Routers Exchange their Routing Tables

Figure 6: Neighbor Routers Exchange their Routing Tables

Figure 7: Neighbor Routers Exchange their Routing Tables

Remember that simple distance-vector routers do not establish any relationship
with their neighbors. RIP and IGRP routers merely broadcast or multicast
updates on configured interfaces. In contrast, EIGRP routers actively establish
relationships with their neighbors, in much the same way as OSPF routers.
Figures [1] – [7] illustrate how EIGRP adjacencies are established. EIGRP routers
establish adjacencies with neighbor routers by using small hello packets. Hellos
are sent by default every five seconds. An EIGRP router assumes that, as long as
it is receiving hello packets from known neighbors, those neighbors (and their
routes) remain viable. By forming adjacencies, EIGRP routers do the following:
• Dynamically learn of new routes that join their network
• Identify routers that become either unreachable or inoperable
• Rediscover routers that had previously been unreachable

3.2.3 Reliable transport protocol


Reliable Transport Protocol (RTP) is a transport-layer protocol that can guarantee
ordered delivery of EIGRP packets to all neighbors. On an IP network, hosts use
TCP to sequence packets and ensure their timely delivery. However, EIGRP is
independent of any one routed protocol, so it cannot rely on TCP/IP to exchange
routing information the way that RIP, IGRP, and OSPF do. To stay independent of
TCP/IP, EIGRP uses its own transport-layer protocol to guarantee delivery of
routing information. This Cisco-proprietary transport protocol is RTP.
EIGRP can call on RTP to provide reliable or unreliable service as the situation
warrants. For example, hello packets do not require the overhead of reliable
delivery because they are frequent and should be kept small. Nevertheless, the
reliable delivery of other routing information can actually speed convergence
because EIGRP routers are not waiting for a timer to expire before they
retransmit.

With RTP, EIGRP can multicast and unicast to different peers simultaneously,
allowing for maximum efficiency.

3.2.4 DUAL finite-state machine

Figure 1: DUAL Example

Figure 2: DUAL Example

Figure 3: DUAL Example

Figure 4: DUAL Example

Figure 5: DUAL Example

Figure 6: DUAL Example

Figure 7: DUAL Example

The centerpiece of EIGRP is the Diffusing Update Algorithm (DUAL), EIGRP's
route-calculation engine. The full name of this technology is DUAL finite-state
machine (FSM). An FSM is an abstract machine, not a mechanical device with
moving parts. FSMs define a set of possible states that something can go
through, what events cause those states, and what events result from those states.
Designers use FSMs to describe how a device, computer program, or routing
algorithm will react to a set of input events. The DUAL FSM contains all the
logic used to calculate and compare routes in an EIGRP network.
DUAL tracks all the routes advertised by neighbors and uses the composite
metric of each route to compare them. DUAL also guarantees that each path is
loop-free. Lowest-cost paths are then inserted by the DUAL protocol into the
routing table.
As noted earlier in the chapter, EIGRP keeps important route and topology
information readily available in a neighbor table and a topology table. These
tables supply DUAL with comprehensive route information in case of network
disruption. DUAL selects alternate routes quickly by using the information in
these tables. If a link goes down, DUAL looks for a feasible successor in its
neighbor and topology tables.
A successor is a neighboring router that is currently being used for packet
forwarding. The successor provides the least-cost route to the destination and is
not part of a routing loop. Feasible successors provide the next lowest-cost path
without introducing routing loops. Feasible successor routes can be used in case
the existing route fails. Packets to the destination network are immediately
forwarded to the feasible successor, which at that point is promoted to the status
of successor as illustrated in Figures [1] – [7].
Note in the example that router D does not have a feasible successor identified.
The FD (feasible distance, the lowest calculated metric to the destination) for
router D via router A is 2, and the AD (advertised distance, the metric that the
neighbor itself reports for the destination) via router C is 3. For a neighbor to
qualify as a feasible successor, its AD must be less than the FD; 3 is not less
than 2, so no feasible successor through router C is placed in the topology
table. Router C and router E each have a feasible successor identified, because
the route is loop-free and the AD of the next-hop router is less than the FD of
the successor.
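The feasibility condition and the three outcomes it produces (promote a feasible successor, or go active and query, then return to passive with a new FD) are short enough to run as code. The following is an added example written for this page, not code from the course or from Cisco IOS. It keeps one topology-table entry per destination, applies the rule AD < FD, and models the point the text makes about router D: with A as successor (total metric 2) and C advertising 3, C fails the condition, so losing A sends the route active rather than switching to C immediately. Neighbor names, the destination label and the metric values are constructed to match the figure's example; the treatment of FD (lowered whenever a better total appears, reset only after a query cycle) is this model's assumption about DUAL's behaviour.

```python
"""DUAL route selection: successors, feasible successors and the active state.

Added example, not from the course or Cisco IOS. For one destination, a
topology-table entry records, per neighbor, the advertised distance (AD, the
metric the neighbor itself reports) and the cost of the link to that neighbor.
Feasible distance (FD) is the lowest total metric known for the destination;
a neighbor passes the feasibility condition, and so is a loop-free backup, when
its AD is strictly less than the FD. The values below are constructed to match
the figure's router D: the path through A totals 2, while C advertises 3.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Candidate:
    neighbor: str
    advertised: int      # AD: the neighbor's own metric to the destination
    link_cost: int       # cost from this router to that neighbor

    @property
    def total(self) -> int:
        return self.advertised + self.link_cost


@dataclass
class Entry:
    destination: str
    candidates: Dict[str, Candidate] = field(default_factory=dict)
    feasible_distance: Optional[int] = None
    active: bool = False


def compute(entry: Entry):
    """Local computation while passive: pick successors and feasible successors.

    FD is lowered whenever a better total appears and is only reset after a
    query cycle (finish_query); modelling assumption, see the module docstring.
    """
    if not entry.candidates:
        entry.active = True
        return [], []
    best = min(c.total for c in entry.candidates.values())
    if entry.feasible_distance is None or best < entry.feasible_distance:
        entry.feasible_distance = best
    fd = entry.feasible_distance
    successors = [c for c in entry.candidates.values() if c.total == best]
    feasible = [c for c in entry.candidates.values()
                if c.total != best and c.advertised < fd]
    entry.active = False
    return successors, feasible


def lose_neighbor(entry: Entry, neighbor: str):
    """The neighbor goes away. Promote a feasible successor if one exists;
    otherwise the route goes active and a query would be multicast to the
    remaining neighbors. Returns the new successors (empty while active)."""
    entry.candidates.pop(neighbor, None)
    fd = entry.feasible_distance
    feasible = [c for c in entry.candidates.values()
                if fd is not None and c.advertised < fd]
    if not feasible:
        entry.active = True
        return []
    best = min(c.total for c in feasible)
    entry.active = False
    return [c for c in feasible if c.total == best]


def finish_query(entry: Entry, replies: Dict[str, Optional[int]]):
    """All replies are in: update each neighbor's AD (None = unreachable),
    reset FD to the new best total and return to passive with new successors."""
    for neighbor, advertised in replies.items():
        if advertised is None:
            entry.candidates.pop(neighbor, None)
        elif neighbor in entry.candidates:
            entry.candidates[neighbor].advertised = advertised
    entry.feasible_distance = None        # a query cycle is the one time FD is reset
    return compute(entry)


def router_d_example():
    """Router D from the figure: successor A (total 2); C advertises 3, so no FS."""
    entry = Entry("net-X", {
        "A": Candidate("A", advertised=1, link_cost=1),
        "C": Candidate("C", advertised=3, link_cost=1),
    })
    successors, feasible = compute(entry)
    steps = {"successors": [s.neighbor for s in successors],
             "feasible": [f.neighbor for f in feasible],
             "fd": entry.feasible_distance}
    lose_neighbor(entry, "A")                  # no feasible successor: route goes active
    steps["active_after_loss"] = entry.active
    new_successors, _ = finish_query(entry, {"C": 3})   # C's reply: still reachable via C
    steps["after_query"] = ([s.neighbor for s in new_successors], entry.feasible_distance)
    return steps


if __name__ == "__main__":
    for step, value in router_d_example().items():
        print(f"{step}: {value}")
```

router_d_example() walks the figure's case: successor A with FD 2 and no feasible successor, the route going active when A is lost, and C becoming the successor with a new FD of 4 once its reply arrives. A second entry where the backup's AD does satisfy the condition switches to it immediately without ever going active, which is the convergence advantage the text attributes to DUAL.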

3.2.5 Protocol-dependent modules

Figure 1: EIGRP PDMs

One of EIGRP's most attractive features is its modular design. Modular, layered
designs prove to be the most scalable and adaptable. Support for routed
protocols such as IP, IPX, and AppleTalk is included in EIGRP through
protocol-dependent modules (PDMs). EIGRP can easily adapt to new or revised
routed protocols (for example, IPv6) by adding protocol-dependent modules.
Each PDM is responsible for all functions related to its specific routed protocol.
The IP-EIGRP module is responsible for the following:
• Sending and receiving EIGRP packets that bear IP data
• Notifying DUAL of new IP routing information that is received
• Maintaining the results of DUAL's routing decisions in the IP routing table
• Redistributing routing information that was learned by other IP-capable
routing protocols

3.3 EIGRP Components

3.3.1 EIGRP packet types

Figure 1: EIGRP Packet Types

Figure 2: Default Hello Intervals and Hold Times for EIGRP

Like OSPF, EIGRP relies on several different kinds of packets to maintain its
various tables and establish complex relationships with neighbor routers
(Figure [1]). The five EIGRP packet types are listed here:
• Hello
• Acknowledgment
• Update
• Query
• Reply
The following sections describe these packet types in detail.
Hello Packets
EIGRP relies on hello packets to discover, verify, and rediscover neighbor
routers. Rediscovery occurs if EIGRP routers do not receive each other's hellos
for a hold time interval but then re-establish communication.

EIGRP routers send hellos at a fixed (and configurable) interval, called the hello
interval. The default hello interval depends on the bandwidth of the interface, as
shown in Figure [2].
EIGRP hello packets are multicast. On IP networks, EIGRP routers send hellos
to the multicast IP address 224.0.0.10.
An EIGRP router stores information about neighbors in the neighbor table,
including the last time that each neighbor was heard from. That time is
refreshed whenever any EIGRP packet, hello or otherwise, is received from the
neighbor. If a neighbor is not heard from for the duration of the hold time,
EIGRP considers that neighbor down, and DUAL must re-evaluate the routing
table. By default, the hold time is three times the hello interval, but an
administrator can configure both timers as desired.
Recall that OSPF requires neighbor routers to have the same hello and dead
intervals to communicate. EIGRP has no such restriction. Neighbor routers learn
about each other's respective timers via the exchange of hello packets, and they
use that information to forge a stable relationship, despite unlike timers.
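Two details above are worth seeing in code: a neighbor is aged out with the hold time that the neighbor itself advertised, not the local setting, and any EIGRP packet from it refreshes the timer, not only a hello. The following is an added example written for this page, not code from the course or from Cisco IOS. Its neighbor table keeps one entry per peer with that peer's advertised hold time and the time of the last packet of any kind, and expire() reports which adjacencies have timed out. default_timers() reproduces the Cisco IOS defaults (5 s hello / 15 s hold, and 60 s / 180 s on NBMA interfaces of T1 speed or slower), stated here as an assumption about the figure rather than a quotation from it; the event trace in demo() is constructed.

```python
"""EIGRP neighbor liveness with unequal, neighbor-advertised hold times.

Added example, not from the course or Cisco IOS. Each neighbor is aged out
using the hold time *that neighbor* advertised in its own hellos, which is why
two routers with different hello/hold settings can still keep a stable
adjacency, and any EIGRP packet from the neighbor refreshes its timer.
default_timers() reproduces the Cisco IOS defaults (hello 5 s / hold 15 s;
60 s / 180 s on NBMA interfaces of T1 speed or slower); that is an assumption
about the figure's contents, not a quotation from it. demo()'s trace is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


def default_timers(bandwidth_kbps: int, nbma: bool = False):
    """Return (hello, hold) in seconds; hold defaults to three times hello."""
    hello = 60 if (nbma and bandwidth_kbps <= 1544) else 5
    return hello, 3 * hello


@dataclass
class Neighbor:
    address: str
    hold: int            # hold time the neighbor advertised, seconds
    last_heard: float    # time of the last EIGRP packet of any kind
    last_seq: int = 0    # sequence number of the last reliable packet accepted
    out_of_order: int = 0


class NeighborTable:
    def __init__(self):
        self.neighbors: Dict[str, Neighbor] = {}

    def on_hello(self, addr: str, advertised_hold: int, now: float) -> None:
        """A hello (re)creates the adjacency and records the peer's own hold time."""
        n = self.neighbors.get(addr)
        if n is None:
            self.neighbors[addr] = Neighbor(addr, advertised_hold, now)
        else:
            n.hold, n.last_heard = advertised_hold, now

    def on_packet(self, addr: str, now: float, seq: Optional[int] = None) -> bool:
        """Any EIGRP packet (update, query, reply, ack) from a known neighbor resets
        its timer. Reliable packets carry a sequence number; one that does not
        advance is counted as out of order. Returns False for unknown senders."""
        n = self.neighbors.get(addr)
        if n is None:
            return False
        n.last_heard = now
        if seq is not None:
            if seq <= n.last_seq:
                n.out_of_order += 1
            else:
                n.last_seq = seq
        return True

    def expire(self, now: float) -> List[str]:
        """Remove and return neighbors whose own hold time has elapsed; DUAL
        would then re-evaluate every route learned through them."""
        dead = [a for a, n in self.neighbors.items() if now - n.last_heard >= n.hold]
        for a in dead:
            del self.neighbors[a]
        return dead


def demo() -> List[str]:
    """Fast-link neighbor (hold 15) and slow NBMA neighbor (hold 180) share a table."""
    table = NeighborTable()
    table.on_hello("10.1.1.2", advertised_hold=default_timers(100000)[1], now=0)
    table.on_hello("10.1.1.3", advertised_hold=default_timers(64, nbma=True)[1], now=0)
    table.on_packet("10.1.1.2", now=10, seq=7)   # an update, not a hello, still refreshes
    first = table.expire(now=20)                  # 10 s since the update: still alive
    second = table.expire(now=26)                 # 16 s >= 15: 10.1.1.2 declared down
    return first + second


if __name__ == "__main__":
    print("neighbors declared down:", demo())
```

In demo() the fast-link neighbor is declared down at t = 26 even though the slow NBMA neighbor, silent for the same 26 seconds, stays up: each is judged by its own advertised hold time. Packets from an address that never sent a hello are ignored, since no adjacency exists to refresh.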
Acknowledgment Packets
An EIGRP router uses acknowledgment packets to indicate receipt of any
EIGRP packet during a "reliable" exchange. Recall that RTP can provide reliable
communication between EIGRP hosts. To be reliable, a sender's message must
be acknowledged by the recipient. Acknowledgment packets, which are
"dataless" hello packets, are used for this purpose. Unlike multicast hellos,
acknowledgment packets are unicast. Note also that acknowledgments can be
made by piggybacking on other kinds of EIGRP packets, such as reply packets.
Hello packets are always sent unreliably and thus do not require
acknowledgment.
Update Packets
Update packets are used when a router discovers a new neighbor. An EIGRP
router sends unicast update packets to that new neighbor so that it can add to its
topology table. More than one update packet may be needed to convey all the
topology information to the newly discovered neighbor.
Update packets are also used when a router detects a topology change. In this
case, the EIGRP router sends a multicast update packet to all neighbors, alerting
them to the change.
All update packets are sent reliably.
Query and Reply Packets
An EIGRP router uses query packets whenever it needs specific information
from one or all of its neighbors. A reply packet is used to respond to a query.
If an EIGRP router loses its successor and cannot find a feasible successor for a
route, DUAL places the route in the active state. At this point, the router
multicasts a query to all neighbors, searching for a successor to the destination
network. Neighbors must send replies that either provide information on
successors or indicate that no successor information is available.
Queries can be multicast or unicast, while replies are always unicast. Both
packet types are sent reliably.

3.3.2 EIGRP tables

Figure 1: EIGRP Neighbor Table

Figure 2: EIGRP PDMs



Figure 3: EIGRP Routing Table

DUAL can select alternate routes based on the tables kept by EIGRP. By
building these tables, every EIGRP router can track all the routing information in
an autonomous system (AS), not just the best routes.
The following sections examine the neighbor table, the routing table, and the
topology table in detail and provide an example of each. In addition, we will
look at the various packet types used by EIGRP to build and maintain these
tables.
The Neighbor Table
The most important table in EIGRP is the neighbor table (refer to Figure [1]).
The neighbor relationships tracked in the neighbor table are the basis for all
EIGRP routing update and convergence activity.
The neighbor table contains information about adjacent neighboring EIGRP
routers. Whenever a new neighbor is discovered, the address of that neighbor
and the interface used to reach it are recorded in a new neighbor table entry.
A neighbor table is used to support reliable, sequenced delivery of packets. One
field in each row of the table includes the sequence number of the last packet
received from that neighbor. EIGRP uses this field to acknowledge a neighbor's
transmission and to identify packets that are out of sequence.
As shown in Figure [1], an EIGRP neighbor table includes the following key
elements:
- Neighbor address (Address) - The network-layer address of the neighbor
router.
- Hold time (Hold) - The interval to wait without receiving anything from a
neighbor before considering the link unavailable. Originally, the expected
packet was a hello packet, but in current Cisco IOS software releases, any
EIGRP packet received after the first hello resets the timer. The adjacent
Uptime column is a separate value: how long the adjacency has been up.
- Smooth Round-Trip Timer (SRTT) - The average time that it takes to send a
packet to a neighbor and receive the acknowledgment. This timer is used to
derive the retransmission timeout (RTO), the time EIGRP waits before
retransmitting an unacknowledged reliable packet.
- Queue count (Q Cnt) - The number of packets waiting in queue to be sent.
If this value is constantly higher than zero, then there may be a congestion
problem at the router. A zero means that there are no EIGRP packets in the
queue.
Note that an EIGRP router can maintain multiple neighbor tables, one for each
PDM running (for example, IP, IPX, and AppleTalk as shown in Figure [2]). A
router must run a unique EIGRP process for each routed protocol.
The Routing Table
The routing table contains the routes installed by DUAL as the best loop-free
paths to a given destination, as shown in Figure [3]. By default EIGRP installs
up to four routes per destination (the maximum-paths router command raises
this limit). Equal-cost routes are installed automatically; unequal-cost routes
are installed only if the variance command has been configured. EIGRP routers
maintain a separate routing table for each routed protocol.

3.3.3 EIGRP tables (con’t.)

Figure 1: EIGRP Topology Table

Figure 2: EIGRP Successors and Feasible Successors



Figure 3: EIGRP Successors and Feasible Successors

Figure 4: EIGRP Successors and Feasible Successors

The Topology Table
EIGRP uses its topology table to store all the information it needs to calculate a
set of distances and vectors to all reachable destinations. EIGRP maintains a
separate topology table for each routed protocol. A sample EIGRP topology
table is shown in Figure [1].
The topology table holds every destination advertised by any neighbor, not
just the best path, together with the metric information needed to evaluate
each path. By tracking this information, EIGRP routers can find alternate
routes quickly. The topology table includes the following fields:
- Feasible distance (FD is xxxx) - The feasible distance (FD) is the lowest
calculated metric to each destination. For example, in Figure [1], the feasible
distance to 32.0.0.0 is 2195456, as indicated by FD is 2195456.
- Route source (via xxx.xxx.xxx.xxx) - The neighbor that advertised this
path; packets forwarded along the path are sent to that neighbor. For example,
in Figure [1], the path to 32.0.0.0 is learned via 200.10.10.10. For routes
redistributed into EIGRP from outside the AS, the entry additionally records
the router ID of the router that originated the route, as part of the external
route tags discussed in section 3.3.4; these tags are what make policy
decisions on external routes possible.
- Reported distance (FD/RD) - The reported distance (RD) of the path is the
distance reported by an adjacent neighbor to a specific destination. For
example, in Figure [1], the reported distance to 32.0.0.0 is 281600, as
indicated by (2195456/281600).
In addition to these fields, each entry includes the interface through which the
destination is reachable.
EIGRP sorts the topology table so that the successor routes are at the top,
followed by feasible successors. At the bottom, EIGRP lists routes that DUAL
believes to be loops in the topology table.
How does an EIGRP router determine which routers are successors and which
routers are feasible successors? Assume that RTA's routing table includes a route
to Network Z via RTB (see Figure [2]). From RTA's point of view, RTB is the
current successor for Network Z; RTA will forward packets destined for
Network Z to RTB. RTA must have at least one successor for Network Z for
DUAL to place it in the routing table.
Can RTA have more than one successor for Network Z? If RTC claims to have a
route to Network Z with the exact same metric as RTB, then RTA also considers
RTC a successor, and DUAL will install a second route to Network Z via RTC
(see Figure [3]).
Any of RTA's other neighbors that advertise a route to Network Z with an RD
lower than RTA's FD satisfy the feasibility condition. Such a route is
guaranteed loop-free: a neighbor whose own distance to Network Z is below
RTA's best distance cannot be reaching Network Z through RTA. Those neighbors,
other than the successors themselves, are identified as feasible successors in
the topology table, as shown in Figure [4].
A router views its feasible successors as neighbors that are downstream, or
closer, to the destination than it is. If something goes wrong with the successor,
DUAL can quickly identify a feasible successor from the topology table and
install a new route to the destination. If no feasible successors to the destination
exist, DUAL places the route in the active state. Entries in the topology table can
be in one of two states: active or passive. These states identify the status of the
route indicated by the entry rather than the status of the entry itself.
A passive route is one that is stable and available for use. An active route is a
route in the process of being recomputed by DUAL. Recomputation happens if a
route becomes unavailable and DUAL cannot find any feasible successors.
When this occurs, the router must ask neighbors for help in finding a new,
loop-free path to the destination. Neighbor routers are compelled to reply to
this query. If a neighbor has a route, it will reply with information about the
successor(s). If not, the neighbor notifies the sender that it does not have a
route to the destination either.
Excess recomputation is a symptom of network instability and results in poor
performance. To prevent convergence problems, DUAL always tries to find a
feasible successor before resorting to a recomputation. If a feasible successor is
available, DUAL can quickly install the new route and avoid recomputation.
"Stuck in Active" Routes
If one or more routers to which a query is sent do not respond with a reply
within the active time of 180 seconds (3 minutes), the route, or routes, in
question are placed in the "stuck in active" state. When this happens, EIGRP
resets the adjacency with the neighbors that did not reply and logs a "stuck
in active" error message for the route(s) that went active. Because a single
slow or unreachable neighbor anywhere in the query domain can tear down
adjacencies this way, keeping the query domain small (for example with the
summarization described in sections 3.5.6 and 3.5.7) is a practical defense
against SIA events.

3.3.4 Route tagging with EIGRP

Figure 1: Viewing EIGRP Route Tag Information

Not only does the topology table track information regarding route states, but it
also can record special information about each route. EIGRP classifies routes as
either internal or external. EIGRP uses a process called route tagging to add
special tags to each route. These tags identify a route as internal or external and
may include other information as well.
Internal routes originate from within the EIGRP AS. External routes originate
from outside the system. Routes learned (redistributed) from other routing
protocols, such as RIP, OSPF, and IGRP are external. Static routes originating
from outside the EIGRP AS and redistributed inside are also external routes.
All external routes are included in the topology table and are tagged with the
following information:
- The identification number (router ID) of the EIGRP router that redistributed
the route into the EIGRP network
- The AS number of the destination
- The protocol used in that external network
- The cost or metric received from that external protocol
- The configurable administrator tag
The figure shows a specific topology table entry for an external route.
To develop a precise routing policy, take advantage of route tagging and, in
particular, the administrator tag shown in the shaded portion of the figure.
The administrator tag is carried in the external route information as a
32-bit value and is set when the route is redistributed (for example with a
route map's set tag command); in effect, it is a custom label that can be used
to implement a special routing policy. External routes can be accepted,
rejected, or propagated based on any of the route tags, including the
administrator tag. Because a network administrator controls the administrator
tag, the route-tagging feature affords a high degree of control. Note that a
tag is only as trustworthy as the router that set it: any router able to
redistribute into the AS can attach any tag, so a tag-based policy implicitly
trusts every redistribution point. This level of precision and flexibility
proves especially useful when EIGRP networks interact with Border Gateway
Protocol (BGP) networks, which themselves are policy-based.



3.4 EIGRP Operation

3.4.1 Convergence using EIGRP

Figure 1: Convergence Using EIGRP

Figure 2: Topology Table Entries for Network 24



Figure 3: Convergence Using EIGRP

Figure 4: Convergence Using EIGRP

DUAL's sophisticated algorithm results in EIGRP's exceptionally fast
convergence. To better understand convergence using DUAL, consider the
scenario in Figure [1]. RTA can reach network 24 via three different routers:
RTX, RTY, or RTZ.
In Figure [1], EIGRP's composite metric is replaced by a link cost to simplify
calculations. RTA's topology table includes a list of all routes advertised by
neighbors. For each network, RTA keeps the real (computed) cost of getting to
that network and also keeps the advertised cost (reported distance) from its
neighbor, as shown in Figure [2].

At first, RTY is the successor to network 24, by virtue of its lowest computed
cost. RTA's lowest calculated metric to Network 24 is 31; this value is the FD to
Network 24.
What if the successor to Network 24, RTY, becomes unavailable, as shown
Figure [3]?
RTA follows a three-step process to select a feasible successor to become a
successor for Network 24:
1. Determine which neighbors have a reported distance (RD) to Network 24 that is
less than RTA's FD to network 24. The FD is 31; RTX's RD is 30, and RTZ's RD
is 220 (see Figure [2]). Thus, RTX's RD is below the current FD, while RTZ's
RD is not.
2. Determine the minimum computed cost to Network 24 from among the
remaining routes available. The computed cost via RTX is 40, while the
computed cost via RTZ is 230. Thus, RTX provides the lowest computed cost.
3. Determine whether any routers that met the criterion in Step 1 also met the
criterion in Step 2. RTX has done both, so it is the feasible successor.
With RTY down, RTA immediately uses RTX (the feasible successor) to
forward packets to Network 24. The capability to make an immediate switchover
to a backup route is the key to EIGRP's exceptionally fast convergence times.
However, what happens if RTX also becomes unavailable, as shown Figure [4]?
Can RTZ be a feasible successor? Using the same three-step process as before,
RTA finds that RTZ is advertising a cost of 220, which is not less than RTA's
FD of 31. Therefore, RTZ cannot be a feasible successor (yet). The FD can
change only during an active-to-passive transition, and this did not occur, so it
remains at 31. At this point, because there has not been a transition to active
state for network 24, DUAL has been performing what is called a local
computation.
RTA cannot find any feasible successors, so it finally transitions from passive to
active state for Network 24 and queries its neighbors about Network 24. This
process is known as a diffusing computation. When Network 24 is in active state,
the FD is reset. This allows RTA to at last accept RTZ as the successor to
Network 24.
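The successor and feasible-successor rules of section 3.3.3 and the Network 24 walk-through above are easy to get subtly wrong when reasoning by hand. The following is an added example, not code from the Cisco curriculum: a small Python model of DUAL's selection logic, with link costs standing in for the composite metric as in the figures. The per-neighbor link costs (10) and RTY's reported distance (21) are assumptions chosen only so that the computed costs match the text (31, 40 and 230); the figure's actual values are not reproduced here.

```python
"""Added example (not from the Cisco curriculum): a minimal model of how DUAL
chooses successors and feasible successors from a topology table, and what
happens when successors are lost (local versus diffusing computation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Path:
    neighbor: str
    rd: int    # reported distance: the neighbour's own metric to the destination
    link: int  # metric of the link from this router to that neighbour

    @property
    def computed(self) -> int:
        return self.rd + self.link


@dataclass
class DualRoute:
    dest: str
    paths: Dict[str, Path] = field(default_factory=dict)
    fd: Optional[int] = None              # feasible distance
    state: str = "passive"
    log: List[str] = field(default_factory=list)

    @classmethod
    def from_advertisements(cls, dest: str, paths: List[Path]) -> "DualRoute":
        r = cls(dest, {p.neighbor: p for p in paths})
        r.fd = min(p.computed for p in paths)   # FD is fixed at the passive transition
        return r

    def _feasible(self) -> List[Path]:
        # Feasibility condition: the neighbour's RD must be strictly below our FD.
        return [p for p in self.paths.values() if p.rd < self.fd]

    def successors(self) -> List[str]:
        feas = self._feasible()
        if not feas:
            return []
        best = min(p.computed for p in feas)
        return sorted(p.neighbor for p in feas if p.computed == best)

    def feasible_successors(self) -> List[str]:
        succ = set(self.successors())
        return sorted(p.neighbor for p in self._feasible() if p.neighbor not in succ)

    def neighbor_lost(self, neighbor: str, replies: Optional[List[Path]] = None) -> str:
        """Drop a neighbour's path and run DUAL. `replies` are the paths neighbours
        would return to a query if the route has to go active (constructed input)."""
        self.paths.pop(neighbor, None)
        if self._feasible():
            # Local computation: a feasible successor is promoted; FD is unchanged.
            self.log.append(f"{neighbor} lost: local computation, successor "
                            f"{self.successors()}, FD stays {self.fd}")
            return self.state
        # Diffusing computation: no feasible successor, so the route goes active
        # and the neighbours are queried.
        self.state = "active"
        self.log.append(f"{neighbor} lost: no feasible successor, {self.dest} ACTIVE")
        for p in replies or []:
            self.paths[p.neighbor] = p
        if not self.paths:
            self.state = "unreachable"        # every neighbour replied 'no route'
            return self.state
        self.fd = min(p.computed for p in self.paths.values())  # FD reset on active->passive
        self.state = "passive"
        self.log.append(f"replies in: successor {self.successors()}, FD reset to {self.fd}")
        return self.state


def convergence_scenario() -> List[tuple]:
    """The Network 24 walk-through: RTY fails, then RTX fails."""
    r = DualRoute.from_advertisements("Network 24", [
        Path("RTX", rd=30, link=10),    # computed 40
        Path("RTY", rd=21, link=10),    # computed 31 (assumed split of the FD)
        Path("RTZ", rd=220, link=10),   # computed 230
    ])
    snap = lambda: (r.successors(), r.feasible_successors(), r.fd, r.state)
    steps = [snap()]
    r.neighbor_lost("RTY")
    steps.append(snap())
    r.neighbor_lost("RTX", replies=[Path("RTZ", rd=220, link=10)])
    steps.append(snap())
    return steps


if __name__ == "__main__":
    for step in convergence_scenario():
        print(step)
```

Running it shows the three states the text describes: RTY as successor with RTX as feasible successor (FD 31), then RTX promoted by a local computation with the FD still 31, and finally RTZ accepted only after the route goes active and the FD is reset to 230. The `from_advertisements` constructor also reproduces the equal-cost case of Figure [3]: two neighbors with the same lowest computed cost are both returned as successors.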



3.5 Configuring EIGRP

3.5.1 Configuring EIGRP for IP networks

Figure 1: Configuring EIGRP for IP

Despite the complexity of DUAL, configuring EIGRP can be relatively simple.
EIGRP configuration commands vary depending on the protocol that is to be
routed (for example, IP, IPX, or AppleTalk). This section covers configuration
commands for each of these routed protocols, in addition to special controls for
IPX SAP.
Perform the following steps to configure EIGRP for IP:
1. Enable EIGRP and define the autonomous system.

router(config)# router eigrp autonomous-system-number

The autonomous-system-number is the number that identifies the
autonomous system. It is used to indicate all routers that belong within the
internetwork. This value must be the same for all routers within the
internetwork.
2. Indicate which networks belong to the EIGRP autonomous system on the
local router.

router(config-router)# network network-number

The network-number is the network number that determines which
interfaces of the router participate in EIGRP (every interface with an
address in that network sends and receives EIGRP packets) and which networks
are advertised by the router.

The network command only matches networks the router is directly connected
to. For example, network 3.1.0.0 (on the far left of the main Figure) is not
directly connected to Router A. Consequently, that network is not part of
Router A's configuration.
3. When configuring serial links using EIGRP, it is important to configure the
bandwidth setting on the interface. If the bandwidth for these interfaces is
not changed, EIGRP assumes the default bandwidth on the link (1544 kbps on a
serial interface) instead of the true bandwidth. If the link is slower, the
router may not be able to converge, routing updates might become lost, or
suboptimal path selection may result.

router(config-if)# bandwidth kilobits

The value, kilobits, indicates the intended bandwidth in kilobits per
second. For generic serial interfaces (PPP or HDLC), set the bandwidth to
the line speed.
Cisco also recommends adding the following command to all EIGRP
configurations. It is entered in router configuration mode, not on an
interface:
router(config-router)# eigrp log-neighbor-changes
This command enables the logging of neighbor adjacency changes to monitor the
stability of the routing system and to help detect problems. An adjacency
that appears in the log without a corresponding change to the network is also
an early sign of a misconfigured or rogue router on a segment.

Interactive Lab Activity:

In this lab exercise, you will configure EIGRP on the Singapore router. The
SanJose3 router is already configured for EIGRP.



3.5.2 EIGRP and the bandwidth command

Figure 1: EIGRP WAN Configuration-Pure Multipoint

Figure 2: EIGRP WAN Configuration-Hybrid Multipoint



Figure 3: EIGRP WAN Configuration-Hybrid Multipoint (Preferred)

Network administrators should follow three rules when configuring EIGRP over
a nonbroadcast multiaccess (NBMA) cloud such as Frame Relay:
- EIGRP traffic should not exceed the committed information rate (CIR)
capacity of the virtual circuit (VC).
- EIGRP's aggregated traffic over all the VCs should not exceed the access
line speed of the interface.
- The bandwidth allocated to EIGRP on each VC must be the same in both
directions.
If these rules are understood and followed, EIGRP works well over the WAN. If
care is not taken in the configuration of the WAN, EIGRP can swamp the
network.
Configuring Bandwidth over a Multipoint Network
The configuration of the bandwidth command in an NBMA cloud depends on
the design of the VCs. If the serial line has many VCs in a multipoint
configuration and all of the VCs share bandwidth evenly, set the bandwidth to
the sum of all of the CIRs. For example, in Figure [1], each VC's CIR is set to 56
Kbps. Since there are 4 VCs, the bandwidth is set to 224 (4 x 56).
Configuring Bandwidth over a Hybrid Multipoint Network
If the multipoint network has differing speeds allocated to the VCs, a more
complex solution is needed. There are two main approaches.
Take the lowest CIR and multiply this by the number of VCs. As shown in
Figure [2], this is applied to the physical interface. The problem with this
configuration is that the higher-bandwidth links may be underutilized.
Use subinterfaces. The bandwidth command may be configured on each
subinterface, which allows different speeds on each VC. In this case,
subinterfaces are configured for the links with the differing CIRs. The links that
have the same configured CIR are presented as a single subinterface with a
bandwidth, which reflects the aggregate CIR of all the circuits. In Figure [3],
three of the VCs have the same CIR, 256 Kbps. All three VCs are grouped
together as a multipoint subinterface, serial 0.1. The single remaining VC, which
has a lower CIR, 56 Kbps, can be assigned a point-to-point subinterface, serial
0.2.

3.5.3. The bandwidth-percent command

Figure 1: Using the ip bandwidth-percent Command

The bandwidth-percent command configures the percentage of bandwidth
that may be used by EIGRP on an interface. By default, EIGRP is set to use only
up to 50% of the bandwidth of an interface to exchange routing information. In
order to calculate its percentage, the bandwidth-percent command relies
on the value set by the bandwidth command.
Use the bandwidth-percent command when the bandwidth setting of a link
does not reflect its true speed. The bandwidth value may be artificially low for a
variety of reasons, such as to manipulate the routing metric or to accommodate
an oversubscribed multipoint Frame Relay configuration. Regardless of the
reasons, configure EIGRP to overcome an artificially low bandwidth setting by
setting the bandwidth-percent to a higher number. In some cases, it may
even be set to a number above 100.
For example, assume that the actual bandwidth of a router's serial link is 64
Kbps, but the bandwidth value is set artificially low, to 32 Kbps. The figure
shows how to modify EIGRP's behavior so that it limits routing protocol traffic
according to the actual bandwidth of the serial interface. The example
configuration sets serial 0's bandwidth-percent to 100 percent for the EIGRP
process running in AS 24. Since 100 percent of 32 kbps is 32, EIGRP will be
allowed to use half of the actual bandwidth of 64 Kbps.
Note that a network administrator can change EIGRP's percentage of bandwidth
for IP, IPX, and AppleTalk with the following commands:
- ip bandwidth-percent eigrp
- ipx bandwidth-percent eigrp
- appletalk eigrp-bandwidth-percent



3.5.4 Configuring EIGRP for IPX networks

Figure 1: Configuring EIGRP Support for IPX

Figure 2: Configuring EIGRP Support for IPX



To enable EIGRP for IPX, perform the following steps:
1. Enable IPX routing.

router(config)# ipx routing

2. Define EIGRP as the IPX routing protocol.

router(config)# ipx router {eigrp autonomous-system-number | rip}

If IPX EIGRP is selected, an autonomous system number must be specified.
This number must be the same for all IPX EIGRP routers in the network (see
Figures [1] and [2]).
3. Indicate which networks belong to the EIGRP autonomous system.

router(config-ipx-router)# network network-number

4. (Optional) If IPX RIP is also operating on the router, remove RIP from the
networks using EIGRP by going to the ipx router rip configuration entry and
doing the following:

router(config-ipx-router)# no network network-number


By default, Cisco routers redistribute IPX RIP routes into IPX EIGRP, and vice
versa. When routes are redistributed, a RIP route to a destination with a hop
count of 1 is always preferred over an EIGRP route with a hop count of 1. This
ensures that the router always believes a Novell IPX server over a Cisco router
for internal IPX networks. (The only exception to this rule is if both the RIP and
EIGRP updates were received from the same router. In this case, the EIGRP
route always is preferred over the RIP route when the hop counts are the same.)
Controlling IPX RIP
IPX RIP runs by default when IPX routing is enabled. If a legacy Novell server
is using IPX RIP, a router's LAN interface must also run IPX RIP to exchange
routing information with the server. Because the IPX RIP routes are redistributed
into EIGRP, the router does not need to run IPX RIP on a serial link to another
Cisco router. IPX EIGRP should be used instead. An administrator can disable
IPX RIP on a network-by-network basis using the no network command, as
shown in step 4, above.
EIGRP offers other advantages over RIP in the exchange of IPX information
across WAN links, including controlling of SAP updates, which is discussed in
the following section.



3.5.5 Controlling SAP updates

Figure 1: Controlling SAP Updates

Figure 2: Configuring EIGRP for Incremental SAP Updates

If an IPX EIGRP router has another IPX EIGRP router as its link partner, a
network administrator can configure the router to send SAP updates periodically
or when a change occurs in the SAP table. When no IPX EIGRP peer is present
on the interface, periodic SAPs are always sent.
On serial lines, by default, if an EIGRP neighbor is present, the router sends SAP
updates only when the SAP table changes. Overhead is greatly reduced if a
router updates other routers only when a change occurs.
On Ethernet, Token Ring, and FDDI interfaces, the router sends SAP updates
periodically by default. To reduce the amount of bandwidth required to send
SAP updates, a network administrator might want to disable the periodic sending
of SAP updates on LAN interfaces. This is done only when all nodes out this
interface are EIGRP peers; otherwise, loss of SAP information on the other
nodes will result. If a router's LAN interface connects to a NetWare server, as
shown in the figure, do not disable periodic updates. However, Figure [1] shows
that incremental SAP updates on RTC's E0 can safely be configured.



To configure incremental SAP updates using EIGRP, issue the ipx sap-incremental
eigrp command, which has the following syntax:
router(config-if)#ipx sap-incremental eigrp autonomous-system-number [rsup-only]
The rsup-only keyword is used to indicate that on this interface the system
uses EIGRP to carry reliable SAP update information only. RIP routing updates
are used, and EIGRP routing updates are ignored.
Configure incremental SAP for RTC as shown in Figure [2].
Note that in Figure [1], RTC does not need to run IPX RIP. Thus, it is explicitly
disabled by using the command no ipx router rip in the configuration shown in
Figure [2].

3.5.6 Summarizing EIGRP routes for IP

Figure 1: EIGRP Automatically Summarizes Based on Class

Figure 2: EIGRP Automatically Summarizes Based on Class

EIGRP automatically summarizes routes at the classful boundary (that is, the
boundary where the network address ends as defined by class-based addressing).
This means that even though RTC is connected only to the subnet 2.1.1.0, it will
advertise that it is connected to the entire Class A network, 2.0.0.0. In most
cases, auto summarization is a good thing; it keeps routing tables as compact as
possible (see Figure [1]).
However, as illustrated in Chapter 2: IP Addressing, a network administrator
may not want automatic summarization to occur. If the network has
discontiguous subnetworks, as shown in Figure [2], auto-summarization must be
disabled for routing to work properly. To turn off auto-summarization, use the
following command:
router(config-router)#no auto-summary

3.5.7 Summarizing EIGRP routes for IP, con’t.

Figure 1: Manual Summarization with EIGRP

EIGRP also enables a network administrator to manually configure a prefix to


use as a summary address. Manual summary routes are configured on a per-
interface basis, so the network administrator must first select the interface that
will propagate the route summary. Then the summary address can be defined
with the ip summary-address eigrp command, which has the following
syntax:
router(config-if)#ip summary-address eigrp autonomous-system-number ip-address mask [administrative-distance]
EIGRP summary routes have an administrative distance of 5 by default.
Optionally, they can be configured for a value between 1 and 255.
In the figure, RTC can be configured using the commands shown:
RTC(config)#router eigrp 2446
RTC(config-router)#no auto-summary
RTC(config-router)#exit
RTC(config)#interface serial0
RTC(config-if)#ip summary-address eigrp 2446 2.1.0.0 255.255.0.0
Thus, RTC will add a route to its table, as follows:
D 2.1.0.0/16 is a summary, 00:00:22, Null0
Notice that the summary route is sourced from Null0 and not an actual interface.
This is because this route is used for advertisement purposes and does not
represent a path that RTC can take to reach that network. On RTC, this route has
an administrative distance of 5.
In the figure, RTD is oblivious to the summarization but accepts the route, and it
assigns the route the administrative distance of a "normal" EIGRP route (which
is 90, by default). In the configuration for RTC, automatic summarization is
turned off, with the no auto-summary command. If automatic
summarization were not turned off, RTD would receive two routes, the manual
summary address (2.1.0.0 /16) and the automatic, classful summary address
(2.0.0.0 /8).
In most cases, when using manual summarization, the no auto-summary
command should be issued also.
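The summarization rules of sections 3.5.6 and 3.5.7 are simple arithmetic on prefixes, but two things are worth checking before a summary is advertised: which classful networks auto-summary would collapse (and whether more than one router would advertise the same one, the discontiguous case), and how much address space inside a manual summary is not actually reachable and will be discarded by the Null0 route. The following is an added example, not code from the Cisco curriculum, using only the Python standard library; the router names and subnets are taken from the figures the text describes, and the "conflict" and "gap" checks are this example's own additions.

```python
"""Added example (not from the Cisco curriculum): the arithmetic behind EIGRP
auto-summary and manual summary routes, plus two checks a practitioner wants
before advertising a summary."""
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network


def classful_network(net: str) -> IPv4Net:
    """The network EIGRP advertises with auto-summary on: the classful boundary."""
    n = ipaddress.ip_network(net, strict=False)
    first_octet = int(n.network_address) >> 24
    if first_octet < 128:
        prefix = 8       # Class A
    elif first_octet < 192:
        prefix = 16      # Class B
    elif first_octet < 224:
        prefix = 24      # Class C
    else:
        raise ValueError(f"{net} is not a Class A/B/C unicast network")
    return ipaddress.ip_network(f"{n.network_address}/{prefix}", strict=False)


def manual_summary(subnets: Iterable[str]) -> IPv4Net:
    """Smallest single prefix covering every subnet: the address/mask for
    ip summary-address eigrp <as> <address> <mask>."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def null0_gaps(summary: str, connected: Iterable[str]) -> List[IPv4Net]:
    """Address space inside the summary that no connected subnet covers.
    Packets for these prefixes are attracted by the summary and then dropped by
    the Null0 route, so review the list before advertising the summary."""
    gaps = [ipaddress.ip_network(summary)]
    for s in (ipaddress.ip_network(c) for c in connected):
        nxt = []
        for g in gaps:
            if s.subnet_of(g):
                nxt.extend(g.address_exclude(s))   # carve the subnet out of the gap
            elif not g.subnet_of(s):
                nxt.append(g)                     # untouched gap; covered gaps are dropped
        gaps = nxt
    return sorted(ipaddress.collapse_addresses(gaps))


def auto_summary_conflicts(router_subnets: Dict[str, Iterable[str]]) -> Dict[IPv4Net, List[str]]:
    """Classful networks that more than one router would advertise with
    auto-summary on: the discontiguous case that needs 'no auto-summary'."""
    seen: Dict[IPv4Net, set] = {}
    for router, subnets in router_subnets.items():
        for s in subnets:
            seen.setdefault(classful_network(s), set()).add(router)
    return {net: sorted(rs) for net, rs in seen.items() if len(rs) > 1}


if __name__ == "__main__":
    print("auto-summary of 2.1.1.0/24:", classful_network("2.1.1.0/24"))
    print("manual summary:", manual_summary(["2.1.1.0/24", "2.1.2.0/24"]))
    for g in null0_gaps("2.1.0.0/16", ["2.1.1.0/24"]):
        print("  black-holed by Null0:", g)
    print(auto_summary_conflicts({"RTC": ["2.1.1.0/24"], "RTD": ["2.1.2.0/24"]}))
```

For the figure's RTC, which is connected only to 2.1.1.0/24 but advertises 2.1.0.0/16, `null0_gaps` lists the eight blocks (2.1.0.0/24 up to 2.1.128.0/17) for which RTD will now forward traffic to RTC only to have it discarded; that is the intended behaviour of a summary, but it is also why a summary should never be wider than the space the router really owns.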



3.6 Monitoring EIGRP

3.6.1 Verifying EIGRP operation

Figure 1: EIGRP show Commands

Figure 2: EIGRP debug Commands

Throughout this chapter, EIGRP show commands have been used to verify
EIGRP operation. Figure [1] lists the key EIGRP show commands and briefly
describes their functions.
The Cisco IOS debug feature also provides useful EIGRP monitoring
commands, as listed in Figure [2].



3.7 EIGRP Configuration Lab Exercises

3.7.1 Configuring EIGRP with IGRP

Lab Activity:

In this lab, you configure both EIGRP and IGRP within the International Travel
Agency WAN and observe the automatic sharing of route information between
both protocols.

3.7.2 Configuring EIGRP fault tolerance

Lab Activity:

In this lab, you configure EIGRP over a full-mesh topology so that you can test
and observe DUAL replace a successor with a feasible successor after a link
failure.

3.7.3 Configuring EIGRP summarization

Lab Activity:

In this lab, you configure EIGRP to test its operation over discontiguous subnets
by disabling automatic route summarization. Then you manually configure
EIGRP to use specific summary routes.



3.8 Configuring EIGRP Challenge Lab
Exercise

3.8.1 EIGRP challenge lab

Lab Activity:

In this lab, you configure an International Travel Agency EIGRP WAN link with
one IGRP segment within the same autonomous system. You also use EIGRP
interface summarization to reduce the number of routes in an EIGRP routing
table.



Summary
In this chapter, the reader learned that EIGRP, a routing protocol developed by
Cisco, is an advanced distance-vector routing protocol that uses the DUAL
algorithm. EIGRP includes features such as rapid convergence, reduced
bandwidth usage, and multiple network-layer support.
The text demonstrates that EIGRP converges rapidly, performs incremental
updates, routes IP, IPX, and AppleTalk traffic, and summarizes routes. The
reader learned how to configure and verify EIGRP configuration for various
protocols.
In the next chapter, how to optimize routing operations using static routes,
default routes, and route filtering will be discussed.



1.10.1 Configuring VLSM and IP Unnumbered

Topology (addresses reconstructed from the lab diagram; SanJose1 and SanJose2
share the 192.168.1.32 /27 LAN):

Router     Interface   Address
Vista      Fa0/0       192.168.1.65 /27   (Host B: 192.168.1.66 /27)
Vista      S0/0        192.168.1.1 /30    (to SanJose1 S0/0)
Vista      S0/1        192.168.1.5 /30    (to SanJose2 S0/0)
SanJose1   S0/0        192.168.1.2 /30
SanJose1   Fa0/0       192.168.1.33 /27
SanJose2   S0/0        192.168.1.6 /30
SanJose2   Fa0/0       192.168.1.34 /27   (Host A: 192.168.1.35)
Objective
In this lab, the student will configure VLSM and test its functionality with two different
routing protocols, RIPv1 and RIPv2. Finally, the student will use IP unnumbered in place
of VLSM to further conserve addresses.

Scenario
When International Travel Agency was much smaller, it wanted to configure its network
using a single Class C address: 192.168.1.0 as shown in the following table. The routers
need to be configured with the appropriate addresses. The company requires that at least
25 host addresses be available on each LAN, but it also demands that the maximum
number of addresses be conserved for future growth.

To support 25 hosts on each subnet, a minimum of five (5) bits is needed in the host
portion of the address. Five (5) bits will yield 30 possible host addresses
(2^5 - 2 = 32 - 2 = 30). If five (5) bits must be used for hosts, the other three (3)
bits in the last octet can be added to the default 24-bit Class C mask. Therefore, a
27-bit mask can be used to create the following eight subnets: 192.168.1.0 /27,
192.168.1.32 /27, 192.168.1.64 /27, 192.168.1.96 /27, 192.168.1.128 /27,
192.168.1.160 /27, 192.168.1.192 /27, and 192.168.1.224 /27.

1-3 Routing Section 1: IP Addressing – Lab 1.10.1 Copyright  2002, Cisco Systems, Inc.
To maximize this address space, the 192.168.1.0 /27 subnet is subnetted further using a
30-bit mask. This creates subnets that can be used on point-to-point links with minimal
waste, because each subnet contains only two usable host addresses.
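The allocation just described (two /27 LANs, with subnet zero carved into /30 links) is the hand-worked instance of a general VLSM procedure: size each subnet from its host count, and carve subnets from the free space so that nothing overlaps. The following is an added example, not part of the Cisco lab, that implements that procedure with the Python standard library and reproduces the lab's addressing. The requirement names are this example's own; allocating in the lab's order (links first) yields exactly the diagram's subnets, while the usual largest-first rule yields an equally valid but different layout.

```python
"""Added example (not part of the Cisco lab): a VLSM planner that carves a
block into right-sized subnets and checks the result for overlaps."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


def host_bits(hosts: int) -> int:
    """Smallest h with 2**h - 2 >= hosts (network and broadcast excluded)."""
    h = 2
    while (1 << h) - 2 < hosts:
        h += 1
    return h


def plan_vlsm(block: str, requirements: List[Tuple[str, int]],
              largest_first: bool = True) -> Dict[str, IPv4Net]:
    """Allocate one subnet per (name, hosts) requirement from `block`.
    largest_first=True is the usual VLSM rule (big subnets first so the small
    ones fit in the remainder); False allocates in the order given."""
    base = ipaddress.ip_network(block)
    order = sorted(requirements, key=lambda r: -r[1]) if largest_first else list(requirements)
    free: List[IPv4Net] = [base]           # unallocated blocks, kept sorted by address
    plan: Dict[str, IPv4Net] = {}
    for name, hosts in order:
        prefix = base.max_prefixlen - host_bits(hosts)
        for i, blk in enumerate(free):
            if blk.prefixlen <= prefix:    # first free block big enough
                chosen = blk if blk.prefixlen == prefix else next(blk.subnets(new_prefix=prefix))
                free.pop(i)
                free.extend(blk.address_exclude(chosen))   # return the remainder to the pool
                free.sort(key=lambda n: (int(n.network_address), n.prefixlen))
                plan[name] = chosen
                break
        else:
            raise ValueError(f"{block} has no room left for {name} ({hosts} hosts)")
    return plan


def overlaps(plan: Dict[str, IPv4Net]) -> List[Tuple[str, str]]:
    """Pairs of allocations that overlap; a correct plan returns []."""
    items = list(plan.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


LAB_REQUIREMENTS = [                        # constructed from the lab scenario
    ("Vista-SanJose1 link", 2),
    ("Vista-SanJose2 link", 2),
    ("SanJose LAN", 25),
    ("Vista LAN", 25),
]


def lab_plan() -> Dict[str, str]:
    """Reproduce the lab diagram: the links are carved from subnet zero first,
    then the two LANs take 192.168.1.32/27 and 192.168.1.64/27."""
    plan = plan_vlsm("192.168.1.0/24", LAB_REQUIREMENTS, largest_first=False)
    return {name: str(net) for name, net in plan.items()}


if __name__ == "__main__":
    for name, net in lab_plan().items():
        print(f"{name:22} {net}")
    print("overlaps:", overlaps(plan_vlsm("192.168.1.0/24", LAB_REQUIREMENTS)))
```

Note that the planner raises rather than silently reusing space when the block is exhausted, and that `overlaps` is the check to run on any hand-edited plan before it is configured: overlapping subnets on different routers are a common cause of the "reachable from one side only" symptoms seen in Step 2 of this lab.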

Note that in the following steps some commands may need to be changed to
match the actual equipment being used (ethernet may need to be used in place of
fastethernet).

Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet 0, so the ip subnet-zero command might need to be entered. This will
depend on which IOS version is being used. Note: Host A and Host B are not required to
complete this lab.

On all three routers, configure RIPv1 and enable updates on all active interfaces with this
network command:

SanJose1(config)#router rip
SanJose1(config-router)#network 192.168.1.0

Use ping to verify that each router can ping its directly connected neighbor. Note: Some
remote networks might be unreachable. Proceed to Step 2 anyway.

Step 2.
Issue the show ip route command on Vista, as shown in the following example:

Vista#show ip route
<output omitted>
Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks


C 192.168.1.64/27 is directly connected, FastEthernet0/0
C 192.168.1.0/30 is directly connected, Serial0/0
C 192.168.1.4/30 is directly connected, Serial0/1

The 192.168.1.32 /27 subnet is clearly absent from Vista’s table.

1. The other routers also have incomplete tables. Why is this so?

Because RIPv1 with VLSM is being used, routing has broken down on the network.
Remember that VLSM is not supported by classful routing protocols such as RIPv1 and
IGRP. These protocols do not send subnet masks in their routing updates. In order for
routing to work, RIPv2 must be configured, which does support VLSM.
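The rule behind this answer can be reproduced outside the lab. The following Python simulation is an added example, not code from the lab or from Cisco: it applies the classful advertising rules RIPv1 follows (a subnet of the same major network is sent out an interface only when its mask equals that interface's mask; a subnet of a different major network is summarized to its classful boundary) and contrasts them with RIPv2, which carries the mask. The serial addresses 192.168.1.2/30 (SanJose1) and 192.168.1.6/30 (SanJose2) are the next-hop addresses shown in Vista's routing table above; the 10.1.1.0/24 route is a constructed extra input used only to show auto-summarization.

```python
import ipaddress


def classful_network(addr):
    """Natural (class A/B/C) network of an address: the only granularity RIPv1 can
    express when the destination lies in a different major network."""
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def ripv1_advertisement(route, out_iface):
    """What RIPv1 sends for `route` (IPv4Network) out of `out_iface` (IPv4Interface),
    or None when the route is suppressed.

    RIPv1 updates carry no subnet mask, so a receiver applies the mask of the link the
    update arrived on. Within the same major network the sender can therefore only
    advertise subnets whose mask equals the outgoing interface's mask; a VLSM subnet
    with a different mask would be misread, so it is not sent at all.
    """
    if classful_network(route.network_address) == classful_network(out_iface.ip):
        if route.prefixlen == out_iface.network.prefixlen:
            return str(route.network_address)          # sent, without a mask
        return None                                    # VLSM subnet: suppressed
    # different major network: auto-summarized to the classful boundary
    return str(classful_network(route.network_address).network_address)


def ripv2_advertisement(route, out_iface):
    """RIPv2 carries the mask, so every route goes out as prefix/length (auto-summary off)."""
    return str(route)


def learned_routes(updates, version):
    """Prefixes a router learns from a list of (route, neighbour_outgoing_interface) pairs."""
    advertise = ripv1_advertisement if version == 1 else ripv2_advertisement
    learned = set()
    for route, out_iface in updates:
        adv = advertise(route, out_iface)
        if adv is not None:
            learned.add(adv)
    return learned


# Constructed replay of the lab topology: both SanJose1 and SanJose2 advertise the
# shared 192.168.1.32/27 LAN to Vista across their /30 serial links.
LAN_32 = ipaddress.ip_network("192.168.1.32/27")
SANJOSE1_SERIAL = ipaddress.ip_interface("192.168.1.2/30")
SANJOSE2_SERIAL = ipaddress.ip_interface("192.168.1.6/30")
LINK_4 = ipaddress.ip_network("192.168.1.4/30")        # same mask as the serial links
ROUTE_10 = ipaddress.ip_network("10.1.1.0/24")         # constructed: other major network
UPDATES_TO_VISTA = [(LAN_32, SANJOSE1_SERIAL), (LAN_32, SANJOSE2_SERIAL)]


def vista_table(version):
    """Vista's connected subnets plus whatever the neighbours' RIP version lets through."""
    connected = {"192.168.1.64/27", "192.168.1.0/30", "192.168.1.4/30"}
    return connected | learned_routes(UPDATES_TO_VISTA, version)


if __name__ == "__main__":
    for v in (1, 2):
        print(f"RIPv{v}:", sorted(vista_table(v)))
```

With version 1 the 192.168.1.32/27 entry never appears in Vista's table, exactly as in Step 2; with version 2 it is learned from both neighbours.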

Step 3.
At each of three router consoles, enable RIPv2 updates and turn off automatic route
summarization, as shown in the following example:

SanJose1(config)#router rip
SanJose1(config-router)#version 2
SanJose1(config-router)#no auto-summary

When all three routers are running RIPv2, return to Vista and examine its routing table. It
should now be complete, as shown below:

Vista#show ip route
<output omitted>
Gateway of last resort is not set

192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.1.64/27 is directly connected, Ethernet0
R 192.168.1.32/27 [120/1] via 192.168.1.6, 00:00:12, Serial1
[120/1] via 192.168.1.2, 00:00:13, Serial0
C 192.168.1.0/30 is directly connected, Serial0
C 192.168.1.4/30 is directly connected, Serial1

Notice that Vista has received equal cost routes to 192.168.1.32 /27 from both SanJose1
and SanJose2.

Step 4.
Although VLSM has reduced ITA’s address waste by creating very small subnets for
point-to-point links, the IP unnumbered feature can make it unnecessary to address these
links altogether. Further maximize ITA’s address use by configuring IP unnumbered on
every serial interface in the WAN. To configure IP unnumbered, use the following
commands:

SanJose1(config)#interface serial 0/0
SanJose1(config-if)#ip unnumbered fastethernet 0/0

Vista(config)#interface serial 0/0
Vista(config-if)#ip unnumbered fastethernet 0/0
Vista(config-if)#interface serial 0/1
Vista(config-if)#ip unnumbered fastethernet 0/0

SanJose2(config)#interface serial 0/0
SanJose2(config-if)#ip unnumbered fastethernet 0/0

After the IP unnumbered configuration is complete, each serial interface borrows the
address of the local LAN interface. Check Vista’s table again:

Vista#show ip route
<output omitted>
Gateway of last resort is not set

192.168.1.0/27 is subnetted, 2 subnets
C 192.168.1.64 is directly connected, FastEthernet0/0
R 192.168.1.32 [120/1] via 192.168.1.34, 00:00:00, Serial0/1
[120/1] via 192.168.1.33, 00:00:08, Serial0/0

With IP unnumbered configured, only LANs require addresses. Because each LAN uses
the same 27-bit mask, VLSM is not required. This makes classful routing protocols, such
as RIPv1 and IGRP, viable options.

1.10.2.1: VLSM

[Diagram: network 192.168.10.0 with four LANs requiring 60, 28, 12 and 12 hosts]

Objective
Create an addressing scheme using variable length subnet masking (VLSM).

Scenario
The assignment is the Class C address 192.168.10.0 and it must support the network
shown in the diagram. The use of IP unnumbered or NAT is not permitted on this
network. Create an addressing scheme that meets the requirements shown in the
diagram.

1-1 Routing Section 1: IP Addressing – Lab 1.10.2.1 Copyright © 2002, Cisco Systems, Inc.
1.10.2.2: VLSM

[Diagram: network 192.168.24.0 /22 with four LANs requiring 400, 200, 50 and 50 hosts]

Objective
Create an addressing scheme using VLSM.

Scenario
The assignment is the CIDR address 192.168.24.0 /22 and it must support the network
shown in the diagram. The use of IP unnumbered or NAT is not permitted on this
network. Create an addressing scheme that meets the requirements shown in the
diagram.

1-1 Routing Section 1: IP Addressing – Lab 1.10.2.2 Copyright © 2002, Cisco Systems, Inc.
1.10.2.3: VLSM

[Diagram: network 192.168.30.0 /23 with seven LANs requiring 120, 90, 60, 30, 24, 24 and 20 hosts]

Objective
Create an addressing scheme using VLSM.

Scenario
The assignment is the CIDR address 192.168.30.0 /23 and it must support the network
shown in the diagram. The use of IP unnumbered or NAT is not permitted on this
network. Create an addressing scheme that meets the requirements shown in the
diagram.
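The three exercises above all follow the same procedure: sort the requirements from largest to smallest, give each LAN the smallest subnet whose usable host count (2^n – 2) covers it, and allocate subnets back to back so that each stays aligned to its own size. The Python allocator below is an added example, not part of the lab or of Cisco's material; the requirement sets are taken from the three diagrams, and the LAN names (lan_60 and so on) are constructed labels. It also raises an error when a block cannot hold the requested subnets, which is the check a designer wants before committing to a scheme.

```python
import ipaddress


def subnet_prefix_for(hosts):
    """Smallest prefix length whose usable host count (2^n - 2) covers `hosts`.
    Never smaller than /30, the point-to-point size used earlier in this section."""
    host_bits = max((hosts + 2 - 1).bit_length(), 2)
    return 32 - host_bits


def vlsm_plan(block, requirements):
    """Allocate one subnet per requirement from `block`, largest requirement first.
    `requirements` maps a LAN name to the number of hosts it must support."""
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    limit = int(parent.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = subnet_prefix_for(hosts)
        size = 1 << (32 - prefix)
        if cursor % size:                       # keep every subnet aligned to its own size
            cursor += size - cursor % size
        if cursor + size > limit:
            raise ValueError(f"{block} cannot hold {name} ({hosts} hosts) "
                             "after the larger subnets have been placed")
        plan[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return plan


def fits(block, requirements):
    """True when every requirement can be carved out of the block."""
    try:
        vlsm_plan(block, requirements)
        return True
    except ValueError:
        return False


def plan_rows(plan):
    """Rows of (name, subnet, first host, last host, broadcast, usable hosts) for an
    addressing document."""
    rows = []
    for name, net in plan.items():
        hosts = list(net.hosts())
        rows.append((name, str(net), str(hosts[0]), str(hosts[-1]),
                     str(net.broadcast_address), len(hosts)))
    return rows


# Constructed requirement sets copied from the three exercise diagrams above.
LAB_1_10_2_1 = ("192.168.10.0/24",
                {"lan_60": 60, "lan_28": 28, "lan_12a": 12, "lan_12b": 12})
LAB_1_10_2_2 = ("192.168.24.0/22",
                {"lan_400": 400, "lan_200": 200, "lan_50a": 50, "lan_50b": 50})
LAB_1_10_2_3 = ("192.168.30.0/23",
                {"lan_120": 120, "lan_90": 90, "lan_60": 60, "lan_30": 30,
                 "lan_24a": 24, "lan_24b": 24, "lan_20": 20})

if __name__ == "__main__":
    for block, reqs in (LAB_1_10_2_1, LAB_1_10_2_2, LAB_1_10_2_3):
        print(block)
        for row in plan_rows(vlsm_plan(block, reqs)):
            print("  %-8s %-20s %-16s %-16s %-16s %d" % row)
```

Because the requirements are sorted before allocation, the cursor is already aligned when each smaller subnet is placed; the alignment step only matters if the function is called with an unsorted list of fixed prefixes.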

1-1 Routing Section 1: IP Addressing – Lab 1.10.2.3 Copyright © 2002, Cisco Systems, Inc.
1.10.3: Using DHCP and IP Helper Addresses

[Diagram: SanJose1 (IOS DHCP server) Fa0/0 10.0.0.1 /8 to Host A (DHCP client); SanJose1 S0/0 192.168.1.2 /24 to Vista S0/0 192.168.1.1 /24; Vista Fa0/0 192.168.3.1 /24 to Host B (DHCP client)]

Objective
In this lab, the student will configure a Cisco router to act as a DHCP server for clients
on two separate subnets, and will use the IP helper address feature to forward DHCP
requests from a remote subnet.

Scenario
Clients on the 192.168.3.0/24 network and the 10.0.0.0/8 network require the services of
DHCP for automatic IP configuration. Configure SanJose1 to serve both subnets by
creating two separate address pools. Finally, configure Vista’s FastEthernet interface to
forward UDP broadcasts, including DHCP requests, to SanJose1.

Note that in the following steps some commands may need to be changed
to match the actual equipment being used (ethernet may need to be used
in place of fastethernet).

Step 1.
Build and configure the network according to the diagram. Connect Host A and Host B as
shown, but configure these clients to obtain their IP addresses automatically. Because
these hosts rely on DHCP, they cannot be tested using ping until Step 5.

Configure RIPv2 on SanJose1 and Vista. Be sure to enable updates on all active
interfaces with the network command:

1-3 Routing Section 1: IP Addressing – Lab 1.10.3 Copyright © 2002, Cisco Systems, Inc.
SanJose1(config)#router rip
SanJose1(config-router)#version 2
SanJose1(config-router)#network 192.168.1.0
SanJose1(config-router)#network 10.0.0.0

Use ping and show ip route to verify the work and test connectivity between
SanJose1 and Vista.

Step 2.
Configure SanJose1 to act as a DHCP server for clients on the 10.0.0.0/8 network.

First, verify that SanJose1’s software can use DHCP services and that they are enabled:

SanJose1(config)#service dhcp

Next, configure the DHCP address pool for the 10.0.0.0 network. Name
the pool 10-net:

SanJose1(config)#ip dhcp pool 10-net
SanJose1(dhcp-config)#network 10.0.0.0 255.0.0.0

Step 3.
International Travel Agency uses the first ten addresses in this address range to statically
address servers and routers. From global configuration mode, exclude addresses from
the DHCP pool so that the server does not attempt to assign them to clients. Configure
SanJose1 to dynamically assign addresses from the 10-net pool, starting with 10.0.0.11:

SanJose1(config)#ip dhcp excluded-address 10.0.0.1 10.0.0.10

Step 4.
Return to DHCP configuration mode and assign the following IP options: default gateway
address, DNS server address, WINS server address, and domain name:

SanJose1(dhcp-config)#default-router 10.0.0.1
SanJose1(dhcp-config)#dns-server 10.0.0.3
SanJose1(dhcp-config)#netbios-name-server 10.0.0.4
SanJose1(dhcp-config)#domain-name xyz.net

Step 5.
The DHCP server is now ready to be tested. Check the TCP/IP Properties on the
workstation to ensure that it is set to obtain an IP address automatically.

Release and renew Host A’s IP configuration. On Windows 95/98, use winipcfg; on
Windows NT/2000, use ipconfig /release and ipconfig /renew.

Host A should be dynamically assigned the first available address in the pool, which is
10.0.0.11. Check Host A’s configuration with winipcfg to verify that it received the
proper IP address, subnet mask, default gateway, DNS server address, and WINS server
address. Check Host A’s configuration with ipconfig /all for Windows NT and
Windows 2000 users. Troubleshoot, if necessary.

Step 6.
Because Host B also requires dynamic IP configuration, create a second DHCP pool with
address and gateway options appropriate to Host B’s network, 192.168.3.0 /24:

SanJose1(config)#ip dhcp pool 192.168.3-net
SanJose1(dhcp-config)#network 192.168.3.0 255.255.255.0
SanJose1(dhcp-config)#default-router 192.168.3.1
SanJose1(dhcp-config)#dns-server 10.0.0.3
SanJose1(dhcp-config)#netbios-name-server 10.0.0.4
SanJose1(dhcp-config)#domain-name xyz.net

ITA has recently installed IP phones on the 192.168.3.0 network. These phones require a
DHCP server to provide a TFTP server address (10.0.0.5). The Cisco IOS DHCP server
configuration does not provide a keyword for TFTP servers, so configure this option using
its raw option number:

SanJose1(dhcp-config)#option 150 ip 10.0.0.5

Note: option 150 is the DHCP option that carries the TFTP server's IP address.

Step 7.
The configuration of the DHCP server is now complete. However, Host B uses a UDP
broadcast to find an IP address, and Vista is not configured to forward broadcasts. In
order for DHCP to work, configure Vista’s FastEthernet interface to forward UDP
broadcasts to SanJose1:

Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip helper-address 192.168.1.2

Step 8.
Release and renew Host B’s IP configuration while simultaneously logged into
SanJose1’s console. Use a second host, if necessary.

1. Did SanJose1 report any DHCP messages?

Verify, using winipcfg or ipconfig /all, that Host B received the correct IP
configuration, and troubleshoot if necessary.

2. An ip dhcp excluded-address command was not issued. The DHCP server did not
assign Host B 192.168.3.1. Why not?

Issue show ip dhcp ? and note the choices. Try the conflict and binding options.

3. How did SanJose1 know to assign Host B an address from the 192.168.3-net pool and
not the 10-net pool?
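The mechanics behind questions 2 and 3, and the raw option 150 configured in Step 6, can be shown in a small model. The Python below is an added example, not code from the lab or from the IOS DHCP server: it selects a pool the way a server does for a relayed request (the relay agent puts the address of the interface that received the broadcast, here Vista's 192.168.3.1, into the giaddr field, and a directly received broadcast is matched against the server's own receiving interface), skips excluded addresses and addresses that answer a probe before being offered (modelled here by a constructed in_use set standing in for the server's ping check; IOS records these as conflicts), and encodes the OFFER options, including option 150, as DHCP TLVs. The pool contents are the lab's; the function names are this example's own.

```python
import ipaddress
import struct

# Constructed model of the two pools configured on SanJose1 in this lab.
POOLS = {
    "10-net": {
        "network": ipaddress.ip_network("10.0.0.0/8"),
        "excluded": [("10.0.0.1", "10.0.0.10")],
        "options": {"default-router": "10.0.0.1", "dns-server": "10.0.0.3",
                    "netbios-name-server": "10.0.0.4", "domain-name": "xyz.net"},
    },
    "192.168.3-net": {
        "network": ipaddress.ip_network("192.168.3.0/24"),
        "excluded": [],
        "options": {"default-router": "192.168.3.1", "dns-server": "10.0.0.3",
                    "netbios-name-server": "10.0.0.4", "domain-name": "xyz.net",
                    "option150": "10.0.0.5"},
    },
}


def select_pool(giaddr, receiving_iface_addr, pools=POOLS):
    """Pool for a DISCOVER: a relayed request carries the relay's interface address in
    giaddr; a local broadcast (giaddr 0.0.0.0) is matched against the receiving interface."""
    probe = ipaddress.ip_address(receiving_iface_addr if giaddr == "0.0.0.0" else giaddr)
    for name, pool in pools.items():
        if probe in pool["network"]:
            return name
    return None


def is_excluded(addr, pool):
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in pool["excluded"])


def next_free_address(pool_name, in_use=frozenset(), bound=frozenset(), pools=POOLS):
    """First assignable address and the conflicts found on the way.
    `in_use` stands in for hosts that answer the server's probe before an OFFER (a
    constructed stand-in for the ping check); `bound` are addresses already leased."""
    pool = pools[pool_name]
    conflicts = []
    for addr in pool["network"].hosts():
        if is_excluded(addr, pool) or str(addr) in bound:
            continue
        if str(addr) in in_use:
            conflicts.append(str(addr))
            continue
        return str(addr), conflicts
    raise RuntimeError(f"pool {pool_name} exhausted")


def encode_ip_option(code, ips):
    """DHCP option TLV whose payload is one or more IPv4 addresses (code 150: TFTP server)."""
    payload = b"".join(ipaddress.ip_address(ip).packed for ip in ips)
    return struct.pack("!BB", code, len(payload)) + payload


def offer_options(pool_name, pools=POOLS):
    """Option field of the OFFER built from a pool: standard codes plus raw option 150."""
    pool = pools[pool_name]
    opts = pool["options"]
    out = encode_ip_option(1, [str(pool["network"].netmask)])     # subnet mask
    out += encode_ip_option(3, [opts["default-router"]])          # router
    out += encode_ip_option(6, [opts["dns-server"]])              # DNS server
    domain = opts["domain-name"].encode()
    out += struct.pack("!BB", 15, len(domain)) + domain           # domain name
    out += encode_ip_option(44, [opts["netbios-name-server"]])    # NetBIOS (WINS) server
    if "option150" in opts:
        out += encode_ip_option(150, [opts["option150"]])         # TFTP server, by number
    return out + b"\xff"                                           # end option


def decode_options(blob):
    """Parse a TLV option field back into {code: payload}, e.g. to check a capture."""
    out, i = {}, 0
    while i < len(blob) and blob[i] != 0xFF:
        code, length = blob[i], blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out
```

Run against the lab's values, the model picks 192.168.3-net for a request relayed by Vista and 10-net for Host A's local broadcast, and it skips 192.168.3.1 because Vista answers the probe, which is what the conflict table in show ip dhcp conflict records.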

2.6.1 Configuring OSPF

[Diagram: SanJose1 (Lo0 192.168.31.11 /32, Fa0/0 192.168.1.1 /24), SanJose2 (Lo0 192.168.31.22 /32, Fa0/0 192.168.1.2 /24) and SanJose3 (Lo0 192.168.31.33 /32, Fa0/0 192.168.1.3 /24) connected by Ethernet in Area 0]

Objective
In this lab, the student will configure OSPF on three Cisco routers. First, loopback
interfaces will be configured to provide stable OSPF Router IDs. Then the OSPF process
will be configured and OSPF will be enabled on the appropriate interfaces. After OSPF is
enabled, the update timers are tuned and authentication is configured.

Scenario
The backbone of International Travel Agency’s (ITA) WAN, located in San Jose, consists
of three routers connected via an Ethernet core. These core routers must be configured
as members of OSPF Area 0. Because the core routers are connected to the Internet,
security must be implemented to prevent unauthorized routers from joining Area 0. Also,
within the core, network failures need to be identified quickly.

Step 1.
Build and configure the network according to the diagram, but do not configure OSPF yet.
A switch or hub is required to connect the three routers via Ethernet.

Use ping to verify and test connectivity between the FastEthernet interfaces.

Step 2.
On each router, configure a loopback interface with a unique IP address. Cisco routers
use the highest loopback IP address as the OSPF Router ID. In the absence of a
loopback interface, the router uses the highest IP address among its active interfaces,
which might force a router to change router IDs if an interface goes down. Because
loopback interfaces are immune to physical and data link problems, they should be used
to derive the router ID. To avoid conflicts with registered network addresses, use private
network ranges for the loopback interfaces. Configure the core routers using the following
commands:

SanJose1(config)#interface loopback 0
SanJose1(config-if)#ip address 192.168.31.11 255.255.255.255

SanJose2(config)#interface loopback 0
SanJose2(config-if)#ip address 192.168.31.22 255.255.255.255

SanJose3(config)#interface loopback 0
SanJose3(config-if)#ip address 192.168.31.33 255.255.255.255

Step 3.
Now that loopback interfaces are configured, configure OSPF. Use the following
commands as an example to configure each router:

SanJose1(config)#router ospf 1
SanJose1(config-router)#network 192.168.1.0 0.0.0.255 area 0

Note: An OSPF process ID is locally significant. It has no meaning beyond the local
router. The ID is needed to identify a unique instance of an OSPF database, because
multiple processes can run concurrently on a single router.

Step 4.
After OSPF routing is enabled on each of the three routers, verify its operation using
show commands. Several important show commands can be used to gather OSPF
information. First, issue the show ip protocols command on any of the three routers,
as follows:

SanJose1#show ip protocols
Routing Protocol is "ospf 1"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is
Incoming update filter list for all interfaces is
Redistributing: ospf 1
Routing for Networks:
192.168.1.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 110)

2-6 Routing Section 2: OSPF - Lab 2.6.1 Copyright © 2002, Cisco Systems, Inc.
Note: The update timers are set to zero (0). Updates are not sent at regular intervals.
Updates are event driven. Next, use the show ip ospf command to get more details
about the OSPF process, including the router ID:

SanJose1#show ip ospf
Routing Process "ospf 1" with ID 192.168.31.11
Supports only single TOS(TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 0. Checksum Sum 0x0
Number of DCbitless external LSA 0
Number of DoNotAge external LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 5 times
Area ranges are
Number of LSA 4. Checksum Sum 0x1CAC4
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

1. What address is the router using as its router ID?

The loopback interface should be seen as the router ID. To see the OSPF neighbors, use
the show ip ospf neighbor command. The output of this command displays all
known OSPF neighbors, including their router IDs, their interface addresses, and their
adjacency status. Also issue the show ip ospf neighbor detail command, which
will output even more information:

SanJose1#show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address        Interface
192.168.31.22   1     FULL/BDR   00:00:36    192.168.1.2    FastEthernet0/0
192.168.31.33   1     FULL/DR    00:00:33    192.168.1.3    FastEthernet0/0

SanJose1#show ip ospf neighbor detail

Neighbor 192.168.31.22, interface address 192.168.1.2
In the area 0 via interface FastEthernet0/0
Neighbor priority is 1, State is FULL, 6 state changes
DR is 192.168.1.3 BDR is 192.168.1.2
Options 2
Dead timer due in 00:00:34
Index 2/2, retransmission queue length 0, number of retransmission 2
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Neighbor 192.168.31.33, interface address 192.168.1.3
In the area 0 via interface FastEthernet0/0
Neighbor priority is 1, State is FULL, 6 state changes
DR is 192.168.1.3 BDR is 192.168.1.2
Options 2
Dead timer due in 00:00:30
Index 1/1, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec

3-6 Routing Section 2: OSPF - Lab 2.6.1 Copyright  2002, Cisco Systems, Inc.
2. Based on the output of this command, which router is the Designated Router (DR) on this
network?

3. Which router is the Backup Designated Router (BDR)?

Most likely, the router with the highest router ID is the DR, the router with the second
highest router ID is the BDR, and the other router is a DRother.

Because each interface on a given router is connected to a different network, some of the
key OSPF information is interface specific. Issue the show ip ospf interface
command for the router’s FastEthernet interface shown as follows:

SanJose1#show ip ospf interface fa0/0

FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.1.1/24, Area 0
Process ID 1, Router ID 192.168.31.11, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DROTHER, Priority 1
Designated Router (ID) 192.168.31.33, Interface address 192.168.1.3
Backup Designated router (ID) 192.168.31.22, Interface address 192.168.1.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:09
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 0, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 192.168.31.22 (Backup Designated Router)
Adjacent with neighbor 192.168.31.33 (Designated Router)
Suppress hello for 0 neighbor(s)

4. Based on the output of this command, what OSPF network type is the FastEthernet
interface connected to?

5. What is the Hello update timer set to?

6. What is the Dead timer set to?

Ethernet networks are known to OSPF as broadcast networks. The default timer values
are ten (10) second hello updates and 40 second dead intervals.

Step 5.
The OSPF timers need to be adjusted so that the core routers will detect network failures
in less time. This will increase traffic, but this is less of a concern on the high speed core
Ethernet segment than on a busy WAN link. The need for quick convergence at the core
outweighs the extra traffic. The Hello and Dead intervals must be manually changed on
SanJose1 as follows:

SanJose1(config)#interface fastethernet 0/0
SanJose1(config-if)#ip ospf hello-interval 5
SanJose1(config-if)#ip ospf dead-interval 20

These commands set the Hello update timer to five (5) seconds and the Dead interval to
20 seconds. Although the Cisco IOS does not require it, configure the Dead interval to
four times the Hello interval. This ensures that routers experiencing temporary link
problems can recover and are not declared dead unnecessarily, causing a continuance of
updates and recalculations throughout the internetwork.

After the timers are changed on SanJose1, issue the show ip ospf neighbor
command.

7. Does SanJose1 still show that it has OSPF neighbors?

To find out what happened to SanJose1’s neighbors, use the IOS debug feature. Enter
the command debug ip ospf events.

SanJose1#debug ip ospf events
OSPF events debugging is on
SanJose1#
00:08:25: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:08:25: OSPF: Mismatched hello parameters from 192.168.1.2
00:08:25: Dead R 40 C 20, Hello R 10 C 5 Mask R 255.255.255.0 C 255.255.255.0
SanJose1#
00:08:32: OSPF: Rcv hello from 192.168.31.33 area 0 from FastEthernet0/0 192.168.1.3
00:08:32: OSPF: Mismatched hello parameters from 192.168.1.3
00:08:32: Dead R 40 C 20, Hello R 10 C 5 Mask R 255.255.255.0 C 255.255.255.0

8. According to the debug output, what is preventing SanJose1 from forming relationships
with the other two OSPF routers in Area 0?

The Hello and Dead intervals must be the same before routers within an area can form
neighbor adjacencies.

Turn off debug using undebug all, or just u all.

SanJose1#undebug all
All possible debugging has been turned off

The Hello and Dead intervals are declared in Hello packet headers. In order for OSPF
routers to establish a relationship, their Hello and Dead intervals must match.

Configure the SanJose2 and SanJose3 Hello and Dead timers to match the timers on
SanJose1. Before continuing, verify that these routers can now communicate by checking
the OSPF neighbor table.

Step 6.
No unauthorized routers should be exchanging updates within Area 0. Adding encrypted
authentication to each OSPF packet header can prevent this. Select message digest
(MD5) authentication. This mode of authentication sends a message digest, or hash, in
place of the password. OSPF neighbors must be configured with the same message
digest key number, encryption type, and password in order to authenticate using the
hash.
To configure a message digest password for SanJose1 to use on its Ethernet interface,
use these commands:

SanJose1(config)#interface fastethernet 0/0
SanJose1(config-if)#ip ospf message-digest-key 1 md5 7 itsasecret
SanJose1(config-if)#router ospf 1
SanJose1(config-router)#area 0 authentication message-digest

After entering these commands, wait 20 seconds, and then issue the show ip ospf
neighbor command on SanJose1.

9. Does SanJose1 still show that it has OSPF neighbors?

Use the debug ip ospf events command to determine why SanJose1 does not see
its neighbors:

SanJose1#debug ip ospf events
OSPF events debugging is on
SanJose1#
00:49:32: OSPF: Send with youngest Key 1
SanJose1#
00:49:33: OSPF: Rcv pkt from 192.168.31.33, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type 0, we use type 2
00:49:33: OSPF: Rcv pkt from 192.168.31.22, FastEthernet0/0 : Mismatch Authentication type. Input packet specified type , we use type 2
SanJose1#u all
All possible debugging has been turned off

Again, it is seen that OSPF routers will not communicate unless certain configurations
match. In this case, the routers are not communicating because the authentication fields
in the OSPF packet header are different.

Correct this problem by configuring authentication on the other two routers. Remember
that the same key number, encryption type, and password must be used on each router.
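Both failures seen in Steps 5 and 6 are receive-side checks that an OSPF router applies to every Hello before it treats the sender as a neighbor. The Python model below is an added example, not code from the lab or from Cisco: it builds a minimal OSPFv2 Hello, runs the checks of RFC 2328 section 10.5 (area, network mask, Hello and Dead intervals, authentication type) with output phrased like the debug lines above, and implements the cryptographic authentication of RFC 2328 Appendix D, in which the MD5 digest is computed over the packet followed by the 16-byte key and appended after the packet. Zero-padding a shorter key string to 16 bytes is an assumption of this model, the packet checksum is left at zero, and the constant-time digest comparison is the defender's choice rather than something the lab specifies. Router IDs, timers and the key string itsasecret are the lab's own values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import ip_address

AUTH_NULL, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2       # OSPF AuType values


@dataclass
class HelloParams:
    area: int
    hello: int
    dead: int
    mask: str
    auth_type: int


def hello_mismatches(local, rcvd):
    """RFC 2328 10.5 receive checks on a broadcast network, phrased like the IOS debug lines."""
    reasons = []
    if rcvd.area != local.area:
        reasons.append(f"Area R {rcvd.area} C {local.area}")
    if rcvd.auth_type != local.auth_type:      # checked before any Hello field is trusted
        reasons.append("Mismatch Authentication type. Input packet specified type "
                       f"{rcvd.auth_type}, we use type {local.auth_type}")
        return reasons
    if (rcvd.mask, rcvd.hello, rcvd.dead) != (local.mask, local.hello, local.dead):
        reasons.append(f"Mismatched hello parameters: Dead R {rcvd.dead} C {local.dead}, "
                       f"Hello R {rcvd.hello} C {local.hello} Mask R {rcvd.mask} C {local.mask}")
    return reasons


def build_hello(router_id, area, mask, hello, dead, priority=1,
                auth_type=AUTH_NULL, key_id=0, seq=0):
    """Minimal OSPFv2 Hello: 24-byte header plus 20-byte body with no neighbours listed.
    With AuType 2 the auth field carries key id, digest length (16) and a sequence number."""
    body = ip_address(mask).packed + struct.pack("!HBBI", hello, 0x02, priority, dead) + b"\0" * 8
    auth = struct.pack("!HBBI", 0, key_id, 16, seq) if auth_type == AUTH_CRYPTO else b"\0" * 8
    header = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body), ip_address(router_id).packed,
                         struct.pack("!I", area), 0, auth_type)   # checksum left zero (model)
    return header + auth + body


def parse_hello(pkt):
    _, _, _, _, area, _, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    hello, _, _, dead = struct.unpack("!HBBI", pkt[28:36])
    return HelloParams(area=struct.unpack("!I", area)[0], hello=hello, dead=dead,
                       mask=str(ip_address(pkt[24:28])), auth_type=autype)


def _key16(key):
    return key.ljust(16, b"\0")[:16]            # assumption: short keys zero-padded to 16 bytes


def md5_sign(pkt, key):
    """Append the RFC 2328 D.4.3 digest: MD5 over the packet followed by the 16-byte key."""
    return pkt + hashlib.md5(pkt + _key16(key)).digest()


def md5_verify(signed, key):
    pkt, digest = signed[:-16], signed[-16:]
    return hmac.compare_digest(hashlib.md5(pkt + _key16(key)).digest(), digest)


def accept_hello(local, key, signed):
    """Receiver side: (accepted, reasons). Parameter checks run first, then the digest."""
    length = struct.unpack("!H", signed[2:4])[0]   # a trailing digest is not counted in length
    reasons = hello_mismatches(local, parse_hello(signed[:length]))
    if reasons:
        return False, reasons
    if local.auth_type == AUTH_CRYPTO and not md5_verify(signed, key):
        return False, ["message digest does not verify with the key configured here"]
    return True, []


# Constructed receiver configurations: SanJose1 after Step 6, and a router with no authentication.
SANJOSE1 = HelloParams(area=0, hello=5, dead=20, mask="255.255.255.0", auth_type=AUTH_CRYPTO)
PLAIN = HelloParams(area=0, hello=5, dead=20, mask="255.255.255.0", auth_type=AUTH_NULL)
KEY = b"itsasecret"

if __name__ == "__main__":
    unauthenticated = build_hello("192.168.31.33", 0, "255.255.255.0", 5, 20)
    print(accept_hello(SANJOSE1, KEY, unauthenticated))
```

Note the order: a Hello with the wrong AuType is rejected before its timers are even looked at, which is why the Step 6 debug shows only the authentication message and not the timer comparison.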

After the configurations are complete, verify that the routers can communicate by using
the show ip ospf neighbor command.

SanJose1#show ip ospf neighbor

Neighbor ID     Pri   State      Dead Time   Address        Interface
192.168.31.33   1     FULL/DR    00:00:16    192.168.1.3    FastEthernet0/0
192.168.31.22   1     FULL/BDR   00:00:15    192.168.1.2    FastEthernet0/0

Step 7.
Save the configurations to NVRAM. These configurations will be used to begin the next
lab. At the conclusion of each lab, it is recommended that each router’s configuration file
be copied and saved for future reference.

2.6.2: Examining the DR/BDR Election Process

[Diagram: SanJose1 (Lo0 192.168.31.11 /32, Fa0/0 192.168.1.1 /24), SanJose2 (Lo0 192.168.31.22 /32, Fa0/0 192.168.1.2 /24) and SanJose3 (Lo0 192.168.31.33 /32, Fa0/0 192.168.1.3 /24) connected by Ethernet in Area 0]

Objective
In this lab, the student will observe the OSPF DR and BDR election process using debug
commands. Then the student will assign each OSPF interface a priority value to force the
election of a specific router as a DR.

Scenario
The backbone of International Travel Agency’s enterprise network consists of three
routers connected via an Ethernet core. SanJose1 has more memory and processing
power than the other core routers. Unfortunately, other core routers are continually
elected as the DR under the default settings. In the interest of optimization, it is
necessary that SanJose1 be elected the DR. It is best suited to handle associated extra
duties, including management of Link State Advertisements (LSA) for Area 0. This lab
will show how to investigate and solve this problem.

Step 1.
Build and configure the network according to the diagram. Configure OSPF on all
Ethernet interfaces. A switch or hub is required to connect the three routers via Ethernet.
Be sure to configure each router with the loopback interface and IP address shown in the
diagram.

Use ping to verify and test connectivity between the Ethernet interfaces.

1-1 Routing Section 2: OSPF – Lab 2.6.2 Copyright © 2002, Cisco Systems, Inc.
Step 2.
Use the show ip ospf neighbor detail command to verify that the OSPF routers
have formed adjacencies:

SanJose3#show ip ospf neighbor detail

Neighbor 192.168.31.11, interface address 192.168.1.1
In the area 0 via interface FastEthernet0/0
Neighbor priority is 1, State is FULL, 12 state changes
DR is 192.168.1.3 BDR is 192.168.1.2
Options 2
Dead timer due in 00:00:17
Index 2/2, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec
Neighbor 192.168.31.22, interface address 192.168.1.2
In the area 0 via interface FastEthernet0/0
Neighbor priority is 1, State is FULL, 6 state changes
DR is 192.168.1.3 BDR is 192.168.1.2
Options 2
Dead timer due in 00:00:15
Index 1/1, retransmission queue length 0, number of retransmission 5
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 1, maximum is 1
Last retransmission scan time is 0 msec, maximum is 0 msec

1. Which router is the DR? Why?

2. Which router is the BDR? Why?

Recall that router IDs determine the DR and BDR.

Step 3.
If the network is configured according to the diagram, SanJose1 will not be the DR. It is
decided to temporarily shut down SanJose3, which has the highest router ID
(192.168.31.33), and to observe the DR/BDR election process. To observe the election,
issue the following debug command on SanJose1:

SanJose1#debug ip ospf adj

Now that OSPF adjacency events will be logged to SanJose1’s console, remove
SanJose3 from the OSPF network by shutting down its FastEthernet interface:

SanJose3(config)#interface fastethernet 0/0
SanJose3(config-if)#shutdown

Watch the debug output on SanJose1:

SanJose1#
00:48:47: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:48:47: OSPF: Neighbor change Event on interface FastEthernet0/0
00:48:47: OSPF: DR/BDR election on FastEthernet0/0
00:48:47: OSPF: Elect BDR 192.168.31.11
00:48:47: OSPF: Elect DR 192.168.31.22
00:48:47: OSPF: Elect BDR 192.168.31.11
00:48:47: OSPF: Elect DR 192.168.31.22
00:48:47: DR: 192.168.31.22 (Id) BDR: 192.168.31.11 (Id)
00:48:47: OSPF: Remember old DR 192.168.31.33 (id)
00:48:47: OSPF: End of hello processing

3. Who is elected DR? Why?

The former BDR is promoted to DR.

In the debug output, look for a statement about remembering the ‘old DR’. Unless
SanJose1 and SanJose2 are powered off, they will remember that SanJose3 was the old
DR. When SanJose3 comes back online, these routers will allow SanJose3 to reassume
its role as DR:

SanJose1#
00:51:32: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:51:32: OSPF: End of hello processing
00:51:33: OSPF: Rcv hello from 192.168.31.33 area 0 from FastEthernet0/0 192.168.1.3
00:51:33: OSPF: 2 Way Communication to 192.168.31.33 on FastEthernet0/0, state 2WAY
00:51:33: OSPF: Neighbor change Event on interface FastEthernet0/0
00:51:33: OSPF: DR/BDR election on FastEthernet0/0
00:51:33: OSPF: Elect BDR 192.168.31.11
00:51:33: OSPF: Elect DR 192.168.31.33
00:51:33: DR: 192.168.31.33 (Id) BDR: 192.168.31.11 (Id)
00:51:33: OSPF: Send DBD to 192.168.31.33 on FastEthernet0/0 seq 0x21CF opt 0x2 flag 0x7 len 32
00:51:33: OSPF: Send with youngest Key 1
00:51:33: OSPF: Remember old DR 192.168.31.22 (id)
00:51:33: OSPF: End of hello processing

Step 4.
At this point, SanJose1 should have assumed the role of BDR. Bring SanJose3 back
online, and observe the new election process.

4. SanJose3 will assume its former role as DR. Who is elected BDR? Why?

SanJose1 remains the BDR even though SanJose2 has the higher router ID.

Step 5.
The router can be manipulated to become the DR using two methods. The router ID
could be changed to a higher number, but that could confuse the loopback addressing
system and affect elections on other interfaces. The same router ID is used for every
network that a router is a member of. For example, if an OSPF router has an
exceptionally high router ID, it could win the election on every multiaccess interface and,
as a result, do triple or quadruple duty as a DR.

Instead of reconfiguring router IDs, manipulate the election by configuring OSPF priority
values. Because priorities are an interface specific value, they provide better control of
the OSPF internetwork. They allow a router to be the DR in one network and a DRother
in another. Priority values are the first consideration in the DR election with the highest
priority winning. Values can range from 0-255. A value of zero (0) indicates that the
interface will not participate in an election. Use the show ip ospf interface
command to examine the current priority values of the Ethernet interfaces on the three
routers:

SanJose1#show ip ospf interface

FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.1.1/24, Area 0
Process ID 1, Router ID 192.168.31.11, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 192.168.31.33, Interface address 192.168.1.3
Backup Designated router (ID) 192.168.31.11, Interface address 192.168.1.1
Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
Hello due in 00:00:03
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 192.168.31.33 (Designated Router)
Adjacent with neighbor 192.168.31.22
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

5. What is the priority value of these interfaces?

The default priority is one (1). Because all have equal priority, router ID is used to
determine the DR and BDR.

Modify the priority values so that SanJose1 will become the DR and SanJose2 will
become the BDR, regardless of their router ID. To do this use the following commands:

SanJose1(config)#interface fastethernet 0/0
SanJose1(config-if)#ip ospf priority 200

SanJose2(config)#interface fastethernet 0/0
SanJose2(config-if)#ip ospf priority 100

In order to reset the election process, write each router’s configuration to NVRAM and
reload SanJose1, SanJose2, and SanJose3. Issue the following commands at each
router:

SanJose1#copy running-config startup-config
SanJose1#reload

When the routers finish reloading, try to observe the OSPF election on SanJose1 by
using the debug ip ospf adj command. Also verify the configuration by issuing the
show ip ospf interface command at both SanJose1 and SanJose2.

SanJose1#debug ip ospf adj
00:01:20: OSPF: Rcv hello from 192.168.31.22 area 0 from FastEthernet0/0 192.168.1.2
00:01:20: OSPF: Neighbor change Event on interface FastEthernet0/0
00:01:20: OSPF: DR/BDR election on FastEthernet0/0
00:01:20: OSPF: Elect BDR 192.168.31.22
00:01:20: OSPF: Elect DR 192.168.31.11
00:01:20: DR: 192.168.31.11 (Id) BDR: 192.168.31.22 (Id)
00:01:20: OSPF: End of hello processing

SanJose2#show ip ospf interface

FastEthernet0/0 is up, line protocol is up
Internet Address 192.168.1.2/24, Area 0
Process ID 1, Router ID 192.168.31.22, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 100
Designated Router (ID) 192.168.31.11, Interface address 192.168.1.1
Backup Designated router (ID) 192.168.31.22, Interface address 192.168.1.2
Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
Hello due in 00:00:03
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 1
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 2, Adjacent neighbor count is 2
Adjacent with neighbor 192.168.31.33
Adjacent with neighbor 192.168.31.11 (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1

After the election is complete, verify that SanJose1 and SanJose2 have assumed the
correct roles by using the show ip ospf neighbor detail command. Troubleshoot,
if necessary.

SanJose3#show ip ospf neighbor detail

 Neighbor 192.168.31.22, interface address 192.168.1.2
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 100, State is FULL, 6 state changes
    DR is 192.168.1.1 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:17
    Index 2/2, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec
 Neighbor 192.168.31.11, interface address 192.168.1.1
    In the area 0 via interface FastEthernet0/0
    Neighbor priority is 200, State is FULL, 6 state changes
    DR is 192.168.1.1 BDR is 192.168.1.2
    Options 2
    Dead timer due in 00:00:19
    Index 1/1, retransmission queue length 0, number of retransmission 2
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

Note that the order in which routers join an area can be the most significant factor affecting which
routers are elected as DR and BDR. An election is necessary only when a DR or BDR does not
exist in the network. As a router starts its OSPF process, it checks the network for an active DR
and BDR. If they exist, the new router becomes a DRother, regardless of its priority or router ID.
Remember, the roles of DR and BDR were created for efficiency. New routers in the network
should not force an election when adjacencies are already optimized. However, there is an
exception. A known bug in some IOS versions allows a 'new' router with higher election
credentials to force an election and assume the role of DR.
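The election rules described in this lab (rank by priority, then by router ID; no election while a DR and BDR already exist, so a newcomer becomes DRother) can be modelled to predict roles before touching the routers. The following Python script is an added example, not part of the Cisco lab and not IOS code. It replays the lab's routers (SanJose3 is assumed to keep the default priority of 1, which the lab does not state) and adds a constructed fourth router with priority 255 to show that it does not preempt the established DR.

```python
"""Simplified model of the OSPF DR/BDR election discussed above.

Added example; it is not Cisco's code or the lab's own material. It models
three behaviours: candidates are ranked by priority and then by router ID
(higher wins, priority 0 is ineligible); a router joining a segment that
already has a DR and a BDR becomes a DRother whatever its credentials; and
when the DR is lost the BDR is promoted and a new BDR is elected.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class Router:
    router_id: str
    priority: int = 1          # IOS default priority; 0 = never DR/BDR

    def key(self):
        """Election ranking: priority first, router ID breaks ties."""
        return (self.priority, int(IPv4Address(self.router_id)))


@dataclass
class Segment:
    routers: List[Router] = field(default_factory=list)
    dr: Optional[Router] = None
    bdr: Optional[Router] = None

    def _best(self, exclude=()):
        candidates = [r for r in self.routers
                      if r.priority > 0 and r not in exclude]
        return max(candidates, key=Router.key, default=None)

    def elect(self):
        """Fresh election, as after all routers reload together."""
        self.dr = self._best()
        self.bdr = self._best(exclude=(self.dr,))

    def join(self, router):
        """A router starts OSPF on the segment; returns the role it takes."""
        self.routers.append(router)
        if self.dr is None and self.bdr is None:
            self.elect()                                  # nobody holds the roles
        elif self.bdr is None:
            self.bdr = self._best(exclude=(self.dr,))     # fill only the vacancy
        # DR and BDR both present: no election, the newcomer is a DRother
        return self.role(router)

    def lose(self, router):
        """A router leaves; if it was DR the BDR is promoted, then a BDR is elected."""
        self.routers.remove(router)
        if router is self.dr:
            self.dr, self.bdr = self.bdr, None
        elif router is self.bdr:
            self.bdr = None
        if self.dr is not None and self.bdr is None:
            self.bdr = self._best(exclude=(self.dr,))
        return self.dr, self.bdr

    def role(self, router):
        if router is self.dr:
            return "DR"
        if router is self.bdr:
            return "BDR"
        return "DRother"


def lab_scenario():
    """SanJose1 (priority 200), SanJose2 (priority 100) and SanJose3 (assumed
    default priority 1) reload together; afterwards a constructed router with
    priority 255 joins the segment. Returns (DR id, BDR id, newcomer's role)."""
    seg = Segment([Router("192.168.31.11", 200),
                   Router("192.168.31.22", 100),
                   Router("192.168.31.33", 1)])
    seg.elect()
    newcomer = Router("192.168.31.44", 255)      # constructed, not in the lab
    newcomer_role = seg.join(newcomer)
    return seg.dr.router_id, seg.bdr.router_id, newcomer_role


if __name__ == "__main__":
    print(lab_scenario())
```

The model deliberately does not implement the IOS bug mentioned above; a router that preempts an established DR is exactly the behaviour `join` refuses, which makes the script a useful baseline when checking `show ip ospf neighbor` output against expectations.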

2.6.3: Configuring Point-to-Multipoint OSPF Over Frame Relay

[Topology diagram: SanJose3 (Fa0/0 192.168.1.3 /24, S0/0 192.168.192.1 /24) is the hub, with a PVC over Frame Relay to London (S0/0 192.168.192.2 /24, Fa0/0 192.168.200.1 /24) and a second PVC to Singapore (S0/0 192.168.192.4 /24, Fa0/0 192.168.232.1 /24). The serial cloud is 192.168.192.0 /24 and all routers are in AREA 0. In the first diagram an Adtran Atlas 550 (ports 1/1, 1/2 and 2/2) is the Frame Relay switch; SanJose3 uses DLCI 18 towards London and DLCI 16 towards Singapore, and both London and Singapore use DLCI 16.]

Alternate:

[Topology diagram: same addressing and AREA 0, but a router configured as the Frame Relay switch (S0/0 towards SanJose3, S0/1 towards London, S0/2 towards Singapore). SanJose3 uses DLCI 18 and DLCI 16, London uses DLCI 16 and Singapore uses DLCI 17.]

Objective

In this lab, OSPF will be configured as a point-to-multipoint network type so that it
operates efficiently over a hub-and-spoke Frame Relay topology.

Scenario
International Travel Agency has just connected two regional headquarters to San Jose
using Frame Relay in a hub-and-spoke topology. OSPF routing is to be configured over
this type of network, which is known for introducing complications into OSPF adjacency
relationships. To avoid these complications, manually override the Non-Broadcast Multi-Access
(NBMA) OSPF network type and configure OSPF to run as a point-to-multipoint
network. In this environment, no DR or BDR is elected.

Step 1.
Cable the network according to the diagram. Note: This lab requires another router or
device to act as a Frame Relay switch. The first diagram assumes that an Adtran Atlas
550 will be used, which is preconfigured. The second diagram assumes that a router will
be configured with at least three serial interfaces as a Frame Relay switch. See the
configuration at the end of this lab for an example of how to configure a router as a
Frame Relay switch. If desired, copy the configuration to a 2600 router for use in this lab.

Configure each FastEthernet interface on each router as shown, but leave the serial
interfaces and OSPF routing unconfigured for now. If necessary, loopback interfaces can
be assigned to each router. Be sure the loopback interfaces are unique within that
network.

Until Frame Relay is configured, ping will not be able to test connectivity.

Step 2.
SanJose3 acts as the hub in this hub-and-spoke network. It reaches London and
Singapore via two separate PVCs. Configure Frame Relay on the SanJose3 serial 0
interface as follows:

SanJose3(config)#interface serial 0/0
SanJose3(config-if)#encapsulation frame-relay ietf
SanJose3(config-if)#ip address 192.168.192.1 255.255.255.0
SanJose3(config-if)#no shutdown
SanJose3(config-if)#frame-relay map ip 192.168.192.2 18 broadcast
SanJose3(config-if)#frame-relay map ip 192.168.192.4 16 broadcast
SanJose3(config-if)#ip ospf network point-to-multipoint

Notice that this configuration includes frame-relay map commands, which are
typically used with Frame Relay subinterfaces. These commands are needed here so
that Frame Relay can be configured to handle broadcast traffic with the broadcast
keyword. Without this configuration, OSPF multicast traffic will not be forwarded correctly
over this Frame Relay topology.

Configure London’s serial interface; use IETF encapsulation:

London(config)#interface serial 0/0
London(config-if)#encapsulation frame-relay ietf
London(config-if)#ip address 192.168.192.2 255.255.255.0
London(config-if)#no shutdown
London(config-if)#frame-relay map ip 192.168.192.1 16 broadcast
London(config-if)#frame-relay map ip 192.168.192.4 16 broadcast
London(config-if)#ip ospf network point-to-multipoint

Finally, configure Singapore’s serial interface:

Singapore(config)#interface serial 0/0
Singapore(config-if)#encapsulation frame-relay ietf
Singapore(config-if)#ip address 192.168.192.4 255.255.255.0
Singapore(config-if)#no shutdown
Singapore(config-if)#frame-relay map ip 192.168.192.1 17 broadcast
Singapore(config-if)#frame-relay map ip 192.168.192.2 17 broadcast
Singapore(config-if)#ip ospf network point-to-multipoint

Verify Frame Relay operation with a ping from each router to the other two. Use show
frame-relay pvc and show frame-relay map to troubleshoot connectivity
problems. Rebooting the Frame Relay switch might also solve connectivity issues.

SanJose3#show frame-relay pvc

PVC Statistics for interface Serial0/0 (Frame Relay DTE)

              Active     Inactive      Deleted       Static
  Local          2            0            0            0
  Switched       0            0            0            0
  Unused         0            0            0            0

DLCI = 16, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0

  input pkts 91             output pkts 76           in bytes 13322
  out bytes 14796           dropped pkts 10          in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0          out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 50         out bcast bytes 9808
  pvc create time 00:38:04, last time pvc status changed 00:01:18

DLCI = 18, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0

  input pkts 61             output pkts 57           in bytes 10786
  out bytes 14076           dropped pkts 4           in FECN pkts 0
  in BECN pkts 0            out FECN pkts 0          out BECN pkts 0
  in DE pkts 0              out DE pkts 0
  out bcast pkts 30         out bcast bytes 8940
  pvc create time 00:48:17, last time pvc status changed 00:03:31

SanJose3#show frame-relay map

Serial0/0 (up): ip 192.168.192.2 dlci 18(0x12,0x420), static,
              broadcast,
              IETF, status defined, active
Serial0/0 (up): ip 192.168.192.4 dlci 16(0x11,0x410), static,
              broadcast,
              IETF, status defined, active
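When a spoke cannot form an OSPF adjacency over Frame Relay, the two things to confirm in show frame-relay map are that every mapping carries the broadcast keyword (otherwise OSPF multicast is not forwarded, as explained in Step 2) and that the PVC behind it is active. The following Python script is an added example, not from the Cisco lab and not IOS code. It parses the map output, including the indented continuation lines IOS prints, and reports mappings that cannot carry OSPF hellos. The sample output is constructed in the style of the SanJose3 output above, with the second mapping deliberately missing broadcast and the third pointing at an inactive PVC.

```python
"""Parse 'show frame-relay map' and flag mappings that will break OSPF.

Added example, not from the Cisco lab. The sample output below is
constructed in the style of the SanJose3 output above: the second mapping
deliberately lacks the broadcast keyword and the third points at an
inactive PVC, the two faults this step asks you to troubleshoot."""
import re
from dataclasses import dataclass

SAMPLE_MAP_OUTPUT = """\
Serial0/0 (up): ip 192.168.192.2 dlci 18(0x12,0x420), static,
              broadcast,
              IETF, status defined, active
Serial0/0 (up): ip 192.168.192.4 dlci 16(0x11,0x410), static,
              IETF, status defined, active
Serial0/0 (up): ip 192.168.192.5 dlci 19(0x13,0x430), static,
              broadcast,
              IETF, status defined, inactive
"""

ENTRY_RE = re.compile(
    r"^(?P<intf>\S+) \((?P<link>\w+)\): ip (?P<peer>\d+\.\d+\.\d+\.\d+) "
    r"dlci (?P<dlci>\d+)\([^)]*\),\s*(?P<flags>.*)$")


@dataclass
class FrameRelayMap:
    interface: str
    link_state: str
    peer: str
    dlci: int
    broadcast: bool
    encapsulation: str
    pvc_status: str


def parse_frame_relay_map(text):
    """Join IOS's indented continuation lines, then parse each mapping."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()   # continuation of the previous map
        else:
            entries.append(raw.strip())
    maps = []
    for entry in entries:
        m = ENTRY_RE.match(entry)
        if not m:
            raise ValueError("unrecognised map line: " + entry)
        # flags look like: static, broadcast, IETF, status defined, active
        flags = [f.strip() for f in m.group("flags").split(",") if f.strip()]
        encap = "IETF" if "IETF" in flags else ("CISCO" if "CISCO" in flags else "unknown")
        maps.append(FrameRelayMap(m.group("intf"), m.group("link"),
                                  m.group("peer"), int(m.group("dlci")),
                                  "broadcast" in flags, encap, flags[-1]))
    return maps


def ospf_map_problems(maps, expected_encap="IETF"):
    """One message per mapping that cannot carry OSPF hellos as configured."""
    problems = []
    for fm in maps:
        where = f"{fm.interface} dlci {fm.dlci} -> {fm.peer}"
        if not fm.broadcast:
            problems.append(f"{where}: no broadcast keyword, OSPF multicast "
                            "will not be forwarded over this PVC")
        if fm.pvc_status != "active":
            problems.append(f"{where}: PVC status is {fm.pvc_status}")
        if fm.encapsulation != expected_encap:
            problems.append(f"{where}: encapsulation {fm.encapsulation}, "
                            f"expected {expected_encap}")
    return problems


if __name__ == "__main__":
    for problem in ospf_map_problems(parse_frame_relay_map(SAMPLE_MAP_OUTPUT)):
        print(problem)
```

Because all three routers in this lab use IETF encapsulation, the encapsulation check defaults to IETF; pass expected_encap="CISCO" when checking a network that uses Cisco encapsulation.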

Step 3.
Configure OSPF to run over this point-to-multipoint network. Issue the following
commands at the appropriate router:

London(config)#router ospf 1
London(config-router)#network 192.168.200.0 0.0.0.255 area 0
London(config-router)#network 192.168.192.0 0.0.0.255 area 0

SanJose3(config)#router ospf 1
SanJose3(config-router)#network 192.168.1.0 0.0.0.255 area 0
SanJose3(config-router)#network 192.168.192.0 0.0.0.255 area 0

Singapore(config)#router ospf 1
Singapore(config-router)#network 192.168.232.0 0.0.0.255 area 0
Singapore(config-router)#network 192.168.192.0 0.0.0.255 area 0

Verify the OSPF configuration by issuing the show ip route command at each of the
routers:

London#show ip route

Gateway of last resort is not set

     192.168.192.0/24 is variably subnetted, 3 subnets, 2 masks
C       192.168.192.0/24 is directly connected, Serial0/0
O       192.168.192.1/32 [110/64] via 192.168.192.1, 00:06:49, Serial0/0
O       192.168.192.4/32 [110/128] via 192.168.192.1, 00:06:49, Serial0/0
C    192.168.200.0/24 is directly connected, FastEthernet0/0
O    192.168.232.0/24 [110/129] via 192.168.192.1, 00:06:49, Serial0/0
     192.168.204.0/32 is subnetted, 1 subnets
O    192.168.1.0/24 [110/65] via 192.168.192.1, 00:06:50, Serial0/0

If each router has a complete table, including routes to 192.168.1.0 /24, 192.168.200.0
/24, and 192.168.232.0 /24, OSPF has been successfully configured to operate over
Frame Relay.

Test these routes by pinging the FastEthernet interfaces of each router from London’s
console.

Finally, issue the show ip ospf neighbor detail command at any router console:

SanJose3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.200.1     1   FULL/  -        00:01:35    192.168.192.2   Serial0/0
192.168.232.1     1   FULL/  -        00:01:51    192.168.192.4   Serial0/0

SanJose3#show ip ospf neighbor detail

 Neighbor 192.168.200.1, interface address 192.168.192.2
    In the area 0 via interface Serial0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options 2
    Dead timer due in 00:01:41
    Index 2/2, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
 Neighbor 192.168.232.1, interface address 192.168.192.4
    In the area 0 via interface Serial0/0
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 0.0.0.0 BDR is 0.0.0.0
    Options 2
    Dead timer due in 00:01:56
    Index 1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

1. Is there a DR for this network? Why or why not?

There is no DR. Point-to-multipoint configuration creates a logical multiaccess network
over physical point-to-point links. Because each router has only one physical neighbor,
only one adjacency can be formed. No efficiency would be realized by electing a DR.

Router as Frame Relay Switch Configuration

The following example can be used to configure a router as the Frame Relay switch.

Frame-Switch#show run
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Frame-Switch
!
ip subnet-zero
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
frame-relay switching
!
process-max-time 200
!
interface Serial0/0
no ip address
no ip directed-broadcast
encapsulation frame-relay
clockrate 56000
cdp enable
frame-relay intf-type dce
frame-relay route 16 interface Serial0/2 17
frame-relay route 18 interface Serial0/1 16
!
interface Serial0/1
no ip address
no ip directed-broadcast
encapsulation frame-relay
clockrate 56000
cdp enable
frame-relay intf-type dce

frame-relay route 16 interface Serial0/0 18
!
interface Serial0/2
no ip address
no ip directed-broadcast
encapsulation frame-relay
clockrate 56000
cdp enable
frame-relay intf-type dce
frame-relay route 17 interface Serial0/0 16
!
interface Serial0/3
no ip address
no ip directed-broadcast
shutdown
!
ip classless
no ip http server
!
line con 0
password cisco
login
transport input none
line aux 0
line vty 0 4
password cisco
login
!
no scheduler allocate
end
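A router acting as the Frame Relay switch only passes traffic on a PVC when both directions are switched: the frame-relay route on the incoming port must have a mirror-image route on the outgoing port, and no (port, DLCI) pair may be switched twice. The following Python script is an added example, not from the Cisco lab and not IOS code. It reads the frame-relay route statements from a switch configuration (the route lines embedded below are copied from the Frame-Switch configuration above) and reports any PVC that is switched in only one direction or any DLCI that is routed more than once; the broken configuration in the test is constructed by dropping Singapore's return route.

```python
"""Consistency check for a router-as-Frame-Relay-switch configuration.

Added example, not from the Cisco lab. It reads the frame-relay route
statements of a switch configuration, such as the Frame-Switch config
above (the route lines below are copied from it), and verifies that every
incoming (interface, DLCI) is switched exactly once and that each route has
a matching return route, since a PVC is only usable when both directions
are switched."""
import re

# Route statements taken from the Frame-Switch configuration above
SWITCH_CONFIG = """\
interface Serial0/0
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 16 interface Serial0/2 17
 frame-relay route 18 interface Serial0/1 16
!
interface Serial0/1
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 16 interface Serial0/0 18
!
interface Serial0/2
 encapsulation frame-relay
 frame-relay intf-type dce
 frame-relay route 17 interface Serial0/0 16
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
ROUTE_RE = re.compile(r"^\s*frame-relay route (\d+) interface (\S+) (\d+)\s*$")


def parse_routes(config):
    """Return (in_interface, in_dlci, out_interface, out_dlci) tuples."""
    routes, current = [], None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)          # route lines belong to this stanza
            continue
        m = ROUTE_RE.match(line)
        if m and current is not None:
            routes.append((current, int(m.group(1)), m.group(2), int(m.group(3))))
    return routes


def check_routes(routes):
    """Return a list of problems; an empty list means the switching is consistent."""
    problems = []
    table = {}
    for in_intf, in_dlci, out_intf, out_dlci in routes:
        if (in_intf, in_dlci) in table:
            problems.append(f"{in_intf} DLCI {in_dlci} is switched more than once")
        table[(in_intf, in_dlci)] = (out_intf, out_dlci)
    for (in_intf, in_dlci), (out_intf, out_dlci) in table.items():
        # the far end must switch the same DLCI straight back to us
        if table.get((out_intf, out_dlci)) != (in_intf, in_dlci):
            problems.append(f"{in_intf} DLCI {in_dlci} -> {out_intf} DLCI {out_dlci} "
                            "has no matching return route")
    return problems


def pvcs(routes):
    """The set of two-ended PVCs, each as a sorted pair of (interface, DLCI)."""
    return {tuple(sorted([(a, b), (c, d)])) for a, b, c, d in routes}


if __name__ == "__main__":
    routes = parse_routes(SWITCH_CONFIG)
    print("PVCs:", sorted(pvcs(routes)))
    print("problems:", check_routes(routes) or "none")
```

Run against the lab configuration the check reports no problems and two PVCs: Serial0/0 DLCI 18 to Serial0/1 DLCI 16 (SanJose3 to London) and Serial0/0 DLCI 16 to Serial0/2 DLCI 17 (SanJose3 to Singapore), which matches the DLCIs used in the frame-relay map commands of Step 2.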

3.7.1 Configuring EIGRP with IGRP

[Topology diagram: Singapore (Fa0/0 192.168.232.1 /24, S0/0 192.168.224.2 /30, S0/1 192.168.240.1 /30) connects to SanJose3 (S0/0 192.168.224.1 /30, Lo0 192.168.0.2/24, Fa0/0 192.168.1.3/24) in EIGRP AS 100 and to Auckland (S0/0 192.168.240.2 /30, Fa0/0 192.168.248.1/24) in IGRP AS 100.]

Objective

In this lab, the student will configure both EIGRP and IGRP within the International Travel
Agency WAN and observe the automatic sharing of route information between both
protocols.

Scenario
The International Travel Agency migrated from IGRP to EIGRP between its overseas
headquarters and its North American headquarters. However, the Auckland headquarters
is still unable to support EIGRP and must continue running IGRP for the time being.
EIGRP must be configured on the SanJose3 and Singapore routers so that they can
exchange information with the Auckland router.

Step 1.
Build and configure the network according to the diagram, but do not configure EIGRP or
IGRP yet.

Use ping to verify the work and test connectivity between serial interfaces. SanJose3
should be unable to ping Auckland until a routing protocol is enabled.

Step 2.

On the Auckland router, configure IGRP for AS 100:

Auckland(config)#router igrp 100
Auckland(config-router)#network 192.168.248.0
Auckland(config-router)#network 192.168.240.0

Because the Singapore router has to use IGRP to communicate with the Auckland router,
configure the Singapore router for IGRP, but only on the network connected via the serial
interface to Auckland.

Singapore(config)#router igrp 100
Singapore(config-router)#network 192.168.240.0

Step 3.

Configure EIGRP. In order to redistribute routes from IGRP to EIGRP automatically, use
the same AS number for each routing process. On the Singapore router, enter these
commands:

Singapore(config)#router eigrp 100
Singapore(config-router)#network 192.168.224.0
Singapore(config-router)#network 192.168.232.0

To complete the configuration, configure EIGRP on the SanJose3 router:

SanJose3(config)#router eigrp 100
SanJose3(config-router)#network 192.168.224.0
SanJose3(config-router)#network 192.168.0.0
SanJose3(config-router)#network 192.168.1.0

Step 4.
After enabling routing processes on each of the three routers, verify their operation using
the show ip route command on the Singapore router. The Singapore router should
have routes to all networks.

1. Based on the output of this command, which of the routes was learned via EIGRP?

2. Which route was learned via IGRP?

Now issue the show ip route command on the SanJose3 router, the EIGRP router.
The SanJose3 router received EIGRP routes that are internal to the EIGRP domain,
192.168.224.0. The SanJose3 router also received routes that are external to the
domain, 192.168.240.0 and 192.168.248.0. Notice that these routes are differentiated in
the table. Internally learned routes are marked with a D, and externally learned routes are
denoted by D EX.

3. What is the administrative distance of an internal EIGRP route?

4. What is the administrative distance of an external EIGRP route?

Now issue the show ip route command on the Auckland router, the IGRP router.

5. Does it tell which IGRP routes are internal and which are external based on the
information in this table?

6. What is the administrative distance of an IGRP route?

Step 5.
Now that EIGRP and IGRP are configured, use show commands to view EIGRP’s
neighbor and topology tables on the SanJose3 router.

From the SanJose3 router, issue the show command to view the neighbor table:

SanJose3#show ip eigrp neighbor

7. The Auckland router is not an EIGRP neighbor of the SanJose3 router. Why not?

To view the topology table, issue the show ip eigrp topology all-links
command.

8. How many routes are in passive mode?

To view more specific information about a topology table entry, use an IP address with
this command:

SanJose3#show ip eigrp topology 192.168.248.0

9. Based on the output of this command, does it tell what external protocol originated this
route to 192.168.248.0?

10. Does it tell which router originated the route?

Finally, use show commands to view key EIGRP statistics. On the SanJose3 router,
issue the show ip eigrp traffic command.

11. How many hello packets has the SanJose3 router received? How many has it sent?

3.7.2 Configuring EIGRP Fault Tolerance

[Topology diagram, EIGRP AS 100: Westamap (Fa0/0 192.168.72.1 /24, S0/0 192.168.64.2 /30, S0/1 192.168.64.6 /30) connects to SanJose1 (S0/0 192.168.64.1 /30, Fa0/0 192.168.1.1/24) and to SanJose2 (S0/0 192.168.64.5 /30, Fa0/0 192.168.1.2 /24); SanJose1 and SanJose2 share the 192.168.1.0 /24 LAN.]

Objective

In this lab, the student will configure EIGRP over a full mesh topology. The student will
observe DUAL replace a successor with a feasible successor after a link failure.

Scenario
The International Travel Agency wants to run EIGRP on its core, branch, and regional
routers. EIGRP is to be configured and tested for its ability to install alternate routes in
the event of link failure.

Step 1.
Build and configure the network according to the diagram, configuring EIGRP as
indicated for AS 100.

Check the bandwidth of each serial interface and change it to 1544 if necessary. Use the
show interface command to verify the configuration.

Use ping and show ip route to verify the work and test connectivity between all
routers.

Step 2.
Verify that EIGRP maintains all routes to destination networks in its topology table.
From the SanJose2 router, issue the show ip eigrp topology all-links
command:

SanJose2#show ip eigrp topology all-links

IP-EIGRP Topology Table for AS(100)/ID(192.168.64.5)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - Reply status

P 192.168.72.0/24, 1 successors, FD is 20514560, serno 10
        via 192.168.64.6 (20514560/28160), Serial0/0
        via 192.168.1.1 (20517120/20514560), FastEthernet0/0
P 192.168.64.0/30, 1 successors, FD is 21024000, serno 11
        via 192.168.64.6 (21024000/2169856), Serial0/0
P 192.168.64.0/24, 1 successors, FD is 20512000, serno 4
        via Summary (20512000/0), Null0
        via 192.168.1.1 (20514560/20512000), FastEthernet0/0
P 192.168.64.4/30, 1 successors, FD is 20512000, serno 3
        via Connected, Serial0/0
P 192.168.1.0/24, 0 successors, FD is Inaccessible, serno 0
        via 192.168.64.6 (21026560/2172416), Serial0/0

The SanJose2 router’s topology table includes two paths to the 192.168.72.0 network.
Use the show ip route command to determine which of the two is installed in
SanJose2’s routing table.

1. Which route is installed?

2. According to the output of the show ip eigrp topology all-links command,
what is the feasible distance (FD) for the route 192.168.72.0?

Both paths to 192.168.72.0 are listed in the topology table with their computed distance
and reported distance in parentheses. Computed distance is listed first.

3. What is the reported distance (RD) of the route to 192.168.72.0 via 192.168.1.1?

4. Is this RD greater than, less than, or equal to the route’s FD?

Step 3.
Use the debug eigrp fsm command to observe how EIGRP deals with the loss of a
successor to a route.

On the SanJose2 router, issue the command debug eigrp fsm.

Next, shut down or unplug the SanJose2 router's serial connection. This causes the
SanJose2 router to lose its preferred route to 192.168.72.0 via 192.168.64.6.
Examine the debug eigrp fsm output for information regarding the route to
192.168.72.0, as shown in the following example:

00:25:25: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:25:25: DUAL: Find FS for dest 192.168.72.0/24. FD is 20514560, RD is 20514560
00:25:25: DUAL:   192.168.64.6 metric 4294967295/4294967295
00:25:25: DUAL:   192.168.1.1 metric 20517120/20514560 not found Dmin is 20517120
00:25:25: DUAL: Dest 192.168.72.0/24 entering active state.
00:25:25: DUAL: Set reply-status table. Count is 1.
00:25:25: DUAL: Not doing split horizon
00:25:25: DUAL: dual_rcvreply(): 192.168.72.0/24 via 192.168.1.1 metric 20517120/20514560
00:25:25: DUAL: Count is 1
00:25:25: DUAL: Clearing handle 0, count is now 0
00:25:25: DUAL: Freeing reply status table
00:25:25: DUAL: Find FS for dest 192.168.72.0/24. FD is 4294967295, RD is 4294967295 found
00:25:25: DUAL: Removing dest 192.168.72.0/24, nexthop 192.168.64.6
00:25:25: DUAL: RT installed 192.168.72.0/24 via 192.168.1.1
00:25:25: DUAL: Send update about 192.168.72.0/24.  Reason: metric chg
00:25:25: DUAL: Send update about 192.168.72.0/24.  Reason: new if

The portion of the sample output beginning with "Find FS for dest 192.168.72.0/24" shows
DUAL attempting to locate a feasible successor (FS) for 192.168.72.0. In this case, DUAL
fails to find one, because the reported distance of the alternate path (20514560) is not
less than the feasible distance (20514560), and the router enters the active state. After
querying its EIGRP neighbors, SanJose2 locates and installs a route to 192.168.72.0/24
via 192.168.1.1.
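The feasibility condition that Steps 2 and 3 exercise (a path is a feasible successor only when its reported distance is strictly less than the feasible distance) can be checked against the topology table without waiting for a link to fail. The following Python script is an added example, not part of the Cisco lab and not IOS code. It replays SanJose2's entry for 192.168.72.0/24 using the (computed/reported) distances from the show ip eigrp topology all-links output above, models the loss of the successor, and, as a constructed second case, shows a table in which a feasible successor does exist and the route stays passive.

```python
"""DUAL successor and feasible-successor selection (added example, not
Cisco's code). Replays SanJose2's topology-table entry for 192.168.72.0/24
using the (computed/reported) distances shown above, then a constructed
table in which a feasible successor does exist."""

INFINITY = 4294967295   # EIGRP's unreachable metric, as in the debug output


def select(paths):
    """paths maps next_hop -> (computed_distance, reported_distance).

    Returns (feasible_distance, successors, feasible_successors). The
    feasibility condition is that a path's reported distance is strictly
    less than the feasible distance; equality is not enough."""
    if not paths:
        return INFINITY, [], []
    fd = min(cd for cd, _ in paths.values())
    successors = [nh for nh, (cd, _) in paths.items() if cd == fd]
    feasible = [nh for nh, (cd, rd) in paths.items()
                if nh not in successors and rd < fd]
    return fd, successors, feasible


def lose_successor(paths, fd, lost_next_hop):
    """Model the successor's metric going to infinity.

    Returns ("passive", next_hop) when a feasible successor is promoted
    locally with no query, or ("active", next_hop) when no feasible
    successor exists: the route goes active (the real router also resets
    its FD to infinity, as the debug output shows) and the best path
    learned from the neighbours' replies is installed."""
    remaining = {nh: v for nh, v in paths.items() if nh != lost_next_hop}
    feasible = [nh for nh, (_, rd) in remaining.items() if rd < fd]
    if feasible:
        return "passive", min(feasible, key=lambda nh: remaining[nh][0])
    best = min(remaining, key=lambda nh: remaining[nh][0], default=None)
    return "active", best


# SanJose2's two paths to 192.168.72.0/24 from the lab output
LAB_PATHS = {
    "192.168.64.6": (20514560, 28160),       # via Serial0/0 (successor)
    "192.168.1.1": (20517120, 20514560),     # via FastEthernet0/0
}

if __name__ == "__main__":
    fd, successors, feasible = select(LAB_PATHS)
    print("FD", fd, "successors", successors, "feasible successors", feasible)
    print(lose_successor(LAB_PATHS, fd, "192.168.64.6"))
```

For the lab's table the script reports no feasible successor and an active transition ending with 192.168.1.1 installed, which is exactly the sequence in the debug eigrp fsm output.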

Step 4.
Verify that the new route has been installed by using the show ip route command.

Bring the SanJose2 router serial interface back up. The route via 192.168.64.6 should be
restored as the preferred route to the 192.168.72.0 network.

3.7.3 Configuring EIGRP Summarization

[Topology diagram, EIGRP AS 100: Westasman (Fa0/0 172.16.8.1 /24; Lo0 172.16.9.1 /24, Lo1 172.16.10.1 /24, Lo2 172.16.11.1 /24, Lo3 172.16.12.1 /24, Lo4 172.16.13.1 /24, Lo5 172.16.14.1 /24, Lo6 172.16.15.1 /24; S0/0 192.168.64.2 /30, S0/1 192.168.64.6 /30) connects to SanJose1 (S0/0 192.168.64.1 /30, Fa0/0 172.16.1.1 /24) and to SanJose2 (S0/0 192.168.64.5 /30, Fa0/0 172.16.1.2 /24).]

Objective
In this lab, the student will configure EIGRP to test its operation over discontiguous
subnets by disabling automatic route summarization. (Discontiguous subnets are subnets
from one major network that are separated by a subnet, or subnets, from another major
network). Then the student will manually configure EIGRP to use specific summary
routes.

Scenario
The International Travel Agency uses VLSM to conserve IP addresses. All LANs are
addressed using contiguous subnets, but the company would like to examine the effects
of discontiguous subnets using EIGRP for future reference. The existence of multiple
networks is simulated by loopback interfaces on the Westasman router. The WAN links
are addressed using 192.168.64.0 with a 30-bit mask.

Because this scheme creates discontiguous subnets, the default summarization behavior
of EIGRP should result in incomplete routing tables. The problem should be resolved by
disabling EIGRP’s default summarization while maintaining a route summary at the
Westasman router with manual route summarization.
Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero (0). The ip subnet-zero command may need to be entered
depending on which IOS version is used. Configure the Westasman router with seven
loopback interfaces using the IP addresses from the diagram. These interfaces simulate
the existence of multiple networks behind the Westasman router. Configure EIGRP as
indicated for AS 100.

Use ping to verify that all serial interfaces can ping each other. Note: Until additional
configurations are performed, not all networks will appear in each router’s routing table.

Step 2.
Use show ip route to check SanJose1’s routing table.

1. Which routes are missing?

The SanJose1 router has installed a 'summary route' to network 172.16.0.0 /16 via Null0.
EIGRP routers create these summary routes automatically. Because the local router, in
this case the SanJose1 router, has generated the summary, there is no next hop for the
route. Therefore, the SanJose1 router maps this summary route to its null interface.

2. Look again at SanJose1’s routing table. What is the subnet mask for the route to
192.168.64.0?

Check Westasman’s routing table.

3. Which route is missing?

Examine SanJose2’s routing table.

4. Which routes are missing?

If these routing tables are to be complete, EIGRP must not automatically summarize
routes based on classful boundaries.

Step 3.
In this step, disable EIGRP’s automatic summarization feature.

On each router, issue these commands:

Westasman(config)#router eigrp 100
Westasman(config-router)#no auto-summary

After these commands are issued on all three routers, return to the SanJose1 router and
type the show ip route command.

5. What has changed in SanJose1’s routing table?

All three routers should now have complete routing tables.

Step 4.
Now that autosummarization is disabled, the International Travel Agency’s routers should
build complete routing tables. Unfortunately, this would mean that the Westasman router
would be advertising eight routes that should be summarized for efficiency. Use EIGRP’s
manual summarization feature to summarize these addresses.

The Westasman router should be advertising the existence of eight subnets:

172.16.8.0
172.16.9.0
172.16.10.0
172.16.11.0
172.16.12.0
172.16.13.0
172.16.14.0
172.16.15.0

The first 21 bits of these addresses are the same, so a summary route for all subnets can
be created using a /21 prefix, 255.255.248.0 in dotted-decimal notation.

Because the Westasman router must advertise the summary route to the SanJose1 and
SanJose2 routers, enter the following commands on the Westasman router:

Westasman(config)#interface s0/0
Westasman(config-if)#ip summary-address eigrp 100 172.16.8.0 255.255.248.0
Westasman(config-if)#interface s0/1
Westasman(config-if)#ip summary-address eigrp 100 172.16.8.0 255.255.248.0

These commands configure EIGRP to advertise summary routes for AS 100 via the serial
0 and 1 interfaces. Verify this configuration by issuing the show ip protocols
command.
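The /21 worked out above is the longest common prefix of the eight subnets, and because 8 x /24 is exactly one /21 the summary advertises no address space that Westasman does not own. The following Python script is an added example, not part of the Cisco lab and not IOS code. It computes the summary for any list of IPv4 subnets by the same arithmetic, reports how many addresses a summary would advertise beyond the real subnets (the over-summarization that attracts traffic for networks that do not exist), and emits the ip summary-address eigrp lines used in this step. It uses only the standard-library ipaddress module and assumes the subnets do not overlap.

```python
"""EIGRP manual summarization helper (added example, not from the Cisco lab).

Finds the single prefix that covers a set of subnets by the same longest
common prefix arithmetic used above, reports how much address space the
summary advertises beyond the real subnets (the over-summarization risk),
and builds the ip summary-address eigrp lines for the given interfaces.
Assumes IPv4, non-overlapping subnets, and uses only the standard-library
ipaddress module."""
import ipaddress


def common_prefix_summary(subnets):
    """Return the smallest IPv4 network that contains every subnet given."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    if not nets:
        raise ValueError("no subnets to summarize")
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Start at the shortest mask present and shorten it one bit at a time
    # until a single network built from the lowest address also covers the
    # highest address. strict=False zeroes the host bits for us.
    plen = min(n.prefixlen for n in nets)
    while plen > 0:
        candidate = ipaddress.ip_network((int(first), plen), strict=False)
        if last in candidate:
            return candidate
        plen -= 1
    return ipaddress.ip_network((int(first), 0), strict=False)


def summary_report(subnets):
    """Return (summary, exact_blocks, extra_addresses).

    exact_blocks is the minimal set of prefixes that covers the subnets
    with no extra space; extra_addresses counts how many addresses the
    single summary advertises that belong to none of the subnets. A value
    of 0 means the summary is exact, as it is for the eight /24s above."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    summary = common_prefix_summary(subnets)
    exact = list(ipaddress.collapse_addresses(nets))
    extra = summary.num_addresses - sum(n.num_addresses for n in nets)
    return summary, exact, extra


def ios_summary_commands(interfaces, asn, summary):
    """Build the interface-level commands the lab uses for the summary."""
    lines = []
    for intf in interfaces:
        lines.append(f"interface {intf}")
        lines.append(f" ip summary-address eigrp {asn} "
                     f"{summary.network_address} {summary.netmask}")
    return lines


# The eight Westasman subnets from the lab
LAB_SUBNETS = [f"172.16.{third}.0/24" for third in range(8, 16)]

if __name__ == "__main__":
    summary, exact, extra = summary_report(LAB_SUBNETS)
    print(summary, summary.netmask, "extra addresses:", extra)
    print("\n".join(ios_summary_commands(["s0/0", "s0/1"], 100, summary)))
```

When extra_addresses is not zero, exact_blocks lists the smaller set of summaries that would cover only the real subnets; advertising those instead avoids drawing traffic for unused space towards the summarizing router.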

6. Which metric is the Westasman router using for its address summarization?

After verifying manual address summarization on the Westasman router, check the
routing tables on the SanJose1 and SanJose2 routers.

7. What has happened in RTA's table since it was examined in Step 3?

From the SanJose1 or SanJose2 router, verify that 172.16.8.1 can be pinged.

172.16.15.1 should also be reachable by ping from the SanJose1 router.

8. Is there a route to 172.16.15.0 in the SanJose1 router’s routing table? Explain.

3.8.1 EIGRP Challenge Lab

[Topology diagram: Capetown (Lo0 192.168.216.1/24, S0/0 192.168.208.2/24) to SanJose3 (S0/0 192.168.208.1/24, S0/0 192.168.224.1/24, Lo0 192.168.1.3/24, Lo1 192.168.0.2/24) to Singapore (Lo0 192.168.232.1/24, S0/0 192.168.224.2/24, S0/0 192.168.240.1/24), all in EIGRP AS 100; Singapore to Auckland (S0/0 192.168.240.2/24, Lo0 192.168.248.1/24) in IGRP AS 100.]

Objective
In this lab, the student will configure an International Travel Agency EIGRP WAN link with
one IGRP segment within the same autonomous system. The student will also use
EIGRP interface summarization to reduce the number of routes in an EIGRP routing
table.

Scenario
The International Travel Agency is migrating from IGRP to EIGRP between its overseas
headquarters and its North American headquarters. Unfortunately, the Auckland
headquarters must continue running IGRP between itself and Singapore. To help reduce
the EIGRP routing table of the SanJose3 router, the Singapore router should be
configured to advertise only a summary of the Auckland addresses. This will cause both
the SanJose3 and Capetown routers to receive summaries of the Auckland address
space, which will result in smaller routing tables on both SanJose3 and Capetown.

Design Considerations
Before this lab is begun, it is recommended that each router be reloaded after its startup
configuration is erased. This prevents problems caused by residual configurations. It is
also recommended that the network be built and configured according to the diagram.
However, do not configure EIGRP or IGRP until the connectivity between directly
connected networks can be verified and tested. The respective loopback addresses
simulate local networks, so no physical connections for local Ethernet networks need to
be made.

Implementation Completion Tests

• A successful ping to every network interface from every router.

Capture Files/Printouts

After initial EIGRP and IGRP configuration, but before interface summarization, capture
or print the following output:

• show run and show ip route for each router.
• show ip eigrp neighbor of the SanJose3 and Singapore routers.
• show ip eigrp topology all-links of the SanJose3 and Singapore routers.

After interface summarization, capture or print the following output:

• show run and show ip route of the Singapore router.
• show ip route of the SanJose3 and Capetown routers.

Routing Resources

TCP/IP:

Academy Curriculum:
TCP/IP is a two level addressing scheme.
http://ccnp.netacad.net/prot-doc/curriculum/sem5sv_v2/en/ch2/2_1_1/index.html

CCO:
An overview on TCP/IP and Cisco’s implementation, as well as a brief look into
IP routing protocols. http://www.cisco.com/warp/public/535/4.html
A summary of addressing and subnetting with IP.
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cwhubs/starvwug/83428.htm
Information on configuring IP with Cisco IOS.
http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/tsc_r/54008.htm

Internet:
Extensive information on the tcp/ip protocol with almost everything you need
and many things you don’t need.
http://www.redbooks.ibm.com/pubs/pdfs/redbooks/gg243376.pdf
OSI model and TCP/IP model and how the two go together. Very good
descriptions without all the technical details.
http://mike.passwall.com/networking/netmodels/tcpip5layermodel.html
Q&A on TCP/IP. Find answers to various questions about the protocol.
http://www.geocities.com/SiliconValley/Vista/8672/network/
Article about tcp/ip with its history.
http://www.networkmagazine.com/article/NMG20000727S0022
Short summary on tcp/ip with descriptions of its layers and some properties
about the protocol. http://userpages.umbc.edu/~jack/ifsm498d/tcpip-intro.html
Tutorial about tcp/ip from the RFC. ftp://ftp.isi.edu/in-notes/rfc1180.txt
FAQ on TCP/IP, good for people that want to know what TCP/IP is if they have
no background on it. http://www.faqs.org/faqs/internet/tcp-ip/tcp-ip-faq/part1/



VLSM

Academy Curriculum:
Use more than one subnet mask in your network and maximize addressing
efficiency. http://ccnp.netacad.net/prot-doc/curriculum/sem5sv_v2/en/ch2/2_3_1/index.html

CCO:
A complete example of subnetting with VLSMs.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd20a.htm

Internet:
Very short description of VLSM and why it was made. Offers few details of the
actual subnetting procedures. Good read to find out what VLSM is.
http://www.faqs.org/faqs/cisco-networking-faq/section-37.html
Tutorial on subnet masking and VLSM. Good place to learn how to do
subnet masking with VLSM. http://www.wildpackets.com/compendium/IP/IP-VLSM.html
Extensive information on VLSM. Teaches how to do subnets, how the routing
works, problems associated with it, and some FAQs. Good place to learn VLSM
in detail. http://khimich.com/books/e-books/IP%20Addressing%20&%20Subnetting/69_ipad_ce_05.htm

Single-Area OSPF

Academy Curriculum:
Comparing the differences between RIP and OSPF. Configure single-area OSPF
on your router. http://ccnp.netacad.net/prot-doc/curriculum/sem5sv_v2/en/ch4/4_3_1/index.html

CCO:
Background and specifications of the OSPF routing protocol.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ospf.htm
A guide to configuring OSPF.
http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/advcfggd/ospf.htm



Internet:
Short summary on deploying single area OSPF. Very short reading.
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_rras-ch3_04e.htm

EIGRP

Academy Curriculum:
Let's take a look at EIGRP Fundamentals.
http://ccnp.netacad.net/prot-doc/curriculum/sem5sv_v2/en/ch6/6_1_1/index.html

CCO:
Background and a summary of EIGRP.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/en_igrp.htm
Detailed information on configuring EIGRP.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt2/1cfeigrp.htm

Internet:
Definition of EIGRP, for basic knowledge without the intricate details of
the protocol.
http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214442,00.html
Good summary of EIGRP with short but detailed descriptions of the various
parts of the protocol. Explains the parts of the packets and metrics very well.
http://www.rware.demon.co.uk/eigrp.htm
Short description of EIGRP and some commands and a simple comparison with
other routing protocols. http://www.routeru.com/arc/EIGRP/eigrp.htm

Copyright  2002, Cisco Systems, Inc. Routing: Resources 1-3


Section 1

WANs
Table of Contents

WANS ................................................................................................................................ 1
OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 5
1.1 REMOTE ACCESS ........................................................................................................................................ 6
1.1.1 WAN connection types ......................................................................................................................... 6
1.1.2 Dedicated connections......................................................................................................................... 8
1.1.3 Dedicated connections (cont’) ............................................................................................................ 10
1.1.4 Circuit-switched connections.............................................................................................................. 11
1.1.5 Asynchronous dialup connections....................................................................................................... 12
1.1.6 ISDN connections.............................................................................................................................. 14
1.1.7 Packet-switched networks .................................................................................................................. 15
1.1.8 WAN encapsulation protocols ............................................................................................................ 16
1.2 SELECTING APPROPRIATE WAN TECHNOLOGIES ......................................................................................... 18
1.2.1 Choosing a WAN connection.............................................................................................................. 18
1.2.2 Identifying site requirements and solutions.......................................................................................... 20
1.2.3 Central-site considerations ................................................................................................................ 21
1.2.4 Branch-office considerations.............................................................................................................. 22
1.2.5 Telecommuter-site considerations....................................................................................................... 23
1.3 SELECTING CISCO REMOTE ACCESS SOLUTIONS........................................................................................... 25
1.3.1 Routers............................................................................................................................................. 25
1.3.2 Determining the appropriate interfaces - fixed interfaces...................................................................... 27
1.3.3 Determining the appropriate interfaces - modular interfaces ................................................................ 28
1.4 ASSEMBLING AND CABLING WAN COMPONENTS......................................................................................... 30
1.4.1 Network Overview ............................................................................................................................. 30
1.4.2 Central site router equipment .............................................................. 31
1.4.3 Central site router equipment (cont’) .................................................................................................. 34
1.4.4 Branch office router equipment .......................................................................................................... 36
1.4.5 Telecommuter-site router equipment ................................................................................................... 40
1.5 CASE STUDY ............................................................................................................................................ 43
1.5.1 International Travel Agency (ITA) ...................................................................................................... 43
1.6 INTRODUCTORY LAB EXERCISES ................................................................................................................ 45
1.6.1 Getting started and building Start.TXT................................................................................................ 45
1.6.2 Capturing HyperTerminal and Telnet sessions..................................................................................... 45
1.6.3 Access control list basics and extended ping........................................................................................ 46
SUMMARY ..................................................................................................................................................... 47

1-2 Remote Access Section 1: WANs Copyright © 2002, Cisco Systems, Inc.
Overview

Figure 1 Typical Corporate Network Topology (figure labels: central site with
AAA server and modem; BRI, PRI, ISDN/analog and serial links; Frame Relay
service; branch office with BRI, serial and modem; async-connected Windows 98 PC)

This chapter covers various remote access technologies and considerations
that face an enterprise when it builds its corporate network. In addition, this
chapter shows how to connect remote sites via WAN connections. Finally, this
chapter explains which router platform to install and how to cable it,
depending on the environment.

Over the last several years, web-based applications, wireless devices, and virtual
private networking (VPN) have changed our expectations about computer
networks. Today's corporate networks are accessible virtually anytime from
anywhere with many users expecting some degree of access to their company's
network while at home or on the road.
Corporate networks are typically built around one central site that houses key
network resources. These resources include file servers, web servers, and e-mail
servers that deliver information and services to all users in a company. Such
services are readily accessible to central site users by way of the LAN. But how
will users working remotely gain access to these resources?
A networking professional provides users with remote access to the network.
Remote users may be working at branch offices or home offices, or they may
even be on the road with a laptop or a handheld mobile device. Essentially, a
remote user is any user who is not presently working at the company's central
site. Figure [1] presents several remote access solutions.
Remote access solutions come in all shapes and sizes. Each company's solution
typically involves a combination of varied WAN services. Most of these services
are obtained from a service provider, such as a regional telecommunications
company. Since the transmission facilities belong to a service provider, the task
is to select the appropriate service, not actually to design and maintain the WAN
facilities themselves.
Types of available WAN services and their costs vary depending on
geographical region and the provider. Real-world budgetary constraints and
service availability are often the overriding selection criteria.

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-3
In order to implement the most appropriate solution, the advantages and
disadvantages of the different types of WAN services must be understood. This
chapter surveys the general types of WAN connections and provides criteria to
use in selecting the service, or blend of services, best suited to the
organization's needs, budget, and geography. In addition, this chapter offers
guidelines for selecting the best remote access solution from the large number of
available products.

Objectives
After completing this chapter, the student will be able to perform tasks
relating to:

1.1 Remote Access

1.2 Selecting Appropriate WAN Technologies

1.3 Selecting Cisco Remote Access Solutions

1.4 Assembling and Cabling WAN Components

1.5 Case Study

1.6 Introductory Lab Exercises

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-5
1.1 Remote Access

1.1.1 WAN connection types

Figure 1 Remote Access Overview

Figure 2 Character Framing in Asynchronous Communication

Figure 3 WAN Connection Types

A WAN is a data communications network that covers a relatively broad
geographic area, often using transmission facilities leased from service providers
and telephone companies. As shown in Figure [1], WANs are used to connect
various users and devices so they can exchange information.
There are two basic methods of data communications: asynchronous
transmission and synchronous transmission. Typically, synchronous
communications are more efficient, but dial-up asynchronous transmission is
usually cheaper and more readily available.
Asynchronous Transmission
Asynchronous means "without respect to time." In terms of data transmission,
asynchronous means that no clock or timing source is needed to keep both the
sender and the receiver synchronized. Without the benefit of a clock, the sender
must signal the start and stop of each character so that the receiver knows when
to expect data.
Asynchronous transmission is often described as "character-framed" or
"start/stop" communication because this method frames each character with a
start and stop bit. Each character is typically a 7- or 8-bit value that can represent
a number, a letter, a punctuation mark, etc. Each character is preceded by a start
bit and followed by a stop bit, or in some cases, two stop bits (see Figure [2]).
An additional bit may be added for parity error checking prior to the first stop
bit.
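The start/stop framing just described, as an added example that is not part of the Cisco curriculum: a Python model that frames bytes with a start bit, 7 or 8 data bits, an optional parity bit and one or two stop bits, then decodes the bit stream and reports the parity and framing errors a UART would flag. The message, the single-bit noise helper `flip_bit` and the `overhead` function are constructed for the example.

```python
# Added example (not from the Cisco curriculum): a bit-level model of
# start/stop ("character-framed") asynchronous transmission as the text
# describes it. Each character goes out as: one start bit (0), 7 or 8 data
# bits least-significant bit first, an optional parity bit, then 1 or 2 stop
# bits (1). Between characters the line idles at 1 (mark). The message and
# the line-noise helper are constructed for this example.

from typing import List, Optional

def encode_char(value: int, data_bits: int = 8, parity: Optional[str] = None,
                stop_bits: int = 1) -> List[int]:
    """Line-level bits for one character (8N1 by default)."""
    if not 0 <= value < (1 << data_bits):
        raise ValueError(f"{value:#x} does not fit in {data_bits} data bits")
    if stop_bits not in (1, 2):
        raise ValueError("stop_bits must be 1 or 2")
    bits = [0]                                            # start bit
    bits += [(value >> i) & 1 for i in range(data_bits)]  # data, LSB first
    if parity == "even":
        bits.append(sum(bits[1:]) & 1)                    # total ones even
    elif parity == "odd":
        bits.append((sum(bits[1:]) & 1) ^ 1)              # total ones odd
    elif parity is not None:
        raise ValueError("parity must be 'even', 'odd' or None")
    bits += [1] * stop_bits                               # stop bit(s)
    return bits

def encode(data: bytes, **fmt) -> List[int]:
    """Frame a whole byte string character by character."""
    out: List[int] = []
    for b in data:
        out += encode_char(b, **fmt)
    return out

def decode(line: List[int], data_bits: int = 8, parity: Optional[str] = None,
           stop_bits: int = 1) -> List[dict]:
    """Recover characters from the bit sequence. Each entry carries the value
    plus the parity and framing error flags a UART would report."""
    frame_len = 1 + data_bits + (1 if parity else 0) + stop_bits
    chars: List[dict] = []
    i = 0
    while i < len(line):
        if line[i] == 1:            # idle mark between characters
            i += 1
            continue
        frame = line[i:i + frame_len]
        if len(frame) < frame_len:  # truncated trailing character
            break
        dbits = frame[1:1 + data_bits]
        value = sum(bit << k for k, bit in enumerate(dbits))
        pos = 1 + data_bits
        parity_error = False
        if parity:
            ones = sum(dbits) + frame[pos]
            parity_error = (ones % 2 == 1) if parity == "even" else (ones % 2 == 0)
            pos += 1
        # A stop bit that is not 1 means the receiver lost character alignment.
        framing_error = any(b != 1 for b in frame[pos:pos + stop_bits])
        chars.append({"value": value, "parity_error": parity_error,
                      "framing_error": framing_error})
        i += frame_len
    return chars

def flip_bit(line: List[int], index: int) -> List[int]:
    """Simulate line noise by inverting one transmitted bit."""
    noisy = list(line)
    noisy[index] ^= 1
    return noisy

def overhead(data_bits: int = 8, parity: Optional[str] = None, stop_bits: int = 1) -> float:
    """Fraction of line bits that carry data (8N1 -> 0.8, 8E2 -> 8/12)."""
    return data_bits / (1 + data_bits + (1 if parity else 0) + stop_bits)

if __name__ == "__main__":
    line = encode(b"OK", parity="even")                  # 8E1 framing
    print(len(line), "bits on the wire for 2 bytes")     # 22
    print(decode(line, parity="even"))
    print(decode(flip_bit(line, 3), parity="even"))      # parity error on 'O'
    print(decode(flip_bit(line, 10), parity="even"))     # framing error on 'O'
```

With 8E1 framing two bytes cost 22 line bits, so only 8 of every 11 bits carry data; that overhead is the efficiency cost the text contrasts with synchronous transmission. A single flipped data bit is caught by parity (two flipped bits in one character cancel and pass), while a corrupted stop bit shows up as a framing error.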
Synchronous Transmission
Synchronous means "with time." In terms of data transmission, "synchronous"
means that a common timing signal is used between hosts. A clock signal is
either embedded in the data stream or is sent separately to the interfaces.

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-7
If two hosts use a timing signal to "synch up," start and stop bits for every 8-bit
character value are not necessary. Instead, a large amount of data (e.g., hundreds
or even thousands of bytes) can be preceded by synchronization bits. For
example, in Ethernet a field of synchronization bits precedes the data payload.
This field of synchronization bits, called a preamble, forms a pattern of
alternating ones and zeros. The receiver uses this pattern to synchronize with the
sender.
Service providers offer a variety of synchronous and asynchronous WAN
services. These services can be grouped into three categories depending on their
connection type:
• dedicated connectivity
• circuit-switched networks
• packet-switched networks
Figure [3] illustrates these three different types of WAN connections. Each
connection type offers distinct advantages and disadvantages, which are
described in the following sections.

1.1.2 Dedicated connections

Figure 1 Dedicated Connections

Figure 2 Dedicated Serial Connections

A dedicated connection is a continuously available point-to-point link between
two sites. Dedicated connections typically carry high-speed transmissions.
Because of the expense associated with building and maintaining transmission
facilities, dedicated connections are almost always leased from the telephone
company or some other carrier network. Therefore, a dedicated connection is
often referred to as a leased line.
A point-to-point dedicated link provides a single, pre-established WAN path
from the customer premises, through a carrier network to a remote network
(refer to Figure [1]). A dedicated line is not actually a "line" at all. Dedicated
lines are switched circuits that establish a fixed path through the carrier network.
Leased lines are circuits that are reserved full-time by the carrier for the private
use of the customer. The private nature of a dedicated line allows an
organization to maximize its control over the WAN connection.
Leased lines also offer high speeds of up to 45 Mbps. Leased lines are ideal for
high-volume environments with steady-rate traffic patterns. However, because
the line is not shared, they tend to be more costly. The line charges accrue
whether or not traffic is being transmitted. Some services, such as T1, provide a
fixed fee for local-loop access for both locations, and then provide a distance fee
for linking those two locations.

If the organization's network must support a constant flow of mission-critical
data, such as e-commerce or financial transactions, then a high-speed leased line
might be suitable.
Dedicated leased lines typically require synchronous serial connections. Each
leased line connects to a synchronous serial port on the router, via a channel
service unit/data service unit (CSU/DSU) (refer to Figure [2]). Therefore, each
connection requires a router port and a CSU/DSU, in addition to the actual
circuit from the service provider. The cost of maintaining multiple leased lines
can add up quickly. For this reason, most companies find a fully meshed WAN
(i.e., every site maintains a connection to every other site), too costly to build
using only dedicated lines.

1.1.3 Dedicated connections (cont’)

Figure 1 Dedicated Serial Connections

A CSU/DSU is classified as a data communications equipment (DCE) device. A
DCE adapts the physical interface on a data terminal equipment (DTE) device to
the signaling used by the carrier network. A router is an example of a DTE
device.
The CSU/DSU provides signal timing for communication and is used for
interfacing with the digital transmission facility. Essentially, the CSU/DSU is
used by a router to connect to a digital line in much the same way that a PC uses
a modem to connect to an analog line.
Typical connections on a dedicated network may operate at the following
speeds:
• 56 kbps
• 64 kbps
• T1 (1.544 Mbps) US standard
• E1 (2.048 Mbps) European standard
• E3 (34.368 Mbps) European standard
• T3 (44.736 Mbps) US standard
Typically, a router's synchronous serial port connects to a DCE (e.g., a
CSU/DSU) using one of the following standards:
• EIA/TIA-232 (RS-232)
• EIA/TIA-449
• V.35
• X.21
• EIA-530
When connecting a DTE (for example, a router) to an analog modem,
EIA/TIA-232 compliant cabling and interfaces are typically used. First released over
30 years ago as RS-232, the EIA/TIA-232 standard is very common. However, it
provides relatively low transmission speeds (typically less than 64 kbps), and is
not appropriate for high-capacity dedicated lines. Today many synchronous
serial interfaces, such as T1, have the CSU/DSU integrated on the interface card.
This eliminates the need for a separate CSU/DSU.
When connecting a Cisco router to a T1/E1 or fractional T1/E1 via a CSU/DSU,
V.35 cabling and interfaces should be used as they are capable of much higher
throughput (over 2 Mbps).

1.1.4 Circuit-switched connections

Figure 1 Circuit Switched Connections

In a circuit-switched network, a dedicated physical circuit is temporarily
established for each communication session. Switched circuits are established by
an initial set-up signal. This call set-up process determines the caller's ID and the
destination's ID, as well as the connection type. A teardown signal brings the
circuit down when transmission is complete.
Plain old telephone service (POTS) is the most common circuit-switched
technology. With telephone service, the circuit doesn't exist until the call is
placed. Once the temporary circuit is built, it is fully dedicated to the call.
Although circuit switching is not as efficient as other WAN services, it is
extremely common and relatively reliable.
Circuit-switched connections provide mobile and home users with access to the
central site or to an Internet Service Provider (ISP). Corporate networks typically
use circuit-switched connections as backup links, or as primary links for branch
offices that exchange low-volume or periodic traffic. In such cases, a router must
route traffic over the switched circuit.

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-11
Anyone who pays a long-distance phone bill knows that circuit-switched
connections can be costly if left continuously established. For this reason,
routers connected to circuit-switched networks are configured to operate in a
specialized way, called dial-on-demand routing (DDR). A router configured for
DDR only places a call when it detects traffic defined by a network administrator
as "interesting." Interesting traffic also resets the idle timer that tears the
call down, so the definition should exclude periodic traffic such as routing
updates; otherwise the call never drops and the charges accrue as if the line
were permanent.
Typical circuit-switched connections include:
• Asynchronous Dialup (POTS)
• ISDN Basic Rate Interface (BRI)
• ISDN Primary Rate Interface (PRI)
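An added example, not from the Cisco curriculum, of how an "interesting traffic" definition drives a DDR link: the rule list stands in for an IOS dialer-list or access-list, the idle timer for `dialer idle-timeout`, and the packets, addresses and rules are all constructed. Running the same traffic through a narrow definition and an over-broad one shows why periodic protocols such as routing updates and NTP should be excluded: with the broad definition the router dials for a RIP broadcast and the NTP polls keep the call alive.

```python
# Added example (not from the Cisco curriculum): a minimal model of
# dial-on-demand routing. The rule list plays the part of an IOS
# dialer-list/access-list that defines "interesting" traffic and the idle
# timer plays the part of `dialer idle-timeout`; the packets, the rules and
# the addresses are constructed for this example.

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    t: float                    # arrival time, seconds
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" = interesting, "deny" = not interesting
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def is_interesting(rules: List[Rule], p: Packet) -> bool:
    """First match wins; an unmatched packet is not interesting (implicit deny)."""
    for r in rules:
        if r.matches(p):
            return r.action == "permit"
    return False

@dataclass
class DdrLink:
    rules: List[Rule]
    idle_timeout: float = 120.0             # seconds
    up_since: Optional[float] = None
    last_interesting: float = 0.0
    connected_seconds: float = 0.0
    log: List[str] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        """Tear the call down once no interesting traffic has been seen for idle_timeout."""
        if self.up_since is not None and now - self.last_interesting >= self.idle_timeout:
            down_at = self.last_interesting + self.idle_timeout
            self.connected_seconds += down_at - self.up_since
            self.log.append(f"{down_at:7.1f}s idle timeout, call torn down")
            self.up_since = None

    def offer(self, p: Packet) -> str:
        """Feed one packet to the link; returns dialed, forwarded or dropped."""
        self._expire(p.t)
        interesting = is_interesting(self.rules, p)
        if self.up_since is None:
            if not interesting:
                return "dropped"            # link down, nothing worth a call
            self.up_since = self.last_interesting = p.t
            self.log.append(f"{p.t:7.1f}s interesting {p.proto} to {p.dst}: dialing")
            return "dialed"
        if interesting:
            self.last_interesting = p.t     # only interesting traffic resets the timer
        return "forwarded"                  # uninteresting traffic still rides an up link

    def finish(self, now: float) -> float:
        """Close the accounting at `now`; returns total seconds the call was up."""
        self._expire(now)
        if self.up_since is not None:
            self.connected_seconds += now - self.up_since
            self.up_since = None
        return self.connected_seconds

def run(rules: List[Rule], packets: List[Packet], end: float,
        idle_timeout: float = 120.0) -> Tuple[List[str], float, List[str]]:
    link = DdrLink(rules, idle_timeout)
    outcomes = [link.offer(p) for p in packets]
    return outcomes, link.finish(end), link.log

# Narrow definition: routing updates (RIP, UDP/520) and NTP (UDP/123) never
# justify a call; TCP sessions to the branch do.
NARROW = [Rule("deny", "udp", 520), Rule("deny", "udp", 123), Rule("permit", "tcp")]
# Over-broad definition: everything is interesting.
BROAD = [Rule("permit")]

# Constructed traffic: a RIP update, a short web session, then only NTP polls.
PACKETS = [
    Packet(0.0, "udp", "10.1.1.1", "10.2.2.255", 520),
    Packet(5.0, "tcp", "10.1.1.20", "10.2.2.10", 80),
    Packet(60.0, "tcp", "10.1.1.20", "10.2.2.10", 80),
    Packet(300.0, "udp", "10.1.1.1", "10.2.2.5", 123),
    Packet(400.0, "udp", "10.1.1.1", "10.2.2.5", 123),
]

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("broad", BROAD)):
        outcomes, secs, log = run(rules, PACKETS, end=600.0)
        print(f"{name}: {outcomes}, {secs:.0f} s connected")
        print("\n".join(log))
```

On identical traffic the narrow definition keeps the call up for 175 seconds and the broad one for 400 seconds, and the broad one places a second call for nothing but NTP. The same mechanism is what makes unsolicited packets aimed at the remote network expensive: any packet that matches the interesting definition, whoever sent it, resets the timer.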

1.1.5 Asynchronous dialup connections

Figure 1 Asynchronous Dialup Connections

Figure 2 Asynchronous Dialup Connection

Figure 3 Asynchronous Dialup Connection

Asynchronous serial connections offer inexpensive WAN service via the existing
telephone network. In order for digital devices, such as computers and routers, to
use analog telephone lines, modems are required at each end of the connection
(refer to Figure [1]). Modems convert digital data signals to analog signals that
can be transported over the telephone company's local loops asynchronously.
While this is convenient, modems have one overwhelming drawback: they do not
provide high throughput. Today's modems provide transmission speeds of only
56 kbps or less.
Because modems can be used with virtually any phone line, mobile and home
users often rely on asynchronous serial connections to connect to a corporate
network or ISP. An end user can easily initiate and tear down a call using
software that controls the modem.
Routers can also use asynchronous serial connections to route traffic using DDR.
Because modems do not support high transmission speeds, asynchronous serial
connections are typically used as backup links (refer to Figure [2]) or for load
sharing (refer to Figure [3]).
Some routers are designed with dozens of asynchronous lines to support a large
number of dial-in users. Routers that act as concentration points for dial-in and
dial-out calls are called access servers. Throughout this course, the term "access
server" will be used to refer to a router with at least one asynchronous interface.
Because an access server answers calls from anyone on the public telephone
network, dial-in users should be authenticated (for example, against the AAA
server shown in the Overview figure) before they are given access to the LAN.
To place or receive an asynchronous serial call, a router must have at least one
asynchronous serial interface, such as the AUX (auxiliary) port, which connects
to a modem (typically external).

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-13
1.1.6 ISDN connections

Figure 1 Circuit-Switched ISDN Connections

Integrated Services Digital Network (ISDN) connections are typically
synchronous dial-up connections. Like asynchronous dial-up connections, ISDN
provides WAN access when needed, rather than providing a permanent link.
ISDN offers more bandwidth than asynchronous dial-up connections, and is
designed to carry data, voice, and other traffic across a digital telephone
network. ISDN is commonly used with DDR to provide remote access for small
office/home office (SOHO) applications, backup links, and load sharing.
ISDN offers two levels of service, BRI and PRI (illustrated in the figure). With
BRI, there are two channels, called B channels, designed to carry data. A third
channel, called the D channel, is used to send call set-up and teardown signals.
When both B channels are used together to send data, ISDN BRI yields 128 kbps
(more than twice the top speed of POTS).
With PRI, there are 23 B channels on T1 used in North America and Japan.
There are 30 B channels on E1 used in Europe and other parts of the world. PRI
employs a single D channel as well.
ISDN BRI requires straight through cables with RJ-45 connections. ISDN PRI
requires crossover cables with RJ-48 connections for T1 and DB-15 connections
for E1.

1.1.7 Packet-switched networks

Figure 1 Packet-Switched Connections

Figure 2 Virtual Circuits

Unlike leased lines and circuit-switched connections, packet switching does not
rely on a dedicated, point-to-point connection through the carrier network.
Instead, data packets are routed across the carrier network based on addressing
contained in the packet or frame header. This means that packet-switched WAN
facilities can be shared with other customers, which allows service providers to
support multiple customers over the same physical lines and switches. Typically,
customers connect to the packet-switched network via a leased line, such as a T1
or fractional T1.
In a packet-switched network, the provider configures its switching equipment to
create virtual circuits (VCs) that supply end-to-end connectivity (refer to Figure
[1]). Frame Relay is the most common packet-switched WAN service in the
United States, although the older X.25 remains a prominent packet-switching
technology worldwide.
Packet-switched networks offer an administrator less control than a point-to-
point connection. However, the cost of a packet-switched VC is generally less
than that of a leased line because the WAN facilities are shared. VCs can be
permanent, or they can be built on demand.

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-15
A Frame Relay VC offers speeds of up to T3, making this packet-switched
technology a high-speed, cost-effective alternative to leased lines. As well, a
single synchronous serial connection can support several logical VCs in a point-
to-multipoint configuration (refer to Figure [2]). This process of combining
multiple data conversations into a single physical line is called multiplexing.
Multiplexing in a packet-switched network is made possible because a DTE
(usually a router) encapsulates the packet with addressing information. The
provider's switches use the addressing to determine how and where to deliver a
specific packet. In the case of Frame Relay, these addresses are data-link
connection identifiers, or DLCIs. The ability to multiplex means that a single router
port and CSU/DSU can support dozens of VCs each leading to a different site.
Therefore, packet-switching makes a full- or partial-mesh topology relatively
affordable.
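The multiplexing just described, as an added example that is not from the Cisco curriculum: a parser for the two-byte Frame Relay address field that recovers the DLCI and the FECN/BECN/DE bits, and a demultiplexer that sorts frames from one serial port into their virtual circuits. The DLCI-to-site table, the site names and the sample frames are constructed; the bit layout follows ITU-T Q.922, and the 0x03/0xCC bytes are the UI control byte and the IP NLPID of RFC 2427.

```python
# Added example (not from the Cisco curriculum): parsing the two-byte Frame
# Relay address field (ITU-T Q.922) to demultiplex frames arriving on one
# physical serial port into their virtual circuits by DLCI. Bit layout,
# most-significant bit first:
#   byte 1: DLCI bits 9..4 | C/R | EA = 0
#   byte 2: DLCI bits 3..0 | FECN | BECN | DE | EA = 1
# The DLCI-to-site table and the sample frames are constructed; 0x03 is the
# Q.922 UI control byte and 0xCC the NLPID for IP (RFC 2427).

from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class FrAddress:
    dlci: int
    cr: bool      # command/response, passed through transparently
    fecn: bool    # congestion seen in the direction the frame travels
    becn: bool    # congestion seen in the opposite direction
    de: bool      # discard eligible when the network is congested

def parse_address(frame: bytes) -> FrAddress:
    if len(frame) < 2:
        raise ValueError("frame shorter than the 2-byte address field")
    b1, b2 = frame[0], frame[1]
    if (b1 & 0x01) != 0 or (b2 & 0x01) != 1:
        raise ValueError("only the 2-byte address format (EA bits 0,1) is handled")
    dlci = ((b1 >> 2) << 4) | (b2 >> 4)
    return FrAddress(dlci=dlci, cr=bool(b1 & 0x02), fecn=bool(b2 & 0x08),
                     becn=bool(b2 & 0x04), de=bool(b2 & 0x02))

def build_address(dlci: int, cr: bool = False, fecn: bool = False,
                  becn: bool = False, de: bool = False) -> bytes:
    if not 0 <= dlci <= 1023:
        raise ValueError("the 2-byte address field carries a 10-bit DLCI")
    b1 = ((dlci >> 4) << 2) | (0x02 if cr else 0)               # EA bit 0
    b2 = (((dlci & 0x0F) << 4) | (0x08 if fecn else 0)
          | (0x04 if becn else 0) | (0x02 if de else 0) | 0x01)  # EA bit 1
    return bytes([b1, b2])

def demux(frames: List[bytes], vc_map: Dict[int, str]) -> Dict[str, List[bytes]]:
    """Group the part after the address field by the site behind each DLCI.
    A DLCI with no configured VC is reported under 'unknown-dlci' rather than
    delivered anywhere."""
    out: Dict[str, List[bytes]] = {}
    for f in frames:
        site = vc_map.get(parse_address(f).dlci, "unknown-dlci")
        out.setdefault(site, []).append(f[2:])
    return out

def congestion_report(frames: List[bytes]) -> Dict[int, Dict[str, int]]:
    """Per-DLCI count of FECN/BECN/DE markings, the fields a router watches
    to decide whether a VC is being throttled by the provider."""
    report: Dict[int, Dict[str, int]] = {}
    for f in frames:
        a = parse_address(f)
        c = report.setdefault(a.dlci, {"fecn": 0, "becn": 0, "de": 0})
        c["fecn"] += a.fecn
        c["becn"] += a.becn
        c["de"] += a.de
    return report

VC_MAP = {102: "branch-east", 103: "branch-west", 104: "telecommuter"}
IP_HDR = b"\x03\xcc"   # Q.922 UI control + NLPID for IP

FRAMES = [
    build_address(102) + IP_HDR + b"to east",
    build_address(103, becn=True) + IP_HDR + b"to west",
    build_address(102, de=True) + IP_HDR + b"bulk copy, discard eligible",
    build_address(999) + IP_HDR + b"stray frame",
]

if __name__ == "__main__":
    print(build_address(102).hex())          # 1861
    print(demux(FRAMES, VC_MAP))
    print(congestion_report(FRAMES))
```

Each frame goes to the site configured for its DLCI; a frame carrying a DLCI with no configured VC is counted rather than delivered, which is the check a router applies before trusting a frame to a particular circuit. The BECN on DLCI 103 and the DE bit on DLCI 102 are the markings the provider uses to signal congestion and to choose which frames to drop first.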
Frame Relay is a popular WAN service for providing high-speed WAN
connections to branch offices and other remote sites. However, Frame Relay
does not offer the degree of reliability, flexibility, and security afforded by
dedicated lines. Despite Frame Relay's lower cost and multipoint capability,
dedicated lines are the preferred WAN service for mission-critical traffic and
continuous, high-volume exchanges. Note that the "security" of a dedicated line
is the privacy of a path reserved for one customer; neither a leased line nor a
Frame Relay VC encrypts traffic, so confidential data still needs protection
above Layer 2 (for example, the VPN technologies listed in section 1.2.4).

1.1.8 WAN encapsulation protocols

Figure 1 Typical WAN Protocols

Routers encapsulate packets with a Layer 2 frame before sending them across a
WAN link. Although there are several common WAN encapsulations, most have
similar anatomies. This is because the most common WAN encapsulations are
derived from High-Level Data Link Control (HDLC) and its forerunner
Synchronous Data Link Control (SDLC). Despite their similar structures, each
data link protocol specifies its own specific type of frame, which is incompatible
with other types. The Figure shows which common data link protocols are used
with each of the three WAN connection types.
By default, serial interfaces on a Cisco router are set to encapsulate packets
using HDLC. The interface must be manually configured for any other type of
encapsulation. The choice of encapsulation protocol depends on the WAN
technology and the communicating equipment that is being used. Common WAN
protocols include the following:
• PPP - Point-to-Point Protocol (PPP) is a standards-based protocol for
router-to-router and host-to-network connections over synchronous and
asynchronous circuits.
• Serial Line Internet Protocol (SLIP) - SLIP is the forerunner to PPP,
and is used for point-to-point serial connections using TCP/IP.
• High-Level Data Link Control (HDLC) - The ISO HDLC standard does not
define how upper-layer protocols are identified, so each vendor's HDLC
implementation is proprietary in this respect (Cisco's adds a protocol-type
field). Cisco HDLC is therefore typically used only when connecting
two Cisco devices. When connecting routers from different vendors,
PPP (which is standards-based) is used instead.
• X.25/LAPB - X.25 is an ITU-T standard that defines the way
connections between DTE and DCE devices are maintained for remote
terminal access and computer communications in public data networks.
X.25 provides extensive error-detection and windowing features because
it was designed to operate over error-prone analog copper circuits.
• Frame Relay - Frame Relay is a high-performance, packet-switched,
WAN protocol that can be used over a variety of network interfaces.
Frame Relay is streamlined to operate over highly reliable digital
transmission facilities.
• Asynchronous Transfer Mode (ATM) - ATM is an international
standard for cell relay, in which multiple service types (e.g., voice,
video, or data) are conveyed in fixed-length cells. ATM is designed to
take advantage of high-speed transmission media such as Synchronous
Optical Network (SONET).
PPP, X.25, and Frame Relay encapsulations are discussed at length in later
chapters.
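The common anatomy of these encapsulations, as an added example that is not from the Cisco curriculum: a Cisco HDLC frame and a PPP frame built field by field over the same payload and protected by the RFC 1662 FCS-16, plus a receiver that shows a frame in one encapsulation is not accepted by an interface configured for the other. The field constants are the documented values; the payload, the `receive` model and the `corrupt` helper are constructed, and the 0x7E flags and the stuffing that surround a frame on the wire are left out.

```python
# Added example (not from the Cisco curriculum): the shared anatomy of two
# of the encapsulations listed above. A Cisco HDLC frame and a PPP frame both
# carry an address byte, a control byte, a two-byte protocol field, the payload
# and a 16-bit frame check sequence (FCS). The FCS below is the PPP FCS-16 of
# RFC 1662 (CRC-16/X-25); the field constants are the documented ones. The
# 0x7E flags and octet/bit stuffing that surround a frame on the wire are left
# out, and the payload and the `receive` model are constructed for this example.

from typing import Optional, Tuple

def fcs16(data: bytes) -> int:
    """RFC 1662 FCS-16: reflected polynomial 0x8408, initial 0xFFFF, complemented."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

CISCO_HDLC_UNICAST = 0x0F      # Cisco HDLC address (0x8F for broadcast)
CISCO_HDLC_CONTROL = 0x00
CISCO_HDLC_IP = 0x0800         # Cisco HDLC uses Ethertype values as protocol codes
PPP_ADDRESS = 0xFF             # HDLC "all stations" address used by PPP
PPP_CONTROL = 0x03             # unnumbered information
PPP_IP = 0x0021                # PPP protocol number for IPv4

def cisco_hdlc_frame(payload: bytes, proto: int = CISCO_HDLC_IP) -> bytes:
    body = bytes([CISCO_HDLC_UNICAST, CISCO_HDLC_CONTROL]) + proto.to_bytes(2, "big") + payload
    return body + fcs16(body).to_bytes(2, "little")    # FCS sent least-significant byte first

def ppp_frame(payload: bytes, proto: int = PPP_IP) -> bytes:
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + proto.to_bytes(2, "big") + payload
    return body + fcs16(body).to_bytes(2, "little")

def receive(frame: bytes, encapsulation: str) -> Tuple[str, Optional[int], bytes]:
    """Model a serial interface configured for one encapsulation ('hdlc' or 'ppp').
    Returns (status, protocol, payload)."""
    if len(frame) < 6:
        return ("runt", None, b"")
    body, fcs_rx = frame[:-2], int.from_bytes(frame[-2:], "little")
    if fcs16(body) != fcs_rx:
        return ("crc-error", None, b"")           # corrupted in transit
    address, control = body[0], body[1]
    proto = int.from_bytes(body[2:4], "big")
    if encapsulation == "hdlc" and address in (0x0F, 0x8F) and control == 0x00:
        return ("ok", proto, body[4:])
    if encapsulation == "ppp" and address == PPP_ADDRESS and control == PPP_CONTROL:
        return ("ok", proto, body[4:])
    return ("encapsulation-mismatch", None, b"")  # e.g. PPP offered to an HDLC interface

def corrupt(frame: bytes, index: int) -> bytes:
    """Flip one bit of a frame to simulate a line hit."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    payload = b"\x45\x00\x00\x1c" + b"\x00" * 24     # constructed: an IPv4 header-sized blob
    h = cisco_hdlc_frame(payload)
    p = ppp_frame(payload)
    print(hex(fcs16(b"123456789")))                # 0x906e, the CRC-16/X-25 check value
    print(receive(h, "hdlc")[0], receive(p, "ppp")[0])               # ok ok
    print(receive(p, "hdlc")[0], receive(corrupt(h, 5), "hdlc")[0])  # encapsulation-mismatch crc-error
```

The two frames differ only in the address and control values (0x0F/0x00 versus 0xFF/0x03) and in the protocol numbering (Ethertype 0x0800 versus PPP 0x0021 for IPv4), which is why an encapsulation mismatch between the two ends of a serial link shows up as the interface discarding every frame rather than as CRC errors. fcs16(b"123456789") returns 0x906E, the published check value for CRC-16/X-25, a quick way to confirm the implementation before trusting it.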

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-17
1.2 Selecting Appropriate WAN
Technologies

1.2.1 Choosing a WAN connection

Figure 1 WAN Connections Summary

Figure 2 WAN Connection Speed Comparison

Figure 3 Cost Comparison of WAN Connections

Each WAN connection type has advantages and disadvantages. For example,
setting up a dialup asynchronous connection offers only limited bandwidth, but a
user can call into the office from anywhere over the existing telephone network.
In this case, throughput is sacrificed for convenience. This section examines the
factors that should be considered when selecting a WAN service.
Figure [1] compares applications for various types of WAN connections and
Figure [2] compares their potential bandwidth.
While every home user would like a T1 line run to their house, and every
administrator would like to run an OC-12 to all remote offices, the cost of
deploying such services so liberally would be prohibitive. A networking
professional must carefully gauge which connections require high-cost,
high-throughput links, and then spend accordingly. It is important to note that
WAN usage costs are typically 80 percent of a company's entire Information
Services budget. When possible, "shop around" for WAN services. If more than one
provider offers service it may be possible to purchase services at competitive
prices (refer to Figure [3]).
There are other important factors to consider when choosing a WAN service,
including ease of management, quality of service (QoS), and reliability. Leased
lines are easier to manage and configure than packet-switched connections. In
terms of QoS, some applications, such as Voice over IP (VoIP), require
guaranteed bandwidth, minimal delay, and high reliability, which can make
anything short of a leased line problematic.

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-19
1.2.2 Identifying site requirements and solutions

Figure 1 Company Sites

When selecting WAN services, a networking professional must evaluate the
needs of each site within a company. Individual worksites within a company can
be broadly categorized as one of the following: a central site, a branch office, or
a telecommuter site. The term "telecommuter site" applies to both mobile users
and small office/home office (SOHO) locations. These categorizations are
applied to the WAN depicted in the figure.

1.2.3 Central-site considerations

Figure 1 Central-Site Considerations

Figure 2 Cisco 3660 Modular Router

Copyright  2002, Cisco Systems, Inc. Remote Access Section 1: WANs 1-21
The central site is the focal point of a company's network (refer to Figure [1]).
Typically, all remote sites and users must connect to the central site to access
information, either intermittently or continuously. Because many users access
this site in a variety of ways, a central site's routers should have a modular
design so that interface modules can be added (or swapped out) as needed. The
chassis of a modular router allows installation of the interfaces needed to support
virtually any media type. Figure [2] illustrates the slots on a modular router, the
Cisco 3660. According to the example network as shown in Figure [1], the
central site's router must accommodate circuit-switched connections (e.g.,
ISDN/analog), packet-switched connections (e.g., Frame Relay), and could
feasibly have a dedicated line to the ISP.

1.2.4 Branch-office considerations

Figure 1 Branch Office Considerations

A branch office, commonly referred to as a remote site, typically maintains at
least one WAN connection to the central site, and may have several links to
other remote sites. Generally, branch-office networks support fewer users than
the central site, and therefore require less bandwidth.
Because remote-site traffic can be sporadic, or bursty, careful determination
should be made whether it is more cost-effective to offer a permanent or dialup
solution. The network depicted in the figure employs both: a Frame Relay
connection as a primary link, and an ISDN connection as a backup.
Telecommuters may also require access to the branch office through various
connection types. Therefore, the branch office routers should have the capability
to support a variety of WAN connections. Typical WAN solutions for
connecting the branch office to the central site include:
• Leased lines
• Frame Relay
• X.25
• ISDN
• DSL ([digital subscriber line] - This technology enables delivery of
high-speed data, voice, and multimedia over conventional telephone
wires. In order for a remote site to connect to the corporate network
without traversing the public Internet, DSL typically requires ATM at
the central site.)
• Wireless
• VPN ([Virtual Private Network] - This technology typically requires that
both sites are already connected to the public Internet.)

1.2.5 Telecommuter-site considerations

Figure 1 Telecommuter-Site Considerations

Over the past decade, the improvement of WAN technologies, notably DSL and
cable modems, has allowed many employees to do their jobs remotely. As a
result, the number of telecommuters and small offices has increased.
As with the corporate and branch office solutions, the telecommuter site's WAN
solution must be evaluated by weighing cost and bandwidth requirements.
An asynchronous dialup solution using the existing telephone network and an
analog modem is often the solution for telecommuters because it is easy to set up
and the telephone facilities are already installed. But if usage and bandwidth
requirements increase, other remote-access technologies should be considered.
Since mobile users must connect from many different locations, an asynchronous
dialup connection may be the only remote access solution that is consistently
available. Employees on the road can use their PCs with modems and the
existing telephone network to connect to the company.
Typical WAN connections employed at telecommuter sites include:
• Asynchronous dialup
• ISDN BRI
• Cable modems
• DSL
• Wireless and Satellite
• VPN

1.3 Selecting Cisco Remote Access
Solutions

1.3.1 Routers

Figure 1 Cisco Remote-Access Solutions

Figure 2 Remote-Access Options for Each Series of Router

Cisco offers access servers, routers, and other equipment that allow connection
to various WAN services. Figure [1] highlights some of the products that are
suited for the various company sites. Figure [2] lists the key features and WAN
options for each series of routers.

Web Links
Latest product information may be located at:
http://www.cisco.com

1.3.2 Determining the appropriate interfaces - fixed
interfaces

Figure 1 Determining the Appropriate Interfaces – Fixed Interfaces

The router selected for the WAN connection must offer the interfaces that will
support the WAN service, such as the following:
• Asynchronous serial - supports asynchronous dialup connections using
a modem.
• Synchronous serial - supports leased lines, Frame Relay, and X.25.
• High-speed serial interface (HSSI) - supports high-speed serial lines,
such as T3.
• BRI - supports ISDN BRI connections.
• T1 or E1 - supports connections such as leased lines, dialup, ISDN PRI,
and Frame Relay.
• DSL - supports Asymmetric Digital Subscriber Line (ADSL),
Symmetric DSL (SDSL), or ISDN DSL (IDSL) connections.
• ATM - supports ATM connections.
Some routers, such as the 2501, offer fixed interface configurations. A fixed
configuration is one that cannot be changed or upgraded. The advantage of a
fixed interface configuration is that WAN or LAN interface modules do not have
to be purchased separately. The number and type of interfaces are predetermined
for a specific model of router.
A fixed-configuration router may be appropriate for a small remote office or
telecommuter. In such cases, the flexibility afforded by a modular design may
not be worth additional expense and complexity. Instead, a fixed-configuration
router may offer the most affordable, and simplest, WAN solution for the small
office.

1.3.3 Determining the appropriate interfaces - modular
interfaces

Figure 1 Determining the Appropriate Interfaces – Modular Interfaces

Figure 2 Cisco 3660 Modular Router

Unlike a fixed-configuration router, a modular router allows adding, removing,
and swapping out interfaces to meet the needs of a growing network. Modular
routers and access servers are usually built with one or more slots that allow
customization of the interface configuration.
With a modular router, some or all of the interfaces on the router may be chosen
by installing various feature cards, network modules, or WAN interfaces.
Although modular routers require the purchase of each interface card separately,
they are more scalable than their fixed-configuration counterparts. For that
reason, modular routers are typically installed at large remote sites, and should
always be used at the central site. In the long run, it's cheaper to add new
interface modules rather than to replace an entire router.

1.4 Assembling and Cabling WAN
Components

1.4.1 Network Overview

Figure 1 An Example of WAN Topology

The figure presents three routers in a company's network: one at the central site,
one at the branch office, and one at a telecommuter site. Each of these sites has
different requirements in terms of bandwidth and availability. For example, the
central site requires a permanent high-speed connection to the Internet, while the
telecommuter site merely requires a switched connection for intermittent, low-
speed access to the rest of the network. The following sections examine the
specific requirements of each of the three sites in this example, and suggest
solutions appropriate to each.

1.4.2 Central site router equipment

Figure 1 An Example of WAN Topology

Figure 2 Cisco 3600 Series Router

Figure 3 Cisco AS 5300 Series Router

Figure 4 Cisco 7200 Series Router

In the example network (refer to Figure [1]), the central-site router must have the
following interfaces:
• ISDN PRI interface
• Asynchronous serial interface and modem for asynchronous calls
• Serial interface for Frame Relay connections
• Serial interface for the leased line to the ISP
• Ethernet interface to access resources on the central-site LAN
To meet the requirements of a central site, a modular router should be selected
that will allow for growth. Depending on the amount of growth expected and the
number of connections to be supported, a modular router from one of the
following series could be utilized:
• Cisco 3600 series - The Cisco 3600 series modular routers (refer to
Figure [2]) can provide dial access, routing, and LAN-to-LAN services
and multiservice integration of voice, video, and data in the same device.
The 3600 series replaces the legacy 4000 series routers. Like the newer
3600 series, Cisco 4000 series routers are modular and can support many
variations of protocols, line speeds, and transmission media.
• Cisco AS5x00 series - The Cisco AS5x00 series access servers (refer to
Figure [3]) combine the functions of an access server, a router, and
analog and digital modems in one chassis. They provide a high level of
scalability, and multiprotocol capabilities for both ISPs and enterprises.
• Cisco 7200 series - The Cisco 7200 series routers (refer to Figure [4])
allow for maximum scalability and flexibility, by combining high-
performance hardware and software with a modular design. The 7200
series supports any combination of Ethernet, Fast Ethernet, Token Ring,
Fiber Distributed Data Interface (FDDI), ATM, serial, ISDN, and
HSSI interfaces.

1.4.3 Central site router equipment (cont.)

Figure 1 An Example of WAN Topology

Figure 2 Cisco 3600 Series Router

For the central site (refer to Figure [1]), the 3600 series router makes the most
sense. For now, the central site only needs to support five interfaces. The 3600
series will provide the necessary scalability and support of Frame Relay, ISDN,
and asynchronous dialup through specialized interface modules.

The AS5x00 series offers a high-density dialup solution. But since the central
site does not require a large number of dialup interfaces, an AS5x00 solution
would be overkill and not cost-effective. Likewise, a 7200 series router would
probably offer more expandability and horsepower than necessary for so few
connections. The large chassis of this series would provide more scalability than
a 3600 series router, but unless the company is planning on significant short-
term growth, the 7200 may prove too costly a solution.
Of the three product series, the Cisco 3600 series offers the right combination of
scalability and affordability. With over 70 modular interface options, the 3600
series is often called the "Swiss Army knife" of routers, because of its versatility.
The 3600 series (refer to Figure [2]) includes the following models:
• The 3660 has six network module slots
• The 3640 has four network module slots
• The 3620 has two slots
An ideal solution for this example would be the 3640 router. The 3620 may not
provide enough interfaces as the network grows, and, although the 3660 would
provide maximum scalability, it will cost more. In order to serve our example
network, the 3640 can be equipped with the following interface cards:
• 1-Ethernet 2-WAN card slot network module - supports a single
Ethernet connection, as well as two WAN connections.
• 1-port CT1/PRI-CSU network module - provides the PRI interface.
• Digital modem network module - internal modem used in conjunction
with the PRI for dial-in connections. One digital modem network module
can support up to 30 Modem ISDN channel aggregation (MICA)
modems.
Optionally, a 4-port serial WAN network module could be added for Frame Relay
and, if needed, to connect an external modem. However, budgetary constraints
may dictate that the fourth slot remain open for future expansion.

1.4.4 Branch office router equipment

Figure 1 An Example of WAN Topology

Figure 2 Cisco 1600 Series Router

Figure 3 Cisco 1700 Series Router

Figure 4 Cisco 2500 Series Router

Figure 5 Cisco 2600 Series Router

In contrast to the central site solution, the branch-office router needs only one
primary WAN connection and a second WAN interface for dial backup (refer to
Figure [1]). The branch router must have the following interfaces:
• Serial interface for Frame Relay connections
• BRI interface for ISDN BRI
To meet the requirements of a branch office, either a modular router or a fixed-
configuration router could be selected. If the remote office will act as a WAN
hub for smaller offices, a 3600 series router may be needed; otherwise, an
access router from one of the following series may fit:
• Cisco 1600 Series [2] - The Cisco 1600 series routers are designed to
connect small offices with Ethernet LANs to the public Internet, and to a
company's internal intranet or corporate LAN through several WAN
connections such as ISDN, asynchronous serial, and synchronous serial.
The Cisco 1601 R - 1604 R models have an Ethernet port, a built-in
WAN port, and a slot for an optional second WAN port. The 1605 R
router has two Ethernet ports and one WAN slot.
• Cisco 1700 Series [3]- The Cisco 1700 router is a small, modular
desktop router that links small- to medium-size remote Ethernet and
FastEthernet LANs over one to four WAN connections to regional and
central offices.
• Cisco 2500 Series [4]- The Cisco 2500 series routers provide a variety
of models that are designed for branch office and remote site
environments. These routers are typically fixed-configuration with at
least two of the following interfaces: Ethernet, Token Ring, synchronous
serial, and ISDN BRI.
• Cisco 2600 Series [5]- The Cisco 2600 series of modular routers
features single or dual fixed LAN interfaces, a network module slot, two
Cisco WAN interface card (WIC) slots, and a new Advanced Integration
Module (AIM) slot. LAN support includes 10/100 Mbps autosensing
Ethernet and Token Ring. WAN interface cards support a variety of
serial, ISDN BRI, and integrated CSU/DSU options for primary and
backup WAN connectivity. The AIM slot supports integration of
advanced services such as hardware-assisted data compression and data
encryption for optimizing the 2600 series for VPNs. The Cisco 2600
series shares modular interfaces with the Cisco 1600, 1700, and 3600
series.
A 1600 series router with the appropriate WAN interface card may meet the
immediate WAN requirements of the branch office shown in Figure [1].
However, a more flexible solution, such as the 1700 series or 2600 series router,
may be needed if the company plans to implement Voice over IP (VoIP), or
allow telecommuters to dial in to the branch office. Also, the 1600 series routers
do not come with a FastEthernet interface, while the 1700 and 2600 series
routers do.
If the company has no immediate plans to offer expanded service, and a
FastEthernet connection is not necessary, a 1600 series router will make the most
cost-effective solution. The 1600 series includes the following:
• the 1601 (one Ethernet, one serial, one WAN interface card (WIC) slot)
• the 1602 (one Ethernet, one serial with integrated 56-kbps DSU/CSU,
one WIC slot)
• the 1603 (one Ethernet, one ISDN BRI (S/T interface), one WIC slot)
• the 1604 (one Ethernet, one ISDN BRI with integrated NT1 (U
interface), one S-bus port for ISDN phones, one WIC slot)
• and the 1605 (two Ethernet ports, one WIC slot)
In this case, the 1603 or 1604 routers would meet the branch site's ISDN BRI
requirement, and have a WAN slot for a serial interface that can be used for
Frame Relay.

1.4.5 Telecommuter-site router equipment

Figure 1 An Example of WAN Topology

Figure 2 Cisco 770 Series Router

Figure 3 Cisco 800 Series Router

Figure 4 Cisco 1000 Series Router

According to Figure [1], the telecommuter site should have an ISDN BRI
connection to the branch or central sites. The mobile user requires an
asynchronous dialup connection to the central site. Therefore, the telecommuter
WAN solutions must include the following interfaces:
• PC and modem for asynchronous dialup calls
• BRI interface for ISDN BRI
• Ethernet LAN interface
When selecting routers for a telecommuter site, cost is typically the primary
concern, especially since only minimal flexibility and scalability are required. In
most cases, a telecommuter-site solution would come from the following router
families:
• Cisco 700 Series (760 or 770) [2]- The Cisco 700M family products are
low-cost, easy-to-manage multiprotocol ISDN access routers. These
devices provide small professional offices, home offices, and
telecommuters with high-speed remote access to enterprise networks and
the Internet. However, the 700 series does not support the Cisco IOS.
• Cisco 800 Series [3]- The Cisco 800 Series router is the entry-level
platform that, unlike the 700 series, contains Cisco IOS technology. The
fixed-configuration 800 series is designed to connect a small Ethernet
LAN to a corporate network or ISP. Various models include support for
DSL, ISDN, and serial connections.
• Cisco 1000 Series [4]- The Cisco 1000 series routers are easy-to-install,
inexpensive, multiprotocol access products, designed for small offices.
This IOS-based series currently includes three models: the 1003 (1
Ethernet port, 1 ISDN BRI S/T interface), the 1004 (1 Ethernet port, 1
ISDN BRI U-interface), and the 1005 (1 Ethernet port, 1 serial port).
Models from each of these router families can provide the ISDN connection
required by the telecommuter site (refer to Figure [1]). (The dialup requirement
for the mobile user can be met by connecting a modem to the Windows PC.) The
Cisco 800 series might make the best choice for this telecommuter site, because
it is the most affordable series that supports ISDN and runs the feature-rich
Cisco IOS.

1.5 Case Study

1.5.1 International Travel Agency (ITA)

Figure 1 International Travel Agency, Inc.

Figure 2 ITA: Company Structure and Locations

[Topology diagram: the sites Singapore, San Jose1, San Jose2, London,
Capetown and a Sales Engineer are interconnected by POTS, ISDN and Frame
Relay links. Networks shown on the diagram: 192.168.0.0/24, 192.168.1.0/24,
192.168.8.0/24, 192.168.16.0/24, 192.168.192.0/24, 192.168.200.0/24,
192.168.216.0/24 and 192.168.232.0/24; the interface host numbers (.1 to .5)
cannot be matched to links from the extracted text.]

Figure 3 ITA: Company Topology

The labs in this course reference the fictitious International Travel Agency (ITA)
(refer to Figure [1]), which maintains a global data network (refer to Figures [2]
and [3]). The ITA business scenario provides a tangible, real-world application
for each of the concepts introduced in the labs.

1.6 Introductory Lab Exercises

1.6.1 Getting started and building Start.TXT

Lab Activity:

This lab introduces the CCNP lab equipment and some IOS features that might
be new. This introductory activity also describes how to use a simple text editor
to create all (or part) of a router configuration file. After creating a text
configuration file, apply that configuration to a router quickly and easily by
using the techniques described in this lab.

1.6.2 Capturing HyperTerminal and Telnet sessions

Lab Activity:

This activity describes how to capture HyperTerminal and Telnet sessions.

1.6.3 Access control list basics and extended ping

Figure 1 Access Control List Basics and Extended Ping

Lab Activity:

This lab activity reviews the basics of standard and extended access lists, which
are used extensively in the CCNP curriculum.

Summary

This chapter explored WAN connections and how to determine the requirements
of a central site, a branch office, and a telecommuter site. Cisco products to suit
the specific needs of each site, and how to use Cisco tools to select the proper
equipment, were also covered. In addition, the chapter identified the components
needed for central-site, branch-office, and small-office WAN solutions and
described how they are connected.

Section 2

Scaling IP Addresses
with NAT
Table of Contents

SCALING IP ADDRESSES WITH NAT ............................................................................. 1


OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
2.1 NAT OVERVIEW ........................................................................................................................................ 5
2.1.1 NAT terminology................................................................................................................................. 5
2.1.2 Private addressing .............................................................................................................................. 7
2.1.3 NAT terminology................................................................................................................................. 8
2.1.4 NAT functions ..................................................................................................................................... 9
2.2 CONFIGURING NAT .................................................................................................................................. 11
2.2.1 Dynamic NAT ................................................................................................................................... 11
2.2.2 Configuring dynamic NAT ................................................................................................................. 12
2.2.3 Dynamic NAT configuration example.................................................................................................. 13
2.2.4 Static NAT ........................................................................................................................................ 15
2.2.5 Configuring static NAT...................................................................................................................... 16
2.2.6 NAT overload ................................................................................................................................... 17
2.2.7 Configuring NAT overload................................................................................................................. 18
2.2.8 TCP load distribution ........................................................................................................................ 20
2.2.9 Configuring TCP load distribution ..................................................................................................... 21
2.2.10 TCP load distribution configuration example..................................................................................... 22
2.2.11 Overlapping networks...................................................................................................................... 23
2.3 VERIFYING NAT CONFIGURATION .............................................................................................................. 27
2.3.1 Verifying NAT translations................................................................................................................. 27
2.3.2 Troubleshooting NAT translations ...................................................................................................... 28
2.3.3 Clearing NAT translations ................................................................................................................. 29
2.4 NAT CONSIDERATIONS ............................................................................................................................. 30
2.4.1 NAT advantages................................................................................................................................ 30
2.4.2 NAT disadvantages............................................................................................................................ 31
2.4.3 Traffic types supported by Cisco......................................................................................................... 31
2.5 NAT CONFIGURATION LAB EXERCISES ....................................................................................................... 33
2.5.1 Configuring static NAT...................................................................................................................... 33
2.5.2 Configuring dynamic NAT ................................................................................................................. 34
2.5.3 Configuring NAT overload................................................................................................................. 35
2.5.4 Configuring TCP load distribution ..................................................................................................... 36
SUMMARY ..................................................................................................................................................... 37

1-2 Remote Access Section 2: Scaling IP Addresses with NAT Copyright  2002, Cisco Systems, Inc.
Overview

Figure 1 NAT

There is a limited supply of Internet Protocol (IP) version 4 addresses. In the
early 1990s, many experts believed that the supply of IP addresses would run out
(if the Internet didn't collapse under the weight of too many IP networks first).
Today, IPv4 no longer faces imminent address depletion thanks to new
technologies and enhancements. One of the technologies that has helped IPv4
stave off address depletion is Network Address Translation (NAT).
NAT, as defined in RFC 1631, is the process of swapping one address for
another in the IP packet header. In practice, NAT is used to allow privately-
addressed hosts to access the Internet.
NAT is particularly effective when connecting a small office or home office
(SOHO) to the corporate network. By using NAT, a company does not have to
allocate a "real" IP address for each of its remote users.
This chapter provides an overview of NAT, and describes how to configure NAT
functions, including: static NAT, dynamic NAT, NAT overload, and TCP load
distribution. Finally, we will discuss the drawbacks of NAT and how its
operation can be monitored using the Cisco IOS [1].

Objectives
After completing this chapter, the student will be able to perform tasks
relating to:

2.1 NAT Overview

2.2 Configuring NAT

2.3 Verifying NAT Configuration

2.4 NAT Considerations

2.5 NAT Configuration Lab Exercises

2.1 NAT Overview

2.1.1 NAT terminology

Figure 1 A Simple NAT Topology

Figure 2 A Simple NAT Topology

Figure 3 A Simple NAT Topology

Figure 4 A Simple NAT topology

Strictly speaking, NAT is the process of altering the IP header of a packet so that
the destination address, the source address, or both addresses are replaced in the
header by different addresses. This swapping process is performed by a device
running specialized NAT software or hardware. Such a NAT enabled device is
often called a NAT box because it can be a Cisco router, a UNIX system, a
Windows XP server, or several other kinds of systems.
A NAT enabled device typically operates at the border of a stub domain. A stub
domain is a network that has a single connection to the outside world. Figure [1]
presents a simple example of a stub domain. When a host inside the stub domain,
such as 10.1.1.6, wants to transmit to a host on the outside, it forwards the packet
to its default gateway. In this case, the host's default gateway is also the NAT
box.
The NAT process running on the router looks inside the IP header and, if
appropriate, replaces the local IP address with a globally unique IP address.
Figure [2] illustrates this address translation. RTA, the NAT router, determines
that the source IP address of the packet (10.1.1.6) should be swapped. In this
case, RTA replaces the private address with a global (real) address, 171.70.2.1.
RTA also keeps a record of this translation in a NAT translation table.
When an outside host sends a response (refer to Figure [3]), the NAT router
receives it, checks the current table of network address translations, and replaces
the destination address with the original inside source address (refer to Figure
[4]).
NAT translations can occur dynamically or statically, and can be used for a
variety of purposes, as described in the following sections.

2.1.2 Private addressing

Figure 1 Private IP Addresses

RFC 1918 sets aside three blocks of IP addresses--a Class A, a Class B, and a
Class C range--for private, internal use (see the figure). These three ranges
provide more than 17 million private addresses.
Public addresses must be registered by a company or leased from a provider. On
the other hand, private IP addresses are set aside to be used by anyone. That
means two networks, or two million networks, can each use the same private
address. The restriction is that private addresses cannot be used on the public
Internet. A private address cannot be used on the Internet because ISPs typically
configure their routers to prevent privately-addressed customer traffic from
being forwarded.
NAT provides tremendous benefits to individual companies and the Internet as
well. Before NAT, a host with a private address could not access the Internet.
With NAT, individual companies can address some or all of their hosts with
private addresses and then use NAT to access the public Internet. At the same
time, these hosts connect to the Internet without necessarily depleting its address
space.

2.1.3 NAT terminology

Figure 1 The Cisco Implementation of NAT Uses the Following Terms Related to
NAT

Figure 2 NAT Overview and Terminology

When configuring NAT using the Cisco IOS, it is critical to understand NAT
terminology (refer to Figure [1]), and in particular the following terms:
• Inside addresses - The set of networks that are subject to translation.
Inside addresses are typically RFC 1918 addresses, but they can be any
valid IP addresses.
• Outside addresses - All other addresses. Usually these are valid
addresses located on the Internet.
Inside addresses are associated with hosts inside the NAT boundary, regardless
of whether they are private (RFC 1918) or public addresses. Outside addresses
are typically Internet addresses, but in some cases they belong to hosts on the
company's own network that lie beyond the NAT boundary. There are two kinds
of inside addresses and two kinds of outside addresses.
• Inside local address - Configured IP address assigned to a host on the
inside network. Address may be globally unique, allocated out of the
private address space defined in RFC 1918, or might be officially
allocated to another organization (refer to Figure [2]).
• Inside global address - The IP address of an inside host as it appears to
the outside network. The inside global address is the translated address.
These addresses are typically allocated from a globally unique address
space, typically provided by the ISP (if the enterprise is connected to the
Internet).
• Outside local address - The IP address of an outside host as it appears
to the inside network. These addresses can be allocated from the RFC
1918 space if desired.
• Outside global address - The configured IP address assigned to a host
in the outside network.

2.1.4 NAT functions

Figure 1 NAT Functions

NAT can be used to perform several functions. This chapter describes in detail
the operation of the following NAT functions:
• Translating inside local addresses - This function establishes a
mapping between inside local and global addresses.
• Overloading inside global addresses - Addresses can be conserved in
the inside global address pool by allowing source ports in TCP
connections or UDP conversations to be translated. When different
inside local addresses map to the same inside global address, the TCP or
UDP port numbers of each inside host are used to distinguish between
them.
• TCP load distribution - A dynamic form of destination translation can
be configured for some outside-to-inside traffic. When a mapping
scheme is established, destination addresses that match an access list are
replaced with an address from a pool. Allocation is done on a round-
robin basis, and is done only when a new connection is opened from the
inside to the outside. All non-TCP traffic is passed untranslated (unless
other translations are in effect).
• Handling overlapping networks - NAT can be used to resolve
addressing issues that arise when inside addresses overlap with
addresses in the outside network. This can occur when two companies
merge, both with duplicate addresses in the networks. It can also occur
when switching ISPs and the previously assigned address was reassigned
to another client.

2.2 Configuring NAT

2.2.1 Dynamic NAT

Figure 1 Dynamic NAT

With dynamic NAT, translations don't exist in the NAT translation table until the
router receives traffic that requires translation (such traffic is defined by an
administrator). Dynamic translations are temporary, and will eventually time out.
For example, host 10.4.1.1 transmits a packet to an Internet host, as shown in the
figure. Since a private address can't be routed on the Internet, this host uses the
services of a router configured for NAT.
The NAT router alters the IP packet by removing the original source address,
10.4.1.1, and replacing it with a globally unique address from a pool defined by
an administrator.
As shown in the figure, the inside host is dynamically assigned 2.2.2.2 from the
address pool. The NAT router keeps a record of this address translation in its
NAT table. When an Internet host's reply packet is sent to 2.2.2.2, it arrives at
the NAT router, which checks its NAT table for the mapping to the local inside
address. The NAT router then replaces the destination address with the original
local address, 10.4.4.1. The translation mapping is not permanent; it will age out
after a configurable period of time.

2.2.2 Configuring dynamic NAT

Figure 1 Configuring Dynamic NAT

When configuring dynamic NAT, a pool of global addresses is typically created
to be allocated as needed. Use the ip nat pool command (see the figure) to
configure the address pool, as shown:
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
When using the ip nat pool command, the user has the option of specifying
the subnet mask or the prefix length. The netmask keyword takes a dotted-
decimal argument, such as 255.255.255.0. The same 24-bit mask can also be
specified with the prefix-length keyword, as prefix-length 24.
Packets that should be translated are identified by matching a range of
source addresses. Use the access-list global configuration command to
create an access list that matches the addresses the router should translate:
Router(config)#access-list access-list-number permit source [source-wildcard]
Keep this list as narrow as possible: every source address it permits that
arrives on an inside interface will be translated and given a path to the
outside.
To establish a dynamic translation based on source address, use the ip nat
inside source list command:
Router(config)#ip nat inside source list access-list-number pool name
This command must specify both the access list number and the pool name.
Finally, at least one interface must be configured on the router as the inside
interface, using the following interface configuration command:
Router(config-if)#ip nat inside
The router will only create dynamic entries in the translation table for packets
arriving on interfaces configured with the ip nat inside command.
Use the ip nat outside command to mark an interface as an outside
interface:
Router(config-if)#ip nat outside
2.2.3 Dynamic NAT configuration example

Figure 1 Dynamic NAT Configuration Example

Figure 2 Using the show ip nat translations Command

To configure RTA for dynamic NAT (see Figure [1]), follow these steps:
First, define the NAT pool.
RTA(config)#ip nat pool mynatpool 171.70.2.1 171.70.2.254 netmask 255.255.255.0
This command creates a pool of global addresses called mynatpool that can be
used by inside local hosts. But which local hosts are allowed to use this pool? An
access list may be used to match the source addresses to be translated, as shown
here:
RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
RTA(config)#ip nat inside source list 24 pool mynatpool
The last command configures the router to use access-list 24 to decide
whether to translate the IP source address using mynatpool.
As the final configuration steps on the NAT router, the following commands
configure the appropriate interfaces to take on the role of outside and inside.
RTA(config)#interface bri0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside

If the host at 10.1.1.6 sends an IP packet to an outside host, such as 4.1.1.1, RTA
will translate the source address and create a NAT table entry. Use the show
ip nat translations command to view the translation table.
Figure [2] shows that the inside local address 10.1.1.6 has been translated to the
inside global address 171.70.2.1. While this table entry exists, outside hosts can
use the global IP address 171.70.2.1 to reach the 10.1.1.6 host.
On a Cisco router, dynamic NAT table entries remain in the table for 24 hours
by default. Once the entry ages out, outside hosts will no longer be able to reach
10.1.1.6 until a new table entry is created. The table entry can only be created
from the inside.
A 24-hour timeout is relatively long. Therefore the translation timeout can be
adjusted using the following command:
Router(config)#ip nat translation timeout seconds
One of the primary advantages to dynamic NAT is the ability to serve a large
number of hosts with a smaller number of globally routable IP addresses. It is
important for translation table entries to timeout so that addresses in the pool
become available for other hosts.
A pool of 30 inside global addresses for 250 inside local hosts might be
configured however, only 30 of the inside hosts could use a global address at any
one time. This configuration may work well in an environment where outside
(Internet) connectivity is infrequent and short-lived. If the inside hosts are using
outside connections for occasional web surfing or e-mail, this configuration may
be appropriate. However, if translation table entries don't age out fast enough,
the entire pool of addresses could be in use and additional hosts would be unable
to access the Internet. In order to serve a large number of hosts with just a
handful of addresses, overloading will have to be utilized, (see "NAT Overload"
later in this chapter).
Although NAT is not a security firewall, it does prevent outsiders from
initiating connections to inside hosts unless a matching entry already exists
in the NAT table, either a permanent mapping (static NAT) or a dynamic entry
created by earlier outbound traffic. While a dynamic entry exists, the inside
host is reachable from the outside on its inside global address, so a long
translation timeout also lengthens that window. Because outside hosts never
see the "pre-translated" inside addresses, NAT has the effect of hiding the
inside network structure; it does not inspect or filter the traffic it
forwards, so access control still requires an access list or a firewall.

2.2.4 Static NAT

Figure 1 Static NAT

Static translation occurs when addresses are specifically configured in a lookup
table. A specific inside local address maps to a pre-specified inside global
address. The inside local and inside global addresses are statically mapped one
for one. This means that for every inside local address, static NAT requires an
inside global address (see the figure). If an organization uses static NAT
exclusively, it is not conserving real IP addresses.
For this reason, static NAT is typically used in conjunction with dynamic NAT,
in cases where overlapping networks exist, in cases when a change from one
numbering scheme to another has occurred or for network servers that need to
keep the same address such as DNS or web servers.
Consider this example of how static NAT can be used in conjunction with
dynamic NAT. Company XYZ uses dynamic NAT to allow inside hosts to
access the Internet. But what if the company wants outside users to access an
internally addressed Web server? Without a permanent global address, outside
hosts will not be able to consistently access the server.
Company XYZ can statically map a global address (171.70.2.10) to an inside
address (10.1.1.7). Static mappings exist in the NAT table until an administrator
removes them. Internet hosts, and Domain Name System (DNS) can use the
global address (171.70.2.10) to access the privately and statically addressed Web
server.

2.2.5 Configuring static NAT

Figure 1 Configuring Static NAT

Figure 2 Static NAT

Figure [1] shows the steps to configure static NAT. To configure static NAT as
shown in Figure [2] enter the following command:
RTA(config)#ip nat inside source static 10.1.1.7 171.70.2.10
Once the static mapping(s) have been configured, an inside and outside interface
must be specified, as shown here:
RTA(config)#interface bri0
RTA(config-if)#ip nat outside
RTA(config-if)#interface e0
RTA(config-if)#ip nat inside
The ability to create static mappings makes NAT a useful tool if an organization
was ever to change providers. If the company moves from one ISP to another, it
may have to completely readdress its systems. Instead of readdressing, NAT can
be deployed to temporarily translate the old addresses to new ones, with static
mappings in place to keep Web and other public services available to the
outside.

2.2.6 NAT overload

Figure 1 NAT Overload

One of the most powerful features of NAT routers is their ability to use Port
Address Translation (PAT), which allows multiple inside addresses to map to the
same global address. This is sometimes called a "many-to-one" NAT, or address
overloading. With address overloading, literally hundreds of privately addressed
nodes can access the Internet using a single global address. The NAT router
keeps track of the different conversations by mapping TCP and UDP port
numbers in the translation table. A translation entry that maps one IP address and
port pair to another is called an extended table entry.
For example, the figure shows three inside nodes using the same translated
global address of 171.70.2.2. Each of these hosts can communicate with different
Internet hosts, or even with the same outside host.
According to the NAT table shown in the figure, RTA translates the packet from
the inside local address, 10.1.1.5, TCP port 1232. The translated inside global
address is 171.70.2.2, also on port 1232.
The outside host at 2.2.2.2, TCP port 80 will reply to the address 171.70.2.2, on
port 1232. When RTA (the NAT router) receives this reply, it uses the
destination port number to determine whether the destination IP address should
be translated to 10.1.1.5, 10.1.1.6, or 10.1.1.7.
As long as the inside global port numbers are unique for each inside local host,
NAT overload will work. For example, if the host at 10.1.1.5 and 10.1.1.6 both
use TCP port 1234, the NAT router can create the extended table entries
mapping 10.1.1.5:1234 to 171.70.2.2:1234 and 10.1.1.6:1234 to
171.70.2.2:1235. In fact, NAT implementations don't necessarily try to preserve
the original port number.
NAT overload can go a long way to alleviate address depletion, but its
capabilities are limited. Over 65,000 inside addresses can theoretically map to a
single outside address. However, the actual number of translations supported by
a Cisco router varies; a realistic number is approximately 4,000 local
addresses per global address. Each NAT translation consumes about 160 bytes of
router DRAM.
NAT overload can be used in conjunction with dynamic mappings to a NAT
pool. A NAT device, such as a Cisco PIX Firewall, can then use a one-to-one
dynamic mapping until the available addresses are almost depleted, at which
time NAT can overload the remaining address or addresses. However, on a Cisco
IOS router, NAT will overload the first address in the pool until it is maxed out,
and then move on to the second address, and so on.
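The following Python model is added here as an illustration for sections 2.2.3 and 2.2.6; it is not part of the original course material and is not Cisco IOS code. It shows the two translation-table behaviours described above: dynamic NAT hands each inside host one whole address from the pool until the pool is exhausted and entries age out, while overload (PAT) maps many hosts to one address, keeps them apart by port, and re-assigns the port when two hosts pick the same one. The pool sizes, the timeout value and the port-picking order are assumptions made for the example.

```python
"""Model of a NAT translation table (dynamic one-to-one and overload/PAT).
Added example for this page; not IOS code.  Timeouts, pool and port order
are assumptions."""
import itertools


class NatTable:
    def __init__(self, pool, overload=False, timeout=86400):
        self.pool = list(pool)      # inside global addresses, in configured order
        self.overload = overload
        self.timeout = timeout      # seconds; 86400 is the 24-hour IOS default quoted above
        self.entries = {}           # inside local (ip, port|None) -> [inside global, expires]
        self.in_use = {}            # inside global (ip, port|None) -> inside local key

    def _expire(self, now):
        """Drop aged-out entries so their pool address or port can be reused."""
        for local, (glob, expires) in list(self.entries.items()):
            if expires <= now:
                del self.entries[local]
                del self.in_use[glob]

    def _allocate(self, src_port):
        if not self.overload:
            # simple entry: one whole global address per inside host
            for g in self.pool:
                if (g, None) not in self.in_use:
                    return (g, None)
            return None
        # extended entry: the first pool address is filled before moving on;
        # keep the original source port when free, otherwise take the next one
        for g in self.pool:
            candidates = itertools.chain([src_port], range(src_port + 1, 65536),
                                         range(1024, src_port))
            for p in candidates:
                if (g, p) not in self.in_use:
                    return (g, p)
        return None

    def translate_outbound(self, src_ip, src_port, now):
        """Inside -> outside.  Returns the inside global (ip, port) to write into
        the packet, or None when the pool is exhausted (the packet is dropped)."""
        self._expire(now)
        local = (src_ip, src_port if self.overload else None)
        if local not in self.entries:
            glob = self._allocate(src_port)
            if glob is None:
                return None
            self.entries[local] = [glob, now + self.timeout]
            self.in_use[glob] = local
        self.entries[local][1] = now + self.timeout      # refresh on use
        return self.entries[local][0]

    def translate_inbound(self, dst_ip, dst_port, now):
        """Outside -> inside.  Only packets matching an existing entry are
        forwarded; anything else is dropped, which is why outsiders cannot
        open connections through dynamic NAT."""
        self._expire(now)
        return self.in_use.get((dst_ip, dst_port if self.overload else None))


def demo():
    # Dynamic NAT: two pool addresses for three hosts (constructed scenario)
    dyn = NatTable(["171.70.2.1", "171.70.2.2"], timeout=60)
    a = dyn.translate_outbound("10.1.1.5", 1232, now=0)    # ("171.70.2.1", None)
    b = dyn.translate_outbound("10.1.1.6", 1233, now=0)    # ("171.70.2.2", None)
    c = dyn.translate_outbound("10.1.1.7", 1234, now=0)    # None: pool exhausted
    d = dyn.translate_outbound("10.1.1.7", 1234, now=61)   # earlier entries aged out
    # Overload: one address, two hosts that both use source port 1234
    pat = NatTable(["171.70.2.2"], overload=True)
    x = pat.translate_outbound("10.1.1.5", 1234, now=0)    # ("171.70.2.2", 1234)
    y = pat.translate_outbound("10.1.1.6", 1234, now=0)    # ("171.70.2.2", 1235)
    reply = pat.translate_inbound("171.70.2.2", 1235, now=0)  # ("10.1.1.6", 1234)
    stray = pat.translate_inbound("171.70.2.2", 4444, now=0)  # None: unsolicited
    return a, b, c, d, x, y, reply, stray


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: with a one-to-one pool, the third host gets nothing until an earlier entry times out, which is the exhaustion problem the dynamic NAT section warns about; and under overload the reply for port 1235 is routed back to 10.1.1.6 purely on the port, while an unsolicited packet to a port with no entry is dropped.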

2.2.7 Configuring NAT overload

Figure 1 NAT Overload

Figure 2 NAT Overload Using an Outside Interface Address

Configure NAT overload by using the keyword overload:
Router(config)#ip nat inside source list access-list-number pool name overload
RTA is configured as shown here:
RTA(config)#ip nat pool mypatpool 171.70.2.1 171.70.2.30 netmask 255.255.255.0
RTA(config)#access-list 24 permit 10.1.1.0 0.0.0.255
RTA(config)#ip nat inside source list 24 pool mypatpool overload
RTA(config)#interface bri 0
RTA(config-if)#ip nat outside
RTA(config-if)#interface ethernet 0
RTA(config-if)#ip nat inside
The ip nat pool command creates the pool of addresses that are used for
overloading. Notice that this pool, mypatpool, contains only 30 addresses. Using
NAT overload, these 30 addresses can comfortably serve hundreds, or even
thousands, of inside hosts (see Figure [1]). The access-list command
creates the access list that is used to match addresses that are to be translated.
The ip nat inside source list 24 command configures the router to
translate addresses that match access list 24 using inside global addresses from
mypatpool.
An address pool does not have to be configured for NAT overload to work. If
no separate addresses are available, the address of the outside interface itself
can be overloaded, as shown:
Router(config)#ip nat inside source list access-list-number interface interface-name overload
Typically, home users receive only one IP address from their provider. Figure [2]
shows how NAT overload can be configured using the outside interface address.

2.2.8 TCP load distribution

Figure 1 TCP Load Distribution

Figure 2 TCP Load Distribution Without Private Addresses

As an extension to static mapping, Cisco routers support TCP load distribution.
This powerful NAT feature allows the mapping of one global address to multiple
inside addresses for the purpose of distributing conversations among multiple
hosts. In Figure [1], the NAT router rotates conversations between two inside
Web servers at 10.1.1.6 and 10.1.1.7 when an outside host requests web services
at 171.70.2.10.
TCP load distribution can be used even if not translating between private
addresses and public addresses. The scenario depicted in Figure [2] shows that
RTA is configured to map both www1 (171.70.2.3/24) and www2
(171.70.2.4/24) to the same inside global IP address (171.70.2.10/24). All three
of these IP addresses are public addresses on the same subnet. In such
configurations, the address 171.70.2.10 is referred to as a virtual host.

2.2.9 Configuring TCP load distribution

Figure 1 Configuring TCP Load Distribution

The following are the steps for configuring TCP load distribution:
1. Define a pool of addresses containing the addresses of the real hosts:
Router(config)#ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} type rotary
2. Define an access list permitting the address of the virtual host:
Router(config)#access-list access-list-number permit source [source-wildcard]
3. Establish dynamic inside destination translation, identifying the access
list defined in Step 2:
Router(config)#ip nat inside destination list access-list-number pool name
4. Specify the inside interface:
Router(config)#interface type number
5. Mark the interface as connected to the inside:
Router(config-if)#ip nat inside
6. Specify the outside interface:
Router(config-if)#interface type number
7. Mark the interface as connected to the outside:
Router(config-if)#ip nat outside

2.2.10 TCP load distribution configuration example

Figure 1 TCP Load Distribution Without Private IP Addresses

In the figure, RTA is configured as shown:
RTA(config)#ip nat pool webservers 171.70.2.3 171.70.2.4 netmask 255.255.255.0 type rotary
RTA(config)#access-list 46 permit host 171.70.2.10
RTA(config)#ip nat inside destination list 46 pool webservers
RTA(config)#interface e0
RTA(config-if)#ip nat inside
RTA(config-if)#interface s0
RTA(config-if)#ip nat outside
The keyword rotary is used so that the router will rotate through the webservers
pool when translating. Access list 46 is used to define the virtual host address.
RTA is configured to translate destination addresses that match 171.70.2.10
(access list 46), using the webservers pool. Because the webservers pool was
defined using the rotary keyword, the first translation will be to 171.70.2.3, but
the second will be to 171.70.2.4, the third back to 171.70.2.3, and so on. In this
way, the load is distributed among the Web servers.
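The following Python model, added here as an illustration and not taken from the course material or from IOS, shows the rotary behaviour of sections 2.2.8 through 2.2.10: only a new TCP connection to the virtual host draws the next address from the pool, later packets of that connection keep their mapping, and non-TCP traffic passes untranslated. The connection key, the rule that a new connection is a TCP SYN, and the client addresses are assumptions of the example.

```python
"""Model of rotary (TCP load distribution) destination translation.
Added example for this page; not IOS code."""
import itertools


class RotaryNat:
    def __init__(self, virtual_host, real_hosts):
        self.virtual_host = virtual_host
        self._next = itertools.cycle(real_hosts)   # round-robin through the rotary pool
        self.sessions = {}                          # (client ip, client port, dst port) -> real host

    def translate_inbound(self, proto, src_ip, src_port, dst_ip, dst_port, syn=False):
        """Outside -> inside.  Returns the destination address to forward to.
        Only a new TCP connection (SYN) to the virtual host draws the next pool
        address; later packets of that connection reuse it; non-TCP traffic and
        traffic to other addresses pass through untranslated."""
        if proto != "tcp" or dst_ip != self.virtual_host:
            return dst_ip
        key = (src_ip, src_port, dst_port)
        if key not in self.sessions:
            if not syn:
                return dst_ip          # mid-stream packet with no entry: left alone
            self.sessions[key] = next(self._next)
        return self.sessions[key]


def demo():
    lb = RotaryNat("171.70.2.10", ["171.70.2.3", "171.70.2.4"])
    first = lb.translate_inbound("tcp", "4.1.1.1", 40001, "171.70.2.10", 80, syn=True)
    second = lb.translate_inbound("tcp", "4.1.1.2", 40002, "171.70.2.10", 80, syn=True)
    third = lb.translate_inbound("tcp", "4.1.1.3", 40003, "171.70.2.10", 80, syn=True)
    same = lb.translate_inbound("tcp", "4.1.1.1", 40001, "171.70.2.10", 80)   # existing connection
    udp = lb.translate_inbound("udp", "4.1.1.1", 5000, "171.70.2.10", 53)       # non-TCP: untranslated
    direct = lb.translate_inbound("tcp", "4.1.1.1", 40004, "171.70.2.4", 80, syn=True)
    return first, second, third, same, udp, direct


if __name__ == "__main__":
    print(demo())
```

The last call in demo is the point worth noticing: the virtual host spreads load, but the real servers keep their own public addresses on the same subnet and remain directly reachable, so any filtering of access to them has to be done with access lists or a firewall, not by the rotary pool.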

2.2.11 Overlapping networks

Figure 1 Overlapping Networks

Figure 2 Overlapping Networks

Figure 3 Overlapping Networks

Figure 4 Overlapping Networks

Figure 5 Overlapping Networks

Figure 6 Output of show ip nat translations in Overlapping Network Scenario

Overlapping networks result when an IP address is assigned to a device on the
network that is already legally owned and assigned to a different device on the
Internet or outside network. Overlapping networks also result when two
companies, both of whom use RFC 1918 IP addresses in their networks, merge.
These two networks need to communicate, preferably without having to
readdress all their devices.
Figure [1] illustrates an overlapping network scenario. Notice that the inside
device, HostA, is addressed using the same IP subnet as the outside device,
HostZ. HostA can't reach HostZ by using HostZ's IP address. If HostA pings
10.1.1.6, it will be pinging its local neighbor and not HostZ.
One way to allow HostA to communicate with HostZ is to use DNS and NAT.
Instead of using HostZ's actual IP address, HostA can use HostZ's hostname. For
example, a user on HostA could issue the command ping HostZ, which
would result in a name-to-address lookup using DNS (see Figure [2]).
A NAT translation is done for the DNS query sourced from 10.1.1.7. The query
from 10.1.1.7 is translated by RTA so that it appears to be from the inside global
address 192.168.1.7. The DNS server responds to this query, as shown in Figure
[3].
This DNS response is the key to making overlapping networks coexist. The DNS
server responds with HostZ's actual IP address, 10.1.1.6, but RTA translates the
payload of the DNS response: Cisco's implementation of NAT will actually alter
the contents of a DNS packet. In doing so it creates a simple table entry mapping
the outside global address (10.1.1.6) to an outside local address (192.168.3.6).
In this way, HostA will believe that HostZ is at 192.168.3.6 (presumably a
reachable IP network).
Note: NAT doesn't look at the payload of the DNS reply unless translation
occurs on the IP header of the reply packet.
HostA can then begin a conversation with HostZ. When HostA sends a packet to
HostZ, RTA creates an extended table entry, as shown in Figure [4]. From
HostA's point of view, this conversation is between 10.1.1.7 (HostA) and
192.168.3.6 (HostZ). However, both the source and destination addresses are
translated by RTA so that HostZ believes this same conversation is between
192.168.1.7 (HostA) and 10.1.1.6 (HostZ).
The configuration for RTA is shown in Figure [5].
RTA uses the inGlobal address pool to translate HostA's address so that outside
hosts can reach HostA. RTA uses the outLocal pool to translate outside hosts in
the overlapping network so that HostA can reach those hosts. Figure [6] provides
the output of the show ip nat translations command after HostA has
sent HostZ an IP packet.
The first entry shown in Figure [6] was created when HostA sent a DNS query.
The second entry was created when RTA translated the payload of the DNS
reply. The third entry was created when the packet was exchanged between
HostA and HostZ. The third entry is a summary of the first two entries, and is
used for more efficient translations.
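The following Python code is added here to show the DNS payload rewrite that sections 2.1.4 and 2.2.11 describe; it is written for this page and is not Cisco code. A reply carrying HostZ's real address is patched so that HostA sees an outside local address, and the outside global to outside local mapping is recorded the way the second table entry in Figure [6] is. The wire format is the standard DNS message format (RFC 1035); the overlapping range, the outLocal pool contents and the sample replies are constructed for the example.

```python
"""DNS A-record rewrite for the overlapping-network NAT scenario.
Added example for this page; not Cisco code.  Sample messages, the
overlapping range and the outLocal pool are constructed."""
import ipaddress
import socket
import struct


def encode_name(name):
    """Uncompressed wire form of a domain name."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_dns_message(txid, qname, answer_ip=None, ttl=300):
    """Constructed sample: a query (answer_ip None) or a reply with one A record."""
    flags = 0x8180 if answer_ip else 0x0100
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    if answer_ip:
        msg += encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4)
        msg += socket.inet_aton(answer_ip)
    return msg


def skip_name(msg, off):
    """Offset just past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_record_offsets(msg):
    """Yield the offset of each 4-byte A-record RDATA in the answer section."""
    flags, qdcount, ancount = struct.unpack_from("!HHH", msg, 2)
    if not flags & 0x8000:
        return                         # a query: nothing to walk
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            yield off
        off += rdlen


def a_records(msg):
    return [socket.inet_ntoa(bytes(msg[o:o + 4])) for o in a_record_offsets(msg)]


def translate_dns_reply(msg, overlap, out_local_pool, table):
    """Rewrite A records whose address falls in the overlapping range (the
    outside source access-list match) to an outside local address drawn from
    out_local_pool; table (outside global -> outside local) is the NAT table."""
    buf = bytearray(msg)
    for off in a_record_offsets(buf):
        outside_global = socket.inet_ntoa(bytes(buf[off:off + 4]))
        if ipaddress.ip_address(outside_global) not in overlap:
            continue                   # not overlapping: HostA can reach it as-is
        if outside_global not in table:
            table[outside_global] = next(out_local_pool)   # new simple entry
        buf[off:off + 4] = socket.inet_aton(table[outside_global])
    return bytes(buf)


def demo():
    overlap = ipaddress.ip_network("10.1.1.0/24")        # assumed overlapping subnet
    pool = iter(["192.168.3.6", "192.168.3.7"])           # assumed outLocal pool
    table = {}
    hostz = build_dns_message(0x1234, "hostz.example.com", "10.1.1.6")
    fixed = translate_dns_reply(hostz, overlap, pool, table)
    other = build_dns_message(0x1235, "www.example.net", "4.1.1.1")
    same = translate_dns_reply(other, overlap, pool, table)
    query = build_dns_message(0x1236, "hostz.example.com")
    passthrough = translate_dns_reply(query, overlap, pool, table) == query
    return a_records(fixed), a_records(same), table, len(fixed) == len(hostz), passthrough
```

The rewrite keeps the packet length unchanged, so no other field needs fixing, but it is still an active modification of application data by a middlebox: a DNSSEC-validating client would reject the patched answer because the RRSIG no longer covers the RDATA. The model also translates every matching A record; IOS, as the note above says, only looks at the payload when the IP header of the reply itself was translated.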

2.3 Verifying NAT Configuration

2.3.1 Verifying NAT translations

Figure 1 Using the show ip nat translations verbose Command

Figure 2 Show IP NAT Translation Display with Address Overlapping

Figure 3 Using the show ip nat statistics Command

The commands covered in this section display translation information and clear
address translation entries from the NAT translation table.
The show ip nat translations [verbose] command can be used to
verify the active translations, as shown in Figure [1]. The verbose keyword
displays more information, including the time remaining before a dynamic entry
ages out. Figure [2] shows the output of this command while address overloading
is in effect.

Use the show ip nat statistics command to see NAT statistics, as
shown in Figure [3].

2.3.2 Troubleshooting NAT translations

Figure 1 Debug IP NAT Display

To trace the NAT operation use the debug ip nat command to display a line
of output for each packet that gets translated. The detailed keyword may be
added to output even more information. The output shown in the figure is a
sample of a debug of address translation inside to outside.
To decode the above debug output use the following key points:
• The asterisk next to NAT indicates that the translation is occurring in the
fast path. The first packet in a conversation will always go through the
slow path (i.e., be process-switched). The remaining packets will go
through the fast path if a cache entry exists.
• s = a.b.c.d is the source address.
• a.b.c.d -> w.x.y.z is the address that the source was translated to.
• d = a.b.c.d is the destination address.
• The value in brackets is the IP identification number. This information
may be useful for debugging because it enables correlation with other
packet traces from sniffers, for example.
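The following Python parser is added here as an example and is not part of the course material or of IOS: it decodes debug ip nat lines in the format described above, recovers the inside local to inside global mapping from both directions, and performs the correlation with a sniffer trace that the last bullet suggests. The debug lines and the capture records are constructed for the example.

```python
"""Parser for debug ip nat output plus IP-ID correlation with an outside
capture.  Added example for this page; sample lines are constructed."""
import re

# Constructed sample: first packet of a flow on the slow path, the rest fast path.
SAMPLE_DEBUG = """\
NAT: s=10.1.1.6->171.70.2.1, d=4.1.1.1 [7]
NAT*: s=4.1.1.1, d=171.70.2.1->10.1.1.6 [9]
NAT*: s=10.1.1.6->171.70.2.1, d=4.1.1.1 [8]
NAT*: s=4.1.1.1, d=171.70.2.1->10.1.1.6 [10]
"""

# Constructed sample: what a sniffer on the outside link recorded, keyed by
# (IP ID, source address on the wire) -> destination.  ID 8 is deliberately
# absent, as if that packet never made it onto the outside link.
SAMPLE_CAPTURE = {
    (7, "171.70.2.1"): "4.1.1.1",
    (9, "4.1.1.1"): "171.70.2.1",
    (10, "4.1.1.1"): "171.70.2.1",
}

LINE_RE = re.compile(
    r"^NAT(?P<fast>\*)?: s=(?P<src>[\d.]+)(?:->(?P<src_xlat>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_xlat>[\d.]+))? \[(?P<ipid>\d+)\]$"
)


def parse_line(line):
    """One debug line -> dict, or None for lines that are not NAT debug output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["fast_path"] = e.pop("fast") == "*"        # '*' marks the fast path (cache hit)
    e["ipid"] = int(e["ipid"])
    e["direction"] = "inside->outside" if e["src_xlat"] else "outside->inside"
    return e


def parse_debug(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def translation_map(entries):
    """Inside local -> inside global, learned from both directions."""
    m = {}
    for e in entries:
        if e["src_xlat"]:
            m[e["src"]] = e["src_xlat"]          # outbound: source was translated
        if e["dst_xlat"]:
            m[e["dst_xlat"]] = e["dst"]          # inbound: destination was translated
    return m


def outside_view(e):
    """(src, dst) as a sniffer on the outside link sees this packet."""
    return (e["src_xlat"] or e["src"], e["dst"])


def correlate(entries, capture):
    """Return the IP IDs of debug lines with no matching outside-link capture."""
    missing = []
    for e in entries:
        src, dst = outside_view(e)
        if capture.get((e["ipid"], src)) != dst:
            missing.append(e["ipid"])
    return missing


if __name__ == "__main__":
    entries = parse_debug(SAMPLE_DEBUG)
    print(translation_map(entries), correlate(entries, SAMPLE_CAPTURE))
```

The IP identification field is only 16 bits and is chosen by each sending host, so it repeats quickly; the capture is therefore keyed by ID and source address together. Remember that debug ip nat emits a line for every translated packet, so on a busy router it should be run briefly and with the output directed away from the console.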

2.3.3 Clearing NAT translations

Figure 1 Effect of clear ip nat translation * Command

After enabling NAT, changes to the NAT configuration may be refused while
dynamic translations are active. To clear all dynamic entries (static mappings
remain), use the clear ip nat translation * command.
It is possible to clear a simple translation entry containing an inside translation,
or both an inside and an outside translation, by using the clear ip nat
translation inside global-ip local-ip [outside local-ip global-ip] command.
To clear a simple translation entry that contains an outside translation, use the
clear ip nat translation outside local-ip global-ip command.
To clear an extended entry (in its various forms), use the clear ip nat
translation protocol inside global-ip global-port local-ip local-port
[outside local-ip local-port global-ip global-port] command. The following
example shows the use of this command:
RTX#clear ip nat translation udp inside 192.168.2.2 1220 10.1.1.2 1220 outside 171.69.2.132 53 171.69.2.132 53
If NAT is properly configured but translations are not occurring, clear the NAT
translations and check to see if new translations occur.

2.4 NAT Considerations

2.4.1 NAT advantages

Figure 1 NAT Implementation Considerations

NAT has several advantages, including the following:
• NAT conserves the legally registered addressing scheme by allowing the
privatization of intranets, yet it allows legal addressing scheme pools to
be set up to gain access to the Internet.
• NAT also reduces the instances in which addressing schemes overlap.
This could occur if a scheme was originally set up within a private
network, and the network was connected to the public network (which
may use the same addressing scheme). Without address translation, the
potential for overlap exists globally.
• NAT increases the flexibility of connection to the public network.
Multiple pools, backup pools, and load sharing/balancing pools can be
implemented to help ensure reliable public network connections.
Network design is also simplified because planners have more flexibility
when creating an address plan.
• De-privatization of a network requires the renumbering of the existing
network; the costs can be associated with the number of hosts that
require conversion to the new addressing scheme. NAT allows the
existing scheme to remain, and it still supports the new assigned
addressing scheme outside the private network.

2.4.2 NAT disadvantages

Figure 2 NAT Implementation Considerations

NAT is not without drawbacks. The tradeoff for address translation is a loss of
functionality, particularly with any protocol or application that involves sending
IP address information outside the IP header. NAT disadvantages include the
following:
• NAT increases delay. Switching path delays are introduced because the
IP addresses in each packet header must be translated. Performance may be
a consideration: the first packet of each conversation is process-switched
while the router builds the translation entry, and the CPU must examine
each packet to decide whether it has to be translated and then alter the IP
header, and possibly the TCP or UDP header. Later packets of the same
conversation can use the fast path once a cache entry exists (see 2.3.2).
• One significant disadvantage when implementing and using NAT is the
loss of end-to-end IP traceability. It becomes much more difficult to
trace packets that undergo numerous address changes over multiple NAT
hops, which complicates troubleshooting and incident investigation. The
same property makes it harder for an outside attacker to learn the original
source or destination address of a packet, but this is obscurity rather than
access control: NAT does not replace a firewall or access lists.
• NAT also breaks some applications because it hides end-to-end IP
addresses. Applications that carry an IP address inside the application
data, instead of a fully qualified domain name, will not reach destinations
that are translated across the NAT router unless the router understands
that protocol (see 2.4.3). Sometimes this problem can be avoided by
implementing static NAT mappings.

2.4.3 Traffic types supported by Cisco

Traffic types supported by Cisco IOS NAT:
• Any TCP/UDP traffic that does not carry source or destination IP
addresses in the application data stream
• Hypertext Transfer Protocol (HTTP)
• Trivial File Transfer Protocol (TFTP)

• Telnet
• Archie
• Finger
• Network Time Protocol (NTP)
• Network File System (NFS)
• rlogin, rsh, rcp
Although the following traffic types carry IP addresses in the application data
stream, they are supported by Cisco IOS NAT:
• ICMP
• File Transfer Protocol (FTP) (including PORT and PASV commands)
• NetBIOS over TCP/IP (datagram, name, and session services)
• Progressive Networks' RealAudio
• White Pines' CuSeeMe
• Xing Technologies' Streamworks
• DNS "A" and "PTR" queries
• H.323/NetMeeting [12.0(1)/12.0(1)T and later]
• VDOLive [11.3(4)/11.3(4)T and later]
• Vxtreme [11.3(4)/11.3(4)T and later]
• IP multicast [12.0(1)T] (source address translation only)
The following traffic types are not supported by Cisco IOS NAT:
• Routing table updates
• DNS zone transfers
• BOOTP
• talk, ntalk
• Simple Network Management Protocol (SNMP)
• NetShow

2.5 NAT Configuration Lab Exercises

2.5.1 Configuring static NAT

Figure 1 Configuring Static NAT

Lab Activity

Configure Network Address Translation (NAT) static translation to provide
reliable outside access to three shared company servers.

2.5.2 Configuring dynamic NAT

Figure 1 Configuring Dynamic NAT

Lab Activity

Configure dynamic NAT to provide privately addressed users with access to
outside resources.

2.5.3 Configuring NAT overload

Figure 1 Configuring NAT Overload

Lab Activity

Configure dynamic NAT with overload.

2.5.4 Configuring TCP load distribution

Figure 1 Configuring TCP Load Distribution

Lab Activity

This lab will configure NAT with the TCP Load Distribution option. The prefix-
length option will also be used as an alternative to the netmask option of the ip
nat pool command.

Summary
This chapter demonstrated that NAT allows the network to scale without
depleting the limited supply of global IP addresses. It also covered configuring
static NAT in addition to dynamic NAT and NAT overload (PAT). It was also
shown how NAT can be used to provide connectivity in overlapping IP
networks.

Section 3

Emerging Remote Access Technologies
Table of Contents

EMERGING REMOTE ACCESS TECHNOLOGIES ......................................................... 1
OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
3.1 CABLE MODEMS......................................................................................................................................... 5
3.1.1 Two-way, high-speed data transmission ................................................................................................ 5
3.1.2 How cable modems work ..................................................................................................................... 6
3.1.3 Cable data network architecture........................................................................................................... 9
3.1.4 Cable and OSI model ........................................................................................................................ 11
3.1.5 Cable summary ................................................................................................................................. 13
3.2 WIRELESS NETWORK ACCESS .................................................................................................................... 15
3.2.1 Overview .......................................................................................................................................... 15
3.2.2 Direct broadcast satellite................................................................................................................... 16
3.2.3 DBS architecture...............................................................................................................................17
3.2.4 Data service ..................................................................................................................................... 19
3.3 MULTICHANNEL MULTIPOINT DISTRIBUTION SERVICES ................................................................................ 20
3.3.1 Overview .......................................................................................................................................... 20
3.3.2 MMDS history .................................................................................................................................. 20
3.3.3 MMDS architecture........................................................................................................................... 21
3.4 LOCAL MULTIPOINT DISTRIBUTION SERVICES .............................................................................................. 23
3.4.1 Overview .......................................................................................................................................... 23
3.4.2 LMDS architecture............................................................................................................................ 24
3.4.3 Wireless broadband summary ............................................................................................................ 26
3.5 WIRELESS LOCAL AREA NETWORKING ....................................................................................................... 27
3.5.1 Overview of wireless local-area networking ........................................................................................ 27
3.5.2 In-building WLANs............................................................................................................................ 28
3.5.3 Building-to-building WLANs .............................................................................................................. 29
3.5.4 The wireless LAN standard ................................................................................................................ 30
3.5.5 The future of wireless local-area networking ....................................................................................... 31
3.5.6 Mobility services ...............................................................................................................................33
3.5.7 Conclusion ....................................................................................................................................... 34
3.6 DIGITAL SUBSCRIBER LINE ........................................................................................................................ 35
3.6.1 DSL background ...............................................................................................................................35
3.6.2 Asymmetric digital subscriber line (ADSL) .......................................................................................... 36
3.6.3 ADSL services architecture ................................................................................................................ 37
3.6.4 ASDL capabilities ............................................................................................................................. 39
3.6.5 ADSL technology .............................................................................................................................. 41
3.6.6 ADSL standards and associations....................................................................................................... 42
3.7 VERY-HIGH-DATA-RATE DIGITAL SUBSCRIBER LINE ................................................................................... 44
3.7.1 Overview .......................................................................................................................................... 44
3.7.2 VDSL projected capabilities............................................................................................................... 45
3.7.3 VDSL technology .............................................................................................................................. 46
3.7.4 VDSL issues...................................................................................................................................... 49
3.7.5 Standards status................................................................................................................................ 50
3.7.6 Relationship of VDSL to ADSL ........................................................................................................... 51
SUMMARY ..................................................................................................................................................... 53

1-2 Remote Access Section 3: Emerging Remote Access Technologies Copyright © 2002, Cisco Systems, Inc.
Overview
This appendix gives an overview of emerging remote-access technologies.
Additionally, it discusses the pros and cons of accessing the Internet via cable
modems, wireless connections, and digital subscriber lines (xDSL).

Objectives
After completing this chapter, the student will be able to perform tasks
relating to:

3.1 Cable Modems

3.2 Wireless Network Access

3.3 Multichannel Multipoint Distribution Services (MMDS)

3.4 Local Multipoint Distribution Services (LMDS)

3.5 Wireless Local Area Networking (WLAN)

3.6 Digital Subscriber Line (DSL)

3.7 Very-High-Data-Rate Digital Subscriber Line (VDSL)

3.1 Cable Modems

3.1.1 Two-way, high-speed data transmission

Figure 1 Cable Modem

Cable modems enable two-way, high-speed data transmission using the same
coaxial lines that transmit cable television. Some cable service providers are
promising data speeds up to 6.5 times that of T1 leased lines. This speed makes
cable an attractive medium for transferring large amounts of digital information
quickly, including video clips, audio files, and large chunks of data. Information
that would take two minutes to download using ISDN can be downloaded in two
seconds through a cable-modem connection.
Cable-modem access provides speeds superior to leased lines, with lower costs
and simpler installation. When the cable infrastructure is in place, a firm can
connect through installation of a modem or router. Additionally, because cable
modems do not use the telephone system infrastructure, there are no local-loop
charges. Products such as the Cisco uBR904 universal broadband router cable
modem make cable access an even more attractive investment by integrating a
fully functional Cisco IOS router, four-port hub, and cable-modem into one unit
(see the figure). This combination allows businesses to replace combinations of
routers, bridges, hubs, and single-port cable modems with one product.
Cable modems provide a full-time connection. As soon as users turn on their
computers, they are connected to the Internet. This removes the time and effort
of dialing in to establish a connection. The "always-on" cable connection also
means that a company's "information pipe" is open at all times. This increases
the vulnerability of data to hackers and necessitates the installation of firewalls to
maximize security. Fortunately, the industry is moving toward standardization in
cable modems and addressing encryption needs. New models of the Cisco
uBR904 cable modem will provide IP Security (IPSec) and firewall capabilities.
These features protect company LANs and provide virtual private network
(VPN) tunneling, with options for authentication and encryption.
Because the connection is permanently established, cable-modem connections
take place over the Internet. Employees using a cable modem at home to surf the
Web can connect to a company LAN only if the business connects its LAN to
the Internet. Moving through the Internet in this way can restrict the speedy
connection of cable modems. To address this problem, many cable access
service providers are in the process of developing services that combine cable
and T1 connections. This will provide fast and reliable remote office-to-
corporate network connections.
Availability may be the biggest barrier to cable-modem adoption by businesses
because only a few office buildings have been outfitted for cable reception,
compared to the almost 85 percent of households in North America that are
wired for cable.
Some cable operators are in the process of replacing traditional one-way cable
systems with the more interactive two-way architecture known as hybrid fiber-
coaxial (HFC). Due to the magnitude of this upgrade and the need to expand
networks to include businesses, the market penetration of cable modems is
expected to lag behind DSL.

3.1.2 How cable modems work

Figure 1 How Cable Modems Work

Figure 2 How Cable Modems Work

Figure 3 How Cable Modems Work

Like telephone modems, cable modems modulate and demodulate data signals.
However, cable modems incorporate more functionality designed for today's
high-speed Internet services. In a cable network, data flowing from the network
to the user is referred to as downstream and data flowing from the user to the
network is referred to as upstream. From a user perspective, a cable modem is a
64/256 QAM radio frequency (RF) receiver capable of delivering up to 30 to 40
megabits per second (Mbps) of data in one 6-megahertz (MHz) cable channel.
This is almost 500 times faster than a 56-kilobit-per-second (kbps) modem. The
headend manages traffic flow from the user to the network [1] and performs the
following functions:
• Receive programming (for example, from NBC, CBS, and cable
networks such as MTV and ESPN)

• Convert each channel to the channel frequency desired; scramble
channels as needed (for the premium channels)
• Combine all the frequencies onto a single, broadband analog channel
(frequency-division multiplexing [FDM])
• Broadcast the combined analog stream downstream to subscribers
The data is modulated using a QPSK/16 QAM transmitter with data rates from
320 kbps up to 10 Mbps. The upstream and downstream data rates can be
configured to meet the needs of the subscribers. For instance, a business service
can be programmed to both transmit and receive at relatively high rates. A
residential user, on the other hand, can have their service configured to receive
higher bandwidth access to the Internet while limited to low-bandwidth
transmission to the network.
With a cable modem, a subscriber can continue to receive cable television
service while simultaneously receiving data to be delivered to a personal
computer. This is accomplished with the help of a simple one-to-two splitter.
The data service offered by a cable modem can be shared by up to 16 users in a
local-area network (LAN) configuration. [2]
Because some cable networks are suited only for broadcast television services, cable
modems may use either a standard telephone line or a QPSK/16 QAM modem
over a two-way cable system to transmit data upstream from a user location to
the network. When a telephone line is used in conjunction with a one-way
broadcast network, the cable data system is referred to as a telephony return
interface (TRI) system. Telephone return means that the consumer (or the
subscriber modem) makes a telephone call to a terminal server when the
consumer requires return-path service. At the cable headend, data from
individual users is filtered by telephone-return systems for further processing by
a cable modem terminal server (CMTS). The CMTS communicates with the
cable modem to enforce the Media Access Control (MAC) protocol and RF
control functions, such as frequency hopping and automatic gain control.
A CMTS provides data switching necessary to route data between the Internet
and cable-modem users. Data from the network to a user group is sent to a
64/256 QAM modulator. The result is user data modulated into one 6-MHz
channel, which is the spectrum allocated for a cable television channel such as
ABC, NBC, or TBS for broadcast to all users. [3]
A cable headend combines the downstream data channels with the existing
video, pay-per-view, audio, and local advertiser programs that are received by
television subscribers. The combined signal is now ready to be transmitted
throughout the cable distribution network. When the signal arrives at the user's
site two different devices receive it. A converter box generally located on the top
of a television receives the television signal, while a cable modem or router
receives user data and sends it to a PC.
The CMTS, an important new element for support of data services, integrates
upstream and downstream communication over a cable data network. The
number of upstream and downstream channels in any particular CMTS can be
designed and adjusted based on the size of the serving area, number of users, and
data rates offered to each user.
Another important element in the operations and day-to-day management of a
cable data system is an element management system (EMS). An EMS is an
operations system designed specifically to configure and manage a CMTS and

associated cable-modem subscribers. These operations include provisioning,
day-to-day administration, monitoring, alarms, and testing of various
components of a CMTS. From a central Network Operations Center (NOC), a
single EMS can support many CMTS systems in a particular geographic region.
Beyond modulation and demodulation, a cable modem or router incorporates
many features necessary to extend broadband communications to wide-area
networks (WANs). The Internet Protocol (IP) is used at the network layer to
support the Internet services such as e-mail, Hypertext Transfer Protocol
(HTTP), and File Transfer Protocol (FTP). The data link layer comprises three
sublayers: the Logical Link Control (LLC) sublayer, a link security sublayer
that implements the security requirements, and a MAC sublayer suited to
cable-system operations. Cable systems use the Ethernet frame format for
data transmission over data channels. The downstream data channels and the
associated upstream data channels on a cable network basically form an Ethernet
WAN. As the number of subscribers increases, the cable operator can add more
upstream and downstream data channels to meet the additional bandwidth
requirements.
The link security sublayer is defined in three subsets of requirements: baseline
privacy interface (BPI), security system interface (SSI), and removable security
module interface (RSMI). BPI provides cable-modem users with data privacy
across the cable network by encrypting data traffic between the cable modem
and CMTS. The operational support provided by the EMS allows a CMTS to
map cable-modem identities to paying subscribers and thereby authorize
subscriber access to data network services. These privacy and security
requirements are designed to protect user data as well as prevent unauthorized
use of cable data services.

3.1.3 Cable data network architecture

Figure 1 Cable Data Network Architecture

Figure 2 Cable Data Network Architecture

A CMTS provides an extended Ethernet network over a WAN with a geographic
reach up to 100 miles. The cable data network may be fully managed by the local
cable operations unit or operations may be aggregated at a regional NOC for
better scaling. A given geographic or metropolitan region may have a few cable
television headend locations that are connected by fiber links. The day-to-day
operations and management of a cable data network may be consolidated at a
single location, such as a regional center, while other headend locations may be
economically managed as local centers.
A basic distribution center is a minimal data network configuration that exists
within a cable television headend. A typical headend is equipped with satellite
receivers, fiber connections to other regional headend locations, and upstream
RF receivers for pay-per-view and data services. [1] The minimal data network
configuration includes a CMTS system capable of upstream and downstream
data transport and an IP router to connect to the regional location.
A regional center is a cable headend location with additional temperature-
controlled facilities to house a variety of computer servers, which are necessary
to run cable data networks.
The servers provide the following services:
• file transfer
• user authorization and accounting
• log control (syslog)
• IP address assignment and administration (Dynamic Host Configuration
Protocol [DHCP] servers)
• Domain Name System (DNS) servers
• Data-over-Cable Service Interface Specification (DOCSIS) control
servers
In addition, a regional center may contain support and network management
systems necessary for the television as well as data network operations.
User data from local and regional locations is received at a regional data center
for further aggregation and distribution throughout the network (Figure 2). A
regional data center supports the DHCP, DNS, and log control servers necessary
for cable data network administration. It also provides connectivity to the
Internet and the World Wide Web and contains the server farms necessary to
support Internet services. These servers include e-mail, Web hosting, news, chat,
proxy, caching, and streaming-media servers.

3.1.4 Cable and OSI model

Figure 1 Cable and the OSI Model

The cable data system comprises many different technologies and standards. For
cable modems to be mainstreamed, modems from different vendors must be
interoperable.
Physical Layer
Downstream Data Channel
At the physical layer, the downstream data channel is based on North American
digital video specifications (specifically, International Telecommunication
Union [ITU-T] Recommendation J.83 Annex B) and includes the following
features:
• 64 and 256 QAM
• 6 MHz-occupied spectrum that coexists with other signals in the cable
plant
• Variable-length interleaving support for both latency-sensitive and
latency-insensitive data services
• Contiguous serial bit stream with no implied framing, providing
complete physical and data link layer decoupling
Upstream Data Channel
The upstream data channel is a shared channel featuring the following:
• QPSK and 16 QAM formats

• Data rates from 320 kbps to 10 Mbps
• Flexible and programmable cable modem under control of CMTS
• Time-division multiple access
• Support of both fixed-frame and variable-length protocol data units
(PDUs)
Data Link Layer
The data link layer provides the general requirements for many cable-modem
subscribers to share a single upstream data channel for transmission to the
network. Among these requirements are collision detection and retransmission
capability. The large geographic reach of a cable data network poses special
problems as a result of the transmission delay between users close to the headend
and users at a distance from it. To compensate for cable losses and delay as a
result of distance, the data link layer performs ranging, by which each cable
modem can assess the time delay in transmitting to the headend. The data link
layer supports:
• timing and synchronization
• bandwidth allocation to cable modems under the control of the CMTS
• error detection, handling, and recovery
• procedures for registering new cable modems
Network Layer
Cable data networks use IP for communication from the cable modem to the
network. DHCP, as specified by the Internet Engineering Task Force (IETF),
typically forms the basis for IP address assignment and administration in the
cable network.
Transport Layer
Cable data networks support both the Transmission Control Protocol (TCP) and
the User Datagram Protocol (UDP) at the transport layer.
Application Layer
All of the Internet-related applications are supported here. These applications
include HTTP, FTP, e-mail, Trivial File Transfer Protocol (TFTP), news, chat,
and Simple Network Management Protocol (SNMP). The use of SNMP provides
for management of the CMTS and cable data networks.

3.1.5 Cable summary

Figure 1 Cable Modem

Many people are tuning into the Internet channel on their TV. Of all the high-
speed Internet access solutions, cable TV systems are probably the most talked
about. That is partly because they take advantage of existing broadband cable
TV networks and partly because they promise to deliver high-speed access at an
affordable price.
Although Internet access via cable is spreading rapidly, cable operators face an
uphill battle to reach the mainstream. Like telephone companies offering ISDN
service, cable operators must gain expertise in data communications to win and
keep customers.
One of the technical hurdles that cable providers face is the fact that satellites are
only one-way devices. If cable operators make their one-way networks into
interactive HFC networks, cable modems could work in both directions. When
this is accomplished, the technology could offer the best price/performance
combination of any Internet access method to date, delivering close to 10-Mbps
speeds at less than $50 per month. This is significantly better than the
cost/performance factor of ISDN access.
As discussed, making the cable-to-PC connection requires a cable modem to
modulate and demodulate the cable signal into a stream of data. The similarity
with analog modems ends there. Cable modems also incorporate the following:
• a tuner for separating the data signal from the rest of the broadcast
stream
• bridge and router technology to connect to multiple devices
• network-management software agents to enable the cable company to
control and monitor operations
• encryption devices to deter data interception
Each cable modem has an Ethernet interface for internal network connectivity
and a coaxial cable connection for the WAN connection. A network interface
card (NIC) is installed in the PC and connected to the cable modem Ethernet port
with a straight-through cable. There are no phone numbers to dial and no
limitations on serial-port throughput (as is the case with ISDN modems). The
result is high-speed throughput with download speeds varying from 500 kbps to
30 Mbps and uploads from 96 kbps to 10 Mbps.

3.2 Wireless Network Access

3.2.1 Overview

Figure 1 Wireless Access Networks

Tremendous strides have been made on wired networks. Copper and fiber
networks dominate the Layer 1 space. The transmission capacity of wired
networks is virtually limitless as carriers can arbitrarily add bandwidth as
demand increases.
Despite the capacity of wired networks, wireless networks have had the greatest
success among consumers. Broadcast television, cellular telephone, paging, and
direct broadcast satellite are all wireless services that have met with commercial
success, despite the fact that wireless networks typically carry lower bit rates and
higher costs than wired networking.
When installing cables underground it may be necessary to obtain permission
from residents or obtain permits and easements. Product managers who roll out
wired services struggle with marketing and demographic studies to determine the
best neighborhoods in which to introduce services.
Even if the right neighborhoods are identified, it is expensive and time-
consuming to dig or install overhead cables. To some observers, the fixed
networks of wired systems look like vulnerable high-capital assets in a world of
fast-changing technologies.
Numerous wireless access network technologies are intended by their proponents
to serve the consumer market. These are Direct Broadcast Satellite (DBS),
Multichannel Multipoint Distribution Services (MMDS), and Local Multipoint
Distribution Services (LMDS). The figure illustrates the network architecture of
a typical wireless network. The return-path flows through wired networks or, in
the case of LMDS, through wireless networks.
The content provider forwards content through the core network and to the
wireless access node. This access node reformats data and modulates it for
satellite or land-based microwave transmission. A receiving antenna at the home
end forwards traffic through the home network to the terminal equipment, which
is either a TV set-top box or a PC.

In the return path, the consumer uses either the same network that is used for the
forward transmission or another access network. Another access network is
needed when using DBS or MMDS services, which are one-way networks. The
return-path network could be a telephone return, xDSL, or another wireless
service, such as digital personal communications services (PCS). PCS service
includes wireless voice, a digital form of cellular telephony, as well as wireless
data.
Because forward and return path traffic can use different physical media, traffic
sources must be matched so that a single bidirectional session exists between the
content provider and the terminal equipment. The wireless access node or
another switching/routing device inside the core network can perform this
matching.

3.2.2 Direct broadcast satellite

Figure 1 Worldwide DBS Networks

While cable operators were only talking about digital TV, DBS companies
actually achieved it, taking the entire cable industry by surprise. Early entrants
were Primestar, DirecTV, and United States Satellite Broadcasting (USSB), all
of which launched in 1994.
In the United States, DBS is viewed as a commercial success. DBS signed a
surprising five million customers in its first three years of operation. This
response is particularly strong considering the fact that customers initially paid
up to $800 for a home satellite dish and installation. Such a strong start has cable
TV operators concerned. More troubling for U.S. cable operators is that the
average DBS subscriber spends about 50 percent more per month than the
average cable subscriber (about $52 versus $35 per month). This difference is
partly due to sales of premium sports and movie packages.
Much of the success of DBS is due to imaginative programming packages.
Aggressive marketing of sports packages has created varied content for which
DBS has found an eager market.

3.2.3 DBS architecture

Figure 1 DBS Architecture

Architecturally, DBS is a simple concept. As shown in the figure, DBS
operators receive analog TV reception from the various networks at a single
giant headend. The DirecTV headend, for example, is in Castle Rock, Colorado.
The analog programming is encoded into Motion Picture Experts Group (MPEG)
format for digital retransmission. A control function regulates the amount of
bandwidth accorded to each MPEG stream and determines how the MPEG knobs
(control parameters), such as the length of a group of pictures, are specified.
The settings of the knobs are closely guarded secrets among DBS operators.
ESPN tends to require more bandwidth than the Food Channel because it has a lot
more motion. ESPN also has a larger audience and greater advertising revenue.
How much more would ESPN pay for access than the Food Channel? How much
extra bandwidth is ESPN getting, and for how much? What MPEG knobs should
the carrier use, and what knobs does its competition use? This is not public
information.
ESPN, the Food Channel, and all other channels are encoded into MPEG
transport streams, multiplexed together, and then converted to the uplink
frequency.
The major North American geosynchronous satellites for DBS so far are placed
at longitudes 85 degrees west (Primestar), 101 degrees west (DirecTV), and 119
degrees west (Echostar). The Primestar slot rests on the longitude that passes
through the East Coast of the United States, the DirecTV longitude bisects the
center of North America, and the Echostar longitude passes through the West
Coast. From these orbits, each satellite can broadcast over the contiguous United
States, southern Canada, and Mexico.
The satellite receives a signal and remodulates it to the designated spectrum for
DBS. DBS occupies 500 MHz in the 12.2-GHz Ku band. The Ku band occupies the
frequency range from 10.7 GHz to 12.75 GHz. DBS satellites are allowed by
regulation to broadcast at 120 W to enable reception on small satellite dishes.
This is more power than is used by the C-band satellites, whose larger dishes
predate the smaller DBS dishes. This higher-powered transmission and smaller
dish distinguish DBS from other forms of satellite reception.
DBS uses Quadrature Phase Shift Keying (QPSK) modulation to encode
digital data on the RF carriers. DirecTV encodes using MPEG-2 format to enable
a density of up to 720x480 pixels on the user's monitor. Primestar used a
proprietary video compression system developed by General Instruments called
DigiCipher-1. (NOTE: Primestar was purchased by DIRECTV in 1999 and
stopped broadcasting in 2000.) Echostar uses a transmission system based on the
European Digital Video Broadcast (DVB) standard. DVB uses MPEG-2 and
standardizes control elements of the total system, such as conditional access.
Although 720x480 is the maximum resolution offered today, DBS is capable of
higher pixel resolution. In fact, DBS is an early delivery vehicle for high-
definition TV (HDTV) programming, with HBO, Showtime, and Pay-Per-View
broadcasting in 1080i and 720p formats. These formats are backward compatible
to standard definition (480i resolution) through composite and S-Video outputs.

3.2.4 Data service

DirecTV partnered with Microsoft to produce a push-mode data service over
DBS. The service broadcasts approximately 200 popular Web sites, which are
cached in the consumer's PC. Some content will be cached at the service
provider's site. Instead of having a point-to-point connection with the Internet,
consumers access content on the hard drive or service-provider cache. In
addition to Web sites, other data services such as AgCast or stock quotes can be
offered, either by continuous feeds or by caching on the consumer's PC. The
problem with this model is that a Web site that is not part of the service may not
be accessed, because no point-to-point return-path connection exists.
One form of point-to-point data service, called DirectPC, can reach the Internet.
DirecTV and Hughes Network Systems jointly own DirectPC. DirectPC
reserves 12 Mbps of downstream service and uses a telephone line as a return path.
Another example is Dish Network's StarBand. Its service differs from DirecTV's
by offering two-way satellite communications, not requiring a telephone line for a
return path.
The portion of the Earth's surface covered by the signal from a communications
satellite is called its footprint. Because a geosynchronous satellite has a very
large footprint, it is possible that thousands of users will want to use the common
12 Mbps of service concurrently. The more concurrent users there are, the less
bandwidth each user gets. To provide a balance between bit rate and the number
of concurrent users, DirectPC offers approximately 400 kbps of service to
concurrent users.

3.3 Multichannel Multipoint Distribution
Services

3.3.1 Overview

The success of DBS convinced telephone companies and other potential cable
competitors that delivering digital video to consumers is a viable business. When
these competitors analyzed the issues associated with DBS, they found that local
content plays the greatest role in marketing a given service. Thus, some would-
be competitors to DBS sought to improve on it by providing a wireless,
multichannel broadband service with local channels. This is called Multichannel
Multipoint Distribution Service (MMDS) and is referred to by DAVIC (Digital
Audio-Visual Council) as Multipoint Video Distribution Systems (MVDS).
MMDS provides local over-the-air stations and local advertiser access to digital
delivery.

3.3.2 MMDS history

MMDS was designed initially as a one-way service for bringing cable TV to
subscribers in remote areas or in locations where installing cable is difficult.
MMDS supports approximately 33 analog channels and more than 100 digital
channels of TV. In 1998, the FCC opened up the technology for two-way
transmission, enabling MMDS to provide data and Internet services to
subscribers. MMDS takes advantage of a microwave transmission technology
known as wireless cable, which delivers analog cable television service over
the air to rural areas that cannot be served economically by wired cable.
The areas served by wireless cable were too sparsely populated to generate
strong revenue as reflected in the lack of financial success for wireless cable
operators. However, the success of DBS and continued progress with digital
technology (such as MPEG, digital modulation techniques, and advances in
semiconductors) changed the perception of microwave from simply a rural
delivery system to a system that could be used in urban areas. Telephone
companies view microwave as a fast-start service to allow video distribution that
can compete against cable and DBS.
In 1996, the FCC conducted spectrum auctions for MMDS. The FCC auctions
offered 200 MHz in each of the nation's 493 basic trading areas (BTA). A BTA
represents a contiguous geographic market. BTA boundaries are drawn on
county lines. The counties are aggregated by considering physical topography,
population, newspaper circulation, economic activities, and transportation
facilities (such as regional airports, rail hubs, and highways). The BTA concept
was licensed by the FCC from Rand McNally.

MMDS uses 198 MHz of licensed spectrum, which could support 33 analog TV
channels, in the range of 2.5 GHz. This channel capacity is comparable to that of DBS. Note that the
bit rate available to the MMDS operator is comparable to the bit rate available
from DBS systems, even though a narrower spectrum is available. This is
because MMDS uses more aggressive modulation techniques. DBS has 500
MHz of bandwidth using QPSK modulation (2 b/Hz). MMDS has 200 MHz
using QAM-64 modulation (6 b/Hz). After overhead bits and error correction,
both DBS and MMDS can achieve nearly 1 Gb of bandwidth. The auction rules
provided no regulations regarding spectrum use. Operators are free to decide
whether to offer Internet access, TV, or a combination of the two.

3.3.3 MMDS architecture

Figure 1 MMDS Architecture

The key technical difference between MMDS and DBS is the use of ground-
based (terrestrial) microwave rather than geosynchronous satellites. This
results in a difference in the delivery of local content. MMDS provides this
service by having local production facilities that can insert local over-the-air
channels into the national feeds. The figure shows a schematic of MMDS
service.
The programmer delivers national television feeds to a production facility. The
feeds can come from geosynchronous satellite transmission or high-speed wired
services, such as fiber-optic networks. Despite what appears to be a good
technical fit, there is little current movement to link MMDS with DBS. DBS
could provide economic national distribution of programming for resale by
MMDS.
Local content and advertising are acquired over the air, encoded into MPEG, and
multiplexed with the national programming for local distribution to the viewers.
MPEG enables digital multiplexing and thus is a key facilitator of MMDS. Data
services may also be received from Web content providers. In this case, the

information is in digital format but requires additional processing, such as
encapsulation into MPEG and address resolution, before being transmitted.
After the programming mix is determined, composite programming is delivered
by satellite or fiber to the MMDS broadcast tower. Generally, the MMDS
headend and the MMDS broadcast tower are not co-located because the tower
should be placed at a high elevation. At the receiving site, a small microwave-
receiving dish, a little larger than a DBS dish, is mounted outside the home to
receive the signals. A decoder presents the TV images to the TV set. Other units
are capable of decoding data for PC users. Return-path data is transmitted on
another access network; telephone networks commonly are used for this purpose.
For example, it is possible to have an RJ-11 telephone jack on the set-top box.
Consideration is also being given to other wireless networks, such as digital PCS
and paging networks, for return-path purposes.
The range of MMDS is limited primarily by line-of-sight. In relatively flat areas,
if the transmitter can be located high enough, the signal can reach over 50 miles.
Pacific Bell Video Services (PBVS), for example, currently is rolling out
MMDS in Los Angeles and Orange counties in southern California using only
two towers. About 75 percent of homes will be able to receive MMDS signals
reliably. The remaining 25 percent are limited by line-of-sight problems.
Because a telephone return path is available, MMDS operators are
capable of providing data service very similar to that of cable. Zenith, Hybrid,
and General Instruments are taking advantage of their data and cable TV
experience to provide data and MMDS modems using telephone return.

3.4 Local Multipoint Distribution Services

3.4.1 Overview
Local Multipoint Distribution Service (LMDS) is a delivery service with a more
aggressive strategy than MMDS. This service is known in Canada as Local
Multipoint Communication Service (LMCS). The major disadvantages of
MMDS are the lack of an inband return path and the lack of sufficient bandwidth
to surpass cable channel capacity (by offering superior interactive data services).
A strong Internet access network must have two-way service and enough
bandwidth to compete with data and cable.
LMDS is a two-way, high-bit-rate, wireless service under development by a
variety of carriers to solve the return-path problem and vastly increase
bandwidth. If significant technological hurdles can be overcome, LMDS offers
the greatest two-way bit rate of any residential service, wired or wireless, at
surprisingly low infrastructure costs.
No restrictions exist as to how carriers use their bandwidth, so bandwidth can be
subdivided in any manner carriers see fit. If an LMDS carrier had 1150 MHz of
bandwidth, for example, it would be possible to use 500 MHz for broadcast TV,
50 MHz for local broadcast, 300 MHz for forward data services, and 300 MHz
for upstream data. Using only the relatively robust QPSK modulation, this
bandwidth can provide the following:
• All the broadcast channels of DBS (500 MHz)
• All local over-the-air channels (50 MHz)
• Up to 1 Gb of full-duplex data service (600 MHz)
In other words, the potential exists to offer more TV than satellite and more data
than cable. This frequency plan is just one example of how a carrier could
choose to offer service. Other carriers might choose to segment their frequencies
differently and would be permitted to do so under FCC rules.
For businesses in cities, LMDS is a very cost-effective broadband wireless
alternative to land lines for multiple services. LMDS operates at higher
frequencies where more spectrum is available (bandwidths currently range up to
155 Mbps) and smaller, cheaper antennas are possible.

3.4.2 LMDS architecture

Figure 1 LMDS Architecture

Figure 2 LMDS Architecture

LMDS is a small-cell technology, with each cell having about a 3- to 6-km
radius. Small cells coupled with two-way transmission create a different set of
architectural problems than MMDS. Figure [1] shows a schematic of LMDS
service.
Content acquisition at the LMDS headend functions similarly to MMDS. The
programmer delivers national television feeds to a production facility. In many
cases, these national feeds come from DBS, but the feeds also can come from
other geosynchronous satellite transmission or high-speed wired services, such
as fiber-optic networks.
Local content and advertising are acquired over the air, encoded into MPEG, and
multiplexed with the national programming for local distribution. As in the case
of MMDS, MPEG is an important facilitator of LMDS because it enables digital
multiplexing.
Data services received from Web content providers are already in digital format
but would need additional processing, such as encapsulation into MPEG and
address resolution, before being transmitted.

The program mix is delivered by satellite or fiber to the LMDS broadcast tower.
Generally, the LMDS headend and the LMDS broadcast tower are not co-located
because the headend production facilities are normally shared among several
towers.
An LMDS transmitter tower is erected in the neighborhood, and traffic is
broadcast to consumers using QPSK modulation with forward error correction
(FEC). It is possible to use QAM modulation, but QPSK is chosen because it is
more robust than QAM 16 or QAM 64 and because bandwidth is so plentiful
that spectral efficiency is not an issue.
As shown in Figure [2], consumers receive the signal on a small dish about the
size of a DBS dish or a flat-plate antenna. The dish is mounted outside the home
and is connected by cable to a set-top converter, much the same way in which
DBS connections are made. The signal is demodulated and fed to a decoder.
Unlike DBS, LMDS is capable of two-way service, so both TV sets and PCs
must be connected to the satellite dish. Furthermore, a two-way home
networking capability must be supported instead of just the simple broadcast
scheme of DBS.
In the return path, the customer transmits to the carrier using the same dish with
QPSK modulation. A MAC protocol is required because the residences in the
coverage area share the return spectrum.
Architecturally, LMDS looks very much like cable TV. Cable TV clusters serve
500. The MAC protocol is similar to cable TV, as are the application-specific
integrated circuits (ASICs) for the customer premises modulators and
demodulators. Upstream users request data slots on a contention basis. After
slots are granted, the sender transmits in those slots, free of contention. Ranging
and power-level controls are also required, as is the case with cable.

3.4.3 Wireless broadband summary

Figure 1 Wireless Broadband Summary

Multiple wireless options exist that potentially can support broadband services.
The services discussed in this chapter, DBS, MMDS, and LMDS, overlap
somewhat in functionality but differ enough to attract a particular segment of
users. The table in the figure to the left compares features among these
technologies.

3.5 Wireless Local Area Networking

3.5.1 Overview of wireless local-area networking

Figure 1 What is Wireless Local-Area Networking

In the simplest of terms, a wireless local-area network (WLAN) does exactly
what the name implies: it provides all the features and benefits of traditional
LAN technologies, such as Ethernet and Token Ring, without the limitations of
wires or cables. To view a WLAN just in terms of the cables it does not have is
to miss the point: WLANs redefine the way we view LANs. Connectivity no
longer implies attachment. Local areas are measured not in feet or meters, but in
miles or kilometers. An infrastructure does not need to be buried in the ground or
hidden behind the walls; an "infrastructure" can move and change at the speed of
the organization. This technology has several immediate applications, including:
• IT professionals or business executives who want mobility within the
enterprise, perhaps in addition to a traditional wired network
• Business owners or IT directors who need flexibility for frequent LAN
wiring changes, either throughout the site or in selected areas
• Any company whose site is not conducive to LAN wiring because of
building or budget limitations, such as older buildings, leased space, or
temporary sites
• Any company that needs the flexibility and cost savings offered by a
line-of-sight, building-to-building bridge to avoid expensive trenches,
leased lines, or right-of-way issues

WLANs use a transmission medium, just like wired LANs. Instead of using
twisted-pair or fiber-optic cable, WLANs use either infrared (IR) light or RF
(radio frequency). Of the two, RF is far more popular for its longer range, higher
bandwidth, and wider coverage. Most wireless LANs today use the 2.4-gigahertz
(GHz) frequency band, the only portion of the RF spectrum reserved around the
world for unlicensed devices. The freedom and flexibility of wireless networking
can be applied both within buildings and between buildings.

3.5.2 In-building WLANs

Figure 1 In-Building WLANs

WLAN technology can take the place of a traditional wired network or extend its
reach and capabilities. Much like their wired counterparts, in-building WLAN
equipment consists of PC Card, Personal Computer Interface (PCI), and
Industry-Standard Architecture (ISA) client adapters. They also have access
points, which perform functions similar to wired networking hubs. Similar to
wired LANs for small or temporary installations, a WLAN can be arranged in a
peer-to-peer or improvised topology using only client adapters. For added
functionality and range, access points can be incorporated to act as the center of
a star topology while simultaneously bridging with an Ethernet network.

3.5.3 Building-to-building WLANs

Figure 1 Building-to-Building WLANs

In much the same way that a commercial radio signal can be picked up in all
sorts of weather, miles from its transmitter, WLAN technology applies the power
of radio waves to truly redefine the "local" in LAN. With a wireless bridge,
networks located in buildings miles from each other can be integrated into a
single local-area network. When bridging between buildings with traditional
copper or fiber-optic cable, freeways, lakes, and even local governments can be
impassible obstacles. A wireless bridge makes them irrelevant, transmitting data
through the air and requiring no license or right of way.
Without a wireless alternative, organizations frequently resort to wide-area
networking (WAN) technologies to link together separate LANs. Contracting
with a local telephone provider for a leased line presents a variety of drawbacks.
Installation is typically expensive and rarely immediate. Monthly fees are often
quite high for bandwidth that, by LAN standards, is very low. A wireless bridge
can be purchased and then installed in an afternoon for a cost that is often
comparable to a T1 installation charge alone. After the investment is made, there
are no recurring charges. Today's wireless bridges provide the bandwidth one
would expect from a technology rooted in data, rather than voice,
communications.

3.5.4 The wireless LAN standard

Figure 1 Wireless LAN

In the wired world, Ethernet has grown to become the predominant LAN
technology. Its evolution parallels, and indeed foreshadows, the development of
the wireless LAN standard. Defined by the Institute of Electrical and Electronics
Engineers (IEEE) with the 802.3 standard, Ethernet provides an evolving, high-
speed, widely available, and interoperable networking standard. It has continued
to evolve to keep pace with the data rate and throughput requirements of
contemporary LANs. Originally providing for 10-Mbps transfer rates, the
Ethernet standard evolved to include the 100-Mbps transfer rates required for
network backbones and bandwidth-intensive applications. The IEEE 802.3
standard is open, decreasing barriers to market entry and resulting in a wide
range of suppliers, products, and price points from which Ethernet users can
choose. Perhaps most importantly, conformance to the Ethernet standard allows
for interoperability, enabling users to select individual products from multiple
vendors while secure in the knowledge that they will all work together.
The first wireless LAN technologies were low-speed (1-2 Mbps) proprietary
offerings. Despite these shortcomings, their freedom and flexibility allowed
these early products to find markets in retail and warehousing where mobile
workers use hand-held devices for inventory management and data collection.
Later, hospitals applied wireless technology to deliver patient information right
to the bedside. As computers made their way into the classrooms, schools and
universities began installing wireless networks to avoid cabling costs and to
share Internet access. The pioneering wireless vendors soon realized that for the
technology to gain broad market acceptance, an Ethernet-like standard was
needed. The vendors joined together in 1991, first proposing, and then building,

a standard based on contributed technologies. In June 1997, the IEEE released
the 802.11 standard for wireless local-area networking.
Just as the 802.3 Ethernet standard allows for data transmission over twisted-pair
and coaxial cable, the 802.11 WLAN standard allows for transmission over
different media. Compliant media include infrared light and two types of radio
transmission within the unlicensed 2.4-GHz frequency band:
• frequency hopping spread spectrum (FHSS)
• direct sequence spread spectrum (DSSS)
Spread spectrum is a modulation technique developed in the 1940s that spreads a
transmission signal over a broad band of radio frequencies. This technique is
ideal for data communications because it is less susceptible to radio noise and
creates little interference. FHSS is limited to a 2-Mbps data transfer rate and is
recommended for only very specific applications; for example, certain types of
watercraft lend themselves to this technology. For all other wireless LAN
applications, DSSS is the better choice. The recently released evolution of the
IEEE standard, 802.11b, provides for a full Ethernet-like data rate of 11 Mbps
over DSSS. FHSS does not support data rates greater than 2 Mbps.

3.5.5 The future of wireless local-area networking

Figure 1 How a Wireless LAN Works

The history of technology improvement in the wired LANs can be summed up
with the slogan "Faster, Better, and Cheaper." Wireless LAN technology has
already started down that road. Data rates have increased from 1 to 11 Mbps,
interoperability became reality with the introduction of the IEEE 802.11
standard, and prices have dramatically decreased. The improvements seen so far
are just a beginning.
Performance
IEEE 802.11b standard 11-Mbps WLANs operate in the 2.4-GHz frequency

band where there is room for increased bandwidth. Using an optional modulation
technique within the 802.11b specification, it is possible to double the current
data rate. Cisco already has 22 Mbps on the road map for the future. Wireless
LAN manufacturers migrated from the 900-MHz band to the 2.4-GHz band to
improve data rate. This pattern promises to continue, with a broader frequency
band capable of supporting higher bandwidth available at 5 GHz. The IEEE has
already issued a specification (802.11a) for equipment operating at 5 GHz that
supports up to a 54-Mbps data rate. This generation of technology will likely
carry a significant price premium when it is introduced sometime in 2001. As is
typical, this premium will decrease over time while data rates increase. The 5.7-
GHz band promises to allow for the next breakthrough data rate of 100 Mbps.
Security
The wired equivalent privacy (WEP) option to the 802.11 standard is only the
first step in addressing customer security concerns. Security is
available today for wireless networking, offering up to 128-bit encryption and
supporting both the encryption and authentication options of the 802.11
standard. The algorithm with a 40- or 128-bit key is specified in the standard.
When WEP is enabled, each station (clients and access points) has up to four
keys. The keys are used to encrypt the data before it is transmitted through the
air. If a station receives a packet that is not encrypted with the appropriate key,
the packet will be discarded and never delivered to the host. The figure shows an
outside user being rejected because of an incorrect ID.
Although the 802.11 standard provides strong encryption services to secure the
WLAN, the means by which the secure keys are granted, revoked, and refreshed
is still undefined. Fortunately, several key administration architectures are
available for use in the enterprise. The best approach for large networks is
centralized key management, which uses centralized encryption key servers. A
popular strategy includes the addition of encryption key servers to ensure that
valuable data is protected. Encryption key servers provide for centralized
creation of keys, distribution of keys, and ongoing key rotation. Key servers
enable the network administrator to command the creation of RSA public/private
key pairs at the client level that are required for client authentication. The key
server will also provide for the generation and distribution to clients and access
points of the keys needed for packet encryption. This implementation eases
administration and helps avoid compromising confidential keys.
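As an added illustration of the per-station key set and the discard rule described above (example code written for this edition, not Cisco's or any product's code): a station holding up to four WEP keys encapsulates a frame under one key index, and a receiving station discards any frame whose key index it has not configured or whose integrity check value (ICV) does not verify after decryption. The 24-bit IV, key-ID byte, RC4 keystream and CRC-32 ICV follow the 802.11 WEP frame body format; the key bytes, IV and payload are constructed sample values.

```python
import os
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR, the cipher WEP uses; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_icv(payload: bytes) -> bytes:
    """WEP's ICV is a plain CRC-32 (little-endian); it detects corruption, not forgery."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


class WepStation:
    """A client or access point configured with one to four WEP keys.

    Keys are 5 bytes (the 40-bit key) or 13 bytes (the 104-bit key that,
    with the 24-bit IV, is marketed as "128-bit" WEP).
    """

    def __init__(self, keys):
        if not 1 <= len(keys) <= 4:
            raise ValueError("WEP allows one to four keys per station")
        for k in keys:
            if len(k) not in (5, 13):
                raise ValueError("WEP keys are 5 bytes (40-bit) or 13 bytes (104-bit)")
        self.keys = list(keys)

    def encapsulate(self, payload: bytes, key_index: int, iv: bytes = None) -> bytes:
        """Build the WEP frame body: IV | key-ID byte | RC4(IV||key, payload||ICV)."""
        iv = iv if iv is not None else os.urandom(3)
        if len(iv) != 3:
            raise ValueError("WEP IV is 24 bits")
        key = self.keys[key_index]                    # IndexError if not configured
        ciphertext = rc4(iv + key, payload + wep_icv(payload))
        key_id_byte = (key_index & 0x3) << 6          # key ID in the top two bits, pad below
        return iv + bytes([key_id_byte]) + ciphertext

    def decapsulate(self, frame: bytes):
        """Return the payload, or None when the frame must be discarded (never delivered)."""
        if len(frame) < 3 + 1 + 4:                    # IV + key-ID byte + at least an ICV
            return None
        iv, key_id_byte, ciphertext = frame[:3], frame[3], frame[4:]
        key_index = key_id_byte >> 6
        if key_index >= len(self.keys):               # sender used a key this station lacks
            return None
        plain = rc4(iv + self.keys[key_index], ciphertext)
        payload, icv = plain[:-4], plain[-4:]
        if wep_icv(payload) != icv:                   # wrong key or altered bytes: discard
            return None
        return payload


if __name__ == "__main__":
    shared = [b"\x01\x02\x03\x04\x05", b"K" * 13]     # constructed sample keys
    ap, client = WepStation(shared), WepStation(shared)
    frame = client.encapsulate(b"hello wlan", key_index=1)
    print("accepted:", ap.decapsulate(frame))
    outsider = WepStation([b"X" * 13])                # different key set: frame is rejected
    print("outsider sees:", outsider.decapsulate(frame))
```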

3.5.6 Mobility services

Figure 1 Mobility Services

A primary advantage of WLANs is mobility, but no industry standard currently
addresses the tracking or management of mobile devices in its Management
Information Base (MIB). This omission would prohibit users from roaming
between wireless access points that cover a common area, such as a complete
floor of a building. Individual companies such as Cisco have addressed this
issue, providing their own versions of mobility algorithms that facilitate roaming
within an IP domain (such as a floor) with an eye toward optimizing roaming
across IP domains (such as an enterprise campus).
Management
Wireless access points share the functions of both hubs and switches. Wireless
clients associating with access points share the wireless LAN, similar to the way
a hub functions. However, the access point can additionally track movement of
clients across its domain and permit or deny specific traffic or clients from
communicating through it. For network managers to use these services to their
advantage, it is necessary to configure the access point like a hub and a switch.
The Cisco WLAN devices are manageable through common Telnet or SNMP (I
or II) services and a Web browser interface to facilitate their monitoring and
control. In addition to bridge statistics and counters, the access point also offers
additional features that make it powerful and manageable. These include
mapping of wireless access points and their associated clients as well as
monitoring and reporting of client statistics. Access points can also control
access and the flow of traffic through the wireless LAN via MAC and protocol-
level access lists. Configuration parameters, as well as code images for access

points, can be centrally configured and managed to facilitate consistency of
WLAN network policy.

3.5.7 Conclusion

Today, the WLAN has redefined what it means to be connected. It has stretched
the boundaries of the local-area network. It makes an infrastructure as dynamic
as it needs to be. It has only just begun: the standard is less than three years old,
with the high-speed 802.11b yet to reach its first birthday. With standard and
interoperable wireless products, LANs can reach scales unimaginable with a
wired infrastructure. They can make high-speed interconnections for a fraction
of the cost of traditional wide area technologies. In a wireless world, users
can roam not only within a campus but also within a city, while maintaining
a high-speed link to extranets, intranets, and the Internet itself.

3.6 Digital Subscriber Line

3.6.1 DSL background

Figure 1 DSL 101

Digital subscriber line (DSL) technology is a modem technology that uses
existing twisted-pair telephone lines to transport high-bandwidth data, such as
multimedia and video, to service subscribers. The term xDSL covers numerous
similar yet competing forms of DSL, including:
• asymmetric DSL (ADSL)
• single-line DSL (SDSL)
• high-data-rate DSL (HDSL)
• rate-adaptive DSL (RADSL)
• very-high-data-rate DSL (VDSL)
xDSL is drawing significant attention from implementers and service providers
because it promises to deliver high-bandwidth data rates to dispersed locations
with relatively small changes to the existing Telco infrastructure. xDSL services
constitute dedicated, point-to-point, public network access over twisted-pair
copper wire on the local loop ("last mile") between a network service provider's
(NSP's) central office and the customer site, or on local loops created either
intra-building or intra-campus. Currently the primary focus in xDSL is the
development and deployment of ADSL and VDSL technologies and
architectures. This section covers the characteristics and operations of ADSL
and VDSL.

3.6.2 Asymmetric digital subscriber line (ADSL)

Figure 1 Asymmetric Digital Subscriber Line

ADSL technology is asymmetric. It allows more bandwidth from an NSP's central
office to the customer site (downstream) than from the subscriber to the central
office (upstream). This asymmetry, combined with always-on access (which
eliminates call setup), makes ADSL ideal for Internet/intranet surfing, video on
demand, and remote LAN access. Users of these applications typically download
much more information than they send.
ADSL transmits more than 6 Mbps to a subscriber, and as much as 640 kbps
more in both directions, as shown in the figure. Such rates expand existing
access capacity by a factor of 50 or more without new cabling. ADSL can
literally transform the existing public information network from one limited to
voice, text, and low-resolution graphics to a powerful, universal system capable
of bringing multimedia, including full motion video, to every home this decade.
ADSL will play a crucial role over the next decade or more as telephone
companies enter new markets for delivering information in video and multimedia
formats. New broadband cabling will take decades to reach all prospective
subscribers. Success of these new services will depend on reaching as many
subscribers as possible during the first few years. By bringing movies, television,
video catalogs, remote CD-ROMs, corporate LANs, and the Internet into homes
and small businesses, ADSL will make these markets viable and profitable for
telephone companies and application vendors alike.

3.6.3 ADSL services architecture

Figure 1 Basic DSL Network Topology

Figure 2 Basic DSL Network Components

Figure 3 End-to-End DSL Protocol Stack

A typical end-to-end ADSL services architecture is illustrated in Figure [1]. It
consists of customer premises equipment (CPE) and supporting equipment at the
ADSL point of presence (POP). Network access providers (NAPs) manage Layer
2 network cores, while NSPs manage Layer 3 network cores. These roles are
divided or shared among incumbent local exchange carrier (ILEC), competitive
local exchange carrier (CLEC), and Tier 1 and Tier 2 Internet service provider
(ISP) businesses. It is expected that over time, market forces will redefine
current relationships between ADSL providers. Some NAPs may add Layer 3
capabilities or extend service across the core.
CPE represents any combination of end-user PCs or workstations, remote ADSL
terminating units (ATU-Rs), and routers. For instance, a residential user may
have a single PC with an integrated ADSL modem on a peripheral component
interface card, or perhaps a PC with an Ethernet or universal serial bus (USB)
interface to a standalone ADSL modem (the ATU-R). In contrast, business users
will more often connect many end-user PCs to a router with an integrated ADSL
modem or a router plus ATU-R pair.
At the ADSL POP, the NAP deploys one or more DSL access multiplexers
(DSLAMs) servicing the copper loops between the POP and CPE. In a process
called subtending, DSLAMs can be chained together to enhance ATM pipe
utilization. DSLAMs connect locally or via an inter-central office (CO) link to a
local access concentrator (LAC) that provides ATM "grooming," PPP tunneling,
and Layer 3 termination to local or cached content (see Figures [2] and [3]). A
service selection gateway (SSG) may be collocated with the LAC, so customers
can dynamically select destinations (see Figure [2]). From the LAC/SSG,
services extend over the ATM core to the NSP or IP network core.
As illustrated in Figure [1], three different architectures are applicable to
wholesale ADSL services:
• ATM point to point - cross-connects subscribers to their ISP or
enterprise destination with permanent virtual circuits (PVCs) from the
CPE to the endpoint

• Aggregation - aggregates multiple subscriber virtual circuits (VCs) into
trunk PVCs to reduce the number of VC connections across the network
core; instead of one VC per subscriber, this uses one VC for many
subscribers to the same destination
• SVC and MPLS - uses switched virtual circuits (SVCs) to
autoprovision connections from the CPE through the DSLAM to an edge
label switch router (edge LSR), where it enters the Multiprotocol Label
Switching (MPLS)-enabled network core.
Figure [3] outlines the end-to-end protocol stack used with xDSL.

3.6.4 ADSL capabilities

Figure 1 ADSL and POTS

Figure 2 ADSL Capabilities

An ADSL circuit connects an ADSL modem on each end of a twisted-pair
telephone line, creating three information channels: a high-speed downstream
channel, a medium-speed duplex channel, and a basic telephone service channel
(Figure [1]). The basic telephone service channel is split off from the digital
modem by filters, thus guaranteeing uninterrupted basic telephone service, even
if ADSL fails. The high-speed channel ranges from 1.5 to 6.1 Mbps, and duplex
rates range from 16 to 640 kbps. Each channel can be submultiplexed to form
multiple lower-rate channels.
ADSL modems provide data rates consistent with North American T1 1.544-
Mbps and European E1 2.048-Mbps digital hierarchies and can be purchased
with various speed ranges and capabilities. The minimum configuration provides
1.5 or 2.0 Mbps downstream and a 16-kbps upstream channel. Others provide
rates of 6.1 Mbps and 64-kbps upstream. Products with downstream rates up to 8
Mbps and upstream rates up to 640 kbps are available today as well. ADSL
modems accommodate Asynchronous Transfer Mode (ATM) transport with
variable rates and compensation for ATM overhead, as well as IP protocols.
Downstream data rates depend on many factors, including the length of the
copper line, its wire gauge, presence of bridged taps, and cross-coupled
interference. Line attenuation increases with line length and frequency and
decreases as wire diameter increases. Ignoring bridged taps, ADSL performs as
shown in Figure [2].
Although the measure varies from telco to telco, these capabilities can cover up
to 95 percent of a loop plant, depending on the desired data rate. Customers
beyond these distances can be reached with fiber-based digital loop carrier
(DLC) systems. As these DLC systems become commercially available,
telephone companies can offer virtually unlimited global access in a relatively
short time.
Many applications envisioned for ADSL involve digital compressed video. As a
real-time signal, digital video cannot use link-level or network-level error control
procedures commonly found in data communications systems. ADSL modems,
therefore, incorporate FEC (Forward Error Correction) that dramatically reduces

errors caused by impulse noise. Error correction on a symbol-by-symbol basis
also reduces errors caused by continuous noise coupled into a line.

3.6.5 ADSL technology

Figure 1 ADSL Transceiver – Network End

Figure 2 ADSL Technology

ADSL depends on advanced digital signal processing and creative algorithms to
squeeze so much information through twisted-pair telephone lines. In addition,
many advances have been required in transformers, analog filters, and
analog/digital (A/D) converters. Long telephone lines may attenuate signals at 1
MHz (the outer edge of the band used by ADSL) by as much as 90 decibels (dB),
forcing analog sections of ADSL modems to work very hard to realize large
dynamic ranges, separate channels, and maintain low noise figures. On the
outside, ADSL looks simple. It is just transparent synchronous data pipes at

various data rates over ordinary telephone lines. The inside, where all the
transistors work, is a miracle of modern technology. Figure [1] displays the
ADSL transceiver network end.
To create multiple channels, ADSL modems divide the available bandwidth of a
telephone line in one of two ways: FDM or echo cancellation (Figure [2]). FDM
(Frequency-Division Multiplexing) assigns one band for upstream data and
another band for downstream data. The downstream path is then divided by time-
division multiplexing (TDM) into one or more high-speed channels and one or
more low-speed channels. The upstream path is also multiplexed into
corresponding low-speed channels. Echo cancellation assigns the upstream band
to overlap the downstream, and separates the two by means of local echo
cancellation, a technique well known in V.32 and V.34 modems. With either
technique, ADSL splits off a 4-kHz region for basic telephone service at the DC
end of the band.
An ADSL modem organizes the aggregate data stream created by multiplexing
downstream channels, duplex channels, and maintenance channels together into
blocks, and attaches an error correction code to each block. The receiver then
corrects errors that occur during transmission up to the limits implied by the
code and the block length. The unit may, at the user's option, also create
superblocks by interleaving data within subblocks. This allows the receiver to
correct any combination of errors within a specific span of bits. This in turn
allows for effective transmission of both data and video signals.

3.6.6 ADSL standards and associations
The American National Standards Institute (ANSI) Working Group T1E1.4
recently approved an ADSL standard at rates up to 6.1 Mbps (ANSI Standard
T1.414). The European Technical Standards Institute (ETSI) contributed an
annex to T1.414 to reflect European requirements. T1.414 currently embodies a
single terminal interface at the premises end. Issue II, now under study by
T1E1.4, will expand the standard to include a multiplexed interface at the
premises end, protocols for configuration and network management, and other
improvements.
The ATM Forum and the Digital Audio-Visual Council (DAVIC) have both
recognized ADSL as a physical-layer transmission protocol for unshielded
twisted-pair (UTP) media.
The ADSL Forum was formed in December 1994 to promote the ADSL concept
and facilitate development of ADSL system architectures, protocols, and
interfaces for major ADSL applications. The Forum has more than 200
members, representing service providers, equipment manufacturers, and
semiconductor companies throughout the world. At present, the Forum's formal
technical work is divided into the following six areas, each of which is dealt with
in a separate working group within the technical committee:
• ATM over ADSL (including transport and end-to-end architecture
aspects)
• Packet over ADSL (this working group recently completed its work)
• CPE/CO configurations and interfaces
• Operations

• Network management
• Testing and interoperability

3.7 Very-High-Data-Rate Digital Subscriber Line

3.7.1 Overview

Figure 1 VDSL

It is becoming increasingly clear that telephone companies around the world are
making decisions to include existing twisted-pair loops in their next-generation
broadband access networks. Hybrid fiber coaxial (HFC), a shared-access
medium well suited to analog and digital broadcast, comes up somewhat short
when used to carry voice telephony, interactive video, and high-speed data
communications at the same time. Fiber all the way to the home (FTTH) is still
prohibitively expensive in the marketplace. An attractive alternative, soon to be
commercially viable, is a combination of fiber cables feeding neighborhood
optical network units (ONUs) and last-leg-premises copper connections. This
topology, which is often called fiber to the neighborhood (FTTN), encompasses
fiber to the curb (FTTC) with short drops and fiber to the basement (FTTB),
serving tall buildings with vertical drops.
One of the enabling technologies for FTTN is VDSL. In simple terms, VDSL
transmits high-speed data over short reaches of twisted-pair copper telephone
lines, with a range of speeds depending on actual line length. The maximum
downstream rate under consideration is between 51 and 55 Mbps over lines up to
1000 feet (300 m) long. Downstream speeds as low as 14 Mbps over lengths
beyond 4000 feet (1500 m) are also common. Upstream rates in early models
will be asymmetric, just like ADSL, at speeds from 1.6 to 2.3 Mbps. Both data
channels will be separated in frequency from bands used for basic telephone
service and Integrated Services Digital Network (ISDN), enabling service
providers to overlay VDSL on existing services. At present the two high-speed
channels are also separated in frequency. As needs arise for higher-speed
upstream channels or symmetric rates, VDSL systems may need to use echo
cancellation.

3.7.2 VDSL projected capabilities

Figure 1 VDSL Projected Capabilities

Although VDSL has not achieved the same degree of definition as ADSL, it has
advanced far enough that we can discuss realizable goals, beginning with data
rate and range. Downstream rates derive from fractional multiples of the
Synchronous Optical Network (SONET) and Synchronous Digital Hierarchy
(SDH) canonical speed of 155.52 Mbps, namely 51.84 Mbps, 25.92 Mbps, and
12.96 Mbps. Each rate has a corresponding target range (see the figure).
Upstream rates under discussion fall into three general ranges:
• 1.6-2.3 Mbps
• 19.2 Mbps
• Equal to downstream
Early versions of VDSL will almost certainly incorporate the slower asymmetric
rate. Higher upstream and symmetric configurations may be possible only for
very short lines. Like ADSL, VDSL must transmit compressed video; a real-time
signal unsuited to error retransmission schemes used in data communications. To
achieve error rates compatible with those of compressed video, VDSL will have
to incorporate FEC with sufficient interleaving to correct all errors created by
impulsive noise events of some specified duration. Interleaving introduces delay,
on the order of 40 times the maximum length correctable impulse.
Data in the downstream direction will be broadcast to every CPE on the premises
or be transmitted to a logically separated hub that distributes data to addressed
CPE based on cell or TDM within the data stream itself. Upstream multiplexing
is more difficult. Systems using a passive network termination (NT) must insert
data onto a shared medium, either by a form of TDM access (TDMA) or a form
of FDM. TDMA may use a species of token control called cell grants passed in
the downstream direction from the ONU modem, or contention, or both
(contention for unrecognized devices, cell grants for recognized devices). FDM
gives each CPE its own channel, making a MAC protocol unnecessary, but either
limiting data rates available to any one CPE or requiring dynamic allocation of
bandwidth and inverse multiplexing at each CPE. Systems using active NTs
transfer the upstream collection problem to a logically separated hub that
(typically) uses Ethernet or ATM upstream multiplexing.
Migration and inventory considerations dictate VDSL units that can operate at
various (preferably all) speeds, with automatic recognition of a newly connected
device to a line or to a change in speed. Passive network interfaces need to support
hot insertion, so that a new VDSL premises unit can be put on the line without
interfering with the operation of other modems.

3.7.3 VDSL technology

Figure 1 VDSL Technologies

Figure 2 Active Network Termination

Figure 3 Passive Network Termination

VDSL technology resembles ADSL to a large degree, although ADSL must face
much larger dynamic ranges and is considerably more complex as a result.
VDSL must be lower in cost and lower in power, and premises VDSL units may
have to implement a physical-layer MAC for multiplexing upstream data.
Line-Code Candidates
Four line codes have been proposed for VDSL:
• Carrierless amplitude modulation/phase modulation (CAP) - A
version of suppressed carrier quadrature amplitude modulation (QAM).
For passive NT configurations, CAP would use quadrature phase shift
keying (QPSK) upstream and a type of TDMA for multiplexing
(although CAP does not preclude an FDM approach to upstream
multiplexing).
• Discrete multitone (DMT) - A multicarrier system using discrete
Fourier transforms to create and demodulate individual carriers. For
passive NT configurations, DMT would use FDM for upstream
multiplexing (although DMT does not preclude a TDMA multiplexing
strategy).
• Discrete wavelet multitone (DWMT) - A multicarrier system using
wavelet transforms to create and demodulate individual carriers. DWMT
also uses FDM for upstream multiplexing, but also allows TDMA.
• Simple line code (SLC) - A version of four-level baseband signaling
that filters the baseband and restores it at the receiver. For passive NT
configurations, SLC would most likely use TDMA for upstream
multiplexing, although FDM is possible.
Channel Separation
Early versions of VDSL will use FDM to separate downstream from upstream
channels and both of them from basic telephone service and ISDN, as shown in
Figure [1]. Echo cancellation may be required for later-generation systems
featuring symmetric data rates. A rather substantial distance, in frequency, will
be maintained between the lowest data channel and basic telephone service to
enable very simple and cost-effective basic telephone service splitters. Normal
practice would locate the downstream channel above the upstream channel.
However, the DAVIC specification reverses this order to enable premises
distribution of VDSL signals over coaxial cable systems.

Forward Error Control
FEC will no doubt use a form of Reed-Solomon coding and optional interleaving
to correct bursts of errors caused by impulse noise. The structure will be very
similar to ADSL, as defined in T1.414. An outstanding question is whether FEC
overhead (in the range of 8 percent) will be taken from the payload capacity or
added as an out-of-band signal. The former reduces payload capacity but
maintains nominal reach, whereas the latter retains the nominal payload but
suffers a small reduction in reach. ADSL puts FEC overhead out of band.
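The burst-spreading argument made in 3.6.5 and again in the VDSL FEC discussion above, carried out numerically: an added example (not code from the Cisco document) that models a row/column block interleaver feeding a code able to correct t symbols per codeword, where n, t, the depth and the burst length are assumed choices, and the Reed-Solomon decoder itself is replaced by a count of corrupted symbols per codeword.

```python
"""Block interleaving as a defence against impulse-noise bursts.

Added example, not from the Cisco document. Assumptions (constructed): a
codeword of n symbols whose code corrects up to t corrupted symbols, a
row/column block interleaver of depth D (real ADSL/VDSL use a convolutional
interleaver, but the burst-spreading effect is the same), and an impulse that
corrupts a run of consecutive symbols on the line. The decoder is not
implemented; we only count corrupted symbols per codeword, which is what
decides whether a t-error-correcting code can repair it.
"""


def interleave(codewords):
    """Write D codewords (rows) of n symbols, transmit column by column."""
    depth, n = len(codewords), len(codewords[0])
    return [codewords[r][c] for c in range(n) for r in range(depth)]


def deinterleave(stream, depth, n):
    """Inverse of interleave(): stream index i came from row i % D, column i // D."""
    rows = [[None] * n for _ in range(depth)]
    for i, sym in enumerate(stream):
        col, row = divmod(i, depth)
        rows[row][col] = sym
    return rows


def apply_burst(stream, start, length):
    """Constructed impulse event: corrupt `length` consecutive line symbols.
    None marks a corrupted symbol (the decoder would see it as an error)."""
    out = list(stream)
    for i in range(start, min(start + length, len(out))):
        out[i] = None
    return out


def errors_per_codeword(received_rows, sent_rows):
    return [sum(1 for rx, tx in zip(rrow, srow) if rx != tx)
            for rrow, srow in zip(received_rows, sent_rows)]


def burst_outcome(n, depth, t, burst_len, start=0):
    """Simulate one burst and report (worst error count in any codeword,
    whether a t-correcting code survives it, interleaver delay in symbols)."""
    # Unique symbol labels so every corruption shows up in the count.
    codewords = [[(r, c) for c in range(n)] for r in range(depth)]
    line = apply_burst(interleave(codewords), start, burst_len)
    counts = errors_per_codeword(deinterleave(line, depth, n), codewords)
    worst = max(counts)
    # A block interleaver must buffer all D*n symbols before the first
    # codeword can be decoded: that buffering is the delay the text mentions.
    return worst, worst <= t, depth * n


def max_correctable_burst(depth, t):
    """A burst of B consecutive line symbols lands at most ceil(B/D) errors in
    any one codeword, so the longest burst a t-correcting code survives is D*t."""
    return depth * t


def delay_to_burst_ratio(n, t):
    """Delay (D*n) over longest correctable burst (D*t) is n/t, independent of
    depth: deeper interleaving buys burst tolerance at proportionally more delay."""
    return n / t


if __name__ == "__main__":
    n, t, depth = 32, 4, 8          # assumed toy parameters
    print("no interleaving, 32-symbol burst:", burst_outcome(n, 1, t, 32))
    print("depth 8, 32-symbol burst:        ", burst_outcome(n, depth, t, 32))
    print("depth 8, 33-symbol burst:        ", burst_outcome(n, depth, t, 33))
    # n=255, t=8 is a common Reed-Solomon parameter choice (assumed here).
    print("delay/burst ratio for n=255, t=8:", delay_to_burst_ratio(255, 8))
```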
Upstream Multiplexing
If the premises VDSL unit comprises the network termination (an active NT),
then the means of multiplexing upstream cells or data channels from more than
one CPE into a single upstream becomes the responsibility of the premises
network. The VDSL unit simply presents raw data streams in both directions. As
illustrated in Figure [2], one type of premises network involves a star connecting
each CPE to a switching or multiplexing hub; such a hub could be integral to the
premises VDSL unit.
In a passive NT configuration, each CPE has an associated VDSL unit (see Figure [3]). (A
passive NT does not conceptually preclude multiple CPE per VDSL, but then the
question of active versus passive NT becomes a matter of ownership, not a
matter of wiring topology and multiplexing strategies.) Now the upstream
channels for each CPE must share a common wire. Although a collision-
detection system could be used, the desire for guaranteed bandwidth indicates
one of two solutions. The first invokes a cell-grant protocol in which
downstream frames generated at the ONU or farther up the network contain a
few bits that grant access to specific CPE during a specified period subsequent to
receiving a frame. A granted CPE can send one upstream cell during this period.
The transmitter in the CPE must turn on, send a preamble to condition the ONU
receiver, send the cell, and then turn itself off. The protocol must insert enough
silence to let line ringing clear. One construction of this protocol uses 77 octet
intervals to transmit a single 53-octet cell.
The second method divides the upstream channel into frequency bands and
assigns one band to each CPE. This method has the advantage of avoiding any
MAC with its associated overhead (although a multiplexor must be built into the
ONU), but either restricts the data rate available to any one CPE or imposes a
dynamic inverse multiplexing scheme that lets one CPE send more than its share
for a period. The latter would look a great deal like a MAC protocol, but without
the loss of bandwidth associated with carrier detect and clear for each cell.

3.7.4 VDSL issues

VDSL is still in the definition stage. Some preliminary products exist, but not
enough is known yet about telephone line characteristics, radio frequency
interface emissions and susceptibility, upstream multiplexing protocols, and
information requirements to frame a set of definitive and standard properties.
One large unknown is the maximum distance that VDSL can reliably realize for
a given data rate. This is unknown because real line characteristics at the
frequencies required for VDSL are speculative. Additionally, items such as short
bridged taps or unterminated extension lines in homes, which have no effect on
telephony, ISDN, or ADSL, may have very detrimental effects on VDSL in
certain configurations. Furthermore, VDSL invades the frequency ranges of
amateur radio, and every above-ground telephone wire is an antenna that both
radiates and attracts energy in amateur radio bands. Balancing low signal levels
to prevent emissions that interfere with amateur radio with higher signals needed
to combat interference by amateur radio could be the dominant factor in
determining line reach.
A second dimension of VDSL that is far from clear is the services environment.
It can be assumed that VDSL will carry information in ATM cell format for
video and asymmetric data communications, although optimum downstream and
upstream data rates have not been ascertained. What is more difficult to assess is
the need for VDSL to carry information in non-ATM formats (such as
conventional Plesiochronous Digital Hierarchy [PDH] structures) and the need
for symmetric channels at broadband rates (above T1/E1). VDSL will not be
completely independent of upper-layer protocols, particularly in the upstream
direction, where multiplexing data from more than one CPE may require
knowledge of link-layer formats (that is, ATM or not).
A third difficult subject is premises distribution and the interface between the
telephone network and CPE. Cost considerations favor a passive network
interface with premises VDSL installed in CPE and upstream multiplexing
handled similarly to LAN buses. System management, reliability, regulatory
constraints, and migration favor an active network termination that can operate
like a hub, with point-to-point or shared-media distribution to multiple CPE on-
premises wiring that is independent and physically isolated from network wiring.
This is the same as ADSL and ISDN.
However, costs cannot be ignored. Small ONUs must spread common equipment
costs, such as fiber links, interfaces, and equipment cabinets, over a small
number of subscribers compared to HFC. VDSL, therefore, has a much lower
cost target than ADSL because VDSL may connect directly from a wiring center
or cable modems, which also have much lower common equipment costs per
user. Furthermore, VDSL for passive NTs may (only may) be more expensive
than VDSL for active NTs, but the elimination of any other premises network
electronics may make it the most cost-effective solution, and highly desired,
despite the obvious benefits of an active NT. Stay tuned.

3.7.5 Standards status

Figure 1 VDSL Standard Status

At present, five standards organizations/forums have begun work on VDSL:
• T1E1.4 - The U.S. ANSI standards group T1E1.4 has just begun a
project for VDSL, making a first attack on system requirements that will
evolve into a system and protocol definition.
• ETSI (European Telecommunication Standards Institute) - The
ETSI has a VDSL standards project, under the title High-Speed Metallic
Access Systems, and has compiled a list of objectives, problems, and
requirements. Among its preliminary findings are the need for an active
NT and payloads in multiples of SDH virtual container VC-12, or 2.3
Mbps. ETSI works very closely with T1E1.4 and the ADSL Forum, with
significant overlapping attendees.
• DAVIC - DAVIC has taken the earliest position on VDSL. Its first
specification due to be finalized will define a line code for downstream
data, another for upstream data, and a MAC for upstream multiplexing
based on TDMA over shared wiring. DAVIC is specifying VDSL only
for a single downstream rate of 51.84 Mbps and a single upstream rate of
1.6 Mbps over 300m or less of copper. The proposal assumes, and is
driven to a large extent by, a passive NT, and further assumes premises
distribution from the NT over new coaxial cable or new copper wiring.
• The ATM Forum - The ATM Forum has defined a 51.84-Mbps
interface for private-network User-Network Interfaces (UNIs) and a
corresponding transmission technology. It has also addressed the
question of CPE distribution and delivery of ATM all the way to
premises over the various access technologies described above.
• The ADSL Forum - The ADSL Forum has just begun consideration of
VDSL. In keeping with its charter, the Forum will address network,
protocol, and architectural aspects of VDSL for all prospective
applications, leaving line code and transceiver protocols to T1E1.4 and
ETSI and higher-layer protocols to organizations such as the ATM
Forum and DAVIC.

3.7.6 Relationship of VDSL to ADSL

Figure 1 Relationship of VDSL to ADSL

Figure 2 DSL Modem Technology

VDSL has an odd technical resemblance to ADSL. VDSL achieves data rates
nearly ten times greater than those of ADSL (see Figure [1]), but ADSL is the
more complex transmission technology. This is in large part because ADSL must
contend with much larger dynamic ranges than VDSL. However, the two are
essentially cut from the same cloth. ADSL employs advanced transmission
techniques and FEC to realize data rates from 1.5 to 9 Mbps over twisted pair,
ranging to 18,000 feet; VDSL employs the same advanced transmission
techniques and FEC to realize data rates from 14 to 55 Mbps over twisted pair,
ranging to 4500 feet. Indeed, the two can be considered a series, a set of

transmission tools that delivers about as much data as theoretically possible over
varying distances of existing telephone wiring.
VDSL is clearly a technology suitable for a full-service network (assuming that
full service does not imply more than two HDTV channels over the highest-rate
VDSL). It is equally clear that telephone companies cannot deploy ONUs
overnight, even if all the technology were available. ADSL may not be a full-
service network technology, but it has the singular advantage of offering service
over lines that exist today, and ADSL products are more widely available than
VDSL. Many new services being contemplated today, such as
videoconferencing, Internet access, video on demand, and remote LAN access,
can be delivered at speeds at or below T1/E1 rates. For such services,
ADSL/VDSL provides an ideal combination for network evolution. On the
longest lines, ADSL delivers a single channel. As line length shrinks, either from
natural proximity to a central office or deployment of fiber-based access nodes,
ADSL and VDSL simply offer more channels and capacity for services that
require rates above T1/E1 (such as digital live television and virtual CD-ROM
access). Figure [2] outlines the differences between all flavors of xDSL.

Summary

Figure 1 Consumer Access Options

This appendix gave an overview of several emerging remote-access solutions:
cable modems, wireless, and xDSL. The figure summarizes the major issues
surrounding these options. The key issues seem to revolve around speed, cost,
and availability. Over the next few years, it will be interesting to see if there is
one key winner in the race for market share.

Lab 1.6.1: Getting Started and Building Start.TXT
Objective
This lab introduces the CCNP lab equipment and certain IOS features that might be the
first time used or seen. This introductory activity also describes how to use a simple text
editor to create all, or part of a router configuration file. After creating a text configuration
file, that configuration can be applied to a router quickly and easily by using the
techniques described in this lab.

Equipment Requirements

• A single router, preferably a 2600 series router, and a workstation running a Windows
operating system.
• One 3 1/2 inch floppy disk with label

Preliminary
Modular interfaces
Cisco routers can come with a variety of interface configurations. Some models have only
fixed interfaces. This means that the interfaces cannot be changed or replaced by the
user. Other models have one or more modular interfaces, allowing the user to add,
remove, or replace interfaces as needed.

Fixed interface identification, such as Serial 0, S0, Ethernet 0, and E0, may already be
familiar. Modular routers use notation such as Serial 0/0 or S0/1, where the first number
refers to the module and the second number refers to the interface. Both notations use 0
as their starting reference, so S0/1 indicates that there is another serial interface S0/0.

Fast Ethernet
Many routers today are equipped with Fast Ethernet (10/100 Mbps auto-sensing)
interfaces. The notation Fast Ethernet 0/0 or Fa0/0 must be used for the Fast Ethernet
interfaces on these routers.

The ip subnet-zero command
The ip subnet-zero command is enabled by default in IOS 12. This command allows
IP addresses to be assigned in the first subnet, called subnet 0. Because subnet 0 uses
only binary zeros in the subnet field, its subnet address can potentially be confused with
the major network address. With the advent of classless IP, the use of subnet 0 has
become more common. The labs in this manual assume that the student can assign
addresses to the router’s interfaces using subnet 0. If any routers are used that have an
IOS earlier than 12.0, the global configuration command, ip subnet-zero, must be
added to the router’s configuration.

The no shutdown command
Interfaces are shut down by default. Remember to clearly issue a no shutdown
command in interface configuration mode when the interface is ready to be brought up.

Passwords
The login command is applied to virtual terminals by default. This means that in order
for the router to accept Telnet connections, a password must be configured. Otherwise,
the router will not allow a Telnet connection, replying with the error message “password
required, but none set.”

Step 1.
Take a few moments to examine the router. Become familiar with any serial, BRI (ISDN),
PRI (ISDN), and DSU/CSU interfaces on the router. Pay particular attention to any
connectors or cables that are unfamiliar.

1-1 Remote Access Setion 1: WANs - Lab 1.6.1 Copyright  2002, Cisco Systems, Inc.
Step 2.
Establish a HyperTerminal session to the router.

Enter privileged EXEC mode.

Step 3.
To clear the configuration, issue the erase start command.

Confirm when prompted, and answer ’no’ if asked to save changes. The result should
look something like the following:

Router#erase start
Erasing the nvram filesystem will remove all files! Continue?
[confirm]
[OK]
Erase of nvram: complete
Router#

When the prompt returns, issue the reload command.

Confirm when prompted. After the router finishes the boot process, choose not to use the
Auto install feature, shown as follows:

Would you like to enter the initial configuration dialog?
[yes/no]: no
Would you like to terminate autoinstall? [yes]: ! Press Enter to
accept default.
Press RETURN to get started!

Step 4.
In privileged mode, issue the show run command.

Notice the following default configurations while scrolling through the running
configuration:

• The version number of the IOS
• The ip subnet-zero command, which allows the use of the subnet 0
• Each available interface and its name. Note: Each interface has the shutdown
command applied to its configuration.
• The no ip http server command, which prevents the router from being
accessed by a Web browser.
• No passwords are set for CON, AUX, and VTY sessions, shown as follows:

line con 0
transport input none
line aux 0
line vty 0 4

Using Copy and Paste with Notepad
In the next steps, the copy and paste feature will be used to edit router configurations. A
text file needs to be created that can be pasted into the labs and used as a starting point
for the router configuration. Specifically, a login configuration must be built that can be
used with every lab included in this manual.

Step 5.

If necessary, issue the show run command again so that line con and line vty are
showing on the screen:

line con 0
transport input none
line aux 0
line vty 0 4
!
end

Select this text and choose the copy command from HyperTerminal’s Edit menu.

Next, open Notepad, which is typically found on the Start menu under Programs,
Accessories. After Notepad opens, select Paste from the Notepad Edit menu.

Edit the lines in Notepad to look like the following lines. The one space indent is optional.

enable secret class
line con 0
transport input none
password cisco
login
line aux 0
password cisco
login
line vty 0 4
password cisco
login

This configuration sets the enable secret to class and requires a login for all console,
AUX port, and virtual terminal connections. The password for these connections is set to
cisco. The AUX port is usually used for a modem connection.
Note: Each of the passwords can be set to something else if desired.

Step 6.
Save the open file in Notepad to a floppy disk as start.txt.

Select all the lines in the Notepad document and choose Edit, Copy.

Step 7.
Use the Windows taskbar to return to the HyperTerminal session, and enter global
configuration mode.

From HyperTerminal’s Edit menu, choose Paste to Host.

Issue the show run command to see if the configuration looks okay.

As a shortcut, paste the contents of the start.txt file to any router before getting started
with a lab.

Other Useful Commands
To enhance the start.txt file, consider adding one of the following commands:
• ip subnet-zero ensures that an older IOS allows IP addresses from subnet 0.
• ip http server allows access to the routers using a Web browser. Although this
configuration might not be desirable on a production router, it does give an HTTP
server for testing purposes in the lab.

• no ip domain-lookup prevents the router from attempting to query a DNS when
a word is input that is not recognized as a command or a host table entry. This saves
time if a typo is made or there is a misspelling of a command.
• logging synchronous in the line con 0 configuration returns to a fresh line when
the input is interrupted by a console logging message.
• configure terminal can be used in a file so that the command does not need
to be typed before pasting the contents of the file to the router.

Step 8.

Use the Windows taskbar to return to Notepad and edit the lines so that they read
as follows:

config t
!
enable secret class
ip subnet-zero
ip http server
no ip domain-lookup
line con 0
logging synchronous
password cisco
login
transport input none
line aux 0
password cisco
login
line vty 0 4
password cisco
login
!
end
copy run start

Save the file to the floppy disk so work is not lost.

Select and copy all the lines, and return to the HyperTerminal session.

Normally global configuration mode would be entered before pasting from Notepad.
However, because the configure terminal command was included in the script,
paste can be done in privileged mode.

If necessary, return to privileged EXEC mode. From the Edit menu, select Paste to Host.

After the paste is complete, confirm the copy operation.

Use show run to see if the configuration looks okay.

Using Notepad to Assist in Editing


Understanding how to use Notepad can lessen typing and typos during editing sessions.
Another benefit is that an entire router configuration can be done in Notepad at home or
at the office and then it can be pasted to the router’s console when access becomes
available. In the next steps, a simple editing example will be looked at.

Step 9.

Configure the router with the following commands:

Router#config t
Router(config)#router rip
Router(config)#network 192.168.1.0
Router(config)#network 192.168.2.0
Router(config)#network 192.168.3.0
Router(config)#network 192.168.4.0
Router(config)#network 192.168.5.0

Press Ctrl+Z, and verify the configuration with show run. RIP was just set up to
advertise a series of networks. What if the routing protocol is to be changed to IGRP?
With the no router rip command, RIP can be easily removed; however, the
network commands would still need to be retyped. The next steps show an alternative
to retyping the commands.

Step 10.
Issue the show run command and hold the output so that the router rip commands
are displayed. Using the keyboard or mouse, select the router rip command and all
network statements.

Copy the selection.

Use the taskbar to return to Notepad.

Open a new document and paste the selection onto the blank page.

Step 11.
In the new document, type the word no and a space in front of the word router.

Press the End key, and press Enter.

Type router igrp 100, but do not press Enter. The result should look like the following:

no router rip
router igrp 100
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0

Step 12.
Select the results and copy them.

Use the taskbar to return to the HyperTerminal session.

While in global configuration mode, paste the results.

Use the show run command to verify the configuration.

Reflection
How could using copy and paste with Notepad be helpful in other editing situations?

Lab 1.6.2: Capturing HyperTerminal and Telnet Sessions
Objective
This activity describes how to capture HyperTerminal and Telnet sessions.

Note: Try to master these techniques. These techniques lessen the amount of typing in
later labs and while working in the field.

Step 1.
Log in to a router using HyperTerminal.

It is possible to capture the results of the HyperTerminal session in a text file, which can
be viewed and/or printed using Notepad, WordPad, or Microsoft Word.

Note: This feature captures future screens, not what is currently on screen. Basically this
is turning on a recording session.

To start a capture session, choose the menu option Transfer, Capture Text. The Capture
Text dialog box appears, as shown in the following figure.

The default filename for a HyperTerminal capture is CAPTURE.TXT, and the default
location of this file is C:\Program Files\Accessories\HyperTerminal.
Note: When using Telnet, the command to begin a capture, or log, is Terminal, Start
Logging. The document created has LOG as the extension. Other than the name and
path of the capture file, the logging procedures are the same for both Telnet and
HyperTerminal.

Make sure that a floppy disk is in the A: drive. When the Capture Text dialog box
appears, change the File path to A:\TestRun.txt.
Click the Start button. Anything that appears onscreen after this point is copied to the file.
Step 2.
Issue the show running-config command and view the entire configuration file.
From the Transfer menu, choose Capture Text, Stop.
Telnet users should select Stop Logging from the Terminal menu to end the session.
Step 3.
Using the Start menu, launch Windows Explorer. Windows Explorer might be found under
Programs or Accessories, depending on which version of Windows is in use.
In the left pane, select the 3½ floppy (A:) drive. On the right side, the file that was just
created should be seen.

1-1 Remote Access Section 1: WANs - Lab 1.6.2 Copyright © 2002, Cisco Systems, Inc.
Double-click the TestRun.txt document’s icon. The result should look something like the
following:
Router# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$HD2B$6iXb.h6QEJJjtn/NnwUHO.
!
!
ip subnet-zero
no ip domain-lookup
!
interface FastEthernet0/0
--More-- □□□□□□□ □□□□□□□ no ip address
no ip directed-broadcast
shutdown

Unrecognizable characters may appear near the word ’More’. This is where the spacebar
was pressed to see the rest of the list. Use basic word processing techniques to clean
that up.
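As an added illustration, not part of the original lab, the following Python script does that clean-up automatically. It replays each captured line the way the terminal screen did, so the backspace and space sequence the router sends to erase the --More-- prompt disappears instead of being left in the text file. It assumes the erase sequence is backspaces, spaces, then backspaces again (the exact bytes vary by IOS version and terminal program), and the sample capture is constructed.

```python
import re

# Constructed sample of a HyperTerminal capture. Assumption: IOS erases the
# " --More-- " prompt by sending backspaces, spaces, then backspaces again
# before the next line of output; the exact bytes vary by version and terminal.
ERASE = "\x08" * 10 + " " * 10 + "\x08" * 10
SAMPLE_CAPTURE = "\n".join([
    "Router# show running-config",
    "Building configuration...",
    "interface FastEthernet0/0",
    " --More-- " + ERASE + " no ip address",
    " no ip directed-broadcast",
    " shutdown",
    " --More-- ",            # capture stopped while the pager was still waiting
])

MORE_PROMPT = re.compile(r"^\s*--More--\s*")


def render_line(raw: str) -> str:
    """Replay one captured line the way a terminal would: backspace moves the
    cursor left, carriage return moves it to column 0, and later characters
    overwrite earlier ones. Box glyphs that editors show for unprintable bytes
    are dropped. The result is what the screen showed, without the debris."""
    buf = []
    cursor = 0
    for ch in raw:
        if ch == "\x08":
            cursor = max(0, cursor - 1)
        elif ch == "\r":
            cursor = 0
        elif ch == "\u25a1":
            continue
        else:
            if cursor < len(buf):
                buf[cursor] = ch
            else:
                buf.append(ch)
            cursor += 1
    return "".join(buf).rstrip()


def clean_capture(text: str) -> list:
    """Return the captured lines with pager prompts and erase sequences removed."""
    cleaned = []
    for raw in text.splitlines():
        line = render_line(raw)
        had_prompt = MORE_PROMPT.match(line) is not None
        line = MORE_PROMPT.sub("", line, count=1)
        if had_prompt and not line:
            continue        # the line held nothing but the pager prompt
        cleaned.append(line)
    return cleaned


if __name__ == "__main__":
    for line in clean_capture(SAMPLE_CAPTURE):
        print(line)
```

Run it against a real A:\TestRun.txt by reading the file and passing its contents to clean_capture; a line that carried only a prompt with no erase bytes is stripped by the regular expression, but its indentation cannot be recovered in that case.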

Suggestion
Consider capturing each router configuration for every lab that is done. Captured files can
be valuable while reviewing configuration features and preparing for certification
exams.
Reflection
Could the capture techniques be useful if a member of a lab team misses a lab session?
Can capture techniques be used to configure an off site lab?

Lab 1.6.3: Access Control List Basics and Extended Ping
Topology diagram (labels recovered from the figure): Workstation 192.168.3.2/24 on the
LAN of Vista Fa0/0 192.168.3.1/24; Vista S0/0 192.168.1.1/24 to SanJose1 S0/0
192.168.1.2/24; Vista S0/1 192.168.2.1/24 to SanJose2 S0/1 192.168.2.2/24; SanJose1
Fa0/0 10.0.0.1/24 and SanJose2 Fa0/0 10.0.0.2/24 on the shared 10.0.0.0/24 LAN.

Objective
This lab activity reviews the basics of standard and extended access lists, which are used
extensively in the CCNP curriculum.
Scenario
The LAN users connected to the Vista router are concerned about access to their
network from hosts on network 10.0.0.0. Use a standard access list to block all access to
Vista’s LAN from network 10.0.0.0/24.
Also use an extended ACL to block network 192.168.3.0 host access to Web servers on
the 10.0.0.0/24 network.

Step 1.
Build and configure the network according to the diagram. Use RIPv1, and enable
updates on all active interfaces with the appropriate network commands. The
commands necessary to configure SanJose1 are shown as an example:
SanJose1(config)#router rip
SanJose1(config-router)#network 192.168.1.0
SanJose1(config-router)#network 10.0.0.0

Use the ping command to verify the work and test connectivity between all interfaces.

Step 2.
Check the routing table on Vista using the show ip route command. Vista should
have all four networks in its table. Troubleshoot, if necessary.

1-1 Remote Access Section 1: WANs - Lab 1.6.3 Copyright © 2002, Cisco Systems, Inc.
Access Control List Basics
Access Control Lists (ACLs) are simple but powerful tools. When the access list is
configured, each statement in the list is processed by the router in the order in which it
was created. If an individual packet meets a statement’s criteria, the permit or deny is
applied to that packet, and no further list entries are checked. The next packet to be
checked starts again at the top of the list.
It is not possible to reorder an access list, skip statements, edit statements, or delete
statements from a numbered access list. With numbered access lists, any attempt to
delete a single statement results in the entire list’s deletion. Named ACLs (NACLs) do
allow for the deletion of individual statements.
The following concepts apply to both standard and extended access lists:
Two-step process
First, the access list is created with one or more access-list commands while in
global configuration mode. Second, the access list is applied to or referenced by other
commands, such as the access-group command, to apply an ACL to an interface. An
example would be the following:

Vista#config t
Vista(config)#access-list 50 deny 10.0.0.0 0.0.0.255
Vista(config)#access-list 50 permit any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 50 out
Vista(config-if)#^Z

Syntax and Keywords


The basic syntax for creating an access list entry is as follows:
router(config)#access-list acl-number {permit | deny}...
The permit command allows packets matching the specified criteria to be accepted for
whatever application the access list is being used for. The deny command discards
packets matching the criteria on that line.
Two important keywords that can be used with the access-list command are any
and host. The keyword any matches all hosts on all networks, equivalent to 0.0.0.0
255.255.255.255. The keyword host can be used with an IP address to indicate a single
host address. The syntax is host ip-address, such as host 192.168.1.10. This is treated
exactly the same as 192.168.1.10 0.0.0.0.

Implicit deny statement


Every access list contains a final ’deny’ statement that matches all packets. This is called
the implicit deny. Because the implicit deny statement is not visible in show command
output, it is often overlooked, with serious consequences. As an example, consider the
following single line access list:

Router(config)#access-list 75 deny host 192.168.1.10

Access-list 75 clearly denies all traffic sourced from the host, 192.168.1.10. What might
not be obvious is that all other traffic will be discarded as well. This happens because the
implicit deny any is the final statement in any access list.
At least one permit statement is required
There is no requirement that an ACL contains a deny statement. If nothing else, the
implicit deny any statement takes care of that. But if there are no permit statements,
the effect will be the same as if there were only a single deny any statement.

Wildcard mask
In identifying IP addresses, ACLs use a wildcard mask instead of a subnet mask. Initially,
they might look like the same thing, but closer observation reveals that they are very
different. Remember that a binary 0 in a wildcard bitmask instructs the router to match
the corresponding bit in the IP address.
In/out
When deciding whether an ACL should be applied to inbound or outbound traffic, always
view things from the router’s perspective. In other words, determine whether traffic is
coming into the router, inbound, or leaving the router, outbound.
Applying ACLs
Extended ACLs should be applied as close to the source as possible, thereby conserving
network resources. Standard ACLs, by necessity, must be applied as close to the
destination as possible. This is because the standard ACL can only match the source
address of a packet.

Step 3.
On the Vista router, create the following standard ACL and apply it to the LAN interface:
Vista#config t
Vista(config)#access-list 50 deny 10.0.0.0 0.0.0.255
Vista(config)#access-list 50 permit any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 50 out
Vista(config-if)#^Z

Try pinging 192.168.3.2 from SanJose1.


SanJose1#ping 192.168.3.2
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
4/4/4 ms

The ping should be successful. This result might be surprising, because all traffic from
the 10.0.0.0/24 network was just blocked. The ping is successful because, even though
it came from SanJose1, it is not sourced from the 10.0.0.0/24 network. A ping or
traceroute from a router uses the closest interface to the destination as the source
address. Therefore, the ping is coming from 192.168.1.2/24, SanJose1’s Serial 0/0
interface.
In order to test the ACL from SanJose1, use the extended ping command to specify a
specific source interface.
Step 4.
On SanJose1, issue the following commands. Remember that the extended ping works
only in privileged mode.

SanJose1#
SanJose1#ping
Protocol [ip]:
Target IP address: 192.168.3.2
Repeat count [5]:
Datagram size [100]:

Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.0.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.2, timeout is 2
seconds:
U.U.U
Success rate is 0 percent (0/5)

Step 5.
Standard ACLs are numbered one (1) through 99. IOS 12 also allows standard lists to be
numbered 1300 through 1699. Extended ACLs are numbered 100 through 199. IOS 12
allows numbers 2000 through 2699. Extended ACLs can be used to enforce highly
specific criteria for filtering packets. In this step, configure an extended ACL to block
access to a Web server.
Before proceeding, issue the no access-list 50 and no ip access-group 50
commands on the Vista router to remove the ACL configured previously.
First, configure both SanJose1 and SanJose2 to act as Web servers, by using the ip
http server command, shown as follows:
SanJose1(config)#ip http server
SanJose2(config)#ip http server
From the workstation at 192.168.3.2, use a Web browser to view both SanJose1 and
SanJose2’s Web servers at 10.0.0.1 and 10.0.0.2. The Web login requires that the
router’s enable secret password be entered as the password.
After verifying Web connectivity between the workstation and the routers, proceed to
Step 6.
Step 6.
On the Vista router, enter the following commands:
Vista(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255 eq www
Vista(config)#access-list 101 deny tcp 192.168.3.0 0.0.0.255 any eq ftp
Vista(config)#access-list 101 permit ip any any
Vista(config)#interface fastethernet 0/0
Vista(config-if)#ip access-group 101 in

From the workstation at 192.168.3.2, again attempt to view the Web servers at 10.0.0.1
and 10.0.0.2. Both attempts should fail.
Next, browse SanJose1 at 192.168.1.2. Why is this not blocked?
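The following Python model is added here and is not part of the lab or of Cisco IOS. It reproduces the access list rules explained under Access Control List Basics (statements tested top down, first match wins, the implicit deny, wildcard masks, and the any and host keywords) and replays the packets from Steps 3, 4 and 6 with the lab's own addresses: the plain ping from SanJose1 sourced from 192.168.1.2, the extended ping sourced from 10.0.0.1, and the HTTP and FTP requests filtered by access-list 101. Packet, Entry, evaluate and lab_results are names chosen for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ("0.0.0.0", "255.255.255.255")      # the 'any' keyword: match every address


def host(ip: str):
    """The 'host' keyword: one address, wildcard 0.0.0.0."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask test: a 0 bit in the mask means the corresponding address
    bit must match, a 1 bit means it is ignored (the reverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:                 # the fields an access list can test
    src: str
    dst: str
    proto: str = "icmp"
    dst_port: Optional[int] = None


@dataclass
class Entry:                  # one access-list statement
    action: str               # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"         # "ip" matches every protocol; a standard ACL tests only the source
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dst_port: Optional[int] = None   # 80 for 'eq www', 21 for 'eq ftp'

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Statements are tested top down and the first match decides. Falling off
    the end is the implicit 'deny any' that never appears in show output."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# access-list 50 deny 10.0.0.0 0.0.0.255 / access-list 50 permit any
ACL_50 = [Entry("deny", "10.0.0.0", "0.0.0.255"), Entry("permit", *ANY)]
# access-list 75 deny host 192.168.1.10  (a list with no permit statement at all)
ACL_75 = [Entry("deny", *host("192.168.1.10"))]
# access-list 101 as entered in Step 6
ACL_101 = [
    Entry("deny", "192.168.3.0", "0.0.0.255", "tcp", "10.0.0.0", "0.0.0.255", 80),
    Entry("deny", "192.168.3.0", "0.0.0.255", "tcp", *ANY, 21),
    Entry("permit", *ANY, "ip", *ANY),
]


def lab_results() -> dict:
    """Replay the lab's packets against the lists; values are 'permit' or 'deny'."""
    return {
        # Step 3: a plain ping from SanJose1 is sourced from S0/0, 192.168.1.2
        "ping_from_s0_0": evaluate(ACL_50, Packet("192.168.1.2", "192.168.3.2")),
        # Step 4: the extended ping sourced from Fa0/0, 10.0.0.1, is what list 50 stops
        "ping_from_fa0_0": evaluate(ACL_50, Packet("10.0.0.1", "192.168.3.2")),
        # Implicit deny: list 75 drops a host it never mentions
        "acl75_other_host": evaluate(ACL_75, Packet("192.168.1.20", "192.168.3.2")),
        # Step 6: HTTP from the workstation to a Web server on 10.0.0.0/24
        "http_to_10_0_0_1": evaluate(ACL_101, Packet("192.168.3.2", "10.0.0.1", "tcp", 80)),
        # Step 6: HTTP from the workstation to SanJose1's serial address
        "http_to_192_168_1_2": evaluate(ACL_101, Packet("192.168.3.2", "192.168.1.2", "tcp", 80)),
        # FTP from the workstation to any destination
        "ftp_anywhere": evaluate(ACL_101, Packet("192.168.3.2", "192.168.2.2", "tcp", 21)),
    }


if __name__ == "__main__":
    for name, verdict in lab_results().items():
        print(f"{name:24s} {verdict}")
```

The model checks the same three things the router checks for each statement, protocol, source and destination, in that order, so adding a statement to one of the lists and re-running lab_results shows exactly which packets change verdict.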

Lab 2.5.1: Configuring Static NAT

Topology diagram (labels recovered from the figure): ISP1 S0/0 10.0.0.5/30 and Lo0
10.0.1.2/30; SanJose1 S0/0 10.0.0.6/30 and Fa0/0 192.168.0.1/24; Host A 192.168.0.5/24
and Host B 192.168.0.20/24 on the LAN of SanJose1 Fa0/0.
Objective
Configure Network Address Translation (NAT) static translation to provide reliable outside
access to three shared company servers.

Scenario
When the International Travel Agency (ITA) expanded and updated their network, they
chose to use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with
the outside world. In order to secure the outside IP addresses from their ISP, ITA must
pay a monthly fee per IP address. ITA has asked that a series of prototypes be set up
that would demonstrate NAT’s capabilities to meet ITA’s requirements. The company
hopes to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of
reasons including security concerns, the company wishes to hide the internal network
from the outside.

Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero, so the ip subnet-zero command may need to be entered,
depending on the version of IOS being used.

Configure SanJose1 to use a default route to ISP1, as shown:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

Host A represents one of the proposed shared servers that will be part of an Ethernet
LAN attached to SanJose1. Host B represents a user in the ITA network.

1 - 1 Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.1 Copyright © 2001, Cisco Systems, Inc.
Step 2.
Verify the configurations with the show running-config command.

Verify that SanJose1 can ping ISP1’s serial interface, 10.0.0.5, and that ISP1 can ping
SanJose1’s serial interface, 10.0.0.6.

At this time, ISP1 cannot ping either workstation or SanJose1’s Fast Ethernet
interface, 192.168.0.1.

1. Both workstations can ping each other and 10.0.0.6, but cannot ping 10.0.0.5. Why
does the latter ping fail?

In fact, the ping request should be getting to 10.0.0.5. Because ISP1 has no entry in its
routing table for 192.168.0.0 /24, ISP1 cannot reply. Configure a static route to solve
this problem in Step 7.

Step 3.
SanJose1 is the boundary router where NAT will be configured. The router will be
translating the inside local addresses to inside global addresses, essentially converting
the internal private addresses into legal public addresses for use on the Internet.

On SanJose1, create static translations between the inside local addresses, the servers
to be shared, and the inside global addresses using the following commands:

SanJose1(config)#ip nat inside source static 192.168.0.3 42.0.0.49


SanJose1(config)#ip nat inside source static 192.168.0.4 42.0.0.50
SanJose1(config)#ip nat inside source static 192.168.0.5 42.0.0.51

2. If a static translation is needed for a fourth server, 192.168.0.6, what would be the
appropriate command?

Step 4.
Next, specify an interface on SanJose1 to be used by inside network hosts requiring
address translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside
Step 5.
To see the translations, use the show ip nat translations command. The results
should look something like the following:

SanJose1#show ip nat translations


Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.49          192.168.0.3        ---                ---
--- 42.0.0.50          192.168.0.4        ---                ---
--- 42.0.0.51          192.168.0.5        ---                ---

Use the show ip nat statistics command to see what NAT activity has occurred.
The results should look something like the following:

SanJose1#show ip nat statistics


Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial0/0
Inside interfaces:
FastEthernet0/0
Hits: 0 Misses: 0
Expired translations: 0
Dynamic mappings:
SanJose1#

Notice that the Hits value is currently 0.

Step 6.
From Host A, ping 10.0.0.5, ISP1’s serial interface. The pings should still fail
because ISP1 has no route for 192.168.0.0 /24 in its routing table.

Return to the console connection of SanJose1 and type show ip nat statistics,
as shown here:

SanJose1#show ip nat statistics


Total active translations: 3 (3 static, 0 dynamic; 0 extended)
Outside interfaces:
Serial0/0
Inside interfaces:
FastEthernet0/0
Hits: 4 Misses: 0
Expired translations: 0
Dynamic mappings:

The hits now equal 4, as shown. This indicates that the translation was made even though
no response was received. Remember that the ping replies are not sent because ISP1
does not have a route back to SanJose1. It is now time to remedy this.

Step 7.
On ISP1, configure the following static route to the global addresses used by
SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

The subnet mask defines the pool of IP addresses as 42.0.0.48 /28.

It should now be possible to successfully ping 42.0.0.51, which is the translated
address of the shared server, 192.168.0.5.

The show ip route command confirms that the static route is present, as shown here:

ISP1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile,
B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS
inter area
* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

42.0.0.0/28 is subnetted, 1 subnets


S 42.0.0.48 [1/0] via 10.0.0.6
10.0.0.0/30 is subnetted, 2 subnets
C 10.0.1.0 is directly connected, Loopback0/0
C 10.0.0.4 is directly connected, Serial0/0

Step 8.
From Host A, ping the ISP1 router at 10.0.0.5. This ping should now be successful.

It should also be possible to ping ISP1’s loopback address, 10.0.1.2, as well.

From the console connection to SanJose1, issue the show ip nat statistics
command and look over the statistics. The number of hits should be much larger than
before.

Try the show ip nat translations verbose command. The results should look
something like the following:

SanJose1#show ip nat translations verbose


Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.49          192.168.0.3        ---                ---
    create 00:40:25, use 00:40:25, flags: static, use_count: 0
--- 42.0.0.50          192.168.0.4        ---                ---
    create 00:40:25, use 00:40:25, flags: static, use_count: 0
--- 42.0.0.51          192.168.0.5        ---                ---
    create 00:40:25, use 00:06:46, flags: static, use_count: 0

Note: The verbose option includes information about how recently each translation was
used.

Step 9.

From SanJose1, use the show ip nat statistics command and make a note of the
number of hits.

From Host B, ping both 10.0.0.5 and 10.0.1.2.

3. Both should fail. Why?

From SanJose1, issue the show ip nat statistics command again and note that
the number of hits has not changed. The problem is that NAT did not translate Host B’s
IP address, 192.168.0.20, to one of the global addresses. The show ip nat
translations command should confirm this.

A static translation for Host B, which represents a LAN user, has not been set up. A static
translation could be quickly configured for this single end user. However, configuring a
static translation for every user on the LAN could be a huge task, resulting in hundreds of
configuration commands. Dynamic NAT allows configuring the router to assign global
addresses dynamically, on an as-needed basis. While static translation may be
appropriate for servers, dynamic translation is almost always used with end user stations.
Dynamic NAT will be studied in the next lab exercise.

Lab 2.5.2: Configuring Dynamic NAT

Topology diagram (labels recovered from the figure): ISP1 S0/0 10.0.0.5/30 and Lo0
10.0.1.2/30; SanJose1 S0/0 10.0.0.6/30 and Fa0/0 192.168.0.1/24; Host A 192.168.0.21/24
and Host B 192.168.0.20/24 on the LAN of SanJose1 Fa0/0.

Objective
Configure dynamic NAT to provide privately addressed users with access to outside
resources.

Scenario
The International Travel Agency (ITA) expanded and updated their network. ITA chose to
use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the
outside world. In securing the outside IP addresses from their ISP, ITA has to pay a
monthly fee per IP address. ITA has asked for a series of prototypes to be set up that
would demonstrate NAT’s capabilities to meet ITA’s requirements. The company hopes
to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons
including security concerns, the company wishes to hide the internal network from the
outside.

ITA is hoping to limit user access to the Internet and other outside resources by
limiting the number of connections. Prototype the basic dynamic translation to see if it will
meet ITA’s objectives.

Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero, so the ip subnet-zero command may need to be entered,
depending on the IOS version being used. Both Host A and Host B represent users on
the ITA network.

Configure SanJose1 to use a default route to ISP1:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

1 - 1 Remote Access Section 2: Scaling IP Addresses with NAT - Lab 2.5.2 Copyright © 2002, Cisco Systems, Inc.
Step 2.
Define a pool of global addresses to be allocated by the dynamic NAT process. Issue the
following command on SanJose1:

SanJose1(config)#ip nat pool MYNATPOOL 42.0.0.55 42.0.0.55 netmask 255.255.255.240

The name MYNATPOOL is the name of the address pool. However, another word may
be chosen. The first 42.0.0.55 in the command is the first IP address in the pool. The
second 42.0.0.55 is the last IP address in the pool. This command creates a pool that
contains only a single address. Typically, a larger range of addresses in a pool would be
configured. For now, only one address will be used.

Next, configure a standard access list to define which internal source addresses can be
translated. Because all users on the ITA network are being translated, use the following
command:

SanJose1(config)#access-list 2 permit 192.168.0.0 0.0.0.255

To establish the dynamic source translation, link the access list to the name of the NAT
pool, as shown here:

SanJose1(config)#ip nat inside source list 2 pool MYNATPOOL

Finally, specify an interface on SanJose1 to be used by inside network hosts requiring
address translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Step 3.
On SanJose1, enter the show ip nat translations command, which should result
in no output. Unlike static translations, which are permanent and always remain in the
translations table, dynamic translations are only assigned as needed, and only appear
when active.

From Host A, ping ISP1’s serial and loopback IP addresses. Both pings should work.
Troubleshoot as necessary.

Issue the show ip nat translations command on SanJose1 again. This should
now get a single translation for that workstation. The result might look like the following:

SanJose1#show ip nat trans


Pro Inside global Inside local Outside local Outside global
--- 42.0.0.55 192.168.0.21 --- ---

From Host B, ping ISP1’s serial and loopback IP addresses. They should both fail. The
one available IP address in the pool is being used by the other workstation. If a larger
pool of addresses had been assigned, Host B could be assigned an address from the
pool.

Step 4.
Issue the show ip nat translations verbose command and examine the output:

SanJose1#show ip nat translations verbose


Pro Inside global Inside local Outside local Outside global
--- 42.0.0.55 192.168.0.21 --- ---
create 00:13:18, use 00:13:06, left 23:46:53,
flags: none, use_count: 0

1. According to the output of this command, how much time is left before the dynamic
translation times out?

The default timeout value for dynamic NAT translations is 24 hours. This means the
second workstation will have to wait until the next day before it can be assigned the
address.

Next, issue the show ip nat statistics command. Notice that it summarizes the
translation information, shows the pool of global addresses, and indicates that only one
address has been allocated, or translated, as shown here:

SanJose1#show ip nat statistics


Total active translations: 1 (0 static, 1 dynamic; 0 extended)
Outside interfaces:
Serial0/0
Inside interfaces:
FastEthernet0/0
Hits: 45 Misses: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 2 pool MYNATPOOL refcount 1
pool MYNATPOOL: netmask 255.255.255.240
start 42.0.0.55 end 42.0.0.55
type generic, total addresses 1, allocated 1 (100%), misses 4

To change the default NAT timeout value from 24 hours, 86,400 seconds, to 120
seconds, issue the following command:

SanJose1(config)#ip nat translation timeout 120

Clear the existing address allocation before the new timer can take effect. Type clear
ip nat translation * to immediately clear the translation table.

Now, from Host B, try pinging either interface of ISP1 again. The ping should be
successful.

Use the show ip nat translations and show ip nat translations verbose
commands to confirm the translation and to see that the new translations expire in two
minutes.

Next, perform a ping from Host B and issue the show ip nat translations
verbose command again. Notice that the ’time left’ timer has been reset. This
means that additional hosts will not be allocated an address until a translation has been
inactive for the timeout period.

Step 5.

In this step, configure the NAT pool to include the complete range of global
addresses available to ITA. Issue the following command on SanJose1:

SanJose1(config)#ip nat pool MYNATPOOL 42.0.0.55 42.0.0.62 netmask 255.255.255.240

This command redefines MYNATPOOL to include a range of eight addresses. It will now
be possible to ping ISP1 from both workstations.

The show ip nat translations command confirms that two translations have
occurred, as shown here:

SanJose1#show ip nat translations


Pro Inside global      Inside local       Outside local      Outside global
--- 42.0.0.55          192.168.0.20       ---                ---
--- 42.0.0.56          192.168.0.21       ---                ---

Increasing the address range in the pool allows more hosts to be translated. However, if
every address in the pool is allocated, the timeout period must expire before any other
hosts can be allocated an address. As was seen in the last step, an allocated address
cannot be released until its host is inactive for the duration of the timeout period.

In the next lab, many-to-one NAT, or NAT overload will be learned. An overload
configuration can allow hundreds of hosts to use a handful of global addresses, without
hosts waiting for timeouts.

Lab 2.5.3: Configuring NAT Overload

Topology diagram (labels recovered from the figure): ISP1 S0/0 10.0.0.5/30 and Lo0
10.0.1.2/30; SanJose1 S0/0 10.0.0.6/30 and Fa0/0 192.168.0.1/24; Host A 192.168.0.21/24
and Host B 192.168.0.20/24 on the LAN of SanJose1 Fa0/0.

Objective
Configure dynamic NAT with overload.

Scenario
The International Travel Agency (ITA) expanded and updated their network. ITA chose to
use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the
outside world. In securing the outside IP addresses from their ISP, ITA is having to pay a
monthly fee per IP address. ITA has asked for a series of prototypes to be set up that
would demonstrate NAT’s capabilities to meet ITA’s requirements. The company hopes
to be able to get by with 14 real IP addresses, 42.0.0.48 /28. For a variety of reasons
including security concerns, the company wishes to hide the internal network from the
outside.

It appears that the basic dynamic NAT translations will be too limiting and cumbersome to
meet ITA’s needs. Modify the prototype to use the overload feature.

Step 1.
Build and configure the network according to the diagram. This configuration requires the
use of subnet zero, so the ip subnet-zero command may need to be entered,
depending on the IOS version being used. Both Host A and Host B represent users on
the ITA network.

Configure SanJose1 to use a default route to ISP1:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

Define a pool of global addresses to be allocated by the dynamic NAT process. Issue the
following command on SanJose1:

SanJose1(config)#ip nat pool MYNATPOOL 42.0.0.55 42.0.0.62 netmask 255.255.255.240

Configure a standard access list to define which internal source addresses can be
translated. Because all users are being translated on the ITA network, use the following
command:

SanJose1(config)#access-list 2 permit 192.168.0.0 0.0.0.255

Specify an interface on SanJose1 to be used by inside network hosts requiring address
translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Step 2.
In the last exercise, a pool of ’real’ global IP addresses was seen that can be used to
provide internally addressed hosts with access to the Internet and other outside
resources. However, in the previous implementation, each global address could be
allocated to only one host at a time.

The most powerful feature of NAT is address overloading, or port address translation
(PAT). Overloading allows multiple inside addresses to map to a single global
address. With PAT, literally hundreds of privately addressed nodes can access the
Internet using only one global address. The NAT router keeps track of the different
conversations by mapping TCP and UDP port numbers.

Configure address overloading on SanJose1 with the following command:

SanJose1(config)#ip nat inside source list 2 pool MYNATPOOL overload

After the overload feature is configured, ping both interfaces of ISP1, 10.0.1.2 and
10.0.0.5, from Host A. The pings should be successful. Next, issue the show ip nat
translations command:

SanJose1#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.0.5:1536 10.0.0.5:1536
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.1.2:1536 10.0.1.2:1536

1. What port number is the source of the ping?

2. What port number is the destination of the ping?

In addition to tracking the IP addresses translated, the translations table also records the
port numbers being used. Also notice that the first column, Pro, shows the protocol used.

Now look at the output of the show ip nat translation verbose command:

SanJose1#show ip nat translation verbose
Pro Inside global Inside local Outside local Outside global
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.0.5:1536 10.0.0.5:1536
create 00:00:09, use 00:00:06, left 00:00:53,
flags:
extended, use_count: 0
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.1.2:1536 10.0.1.2:1536
create 00:00:04, use 00:00:01, left 00:00:58,
flags:
extended, use_count: 0

Note: The timeout for these overloaded dynamic translations of ICMP is 60 seconds.
Notice also that each session has its own timeout timer. New activity only resets one
specific session’s timer. To see the result on the router, it may need to be pinged again.

From the MS-DOS prompt of Host A, quickly issue the following commands and then
return to the SanJose1 console to issue the show ip nat translation command.
The commands must be done fast due to the 60 second timeout:

HostA:\>ping 10.0.0.5
HostA:\>telnet 10.0.0.5 (Do not log in. Return to the command window.)
HostA:\>ftp 10.0.0.5 (It will fail. Do not worry about this.)

Note: To quit the Windows FTP program, type bye and press Enter.

After these three sessions are initiated, the output of the show ip nat translation
command should look something like the following:
SanJose1#show ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.0.5:1536 10.0.0.5:1536
tcp 42.0.0.55:1095 192.168.0.21:1095 10.0.0.5:21 10.0.0.5:21
tcp 42.0.0.55:1094 192.168.0.21:1094 10.0.0.5:23 10.0.0.5:23

Although the NAT router has a pool of eight IP addresses to work with, it chooses to
continue to use the 42.0.0.55 for both workstations. The Cisco IOS will continue to
overload the first address in the pool until it has reached its limit and then move to the
second address, and so on.

Step 3.
In this step, examine the timeout values in more detail. From Host A, initiate FTP and
HTTP sessions with ISP1 at 10.0.0.5. Since ISP1 is not configured as an FTP server or
Web server, both sessions will fail.

HostA:\>ftp 10.0.0.5

To open an HTTP session, type ISP1’s IP address in the URL field of a Web browser
window.

After both FTP and HTTP sessions are attempted, use the show ip nat
translation verbose command and examine the time left entries, as shown here:

SanJose1#show ip nat translation verbose
Pro Inside global Inside local Outside local Outside global
icmp 42.0.0.55:1536 192.168.0.21:1536 10.0.0.5:1536 10.0.0.5:1536
create 00:00:29, use 00:00:26, left 00:00:33,
flags:
extended, use_count: 0

tcp 42.0.0.55:1114 192.168.0.21:1114 10.0.0.5:21 10.0.0.5:21
create 00:00:16, use 00:00:15, left 00:00:44,
flags:
extended, timing-out, use_count: 0
tcp 42.0.0.55:1113 192.168.0.21:1113 10.0.0.5:23 10.0.0.5:23
create 00:00:22, use 00:00:22, left 23:59:37,
flags:
extended, use_count: 0
tcp 42.0.0.55:1115 192.168.0.21:1115 10.0.0.5:80 10.0.0.5:80
create 00:00:12, use 00:00:11, left 23:59:48,
flags:
extended, use_count: 0

Notice that some of the TCP transactions are using a 24 hour timeout timer. To see the
other timers that can be set, use the ip nat translation ? command while in global
configuration mode, as shown here:

SanJose1(config)#ip nat translation ?
  dns-timeout     Specify timeout for NAT DNS flows
  finrst-timeout  Specify timeout for NAT TCP flows after a FIN or RST
  icmp-timeout    Specify timeout for NAT ICMP flows
  max-entries     Specify maximum number of NAT entries
  port-timeout    Specify timeout for NAT TCP/UDP port specific flows
  syn-timeout     Specify timeout for NAT TCP flows after a SYN and no further data
  tcp-timeout     Specify timeout for NAT TCP flows
  timeout         Specify timeout for dynamic NAT translations
  udp-timeout     Specify timeout for NAT UDP flows

The actual timeout options vary with versions of the IOS. The defaults for some of the
more common timers are:

• dns-timeout DNS session, lasts 60 seconds
• finrst-timeout TCP session after a FIN or RST / end of session, lasts 60 seconds
• icmp-timeout ICMP session, lasts 60 seconds
• tcp-timeout TCP port session, lasts 86,400 seconds or 24 hours
• timeout Dynamic NAT translations, lasts 86,400 seconds or 24 hours
• udp-timeout UDP port session, lasts 300 seconds or 5 minutes

The finrst-timeout timer makes sure that TCP sessions close the related port 60
seconds after the TCP termination sequence.

Dynamic NAT sessions can only be initiated by an internal host. It is not possible to
initiate a NAT translation from outside the network. To some extent, this adds a level of
security to the internal network. It may also help to explain why the dynamic timeout timer
for overload sessions is so short. The session stays open just long enough to make sure
that legitimate replies like Web pages, FTP and TFTP sessions, and ICMP messages
can get in.

In Lab 11.5.1 it was seen that outside hosts can ping the static NAT translations at any
time, provided the inside host is up. This is so Web, FTP, TFTP, DNS, and other types of
servers can be shared with the outside world.

With dynamic NAT not configured for overload, the translation stays up for 24 hours. This
could allow an outside host to try to access the translation and therefore the host. But
with the overload option, the outside host has to be able to recreate the NAT IP address
plus the port number. Therefore, this reduces the likelihood of an unwanted host gaining
access to the system.
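The overload behaviour described in Steps 2 and 3 can be worked through in code. The Python model that follows is added here as an illustration and is not Cisco IOS code or part of the lab; it assumes the default timers listed above (60 s ICMP, 300 s UDP, 24 h TCP, 60 s after a FIN or RST) and the first-address-first allocation observed in Step 2, and it replays the lab's sessions as a constructed packet sequence.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default dynamic timeouts in seconds, as listed by "ip nat translation ?" in the lab.
TIMEOUTS = {"icmp": 60, "udp": 300, "tcp": 86_400}
FINRST_TIMEOUT = 60  # a TCP session is kept only this long after a FIN or RST

# Translation key: (proto, inside local ip, inside local port, outside ip, outside port)
Key = Tuple[str, str, int, str, int]


@dataclass
class Entry:
    inside_global: Tuple[str, int]   # the address:port seen by the outside world
    expires_at: float                # absolute time at which the entry is removed


class PatTable:
    """Toy model of an IOS-style overloaded (PAT) translation table."""

    def __init__(self, pool: List[str]):
        self.pool = pool                     # inside global addresses, in pool order
        self.entries: Dict[Key, Entry] = {}

    def _allocate(self, proto: str, wanted: int, peer: Tuple[str, int]) -> Tuple[str, int]:
        """Keep overloading the first pool address (as the lab observes), prefer the
        host's own source port, and move on only when no port is free for this peer."""
        for ip in self.pool:
            used = {e.inside_global[1] for (p, _, _, oip, oport), e in self.entries.items()
                    if p == proto and e.inside_global[0] == ip and (oip, oport) == peer}
            for port in [wanted] + list(range(1024, 65536)):
                if port not in used:
                    return ip, port
        raise RuntimeError("NAT pool exhausted")

    def expire(self, now: float) -> List[Key]:
        """Drop every entry whose own timer has run out; each session times out alone."""
        gone = [k for k, e in self.entries.items() if e.expires_at <= now]
        for k in gone:
            del self.entries[k]
        return gone

    def outbound(self, now, proto, src, sport, dst, dport) -> Tuple[str, int]:
        """Inside -> outside packet: create or refresh the translation, return global addr:port."""
        self.expire(now)
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            self.entries[key] = Entry(self._allocate(proto, sport, (dst, dport)), 0.0)
        self.entries[key].expires_at = now + TIMEOUTS[proto]   # activity resets only this session
        return self.entries[key].inside_global

    def inbound(self, now, proto, src, sport, dst, dport) -> Optional[Tuple[str, int]]:
        """Outside -> inside packet: admitted only if protocol, global addr:port AND the
        outside peer all match a live entry. Returns inside local addr:port or None (dropped)."""
        self.expire(now)
        for (p, iip, iport, oip, oport), e in self.entries.items():
            if p == proto and e.inside_global == (dst, dport) and (oip, oport) == (src, sport):
                e.expires_at = now + TIMEOUTS[proto]
                return iip, iport
        return None

    def tcp_close(self, now, src, sport, dst, dport) -> None:
        """A FIN or RST on a TCP session shortens its timer to finrst-timeout ('timing-out')."""
        e = self.entries[("tcp", src, sport, dst, dport)]
        e.expires_at = min(e.expires_at, now + FINRST_TIMEOUT)


def run_lab_scenario() -> dict:
    """Replay the lab's sessions (constructed packet sequence) and collect what is observed."""
    nat = PatTable([f"42.0.0.{n}" for n in range(55, 63)])   # MYNATPOOL: 42.0.0.55-.62
    obs = {}
    # t=0: Host A pings both ISP1 interfaces with ICMP id 1536 -> both map to 42.0.0.55:1536,
    # because the outside peer differs, exactly as the lab's show output displays.
    obs["ping_serial"] = nat.outbound(0, "icmp", "192.168.0.21", 1536, "10.0.0.5", 1536)
    obs["ping_loopback"] = nat.outbound(0, "icmp", "192.168.0.21", 1536, "10.0.1.2", 1536)
    # t=1: Host B pings the same peer with the same ICMP id, so its global port is rewritten.
    obs["hostb_ping"] = nat.outbound(1, "icmp", "192.168.0.20", 1536, "10.0.0.5", 1536)
    # t=2..3: Host A telnet and FTP sessions to 10.0.0.5
    obs["telnet"] = nat.outbound(2, "tcp", "192.168.0.21", 1094, "10.0.0.5", 23)
    obs["ftp"] = nat.outbound(3, "tcp", "192.168.0.21", 1095, "10.0.0.5", 21)
    # t=4: the echo reply from 10.0.0.5 is admitted; a packet from another outside host aimed
    # at the same global socket is not, which is the protection Step 3 describes.
    obs["reply_ok"] = nat.inbound(4, "icmp", "10.0.0.5", 1536, "42.0.0.55", 1536)
    obs["unsolicited"] = nat.inbound(4, "icmp", "10.0.99.9", 1536, "42.0.0.55", 1536)
    # t=5: the failed FTP connection is reset, so its 24 h timer collapses to 60 s
    nat.tcp_close(5, "192.168.0.21", 1095, "10.0.0.5", 21)
    # t=75: ICMP (60 s) and the reset FTP entry are gone; the telnet session (24 h) remains
    nat.expire(75)
    obs["remaining"] = sorted(f"{k[0]}:{k[2]}" for k in nat.entries)
    return obs


if __name__ == "__main__":
    for name, value in run_lab_scenario().items():
        print(f"{name:14} {value}")
```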

Step 4.
To see the actual translation process and to troubleshoot NAT problems, use the
debug ip nat command and its related options.

Remember as with all debug commands, this can seriously impair the performance of
the production router and should be used wisely. The undebug all command turns off
all debugging.

On SanJose1, use the debug ip nat command to turn on the debug feature.

From Host A, ping ISP1’s serial interface, 10.0.0.5, and observe the translations as shown
here:

SanJose1#debug ip nat
IP NAT debugging is on
06:37:40: NAT: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [63]
06:37:40: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [63]
06:37:41: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [64]
06:37:41: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [64]
06:37:42: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [65]
06:37:42: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [65]
06:37:43: NAT*: s=192.168.0.21->42.0.0.55, d=10.0.0.5 [66]
06:37:43: NAT*: s=10.0.0.5, d=42.0.0.55->192.168.0.21 [66]
06:38:43: NAT: expiring 42.0.0.55 (192.168.0.21) icmp 1536 (1536)

Turn off debugging.

SanJose1#undebug all
All possible debugging has been turned off

Notice that both translations can be seen as the pings pass both ways through the NAT
router. Notice that the number at the end of the row is the same for both translations of
each ping. The s= indicates the source, d= indicates the destination and -> shows the
translation.

The 06:38:43 in the translations shows the expiration of the NAT translation.

The detailed option can be used with debug ip nat to provide the port numbers as
well as the IP address translations, as shown here:

SanJose1#debug ip nat detailed
IP NAT detailed debugging is on
07:03:50: NAT: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [101]
07:03:50: NAT: address not stolen for 192.168.0.21, proto 1 port 1536
07:03:50: NAT: ipnat_allocate_port: wanted 1536 got 1536
07:03:50: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [101]
07:03:51: NAT*: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [102]
07:03:51: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [102]
07:03:52: NAT*: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [103]
07:03:52: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [103]
07:03:53: NAT*: i: icmp (192.168.0.21, 1536) -> (10.0.0.5, 1536) [104]
07:03:53: NAT*: o: icmp (10.0.0.5, 1536) -> (42.0.0.55, 1536) [104]

Lab 2.5.4: Configuring TCP Load Distribution

Figure: Host A (10.0.2.20 /24) attaches to ISP1 Fa0/0 (10.0.2.1 /24). ISP1 S0/0 (10.0.0.5 /30)
connects to SanJose1 S0/0 (10.0.0.6 /30). SanJose1 Fa0/0 (192.168.0.5 /24) and Web2 Fa0/0
(192.168.0.6 /24) share the inside LAN.

Objective
In this lab, the student will configure NAT with the TCP Load Distribution option. The
student will also learn to use the prefix-length option as an alternative to the
netmask option of the ip nat pool command.

Scenario
The International Travel Agency (ITA) expanded and updated their network. ITA chose to
use the 192.168.0.0 /24 private addresses and NAT to handle connectivity with the
outside world. ITA pays its ISP a monthly fee for each outside IP address it obtains. ITA
has asked that a series of prototypes be set up that demonstrate NAT’s capabilities to
meet ITA’s requirements. The company hopes to be able to get by with 14 real IP
addresses, 42.0.0.48 /28. For a variety of reasons, including security concerns, the
company wishes to hide the internal network from the outside.

ITA’s Web server, 192.168.0.5, is overwhelmed by outside traffic. A pool of two mirrored
servers needs to be created to handle the load. These servers will be addressed as
192.168.0.5 and 192.168.0.6.

Outside users and DNS use the global IP address, 42.0.0.51, to access the Web server.
ITA would like to continue using the single address and have the NAT router distribute
the requests between the two mirrored servers. A prototype needs to be created that will
demonstrate TCP load distribution using NAT.

Step 1.
Build and configure the network according to the diagram. Host A represents a user
outside of ITA’s network. Make sure to configure Host A with the correct default gateway.
Note: SanJose1’s Fast Ethernet interface should be configured with the IP address
192.168.0.5 /24. This is for testing purposes, so that SanJose1 can respond to HTTP
requests directed to 192.168.0.5.

Configure SanJose1 to use a default route to ISP1:

SanJose1(config)#ip route 0.0.0.0 0.0.0.0 10.0.0.5

On ISP1, configure a static route to the global addresses used by SanJose1 for NAT:

ISP1(config)#ip route 42.0.0.48 255.255.255.240 10.0.0.6

Specify an interface on SanJose1 to be used by inside network hosts requiring address
translation:

SanJose1(config)#interface fastethernet0/0
SanJose1(config-if)#ip nat inside

Also specify an interface to be used as the outside NAT interface:

SanJose1(config)#interface serial0/0
SanJose1(config-if)#ip nat outside

Verify that the workstation can ping 10.0.0.5 and 10.0.0.6. Troubleshoot as
necessary.

Step 2.
For testing purposes, configure SanJose1 as a Web server at 192.168.0.5, as shown
here:

SanJose1(config)#ip http server

For the purposes of this lab, another router will act as the second Web server. Configure
this router as shown here:

Router(config)#hostname Web2
Web2(config)#enable password cisco
Web2(config)#ip default-gateway 192.168.0.5
Web2(config)#no ip routing
Web2(config)#interface fastethernet0/0
Web2(config-if)#ip address 192.168.0.6 255.255.255.0
Web2(config-if)#exit
Web2(config)#ip http server

Step 3.
Create a NAT pool to represent the planned Web servers, shown as follows:

SanJose1(config)#ip nat pool WebServers 192.168.0.5 192.168.0.6 prefix-length 24 type rotary

Note: In this command, the keyword prefix-length is used instead of the keyword
netmask. Both keywords specify the subnet mask. The prefix-length option allows
the mask to be specified as a bitcount, 24 instead of 255.255.255.0.
The type rotary sets up a rotation through the designated pool. The name
WebServers is a user defined variable, so it can be any useful word.

Next, create an access list to define the global address that will be used to access the
server pool. Remember to use 42.0.0.51, which was the original Web server IP address
that is known to the outside users:

SanJose1(config)#access-list 50 permit 42.0.0.51

The command that links the pool and the global address is:

SanJose1(config)#ip nat inside destination list 50 pool WebServers

The inside destination indicates that the NAT translations will be established from
the outside network to the inside network.

Step 4.
Ping 42.0.0.51 from Host A. The ping should fail because ping uses ICMP and not
TCP, which is the only protocol supported by the NAT load distribution feature. To test
the configuration, have Host A open a Web browser window.

Type 42.0.0.51 into the address line of the Web browser on Host A. When the following
screen appears, use any username and cisco as the password. Note: the password is
case sensitive. If the router is not configured with cisco as the enable password, then
enter the password that it is configured with instead.

After the login is accepted, a page similar to the following should be seen:

1. What is the inside address of the router whose Web server is being viewed?

Click on the refresh button of the Web browser. A new page should appear, as shown in
the following figure.

2. What is the inside address of the router whose Web server is being viewed?

3. If refresh is clicked again, what will happen?

To verify that SanJose1 is distributing the TCP load between itself and Web2, issue the
show ip nat translation command, as shown here:

SanJose1#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 42.0.0.51:80 192.168.0.5:80 10.0.2.20:1322 10.0.2.20:1322
tcp 42.0.0.51:80 192.168.0.6:80 10.0.2.20:1323 10.0.2.20:1323
tcp 42.0.0.51:80 192.168.0.5:80 10.0.2.20:1324 10.0.2.20:1324
tcp 42.0.0.51:80 192.168.0.6:80 10.0.2.20:1325 10.0.2.20:1325
tcp 42.0.0.51:80 192.168.0.5:80 10.0.2.20:1326 10.0.2.20:1326
tcp 42.0.0.51:80 192.168.0.6:80 10.0.2.20:1327 10.0.2.20:1327
tcp 42.0.0.51:80 192.168.0.5:80 10.0.2.20:1328 10.0.2.20:1328
tcp 42.0.0.51:80 192.168.0.6:80 10.0.2.20:1329 10.0.2.20:1329
tcp 42.0.0.51:80 192.168.0.5:80 10.0.2.20:1330 10.0.2.20:1330
tcp 42.0.0.51:80 192.168.0.6:80 10.0.2.20:1331 10.0.2.20:1331
tcp 42.0.0.51:80 192.168.0.5:80 10.0.2.20:1332 10.0.2.20:1332
tcp 42.0.0.51:80 192.168.0.6:80 10.0.2.20:1333 10.0.2.20:1333
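As an added example (not part of the lab), the Python below takes a constructed copy of the show ip nat translation output above, audits that the rotary pool really alternates between the two mirrored servers, and models why the ICMP ping to 42.0.0.51 in Step 4 fails while TCP connections are rotated.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed copy of the "show ip nat translation" output from this step (header kept).
SHOW_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 42.0.0.51:80       192.168.0.5:80     10.0.2.20:1322     10.0.2.20:1322
tcp 42.0.0.51:80       192.168.0.6:80     10.0.2.20:1323     10.0.2.20:1323
tcp 42.0.0.51:80       192.168.0.5:80     10.0.2.20:1324     10.0.2.20:1324
tcp 42.0.0.51:80       192.168.0.6:80     10.0.2.20:1325     10.0.2.20:1325
tcp 42.0.0.51:80       192.168.0.5:80     10.0.2.20:1326     10.0.2.20:1326
tcp 42.0.0.51:80       192.168.0.6:80     10.0.2.20:1327     10.0.2.20:1327
tcp 42.0.0.51:80       192.168.0.5:80     10.0.2.20:1328     10.0.2.20:1328
tcp 42.0.0.51:80       192.168.0.6:80     10.0.2.20:1329     10.0.2.20:1329
tcp 42.0.0.51:80       192.168.0.5:80     10.0.2.20:1330     10.0.2.20:1330
tcp 42.0.0.51:80       192.168.0.6:80     10.0.2.20:1331     10.0.2.20:1331
tcp 42.0.0.51:80       192.168.0.5:80     10.0.2.20:1332     10.0.2.20:1332
tcp 42.0.0.51:80       192.168.0.6:80     10.0.2.20:1333     10.0.2.20:1333
"""

Row = Tuple[str, str, str, str, str]   # proto, inside global, inside local, outside local, outside global
ROW = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text: str) -> List[Row]:
    """Turn the fixed-column table into tuples, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) != "Pro":
            rows.append(m.groups())
    return rows


def check_rotary(rows: List[Row], virtual: str, servers: List[str]) -> Dict[str, object]:
    """Audit the entries for the virtual address: all TCP, all landing on a known mirrored
    server, and consecutive connections alternating servers as 'type rotary' promises."""
    hits = [r for r in rows if r[1] == virtual]
    real = [r[2].rsplit(":", 1)[0] for r in hits]            # inside local address per entry
    issues = [f"non-tcp entry {r}" for r in hits if r[0] != "tcp"]
    unknown = set(real) - set(servers)
    if unknown:
        issues.append(f"traffic reached servers outside the pool: {sorted(unknown)}")
    alternating = all(a != b for a, b in zip(real, real[1:]))
    return {"count": Counter(real), "alternating": alternating, "issues": issues}


class RotaryPool:
    """Model of 'ip nat inside destination list ... pool ... type rotary': each new TCP
    connection to the virtual address is handed to the next real server in turn; packets
    of other protocols are left untranslated, which is why the ping in Step 4 fails."""

    def __init__(self, virtual: str, servers: List[str]):
        self.virtual, self.servers, self.next = virtual, servers, 0
        self.sessions: Dict[Tuple[str, int, str, int], str] = {}

    def inbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Optional[str]:
        """Return the real server an outside packet is rewritten to, or None if untouched."""
        if proto != "tcp" or dst != self.virtual:
            return None
        key = (src, sport, dst, dport)
        if key not in self.sessions:                      # a new connection rotates the pointer
            self.sessions[key] = self.servers[self.next % len(self.servers)]
            self.next += 1
        return self.sessions[key]                         # existing connections stay put


if __name__ == "__main__":
    print(check_rotary(parse_translations(SHOW_OUTPUT), "42.0.0.51:80",
                       ["192.168.0.5", "192.168.0.6"]))
```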

Remote Access Resources

WAN

Cisco Connection
A book of LAN and WAN terms used by Cisco.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/ita_book.pdf

NAT

Cisco Connection
A detailed overview of NAT, including configuration procedures.
http://www.cisco.com/warp/public/732/nat/

Internet
Overview of NAT from the RFC. Explains the need and usage of NAT.
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1631.html
Overview of NAT and some of its shortcomings and solutions to some
problems. http://www.ehsco.com/reading/19970215ncw1.html
Some things to consider when using NAT and how it works.
http://www.vicomsoft.com/knowledge/reference/nat.html
Peer-to-peer applications, the effect of NAT on them, and solutions.
http://www.alumni.caltech.edu/~dank/peer-nat.html



Section 1

LAN Media
Table of Contents

LAN MEDIA ...................................................................................................................... 1


OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
1.1 LEGACY MEDIA TYPES ................................................................................................................................ 5
1.1.1 Legacy Ethernet .................................................................................................................................. 5
1.1.2 CSMA/CD .......................................................................................................................................... 6
1.1.3 Ethernet addressing............................................................................................................................. 7
1.1.4 Unicast frames.................................................................................................................................... 8
1.1.5 Broadcast frames ................................................................................................................................ 9
1.1.6 Multicast frames ...............................................................................................................................10
1.1.7 LAN frames and hex values ................................................................................................................ 11
1.2 FAST ETHERNET ....................................................................................................................................... 13
1.2.1 10Mbps vs. 100Mbps ......................................................................................................................... 13
1.2.2 Full duplex and half duplex................................................................................................................ 14
1.2.3 100BASE-TX .................................................................................................................................... 16
1.2.4 100BASE-T4 ..................................................................................................................................... 17
1.2.5 100BASE-FX .................................................................................................................................... 18
1.2.6 Practical considerations before moving to Fast Ethernet ...................................................................... 19
1.3 GIGABIT ETHERNET .................................................................................................................................. 21
1.3.1 Specifications.................................................................................................................................... 21
1.3.2 Gigabit architecture .......................................................................................................................... 22
1.3.3 Full duplex and half duplex support.................................................................................................... 23
1.3.4 Gigabit media options ....................................................................................................................... 24
1.4 DETERMINING BANDWIDTH NEEDS ............................................................................................................. 26
1.4.1 Determining bandwidth needs ............................................................................................................ 26
1.4.2 Gathering user statistics .................................................................................................................... 27
1.4.3 Gathering traffic statistics.................................................................................................................. 28
1.4.4 Determining the access-layer requirements ......................................................................................... 29
1.4.5 Determining the distribution-layer requirements.................................................................................. 30
SUMMARY ..................................................................................................................................................... 32

1-2 Switching Section 1: LAN Media Copyright  2002, Cisco Systems, Inc.
Overview

Figure 1 A Traditional Campus Network

Since the inception of local-area networks (LANs) in the 1970s, numerous LAN
technologies have come and gone. The Attached Resource Computer Network
(ARCNet), a coaxial-based LAN technology using a token-bus access method, is
one example of an essentially defunct LAN technology. ARCNet was the basis
for some of the earliest office networks in the 1980s.
ARCNet (2Mbps) was easy to deploy in an office with only a few workstations.
ARCNet (2Mbps) enjoyed limited success on the market because higher-speed
technologies such as 10 Mbps Ethernet and 4Mbps Token Ring were introduced
soon after its inception. With the higher-bandwidth capacity of these newer
technologies and the rapid development of high-speed workstations, ARCNet
was quickly phased out of the marketplace.
LAN technologies such as Ethernet, Token Ring, and Fiber Distributed Data
Interface (FDDI) have managed to remain in existence. [1] The legacy networks
(Ethernet, Token Ring, FDDI) continue to be utilized as distribution and
backbone technologies for both manufacturing and office environments. But,
like ARCNet, even these technologies see higher-speed networks such as Fast
Ethernet and ATM crowding them out. However, due to the wide installation
and use of legacy systems, they will likely remain in place for many more years.
Users will replace Ethernet and Token Ring in phases as applications demand
more bandwidth.
In this chapter, the student will learn about legacy, or standard Ethernet, as well
as Fast Ethernet and Gigabit Ethernet. In addition, the student will also learn
how the access methods operate, some of the physical characteristics of each,
and various frame formats and address types.

Objectives
After completing this chapter, the student will be able to perform tasks
relating to:

1.1 Legacy Media Types

1.2 Fast Ethernet

1.3 Gigabit Ethernet

1.4 Determining Bandwidth Needs

1.1 Legacy Media Types

1.1.1 Legacy Ethernet

Figure 1 Ethernet Technology – Operation

When mainframe computers dominated the industry, user terminals attached
either directly to ports on the mainframe or to a controller that gave the
appearance of a direct connection. Each wire connection was dedicated to an
individual terminal. Users entered data, and the terminal immediately transmitted
signals to the host (the term host here refers to the mainframe, a usage that may
be confusing because normally the term is applied to end systems). Performance
was driven by the horsepower in the host. If the host became overworked, users
experienced delays. Note, though, that the connection between the host and
terminal was not the cause of the delay. The users had full media bandwidth on
the link, regardless of the workload of the host device.
Facility managers installing the connections between the terminals and the host
experienced distance constraints imposed by the terminal line technology of the
host. The technology limited users to locations that lay within a small radius of
the host. Further, labor to install the cables inflated installation and maintenance
expenses. LANs mitigated these issues to a large degree. One of the immediate
benefits of a LAN was to reduce the installation and maintenance costs by
eliminating the need to install dedicated wires to each user. Instead, a single
cable pulled from user to user allowed users to share a common infrastructure
instead of having dedicated infrastructures for each station.
A problem arises when users share a cable, however. Specifically, how does the
network control who uses the cable and when? Broadband technologies such as
cable television (CATV) support multiple users by multiplexing data on different
channels (frequencies). Think of each video signal on a CATV system as a data
stream; each data stream is transported over its own channel.

A CATV system carries multiple channels on a single cable and can therefore
carry multiple data streams concurrently. This is an example of frequency-division
multiplexing (FDM). The initial LANs were conceived as baseband
technologies, which do not have multiple channels. Baseband technologies do
not transmit using FDM. Rather, they use bandwidth sharing, meaning simply
that users take turns transmitting.
Ethernet and other LAN technologies define sets of rules known as access
methods for sharing the cable. The access methods approach media sharing
differently, but have essentially the same end goal in mind.

1.1.2 CSMA/CD

Figure 1 Ethernet Technology – Operation

Carrier sense multiple access collision detect (CSMA/CD) describes the Ethernet
access method. In Ethernet, multiple access is the terminology for many stations
attaching to the same cable and having the opportunity to transmit. No station
has any priority over any other station. However, the stations do need to take
turns, as defined by the access algorithm.
Carrier sense refers to the process of listening before speaking. The Ethernet
device wishing to communicate looks for energy on the media (an electrical
carrier). If a carrier exists, the cable is in use and the device must wait to
transmit. Many Ethernet devices maintain a counter of how many times they
have to defer a transmission. Some devices call the counter a deferral or back-off
counter. If the deferral counter exceeds a threshold value of 15 retries, the device
attempting to transmit assumes that it will never get access to the cable to
transmit the packet. In this situation, the source device discards the frame. This
might happen if there are too many devices on the network, implying that there is
not enough bandwidth available.
When two or more devices on the same segment attempt to transmit at the same
time, a collision occurs. The devices that were transmitting can sense that a
collision has occurred because the power level on the cable exceeds a certain
mark. When stations detect that a collision has occurred, the participants
generate a collision enforcement signal. The enforcement signal lasts as long as
the smallest frame size. In the case of Ethernet, that equates to 64 bytes. This
ensures that all stations know about the collision and that no other station
attempts to transmit during the collision event. If a station experiences too many
consecutive collisions, the station stops attempting to transmit the frame. Some
workstations display an error message to the user; the exact message differs from
platform to platform, but every workstation attempts to convey to the user that it
was unable to send data for one reason or another.

1.1.3 Ethernet addressing

Figure 1 A Simple Ethernet Network

How do stations identify each other? In Ethernet, an application can choose to
address the entire group, a set of hosts, or a specific host within the scope of
communication (the Ethernet segment). Speaking to the group requires a
broadcast; contacting a set of individual stations requires a multicast; and
addressing one end system requires a unicast. Most traffic in a network is unicast
in nature, characterized as traffic from a specific station to another specific
device. Some applications generate multicast traffic. Examples include
multimedia services over LANs. These applications intend for more than one
station to receive the traffic, but not necessarily all the stations.
Video conferencing applications frequently implement multicast addressing to
specify a group of recipients. Networking protocols typically have a need to
create broadcast traffic in certain instances. For example, IP creates broadcast
packets for Address Resolution Protocol (ARP) requests. Routers often transmit
routing updates as broadcasts. AppleTalk, Novell Internetwork Packet Exchange
(IPX), and other Layer 3 protocols create broadcasts to perform name resolution
and to carry out various other functions.
The Figure shows a simple Ethernet system with several devices attached. The
Ethernet adapter card of each device has a 48-bit (6-octet) address built into it
that uniquely identifies the station. This is called the Media Access Control
(MAC) address, or the hardware address. All the devices in a LAN must have a
unique MAC address. Devices express MAC addresses as hexadecimal values.
Sometimes MAC address octets are separated by hyphens "-", sometimes by
colons ":", and sometimes by periods ".". The three formats, 00-60-97-8F-4F-86,
00:60:97:8F:4F:86, and 0060.978F.4F86, all specify the same host.

To help ensure uniqueness, the first three octets indicate the vendor that
manufactured the interface card. This is known as the Organizational Unique
Identifier (OUI). Each manufacturer has a unique IEEE-assigned OUI value.
The last three octets of the MAC address amount to a host identifier for the
device. The last three octets are assigned by the vendor. The combination of OUI
and "host number" creates a unique address for that device. Each vendor is
responsible to ensure that each of the Ethernet adapters that it manufactures has
a unique combination of six octets.

1.1.4 Unicast frames

Figure 1 A Simple Ethernet Network

In a LAN, stations use the Layer 2 MAC address in a frame to identify the
source and destination. When Station 1 transmits to Station 2 in the Figure,
Station 1 generates a frame that includes the Station 2 MAC address (00-60-08-
93-AB-12) for the destination and the Station 1 address (00-60-08-93-DB-C1)
for the source. This is a unicast frame. Because the LAN is a shared media, all
stations on the network receive a copy of the frame. Only Station 2 performs any
processing on the frame; however, all stations compare the destination MAC
address with their own MAC address. If they do not match, the interface module
of the station discards (ignores) the frame. This prevents the packet from
consuming CPU cycles within the device. Station 2, however, sees a match and
sends the packet to the CPU for further analysis. The CPU examines the network
protocol information and the intended application and decides whether to drop or
use the packet.

1.1.5 Broadcast frames

[Figure: a video server sends a 1.5 Mb stream that reaches every station on the segment; three stations are receivers, and one station that is not a receiver must still spend CPU cycles processing the 1.5 MB of data.]

In a broadcast design, an application sends only one copy of each packet using a broadcast address. This method of transmission is easier to implement than unicast applications, but it can have serious effects on the network. Allowing the broadcast to propagate throughout the network places a significant burden on both the network and the hosts connected to it. Routers can be configured to stop broadcasts at the LAN boundary, but this technique limits the receivers according to physical location.

Figure 1 Broadcast Traffic

Not all frames contain unicast destination addresses. Some have broadcast or
multicast destination addresses. Workstations and network devices treat
broadcast and multicast frames differently from unicast frames. Stations view
broadcast frames as public service announcements. When a station receives a
broadcast, the source is saying, "Pay attention, I might have an important
message."
A broadcast frame has a destination MAC address of FF-FF-FF-FF-FF-FF (all
binary 1s). Like unicast frames, all stations receive a frame with a broadcast
destination address. When the interface compares its own MAC address against
the destination address, they do not match. Normally, a station discards the
frame because the destination address does not match its own hardware address.
But broadcast frames are treated differently. Even though the destination and
built-in address do not match, the interface module is designed so that it still
passes the broadcast frame to the processor. This is intentional because the
broadcast frame might have an important request or information. Unfortunately,
probably only one or at most a few stations really need to receive the broadcast
message.
For example, an IP ARP request creates a broadcast frame, even though it
intends for only one station to respond. The source sends the request as a
broadcast because it does not know the destination MAC address and is
attempting to find it. When a source only knows the destination IP address it
creates an ARP request. However, that is not enough information to address a
station on the LAN. The frame must also contain the destination MAC address.
Routing protocols sometimes use broadcast MAC addresses when they announce
their routing tables. For example, by default, routers send IP Routing
Information Protocol (RIP) updates every 30 seconds. The router transmits the
update in a broadcast frame. The router does not necessarily know all the routers
on the network. By sending a broadcast message, the router is sure that all
routers attached to the network will receive the message. There is a downside to
this, however. All devices on the LAN receive and process the broadcast frame,
even though only a few devices really needed the updates. This consumes CPU
cycles in every device. If the number of broadcasts in the network becomes
excessive, workstations cannot do the things they need to do, such as run word
processors or flight simulators.

1.1.6 Multicast frames

Figure 1 Multicast Frames

Multicast frames differ from broadcast frames in a subtle way. Multicast frames
address a group of devices with a common interest. The source sends only one
copy of the frame on the network, even though it intends for several stations to
receive it. When a station receives a multicast frame, it compares the multicast
address with its own address. Unless the card is preconfigured to accept
multicast frames, the multicast is discarded on the interface and does not
consume CPU cycles. (This behaves just like a unicast frame.)
For example, Cisco devices running the Cisco Discovery Protocol (CDP) make
periodic announcements to other locally attached Cisco devices. The information
contained in the announcement is interesting only to other Cisco devices (and the
network administrator). To make the announcement, the Cisco source could send
a unicast to each Cisco device. That however, means multiple transmissions on
the segment, which consume network bandwidth with redundant information.
Furthermore, the source might not know about all the local Cisco devices and
could, therefore, choose to send one broadcast frame. All Cisco devices would
receive the frame. Unfortunately, so would all third-party devices. The last
alternative is a multicast address. Cisco has a special multicast address reserved,
01-00-0C-CC-CC-CC, which enables Cisco devices to transmit to all other Cisco
devices on the segment. All third-party devices ignore this multicast message.
Open Shortest Path First (OSPF), an IP routing protocol, sends out routing
updates via a specially reserved multicast address. The reserved multicast OSPF
IP addresses 224.0.0.5 and 224.0.0.6 translate to MAC multicast addresses of 01-
00-5E-00-00-05 and 01-00-5E-00-00-06. Only router interfaces configured to
receive OSPF announcements will process these packets. All other devices filter
the frame.
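The following Python example is added here as an illustration and is not part of the Cisco course material. It parses a MAC address written in any of the three notations shown in section 1.1.3, extracts the OUI, and classifies the address as unicast, broadcast, or multicast using the individual/group bit of the first octet, the property that lets an interface decide whether to pass a frame to the CPU. It also maps an IPv4 multicast group such as the OSPF address 224.0.0.5 to its 01-00-5E MAC address. The sample addresses are the ones quoted in sections 1.1.3 to 1.1.6; the function names are the example's own, and the 23-bit IP-to-MAC mapping rule comes from RFC 1112, which the course text does not cite.

```python
import re
import ipaddress

# Constructed samples: the three notations for one host quoted in the text,
# and the reserved addresses discussed in sections 1.1.5 and 1.1.6.
SAMPLE_FORMATS = ["00-60-97-8F-4F-86", "00:60:97:8F:4F:86", "0060.978F.4F86"]
BROADCAST = bytes([0xFF] * 6)
CISCO_CDP_GROUP = bytes.fromhex("01000CCCCCCC")


def parse_mac(text: str) -> bytes:
    """Accept hyphen, colon, or dotted notation and return the six raw octets.

    After the separators are stripped the remainder must be exactly twelve hex
    digits, so a truncated or padded string is rejected rather than silently
    accepted as a valid address."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_valid_mac(text: str) -> bool:
    try:
        parse_mac(text)
        return True
    except ValueError:
        return False


def canonical(mac: bytes) -> str:
    """Hyphen-separated upper-case form, the notation used in the text."""
    return "-".join(f"{b:02X}" for b in mac)


def oui(mac: bytes) -> str:
    """First three octets: the IEEE-assigned Organizational Unique Identifier."""
    return canonical(mac[:3])


def classify(mac: bytes) -> str:
    """All ones is broadcast. Otherwise the least significant bit of the first
    octet (the individual/group bit) tells a group address from an individual one."""
    if mac == BROADCAST:
        return "broadcast"
    if mac[0] & 0x01:
        return "multicast"
    return "unicast"


def ipv4_multicast_to_mac(group: str) -> bytes:
    """Map an IPv4 multicast group to its MAC address: prefix 01-00-5E followed
    by the low 23 bits of the group address (RFC 1112 rule, not from the text)."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return bytes.fromhex("01005E") + low23.to_bytes(3, "big")


def describe(text: str) -> dict:
    """Everything a frame filter needs to know about one address string."""
    mac = parse_mac(text)
    return {
        "canonical": canonical(mac),
        "oui": oui(mac),
        "kind": classify(mac),
        "cisco_cdp_group": mac == CISCO_CDP_GROUP,
    }


if __name__ == "__main__":
    for s in SAMPLE_FORMATS + ["FF-FF-FF-FF-FF-FF", "01-00-0C-CC-CC-CC"]:
        print(s, describe(s))
    print("224.0.0.5 ->", canonical(ipv4_multicast_to_mac("224.0.0.5")))
```

Because the three notations all normalize to the same six octets, a filter or an inventory tool that keys on the canonical form will not treat one host as three different devices.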

1.1.7 LAN frames and hex values

Figure 1 Common Ethernet Frame Formats

Figure 2 Common Routed Protocols and Their Hex Type Values

When stations transmit to each other on a LAN, they format the data in a
structured manner so that devices know what octets signify what information.
Various frame formats are available. When configuring a device, define the
format that the station will use, realizing that more than one format might be
configured, as is the case for a router.
Figure [1] illustrates four common frame formats for Ethernet. Some users
interchange the terms packets and frames rather loosely. However, according to
RFC 1122, a significant difference does exist. Frames refer to the entire
message, from the data link layer (Layer 2) header information through and
including the user data. Packets exclude Layer 2 headers and include only the
Layer 3 protocol header through and including user data.
The frame formats developed as the LAN industry and associated protocol
requirements evolved. When Xerox developed the original Ethernet (which was
later adopted by the industry), a frame format like the Ethernet frame in Figure
was defined. The first six octets contain the destination MAC address, and the
next six octets contain the source MAC address. Two bytes following that
indicate to the receiver the type of Layer 3 protocol encapsulated within the data
portion of the frame. For example, if the frame encapsulates an IP packet, then
the type field value is 0x0800. Figure [2] lists several common protocols and
their associated type values.
Following the type value, the receiver expects to see a protocol header. For
example, if the type value indicates that the packet is IP, the receiver expects to
decode IP headers next. If the value is 8137, the receiver decodes the
encapsulated packet as a Novell packet.
IEEE defined an alternative frame format. In the IEEE 802.3 formats, the source
and destination MAC addresses remain, but instead of a type field value, the
packet length is indicated. Three derivatives of this format are used in the
industry: raw 802.3, 802.3 with 802.2 Logical Link Control (LLC), and 802.3
with 802.2 and Subnetwork Access Protocol (SNAP).
A receiver recognizes that a packet follows 802.3 formats rather than Ethernet
formats by the value of the 2-byte field following the source MAC address. If the
value falls within the range of 0x0000 and 0x05DC (1500 decimal), the value
indicates length; protocol type values begin after 0x05DC, in which case the
frame type is Ethernet Version II. Further, if the 16-bit value following the
type/length field is 0xAAAA, then the frame is a SNAP (or IEEE 802.3 SNAP)
frame; if this value is 0xFFFF, then the frame is a raw 802.3 (or Novell 802.3
raw) frame; otherwise, it is an 802.3 with 802.2 LLC (or IEEE 802.3) frame.
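The following Python example is added here to show the receiver-side decision just described; it is not code from the Cisco course. It applies the rules of this section in order: a type/length value above 0x05DC marks Ethernet Version II and is the type value; otherwise the value is an 802.3 length, and the next 16 bits select SNAP (0xAAAA), Novell raw 802.3 (0xFFFF), or 802.3 with 802.2 LLC. Every length read from the wire is checked against the bytes that actually arrived before it is used, so a frame whose length field overstates its data is rejected instead of producing a bad payload. The sample frames are constructed for the example using the Station 1 and Station 2 addresses from section 1.1.4, and the SNAP layout (AA AA 03, a 3-byte OUI, then a 2-byte type) and the 1-byte unnumbered LLC control field are assumptions the course text does not spell out.

```python
import struct

# Type/length boundary from the text: values up to 0x05DC (1500) are an
# IEEE 802.3 length; larger values are an Ethernet Version II type.
MAX_8023_LENGTH = 0x05DC
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137  # Novell, from Figure 2 of this section
HEADER_LEN = 14


def fmt_mac(octets: bytes) -> str:
    return "-".join(f"{b:02X}" for b in octets)


def classify_frame(frame: bytes) -> dict:
    """Identify the framing and locate the Layer 3 payload.

    Raises ValueError for a truncated header or a length field that claims
    more data than the frame carries."""
    if len(frame) < HEADER_LEN:
        raise ValueError(f"truncated header: {len(frame)} bytes")
    dst, src = frame[:6], frame[6:12]
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    result = {"dst": fmt_mac(dst), "src": fmt_mac(src), "ethertype": None}

    if type_or_len > MAX_8023_LENGTH:
        result.update(format="Ethernet II", ethertype=type_or_len,
                      payload=frame[HEADER_LEN:])
        return result

    # 802.3: the field is a length; validate it before slicing on it.
    payload = frame[HEADER_LEN:HEADER_LEN + type_or_len]
    if len(payload) < type_or_len:
        raise ValueError(f"length field {type_or_len} but only "
                         f"{len(payload)} data bytes present")
    if type_or_len < 2:
        raise ValueError("802.3 payload too short to carry an LLC header")
    (marker,) = struct.unpack("!H", payload[:2])
    if marker == 0xAAAA:
        # SNAP (assumed layout): DSAP AA, SSAP AA, control 03, OUI, type
        if len(payload) < 8:
            raise ValueError("SNAP header truncated")
        (snap_type,) = struct.unpack("!H", payload[6:8])
        result.update(format="802.3 SNAP", ethertype=snap_type,
                      payload=payload[8:])
    elif marker == 0xFFFF:
        # Novell raw 802.3: the IPX header follows the length field directly
        result.update(format="802.3 raw", payload=payload)
    else:
        # 802.2 LLC: DSAP, SSAP, and (assumed) a 1-byte unnumbered control
        result.update(format="802.3 LLC", payload=payload[3:])
    return result


def is_malformed(frame: bytes) -> bool:
    """True when the frame cannot be parsed safely (truncated or lying length)."""
    try:
        classify_frame(frame)
        return False
    except ValueError:
        return True


# Constructed sample frames using the Station 2 / Station 1 addresses from the text.
DST = bytes.fromhex("00600893AB12")
SRC = bytes.fromhex("00600893DBC1")
IP_STUB = b"\x45\x00" + b"\x00" * 18  # first bytes of a constructed IPv4 header


def build_ethernet_ii(ethertype: int, data: bytes) -> bytes:
    return DST + SRC + struct.pack("!H", ethertype) + data


def build_8023(llc_and_data: bytes) -> bytes:
    return DST + SRC + struct.pack("!H", len(llc_and_data)) + llc_and_data


SAMPLES = {
    "ip_over_ethernet_ii": build_ethernet_ii(ETHERTYPE_IPV4, IP_STUB),
    "ip_over_snap": build_8023(bytes.fromhex("AAAA03000000")
                               + struct.pack("!H", ETHERTYPE_IPV4) + IP_STUB),
    "ipx_raw_8023": build_8023(b"\xFF\xFF" + b"\x00" * 28),
    "llc_8023": build_8023(bytes.fromhex("E0E003") + b"\x00" * 20),
    "bad_length": DST + SRC + struct.pack("!H", 100) + b"\x00" * 10,
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "malformed" if is_malformed(frame)
              else classify_frame(frame)["format"])
```

The order of the checks matters: the type/length comparison has to come first, because 0xAAAA and 0xFFFF only have their SNAP and raw meanings when the preceding field was a length.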

1.2 Fast Ethernet

1.2.1 10Mbps vs. 100Mbps

Figure 1 10Mbps vs. 100Mbps

When Ethernet technology first became available to users, the 10Mbps bandwidth seemed
like an unlimited resource. However, workstations have developed quite rapidly
since then, and applications demand much more data in shorter amounts of time.
When the data comes from remote sources rather than from a local storage
device, the application needs more network bandwidth. Many new applications
actually find 10 Mbps to be too slow. For example, think about a surgeon
downloading an image from a server over a 10Mbps shared-media network.
He/she needs to wait for the image to download so that he/she can begin an
operation. If the image is a 100MB high-resolution image, it could take awhile to
receive the image. Suppose the shared network makes the available user
bandwidth about 500 kbps on the average. It would take the physician 27
minutes to download the image.
The hospital administration would be exposing themselves to surgical
complications at worst and idle physician time at best. Obviously, this is not an
ideal situation. Clearly, more bandwidth would be needed to support this medical
application.
Recognizing the growing demand for higher-speed networks, the IEEE formed
the 802.3u committee to begin work on a 100Mbps technology that works over
twisted-pair cables. In June 1995, IEEE approved the 802.3u specification
defining a system that offered vendor interoperability at 100 Mbps.
Like 10Mbps systems such as 10BASE-T, the 100Mbps systems use CSMA/CD,
but provide a huge improvement over legacy 10Mbps networks. Because they
operate at ten times the speed of 10Mbps Ethernet, all timing factors scale by a
factor of 10. For example, the slot time (the time it takes to transmit a 64-byte, or
512-bit, frame) for 100Mbps Ethernet is 5.12 microseconds, one-tenth that of
10Mbps Ethernet.
An objective of the 100BASE-X standard (here the X is a variable whose value
correlates to a particular 100Mbps standard) was to maintain a common frame
format with legacy Ethernet. Therefore, 100BASE-X uses the same frame sizes
and formats as 10BASE-X. Everything else scales by one-tenth because of the
higher data rate. When passing frames from a 10BASE-X to a 100BASE-X
system, the interconnecting device does not need to recreate the frame Layer 2
header because they are identical on the two systems.
The original Ethernet over twisted-pair cable standard, 10BASE-T supports
Category 3, 4, and 5 cables up to 100 meters in length. The 10BASE-T Ethernet
uses the Manchester encoding technique and signals at 20 megahertz (MHz), a
level well within the bandwidth capacity of all three cable types. Because of the
higher signaling rate of 100BASE-T, creating a single method to work over all
cable types was highly unlikely. The encoding technologies that were available
at the time forced IEEE to create variants of the standard to support both
Category 3 and 5 cables. A fiber-optic version was created as well.

1.2.2 Full duplex and half duplex

Figure 1 Half-Duplex Ethernet Design (Standard Ethernet)

Figure 2 Full-Duplex Ethernet Design

This chapter began with discussion about legacy Ethernet and CSMA/CD.
Legacy Ethernet uses CSMA/CD because it operates on a shared media where
only one device can talk at a time. When a station talks, all other devices must
listen or else the system experiences a collision. In a 10Mbps system operating at
half-duplex, the total bandwidth available is dedicated to transmitting or
receiving, depending upon whether the station is the source or the destination.
The original LAN standards operate in half-duplex mode, allowing only one
station to transmit at a time as shown in Figure [1]. This was a result of the early
physical media Ethernet implementations, such as 10BASE-5 and 10BASE-2,
where all stations were attached to the same cable or "bus." With the
introduction of 10BASE-T, networks deployed hubs and attached each station to
a hub on a dedicated point-to-point link. Stations do not share the wire in this
topology. The 100BASE-X Ethernet uses hubs with dedicated point-to-point
links. Because each link is not shared, a new operational mode becomes feasible.
Rather than running in half-duplex mode, the systems can operate in full-duplex
mode, which allows stations to transmit and receive at the same time, as shown
in Figure [2], eliminating the need for collision detection. This provides a
tremendous asset of possibly the most precious network commodity: bandwidth.
When a station operates in full-duplex mode, the station transmits and receives
at full bandwidth in each direction.
The most bandwidth that a legacy Ethernet device can expect to enjoy is 10
Mbps. It either listens at 10 Mbps or transmits at 10 Mbps. In contrast, a
100BASE-X device operating in full-duplex mode sees 200 Mbps of bandwidth:
100 Mbps for transmitting and 100 Mbps for receiving. Users upgraded from
10BASE-T to 100BASE-X have the potential to immediately enjoy a twentyfold
or more bandwidth improvement. If the user was previously attached to a shared
10Mbps system, he/she might practically enjoy only a few megabits per second
of effective bandwidth. Upgrading to a full-duplex 100Mbps system might
provide a perceived one-hundredfold improvement.

The IEEE 802.3x committees designed standards for full-duplex operations for
10BASE-T, 100BASE-X, and 1000BASE-X. The 802.3x standards also defined
a flow-control mechanism, which allows a receiver to send a special frame back
to the source whenever the receiver buffers overflow. The receiver sends a
special packet called a pause frame. In the pause frame, the receiver can request
the source to stop sending for a specified period of time. If the receiver can
handle incoming traffic again before the timer value in the pause frame expires,
the receiver can send another pause frame with the timer set to zero. This tells
the receiver that it can start sending again.

1.2.3 100BASE-TX

Figure 1 100BASE-X Media Comparisons

Many existing 10Mbps twisted-pair systems use a cabling infrastructure based
upon Category 5 unshielded twisted-pair (UTP) and shielded twisted-pair (STP).
The devices use two wire pairs within the cable: one pair on pins 1 and 2 for
transmit and one pair on pins 3 and 6 for receive and collision detection. The
100BASE-TX Ethernet format also uses this infrastructure. The existing
Category 5 cabling for 10BASE-T should support 100BASE-TX, also implying
that 100BASE-TX works up to 100 meters, the same as 10BASE-T. 100BASE-
TX Ethernet format uses an encoding scheme like FDDI of 4B/5B. This
encoding scheme adds a fifth bit for every four bits of user data. That means
there is a 25-percent overhead in the transmission required to support the
encoding.

1.2.4 100BASE-T4

Figure 1 100BASE-X Media Comparisons

Not all building infrastructures use Category 5 cable; some use Category 3.
Category 3 cable was installed in many locations to support voice transmission,
and it is frequently referred to as voice-grade cable. It is tested for voice and
low-speed data applications up to 16 megahertz (MHz). Category 5 cable, on the
other hand, is intended for data applications, and is tested up to 100 MHz.
Because Category 3 cable exists in so many installations, and because many
10BASE-T installations are on Category 3 cable, the IEEE 802.3u committee
included this as an option.
As with 10BASE-T, 100BASE-T4 links work up to 100 meters. To support the
higher data rates, 100BASE-T4 uses more cable pairs. Three pairs support
transmission and one pair supports collision detection. Another technology
aspect to support the high data rates over a lower bandwidth cable comes from
the encoding technique used for 100BASE-T4. 100BASE-T4 uses an encoding
method of 8B/6T (8 bits/6 ternary signals), thus significantly lowering the
signaling frequency and making it suitable for voice-grade wire.

1.2.5 100BASE-FX

Figure 1 100BASE-X Media Comparisons

The 802.3u specification identifies a variant for single-mode and multimode
fiber-optic cables. The 100BASE-FX Ethernet format uses two strands (one pair)
of fiber-optic cables, one for transmitting and one for receiving. Like 100BASE-
TX, 100BASE-FX uses a 4B/5B encoding signaling at 125 MHz on the optical
fiber. When should the fiber-optic version be used? In situations with extended
distance requirements, electrical interference concerns or security concerns. One
clear case is when distances greater than 100 meters need to be supported.
Multimode supports up to 2000 meters in full-duplex mode, and 412 meters in
half-duplex mode. Single-mode works up to 10 kilometers (km), a significant
distance advantage. Other advantages of fiber include its electrical isolation
properties.
For example, if the cable needs to be installed in areas where there are high
levels of radiated electrical noise (near high-voltage power lines or
transformers), fiber-optic cable is best. The immunity of the cable to electrical
noise makes it ideal for this environment. If installing the system in an
environment where lightning frequently damages equipment, or where ground
loops exist between buildings on a campus, use fiber. Fiber-optic cable carries
no electrical signals to damage the equipment.
In security-conscious locations, fiber offers a more secure solution than copper,
because it is more difficult to tap and does not give off radio frequency (RF) emissions.
Note that the multimode fiber form of 100BASE-FX specifies two distances. If
the equipment is running in half-duplex mode, transmission is limited to only
412 meters. Full-duplex mode reaches up to 2 kilometers (km).

1.2.6 Practical considerations before moving to Fast
Ethernet

Figure 1 An Extended 100BASE-X Network with Catalyst Switches

The 100BASE-X networks offer at least a tenfold increase in network bandwidth
over shared legacy Ethernet systems. In a full-duplex network, the bandwidth
increases twentyfold. Is all this bandwidth really needed? After all, many
desktop systems cannot generate anywhere near 100 Mbps of traffic. Most
network systems are best served by a hybrid of network technologies. Some
users are content on a shared 10Mbps system. These users normally do little
more than e-mail, Telnet, and simple Web browsing. The interactive applications
they use demand little network bandwidth, so the user rarely notices delays in
usage. Of the applications mentioned for this user, Web browsing is most
susceptible to delay because many pages incorporate graphic images that can
take some time to download if the available network bandwidth is low.
If the user does experience delays that affect work, increase the user's
bandwidth by doing the following:
• Upgrade the user to 10BASE-T full duplex and immediately double the
bandwidth.
• Upgrade the user to 100BASE-X half duplex.
• Upgrade the user to 100BASE-X full duplex.
The choice of option depends upon the user's application needs and the
workstation capability. If the user's applications are mostly interactive, either of
the first two options will likely suffice.
However, if the user transfers large files, as in the case of a physician retrieving
medical images, or if the user frequently needs to access a file server, 100BASE-
X full duplex might be most appropriate.

Another appropriate use of Fast Ethernet is for backbone segments. A corporate
network often has an invisible hierarchy where distribution networks to the users
are lower-speed systems, whereas the networks interconnecting the distribution
systems operate at higher rates. The decision to deploy Fast Ethernet as part of
the infrastructure is driven by corporate network needs, as opposed to individual
user needs, as previously considered.

1.3 Gigabit Ethernet

1.3.1 Specifications

Figure 1 Specifications

Another higher-bandwidth technology became available in June 1998. Gigabit
Ethernet (IEEE standard 802.3z) specifies operations at 1000 Mbps, another
tenfold bandwidth improvement. It was discussed earlier how stations are hard-
pressed to fully utilize 100Mbps Ethernet. Why then is gigabit-bandwidth
technology needed? Gigabit Ethernet proponents expect to find it as either a
backbone technology or as a pipe into very-high-speed file servers. This
contrasts with Fast Ethernet in that network administrators can deploy Fast
Ethernet to clients or servers, or use it as a backbone technology.
In a switched network, Gigabit Ethernet interconnects switches to form a high-
speed backbone. The switches in the figure have low-speed stations connecting
to them (10 and 100 Mbps), but have 1000Mbps to pass traffic between
switches. A file server in the network also benefits from a 1000Mbps connection
supporting more concurrent client accesses.

1.3.2 Gigabit architecture

Figure 1 Gigabit Architecture

Gigabit Ethernet merges aspects of 802.3 Ethernet and fiber channel, a gigabit
technology intended for high-speed interconnections between file servers as a
LAN replacement. The fiber-channel standard details a layered network model
capable of scaling to bandwidths of 4 gigabits per second (Gbps) and to extend
to distances of 10 km. Gigabit Ethernet borrows the bottom two layers of the
standard: FC-1 for encoding/decoding and FC-0, the interface and media layer.
FC-0 and FC-1 replace the physical layer of the legacy 802.3 model. The 802.3
MAC and LLC layers contribute to the higher levels of Gigabit Ethernet. The
Figure illustrates the merger of the standards to form Gigabit Ethernet.
The fiber-channel standard incorporated by Gigabit Ethernet transmits at 1.062
MHz over fiber optics and supports 800Mbps data throughput. Gigabit Ethernet
increases the signaling rate to 1.25 gigahertz (GHz). Further, Gigabit Ethernet
uses 8B/10B encoding, meaning that 1 Gbps is available for data. The 8B/10B
encoding is similar to 4B/5B discussed for 100BASE-TX, except that for every 8
bits of data, 2 bits are added, creating a 10-bit symbol. This encoding technique
simplifies fiber-optic designs at this high data rate. The optical connector used
by fiber channel, and therefore by Gigabit Ethernet, is the switching controller
(SC) style connector. This is the push-in/pull-out, or snap-and-click connector
used by manufacturers to overcome deficiencies with the snap-and-twist (ST)
style connector. The ST style connector previously preferred was a bayonet-type
connector that required finger space on the front panel to twist the connector into
place. The finger-space requirement reduced the number of ports that could be
built into a module.

1.3.3 Full duplex and half duplex support

Figure 1 Full-Duplex and Half-Duplex Support

Like Fast Ethernet, Gigabit Ethernet supports both full- and half-duplex modes
with flow control. In half-duplex mode, the system operates using CSMA/CD
and must consider the reduced slotTime even more than Fast Ethernet. The
slotTimes for 10BASE-X and 100BASE-X networks are 51.2 and 5.12
microseconds, respectively. These are derived from the smallest frame size of 64
octets. In the 100BASE-X network, the slotTime translates into a network
diameter of about 200 meters. If the same frame size is used in Gigabit Ethernet,
the slotTime reduces to 0.512 microseconds and about 20 meters in diameter.
This is not feasible. Therefore, 802.3z developed a carrier extension that enables
the network distance to extend further in half-duplex mode and still support the
smallest 802.3 packets.
The carrier-extension process increases the slotTime value to 4096 bits or 4.096
microseconds. The transmitting station expands the size of the transmitted frame
to ensure that it meets the minimal slotTime requirements by adding nondata
symbols after the frame check sequence (FCS) field of the frame. Not all frame
sizes require carrier extension. The 8B/10B encoding scheme used in Gigabit
Ethernet defines various combinations of bits called symbols. Some symbols
signal real data, whereas the rest indicate nondata. The station appends these
nondata symbols to the frame. The receiving station identifies the nondata
symbols, strips off the carrier extension bytes, and recovers the original message.
The figure shows the anatomy of an extended frame.
The addition of the carrier extension bits does not change the actual Gigabit
Ethernet frame size. The receiving station still expects to see no fewer than 64
octets and no more than 1518 octets.

1.3.4 Gigabit media options

Figure 1 Gigabit Ethernet Media Options

IEEE 802.3z specified several media options to support different grades of fiber-
optic cable and one version to support a new copper cable implementation. The
fiber-optic options vary according to the size of the fiber and the modal
bandwidth. The table in the graphic summarizes the options and the distances
supported by each.
The 1000BASE-SX Ethernet format uses the short wavelength of 850
nanometers (nm). Although this is a laser-based system, the distances supported
are generally shorter than for 1000BASE-LX. This results from the interaction of
the light with the fiber cable at this wavelength. Why use 1000BASE-SX then?
Because the components are less expensive than for 1000BASE-LX. Use this
least-expensive method for short distances (for example, within an equipment
rack).
In fiber-optic systems, light sources differ in the type of device (LED or laser)
generating the optical signal and in the wavelength they generate. Wavelength
correlates to the frequency of radio frequency (RF) systems. In the case of
optics, wavelength is specified rather than the frequency. In practical terms, this
corresponds to the color of the light.
Typical wavelengths are 850 and 1300 nm; 850-nm light is visible to the human
eye as red, whereas 1300 nm is invisible. The 1000BASE-LX Ethernet format
uses 1300-nm optical sources. In fact, the L of LX stands for long wavelength.
The 1000BASE-LX Ethernet uses laser sources. Use the LX option for longer-
distance requirements. If single mode must be used, use LX. Be careful when
using fiber-optic systems. Do not look into the port or the end of a fiber. It can
be hazardous to eyes.
Not included in the table in the figure to the left is a copper media option. The
1000BASE-CX Ethernet format uses a 150-ohm balanced shielded copper cable.
This new cable type is not well-known in the industry, but is necessary to
support high-bandwidth data over copper. The 1000BASE-CX Ethernet format
supports transmissions up to 25 meters. It is intended to be used to interconnect
devices collocated within an equipment rack. This is appropriate when Catalyst
switches are stacked in a rack and a high-speed link between them is desired,
but the expense of fiber-optic interfaces is too high.
Another copper version is the 1000BASE-T standard, which uses Category 5
twisted-pair cable. It supports up to 100 meters, and uses all four pairs in the
cable. This offers another low-cost alternative to 1000BASE-SX and
1000BASE-LX and does not depend upon the special cable used with
1000BASE-CX. This standard is under the purview of the IEEE 802.3ab
committee.

1.4 Determining Bandwidth Needs

1.4.1 Determining bandwidth needs

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

In order to determine the bandwidth needed for each link, one must determine
the aggregate average bandwidth of all devices that will use that link. The figure
shows a sample network topology that uses both standard Ethernet and Fast
Ethernet links. In the following sections, information about user traffic patterns
and network connections will be presented and a decision made as to whether or
not a Fast Ethernet link will be sufficient.

1.4.2 Gathering user statistics

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

The following list outlines the user statistics for this sample network.
• One thousand users are housed in this building.
• Each floor houses 100 users.
• Each floor has one 24-port 10Mbps switch, allowing four users per port
via use of a hub.
• Shared-media Ethernet can support approximately 4 Mbps of data under
load; therefore, in this example each user has 1 Mbps of bandwidth.
• User standard applications are e-mail and word processing.
• Each floor is a separate IP subnet.

1.4.3 Gathering traffic statistics

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

Figure 2 Example Statistics

When determining bandwidth use in campus networks, many network
administrators simply put as much bandwidth as possible in the uplinks from the
access layer to the distribution layer and from the distribution layer to the core
layer. In general, aggregate bandwidth of the access-layer devices should not
exceed the bandwidth of the link they use to reach the distribution-layer switch.
Further, the aggregate of all uplinks to the distribution switches should not
exceed the bandwidth of the links to the core layer. These rules will help avoid a
"bottleneck" situation where one link is overloading another link.
The following list outlines the traffic characteristics of the sample
network. [1]
• Eighty percent of the user traffic remains local to the floor.
• Twenty percent of the traffic must cross the core and reach the e-mail
server.
• If all users simultaneously accessed the network, the switch would
receive 24 ports x 4 Mbps, yielding an aggregate bandwidth of 96
Mbps.
Table [2] outlines these statistics.

1.4.4 Determining the access-layer requirements

Figure 1 A Network Topology Using Ethernet and Fast Ethernet Links

As calculated in the previous section, the link between the access- and
distribution-layer switches must be capable of carrying up to 96 Mbps of traffic.
The decision for the type of link depends on the following factors:
• If the link is Fast Ethernet in full-duplex mode, the link is capable of carrying 100 Mbps of traffic in each direction. This type of link would support a 96-Mbps load, although with very little headroom for growth.
• If the link is standard Ethernet in full-duplex mode, the link is capable of
carrying 10 Mbps of traffic. This capacity is one-tenth the offered load,
and packets would be dropped after switch and port buffers are
consumed. If this situation is unacceptable, then Fast Ethernet must be
chosen.
• If virtual LANs (VLANs) are implemented in this network, then it is
possible that the link may have to operate in "trunk" mode. If this were
the case, then Fast Ethernet would be required.

1.4.5 Determining the distribution-layer requirements

Figure 1 Determining the Distribution-Layer Requirements

In this example, the distribution layer must be capable of providing the following
capacity:
• Total load at the distribution-layer switch is the number of access
switches x 96 Mbps. In this scenario, there are ten access switches, or 10
x 96 Mbps, yielding a 960Mbps aggregate bandwidth requirement at the
distribution layer.
• Eighty percent of the traffic is local to the switch block and is not routed
across the core.
• Twenty percent of the traffic is remote and is routed toward the core.
• Taking into consideration that only 20 percent of traffic is remote, 20
percent x 960 Mbps, yields 192 Mbps of traffic that must be able to
cross the core.
This sample network supports a redundant core; therefore, each core subnet would carry 50 percent of the remote traffic load, or 96 Mbps. Given this amount of traffic, the distribution switch must be capable of switching about 187,000 packets per second, which is the rate at which 96 Mbps of minimum-size (64-byte) frames arrives.
The Layer 3 module of the distribution-layer switch is responsible for routing the remote traffic to the core. Therefore, a switch must be chosen that supports this amount of traffic.
This topology presents no redundancy between the end user and the core. If the link between an access switch and the distribution device fails, 100 users lose connectivity. If the distribution device fails, the whole building is disconnected from the network. One solution is to add a second distribution switch with backup links to each access switch.
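The capacity arithmetic of sections 1.4.2 through 1.4.5 can be carried through for any switch block rather than only the sample building. The following Python script is an added example and is not part of the Cisco course material: it takes the sample network's figures as parameters, applies the 1.4.3 rule that an uplink must carry the aggregate offered to it, and derives the per-link core load and the forwarding rate it implies. The 64-byte frame size used for the packets-per-second figure is the minimum Ethernet frame, without preamble or inter-frame gap, which is the assumption that reproduces the course's 187,000 pps figure; the 1518-byte case is added for contrast.

```python
# Added example: campus switch-block capacity arithmetic from sections 1.4.2-1.4.5.
# Not part of the Cisco course material. The sample building's numbers are passed
# in as parameters so the same functions apply to any switch block.

from dataclasses import dataclass


@dataclass
class SwitchBlock:
    access_switches: int      # access switches feeding one distribution switch
    ports_per_switch: int     # ports on each access switch
    mbps_per_port: float      # load each port can offer (4 Mbps for a shared hub)
    remote_fraction: float    # share of traffic that must cross the core
    core_links: int           # redundant core links sharing the remote load


def access_uplink_mbps(b: SwitchBlock) -> float:
    """Worst-case aggregate load one access switch can offer to its uplink."""
    return b.ports_per_switch * b.mbps_per_port


def distribution_mbps(b: SwitchBlock) -> float:
    """Aggregate load arriving at the distribution switch from all access switches."""
    return b.access_switches * access_uplink_mbps(b)


def core_mbps_per_link(b: SwitchBlock) -> float:
    """Remote traffic split evenly across the redundant core links."""
    return distribution_mbps(b) * b.remote_fraction / b.core_links


def packets_per_second(mbps: float, frame_bytes: int = 64) -> int:
    """Forwarding rate needed to carry `mbps` at a given frame size.

    64-byte frames with no preamble or inter-frame gap is the assumption behind
    the course's 187,000 pps figure; it is the worst case for the switching
    engine, which has to make a forwarding decision per frame.
    """
    return round(mbps * 1_000_000 / (frame_bytes * 8))


def uplink_is_sufficient(offered_mbps: float, link_mbps: float) -> bool:
    """The 1.4.3 rule: the uplink must be at least the aggregate it must carry."""
    return offered_mbps <= link_mbps


def plan(b: SwitchBlock, uplink_mbps: float = 100.0) -> dict:
    """Derive every figure the text computes, for the given uplink technology."""
    access = access_uplink_mbps(b)
    dist = distribution_mbps(b)
    core = core_mbps_per_link(b)
    return {
        "access_uplink_mbps": access,
        "access_uplink_ok": uplink_is_sufficient(access, uplink_mbps),
        "distribution_mbps": dist,
        "remote_mbps": dist * b.remote_fraction,
        "core_link_mbps": core,
        "core_pps_64B": packets_per_second(core),
        "core_pps_1518B": packets_per_second(core, 1518),
    }


# The sample building: ten floors, one 24-port switch per floor, four users
# per port on a hub, 20 percent remote traffic, two core links.
SAMPLE_BUILDING = SwitchBlock(
    access_switches=10, ports_per_switch=24, mbps_per_port=4.0,
    remote_fraction=0.20, core_links=2,
)

if __name__ == "__main__":
    for key, value in plan(SAMPLE_BUILDING).items():
        print(f"{key:>20}: {value}")
    # Section 1.4.4: a 10-Mbps full-duplex uplink cannot carry the 96-Mbps aggregate.
    print("10 Mbps uplink sufficient:", plan(SAMPLE_BUILDING, 10.0)["access_uplink_ok"])
```

Running it with the sample building reproduces the text: 96 Mbps per access uplink, 960 Mbps at the distribution switch, 192 Mbps remote, 96 Mbps per core link and 187,500 pps at 64 bytes; with a 10-Mbps uplink the access check fails, which is the 1.4.4 conclusion that Fast Ethernet is required.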

Summary
After completing this chapter, the student should have a firm understanding of
the following concepts:
• Despite the advent of superior standards, 10 Mbps Ethernet is the most
pervasive LAN technology in the networking industry.
• Several 10 Mbps systems still exist with varied media options such as
copper and fiber. This type of connection method will exist for at least
another few years.
• Because of the limitations that legacy Ethernet can impose on some
applications, higher speed network technologies had to be developed.
IEEE created Fast Ethernet to meet this need.
• With the capability to run in full-duplex modes, Fast Ethernet offers
significant bandwidth leaps to meet the needs of many users.
• For real bandwidth consumers, Gigabit Ethernet offers even more
capacity to meet the needs of trunking switches together and to feed high
performance file servers.

Section 2

Configuring the Switch


Table of Contents

CONFIGURING THE SWITCH ......................................................................................... 1


OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
2.1 INITIAL CONNECTIVITY TO THE SWITCH......................................................................................................... 5
2.1.1 Cabling the switch block ...................................................................................................................... 5
2.1.2 Connecting to the console port ............................................................................................................. 5
2.1.3 Connecting an Ethernet port ................................................................................................................ 6
2.2 BASIC CONFIGURATION OF THE SWITCH ........................................................................................................ 7
2.2.1 Clearing a configuration and Cisco 2900 series..................................................................................... 7
2.2.2 Setting a password ............................................................................................................................ 10
2.2.3 Naming the switch ............................................................................................................................. 12
2.2.4 Configuring the switch for remote access ............................................................................................ 14
2.2.5 Identifying individual ports ................................................................................................................ 16
2.2.6 Defining link speed............................................................................................................................ 17
2.2.7 Defining line mode on a switch........................................................................................................... 18
2.3 IMPORTANT IOS FEATURES ....................................................................................................................... 21
2.3.1 Command-line recall ......................................................................................................................... 21
2.3.2 Using the help feature........................................................................................................................ 22
2.3.3 Show commands on a set command-based switch ................................................................................ 24
2.3.4 Password recovery ............................................................................................................................ 31
2.3.5 Setting an IDLE timeout .................................................................................................................... 32
2.3.6 Verifying connectivity ........................................................................................................................ 33
2.3.7 Backup and restoration of a configuration using a TFTP server............................................................ 34
2.3.8 HTTP switch commands .................................................................................................................... 37
SUMMARY ..................................................................................................................................................... 40

Overview
Those familiar with Cisco routers use a command-line interface (CLI) embedded
in the Cisco IOS Software. The CLI characteristics are seen across nearly all of
the router product line. However, most Catalyst switch CLIs differ from those
found on Cisco routers. This chapter describes the CLI, including aspects such as
command-line recall, command editing, uploading and downloading code
images, and configuration files.

Objectives
After completing this chapter, the student will be able to perform tasks
relating to:

2.1 Initial Connectivity to the Switch

2.2 Basic Configuration of the Switch

2.3 Important IOS Features

2.1 Initial Connectivity to the Switch

2.1.1 Cabling the switch block

Before beginning switch configuration, a physical connection between the switch and a workstation must be made. There are two types of cable connections used to manage the switch. The first type is through the console port. The second type is via the Ethernet port. The console port is used to initially configure the switch, and the port itself normally does not require configuration. Because password recovery (see 2.3.4) is performed from the console, anyone with physical access to the console port can take full control of the switch, so the switch must be kept in a physically secured location. In order to access the switch via the Ethernet port, the switch must be assigned an IP address.
When connecting the switch's Ethernet ports to Ethernet-compatible servers, routers, or workstations, use a straight-through Category 5 cable. When connecting the switch to another switch, a crossover cable is required.

2.1.2 Connecting to the console port


To connect a management terminal to the Cisco 1900/2800 or 2900 XL Switch
through the serial console, use the RJ-45-to-RJ-45 rollover cable supplied with
the switch. Perform the following steps to cable the two devices:
Step 1 Connect one end of the supplied rollover cable to the console port.
Step 2 Attach one of the following supplied adapters to a management station or
modem:
• RJ-45-to-DB-9 female data terminal equipment (DTE) adapter (labeled
Terminal) to connect a PC
• RJ-45-to-DB-25 female DTE adapter (labeled Terminal) to connect a
UNIX workstation
• RJ-45-to-DB-25 male data communications equipment (DCE) adapter
(labeled Modem) to connect a modem
Step 3 Connect the other end of the supplied rollover cable to the adapter.
Step 4 From the management station, start the terminal emulation program.
To connect a management terminal to the Supervisor Engine of a Catalyst
4000/5000/6000 switch through the console, use the RJ-45-to-RJ-45 rollover
cable and the appropriate adapter, both are supplied with the switch. Perform the
following steps to cable the two devices:
Step 1 Connect one end of the supplied rollover cable to the console port.
Step 2 Attach one of the following supplied adapters to a management station or
modem:
• RJ-45-to-DB-9 female DTE adapter (labeled Terminal) to connect a PC
• RJ-45-to-D-subminiature female adapter (labeled Terminal) to connect a UNIX workstation
• RJ-45-to-D-subminiature male adapter (labeled Modem) to connect a modem
Step 3 Connect the other end of the supplied rollover cable to the RJ-45 port of the adapter.
Step 4 From the management station, start the terminal emulation program.

2.1.3 Connecting an Ethernet port

On the Cisco 1900 and 2800 Series switches, the port types are fixed. All
10BASE-T ports (ports 1x through 12x or ports 1x through 24x) can be
connected to any 10BASE-T-compatible device. The 100BASE-TX ports (ports
Ax and Bx) can be connected to any 100BASE-TX-compatible device.
The Cisco 4000/5000/6000 Series switches have ports that can be configured for
either 10BASE-T or 100BASE-T connections.
When connecting the switch to servers, workstations, and routers, it is necessary
to use a straight-through cable. When connecting to other switches or repeaters,
it is necessary to use a crossover cable. The port status LED will illuminate
when both the switch and the connected device are powered up. If the LED is not
illuminated, it is possible that one of the devices may not be turned on; there
may be a problem with the adapter on the attached device or with the cable, or
the wrong type of cable may be in use.

Lab Activity

In this lab activity, you will learn how to upgrade the 4006 Supervisor software.

Lab Activity

In this lab activity, you will learn how to configure a Cisco Catalyst 4000 Ethernet switch for the first time.
2.2 Basic Configuration of the Switch

2.2.1 Clearing a configuration and Cisco 2900 series

Figure 1 Clearing Configurations on an IOS Based Switch

Figure 2 clear config all Output

When connecting to a Catalyst OS "set command" based switch (such as the Catalyst 4000 and 6000), a password prompt appears at the initial login. The default password for a Catalyst 4000 is empty: just press the ENTER key. The correct password opens the switch's NORMAL mode. Normal mode equates to a router's User EXEC mode, allowing most switch parameters to be viewed, but not permitting any configuration changes. To make changes, enter PRIVILEGED mode. The privileged mode functionally equates to the router PRIVILEGED EXEC mode. In the switch privileged mode, configuration changes can be made directly, unlike a router, which requires global configuration mode. With both a CLI-based switch and a set command-based switch, enter privileged mode with the enable command. With a CLI-based switch, the command prompt turns to Switch#, where a pound sign (#) rather than a greater-than sign (>) follows the switch name. With a set command-based switch, the command prompt turns to Console> (enable). The switch prompts for a password before granting privileged mode.
Remember that access to the switch CLI can be through the console interface or a Telnet session. As in a router, commands in a switch are additive. This means that adding configuration statements to an existing configuration will not completely overwrite the existing configuration.
A foolproof way of ensuring that a new configuration completely overwrites an existing configuration is to enter the clear config all command, as shown in Figure [2]. If the configuration is cleared while accessing the switch via Telnet, the output cannot be viewed; it can be seen only when directly attached to the console. This CLI command returns the switch Supervisor module to its default configuration, where all ports belong to virtual LAN (VLAN) 1, there is no VLAN Trunking Protocol (VTP) domain (explained in Chapter 4), and all Spanning-Tree parameters go back to their default values. It is important to note that entering this command also clears the console IP address. Clearing the configuration can be accomplished with any of the access methods, but if done while telnetting to the Catalyst switch, the connection to the switch will be lost because the switch no longer has an IP address. On a 2900 switch, the erase startup-config command erases the configuration that is stored in NVRAM. On a 2900 switch, this does not erase the VLAN information. In order to erase the VLAN information, use the del flash:vlan.dat command. [1]
The clear config all command affects only modules that are directly
configured from the Supervisor module. To clear the configurations on the router
modules, access the modules with the session module_number
command. This command performs the equivalent of an internal Telnet to the
module. To display which slot the router module is in, use the show module
command. The router modules on a switch use Cisco IOS commands to change,
save, and clear configurations.
Unlike routers, the set command-based switch immediately stores commands in
nonvolatile random-access memory (NVRAM) and does not require the copy
run start command. Any command typed into a switch is immediately
stored and remembered, even through a power cycle. This presents a challenge
when attempting to reverse a series of commands. On a router, to reverse a series
of commands perform a reload without writing the running configuration into
NVRAM.
Before making serious changes to a set command-based switch, copy the
configuration to a backup text file or to a Trivial File Transfer Protocol (TFTP)
server (described later in this section). Use the clear config all
command to clear the switch. Then load the previously saved configuration file.
On the other hand, when working with a Cisco IOS command-based switch, the switch behaves much more like a router. In the switch user EXEC mode, changes cannot be made. Use the enable command to access privileged mode and view the extensive list of configuration parameters. To configure the switch, enter configuration mode by using the configure terminal command. This command puts the switch in global configuration mode.
Configuring the switch through the console and through Telnet allows
commands to be entered in real time, but only one at a time. Unlike set
command-based switches, the Cisco IOS command-based switch does not
immediately store commands in NVRAM, and does require a copy run
start like a router. This greatly reduces the challenge when attempting to
reverse a series of commands. As with a router, to reverse a series of
commands execute a reload (provided that the running configuration wasn’t
saved into NVRAM).

2.2.2 Setting a password

Figure 1 Set Based Switch

Figure 2 IOS Based Switch

Figure 3 Setting a Password

Figure 4 Setting a Password

One of the first tasks to perform when configuring a device is to secure it against unauthorized access. The simplest form of security is to limit access to the switches with passwords. Setting passwords limits the level of access or completely excludes a user from logging on to a switch.
Two types of login passwords can be applied to switches. The login password requires authentication before accessing any line, including the console. The enable password requires authentication before setting or changing switch parameters.

Cisco also provides levels of authority. A privilege level of "1" allows the user
normal EXEC-mode user privileges. A privilege level of "15" is the level of
access permitted by the enable password.
To set passwords on a set-based switch, enter the commands demonstrated in
Figure [1]. To remove a password, enter the no enable password level
number command. Figure [2] shows an example of a Cisco 5000 Series Switch
that has both a console login and enable password set. Passwords are displayed
in encrypted text.
To set passwords on a Cisco IOS software-based switch, enter either one or both of the following commands in global configuration mode:
Switch(config)#enable password password
Switch(config)#enable secret password
where password is a combination of four to eight alphanumeric characters. The difference between the two is that the enable secret command stores only a one-way MD5 hash of the password (shown as type 5 in the configuration), whereas the enable password command stores the password itself and displays it in cleartext. Because the secret cannot be recovered from the configuration, always configure an enable secret; when both are set, the enable secret is the one that grants privileged mode. Figure [3] has an example of these commands being used.
Figure [4] contains an example of a switch where the console password is cisco and the password cisco4me is the enable password required for privileged mode. Notice how both passwords appear encrypted. Note that a line password such as the console password can only be obscured with the reversible type 7 encoding, which anyone who reads the configuration can decode; it protects against casual observation, not against someone who obtains the configuration file.

2.2.3 Naming the switch

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

Every switch arrives from the factory with the same default prompt. In a large
campus network, it is crucial to establish a coherent naming structure for the
switches. This is especially true because most network administrators use Telnet
to connect to many switches across the campus.
To set the host or system name on a Cisco IOS software-based switch such as the
Cisco 2900 XL, enter the following command in global configuration mode:
Switch(config)#hostname name
where name can be from 1 to 255 alphanumeric characters.
As soon as the hostname command is executed, the system prompt assumes the hostname, as seen in Figure [1]. To remove the system name, enter the no hostname command in global configuration mode.
If the switch is a set-based switch, the name assigned as the system name is used to define the system prompt. To assign a system name to the switch, enter the following command in privileged mode:
System> (enable) set system name name
where name sets the system's name.
To assign a name to the CLI prompt that differs from the system name, enter the following command in privileged mode:
System> (enable) set prompt name
where name sets the CLI prompt. [2]

Lab Activity

In this lab activity, you will learn how to configure a Cisco Catalyst 2900 Ethernet switch for the first time.

2.2.4 Configuring the switch for remote access

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

To Telnet to, ping, or otherwise manage a switch over the network, the switch requires an IP address and a management VLAN. Although LAN switches are essentially Layer 2 devices, these switches do maintain an IP stack for administrative purposes. Assigning an IP address to the switch associates that switch with the management VLAN, provided the subnet portion of the switch IP address matches the subnet number of the management VLAN. Keep in mind that Telnet carries the login and enable passwords across the network in cleartext, so the management VLAN and the switch IP address should be reachable only from administrative hosts.

To assign an IP address on a Cisco IOS software-based switch, follow these steps [1]:
1. Enter global configuration mode on the switch.
2. Go to interface VLAN 1 by issuing the command:
Switch(config)#interface vlan 1
3. Enter the switch IP address with the command:
Switch(config-if)#ip address address mask
4. To reach the switch from another subnet through a router, a default gateway must be configured on the switch. This is done in global configuration mode with the command:
Switch(config)#ip default-gateway address
The show ip interface command displays the IP address and the subnet
mask for the device. In the example in Figure [1], the management interface
resides in VLAN1, which is the default management VLAN, and has a subnet
mask of 255.255.255.0.
To remove the IP address and subnet mask, enter the no ip address
command on the vlan interface.
If the switch is a Catalyst OS set command-based switch, assign the IP address to
the in-band logical interface. To assign an IP address to this interface, enter the
following command in privileged mode:
Switch>(enable) set interface sc0 address netmask
[broadcast address]
Defining the in-band management IP address also assigns the IP address to its associated management VLAN. The IP address must belong to the subnet that is routed to the management VLAN. To associate the in-band logical interface with a specific VLAN, enter the following command in privileged mode:
Switch>(enable) set interface sc0 [vlan]
If a VLAN is not specified, the system defaults to VLAN 1 as the management VLAN.
The show interface command displays the IP address and the subnet mask
for the device. In the previous example, the management interface resides in
VLAN1 and has a subnet mask of 255.255.255.0. [2]
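The following Python script is an added example, not part of the Cisco course or of any Cisco tool. It builds a constructed `show running-config` excerpt for a 2900 XL set up the way sections 2.2.2 through 2.2.5 describe (the hostname, addresses and the type 5 value are invented placeholders), then audits it: it decodes any type 7 password with the fixed key IOS uses for `service password-encryption`, to show why only `enable secret` protects privileged mode, and checks that the configured default gateway lies inside the management subnet on interface VLAN 1, since a gateway outside that subnet leaves the switch unreachable from other networks.

```python
# Added example: audit a Catalyst IOS configuration for the password-storage
# and management-address issues discussed in sections 2.2.2 and 2.2.4.
# This is not Cisco course material. The sample configuration is constructed
# for the example; the type 5 hash in it is a placeholder, not a real digest.

import ipaddress
import re

# Fixed key behind IOS "type 7" passwords (service password-encryption).
# The transform is a plain XOR against this constant, so a type 7 string in a
# configuration is equivalent to the cleartext for anyone who can read it.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a type 7 string such as 070C285F4D06."""
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def type7_encode(plain: str, seed: int = 7) -> str:
    """Inverse of type7_decode; used only to build the sample config below."""
    body = bytes(ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Constructed `show running-config` excerpt for a 2900 XL set up as in 2.2.2-2.2.5.
SAMPLE_CONFIG = f"""\
hostname Floor3-Access
!
enable password 7 {type7_encode("cisco4me")}
enable secret 5 $1$abcd$PLACEHOLDERNOTAREALHASH
!
interface VLAN1
 ip address 10.1.3.2 255.255.255.0
!
interface FastEthernet0/1
 description "Port to fourth floor switch"
!
ip default-gateway 10.1.4.1
!
line con 0
 password 7 {type7_encode("cisco")}
 login
line vty 0 4
 password cisco
 login
"""


def reveal(kind, value: str) -> str:
    """Cleartext for a type 0 (kind None or '0') or type 7 password field."""
    return type7_decode(value) if kind == "7" else value


def management_addresses(config: str):
    """Return (VLAN1 ip_interface, default gateway); each is None if absent."""
    m = re.search(r"^interface VLAN1\n ip address (\S+) (\S+)", config, re.M)
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}") if m else None
    g = re.search(r"^ip default-gateway (\S+)", config, re.M)
    gateway = ipaddress.ip_address(g.group(1)) if g else None
    return iface, gateway


def audit(config: str) -> list:
    """One finding per weakness; an empty list means nothing was flagged."""
    findings = []
    section = None                       # the "line ..." block being read, if any
    for raw in config.splitlines():
        if raw.startswith("line "):
            section = raw
        elif raw and not raw.startswith(" "):
            section = None
        m = re.fullmatch(r"enable password(?: (0|7))? (\S+)", raw)
        if m:
            findings.append(f"enable password is recoverable (type {m[1] or 0}): "
                            f"{reveal(*m.groups())!r}; rely on enable secret instead")
        m = re.fullmatch(r" password(?: (0|7))? (\S+)", raw)
        if m and section:
            findings.append(f"{section}: password is recoverable (type {m[1] or 0}): "
                            f"{reveal(*m.groups())!r}")
    if not re.search(r"^enable secret 5 ", config, re.M):
        findings.append("no enable secret; privileged mode depends on the weaker enable password")
    iface, gateway = management_addresses(config)
    if iface is None:
        findings.append("no IP address on interface VLAN1; switch is not manageable in-band")
    elif gateway is not None and gateway not in iface.network:
        findings.append(f"default gateway {gateway} is outside the management subnet {iface.network}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample the audit reports four findings: the type 7 enable password decodes to cisco4me, the type 7 console password decodes to cisco, the vty password is stored as plain cisco, and the default gateway 10.1.4.1 is outside the 10.1.3.0/24 management subnet. The enable secret line raises nothing because only a hash is stored; that is the property the text is pointing at when it recommends enable secret.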

Interactive Lab Activity

In this activity, you will learn how to configure basic switch management on the
Catalyst 4000.

Interactive Lab Activity

In this activity, you will learn how to configure basic management on the
Catalyst 2900 series access switch.

2.2.5 Identifying individual ports

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

A description can be added to an interface or port to help remember specific information about that interface, such as what access or distribution-layer device the interface services. This command is very useful in an environment where a switch has numerous connections and the administrator needs to check a link to a specific location. This description is meant solely as a comment to help identify how the interface is being used or where it is connected (such as which floor, which office, and so on). The description will appear in the display output of the configuration information.

To add a unique comment to an interface on a Cisco IOS Software-based switch,
enter the following command in interface configuration mode.
Switch(config-if)# description description string
To enter a description with spaces between characters, enclose the string in
quotation marks. For example: Switch(config-if)#description "Port
to fourth floor switch." An example of this is shown in Figure [1].
To clear a description, enter the no description command on the interface
in interface configuration mode.
If the access switch uses a set-based command structure, assign a description to a port by entering the following command in privileged mode.
Switch> (enable) set port name mod/number description
where:
• mod specifies the target module on which the port resides
• number identifies the specific port
• description is the text string describing the port
The description must be less than 21 alphanumeric characters, and spaces can be entered in the description without having to use quotation marks.
To clear a port name, enter the set port name mod/num command, followed by a carriage return, in privileged mode. By not defining a port name, the value for this parameter is cleared. This command can be verified by using the show port command, as shown in Figure [2].

2.2.6 Defining link speed

Figure 1 Set Based Switch

On a Cisco IOS software-based switch, the speed of the ports are set using the
speed {10|100|auto} command from the interface mode.
If the switch is a set-based switch, enter the following command in privileged
mode to configure the port speed on 10/100-Mbps Fast Ethernet modules:

Switch> (enable) set port speed mod/num 10|100|auto
where:
• mod indicates the port module number.
• num indicates the port number.
• {10 | 100 | auto} indicates the port speed. If the port is placed in auto, both speed and port duplex will be automatically negotiated.

2.2.7 Defining line mode on a switch

Figure 1 IOS Based Switch

Figure 2 Set Based Switch

Full-duplex is the simultaneous action of transmitting and receiving data by two
devices. This operation is achievable only if the devices on each end support
full-duplex.
Full-duplex links not only double potential throughput, but also eliminate
collisions and the need for each station to wait until the other station finishes
transmitting. If reads and writes on a full-duplex link are symmetric, data
throughput can be theoretically doubled. However, in reality, bandwidth
improvements are more modest.
Full-duplex links are particularly useful for server-to-server, server-to-switch,
and switch-to-switch connections.
To set the duplex mode of an interface on a Cisco IOS software-based switch,
enter the following command in interface configuration mode:
Switch(config-if)#duplex {auto | full | half}
where:
• auto sets the 100BASE-TX port into auto-negotiation mode; this is the default for a 100BASE-TX port; this argument is valid on 100BASE-T ports only
• full forces the 10BASE-T or 100BASE-TX port into full-duplex mode
• half forces the 10BASE-T or 100BASE-TX port into half-duplex mode; this is the default for a 10BASE-T port

Note: Use the auto argument only for fixed Fast Ethernet TX ports. In
auto-negotiation mode, the switch attempts to negotiate full-duplex
connectivity with the connecting device. If negotiation is successful, the
port operates in full-duplex mode. If the connecting device is unable to
operate in full duplex, the port operates in half duplex. This process is
repeated whenever there is a change in link status.
The example in Figure [1] shows that the fixed port FastEthernet 0/2 is
configured for full-duplex mode. To return the duplex parameter to the default
setting, enter the no duplex command in the interface configuration mode.
To set the port duplex mode on a set-based switch, enter the following command
in privileged mode:
Switch> (enable) set port duplex mod/port full | half
where
• Half-duplex mode is the default for 10-Mbps ports.
• Full-duplex mode is the default for 100-Mbps ports.

Note: The duplex mode of ports configured for auto-negotiation cannot be changed.

Use the show port command to verify the configuration. The example in
Figure [2] shows that the 10/100 Ethernet module 6 port 1 is connected and is
operating in full-duplex mode. It is important to note that sometimes ports are
not activated by default. To activate a port, enter the set port enable
mod/port command in privileged mode.

2.3 Important IOS Features

2.3.1 Command-line recall

Figure 1 Command Recall from Catalyst History Buffer

Figure 2 Catalyst Command Recall with Substitution

Figure 3 Catalyst History Buffer Example

When a command on the switch is entered, it is retained in a buffer called the history buffer. On a Cisco IOS command-based switch, the history buffer holds the last ten commands, like a router does. To access these commands, use the up and down arrows on the keyboard.
The history buffer on a set command-based switch stores up to 20 commands. Various devices have specific methods of recalling commands. The switch uses abbreviated key sequences to recall commands.

A "bang" is an ! (exclamation point) on a keyboard. When dictating commands,
"exclamation mark" is too difficult to say, so "bang" is used as a verbal shortcut.
Figure [1] summarizes the key sequence for recalling previous commands in the
history buffer.
It is possible not only to recall a command, but also to edit it. Figure [2] shows the sequences to recall and edit previous commands. For example, observe the command set vlan 3 2/1-10,4/12-21,6/1,5/7. This command string assigns a set of ports to VLAN 3. However, suppose the host machines were meant for VLAN 4 rather than VLAN 3. Instead of retyping the whole command a second time and moving the ports to VLAN 4, simply type ^3^4. This forces the Catalyst switch not only to reuse the previous command, but also to change the number 3 to a number 4, which in this case corrects the VLAN assignment.
One frustration when mentally recalling commands can be the difficult time
remembering what command was entered seven lines previously. This can
become particularly challenging because the Catalyst history buffer stores up to
20 commands. Use the history command to see the history buffer. Figure [3]
shows output from a history command. Notice that the commands are
numbered, allowing the user to reference a specific entry for command recall.
For example, the output recalls command 2 from the history buffer. This caused
the Catalyst switch to recall the history command. Note also that new
commands add to the bottom of the list. Newer commands have higher numbers.

2.3.2 Using the help feature

Figure 1 Catalyst Help Example

Figure 2 Another Catalyst Help Example

Figure 3 Command Recall after Help

The help command on a Cisco IOS command-based switch works the same as
that on a router. On a switch, access help by entering ? on a command line. The
switch then prompts the user with all possible choices for the next parameter.
By typing in the next parameter and typing ? again, the switch displays the next
set of command-line choices. In fact, the switch displays help on a parameter-by-
parameter basis. Additionally, when the switch displays help options, it also ends
by displaying the portion of the command that was entered so far. This enables
the user to continue to append commands to the line without needing to reenter
the previous portion of the command.
The help system on a set command-based switch functions differently from the
router. Help is accessed in the same manner as in a router, but the results
differ. For example, where a router prompts the user for the next parameter, a
Catalyst switch displays the entire usage options for the command. Figure [1]
shows the help result for a partial command string. The string does not uniquely
identify what parameter should be modified and lists all related commands.
On the other hand, if enough of the command is entered on the line that the
Catalyst switch recognizes what command was intended, it displays the options
for that command. This time, in Figure [2], the string identifies a specific
command and the Catalyst switch displays help appropriate for that command.
The user here wants to modify the console interface in some way, but is unsure
of the syntax used with the command.
Notice that when the console displays help, it returns the command line with a
blank line. The command string entered so far is not displayed as it is on a
router. Now use command recall. To disable the logical interface sc0, enter
the command set int sc0 down. Use command recall to complete the
command. What happens if the command typed is !! sc0 down ? The
command usage screen appears again, without the console changing state to
down. This happens because the command recall executes the previous statement,
which was set int ? with the help question mark, plus the appended parameters.
With the additional parameters, the switch interprets the string as set int ?
sc0 down, sees the question mark, and displays help. [3]

2.3.3 Show commands on a set command-based switch

Console> (enable) show config
...
.........
.........
........
........
..
begin
set password $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set enablepass $1$FMFQ$HfZR5DUszVHIRhrz4h6V70
set prompt Console>
set length 24 default
set logout 20
set banner motd ^C^C
#system
set system baud 9600
set system modem disable
set system name
set system location
set system contact
#snmp
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
!Other SNMP commands deleted
#IP
!This sets up the console or slip interfaces.
set interface sc0 1 144.254.100.97 255.255.255.0 144.254.100.255
set interface sl0 0.0.0.0 0.0.0.0
set arp agingtime 1200
set ip redirect enable
set ip unreachable enable
set ip fragmentation enable
set ip alias default 0.0.0.0
#Command alias
#vmps
set vmps server retry 3
set vmps server reconfirminterval 60
set vmps tftpserver 0.0.0.0 vmps-config-database.1
set vmps state disable
#dns
set ip dns disable
#tacacs+
!This section configures the TACACS+ authentication parameters
#bridge
!This section defines FDDI module behavior
#vtp
!This section characterizes the virtual trunk protocol and
!vlan parameters
#spantree
#uplinkfast groups
set spantree uplinkfast disable
#vlan 1
set spantree enable 1
set spantree fwddelay 15 1
set spantree hello 2 1
set spantree maxage 20 1
set spantree priority 32768 1
!Other VLAN Spanning Tree information deleted. This section
!describes Spanning Tree for each VLAN.
#cgmp
!This group of commands controls the Catalyst multicast behavior
#syslog
set logging console enable
set logging server disable
!Other logging commands deleted. This characterizes what events
!are logged.
#ntp
!This sets up network time protocol
#set boot command
set boot config-register 0x102
set boot system flash bootflash:cat5000-sup3.3-1-1.bin
!Any special boot instructions are placed here.
#permit list
!The access list is found here
set ip permit disable
#drip
!This is Token Ring stuff to take care of duplicate ring
!numbers.
!On a per module basis, the Catalyst displays any module specific
!configurations.
#module 1 : 2-port 10/100BaseTX Supervisor
set module name 1
set vlan 1 1/1-2
set port channel 1/1-2 off
set port channel 1/1-2 auto
set port enable 1/1-2
set port level 1/1-2 normal
set port speed 1/1-2 auto
set port trap 1/1-2 disable
set port name 1/1-2
set port security 1/1-2 disable
set port broadcast 1/1-2 100%
set port membership 1/1-2 static
set cdp enable 1/1-2
set cdp interval 1/1-2 60
set trunk 1/1 auto 1-1005
set trunk 1/2 auto 1-1005
set spantree portfast 1/1-2 disable
set spantree portcost 1/1 100
set spantree portcost 1/2 100
set spantree portpri 1/1-2 32
set spantree portvlanpri 1/1 0
set spantree portvlanpri 1/2 0
set spantree portvlancost 1/1 cost 99
set spantree portvlancost 1/2 cost 99
#module 2 empty
#module 3 : 24-port 10BaseT Ethernet
set module name 3
set module enable 3
set vlan 1 3/1-24
set port enable 3/1-24
set port level 3/1-24 normal
set port duplex 3/1-24 half
set port trap 3/1-24 disable
set port name 3/1-24
set port security 3/1-24 disable
set port broadcast 3/1-24 0
set port membership 3/1-24 static
set cdp enable 3/1-24
set cdp interval 3/1-24 60
set spantree portfast 3/1-24 disable
set spantree portcost 3/1-24 100
set spantree portpri 3/1-24 32
#module 5 : 1-port Route Switch
!Note that the only things in this configuration are Spanning
!Tree and bridge related. There are no routing configs here.
set module name 5
set port level 5/1 normal
set port trap 5/1 disable
set port name 5/1
set cdp enable 5/1
set cdp interval 5/1 60
set trunk 5/1 on 1-1005
set spantree portcost 5/1 5
set spantree portpri 5/1 32
set spantree portvlanpri 5/1 0
set spantree portvlancost 5/1 cost 4
#switch port analyzer
!If you set up the ability to monitor switched traffic, the
!the configs will show up here
set span disable
#cam
!set bridge table aging to five minutes
set cam agingtime 1,1003,1005 300
end
Console> (enable)
Figure 1 Annotated Supervisor Configuration File

Figure 2 show interface Display

Figure 3 show module Output

To view configurations on a set command-based switch, use the show
command. Figure [1] annotates a simple Supervisor module configuration file
displayed through the show config command. Some configuration lines have been
editorially deleted because they are redundant and needlessly take up space. The
remaining portion of the file lets the user see the general organization of
the configuration file.
Note in Figure [1] that the file is collated in logical sections. First, the Catalyst
switch writes any globally applicable configuration items such as passwords,
Simple Network Management Protocol (SNMP) parameters, system variables,
and so forth. Then it displays the configuration for each module installed. Note
that the module configuration sections refer to spanning tree and VLAN
assignments; they do not display any details about other functions within
the module. For example, a route switch module (RSM) is installed in module 5
of this switch. Although this is a router module, it attaches to a virtual bridge
port internally. The Catalyst switch displays the bridge attachment parameters,
but not the RSM configuration lines. To view module-specific configurations,
use the command session module_number followed by the appropriate
show command for the module.
Other show commands display item-specific details. For example, to look at the
current configuration for the in-band (sc0) interface, out-of-band management
Ethernet (me1) interface, and SLIP (sl0) interface, use the show interface
command, as demonstrated in Figure [2].
Another useful show command displays the modules loaded in the switch (see
Figure [3]). The output in Figure [3] displays details about the model number and
description of the modules in each slot. The second block of the output displays
what Media-Access-Control (MAC) addresses are associated with each module.
Notice that the Supervisor module reserves 1024 MAC addresses. Many of these
addresses support spanning-tree operations, but other processes are also
involved. Module 3, the 24-port Ethernet module, reserves 24 MAC addresses,
one for each port. These addresses also support spanning tree because they are
the values used for the port ID in the spanning tree convergence algorithm. The
third block of the display offers details regarding the Supervisor module.
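As an added example (not Cisco's code and not part of the original course text), the following Python script parses the section layout described above, global items first and then one "#" heading per section, and flags the settings this chapter warns about: default SNMP community strings, a disabled IP permit list, an idle timeout turned off with set logout 0 (section 2.3.5), and an enabled HTTP server (section 2.3.8). The sample configuration is constructed, and it is assumed here that set logout 0 disables the timeout and that port security is reported per module.

```python
import re

# Constructed sample (not the page's listing): an abridged set-based
# configuration in the layout that "show config" prints on a Catalyst 5000.
SAMPLE_CONFIG = """\
begin
set password $1$EXAMPLE$placeholderhashvalue
set enablepass $1$EXAMPLE$placeholderhashvalue
set prompt Console>
set logout 0
#system
set system name
#snmp
set snmp community read-only public
set snmp community read-write private
set snmp community read-write-all secret
#IP
set interface sc0 1 192.0.2.10 255.255.255.0 192.0.2.255
set ip http server enable
#permit list
set ip permit disable
#module 3 : 24-port 10BaseT Ethernet
set port security 3/1-24 disable
set cdp enable 3/1-24
end
"""

# Factory community strings, exactly as the chapter's configuration shows them.
DEFAULT_COMMUNITIES = {
    "read-only": "public",
    "read-write": "private",
    "read-write-all": "secret",
}


def parse_set_config(text):
    """Split show config output into {section: [set commands]}.

    Sections are introduced by '#name' lines; commands before the first
    '#' line (passwords, prompt, logout) go under 'global'. Comment lines
    starting with '!', the leading rows of dots and begin/end are skipped.
    """
    sections = {}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("begin", "end") or set(line) == {"."}:
            continue
        if line.startswith("#"):
            current = line[1:].strip()
            continue
        if line.startswith("!"):
            continue
        sections.setdefault(current, []).append(line)
    return sections


def audit(sections):
    """Return a list of findings for the settings this chapter warns about."""
    findings = []
    for section, cmds in sections.items():
        for cmd in cmds:
            # Assumed here: set logout 0 turns the idle timeout off entirely.
            if cmd == "set logout 0":
                findings.append("idle timeout disabled (set logout 0)")
            # Community strings still at their factory defaults.
            m = re.match(r"set snmp community (\S+) (\S+)$", cmd)
            if m and DEFAULT_COMMUNITIES.get(m.group(1)) == m.group(2):
                findings.append(
                    f"default SNMP community '{m.group(2)}' for {m.group(1)}")
            # With the permit list disabled any source address may open a session.
            if cmd == "set ip permit disable":
                findings.append("IP permit list disabled")
            # The CWI server speaks plaintext HTTP; note that it is reachable.
            if cmd == "set ip http server enable":
                findings.append("HTTP server enabled")
            # Port security off on a line card's ports (informational).
            m = re.match(r"set port security (\S+) disable$", cmd)
            if m and section.startswith("module"):
                findings.append(f"port security disabled on {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_set_config(SAMPLE_CONFIG)):
        print(finding)
```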

2.3.4 Password recovery
If at any time the normal mode or enable passwords are lost, a password
recovery process must be started. Password recovery on the Catalyst
4000/5000/6000 Series differs from the methods used on a Cisco router or on
other models of switches.
To perform the password recovery procedure, a console connection must be
made. Password recovery requires a power cycle of the system by toggling the
power switch. Performing a power cycle on the switch forces it through its
initialization routines and eventually prompts the user for a password to enter the
normal mode. At this point, the user has 30 seconds to perform password
recovery.
The trick in password recovery on the switch lies in its behavior during the first
30 seconds after booting. When the switch first boots, it ignores the passwords in
the configuration file. It uses the default password <ENTER> during this time.
Therefore, when the Catalyst Switch prompts the user for an existing password
at any time, simply type <ENTER> and the Catalyst switch accepts the
response. Immediately enter set password or set enablepass to change
the appropriate password(s).
During the password recovery process, when the switch prompts for the new
password, simply respond with <ENTER>. Otherwise, trying to type in new
passwords sometimes forces the user to reboot again. To minimize the
probability of entering a bad value, initially set the password to the default value.
After setting the enable and EXEC passwords to the default, the user can then go
back and change the values without the pressure of completing the process
during the 30-second time window provided for password recovery.
As with many security situations, it is extremely important to consider physical
security of the equipment. As demonstrated in the password recovery process, an
attacker simply needs the ability to reboot the Catalyst switch and access to the
console to get into the privileged mode. When in the privileged mode, the
attacker can make any changes that he or she desires. Keep wiring closets
secured and minimize access to console ports.

Lab Activity

In this lab activity, you will learn how to regain control of a Cisco Catalyst 4000
Ethernet switch after you have lost the passwords.

Lab Activity

In this lab activity, you will learn how to regain control of a Cisco Catalyst 2900
Ethernet switch after you have lost the passwords.

2.3.5 Setting an IDLE timeout

Figure 1 Set Based Switch

Figure 2 IOS Based Switch

If a user is logged into a switch and performs no keystrokes (remains idle) for 5
minutes, the switch will automatically log the user out. This feature is referred to
as an "idle timeout." If a user forgets to log out and leaves the terminal
unattended, this feature would prevent someone from gaining unauthorized
access to the switch by using the terminal. Although the default setting of this
feature is 5 minutes, it can be altered with the set logout command on a set
command-based switch:
Switch> (enable) set logout number of minutes
The example in Figure [1] shows how to set the automatic session logout to 20
minutes and how to disable the automatic logout feature.
To configure a timeout on a Cisco IOS command-based switch, the user must
first choose the line (console or vty) to apply it to and then specify the amount of
time. This works just as a router would. The default timeout is 10 minutes. The
commands to set the timeout on the console port of a Cisco IOS command-based
switch to 20 minutes are shown in Figure [2].

2.3.6 Verifying connectivity

Figure 1 Reaching the Destination IP Address

Figure 2 Reaching the Destination IP Address

After the switch is assigned an IP address and at least one switch port is
connected to the network and properly configured, the switch can communicate
with other nodes on the network (beyond simply switching traffic).
To test connectivity to remote hosts, enter the following command in privileged
mode.
Switch> (enable) ping destination ip address
An example of this command is shown in Figure [1].
The ping command will return one of the following responses:
• Success rate is 100 percent or ip address is alive. This response occurs
in 1 to 10 seconds, depending on network traffic and the number of
Internet Control Message Protocol (ICMP) packets sent.
• Destination does not respond. No answer message is returned if the host
does not respond.
• Unknown host. This response occurs if the targeted host does not exist.
• Destination unreachable. This response occurs if the default gateway
cannot reach the specified network.
• Network or host unreachable. This response occurs if there is no entry in
the route table for the host or network.
The example in Figure [2] states that the destination IP address 10.1.1.1 can be
reached by the device generating the ping.

2.3.7 Backup and restoration of a configuration using a
TFTP server

Figure 1 Uploading a Configuration File to a TFTP Server

Figure 2 Retrieving a Configuration File

Figure 3 Recovering Configuration Files from a TFTP Server

Most switches have a TFTP client, allowing users to retrieve and send
configuration files from/to a TFTP server. The actual syntax to perform TFTP
configuration file transfers varies based on the type of switch and version of
Supervisor module installed in the switch.
To save a configuration file from either a Supervisor I or Supervisor II module,
use the write net command. Figure [1] shows a session writing a
configuration file to a TFTP server. The server IP address and the filename are
clearly seen in the output.
For the switch to obtain the new configuration over the network, after having
cleared the configuration, a valid IP address and default gateway setting must
be restored. Retrieving a file from the server uses the command configure
network. When retrieving a file, a user must specify the source filename on the
TFTP server. [2]
For complete system recovery, make sure to have a copy of the
configuration file of each switch stored somewhere other than on the switch
itself. If anything happens to the Supervisor module, it might not be possible to
recover the configuration file. It is a big mistake to have to rebuild the entire
configuration file from scratch during a system outage, especially when a backup
copy could easily have been created on a network-accessible machine.
Through TFTP, a copy of the configuration file can be stored on a TFTP server
and recovered later when needed. The syntax varies, depending upon the version
of Supervisor module. This section assumes either a Cisco IOS command-based
switch or a set command-based switch with a Supervisor module.
As a side note, TFTP servers are inherently weak security-wise. It is highly
recommended not to keep configuration files in a TFTP directory space until
there is an actual need to retrieve them. Anyone who compromises the TFTP server
can modify the configuration files without the owner's knowledge. The prudent
network administrator will maintain configuration files in a secure directory
space and copy them back to the TFTP directory space only when he or she is
ready to use them. Although this adds another step to the recovery process, the
security benefits definitely outweigh the procedural disadvantages.
Transferring Cisco IOS command-based switch configuration files via TFTP to
another device works the same as with a router. The command copy
running-config tftp will copy the configuration file to a TFTP server at
the location specified. The recovery process works in reverse. To recover a
configuration file from a TFTP server, issue the command copy tftp
running-config. This will load the specified configuration file into
NVRAM and the "active" memory of the switch.
Transferring Supervisor III and Catalyst 4000/6000 configuration files via TFTP
to another device looks much like it does with a router. The command copy
config flash | file-id | tftp copies the configuration file to one
of three locations. The configuration file can be stored in the bootflash memory,
a Flash card in a Flash slot (with a supervisor module that supports flash cards),
or to a TFTP server. When copying configuration files to or from the switch,
specify the source filename. Because of the Flash architecture on the Supervisor
III, several configuration files may be stored locally. However, only one can be
active. Therefore, the user must specify which of the local files is to be copied.
Recovering a configuration file works in reverse. To retrieve the file from a
TFTP server, use the command copy tftp flash | file-id |
config. When retrieving, write the configuration file to your bootflash, a
Flash card, or to the running configuration. To write the configuration file to the
running configuration, use the command form copy tftp config. Figure
[3] shows a session recovering the configuration filename cat to a Flash device.
To recover a configuration from Flash use the command copy flash tftp
| file-id | config.
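The staging workflow recommended above, written as an added Python example that is not part of the original course material: the configuration is kept in a secure directory, copied into the TFTP directory only when needed, checked against a SHA-256 fingerprint after retrieval, and removed again. The directory names and the sample configuration are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample (not the page's listing): a short set-based
# configuration as "write net" would save it to the TFTP server.
SAMPLE_CONFIG = b"""begin
set password $1$EXAMPLE$placeholderhashvalue
set prompt Console>
set logout 20
#snmp
set snmp community read-only EXAMPLE-ro
end
"""


def fingerprint(data):
    """SHA-256 hex digest of a configuration file's bytes."""
    return hashlib.sha256(data).hexdigest()


def stage_for_tftp(secure_path, tftp_dir):
    """Copy a config from the secure directory into the TFTP directory.

    Returns (staged_path, digest); the digest is what a retrieved copy
    must match before it is trusted with "configure network".
    """
    with open(secure_path, "rb") as fh:
        data = fh.read()
    staged = os.path.join(tftp_dir, os.path.basename(secure_path))
    with open(staged, "wb") as fh:
        fh.write(data)
    return staged, fingerprint(data)


def verify_retrieved(path, expected_digest):
    """True only if the file in the TFTP directory still matches."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read()) == expected_digest


def unstage(path):
    """Remove the file from the TFTP directory once the switch has it."""
    if os.path.exists(path):
        os.remove(path)


def demo_round_trip():
    """Stage, verify, simulate tampering on the TFTP server, verify again.

    Returns (clean_ok, tampered_ok, still_staged).
    """
    work = tempfile.mkdtemp()
    try:
        secure_dir = os.path.join(work, "secure")
        tftp_dir = os.path.join(work, "tftpboot")
        os.makedirs(secure_dir)
        os.makedirs(tftp_dir)
        secure_copy = os.path.join(secure_dir, "switch1.cfg")
        with open(secure_copy, "wb") as fh:
            fh.write(SAMPLE_CONFIG)
        staged, digest = stage_for_tftp(secure_copy, tftp_dir)
        clean_ok = verify_retrieved(staged, digest)
        # Someone with write access to the TFTP directory edits the file.
        with open(staged, "ab") as fh:
            fh.write(b"set ip permit disable\n")
        tampered_ok = verify_retrieved(staged, digest)
        unstage(staged)
        return clean_ok, tampered_ok, os.path.exists(staged)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo_round_trip())  # (True, False, False)
```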

Lab Activity

In this lab activity, you will learn how to copy your current configuration from a
Catalyst 4000 switch to a TFTP server.

Lab Activity

In this lab activity, you will learn how to copy your current configuration from a
Catalyst 2900 switch to a TFTP server.

2.3.8 HTTP switch commands

Figure 1 Cat4000 Config Example

Figure 2 Authentication Login Example

The Catalyst Web Interface (CWI) is a browser-based tool that can be used to
configure the Cisco 6000, 5000, and 4000 Family Switches. It consists of a
graphical user interface (GUI) that runs on the client, Catalyst CiscoView (CV),
and a Hypertext Transfer Protocol (HTTP) server that runs on the switch.
A GUI alternative to the CLI and SNMP interfaces, the CWI provides a real-time
graphical representation of the switch and detailed information, such as port
status, module status, type of chassis, and modules. The CWI uses HTTP to
download Catalyst CV from the server to the client.
Communication between the client and server usually occurs on a TCP/IP
connection. The TCP/IP port number for HTTP is 80. In this client/server mode,
the client opens a connection to the server and sends a request. The server
receives the request, sends a response back to the client, and closes the
connection.
To configure the HTTP server on a set command-based switch, perform the
following tasks at the CLI: [1]
1. Assign an IP address to the switch, if necessary, using the command
set interface sc0 [ip_addr / netmask].
2. Enable the HTTP server on the switch using the command
set ip http server enable.
3. Configure the HTTP port (the TCP/IP port default is 80; perform this step
only to change the default) using the command
set ip http port port_number default.
4. Verify the HTTP server and CWI support by using the command
show ip http.
Catalyst Switch software allows the user to configure authentication for console
and Telnet logins using the RADIUS/TACACS/Kerberos/Local database. With
software Release 5.4(2) or later, the software also allows configuring
authentication for HTTP users.
When logging into the switch using HTTP, a dialog box appears and requests a
username and password. After providing a username and password, the system
authenticates the login with the HTTP user-authentication method. The system
denies access unless the username and password are valid. In the default
configuration, verification is enabled for all users of the CWI. The system
validates the login password against the local login password.
Authentication for the CWI occurs at these two security levels:
• Level 1 - Username and Password Authentication
Level 1 requires user authentication by providing a username and
password. This process is similar to the authentication that is obtained at
the command prompt for Telnet and console sessions.
After passing the first level of security, it is possible to download the
Catalyst CV.
• Level 2 - SNMP IP Permit Restriction
Level 2 restricts the IP address of the incoming SNMP request. The IP
address of the SNMP request must be configured correctly before the
CWI can communicate with the switch.
To configure authentication, perform these tasks at the CLI:
Task                                   Command
Step 1  Configure authentication login.  set authentication login
Step 2  Display authentication.          show authentication

The example in Figure [2] shows how to set the authentication login for the
HTTP option.
To download the Catalyst CV from the browser, follow these steps:
Step 1 - Enter the switch address in the Universal Resource Locator (URL) field
of the browser. For example, open Netscape Navigator or Internet Explorer and
enter the following:
http://10.1.1.1
In this example, 10.1.1.1 is the switch IP address. After connecting to the
switch, a login dialog appears and prompts for username and password.
Step 2 - Provide a username and password. The home page of the switch appears
in the browser.
Step 3 - Click the Switch Manager link to download the Catalyst CV. The switch
downloads the Catalyst CV, and the browser opens with a real-time view of the
switch chassis.

Summary
After completing this chapter, the reader should have a firm understanding of
the following concepts:
■ How to make initial connections to the switch, connecting to the console
port and connecting an Ethernet port
■ Basic configuration of the switch, including:
  ■ Clearing a configuration
  ■ Setting a password
  ■ Naming the switch
  ■ Configuring the switch for remote access
  ■ Identifying individual ports
  ■ Defining link speed
  ■ Defining line mode on a switch
■ Important IOS features such as:
  ■ Command line recall
  ■ Using the help feature
  ■ Show commands
  ■ Password recovery
  ■ Verifying connectivity
  ■ Saving the configuration
  ■ Backup and restoration of a configuration using a TFTP server

Section 3

Introduction to VLANs
Table of Contents

INTRODUCTION TO VLANS............................................................................................ 1
OVERVIEW ...................................................................................................................................................... 3
OBJECTIVES..................................................................................................................................................... 4
3.1 VLAN BASICS ........................................................................................................................................... 5
3.1.1 Describe a VLAN ................................................................................................................................ 5
3.1.2 Why are VLANs necessary?.................................................................................................................. 6
3.1.3 VLANs and network security ................................................................................................................ 7
3.1.4 VLANs and broadcast distribution ........................................................................................................ 9
3.1.5 VLANs and bandwidth utilization ....................................................................................................... 10
3.1.6 VLANs vs. network latency from routers.............................................................................................. 10
3.1.7 VLANs vs. complex access lists........................................................................................................... 12
3.1.8 Wrong motives for implementing VLANs ............................................................................................. 13
3.2 VLAN TYPES .......................................................................................................................................... 14
3.2.1 VLAN Boundaries ............................................................................................................................. 14
3.2.2 End-to-end VLANs ............................................................................................................................ 15
3.2.3 Local VLANs .................................................................................................................................... 16
3.2.4 Establishing VLAN memberships ........................................................................................................ 17
3.2.5 Port-based VLAN membership ........................................................................................................... 18
3.2.6 Dynamic VLANs................................................................................................................................ 19
3.3 CONFIGURING VLANS .............................................................................................................................. 22
3.3.1 Configuring static VLANs .................................................................................................................. 22
3.3.2 Verify VLAN configuration................................................................................................................. 24
3.3.3 Deleting VLANs ................................................................................................................................ 25
3.3.4 Configure the VMPS server................................................................................................................ 26
3.3.5 Configure a VMPS client ................................................................................................................... 27
3.3.6 Access links and trunk links................................................................................................................ 29
3.4 VLAN IDENTIFICATION ............................................................................................................................. 31
3.4.1 VLAN frame identification ................................................................................................................. 31
3.4.2 ISL................................................................................................................................................... 32
3.4.3 IEEE 802.1Q .................................................................................................................................... 34
3.4.4 LANE ............................................................................................................................................... 35
3.4.5 IEEE 802.10 Protocol ....................................................................................................................... 36
3.5 TRUNKING ............................................................................................................................................... 38
3.5.1 Trunking overview............................................................................................................................. 38
3.5.2 Configuring a VLAN trunk ................................................................................................................. 39
3.5.3 Removing VLANs from a trunk ........................................................................................................... 41
3.6 VLAN TRUNKING PROTOCOL (VTP).......................................................................................................... 44
3.6.1 VTP Benefits..................................................................................................................................... 44
3.6.2 VTP operation .................................................................................................................................. 45
3.6.3 VTP modes ....................................................................................................................................... 46
3.6.4 Adding a switch to a VTP domain....................................................................................................... 47
3.6.5 VTP advertisements........................................................................................................................... 49
3.7 VTP Configuration...............................................................................................................................52
3.7.1 Basic configuration steps ................................................................................................................... 52
3.7.2 Configure the VTP version ................................................................................................................. 52
3.7.3 Configure the VTP domain................................................................................................................. 54
3.7.4 Configure VTP mode ......................................................................................................................... 55
3.7.5 Verify VTP configuration ................................................................................................................... 56
3.8 VTP PRUNING.......................................................................................................................................... 58
3.8.1 Default behavior of a switch............................................................................................................... 58
3.8.2 Configure VTP pruning ..................................................................................................................... 60
3.8.3 Verifying VTP pruning....................................................................................................................... 62
SUMMARY ..................................................................................................................................................... 64

Overview
When the industry started to articulate virtual LANs (VLANs) in the trade
journals and the workforce, a lot of confusion arose. What exactly did they mean
by VLAN? Authors had different interpretations of the new network terminology
that were not always consistent with each other, much less in agreement.
Vendors took varied approaches to creating VLANs, which further muddled the
understanding.
This chapter:
• Presents definitions and categorizations for VLANs
• Explains how to configure VLANs
• Discusses reasons to use and not use VLANs
• Attempts to clarify misinformation about VLANs
In this chapter, the student will learn how to break the Layer 2 switch block into
separate broadcast domains called VLANs. The chapter will also introduce
VLAN management tools such as the VLAN Trunk Protocol (VTP).

Objectives
After completing this chapter, the student will be able to perform tasks
relating to:

• 3.1 VLAN Basics
• 3.2 VLAN Types
• 3.3 Configuring VLANs
• 3.4 VLAN Identification
• 3.5 Trunking
• 3.6 VLAN Trunking Protocol (VTP)
• 3.7 VTP Configuration
• 3.8 VTP Pruning

3.1 VLAN Basics

3.1.1 Describe a VLAN

Figure 1 Describe a VLAN

A virtual LAN (VLAN) logically segments a switched network based on an
organization's functions, project teams, or applications rather than on a physical
or geographical basis. For example, all workstations and servers used by a
particular workgroup team can be connected to the same VLAN, regardless of
their physical connections to the network or the fact that they might be
intermingled with other teams. Reconfiguration of the network can be done
through software rather than by physically unplugging and moving devices or
wires.
As shown in the Figure, a VLAN can be thought of as a broadcast domain that
exists within a defined set of switches. A VLAN consists of a number of end
systems, either hosts or network equipment (such as bridges and routers),
connected by a single bridging domain. The bridging domain is supported on
various pieces of network equipment; for example, LAN switches that operate
bridging protocols between them with a separate bridge group for each VLAN.
VLANs are created to provide the segmentation services traditionally provided
by routers in LAN configurations. VLANs address scalability, security, and
network management. Routers in VLAN topologies provide broadcast filtering,
security, address summarization, and traffic flow management. By definition,
switches may not bridge any traffic between VLANs. This would violate the
integrity of the VLAN broadcast domain. Traffic should only be routed between
VLANs. Several key issues need to be considered when designing and building
switched-LAN internetworks.

3.1.2 Why are VLANs necessary?

Reasons to use VLANs include:
• Assignments are logically, not geographically, based.
• Keep up with moves and changes.
• Group multiple topologies.
• VLANs offer network security.
• VLANs offer broadcast control.
• Bandwidth utilization is efficient with VLANs.

Figure 1 Why are VLANs Necessary?

In a legacy network, administrators assign users to networks based on
geography. The administrator attaches the user's workstation to the nearest
network cable. If the user belongs to the engineering department and sits next to
someone from the accounting department, they both belong to the same network
because they attach to the same cable. This creates some interesting network
issues and highlights some of the reasons for using VLANs. VLANs help to
resolve many of the problems associated with legacy network designs.
Network managers can logically group networks that span all major topologies,
including high-speed technologies such as Asynchronous Transfer Mode (ATM),
Fiber Distributed Data Interface (FDDI), and Fast Ethernet. By creating VLANs,
system and network administrators can control traffic patterns, react quickly to
relocations, and keep up with constant changes in the network due to moving
requirements and node relocation. VLANs provide the flexibility to carry out
these actions. The network administrator simply changes the VLAN member list
in the switch configuration. The administrator can add, remove, or move devices
or make other changes to the network configuration using software. The sections
that follow examine the five issues listed in the Figure that warrant
implementation of a VLAN.

3.1.3 VLANs and network security

Figure 1 Security Problems in a Legacy Network

Figure 2 A Known Unicast Frame in a Switched Network

The first issue is the shared-media nature of legacy networks. Whenever a station
transmits in a shared network such as a legacy half-duplex 10BASE-T system,
all stations attached to the segment receive a copy of the frame, even if they are
not the intended recipients. This does not prevent the network from functioning.
There are, however, readily available software packages that monitor network
traffic. Anyone with such a package can capture passwords, sensitive e-mail, and
any other traffic on the network.
If the users on the network belong to the same department, this might not be
disastrous, but when users from mixed departments share a segment, undesirable
information captures can occur. If someone from human resources or accounting
sends sensitive data such as salaries, stock options, or health records on the
shared network, anyone with a network monitoring package can decode the
information.

Neither of these scenarios is constrained to a single segment. These problems
can occur in multisegment environments interconnected with routers. In Figure
[1], the accounting department resides on two isolated segments. For users on
one segment to transmit to users on the other segment, the frames must cross the
engineering network. When they cross the engineering segment, it is possible
that they can be intercepted and misused.
One way to eliminate the problem is to move all accounting users onto the same
segment. However, this is not always possible because there might be space
limitations that prevent all accountants from sharing a common part of the
building. Another reason may be the geographical makeup of the
company: users on one segment might be a considerable distance from users on
the other segment.
Another approach is through the use of VLANs, which enable all process-
related users to be contained in the same broadcast domain and isolated from
users in other broadcast domains. All accounting users can be assigned to the
same VLAN, regardless of their physical location in the facility. They no longer
have to be placed in a network based upon their location. Users can be assigned to
a VLAN based upon their job function. Keep all the accounting users on one
VLAN, the marketing users on another VLAN, and engineering in yet a third.
By creating VLANs with switched network devices, another level of protection
is created. Switches bridge traffic within a VLAN. When a station transmits, the
frame goes to the intended destination. As long as it is a known unicast frame,
the switch does not distribute the frame to all users in the VLAN [2].
Station A in Figure [2] transmits a frame to Station B attached to another
Catalyst® Switch. Although the frame crosses through a Catalyst Switch, only
the destination receives a copy of the frame. The switch filters the frame from
the other stations, whether they belong to a different VLAN or the same VLAN.
This switch feature limits the opportunity for someone to capture packets with a
network analyzer.
Although these security methods may seem like overkill, in the corporate
network they are crucial. Consider the data transferred among the accounting
department. This department has salary information, stock-option information,
personal information, and other sensitive and personal material. It is very
important to protect the privacy of the users and the integrity of the data.
VLANs greatly assist in this endeavor.

3.1.4 VLANs and broadcast distribution

Figure 1 VLANs and Broadcast Distribution

Practically every network protocol creates broadcast traffic for one reason or
another. For example, consider the amount of broadcast traffic AppleTalk
generates. AppleTalk routers generate routing updates in the form of broadcast
frames every ten seconds. Broadcasts go to all devices in the broadcast domain
and must be processed by the receiving devices. Further, many multimedia
applications create broadcast and multicast frames that get distributed across the
broadcast domain.
So why do network administrators dislike broadcast traffic? Broadcasts are
necessary to support protocol operations and therefore are overhead frames in
the network. With the exception of multimedia-based traffic, broadcast frames
rarely transport user data. Since broadcasts tend not to carry user data, they
consume bandwidth in the network, resulting in a reduction of the bandwidth for
productive traffic.
Broadcasts also have a profound effect on the performance of workstations. Any
broadcast received by a workstation interrupts the CPU and prevents it from
working on user applications. As the number of broadcasts per second increases
at the interface, effective CPU utilization diminishes. The actual level of
degradation depends upon the applications running in the workstation, the type
of network interface card and drivers, the operating system, and the workstation
platform.
If broadcasts are creating problems in the network, creating smaller broadcast
domains can mitigate the negative effects. In VLANs, this means creating
additional VLANs and attaching fewer devices to each one. The effectiveness of
this action depends upon the source of the broadcast. If the broadcasts come
from a local server, isolate the server in another domain. If the broadcasts come
from end stations, creating multiple domains might help to reduce the number of
broadcasts in each domain.

3.1.5 VLANs and bandwidth utilization

Figure 1 Concurrent Transmissions in a Catalyst

When users attach to the same shared segment, all of them share the bandwidth
of the segment. Every additional user attached to the shared medium means there
is less average bandwidth available for each user. If the sharing becomes too
great, user application performance will begin to suffer. The network
administrator will begin to suffer as well because users will begin complaining
and asking for more bandwidth. VLANs, which are usually created with LAN
switch equipment, can offer more bandwidth to users than is inherent in a shared
network.
Remember that each interface on a switch behaves like a port on a legacy bridge.
Bridges filter traffic that does not need to go to segments other than the source.
If a frame needs to cross the bridge, the bridge forwards the frame to the correct
interface and to no others. If the bridge or switch does not know where the
destination resides, it floods the frame to all ports in the broadcast domain
(VLAN) except the "source port."
In a switched environment, a station will usually see only traffic destined
specifically for it. The switch will filter most of the other background traffic in
the network. This allows the workstation to have full, dedicated bandwidth for
sending or receiving interesting traffic. Unlike a shared-hub system where only
one station can transmit at a time, the switched network in the Figure allows
many concurrent transmissions within a broadcast domain without directly
affecting other stations inside or outside of the broadcast domain. Station pairs
A/B, C/D, and E/F can all communicate without affecting the other station pairs.

3.1.6 VLANs vs. network latency from routers

Figure 1 Network Latency from Routers vs. VLANs

In the legacy network shown in the Figure, accounting users on the two segments
have to cross the engineering segment to transfer any data. The frames have to
pass through two routers. Software-based routers tend to be slower than other
internetworking products such as a Layer 2 bridge or switch. As a frame passes
through a router, the router introduces latency to the network. Latency
constitutes the amount of time necessary to transport a frame from the source
port to the destination port. Every router that the frame transits increases the end-
to-end latency. Further, every congested segment that a frame must cross
increases latency.
By moving all the accounting users into one VLAN, the need to cross through
multiple routers and segments is eliminated. This reduces latency in a network
that will improve performance for users, especially if they use a connection-
oriented protocol such as TCP. Connection-oriented protocols do not send more
data until an acknowledgement is received referencing the previous data.
Network latency dramatically reduces the effective throughput for connection-
oriented protocols. If the need for user traffic to pass through a router can be
eliminated, by placing users in the same VLAN, cumulative router latency can
be eliminated. If frames must pass through routers, enabling Layer 3 switching
will significantly reduce router transit latencies as well.

3.1.7 VLANs vs. complex access lists

Figure 1 VLANs vs. Complex Access Lists

Routers allow administrators to introduce policies that control the flow of traffic
in the network. Access lists control traffic flow and provide varied degrees of
policy granularity. Through the implementation of access lists, a specific user
can be prevented from communicating with another user or network, or an
entire network can be prevented from accessing a user or network. A network
administrator might exercise these capabilities for security reasons, or may elect
to prevent traffic from flowing through a segment to protect local bandwidth.
In any case, the management of access lists can be quite cumbersome. The
access list must be developed based on the company's business and security
needs.
In the network example shown in the Figure, filters in the routers attached to the
engineering segment can include access lists allowing the accounting traffic to
pass through the engineering segment, but never talk to any engineering devices.
That does not prevent engineers from monitoring the traffic, but does prevent
direct communication between the engineering and accounting devices.
Accounting will not see the engineering traffic, but engineering can see all the
accounting transit traffic.
VLANs can simplify the network in some cases by allowing the administrator to
keep all accounting users in one VLAN. Then their traffic does not need to pass
through a router to get to peers within the VLAN. This can simplify access-list
design because the administrator can treat networks as groups with similar or
equal access requirements.

3.1.8 Wrong motives for implementing VLANs

Figure 1 Wrong Motives for Implementing VLANs

One common motivation for using VLANs tends to get network administrators
excited. Unfortunately, reality quickly meets enthusiasm, revealing errors in
motivation. The advent of VLANs led many to believe that a network
administrator's life would be simplified. Administrators thought that VLANs
would eliminate the need for routers, everyone could be placed in one giant flat
network, and administrators could go home at reasonable hours each evening.
This turns out to be far from the truth. VLANs do not eliminate Layer 3 issues.
They may allow the network administrator to more easily perform some Layer 3
tasks, such as developing simpler access lists, but Layer 3 routing still must
exist.

3.2 VLAN Types

3.2.1 VLAN Boundaries

Figure 1 VLAN Boundaries

The number of VLANs in the switch block may vary greatly, depending on
several factors. This includes traffic patterns, types of applications, network
management needs, and group commonality. In addition, an important
consideration in defining the size of the switch block and the number of VLANs
is the IP addressing scheme.
For example, suppose the network uses a 24-bit mask to define a subnet. Given
this criterion, a total of 254 host addresses are allowed in one subnet. Because a
one-to-one correspondence between VLANs and IP subnets is strongly
recommended, there can be no more than 254 devices in any one VLAN. It is
further recommended that VLANs should not extend outside of the Layer 2
domain of the distribution switch. As demonstrated in the Figure, with many
users in the building under the recommended constraints, a minimum of four
VLANs will be in the switch block.
When scaling VLANs in the switch block, there are two basic methods of
defining the VLAN boundaries:
• End-to-end VLANs
• Local VLANs

3.2.2 End-to-end VLANs

[Figure: wiring closet with switched Ethernet ports and Fast Ethernet uplinks; distribution layer (Fast Ethernet) with workgroup servers; core layer (Fast or Gigabit Ethernet) with inter-VLAN routing and enterprise servers]

End-to-end VLANs were originally Cisco's recommended approach to
configuring VLANs in the switch block. This helped facilitate the old 80/20
rule. That is, 80 percent of the traffic should be local, and 20 percent of the
traffic should be remote. As the corporate community began to move to
server farms, application servers, and enterprise-wide servers, this became
increasingly difficult to manage. Cisco no longer recommends using
end-to-end VLANs due to the management and spanning-tree concerns.

Figure 1 End-to-End VLANs

VLANs can exist either as end-to-end networks, which span the entire switch
fabric, or they can exist inside of geographic boundaries.
An end-to-end VLAN network comprises the following characteristics:
• Users are grouped into VLANs independent of physical location and
dependent on group or job function.
• All users in a VLAN should have the same 80/20 traffic flow patterns.
• As a user moves around the campus, VLAN membership for that user
should not change.
• Each VLAN has a common set of security requirements for all members.
In the Figure, starting in the wiring closet, 10-megabit-per-second (Mbps)
dedicated Ethernet ports are provisioned for each user. Each color represents a
subnet, and because people have moved around over time, each switch
eventually becomes a member of all VLANs. Fast Ethernet Inter-Switch Link
(ISL) or IEEE 802.1Q is used to carry multiple VLAN information between the
wiring closets and the distribution-layer switches.
Note: ISL is a Cisco-proprietary protocol that maintains VLAN information
as traffic flows between switches and routers. IEEE 802.1Q is an open-standard
(IEEE) VLAN tagging mechanism that predominates in modern
switching installations.
Workgroup servers operate in a client/server model, and attempts have been
made to keep users in the same VLAN as their server to maximize the
performance of Layer 2 switching and keep traffic localized.
In the core, a router allows inter-subnet communication. The network is
engineered, based on traffic flow patterns, to have 80 percent of the traffic
within a VLAN and 20 percent crossing the router to the enterprise servers and
to the Internet and WAN.

3.2.3 Local VLANs

Figure 1 Local VLANs

End-to-end VLANs allow devices to be grouped based upon resource usage.
This includes such parameters as server usage, project teams, and departments.
The goal of end-to-end VLANs is to maintain 80 percent of the traffic on the
local VLAN.
As many corporate networks have moved to centralize their resources, end-to-
end VLANs became more difficult to maintain. Users are required to use many
different resources, many of which are no longer in their VLAN. Because of this
shift in placement and usage of resources, VLANs are now more frequently
being created around geographic boundaries rather than commonality
boundaries.
This geographic location can be as large as an entire building or as small as a
single switch inside a wiring closet. In a geographic VLAN structure, it is typical
to find the new 20/80 rule in effect with 80 percent of the traffic remote to the
user and 20 percent of the traffic local to the user. Although this topology means
that the user must cross a Layer 3 device in order to reach 80 percent of the
resources, this design allows the network to provide for a deterministic,
consistent method of accessing resources.
Geographic VLANs are also considerably easier to manage and conceptualize
than VLANs that span different geographic areas.

3.2.4 Establishing VLAN memberships

Figure 1 Establishing VLAN Memberships

[Figure: TFTP server; Catalyst 5000 primary VMPS Server 1 (Switch 1, 172.20.26.150); secondary VMPS Server 2 (Switch 3, 172.20.26.152) and Server 3 (Switch 10, 172.20.26.159); VMPS client Switches 2 through 9 (172.20.26.151 through 172.20.26.158); router; End Station 1 and End Station 2; port 3/1; 172.20.22.7]

Figure 2 Dynamic VLANs

The two common approaches to assigning VLAN membership are as follows:
• Static VLANs - This method is also referred to as port-based
membership. Static VLAN assignments are created by assigning ports to
a VLAN. As a device enters the network, the device automatically
assumes the VLAN of the port. If the user changes ports and needs
access to the same VLAN, the network administrator must manually
make a port-to-VLAN assignment for the new connection. An example
of this is shown in Figure [1].
• Dynamic VLANs - Dynamic VLANs are created through the use of
software packages such as CiscoWorks 2000. With a VLAN
Management Policy Server (VMPS), the network administrator can
assign switch ports to VLANs dynamically based on the source MAC
address of the device connected to the port. Dynamic VLANs currently
allow for membership based on the MAC address of the device. As a
device enters the network, the device queries a database for VLAN
membership. An example of this is shown in Figure [2].

3.2.5 Port-based VLAN membership

Figure 1 Port-Based VLAN Membership

In port-based VLAN membership, the port is assigned to a specific VLAN
independent of the user or system attached to the port. This means all users
attached to the port should be members in the same VLAN. The network
administrator typically performs the VLAN assignment. The port configuration
is static and cannot be automatically changed to another VLAN without manual
reconfiguration.
As with other VLAN approaches, the packets forwarded using this method do
not leak into other VLAN domains on the network. After a port has been
assigned to a VLAN, the port cannot send to, or receive from, devices in another
VLAN without the intervention of a Layer 3 device.

The device that is attached to the port likely has no understanding that a VLAN
exists. The device simply knows that it is a member of a subnet and that the
device should be able to talk to all other members of the subnet by simply
sending information to the cable segment. The switch is responsible for
identifying that the information came from a specific VLAN and for ensuring
that the information gets to all other members of the VLAN. The switch is
further responsible for ensuring that ports in a different VLAN do not receive the
information.
This approach is quite simple, fast, and easy to manage in that there are no
complex lookup tables required for VLAN segmentation. If port-to-VLAN
association is done with an application-specific integrated circuit (ASIC), the
performance is very good. An ASIC allows the port-to-VLAN mapping to be
done at the hardware level.

3.2.6 Dynamic VLANs


[Figure: the same VMPS topology shown in Figure 2 of 3.2.4: TFTP server, primary and secondary VMPS servers, VMPS client switches, router, and end stations]

Figure 1 Dynamic VLANs

With a VLAN Management Policy Server (VMPS), switch ports can be
assigned to VLANs dynamically, based on the source MAC address of the
device connected to the port. When a host is moved from a port on one switch in
the network to a port on another switch in the network, the switch assigns the
new port to the proper VLAN for that host dynamically.
When VMPS is enabled, a MAC address-to-VLAN mapping database
downloads from a Trivial File Transfer Protocol (TFTP) server and VMPS
begins to accept client requests. If the network administrator resets or power
cycles a Catalyst 5000, 4000, 900, 3500, or 6000 Series Switch, the VMPS
database downloads from the TFTP server automatically and VMPS is
reenabled.
VMPS opens a User Datagram Protocol (UDP) socket to communicate and listen
to client requests. When the VMPS server receives a valid request from a client,
it searches its database for a MAC address-to-VLAN mapping.
If the assigned VLAN is restricted to a group of ports, VMPS verifies the
requesting port against this group. If the VLAN is allowed on the port, the
VLAN name is returned to the client. If the VLAN is not allowed on the port and
VMPS is not in secure mode, the host receives an "access-denied" response. If
VMPS is in secure mode, the port is shut down.
If a VLAN in the database does not match the current VLAN on the port and
active hosts are on the port, VMPS sends an access-denied or a port-shutdown
response based on the secure mode of the VMPS.
The network administrator can configure a fallback VLAN name. If a device
with a MAC address that is not in the database is connected, VMPS sends the
fallback VLAN name to the client. If the network administrator does not
configure a fallback VLAN and the MAC address does not exist in the database,
VMPS sends an access-denied response. If VMPS is in secure mode, it sends a
port-shutdown response.
An explicit entry can also be made in the configuration table to deny access to
specific MAC addresses for security reasons by specifying a --NONE-- keyword
for the VLAN name. In this case, VMPS sends an access-denied or port-
shutdown response.
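The VMPS response logic laid out in the paragraphs above (database lookup, per-VLAN port-group restriction, fallback VLAN, explicit --NONE-- entries, and the secure-mode choice between access-denied and port-shutdown), as an added Python model that is not Cisco's code. The database contents, MAC addresses, port names and VLAN names are constructed for illustration.

```python
"""Model of the VMPS lookup described above (added example, not Cisco code).

The database, MAC addresses, port names and VLAN names are constructed for
illustration. vmps_lookup() returns what VMPS would send to the client:
a VLAN name, "access-denied", or "port-shutdown".
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Keyword used in the VMPS configuration table to explicitly deny a MAC address.
NONE_KEYWORD = "--NONE--"


@dataclass
class VmpsDatabase:
    # MAC address (normalised to lower case) -> VLAN name or --NONE--
    mac_to_vlan: Dict[str, str]
    # VLAN name -> set of "mod/port" strings the VLAN is restricted to.
    # A VLAN absent from this map is allowed on any dynamic port.
    vlan_port_groups: Dict[str, Set[str]] = field(default_factory=dict)
    fallback_vlan: Optional[str] = None
    secure_mode: bool = False


def deny_response(db: VmpsDatabase) -> str:
    """In secure mode VMPS shuts the port down; otherwise it denies access."""
    return "port-shutdown" if db.secure_mode else "access-denied"


def vmps_lookup(db: VmpsDatabase, mac: str, port: str,
                current_vlan: Optional[str] = None,
                active_hosts: bool = False) -> str:
    """Answer one client request for (mac, port).

    current_vlan and active_hosts describe the port state the client reports,
    so the mismatch rule (database VLAN differs from the port's current VLAN
    while hosts are active on it) can be applied.
    """
    vlan = db.mac_to_vlan.get(mac.lower())

    # Unknown MAC: fallback VLAN if one is configured, otherwise deny.
    if vlan is None:
        return db.fallback_vlan if db.fallback_vlan else deny_response(db)

    # Explicit --NONE-- entry: always a deny (or shutdown in secure mode).
    if vlan == NONE_KEYWORD:
        return deny_response(db)

    # VLAN restricted to a group of ports: the requesting port must be in it.
    allowed_ports = db.vlan_port_groups.get(vlan)
    if allowed_ports is not None and port not in allowed_ports:
        return deny_response(db)

    # Database VLAN differs from the port's current VLAN while hosts are active.
    if active_hosts and current_vlan is not None and current_vlan != vlan:
        return deny_response(db)

    return vlan


# Constructed sample database (not from the original page).
SAMPLE_DB = VmpsDatabase(
    mac_to_vlan={
        "00:00:0c:11:22:33": "Accounting",
        "00:00:0c:44:55:66": "Engineering",
        "00:00:0c:de:ad:01": NONE_KEYWORD,   # device explicitly blocked
    },
    vlan_port_groups={"Accounting": {"3/1", "3/2"}},
    fallback_vlan=None,
    secure_mode=False,
)


if __name__ == "__main__":
    print(vmps_lookup(SAMPLE_DB, "00:00:0C:11:22:33", "3/1"))   # Accounting
    print(vmps_lookup(SAMPLE_DB, "00:00:0c:11:22:33", "3/9"))   # access-denied
    print(vmps_lookup(SAMPLE_DB, "00:00:0c:de:ad:01", "3/1"))   # access-denied
```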
On a set command-based switch, a dynamic (nontrunking) port can belong to
only one VLAN at a time. When the link comes up, a dynamic port is isolated
from its static VLAN. The source MAC address from the first packet of a new
host on the dynamic port is sent to VMPS, which attempts to match the MAC
address to a VLAN in the VMPS database. If there is a match, VMPS provides
the VLAN number to assign to the port. If there is no match, VMPS either denies
the request or shuts down the port (depending on the VMPS secure mode
setting).
Multiple hosts (MAC addresses) can be active on a dynamic port if they are all
in the same VLAN. If the link goes down on a dynamic port, the port returns to
an isolated state. Any hosts that come on line through the port are checked again
with VMPS before the port is assigned to a VLAN.
The following guidelines and restrictions apply to dynamic port VLAN
membership:
• The VMPS must be configured before configuring ports as dynamic.
• When a port is configured as dynamic, Spanning-Tree PortFast is
enabled automatically for that port. Automatic enabling of Spanning-
Tree PortFast prevents applications on the host from timing out and
entering loops caused by incorrect configurations. Spanning-Tree
PortFast mode can be disabled on a dynamic port.
• If a port is reconfigured from a static port to a dynamic port on the same
VLAN, the port connects immediately to that VLAN. However, VMPS
checks the legality of the specific host on the dynamic port after a
certain period.

• Static secure ports cannot become dynamic ports. Security must be
turned off on the static secure port before it can become dynamic.
• Static ports that are trunking cannot become dynamic ports. Trunking on
the trunk port must be turned off before changing it from static to
dynamic.
It is also important to note that the VLAN Trunking Protocol (VTP) management
domain and the management VLAN of VMPS clients and the VMPS server must
be the same.

3.3 Configuring VLANs

3.3.1 Configuring static VLANs

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2
Switch(config-if)#

Figure 1 Cisco IOS Software-Based Switch

Switch#show running-config

hostname Switch
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport access vlan 2
!
<Output omitted>

Figure 2 Cisco IOS Software-Based Switch

Switch> (enable) set vlan 41 2/1-10
VLAN 41 modified.
VLAN 1 modified.
VLAN Mod/Ports
41 2/1-10

Figure 3 Set Command-Based Switch

Static VLANs are ports on a switch that are manually assigned to a VLAN by
using a VLAN management application or by working directly within the switch.
These ports maintain their assigned VLAN configuration until they are changed
manually. Although static VLANs require manual entry changes, they are secure,
easy to configure, and straightforward to monitor. This type of VLAN works
well in networks where moves are controlled and managed; where there is robust
VLAN management software to configure the ports; and where it is not desirable
to assume the additional overhead required when maintaining end-station MAC
addresses and custom filtering tables.
The creation of a VLAN on a switch is a very straightforward and simple task. If
using a Cisco IOS command-based switch, simply go to the interface to be
configured and issue the commands:
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan number
In Figure [1], interface FastEthernet 0/3 is being assigned to vlan 2. As
demonstrated in Figure [2], this configuration has been verified by using the
show running-config command.
If using a set-based switch, simply enter the set vlan command to create a
VLAN, as shown below and in Figure [3].
switch> (enable) set vlan vlan_num mod_num/port_list

Lab Activity

In this lab activity, the student will learn how to configure a Distribution Layer
Catalyst 4000 Ethernet Switch to support three VLANs - Marketing, Accounting,
and Engineering.

Lab Activity

In this lab activity, the student will learn how to configure an Access Layer
Catalyst 2900 Ethernet Switch to support three VLANs - Marketing, Accounting,
and Engineering.

3.3.2 Verify VLAN configuration

Switch#show vlan brief


VLAN Name Status Ports
---- --------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/4, Fa0/5,
Fa0/6, Fa0/7, Fa0/8, Fa0/9,
Fa0/10, Fa0/11, Fa0/12, Fa0/13,
Fa0/14, Fa0/15, Fa0/16, Fa0/17,
Fa0/18, Fa0/19, Fa0/20, Fa0/21,
Fa0/22, Fa0/23, Fa0/24
2 VLAN0002 active Fa0/3
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

Figure 1 Verifying VLAN Configuration

Switch> (enable) show vlan


VLAN Mod/Ports
1 1/1-2
10 2/3-10
20 2/11-24

Figure 2 Verifying VLAN Configuration

As shown in Figure [1], it is considered to be good practice to verify VLAN
configuration by using the show vlan brief command while in privileged
mode. The output example from a Cisco IOS command-based switch shows that
VLAN 2 is configured on module 0, port 3.
The output example from a set command-based switch in Figure [2] shows that
VLAN 1 is configured on Module 1, Ports 1 and 2; VLAN 10 is configured on
Module 2, Ports 1 through 10; and VLAN 20 is configured on Module 2, Ports
11 through 24.
The following facts should be remembered:

• A created VLAN remains unused until it is mapped to switch ports. Use
the set vlan command to map VLANs to ports.
• The default configuration has all Ethernet ports on VLAN 1. Groups of
ports can be entered as individual entries, for example, 2/1, 3/3, 3/4, or
3/5. A hyphenated format can also be used to map multiple ports, for
example, 2/1-4 or 3/3-5.
• Do not enter spaces between the port numbers. The switch will respond
with an error message because a space delimits another argument that is
not in the command structure of this command.
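The verification step above is usually done by eye, but on a switch with many ports it is worth parsing the show vlan brief output and checking it mechanically: which ports are still on the default VLAN 1, which VLANs exist but have no ports mapped to them, and whether a given port is in the VLAN it is supposed to be in. The following is an added example written for this section, not code from the Cisco material; the sample output is constructed to mirror the Figure 1 output above (same ports and VLANs, with the column alignment a real switch prints), and the function names are the example's own.

```python
"""Parse 'show vlan brief' output from a Cisco IOS command-based switch
and report VLAN/port membership (added example, not from the course)."""
import re

# Constructed sample modelled on Figure 1 above: every port sits in VLAN 1
# except Fa0/3, which was assigned to VLAN 2 with 'switchport access vlan 2'.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/4, Fa0/5,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13,
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17,
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21,
                                                Fa0/22, Fa0/23, Fa0/24
2    VLAN0002                         active    Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
"""

# A record line starts with the VLAN id; the port list (possibly empty) follows
# the status column and may continue on indented lines.
RECORD = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _split_ports(text):
    return text.replace(",", " ").split()


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str, ...]}}."""
    vlans = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("VLAN ") or line.startswith("----"):
            continue                       # header rows and blank lines
        if line[0].isdigit():
            m = RECORD.match(line)
            if not m:
                raise ValueError(f"unparsable record: {line!r}")
            vid, name, status, ports = m.groups()
            current = vlans[int(vid)] = {"name": name, "status": status,
                                         "ports": _split_ports(ports)}
        elif current is not None:
            # Indented continuation line: more ports belonging to the current VLAN.
            current["ports"].extend(_split_ports(line))
    return vlans


def port_to_vlan(vlans):
    """Invert the table so a port can be looked up directly."""
    return {port: vid for vid, rec in vlans.items() for port in rec["ports"]}


def ports_in_default_vlan(vlans, default_vlan=1):
    """Ports still on the default VLAN, i.e. never moved off the factory setting."""
    return list(vlans.get(default_vlan, {"ports": []})["ports"])


def unused_vlans(vlans):
    """VLANs that exist but have no ports mapped to them (see the first bullet above)."""
    return sorted(vid for vid, rec in vlans.items() if not rec["ports"])


def port_is_in(vlans, port, expected_vlan):
    """True if the port is a member of exactly the expected VLAN."""
    return port_to_vlan(vlans).get(port) == expected_vlan


if __name__ == "__main__":
    table = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    print("Ports left on VLAN 1:", ports_in_default_vlan(table))
    print("VLANs without ports:", unused_vlans(table))
    print("Fa0/3 in VLAN 2:", port_is_in(table, "Fa0/3", 2))
```

The same parser works for the larger show vlan output as long as the first four columns are present; the continuation-line handling is what makes the multi-line port list of VLAN 1 come out as a single list of 23 ports.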

Interactive Lab Activity

In this activity, the student will learn how to configure and verify VLANs on a
Catalyst 4000 switch.

Interactive Lab Activity

In this activity, the student will learn how to configure and verify VLANs on a
Catalyst 2900 switch.

3.3.3 Deleting VLANs

Console> (enable) clear vlan 2


This command will deactivate all ports on vlan 2
in the entire management domain
Do you want to continue(y/n) [n]?y
Vlan 2 deleted
Console> (enable)

Figure 1 Deleting VLANs

Switch(config-if)#no switchport access vlan 2


Switch(config-if)#

Figure 2 Cisco IOS Software-Based Switch

Removing a VLAN from a set command-based switch is just as easy as
configuring one. To remove a VLAN from the switch, issue the clear vlan
vlan_number command, as shown in Figure [1]. In this example, VLAN 2 is
being removed from the domain by using the command clear vlan 2 on the
set-based switch. It is important to note that this command must be issued on a
VTP server switch. VLANs cannot be deleted from a VTP client switch. If the
switch is configured in transparent mode, the VLAN can be deleted. However,
the VLAN is removed only from the one Catalyst Switch and is not deleted
throughout the management domain. All VLAN creations and deletions are
locally significant only on a transparent switch. VTP domains are covered in this
section.
When an attempt to delete the VLAN is made, the switch will issue a warning
that all ports belonging to the VLAN in the management domain will be
deactivated. If there are 50 devices as members of the VLAN when it is deleted,
all 50 stations become isolated because their local switch port becomes
disabled. If the VLAN is recreated, the ports will automatically become active
again because the switch remembers what VLAN each port belongs to. In other
words, if the VLAN exists, the ports become active. If the VLAN does not exist,
the ports become inactive. Use caution when deleting VLANs because it could
be catastrophic to accidentally eliminate a VLAN that still has active users on it.
Removing a VLAN from a Cisco IOS command-based switch interface is just
like removing a command from a router. In a previous example, we created VLAN
2 on FastEthernet 0/3 by using the command
Switch(config-if)#switchport access vlan 2. To remove this VLAN from the
interface, simply use the "no" form of the command, as shown in Figure [2].

3.3.4 Configure the VMPS server

Task                                                          Command
Step 1  Configure the IP address of the TFTP server on which  set vmps tftpserver ip_addr [filename]
        the ASCII text VMPS database configuration file
        resides.
Step 2  Enable VMPS.                                          set vmps state enable
Step 3  Verify the VMPS configuration.                        show vmps

Console> (enable) set vmps state enable


Vlan Membership Policy Server enable is in progress.
Console> (enable)

Figure 1 Configure the VMPS Server

To disable VMPS, perform this task in privileged mode:
Task                                      Command
Step 1  Disable VMPS.                     set vmps state disable
Step 2  Verify that VMPS is disabled.     show vmps

Console> (enable) set vmps state disable


All the VMPS configuration information will be lost and
the resources released on disable.
Do you want to continue (y/n[n]): y
Vlan Membership Policy Server disabled.
Console> (enable)

Figure 2 Disable VMPS

When VMPS is enabled, it downloads the VMPS database from the TFTP
server and begins accepting VMPS requests.
The configuration of VMPS is basically a two-step process. To configure VMPS
on a set command-based switch, follow the steps in Figure [1].
Disabling VMPS is an equally simple process. To disable VMPS on a set
command-based switch, simply issue the command set vmps state
disable, as shown in Figure [2].

3.3.5 Configure a VMPS client

Task                                                         Command
Step 1  Specify the IP address of the VMPS server            set vmps server ip_addr [primary]
        (the switch with VMPS enabled).
Step 2  Verify the VMPS server specification.                show vmps server
Step 3  Configure the VLAN membership assignment to a port.  set port membership mod_num/port_num {dynamic | static}
Step 4  Verify the dynamic port assignments.                 show port [mod_num[/port_num]]

Console> (enable) show vmps server
VMPS domain server    VMPS Status
---------------------------------------
192.0.0.6
192.0.0.1             primary
192.0.0.9

Console> (enable) set port membership 3/1-3 dynamic


Ports 3/1-3 vlan assignment set to dynamic.
Spantree port fast start option enabled for ports 3/1-3.

Figure 1 Configuring Dynamic Ports on a VMPS Client

Console> show port
Port  Name  Status   Vlan   Level   Duplex  Speed  Type
1/1         connect  dyn-3  normal  full    100    100 BASE-TX
1/2         connect  trunk  normal  half    100    100 BASE-TX
2/1         connect  trunk  normal  full    155    OC3 MMF ATM
3/1         connect  dyn-5  normal  half    10     10 BASE-T
3/2         connect  dyn-5  normal  half    10     10 BASE-T
3/3         connect  dyn-5  normal  half    10     10 BASE-T
Console> (enable)

Figure 2 Verifying VMPS Configuration

Task                                                     Command
Step 1  Enter global configuration mode.                 configure terminal
Step 2  Enter the IP address of the switch acting as     vmps server ipaddress primary
        the primary VMPS server.
Step 3  Enter the IP address for the switch acting as    vmps server ipaddress
        a secondary VMPS server.
Step 4  Return to privileged EXEC mode.                  end
Step 5  Verify the VMPS server entry.                    show vmps

Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vmps server 172.20.128.179 primary
Switch(config)# vmps server 172.20.128.178
Switch(config)# end

Figure 3 Configuring a Software-Based Switch as a VMPS Client

Switch#show vmps
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 60 min
Server Retry Count: 3
VMPS domain server: 172.20.128.179 (primary, current)
                    172.20.128.178

Reconfirmation status
---------------------
VMPS Action:        No Dynamic Port
Figure 4 Verifying Configuration on a Software-Based Switch

To configure dynamic ports on VMPS client set command-based switches,
perform the tasks listed in Figure [1] while in privileged mode on the switch. The
example shows how to specify the VMPS server, verify the VMPS server
specification, and assign dynamic ports. To verify the VMPS configuration,
issue the command show port, as shown in Figure [2]. It is important to note
that the show port command displays dyn- under the Vlan column of the
display when a dynamic port has not yet been assigned a VLAN.
To configure a Cisco IOS Software-based switch as a client, it is simply a matter
of entering the IP address of the switch or the other device acting as the VMPS.
An example of this is shown in Figure [3]. To verify the VMPS configuration,
issue the command show vmps, as shown in Figure [4].

3.3.6 Access links and trunk links

Figure 1 Access Links and Trunk Links

An access link is a link on the switch that is a member of only one VLAN. This
VLAN is referred to as the native VLAN of the port. Any device that is attached
to the port is completely unaware that a VLAN exists. The device simply
assumes that it is part of a network or subnet based on the Layer 3 information
that is configured on the device. In order to ensure that it does not have to
understand that a VLAN exists, the switch is responsible for removing any
VLAN information from the frame before it is sent to the end device. Because
only one VLAN is configured on the port, other VLANs cannot communicate
with the device unless the information is routed by a Layer 3 device.
A trunk link differs from an access link in that it is capable of supporting
multiple VLANs. Trunk links are typically used to connect switches to other
switches or routers. Switches support trunk links on both Fast Ethernet and
Gigabit Ethernet ports.

The switch has two methods of identifying the VLAN that a frame belongs to
when the switch receives the frame on a trunk link. The identification techniques
currently used are the Cisco proprietary ISL standard and the IEEE 802.1Q
standard.
It is important to understand that a trunk link does not belong to a specific
VLAN. The responsibility of a trunk link is to act as a conduit for VLANs
between switches and routers. The trunk link can be configured to transport all
VLANs or to transport a limited number of VLANs.
A trunk link may, however, have a native VLAN. The native VLAN of the trunk
is the VLAN that the trunk uses if the trunk link fails for any reason.
In the Figure, Port A and Port B have been defined as access links on the same
VLAN. By definition, they can belong to only VLAN 200 and cannot receive
frames with a VLAN identifier. As Switch Y receives traffic from Port A
destined for Port B, Switch Y will not add an ISL encapsulation to the frame.
Port C is also an access link. Port C has been defined as a member of VLAN
200. If Port A sends a frame destined for Port C, the switch does the following:
1. Switch Y receives the frame and identifies it as traffic destined for
VLAN 200 by the VLAN and port number association.
2. Switch Y encapsulates the frame with an ISL header identifying VLAN
200 and sends the frame through the intermediate switch on a trunk link.
3. This process is repeated for every switch that the frame must transit as it
moves to its final destination of Port C.
4. Switch Z receives the frame, removes the ISL header, and forwards the
frame to Port C.

3.4 VLAN Identification

3.4.1 VLAN frame identification

Figure 1 Frame Tagging and Encapsulation Methods

VLAN identification logically identifies which packets belong to which VLAN
group. Multiple trunking methodologies exist, as follows:
• IEEE 802.1Q - This protocol is an IEEE standard method for identifying
VLANs by inserting a VLAN identifier into the frame header. This
process is referred to as frame tagging.
• ISL - This protocol is a Cisco proprietary encapsulation protocol for
interconnecting multiple switches; it is supported in switches as well as
routers.
• 802.10 - This standard is a Cisco proprietary method of transporting
VLAN information inside the standard 802.10 frame (FDDI). The
VLAN information is written to the security association identifier
(SAID) portion of the 802.10 frame. This method is typically used to
transport VLANs across FDDI backbones.
• LAN Emulation (LANE) - LANE is an ATM Forum standard that can be
used for transporting VLANs over Asynchronous Transfer Mode (ATM)
networks.

3.4.2 ISL

Figure 1 ISL Frame Format

Figure 2 ISL Frame Format

Field       Description

DA          A 40-bit multicast address with a value of 0x01-00-0C-00-00 that indicates
            to the receiving Catalyst that the frame is an ISL encapsulated frame.
Type        A 4-bit value indicating the source frame type. Values include 0 0 0 0
            (Ethernet), 0 0 0 1 (Token Ring), 0 0 1 0 (FDDI), and 0 0 1 1 (ATM).
User        A 4-bit value usually set to zero, but can be used for special situations
            when transporting Token Ring.
SA          The 802.3 MAC address of the transmitting Catalyst. This is a 48-bit value.
Length      The LEN field is a 16-bit value indicating the length of the user data and
            ISL header, but excludes the DA, Type, User, SA, Length, and ISL CRC
            bytes.
SNAP        A three-byte field with a fixed value of 0xAA-AA-03.
HSA         This three-byte value duplicates the high order bytes of the ISL SA field.
VLAN        A 15-bit value to reflect the numerical value of the source VLAN that the
            user frame belongs to. Note that only 10 bits are used.
BPDU        A single-bit value that, when set to 1, indicates that the receiving Catalyst
            should immediately examine the frame at an end station because the data
            contains either a Spanning Tree, ISL, VTP, or CDP message.
Index       The value indicates what port the frame exited from the source Catalyst.
Reserved    Token Ring and FDDI frames have special values that need to be
            transported over the ISL link. These values, such as AC and FC, are
            carried in this field. The value of this field is zero for Ethernet frames.
User Frame  The original user data frame is inserted here, including the frame's FCS.
CRC         ISL calculates a 32-bit CRC for the header and user frame. This double-
            checks the integrity of the message as it crosses an ISL trunk. It does
            not replace the User Frame CRC.

Figure 3 ISL Encapsulation Description

ISL is a vendor-specific, Cisco proprietary protocol used to interconnect multiple
switches and maintain VLAN information as traffic travels between switches on
trunk links.
With ISL, an Ethernet frame is encapsulated with a header that transports VLAN
IDs between switches and routers. ISL does add overhead to the packet as a 26-
byte header containing a 10-bit VLAN ID. In addition, a 4-byte cyclic
redundancy check (CRC) is appended to the end of each frame. This CRC is in
addition to any frame checking that the Ethernet frame requires.
A VLAN ID is added only if the frame is forwarded out a port configured as a
trunk link. If the frame is to be forwarded out a port configured as an access link,
the ISL encapsulation is removed. Figure [1] illustrates the ISL frame format.
Figure [2] lists the sizes of the various ISL fields and Figure [3] describes the ISL
fields contained within the frame.

3.4.3 IEEE 802.1Q

Figure 1 Frame identification with 802.1Q

The official name for the IEEE 802.1Q protocol is the Standard for Virtual
Bridged Local-Area Networks, and relates to the ability to carry the traffic of
more than one subnet down a single cable. The IEEE 802.1Q committee defined
this method of multiplexing VLANs in an effort to provide multivendor VLAN
support.
Both ISL and IEEE 802.1Q tagging are explicit tagging, meaning that the frame
is tagged with VLAN information explicitly. However, while ISL uses an
external tagging process that does not modify the existing Ethernet frame, IEEE
802.1Q uses an internal tagging process that does modify the Ethernet frame.
This internal tagging process is what allows IEEE 802.1Q tagging to work on
both access and trunk links, because the frame appears to be a standard Ethernet
frame.
The IEEE 802.1Q frame-tagging scheme also has significantly less overhead
than the ISL tagging method. As opposed to the 30 bytes added by ISL, 802.1Q
inserts only an additional 4 bytes into the Ethernet frame, as shown in the Figure.
• The IEEE 802.1Q header contains the following:
  o A 4-byte tag header containing a tag protocol identifier (TPID) and tag
    control information (TCI) with the following elements:
    - A 2-byte TPID with a fixed value of 0x8100. This value indicates
      that the frame carries the 802.1Q/802.1p tag information.
    - A TCI containing the following elements:
      - Three-bit user priority
      - One-bit canonical format indicator (CFI)
      - Twelve-bit VLAN identifier (VID) - Uniquely identifies the VLAN
        to which the frame belongs

Note: The CFI is used in Ethernet frames to indicate the presence of a
Routing Information Field (RIF) - the RIF is used in Token Ring networks
to indicate the route the frame is to take through the network (source-route
bridging).
The 802.1Q standard can create an interesting scenario on the network.
Recalling that the maximum size for an Ethernet frame as specified by IEEE
802.3 is 1518 bytes, this means that if a maximum-sized Ethernet frame gets
tagged, the frame size will be 1522 bytes, a number that violates the IEEE 802.3
standard. To resolve this issue, the 802.3 committee created a subgroup called
802.3ac to extend the maximum Ethernet size to 1522 bytes. If using network
devices that do not support a larger frame size, they will process the frame
successfully but may report these anomalies as "baby giant."
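The two tagging schemes in 3.4.2 and 3.4.3 are easiest to compare by actually building the frames. The following added example (written for this section; it is not code from the Cisco material) constructs an untagged Ethernet frame, inserts and parses the 4-byte 802.1Q tag after the source MAC (internal tagging), wraps the same frame in the 26-byte ISL header plus 4-byte ISL CRC using the field layout from the ISL table (external encapsulation), and checks the 1518 to 1522 byte "baby giant" case. The MAC addresses and payloads are constructed; the one assumption beyond the text is that the ISL CRC is computed with the same CRC-32 polynomial as the Ethernet FCS and appended little-endian, which is what zlib.crc32 gives.

```python
"""Tag/untag frames with IEEE 802.1Q and ISL following the field layouts above.
Added example for this section, not code from the course material."""
import struct
import zlib

TPID_8021Q = 0x8100                       # fixed TPID value from the 802.1Q list above
ISL_DA = bytes.fromhex("01000c0000")      # 40-bit ISL multicast DA from the ISL table
ISL_SNAP = bytes.fromhex("aaaa03")        # fixed SNAP value from the ISL table
MAX_8023_FRAME = 1518                     # IEEE 802.3 maximum, FCS included
TAG_8021Q_LEN = 4
ISL_OVERHEAD = 26 + 4                     # 26-byte header + 4-byte ISL CRC


def ethernet_frame(dst, src, ethertype, payload):
    """Build an untagged Ethernet II frame (constructed input; no FCS appended)."""
    return dst + src + struct.pack("!H", ethertype) + payload


# ---- IEEE 802.1Q: internal tagging, 4 bytes inserted after the source MAC ----
def tag_8021q(frame, vid, priority=0, cfi=0):
    if not 0 <= vid <= 4095:
        raise ValueError("VID is a 12-bit field")
    tci = ((priority & 0x7) << 13) | ((cfi & 0x1) << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_8021q(frame):
    """Return (priority, cfi, vid, untagged_frame), or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF, frame[:12] + frame[16:]


# ---- ISL: external encapsulation, header + CRC wrapped around the whole frame ----
def encapsulate_isl(frame, vid, switch_sa, frame_type=0, user=0, bpdu=0, index=0):
    if not 0 <= vid <= 1023:
        raise ValueError("only 10 bits of the 15-bit VLAN field are used")
    # LEN counts everything after the LEN field up to (not including) the ISL CRC.
    tail = (ISL_SNAP + switch_sa[:3]                          # SNAP + HSA (high-order SA bytes)
            + struct.pack("!H", (vid << 1) | (bpdu & 1))      # 15-bit VLAN + 1-bit BPDU
            + struct.pack("!H", index)                        # Index: source port
            + b"\x00\x00"                                     # Reserved: zero for Ethernet
            + frame)                                          # User Frame
    header = (ISL_DA + bytes([((frame_type & 0xF) << 4) | (user & 0xF)])
              + switch_sa + struct.pack("!H", len(tail)))
    body = header + tail
    # Assumption: ISL CRC = Ethernet-style CRC-32 over header + user frame, little-endian.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_isl(frame):
    """Validate an ISL frame and return (vid, bpdu, inner_frame); raise on corruption."""
    if frame[:5] != ISL_DA:
        raise ValueError("not an ISL frame")
    body, crc = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("ISL CRC mismatch")
    if struct.unpack("!H", body[12:14])[0] != len(body) - 14:
        raise ValueError("ISL LEN field disagrees with frame size")
    vlan_bpdu = struct.unpack("!H", body[20:22])[0]
    return vlan_bpdu >> 1, vlan_bpdu & 1, body[26:]


def isl_is_valid(frame):
    try:
        parse_isl(frame)
        return True
    except ValueError:
        return False


def is_baby_giant(frame_len):
    """A tagged frame that exceeds the 1518-byte 802.3 limit but fits 802.3ac's 1522."""
    return MAX_8023_FRAME < frame_len <= MAX_8023_FRAME + TAG_8021Q_LEN


if __name__ == "__main__":
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    f = ethernet_frame(dst, src, 0x0800, b"\x00" * 46)
    print("802.1Q adds", len(tag_8021q(f, 200)) - len(f), "bytes;",
          "ISL adds", len(encapsulate_isl(f, 200, src)) - len(f), "bytes")
```

Two things the byte layout makes visible that the prose only states: the 802.1Q tag sits inside the frame, so the untagged frame is recovered exactly by cutting out bytes 12 to 15, whereas ISL leaves the original frame (FCS included) untouched inside the 30 bytes of wrapping; and because the inner FCS is preserved, a single corrupted byte on an ISL trunk is caught by the outer CRC before the inner frame is ever handed to an access port.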

3.4.4 LANE

Figure 1 LANE

LANE (LAN Emulation) is a standard defined by the ATM Forum that gives
two stations attached via ATM the same capabilities they normally have with
legacy LANs, such as Ethernet and Token Ring. As the name suggests, the
function of the LANE protocol is to emulate a LAN on top of an ATM network.
Specifically, the LANE protocol defines mechanisms for emulating either an
IEEE 802.3 Ethernet or an 802.5 Token Ring LAN.
The LANE protocol defines a service interface for higher-layer (that is, network-
layer) protocols that is identical to that of existing LANs. Data sent across the
ATM network is encapsulated in the appropriate LAN MAC format. In other
words, the LANE protocols make an ATM network look and behave like an
Ethernet or Token Ring LAN, albeit one operating much faster than actual
Ethernet or Token Ring LAN networks.
An ELAN (emulated LAN) provides Layer 2 communication between all users
on an ELAN. One or more ELANs can run on the same ATM network. However,
each ELAN is independent of the others and users on separate ELANs cannot
communicate directly. Just like a VLAN, communication between ELANs is
possible only through routers or bridges.
Because an ELAN provides Layer 2 communication, it can be equated to a
broadcast domain. VLANs can also be thought of as broadcast domains. This
makes it possible to map an ELAN to a VLAN on Layer 2 switches with
different VLAN multiplexing technologies such as ISL or 802.10. In addition, IP
subnets and Internetwork Packet Exchange (IPX) networks that are defined on
Layer 3-capable devices such as routers frequently map into broadcast domains
(barring secondary addressing). This makes it possible to assign an IP
subnetwork or an IP network to an ELAN.
It is important to note that LANE does not attempt to emulate the access method
of the specific LAN concerned (that is, carrier sense multiple access collision
detect (CSMA/CD) for Ethernet or token passing for IEEE 802.5). LANE
requires no modifications to higher-layer protocols to enable their operation over
an ATM network. Because the LANE service presents the same service interface
of existing MAC protocols to network-layer drivers (such as a network driver
interface specification (NDIS) or Open Data-Link Interface (ODI) like driver
interface), no changes are required for these drivers.

3.4.5 IEEE 802.10 Protocol

The IEEE 802.10 protocol provides connectivity between VLANs. Originally
developed to address the growing need for security within shared LAN/MAN
environments, it incorporates authentication and encryption techniques to ensure
data confidentiality and integrity throughout the network.
Additionally, by functioning at Layer 2, it is well suited to high-throughput, low-
latency switching environments. IEEE 802.10 protocol can run over any LAN or
HDLC serial interface.
VLAN Routing implementation treats the ISL and 802.10 protocols as
encapsulation types. On a physical router interface that receives and transmits
VLAN packets, an arbitrary subinterface can be selected and mapped to the
particular VLAN "color" embedded within the VLAN header. This mapping
allows selective control over how LAN traffic is routed or switched outside of
its own VLAN domain. In the VLAN routing paradigm, a switched VLAN
corresponds to a single routed subnet, and the network address is assigned to the
subinterface.
To route a received VLAN packet, the Cisco IOS software VLAN switching code
first extracts the VLAN ID from the packet header (this is a 10-bit field in the
case of ISL and a 4-byte entity known as the security association identifier in the
case of IEEE 802.10), then demultiplexes the VLAN ID value into a subinterface
of the receiving port. If the VLAN color does not resolve to a subinterface, the
Cisco IOS software can transparently bridge the foreign packet natively (without
modifying the VLAN header) on the condition that the Cisco IOS software is
configured to bridge on the subinterface itself. For VLAN packets that bear an
ID corresponding to a configured subinterface, received packets are then
classified by protocol type before running the appropriate protocol-specific fast
switching engine. If the subinterface is assigned to a bridge group, then
nonrouted packets are de-encapsulated before they are bridged. This is termed
"fallback bridging" and is most appropriate for nonroutable traffic types.

3.5 Trunking

3.5.1 Trunking overview

Figure 1 Trunking

In basic terminology, a trunk is a point-to-point link that supports several
VLANs. The purpose of a trunk is to save ports when creating a link between
two devices implementing VLANs, typically two switches. In the top figure, we
can see two VLANs that we want available on two switches, Sa and Sb. The first
easy method of implementation is to create two physical links between the
devices, each one carrying the traffic for a separate VLAN.
Of course, this first solution does not scale very well. If we wanted to add a third
VLAN, we would need to sacrifice two additional ports. This design is also
inefficient in terms of load sharing; the traffic on some VLANs may not justify a
dedicated link. A trunk will bundle virtual links over one physical link, as shown
in the bottom figure.
Here, the unique physical link between the two switches is able to carry traffic
for any VLAN. In order to achieve this, each frame sent on the link is tagged by
Sa so that Sb knows which VLAN it belongs to. Different tagging schemes exist.
The most common for Ethernet segments follow:
• ISL (this is the original Cisco proprietary InterSwitch Link protocol)
• 802.1Q (the IEEE standard we focus on in this section)

3.5.2 Configuring a VLAN trunk

Switch(config-if)#switchport mode trunk


Switch(config-if)#switchport trunk ?
allowed Set allowed VLAN characteristics when interface is in
trunking mode
encapsulation Set trunking encapsulation when interface is in
trunking mode
native Set trunking native characteristics when interface is
in trunking mode
pruning Set pruning VLAN characteristics when interface is in
trunking mode

Switch(config-if)#switchport trunk encapsulation ?


dot1q Interface uses only 801.1q trunking encapsulation when trunking
isl Interface uses only ISL trunking encapsulation when trunking

Switch(config-if)#switchport trunk encapsulation isl


Switch(config-if)#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) show port capabilities 2/1


Model WS-X4232-GB-RJ
Port 2/1
Type No GBIC
Speed 1000
Duplex full
Trunk encap type 802.1Q
Trunk mode on,off,desirable,auto,nonegotiate
Channel 2/1-2
Flow control receive-(off,on,desired),send-(off,on,desired)
Security yes
Membership static,dynamic
Fast start yes
QOS scheduling rx-(none),tx-(2q1t)
CoS rewrite no
ToS rewrite no
Rewrite no
UDLD yes
SPAN source,destination
--------------------------------------------------------------
Console> (enable) set trunk 2/1 on dot1q
Port(s) 2/1 trunk mode set to on.
Port(s) 2/1 trunk type set to dot1q.
Console> (enable)

Figure 2 Set Command-Based Switch

To create or configure a VLAN trunk on a Cisco IOS command-based switch,
configure the port first as a trunk and then specify the trunk encapsulation. To do
this, issue the commands:
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation ?
dot1q Interface uses only 802.1q trunking encapsulation when trunking
isl Interface uses only ISL trunking encapsulation when trunking
These commands are shown in Figure [1].
Before attempting to configure a VLAN trunk on a port, it is wise to determine
what encapsulation the port can support. This can be done using the show
port capabilities command on a set command-based switch, as shown in
Figure [2]. In this example, you can see that Port 2/1 will support only the IEEE
802.1Q encapsulation.
To create or configure a VLAN trunk on a set command-based switch, enter the
set trunk command to configure the port on each end of the link as a trunk
port and to specify the VLANs that will be transported on this trunk link. Also,
use the set trunk command to change the mode of a trunk.
Switch> (enable) set trunk mod_num/port_num [on | off | desirable | auto | nonegotiate]
vlan_range [isl | dot1q | dot10 | lane | negotiate]
Fast Ethernet and Gigabit Ethernet trunking modes are as follows:
• On - This mode puts the port into permanent trunking. The port becomes a
trunk port even if the neighboring port does not agree to the change. The on
state does not allow for the negotiation of an encapsulation type. Therefore,
the encapsulation must be specified in the configuration.
• Off - This mode puts the port into permanent nontrunking mode and
negotiates to convert the link into a nontrunk link. The port becomes a
nontrunk port even if the neighboring port does not agree to the change.
• Desirable - This mode makes the port actively attempt to convert the link to
a trunk link. The port becomes a trunk port if the neighboring port is set to
on, desirable, or auto mode.
• Auto - This mode makes the port willing to convert the link to a trunk link.
The port becomes a trunk port if the neighboring port is set to on or desirable
mode. This is the default mode for Fast and Gigabit Ethernet ports. Notice
that if the default setting is left on both sides of the trunk link, it will never
become a trunk; neither side will be the first to ask to convert to a trunk.
• Nonegotiate - This mode puts the port into permanent trunking mode but
prevents the port from generating Dynamic Trunking Protocol (DTP) frames.
The neighboring port must be manually configured as a trunk port to establish
a trunk link.
The example in Figure [2] configures Port 2/1 as a permanent trunk using the
IEEE 802.1Q encapsulation.
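The five trunking modes above are a small rule table, and the most common surprise (two ports left at the default auto mode never form a trunk) is easy to catch before the change window if the rules are written down as code. The following is an added example for this section, not code from the Cisco material: it models, per port, whether the port ends up trunking given its own mode and the neighbor's mode exactly as the bullets describe, classifies the link as trunk, access, or mismatched, and audits a constructed list of links against the state each one was meant to have. Link names and the audit format are the example's own.

```python
"""Model the Fast/Gigabit Ethernet trunking modes described above.
Added example for this section, not code from the course material."""

MODES = {"on", "off", "desirable", "auto", "nonegotiate"}


def port_trunks(mode, neighbor):
    """Does the local port end up trunking, given its mode and the neighbor's mode?"""
    if mode not in MODES or neighbor not in MODES:
        raise ValueError(f"unknown trunk mode: {mode!r} / {neighbor!r}")
    if mode in ("on", "nonegotiate"):
        return True                     # permanent trunking, regardless of the neighbor
    if mode == "off":
        return False                    # permanent nontrunking, regardless of the neighbor
    if mode == "desirable":
        # Actively asks; trunks if the neighbor is on, desirable, or auto.
        return neighbor in ("on", "desirable", "auto")
    # auto: willing but never asks; trunks only if the neighbor asks (on or desirable).
    # auto + auto therefore never becomes a trunk.
    return neighbor in ("on", "desirable")


def link_state(mode_a, mode_b):
    """'trunk' if both ends trunk, 'access' if neither does, 'mismatch' if only one does."""
    a, b = port_trunks(mode_a, mode_b), port_trunks(mode_b, mode_a)
    if a and b:
        return "trunk"
    if not a and not b:
        return "access"
    return "mismatch"


def audit_links(links):
    """links: iterable of (name, mode_a, mode_b, intended_state).
    Returns [(name, actual_state)] for every link that will not come up as intended."""
    findings = []
    for name, mode_a, mode_b, intended in links:
        actual = link_state(mode_a, mode_b)
        if actual != intended:
            findings.append((name, actual))
    return findings


if __name__ == "__main__":
    # Constructed inventory: two switch uplinks left at defaults, one hard-coded pair.
    inventory = [
        ("uplink-1", "auto", "auto", "trunk"),
        ("uplink-2", "on", "off", "trunk"),
        ("uplink-3", "desirable", "auto", "trunk"),
        ("server-1", "off", "auto", "access"),
    ]
    for name, state in audit_links(inventory):
        print(f"{name}: configured modes give '{state}', not the intended state")
```

The "mismatch" result is the one to look for in an audit: one side (on or nonegotiate) is forwarding tagged frames while the other treats the link as an access port, which is the condition the nonegotiate bullet warns about when the neighbor has not been configured by hand.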

3.5.3 Removing VLANs from a trunk

Figure 1 Cisco IOS Software-Based Switch

Figure 2 Set Based Switch

Figure 3 Set Based Switch

By default, all VLANs are transported across a trunk link when the set
trunk command is issued. However, there are instances where the trunk link
should not carry all VLANs:
• Broadcast suppression - All broadcasts are sent to every port in a VLAN.
A trunk link acts as a member port of the VLAN and, therefore, must
pass all the broadcasts. Bandwidth and processing time are wasted if
there is no port at the other end of the trunk link that is a member of that
VLAN.
• Topology change - Changes that occur in the topology must also be
propagated across the trunk link. If the VLAN is not used on the other
end of the trunk link, there is no need for the overhead of a topology
change.
By default, a Cisco IOS command-based switch trunk port sends to and receives
traffic from all VLANs in the VLAN database. All VLANs, 1 to 1005, are
allowed on each trunk. However, VLANs can be removed from the allowed list,
preventing traffic from those VLANs from passing over the trunk. To restrict the
traffic a trunk carries, use the remove vlan-list parameter to remove
specific VLANs from the allowed list:
Switch(config-if)#switchport trunk allowed vlan remove vlan-list
The example in Figure [1] shows first how to remove VLAN 3 from a trunk and
then how to remove VLANs 6-10 from the trunk. This is verified by using the
show running-config command.
In order to remove a VLAN from a trunk link on a set command-based switch,
use the following command:
Switch> (enable) clear trunk mod_num/port_num vlan_range
The example in Figure [2] shows how to remove VLANs 6-10 from the set
command-based switch.

Verify that trunking has been configured and verify the settings by using the
show trunk [mod_num/port_num] command from privileged mode on
the switch, as shown in Figure [3].
The example in Figure [3] shows how to verify the trunk configuration on a set
command-based switch. Remember that when a trunk is configured, VLANs 1
to 1000 are automatically transported, even if a VLAN range is specified. Use
the clear trunk command in order to remove the VLANs from the link.
To remove a large number of VLANs from a trunk link, it is probably easier to
clear all VLANs from the trunk link before specifying the VLANs that are
supposed to be on the link.
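Because a new trunk starts with every VLAN allowed, the state of the allowed list after a sequence of remove and clear commands is what determines which broadcast domains actually cross the link. The following added example (written for this section, not code from the Cisco material) keeps that list for one trunk: it expands the vlan-list / vlan_range syntax used by the commands above ("3", "6-10", "2,4-6"), applies the default of VLANs 1 to 1005, removes ranges as switchport trunk allowed vlan remove and clear trunk do, and supports the clear-everything-then-add-back workflow the last paragraph recommends. The add() method is the example's own counterpart to remove(), modelled on the set trunk vlan_range argument described above.

```python
"""Track the allowed-VLAN list of one trunk link as the commands above change it.
Added example for this section, not code from the course material."""

DEFAULT_ALLOWED = range(1, 1006)      # VLANs 1 to 1005 are allowed by default (text above)
MAX_VLAN_ID = 4094                    # highest assignable 802.1Q VID


def parse_vlan_list(spec):
    """Expand a vlan-list such as '3', '6-10' or '2,4-6,9' into a set of VLAN IDs.
    Spaces are rejected implicitly: the switch treats them as a new argument."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if lo > hi or lo < 1 or hi > MAX_VLAN_ID:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


class TrunkAllowedList:
    def __init__(self):
        self.allowed = set(DEFAULT_ALLOWED)       # fresh trunk: everything allowed

    def remove(self, spec):
        """switchport trunk allowed vlan remove <vlan-list>  /  clear trunk <port> <vlan_range>"""
        self.allowed -= parse_vlan_list(spec)
        return self

    def clear(self):
        """Remove every VLAN; used before listing only the VLANs that belong on the link."""
        self.allowed.clear()
        return self

    def add(self, spec):
        """Add VLANs back (example's counterpart to remove; compare set trunk <port> <vlan_range>)."""
        self.allowed |= parse_vlan_list(spec)
        return self

    def carries(self, vid):
        return vid in self.allowed

    def summary(self):
        """Compress the allowed set back into the 'a-b,c' form the switch prints."""
        ids = sorted(self.allowed)
        runs, start = [], None
        for i, vid in enumerate(ids):
            if start is None:
                start = vid
            if i + 1 == len(ids) or ids[i + 1] != vid + 1:
                runs.append(f"{start}-{vid}" if start != vid else str(vid))
                start = None
        return ",".join(runs)


if __name__ == "__main__":
    # The Figure [1] sequence: remove VLAN 3, then VLANs 6-10.
    trunk = TrunkAllowedList().remove("3").remove("6-10")
    print("allowed after removals:", trunk.summary())
    # The clear-then-add workflow for a trunk that should carry three VLANs only.
    print("restricted trunk:", TrunkAllowedList().clear().add("10,20,30").summary())
```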

3.6 VLAN Trunking Protocol (VTP)

3.6.1 VTP Benefits

Figure 1 VTP Benefits

The role of the VLAN Trunking Protocol (VTP) is to maintain VLAN
configuration consistency across the entire network. VTP is a messaging
protocol that uses Layer 2 trunk frames to manage the addition, deletion, and
renaming of VLANs on a network-wide basis. Further, VTP allows centralized
changes that are communicated to all other switches in the network.
VTP minimizes the possible configuration inconsistencies that arise when
changes are made. These inconsistencies can result in security violations because
VLANs crossconnect when duplicate names are used; they also could become
internally disconnected when they are mapped from one LAN type to another
(for example, Ethernet to ATM or FDDI).
VTP provides the following benefits:
• VLAN configuration consistency across the network
• Mapping scheme that allows a VLAN to be trunked over mixed media;
example: mapping Ethernet VLANs to a high-speed backbone VLAN
such as ATM LANE or FDDI
• Accurate tracking and monitoring of VLANs
• Dynamic reporting of added VLANs across the network
• Plug-and-play configuration when adding new VLANs
Before creating VLANs on the switch, first set up a VTP management domain,
within which the current VLANs on the network can be verified. All switches in
the same management domain share their VLAN information with each other,
and a switch can participate in only one VTP management domain. Switches in
different domains do not share VTP information.
Using VTP, each Catalyst Family Switch advertises the following on its trunk
ports:

• Management domain
• Configuration revision number
• Known VLANs and their specific parameters

3.6.2 VTP operation

Figure 1 VTP Operation

[Figure 1 (topology diagram): VTP domain ce_domain containing switches C5000-1
through C5000-6. C5000-3 advertises CONFIG-REV# N+1 with the VLAN database
1 default, 2 first-vtp-vlan, 1002 fddi-default, 1003 token-ring-default,
1004 fddinet-default, 1005 trnet-default; the N+1 revision propagates over the
trunk ports (4/1, 4/2, 3/1, 3/2, 1/1, 2/2, 5/1, 1/2, 2/1) to the other switches.]

The configuration revision number is incremented every time a VLAN is
added, deleted, or modified. If a switch sees an advertisement with a
configuration revision number that is higher than the one it has stored, it
overwrites its own VTP database with the advertised database. Because this is
an overwrite and not a merge, any VLAN that does not exist in the new database
is deleted from the switch. In addition, VTP maintains its own NVRAM. A clear
config all command clears the configuration NVRAM, but does not clear the
VTP NVRAM. This means that clearing the configuration does not clear the
configuration revision number. On a set command-based switch, the way to
reset the configuration revision number is to power off the switch; this sets
the configuration revision number back to 0.
Figure 2 VTP Operation

A VTP domain is made up of one or more interconnected devices that share the
same VTP domain name. A switch can be configured to be in one VTP domain
only. Global VLAN information is propagated across the network by way of
connected switch trunk ports.

When transmitting VTP messages to other switches in the network, the VTP
message is encapsulated in a trunking protocol frame such as ISL or IEEE
802.1Q. Figure [1] shows the generic encapsulation for VTP within an ISL
frame. The VTP header varies, depending upon the type of VTP message, but
generally, four items are found in all VTP messages:
• VTP protocol version - Either Version 1 or 2
• VTP message type - Indicates one of four types
• Management domain name length - Indicates size of the name that
follows
• Management domain name - The name configured for the management
domain
It is important to note that switches can be configured not to accept VTP
information. These switches will forward VTP information on trunk ports in
order to ensure that other switches receive the update, but the switches will not
modify their database, nor will the switches send out an update indicating a
change in VLAN status. This is referred to as transparent mode.
By default, management domains are set to nonsecure mode, meaning that the
switches interact without using a password. Adding a password automatically
sets the management domain to secure mode. The password itself is never
carried in an advertisement; it is folded into the MD5 digest that each
summary advertisement carries, so updates from a switch with a different
password (or no password) fail the digest check and are ignored. The same
password must be configured on every switch in the management domain to use
secure mode.
Detecting the addition of VLANs within the advertisements serves as a
notification to the switches (servers and clients) that they should be prepared to
receive traffic on their trunk ports with the newly defined VLAN IDs, emulated
LAN names, or 802.10 security association identifiers (SAIDs).
In Figure [2], C5000-3 transmits a VTP database entry with additions or
deletions to C5000-1 and C5000-2. The configuration database carries revision
number N+1. A higher configuration revision number indicates that the VLAN
information being sent is more current than the stored copy. Any time a switch
receives an update that has a higher configuration revision number, the switch
overwrites the stored information with the information in the VTP update.

3.6.3 VTP modes

Figure 1 VTP Mode Comparisons

Switches can operate in any one of the following three VTP modes:
• Server - When the switch is configured for server mode, VLANs can
be created, modified, and deleted , and other configuration parameters
(such as VTP version and VTP pruning) for the entire VTP domain can
be specified. VTP servers advertise their VLAN configuration to other
switches in the same VTP domain, and synchronize the VLAN
configuration with other switches based on advertisements received over
trunk links. This is the default mode on the switch.
• Client - VTP clients behave the same way as VTP servers. However,
VLANs cannot be created, changed, or deleted on a VTP client.
• Transparent - VTP transparent switches do not participate in VTP. A
VTP transparent switch does not advertise its VLAN configuration, and
does not synchronize its VLAN configuration based on received
advertisements. However, in VTP Version 2, transparent switches do
forward VTP advertisements that the switches receive out their trunk
ports.

3.6.4 Adding a switch to a VTP domain

Figure 1 Adding a Switch to a VTP Domain

Use caution when inserting a new switch into an existing domain. To prepare a
switch to enter an existing VTP domain, perform the following steps:
1. Issue a clear config all or erase startup-config command to
remove the existing configuration. This will not clear the VTP configuration
revision number.
2. Power cycle the switch to clear the VTP nonvolatile RAM (NVRAM). This
resets the configuration revision number to 0 and ensures that the new switch
will not propagate incorrect information across the domain. On Cisco IOS
command-based switches, changing the VTP domain name or placing the switch in
transparent mode also resets the revision number to 0.
3. Determine the VTP mode of operation for the switch and set it explicitly
when the VTP domain information is configured; confirm the result with the
show vtp status (Cisco IOS) or show vtp domain (set command-based)
command. The default for most switches is server mode. If the switch remains in
server mode, verify that the configuration revision number is 0 before
connecting it to the VTP domain: a server with a higher revision number and an
incomplete VLAN database will overwrite the VLAN database of every other switch
in the domain. Having several servers in the domain is generally recommended,
with all other switches set to client mode for purposes of controlling VTP
information.
It is also highly recommended that secure mode be used in the VTP domain.
Assigning a password to the domain accomplishes this and prevents switches that
do not know the password from affecting the VTP domain. Use the vtp
password password (Cisco IOS) or set vtp passwd passwd (set
command-based) command. The password does not protect against a switch that
knows the password and carries a higher revision number, so the revision check
in step 3 still applies.

Lab Activity

In this lab activity, the student will learn how to configure a VLAN trunk
between a Catalyst 4000 and Catalyst 2900 switch.

3.6.5 VTP advertisements

Advertisement Request (Advert-Request):
  byte:  1        2       3        4
         Version  Code    Rsvd     MgmtD Len
         Management Domain Name (zero-padded to 32 bytes)
         Start Value

Summary Advertisement (Summary-Advert):
  byte:  1        2       3          4
         Version  Code    Followers  MgmtD Len
         Management Domain Name (zero-padded to 32 bytes)
         Configuration Revision Number
         Updater Identity
         Updater Timestamp (12 bytes)
         MD5 Digest (16 bytes)

Subset Advertisement (Subset-Advert):
  byte:  1        2       3        4
         Version  Code    Seq-Num  MgmtD Len
         Management Domain Name (zero-padded to 32 bytes)
         Configuration Revision Number
         VLAN-info field 1
         ...
         VLAN-info field N

Switches only listen to advertisements that are coming from the same domain.
Transparent switches do not listen to VTP advertisements, nor do they send out
advertisements containing their information. They will propagate VTP information
to ensure that other server/client switches receive the VTP advertisements.

Figure 1 Three Types of Messages

Version | Type | Number of Subset Advertisement Messages | Domain Name Length
Management Domain Name (Padded to 32 Bytes)
Configuration Revision Number
Updater Identity
Update Timestamp (12 Bytes)
MD5 Digest (16 Bytes)

Figure 2 VTP Summary Advertisement Format

Version | Code | Seq-Number | Domain Name Length
Management Domain Name (Zero Padded to 32 Bytes)
Configuration Revision Number
VLAN-info Field 1
...
VLAN-info Field N

The VLAN-info field contains information for each VLAN and is formatted as
follows:
Info Length | Status | VLAN-Type | VLAN-name Len
ISL VLAN-id | MTU Size
802.10 Index
VLAN-name (padded with zeros to a multiple of 4 bytes)

Figure 3 VTP Subset Advertisement Format

With VTP, each switch advertises on its trunk ports its management domain,
configuration revision number, the VLANs that it knows about, and certain
parameters for each known VLAN. These advertisement frames are sent to a
multicast address so that all neighboring devices can receive the frames;
however, the frames are not forwarded by normal bridging procedures. All
devices in the same management domain learn about any new VLANs now
configured in the transmitting device. A new VLAN must be created and
configured on one device only in the management domain. The information is
automatically learned by all the other devices in the same management domain.

Advertisements on factory-default VLANs are based on media types. User ports
should not be configured as VTP trunks.
Each advertisement starts as configuration revision number 0. When changes are
made, the configuration revision number increments (n + 1). The revision
number in the management domain continues to increment until it reaches
2,147,483,648, at which point the counter will reset back to zero.
There are two types of advertisements:
• Requests from clients that want information at bootup
• Response from servers
There are three types of messages:
• Advertisement requests - Clients request VLAN information, and the
server responds with summary and subset advertisements. Figure [1]
• Summary advertisements - By default, server and client Catalyst
switches issue summary advertisements every five minutes. They inform
neighbor switches what they believe to be the current VTP revision
number. Assuming the domain names match, the receiving server or
client compares the configuration revision number. If the revision
number in the advertisement is higher than the current revision number
in the receiving switch, the receiving switch then issues an
advertisement request for new VLAN information. Figure [2]
• Subset advertisements - These contain detailed information about
VLANs such as VTP version type, domain name and related fields, and
the configuration revision number. Creating or deleting a VLAN,
suspending or activating a VLAN, changing the name of a VLAN, and
changing the maximum transmission unit (MTU) of a VLAN can trigger
these advertisements. Figure [3]
Advertisements may contain some or all of the following information:
• Management domain name - Advertisements with a different name are
ignored.
• Configuration revision number - The higher number indicates a more
recent configuration.
• Message Digest 5 (MD5) - A 16-byte MD5 digest carried in each summary
advertisement, computed over the advertised VLAN database together with the
VTP password when one has been assigned. If the digest the receiver computes
does not match, the update is ignored.
• Updater identity - The identity (IP address) of the switch that is
sending the VTP summary advertisement.
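The overwrite rule in section 3.6.2, the mode behaviour in 3.6.3, the warning about inserting a switch in 3.6.4 and the summary advertisement layout above can be tied together in one small simulation. The Python below is an added example written for this page; it is not Cisco's code and not the switch's actual implementation. It packs and parses the 72-byte summary advertisement header exactly as the figure lays it out, then models how a switch decides whether to accept an update. The switch IP addresses, VLAN databases, domain name and password are constructed, and digest_for() is a simplified stand-in for the real VTP MD5 computation (the real digest covers the advertisement bytes and a secret derived from the password; its exact algorithm is not on this page).

```python
import hashlib
import ipaddress
import struct

# Summary advertisement layout from the figure above (72 bytes):
#   version(1) code(1) followers(1) domain-len(1) domain(32)
#   revision(4) updater-identity(4) updater-timestamp(12) md5-digest(16)
SUMMARY_ADVERT = 0x01
SUMMARY = struct.Struct("!BBBB32sII12s16s")


def digest_for(password, domain, revision, vlans):
    """Simplified stand-in for the VTP MD5 digest (assumption, not Cisco's
    algorithm): hashes the password with the domain, revision and VLAN
    database, so a wrong password or an altered database changes it."""
    h = hashlib.md5(password.encode() + domain.encode() + struct.pack("!I", revision))
    for vid, name in sorted(vlans.items()):
        h.update(f"{vid}:{name};".encode())
    return h.digest()


def encode_summary(version, domain, revision, updater, digest,
                   followers=1, timestamp=b"021018203341"):
    """Build a summary advertisement; `timestamp` is a constructed 12-byte value."""
    name = domain.encode()
    if not name or len(name) > 32:
        raise ValueError("domain name must be 1-32 bytes")
    return SUMMARY.pack(version, SUMMARY_ADVERT, followers, len(name),
                        name.ljust(32, b"\0"), revision,
                        int(ipaddress.IPv4Address(updater)),
                        timestamp.ljust(12, b"\0")[:12], digest)


def parse_summary(frame):
    """Decode the fixed header; reject anything that is not a summary advert."""
    if len(frame) < SUMMARY.size:
        raise ValueError("frame too short for a VTP summary advertisement")
    version, code, followers, name_len, name, rev, updater, ts, digest = \
        SUMMARY.unpack_from(frame)
    if code != SUMMARY_ADVERT:
        raise ValueError(f"unexpected VTP message code {code:#x}")
    if name_len > 32:
        raise ValueError("domain length field exceeds 32")
    return {"version": version, "followers": followers,
            "domain": name[:name_len].decode(), "revision": rev,
            "updater": str(ipaddress.IPv4Address(updater)),
            "timestamp": ts, "digest": digest}


class VtpSwitch:
    """Minimal model of the VTP database on one switch (constructed example)."""

    def __init__(self, ip, domain, password="", mode="client",
                 revision=0, vlans=None):
        self.ip, self.domain, self.password, self.mode = ip, domain, password, mode
        self.revision = revision
        self.vlans = dict(vlans or {1: "default"})

    def summary(self, version=2):
        digest = digest_for(self.password, self.domain, self.revision, self.vlans)
        return encode_summary(version, self.domain, self.revision, self.ip, digest)

    def receive(self, frame, subset_vlans):
        """Process a summary advert plus the VLAN list its subset adverts carry,
        applying the rules from the text in order: domain, mode, revision, digest."""
        adv = parse_summary(frame)
        if adv["domain"] != self.domain:
            return "ignored: different management domain"
        if self.mode == "transparent":
            return "forwarded on trunks, local database untouched"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher than stored copy"
        expected = digest_for(self.password, adv["domain"], adv["revision"], subset_vlans)
        if expected != adv["digest"]:
            return "ignored: MD5 digest mismatch (wrong VTP password?)"
        removed = sorted(set(self.vlans) - set(subset_vlans))   # overwrite, not merge
        self.vlans = dict(subset_vlans)
        self.revision = adv["revision"]
        return f"database overwritten at revision {self.revision}; VLANs deleted: {removed}"


if __name__ == "__main__":
    prod = {1: "default", 10: "users", 20: "servers"}
    client = VtpSwitch("10.0.0.2", "cisco", password="s3cret", revision=12, vlans=prod)
    # A lab switch with a stale but higher revision number is plugged into the domain.
    stale = VtpSwitch("10.0.0.9", "cisco", password="s3cret", mode="server",
                      revision=40, vlans={1: "default"})
    print(client.receive(stale.summary(), stale.vlans))   # VLANs 10 and 20 vanish
    # Same switch with the wrong password: the digest no longer verifies.
    stale.password, stale.revision = "guess", 41
    client2 = VtpSwitch("10.0.0.3", "cisco", password="s3cret", revision=12, vlans=prod)
    print(client2.receive(stale.summary(), stale.vlans))
```

Running the module reproduces the failure this chapter warns about: the stale switch at revision 40 is accepted by a client at revision 12 and VLANs 10 and 20 are deleted, while the same switch with a different password is ignored because its digest does not verify. The domain check comes first, as the text says, and a transparent switch forwards without comparing revisions.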

3.7 VTP Configuration

3.7.1 Basic configuration steps

Figure 1 Basic Configuration Steps

The following list outlines the basic tasks that must be considered before
configuring VTP and VLANs on the network:
1. Determine the version number of VTP that will be running in the
environment.
2. Decide if this switch is to be a member of an existing management
domain or if a new domain should be created. If a management domain
does exist, determine the name and password of the domain.
3. Choose a VTP mode for the switch.

3.7.2 Configure the VTP version

Figure 1 Configure the VTP Version

Figure 2 Configure the VTP Version

Two different versions of VTP can run in the management domain, VTP
Version 1 and VTP Version 2. The two versions are not interoperable. If one
switch in the management domain is configured for VTP Version 2, all
switches in the management domain must be configured for VTP Version 2.
VTP Version 1 is the default. It may be necessary to implement VTP Version 2
if some of the specific features that VTP Version 2 offers, that are not offered in
VTP Version 1, are needed. The most common feature that is needed is Token
Ring VLAN support.
To configure the VTP version on a Cisco IOS command-based switch, first
enter VLAN database mode. From there, set the VTP version as shown in
Figure [1]. In this example, VTP Version 2 has been configured.
Use the following command to change the VTP version number on a set
command-based switch. [2]
Switch (enable) set vtp v2 enable
VTP Version 2 supports the following features not supported in Version 1:
• Token Ring support - VTP Version 2 supports Token Ring LAN
switching and VLANs.
• Unrecognized type/length/value (TLV) support - A VTP server or client
propagates configuration changes to its other trunks, even for TLVs it is
not able to parse. The unrecognized TLV is saved in NVRAM.
• Version-dependent transparent mode - In VTP Version 1, a VTP
transparent switch inspects VTP messages for the domain name and
version, and forwards a message only if the version and domain name
match. Because only one domain is supported in the supervisor engine
software, VTP Version 2 forwards VTP messages in transparent mode
without checking the version.
• Consistency checks - In VTP Version 2, VLAN consistency checks
(such as VLAN names and values) are performed only when new
information is entered through the command-line interface (CLI) or
Simple Network Management Protocol (SNMP). Consistency checks are
not performed when new information is obtained from a VTP message,
or when information is read from NVRAM. If the digest on a received
VTP message is correct, its information is accepted without consistency
checks. A switch that is capable of running VTP Version 2 can operate
in the same domain as a switch running VTP Version 1 if VTP Version
2 remains disabled on the VTP Version 2-capable switch.
If all switches in a domain are capable of running VTP Version 2, enable VTP
Version 2 on only one switch (using the set vtp v2 enable command).
The version number is propagated to the other VTP Version 2-capable switches
in the VTP domain.

3.7.3 Configure the VTP domain

Switch(vlan)#vtp domain cisco
Changing VTP domain name from NULL to cisco

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) set vtp domain cisco
VTP domain cisco modified
Console> (enable)

Figure 2 Set-Based Switch

If the switch being installed is the first switch in the network, the management
domain will have to be created. However, if other Catalyst switches exist, the
switch will probably join an existing management domain. Verify the name of
the management domain that the switch should join. If the management domain
has been secured, it will be necessary to configure the password for the domain.
To create a management domain or to add the switch to a management domain
with a Cisco IOS command-based switch, use the following command:
Switch(vlan)#vtp domain name
An example of this is shown in Figure [1]. In this example, the domain name is
set to cisco.
To create a management domain or to add the switch to a management domain
on a set command-based switch, use the following command:
Switch (enable) set vtp domain domain_name
An example of this is shown in Figure [2]. In this example, the domain name is
set to cisco.
The domain name can be up to 32 characters, and the password must be between
8 and 64 characters long.

3.7.4 Configure VTP mode

Switch(vlan)#vtp client
Setting device to VTP CLIENT mode.
Switch(vlan)#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) set vtp mode server
VTP domain cisco modified
Console> (enable)

Figure 2 Set-Based Switch

Choose one of the three available VTP modes for this switch. Some general
guidelines for choosing the mode of the switch are as follows:
If this is the first switch in the management domain and intentions are to add
additional switches, set the mode to server. The additional switches will be able
to learn VLAN information from this switch. The management domain should
have at least one server.
If there are any other switches in the management domain, set the switch mode
to client to prevent the new switch from accidentally propagating the incorrect
information to the existing network. If the switch is supposed to become a
VTP server, change the mode of the switch to server after it has learned the
correct VLAN information from the network.
If the switch is not going to share VLAN information with any other switch on
the network, set the switch to transparent mode. Transparent mode allows
creation, deletion, and renaming of VLANs at will without the switch
propagating changes to other switches. Be aware that a transparent switch's
locally defined VLANs are not checked against the rest of the domain: if a
large number of people are configuring devices within the network, there is a
risk that the same VLAN identification ends up with two different meanings.
To set the correct mode of a Cisco IOS command-based switch, use the
following command:
Switch(vlan)#vtp client | server | transparent
An example of this is shown in Figure [1], as the switch is configured to be in
VTP client mode.
To set the correct mode of a set command-based switch, use the following
command:

Switch> (enable) set vtp mode server | client |
transparent
An example of this is shown in Figure [2], as the switch is configured to be in
VTP server mode.

3.7.5 Verify VTP configuration

Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 68
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : cisco
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x35 0x84 0x7B 0x04 0x3D 0x55 0x3B 0xDA
Configuration last modified by 0.0.0.0 at 10-5-00 20:33:41
Switch#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) show vtp domain
Domain Name   Domain Index VTP Version Local Mode Password
------------- ------------ ----------- ---------- --------
cisco         1            2           server     -

Vlan-count Max-vlan-storage Config Revision Notifications
---------- ---------------- --------------- -------------
5          1023             0               disabled

Last Updater    V2 Mode  Pruning  PruneEligible on Vlans
--------------- -------- -------- -------------------------
0.0.0.0         disabled disabled 2-1000
Console> (enable)

Figure 2 Set-Based Switch

Console> (enable) show vtp statistics
VTP statistics:
summary advts received 0
subset advts received 0
request advts received 0
summary advts transmitted 0
subset advts transmitted 0
request advts transmitted 0
No of config revision errors 0
No of config digest errors 0

Figure 3 Set-Based Switch

Figure [1] shows an example of the show vtp status command used to
verify VTP configuration settings on a Cisco IOS command-based switch.
Figure [2] is an example of the show vtp domain command used to verify
VTP configuration settings on a set command-based switch.
Figure [3] displays the results of the show vtp statistics command on a
set command-based switch. This command shows a summary of VTP
advertisement messages sent and received, as well as configuration errors
detected. Use this command to assist in troubleshooting VTP.

Interactive Lab Activity

In this activity, the student will learn how to configure a VLAN trunk link
between a Catalyst 4000 (DL1) and a Catalyst 2900 (AL1) to pass traffic for
VLANs 100 and 200.

3.8 VTP Pruning

3.8.1 Default behavior of a switch

Figure 1 Flooded Traffic with VTP Pruning Disabled

Figure 2 Flooded Traffic with VTP Pruning Enabled

The default behavior of a switch is to flood broadcast, multicast, and
unknown-destination frames out every port in the VLAN, including every trunk.
This behavior results in a large amount of unnecessary traffic crossing the
network.
VTP pruning improves network bandwidth use by reducing unnecessary flooding
of traffic, such as broadcast, multicast, unknown, and flooded unicast packets.
VTP pruning increases available bandwidth by restricting flooded traffic to those
trunk links that the traffic must use to reach the appropriate network devices.
By default, VTP pruning is disabled.
Figure [1] shows a switched network without VTP pruning enabled. Port 1 on
Switch 1 and Port 2 on Switch 4 are assigned to the green VLAN. A broadcast is
sent from the host connected to Switch 1.
Switch 1 floods the broadcast and every switch in the network receives this
broadcast, even though Switches 3, 5, and 6 have no ports in the green VLAN.
Figure [2] shows a switched network with VTP pruning enabled. The broadcast
traffic from Switch 1 is not forwarded to Switches 3, 5, and 6 because traffic for
the green VLAN has been pruned on the links indicated (Port 5 on Switch 2 and
Port 4 on Switch 4).
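The pruning decision described for Figures 1 and 2 can be demonstrated without switches. The Python below is an added example, not part of the original page or Cisco's software: it takes a loop-free trunk topology (constructed to approximate the figures, with six switches, VLAN 10 standing in for the green VLAN and VLAN 20 as a second user VLAN), computes for each trunk direction which pruning-eligible VLANs have no member ports anywhere beyond that trunk and are therefore withheld, and then traces where a flooded frame actually arrives with and without pruning. The switch numbers, link pairs and VLAN memberships are all assumptions.

```python
from collections import deque

# Constructed topology approximating Figures 1 and 2 (assumption, not page data):
# the trunks that remain after spanning tree, so any two switches have one path.
TRUNKS = {(1, 2), (2, 3), (2, 4), (4, 6), (6, 5)}
# VLANs that have access ports on each switch; 10 plays the "green" VLAN.
MEMBERS = {1: {1, 10}, 2: {1}, 3: {1, 20}, 4: {1, 10}, 5: {1, 20}, 6: {1}}
PRUNE_ELIGIBLE = range(2, 1001)   # default eligible range; VLAN 1 is never pruned


def neighbours(trunks):
    """Adjacency map built from the undirected trunk list."""
    adj = {}
    for a, b in trunks:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def far_side(adj, src, dst):
    """Switches reachable from dst without crossing the src-dst trunk."""
    seen, todo = {dst}, deque([dst])
    while todo:
        sw = todo.popleft()
        for nxt in adj[sw]:
            if sw == dst and nxt == src:      # do not cross back over the trunk
                continue
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def pruned_toward(adj, members, src, dst, eligible=PRUNE_ELIGIBLE):
    """VLANs whose flooded traffic src withholds from the trunk toward dst:
    pruning-eligible VLANs with no access ports anywhere beyond that trunk."""
    needed = set().union(*(members.get(sw, set()) for sw in far_side(adj, src, dst)))
    present = set().union(*members.values())
    return {v for v in present if v in eligible and v not in needed}


def flood_reach(trunks, members, origin, vlan, pruning=True):
    """Switches that receive a broadcast or unknown-unicast flood in `vlan`
    sourced at `origin`, with VTP pruning enabled or disabled."""
    adj = neighbours(trunks)
    seen, todo = {origin}, deque([origin])
    while todo:
        sw = todo.popleft()
        for nxt in adj[sw]:
            if nxt in seen:
                continue
            if pruning and vlan in pruned_toward(adj, members, sw, nxt):
                continue                      # trunk pruned for this VLAN
            seen.add(nxt)
            todo.append(nxt)
    return seen


if __name__ == "__main__":
    adj = neighbours(TRUNKS)
    print("VLAN 10 flood, pruning off:", sorted(flood_reach(TRUNKS, MEMBERS, 1, 10, pruning=False)))
    print("VLAN 10 flood, pruning on: ", sorted(flood_reach(TRUNKS, MEMBERS, 1, 10)))
    print("VLAN 1 flood, pruning on:  ", sorted(flood_reach(TRUNKS, MEMBERS, 1, 1)))
    for src, dst in sorted(TRUNKS):
        print(f"trunk {src}->{dst} prunes {sorted(pruned_toward(adj, MEMBERS, src, dst))}, "
              f"{dst}->{src} prunes {sorted(pruned_toward(adj, MEMBERS, dst, src))}")
```

With pruning on, the VLAN 10 broadcast from Switch 1 reaches only Switches 2 and 4; Switches 3, 5 and 6 are skipped because the trunks toward them have no VLAN 10 members on their far side, while VLAN 1 still reaches every switch because it is outside the eligible range. Changing MEMBERS[3] to include VLAN 10 makes trunk 2->3 carry VLAN 10 again on the next run: pruning follows membership and is a bandwidth optimisation, not an access control.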

3.8.2 Configure VTP pruning

Switch(vlan)#vtp pruning
Pruning switched ON
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface fastethernet 0/3
Switch(config-if)#switchport trunk pruning vlan remove 5-10
Switch(config-if)#

Figure 1 Cisco IOS Software-Based Switch

Console> (enable) set vtp pruneeligible 2-50
Vlans 2-50 eligible for pruning on this device.
VTP domain cisco modified.
Console> (enable) clear vtp pruneeligible 2-1005
Vlans 1-1005 will not be pruned on this device.
VTP domain cisco modified.
Console> (enable)

Figure 2 Set-Based Switch

Enabling VTP pruning on a VTP server enables pruning for the entire
management domain. VTP pruning takes effect several seconds after being
enabled. By default, VLANs 2 through 1000 are pruning eligible. VTP pruning
does not prune traffic from VLANs that are pruning ineligible. VLAN 1 is
always pruning ineligible, so traffic from VLAN 1 cannot be pruned. Specific
VLANs can be made pruning eligible or pruning ineligible on the device.
Pruning is a bandwidth optimization, not an access control: a pruned VLAN is
carried on a trunk again as soon as a switch beyond it reports a port in that
VLAN. To restrict which VLANs a trunk may carry at all, use the trunk's allowed
VLAN list.
To enable pruning for all pruning-eligible VLANs on a Cisco IOS command-based
switch, enter the following:
Switch(vlan)#vtp pruning
To make specific VLANs pruning ineligible on a trunk of a Cisco IOS
command-based switch, enter the following:
Switch(config)#interface fastethernet0/3
Switch(config-if)#switchport trunk pruning vlan remove vlan-id
Figure [1] shows an example where pruning is enabled for all VLANs except for
VLANs 5-10.
To make specific VLANs pruning eligible on a set command-based switch, enter
the following:
Console> (enable) set vtp pruneeligible vlan_range
To make specific VLANs pruning ineligible on a set command-based switch,
enter the following:

Console> (enable) clear vtp pruneeligible
vlan_range
Examples of each of these tasks are illustrated in Figure [2].

Lab Activity

In this lab activity, the student will learn how to configure VTP pruning
between a Catalyst 4000 switch and Catalyst 2900 switch.

3.8.3 Verifying VTP pruning

Switch#show running-config

<output omitted>

hostname Switch
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
switchport trunk allowed vlan 1,2,4,5,11-1005
switchport trunk pruning vlan 2-4,11-1001
switchport mode trunk
!
interface FastEthernet0/4

<output omitted>

Switch#show interface fastethernet 0/3 switchport
Name: Fa0/3
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1,2,4,5,11-1005
Trunking VLANs Active: 1,2
Pruning VLANs Enabled: 2-4,11-1001

Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
Switch#

Figure 1 Verify VTP Pruning

switch> (enable) show trunk 1/1
Port   Mode       Encapsulation Status     Native vlan
----   ---------- ------------- ---------- -----------
1/1    desirable  isl           trunking   1

Port   Vlans allowed on trunk
------ ------------------------------------------------
1/1    1-100,250,500-1005

Port   Vlans allowed and active in management domain
------ ------------------------------------------------
1/1    1,521-524

Port   Vlans in spanning tree forwarding state and not pruned
------ -------------------------------------------------------
1/1    1,521-524

Figure 2 Verify VTP Pruning

In order to verify the VLANs that are either pruned or not pruned on a Cisco IOS
command-based switch, use either the show running-config or the show
interface interface-id switchport command. These commands
are both illustrated in Figure [1].
In order to verify the VLANs that are either pruned or not pruned on a set
command-based switch, use the show trunk command. This command is
illustrated in Figure [2].

Summary
After completing this chapter, the student should have a firm understanding of
the following concepts:
• VLANs solve many of the issues found in Layer 2 environments. These
issues include broadcast control, isolation of problem components in the
network, security, and load balancing through the use of a Layer 3
protocol between VLANs.
• VLAN identification allows different VLANs to be carried on the same
physical link, called a trunk link. There are two different types of frame
identification methods: ISL and 802.1Q.
• The VLAN Trunking Protocol provides support for dynamic reporting of
the addition, deletion, and renaming of VLANs across the switch fabric.
• The overwrite process would mean that if the server deleted all VLANs
and had a higher configuration revision number, the other devices in the
VTP domain would also delete their VLANs.

Lab 2.1.3.1: Upgrading the 4006 Supervisor Software

[Lab topology: a workstation at 172.16.0.2/24 running the TFTP server is
connected to the Catalyst 4006 by a console cable and by an RJ-45 jumper to the
Supervisor 10/100 Mgt port.]

Objective

It is possible that when the new Catalyst 4006 arrives, the Supervisor unit will not recognize the
L3 module. The software image must be at least 5.5(4) to recognize the L3 module. Many early
shipments came with 5.4(2) or older. This set of instructions will cover upgrading the software
image.
The same process will work for any future upgrades.

Scenario

A WS-X4232-L3 layer three Router Switch Card has been added to an existing 4003 or 4006
chassis. After installing it, it is discovered that the Supervisor unit does not recognize the new
module. A check of the configuration shows that the software image is too old to support the
new module. The following steps cover the process of upgrading the software.

Step 1.

To confirm the software version, use the show config command while connected to the
Supervisor module via the console port with a rollover cable. Note: If the Catalyst 4006 has
not been used before, getting to privileged (enable) mode is the same as on other Cisco
devices. If passwords have not been set, just press Enter when prompted for both passwords.

Console> (enable)
Console> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
..........
..................
..

begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 14:46:47
!
#version 5.4(2) (Shows the current version)
!

1-1 Switching Section 2: Configuring the Switch - Lab 2.1.3.1 Copyright © 2002, Cisco Systems, Inc.
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both
!
#ip
set interface sl0 down
!
#syslog
set logging level cops 2 default
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.5-4-2.bin (Shows image used)
!
#mls
set mls nde disable
!
#port channel
set port channel 1/1-2 1
!
#module 1 : 2-port 1000BaseX Supervisor
!
#module 2 empty
!
#module 3 empty
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
end

The L3 module is installed in slot 3 (third from the top) of the unit. The 'empty' entry for
module 3 above confirms that the Supervisor module does not recognize the new L3 module.

Step 2.

This is optional for students. The following steps show the process to download the image from
the www.cisco.com site. Students: The instructor will explain where to find the appropriate
image.
Go to the Web site and log in with the CCO account information based on the Smartnet
agreement. Choose Software Center from the Service & Support section.

Choose LAN Switching Software from the Software Products & Downloads list.

Choose Catalyst 4000 from the list of Catalyst Switch Software choices.

Choose the version by clicking on the link. The newest link is near the bottom of this list.

Agree to the Software License Agreement.


Chose a Download Site and then just follow normal download instructions.

Step 3.

The upgrade process uses TFTP very much like the CCNA and other CCNP exercises, with
just a couple of differences unique to this model of switch.
Make sure that the TFTP server is running and that the software image is in the default
directory for the server. Note the IP address of the TFTP server. TFTP provides no
authentication or integrity protection, so keep the management link and the TFTP server on an
isolated lab or management segment, and compare the size (and checksum, where one is
published) of the transferred image against the values on the download page before booting
from it.
Cabling: Use a Cisco console cable to the Supervisor Console port to execute the commands
and monitor the process. Use a straight-through RJ-45 jumper to connect the Supervisor module
10/100Mgmt port to the TFTP server's NIC. If going through a switch to get to the TFTP server,
a crossover cable will be needed between the 4006 and the switch. The 10/100Mgmt interface
is a standard switch port.
Configuring the me1 (10/100Mgmt) port: The me1 interface must be assigned an address in
the same subnet as the TFTP server. The command to set me1 from the enable prompt is as
follows:
Console> (enable) set interface me1 172.16.0.5 255.255.255.0

Interface me1 IP address and netmask set.
Console> (enable)

Note: The address fit in with the initial TFTP server. However the address would undoubtedly
be different if this was anything but a practice lab.

Verify the change by using the show config command:


Console> (enable) show config
This command shows non-default configurations only.
begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 14:48:43
!
#version 5.4(2)
!
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both
!
#ip
set interface sl0 down
set interface me1 172.16.0.5 255.255.255.0 172.16.0.255 (the me1 entry just configured)
!
#syslog
set logging level cops 2 default
! (rest of output omitted)

Step 4.

Confirm connectivity with the TFTP server by pinging the server:


Console> (enable) ping 172.16.0.2
!!!!!

----172.16.0.2 PING Statistics----


5 packets transmitted, 5 packets received, 0% packet loss
round-trip (ms) min/avg/max = 14/15/17
Console> (enable)

Note: Some software versions print a "172.16.0.2 is alive" message instead of the usual Cisco
ping output.

If this fails, check that the TFTP server is on, the IP addresses are correct, and that the cabling
is correct. See Step 3 for cabling information. Troubleshoot as needed.

Step 5.

Use the show flash command to check the contents of flash and confirm that space is available
for the new image. The new image will sit alongside the existing image or images:
Console> (enable) show flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
  1 .. ffffffff 548c8f9c  39cf70   17  3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin

12071928 bytes available (3526384 bytes used)
Console> (enable)

Step 6.

Start by copying the current image to the TFTP server so that a backup exists. Besides creating
the backup, this demonstrates the steps and the time required before the new image is copied into
the 4006.
Enter the TFTP server IP address and the current image name. The file name is case sensitive and
is best copied from the show flash output and pasted at the prompt.
Console> (enable) copy flash tftp
Flash device [bootflash]? Name of file to copy from []? cat4000.5-4-2.bin
IP address or name of remote host []? 172.16.0.2
Name of file to copy to []? cat4000.5-4-2.bin (The file could be renamed here)
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCX
File has been copied successfully.

Console> (enable)

The X at the end of the second row of Cs represents a spinning line that looks much like a
turnstile; it stays on the screen until the copy is done. The image is roughly 3.5 MB, so the copy
takes several minutes.

Step 7.

This is optional for students. Now proceed to the actual upgrade. Suggestion: in Windows
Explorer, select the new image name as if renaming it and copy the name; paste it when the
copy tftp command asks for the file name.
The default values shown at each prompt below assume the copy flash tftp step was done
earlier. Press Enter at prompt one (1). Press Enter at prompts three (3) and four (4) unless the
image is to be renamed.
Console> (enable) copy tftp flash
IP address or name of remote host [172.16.0.2]?
Name of file to copy from [cat4000.5-4-2.bin]? cat4000.6-2-1.bin
Flash device [bootflash]?
Name of file to copy to [cat4000.6-2-1.bin]?
7981064 bytes available on device bootflash, proceed (y/n) [n]? y
XCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
File has been copied successfully.

Console> (enable)

The X before the first row of Cs represents a spinning line that looks much like a turnstile; it
stays on the screen for several minutes until the copy is done. This is exactly the reverse of the
copy to the TFTP server.
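As an added example (not Cisco's code and not part of the lab), the following Python script encodes and parses TFTP packets exactly as RFC 1350 lays them out and runs a complete read request in memory, so the exchange behind copy tftp flash can be seen: a request carrying only a file name and a mode, 512-byte DATA blocks each answered by an ACK, and a final short (possibly zero-length) block that ends the transfer. It also shows where the protocol would carry a credential, which is nowhere. The file names, the in-memory server and the sample content are constructed for the example.

```python
"""Added example (not part of the Cisco lab): a minimal TFTP (RFC 1350) packet
codec and an in-memory read-request exchange, showing what copy flash tftp /
copy tftp flash put on the wire. Names, the sample server files and the
in-memory channel are constructed for illustration."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5   # RFC 1350 opcodes
BLOCK_SIZE = 512                               # default block size


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ layout: opcode | filename | 0 | mode | 0.
    There is no field for a credential: whoever can reach UDP/69 can fetch or
    overwrite any file the server exposes."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def build_data(block, payload):
    """DATA layout: opcode | 16-bit block number | up to 512 bytes of payload."""
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block & 0xFFFF)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def parse_packet(raw):
    """Decode one TFTP packet into a dict, rejecting malformed layouts."""
    if len(raw) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", raw[:2])[0]
    if opcode in (RRQ, WRQ):
        fields = raw[2:].split(b"\0")
        if len(fields) < 3:            # filename, mode and the trailing empty piece
            raise ValueError("malformed request")
        return {"op": opcode, "filename": fields[0].decode("ascii"),
                "mode": fields[1].decode("ascii")}
    if opcode == DATA:
        return {"op": DATA, "block": struct.unpack("!H", raw[2:4])[0], "data": raw[4:]}
    if opcode == ACK:
        return {"op": ACK, "block": struct.unpack("!H", raw[2:4])[0]}
    if opcode == ERROR:
        return {"op": ERROR, "code": struct.unpack("!H", raw[2:4])[0],
                "message": raw[4:].split(b"\0")[0].decode("ascii")}
    raise ValueError("unknown opcode %d" % opcode)


def simulate_read(server_files, filename):
    """Run a complete RRQ exchange in memory (client and server in one process).
    Returns (received_bytes, number_of_DATA_blocks, transcript). The transfer
    ends with the first DATA block shorter than BLOCK_SIZE, which is why a file
    whose size is an exact multiple of 512 needs a final zero-length block."""
    transcript = []
    req = parse_packet(build_request(RRQ, filename))
    transcript.append("client -> server: RRQ %s (%s)" % (req["filename"], req["mode"]))
    if req["filename"] not in server_files:
        err = parse_packet(build_error(1, "File not found"))
        transcript.append("server -> client: ERROR %d %s" % (err["code"], err["message"]))
        return None, 0, transcript
    content = server_files[req["filename"]]
    received = bytearray()
    block = 1
    while True:
        start = (block - 1) * BLOCK_SIZE
        pkt = parse_packet(build_data(block, content[start:start + BLOCK_SIZE]))
        transcript.append("server -> client: DATA block %d (%d bytes)"
                          % (pkt["block"], len(pkt["data"])))
        received += pkt["data"]
        ack = parse_packet(build_ack(pkt["block"]))
        transcript.append("client -> server: ACK %d" % ack["block"])
        if len(pkt["data"]) < BLOCK_SIZE:
            return bytes(received), block, transcript
        block += 1


if __name__ == "__main__":
    # Constructed sample "image" of 1300 bytes; real images are a few MB.
    files = {"cat4000.6-2-1.bin": bytes(range(256)) * 5 + b"\x00" * 20}
    data, blocks, log = simulate_read(files, "cat4000.6-2-1.bin")
    print("\n".join(log))
    print("received %d bytes in %d blocks" % (len(data), blocks))
```

Run the script directly to print the transcript. The zero-length final block for files whose size is an exact multiple of 512 bytes is the edge case that trips up naive implementations. The block number is only 16 bits, which limits a plain RFC 1350 transfer to about 32 MB at the default block size unless the implementation wraps the counter; the simulation does not exercise that.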

Step 8.

This is optional for students. Confirm the copy with the show flash command; both images are
now present. Compare the length shown against the file size listed on the download page: TFTP
provides no authentication and no cryptographic integrity check, so a short or corrupted transfer
is only caught by checking the size (and, once booted, the version shown by show module).
Console> (enable) show flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
  1 .. ffffffff 548c8f9c  39cf70   17  3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
  2 .. ffffffff d39d5c46  783778   17  4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

7981192 bytes available (7616376 bytes used)
Console> (enable)

Step 9.

This is optional for students. Use the set boot system flash bootflash: image_name
prepend command to tell the 4006 which image to use. It is critical that the prepend option is
added to the end of the command to move this image ahead of the existing image. Both images
will be listed on the configuration. If this option is omitted the machine will boot to the old image.
The following output starts with using the help ? feature to see the options:
Console> (enable) set boot system flash bootflash:cat4000.6-2-1.bin ?
prepend Put as first priority
<mod> Module number
<cr>
Console> (enable) set boot system flash bootflash:cat4000.6-2-1.bin prepend

Console> (enable)

Use the show config command to confirm that the command worked. The following is only
the appropriate output lines.
Console> (enable) show config
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-2-1.bin
set boot system flash bootflash:cat4000.5-4-2.bin
!
#mls
set mls nde disable

Step 10.

This is optional for students. Reboot the device with the reset command. The configuration is
automatically saved on a 4006. Therefore, a copy run start command does not need to be
done first.
Use the show config and show module commands to confirm that the changes have been
made.
Console> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
..........
..................
..

begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Apr 18 2001, 15:04:09
!
#version 6.2(1) (Note the new version)
!
#system web interface version(s)
!
#test
set test diaglevel minimal
!
#frame distribution method
set port channel all distribution mac both

!
#ip
set interface sl0 down
set interface me1 172.16.0.5 255.255.255.0 172.16.0.255
!
#syslog
set logging level cops 2 default
!
#set boot command
set boot config-register 0x2
set boot system flash bootflash:cat4000.6-2-1.bin
set boot system flash bootflash:cat4000.5-4-2.bin (Second choice; used only if the first image fails to load. It can be removed once the new image is confirmed.)
!
#mls
set mls nde disable
!
#port channel
set port channel 1/1-2 1
!
#module 1 : 2-port 1000BaseX Supervisor
!
#module 2 empty
!
#module 3 : 34-port Router Switch Card (The L3 module is now appearing)
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
end
Console> (enable)
Console> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X4013            no  ok
3   3    34    Router Switch Card        WS-X4232-L3         no  ok

Mod Module-Name         Serial-Num
--- ------------------- --------------------
1                       JAB044200Q9
3                       JAB044204L3

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-03-6b-a8-13-00 to 00-03-6b-a8-16-ff 1.2    5.4(1)     6.2(1)
3   00-01-96-d8-d9-ca to 00-01-96-d8-d9-eb 1.5    12.0(7)W5( 12.0(7)W5(15d)
Console> (enable)

Step 11.

This is optional for students. If the old image is to be removed from the flash, use the cd
bootflash: command to move to the bootflash area. The dir command can be used to see
the contents. Notice that the output is a little different than the show flash command earlier.
Console> cd bootflash:
Console> dir
-#- -length- -----date/time------ name
1 3526384 --- -- ---- --:--:-- cat4000.5-4-2.bin
2 4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

7981192 bytes available (7616376 bytes used)

Go to privileged mode and use the delete command to remove the file. Use the dir command to
confirm that the file appears to be gone.

Console> enable
Enter password:
Console> (enable) delete cat4000.5-4-2.bin
Console> (enable) dir
-#- -length- -----date/time------ name
  2  4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

7981192 bytes available (7616376 bytes used)

Notice that the 'bytes available' and 'bytes used' have not changed. The file has only been
marked deleted and still occupies flash, much like a database that keeps a deleted record until
the table is compacted. To see deleted files, use the dir deleted command. To reclaim the space
and actually remove the file, use the squeeze bootflash: command.

Console> (enable) dir deleted


-#- ED --type-- --crc--- -seek-- nlen -length- ----date/time---- name
1 .. ffffffff 548c8f9c 39cf70 17 3526384 -- -- ---- --:-:- cat4000.5-4-2.bin

7981192 bytes available (7616376 bytes used)


Console> (enable) squeeze bootflash:

All deleted files will be removed, proceed (y/n) [n]? y

Squeeze operation may take a while, proceed (y/n) y

This may take less than two minutes.


Console> (enable) dir
-#- -length- -----date/time------ name
1 4089736 Apr 17 2001 14:40:15 cat4000.6-2-1.bin

12070928 bytes available (4089736 bytes used)

The lab is now complete.

Lab 2.1.3.2: Catalyst 4000 Setup

[Topology diagram: Workstation (10.1.1.10/24) connected by console cable to DLSwitch1, a Catalyst 4006 (10.1.1.251/24); native VLAN 1]

Objective:

Configure a Cisco Catalyst 4000 Ethernet switch for the first time.

Scenario:

A new Catalyst 4000 Ethernet switch with a supervisor module and a 32 port layer 3 switch
module has just been purchased. Configure the supervisor module so that it has a name, IP
address, and basic password security using the Command Line Interface (CLI).

Lab Tasks:

Step 1.
Connect the workstation's serial port to the console port of the Catalyst 4000. Both the Layer 3
switch module and the supervisor module have a console port; because the switch itself is being
configured, plug into the supervisor module's console port.

Use a standard Cisco console cable kit with a roll-over cable to connect.

Use the communications settings: eight (8) data bits, no parity, one (1) stop bit, no flow control.

Step 2.
Power on the 4000 switch and watch it start up. It may take several minutes for the 4000 to boot.
Notice that the 4000 is more verbose in its startup messages than Cisco routers.

WS-X4013 bootrom version 5.4(1), built on 2000.04.04 10:48:54


H/W Revisions: Crumb: 5 Rancor: 8 Board: 2
Supervisor MAC addresses: 00:02:4b:59:30:00 through
00:02:4b:59:33:ff (1024 addresses)
Installed memory: 64 MB
Testing LEDs.... done!

1-1 Switching Section 2: Configuring the Switch - Lab 2.1.3.2 Copyright © 2002, Cisco Systems, Inc.

Step 3.
Once boot up is complete, a password prompt will be received:

IP address for Catalyst not configured


DHCP/BOOTP will commence after the ports are online
Ports are coming online ...

Cisco Systems, Inc. Console

Enter password:

Notice that because the switch has not been configured yet and has no IP address, it tries to
obtain one via DHCP/BOOTP. If it does receive an address from a DHCP server, the CDP table on a
neighboring Cisco device can be used to see which address it obtained.

To log in to the switch, just press Enter at the password prompt. The user exec prompt
appears:

Console>

Step 4.
Next, configure the switch name, user exec password, and privileged mode password:

To do this, go into the enable mode:

Console> enable
Console> (enable)

Console> (enable) set system name DLSwitch1


System name set.
DLSwitch1> (enable)

Setting the passwords requires that a password setting dialog is entered. This is different from
other Cisco devices where the password is entered as part of the password command itself. The
Catalyst 4000 has two passwords just like other Cisco IOS devices. The first password is a user-
exec password and the second is a privileged exec mode password.

DLSwitch1> (enable) set password


Enter old password: (Because currently there is not a password, just hit enter)
Enter new password: cisco (Password is not displayed)
Retype new password: cisco
Password changed.

DLSwitch1> (enable) set enablepass


Enter old password: (Because currently there is not a password, just hit enter)
Enter new password: class (Password is not displayed)
Retype new password: class
Password changed.

DLSwitch1> (enable)

Step 5.
Now type show config to view the configuration of the switch.

DLSwitch1> (enable) show config
This command shows non-default configurations only.
Use 'show config all' to show both default and non-default configurations.
.....
................
..

begin
!
# ***** NON-DEFAULT CONFIGURATION *****
!
#time: Wed Nov 1 2000, 10:13:54 CST
!
#version 5.4(2)
!
set password $2$CBqb$emYj5ImVlOCgbNQTg.TC31
set enablepass $2$0o8Z$gGVzWMgEwfQEZIi2F340Q.
.
.
.

Notice the switch shows that only non-default commands are displayed. If all commands were
displayed, the configuration would be hard to read. The show config all command is given
as an option if the entire configuration needs to be displayed.

Type show config all just to see how big the configuration really is.

1. What is noticed about the passwords that are stored in the configuration?
Are they encrypted?

2. Was there anything special that had to be done to encrypt them?

Step 6.
Next, configure the IP address on the switch so that communication with the switch can be done
via the network for management purposes.

Notice that there is a port on the supervisor module that is labeled ’10/100 MGT’. This is not a
normal switch port, but rather an Ethernet interface that can be used to plug the management
part of the switch into another network. This is sometimes referred to as ’out-of-band’
management. This port would be connected to some other Ethernet network that is not part of
the normal production network. In the event that the Ethernet networks within this switch failed
for some reason, communication with the switch would continue through this external Ethernet
interface. This out-of-band Ethernet port is much like a NIC card that exists on the switch.

The 10/100 MGT port is referred to as interface ME1 on the switch.

There is also a virtual interface inside the switch. This is a virtual connection to the backplane of
the switch and can be configured to be a member of any VLAN that the switch has configured.

This virtual interface is called sc0.

Configure the management IP address on the sc0 virtual interface. Configuring the sc0 interface
allows access to the switch management through the normal switch ports on the 4000. The ME1
10/100 MGT port will not be used.

DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0

Another option would be to configure what VLAN the sc0 virtual interface is a part of:

DLSwitch1> (enable) set interface sc0 1

This places the virtual management interface in VLAN 1. By default the sc0 interface is in VLAN
1, so this command is not entirely necessary. However, this command would be necessary if the
management was to be associated to a different VLAN.

This is a switch and not a router, so no routing protocol can be configured on it. So that the
switch's own management traffic can reach networks beyond 10.1.1.0/24, configure a default route
that the switch uses for any destination outside its own subnet:

DLSwitch1> (enable) set ip route default 10.1.1.1

This installs a default route pointing at the router 10.1.1.1. It affects only traffic sourced by
the switch itself (telnet, TFTP and so on); it does not route user traffic between VLANs.

Step 7.
Configure the workstation so that it is a part of the 10.1.1.0/24 network, which is the same
network as the switch's management port.

Plug the workstation into any of the Ethernet switch ports on the L3 ROUTING MODULE. By
default, all of the ports in the switch are in VLAN 1. If virtual management interface sc0 remains
in VLAN 1, communication with the switch is still possible.

Use the configured IP address, 10.1.1.250, to telnet to the switch.

Log in using the configured password of cisco.

Step 8.
Using the telnet interface, explore some of the 4000 show commands:

Type show module from the user exec prompt.

This command gives information about what modules are installed in this switch. Because the
4000 is a modular switch with removable blades, this display could vary. Also seen is the
hardware, firmware, and software each of the modules is running. This is very useful when
determining which modules need to be upgraded.

DLSwitch1> sh mod
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X4013            no  ok
2   2    34    Router Switch Card        WS-X4232-L3         no  ok

Mod Module-Name         Serial-Num
--- ------------------- --------------------
1                       JAB043402VU
2                       JAB04300JN8

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-03-6b-0b-7c-00 to 00-03-6b-0b-7f-ff 1.2    5.4(1)     5.5(1)
2   00-01-96-c8-e4-c6 to 00-01-96-c8-e4-e7 1.5    12.0(7)W5( 12.0(7)W5(15d)

Type show system from the user exec prompt.

This command gives information about the physical operation of the switch. It tells the status of
the power supplies, status of the fans, system uptime, and the percentage of current and peak
traffic the switch has observed.

DLSwitch1> sh system
PS1-Status PS2-Status PS3-Status PEM Installed
---------- ---------- ---------- -------------
ok         ok         none       no

Fan-Status Temp-Alarm Sys-Status Uptime d,h:m:s Logout
---------- ---------- ---------- -------------- ---------
ok         off        ok         1,00:52:12     20 min

PS1-Type     PS2-Type     PS3-Type
------------ ------------ ------------
WS-C4008     WS-C4008     none

Modem   Baud  Traffic Peak Peak-Time
------- ----- ------- ---- -------------------------
disable 9600  0%      0%   Thu Nov 2 2000, 10:43:34

System Name              System Location          System Contact           CC
------------------------ ------------------------ ------------------------ ---

Type show port from the user exec prompt.

This command gives the status of the ports that are installed on this switch. Based on what
modules have been installed, this display could vary.

DLSwitch1> sh port
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
1/1 notconnect 1 normal full 1000 No GBIC
1/2 notconnect 1 normal full 1000 No GBIC
2/1 connected 1 normal full 1000 No GBIC
2/2 connected 1 normal full 1000 No GBIC
2/3 notconnect 1 normal auto auto 10/100BaseTX
2/4 notconnect 1 normal auto auto 10/100BaseTX
2/5 notconnect 1 normal auto auto 10/100BaseTX
2/6 notconnect 1 normal auto auto 10/100BaseTX
2/7 notconnect 1 normal auto auto 10/100BaseTX
2/8 notconnect 1 normal auto auto 10/100BaseTX
2/9 notconnect 1 normal auto auto 10/100BaseTX
2/10 notconnect 1 normal auto auto 10/100BaseTX

Lab 2.2.3: Catalyst 2900 Setup

[Topology diagram: Workstation (10.1.1.10/24) connected by console cable to ALSwitch, a Catalyst 2900XL (10.1.1.251/24); native VLAN 1]

Objective:

Configure a Cisco Catalyst 2900 Ethernet switch for the first time.

Scenario:

A new Catalyst 2900 Ethernet switch has just been purchased. Configure the switch so that it
has a name, IP address, and basic password security using the Command Line Interface (CLI).

Lab Tasks:

Step 1.
Connect the workstation's serial port to the console port of the Catalyst 2900. The console port
on the 2900 is on the back of the switch, as on the 1900 series switches.

Use a standard Cisco console cable kit with a rollover cable to connect.

Use the same communications settings: eight (8) data bits, no parity, one (1) stop bit, no flow
control, 9600 bits per second.

Step 2.
Power on the 2900 switch and watch it start up. It will take a little over one minute for the 2900 to
boot up.

C2900XL Boot Loader (C2900-HBOOT-M) Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Compiled Mon 03-Apr-00 17:20 by swati
starting...
Base ethernet MAC Address: 00:02:b9:9a:85:80
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 108 files, 3 directories

1-1 Switching Section 2: Configuring the Switch - Lab 2.2.3 Copyright © 2002, Cisco Systems, Inc.
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2775040
flashfs[0]: Bytes available: 837632
flashfs[0]: flashfs fsck took 6 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:c2900XL-c3h2s-mz-120.5-XU.bin"...############################################################

Step 3.
Once the boot up is complete, a prompt will ask for the System Configuration Dialog. This prompt
is due to not currently having a saved configuration on this switch.

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 03-Apr-00 16:37 by swati

--- System Configuration Dialog ---

At any point you may enter a question mark '?' for help.
Use ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.

Continue with configuration dialog? [yes/no]:

Answer no: configure the switch manually, without the setup dialog. (The setup dialog on this
switch is simpler than an IOS router's; after completing this lab, the switch can be reconfigured
through the System Configuration Dialog for comparison.)

There will not be a prompt for a password. Press Enter to log directly into user exec mode.

Switch>

Step 4.
Before configuring the switch, take a look at the current default running configuration prior to
adding any configuration commands.

Go into the enable mode. Because there is not an enable password set yet, there will not be a
prompt for one.

Switch>enable

Switch#show running-config

Building configuration...

Current configuration:

!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface VLAN1
no ip directed-broadcast
no ip route-cache
!
!
line con 0
transport input none
stopbits 1
line vty 5 15
!
end

Notice that the configuration looks much like that of an IOS based router. The interfaces on the
switch are actually its ports. Also notice the absence of any routing protocol and similar
commands: because this is a switch and not a router, nothing relating to the routing of packets
appears. Note too that no service password-encryption is in effect, so any password set with
enable password or a line password command will be stored in cleartext in this configuration.

Step 5.
Now configure the switch name, user exec password, and privileged exec mode password:

The Catalyst 2900 uses IOS style configuration commands. These commands will look similar to
configuring a router.

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

Set the passwords. Note that enable password stores its value in cleartext in the configuration
(this lab leaves it that way for simplicity); on images that support it, enable secret stores a
one-way hash instead and takes precedence if both are configured.

ALSwitch(config)#enable password class


ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login

Return to privileged exec mode with the end command and, as on an IOS router, save the running
configuration with the copy command (older software uses write memory).

ALSwitch#copy running-config startup-config
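As an added example (not Cisco's code and not part of the lab), the following Python script classifies the credential lines in a CatOS show config or an IOS show running-config. It answers the questions asked in Lab 2.1.3.2 Step 5 about the $2$ values (they are salted one-way hashes, so the password cannot be read back from the configuration) and shows what the ALSwitch configuration above stores: enable password class and the line passwords sit in cleartext because service password-encryption is off, and even with it on, the type 7 obfuscation IOS applies is reversible with a fixed, well-known key, which the script demonstrates. The sample configuration strings, function names and the textbook type 7 string are constructed for the example.

```python
"""Added example (not Cisco's code): audit a CatOS or IOS configuration dump
for how each credential is stored. The IOS type 7 decoder implements the
well-known XOR scheme with its fixed key; the sample configs below are
constructed from the lab output, plus one textbook type 7 string."""
import re

# Fixed key used by the IOS "service password-encryption" (type 7) scheme.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Type 7 = two-digit decimal seed, then one hex byte per character,
    each XORed with the key starting at the seed. Reversible by anyone."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    plain = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        plain.append(int(encoded[pos:pos + 2], 16)
                     ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return plain.decode("ascii")


def type7_encode(plain, seed=8):
    """Inverse of type7_decode; only here to show the scheme is symmetric."""
    out = "%02d" % seed
    for i, ch in enumerate(plain.encode("ascii")):
        out += "%02X" % (ch ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return out


# (pattern, classification); checked in this order so "password 7 ..." is not
# mistaken for a cleartext password whose value is "7".
RULES = [
    (re.compile(r"^\s*(?:enable|username \S+) secret (?:\d+ )?(\S+)"), "hash"),
    (re.compile(r"^\s*set (?:password|enablepass) (\$\d\$\S+)"), "hash"),   # CatOS
    (re.compile(r"^\s*(?:enable password|password|username \S+ password) 7 ([0-9A-Fa-f]+)"),
     "type7"),
    (re.compile(r"^\s*(?:enable password|password|username \S+ password)(?: 0)? (\S+)"),
     "cleartext"),
]


def audit_config(config_text):
    """Return one finding per credential line: kind is hash (one-way, salted),
    type7 (reversible; decoded value included) or cleartext. The IOS
    'no service password-encryption' line is reported as a weak-setting."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if re.match(r"^\s*no service password-encryption\b", line):
            findings.append({"line": lineno, "kind": "weak-setting",
                             "value": line.strip(), "decoded": None})
            continue
        for pattern, kind in RULES:
            m = pattern.match(line)
            if m:
                decoded = type7_decode(m.group(1)) if kind == "type7" else None
                findings.append({"line": lineno, "kind": kind,
                                 "value": m.group(1), "decoded": decoded})
                break
    return findings


# Constructed IOS sample mirroring the ALSwitch configuration in this lab; the
# type 7 string is the textbook example that decodes to "cisco".
IOS_SAMPLE = """\
version 12.0
no service password-encryption
hostname ALSwitch
enable password class
line con 0
 password cisco
 login
line vty 0 15
 password 7 0822455D0A16
 login
"""

# Constructed CatOS sample using the hashed values shown by show config above.
CATOS_SAMPLE = """\
set password $2$CBqb$emYj5ImVlOCgbNQTg.TC31
set enablepass $2$0o8Z$gGVzWMgEwfQEZIi2F340Q.
"""

if __name__ == "__main__":
    for name, cfg in (("IOS", IOS_SAMPLE), ("CatOS", CATOS_SAMPLE)):
        for f in audit_config(cfg):
            extra = "  -> " + f["decoded"] if f["decoded"] else ""
            print("%-5s line %2d %-12s %s%s" % (name, f["line"], f["kind"], f["value"], extra))
```

The practical consequence for this lab: on the 2900XL, use enable secret rather than enable password wherever the image supports it, and treat any configuration backup that contains cleartext or type 7 passwords as sensitive as the passwords themselves, since the type 7 key is public and the decode is instantaneous.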

Step 6.
Now configure the IP address on the switch so that communication can begin with the switch via
the network for management purposes.

The management portion of the 2900 series switch uses VLAN 1 as its network connection by
default. In the show running-config output above, notice that interface VLAN1 is part of the
default configuration.

All ports default to membership of VLAN 1. Therefore, configure the switch management to also
use VLAN 1. Configure interface vlan 1 just as a router interface would be done when assigning
the switch's management IP address.

ALSwitch#config terminal
ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

This immediately assigns the IP address of the switch to VLAN 1. The 2900 can be configured
with multiple VLANs simultaneously. Make sure that each VLAN interface has an IP address
from that VLAN. Additional VLAN interfaces can be created temporarily by using the interface
vlan x command, where x is the VLAN number.

Since this is a switch and not a router, no routing protocol can be configured on it. For the
switch's own management traffic to reach networks beyond 10.1.1.0/24, a default gateway is
needed:

ALSwitch(config)#ip default-gateway 10.1.1.1

This sends any traffic the switch itself originates for another subnet to the router 10.1.1.1.
It has no effect on traffic passing through the switch; routing between VLANs is done by a router,
not by this command.

Step 7.
Configure the workstation so that it is a part of the 10.1.1.0/24 network. This network is the same
network as the switch's management port.

Plug the workstation into any of the switch ports. By default all of the ports in the switch are in
VLAN 1, so as long as the management IP address is configured on VLAN 1, communication with
the switch will be possible.

Use the configured IP address, 10.1.1.251, to telnet to the switch.

Log in using the configured password of cisco.

Step 8.
Using the telnet interface, explore some of the commands in the 2900. Notice that the 2900XL is
much like other IOS devices.

Use the show interfaces command to look at the switch ports. Notice that the command
output is similar to that of a router.

ALSwitch#show interfaces
FastEthernet0/1 is down, line protocol is down
Hardware is Fast Ethernet, address is 0002.fd49.7b81 (bia 0002.fd49.7b81)
MTU 1500 bytes, BW 0 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not set
Auto-duplex , Auto Speed , 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1 packets input, 64 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast
0 input packets with dribble condition detected
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
--More--

1. What other types of interfaces are seen besides the switch ports?

Type show version and look at the hardware/software information.

ALSwitch#show version
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 03-Apr-00 16:37 by swati
Image text-base: 0x00003000, data-base: 0x00301398

ROM: Bootstrap program is C2900XL boot loader

ALSwitch uptime is 16 minutes
System returned to ROM by power-on
System image file is "flash:c2900XL-c3h2s-mz-120.5-XU.bin"

cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID 0x0E, with hardware revision 0x01
Last reset from power-on

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:02:FD:49:7B:80
Motherboard assembly number: 73-3382-08
Power supply part number: 34-0834-01
Motherboard serial number: FAB04301ANJ
Power supply serial number: PHI04150042
Model revision number: A0
Motherboard revision number: B0
Model number: WS-C2924-XL-EN
System serial number: FAB0432S2GJ
Configuration register is 0xF

ALSwitch#

2. What type of memory is included in the Catalyst 2900 series switch, but is not listed in the
show version output?

Lab 2.3.4.1: Catalyst 4000 Password Recovery

[Topology diagram: Workstation (10.1.1.10/24) connected by console cable to DLSwitch1, a Catalyst 4006 (10.1.1.250/24); native VLAN 1]

Objective:

Regain control of a Cisco Catalyst 4000 Ethernet switch after all the passwords have been lost.

Scenario:

With a new job at a company that used Catalyst 4000 Ethernet switches, it is found that the
previous network manager did not leave any documentation containing the passwords for the
switches. Perform password recovery on the Catalyst 4000. Change the user exec password to
cisco and the privileged exec mode password to class.

Lab Tasks:

Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the configuration
from Lab 2.1.3.2 (Catalyst 4000 Setup) is still in place.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)

In the steps that follow, have a classmate set the passwords. The passwords to be used should
be made up and not the standard passwords used in the labs. Make sure the classmate does not
divulge the password.

DLSwitch1> (enable) set password


Enter old password: (Because currently there is not a password, just hit enter)

1-1 Switching Section 2: Configuring the Switch - Lab 2.3.4.1 Copyright © 2002, Cisco Systems, Inc.
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set enablepass


Enter old password: (Because currently there is not a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0


DLSwitch1> (enable) set interface sc0 1

Configure the IP address of the workstation to 10.1.1.10/24

Step 2.
Attempt to telnet into the Catalyst switch. Because the passwords are unknown, access will be
denied.

The Catalyst 4000 series handles password recovery differently from Cisco IOS based devices.

For the first 30 seconds after a cold boot, the Catalyst 4000 does not require a password when
logging in from the console port. A password is still required during that time for telnet logins.

This is a clear example of why physical security of network devices matters: anyone who can reach
the console port and power-cycle the chassis can set new passwords without knowing the old ones,
and no configuration setting prevents it. Console ports and power cords belong behind the locked
door of the wiring closet.

Step 3.
Make sure there is a connection to the console port and power off the Catalyst 4000 switch.
Read through the rest of this step. It will need to be completed within 30 seconds after the switch
is powered back up. It is important to power off the switch. A warm reset will not allow entrance
without a password, therefore, it must be a full power off.

Turn on the power to the Catalyst 4000 switch by plugging in the power cords.

Watch the start-up messages. When the following is seen:

Cisco Systems, Inc. Console

Enter password:

Hit enter immediately. Remember, a password is not needed to log in.

DLSwitch1>

Enter privileged mode. Again, a password will not be needed so hit enter.

DLSwitch1> enable
DLSwitch1> (enable)

Now reset the password using the set password and set enablepass commands.
When prompted for the current passwords, hit enter.

DLSwitch1> (enable) set password
Enter old password: (just hit enter)
Enter new password: (“cisco” hit enter)
Retype new password: (“cisco” hit enter)
Password changed.

DLSwitch1> (enable) set enablepass
Enter old password: (just hit enter)
Enter new password: (“class” hit enter)
Retype new password: (“class” hit enter)
Password changed.

The password change is now complete.

If this was done fast enough, the new passwords become part of the saved configuration. The
rest of the switch's configuration is unchanged.

1. Is the Catalyst 4000 password recovery better or worse than other IOS based devices?

Lab 2.3.4.2: Catalyst 2900 Password Recovery

Diagram: ALSwitch (2900XL, 10.1.1.251/24) connected by a console cable to the Workstation (10.1.1.10/24); native VLAN 1.

Objective:

Regain control of a Cisco Catalyst 2900 Ethernet switch after the passwords have been lost.

Scenario:

With a new job at a company that uses Catalyst 2900 Ethernet switches in its IDFs, it is found
that the previous network manager did not leave any documentation containing the passwords for
the switches. Perform password recovery on the Catalyst 2900. Change the user exec password
to cisco and the privileged exec mode password to class.

Lab Tasks:

Step 1.
First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900
initial setup, configuration is complete.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

In the steps that follow, have a classmate set the passwords. The passwords to be used should
be made up and not the standard passwords used in the labs. Make sure the classmate keeps
the passwords to themselves.

ALSwitch(config)#enable password somethingdifferent

ALSwitch(config)#line con 0
ALSwitch(config-line)#password somethingelse
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password somethingelse
ALSwitch(config-line)#login

ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Configure the IP address of the workstation to 10.1.1.10/24

Step 2.
Attempt to telnet into the Catalyst switch. Because the passwords are unknown, access will be
denied.

The Catalyst 2900 series of switches deals with password recovery in a similar fashion to other
IOS devices. The idea is to move the current startup configuration out of the way so that the
switch loads the default configuration, which has no passwords. Once the switch is up and
running, go into enable mode, move the saved startup configuration into running configuration,
modify the passwords, and then move it back into the startup configuration.

Step 3.
Make sure there is connection to the console port and power off the Catalyst 2900 switch.

Hold down the ’MODE’ button on the front of the Catalyst 2900 switch at the same time that the
switch is powered on. Let go of the ’MODE’ button a second or two after the LED light above port
1 is no longer lit.

Watch the start-up message. When the following is seen:

C2900XL Boot Loader (C2900-HBOOT-M) Version 12.0(5)XU, RELEASE SOFTWARE (fc1)
Compiled Mon 03-Apr-00 17:20 by swati
starting...
Base ethernet MAC Address: 00:02:b9:9a:85:80
Xmodem file system is available.

The system has been interrupted prior to initializing the
flash filesystem. The following commands will initialize
the flash filesystem, and finish loading the operating
system software:

flash_init
load_helper
boot

switch:

Type: flash_init and then type load_helper.

switch: flash_init
Initializing Flash...
flashfs[0]: 109 files, 3 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 2776064
flashfs[0]: Bytes available: 836608
flashfs[0]: flashfs fsck took 8 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
switch: load_helper

This is similar to changing the configuration-register on a router to boot into rom-monitor mode.

Now, list the contents of the switch's flash memory:

switch: dir flash:
Directory of flash:/

2    -rwx  1644046  <date>  c2900XL-c3h2s-mz-120.5-XU.bin
3    -rwx   105961  <date>  c2900XL-diag-mz-120.5-XU
4    drwx     6784  <date>  html
111  -rwx      286  <date>  env_vars
112  -rwx      648  <date>  config.text

836608 bytes available (2776064 bytes used)

Rename the config.text file to a temporary name, such as config.old.

switch: rename flash:config.text flash:config.old

Now reboot the switch:

switch: boot

When the switch reboots, it will prompt for the Configuration Dialog to be entered. Answer no.

When the switch finishes the boot up sequence, enter privileged exec mode and rename the
temporary file back to its original name, config.text, which is the startup configuration.

Switch>
Switch>enable
Switch#rename flash:config.old flash:config.text

Now copy the startup configuration (config.text) to the running-config.

Switch#copy flash:config.text system:running-config
Destination filename [running-config]? (Press Enter)
648 bytes copied in 1.206 secs (648 bytes/sec)
ALSwitch#

Enter global configuration mode and reassign the passwords:

ALSwitch#config terminal
ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#end

Now save the changes.

ALSwitch#copy running-config startup-config

The password change is now complete.

Lab 2.3.7.1: Catalyst 4000 TFTP Configuration Files

Diagram: DLSwitch1 (4006, 10.1.1.250/24) connected by a console cable to the Workstation / TFTP Server (10.1.1.10/24); native VLAN 1.

Objective:

Copy the current configuration to a TFTP server.

Scenario:

The company uses Catalyst 4000 Ethernet switches for their backbone. A copy of the
configuration file from the Catalyst 4000 switch to a TFTP server is desired for safekeeping.

Lab Tasks:

Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000
initial setup, configuration is complete.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)

DLSwitch1> (enable) set password
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set enablepass
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Configure the IP address of the workstation to 10.1.1.10/24.

Make sure the Cisco TFTP server is loaded on this workstation.

Step 2.
Use the copy command to copy the configuration from the switch to the TFTP server. Type
copy ? to see what other options there are.

1. What other locations can the configuration file be copied to?

Step 3.
Now use the copy config tftp command to move the configuration to the TFTP server.

DLSwitch1> (enable) copy config tftp
This command uploads non-default configurations only.
Use 'copy config tftp all' to upload both default and non-default
configurations.
IP address or name of remote host []? 10.1.1.10
Name of file to copy to [DLSwitch1.cfg]? (Just hit enter)

Upload configuration to tftp:DLSwitch1.cfg, (y/n) [n]? y
.......
Configuration has been copied successfully.
DLSwitch1> (enable)

Step 4.
Check the configuration file that was saved to the TFTP server.

2. Is the copy a full version of the configuration, or just the nondefault commands?

3. What command would be used to save both default and nondefault commands?

Lab 2.3.7.2: Catalyst 2900 TFTP Configuration Files

Diagram: ALSwitch (2900XL, 10.1.1.251/24) connected by a console cable to the Workstation / TFTP Server (10.1.1.10/24); native VLAN 1.

Objective:

Copy the current configuration to a TFTP server.

Scenario:

The company uses Catalyst 2900 Ethernet switches in their IDFs. A copy of the configuration file
from the Catalyst 2900 switch to a TFTP server is desired for safekeeping.

Lab Tasks:

Step 1.
First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900
initial setup, configuration is complete.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login

ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Configure the IP address of the workstation to 10.1.1.10/24.

Make sure the Cisco TFTP server is loaded on this workstation.

Step 2.
Use the copy command to copy the configuration from the switch to the TFTP server. Type
copy ? to see what other options there are.

1. What other locations can the configuration file be copied to?

Step 3.
Now use the copy running-config tftp command to move the configuration to the TFTP
server.

ALSwitch#copy running-config tftp
Address or name of remote host []? 10.1.1.10
Destination filename [running-config]? ALSwitch (Use the switch name)
!!
1165 bytes copied in 4.173 secs (291 bytes/sec)
ALSwitch#

Step 4.
Check the configuration file that was saved to the TFTP server.

2. Is the copy a full version of the configuration, or just the nondefault commands?
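As an added check for Step 4 (this script is not part of the original lab): it reads the file that the copy left on the TFTP server, confirms that the hostname and VLAN 1 address entered in Step 1 are present, and lists every credential the file stores in cleartext, which the enable password and line password commands used in this lab do. The sample file below is constructed to mirror the Step 1 commands; service password-encryption is an IOS command the script only looks for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the file that Step 3's "copy running-config tftp"
# leaves on the TFTP server; it mirrors the commands entered in Step 1.
SAMPLE_BACKUP = """\
!
version 12.0
hostname ALSwitch
!
enable password class
!
interface VLAN1
 ip address 10.1.1.251 255.255.255.0
!
line con 0
 password cisco
 login
line vty 0 15
 password cisco
 login
!
end
"""


def split_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (section command, indented body lines).

    Top-level commands such as "hostname X" become sections with an empty
    body; comment lines starting with "!" and blank lines are skipped.
    """
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit_backup(config: str) -> Dict[str, object]:
    """Check a saved 2900XL config for the lab's settings and cleartext credentials.

    "enable password" and per-line "password" commands are stored as typed
    unless "service password-encryption" is configured, and even then only in
    the reversible type 7 form, so both are reported. "enable secret" is
    hashed and is left alone.
    """
    hostname = None
    vlan1_ip = None
    encryption = False
    cleartext: List[Tuple[str, str]] = []  # (section, password) pairs
    for header, body in split_sections(config):
        if header.startswith("hostname "):
            hostname = header.split(None, 1)[1]
        elif header == "service password-encryption":
            encryption = True
        elif header.lower() == "interface vlan1":
            for cmd in body:
                m = re.match(r"ip address (\S+) (\S+)$", cmd)
                if m:
                    vlan1_ip = m.group(1)
        elif header.startswith("enable password "):
            cleartext.append((header, header.split()[-1]))
        elif header.startswith("line "):
            for cmd in body:
                if cmd.startswith("password "):
                    cleartext.append((header, cmd.split()[-1]))
    return {
        "hostname": hostname,
        "vlan1_ip": vlan1_ip,
        "password_encryption": encryption,
        "cleartext_passwords": cleartext,
    }


if __name__ == "__main__":
    result = audit_backup(SAMPLE_BACKUP)
    print(f"hostname={result['hostname']} vlan1={result['vlan1_ip']}")
    for section, secret in result["cleartext_passwords"]:
        print(f"cleartext password under '{section}': {secret}")
```

Anyone who can read the TFTP server's directory can read these passwords, so the backup needs the same protection as the switch console.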

Lab 3.3.1.1: Catalyst 4000 Static VLANs

Diagram: DLSwitch1 (4006, 10.1.1.250/24, native VLAN 1 on 10.1.1.0/24) with Accounting VLAN 10 (10.1.10.0/24) on ports 19-24, Marketing VLAN 20 (10.1.20.0/24) on ports 25-30 and Engineering VLAN 30 (10.1.30.0/24) on ports 31-34; Test Workstation at 10.1.x.3 and Engineering Workstation at 10.1.30.2.

Objective:

Configure the Distribution Layer Catalyst 4000 Ethernet Switch to support three VLANs -
Marketing, Accounting, and Engineering.

Scenario:

The current hub based network is being migrated to a Catalyst 4000 switch based network.
There are currently three hubs, one for each network. The three VLANs will need to be created
on the new switch. Three ports will be assigned to each VLAN.

Design:

Switch VLAN Port Assignments:

VLANs         VLAN 1 (Default)   VLAN 10 (Accounting)   VLAN 20 (Marketing)   VLAN 30 (Engineering)
Port Number                      19-24                  25-30                 31-34

Lab Tasks:

Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000
initial setup, configuration is complete.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)

DLSwitch1> (enable) set password
Enter old password: (Because there is currently not a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set enablepass
Enter old password: (Because there is currently not a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Step 2.
Before the VLANs can be configured, a little understanding about the default operation of the
Catalyst 4000 is needed.

By default, the Catalyst 4000 is configured as a VLAN Trunking Protocol (VTP) server. More will
be learned about this in later labs. Since the switch defaults to a VTP server, a VTP domain
name must be assigned to the switch.

DLSwitch1> (enable) set vtp domain corp

This command sets the VTP server domain name to ’corp’, which will be used during the rest of
the labs.

Once this is set, configuring VLANs will be possible.

Step 3.
Next assign the ports to their appropriate VLANs.

Use set vlan 10 slot#/port# to assign the ports to their appropriate VLANs.

DLSwitch1> (enable) set vlan 10 2/19-24

Notice that multiple ports can be specified by indicating a range of port numbers. For example,
2/19-24 will include ports 19 through 24 on slot 2.

The switch will return a confirmation of the VLAN assignment:

Vlan 10 configuration successful
VLAN 10 modified.
VLAN 1 modified.
VLAN  Mod/Ports
----  -----------------------
10    2/19-24

1. Why does the switch indicate that VLAN 1 was modified?

Continue with the other VLANs:

DLSwitch1> (enable) set vlan 20 2/25-30
DLSwitch1> (enable) set vlan 30 2/31-34

The other ports do not need to be configured as VLAN 1 because they are in VLAN 1 by default.

Use the show vlan command to verify that the ports are assigned to the correct VLAN.

2. What is the maximum number of VLANs supported on a Catalyst 4000 switch?

Step 4.
Now configure the Engineering workstation that will be connected to the Engineering VLAN using
the IP address 10.1.30.2/24. Make sure the Engineering workstation is plugged into one of the
Engineering VLAN ports.

3. What ports are connected to the Engineering VLAN?

4. What command could be used to determine what ports are assigned to what VLAN?

VLANs can be named so they are easier to identify when doing show commands on the switch.
These names do not affect the functionality of the VLANs.

DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering

Do another show vlan command:

DLSwitch1> (enable) sh vlan
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    6       1/1-2
                                                        2/1-18
10   Accounting                       active    45      2/19-24
20   Marketing                        active    46      2/25-30
30   Engineering                      active    47      2/31-34
1002 fddi-default                     active    7
1003 token-ring-default               active    10
1004 fddinet-default                  active    8
1005 trnet-default                    active    9

Step 5.
Configure the Test workstation so it has an IP address of 10.1.20.3/24 and plug it into the
Marketing VLAN.

5. What ports are in the Marketing VLAN?

6. Can the IP address, 10.1.30.2, of the Engineering workstation be pinged?

7. What is needed to enable pinging the Engineering workstation?

Step 6.
Change the IP address of the Test workstation to 10.1.30.3/24.

8. Can the Engineering workstation be pinged now?

If the Engineering workstation still cannot be pinged after the IP address was changed, move
the Test workstation to the Engineering VLAN. The ping should now be successful.

Lab 3.3.1.2: Catalyst 2900 Static VLANs

Diagram: ALSwitch (2900XL, 10.1.1.251/24, native VLAN 1 on 10.1.1.0/24) with Accounting VLAN 10 (10.1.10.0/24) on ports fa0/4-fa0/6, Marketing VLAN 20 (10.1.20.0/24) on ports fa0/7-fa0/9 and Engineering VLAN 30 (10.1.30.0/24) on ports fa0/10-fa0/12; Test Workstation at 10.1.x.3 and Engineering Workstation at 10.1.30.2.

Objective:

Configure the Access Layer Catalyst 2900 Ethernet Switch to support three VLANs: Marketing,
Accounting, and Engineering.

Scenario:

The current hub based network is being migrated to a Catalyst 2900 switch based network.
There are currently three hubs, one for each network. The three VLANs will need to be created
on the new switch. Three ports will be assigned to each VLAN.

Design:

Switch VLAN Port Assignments:

VLANs         VLAN 1 (Default)   VLAN 10 (Accounting)   VLAN 20 (Marketing)   VLAN 30 (Engineering)
Port Number   Fa0/1-Fa0/3        Fa0/4-Fa0/6            Fa0/7-Fa0/9           Fa0/10-Fa0/12

Lab Tasks:

Step 1.
First, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900
initial setup, configuration is completed.

Switch> enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login

ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Step 2.
Next configure the VLANs. Refer to the Design section for VLAN port assignments.

First set all of the ports to ’access’ ports. A port on a 2900 switch can be one of three modes: A
trunk port, a multi-VLAN port, or an access port. Trunk ports and multi-VLAN ports are used
when connecting a switch to another switch, or another device that understands VLAN trunking.
Because workstations will be connected to these ports, configure these ports as ’access’ ports.
This means that these will be single VLAN ports with standard devices attached.

By default, all ports should be configured as access ports. This command is not necessary unless
the ports have been set up as trunk ports.

ALSwitch(config)#interface fa0/1
ALSwitch(config-if)#switchport mode access

Repeat this step for all ports that need to be converted back to access ports.

1. What command or commands could be used to determine if a port is in access or trunk
mode and needs to be converted?

Step 3.
Next assign the ports to the appropriate VLANs.

Use the switchport access vlan n, where n is the VLAN number, to assign the ports to
their appropriate VLANs.

ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30

ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30

ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30

By default, ports fa0/1-fa0/3 do not need to be configured as VLAN 1 because that is the default
VLAN that ports are assigned to.

Use the show vlan command to verify that the ports are assigned to the correct VLAN.

2. What is the maximum number of VLANs supported on a Catalyst 2900 switch?

Step 4.
Now configure the Engineering workstation that will sit on the Engineering VLAN using the IP
address 10.1.30.2/24. Make sure the Engineering workstation is plugged into one of the
Engineering VLAN ports.

3. What ports are connected to the Engineering VLAN?

4. What command could be used to determine what ports are assigned to what VLAN?

Step 5.
Configure the Test Workstation so it has an IP address of 10.1.20.3/24 and plug it into the
Marketing VLAN.

5. What ports are in the Marketing VLAN?

6. Can the IP address, 10.1.30.2, of the Engineering workstation be pinged?

7. What needs to be done to enable the Engineering workstation to be pinged?

Step 6.
Change the IP address of the Test Workstation to 10.1.30.3/24.

8. Can the Engineering workstation be pinged now?

If the Engineering workstation still cannot be pinged after the IP address was changed, move
the Test workstation to the Engineering VLAN. The ping should now be successful.

Lab 3.6.4: VLAN Trunking and VTP Domain

Diagram: DLSwitch1 (4006, 10.1.1.250/24) and ALSwitch (2900XL, 10.1.1.251/24) joined by an 802.1q trunk between DLSwitch1 port 2/3 and ALSwitch port 1, with a workstation on each switch. On both switches: native VLAN 1 (10.1.1.0/24, ports 2/4-16 and fa0/2-fa0/3), Accounting VLAN 10 (10.1.10.0/24, ports 2/19-2/24 and fa0/4-fa0/6), Marketing VLAN 20 (10.1.20.0/24, ports 2/25-2/30 and fa0/7-fa0/9), Engineering VLAN 30 (10.1.30.0/24, ports 2/31-2/34 and fa0/10-fa0/12).

Objective:

Configure a VLAN trunk between a Catalyst 4000 switch and Catalyst 2900 switch.

Scenario:

The network is growing. The network has outgrown the 2900 and requires more port capacity.
As time goes on, the plan is to continue to add Catalyst 2900 switches in the IDFs. At this point a
Catalyst 4000 is added in the MDF to tie all of these 2900s together. In order to make additions,
moves, and changes easier to manage, VLANs will be configured throughout the entire network.
The 4000 will be at the core of this switch configuration.

The link between the 4000 and 2900 will need to be configured as a trunk line, which will extend
the VLAN configuration between both switches. The Catalyst 4000 switch will act as a VLAN
VTP server that will propagate VLAN information to the 2900.

Design:

Switched Network VTP Configuration Information:

Switch      VTP Domain   VTP Mode
DLSwitch1   Corp         Server
ALSwitch    Corp         Client

Switch VLAN Port Assignments:

Switch        VLAN 1 (Default)   VLAN 10 (Accounting)   VLAN 20 (Marketing)   VLAN 30 (Engineering)
DLSwitch1                        19-24                  25-30                 31-34
ALSwitch                         4-6                    7-9                   10-12

Lab Tasks:

Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the Lab 3.1.3, 4000
initial setup, configuration is completed.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)

DLSwitch1> (enable) set password
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set enablepass
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Step 2.
Next, configure the 2900 switch according to the diagram. Skip this step if the Lab 3.2.3, 2900
initial setup, configuration is completed.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

ALSwitch(config)#enable password class
ALSwitch(config)#line con 0
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login

ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Step 3.
Configure VLAN Trunking Protocol (VTP) on both switches. VTP is the protocol that will
communicate information about which VLANs exist from one switch to another. If VTP did not
provide this information, the VLANs on all switches would have to be created individually.

By default, the Catalyst 4000 is configured as a VTP server.

Because the switch defaults to a VTP server, the VTP server does not have to be turned on. In
the event that this was shut off, use the following command:

DLSwitch1> (enable) set vtp mode server

The 4000 is to act as a VTP server to provide the VLAN information to all the other switches.
Once the 4000 is setup as a VTP server, the VTP domain name needs to be specified:

DLSwitch1> (enable) set vtp domain corp

This command sets the VTP server domain name to ’corp’. This name must match all other
switches that are in this VTP domain.

The Catalyst 2900XL will be configured as the VTP client. The 2900XL needs to learn the VLANs
from the 4000's VTP server.

This is done through the vlan database command on the 2900XL. This command enters a
new type of IOS configuration mode. Notice that this mode is entered from the privileged exec
prompt, and not from the traditional ’config term’ configuration mode.

ALSwitch#vlan database
ALSwitch(vlan)#vtp client
ALSwitch(vlan)#vtp domain corp
ALSwitch(vlan)#exit
ALSwitch#

This sets the 2900XL in client VTP mode and sets the VTP domain name to ‘corp’.

Once the VTP protocol is configured, VLANs can then be configured.

Step 4.
Next, assign the ports on the 4000 to their appropriate VLANs and set the VLAN names. Skip this
step if Lab 4.3.1.1 is configured.

DLSwitch1> (enable) set vlan 10 2/19-24
DLSwitch1> (enable) set vlan 20 2/25-30
DLSwitch1> (enable) set vlan 30 2/31-34
DLSwitch1> (enable) set vlan 10 name Accounting
DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering

The other ports do not need to be configured as VLAN 1 because that is the default VLAN to
which ports are assigned.

Use the show vlan command to verify that the ports are assigned to the correct VLAN.

DLSwitch1> (enable) sh vlan
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    6       1/1-2
                                                        2/1-18
10   Accounting                       active    45      2/19-24
20   Marketing                        active    46      2/25-30
30   Engineering                      active    47      2/31-34
1002 fddi-default                     active    7
1003 token-ring-default               active    10
1004 fddinet-default                  active    8
1005 trnet-default                    active    9

The 2900XL is in client VTP mode. Therefore, VLAN information should get passed on to the
2900XL from the 4000.

Step 5.
Now cable up the trunk line. Connect Port 1 (fa0/1) on the ALSwitch to port 2/3, (first 10/100
Ethernet port), on the DLSwitch1. Note: The ALSwitch is the 2900XL switch and the DLSwitch is
the 4000 switch.

1. What type of cable is used to connect the two switches together?

Use the appropriate cable to connect these two switches together.

Step 6.
Configure each end of the trunk link as an 802.1q encapsulated trunk line.

On the Catalyst 4000:

DLSwitch1> (enable) set trunk 2/3 nonegotiate dot1q 1-1005

This command sets port 2/3 to a dot1q trunk line that supports VLANs 1-1005. The
nonegotiate command tells the switch that it should not try to auto sense what type of trunk
link this is.

On the Catalyst 2900XL:

ALSwitch#config term
ALSwitch(config)#int fa0/1
ALSwitch(config-if)#switchport mode trunk
ALSwitch(config-if)#switchport trunk encapsulation dot1q

The first interface command tells the switch that this switch port is a trunk link. The second
command tells the switch that this is an 802.1q trunk line.

Step 7.
Now that the VLAN trunk link is configured, check to see if the VTP client (the 2900XL) has
picked up the defined VLANs.

The two switches may need a few moments to exchange VLAN information.

Use the show vlan command on the 2900XL to see if it has learned the new VLANs from the
4000.

ALSwitch#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12
10   Accounting                       active
20   Marketing                        active
30   Engineering                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      0      -        -    -        0      0
1003 tr    101003     1500  -      0      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

The three VLANs that were created on the 4000 can now be seen showing up on the 2900XL.

Even though the VLANs are now configured on the 2900XL, no ports have been assigned to
those VLANs.
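Added example, not part of the original labs: a Python parser that turns the CatOS show vlan output from Lab 3.3.1.1 and the IOS show vlan output above into a port-to-VLAN map and compares it with the labs' design tables, so that question 4 of Lab 3.3.1.1 ("what ports are assigned to what VLAN") is answered by a check rather than by eye. Both outputs are constructed from the ones printed in the labs; the range form Fa0/4-6 for the ALSwitch design is this script's own shorthand for Fa0/4-Fa0/6.

```python
import re
from typing import Dict, List

# Matches one port token from the port column of "show vlan": CatOS ranges
# such as "2/19-24" or "1/1-2", and IOS names such as "Fa0/2," (IOS lists
# ports comma-separated, so a trailing comma is tolerated).
PORT_RE = re.compile(r"^([A-Za-z]*\d+/)(\d+)(?:-(\d+))?,?$")

# Constructed sample of the CatOS output shown for DLSwitch1 (Labs 3.3.1.1 / 3.6.4).
CATOS_SHOW_VLAN = """\
VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    6       1/1-2
                                                        2/1-18
10   Accounting                       active    45      2/19-24
20   Marketing                        active    46      2/25-30
30   Engineering                      active    47      2/31-34
1002 fddi-default                     active    7
1003 token-ring-default               active    10
1004 fddinet-default                  active    8
1005 trnet-default                    active    9
"""

# Constructed sample of the IOS output shown for ALSwitch in Lab 3.6.4 Step 7,
# i.e. after VTP delivered the VLANs but before Step 8 assigned any ports.
IOS_SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12
10   Accounting                       active
20   Marketing                        active
30   Engineering                      active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
"""

# The labs' design tables as {vlan: [port tokens]} (range shorthand is ours).
DLSWITCH1_DESIGN = {10: ["2/19-24"], 20: ["2/25-30"], 30: ["2/31-34"]}
ALSWITCH_DESIGN = {10: ["Fa0/4-6"], 20: ["Fa0/7-9"], 30: ["Fa0/10-12"]}


def expand_port(token: str) -> List[str]:
    """Expand one port token, which may be a range, into individual port names."""
    m = PORT_RE.match(token)
    if not m:
        return []
    prefix, first = m.group(1), int(m.group(2))
    last = int(m.group(3)) if m.group(3) else first
    return [f"{prefix}{n}" for n in range(first, last + 1)]


def parse_show_vlan(output: str) -> Dict[str, int]:
    """Return {port: vlan_id} from CatOS or IOS 'show vlan' output.

    Only the first table (VLAN / Name / Status / ports) is read; the IOS
    'VLAN Type SAID ...' table that follows it is ignored. Trunk ports do not
    appear in either output, so they never show up in the map.
    """
    port_to_vlan: Dict[str, int] = {}
    current_vlan = None
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "VLAN":
            if len(tokens) > 1 and tokens[1] == "Type":
                break  # start of the second IOS table
            continue
        if tokens[0].startswith("----"):
            continue
        if tokens[0].isdigit():
            current_vlan = int(tokens[0])  # a new VLAN row
        if current_vlan is None:
            continue  # wrapped port list before any VLAN row
        for tok in tokens:
            for port in expand_port(tok):
                port_to_vlan[port] = current_vlan
    return port_to_vlan


def check_design(port_to_vlan: Dict[str, int], design: Dict[int, List[str]]) -> List[str]:
    """One finding per port that is not where the design table places it."""
    findings = []
    for vlan, tokens in design.items():
        for port in (p for tok in tokens for p in expand_port(tok)):
            actual = port_to_vlan.get(port)
            if actual is None:
                findings.append(f"{port}: absent from show vlan output, design says VLAN {vlan}")
            elif actual != vlan:
                findings.append(f"{port}: in VLAN {actual}, design says VLAN {vlan}")
    return findings


if __name__ == "__main__":
    for name, output, design in (("DLSwitch1", CATOS_SHOW_VLAN, DLSWITCH1_DESIGN),
                                 ("ALSwitch", IOS_SHOW_VLAN, ALSWITCH_DESIGN)):
        for finding in check_design(parse_show_vlan(output), design) or ["matches design"]:
            print(f"{name}: {finding}")
```

Run against the Step 7 output the ALSwitch check reports all nine access ports still in VLAN 1, which is exactly the state Step 8 corrects; after Step 8 a fresh show vlan should produce no findings.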

Step 8.
Assign ports on the 2900XL to their appropriate VLANs:

ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30

ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30

ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30

Step 9.
On the Catalyst 2900XL, examine the output of the show vtp counters and show vtp
status commands.

2. What command shows how many VTP advertisements have been transmitted and
received?

3. What command shows which mode, server or client, the switch is in?

Step 10.
On the Catalyst 4000, examine the output of the show vtp statistics and show vtp
domain commands.

4. What command shows how many VTP advertisements have been transmitted and
received?

5. What command shows which mode, server or client, the switch is in?

Step 11.
Now place two workstations in the same VLAN but on different switches. Try to ping one
another. This should be successful.

Lab 3.8.2: VTP Pruning

Diagram: DLSwitch1 (4006, 10.1.1.250/24) and ALSwitch (2900XL, 10.1.1.251/24) joined by an 802.1q trunk between DLSwitch1 port 2/3 and ALSwitch port 1, with a workstation on each switch. On both switches: native VLAN 1 (10.1.1.0/24, ports 2/4-16 and fa0/2-fa0/3), Accounting VLAN 10 (10.1.10.0/24, ports 2/19-2/24 and fa0/4-fa0/6), Marketing VLAN 20 (10.1.20.0/24, ports 2/25-2/30 and fa0/7-fa0/9), Engineering VLAN 30 (10.1.30.0/24, ports 2/31-2/34 and fa0/10-fa0/12).

Objective:

Configure VTP pruning between a Catalyst 4000 switch and Catalyst 2900 switch.

Scenario:

A VTP trunk line has been configured between the distribution layer switch and the access layer
switch. However, there are no workstations in VLANs 10 and 20 connected to the access layer
switch. There is no reason for broadcast traffic for VLANs 10 and 20 to travel over the trunk link
and down to the access layer any more because there are no devices down there.

VTP pruning allows VTP to intelligently determine that there are no devices in a particular VLAN
at the other end of a trunk link. VTP will then temporarily prune that VLAN from the trunk. Should
a device join that VLAN in the future, the VLAN will be placed back on the trunk line.

Design:

Switched Network VTP Configuration Information:

Switch      VTP Domain   VTP Mode
DLSwitch1   Corp         Server
ALSwitch    Corp         Client

1-1 Switching Section 3: Introduction to VLANs - Lab 3.8.2 Copyright  2002, Cisco Systems, Inc.
Switch VLAN Port Assignments:

Switch      VLAN 1 (Default)   VLAN 10 (Accounting)   VLAN 20 (Marketing)   VLAN 30 (Engineering)
DLSwitch1   -                  19-24                  25-30                 31-34
ALSwitch    -                  4-6                    7-9                   10-12

Lab Tasks:

If this lab is a continuation of the VTP trunk and domain lab, skip to Step 10.

Step 1.
First, configure the 4000 switch according to the diagram. Skip this step if the configuration
from Lab 3.1.3, Catalyst 4000 Initial Setup, is already in place.

Console> enable
Console> (enable) set system name DLSwitch1
System name set.
DLSwitch1> (enable)

DLSwitch1> (enable) set password
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set enablepass
Enter old password: (Because there is not currently a password, just hit enter)
Enter new password:
Retype new password:
Password changed.

DLSwitch1> (enable) set interface sc0 10.1.1.250 255.255.255.0
DLSwitch1> (enable) set interface sc0 1

Step 2.
Next, configure the 2900 switch according to the diagram. The same configuration that was used in
Lab 3.2.3, Catalyst 2900 Initial Setup, can be used here. If that configuration is in place, skip this
step.

Switch>enable
Switch#

Set the switch name.

Switch#config terminal
Switch(config)#host ALSwitch
ALSwitch(config)#

ALSwitch(config)#enable password class


ALSwitch(config)#line con 0

ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login
ALSwitch(config-line)#line vty 0 15
ALSwitch(config-line)#password cisco
ALSwitch(config-line)#login

ALSwitch(config)#interface vlan 1
ALSwitch(config-if)#ip address 10.1.1.251 255.255.255.0

Step 3.
Configure VLAN Trunking Protocol (VTP) on both switches. VTP is the protocol that will
communicate information about which VLANs exist from one switch to another. If VTP did not
provide this information, the VLANs on all switches would have to be created individually.

By default, the Catalyst 4000 is configured as a VTP server, so VTP server mode does not need
to be enabled.

In the event that this was changed, use the following command to set it back:

DLSwitch1> (enable) set vtp mode server

The 4000 is to act as a VTP server to provide the VLAN information to the other switches.

Once the 4000 is setup as a VTP server, the VTP domain name needs to be specified:

DLSwitch1> (enable) set vtp domain corp

This command sets the VTP domain name to 'corp'. The same domain name must be configured on
every other switch in this VTP domain.

The Catalyst 2900XL will be configured as the VTP client. The 2900XL is to learn the
VLANs from the 4000's VTP server.

This is done through the vlan database command on the 2900XL. This command enters
a new type of IOS configuration mode. Notice that this mode is entered from the
privileged exec prompt, and not from the usual global configuration mode.

ALSwitch#vlan database
ALSwitch(vlan)#vtp client
ALSwitch(vlan)#vtp domain corp
ALSwitch(vlan)#exit
ALSwitch#

This sets the 2900XL in client VTP mode and sets the VTP domain name to ’corp’.

Once the VTP protocol is configured, the VLANs can then be configured.

Step 4.
Next, assign the ports on the 4000 to their appropriate VLANs and set the VLAN names.

DLSwitch1> (enable) set vlan 10 2/19-24


DLSwitch1> (enable) set vlan 20 2/25-30
DLSwitch1> (enable) set vlan 30 2/31-34
DLSwitch1> (enable) set vlan 10 name Accounting

DLSwitch1> (enable) set vlan 20 name Marketing
DLSwitch1> (enable) set vlan 30 name Engineering

The other ports do not need to be configured as VLAN 1 because that is the default VLAN to
which ports are assigned.

Use the show vlan command to verify that the ports are assigned to the correct VLAN.

DLSwitch1> (enable) sh vlan


VLAN Name Status IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1 default active 6 1/1-2
2/1-18
10 Accounting active 45 2/19-24
20 Marketing active 46 2/25-30
30 Engineering active 47 2/31-34
1002 fddi-default active 7
1003 token-ring-default active 10
1004 fddinet-default active 8
1005 trnet-default active 9

The 2900XL is in client VTP mode. All of this VLAN information should get passed on to the
2900XL from the 4000.

Step 5.
Now cable up the trunk link. Connect Port 1 (fa0/1) on the ALSwitch to port 2/3 (the first 10/100
Ethernet port) on the DLSwitch1. Note: The ALSwitch is the 2900XL switch and the DLSwitch1 is
the 4000 switch.

Use the appropriate cable to connect these two switches together.

Step 6.
Configure the end of each trunk link as an 802.1q encapsulated trunk line.

On the Catalyst 4000:

DLSwitch1> (enable) set trunk 2/3 nonegotiate dot1q 1-1005

This command sets port 2/3 to a dot1q trunk line that carries VLANs 1-1005. The nonegotiate
keyword tells the switch not to try to auto-sense (negotiate) the trunk type with the far end.

On the Catalyst 2900XL:

ALSwitch#config term
ALSwitch(config)#int fa0/1
ALSwitch(config-if)#switchport mode trunk
ALSwitch(config-if)#switchport trunk encapsulation dot1q

The first interface command tells the switch that this switch port is a trunk link. The second
command tells the switch that this is an 802.1q trunk line.

Step 7.
Now that the VLAN trunk link is configured, check to see if the VTP client, the 2900XL, has picked
up the defined VLANs.

The two switches may need a few moments to exchange VLAN information.

Use the show vlan command on the 2900XL to see if it has learned the new VLANs from
the 4000.

ALSwitch#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/2, Fa0/3, Fa0/4, Fa0/5,
Fa0/6, Fa0/7, Fa0/8, Fa0/9,
Fa0/10, Fa0/11, Fa0/12
10 Accounting active
20 Marketing active
30 Engineering active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
20 enet 100020 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
1002 fddi 101002 1500 - 0 - - - 0 0
1003 tr 101003 1500 - 0 - - srb 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

The three VLANs that were created on the 4000 now appear on the 2900XL.

Even though the VLANs are now configured on the 2900XL, no ports have been assigned to
those VLANs.

Step 8.
Assign ports on the 2900XL to their appropriate VLANs:

ALSwitch(config)#interface fa0/4
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/5
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/6
ALSwitch(config-if)#switchport access vlan 10

ALSwitch(config)#interface fa0/7
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/8
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/9
ALSwitch(config-if)#switchport access vlan 20

ALSwitch(config)#interface fa0/10
ALSwitch(config-if)#switchport access vlan 30

ALSwitch(config)#interface fa0/11
ALSwitch(config-if)#switchport access vlan 30

ALSwitch(config)#interface fa0/12
ALSwitch(config-if)#switchport access vlan 30

Step 9.
From the ALSwitch, attempt to ping the DLSwitch1. This ping should be successful.

ALSwitch#ping 10.1.1.250

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/13/36 ms

Step 10.
Make sure that there are no devices plugged into the non-trunk ports on ALSwitch.

Examine the output from the show trunk command on DLSwitch1:

DLSwitch1> (enable) sh trunk
* - indicates vtp domain mismatch
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
2/3 nonegotiate dot1q trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
2/3 1-1005

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
2/3 1,10,20,30

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
2/3 1,10,20,30

Notice that all defined VLANs 10, 20, and 30 are in spanning tree forwarding state and not
pruned. However, no devices in those VLANs are attached to ALSwitch. Forwarding broadcast
traffic for VLANs 10, 20 and 30 across the trunk is wasted if there are no hosts there to receive it.

Step 11.
Configure VTP pruning.

VTP pruning solves this problem. Pruning checks whether the switch at the other end of a trunk link
has any active members in a VLAN. If it does not, that VLAN is 'pruned' from the spanning tree
forwarding state on the trunk, which temporarily keeps that VLAN's traffic from coming down the trunk line.

On DLSwitch1:

DLSwitch1> (enable) set vtp pruning enable


This command will enable the pruning function in the entire
management domain. All devices in the management domain should be
pruning-capable before enabling.

Do you want to continue (y/n) [n]? y

On ALSwitch:

ALSwitch#vlan database
ALSwitch(vlan)#vtp pruning
ALSwitch(vlan)#exit

This enables VTP pruning on ALSwitch as well, so unused VLANs can be pruned from the spanning-tree forwarding state on the trunk.

Step 12.
Verify that pruning is in process:

DLSwitch1> (enable) sh trunk
* - indicates vtp domain mismatch
Port Mode Encapsulation Status Native vlan
-------- ----------- ------------- ------------ -----------
2/3 nonegotiate dot1q trunking 1

Port Vlans allowed on trunk
-------- ---------------------------------------------------------------------
2/3 1-1005

Port Vlans allowed and active in management domain
-------- ---------------------------------------------------------------------
2/3 1,10,20,30

Port Vlans in spanning tree forwarding state and not pruned
-------- ---------------------------------------------------------------------
2/3 1

Notice that now, only VLAN 1 is in a forwarding state.
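The show trunk listings in Steps 10 and 12 differ only in their last table, and the difference can be extracted mechanically. The following Python script is an added example, not part of the Cisco lab: it parses CatOS show trunk output, expands the VLAN lists and reports, for each trunk port, which VLANs active in the domain VTP has pruned from the forwarding state, and whether the port carries the domain-mismatch marker. The sample text is constructed to match the Step 12 output.

```python
import re
# Constructed sample in the Step 12 'show trunk' format (after pruning was enabled).
SHOW_TRUNK_AFTER = """\
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 2/3      nonegotiate  dot1q          trunking      1
Port      Vlans allowed on trunk
--------  ------------------------------------------------------
 2/3      1-1005
Port      Vlans allowed and active in management domain
--------  ------------------------------------------------------
 2/3      1,10,20,30
Port      Vlans in spanning tree forwarding state and not pruned
--------  ------------------------------------------------------
 2/3      1
"""

SECTIONS = {  # header text -> key used in the parsed result
    "Vlans allowed on trunk": "allowed",
    "Vlans allowed and active in management domain": "active",
    "Vlans in spanning tree forwarding state and not pruned": "forwarding",
}

def expand_vlans(spec):
    """Expand a CatOS VLAN list such as '1-1005' or '1,10,20,30' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_show_trunk(text):
    """Return {port: {'mismatch': bool, 'allowed': set, 'active': set, 'forwarding': set}}."""
    ports, key = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):  # a column header decides which table follows
            key = next((v for k, v in SECTIONS.items() if k in line), "status")
        elif key and (m := re.match(r"\s*(\*?)(\d+/\d+)\s+(\S+)", line)):
            star, port, first = m.groups()  # a leading '*' marks a VTP domain mismatch
            entry = ports.setdefault(port, {"mismatch": False})
            if key == "status":
                entry["mismatch"] = star == "*"
            else:
                entry[key] = expand_vlans(first)
    return ports

def pruned_vlans(text):
    """Per trunk port: VLANs active in the domain that VTP pruned from the forwarding state."""
    return {p: e["active"] - e["forwarding"] for p, e in parse_show_trunk(text).items()}

if __name__ == "__main__":
    for port, vlans in pruned_vlans(SHOW_TRUNK_AFTER).items():
        print(f"trunk {port}: pruned VLANs {sorted(vlans)}")  # trunk 2/3: pruned VLANs [10, 20, 30]
```

Run against the Step 10 output instead, the pruned set for 2/3 is empty, which is exactly the condition the lab asks you to notice before enabling pruning.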

1. Why is VLAN 1 there?

2. Why are all of the other VLANs not there?

Plug a workstation into a VLAN 30 port on ALSwitch.

3. Check the show trunk command again. What has changed?

Move the workstation to a port in either VLAN 10 or 20.

4. Does the spanning tree forwarding state update?

5. How long does it take?

Switching Resources

Modern Ethernet:

Academy Curriculum:
This link provides information about Gigabit Ethernet in your high speed
backbone. http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch2/2_3_1/index.html

Cisco Documentation CD:


The following page provides background information on the many different
forms of Ethernet. Visit the link for a detailed comparison of Ethernet standards,
Media, and performance characteristics.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ethernet.htm

The following link is to the Cisco documentation CD Ethernet technologies


chapter. Topics are general, but include Ethernet history, topologies,
comparison to ISO Reference Model, etc.
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ethernet.htm

This link accesses the Cisco documentation CD for the Catalyst 2950 switch. It
is documentation for the CLI software configuration guide.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swcli.htm

This link accesses the Cisco documentation CD for the Catalyst 2900 series
switch. It is documentation for the Cisco IOS CLI configuration and reference
guide.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2900/cgcr29k/admin.htm

This link accesses the Cisco documentation CD. Information is provided for the
Cisco IOS CLI for the Catalyst 2900 XL and Catalyst 3500 XL switch.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc5/scg/swcli.htm

Internet:
This link provides very detailed information about Ethernet frame over
SDH/WDM.
http://grouper.ieee.org/groups/802/3/ad_hoc/etholaps/public/docs/3151r1.pdf
This article is an informative review on 10 Gigabit Ethernet connected to Wide
Area Networks using SONET.
http://www.10gea.org/10GbE%20Interconnection%20with%20WAN_0302.pdf

Copyright  2002, Cisco Systems, Inc. Switching: Resources 1-1


This link provides general information on 10 Gbit Ethernet, IEEE 802.3ae.
http://www.ethermanage.com/ethernet/10gig.html
This link is a tutorial on the functional basics and physical encoding of
1000Base-T Gigabit Ethernet. ftp://ftp.iol.unh.edu/pub/gec/training/pcs.pdf
This link provides background and technical information about Gigabit Ethernet
over 4-pair, 100 ohm, Category 5 cable.
http://www.10gea.org/GEA1000BASET1197_rev-wp.pdf
This link provides information on 1Gbps Ethernet physical encoding (8B/10B).
http://www.iol.unh.edu/training/ge/index.html
This link provides configuration guideline information about Ethernet
Multi-Segments. It is chapter 13 of a book by Charles E. Spurgeon.
http://www.ethermanage.com/ethernet/ch13-ora/ch13.html

This link is a white paper from Intel that provides information on the new
Ethernet. It is a discussion on new advances in Ethernet technology, and how
these trends are affecting the way to work, connect, and communicate.
http://www.intel.com/network/ethernet/ethernet_r03.pdf

This link from Cisco and Intel is an informative solution to deploying Gigabit
Ethernet over copper throughout the campus network. It also contains
information on Cisco equipment layout throughout the enterprise.
http://www.cisco.com/offer/tdm_home/pdfs/infrastructure/lan/ciscointel_sb.pdf

Switch CLI

Academy Curriculum:

This link provides a lab activity to configure a Cisco Catalyst 2900 Ethernet
switch for the first time.
http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch3/lab_3_2_3/index.html

This link provides a lab activity to regain control of a Cisco Catalyst 2900
Ethernet switch after the passwords have been lost or stolen.
http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch3/3_3_4/index.html

This link provides an interactive lab activity to configure basic management on


the Catalyst 2900 series access switch.
http://ccnp.netacad.net/prot-doc/curriculum/sem7sv/en/ch3/3_2_4/index.html

CCO:
This link accesses the FAQs page for Cisco Long-Reach Ethernet (LRE)
technology.
http://www.cisco.com/warp/public/794/lre_faq.html

This link provides access to a white paper on the Cisco Long-Reach Ethernet
(LRE) networking solution.
http://www.cisco.com/warp/public/146/news_cisco/ekits/Lre-wp.pdf



This is the CCO site. Documentation is provided on the steps necessary to
upgrade the Catalyst 1900 and 2820 IOS images. While the link does not
identify the specific IOS image used for the academy, it does provide a general
upgrade procedure. http://www.cisco.com/warp/customer/473/10.html#3
This Cisco White Paper provides an overview of FastEthernet technology. It
includes FastEthernet history, media, and operational specifications.
http://cisco.com/warp/public/cc/so/neso/lnso/lnmnso/feth_tc.htm
