What is a Computer Network?
A computer network allows sharing of resources and information among interconnected devices. In the
1960s, the Advanced Research Projects Agency (ARPA) started funding the design of the Advanced
Research Projects Agency Network (ARPANET) for the United States Department of Defense. It was the
first computer network in the world. Development of the network began in 1969, based on designs
developed during the 1960s.
Computer networks can be used for a variety of purposes:
Facilitating communications. Using a network, people can communicate efficiently and easily via
email, instant messaging, chat rooms, telephone, video telephone calls, and video conferencing.
Sharing hardware. In a networked environment, each computer on a network may access and use
hardware resources on the network, such as printing a document on a shared network printer.
Sharing files, data, and information. In a network environment, authorized users may access data
and information stored on other computers on the network. The capability of providing access to
data and information on shared storage devices is an important feature of many networks.
Sharing software. Users connected to a network may run application programs on remote
What is Networking?
Networking is a common synonym for developing and maintaining contacts and personal connections
with a variety of people who might be helpful to you and your career.
Networking is the practice of linking two or more computing devices together for the purpose of sharing
data. Networks are built with a mix of computer hardware and computer software. It is an especially
important aspect of career management in the financial services industry, since it helps you keep
Types of networks
A local area network (LAN) is a network that connects computers and devices in a limited
geographical area such as a home, school, computer laboratory, office building, or closely
positioned group of buildings. Each computer or device on the network is a node. Current wired
LANs are most likely to be based on Ethernet technology, although new standards like ITU-T
G.hn also provide a way to create a wired LAN using existing home wires (coaxial cables, phone
lines and power lines).
A personal area network (PAN) is a computer network used for communication among computers
and other information technology devices close to one person. Some examples of devices
that are used in a PAN are personal computers, printers, fax machines, telephones, PDAs,
scanners, and even video game consoles. A PAN may include wired and wireless devices. The
reach of a PAN typically extends to 10 meters. A wired PAN is usually constructed with USB
and FireWire connections, while technologies such as Bluetooth and infrared communication
typically form a wireless PAN.
Home area network
A home area network (HAN) is a residential LAN which is used for communication between
digital devices typically deployed in the home, usually a small number of personal computers
and accessories, such as printers and mobile computing devices. An important function is the
sharing of Internet access, often a broadband service through a CATV or Digital Subscriber Line
(DSL) provider. It can also be referred to as an office area network (OAN).
Wide area network
A wide area network (WAN) is a computer network that covers a large geographic area such as a
city or country, or even spans intercontinental distances, using a communications channel that
combines many types of media such as telephone lines, cables, and air waves. A WAN often
uses transmission facilities provided by common carriers, such as telephone companies. WAN
technologies generally function at the lower three layers of the OSI reference model: the physical
layer, the data link layer, and the network layer.
A campus network is a computer network made up of an interconnection of local area networks
(LANs) within a limited geographical area. The networking equipment (switches, routers) and
transmission media (optical fiber, copper plant, Cat5 cabling etc.) are almost entirely owned by
the campus tenant/owner (an enterprise, university, government etc.).
In the case of a university campus network, the network is likely to link a variety
of campus buildings including academic departments, the university library and student
A Metropolitan area network is a large computer network that usually spans a city or a large
Virtual private network
A virtual private network (VPN) is a computer network in which some of the links between
nodes are carried by open connections or virtual circuits in some larger network (e.g., the
Internet) instead of by physical wires. The data link layer protocols of the virtual network are
said to be tunneled through the larger network when this is the case. One common application is
secure communications through the public Internet, but a VPN need not have explicit security
features, such as authentication or content encryption. VPNs, for example, can be used to
separate the traffic of different user communities over an underlying network with strong
What is network topology?
Network topology is the layout pattern of interconnections of the various elements (links, nodes,
etc.) of a computer network. Network topologies may be physical or logical. Physical
topology means the physical design of a network including the devices, location and cable
installation. Logical topology refers to how data is actually transferred in a network as opposed
to its physical design.
Various topologies:
Many devices connect to a single cable "backbone". If the backbone is broken, the entire
segment fails. Bus topologies are relatively easy to install and don't require much cabling
compared to the alternatives.
In a ring network, every device has exactly two neighbours for communication purposes. All
messages travel through a ring in the same direction. Like the bus topology, a failure in any cable
or device breaks the loop and will take down the entire segment. A disadvantage of the ring is
that if any device is added to or removed from the ring, the ring is broken and the segment fails
until it is "reforged" (by dwarfish goldsmiths?). It is also considerably more expensive than
A star network has a central connection point, such as a hub or switch. While it takes more cable,
the benefit is that if a cable fails, only one node will be brought down.
All traffic emanates from the hub of the star. The central site is in control of all the nodes
attached to it. The central hub is usually a fast, self-contained computer and is responsible for
routing all traffic to other nodes. The main advantage of a star network is that one
malfunctioning node does not affect the rest of the network. However, this type of network can be
prone to bottleneck and failure problems at the central site.
Also known as the hierarchical topology, the tree topology is a combination of bus and star
topologies. It is very common in larger networks. A typical scenario is: a file server is
connected to a backbone cable (e.g. coaxial) that runs through the building, from which switches
are connected, branching out to workstations.
In the topologies shown above, there is only one possible path from one node to another node. If
any cable in that path is broken, the nodes cannot communicate.
Mesh topology uses lots of cables to connect every node with every other node. It is very
expensive to wire up, but if any cable fails, there are many other ways for two nodes to
communicate. Some WANs, like the Internet, employ mesh routing. In fact the Internet was
deliberately designed like this to allow sites to communicate even during a nuclear war.
A hybrid network is a combination of different topologies such as star, ring, mesh, bus etc. For
example, one department may use a bus network, a second department a ring network, a third
department a mesh network and a fourth department a star network. All the networks
of different types (of the four departments) can be connected together through a central hub (in the
form of a star network) as shown in the figure below.
Basic networking devices
Computer networking devices are units that mediate data in a computer network. Computer
networking devices are also called network equipment, Intermediate Systems (IS) or
InterWorking Units (IWU). Units that are the final receivers or generators of data are called hosts or
data terminal equipment.
A router is a communication device that is used to connect two logically and physically different
networks: two LANs, two WANs, or a LAN with a WAN. The main function of the router is to
sort and distribute the data packets to their destinations based on their IP addresses.
Routers provide connectivity between enterprise businesses and ISPs, and in the Internet
infrastructure the router is the main device. Cisco routers are widely used in the world. Every router
has routing software, which is known as IOS. A router operates at the network layer of the OSI
model. A router does not broadcast the data packets.
We have two types of router:
2. Software: this router is provided by the RRAS service.
Like the router, a switch is an intelligent device that maps the IP address to the MAC address
of the LAN card. Unlike hubs, a switch does not broadcast the data to all the computers; it
sends the data packets only to the destined computer. Switches are used in the LAN, MAN and
WAN. In an Ethernet network, computers are directly connected to the switch via twisted pair
cables. In a network, switches use three methods to transmit the data, i.e. store and forward,
cut through and fragment free.
We have two types of switch:
1. Manageable switch: it has a console port, through which we can manage the switch according to
our needs.
2. Non-manageable switch: it has no console port; we use this switch as we purchase it.
The central connecting device in a computer network is known as a hub. There are two types of
hub, i.e. active hub and passive hub. Every computer is directly connected to the hub. When
data packets arrive at the hub, it broadcasts them to all the LAN cards in the network; the destined
recipient picks them up and all other computers discard the data packets. A hub has five, eight,
sixteen or more ports, and one port is known as the uplink port, which is used to connect with the
A modem is a communication device that is used to provide connectivity with the Internet.
A modem works in two ways, i.e. modulation and demodulation. It converts digital data into
analogue and analogue into digital.
LAN cards or network adapters are the building blocks of a computer network. No computer can
communicate without a properly installed and configured LAN card. Every LAN card is
provided with a unique IP address, subnet mask, gateway and DNS (if applicable). A UTP/STP
cable connects a computer with the hub or switch. Both ends of the cable have RJ-45
connectors; one is inserted into the LAN card and one into the hub/switch. LAN cards are inserted
into the expansion slots inside the computer. Different LAN cards support different speeds, from
10/100 to 10/1000.
Ethernet = 10 Mbps
Fast Ethernet = 100 Mbps
Giga Ethernet = 1000 Mbps
Fastgiga Ethernet = 10000 Mbps
A repeater connects two segments of your network cable. It retimes and regenerates the signals
to proper amplitudes and sends them to the other segment. When talking about Ethernet
topology, you are probably talking about using a hub as a repeater. Repeaters require a small
amount of time to regenerate the signal. This can cause a propagation delay which can affect
network communication when there are several repeaters in a row. Many network architectures
limit the number of repeaters that can be used in a row. Repeaters work only at the physical layer
of the OSI network model.
A bridge reads the outermost section of data on the data packet, to tell where the message is
going. It reduces the traffic on other network segments, since it does not send all packets.
Bridges can be programmed to reject packets from particular networks. Bridging occurs at the
data link layer of the OSI model, which means the bridge cannot read IP addresses, but only the
outermost hardware address of the packet. In our case the bridge can read the ethernet data which
gives the hardware address of the destination address, not the IP address. Bridges forward all
broadcast messages. Only a special bridge called a translation bridge will allow two networks of
different architectures to be connected. Bridges do not normally allow connection of networks
with different architectures.
The hardware address is also called the MAC (media access control) address. To determine the
network segment a MAC address belongs to, bridges use one of:
Transparent Bridging - They build a table of addresses (bridging table) as they receive packets. If
the address is not in the bridging table, the packet is forwarded to all segments other than the one
it came from. This type of bridge is used on ethernet networks.
Source route bridging - The source computer provides path information inside the packet. This is
used on Token Ring networks.
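The learning-and-forwarding behaviour of a transparent bridge described above, as an added simulation that is not part of the original page; the segment names, MAC addresses and frame sequence are constructed:

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source hardware (MAC) address
    dst: str      # destination hardware (MAC) address
    ingress: str  # segment the bridge received the frame on


@dataclass
class TransparentBridge:
    segments: list
    # the bridging table: MAC address -> segment it was last seen on
    table: dict = field(default_factory=dict)

    def forward(self, frame):
        """Return the list of segments the frame is sent out on.

        The bridge first learns the source address from every frame it sees.
        Then: a broadcast or unknown destination is flooded to every segment
        except the one the frame arrived on; a destination known to be on the
        ingress segment is filtered (forwarded nowhere, which is how a bridge
        reduces traffic on the other segments); otherwise the frame goes to
        the one segment the table names.
        """
        self.table[frame.src] = frame.ingress
        if frame.dst == BROADCAST or frame.dst not in self.table:
            return [s for s in self.segments if s != frame.ingress]
        out_segment = self.table[frame.dst]
        if out_segment == frame.ingress:
            return []
        return [out_segment]


def run_demo():
    """Replay a constructed frame sequence; return the decisions and the table."""
    bridge = TransparentBridge(segments=["seg1", "seg2", "seg3"])
    h1, h2, h3 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
    frames = [
        Frame(h1, h2, "seg1"),         # h2 unknown yet: flooded to seg2, seg3
        Frame(h2, h1, "seg2"),         # reply: h1 already learned on seg1
        Frame(h1, h2, "seg1"),         # both known: goes to seg2 only
        Frame(h3, h1, "seg1"),         # h1 is on the ingress segment: filtered
        Frame(h3, BROADCAST, "seg1"),  # broadcasts are always forwarded
    ]
    decisions = [bridge.forward(f) for f in frames]
    return decisions, dict(bridge.table)


if __name__ == "__main__":
    for decision in run_demo()[0]:
        print(decision)
```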
A gateway can translate information between different network data formats or network
architectures. It can translate TCP/IP to AppleTalk so computers supporting TCP/IP can
communicate with Apple brand computers. Most gateways operate at the application layer, but
can operate at the network or session layer of the OSI model. A gateway will start at the lower
level and strip information until it gets to the required level, then repackage the information and
work its way back toward the hardware layer of the OSI model. To confuse issues, when talking
about a router that is used to interface to another network, the word gateway is often used. This
does not mean the routing machine is a gateway as defined here, although it could be.
When dealing with networking, you may hear the terms "network model" and "network layer"
used often. Network models define a set of network layers and how they interact. There are
several different network models depending on what organization or company started them. The
most important two are:
The TCP/IP Model - This model is sometimes called the DOD model since it was designed
for the Department of Defense. It is also called the Internet model because TCP/IP is the protocol
used on the Internet.
OSI Network Model - The International Standards Organization (ISO) has defined a
standard called the Open Systems Interconnection (OSI) reference model. This is a seven layer
architecture listed in the next section.
Layers in the TCP/IP model
Application Layer (process-to-process): This is the scope within which applications create user
data and communicate this data to other processes or applications on another or the same host.
The communications partners are often called peers. This is where the "higher level" protocols
such as SMTP, FTP, SSH, HTTP, etc. operate.
Transport Layer (host-to-host): The Transport Layer constitutes the networking regime
between two network hosts, either on the local network or on remote networks separated by
Internet Layer (internetworking): The Internet Layer has the task of exchanging datagrams
across network boundaries. It is therefore also referred to as the layer that establishes
internetworking, indeed, it defines and establishes the Internet. This layer defines the addressing
and routing structures used for the TCP/IP protocol suite.
Link Layer: This layer defines the networking methods within the scope of the local network link
on which hosts communicate without intervening routers. This layer describes the protocols used
to describe the local network topology and the interfaces needed to effect transmission of
Internet Layer datagrams to next-neighbor hosts.
The OSI, or Open System Interconnection, model defines a networking framework for
implementing protocols in seven layers. Control is passed from one layer to the next, starting at
the application layer in one station, and proceeding to the bottom layer, over the channel to the
next station and back up the hierarchy.
Application (Layer 7)
This layer supports application and end-user processes. Communication partners are identified,
quality of service is identified, user authentication and privacy are considered, and any
constraints on data syntax are identified.
Presentation (Layer 6)
This layer provides independence from differences in data representation (e.g., encryption) by
translating from application to network format, and vice versa.
Session (Layer 5)
This layer establishes, manages and terminates connections between applications. The session
layer sets up, coordinates, and terminates conversations, exchanges, and dialogues between the
applications at each end. It deals with session and connection coordination.
Transport (Layer 4)
This layer provides transparent transfer of data between end systems, or hosts, and is responsible
for end-to-end error recovery and flow control. It ensures complete data transfer.
Network (Layer 3)
This layer provides switching and routing technologies, creating logical paths, known as virtual
circuits, for transmitting data from node to node.
Data Link (Layer 2)
At this layer, data packets are encoded and decoded into bits. It furnishes transmission protocol
knowledge and management and handles errors in the physical layer, flow control and frame
synchronization. The data link layer is divided into two sub layers: The Media Access Control
(MAC) layer and the Logical Link Control (LLC) layer.
Physical (Layer 1)
This layer conveys the bit stream (electrical impulse, light or radio signal) through the network
at the electrical and mechanical level.
TCP/IP Model vs OSI Model
No. | TCP/IP Reference Model | OSI Reference Model
1 | Defined after the advent of the Internet. | Defined before the advent of the Internet.
2 | Service interface and protocols were not clearly | Service interface and protocols are clearly
3 | TCP/IP supports internetworking. | Internetworking not supported.
4 | Loosely layered. | Strict layering.
5 | Protocol dependent standard. | Protocol independent standard.
6 | More credible. | Less credible.
7 | TCP reliably delivers packets, IP does not reliably deliver. | All packets are reliably delivered.
Basic Networking Cables
Networking Cables are used to connect one network device to other or to connect two or more
computers to share printer, scanner etc. Different types of network cables like Coaxial
cable, Optical fiber cable, Twisted Pair cables are used depending on the
network's topology, protocol and size. The devices can be separated by a few meters (e.g.
via Ethernet) or nearly unlimited distances (e.g. via the interconnections of the Internet).
While wireless may be the wave of the future, most computer networks today still use cables to
transfer signals from one point to another.
Twisted pair cabling is a type of wiring in which two conductors (the forward and return conductors of a
single circuit) are twisted together for the purposes of canceling out electromagnetic interference (EMI) from
external sources; for instance, electromagnetic radiation from unshielded twisted pair (UTP) cables,
and crosstalk between neighboring pairs. It was invented by Alexander Graham Bell.
[Figures: unshielded twisted pair cable with different twist rates; shielded twisted pair]
It is a thin, flexible cable that is easy to string between walls.
More lines can be run through the same wiring ducts.
UTP costs less per meter/foot than any other type of LAN cable.
Twisted pair’s susceptibility to electromagnetic interference greatly depends on the pair twisting schemes
(usually patented by the manufacturers) staying intact during the installation. As a result, twisted pair cables
usually have stringent requirements for maximum pulling tension as well as minimum bend radius. This relative
fragility of twisted pair cables makes the installation practices an important part of ensuring the cable’s
In video applications that send information across multiple parallel signal wires, twisted pair cabling can
introduce signaling delays known as skew which results in subtle color defects and ghosting due to the image
components not aligning correctly when recombined in the display device
Optical fiber cable
An optical fiber cable is a cable containing one or more optical fibers. The optical fiber elements are typically
individually coated with plastic layers and contained in a protective tube suitable for the environment where the
cable will be deployed.
An optical fiber is a single, hair-fine filament drawn from molten silica glass. These fibers are
replacing metal wire as the transmission medium in high-speed, high-capacity communications
systems that convert information into light, which is then transmitted via fiber optic cable.
Currently, American telephone companies represent the largest users of fiber optic cables, but
the technology is also used for power lines, local access computer networks, and video
Coaxial cable, or coax, is an electrical cable with an inner conductor surrounded by a flexible, tubular insulating
layer, surrounded by a tubular conducting shield. The term coaxial comes from the inner conductor and the outer
shield sharing the same geometric axis. Coaxial cable was invented by English engineer and mathematician Oliver
Heaviside, who first patented the design in 1880.
Coaxial cable is used as a transmission line for radio frequency signals, in applications such as connecting radio
transmitters and receivers with their antennas, computer network (Internet) connections, and distributing cable
television signals. One advantage of coax over other types of radio transmission line is that in an ideal coaxial cable
the electromagnetic field carrying the signal exists only in the space between the inner and outer conductors. This
allows coaxial cable runs to be installed next to metal objects such as gutters without the power losses that occur in
other types of transmission lines, and provides protection of the signal from external electromagnetic interference.
You usually use a straight cable to connect different types of devices. This type of cable will be used most of the time
and can be used to:
1) Connect a computer to a switch/hub's normal port.
2) Connect a computer to a cable/DSL modem's LAN port.
3) Connect a router's WAN port to a cable/DSL modem's LAN port.
4) Connect a router's LAN port to a switch/hub's uplink port. (normally used for expanding a network)
5) Connect 2 switches/hubs with one of the switches/hubs using an uplink port and the other one using a normal port.
A crossover cable connects two devices of the same type, for example DTE-DTE or DCE-DCE, usually connected
asymmetrically (DTE-DCE), by a modified cable called a crosslink. Such distinction of devices was introduced
Sometimes you will use a crossover cable; it's usually used to connect the same type of devices. A crossover cable can be
1) Connect 2 computers directly.
2) Connect a router's LAN port to a switch/hub's normal port. (normally used for expanding a network)
3) Connect 2 switches/hubs by using the normal port in both switches/hubs.
We use two types of cable in networking:
1. straight cable
2. cross cable
Colour coding of cable:
Straight cable (T-568B Straight-Through Ethernet Cable), end 1 / end 2:
1. orange white / orange white
2. orange / orange
3. green white / green white
4. blue / blue
5. blue white / blue white
6. green / green
7. brown white / brown white
8. brown / brown
Cross cable (RJ-45 Crossover Ethernet Cable), end 1 / end 2:
1. orange white / green white
2. orange / green
3. green white / orange white
4. blue / blue
5. blue white / blue white
6. green / orange
7. brown white / brown white
8. brown / brown
In today's networks, UTP cables are commonly used to connect computers in a network.
Depending on the colour coding, we have different cables like straight cable, cross cable and roll-
The cable used between the PC and the hub/switch is called a straight cable.
Straight cable can be used between:
PC - SWITCH
HUB (UPLINK PORT) - HUB
According to TIA/EIA (Telecommunications industry standard/Electronics industry standard), we
have the following two standards for making straight cable:
The cable used to connect two PCs is called a cross-over cable.
Cross cable can be used between:
PC - PC
HUB - HUB
SWITCH - SWITCH
ROUTER - PC
The cable used between a hardware router and a PC is called a roll-over cable.
In this cable, the colour coding used at one end is reversed at the other end.
Data travels only on the green or orange pairs of the cable.
There are two kinds of addresses used in networks:
Physical address:
1. It is also called the hardware address or MAC address. MAC stands for media access control.
2. It is present in the chip of a NIC card.
3. It is unique for every NIC card and cannot be changed.
4. It is 48 bits. Out of the 48 bits, 24 bits of the address are given by the manufacturer of the NIC card and the
remaining 24 bits of the address are defined as per instructions given by the IEEE.
5. IEEE stands for Institute of Electronics and Electrical Engineers.
Logical address:
1. It is also called the software address.
2. It is given by the user and can be changed at any time.
3. Several schemes or protocols are used to define the logical address of a computer.
4. These protocols are:
TCP/IP (Transmission Control Protocol/Internet Protocol)
IPX/SPX (Internetwork Packet Exchange/Sequential Packet Exchange)
DLC (Data Link Control)
A protocol is a set of rules which govern communication between computers.
1. It has become an industry standard.
2. It was developed by the DOD (Department of Defense) of the USA.
3. It is used both in the Internet (public network) and in intranets (private networks).
4. It is 32 bits.
5. The currently used version is IPv4.
6. IPv6 is also available.
7. It has four fields or octets.
8. Each octet is 8 bits.
9. It can be represented by
10. The minimum value of an octet is 0 and the maximum is 255.
11. Each octet or field can have decimal values ranging from 0 to 255.
12. According to the value of w, the first field, we have five classes of TCP/IP addresses.
The first three classes are only used for computer addressing in a network.
IP (Internet Protocol): IP stands for Internet Protocol. An IP address is 32 bits, divided into 4 octets;
each octet contains 8 bits. It is the numerical identification of a computer on a network. It is divided into
two parts: one is the network part and the second is the host part. We use private IP addresses in a LAN, which are provided
by IANA (Internet Assigned Numbers Authority). The minimum value (per
octet) is 0 and the maximum value is 255. IP addresses are divided into five classes.
1. Network ID: it represents the number of on bits, that is (1).
2. Host ID: it represents the number of off bits, that is (0).
Class | Range | N/W ID bits | Host ID bits | Subnet Mask | Total IP | Valid IP
A | 1-126 | 8 | 24 | 255.0.0.0 | 16777216 | 16777214
B | 128-191 | 16 | 16 | 255.255.0.0 | 65536 | 65534
C | 192-223 | 24 | 8 | 255.255.255.0 | 256 | 254
D | 224-239 | reserved for multicast
E | 240-255 | reserved for research/scientific use
We use only the first three classes, which are provided by IANA, in a LAN.
IP addresses are divided into two parts:
1. Private IP address
2. Public (live) IP address
Range of private IP addresses:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Range of public IP addresses:
18.104.22.168 to 22.214.171.124
126.96.36.199 to 188.8.131.52
184.108.40.206 to 220.127.116.11
Another range is called the APIPA (Automatic Private Internet Protocol Addressing) range:
169.254.0.0 to 169.254.255.255.
We can assign the IP address by using two methods:
(1) Statically or manually
(2) Dynamically (by using a DHCP server: Dynamic Host Configuration Protocol)
If your computer has no IP address, then an IP address is assigned to the computer from the APIPA
range, but communication is not possible when the computer has an IP address from APIPA.
127.0.0.1 is the loopback address; it is used for self-communication and for troubleshooting.
Subnet mask: the subnet mask is also a 32-bit address, which tells us how many bits are used for
the network and how many bits are used for the host address.
In the subnet mask, network bits are always 1 and host bits are always 0.
Invalid or reserved IP addresses:
When we are going to assign an IP address to our computer interface, we have to follow some
1. All host bits cannot be 0 (10.0.0.0), because it represents the network address, which is reserved for
2. All host bits cannot be 1 (10.255.255.255), because it is the broadcast address of that network.
3. All bits cannot be 0 (0.0.0.0), because this address is reserved for default routing.
Default routing is used in the case of a stub network (meaning our network has no exit point).
4. All bits cannot be 1 (255.255.255.255), because it is reserved for broadcasting.
127.0.0.1 is the loopback address, which is used for self-communication or troubleshooting.
C:> IPCONFIG (this command is used to check the IP address).
C:> IPCONFIG /ALL (this command shows all the details of your interfaces).
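The class table, private and APIPA ranges, subnet mask and reserved-address rules above, worked through in code. This is an added example, not from the original page; it uses the classful masks from the table by default and accepts an explicit subnet mask for subnetted networks, where the same rules apply per subnet:

```python
import ipaddress

# Classful table from the page: class -> (first-octet range, default subnet mask)
CLASSES = {
    "A": (range(1, 127), "255.0.0.0"),
    "B": (range(128, 192), "255.255.0.0"),
    "C": (range(192, 224), "255.255.255.0"),
    "D": (range(224, 240), None),  # reserved for multicast
    "E": (range(240, 256), None),  # reserved for research/scientific use
}
# Private ranges listed on the page, plus the APIPA range
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def address_class(ip):
    """Class A-E from the first octet, or None for 0.x.x.x and 127.x.x.x."""
    first_octet = int(ip.split(".")[0])
    for name, (octets, _mask) in CLASSES.items():
        if first_octet in octets:
            return name
    return None


def describe(ip, mask=None):
    """Classify ip and decide whether it may be assigned to a host interface.

    mask defaults to the classful mask; pass an explicit subnet mask for a
    subnetted network (the reserved-address rules then apply per subnet).
    """
    addr = ipaddress.IPv4Address(ip)
    cls = address_class(ip)
    if mask is None and cls in ("A", "B", "C"):
        mask = CLASSES[cls][1]
    info = {
        "class": cls, "mask": mask,
        "private": any(addr in n for n in PRIVATE_RANGES),
        "apipa": addr in APIPA_RANGE,
        "network": None, "broadcast": None, "valid_hosts": None,
    }
    # Rules from the page, checked in order
    if int(addr) == 0:
        reason = "0.0.0.0 is reserved for default routing"
    elif int(addr) == 0xFFFFFFFF:
        reason = "255.255.255.255 is reserved for broadcasting"
    elif addr.is_loopback:
        reason = "127.x.x.x is the loopback address"
    elif mask is None:
        reason = "class %s is not used for host addressing" % (cls or "none")
    else:
        net = ipaddress.IPv4Network("%s/%s" % (ip, mask), strict=False)
        info["network"] = str(net.network_address)
        info["broadcast"] = str(net.broadcast_address)
        info["valid_hosts"] = max(net.num_addresses - 2, 0)  # total minus network and broadcast
        if addr == net.network_address:
            reason = "host bits all 0: this is the network address"
        elif addr == net.broadcast_address:
            reason = "host bits all 1: this is the broadcast address"
        elif info["apipa"]:
            reason = "APIPA address: auto-assigned, no communication possible"
        else:
            reason = "ok"
    info["assignable"] = reason == "ok"
    info["reason"] = reason
    return info


if __name__ == "__main__":
    for sample in ("10.0.0.0", "192.168.1.10", "169.254.3.4", "127.0.0.1", "224.0.0.5"):
        print(sample, describe(sample))
```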
Ping - Packet Internet Groper
This command is used to check the connectivity with another computer. Ping is performed within the
network or outside the network. In this process four packets are sent to the destination address and
four packets are received from the destination address. ICMP (Internet Control Message Protocol) is
used for this process.
Internet Control Message Protocol is used by the ping and traceroute utilities.
Ping (Packet Internet Groper) enables you to validate that an IP address exists and can accept
requests. The following transmissions are used by the Ping utility:
- Ping sends an echo request packet to receive the echo response.
- Routers send Destination Unreachable messages when they can't reach the destination
network and they are forced to drop the packet. The router that drops the packet sends
the ICMP DU message.
C:> ping (IP of destination), e.g. ping 10.0.0.1
C:> ping (IP of destination) -t (to keep pinging continuously).
Press Ctrl+C to stop the ping.
1. Reply from destination:
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
This message appears when the destination computer is properly configured and connected with an
IP address in the same network.
2. Request timed out (R.T.O): this message appears when the destination computer has some
problem, e.g. the IP address does not exist, the network cable is unplugged, the computer is shut down,
or the interconnection firewall is enabled.
3. Destination host unreachable: this message appears when our computer wants to
communicate with another network but our computer has no gateway IP address.
4. Reply from gateway but destination host unreachable: this message appears when our
computer wants to communicate with a computer on another network but our router has no route
information in its routing table for the destination network.
5. Hardware error: this message appears when during communication our network goes
6. Negotiating IP security: this message appears when our computer has the IPsec service
enabled with a secure communication rule negotiation.
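The six ping results listed above, as an added example (not from the original page) that classifies lines of ping output and produces the same statistics line the page shows, distinguishing a plain "Destination host unreachable." (no gateway configured) from one reported by a gateway (no route). The sample runs are constructed, not real captures:

```python
import re
from collections import Counter

# Per-line patterns for Windows-style ping output
REPLY_RE = re.compile(
    r"^Reply from (?P<src>\d+(?:\.\d+){3}): bytes=\d+ time[<=]\d+ms TTL=\d+$")
REPLY_DHU_RE = re.compile(
    r"^Reply from (?P<src>\d+(?:\.\d+){3}): Destination host unreachable\.$")

# Meaning of each result, as the page's list describes it
MEANING = {
    "reply": "destination is properly configured and reachable",
    "timeout": "destination problem: address does not exist, cable unplugged, host shut down or firewall",
    "no_gateway": "this computer has no gateway address for the destination network",
    "no_route": "the gateway answered, but the router has no route to the destination network",
    "hardware_error": "the local network went down during communication",
    "ipsec": "IPsec is enabled and a secure communication rule is being negotiated",
    "none": "no ping results found in the output",
}


def classify_line(line):
    """Map one line of ping output to a result code (None for other text)."""
    line = line.strip()
    if REPLY_RE.match(line):
        return "reply"
    if REPLY_DHU_RE.match(line):
        return "no_route"        # case 4: the reply comes from the gateway, not the target
    if line == "Destination host unreachable.":
        return "no_gateway"      # case 3: no source address in the message
    if line == "Request timed out.":
        return "timeout"
    if line == "Hardware error.":
        return "hardware_error"
    if line == "Negotiating IP Security.":
        return "ipsec"
    return None


def diagnose(output):
    """Summarise a ping run: the statistics line plus the page's diagnosis."""
    results = [r for r in (classify_line(l) for l in output.splitlines()) if r]
    sent = len(results)
    received = results.count("reply")
    lost = sent - received
    loss_pct = round(100 * lost / sent) if sent else 0
    stats = "Packets: Sent = %d, Received = %d, Lost = %d (%d%% loss)" % (
        sent, received, lost, loss_pct)
    problems = Counter(r for r in results if r != "reply")
    if not results:
        verdict = "none"
    elif problems:
        verdict = problems.most_common(1)[0][0]  # the dominant failure mode
    else:
        verdict = "reply"
    return {"sent": sent, "received": received, "lost": lost,
            "stats": stats, "verdict": verdict, "meaning": MEANING[verdict]}


# Constructed sample runs (not real captures)
SAMPLE_OK = """Pinging 10.1.1.1 with 32 bytes of data:
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
Reply from 10.1.1.1: bytes=32 time=1ms TTL=255
Reply from 10.1.1.1: bytes=32 time<1ms TTL=255
"""
SAMPLE_NO_ROUTE = """Pinging 10.20.0.7 with 32 bytes of data:
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.
"""
SAMPLE_MIXED = """Pinging 10.1.1.9 with 32 bytes of data:
Reply from 10.1.1.9: bytes=32 time=2ms TTL=128
Request timed out.
Request timed out.
Request timed out.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NO_ROUTE, SAMPLE_MIXED):
        result = diagnose(sample)
        print(result["stats"], "->", result["meaning"])
```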
We have designed a network scenario in which we have used the concepts of
routers, switches, servers, NAT, access lists, VLANs and server publishing; we have given a detailed study of
Routing is the process of selecting paths in a network along which to send network traffic. Routing is performed for
many kinds of networks, including the telephone network (Circuit switching) , electronic data networks (such as
the Internet), and transportation networks. This article is concerned primarily with routing in electronic data
networks using packet switching technology.
In packet switching networks, routing directs packet forwarding, the transit of logically addressed packets from their
source toward their ultimate destination through intermediate nodes, typically hardware devices
called routers, bridges, gateways, firewalls, or switches. General-purpose computers can also forward packets and
perform routing, though they are not specialized hardware and may suffer from limited performance. The routing
process usually directs forwarding on the basis of routing tables which maintain a record of the routes to various
network destinations. Thus, constructing routing tables, which are held in the router's memory, is very important for
efficient routing. Most routing algorithms use only one network path at a time, but multipath routing techniques
enable the use of multiple alternative paths.
Types of routing
Static routing is a data communication concept describing one way of configuring path selection of routers in
computer networks. It is the type of routing characterized by the absence of communication between routers
regarding the current topology of the network. This is achieved by manually adding routes to the routing table. The
opposite of static routing is dynamic routing, sometimes also referred to as adaptive routing.
To configure a static route to network 10.10.20.0/24, pointing to a next-hop router with the IP address
192.168.100.1, type the following (note that this example is written in the Cisco IOS command line syntax and will
only work on certain Cisco routers):
Router# configure terminal
Router(config)# ip route 10.10.20.0 255.255.255.0 192.168.100.1
The other option is to define a static route with reference to the outgoing interface which is connected to the next
hop towards the destination network.
Router# configure terminal
Router(config)# ip route 10.10.20.0 255.255.255.0 Serial 0/0
Dynamic routing performs the same function as static routing except that it is more robust. Static routing allows
routing tables in specific routers to be set up in a static manner, so the network routes for packets are fixed. If a
router on the route goes down, the destination may become unreachable. Dynamic routing allows routing tables in
routers to change as the possible routes change. There are several protocols used to support dynamic routing,
including RIP and OSPF.
A default route, also known as the gateway of last resort, is the network route used by a router when no other
known route exists for a given IP packet's destination address. All packets for destinations not known by the
router's routing table are sent to the default route. This route generally leads to another router, which treats the
packet the same way: if the route is known, the packet is forwarded along the known route; if not, the packet is
forwarded to the default route of that router, which generally leads to another router, and so on. Each router
traversal adds one hop to the route.
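As an added illustration, not part of the original text, the following Python models the routing-table behaviour described above: each router picks the most specific matching route (longest prefix match), falls back to its default route when nothing else matches, and a packet is handed from router to router with each traversal counting as one hop. The router names, the topology and the documentation-range addresses are constructed for the example; the static route 10.10.20.0/24 mirrors the one configured in the text. The example also shows the failure case the text hints at: two routers whose default routes point at each other bounce a packet for an unknown destination until the hop limit is reached.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed example: next hops are router names; CONNECTED means the
# destination network sits directly on one of this router's interfaces.
CONNECTED = "connected"


class RoutingTable:
    """A router's routing table: longest-prefix match plus an optional default route."""

    def __init__(self) -> None:
        self.routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def set_default(self, next_hop: str) -> None:
        # 0.0.0.0/0 contains every address but has prefix length 0, so it only
        # wins when nothing more specific matches: the gateway of last resort.
        self.add_route("0.0.0.0/0", next_hop)

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, next_hop in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None


def trace_path(routers: Dict[str, RoutingTable], start: str, dst: str,
               max_hops: int = 15) -> List[str]:
    """Forward a packet router by router and record the path it takes.

    The trace ends with DELIVERED, UNREACHABLE (a router with no matching route
    and no default route) or HOP LIMIT (the packet was still in transit after
    max_hops router traversals, i.e. a routing loop).
    """
    path = [start]
    current = start
    for _ in range(max_hops):
        next_hop = routers[current].lookup(dst)
        if next_hop is None:
            path.append("UNREACHABLE")
            return path
        if next_hop == CONNECTED:
            path.append("DELIVERED")
            return path
        path.append(next_hop)
        current = next_hop
    path.append("HOP LIMIT")
    return path


def build_example() -> Dict[str, RoutingTable]:
    """Constructed four-router topology (addresses from documentation ranges)."""
    r1, r2, r3, isp = RoutingTable(), RoutingTable(), RoutingTable(), RoutingTable()
    r1.add_route("10.10.20.0/24", "R2")      # the static route from the text
    r1.add_route("10.10.0.0/16", "R3")       # a less specific route to the same block
    r1.set_default("ISP")                    # everything else goes to the ISP
    r2.add_route("10.10.20.0/24", CONNECTED)
    r3.add_route("10.10.0.0/16", CONNECTED)
    isp.add_route("198.51.100.0/24", CONNECTED)
    isp.set_default("R1")                    # misconfigured: points back at R1
    return {"R1": r1, "R2": r2, "R3": r3, "ISP": isp}


if __name__ == "__main__":
    routers = build_example()
    for dst in ("10.10.20.7", "10.10.99.1", "198.51.100.9", "203.0.113.5"):
        print(dst, "->", " > ".join(trace_path(routers, "R1", dst)))
```

Note that 10.10.20.7 goes to R2 even though the /16 via R3 also contains it: the longer prefix wins. R2 has no default route, so it can only deliver to its connected network and reports anything else unreachable (the "Destination host unreachable" case in the ping messages above).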
TCP/IP and IPX/SPX are protocols used in a Local Area Network (LAN) so that computers can communicate with
each other and with other computers on the Internet.
Chances are that in your LAN you are most probably running TCP/IP. This protocol is what we call a "routed"
protocol. The term "routed" refers to something which can be passed on from one place (network) to another. In the
example of TCP/IP, this is when you construct a data packet and send it across to another computer on the Internet.
Routing protocols were created for routers. These protocols have been designed to allow the exchange of routing
tables, or known networks, between routers. There are a lot of different routing protocols, each one designed for
specific network sizes, so I am not going to be able to mention and analyse them all, but I will focus on the most
Dynamic Routing Protocols
There are 3 types of dynamic routing protocols (distance vector, link state and hybrid); these differ mainly in the
way that they discover and make calculations about routes:
1) Distance Vector
2) Link State
3) Hybrid
Distance Vector routers compute the best path from information passed to them from neighbors.
Link State routers each have a copy of the entire network map.
Link State routers compute best routes from this local map.
DISTANCE VECTOR ROUTING PROTOCOLS
Distance Vector routing protocols use frequent broadcasts (255.255.255.255 at the IP layer, FF:FF:FF:FF:FF:FF at
the MAC layer) of their entire routing table every 30 sec. on all their interfaces in order to communicate with their
neighbours. The bigger the routing tables, the more broadcasts. This methodology significantly limits the size of
network on which Distance Vector can
Routing Information Protocol (RIP) is a true Distance-Vector routing protocol. It sends the complete routing table
out to all active interfaces every 30 seconds. RIP only uses hop count to determine the best way to a remote network,
but it has a maximum allowable hop count of 15, meaning that 16 is deemed unreachable. RIP works well in small
networks, but it is inefficient on large networks with slow WAN links or on networks with a large number of routers.
RIP comes in two different versions. RIP version 1 uses only classful routing, which means that all devices in the
network must use the same subnet mask. This is because RIP version 1 does not include the subnet mask when it
sends updates. RIP v1 uses broadcasts (255.255.255.255).
RIP version 2 does include the subnet mask, however, and this is what we call classless routing (check the
Subnetting section for more details). RIP v2 uses multicasts (224.0.0.9) to update its routing tables.
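The following Python is an added example, not code from the original text, showing how a RIP-style distance-vector exchange behaves: every router hands its whole table to each neighbour in every round, a receiver adopts a route only when the neighbour's count plus one beats its own, and a count of 16 stands for "unreachable", so a destination 16 or more hops away is never installed. The topology (a chain of routers named R0, R1, ...) is constructed for the example and every link is treated as one hop.

```python
from typing import Dict, Optional, Set, Tuple

INFINITY = 16  # RIP: 15 hops is the maximum; a count of 16 means "unreachable"

# One router's table: destination -> (hop count, next hop)
Table = Dict[str, Tuple[int, Optional[str]]]


def distance_vector_converge(links: Dict[str, Set[str]],
                             max_rounds: int = 100) -> Tuple[Dict[str, Table], int]:
    """Run RIP-style exchanges until no router changes its table.

    Every link costs one hop. In each round every router sends its entire table
    to every neighbour (RIP does this every 30 seconds), and a receiver adopts a
    route only if the neighbour's count plus one beats what it already holds.
    Returns the converged tables and the number of rounds used, the last round
    being the quiet one in which nothing changed.
    """
    routers = list(links)
    tables: Dict[str, Table] = {
        r: {d: (0 if d == r else INFINITY, None) for d in routers} for r in routers
    }
    for rnd in range(1, max_rounds + 1):
        # Snapshot first so every advertisement in this round reflects the previous round.
        adverts = {r: dict(tables[r]) for r in routers}
        changed = False
        for r in routers:
            for nb in links[r]:
                for dest, (nb_hops, _) in adverts[nb].items():
                    candidate = min(nb_hops + 1, INFINITY)  # never count past infinity
                    if candidate < tables[r][dest][0]:
                        tables[r][dest] = (candidate, nb)
                        changed = True
        if not changed:
            return tables, rnd
    return tables, max_rounds


def hops(tables: Dict[str, Table], src: str, dst: str) -> Optional[int]:
    """Hop count from src to dst, or None when RIP treats dst as unreachable."""
    count = tables[src][dst][0]
    return None if count >= INFINITY else count


def next_hop(tables: Dict[str, Table], src: str, dst: str) -> Optional[str]:
    """Neighbour that src forwards to for dst; None for itself or an unreachable dst."""
    return tables[src][dst][1] if hops(tables, src, dst) else None


def chain(n: int) -> Dict[str, Set[str]]:
    """Constructed topology: routers R0 .. R(n-1) joined in a straight line."""
    links: Dict[str, Set[str]] = {f"R{i}": set() for i in range(n)}
    for i in range(n - 1):
        links[f"R{i}"].add(f"R{i + 1}")
        links[f"R{i + 1}"].add(f"R{i}")
    return links


if __name__ == "__main__":
    tables, rounds = distance_vector_converge(chain(18))
    print(f"converged after {rounds} rounds")
    for dst in ("R15", "R16", "R17"):
        print("R0 ->", dst, "hops:", hops(tables, "R0", dst), "via", next_hop(tables, "R0", dst))
```

On an 18-router chain R0 reaches R15 in 15 hops but never learns R16 or R17, which is exactly the size limit the text describes; convergence also takes one round per hop of network diameter, which is why RIP is slow to settle on large networks.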
Use the following command to enable RIP on RouterA:
Configure the router to receive and send only RIP Version 2 packets using the following command:
Use the following commands to specify the networks directly connected to the router:
Interior Gateway Routing Protocol (IGRP)
Interior Gateway Routing Protocol (IGRP) is a Cisco proprietary Distance-Vector routing protocol. This means that
all your routers must be Cisco routers in order to use IGRP in your network; keep in mind that Windows 2000 now
supports it as well because they have bought a licence from Cisco to use the protocol!
Cisco created this routing protocol to overcome the problems associated with RIP.
IGRP has a maximum hop count of 255 with a default of 100. This is helpful in larger networks and solves the
problem of there being only 15 hops maximum possible in a RIP network. IGRP also uses a different metric
from RIP. IGRP uses bandwidth and delay of the line by default as a metric for determining the best route to an
internetwork. This is called a composite metric. Reliability, load and Maximum Transmission Unit (MTU) can also
be used, although they are not used by default.
RouterA#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterA(config)#router igrp <AS-number>
RouterA(config-router)#network <ip-address>
Link State Routing Protocols
Link State protocols, unlike Distance Vector broadcasts, use multicast. Link State routing protocols do not view
networks in terms of adjacent routers and hop counts, but they build a comprehensive view of the overall network
which fully describes all possible routes along with their costs. Using the SPF (Shortest Path First) algorithm, the
router creates a "topological database" which is a hierarchy reflecting the network routers it knows about. It then
puts itself on the top of this hierarchy, and has a complete picture from its own perspective.
Link State protocols in comparison to Distance Vector protocols have:
Big memory requirements
Shortest path computations require many CPU cycles
If the network is stable little bandwidth is used; they react quickly to topology changes
Announcements cannot be "filtered". All items in the database must be sent to neighbors
All neighbors must be trusted
Authentication mechanisms can be used to avoid undesired adjacencies
No split horizon techniques are possible
Open Shortest Path First (OSPF) Routing Protocol
Open Shortest Path First (OSPF) is a routing protocol developed for Internet Protocol (IP) networks by the
interior gateway protocol (IGP) working group of the Internet Engineering Task Force (IETF). The
working group was formed in 1988 to design an IGP based on the shortest path first (SPF) algorithm for
use in the Internet. Similar to the Interior Gateway Routing Protocol (IGRP), OSPF was created because in
the mid-1980s, the Routing Information Protocol (RIP) was increasingly unable to serve large,
OSPF is a classless routing protocol, which means that in its updates it includes the subnet of each route it
knows about, thus enabling variable-length subnet masks. With variable-length subnet masks, an IP
network can be broken into many subnets of various sizes. This provides network administrators with extra
network-configuration flexibility. These updates are multicast to specific addresses
(224.0.0.5 and 224.0.0.6).
OSPF has two primary characteristics:
1) The protocol is open (non-proprietary), which means that its specification is in the public domain.
The OSPF specification is published as Request For Comments (RFC) 1247.
2) The second principal characteristic is that OSPF is based on the SPF algorithm, which sometimes is
referred to as the Dijkstra algorithm, named for the person credited with its creation.
Router(config)#router ospf <process-id>
Router(config-router)#network <network-number> <wildcard-mask> area <area-id>
Router(config-router)#network 192.168.10.0 0.0.0.255 area 0
(The OSPF network statement takes a wildcard mask rather than a subnet mask, so 192.168.10.0/24 is written with
0.0.0.255; area 0, the backbone area, is assumed for the example.)
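As an added example (not from the original text), the Python below runs the SPF (Dijkstra) computation described for OSPF over a small link-state database and shows why a link-state protocol can prefer a two-hop path over a direct one: it sums link costs instead of counting hops. The topology is constructed, and the cost formula (reference bandwidth divided by interface bandwidth, 100 Mbit/s reference) is Cisco's default, an assumption not stated in the text.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Link-state database: router -> {neighbour: link cost}
LSDB = Dict[str, Dict[str, int]]


def ospf_cost(bandwidth_bps: int, reference_bps: int = 100_000_000) -> int:
    """Interface cost = reference bandwidth / interface bandwidth, minimum 1.
    The 100 Mbit/s reference is Cisco's default; assumed here, not stated in the text."""
    return max(1, reference_bps // bandwidth_bps)


def spf(lsdb: LSDB, root: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Dijkstra's shortest-path-first run from the router's own position.

    Returns the lowest total cost to every reachable router and, for each one,
    its predecessor on that path (the SPF tree with `root` at the top).
    """
    dist: Dict[str, int] = {root: 0}
    prev: Dict[str, str] = {}
    settled = set()
    heap: List[Tuple[int, str]] = [(0, root)]
    while heap:
        cost_so_far, u = heapq.heappop(heap)
        if u in settled:
            continue  # stale heap entry; u was already settled at a lower cost
        settled.add(u)
        for v, link_cost in lsdb.get(u, {}).items():
            candidate = cost_so_far + link_cost
            if candidate < dist.get(v, float("inf")):
                dist[v] = candidate
                prev[v] = u
                heapq.heappush(heap, (candidate, v))
    return dist, prev


def path(prev: Dict[str, str], root: str, dst: str) -> Optional[List[str]]:
    """Walk the SPF tree back from dst to root; None if dst is unreachable."""
    if dst != root and dst not in prev:
        return None
    hops = [dst]
    while hops[-1] != root:
        hops.append(prev[hops[-1]])
    return hops[::-1]


def build_example() -> LSDB:
    """Constructed topology: A and C share a slow T1 WAN link and are also
    joined by two Fast Ethernet links through B. D has no links at all."""
    fast_ethernet = ospf_cost(100_000_000)  # cost 1
    t1 = ospf_cost(1_544_000)               # cost 64
    lsdb: LSDB = {"A": {}, "B": {}, "C": {}, "D": {}}

    def link(x: str, y: str, cost: int) -> None:
        lsdb[x][y] = cost
        lsdb[y][x] = cost

    link("A", "B", fast_ethernet)
    link("B", "C", fast_ethernet)
    link("A", "C", t1)
    return lsdb


if __name__ == "__main__":
    dist, prev = spf(build_example(), "A")
    for dst in ("B", "C", "D"):
        print(dst, "cost", dist.get(dst), "path", path(prev, "A", dst))
```

From A, SPF reaches C at cost 2 via B, while RIP's hop count would have sent the traffic straight over the 64-cost T1 link; D never appears in the result because no router advertised a link to it.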
Hybrid Routing Protocols
Hybrid routing, commonly referred to as balanced-hybrid routing, is a combination of distance-vector routing,
which works by sharing its knowledge of the entire network with its neighbors, and link-state routing, which
works by having the routers tell every router on the network about its closest neighbours.
Enhanced Interior Gateway Routing Protocol (EIGRP) is another Cisco proprietary, hybrid (has features of
Distance Vector and Link State protocols) interior gateway protocol (IGP) used by routers to exchange routing
information. EIGRP uses a composite metric composed of bandwidth, delay, reliability, and load to determine the
best path between two locations. EIGRP can route IP, IPX and AppleTalk. Along with IS-IS, it is one of the few
multi-protocol
The Diffusing Update Algorithm (DUAL) is the heart of EIGRP. In essence, DUAL always keeps a backup route
in mind, in case the primary route goes down. DUAL also limits how many routers are affected when a change
occurs to the network.
There is no maximum allowable number of hops. In an EIGRP network, each router multicasts "hello" packets to
discover its adjacent neighbors. This adjacency database is shared with other routers to build a topology database.
From the topology database the best route (Successor) and the second best route (Feasible Successor) are found.
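An added example, not taken from the original text, of how DUAL picks the Successor and Feasible Successor mentioned above. The neighbour names and metrics are constructed (plain integers stand in for EIGRP's composite metric); what the code demonstrates is the feasibility condition itself: a neighbour qualifies as a backup only if the distance it reports is strictly lower than our own feasible distance, which is what lets DUAL switch to it without recomputing or querying other routers.

```python
from typing import Dict, List, Optional, Tuple

# Constructed view from one router towards a single destination network.
# For each neighbour: (reported distance, link cost). The reported distance
# (RD) is the metric the neighbour itself advertises for the destination; the
# link cost is our own metric to reach that neighbour.
Neighbours = Dict[str, Tuple[int, int]]


def dual_select(neighbours: Neighbours) -> Tuple[Optional[int], Optional[str], List[str]]:
    """Choose the successor and the feasible successors for one destination.

    Feasible distance (FD) is the lowest total cost (RD + link cost) through
    any neighbour; that neighbour is the successor. A feasible successor is any
    other neighbour whose RD is strictly less than FD. That feasibility
    condition guarantees the neighbour's path does not loop back through us,
    so it can be promoted at once if the successor fails.
    """
    if not neighbours:
        return None, None, []
    totals = {name: rd + link for name, (rd, link) in neighbours.items()}
    successor = min(totals, key=totals.__getitem__)
    fd = totals[successor]
    feasible = sorted(name for name, (rd, _) in neighbours.items()
                      if name != successor and rd < fd)
    return fd, successor, feasible


def failover(neighbours: Neighbours, failed: str) -> Tuple[Optional[str], str]:
    """What DUAL does when `failed` goes away: the new successor plus whether the
    change was 'unaffected', a local switch to a 'feasible successor', or a
    'recompute' (the router must query its neighbours for a new route)."""
    _, successor, feasible = dual_select(neighbours)
    remaining = {n: v for n, v in neighbours.items() if n != failed}
    _, new_successor, _ = dual_select(remaining)
    if failed != successor:
        return new_successor, "unaffected"
    if new_successor in feasible:
        return new_successor, "feasible successor"
    return new_successor, "recompute"


def build_example() -> Neighbours:
    """Constructed neighbours: totals are B 15, C 14, D 21, so C is the successor."""
    return {"B": (10, 5), "C": (12, 2), "D": (20, 1)}


if __name__ == "__main__":
    fd, successor, feasible = dual_select(build_example())
    print("FD", fd, "successor", successor, "feasible successors", feasible)
    for lost in ("C", "D", "B"):
        print("lose", lost, "->", failover(build_example(), lost))
```

B is a feasible successor because its reported distance (10) is below the feasible distance (14); D is not (20 is higher), so if C and then D were all we had, losing C would force a recomputation.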
EIGRP is classless, meaning it does include the subnet mask in routing updates. However, by default
'auto-summary' is enabled. You must disable it if you want subnet information from other
The EIGRP metric can be a complex calculation, but by default it only uses bandwidth and delay to determine the
best path.
Router(config)#router eigrp <AS-number>
Router(config-router)#network X.X.X.X
Network Address Translation(NAT)
The NAT Concept
NAT is not only used for networks that connect to the Internet. You can use NAT even
between private networks as we will see in the pages to follow, but because most
networks use it for their Internet connection, we are focusing on that.
The NAT concept is simple: it allows a single device to act as an Internet gateway for
internal LAN clients by translating the clients' internal network IP Addresses into the IP
Address on the NAT-enabled gateway device.
In other words, NAT runs on the device that's connected to the Internet and hides the rest
of your network from the public, thus making your whole network appear as one device
(or computer, if you like) to the rest of the world.
NAT is transparent to your network, meaning all internal network devices are not
required to be reconfigured in order to access the Internet. All that's required is to let your
network devices know that the NAT device is the default gateway to the Internet.
NAT is secure since it hides your network from the Internet. All communications from
your private network are handled by the NAT device, which will ensure all the
appropriate translations are performed and provide a flawless connection between your
devices and the Internet.
As you can see, we have a simple network of 4 hosts (computers) and one router that connects
this network to the Internet. All hosts in our network have a private Class C IP Address,
including the router's private interface (192.168.0.1), while the public interface that's connected
to the Internet has a real IP Address (22.214.171.124).
The NAT Table
The NAT table is the heart of the whole NAT operation, which takes place within the router (or
any NAT-enabled device) as packets arrive and leave its interfaces. Each connection from
the internal (private) network to the external (public-Internet) network, and vice versa, is tracked
and a special table is created to help the router determine what to do with all incoming packets
on all of its interfaces; in our example there are two. This table, known as the NAT table, is
populated gradually as connections are created across the router and once these connections are
closed the entries are deleted, making room for new entries.
TYPES OF NAT:
Static Network Address Translation
Static NAT (also called inbound mapping) is the first mode we're going to talk about and also
happens to be the least common among smaller networks.
Static NAT was mainly created to allow hosts on your private network to be directly accessible
via the Internet using real public IPs; we'll see in great detail how this works and is
maintained. Static NAT is also considered a bit dangerous because a misconfiguration of your
firewall or other NAT-enabled device can result in the full exposure of the machine on your
private network to which the public IP Address maps, and we'll see the security risks later on this
As mentioned in the introduction, Static NAT allows the mapping of public IP Addresses to
hosts inside the internal network. In simple English, this means you can have a computer on your
private network that exists on the Internet with its own real IP.
The diagram below has been designed to help you understand exactly how Static NAT works:
Dynamic Network Address Translation
Dynamic NAT is the second NAT mode we're going to talk about. Dynamic NAT, just
like Static NAT, is not that common in smaller networks but you'll find it used within larger
corporations with complex networks.
The way Dynamic NAT differs from Static NAT is that where Static NAT provides a one-to-one
internal-to-public static IP mapping, Dynamic NAT does the same but without making the
mapping to the public IP static, and usually uses a group of available public IPs.
With Dynamic NAT, we also map our internal IP Addresses to real public IP Addresses, but the
mapping is not static: for the duration of one session an internal host keeps the same public IP
Address, but that address is likely to change from one session to the next. These IPs are taken
from a pool of public IP Addresses that have been reserved by our ISP for our public network.
The diagram above is our example network and shows our router, which is configured to
perform Dynamic NAT for the network. We requested 4 public IPs from our ISP
(126.96.36.199 to 188.8.131.52), which will be dynamically mapped by our router to our
internal hosts. In this particular session our workstation, with IP Address 192.168.0.1, sends a
request to the Internet and is assigned the public IP address 184.108.40.206. This mapping
between the workstation's private and public IP Address will remain until the session finishes.
The router is configured with a special NAT timeout and, after this timeout is reached (no traffic
sent/received during that time), the router will expire the particular mapping and reuse it for a
different internal host.
Network Address Translation Overload
NAT Overload is the most common NAT method used throughout all networks that connect to
the Internet. This is because of the way it functions and the limitations it can overcome, and we'll
explore all of these in the next two pages.
Whether you use a router, firewall appliance, Microsoft's Internet sharing ability or any 3rd party
program that enables all your home computers to connect to the Internet via one connection,
you're using NAT Overload.
This NAT mode is also known by other names, like NAPT (Network Address Port Translation),
IP Masquerading and NAT with PAT (Port Address Translation). The different names logically
come from the way NAT Overload works, and you'll understand this by the time we're finished
with the topic.
NAT Overload is a mix of Static & Dynamic NAT with a few enhancements thrown in (PAT -
Port Address Translation) to make it work the way we need. By now you understand how
both Static & Dynamic NAT work so we won't get into the details again. NAT Overload takes a
Static or Dynamic IP Address that is bound to the public interface of the gateway (this could be a
PC, router or firewall appliance) and allows all PCs within the private network to access the
If you find yourself wondering how this is possible with only one IP Address, you will be happy
to find that the answer lies within PAT.
The diagram below shows you how a single session is handled by a NAT Overload enabled
So we have a host on a private network, its IP Address is 192.168.0.1 and it's sending a packet to
the Internet, more specifically to IP Address 220.127.116.11, which we're assuming is a server. The
port, which is 23, tells us that it's trying to telnet to 18.104.22.168, since this is the default port telnet
As the original packet passes through the router, the Source IP Address field is changed by the
router from 192.168.0.1 to 22.214.171.124. However, notice that the ports are not changed.
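The following Python is an added example, not part of the original text, of the NAT Overload (PAT) behaviour just described and of the NAT table from the earlier section: outbound packets get the gateway's single public address, the source port is kept where possible (as in the text's example) and only changed when another inside host already holds it, replies are mapped back through the table, and idle entries expire after a timeout. All addresses, hosts and the public IP 203.0.113.1 are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatGateway:
    """NAT Overload (PAT): many inside hosts share one public address."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self.first_port, self.last_port = first_port, last_port
        # The NAT table, kept in both directions:
        #   outbound_map: (inside ip, inside port, proto) -> public port
        #   inbound_map:  (public port, proto) -> (inside ip, inside port)
        self.outbound_map: Dict[Tuple[str, int, str], int] = {}
        self.inbound_map: Dict[Tuple[int, str], Tuple[str, int]] = {}
        self.last_seen: Dict[Tuple[int, str], float] = {}

    def _allocate_port(self, wanted: int, proto: str) -> int:
        # Keep the host's own source port when it is free (the text's example shows the
        # port unchanged); otherwise take the lowest free port in the configured range.
        if (wanted, proto) not in self.inbound_map:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if (port, proto) not in self.inbound_map:
                return port
        raise RuntimeError("NAT table full: no free public port")

    def translate_outbound(self, pkt: Packet, now: float = 0.0) -> Packet:
        """Rewrite an inside -> Internet packet and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        if key not in self.outbound_map:
            port = self._allocate_port(pkt.src_port, pkt.proto)
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        port = self.outbound_map[key]
        self.last_seen[(port, pkt.proto)] = now
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def translate_inbound(self, pkt: Packet, now: float = 0.0) -> Optional[Packet]:
        """Rewrite an Internet -> inside packet, or return None (dropped) when the
        table has no entry: only replies to traffic the table already knows get in."""
        entry = self.inbound_map.get((pkt.dst_port, pkt.proto))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        self.last_seen[(pkt.dst_port, pkt.proto)] = now
        inside_ip, inside_port = entry
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)

    def expire(self, now: float, timeout: float) -> int:
        """Delete entries idle longer than the NAT timeout; returns how many went."""
        stale = [key for key, seen in self.last_seen.items() if now - seen > timeout]
        for port, proto in stale:
            inside_ip, inside_port = self.inbound_map.pop((port, proto))
            del self.outbound_map[(inside_ip, inside_port, proto)]
            del self.last_seen[(port, proto)]
        return len(stale)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Two inside hosts telnet to the same server from the same source port."""
    gw = PatGateway("203.0.113.1")
    first = gw.translate_outbound(Packet("192.168.0.10", 1025, "198.51.100.5", 23), now=0)
    second = gw.translate_outbound(Packet("192.168.0.11", 1025, "198.51.100.5", 23), now=1)
    reply = gw.translate_inbound(Packet("198.51.100.5", 23, "203.0.113.1", second.src_port), now=2)
    unsolicited = gw.translate_inbound(Packet("198.51.100.5", 4444, "203.0.113.1", 23), now=2)
    return first, second, reply, unsolicited


if __name__ == "__main__":
    for label, pkt in zip(("host A out", "host B out", "reply to B", "unsolicited"), demo()):
        print(label, pkt)
```

The first host keeps port 1025 and the second is moved to 1024 because the public (address, port) pair must be unique per inside host; that is the whole of PAT. The unsolicited packet is dropped only because no table entry exists for it, which is the extent of the protection NAT gives: it is a side effect of the translation state, not a filtering policy.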
access-list 1 permit <your_lan_address_range> <wildcard-mask>
example: access-list 1 permit 192.168.1.0 0.0.0.255
(A standard access list entry with no wildcard mask matches only the single host given, so the wildcard 0.0.0.255 is
needed to cover the whole 192.168.1.0/24 LAN.)
Now that we have defined the addresses that are allowed to use the NAT address, we enable the actual NAT:
ip nat inside source list <access-list-number> interface <interface> overload
example: ip nat inside source list 1 interface dialer0 overload
This command states that it will use the addresses from the access-list we defined in step 1 and NAT them to the
public IP address on the interface, e.g. serial 0, dialer 0, ethernet 1,… The overload keyword specifies that multiple
LAN addresses can be NAT'd to that address. The router uses the TCP and UDP ports of the hosts [LAN addresses] to
translate the public IP address back to the originating local host address.
The last steps we need to configure are to tell the router which are our inside and outside addresses. This is
achieved using the following commands:
- for the inside
interface ethernet | fastethernet <number>
ip nat inside
- for the outside, assume we are dealing with an xDSL router
interface dialer0
ip nat outside
Now that NAT is configured we can check to see which addresses are being used by using the show ip nat
INTERNET CONNECTION SHARING
ICS provides networked computers with the ability to share a single connection to the Internet.
If you have multiple computers, you can use ICS to allow you and others on your local area
network (LAN) to perform different tasks simultaneously. For example, one person can send and
receive e-mail messages, while another person downloads a file, and another person browses the
Internet. You can also gain access to your corporate e-mail accounts from a client computer
while others on your LAN cannot. You can use Web-enabled programs (such as downloading
updates) as well as Microsoft NetMeeting and other video conferencing programs.
Internet Connection Sharing Components
DHCP Allocator - A simplified DHCP service that assigns the IP address, gateway, and
name server on the local network.
DNS Proxy - Resolves names on behalf of local network clients and forwards queries.
Network Address Translation (NAT) - Maps a set of private addresses to a set of public
addresses. NAT tracks private-source IP addresses and public-destination IP addresses
for outbound flows. It changes the IP address information and edits the required IP
header information dynamically.
Auto-dial - Automatically dials connections.
Application programming interfaces (APIs) - For configuration, status, and dial control
How to use Internet Connection Sharing
To use Internet Connection Sharing to share your Internet connection, the host computer must
have one network adapter that is configured to connect to the internal network, and one network
adapter or modem that is configured to connect to the Internet.
On the host computer
On the host computer, follow these steps to share the Internet connection:
1. Log on to the host computer as Administrator or as Owner.
2. Click Start, and then click Control Panel.
3. Click Network and Internet Connections.
4. Click Network Connections.
5. Right-click the connection that you use to connect to the Internet. For example, if you
connect to the Internet by using a modem, right-click the connection that you want
6. Click Properties.
7. Click the Advanced tab.
8. Under Internet Connection Sharing, select the Allow other network users to connect
through this computer's Internet connection check box.
9. If you are sharing a dial-up Internet connection, select the Establish a dial-up
connection whenever a computer on my network attempts to access the
Internet check box if you want to permit your computer to automatically connect to the
10. Click OK. You receive the following message:
When Internet Connection Sharing is enabled, your LAN adapter will be set to use IP
address 192.168.0.1. Your computer may lose connectivity with other computers on
your network. If these other computers have static IP addresses, it is a good idea to set
to obtain their IP addresses automatically. Are you sure you want to enable Internet
11. Click Yes.
On the client computer
To connect to the Internet by using the shared connection, you must confirm the LAN adapter IP
configuration, and then configure the client computer. To confirm the LAN adapter IP
configuration, follow these steps:
1. Log on to the client computer as Administrator or as Owner.
2. Click Start, and then click Control Panel.
3. Click Network and Internet Connections.
4. Click Network Connections.
5. Right-click Local Area Connection, and then click Properties.
6. Click the General tab, click Internet Protocol (TCP/IP) in the This connection uses
the following items list, and then click Properties.
7. In the Internet Protocol (TCP/IP) Properties dialog box, click Obtain an IP address
automatically (if it is not already selected), and then click OK.
Note: You can also assign a unique static IP address in the range of 192.168.0.2 to
192.168.0.254. For example, you can assign the following static IP address, subnet mask,
and default gateway:
   IP Address 192.168.0.2
   Subnet mask 255.255.255.0
   Default gateway 192.168.0.1
8. In the Local Area Connection Properties dialog box, click OK.
9. Quit Control Panel.
What is a VLAN?
As I said, a VLAN is a virtual LAN. In technical terms, a VLAN is a broadcast domain created by switches. Normally, it is a
router creating that broadcast domain. With VLAN’s, a switch can create the broadcast domain.
This works by you, the administrator, putting some switch ports in a VLAN other than 1, the default VLAN. All ports in a single
VLAN are in a single broadcast domain.
Because switches can talk to each other, some ports on switch A can be in VLAN 10 and other ports on switch B can be in
VLAN 10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However,
these devices can all communicate because they are on the same VLAN. Without additional configuration, they would not be
able to communicate with any other devices, not in their VLAN.
How can devices on different VLAN’s communicate?
Devices on different VLAN’s can communicate with a router or a Layer 3 switch. As each VLAN is its own subnet, a router or
Layer 3 switch must be used to route between the subnets.
What is a trunk port?
When there is a link between two switches or a router and a switch that carries the traffic of more than one VLAN, that port is a
A trunk port must run a special trunking protocol. The protocol used would be Cisco’s proprietary Inter-Switch Link (ISL) or the
IEEE standard 802.1Q.
How do I create a VLAN?
Configuring VLAN’s can vary even between different models of Cisco switches. Your goals, no matter what the commands are,
Create the new VLAN’s
Put each port in the proper VLAN
Let’s say we wanted to create VLAN’s 5 and 10. We want to put ports 2 & 3 in VLAN 5 (Marketing) and ports 4 and 5 in VLAN
10 (Human Resources). On a Cisco 2950 switch, here is how you would do it:
At this point, only ports 2 and 3 should be able to communicate with each other and ports 4 & 5 should be able to communicate.
That is because each of these is in its own VLAN. For the device on port 2 to communicate with the device on port 4, you would
have to configure a trunk port to a router so that it can strip off the VLAN information, route the packet, and add back the VLAN
What do VLAN’s offer?
VLAN’s offer higher performance for medium and large LAN’s because they limit broadcasts. As the amount of traffic and the
number of devices grow, so does the number of broadcast packets. By using VLAN’s you are containing broadcasts.
VLAN’s also provide security because you are essentially putting one group of devices, in one VLAN, on their own network.
INTER VLAN ROUTING:
Applicable Network Scenarios
As shown in the figure below, the addition of a router makes it possible to send traffic between
VLANs while still containing broadcast traffic within VLAN boundaries.
The router uses IP subnets to move traffic between VLANs. Each VLAN has a different IP subnet, so
there is a one-to-one correspondence of VLAN and IP subnet boundaries. If a host is in a given subnet,
it is also in a given VLAN, and vice versa.
An Access Control List (ACL) is a listing containing one or more access control entries (ACEs) that tells a
computer operating system or other network device what rights users have to each item on a computer or
network device. For example, an ACL may specify whether a user or the user's group has access to a
file or folder on that computer or network.
Access Control Lists (ACLs) allow a router to permit or deny packets based on a variety of
criteria. The ACL is configured in global mode, but is applied at the interface level. An ACL
does not take effect until it is expressly applied to an interface with the ip access-group
command. Packets can be filtered as they enter or exit an interface.
If a packet enters or exits an interface with an ACL applied, the packet is compared against the
criteria of the ACL. If the packet matches the first line of the ACL, the appropriate “permit” or
“deny” action is taken. If there is no match, the second line’s criterion is examined. Again, if
Each of these rules has some powerful implications when filtering IP and IPX packets with
There are two types of access lists used with IP and IPX:
Standard access lists
These use only the source IP address in an IP packet to filter the network. This basically permits
or denies an entire suite of protocols. IPX standard access lists can filter on both source and
destination IPX address.
Extended access lists
These check for both source and destination IP address, the protocol field in the Network layer
header, and the port number in the Transport layer header. IPX extended access lists use source and
destination IPX addresses, Network layer protocol fields, and socket numbers in the Transport
Define In, Out, Inbound, Outbound, Source, and Destination
The router uses the terms in, out, source, and destination as references. Traffic on the router can
be compared to traffic on the highway. If you were a law enforcement officer in Pennsylvania
and wanted to stop a truck going from Maryland to New York, the source of the truck is
Maryland and the destination of the truck is New York. The roadblock could be applied at the
Pennsylvania–New York border (out) or the Maryland–Pennsylvania border (in).
When you refer to a router, these terms have these meanings.
Out—Traffic that has already been through the router and leaves the interface. The
source is where it has been, on the other side of the router, and the destination is where it
In—Traffic that arrives on the interface and then goes through the router. The source is
where it has been and the destination is where it goes, on the other side of the router.
Inbound —If the access list is inbound, when the router receives a packet, the Cisco IOS
software checks the criteria statements of the access list for a match. If the packet is
permitted, the software continues to process the packet. If the packet is denied, the
software discards the packet.
Outbound—If the access list is outbound, after the software receives and routes a packet
to the outbound interface, the software checks the criteria statements of the access list for
a match. If the packet is permitted, the software transmits the packet. If the packet is
denied, the software discards the packet.
Standard IP Access Lists
Standard IP access lists filter the network by using the source IP address in an IP packet.
You create a standard IP access list by using the access list numbers 1–99.
Here is an example of the access list numbers that you can use to filter your network.
The different protocols that you can use with access lists depend on your IOS version.
<1-99> IP standard access list
<100-199> IP extended access list
<200-299> Protocol type-code access list
<300-399> DECnet access list
<400-499> XNS standard access list
<500-599> XNS extended access list
<600-699> Appletalk access list
<700-799> 48-bit MAC address access list
<800-899> IPX standard access list
<900-999> IPX extended access list
<1000-1099> IPX SAP access list
<1100-1199> Extended 48-bit MAC address access list
<1200-1299> IPX summary address access list
By using the access list numbers between 1–99, you tell the router that you want to create a
standard IP access list.
RouterA(config)#access-list 10 ?
deny Specify packets to reject
permit Specify packets to forward
After you choose the access list number, you need to decide if you are creating a permit or deny
list. For this example, you will create a deny statement:
RouterA(config)#access-list 10 deny ?
Hostname or A.B.C.D Address to match
any Any source host
host A single host address
The next step requires a more detailed explanation. There are three options available. You can
use the any command to permit or deny any host or network, you can use an IP address to
specify or match a specific network or IP host, or you can use the host command to specify a
specific host only.
Here is an example of using the host command:
RouterA(config)#access-list 10 deny host 172.16.30.2
This tells the list to deny any packets from host 172.16.30.2. The default command is host. In
other words, if you type access-list 10 deny 172.16.30.2, the router assumes you
mean host 172.16.30.2.
However, there is another way to specify a specific host: you can use wildcards. In fact, to
specify a network or a subnet, you have no option but to use wildcards in the access list.
Extended IP Access Lists
In the standard IP access list example, notice how you had to block the whole subnet from
getting to the finance department. What if you wanted them to gain access to only a certain
server on the Finance LAN, but not to other network services, for obvious security reasons? With
a standard IP access list, you can’t allow users to get to one network service and not another.
However, extended IP access lists allow you to do this. Extended IP access lists allow you to
choose your IP source and Destination address as well as the protocol and port number, which
identify the upper-layer protocol or application. By using extended IP access lists, you can
effectively allow users access to a physical LAN and stop them from using certain services.
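As an added example, not code from the original text, the Python below evaluates IOS-style access lists the way the text describes them: lines are compared in order, the first match decides, and a packet that matches nothing falls through to the implicit deny. It covers both the standard lists of the previous section, including the wildcard-mask form (where a bare address means a single host, exactly as the text says) and the extended lists of this section, with protocol, destination and an "eq" port. The access-list lines and packets are constructed for the example; only the numeric "eq <port>" operator is parsed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IOS_KEYWORDS = {"any", "host", "eq", "gt", "lt", "neq", "range"}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A wildcard bit of 1 means "don't care"; bits set to 0 must match exactly.
    So 0.0.0.0 matches exactly one host and 0.0.0.255 matches a whole /24."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str = "ip"            # "ip", "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass
class Ace:
    """One access control entry (one access-list line)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # only "eq <port>" is supported here

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src_ip, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst_ip, self.dst, self.dst_wc):
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


def _address(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse one address spec at tokens[i]: any | host A.B.C.D | A.B.C.D [W.W.W.W]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens) and tokens[i + 1] not in IOS_KEYWORDS:
        return tokens[i], tokens[i + 1], i + 2
    return tokens[i], "0.0.0.0", i + 1       # a bare address means a single host


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny ...' (standard 1-99, extended 100-199)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    number, action = int(t[1]), t[2]
    if 1 <= number <= 99:
        src, src_wc, _ = _address(t, 3)
        return Ace(action, "ip", src, src_wc)
    if 100 <= number <= 199:
        proto = t[3]
        src, src_wc, i = _address(t, 4)
        dst, dst_wc, i = _address(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        return Ace(action, proto, src, src_wc, dst, dst_wc, port)
    raise ValueError(f"not an IP access list number: {number}")


def evaluate(acl_lines: List[str], pkt: Packet) -> str:
    """First matching line decides; a packet matching no line hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed lists in the text's own style
STANDARD = ["access-list 10 deny 172.16.30.2",
            "access-list 10 permit 172.16.30.0 0.0.0.255"]
EXTENDED = ["access-list 110 deny tcp any host 172.16.30.2 eq 23",
            "access-list 110 permit ip any any"]

if __name__ == "__main__":
    print(evaluate(STANDARD, Packet("172.16.30.9", "10.0.0.1")))           # permit
    print(evaluate(STANDARD, Packet("172.16.40.1", "10.0.0.1")))           # deny (implicit)
    print(evaluate(EXTENDED, Packet("10.1.1.5", "172.16.30.2", "tcp", 23)))  # deny
    print(evaluate(EXTENDED, Packet("10.1.1.5", "172.16.30.2", "tcp", 80)))  # permit
```

Two things worth checking against any real list: a standard list that only carries deny lines blocks everything, because nothing reaches a permit before the implicit deny; and in the extended list the deny for telnet is specific to TCP, so a UDP packet to port 23 matches the "permit ip any any" line instead.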
Here is an example of an extended IP access list. The first command shows the access list
numbers available. You’ll use the extended access list range from 100 to 199.
At this point, you need to decide what type of list entry you are making. For this example, you’ll
choose a deny list entry.
RouterA(config)#access-list 110 ?
deny Specify packet
dynamic Specify a DYNAMIC list of PERMITs or DENYs
permit Specify packets to forward
Once you choose the access list type, you must choose a Network layer protocol field entry. It is
important to understand that if you want to filter the network by Application layer, you must
choose an entry here that allows you to go up through the OSI model. For example, to filter by
Telnet or FTP, you must choose TCP here. If you were to choose IP, you would never leave the
Network layer, and you would not be allowed to filter by upper-layer applications.
RouterA(config)#access-list 110 deny ?
<0-255> An IP protocol number
eigrp Cisco's EIGRP routing protocol
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Once you choose to go up to the Application layer through TCP, you will be prompted for the
source IP address of the host or network. You can choose the any command to allow any source
RouterA(config)#access-list 110 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
After the source address is selected, the destination address is chosen.
RouterA(config)#access-list 110 deny tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
In the example below, any source IP address that has a destination IP address of 172.16.30.2 has
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 ?
eq Match only packets on a given port number
established Match established connections
fragments Check fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
tos Match packets with given TOS value
Now, you can press Enter here and leave the access list as is. However, you can be even more
specific: once you have the host addresses in place, you can specify the type of service you are
denying. The following help screen gives you the options. You can choose a port number or use
the application or even the program name.
RouterA(config)#access-list 110 deny tcp any host 172.16.30.2 eq ?
<0-65535> Port number
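The matching rules described above for standard and extended lists (wildcard masks, the host and any shorthands, first match wins, the implicit deny at the end, and why only an extended list can single out one service on a host) can be checked with this added Python simulation. It is not code from the original text or from Cisco; the 172.16.40.0/24 subnet, the Telnet port 23 and the sample packets are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # what the 'any' keyword expands to
MASK32 = 0xFFFFFFFF

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 255.255.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & MASK32
    return (a & care) == (b & care)

@dataclass
class Entry:
    action: str                       # 'permit' or 'deny'
    src: str
    src_wc: str
    dst: str = ANY[0]                 # a standard list never looks at the destination
    dst_wc: str = ANY[1]
    proto: Optional[str] = None       # None = 'ip' (any protocol); else 'tcp', 'udp', 'icmp'
    dst_port: Optional[int] = None    # 'eq <port>' on an extended entry

def evaluate(acl: List[Entry], pkt: Dict) -> str:
    """First matching entry decides; every list ends with an implicit 'deny any'."""
    for e in acl:
        if not wildcard_match(pkt["src"], e.src, e.src_wc):
            continue
        if not wildcard_match(pkt["dst"], e.dst, e.dst_wc):
            continue
        if e.proto is not None and e.proto != pkt["proto"]:
            continue
        if e.dst_port is not None and e.dst_port != pkt.get("dport"):
            continue
        return e.action
    return "deny"

# Constructed: access-list 10 deny 172.16.40.0 0.0.0.255 / access-list 10 permit any
STANDARD_10 = [Entry("deny", "172.16.40.0", "0.0.0.255"), Entry("permit", *ANY)]

# Constructed: access-list 110 deny tcp any host 172.16.30.2 eq 23
#              access-list 110 permit ip any any
EXTENDED_110 = [
    Entry("deny", *ANY, "172.16.30.2", "0.0.0.0", "tcp", 23),
    Entry("permit", *ANY),
]
```

With these two lists, a web packet from the blocked subnet to 172.16.30.2 is denied by list 10 but permitted by list 110, while a Telnet packet to the same host is denied by both.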
Monitoring IP Access Lists
It is important to be able to verify the configuration on a router. The following commands can be
used to verify the configuration:
show access-list: Displays all access lists and their parameters configured on the router. This command does not show you which interface the list is set on.
show access-list 110: Shows only the parameters for access list 110. This command does not show you the interface the list is set on.
show ip access-list: Shows only the IP access lists configured on the router.
show ip interface: Shows which interfaces have access lists set.
show running-config: Shows the access lists and which interfaces have access lists set.
A server is primarily a program that runs on a machine, providing a particular and specific service to
other machines connected to the machine on which it is found.
Nowadays, server functionality has become so rich, complex and varied in nature that there are
whole very powerful computers dedicated exclusively to being servers. This has led many non-technical
people to refer to servers as the machines that run services.
A network server is a computer designed to process requests and deliver data to other (client) computers
over a local network or the Internet. Network servers typically are configured with additional
processing, memory and storage capacity to handle the load of servicing clients.
DHCP (Dynamic Host Configuration Protocol) is a protocol that allows a central
computer to automatically assign the TCP/IP network configuration to
individual workstations on a private network.
With DHCP enabled it suffices to select the "Obtain an IP address
automatically" option in the TCP/IP configuration on the private network. The DHCP
Server then takes over the responsibility of assigning the TCP/IP parameters,
significantly reducing the burden of network maintenance.
How Does DHCP Work?
At boot time the computer has no network parameters assigned to it. The
following list provides an overview of the typical network parameters:
• IP address and network mask
• Default route/gateway: an IP address which will be used for forwarding
packets whose destinations are beyond the local network
• DNS servers for resolving Internet names (e.g. internet.com) to IP
• Workstation parameters, e.g., domain name or workgroup/workstation
• Static routes
• IP forwarding setting
• MTU size
• Other settings (a complete list can be found in the DHCP RFCs)
• Static configuration.
With static configuration, the client computer uses pre-configured network parameters. The
disadvantages of this approach include the possibility of IP address conflicts and the
administrative issues possible when manually configuring many internal clients.
• DHCP configuration (automatic).
With automatic configuration, the computer obtains its network parameters from the DHCP
Server. This way the IP addresses are automatically managed and accordingly address conflicts
are avoided. If manual and automatic network configurations are used together, the administrator
must ensure that the DHCP Server won't assign IP addresses used by manually-configured
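The two configuration styles just contrasted, and the requirement that a DHCP server never hand out an address a manually configured host already uses, can be modelled with this added Python lease allocator. It is not code from the original text or from any DHCP server; the address range, the static addresses and the lease time are constructed values.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple

class DhcpPool:
    """Lease allocator for one address range (constructed example). Addresses in
    `static` belong to manually configured hosts and are never offered, which
    avoids the address conflict the text warns about when the two styles mix."""

    def __init__(self, first: str, last: str, static: Set[str], lease_secs: int = 3600):
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        self.candidates = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
        self.static = set(static)
        self.lease_secs = lease_secs
        self.leases: Dict[str, Tuple[str, float]] = {}   # client MAC -> (ip, expiry)

    def overlapping_static(self) -> Set[str]:
        """Static addresses that fall inside the dynamic range and are skipped."""
        return self.static & set(self.candidates)

    def offer(self, mac: str, now: float) -> Optional[str]:
        """Return the address to put in a DHCPOFFER, or None when nothing is free."""
        # Drop expired leases so their addresses return to the free pool.
        self.leases = {m: l for m, l in self.leases.items() if l[1] > now}
        if mac in self.leases:                  # a renewing client keeps its address
            ip = self.leases[mac][0]
            self.leases[mac] = (ip, now + self.lease_secs)
            return ip
        busy = {ip for ip, _ in self.leases.values()} | self.static
        for ip in self.candidates:
            if ip not in busy:
                self.leases[mac] = (ip, now + self.lease_secs)
                return ip
        return None                             # pool exhausted, no offer is made
```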
How to configure the DHCP server.
Once you have considered the implications of DHCP in your network, you are ready to get
started with the simple configuration.
For a small network, the configuration of the DHCP Server is not very challenging and the InJoy
DHCP Server Plugin is deliberately designed to be extremely simple. In fact, in the InJoy
Firewall™, you can immediately enable the DHCP Server and have it operational in less than a
minute. Here is how.
The Domain Name System (DNS) is a standard technology for managing the names of Web sites
and other Internet domains. DNS technology allows you to type names into your Web browser
like compnetworking.about.com and your computer to automatically find that address on the
Internet. A key element of the DNS is a worldwide collection of DNS servers. What, then, is a
Answer: A DNS server is any computer registered to join the Domain Name System. A DNS
server runs special-purpose networking software, features a public IP address, and contains a
database of network names and addresses for other Internet hosts.
DNS servers communicate with each other using private network protocols. All DNS servers are
organized in a hierarchy. At the top level of the hierarchy, so-called root servers store the
complete database of Internet domain names and their corresponding IP addresses. The Internet
employs 13 root servers that have become somewhat famous for their special role. Maintained by
various independent agencies, the servers are aptly named A, B, C and so on up to M. Ten of
these servers reside in the United States, one in Japan, one in London, UK and one in Stockholm,
DNS Server Hierarchy
The DNS is a distributed system, meaning that only the 13 root servers contain the complete
database of domain names and IP addresses. All other DNS servers are installed at lower levels
of the hierarchy and maintain only certain pieces of the overall database.
Most lower level DNS servers are owned by businesses or Internet Service Providers (ISPs). For
example, Google maintains various DNS servers around the world that manage the google.com,
google.co.uk, and other domains. Your ISP also maintains DNS servers as part of your Internet