1 Table of Contents
1 Table of Contents ..... 1
2 Reliable and Secure Campus LAN Switching ..... 2
2.1 Basic Wireless Router Configurations ..... 3
2.2 Configuring Multiple Wifi for seamless roaming and less congestion ..... 5
2.3 Configuring Wireless MAC Address Filtering on Linksys WRT 300 N ..... 7
2.3.1 What is a MAC Address ..... 7
2.3.2 Implementation of Wireless MAC Address Filtering ..... 7
2.4 Broadcast & Collision Domains, CSMA/CD, and VLAN ..... 9
2.4.1 What is a broadcast domain? ..... 9
2.4.2 Collision domains and role of CSMA/CD ..... 9
CSMA/CD (Carrier Sense Multiple Access with Collision Detection) ..... 12
2.4.3 What is a VLAN? ..... 12
2.5 IP Addressing ..... 13
2.5.1 What is an IP Address? ..... 13
2.5.2 IP Addresses (Binary to Decimal and Decimal to Binary Conversion) ..... 14
2.5.3 Public and Private IP Addresses ..... 16
2.5.4 Classes of IP Addresses ..... 16
2.5.5 Subnetting ..... 19
2.6 Configuring VLANs on Cisco Switch ..... 25
2.7 Configuring Trunk Ports on Cisco Switches ..... 27
2.7.1 Access Port ..... 27
2.7.2 Trunk Port ..... 27
2.7.3 Trunk Configuration commands on Cisco Switches and Routers ..... 27
2.8 Configuring DHCP on Cisco 3560 Switch ..... 28
2.8.1 What is Dynamic Host Configuration Protocol (DHCP)? ..... 28
2.8.2 What is the DHCP Scope? ..... 28
2.8.3 DHCP Configuration commands ..... 29
2.9 Configuring InterVLAN Routing on Cisco 3560 Switch ..... 30
2.10 Access Control List (ACL) ..... 32
2.10.1 What is ACL? ..... 32
2.10.2 Standard access list ..... 32
2.10.3 Extended access list ..... 32
2.10.4 Named access list ..... 32
2.10.5 Access Control List configuration command on a Cisco 3560 switch ..... 33
2 Reliable and Secure Campus LAN Switching
Suppose this is your first day in the office as a Cisco Network Engineer and your supervisor hands you a complex
network diagram and tasks you with interconnecting the devices of different departments. Your task is to achieve
the following goals:
• Everyone in the branch must have access to the internet and the e-mail server.
• The CEO should have access to all servers, printers, and computers.
• Only the finance department must have access to the finance server, printer, and computers.
• Only the operations department must have access to the operations printer and computers.
• Computers in the finance department may communicate with each other but not with computers of another
department, and the same goes for the operations department.
• No employee can access the computers and printers of managers, the CEO or the CFO.
• Managers can access the computers of their respective department.
The network diagram that you need to complete is shown below.
You are expected to finish the project in a short time and have no clue where to start. We are here to help
you out in a step by step fashion. As time progresses we will keep increasing the complexity of the
network by adding more devices and scenarios, interconnected with each other securely.
2.1 Basic Wireless Router Configurations
The first step is to bring the CEO and CFO laptops and printers onto a local area network using a Linksys WRT 300 N router,
so that they can start using the network printer and sharing files with each other. We will also connect the Linksys WRT
300 N router to the internet so that senior executives have internet access. It is assumed that your DSL
modem has already been configured for internet access by the service provider. Connect the Internet port of the router to
the Ethernet port of the DSL modem.
Open the GUI of the Linksys WRT 300 N and follow the steps below:
• Give the router the IP address 192.168.1.1 with a subnet mask of 255.255.255.0.
• Enable the DHCP Server with a start IP address of 192.168.1.33 and the maximum number of users set to 10.
• Now click on Wireless, then Basic Wireless Settings, and set the SSID to NY Branch.
• Now Click on the wireless and then basic wireless setting and set the SSID as NY Branch
• Now click on Wireless Security, set the security mode to “WPA2 Personal”, set the encryption to “AES”
and set your secret passphrase for WiFi connectivity.
Your Linksys WRT 300 N is now configured for internet access and file & printer sharing. You can connect the CFO and
CTO laptops to the wifi network “NY Branch” and connect the printer to a LAN port of the Linksys WRT 300 N using a
straight UTP cable. Assign the IP address 192.168.1.201 to the printer with a subnet mask of 255.255.255.0.
The CTO and CFO can now browse the internet, send prints to the network printer and share files with each other.
We will discuss IP addressing and subnetting in detail later, but for the time being the following IP addressing scheme
will be handy to keep in mind:
Servers and Networking Devices    192.168.1.1 – 192.168.1.30
Laptops, Desktops and Tablets     192.168.1.33 – 192.168.1.190
Printers                          192.168.1.201 – 192.168.1.250
2.2 Configuring Multiple Wifi for seamless roaming and less congestion
Below is what you accomplished on Day 1, i.e. bringing the C level executives onto a local area network (LAN) and
the internet using a Linksys WRT 300 N router.
You now need to move on and bring the managers’ laptops and printer onto the network. We are adding another,
performance related, requirement here:
• The SSID and security key of both Linksys WRT 300 N routers should be the same.
Below are the advantages of keeping the SSID and security key the same on both wireless access points (APs) / routers:
• Users are able to roam between the two locations seamlessly without facing any disconnection.
• You are able to accommodate double the number of users on the same wireless network.
You will configure the managers’ wireless router (Linksys WRT 300 N) exactly the same way as you configured
the wireless router on Day 1, except for three changes:
1. In the wireless settings, set the wireless channel to 1 for router-1 and to 6 for router-2. This keeps the
two wireless signals in non-overlapping channels, thus doubling the number of users that can be
accommodated.
2. Assign the IP address 192.168.1.2 to the managers’ wireless router.
3. Enable DHCP on the managers’ router with a start IP address of 192.168.1.43 and the maximum number
of users set to 10.
Assign the IP address 192.168.1.202 to the managers’ printer with a default gateway of 192.168.1.2 and connect it
to a LAN port of the managers’ wireless router (Linksys WRT 300 N).
There must be a communication channel between the two wireless routers so that wireless clients connecting to the
managers’ wifi can get an IP address assigned by the DHCP server running on the C level wireless router. Here comes the role of
our access switch, a Cisco 2950: connect a LAN port of each wireless router to a Fast Ethernet port of the Cisco
2950 switch using a crossover UTP cable.
The next step is to connect your DSL modem or internet CPE to an Ethernet port of the Cisco 2950. At this point
internet connectivity is operational for managers and C level executives, and they can access each other's laptops
and printers. Below is how your network looks today.
Below is how your IP addressing scheme looks now:
Servers and Networking Devices                          192.168.1.1 – 192.168.1.30
  C Level Wireless Router                               192.168.1.1
  Managers’ Wireless Router                             192.168.1.2
Laptops, Desktops and Tablets                           192.168.1.33 – 192.168.1.190
  Dynamic client IPs, DHCP server on C Level router     192.168.1.33 – 192.168.1.42
  Dynamic client IPs, DHCP server on Managers’ router   192.168.1.43 – 192.168.1.52
Printers                                                192.168.1.201 – 192.168.1.250
  C Level Printer                                       192.168.1.201
  Managers’ Printer                                     192.168.1.202
2.3 Configuring Wireless Mac Address Filtering on Linksys WRT 300 N
The problem we inherited from the previous scenario is that wireless clients connect to either wireless access
point at random, as the SSID and security key are the same on both. We did this to implement seamless roaming, but it
leaves us with a serious information security concern. The solution is to implement wireless MAC address
filtering, which allows us to specify which wireless clients are allowed to connect to a particular wireless
access point.
First we need to understand what wireless MAC address filtering is, and then we will implement it on the Linksys WRT
300 N.
2.3.1 What is a MAC Address
A Media Access Control address (MAC address) is a unique identifier assigned to network interfaces for
communications on the physical network segment. MAC addresses are most often assigned by the manufacturer
of a network interface card (NIC) and are stored in its hardware, the card's read-only memory.
2.3.2 Implementation of Wireless MAC Address Filtering
Wireless MAC address filtering is a method by which you control access to your network device from
unauthorized devices by defining a list of authorized MAC addresses which are allowed to connect to it.
You can obtain the MAC address of the wireless NIC of the CEO laptop by going to the command prompt and typing
ipconfig /all.
Below is the result of the command; the MAC address is the Physical Address line:
Physical Address................: 0090.2B41.3871
IP Address......................: 192.168.1.36
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 192.168.1.1
DNS Servers.....................: 0.0.0.0
Now you will add this MAC address to the allowed wireless client list in your C level router and deny access to all
other devices.
• Open the GUI of the C level wireless router.
• Click on Wireless, then Wireless MAC Filter.
• Check “Enable”.
• Check “Permit PCs listed below to access wireless network”.
You can add up to 50 wireless clients to the list.
Repeat the same process for the CFO laptop.
Add the wireless MAC addresses of the operations manager’s and finance manager’s laptops to the allowed client list on the managers’
router.
Here you go: only C level executives will be able to connect to the C level router and only managers will be able
to connect to the managers’ router. You have also added a layer of security by only authorizing trusted wireless
clients. If someone gets to know the SSID and security key of your wifi, he/she still cannot access your wifi
network.
Your task is not finished yet; the following is a serious information security issue in the above network:
C level wireless clients and printers are in the same broadcast domain as the managers’ devices, and managers can access C level
executives’ devices. In the next topics we will learn what broadcast domains, collision domains and IP addressing are, and
how we can use VLANs to create multiple broadcast domains and segregate traffic between different networks.
2.4 Broadcast & Collision Domains, CSMA/CD, and VLAN
We carried the following problem over from our last network diagram:
All wireless clients are in the same broadcast domain and are able to communicate with each other.
The solution is to create multiple broadcast domains on a single switch using VLANs. First we have to understand
what a broadcast domain is, what a collision domain is, and what the role of CSMA/CD is. We will also
learn IP addressing before jumping into VLAN configuration.
2.4.1 What is a broadcast domain ?
In an Ethernet LAN, the set of terminals that receive a broadcast transmitted by any one of the terminals in the
same network is known as a broadcast domain. On switches that have no support for virtual LANs (VLANs),
the switch simply sends all broadcasts out of all interfaces, except the interface on which it received
the frame. Consequently, all the interfaces on an individual switch are in a single broadcast domain.
Also, if the switch attaches to other switches and hubs, the interfaces on those switches and hubs
are also in the same broadcast domain.
2.4.2 Collision domains and role of CSMA/CD
Just imagine yourself in the old world of hubs and repeaters. As you know, repeaters were used in the network
to regenerate the signal so that it could be transmitted over longer distances. Consider the simple network topology
given below:
In the above network, all the hosts are connected to a hub. If PC1 sends some packets to PC0, the packets will
be broadcast to all the hosts on the hub; that is why a hub is a single broadcast domain. In such a
scenario it is quite possible that while PC1 is sending packets, PC2 is also sending packets at the same
instant; as the medium is shared, the chances of a packet collision are high. From this we can
conclude that a hub is a single broadcast domain and a single collision domain.
The major drawback of such a network is that if we increase the number of hosts in the above network, there will
be unnecessary broadcasts and collisions, which will ultimately affect network performance and cause
unbearable latency and congestion in the network.
So to avoid such a case we use a switch. A switch is a data link layer device. The switch learns the MAC addresses
of all the hosts connected to its interfaces using ARP (Address Resolution Protocol). Once the MAC addresses are
learned by the switch and maintained in its CAM table, the switch will not send unnecessary broadcasts.
A switch only broadcasts a frame when it does not know where the destination host is; once it has learned the
host's port, it never broadcasts again to find that host. A rule of thumb to remember is that each switch port is a collision domain and
each switch is a single broadcast domain. This is illustrated in the diagram below:
A few more things to remember: each switch has a single broadcast domain by default; the number of broadcast domains can be
increased by creating VLANs on the switch. For example, 2 VLANs will create two broadcast domains on a switch.
One more point: each interface of a router is a single broadcast domain and a single collision domain.
CSMA/CD (Carrier Sense Multiple Access with Collision Detection) is a media access mechanism used on
shared Ethernet to avoid collisions between different packets. Suppose we have two stations, A and B, on our shared Ethernet
medium. In the language of CSMA, station A first scans the shared Ethernet medium, i.e. listens for any
ongoing packet transmission on the medium. If it senses packets on the medium, it refrains from transmitting; if it
senses that the link is free, it transmits its packets.
If at the same instant station B is also transmitting, station A will sense the collision and will back off for a
certain amount of time (mostly in milliseconds); this is how it avoids collisions of packets in the network. In reality
the collision is detected by voltage changes. Everyone on the network is notified about the collision via a jam
signal and the hosts stop sending data. After a random timer the hosts again start scanning or listening to the
network, and if it is free they start sending packets.
Use of CSMA/CD is now obsolete in modern networks; switches and full duplex connections don’t use CSMA/CD
any more. But it was one of the best protocols of the good old days!
2.4.3 What is a VLAN ?
A VLAN is a group of ports which acts as an independent switch inside a switch. By default, ports in different VLANs
cannot communicate with each other; however, communication between different VLANs can be made possible
using inter-VLAN routing. An access switch port can be part of one VLAN only, while a trunk port may carry the traffic
of multiple VLANs. Configuring VLANs in a network of Cisco switches is done by defining the VLAN number and
associating the switch ports with the VLAN.
2.5 IP Addressing
It's time to learn IP addressing before jumping into VLAN configuration. In real life, we as human beings
trace each other via the use of different sorts of addresses and location services. The same pattern was applied
when computer networks were designed, in the form of IP addressing. An IP address is just like the home
address of a computer node! As is the rule in real life, when we want to send some mail, we write a destination
address on it and it is delivered by the postal service to the person concerned. The same is the case in computer
networks: when one computer wants to send some data to another computer, it writes down the destination
address on the data (a packet, in computer networks) and the packet is sent via the postal service (our network
services) of the computer system.
2.5.1 What is an IP Address ?
In simple words, an IP address is a decimal representation of the address of a network node, which
enables nodes to exchange data packets with each other and hence run many network applications. So what is IP the
abbreviation of? Internet Protocol, so simple!
The evolution of the IP address began in 1969. The original IP address was of 5 bits only! Which means, according to
binary calculations, it was able to cover a network of only 32 nodes (2 to the power of 5 = 32), which was
enough at that time for the experimental requirements of the day, mostly the interconnection of different
research organizations. Gradually it was increased to 32 bits, the range currently used in IPv4, which is enough
for only around 4 billion network nodes! (Only? Yes, because it has become short for the ever expanding human
world; that’s why the techno geeks have moved toward IPv6.) Especially the advent of smart phones and smart sensor
devices, which are able to connect to the internet through easily available wifi spots and 3G cellular connections, will
make it possible in the near future that a tech savvy person carries around 4 to 10 devices with him/her,
each with a public IP address.
In technical terms, an IPv4 address is represented by 4 blocks, each separated by a dot (.) and each block composed of 8
bits, represented as follows:
00000000.00000000.00000000.00000000
10000000.00000000.00000000.00000000
11000000.00000000.00000000.00000000
Don’t give up if you are learning this for the first time: IP addresses are not written in binary, as it would not
be possible for everyone to remember the binary digits; for ease they are written as the decimal representation of
their binary form.
So the IP address 192.168.100.2 and 11000000.10101000.01100100.00000010 are the same.
In simple words, each block can be written as:
11000000 = 192
10101000 = 168
01100100 = 100
00000010 = 2
Now that we have discussed IP addressing and its representation/bit requirements, we will have a little
discussion on how to convert from binary to decimal and from decimal to binary.
2.5.2 IP Addresses (Binary to Decimal and Decimal to Binary Conversion )
Now we will discuss how to convert the binary representation of an IP address into a decimal one and vice versa. We
will take the following sample IP address:
11000000.10101000.01100100.00000010
Each block is made up of 0s and 1s; 0 and 1 in binary represent the Off and On states respectively. We will use the chart below to
convert the above binary into decimal, or base 10. To convert the first octet (an octet is composed of 8
bits) into decimal:
11000000 = 1*128 + 1*64 + 0*32 + 0*16 + 0*8 + 0*4 + 0*2 + 0*1 = 128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192
10101000 = 1*128 + 0*64 + 1*32 + 0*16 + 1*8 + 0*4 + 0*2 + 0*1 = 128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168
And so on.
In the above conversion process each bit in 11000000 is multiplied by the decimal value of its bit position,
starting from the least significant bit up to the most significant bit. Please remember the chart below
for efficient conversion of binary into decimal:
Bit value   128  64  32  16   8   4   2   1
The 8th bit position is multiplied by 128, the 7th bit position by 64, and so on!
Conversion from decimal to binary is a little tricky. Suppose we want to convert 15 from decimal into binary.
Consider the chart below: which combination of values added together gives a sum of 15? After a little
brainstorming on the chart we conclude that 8+4+2+1 sums up to 15, so we will set these bits to ON (1) and
turn OFF (0) all the remaining bits:
Bit value   128  64  32  16   8   4   2   1
Bit state     0   0   0   0   1   1   1   1
So the resulting value of 15 in 8 bit binary representation is 00001111! Another example to solidify the
concept:
Conversion of 130 into binary:
130 can be made by summing 128 and 2, so we turn these bits ON and turn OFF the remaining bits:
Bit value   128  64  32  16   8   4   2   1
Bit state     1   0   0   0   0   0   1   0
So 130 = 10000010 in binary. I hope now you can easily convert between binary and decimal. The interesting
thing about the above chart is that it can be used for binary to decimal conversion as well. Suppose we want to
convert 11100100 into decimal: simply put these digits in their bit positions and then add up the
corresponding decimal values to get the result.
Bit value   128  64  32  16   8   4   2   1
Bit state     1   1   1   0   0   1   0   0
= 128 + 64 + 32 + 4 = 228
Please do the following examples yourself to clarify the concepts:
Convert 192.168.140.20 into binary.
Convert 11110011 into decimal.
After learning conversion between decimal and binary notation, we will turn our focus to private and public IP
addresses and the classes of IP addresses.
2.5.3 Public and Private IP Addresses
Continuing our IP addressing discussion: IP addresses can be further divided into private IP addresses and public
IP addresses. Private IP addresses were introduced to preserve IP address space. Private IP addresses are used
on the internal network and are never advertised to the public network. Private IP addresses are defined in the
ranges below:
10.0.0.0 – 10.255.255.255 (16,777,216 addresses)
172.16.0.0 – 172.31.255.255 (1,048,576 addresses)
192.168.0.0 – 192.168.255.255 (65,536 addresses)
Private IP addresses go through a process of NATing (Network Address Translation) if they need to communicate with the public internet.
Public addresses are those addresses which are advertised on the public network, inter-networks etc.
2.5.4 Classes of IP Addresses
Several classes of IP addresses have been defined for network identification and network address assignment
according to design requirements. For these classes numeric ranges were defined, and each range can be used for a
specific number of host and network addresses. The IP address classes are A, B, C, D and E. Each class has its own host
and network ranges. The IP address classes were developed keeping in mind the need to accommodate both large
companies with a lot of hosts and small companies with minimal host requirements!
The ranges used mostly on public networks are Classes A, B and C. Classes D and E are used for special
purposes:
• Class D: this range of IP addresses is used for multicast addressing requirements.
• Class E: this range is reserved for research and scientific purposes.
Before moving forward with the class discussion, let us discuss one more important aspect of IP addressing. IP
addressing is a hierarchical design. The telephone number system is the best example of a hierarchical design
model: a telephone number is composed of a country code, an area code and a local exchange code. The same is
true for an IP address. An IP address is made of two parts: one part is called the network portion and the second
part is called the host portion. The network portion of the IP address is used to keep track of the domain to
which a specific host belongs, and the host portion of the IP address is used to trace the machine or
computer node.
Below we will discuss Classes A, B and C in more detail.
2.5.4.1 Class A IP Addresses:
The first octet of a Class A address makes up the network portion, and its most significant bit is always off. All
other three octets denote the host portion. Simply, we can write:
N.H.H.H
0xxxxxxx.H.H.H
If we want to calculate the range of Class A IP addresses, we proceed as follows:
00000000.H.H.H (0.H.H.H)
01111111.H.H.H (127.H.H.H)
If the first octet of an IP address is in the range 0-127, then that IP address belongs to Class A! But as you know,
the 127.0.0.1 range is reserved for the loopback interface and we can’t use it for Class A, and we also cannot use an IP address
starting with 0, so the revised range is 1-126! A few examples of Class A IP addresses are:
10.0.0.1
100.2.3.1
110.130.13.4
123.4.1.110
2.5.4.2 Class B IP Addresses:
The first two octets of a Class B IP address make up the network portion, and the other two octets make up
the host portion. In dotted representation it can be given as:
N.N.H.H
The two most significant bits of the first octet are kept at 10:
10xxxxxx.xxxxxxxx.H.H
So the range of the Class B IP address space can be calculated from its first octet as follows:
10000000 to 10111111 (128 – 191)
Some examples of Class B IP addresses are:
130.50.3.3
170.16.3.1
172.31.3.3
2.5.4.3 Class C IP Addresses:
The first three 8 bit portions of a Class C IP address make up the network portion, and the last one denotes
the host portion. It can be simplified as:
N.N.N.H
The three most significant bits are kept at 110 regardless of how the other bit positions change. So the range of the Class C IP address
space can be calculated as:
110xxxxx.xxxxxxxx.xxxxxxxx.H
11000000 – 11011111
192 – 223
Some examples of Class C IP addresses are:
192.168.100.3
220.221.120.135
210.49.66.110
All of the above discussion regarding IP address classes can be summed up in the table below:
Class                 1st Octet Range   Usable Network and Host IDs
Class A (N.H.H.H)     1-126             Networks: 2^8-2,  Hosts: 2^24-2
Class B (N.N.H.H)     128-191           Networks: 2^16-2, Hosts: 2^16-2
Class C (N.N.N.H)     192-223           Networks: 2^24-2, Hosts: 2^8-2
Two more ranges for your technical mind:
Class D: Multicast range: 224 – 239 (Example: 224.0.0.9)
Class E: IP address range for R&D: 240 – 255 (Example: 241.0.0.9)
2.5.5 Subnetting:
One of the most important topics in computer networks and the Cisco realm is subnetting. The main motivation
behind subnetting was the best utilization of the scarce resource of available IP addresses. In simple words,
subnetting is the process of taking a single network address and creating further, smaller network IDs from it,
called subnets (sub networks). In the process of subnetting, bits are borrowed from the host portion of an
IP address, and the borrowed bits are added to the subnet mask of that IP address. We will further clarify the
subnetting process via different examples. The main goal behind subnetting a given network address is to create
our required number of smaller network IDs and to achieve our desired number of hosts per subnet ID.
2.5.5.1 What is a Subnet Mask?
We will end this discussion with the subnet mask. A subnet mask is used by routers and end machines to check
which network a host belongs to. The network ID of an IP address is calculated by a logical AND of the subnet
mask with the IP address. Each class has its own default subnet mask:
Class A subnet mask: 255.0.0.0, also denoted by /8
In binary: 11111111.00000000.00000000.00000000
Class B subnet mask: 255.255.0.0, also denoted by /16
In binary: 11111111.11111111.00000000.00000000
Class C subnet mask: 255.255.255.0, also denoted by /24
In binary: 11111111.11111111.11111111.00000000
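As an added example (not part of the original document), the 128-to-1 conversion chart of 2.5.2, the private ranges of 2.5.3, the first-octet class ranges of 2.5.4 and the logical AND of 2.5.5.1 written out in Python; the function names are my own.

```python
# Added example, not from the original document: binary/decimal conversion,
# private and classful ranges, default masks and the network ID via logical AND.

BIT_WEIGHTS = [128, 64, 32, 16, 8, 4, 2, 1]  # the conversion chart, 8th bit first

PRIVATE_RANGES = (  # the three private ranges of section 2.5.3
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.0.0", "192.168.255.255"),
)

DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def octet_to_binary(value):
    """Decimal octet -> 8-character bit string, turning ON the chart values that fit."""
    if not 0 <= value <= 255:
        raise ValueError("octet out of range: %r" % value)
    bits = []
    for weight in BIT_WEIGHTS:
        if value >= weight:      # this bit is ON, subtract its value and move on
            bits.append("1")
            value -= weight
        else:
            bits.append("0")
    return "".join(bits)


def binary_to_octet(bits):
    """8-character bit string -> decimal, summing the chart values of the ON bits."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected 8 binary digits: %r" % bits)
    return sum(w for w, b in zip(BIT_WEIGHTS, bits) if b == "1")


def dotted_to_binary(address):
    """'192.168.100.2' -> '11000000.10101000.01100100.00000010'"""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % address)
    return ".".join(octet_to_binary(o) for o in octets)


def binary_to_dotted(binary):
    """Inverse of dotted_to_binary."""
    return ".".join(str(binary_to_octet(b)) for b in binary.split("."))


def address_class(address):
    """Classify by the first octet (table in 2.5.4); 0 and 127 are reserved."""
    first = int(address.split(".")[0])
    if first == 0 or first == 127:
        return "reserved"
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    if first <= 239:
        return "D"
    return "E"


def default_mask(address):
    """Classful default mask; only classes A, B and C have one."""
    cls = address_class(address)
    if cls not in DEFAULT_MASKS:
        raise ValueError("class %s has no default mask" % cls)
    return DEFAULT_MASKS[cls]


def to_int(address):
    """Dotted quad -> 32-bit integer so that ranges can be compared numerically."""
    return int("".join(dotted_to_binary(address).split(".")), 2)


def is_private(address):
    """True if the address falls inside one of the private ranges."""
    n = to_int(address)
    return any(to_int(lo) <= n <= to_int(hi) for lo, hi in PRIVATE_RANGES)


def network_id(address, mask):
    """Network ID = address AND mask, octet by octet (section 2.5.5.1)."""
    a = [int(o) for o in address.split(".")]
    m = [int(o) for o in mask.split(".")]
    return ".".join(str(x & y) for x, y in zip(a, m))
```

Feeding it the two self-test exercises above (192.168.140.20 and 11110011) gives 11000000.10101000.10001100.00010100 and 243.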
2.5.5.2 Subnetting a Class C IP Address
We learned what a subnet mask is and what subnetting is. Now we will learn how to subnet. The basic
subnetting process starts from the questions below:
• How many subnets are required?
• How many hosts per subnet are required?
• What are the resulting subnets?
• What are the valid host IP addresses?
To keep the subnetting process simple we will stick to these questions for the time being, and will add more
things as the need arises.
The anatomy of a typical Class C address is:
N.N.N.H with subnet mask 255.255.255.0 or /24
Suppose we have the IP address 192.168.10.0 /24 and our network design requirement is 8 subnets!
For 8 subnets, how many bits do we need to take from the host portion (last octet) of the given IP address? For this, just
do a mental calculation using the formula below:
2^y = 8: two to which power gives us 8? Simply
2^3 = 8, great! To get 8 subnets, 3 bits are borrowed from the host portion of the given IP address
(192.168.10.0), and the borrowed bits are moved into the given subnet mask:
11111111.11111111.11111111.11100000
                           ^^^ 3 borrowed bits
The new subnet mask is 255.255.255.224, in CIDR notation /27!
Now the mystery of hosts per subnet! As we have borrowed three bits from the last octet, the host portion,
how many bits are remaining? 5! Yes, you are right, 5 bits are remaining. So the number of usable hosts per
subnet is given as:
2^5 - 2 = 32 – 2 = 30
From the above two steps we have achieved two tasks:
We will have 8 subnets and there will be 30 usable host addresses per subnet!
Okay, now the tricky part: what is the subnet block size? Please keep this formula in mind:
Subnet block size = 256 - (modified octet of the subnet mask)
As our new subnet mask is 255.255.255.224, the modified octet is the last one (224), so
Subnet block size = 256 - 224 = 32
So our subnet blocks start from 0, 32, 64 and go on in increments of 32. So our new subnets are:
192.168.10.0
192.168.10.32
192.168.10.64
192.168.10.96
192.168.10.128
192.168.10.160
192.168.10.192
192.168.10.224
All the valid hosts and IP ranges of each subnet are summarized in the table below:
IP Address      Network Address  1st Host Address  Last Host Address  Broadcast Address
192.168.10.0    192.168.10.0     192.168.10.1      192.168.10.30      192.168.10.31
192.168.10.32   192.168.10.32    192.168.10.33     192.168.10.62      192.168.10.63
192.168.10.64   192.168.10.64    192.168.10.65     192.168.10.94      192.168.10.95
192.168.10.96   192.168.10.96    192.168.10.97     192.168.10.126     192.168.10.127
192.168.10.128  192.168.10.128   192.168.10.129    192.168.10.158     192.168.10.159
192.168.10.160  192.168.10.160   192.168.10.161    192.168.10.190     192.168.10.191
192.168.10.192  192.168.10.192   192.168.10.193    192.168.10.222     192.168.10.223
192.168.10.224  192.168.10.224   192.168.10.225    192.168.10.254     192.168.10.255
The usable host range of each subnet is the one shown in the table. And we are done with subnetting a Class C
address! Was it simple? No, you will need some practice to get full command of it. Now we can use the above
IP plan in our network design: a single network has been converted into 8 usable sub networks, each with a
capacity of 30 hosts. Isn't it amazing?
2.5.5.3 Subnetting a Class B Address
We will use the method explained previously to subnet a Class B address and then a Class A address. The network
design requirements are the same as above (i.e. 8 sub networks required):
Given Class B Address is: 172.16.0.0
Default Class B Mask: 255.255.0.0
How many host bits need to be borrowed? 3! Yes, absolutely right. Okay, now we are going to embed these 3 bits
in the Class B mask:
11111111.11111111.00000000.00000000
11111111.11111111.11100000.00000000
The modified subnet mask is:
255.255.224.0 /19
So what's next? Yeah, you got it:
Subnet block size = 256 - (modified octet of the subnet mask)
Subnet block size = 256 - 224 = 32
As we have taken bits from the 3rd octet, our new subnets are:
172.16.0.0, 172.16.32.0, 172.16.63.0, 172.16.95.0, 172.16.127.0, ... up to 172.16.224.0
IP Address    Network Address  1st Host Address  Last Host Address  Broadcast Address
172.16.0.0    172.16.0.0       172.16.0.1        172.16.31.254      172.16.31.255
172.16.32.0   172.16.32.0      172.16.32.1       172.16.62.254      172.16.62.255
172.16.63.0   172.16.63.0      172.16.63.1       172.16.94.254      172.16.94.255
172.16.95.0   172.16.95.0      172.16.95.1       172.16.126.254     172.16.126.255
172.16.127.0  172.16.127.0     172.16.127.1      172.16.158.254     172.16.158.255
172.16.159.0  172.16.159.0     172.16.159.1      172.16.190.254     172.16.190.255
As only 3 bits were borrowed, 13 host bits remain, so the number of usable hosts per subnet is:
Usable hosts per subnet = 2^13 - 2 = 8190 (8190 hosts/subnet)
2.5.5.4 Subnetting a Class A Address
If you have mastered Class B and Class C subnetting then Class A is not that hard! The network design
requirements are the same as above (i.e. 8 sub networks required) and we have the Class A IP address 10.0.0.0:
Given Class A Address is: 10.0.0.0
Default Class A Mask: 255.0.0.0
How many host bits need to be borrowed? 3! Yeah, that's right. Okay, now we are going to embed these 3 bits in
the Class A mask:
11111111.00000000.00000000.00000000
11111111.11100000.00000000.00000000
The modified Class A mask is:
255.224.0.0 /11
Pretty easy!
As we have modified the second octet of the Class A subnet mask, it is that octet which is subtracted from 256:
Subnet block size = 256 - (modified octet of the subnet mask)
Subnet block size = 256 - 224 = 32
So our new subnets are:
10.0.0.0, 10.32.0.0, 10.64.0.0, and so on
The 8 subnets are best seen in tabular form, as follows:
IP Address  Network Address  1st Host Address  Last Host Address  Broadcast Address
10.0.0.0    10.0.0.0         10.0.0.1          10.31.255.254      10.31.255.255
10.32.0.0   10.32.0.0        10.32.0.1         10.63.255.254      10.63.255.255
10.64.0.0   10.64.0.0        10.64.0.1         10.95.255.254      10.95.255.255
10.96.0.0   10.96.0.0        10.96.0.1         10.127.255.254     10.127.255.255
10.128.0.0  10.128.0.0       10.128.0.1        10.159.255.254     10.159.255.255
10.160.0.0  10.160.0.0       10.160.0.1        10.191.255.254     10.191.255.255
10.192.0.0  10.192.0.0       10.192.0.1        10.223.255.254     10.223.255.255
10.224.0.0  10.224.0.0       10.224.0.1        10.255.255.254     10.255.255.255
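The manual procedure of sections 2.5.5.2 to 2.5.5.4 (borrow host bits, extend the mask, block size = 256 minus the modified octet, then network / first host / last host / broadcast of every block) in Python, as an added example that is not part of the original lecture. It uses only the standard ipaddress and math modules; the function names plan_subnets and format_table and the layout of the returned dictionary are my own. It generalizes the method to any classful base network and any required number of subnets, so you can regenerate the Class C, Class B and Class A tables above and check your own practice exercises or a calculator's output against it.

```python
import ipaddress
import math


def plan_subnets(base_cidr, required_subnets):
    """Subnet a classful base network into at least required_subnets equal
    blocks, following the manual method from the lecture:
    borrow y host bits with 2**y >= required, extend the mask by y bits,
    block size = 256 - modified octet, then list every block's network,
    first host, last host and broadcast address.
    base_cidr is e.g. "192.168.10.0/24" (the prefix is the default mask).
    """
    base = ipaddress.ip_network(base_cidr, strict=True)
    # 2**y = required  ->  y = log2(required), rounded up if not a power of 2
    borrowed = math.ceil(math.log2(required_subnets)) if required_subnets > 1 else 0
    new_prefix = base.prefixlen + borrowed
    if new_prefix > 30:
        raise ValueError("not enough host bits left for usable hosts")
    host_bits = 32 - new_prefix
    new_mask = ipaddress.ip_network(f"0.0.0.0/{new_prefix}").netmask

    # Block size: 256 minus the mask octet that is neither 255 nor 0.
    # If no octet is partial (e.g. /16 -> /24) the block is a whole octet.
    octets = [int(o) for o in str(new_mask).split(".")]
    partial = [o for o in octets if 0 < o < 255]
    block_size = 256 - partial[0] if partial else 256

    rows = []
    for net in base.subnets(new_prefix=new_prefix):
        rows.append({
            "network": str(net.network_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
        })
    return {
        "borrowed_bits": borrowed,
        "mask": str(new_mask),
        "prefix": new_prefix,
        "block_size": block_size,
        "hosts_per_subnet": 2 ** host_bits - 2,
        "subnets": rows,
    }


def format_table(plan):
    """Render the plan as the four-column table used in the lecture."""
    cols = ("network", "first_host", "last_host", "broadcast")
    lines = ["".join(f"{c:<16}" for c in ("Network", "1st Host", "Last Host", "Broadcast"))]
    for row in plan["subnets"]:
        lines.append("".join(f"{row[c]:<16}" for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    # The three exercises from the lecture: 8 subnets from a Class C, B and A network
    for cidr in ("192.168.10.0/24", "172.16.0.0/16", "10.0.0.0/8"):
        plan = plan_subnets(cidr, 8)
        print(f"{cidr}: mask {plan['mask']} (/{plan['prefix']}), block size "
              f"{plan['block_size']}, {plan['hosts_per_subnet']} hosts per subnet")
        print(format_table(plan))
```

Because the required number of subnets is rounded up to the next power of two, plan_subnets("192.168.10.0/24", 5) also borrows 3 bits and returns the same /27 plan as for 8; this is exactly what the "2^y = 8" step does by hand.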
Believe me, by just looking at the above examples you may be frightened by subnetting, but if you actually
begin practicing, you will realize how easy subnetting is. So don't give up: reread the above
examples, and you will find plenty of subnetting problems online. Remember, only practice and more practice is
the key to success in subnetting.
One very interesting tool while practicing subnetting is the SolarWinds Advanced Subnet Calculator. You can
download it and verify your subnetting with it. For example, for the above Class A subnetting, the SolarWinds
Subnet Calculator output is:
[Figure: SolarWinds Advanced Subnet Calculator output for the Class A example above]
This subnetting tool is awesome and you will love it!
2.6 Configuring VLANs on a Cisco Switch
We carried the following problem over from our last network diagram:
All wireless clients are in the same broadcast domain and are able to communicate with each other.
The solution is to create multiple broadcast domains on a single switch using VLANs.
Below is the procedure to configure VLANs on a Cisco switch:
Switch#config terminal (this command takes you into configuration mode)
Switch(config)#interface fastEthernet0/1 (enables configuration of interface Fa 0/1)
Switch(config-if)#switchport access vlan 2 (makes Fa 0/1 part of VLAN 2)
Switch(config-if)#exit (go back to configuration mode)
Switch(config)#vlan 2 (go into configuration of VLAN 2)
Switch(config-vlan)#name c-level-ap (assign a name to the VLAN)
Repeat the same process to create VLAN 3 with the name Managers-AP and put interface Fast Ethernet 0/2 in this
VLAN. Fast Ethernet 0/1 is the interface to which the C level wireless router is connected and Fast Ethernet 0/2 is
the interface to which the Managers' wireless router is connected.
Now traffic from the C level router and the Managers' router is segregated at switch level and they
cannot access each other's devices.
Now our task is to subnet our network into smaller portions, where each subnet must be able to accommodate at
least 14 hosts, so that we can assign one subnet to each VLAN. Subnetting lets
you create numerous logical networks within a single Class A, B or C network. If you do not opt
for subnetting, you are only able to use just one network from your Class A, B or C network, which is not
realistic. To subnet a network, extend the original mask using a portion of the bits from the host ID
portion of the address to build a subnetwork ID. To illustrate, given a Class C network of 192.168.1.0 which
has an original mask of 255.255.255.0, you can create subnets in this manner:
IP Address   192.168.1.0      11000000 10101000 00000001 00000000
Subnet Mask  255.255.255.240  11111111 11111111 11111111 11110000
By borrowing 4 bits from the host portion of the network (the last octet) you are able to create 16 subnets (2^4)
with 14 hosts each (2^4 - 2).
Below is a useful link to calculate variable length subnet masks for a variety of network scenarios:
http://www.vlsm-calc.net/
The following table lists the subnet of each VLAN in our scenario:
VLAN Number  Network ID / Subnet Mask       Broadcast IP Address  Available Host IP Address Range
VLAN2        192.168.1.32/255.255.255.240   192.168.1.47          192.168.1.33 - 192.168.1.46
VLAN3        192.168.1.48/255.255.255.240   192.168.1.63          192.168.1.49 - 192.168.1.62
VLAN4        192.168.1.64/255.255.255.240   192.168.1.79          192.168.1.65 - 192.168.1.78
VLAN5        192.168.1.80/255.255.255.240   192.168.1.81          192.168.1.82 - 192.168.1.94
Now it's time to configure a different subnet for each VLAN on the Cisco 3560 switch. Go into configuration mode
of your Cisco 3560 switch and give the following commands:
interface vlan 2
ip add 192.168.1.33 255.255.255.240
interface vlan 3
ip add 192.168.1.49 255.255.255.240
interface vlan 4
ip add 192.168.1.65 255.255.255.240
interface vlan 5
ip add 192.168.1.82 255.255.255.240
These commands will assign IP address to each VLAN in its respective subnet.
2.7 Configuring Trunk Ports on Cisco Switches
In our last two lectures, we put our wireless clients in different VLANs and configured wireless MAC address
filtering on the Cisco WRT 300 N. Our next challenge is to bring our departmental desktops onto the LAN too. In order
to achieve the result we want, we will get rid of the individual DHCP servers running in each subnet. Before we do that
we need to configure a single trunk port which will carry the traffic of all VLANs to the Cisco 3560 on which we will
configure our DHCP server. We also configured access switch ports when configuring VLANs on the Cisco 2950
switches, but did not explain the difference between a trunk port and an access port. First we will understand
the difference between a trunk port and an access port, then we will configure trunk ports on the Cisco switches and
router.
2.7.1 Access Port
An access port is part of a single VLAN and carries the traffic of that single VLAN. Access ports are usually
configured for end devices in a network.
2.7.2 Trunk Port
A trunk port can carry traffic from two or more VLANs over a single link. Trunk ports are usually configured on
uplinks between access switches, distribution switches and routers. The major reason for using trunk ports is that
interfaces on Cisco distribution switches and Cisco routers come with a price tag: you don't want an interface
for each VLAN. Instead, a single link carrying traffic from all VLANs serves our purpose. ISL and 802.1Q are the
trunking protocols used for defining trunk ports. Both ends of a trunk must have the same trunking protocol
configured. ISL is a Cisco proprietary protocol, while 802.1Q is an IEEE standard. ISL and 802.1Q differ
in how they add a header to the Ethernet frame before sending it over a trunk. Cisco switches make use of the
Dynamic Trunking Protocol (DTP) to find out dynamically whether the device on the other end of the cable wants to
perform trunking and, if so, which trunking protocol to use. If we set the DTP mode to desirable, the switches
automatically negotiate the trunking parameters and form a trunk.
2.7.3 Trunk Configuration commands on Cisco Switches and Routers
Connect your Cisco 2950 access switches to the Cisco 3560 distribution switch using straight UTP cables on the
gigabit interfaces of the Cisco 3560 switch. Go into configuration mode of the Cisco 3560 switch and enter the following
commands:
Switch(config)#inter gigabitEthernet 0/1
Switch(config-if)#switchport mode dynamic desirable
Repeat the process on the other uplink interfaces of the Cisco 3560 switch. Similarly, repeat the commands on the
interfaces of the departmental and wifi access switches which are connected to the distribution switch through the uplink.
You can check the status of your trunks with the following command:
Switch#show interfaces trunk
2.8 Configuring DHCP on Cisco 3560 Switch
After configuring the trunk ports which link the Cisco 2950 access switches to the Cisco 3560 distribution switch,
we are all set to configure a single DHCP server for the whole network on the Cisco 3560 switch. Before that, do the
following steps:
• Disable the DHCP servers on the wireless routers.
• Connect all the desktops and printers in the operations department to the operations access switch through
straight UTP cables.
• Connect all the desktops and printers in the finance department to the finance access switch through
straight UTP cables.
• Create VLAN 4 on the operations switch, name it operations-vlan, and make all the ports connecting the
devices part of VLAN 4.
• Create VLAN 5 on the finance switch, name it finance-vlan, and make all the ports connecting the devices
part of VLAN 5.
• Remove the static IP addresses of the printers and set them to obtain an IP address from DHCP.
• Set all desktops to get their IP address from the DHCP server.
We must first understand what DHCP and a DHCP scope are.
2.8.1 What is Dynamic Host Configuration Protocol (DHCP)?
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically supplies an
Internet Protocol (IP) host with its IP address as well as associated configuration information such as the subnet
mask and default gateway. RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF)
standard based on the Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many operating
characteristics. DHCP lets network devices obtain the required TCP/IP configuration data from a DHCP server.
2.8.2 What is the DHCP Scope?
A Dynamic Host Configuration Protocol (DHCP) scope is the contiguous range of IP addresses that the
DHCP server is able to lease to network devices on a subnet. A scope in general corresponds to a single physical
subnet on your network to which DHCP service is offered. Scopes are the primary way for the DHCP
server to control the distribution and assignment of IP addresses and any associated configuration parameters to
DHCP clients on the network.
2.8.3 DHCP Configuration commands
We studied the DHCP scope in the previous section; now we need to define a separate scope for each VLAN on the
Cisco 3560 switch. The following commands serve the purpose:
ip dhcp pool vlan<#>
 network <Network Address> <Subnet Mask>
where # is the VLAN number, for example 2 for VLAN2,
Network Address is the network IP address of that VLAN, for example 192.168.1.32, and
Subnet Mask is 255.255.255.240 for all VLANs in our case.
For instance, with those values the commands configure a DHCP scope for the clients present in VLAN 2, such that there
will be a maximum of 14 hosts allowed in the VLAN, the start IP address of the hosts will be 192.168.1.33 and the end IP
address will be 192.168.1.46. Repeat the process for all VLANs and remember to remove the static IP addresses
from the printers and let them get an IP address assigned by DHCP.
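A check on the VLAN address plan of section 2.6 and the per-VLAN DHCP scopes described here, as an added example that is not part of the original lecture. For each VLAN it derives the broadcast address and usable host range from the subnet, confirms that the address configured on "interface vlan N" (the VLAN's gateway on the Cisco 3560) is a usable host of that subnet, confirms there are at least 14 usable hosts, checks that no two VLAN subnets overlap, and renders the pool commands. VLAN_PLAN is constructed from the table in section 2.6 and the interface addresses configured there; the function names are mine. ios_pool_commands also emits `ip dhcp excluded-address` and `default-router`, two IOS DHCP server commands not shown in this section: the gateway address must not be leased to a client, and clients need the VLAN interface as their default gateway (section 2.9).

```python
import ipaddress

# Constructed from section 2.6: one /28 per VLAN and the address given to
# each "interface vlan N" on the Cisco 3560, which acts as that VLAN's gateway.
VLAN_PLAN = [
    {"vlan": 2, "subnet": "192.168.1.32/28", "gateway": "192.168.1.33"},
    {"vlan": 3, "subnet": "192.168.1.48/28", "gateway": "192.168.1.49"},
    {"vlan": 4, "subnet": "192.168.1.64/28", "gateway": "192.168.1.65"},
    {"vlan": 5, "subnet": "192.168.1.80/28", "gateway": "192.168.1.82"},
]


def scope_for(entry, min_hosts=14):
    """Derive the DHCP scope of one VLAN and list anything wrong with it."""
    net = ipaddress.ip_network(entry["subnet"], strict=True)
    gw = ipaddress.ip_address(entry["gateway"])
    hosts = list(net.hosts())            # network and broadcast addresses excluded
    problems = []
    if gw not in hosts:                  # outside the subnet, or network/broadcast
        problems.append(f"VLAN {entry['vlan']}: gateway {gw} is not a usable host of {net}")
    if len(hosts) < min_hosts:
        problems.append(f"VLAN {entry['vlan']}: {net} has {len(hosts)} usable hosts, need {min_hosts}")
    return {
        "vlan": entry["vlan"],
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "gateway": str(gw),
        "leaseable": len([h for h in hosts if h != gw]),   # what DHCP may hand out
        "problems": problems,
    }


def check_plan(plan, min_hosts=14):
    """Return (scopes, problems) for a whole plan, including subnet overlaps."""
    scopes = [scope_for(e, min_hosts) for e in plan]
    problems = [p for s in scopes for p in s["problems"]]
    nets = [ipaddress.ip_network(e["subnet"], strict=True) for e in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return scopes, problems


def ios_pool_commands(scope):
    """Pool lines in the form used in this section, plus the exclusion of the
    gateway address and the default-router option (IOS commands not shown above)."""
    return [
        f"ip dhcp excluded-address {scope['gateway']}",
        f"ip dhcp pool vlan{scope['vlan']}",
        f" network {scope['network']} {scope['mask']}",
        f" default-router {scope['gateway']}",
    ]


if __name__ == "__main__":
    scopes, problems = check_plan(VLAN_PLAN)
    for s in scopes:
        print(f"VLAN {s['vlan']}: hosts {s['first_host']}-{s['last_host']}, "
              f"broadcast {s['broadcast']}, {s['leaseable']} leaseable")
        print("\n".join(ios_pool_commands(s)))
    print("problems:", problems or "none")
```

Run it before pasting pool commands into the switch: a gateway typed as the network or broadcast address, or a scope that cannot hold the 14 hosts the design requires, shows up in the problems list rather than as clients that silently fail to get a lease.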
Now devices in different VLANs cannot communicate with each other, but we have to let the CEO and CFO
communicate with the rest of the company. We will achieve this by learning inter-VLAN routing and access
control lists (ACLs).
2.9 Configuring InterVLAN Routing on Cisco 3560 Switch
In our scenario so far, VLANs have segregated hosts into different broadcast domains and Layer 3 subnets. Now
hosts in VLAN 2 cannot communicate with hosts in VLAN 3 unless we configure inter-VLAN routing. Layer 2-only
switches require a Layer 3 router for this. The router may be a separate device in the network or it may be
a module of a Layer 3 switch. Layer 3 switches like the Cisco 3560 incorporate routing capability within the
switch: the Cisco 3560 receives a packet, decides that the packet needs to be sent to another VLAN, and
routes the packet to the correct port in the other VLAN. A good network topology segments the network based
on departments or functions. For instance, the Finance VLAN only has hosts that belong to the Finance
Department, and the Operations VLAN only has hosts that are present in the Operations Department. If you
configure inter-VLAN routing on a Cisco 3560 switch, the hosts in VLANs 2, 3, 4 and 5 will be able to communicate
with each other without being in the same broadcast domain or the same subnet. Such a network topology allows the
network administrator to restrict communication between VLANs with the use of access lists. We will learn in
the next topic how we can use access control lists to restrict communication between different VLANs.
Now that we have understood the theory behind inter-VLAN routing, it's time to configure it on the
Cisco 3560 distribution switch. We need to configure inter-VLAN routing for the following user-defined VLANs:
• VLAN 2 — Traffic coming from the C Level Access Point
• VLAN 3 — Traffic coming from the Managers' Access Point
• VLAN 4 — Operations VLAN
• VLAN 5 — Finance VLAN
We must enable IP routing globally so that the Cisco 3560 switch can act as a Layer 3 device and provide
inter-VLAN routing.
Go into configuration mode of the Cisco 3560 switch and give the following command:
Switch(config)# ip routing //Enables IP routing on the Cisco 3560 switch
The default gateway setting on every machine needs to be the IP address of the matching VLAN interface on the
Cisco 3560 switch. For example, for Finance department machines the default gateway is 192.168.1.82, which
is the IP address we assigned to the VLAN 5 interface on the Cisco 3560 switch. The access layer switches, which
are the Catalyst 2950s, are already trunked to the Catalyst 3560 switch.
Now hosts in all VLANs will be able to communicate with each other, but this communication is not allowed
according to our information security criteria, which state that machines in the Operations and Finance VLANs should
not be able to access C level machines, while the CEO and CFO should be able to access machines in the rest of the
departments. We will achieve this goal by understanding access control lists and implementing them in the
next topic.
2.10 Access Control List (ACL)
Now our task is to make ACLs on the Cisco 3560 distribution switch so that no employee can reach the computers
and printers of the managers, CEO or CFO, while the CEO can reach all servers, printers and computers. So we are going
to block the IP addresses of the Finance and Operations departments from accessing the wireless network (192.168.1.0)
and only allow the CFO or CEO network (192.168.1.33 – 192.168.1.46) to use the rest of the network. For this we
will use named extended access control lists. Before configuration we need to know the basic concept
behind the access control list.
2.10.1 What is ACL ?
An Access Control List (ACL) is a list of rules that block or allow particular traffic in a network. The entries are
evaluated in sequence, from the top down. In the Cisco environment there are three basic types of access lists.
2.10.2 Standard access list:
A standard access list identifies network traffic using only the source IP address in the packet. We can create a
standard access list using an access-list number in the range 1-99 or 1300-1999.
Syntax:
access-list [acl number] [permit/deny] [network-address/host/any] [wildcard mask] [log]
Here the permit and deny keywords allow or discard traffic matching a particular rule. The host keyword is used to
match a particular host and the any keyword matches any host in the network. The wildcard mask is used to identify a
particular host or a certain range of networks. The log keyword is used for logging.
2.10.3 Extended access list:
An extended access list is more powerful than a standard access list. It identifies network traffic using source and
destination IP addresses, the protocol, and the port numbers of upper layer applications.
Syntax:
access-list [acl number] [permit/deny] [protocol-type] [source-network-address/host/any] [wildcard mask]
[destination-network-address/host/any] [wildcard mask] [log]
Here the protocol-type field identifies the Layer 4 or Layer 3 protocol.
2.10.4 Named access list:
A named access list is another way of creating a standard or extended access list, which is easier to
understand. A numbered standard or extended access list cannot easily be changed, but a named
access list can easily be edited.
Syntax:
ip access-list [standard/extended] [name of acl]
[permit/deny] [protocol-type] [source-network-address/host/any] [wildcard mask] [destination-network-address/host/any] [wildcard mask] [log]
The first line creates the named list and enters its configuration mode; each following line is one entry of the list
(the protocol type and the destination fields apply only to extended lists).
After creating the access list we have to apply it to an interface. ACLs are applied to an interface in the inbound or
outbound direction according to the network traffic flow.
Syntax:
ip access-group [acl-number/acl-name] in|out
To see the configuration of the access lists, enter show access-lists in privileged mode.
2.10.5 Access Control List configuration commands on a Cisco 3560 switch
First we enter the configuration mode of the Cisco 3560 switch, then create two named extended ACLs,
one for the Finance and Operations departments and another for the CFO and CEO:
ACL 1:
Switch(config)#ip access-list extended FIN&OP
Switch(config-ext-nacl)#deny ip any 192.168.1.0 0.0.0.255
Switch(config-ext-nacl)#permit ip any any
ACL 2:
Switch(config)#ip access-list extended CLEVEL
Switch(config-ext-nacl)#permit ip 192.168.1.32 0.0.0.15 any
Now we apply ACL 1 in the outbound direction and ACL 2 in the inbound direction on each VLAN interface, using the
following commands (shown here for VLAN 2):
Switch(config)#interface vlan 2
Switch(config-if)#ip access-group FIN&OP out
Switch(config-if)#ip access-group CLEVEL in
Here you go! You can implement the rest of the information security policies by defining more access control
lists.
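How the switch evaluates these two lists, as an added example in Python that is not part of the original lecture. It implements the three rules a practitioner relies on when reading a Cisco ACL: a wildcard mask marks the bits that are ignored in the comparison (a set bit means "don't care", so 0.0.0.15 after 192.168.1.32 covers 192.168.1.32 to .47), entries are tried from the top down and the first match decides, and traffic that matches no entry is dropped by the implicit deny at the end of every list. The entry lines of FIN&OP and CLEVEL are copied from the configuration above; the packet addresses fed to evaluate() are constructed, and the helper names are mine.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard comparison: a set bit in the wildcard means 'don't care'.
    The address matches when it equals base on every bit the wildcard clears."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ((a ^ b) & care) == 0


def parse_entry(line):
    """Parse one extended ACL entry of the form
    permit|deny <protocol> <src> <dst>, where each address part is
    'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (base plus wildcard)."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_address():
        if rest[0] == "any":
            rest.pop(0)
            return ("0.0.0.0", "255.255.255.255")   # every bit ignored
        if rest[0] == "host":
            rest.pop(0)
            return (rest.pop(0), "0.0.0.0")          # every bit compared
        return (rest.pop(0), rest.pop(0))

    src = take_address()
    dst = take_address()
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(acl_lines, src, dst, proto="ip"):
    """Return 'permit' or 'deny' for a packet. Entries are tested in order and
    the first match decides; the final return is the implicit deny."""
    for entry in (parse_entry(line) for line in acl_lines):
        # an 'ip' entry covers every IP protocol; tcp/udp/icmp entries only their own
        if entry["proto"] != "ip" and entry["proto"] != proto:
            continue
        if wildcard_match(src, *entry["src"]) and wildcard_match(dst, *entry["dst"]):
            return entry["action"]
    return "deny"


# Entry lines of the two named ACLs from this section.
FIN_OP = ["deny ip any 192.168.1.0 0.0.0.255", "permit ip any any"]
CLEVEL = ["permit ip 192.168.1.32 0.0.0.15 any"]

if __name__ == "__main__":
    # Constructed sample flows: an Operations host (VLAN 4) and a C level host (VLAN 2)
    flows = [("FIN&OP", FIN_OP, "192.168.1.66", "192.168.1.34"),
             ("FIN&OP", FIN_OP, "192.168.1.66", "10.1.1.5"),
             ("CLEVEL", CLEVEL, "192.168.1.40", "192.168.1.70"),
             ("CLEVEL", CLEVEL, "192.168.1.70", "192.168.1.40")]
    for name, acl, s, d in flows:
        print(f"{name}: {s} -> {d}: {evaluate(acl, s, d)}")
```

evaluate(CLEVEL, "192.168.1.70", "192.168.1.40") returns "deny" although the list contains no deny entry: that is the implicit deny. A list with a single permit therefore drops everything else on the interface it is applied to, so before applying CLEVEL inbound on a VLAN interface whose sources are not all in 192.168.1.32/28, run that interface's expected flows through the list this way and confirm the result is the one the security policy intends; show access-lists on the switch then lets you compare the per-entry match counters with what you expected.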