Category: CCNA

In this blog post, we will cover the role of 2 important services – DHCP and DNS. The CCNA exam includes the following topics that we will explore in detail:

4.3 Explain the role of DHCP and DNS within the network

4.6 Configure and verify DHCP client and relay

Domain Name System

Domain Name System (DNS) is a naming protocol for hosts and services on the Internet. It is also a client-server application that maintains and provides access to DNS records. Many Internet services, such as web browsing and email delivery, rely on DNS service.

In addition to its role of naming hosts on the Internet, DNS is also often used by organizations to support their internal applications. For example, Microsoft Active Directory is a directory service that requires DNS to store its records. In such scenarios, the internal records are not exposed to the Internet.

Domains and FQDNs

Hosts are uniquely identified by their Fully Qualified Domain Name (FQDN). For example, server1.sales.fastreroute.com is a fully qualified domain name of a server. The name consists of 2 parts separated by a dot:

• Hostname portion, or server1
• Domain portion, or sales.fastreroute.com

The domain component is hierarchical, with the parent domains specified on the right side. In the example above, domain .com is a parent domain of fastreroute.com, which in turn is a parent domain of sales.fastreroute.com.

To understand domain hierarchy, a file system can be used as an analogy, in which folders are replaced with domains and files with hosts. Domains can contain sub-domains or hostnames, in the same way as a file-system folder can contain subfolders or files.

Name Servers

Name server functionality can be implemented as an operating system component, an application, or Software-As-A-Service (SAAS). For example, BIND is one of the most popular DNS servers on the Internet and is available on Unix-like operating systems. Windows platforms have a DNS server built-in into the server operating system.

Public cloud providers offer managed DNS service, for example, AWS offers Route53, which can provide advanced features beyond traditional DNS servers.  Cisco routers can be configured to act as a DNS server too. We will provide an example of how to set it up in this blog post.

A name server can act as an authoritative server or name resolver, or both at the same time. The authoritative server role focuses on storing naming information in DNS zones. The resolver role is about providing requested information after receiving a query from a client. We will discuss these roles in detail in the next two sections.

Authoritative Name Servers and Zones

An authoritative name server stores a DNS zone for a specific domain subtree and doesn’t rely on querying other name servers for entries in this zone. A domain hierarchy defines a logical structure of a namespace, while zones are actual files or databases storing the DNS data.

The very top zone in the hierarchy of public DNS is called the root zone. It contains pointers on how to find information about domains such as .com, .net, and different country codes. These domains are called Top-Level Domains (TLDs).

The root zone is serviced by 13 groups of DNS servers, which are also called root hints. Each group contains geographically distributed servers that share the same anycast IP address and allocated a letter of the alphabet as hostname, in the root-server.net domain. The location of these servers on the world map can be checked here, scroll down to see members within each cluster, and their location.

When an organization registers a domain name, for example, fastreroute.com, the parent domain (.com) delegates administrative control over fastreroute.com and all domains under it to the organization. If no further delegation is done, then the zone fastreroute.com will store all entries in the domain and all subdomains under it.

Administrators of fastreroute.com can delegate control of a subdomain sales.fastreroute.com to the sales department. A different set of DNS servers can host the zone for sales.fastreroute.com and all subdomains under it, such as us.sales.fastreroute.com.

If we continue the analogy with the file system, delegation is similar to creating a link or shortcut that will redirect users to another file server. This server, in turn, can create shortcuts to other file servers and so on.

Name Resolvers and Query Types

Name resolution is the process of a DNS client sending a query and DNS server replying to it. The most commonly used type of request is to resolve hostnames to IP addresses. Some name servers can perform only name resolution functionality and do not host any zones, i.e. not being authoritative for any domain namespaces.

There are 2 modes that name resolvers can operate in – recursive and iterative. A recursive server can perform additional queries to another server if it doesn’t have the required information locally. Recursive name resolvers can also cache answers, so the subsequent queries can be serviced using a local cache. An iterative resolver, instead of doing all the queries on the client behalf, can return an address of another name server for the client to query directly.

Record types

DNS stores information in domain zones using several types of records. SOA record contains authoritative zone information, administrative contacts, and different timers. NS record contains pointers to authoritative DNS servers.

“A” record maps a hostname to an IPv4 address. AAAA record is the IPv6 version of A record. PTR record stores reversed A record, so one can resolve a hostname by using an IP address.

CNAME record keeps hostname to hostname mapping and also often called alias record. MX record is used to specify the SMTP mail server for a domain. TXT record stores a piece of text information.

Check this article on Wikipedia with the full list of DNS record types.

Cisco Routers and Switches as a DNS Client

Cisco devices can be configured as a DNS client. The device has multiple system services such as, Smart Licensing and NTP servers, that use hostnames and need to figure out the IP addresses. Hostname and domain name is also used to create RSA keys for services, such as the SSH server.

The following configuration commands configure DNS client functionality:

hostname edgerouter1
ip name-server 8.8.8.8 8.8.4.4
ip domain name fastreroute.com

In this example, the router will have FQDN of edgerouter1.fastreroute.com. It will use two Google’s name servers in the specified order and it will also append suffix fastreroute.com if only a hostname is specified in various commands.

To display name server information, validate cache and enable debugging, use the following 3 commands:

show ip dns servers
show hosts
debug ip domain

Cisco Routers and Switches as DNS Server

It is possible to configure Cisco routers to provide DNS server functionality. To enable it use the following command:

ip dns server

By default, the server will use name servers configured on the router, as shown in the earlier example, to perform query forwarding. It is possible to create conditional forwarding patterns useful when you might want to use internal DNS servers for some queries and ISP’s DNS servers for Internet access at the remote branch. The configuration guide on the Cisco website provides more information for such a configuration.

It is also possible to create static entries that can be useful for different testing scenarios:

ip host test.local.lab 1.2.3.4

In this example, the router will reply with the IP address of 1.2.3.4 to clients that are trying to resolve “test.local.lab” via the Cisco router.

Dynamic Host Configuration Protocol (DHCP)

A host needs an IP address to communicate on the network. An address can be assigned to a device via manual configuration or dynamic assignment. Administrators manually configure IP addresses on servers and network devices that expect static IP addresses. DHCP server dynamically assigns IP addresses to workstations and client devices, as they don’t expect inbound connections and manual configuration would be time-consuming and unpractical.

DHCP Client-Server Communication

When a DHCP client starts up, it broadcasts a discover message looking for a DHCP server. As the client doesn’t have an IP address during bootstrap, all communications described below use broadcasts and can only communicate on the same broadcast domain (VLAN).

If any of the DHCP servers received a discover message from the client, they reply with an offer of IP address for the client to use. The client receives one or many replies, in which case it usually uses the first one, and sends a request back to the server confirming that it accepts offered IP address. Finally, the server sends an acknowledgment to the client to complete the address negotiation process.

This handshake uses 4 messages: DHCP Discover, DHCP Offer, DHCP Request, DHCP Ack. It can be memorized by using acronym DORA (Discover, Offer, Request, Acknowledgment).

DHCP Pools and Leases

An administrator creates a pool of IP addresses for the DHCP server to allocate individual addresses from. Addresses must be returned back to the pool after a period of time or a client must request a lease renewal.

Multiple settings, such as subnet mask, default gateway, DNS server and domain, and lease duration can be managed on a pool level. Cisco devices acting as DHCP servers use the pool configuration mode for subnets and individual IP address reservations.

DHCP lease or binding is created when a client has been allocated an IP address from a pool. The lease is provided for a specific time. The client will attempt to renew the lease at the predetermined periods prior to the lease expiration.

Printers often need to have the same IP address. Instead of configuring printers manually, an administrator can configure a DHCP server to reserve an IP address for a specific MAC address. Such a lease is called DHCP reservation.

DHCP Client Configuration on Cisco Devices

DHCP client configuration is usually done on Internet-facing interfaces.

interface GigabitEthernet0
 ip address dhcp

ip route 0.0.0.0 0.0.0.0 dhcp

The example above configures the GigabitEthernet0 interface to acquire its IP address dynamically via DHCP. The optional “ip route” command enables the use of the default gateway sent by the DHCP server.

DHCP Relay Configuration on Cisco Devices

As we discovered earlier, DHCP is based on broadcast communications. As broadcasts are contained within a subnet boundary, clients must be placed into the same subnet as the DHCP server or DHCP server must have multiple interfaces to be placed into every subnet. Both scenarios are not optimal and don’t scale well.

To address this DHCP relay can be configured on a switch. DHCP relay listens for DHCP messages on the interfaces where it is enabled. If a relay sees a broadcast, it processes the message and then sends it as a unicast directly to the DHCP server. Further communications flow via DHCP relay, which also encodes source IP address of the interface where the query from the client was received, so the DHCP server knows from which address pool to allocate the address.

DHCP relay or often called “ip helper”, is configured using the following commands:

interface Vlan100
 ip helper-address 192.168.1.10

In this example, the DHCP broadcasts received from clients in VLAN 100 will be forwarded to the DHCP server with an IP address of 192.168.1.10.

DHCP Server Configuration on Cisco Devices

In SOHO networks, no traditional servers may be available to perform the DHCP server role. In these scenarios, a router can be configured as a DHCP server. The configuration consists of defining a DHCP pool with its settings and excluding certain IP addresses from allocation.

The configuration commands to create a network pool:

ip dhcp excluded-address 192.168.10.1 192.18.10.10

ip dhcp pool VLAN-10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1

To create a reservation for a device, its MAC address needs to be specified:

ip dhcp pool PRINTER-01
 host 192.168.10.9 255.255.255.0
 client-identifier abcd.efab.cdef
 default-router 192.168.10.1
 dns-server 192.168.10.1

To validate assigned IP addresses and see debug messages:

show ip dhcp binding
debug ip dhcp server packets
debug ip dhcp server events

Recommended Resources

Check other articles on our website.

Self-Test Questions

In this blog post, we will discover how a Cisco router selects the best route to use for packet forwarding. The CCNA exam includes the following topics which we will cover in detail:

3.2 Determine how a router makes a forwarding decision by default

• 3.2.a Longest match

• 3.2.b Administrative distance

• 3.2.c Routing protocol metric

Exam blueprint lists selection criteria in the order of preference that a router uses when choosing the best path among multiple available options. However, to compile the routing table the process is reversed.

Firstly, each routing protocol selects the best route using its own metric comparison procedure. If there are more than one candidate routes from different protocols, then administrative distances are compared and only one protocol installs its route into the routing table. In some cases, a routing protocol, instead of preferring a single path, can use multiple next-hops for the same network to split the load between several links.

The forwarding decision is then based only on the longest match, as the routing table is already filtered of all but the best routes. The router looks for the longest match for a destination and prefers more specific IP prefix routes over broader ones.

To describe these options in this blog post, we will follow the bottom-up approach, i.e. starting with protocol choice, then moving to inter-protocol choice, and finally performing the longest match comparison.

Sample network

Figure 1 shows a sample diagram with a router selecting the best path to forward traffic to a host with the IP address of 10.1.1.25. By the end of this post, you will be able to identify the path router A will select. In the next several sections we will discuss these selection steps one by one.

Routing Protocol Metric

Dynamic routing protocols calculate and use a numerical value to describe the cost of a path to a destination. This number is called a metric and it is specific to each routing protocol. Metric values of two different routing protocols are not compared with each other. All routing protocols either use different properties of the path or use different calculations.

For example, some protocols use a simple metric like the number of routers or hops that a packet needs to cross to get to the remote network. If two peers advertise routes to such a network, the one that has a smaller number of hops is chosen. Some other protocols can use bandwidth as its path cost.

Table 1 lists different routing protocols and the metric that they use.

Table 1. Routing Protocol Metrics

Interior Gateway Protocols (IGP) Metric

IGP metrics with the exception of RIP provide a good measurement of path performance. They are based on static link parameters, such as bandwidth and delay. Only EIGRP metric calculation formula can include dynamic link features, such as utilization and reliability, however, they are not used by default.

IGP protocols also prefer routes that were injected into the protocol internally. This mostly comprises of routes which routers have interfaces in. External routes are represented by routes injected by redistribution from another protocol or a static route. For example, OSPF selects intra-area routes, then inter-area routes, and finally external routes. This selection happens before metric comparison.

Exterior Gateway Protocols (EGP) Metric

BGP has a different objective when choosing the best path. As the protocol is used between different organizations, it was designed to include multiple attributes that can be used to influence and communicate the desired traffic flow. The BGP path selection process consists of more than 10 steps. Many of the attributes are statically configured to influence the selection process and represent an administrative view of path cost, as opposed to IGP’s calculation based on some objective evaluation of the path performance.

The routing domain controlled by a single organization in BGP is called an Autonomous System. As a route propagates from the injecting router it is being updated and includes AS numbers of all routers it has traversed. AS_PATH attribute stores this information. Member AS count in AS_PATH can be used to compare different routes. The shorter AS_PATH is preferred over a longer one. The other attributes that BGP routers exchange and can be used to affect the best path selection include LOCAL_PREF, MED, ORIGIN, and closest IGP metric to the next hop.

Example of the best route selection using routing protocol metric

In the sample topology, router A can see 2 paths to 10.1.1.0/24 in its EIGRP topology table. As shown in Figure 2, the path via D has a cost of 1024 and path via E – 2048. EIGRP process on router A chooses path via D as a candidate route. The next section will describe the process the router goes through to decide if EIGRP should be allowed to install its route.

Administrative Distance

Administrative Distance is a tie-breaker that is used when there are two or more candidate routes of the same length but learned via different routing protocols. Only one version of these routes to the same network will be installed into the routing table.

Administrative Distance is a pre-configured numerical value of the trustworthiness of a routing information source. More preferred protocols have smaller administrative distance numbers.

Table 2. Default Administrative Distances

Directly connected networks and static routes

As table 1 shows, directly connected networks have the lowest administrative distance. A router has an interface in each of the connected networks.

Static routes, by default, are more preferred than any dynamically learned route of the same prefix length. By changing a static route’s administrative distance to be numerically higher than dynamic routing protocol is a common way to provide backup connectivity. In this configuration, if a dynamic route is no longer available, a static route replaces it and provides a secondary path. Such a route is called a floating static route.

Interior Gateway Protocols (IGP) Administrative Distance

The default administrative distance values rank IGP protocols in the following order of preference: EIGRP, OSPF, IS-IS, and RIP. With the exception of RIP, the priority doesn’t mean that one protocol is more reliable or accurate than another.

In many networks, there is a single IGP, so having default preference for OSPF over IS-IS doesn’t make a difference. However, in some situations, such as networks merge or transition to different protocol an administrator may run several IGPs at the same time. In such networks, the default administrative distances can be adjusted to make one protocol more preferred than another. It is recommended to test the settings in a lab, as incorrect configuration can cause different issues, such as network loops and non-predictable traffic paths.

Exterior Gateway Protocol (EGP) Administrative Distance

There is only a single non-obsolete Exterior Gateway Protocol – Border Gateway Protocol (BGP). If a router doesn’t run any other dynamic routing protocols, then as with IGPs, its default administrative distance value doesn’t affect the route selection process.

However, in enterprise networks, it is common to run BGP along with one of the IGPs. For example, a company can exchange routes via BGP with its Internet or WAN providers. At the same time, internally it can run OSPF or EIGRP. In such scenarios, the routes can be divided into external and internal.  BGP is authoritative for the external, and IGP – for the internal routes.

Default Administrative Distance of external BGP routes ensures that a router will not start preferring a route to external networks via adjacent IGP router, which can often advertise such network back if there is more than one router performing redistribution between protocols.

Differently, IBGP peers have an administrative distance of 200, which is higher than any IGP’s route AD. This causes a router to use IGP as the source of truth for the internal destinations.

Interestingly, in some cases, internal BGP can overtake external BGP routes even if the latter has a lower administrative distance. The reason for it is that the BGP process performs its own evaluation when selecting the best path before placing the route into the routing table. For example, BGP routes received via internal peer can have a better value of Local Preference and as the result more preferred over the same route learned via external peer, which would be installed with AD of 20.  As the best route is from an internal BGP peer, it will be installed into the routing table with AD of 200.

Example of the best router selection based on Administrative Distance

Following our previous example, as shown in Figure 3, after EIGRP selected path via D, we left with 3 possible paths, via B, C, and D. Both B and D want to install the same network – 10.1.1.0/24 into the routing table. Administrative distance is used to decide which one is better. As EIGRP has better administrative distance (90) than internal BGP (200), the path via B is selected. This selection happens before any packet forwarding decisions are made as part of router protocol convergence. Both routes (10.0.0.0/8 and 10.1.1.0/24) are now installed into the routing table. The next step for the router is to perform selection based on the longest match.

Longest Match

All unicast routing protocols lookup routes using the destination IP address of a packet. The longest match refers to the process of identifying the route to the most specific network that the packet matches.

For example, the default route or route to 0.0.0.0/0 matches every packet. Next hop of such routes is often called gateway of last resort because it is the least preferred route, which is used only if no other matching routes exist.

The most specific route is a host route with a prefix length of 32 (or subnet mask of 255.255.255.255). For example, 192.168.100.25/32 is a host route, and packets sent to that specific host will be always following this route.

The important difference of the longest match from the other two steps is that the router compares two different routes, with one being a superset of another. Both networks will appear in the routing table. Such a situation often exists when there is summarization being performed in the network, which is the process of combining multiple routes into a single one.

Example of the best route selection based on the longest match

In our example network, in Figure 4, router A needs to choose between 2 routes: statically configured 10.0.0.0/8 and dynamically learned 10.1.1.0/24. The /24 route is more specific and is a longer match.

Importance of identifying IP address range of a subnet

When evaluating a packet against multiple routes, identify the network part of the IP prefix and what is the useable range of addresses it contains. For example, let’s say you have a route to 192.168.0.0/16 and a route to 192.168.20.0/23. You need to identify which of these two routes a packet with the destination of 192.168.21.200 will match.

It may look like the packet matches only the first wider prefix – 192.168.0.0/16. However, 192.168.20.0/23 has the range of useable addresses between 192.168.20.1 and 192.168.21.254, which destination of 192.168.21.200 being part of it. Because /23 is a longer match than /16, the second route will be preferred.

Self-Test Questions

New CCNA exam blueprint includes the following exam topics:

1.2 Describe characteristics of network topology architectures

1.2.a 2 tier

1.2.b 3 tier

1.2.c Spine-leaf

1.2.d WAN

1.2.e Small office/home office (SOHO)

1.2.f On-premises and cloud

We wrote a blog post about 2-tier and 3-tier campus network architecture, which is one of the topics of the older version of the CCNA exam. The content is still relevant, so we will provide only summary information here for completeness. Other topics that will be covered in this post include data center leaf-and-spine architecture, WAN topologies, small office/home office networks, and comparison between on-premises and cloud environments.

LAN Design

2-tier vs 3-tier

Campus networks design defines the following tiers or layers:

• Access
• Distribution
• Core

Access tier provides connectivity for the end-users. The access layer requires high-port density capable to deliver Power-over-Ethernet (POE). Switches at the access layer connect to the distribution layer switches and should not be connected to each other. As access switches have direct visibility into devices that connect to them, security access checks, such as 802.1x authentication, and QoS traffic classification are usually performed at this tier.

The distribution tier is responsible for connecting access switches together. Distribution switches usually have high-speed fiber (and less often copper) ports. Traditionally, VLAN’s or subnet’s default gateway functions were provided by distribution layer switches. For this reason, different types of security enforcement, such as inter-VLAN ACLs were implemented on this layer. In modern networks, however, it is also common to see access layer switches configured as default gateways for VLANs.

Core tier connects distribution switches together when there is a requirement to have a 3rd level of the hierarchy. The main responsibility of this layer is to route traffic as fast as possible over multiple redundant paths.

Figure 1 shows a 2-tier design. This architecture comprises only of access and combined distribution-core tiers. It is also referred to as a collapsed core design. The switches on the top perform distribution tier features by providing uplink connectivity for access layer switches. The core feature, or connecting distribution switches together, is implemented by 1 link between these two switches. When the new access layer switches added to the network, it is possible to introduce additional distribution switches to accommodate the expansion.

As the number of distribution switches goes up, establishing full-mesh connectivity becomes difficult. Implementing a dedicated set of core devices, so each distribution switch only needs to connect to them can be a good alternative. 3-tier architecture has all 3 layers implemented, as shown in Figure 2.

Data Center Design

Physical topologies

A typical data center consists of multiple server racks connected together. Physical cabling usually follows one of two patterns:

• Top-Of-Rack (TOR)
• End-Of-Row (EOR)

Top-Of-Rack implies that each rack has a single or pair of switches usually installed on the top. The servers are connected to these switches, so all internal cabling stays inside the rack. Top-Of-Rack switches then connect to aggregation switches outside of the rack. End-Of-Row, on the other hand, indicates that only certain racks, for example, first and last rack in each row, have high-port-density switches installed. Servers are then connected using a cross-rack cabling system to these End-Of-Row switches.

Both topologies have their pros and cons in different scenarios. For example, TOR design requires extra switches to be placed into each rack but has simplified cable management. The TOR switches may be underutilized depending on a number of servers within each rack. EOR topology requires more cables to be installed between racks as port requirements within each rack grow. Racks also should be adjacent to each other, so adding an additional rack may not be as easily accomplished as in TOR design.

Data center design requirements

Data centers host physical and virtual servers. Communication between servers within the data center network produces east-west traffic. It includes traffic between applications and databases, different replication types between servers, and file exchange.

There is a much higher demand for east-west bandwidth in a data center compared to a campus network, which usually doesn’t have much client-to-client communication.

Horizontal scalability, or ability to expand by adding new switches, is another requirement of a data center network. To accommodate an increase in a number of racks, the network must provide ways to connect new switches without affecting available bandwidth for the existing switches.

To address these requirements, the leaf-and-spine design is commonly used to build data centers. This connectivity pattern came from telecommunication circuit switching systems and called the Clos network.

Spine-leaf architecture

The leaf-and-spine topology consists of 2 layers – leaf layer and spine layer. In such topology, every device on one layer connects to every single device on another. No direct links exist between devices located on the same layer. Collectively, network devices on both layers form so-called switch fabric.

Leaf switches are the access layer of the data center. The servers plug only into leaf switches. The links between leaf and spine switches are point-to-point Layer 3 links and all actively forwarding traffic.

This architecture provides predictable bandwidth between pair of any leaf switches. For example, in figure 4, each leaf switch has 4 uplinks. If each link is 100Gbps, then each leaf switch can provide 400Gbps of uplink bandwidth available to servers connected to it. With 48 10Gbps access ports on leaf switch, the oversubscription ratio is 480/400Gbps or 1.2 to 1. This ratio is preserved even if a number of leaf switches grow, so the network can scale horizontally. If more bandwidth is required, additional spine switches can be added.

Two Cisco data center solutions use leaf-and-spine topology – Cisco ACI and programmable VXLAN EVPN fabrics. Check our article on Cisco ACI foundation.

WAN

WAN or Wide Area Network provides connectivity between offices and remote branches of a company. There are 2 broad categories of WAN networks, which differ by how different sites can communicate with each other, – multi-access and point-to-point networks.

Multi-access vs Point-to-Point WAN

In the multi-access network, the Service Provider (SP) network connects WAN sites in a full-mesh scheme. Depending on the SP infrastructure, this design can provide better performance because of direct site-to-site connectivity. In Figure 5, an example of a multi-access network is shown. All three sites can reach each other directly.

Examples of multi-access networks include:

• Layer 3 MPLS service
• Metro Ethernet E-LAN service (L2 VPLS)
• Older WAN technologies, such as Frame Relay and ATM

VPN-based WANs, such as DMVPN and SD-WAN

Point-to-point connections provide direct connectivity between two sites. Such services have advantages such as simplified bandwidth planning and QoS configuration. It can also provide very high bandwidth when there is dedicated fiber connectivity between sites.

It is still possible to route traffic between spokes via a central hub. For example, in Figure 6 Site B can communicate to Site C by traversing site A. This will increase the load on Site A links and can add delay.

Examples of point-to-point connections include:

• Metro Ethernet E-Line service (L2 MPLS-based or dedicated physical fiber or DWDM)
• VPN-based site-to-site links

Many networks can combine these types of connectivity, for example, large offices can connect over dedicated fiber links to a data center, which has connectivity to the L3 MPLS network connecting smaller sites together.

Layer 2 vs Layer 3 WAN

WAN topologies can also be classified as Layer 2 or Layer 3. The difference between the two is how the service provider network is seen by the customer.

Layer 2 WAN looks like an Ethernet switch in multi-access or as a piece of wire in point-to-point setup. Some Layer 2 services allow 802.1q tagging, so multiple VLANs can be transported over the same link. Metro Ethernet E-LAN (VPLS), E-Line, and direct fiber links are all example of Layer 2 services. Figure 7 shows two variations of using a layer 2 service provider network.

Network on the top part of Figure 7 has edge routers deployed at each site. These routers create Layer 3 boundaries for devices behind them. The WAN-facing interfaces on the routers are in the same VLAN and IP subnet. The benefit of such setup is that a company can use its routing protocol of choice without relying on its support by the service provider.

Network on the bottom part of Figure 7 extends a single Layer 2 subnet to site devices using Layer 2 switches. This topology is rarely used to extend VLANs containing end-user devices due to a lack of practical use. However, it is often used to extend server VLANs when an application requires Layer 2 adjacency across different sites.

Layer 3 WAN appears like a router managed by the service provider. A site router needs to communicate to the provider network which networks it has behind it. Routing information can be either statically configured by the provider or dynamically exchanged. Service providers may not support routing protocol that is used internally by the customer, for example, EIGRP is rarely supported by Service Providers due to its proprietary nature. L3 MPLS VPN is the most commonly used Layer 3 WAN service.

Small Office/Home Office (SOHO)

SOHO networks are usually designed to meet requirements such as reducing the number of devices and minimizing the complexity of configuration while maintaining enterprise-level security. In many cases, VPN-based solutions over the Internet is the most practical way to provide access to enterprise resources.

Depending on the protocol stack used in the rest of the network, there are 3 available Cisco platforms to choose from:

• Cisco IOS/IOS-XE based
• Cisco SD-WAN
• Meraki MX-based

All three stacks include compact devices with built-in Ethernet switch, built-in WiFi options, and a WAN interface (or two) with 4G backup. Check our article about different SD-WAN platforms.

There are two design options available with SOHO that relate to security.

Centralized Internet vs Local Internet Breakout (Split-tunneling)

Two options are different in what traffic is sent over a VPN tunnel to the corporate VPN gateway.

Centralized option forces all traffic to be sent over the tunnel. This includes Internet traffic which breaks out via the data center, which has a full set of security services available to ensure that there is the same level of security protection available to SOHO users.

With the split-tunnel option, only traffic to the company data center and offices is sent over the tunnel. Internet traffic is not tunneled and sent directly via a local Internet Service Provider. As a result, security inspection must be performed locally by the device.

On-Premises vs Cloud

Data centers traditionally hosted centralized enterprise infrastructure. It is referred to as on-premises infrastructure, which implies that companies have full control over the network, compute, storage, and software components.

As public cloud offerings gained popularity, many organizations shifted their workload out of data centers. Compared to on-premises data centers, public clouds offer very good scalability and rapid deployment with a consumption-based billing model.

In this blog post, we covered different cloud resources from the previous CCNA exam blueprint.

Self-Test Questions

The new CCNA exam now includes topics from the discontinued CCNA Wireless exam. The current blueprint includes the topics listed below.

1.11 Describe wireless principles

1.11.a Nonoverlapping Wi-Fi channels

1.11.b SSID

1.11.c RF

1.11.d Encryption

5.9 Describe wireless security protocols (WPA, WPA2, and WPA3)

We will divide these topics into several blog posts – this one will focus on radio fundamental topics and the following posts will cover SSIDs, security protocols, and encryption. The purpose of the series of short articles is to help CCNA candidates with exam preparation.

Frequency

A radio signal is propagated in the form of a wave. One of the most important characteristics of a wave is its frequency.  As figure 1 demonstrates, radio wave propagates in repeating cycles, with frequency calculated as a 1 full cycle per second. The frequency of 1 cycle per second is called 1 Hertz. The full cycle also constitutes a wave’s length. Measurement can be performed between any adjacent points of the same phase, for example, in figure 1 the orange wave’s cycle is measured between zero crossings and the blue’s one is between two crests. Lower frequencies have longer wavelengths and can travel further if the same amount of power is applied. For example, to provide some perspective of the actual size, a wave of a frequency of 1 Hertz has a length of 343m or 1125ft, 2.4GHz – 12.5cm or 4.92 inch, 5Ghz – 6cm or 2.36 inch.

Frequencies between 20 kilohertz (kHz) and 300 gigahertz (GHz) are classified as radio frequencies. FM/AM radio, television, DECT phones, and microwave ovens are all operating in the radio frequency range.

802.11 wireless network devices exchange data by transmitting and receiving radio signals in portions of 2 frequency bands – 2.4GHz and 5GHz. Many countries allow unlicensed use of subsets of these frequencies, but there are regulations restricting channel use and maximum transmit power. There are also restrictions on indoor vs outdoor use and even requirements for dynamic switching away from the specific channels when weather radars are discovered. A specific region that the device is certified to work in is called a regulatory domain.

Radio Channels

Radio Channel numbers provide a simple reference to a specific frequency within a band. For example, channel 1 of the 2.4GHz band corresponds to the center frequency of 2412MHz. It is easier to remember channel 1 than its value of 2412MHz. Channel 2 has a center frequency of 2417MHz, or plus additional 5MHz.

Each channel has a range of frequencies to the left and to the right of the center frequency. Channel 1 from our example above has a range of frequencies between 2401 to 2423MHz. The channel’s range is 22MHz, however, their center frequencies are only 5MHz apart. The reason behind this is that the standard uses 5MHz channels for numbering. Devices, on the other hand, use 22MHz or 20MHz-wide channels. We will clarify the difference between 20MHz and 22MHz channels in the following section.

Manual setting of a channel number is usually not required; Wireless LAN Controller will perform required adjustments dynamically to ensure that there are no overlaps between adjacent access points. However, it is important to know the number of available non-overlapping channels when performing wireless network design and site surveys.

DSSS vs OFDM (or 22MHz vs 20MHz)

Direct-Sequence Spread Spectrum (DSSS) is a modulation technique that uses the whole 22-MHz-wide channel to send information. DSSS was introduced with 802.11b standard and 2.4GHz channels frequency ranges were standardized to match its requirement of 22MHz wide-channels. DSSS supports a maximum of 11Mbps.

Orthogonal Frequency-Division Multiplexing (OFDM) uses a different approach by splitting each 20MHz range into multiple smaller sub-channels or carriers. It was introduced with 802.11a for 5GHz and later in 802.11g for use in 2.4GHz. OFDM replaced DSSS as it was capable to provide higher bandwidth. As with DSSS, a single device can transmit at a time, as different sub-carriers in OFDM cannot be used at the same time by multiple transmitters.

Recently released 802.11ax standard or Wi-Fi 6 provides an ability to divide and share these smaller sub-channels between different devices at the same time. The updated OFDM modulation scheme in Wi-Fi 6 is called Orthogonal Frequency-Division Multiplexing Access (OFDMA).

2.4GHz Channels

The table below shows all available 2.4GHz channels. Countries in North America use only the first 11, while the majority of other countries allow the use of 2 additional channels.

Table 1. 2.4GHz Channels

There are only 3 non-overlapping channels in the 2.4GHz range – 1, 6, and 11. There is also channel 14 (2484Mhz), but it can be used only in Japan with 802.11b.

5GHz

5GHz range has several subranges available, which are called Unlicensed National Information Infrastructure (U-NII) bands:

• U-NII-1: 5.150-5.250GHz (4 channels)
• U-NII-2: 5.250-5.350GHz (4 channels)
• U-NII-2 Extended: 5.470-5.725GHz (11 channels)
• U-NII-3: 5.725-5.850GHz (5 channels)

None of the standards for 5GHz don’t support DSSS with its 22MHz channels. Only OFDM and 20MHz-wide channels are used. 802.11n and later 802.11ac allowed bonding of 20MHz channels together to form 40MHz, 80MHz and even 160MHz channels to provide more bandwidth.

The table below shows a larger number of channels that are available in the 5GHz band. Compared to 2.4GHz, the channels don’t overlap, so the whole 2.4GHz range would only take 3 lines if we would remove all overlapping channels.

Numbering is still based on 5MHz increments. Channel 1 starts at 5000MHz, this explains why the first configurable channel number is 36, it corresponds to 5180MHz center frequency (5000 + 36×5).

Table 2. 5GHz Channels

The channel availability and power restrictions depend on regulatory domain.

An easy way to check the number of channels that an AP will support in a specific country is based on the following procedure. Navigate to Cisco’s online tool to find out what regulatory domain country is in. Then check the datasheet for the access point. Look for the “Frequency band and 20-MHz operating channels” section of the datasheet. It will list the number of channels supported in different regulatory domains.

Signal Power

Signal power is measured in watts. Radio waves can propagate further when a higher level of transmit power is applied. Amplitude describes signal strength and is a distance between a crest and a trough of the radio wave as shown in figure 1. Typical power levels in wireless networks are measured in milliwatts (1/1000 of a watt). For example, the maximum available transmit power setting for the Catalyst 9130 access point is 200mW in 2.4GHz and 400mW in 5GHz ranges.

Units of Measurement

Power levels can also be represented using a relative value in decibels compared to 1mW (dBm). This measurement is based on a logarithmic scale. Imagine that you want to compare 4 power values in milliwatts with values of 1mW, 10mW, 20mW, 100mW, and 1000mW (1 Watt) by drawing them on a bar chart. Due to the large difference between values we cannot fit 1000mW value into the chart.

The logarithmic scale allows representing these values evenly by comparing how it changed instead of absolute values. A simplified way to transfer from mW to dB and vice versa is based on adding (or removing) 3dBm when the value in mW doubles (or halves). Similarly, add (or remove) 10dBm when the value in mW increases by ten (or decreases by ten).

Let’s re-map the previous values on a bar chart with a logarithmic scale. The first value of 1mW is the same as our reference value of 1mW in dBm. As there is no change in power value 1mW is translated to 0 dBm. Then there is a tenfold increase to 10mW, which means we need to add 10dBm and the final value is 10dBm. The next value of 20mW is two times larger than 10mW, so we need to add 3dBm which gives us 13dBm.

100mW is tenfold increase from 10mW (10dBm), so we add another 10dBm to get 20dBm. The final value of 1000mW is tenfold increase from 100mW (20dBm); by adding another 10dBm we will get value of 30dBm for 1000mW. The result is shown on figure 3.

dBm can also be negative values to represent values that are smaller than 1mW. For example, -3dBm can be calculated as half of 1mW, which equals to 0.5mW. Refer to this Wikipedia article about logarithmic calculations for more information.

EIRP

Regulations usually specify value called Effective Isotropic Radiated Power (EIRP). EIRP measures actual signal strength as it is emitted by the antenna. For example, transmit power can be low and within allowed limit, however, the antenna can amplify this signal to be higher than the legal threshold.

EIRP represents adjusted signal strength by loss in the cable between an access point and antenna, and gain provided by antenna. It is calculated using the following formula in dBm:

EIRP = transmit power – cable loss + antenna gain

Modulation Techniques

The purpose of a wireless network is to transfer data. We know that there are different parameters that characterize a radio wave. The process of changing radio waves parameters to encode the data in the radio signal is called modulation. The reverse process performed by the receiver is to extract this data back from the signal is called demodulation.

Wireless networks use 2 parameters of radio wave to encode data:

• Phase
• Amplitude

Phase

Radio waves follow the same repeating pattern. As shown in figure 4, a phase starts at zero-crossing (0°) and then reaches a peak (90°), then back to zero-crossing (180°) and reaching the trough (270°). Then it repeats after reaching the next zero-crossing (360° or 0°). Phase modulation is based on changing this pattern.

We will discuss 2 types of phase modulations – BPSK and QPSK. Binary Phase Shift Keying (BPSK) can encode a single bit – 0 or 1. As shown in the figure below, the orange wave travels using its normal pattern. No change to a pattern means 0. If the wave is then rotated by 180°, the receiver knows that value 1 is now being transmitted. In figure 4, rotation from 0° to 180° can be visually represented by inserting the third blue pattern into the placeholder. The figure shows a simplified representation of the phase shifts using a single wave cycle. The actual implementation is timer-based and spans several cycles.

Quadrature Phase Shift Keying (QPSK) can carry 2 bits of information – 00, 01, 10, and 11. To do this additional two patterns from our diagram will be used to do 90° or 270° rotation.

Amplitude

The second parameter that can be changed to encode information is amplitude. The transmitter can increase and decrease the power to change the amplitude of the signal. Quadrature Amplitude Modulation (QAM) is a modulation scheme that combines QPSK together with amplitude modulation.

With 4 phase shifts of QPSK 2 bits can be encoded. If at the same time 4 different levels of power can be applied to signal, we will get another 2 bits. This way we have 4 bits in total or 16 possible combinations. This QAM is called 16-QAM.

By increasing the number of available phase shifts and amplitude levels, more information can be packed into the signal. For example, there are 64-QAM (8 phase shifts x 8 amplitudes), 256-QAM (16 x 16).

Self-Test Questions