Routing and Switching

In part 1 of my recaps, I touched up on core foundations for CCNA 1, to clear up misconceptions new readers may face.  This section however, is probably the harshest portion of material to digest, primarily because of the dense capacity combined with routing protocols and subnetting. So here goes round two of my condensed notes to help solidify some ground here.  If you would like to view the raw compilation I've written, please feel free to check out my repo.

Each section is separated by a divider, so feel free to skip around.

The first portion of material contains fluff about purchasing decisions which I'm going to gloss over, but whenever you see the term ingress in reference to ports, think of the word "in" because it's a reference to where frames enter a port, with the adverse being true for the term egress ("out"). Things start to get interesting when we discuss Content Addressable Tables, not solely because of attacks, but because it's how switches know which ports to send frames to.  Switches have to learn about the devices on each port, and in order to do so they build a special table from populated MAC addresses that forwards frames out of ALL ports when incoming frames aren't found within. So basically, a switch receives a frame on a certain port, examines the MAC address it's coming from and runs a comparison with what's in the table.  If it finds an address, it resets an aging timer and records information.  

There are a few forwarding methods switches use, but the two to remember are: Store-and-forward and Cut-through.  Store-and-forward uses a CRC (Cyclic Redundancy Check) and drops anything that doesn't pass. Cut-through forwards frames before they're totally received and promotes fragment free, and rapid frame forwarding for speed. When we talk about rapid frame forwarding, it means that decisions are made as soon as they're looked up in the destination frames of a MAC table.  Switches don't have to wait before making decisions here, but that also makes it's prone to errors which impact bandwidth. With fragment free forwarding, a switch waits for a collision window, or 64 bytes, to pass through before pushing it out, without the lack of error checks like with cut-through methods. When you're studying the material, familiarize the concepts of collision and broadcast domains because it ties into how switches help with LAN segmentation and services.

IOS Commands to Know

I have a cheat sheet on IOS commands, but I'm going to cover a few really fast. When you use configure terminal and interface statements, you're going into different modes (global and int config here) and in order to get to global you have to do an enable or en prior to your conf t statement.  Also of note is the fact that the do command before statements allows you to bypass the current user, or privilege mode you're in.

You should always run a check with the no shutdown command on interfaces and while you're setting up addresses, because the default state is typically down. If you're unsure of the current state of an interface, try sh ip int br (show ip interface brief) to list them.

I won't get into how switches attempt to boot using information from the BOOT environment variable, but I'll briefly list some commands you should be aware of.  You can use tab in IOS just like many other command-line environments and you can abbreviate statements like show with sh in order to conserve time.

/* Basic switch management access (IPv4) */

switch conf t
switch(config) int vlan 99
switch(config) ip address
switch(config) no shut 
switch(config) end
switch copy run start // running-config startup-config

Verification commands

/* Show commands useful to know */

sh int [int-ID] // Display an interfaces status/config
show start // Display startup config
sh run // Display current config
sh flash // Display information about the flash file system
sh ver // Display the system hardware/software status
sh history // Display the history of commands entered
sh ip [int-ID] // display IP information about an int
sh mac-address-table OR sh mac address-table // Display MAC table

CAM Overflow Attacks, DHCP Spoofing and CDP Leveraging

There are a few lower layer attacks that can be performed here with tools like macof and yersinia, which I'll briefly cover.  

CAM overflows deal with MAC flooding and the age-out periods MAC tables have. Remember when I mentioned age resets when a MAC address was found in a populated table?😊 That comes into play here because you can populate a table with a bunch of unknown addresses since tables are limited on how many they can hold.  This causes a switch to get overworked and enter fail-open mode, which means it starts broadcasting to every machine on a network. Tools can get hundreds of thousands of MAC entries a minute too, so as long as that table is full, broadcasts are going crazy out of all ports.    

How is this mitigated? The short answer is through configuring port security, which limits the number of valid MAC addresses on ports: Everything that isn't allowed is automatically denied and generates a security violation. You can use the switchport port-security command to set this up (I'm not going to go into the details here but you should know the differences).

DHCP spoofing and starvation attacks work by flooding DHCP requests, effectively creating a Denial of Service, and spoofing for fake DHCP configurations so networks issue out IP's to clients that force false DNS/WINS settings.  These can be mitigated with port security and DHCP snooping, which is the ip dhcp snooping command in global config.  You can also define ports as trusted by using the ip dhcp snooping trust command and limit the rate of bogus DHCP requests with ip dhcp snooping limit rate.  Additionally, you can look into and setup stuff like Source Guard, and should shutdown any ports not in use.

This brings us to Cisco Discovery Protocol leverage attacks. CDP is proprietary and helps to discover connected Cisco devices while setting up auto-configurations for them. It's on by default, sets up these configurations with unencrypted broadcasts and puts them into a localized database. Needless to say, you can capture all kinds of information about a device by using a tool like Wireshark. Disable CDP on devices and ports that don't need it with the no cdp run command in global config to help mitigate this sort of thing.

VLAN Configurations

VLAN's or Virtual Local Area Networks allow for logical network segmentation, so any port can belong to one and they can work as different types (data, default, native, management, voice) for different needs.  A trunk is a point-to-point link between two devices and carries more than one VLAN, with Cisco using 8021.Q standards for trunks. 802.1Q tags work by adding extra information to VLAN header frames on trunks specified by IEEE standards.

I'm not going to go into the details about VLAN's, how they work, or switch spoofing, double-tagging and hopping attacks, because this is condensed but it's exceptionally important to know.  Instead, I'm going to give the goodies on configurations here and toss out a reminder to change native VLAN configurations for security purposes:

/* Configure normal range VLANs */

switch conf t
switch(config) vlan [vlan-ID]
switch(config) name yourName
switch(config) end

// You can also assign multiple VLANs 
switch(config) vlan 100,102,105-107

switch sh vlan br // Display vlan.dat to show configurations
/* Assign ports to VLANs */ 

switch conf t
switch(config) int [int-ID]
switch(config) switchport mode access
switch(config) switchport access vlan [ID]
switch(config) end
/ * Delete VLAN information */

switch conf t
switch(config) no vlan [vlan-ID]
switch(config) end

// Delete vlan.dat
switch delete flash:vlan.dat
delete flash.vlan.dat 
/ * Trunk links with 802.1Q */

switch conf t
switch(config) int [ID]
switch(config-if) switchport mode trunk // Forces a link to be a trunk
switch(config-if) switchport trunk native vlan // Native VLAN:Untagged 802.1Q trunks
switch(config-if) switchport trunk allow vlan [vlan-LIST] 
switch(config-if) end

/* Adding a no in front of switcport trunk allowed vlan / native vlan resets the trunk to a default state */

Routers and Forwarding Packets

When we think about routers, it's important to realize they perform two very important functions: One that helps to determine the best possible path or route and the other to forward packets (data) received.  There are three primary ways routers forward things: Process switching, fast switching and CEF (Cisco Express Forwarding). Process switching is an older technique, but packets that arrive on an interface are forwarded to match a destination address with an entry in a routing table.  The exit interface is determined and the packet is forwarded. This is done for EVERY packet received, so it' slower.  With fast-switching we see the use of path information for packets stored in a cache that can be re-used without a CPU match. CEF builds a Forwarding Information Base and adjacency table which contain all forwarding information.

/ * Handy commands to know */

sh ip route // Displays contents of the routing table
sh ipv6 route // Displays contents of IPv6 routing tables

Different routing protocols use different metrics like: RIP (Routing Information Protocol), which uses a hop count, OSPF (Open Shortest Path First), which bases decisions on cumulative bandwidth from source to destination, and EIGRP (Enhanced Interior Gateway Routing Protocol), which looks at delay and supports unequal cost with load balancing.  Load balancing increases performance by looking for metric comparisons to the same destinations and Administrative Distance is used to determine the route to install into an IP table.  The lower an AD value, the more "trusty" a source is, and each routing protocol has AD defaults. Routes can be configured dynamically and statically and each entry in the routing table can be identified by a code, which I won't go into here.

Classful and Classless Network Addressing

Classful network addressing was released in 1981 and used until classless routing became a thing years later.  It was created to provide a way to divide addressing space in small, medium and large networks.  Class A, B, C, D and E respectively.  I want you to envision a this like you would a pizza pie. When a pizza isn't cut up, nowhere near as many people can eat it, thus making the world a much darker and dim place. When you slice that sucker up however, more people get to eat and those who want more can grab a second slice.

  • Class A starts at 0, was intended for large organizations and covers addresses -
  • Class B begins at 10, was intended for medium-to-large organizations and ranges from -
  • Class C starts at 110, was intended for medium-to-large organizations and covers -
  • Class D starts at 1110 and was reserved for multicasting and future use
  • Class E starts at 1111 and was reserved for experimental and future use

It's important to understand that subnet masks work with each class listed above and all that it does is help to define the addresses that can be used. Since this can get confusing I'll provide another list. It's important to understand that an octet is an informational unit consisting of 8 bit groupings and is not uncommonly used within the networking realm. Don't freak out just yet, I'll explain further below.

  • Class A The 1st octet identifies the network portion of the address Remember the list above? This means - is our mask
  • Class B The first 2 octets identify the network portion of the address
  • Class C The first 3 octets identify the network portion of the address

The representations of IP's and prefixes (our masks) exist for each range. Whenever we see a /8, /16, or /24, the /number is a prefix, so /24 is an address with a prefix. The classes listed for IPv4 above aren't actually too scary when you space out exactly what is going on.  

Let's say we have a mask
Try to look at it this way: Class A is  X.Y.Y.Y Y being the hosts by number

If we have a /24 and need to understand how this translates: is the value we end up with because the binary equivalent to 255 is 11111111  

If we do this for every portion of our mask we get: 11111111.11111111.11111111.00000000. We end up with /24 because we are counting each set of 1's (11111111 + 11111111 + 11111111 = 24). All we're essentially doing here when we subnet is counting the bits and looking at a mask.  If you look at it this way then the 2^n-2 formula makes a lot more sense and becomes clearer.  

What would be a /26? 11111111.11111111.11111111.11000000 or 24 + 2

  • We added 2 bits to the sum we had when we converted and if we convert 11000000 again, we get 192 as a number. Then we subtract.

There is a lot more to this portion of the text, but this is the gut of the things that tend to confuse most people, so I will only be covering that bit instead of VLSM and getting more specific with CIDR notation.


There is a lot of stuff in this section of CCNA material that goes into the differences between static and dynamic routing and the varying routing protocols that you'll begin to learn, like how routes are advertised with either distance or vector. Since this is core material most people will know, I will keep it to more fun stuff. RIP (Routing Information Protocol) uses the Bellman-Ford algorithm, which is based on two algorithms, while IGRP/EIGRP (Interior Gateway Routing Protocol/Enhanced Interior Gateway Routing Protocol) use DUAL, or the Diffusing Update algorithm, and OSPF (Open Shortest Path First), uses Dijkstra's algorithm.  While you're learning this, take a look into the algorithms for more depth.

At this point, you should also start to build out some sort of lab.  I do realize not everyone has access to Netacad and Packet Tracer, so try to look for alternatives to get your hands dirty, like GNS3 and Eve-ng. Doing labs daily and solving different lab problems will help solidify a lot of the IOS statements you will learn.  For cheat sheets, I recommend checking out Packet Life as well and Discord servers like The LANTamers offer great places to communicate and learn with others about networking concepts and check out for subnetting practice.

Happy learning!