TCP/IP
TCP/IP is a complete suite of protocols and services which enable communication to take place over networks. Earlier competitors to TCP/IP, such as IPX/SPX, have all but died out due to their
lack of adoption and ongoing development.
TCP/IP is a freely available and free to use set of standards maintained by the Internet
Engineering Task Force (IETF), and it is used for end-to-end device connectivity. It has been
developed and improved upon through submission of Requests for Comments (RFCs), which
are documents submitted by engineers to convey new concepts or for peer review. One
example is Network Address Translation (NAT) discussed in RFC 2663. IETF adopted some of
these RFCs as Internet standards. You can learn more about the IETF and RFCs at the link
below:
www.ietf.org/rfc.html
TCP/IP offers many services but many are outside the scope of the CCNA exam and will not be
covered. I will also omit those covered in other sections, such as DNS and DHCP. The following
sections outline the basics of TCP/IP. Because the CCNA isn’t a basic networking exam, it is
expected that you already have a good grasp of networking concepts such as those learned in
the Network+ exam from CompTIA.
Transmission Control Protocol (TCP)
TCP operates at the Transport Layer of the OSI model. It provides a connection-oriented service for reliable transfer of data between network devices. TCP also provides flow control,
sequencing, windowing, and error detection. It attaches a 32-bit header to the Application
Layer data, which is in turn encapsulated in an IP header. TCP is described in RFC 793. Common
TCP ports include the following:
- FTP Data – 20
- FTP Control – 21
- SSH – 22
- Telnet – 23
- SMTP – 25
- DNS – 53 (also uses UDP)
- HTTP – 80
- POP3 – 110
- NNTP – 119
- NTP – 123
- TLS/SSL – 443
Internet Protocol (IP)
IP operates at the Network Layer of the OSI model. It is connectionless and is responsible for transporting data over the network. IP addressing is a function of Internet Protocol. IP examines
the Network Layer address of every packet and determines the best path for that packet to take
to reach its destination. IP is discussed in detail in RFC 791.
User Datagram Protocol (UDP)
UDP also operates at the Transport Layer of the OSI model. It transports information between network devices but, unlike TCP, no connection is established first. UDP is connectionless, gives
best-effort delivery, and gives no guarantee that the data will reach its destination. UDP is
much like sending a letter with no return address. You know it was sent, but you never know if
the letter got there.
UDP consumes less bandwidth than TCP does and is suitable for applications in which low
latency is preferred over reliability or guarantees. Both TCP and UDP are carried over IP. UDP is
described in RFC 768. Common UDP port numbers include the following:
- DNS – 53
- TFTP – 69
- SNMP – 161/162
File Transfer Protocol (FTP)
FTP operates at the Application Layer and is responsible for reliably transporting data across a remote link. Because it has to be reliable, FTP uses TCP for data transfer.
You can debug FTP traffic with the debug ip ftp command.
FTP uses ports 20 and 21. Usually, a first connection is made to the FTP server from the client
on port 21. A second data connection is then made either leaving the FTP server on port 20 or
from a random port on the client to port 20 on the FTP server. You may wish to read more
about active versus passive FTP for your own information, but it is unlikely that this will be
covered in CCNA-level exams.
IN THE REAL WORLD: Having a server on a network containing backup copies of the startup configuration and IOS is a very
good idea indeed.
Trivial File Transfer Protocol (TFTP)
For less reliable transfer of data, TFTP provides a good alternative. TFTP provides a connectionless transfer by using UDP port 69. TFTP can be difficult to use because you have to
specify exactly the directory in which the file is located.
To use TFTP, you need to have a client (the router, in your case) and a TFTP server, which could
be a router or a PC, or a server on the network (preferably on the same subnet). You need to
have TFTP software on the server so the files can be pulled off it and forwarded on to the
client.
TFTP is used extensively on Cisco routers to back up configurations and upgrade the router. The
following command will carry out these functions:
RouterA#copy tftp flash:
You will be prompted to enter the IP address of the other host in which the new flash file is
located:
Address or name of remote host []? 10.10.10.1
You will then have to enter the name of the flash image on the other router:
Source filename []? / c2500-js-l.121-17.bin
Destination filename [c2500-js-l.121-17.bin]?
If you have an older version of IOS, you may be prompted to erase the flash on your router
before copying, and then the file will be transferred. When the router reloads, your new flash
image should be available for use.
Other optional commands are copy flash tftp if you want to store a backup copy or copy
running-config tftp if you want to back up your running configuration file.
You can run a debug on TFTP traffic with the debug tftp command.
Simple Mail Transfer Protocol (SMTP)
SMTP defines how e-mails are sent to the e-mail server from the client. It uses TCP to ensure a
reliable connection. SMTP e-mails are pulled off the SMTP server in different ways, and SMTP is
used as an e-mail delivery service by most networks. POP3 is another popular way to do this.
POP3 is a protocol that transfers the e-mail from the server to the client. SMTP uses TCP port
25.
Hyper Text Transfer Protocol (HTTP)
HTTP uses TCP (port 80) to send text, graphics, and other multimedia files from a web server to clients. This protocol allows you to view web pages, and it sits at the Application Layer of the
OSI model. HTTPS is a secure version of HTTP that uses Secure Sockets Layer (SSL) or Transport
Layer Security (TLS) to encrypt the data before it is sent.
You can debug HTTP traffic with the debug ip http command.
Telnet
Telnet uses TCP (port 23) to allow a remote connection to network devices. You will learn more about Telnet in the labs. Telnet is not secure so many administrators are now using Secure
Shell (SSH), which uses TCP port 22, as an alternative to ensure a secure connection. Telnet is
the only utility that can check all seven layers of the OSI model, so if you Telnet to an address,
then all seven layers are working properly. If you can’t Telnet to another device, it doesn’t
necessarily indicate a network problem. There could be a firewall or an access control list
blocking the connection purposely, or Telnet may not be enabled on the device.
In order to connect remotely to a Cisco router or switch, there must be an authentication
method for VTY lines configured on the router. If you are trying to Telnet to another device but
cannot connect to it, you can enter Ctrl+Shift+6 and then enter X to quit. To quit an active
Telnet session, you can simply type exit or disconnect.
You can debug Telnet with the debug telnet command.
Internet Control Message Protocol (ICMP)
ICMP is a protocol used to report problems or issues with IP packets (or datagrams) on a network. ICMP is a requirement for any vendor who wishes to use IP on their network. When a
problem is experienced with an IP packet, the IP packet is destroyed and an ICMP message is
generated and sent to the host that originated the packet.
As defined in RFC 792, ICMP delivers messages inside IP packets. The most popular use of ICMP
is to send ping packets to test the network connectivity of remote hosts. A ping command
issued from a network device generates an echo request packet that is sent to the destination
device. Upon receiving the echo request, the destination device generates an echo reply.
Because pings also have a Time to Live (TTL) field, they give a good indication of network
latency (delay). The ping output below is from a desktop PC:
C:\>ping cisco.com
Pinging cisco.com [198.133.219.25] with 32 bytes of data:
Reply from 198.133.219.25: bytes=32 time=460ms TTL=237
Reply from 198.133.219.25: bytes=32 time=160ms TTL=237
Reply from 198.133.219.25: bytes=32 time=160ms TTL=237
Reply from 198.133.219.25: bytes=32 time=180ms TTL=237
Ping statistics for 198.133.219.25:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 160ms, Maximum = 460ms, Average = 240ms
In the output above, the ping packet is 32 bytes long, the Time field reports how many
milliseconds the response took, and the TTL is the Time to Live field (i.e., how many
milliseconds before the packet expires).
The ping command on a Cisco router has a verbose facility that provides more granularity from
which you can specify the source you are pinging, how many pings, and what size you are
sending, along with other parameters.
This feature is very useful for testing and is used several times in the accompanying lab scenarios, as illustrated in the output below:
Router#ping ← press Enter here
Protocol [ip]:
Target IP address: 172.16.1.5
Repeat count [5]:
Datagram size [100]: 1200
Timeout in seconds [2]:
Extended commands [n]: yes
Source address: ← you can specify a source address or interface here
Type of service [0]:
Set DF bit in IP header? [no]: yes
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Sending 5, 1000-byte ICMP Echos to 131.108.2.27, timeout is 2 seconds:
U U U U U
Success rate is 0% percent, round-trip min/avg/max = 4/6/12 ms
Several notations represent the response the ping packet receives, as follows:
- ! – One exclamation mark per response
- . – One period for each timeout
- U – Destination unreachable message
- N – Network unreachable message
- P – Protocol unreachable message
- Q – Source quench message
- M – Could not fragment
- ? – Unknown packet type
the X key (on its own).
ICMP packet types are defined in RFC 1700. Learning all the code numbers and names is outside
the scope of the CCNA syllabus.
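As an added example (not from the original text), the two ping formats shown above can be checked mechanically: the Windows reply lines are re-tallied into the statistics block, and a Cisco IOS result line such as U U U U U is decoded using the notation table above. The sample output is the one quoted in the text; the function names are my own.

```python
import re
from statistics import mean

# Constructed sample: the desktop ping output quoted in the text above.
WINDOWS_PING = """\
Pinging cisco.com [198.133.219.25] with 32 bytes of data:
Reply from 198.133.219.25: bytes=32 time=460ms TTL=237
Reply from 198.133.219.25: bytes=32 time=160ms TTL=237
Reply from 198.133.219.25: bytes=32 time=160ms TTL=237
Reply from 198.133.219.25: bytes=32 time=180ms TTL=237
"""

# Windows prints "time<1ms" for sub-millisecond replies, hence [=<].
REPLY_RE = re.compile(r"Reply from (\S+): bytes=(\d+) time[=<](\d+)ms TTL=(\d+)")

def windows_ping_stats(output, sent=4):
    """Recompute the 'Ping statistics' block from the individual reply lines."""
    rtts = [int(m.group(3)) for m in REPLY_RE.finditer(output)]
    received = len(rtts)
    lost = sent - received
    return {
        "sent": sent, "received": received, "lost": lost,
        "loss_pct": round(100 * lost / sent),
        "min": min(rtts) if rtts else None,
        "max": max(rtts) if rtts else None,
        "avg": round(mean(rtts)) if rtts else None,
    }

# Meaning of each character in an IOS ping result line, as listed in the text.
IOS_PING_CODES = {
    "!": "reply", ".": "timeout", "U": "destination unreachable",
    "N": "network unreachable", "P": "protocol unreachable",
    "Q": "source quench", "M": "could not fragment", "?": "unknown packet type",
}

def decode_ios_ping(result_line):
    """Tally an IOS result line ('U U U U U', '!!!.!') and derive its success rate."""
    marks = [c for c in result_line if c in IOS_PING_CODES]
    counts = {}
    for c in marks:
        counts[IOS_PING_CODES[c]] = counts.get(IOS_PING_CODES[c], 0) + 1
    success = marks.count("!")
    rate = round(100 * success / len(marks)) if marks else 0
    return {"sent": len(marks), "success_rate": rate, "counts": counts}
```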
Many junior network engineers misuse the ping facility when it comes to troubleshooting. A
failed ping could indicate a network issue or that ICMP traffic is blocked on the network.
Because ping attacks are a common way to attack a network, ICMP is often blocked.
Traceroute
Traceroute is a very widely used facility which can test network connectivity and is a handy tool
for measurement and management. Traceroute follows the destination IP packets by sending
UDP packets with a small maximum TTL field, and then listens for an ICMP time-exceeded
response. As the Traceroute packet progresses, the records are displayed hop by hop. Each hop
is measured three times. An asterisk [*] indicates that a hop has exceeded its time limit.
Cisco routers use the traceroute command, whereas Windows PCs use tracert, as illustrated in the output below:
C:\Documents and Settings\pc>tracert hello.com
Tracing route to hello.com [63.146.123.17]
over a maximum of 30 hops:
1 81 ms 70 ms 80 ms imsnet-cl10-hg2-berks.ba.net [213.140.212.45]
2 70 ms 80 ms 70 ms 192.168.254.61
3 70 ms 70 ms 80 ms 172.16.93.29
4 60 ms 81 ms 70 ms 213.120.62.177
5 70 ms 70 ms 80 ms core1-pos4-2.berks.ukore.ba.net [65.6.197.133]
6 70 ms 80 ms 80 ms core1-pos13-0.ealng.core.ba.net [65.6.196.245]
7 70 ms 70 ms 80 ms transit2-pos3-0.eang.ore.ba.net [194.72.17.82]
8 70 ms 80 ms 70 ms t2c2-p8-0.uk-eal.eu.ba.net [165.49.168.33]
9 151 ms 150 ms 150 ms t2c2-p5-0.us-ash.ba.net [165.49.164.22]
10 151 ms 150 ms 150 ms dcp-brdr-01.inet.qwest.net [205.171.1.37]
11 140 ms 140 ms 150 ms 205.171.251.25
12 150 ms 160 ms 150 ms dca-core-02.inet.qwest.net [205.171.8.221]
13 190 ms 191 ms 190 ms atl-core-02.inet.qwest.net [205.171.8.153]
14 191 ms 180 ms 200 ms atl-core-01.inet.net [205.171.21.149]
15 220 ms 230 ms 231 ms iah-core-03.inet.net [205.171.8.145]
16 210 ms 211 ms 210 ms iah-core-02.inet.net [205.171.31.41]
17 261 ms 250 ms 261 ms bur-core-01.inet.net [205.171.205.25]
18 230 ms 231 ms 230 ms bur-core-02.inet.net [205.171.13.2]
19 211 ms 220 ms 220 ms buc-cntr-01.inet.net [205.171.13.158]
20 220 ms 221 ms 220 ms msfc-24.buc.qwest.net [66.77.125.66]
21 221 ms 230 ms 220 ms www.hello.com [63.146.123.17]
Trace complete.
The fields in the Traceroute output are as follows:
- ... – Timeout
- U – Port unreachable message
- H – Host unreachable message
- P – Protocol unreachable message
- N – Network unreachable message
- ? – Unknown packet type
- Q – Source quench received
issues. Although it is outside the scope of the CCNA syllabus, here is a more detailed
explanation of how it operates.
Traceroute works by sequentially incrementing the TTL field of UDP packets destined for a host
and recording the replies received from intermediate routers. (UDP probes are used by Cisco
and Linux; the Microsoft Windows tracert command uses ICMP echo request datagrams instead
of UDP datagrams as probes.)
Every packet has a TTL value associated with it and each time the packet reaches a hop, its TTL
value is decreased by 1. The first packet is sent to the destination with TTL=1, which reaches
Router 1, but because its TTL value has dropped to 0, the router sends an error message (TTL
exceeded in transit). Then a second packet is sent with TTL=2. This reaches Router 2, which also
sends the same error message that Router 1 sent. This is continued until the destination is
reached.
All hops, except for the last one, should return a “TTL exceeded in transit” message, whereas
the last hop should return a “destination unreachable/port unreachable” message, indicating
that it cannot handle the received traffic (UDP Traceroute packets are typically addressed to a
pseudorandom high port on which the end host is not likely to be listening).
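The TTL-stepping procedure described above, modelled as an added example (not code from the original text): each router on a constructed path decrements the TTL, the router that drops an expired probe answers with TTL exceeded, a silent router shows as an asterisk, and the end host answers either port unreachable (UDP probe) or echo reply (ICMP probe, tracert style). Router and host names are made up.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    replies: bool = True   # a router that drops expired probes without replying shows as '*'

def send_probe(path, dest, ttl, probe):
    """Forward one probe hop by hop, decrementing TTL, and return (responder, message)."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            # RFC 792 Time Exceeded, sent by the router that discarded the probe
            if router.replies:
                return (router.name, "TTL exceeded in transit")
            return (None, "*")
    # The probe survived to the end host: a UDP probe hits a closed high port,
    # while an ICMP echo request (Windows tracert) is answered with an echo reply.
    return (dest, "port unreachable" if probe == "udp" else "echo reply")

def traceroute(path, dest, probe="udp", max_hops=30):
    """Return [(ttl, responder, message), ...], stopping when the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, msg = send_probe(path, dest, ttl, probe)
        hops.append((ttl, responder, msg))
        if responder == dest:
            break
    return hops

if __name__ == "__main__":
    # Constructed three-router path; R2 is configured not to send ICMP errors.
    path = [Router("R1"), Router("R2", replies=False), Router("R3")]
    for ttl, who, msg in traceroute(path, "10.0.0.9"):
        print(f"{ttl:>2}  {who or '*':<10} {msg}")
```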
Reviewed by Tunda Chesko on January 27, 2019