
Table of Contents

Preface
Using the Book
Connecting to the Cisco Device
For Windows
For Linux
PART I - Routing
Learning the Basics
Command Modes
Saving Configurations
Show Commands for Information Gathering
Setting Hostname
Configuring an Ethernet Interface
Assigning an IP Address
Interface Speed and Duplex
Subinterfaces
Remote Management
Enabling Telnet
Enabling SSH
Annoying IOS Features
Asynchronous Logging
IP Domain-lookup
User Accounts and Banners
Creating a Local User Account
Service Password-Encryption
Setting Enable Secret
Creating Login and MOTD Banners
Static Routing
Next-hop Method
Exit Interface Method
Assigning IP Default Gateway
Show Commands
RIP
Starting RIP Routing Instance
Announcing Networks
Optional Tweaks
Show Commands
Debugging
What to Keep in Mind
RIP Configuration Sample
OSPF
Starting OSPF Routing Instance
Announcing Networks
Optional Tweaks
Show Commands
Debugging
What to Keep in Mind
OSPF Configuration Sample
EIGRP
Starting EIGRP Routing Instance
Announcing Networks
Optional Tweaks
Show Commands
Debugging
What to Keep in Mind
EIGRP Configuration Sample
IP Access Control List
Creating and Applying a Standard ACL
Creating and Applying an Extended ACL
Removing Specific Rules in an ACL
Show Commands
Address Translation (NAT)
PAT
Static NAT
Dynamic NAT
Show Commands
Debugging
Connecting to WAN
Configuring a Serial Interface
HDLC
PPP
Frame Relay
DHCP
Enabling DHCP Service
Defining a DHCP Pool
Excluding IP Addresses From the Leased Range
Show Commands
Debugging
Managing Configurations and Software
Backing Up Configuration
Restoring Configuration
Upgrading IOS Software
Activating IOS Software
Resetting Configuration to Factory Defaults
PART II Switching
It's The Same as on Routers
VLAN
Creating VLANs
Configuring an Access Interface
Show Commands
VLAN Configuration Sample
Assigning a Management IP Address
MAC Address Table
Clearing MAC Address Entries
Static MAC Address
Show Commands
Port Security
Limiting Permitted MAC Address Entries
Show Commands
IEEE 802.1q Trunk Encapsulation
Setting Interface Trunk Encapsulation Method
Setting Interface Operation Mode to Trunk
Native VLAN (Untagged)
Limiting Permitted VLANs
IEEE 802.1q Configuration Sample
VLAN Trunking Protocol (VTP)
VTP Domain
Operation Modes
VTP Pruning
Show Commands
VTP Configuration Sample
Dynamic Trunking Protocol (DTP)
EtherChannel
EtherChannel Interface Modes and Protocols
Static EtherChannel
LACP
PAgP
Show Commands
Debugging
EtherChannel Configuration Sample
Spanning-Tree Protocol (STP)
Enabling and Disabling Spanning-Tree
Primary Root
Secondary Root
Port Priority
Portfast
Uplinkfast
BPDU Guard
Spanning-Tree Operation Mode
Show Commands
Debugging
Spanning-Tree Configuration Sample
Inter VLAN Routing
Configuring Router Subinterfaces
Configuring a Switch Uplink Interface
Inter VLAN Routing Configuration Sample

Preface
My primary concern in writing this book has been to get you started with Cisco routers and
switches in the fastest time possible. It is a simple and practical foundation, from which you can
begin to explore further if you wish to become a network engineer.

Actual network management skills are gained by troubleshooting and configuring. There's
not much you can do with your knowledge of networking concepts if you are not comfortable
with the command line interface.

What can you expect of this book?

1. Easy to follow configuration instructions.

2. No pages dedicated to theory.

3. Nothing beyond what you must know for the CCNA 200-120 R&S exam.


Using the Book
The purpose of this section is to let you know how to read and use the book to your best
advantage.

1. It's a reference, not a novel. You'll be given samples of configurations that you need to
adjust to meet the needs of your network.

2. All commands that need to be typed into the terminal are formatted like this:

Router(config)# hostname gateway

3. Below each command is a line explaining what it does:

Router(config)# hostname gateway
Sets router hostname to "gateway".

4. Notes are used to explain default characteristics of Cisco IOS in a given scenario, or to
give you useful hints:

Note: Administratively down is the default state of all Ethernet and Serial interfaces on
Cisco routers.

5. Quotes under chapter titles are only there for entertainment. Don't take them seriously.

6. This book does not cover theory, and has a heavy focus on configuration. If you ever get
stuck with what a term means, just Google it!

Connecting to the Cisco Device
Most Cisco enterprise-class network equipment doesn't ship with a default IP address. The
easiest way to apply the initial configuration is to connect to the device through its console
port. Depending on the model, it may be located on the front or the back of the chassis. Keep in
mind that anyone with physical access to the console port gets the CLI (and the password
recovery procedure), so the console line deserves the same password protection as the vty lines.

What will you need?

1. A serial cable.
2. (Windows) Virtual terminal software, such as Putty.
3. (Linux) A program called cu, which you can run inside the Linux terminal.

For Windows
This sample covers connecting to a Cisco device using Windows 7.

Step 1: Install Putty (free software)

1. Download software at http://www.putty.org/
2. Execute installer and follow instructions

Step 2: Identify COM port number

1. Go to Device Manager
2. Select "View" from the upper menu, then click on "Show Hidden Devices"
3. Now expand the COM ports section. You will see the list of all active COM ports.

Step 3: Connect to your device

In my case, the relevant COM port number was 3, and the full port label is "COM3".

1. Open Putty
2. Select Serial as the connection type
3. Enter your COM port number in the Serial line field
4. Click open

You're done!

Would you like to enter the initial configuration dialog? [yes/no]: no
Router>

For Linux
This sample covers connecting to a Cisco device using Debian-based Linux distributions, such
as Ubuntu.

Step 1: Install cu (free software)

user@linux:~$ sudo apt-get install cu
Downloads and prompts to install cu, a small serial terminal program.

Step 2: Identify TTY number

If you are using a serial-to-USB adapter:

user@linux:~$ ls -l /dev/ | grep ttyUSB
Lists the teletype (TTY) device nodes in /dev/ whose names contain ttyUSB.

If you are using an old-fashioned COM port:

user@linux:~$ ls -l /dev/ | grep ttyS
Lists the teletype (TTY) device nodes in /dev/ whose names contain ttyS.

Step 3: Connect to your device

In my case, the relevant TTY number was 0, and the full TTY label was ttyUSB0.

user@linux:~$ cu -l /dev/ttyUSB0 -s 9600
cu opens a terminal session on the serial line inside your Linux terminal. The -l parameter
names the device node and -s the line speed; 9600 baud is the console default on most devices,
and you really don't need more to apply the initial configuration. If cu reports that the line is
in use or permission is denied, add your user to the dialout group (which owns the ttyUSB and
ttyS nodes on Debian-based systems) or run it with sudo.

You're done!

Would you like to enter the initial configuration dialog? [yes/no]: no
Router>

Note for VirtualBox users:
You might be unable to find your COM/TTY number because the VirtualBox host still owns the
serial hardware. Serial-to-USB adapters, for instance, can't be shared by the host and guest
systems at the same time. Pass the adapter through to the VirtualBox guest from the Devices
submenu.

Part I
Routing

Learning the Basics

Would you like to enter the initial configuration dialog? [yes/no]:

- Where am I?



Command Modes
Cisco IOS has three main command modes: user EXEC, privileged EXEC and global
configuration. Each command mode has its own set of commands for specific purposes. You'll
start in user EXEC mode.

User execution mode

Some verification and troubleshooting commands are available. Often used by 1st level
helpdesk personnel.

You can identify user execution mode by the following prompt:

Router>

There's not much for a network administrator to do in this command mode. Elevate to the next
command mode by typing the enable command:

Router> enable
Moves to privileged execution mode.

Privileged execution mode

All verification and troubleshooting commands are available. Used by network administrators.

The greater than prompt changes to hash:

Router#

If you are looking to verify or troubleshoot something, youll find all the necessary commands
available in this command mode. If you are looking to apply a configuration change, then
elevate to the global configuration mode.

Router# configure terminal
Moves to global configuration mode.

Global configuration mode

The majority of configuration changes are applied here. Entering this command mode requires you
to be in privileged execution mode; there are no shortcuts.

You can easily tell if you are in global configuration mode by the following prompt:

Router(config)#

This concludes the three main command modes of Cisco IOS. Type exit to move back to
privileged EXEC mode (exit goes up one level; end returns to privileged EXEC from any
configuration sub-mode):

Router(config)# exit
Moves back to privileged EXEC mode.

Saving Configurations
When you make a configuration change, only the running-config (held in DRAM) is updated. All
configuration changes are lost on a power outage or reboot unless they were also written to the
startup-config (NVRAM).

For saving configurations navigate to privileged execution mode and use one of the commands
below:

Router# write memory
Building configuration...
[OK]

Or

Router# copy running-config startup-config
Building configuration...
[OK]


Both of these commands copy the contents of running-config to NVRAM. There's no functional
difference.

Show Commands for Information Gathering
Show commands help you verify configurations and troubleshoot. Some of them are listed
below.

Router> enable
Navigates to privileged execution mode.

Router# show interfaces description
Lists all interfaces and their descriptions.
Router# show interfaces summary
Shows counter summary on all interfaces.
Router# show ip interface brief
Lists all interfaces and IP address information.
Router# show interface gigabitEthernet 0/1
Shows counter summary and status of the interface specified.
Router# show running-config interface gigabitEthernet 0/1
Shows configuration of the interface specified.
Router# show version
Shows brief system hardware information, including IOS version and configuration register
value.
Router# show cdp neighbors detail
Shows detailed information (platform, IOS version, addresses) about neighboring devices that have
Cisco Discovery Protocol enabled. Remember that CDP announces the same detail about your own
router to everyone on the segment.

Setting Hostname
Let's take a look at how you can apply your very first configuration change. You can change the
router hostname in global configuration mode.

Router> enable
Navigates to privileged execution mode.
Router# configure terminal
Navigates to global configuration mode.
Router(config)# hostname CupOfTea
Sets router hostname to CupOfTea.

Terminal prompt will change:
CupOfTea(config)#

Starting to feel like a network engineer already? Don't forget to save the configuration!

CupOfTea(config)# exit
Navigates back to privileged execution mode.
CupOfTea# write memory
Saves changes to NVRAM.



Configuring an Ethernet Interface
Easy! Just use the no shut command.
If the interface still doesn't come up, try to reboot the router.

Assigning an IP Address
Router# show ip interface brief
Lists all available interfaces on the router. In this sample we're going to modify the configuration of
the gigabitEthernet 0/0 interface.
Router# configure terminal
Moves to global configuration mode.

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)# ip address 192.168.101.1 255.255.255.0
Sets IPv4 address and network mask.
Router(config-if)# ipv6 address 2001:0db8:3c4d:0015:0011:0000:abcd:ed1a/64
Sets IPv6 address and prefix length.
Router(config-if)# no shutdown
Enables the interface.

Note: Administratively down is the default state of all Ethernet interfaces on Cisco routers.

Interface Speed and Duplex
Best practice is to change interface speed and duplex settings only when you suspect a problem
with auto-negotiation. By default all Ethernet interfaces auto-negotiate both speed and duplex.
If you do hard-code them, set the same values on both ends of the link; a mismatch causes duplex
errors and poor throughput rather than an obvious failure.

Router# show interface gigabitEthernet 0/0
Shows interface speed and duplex settings.
Router# configure terminal
Moves to global configuration mode.

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)# speed auto
Enables speed auto-negotiation. This is the default setting.
Router(config-if)# speed 1000
Forces the interface into 1000 Mbit/s operation mode.
Router(config-if)# speed 100
Forces the interface into 100 Mbit/s operation mode.
Router(config-if)# duplex auto
Enables duplex auto-negotiation. This is the default setting.
Router(config-if)# duplex full
Forces the interface into full duplex operation mode.
Router(config-if)# duplex half
Forces the interface into half duplex operation mode.

Subinterfaces
One physical interface can be divided into multiple virtual interfaces, each carrying the traffic of
one 802.1Q VLAN tag (this is how a router on a stick does inter-VLAN routing; see Part II).

Router# show ip interface brief
Lists all available interfaces on your router (including subinterfaces).
Router# configure terminal
Moves to global configuration mode.

Router(config)# interface gigabitEthernet 0/0.1
Creates subinterface (.1) on gigabitEthernet 0/0 and moves to subinterface configuration mode.
Router(config-subif)# encapsulation dot1q 1
Sets the VLAN encapsulation method to 802.1Q and assigns the subinterface to the VLAN 1
broadcast domain. The encapsulation must be configured before IOS accepts an IP address on
the subinterface.
Router(config-subif)# ip address 192.168.1.1 255.255.255.0
Assigns IPv4 address and network mask.
Router(config-subif)# exit
Moves back to global configuration mode.

Router(config)# interface gigabitEthernet 0/0.2
Creates another subinterface (.2) on gigabitEthernet 0/0 and moves to subinterface
configuration mode.
Router(config-subif)# encapsulation dot1q 2
Sets the VLAN encapsulation method to 802.1Q and assigns the subinterface to the VLAN 2
broadcast domain.
Router(config-subif)# ip address 192.168.2.1 255.255.255.0
Assigns IPv4 address and network mask.

Note: On a default switch trunk, VLAN 1 is the native VLAN and its frames arrive untagged; a
subinterface that should receive untagged frames needs the native keyword on its encapsulation
dot1q command.


Remote Management
This chapter teaches you how to enable Telnet and SSH protocols.

Enabling Telnet
Telnet lets you manage a router remotely. It's unencrypted, so passwords and configuration travel
in clear text and anyone on the path can read them; the reason it's still being used is that not all
devices support SSH.

Note: Telnet sessions are refused by default. Without a vty password configured you'll see the
following message when you attempt to log in to your router using Telnet:

Password required, but none set.

Configuring vty password:

Router(config)# line vty 0 4
Enters vty line configuration mode for lines 0 - 4.
Router(config-line)# password cookie
Sets the password to cookie on vty lines 0, 1, 2, 3 and 4. The password is stored in the
configuration in plain text unless service password-encryption is enabled (see User Accounts and
Banners).
Router(config-line)# login
Enables vty password authentication.

Note: Many platforms have more than five vty lines (show line lists them). Configure the full range,
otherwise sessions that land on the remaining lines behave differently from the ones you set up.

Enabling SSH
If your device also supports SSH its recommended that you use it instead of Telnet for remote
management.

As a first step you must create an RSA key pair. Key generation requires a hostname other than
the default Router and a domain name (ip domain-name) to be configured first, because the key
pair is named hostname.domain-name.

Note: RSA key pairs are non-exportable on Cisco routers and switches unless you add the
exportable keyword when generating them.

Router(config)# crypto key generate rsa
The name for the keys: MyRSA-Keys
How many bits in the modulus: 2048
Generates the RSA key pair SSH uses to identify the router to clients. Use at least 2048 bits;
1024-bit RSA is no longer considered adequate, and the modulus cannot be enlarged later without
regenerating the key (clients will then see a changed host key).

Router(config)# ip ssh version 2
Enables SSH version 2.
Router(config)# line vty 0 4
Enters into vty line configuration mode for lines 0 - 4.
Router(config-line)# password cookie
Sets password to cookie on vty lines 0, 1, 2, 3 and 4.
Router(config-line)# login
Enables vty password authentication.

Note: An SSH client always sends a username. To have it checked against the local user database
instead of a shared line password, create a user (see Creating a Local User Account) and use
login local on the vty lines in place of password and login.


Optional: Prohibit Telnet and permit only SSH

Router(config)# line vty 0 4
Enters into vty line configuration mode for lines 0 - 4.
Router(config-line)# transport input ssh
Permits remote management over vty lines 0 - 4 only via the SSH protocol; Telnet connection
attempts are refused.

Annoying IOS Features
What? Nothing about Cisco IOS is annoying!
Asynchronous Logging
Log messages are informative, but by default they come with an annoying flaw. When a log event
occurs, the message is written to the terminal without a line break after it, so it lands in the
middle of whatever you were typing. Refer to the examples below.

Let's say you're in the middle of typing write memory when a log event occurs.

Log event with asynchronous logging:

Router# write me
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed
state to upmory

- Notice the last 4 letters (mory) of your command are now at the end of log event message.

Log event without asynchronous logging:

Router# write me
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed
state to up
Router# write memory

- Your input remains on the same line.

Configuring synchronous logging:

Router(config)# line vty 0 4
Enters into line configuration mode for VTY lines 0 - 4.
Router(config-line)# logging synchronous
Forces a line break after log event.
Router(config-line)# exit
Moves back to global configuration mode.
Router(config)# line console 0
Enters into line configuration mode for console line 0.
Router(config-line)# logging synchronous
Forces a line break after log event.

IP Domain-lookup
If you mistype a command, IOS treats the input as a hostname and tries to resolve it in order to
open a Telnet session to it. Without a reachable DNS server the lookup has to time out, which
causes long delays and makes you wonder whether the router has performance issues.

Router(config)# no ip domain-lookup
Disables IP domain-lookup feature.

User Accounts and Banners

Welcome! This is the primary router: rtr-01.


You can log in with password Cisco.

Password:


Creating a Local User Account
Router(config)# username joe privilege 15 secret joe
Creates a local user joe with full rights to all command modes. The user's secret is stored in the
configuration as a one-way hash.
Router(config)# username joe privilege 15 password joe
Same as above, but the password is saved to the configuration in plain text, unless the password-
encryption feature is globally enabled, in which case it is stored as a reversible Type 7 string.
Prefer secret.

Privilege level: Valid values are from 0 to 15. A higher value means more access; 1 corresponds
to user EXEC and 15 to privileged EXEC.

Service Password-Encryption
Router(config)# service password-encryption
Obfuscates the plain-text passwords in the configuration (line passwords, username ... password
and enable password).

Password-encryption feature: Applies Type 7 encoding to every password that would otherwise
appear in the configuration in plain text. Type 7 is a fixed XOR scheme that anyone can reverse
with a short script, so it only protects against someone glancing at a show running-config; it is
not a substitute for secret, which stores a one-way hash.

Setting Enable Secret
Router(config)# enable secret cookie
Protects access to privileged EXEC mode with the secret passphrase cookie, stored as a one-way
hash. Use this rather than the older enable password, which is stored in plain text (or Type 7) and
is ignored whenever an enable secret is configured.
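The remote-management and credential settings covered above lend themselves to an automated check. The following Python 3 script is an added example, not code from the book: it reads an IOS running-config as text, flags Telnet on the vty lines, shared line passwords, enable password and reversible username ... password entries, and decodes Type 7 strings using the well-known IOS translation table to show what service password-encryption actually protects against. The two configurations embedded in it (WEAK_CONFIG and HARDENED_CONFIG) are constructed for the demo.

```python
import re

# The fixed XOR key IOS uses for Type 7 strings (public and well known).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Type 7 format: two decimal digits (key offset) followed by hex bytes,
    each XORed with the key byte at (offset + position)."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(data))


def encode_type7(plain: str, seed: int = 9) -> str:
    """Inverse of decode_type7; exists here only to produce sample data."""
    out = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, c in enumerate(plain))
    return f"{seed:02d}{out.hex().upper()}"


def _check_vty(name: str, body: list, findings: list) -> None:
    """Findings for one 'line vty ...' block (body = its indented lines)."""
    transport = [b for b in body if b.startswith("transport input")]
    if not transport or any(" telnet" in t or " all" in t for t in transport):
        findings.append(f"{name}: telnet permitted; set 'transport input ssh'")
    if "login local" not in body and any(b.startswith("password ") for b in body):
        findings.append(f"{name}: shared line password; prefer 'login local' "
                        "with per-user secrets")


def audit_config(config: str) -> list:
    """Return a list of human-readable findings for an IOS config text."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]

    if "service password-encryption" not in lines:
        findings.append("service password-encryption missing: line passwords "
                        "are stored in clear text")
    if not any(l.startswith("ip ssh version 2") for l in lines):
        findings.append("ip ssh version 2 missing: SSHv1 may be negotiated")

    for l in lines:
        if l.startswith("enable password "):
            findings.append("enable password in use; replace with enable secret")
        m = re.match(r"username (\S+) .*password (7 )?(\S+)$", l)
        if m:  # 'password' (plain or Type 7) is recoverable; 'secret' is hashed
            user, is_t7, value = m.groups()
            shown = decode_type7(value) if is_t7 else value
            findings.append(f"username {user}: recoverable password {shown!r}; "
                            "use 'secret'")

    # Line blocks: 'line ...' followed by indented lines, ended by the next
    # non-indented line ('!' or another top-level command).
    block = None
    for l in lines + [""]:
        if not l.startswith(" "):
            if block is not None and block[0].startswith("line vty"):
                _check_vty(block[0], block[1], findings)
            block = (l, []) if l.startswith("line ") else None
        elif block is not None:
            block[1].append(l.strip())
    return findings


# Constructed sample configs (not from the book): a weak one and a hardened one.
WEAK_CONFIG = """\
service password-encryption
hostname CupOfTea
enable password cookie
username joe privilege 15 password 7 094F471A1A0A
ip ssh version 2
!
line con 0
 logging synchronous
line vty 0 4
 password 7 {}
 login
 transport input telnet ssh
!
""".format(encode_type7("cookie"))

HARDENED_CONFIG = """\
service password-encryption
hostname CupOfTea
enable secret cookie
username joe privilege 15 secret joe
ip ssh version 2
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_config(HARDENED_CONFIG))
```

Run it as-is to see the four findings for the weak configuration and none for the hardened one; point audit_config at the output of show running-config to check a real device. The Type 7 decoder is there to make the point concrete: 094F471A1A0A comes straight back as cisco, which is why secret (a hash) and not password belongs on every username line.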

Creating Login and MOTD Banners
Banners serve informational purpose. You can send out a warning to all unauthorized folks
attempting to access your device by configuring a login banner. With a MOTD banner you can
share operational information with your colleagues.

Router(config)# banner login * This router belongs to company X. Unauthorized use
is strictly prohibited. *
Sets a login message that is displayed before user authentication.

Router(config)# banner motd * Due to service migrations please do not apply any
changes from 25th to 27th July. *
Sets a message-of-the-day banner. It is also displayed before authentication, ahead of the login
banner, on every connection; a message that should only be seen after a successful login belongs
in banner exec instead.

Note: Banners are shown to everyone who connects, authenticated or not, so keep hostnames,
roles, passwords and other hints out of them. The welcome message at the start of this chapter
is an example of what not to do.

Message delimiter:
You may use any character as the delimiter instead of the asterisk (*). The only requirement is
that the same character must not appear inside the message itself.

Static Routing
This chapter teaches you how to create static routes. There are two ways to specify a static
route: by next hop or by exit interface. Use the method you prefer.
Next-hop Method
Router(config)# ip route 10.10.20.0 255.255.255.0 192.168.1.1
Specifies that to get to 10.10.20.0/24 network next-hop to take is 192.168.1.1.
Router(config)# ipv6 route 2001:0db8:3c4d::/64 2001:0db8:3c99:1111:2222:3333:4444:aaa1
Specifies that to get to the 2001:0db8:3c4d::/64 network the next hop to take is
2001:0db8:3c99:1111:2222:3333:4444:aaa1. The next hop is an address, not a prefix, so it
carries no /64.


Exit Interface Method
Router(config)# ip route 10.10.20.0 255.255.255.0 gigabitEthernet 0/0
Specifies that to get to the 10.10.20.0/24 network packets must be sent out of the gigabitEthernet
0/0 interface.
Router(config)# ipv6 route 2001:0db8:3c4d::/64 gigabitEthernet 0/0
Specifies that to get to the 2001:0db8:3c4d::/64 network packets must be sent out of the
gigabitEthernet 0/0 interface.

Note: On a multi-access interface such as Ethernet, an exit-interface-only route makes the router
ARP for every individual destination in the prefix, which only works if the neighbor answers with
proxy ARP. On Ethernet, prefer the next-hop method, or give both the exit interface and the next
hop in the same ip route command.


Assigning IP Default Gateway
IP packets with destinations that don't match any static or dynamically learned route are
forwarded along the default route. The destination of a default route is 0.0.0.0/0 in IPv4 and ::/0
in IPv6.

Router(config)# ip route 0.0.0.0 0.0.0.0 33.33.33.33
Sets the IPv4 default route to next hop 33.33.33.33.
Router(config)# ipv6 route ::/0 2001:0db8:3c99:1111:2222::1
Sets the IPv6 default route to next hop 2001:0db8:3c99:1111:2222::1.

Note: ip default-gateway 33.33.33.33 is a different command. It is only consulted when IP routing
is disabled (no ip routing, as on a Layer 2 switch or a router booted into its boot image) and has
no effect on the routing table of a router that is actually routing.
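The rule in this section, most specific route wins and the 0.0.0.0/0 or ::/0 route catches everything else, is easy to see in code. The Python 3 script below is an added example, not from the book: it builds a table from the static routes shown in this chapter (plus a constructed /25 to make longest-prefix matching visible), renders each route as the IOS command, and looks up destinations. The addresses are the chapter's; the lookup is a plain longest-prefix match, not a model of how CEF does it.

```python
import ipaddress

# Routes as (prefix, next-hop address or exit interface). Taken from this
# chapter's examples, plus a constructed /25 to show longest-prefix matching.
ROUTES = [
    ("10.10.20.0/24", "192.168.1.1"),
    ("10.10.20.128/25", "gigabitEthernet 0/0"),
    ("0.0.0.0/0", "33.33.33.33"),
    ("2001:db8:3c4d::/64", "2001:db8:3c99:1111:2222:3333:4444:aaa1"),
    ("::/0", "2001:db8:3c99:1111:2222::1"),
]


def to_ios(prefix: str, via: str) -> str:
    """Render a route as the IOS static-route command. IPv4 takes a dotted
    mask; IPv6 takes prefix/length. The next hop never carries a length."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4:
        return f"ip route {net.network_address} {net.netmask} {via}"
    return f"ipv6 route {net.with_prefixlen} {via}"


def build_table(routes: list) -> list:
    """Sort routes most-specific first so the first hit is the longest match."""
    table = [(ipaddress.ip_network(p), via) for p, via in routes]
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table


def lookup(table: list, dest: str):
    """Return (prefix, via) for the longest matching route, or None when the
    table has no default route and nothing more specific matches."""
    ip = ipaddress.ip_address(dest)
    for net, via in table:
        if net.version == ip.version and ip in net:
            return str(net), via
    return None


if __name__ == "__main__":
    table = build_table(ROUTES)
    for prefix, via in ROUTES:
        print(to_ios(prefix, via))
    for dest in ("10.10.20.5", "10.10.20.200", "8.8.8.8",
                 "2001:db8:3c4d::1", "2001:db8:ffff::1"):
        print(dest, "->", lookup(table, dest))
```

10.10.20.200 goes out gigabitEthernet 0/0 because the /25 is more specific than the /24, 8.8.8.8 hits the 0.0.0.0/0 entry, and dropping the default route from the table turns that last lookup into None, which on a real router means the packet is discarded with no route to host.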

Show Commands
Router# show ip route static
Shows all IPv4 static routes.
Router# show ip route
Shows full IPv4 routing table.
Router# show ipv6 static
Shows all IPv6 static routes.
Router# show ipv6 route
Shows full IPv6 routing table.

RIP
This chapter teaches you how to configure RIP protocol.
Starting RIP Routing Instance
Router(config)# router rip
Starts RIP routing instance and moves to RIP configuration mode.
Router(config-router)# version 2
Sets RIP version to 2.

Note: Try to avoid using RIPv1 whenever possible.

Announcing Networks
Router(config)# router rip
Starts RIP routing instance and moves to RIP configuration mode.
Router(config-router)# version 2
Sets RIP version to 2.
Router(config-router)# network 192.168.1.0
Enables RIP on every interface whose address falls inside the classful network 192.168.1.0/24
and advertises those interfaces' networks. The argument is always a classful network; IOS ignores
any host bits you type.

Note: By default all the RIP-announced networks are summarized to their classful boundaries.
In this case our network 192.168.1.0 will be seen as a /24 (class C) network. But what if we
wanted to announce 192.168.1.0/25 instead?

To announce more specific networks via RIP protocol this auto-summarization process must be
stopped.

Router(config-router)# no auto-summary
Disables auto summarization. Although this command also works in RIPv1 it only has intended
effect in RIPv2.

Note: With auto-summary feature disabled RIP subnet masks are based on the interface
configurations.

Router(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Router(config-if)# ip address 192.168.1.1 255.255.255.128
Sets IPv4 address and network mask.
Router(config-if)# no shutdown
Enables the interface.

Note: At this point the RIP announcement of 192.168.1.0/25 network should work as expected.

Optional Tweaks
Router(config-router)# distance 90
Adjusts the administrative distance from 120 (default) to 90. Possible values are from 1 to 255.
Router(config-router)# no auto-summary
Disables auto summarization to classful boundaries (enabled by default).
Router(config-router)# auto-summary
Enables auto summarization.
Router(config-if)# no ip split-horizon
Disables split horizon on the interface (enabled by default). This is an interface command, not a
RIP process command; only disable it on the hub interface of a hub-and-spoke topology, where
split horizon would hide spoke routes from other spokes.
Router(config-if)# ip split-horizon
Re-enables split horizon on the interface.
Router(config-router)# passive-interface gigabitEthernet 0/0
Sets interface Gi0/0 to passive. RIP updates are no longer sent out of this interface, although its
network is still advertised to other neighbors. Note that RIP still listens for updates on a passive
interface; to stop accepting routes from that segment you also need a distribute-list or RIP
authentication.

Show Commands
Router# show ip protocols
Shows the parameters of the RIP process: version, timers, networks, passive interfaces and the
neighbors routing information is received from.
Router# show ip route rip
Shows all routes learned from RIP protocol.
Router# show ip rip neighbors
Shows all RIP neighbors and their states.
Router# show ip rip database
Shows IPv4 RIP database

Debugging
Router# debug ip rip events
Displays all RIP events.
Router# debug ip rip database
Displays RIP database events.
Router# debug ip rip bfd
Displays RIP bfd events.
Router# undebug all
Stops all debugging events.

What to Keep in Mind
RIP has default administrative distance of 120.

RIP is a distance-vector routing protocol.

RIP maximum hop count is 15.

RIP Configuration Sample


Objective
Configure RIP routing so that all routers know about all the networks.

Step 1: Configure the interfaces

#R-one

R-one(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
R-one(config-if)# ip address 192.168.1.1 255.255.255.252
Sets IPv4 address and network mask.
R-one(config-if)# no shutdown
Enables the interface.

#R-two

R-two(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
R-two(config-if)# ip address 192.168.1.2 255.255.255.252
Sets IPv4 address and network mask.
R-two(config-if)# no shutdown
Enables the interface.
R-two(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
R-two(config-if)# ip address 192.168.1.5 255.255.255.252
Sets IPv4 address and network mask.
R-two(config-if)# no shutdown
Enables the interface.

#R-three

R-three(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
R-three(config-if)# ip address 192.168.1.6 255.255.255.252
Sets IPv4 address and network mask.
R-three(config-if)# no shutdown
Enables the interface.

Step 2: Configure RIP

#R-one

R-one(config)# router rip
Starts RIP routing instance. Moves to RIP configuration mode.
R-one(config-router)# version 2
Sets RIP version to 2.
R-one(config-router)# no auto-summary
Disables auto summarization.
R-one(config-router)# network 192.168.1.0
Announces network 192.168.1.0/30 as directly connected.

#R-two

R-two(config)# router rip
Starts RIP routing instance. Moves to RIP configuration mode.
R-two(config-router)# version 2
Sets RIP version to 2.
R-two(config-router)# no auto-summary
Disables auto summarization.
R-two(config-router)# network 192.168.1.0
Announces network 192.168.1.0/30 as directly connected.
R-two(config-router)# network 192.168.1.4
Announces network 192.168.1.4/30 as directly connected.

#R-three

R-three(config)# router rip
Starts RIP routing instance. Moves to RIP configuration mode.
R-three(config-router)# version 2
Sets RIP version to 2.
R-three(config-router)# no auto-summary
Disables auto summarization.
R-three(config-router)# network 192.168.1.4
Announces network 192.168.1.4/30 as directly connected.

OSPF
Better than EIGRP, because it's not Cisco proprietary.

Starting OSPF Routing Instance
Every routing instance of OSPF must be assigned the process ID number.

The process ID number is only locally significant and nothing happens if other routers use
different process ID numbers.

Router(config)# router ospf 1
Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode.


Announcing Networks
In OSPF each announced network must be assigned to an area. We're just going to stick to area 0,
the backbone area. Unlike a regular subnet mask, the size of an announced network in OSPF is
given as a wildcard mask (the inverted subnet mask: 0 bits must match, 1 bits are don't-care).

Router(config)# router ospf 1
Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode.
Router(config-router)# network 10.0.0.0 0.255.255.255 area 0
Announces network 10.0.0.0/8 as directly connected in OSPF area 0.
Router(config-router)# network 192.168.0.0 0.0.255.255 area 0
Announces network 192.168.0.0/16 as directly connected in OSPF area 0.

Optional Tweaks
Router(config-router)# distance 100
Sets the administrative distance to 100. Possible values are from 1 to 255.
Router(config-router)# event-log size 100
Sets the OSPF event log cap to 100 entries.
Router(config-router)# neighbor 99.99.99.99
Manually configures 99.99.99.99 as an OSPF neighbor. This is only needed (and only accepted) on
non-broadcast network types such as NBMA Frame Relay, where hellos cannot be multicast; on
Ethernet, neighbors are discovered automatically.
Router(config-router)# passive-interface gigabitEthernet 0/0
Stops OSPF from sending hellos out of Gi0/0, so no adjacency can form there, while the interface's
network is still advertised. Use it on every interface that does not face another OSPF router, so
that nobody on that segment can bring up an adjacency and inject routes.


Show Commands
Router# show ip ospf
Shows brief overview of OSPF routing processes.
Router# show ip route ospf
Shows all routes learned from OSPF protocol.
Router# show ip ospf neighbor
Shows all OSPF neighbors and their states.
Router# show ip ospf interface gigabitEthernet 0/0
Shows ospf information on Gi0/0 interface.

Debugging
Router# debug ip ospf events
Displays all OSPF events.
Router# debug ip ospf adj
Displays OSPF adjacency and neighbor state changes.
Router# debug ip ospf hello
Displays all OSPF hello messages.
Router# undebug all
Stops all debugging events.

What to Keep in Mind
OSPF default administrative distance is 110.

OSPF is a link-state routing protocol that operates within a single AS.

OSPF area 0 is also known as the backbone area; every other area must connect to it.

OSPF Configuration Sample

Objective
Configure OSPF routing so that all routers know about all the networks.

Step 1: Configure the interfaces

#Router1

Router1(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router1(config-if)# ip address 88.88.88.5 255.255.255.252
Sets IPv4 address and network mask.
Router1(config-if)# no shutdown
Enables the interface.
Router1(config-if)# exit
Moves back to global configuration mode.
Router1(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Router1(config-if)# ip address 88.88.88.9 255.255.255.252
Sets IPv4 address and network mask.
Router1(config-if)# no shutdown
Enables the interface.

#Router2

Router2(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router2(config-if)# ip address 88.88.88.6 255.255.255.252
Sets IPv4 address and network mask.
Router2(config-if)# no shutdown
Enables the interface.
Router2(config-if)# exit
Moves back to global configuration mode.
Router2(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Router2(config-if)# ip address 88.88.88.1 255.255.255.252
Sets IPv4 address and network mask.
Router2(config-if)# no shutdown
Enables the interface.

#Router3

Router3(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router3(config-if)# ip address 88.88.88.10 255.255.255.252
Sets IPv4 address and network mask.
Router3(config-if)# no shutdown
Enables the interface.
Router3(config-if)# exit
Moves back to global configuration mode.
Router3(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Router3(config-if)# ip address 88.88.88.2 255.255.255.252
Sets IPv4 address and network mask.
Router3(config-if)# no shutdown
Enables the interface.

Step 2: Configure OSPF

#Router1

Router1(config)# router ospf 1
Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode.
Router1(config-router)# network 88.88.88.4 0.0.0.3 area 0
Announces network 88.88.88.4/30 as directly connected in OSPF area 0.
Router1(config-router)# network 88.88.88.8 0.0.0.3 area 0
Announces network 88.88.88.8/30 as directly connected in OSPF area 0.

#Router2

Router2(config)# router ospf 1
Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode.
Router2(config-router)# network 88.88.88.4 0.0.0.3 area 0
Announces network 88.88.88.4/30 as directly connected in OSPF area 0.
Router2(config-router)# network 88.88.88.0 0.0.0.3 area 0
Announces network 88.88.88.0/30 as directly connected in OSPF area 0.

#Router3

Router3(config)# router ospf 1
Starts OSPF routing instance with process ID set to 1. Moves to OSPF configuration mode.
Router3(config-router)# network 88.88.88.8 0.0.0.3 area 0
Announces network 88.88.88.8/30 as directly connected in OSPF area 0.
Router3(config-router)# network 88.88.88.0 0.0.0.3 area 0
Announces network 88.88.88.0/30 as directly connected in OSPF area 0.

EIGRP
It's exactly like IGRP, only the letter E is different.

Starting EIGRP Routing Instance
EIGRP routing instances are started within a specified autonomous system number. If you only use
EIGRP internally you can pick any AS number you want, but it must be the same on every router
that is supposed to become a neighbor.

Router(config)# router eigrp 100
Starts EIGRP routing instance with the specified autonomous system number of 100. Moves to
EIGRP configuration mode.

Announcing Networks
To announce networks via EIGRP wildcard mask must be used instead of subnet mask.

Router(config)# router eigrp 100
Starts EIGRP routing instance with the specified autonomous system number. Moves to EIGRP
configuration mode.
Router(config-router)# network 55.55.55.0 0.0.0.3
Announces network 55.55.55.0/30 as directly connected in AS100.
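RIP's classful network statement (Announcing Networks in the RIP chapter) and the address-plus-wildcard form used by OSPF and EIGRP above all answer the same question: which interfaces does the statement enable the protocol on? The Python 3 script below is an added example, not the book's code: it computes the classful network of an address, converts a prefix into the wildcard form, and matches interface addresses against both kinds of statement. The interface table is constructed from the addresses in the OSPF lab plus one extra /25 interface.

```python
import ipaddress

# Constructed interface table (addresses from the OSPF lab, plus one extra).
INTERFACES = {
    "GigabitEthernet0/0": "88.88.88.5/30",
    "GigabitEthernet0/1": "88.88.88.9/30",
    "GigabitEthernet0/2": "192.168.1.1/25",
}


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """The class A/B/C major network an address belongs to. This is how RIP
    interprets 'network A.B.C.D' and what auto-summary summarises to."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefixlen = 8
    elif first_octet < 192:
        prefixlen = 16
    elif first_octet < 224:
        prefixlen = 24
    else:
        raise ValueError(f"{addr}: not a class A/B/C unicast address")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def wildcard_statement(cidr: str) -> str:
    """Convert 88.88.88.5/30 into '88.88.88.4 0.0.0.3' (wildcard = inverted mask)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


def matches_wildcard(addr: str, statement: str) -> bool:
    """A wildcard bit of 0 means 'must match'; a bit of 1 means 'don't care'."""
    base, wildcard = statement.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def rip_enabled(network_stmt: str, interfaces: dict) -> list:
    """Interfaces a RIP 'network A.B.C.D' enables: any address inside the same
    classful network, regardless of the subnet mask on the interface."""
    major = classful_network(network_stmt)
    return [name for name, cidr in interfaces.items()
            if ipaddress.IPv4Address(cidr.split("/")[0]) in major]


def wildcard_enabled(statement: str, interfaces: dict) -> list:
    """Interfaces an OSPF/EIGRP 'network A.B.C.D W.W.W.W' enables."""
    return [name for name, cidr in interfaces.items()
            if matches_wildcard(cidr.split("/")[0], statement)]


if __name__ == "__main__":
    print("RIP network 88.88.88.0 ->", rip_enabled("88.88.88.0", INTERFACES))
    for cidr in INTERFACES.values():
        print(cidr, "-> network", wildcard_statement(cidr))
    print("OSPF network 88.88.88.8 0.0.0.3 ->",
          wildcard_enabled("88.88.88.8 0.0.0.3", INTERFACES))
```

The RIP statement network 88.88.88.0 silently covers both /30 links because they share the class A network 88.0.0.0/8, whereas the wildcard form lets you enable OSPF or EIGRP on exactly one link; the tighter the wildcard, the smaller the chance of accidentally forming adjacencies on an interface you did not intend to.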

Optional Tweaks
Router(config-router)# no auto-summary
Disables auto summarization to classful boundaries. On newer IOS versions this is already the
default.
Router(config-router)# auto-summary
Enables auto summarization.
Router(config-router)# distance eigrp 60 170
Sets the administrative distance of internal EIGRP routes to 60 and of external (redistributed)
routes to 170. Possible values range from 1 to 255.
Router(config-router)# neighbor 99.99.99.99 gigabitEthernet 0/0
Manually configures 99.99.99.99, reachable via Gi0/0, as a static neighbor; EIGRP requires the
interface. Once a static neighbor is defined on an interface, EIGRP stops processing multicast
hellos there and only talks to the configured neighbors.
Router(config-router)# passive-interface gigabitEthernet 0/0
Stops EIGRP hellos out of Gi0/0, so no neighbors can form there, while the interface's network is
still advertised.


Show Commands
Router# show ip eigrp
Shows brief overview of EIGRP routing processes.
Router# show ip route eigrp
Shows all routes learned from EIGRP protocol.
Router# show ip eigrp neighbors
Shows all EIGRP neighbors and their states.
Router# show ip eigrp interfaces gigabitEthernet 0/0
Shows EIGRP information for the Gi0/0 interface.

Debugging
Router# debug ip eigrp notifications
Displays all EIGRP events.
Router# debug ip eigrp summary
Displays EIGRP summary route processing events.
Router# undebug all
Stops all debugging events.

What to Keep in Mind
EIGRP default administrative distance is 90.

EIGRP is a distance-vector routing protocol.

It's Cisco proprietary.

EIGRP Configuration Sample

Objective
Configure EIGRP routing so that all routers know about all the networks.

Step 1: Configure the interfaces

#R-one

R-one(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
R-one(config-if)# ip address 33.33.33.1 255.255.255.252
Sets IPv4 address and network mask.
R-one(config-if)# no shutdown
Enables the interface.
R-one(config-if)# exit
Moves back to global configuration mode.
R-one(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
R-one(config-if)# ip address 11.11.11.1 255.255.255.252
Sets IPv4 address and network mask.
R-one(config-if)# no shutdown
Enables the interface.

#R-two

R-two(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
R-two(config-if)# ip address 33.33.33.2 255.255.255.252
Sets IPv4 address and network mask.
R-two(config-if)# no shutdown
Enables the interface.
R-two(config-if)# exit
Moves back to global configuration mode.
R-two(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
R-two(config-if)# ip address 22.22.22.1 255.255.255.252
Sets IPv4 address and network mask.
R-two(config-if)# no shutdown
Enables the interface.

#R-three

R-three(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
R-three(config-if)# ip address 11.11.11.2 255.255.255.252
Sets IPv4 address and network mask.
R-three(config-if)# no shutdown
Enables the interface.
R-three(config-if)# exit
Moves back to global configuration mode.
R-three(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
R-three(config-if)# ip address 22.22.22.2 255.255.255.252
Sets IPv4 address and network mask.
R-three(config-if)# no shutdown
Enables the interface.

Step 2: Configure EIGRP

#R-one

R-one(config)# router eigrp 10
Starts EIGRP routing instance with the specified autonomous system number of 10. Moves to
EIGRP configuration mode.
R-one(config-router)# network 33.33.33.0 0.0.0.3
Announces network 33.33.33.0/30 as directly connected in AS10.
R-one(config-router)# network 11.11.11.0 0.0.0.3
Announces network 11.11.11.0/30 as directly connected in AS10.

#R-two

R-two(config)# router eigrp 10
Starts EIGRP routing instance with the specified autonomous system number of 10. Moves to
EIGRP configuration mode.
R-two(config-router)# network 22.22.22.0 0.0.0.3
Announces network 22.22.22.0/30 as directly connected in AS10.
R-two(config-router)# network 33.33.33.0 0.0.0.3
Announces network 33.33.33.0/30 as directly connected in AS10.

#R-three

R-three(config)# router eigrp 10
Starts EIGRP routing instance with the specified autonomous system number of 10. Moves to
EIGRP configuration mode.
R-three(config-router)# network 22.22.22.0 0.0.0.3
Announces network 22.22.22.0/30 as directly connected in AS10.
R-three(config-router)# network 11.11.11.0 0.0.0.3
Announces network 11.11.11.0/30 as directly connected in AS10.

IP Access Control List
Can I use it to prevent my sister from accessing the internet?

Creating and Applying a Standard ACL
IP standard access list
Filtering decisions are made based on source IP only.
Numbers 1-99 and 1300-1999 are used to define IP standard ACLs.

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
Creates access list 1 and adds a rule that permits all packets originating from 192.168.10.0/24
network.

Note: At this point our ACL has no effect because it's not yet applied to any interface.

--
Meanings behind the commands

Access-list: defines that we want to create or modify an ACL.

1: access list ID number which also defines that we are working with standard type of
ACLs.

Permit: packets that match all rule statements will be permitted.

192.168.10.0: source network address criteria.

0.0.0.255: source network wildcard mask for a /24 network.
--

Router(config)# access-list 1 permit 192.168.20.0 0.0.0.255
Adds another permitting rule to ACL 1 that permits packets originating from 192.168.20.0/24
network.

Note:
Packets originating from 192.168.10.0/24 and 192.168.20.0/24 will be permitted regardless of
the service port used. All other packets that don't match these criteria will be dropped because
of the implicit deny rule at the end of every ACL.

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)# ip access-group 1 out
Applies ACL 1 to the Gi0/0 interface in the outbound direction. Every packet that goes out of
Gi0/0 will be checked against the list.

Creating and Applying an Extended ACL
IP extended access list
Filtering decisions are made based on source IP, destination IP, service port number and IP
protocol.
Numbers 100-199 and 2000-2699 are used to define IP extended ACLs.

Router(config)# access-list 100 permit tcp 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 eq 443
Creates an extended ACL 100, and adds a permitting rule with the following criteria:

1. Source IP is inside 192.168.20.0/24 network
2. Destination IP is inside 192.168.30.0/24 network
3. Destination service port is TCP 443 (HTTPS)

--
Meanings behind the commands

Access-list: defines that we want to create or modify an ACL.

100: access list ID number which also defines that we are working with extended type of
ACLs.

Permit: packets that match rule statements will be permitted.

Tcp: protocol criteria.

192.168.20.0: source network address.

0.0.0.255: source network wildcard mask for a /24 network.

192.168.30.0: destination network address.

0.0.0.255: destination network wildcard mask for a /24 network.

Eq: destination port number must be equal to.

443: destination port number must be 443.
--

Router(config)# access-list 100 permit tcp host 192.168.20.5 host 192.168.30.6 eq 80
Adds another permitting rule to extended ACL 100. This permitting rule is only for single host
addresses.

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)# ip access-group 100 in
Applies ACL 100 to the Gi0/0 interface in the inbound direction. Every packet that comes in on
Gi0/0 will be checked against the list.

Removing Specific Rules in an ACL
Router(config)# ip access-list standard 1
Moves to ACL1 configuration mode.
Router(config-std-nacl)# no 10
Removes the first rule (sequence number 10) from ACL 1.

Note: ACL rules/lines are numbered in increments of 10. The first rule is number 10, the second
number 20, and so on.
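
The evaluation logic behind both ACL types, as an added Python simulation (example code, not from the book): wildcard-mask matching, top-down first match, the implicit deny at the end of every list, and the sequence numbers 10, 20, ... that `no 10` removes. The `Rule` and `AccessList` names are my own; the two lists built are ACL 1 and ACL 100 from this chapter, and the wildcard test is the same one the OSPF and EIGRP network statements use.

```python
"""Added example (not from the book): a simulator of how IOS evaluates a
numbered IPv4 access list. The two lists built here are ACL 1 and ACL 100
exactly as configured in this chapter."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask test: a 0 bit in the wildcard must match, a 1 bit is
    'don't care'. 0.0.0.255 therefore matches a /24, 0.0.0.0 a single host
    and 255.255.255.255 anything at all."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # source network or host address
    src_wc: str                      # source wildcard ('host' == 0.0.0.0)
    proto: str = "ip"                # extended ACLs only: ip, tcp, udp, ...
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # 'any' destination
    dport: Optional[int] = None      # 'eq <port>' on the destination
    seq: int = 0                     # sequence number assigned by IOS


@dataclass
class AccessList:
    number: int
    rules: List[Rule] = field(default_factory=list)

    @property
    def is_standard(self) -> bool:
        # 1-99 and 1300-1999 are standard, 100-199 and 2000-2699 extended
        return 1 <= self.number <= 99 or 1300 <= self.number <= 1999

    def add(self, rule: Rule) -> Rule:
        """Each 'access-list N ...' line is appended with the next multiple of 10."""
        rule.seq = 10 * (len(self.rules) + 1)
        self.rules.append(rule)
        return rule

    def remove(self, seq: int) -> None:
        """'no <seq>' inside 'ip access-list' mode deletes just that line."""
        self.rules = [r for r in self.rules if r.seq != seq]

    def evaluate(self, src: str, dst: str, proto: str,
                 dport: int) -> Tuple[str, Optional[int]]:
        """Walk the list top-down; the first matching rule decides.
        Returns (action, seq); seq is None when the implicit deny fired."""
        for r in self.rules:
            if not wildcard_match(src, r.src, r.src_wc):
                continue
            if not self.is_standard:
                # a standard ACL looks at the source only; an extended one
                # also checks protocol, destination and destination port
                if r.proto != "ip" and r.proto != proto:
                    continue
                if not wildcard_match(dst, r.dst, r.dst_wc):
                    continue
                if r.dport is not None and r.dport != dport:
                    continue
            return r.action, r.seq
        return "deny", None   # the implicit deny at the end of every ACL


def build_chapter_acls() -> Tuple[AccessList, AccessList]:
    """ACL 1 and ACL 100 as entered in this chapter."""
    acl1 = AccessList(1)
    acl1.add(Rule("permit", "192.168.10.0", "0.0.0.255"))
    acl1.add(Rule("permit", "192.168.20.0", "0.0.0.255"))
    acl100 = AccessList(100)
    acl100.add(Rule("permit", "192.168.20.0", "0.0.0.255", "tcp",
                    "192.168.30.0", "0.0.0.255", 443))
    acl100.add(Rule("permit", "192.168.20.5", "0.0.0.0", "tcp",
                    "192.168.30.6", "0.0.0.0", 80))
    return acl1, acl100


if __name__ == "__main__":
    acl1, acl100 = build_chapter_acls()
    # constructed sample packets: (src, dst, proto, dport)
    for pkt in [("192.168.10.7", "8.8.8.8", "udp", 53),
                ("192.168.30.7", "8.8.8.8", "udp", 53)]:
        print("ACL 1  ", pkt, "->", acl1.evaluate(*pkt))
    for pkt in [("192.168.20.9", "192.168.30.2", "tcp", 443),
                ("192.168.20.9", "192.168.30.2", "tcp", 80),
                ("192.168.20.5", "192.168.30.6", "tcp", 80)]:
        print("ACL 100", pkt, "->", acl100.evaluate(*pkt))
```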

Show Commands
Router# show access-lists
Shows all ACLs, rules and rule numbers.
Router# show access-list 1
Shows all ACL 1 information.

Address Translation (NAT)
NAT usually indicates a firewall in network diagrams.

PAT
This is the most widely used NAT method. It lets multiple internal hosts hide behind the same
external IP address when communicating with the public internet.

Step 1: Create NAT pool

Router(config)# ip nat pool public 20.20.20.1 20.20.20.1 netmask 255.255.255.255
Creates a NAT pool named public and defines an external IP address used inside the pool.
IOS syntax requires a from-to range of IP addresses even if we only want to use a single IP in
the whole pool.

--
Meanings behind the commands:

Ip nat pool: defines that we want to create a NAT pool.

Public: name of the NAT pool. This can be anything you prefer.

20.20.20.1: first IP address of the NAT pool.

20.20.20.1: last IP address of the NAT pool.

Netmask: keyword to specify a subnet mask.

255.255.255.255: subnet mask.
--

Step 2: Create ACL

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
Creates an ACL that defines the internal network we want to translate. The network size is
defined by the wildcard mask.

Step 3: Specify NAT mapping

Router(config)# ip nat inside source list 1 pool public overload
Creates a NAT rule stating that outbound connections initiated from our internal network
192.168.10.0/24 (matched by ACL 1) will be translated. The external IP will be taken from the pool
named public.

Overload subcommand
Allows NAT to translate multiple inside devices to the single address in the pool.

Step 4: Specify internal and external interfaces

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)# ip nat inside
Defines that Gi0/0 interface leads to our private network (192.168.10.0/24).
Router(config-if)# exit
Moves back to global config mode.
Router(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Router(config-if)# ip nat outside
Defines that Gi0/1 interface leads to public internet.

Static NAT
With this method one internal host will permanently get a dedicated external IP. This is widely
used to make self-hosted web and mail servers publicly accessible.

Step 1: Specify NAT mapping

Router(config)# ip nat inside source static 192.168.10.1 20.20.20.1
Creates a NAT rule stating that outbound connections initiated by 192.168.10.1 will always be
hidden behind 20.20.20.1. Because the mapping is permanent and works in both directions,
inbound connections to 20.20.20.1 are also forwarded to 192.168.10.1.

Step 2: Specify internal and external interfaces

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)# ip nat inside
Defines that Gi0/0 interface leads to our private network (192.168.10.0/24).
Router(config-if)# exit
Moves back to global config mode.
Router(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Router(config-if)# ip nat outside
Defines that Gi0/1 interface leads to public internet.


Dynamic NAT
With this method each internal host will get a temporary external IP from a predefined pool until
all the public connections are closed or timed out. For example if you have 8 external IP
addresses to use then only 8 internal hosts are able to concurrently browse the public internet.

There aren't many business situations where this NAT method suits best. In short, it's a waste of
public IP addresses.

Step 1: Create NAT pool

Router(config)# ip nat pool public 20.20.20.1 20.20.20.254 netmask 255.255.255.0
Creates a NAT pool named public and defines the external IP addresses, 20.20.20.1 through
20.20.20.254, that will be used to hide outbound connections.

Step 2: Create ACL

Router(config)# access-list 1 permit 192.168.10.0 0.0.0.255
Creates an ACL that defines the internal network we want to translate. The network size is
defined by the wildcard mask.

Step 3: Specify NAT mapping

Router(config)# ip nat inside source list 1 pool public
Creates a NAT rule stating that outbound connections initiated from our internal network
192.168.10.0/24 (matched by ACL 1) will be translated. Each host is given its own external IP
from the pool named public.

Step 4: Specify internal and external interfaces

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)# ip nat inside
Defines that Gi0/0 interface leads to our private network (192.168.10.0/24).
Router(config-if)# exit
Moves back to global config mode.
Router(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Router(config-if)# ip nat outside
Defines that Gi0/1 interface leads to public internet.
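
PAT and dynamic NAT side by side, as an added Python simulation (example code, not from the book) of the translation table the router builds: with `overload` every inside host shares 20.20.20.1 and only source ports are rewritten, while dynamic NAT consumes one pool address per host and refuses the ninth host once an eight-address pool is used up. The class name and the port-selection policy are my own; IOS has its own allocator.

```python
"""Added example (not from the book): a simulator of the outbound translation
behaviour of PAT ('overload') versus dynamic NAT as configured in this
chapter. The table output approximates 'show ip nat translations'."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


class InsideSourceNat:
    def __init__(self, inside_acl: str, pool_first: str, pool_last: str,
                 overload: bool) -> None:
        # 'access-list 1 permit 192.168.10.0 0.0.0.255' expressed as a network
        self.inside = ipaddress.ip_network(inside_acl)
        first = int(ipaddress.ip_address(pool_first))
        last = int(ipaddress.ip_address(pool_last))
        self.pool = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        self.overload = overload
        self.host_map: Dict[str, str] = {}          # dynamic NAT: local -> global IP
        self.table: Dict[Endpoint, Endpoint] = {}   # inside local -> inside global
        self.used: Set[Endpoint] = set()            # global (ip, port) pairs in use

    def translate(self, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Inside-global (ip, port) for an outbound flow, or None when the packet
        is not translated (not matched by the ACL, or the pool is exhausted)."""
        if ipaddress.ip_address(src_ip) not in self.inside:
            return None
        key = (src_ip, src_port)
        if key in self.table:
            return self.table[key]          # an existing flow keeps its mapping
        if self.overload:
            # PAT: every host shares the single pool address; the source port is
            # kept when free and otherwise rewritten (the port choice here is
            # constructed, IOS has its own allocation policy)
            global_ip = self.pool[0]
            global_port = src_port
            while (global_ip, global_port) in self.used:
                global_port += 1
        else:
            # dynamic NAT: one whole pool address per inside host
            global_ip = self.host_map.get(src_ip)
            if global_ip is None:
                free = [ip for ip in self.pool if ip not in self.host_map.values()]
                if not free:
                    return None             # pool exhausted: no translation possible
                global_ip = free[0]
                self.host_map[src_ip] = global_ip
            global_port = src_port          # the port is left untouched
        self.used.add((global_ip, global_port))
        self.table[key] = (global_ip, global_port)
        return self.table[key]

    def show_translations(self) -> List[str]:
        """Rough equivalent of 'show ip nat translations'."""
        lines = ["Pro Inside global         Inside local"]
        for (lip, lport), (gip, gport) in sorted(self.table.items()):
            lines.append(f"tcp {gip + ':' + str(gport):<22}{lip}:{lport}")
        return lines


if __name__ == "__main__":
    # PAT: pool 'public' holds 20.20.20.1 only, 'overload' set
    pat = InsideSourceNat("192.168.10.0/24", "20.20.20.1", "20.20.20.1", True)
    pat.translate("192.168.10.5", 50000)
    pat.translate("192.168.10.6", 50000)   # same source port: gets rewritten
    print("\n".join(pat.show_translations()))
    # dynamic NAT with the eight-address pool the text talks about (constructed)
    dyn = InsideSourceNat("192.168.10.0/24", "20.20.20.1", "20.20.20.8", False)
    for i in range(1, 10):
        print(f"192.168.10.{i} ->", dyn.translate(f"192.168.10.{i}", 50000))
```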

Show Commands
Router# show ip nat translations
Shows all NAT translations.

Debugging
Router# debug ip nat
Real-time display of all translated packets.
Router# undebug all
Stops all debugging events.

Connecting to WAN
Easy! I just have to plug a cable into my PC.

Configuring a Serial Interface
Serial interfaces are typically used to interconnect client and ISP equipment.

Router(config)# interface serial 0/0/0
Moves to interface configuration mode.
Router(config-if)# ip address 7.7.7.7 255.255.255.248
Sets IPv4 address and network mask.
Router(config-if)# clock rate 64000
Sets the interface clock rate to 64 kbit/s.
Router(config-if)# no shutdown
Enables interface.

Clock rate
If your device is the DTE (client side) you don't need to specify a clock rate. The clock rate must
be specified on the DCE (service provider) equipment.

HDLC
For a serial interface to work you need to specify an encapsulation method, either HDLC or PPP.
If you don't specify one, HDLC will be used.

Router(config)# interface serial 0/0/0
Moves to interface configuration mode.
Router(config-if)# encapsulation hdlc
Sets encapsulation to HDLC.

Encapsulation
HDLC encapsulation is already the default setting on synchronous serial interfaces, and you only
need this command if you want to return to HDLC from another encapsulation method. The
alternative encapsulation method for serial links is PPP.

PPP
PPP is an alternative to HDLC as an encapsulation method on serial links. You should use it
when you are concerned about security. In other cases the default HDLC works fine. This protocol
has optional authentication capabilities: PAP (Password Authentication Protocol) and CHAP
(Challenge Handshake Authentication Protocol).

#Configuring PPP encapsulation method:

Router(config)# interface serial 0/0/0
Moves to interface configuration mode.
Router(config-if)# encapsulation ppp
Sets encapsulation method to PPP.

Optional Tweaks:

Router(config-if)# ppp quality 90
Periodically checks the PPP link for quality and sets the quality threshold to 90%. If link quality
drops below 90%, the link will shut down. This command is useful if you have a backup link
available. The percentage threshold can be anything from 1 to 100.
Router(config-if)# compress mppc
Enables the MPPC compression algorithm, which reduces total traffic overhead on the serial link.
Alternative compression algorithms for PPP are predictor and stac.

#Configuring PAP (Password Authentication):

Step 1: Create a dummy user for authentication:

RouterOne(config)# username RouterTwo password PAP
Creates user RouterTwo with the case-sensitive password PAP. This entry is used to verify the
peer during PAP authentication.

Important: The username must equal the hostname of the peering router, and the password
must be exactly the same for both dummy users.

RouterTwo(config)# username RouterOne password PAP
Creates user RouterOne with case-sensitive password set to PAP.

Step 2: Configure serial interface for PAP authentication:

RouterOne(config)# interface serial 0/0/0
Moves to interface configuration mode.
RouterOne(config-if)# ppp authentication pap
Enables PAP authentication protocol.
RouterOne(config-if)# ppp pap sent-username RouterTwo password PAP
Sets user credentials for PAP authentication.

RouterTwo(config)# interface serial 0/0/0
Moves to interface configuration mode.
RouterTwo(config-if)# ppp authentication pap
Enables PAP authentication protocol.
RouterTwo(config-if)# ppp pap sent-username RouterOne password PAP
Sets user credentials for PAP authentication.

Note: Unfortunately PAP does not encrypt user credentials when exchanging authentication
details. For security reasons it's recommended to use CHAP instead.

#CHAP (Challenge Handshake Authentication):

Step 1: Create a dummy user for authentication.

RouterOne(config)# username RouterTwo password PAP
Creates user RouterTwo with the case-sensitive password PAP. This entry is used to verify the
peer during CHAP authentication.

RouterTwo(config)# username RouterOne password PAP
Creates user RouterOne with case-sensitive password set to PAP.

Step 2: Configure serial interface for CHAP authentication:

RouterOne(config)# interface serial 0/0/0
Moves to interface configuration mode.
RouterOne(config-if)# ppp authentication chap
Enables CHAP authentication protocol.

RouterTwo(config)# interface serial 0/0/0
Moves to interface configuration mode.
RouterTwo(config-if)# ppp authentication chap
Enables CHAP authentication protocol.

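
What the two methods put on the wire, as an added Python model (example code, not from the book) built on the `username RouterTwo password PAP` and `username RouterOne password PAP` entries above. PAP sends username and password in clear text; CHAP (RFC 1994) answers a random challenge with MD5(id || secret || challenge), which is why both routers must hold the same password under the peer's hostname and why the password itself never crosses the link. The `PppRouter` class and the frame dictionaries are my own simplification of the real PPP frames.

```python
"""Added example (not from the book): what crosses the serial link under PAP
versus CHAP with the 'username ... password PAP' entries from this section.
CHAP follows RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


class PppRouter:
    def __init__(self, hostname: str, users: Dict[str, str]) -> None:
        self.hostname = hostname
        self.users = users   # local 'username <name> password <secret>' entries

    # --- PAP ---------------------------------------------------------------
    def pap_request(self, sent_username: str, password: str) -> dict:
        """'ppp pap sent-username X password Y' produces an Authenticate-Request
        carrying both values in clear text."""
        return {"code": "Authenticate-Request", "peer_id": sent_username,
                "password": password}

    def pap_verify(self, req: dict) -> bool:
        """The receiving router compares against its local user entry."""
        return self.users.get(req["peer_id"]) == req["password"]

    # --- CHAP --------------------------------------------------------------
    def chap_challenge(self, ident: int, value: Optional[bytes] = None) -> dict:
        """The authenticator sends a random challenge plus its own hostname."""
        return {"code": "Challenge", "id": ident,
                "value": value if value is not None else os.urandom(16),
                "name": self.hostname}

    @staticmethod
    def _digest(ident: int, secret: str, challenge: bytes) -> bytes:
        return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

    def chap_response(self, chal: dict) -> Optional[dict]:
        """The peer looks up the challenger's hostname in its local user list
        and answers with a hash; the secret itself stays on the router."""
        secret = self.users.get(chal["name"])
        if secret is None:
            return None
        return {"code": "Response", "id": chal["id"],
                "value": self._digest(chal["id"], secret, chal["value"]),
                "name": self.hostname}

    def chap_verify(self, chal: dict, resp: dict) -> bool:
        """The authenticator recomputes the hash with the secret stored under the
        responder's hostname, so both entries must hold the same password."""
        secret = self.users.get(resp["name"])
        if secret is None or resp["id"] != chal["id"]:
            return False
        expected = self._digest(chal["id"], secret, chal["value"])
        return hmac.compare_digest(expected, resp["value"])


def chap_exchange(authenticator: PppRouter, peer: PppRouter, ident: int = 1,
                  challenge: Optional[bytes] = None) -> Tuple[bool, List[dict]]:
    """One CHAP exchange. Returns (success, frames seen on the wire)."""
    chal = authenticator.chap_challenge(ident, challenge)
    resp = peer.chap_response(chal)
    if resp is None:
        return False, [chal]
    return authenticator.chap_verify(chal, resp), [chal, resp]


def secret_on_wire(frames: List[dict], secret: str) -> bool:
    """True if the clear-text secret appears in any transmitted field."""
    for frame in frames:
        for v in frame.values():
            data = v if isinstance(v, bytes) else str(v).encode()
            if secret.encode() in data:
                return True
    return False


if __name__ == "__main__":
    r1 = PppRouter("RouterOne", {"RouterTwo": "PAP"})
    r2 = PppRouter("RouterTwo", {"RouterOne": "PAP"})
    pap = r2.pap_request("RouterTwo", "PAP")
    print("PAP accepted:", r1.pap_verify(pap),
          "| secret on wire:", secret_on_wire([pap], "PAP"))
    ok, frames = chap_exchange(r1, r2)
    print("CHAP accepted:", ok, "| secret on wire:", secret_on_wire(frames, "PAP"))
```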
Frame Relay
Frame relay is a legacy technology that has mostly been replaced by MPLS today. There are no
more multipoint frame-relay clouds in modern service provider networks, but it's quite common to
see it configured between service provider and client devices.

#Configuring Frame Relay:

This example covers setting up PVCs 100 and 101 on separate subinterfaces. Both
subinterfaces are configured on the same s0/0/0 physical interface.

Router(config)# interface serial 0/0/0
Moves to interface configuration mode.
Router(config-if)# encapsulation frame-relay ietf
Sets frame relay encapsulation type to IETF. This also affects all the subinterfaces.
Router(config-if)# frame-relay lmi-type ansi
Sets LMI type to ANSI.
Router(config-if)# no shutdown
Enables interface.
Router(config-if)# exit
Moves back to global configuration mode.
Router(config)# interface serial 0/0/0.100 point-to-point
Creates a point-to-point subinterface .100 on s0/0/0 and moves to subinterface configuration
mode.
Router(config-subif)# ip address 192.168.1.1 255.255.255.0
Sets IP address and network mask to the subinterface.
Router(config-subif)# frame-relay interface-dlci 100
Assigns DLCI 100 to the subinterface.

#If you need to add another PVC just keep creating new subinterfaces:

Router(config)# interface serial 0/0/0.101 point-to-point
Creates a point-to-point subinterface .101 on s0/0/0 and moves to subinterface configuration
mode.
Router(config-subif)# ip address 192.168.2.1 255.255.255.0
Sets IP address and network mask to the subinterface.
Router(config-subif)# frame-relay interface-dlci 101
Assigns DLCI 101 to the subinterface.

#Show commands:

Router# show frame-relay pvc
Shows status of all PVCs configured.
Router# show frame-relay map
Shows DLCI map entries.
Router# show frame-relay lmi
Shows LMI statistics.

DHCP
This chapter teaches you how to configure your router as a DHCP server.

Enabling DHCP Service
Router(config)# service dhcp
Enables DHCP server and relay services. By default DHCP services are already enabled.

To disable DHCP:

Router(config)# no service dhcp
Disables DHCP server and relay services.

Defining a DHCP Pool
Router(config)# ip dhcp pool water
Creates a DHCP pool named water and moves to DHCP configuration mode. Pool name can
be anything you want.
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Specifies the range of IP addresses to be leased.
Router(dhcp-config)# default-router 192.168.1.1
Specifies the default router for the DHCP client.
Router(dhcp-config)# dns-server 192.168.1.2
Specifies the DNS server IP address.
Router(dhcp-config)# lease 2 0 0
Adjusts DHCP lease time to 2 days, 0 hours and 0 minutes. Default setting is 1 day, 0 hours, 0
minutes.

Excluding IP Addresses From The Leased Range
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.100
Specifies that IP addresses from 192.168.1.1 to 192.168.1.100 must not be leased via DHCP.

Show Commands
Router# show ip dhcp binding
Shows all DHCP bindings.
Router# show ip dhcp conflict
Lists all IP conflicts learned by DHCP server.

Debugging
Router# debug ip dhcp server events
Real-time display of all DHCP server events.

Managing Configurations and Software
I started copying the IOS image about 10 minutes ago.
How long will it take?

Backing Up Configuration
TFTP protocol is used to copy files between a Cisco device and a server. With appropriate
software any regular PC is able to act as a TFTP server.

Note: TFTP uses UDP port 69 and provides neither authentication nor encryption, so configuration
backups (which contain credentials) should only be transferred over a trusted management network.

Copying configuration to TFTP server:

Router# copy running-config tftp:
Address or name of remote host []? 192.168.100.100
Destination filename [Router-config]? running-config_backup
Copies running-config to TFTP server 192.168.100.100 and names it running-config_backup.

Restoring Configuration
Router# copy tftp: running-config
Address or name of remote host []? 192.168.100.100
Source filename []? running-config_backup
Destination filename [running-config]? [ENTER] key
Copies a file named running-config_backup from TFTP server 192.168.100.100 to router and
loads its contents into running-config.

Alternatively you can copy the configuration file to NVRAM so that the changes won't become
active before the system reboots.

Router# copy tftp: startup-config
Same as above, but the file is written to startup-config (NVRAM) instead of running-config.

Upgrading IOS Software
Step 1: Copy new IOS image from TFTP server to router

Router# copy tftp flash:
Address or name of remote host? 192.168.100.100
Source filename? /etc/ios_images/c3800-universalk9-mz.150-1.bin
Destination filename? c3800-universalk9-mz.150-1.bin
Fetches new IOS image from TFTP server to flash memory.

Step 2: Update system boot sector

Router(config)# boot system flash:c3800-universalk9-mz.150-1.bin
Instructs the system to load the new software image at the next reboot.

Step 3: Save configuration and reboot router

Router# write memory
Saves configuration to startup-config (NVRAM).
Router# reload
Reboots the system.

Step 4 (optional): Delete old software image

Router# dir flash:
Lists all contents on flash memory. Software images have .bin file extension.
Router# delete flash:c3800-lanbase-mz.150-0.bin
Deletes old software image that is no longer needed.

Activating IOS Software
Below is the standard procedure of IOS software activation.

Step 1 of 5: Obtain PAK

This is provided to you when you purchase a software image or an additional feature set. Check
your e-mail inbox or delivery notes.

Step 2 of 5: Obtain UDI

Switch# show license udi
Displays UDI values that can be licensed.

Step 3 of 5: Generate License

Go to: http://www.cisco.com/go/license

Follow the instructions and generate the license. PAK and UDI are required for this step. Copy
the received license file to the TFTP server.

Step 4 of 5: Install License

Switch# license install tftp://srv/ios_licenses/29a.lic
Installs license from 29a.lic file located on TFTP server.

Step 5 of 5: Reboot the system

Switch# reload
After next reboot system will load with the new feature set enabled.

Resetting Configuration to Factory Defaults
Router# erase startup-config
Removes the startup-config file from NVRAM.
Router# reload
Reboots router. Do not save changes to NVRAM at this point.

If everything is done correctly you will see the prompt indicating the system loaded from default
configuration file:

Would you like to enter the initial configuration dialog? [yes/no]:
I'm sure you already know what the right answer to this question is.

Resetting a switch configuration to factory defaults requires you to type in one additional
command:

Switch# delete flash:vlan.dat
Removes VLAN database (vlan.dat file) on flash memory.


Part II
Switching

It's The Same as on Routers
Didn't find the chapter you were looking for in Part II Switching? Please refer to the chapters in
Part I Routing.

Many aspects about configuring a switch are exactly the same as on routers.

VLAN
This chapter teaches you how to configure isolated broadcast domains (VLANs).

Creating VLANs
Switch(config)# vlan 2
Creates VLAN2 broadcast domain and moves to VLAN configuration mode.
Switch(config-vlan)# name Network Administrators
Sets optional VLAN name.

Configuring an Access Interface
Switch(config)# interface gigabitEthernet 0/1
Enters interface configuration mode.
Switch(config-if)# switchport mode access
Sets interface to access mode. This prevents all trunk negotiations and permits operation of a
single VLAN on the interface.
Switch(config-if)# switchport access vlan 2
Assigns interface to VLAN2 broadcast domain.

Show Commands
Switch# show vlan brief
Lists all VLANs and the interfaces they are currently active on.
Switch# show vlan id 5
Shows information about a particular VLAN.
Switch# show running-config interface vlan 5
Shows running-config of a particular virtual VLAN interface.

VLAN Configuration Sample

Objective
Configure VLANs and switch interfaces as in network diagram.

Step 1: Create VLANs

L2Switch(config)# vlan 5
Creates VLAN5 broadcast domain and moves to VLAN configuration mode.
L2Switch(config-vlan)# name Business Management
Sets optional VLAN name.
L2Switch(config-vlan)# vlan 10
Creates VLAN10 broadcast domain and moves to VLAN configuration mode.
L2Switch(config-vlan)# name Network Administrators
Sets optional VLAN name.
L2Switch(config-vlan)# vlan 15
Creates VLAN15 broadcast domain and moves to VLAN configuration mode.
L2Switch(config-vlan)# name Software Developers
Sets optional VLAN name.
L2Switch(config-vlan)# vlan 20
Creates VLAN20 broadcast domain and moves to VLAN configuration mode.
L2Switch(config-vlan)# name Wireless Users
Sets optional VLAN name.

Step 2: Configure the interfaces

Note: We're using the interface range command to apply identical configuration to multiple
interfaces at once.

L2Switch(config)# interface range gigabitEthernet 0/1 - 32
Enters interface range configuration mode.
L2Switch(config-if-range)# switchport mode access
Sets interfaces to access mode.
L2Switch(config-if-range)# exit
Moves back to global configuration mode.

#Business management

L2Switch(config)# interface range gigabitEthernet 0/1 - 10
Enters interface range configuration mode.
L2Switch(config-if-range)# switchport access vlan 5
Assigns interfaces to VLAN5 broadcast domain.
L2Switch(config-if-range)# exit
Moves back to global configuration mode.

#Network administrators

L2Switch(config)# interface range gigabitEthernet 0/11 - 20
Enters interface range configuration mode.
L2Switch(config-if-range)# switchport access vlan 10
Assigns interfaces to VLAN10 broadcast domain.
L2Switch(config-if-range)# exit
Moves back to global configuration mode.

#Software developers

L2Switch(config)# interface range gigabitEthernet 0/21 - 30
Enters interface range configuration mode.
L2Switch(config-if-range)# switchport access vlan 15
Assigns interfaces to VLAN15 broadcast domain.
L2Switch(config-if-range)# exit
Moves back to global configuration mode.

#Wireless users

L2Switch(config)# interface range gigabitEthernet 0/31 - 32
Enters interface range configuration mode.
L2Switch(config-if-range)# switchport access vlan 20
Assigns interfaces to VLAN20 broadcast domain.
L2Switch(config-if-range)# exit
Moves back to global configuration mode.

Assigning a Management IP Address
Switches can't have IP addresses because they are layer 2 devices.

Assigning a management IP address:

Switch(config)# vlan 10
Creates regular VLAN10 broadcast domain and moves to VLAN configuration mode.
Switch(config-vlan)# name Dedicated Management VLAN
Sets an optional VLAN name.
Switch(config-vlan)# exit
Moves back to global configuration mode.
Switch(config)# interface vlan 10
Creates virtual VLAN interface 10 and moves to VLAN interface configuration mode.
Switch(config-if)# description Management interface
Sets optional interface description.
Switch(config-if)# ip address 192.168.10.15 255.255.255.0
Sets IPv4 address and network mask.

Note: To remotely manage a switch via Telnet or SSH you must also configure the vty lines.
Please refer to Remote Management chapter in Part I Routing.

MAC Address Table
Verifying MAC address entries is usually the first thing an administrator does to troubleshoot
potential layer-2 issues.

This chapter teaches you a couple of things related to MAC addresses.

Clearing MAC Address Entries
Switch# clear mac address-table
Clears all MAC address entries.
Switch# clear mac address-table dynamic
Clears MAC address entries that are dynamically learned by switch. Static MAC addresses
entered by network administrator will remain in the table.

Static MAC Address
Switch(config)# mac address-table static aa:bb:aa:bb:aa:bb vlan 10 interface gigabitEthernet 0/10
Adds a static MAC address entry for the Gi0/10 interface.
Switch(config)# no mac address-table static aa:bb:aa:bb:aa:bb vlan 10 interface gigabitEthernet 0/10
Removes the static MAC address entry from the Gi0/10 interface.

Show Commands
Switch# show mac address-table
Shows all MAC address entries.
Switch# show mac address-table interface gigabitEthernet 0/1
Shows MAC address entries on a specific interface.
Switch# show mac address-table address aa:bb:cc:00:11:22
Shows an interface that has learned MAC address aa:bb:cc:00:11:22.

Port Security
Port security features help secure the network from unauthorized access. All of these features
are optional.

Limiting Permitted MAC Address Entries
Switch(config)# interface gigabitEthernet 0/10
Enters into interface configuration mode.
Switch(config-if)# switchport port-security
Enables port security on the interface.
Switch(config-if)# switchport port-security maximum 1
Limits the number of allowed MAC address entries on the port to a maximum of 1.
Switch(config-if)# switchport port-security mac-address aa:bb:cc:dd:00:11
Sets a static secure MAC address entry into MAC address table.
Switch(config-if)# switchport port-security violation protect
Configures port to drop frames of unauthorized MAC addresses. Authorized MAC addresses
can still send and receive frames.
Switch(config-if)# switchport port-security violation shutdown
Configures the port to err-disable itself if a violation occurs. Once the port is err-disabled,
frames from the authorized MAC address are blocked as well.

Show Commands
Switch# show port-security
Shows all port security information on all interfaces.
Switch# show port-security interface gigabitEthernet 0/10
Shows port security information on gigabitEthernet 0/10 port.

IEEE 802.1q Trunk Encapsulation

Trunk is the word you can use to describe me on Fridays and Saturdays.
I've tried IEEE 802.1q just once, it burns like hell!

Setting Interface Trunk Encapsulation Method
Switch(config)# interface gigabitEthernet 0/1
Enters interface configuration mode.
Switch(config-if)# switchport trunk encapsulation dot1q
Sets trunk encapsulation method to dot1q.

Setting Interface Operation Mode to Trunk
Switch(config-if)# switchport mode trunk
Sets interface operation mode to trunk.

Native VLAN (Untagged)
By default all VLANs on a trunk link are tagged except for VLAN1. In more complicated network
setups it's often required to have another VLAN untagged. This can be accomplished by setting
another VLAN as the native VLAN.

Switch(config-if)# switchport trunk native vlan 10
Sets VLAN10 as native VLAN. Frames belonging to VLAN10 broadcast domain will be
untagged.

Note: Native VLAN must be the same on both ends of the trunk link. In case of native VLAN
mismatch the trunk link will fail.

Limiting Permitted VLANs
All VLANs are permitted on trunk interfaces by default. In production networks that is not the
optimal setting, for security reasons.

Switch(config-if)# switchport trunk allowed vlan 10,20
Permits VLANs 10 and 20. All the other VLANs are now prohibited.

Restoring a situation where all VLANs are permitted:

Switch(config-if)# switchport trunk allowed vlan all
Permits all VLANs on a trunk interface. This is also the default setting.

Adding and removing permitted VLANs:

Switch(config-if)# switchport trunk allowed vlan add 30
Adds VLAN30 to the list of permitted VLANs.
Switch(config-if)# switchport trunk allowed vlan remove 30
Removes VLAN30 from the list of permitted VLANs.
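
The native-VLAN and allowed-VLAN behaviour of a dot1q trunk, as an added Python model (example code, not from the book) that builds and parses tagged and untagged Ethernet frames: native-VLAN frames leave untagged, an untagged frame is placed in whatever native VLAN the receiving end has configured (which is what a mismatch does), and `allowed vlan`, `add`, `remove` and `all` act as a filter. The `TrunkPort` class and the sample addresses are my own.

```python
"""Added example (not from the book): how a dot1q trunk port tags, untags
and filters Ethernet frames, to make the native VLAN and allowed VLAN
settings of this chapter concrete."""
import struct
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100
ALL_VLANS = set(range(1, 4095))       # 'switchport trunk allowed vlan all'


def vlan_list(spec: str) -> Set[int]:
    """Parse IOS VLAN lists such as '10,20' or '11-13,99'."""
    out: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def trunk_egress(dst: bytes, src: bytes, vlan: int, native_vlan: int,
                 payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Frames of the native VLAN leave the trunk untagged; all others get
    a 4-byte 802.1Q tag (TPID 0x8100, then PCP/DEI and the 12-bit VID)."""
    if vlan == native_vlan:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = vlan & 0x0FFF                   # PCP = 0, DEI = 0
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, int, bytes]:
    """Returns (vlan, ethertype, payload). An untagged frame is assigned to
    the receiving port's native VLAN, whatever the sender intended."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return native_vlan, ethertype, frame[14:]


class TrunkPort:
    def __init__(self, native_vlan: int = 1) -> None:
        self.native_vlan = native_vlan    # 'switchport trunk native vlan N'
        self.allowed: Set[int] = set(ALL_VLANS)

    def allowed_vlan(self, args: str) -> None:
        """Mimic 'switchport trunk allowed vlan <list|all|add L|remove L>'."""
        word, _, rest = args.partition(" ")
        if word == "all":
            self.allowed = set(ALL_VLANS)
        elif word == "add":
            self.allowed |= vlan_list(rest)
        elif word == "remove":
            self.allowed -= vlan_list(rest)
        else:
            self.allowed = vlan_list(args)

    def receive(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """(vlan, payload) for frames the port accepts, None if filtered."""
        vlan, _, payload = trunk_ingress(frame, self.native_vlan)
        if vlan not in self.allowed:
            return None
        return vlan, payload

    def send(self, dst: bytes, src: bytes, vlan: int,
             payload: bytes) -> Optional[bytes]:
        """Bytes put on the wire, or None if the VLAN is not allowed out."""
        if vlan not in self.allowed:
            return None
        return trunk_egress(dst, src, vlan, self.native_vlan, payload)


if __name__ == "__main__":
    # constructed addresses and payload
    DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("aabbccdd0011")
    a = TrunkPort(native_vlan=99)
    a.allowed_vlan("11,12,13,99")           # Gi0/1 as in the configuration sample
    print("VLAN 12 tagged:  ", a.send(DST, SRC, 12, b"hello").hex())
    print("VLAN 99 untagged:", a.send(DST, SRC, 99, b"hello").hex())
    print("VLAN 20 blocked: ", a.send(DST, SRC, 20, b"hello"))
    far_end = TrunkPort(native_vlan=1)      # far end without 'native vlan 99'
    print("VLAN 99 frame lands in:", far_end.receive(a.send(DST, SRC, 99, b"hello")))
```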


IEEE 802.1q Configuration Sample

Objective
Configure interface Gi0/1 as in network diagram. Restrict permitted VLANs to only those that
are required. Also note that the frames of VLAN99 broadcast domain must be untagged.

Step 1: Configure interface operation mode and encapsulation method

L2Switch(config)# interface gigabitEthernet 0/1
Enters interface configuration mode.
L2Switch(config-if)# switchport trunk encapsulation dot1q
Sets trunk encapsulation method to dot1q.
L2Switch(config-if)# switchport mode trunk
Sets interface operation mode to trunk.

Step 2: Specify native (untagged) VLAN

L2Switch(config-if)# switchport trunk native vlan 99
Sets native VLAN to 99.

Step 3: Prohibit VLANs that are not required

L2Switch(config-if)# switchport trunk allowed vlan 11,12,13,99
Permits VLANs 11, 12, 13 and 99. All the other VLANs are now prohibited.

VLAN Trunking Protocol (VTP)
This protocol converts VLANs into trunks.

VTP Domain
Switch(config)# vtp domain vtp-domain.com
Assigns switch to VTP domain named vtp-domain.com.
Switch(config)# vtp password coffee
Sets VTP domain password to coffee.

Note: VTP password is an optional security feature.

Operation Modes
There are 3 VTP operation modes - server, transparent and client. Below is a brief description
regarding the behavior of the switch, assuming all of the switches are configured in the same
VTP domain.

VTP Server
Propagates own VLAN database to neighboring switches.

VTP Transparent
Shares propagations of VTP server with neighboring switches and updates own VLAN
database.

VTP Client
Updates own VLAN database only. VTP server propagations are not shared with neighboring
switches.

Switch(config)# vtp mode server
Sets VTP operation mode to server. This is also default setting on all Cisco switches.
Switch(config)# vtp mode transparent
Sets VTP operation mode to transparent.
Switch(config)# vtp mode client
Sets VTP operation mode to client.

Note: There's no command to disable VTP globally. However, if you don't want to use VTP you
can set VTP operation mode to transparent on all the switches in your network, and refrain
from configuring any VTP domains.

VTP Pruning
VTP Pruning is an optional performance tweak. VTP pruning reduces bandwidth consumption
by restricting flooded traffic only to those trunk links that must be used to reach the destination.

Switch(config)# vtp pruning
Enables VTP pruning (disabled by default).

Note: VTP pruning only needs to be configured on the VTP server switch.

Show Commands
Switch# show vtp status
Shows VTP mode and VTP domain information.
Switch# show vtp password
Used to verify if VTP administrative domain is protected by a password.

VTP Configuration Sample
Objective
Configure VTP for standard hierarchy core (VTP server), distribution (VTP transparent) and
access (VTP client).

All interfaces operate in trunk mode with dot1q encapsulation.

Step 1: Configure VTP server switch

Coral(config)# vtp mode server
Sets VTP operation mode to server.
Coral(config)# vtp domain vtp-domain.com
Assigns switch to VTP domain named vtp-domain.com.

Step 2: Configure VTP transparent switch

Amber(config)# vtp mode transparent
Sets VTP operation mode to transparent.
Amber(config)# vtp domain vtp-domain.com
Assigns switch to VTP domain named vtp-domain.com.

Step 3: Configure VTP client switches

Opal(config)# vtp mode client
Sets VTP operation mode to client.
Opal(config)# vtp domain vtp-domain.com
Assigns switch to VTP domain named vtp-domain.com.
Jade(config)# vtp mode client
Sets VTP mode to client.
Jade(config)# vtp domain vtp-domain.com
Assigns switch to VTP domain named vtp-domain.com.

Dynamic Trunking Protocol (DTP)
I usually configure DTP in case I want to increase network complexity for no reason.

Configuring DTP:

Switch(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Switch(config-if)# switchport mode dynamic desirable
Makes interface attempt to establish a trunk link. Interface generates DTP frames and
responds to them if received.

Note: Trunk link is established if a neighboring interface is set to desirable, auto or trunk.

Switch(config-if)# switchport mode dynamic auto
Makes interface able to establish a trunk link. Interface won't generate DTP frames but
responds to them if received.

Note: Trunk link is established if a neighboring interface is set to desirable or trunk.

Switch(config-if)# switchport nonegotiate
Prevents interface from participating in DTP negotiations.

EtherChannel
EtherChannel technology allows grouping of 2-8 physical Ethernet interfaces to create one
logical interface for the purpose of providing high-speed interconnect links.

EtherChannel Interface Modes and Protocols
Mode ON / No Protocol
Forces interface into EtherChannel without negotiation.
Mode Desirable / PAgP Protocol
Initiates EtherChannel negotiation.
Mode Auto / PAgP Protocol
Does not initiate EtherChannel negotiation, but responds to PAgP frames.
Mode Active / LACP Protocol
Initiates EtherChannel negotiation.
Mode Passive / LACP Protocol
Does not initiate EtherChannel negotiation, but responds to LACP frames.

Static EtherChannel
Switch(config)# interface range gigabitEthernet 0/1 - 2
Moves into interface-range configuration mode.
Switch(config-if-range)# channel-group 1 mode on
Assigns interfaces into EtherChannel group 1. Forces interfaces into EtherChannel without
negotiation.

Note: For EtherChannel to be established both ends of the connection must have channel-group
mode set to on.

LACP
Switch(config)# interface range gigabitEthernet 0/1 - 2
Moves into interface-range configuration mode.
Switch(config-if-range)# channel-group 1 mode active
Assigns interfaces into EtherChannel group 1. Sets slave interfaces into negotiation initiating
state and forces use of LACP protocol.
Switch(config-if-range)# channel-group 1 mode passive
Assigns interfaces into EtherChannel group 1. Sets slave interfaces into passive negotiation
state and forces use of LACP protocol.

Note: For EtherChannel to be established at least one end of the connection must have
channel-group mode set to active, while the other end must be set to passive or active.

PAgP
Switch(config)# interface range gigabitEthernet 0/1 - 2
Moves into interface-range configuration mode.
Switch(config-if-range)# channel-group 1 mode desirable
Assigns interfaces into EtherChannel group 1. Sets slave interfaces into negotiation initiating
state and forces use of PAgP protocol.
Switch(config-if-range)# channel-group 1 mode auto
Assigns interfaces into EtherChannel group 1. Sets slave interfaces into passive negotiation
state and forces use of PAgP protocol.

Note: For EtherChannel to be established one or both ends of the connection must have
channel-group mode set to desirable, while the other end must be set to desirable or auto.
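The DTP notes in the previous section and the three EtherChannel notes above are all pairwise compatibility rules, so they can be checked before a change window. The following is an added example, not code from the original guide; mode names are the `switchport mode` and `channel-group ... mode` keywords used in this chapter.

```python
"""Trunk (DTP) and EtherChannel negotiation outcome checker.

Added example, not part of the original guide. It encodes the DTP notes
(desirable / auto / trunk / nonegotiate) and the EtherChannel notes
(on, LACP active/passive, PAgP desirable/auto) so a pair of interface
settings can be validated before they are applied to both switches."""


def _side_trunks(local, neighbour):
    """Does the local side end up in trunk mode, given the neighbour's mode?"""
    if local in ("trunk", "trunk nonegotiate"):
        return True                      # statically trunk regardless of peer
    if local == "dynamic desirable":
        # sends DTP and answers it: works with any peer that sends or answers DTP
        return neighbour in ("trunk", "dynamic desirable", "dynamic auto")
    if local == "dynamic auto":
        # only answers DTP: the peer must be the one generating DTP frames
        return neighbour in ("trunk", "dynamic desirable")
    return False                         # 'access' never trunks


def dtp_forms_trunk(a, b):
    """True only if BOTH ends settle in trunk mode.  A static trunk facing
    an access port (or a nonegotiate trunk facing 'dynamic desirable') is
    a mismatch, not a trunk."""
    return _side_trunks(a, b) and _side_trunks(b, a)


# channel-group mode -> (partner modes that complete the bundle, protocol)
_CHANNEL_PARTNERS = {
    "on":        ({"on"}, "static"),
    "active":    ({"active", "passive"}, "LACP"),
    "passive":   ({"active"}, "LACP"),
    "desirable": ({"desirable", "auto"}, "PAgP"),
    "auto":      ({"desirable"}, "PAgP"),
}


def etherchannel_forms(a, b):
    """Return 'static', 'LACP' or 'PAgP' if the bundle comes up with these
    two channel-group modes, else None (passive/passive, auto/auto, on
    against anything else, or LACP mixed with PAgP)."""
    partners, proto = _CHANNEL_PARTNERS[a]
    return proto if b in partners else None


if __name__ == "__main__":
    modes = list(_CHANNEL_PARTNERS)
    for a in modes:
        print(a.ljust(10), [etherchannel_forms(a, b) or "-" for b in modes])
    print("desirable/auto trunk:", dtp_forms_trunk("dynamic desirable", "dynamic auto"))
```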

Show Commands
Switch# show etherchannel summary
Shows all EtherChannels and assigned slave interfaces.
Switch# show interfaces port-channel 1
Shows EtherChannel1 status and counters.
Switch# show running-config interface port-channel 1
Shows configuration of EtherChannel1.
Switch# show etherchannel detail
Shows detailed information of all EtherChannels.

Debugging
Switch# debug etherchannel all
Real-time display of all EtherChannel events.
Switch# debug lacp all
Real-time display of all LACP events.
Switch# debug pagp all
Real-time display of all PAgP events.
Switch# undebug all
Stops all debugging events.

EtherChannel Configuration Sample
Objective
Configure some 2-port EtherChannels as shown in network diagram. Dynamic EtherChannel
negotiations should only be initiated by Distribution switch.

All the switch interfaces shown in diagram operate as IEEE 802.1q encapsulated trunks.

Step 1: Configure LACP EtherChannel

Distribution(config)# interface range gigabitEthernet 0/47 - 48
Moves into interface-range configuration mode.
Distribution(config-if-range)# channel-group 1 mode active
Assigns interfaces gi0/47 and gi0/48 into EtherChannel group 1. Sets slave interfaces into
negotiation initiating state and forces use of LACP protocol.

Access1(config)# interface range gigabitEthernet 0/47 - 48
Moves into interface-range configuration mode.
Access1(config-if-range)# channel-group 1 mode passive
Assigns interfaces gi0/47 and gi0/48 into EtherChannel group 1.
Sets slave interfaces into passive negotiation state and forces use of LACP protocol.

Step 2: Configure PAgP EtherChannel

Distribution(config)# interface range gigabitEthernet 0/45 - 46
Moves into interface-range configuration mode.
Distribution(config-if-range)# channel-group 2 mode desirable
Assigns interfaces gi0/45 and gi0/46 into EtherChannel group 2. Sets slave interfaces into
negotiation initiating state and forces use of PAgP protocol.

Access2(config)# interface range gigabitEthernet 0/47 - 48
Moves into interface-range configuration mode.
Access2(config-if-range)# channel-group 2 mode auto
Assigns interfaces gi0/45 and gi0/46 into EtherChannel group 2.
Sets slave interfaces into passive negotiation state and forces use of PAgP protocol.

Step 3: Configure Static EtherChannel

Distribution(config)# interface range gigabitEthernet 0/43 - 44
Moves into interface-range configuration mode.
Distribution(config-if-range)# channel-group 3 mode on
Assigns interfaces gi0/43 and gi0/44 into EtherChannel group 3. Forces interfaces into
EtherChannel without negotiation.

Access3(config)# interface range gigabitEthernet 0/43 - 44
Moves into interface-range configuration mode.
Access3(config-if-range)# channel-group 3 mode on
Assigns interfaces gi0/43 and gi0/44 into EtherChannel group 3. Forces interfaces into
EtherChannel without negotiation.

Spanning-Tree Protocol (STP)
This chapter teaches you how to configure STP and its optional features.

Enabling and Disabling Spanning-Tree
Most Cisco switches come with STP enabled by default. Default operation mode is
PVST/PVST+ (one instance per VLAN). This means that most likely you don't have to enable
spanning-tree yourself; it's already operational out of the box.

Enabling Spanning-Tree:

Switch(config)# spanning-tree vlan 1
Enables STP on VLAN1.

Disabling Spanning-Tree:

Switch(config)# no spanning-tree vlan 1
Disables STP on VLAN1.
Switch(config)# no spanning-tree vlan all
Disables STP on all VLANs.

Primary Root
Switch(config)# spanning-tree vlan 1 root primary
Alters switch bridge priority for VLAN1, allowing it to become primary root for VLAN1.

Secondary Root
Switch(config)# spanning-tree vlan 1 root secondary
Alters switch bridge priority for VLAN1, allowing it to become secondary root for VLAN1.

Port Priority
I highly recommend that you only configure spanning-tree topology using root primary and
root secondary commands. However, these 2 commands alone don't always guarantee the
results you want.

Configuring port priority is one way of ensuring that a particular interface will be put into
forwarding or blocking state.

Switch(config)# interface gigabitEthernet 0/1
Enters into interface configuration mode.
Switch(config-if)# spanning-tree vlan 1 port-priority 32
Sets port-priority value to 32.

Note: Port-priority can be set in increments of 16 from 0 to 240. Lower number means the
interface is more likely to be put into forwarding state. This parameter must be configured on
an interface that is closer to the root switch.

Portfast
Normal STP convergence time is 50 seconds and the end user traffic is blocked until
designated port reaches the forwarding state.

The STP portfast command can be used to speed up convergence on ports that are
connected to workstations or servers.

Switch(config-if)# spanning-tree portfast
Applies STP portfast configuration on an access port.
Switch(config-if)# spanning-tree portfast trunk
Applies STP portfast configuration on a trunk port.

Uplinkfast
STP Uplinkfast configuration allows the switch to quickly failover to secondary root port if it
detects a failure on the primary root port.

This parameter should only be configured on the uplink ports.

Switch(config-if)# spanning-tree uplinkfast
Applies STP uplinkfast configuration.

Note: With STP uplinkfast configuration the secondary root port moves from blocking state to
forwarding in less than 5 seconds.

BPDU Guard
As an optional security feature BPDU guard can be configured to prevent end user devices
from affecting the STP topology. It should not be applied to ports that are connected to other
switches as it prevents incoming STP frames.

Switch(config)# spanning-tree portfast bpduguard default
Globally enables BPDU guard on all interfaces that have portfast configuration (disabled by
default).
Switch(config)# errdisable recovery cause bpduguard
Allows error-disabled interface to re-enable itself after recovery interval has been reached (300
seconds by default).

Switch# show spanning-tree summary totals
Used to verify if BPDU guard is enabled or disabled.

Spanning-Tree Operation Mode
Switch(config)# spanning-tree mode pvst
Sets STP mode to PVST/PVST+ (creates separate STP instance per each VLAN).

Note: PVST/PVST+ is default spanning-tree operation mode on Cisco switches. PVST+ mode
extends regular PVST so that IEEE 802.1q encapsulation can be utilized. Regular PVST only
worked if trunk links were ISL encapsulated.

Rapid-PVST mode:

Switch(config)# spanning-tree mode rapid-pvst
Sets STP mode to rapid-pvst.

For Rapid-PVST mode to work you need to set interface link-type to either point-to-point or
shared.

Switch(config)# interface gigabitEthernet 0/1
Enters into interface configuration mode.
Switch(config-if)# spanning-tree link-type point-to-point
Sets STP link-type to point-to-point.

Or

Switch(config-if)# spanning-tree link-type shared
Sets STP link-type to shared.


Show Commands
Switch# show spanning-tree
Shows general STP information.
Switch# show spanning-tree brief
Shows brief overview of STP.
Switch# show spanning-tree vlan 10
Shows STP information on VLAN10 instance.
Switch# show spanning-tree detail
Shows detailed STP information.

Debugging
Switch# debug spanning-tree all
Real-time display of all STP events.
Switch# debug spanning-tree switch state
Real-time display of STP interface state changes.
Switch# debug spanning-tree uplinkfast
Real-time display of STP UplinkFast events.
Switch# undebug all
Stops all debugging events.

Spanning-Tree Configuration Sample
Objective
Configure spanning-tree protocol as in network diagram. See detailed description below.

Data Core switch:
a) Primary root for VLAN5.
b) Secondary root for VLAN10.
c) Gi0/46 - 48: Dot1q trunk ports connected to other switches.

Voice Core switch:
a) Primary root for VLAN10.
b) Secondary root for VLAN5.
c) Gi0/46 - 48: Dot1q trunk ports connected to other switches.

Floor1 Access switch:
a) Gi0/11 - 20: Access ports connected to user PCs.
b) Gi0/21 - 30: Access ports connected to user IP phones.
c) Gi0/47: Forwards VLAN10 frames; blocks VLAN5 frames. Is standby as a failover link for
VLAN5. Dot1q trunk port connected to other switch.
d) Gi0/48: Forwards VLAN5 frames; blocks VLAN10 frames. Is standby as a failover link for
VLAN10. Dot1q trunk port connected to other switch.

Floor2 Access switch:
a) Gi0/11 - 20: Access ports connected to user PCs.
b) Gi0/21 - 30: Access ports connected to user IP phones.
c) Gi0/47: Forwards VLAN5 frames; blocks VLAN10 frames. Is standby as a failover link for
VLAN10. Dot1q trunk port connected to other switch.
d) Gi0/48: Forwards VLAN10 frames; blocks VLAN5 frames. Is standby as a failover link for
VLAN5. Dot1q trunk port connected to other switch.


Step 1: Configure Data Core switch

#Create VLANs

Data Core(config)# vlan 5
Creates VLAN5 and moves to VLAN configuration mode.
Data Core(config-vlan)# name PC Data
Sets a VLAN name.
Data Core(config-vlan)# vlan 10
Creates VLAN10 and moves to VLAN configuration mode.
Data Core(config-vlan)# name Voice
Sets a VLAN name.
Data Core(config-vlan)# exit
Moves back to global configuration mode.

# Adjust switch bridge priority

Data Core(config)# spanning-tree vlan 5 root primary
Adjusts switch bridge priority for VLAN5, allowing it to become the primary root for VLAN5.
Data Core(config)# spanning-tree vlan 10 root secondary
Adjusts switch bridge priority for VLAN10, allowing it to become the secondary root for
VLAN10.

#Configure trunk interfaces

Data Core(config)# interface range gigabitEthernet 0/46 - 48
Moves to interface-range configuration mode.
Data Core(config-if-range)# switchport trunk encapsulation dot1q
Sets trunk encapsulation method to dot1q.
Data Core(config-if-range)# switchport mode trunk
Forces interfaces into trunk mode.
Data Core(config-if-range)# exit
Moves back to global configuration mode.

Step 2: Configure Voice Core switch

#Create VLANs

Voice Core(config)# vlan 5
Creates VLAN5 and moves to VLAN configuration mode.
Voice Core(config-vlan)# name PC Data
Sets a VLAN name.
Voice Core(config-vlan)# vlan 10
Creates VLAN10 and moves to VLAN configuration mode.
Voice Core(config-vlan)# name Voice
Sets a VLAN name.
Voice Core(config-vlan)# exit
Moves back to global configuration mode.

# Adjust switch bridge priority

Voice Core(config)# spanning-tree vlan 10 root primary
Alters switch bridge priority for VLAN10, allowing it to become the primary root for VLAN10.
Voice Core(config)# spanning-tree vlan 5 root secondary
Alters switch bridge priority for VLAN5, allowing it to become secondary root for VLAN5.

#Configure trunk interfaces

Voice Core(config)# interface range gigabitEthernet 0/46 - 48
Moves to interface-range configuration mode.
Voice Core(config-if-range)# switchport trunk encapsulation dot1q
Sets trunk encapsulation method to dot1q.
Voice Core(config-if-range)# switchport mode trunk
Forces interfaces into trunk mode.
Voice Core(config-if-range)# exit
Moves back to global configuration mode.

Step 3: Configure Floor1/Floor2 Access switch

#Create VLANs

Access Switch(config)# vlan 5
Creates VLAN5 and moves to VLAN configuration mode.
Access Switch(config-vlan)# name PC Data
Sets a VLAN name.
Access Switch(config-vlan)# vlan 10
Creates VLAN10 and moves to VLAN configuration mode.
Access Switch(config-vlan)# name Voice
Sets a VLAN name.
Access Switch(config-vlan)# exit
Moves back to global configuration mode.

#Configure trunk interfaces

Access Switch(config)# interface range gigabitEthernet 0/47 - 48
Moves to interface-range configuration mode.
Access Switch(config-if-range)# switchport trunk encapsulation dot1q
Sets trunk encapsulation method to dot1q.
Access Switch(config-if-range)# switchport mode trunk
Forces interfaces into trunk mode.
Access Switch(config-if-range)# spanning-tree uplinkfast
Applies STP uplinkfast configuration.
Access Switch(config-if-range)# exit
Moves back to global configuration mode.

#Configure access interfaces

Access Switch(config)# interface range gigabitEthernet 0/11 - 20
Moves to interface-range configuration mode.
Access Switch(config-if-range)# switchport mode access
Forces interfaces into access mode.
Access Switch(config-if-range)# switchport access vlan 5
Assigns interfaces to VLAN5 broadcast domain.
Access Switch(config-if-range)# spanning-tree portfast
Applies STP portfast configuration.
Access Switch(config-if-range)# exit
Moves back to global configuration mode.
Access Switch(config)# interface range gigabitEthernet 0/21 - 30
Moves to interface-range configuration mode.
Access Switch(config-if-range)# switchport mode access
Forces interfaces into access mode.
Access Switch(config-if-range)# switchport access vlan 10
Assigns interfaces to VLAN10 broadcast domain.
Access Switch(config-if-range)# spanning-tree portfast
Applies STP portfast configuration.
Access Switch(config-if-range)# exit
Moves back to global configuration mode.
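To see why the root primary / root secondary commands in Steps 1 and 2 give the per-VLAN topology the objective asks for, here is the PVST+ root election worked through for the four switches above. This is an added example, not code from the guide; it assumes (not stated on the page) that `root primary` yields bridge priority 24576 and `root secondary` 28672 when no other switch advertises anything lower, that untouched switches keep the default 32768, and that the bridge ID compared is (priority + VLAN id, MAC), lowest wins. The MAC addresses are constructed.

```python
"""Per-VLAN STP root election for the spanning-tree configuration sample.

Added example, not part of the original guide.  Assumed (not on the page):
'root primary' -> priority 24576, 'root secondary' -> 28672, default 32768;
PVST+ bridge ID = (priority + VLAN id as extended system ID, MAC), lowest
wins.  MAC addresses are constructed for the example."""

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY = 24576      # result of 'spanning-tree vlan N root primary'
ROOT_SECONDARY = 28672    # result of 'spanning-tree vlan N root secondary'

# switch name -> (MAC, {vlan: "primary" | "secondary"}), mirroring Steps 1-3
SWITCHES = {
    "Data Core":  ("0000.1111.000a", {5: "primary", 10: "secondary"}),
    "Voice Core": ("0000.1111.000b", {10: "primary", 5: "secondary"}),
    "Floor1":     ("0000.1111.0003", {}),
    "Floor2":     ("0000.1111.0002", {}),   # lowest MAC, but default priority
}


def priority_for(root_cmds, vlan):
    """Bridge priority a switch uses on one VLAN's STP instance."""
    role = root_cmds.get(vlan)
    if role == "primary":
        return ROOT_PRIMARY
    if role == "secondary":
        return ROOT_SECONDARY
    return DEFAULT_PRIORITY


def bridge_id(mac, root_cmds, vlan):
    """PVST+ bridge ID as a comparable tuple: priority plus the VLAN id
    (extended system ID), then the MAC as tie-breaker."""
    return (priority_for(root_cmds, vlan) + vlan, int(mac.replace(".", ""), 16))


def elect_root(switches, vlan, failed=()):
    """Name of the switch winning the root election on `vlan`, ignoring
    any switch listed in `failed` (simulates losing a core switch)."""
    candidates = {name: bridge_id(mac, cmds, vlan)
                  for name, (mac, cmds) in switches.items() if name not in failed}
    return min(candidates, key=candidates.get)


if __name__ == "__main__":
    for vlan in (5, 10):
        root = elect_root(SWITCHES, vlan)
        backup = elect_root(SWITCHES, vlan, failed={root})
        print(f"VLAN{vlan}: root={root}, root if {root} fails={backup}")
```

The last assertion below shows why the default priority matters: with both cores gone, Floor2 wins on MAC alone, which is exactly the uncontrolled outcome the root primary / secondary commands are there to prevent.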


Inter VLAN Routing
This chapter teaches you how to make cross-VLAN communication possible.

Configuring Router Subinterfaces
# Enable the physical interface:

Router(config)# interface gigabitEthernet 0/0
Moves to interface configuration mode.
Router(config-if)#no shutdown
Enables the interface.
Router(config-if)#exit
Moves back to global configuration mode.

# Create 1 subinterface per-VLAN:

Router(config)# interface gigabitEthernet 0/0.1
Creates subinterface (.1) on gigabitEthernet 0/0 and moves to subinterface configuration mode.
Router(config-subif)# ip address 192.168.1.1 255.255.255.0
Assigns IPv4 address and network mask.
Router(config-subif)# encapsulation dot1q 1
Assigns VLAN1 to subinterface. Sets VLAN encapsulation method to dot1q.
Router(config-subif)# exit
Moves back to global configuration mode.

Router(config)# interface gigabitEthernet 0/0.2
Creates another subinterface (.2) on gigabitEthernet 0/0 and moves to subinterface
configuration mode.
Router(config-subif)# ip address 192.168.2.1 255.255.255.0
Assigns IPv4 address and network mask.
Router(config-subif)# encapsulation dot1q 2
Assigns VLAN2 to subinterface. Sets VLAN encapsulation method to dot1q.

Configuring a Switch Uplink Interface
A switch interface connected to a router must be configured as IEEE 802.1q encapsulated
trunk.

Switch(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Switch(config-if)# switchport trunk encapsulation dot1q
Sets trunk encapsulation method to dot1q.
Switch(config-if)# switchport mode trunk
Forces interface into trunk mode.

Inter VLAN Routing Configuration Sample
Objective
Configure VLANs and switch interfaces as in network diagram. Configure inter
VLAN routing using a router to make communication between 192.168.6.0/24 and
192.168.7.0/24 networks possible.

Step 1: Configure Gateway Router
#Enable the physical interface

Gateway Router(config)# interface gigabitEthernet 0/0
Enters into interface configuration mode.
Gateway Router(config-if)# no shutdown
Enables interface.
Gateway Router(config-if)# exit
Moves back to global configuration mode.

#Configure virtual subinterfaces

Gateway Router(config)# interface gigabitEthernet 0/0.6
Creates subinterface .6 on gigabitEthernet 0/0 and moves to subinterface configuration mode.
Gateway Router(config-subif)# ip address 192.168.6.1 255.255.255.0
Sets IPv4 address and network mask.
Gateway Router(config-subif)# encapsulation dot1q 6
Assigns VLAN6 to subinterface. Sets VLAN encapsulation method to dot1q.
Gateway Router(config-subif)# exit
Moves back to global configuration mode.
Gateway Router(config)# interface gigabitEthernet 0/0.7
Creates subinterface .7 on gigabitEthernet 0/0 and moves to subinterface configuration mode.
Gateway Router(config-subif)# ip address 192.168.7.1 255.255.255.0
Sets IPv4 address and network mask.
Gateway Router(config-subif)# encapsulation dot1q 7
Assigns VLAN 7 to subinterface. Sets VLAN encapsulation method to dot1q.
Gateway Router(config-subif)# exit
Moves back to global configuration mode.
Gateway Router(config)# interface gigabitEthernet 0/0.50
Creates subinterface .50 on gigabitEthernet 0/0 and moves to subinterface configuration mode.
Gateway Router(config-subif)# ip address 192.168.50.1 255.255.255.0
Sets IPv4 address and network mask.
Gateway Router(config-subif)# encapsulation dot1q 50
Assigns VLAN 50 to subinterface. Sets VLAN encapsulation method to dot1q.

Step 2: Configure Access Switch

#Create VLANs

Access Switch(config)# vlan 6
Creates VLAN6 and moves to VLAN configuration mode.
Access Switch(config-vlan)# name Webserver Network
Sets a VLAN name.
Access Switch(config-vlan)# exit
Moves back to global configuration mode.
Access Switch(config)# vlan 7
Creates VLAN7 and moves to VLAN configuration mode.
Access Switch(config-vlan)# name Database Network
Sets a VLAN name.
Access Switch(config-vlan)# exit
Moves back to global configuration mode.
Access Switch(config)# vlan 50
Creates VLAN50 and moves to VLAN configuration mode.
Access Switch(config-vlan)# name Management Network
Sets a VLAN name.
Access Switch(config-vlan)# exit
Moves back to global configuration mode.

#Assign a management IP address and default gateway

Access Switch(config)# interface vlan 50
Creates virtual VLAN interface 50 and moves to VLAN interface configuration mode.
Access Switch(config-if)# description Management interface
Sets optional interface description.
Access Switch(config-if)# ip address 192.168.50.6 255.255.255.0
Sets IPv4 address and network mask.
Access Switch(config-if)# exit
Moves back to global configuration mode.
Access Switch(config)# ip default-gateway 192.168.50.1
Assigns IP default-gateway.

#Configure the trunk interface

Access Switch(config)# interface gigabitEthernet 0/48
Moves to interface configuration mode.
Access Switch(config-if)# switchport trunk encapsulation dot1q
Sets trunk encapsulation method to dot1q.
Access Switch(config-if)# switchport mode trunk
Forces interface into trunk mode.
Access Switch(config-if)# exit
Moves back to global configuration mode.

#Configure access interfaces

Access Switch(config)# interface gigabitEthernet 0/1
Moves to interface configuration mode.
Access Switch(config-if)# switchport mode access
Forces interface into access mode.
Access Switch(config-if)# switchport access vlan 6
Assigns interface to VLAN6 broadcast domain.
Access Switch(config-if)# spanning-tree portfast
Applies STP portfast configuration for fast recovery.
Access Switch(config-if)# exit
Moves back to global configuration mode.
Access Switch(config)# interface gigabitEthernet 0/2
Moves to interface configuration mode.
Access Switch(config-if)# switchport mode access
Forces interface into access mode.
Access Switch(config-if)# switchport access vlan 7
Assigns interface to VLAN7 broadcast domain.
Access Switch(config-if)# spanning-tree portfast
Applies STP portfast configuration for fast recovery.
Access Switch(config-if)# exit
Moves back to global configuration mode.

With Best Wishes, And Many Thanks
References

If you don't have real Cisco equipment to practice on, I recommend that you start with network
simulation software, such as GNS3 or Packet Tracer.

Network simulation software GNS3, Cisco IOS emulator Dynamips
www.gns3.net
Cisco networking academy, Packet Tracer software
www.netacad.net

--

Contact

Want to ask something or give feedback? Please send me an Email.

ConfGuide@gmail.com

Wish you all the best!
Hannes Rapp
