The routers
The routers used in our CCNA TechLabs are 2501 routers, displayed in the picture above.
The upper router in the picture shows the back, where you'll find the connectors and, also
important, the power switch. The 2501 router is equipped with the following interfaces:
• AUI - This is a traditional Ethernet LAN port.
• Serial 0 and Serial 1 - These are synchronous serial WAN ports.
• Console - This is the management console port.
• AUX - A modem can be connected to this port to allow 'out-of-band'
management.
Serial Connection
The picture on the left shows a V.35 DTE cable with a male DB60 connector and a
male standard 34-pin Winchester-type connector. The right picture shows a V.35
DCE serial cable with a male DB60 connector and a female 34-pin Winchester-type
connector. As you probably guessed already, the male connector of the DTE cable is
attached to the DCE cable's female connector, as depicted in the picture below.
This is known as a back-to-back connection, and 'simulates' a WAN link. In a real
world setup, the DTE cable's male connector typically connects to a port on a
CSU/DSU provided by a service provider (i.e. telco), which in turn connects to a
CSU/DSU at another location, through a T1 link for example. The DB60 connector
connects to a Serial interface on a router.
These two small devices are Ethernet Transceivers and are used as an adapter
between the AUI interface on the router and a twisted pair cable that leads to the
NIC on your PC, a port on a switch, hub, or other router. This is essentially your LAN.
Console cable
This is a UTP roll-over cable with an RJ-45 connector that connects to the Console
port of the router. The other end of the cable typically connects to a small adapter
with a DB-9 female connector that allows you to connect it to a COM port on a PC. A
router that is installed and configured with IP addressing is typically managed using
TELNET. The initial configuration is performed through the management console. Besides
the initial setup, the console connection must also be used if you need to perform
password recovery on a router.
The end results
When everything is connected properly, and the power is turned on, it should look
like the picture above. Click here for a huge version of this picture.
LAN TECHNOLOGIES
ETHERNET
Ethernet was developed by DIX (Digital, Intel and Xerox) in the 1970s. In 1980 the
IEEE 802.3 standard was released. Two years later version 2 was introduced, which
is the basis for today's Ethernet networks. The access method (how the wire is
accessed) is Carrier Sense Multiple Access/Collision Detection (CSMA/CD). In a
CSMA/CD network stations listen to check if the network is busy; if the network is
free the station transmits data. When two stations listen and both determine that the
network is available, they start sending data simultaneously and a collision
occurs. When the collision is detected both stations retransmit the data after a
random wait time determined by a backoff algorithm. In today's large, fast-growing,
bandwidth-hungry network environments this soon becomes a problem: stations
have to wait more often before they can transmit data and more collisions
occur. The solution is to separate the network into multiple collision domains.
Which devices can be used for this purpose is explained using a network
diagram for each of the relevant network components below.
An Ethernet network is a broadcast system, which means that when a station transmits
data every other station receives the data. Each frame carries a destination address in the
frame header; only the station with that address picks up the frame and passes it on
to the upper-layer protocols to be processed.
BROADCAST DOMAIN
All devices in this domain will receive broadcast frames originating from any other
device within the domain. Broadcast domains are typically bounded by routers
because routers do not forward broadcast frames. Broadcast frames are frames
explicitly directed to all nodes on the LAN; as networks grow this becomes a
problem as well.
REPEATERS
A repeater is a simple device that is used to expand LANs over larger distances by
connecting segments. Repeaters do not control broadcast or collision domains; they are
not aware of upper-layer protocols and frame formats, they merely
regenerate/amplify the signal. Repeaters operate at the Physical layer of the OSI
model. An important rule when using repeaters to expand a network is the 5-4-3
rule, which defines that the maximum distance between two hosts on the same
network can be 5 segments, 4 repeaters, and only 3 of the segments can be
populated, as illustrated in the following logical network diagram:
HUBS/CONCENTRATORS
Hubs, also known as concentrators or multiport repeaters, are used in star or
Hubs operate on the Physical layer of the OSI model and they are protocol
transparent, which means they are not aware of upper-layer protocols such as
IP and IPX, nor of MAC addressing. Hence they do not control broadcast or collision
domains, but they extend them as illustrated below:
BRIDGES
Bridges are more intelligent than hubs; they operate on the Data Link layer of the
OSI model.
They are used to increase network performance by segmenting networks in separate
collision domains. Bridges are also protocol transparent, they are not aware of the
upper-layer protocols. They keep a table with MAC addresses of all nodes, and on
which segment they are located.
A bridge takes an incoming frame, reads its destination MAC address and consults
the database to decide what should be done with the frame; if the location of the
destination MAC address is listed in the database, the frame is forwarded to the
corresponding port. If the destination port is the same as the port where the frame
arrived it will be discarded. If the location is not known the frame will be flooded
through all outgoing ports/segments.
As illustrated below, bridges control collision domains, but they do not control broadcast
domains:
SWITCHES
To improve network performance even more, switches were developed. Switches are
very similar to bridges: they also keep a table with MAC addresses per port to make
switching decisions, operate on the same layer of the OSI model and are protocol transparent.
Some of the main differences are:
- a switch has more ports than a bridge
- bridges switch in software whereas switches switch in hardware (integrated
circuits)
- switches offer more variety in speed; an individual port can be assigned 10 Mb/s
or 100 Mb/s or even more.
As illustrated below, switches control collision domains, they do not control broadcast
domains*:
* Switches do not control broadcast domains unless Virtual Local Area Networks (VLANs) are
being used, and most modern switches do support VLANs. The following diagram
represents a router configured with two VLANs. Like in the previous diagram each
port forms a collision domain, but as you can see in this diagram the network is
separated into two broadcast domains using VLANs. If the network protocol used in
this network were TCP/IP, each VLAN would have its own (sub-)network
address; for example VLAN 1 could be Class C 192.168.110.x and VLAN 2
192.168.220.x.
Switches are able to use software to create Virtual LANs; a logical grouping of
network devices where the members can be on different physical segments. A VLAN
can be based on Port IDs, MAC addresses, protocols or applications. For example, in
the network diagram above ports 1 to 12 on the switch could be assigned to VLAN 1
and ports 13 to 24 to VLAN 2, resulting in two different broadcast domains, or stations
1, 2 and 3 could be using IPX/SPX while stations 4, 5 and 6 could be using TCP/IP.
An example of a large network with VLANs could be an office building with a switch
on each of the three floors and a main switch connecting them all together. An
administrator would be able to keep a list of MAC addresses and assign stations from
different floors to a single VLAN and for example create a VLAN (broadcast domain)
for each department in the company. Switches share their MAC address table
information with other switches so the path to a destination can be found quickly.
ROUTERS
GATEWAYS
NICs
Half duplex
Half-duplex means that only one host can communicate at a given time, two hosts
communicating with each other will take turns transmitting. This is the default on
non-switched LANs.
Full-duplex
In full-duplex communication both hosts can transmit at the same time, theoretically
allowing twice as much data to be transmitted over the same connection.
In order for full-duplex to work, some requirements must be met:
- The NICs, hubs etc. must support it,
- Collision Detection and Loopback functions must be disabled.
In reality the connections able to run at full-duplex are cross-cable connections and
connections to a port on a switch, where collisions cannot occur because each end has
its own wire pair (segment).
LAN Technologies
Determine the appropriate uses for full- and half-duplex Ethernet operation
Describe the causes and effects of network congestion in Ethernet networks
Describe the benefits of network segmentation with various networking devices
Identify the cause(s) of LAN connectivity problem
Describe the function, operation, and primary components on a LAN
OSI MODELS
7-layer OSI MODEL
The diagram below shows the 7 layers of the OSI Model, to remember them in the
correct order a common mnemonic is often used: All People Seem To Need Data
Processing.
The Application, Presentation and Session layers are known as the Upper Layers and
are implemented in software. The Transport and Network layers are mainly concerned
with protocols for delivery and routing of packets to a destination and are
implemented in software as well. The Data Link is implemented in hard- and
software and the Physical layer is implemented in hardware only, hence its name.
These last two layers define LAN and WAN specifications.
A more detailed description of each layer follows below, but here's what basically
happens when data passes from Host A to Host B:
1. the Application, Presentation and Session layers take user input and convert it into
data,
2. the Transport layer adds a segment header, converting the data into segments,
3. the Network layer adds a network header and converts the segments into
packets,
4. the Data Link layer adds a frame header, converting the packets into frames,
5. the MAC sublayer converts the frames into bits which the Physical layer
can put on the wire.
These steps are known as the 5 steps of data encapsulation. When the bit stream
arrives at the destination, the Physical layer takes it off the wire and converts it into
frames; each layer removes its corresponding header while the data flows up
the OSI model until it is converted back to data and presented to the user. This is
known as decapsulation.
APPLICATION
The Application layer provides network services directly to the user's application such
as a web browser, email software and Windows Explorer. This layer is said to be
"closest to the user".
Protocols that operate on this layer include: TELNET, HTTP, FTP, TFTP, SMTP, NTP,
SNMP, EDI.
PRESENTATION
This layer 'represents' the data in a particular format to the Application layer. It
defines encryption, compression, conversion and other coding functions.
Specifications defined at this layer include: GIF, TIFF, JPEG, MPEG, MIME, and ASCII.
SESSION
Establishes, maintains and terminates end-to-end connections (sessions) between
two applications on two network nodes. It controls the dialogue between the source
and destination node, which node can send when and how long. Also provides error
reporting for the Application, Presentation and Session layer.
Protocols/APIs that operate on this layer include: RPC, SQL, NETBIOS.
TRANSPORT
This layer converts the data received from the upper layers into segments. The
Transport layer is responsible for end-to-end (also called source-to-destination)
delivery of entire messages. Provides end-to-end connectivity, it allows data to be
transferred reliably and sequencing to guarantee that it will be delivered in the same
order that it was sent. Provides services such as error checking and flow control
(software). Protocols that operate on this layer: TCP, UDP, NETBEUI, SPX.
These protocols are either connectionless or connection-oriented:
NETWORK
This layer converts the segments from the Transport layer into packets (or
datagrams) and is responsible for path determination, routing, and the delivery of
these individual packets across multiple networks without guaranteed delivery. The
network layer treats these packets independently, without recognizing any
relationship between those packets, it relies on upper layers for reliable delivery and
sequencing.
This layer is also responsible for logical addressing (also known as network
addressing or Layer 3 addressing), for example IP addresses.
Examples of protocols defined at this layer: IP, IPX, AppleTalk, ICMP, RIP, OSPF,
BGP, IGRP, EIGRP, NLSP, ARP, RARP, X.25
Devices that operate on this layer: Routers, Layer 3 Switches.
DATA LINK
The Data Link layer provides transparent network services to the Network layer, so the
Network layer can be ignorant of the physical network topology, and provides
access to the physical networking media. It is responsible for reassembling bits taken off
the wire by the Physical layer into frames, makes sure they are in the correct order
and requests retransmission of frames in case an error occurs. It provides error
checking by adding a CRC to the frame, and flow control. Examples of devices that
operate on this layer are switches, bridges, WAPs, and NICs.
Around the same time the OSI model was developed, the IEEE developed the 802
standards such as 802.5 Token Ring and 802.11 for wireless networks. Both
organizations exchanged information during the development, which resulted in two
compatible standards. The IEEE 802 standards define physical network components
such as cabling and network interfaces, and correspond to the Data Link and/or
Physical layer of the OSI model. The IEEE refined the standards and divided the Data
Link layer into two sublayers: the LLC and the MAC sublayer.
- LLC sublayer
LLC is short for Logical Link Control. The Logical Link Control is the upper sublayer of
the Data Link layer. LLC masks the underlying network technology by hiding their
differences hence providing a single interface to the network layer. The LLC sublayer
uses Source Service Access Points (SSAPs) and Destination Service Access Points
(DSAPs) to help the lower layers communicate to the Network layer protocols acting
as an intermediate between the different network protocols (IPX, TCP/IP, etc.) and
the different network types (Ethernet, Token Ring, etc.). This layer is also responsible
for frame sequencing and acknowledgements.
The LLC sublayer is defined in the IEEE standard 802.2.
- MAC sublayer
The Media Access Control layer takes care of physical addressing and allows upper
layers access to the physical media, handles frame addressing, error checking. This
layer controls and communicates directly with the physical network media through
the network interface card. It converts the frames into bits to pass them on to the
Physical layer, which puts them on the wire (and vice versa).
IEEE LAN standards such as 802.3, 802.4, 802.5 and 802.10 define standards for the
MAC sublayer as well as the Physical layer.
PHYSICAL
This layer communicates directly with the physical media, it is responsible for
activating, maintaining and deactivating the physical link. It handles a raw bit
stream and places it on the wire to be picked up by the Physical layer at the
receiving node. It defines electrical and optical signaling, voltage levels, data
transmission rates and distances as well as mechanical specifications such as cable
lengths and connectors, the amount of pins and their function.
Devices that operate on this layer: HUBs/concentrators, repeaters, NICs, and LAN
and WAN interfaces such as RS-232, OC-3, BRI, V.24, V.35, X.25 and Frame Relay.
TCP/IP operation is defined in its own model: the DoD model. DoD is short for
Department of Defense, which designed TCP/IP for ARPANET. Although they are
similar, in contrast to the 7-layer OSI model the DoD model has 4 layers. Each DoD
layer and its functions correspond to 1 or more OSI layers and their functions,
as represented in the image below:
For the CCNA exam you don't need to know the DoD model in detail, but if you know
the OSI model and the related DoD layers you can easily identify the layer at which a
certain protocol or standard is specified, for example:
Process/Application: Telnet, FTP, SMTP, HTTP, SNMP, etc.
Host To Host: TCP, UDP
Internet: IP, ICMP, ARP, RARP, BootP, etc.
Network Access: Ethernet, Fast Ethernet, Token Ring, FDDI, etc.
ISDN
Integrated Services Digital Network, a circuit-switching network used for voice, data
and video transfer over existing copper telephone lines. ISDN is a bit similar to the
normal telephone system but it is faster and needs less time to setup a call. ISDN
runs on the bottom three layers of the OSI reference model.
There are several types of ISDN channels, the two main ones being the 64 Kilobits per
second B-channel for data, and the D-channel for control information. Two B-
channels + one D-channel make up ISDN BRI (Basic-Rate Interface). Some Remote
Access servers support a feature called multilink, allowing both B-channels to be
combined in a single virtual link of 128 Kbps. In SOHO networks often 1 B-channel is
used for data (an internet connection for example) and 1 B-channel is used for voice
(connected to a digital telephone for example). The US and Japanese version of ISDN
PRI (Primary-Rate Interface) is made up of 23 B-channels (total rate of 1.472 Mbps)
and 1 D-channel. The European and Australian version supports 30 B-channels (total
rate of 1.984 Mbps) and 1 D-channel.
A common implementation of these two types of ISDN is a remote access solution
with ISDN PRI at the corporate network supporting 23 dial-in connections for
employees with ISDN BRI at home. Also an ISDN BRI connection is often
implemented as a backup line between routers in WANs such as in a Frame Relay
network as shown in the following image:
Besides this dial-up ISDN configuration for backup and other Dial on Demand
Routing (DDR) configurations, another service offered is the ISDN BRI leased-line
connection. The difference is that a leased line always uses both data channels for the
connection to the ISDN service provider, and ISDN BRI leased lines are always active.
The ISDN function groups represent the devices in an ISDN environment such as
terminals, terminal adapters, network-termination devices and line-termination
equipment. The following table lists these devices:
The following image shows the various function groups and reference points.
The following image illustrates some real-life situations. As you can see the NT2 is left
out; most NT1 adapters today have a U interface on one side and an S/T interface on the other,
so you simply plug your TE1 or TA into the NT1 and you're good to go.
The following image shows two types of routers. The upper one is usually used in North
America where the demarcation point between the customer premises and the
carrier's network is the U reference point, this router is actually a TE1 with a built-in
NT1 and is also known as a 'U router'. The other router is used in most other parts of
the world where the NT1 is provided by the telco, this router is actually a TE2 with a
built-in TA and is also known as a 'S/T router'.
ISDN specifies four reference points that define the logical interfaces/connections
between function groups (also represented in the image below):
R defines the reference point between non-ISDN equipment (TE2) and a TA.
S defines the reference point between and an NT2.
T defines the reference point between NT1 and NT2 devices.
U defines the reference point between NT1 devices and line-termination equipment
in a carrier network. Relevant in North America where the NT1 function isn’t provided
by the carrier network.
ISDN protocols
ISDN protocols are defined in ITU protocols that operate on the Physical, Data Link
and Network layers of the OSI model. There are several series of protocols dealing
with different issues:
E series defines the use of ISDN on the existing telephone network.
I series deals with concepts, aspects, and services.
Q series covers switching and signaling. The LAPD protocol is formally specified in
ITU-T Q.920 and ITU-T Q.921. LAPD is the signaling protocol used on the D-channel
in ISDN BRI and PRI.
Configuring ISDN may seem to be complex but is rather simple in basic situations.
The diagram below shows a typical setup connecting two remote offices using an
ISDN dial-up configuration.
First the ISDN switch type must be configured and should match the carrier's
equipment. You can use the isdn switch-type command in both global config mode
(required) and interface configuration mode (optional if different per interface). For
example:
Router(config)#isdn switch-type basic-dms100
The correct switch type should be supplied by the carrier. Click here for a table at
Cisco.com listing the ISDN BRI service provider switch types. If you change the
switch-type, you must reload the router for the new switch type to take effect.
Although ISDN supports several upper-layer protocols such as IP, IPX and Appletalk,
typically IP is used and this is also the one relevant to the CCNA exam. Configuring
an IP address on an ISDN BRI interface is done in the same way as configuring an IP
address for any other interface such as Ethernet or Serial:
Router(config)#interface bri 0 (to enter interface config mode)
Router(config-if)#ip address 172.16.22.115 255.255.255.0
Some service providers require the use of SPIDs for your ISDN device to be able to
place or receive calls. A SPID is usually the telephone number of the channel with
some optional numbers which can be used to identify the service(s) the customer is
subscribed to. The SPID numbering scheme depends on the service provider and the
switch-type. For example, the DMS-100 switch type requires a SPID for each B
channel.
Router(config-if)#isdn spid1 5055551234 0111 (B1 channel)
Router(config-if)#isdn spid2 5055551235 0111 (B2 channel)
The default encapsulation type for each B-channel is HDLC, however PPP
encapsulation is recommended over HDLC in order to allow the use of CHAP
authentication. The encapsulation type can be configured using the following
command in interface configuration mode:
Router(config-if)#encapsulation ppp
Now configure the part that maps the link to the network layer using the
dialer map command. It defines the remote host the calls are going to, specifies
whether broadcast messages will be sent, and gives the dialing string to use to set up the
call. Here's the syntax of the command:
Router(config-if)#dialer map protocol next-hop-address name remote-name speed 56|64 dial-string
We'll break down the command using example options:
Router(config-if)#dialer map ip 172.16.22.114 name RouterB speed 64 broadcast 55588613213
- The IP address of the remote router's BRI interface used in this command is the
next hop. In the global configuration you will have to define a static route to the
remote network pointing to the next hop address used in the dialer map command.
The use of static routes is very important, since you don't want to use dynamic
routing protocols for this type of connection because the routing updates will keep
the link up.
- The remote name in name remote-name is the hostname of the other router.
- speed defaults to 64 (in kilobits) but you may need to set it to 56 in some
situations.
- The broadcast option specifies whether broadcast packets such as routing updates
are sent.
- The dial-string is the telephone number that should be dialed when making an
outgoing connection. You can leave out this number to configure the interface to only
accept incoming connections.
The following commands define "interesting" traffic that will cause the router to
place a call and make the connection. For example, if you want the router to dial for all
IP traffic you need to configure a dialer-list and bind it to the BRI interface:
Router(config)#dialer-list 1 protocol ip permit
Router(config)#int bri0
Router(config-if)#dialer-group 1
You can also use regular or extended access lists to permit all traffic except
HTTP/HTTPS for example. Instead of using the options in the dialer-list command
above you would specify the access list:
Router(config)#dialer-list 1 protocol ip list 101
The following command makes the router disconnect calls that haven't had any
interesting traffic for the configured time:
Router(config-if)#dialer idle-timeout seconds
To add some level of security and to identify the router when it dials out, you should
use the Challenge Handshake Authentication Protocol (CHAP). The hostname of the
router is used to identify the router to another router when sending messages.
Router(config-if)#ppp authentication chap
PPP Multilink
Multilink is a feature that enables the use of both B-channels combined for one call.
To turn on multilink use the following command:
Router(config-if)#ppp multilink
Use the following command to specify when the second B-channel should kick-in
(bandwidth on demand). When the total load for this connection reaches this
threshold, it brings up the other B channel. This value represents a utilization
percentage; it is a number between 1 and 255, where 255 is 100 percent.
Router(config-if)#dialer load-threshold 60
Here are some commonly used show commands used to monitor and troubleshoot
ISDN:
Router(config)#debug q921
Checks Layer 2 (data link layer).
The following three commands offer more advanced methods to check Layer 3
(network layer) operation:
ACCESS LISTS
Access lists allow Cisco routers to function as a packet filter and are supported for
several protocols. The most common of these protocols are listed in the following
table:
Protocol             Range
IP standard          1 to 99 (and 1300 to 1999 in IOS 12.0 and higher)
IP extended          100 to 199 (and 2000 to 2699 in IOS 12.0 and higher)
Ethernet type code   200 to 299
DECnet               300 to 399
XNS                  400 to 499
Extended XNS         500 to 599
AppleTalk            600 to 699
Ethernet address     700 to 799
IPX standard         800 to 899
IPX extended         900 to 999
IPX SAP              1000 to 1099
Access lists are lists of rules that either permit or deny certain inbound or outbound
traffic from and to particular hosts or networks. The access list and its rules are
applied to one or more interfaces on the router. When the router routes traffic
through these interfaces, the rules in the list are processed sequentially, looking for a
matching rule permitting the traffic to pass. When there is no matching rule
permitting the traffic to pass, it is denied by default because of the implicit deny any
at the end of every access list. For example, if you deny telnet traffic to host 172.16.22.139
using the rule access-list 110 deny TCP any host 172.16.22.139 eq TELNET and this
is the only rule in the access list, you effectively deny all IP traffic from
entering or leaving the router's interface.
The implicit deny all, for many, is a confusing part of access lists and often forgotten
in practice while in fact it is very logical. If you want to protect a network using a
packet filter, you would typically start out with denying all traffic, and from there
permit certain hosts or networks to communicate certain traffic.
In addition to protecting private networks from external intruders, access lists are
also commonly used to manage network traffic. For example, if you do not want
certain protocols or services available in particular subnets you can block only those
ports but permit all other traffic. This is also used as an effective way to prevent
traffic such as ICMP messages and routing updates from traveling over certain links.
Standard IP access lists are used to permit/deny traffic from or to one or more IP
addresses.
Use the Interface config mode access-group command to bind the access list to an
interface: router(config-if)#ip access-group number in|out
For example, to deny hostC from sending traffic to the WAN in the network depicted
in the diagram below, use the following commands.
When traffic is sent to the router's Ethernet interface the rules in access list 10 are
processed; if the traffic is sent by hostC the router drops the packets and stops
processing the rules. The rule access-list 10 permit any is included because of the
implicit deny. There must be at least one 'permit' rule, otherwise the protocol is
completely disabled for the interface as soon as you bind the list.
The first example is simple: if you want to deny access to all hosts in the network
172.16.23.0 with subnet mask 255.255.255.0 you would use 172.16.23.0
0.0.0.255 as the source in the access-list command. When the router checks if the
addressing information of an incoming packet matches the denied address specified
in the access list, it only cares about the part of the address where the corresponding
bits in the inverse mask are 0. The part of the address where the corresponding bits
in the inverse mask are set to 1 can be anything (in this example 0 to 255).
In other situations, where you want to specify a range of addresses that does not
have the boundary between 0s and 1s exactly between octets, you might need to
convert it all to binary to determine the inverse mask. For example, you want to
specify the network 172.18.16.0 with the subnet mask 255.255.240.0. When you
convert this mask to binary it shows that the first 20 bits are set
to 1 (11111111.11111111.11110000.00000000), so the inverse mask has
the first 20 bits set to 0 (00000000.00000000.00001111.11111111), which is 0.0.15.255
in decimal notation. This specifies the address range 172.18.16.0 to
172.18.31.255.
If you want the source or destination to be any host from any network you could use
the address 0.0.0.0 with the inverse mask 255.255.255.255, but to save you from
typing so many keys you can use the keyword any instead.
In Extended Access lists the keyword host can be used to replace the 0.0.0.0 inverse
mask. Instead of specifying a single address with 192.168.23.11 0.0.0.0 you can use
host 192.168.23.11.
Extended IP access lists offer more granular control compared to standard lists that
only allow you to deny or permit traffic from a certain source. Extended access lists
allow you to control TCP/IP traffic based on the Transport protocol being used (TCP
or UDP) and the service or application (e.g. SMTP, Telnet) from source addresses
AND destination addresses.
Use the global configuration access-list command to create the access lists. This command
supports numerous arguments, most of them beyond the scope of the CCNA
exam. At the bottom of this TechNote are links to documents at Cisco.com explaining
the complete syntax. Nevertheless, here is the most important part:
router(config)#access-list number deny|permit protocol source|any destination|any
When TCP or UDP is used as the protocol argument, two other important arguments
are operator and port. The port argument can be a TCP or UDP port number or name
(e.g. 21 or FTP, 23 or TELNET, 123 or NTP); the operator is usually eq, which means
equal, other options include lt (less than) and gt (greater than).
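The inverse-mask arithmetic, the first-match rule processing and the implicit deny described above, as an added Python model (not Cisco IOS code and not part of the original TechNote). The hostC address 172.16.23.5 and the sample packets are constructed values, not taken from the diagram:

```python
"""Model of Cisco IP access-list semantics: wildcard (inverse) masks,
sequential first-match rule processing and the implicit 'deny any' at
the end of every list. Added example; values marked below are constructed."""
from dataclasses import dataclass
from typing import Optional


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Inverse mask: every bit of the subnet mask flipped
    (255.255.240.0 -> 0.0.15.255)."""
    return int_to_ip(ip_to_int(subnet_mask) ^ 0xFFFFFFFF)


def address_range(network: str, wildcard: str) -> tuple:
    """First and last address covered by network/wildcard. Bits where the
    wildcard is 1 are 'don't care', so the range spans all their values."""
    net, wc = ip_to_int(network), ip_to_int(wildcard)
    first = (net & ~wc) & 0xFFFFFFFF
    return int_to_ip(first), int_to_ip(first | wc)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """The router only compares bits where the wildcard is 0."""
    wc = ip_to_int(wildcard)
    return (ip_to_int(addr) & ~wc) == (ip_to_int(base) & ~wc)


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0"              # 'any' == 0.0.0.0 255.255.255.255
    src_wc: str = "255.255.255.255"
    protocol: Optional[str] = None    # None: standard list, IP only
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dport: Optional[int] = None       # 'eq port' on TCP/UDP rules

    def matches(self, pkt: dict) -> bool:
        if self.protocol not in (None, "ip") and pkt["proto"] != self.protocol:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(acl: list, pkt: dict) -> str:
    """Rules are processed top-down and the first match wins;
    a packet matching no rule hits the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed lists mirroring the text:
#   access-list 10 deny <hostC>      (hostC = 172.16.23.5 is an assumed value)
#   access-list 10 permit any        (needed because of the implicit deny)
ACL_10 = [
    Rule("deny", "172.16.23.5", "0.0.0.0"),
    Rule("permit"),
]
#   access-list 110 deny tcp any host 172.16.22.139 eq telnet  (the only rule)
ACL_110 = [
    Rule("deny", protocol="tcp", dst="172.16.22.139", dst_wc="0.0.0.0", dport=23),
]

if __name__ == "__main__":
    print(wildcard_from_mask("255.255.240.0"))
    print(address_range("172.18.16.0", "0.0.15.255"))
    print(evaluate(ACL_10, {"src": "172.16.23.5", "dst": "10.0.0.1", "proto": "ip"}))
    # With only a deny rule in the list, even unrelated UDP traffic is dropped.
    print(evaluate(ACL_110, {"src": "10.1.1.1", "dst": "10.2.2.2", "proto": "udp", "dport": 53}))
```

Appending Rule("permit") to ACL_110 is what turns it back into the "deny telnet to one host, allow everything else" filter the text intends.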
Use the Interface config mode access-group command to apply the access list to an
interface: router(config-if)#ip access-group number in|out
You can prevent SMTP traffic originating from the WANs from traveling over link A to
an SMTP server with destination 192.168.115.20 by putting an outbound extended
IP access list on the Serial 0 interface of RouterX and using the following commands
on RouterX (or RouterY):
Following is another example using the same diagram above. It shows how you can
use extended access lists to control ICMP traffic (used for utilities such as ping and
trace). For example, to deny the hosts in the Ethernet network attached to RouterY
to use ICMP to communicate with hosts on the other side of the router, use the
following commands on RouterY:
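To make the matching rules above concrete, here is an added Python model of how a router evaluates an extended IP access list. It is written for this TechNote and is not IOS code nor part of the original text. It implements inverse-mask matching (a 0 bit must match, a 1 bit is "don't care"), the any and host shorthands, the eq/lt/gt port operators, top-down first-match evaluation and the implicit deny at the end of every list. The list it builds is a constructed rule set modelling the SMTP scenario (deny tcp any host 192.168.115.20 eq smtp, then permit ip any any); the port-name table and the sample packets are likewise constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the TechNote): a small model of Cisco extended IP
# access-list evaluation. Addresses are (address, inverse-mask) pairs.

ANY = ("0.0.0.0", "255.255.255.255")          # keyword 'any'
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "ntp": 123}   # constructed subset


def host(address: str) -> Tuple[str, str]:
    """Keyword 'host': a single address, i.e. inverse mask 0.0.0.0."""
    return (address, "0.0.0.0")


def wildcard_range(address: str, wildcard: str) -> Tuple[str, str]:
    """First and last address covered by address/inverse-mask."""
    addr = int(ipaddress.IPv4Address(address))
    wild = int(ipaddress.IPv4Address(wildcard))
    first = addr & ~wild & 0xFFFFFFFF
    last = first | wild
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def wildcard_match(address: str, wildcard: str, candidate: str) -> bool:
    """A 0 bit in the inverse mask must match; a 1 bit is 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == \
           (int(ipaddress.IPv4Address(candidate)) & care)


def resolve_port(port) -> int:
    """Accept a port number or one of the well-known names IOS understands."""
    return PORT_NAMES[port.lower()] if isinstance(port, str) else int(port)


@dataclass
class Ace:
    """One entry: permit|deny protocol source destination [operator port]."""
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp", "udp" or "icmp"
    src: Tuple[str, str]
    dst: Tuple[str, str]
    operator: Optional[str] = None   # "eq", "lt" or "gt" (TCP/UDP only)
    port: Optional[int] = None       # destination port the operator applies to
    matches: int = 0                 # the per-rule counter 'show access-lists' reports

    def port_ok(self, dport: Optional[int]) -> bool:
        if self.operator is None:
            return True
        if dport is None:
            return False
        return {"eq": dport == self.port,
                "lt": dport < self.port,
                "gt": dport > self.port}[self.operator]


class ExtendedAcl:
    def __init__(self, number: int, entries: List[Ace]):
        self.number = number
        self.entries = entries

    def evaluate(self, protocol: str, src: str, dst: str,
                 dport: Optional[int] = None) -> str:
        """Top-down, first match wins; no match means the implicit deny."""
        for ace in self.entries:
            if ace.protocol != "ip" and ace.protocol != protocol:
                continue
            if not wildcard_match(*ace.src, src) or not wildcard_match(*ace.dst, dst):
                continue
            if ace.protocol in ("tcp", "udp") and not ace.port_ok(dport):
                continue
            ace.matches += 1
            return ace.action
        return "deny"


def smtp_filter() -> ExtendedAcl:
    """Constructed list 101: block SMTP to the mail server, allow everything else.
    IOS equivalent: deny tcp any host 192.168.115.20 eq smtp / permit ip any any."""
    return ExtendedAcl(101, [
        Ace("deny", "tcp", ANY, host("192.168.115.20"), "eq", resolve_port("smtp")),
        Ace("permit", "ip", ANY, ANY),
    ])
```

Note that the permit ip any any entry is what keeps the list from silently dropping everything else; a list consisting only of the deny entry would block all traffic on that interface in that direction because of the implicit deny.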
The following command allows you to remove an access list from an interface:
router(config-if)#no ip access-group number|name in|out
For example: router(config-if)#no ip access-group 102 out
The following command allows you to completely delete an access list from the
configuration:
router(config)#no access-list number|name
For example: router(config)#no access-list 102
If your router is running IOS 11.2 or higher, you can create named access lists.
Instead of choosing a number between 1 and 99 for standard IP access lists, you can use
a custom name, which allows for more lists and more convenient management. The
commands to create a named access list are different for standard and extended
access lists.
To create a named access list, use the following command in global configuration
mode:
router(config)#ip access-list {standard | extended} name
This command will take you into access-list configuration mode where you can define
the deny and permit rules. For example to create a named access list with the name
wwwfilter and permit only access from the networks 192.168.132.0, 172.17.0.0 and
10.0.0.0 use the following commands:
A named list is applied to an interface in the same way as with numbered lists:
router(config-if)#ip access-group wwwfilter out
VTY Lines
You can also use standard access lists to limit access to VTY lines. For example:
The following commands are useful for monitoring and verifying the operation of
access lists.
The show ip interface command displays which access lists are applied to the
specified interface, for example:
router#show ip interface serial 1
The following command displays the contents of an access list, and if applied to an
interface, the number of matches per permit/deny rule:
router#show access-lists number|name
If you do not specify an access-list number or name, all the current access lists will
be displayed. You can also use the show ip access-lists command to display one or
all of the current IP access lists.
If you turn on the power of the router after you start HyperTerminal and connect,
you will see a similar output as shown below:
System Bootstrap, Version 11.0(10c), SOFTWARE
Copyright (c) 1986-1996 by Cisco Systems
2500 processor with 8192 Kbytes of main memory
Read the Basic Cisco Router Configuration and Management TechNotes for more
information about the router start-up sequence.
If the router is turned on already, and you connect to it, the following output will be
shown by default:
If there isn't a startup configuration available the initial Setup dialog will be started, which
is like a text-based wizard. In general, you should skip it, and configure the router
manually.
If this is 'your first time', or you simply want to check everything, run the following
commands at the command prompt and check out the output:
Router> show version
Router> show interfaces
Router> show flash (This shows the flash memory and the IOS file.)
Router> ?
ROUTER COMPONENTS
RAM
Random-Access Memory has the same function as the RAM in a PC. This is where the IOS
runs its processes. It also contains the running configuration, routing and other
tables as well as packet buffers.
ROM
This Read-Only Memory stores an older 'lite' IOS used to boot the router for the very
first time, or when the Flash memory is erased or corrupted.
FLASH
This piece of 'flash-able' memory stores the IOS image, the operating system of the
router.
NVRAM
Unlike normal RAM, Non-Volatile Random-Access Memory is a special
type of memory that doesn't lose its content when the router's power is turned off. It
stores the startup configuration and the configuration register.
Config register
The NVRAM has a special location that contains the 16-bit configuration register.
Every time the router boots it reads this value. The config-register value is a
hexadecimal value ranging from 0x0000 to 0xFFFF and can be set by using the
config-register command. The most important portion of the configuration register to
understand for the exam is the boot field (bits 0 through 3, hexadecimal range
0x0000-0x000F). The boot field value specifies from which location the IOS
image should be loaded during startup, or whether loading it should be bypassed altogether.
The remaining 12 bits of the configuration register are used for various functions
such as enabling/disabling the Break function, setting the Console line speed,
bypassing NVRAM, and controlling the broadcast address. To change the
configuration register you have to be in global configuration mode. Use the
command configure terminal, often abbreviated to conf t, in privileged EXEC mode
to enter global config mode. You can enter privileged EXEC mode using the enable
command. When you enter the correct password the prompt will change to Router#
(where "Router" is the hostname of the router).
Once you are in global config mode use the following command to change
configuration register value:
Router(config)#config-register 0x2102
where 0x2102 is an example of a config-register value.
You can view the current configuration setting by using the Router#show version
command. The last line of the output will display the current value and if it is
different, the value after reboot:
Configuration register is 0x2142 (will be 0x2102 at next reload)
A router boots similar to a regular computer as it first performs a power on self test
(POST) for the hardware, next loads bootstrap code from ROM, loads the IOS image
from Flash into RAM, performs a hardware inventory, and finally the router locates
and loads a configuration file. You can reboot a router by using the power switch or
the reload command.
As mentioned earlier, the router configuration is stored in NVRAM. This is the place
where the router will search for a configuration file. Alternatively, you can configure
the router to load a configuration file from a TFTP server. If the router cannot locate
a configuration file (on a new router for example) it will start setup and it will ask if
you want to enter the initial configuration dialog. If you answer with No, you'll be
taken to the command prompt and you'll be able to configure the router manually. If
you answer with Yes, you'll be taken through a list of questions allowing you to
configure the router e.g. set a hostname and enable password and secret, configure
routed and routing protocols, and assign addresses to interfaces. You can initiate this
configuration dialog at any time by using the setup command.
A Cisco router contains two configurations: the startup configuration (usually stored
in NVRAM) and the running configuration (stored in RAM). When you make changes
to the router configuration by entering global configuration mode by using the
config terminal command, the changes are made to the running configuration.
The following command loads the startup configuration stored in NVRAM into RAM
and makes it the active running configuration.
Router#copy startup-config running-config
You can also copy the running configuration to a TFTP server using the following
command:
Router#copy running-config tftp 222.222.222.1
This can be done with the startup configuration as well:
Router#copy startup-config tftp 222.222.222.1
You can use the erase command to delete the content of NVRAM:
Router#erase startup-config
Instead of using the IOS stored in flash, you can load it from a TFTP server, or you
can load the limited IOS from ROM. This can be configured in the configuration file
using the following commands in global configuration mode:
To load Cisco IOS software from Flash memory use the following command:
Router(config)#boot system flash
Although this is default behavior, using this command can be useful especially when
you have multiple IOS images stored in FLASH. If you do not specify a filename, the
first located image will be loaded.
To load Cisco IOS software from a TFTP server use the following command:
Router(config)#boot system tftp
To load Cisco IOS software from ROM use the following command:
Router(config)#boot system rom
Note that this will load the limited IOS version and will likely prevent normal
operation.
You can use a combination of these commands to provide some redundancy. You can
even specify multiple TFTP servers. Make sure you place them in the correct order,
flash first, tftp as backup, and rom as last resort. The configuration register's boot
field must be set to 0x2 through 0xF, in order for the router to check the
configuration file in NVRAM for boot system commands.
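The configuration register section above and the boot system commands here are two halves of one decision, so here is an added Python example (written for this TechNote, not IOS code or part of the original) that decodes the register bits the text names and predicts the order of image sources the router will try. The bit positions (boot field in bits 0-3, 0x0040 for ignoring NVRAM, 0x0100 for disabling Break, 0x2000 for falling back to ROM when a network boot fails) are the standard Cisco assignments; the startup configuration fragment and its TFTP filename are constructed for the demonstration. The audit function shows the checks a defender wants from show version: a register of 0x2142 leaves the router ignoring its startup configuration, which is the password-recovery setting and should be reset to 0x2102 afterwards.

```python
from typing import Dict, List

# Added example (not from the TechNote): decode the 16-bit configuration
# register and work out where the router will look for an IOS image.

BOOT_FIELD_MASK = 0x000F         # bits 0-3: the boot field
IGNORE_NVRAM = 0x0040            # bit 6: ignore the startup configuration (0x2142)
BREAK_DISABLED = 0x0100          # bit 8: Break key ignored once the router is up
ROM_IF_NETBOOT_FAILS = 0x2000    # bit 13: fall back to ROM if a network boot fails


def decode_config_register(value: int) -> Dict[str, object]:
    boot_field = value & BOOT_FIELD_MASK
    if boot_field == 0x0:
        source = "rommon"        # stay in the ROM monitor
    elif boot_field == 0x1:
        source = "rom"           # boot the limited image in ROM
    else:
        source = "nvram"         # 0x2-0xF: honour boot system commands in the startup config
    return {
        "boot_field": boot_field,
        "boot_source": source,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_if_netboot_fails": bool(value & ROM_IF_NETBOOT_FAILS),
    }


def boot_order(value: int, startup_config: str) -> List[str]:
    """Image sources in the order the router tries them, given the register
    value and the text of the saved configuration."""
    reg = decode_config_register(value)
    if reg["boot_source"] in ("rommon", "rom"):
        return [str(reg["boot_source"])]
    if reg["ignore_nvram"]:
        # NVRAM is bypassed, so its boot system commands are never read.
        return ["flash (first image)"]
    order = []
    for line in startup_config.splitlines():
        words = line.split()
        if len(words) >= 3 and words[:2] == ["boot", "system"]:
            order.append(words[2])   # flash, tftp or rom, in configured order
    return order or ["flash (first image)"]


def audit_config_register(value: int) -> List[str]:
    """Findings a defender wants from the last line of 'show version'."""
    reg = decode_config_register(value)
    findings = []
    if reg["ignore_nvram"]:
        findings.append("bit 6 set: startup configuration is ignored at boot "
                        "(password-recovery setting); restore 0x2102 after recovery")
    if not reg["break_disabled"]:
        findings.append("bit 8 clear: Break on the console can interrupt the boot "
                        "and drop into rommon")
    if reg["boot_source"] == "rom":
        findings.append("boot field 0x1: router will run the limited ROM image")
    return findings


# Constructed startup-configuration fragment; the image name is a placeholder.
SAMPLE_STARTUP_CONFIG = """\
hostname Router
boot system flash
boot system tftp c2500-example-image.bin 222.222.222.1
boot system rom
"""
```

With 0x2102 and the sample configuration the order comes out as flash, tftp, rom, which is the redundancy order the text recommends; with 0x2142 the same configuration is never consulted and the router simply boots the first image in flash.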
To back up the IOS stored in Flash to a TFTP server use the following command:
Router#copy flash tftp 222.222.222.1 c2600-js-l_121-5.bin
You will be prompted for an IP address of the TFTP server (defaults to the broadcast
address 255.255.255.255) and a filename.
To delete the content stored in Flash use the command:
Router#erase flash
CONNECTING TO A ROUTER
There are multiple ways to establish connectivity to a router to perform configuration
tasks:
- Console port
Cisco routers are equipped with a Console port, which is an RJ-45 port on most
routers but on some high-end routers it's a DB-25 connector. You can connect a
terminal (a notebook or a PC for example) to the console port using a RJ-45 roll-over
cable with RJ-45, DB-9, or DB-25 connectors on the ends. A common example is a
cable with a RJ-45 connector connecting to the router's console port and a DB-9
connector on the other end connecting to the PC's COM port. When you connect a PC
to the router's console port you can use a terminal emulator to configure the router.
When you start a session the following should appear:
Router con0 is now available.
Press RETURN to get started
- Auxiliary port
Many Cisco routers are also equipped with an Auxiliary port, which can be used to
connect a modem and allow for remote administration of the router.
- Telnet
Once your router is configured with an IP address, a Telnet connection is the most
common way to connect to a router to manually configure and monitor it. Cisco IOS,
the router's operating system, has a built-in Telnet server and a Telnet client. This
allows you to connect to a router using a telnet client not only from a PC but from
another Cisco router as well. This type of connection, using the same network the
router operates in, is also known as in-band management. Telnet sends username and
password credentials in clear text and should be replaced with SSH connections if
supported.
ROUTER MODES
User EXEC mode
This is the mode you enter once you are connected, and if required, logged on to the
router. In this mode you can perform non-disruptive troubleshooting, for example,
view the routing table and status of components. You can NOT view or modify the
configuration in User EXEC mode.
When you connect to the router and press the <Enter> key (Press RETURN to get
started) you'll be prompted for a password:
User Access Verification
Password:
When you enter the correct console, telnet or AUX password (depending
on how you connect to the router) and press <Enter> the User EXEC mode
command prompt will appear.
Router>
"Router" is the default hostname for all Cisco routers. The > indicates you are in
User EXEC mode.
To exit User EXEC mode and quit the session with the command-line executive use
one of the following commands:
Router>logout
or
Router>exit
To leave Privileged EXEC mode and return to User EXEC mode, use the following command:
Router#disable
To exit Privileged EXEC mode and quit the session with the router, use one of the
following commands:
Router#logout
or
Router#exit
Global Configuration mode
To exit global configuration mode and return to Privileged EXEC mode use one of the
following commands:
Rnewyork1(config)#end
or
Rnewyork1(config)#exit
Or use the key combination CTRL-Z
You can use the following command to save the configuration to NVRAM so it will be
used next time the router starts:
Rnewyork1#copy running-config startup
You need to enter interface configuration mode when you want to configure settings
specific to an interface, such as assigning an IP address. To enter interface
configuration mode you must use the interface command and provide the name and
number of an existing interface. Following are some examples:
Router(config)#interface ethernet 0
Router(config-if)#
Router(config)#interface serial 2
Router(config-if)#
As you can see in the first example, the first possible interface is 0, so the second
Ethernet interface on a router would be Ethernet 1; also noticeable is the change in
the prompt.
These commands are usually abbreviated, for example to int e1 or int s0
To exit interface configuration mode and return to global configuration mode, enter
the following command:
Router(config-if)#exit
To exit interface configuration mode and return to Privileged EXEC mode, use the
key combination CTRL-Z
or
Router(config-if)#end
Console password
Use the following commands to configure the console password. The first command
is used to enter Line configuration mode. The second configures the password
"cisco123", and the third command configures the console line to require a login.
Router(config)#line con 0
Router(config-line)#password cisco123
Router(config-line)#login
Telnet password
Use the following commands to configure a password for Telnet access:
Router(config)#line vty 0 4
Router(config-line)#password cisco123
Router(config-line)#login
Auxiliary password
Use the following commands to configure the auxiliary port password:
Router(config)#line aux 0
Router(config-line)#password cisco123
Router(config-line)#login
The enable password and enable secret are local passwords used to control
access to Privileged EXEC mode. The difference between these two is that the enable
password is stored in clear-text in the configuration file, and the enable secret is
stored as an irreversible MD5 hash, so the secret cannot be recovered from the
configuration file.
For example, in the configuration file an enable password could be:
enable password cisco123
and an enable secret could be:
enable secret 5 $1$iSuI$i7TiENAn69392tYvh5wwZ1
The enable secret password overrides the regular enable password, except when an
old IOS image is used that doesn't support the encrypted enable secret.
To configure an enable password, go to global config mode and issue the following
command:
Router(config)#enable password cisco123
where cisco123 is just an example for a password.
To configure an enable secret, go to global config mode and issue the following
command:
Router(config)#enable secret cisco456
where cisco456 is just an example for a password.
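The distinction between a cleartext enable password, a type 7 line password produced by service password-encryption and a type 5 enable secret is easy to check mechanically, and the same pass can flag VTY lines that still accept Telnet (the clear-text credential problem noted under "Connecting to a router"). The following Python audit is an added example written for this TechNote, not IOS code and not part of the original. The configuration fragments are constructed: the type 5 hash is the one quoted above, the type 7 value is a placeholder rather than a real encoded password, and transport input ssh is the standard IOS line command for restricting a VTY to SSH.

```python
from typing import List, Tuple

# Added example (not from the TechNote): audit credential storage in a saved
# IOS configuration and check that VTY lines are restricted to SSH.
# Each finding is (config line number, severity, message); line 0 means "global".
Finding = Tuple[int, str, str]


def audit_ios_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = config.splitlines()
    has_enable_secret = any(l.strip().startswith("enable secret ") for l in lines)
    if not has_enable_secret:
        findings.append((0, "high", "no enable secret: Privileged EXEC is protected "
                                    "only by a cleartext enable password, or not at all"))

    vty_start = None        # line number of the 'line vty' block we are inside, if any
    vty_ssh_only = False    # whether that block carries 'transport input ssh'

    def close_vty_block() -> None:
        if vty_start is not None and not vty_ssh_only:
            findings.append((vty_start, "medium", "vty lines still accept Telnet, so "
                             "credentials cross the network in clear text; "
                             "use 'transport input ssh'"))

    for no, raw in enumerate(lines, 1):
        words = raw.split()
        if not words:
            continue
        if raw[0] not in " \t":            # a top-level command ends any line block
            close_vty_block()
            vty_start, vty_ssh_only = None, False
            if words[:2] == ["line", "vty"]:
                vty_start = no
        if words[:2] == ["enable", "password"]:
            if words[2:3] == ["7"]:
                findings.append((no, "medium", "enable password is type 7: reversible "
                                 "obfuscation, not a hash; replace with enable secret"))
            else:
                findings.append((no, "medium" if has_enable_secret else "high",
                                 "enable password stored in clear text; remove it and "
                                 "rely on enable secret"))
        elif words[0] == "password":
            if words[1:2] == ["7"]:
                findings.append((no, "medium", "type 7 line password: reversible "
                                 "obfuscation produced by service password-encryption"))
            else:
                findings.append((no, "high", "line password stored in clear text"))
        elif words[:2] == ["transport", "input"] and vty_start is not None:
            vty_ssh_only = set(words[2:]) == {"ssh"}
    close_vty_block()
    return findings


# Constructed configuration fragments (the type 5 hash is the one quoted in the
# TechNote; the type 7 value is a placeholder, not a real encoded password).
WEAK_CONFIG = """\
hostname RouterA
enable password cisco123
enable secret 5 $1$iSuI$i7TiENAn69392tYvh5wwZ1
line con 0
 password cisco123
 login
line aux 0
 password 7 TYPE7-PLACEHOLDER
 login
line vty 0 4
 password cisco456
 login
"""

HARDENED_CONFIG = """\
hostname RouterA
enable secret 5 $1$iSuI$i7TiENAn69392tYvh5wwZ1
line vty 0 4
 transport input ssh
 login local
"""
```

Running the audit over WEAK_CONFIG reports the cleartext enable password, both cleartext line passwords, the type 7 aux password and the Telnet-capable VTY block, while HARDENED_CONFIG produces no findings. The severity for a cleartext enable password drops to medium when an enable secret is also present, because the secret takes precedence; the cleartext value is still worth removing since people tend to reuse it elsewhere.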
If you do not set an enable password or enable secret, you don't have to enter a
password when you type the enable command, but you will end up having problems
connecting to the router using telnet for example, you won't be able to enter
Router#show ?
access-expression List access expression
access-lists List access lists
accounting Accounting data for active sessions
aliases Display alias commands
appletalk AppleTalk information
arap Show Appletalk Remote Access statistics
arp ARP table
async Information on terminal lines used as router interfaces
backup Backup status
bridge Bridge Forwarding/Filtering Database [verbose]
buffers Buffer pool statistics
cdp CDP information
clock Display the system clock
compress Show compression statistics
configuration Contents of Non-Volatile memory
controllers Interface controller status
debugging State of each debugging option
decnet DECnet information
dhcp Dynamic Host Configuration Protocol status
dialer Dialer parameters and statistics
dnsix Shows Dnsix/DMDP information
dxi atm-dxi information
entry Queued terminal entries
--More--
You don't need to press the <Enter> key after the ?, and when the end of the list is
reached the command will be after the prompt again without the ? so you can
continue typing the correct option. (When a list like this does not fit in the maximum
allowed lines, --More-- will be displayed on the last line, press the <Enter> key to
scroll down per line or the <Spacebar> to scroll down to the next screen.)
When you type a single ? or just the command help a list with all possible commands
will be displayed.
This refers to another set of useful features which are meant to make working with
the command line interface a little bit more convenient.
By default the 10 previously issued commands are remembered. These commands
can be retrieved to use them again by pressing CTRL-P or the up arrow key. You can
modify the command-line history buffer size using the following command:
The arrow keys function only on ANSI-compatible terminals such as VT100s. You can
configure your terminal emulator to use VT100 emulation.
Another useful feature to assist with the command syntax is auto-complete. For
example, when you type a command partly but you don't know how to spell a
particular option, you can let IOS complete it by pressing the TAB key:
Router#show cdp nei<TAB>
Router#show cdp neighbors
This only works when the given part is enough to determine a single particular
option. For example, the command Router#show access does not result in
Router#show access-expression because it could be Router#show access-lists
as well.
These enhanced editing features are enabled by default. If you wish to disable them,
use the following command:
Router(config)#no terminal editing
Note: to perform this lab you need 2 Cisco routers connected and two hosts, we
assumed two 2501 routers, but pretty much anything will do. This lab does not cover
how to physically connect the routers and the hosts, but rather assumes you can tell
by looking at the diagram. This lab comes in three versions, the one you are looking
at, a printer-friendly version with the commands, and a printer-friendly version
without the commands which can be used as an assessment. The printer-friendly
versions are for members only. Also note that the commands in this lab often include
the router command prompt and never use the abbreviated form.
This first TechExams.Net CCNA Lab will cover a couple of basic configuration
tasks, such as setting passwords and enabling IP routing using RIP. You will need a
lab setup similar to the network diagram below:
Before you start, make sure you clear both routers' configuration using the
Router#erase startup-config command. First we will configure RouterA, after the
router reboots, the following message will be displayed:
Type no and press ENTER. Press ENTER again when the message Press RETURN to
get started appears. Type enable at the Router> command prompt to enter
Privileged Exec mode; notice the prompt changes to Router#.
To prevent the router from interpreting every incorrectly typed command as a host
name and trying to resolve it to an IP address to setup a telnet connection with it,
use the following command:
RouterA(config)#no ip domain-lookup
First set the enable password to cisco123 using the following command:
RouterA(config)#enable secret cisco123
Next, set the password for telnet connections to cisco456 using the following
commands:
RouterA(config)#line vty 0 4
RouterA(config-line)#password cisco456
RouterA(config-line)#login
Although the enable secret command is used to encrypt the enable password, other
passwords stored in the router's configuration should be encrypted as well. To do
this, use the following command:
RouterA(config)#service password-encryption
Enter Interface configuration mode for the Ethernet interface, using the following
command:
RouterA(config)#interface Ethernet 0
Give it the description "Connected to LAN" using the following command:
RouterA(config-if)#description Connected to LAN1
Configure the IP address (see diagram for correct address) for the interface using
the following command:
RouterA(config-if)#ip address 192.168.11.1 255.255.255.0
Enable the interface using the following command:
RouterA(config-if)#no shutdown
Switch to Interface configuration mode for the first Serial interface, using the
following command:
RouterA(config)#interface Serial 0
Give it the description "Direct connection to RouterB" using the following command:
RouterA(config-if)#description connected to RouterB
Configure the IP address (see diagram for correct address) for the interface using
the following command:
RouterA(config-if)#ip address 192.168.22.5 255.255.255.0
Configure the interface to use PPP encapsulation using the following command:
RouterA(config-if)#encapsulation ppp
To copy the currently running active configuration to NVRAM, so it will be used the
next time you reload the router, use the following command:
RouterA#copy running-config startup-config
To configure the other router, RouterB, repeat the steps above. Use the network
diagram to determine the correct addressing and names. To enable the back-to-back
serial connection between the routers, you need to configure one router as DCE
using the following command in Interface configuration mode for the serial
connection on RouterB:
RouterB(config-if)#clock rate 64000
Verify connectivity from Host A to Host B using the ping command; make sure you configured both
hosts to use the nearest router's interface as the default gateway in the TCP/IP
settings.
On both routers, run the following command in Privileged Exec mode to determine
which device is the DCE:
RouterA#show controllers s0
On one of the routers, run the following command in Privileged Exec mode to display
the parameters and current state of the active routing protocol process, and examine
the output:
RouterA#show ip protocols
Use the following command to verify routing table entries on both routers:
RouterA#show ip route
Use the following command to list a summary of the interface's IP information and
status on both routers, and examine the output:
RouterA#show ip interface
Use the same command with the brief option, and notice the output:
RouterA#show ip interface brief
In this second CCNA TechLab you will learn how to configure a simple frame relay
network. Frame relay is a layer 1 and 2 protocol used for WAN connections. It is used
by many companies to provide links between branch offices and the company
headquarters.
If you haven't already, set up the router's basic configuration (hostname, passwords,
telnet access, etc.). If you don't know how to do these things then refer to the TechLab
"Configuring a RIP network". Here is our example network:
First we will configure the frame relay switch (in my lab the 2520). It has links to all
of the endpoints via back-to-back serial cables. It will be the DCE for all connections.
Configure the router to act as a frame relay switch by using the following command:
frame-switch(config)# frame-relay switching
Enter interface configuration mode for the first connected serial interface, e.g. serial 0:
frame-switch(config)# interface serial 0
Remove the IP address:
frame-switch(config-if)# no ip address
Set the clock rate to 64000:
frame-switch(config-if)# clock rate 64000
Set the encapsulation type to Frame Relay:
frame-switch(config-if)# encapsulation frame-relay
Set the LMI type to ANSI:
frame-switch(config-if)# frame-relay lmi-type ansi
Set the Frame Relay interface type to dce:
frame-switch(config-if)# frame-relay intf-type dce
Enable the interface:
frame-switch(config-if)# no shutdown
Repeat the commands above for the other connected interfaces on the frame relay
switch.
Change the host name of the router to 2501-A, 2501-B, or 2501-C, as shown in the
network diagram by using the following command:
Router(config)# hostname 2501-A
Enter interface configuration mode for the connected serial interface:
2501-A(config)# interface serial 0
Assign the IP address as shown in the diagram (i.e. for router 2501-A, use
10.10.12.2 with subnet mask 255.255.255.240):
2501-A(config-if)# ip address 10.10.12.2 255.255.255.240
Set the encapsulation type to Frame Relay:
2501-A(config-if)# encapsulation frame-relay
On the frame-switch, use the show interface command to verify the operation of all
connected interfaces. The output should be as follows:
29 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up
Now we need to configure the DLCI mappings for each interface by using the
frame-relay route command. The format for this command is:
frame-switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
frame-switch(config)# interface serial 1
frame-switch(config-if)# frame-relay route 100 interface s3 101
frame-switch(config-if)# frame-relay route 300 interface s2 301
Go to one of the endpoints and look at the output of some of the "show frame-relay"
commands. You can see the DLCI mappings have propagated to the endpoints. You
don't need to set them up on the endpoints, only on the switch.
Display the frame relay DLCI mappings by using the following command:
Display the frame relay pvc statistics by using the following command:
DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 7 output pkts 6 in bytes 580
out bytes 550 dropped pkts 1 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
DLCI = 301, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 16 output pkts 6 in bytes 1110
out bytes 550 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
pvc create time 00:04:45, last time pvc status changed 00:04:35
As you can see (if you configured everything correctly) the end-point routers can
communicate with each other without a routing protocol or static routes being
configured on the frame relay switch.
You can display the switching table on the router by using the following command:
EIGRP
The Enhanced Interior Gateway Routing Protocol (EIGRP) is the successor of IGRP; it
is more scalable and offers faster convergence. Unlike IGRP, EIGRP is a classless
routing protocol, hence it supports VLSM. It is developed by Cisco and is supported
on Cisco equipment only. In addition to IP, EIGRP can also be used to route IPX and
AppleTalk. Unlike IGRP, EIGRP is considered to be a hybrid routing protocol,
because it has distance vector as well as link-state characteristics. Because EIGRP is a
distance vector protocol with link-state characteristics, routing updates can be
partial; they do not need to contain the complete routing table as with RIP and
IGRP. Also, updates are not sent periodically, but only when necessary, and only to
those neighboring routers that need to know. This results in low bandwidth and CPU
usage, and makes EIGRP a fast routing protocol suitable for large networks. The
maximum hop count in EIGRP is 224. EIGRP allows for secure routing updates using
authentication, to prevent unauthorized or false routing messages, although this is
disabled by default. EIGRP updates use the multicast address 224.0.0.10.
Besides maintaining a routing table, EIGRP maintains a topology table based on the
information it receives in hello packets, and a neighbor table listing the directly
connected neighbors. The neighbors are discovered using hello packets, which are
sent out periodically to check if the connection to the neighbor is still available.
EIGRP uses five packet types: Hello/Acks, Updates, Queries, Replies, and Requests.
When an EIGRP router stops receiving hello packets from a neighbor for a
configurable amount of time, it will consider the router as unreachable. The topology
database will be searched for a backup route known as a feasible successor; if there
isn't one, a multicast will be sent out to find a new route. If another router responds
with an alternative route, a change will be made to the topology table and a new
route will be added to the routing table.
EIGRP uses the Diffusing Update Algorithm (DUAL) for route calculation and to
prevent routing loops. The best route is determined based on 2 metrics by default,
bandwidth and delay, but others can be used as well:
The formula used to calculate the composite metric is: metric = [K1 * bandwidth +
(K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]
By default K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0. You can change these values,
and hence the outcome of the formula by using the metric weights command in
router configuration mode: Router(config-router)#metric weights tos k1 k2 k3 k4 k5
Tos is short for Type of Service and must be 0 (zero). Note that the default
bandwidth for an interface is T1 speed, you can change this by using the bandwidth
command in Interface Configuration mode.
The network command is used to specify which networks are directly connected to
the router, and to allow the interface of this network to be advertised in EIGRP
routing updates. The following is an example of a simple EIGRP configuration:
Router(config)#router eigrp 22
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.10.0
Optionally, since IOS 12.0, the network command supports a network mask.
As mentioned earlier, EIGRP sends routing updates to its neighbors only. A system
using hello packets is used to discover, identify and build relationships with
neighboring routers. The hello packets are sent periodically to determine if a
neighbor (and its interfaces) is still available. The default hello packet interval is 60
seconds for low-speed (bandwidth T1 or slower) nonbroadcast multiaccess (NBMA)
networks such as ATM and multipoint Frame Relay, and 5 seconds for all
other networks. You can change the hello interval by using the following command in
interface configuration mode:
Router(config-if)#ip hello-interval eigrp as-number seconds
After a hello packet is sent, a router will wait until the hold timer expires for a
response before it considers a router to be unreachable. The hold time defaults to 3
times the hello interval; you can change this by using the following command in
interface configuration mode:
Router(config-if)#ip hold-time eigrp as-number seconds
EIGRP supports load balancing over unequal paths; this means adding multiple
primary routes for a single destination to the routing table even if the metrics are not
equal. For example, if you want to load balance between connection A and B, you
can use the variance command to allow connection B to be included in the routing
table as a feasible route to the same destination, even if it has a greater metric than
connection A. Use the following command in router configuration mode:
Router(config-router)#variance multiplier
The multiplier value can be an integer from 1-128; the default is 1, which means
equal-cost load balancing. If the value is set to 3, routes with a metric up to 3 times
the local best metric are considered equal.
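The composite metric formula given above and the variance rule are easier to reason about with numbers, so here is an added Python example written for this TechNote (not IOS code and not part of the original). Two details that the formula as printed leaves implicit are worth knowing: IOS scales the inputs before applying the K values (bandwidth becomes 10^7 divided by the slowest link in kbps, delay becomes the cumulative delay in tens of microseconds, and the result is multiplied by 256), and the reliability factor K5 / (reliability + K4) is only applied when K5 is non-zero, since with the default K5 = 0 it would otherwise make every metric zero. The path-selection function also applies DUAL's feasibility condition (a neighbour's reported distance must be lower than the feasible distance) before variance is considered, which is what keeps unequal-cost load balancing loop-free. The topology and its distances are constructed.

```python
from typing import List, Tuple

# Added example (not from the TechNote): the EIGRP composite metric with the
# scaling IOS applies, and unequal-cost path selection with variance.


def eigrp_metric(min_bandwidth_kbps: int, total_delay_usec: int,
                 load: int = 1, reliability: int = 255,
                 k1: int = 1, k2: int = 0, k3: int = 1,
                 k4: int = 0, k5: int = 0) -> int:
    """Composite metric using the TechNote's formula on IOS-scaled inputs:
      bandwidth = 10^7 / slowest link on the path (kbps), integer division
      delay     = sum of interface delays in tens of microseconds
    The result is multiplied by 256.  The factor K5 / (reliability + K4) is
    only applied when K5 is non-zero (with the default K5 = 0 it is skipped)."""
    bandwidth = 10_000_000 // min_bandwidth_kbps
    delay = total_delay_usec // 10
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def select_paths(paths: List[Tuple[str, int, int]], variance: int = 1) -> List[str]:
    """paths: (next hop, reported distance RD, total metric via that hop).
    The successor is the path with the lowest total metric, the feasible
    distance (FD).  Another hop is a feasible successor only if its RD is
    below FD (the feasibility condition); such a hop is installed for
    unequal-cost load balancing when its metric is within variance * FD."""
    if not 1 <= variance <= 128:
        raise ValueError("variance must be an integer from 1 to 128")
    fd = min(total for _, _, total in paths)
    installed = []
    for next_hop, rd, total in paths:
        if total == fd or (rd < fd and total <= variance * fd):
            installed.append(next_hop)
    return installed


# Constructed figures: a single T1 serial hop (default delay 20000 usec) and a
# 10 Mb/s Ethernet hop (default delay 1000 usec).
T1_METRIC = eigrp_metric(1544, 20000)
ETHERNET_METRIC = eigrp_metric(10000, 1000)

# Constructed topology: three neighbours advertising the same network.
#   A: the successor (metric via A equals FD)
#   B: RD below FD, so a feasible successor; usable with variance >= 3
#   C: RD above FD, never installed regardless of variance (loop risk)
PATHS = [("A", 1657856, T1_METRIC), ("B", 2000000, 5000000), ("C", 3000000, 4000000)]
```

With the default variance of 1 only A is installed; with variance 3 B joins it, because 5000000 is within three times the feasible distance of 2169856 and B's reported distance is below that distance. C has the lower total metric of the two alternatives but fails the feasibility condition, so no variance value will install it.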
this off per AS by using the following command in router configuration mode:
Router(config-router)#no auto-summary
(and turn it on again with: Router(config-router)#auto-summary )
EIGRP summary routes have an administrative distance value of 5.
You can also configure a summary aggregate address for a specific interface by using
the following command in Interface configuration mode:
Router(config-if)#ip summary-address eigrp as-number network-address subnet-mask [admin-distance]
Static routes and routes from other routing protocols such as RIP, IGRP, and OSPF
can be redistributed into the EIGRP Autonomous System by using the redistribute
command. For example, if you want to redistribute OSPF process 10 into EIGRP AS
20:
Router(config)#router eigrp 20
Router(config-router)#redistribute ospf 10
Router(config-router)#default-metric 10000 100 255 1 1500
The default-metric command is used to configure a default metric for external routes
being redistributed into the AS. The syntax for EIGRP is:
Router(config-router)#default-metric bandwidth delay reliability loading mtu
IGRP routes can be automatically redistributed into EIGRP and vice versa, as long as
the autonomous system is the same.
Troubleshooting
First, a very useful command that is often used to troubleshoot routing: show ip
protocols. For each routing protocol and AS it displays parameters such as the values
of the K0-K5 metric weights, the networks involved, timers, hop count, outgoing filters,
redistributed networks and more. Use the command in EXEC mode:
Router#show ip protocols
The following command shows the packet count for the five different types of EIGRP
packets sent and received:
Router#show ip eigrp traffic
Use the following command in EXEC mode to display information about the interfaces
configured with EIGRP. You can use this to determine on which interfaces EIGRP is
active. If you do not specify an interface and/or AS, all interfaces running EIGRP
and/or from all ASs will be displayed.
Router#show ip eigrp interfaces [interface-type interface-number] [as-number]
To perform this lab you need 1 Cisco Catalyst 2950 Switch and at least 1 PC.
However, most of the commands will work on other switch models as well. We are
going to use two different PCs, but they can be one and the same physical PC. You
will need to connect them as depicted in the following network diagram:
Connect the console cable to the console port on the switch and the other end
to the serial port of PC1. Connect PC2 to the first FastEthernet port (i.e. FA0/1) using a
UTP/STP cable. PC1 must have a terminal client (i.e. Windows HyperTerminal)
installed, and PC2 must be able to set up a telnet connection. For more information
on how to set up the terminal client, please read the Hardware TechLab.
Before you start with the configuration of the switch, clear the switch configuration
by using the erase startup-config command or the erase nvram: command in
Privileged EXEC mode, and then use the reload command to reboot the switch. After
the switch has rebooted, the following message will be displayed:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]
Type no and press ENTER.
Press ENTER when the message Press RETURN to get started appears. Type enable
at the Switch> command prompt to enter Privileged Exec mode; notice the prompt
changes to Switch#.
Change the host name of the switch to "TEswitch1" using the following command:
Switch(config)#hostname TEswitch1
Notice how the prompt changes to TEswitch1(config)# to reflect the hostname.
First set the enable secret to cisco123 using the following command:
TEswitch1(config)#enable secret cisco123
Next, set the password for all telnet lines to 'cisco456' using the following
commands:
TEswitch1(config)#line vty 0 15
TEswitch1(config-line)#password cisco456
TEswitch1(config-line)#login
Although the enable secret is encrypted, other passwords stored in the switch's
configuration are still in clear text. You can see this by returning to Privileged EXEC
mode and running the show running-config command:
TEswitch1(config)#end (or press CTRL-Z)
TEswitch1#show running-config
When you log on with the enable secret, the switch calculates the hash value again
and compares it with the hash value stored in the configuration. If they match, you
typed in the correct secret and will enter Privileged EXEC mode. You can configure a
password by using the enable password command instead, but contrary to the
enable secret, the enable password is not encrypted by default. If both an enable
password and an enable secret are configured, you will need to enter the enable
secret to log on. In other words, there's no need to configure an enable password if
you configured an enable secret.
Near the end of the configuration, you will notice the vty password you just
configured, and that it is stored in plain text format. To ensure that this password, as
well as others such as the console password, is also encrypted, use the service
password-encryption command in Global configuration mode:
TEswitch1#configure terminal
TEswitch1(config)#service password-encryption
If you run the show running-config command in Privileged EXEC mode again,
you will notice the vty password is now also encrypted. For example:
1511021F07257F717E
You can also set a password on the aux or console connection, for example to set the
password to cisco789:
TEswitch1(config)#line con 0
TEswitch1(config-line)#password cisco789
TEswitch1(config-line)#login
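The caveat a practitioner wants at this point: service password-encryption applies the IOS Type 7 encoding, which is reversible and only hides passwords from someone glancing at the configuration, while enable secret stores a one-way MD5 hash (type 5). The following added Python example (not part of the TechLab, not Cisco code) audits how each password in a running-config is stored and flags clear-text, Type 7 and enable-password lines. The two configurations are constructed to mirror the lab steps before and after service password-encryption; the enable-secret hash and the console Type 7 string are placeholders, and the vty Type 7 string is the one shown above.

```python
"""Added example: audit how passwords are stored in an IOS running-config.

Not code from the TechLab. The two configs below are constructed to mirror
the lab steps; the enable-secret hash and the console type 7 string are
placeholders, the vty type 7 string is the one shown on the page.
"""
import re

# enable secret / enable password / password lines, with an optional type digit
PASSWORD_RE = re.compile(
    r"^(?P<enable>enable )?(?P<kind>password|secret)(?: (?P<type>\d+))? (?P<value>\S+)$"
)

RUNNING_CONFIG_BEFORE = """\
hostname TEswitch1
!
enable secret 5 $1$PLCH$placeholderhashvalue00000000
!
line con 0
 password cisco789
 login
line vty 0 15
 password cisco456
 login
"""

RUNNING_CONFIG_AFTER = """\
service password-encryption
hostname TEswitch1
!
enable secret 5 $1$PLCH$placeholderhashvalue00000000
!
line con 0
 password 7 00112233445566778899
 login
line vty 0 15
 password 7 1511021F07257F717E
 login
"""


def audit_passwords(config):
    """Return (line_no, severity, reason) findings for one running-config.

    Line 0 is used for findings about the configuration as a whole.
    """
    lines = config.splitlines()
    findings = []
    if not any(l.strip().startswith("enable secret ") for l in lines):
        # without an enable secret, telnet users cannot reach privileged EXEC
        findings.append((0, "HIGH", "no enable secret configured"))
    for n, raw in enumerate(lines, 1):
        m = PASSWORD_RE.match(raw.strip())
        if not m:
            continue
        enable, kind, typ = m.group("enable"), m.group("kind"), m.group("type")
        if enable and kind == "password":
            findings.append((n, "HIGH", "enable password in use; use enable secret"))
        elif kind == "secret":
            findings.append((n, "INFO", f"one-way hash (type {typ or 'unknown'})"))
        elif typ in (None, "0"):
            findings.append((n, "HIGH", "password stored in clear text"))
        elif typ == "7":
            findings.append((n, "MEDIUM", "type 7 is reversible encoding, not a hash"))
        else:
            findings.append((n, "INFO", f"password stored as type {typ}"))
    return findings


def worst_severity(findings):
    """Highest severity among the findings (INFO when there are none)."""
    order = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
    return max((s for _, s, _ in findings), key=order.get, default="INFO")


if __name__ == "__main__":
    for name, cfg in (("before", RUNNING_CONFIG_BEFORE), ("after", RUNNING_CONFIG_AFTER)):
        print(name, "->", worst_severity(audit_passwords(cfg)))
        for line_no, sev, reason in audit_passwords(cfg):
            print(f"  line {line_no:>2} {sev:<6} {reason}")
```

Running it shows the lab's effect: before service password-encryption the console and vty lines are rated HIGH (clear text), afterwards they drop to MEDIUM, because Type 7 still only obfuscates; the enable secret stays INFO in both cases.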
To be able to manage the switch using telnet, you will need to configure it with an IP
address. Instead of assigning an IP address to one of the switch ports, we are going
to assign an IP address to the Management VLAN.
Use the following commands to assign the IP address 192.168.0.9 to interface VLAN
1, which is the management VLAN by default:
TEswitch1(config)#interface vlan 1
TEswitch1(config-if)#ip address 192.168.0.9 255.255.255.0
If you need to be able to connect to the switch from other networks, you will also
need to configure a default gateway address. For example, if the switch is connected
to a router with the IP address 192.168.0.254, use the following command, in Global
Configuration mode, to use it as the default gateway:
TEswitch1(config-if)#exit
TEswitch1(config)#ip default-gateway 192.168.0.254
Configure PC2 (or PC1 if you are using only one PC) with an IP address from the
same class C network as the switch, for example: 192.168.0.20 with subnet mask
255.255.255.0.
Open your favorite Telnet client and connect to the IP address you assigned to the
switch. Instead of using a third-party client, you can just type the following on the
command prompt:
telnet 192.168.0.9
If you completed the steps above successfully, you should now be able to configure
the switch through telnet in a similar manner as through the console terminal
session. When the connection is established, you will first be prompted for the Telnet
password. When you enter the correct password you will still have to use the enable
command and enter the enable secret before you can change the configuration of the
switch. Also note an enable secret (or enable password) must be configured or else
the switch will not allow you to log on to Privileged Exec mode through telnet.
Saving the configuration on a modern Cisco Catalyst switch running IOS software
works the same as on Cisco routers. This means you have to copy the running
configuration (in RAM) to the startup configuration (in NVRAM) by using the following
command in Privileged EXEC mode:
TEswitch1#copy running-config startup-config
If you run the show startup-config command, you should get the same output as the
show running-config command. The dir nvram: command should show the startup-config
file with a size greater than zero. The configuration is also stored in the
config.text file in flash, which you can see by using the show flash command.
The show version command allows you to display information about the switch's
hardware and IOS. The first half shows information about the IOS in flash, the boot
loader in ROM, the uptime, what caused the switch to reboot, and the IOS edition
it runs. The second half shows information about the hardware, including the
interfaces, the memory and serial numbers.
TEswitch1#show version
In this TechLab, we will go over the essentials of layer 2 switching. Cisco offers a
complete line of switches in different series and models, for small LANs to large
internetworks. This TechLab pertains to layer 2 switching only.
The Network
The example network we'll be using in this TechLab consists of one layer-2 switch
and two PCs. Attach PC1 to the Fa0/1 interface and PC2 to the Fa0/2 interface of the
switch. Configure PC1 with the IP address 10.0.0.1 and the default Class A subnet
mask (255.0.0.0). Configure PC2 with the IP address 10.0.0.2 and the default Class
A subnet mask (255.0.0.0).
Switching
If the two PCs were directly connected to each other they would both be in the same
collision domain. This would also be the case if the PCs were connected through a
hub. With a switch however, every connection creates an additional collision domain,
so in our case, PC1 and PC2 are each in their own collision domain (cd). Both PCs are
still in one and the same broadcast domain because they are in the same logical
subnet and belong to VLAN1 by default.
Being in their own separate collision domain, the signals, hence the frames, sent by
one PC cannot collide with signals from the other PC. This also means collision
detection can be disabled on the connections between the switch and the PCs, and
that they can operate in full-duplex mode.
A hub would simply forward the signal out of all interfaces, except the incoming
interface. Unlike a hub, a switch processes the signals it receives up to layer 2 to be
able to read the MAC addresses in the frame header. Both the source and the destination
MAC address play an important role in the switching process. A switch maintains a
MAC forwarding table, also known as the CAM (Content Addressable Memory) table.
After connecting the switch to at least one other device, the MAC table will be filled
with information learned from incoming frames.
When a switch receives a frame, it will consult the MAC table to check whether the
source MAC address of the frame is already ‘learned'. If it is not a known address,
the switch will add the source MAC to the table and include the interface on which
the frame was received. When the switch receives a frame destined for this MAC
address, it will know out of which interface it needs to forward the frame based on
the entry in the MAC table. If the switch has not learned the destination MAC address
of a frame yet, it will forward the frame out of all interfaces, except the incoming
interface.
This selective forwarding allows a LAN switch to offer much better network
performance than a hub does. In a LAN with a hub, hence a single collision domain,
all hosts see all of the traffic sent between any hosts. They only process the frames
if the destination address is theirs, but the traffic still takes up capacity on the media
(in this case the cable). In a switched LAN however, given that the addresses are
learned, the hosts only receive traffic that is actually destined to them.
As mentioned earlier, the hosts still belong to a single broadcast domain. Hence,
broadcasts are sent out of all interfaces.
Note that a switch does not change the contents of the frames it forwards. This
means switching is transparent to PCs, they cannot tell whether the frame arrived
from another directly connected PC, or through a hub or a switch.
Now let's see how this works in the small switched LAN we created. To do this we are
going to use the ping utility on the PCs. This will generate ARP broadcasts and ICMP
unicast messages.
> Open the command prompt console for PC1 and enter the command ping 10.0.0.2
(the IP address of PC2).
> Run arp -a in the console for PC1 and notice the entry for the IP to MAC address
mapping for PC2. PC2's ARP cache will likewise have an entry for PC1.
1. PC1 broadcasts an ARP Request to discover the MAC address for PC2's IP address.
2. PC2 receives the ARP request and adds the entry for PC1 based on the info in the
ARP Request
3. PC2 sends an ARP Reply with its own MAC address and IP to PC1
4. PC1 receives the ARP Reply with the requested information (the MAC address of
PC2) and now knows what destination address to use for frames destined to PC2,
hence can send the ICMP packets (encapsulated in the frames).
Although the results would be the same if the PCs were directly connected (from the
PC's perspective), the switch performed several actions the PCs are unaware of.
1. When the switch receives the ARP Request broadcast from PC1, it learns PC1's
MAC address from the frame header and stores it together with the interface (in this
case FastEthernet0/1) in the MAC forwarding table.
2. The destination address of the ARP Request is the broadcast address ffff.ffff.ffff, so
the switch forwards it out of all ports except the incoming port.
3. Even if other devices were connected, only PC2 replies with an ARP Reply. When
the switch receives this reply frame, it learns the MAC address of PC2 and stores it
together with the interface (in this case FastEthernet0/2) in the MAC forwarding
table.
4. The ARP Reply is targeted directly to the MAC address of PC1 (which PC2 learned
from the ARP Request sent by PC1) and since the switch learned on which interface
the target MAC address can be reached in step 1, it will forward the ARP Reply only
out of FastEthernet0/1.
5. The switch has now learned the MAC addresses and interfaces for both PCs, so when
PC1 sends the frames that contain the ICMP packets to PC2, the switch will switch
traffic directly between FastEthernet0/1 and FastEthernet0/2. If any other PC or
network device were attached to the switch, they wouldn't even notice the traffic and
wouldn't have to waste time reading the frames' headers to check if their own MAC
address matches the one in the frames.
> Start a console or telnet session with the switch and use the following command to
display the contents of the MAC forwarding table:
Switch# show mac address-table
The output should be similar to the following (it may differ depending on your IOS
version and switch model):
In addition to the destination address and destination port, the switch stores the
Address Type (Dynamic for learned addresses and Static for manually configured
static entries) and the VLAN. The interfaces have to belong to the same VLAN for the
attached hosts to be able to communicate with each other without a router or layer 3
switch. As you can see in the output above, all interfaces belong to VLAN 1 by
default.
The show mac address-table command supports several keywords and options to
filter the output. For example, you can add the count keyword to list the number of
addresses per VLAN:
Switch#show mac-address-table count
Note both show mac address-table and show mac-address-table (an older variant
with a dash between mac and address) are accepted as valid commands.
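The learning, flooding and filtering behaviour described above, together with the per-VLAN view of the MAC address table, can be replayed in a few lines. The following added Python example (not from the TechLab, not Cisco code) models a transparent learning switch whose MAC table is keyed by VLAN and walks through the five switch actions of the ping exercise: the ARP Request is flooded within VLAN 1, the ARP Reply is sent only out of Fa0/1, and the ICMP frames go straight to Fa0/2. The MAC addresses and port-to-VLAN assignments are constructed; Fa0/4 is placed in VLAN 2 to show that flooding stays inside the VLAN.

```python
"""Added example: a transparent learning switch with a per-VLAN MAC table.

Not code from the TechLab. MAC addresses and port assignments are constructed.
"""

BROADCAST = "ffff.ffff.ffff"
PC1_MAC = "0000.0c11.1111"   # constructed, attached to Fa0/1
PC2_MAC = "0000.0c22.2222"   # constructed, attached to Fa0/2


class LearningSwitch:
    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)   # interface -> access VLAN
        self.mac_table = {}                  # (vlan, mac) -> interface learned on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the interfaces it is forwarded out of.

        The frame is never modified, which is what makes the switch
        transparent to the attached hosts.
        """
        vlan = self.port_vlans[in_port]
        # learn: source MAC -> incoming interface, scoped to the port's VLAN
        self.mac_table[(vlan, src_mac)] = in_port
        out_port = self.mac_table.get((vlan, dst_mac))
        if dst_mac == BROADCAST or out_port is None:
            # broadcast or unknown unicast: flood within the VLAN, never back
            # out of the incoming interface
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port)
        if out_port == in_port:
            return []        # destination is on the incoming segment: filter
        return [out_port]

    def count_per_vlan(self):
        """Like 'show mac address-table count': learned entries per VLAN."""
        counts = {}
        for (vlan, _mac) in self.mac_table:
            counts[vlan] = counts.get(vlan, 0) + 1
        return counts

    def show_mac_address_table(self):
        """Text in the spirit of 'show mac address-table' (dynamic entries)."""
        rows = ["Vlan    Mac Address       Type        Ports",
                "----    -----------       --------    -----"]
        for (vlan, mac), port in sorted(self.mac_table.items(), key=lambda kv: kv[1]):
            rows.append(f"{vlan:<7} {mac:<17} DYNAMIC     {port}")
        return "\n".join(rows)


def arp_and_ping_walkthrough():
    """Replay the switch actions from the ping exercise; return (switch, log)."""
    sw = LearningSwitch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1, "Fa0/4": 2})
    log = [
        ("ARP Request PC1 -> broadcast", sw.receive("Fa0/1", PC1_MAC, BROADCAST)),
        ("ARP Reply   PC2 -> PC1",       sw.receive("Fa0/2", PC2_MAC, PC1_MAC)),
        ("ICMP Echo   PC1 -> PC2",       sw.receive("Fa0/1", PC1_MAC, PC2_MAC)),
    ]
    return sw, log


if __name__ == "__main__":
    switch, log = arp_and_ping_walkthrough()
    for what, ports in log:
        print(f"{what:<30} forwarded out of {ports}")
    print(switch.show_mac_address_table())
    print("count per VLAN:", switch.count_per_vlan())
```

Because the table is keyed by VLAN, a frame from the host on Fa0/4 (VLAN 2) addressed to PC2 is flooded only to other VLAN 2 ports, of which there are none, so it goes nowhere: exactly the "same VLAN or a router is needed" rule stated above.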
VLANS
VLANs (Virtual LAN)
A virtual LAN (VLAN) is a logical LAN, or a logical subnet. A VLAN defines a broadcast
domain. A physical subnet is a group of devices that share the same physical wire.
A logical subnet is a group of switch ports assigned to the same VLAN.
Erasing VLANs
Switch#delete flash:vlan.dat-----> Removes the entire VLAN database from flash