
The routers

The routers used in our CCNA TechLabs are 2501 routers, displayed in the picture above.
The upper router in the picture shows the back, where you'll find the connectors and, also
important, the power switch. The 2501 router is equipped with the following interfaces:
• AUI - This is a traditional Ethernet LAN port.
• Serial 0 and Serial 1 - These are synchronous serial WAN ports.
• Console - This is the management console port.
• AUX - A modem can be connected to this port to allow 'out-of-band'
management.
Serial Connection

The picture on the left shows a V.35 DTE cable with a male DB60 connector and a
male standard 34-pin Winchester-type connector. The right picture shows a V.35
DCE serial cable with a male DB60 connector and a female 34-pin Winchester-type
connector. As you probably guessed already, the male connector of the DTE cable is
attached to the DCE cable's female connector, as depicted in the picture below.
This is known as a back-to-back connection, and 'simulates' a WAN link. In a real-
world setup, the DTE cable's male connector typically connects to a port on a
CSU/DSU provided by a service provider (i.e. a telco), which in turn connects to a
CSU/DSU at another location, through a T1 link for example. The DB60 connector
connects to a Serial interface on a router.

Ethernet LAN connections

These two small devices are Ethernet Transceivers and are used as an adapter
between the AUI interface on the router and a twisted pair cable that leads to the
NIC on your PC, a port on a switch, hub, or other router. This is essentially your LAN.
Console cable

This is a UTP roll-over cable with an RJ-45 connector that connects to the Console
port of the router. The other end of the cable typically connects to a small adapter
with a DB-9 female connector that allows you to connect it to a COM port on a PC. A
router that is installed and configured with IP addressing is typically managed using
TELNET. The initial configuration is performed through the management console.
Besides the initial setup, the console connection must also be used if you need to
perform password recovery on a router.
The end results

When everything is connected properly, and the power is turned on, it should look
like the picture above.

LAN TECHNOLOGIES

ETHERNET

Ethernet was developed by DIX (Digital, Intel and Xerox) in the 1970s. In 1980 the
IEEE 802.3 standard was released. Two years later version 2 was introduced, which
is the basis for today's Ethernet networks. The access method (how the wire is
accessed) is Carrier Sense Multiple Access/Collision Detection (CSMA/CD). In a
CSMA/CD network, stations listen to check whether the network is busy; if the
network is free, the station transmits data. When two stations listen and both
determine that the network is available, they will start sending data simultaneously
and a collision occurs. When the collision is detected, both stations retransmit the
data after a random wait time determined by a backoff algorithm. In today's large,
fast-growing, bandwidth-hungry network environments this soon becomes a problem:
stations have to wait more often before they can transmit data, and more collisions
occur. The solution is to separate the network into multiple collision domains. Which
devices can be used for this purpose is explained below, using a network diagram for
each of the relevant network components.

An Ethernet network is a broadcast system: when a station transmits data, every
other station receives the data. The frames contain an address in the frame header;
only the station with that address will pick up the frame and pass it on to
upper-layer protocols to be processed.

BROADCAST DOMAIN

All devices in this domain will receive broadcast frames originating from any other
device within the domain. Broadcast domains are typically bounded by routers
because routers do not forward broadcast frames. Broadcast frames are frames
explicitly directed to all nodes on the LAN; as networks grow this becomes a
problem as well.

REPEATERS

A repeater is a simple device that is used to expand LANs over larger distances by
connecting segments. Repeaters do not control broadcast or collision domains; they
are not aware of upper-layer protocols and frame formats, they merely
regenerate/amplify the signal. Repeaters operate at the Physical layer of the OSI
model. An important rule when using repeaters to expand a network is the 5-4-3
rule, which defines that the maximum distance between two hosts on the same
network can be 5 segments and 4 repeaters, and only 3 of the segments can be
populated, as illustrated in the following logical network diagram:

HUBS/CONCENTRATORS
Hubs, also known as concentrators or multiport repeaters, are used in star or
hierarchical networks to connect multiple stations/cable segments. There are two
main types of hubs: passive and active. An active hub takes the incoming frames,
amplifies the signal, and forwards it to all other ports; a passive hub simply splits the
signal and forwards it. Another type of hub can be managed, allowing individual port
configuration and traffic monitoring; these are known as intelligent or managed hubs.

Hubs operate on the Physical layer of the OSI model and they are protocol
transparent, meaning they are not aware of upper-layer protocols such as IP or IPX,
nor of MAC addressing. Hence they do not control broadcast or collision domains, but
they extend them as illustrated below:

BRIDGES

Bridges are more intelligent than hubs; they operate on the Data Link layer of the
OSI model.
They are used to increase network performance by segmenting networks into separate
collision domains. Bridges are also protocol transparent; they are not aware of the
upper-layer protocols. They keep a table with the MAC addresses of all nodes and the
segment on which each is located.
A bridge takes an incoming frame, reads its destination MAC address and consults
this table to decide what should be done with the frame: if the location of the
destination MAC address is listed in the table, the frame is forwarded to the
corresponding port. If the destination port is the same as the port where the frame
arrived, the frame is discarded. If the location is not known, the frame is flooded
out of all other ports/segments.
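As an added illustration (not part of the original TechNote), here is a small Python model of that forwarding decision: a table learned from the source address of each frame, then forward, filter or flood depending on the destination. The port names and MAC addresses are constructed sample values.

```python
# Added example (not from the original TechNote): a minimal model of the
# bridge/switch forwarding decision. Port names and MAC addresses below are
# constructed sample values.

BROADCAST = "FF-FF-FF-FF-FF-FF"


class Bridge:
    """A transparent bridge with a learned MAC address table."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port on which it was last seen

    def flood(self, in_port):
        """Send out every port except the one the frame arrived on."""
        return [p for p in self.ports if p != in_port]

    def receive(self, in_port, src, dst):
        """Return the list of ports the frame is sent out on ([] = filtered)."""
        # Learning: the source address lives on the segment behind in_port.
        # The table is built only from what arrives on the wire; nothing here
        # checks that a station really owns the source address it uses.
        self.table[src] = in_port
        if dst == BROADCAST:
            # Bridges forward broadcasts: they bound collision domains only.
            return self.flood(in_port)
        out_port = self.table.get(dst)
        if out_port is None:
            # Unknown destination: flood to all other segments.
            return self.flood(in_port)
        if out_port == in_port:
            # Destination is on the arrival segment: discard (filter).
            return []
        # Known destination on another segment: forward to that port only.
        return [out_port]


if __name__ == "__main__":
    bridge = Bridge(["e0", "e1", "e2"])
    host_a, host_b = "00-10-E3-42-A8-BC", "00-10-E3-00-00-01"
    print(bridge.receive("e0", host_a, host_b))  # B unknown: flooded to e1, e2
    print(bridge.receive("e1", host_b, host_a))  # A was learned on e0: forward there
    print(bridge.receive("e0", host_a, host_b))  # B now known on e1
    print(bridge.table)
```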

As illustrated below, bridges control collision domains, they do not control broadcast
domains:

SWITCHES

To improve network performance even more, switches were developed. Switches are
very similar to bridges: they also keep a table with MAC addresses per port to make
switching decisions, operate at the same layer of the OSI model and are protocol
transparent.
Some of the main differences are:
- a switch has more ports than a bridge
- bridges switch in software whereas switches switch in hardware (integrated
circuits)
- switches offer more variance in speed; an individual port can be assigned 10 Mb/s
or 100 Mb/s or even more.

As illustrated below, switches control collision domains, they do not control broadcast
domains*:

* Switches do not control broadcast domains unless Virtual Local Area Networks
(VLANs) are being used, and most modern switches do support VLANs. The following
diagram represents a router configured with two VLANs. As in the previous diagram
each port forms a collision domain, but as you can see in this diagram the network is
separated into two broadcast domains using VLANs. If the network protocol used in
this network were TCP/IP, each VLAN would have its own (sub-)network address; for
example VLAN 1 could be Class C 192.168.110.x and VLAN 2 192.168.220.x.

Switches are able to use software to create Virtual LANs: a logical grouping of
network devices where the members can be on different physical segments. A VLAN
can be based on port IDs, MAC addresses, protocols or applications. For example, in
the network diagram above ports 1 to 12 on the switch could be assigned to VLAN 1
and ports 13 to 24 to VLAN 2, resulting in two different broadcast domains; or
stations 1, 2 and 3 could be using IPX/SPX while stations 4, 5 and 6 could be using
TCP/IP.

An example of a large network with VLANs could be an office building with a switch
on each of the three floors and a main switch connecting them all together. An
administrator would be able to keep a list of MAC addresses and assign stations from
different floors to a single VLAN and for example create a VLAN (broadcast domain)
for each department in the company. Switches share their MAC address table
information with other switches so the path to a destination can be found quickly.

ROUTERS

Routers are used to interconnect multiple (sub-)networks and route information
between these networks by choosing an optimal path ("route") to the destination.
They operate on the Network layer (Layer 3) of the OSI model and, in contrast to
hubs, bridges and switches, routers are protocol-aware. Examples of these protocols
are: IP, IPX, and AppleTalk. Routers make forwarding decisions based on a table with
network addresses and their corresponding ports; this table is known as the route
table. Common uses of routers are to connect two different types of networks (for
example Ethernet and Token Ring) or to interconnect LANs into a WAN. The concept
of routing will be covered in more detail in the Routing Protocols TechNote.

As illustrated below, routers control collision domains AND broadcast domains:

GATEWAYS

A gateway (as a network component) is a device that connects networks with
dissimilar network protocols or architectures and translates between the networks.
Gateways are very intelligent devices; generally they operate on the Transport layer
and on those above it (Session, Presentation, Application). A gateway could be used
to allow IPX/SPX clients to use a TCP/IP uplink to an internet connection: TCP/IP
would be converted to IPX/SPX. Another common use of a gateway is to connect an
Ethernet network to an IBM SNA mainframe environment.

NICs

A NIC (Network Interface Card) is an expansion card for a computer, used to connect
it to the physical network. The NIC's interface itself is defined at the Physical
layer (Layer 1) of the OSI model; the physical address (also known as the Burned-In
Address and commonly the MAC address) of the adapter, as well as the drivers to
control the NIC, are located at the Data Link layer's MAC sublayer. The reason the
physical address is defined at the Data Link layer is that the Physical layer only
handles bits.

Half duplex
Half-duplex means that only one host can communicate at a given time, two hosts
communicating with each other will take turns transmitting. This is the default on
non-switched LANs.

Full-duplex
In full-duplex communication both hosts can transmit at the same time, theoretically
allowing twice as much data to be transmitted over the same connection.
In order for full-duplex to work, some requirements must be met:
- The NICs, hubs etc. must support it,
- Collision Detection and Loopback functions must be disabled.
In reality the connections able to run at full-duplex are crossover cable connections
and connections to a port on a switch, where collisions cannot occur because each
end has its own wire pair (segment).

LAN Technologies
Determine the appropriate uses for full- and half-duplex Ethernet operation
Describe the causes and effects of network congestion in Ethernet networks
Describe the benefits of network segmentation with various networking devices
Identify the cause(s) of LAN connectivity problem
Describe the function, operation, and primary components on a LAN

OSI MODELS
7-layer OSI MODEL

The OSI (Open Systems Interconnection) model was developed by ISO in 1984 to
provide a reference model for the complex aspects related to network
communication. It divides the different functions and services provided by network
hardware and software into 7 layers. This facilitates modular engineering, simplifies
teaching and learning network technologies, helps to isolate problems and allows
vendors to focus on just the layer(s) in which their hardware or software is
implemented and create products that are compatible, standardized and
interoperable.

The diagram below shows the 7 layers of the OSI Model. To remember them in the
correct order a common mnemonic is often used: All People Seem To Need Data
Processing.
(Diagram: the 7 OSI layers, shown for Host A and Host B.)

The Application, Presentation and Session layers are known as the Upper Layers and
are implemented in software. The Transport and Network layers are mainly concerned
with protocols for delivery and routing of packets to a destination and are
implemented in software as well. The Data Link layer is implemented in hardware and
software and the Physical layer is implemented in hardware only, hence its name.
These last two layers define LAN and WAN specifications.

A more detailed description of each layer follows below, but here's what basically
happens when data passes from Host A to Host B:
1. the Application, Presentation and Session layers take user input and convert it
into data,
2. the Transport layer adds a segment header, converting the data into segments,
3. the Network layer adds a network header and converts the segments into
packets,
4. the Data Link layer adds a frame header, converting the packets into frames,
5. the MAC sublayer converts the frames into bits which the Physical layer can put
on the wire.

These steps are known as the 5 steps of data encapsulation. When the bit stream
arrives at the destination, the Physical layer takes it off the wire and converts it into
frames; each layer removes its corresponding header while the data flows up the OSI
model until it is converted back to data and presented to the user. This is known as
decapsulation.

APPLICATION

The Application layer provides network services directly to the user's application such
as a web browser, email software and Windows Explorer. This layer is said to be
"closest to the user".
Protocols that operate on this layer include: TELNET, HTTP, FTP, TFTP, SMTP, NTP,
SNMP, EDI.

PRESENTATION

This layer 'represents' the data in a particular format to the Application layer. It
defines encryption, compression, conversion and other coding functions.
Specifications defined at this layer include: GIF, TIFF, JPEG, MPEG, MIME, and ASCII.

SESSION
Establishes, maintains and terminates end-to-end connections (sessions) between
two applications on two network nodes. It controls the dialogue between the source
and destination node: which node can send, when, and for how long. It also provides
error reporting for the Application, Presentation and Session layers.
Protocols/APIs that operate on this layer include: RPC, SQL, NETBIOS.

TRANSPORT
This layer converts the data received from the upper layers into segments. The
Transport layer is responsible for end-to-end (also called source-to-destination)
delivery of entire messages. It provides end-to-end connectivity, allows data to be
transferred reliably and uses sequencing to guarantee that it will be delivered in the
same order that it was sent. It provides services such as error checking and flow
control (in software). Protocols that operate on this layer: TCP, UDP, NETBEUI, SPX.
These protocols are either connectionless or connection-oriented:

Connection-oriented means that a connection (a virtual link) must be established
before data can be exchanged. This can guarantee that data will arrive, and in the
same order it was sent. It guarantees delivery by sending acknowledgements back to
the source when messages are received. TCP is an example of a connection-oriented
transport protocol.
A common example of connection-oriented communication is a telephone call: you
call, the 'destination' picks up the phone and acknowledges, and you start talking
(sending data). When a message or a piece of it doesn't arrive, you say: "What!?"
and the sender will retransmit the data.

Connectionless is the opposite of connection-oriented; the sender does not
establish a connection before it sends data, it just sends without guaranteeing
delivery. UDP is an example of a connectionless transport protocol.

NETWORK
This layer converts the segments from the Transport layer into packets (or
datagrams) and is responsible for path determination, routing, and the delivery of
these individual packets across multiple networks without guaranteed delivery. The
Network layer treats these packets independently, without recognizing any
relationship between them; it relies on upper layers for reliable delivery and
sequencing.
This layer is also responsible for logical addressing (also known as network
addressing or Layer 3 addressing), for example IP addresses.
Examples of protocols defined at this layer: IP, IPX, AppleTalk, ICMP, RIP, OSPF,
BGP, IGRP, EIGRP, NLSP, ARP, RARP, X.25
Devices that operate on this layer: Routers, Layer 3 Switches.

Network layer addresses

Also known as Layer 3 or logical addresses. These types of addresses are protocol-
dependent: for example, if the network protocol is IP, IP addressing will be used,
which is made up of a network part and a host part and needs a subnet mask to
determine the boundaries of these parts. An example of an IP address is 172.16.0.1
with a subnet mask of 255.255.0.0.
Another example is Novell's IPX addressing, which uses a combination of a
hexadecimal network address + the layer 2 MAC address to form a network layer
address, for example: 46.0010E342A8BC

DATA LINK
The Data Link layer provides transparent network services to the Network layer, so
the Network layer can be ignorant of the physical network topology, and provides
access to the physical networking media. It is responsible for reassembling bits taken
off the wire by the Physical layer into frames, makes sure they are in the correct
order and requests retransmission of frames in case an error occurs. It provides error
checking by adding a CRC to the frame, and flow control. Examples of devices that
operate on this layer are switches, bridges, WAPs, and NICs.

IEEE 802 Data Link sub layers

Around the same time the OSI model was developed, the IEEE developed the 802
standards such as 802.5 Token Ring and 802.11 for wireless networks. Both
organizations exchanged information during the development, which resulted in two
compatible standards. The IEEE 802 standards define physical network components
such as cabling and network interfaces, and correspond to the Data Link and/or
Physical layer of the OSI model. The IEEE refined the standards and divided the Data
Link layer into two sublayers: the LLC and the MAC sublayer.

- LLC sublayer

LLC is short for Logical Link Control. The Logical Link Control is the upper sublayer of
the Data Link layer. LLC masks the underlying network technology by hiding its
differences, hence providing a single interface to the Network layer. The LLC sublayer
uses Source Service Access Points (SSAPs) and Destination Service Access Points
(DSAPs) to help the lower layers communicate with the Network layer protocols,
acting as an intermediary between the different network protocols (IPX, TCP/IP, etc.)
and the different network types (Ethernet, Token Ring, etc.). This sublayer is also
responsible for frame sequencing and acknowledgements.
The LLC sublayer is defined in the IEEE standard 802.2.

- MAC sublayer

The Media Access Control layer takes care of physical addressing and allows upper
layers access to the physical media; it handles frame addressing and error checking.
This layer controls and communicates directly with the physical network media
through the network interface card. It converts the frames into bits to pass them on
to the Physical layer, which puts them on the wire (and vice versa).

IEEE LAN standards such as 802.3, 802.4, 802.5 and 802.10 define standards for the
MAC sublayer as well as the Physical layer.

Other standards on this layer include: X.25 and Frame Relay

Data Link layer addresses

Also known as layer 2 addresses, BIAs (Burned-in Addresses), physical addresses
and, most commonly, MAC addresses. This is a fixed address programmed into a NIC
or a router interface, for example.
00-10-E3-42-A8-BC is an example of a MAC address. The first 6 hexadecimal digits
(3 bytes) specify the vendor/manufacturer of the NIC, the other 6 digits (3 bytes)
identify the host.
The layer 2 broadcast address is FF-FF-FF-FF-FF-FF.
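An added example (not the TechNote's own code) that takes apart the address formats described here and under "Network layer addresses" above: an IP address split into network and host parts with its subnet mask, a MAC address split into vendor and host halves with the layer 2 broadcast recognised, and an IPX address formed from a hexadecimal network number plus a MAC address. The sample values are the ones used in the text; the same_network helper is an addition that shows when two hosts need a router between them.

```python
# Added example (not from the original TechNote): parsing and splitting the
# IP, MAC and IPX address formats described in the text.
from string import hexdigits

HEX = set(hexdigits.upper())


def ip_to_int(dotted):
    """Parse dotted-decimal IPv4 text into a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        value = (value << 8) | int(o)
    return value


def int_to_ip(value):
    """Render a 32-bit integer as dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_ip(address, mask):
    """Split an IP address into its network part and host part using the mask."""
    a, m = ip_to_int(address), ip_to_int(mask)
    host_bits = (~m) & 0xFFFFFFFF
    # A valid mask is a run of ones followed by a run of zeros, so the inverted
    # mask must be of the form 2^n - 1; (x & (x + 1)) == 0 holds exactly then.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return {
        "network": int_to_ip(a & m),
        "host": int_to_ip(a & host_bits),
        "prefix_length": 32 - host_bits.bit_length(),
    }


def same_network(a, b, mask):
    """True when both hosts share the network part, i.e. no router is needed."""
    m = ip_to_int(mask)
    return (ip_to_int(a) & m) == (ip_to_int(b) & m)


def mac_digits(text):
    """Normalise 00-10-E3-42-A8-BC, 00:10:e3:42:a8:bc or 0010.E342.A8BC to 12 hex digits."""
    digits = text.upper().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"bad MAC address: {text!r}")
    return digits


def split_mac(text):
    """Vendor (first 3 bytes) and host (last 3 bytes), plus the broadcast check."""
    digits = mac_digits(text)
    return {
        "vendor": digits[:6],
        "host": digits[6:],
        "broadcast": digits == "F" * 12,
    }


def ipx_address(network_hex, mac):
    """Novell IPX network layer address: hex network number + MAC address."""
    net = network_hex.upper()
    if not 1 <= len(net) <= 8 or not set(net) <= HEX:
        raise ValueError(f"bad IPX network number: {network_hex!r}")
    return f"{net}.{mac_digits(mac)}"


if __name__ == "__main__":
    print(split_ip("172.16.0.1", "255.255.0.0"))
    print(split_mac("00-10-E3-42-A8-BC"))
    print(ipx_address("46", "00-10-E3-42-A8-BC"))
```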

PHYSICAL
This layer communicates directly with the physical media; it is responsible for
activating, maintaining and deactivating the physical link. It handles a raw bit
stream and places it on the wire to be picked up by the Physical layer at the
receiving node. It defines electrical and optical signaling, voltage levels, data
transmission rates and distances as well as mechanical specifications such as cable
lengths and connectors, the number of pins and their function.
Devices that operate on this layer: HUBs/concentrators, repeaters, NICs, and LAN
and WAN interfaces such as RS-232, OC-3, BRI, V.24, V.35, X.25 and Frame Relay.

TCP/IP stack vs. the DoD Model

TCP/IP operation is defined in its own model: the DoD model. DoD is short for
Department of Defense, which designed TCP/IP for ARPANET. Although they are
similar, in contrast to the 7-layer OSI model the DoD model has 4 layers. Each DoD
layer and its functions corresponds to 1 or more OSI layers and their functions,
which is represented in the image below:

For the CCNA exam you don't need to know the DoD model in detail, but if you know
the OSI model and the related DoD layers you can easily identify the layer at which a
certain protocol or standard is specified, for example:
Process/Application: Telnet, FTP, SMTP, HTTP, SNMP, etc.
Host To Host: TCP UDP
Internet: IP, ICMP, ARP, RARP, BootP, etc.
Network Access: Ethernet, Fast Ethernet, Token Ring, FDDI, etc.

ISDN
Integrated Services Digital Network, a circuit-switching network used for voice, data
and video transfer over existing copper telephone lines. ISDN is a bit similar to the
normal telephone system but it is faster and needs less time to setup a call. ISDN
runs on the bottom three layers of the OSI reference model.

There are several types of ISDN channels, the two main ones being the 64 kilobits
per second B-channel for data, and the D-channel for control information. Two
B-channels + one D-channel make up ISDN BRI (Basic Rate Interface); some remote
access servers support a feature called multilink allowing both B-channels to be
combined in a single virtual link of 128 Kbps. In SOHO networks often 1 B-channel is
used for data (an internet connection for example) and 1 B-channel is used for voice
(connected to a digital telephone for example). The US and Japanese version of ISDN
PRI (Primary Rate Interface) is made up of 23 B-channels (total rate of 1.472 Mbps)
and 1 D-channel. The European and Australian version supports 30 B-channels (total
rate of 1.984 Mbps) and 1 D-channel.
A common implementation of these two types of ISDN is a remote access solution
with ISDN PRI at the corporate network supporting 23 dial-in connections for
employees with ISDN BRI at home. An ISDN BRI connection is also often
implemented as a backup line between routers in WANs, such as in a Frame Relay
network as shown in the following image:

Besides this dial-up ISDN configuration for backup and other Dial on Demand
Routing (DDR) configurations, another service offered is ISDN BRI leased-line
connections. The difference is that they always use both data channels for the
connection to the ISDN service provider, and ISDN BRI leased lines are always active.

ISDN Function groups

The ISDN function groups represent the devices in an ISDN environment such as
terminals, terminal adapters, network-termination devices and line-termination
equipment. The following table lists these devices:

TE1 (Terminal Equipment 1): Specialized ISDN terminals that understand the ISDN
standards, for example an ISDN telephone.
TE2 (Terminal Equipment 2): Non-ISDN terminals that need a Terminal Adapter (TA)
to connect to an ISDN network, for example a regular telephone.
TA (Terminal Adapter): Converts some other form of signaling to ISDN to allow
non-ISDN devices (TE2) to work on the 2-wire ISDN network.
NT1 (Network Termination 1): Connects TE1 or TA devices to the ISDN network. In
the US, the NT1 is located at the customer's premises and owned by the customer.
In other parts of the world the NT1 is usually provided by the carrier (typically a
telephone company).
NT2 (Network Termination 2): The NT2 is a physical device that interfaces the NT1
to different types of devices (TE1 or TA). In most cases it is a PBX at the customer's
premises. Take for example an apartment building or campus: if you have a demand
for ISDN lines from your renters (customers) you can order an ISDN PRI and connect
it to your local PBX. You can then extend the ISDN service to any place in the
building(s).

The following image shows the various function groups and reference points.

The following image illustrates some real-life situations. As you can see the NT2 is
left out; most NT1 adapters today have a U interface on one side and an S/T
interface on the other, so you simply plug your TE1 or TA into the NT1 and you're
good to go.

The following image shows two types of routers. The upper one is usually used in
North America, where the demarcation point between the customer premises and the
carrier's network is the U reference point; this router is actually a TE1 with a built-in
NT1 and is also known as a 'U router'. The other router is used in most other parts of
the world, where the NT1 is provided by the telco; this router is actually a TE2 with a
built-in TA and is also known as an 'S/T router'.

ISDN Reference points

ISDN specifies four reference points that define the logical interfaces/connections
between function groups (also represented in the image below):
R defines the reference point between non-ISDN equipment (TE2) and a TA.
S defines the reference point between TE1 or TA devices and an NT2.
T defines the reference point between NT1 and NT2 devices.
U defines the reference point between NT1 devices and line-termination equipment
in a carrier network. Relevant in North America, where the NT1 function isn't
provided by the carrier network.

ISDN protocols

ISDN protocols are defined in ITU standards that operate on the Physical, Data Link
and Network layers of the OSI model. There are several series of protocols dealing
with different issues:
E series defines the use of ISDN on the existing telephone network.
I series deals with concepts, aspects, and services.
Q series covers switching and signaling. The LAPD protocol is formally specified in
ITU-T Q.920 and ITU-T Q.921. LAPD is the signaling protocol used on the D-channel
in ISDN BRI and PRI.

Configure ISDN BRI and Legacy DDR

Configuring ISDN may seem to be complex but is rather simple in basic situations.
The diagram below shows a typical setup connecting two remote offices using an
ISDN dial-up configuration.

First the ISDN switch type must be configured and should match the carrier's
equipment. You can use the isdn switch-type command in both global configuration
mode (required) and interface configuration mode (optional, if different per
interface). For example:
Router(config)#isdn switch-type basic-dms100
The correct switch type should be supplied by the carrier; Cisco.com has a table
listing the ISDN BRI service provider switch types. If you change the switch type,
you must reload the router for the new switch type to take effect.

Although ISDN supports several upper-layer protocols such as IP, IPX and AppleTalk,
typically IP is used and this is also the one relevant to the CCNA exam. Configuring
an IP address on an ISDN BRI interface is done in the same way as configuring an IP
address for any other interface such as Ethernet or Serial:
Router(config)#interface bri 0 (to enter interface config mode)
Router(config-if)#ip address 172.16.22.115 255.255.255.0

Some service providers require the use of SPIDs for your ISDN device to be able to
place or receive calls. A SPID is usually the telephone number of the channel with
some optional numbers which can be used to identify the service(s) the customer is
subscribed to. The SPID numbering scheme depends on the service provider and the
switch type. For example, the DMS-100 switch type requires a SPID for each B
channel:
Router(config-if)#isdn spid1 5055551234 0111 (B1 channel)
Router(config-if)#isdn spid2 5055551235 0111 (B2 channel)

The default encapsulation type for each B-channel is HDLC, however PPP
encapsulation is recommended over HDLC in order to allow the use of CHAP
authentication. The encapsulation type can be configured using the following
command in interface configuration mode:
Router(config-if)#encapsulation ppp

Now to configure the part that actually maps the link to the network layer: the
dialer map command defines the remote host where the calls are going, specifies
whether broadcast messages will be sent and gives the dialing string to use to set up
the call. Here's the syntax of the command:
Router(config-if)#dialer map protocol next-hop-address name remote-name speed
56|64 [broadcast] dial-string
We'll break down the command using example options:
Router(config-if)#dialer map ip 172.16.22.114 name RouterB speed 64 broadcast
55588613213

- The IP address of the remote router's BRI interface used in this command is the
next hop. In the global configuration you will have to define a static route to the
remote network pointing to the next-hop address used in the dialer map command.
The use of static routes is very important, since you don't want to use dynamic
routing protocols for this type of connection: the routing updates would keep the
link up.
- The remote name in name remote-name is the hostname of the other router.
- speed defaults to 64 (in kilobits) but you may need to set it to 56 in some
situations.
- The broadcast option specifies whether broadcast packets such as routing updates
are sent.
- The dial-string is the telephone number that should be dialed when making an
outgoing connection. You can leave out this number to configure the interface to only
accept incoming connections.

The following commands define "interesting" traffic that will cause the router to
place a call and make the connection. For example, if you want the router to dial for
all IP traffic you need to configure a dialer-list and bind it to the BRI interface:
Router(config)#dialer-list 1 protocol ip permit
Router(config)#int bri0
Router(config-if)#dialer-group 1

You can also use standard or extended access lists, for example to permit all traffic
except HTTP/HTTPS. Instead of using the options in the dialer-list command above
you would specify the access list:
Router(config)#dialer-list 1 protocol ip list 101

The following command makes the router disconnect calls that haven't had any
interesting traffic for the configured time:
Router(config-if)#dialer idle-timeout seconds

To add some level of security and to identify the router when it dials out, you should
use the Challenge Handshake Authentication Protocol (CHAP). The hostname of the
router is used to identify it to the other router when sending messages.
Router(config-if)#ppp authentication chap

The global configuration username command is required when CHAP is used; it
specifies the CHAP secret to use when challenged by another router. Important to
know is that the two routers that need to talk must share the same password.
Router(config)#username routerB password password
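An added example (not the TechNote's code) of the CHAP exchange that the ppp authentication chap and username commands set up: the challenger sends a random challenge together with its hostname, the peer looks up the secret stored under that name, hashes it with the challenge and answers with its own hostname, and the challenger recomputes the hash from its own username entry. The router names and secrets are constructed; the hash construction (MD5 over identifier, secret and challenge) follows RFC 1994.

```python
# Added example (not from the original TechNote): a model of the CHAP
# three-way handshake between two routers. Hostnames and secrets are
# constructed sample values; the hash follows RFC 1994.
import hashlib
import hmac
import secrets


class ChapRouter:
    """One router running 'ppp authentication chap'.

    `peers` mirrors the IOS 'username <peer> password <secret>' entries:
    a mapping from the peer's hostname to the secret shared with it.
    """

    def __init__(self, hostname, peers):
        self.hostname = hostname
        self.peers = dict(peers)
        self._pending = {}  # identifier -> challenge we issued and not yet verified

    @staticmethod
    def _response_value(identifier, secret, challenge):
        # RFC 1994: MD5 over the Identifier octet, the secret, and the Challenge Value.
        return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

    def challenge(self, identifier, challenge=None):
        """Authenticator side: send (id, random challenge, our name). No secret on the wire."""
        if challenge is None:
            challenge = secrets.token_bytes(16)
        self._pending[identifier] = challenge
        return {"id": identifier, "challenge": challenge, "name": self.hostname}

    def respond(self, msg):
        """Peer side: use the secret stored for the challenger's name, answer with ours."""
        secret = self.peers.get(msg["name"])
        if secret is None:
            raise LookupError(f"no username entry for peer {msg['name']!r}")
        value = self._response_value(msg["id"], secret, msg["challenge"])
        return {"id": msg["id"], "value": value, "name": self.hostname}

    def verify(self, resp):
        """Authenticator side: recompute from the secret stored for the responding name."""
        challenge = self._pending.pop(resp["id"], None)  # each challenge is single-use
        secret = self.peers.get(resp["name"])
        if challenge is None or secret is None:
            return False
        expected = self._response_value(resp["id"], secret, challenge)
        return hmac.compare_digest(expected, resp["value"])


def authenticate(authenticator, peer, identifier=1, challenge=None):
    """Run Challenge -> Response -> Success/Failure; True means Success."""
    msg = authenticator.challenge(identifier, challenge)
    try:
        resp = peer.respond(msg)
    except LookupError:
        return False
    return authenticator.verify(resp)


if __name__ == "__main__":
    router_a = ChapRouter("RouterA", {"RouterB": "s3cret"})
    router_b = ChapRouter("RouterB", {"RouterA": "s3cret"})
    print("matching secrets:", authenticate(router_a, router_b))
    router_b_wrong = ChapRouter("RouterB", {"RouterA": "other"})
    print("mismatched secrets:", authenticate(router_a, router_b_wrong, identifier=2))
```

Both directions work because each router carries a username entry for the other; a router whose name is missing from the challenger's table, or whose secret differs, gets Failure.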

PPP Multilink

Multilink is a feature that enables the use of both B-channels combined for one call.
To turn on multilink use the following command:
Router(config-if)#ppp multilink

Use the following command to specify when the second B-channel should kick in
(bandwidth on demand). When the total load for this connection reaches this
threshold, the router brings up the other B-channel. This value represents a
utilization percentage; it is a number between 1 and 255, where 255 is 100 percent.
Router(config-if)#dialer load-threshold 60

TROUBLESHOOTING AND MONITORING ISDN

Here are some commonly used show and debug commands to monitor and troubleshoot
ISDN. All of them are issued from privileged EXEC mode (the Router# prompt), not
from configuration mode:

Router#show interfaces bri number
Displays information about the physical attributes of the ISDN BRI B and D channels.

Router#show controllers bri number
Displays protocol information about the ISDN B and D channels. Checks Layer 1
(physical layer) of the BRI.

Router#show isdn {active | history | memory | status | timers}
Displays information about calls, history, memory, status, and Layer 2 and Layer 3
timers.

Router#show dialer interface bri number
Obtains general diagnostic information about the specified interface. Checks Layer 3
(network layer).

Router#show isdn status
Use to verify that ISDN BRI Layer 1 is ACTIVE, the Layer 2 state is
MULTIPLE_FRAME_ESTABLISHED, and the service profile identifiers (SPIDs) are valid.

Router#debug isdn q921
Checks Layer 2 (data link layer).

The following three commands offer more advanced methods to check Layer 3
(network layer) operation:

Router#debug isdn events
Router#debug isdn q931
Router#debug dialer

Debug output is generated for every event and can load a busy router heavily;
turn it off again with Router#undebug all as soon as you have what you need.

ACCESS LISTS

Access lists allow Cisco routers to function as a packet filter and are supported for
several protocols. The most common of these protocols are listed in the following
table:

Protocol                Range
IP standard             1-99 (and 1300-1999 in IOS 12.0 and higher)
IP extended             100-199 (and 2000-2699 in IOS 12.0 and higher)
Ethernet type code      200-299
DECnet                  300-399
XNS                     400-499
Extended XNS            500-599
AppleTalk               600-699
Ethernet address        700-799
IPX standard            800-899
IPX extended            900-999
IPX SAP                 1000-1099

Access lists are lists of rules that either permit or deny certain inbound or outbound
traffic from and to particular hosts or networks. The access list and its rules are
applied to one or more interfaces on the router. When the router routes traffic
through such an interface, the rules in the list are processed sequentially from the
top; the first rule that matches the packet decides whether it is permitted or
denied, and no further rules are checked. When no rule matches, the packet is denied
by default because of the implicit deny any at the end of every access list. For
example, if you deny telnet traffic to host 172.16.22.139 using the rule
access-list 110 deny TCP any host 172.16.22.139 eq TELNET and this is the only rule
in the access list, you effectively deny all IP traffic in the direction in which the
list is applied on that interface.

The implicit deny all, for many, is a confusing part of access lists and often forgotten
in practice while in fact it is very logical. If you want to protect a network using a
packet filter, you would typically start out with denying all traffic, and from there
permit certain hosts or networks to communicate certain traffic.

In addition to protecting private networks from external intruders, access lists are
also commonly used to manage network traffic. For example, if you do not want
certain protocols or services available in particular subnets you can block only those
ports but permit all other traffic. This is also used as an effective way to prevent
traffic such as ICMP messages and routing updates from traveling over certain links.

Standard IP Access Lists

Standard IP access lists are used to permit/deny traffic from or to one or more IP
addresses.

Use the access-list command in global configuration mode to create access lists:

router(config)#access-list number deny|permit source [source-wildcard] [log]

The source is a single address, an address followed by a wildcard mask, or the
keyword any. Use the ip access-group command in interface configuration mode to bind
the access list to an interface, giving the direction (in for packets arriving on the
interface, out for packets leaving it):
router(config-if)#ip access-group number in|out

For example, to deny hostC from sending traffic to the WAN in the network depicted
in the diagram below, use the following commands.

router(config)#access-list 10 deny 192.168.23.11


router(config)#access-list 10 permit any
router(config)#interface ethernet 0
router(config-if)#ip access-group 10 in

When traffic arrives on the router's Ethernet interface the rules in access list 10
are processed; if the traffic is sent by hostC, the router drops the packets and
stops processing the rules. The rule access-list 10 permit any is included because of
the implicit deny: there must be at least one permit rule, otherwise the protocol is
completely blocked on that interface in that direction as soon as you bind the list.
Note that a standard list only looks at the source address, so applied inbound on
Ethernet 0 it stops hostC from sending anything through the router, not just to the
WAN; if you only want to block the WAN, apply it outbound on the serial interface
instead.

Wildcard Masks/Inverse Masks

Instead of specifying a single IP address, you can also permit or deny
networks/subnets entirely or partly by using wildcard masks, also known as inverse
masks. To understand this concept, it helps a lot if you have some basic
understanding of subnetting.

The first example is simple: if you want to deny access to all hosts in the network
172.16.23.0 with subnet mask 255.255.255.0, you use 172.16.23.0 0.0.0.255 as the
source in the access-list command. When the router checks whether the address in an
incoming packet matches the address specified in the access list, it only compares
the bits of the address where the corresponding bit in the inverse mask is 0. The
bits of the address where the corresponding bit in the inverse mask is 1 can be
anything (in this example the whole last octet, 0 to 255).

In other situations, where you want to specify a range of addresses that does not
have the boundary between 0s and 1s exactly between octets, you might need to
convert it all to binary to determine the inverse mask. For example, you want to
specify the network 172.18.16.0 with the subnet mask 255.255.240.0. When you
convert this mask to binary it shows that in this subnet mask the first 20 bits are set
to 1 (11111111.11111111.11110000.00000000), so the inverse mask would have
the first 20 bits set to 00000000.00000000.00001111.11111111 which is 0.0.15.255
in decimal notation. This would specify the address range 172.18.16.0 to
172.18.31.255.

If you want the source or destination to be any host from any network you could use
the address 0.0.0.0 with the inverse mask 255.255.255.255, but to save yourself from
typing so many keys you can use the keyword any instead.

In Extended Access lists the keyword host can be used to replace the 0.0.0.0 inverse
mask. Instead of specifying a single address with 192.168.23.11 0.0.0.0 you can use
host 192.168.23.11.

Extended IP Access Lists

Extended IP access lists offer more granular control compared to standard lists that
only allow you to deny or permit traffic from a certain source. Extended access lists
allow you to control TCP/IP traffic based on the Transport protocol being used (TCP
or UDP) and the service or application (e.g. SMTP, Telnet) from source addresses
AND destination addresses.

Use the access-list command in global configuration mode to create the access lists.
This command supports numerous arguments, most of them beyond the scope of the CCNA
exam. At the bottom of this TechNote are links to documents at Cisco.com explaining
the complete syntax. Nevertheless, here is the most important part:
router(config)#access-list number deny|permit protocol source source-wildcard|any destination destination-wildcard|any [operator port]

When TCP or UDP is used as the protocol argument, two other important arguments
are operator and port. The port argument can be a TCP or UDP port number or name
(e.g. 21 or FTP, 23 or TELNET, 123 or NTP); the operator is usually eq, which means
equal, other options include lt (less than), gt (greater than), neq (not equal) and
range. The operator and port apply to the address they follow, so they can be given
for the source port, the destination port, or both.

Use the ip access-group command in interface configuration mode to apply the access
list to an interface: router(config-if)#ip access-group number in|out

Take a look at the diagram below for example:

You can prevent SMTP traffic originating from the WANs from traveling over link A to
an SMTP server with destination 192.168.115.20 by putting an outbound extended IP
access list on the Serial 0 interface of RouterX, using the following commands on
RouterX (or RouterY):

router(config)#access-list 105 deny TCP any host 192.168.115.20 eq SMTP


router(config)#access-list 105 permit IP any any
router(config)#interface serial 0
router(config-if)#ip access-group 105 out

Following is another example using the same diagram. It shows how you can use
extended access lists to control ICMP traffic (used by utilities such as ping and
traceroute). For example, to stop the hosts in the Ethernet network attached to
RouterY from using ICMP to communicate with hosts on the other side of the router,
use the following commands on RouterY:

router(config)#access-list 102 deny icmp 192.168.115.0 0.0.0.255 any


router(config)#access-list 102 permit IP any any
router(config)#interface serial 1
router(config-if)#ip access-group 102 out

The following command removes an access list from an interface:
router(config-if)#no ip access-group number|name in|out
For example: router(config-if)#no ip access-group 102 out

The following command completely deletes an access list from the configuration:
router(config)#no access-list number|name
For example: router(config)#no access-list 102

Remove the list from its interfaces before deleting it: an ip access-group statement
that refers to a list that no longer exists (or has no entries) filters nothing, so
deleting a list that is still applied silently opens that interface. Also, a numbered
list cannot be edited rule by rule; no access-list 102 followed by a single rule
removes the whole list, so keep a copy of the rules before editing.
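A small simulator of the evaluation rules described above (top-down, first match wins, implicit deny, wildcard masks) and of the wildcard arithmetic from the Wildcard Masks section, as an added example in Python. It is not code from the TechNote or from IOS; the three lists transcribe the numbered examples in the text (110, 10 and 105) and the packets are constructed.

```python
"""Added example (not from the TechNote or IOS): a small simulator for
Cisco-style IP access lists. It models what the text describes: rules are
checked top-down, the first match decides, and a packet that matches no rule
is dropped by the implicit deny. Wildcard masks are applied bit by bit: a 1
bit means "don't care", a 0 bit must match. The lists below transcribe the
numbered examples from the text (110, 10, 105); the packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # the `any` keyword


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """addr matches when it agrees with base on every bit that is 0 in wildcard."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_from_netmask(netmask: str) -> str:
    """Inverse mask: 255.255.240.0 -> 0.0.15.255."""
    return str(ipaddress.IPv4Address(~_ip(netmask) & 0xFFFFFFFF))


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a base/wildcard pair can match."""
    low = _ip(base) & (~_ip(wildcard) & 0xFFFFFFFF)
    high = low | _ip(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def host(addr: str) -> Tuple[str, str]:
    """The `host` keyword: a single address, wildcard 0.0.0.0."""
    return (addr, "0.0.0.0")


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # ip (any protocol), tcp, udp or icmp
    src: Tuple[str, str] = ANY       # (address, wildcard)
    dst: Tuple[str, str] = ANY       # standard lists: always ANY
    dst_port: Optional[int] = None   # "eq port" on tcp/udp rules


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ip" and rule.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, *rule.src) or not wildcard_match(pkt.dst, *rule.dst):
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an exhausted list is the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# access-list 110 deny tcp any host 172.16.22.139 eq telnet   (the only rule)
ACL_110 = [Rule("deny", "tcp", ANY, host("172.16.22.139"), 23)]
# access-list 10 deny 192.168.23.11 / access-list 10 permit any
ACL_10 = [Rule("deny", "ip", host("192.168.23.11")), Rule("permit")]
# access-list 105 deny tcp any host 192.168.115.20 eq smtp / permit ip any any
ACL_105 = [Rule("deny", "tcp", ANY, host("192.168.115.20"), 25), Rule("permit")]

if __name__ == "__main__":
    web = Packet("tcp", "10.1.1.1", "172.16.22.140", 80)
    print("ACL 110, HTTP to another host:", evaluate(ACL_110, web))  # implicit deny
    print("ACL 10, hostC:", evaluate(ACL_10, Packet("ip", "192.168.23.11", "10.9.9.9")))
    print("172.18.16.0/20 wildcard:", wildcard_from_netmask("255.255.240.0"),
          wildcard_range("172.18.16.0", "0.0.15.255"))
```

The ACL_110 case is the one the text warns about: with a lone deny rule, even traffic the rule does not mention is dropped, because nothing permits it before the list runs out.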

Named Access Lists


If your router is running IOS 11.2 or higher, you can create named access lists.
Instead of choosing a number between 1-99 (standard) or 100-199 (extended), you use
a descriptive name, which allows for more lists and more convenient management. Named
lists also let you remove a single rule with the no form of that rule, which numbered
lists do not support. The commands to create a named access list are different for
standard and extended access lists.

To create a named access list, use the following command in global configuration
mode:
router(config)#ip access-list {standard | extended} name

This command will take you into access-list configuration mode where you can define
the deny and permit rules. For example to create a named access list with the name
wwwfilter and permit only access from the networks 192.168.132.0, 172.17.0.0 and
10.0.0.0 use the following commands:

router(config)#ip access-list standard wwwfilter
router(config-std-nacl)#permit 192.168.132.0 0.0.0.255
router(config-std-nacl)#permit 172.17.0.0 0.0.255.255
router(config-std-nacl)#permit 10.0.0.0 0.255.255.255

Use the exit command to exit access-list configuration mode.

A named list is applied to an interface in the same way as with numbered lists:
router(config-if)#ip access-group wwwfilter out

VTY Lines

You can also use standard access lists to limit access to the VTY lines, i.e. to
restrict which source addresses may open a Telnet session to the router. The list is
applied with access-class in line configuration mode rather than with ip access-group.
For example, to allow only 192.168.23.8 to connect:

router(config)#access-list 5 permit 192.168.23.8
router(config)#line vty 0 4
router(config-line)#access-class 5 in

Because of the implicit deny, every other source is refused.

Monitoring and Verifying

The following commands are useful for monitoring and verifying the operation of
access lists.

The show ip interface command displays which access lists are applied to the
specified interface (look for the lines "Outgoing access list is" and "Inbound
access list is"), for example:
Router#show ip interface serial 1

The following command displays the contents of an access list and the number of
matches per permit/deny rule (matches are only counted while the list is applied
to an interface or line):
Router#show access-lists number|name

If you do not specify an access-list number or name, all the current access lists are
displayed. You can also use the show ip access-lists command to display one or all
of the current IP access lists.

BASIC ROUTER TECHNIQUES

Configure the router

To configure the router we are going to use HyperTerminal (included in Windows),
but most terminal emulators will do. Make sure the console cable is attached to a
COM port on your PC and the other end to the Console port of one of the routers.

- Start up HyperTerminal (Start, Programs, Accessories, Communication)
- When the New Connection dialog box opens, enter a description for the connection
(i.e. Cisco 2501), select an icon and click OK.
- Select the COM port to which the console cable is connected and click OK.
- Set the properties of the COM port to: Bits per second 9600, Data bits 8, Parity
None, Stop Bits 1, and Flow control None.
- Save the connection and place the shortcut on a meaningful location, i.e. your
desktop.

If you turn on the power of the router after you start HyperTerminal and connect,
you will see output similar to the following:

System Bootstrap, Version 11.0(10c), SOFTWARE, Copyright (c) 1986-1996 by Cisco Systems
2500 processor with 8192 Kbytes of main memory

Read the Basic Cisco Router Configuration and Management TechNotes for more
information about the router start-up sequence.

If the router is turned on already, and you connect to it, the following output will be
shown by default:

Router con0 is now available


Press RETURN to get started.
(Router is the hostname of the router, which can be different.)

If there isn't a startup configuration available, the initial Setup dialog is started,
which is like a text-based wizard. In general, you should skip it and configure the
router manually.

If this is 'your first time', or you simply want to check everything, run the following
commands at the command prompt and check out the output:
Router> show version
Router> show interfaces
Router> show flash (This shows the flash memory and the IOS file.)
Router> ?

Or start right-away with our first TechLab: Configuring a RIP network

ROUTER COMPONENTS
RAM
Random-Access Memory, similar in function to the RAM in a PC. This is where the IOS
runs its processes. It also contains the running configuration, the routing and other
tables, and the packet buffers.

ROM
This Read-Only Memory stores an older, limited IOS used to boot the router for the
very first time, or when the Flash memory is erased or corrupted.

FLASH
This 'flash-able' memory stores the IOS image, the operating system of the router.

NVRAM
Unlike normal RAM, Non-Volatile Random-Access Memory does not lose its content when
the router's power is turned off. It stores the startup configuration and the
configuration register.
Config register
The NVRAM has a special location that contains the 16-bit configuration register.
Every time the router boots it reads this value. The config-register value is a
hexadecimal number ranging from 0x0000 to 0xFFFF and can be set using the
config-register command. The most important portion of the configuration register to
understand for the exam is the boot field (bits 0 through 3, hexadecimal range 0x0
to 0xF). The boot field specifies where the IOS image is loaded from during startup,
or whether loading it is bypassed altogether.

Boot field   Meaning
0x0          The router enters ROM monitor mode and remains at the system
             bootstrap prompt.
0x1          The IOS image stored in ROM is loaded.
0x2-0xF      The router boots normally: it loads the default IOS image stored in
             Flash and honours boot system commands in the startup configuration.

The remaining 12 bits of the configuration register are used for various functions
such as enabling/disabling the Break key, setting the console line speed, bypassing
NVRAM (bit 6, value 0x0040), and controlling the broadcast address. The NVRAM-bypass
bit is what the password recovery procedure relies on: with 0x2142 the router boots
without loading the startup configuration, so anyone with console access gets a
password-less Privileged EXEC prompt. This is why physical access to the console port
must be controlled, and why you should verify with show version that a router is back
at 0x2102 after a recovery. To change the configuration register you have to be in
global configuration mode. Use the command configure terminal, often abbreviated to
conf t, in privileged EXEC mode to enter global config mode. You enter privileged
EXEC mode using the enable command; when you enter the correct password the prompt
changes to Router# (where "Router" is the hostname of the router).

Once you are in global config mode use the following command to change
configuration register value:
Router(config)#config-register 0x2102
where 0x2102 is an example of a config-register value.

You can view the current configuration setting by using the Router#show version
command. The last line of the output will display the current value and if it is
different, the value after reboot:
Configuration register is 0x2142 (will be 0x2102 at next reload)

Router start-up sequence

A router boots similar to a regular computer: it first performs a power-on self test
(POST) of the hardware, next loads the bootstrap code from ROM, loads the IOS image
from Flash into RAM, performs a hardware inventory, and finally locates and loads a
configuration file. You can reboot a router by using the power switch or the reload
command.

Initial router configuration

As mentioned earlier, the router configuration is stored in NVRAM. This is the place
where the router will search for a configuration file. Alternatively, you can configure
the router to load a configuration file from a TFTP server. If the router cannot locate
a configuration file (on a new router for example) it will start setup and it will ask if
you want to enter the initial configuration dialog. If you answer with No, you'll be
taken to the command prompt and you'll be able to configure the router manually. If
you answer with Yes, you'll be taken through a list of questions allowing you to
configure the router e.g. set a hostname and enable password and secret, configure
routed and routing protocols, and assign addresses to interfaces. You can initiate this
configuration dialog at any time by using the setup command.

Manage configuration files

A Cisco router contains two configurations: the startup configuration (usually stored
in NVRAM) and the running configuration (stored in RAM). When you make changes
to the router configuration by entering global configuration mode by using the
config terminal command, the changes are made to the running configuration.

To copy the currently running active configuration to NVRAM, in other words to save
a changed running configuration to the startup configuration so it will be used the
next time you reload the router, use the following command:
Router#copy running-config startup-config

The following command loads the startup configuration stored in NVRAM into RAM
and makes it the active running configuration.
Router#copy startup-config running-config

You can also copy the running configuration to a TFTP server using the following
command:
Router#copy running-config tftp 222.222.222.1
This can be done with the startup configuration as well:
Router#copy startup-config tftp 222.222.222.1
Keep in mind that TFTP has no authentication and no encryption, and that a
configuration file contains every password on the router (see the password section
below), so the TFTP server should sit on a management network and its directory
should be readable only by administrators.

You can view the running configuration using the command:


Router#show running-config
And view the startup config using the command:
Router#show startup-config

You can use the erase command to delete the content of NVRAM:
Router#erase startup-config

Load, backup, and upgrade IOS


Instead of using the IOS stored in Flash, you can load it from a TFTP server, or you
can load the limited IOS from ROM. This is configured in the configuration file using
the following commands in global configuration mode:

To load Cisco IOS software from Flash memory use the following command:
Router(config)#boot system flash
Although this is the default behavior, using this command is useful especially when
you have multiple IOS images stored in Flash. If you do not specify a filename, the
first image located is loaded.

To load Cisco IOS software from a TFTP server use the following command:
Router(config)#boot system tftp

To load Cisco IOS software from ROM use the following command:
Router(config)#boot system rom
Note that this loads the limited IOS version and will likely prevent normal
operation.
You can use a combination of these commands to provide some redundancy; you can
even specify multiple TFTP servers. The boot system commands are tried in the order
they appear in the configuration, so place them in the correct order: flash first,
tftp as backup, and rom as last resort. The configuration register's boot field must
be set to 0x2 through 0xF for the router to check the configuration file in NVRAM for
boot system commands.
To back up the IOS stored in Flash to a TFTP server use the following command:
Router#copy flash tftp 222.222.222.1 c2600-js-l_121-5.bin

To upgrade the IOS stored in Flash use the following command:


Router#copy tftp flash

You will be prompted for an IP address of the TFTP server (defaults to the broadcast
address 255.255.255.255) and a filename.
To delete the content stored in Flash use the command:
Router#erase flash

CONNECTING TO A ROUTER
There are multiple ways to establish connectivity to a router to perform configuration
tasks:

- Console port
Cisco routers are equipped with a Console port, which is an RJ-45 port on most
routers but on some high-end routers it's a DB-25 connector. You can connect a
terminal (a notebook or a PC for example) to the console port using a RJ-45 roll-over
cable with RJ-45, DB-9, or DB-25 connectors on the ends. A common example is a
cable with a RJ-45 connector connecting to the router's console port and a DB-9
connector on the other end connecting to the PC's COM port. When you connect a PC
to the router's console port you can use a terminal emulator to configure the router.
When you start a session the following should appear:
Router con0 is now available.
Press RETURN to get started

- Auxiliary port
Many Cisco routers are also equipped with an Auxiliary port, which can be used to
connect a modem and allow for remote administration of the router. Since a modem on
the AUX port makes the router reachable by anyone who dials the number, the AUX line
must at the very least be protected with a password (see the password section below).

Managing a router using the ports mentioned above is called out-of-band
management.
For more information about how to physically connect to the Console and Auxiliary
port check the Cabling Guide for Console and AUX Ports and Configuring a Modem on
the AUX Port for EXEC Dialin Connectivity at Cisco.com.

- Telnet
Once your router is configured with an IP address, a Telnet connection is the most
common way to connect to a router to manually configure and monitor it. Cisco IOS,
the router's operating system, has a built-in Telnet server and a Telnet client. This
allows you to connect to a router using a Telnet client from a PC, but from another
Cisco router as well. This type of connection, using the same network the router
operates in, is also known as in-band management. Telnet sends username and
password credentials in clear text, so anyone who can capture traffic on the path can
read them; it should be replaced with SSH where the IOS image supports it, and in
either case the VTY lines should be restricted with an access-class.

ROUTER MODES

User EXEC mode

This is the mode you enter once you are connected, and if required, logged on to the
router. In this mode you can perform non-disruptive troubleshooting, for example,
view the routing table and status of components. You can NOT view or modify the
configuration in User EXEC mode.

When you connect to the router and press the <Enter> key (Press RETURN to get
started) you'll be prompted for a password:
User Access Verification
Password:
When you enter the correct console, Telnet or AUX password (depending on how you
connect to the router) and press <Enter>, the User EXEC mode command prompt
appears:
Router>
"Router" is the default hostname for all Cisco routers. The > indicates you are in
User EXEC mode.
To exit User EXEC mode and quit the session with the command-line executive use
one of the following commands:
Router>logout
or
Router>exit

Privileged EXEC mode

This is similar to logging on as an administrator in Windows 2000, for example. When
you are in this mode, you can view and modify the configuration.
Router>enable <enter>
Password:
After submitting the correct enable password (or enable secret, which we'll discuss
later on) and pressing the <Enter> key the command prompt will change again:
Router#
The # indicates you are in Privileged EXEC mode.
To exit Privileged EXEC mode and return to User EXEC mode use the following
command:
Router#disable
To exit Privileged EXEC mode and quit the session with the router, use one of the
following commands:
Router#logout
or
Router#exit
Global Configuration mode

To actually change the running configuration, you'll have to enter global
configuration mode by using the command configure terminal (to configure the
running configuration), or the command configure memory (which loads the startup
configuration from NVRAM into the running configuration), in Privileged EXEC mode.
Global configuration mode allows you to configure
settings that affect the entire router, hence its name 'global'. To show you how this
works we are going to change the hostname of the router as an example:
Router#configure terminal (usually abbreviated to conf t)
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Rnewyork1
Rnewyork1(config)#
As you can see the change immediately takes effect by looking at the prompt, which
now reflects the new name.

To exit global configuration mode and return to Privileged EXEC mode use one of the
following commands:
Rnewyork1(config)#end
or
Rnewyork1(config)#exit
Or use the key combination CTRL-Z
You can use the following command to save the configuration to NVRAM so it will be
used next time the router starts:
Rnewyork1#copy running-config startup

Interface Configuration mode

You need to enter interface configuration mode when you want to configure settings
specific to an interface, such as assigning an IP address. To enter interface
configuration mode you must use the interface command and provide the name and
number of an existing interface. Following are some examples:
Router(config)#interface ethernet 0
Router(config-if)#
Router(config)#interface serial 2
Router(config-if)#
As you can see in the first example, interface numbering starts at 0; the second
Ethernet interface on a router would be Ethernet 1. Also noticeable is the change in
the prompt.
These commands are usually abbreviated, for example to int e1 or int s0.

To exit interface configuration mode and return to global configuration mode, enter
the following command:
Router(config-if)#exit
To exit interface configuration mode and return to Privileged EXEC mode, use the
key combination CTRL-Z
or
Router(config-if)#end
Other configuration modes include:

Sub-interface configuration mode    Router(config-subif)#
Router configuration mode           Router(config-router)#
Line configuration mode             Router(config-line)#

CONFIGURING ROUTER PASSWORDS


This section describes the four main passwords that are directly related to managing
and configuring the router.

Console password
Use the following commands to configure the console password. The first command
is used to enter Line configuration mode. The second configures the password
"cisco123", and the third command configures the console line to require a login.
Router(config)#line con 0
Router(config-line)#password cisco123
Router(config-line)#login

Telnet password
Use the following commands to configure a password for Telnet access:
Router(config)#line vty 0 4
Router(config-line)#password cisco123
Router(config-line)#login

Auxiliary password
Use the following commands to configure the auxiliary port password (the 2501 has a
single AUX line, numbered 0):
Router(config)#line aux 0
Router(config-line)#password cisco123
Router(config-line)#login

Enable password and enable secret

The enable password and enable secret are local passwords used to control
access to Privileged EXEC mode. The difference between the two is that the enable
password is stored in clear text in the configuration file, whereas the enable
secret is stored as a salted MD5 hash (shown as type 5 in the configuration), from
which the password cannot be recovered other than by guessing.
For example, in the configuration file an enable password could be:
enable password cisco123
and an enable secret could be:
enable secret 5 $1$iSuI$i7TiENAn69392tYvh5wwZ1
The enable secret overrides the regular enable password, except when an old IOS
image is used that doesn't support the enable secret. If you configure both, do not
use the same string for both; the clear-text enable password would give the secret
away.
To configure an enable password, go to global config mode and issue the following
command:
Router(config)#enable password cisco123
where cisco123 is just an example for a password.
To configure an enable secret, go to global config mode and issue the following
command:
Router(config)#enable secret cisco456
where cisco456 is just an example for a password.
If you do not set an enable password or enable secret, you don't have to enter a
password when you type the enable command on the console, but you will have problems
connecting to the router using Telnet, for example: without an enable password or
secret you won't be able to enter Privileged EXEC mode over a VTY line.


By default all passwords except the enable secret are stored in clear text in the
configuration file. When you keep backups on TFTP servers, or even on floppy disks,
this is an important issue. It can be mitigated with the following command, which
obscures the passwords:
Router(config)#service password-encryption
The salted MD5 hash used for the enable secret is much stronger than the rather
simple reversible encoding (shown as type 7 in the configuration) applied by service
password-encryption, which can be decoded instantly with publicly available tools.
Treat type 7 passwords as clear text when deciding who may read a configuration
backup.
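What "can be decoded with publicly available tools" means in practice, as an added example in Python that is not from the TechNote: the type 7 scheme is a two-digit seed followed by the password bytes XORed with a fixed, publicly known key string, so anyone holding a configuration backup recovers the line passwords in microseconds. The configuration excerpt at the bottom is constructed for the example; the enable secret hash in it is the one shown in the text and is deliberately left untouched by the scan.

```python
"""Added example (not from the TechNote): the reversible "type 7" scheme that
`service password-encryption` applies, implemented in Python to show why it is
only obfuscation. A type 7 string is a two-digit seed followed by hex bytes,
each byte being the password character XORed with a character of a fixed,
publicly known key string. `enable secret` uses a salted MD5 hash instead and
is not reversible this way. The configuration snippet at the bottom is
constructed for the example."""
import random
import re
from typing import List, Optional, Tuple

# The fixed XOR key used by IOS for type 7; it is the same on every router.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})")


def type7_decrypt(ciphertext: str) -> str:
    """Undo service password-encryption: seed + hex bytes -> plaintext."""
    if len(ciphertext) < 4 or len(ciphertext) % 2:
        raise ValueError("type 7 strings are 2 seed digits plus whole hex bytes")
    seed = int(ciphertext[:2])
    body = bytes.fromhex(ciphertext[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encrypt(plaintext: str, seed: Optional[int] = None) -> str:
    """Produce a type 7 string; IOS picks a small random seed, as does this."""
    if seed is None:
        seed = random.randrange(0, 16)
    return f"{seed:02d}" + "".join(
        f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plaintext))


def recover_type7_passwords(config_text: str) -> List[Tuple[str, str]]:
    """Scan a saved config for `password 7 ...` lines; return (line, plaintext)."""
    found = []
    for line in config_text.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decrypt(m.group(1))))
    return found


# Constructed configuration excerpt, as it might appear in a TFTP backup.
# The type 5 enable secret is a hash and is not touched by the scan.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$iSuI$i7TiENAn69392tYvh5wwZ1
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password 7 {}
 login
""".format(type7_encrypt("cisco456", seed=3))

if __name__ == "__main__":
    for line, plain in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{line:<32} -> {plain}")
```

The console line in the sample decodes to "cisco"; the VTY line was encoded by the same function a moment earlier and decodes straight back. This is why a configuration backup must be protected exactly as carefully as the clear-text passwords it contains.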

Context-sensitive help facility


An IOS feature that helps with using the correct command syntax. For example,
when you type a command but you do not know the full syntax, you can type a ?
behind it and a list with possible options (in that particular mode) will appear:

Router#show ?
access-expression List access expression
access-lists List access lists
accounting Accounting data for active sessions
aliases Display alias commands
appletalk AppleTalk information
arap Show Appletalk Remote Access statistics
arp ARP table
async Information on terminal lines used as router interfaces
backup Backup status
bridge Bridge Forwarding/Filtering Database [verbose]
buffers Buffer pool statistics
cdp CDP information
clock Display the system clock
compress Show compression statistics
configuration Contents of Non-Volatile memory
controllers Interface controller status
debugging State of each debugging option
decnet DECnet information
dhcp Dynamic Host Configuration Protocol status
dialer Dialer parameters and statistics
dnsix Shows Dnsix/DMDP information
dxi atm-dxi information
entry Queued terminal entries
--More--

You don't need to press the <Enter> key after the ?, and when the end of the list is
reached the command will be after the prompt again without the ? so you can
continue typing the correct option. (When a list like this does not fit in the maximum
allowed lines, --More-- will be displayed on the last line, press the <Enter> key to
scroll down per line or the <Spacebar> to scroll down to the next screen.)

When you type a single ? or just the command help a list with all possible commands
will be displayed.

Command history and editing features

This refers to another set of useful features which are meant to make working with
the command line interface a little more convenient.
By default the 10 previously issued commands are remembered. These commands
can be retrieved for reuse by pressing CTRL-P or the up arrow key. You can
modify the command-line history buffer size using the following command:

Router#terminal history size 25

(This sets the buffer to 25 commands for the current session.)

You can view the history using the following command:

Router#show history

Some other useful key combinations:

CTRL-P (or UP arrow key)      Displays the previous command in the history buffer.
CTRL-N (or DOWN arrow key)    Displays the next command in the history buffer.
CTRL-A                        Jumps to the beginning of the command line.
CTRL-E                        Jumps to the end of the command line.
CTRL-B (or LEFT arrow key)    Moves the cursor back one character.
CTRL-F (or RIGHT arrow key)   Moves the cursor forward one character.
CTRL-W                        Deletes the last word typed.

The arrow keys function only on ANSI-compatible terminals such as VT100s. You can
configure your terminal emulator to use VT100 emulation.
Another useful feature to assist with the command syntax is auto-complete. For
example, when you type a command partly but you don't know how to spell a
particular option, you can let IOS complete it by pressing the TAB key:
Router#show cdp nei<TAB>
Router#show cdp neighbors

This only works when the given part is enough to determine a single particular
option. For example, the command Router#show access does not result in
Router#show access-expression because it could be Router#show access-
lists as well.
These enhanced editing features are enabled by default. If you wish to disable them
for your current session, use the following privileged EXEC command:
Router#terminal no editing
To disable them permanently for a line, use no editing in line configuration mode.

CONFIGURING RIP NETWORK

Note: to perform this lab you need 2 Cisco routers connected and two hosts; we
assumed two 2501 routers, but pretty much anything will do. This lab does not cover
how to physically connect the routers and the hosts, but rather assumes you can tell
by looking at the diagram. This lab comes in three versions: the one you are looking
at, a printer-friendly version with the commands, and a printer-friendly version
without the commands which can be used as an assessment. The printer-friendly
versions are for members only. Also note that the commands in this lab often include
the router command prompt and never use the abbreviated form.

This first TechExams.Net CCNA Lab covers a couple of basic configuration
tasks, such as setting passwords and enabling IP routing using RIP. You will need a
lab setup similar to the network diagram below:

Before you start, make sure you clear both routers' configuration using the
Router#erase startup-config command. First we will configure RouterA. After the
router reboots, the following message will be displayed:

% Please answer 'yes' or 'no'.

Would you like to enter the initial configuration dialog? [yes/no]

Type no and press ENTER. Press ENTER again when the message Press RETURN to
get started appears. Type enable at the Router> command prompt to enter
Privileged Exec mode, and notice the prompt changes to Router#.

CONFIGURING THE FIRST ROUTER


STEP 1. Change the router's host name to RouterA

Enter configuration mode using the following command:


Router#configure terminal
Change the host name of the router to RouterA using the following command:
Router(config)#hostname RouterA

STEP 2. Disable domain lookups

To prevent the router from interpreting every incorrectly typed command as a host
name and trying to resolve it to an IP address to set up a telnet connection with it,
use the following command:
RouterA(config)#no ip domain-lookup

STEP 3. Configure passwords

First set the enable password to cisco123 using the following command:
RouterA(config)#enable secret cisco123
Next, set the password for telnet connections to cisco456 using the following
commands:
RouterA(config)#line vty 0 4
RouterA(config-line)#password cisco456
RouterA(config-line)#login
Although the enable secret command is used to encrypt the enable password, other
passwords stored in the router's configuration should be encrypted as well. To do
this, use the following command:
RouterA(config)#service password-encryption

STEP 4. Configure the Ethernet interface


Enter Interface configuration mode for the Ethernet interface, using the following
command:
RouterA(config)#interface Ethernet 0
Give it the description "Connected to LAN" using the following command:
RouterA(config-if)#description Connected to LAN
Configure the IP address (see diagram for correct address) for the interface using
the following command:
RouterA(config-if)#ip address 192.168.11.1 255.255.255.0
Enable the interface using the following command:
RouterA(config-if)#no shutdown

STEP 5. Configure the serial WAN interface

Switch to Interface configuration mode for the first Serial interface, using the
following command:
RouterA(config)#interface Serial 0

Give it the description "Direct connection to RouterB" using the following command:
RouterA(config-if)#description Direct connection to RouterB

Configure the IP address (see diagram for correct address) for the interface using
the following command:
RouterA(config-if)#ip address 192.168.22.5 255.255.255.0

Configure the interface to use PPP encapsulation using the following command:
RouterA(config-if)#encapsulation ppp

Enable the interface using the following command:


RouterA(config-if)#no shutdown

STEP 6. Configure RIP

Use the following command to enable RIP on RouterA:


RouterA(config)#router rip
Configure the router to receive and send only RIP Version 2 packets using the
following command:
RouterA(config-router)#version 2
Use the following commands to specify the networks directly connected to the
router:
RouterA(config-router)#network 192.168.11.0
RouterA(config-router)#network 192.168.22.0

STEP 7. Save configuration

To copy the current running configuration to NVRAM, so it will be used the
next time you reload the router, return to Privileged Exec mode and use the following
command:
RouterA#copy running-config startup-config

STEP 8. Configure the second router

To configure the other router, RouterB, repeat the steps above. Use the network
diagram to determine the correct addressing and names. To enable the back-to-back
serial connection between the routers, you need to configure one router as DCE
using the following command in Interface configuration mode for the serial
connection on RouterB:
RouterB(config-if)#clock rate 64000

STEP 9. Verify and test the configuration

Verify connectivity by pinging Host B from Host A. Make sure you configured both
hosts to use the nearest router's interface as the default gateway in their TCP/IP
settings.

On both routers, run the following command in Privileged Exec mode to determine
which device is the DCE:
RouterA#show controllers s0
On one of the routers, run the following command in Privileged Exec mode to display
the parameters and current state of the active routing protocol process, and examine
the output:
RouterA#show ip protocols
Use the following command to verify routing table entries on both routers:
RouterA#show ip route
Use the following command to list a summary of the interfaces' IP information and
status on both routers, and examine the output:
RouterA#show ip interface
Use the same command with the brief option, and notice the difference in output:
RouterA#show ip interface brief

Configuring a Frame Relay network


Lab Requirements: To perform this lab you need at least 3 Cisco routers. I used 4:
three 2501's for the endpoints and a 2520 for the frame-relay switch, but pretty
much anything will do. This lab does not cover how to physically connect the routers
and the hosts, but rather assumes you can tell by looking at the diagram. This lab
comes in three versions, the one you are looking at, a printer-friendly version with
the commands, and a printer-friendly version without the commands that can be
used as an assessment. The printer-friendly versions are accessible for members
only. Also note the commands in this lab often include the router command prompt
and never use the abbreviated form.

In this second CCNA TechLab you will learn how to configure a simple frame relay
network. Frame relay is a layer 1 and 2 protocol used for WAN connections. It is used
by many companies to provide links between branch offices and the company
headquarters.

If you haven't already, set up the routers' basic configuration (hostname, passwords,
telnet access, etc.). If you don't know how to do these things, refer to the TechLab
"Configuring a RIP network". Here is our example network:

CONFIGURING THE FRAME RELAY SWITCH

First we will configure the frame relay switch (in my lab the 2520). It has links to all
of the endpoints via back-to-back serial cables. It will be the DCE for all connections.

STEP 1. Change the router's name to frame-switch

Enter configuration mode by using the following command:


Router# configure terminal
Change the host name of the router to frame-switch by using the following
command:
Router(config)# hostname frame-switch
frame-switch(config)#

STEP 2. Enable the router to become a frame-relay switch

Configure the router to act as a frame relay switch by using the following command:
frame-switch(config)# frame-relay switching

STEP 3. Configure the frame relay switch's interfaces

Enter interface configuration mode for the first connected serial interface, e.g. serial 0:
frame-switch(config)# interface serial 0
Remove the IP address:
frame-switch(config-if)# no ip address
Set the clock rate to 64000:
frame-switch(config-if)# clock rate 64000
Set the encapsulation type to Frame Relay:
frame-switch(config-if)# encapsulation frame-relay
Set the LMI type to ANSI:
frame-switch(config-if)# frame-relay lmi-type ansi
Set the Frame Relay interface type to dce:
frame-switch(config-if)# frame-relay intf-type dce
Enable the interface:
frame-switch(config-if)# no shutdown

Repeat the commands above for the other connected interfaces on the frame relay
switch.

STEP 4. Configure the end-point routers and their interfaces

Change the host name of the router to 2501-A, 2501-B, or 2501-C, as shown in the
network diagram by using the following command:
Router(config)# hostname 2501-A
Enter interface configuration mode for the connected serial interface:
2501-A(config)# interface serial 0
Assign the IP address as shown in the diagram (i.e. for router 2501-A, use
10.10.12.2 with subnet mask 255.255.255.240):
2501-A(config-if)# ip address 10.10.12.2 255.255.255.240
Set the encapsulation type to Frame Relay:
2501-A(config-if)# encapsulation frame-relay

Set the LMI type to ANSI:


2501-A(config-if)# frame-relay lmi-type ansi

Enable the interface:


2501-A(config-if)# no shutdown
Repeat the steps above for the other end-point routers.

STEP 5. Verify your progress

On the frame-switch, use the show interface command to verify the operation of all
connected interfaces. The output should look similar to the following:

frame-switch# show interface serial 1


Serial1 is up, line protocol is up
Hardware is CD2430 in sync mode
MTU 1500 bytes, BW 115 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation FRAME-RELAY, loopback not set
Keepalive set (10 sec)
LMI enq sent 42, LMI stat recvd 0, LMI upd recvd 0
LMI enq recvd 44, LMI stat sent 1, LMI upd sent 0, DCE LMI up
LMI DLCI 0 LMI type is ANSI Annex D frame relay DCE
FR SVC disabled, LAPF state down
Broadcast queue 0/64, broadcasts sent/dropped 0/0, interface broadcasts 0
Last input 00:00:09, output 00:00:09, output hang never
Last clearing of "show interface" counters 00:18:29
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/1/32 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 86 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
45 packets input, 630 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
44 packets output, 616 bytes, 0 underruns
0 output errors, 0 collisions, 36 interface resets
0 output buffer failures, 0 output buffers swapped out
29 carrier transitions
DCD=up DSR=up DTR=up RTS=up CTS=up

STEP 6. Configure DLCI mappings

Now we need to configure the DLCI mappings for each interface by using the
frame-relay route command. The format for this command is:

frame-switch(config-if)# frame-relay route <input dlci> interface <output interface> <output dlci>

You need to configure the appropriate mappings on all the connected interfaces on
the frame relay switch. Following are the commands that need to be configured for
our example network.

frame-switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
frame-switch(config)# interface serial 1
frame-switch(config-if)# frame-relay route 100 interface s3 101
frame-switch(config-if)# frame-relay route 300 interface s2 301

frame-switch(config-if)# interface serial 2


frame-switch(config-if)# frame-relay route 201 interface s3 200
frame-switch(config-if)# frame-relay route 301 interface s1 300

frame-switch(config-if)# interface serial 3


frame-switch(config-if)# frame-relay route 200 interface s2 201
frame-switch(config-if)# frame-relay route 101 interface s1 100
CTRL-Z

STEP 7. Verify configuration and connection

Go to one of the endpoints and look at the output of some of the "show frame-relay"
commands. You can see the DLCI mappings have propagated to the endpoints. You
don't need to set them up on the endpoints, only on the switch.

Display the frame relay DLCI mappings by using the following command:

2501-A# show frame-relay map


Serial0 (up): ip 10.10.12.3 dlci 201(0xC9,0x3090), dynamic,
broadcast,, status defined, active
Serial0 (up): ip 10.10.12.4 dlci 301(0x12D,0x48D0), dynamic,
broadcast,, status defined, active

Display the frame relay pvc statistics by using the following command:

2501-A# show frame-relay pvc


PVC Statistics for interface Serial0 (Frame Relay DTE)

DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 7 output pkts 6 in bytes 580
out bytes 550 dropped pkts 1 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0


pvc create time 00:05:03, last time pvc status changed 00:04:13

DLCI = 301, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0
input pkts 16 output pkts 6 in bytes 1110
out bytes 550 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
pvc create time 00:04:45, last time pvc status changed 00:04:35

Ping the other two end-point routers from 2501-A:

2501-A# ping 10.10.12.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echoes to 10.10.12.3, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/60/60 ms

2501-A# ping 10.10.12.4

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echoes to 10.10.12.4, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/59/60 ms

As you can see (if you configured everything correctly) the end-point routers can
communicate with each other without a routing protocol or static routes being
configured on the frame relay switch.

You can display the switching table on the frame relay switch by using the following command:

frame-switch# show frame route


Input Intf Input Dlci Output Intf Output Dlci Status
Serial1 100 Serial3 101 active
Serial1 300 Serial2 301 active
Serial2 201 Serial3 200 active
Serial2 301 Serial1 300 active
Serial3 101 Serial1 100 active
Serial3 200 Serial2 201 active
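As an added example that is not part of this TechLab, the following Python models the switching table built in STEP 6 and reproduces the layout of the show frame route output above: it parses the frame-relay route commands, checks that every mapping has its reverse entry on the other interface (without the reverse entry the return direction of a PVC is not switched), and renders the table. The configuration text is a copy of the commands entered on frame-switch above; the column widths and the status column are this model's simplification, not IOS output.

```python
"""Model of the frame-relay switching table from STEP 6 (added example)."""
import re
from dataclasses import dataclass

# Copy of the frame-relay route commands configured on frame-switch above.
FRAME_SWITCH_CONFIG = """\
interface serial 1
 frame-relay route 100 interface s3 101
 frame-relay route 300 interface s2 301
interface serial 2
 frame-relay route 201 interface s3 200
 frame-relay route 301 interface s1 300
interface serial 3
 frame-relay route 200 interface s2 201
 frame-relay route 101 interface s1 100
"""


@dataclass(frozen=True)
class FrRoute:
    in_intf: str
    in_dlci: int
    out_intf: str
    out_dlci: int


def normalize_intf(name):
    """Accept 'serial 1', 's1' or 'Serial1' and return the 'Serial1' form."""
    m = re.fullmatch(r"(?i)s(?:erial)?\s*(\d+)", name.strip())
    if not m:
        raise ValueError(f"unsupported interface name: {name!r}")
    return f"Serial{m.group(1)}"


def parse_routes(config):
    """Parse interface / frame-relay route lines into FrRoute entries."""
    routes, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = normalize_intf(line[len("interface "):])
            continue
        m = re.fullmatch(r"frame-relay route (\d+) interface (\S+) (\d+)", line)
        if m:
            if current is None:
                raise ValueError("frame-relay route outside interface mode")
            routes.append(FrRoute(current, int(m.group(1)),
                                  normalize_intf(m.group(2)), int(m.group(3))))
    return routes


def find_one_way(routes):
    """Return routes whose reverse mapping is missing or points elsewhere.

    Every PVC needs two entries: input (intf X, dlci a) -> (intf Y, dlci b)
    and input (intf Y, dlci b) -> (intf X, dlci a); without the second, the
    return direction is not switched.
    """
    table = {(r.in_intf, r.in_dlci): (r.out_intf, r.out_dlci) for r in routes}
    return [r for r in routes
            if table.get((r.out_intf, r.out_dlci)) != (r.in_intf, r.in_dlci)]


def render_table(routes):
    """Render the table in the column order of 'show frame-relay route'.

    Status here is this model's symmetry check, not the LMI-derived status
    IOS shows: 'active' when the reverse mapping exists, else 'one-way'.
    """
    one_way = set(find_one_way(routes))
    cols = ("Input Intf", "Input Dlci", "Output Intf", "Output Dlci", "Status")
    lines = ["".join(f"{c:<12}" for c in cols)]
    for r in sorted(routes, key=lambda r: (r.in_intf, r.in_dlci)):
        status = "one-way" if r in one_way else "active"
        lines.append(f"{r.in_intf:<12}{r.in_dlci:<12}{r.out_intf:<12}"
                     f"{r.out_dlci:<12}{status}")
    return "\n".join(lines)


if __name__ == "__main__":
    routes = parse_routes(FRAME_SWITCH_CONFIG)
    print(render_table(routes))
    print("one-way mappings:", find_one_way(routes))
```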

EIGRP
The Enhanced Interior Gateway Routing Protocol (EIGRP) is the successor of IGRP; it
is more scalable and offers faster convergence. Unlike IGRP, EIGRP is a classless
routing protocol, hence it supports VLSM. It was developed by Cisco and is supported
on Cisco equipment only. In addition to IP, EIGRP can also be used to route IPX and
AppleTalk. Contrary to IGRP, EIGRP is considered a hybrid routing protocol,
because it has distance vector as well as link-state characteristics. Routing updates
can be partial; they do not need to contain the complete routing table as with RIP and
IGRP. Also, updates are not sent periodically, but only when necessary, and only to
those neighboring routers that need to know. This results in low bandwidth and CPU
usage, and makes EIGRP a fast routing protocol suitable for large networks. The
maximum hop count in EIGRP is 224. EIGRP allows for secure routing updates using
authentication, to prevent unauthorized or false routing messages, although this is
disabled by default. EIGRP updates use the multicast address 224.0.0.10.

Besides maintaining a routing table, EIGRP maintains a topology table based on the
information it receives in hello packets, and a neighbor table listing the directly
connected neighbors. The neighbors are discovered using hello packets, which are
sent out periodically to check if the connection to the neighbor is still available.
EIGRP uses five packet types: Hello/Acks, Updates, Queries, Replies, and Requests.
When an EIGRP router stops receiving hello packets from a neighbor for a
configurable amount of time, it will consider that router unreachable. The topology
table will be searched for a backup route, known as a feasible successor; if there
isn't one, a multicast query will be sent out to find a new route. If another router
responds with an alternative route, the topology table is updated and a new
route is added to the routing table.

EIGRP uses the Diffusing Update Algorithm (DUAL) for route calculation and to
prevent routing loops. The best route is determined based on 2 metrics by default,
bandwidth and delay, but others can be used as well:

bandwidth    Minimum bandwidth of the route in kbps * 256.
delay        Sum of route delay (in tens of microseconds) * 256.
reliability  The value 255 means 100 percent reliability; 0 means no reliability.
load         Effective bandwidth of the route expressed as a number from 0 to 255
             (255 is 100 percent loading).
MTU          Maximum transmission unit (MTU) size of the route in bytes. It can be
             0 or any positive integer.

The formula used to calculate the composite metric is:

metric = [K1 * bandwidth + (K2 * bandwidth) / (256 - load) + K3 * delay] * [K5 / (reliability + K4)]

By default K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0. You can change these values,
and hence the outcome of the formula, by using the metric weights command in
router configuration mode:
Router(config-router)#metric weights tos k1 k2 k3 k4 k5
Tos is short for Type of Service and must be 0 (zero). Note that the default
bandwidth for an interface is T1 speed; you can change this by using the bandwidth
command in Interface Configuration mode.

To configure EIGRP on a router, use the following command:


Router(config)#router eigrp as-number
The as-number value is the Autonomous System (AS), also known as domain and
process. This must be a positive decimal number. Routes from routers in one AS are
not injected into another AS by default. Through a process called route tagging, a
router is able to be part of more than one AS, which for example, can be used to
route IPX and IP over the same network simultaneously. If a route from one AS is
injected into another AS using route redistribution, the route will be tagged as
external, which influences the administrative distance. The administrative distance
for Internal EIGRP is 90 and for External EIGRP 170. These default values can be
changed by using the following command:
Router(config-router)#distance eigrp internal external
The internal and external values can be integers from 0 to 255; remember that
routes with an administrative distance of 255 are marked unknown and will not be
used.

The network command is used to specify which networks are directly connected to
the router, and to allow the interface of this network to be advertised in EIGRP
routing updates. The following is an example of a simple EIGRP configuration:
Router(config)#router eigrp 22
Router(config-router)#network 10.0.0.0
Router(config-router)#network 192.168.10.0
Optionally, since IOS 12.0, the network command supports a network mask.

As mentioned earlier, EIGRP sends routing updates to its neighbors only. Hello
packets are used to discover, identify and build relationships with
neighboring routers. The hello packets are sent periodically to determine if a
neighbor (and its interfaces) is still available. The default hello interval is 60
seconds for low-speed (bandwidth T1 or slower) nonbroadcast multiaccess (NBMA)
networks such as ATM and multipoint Frame Relay, and 5 seconds for all
other networks. You can change the hello interval by using the following command in
interface configuration mode:
Router(config-if)#ip hello-interval eigrp as-number seconds

After a hello packet is sent, a router waits until the hold timer expires for a
response before it considers the neighbor to be unreachable. The hold time defaults to 3
times the hello interval; you can change this by using the following command in
interface configuration mode:
Router(config-if)#ip hold-time eigrp as-number seconds

EIGRP supports load balancing over unequal paths. This means adding multiple
primary routes for a single destination to the routing table even if their metrics are
not equal. For example, if you want to load balance between connection A and B, you
can use the variance command to allow connection B to be included in the routing
table as a feasible route to the same destination, even if it has a greater metric than
connection A. Use the following command in router configuration mode:
Router(config-router)#variance multiplier
The multiplier value can be an integer from 1 to 128; the default is 1, which means
equal-cost load balancing. If the value is set to 3, routes with a metric up to 3 times
the local best metric are considered equal.
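As an added example (not part of the original TechLab), the following Python computes the composite metric with the default K values and applies the variance rule from the two passages above. It relies on three points of documented IOS behaviour that the text does not spell out: bandwidth is scaled as 10^7 divided by the minimum bandwidth in kbps before the * 256, the reliability factor is skipped when K5 = 0, and a path is only eligible for unequal-cost load balancing if its reported distance is lower than the best metric (the feasibility condition). The sample paths and their reported distances are constructed data.

```python
"""EIGRP composite metric and variance-based path selection (added example)."""
from dataclasses import dataclass

# Default K values: K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0.
DEFAULT_K = (1, 0, 1, 0, 0)


def eigrp_metric(min_bw_kbps, total_delay_usec, reliability=255, load=1, k=DEFAULT_K):
    """Composite metric for one path.

    min_bw_kbps:      slowest link on the path, in kbps (1544 for a T1)
    total_delay_usec: sum of the interface delays along the path, in microseconds
    Documented IOS scaling (assumption beyond the text above): bandwidth is
    10^7 / min_bw_kbps, delay is counted in tens of microseconds, both * 256.
    """
    k1, k2, k3, k4, k5 = k
    if min_bw_kbps <= 0:
        raise ValueError("minimum bandwidth must be positive")
    bandwidth = (10**7 // min_bw_kbps) * 256
    delay = (total_delay_usec // 10) * 256
    metric = k1 * bandwidth + (k2 * bandwidth) // (256 - load) + k3 * delay
    # IOS rule: with the default K5 = 0 the reliability factor is not applied.
    if k5 != 0:
        metric = (metric * k5) // (reliability + k4)
    return metric


@dataclass(frozen=True)
class Path:
    name: str
    min_bw_kbps: int
    total_delay_usec: int
    reported_distance: int  # the neighbour's own metric to the destination (RD)


def select_paths(paths, variance=1):
    """Return the names of the paths that 'variance' lets into the routing table.

    The lowest metric is the feasible distance (FD). Another path is installed
    when its metric is at most variance * FD and, per EIGRP's feasibility
    condition (assumption beyond the text above), its reported distance is
    lower than FD; that rule keeps out a neighbour that routes back through us.
    """
    metrics = {p.name: eigrp_metric(p.min_bw_kbps, p.total_delay_usec) for p in paths}
    fd = min(metrics.values())
    chosen = [p.name for p in paths
              if metrics[p.name] <= variance * fd and p.reported_distance < fd]
    return sorted(chosen)


# Constructed sample paths to one destination; RD values are illustrative.
# Path A: T1 (1544 kbps, 20000 usec) then a 10 Mbps LAN (1000 usec) -> metric 2195456.
SAMPLE_PATHS = [
    Path("A", 1544, 21000, reported_distance=281600),
    Path("B", 512, 21000, reported_distance=281600),    # 512 kbps link, same LAN
    Path("C", 64, 21000, reported_distance=281600),     # 64 kbps link, same LAN
    Path("D", 1544, 41000, reported_distance=2195456),  # RD equals our FD: fails FC
]

if __name__ == "__main__":
    print("T1 metric:", eigrp_metric(1544, 20000))          # 2169856
    print("Ethernet metric:", eigrp_metric(10000, 1000))   # 281600
    for v in (1, 2, 3, 128):
        print(f"variance {v}:", select_paths(SAMPLE_PATHS, v))
```

With variance 2, path D is the interesting case: its metric (2707456) is within twice the best metric, but it is still left out because its reported distance is not lower than the feasible distance.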

Another useful feature of EIGRP is automatic route summarization, which summarizes
subnets to the classful network boundary. This is enabled by default; you can turn
this off per AS by using the following command in router configuration mode:
Router(config-router)#no auto-summary
(and turn it on again with: Router(config-router)#auto-summary )
EIGRP summary routes have an administrative distance value of 5.
You can also configure a summary aggregate address for a specific interface by using
the following command in Interface configuration mode:
Router(config-if)#ip summary-address eigrp as-number network-address subnet-mask [admin-distance]

Static routes and routes from other routing protocols such as RIP, IGRP, and OSPF
can be redistributed into the EIGRP Autonomous System by using the redistribute
command. For example, if you want to redistribute OSPF process 10 into EIGRP AS
20:
Router(config)#router eigrp 20
Router(config-router)#redistribute ospf 10
Router(config-router)#default-metric 10000 100 255 1 1500

The default-metric command is used to configure a default metric for external routes
being redistributed into the AS. The syntax for EIGRP is:
Router(config-router)#default-metric bandwidth delay reliability loading mtu
IGRP routes can be automatically redistributed into EIGRP and vice versa, as long as
the autonomous system is the same.

Troubleshooting

First, a very useful command which is often used to troubleshoot routing: show ip
protocols. Per routing protocol and AS it displays parameters such as the values of
the K1-K5 metric weights, the networks involved, timers, hop count, outgoing filters,
redistributed networks and more. Use the command in EXEC mode:
Router#show ip protocols

To show all routes in the routing table, learned by EIGRP:


Router#show ip route eigrp
Show all ip routes in the routing table by omitting the eigrp option.

To display information about neighboring routers discovered using hello packets,
including the interface type and number, the smooth round-trip timer (SRTT), and
the hold time (the latter can be used to determine the hello interval if it is not
manually configured), use the following command:
Router#show ip eigrp neighbors

The following command displays entries in the EIGRP topology table:


Router#show ip eigrp topology
If the command is used without any options, only routes that are feasible successors
are displayed. The following command displays only the active entries in the
topology table, in less detail:
Router#show ip eigrp topology active summary
You can also specify an IP address and subnet mask to display a detailed description
of the entry, for example:
Router#show ip eigrp topology 192.168.1.0 255.255.255.0

The following command shows the packet count for the five different types of EIGRP
packets sent and received:
Router#show ip eigrp traffic

Use the following command in EXEC mode to display information about the interfaces
configured with EIGRP. You can use this to determine on which interfaces EIGRP is
active. If you do not specify an interface and/or AS, all interfaces running EIGRP
and/or all ASs will be displayed.
Router#show ip eigrp interfaces [interface-type interface-number] [as-number]

SWITCH CONFIGURATION LAB


In this CCNA TechLab we will cover several basic switch configuration tasks on a
Cisco Catalyst 2950 switch. This includes configuring passwords, password
encryption, assigning a host name and IP address configuration to the switch, and
saving the configuration. This lab comes in three different versions, the one you are
looking at, a printer-friendly version with the commands, and a printer-friendly
version without the commands that can be used as an assessment. The printer-
friendly versions are for registered users only. Also note the commands in this lab
often include the switch command prompt and never use the abbreviated form.

Lab equipment requirements

To perform this lab you need 1 Cisco Catalyst 2950 Switch and at least 1 PC.
However, most of the commands will work on other switch models as well. We are
going to use two different PCs, but they can be one and the same physical PC. You
will need to connect them as depicted in the following network diagram:

Connect the console cable to the console port on the switch and the other end
to the serial port of PC1. Connect PC2 to the first FastEthernet port (i.e. FA0/1) using a
UTP/STP cable. PC1 must have a terminal client (e.g. Windows HyperTerminal)
installed, and PC2 must be able to set up a telnet connection. For more information
on how to set up the terminal client, please read the Hardware TechLab.

Configuring the Switch

Before you start with the configuration of the switch, clear the switch configuration
by using the erase startup-config command or the erase nvram: command in
Privileged EXEC mode, and then use the reload command to reboot the switch. After
the switch has rebooted, the following message will be displayed:
% Please answer 'yes' or 'no'.
Would you like to enter the initial configuration dialog? [yes/no]
Type no and press ENTER.

Press ENTER when the message Press RETURN to get started appears. Type enable
at the Switch> command prompt to enter Privileged Exec mode, and notice the prompt
changes to Switch#.

STEP 1. Change the switch's host name to TEswitch1

Enter configuration mode using the following command:


Switch#configure terminal

Change the host name of the switch to "TEswitch1" using the following command:
Switch(config)#hostname TEswitch1
Notice how the prompt changes to TEswitch1(config)# to reflect the hostname.

STEP 2. Configure passwords

First set the enable secret to cisco123 using the following command:
TEswitch1(config)#enable secret cisco123

Next, set the password for all telnet lines to 'cisco456' using the following
commands:
TEswitch1(config)#line vty 0 15
TEswitch1(config-line)#password cisco456
TEswitch1(config-line)#login

Although the enable secret is encrypted, other passwords stored in the switch's
configuration are still in clear text. You can see this by returning to Privileged EXEC
mode and running the show running-config command:
TEswitch1(config)#end (or press CTRL-Z)
TEswitch1#show running-config

Notice the enable secret is replaced by a hashed version, for example:


enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDq

When you log on with the enable secret, the switch calculates the hash value again
and compares it with the hash value stored in the configuration. If they match, you
typed the correct secret and will enter Privileged EXEC mode. You can configure a
password by using the enable password command instead, but in contrast to the
enable secret, the enable password is not encrypted by default. If both an enable
password and an enable secret are configured, you will need to enter the enable
secret to log on. In other words, there's no need to configure an enable password if
you configured an enable secret.

Near the end of the configuration, you will notice the vty password you just
configured, and that it is stored in plain text. To ensure this password, as well
as others such as the console password, is also encrypted, use the service
password-encryption command in Global configuration mode:
TEswitch1#configure terminal
TEswitch1(config)#service password-encryption

If you run the show running-config command in Privileged EXEC mode again,
you will notice the vty password is now also encrypted. For example:
1511021F07257F717E

You can also set a password on the aux or console connection, for example to set the
password to cisco789:
TEswitch1(config)#line con 0
TEswitch1(config-line)#password cisco789
TEswitch1(config-line)#login

STEP 3. Configure an IP address for the switch

To be able to manage the switch using telnet, you will need to configure it with an IP
address. Instead of assigning an IP address to one of the switch ports, we are going
to assign an IP address to the Management VLAN.

Use the following commands to assign the IP address 192.168.0.9 to interface VLAN
1, which is the management VLAN by default:
TEswitch1(config)#interface vlan 1
TEswitch1(config-if)#ip address 192.168.0.9 255.255.255.0

If you need to be able to connect to the switch from other networks, you will also
need to configure a default gateway address. For example, if the switch is connected
to a router with the IP address 192.168.0.254, use the following command, in Global
Configuration mode, to use it as the default gateway:
TEswitch1(config-if)#exit
TEswitch1(config)#ip default-gateway 192.168.0.254

STEP 4. Establish a Telnet connection to the switch

Configure PC2 (or PC1 if you are using only one PC) with an IP address from the
same class C network as the switch, for example: 192.168.0.20 with subnet mask
255.255.255.0.

Open your favorite Telnet client and connect to the IP address you assigned to the
switch. Instead of using a third-party client, you can just type the following on the
command prompt:
telnet 192.168.0.9

If you completed the steps above successfully, you should now be able to configure
the switch through telnet in a similar manner as through the console terminal
session. When the connection is established, you will first be prompted for the Telnet
password. When you enter the correct password you will still have to use the enable
command and enter the enable secret before you can change the configuration of the
switch. Also note an enable secret (or enable password) must be configured or else
the switch will not allow you to log on to Privileged Exec mode through telnet.

STEP 5. Save the configuration

Saving the configuration on a modern Cisco Catalyst switch running IOS software
works the same as on Cisco routers. This means you have to copy the running
configuration (in RAM) to the startup configuration (in NVRAM) by using the following
command in Privileged EXEC mode:
TEswitch1#copy running-config startup-config

If you run the show startup-config command, you should get the same output as the
show running-config command. The dir nvram: command should show the
startup-config file with a size greater than zero. The configuration is also stored in
the config.text file in flash, which you can see listed by using the show flash command.

STEP 6. Display switch hardware and firmware information

The show version command allows you to display information about the switch's
hardware and IOS. The first half shows information about the IOS in flash, the boot
loader in ROM, the uptime, what caused the switch to reboot, and the IOS edition
it runs. The second half shows information about the hardware, including the
interfaces, the memory and serial numbers.

TEswitch1#show version

Cisco Internetwork Operating System Software


IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(9)EA1
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 24-Apr-02 06:57 by antonino
Image text-base: 0x80010000, data-base: 0x804E8000

ROM: Bootstrap program is CALHOUN boot loader

Switch uptime is 2 hours, 40 minutes


System returned to ROM by power-on
System restarted at 06:43:48 UTC Tue Aug 8 2006
System image file is "flash:/c2950-i6q4l2-mz.121-9.EA1.bin"

cisco WS-C2950-12 (RC32300) processor (revision F0) with 20815K bytes of


memory.
Processor board ID FHK0637X0AV
Last reset from system-reset
Running Standard Image
12 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.


Base ethernet MAC Address: 00:0A:F4:67:C1:80
Motherboard assembly number: 73-5782-11
Power supply part number: 34-0965-01
Motherboard serial number: FOC06360ZK2
Power supply serial number: PHI063403L1
Model revision number: F0
Motherboard revision number: A0
Model number: WS-C2950-12
System serial number: FHK0637X0AV


Configuration register is 0xF

Layer 2 Switching Basics

In this TechLab, we will go over the essentials of layer 2 switching. Cisco offers a
complete line of switches in different series and models, from small LANs to large
internetworks. This TechLab pertains to layer 2 switching only.

The Network

The example network we'll be using in this TechLab consists of one layer-2 switch
and two PCs. Attach PC1 to the Fa0/1 interface and PC2 to the Fa0/2 interface of the
switch. Configure PC1 with the IP address 10.0.0.1 and the default Class A subnet
mask (255.0.0.0). Configure PC2 with the IP address 10.0.0.2 and the default Class
A subnet mask (255.0.0.0).

Switching

If the two PCs were directly connected to each other they would both be in the same
collision domain. This would also be the case if the PCs were connected through a
hub. With a switch, however, every connection forms its own collision domain,
so in our case PC1 and PC2 are each in their own collision domain (cd). Both PCs are
still in one and the same broadcast domain because they are in the same logical
subnet and belong to VLAN 1 by default.

Being in their own separate collision domains, the signals, and hence the frames, sent by
one PC cannot collide with signals from the other PC. This also means collision
detection can be disabled on the connections between the switch and the PCs, and
that they can operate in full-duplex mode.

A hub would simply forward the signal out of all interfaces, except the incoming
interface. Unlike a hub, a switch processes the signals it receives up to layer 2 to be
able to read the MAC addresses in the frame header. Both the source and the destination
MAC address play an important role in the switching process. A switch maintains a
MAC forwarding table, also known as the CAM (Content Addressable Memory) table.
After connecting the switch to at least one other device, the MAC table will be filled
with information learned from incoming frames.

When a switch receives a frame, it will consult the MAC table to check whether the
source MAC address of the frame is already 'learned'. If it is not a known address,
the switch will add the source MAC to the table together with the interface on which
the frame was received. When the switch later receives a frame destined for this MAC
address, it will know out of which interface it needs to forward the frame based on
the entry in the MAC table. If the switch has not learned the destination MAC address
of a frame yet, it will forward the frame out of all interfaces, except the incoming
interface.

This selective forwarding allows a LAN switch to offer much better network
performance than a hub does. In a LAN with a hub, that is a single collision domain,
all hosts see all of the traffic sent between any hosts. They only process the frames
if the destination address is theirs, but the traffic does take up additional capacity on the media
(in this case the cable). In a switched LAN, however, once the addresses are
learned, the hosts only receive traffic that is actually destined to them.

As mentioned earlier, the hosts still belong to a single broadcast domain. Hence,
broadcasts are sent out of all interfaces.

Note that a switch does not change the contents of the frames it forwards. This
means switching is transparent to the PCs: they cannot tell whether a frame arrived
from another directly connected PC, or through a hub or a switch.

Now let's see how this works in the small switched LAN we created. To do this we are
going to use the ping utility on the PCs. This will generate ARP broadcasts and ICMP
unicast messages.

> Open the command prompt console for PC1 and enter the command ping 10.0.0.2
(the IP address of PC2).

> Run arp -a in the console for PC1 and notice the entry for the IP to MAC address
mapping for PC2. The latter will have an entry for PC1.

The results are as described next:

1. PC1 broadcasts an ARP Request to discover the MAC address for PC2's IP address.
2. PC2 receives the ARP Request and adds the entry for PC1 based on the info in the
ARP Request.
3. PC2 sends an ARP Reply with its own MAC address and IP to PC1.
4. PC1 receives the ARP Reply with the requested information (the MAC address of
PC2) and now knows what destination address to use for frames destined to PC2,
hence can send the ICMP packets (encapsulated in the frames).

Although the results would be the same if the PCs were directly connected (from the
PC's perspective), the switch performed several actions the PCs are unaware of.

1. When the switch receives the ARP Request broadcast from PC1, it learns PC1's
MAC address from the frame header and stores it together with the interface (in this
case FastEthernet0/1) in the MAC forwarding table.
2. The destination address of the ARP Request is the broadcast address ffff.ffff.ffff, so
the switch forwards it out of all ports except the incoming port.
3. Even if other devices were connected, only PC2 replies with an ARP Reply. When
the switch receives this reply frame, it learns the MAC address of PC2 and stores it
together with the interface (in this case FastEthernet0/2) in the MAC forwarding
table.
4. The ARP Reply is addressed directly to the MAC address of PC1 (which PC2 learned
from the ARP Request sent by PC1), and since the switch learned in step 1 on which
interface the target MAC address can be reached, it forwards the ARP Reply only
out of FastEthernet0/1.
5. The switch has now learned the MAC addresses and interfaces of both PCs, so when
PC1 sends the frames that contain the ICMP packets to PC2, the switch switches the
traffic directly between FastEthernet0/1 and FastEthernet0/2. If any other PC or
network device were attached to the switch, it would not even notice the traffic and
would not have to waste time reading the frames' headers to check whether its own MAC
address matches the one in the frames.
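As an added illustration, not part of the TechLab, the following Python model replays the five switch actions above: learn the source MAC on the ingress port, flood broadcasts and unknown destinations out of every other port, and forward a known destination out of its learned port only. The 4-port switch and both PC MAC addresses are constructed for the example.

```python
# Added example, not part of the TechLab: a minimal model of the learning and
# forwarding behaviour a layer-2 switch applies to the ARP/ICMP exchange above.
BROADCAST = "ffff.ffff.ffff"


class Layer2Switch:
    """Keeps a MAC forwarding (CAM) table of source MAC -> ingress port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # dynamic entries only; the source field is simply trusted

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame and return the list of ports it is sent out of."""
        # Learning: the source address is recorded (or refreshed) on the port
        # the frame came in on, as in steps 1 and 3 above.
        self.mac_table[src_mac] = in_port
        # Flooding: broadcasts and not-yet-learned unicast destinations go out
        # of every port except the incoming one (step 2).
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return [p for p in self.ports if p != in_port]
        # Forwarding: a known destination leaves through its learned port only
        # (steps 4 and 5); a frame whose destination was learned on the ingress
        # port is dropped, since the receiver is on that same segment.
        out_port = self.mac_table[dst_mac]
        return [] if out_port == in_port else [out_port]


def ping_exchange():
    """Replay PC1 pinging PC2 and return what each frame did to the switch."""
    sw = Layer2Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])  # constructed 4-port switch
    pc1 = "0f08.0a01.9b54"  # constructed MAC for PC1 on Fa0/1
    pc2 = "0f08.0a02.42f9"  # constructed MAC for PC2 on Fa0/2
    trace = {}
    trace["arp_request"] = sw.receive("Fa0/1", pc1, BROADCAST)  # flooded
    trace["arp_reply"] = sw.receive("Fa0/2", pc2, pc1)          # Fa0/1 only
    trace["icmp_echo"] = sw.receive("Fa0/1", pc1, pc2)          # Fa0/2 only
    trace["table"] = dict(sw.mac_table)
    return trace


if __name__ == "__main__":
    for step, result in ping_exchange().items():
        print(f"{step:12} -> {result}")
```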

> Start a console or telnet session with the switch and use the following command to
display the contents of the MAC forwarding table:
Switch# show mac address-table

The output should be similar to the following (it may differ depending on your IOS
version and switch model):

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.6922.5440    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    0f08.0a01.9b54    DYNAMIC     Fa0/1
   1    0f08.0a02.42f9    DYNAMIC     Fa0/2

Total Mac Addresses for this criterion: 26

In addition to the destination address and destination port, the switch stores the
Address Type (Dynamic for learned addresses and Static for manually configured
static entries) and the VLAN. The interfaces have to belong to the same VLAN for the
attached hosts to be able to communicate with each other without a router or layer 3
switch. As you can see in the output above, all interfaces belong to VLAN 1 by
default.

The show mac address-table command supports several keywords and options to
filter the output. For example, you can add the count keyword to list the number of
addresses per VLAN:
Switch#show mac-address-table count

Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 22
Static Address Count : 0
Total Mac Addresses : 22
Total Mac Address Space Available: 8168

Or, you can specify the MAC address:
Switch#show mac address-table address 0f08.0a01.9b54

Or, you can specify the interface:
Switch#show mac address-table interface fastethernet0/1

Another common option is to specify the VLAN id:
Switch#show mac address-table vlan 1

Note both show mac address-table and show mac-address-table (an older variant
with a dash between mac and address) are accepted as valid commands.
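As an added example, not part of the TechLab, the Python below parses the show mac address-table output format shown above and derives the same figures the count and interface keywords report: dynamic and static entries per VLAN, and the addresses learned on each port. The table text is constructed in that format, not captured from the lab switch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the 'show mac address-table' format shown above.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0014.6922.5440    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
   1    0f08.0a01.9b54    DYNAMIC     Fa0/1
   1    0f08.0a02.42f9    DYNAMIC     Fa0/2
   1    0f08.0a03.11aa    DYNAMIC     Fa0/2
   2    0f08.0a04.77bb    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 6
"""

# One table row: VLAN id or 'All', dotted-hex MAC, entry type, port name.
ENTRY = re.compile(
    r"^\s*(All|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return one dict per table row; header, separator and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append({"vlan": vlan, "mac": mac.lower(), "type": kind.upper(), "port": port})
    return entries


def count_per_vlan(entries):
    """Reproduce the per-VLAN Dynamic/Static counts of 'show mac address-table count'."""
    counts = defaultdict(Counter)
    for e in entries:
        if e["vlan"] != "All":  # 'All' rows are the switch's own system (CPU) entries
            counts[e["vlan"]][e["type"]] += 1
    return {vlan: dict(c) for vlan, c in counts.items()}


def macs_per_port(entries):
    """Group learned (DYNAMIC) addresses by interface, as the interface keyword does."""
    by_port = defaultdict(list)
    for e in entries:
        if e["type"] == "DYNAMIC":
            by_port[e["port"]].append(e["mac"])
    return dict(by_port)
```

Fed the output of a real switch, macs_per_port makes a port carrying more learned addresses than the hosts known to be attached to it stand out immediately.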

VLANs (Virtual LAN)

A virtual LAN (VLAN) is a logical LAN, or a logical subnet. A VLAN defines a broadcast
domain. A physical subnet is a group of devices that share the same physical wire.
A logical subnet is a group of switch ports assigned to the same VLAN.

VLANs are used to:
· Logically divide a switch into multiple, independent switches at L2
· Create separate broadcast domains in a switch, increasing the number of broadcast
domains
· Span multiple switches using trunks
· Allow logical grouping of users by function
· Simplify adding, moving, and changing hosts in the network
· Enhance security

VLAN configuration steps:
1. The VLAN must be created.
2. The VLAN may be named.
3. The desired ports must be added to the new VLAN.
Note: Routing between VLANs requires a router or Layer 3 switch.

Creating Static VLANs

There are two ways to create VLANs:
• Using VLAN configuration mode, which is the recommended way to create
VLANs
• Using VLAN database mode (which should not be used but is still available)

Using VLAN Configuration Mode

Switch(config)#vlan 2-----> Creates VLAN 2 and enters VLAN configuration mode for
further definitions.
Switch(config-vlan)#name Marketing-----> Assigns a name to the VLAN.
Switch(config-vlan)#exit
Switch(config)#
Using VLAN Database Mode
Switch#vlan database ----->Enters VLAN database mode.
Switch(vlan)#vlan 5 name Engineering ----->Creates VLAN 5 and names it
Engineering.
Switch(vlan)#vlan 10 ----->Creates VLAN 10 and gives it a name of VLAN0010 as a
default.
Switch(vlan)#apply----->Applies changes to the VLAN database and increases the
revision number by 1.
Switch(vlan)#exit
Switch#
Assigning Ports to VLANs
Switch(config)#interface fastethernet 0/0-----> Moves to interface configuration
mode
Switch(config-if)#switchport mode access ----->Sets the port to access mode
Switch(config-if)#switchport access vlan 2-----> Assigns this port to VLAN 2
Using the range Command
Switch(config)#interface range fastethernet 0/1 - 8-----> Enables you to set the
same configuration parameters on multiple ports at the same time.
Switch(config-if-range)#switchport mode access-----> Sets ports Fa0/1 through Fa0/8 as access
ports.
Switch(config-if-range)#switchport access vlan 5-----> Assigns those ports to VLAN 5.

Verifying VLAN Information

Switch#show vlan-----> Displays VLAN information
Switch#show vlan brief-----> Displays VLAN information in brief
Switch#show vlan id 5-----> Only displays information about VLAN 5
Switch#show vlan name sales-----> Only displays information about the VLAN named
sales
Switch#show interfaces vlan x-----> Displays interface characteristics for the
specified VLAN

Erasing VLANs

Switch#delete flash:vlan.dat-----> Removes the entire VLAN database from flash

Switch(config)#interface fastethernet 0/0
Switch(config-if)#no switchport access vlan 2-----> Removes the VLAN 2 assignment from the
port (it returns to the default VLAN 1)
Switch(config-if)#exit
Switch(config)#no vlan 2-----> Deletes VLAN 2
Or
Switch#vlan database
Switch(vlan)#no vlan 2
Switch(vlan)#exit
