Ccna Icnd1 Study Notes

Cisco Certified Entry Network Technician
Interconnecting Cisco Network Devices Part 1 Version 3
Part I - Networking
Fundamentals
Chapter 1 - Introduction to TCP/IP
Networking
TCP/IP Application Layer - HTTP:
HTTP GET Request, HTTP Reply, and One Data-Only Message (Encapsulation):
Step 1: Send GET request

Step 2: Return HTTP header (status code, e.g. 200 OK, 404)
Step 3: Transfer additional data without header
TCP error recovery:

Bob's TCP logic requests segment sequence 2.
Concept Description
The two computers use a protocol (an agreed-to set of rules)
Same-layer to communicate with the same layer on another computer. The protocol defined by each layer
interaction on uses a header that is transmitted between the computers to communicate what each computer
different computers wants to do. Header information added by a layer of the sending computer is processed by the
same layer of the receiving computer.
Adjacent-layer On a single computer, one layer provides a service to a higher layer. The software or hardware
interaction on the that implements the higher layer requests that the next lower layer perform the needed
same computer function.
Same-layer Interaction: two computers' communication with the same layer using headers;
TCP error recovery (TCP creates sequence numbers, TCP receives and reacts to the
segments)
Adjacent-layer Interaction: Single computer, HTTP (Layer 5) requests => error recovery on
TCP (Layer 4)
TCP/IP Network Layer:
Major protocol: IP
IP = Addressing, Routing
Sender: Application/Transport Layers

Postal Service: L1/2/3, IP, routers
- All Larry's IP addresses begin with 1, Bob's with 2 and Archie's with 3.
- Routers route/forward IP packets to correct destination
IP header: Source address (1.1.1.1), Destination address (2.2.2.2)

Step 1: Larry sends IP packet to nearest router on the same LAN
Step 2: Router R1 process compares destination address to its known IP routes and forwards
to packet to Router R2 (IP Routing)
Step 3: Router R2 repeats same process and sends to Bob, who is on the same LAN.
TCP/IP Link Layer:
Step 1: Larry encapsulates the IP packet between an Ethernet header and Ethernet trailer =>
Ethernet frame.
Step 2: Larry physically transmits the bits of the Ethernet frame, using electricity flowing
over the Ethernet cabling.
Step 3: Router R1 physically receives the electrical signal over a cable, and re-creates the
same bits by interpreting the meaning of the electrical signals.
Step 4: Router R1 de-encapsulates the IP packet from the Ethernet frame by removing and
discarding the Ethernet header and trailer.
- WAN standards: PPP, Frame relay
TCP/IP Model and Terminology:
Data encapsulation:
Step 1: Create and encapsulate the application data with any required application
layer headers, e.g. HTTP OK message in HTTP header, followed by part of the contents of a
web page.
Step 2: Encapsulate the data supplied by the application layer inside a transport layer
header, e.g. TCP/UDP headers for end-user applications.
Step 3: Encapsulate the data supplied by the transport layer inside a network layer
(IP) header. IP defines the IP addresses that uniquely identify each computer.
Step 4: Encapsulate the data supplied by the network layer inside a data link layer
header and trailer, e.g. Ethernet header and trailer
Step 5: Transmit the bits. The physical layer encodes a signal onto the medium to
transmit the frame.
Segment: Headers defined by the Transport layer and data encapsulated

Packet: Headers defined by the Network layer and data encapsulated
Frame: Headers and trailers defined by the Data Link layer and data encapsulated
OSI Model
OSI, TCP/IP Original, TCP/IP Updated Model Comparison
Open Systems Interconnect Transmission Control Transmission Control

Protocol/ Internet Protocol Protocol/ Internet Protocol
Original Updated
Application
Presentation
Session Application Application
Transport Transport Transport
Network Internet Network
Data Link Data Link
Physical Link Physical
OSI Reference Model Layer Descriptions

Layer Functional Description
Application layer. Provides an interface from the application to the network by supplying a protocol with
7
actions meaningful to the application, for example, “get web page object.”
6 Presentation layer. This layer negotiates data formats, such as ASCII text, or image types like JPEG.
Session layer. This layer provides methods to group multiple bidirectional messages into a workflow for
5
easier management and easier backout of work that happened if the entire workflow fails.
Transport layer. In function, much like TCP/IP’s transport layer. This layer focuses on data delivery between
4
the two endpoint hosts (for example, error recovery).
Network layer. Like the TCP/IP network (Internet) layer, this layer defines logical addressing, routing
3
(forwarding), and the routing protocols used to learn routes.
Data link layer. Like the TCP/IP data link layer, this layer defines the protocols for delivering data over a
2
particular single type of physical network (for example, the Ethernet data link protocols).
Physical layer. This layer defines the physical characteristics of the transmission medium, including
1
connectors, pins, use of pins, electrical currents, encoding, light modulation, and so on.
OSI Reference Model: Device and Protocol Examples

Layer Name Protocols and Specifications Devices
Application, presentation, session Telnet, HTTP, FTP, SMTP, POP3,
Hosts, firewalls
(Layers 5–7) VoIP, SNMP
Transport (Layer 4) TCP, UDP Hosts, firewalls
Network (Layer 3) IP Router
LAN switch, wireless access point, cable
Data link (Layer 2) Ethernet (IEEE 802.3), HDLC
modem, DSL modem
Physical (Layer 1) RJ-45, Ethernet (IEEE 802.3) LAN hub, LAN repeater, cables
Benefits of Layered models:

 Less complex: Compared to not using a layered model, network models break the concepts into
smaller parts.
 Standard interfaces: The standard interface definitions between each layer allow multiple
vendors to create products that fill a particular role, with all the benefits of open competition.
 Easier to learn: Humans can more easily discuss and learn about the many details of a protocol
specification.
 Easier to develop: Reduced complexity allows easier program changes and faster product
development.
 Multivendor interoperability: Creating products to meet the same networking standards means
that computers and networking gear from multiple vendors can work in the same network.
 Modular engineering: One vendor can write software that implements higher layers—for
example, a web browser—and another vendor can write software that implements the lower
layers—for example, Microsoft’s built-in TCP/IP software in its operating systems.
OSI Encapsulation Terminology
OSI >> Protocol Data Unit (PDU)

TCP segment = L4PDU
IP packet = L3PDU
Ethernet frame = L2PDU
Terminology:
Encapsulation: Process of putting headers and sometimes trailers around some data.
Chapter 2 - Fundamentals of
Ethernet LANs
- Wireless Router can replace Router + Switch + Access Point
- PC >> Switch >> Distribution Switch (SWD) >> Router

- Example: PC3 >> SW3 >> SWD >> SW2 >> PC2
- Router connects LAN to WAN
- Ethernet standards come from the IEEE and include the number 802.3 as the beginning part
of the standard name.
- UTP (Unshielded Twisted-Pair) Cabling saves money compared to optical fibers.
- Informal IEEE standard name notation: SPEED + BASE + (T for UTP or X for fiber.)
- Ethernet nodes forward encapsulated Ethernet frame (Ethernet Header + Data + Ethernet
Trailer)
- Two wires inside a single UTP cable.

- Encoding scheme: Sender and receiver uses the same rules and interpret those changes as
either 0s or 1s.
- Solves electromagnetic interference (EMI) issues (crosstalk, wire pairs in the same cable).
- Components: Cable + connectors on each end + matching ports

- 10BASE-T & 100BASE-T require 2 pairs of wires.
- 1000BASE-T requires 4 pairs of wires.
- RJ-45: common connector with 8 physical locations into which the wires in the cables can
be inserted (pin positions/pins).
- Network Interface Card (NIC) has RJ-45 ports.
- Has swappable transceivers/port hardware.

- Small form-factor pluggable (SFP+) runs at 10 Gbps
UTP Cabling Pinouts for 10BASE-T and 100BASE-T
Straight-Through Cable Pinout

- NIC transmitters use the pair connected to pins 1 and 2.
- NIC receivers use a pair of wires at pin positions 3 and 6.
- Pin 1 to Pin 1, Pin 2 to Pin 2, Pin 3 to Pin 3, Pin 6 to Pin 6

- Wire pairs: 1 and 2 | 3 and 6
- Straight-through cables only work when the nodes use opposite pairs for transmitting data.
Crossover Cable
- Only when two like devices are transmitting on the same pins.
- Connect 1 and 2 to 3 and 6, and 3 and 6 to 1 and 2
Crossover cable: If the endpoints transmit on the same pin pair.

Straight-through cable: If the endpoints transmit on different pin pairs.
- Straight-through Cables: PCs to Switches (e.g. PC to SW11)

- Crossover Cables: Switches to Switches (e.g. SW12 to SW22)
- Cisco switches have an 'auto-mdix' feature which changes its logic to make the link work
for wrong cable insertions.
UTP Cabling Pinouts for 1000BASE-T
- Four wire pairs required.
- (1,2) pair, (3,6) pair, (4,5) pair and (7,8) pair
- Both ends can transmit and receive simultaneously on each wire pair.
- Straight-through Cables: pin 1 to pin 1, pin 2 to pin 2 ... pin 8 to pin 8
- Crossover Cables: (1,2) to (3,6) | (3,6) to (1,2) | (4,5) to (7,8) | (7,8) to
(4,5)
- Ethernet data-link protocol defines the Ethernet frame: and Ethernet header at the front, the
encapsulated data in the middle, and an Ethernet trailer at the end.
Ethernet addressing:
- Sending node puts its own address in the source address field.
Media Access Control (MAC) addresses:

- 6 bytes (48 bits) long binary numbers
- 12-digit hexadecimal numbers (e.g. 0000.0C12.3456)
- Unicast Ethernet Address: MAC address that represents one interface to the Ethernet LAN
- Multicast Ethernet Address
- Broadcast Ethernet Address
MAC Address Assignment:

Step 1: Manufacturer asks IEEE to assign unique 3-byte code, called the Organizationally
Unique Identifier (OUI).
Step 2: Manufacturer agrees to assign all its NICs a MAC address beginning with the OUI.
Step 3: Manufacturer assigns unique last 3-byte value.
=> All MAC addresses of every device in the world is unique.
(Universal MAC address = Global MAC Address)
Ethernet Address =
- LAN Address
- Ethernet Address
- Hardware Address
- Burned-In Address (BIA): permanent MAC address that is encoded into the ROM chip on
the NIC
- Physical Address
- Universal Address: Emphasis of uniqueness of addresses
- MAC Address
Group Addresses
- Identification of more than one LAN interface card
- Frames can be sent to a set of devices on the LAN, or all devices on the LAN.
Broadcast address: Frames sent to this address should be delivered to all devices on the
Ethernet LAN. It has a value of FFFF.FFFF.FFFF
Multicast address: Frames sent to a multicast Ethernet address will be copied and forwarded
to a subset of the devices on the LAN that volunteers to receive frames sent to a specific
multicast address.
Ethernet Type Field
- Specifies Protocols
- IPv4, IPv6, DECnet, SNA, Novell NetWare
Error Detection with FCS

- Only field in data-link trailer
- Comparison of results of complex math formulas of both sending and receiving nodes
- Upon error detection => Discard frame
- Error Detection (FCS) != Error Recovery (TCP)
Full Duplex/Half Duplex - Sending Ethernet Frames With Switches And Hubs
Step 1: PC1 builds and sends the original Ethernet frame, using its own MAC address as the
source address and PC2's MAC address as the destination address.
Step 2: Switch SW1 receives and forwards the Ethernet frame out its G0/1 interface (short for
Gigabit interface 0/1) to SW2.
Step 3: Switch SW2 receives and forwards the Ethernet frame out its F0/2 interface (short for
Fast Ethernet interface 0/2) to PC2.
Step 4: PC2 receives the frame, recognizes the destination MAC address as its own, and
processes the frame.
Half duplex: The device must wait to send if it is currently receiving a frame; in other words,
it cannot send and receive at the same time.
Full duplex: The device does not have to wait before sending; it can send and receive at the
same time.
CSMA/CD
Step 1: A device with a frame to send listens until the Ethernet is not busy.
Step 2: When the Ethernet is not busy, the sender begins sending the frame.
Step 3: The sender listens while sending to discover whether a collision occurs; collisions
might be caused by many reasons, including unfortunate timing. If a collision occurs, all
currently sending nodes do the following:
A. They send a jamming signal that tells all nodes that a collision happened.
B. They independently choose a random time (16, backoff) to wait before trying
again, to avoid unfortunate timing.
C. The next attempt starts again at Step 1.
- Connection to hub requires a Half Duplex setting.

Chapter 3 - Fundamentals of WANs
Leased-Line WANs
- Similar to Ethernet crossover cables connecting two routers (full duplex)

- Forwards data between two routers
- Routers separate LAN and WAN.
- Crooked line in diagram represents 'no need to show any physical details of the line'
- Leased lines use two pairs of wires, one pair for each direction => Full Duplex operation
- Leased lines: companies pay monthly fees to use line
- Service provider: companies that provide WAN connectivity, including Internet services
- "Serial" = "Sequential"
- CO: Central offices - Telcos put equipment in COs

- Each customer sites has CPE (Customer Premises Equipment), including the router, serial
interface card and CSU/DSU (Channel Service Unit/Data Service Unit).
- Serial interface card: Router's Ethernet NIC-like card that sends/receives data over physical
link.
- CSU/DSU: Function that is integrated into serial interface card in router or sit outside router
as an external device
- Router >> short serial cable >> external CSU/DSU (using RJ-48 connector, similar to RJ-
45)
- Speeds are predefined - slower-speeds run at multiples of 64kbps, faster links run at
multiples of about 1.5Mbps
Building a WAN Link in a Lab

- DTE: Data Terminal Equipment cables, male connector, acts as straight-through cables
- DCE: Data Communications Equipment cable, female connector, acts as crossover cables
- Clocking: Router tells router exactly when to send each bit through signalling over the serial
cable.
Data-Link Details of Leased Lines

- Leased line provides a Layer 1 service.
- Two most popular data link layer protocols used for leased lines between two routers: High-
Level Data Link Control (HDLC) and Point-to-Point Protocol (PPP).
HDLC
- HDLC has less work than Ethernet data-link protocol because of point-to-point topology.
- HDLC frames can only go to one place: to other end of link
- Address field exists, but the destination is implied.
- International Organization for Standardization (ISO) made HDLC.
- ISO-standard HDLC does not have Type field.

- Cisco-proprietary variation of HDLC adds a Type field.
Step 1: PC1's network layer (IP) logic tells it to send the packet to a nearby router (R1).
Step 2: Router R1's network layer logic tells it to forward (route) the packet out the leased
line to Router R2 next.
Step 3: Router R2's network layer logic tells it to forward (route) the packet out the LAN link
to PC2 next.
- Three hops though the internetwork

Step 1: To send the IP packet to Router R1 next, PC1 encapsulates the IP packet in an
Ethernet frame that has the destination MAC address of R1.
Step 2: Router R1 de-encapsulates (removes) the IP packet from the Ethernet frame,
encapsulates the packet into an HDLC frame using and HDLC header and trailer, and
forwards the HDLC frame to Router R2 next.
Step 3: Router R2 de-encapsulates (removes) the IP packet from the HDLC frame,
encapsulates the packet into an Ethernet frame that has the destination MAC address of PC2,
and forwards the Ethernet frame to PC2.
HDLC
Pros Cons
- Simple for the customer - Higher cost
- Widely available - Typically, longer lead times to get the
- High quality service installed
- Private
Ethernet as a WAN Technology

- New IEEE improved Ethernet standards:
1000BASE-LX standard: uses single-mode fiber cabling, with support for a 5-km
cable length.
1000BASE-ZX standard: supports 70-km cable length.
- Ethernet used between customer site and the SP (Service Provider)'s network
- PoP: Point of Presence
- SP uses Ethernet switch instead of telco switch
- Ethernet emulation = EoMPLS (Ethernet over Multiprotocol Label Switching (MPLS))

EoMPLS provides:
- A point-to-point connection between two customer devices
- Behaviour as if a fiber Ethernet link existed between the two devices
- Forwarding IP packets from one site to another.

- Uses same Ethernet protocols (802.3) as the Ethernet LAN links at each site.
- Link uses the same Ethernet header and trailer.
- Each router discards old data-link header/trailer and re-encapsulates.
Step 1: To send the IP packet to Router R1 next, PC1 encapsulate the IP packet in an Ethernet
frame that has the destination MAC address of R1.
Step 2: Router R1 de-encapsulates (removes) the IP packet from the Ethernet frame and
encapsulates the packet into a new Ethernet frame, with a new Ethernet header and trailer.
The destination MAC address is R2's G0/0 MAC address, and the source MAC address is
R1's G0/1 MAC address. R1 forwards this frame over the EoMPLS service to R2 next.
Step 3: Router R2 de-encapsulates (removes) the IP packet from the Ethernet frame,
encapsulates the packet into an Ethernet frame that has the destination MAC address of PC2,
and forwards the Ethernet frame to PC2.
Accessing the Internet

- WAN technologies used to gain access to the Internet: Digital Subscriber Line (DSL) and
cable.
The Internet as a Large WAN

- Internet = one huge TCP/IP network.
- Internet core: LANs and WANs owned and operated by Internet Service Providers (ISP).
- ISP networks connect to customers and each other.
Internet Access (WAN) Links

- Internet Access Links: Some kind of WAN link that uses a cable or uses wireless
technology (phones)
- Business use Leased Lines
- Customers use DSL or Cable. (Also Internet access for businesses)
- Requires a pair of routers, customer side and ISP side.
Digital Subscriber Line

- Short (miles long but not tens of miles) high-speed link between telco customer and ISP
- Uses same single-pair telephone line used for a typical home phone line.
- Phone line: nearby telco CO <=> home
- Wall plates are often RJ-11 ports (skinnier cousin of RJ-45 connector).
- PSTN: Public Switched Telephone Network, provides infrastructure and services for public
telecommunication.
- [DSL-capable devices at home + DSL equipment at telco's CO] needed for 3-15 >> DSL
service
- DSL modem: sends data to/from the telco via physical and data link layer standards.
- Home-based router also needs to be able to send data to/from the Internet.
- Telephones now require short extra cable with filter installed at the wall jack to filter
higher electrical frequencies of DSL.
- DSLAM: Direct Subscriber Line Access Multiplexer, splits data to router and voice signals
to voice switch
- DSL supports asymmetric speeds, transmission speed from the ISP to home (downstream)
is much faster than the transmission toward the ISP (upstream).
- Clicking web page sends smaller data upstream and bigger data downstream.
Cable Internet
- Uses existing Cable TV (CATV) cable to send data.
- Uses asymmetric speeds.
- Short WAN links from customer to ISP
- Telephone line of DSL replaced by coaxial cable of CATV.
- DSL modem replaced by Cable modem.
- CATV company splits data to router and video from video dishes (to TVs)
Final Comparison: DSL vs CATV

DSL CATV
- Lower speeds - Faster speeds
- Cheaper cost - More cost
- Asymmetric speeds - Asymmetric speeds
- "Always on" service - can communicate - "Always on" service - can communicate
with Internet w/o the need to first take some with Internet w/o the need to first take some
action to start the Internet connection action to start the Internet connection
Chapter 4 - Fundamentals of IPv4

Addressing and Routing
Role of TCP/IP network layer
- IP routing: The process of hosts and routers forwarding IP packets (L3PDU), while relying
on the underlying LANs and WANs to forward the bits
- IP addressing: Addresses used to identify a packet's source and destination host computer.
Addressing rules also organize addresses into groups, which greatly assists the routing
process.
- IP routing protocol: A protocol that aids routers by dynamically learning about the IP
address groups so that a router knows where to route IP packets so that they go to the right
destination host.
- Other utilities: The network layer also relies on other utilities. For TCP/IP, these utilities
include DNS, ARP and ping.
Overview of Network Layer Functions

- IP focuses on logical details, rather than physical details (L2)
Network Layer Routing (Forwarding) Logic
- Path selection: Routing process in 4-1
- PC1's logic: 168.1.1.1 is not on the same LAN, so send to default router
- Default Router = Default Gateway
- R1 & R2's logic: compare destination IP address to IP routing table entries. Forward over
correct next LAN or WAN link according to matching entries.
- R3's logic: R3 forwards packet directly to PC2, which is on the same LAN.
How Network Layer Routing Uses LANs and WANs

- Network layer: bigger view of the goal
- Data link layer: specifics
- ARP: dynamically learns the data-link address of an IP host connected to a LAN.
Routing concepts
- process of forwarding L3PDU based on L3 address in packet
- process of encapsulating L3 packets to L2 frame for transmission
IP Addressing and How Addressing Helps IP Routing

- IP defines network layer addresses that identify any host or router interface.
- IP grouping: IP network, IP subnet
- Grouped by location and actual address values
- Router can list one routing table entry for each IP network or subnet, instead of every IP
address.
- IPv4 header: 20-byte source IP address and destination IP address.
Routing Protocols
- Hosts need to know IP address of default router
- Routers need to know routes
- Step 1: R3 sends routing protocol message to R2, with information of R3's network
- Step 2: R2 sends routing protocol message to R1, with information of R3's network.
IPv4 Addressing
Rules for IP Addresses
- IP host: any device that has at least one interface with an IP address
- IP address is a 32-bit number, in DDN (Dotted-Decimal Notation)
- Each DDN has 4 decimal octets (bytes), separated by periods
- Octet represents 8-bit number, has range of 0-255 inclusive
- NIC, wireless NIC, router interfaces have IP addresses for each interface
Rules for Grouping IP Addresses

- Left network: Network ID of 8.0.0.0
- Serial link between R1 & R2: Network ID of 199.1.1.0
- Routers define IP grouping
Class A, B, and C IP Networks

- Class A: First octet of 1-126
- Class B: First octet of 128-191
- Class C: First octet of 192-223
- Class D: Multicast addresses (packets to multiple hosts)
- Class E: Defined as reserved for future use
- Class A: more than 16 million hosts, 126 networks

- Class B: 65,534 addresses per network, 16,384 networks
- Class C: 254 addresses each, more than 2 million networks
The Actual Class A, B, and C IP Networks

- Network Identifier = Network ID
- Network ID: single DDN value per network
- Class A: first octet defines group

- Class B: first two octets define group
- Class C: first three octets define group
IP Subnetting
- Subnet = Subdivided Network
- Waste of many IP addresses
- One group of 254 addresses beginning with 150.9.1

IPv4 Routing
IPv4 Host Routing
- PC1 to PC11: PC1 >> SW >> PC11

- PC1 to PC2: PC1 >> Core Router >> Router B1 >> PC2
Router Forwarding Decisions and the IP Routing Table

A Summary of Router Forwarding Logic
- Router logic at Step 3: In which groups (networks/subnets) does this packet's destination
address reside?
A Detailed Routing Example

- All routers use Open Shortest Path First (OSPF) routing protocol
Step 1: PC1 places packet into Ethernet frame >> send to default router R1
Step 2: R1 checks FCS >> de-encapsulate Ethernet header and trailer >> compare routing
table entry >> encapsulate packet with next-hop router address in HDLC frame >> forward
packet out S0 on serial link to R2
Step 3: R2 checks FCS >> de-encapsulate HDLC header and trailer >> compare routing table
entry >> encapsulate packet with next-hop router address in Ethernet frame >> forward
packet out F0/0 on (EoMPLS) link
Step 4: R3 checks FCS >> de-encapsulates Ethernet header and trailer >> compare routing
table entry >> encapsulate packet with PC2's MAC address in Ethernet frame and forward
frame
IPv4 Routing Protocols

- Steps of routing protocols
Step 1: Each router adds a route to its routing table for each subnet directly connected to it.
Step 2: Each router's routing protocol tells its neighbours about routes in its routing table,
including directly connected routes and routes learned from other routers.
Step 3: After learning new route from neighbour, router's routing protocol adds route to its
own IP routing table, with next-hop router of that route typically being the neighbour from
which it was learned.
Step A: Subnet 150.150.4.0 is connected to Router R3

Step B: R3 adds a connected route for 150.150.4.0 to its IP routing table
Step C: R3 sends routing protocol message (routing update) to R2
Step D: R2 adds a route for 150.150.4.0 to its routing table with next-hop router of R3
Step E: R2 sends a routing update to R1
Step F: R1 adds route for 150.150.4.0, with Serial0 as outgoing interface and R2 as next-hop
router.
Other Network Layer Features

- Domain Name System (DNS)
- Address Resolution Protocol (ARP)
- Packet Internet Groper (ping)
Using Names and the Domain Name System

- TCP/IP defines ways to use hostnames to identify other computers
- Hostname: www.google.com
- IP address: 8.8.8.8
- DNS resolves hostnames to matching IP address
Step 1: PC11 sends DNS query for IP address of Server1 to DNS server
Step 2: DNS server sends back DNS reply with. Server1's IP address
Step 3: PC11 sends IP packet to destination address 10.1.2.3
- DNS query lists DNS server's IP
- Web browsing follow DNS naming standards
- DNS servers are distributed around the world
The Address Resolution Protocol

- ARP: any host or router on a LAN can dynamically learn MAC address of another IP host
or router on the same LAN.
- ARP request: "If this is your IP address, please reply with your MAC address."
- ARP reply: list both original IP address and the matching MAC address.
- R3's ARP reply is a LAN broadcast.
- Hosts keep ARP results in ARP cache or ARP table.
- arp -a command to see ARP cache
ICMP Echo and the ping Command

- ping command: tests basic network connectivity
- Ping (Packet Internet Groper) uses the Internet Control Message Protocol (ICMP) and sends
an ICMP echo request to another IP address.
- Computer with that IP sends an ICMP echo reply.
- Goal: to see if network can deliver a packet from one host to the other and back
- ICMP just tests basic IP connectivity (L1/2/3)
Chapter 5 - Fundamentals of
TCP/IP Transport and Applications
TCP/IP Layer 4 Protocols: TCP and UDP
- Most data-link protocols: Error Detection - discard frames
- TCP: Error Handling - retransmission
- TCP: Flow control - avoid congestion
- UDP: fewer bytes of overhead - VoIP, video over IP
Transmission Control Protocol

Pros Cons
- Error recovery - More bandwidth
- Flow control (windowing) - More processing cycles
- Multiplexing - More bytes in overhead networks
- Connection establishment/termination - Slower speed
- Ordered data transfer/segmentation
- TCP: RFC 793
- Adjacent-layer interaction with Application Layer
- TCP segment/L4PDU - message created by TCP that begins with TCP header
Multiplexing Using TCP Port Numbers

- Multiplexing: TCP & UDP
- Multiplexing: tells receiving computer to which application to give received data
Jessie's running applications:
- UDP-based advertisement application
- TCP-based wire-transfer application
- TCP web server application
- Problem: Jessie does not know which application to give data to.
- Solution: Use of port number fields in the TCP or UDP headers

Socket:
- IP address
- Transport protocol
- Port number
- Jessie's web server application: (10.1.1.2, TCP, port 80)
- Hannah's possible socket: (10.1.1.1, TCP, 1030)
- Port numbers 0 - 1023 are reserved for well-known applications
- Port numbers 1024 (- 49151) and up are dynamical port numbers
- Sockets allow multiplexing by creating unique connection between two computers.

- FTP, Telnet, listen for connection requests and clients need to know well-known port
numbers.
- www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
- 100 applications to 1 server, server uses source port of application as destination port
- WWW (World Wide Web): Web browsers accessing the content available on web servers
- DNS (Domain Name System): Users can refer to computers as their names, and DNS finds
corresponding IP address, client-server model
- SNMP (Simple Network Management Protocol): Network device management, Cisco Prime
uses SNMP to query network devices (query, compile, store and display information about
network's operation)
- TFTP (Trivial File Transfer Protocol): Protocol for basic file transfer, simple
- FTP (File Transfer Protocol): Many more features than TFTP, general choice
Connection Establishment and Termination

- Connection establishment: process of initializing Sequence and Acknowledgement fields
and agreeing on the port numbers used.
- Three-way connection establishment flow = three-way handshake
- Sockets: IP address (source/destination IP address)/ TCP (TCP header protocol field value)
is implied.
- SYN: Synchronize the sequence numbers
- ACK: Acknowledgement of establishment
- FIN: 'Finishing' of connection/ termination of connection
- Four-way handshake for TCP connection termination

- In case of long reply time, right PC sends ACK-FIN to acknowledge that left PC wants to
terminate connection
- UDP has no connection termination sequence
- TCP: connection-oriented protocol

- UDP: connectionless protocol
Error Recovery and Reliability

- Sequence Number field + Acknowledgement field = Reliability
Step 1: Web Browser encapsulates 1000 bytes of data with TCP header with Sequence
number of 1000 and sends to Web Server.
Step 4: Web Server sends TCP header with ACK value of 4000 to Web Browser.
- Web Server's ACK: "I received all data with sequence numbers up through one less than
4000, so I am ready to receive your byte 4000 next"
- TCP: forward acknowledgement, convention of acknowledging by listing next expected
byte
- TCP uses SEQ and ACK fields so receiving host can notice lost data >> ask sending host to
resend >> acknowledge that re-sent data arrived
Step 1: Web Server receives bytes 1000-1999 and 3000-3999, so it asks for missing data of
bytes 2000-2999 next with ACK value of 2000.
Step 2: Web browser sends missing data with SEQ of 2000
Step 3: Web server receives bytes 2000-2999, and asks for 4000 next with ACK value of
4000 (already received data + recently received data).
Flow Control Using Windowing

- Windowing: process of host telling sender how much data it can receive right now, to
control sending speed
- Sliding window or dynamic window: Receiver slides window size up/down
Step 1: Web Server sends Web Browser TCP header with ACK value of 1000 and window of
3000 (= send me bytes 1000 and up until SEQ value of 3000).
Step 2: Web Browser sends bytes 1000-3999, with segments with SEQ values of 1000, 2000,
3000.
Step 3: Web Server acknowledges receiving the data without error with an ACK value of
4000, and grants a new window of 4000.
Step 4: Web Browser can now send bytes 4000-7999 if necessary.
User Datagram Protocol

TCP UDP
- Multiplexing using port numbers - Multiplexing using port numbers
- Error recovery - No reliability/error recovery
- Flow control with windowing - No windowing
- Reordering of received data - No reordering of received data
- Segmentation of large chunks of data - No segmentation of large chunks of data
- Connection-oriented - Connectionless
- Slower speed - Faster speed
- More bandwidth/ bigger header - Less bandwidth/ smaller header
- VoIP: by the time of retransmission, too much delay of voice would have occurred
- DNS requests: user will retry if DNS fails
- NFS (Network File System): recovery is performed with application layer code
- Less work to do => Shorter header
TCP/IP Applications
- Purpose of connection to Internet is to use applications (web browsing, text messaging,
email etc.)
- Web servers: Storage of information (web pages)
- Web browser: End user software to connect to web server and display web pages
- Web browsers = web clients
Uniform Resource Identifiers

- Link & URI refer to URI
- Universal Resource Locator (URL), web address = (formal) URI
- Protocol: Hypertext Transfer Protocol (HTTP)

- Hostname: www.certskills.com
- Web page: blog
Finding the Web Server Using DNS
- Name inside URI needs to be resolved to corresponding IP address.
Step 1: The user enters the URI into the browser's address area.
Step 2: The client sends a DNS request to the DNS server (client learns DNS server's IP
address through DHCP), with a UDP header and DPort of 53.
Step 3: DNS server sends a reply, listing IP address of URI with Dest. IP address of client's
source IP address and UDP header with source port 53.
Step 4: Client begins establishment of TCP connection to web server. The packet includes
TCP header (since HTTP uses TCP) with DPort of 80 and SYN bit.
Transferring Files with HTTP

- Step 1: User sends HTTP GET request to server, listing filename
- Step 2: Server sends HTTP GET response, with return code of 200 (OK), 404 (File not
found) etc.
- Web pages consist of multiple files called objects.

- First file includes references to other URIs
- All HTTP commands flow over TCP connection => error recovery is provided
How the Receiving Host Identifies the Correct Receiving Application

- Different applications use different port numbers
- Encapsulation: Data >> HTTP header >> TCP header >> IPv4 header >> Ethernet header
- Ethernet Ether Type field: 0x0800 = IPv4 header
- IPv4 Protocol field: 6 = TCP header (17 = UDP header)
- TCP Destination Port Number field: 1024 = unique connection to HTTP
PART I REVISION
Terms Definition
Chapter 1
Adjacent-layer Interaction On a single computer, one layer provides a
service to a higher layer. The higher layer
requests that the next lower layer perform
the needed function. (HTTP & TCP)
De-encapsulation Process of discarding headers and/or
trailers.
Encapsulation Process of prepending/appending headers
and/or trailers.
Frame A data link layer protocol message and its
encapsulated data and header/trailer;
L2PDU.
Networking Model A networking model defines rules about
how each part of the network should work,
how the parts should work together so that
the entire network functions correctly.
Packet A network layer protocol message and its
encapsulated data and header; L3PDU.
Protocol Data Unit (PDU) The bits that include the headers and trailers
for a layer, as well as the encapsulated data.
Same-layer Interaction The process of two computers
communicating with the same layer. (TCP)
Segment A transport layer protocol message and its
encapsulated data and header; L4PDU
Chapter 2
Ethernet A family of LAN standards that together
define the physical and data link layers of
wired LAN technology. (IEEE 802.3)
Institute of Electrical and Electronics The institute that defines the standards of
Engineers (IEEE) the cabling, connectors on each end of the
cables, the protocol rules and everything
required to create an Ethernet LAN.
Wired LAN LANs that use wires to create physical
connections between devices.
Wireless LAN LANs that use wireless technology to create
connections between devices.
Ethernet Frame A message which contains encapsulated
data and Ethernet header/trailer.
10BASE-T Twisted-pair cables that run at 10 Mbps
(802.3, copper, 100m)
(802.3u, copper, 100m)
(802.3ab, copper, 100m)
Fast Ethernet Common name for 100BASE-T
Gigabit Ethernet Common name for 1000BASE-T or
1000BASE-LX.
Ethernet Link Any physical cable between. two Ethernet
nodes.
RJ-45 Connectors that exist on both ends of cables
and has 8 pin positions.
Ethernet Port Ports in which Ethernet connectors can
connect to.
Network Interface Card (NIC) A computer hardware component that
connects a computer to a computer network.
Straight-through Cable A cable used when both nodes send and
receive on different pins.
Crossover Cable A cable used when both nodes send and
receive on same pins.
Ethernet Address A MAC address.
MAC (Media Access Control) Address 12-digit hexadecimal (48-bit long binary)
numbers which are the physical address of a
device.
Unicast Address An address that represents a single interface
to the Ethernet LAN.
Broadcast Address Frames sent to this address should be
delivered to all devices on the Ethernet
LAN, and has a value of FFFF.FFFF.FFFF.
Frame Check Sequence (FCS) A way for nodes to detect errors and discard
frames if necessary.
Full Duplex The device does not have to wait before
sending; it can send and receive at the same
time.
Half Duplex The device must wait to send if it is
currently receiving a frame; in other words,
it cannot send and receive at the same time.
Chapter 3
Leased Line Full duplex lines that companies (service
providers) pay monthly fees to use it.
Wide-area Network (WAN) WANs connect devices that a far apart.
Telco Telecommunications company; telephony
and data communications provider
Serial Interface
High-level Data Link Control (HDLC) A data link protocol to control the correct
delivery of data over a physical link
Digital Subscriber Line (DSL)
Cable Internet
Ethernet over MPLS (EoMPLS)
CSU/DSU
CPE
DTE Data terminal equipment; Serial cables used
between router and external CSU/DSU,
straight-through cable, male connector
DCE Data communications equipment; crossover
cable, serial cable connecting router and
external CSU/DSU with DTE, female
connector
Chapter 4
Default Router (Default Gateway) The router that a device sends its frames to
when the receiving node is outside the
LAN.
Routing Table The table that keeps the logs of routes (e.g.
next-hop router address for subnet)
IP Network
IP Subnet
IP Packet
Routing Protocol Protocols that help routers to learn routes
for all IP networks and subnets.
Dotted-decimal Notation (DDN) Decimal numbers that are separated by dots.
IPv4 Address
Unicast IP Address The IP address of a single interface.
Subnetting
Hostname
Domain Name System (DNS)
Address Resolution Protocol (ARP)
Packet Internet Groper (ping)
Chapter 5
Connection Establishment
Error Detection
Error Recovery
Flow Control
Forward Acknowledgement
Hypertext Transfer Protocol (HTTP)
Ordered Data Transfer
Port
Segment
Sliding Windows
Uniform Resource Identifier (URI)
Web Server
Part II - Implementing
Basic Ethernet LANs
Chapter 6 - Using the Command-
Line Interface
Accessing the Cisco Catalyst Switch CLI
- CLI: Command-Line Interface; text-based interface in which the user sends commands to
the device.
Cisco Catalyst Switches

- 2960-X typical usage in campus LAN design
- Interface type: Ethernet (Eth)/Fast Ethernet (Fa)/Gigabit Ethernet (Gi) etc.
- Interface number: two digit (x/y) or three digits (x/y/z)
Accessing the Cisco CLI

- Internetwork Operating System (IOS)
- Ways of connection: console, Telnet, Secure Shell (SSH)
- Console: cabling/physical port
- Telnet & SSH: IP network
Cabling the Console Connection

- Three main components: physical console port on the switch, physical serial port on the PC,
cable that works with console/serial ports.
- Three types of cables: Newer connectors on PC and switch, older connectors on both, newer
USB connector on PC, older connector on switch
- Left: RJ-45 console port >> UTP rollover cable (pins: 1-8, 2-7, 3-6 etc.) >> D-shell
connector (nine pins, a.k.a. DB-9)
- Centre: RJ-45 console port >> UTP rollover cable >> USB converter >> USB cable >>
USB port
- Right: USB console port >> USB cable >> USB port
- Terminal emulator software on PC

- Emulator configurations (8N1):
Accessing the CLI with Telnet and SSH

- Console cables to console ports - X, IP network - O
- Telnet client - Terminal application
- Telnet server - Device e.g. switch
Telnet SSH
- Uses IP network connection - Uses IP network connection
- Uses a terminal emulator - Uses a terminal emulator
- All data is sent in clear-text and no data is - Contents of all messages, including
encrypted. passwords, are encrypted.
- Uses TCP port 23 - Uses TCP port 22
User and Enable (Privileged) Modes

- User EXEC mode: default mode when accessing CLI
- Enable mode: accessed via enable command and password, powerful commands may be
executed, e.g. reload command.
- reload command does not work in user mode, but does in enable mode.
- Use enable command to switch to enable mode.
Password Security for CLI Access from the Console

- By default, switch has no password for console and enable mode for users connecting via
console.
- Getting physical access = complete control over switch
- Two places for password: when user connects from console & when user moves to enable
mode.
- show running-config: lists current configuration in switch

- enable secret love: define password for enable mode as 'love'
- line console 0: identifies the console; "these next commands apply to the console only"
- login: perform simple password checking at the console
- password faith: defines password for console as 'faith'
CLI Help Features

- command = any command & parm = a command's parameter
- When you enter ?, Enter key does not need to be pressed
- You can get help in each configuration submode, and the configuration mode
- Commands are stored in history buffer, ten commands by default

The debug and show Commands
- show lists current operational status, of almost every feature of Cisco IOS
- debug command tells user operational details

- show lists status at one instant of time, debug lists current, live messages
Configuring Cisco IOS Software- --

- User mode: Non-disruptive commands, displays some information
- Privileged mode: Superset of commands, disruptive commands
- Configuration mode: Changes configuration
Configuration Submodes and Contexts

- Global configuration mode: initial mode
- Interface configuration mode: interface command, e.g. interface FastEthernet 0/1
- Subcommands, e.g. interface subcommands
- configure terminal: Move from enable mode to global configuration mode

- hostname Fred: Configure switch's name
- line console 0: Move from global configuration mode to console line configuration mode
- password hope: Set console's password to 'hope'
- interface FastEthernet 0/1: Move from console configuration mode to interface
configuration mode
- speed 100: Set speed to 100 Mbps for Fa0/1
- exit: Move from interface configuration mode to global configuration mode
- Global commands: Only one configuration per switch, e.g. hostname

- Configuration subcommands: Configuration can apply. to different switch interfaces etc.,
e.g. speed
Storing Switch Configuration Files

- RAM (Random-Access Memory) or DRAM (Dynamic Random-Access Memory): Working
storage; running (active) configuration files storage
- Flash memory: Default location of switch's Cisco IOS at boot time; storage for other files
e.g. backup copies of configuration files
- ROM (Read-Only Memory): Storage for bootstrap (boothelper) when switch first powers
on; loads Cisco IOS into RAM
- NVRAM (Nonvolatile RAM): Initial/startup configuration file on switch's first power on or
reload
- Configuration commands stored in configuration file.
- Configuration mode changes only running-config file, and power loss = loss of
configuration => copy running-config file to NVRAM
Step 1: Running-config & startup-config have hostname 'hannah' though hostname hannah
command
Step 2: hostname jessie in configuration mode
Step 3: show running-config & show startup-config show different hostname
Copying and Erasing Configuration Files

- copy running-config startup-config: overwrites current startup-config file with current
running-config file
- write erase or erase startup-config or erase nvram:: erases the startup-config file, then
use reload command to empty running-config as well
Chapter 7 - Analysing Ethernet

LAN Switching
LAN Switching Concepts
- Campus LAN: Supports end users, switches sit in wiring closets near end users
- Data Centre LAN: Servers in data centers connect to LAN
Figure 7-1 Campus LAN and Data Centre LAN, Conceptual Drawing
Overview of Switching Logic

- Switch's main goal: Forward frames to correct MAC addresses
- Switch port = Switch interface
Forwarding Known Unicast Frames

Step 1: Fred sends a frame with destination address 0200.2222.2222 (Barney)
Step 2: The switch compares the destination MAC address to the MAC address table
Step 3: The matched table entry tells the switch to forward the frame out only port F0/2.
Step 4: The switch filters (does not send) on F0/3 and F0/4
- MAC address table = switching table, bridging table, Content-Addressable Memory (CAM)
table
Step 1: Fred sends a frame with destination address 0200.3333.3333 on F0/1

Step 2: SW1 compares the destination MAC address to the MAC address table
Step 3: The matched table entry tells SW1 to forward the frame out only port G0/1
(Repeat)
Step 4: SW2 receives a frame with destination address 0200.3333.3333 from SW1 on G0/2
Step 5: SW2 compares the destination MAC address to the MAC address table
Step 6: The matched table entry tells SW2 to forward the frame out only port F0/3
- Known unicast frames/ known unicasts: the destination address is a unicast address, and the
destination is known.
Learning MAC Addresses

- Switch adds unknown source MAC address from frame to MAC address table
Step A1: Fred sends a frame with destination address 0200.2222.2222 and source address of
0200.1111.1111
Step A2: Switch adds unknown source address 0200.1111.1111 to MAC address table with
F0/1 as the outgoing interface
(Step A3: Switch floods frame to every port except the incoming port)
Step B1: Barney sends a frame with destination address 0200.1111.1111 and source address
of 0200.2222.2222
Step B2: Switch adds unknown source address 0200.2222.2222 to MAC address table with
F0/2 as the outgoing interface
(Step B3: Switch sends frame out port F0/1)
Flooding Unknown Unicast and Broadcast Frames

- Flooding: switch forwarding the frame out all interfaces except the incoming interface
- Unknown unicast frame or unknown unicast: frame whose destination address is unknown
to the switch
- Switch floods unknown unicasts
- Switch floods LAN broadcast frames (FFFF.FFFF.FFFF)
Avoiding Loops Using Spanning Tree Protocol

- STP: loop prevention
- All switches have empty MAC address tables

Step 1: Larry sends a frame with destination address of Bob
Step 2: Larry's Switch floods the frame out all interfaces except incoming interface
Step 3: Archie's and Bob's switches receive and flood the frame out all interfaces except
incoming interface
Step 4: The frame rotates in both directions until Bob sends a reply and his MAC address is
stored in the MAC address tables
- States of STP:
- Blocking state: interface can't forward or receive data frames
- Forwarding state: interface can send and receive data frames
LAN Switching Summary
Verifying and Analysing Ethernet Switching

- Cisco Catalyst switch from factory is ready to send frames with power cable, Ethernet
cables
- Default settings:
- The interfaces are enabled by default
- All interfaces are assigned to VLAN 1
- 10/100 and 10/100/1000 interfaces use autonegotiation (two connected devices
agree on speed, duplex mode, flow control and other transmission parameters) by default
- MAC learning, forwarding, flooding logic works by default
- STP is enabled by default
Demonstrating MAC Learning

- show mac address-table: lists all known MAC addresses in the MAC table
- show mac address-table dynamic: lists all dynamically learned MAC addresses only
- How to simulate a newly unboxed switch:
- erase startup-config - erase startup-config file
- delete vlan.dat - delete VLAN configuration
- reload - reload the switch
- MAC Address + Port columns = MAC address with matching ports
- Type column: dynamic or static

- VLAN column: when frame enters via port in VLAN 1, the switch will only forward or
flood that frame out other ports in VLAN 1
Switch Interfaces
- show interfaces status - Lists statuses of interfaces
- Cisco Catalyst switches name their ports based on the fastest specification
- Connected state and notconnected state (port not functioning)
- show interfaces f0/1 status - lists status of f0/1
- show interfaces f0/1 counters - lists number of unicast, multicast and broadcast frames of
f0/1
Finding Entries in the MAC Address Table

- show mac address-table dynamic address address: shows a specific, dynamically MAC
address entry in the MAC address table
- show mac address-table dynamic interface interface: shows all dynamically learned
MAC address entries from a particular port in the MAC address table
- show mac address-table dynamic vlan vlan number: shows dynamic MAC address table
entries for one VLAN
Managing the MAC Address Table (Aging, Clearing)

- Switches remove entries that have not been used for a defined aging time (default 300
seconds)
- Switches reset inactivity timer to 0 for entry if incoming frame has source MAC address of
entry
- show mac address-table count: shows amount of dynamic and static MAC addresses in
the MAC address table
- MAC address table uses Content-Addressable Memory (CAM)
- If table is full, to add a new table entry, the switch times out (removes) oldest table entry.
- clear mac address-table dynamic: Removes dynamic entries from the MAC address table
MAC Address Tables with Multiple Switches

Chapter 8 - Configuring Basic
Switch Management
- Data plane: the work a switch does to forward frames
- Control plane: configurations and processes that control and change choices made by data
plane
- Management plane: Managing of the device itself
Securing the Switch CLI

- If you have access to console port of switch, you have control over switch physically
- Protection of user mode + enable mode
- Switch needs IP address configuration for Telnet SSH
- Login security:
- Securing user mode and enable mode with simple passwords
- Securing user mode access with local usernames
- Securing user mode access with external authentication access
- Securing remote access with Secure Shell (SSH)
Securing User Mode and Privileged Mode with Simple Passwords

- Default settings prevent Telnet and SSH users from accessing user mode
- Simple shared password with no username

- Console password for console users and vty password (Telnet password) for Telnet users
- Shared passwords: people tell (share with) new worker the password, all appropriate staff
know the passwords
- enable password for enable command
Step 1: Enter console or vty line configuration mode with line console 0 or line vty 0 15
Step 2: Define a password for the console or vty with password password-value
Step 3: Enable the use of a simple shared password (no username) with login
- Enable password configuration: enable secret password-value in global configuration mode
Securing User Mode Access with Local Usernames and Passwords

- Local username/password option & external authentication servers
- Local username/password option for Telnet and SSH
Step 1: Define username and password with username name password pass-value or
username name secret pass-value
Step 2: Enter console or vty line configuration mode with line console 0 or line vty 0 15
Step 3: Enable local username/password login with login local
Securing User Mode Access with External Authentication Servers

- Local usernames/passwords need to be individually configured each change
- AAA server: Authentication, Authorization and Accounting server
Step 1: Telnet or SSH user inputs username and password at login

Step 2: Switch asks whether username and password are allowed.
Step 3: AAA server replies to the switch stating validity of username/password
Step 4: Switch logins in the user if username/password is allowed
- AAA server uses RADIUS or TACACS+ protocol, all are encrypted
Securing Remote Access with Secure Shell

- vty local login configuration affects both Telnet and SSH
Step 1: Enter global configuration mode and define the hostname with hostname name
Step 2: Define the domain name of the switch using ip domain-name example.com
Step 3: Generate the SSH encryption keys with crypto key generate rsa [modulus modulus-
value]
- FQDN: Fully Qualified Domain Name, hostname of a host + domain name
- transport input all or transport input telnet ssh: Support both Telnet and SSH
- transport input none: Support neither Telnet nor SSH (Cisco router default)
- transport input telnet: Support only Telnet
- transport input ssh: Support only SSH
- ip ssh version 2: Support only SSHv2 (default is both 1 and 2)
- show ip ssh: lists status information about SSH server itself

- show ssh: lists information about each SSH client currently connected into the switch
Enabling IPv4 for Remote Access
- Switch needs IP address to support overhead management traffic (e.g. SNMP: Simple
Network Management Protocol)
Host and Switch IP Settings

PC Switch
- CPU - CPU
- OS running on CPU - OS (IOS) on CPU
- Ethernet NIC - Switched Virtual Interface (SVI) or VLAN
- IP address associated with NIC interface
- By using VLAN 1 for IP configuration, switch can send/receive frames on any ports in
VLAN 1
- VLAN up/up state: VLAN enabled + physical port

- VLAN up/down state: VLAN enabled + no physical port
- Host logic when sending IP packets
- To send IP packets to hosts in the same subnet, send them directly
- To send IP packets to hosts in a different subnet, send them to the local router; that
is, the default gateway
- Switch uses IP address 192.168.1.200 on VLAN 1

- Switch (255.255.255.0) needs to configure default gateway setting pointing to R1
(192.168.1.1 255.255.255.0, same subnet) to send packets to host A
Configuring IPv4 on a Switch

- Switch configures IPv4 address and mask on VLAN interface
- [no] shutdown: enables/disables an interface
Configuring a Switch to Learn Its IP Address with DHCP

- DHCP: Dynamic Host Configuration Protocol
- Steps to enable DHCP on interface
Step 1: Enter VLAN 1 configuration mode using interface vlan 1 in global
configuration mode.
Step 2: Enable the interface with no shutdown
Step 3: Assign an IP address and mask using ip address dhcp
Verifying IPv4 on a Switch

- Ways to check switch IPv4 configuration
1. show running-config: check current configuration
2. show interfaces vlan x: IP address and mask information and detailed status
information about VLAN x
3. show dhcp lease: check temporarily leased IP address
- Up/up state (no shutdown) vs "administratively down" (shutdown)
- When DHCP fails, IP address after show interfaces vlan x is not listed
Miscellaneous Settings Useful in Lab
History Buffer Commands
- Displays recently used commands
The logging synchronous, exec-timeout, and no ip domain-lookup Commands

- IOS default: displays unsolicited (not asked for) syslog messages on the console's screen at
any time (while typing command, in the middle of a show command output etc.)
- no logging console: disables unsolicited syslog messages, global command
- logging console: enables unsolicited syslog messages, global command
- logging synchronous: displays syslog messages with show command output, console line
subcommand
- Telnet/SSH default: automatic disconnection of console and vty users after 5 minutes of
inactivity
- exec-timeout minutes seconds: sets length of inactivity timer, 0 stands for "never time out",
line subcommand
- IOS default: mistype of command => switch tries DNS name resolution on IP hostnames,
tries to Telnet to a host by that name, takes about a minute to return to normal state
- no ip domain-lookup: disables IOS's attempt to resolve the mistyped hostname into IP
address, global configuration command
Chapter 9 - Configuring Switch

Interfaces
Configuring Switch Interfaces
Configuring Speed, Duplex, and Description
- Duplex {auto | full | half}: Configure duplex of interface
- speed {auto | 10 | 100 | 1000}: Configure speed of interface
- description text: Adds text description to interface
- FastEthernet 0/1 (Fa0/1): - Lists configured description

- Lists configured speed of 100
- Lists configured duplex of full
- Lists status of notconnect
- FastEthernet 0/2 (Fa0/2): - Default configuration
- Lists speed auto (pre-autonegotiation)
- Lists duplex auto (pre-autonegotiation)
- Lists status of notconnect
- FastEthernet 0/4 (Fa0/4): - Default configuration
- Lists speed a-100 (post-autonegotiation)
- Lists duplex a-full (post-autonegotiation)
- Lists status of connected
Configuring Multiple Interfaces with the interface range Command
- interface range interface-type lowest-interface-id - highest-interface-id (int ran): Defines a
range for the next set of subcommands if all interfaces are the same type and are numbered
consecutively
Administratively Controlling Interface State with shutdown

- shutdown (shut): Disable interface
- no shutdown (no shut): Enable interface
- show interfaces status output: State: disabled

- show interfaces output: FastEthernet 0/1 is administratively down
Removing Configuration with the no Command

- no speed: Sets interface speed to default configuration = speed auto
- no duplex: Sets interface duplex to default configuration = duplex auto
- no description: Sets interface description to default configuration = no text description
- show running-config and show startup-config do not show default configurations
Autonegotiation
- Autonegotiation commands: speed auto and duplex auto
Autonegotiation Under Working Conditions

- Both ends need to use the exact same standards (same speed, same duplex)
- IEEE autonegotiation protocol (802.3u), same wiring pinouts for 10BASE-T and
100BASE-T and 1000BASE-T adds two pairs to those pinouts
- PC1:
- Switch top speed: 1000 Mbps
- PC1 NIC top speed: 10 Mbps
- Autonegotiation: speed - 10 Mbps, duplex - full
- PC2:
- PC3:
Autonegotiation Results When Only One Node Uses Autonegotiation

- Configuring both speed and duplex on a Cisco switch interface disables autonegotiation
- IEEE autonegotiation rules for autonegotiation failures
- Speed: Use slowest supported speed
- Duplex: If your speed = 10 or 100, use half duplex; otherwise use full duplex
- Cisco switch autonegotiation rules for autonegotiation failures
- Speed: Sense the speed, but if that fails, use IEEE default of slowest supported speed
- Duplex: IEEE defaults: If your speed = 10 or 100, use half duplex; otherwise use full
duplex
- PC1:
- Speed: Switch senses speed of 100 Mbps and uses 100 Mbps
- Duplex: Since speed = 100 Mbps, use half duplex
- PC2:
- Speed: Switch senses speed of 1000 Mbps and uses 1000 Mbps
- Duplex: Since speed = 1000 Mbps, use full duplex
- PC3:
- Speed: Switch senses speed of 10 Mbps
- Duplex: Since speed = 10 Mbps, use half duplex
- Duplex mismatch: PC1 uses full duplex while switch uses half duplex. PC1 does not use
CSMA/CD (only for half duplex) and switch port will believe collisions occur on the link,
even if none physically occur. The link is up, but it performs poorly
Autonegotiation and LAN Hubs

- Hubs do no react to autonegotiation messages
- Devices connected to hub must use IEEE rules for default settings (often 10 Half)
Port Security
- Examination of source MAC address so only expected devices can use interface
- MAC addresses can be predefined to be allowed

- Sticky secure MAC addresses: port security learns MAC addresses off each port and stores
them in port security configuration (running-config file)
Configuring Port Security
- Access ports: Only 1 VLAN can connect to it at once

- Trunk ports: 2 or more VLANs can connect to it at once
- switchport port-security: Enables port security, with all defaults

- switchport mode access {access | trunk}: Configure the port as an access or trunk port
- switchport port-security mac-address mac-address: Defines an allowed specific source
MAC address
- switchport port-security mac-address sticky: Tells the switch to dynamically learn source
MAC addresses and add port-security commands to the running-config
- F0/1:
- Access port
- Port security enabled with default configurations
- Source MAC address 0200.1111.1111 is allowed (and is the only allowed source
MAC address; default maximum MAC addresses is 1)
- F0/2:
- Access port
- Sticky learn source MAC addresses
- F0/3:
- Access port
- F0/4:
- Trunk port
- Maximum number of source MAC addresses is 8
Verifying Port Security

- show port-security interface interface-type interface-number: Lists configuration settings
for port security on an interface
- Port F0/1 is in secure-shutdown state because a violation occurred on F0/1 and is disabled
because of maximum MAC addresses
- switchport port-security mac-address sticky mac-address: Adds a MAC address to sticky
learned MAC addresses
Port Security Violation Actions

- switchport port-security violation {protect | restrict | shutdown}: Define additional
actions interface should take in case of violation
- IOS displays error disabled (err-disabled) state instead of no shutdown

- To recover from err-disabled state, someone needs to manually do shutdown and then no
shutdown to disabled and enable the interface
Port Security MAC Addresses as Static and Secure but Not Dynamic
- Switch port configured with port security does not consider dynamic entries in show mac
address-table dynamic
- show mac address-table secure: Lists MAC addresses associated with ports that use port
security
- show mac address-table static: Lists MAC addresses associated with ports that use port
security, as well as any other statically defined MAC addresses
Part II Revision
Key Terms You Should Know
Key Terms Definition
Chapter 6
Command-Line Interface (CLI)
Telnet
Secure Shell (SSH)
Enable mode
User mode
Configuration mode
Startup-config file
Running-config file
Chapter 7
Broadcast frame
Known unicast frame
Spanning Tree Protocol (STP)
Unknown unicast frame
MAC address table
Forward
Flood
Chapter 8
Local username
AAA
AAA server
Default gateway
VLAN interface
History buffer
DNS
Name resolution
Log message
Chapter 9
Port security
Autonegotiation
10/100
10/100/1000
Part III - Ethernet LANs:

Design, VLANs and
Troubleshooting
Chapter 10 - Analysing Ethernet
LAN Designs
Analysing Collision Domains and Broadcast
Domains
Ethernet Collision Domains
10BASE-T with Hub

- Uses cabling star topology
- Hub does not look at the frame, but forwards the regenerated electrical signal out all ports
except the incoming port
- Connected devices must use CSMA/CD to prevent collision

Step 1: Larry sends a frame to the hub
Step 2: The hub repeats frame to all ports except incoming port (Archie and Bob)
Step 1A: Archie sends a frame to Hub 1

Step 1B: Bob sends a frame to Hub 1 at the exact same time as Archie
Step 2: The two forwarded frames collide as they get forwarded to Larry at the same time
- All devices connected to the hub are in one collision domain
Ethernet Transparent Bridges

- Bridges sat between hubs and divided the network into multiple collision domains
- Bridges separate instances of CSMA/CD so each collision domain can have one sender at a
time, thus increasing the capacity
- Bridge uses CSMA/CD rules

- Bridge separates collision domains; each interface is a separate collision domain
Ethernet Switches and Collision Domains

- Switches are faster, enhanced version of bridges
- Switch collision domains that use full duplex has no collisions; CSMA/CD is not needed
- Each interface of a switch is a separate collision domain
- Each LAN interface (not apply to WAN) of a router is a separate collision domain
The Impact of Collisions on LAN Design
Ethernet Broadcast Domains

- If all switch ports are assigned to VLAN 1, broadcast frames would flow to all the
connected devices
- Hubs forward broadcast frames (repeats on all non-incoming ports)

- Bridges and switches flood LAN broadcasts
- Routers do not forward Ethernet broadcast frames; they separate a network into separate
broadcast domains
Virtual LANs
- LAN: A LAN consists of all devices in the same broadcast domain
- VLANs create multiple broadcast domains; switch forwarding logic does not forward
frames from one VLAN to another VLAN
- Routers must forward packets between VLANs using routing logic
- Two disconnected switches are required to create broadcast domains without VLANs
- switchport access vlan 2: puts switch interfaces into VLAN 2
The Impact of Broadcast Domains on LAN Design

- Less broadcast domains => More interruption to CPU to process broadcasts
- More broadcast domains => Less devices affected by broadcast
Analysing Campus LAN Topologies

- Campus LAN: LAN created to support devices in close proximity
- Considerations: Cable length, cable speed, cable type, expenses etc.
Two-Tier Campus Design (Collapsed Core)
The Two-Tier Campus Design
- Uplink: A link that leads from a small network to a larger network

- Downlink: A link that leads from a large network to a smaller network
- Access switches: Connects directly to end users; sends traffic to and from end-user devices
to and from distribution switches
- Distribution switches: Provides a path through which the access switches can forward traffic
to each other (often 2 per access switch); forwards traffic to other parts of LAN (often 2+
uplinks to distribution switches)
- Two-tier design's solution to two major design needs
- Provides a place to connect end-user devices (access layer)
- Connects the switches with a reasonable number of cables and switch ports by
connecting access switches to a few distribution switches
Topology Terminology Seen Within a Two-Tier Design
- Two-tier design
- Star topology at access layer
- Partial mesh topology at distribution layer
- Overall, is a hybrid design
- Full mesh requires many links and many switch ports
- Links in full mesh formula: N(N - 1) / 2

- Ports in full mesh formula: 2N(N - 1) / 2
Three-Tier Campus Design (Core)

- Collapsed core = no core tier
- Instead of core tier, distribution switches can be cabled together with full mesh or partial
mesh
- Three-tier core design uses less switch ports and cables
- N.B.: Core switches often sit in the same room as distribution switches
- Core tier uses partial mesh
- Three-tier designs are a hybrid design
- Access layer: Provides connection point for end-user devices; does not forward frames
between other access switches
- Distribution layer: Provides connectivity to the rest of the devices in the LAN for access
switches; forwards frames between switches, but does not connect directly to end-user
devices
- Core layer: Aggregates distribution switches in large campus LANs
Topology Design Terminology
- Star topology: devices connecting to a single centralised device

- Partial mesh: group of nodes that connect with more links than a star topology, but not all
nodes have a direct link between each other
- Full mesh: a design that connects all nodes with a link
- Hybrid design: combination of different topologies in one network
Analysing LAN Physical Standard Choices

- Access switches in locked wiring closets connect to end-user devices via UTP
Ethernet Standards
- Wired LAN standards: IEEE 802.3
Choosing the Right Ethernet Standard for Each Link

- Considerations for choice of cable:
- The speed
- The maximum distance allowed between devices when using that standard/cabling
- The cost of the cabling and switch hardware
- The availability of that type of cabling already installed at your facilities
- TIA (Telecommunications Industry Association) cable categories:
- 10BASE-T: CAT3 or better
- 100BASE-T: CAT5 or better
- 1000BASE-T: CAT5e or better
UTP Optical cabling

Pros - Cheaper cost - Longer maximum
distances
- Higher speed
- Less outside interference
Cons - Shorter distances - Higher cost
- Lower speed
- More outside interference
Wireless LANs Combined with Wired Ethernet

- Describe the impact of infrastructure components in an enterprise network: Access points
and wireless controllers
Home Office Wireless LANs

- Wireless standards: IEEE 802.11 (Wi-Fi)
- Wireless router features:

- Ethernet switch: for wired Ethernet connections
- Wireless Access Point (AP): for communication with wireless devices and forward
frames to/from wired network
- Router: to route IP packets to/from LAN/WAN interfaces
- Autonomous wireless AP communicates with wireless devices with 802.11 protocols and
radio waves, and converts header formats between 802.11 and 802.3
- Autonomous AP must perform control and management functions e.g. authentication of
new devices, definition of name of WLAN (Service Set ID, SSID) etc.
Enterprise Wireless LANs and Wireless LAN Controllers

- Household APs disconnect user if they are out of range, and do not connect user to others'
secured APs
- Enterprise APs allow user to roam around building and office campus while connected to
Wi-Fi network
- AP coverage: approx. 30m to 60m
Step 1: User connects to Wireless AP connected to A1

Step 2: User moves around the building, and connects to Wireless AP connected to A3 with
roaming feature
- Autonomous APs are removed of their control and management features => Lightweight
APs (LWAPs)
- Control and management features are moved to Wireless LAN Controllers (WLCs)
- Wireless LAN Controller (WLC): Controls and manages all AP functions (e.g. roaming,
defining WLANs, authentication)
- Lightweight AP (LWAP): Forwards data between wired and wireless LAN; forwards data
specifically through the WLC with protocol (e.g. Control And Provisioning of Wireless
Access Points (CAPWAP))
- WLC: centralised control/management functions

- Phone => LWAP1 (=> Switch) => WLC (Roaming) (=> Switch) => LWAP4 => Phone
Chapter 11 - Implementing
Ethernet Virtual LANs
Virtual LAN Concepts
- LAN: A LAN includes all devices in the same broadcast domain
- VLANs create multiple broadcast domains with a single switch; broadcast frames from one
VLAN does not get forwarded to other VLANs
- VLAN Advantages:
Creating Multiswitch VLANs Using Trunking

- VLAN trunking: Use of VLAN tagging by adding a VLAN Identifier (VLAN ID) field to
frames sent on same cable but directed to different VLANs
- Without VLAN trunking: Each VLAN needs a separate physical link, and separate ports on
each switch
VLAN Tagging Concepts

- Switches treat VLAN trunk links as part of all VLANs
- SW1 adds VLAN header with VLAN ID of 10 to send broadcast frames to SW2, which can
then flood out all ports in VLAN 10
Step 1: PC11 sends Ethernet broadcast frame to SW1

Step 2: SW1 adds a VLAN header with VLAN ID of 10 to Ethernet header and sends it out
G0/1, which is the only port except incoming port that is in VLAN 10
Step 3: SW2 receives the frame, determines that the frame's VLAN ID is 10, and sends it out
all ports in VLAN 10 (Fa0/1 and Fa0/2)
The 802.1Q and ISL VLAN Trunking Protocol

- Cisco supported trunking protocols: IEEE 802.1Q (more popular) and Inter-Switch Link
(ISL, 2960 switch does not use)
- 802.1Q inserts extra 4-byte 802.1Q header
- Usable VLAN IDs: 1 - 4094

- All switches can use normal-range VLANs: 1 - 1005
- Some switches can use extended-range VLANs: 1006 - 4094
- Native VLAN: VLAN 1; 802.1Q does not add 802.1Q header to frames in native
VLAN
- Native VLANs let switches that do not understand 802.1Q headers to at least pass traffic in
native VLAN
Forwarding Data Between VLANs

- Layer 2 switch: forwards data based on layer 2 logic; cannot send frames between VLANs
on its own
- Layer 3 switch/Multilayer switch: forwards data based on layer 2 and layer 3 logic; can
send frames between VLANs on its own
Routing Packets Between VLANs with a Router

- Devices in same VLAN need to be in same subnet
- Layer 2 switches do not forward L2PDUs to other VLANs

- Layer 3 routers forward L3PDUs to other VLANs
- Router routes packets between VLANs via two physical links and two ports: one link and
port for each VLAN
- Routers use subnets to separate VLANs
- VLAN trunking used by routers: saves physical links and ports

- Router-on-a-stick design: single physical link connected to LAN switch
- X - "Routing packets between VLANs."
- O - "Routing Layer 3 packets between Layer 3 subnets, with those subnets each mapping to
a Layer 2 VLAN."
Routing Packets with a Layer 3 Switch

- Problem with Layer 2 switch with router: router may not be able to route a large number of
pps (packets per second)
- Layer 3 switch: Does both Layer 2 switching and Layer 3 routing
- Layer 3 switch = Layer 2 switch + Layer 3 router + intermediary cables
VLAN and VLAN Trunking Configuration and

Verification
- No configuration needed for VLAN 1
- Configuration required for multiple VLANs
Creating VLANs and Assigning Access VLANs to an Interface

- Switch must have nontrunking interfaces (access interfaces) and/or trunks that support the
VLAN
- Example configuration of VLAN 11, VLAN 12, VLAN 13:
Step 1: Create three VLANs with vlan 11, vlan 12 and vlan 13
Step 2: For each interface, assign it to a VLAN with switchport access vlan 11 (or 12
or 13)
- Default VLAN = VLAN 1
VLAN Configuration Example 1: Full VLAN Configuration

- Configuring VLAN 2:
- show vlan brief: Shows vlan statuses; in this case, default settings
- vlan 2: Creates a VLAN with VLAN ID 2
- name Freds-vlan: Defines VLAN name as Freds-vlan
- interface range fastethernet 0/13 - 0/14: Selects interfaces F0/13 and F0/14 as applicant
for next set of subcommands
- switchport access vlan 2: Assigns F0/13 and F0/14 to VLAN 2
- switchport mode access: Assigns F0/13 and F0/14 as always being access (nontrunking)
ports
- show vlan id 2: displays information for VLAN 2
VLAN Configuration Example 2L Shorter VLAN Configuration

- switchport access vlan 3 without doing vlan 3 first dynamically creates VLAN 3 with
default name VLAN0003
VLAN Trunking Protocol

- VTP advertises each VLAN configured in one switch
- Many enterprises choose not to use VTP
- vtp mode transparent: sets switch to use VTP transparent mode
- vtp mode off: sets switch to disable VTP
- show vtp status: shows the VTP status
- If switch uses VTP server or client mode:
- VTP server switches can configure VLANs in the standard range only (1 - 1005)
- VTP client switches cannot configure VLANs
- Both servers and clients may be learning new VLANs from other switches, and
seeing their VLANs deleted by other switches, because of VTP
- show running-config does not list any vlan commands
VLAN Trunking Configuration

- Static configuration: switchport mode trunk or switchport mode access (to disable
trunking)
- Dynamic configuration:
- Type of trunking: IEEE 802.1Q, ISL or negotiate
- Administrative mode: Always trunk, always not trunk, or negotiate
- Cisco switches that support ISL and 802.1Q negotiate which to use using DTP (Dynamic
Trunking Protocol)
- If both switches use both protocols, they use ISL, otherwise they use protocol that both
support
- switchport trunk encapsulation {dot1q | isl | negotiate}: statically configures or allows
DTP to negotiate the type
- Administrative mode: configuration setting for whether trunking should be used
- Operational mode: refers to what is currently happening on the interface
- If both switches are set to dynamic auto, when one switch is set to dynamic desirable,
trunking negotiation begins, and trunking is used
- show interfaces interface-id switchport: Lists settings of interface

- "Administrative Mode: dynamic auto" : Interface is configured to receive negotiation
messages and respond accordingly
- "Operational Mode: static access" : Interface is currently in access mode
- "Administrative Trunking Encapsulation: dot1q" : Interface is currently using 802.1Q
- "Operational Trunking Encapsulation: native" : Interface does not tag frames; it is in access
mode so no trunking protocol headers are required
- show interfaces trunk: lists all currently operational trunk interfaces
- switchport mode dynamic desirable: tells switch to both negotiate as well as begin the
negotiation process
- Interface goes down and back up again to change from one mode to another
- "Administrative Mode: dynamic desirable" : switch is configured to initiate negotiation
process
- "Operation Mode: trunk" : switch is currently negotiated to be in trunk mode
- "Administrative Trunking Encapsulation: dot1q" : switch is configured to use 802.1Q
tagging
- "Operational Trunking Encapsulation: dot1q" : switch is currently using 802.1Q tagging
- show interfaces trunk now displays dynamic desirable configured G0/1
- Disabling trunk negotiation on most ports provide better security

- switchport nonegotiate: disables DTP negotiations
Implementing Interfaces Connected to Phones

- When using IP telephony, switch's Ethernet port acts like an access port and a trunk
Data and Voice VLAN Concepts

- Before IP telephony: phone used UTP cabling connected to voice device (called voice
switch or private branch exchange [PBX]) and PCs connected to LAN switch in wiring
closet, sometimes with voice switch
- IP telephony: telephones using IP packets to send and receive voice

- IP phones connected to IP network via Ethernet cable and built-in Ethernet port
- Cisco Unified Communication Manager
- Problems of transition to IP phones:
- Older non-IP phones used UTP that didn't support 100-Mbps or 1000-Mbps Ethernet
- Single UTP cable from PC to wiring closet => two cables for PC and IP phone
- Installation of new cables to every desk was expensive and required more switch
ports
- Solution: embedding of small three-port switches into each phone
- PC => Patch cable => IP phone embedded switch => Ethernet UTP cable => Ethernet
switch
- IP phone switch port acts as an access link for PC's traffic and trunk for phone's traffic
Data and Voice VLAN Configuration and Verification

- F0/1 - F0/4 data and voice VLAN configuration
- CDP must be enabled on interface for voice access port to work with Cisco IP phones; CDP
is enabled by default
- show interfaces switchport command displays voice VLAN configuration
- switchport mode access: statically configures the administrative mode to always be an

access port
- switchport access vlan 10: Assigns port to data VLAN 10
- switchport voice vlan 11: Assigns port to voice VLAN 11
- show interfaces type number switchport: proclaims "Operational Mode: static access"
- show interfaces type number trunk: lists status as not-trunking, but VLANs 10 and 11 are
allowed on the trunk
Summary: IP Telephony Ports on Switches

Chapter 12 - Troubleshooting
Ethernet LANs
- Four technical topics:
- Analysing switch interfaces and cabling
- Predicting where switches will forward frames
- Troubleshooting port security
- Analysing VLANs and VLAN trunks
Perspectives on Applying Troubleshooting
Methodologies
- Troubleshooting methods
Troubleshooting on the Exams

- Exams: (a) fix the problem (b) answer a multichoice question
- Sim questions: Fixing or completing broken configuration
- Simlet questions: Verify current operation of network and answer multichoice questions
A Deeper Look at Problem Isolation

- Simlet questions may require 5 - 10 show commands
- ping 10.1.1.2 command verifies network connection
- ping commands test whether the IP network can deliver packets in both directions
- Can PC1 resolve the hostname?

- Routing steps:
- Step 1: PC1 sends packet to its default gateway (R1) via switches in between
because the destination IP address of web server is in a different subnet
- Step 2: R1 forwards packet to next-hop router R2 based on R1's routing table via
serial link
- Step 3: R2 forwards packet to web server based on R2's routing table (same
subnet)
- Step 4: Web server sends a packet back toward PC1 to default gateway R2
- Step 5: R2 forwards packet destined for PC1 by forwarding packet to R1 according
to R2 routing table
- Step 6: R1 forwards packet to PC1 based on R1's routing table
- Failure at steps 1,3,4 or 6: root cause relates to Ethernet or Layer 2 issues
- Failure at steps 2.5: root cause relates to routers or Layer 3 issues
- What engineer needs to determine to isolate root causes:
- The MAC address of PC1 and R1's LAN interface
- The switch interfaces used on SW1 and SW2
- The interface status of each switch interface
- The VLANs that should be used
- The expected forwarding behaviour of a frame sent by PC1 to R1 as the destination
MAC address
Troubleshooting as Covered in This Book

- Examining interface status and statistics: determination of whether an interface is working,
and potential root causes for a failed switch interface
- Analysing where switches will forward frames: analysis of switch's MAC address table and
prediction of how a switch will forward a particular frame
- Analysing port security: Knowledge of what behaviour will happen when a violation
occurs, and how to know if it is happening right now or not
- Analysing VLANs and VLAN trunking: Knowledge of what can go wrong with VLANs
and VLAN trunks
Analysing Switch Interface Status and Statistics
- Cisco switches do not use interfaces at all unless the interface is first considered to be in a
functional or working state
Interface Status Codes and Reasons for Nonworking States

- Two-code status: show interfaces and show interfaces description: lists two-code status
(line status and protocol status, L1 status and L2 status)
- Single-code status: show interfaces status: lists connected state for working interfaces
- Some root causes of cabling problems:

- EMI of equipment
- Damaged cable
- Macrobending of cable (bending into too tight a shape)
Interface Speed and Duplex Issues

- Switch/router disables autonegotiation when both speed and duplex are statically configured
- show interfaces status: shows if duplex was autonegotiated or statically configured

- show interfaces type number: shows duplex is enabled but does not state whether it was
autonegotiated or statically configured
- Duplex mismatch: one interface uses autonegotiation, another uses static configuration;
speeds are autonegotiated to be the same, but duplexes are autonegotiated to be different
- Duplex mismatch will still display up/up (connected) state

- Half duplex device uses CSMA/CD logic, believes collision has happened when they
physically have not
How CSMA/CD responds to duplex mismatch:
Half-duplex device: SW1
Full-duplex device: SW2
Step 1: SW1 sends frame to SW2
Step 2: SW2, able to receive and send simultaneously, sends frames to SW1 while
receiving frame from SW1
Step 3: SW1 receives frames from SW2 when it is sending and CSMA/CD issues a jam
signal
Step 4: SW1 waits a random amount of time before retrying; process loops to provide poor
performance
Common Layer 1 Problems on Working Interfaces

- Interface counters: helps identify problem even at up/up state
- CRC (Cycle Redundancy Check) error: frames that do not pass FCS error detection =>
discarded
- Collisions counter: natural collisions when using CSMA/CD

- Duplex mismatch counters
- Late collisions: when collision happens after switch sends first 64 bytes of a frame
- Runts: when less than the minimum amount of bytes arrive
- Input errors: total count of runts/giants/no buffer/CRC/frame overrun/ignored counts
- CRC: if not all data arrives and FCS and CRC is wrong
- When late collision counter increases: duplex mismatch suspected
- When CRC counter increases and collisions do not: interference on the cables suspected
Predicting Where Switches Will Forward Frames

Predicting the Contents of the MAC Address Table
- Beginning of formal troubleshooting process: prediction of flow of frames
- show mac address-table dynamic: lists dynamically learned MAC addresses (if port
security is disabled)
- Barney 0200.2222.2222>> In SW1 Fa0/12 >> Out SW1 Gi0/1 >> In SW2 Gi/02 >> Out
SW2 Fa0/13 >> In R1 Gi0/1 0200.5555.5555
Analysing the Forwarding Path
Is interface on up/up state?

Is portYes
security Port cannot send/receive
configured? frames. No
Yes
Apply port security logic No
to filter frames as
appropriate Is the port an access
port?
YesIs the frame a No
(A)
Determine interface's Known unicast?
Determine the frame's
access VLAN. (B) Unknown unicast? tagged VLAN.
(C) Broadcast?
(A) (B) or (C)
Forward frame out only Flood frame out all other
matched address table access ports except
entry. incoming port in same
VLAN and allowed
trunks.
- Example of Barney sending to R1 (default gateway) via SW2

- SW1 Step 1
- A: Port does not have port security enabled
- B: SW1 receives frame on its Fa0/12 interface, an access port in VLAN 10
- SW1 Step 2:
- A: SW1 finds a MAC address table entry for 0200.5555.5555 in VLAN 10,
outgoing interface Gi0/1, so SW1 forwards frame out only Gi0/1 (trunk,
802.1Q header added)
- SW2 Step 1:
- A: Port does not have port security enabled
- B: SW2 receives frame on Gi0/2 interface, a trunk, with 802.1Q header and
VLAN ID of 10
- SW2 Step 2:
- A: SW1 finds a MAC address table entry for 0200.5555.5555 in VLAN 10,
outgoing interface Fa0/13, so SW1 forwards frame out only Fa0/13
Analysing Port Security Operations on an Interface

- ACL: Access Control Lists; examination of packets/frames and discarding of them
- Port security filter features:
- Limit which specific MAC addresses can send/receive frames on switch interface
(discard if not allowed)
- Limit the number of MAC addresses using the interface (discard if over maximum
limit)
- Combination of the two
Step 1: Identify all interfaces on which port security is enabled (show running-config or
show port-security)
Step 2: Determine whether a security violation is currently occurring based on the violation
modes
- A: shutdown: Interface is put to err-disabled state, with port security port status
secure-down
- B: restrict: Interface remains in connected state, port security port status would be
secure-up, but show port-security interface displays incrementing violations counter
- C: protect: Interface remains in connected state, but show port-security interface
will not display an incrementing violations counter
Step 3: Compare port security configurations to diagram and Last Source Address field in
show port-security interfaces
Troubleshooting Shutdown Mode and Err-disabled Recovery

- Err-disabled: switchport port-security violation shutdown or default configured,
violation has occurred and no traffic is allowed
- show port-security interface: secure-shutdown = violation, no traffic, shutdown

configured
- shutdown and no shutdown: Recovers interface, resets violation counter to 0
- Last Source Address helps identify MAC address of error
Troubleshooting Restrict and Protect Modes

- Restrict/protect remains in up/up state and secure-up state => forwards good traffic, discard
offending traffic
- show port-security: reveals practically nothing about discarding traffic

- IOS shows indication of port security activity: incrementing violation counter, port security
syslog message
- Common problems: low maximum number of MAC addresses, misconfiguration of MAC

addresses
Analysing VLANs and VLAN Trunks

- To forward frames in VLAN:
- Switch must know about a VLAN
- VLAN must be active
- If using trunk, trunk must currently allow that VLAN to pass over the trunk
Ensuring That the Right Access Interfaces Are in the Right VLANs
- Determine which switch interfaces are access interfaces, determine assigned access VLANs
on each interface, and compare information to documentation
- show vlan and show vlan brief does not list operational trunks
- show mac address-table: lists MAC address table, with each entry including a MAC
address, interface and VLAN ID (use if show vlan and show interface switchport are not
available)
- switchport access vlan vlan-id assigns interface to correct VLAN if needed
Access VLANs Not Being Defined

- Switches do not forward frames for:
- (a) Not configured VLANs
- (b) Configured but disabled (shut down) VLANs
- VLAN configuration: vlan number or VTP learning
- VLAN listing: show vlan lists all VLANs known to switch, show running-config does not
list VTP servers and clients
Access VLANs Being Disabled

- VLAN state values:
- active: VLAN is operational and active
- act/lshut: VLAN is shut down, switch will not forward frames in that VLAN
- [no] shutdown or [no] shutdown vlan number: disables/enables VLAN
Mismatched Trunking Operational States

- Issue 1: when both switches use switchport mode dynamic auto; both will passively wait
for negotiation messages
- Issue 2: when one switch has operational state of "trunk" and other has operational state of
"static access"; status on each end will be up/up or connected, traffic in native VLAN will
cross successfully, traffic in all other VLANs will not
- switchport mode trunk does not disable DTP negotiations; switchport nonegotiate
required to disable DTP negotiations
- SW1 Gi0/1: "trunk", SW2 Gi0/2: dynamic desirable but autonegotiation is denied, so it
uses "static access" => all frames received by SW2 Gi0/2 that has an 802.1Q header is
discarded
- Solution: check both operational states using show interfaces trunk and show interfaces
switchport and re-configure if necessary
Part III Revision
Vocabulary List
Terms Definitions
Chapter 10
Autonegotiation
Broadcast domain
Broadcast frame
Collision domain
Flooding
Virtual LAN
Access point
Wireless LAN controller
Star topology
Full mesh
Partial mesh
Hub
Transparent bridge
Collapsed core design
Core design
Access layer
Distribution layer
Core layer
Chapter 11
802.1Q
Trunk
Trunking administrative mode
Trunking operational mode
VLAN
VTP
VTP transparent mode
Layer 3 switch
Access interface
Trunk interface
Data VLAN
Voice VLAN
Chapter 12
Up and up
Connected
Error disabled
Problem isolation
Root cause
Duplex mismatch
Resolve
Escalate
Part IV - IP Version 4
Addressing and Subnetting
Chapter 13 - Perspectives on IPv4
Subnetting
Introduction to Subnetting
- Subnetting: Chopping (subnetting) a large network into smaller pieces and assign subnets to
different parts of the enterprise internetwork
Subnetting Defined Through a Simple Example

- Class A network, Class B network, Class C network
- Class B network example: Everything beginning with 172.16
- Class B subnet example: Everything beginning with 172.16.1
Operational View Versus Design View of Subnetting

- Design view: designing how IP addressing and subnetting would work for enterprise
network
- Operational view: taking other's design and interpreting it
Analyse Subnetting and Addressing Needs

- Four basic questions:
1. Which hosts should be grouped together into a subnet?
2. How many subnets does this network require?
3. How many host IP addresses does each subnet require?
4. Will we use a single subnet size for simplicity, or not?
Rules About Which Hosts Are in Which Subnet

- Every interface using IP network requires an IP address
- Rules:
- R1 separates Subnet 1 and Point to Point WAN link

- R2 separates Point to Point WAN link and Subnet 3
- Routers connect to multiple subnets (LAN/WAN) to forward packets
Determining the Number of Subnets

- Engineer should plan for one subnet for every
- 2 EoMPLS subnets, 1 serial link subnet + at least one subnet (native VLAN) for LAN at
each site
- 12 (central site VLANs) + 3 X 2 (branch VLANs) + 2 (EoMPLS WAN links) + 1 (serial

WAN link) = total 21 subnets
- Subnetting plans need to include reasonable estimated growth of number of subnets
Determining the Number of Hosts per Subnet

- Population at site, number of devices etc. helps to calculate hosts per subnet
- Hosts in subnet = hosts IP address + router interface IP address + switch IP address. used to
remotely manage switch
- Largest branch has 50 hosts/subnet, so all other smaller branches need around 50 hosts
One Size Subnet Fits All - Or Not

- Subnet's size/length = number of usable IP addresses in the subnet
Defining the Size of a Subnet

- Subnet mask defines size of subnet
- Subnet mask sets aside host bits to number different host IP addresses in that subnet
- When H = host bits, the subnet contains 2H unique numeric values
- Subnet size= 2H-2 (numeric values - subnet number (lowest) - subnet broadcast address
(highest))
- Subnet number = subnet ID = subnet address
One-Size Subnet Fits All

- The one mask needs to provide enough host IP addresses to support the largest subnet
- Largest subnet: 200 host addresses

- 2H-2 (when H = 8) = 254, 254 > 200
- Therefore, 8 host bits are required when using one subnet mask across all subnets
Advantages Disadvantages
- Provides operational simplicity - Wastes IP addresses (solution: private IP
- IT staff can get used to working with one networks)
mask
Multiple Subnet Sizes (Variable-Length Subnet Masks)

- Different masks, different numbers of host bits, different number of hosts in some subnets
- Largest subnet: 8 host bits (28 - 2 = 254)

- Smaller subnets: 6 host bits (26 - 2 = 64)
- Point-to-point WAN links: 2 host bits (22 - 2 = 2)
- Still some addresses are wasted as they need to be exponents of 2
This Book: One-Size Subnet Fits All (Mostly)

- Makes process of learning subnetting easier
- Calculating number of subnets in the classful network only make sense when single mask is
used
Make Design Choices
- Know how many subnets are needed => know how many host addresses are in largest
subnet => know that single-size subnet masks are used => ...
Choose a Classful Network

- Public classful IP networks => private IP networks
Public IP networks
- Company requests for registered public IP network, either a Class A, B, or C network
- Company has universally unique IP address
- No duplicate addresses exist
Growth Exhausts the Public IP Address Space

- IPv4 address exhaustion:
- IANA, which assigns public IPv4 address blocks to the five RIR (Regional Internet
Registries) around the globe, assigned the last of its IPv4 address in 2011
- ARIN, RIR for North America, exhausted its supply of IPv4 addresses by 2015
- Companies had to return unused public IPv4 addresses to ARIN before they can re-
assign them to new companies
- Possible solutions:
- Duplicates of private networks can exist, communicate with the Internet, and even
communicate with each other
- NAT translates IP addresses inside packets using a small number of public IP addresses to
support tens of thousands of private IP addresses
NAT translates a private IP address to a single public IP address.
When it receives a packet, it compares the port number to its NAT translations table and
forwards it to the matching private IP address.
Private IP Networks
- Will never be assigned to an organisation as a public IP network
- Can be used by organisations that will use NAT when sending packets into the Internet
- Can also be used by organisations that never need to send packets into the Internet
Choosing an IP Network During the Design Phase

- Private network does not have penalties for wasting IP addresses
Choose the Mask

Design engineer should know the following
- The. number of subnets required
- The number of host/subnet required
- That a choice was made to use only one mask for all subnets, so that all subnets are the
same size (same number of hosts/subnet)
- The classful IP network number that will be subnetted
Classful IP Networks Before Subnetting

- Private IP address vs public IP address
- The addresses have the same value in the network part
- The addresses have different values in the host part
- Size of unsubnetted Class A, B, or C network:

- Class A: 224 - 2 = 16,777,214
- Class B: 216 - 2 = 65,534
- Class C: 28 - 2 = 254
Borrowing Host Bits to Create Subnet Bits

- Some of host bits are used as subnet bits (ratio can be changed)
- Network bits are locked at 8, 16, 24

- Host bits and subnet bits are not locked
Choosing Enough Subnet and Host bits

- Gathered information to determine number of subnet/host bits
- Number of subnets required
- Number of hosts/subnet
- Subnet bits: 2S = no. of subnets
- Host bits: 2H - 2 = no. of hosts/subnet
- 2S only used when single mask is used for all subnets
Example Design: 172.16.0.0, 200 Subnets, 200 Hosts

- So far:
- Use a single mask for all subnets
- Plan for 200 subnets
- Plan for 200 host IP addresses per subnet
- Use private Class B network 172.16.0.0
- At least 8 subnet bits for 200 subnets (max. 256)
- At least 8 host bits for 200 hosts/subnet (max. 254)
Masks and Mask Formats

- Number of binary 0s equals the number of host bits, e.g.
11111111.11111111.11111111.00000000 (255.255.255.0)
- Subnet mask cannot have interleaved 0s and 1s
Build a List of All Subnets

- Group of consecutive IP address
- Network 172.16.0.0
- Mask 255.255.255.0 (for all subnets)
Plan the Implementation

- Which subnet should be used for each VLAN at site?
- For interfaces that require static IP addresses, which addresses should be used in each case?
- What range IP addresses from inside each subnet should be configured in the DHCP server,
to be dynamically leased to host for use as their IP address?
Assigning Subnets to Different Locations
- Prefix /24: first 24 bits are the same, i.e. 11111111.11111111.11111111.00000000

(255.255.255.0)
- Organisation of subnets, specifically geographic organisation allows route summarisation
Choose Static and Dynamic Ranges per Subnet

- Static configuration vs DHCP lease
- Static IP addresses on lower end, DHCP-assigned IP addresses on higher end of subnet
- Subnet ID: .0
- Static: .1 - .100
- DHCP: .101 - .254
- Subnet broadcast: .255
Chapter 14 - Analysing Classful

IPv4 Networks
Classful Network Concepts
- With a single IP address, you can find out its:
- Class (A, B, or C)
- Default mask
- Number of network octets/bits
- Number of host octets/bits
- Number of host addresses in the network
- Network ID
- Network broadcast address
- First and last usable address in the network
IPv4 Network Classes and Related Facts

- Class A, B, C: Unicast addresses
- Class D: Multicast addresses
- Class E: Reserved for future use
- 128 Class A networks, with 0.0.0.0 and 127.0.0.0 reserved
The Number and Size of the Class A, B, and C Networks

- Number of networks from each class significantly differs
- Size of networks from each class significantly differs
Address Formats
- Address structure: network part (prefix) and host part
- E.g. 10.0.0.0 has locked first octet and variable last three octets
Default Masks
- Default mask = network bits as 1s, host bits as 0s
Number of Hosts per Network

- For H host bits, 2H unique combinations exist
- Network ID and network broadcast address is reserved
Deriving the Network ID and Related Numbers

- Four key numbers that can be derived from a single IP address:
- Network number
- First (numerically lowest) usable address
- Last (numerically highest) usable address
- Network broadcast address
- First usable address = network number + 1
- Last usable address = network broadcast address - 1
- Step 1: Find out which class network it is

- Step 2: Divide octets into network part and host part
- Step 3: Set all host octets to 0 (network ID)
- Step 4: Add 1 to fourth octet of network ID (first usable)
- Step 5: Set all host octets to 255 (network broadcast)
- Step 6: Subtract 1 from fourth octet of network broadcast address (last usable)
Unusual Network IDs and Network Broadcast Addresses

- Reservation of 0.0.0.0 and 127.0.0.0
- 128.0.0.0 is still Class B network
- 223.255.255.0 is Class C network
Chapter 15 - Analysing Subnet

Masks
Subnet Mask Conversion
Three Mask Formats
- Binary subnet mask rules:
- Illegal values: 10101010 01010101 11110000 00001111, 00000000 00000000 00000000

11111111
- Legal values: 11111111 00000000 00000000 00000000, 11111111 11111111 11111111
00000000
- DDN values: 255.0.0.0, 255.255.255.0
- Prefix values: /8, /24
- Prefix = prefix mask = CIDR (Classless Interdomain Routing) mask = slash mask
Converting Between Binary and Prefix Masks
Converting Between Binary and DDN Masks

- For each octet, perform a decimal-to-binary conversion
- Do decimal-binary conversion OR memorise nine possible decimal values possible
Converting Between Prefix and DDN Masks

- Prefix => binary => DDN
Identifying Subnet Design Choices Using Masks

- Subnet: all IPv4 addresses that have the same value in the prefix part of their IPv4 addresses
Masks Divide the Subnet's Addresses into Two Parts
- Separation of host part and prefix with subnet mask
Masks and Class Divide Addresses into Three Parts

- Subnet part divides prefix into network part and subnet part
- Subnet 10.1.1.0 with subnet mask 255.255.255.0: 10.1.1 is subnet, .x is host
Classless and Classful Addressing
Calculations Based on the IPv4 Address Format

- Hosts in the subnet: 2H - 2, where H is the number of host bits
- Subnets in the network: 2S, where S is the number of subnet bits. Only use this formula if
only one mask is used throughout the network
- Address 200.1.1.1, mask 255.255.255.252
- Prefix = /30
- Class = Class C
- Network bits = 24
- Subnet bits = 30 - 24 = 6
- Host bits = 32 - 30 = 2
- Hosts/subnet = 22 - 2 = 2
- Subnets in network = 26 = 64
Chapter 16 - Analysing Existing

Subnets
Defining a Subnet
An Example with Network 172.16.0.0 and Four Subnets

- Subnet ID = resident subnet
- Because each subnet uses a single mask, all subnets must be the same size
Subnet ID Concepts
- Router advertises subnet ID/mask and stores in IP routing table
Subnet Broadcast Address
Range of Usable Addresses

- Subnet ID + 1 = First usable
- Subnet broadcast - 1 = Last usable
Analysing Existing Subnets: Binary

- With IP address and subnet mask, find:
- Subnet ID
- Subnet broadcast address
- Range of usable addresses
Finding the Subnet ID: Binary

- All numbers in the subnet have the same value in the prefix part of the numbers
- The subnet ID is the lowest numeric value in the subnet, so its host part, in binary, is all 0s
- Binary subnet ID: all host bits changed to 0
- Binary subnet broadcast address: all host bits changed to 1
- Step 1: Convert prefix into binary (/18 => 11111111.11111111.11000000.00000000)

- Step 2: Convert IP address to binary (172.16.150.41 => 10101100 00010000 10010110
00101001)
- Step 3: For all prefix bits in the IP address, leave it (10101100 00010000 10010110
00101001)
- Step 4: For all host bits in the IP address, set it to 0 (10101100 00010000 10000000
00000000)
- Step 5: Convert 8 bits at a time, into DDN form (10101100 00010000 10000000 00000000
=> 172.16.128.0)
Finding the Subnet Broadcast Address Binary

- Set all host bits to 1
- Step 1: Convert prefix into binary (/18 => 11111111.11111111.11000000.00000000)

- Step 2: Convert IP address to binary (172.16.150.41 => 10101100 00010000 10010110
00101001)
- Step 3: For all prefix bits in the IP address, leave it (10101100 00010000 10010110
00101001)
- Step 4: For all host bits in the IP address, set it to 1 (10101100 00010000 10111111
11111111)
- Step 5: Convert 8 bits at a time, into DDN form (10101100 00010000 10111111
11111111=> 172.16.191.255)
Binary Practice Problems
Shortcut for the Binary Process

- Subnet ID and subnet broadcast address are equal to the IP address in octets for which the
DDN mask is 255
- Subnet ID and subnet broadcast address are equal 0 in octets for which the DDN mask is 0
Brief Note About Boolean Math

(optional fact)
- How computers calculate subnet ID and subnet broadcast address
- Perform a Boolean AND of the IP address and mask. This process converts all host bits to
binary 0.
- Invert the mask, and then perform a Boolean OR of the IP addresses and inverted subnet
mask. This process converts all host bits to binary 1s.
Finding the Range of Addresses

- First usable = subnet ID + 1
- Last usable = subnet broadcast address - 1
Analysing Existing Subnets: Decimal

Analysis with Easy masks
- Easy masks: 255.0.0.0, 255.255.0.0, 255.255.255.0
- Finding subnet ID:
- Step 1: If the mask octet = 255, copy the decimal IP address
- Step 2: If the mask octet = 0, write a decimal 0
- Finding subnet broadcast address:
- Step 1: If the mask octet = 255, copy the decimal IP address
- Step 2: If the mask octet = 0, write decimal 255
Predictability in the Interesting Octet

- "Interesting octet" = non-0 and non-255 octets
- Subnet ID is only predictable when single-size subnet masks are used

Mask Pattern
255.255.128.0 Multiples of 128
255.255.192.0 Multiples of 64
255.255.224.0 Multiples of 32
255.255.240.0 ... Multiples of 16 ...
Finding the Subnet ID: Difficult Masks
Resident Subnet Example 1

- Example for IP address 130.4.102.1, mask 255.255.240.0
- Step 1: If the DDN mask octet = 255, copy the DDN octets (130.4._._)
- Step 2: If the DDN mask octet = 0, turn octet into 0 (130.4._.0)
- Step 3: Find the closest multiple of (256 - mask octet) to IP address octet (256 -240 = 16,
closest multiple = 96 => 130.4.96.0)
Practice Analysing Existing Subnets

A Choice: Memorise of Calculate
Part IV Revision
Key Terminology
Terminology Definition
Chapter 13
Subnet
Network
Classful IP network
Variable-length subnet masks (VLSM)
Network part
Subnet part
Host part
Public IP network
Private IP network
Subnet mask
Chapter 14
Network number
Network ID
Network address
Network broadcast address
Network part
Host part
Default mask
Chapter 15
Binary mask
Decimal mask
Prefix mask
CIDR mask
Classful addressing
Classless addressing
Chapter 16
Resident subnet
Subnet ID
Subnet number
Subnet address
Subnet broadcast address
Part V - Implementing
IPv4
Chapter 17 - Operating Cisco
Routers
Installing Cisco Routers
- Routers are capable of forwarding packets end to end through. a network; main feature of
network layer
- Routers forward packets by connecting to various physical network links, like Ethernet,
serial links, and Frame Relay
Installing Enterprise Routers
- At least one LAN switch at each site for end-user support

- Connection to WAN link for provision of remote connectivity
- Routers use UTP cable with straight-through pinout

- Integrated or external CSU/DSU (Channel Service Unit/Data Service Unit)
- Telco leased line with RJ-48 connector connects to router or CSU/DSU
Cisco Integrated Services Routers

- Integrated services routers: routers providing many network services
- ISR = router for WAN/LAN connectivity + LAN. switch for local network + VoIP services
for IP phones + Wi-Fi access for wireless connectivity + security services
- NIM (Network Interface Module): interface
Physical Installation
- Router has on/off switch
Installing Internet Access Routers

- SOHO "router" connects LAN end-users to high-speed Internet
- Requirements: UTP cables, CATV cables, DSL cables, cable modem, DSL modem
- Consumer-grade SOHO routers =
- Router
- Switch
- Cable or DSL modem
- Wireless access point
- Hardware-enabled encryption
Enabling IPv4 Support on Cisco Router Interfaces

Accessing the Router CLI
- Accessing router CLI = accessing switch CLI
- Same commands:
- Different commands:
- L2: show mac address-table

- L3: show ip route
Router Interfaces
Switch Router
- Supports Ethernet LAN interfaces of - Supports serial interfaces, cable TV, DSL,
various speeds (fa0/1, gi0/1) 3G/4G wireless, Ethernet interfaces etc.
- Point-to-point serial link can use: HDLC (default) or PPP
- Referring to interfaces
- interface ethernet 0
- interface fastEthernet 0/1
- interface gigabitethernet 0/0
- interface serial 1/0/1
- show ip interface brief: interface, IP address, OK?, method, line & protocol status
- show interfaces [interface-id]: detailed list of statistics of interface
- sh int fa0/0= show interfaces fastethernet 0/0
- description text: sets description for interface
Interface Status Codes

- up/up required to function
Router Interface IP Addresses

- Basic configuration to route
- Enable interface with no shutdown (default: shutdown)
- Configure IP address and mask (default: no IP address and mask)
- Cisco routers attempt to route IP packets for any interfaces that are in an up/up state and
that have an IP address/mask assigned
- ip address address mask: configures address and mask
- show protocols: lists status and IP address of interfaces
Bandwidth and Clock Rate on Serial Interfaces

- Clocking: CSU/DSU dictates speed for router
- Routers that need external CSU/DSU can simply use DTE and DCE cables without buying
two CSU/DSUs
- If no CSU/DSU are on the link, router with the DCE cable must supply clocking function
- clock rate: tells router to provide clocking
- Newer router IOS versions add default clock rate 2000000, may be too high for some types
of back-to-back serial cables (DTE + DCE)
- show controllers interface-id: confirms DCE cable is connected and lists clock rate
- bandwidth: documented speed of the interface, which doesn't have to match actual Layer 1
speed
- OSPF and EIGRP base routing protocol metrics on bandwidth by default
- Default serial bandwidth: 1544 kbps (T1 speed)

- To see clock rate: clock rate interface or show controllers serial type number
- To see bandwidth: show running-config or show interfaces [type number]
- bandwidth 128: sets link bandwidth to 128 kbps
Router Auxiliary Port

- Allows phone call to router to issue commands from CLI
- Aux port >> cable >> analog modem >> phone line << modem << terminal emulator << PC
- line aux 0: aux line configuration mode
Chapter 18 - Configuring IPv4
Addresses and Static Routes
IP Routing
- IP routing: process of forwarding IP packets which relies on network layer logic on hosts
and routers, and data-link and physical details at each link, such as serial links, Ethernet
LANs, wireless LANs etc. by using protocols, encapsulation and transmission.
IPv4 Routing Process Reference

- LAN host routing logic:
- Local packet is sent directly to host, remote packet is sent to default router/gateway
- Router's routing logic
- Paraphrased summary: The router receives a frame, removes the packet from inside the
frame, decides where to forward the packet, puts the packet into another frame, and sends the
frame
- Step 1: Router R1 notes that the received Ethernet frame passes the FCS check, and that the
destination Ethernet MAC address is R1's MAC address, so R1 processes the frame
- Step 2: R1 de-encapsulates the IP packet from inside the Ethernet frame's header and trailer
- Step 3: R1 compares the IP packet's destination IP address to R1's IP routing table
- Step 4: R1 encapsulates the IP packet inside a new data-link frame, in this case, inside a
HDLC header and trailer
- Step 5: R1 transmits the IP packet, inside the new HDLC header frame, out the serial link
An Example of IP Routing
- Address abbreviations: Host A : 172.16.1.9, R1 S0/0/0 : 172.16.4.1 etc.
Host Forwards the IP Packet to the Default Router (Gateway)

- Host A's routing logic:
- My IP address/mask is 172.16.1.9/24, so my local subnet contains numbers
172.16.1.0 - 172.16.1.255
- The destination address is 172.16.2.9, which is not in my local subnet
- Send the packet to my default gateway, which is set to 172.16.1.1
- To send the packet, encapsulate it in an Ethernet frame and make the destination
MAC address be R1's G0/0 MAC address (default gateway)
Routing Step 1: Decide Whether to Process the Incoming Frame

- 1A: Use FCS field to check frame for errors
- If error: discard the frame (no error recovery)
- If no errors: Continue
- 1B: Check destination MAC address to decide whether the frame is intended for router
- If it is for the router: Process the frame
- If it isn't for the router: Ignore the frame
- Unknown unicast frames can send non-intended frames
Routing Step 2: De-encapsulation of the IP Packet

- 2: Discard original frame's data-link header and trailer
Routing Step 3: Choosing Where to Forward the Packet

- 3: Compare destination IP address to routing table and decide which interface is to be used
- Routing entry: subnet ID, subnet mask, next-hop router address, outgoing interface
- Router finds match for subnet that destination address is in, and decides to forward it out the
matching interface, to the matching next-hop router IP address
Routing Step 4: Encapsulating the Packet in a New Frame

- HDLC (default) or PPP encapsulation on serial link; does not require resolution of IP
address
- Ethernet encapsulation on EoMPLS link; requires address resolution with ARP table and
ARP learning
Routing Step 5: Transmitting the Frame
Configuring IP Addresses and Connected Routes

- Interface routing minimum configurations: up/up status configured, IP address configured
- Routes are required after interfaces are configured
Connected Routes and the ip address Command

- Cisco router automatically adds a route to its routing table for the subnet connected to each
interface, assuming that the following two facts are true:
- Router figures out subnet ID by subnet calculation with IP address and mask
- show ip route: lists statuses of routes

- Route code C - connected route, L - local route
- Each local route has /32 prefix, defining a host route, a route that matches only the IP
address of the local route
The ARP Table on a Cisco Router

- Used to find destination MAC address for a destination IP address
- Age counter will increase when entry is not used and will timeout when it reaches age
(default 240 minutes)
- Age of -: never time out
- clear ip arp [ip-address]: removes all dynamic entries or a single entry
- Step 1: R1 looks in its ARP table for an entry for 172.16.1.9

- Step 2: R1 encapsulates the IP packet in an Ethernet frame, adding destination
0200.3333.3333 to the Ethernet header
- Step 3: R1 transmits the frame out interface G0/0
Routing Between Subnets on VLANs

- Some router needs to have a connected route to each subnet
- Three options for connecting a router to each subnet on a VLAN:
- Layer 3 switches route between all 12 VLANs and routers use VLAN trunks to connect to
and route between both VLANs
Configuring Routing to VLANs Using 802.1Q on Routers

- Routing packets to subnets associated with VLANs connected to a router 802.1Q trunk:
router-on-a-stick (ROAS)
- Subinterfaces: virtual router interfaces, one associated with each VLAN on that trunk
- Each subinterface has IP address/mask
- Frames tagged with VLAN 10 are treated as if they came in or out of G0/0.10
- Both router and switch need to manually configure trunking (switch: switchport mode
trunk)
- subinterface number needs to be unique and can be 1 to over 4 billion

- encapsulation [dot1q | isl] vlan-id: defines VLAN whose frames are considered to be
coming in and out of the subinterface
- How to configure to use native VLAN:
- Configuration results of native VLAN 10:
- show vlans: lists which router trunk interfaces use which VLANs, which is the native
VLAN + packet statistics
Configuring Routing to VLANs Using a Layer 3 Switch

- Layer 3 switch needs virtual interface connected to each VLAN internal to the switch
- VLAN interface: Switched Virtual Interface (SVI)
- Layer 3 switch connects to router via access link and VLANs on each SVI
- Layer 3 switch adds connected IP routes for each VLAN
Configuring Static Routes

- All routers add connected routes, and static routes can be configured
Static Route Configuration

- ip route: defines destination subnet ID and mask and outgoing interface or next-hop router's
IP address
- Static route:
- destination subnet ID: 172.16.2.0
- destination subnet mask: 255.255.255.0
- outgoing interface : S0/0/0
OR
- next-hop router IP address: 172.16.4.2
- To send packets to subnet 172.16.2.0/24, send them to 172.16.4.2

- To send packets to subnet 172.16.3.0/24, send them out S0/0/1
- show ip route displays outgoing interface as directly connected
- If S0/0/1 fails, router removes static route to 172.16.3.0/24 until interface comes up again
- Network route or subnet route: defines route to an IP network or subnet
Static Host Routes

- ip route with mask of 255.255.255.255 creates static routes for remote hosts
- ip route 10.1.1.0 255.255.255.0 10.2.2.2
- ip route 10.1.1.9 255.255.255.255 10.9.9.9
- Router selects most specific match (longest prefix) of 10.1.1.9/32, and so it is forwarded to
next-hop router 10.9.9.9
Static Routes with No Competing Routes

- Checklist for adding route to IP routing table:
- Is there any competing routes?
- For ip route with outgoing interface, is the interface in an up/up state?
- For ip route with next-hop IP address, does the local router have a route to reach
that IP address?
- ip route 172.16.2.0 255.255.255.0 172.16.4.2
- If 172.16.4.0/24 is removed, static route to 172.16.2.0/24 is also removed
permanent keyword configures IOS to ignore basic checks
Static routes with Competing Routes

- If there are competing routes, router compares administrative distance (lower the better)
- IOS considers static routes better than OSPF-learned routes

- Static route default administrative distance: 1
- OSPF route default administrative distance: 110
- Floating static routes: floats or moves into and out of IP routing table depending on
whether the better administrative distance route happens to exist currently; router ignores
static route during times when the better routing protocol route is known
- Static route administrative distance needs to be changed to allow OSPF route
- show ip route subnet-id: lists administrative distance
Static Default Routes

- Default: router discards packet if no route matches packet's destination IP address
- Default route is used if packet does not match any other more specific route
- If there is one, slow link to branch, routing protocol wastes bandwidth so default route is set
to core router
- ip route 0.0.0.0 0.0.0.0 S0/0/1 creates static default route with outgoing interface of S0/0/1
- candidate default route: a candidate from which the router can choose one to use as its
"Gateway of Last Resort"
Troubleshooting Static Routes

- Troubleshooting perspectives:
- Route is in the routing table but is incorrect
- Route is not in the routing table
- Route is in the routing table, and is correct, but the packets do not arrive
Troubleshooting Incorrect Static Routes that Appear in the IP Routing Table

- If range of addresses in specified subnet in command does not include actual addresses,
there is a problem
The Static Route Does Not Appear in the IP Routing Table

- ip route may have correct syntax and added to running-config and startup-config files but
not be placed into IP routing table because:
The Correct Static Route Appears but Works Poorly

- Static route can be perfect, but packets still may not arrive
- Root cause may be static route, or something else
- If permanent keyword is used when configuring a static route, you need to check if:
- for ip route commands with an outgoing interface, the interface is in an up/up state
- for ip route commands with a next-hop IP address, the local router has a route to
reach that next-hop address
Chapter 19 - Learning IPv4 Routes

with RIPv2
RIP and Routing Protocol Concepts
- Each routing protocol causes routers to:
- Learn routing information about IP subnets from other neighbouring routers
- Advertise routing information about IP subnets to other neighbouring routers
- If a router learns of more than one route to reach one subnet, choose the best route
based on that routing protocol's concept of a metric
- React to changes when the network topology changes, e.g. a link fails, and converge
to use a new choice of best route for each destination subnet
History of Interior Gateway Protocols
- OSPFv2: IPv4 only, OSPFv3: IPv6 only, OSPFv3 with address families: IPv4 + IPv6
Comparing IGPs
- EIGRP and OSPFv2 are most popular
- Inside one company or organisation: Interior Gateway (Router) Protocol (IGP)
- Between companies or ISPs: Exterior Gateway (Router) Protocol (EGP)
- RIP uses hop count metric: smallest number of links and routers
- Disadvantage of RIP hop count metric:
- RIP may use less number of links, but slower links
Distance Vector Basics
The Concept of a Distance and a Vector

- When routers learn a route to a subnet, they learn:
- Destination subnet
- Distance (routing protocol metric)
- Vector (link and next-hop router to use as part of that route)
- E.g. Four-hop route (distance) through R2 (vector) for subnet X (subnet)

- R1 picks the route with the best (lowest) metric
Full Update Messages and Split Horizon

- Periodic routing update: RIP repeats the same update over and over on a timed basis even if
no changes occur
- Step 1: R2 interface G0/2 has an IP address and is in an up/up state

- Step 2: R2 adds a connected route for 172.30.22.0/24, off interface G0/2, to R2's routing
table
- Step 3: R2 advertises its route for 172.30.22.0/24 to R1, with metric 1 (hop count 1), in a
RIP update sent to R1
- Step 4: R1 adds a route for subnet 172.30.22.0/24, listing it as a RIP learned route with
metric 1
- [Route for: subnet, outgoing interface: received interface, next-hop router IP address:
sender of update]
Split Horizon
- Split horizon tells router to omit some routes from an update sent out an interface
- The routes that use interface X as the outgoing interface does not get sent out interface X,
i.e. the router does not advertise routes that receiving router would already know of
Route Poisoning
- DV protocols prevent routing loops with route poisoning
- Route poisoning: advertising a failed route with special metric value infinity (16, meaning
failed)
- Step 1: R2's G0/2 interface fails

- Step 2: R2 removes its connected route for 172.30.22.0/24 from its routing table
- Step 3: R2 advertises 172.30.22.0 with an infinite metric (16 for RIP)
- Step 4: R1 removes the route from its routing table or marks the route as unusable before
removing the route for 172.30.22.0/24
- 16 = infinity, 15 = longest valid route in RIP network
Summarising RIPv2 Features

- RIPv2 features:
- Supports authentication
- Supports manual route summarisation
- Sends update message to 224.0.0.9 multicast address instead of 255.255.255.255
broadcast address (RIPv1)
- Supports VLSM
Core RIPv2 Configuration and Verification

Configuring Core RIPv2 Features
- RIPv2 configuration process:
Understanding the RIP network Command

- Classful network identifies interface to enable RIPv2
- Once enabled:
RIP Configuration Example, with Many IP Networks
- network commands for each Class C network each interface is part of
- If IOS receives non-classful network number

- IOS will not issue an error message
- IOS will change configuration to matching classful address (e.g. 10.1.2.3 =>
10.0.0.0)
RIP Configuration Example, with One IP Network
- Since all subnets are in same Class A network 10.0.0.0, RIPv2 only requires one network
command:
RIPv2 Verification
Examining RIP Routes in the IP Routing Table
- Routing code R for RIP-learned routes

- show ip route rip only lists RIP-learned routes
- Each line in the output:
- When interface fails etc., router converges to use other, non-best routes
Comparing Routing Sources with Administrative Distance

- When enterprises use multiple IP routing protocols, router compares administrative distance
(AD) and chooses the lowest
- For example, RIP and EIGRP metrics can't be compared
- EIGRP default AD = 90
- RIP default AD = 120
- Router chooses EIGRP routes over RIP routes
Revealing RIP Configuration with the show ip protocols Command
- version 2: RIPv2 configured to be only allowed

- auto-summary: Automatic summarisation is enabled
- maximum-paths 4: There can be up to 4 routes with the same metric (default)
- network commands: Enables RIP on certain interfaces in certain networks
- "Routing information sources" lists neighbouring routers from which this router has
received RIP updates from
Examining the Best RIP Routes Using RIP Database

- show ip rip database: Lists prefix/length of each subnet known to local router's RIP
process
- It lists:
- Routes for subnets learned from other RIP routers
- Routes for connected subnets for which RIP is enabled on interfaces due to RIP
network commands
show ip route Lists RIP-learned routes, you cannot tell
which interfaces are RIP enabled
show ip protocols Identifies interfaces on which RIP is
enabled, you don't know RIP-learned routes
show ip rip database Lists both learned routes and connected
routes
Optional RIPv2 Configuration and Verification

Controlling RIP Updates with the passive-interface Command
- passive-interface type number: stops all RIPv2 updates from being sent out the interface
that is matched by a network command; RIP will still process received updates and advertise
about the connected subnet
- passive-interface default: makes all interfaces passive by default
- no passive-interface type number: makes interface not be passive
Supporting Multiple Equal-Cost Routes with Maximum Paths

- RIP's default behaviour for equal-cost routes to same subnet: use maximum-path amount of
same routes and use them all with equal-cost load balancing
- maximum-paths number-of-paths: sets amount of maximum paths allowed (default 4)
- Setting maximum path to 1 disables the feature
Understanding Autosummarisation and Discontiguous Classful Networks

- Classful routing protocols (RIPv1, IGRP) needed to avoid discontiguous classful networks
- Classless routing protocols (RIPv2, EIGRP, OSPF) avoid discontiguous classful networks
or can be configured to avoid them (no auto-summary for RIP)
- Routing protocol with autosummarisation automatically creates summary route when:
- That one router connects to subnets of multiple different classful networks
- That router uses a routing protocol that uses the autosummary feature
- Step 1: R3 has autosummary enabled, with the RIPv2 auto-summary router subcommand
- Step 2: R3 advertises a route for all of Class A network 10.0.0.0 instead of advertising
routes for each subnet inside network 10.0.0.0 (since R2 is in another subnet)
- Step 3: R2 learns one route for network 10.0.0.0/8, which represents all of network 10.0.0.0,
with R3 as the next-hop router
- Definitions:
- Contiguous network: A network topology in which subnets of network X are not
separated by subnets of any other classful network
- Discontiguous network: A network topology in which subnets of network X are
separated by subnets of some other classful network
- Both R3 and R1 have all of network 10.0.0.0, and R2 balances the traffic over both routes
- Two solutions:
- Keep all classful networks together in a design
- Disable autosummarisation with no auto-summary
- R1 and R3 has autosummarisation disabled
Verifying Optional RIP Features
- show ip protocol: separates list of interfaces and passive interfaces
- R1 learned two 1-hop routes to subnet 192.168.6.0/24, show ip route lists two next-hop
router IP addresses for one subnet
RIPv2 Default Routes

- B01 and B02 uses default route. to R1, which uses a default route to ISP1
Learning Default Routes Using Static Routes and RIPv2

- Static default route configuration for router directly connected to true default route
- RIPv2 advertisement of a route to 0.0.0.0/0 teaches remote routers pointing to the router
that sent advertisement
- Step 1: R1 is configured with ip route 0.0.0.0 0.0.0.0 192.0.2.1, i.e. R1's default route is
192.0.2.1
- Step 2: R1 advertises the default route as 0.0.0.0 0.0.0.0 R1 to B01 and B02
- default-information originate: "If the IPv4 routing table has a default route in it, advertise
a default route with RIP, with this local router as the eventual destination of those default
routes"
- R1's Gateway of Last Resort is set to next-hop address 192.0.2.1
- B01 sets default route with next-hop address 10.1.12.1 (R1's IP address)
Learning a Default Route Using DHCP

- DHCP: lets hosts learn their IP addresses, subnet mask to use, DNS server IP addresses, IP
address of default gateway
- Step 1: R1 learns its address and default gateway with DHCP

- Step 2: R2 lists next-hop address 192.0.2.1 as Gateway of Last Resort
- ip address dhcp: enables dhcp on interface

- IOS default administrative distance is 254 for DHCP-learned routes
- DHCP-learned routes are shown as static routes
Troubleshooting RIPv2
- show ip route and show ip protocols
Symptoms with Missing and Incorrect network Commands

- Problem: missing network commands, incorrect network commands
- Consequence:
- The router does not advertise about the subnets on those interfaces
- The router does not exchange routing information with other routers on those
interfaces
- If network 192.168.12.0 was missing:
- "Routing for Networks" lists only enabled interfaces
Issues Related to Passive Interfaces

- Passive interfaces should not be connected to active interfaces
- R1 receives and processes R2's RIP messages, but does not send updates to R2
Issues Related to auto-summary

- If a router does not connect to subnets of two different classful networks, no auto-
summary does not affect its operation
RIP Issues Caused by Other Router Features
- RIP operates only on working interfaces (up/up state)
- RIP requires that all neighbours on a link be in the same subnet; if routers are in different
subnets, routers ignore RIP updates
- ACLs could filter/discard RIP messages
Summary of RIP Troubleshooting Issues
Chapter 20 - DHCP and IP

Networking on Hosts
Implementing and Troubleshooting DHCP
- Any host that uses IPv4 needs four IPv4 settings to work properly:
- IP address
- Subnet mask
- Default routers
- DNS server IP addresses
- Advantages of DHCP:
- Centralised configuration and management rather than local configurations
- User mobility, DHCP configuration at each new location
- Prevents user-side errors/mistakes
DHCP Concepts
- DHCP client uses DHCP protocol to:
- discover a DHCP server
- request to lease an IPv4 address
- DHCP message types (DORA):
- Discover: Sent by the DHCP client to find a willing DHCP server
- Offer: Sent by a DHCP server to offer to lease to that client a specific IP address
(and inform the client of its other parameters)
- Request: Sent by the DHCP client to ask the server to lease the IPv4 address listed
in the Offer message
- Acknowledgement: Sent by the DHCP server to assign the address, and to list the
mask, default router and DNS server IP addresses
- For DHCP clients without IPv4 addresses:
- Discover packet has source address 0.0.0.0 and destination address 255.255.255.255
- Step 1: Host A sends a Discover message with source address 0.0.0.0 and destination
address 255.255.255.255 (broadcast)
- Step 2: The DHCP server sends an Offer message with source address 172.16.1.11 and
destination address 255.255.255.255 (broadcast)
- Assumes that host uses broadcast flag DHCP option
- Host A lists its own DHCP client ID in the Discover message, so broadcast Offer messages
get ignored by other devices and only host A processes the packet
Supporting DHCP for Remote Subnets with DHCP Relay

- To support centralised DHCP servers, DHCP client's messages need to travel between
subnets, i.e. broadcast messages will not reach the DHCP server
- ip helper-address server-ip: tells router to do the above steps (DHCP Relay)
- Step 1: Host A sends a Discover message with source address 0.0.0.0 and destination
address 255.255.255.255 (local broadcast)
- Step 2: R1 forwards the Discover messages with source address 172.16.1.1 (incoming
interface) and destination address 172.16.2.11 (configured ip helper-address DHCP server
address)
- Routers need to act as DHCP relay agents to let DHCP clients send and receive packets
- Step 1: The returning Offer message from the DHCP server reverses the source and
destination address of the Discover message.
- Step 2: R1 takes the Offer message and edits the destination address to 255.255.255.255
(local broadcast)
Information Stored at the DHCP Server

- Types of settings DHCP server needs to know to support DHCP clients:
- Subnet ID and mask: lets server know of all addresses in the subnet
- Reserved (excluded ) addresses: lets server know which addresses in the subnet to
not lease
- Default router(s): IP address of the router on that subnet
- DNS IP address(es): list of DNS server IP addresses
- Additional parameters: maximum time limit for lease, allocation mode, TFTP server setting
etc.
- DHCP three allocation modes:
- Dynamic allocation: DHCP dynamically leases IP addresses
- Automatic allocation: Sets DHCP lease time to infinite; hands out permanent IP
addresses
- Static allocation: Manually preconfigured IP address is sent to client by DHCP
server
- TFTP server setting: Cisco IP phones need TFTP to retrieve configuration files when phone
initialises
DHCP Server Configuration on Routers

- DHCP pool: per-subnet settings go into a pre-subnet DHCP pool; ip dhcp excluded-
address command is outside DHCP pool
- Subnet 172.16.2.0/24 configurations:
- Reserves 172.16.2.0 to 172.16.2.100
- Sets default router's IP address 172.16.2.1
- Sets DNS server's IP address 172.16.1.12
- Sets lease time as 1 day, 2 hours and 3 minutes
- Sets TFTP server IP address of UCM (United Communications Manager) as
172.16.2.5
- R1 needs ip helper-address command to serve as DHCP relay agent to DHCP server at R2
IOS DHCP Server Verification
- Output does not list the excluded addresses, but the addresses begin from the first leasable
address
- IPv4 DHCP server = stateful DHCP server; i.e. the DHCP server keeps status information
(DHCP client ID, IP address leased to client) about each DHCP client that leases an address
Troubleshooting DHCP Services
DHCP Relay Agent Configuration Mistakes and Symptoms

- Problem: missing configuration or omission of ip helper-address on DHCP relay agents
- Consequence: router does not attempt to forward DHCP messages at all or is not sent to the
actual DHCP server
- Solution: find out the router connected to host's subnet and correct the ip helper-address
subcommands
- Points to remember:
- DHCP relay agent feature is only needed on interfaces only if the DHCP server is on
a different subnet
- In ROAS configurations, subinterfaces require ip helper-address commands
- show ip interface [type number] command to view ip helper-address settings on
interface
- ip helper-address 172.16.2.11
IOS DHCP Server Configuration Mistakes and Symptoms

- Failure in DHCP lease process factors:
- Packet from relay agent to DHCP server uses relay agent's interface IP address as
source IP address
- DHCP server compares source IP address to network commands to find right pool
- Each network subnet mask implies a range of addresses
- If source IP address is not in the range of addresses implied by network command,
DHCP server does not reply at all
- Every interface with an ip helper-address command configured should be included in a

pool defined at the IOS DHCP server
- Mistakes and symptoms:
- If the DNS server IP addresses are incorrectly configured or omitted, hosts would
fail to resolve hostnames to IP addresses
- If the default gateway IP address is incorrectly configured or omitted, hosts could
not communicate outside the local subnet
- If the TFTP server IP address is incorrectly configured or omitted, an IP phone
would fail to correctly load its configuration
IP Connectivity from DHCP Relay Agent to DHCP Server

- IP broadcast packets must flow between the client and relay agent, and IP unicast packets
must flow between relay agent and DHCP server
LAN Connectivity Between the DHCP Client and Relay Agent

- When a packet uses 255.255.255.255:
- the address is called the local broadcast address
- packets sent to this address are not forwarded as-is by routers
- broadcast packets are encapsulated in Ethernet broadcast destination address
FFFF.FFFF.FFFF
Summary of DHCP Troubleshooting
- Network may have outages, and DHCP clients that have already leased an address can
continue to work without any problem
Detecting Conflicts with Offered Versus Used Addresses

- No protocols can prevent a host from statically configuring and using an IP address from
within the range of addresses used by DHCP server
- Conflict: when a host statically configures an address from within the range of addresses in
the DHCP pool
- DHCP solutions:
- DHCP server pings an address before - DHCP client sends an ARP request for the
offering a new IP address to a client address offered by DHCP
- If DHCP server receives a response to the - If another host replies, there is a conflict
ping, some other host must already be using - Client sends a DHCP message back to the
the address => conflict server, rejecting the use of the used address
- DHCP does not offer the address
- (Gratuitous: uncalled for)

- show ip dhcp conflict: lists method through which the server added each address to the
conflict list (gratuitous ARP by client, or ping by server)
- Server avoids offering conflicted addresses until clear ip dhcp conflict command clears the
list
Verifying Host IPv4 Settings

IP Address and Mask Configuration
- Most every OS have windows that list many IPv4 settings in one place
- Network commands: ipconfig (Windows) or ifconfig (Linux and Mac OS)

Name Resolution with DNS
- Routers and switches does not need to pay attention to DNS messages; i.e. routers and
switches do not need to take special action, but can forward it like any normal frame/packet
- Step 1: 10.1.1.1 sends a DNS request to resolve the IP address of Server1 to DNS server
10.3.3.3
- Step 2: The DNS server sends a DNS reply containing the resolved IP address of Server1
(10.1.2.3) to 10.1.1.1
- Step 3: 10.1.1.1 sends data to Server1, with destination address 10.1.2.3
- All destination IP addresses are known unicast addresses, so router/switch action is not
required to support DNS
Default Routers
- Two-part host routing choice:
- If packet is destined for a host in the same subnet, the local host sends the packet
directly
- If the packet is destined for a host in a different subnet, the local host sends the
packet to the default gateway
- Check settings in router CLI: show interfaces, show ip interface brief, show protocols,
show running-config
- Check VLAN assignments in switch CLI: show interfaces status, show vlan, show
interfaces switchport
- netstat -rn: displays default gateway IP address as default route
- Host A needs an ARP entry for Host D (for local packet) and R1 (for remote packet)
- arp -a: shows host's ARP table

- Only local IP addresses are listed
IPv4 Address Types

- Unicast, multicast and broadcast addresses
Review of Unicast (Class A, B, and C) IP Addresses

- Unicast IP addresses identify one interface on one device to IP
- Examples:
- Router with four LAN interfaces and two LAN interfaces = 6 unicast addresses
- PC with Ethernet NIC and wireless NIC = 2 unicast addresses
IP Broadcast Addresses
- Different types of IPv4 broadcast addresses:
- Step 1: Host 1 sends a broadcast message destined to 10.1.1.255 to its default gateway, R1
- Step 2: R1 forwards the packet to subnet 10.1.1.0/24
- Step 3: R2 encapsulates the packet into a local broadcast frame and floods it out all ports
- Security vulnerability: ping to subnet broadcast address causes many hosts to reply
- Cisco default setting of no ip directed-broadcast: disables forwarding of subnet broadcasts
to connected subnet (Step 3)
IPv4 Multicast Addresses (Class D Addresses)

- Used mainly for applications: e.g. send 1 packet to subnet, gets copied 10 times and
delivered to all 10 hosts in subnet
- Host uses unicast IP address for normal traffic, and multicast IP address for multicast
application
- Host registers to local router to notify to receive packets with destination address 226.1.1.1
- Step 1: Server on the left generates and sends a multicast packet

- Step 2: Router R1 replicates the packet to send a copy to both R2 ...
- Step 3: ... and to R3. R1 does not replicate and send a copy to R4 because no hosts near R4
are listening for packets sent to 226.1.1.1
- Step 4: R2 forwards the packet out all interfaces since at least one host from both its
branches registered and is listening for packets sent to 226.1.1.1
- Step 5: R3 knows that only one of its LAN interfaces connect to a subnet with hosts
listening for packets sent to 226.1.1.1, and forwards a copy of the packet out that one
interface only
Unicast IP address Multicast IP address

- Uses Class A, B, and C addresses - Uses Class D addresses
- Identifies a single interface on a single - Identifies multiple interfaces across
device multiple devices
- Can be used as both source and destination - Can only be used as destination address
IP address
- Routers use ARP caches to find the - MAC address is formed by 25-bit prefix
associated MAC address (01-00-5E) + last 23 bits of IP address
- Multicast frame forwarding; one of the following:
- the switch floods the multicast frame as if it were a broadcast
- the switch uses other Ethernet multicast features that flood the frame only to those
same devices that registered to receive a copy
Comparing and Contrasting IP Address Types
Part V Revision
Chapter 17
Bandwidth
Clock rate
Chapter 18
Default gateway/router
ARP table
Routing table
Next-hop router
Outgoing interface
Subinterface
VLAN interface
Layer 3 switch
Connected route
Static route
Default route
Host route
Floating static route
Network route
Administrative distance
Chapter 19
Distance vector
Exterior gateway protocol (EGP)
Interior gateway protocol (IGP)
Metric
Routing update
Contiguous network
Discontiguous network
Autosummarisation
Passive interface
IP routing table
Hop count
Chapter 20
DHCP client
DHCP server
DHCP relay agent
Local broadcast IP address
Subnet broadcast IP address
Network broadcast IP address
Multicast IP address
DNS Request
DNS Reply
Part VI - IPv4 Design and

Troubleshooting
Chapter 21 - Subnet Design
Choosing the Mask(s) to Meet Requirements
- Assumption of existing:
- number of subnets
- number of hosts per subnet
- network number to be subnetted
- choice of single mask
Review: Choosing the Minimum Number of Subnet and Host Bits
- At least 2S subnets and 2H - 2 hosts/subnet
- Step 1: Determine number of network bits based on class

- Step 2: Determine smallest value of S, so that 2S >= required no. of subnets
- Step 3: Determine the smallest value of H, so 2H >= required no. of hosts/subnet
No Masks Meet Requirements

- If the minimum number of subnet bits required and the minimum number of host bits
required => subnet mask does not fit into 32-bit mask => INVALID SUBNET
One Mask Meets Requirements

- If network bit + subnet bit + host bit = exactly 32, there is only one subnet that meets the
requirements
Multiples Masks Meet Requirements
Finding All the Masks: Concepts

- For network 172.16.0.0:
- Network bits: 16
- Subnet bits: 6 (50 subnets)
- Host bits: 8 (180 hosts/subnet)
- Network and subnet bits on the far left

- Host bits on the far right
Finding All the Masks: Math

- Math to find the range of masks that meet the requirements
Choosing the Best Mask
- Longer prefix mask maximises number of subnet bits

- Shorter prefix mask maximises number of host bits
- Mask in the middle provides growth in both subnets and hosts/subnet
The Formal Process

- Summary of formal process:
Finding All Subnet IDs

- First subnet ID = network ID
First Subnet ID: The Zero Subnet

- First subnet ID = subnet zero or zero subnet = classful network ID
- ip subnet-zero: allows configuration of addresses in the zero subnet
- no ip subnet-zero: prevents configuration of addresses in the zero subnet
- Router rejects use of address in subnet zero with "bad mask"
Finding the Pattern Using the Magic Number

- Magic number = 256 - decimal value of interesting octet e.g. for 172.16.0.0 255.255.128.0,
magic number is 256 - 128 = 128
- Number of subnets in a network = 256 / {256 - (interesting octet)}
A Formal Process with Less Than 8 Subnet Bits
Example 1: Network 172.16.0.0 255.255.240.0

- Magic number = 256 - 240 = 16
- Subnet zero = 172.16.0.0
- Subnet IDs = 172.16.0.0, 172.16.16.0, 172.16.(n+16).0
Finding All Subnets with Exactly 8 Subnet Bits

- Two cases with subnets with exactly 8 subnet bits:
- Class A network with mask 255.255.0.0 or 255.255.255.0
- Class B network with mask 255.255.255.0
- Interesting octet is the subnet octet
- Magic number = 256 - 255 = 1, subnet IDs increase by 1
Finding All Subnets with More Than 8 Subnet Bits

- Process for 9 - 16 subnet bits, 17+ subnet bits
Process with 9 - 16 Subnet Bits
- Octet to the left of the interesting octet => just-left octet
- Step 1: Calculate the interesting octet's subnet IDs as per usual (create a "subnet block")
- Step 2: Replicate the subnet block for each increasing value of the just-left octet ...
- Step 3: ... until you reach 255 when you go no further
Process with 17 or More Subnet Bits

- At least 217 (131,072) subnets
- Only Class A networks can be subnetted in this way
- Subnet blocks in subnet blocks

Chapter 22 - Variable-Length
Subnet Masks
VLSM Concepts and Configuration
- VLSM: When internetwork uses more than one mask for different subnets of a single
classful network
- Using more than one mask in a single classful network

- If 10.0.0.0 uses 1 mask and 11.0.0.0 uses 1 mask, there is no VLSM
- Less wasted IP addresses; less IP assignment by authorities in public networks
Classless and Classful Routing Protocols

- To support VLSM, routing protocol must advertise mask along with each subnet, classful
routing protocols do not
VLSM Configuration and Verification

- No way to disable/enable VLSM support in classless routing protocol
- VLSM is a side effect of ip address interface subcommand
- show ip route lists subnet masks of each listed subnet
Finding VLSM Overlaps
Designing Subnetting Plans with VLSM
- Possible brand-new VLSM design

- VLSM overlapped subnet IDs cannot be used
- Routing problems occur when overlapping subnets are implemented => some hosts cannot
communicate outside their subnets
- Look at entire range of addresses to find VLSM overlaps
An Example of Finding a VLSM Overlap

- Find address range of all subnet IDs to determine overlaps
- Hosts being unable to ping each other may be a root cause
- Example:
Adding a New Subnet to an Existing VLSM Design

- IP Address Management (IPAM)
- Question: add a new subnet with mask ___ to the design
An Example of Adding a New VLSM Subnet
- Step 1: Select prefix mask for subnet with 300 hosts:

Minimum 9 host bits (510 hosts/subnet)
Prefix mask: /23 (32 total bits - 9 host bits)
- Step 2: List of first five possible /23 subnets:
172.16.0.0 - 172.16.1.255
172.16.2.0 - 172.16.3.255
172.16.4.0 - 172.16.5.255
172.16.6.0 - 172.16.7.255
172.16.8.0 - 172.16.9.255
- Step 3: List of existing subnet address ranges
172.16.2.0 - 172.16.3.255
172.16.4.0 - 172.16.5.255
172.16.6.0 - 172.16.6.255
172.16.9.0 - 172.16.9.3
172.16.9.4 - 172.16.9.7
- Step 4: Comparison of Step 2 and Step 3 lists to find overlaps
- Step 5: Numerically lowest subnet number:
172.16.0.0/23
- Zero subnet should be avoided if
- (a) question implies use of classful routing protocols
- (b) the routers are configured with the no ip subnet-zero command
Chapter 23 - IPv4 Troubleshooting

Tools
Problem Isolation Using the ping Command
Ping Command Basics
- ping tests connectivity by sending packet to an IP address and "if it is addressed to you,
send a reply back."
- ping uses ICMP echo request and ICMP echo reply messages
- Step 1: Host A issues ping 172.16.2.101 and sends a packet with an ICMP echo request
- Step 2: Host B sends an ICMP echo reply on receipt of ICMP echo request
- Packet size | source IP address | ICMP sequence number | time-to-live | time taken
Strategies and Results When Testing with the ping Command

- Customer Support Representative (CSR)
- No single router ping can replicate a user's ping
Testing Longer Routes from Near the Source of the Problem
- Best option: ping from host, if unavailable >> ping from nearest router
- Default ping settings: five echo messages, 2 second timeout

- If timeout, a period (.) is listed
- If success, an exclamation mark (!) is listed
- Common behaviour: first ping shows one failure to start because some devices are missing
an ARP table entry
- What ping tells us of this internetwork:

- R1 can send ICMP echo request messages to host B
- R1's 172.16.4.1 interface can send ICMP echo request messages to host B
- Host B can send ICMP echo reply messages to R1's 172.16.4.1
- R1 has a route (static or protocol) that matches host B's address (fig. 23-3)
- Host B has a valid default router setting
- R2 has a route for 172.16.4.1 (connected route)
- Data link and physical layer details are working
- Serial link is working
- Router LAN/serial interfaces are up/up
- All Ethernet LAN features are working
- Switch interfaces are in a connected (up/up) state
- Port security does not filter frames sent by R2 or host B
- STP has placed right ports into forwarding state
- ACLs did not filter ICMP messages (fig. 23-4)
- ARP worked on R2 and host B and they have matching ARP table entries (fig. 23-5)
- SW2 learned MAC addresses for its MAC address table
Using Extended Ping to Test the Reverse Route

- Standard ping uses router's outgoing interface as source interface and can't test for reverse
routes to host's subnet
- Extended ping allows use of router's LAN IP address from within host's subnet
- Extended ping: ping command (Enter)with guided options

- ping 172.16.2.101 source 172.16.1.1
- Extended ping tests same forward route but reverse route now has to be to host's subnet, not
router's outgoing interface in another subnet
- Standard and extended pings cannot test for:
- ACL: router looks at packets as they exit or enter an interface, make comparisons to header
fields, and if matched, make a choice to either discard the packet or let it through
- R1 issues ping 172.16.1.51 to test LAN connectivity to confirm:

- The host with address 172.16.1.51 replied
- The LAN can pass unicast frames from R1 to host 172.16.1.51 and vice versa
- The switches learned the MAC addresses of the router and the host, adding those to
the MAC address tables
- Host A and Router R1 completed the ARP process and list each other in their
respective ARP tables
- Potential root causes in case of failure:
Testing LAN Neighbours with Extended Ping

- Extended ping can test for host's default router setting
- Both standard and extended tests can be useful because
- Step 1: R1 sends an ICMP echo request from a source interface not in the host's subnet
- Step 2: Host A decides to use the default router because the destination address is in another
subnet
- Step 3: Host A sends ICMP echo reply to R1's interface not in its subnet
Testing WAN Neighbours with Standard Ping
- Standard ping across a serial WAN link confirms IP packet can be sent over the link and
back
- Successful standard ping confirms that:
- Both router's serial interfaces are in an up/up state
- The Layer 1 and 2 features of the link work
- The routers believe that the neighbouring router's IP address is in the same subnet
- Inbound ACLs on both routers do not filter the incoming packets, respectively
- The remote router is configured with the expected IP address
- ping does not confirm:
- routes for subnets on LANs
- host's ACL issues
Using Ping with Names and with IP Addresses

- ping can use hostnames, which allows testing of DNS process
- ping B on host A makes it look in its local DNS name cache and if it has not already
resolved the name B, it asks the DNS to resolve the name
- If ping of the hostname fails but the ping of the IP address works, the problem usually is to
do with DNS
Problem Isolation Using the traceroute Command

- Similarity of ping and traceroute:
traceroute Basics
- Identifies next-hop IP address of each router
How the traceroute Command Works

- traceroute uses ICMP Time-to-Live Exceeded (TTL Exceeded) message, originally used to
notify hosts when a packet is in a routing loop
- Router sets initial TTL value, each forwarding router decreases TTL by 1 and packet is
discarded if TTL = 0 and sending host is notified with TTL Exceeded message
- Step 1: Host A issues a traceroute command and sends a packet with TTL = 1 to (default)
router
- Step 2: R1 subtracts 1 from the TTL value, which triggers a TTL Exceeded error
- Step 3: R1 sends a TTL Exceeded message to Host A with source address of R1's LAN
interface
- traceroute sends packet with increasing TTL value to next routers
- Step 1: traceroute command sends a packet from the second set with TTL = 2
- Step 2: R1 decrements TTL to 1 and forwards the packet
- Step 3: R2 decrements TTL to 0 and discards the packet
- Step 4: R2 notifies the sending host of the discarded packet by sending a TTL Exceeded
ICMP message with source address of its incoming interface
- Routers use source interface address where original message was discarded
Standard and Extended traceroute

- Extended traceroute lets user choose source address
- traceroute with guided parameters:
- Windows: tracert, pathping

- Linux/ Mac OS X: traceroute
- Host OS traceroute usually creates ICMP echo requests while Cisco IOS traceroute
creates IP packets with a UDP header
Using traceroute to Isolate the Problem to Two Routers

- Where to look next to isolate problem:
- Successful listing of R2 confirms:

- R1's forward route to 5.5.5.5
- R2's reverse route to 1.1.1.1
- Successful listing of R3 confirms:

- Failure of listing of R4 confirms:

- R3's problem with forward route to 5.5.5.5
OR
- R4's problem with reverse route to 1.1.1.1
Telnet and SSH

Common Reasons to Use the IOS Telnet and SSH Client
- Telnet/SSH from host to router or from router to router
- Telnet/SSH from host to router may fail, but individual links may still work, allowing
telnet/SSH from a router to a router
IOS Telnet and SSH Examples

- R1 using Telnet to connect to R2
- telnet 10.1.2.2 => local username authentication => show ip interfaces brief
- ssh -l username host connects to router with SSH client
- -l: next parameter is the login username; username is not required at local username
authentication
- exit or quit logs out from Telnet/SSH connection

- IOS supports hotkeys for moving between connections
Chapter 24 - Troubleshooting IPv4

Routing
Problems Between the Host and the Default Router
Root Causes Based on a Host's IPv4 Settings

- Host's four key settings can be learnt by static configuration or DHCP
Ensure IPv4 Settings Correctly Match

- ipconfig/ifconfig shows IPv4 settings
- DNS server setting should match actual DNS server IP addresses
- Compare show interfaces G0/0 to ipconfig /all
Mismatched Masks Impact Route to Reach Subnet
- Host A's subnet mask implies address range of 10.1.1.0 - 10.1.1.255, so destination address
NOT within the range will be sent to 10.1.1.150/25
- R1's subnet mask implies address range of 10.1.1.128 - 10.1.1.255, and host A is NOT
within the route to 10.1.1.128/25
- Connected route to 10.1.1.128/25, which does NOT include 10.1.1.9/24, is advertised by

OSPF
- Hosts should use the same subnet mask as the default router, and the two devices should be
in the same subnet
Typical Root Causes of DNS Problems
- when ping and traceroute with names fail, but with IP addresses, succeeds, there is a
problem with the DNS setting
- If DNS server is statically configured, change the setting

- If DNS server is learned with DHCP, examine the DHCP server configuration, and if using
the IOS DHCP server feature, change the setting with dns-server server-address in DHCP
pool configuration mode
- Two packet flows can have IP connectivity issues

- Router must have ip name-server dns1-address dns2-address... and ip domain-lookup
(default) global commands
Wrong Default Router IP Address Setting
- Incorrect default router setting => hosts unable to send packets to different subnet
- Sending within LAN works, it does not require a default router
Root Causes Based on the Default Router's Configuration

- LAN between host and router must work
- Router and its interfaces must work
DHCP Issues
- Router needs to enable DHCP Relay to let DHCP messages cross subnets (ip helper-
address DHCP-server-address)
- Step 1: Host A sends a DHCP Discover message to 255.255.255.255 ff:ff:ff:ff:ff:ff (local
subnet broadcast address)
- Step 2: R1, with the ip helper-address 172.16.2.11 command, changes the destination
address to the DHCP server address as configured in ip helper-address command, and
source address to the incoming interface
- For ROAS, each subinterface needs to be configured with the ip helper-address command
- To test IP connectivity between the DHCP relay agent and the DHCP server, use extended
ping or extended traceroute, with source address of the incoming interface and destination
address of the DHCP server
Router LAN Interface and LAN Issues

- If host and default router can't send packets to each other, the root causes fall into:
- Problems that cause the router LAN interface to fail
- Problems with the LAN itself
- Router LAN interface must be in up/up state to receive/send packets
=> if not, find root cause for router interface to not be up
- LAN details, like Ethernet cable pinouts, port security and STP may cause LAN issues
- speed 1000 command for router and speed 100 for switch causes down/down
Problems with Routing Packets Between Routers
IP Forwarding by Matching the Most Specific Route
- Following router features can create overlapping subnets:
- Autosummarisation
- Manual route summarisation
- Static routes
- Incorrectly designed subnetting plans that cause subnets to overlap their address
ranges
- If packet's destination address matches one route, the router uses that one route
- If more than one route matches a packet's destination address:
Using show ip route and Subnet Math to Find the Best Route
- show ip route ospf lists only OSPF-learned routes, but statistics for numbers of subnets and
masks are for all routes
- When address matches more than one route, the route with the longer prefix length is used
- Example destination IP address' routes:
Address Matches Longest prefix Route to
172.16.1.1 172.16.1.1/32 /32 172.16.1.1 (local
172.16.1.0/24 route)
172.16.0.0/22
172.16.0.0/16
0.0.0.0/0
172.16.1.2 172.16.1.0/24 /24 172.16.1.0/24
172.16.0.0/22
172.16.0.0/16
0.0.0.0/0
172.16.2.3 172.16.0.0/22 /22 172.16.0.0/22
172.16.0.0/16
0.0.0.0/0
172.16.4.3 172.16.0.0/16 /16 172.16.0.0/16
0.0.0.0/0
172.17.1.1 0.0.0.0/0 /0 0.0.0.0/0 (default
route)
Using show ip route address to Find the Best Route

- Router lists the route it would use to route a packet sent to the address in the parameter
show ip route Reference
Routing Problems Caused by Incorrect Addressing Plans

- One router can claim to be connected to a subnet with one address range, while another
router claim to be connected to another subnet with an overlapping range
Recognising When VLSM Is Used or Not
- An internetwork is considered to be using VLSM when multiple subnet masks are used for
different subnets of a single classful network
- VLSM does not apply for all 10.0.0.0 subnets using /20, all 172.16.0.0 subnets using /24
etc.
- Only classless routing protocols can support VLSM:
- RIPv2
- OSPF
- EIGRP
Overlaps When Not Using VLSM
- Overlap when all subnets use the same mask => exact same subnet ID, exact same address
range
- Both R3 and R4 advertises 10.1.1.128/25 with OSPF

- R1 will send to R4, R2 will send to R3
- No IP addressing plan should use the same subnet on two different LANs
Overlaps When Using VLSM

- Overlaps between subnets with different masks (i.e. when using VLSM) cause a partial
overlap
- Problems occur for some destinations within the overlapped ranges
- 172.16.5.0/24 (172.16.5.0 - 172.16.5.255) completely overlaps with parts of 172.16.4.0/23

(172.16.4.0 - 172.16.5.255)
- ping commands fail, traceroute commands complete for only certain hosts
- Subnet with overlapping addresses should be changed
Configuring Overlapping VLSM Subnets

- IOS overlap recognition:
- IOS only performs the subnet overlap check for interfaces that are not in a shutdown state
- IOS accepts IP address configurations that overlap with shutdown interfaces
- When no shutdown is issued on the overlapping interface, the interface is shut
down until overlap condition has been resolved
- Allowing of overlaps on different routers:
Pointers to Related Troubleshooting Topics
Router WAN Interface Status

- For a serial link, both routers must have working serial interfaces in an up/up state before
they can send IPv4 packets to each other
- The two routers should have serial IP addresses in the same subnet
Filtering Packets with Access Lists

- Device can monitor packets during forwarding process, compare those packets to a list of
rules, and filter some packets based on those rules => ACLs
Part VI Revision
Terms Definitions
Chapter 21
Zero subnet
Subnet zero
Broadcast subnet
Chapter 22
Classful routing protocol
Classless routing protocol
Overlapping subnets
Variable-length subnet masks (VLSM)
Chapter 23
Ping
Traceroute
ICMP echo request
ICMP echo reply
Extended ping
Forward route
Reverse route
DNS
Chapter 24
Part VII - IPv4 Services:

ACLs and NAT
Chapter 25 - Basic IPv4 Access
Control Lists
IPv4 Access Control List Basics
- ACL configuration lists values router can see in IP, TCP, UDP etc. headers
- Source/destination IP address
- Source/destination TCP/UDP port
- ACL's features:
- Packet filter
- QoS (Quality of Service); give some packets (e.g. voice) faster service or slower
service
ACL Location and Direction

- Inbound ACL: before router makes its forwarding decision
- Outbound ACL: after router makes its forwarding decision and determined exit interface
- Locations to filter packets going left to right:

- R1's inbound F0/0
- R1's outbound S0/0/0
- R2's inbound S0/0/1
- R2's outbound F0/0
- Inbound ACL on R2's F0/0 would NOT filter packets going left to right
Matching Packets
- ACL command logic: "look for these values in the packet header, and if found,
discard/allow the packet"
- When ACL is enabled, R2 examines every inbound IP packet on S0/0/1 and packets sent by
host A (10.1.1.1) are allowed through, and those sourced by host B (10.1.1.2) are discarded
Taking Action When a Match Occurs

- deny: discard packet
- permit: allow packet as if ACL did not exist
- Router can use permit to apply NAT functions
Types of IP ACLs
- ACL features:
- Standard numbered ACLs (1-99)
- Extended numbered ACLs (100-199)
- Additional ACL numbers (1300-1999 standard, 2000-2699 extended)
- Named ACLs
- Improved editing with sequence numbers
Standard Numbered IPv4 ACLs

- Standard: matching only source IP address of packet
- Numbered: identifying ACLs using numbers rather than names
- IPv4: looking at IPv4 packets
- ACLs: Cisco filters
List Logic with IP ACLs

- ACL processing:
- Host A matches all 3 ACL lines, but the first match is for source address 10.1.1.1, which is
to permit
- Host B matches last 2 ACL lines, but the first match is for source address 10.1.1.0
0.0.0.255, which is to deny
- Host C matches last ACL line for source address 10.0.0.0 0.255.255.255, which is to permit
- If packet does not match any items in ACL, packet is discarded (default configuration: deny
any)
Matching Logic and Command Syntax

- Standard numbered ACLs: access-list {1-99} {permit | deny} matching-parameters
Matching the Exact IP address

- To match the exact, entire source IP address, use:
access-list ACL-no. {permit | deny} host-address
- Example: access-list 1 permit 10.1.1.1
- Earlier IOS versions used host keyword before address, and later IOS versions still accept
the command, but removes the keyword
- Example: access-list 1 permit host 10.1.1.1
Matching a Subset of the Address with Wildcards

- Wildcard mask (WC mask) tells IOS to ignore parts of the address when making
comparisons, essentially treating those parts as wildcards, as if they already matched
- 0.0.0.255: last octet is ignored as a wildcard = 10.1.2.x

- 0.0.255.255: last two octets are ignored as wildcards = 10.1.x.x
- 0.255.255.255: last three octets are ignored as wildcards = 10.x.x.x
- Line 1: Match and permit all packets with source address of exactly 10.1.1.1
- Line 2: Match and deny all packets with source address with first three octets 10.1.1
- Line 3: Match and permit all addresses with first octet 10
- IOS will specify a source address to be 0 for the parts that will be ignored, even if nonzero
values were configured (e.g. 10.1.2.3 0.255.255.255 => 10.0.0.0 0.255.255.255)
Binary Wildcard Masks

- Binary mask logic:
- Compare binary access-list command address and binary packet header address bit
by bit
- Ignore any bits for which the binary WC mask lists a binary 1
- If all bits that are checked are equal, it's a match
Finding the Right Wildcard Mask to Match a Subnet

- To match a subnet:
- For example, for subnet 172.16.8.0 255.255.252.0:

- address parameter = 172.16.8.0 (subnet number)
- wildcard mask =
- Completed command: access-list 1 permit 172.168.0.0 0.0.3.255
Matching Any/All Addresses

- any keyword, e.g. access-list 1 permit any
- Can override default deny any by using permit any
- Explicitly configured deny any lets show ip access-lists list the counter for how many
packets are matched by the deny any logic
Implementing Standard IP ACLs

- access-list command, with generic syntax:
access-list access-list-number {deny | permit} source [source-wildcard]
Standard Numbered ACL Example 1

- Requirements for this ACL:
- Enable ACL inbound on R2's S0/0/1 interface
ip access-group 1 in
- Permit packets coming from host A
access-list 1 permit 10.1.1.1
- Deny packets coming from other hosts in host A's subnet
access-list 1 deny 10.1.1.0 0.0.0.255
- Permit packets coming from any other address in Class A network 10.0.0.0
access-list 1 permit 10.0.0.0 0.255.255.255
- Deny all other traffic (default)
(access-list 1 deny any)
- access-list command: global configuration mode

- ip access-group 1 in: interface configuration mode
- show ip access-lists: lists details about IPv4 ACLs only

- show access-lists: lists details about IPv4 ACLs plus other types of ACLs, e.g. IPv6 ACLs
- show ip interface interface-id: lists details about inbound/outbound ACL configurations (ip
access-group)
Standard Numbered ACL Example 2
- Standard numbered ACL requirements:

- Enable ACL inbound on R2's F0/0 interface
- Permit packets from S1 going to hosts in A's subnet
- Deny packets from S1 going to hosts in C's subnet
- Permit packets from S2 going to hosts in C's subnet
- Deny packets from S2 going to hosts in A's subnet
- Deny all other packets (default)
- Above requirements require an extended ACL
- Improved requirements for standard numbered ACLs:
- Use outbound ACL on R1's F0/0, permit packets from S1, and deny all other packets
ip access-group 2 out
- Use outbound ACL on R1's F0/1, permit packets from S2, and deny all other packets
ip access-group 3 out
- access-list access-list-number remark: leaves text documentation that stays with ACL
- Router does not filter packets that the router itself creates with an outbound ACL (e.g. ping,
traceroute etc.)
Troubleshooting and Verification Tips

- To tell if router is matching packets or not, use log keyword to make IOS issue log
messages with occasional statistics about matches of that particular line of ACL
- access-list 1 permit 100.0.0.0 0.0.0.255 log
- Troubleshooting ACL requires thought on both:

- Interface on which the ACL is enabled, and
- Direction of packet flow
Practice Applying Standard IP ACLs

Practice Building access-list Commands
Reverse Engineering from ACL to Address Range

- Address range = address in command - (address in command + wildcard mask)
- For access-list 1 permit 172.16.200.0 0.0.7.255:
- address in command = 172.16.200.0
- wildcard mask = 0.0.7.255
- Address range = 172.16.200.0 - 172.16.207.255
- IOS could potentially change command before placing command into running-config file
- For example: access-list 21 permit 10.1.1.1 0.0.255.255 => 10.1.0.0, wildcard 0.0.255.255
- show ip access-lists lists final command
Chapter 26 - Advanced IPv4 Access

Control Lists
Extended Numbered IP Access Control Lists
- Comparison of standard numbered ACLs and extended numbered ACLs
Similarities Differences
- Can be enabled on interfaces for inbound - Variety of packet header fields that can be
or outbound packets used to match a packet
- IOS searches list sequentially - Numbers (1-99 1300-1999, 100-199 2000-
- Uses first-match logic 2699)
Matching the Protocol, Source IP and Destination IP

- Extended ACL access-list command requires at least 3 parameters:
- IP protocol type
- Source IP address (or address range with wildcard mask)
- Destination IP address (or address range with wildcard mask)
- Protocol type identifies type of segment header
- Protocol parameter keywords:
- tcp
- udp
- icmp
- eigrp
- ospf
- ip (for all IPv4 packets)
- Extended ACL access-list commands MUST use the host keyword for source/destination
IP addresses
- For example, to match access-list 101 deny udp 1.1.1.0 0.0.0.255 any, packet must have:
- UDP header
- Source IP address 1.1.1.1 - 1.1.1.254
- Any destination IP address
Matching TCP and UDP Port Numbers

- Extended ACLs examine parts of TCP/UDP headers, especially source/destination ports
- Extended ACLs with tcp or udp keyword may have source/destination port parameters
- Syntax of ACL that matches:

- tcp: Packets that include a TCP header
- 172.16.1.0 0.0.0.255: Packets sent from 172.16.1.0/24 (client subnet)
- 172.16.3.0 0.0.0.255: Packets sent to 172.16.3.0/24 (server subnet)
- eq 21: Packets with TCP destination port 21 (FTP server control port)
- EXTRA INFO: the source port of the client is going to be greater than 1023 (gt 1023)
- Reverse flow:
- Source address: server subnet
- Source port: 21 (FTP server control port)
- Destination address: client subnet
(- Destination port: greater than 1023)
Extended IP ACL Configuration

- Summary of syntax options:
- Like standard ACLs, the location and direction in which to enable the ACL must be chosen:
- Which interface?
- Which direction: inbound or outbound?
Extended IP Access Lists: Example 1

- Extended access-list numbers: 100 - 199, 2000 - 2699
- Protocol parameter: IP, TCP/UDP, ICMP/EIGRP etc.
- TCP/UDP port numbers: may be used when checking for TCP/UDP headers
- eq 80, eq www: matching port 80 (HTTP traffic), when eq 80 is configured, config shows
eq www
- Cisco suggests locating extended ACLs as close to source of packet (saves bandwidth) so
configurations on R2 and R3 could have worked
- R3 does not match Larry's traffic because Larry's traffic will never enter R3's E0 interface
Named ACLs and ACL Editing

Named IP Access Lists
- Similarities between named and numbered ACLs:
- Can be used to filter packets etc.
- Can match the same fields; standard numbered ACL = standard named ACL and
extended numbered ACL = extended named ACL
- Differences between named and numbered ACLs:
- ip access-list: defines whether ACL is standard or extended, and defines the name and
moves user to ACL configuration mode
- no command-you-want-to-delete: deletes a single entry from the ACL
Editing ACLs Using Sequence Numbers

- ACL sequence numbers provide following features for both numbered and named ACLs
- Configuration of standard numbered IP ACL, with new alternative configuration style:

- Step 1: Numbered ACL 24 is configured within ip access-list standard 24, with
three permit commands
- Step 2: do show ip access-lists 24 shows three permit commands with sequences
numbers 10, 20, and 30
- Step 3: Second permit command is deleted using no 20
- Step 4: do show ip access-lists 24 confirms that ACL now has two lines (10, 30)
- Step 5: A new deny command is added to the beginning of the ACL, with 5 deny
10.1.1.1
- Step 6: do show ip access-lists 24 confirms that ACL now has three lines (5, 10, 30)
- EXTRA INFO: do show ... executes show command in configuration mode
Numbered ACL Configuration Versus Named ACL Configuration

- Numbered ACLs:
- access-list global commands
- ACL configuration mode subcommands
- IOS always stores numbered ACLs as global access-list commands, even if it was
configured in ACL configuration mode
(- Continuing on from the steps above: )
- Step 7: The configuration is listed with do show running-config, which lists old-
style global configuration commands
- Step 8: A new statement is added to the end of the ACL using access-list 24 permit
10.1.4.0 0.0.0.255 global command
- Step 9: do show ip access-lists 24 confirms that old-style command is added to the
end of the ACL (sequence number 40)
- Step 10: do show running-config confirms that both new- and old- style commands
are all listed in the same global commands
ACL Implementation Considerations
- Filtering closer to source of packet: less bandwidth taken up in the network (extended
ACLs)
- Filtering closer to destination: less unwanted packets being filtered (standard ACLs)
- Place more specific matching parameters early in each list:
- Example: 10.1.1.1 after 10.1.1.0 0.0.0.255, packets will never match 10.1.1.1
- Cisco recommends you disable ACLs on the interfaces before you change statements in the
list
- If an entire ACL is deleted while ACL is enabled on interface, IOS does not filter
any packets (as is the case with disabling an ACL on interface)
- As soon as one statement is added to enabled ACL, IOS filters packets based on that
ACL, and the implicit deny any (deny ip any any) is activated
Troubleshooting with IPv4 ACLs

Analysing ACL Behaviour in a Network
- ping and traceroute might work fine, but other end-user packets may be matched with a
deny command
- Steps to analysing an ACL:
- Step 1, Step 2: Simlet questions
ACL Troubleshooting Commands

- Finding location & direction of ACLs in enable mode: show running-config
- Finding location & direction of ACLs in user mode: show ip interfaces {interface-id}
- Finding contents of ACL: show running-config, show access-lists and show ip access-lists
- Commands also list counters for number of packets that have matched each line in ACL
- Not increasing counter may mean:

- Packets are not matching that line in that ACL
- Packets are matching an earlier line in the same ACL
- Packets are not reaching that router for some reason
- Find address range for ACL: address in command + wildcard mask
Example Issue: Reversed Source/Destination IP Addresses
- Requirements:
- Allow hosts in subnet 10.3.3.0/25 and subnet 10.1.1.0/24 to communicate
- Prevent hosts in subnet 10.4.4.0/23 and subnet 10.1.1.0/24 from communicating
- Allow all other communications between hosts in network 10.0.0.0
- Prevent all other communications
- R2's G0/2 inbound interface does not match outbound packets from 10.4.4.0/23
- Can apply for TCP/UDP source/destination ports
Steps 3D and 3E: Common Syntax Mistakes

- IOS rejects commands with missing tcp or udp keyword for matching ports
- ICMP is a separate keyword: icmp
Example Issue: Inbound ACL Filters Routing Protocol Packets

- Router bypasses outbound ACL logic for packets the router itself generates
- Outbound ACL can discard forwarded packets, but not generated packets
- R1 would match RIP messages with the implicit deny any

- R1 would never learn routes from R2, but R2 could still learn RIP routes from R1
- RIPv2 uses UDP as a transport, EIGRP and OSPF do not use a transport protocol
- You can include these lines in any inbound ACL to ensure that routing protocol packets
would be permitted
ACL Interactions with Router-Generated Packets
Local ACLs and a Ping from a Router

- ping generates ICMP echo request messages and may receive an ICMP echo reply message
- ICMP messages by pinging server S1 can be filtered at locations B, C, and D

- EXTRA INFO: if R1 pinged R2, only locations B and D could filter the packets as R2 sends
its own ICMP echo reply with its IP address
Router Self-Ping of a Serial Interface IPv4 Address

- Self-ping of a serial interface:
- Step 1: Router sends ICMP echo request out the point-to-point serial link to other
router
- Step 2: The neighbouring router receives and routes the packet with the ICMP echo
request back to the original router
- Self-ping tests parts of point-to-point serial link:

- The link must work at Layers 1, 2, and 3
- Both routers have a working (up/up) serial interface, with correct IPv4 addresses
configured
- ACLs B, C, and D must permit the ICMP echo request and reply packets
Router Self-Ping of an Ethernet Interface IPv4 Address

- Self-ping of an Ethernet interface:
- Tests status of local router interface (up/up)
- Does not test security features on neighbouring devices (port security or ACL), since
ICMP messages are not physically forwarded out the interface
- Incoming IP ACL on local router process router self-ping
- Only the ACL on incoming interface of the local router will filter self-ping
Chapter 27 - Network Address

Translation
Perspectives on IPv4 Address Scalability
- Long-term solution:
- IPv6 (theoretically has 1038 addresses)
- Short-term solution:
-NAT: allows for private networks to connect to Internet
- Private addressing: use of unregistered networks
- CIDR (Classless Interdomain Routing): assignment of subnets, not entire networks,
by ISPs and ability to summarise routes
CIDR
- CIDR's main goals according to RFC 4632:
- Defines a way to assign public IP addresses
- Allows route aggregation or route summarisation
- Assignment of all addresses that begin with 198 to one ISP lets other ISPs use one route for
198.0.0.0/8 to match all those addresses
- CIDR reduces wasted addresses by assigning subnets (CIDR blocks)
Private Addressing
- If a computer would never connect to the Internet, it can use duplicates of registered IP
addresses or private addresses
- RFC 1918 defines a set of networks that will never be assigned to any organisation as a
registered network number called private internets
- Private addresses cannot be advertised using a routing protocol on the Internet
Network Address Translation Concepts

- NAT allows addresses not Internet-ready to communicate across the Internet by
representing them with registered address/es
- NAT router changes outgoing packet source addresses and incoming packet destination
addresses
- Source NAT
Static NAT
- IP addresses are statically mapped to each other

- NAT router configures one-to-one mapping between the private address and public address
(200.1.1.0, as assigned by ISP)
- Terminology:
- Inside local addresses: private IP addresses (e.g. 10.1.1.1)
- Inside global addresses: public IP addresses (e.g. 200.1.1.1)
- "Inside": part of enterprise network that uses private addresses (e.g. 10.1.1.0)
- "Outside": Internet side of NAT function (e.g. 200.1.1.0)
- Source NAT table: lists inside local address with matching inside global address
- Destination NAT uses outside global/local
Dynamic NAT
- One-to-one mapping of inside local address to inside global address happens dynamically
- Step 1: Host 10.1.1.1 sends its first packet to 170.1.1.1

- Step 2: Router uses NAT matching logic to decide whether packet should have NAT
applied, since it has a match, router adds it to the NAT table
- Step 3: NAT router allocates the first available IP address from the pool of valid inside
global addresses and adds it to the NAT table to complete the entry
- Step 4: NAT router translates source IP address and forwards the packet
- Dynamic entry times out
- clear ip nat translation *: clears NAT table
- If inside global address pool is all allocated, packet is discarded
- Address can be reallocated if timed out
Overloading NAT with Port Address Translation

- Static NAT requires as much public addresses as private addresses
- Dynamic NAT requires fewer public addresses, but to a small degree
- TCP/UDP uses port numbers to communicate
- Server does not care whether all connections came from a single host, or from multiple
hosts
- PAT takes advantage of this, and translates ports and address
- NAT overload can use more than 65000 port numbers to translate addresses and ports
NAT Configuration and Troubleshooting

Static NAT Configuration
- Static NAT Configuration steps:
- Step 1: Use ip nat inside in interface configuration mode to configure interfaces to
be in the inside part of the NAT design
- Step 2: Use ip nat outside in interface configuration mode to configure interfaces to
be in the outside part of the NAT design
- Step 3: Use ip nat inside source static inside-local inside-global in global
configuration mode to configure the static mappings
- Extra addresses can be used to connect enterprise to Internet, or loopback address
- inside: NAT translates addresses for hosts on the inside part of the network
- source: NAT translates the source IP address of packets coming into its inside interfaces
- static: Static entry is defined
- show ip nat translations lists NAT table
- show ip nat statistics lists statistics on NAT, such as number of hits, active translations etc.
Dynamic NAT Configuration

- Dynamic NAT needs:
- ACL to specify inside local addresses for which the NAT should apply
- Pool to specify inside global address ranges for which the inside local addresses
should translate to
- Example dynamic NAT configuration
- ip nat pool my-pool 200.1.1.1 200.1.1.10 netmask 255.255.255.240: configures for inside
global addresses in between, and including 200.1.1.1 and 200.1.1.10 to be translated to
- netmask checks if both lowest and highest addresses are in the same subnet
- If netmask doesn't match, then IOS rejects the command
- ip nat inside source list 1 pool fred:
- Create NAT table entries that map between hosts matched by ACL 1, for packets
entering any inside interface, allocating an inside global address from the pool called
fred
Dynamic NAT Verification

- Before user traffic happens, NAT table is empty, with show ip nat statistics listing 0 active
translations
- First "misses" indicates number of times a new packet does not find a NAT entry, at which
point, dynamic NAT reacts and builds an entry
- Second "misses" indicates number of times dynamic NAT tries to allocate a new NAT table
entry and finds no available addresses, probably resulting in a discard
- After host 10.1.1.1 telnets to host 170.1.1.1, show ip nat statistics lists:
- 1 active translation
- 1 miss (host tried to find NAT entry, but couldn't find one)
- 69 hits (dynamic NAT created entry, and host can now be translated)
- 1 pool member allocated | 50% of the pool are currently in use
- NAT entry can time out or clear ip nat translation * can remove all entries
- debug ip nat causes router to issue a message every time a packet has its address translated
for NAT
NAT Overload (PAT) Configuration

- Two versions of PAT configuration:
- PAT is enabled on one interface, and uses one inside global IP address
- PAT uses a pool of inside global IP addresses
- Difference between NAT overload and one-to-one NAT:
- PAT configuration checklist:
- Example: ip nat inside source list 1 pool fred overload
- Certskills is given 200.1.1.248/30, and PAT is enabled on 200.1.1.249

- 10.1.1.1 creates one Telnet connection, and 10.1.1.2 creates two Telnet connections
- interface serial 0/0/0: only inside global IP address available is the IP address of the NAT
router's interface serial 0/0/0
- overload parameter means that NAT overload feature is enabled
NAT Troubleshooting
- Most of NAT troubleshooting issues relate to getting the configuration correct
- Troubleshooting checklist for most common source NAT issues:
- Troubleshoot two different IP addresses:

- Step 1: Inside host sends packet with destination address 170.1.1.1
- Step 2: NAT router forwards packet with unchanged destination address of 170.1.1.1
- Step 3: Server sends packet with inside global destination address 200.1.1.249
- Step 4: NAT router forwards packet with inside local destination address 10.1.1.1
Part VII Revision

Key Terms to Remember
Chapter 25
Standard access list
Wildcard mask
Chapter 26
Extended access list
Named access list
Chapter 27
CIDR
Inside global
Inside local
NAT overload (PAT)
Outside global
Port Address Translation (PAT)
Private IP network
Source NAT
Part VIII - IP Version 6
Chapter 28 - Fundamentals of IP
Version 6
Introduction to IPv6
- IPv6 serves as the replacement protocol for IPv4
- Around 340 undecillion theoretic addresses
- Different size address field, different addressing rules, different routing protocols, different
subnetting rules etc.
The Historical Reasons for IPv6
- ARPANET => research => fixed Internet access with dial, DSL and cable => pervasive
mobile Internet
- IANA and RIRs exhausted IPv4 addresses, and THE DAY HAS COME WHEN NEW
COMPANIES' ONLY OPTION WILL BE IPv6
- IETF used NAT, CIDR and IPv6 to solve IPv4 address exhaustion problem
The IPv6 Protocols

- Protocol migrations:
- OSPFv2 => OSPFv3 (Supports advertising of both IPv4 and IPv6 routes)
- ICMP => ICMPv6
- ARP => NDP (Neighbour Discovery Protocol)
- One specific protocol called IPv6 defines the new 128-bit IPv6 address
- IPv6 addresses are represented as hexadecimal values
- IPv6's simpler 40-bit header
IPv6 Routing
- PC1, with address 2345::1, wants to send a packet to host PC2 in another subnet, so sends
the packet to the default gateway, 2345::2, with the packet encapsulated inside an Ethernet
header and trailer
- Step 1: R1 de-encapsulates the IPv6 packet, discarding the Ethernet header and trailer
- Step 2: R1 makes a forwarding decision and re-encapsulates the IPv6 packet into a HDLC
header and trailer
- IPv6 packets use IPv6 routing table, listing information about prefixes (subnets), outgoing
interface and next-hop router
- Dual stack: migration strategy of running both IPv4 and IPv6 (on a router, by adding
additional configuration)
IPv6 Routing Protocols
- Same IGP/EGP conventions as IPv4: IGP advertises IPv6 routes inside an enterprise
IPv6 Addressing Formats and Conventions

Representing Full (Unabbreviated) IPv6 Addresses
- Address with 128 bits, 32 hex digits, 8 quartets
- Conversion from hexadecimal to binary and vice versa
Abbreviating and Expanding IPv6 Addresses

- Computers and routers use the shortest abbreviation, even if you type all 32 hex digits of the
address
Abbreviating IPv6 Addresses

- Two basic rules:
- For example:
- Unabbreviated address: FE00:0000:0000:0001:0000:0000:0000:0056
- Remove the leading 0s: FE00:0:0:1:0:0:0:56
- Remove consecutive 0s:
- Shortest abbreviation: FE00:0:0:1::56
- Longer, valid abbreviation: FE00::1:0:0:0:56
- Invalid abbreviations:
- FE:0:0:1::56
- FE00::1::56
Expanding Abbreviated IPv6 Addresses

- Two reverse-logic rules:
Representing the Prefix Length of an Address

- IPv6 prefix-length (IPv4: subnet mask) uses slash notation
- Cisco routers may require configuration of either:
- No space between address and prefix length (e.g. 2222:1111:0:1:A:B:C:D/64)
- Space between address and prefix length (e.g. 2222:1111:0:1:A:B:C:D /64)
- Prefix length can be from /0 to /128
Calculating the IPv6 Prefix (Subnet ID)

- IPv6 address and prefix length can calculate IPv6 prefix (IPv4: subnet ID)
Finding the IPv6 Prefix

- Rules to find IPv6 prefix:
- Rule to find IPv6 prefix which is a multiple of 4:

1. Identify the number of hex digits in the prefix by dividing the prefix length by 4
2. Copy the hex digits determined to be in the prefix per the first step
3. Change the rest of the hex digits to 0
- Example:
- Abbreviating prefix lengths:

- Address: 34BA:B:B:0:5555:0:6060:707/64
- Prefix length: 34BA:B:B:0:0:0:0:0/64 (34BA:B:B:0::/64)
- Abbreviation: 34BA:B:B::/64
Working with More-Difficult IPv6 Prefix Lengths

- If prefix length is a multiple of 16, copy entire quartets
- If prefix length is a multiple of 4: copy entire hex digits
- If not, work in binary to form new hex digit
- For example:
- Address: 210F:A:B:C:CCCC:B0B0:9999:9009/40
- Prefix length: 210F:A:0000:0:0:0:0:0/40
- Abbreviation: 210F:A::/40
Chapter 29 - IPv6 Addressing and

Subnetting
Global Unicast Addressing Concepts
A Brief Review of Public and Private IPv4 Addresses
Review of Public IPv4 Addressing Concepts

- Three steps in planning to ensure that each unicast was unique:
- The company or organisation asked for an received the rights to the exclusive use of
a public Class A, B, or C IPv4 network number
- The classful network into smaller subnets
- Individual IPv4 addresses are allocated to each host interface
- The following each need a separate subnet:
- If all devices were in the same VLAN, serial link, EoMPLS link and data branches require a
different subnet (subnets for the Internet will be assigned by ISP)
Review of Private IPv4 Addressing Concepts

- Using NAT/PAT allows one public IPv4 address to support many private addresses
Public and Private IPv6 Addresses

- Global unicast IPv6 addresses = public IPv4 addresses
- Unique local IPv6 addresses = private IPv4 addresses
- Each company is given a unique IPv6 address block, and each company subnets the block,
and only uses unique addresses from that block OR
- IPv6 NAT/PAT is used to assign unique local addresses to hosts
- Summary of global unicast and unique local:
- Site local (begin with FEC, FED, FEE or FEF): originally intended to be used like IPv4
private addresses and is not removed from the IPv6 standards
The IPv6 Global Routing Prefix

- The reserved block of IPv6 addresses that are allocated to companies, are called a global
routing prefix (meaning that Internet routers can have one route that refers to all the addresses
inside the block)
- Assignment process: IANA, ICANN => RIRs => ISPs
- Step 1: IANA gives ARIN prefix 2001::/16

- Step 2: ARIN gives NA-ISP1 prefix 2001:0DB8::/32
- Step 3: NA-ISP1 gives Company 1 2001:0DB8:1111::/48
Address Ranges for Global Unicast Addresses

- Global unicast address (2000::/3) includes all IPv6 addresses not otherwise allocated for
other purposes
IPv6 Subnetting Using Global Unicast Addresses

- Most everyone uses /64 because dynamic IPv6 address assignment process works better
Deciding Where IPv6 Subnets Are Needed

- A subnet for each:
- VLAN
- Point-to-point WAN link:
- Serial link
- EoMPLS
- Data branches
The Mechanics of Subnetting IPv6 Global Unicast Addresses

- IPv4 uses classful rules for network and host bits in unsubnetted IPv4 addresses
- When a classful network is subnetted, subnet bits "borrow" host bits

- Network bits stay locked, but subnet and host bits are flexible
- IPv6 subnetted addresses use:

- Global routing prefix; as set by IANA, RIR, or ISP
- Subnet part; as set by the local engineer
- Interface ID; as set by the local engineer
- IPv6 has no concept of address classes, but authorities give a locked global routing prefix
and prefix length (prefix length of global routing prefix is often between /32 and /48 or
possibly as long as /56)
- Interface ID doesn't have to be 64 bits long, but there is no reason to avoid it
- Subnet field is typically 128 - Interface ID - Global Routing Prefix (or 64 - Global Routing
Prefix)
- For 2001:0DB8:1111:0001:0000:0000:0000:0001:
- Company was assigned prefix 2001:0DB8:1111/48
- Company uses a 64-bit interface ID
- Company has a subnet field of 16 bits, allowing 216 (65536) IPv6 subnets
- Each subnet supports [264 - reserved values] hosts
Listing the IPv6 Subnet Identifier

- Routers list the IPv6 prefix ID (subnet ID) with prefix length in their IPv6 routing tables, in
this case, 2001:DB8:1111:1::/64
List All IPv6 Subnets

- If a single prefix length is used for all subnets, you can write down all the IPv6 prefix IDs
- Rules to find all prefix IDs:
- Global routing prefix followed by different subnet bits, and all 0s for interface IDs
- The IPv6 subnet ID is more formally called the subnet router anycast address, is reserved,
and should not be used as an IPv6 address for any host
Assign Subnets to the Internetwork Topology
- Company 1's four subnets for all its data link instances, with global routing prefix
2001:DB8:1111::/48
Assigning Addresses to Hosts in a Subnet

- Host can have the IPv6 address static configuration with:
- IPv6 address
- IPv6 prefix length
- Default router IPv6 address
- DNS server IPv6 addresses
- Hosts can have their configuration dynamically learnt using either:
- DHCP or
- SLAAC (Stateless Address Autoconfiguration)
Unique Local Unicast Addresses

- Begins with hex FD, and is not registered with any numbered authority and can be used by
multiple organisations
- Unique local address rules:
Subnetting with Unique Local IPv6 Addresses

- First 8 bits are preset, and next 40 global routing prefix bits can be random:
- E.g. FD00:0001:0001::/48 (FD00:1:1::/48)
- Treat entire fourth quartet as a subnet field
The Need for Globally Unique Local Addresses

- Short global routing prefixes are good for testing, but not for real situations
- For a real network, global routing prefixes should be chosen randomly, so that it is globally
unique
- Globally unique addresses helps the merging of two enterprise networks much easier, as no
two addresses overlap
Chapter 30 - Implementing IPv6

Addressing on Routers
Implementing Unicast IPv6 Addresses on Routers
- IPv6 requires a long-term migration strategy, usually with a dual-stack strategy
Static Unicast Address Configuration

- Two options when configuring static IPv6 addresses:
- Configure the full 128-bit address
- Configure a 64-bit prefix and let the router derive the interface ID
Configuring the Full 128-Bit Address

- ipv6 address address/prefix-length interface subcommand:
- Address can be either global unicast or unique local
- Address can be either abbreviated or can be the full 32-digit hex address
- Address and the prefix length has no space between them
Enabling IPv6 Routing

- ipv6 unicast-routing global command enables IPv6 routing
- Router must both enable IPv6 globally and enable IPv6 on the interface (ipv6 address) to
route packets
- If only ipv6 address is configured, the router acts like an IPv6 host and does not route IPv6
packets
Verifying the IPv6 Address Configuration

- show ipv6 interface brief: gives interface IPv6 address info, but not prefix length info
- show ipv6 interface: gives details of IPv6 interface settings
- WARNING: show interfaces tells nothing about IPv6
- show ipv6 interface lists IPv6 address, prefix length and subnet that interface is in
- show ipv6 interface brief: lists IPv6 addresses, but not the prefix length or prefixes
- Router adds IPv6 connected routes to the IPv6 routing table off each interface that is up/up
Generating a Unique Interface ID Using Modified EUI-64
- Routers typically use static IPv6 addresses, while user devices use DHCP or SLAAC
- Modified EUI-64 (Extended Unique Identifier) rules for creating interface IDs:
- Step 1: Start with the MAC address => 0013.1234.ABCD

- Step 2: Split the MAC address into halves => 001312 34ABCD
- Step 3: Insert FFFE between the two halves => 001312FFFE34ABCD
- Step 4: Insert a colon every four hex digits => 0013:12FF:FE34:ABCD
- Step 5A: Take the first 2 hex digits => 00

- Step 5B: Convert the first 2 hex digits to binary => 0000 0000
- Step 5C: Invert the 7th bit => 0000 0010
- Step 5D: Convert to hex => 02
=> Address: Prefix + 0213:12FF:FE34:ABCD
- Table avoids hex/binary conversions
- Configuring router interface to use EUI-64 format:

ipv6 address address/prefix-length eui-64 interface subcommand
- Serial interfaces DO NOT have associated MAC addresses
- Router chooses the MAC of the lowest-numbered router interface that does have a MAC
Dynamic Unicast Address Configuration

- Cisco routers support two ways for router interface to dynamically learn an IPv6 address:
- Stateful DHCP
- Stateless Address Autoconfiguration (SLAAC)
Special Addresses Used by Routers

- After configuration of ipv6 unicast-routing and unicast IPv6 address on an interface, the
router:
Link-Local Addresses
- Not used for normal IPv6 packet flows, but by overhead protocols and for routing
Link-Local Address Concepts

- IPv6 protocols that need to send messages inside a single subnet typically uses link-local
addresses, such as NDP
- Routers use link-local addresses as the next-hop IPv6 addresses in IPv6 routes
- Hosts use default router's link-local address
- Key facts about link-local addresses:
Creating Link-Local Addresses on Routers

- Link-local address start with FE80::/10 (FE8, FE9, FEA, FEB), but RFC says the next 54
bits should be binary 0, so link-local address should ALWAYS start with
FE80:0000:0000:0000
- Link-local address can be created:

- With EUI-64 format (Cisco routers)
- By random (Microsoft OS)
- With static configuration
- IOS creates link-local addresses for any interface that has configured at least one other
unicast address with the ipv6 address command (global unicast, unique local)
- Unicast and link-local addresses have same interface IDs if using EUI-64
- IOS chooses link-local address for interface based on the following rules:
- If configured, router uses value in ipv6 address address link-local
- If not, IOS calculates link-local address with EUI-64 rules
Routing IPv6 with Only Link-Local Addresses on an Interface

- ipv6 enable interface subcommand enables IPv6 and router creates a link-local address
- Two routers on WAN link do not need global unicast addresses, whereas hosts on each
LAN need global unicast addresses
IPv6 Multicast Address

- Multicast address: FF00::/8
Local Scope Multicast Addresses

- FF02::/16 is a link-local scope multicast: routers will not forward these packets outside the
local subnet
- Organisation-scope multicast (FF08::/16): packets are forwarded throughout the
organisation but not out the Internet
- Most common local-scope IPv6 multicast addresses:
- show ipv6 interface lists multicast addresses used by interface:
Solicited-Node Multicast Addresses

- Value varies from host to host
- Every interface with unicast addresses has a solicited-node multicast address
- Solicited-node multicast address concepts:
- Multicast: The address is a multicast address
- Link-local: The scope is link-local, meaning routers do not forward messages sent
to this address
- Calculated: The address is calculated based on the last six hex digits of the unicast
IPv6 address
- Operation: Each host interface must listen for packets sent to its solicited-node
multicast address
- Overlap: Some hosts might have the same solicited-node multicast address
- Packets sent to solicited-node multicast address might be processed by one or multiple hosts
- Some protocols want the logic of sending one multicast packet to all hosts using similar
unicast IPv6 addresses
- Solicited-node multicast address:
RFC-defined FF02::1:FF/104 + last 6 hex digits of unicast address
- One for global unicast address, one for link-local address
Anycast Addresses
- Packets sent to this address is sent to the nearest device that supports the address
- Two steps of anycast addressing:

- Step 1: Two routers configure the exact same IPv6 address, designated as an anycast
address, to support some service
- Step 2: Routers route the packet to the nearest of the routers that support the address
- Anycast address is configured and advertised with /128 prefix so it is a host route
- anycast keyword for anycast address configuration

- show ipv6 interface identifies address as anycast, but show ipv6 interface brief does not
- Subnet router anycast address sends packet to any router on a subnet
Miscellaneous IPv6 Addresses

- All IPv6 hosts can use two additional special addresses:
- :: is used when its own IPv6 address is not yet known, or wonders if its own IPv6 address
might have problems (e.g. dynamic IPv6 address configuration)
- ::1 is used as loopback address to test its own protocol stack (down to IPv6 and back up to
application)
IPv6 Addressing Configuration Summary

- Summary of IPv6 address types:

Addressing on Hosts
The Neighbour Discovery Protocol
- Host IPv6 settings:
- Interface IPv6 address, DNS servers: typically global unicast or unique local unicast address
- Default router: typically link-local address
- NDP functions:
Discovering Routers with NDP RS and RA

- ICMPv6 includes all the NDP messages
- Two messages that enable routers to learn addressing and subnet information from any
routers in the subnet:
- PC1 learning R1's link-local address:
- RS uses all-routers multicast address (FF02::2)

- RA uses PC1's address or all-nodes multicast address (FF02::1)
Discovering Addressing Info for SLAAC with NDP RS and RA

- RS/RA: basic query/response protocol (hosts asking, routers supplying info)
- Host can learn prefix and prefix length from router global unicast address
- SLAAC uses prefix/prefix length info from RS/RA
Discovering Neighbour Link Addresses with NDP NS and NA

- NS = IPv4 ARP Request
- NA = IPv4 ARP Reply (lists host MAC address)
- RS/RA sends to router, NS/NA sends to host
- NS/NA lets hosts discover the link-layer address of other on-links (hosts on same data link)
- NS: "What is your link address?" to target IPv6 unicast address
- Step 1:
- PC1 looks in its NDP neighbour table, and doesn't find MAC address
- PC1 sends RS to solicited-node multicast address to find PC2's MAC address,
asking for MAC address
- Step 2:
- PC2 sends back an NA message, listing PC2's MAC address
- PC1 record PC2's MAC address in PC1's NDP neighbour table
Windows Linux Mac OS
interface ipv6 show ip -6 neighbour show ndp -an
neighbors
Discovering Duplicate Addresses Using NDP NS and NA

- IPv6 uses Duplicate Address Detection (DAD) before using unicast address
- If another host already uses that address, first host doesn't use the address until
problem is resolved
- DAD uses NDP NS/NA
- Step 1: PC1 must use DAD before using address 2001:DB8:1111:1::11
- Step 2: PC1 sends an NS for target 2001:DB8:1111:1::11
- Step 3: PC2 sends back an NA, listing the IPv6 address and MAC address of itself
- Step 4: Because PC1 received an NA, PC1 realises a duplicate address exists
- Host uses DAD for each unicast and link-local address, when address is first used and each
time host's interface comes up
NDP Summary
Dynamic Configuration of Host IPv6 Settings

- DHCPv6 has disadvantage of requiring a server => SLAAC
Dynamic Configuration Using Stateful DHCP and NDP

- Similarities between stateful DHCPv6 and IPv4 DHCP:
- Stateful DHCPv6 tracks info about which client has a lease for what IPv6 address
- Stateless DHCP servers do not track any per-client information
Differences Between DHCPv6 and DHCPv4

- Stateful DHCPv6 does not supply default router information to client (use NDP for that)
- Stateful DHCPv6 messages:
- Solicit: Client searching for IPv6 address of DHCPv6 server

- Advertise: Server advertises an address and other configuration settings for client to
possibly use
- Request: Client asks to lease the address
- Reply: Server confirms the lease
DHCPv6 Relay Agents

- Client uses following addresses in Solicit message:
- Source of link-local: client uses its own link-local address as source
- Destination address of "all-DHCP-agents" FF02::1:2: Multicast sends to DHCP
servers and DHCP relay agents
- Step 1:
From: A's link-local address
To: FF02::1:2 (all-DHCP-agents address)
- Step 2:
From: R1's OUTGOING interface address (DHCPv4: incoming)
To: DHCPv6 server address
- Return DHCPv6 messages follow reverse process
- ipv6 dhcp relay destination server-address command enables DHCP relay

- show ipv6 interface lists interface as listening to FF02::1:2
Using Stateless Address Auto Configuration

- Stateful DHCPv6 server requires IT staff management
- SLAAC dynamically learns part of IPv6 address without a server
Building an IPv6 Address Using SLAAC

- SLAAC IPv6 address choice process:
- Host can use modified EUI-64 or random interface ID:
Combining SLAAC with NDP and Stateless DHCP

- Host uses three different tools to find its four IPv6 settings:
- DHCPv6 client asks for only DNS server addresses, and NOT a lease of an IPv6 address
- Stateless DHCPv6 server:
- Needs simple configuration only; small number of DNS server addresses
- Needs no per-subnet configuration; no lists, pools, excluded addresses etc.
- Does not need to track state information about DHCP leases because it does not
lease addresses to any clients
Troubleshooting IPv6 Addressing

- Verification of host's IPv6 settings and ability to send packets (ping and traceroute)
Verifying Host IPv6 Connectivity from Hosts

- Four IPv6 host settings on GUI:
- SLAAC gave host two IPv6 address (one with EUI-64, one with random interface ID)
- ipconfig or ifconfig examines IPv6 settings:
- ping (ping6), traceroute (traceroute6) checks host connectivity
- IPv6 pings to R1 and PC2, IPv4 ping to PC2:
- traceroute6 from PC1 to PC2:
Verifying Host Connectivity from Nearby Routers

- Standard ping and traceroute command work on Cisco routers for IPv6
- Extended ping and traceroute requires ipv6 keyword in Protocol parameter
- Another verification: look at router's neighbour table (checks host NA/NS response)
- Router can clear its neighbour table with clear ipv6 neighbor and then ping a host on some
connected interface
- Router sends NDP NS
- Host needs to send NDP NA back
- If host MAC address shows in neighbour table, host replied with NDP NA
- Cisco routers watch for (unsolicited) RA messages received from other routers
- show ipv6 routers lists any other routers in the local subnet
- R1 does not hear any RA messages from other routers on that LAN subnet
- R2 and R3 hears RAs from each other in the same LAN subnet
- Host neighbour tables give routers "flag" "R" if RA was received

Routing
Connected and Local IPv6 routes
- A router adds IPv6 routes based on:
Rules for Connected and Local Routes
- If interface is up/up and ipv6 address is configured, router adds both a connected and local
route
- Routers DO NOT create IPv6 routes for link-local addresses
- ipv6 address 2000:1:1:1::1/64:
- Local route for 2000:1:1:1::1/128
- Connected route for 2000:1:1:1::/64
Example of Connected IPv6 Routes
- Prefixes (subnets) with abbreviated interface IPv6 addresses
- R1 should have three local and connected routes, one of each on each interface
- Each connected route lists:

- Routing code "C" for connected route
- Destination IPv6 prefix length (subnet ID) of "2001:DB8:1111:1::/64"
- Administrative distance of "0" (connected route default value)
- Metric of "0" (static route)
- Outgoing interface of "GigabitEthernet0/0"
- "Directly connected" route
Examples of Local IPv6 Routes
- Each working interface has a local route + one local route for multicast
- Lists interface address with prefix length /128 (matches only that address)
Static IPv6 Routes

- ipv6 route + prefix + prefix length + next-hop address OR outgoing interface OR both
Static Routes Using the Outgoing Interface

- Command uses the local outgoing interface:
- Both R1 and R2 needs to have routes for each other's subnet for a successful ping:
- Verification: ping, traceroute, show ipv6 route and show ipv6 route static:
- Facts about static route:

- Routing code "S"
- Destination prefix length
- AD "1" and metric "0"
- Outgoing interface
- "Directly connected"
- show ipv6 route 2001:db8:1111:2::22 lists which route R1 would use:
Static Route Using Next-Hop IPv6 Address
- Global unicast or unique local OR link-local with interface
Example Static Route with a Global Unicast Next-Hop Address

- Static IPv6 routes with global unicast addresses (2-way):
- Verification with show ipv6 route 2001:db8:1111:2::22:
Example Static Route with a Link-Local Next-Hop Address

- Link-local address does not tell the local route which outgoing interface to use by itself
- ipv6 route with global unicast address can deduce the outgoing interface from the
connected route
- show ipv6 route lists route with next-hop address AND outgoing interface
Static Default Routes

- IPv6 routing logic:
- With no default route, router discards the IPv6 packet
- With default route, router forwards the IPv6 packet based on the default route
- Branch routers with one WAN link use default routes:
- ::/0: address is all 0s, prefix length is 0 = matching all IPv6 addresses
- IPv6 default routes (::/0) don't have candidates (*s), and are simply added
Static IPv6 Host Routes

- Host route uses /128 mask, identifying a single host
- Host route with host's full address and /128 mask:
Floating Static IPv6 Routes
- Both primary OSPF-learned link and backup T1 link reach subnet 2001:DB8:1111:7::/64
- R1 chooses backup T1 link over faster primary link because:
- AD of OSPF-learned route is 110
- AD of static route is 1
- Lowest AD (static route) gets chosen
- Floating static route: static route with overridden default AD value
- ipv6 route 3444:4:4:4::/64 3444:2:2:2::2 130: static route does not get learnt because
OSPF-learned route's AD is lower
- show ipv6 route and show ipv6 route 3444:4:4:4::/64 list ADs:
- List of some default IPv6 administrative distance values:

Default Routes with SLAAC on Router Interfaces
- DHCP's default route mechanism => SLAAC's default route mechanism
- Step 1: ipv6 address autoconfig default on router interface enables SLAAC and dynamic
default route learning
- Step 2: R1 sends an NDP RS to ISP1 to find the prefix and default router address
- Step 3: ISP1 sends an NDP RA to R1 with prefix and default router address
- When R1 receives the NDP RA:

Interface address: Builds own interface IPv6 address using SLAAC and prefix
learned from RA
Local /128 Route: Adds a local (/128) route for the address
Connected Route for Prefix: Adds a connected route for prefix learned from RA
Default route: R1 adds a default route (::/0) with next-hop address of ISP1's address,
as learned in the RA
- Routing code:
- "ND": NDP-learned default route
- "NDp": NDP-learned prefix
Troubleshooting Static IPv6 Routes

- Two cases:
- Route is in the routing table, but is incorrect
- Route is not in the routing table, but is correct
Troubleshooting Incorrect Static Routes That Appear in the IPv6 Routing Table
- If command syntax is correct, ipv6 route command is placed into running-config, then, if
no other problem exists, IOS puts route into IP routing table
- Incorrect commands, such as using local interface address as a next-hop address, are
accepted and put into the IPv6 routing table
- Check for mistakes:
- IOS would accept the command, but the route will not work
- Step 1: Prefix has a typo and doesn't match actual prefix

- Step 2A: Neighbour link-local address is incorrect
- Step 2B: The outgoing interface is omitted (router rejects command)
- Step 3: Next-hop router address is incorrect
- Step 4: Outgoing interface is incorrect
- IOS rejects the command if outgoing interface is omitted and next-hop address is a link-
local address
The Static Route Does Not Appear in the IPv6 Routing Table
- IOS makes checks before adding a route:
- ipv6 route with incorrect next-hop address of R2's LAN interface:
- Since R1 doesn't have a route to the next-hop address 2001:DB8:9:3::2, IOS does not add
the route
Part VIII Revision
Chapter 28
IPv4 address exhaustion
IP version 6 (IPv6)
OSPF version 3 (OSPFv3)
EIGRP version 6 (EIGRPv6)
Prefix
Prefix length
Quartet
Chapter 29
Global unicast address
Global routing prefix
Unique local address
Subnet ID (prefix ID)
Subnet router anycast address
Chapter 30
Dual stacks
EUI-64
Link-local address
Link-local scope
Solicited-node multicast address
All-nodes multicast address (FF02::1)
All-routers multicast address (FF02::2)
Anycast address
Subnet-router anycast address (prefix)
Chapter 31
Neighbor Discovery Protocol (NDP)
Router Solicitation (RS)
Router Advertisement (RA)
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
Stateless Address Auto Configuration
(SLAAC)
Duplicate Address Detection (DAD)
Stateful DHCPv6
Stateless DHCPv6
IPv6 neighbor table
Chapter 32
-
Part IX - Network Device
Management
Chapter 33 - Device Management
Protocols
System Message Logging (Syslog)
- IOS can send syslog messages to currently-logged users or store them
Sending Messages in Real Time to Current Users

- Default: IOS shows log messages to console users for all severity levels of messages
(logging console)
- Two-step configuration for Telnet/SSH users:
- logging monitor: tells IOS to enable sending of log messages to all logged users
- terminal monitor: tells IOS that this terminal session would like to receive log
messages
- B receives syslog messages, C does not
Storing Log Messages for Later Review

- Default: IOS sends message to console (and terminal sessions) and discards the message
- Option 1 - Storing in RAM:
- logging buffered: IOS stores copies of log messages in RAM
- show logging: user can review the old log messages in RAM
- Option 2 - Storing in a syslog server:
- Device uses UDP to send messages to syslog server for storage
- logging host {address | hostname}
- User can connect to server (typically with GUI) and browse log messages
Log Message Format
- Format:
timestamp: *Dec 18 17:10:15.079
facility on router that generated message: %LINEPROTO
severity level: 5
mnemonic for message: UPDOWN
description: Line protocol on Interface FastEthernet0/0, changed state to down
- User can toggle on/off the use of timestamp (default: on)

- User can toggle on/off log message sequence number (default: not enabled)
Log Message Severity Levels
- IOS severity levels (lower = more severe):
- E.g. interface failing to physically down state: severity level 3 message

- When severity level is set, IOS sends that service messages of that severity level and more
severe
- no command disables service
Configuring and Verifying System Logging

- Both switches and routers use the same configuration:
- show logging confirms configuration settings:
- show logging lists severity levels by name, not number

- Buffered log messages are listed at the end of the command
- clear logging clears old messages
- logging buffered 4 allows only %LINK-3-UPDOWN message to be stored in RAM
The debug Command and Log Messages

- debug remains active, even if user is logged out, until no debug command is issued
- debug monitors RIPv2's 30-second periodic messages

- debug messages do not get stored in RAM or syslog server because of logging buffered
warning and logging trap 4
- Telnet/SSH users need to issue terminal monitor before they can see messages
- Debug options use router CPU, and the more CLI users that receive debug messages, the
more CPU is consumed
- show process cpu: for monitoring CPU
- Some installations choose to not include debug-level log messages for console/terminal
logging, requiring users to look at the logging buffer or syslog server to reduce router CPU
load
Network Time Protocol (NTP)

- NTP synchronises device's time-of-day clocks
- If routers from different time zones are not synchronised, user at syslog server may
experience problems:
- Two unsynchronised timestamps look irrelevant

- NTP allows all devices to have the same time of day, other than differences in time zone
Setting the Time and Timezone

- NTP works best if you set if set the device clock to reasonably close time before enabling
NTP client function
- clock timezone EST -5:
- EST: can be any meaningful value
- -5: UTC value
- clock summer-time EDT recurring:
- EDT: can be any meaningful value
- recurring: tells router to automatically apply daylight saving
- clock set 20:52:49 21 October 2015:
- 20:52:49: 24-hour time
- 21 October 2015: date, month, year (in that order)
- show clock lists current time
Implementing NTP Clients, Servers, and Client/Server Mode
- A real network would have 1 server and all others being clients
- NTP terms:
- ntp server address | hostname:

- Tells the router to act as an NTP client, referencing the NTP server's IP address or
hostname
- Tells router to also act as an NTP server after that router has synchronised its time
with some reliable source (e.g. NTP server)
- NTP server must be a trusted clock source:

- Purpose-built NTP servers are good sources
- ntp master tells router to act as NTP server and trust its internal clock as a good
clock source
- Multiple ntp server commands for redundancy:
- Router compares stratum level (lower = better)
- ntp master 2 > ntp master 5
- * means R1 peered with 172.16.2.2 with NTP

- show ntp status lists "unsynchronised":
- Until client synchronises with at least one server
- Never, when device is an NTP server
NTP Using a Loopback Interface for Better Availability
- If one of R4's interface fails, clients referencing that address:

- Would likely still have a route to reach R4 itself
- Would not be able to send packets to the configured address because it is down
- Loopback interfaces:
- interface loopback number
- Interface is not tied to any physical interface
- Can be assigned an IP address, routing protocols can advertise about the subnet, you
can ping/traceroute to that address
- Loopback interfaces remain up/up as long as:
- Loopback interface address can be referenced by NTP clients

Analysing Topology Using CDP and LLDP
Examining Information Learned by CDP
- CDP discovers information about neighbouring devices by listening for the advertisements
sent by other devices
- CDP discovers:
- CDP's two general roles:

1. Provide info to devices to support some function
- Cisco IP phones use CDP to learn data and voice VLAN IDs on the access switch
2. Provide info the network engineers
- show commands
- show cdp neighbors lists:

- Device ID (hostname)
- Local device's interface
- Holdtime, capability & platform
- Neighbouring device's interface
- show cdp neighbors detail lists more detail:

- Full name of switch model
- IP address on the neighbouring device
- CDP creates a security exposure, so Cisco recommends CDP being disabled on unnecessary
interfaces:
- Any switchport connected to another switch, a router, or to an IP phone should use CDP
Configuring and Verifying CDP Itself

- IOS typically enables CDP globally, and on each interface by default:
- no cdp enable/cdp enable on interfaces
- no cdp run/cdp run globally
Implementing Link Layer Discovery Protocol

- CDP: Cisco-proprietary Layer 2 protocol
- LLDP: IEEE-standard (802.1AB) Layer 2 protocol
- CDP and LLDP have similar command syntaxes:
- show cdp neighbors and show lldp neighbors have "local intf" and "port ID" columns
- lldp run: enables LLDP globally
- lldp transmit and lldp receive: enables LLDP on interfaces (configures LLDP to only
send, or only receive messages)
Chapter 34 - Device Security

Features
Securing IOS Passwords
- Best way to store passwords => AAA server
- Enable passwords:
- To enter privileged EXEC mode
- To connect via Telnet
- To connect via SSH and Telnet (username & password)
- EXTRA INFO: line vty 0 4 can be used to refer to Telnet only
Encrypting Older IOS Passwords with service password-encryption

- password command stores passwords in clear-text in configuration files, backups etc.
- service password-encryption encrypts:
- Configuration/verification:
- IOS adds encryption/encoding type of "7" - passwords encrypted with service password-
encryption command
- | section password-encryption lists the section on password
- Encoding type "0": clear-text passwords
- no service password-encryption: password remains encrypted until password is changed

- service password-encryption is not effective as the Internet has tools to decrypt
Encoding the Enable Passwords with Hashes

- Secure replacement: enable password => enable secret
Interactions Between Enable Password and Enable Secret

- Use enable secret instead of enable password
- Rules of both commands:
Making the Enable Secret Truly Secret with a Hash

- enable secret uses MD5 (Message Digest 5) by default
- IOS compares the hashed value of entered password at login to the enable secret value
- enable secret configuration/verification:
- Encoding type "5": MD5 hash of the clear-text password

- no enable secret deletes the enable secret password
- Another enable secret command overwrites the old password
- | include enable secret shows output including lines with "enable secret"
Improved Hashes for Cisco's Enable Secret

- MD5 is much easier to crack now (rainbow table)
- Two newer security hashes for passwords to router IOS images:
- SHA-256
- Scrypt
- Configuration of all three algorithm types:
- Another enable secret command with a different algorithm type it replaces any existing
enable secret command
- Encoding type "9": Scrypt | Encoding type "8": SHA-256
Hiding the Passwords for Local Usernames

- username name password pass: stores password in clear-text
- IOS allows:
- Only one username command for a given username - either a username password
OR username secret command
- A mix of commands in the same router or switch
- username password is needed when router needs to know the clear-text password for
performing authentication over serial links
Cisco Device Hardening

- Device hardening: making it more difficult for attackers to gain access to the device
Configuring Login Banners

- Banner: text that appears on the screen for the user (at login)
- Banner types:
- Console, Telnet | SSH banner orders:
- banner command default is motd

- banner command uses 'beginning delimiter character' to start and end a banner and can be
any character
Securing Unused Switch Interfaces

- Cisco recommendations to secure unused ports:
- Administratively disable the interface using shutdown
- Prevent VLAN trunking by making the port a nontrunking interface using
switchport mode access
- Assign the port to an unused VLAN using switchport access vlan number
(blackhole VLAN)
- Set the native VLAN to an unused VLAN using switchport trunk native vlan vlan-
id
- shutdown removes security exposure but others prevent any immediate problems when no
shutdown is configured
Controlling Telnet and SSH Access with ACLs

- IOS can apply ACL to inbound connections to filter host addresses
- access-class in refers to Telnet and SSH connections into this router

- access-class out filters outbound Telnet and SSH connections connecting out of the local
device to another device
- Protecting inbound connections is more important
- Standard VTY ACL for outbound connections looks at the destination IP address (the
device to which the telnet or ssh is trying to connect)
Firewalls
Typical Location and Uses of Firewalls

- Firewalls sit in the forwarding path of all packets so that the firewall can protect the whole
network
- Firewall performs packet filtering function with many more options, as well as other
security tasks
- Enterprise with Cisco Adaptive Security Appliance (ASA) firewall:
- Firewall's logic to discard/allow a packet:

- Like ACLs, match the source and destination IP address
- Like ACLs, identify applications by matching their static well-known TCP/UDP
ports
- Know what additional TCP and UDP ports are used by a particular flow, and filter
based on those ports
- Match the text in the URI of an HTTP request and match patterns to decide whether
to allow or deny the download of the web page identified by that URI
- Keep state information by storing info about each packet, and make decisions about
filtering future packets based on the historic state information (stateful inspection/
stateful firewall)
- Routers spend as little time as possible processing each packet so that they experience little
delay, whereas firewalls have stateful information used for future filtering decisions
- In a DoS attack, the attacker creates a large volume of TCP connections to the server
- Stateful firewalls can track the number of TCP connections per second and notice that the
number of requests is very large from a small number of clients and stateful firewall can start
filtering those packets
- Stateless firewall or router ACL cannot realise that a DoS attack was occurring
Security Zones
- Firewalls pay close attention to which host initiates communications by looking at the initial
TCP segments (SYN)
- When user opens web browsers, company doesn't want unauthorised hosts to connect to the
payroll server
- Security zones define which hosts can initiate new connections and firewall can place
multiple interfaces into the same one to have same rules applied
- Basic firewall rule in above security zones:

Allow hosts from zone inside to initiate connections to hosts in zone outside, for a
predefined set of safe well-known ports (e.g. HTTP)
- Firewalls typically disallow all traffic unless a rule specifically allows the packet
- Demilitarised Zone (DMZ): firewall security zone used to place servers that need to be
available for use by users in the public Internet
- Firewall needs another rule that users in zone outside can initiate connections to web servers
in the DMZ
- Enterprise can prevent Internet users from attempting to connect to internal devices in zone
inside, preventing many types of attacks
Chapter 35 - Managing IOS Files

Managing Cisco IOS Images and Upgrades
- IOS = a single file that router loads into RAM to use as its OS
The IOS File System

- File system: storage including directories, structure, filenames, with associated rules
- Cisco routers typically use flash memory (USB)
- For each physical memory device in the router, IOS creates an IFS (IOS file system)
- Disk and usbflash are the physical storage devices in that router
- IFS types:
- Opaque: logical internal file systems
- Network: external file systems found on different types of servers
- Disk: for flash
- Usbflash: for a USB flash
- NVRAM: a special type of NVRAM memory, the default location of startup-config
- Use of formal names:
- more flash0:/wotemp/fred displays content of file fred in directory /wotemp
- Use of keywords:
- show running-config refers to file system:running-config
- show startup-config refers to file nvram:startup-config
- show flash refers to default flash IFS (usually flash0:)
Upgrading IOS Images

- New IOS image can be in local physical file systems or on an external server
- Process to upgrade an IOS image into flash memory:
- Step 1: Obtain the IOS image from Cisco by downloading the IOS image from
cisco.com using HTTP or FTP
- Step 2: Place the IOS image someplace that the router can reach (TFTP/FTP servers,
USB flash drive)
- Step 3: Issue copy command from router, copying the file into the flash memory that
usually remains with the router on a permanent basis (router usually can't boot from
IOS image in USB flash drive
Copying a New IOS Image to a Local IOS File System Using TFTP
- R2 (2901) copying IOS image from TFTP server at IP address 2.2.2.1:
- copy command check questions:

1. What is the IP address or hostname of the TFTP server?
2. What is the name of the file?
3. Ask the server to learn the size of the file, and then check the local routers flash to
ask whether enough space is available for this file in flash memory
4. Does the server actually have a file by that name?
5. Do you want the router to erase any old files in flash?
- Press Enter for default answer => erases flash memory if directed => copies file => verifies
checksum
- show flash shows files in default flash file system (flash0:)

- dir flash0: lists the contents in the same file system, with similar information
- show flash lists bytes used dir lists total bytes (bytes used + bytes free)
EXTRA INFO: Components of a filename

C1900-universalk9-mz.SPA.152-4.M3.bin
C1900 The hardware this image Cisco 1900 router

runs on
universalk9 Image designation universalk9 (contains strong
encryption which can only
be used in some countries)
m Memory location - where m = RAM
the image runs
z Compression format z = zip
SPA Digital signature indicator SPA - file is digitally signed
by Cisco
15 Major release IOS Release 15
2 Minor release 2
4 Maintenance release - new 4
features
M Extended maintenance M
release
3 Maintenance rebuild 3
.bin File extension Binary executable file
Verifying IOS Code Integrity with MD5

- Cisco publishes MD5 hash value for entire IOS file
- verify /md5 command checks Cisco's hash value and router's hash value
Copying Images with FTP

- List of file transfer protocols:
- Copying files with FTP: copy ftp flash

- copy can use URI for source/destination and refers to formal name of file in IFS
- copy ftp://wendell:odom@192.168.1.170/c2900-universalk9-mz.SPA.155-2.T1.bin flash

protocol://username:password@FTP-server's-IP-address/filename
- Source (URI) and then destination flash (flash0:)
- Configuring FTP username/password so it does not have to be included in copy command:
- ip ftp username name
- ip ftp password pass
=> copy ftp://192.168.1.170/...
Copying Images with SCP
- SCP makes router be configured as SCP server and desktop computer to use SCP client to
transfer files
- SCP uses SSH to:
- Authenticate the user
- Encrypt all data transfer
- Configuring SCP server on a router:
ERRATA: username fred privilege-level 15 password barney is WRONG

Correct command => username fred privilege 15 password barney
- Privilege level 15: enable mode (highest privilege level)
- Command-line SCP file copy with scp:
- Source (second parameter) filename and destination (third parameter) full URI
- User must reload the router to start using the new IOS copied into a local IOS file system
The Cisco IOS Software Boot Sequence

- Router can have multiple IOS images available and so it picks which image to load into
RAM and use
- ROMMON (special-purpose OS) is used for password recovery, can send and receive
packets to load a new IOS, but does not route packets
- RXBOOT: very old special-purpose OS
- Four steps when router first powers on or is reloaded:
- If any of first two steps fail, call Cisco Technical Assistance Centre (TAC)
- Steps 3 and 4 are configurable:
- Step 4: Routers almost always load the configuration from NVRAM (startup-config)
The Configuration Register

- Routers use configuration register to find some settings at boot time before router loads IOS
and reads the startup-config file (16 bits, 4 hex digits)
- Console speed (default 9600bps), which IOS to load etc. can be configured in the
configuration register
- config-register sets the configuration register for the next time the router is reloaded
- config-register 0x2100: causes router to load ROMMON OS rather than IOS
- Router automatically saves config-register in startup-config
- Default configuration register: 0x2102
How a Router Chooses Which OS to Load

- Router chooses OS to load based on:
- The last hex digit in the configuration register (called boot field)
- Any boot system commands in startup-config
- Cisco represents hexadecimal values by preceding the hex digits with 0x (e.g. 0xAB)
- Process to choose which OS to load:
- boot system points to files in flash memory, filenames, IP addresses of servers, telling the
router where to look for an IOS image to load
- boot system can be configured multiple times, and each is added to end of a list
- Router tries to load IOS images in the order of the configured boot system commands
- Routers number files in flash memory, and loads the IOS file with the lowest number (first
file found in memory)
- Most routers use step 3B because default configuration register is 0x2102 and router has a
single IOS file in flash by factory default
- Routers consider one flash file system to be the default IFS to look for IOS images
- boot system commands:
- After an upgraded IOS is copied into flash, boot system needs to refer to the new file, save
the configuration and reload the router to boot to the new IOS image
Verifying the IOS Image Using the show version Command

- show version lists version of software, source from which router found the IOS image etc.
- show version lists (in order):
1. IOS version
2. Uptime (time that has passed since last reload)
3. Reason for last reload of IOS (reload, power off/on, software failure)
4. Time of last loading of IOS (if router's clock is set)
5. Source from which router loaded the current IOS
6. Amount of RAM memory
7. Number and types of interfaces
8. Amount of NVRAM memory
9. Amount of flash memory
10. Configuration register's current and future setting (if different)
Password Recovery
- If connected to the router console, anyone can reset all the passwords on the router to new
values
- Cisco refers to the topic as password recovery, but you change the password to a new value
The General Ideas Behind Cisco Password Recovery/Reset

- If router boots while ignoring initial configuration (startup-config), router has no passwords
- Ignore configuration bit (second bit, third nibble [hex digit]): if binary 1, router ignores
startup-config next time router is loaded (0x2102 => 0x2142)
- ROMMON has confreg command to set the configuration register
- Press break key at console during boot of router OR remove all flash memory
A Specific Password Reset Example

- Sample password recovery/reset on a 2901 router:
- Use copy startup-config running-config to restore the ignored startup-config and put the
configuration register value back to its normal value (usually 0x2102)
- Using copy running-config startup-config instead could result in shut down interfaces so
check and no shutdown any interfaces
Managing Configuration Files
Copying and Erasing Configuration Files
- Configuration files can be copied with TFTP, FTP or SCP or to a removable USB flash
- Centralised server is better with thousands of devices than USBs
Traditional Configuration Backup and Restore with the copy Command

- When any file is copied into the running-config file in RAM with copy, the file is added to
the old configuration, not replacing it (unless some cases)
- E.g. ip address new command will replace the old value of the address, but access-list
commands will be added to existing ACLs, creating a different configuration
- Red commands are configurations that are added

- Because of the defect of copying configurations into the running-config file, restore process
avoids using copy into running-config
- Complete process to back up and restore configurations using copy:
- Instead of copy tftp running-config, copy tftp startup-config with reload is used so that
the startup-config file is restored, and reloading the router replaces the running-config with
the startup-config, so that no defects occur
Alternatives for Configuration Backup and Restore

- Cisco's two improvements to backup and restore:
- Archive is defined by when to automatically save the configuration and where to save them
- configure replace allows user to copy a configuration archive into the running-config file
so that it completely replaces the running-config file
- The ACL and hostname configured after the archive was configured with archive config
has been removed after configure replace
Erasing Configuration Files

- Three commands to erase startup-config file in NVRAM:
- write erase (older)
- erase startup-config (older)
- erase nvram: (more recent and recommended)
- To clear out the running-config file, erase the startup-config file, then reload so that the
router loads an empty startup-config file into the running-config
Initial Configuration (Setup Mode)

- Two primary methods of giving a router/switch an initial basic configuration:
- Configuration mode
- Setup mode
- Two ways of getting into setup mode:
- If the router boots with no initial configuration, router asks if the user wants to enter
the "initial configuration dialogue" A.K.A. setup mode
- Use setup command from privileged EXEC mode
Chapter 36 - IOS License
Management
IOS Packaging
- IOS is a single file that is copied onto the flash memory on the router
IOS Images per Model, Series and per Software Version/Release

- Since the 1980s to late 2000s, Cisco created each IOS image for a particular router model,
version and release, and feature set
- Cisco needed different IOS images for different router models or router families because of
hardware differences (e.g. different processors, types of interface cards)
- Cisco needed different IOS images for each new version/release of Cisco IOS software:
- Major revisions to software => version
- Smaller changes to IOS => release
- To move to a new release/version, you need a whole new IOS file and install it
- Routers had different IOS images for each router model/model series, version/release
Original Packaging: One IOS Image per Feature Set Combination

- Feature set: a group of related IOS features (e.g. voice, security [e.g. IPS {Intrusion
Prevention System}])
- Cisco created one image for each combination of IOS feature sets
- All images have the same basic IP functions, some have additional features
- If you needed security feature, you could opt for one of the four images
- More feature sets = higher price
New IOS Packaging: One Universal Image with All Feature Sets
- Universal image has all feature sets which can be enabled later
- Universal image has all the feature sets a router model supports
IOS Software Activation with Universal Images

- Until late 2000s, Cisco permitted anyone to download any IOS image for any Cisco router
- User had to agree to the policy, and there was no mechanism to confirm that the person
installing the IOS file had the right to do so
- Customers could choose to avoid paying for new versions through Cisco service agreement
(SMARTnet)
- In the late 2000s, Cisco introduced a process that verified the rights of the user
- Cisco checks user's rights by looking at their profile which lists a company, and checks if
the company paid for a current service agreement
- User must use software activation process to unlock the feature sets in the universal image
- Three major goals for software activation process:
- Automatically enables IP Base: Router arrives from Cisco with IP base feature set
already enabled and activated (no further action required)
- Enables other feature sets: Network engineer must enable additional feature sets
- Verifies legal rights: Process checks and confirms that the customer has paid for the
right to use that feature set on that router
- IP Base is enabled already, with a license key for that feature already installed on the router
- Feature sets with the most significant set of features => technology packages:
The Future: Cisco ONE Licensing

- Removes the per-device effort to add and remove licenses
- Process just checks to see that company has rights to feature sets
- If you upgrade to a new router model, you still have the rights to use the feature set from
before, unlike the current licensing, which is tied to the hardware
Managing Software Activation with Cisco License

Manager
- Cisco License Manager (CLM) is used to manage Cisco licenses. The CLM:
- Communicates with Cisco's Product License Registration Portal over the Internet
- Takes as input information about feature licenses purchased from any Cisco reseller
- Communicates with the company's routers/switches to install license keys, enabling.
features on the correct devices
- CLM tracks the licensing information with easy-to-use GUI
Manually Activating Software Using Licenses

- You can manually do the process that CLM does for you
- Each of the same router models that support software licensing has a UDI (Unique Device
Identifier)
- UDI = PID (Product ID) + SN (Serial Number)
- show license udi shows PID, SN and UDI

- PAK (Product Authorisation Key) provides proof that you paid for a license
- License key file can be acquired by entering in the UDI and PAK at the Cisco Product
License Registration Portal
- Summary of first three steps:
- Step 1: At Cisco Product License Registration Portal (www.cisco.com/go/license),
input UDI from show license udi
- Step 2: At the same portal, type in the PAK for the license
- Step 3: Copy the license key file from the portal
- Copy license key file to USB flash drive or TFTP, FTP or HTTP server
- Summary of steps (continued)
- Step 4: Make the file available to the router via USB or some network server
- Step 5: Issue license install url | filename to install the license key file into the
router
- Step 6: Reload the router to pick up the changes
Example of Manually Activating a License
Showing the Current License Status

- R1 (2901 router) has only IP Base feature enabled:
- IP Base is enabled permanently, and Security, UC, Data licenses are listed as Not Activated
- show license lists longer status information than show version and show license feature
- show license feature lists one-line information per feature

- show version lists license information for the main technology feature packages at the end
Adding a Permanent Technology Package License

- Final steps to install the license file on router R1 which has completed Steps 1 through 4:
- Verifying status for Data feature set after reload:
Right-to-Use Licenses
- Customers who want to test a router feature before buying can enable most features for a
60-day evaluation period, after which the feature stays enabled, with no time limit
- Right-to-use license does not require a PAK and uses license boot module command
- Process to add Security feature to R1 as right-to-use evaluation license:
- After a reload, the feature set is available

- Output of show license after right-to-use license:
- "Period left" is set to 60 days, and it counts down to 0, after which it converts to a lifetime
time period
Part XI Revision
Chapter 33
Log message
Syslog server
Network Time Protocol (NTP)
NTP client
NTP Client/Server Mode
NTP Server
NTP synchronisation
CDP
LLDP
Chapter 34
Telnet
SSH
Local username
Login banner
Message of the day (MOTD)
MD5 hash
Device hardening
Chapter 35
Boot field
Configuration register
IOS image
ROMMON
Startup-config file
Running-config file
Setup mode
IOS
ROM
Flash memory
NVRAM
IOS File System (IFS)
Code integrity
Configuration archive
Secure Copy Protocol (SCP)
Chapter 36
IOS feature set
Universal image
Product Authorisation Key (PAK)
Universal Device Identifier (UDI)
Commands List
Command Mode/Submode Command Command Comma
Name Description Parameters nd
Abbrevi
ations
line Global Changes line con
console 0 configuration context to 0
mode console
configuratio
n mode
login Line (console Tells IOS to
and vty) prompt for a
configuration password.
mode
password Line (console Sets password hello
pass-value and vty) password for
configuration login if login
mode is configured
interface Global Changes interface FastEthernet 0/1 int type
type port- configuration context to port-
number mode interface number
mode
hostname Global Sets the hostname chris
name configuration switch's
mode hostname
exit Configuration Moves back
mode to next
higher
configuratio
n mode
end Configuration Exits
mode configuratio
n mode and
returns to
enable mode
from any
submodes.
Ctrl + Z Two-key = end
combination/co
nfiguration
mode
no debug Privileged Disable all
all EXEC mode currently
undebug enabled
all debugs.
reload Privileged Reboot.
EXEC mode
copy Privileged Saves active
running- EXEC mode config to
config startup-
startup- config
config
copy Privileged Merges
startup- EXEC mode startup-
config config with
running- currently
config active config
file in RAM.
show User EXEC Lists
running- mode running-
config config file.
1. write Privileged Erase the
erase EXEC mode startup-
2. erase config file.
startup-
config
3. erase
nvram:
quit User EXEC Disconnects
mode user from
CLI session.
show User EXEC Lists startup-
startup- mode config file.
config
enable User EXEC Moves user
mode to enable
mode and if
configured,
prompts for
a password.
disable Privileged Moves user
EXEC mode from enable
mode to user
mode.
configure Privileged Moves user
terminal EXEC mode into
configuratio
n mode.
show mac User EXEC Shows all

address- mode MAC table
table entries of all
types
show mac User EXEC Shows all
address- mode dynamically
table learned
dynamic MAC table
entries
show mac User EXEC Shows all show mac address-table
address- mode dynamically dynamic vlan 1
table learned
dynamic MAC table
vlan vlan- entries in
id that VLAN
show mac User EXEC Shows the show mac address-table
address- mode dynamically dynamic address
table learned 0200.2222.2222
dynamic MAC table
address entries with
MAC- that MAC
address address
show mac User EXEC Shows all show mac address-table
address- mode dynamically dynamic interface
table learned fastEthernet 0/1
dynamic MAC table
interface entries
interface id associated
with that
interface
show mac User EXEC Shows the
address- mode number of
table count entries in the
MAC table,
and the
remaining
empty slots
show mac User EXEC Shows the
address- mode global and
table per-VLAN
aging-time aging
timeout
clear mac Privileged Empties the
address- EXEC mode MAC table
table of all
dynamic dynamic
entries
show User EXEC Lists basic show
interfaces mode status and int
status operating status
information
as a single
line for each
interface
show User EXEC Displays a show interfaces f0/1 show
interfaces mode detailed set int
interface id of messages interfac
about the e id
interface
show User EXEC Lists status show interfaces f0/1 status show
interfaces mode of interface int
interface id in a single interfac
status line of e id
output status
show User EXEC Lists show interfaces f0/1 counters show
interfaces mode statistics int
interface id about interfac
counters incoming e id
and counter
outcoming s
frame on the
interfaces
line vty Privileged Changes line vty 0 15
1st-vty last- EXEC mode context to
vty vty
configuratio
n mode for
the range of
vty lines
listed
login local Console and vty Tells IOS to
configuration prompt for a
mode username
and
password, to
be checked
against local
configuratio
n
username Global Defines username chris secret cisco
name configuration username
secret pass- mode and
value password
crypto key Global Creates and crypto key generate rsa
generate configuration stores (in modulus 1024
rsa mode hidden
[modulus location in
360..2048] flash
memory)
keys
required by
SSH (at least
768-bit
required for
SSHv2)
transport Vty line Defines transport input ssh
input configuration whether
(telnet | ssh mode Telnet/SSH
| all (telnet access is
ssh) | none) allowed
interface Global Changes interface vlan 1 int vlan
vlan configuration context to number
number mode VLAN
interface
mode
ip address VLAN interface Statistically ip address 192.168.10.1
ip-address mode configures 255.255.255.0
subnet- switch's IP
mask address and
mask
ip address VLAN interface Configures
dhcp mode switch as
DHCP client
to discover
its IPv4
address,
mask &
default
gateway
ip default- Global Configures ip default-gateway
gateway configuration switch's 192.168.1.1
address mode default
gateway
IPv4 address
(if no
DHCP)
ip name- Global Configures ip name-server 192.168.1.1
server configuration IPv4
server-ip-1 mode addresses of
server-ip- DNS servers,
2 ... so any
commands
will use
DNS for
name
resolution
enable Global Sets enable enable secret cisco
secret pass- configuration mode
value mode password
history size Line Defines history size 20
length configuration number of
mode commands
held in the
history
buffer
logging Console or vty Tells IOS to
synchrono configuration send syslogs
us mode to user at
natural break
points
between
commands
[no] Global Disables/ena
logging configuration bles display
console mode of log
messages to
console
exec- Console or vty Sets the exec-timeout 3 0
timeout configuration inactivity
minutes mode timeout
[seconds]
show Privileged Lists
running- EXEC mode running-
config | config
begin line beginning
vty with the first
line that
contains the
text line vty
show dhcp Privileged Lists
lease EXEC mode information
the switch
acquires as a
DHCP client
(IP address,
subnet mask,
default
gateway)
show User EXEC Lists public
crypto key mode and shared
mypubkey key created
rsa for SSH
using crypto
key
generate rsa
show ip ssh User EXEC Lists status
mode information
for the SSH
server
show ssh User EXEC Lists status
mode information
for current
SSH
connections
into and out
of switch
show User EXEC Lists the show interfaces vlan 1 show
interfaces mode interface int vlan
vlan status, number
number switch's IPv4
address and
mask etc.
show ip Privileged Lists switch's
default- EXEC mode setting for
gateway IPv4 default
gateway
terminal User EXEC Changes terminal
history size mode length of history size 15
x history
buffer for the
current user
of the
current login
session to
switch
show User EXEC Lists the
history mode commands in
the current
history
buffer
interface Global The interface range FastEthernet

range type configuration subcommand 0/1 - 24
port- mode s that follow
number - apply to all
end-port- interfaces in
number the range
[no] Interface Disables or no shutdown
shutdown configuration enables the
mode interface
speed {10 | Interface Manually speed auto
100 | 1000 | configuration sets the
auto} mode speed of the
interface
duplex Interface Manually duplex full
{auto | full configuration sets the
| half} mode duplex of the
interface
description Interface Defines any description link to R1
text configuration information
mode text that the
engineer
wants to
track for the
interface
no duplex Interface Sets duplex
configuration to default
mode settings =
duplex auto
no speed Interface Sets speed to
configuration default
mode settings =
speed auto
no Interface Does not set
description configuration description
mode text
switchport Interface Tells the switchport mode access
mode configuration switch to be
{access | mode an access
trunk} port or a
trunk port
switchport Interface Statically switchport port-security mac-
port- configuration adds a address 0200.1111.1111
security mode specific
mac- MAC
address address as an
mac- allowed
address MAC
address on
the interface
switchport Interface Tells switch
port- configuration to learn
security mode MAC
mac- addresses on
address the interface
sticky and add
them as
secure MAC
addresses
switchport Interface Sets the switchport port-security
port- configuration maximum maximum 10
security mode number of
maximum static secure
value MAC
addresses
that can be
assigned to a
single
interface
switchport Interface Tells switch switchport port-security
port- configuration what to do if violation protect
security mode inappropriate
violation MAC
{protect | address tries
restrict | to access
shutdown} network
show Privileged Displays show running-config |
running- EXEC mode listed interface F0/2
config | interface and
interface its
type subcommand
number s in the
running-
config file
show mac Privileged Lists MAC show mac address-table
address- EXEC mode addresses secure interface G0/1
table defined or
secure learned on
[interface ports
type configured
number] with port
security
show mac Privileged Lists static show mac address-table static
address- EXEC mode MAC interface F0/4
table static addresses
[interface and
type learned/defin
number] ed MAC
addresses
with port
security
show port- Privileged Lists show port-security interface
security EXEC mode interface's GigabitEthernet 0/2
interface port security
type configuratio
number n settings
and security
operational
status
show port- Privileged Lists port
security EXEC mode security
settings for
any interface
on which is
enabled (1
per line)
switchport Interface Statically switchport access vlan 3

access vlan configuration configures
vlan-id mode the interface
into that one
VLAN
vlan vlan- Global Creates vlan 2

id configuration VLAN and
mode puts CLI into
VLAN
config mode
name vlan- VLAN Defines the name my-vlan
name configuration name of
mode VLAN
[no] VLAN Enables or no shutdown
shutdown configuration disables
mode VLAN
[no] Global Enables or no shutdown vlan 2
shutdown configuration disables
vlan vlan- mode specified
id VLAN
vtp mode Global Defines VTP vtp mode transparent
{server | configuration mode
client | mode
transparen
t | off}
switchport Interface Configures switchport mode dynamic
mode configuration trunking desirable
{access | mode administrativ
dynamic e mode on
{auto | interface
desirable} |
trunk}
switchport Interface Defines switchport trunk
trunk configuration which type encapsulation dot1q
encapsulati mode of trunking
on {dot1q | to use,
isl | assuming
negotiate} trunking is
configured/n
egotiated
switchport Interface Defines switchport trunk native vlan
trunk configuration native 1
native vlan mode VLAN for a
vlan-id trunk. port
switchport Interface Disables
nonegotiat configuration negotiation
e mode of VLAN
trunking
(DTP)
switchport Interface Defines switchport voice vlan 3
voice vlan configuration voice VLAN
vlan-id mode on a port;
switch uses
802.1Q
tagging for
frames in
this VLAN
switchport Interface Defines list switchport trunk allowed
trunk configuration of allowed vlan add 3, 4, 5
allowed mode VLANs
vlan {add |
all | except
| remove}
vlan-id
show Privileged Lists show interfaces F0/2
interfaces EXEC mode information switchport
interface-id about any
switchport interface
about
administrativ
e settings
and
operational
state
show Privileged Lists show interfaces F0/1 trunk
interfaces EXEC mode information
interface-id about all
trunk operational
trunks,
including list
of VLANs
that can be
forwarded
over trunk
show vlan Privileged Lists show vlan id 2
[brief | id EXEC mode information
vlan-id | about VLAN
name vlan-
name |
summary]
show vlan Privileged Displays show vlan 2
[vlan] EXEC mode VLAN
information
show vtp Privileged Lists VTP
status EXEC mode configuratio
n and status
information
show mac Privileged Displays the show mac address-table

address- EXEC mode MAC dynamic address
table address 0200.1111.1111
[dynamic | table; static
static] option
[address displays
hw-addr] information
[interface about
interface- restricted or
id] [vlan static
vlan-id] settings
show port- Privileged Displays show port-security interface
security. EXEC mode information f0/1
[interface about
interface- security
id] options
[address] configured
on an
interface
show Privileged Displays one
interfaces EXEC mode line per
description interface,
with two-
item status
and
configured
description
show Privileged Displays a show interfaces fastethernet
interfaces EXEC mode large variety 0/1 switchport
[type of
number] configuratio
switchport n settings
and current
operation
status e.g.
VLAN
trunking
details,
access and
voice VLAN
and native
VLAN
show Privileged Lists show interfaces f0/2 trunk
interfaces EXEC mode information
[type about
number] currently
trunk operational
trunks and
the VLAN
supported on
those trunks
show vlan Privileged Lists each
brief, show EXEC mode VLAN and
vlan interfaces
assigned to
that VLAN
but does not
include
operational
trunks
show vlan Privileged Lists both show vlan id 10
id num EXEC mode access and
trunk ports
in the VLAN
Route
r
ip address Interface Sets the ip address 192.168.1.0
address configuration router's IPv4 255.255.255.0
mask mode address and
mask
clock rate Interface Sets the clock rate 2000000
rate-in-bps configuration speed at
mode which the
router
supplies a
clocking
signal (only
when router
has DCE
cable)
bandwidth Interface Sets the bandwidth 128
rate-in- configuration speed at
kbps mode which router
considers the
interface to
operate (not
the physical
speed)
show ip EXEC mode Lists IP
interface address, line
brief and protocol
status,
method with
which the
address was
configured
for each
interface per
line (manual
| DHCP)
show EXEC mode Lists show protocols f0/2
protocols information
[type about
number] interface(s),
including IP
address,
mask,
line/protocol
status
show EXEC mode Lists many show controllers f0/2
controllers lines of
[type information
number] per interface
interface Interface Creates and interface g0/0.10

type configuration enters
number.sub mode subinterface
int configuratio
n mode
encapsulati Subinterface Tells router encapsulation dot1q 10 native
on dot1q configuration to use
vlan-id mode 802.1Q
[native] trunking for
a particular
VLAN, and
with native
keyword, to
make that
VLAN a
native
VLAN
encapsulati Subinterface Tells router encapsulation isl 10
on isl vlan- configuration to use ISL
identifier mode trunking for
a particular
VLAN
sdm prefer Global Enables the
lanbase- configuration switch to
routing mode (Layer 3 support IP
switch) routing if
configured
[no] ip Global Enables or no ip routing
routing configuration disables IPv4
mode (Layer 3 routing
switch)
ip route Global Creates a ip route 192.168.1.0
prefix mask configuration static route 255.255.255.0 192.168.2.1 130
{ip-address mode permanent
| interface-
type
interface-
number}
[distance]
[permanen
t]
show ip EXEC mode Lists router's
route entire
routing table
show ip EXEC mode Lists a show ip route static
route subset of the
[connected IP routing
| static | table
rip]
show ip EXEC mode Lists detailed show ip route 192.168.2.3
route ip- information
address about route
that a router
matches for
listed IP
address
show vlans EXEC mode Lists VLAN
configuratio
n and
statistics for
VLAN
trunks
configured
on routers
show arp, EXEC mode Lists router's
show ip IPv4 ARP
arp table
clear ip Privileged Removes clear ip arp 192.168.1.2
arp [ip- EXEC mode dynamically
address] learned ARP
table entries
router rip Global Moves user

configuration into RIP
mode configuratio
n mode
network RIP Enables RIP network 192.168.2.0
network- configuration on all of that
number mode router's
interface in
that classful
network
version 2 RIP Sets RIP
configuration version to 2
mode
passive- RIP Changes
interface configuration default
default mode setting on
RIP-enabled
interfaces to
be passive
passive- RIP Tells RIP to passive-interface f0/1
interface configuration no longer
{interface- mode advertise
type RIP updates
interface- on listed
number} interface
[no] auto- RIP Toggles no auto-summary
summary configuration autosummari
mode sation
feature of
RIP
maximum- RIP Sets number maximum-paths 2
paths configuration of equal-
number mode metric routes
for same
subnet that
RIP will add
to IP routing
table
default- RIP Tells RIP to
informatio configuration advertise a
n originate mode default route
(0.0.0.0/0), if
the local
router has a
default route
in its routing
table already
ip address Interface Causes
dhcp configuration interface to
mode learn IPv4
address and
dynamically
learn a
default route
that uses
DHCP-
announced
default
gateway
address as
next-hop IP
address in a
static route
show ip EXEC mode Lists routing show ip route rip
route [rip] table
including, or
just, RIP-
learned
routes
show ip EXEC mode Lists
protocols information
about RIP
configuratio
n, IP
addresses of
neighbouring
RIP routers
from which
the local
router has
learned
routes
show ip rip EXEC mode Lists IP
database address and
interface
status
ip dhcp Global Reserves a ip dhcp excluded-address

excluded- configuration range of 192.168.1.1 192.168.1.50
address mode addresses
first last that DHCP
cannot lease
out
ip dhcp Global Creates a ip dhcp pool mysubnet
pool pool- configuration pool, by
name mode name, and
moves user
to DHCP
server pool
configuratio
n mode
network DHCP server Defines a network 192.168.1.0 /24
subnet-id pool network or
{ddn-mask | configuration subnet
prefix- mode causing
length } DHCP to
lease out IP
addresses in
that subnet
default- DHCP server Defines one default-router 192.168.1.1
router pool or more
address1 configuration routers as
address2... mode default
routers for
clients
dns-server DHCP server Defines the dns-server 10.0.1.1
address1 pool list of DNS
address2... configuration servers for
mode clients
lease {days DHCP server Defines the lease 1 12 0
[hours pool length of
[minutes]] | configuration time for a
infinite} mode DHCP lease
for clients
ip helper- Interface Tells the ip helper-address 192.168.2.1
address IP- configuration router to
address mode notice local
subnet
broadcasts
that use UDP
and change
the
source/destin
ation IP
address
(DHCP relay
agent)
dhcp currently
binding leased IP
addresses on
a DHCP
server with
client IDs
and lease
time
show ip EXEC mode Lists show ip dhcp pool mysubnet
dhcp pool configured
name range of
addresses in
pool with
usage
statistics and
high/low-
water marks
(high
limit/low
limit)
dhcp statistics
server about
statistics requests
served by
DHCP server
show ip EXEC mode Lists IP
dhcp addresses
conflict that the
DHCP server
found were
already in
use when
server tried
to lease that
address to a
host
clear ip Privileged Removes all
dhcp EXEC mode entries from
conflict the DHCP
server's
conflict list
ipconfig Host Lists IP
settings for
NIC
netstat -rn Host Lists host's
routing table
arp -a Host Lists host's
ARP table
[no] ip Global Allows/prev no ip subnet-zero

subnet- configuration ents
zero mode configuratio
n of
addresses in
the zero
subnet
Chapter 25
access-list Global Defines access-list 1 permit
access-list- configuration standard 192.168.1.0 0.0.0.255 log
number mode numbered
{deny | access lists
permit} (1-99 or
source 1300-1999)
[source-
wildcard]
[log]
access-list Global Defines a access-list 10 remark Filter
access-list- configuration remark that packets from server S1
number mode helps you
remark remember
text what the
ACL is
supposed to
do
ip access- Interface Enable ip access-group 2 out
group configuration inbound/outb
number {in mode ound access-
| out} lists on
interface
show ip EXEC mode Includes show ip interface f0/1
interface reference to
[type the access
number] lists enabled
on the
interface
(inbound/out
bound)
show EXEC mode Shows show access-lists 21
access-lists details of
[access-list- configured
number | access lists
access-list- for all
name] protocols
show ip EXEC mode Shows IP show ip access-lists 10
access-lists access lists
[access-list-
number |
access-list-
name]
Chapter 26
access-list Global Global access-list 101 permit tcp
access-list- configuration command for 192.168.1.0 0.0.0.255 host
number mode extended 192.168.2.20 log
{deny | numbered
permit} access-list
protocol configuratio
source ns
source-
wildcard
destination
destination-
wildcard
[log]
access-list Global Version of access-list 101 permit tcp
access-list- configuration access-list 192.168.1.0 0.0.0.255 lt 1024
number mode global 10.1.1.0 0.0.0.255 eq www log
{deny | command
permit} with TCP-
tcp source specific
source- parameters
wildcard
[operator
[port]]
destination
destination-
wildcard
[operator
[port]] [log]
access-list Global Defines a access-list 124 remark filter
access-list- configuration remark that host A's packets
number mode helps you
remark remember
text what the
ACL is
supposed to
do
ip access- Interface Interface ip access-group 2 out
group configuration subcommand
{number | mode to enable
name [in | access lists
out]} either
inbound or
outbound
access- Line Line access-class ACL-B in
class configuration subcommand
{number | mode to enable
name} [in | either
out] standard or
extended
access lists
on vty lines
ip access- Global Global ip access-list extended
list configuration command to myACL
{standard | mode configure
extended} named
name standard or
extended
ACL and
enter ACL
configuratio
n mode
{deny | ACL ACL mode deny 10.1.1.0 0.0.0.3
permit} configuration subcommand
source mode to configure
[source matching
wildcard] details and
[log] action for
standard
named ACL
{deny | ACL ACL mode deny icmp host 10.0.0.1
permit} configuration subcommand 172.16.0.0 0.0.255.255
protocol mode to configure
source the matching
source- details and
wildcard action for an
destination extended
destination- named ACL
wildcard
[log]
{deny | ACL ACL mode permit tcp any host
permit} configuration subcommand 192.168.1.1 eq telnet
tcp source mode to configure
source- the matching
wildcard details and
[operator action for a
[port]] named ACL
destination that matches
destination- TCP
wildcard segments
[operator
[port]] [log]
remark ACL ACL mode remark filter packets from R1
text configuration subcommand
mode to configure
a description
of a named
ACL
show ip User EXEC Includes a show ip interface f1/1
interface mode reference to
[type access lists
number] enabled on
the interface
show EXEC mode Shows show access-lists ACL-C
access-lists details of
[access-list- configured
number | access lists
access-list- for all
name] protocols
show ip EXEC mode Shows IP show ip access-lists 105
access-lists access lists
[access-list-
number |
access-list-
name]
Chapter 27
ip nat Interface Enables ip nat inside
{inside | configuration NAT and
outside} mode identifies
whether the
interfaces is
in the inside
or outside of
the network
ip nat Global Enables ip nat inside source list 1 pool
inside configuration NAT my-pool overload
source {list mode globally,
{access- referencing
list-number the ACL that
| access- defines
list-name}} which source
{interface addresses to
type NAT, and
number | the interface
pool pool- or pool from
name} which to find
[overload] global
addresses
ip nat pool Global Defines a ip nat pool my-pool 200.1.1.1
name start- configuration pool of NAT 200.1.1.10 netmask
ip end-ip mode addresses 255.255.255.240
{netmask
netmask |
prefix-
length
prefix-
length}
ip nat Global Lists the ip nat inside source static
inside configuration inside and 192.168.1.1 200.1.1.1
source mode outside
static address (or
inside-local interface) to
inside- be paired
global and added to
the NAT
translation
table
nat counters for
statistics packets and
NAT table
entries as
well as basic
configuratio
n
information
show ip EXEC mode Displays the show ip nat translations
nat NAT table verbose
translation
s [verbose]
clear ip nat EXEC mode Clears all or clear ip nat translation inside
translation some of the 200.1.1.1 192.168.1.1
{* | [inside dynamic
global-ip entries in the
local-ip] NAT table
[outside depending
local-ip on which
global-ip]} parameters
are used
clear ip nat EXEC mode Clears some clear ip nat translation tcp
translation of the inside 200.1.1.1 1030 10.1.1.1
protocol dynamic 1024
inside entries in the
global-ip NAT table,
global-port depending
local-ip on which
local-port parameters
[outside are used
local-ip
global-ip]
debug ip EXEC mode Issues a log
nat message
describing
each packet
whose IP
address is
translated
with NAT
Chapter 30
ipv6 Global Enables IPv6
unicast- configuration routing
routing mode globally on
the router
ipv6 Interface Manually ipv6 address 2001:1:1:1::/64
address configuration configures eui-64
ipv6- mode either the
address/pre entire
fix-length interface
[eui-64] IPv6
address, or a
/64 prefix
with the
router
building the
EUI-64
format
interface ID
automaticall
y
ipv6 Interface Manually ipv6 address
address configuration configures 2001:2:3:4:5:6:7:8ABC/128
ipv6- mode an address to anycast
address/pre be used as an
fix-length anycast
[anycast] address
ipv6 enable Interface Enables IPv6
configuration on an
mode interface and
generates a
link-local
address
ipv6 Interface Enables IPv6
address configuration on an
dhcp mode interface,
causes the
router to use
DHCP client
processes to
try to lease
an IPv6
address, and
creates a
link-local
address for
the interface
show ipv6 EXEC mode Lists IPv6 show ipv6 route connected
route routes, or
[connected just the
] [local] connected
routes, or
just the local
routes
show ipv6 EXEC mode Lists IPv6 show ipv6 interface g0/0
interface settings on
[type an interface,
number] including
link-local
and other
unicast IP
addresses
(e.g. anycast)
show ipv6 EXEC mode Lists show ipv6 interface brief s2/0
interface interface
brief [type status and
number] IPv6
addresses for
each
interface
Chapter 31
ipv6 dhcp Interface Enables IPv6 ipv6 dhcp relay destination
relay configuration DHCP relay 200.1.1.1
destination mode agent
server-
address
ping {host- EXEC mode Tests IPv6 ping
name | routes by 2000:A:B:C:0:22FF:FE22:222
ipv6- sending 2
address} ICMP packet
to the
destination
host
traceroute EXEC mode Tests IPv6 traceroute
{host-name routes by 2001::1:300:33FF:FE33:3333
| ipv6- discovering
address} the IP
addresses of
the routes
between a
router and
the listed
destination
show ipv6 EXEC mode Lists the
neighbors router's IPv6
neighbour
table
show ipv6 EXEC mode Lists any
routers neighbouring
routers that
advertised
themselves
through an
NDP RA
message
ipconfig / Host Lists ifconfig [Mac]
ifconfig / interface
ifconfig settings,
including
IPv4 and
IPv6
addresses
ping / Host Tests IP ping6 2001::A:B:C:D [Mac]
ping6 / routes by
ping6 sending
ICMPv6
packet to
destination
host
tracert / Host Tests IP traceroute6 2001::D:C:B:1
traceroute routes by [Mac]
6/ discovering.
traceroute the IPv6
6 addresses of
the routes
between a
router and
destination
netsh Host Lists a host's netsh interface ipv6 show
interface IPv6 neighbors [Windows]
ipv6 show neighbour
neighbors / table
ndp -an /
ip -6
neighbor
show
Chapter 32
ipv6 route Global Defines an ipv6 route 2000:db8:1:2::/64
prefix/lengt configuration IPv6 static 2000:db8:1:2::1
h next-hop- mode route to a
address next-hop
router IPv6
address
prefix/lengt configuration IPv6 static s2/0
h outgoing- mode route, with
interface local router's
outgoing
interface
prefix/lengt configuration IPv6 static s2/0 fe80::200:22ff:fe22:0
h next-hop- mode route, with
address both the
outgoing- next-hop
interface address and
local router
outgoing
interface
listed
ipv6 Global Defines a ipv6 route ::/0 g0/1
route ::/0 configuration default IPv6
{[next-hop- mode static route
address]
[outgoing-
interface]}
ipv6 Interface Tells the ipv6 address autoconfig
address configuration router to use default
mode SLAAC to
autoconfig find/build its
[default] own
interface
IPv6
address, and
to add a
default route
with a next
hop of the
router that
responds
with the RA
message
show ipv6 Privileged Lists routes show ipv6 route static
route EXEC mode in the
[connected routing table
| local |
static]
show ipv6 Privileged Displays show ipv6 route
route EXEC mode detailed 2000:db8:1:2::2
address information
about the
route this
router uses
to forward
packets to
the IPv6
address
Chapter 33
[no] Global Enables/disa no logging console
logging configuration bles logging
console mode to the
console
device
[no] Global Enables/disa no logging monitor
monitor mode to users
connected to
the device
with SSH or
Telnet
[no] Global Enables/disa no logging buffered
buffered mode to an internal
buffer
logging Global Enables logging host 172.16.1.9
[host] ip- configuration logging to a
address | mode syslog server
hostname
logging Global Sets the log logging console notification
console configuration message
level-name | mode level for
level- console log
number messages
logging Global Sets the log logging monitor 7

monitor configuration message
level-name | mode level for log
level- messages
number sent to SSH
and Telnet
users
logging Global Sets the log logging buffered critical
buffered configuration message
level-name | mode level for
level- buffered log
number messages
logging Global Sets the log logging trap 4
trap level- configuration message
name | mode level for
level- messages
number sent to
syslog
servers
[no] Global Enables/disa no service timestamps
service configuration bles the use
timestamp mode of
s timestamps
[no] Global Enables/disa no service sequence-numbers
service configuration bles the use
sequence- mode of sequence
numbers numbers in
log messages
clock Global Names a clock timezone AEST +10
timezone configuration timezone and
name +- mode defines the
number +/- offset
versus UTC
clock Global Names a clock summertime AEST-
summerti configuration daylight daylight-savings recurring
me name mode savings time
recurring for a
timezone and
tells IOS to
adjust the
clock
automaticall
y
ntp server Global Configures ntp server 203.15.16.7
address | configuration the device as
hostname mode an NTP
client by
referring to
the address
or name of
an NTP
server
ntp master Global Configures ntp master 4
stratum- configuration the device as
level mode an NTP
server and
assigns its
local clock
stratum level
ntp source Global Tells NTP to ntp source g0/2
name/numb configuration use the listed
er mode interface for
the source IP
address for
NTP
messages
interface Global Creates a interface loopback 0
loopback configuration loopback
number mode interface and
moves the
user into
interface
configuratio
n mode
[no] cdp Global Enables/disa no cdp run
run configuration bles CDP for
mode the entire
switch/router
[no] cdp Interface Enables/disa no cdp enable
enable configuration bles CDP for
mode a particular
interface
[no] lldp Global Enables/disa no lldp run
run configuration bles LLDP
mode for the entire
switch or
router
[no] lldp Interface Enables/disa no lldp transmit
transmit configuration bles
mode transmission
of LLDP
messages on
the interface
[no] lldp Interface Enables/disa no lldp receive
receive configuration bles
mode processing of
received
LLDP
messages on
the interface
show EXEC mode Lists current
logging logging
configuratio
n, and lists
buffered log
messages at
the end
terminal Privileged For a terminal no monitor
[no] EXEC mode Telnet/SSH
monitor session,
toggles
on/off the
receipt of log
messages,
for that one
session
(logging
monitor
needs to be
configured)
[no] debug EXEC mode Enables/disa no debug ip nat
{various} bles one of a
multitude of
debug
options
show clock EXEC mode Lists time-
of-day and
date per the
local device
show ntp EXEC mode Shows all
association NTP clients
s and servers
with which
the local
device is
attempting to
synchronise
with NTP
show ntp EXEC mode Shows
status current NTP
client status
in detail
show EXEC mode Shows show interfaces loopback 2
interfaces current status
loopback of the listed
number loopback
interface
show cdp | EXEC mode Lists one show cdp neighbors g0/1
lldp summary
neighbors line of info
[type about each
number] neighbour
show cdp | EXEC mode Lists one show lldp neighbors detail
lldp large set of
neighbors info (~15
detail lines) for
every
neighbour
show cdp | EXEC mode Displays show cdp entry SW1
lldp entry detailed info
name but only for
the named
neighbour
show cdp | EXEC mode States show lldp
lldp whether
CDP/LLDP
is enabled
globally, and
lists the
default
update and
holdtime
timers
show cdp | EXEC mode States show cdp interface f0/2
lldp whether
interface CDP/LLDP
[type is enabled on
number] each
interface, or
a single
interface
show cdp | EXEC mode Displays show lldp traffic
lldp traffic global
statistics for
the number
of
CDP/LLDP
advertisemen
ts
sent/received
Chapter 34
line Configuration Changes the
console 0 mode context to
console
configuratio
n mode
line vty Configuration Changes the line vty 0 15
1st-vty last- mode context to
vty vty
configuratio
n mode for
the range of
vty lines
listed in the
command
login Console line Tells IOS to
mode and vty password
line
configuration
mode
password Console line Lists the password mypass1
pass-value configuration password
mode and vty required if
line the login
configuration command is
mode configured
login local Console line Tells IOS to
mode and vty username
line and
configuration password, to
mode be compared
against
locally
configured
username
username Global Defines one username chris secret
name configuration of possibly pass1234
secret pass- mode multiple
value usernames
and
associated
passwords,
stored as a
hashed value
username Global Defines a username admin password
name configuration username subnet255
password mode and
pass-value password,
stored in
clear text in
the
configuratio
n by default
crypto key Global Creates and crypto key generate rsa
generate configuration stores (in a modulus 1024
rsa mode hidden
[modulus location in
512 | 768 | flash
1024] memory) the
keys
required by
SSH
transport Vty line Defines transport input all
input configuration whether
{telnet | mode Telnet and/or
ssh | all | SSH access
none} is allowed
into this
switch
[no] Global Encrypts/dis no service password-
service configuration ables all encryption
password- mode clear-text
encryption passwords in
the running-
config
enable Global Creates the enable secret thisishashed
secret pass- configuration enable
value mode password,
stored as a
hashed value
enable Global Creates the enable password
password configuration enable thisisnothashed
pass-value mode password,
stored as a
clear text
enable Global Create enable algorithm-type sha-
[algorithm configuration enable 256 secret
-type md5 | mode password, thisissha256encrypted
sha-256 | stored as a
scrypt] hashed value
secret pass- defined by
value the algorithm
type
no enable Global Deletes the
secret configuration enable
mode secret
command
no enable Global Deletes the
password configuration enable
mode password
command
banner Global Defines a banner exec #
[motd | configuration banner that Hosts in subnet 10.1.1.0/24
exec | mode is displayed needs to be configured with
login] at different DHCP #
delimiter times when
banner-text users log in
delimiter to the
switch/router
shutdown Interface Disables the

configuration interface
mode
switchport Switch interface Makes the
mode configuration switch act as
access mode an access
port and not
as a trunk
port
switchport Switch interface Defines the switchport access vlan 99
access vlan configuration switch's
number mode access
VLAN ID
switchport Switch interface Defines the switchport trunk native vlan
trunk configuration switch's 999
native vlan mode native
number VLAN ID
used when
trunking
no cdp Interface Disables
enable configuration CDP on that
mode interface
no cdp run Global Disables
configuration CDP
mode globally
access- Vty line Enables access-class 5 in
class configuration inbound
number | mode ACL checks
name in against
Telnet/SSH
clients
connecting
to the router
show Privileged Lists vty
running- EXEC mode lines and
config subcommand
| section s from the
vty configuratio
n
show Privileged Lists the
running- EXEC mode console and
config | subcommand
section con s from the
configuratio
n
show Privileged Lists all lines
running- EXEC mode in the
config | configuratio
include n with the
enable word
"enable"
Chapter 35
config- Global Sets the config-register 0x2100
register configuration hexadecimal
value mode value of the
configuratio
n register
boot Global Identifies an boot system
system configuration externally ftp://user:pass@192.168.1.190/
{file-uri | mode located IOS copy-of-new-ios-image
filename} image using
a URI
boot Global Identifies the boot system flash
system configuration location of flash0:upgraded-ios-15-4
flash mode an IOS
[flash-fs:] image in
[filename] flash
memory
boot Global Identifies an boot system ftp ios-v15-4
system configuration external 192.168.1.180
{tftp | ftp} mode server,
filename protocol, and
[ip- filename to
address] use to load
an IOS from
an external
server
archive Global Moves the
configuration user into
mode
archive
mode
write- Archive mode Tells the
memory router to
archive the
configuratio
n each time
the
configuratio
n is saved to
startup-
config
time- Archive mode Defines the time-period 1440
period time between
minutes the
automatic
creation of a
new
configuratio
n archive
path uri Archive mode Defines path
where to ftp://cs:cisco@192.168.1.170/
store
configuratio
ns
ip ftp Global Defines the ip ftp username cs
username configuration username
name mode used when
referencing
the ftp: IFS
but not
supplying a
username
ip ftp Global Defines the ip ftp password cisco
password configuration password
pass mode used when
referencing
the ftp: IFS
but not
supplying a
password
username Global Defines a username cs privilege 15
name configuration username secret cisco
privilege mode useful to
15 secret SCP with a
pass privilege
level that
enables SCP
file transfers
reload
copy from- copy tftp flash
location to-
location
copy
running-
config
startup-
config
copy
startup-
config
running-
config
show
running-
config
write erase
erase
startup-
config
erase
nvram:
setup
show flash
dir dir usbflash0:
filesystem:
dir dir flash0:archived-config1
filesystem:d
irectory
verify verify /md5 flash0:new-ios-
/md5 image 84hIHGswiiuri
filesystem:n
ame [MD5-
hash]
archive
config
configure configure replace flash0:new-
replace running-config
filesystem:n
ame
confreg ROMMON OS Defines the confreg 0x2142
value configuratio
n register
while in
ROMMON
OS
Chapter 36
license Global Adds a right- license boot module c2900
boot configuration to-use technology-package
module mode license to a securityk9
c2900 router
technology
-package
package-
name
show EXEC mode Displays a
license group of
lines for
each feature
in the
currently
running IOS
image, along
with several
status
variable
related to
software
activation
and
licensing,
and
activation
status
show EXEC mode Displays one
license line for each
feature feature in the
currently
running IOS
image, along
with several
status
variable
related to
software
activation
and
licensing,
and
activation
status
show EXEC mode Displays the
license udi UDI of the
router
dir EXEC mode Displays the dir usbflash1:
filesystem files inside
the listed file
system
show EXEC mode Displays
version various
information
about the
current IOS
version,
including the
licensing
details at the
end
license EXEC mode Installs a license install
install url license key usbflash0:FTX1628838P_2013
file into a 02111432454180.lic
router
Troubleshooting Checklist
Cable Issue:
- Cables may experience EMIs from nearby electrical devices
- Cables bent too sharply (macrobending), or pressed by too much force could
damage cables
- Use the appropriate cabling type:
- Straight-through for connecting different devices (PC to switch)
- Crossover for connecting same devices (switch to switch)
- Rollover for connecting PC to devices (PC to console port)
- Serial cable for connecting point-to-point WAN routers
- Consider:
- Cable's supported speed
- Cable's maximum distance supported between two devices
- Cost and availability of type of cabling
Interface Issue:
- Use show ip interfaces brief or show interfaces status
- If interface is administratively down/down:
- For routers, use no shutdown if interface has never been configured, or
shutdown command has been configured
- If interface is down/down:
- Switch port-security shutdown mode may be in effect
=> shutdown and then no shutdown puts interface back to secure-up state
pg257
Configuration Checklist
SWITCH
Configuring simple password security (171)
for console
for vty
for privileged EXEC mode access
Configuring local username/password security
for console/vty
Configuring SSH (178)
hostname R1
ip domain-name cisco.com
crypto key generate rsa modulus 1024
(ip ssh version 2)
username cisco secret cisco
login local
(transport input ssh)
Configuring IPv4 for a switch(182)
interface vlan 10
ip address 192.168.1.2 255.255.255.0
ip default-gateway 192.168.1.1
ip name-server 172.16.1.8
Configuring DHCP for a switch (183)
ip address dhcp
Configuring miscellaneous settings (184)
exec-timeout 5 0
logging synchronous
no ip domain-lookup
Configuring speed, duplex and description (193)
speed 1000
duplex auto
description connected to R1
Configuring port-security (203)
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address 0200.0000.2222
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0100.0000.1111
switchport port-security violation restrict
Configuring VLANs (253)
vlan 10
name myvlan
switchport access vlan 10
Configuring VLAN trunking (258)
switchport mode trunk
Configuring IP phone VLANs (265)
switchport voice vlan 20
ROUTER
Installing enterprise routers (388)
Installing Internet access routers (389)
Configuring IPv4 Addresses on Cisco routers (395)
ip address 192.168.1.1 255.255.255.0
Configuring clock rate (397)
clock rate 2000000
Configuring 802.1Q (417)
interface g0/0.10
encapsulation dot1q 10
Configuring native VLANs (419)
interface g0/0.20
encapsulation dot1q 20 native
Configuring routing to VLANs using a Layer 3 switch (421)
sdm prefer lanbase-routing
ip routing
interface vlan 15
ip address 192.168.2.3 255.255.255.128
no shutdown
Configuring static routes (423)
ip route 192.168.1.0 255.255.255.0 s2/0
ip route 192.168.2.0 255.255.255.0 192.168.2.1
Configuring static host routes (424)
ip route 192.168.2.5 255.255.255.255 f0/0
ip route 192.168.4.2 255.255.255.255 192.168.2.1
Configuring permanent static routes (425)
ip route 192.168.1.0 255.255.255.0 192.168.3.1 permanent
Configuring floating static routes (426)
ip route 10.0.1.0 255.255.255.0 s3/0 114
Configuring static default routes (428)
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Configuring RIPv2 (444)
router rip
version 2
network 10.0.0.0
Configuring RIPv2 passive-interfaces (457)
passive-interface s2/0
passive-interface default
no passive-interface s3/0
Configuring RIPv2 auto-summary and maximum-paths (458)
no auto-summary
maximum-paths 2
Configuring RIPv2 default route advertising (459)
default-information originate
Configuring router DHCP client (461)
ip address dhcp
Configuring DHCP relay (475)
ip helper-address 172.31.200.2
Configuring IOS DHCP server (478)
ip excluded-address 192.168.1.1
ip dhcp pool mypool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.2.2
next-server 192.168.3.2
domain-name cisco.com
lease 0 6 0
Configuring zero subnets (514)
ip subnet-zero
Configuring VLSM (531)
ip address 192.168.1.1 255.255.255.128
ip address 192.168.1.128 255.255.255.192
Configuring standard numbered IP ACLs (603)
access-list 10 permit 10.0.0.0 0.255.255.255 log
access-list 10 deny any
ip access-class 10 out
Configuring extended numbered IP ACLs (621)
access-list 100 deny tcp 10.0.0.0 0.0.255.255 eq 80 192.168.1.0
0.0.0.127 gt 1023 log-input
ip access-group 100 in
Configuring named IP ACLs (626)
ip access-list standard test
5 permit 172.16.1.0 0.0.0.63
Configuring new-style numbered ACLs (627)
ip access-list extended 120
no 30
Configuring static NAT (653)
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.2 200.1.1.2
Configuring dynamic NAT (655)
ip nat inside
ip nat outside
ip nat pool test1 200.1.1.1 200.1.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool test1
Configuring NAT overload (PAT) (660)
ip nat inside
ip nat outside
ip nat inside source list 2 interface s2/0 overload
IPv6
Configuring static IPv6 unicast addresses (707)
ipv6 address FD00::1/64
Configuring IPv6 Routing (708)
ipv6 unicast-routing
ipv6 enable
Configuring static IPv6 unicast addresses with modified EUI-64 (714)
ipv6 address 2001:2:3:4::/64 eui-64
Configuring dynamic IPv6 unicast addresses (715)
ipv6 address dhcp
ipv6 address autoconfig
Configuring IPv6 link local addresses (718)
ipv6 enable
ipv6 address 2001::2/64
ipv6 address fe80::10 link-local
Configuring IPv6 anycast addresses (722)
ipv6 address 2001::3/128 anycast
Configuring various IPv6 address types (724)
Configuring DHCPv6 relay agents (738)
Configuring IPv6 static routes:
With outgoing interface (757)
With global unicast next-hop address (758)
With link-local next-hop address (759)
Configuring IPv6 static default routes (761)
ipv6 route ::/0 2001::11
Configuring IPv6 static host routes (762)
ipv6 route 2001:db8:1111:4::2/128 s3/0
Configuring IPv6 floating static routes (763)
ipv6 route 2001:db8:1:2::/64 g0/1 fe80::0200:00ff:fe00:2222 100
Configuring IPv6 default routes with SLAAC (764)
ipv6 address autoconfig default
INFRASTRUCTURE MANAGEMENT
Configuring syslog
for console users (780)
logging console 5
for Telnet/SSH users (781)
logging monitor 3
terminal monitor
to store messages in RAM (781)
logging buffered 2
to store messages in syslog server (781)
logging host 160.1.1.3
logging trap 7
timestamps and sequence numbers (782)
no service timestamps
service sequence-numbers
logging message levels (783)
Configuring NTP
clock (time and timezone) (788)
clock timezone AEST -10
clock summer-time SAEST recurring
clock set 22:08:28 22 January 2019
client/server (790)
ntp server 170.1.1.1
ntp master 5
with loopback interface (792)
interface loopback 0
ntp source loopback 0
Configuring CDP globally and on interfaces (796)
no cdp run
no cdp enable
Configuring LLDP globally and on interfaces (799)
no lldp run
no lldp transmit
no lldp receive
Configuring login security (804)
Configuring service password-encryption (805)
service password-encryption
Configuring password encryption
with MD5 (807)
enable secret cisco
with SHA-256 and scrypt (809)
enable algorithm-type sha-256 secret cisco
enable algorithm-type scrypt secret cisco
for usernames (810)
username jack secret cisco
Configuring login banners (812)
banner M Maintenance tonight M
banner login # Unauthorised access prohibited #
banner exec ! Welcome !
Configuring security for unused switch interfaces (812)
shutdown
switchport trunk native vlan 99
Configuring inbound/outbound ACLs for Telnet and SSH (813)
access-list 1 deny 192.168.1.1
access-list 1 permit any
access-class 1 out
Upgrading IOS images (824)
Copying images with FTP (828)
copy ftp://jack:cisco@192.168.1.1/new-ios-image flash
Copying images with SCP (829)
[SSH is enabled]
username jack privilege 15 secret cisco
ip scp server enable
Client:
scp new-ios-file.bin jack@192.168.2.1:flash0:new-ios-file.bin
Configuring the configuration register (831)
config-register 0x2101
Configuring the boot system (833)
boot system tftp new-ios-version.bin 10.1.1.1
Configuring password recovery/reset (837)
Boot ROMMON
confreg 0x2142
reset
Copying files to USB flash (839)
copy running-config usbflash0:backup-running-config
Backing up and restoring configurations (840)
copy running-config tftp
copy tftp startup-config
reload
Configuring configuration archives (841)
archive
path ftp://jack:cisco@192.168.1.1/
time-period 2880
write-memory
archive config
Restoring configuration archives (842)
config replace ftp://jack:cisco@192.168.1.1/-Oct-24-09-46.165-2
Erasing configuration files (843)
write erase
erase startup-config
erase nvram:
Configuring at setup mode (843)
setup
Configuring manual license activation (856)
license install usbflash1:license-key-file.lic
Configuring right-to-use licenses (861)
license boot module c2900 technology-package securityk9
RFC LIST
Verification checklist
no
interface range
line aux 0

Ccna Icnd1 Study Notes

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Ccna Icnd1 Study Notes

Caricato da

Copyright:

Formati disponibili

Cisco Certified Entry Network Technician

Interconnecting Cisco Network Devices Part 1 Version 3

Step 1: Send GET request

TCP error recovery:

Sender: Application/Transport Layers

IP header: Source address (1.1.1.1), Destination address (2.2.2.2)

TCP/IP Link Layer:

- WAN standards: PPP, Frame relay

TCP/IP Model and Terminology:

Segment: Headers defined by the Transport layer and data encapsulated

Open Systems Interconnect Transmission Control Transmission Control

OSI Reference Model Layer Descriptions

OSI Reference Model: Device and Protocol Examples

Benefits of Layered models:

OSI Encapsulation Terminology

OSI >> Protocol Data Unit (PDU)

- PC >> Switch >> Distribution Switch (SWD) >> Router

- Two wires inside a single UTP cable.

- Components: Cable + connectors on each end + matching ports

- Has swappable transceivers/port hardware.

UTP Cabling Pinouts for 10BASE-T and 100BASE-T

Straight-Through Cable Pinout

- Pin 1 to Pin 1, Pin 2 to Pin 2, Pin 3 to Pin 3, Pin 6 to Pin 6

Crossover cable: If the endpoints transmit on the same pin pair.

- Straight-through Cables: PCs to Switches (e.g. PC to SW11)

Media Access Control (MAC) addresses:

MAC Address Assignment:

Error Detection with FCS

- Connection to hub requires a Half Duplex setting.

- Similar to Ethernet crossover cables connecting two routers (full duplex)

- CO: Central offices - Telcos put equipment in COs

Building a WAN Link in a Lab

Data-Link Details of Leased Lines

- International Organization for Standardization (ISO) made HDLC.

- ISO-standard HDLC does not have Type field.

- Three hops though the internetwork

Ethernet as a WAN Technology

- Ethernet emulation = EoMPLS (Ethernet over Multiprotocol Label Switching (MPLS))

- Forwarding IP packets from one site to another.

Accessing the Internet

The Internet as a Large WAN

- ISP networks connect to customers and each other.

Internet Access (WAN) Links

Digital Subscriber Line

Final Comparison: DSL vs CATV

Chapter 4 - Fundamentals of IPv4

Overview of Network Layer Functions

How Network Layer Routing Uses LANs and WANs

IP Addressing and How Addressing Helps IP Routing

- IPv4 header: 20-byte source IP address and destination IP address.

Rules for Grouping IP Addresses

- Routers define IP grouping

Class A, B, and C IP Networks

- Class A: more than 16 million hosts, 126 networks

The Actual Class A, B, and C IP Networks

- Class A: first octet defines group

- Waste of many IP addresses

- One group of 254 addresses beginning with 150.9.1

- PC1 to PC11: PC1 >> SW >> PC11

Router Forwarding Decisions and the IP Routing Table

A Detailed Routing Example

IPv4 Routing Protocols

Step A: Subnet 150.150.4.0 is connected to Router R3

Other Network Layer Features