Part I - Networking Fundamentals
Chapter 1 - Introduction to TCP/IP Networking
TCP/IP Application Layer - HTTP:
HTTP GET Request, HTTP Reply, and One Data-Only Message (Encapsulation):
Concept: Description
Same-layer interaction on different computers: The two computers use a protocol (an agreed-to set of rules) to communicate with the same layer on another computer. The protocol defined by each layer uses a header that is transmitted between the computers to communicate what each computer wants to do. Header information added by a layer of the sending computer is processed by the same layer of the receiving computer.
Adjacent-layer interaction on the same computer: On a single computer, one layer provides a service to a higher layer. The software or hardware that implements the higher layer requests that the next lower layer perform the needed function.
Same-layer Interaction: two computers' communication with the same layer using headers;
TCP error recovery (TCP creates sequence numbers, TCP receives and reacts to the
segments)
Adjacent-layer Interaction: Single computer, HTTP (Layer 5) requests => error recovery on
TCP (Layer 4)
TCP/IP Network Layer:
Major protocol: IP
IP = Addressing, Routing
- All Larry's IP addresses begin with 1, Bob's with 2 and Archie's with 3.
- Routers route/forward IP packets to correct destination
Step 1: Larry encapsulates the IP packet between an Ethernet header and Ethernet trailer =>
Ethernet frame.
Step 2: Larry physically transmits the bits of the Ethernet frame, using electricity flowing
over the Ethernet cabling.
Step 3: Router R1 physically receives the electrical signal over a cable, and re-creates the
same bits by interpreting the meaning of the electrical signals.
Step 4: Router R1 de-encapsulates the IP packet from the Ethernet frame by removing and
discarding the Ethernet header and trailer.
Data encapsulation:
Step 1: Create and encapsulate the application data with any required application
layer headers, e.g. HTTP OK message in HTTP header, followed by part of the contents of a
web page.
Step 2: Encapsulate the data supplied by the application layer inside a transport layer
header, e.g. TCP/UDP headers for end-user applications.
Step 3: Encapsulate the data supplied by the transport layer inside a network layer
(IP) header. IP defines the IP addresses that uniquely identify each computer.
Step 4: Encapsulate the data supplied by the network layer inside a data link layer
header and trailer, e.g. Ethernet header and trailer
Step 5: Transmit the bits. The physical layer encodes a signal onto the medium to
transmit the frame.
Terminology:
Encapsulation: Process of putting headers and sometimes trailers around some data.
Chapter 2 - Fundamentals of Ethernet LANs
- Wireless Router can replace Router + Switch + Access Point
- Ethernet standards come from the IEEE and include the number 802.3 as the beginning part
of the standard name.
- UTP (Unshielded Twisted-Pair) Cabling saves money compared to optical fibers.
- Informal IEEE standard name notation: SPEED + BASE + (T for UTP or X for fiber)
- Ethernet nodes forward encapsulated Ethernet frame (Ethernet Header + Data + Ethernet
Trailer)
- RJ-45: common connector with 8 physical locations into which the wires in the cables can
be inserted (pin positions/pins).
- Network Interface Card (NIC) has RJ-45 ports.
- Straight-through cables only work when the nodes use opposite pairs for transmitting data.
Crossover Cable
- Only when two like devices are transmitting on the same pins.
- Connect 1 and 2 to 3 and 6, and 3 and 6 to 1 and 2
- Ethernet data-link protocol defines the Ethernet frame: an Ethernet header at the front, the
encapsulated data in the middle, and an Ethernet trailer at the end.
Ethernet addressing:
- Sending node puts its own address in the source address field.
Ethernet Address =
- LAN Address
- Ethernet Address
- Hardware Address
- Burned-In Address (BIA): permanent MAC address that is encoded into the ROM chip on
the NIC
- Physical Address
- Universal Address: Emphasis of uniqueness of addresses
- MAC Address
Group Addresses
- Identification of more than one LAN interface card
- Frames can be sent to a set of devices on the LAN, or all devices on the LAN.
Broadcast address: Frames sent to this address should be delivered to all devices on the
Ethernet LAN. It has a value of FFFF.FFFF.FFFF
Multicast address: Frames sent to a multicast Ethernet address will be copied and forwarded
to a subset of the devices on the LAN that volunteers to receive frames sent to a specific
multicast address.
Ethernet Type Field
- Specifies Protocols
- IPv4, IPv6, DECnet, SNA, Novell NetWare
Full Duplex/Half Duplex - Sending Ethernet Frames With Switches And Hubs
Step 1: PC1 builds and sends the original Ethernet frame, using its own MAC address as the
source address and PC2's MAC address as the destination address.
Step 2: Switch SW1 receives and forwards the Ethernet frame out its G0/1 interface (short for
Gigabit interface 0/1) to SW2.
Step 3: Switch SW2 receives and forwards the Ethernet frame out its F0/2 interface (short for
Fast Ethernet interface 0/2) to PC2.
Step 4: PC2 receives the frame, recognizes the destination MAC address as its own, and
processes the frame.
Half duplex: The device must wait to send if it is currently receiving a frame; in other words,
it cannot send and receive at the same time.
Full duplex: The device does not have to wait before sending; it can send and receive at the
same time.
CSMA/CD
Step 1: A device with a frame to send listens until the Ethernet is not busy.
Step 2: When the Ethernet is not busy, the sender begins sending the frame.
Step 3: The sender listens while sending to discover whether a collision occurs; collisions
might be caused by many reasons, including unfortunate timing. If a collision occurs, all
currently sending nodes do the following:
A. They send a jamming signal that tells all nodes that a collision happened.
B. They independently choose a random time (the backoff) to wait before trying
again, to avoid unfortunate timing.
C. The next attempt starts again at Step 1.
- Leased lines use two pairs of wires, one pair for each direction => Full Duplex operation
- Leased lines: companies pay monthly fees to use line
- Service provider: companies that provide WAN connectivity, including Internet services
- "Serial" = "Sequential"
- CSU/DSU: Function that is integrated into serial interface card in router or sit outside router
as an external device
- Router >> short serial cable >> external CSU/DSU (using RJ-48 connector, similar to RJ-45)
- Speeds are predefined: slower speeds run at multiples of 64 kbps, faster links run at
multiples of about 1.5 Mbps
HDLC
- HDLC has less work than Ethernet data-link protocol because of point-to-point topology.
- HDLC frames can only go to one place: to other end of link
- Address field exists, but the destination is implied.
Step 1: PC1's network layer (IP) logic tells it to send the packet to a nearby router (R1).
Step 2: Router R1's network layer logic tells it to forward (route) the packet out the leased
line to Router R2 next.
Step 3: Router R2's network layer logic tells it to forward (route) the packet out the LAN link
to PC2 next.
HDLC (leased line)
Pros: Simple for the customer; Widely available; High quality; Private
Cons: Higher cost; Typically, longer lead times to get the service installed
- Ethernet used between customer site and the SP (Service Provider)'s network
- PoP: Point of Presence
- SP uses Ethernet switch instead of telco switch
- DSL-capable devices at home + DSL equipment at the telco's CO are needed for DSL service (3-15)
- DSL modem: sends data to/from the telco via physical and data link layer standards.
- Home-based router also needs to be able to send data to/from the Internet.
- Telephones now require short extra cable with filter installed at the wall jack to filter
higher electrical frequencies of DSL.
- DSLAM: Digital Subscriber Line Access Multiplexer; splits data to the router and voice signals
to the voice switch
- DSL supports asymmetric speeds, transmission speed from the ISP to home (downstream)
is much faster than the transmission toward the ISP (upstream).
- Clicking web page sends smaller data upstream and bigger data downstream.
Cable Internet
- Uses existing Cable TV (CATV) cable to send data.
- Uses asymmetric speeds.
- Short WAN links from customer to ISP
- Telephone line of DSL replaced by coaxial cable of CATV.
- DSL modem replaced by Cable modem.
- CATV company splits data to router and video from video dishes (to TVs)
Routing Protocols
- Hosts need to know IP address of default router
- Routers need to know routes
- Step 1: R3 sends routing protocol message to R2, with information of R3's network
- Step 2: R2 sends routing protocol message to R1, with information of R3's network.
IPv4 Addressing
Rules for IP Addresses
- IP host: any device that has at least one interface with an IP address
- IP address is a 32-bit number, in DDN (Dotted-Decimal Notation)
- Each DDN has 4 decimal octets (bytes), separated by periods
- Octet represents 8-bit number, has range of 0-255 inclusive
- NIC, wireless NIC, router interfaces have IP addresses for each interface
IP Subnetting
- Subnet = Subdivided Network
IPv4 Routing
IPv4 Host Routing
- Router logic at Step 3: In which groups (networks/subnets) does this packet's destination
address reside?
Chapter 5 - Fundamentals of TCP/IP Transport and Applications
TCP/IP Layer 4 Protocols: TCP and UDP
- Most data-link protocols: Error Detection - discard frames
- TCP: Error Handling - retransmission
- TCP: Flow control - avoid congestion
- UDP: fewer bytes of overhead - VoIP, video over IP
- TCP segment/L4PDU - message created by TCP that begins with TCP header
- WWW (World Wide Web): Web browsers accessing the content available on web servers
- DNS (Domain Name System): Users can refer to computers as their names, and DNS finds
corresponding IP address, client-server model
- SNMP (Simple Network Management Protocol): Network device management, Cisco Prime
uses SNMP to query network devices (query, compile, store and display information about
network's operation)
- TFTP (Trivial File Transfer Protocol): Protocol for basic file transfer, simple
- FTP (File Transfer Protocol): Many more features than TFTP, general choice
- TCP uses SEQ and ACK fields so receiving host can notice lost data >> ask sending host to
resend >> acknowledge that re-sent data arrived
Step 1: Web Server receives bytes 1000-1999 and 3000-3999, so it asks for missing data of
bytes 2000-2999 next with ACK value of 2000.
Step 2: Web browser sends missing data with SEQ of 2000
Step 3: Web server receives bytes 2000-2999, and asks for 4000 next with ACK value of
4000 (already received data + recently received data).
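The three steps above, replayed as an added example (not code from the notes or the book): a receiver that records which byte ranges have arrived and returns the cumulative ACK it would send, so a lost segment in the middle produces ACK 2000 until the resend arrives, then ACK 4000. Segment sizes and sequence numbers are constructed to match the steps.

```python
# Added example, not from the original notes: a TCP receiver that records
# which byte ranges have arrived and computes the cumulative ACK it sends.
# Segment sizes and sequence numbers are constructed to match the three steps above.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Segment:
    seq: int      # sequence number of the first data byte
    length: int   # number of data bytes carried


@dataclass
class Receiver:
    """Tracks received byte ranges as half-open [start, end) intervals."""
    next_expected: int                       # first byte not yet received in order
    received: List[Tuple[int, int]] = field(default_factory=list)

    def accept(self, seg: Segment) -> int:
        """Record the segment and return the ACK value: the next byte the receiver wants.

        The ACK is cumulative (forward acknowledgement): every byte below it has
        arrived, so the sender knows exactly where to resume after a loss.
        """
        self.received.append((seg.seq, seg.seq + seg.length))
        self.received.sort()
        # Advance past every range that is contiguous with what we already have.
        # Data that arrived out of order (a later range) is kept, not re-requested.
        moved = True
        while moved:
            moved = False
            for start, end in self.received:
                if start <= self.next_expected < end:
                    self.next_expected = end
                    moved = True
        return self.next_expected

    def gaps(self) -> List[Tuple[int, int]]:
        """Byte ranges missing between next_expected and the highest byte seen."""
        holes, cursor = [], self.next_expected
        for start, end in self.received:
            if start > cursor:
                holes.append((cursor, start))
            cursor = max(cursor, end)
        return holes


def walk_through() -> List[int]:
    """Replay the three steps from the notes and return the ACK sent after each event."""
    web_server = Receiver(next_expected=1000)
    acks = []
    # Step 1: bytes 1000-1999 and 3000-3999 arrive; 2000-2999 was lost in transit.
    web_server.accept(Segment(seq=1000, length=1000))
    acks.append(web_server.accept(Segment(seq=3000, length=1000)))   # ACK 2000
    assert web_server.gaps() == [(2000, 3000)]
    # Step 2/3: the browser resends SEQ 2000; the server now asks for 4000.
    acks.append(web_server.accept(Segment(seq=2000, length=1000)))   # ACK 4000
    return acks


if __name__ == "__main__":
    print(walk_through())
```

Because the ACK only moves when the hole at next_expected is filled, the out-of-order segment 3000-3999 is neither discarded nor re-requested; that is what lets the sender resend only the one missing segment.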
TCP/IP Applications
- Purpose of connection to Internet is to use applications (web browsing, text messaging,
email etc.)
- Web servers: Storage of information (web pages)
- Web browser: End user software to connect to web server and display web pages
- Web browsers = web clients
Step 1: The user enters the URI into the browser's address area.
Step 2: The client sends a DNS request to the DNS server (client learns DNS server's IP
address through DHCP), with a UDP header and DPort of 53.
Step 3: DNS server sends a reply, listing IP address of URI with Dest. IP address of client's
source IP address and UDP header with source port 53.
Step 4: Client begins establishment of TCP connection to web server. The packet includes
TCP header (since HTTP uses TCP) with DPort of 80 and SYN bit.
- Encapsulation: Data >> HTTP header >> TCP header >> IPv4 header >> Ethernet header
- Ethernet Ether Type field: 0x0800 = IPv4 header
- IPv4 Protocol field: 6 = TCP header (17 = UDP header)
- TCP port number fields: destination port 80 identifies HTTP on the server; source port 1024 identifies this client's unique connection
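The Chapter 1 encapsulation steps and the field values just listed (EtherType 0x0800, IP Protocol 6, port 80), as an added example that is not code from the notes: one HTTP request is wrapped in TCP, IPv4 and Ethernet headers with struct, then de-encapsulated layer by layer, checking at each layer the field that identifies the next header and discarding the frame if the FCS does not match. MAC and IP addresses are constructed sample values, and the TCP checksum is left at zero for brevity.

```python
# Added example, not from the original notes: build one HTTP/TCP/IPv4/Ethernet frame with the
# encapsulation steps above, then de-encapsulate it, checking the field at each layer that
# identifies the next header. MAC and IP addresses are constructed sample values.
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800   # Ethernet Type field: IPv4 header follows
IPPROTO_TCP = 6           # IPv4 Protocol field: TCP header follows (17 would be UDP)


def ip_checksum(header: bytes) -> int:
    """IPv4 header checksum: ones' complement of the ones' complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(text: str) -> bytes:
    """'0200.1111.1111' (Cisco notation) -> 6 raw bytes."""
    return bytes.fromhex(text.replace(".", "").replace(":", ""))


def mac_text(raw: bytes) -> str:
    h = raw.hex()
    return "%s.%s.%s" % (h[0:4], h[4:8], h[8:12])


def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def ip_text(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def encapsulate(app_data, src_mac, dst_mac, src_ip, dst_ip, sport, dport, tcp_flags=0x18):
    """Steps 1-4: wrap application data in TCP, IPv4 and Ethernet headers (plus FCS trailer)."""
    # Step 2: transport layer. 20-byte TCP header, no options (data offset 5),
    # flags default to PSH+ACK; TCP checksum left 0 for brevity.
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    segment = tcp_hdr + app_data                      # L4PDU
    # Step 3: network layer. 20-byte IPv4 header; checksum covers the header only.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64,
                         IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment                          # L3PDU
    # Step 4: data link layer. Ethernet header in front, FCS (CRC-32) trailer at the end.
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    body = eth_hdr + packet
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs                                  # L2PDU (frame)


def de_encapsulate(frame: bytes) -> dict:
    """Reverse the steps: verify the FCS, then peel each header using the field that names the next."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) != fcs:
        # Error detection only: a data-link protocol discards the frame, it does not retransmit.
        raise ValueError("FCS mismatch, frame discarded")
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("EtherType 0x%04x is not IPv4" % ethertype)
    packet = body[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:                  # a valid header sums to zero
        raise ValueError("IPv4 header checksum failed")
    if proto != IPPROTO_TCP:
        raise ValueError("IP protocol %d is not TCP" % proto)
    segment = packet[ihl:total_len]
    sport, dport, _, _, offset, flags, _, _, _ = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (offset >> 4) * 4
    return {
        "dst_mac": mac_text(body[0:6]), "src_mac": mac_text(body[6:12]),
        "src_ip": ip_text(src), "dst_ip": ip_text(dst),
        "sport": sport, "dport": dport, "syn": bool(flags & 0x02),
        "payload": segment[data_offset:],
    }


def fcs_detects_corruption(frame: bytes, position: int) -> bool:
    """Flip one bit at `position` and report whether de-encapsulation rejects the frame."""
    damaged = bytearray(frame)
    damaged[position] ^= 0x01
    try:
        de_encapsulate(bytes(damaged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\n\r\n", "0200.1111.1111", "0200.5555.5555",
                        "10.1.1.1", "10.1.1.2", sport=1024, dport=80)
    print(len(frame), "bytes on the wire")
    print(de_encapsulate(frame))
```

Each layer's header carries exactly one field that tells the receiver which header comes next, which is why de-encapsulation can proceed without any out-of-band knowledge; a corrupted bit anywhere in the frame changes the CRC-32 and the frame is dropped at Layer 2, leaving recovery to TCP.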
PART I REVISION
Terms: Definitions
Chapter 1
Adjacent-layer Interaction: On a single computer, one layer provides a service to a higher layer. The higher layer requests that the next lower layer perform the needed function. (HTTP & TCP)
De-encapsulation: Process of discarding headers and/or trailers.
Encapsulation: Process of prepending/appending headers and/or trailers.
Frame: A data link layer protocol message and its encapsulated data and header/trailer; L2PDU.
Networking Model: A networking model defines rules about how each part of the network should work and how the parts should work together so that the entire network functions correctly.
Packet: A network layer protocol message and its encapsulated data and header; L3PDU.
Protocol Data Unit (PDU): The bits that include the headers and trailers for a layer, as well as the encapsulated data.
Same-layer Interaction: The process of two computers communicating with the same layer. (TCP)
Segment: A transport layer protocol message and its encapsulated data and header; L4PDU.
Chapter 2
Ethernet: A family of LAN standards that together define the physical and data link layers of wired LAN technology. (IEEE 802.3)
Institute of Electrical and Electronics Engineers (IEEE): The institute that defines the standards of the cabling, connectors on each end of the cables, the protocol rules and everything required to create an Ethernet LAN.
Wired LAN: LANs that use wires to create physical connections between devices.
Wireless LAN: LANs that use wireless technology to create connections between devices.
Ethernet Frame: A message which contains encapsulated data and an Ethernet header/trailer.
10BASE-T: Twisted-pair cables that run at 10 Mbps (802.3, copper, 100 m)
100BASE-T: Twisted-pair cables that run at 100 Mbps (802.3u, copper, 100 m)
1000BASE-T: Twisted-pair cables that run at 1000 Mbps (802.3ab, copper, 100 m)
Fast Ethernet: Common name for 100BASE-T
Gigabit Ethernet: Common name for 1000BASE-T or 1000BASE-LX.
Ethernet Link: Any physical cable between two Ethernet nodes.
RJ-45: Connectors that exist on both ends of cables and have 8 pin positions.
Ethernet Port: Ports into which Ethernet connectors connect.
Network Interface Card (NIC): A computer hardware component that connects a computer to a computer network.
Straight-through Cable: A cable used when both nodes send and receive on different pins.
Crossover Cable: A cable used when both nodes send and receive on the same pins.
Ethernet Address: A MAC address.
MAC (Media Access Control) Address: 12-digit hexadecimal (48-bit binary) number that is the physical address of a device.
Unicast Address: An address that represents a single interface to the Ethernet LAN.
Broadcast Address: Frames sent to this address should be delivered to all devices on the Ethernet LAN; it has a value of FFFF.FFFF.FFFF.
Frame Check Sequence (FCS): A way for nodes to detect errors and discard frames if necessary.
Full Duplex: The device does not have to wait before sending; it can send and receive at the same time.
Half Duplex: The device must wait to send if it is currently receiving a frame; in other words, it cannot send and receive at the same time.
Chapter 3
Leased Line: Full duplex lines that companies pay monthly fees (to service providers) to use.
Wide-area Network (WAN): WANs connect devices that are far apart.
Telco: Telecommunications company; telephony and data communications provider
Serial Interface
High-level Data Link Control (HDLC): A data link protocol to control the correct delivery of data over a physical link
Digital Subscriber Line (DSL)
Cable Internet
Ethernet over MPLS (EoMPLS)
CSU/DSU
CPE
DTE: Data terminal equipment; serial cables used between router and external CSU/DSU, straight-through cable, male connector
DCE: Data communications equipment; crossover cable, serial cable connecting router and external CSU/DSU with DTE, female connector
Chapter 4
Default Router (Default Gateway): The router that a device sends its frames to when the receiving node is outside the LAN.
Routing Table: The table that keeps the list of routes (e.g. next-hop router address for a subnet)
IP Network
IP Subnet
IP Packet
Routing Protocol: Protocols that help routers to learn routes for all IP networks and subnets.
Dotted-decimal Notation (DDN): Decimal numbers that are separated by dots.
IPv4 Address
Unicast IP Address: The IP address of a single interface.
Subnetting
Hostname
Domain Name System (DNS)
Address Resolution Protocol (ARP)
Packet Internet Groper (ping)
Chapter 5
Connection Establishment
Error Detection
Error Recovery
Flow Control
Forward Acknowledgement
Hypertext Transfer Protocol (HTTP)
Ordered Data Transfer
Port
Segment
Sliding Windows
Uniform Resource Identifier (URI)
Web Server
Part II - Implementing Basic Ethernet LANs
Chapter 6 - Using the Command-Line Interface
Accessing the Cisco Catalyst Switch CLI
- CLI: Command-Line Interface; text-based interface in which the user sends commands to
the device.
- Left: RJ-45 console port >> UTP rollover cable (pins: 1-8, 2-7, 3-6 etc.) >> D-shell
connector (nine pins, a.k.a. DB-9)
- Centre: RJ-45 console port >> UTP rollover cable >> USB converter >> USB cable >>
USB port
- Right: USB console port >> USB cable >> USB port
- reload command does not work in user mode, but does in enable mode.
- Use enable command to switch to enable mode.
- Configuration mode changes only running-config file, and power loss = loss of
configuration => copy running-config file to NVRAM
Step 1: Running-config & startup-config have hostname 'hannah' through the hostname hannah
command
Step 2: hostname jessie in configuration mode
Step 3: show running-config & show startup-config show different hostname
Figure 7-1 Campus LAN and Data Centre LAN, Conceptual Drawing (figure not reproduced)
Switch Interfaces
- show interfaces status - Lists statuses of interfaces
- Cisco Catalyst switches name their ports based on the fastest specification
- Connected state and notconnected state (port not functioning)
- show interfaces f0/1 status - lists status of f0/1
- show interfaces f0/1 counters - lists number of unicast, multicast and broadcast frames of
f0/1
- show mac address-table dynamic interface interface: shows all dynamically learned
MAC address entries from a particular port in the MAC address table
- show mac address-table dynamic vlan vlan number: shows dynamic MAC address table
entries for one VLAN
- show mac address-table count: shows amount of dynamic and static MAC addresses in
the MAC address table
- MAC address table uses Content-Addressable Memory (CAM)
- If table is full, to add a new table entry, the switch times out (removes) oldest table entry.
- clear mac address-table dynamic: Removes dynamic entries from the MAC address table
Step 1: Enter console or vty line configuration mode with line console 0 or line vty 0 15
Step 2: Define a password for the console or vty with password password-value
Step 3: Enable the use of a simple shared password (no username) with login
- Enable password configuration: enable secret password-value in global configuration mode
Step 1: Define username and password with username name password pass-value or
username name secret pass-value
Step 2: Enter console or vty line configuration mode with line console 0 or line vty 0 15
Step 3: Enable local username/password login with login local
Step 1: Enter global configuration mode and define the hostname with hostname name
Step 2: Define the domain name of the switch using ip domain-name example.com
Step 3: Generate the SSH encryption keys with crypto key generate rsa [modulus modulus-value]
- FQDN: Fully Qualified Domain Name, hostname of a host + domain name
- transport input all or transport input telnet ssh: Support both Telnet and SSH
- transport input none: Support neither Telnet nor SSH (Cisco router default)
- transport input telnet: Support only Telnet
- transport input ssh: Support only SSH
- ip ssh version 2: Support only SSHv2 (default is both 1 and 2)
- By using VLAN 1 for IP configuration, switch can send/receive frames on any ports in
VLAN 1
- Telnet/SSH default: automatic disconnection of console and vty users after 5 minutes of
inactivity
- exec-timeout minutes seconds: sets length of inactivity timer, 0 stands for "never time out",
line subcommand
- IOS default: mistype of command => switch tries DNS name resolution on IP hostnames,
tries to Telnet to a host by that name, takes about a minute to return to normal state
- no ip domain-lookup: disables IOS's attempt to resolve the mistyped hostname into IP
address, global configuration command
Autonegotiation
- Autonegotiation commands: speed auto and duplex auto
- PC1:
- Switch top speed: 1000 Mbps
- PC1 NIC top speed: 10 Mbps
- Autonegotiation: speed - 10 Mbps, duplex - full
- PC2:
- Switch top speed: 1000 Mbps
- PC2 NIC top speed: 100 Mbps
- Autonegotiation: speed - 100 Mbps, duplex - full
- PC3:
- Switch top speed: 1000 Mbps
- PC3 NIC top speed: 1000 Mbps
- Autonegotiation: speed - 1000 Mbps, duplex - full
- PC1:
- Speed: Switch senses speed of 100 Mbps and uses 100 Mbps
- Duplex: Since speed = 100 Mbps, use half duplex
- PC2:
- Speed: Switch senses speed of 1000 Mbps and uses 1000 Mbps
- Duplex: Since speed = 1000 Mbps, use full duplex
- PC3:
- Speed: Switch senses speed of 10 Mbps
- Duplex: Since speed = 10 Mbps, use half duplex
- Duplex mismatch: PC1 uses full duplex while switch uses half duplex. PC1 does not use
CSMA/CD (only for half duplex) and switch port will believe collisions occur on the link,
even if none physically occur. The link is up, but it performs poorly
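The autonegotiation rules above (fastest common speed and full duplex when both ends negotiate; sensed speed plus the 10/100 half, 1000 full default when one end is static) applied to one link, as an added example that is not code from the notes. The Side values at the bottom are constructed to reproduce the PC1, PC2 and PC3 cases, and the function also reports whether the result is the duplex mismatch the notes describe.

```python
# Added example, not from the original notes: the autonegotiation rules listed above applied
# to one link, including the case where one end is statically configured, and a check for the
# duplex mismatch the notes describe. The port values used at the bottom are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Side:
    max_speed: int                 # fastest speed the NIC/port supports, Mbps
    autoneg: bool = True
    speed: Optional[int] = None    # static settings, used only when autoneg is False
    duplex: Optional[str] = None


def choose(me: Side, peer: Side) -> Dict[str, object]:
    """Speed and duplex one end uses, given its own settings and what the other end does."""
    if not me.autoneg:
        return {"speed": me.speed, "duplex": me.duplex}      # static: exactly what was typed
    if peer.autoneg:
        # Both ends negotiate: fastest speed both support, full duplex.
        return {"speed": min(me.max_speed, peer.max_speed), "duplex": "full"}
    # Peer sends no negotiation messages, so this end only senses its speed and then
    # applies the IEEE default duplex for that speed: half for 10/100, full for 1000.
    sensed = peer.speed
    if sensed is None or sensed > me.max_speed:
        raise ValueError("peer speed missing or above this port's maximum")
    return {"speed": sensed, "duplex": "full" if sensed == 1000 else "half"}


def resolve_link(a: Side, b: Side) -> Dict[str, object]:
    """Settings each end actually uses, plus whether they disagree on speed or duplex."""
    a_uses, b_uses = choose(a, b), choose(b, a)
    return {
        "a": a_uses, "b": b_uses,
        "speed_mismatch": a_uses["speed"] != b_uses["speed"],
        # Both ends stay up/up; the half-duplex end counts phantom collisions and the link crawls.
        "duplex_mismatch": a_uses["duplex"] != b_uses["duplex"],
    }


if __name__ == "__main__":
    switch = Side(max_speed=1000)
    for name, pc in (("PC1", Side(100, autoneg=False, speed=100, duplex="full")),
                     ("PC2", Side(1000, autoneg=False, speed=1000, duplex="full")),
                     ("PC3", Side(10, autoneg=False, speed=10, duplex="half"))):
        print(name, resolve_link(switch, pc))
```

The mismatch case is the one to watch for in practice: the link reports connected and speeds agree, so only the duplex comparison (or rising collision and late-collision counters on the switch port) reveals the problem.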
Port Security
- Examination of source MAC address so only expected devices can use interface
- Port F0/1 is in secure-shutdown state because a violation occurred on F0/1 and is disabled
because of maximum MAC addresses
- switchport port-security mac-address sticky mac-address: Adds a MAC address to sticky
learned MAC addresses
Port Security MAC Addresses as Static and Secure but Not Dynamic
- Switch port configured with port security does not consider dynamic entries in show mac
address-table dynamic
- show mac address-table secure: Lists MAC addresses associated with ports that use port
security
- show mac address-table static: Lists MAC addresses associated with ports that use port
security, as well as any other statically defined MAC addresses
Part II Revision
Key Terms You Should Know
Key Terms Definition
Chapter 6
Command-Line Interface (CLI)
Telnet
Secure Shell (SSH)
Enable mode
User mode
Configuration mode
Startup-config file
Running-config file
Chapter 7
Broadcast frame
Known unicast frame
Spanning Tree Protocol (STP)
Unknown unicast frame
MAC address table
Forward
Flood
Chapter 8
Local username
AAA
AAA server
Default gateway
VLAN interface
History buffer
DNS
Name resolution
Log message
Chapter 9
Port security
Autonegotiation
10/100
10/100/1000
- Switch collision domains that use full duplex has no collisions; CSMA/CD is not needed
- Each interface of a switch is a separate collision domain
- Each LAN interface (not apply to WAN) of a router is a separate collision domain
The Impact of Collisions on LAN Design
Virtual LANs
- LAN: A LAN consists of all devices in the same broadcast domain
- VLANs create multiple broadcast domains; switch forwarding logic does not forward
frames from one VLAN to another VLAN
- Routers must forward packets between VLANs using routing logic
- Two disconnected switches are required to create broadcast domains without VLANs
- Two-tier design
- Star topology at access layer
- Partial mesh topology at distribution layer
- Overall, is a hybrid design
- Instead of core tier, distribution switches can be cabled together with full mesh or partial
mesh
- Three-tier core design uses less switch ports and cables
- N.B.: Core switches often sit in the same room as distribution switches
- Core tier uses partial mesh
- Three-tier designs are a hybrid design
- Access layer: Provides connection point for end-user devices; does not forward frames
between other access switches
- Distribution layer: Provides connectivity to the rest of the devices in the LAN for access
switches; forwards frames between switches, but does not connect directly to end-user
devices
- Core layer: Aggregates distribution switches in large campus LANs
Ethernet Standards
- Autonomous wireless AP communicates with wireless devices with 802.11 protocols and
radio waves, and converts header formats between 802.11 and 802.3
- Autonomous AP must perform control and management functions e.g. authentication of
new devices, definition of name of WLAN (Service Set ID, SSID) etc.
Chapter 11 - Implementing Ethernet Virtual LANs
Virtual LAN Concepts
- LAN: A LAN includes all devices in the same broadcast domain
- VLANs create multiple broadcast domains with a single switch; broadcast frames from one
VLAN does not get forwarded to other VLANs
- VLAN Advantages:
- Without VLAN trunking: Each VLAN needs a separate physical link, and separate ports on
each switch
- SW1 adds VLAN header with VLAN ID of 10 to send broadcast frames to SW2, which can
then flood out all ports in VLAN 10
- show vlan brief: Shows vlan statuses; in this case, default settings
- vlan 2: Creates a VLAN with VLAN ID 2
- name Freds-vlan: Defines VLAN name as Freds-vlan
- interface range fastethernet 0/13 - 0/14: Selects interfaces F0/13 and F0/14 as the targets
of the next set of subcommands
- switchport access vlan 2: Assigns F0/13 and F0/14 to VLAN 2
- switchport mode access: Assigns F0/13 and F0/14 as always being access (nontrunking)
ports
- show vlan id 2: displays information for VLAN 2
- If both switches are set to dynamic auto, when one switch is set to dynamic desirable,
trunking negotiation begins, and trunking is used
- switchport mode dynamic desirable: tells switch to both negotiate as well as begin the
negotiation process
- Interface goes down and back up again to change from one mode to another
- "Administrative Mode: dynamic desirable" : switch is configured to initiate negotiation
process
- "Operation Mode: trunk" : switch is currently negotiated to be in trunk mode
- "Administrative Trunking Encapsulation: dot1q" : switch is configured to use 802.1Q
tagging
- "Operational Trunking Encapsulation: dot1q" : switch is currently using 802.1Q tagging
- show interfaces trunk now displays dynamic desirable configured G0/1
- PC => Patch cable => IP phone embedded switch => Ethernet UTP cable => Ethernet
switch
- IP phone switch port acts as an access link for PC's traffic and trunk for phone's traffic
- CDP must be enabled on interface for voice access port to work with Cisco IP phones; CDP
is enabled by default
- ping commands test whether the IP network can deliver packets in both directions
- Duplex mismatch: one interface uses autonegotiation, another uses static configuration;
speeds are autonegotiated to be the same, but duplexes are autonegotiated to be different
- CRC (Cyclic Redundancy Check) error: frames that do not pass FCS error detection =>
discarded
- show mac address-table dynamic: lists dynamically learned MAC addresses (if port
security is disabled)
- Barney 0200.2222.2222 >> In SW1 Fa0/12 >> Out SW1 Gi0/1 >> In SW2 Gi0/2 >> Out
SW2 Fa0/13 >> In R1 Gi0/1 0200.5555.5555
Switch forwarding logic (flowchart, rendered as text):
Step 1: If port security is enabled on the incoming port, apply port security logic to filter
frames as appropriate.
Step 2: Is the port an access port? Yes: determine the interface's access VLAN. No (trunk):
determine the frame's tagged VLAN.
Step 3: Is the frame (A) a known unicast, (B) an unknown unicast, or (C) a broadcast?
(A): Forward the frame out only the interface in the matched MAC address table entry.
(B) or (C): Flood the frame out all other access ports in the same VLAN and all allowed
trunks, except the incoming port.
Step 1: Identify all interfaces on which port security is enabled (show running-config or
show port-security)
Step 2: Determine whether a security violation is currently occurring based on the violation
modes
- A: shutdown: Interface is put to err-disabled state, with port security port status
secure-down
- B: restrict: Interface remains in connected state, port security port status would be
secure-up, but show port-security interface displays incrementing violations counter
- C: protect: Interface remains in connected state, but show port-security interface
will not display an incrementing violations counter
Step 3: Compare port security configurations to diagram and Last Source Address field in
show port-security interfaces
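The forwarding flowchart above and the three violation modes (shutdown, restrict, protect) together, as an added example that is not code from the notes or from Cisco IOS: a small switch model that applies port security before the VLAN lookup, learns source MACs, forwards known unicasts out one port and floods the rest within the VLAN. The Switch and Port classes are hypothetical, and the ports, MAC addresses and frame sequence in scenario() are constructed.

```python
# Added example, not from the original notes: the forwarding decision above and the three
# port security violation modes, as a small switch model. Ports, MAC addresses and the frame
# sequence in scenario() are constructed; the Switch/Port classes are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Port:
    name: str
    mode: str = "access"                      # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1                      # untagged frames on a trunk belong here
    allowed_vlans: Optional[Set[int]] = None  # None = every VLAN allowed on the trunk
    status: str = "connected"                 # "connected" or "err-disabled"
    maximum: Optional[int] = None             # port security off when None
    violation_mode: str = "shutdown"          # shutdown | restrict | protect
    secure_macs: Set[str] = field(default_factory=set)
    violations: int = 0


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    tag: Optional[int] = None                 # 802.1Q VLAN ID, present only on trunk links


class Switch:
    def __init__(self, ports: List[Port]):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.mac_table: Dict[Tuple[int, str], str] = {}   # (vlan, mac) -> port name

    def port_security(self, port: Port, frame: Frame) -> bool:
        """Port security logic: True if the frame may be processed, False if filtered."""
        if port.maximum is None:
            return True
        if port.status == "err-disabled":
            return False                              # nothing passes a shut-down port
        if frame.src_mac in port.secure_macs:
            return True
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.add(frame.src_mac)       # learn it (like mac-address sticky)
            return True
        # Too many source MACs on the port: a violation; the mode decides what happens.
        if port.violation_mode == "shutdown":
            port.status = "err-disabled"              # port status becomes secure-down
            port.violations += 1
        elif port.violation_mode == "restrict":
            port.violations += 1                      # port stays up, counter increments
        # protect: frame silently dropped, port stays up, counter does not increment
        return False

    def receive(self, in_port: str, frame: Frame) -> List[str]:
        """Return the ports the frame is sent out of (empty if filtered or dropped)."""
        port = self.ports[in_port]
        if not self.port_security(port, frame):
            return []
        # Access port: the interface's access VLAN. Trunk: the frame's tag (or native VLAN).
        if port.mode == "access":
            vlan = port.access_vlan
        else:
            vlan = frame.tag if frame.tag is not None else port.native_vlan
        self.mac_table[(vlan, frame.src_mac)] = port.name      # learn the source address
        known = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and known is not None:    # (A) known unicast
            return [] if known == port.name else [known]
        # (B) unknown unicast or (C) broadcast: flood within the VLAN, never back out the
        # incoming port; trunks carry it only if the VLAN is allowed on them.
        return sorted(p.name for p in self.ports.values()
                      if p.name != port.name and p.status == "connected" and
                      ((p.mode == "access" and p.access_vlan == vlan) or
                       (p.mode == "trunk" and (p.allowed_vlans is None or vlan in p.allowed_vlans))))


def scenario() -> Tuple[List[List[str]], Switch]:
    """Constructed walk-through: two PCs in VLAN 10, one in VLAN 20, a trunk, and a violation."""
    sw = Switch([
        Port("Fa0/1", access_vlan=10, maximum=1, violation_mode="shutdown"),
        Port("Fa0/2", access_vlan=10),
        Port("Fa0/3", access_vlan=20),
        Port("Gi0/1", mode="trunk"),
    ])
    pc_a, pc_b, rogue = "0200.aaaa.aaaa", "0200.bbbb.bbbb", "0200.cccc.cccc"
    results = [
        sw.receive("Fa0/1", Frame(pc_a, BROADCAST)),   # flood: Fa0/2 and Gi0/1, not Fa0/3
        sw.receive("Fa0/2", Frame(pc_b, pc_a)),        # known unicast: Fa0/1 only
        sw.receive("Fa0/1", Frame(rogue, pc_b)),       # second MAC on Fa0/1: violation
        sw.receive("Fa0/1", Frame(pc_a, pc_b)),        # port now err-disabled: filtered
    ]
    return results, sw


if __name__ == "__main__":
    out, sw = scenario()
    print(out, sw.ports["Fa0/1"].status, sw.ports["Fa0/1"].violations)
```

The order matters: port security runs before the MAC table is updated, so a violating source address is never learned, and with shutdown mode even the legitimate PC is cut off until the port is recovered, which is exactly the symptom Step 2 above tells you to look for.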
Ensuring That the Right Access Interfaces Are in the Right VLANs
- Determine which switch interfaces are access interfaces, determine assigned access VLANs
on each interface, and compare information to documentation
- show vlan and show vlan brief does not list operational trunks
- show mac address-table: lists MAC address table, with each entry including a MAC
address, interface and VLAN ID (use if show vlan and show interface switchport are not
available)
- switchport access vlan vlan-id assigns interface to correct VLAN if needed
- Issue 2: when one switch has operational state of "trunk" and other has operational state of
"static access"; status on each end will be up/up or connected, traffic in native VLAN will
cross successfully, traffic in all other VLANs will not
- switchport mode trunk does not disable DTP negotiations; switchport nonegotiate
required to disable DTP negotiations
- SW1 Gi0/1: "trunk", SW2 Gi0/2: dynamic desirable but autonegotiation is denied, so it
uses "static access" => all frames received by SW2 Gi0/2 that have an 802.1Q header are
discarded
- Solution: check both operational states using show interfaces trunk and show interfaces
switchport and re-configure if necessary
Part III Revision
Vocabulary List
Terms Definitions
Chapter 10
Autonegotiation
Broadcast domain
Broadcast frame
Collision domain
Flooding
Virtual LAN
Access point
Wireless LAN controller
Star topology
Full mesh
Partial mesh
Hub
Transparent bridge
Collapsed core design
Core design
Access layer
Distribution layer
Core layer
Chapter 11
802.1Q
Trunk
Trunking administrative mode
Trunking operational mode
VLAN
VTP
VTP transparent mode
Layer 3 switch
Access interface
Trunk interface
Data VLAN
Voice VLAN
Chapter 12
Up and up
Connected
Error disabled
Problem isolation
Root cause
Duplex mismatch
Resolve
Escalate
Part IV - IP Version 4 Addressing and Subnetting
Chapter 13 - Perspectives on IPv4 Subnetting
Introduction to Subnetting
- Subnetting: Chopping a large network into smaller pieces (subnets) and assigning them to
different parts of the enterprise internetwork
- Largest branch has 50 hosts/subnet, so all other smaller branches need around 50 hosts
Public IP networks
- Company requests a registered public IP network, either a Class A, B, or C network
- Company has universally unique IP address
- Duplicates of private networks can exist, communicate with the Internet, and even
communicate with each other
- NAT translates IP addresses inside packets using a small number of public IP addresses to
support tens of thousands of private IP addresses
NAT translates private IP addresses to a single public IP address.
When it receives a returning packet, it compares the port number to its NAT translation table and
forwards the packet to the matching private IP address.
Private IP Networks
- Will never be assigned to an organisation as a public IP network
- Can be used by organisations that will use NAT when sending packets into the Internet
- Can also be used by organisations that never need to send packets into the Internet
- Network 172.16.0.0
- Mask 255.255.255.0 (for all subnets)
- Subnet ID: .0
- Static: .1 - .100
- DHCP: .101 - .254
- Subnet broadcast: .255
- E.g. 10.0.0.0 has locked first octet and variable last three octets
Default Masks
- Default mask = network bits as 1s, host bits as 0s
- Because each subnet uses a single mask, all subnets must be the same size
Subnet ID Concepts
- Router advertises subnet ID/mask and stores in IP routing table
- Step 1: If the DDN mask octet = 255, copy the DDN octets (130.4._._)
- Step 2: If the DDN mask octet = 0, turn octet into 0 (130.4._.0)
- Step 3: Find the closest multiple of (256 - mask octet) to IP address octet (256 -240 = 16,
closest multiple = 96 => 130.4.96.0)
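The three octet rules above carried through in code, as an added example that is not from the notes: it applies them to every octet of any dotted-decimal mask and goes one step further than the text by also deriving the subnet broadcast address, the usable host range and the prefix form of the mask (the Chapter 14-16 terms). The sample addresses are constructed; 130.4.102.1 with mask 255.255.240.0 reproduces the 130.4.96.0 result given above.

```python
# Added example, not from the original notes: the three-step octet rule above, applied to
# every octet of any dotted-decimal mask, extended to the broadcast address, the usable host
# range and the prefix ("/20") form of the mask. The sample addresses are constructed.
from typing import Dict, List


def octets(dotted: str) -> List[int]:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("not a valid DDN value: %s" % dotted)
    return parts


def is_valid_mask(mask: str) -> bool:
    """A mask is valid only if its binary form is a run of 1s followed by a run of 0s."""
    bits = "".join(format(o, "08b") for o in octets(mask))
    return "0" not in bits.rstrip("0")


def mask_to_prefix(mask: str) -> int:
    """Decimal mask -> prefix length; rejects masks whose 1s are not contiguous."""
    if not is_valid_mask(mask):
        raise ValueError("non-contiguous mask: %s" % mask)
    return sum(bin(o).count("1") for o in octets(mask))


def prefix_to_mask(prefix: int) -> str:
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_id(ip: str, mask: str) -> str:
    """Apply the three octet rules from the notes."""
    mask_to_prefix(mask)                                 # validate the mask first
    result = []
    for a, m in zip(octets(ip), octets(mask)):
        if m == 255:
            result.append(a)                             # Step 1: copy the octet
        elif m == 0:
            result.append(0)                             # Step 2: host octet becomes 0
        else:
            magic = 256 - m                              # Step 3: "magic number"
            result.append((a // magic) * magic)          # closest multiple at or below
    return ".".join(map(str, result))


def subnet_broadcast(ip: str, mask: str) -> str:
    """Same idea with the host bits set to 1s: subnet ID octet + magic number - 1."""
    result = []
    for s, m in zip(octets(subnet_id(ip, mask)), octets(mask)):
        result.append(s if m == 255 else 255 if m == 0 else s + (256 - m) - 1)
    return ".".join(map(str, result))


def subnet_facts(ip: str, mask: str) -> Dict[str, object]:
    """The resident subnet of an address: ID, broadcast, usable range and host count."""
    prefix = mask_to_prefix(mask)
    sid, bcast = subnet_id(ip, mask), subnet_broadcast(ip, mask)
    hosts = max(2 ** (32 - prefix) - 2, 0)               # /31 and /32 have no usable range here
    sid_o, b_o = octets(sid), octets(bcast)
    first = sid_o[:3] + [sid_o[3] + 1] if hosts else sid_o
    last = b_o[:3] + [b_o[3] - 1] if hosts else b_o
    return {
        "subnet_id": sid, "prefix": prefix, "mask": mask, "broadcast": bcast,
        "first_host": ".".join(map(str, first)), "last_host": ".".join(map(str, last)),
        "usable_hosts": hosts,
    }


if __name__ == "__main__":
    print(subnet_facts("130.4.102.1", "255.255.240.0"))
```

Step 3 is the only step that needs arithmetic: the "magic number" 256 - mask octet is the block size in that octet, and integer division rounds the address octet down to the nearest block boundary, which is the same thing as ANDing the octet with the mask octet.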
Part IV Revision
Key Terminology
Terminology Definition
Chapter 13
Subnet
Network
Classful IP network
Variable-length subnet masks (VLSM)
Network part
Subnet part
Host part
Public IP network
Private IP network
Subnet mask
Chapter 14
Network number
Network ID
Network address
Network broadcast address
Network part
Host part
Default mask
Chapter 15
Binary mask
Decimal mask
Prefix mask
CIDR mask
Classful addressing
Classless addressing
Chapter 16
Resident subnet
Subnet ID
Subnet number
Subnet address
Subnet broadcast address
Part V - Implementing
IPv4
Chapter 17 - Operating Cisco
Routers
Installing Cisco Routers
- Routers are capable of forwarding packets end to end through a network; this is the main feature of
the network layer
- Routers forward packets by connecting to various physical network links, like Ethernet,
serial links, and Frame Relay
Physical Installation
- Requirements: UTP cables, CATV cables, DSL cables, cable modem, DSL modem
- Consumer-grade SOHO routers =
- Router
- Switch
- Cable or DSL modem
- Wireless access point
- Hardware-enabled encryption
- Different commands:
Router Interfaces
- Switch: supports Ethernet LAN interfaces of various speeds (fa0/1, gi0/1)
- Router: supports serial interfaces, cable TV, DSL, 3G/4G wireless, Ethernet interfaces etc.
- Point-to-point serial link can use: HDLC (default) or PPP
- Referring to interfaces
- interface ethernet 0
- interface fastEthernet 0/1
- interface gigabitethernet 0/0
- interface serial 1/0/1
- show ip interface brief: interface, IP address, OK?, method, line & protocol status
- show interfaces [interface-id]: detailed list of statistics of interface
- sh int fa0/0 = show interfaces fastethernet 0/0 (abbreviated form)
- description text: sets description for interface
- If no CSU/DSU are on the link, router with the DCE cable must supply clocking function
- clock rate: tells router to provide clocking
- Newer router IOS versions add default clock rate 2000000, may be too high for some types
of back-to-back serial cables (DTE + DCE)
- show controllers interface-id: confirms DCE cable is connected and lists clock rate
- bandwidth: documented speed of the interface, which doesn't have to match actual Layer 1
speed
- OSPF and EIGRP base routing protocol metrics on bandwidth by default
- Local packet is sent directly to host, remote packet is sent to default router/gateway
- Paraphrased summary: The router receives a frame, removes the packet from inside the
frame, decides where to forward the packet, puts the packet into another frame, and sends the
frame
- Step 1: Router R1 notes that the received Ethernet frame passes the FCS check, and that the
destination Ethernet MAC address is R1's MAC address, so R1 processes the frame
- Step 2: R1 de-encapsulates the IP packet from inside the Ethernet frame's header and trailer
- Step 3: R1 compares the IP packet's destination IP address to R1's IP routing table
- Step 4: R1 encapsulates the IP packet inside a new data-link frame, in this case, inside a
HDLC header and trailer
- Step 5: R1 transmits the IP packet, inside the new HDLC frame, out the serial link
An Example of IP Routing
- Address abbreviations: Host A : 172.16.1.9, R1 S0/0/0 : 172.16.4.1 etc.
- Routing entry: subnet ID, subnet mask, next-hop router address, outgoing interface
- Router finds match for subnet that destination address is in, and decides to forward it out the
matching interface, to the matching next-hop router IP address
- Router figures out subnet ID by subnet calculation with IP address and mask
- Layer 3 switches route between all 12 VLANs and routers use VLAN trunks to connect to
and route between both VLANs
- Frames tagged with VLAN 10 are treated as if they came in or out of G0/0.10
- Both router and switch need to manually configure trunking (switch: switchport mode
trunk)
- show vlans: lists which router trunk interfaces use which VLANs, which is the native
VLAN + packet statistics
- Layer 3 switch connects to router via access link and VLANs on each SVI
- Static route:
- destination subnet ID: 172.16.2.0
- destination subnet mask: 255.255.255.0
- outgoing interface : S0/0/0
OR
- next-hop router IP address: 172.16.4.2
- If S0/0/1 fails, router removes static route to 172.16.3.0/24 until interface comes up again
- Network route or subnet route: defines route to an IP network or subnet
- If there is a single, slow link to a branch, a routing protocol wastes bandwidth, so a default route to
the core router is set instead
- ip route 0.0.0.0 0.0.0.0 S0/0/1 creates static default route with outgoing interface of S0/0/1
- candidate default route: a candidate from which the router can choose one to use as its
"Gateway of Last Resort"
- OSPFv2: IPv4 only, OSPFv3: IPv6 only, OSPFv3 with address families: IPv4 + IPv6
Comparing IGPs
- EIGRP and OSPFv2 are most popular
- Inside one company or organisation: Interior Gateway (Router) Protocol (IGP)
- Between companies or ISPs: Exterior Gateway (Router) Protocol (EGP)
- RIP uses the hop count metric: the smallest number of links and routers
- Disadvantage of the RIP hop count metric:
- RIP may choose a path with fewer links, but slower ones
Split Horizon
- Split horizon tells router to omit some routes from an update sent out an interface
- Routes that use interface X as the outgoing interface are not sent out interface X,
i.e. the router does not advertise routes that the receiving router would already know of
Route Poisoning
- DV protocols prevent routing loops with route poisoning
- Route poisoning: advertising a failed route with special metric value infinity (16, meaning
failed)
- Once enabled:
- Since all subnets are in the same Class A network 10.0.0.0, RIPv2 only requires one network
command:
RIPv2 Verification
Examining RIP Routes in the IP Routing Table
- When interface fails etc., router converges to use other, non-best routes
- Step 1: R3 has autosummary enabled, with the RIPv2 auto-summary router subcommand
- Step 2: R3 advertises a route for all of Class A network 10.0.0.0 instead of advertising
routes for each subnet inside network 10.0.0.0 (since R2 is in another subnet)
- Step 3: R2 learns one route for network 10.0.0.0/8, which represents all of network 10.0.0.0,
with R3 as the next-hop router
- Definitions:
- Contiguous network: A network topology in which subnets of network X are not
separated by subnets of any other classful network
- Discontiguous network: A network topology in which subnets of network X are
separated by subnets of some other classful network
- Both R3 and R1 have all of network 10.0.0.0, and R2 balances the traffic over both routes
- Two solutions:
- Keep all classful networks together in a design
- Disable autosummarisation with no auto-summary
- R1 learned two 1-hop routes to subnet 192.168.6.0/24, show ip route lists two next-hop
router IP addresses for one subnet
- Step 1: R1 is configured with ip route 0.0.0.0 0.0.0.0 192.0.2.1, i.e. R1's default route is
192.0.2.1
- Step 2: R1 advertises the default route as 0.0.0.0 0.0.0.0 R1 to B01 and B02
- default-information originate: "If the IPv4 routing table has a default route in it, advertise
a default route with RIP, with this local router as the eventual destination of those default
routes"
- B01 sets default route with next-hop address 10.1.12.1 (R1's IP address)
Troubleshooting RIPv2
- show ip route and show ip protocols
- R1 receives and processes R2's RIP messages, but does not send updates to R2
DHCP Concepts
- DHCP client uses DHCP protocol to:
- discover a DHCP server
- request to lease an IPv4 address
- DHCP message types (DORA):
- Discover: Sent by the DHCP client to find a willing DHCP server
- Offer: Sent by a DHCP server to offer to lease to that client a specific IP address
(and inform the client of its other parameters)
- Request: Sent by the DHCP client to ask the server to lease the IPv4 address listed
in the Offer message
- Acknowledgement: Sent by the DHCP server to assign the address, and to list the
mask, default router and DNS server IP addresses
- For DHCP clients without IPv4 addresses:
- Discover packet has source address 0.0.0.0 and destination address 255.255.255.255
- Step 1: Host A sends a Discover message with source address 0.0.0.0 and destination
address 255.255.255.255 (broadcast)
- Step 2: The DHCP server sends an Offer message with source address 172.16.1.11 and
destination address 255.255.255.255 (broadcast)
- Assumes that host uses broadcast flag DHCP option
- Host A lists its own DHCP client ID in the Discover message, so broadcast Offer messages
get ignored by other devices and only host A processes the packet
- Step 1: Host A sends a Discover message with source address 0.0.0.0 and destination
address 255.255.255.255 (local broadcast)
- Step 2: R1 forwards the Discover messages with source address 172.16.1.1 (incoming
interface) and destination address 172.16.2.11 (configured ip helper-address DHCP server
address)
- Routers need to act as DHCP relay agents to let DHCP clients send and receive packets
- Step 1: The returning Offer message from the DHCP server reverses the source and
destination address of the Discover message.
- Step 2: R1 takes the Offer message and edits the destination address to 255.255.255.255
(local broadcast)
- Additional parameters: maximum time limit for lease, allocation mode, TFTP server setting
etc.
- DHCP three allocation modes:
- Dynamic allocation: DHCP dynamically leases IP addresses
- Automatic allocation: Sets DHCP lease time to infinite; hands out permanent IP
addresses
- Static allocation: Manually preconfigured IP address is sent to client by DHCP
server
- TFTP server setting: Cisco IP phones need TFTP to retrieve configuration files when phone
initialises
- Output does not list the excluded addresses, but the addresses begin from the first leasable
address
- IPv4 DHCP server = stateful DHCP server; i.e. the DHCP server keeps status information
(DHCP client ID, IP address leased to client) about each DHCP client that leases an address
- ip helper-address 172.16.2.11
- Network may have outages, and DHCP clients that have already leased an address can
continue to work without any problem
- Step 1: 10.1.1.1 sends a DNS request to resolve the IP address of Server1 to DNS server
10.3.3.3
- Step 2: The DNS server sends a DNS reply containing the resolved IP address of Server1
(10.1.2.3) to 10.1.1.1
- Step 3: 10.1.1.1 sends data to Server1, with destination address 10.1.2.3
- All destination IP addresses are known unicast addresses, so router/switch action is not
required to support DNS
Default Routers
- Two-part host routing choice:
- If packet is destined for a host in the same subnet, the local host sends the packet
directly
- If the packet is destined for a host in a different subnet, the local host sends the
packet to the default gateway
- Check settings in router CLI: show interfaces, show ip interface brief, show protocols,
show running-config
- Check VLAN assignments in switch CLI: show interfaces status, show vlan, show
interfaces switchport
- Host A needs an ARP entry for Host D (for local packet) and R1 (for remote packet)
IP Broadcast Addresses
- Different types of IPv4 broadcast addresses:
- Step 1: Host 1 sends a broadcast message destined to 10.1.1.255 to its default gateway, R1
- Step 2: R1 forwards the packet to subnet 10.1.1.0/24
- Step 3: R2 encapsulates the packet into a local broadcast frame and floods it out all ports
- Security vulnerability: ping to subnet broadcast address causes many hosts to reply
- Cisco default setting of no ip directed-broadcast: disables forwarding of subnet broadcasts
to connected subnet (Step 3)
Part V Revision
Key Terms You Should Know
Terminology Definition
Chapter 17
Bandwidth
Clock rate
Chapter 18
Default gateway/router
ARP table
Routing table
Next-hop router
Outgoing interface
Subinterface
VLAN interface
Layer 3 switch
Connected route
Static route
Default route
Host route
Floating static route
Network route
Administrative distance
Chapter 19
Distance vector
Exterior gateway protocol (EGP)
Interior gateway protocol (IGP)
Metric
Routing update
Contiguous network
Discontiguous network
Autosummarisation
Passive interface
IP routing table
Hop count
Chapter 20
DHCP client
DHCP server
DHCP relay agent
Local broadcast IP address
Subnet broadcast IP address
Network broadcast IP address
Multicast IP address
DNS Request
DNS Reply
- Step 1: Calculate the interesting octet's subnet IDs as per usual (create a "subnet block")
- Step 2: Replicate the subnet block for each increasing value of the just-left octet ...
- Step 3: ... until you reach 255 when you go no further
- Routing problems occur when overlapping subnets are implemented => some hosts cannot
communicate outside their subnets
- Look at entire range of addresses to find VLSM overlaps
- Example:
- Step 1: Host A issues ping 172.16.2.101 and sends a packet with an ICMP echo request
- Step 2: Host B sends an ICMP echo reply on receipt of ICMP echo request
- Packet size | source IP address | ICMP sequence number | time-to-live | time taken
- Extended ping tests same forward route but reverse route now has to be to host's subnet, not
router's outgoing interface in another subnet
- Standard and extended pings cannot test for:
- ACL: router looks at packets as they exit or enter an interface, make comparisons to header
fields, and if matched, make a choice to either discard the packet or let it through
- Step 1: R1 sends an ICMP echo request from a source interface not in the host's subnet
- Step 2: Host A decides to use the default router because the destination address is in another
subnet
- Step 3: Host A sends ICMP echo reply to R1's interface not in its subnet
- Standard ping across a serial WAN link confirms IP packet can be sent over the link and
back
- Successful standard ping confirms that:
- Both routers' serial interfaces are in an up/up state
- The Layer 1 and 2 features of the link work
- The routers believe that the neighbouring router's IP address is in the same subnet
- Inbound ACLs on both routers do not filter the incoming packets, respectively
- The remote router is configured with the expected IP address
- ping does not confirm:
- routes for subnets on LANs
- host's ACL issues
- If ping of the hostname fails but the ping of the IP address works, the problem usually is to
do with DNS
traceroute Basics
- Identifies next-hop IP address of each router
- Step 1: Host A issues a traceroute command and sends a packet with TTL = 1 to (default)
router
- Step 2: R1 subtracts 1 from the TTL value (now 0), which triggers a TTL Exceeded error
- Step 3: R1 sends a TTL Exceeded message to Host A with source address of R1's LAN
interface
- traceroute sends packet with increasing TTL value to next routers
- Step 1: traceroute command sends a packet from the second set with TTL = 2
- Step 2: R1 decrements TTL to 1 and forwards the packet
- Step 3: R2 decrements TTL to 0 and discards the packet
- Step 4: R2 notifies the sending host of the discarded packet by sending a TTL Exceeded
ICMP message with source address of its incoming interface
- Routers use source interface address where original message was discarded
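A constructed model of the traceroute steps above, added here as an example (not from the original notes). Each probe carries an increasing TTL, every router decrements it, and the router whose decrement reaches 0 answers from the address of the interface the probe arrived on, which is why each traceroute line shows a router's incoming-interface address. The router names and addresses are constructed.

```python
# Added example (not from the original notes): why traceroute lists each router's
# incoming-interface address. Routers, addresses and the path are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Router:
    name: str
    incoming_if: str    # address of the interface facing the traceroute source
    outgoing_if: str    # address of the interface facing the destination


def forward(path: List[Router], ttl: int, destination: str) -> Tuple[str, str]:
    """Send one probe along the path. Returns ('ttl-exceeded', reporting address)
    when a router decrements the TTL to 0, else ('echo-reply', destination)."""
    if ttl < 1:
        raise ValueError("a probe must start with TTL >= 1")
    for router in path:
        ttl -= 1
        if ttl == 0:
            # The router discards the probe and sends ICMP Time Exceeded,
            # sourced from the interface on which the probe arrived.
            return ("ttl-exceeded", router.incoming_if)
    return ("echo-reply", destination)


def traceroute(path: List[Router], destination: str, max_hops: int = 30) -> List[str]:
    """Probe with TTL 1, 2, 3 ... until the destination itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, addr = forward(path, ttl, destination)
        hops.append(addr)
        if kind == "echo-reply":
            break
    return hops


# Constructed topology: Host A -> R1 -> R2 -> Host B (10.1.3.9)
PATH = [
    Router("R1", incoming_if="10.1.1.1", outgoing_if="10.1.2.1"),
    Router("R2", incoming_if="10.1.2.2", outgoing_if="10.1.3.1"),
]

if __name__ == "__main__":
    for n, hop in enumerate(traceroute(PATH, "10.1.3.9"), start=1):
        print(n, hop)
```

Note that the model reports 10.1.2.2 for R2, not 10.1.3.1: the address a traceroute shows for a router is the one on the link facing you, which is what the "incoming interface" step above describes.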
- telnet 10.1.2.2 => local username authentication => show ip interface brief
- ssh -l username host connects to router with SSH client
- -l: next parameter is the login username; username is not required at local username
authentication
- Host A's subnet mask implies an address range of 10.1.1.0 - 10.1.1.255, so any destination address
NOT within that range is sent to its default router, 10.1.1.150/25
- R1's subnet mask implies an address range of 10.1.1.128 - 10.1.1.255, so host A's address is NOT
within R1's connected route to 10.1.1.128/25
- Hosts should use the same subnet mask as the default router, and the two devices should be
in the same subnet
Typical Root Causes of DNS Problems
- When ping and traceroute with names fail but with IP addresses succeed, there is a
problem with the DNS setting
- Incorrect default router setting => hosts unable to send packets to different subnet
- Sending within LAN works, it does not require a default router
DHCP Issues
- Router needs to enable DHCP Relay to let DHCP messages cross subnets (ip helper-address
DHCP-server-address)
- Step 1: Host A sends a DHCP Discover message to 255.255.255.255 ff:ff:ff:ff:ff:ff (local
subnet broadcast address)
- Step 2: R1, with the ip helper-address 172.16.2.11 command, changes the destination
address to the DHCP server address as configured in ip helper-address command, and
source address to the incoming interface
- For ROAS, each subinterface needs to be configured with the ip helper-address command
- To test IP connectivity between the DHCP relay agent and the DHCP server, use extended
ping or extended traceroute, with source address of the incoming interface and destination
address of the DHCP server
- speed 1000 command for router and speed 100 for switch causes down/down
Problems with Routing Packets Between Routers
IP Forwarding by Matching the Most Specific Route
- Following router features can create overlapping subnets:
- Autosummarisation
- Manual route summarisation
- Static routes
- Incorrectly designed subnetting plans that cause subnets to overlap their address
ranges
- If packet's destination address matches one route, the router uses that one route
- If more than one route matches a packet's destination address:
Using show ip route and Subnet Math to Find the Best Route
- show ip route ospf lists only OSPF-learned routes, but statistics for numbers of subnets and
masks are for all routes
- When address matches more than one route, the route with the longer prefix length is used
- Example destination IP addresses, the routes they match, and the route chosen by longest prefix:
Address      Matching routes                                                        Longest prefix  Route used
172.16.1.1   172.16.1.1/32, 172.16.1.0/24, 172.16.0.0/22, 172.16.0.0/16, 0.0.0.0/0   /32             172.16.1.1 (local route)
172.16.1.2   172.16.1.0/24, 172.16.0.0/22, 172.16.0.0/16, 0.0.0.0/0                  /24             172.16.1.0/24
172.16.2.3   172.16.0.0/22, 172.16.0.0/16, 0.0.0.0/0                                 /22             172.16.0.0/22
172.16.4.3   172.16.0.0/16, 0.0.0.0/0                                                /16             172.16.0.0/16
172.17.1.1   0.0.0.0/0                                                               /0              0.0.0.0/0 (default route)
- Overlap when all subnets use the same mask => exact same subnet ID, exact same address
range
- ping commands fail, traceroute commands complete for only certain hosts
- Subnet with overlapping addresses should be changed
- IOS only performs the subnet overlap check for interfaces that are not in a shutdown state
- IOS accepts IP address configurations that overlap with shutdown interfaces
- When no shutdown is issued on the overlapping interface, the interface is shut
down until overlap condition has been resolved
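The longest-prefix lookup from the table above and the overlap check for a subnet plan, as an added example (not from the original notes). It goes one step beyond the text: when several sources offer the same prefix, it keeps the one with the lowest administrative distance first, as a router does, and only then applies longest-prefix matching. The routing table and the overlapping plan are constructed; the administrative distance values are the IOS defaults.

```python
# Added example (not from the original notes): route installation by lowest AD,
# longest-prefix-match forwarding, and overlap detection, using the stdlib ipaddress module.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Default IOS administrative distances for the route sources used below.
DEFAULT_AD = {"L": 0, "C": 0, "S": 1, "O": 110, "R": 120}

# A route as IOS lists it: (source code, prefix, next hop or outgoing interface, AD)
Route = Tuple[str, str, str, int]


def make_route(code: str, prefix: str, via: str, ad: Optional[int] = None) -> Route:
    """Build a route; an explicit AD overrides the default (a floating static route)."""
    return (code, prefix, via, DEFAULT_AD[code] if ad is None else ad)


def install_routes(candidates: List[Route]) -> List[Route]:
    """Keep, per prefix, only the candidate with the lowest AD (first one wins a tie)."""
    best: Dict[str, Route] = {}
    for r in candidates:
        key = str(ipaddress.ip_network(r[1], strict=False))
        if key not in best or r[3] < best[key][3]:
            best[key] = r
    return list(best.values())


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match: of all routes containing the destination,
    return the one with the longest prefix length (None = no route, not even a default)."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in ipaddress.ip_network(r[1], strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r[1], strict=False).prefixlen)


def find_overlaps(prefixes: List[str]) -> List[Tuple[str, str]]:
    """Every pair of subnets whose address ranges overlap (a VLSM design error)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


# Constructed routing table with the same prefixes as the table above.
TABLE = [
    make_route("L", "172.16.1.1/32", "GigabitEthernet0/0"),
    make_route("C", "172.16.1.0/24", "GigabitEthernet0/0"),
    make_route("O", "172.16.0.0/22", "172.16.4.2"),
    make_route("O", "172.16.0.0/16", "172.16.4.2"),
    make_route("S", "0.0.0.0/0", "Serial0/0/1"),
]

if __name__ == "__main__":
    for dst in ("172.16.1.1", "172.16.1.2", "172.16.2.3", "172.16.4.3", "172.17.1.1"):
        print(dst, "->", lookup(TABLE, dst))
    print(find_overlaps(["10.1.1.0/24", "10.1.1.128/25", "10.1.2.0/24"]))
```

`install_routes` is the piece that makes the floating static route behave as the later notes describe: with both an OSPF route (AD 110) and a static route given AD 130 for the same prefix, the OSPF route is installed; remove the OSPF candidate and the static one takes over.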
- Allowing of overlaps on different routers:
Part VI Revision
Key Terms You Should Know
Terms Definitions
Chapter 21
Zero subnet
Subnet zero
Broadcast subnet
Chapter 22
Classful routing protocol
Classless routing protocol
Overlapping subnets
Variable-length subnet masks (VLSM)
Chapter 23
Ping
Traceroute
ICMP echo request
ICMP echo reply
Extended ping
Forward route
Reverse route
DNS
Chapter 24
Matching Packets
- ACL command logic: "look for these values in the packet header, and if found,
discard/allow the packet"
- When ACL is enabled, R2 examines every inbound IP packet on S0/0/1 and packets sent by
host A (10.1.1.1) are allowed through, and those sourced by host B (10.1.1.2) are discarded
Types of IP ACLs
- ACL features:
- Standard numbered ACLs (1-99)
- Extended numbered ACLs (100-199)
- Additional ACL numbers (1300-1999 standard, 2000-2699 extended)
- Named ACLs
- Improved editing with sequence numbers
- Host A matches all 3 ACL lines, but the first match is for source address 10.1.1.1, which is
to permit
- Host B matches last 2 ACL lines, but the first match is for source address 10.1.1.0
0.0.0.255, which is to deny
- Host C matches last ACL line for source address 10.0.0.0 0.255.255.255, which is to permit
- If packet does not match any items in ACL, packet is discarded (default configuration: deny
any)
- Line 1: Match and permit all packets with source address of exactly 10.1.1.1
- Line 2: Match and deny all packets with source address with first three octets 10.1.1
- Line 3: Match and permit all addresses with first octet 10
- IOS will specify a source address to be 0 for the parts that will be ignored, even if nonzero
values were configured (e.g. 10.1.2.3 0.255.255.255 => 10.0.0.0 0.255.255.255)
- access-list access-list-number remark: leaves text documentation that stays with ACL
- Router does not filter packets that the router itself creates with an outbound ACL (e.g. ping,
traceroute etc.)
- Extended ACL access-list commands MUST use the host keyword for source/destination
IP addresses
- For example, to match access-list 101 deny udp 1.1.1.0 0.0.0.255 any, packet must have:
- UDP header
- Source IP address 1.1.1.1 - 1.1.1.254
- Any destination IP address
- Extended ACLs with tcp or udp keyword may have source/destination port parameters
- Reverse flow:
- Source address: server subnet
- Source port: 21 (FTP server control port)
- Destination address: client subnet
(- Destination port: greater than 1023)
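An evaluator for the matching logic described in this section, added as an example (not from the original notes). It implements first-match with the implicit deny at the end, wildcard-mask comparison, the IOS normalisation of ignored address bits, and extended entries that also check protocol and destination port. The standard ACL lines are the three quoted above and the extended line is the access-list 101 example; the packets and the second extended line are constructed.

```python
# Added example (not from the original notes): a first-match evaluator for
# standard and extended IP ACL lines with wildcard masks.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def ip_to_int(a: str) -> int:
    o = [int(p) for p in a.split(".")]
    if len(o) != 4 or any(not 0 <= x <= 255 for x in o):
        raise ValueError(f"bad address: {a}")
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def normalise(addr: str, wildcard: str) -> str:
    """IOS stores 0 in every bit the wildcard ignores:
    10.1.2.3 0.255.255.255 is kept as 10.0.0.0 0.255.255.255."""
    return int_to_ip(ip_to_int(addr) & ~ip_to_int(wildcard) & 0xFFFFFFFF)


def wildcard_match(addr: str, ref: str, wildcard: str) -> bool:
    """1 bits in the wildcard are ignored; every other bit must be equal."""
    wc = ip_to_int(wildcard)
    return (ip_to_int(addr) | wc) == (ip_to_int(ref) | wc)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                 # "tcp", "udp", "icmp" ...
    dst_port: Optional[int] = None


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"           # 0.0.0.0 = exact host match (the host keyword)
    proto: str = "ip"                 # "ip" matches every protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"   # together with dst 0.0.0.0 this is "any"
    dst_port: Optional[Tuple[str, int]] = None   # ("eq", 21), ("gt", 1023) or ("lt", 1024)

    def __post_init__(self):
        self.src = normalise(self.src, self.src_wc)
        self.dst = normalise(self.dst, self.dst_wc)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and pkt.proto != self.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.dst_port is not None:
            op, value = self.dst_port
            if pkt.dst_port is None:
                return False
            checks = {"eq": pkt.dst_port == value,
                      "gt": pkt.dst_port > value,
                      "lt": pkt.dst_port < value}
            if not checks[op]:
                return False
        return True


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, int]:
    """First match wins; returns (action, line number). Line 0 is the implicit deny any."""
    for number, entry in enumerate(acl, start=1):
        if entry.matches(pkt):
            return entry.action, number
    return "deny", 0


# The three standard ACL lines discussed above.
STANDARD_ACL = [
    AclEntry("permit", "10.1.1.1"),
    AclEntry("deny", "10.1.1.0", "0.0.0.255"),
    AclEntry("permit", "10.0.0.0", "0.255.255.255"),
]

# access-list 101 deny udp 1.1.1.0 0.0.0.255 any, plus a constructed second line
# permitting TCP to the FTP control port in subnet 10.2.2.0/24.
EXTENDED_ACL = [
    AclEntry("deny", "1.1.1.0", "0.0.0.255", proto="udp"),
    AclEntry("permit", "0.0.0.0", "255.255.255.255", proto="tcp",
             dst="10.2.2.0", dst_wc="0.0.0.255", dst_port=("eq", 21)),
]
```

Running `evaluate(STANDARD_ACL, Packet("10.1.1.2", "172.16.3.3"))` gives ("deny", 2): host B matches lines 2 and 3, but only the first match counts. A packet from 192.168.1.1 matches nothing and falls to line 0, the implicit deny.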
- Like standard ACLs, the location and direction in which to enable the ACL must be chosen:
- Which interface?
- Which direction: inbound or outbound?
- R3 does not match Larry's traffic because Larry's traffic will never enter R3's E0 interface
- ip access-list: defines whether ACL is standard or extended, and defines the name and
moves user to ACL configuration mode
- Filtering closer to the source of the packet: less bandwidth taken up in the network (extended
ACLs)
- Filtering closer to the destination: fewer packets filtered unintentionally (standard ACLs, which
match only on source address)
- Place more specific matching parameters early in each list:
- Example: if a line for 10.1.1.1 is placed after 10.1.1.0 0.0.0.255, no packet ever matches the 10.1.1.1 line
- Cisco recommends you disable ACLs on the interfaces before you change statements in the
list
- If an entire ACL is deleted while ACL is enabled on interface, IOS does not filter
any packets (as is the case with disabling an ACL on interface)
- As soon as one statement is added to enabled ACL, IOS filters packets based on that
ACL, and the implicit deny any (deny ip any any) is activated
- Finding contents of ACL: show running-config, show access-lists and show ip access-lists
- Commands also list counters for number of packets that have matched each line in ACL
- Requirements:
- Allow hosts in subnet 10.3.3.0/25 and subnet 10.1.1.0/24 to communicate
- Prevent hosts in subnet 10.4.4.0/23 and subnet 10.1.1.0/24 from communicating
- Allow all other communications between hosts in network 10.0.0.0
- Prevent all other communications
- R2's G0/2 inbound interface does not match outbound packets from 10.4.4.0/23
- Can apply for TCP/UDP source/destination ports
- You can include these lines in any inbound ACL to ensure that routing protocol packets
would be permitted
- Only the ACL on incoming interface of the local router will filter self-ping
CIDR
- CIDR's main goals according to RFC 4632:
- Defines a way to assign public IP addresses
- Allows route aggregation or route summarisation
- Assignment of all addresses that begin with 198 to one ISP lets other ISPs use one route for
198.0.0.0/8 to match all those addresses
- CIDR reduces wasted addresses by assigning subnets (CIDR blocks)
Private Addressing
- If a computer would never connect to the Internet, it can use duplicates of registered IP
addresses or private addresses
- RFC 1918 defines a set of networks that will never be assigned to any organisation as a
registered network number called private internets
- Private addresses cannot be advertised using a routing protocol on the Internet
- NAT router changes outgoing packet source addresses and incoming packet destination
addresses
- Source NAT
Static NAT
- Source NAT table: lists inside local address with matching inside global address
- Destination NAT uses outside global/local
Dynamic NAT
- One-to-one mapping of inside local address to inside global address happens dynamically
- Server does not care whether all connections came from a single host, or from multiple
hosts
- PAT takes advantage of this, and translates ports and address
- NAT overload can use more than 65000 port numbers to translate addresses and ports
- inside: NAT translates addresses for hosts on the inside part of the network
- source: NAT translates the source IP address of packets coming into its inside interfaces
- static: Static entry is defined
- show ip nat translations lists NAT table
- show ip nat statistics lists statistics on NAT, such as number of hits, active translations etc.
- ip nat pool my-pool 200.1.1.1 200.1.1.10 netmask 255.255.255.240: configures for inside
global addresses in between, and including 200.1.1.1 and 200.1.1.10 to be translated to
- netmask checks if both lowest and highest addresses are in the same subnet
- If netmask doesn't match, then IOS rejects the command
- ip nat inside source list 1 pool fred:
- Create NAT table entries that map between hosts matched by ACL 1, for packets
entering any inside interface, allocating an inside global address from the pool called
fred
- First "misses" indicates number of times a new packet does not find a NAT entry, at which
point, dynamic NAT reacts and builds an entry
- Second "misses" indicates number of times dynamic NAT tries to allocate a new NAT table
entry and finds no available addresses, probably resulting in a discard
- After host 10.1.1.1 telnets to host 170.1.1.1, show ip nat statistics lists:
- 1 active translation
- 1 miss (host tried to find NAT entry, but couldn't find one)
- 69 hits (dynamic NAT created entry, and host can now be translated)
- 1 pool member allocated | 50% of the pool are currently in use
- NAT entry can time out or clear ip nat translation * can remove all entries
- debug ip nat causes router to issue a message every time a packet has its address translated
for NAT
- interface serial 0/0/0: only inside global IP address available is the IP address of the NAT
router's interface serial 0/0/0
- overload parameter means that NAT overload feature is enabled
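A small model of source NAT with overload (PAT), added as an example (not from the original notes or the IOS implementation). It shows how the translation table maps inside local address:port to inside global address:port, how a returning packet is mapped back by its destination port, what the "hits" and "misses" counters in show ip nat statistics count, and what happens when no port can be allocated. The inside global address 200.1.1.251 and the host addresses are constructed; 170.1.1.1 is the server from the telnet example above.

```python
# Added example (not from the original notes): a PAT translation table with
# hit/miss counters. Addresses and ports are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int]   # (IP address, port)


@dataclass
class PatTranslator:
    inside_global: str                  # the single public address used for all hosts
    next_port: int = 1024               # constructed starting point for fallback global ports
    max_port: int = 65535
    table: Dict[Flow, Flow] = field(default_factory=dict)     # inside local -> inside global
    reverse: Dict[Flow, Flow] = field(default_factory=dict)   # inside global -> inside local
    hits: int = 0                       # packets that matched an existing entry
    misses: int = 0                     # packets with no entry (a new entry is then built)
    alloc_failures: int = 0             # entries that could not be built: no free port

    def _allocate_port(self, preferred: int) -> Optional[int]:
        """Keep the host's own source port when it is free, else take the next free port."""
        if (self.inside_global, preferred) not in self.reverse:
            return preferred
        while self.next_port <= self.max_port:
            port = self.next_port
            self.next_port += 1
            if (self.inside_global, port) not in self.reverse:
                return port
        return None

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Tuple[str, int, str, int]]:
        """Packet entering an inside interface: translate the source address and port."""
        key = (src, sport)
        if key in self.table:
            self.hits += 1
        else:
            self.misses += 1
            port = self._allocate_port(sport)
            if port is None:
                self.alloc_failures += 1
                return None                 # the router has nothing to translate to
            self.table[key] = (self.inside_global, port)
            self.reverse[self.table[key]] = key
        g_ip, g_port = self.table[key]
        return (g_ip, g_port, dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Tuple[str, int, str, int]]:
        """Returning packet: its destination is an inside global address:port; map it back."""
        entry = self.reverse.get((dst, dport))
        if entry is None:
            return None                     # no entry: the packet cannot be delivered inside
        self.hits += 1
        l_ip, l_port = entry
        return (src, sport, l_ip, l_port)

    def active_translations(self) -> int:
        return len(self.table)

    def show_translations(self) -> List[str]:
        """Rows in the spirit of show ip nat translations: inside global, inside local."""
        return [f"{g[0]}:{g[1]} {l[0]}:{l[1]}" for l, g in self.table.items()]


if __name__ == "__main__":
    nat = PatTranslator("200.1.1.251")
    print(nat.outbound("10.1.1.1", 49152, "170.1.1.1", 23))
    print(nat.outbound("10.1.1.2", 49152, "170.1.1.1", 23))   # same port: gets a new global port
    print(nat.inbound("170.1.1.1", 23, "200.1.1.251", 1024))
    print(nat.show_translations(), nat.hits, nat.misses)
```

The second host deliberately reuses source port 49152, so the translator must hand it a different global port (1024 here); the reverse map keyed on that port is what lets the reply reach 10.1.1.2 rather than 10.1.1.1.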
NAT Troubleshooting
- Most of NAT troubleshooting issues relate to getting the configuration correct
- Troubleshooting checklist for most common source NAT issues:
- ARPANET => research => fixed Internet access with dial, DSL and cable => pervasive
mobile Internet
- IANA and RIRs have exhausted IPv4 addresses, and the day has come when new companies' only option
will be IPv6
- IETF used NAT, CIDR and IPv6 to solve IPv4 address exhaustion problem
IPv6 Routing
- PC1, with address 2345::1, wants to send a packet to host PC2 in another subnet, so sends
the packet to the default gateway, 2345::2, with the packet encapsulated inside an Ethernet
header and trailer
- Step 1: R1 de-encapsulates the IPv6 packet, discarding the Ethernet header and trailer
- Step 2: R1 makes a forwarding decision and re-encapsulates the IPv6 packet into a HDLC
header and trailer
- IPv6 packets use IPv6 routing table, listing information about prefixes (subnets), outgoing
interface and next-hop router
- Dual stack: migration strategy of running both IPv4 and IPv6 (on a router, by adding
additional configuration)
- Same IGP/EGP conventions as IPv4: IGP advertises IPv6 routes inside an enterprise
- For example:
- Unabbreviated address: FE00:0000:0000:0001:0000:0000:0000:0056
- Remove the leading 0s: FE00:0:0:1:0:0:0:56
- Remove consecutive 0s:
- Shortest abbreviation: FE00:0:0:1::56
- Longer, valid abbreviation: FE00::1:0:0:0:56
- Invalid abbreviations:
- FE:0:0:1::56
- FE00::1::56
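The two abbreviation rules in code, added as an example (not from the original notes): drop leading zeros in each group, then replace the longest run of two or more consecutive all-zero groups with `::`. The parser also rejects the invalid forms listed above and shows that `FE:0:0:1::56`, while syntactically valid, is a different address. Function names are the example's own.

```python
# Added example (not from the original notes): IPv6 address abbreviation and validation.
import string
from typing import List

HEX = set(string.hexdigits)


def parse_ipv6(addr: str) -> List[int]:
    """Return the eight 16-bit groups of addr; raise ValueError for an invalid abbreviation
    (more than one '::', wrong number of groups, or a group longer than 4 hex digits)."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one all-zero group")
        parts = left + ["0"] * missing + right
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 groups, got {len(parts)}")
    groups = []
    for p in parts:
        if not p or len(p) > 4 or not set(p) <= HEX:
            raise ValueError(f"bad group {p!r}")
        groups.append(int(p, 16))
    return groups


def is_valid(addr: str) -> bool:
    try:
        parse_ipv6(addr)
        return True
    except ValueError:
        return False


def same_address(a: str, b: str) -> bool:
    """Two spellings name the same address when their expanded groups are equal."""
    return parse_ipv6(a) == parse_ipv6(b)


def abbreviate(addr: str) -> str:
    """Rule 1: drop leading zeros in every group.
    Rule 2: replace the longest run of two or more all-zero groups with '::'
    (the first such run on a tie); a single zero group is left as '0'."""
    groups = parse_ipv6(addr)
    hexs = [f"{g:X}" for g in groups]          # f"{0:X}" is "0", so leading zeros vanish
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


if __name__ == "__main__":
    print(abbreviate("FE00:0000:0000:0001:0000:0000:0000:0056"))
    for candidate in ("FE00::1:0:0:0:56", "FE:0:0:1::56", "FE00::1::56"):
        print(candidate, is_valid(candidate))
```

For the address above the first zero run is two groups long and the second three, so the second one becomes `::`, giving `FE00:0:0:1::56` as in the notes.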
- If all devices were in the same VLAN, serial link, EoMPLS link and data branches require a
different subnet (subnets for the Internet will be assigned by ISP)
- Site local (begin with FEC, FED, FEE or FEF): originally intended to be used like IPv4
private addresses, and has since been removed from the IPv6 standards
- IPv6 has no concept of address classes, but authorities give a locked global routing prefix
and prefix length (prefix length of global routing prefix is often between /32 and /48 or
possibly as long as /56)
- Interface ID doesn't have to be 64 bits long, but there is no reason to avoid it
- Subnet field is typically 128 - Interface ID - Global Routing Prefix (or 64 - Global Routing
Prefix)
- For 2001:0DB8:1111:0001:0000:0000:0000:0001:
- Company was assigned prefix 2001:0DB8:1111/48
- Company uses a 64-bit interface ID
- Company has a subnet field of 16 bits, allowing 2^16 (65536) IPv6 subnets
- Each subnet supports (2^64 - reserved values) hosts
- Global routing prefix followed by different subnet bits, and all 0s for interface IDs
- The IPv6 subnet ID is more formally called the subnet router anycast address, is reserved,
and should not be used as an IPv6 address for any host
- Company 1's four subnets for all its data link instances, with global routing prefix
2001:DB8:1111::/48
- show ipv6 interface lists IPv6 address, prefix length and subnet that interface is in
- show ipv6 interface brief: lists IPv6 addresses, but not the prefix length or prefixes
- Router adds IPv6 connected routes to the IPv6 routing table off each interface that is up/up
Generating a Unique Interface ID Using Modified EUI-64
- Routers typically use static IPv6 addresses, while user devices use DHCP or SLAAC
- Modified EUI-64 (Extended Unique Identifier) rules for creating interface IDs:
Link-Local Addresses
- Not used for normal IPv6 packet flows, but by overhead protocols and for routing
- IOS creates link-local addresses for any interface that has configured at least one other
unicast address with the ipv6 address command (global unicast, unique local)
- Unicast and link-local addresses have same interface IDs if using EUI-64
- IOS chooses link-local address for interface based on the following rules:
- If configured, router uses value in ipv6 address address link-local
- If not, IOS calculates link-local address with EUI-64 rules
- Two routers on WAN link do not need global unicast addresses, whereas hosts on each
LAN need global unicast addresses
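The modified EUI-64 derivation and the link-local address built from it, added as an example (not from the original notes or IOS). The rules applied are the standard ones: split the 48-bit MAC into two halves, insert FFFE between them, and invert the seventh bit (the universal/local bit) of the first byte. The MAC address 0013.1234.5678 and the /64 prefix are constructed; the function names are the example's own.

```python
# Added example (not from the original notes): modified EUI-64 interface IDs and the
# link-local / global unicast addresses formed from them. MAC and prefix are constructed.
import ipaddress
import re


def mac_bytes(mac: str) -> bytes:
    """Accept 0013.1234.5678, 00:13:12:34:56:78 or 00-13-12-34-56-78."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    return bytes.fromhex(digits)


def eui64_bytes(mac: str) -> bytes:
    """Split the MAC into 24-bit halves, insert FF FE, and invert the U/L bit (0x02)
    of the first byte."""
    b = mac_bytes(mac)
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]


def eui64_interface_id(mac: str) -> str:
    """The 64-bit interface ID as four 16-bit hex groups, e.g. 0213:12FF:FE34:5678."""
    iid = eui64_bytes(mac)
    return ":".join(iid[i:i + 2].hex().upper() for i in range(0, 8, 2))


def link_local(mac: str) -> str:
    """FE80::/64 plus the EUI-64 interface ID, in compressed lowercase form."""
    base = int(ipaddress.IPv6Address("fe80::"))
    return str(ipaddress.IPv6Address(base | int.from_bytes(eui64_bytes(mac), "big")))


def global_unicast(prefix: str, mac: str) -> str:
    """A /64 prefix plus the EUI-64 interface ID; the same ID the link-local address uses."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_bytes(mac), "big")))


if __name__ == "__main__":
    mac = "0013.1234.5678"   # constructed
    print(eui64_interface_id(mac))
    print(link_local(mac))
    print(global_unicast("2001:DB8:1111:1::/64", mac))
```

Because both addresses are built from the same interface ID, the last four groups of the link-local and global unicast addresses match, which is the observation made in the bullet about EUI-64 above.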
Anycast Addresses
- Packets sent to this address are delivered to the nearest device that supports the address
- A host uses :: when it does not yet know its own IPv6 address, or when it suspects that its own IPv6
address might have problems (e.g. during dynamic IPv6 address configuration)
- ::1 is used as the loopback address to test the host's own protocol stack (down to IPv6 and back up
to the application)
- Interface IPv6 address, DNS servers: typically global unicast or unique local unicast address
- Default router: typically link-local address
- NDP functions:
- NS/NA lets hosts discover the link-layer address of other on-link hosts (hosts on the same data link)
- NS: "What is your link address?" to target IPv6 unicast address
- Step 1:
- PC1 looks in its NDP neighbour table, and doesn't find MAC address
- PC1 sends an NS to the solicited-node multicast address to find PC2's MAC address,
asking for the MAC address
- Step 2:
- PC2 sends back an NA message, listing PC2's MAC address
- PC1 records PC2's MAC address in PC1's NDP neighbour table
- Viewing the NDP neighbour table:
- Windows: interface ipv6 show neighbors
- Linux: ip -6 neighbour show
- Mac OS: ndp -an
NDP Summary
- Stateful DHCPv6 tracks info about which client has a lease for what IPv6 address
- Stateless DHCP servers do not track any per-client information
- Step 1:
From: A's link-local address
To: FF02::1:2 (all-DHCP-agents address)
- Step 2:
From: R1's OUTGOING interface address (DHCPv4: incoming)
To: DHCPv6 server address
- Return DHCPv6 messages follow reverse process
- DHCPv6 client asks for only DNS server addresses, and NOT a lease of an IPv6 address
- Stateless DHCPv6 server:
- Needs simple configuration only; small number of DNS server addresses
- Needs no per-subnet configuration; no lists, pools, excluded addresses etc.
- Does not need to track state information about DHCP leases because it does not
lease addresses to any clients
- SLAAC gave the host two IPv6 addresses (one with EUI-64, one with a random interface ID)
- ipconfig or ifconfig examines IPv6 settings:
- Another verification: look at the router's neighbour table (checks the host's NS/NA response)
- Router can clear its neighbour table with clear ipv6 neighbors and then ping a host on some
connected interface
- Router sends an NDP NS
- Host needs to send an NDP NA back
- If the host's MAC address shows in the neighbour table, the host replied with an NDP NA
- Cisco routers watch for (unsolicited) RA messages received from other routers
- show ipv6 routers lists any other routers heard in the local subnet
- R1 does not hear any RA messages from other routers on its LAN subnet
- R2 and R3 hear RAs from each other because they share a LAN subnet
- R1 should have three connected routes and three local routes, one of each on each working interface
- Each working interface adds a connected route (the /64 prefix) and a local route (the interface
address); there is also one extra local route for the multicast range FF00::/8
- The local route lists the interface address with prefix length /128 (matches only that address)
- Both R1 and R2 need routes for each other's subnet for a successful ping:
- Verification: ping, traceroute, show ipv6 route and show ipv6 route static:
- show ipv6 route lists the route with next-hop address AND outgoing interface
- ::/0: address is all 0s, prefix length is 0 = matches all IPv6 addresses
- IPv6 default routes (::/0) are not flagged as "candidate default" (no * as in show ip route); they
are simply added as static routes
- Both the primary OSPF-learned link and the backup T1 link reach subnet 2001:DB8:1111:7::/64
- R1 chooses the backup T1 link over the faster primary link because:
- AD of the OSPF-learned route is 110
- AD of the static route is 1
- Lowest AD (static route) gets chosen
- Floating static route: static route with the default AD value overridden to something higher than
the routing protocol's AD
- ipv6 route 3444:4:4:4::/64 3444:2:2:2::2 130: this static route is not added to the routing table while
the OSPF-learned route exists, because OSPF's AD (110) is lower than 130; if the OSPF route is lost, the
static route "floats" in
- show ipv6 route and show ipv6 route 3444:4:4:4::/64 list ADs:
- Routing code:
- "ND": NDP-learned default route
- "NDp": NDP-learned prefix
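The AD-based route selection and the floating static route scenario above, as an added example (not part of the original notes): a small model of the IPv6 routing table that keeps every candidate, installs the lowest-AD candidate per prefix, does longest-prefix lookup, and replays the three states of the scenario (plain static wins wrongly, floating static with AD 130 yields to OSPF, floating static takes over when OSPF withdraws). The next-hop addresses and the 2001:db8 prefixes are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """A route offered to the routing table by one source (static, OSPF, ...)."""
    prefix: str
    source: str
    ad: int          # administrative distance: lower wins for the same prefix
    next_hop: str


class IPv6RoutingTable:
    def __init__(self):
        self.candidates = []

    def add(self, cand: Candidate):
        self.candidates.append(cand)

    def withdraw(self, source: str, prefix: str):
        """Simulate a route going away (e.g. the OSPF neighbour's link fails)."""
        net = ipaddress.IPv6Network(prefix)
        self.candidates = [c for c in self.candidates
                           if not (c.source == source and ipaddress.IPv6Network(c.prefix) == net)]

    def installed(self):
        """What show ipv6 route would list: per prefix, the candidate with the lowest AD."""
        best = {}
        for c in self.candidates:
            key = str(ipaddress.IPv6Network(c.prefix))
            if key not in best or c.ad < best[key].ad:
                best[key] = c
        return best

    def lookup(self, dest: str):
        """Longest-prefix match over the installed routes; ::/0 catches everything else."""
        addr = ipaddress.IPv6Address(dest)
        matches = [c for c in self.installed().values()
                   if addr in ipaddress.IPv6Network(c.prefix)]
        if not matches:
            return None
        return max(matches, key=lambda c: ipaddress.IPv6Network(c.prefix).prefixlen)


def demo():
    """Replays the floating-static scenario; returns which source is installed at each step."""
    rt = IPv6RoutingTable()
    subnet = "2001:db8:1111:7::/64"
    rt.add(Candidate(subnet, "ospf", 110, "2001:db8:1111:5::2"))    # fast primary link
    rt.add(Candidate(subnet, "static", 1, "2001:db8:1111:6::2"))    # backup T1 with default AD 1
    plain_static = rt.installed()[subnet].source                    # static wins: the wrong path

    rt.withdraw("static", subnet)
    rt.add(Candidate(subnet, "static", 130, "2001:db8:1111:6::2"))  # floating static, AD 130
    floating = rt.installed()[subnet].source                        # OSPF (110) now wins

    rt.withdraw("ospf", subnet)                                     # primary link lost
    failover = rt.installed()[subnet].source                        # floating static takes over

    rt.add(Candidate("::/0", "static", 1, "2001:db8:1111:9::1"))    # default route
    return {"plain_static": plain_static, "floating": floating, "failover": failover,
            "specific": rt.lookup("2001:db8:1111:7::9").prefix,
            "default": rt.lookup("2001:db8:ffff::1").prefix}


if __name__ == "__main__":
    print(demo())
```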
Troubleshooting Incorrect Static Routes That Appear in the IPv6 Routing Table
- If the command syntax is correct, the ipv6 route command is placed into the running-config; then, if
no other problem exists, IOS puts the route into the IPv6 routing table
- Incorrect but syntactically valid commands, such as using the router's own local interface address as
the next-hop address, are accepted and put into the IPv6 routing table
- Check for mistakes:
- IOS would accept the command, but the route will not work
- IOS rejects the command if outgoing interface is omitted and next-hop address is a link-
local address
The Static Route Does Not Appear in the IPv6 Routing Table
- IOS makes checks before adding a route:
- Since R1 doesn't have a route to the next-hop address 2001:DB8:9:3::2, IOS does not add
the route
Part VIII Revision
Key Terms You Should Know
Terminology Definition
Chapter 28
IPv4 address exhaustion
IP version 6 (IPv6)
OSPF version 3 (OSPFv3)
EIGRP version 6 (EIGRPv6)
Prefix
Prefix length
Quartet
Chapter 29
Global unicast address
Global routing prefix
Unique local address
Subnet ID (prefix ID)
Subnet router anycast address
Chapter 30
Dual stacks
EUI-64
Link-local address
Link-local scope
Solicited-node multicast address
All-nodes multicast address (FF02::1)
All-routers multicast address (FF02::2)
Anycast address
Subnet-router anycast address (prefix)
Chapter 31
Neighbor Discovery Protocol (NDP)
Router Solicitation (RS)
Router Advertisement (RA)
Neighbor Solicitation (NS)
Neighbor Advertisement (NA)
Stateless Address Auto Configuration
(SLAAC)
Duplicate Address Detection (DAD)
Stateful DHCPv6
Stateless DHCPv6
IPv6 neighbor table
Chapter 32
-
Part IX - Network Device
Management
Chapter 33 - Device Management
Protocols
System Message Logging (Syslog)
- IOS can send syslog messages to currently-logged users or store them
- Format, using the message *Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface
FastEthernet0/0, changed state to down as the example:
timestamp: *Dec 18 17:10:15.079
facility on the router that generated the message: %LINEPROTO
severity level: 5
mnemonic for the message: UPDOWN
description: Line protocol on Interface FastEthernet0/0, changed state to down
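The message format above, and the per-destination severity levels configured later in the checklist (logging console 5, logging monitor 3, logging buffered 2, logging trap 7), as an added example that is not part of the original notes: a parser that splits an IOS syslog line into sequence number, timestamp, facility, severity, mnemonic and description, a router that delivers each message to every destination whose configured level is at or above the message severity, and a small detection that pulls failed-login attempts out of the stream. The log lines are constructed for the demo (the first is the page's example); the SEC_LOGIN line follows the real IOS message shape but its user and source address are invented.

```python
import re

SYSLOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"                                              # service sequence-numbers
    r"(?:\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?):\s+)?"  # service timestamps
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$")

SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Constructed sample; line 1 is the example from the notes.
SAMPLE_LOG = [
    "*Dec 18 17:10:15.079: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "*Dec 18 17:10:15.080: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "*Dec 18 17:10:16.204: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)",
    "000042: *Dec 18 17:11:02.500: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] "
    "[Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 17:11:02 UTC Wed Dec 18 2019",
    "*Dec 18 17:12:00.001: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.1.2 on GigabitEthernet0/1 from FULL to DOWN, "
    "Neighbor Down: Dead timer expired",
]

# Mirrors: logging console 5 / logging monitor 3 / logging buffered 2 / logging trap 7
LOGGING_LEVELS = {"console": 5, "monitor": 3, "buffered": 2, "trap": 7}


def parse_syslog(line: str):
    """Split one IOS log line into its fields; returns None for lines that are not IOS messages."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY_NAMES[d["severity"]]
    d["seq"] = int(d["seq"]) if d["seq"] else None
    return d


def route_messages(lines, logging_levels):
    """IOS rule: a destination receives a message when message severity <= its configured level."""
    delivered = {dest: [] for dest in logging_levels}
    for line in lines:
        msg = parse_syslog(line)
        if msg is None:
            continue
        for dest, level in logging_levels.items():
            if msg["severity"] <= level:
                delivered[dest].append(f"{msg['facility']}-{msg['severity']}-{msg['mnemonic']}")
    return delivered


LOGIN_FAILED_RE = re.compile(r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<source>[^\]]+)\]")


def failed_logins(lines):
    """Detection: (user, source) for every SEC_LOGIN-4-LOGIN_FAILED message in the stream."""
    hits = []
    for line in lines:
        msg = parse_syslog(line)
        if msg and msg["facility"] == "SEC_LOGIN" and msg["mnemonic"] == "LOGIN_FAILED":
            m = LOGIN_FAILED_RE.search(msg["description"])
            if m:
                hits.append((m.group("user"), m.group("source")))
    return hits


if __name__ == "__main__":
    print(parse_syslog(SAMPLE_LOG[0]))
    print(route_messages(SAMPLE_LOG, LOGGING_LEVELS))
    print(failed_logins(SAMPLE_LOG))
```

With logging buffered 2 the local buffer keeps nothing from this sample and the monitor line only sees the level-3 link failure; only the syslog server (logging trap 7) receives the failed login, which is the practical argument for shipping at level 6 or 7 to a collector and filtering there.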
- A real network would have one (or a few) NTP server(s), with all other devices as NTP clients
- NTP terms:
- show cdp neighbors and show lldp neighbors have "local intf" and "port ID" columns
- lldp run: enables LLDP globally
- lldp transmit and lldp receive: enables LLDP on interfaces (configures LLDP to only
send, or only receive messages)
- Enable passwords:
- To enter privileged EXEC mode
- To connect via Telnet
- To connect via SSH and Telnet (username & password)
- EXTRA INFO: line vty 0 4 selects the first five virtual terminal lines, which serve both Telnet and SSH
sessions; transport input telnet | ssh on those lines decides which protocol is accepted
- Configuration/verification:
- IOS adds encoding type "7" to passwords encoded by the service password-encryption command; type 7
is a reversible obfuscation with a fixed, publicly known key, not real encryption, so it only hides
passwords from someone glancing over your shoulder
- | section password-encryption lists the section on password encryption
- Encoding type "0": clear-text passwords
- IOS compares the hash of the password entered at login with the enable secret value (types 5, 8 and 9
are one-way hashes, unlike type 7)
- Another enable secret command with a different algorithm type replaces any existing enable secret
command
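To make the type 7 point concrete, and as a check for the service password-encryption and enable secret items in the configuration checklist later on, here is an added example that is not part of the original notes: the public type 7 scheme (two-digit seed, then each password byte XORed with the next byte of a fixed key), both directions, plus a small audit that classifies credential lines in a config as clear-text, reversible, or one-way hashed. The sample configuration is constructed; 0822455D0A16 is the long-known encoding of "cisco", and the type 9 value is a placeholder, not a real hash.

```python
import re

# Cisco's fixed type 7 key. It is public, which is the whole problem.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse 'service password-encryption': seed = first two decimal digits, then hex pairs."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(encoded), 2)):
        out.append(int(encoded[pos:pos + 2], 16) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return out.decode("ascii")


def type7_encode(plain: str, seed: int = 2) -> str:
    """Produce the form IOS writes into the config; seed is the starting offset into the key."""
    if not 0 <= seed <= 15:                       # two-digit decimal seed; small values as IOS uses
        raise ValueError("seed must be between 0 and 15")
    body = "".join(f"{b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}"
                   for i, b in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body}"


# enable password/secret, username ... password/secret, and line-mode 'password'
CRED_RE = re.compile(
    r"^\s*(?P<stmt>enable (?:password|secret)|username \S+ (?:password|secret)|password)"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$")


def audit_config(config: str):
    """(line, classification, recovered-password-or-None) for every credential line found."""
    findings = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        enc_type = m.group("type") or "0"
        value = m.group("value")
        if enc_type == "0":
            findings.append((line.strip(), "cleartext", value))
        elif enc_type == "7":
            findings.append((line.strip(), "type 7 (reversible)", type7_decode(value)))
        else:
            findings.append((line.strip(), f"type {enc_type} (one-way hash)", None))
    return findings


# Constructed sample config (not real device output).
SAMPLE_CONFIG = """\
hostname R1
enable password 7 0822455D0A16
username jack password 0 letmein
username admin secret 9 $9$constructed-salt$constructed-hash-not-a-real-value
line con 0
 password 7 03085E1F0B0A2842
 login
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Anything the audit reports as "cleartext" or "type 7 (reversible)" should be treated as disclosed the moment a config backup, TFTP copy or show running-config output leaves the device; replace those with enable secret / username ... secret (type 8 or 9 where the IOS supports it), which this audit deliberately cannot reverse.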
Firewalls
Security Zones
- Firewalls pay close attention to which host initiates a communication by looking at the initial
TCP segment (SYN)
- When an inside user opens a web browser the outbound connection is allowed, but the company doesn't
want unauthorised (outside) hosts to connect to, say, the payroll server
- Security zones define which hosts can initiate new connections; a firewall can place
multiple interfaces into the same zone so that the same rules apply to all of them
- The firewall needs another rule so that users in zone outside can initiate connections to the web
servers in the DMZ (and only to those servers and ports)
- The enterprise can thus prevent Internet users from even attempting to connect to internal devices in
zone inside, preventing many types of attacks
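The zone rules above, as an added example that is not part of the original notes: a stateful zone policy evaluator that judges only connection-initiating SYNs against an initiation policy (inside may open anything to outside and DMZ; outside may open only ports 80 and 443 into the DMZ; nothing may open into inside), records permitted initiations as sessions, and lets every later segment through only when it belongs to one of those sessions. The zone networks, ports and the six test segments are constructed assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Ordered so the first matching zone wins; 'outside' (0.0.0.0/0) is the catch-all.
ZONES = [
    ("inside", ipaddress.ip_network("10.1.0.0/16")),
    ("dmz", ipaddress.ip_network("192.0.2.0/24")),
    ("outside", ipaddress.ip_network("0.0.0.0/0")),
]

# Who may INITIATE (send the first SYN) into which zone; None = any destination port.
INITIATION_POLICY = {
    ("inside", "outside"): None,
    ("inside", "dmz"): None,
    ("outside", "dmz"): {80, 443},
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    raise ValueError(f"{ip} is in no zone")


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


class ZoneFirewall:
    """Only the initial SYN is judged against the policy; everything else needs an existing session."""

    def __init__(self, policy=INITIATION_POLICY):
        self.policy = policy
        self.sessions = set()  # (src, sport, dst, dport) of permitted initiations

    def check(self, seg: Segment):
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit", "part of an existing session"
        is_new = "SYN" in seg.flags and "ACK" not in seg.flags
        if not is_new:
            return "drop", "no matching session (not a connection initiation)"
        src_zone, dst_zone = zone_of(seg.src), zone_of(seg.dst)
        if src_zone == dst_zone:
            self.sessions.add(fwd)
            return "permit", f"intra-zone ({src_zone})"
        if (src_zone, dst_zone) not in self.policy:
            return "drop", f"{src_zone} may not initiate to {dst_zone}"
        ports = self.policy[(src_zone, dst_zone)]
        if ports is not None and seg.dport not in ports:
            return "drop", f"{src_zone}->{dst_zone} allowed only to ports {sorted(ports)}"
        self.sessions.add(fwd)
        return "permit", f"{src_zone} initiated to {dst_zone}"


def demo():
    """Runs six constructed segments through the firewall; returns the verdicts in order."""
    fw = ZoneFirewall()
    syn, synack = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    traffic = [
        Segment("10.1.1.5", "198.51.100.7", 40000, 443, syn),     # inside user opens HTTPS out
        Segment("198.51.100.7", "10.1.1.5", 443, 40000, synack),  # the reply to that connection
        Segment("198.51.100.7", "192.0.2.10", 5555, 80, syn),     # Internet user -> DMZ web server
        Segment("198.51.100.7", "192.0.2.10", 5556, 22, syn),     # Internet user -> DMZ SSH
        Segment("198.51.100.7", "10.1.1.9", 5557, 445, syn),      # Internet user -> inside payroll host
        Segment("198.51.100.7", "10.1.1.9", 443, 40001, synack),  # forged SYN-ACK with no session
    ]
    return [fw.check(s)[0] for s in traffic]


if __name__ == "__main__":
    print(demo())
```

The last segment is the reason the SYN check alone is not enough: a stateless "allow established" rule keyed on the ACK bit would pass it, whereas a session table only admits replies to connections the policy already approved.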
- Disk and usbflash are the physical storage devices in that router
- IFS types:
- Opaque: logical internal file systems
- Network: external file systems found on different types of servers
- Disk: for flash
- Usbflash: for a USB flash
- NVRAM: a special type of memory (nonvolatile RAM), the default location of startup-config
- Use of formal names:
- more flash0:/wotemp/fred displays content of file fred in directory /wotemp
- Use of keywords:
- show running-config refers to file system:running-config
- show startup-config refers to file nvram:startup-config
- show flash refers to default flash IFS (usually flash0:)
Copying a New IOS Image to a Local IOS File System Using TFTP
- R2 (2901) copying IOS image from TFTP server at IP address 2.2.2.1:
- verify /md5 compares the MD5 hash of the file in the router's flash with the hash Cisco publishes for
that image; it only catches a corrupted or substituted file if the reference hash comes from Cisco's
site rather than from the same server the image was fetched from
- Source (second parameter) filename and destination (third parameter) full URI
- User must reload the router to start using the new IOS copied into a local IOS file system
- If any of first two steps fail, call Cisco Technical Assistance Centre (TAC)
- Steps 3 and 4 are configurable:
- Step 4: Routers almost always load the configuration from NVRAM (startup-config)
- boot system points to files in flash memory, filenames, IP addresses of servers, telling the
router where to look for an IOS image to load
- boot system can be configured multiple times, and each is added to end of a list
- Router tries to load IOS images in the order of the configured boot system commands
- Routers number files in flash memory, and loads the IOS file with the lowest number (first
file found in memory)
- Most routers use step 3B because default configuration register is 0x2102 and router has a
single IOS file in flash by factory default
- Routers consider one flash file system to be the default IFS to look for IOS images
- After an upgraded IOS is copied into flash, boot system needs to refer to the new file, save
the configuration and reload the router to boot to the new IOS image
Password Recovery
- Anyone with access to the router console can reset all the passwords on the router to new
values, so physical console access is equivalent to full administrative access and must be controlled
(no service password-recovery closes this path, at the cost of a forced configuration wipe to recover)
- Cisco refers to the topic as password recovery, but you actually change the password to a new value
- Use copy startup-config running-config to restore the ignored startup-config, then put the
configuration register value back to its normal value (usually 0x2102)
- Using copy running-config startup-config at that point would instead overwrite the saved configuration
with the near-empty running-config; also, the merge leaves interfaces shut down, so check and no shutdown
any interface that should be up
Managing Configuration Files
Copying and Erasing Configuration Files
- Configuration files can be copied with TFTP, FTP or SCP or to a removable USB flash
- Instead of copy tftp running-config (which merges), use copy tftp startup-config followed by reload, so
that the startup-config file is restored and the reload replaces the running-config with the
startup-config, leaving no leftover commands from the old running-config
- Archive is defined by when to automatically save the configuration and where to save them
- configure replace allows user to copy a configuration archive into the running-config file
so that it completely replaces the running-config file
- The ACL and hostname configured after the archive was configured with archive config
has been removed after configure replace
- Routers had different IOS images for each router model/model series, version/release
- All images have the same basic IP functions, some have additional features
- If you needed security feature, you could opt for one of the four images
- More feature sets = higher price
New IOS Packaging: One Universal Image with All Feature Sets
- Universal image has all feature sets which can be enabled later
- Universal image has all the feature sets a router model supports
- IP Base is enabled already, with a license key for that feature already installed on the router
- Feature sets with the most significant set of features => technology packages:
- Copy license key file to USB flash drive or TFTP, FTP or HTTP server
- Summary of steps (continued)
- Step 4: Make the file available to the router via USB or some network server
- Step 5: Issue license install url | filename to install the license key file into the
router
- Step 6: Reload the router to pick up the changes
Example of Manually Activating a License
- IP Base is enabled permanently, and Security, UC, Data licenses are listed as Not Activated
- show license lists longer status information than show version and show license feature
Right-to-Use Licenses
- Customers who want to test a router feature before buying can enable most features for a
60-day evaluation period, after which the feature stays enabled, with no time limit
- Right-to-use license does not require a PAK and uses license boot module command
- Process to add Security feature to R1 as right-to-use evaluation license:
- "Period left" is set to 60 days, and it counts down to 0, after which it converts to a lifetime
time period
Part IX Revision
Key Terms You Should Know
Terminology Definition
Chapter 33
Log message
Syslog server
Network Time Protocol (NTP)
NTP client
NTP Client/Server Mode
NTP Server
NTP synchronisation
CDP
LLDP
Chapter 34
Telnet
SSH
Local username
Login banner
Message of the day (MOTD)
MD5 hash
Device hardening
Chapter 35
Boot field
Configuration register
IOS image
ROMMON
Startup-config file
Running-config file
Setup mode
IOS
ROM
Flash memory
NVRAM
IOS File System (IFS)
Code integrity
Configuration archive
Secure Copy Protocol (SCP)
Chapter 36
IOS feature set
Universal image
Product Authorisation Key (PAK)
Universal Device Identifier (UDI)
Commands List
Command | Mode/Submode | Description | Example / Abbreviation
line console 0 | Global configuration mode | Changes context to console line configuration mode | line con 0
login | Line (console and vty) configuration mode | Tells IOS to prompt for a password at login |
password pass-value | Line (console and vty) configuration mode | Sets the password used for login if login is configured | password hello
interface type port-number | Global configuration mode | Changes context to interface configuration mode | interface FastEthernet 0/1; int type number
hostname name | Global configuration mode | Sets the switch's hostname | hostname chris
exit | Configuration mode | Moves back to the next higher configuration mode |
end | Configuration mode | Exits configuration mode and returns to enable mode from any submode |
Ctrl+Z | Two-key combination, configuration mode | Same as end |
no debug all / undebug all | Privileged EXEC mode | Disables all currently enabled debugs |
reload | Privileged EXEC mode | Reboots the device |
copy running-config startup-config | Privileged EXEC mode | Saves the active config to startup-config |
copy startup-config running-config | Privileged EXEC mode | Merges startup-config into the currently active config in RAM (a merge, not a replacement) |
show running-config | Privileged EXEC mode | Lists the running-config file |
write erase / erase startup-config / erase nvram: | Privileged EXEC mode | Erases the startup-config file |
quit | User EXEC mode | Disconnects the user from the CLI session |
show startup-config | Privileged EXEC mode | Lists the startup-config file |
enable | User EXEC mode | Moves the user to enable mode and, if configured, prompts for a password |
disable | Privileged EXEC mode | Moves the user from enable mode back to user mode |
configure terminal | Privileged EXEC mode | Moves the user into global configuration mode |
Router
ip address address mask | Interface configuration mode | Sets the router's IPv4 address and mask | ip address 192.168.1.1 255.255.255.0
clock rate rate-in-bps | Interface configuration mode | Sets the speed at which the router supplies a clocking signal (only when the router has the DCE cable) | clock rate 2000000
bandwidth rate-in-kbps | Interface configuration mode | Sets the speed at which the router considers the interface to operate (not the physical speed) | bandwidth 128
show ip interface brief | EXEC mode | Lists IP address, line and protocol status, and the method by which the address was configured (manual or DHCP), one line per interface |
show protocols [type number] | EXEC mode | Lists information about the interface(s), including IP address, mask and line/protocol status | show protocols f0/2
show controllers [type number] | EXEC mode | Lists many lines of low-level information per interface | show controllers f0/2
Troubleshooting Checklist
Cable Issue:
- Cables may pick up EMI (electromagnetic interference) from nearby electrical devices
- Cables bent too sharply (macrobending), or pressed by too much force could
damage cables
- Use the appropriate cabling type:
- Straight-through for connecting different devices (PC to switch)
- Crossover for connecting same devices (switch to switch)
- Rollover for connecting PC to devices (PC to console port)
- Serial cable for connecting point-to-point WAN routers
- Consider:
- Cable's supported speed
- Cable's maximum distance supported between two devices
- Cost and availability of type of cabling
Interface Issue:
- Use show ip interface brief or show interfaces status
- If interface is administratively down/down:
- For routers, use no shutdown if interface has never been configured, or
shutdown command has been configured
- If interface is down/down:
- Switch port-security shutdown mode may be in effect
=> shutdown and then no shutdown puts interface back to secure-up state
Configuration Checklist
SWITCH
Configuring simple password security (171)
for console
for vty
for privileged EXEC mode access
Configuring local username/password security
for console/vty
Configuring SSH (178)
hostname R1
ip domain-name cisco.com
crypto key generate rsa modulus 2048 (use at least 2048 bits; 1024-bit RSA keys are weak)
(ip ssh version 2)
username cisco secret cisco
line vty 0 4
login local
transport input ssh (disables Telnet on the vty lines)
Configuring IPv4 for a switch(182)
interface vlan 10
ip address 192.168.1.2 255.255.255.0
ip default-gateway 192.168.1.1
ip name-server 172.16.1.8
Configuring DHCP for a switch (183)
ip address dhcp
Configuring miscellaneous settings (184)
exec-timeout 5 0
logging synchronous
no ip domain-lookup
Configuring speed, duplex and description (193)
speed 1000
duplex auto
description connected to R1
Configuring port-security (203)
switchport mode access
switchport port-security
switchport port-security maximum 4
switchport port-security mac-address 0200.0000.2222
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0200.0000.1111 (must be a unicast MAC; 01xx.xxxx.xxxx is multicast)
switchport port-security violation restrict
Configuring VLANs (253)
vlan 10
name myvlan
switchport access vlan 10
Configuring VLAN trunking (258)
switchport mode trunk
Configuring IP phone VLANs (265)
switchport mode access
switchport access vlan 10
switchport voice vlan 20
ROUTER
Installing enterprise routers (388)
Installing Internet access routers (389)
Configuring IPv4 Addresses on Cisco routers (395)
ip address 192.168.1.1 255.255.255.0
Configuring clock rate (397)
clock rate 2000000
Configuring 802.1Q (417)
interface g0/0.10
encapsulation dot1q 10
Configuring native VLANs (419)
interface g0/0.20
encapsulation dot1q 20 native
Configuring routing to VLANs using a Layer 3 switch (421)
sdm prefer lanbase-routing
ip routing
interface vlan 15
ip address 192.168.2.3 255.255.255.128
no shutdown
Configuring static routes (423)
ip route 192.168.1.0 255.255.255.0 s2/0
ip route 192.168.2.0 255.255.255.0 192.168.2.1
Configuring static host routes (424)
ip route 192.168.2.5 255.255.255.255 f0/0
ip route 192.168.4.2 255.255.255.255 192.168.2.1
Configuring permanent static routes (425)
ip route 192.168.1.0 255.255.255.0 192.168.3.1 permanent
Configuring floating static routes (426)
ip route 10.0.1.0 255.255.255.0 s3/0 114
Configuring static default routes (428)
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Configuring RIPv2 (444)
router rip
version 2
network 10.0.0.0
Configuring RIPv2 passive-interfaces (457)
passive-interface s2/0
passive-interface default
no passive-interface s3/0
Configuring RIPv2 auto-summary and maximum-paths (458)
no auto-summary
maximum-paths 2
Configuring RIPv2 default route advertising (459)
default-information originate
Configuring router DHCP client (461)
ip address dhcp
Configuring DHCP relay (475)
ip helper-address 172.31.200.2
Configuring IOS DHCP server (478)
ip dhcp excluded-address 192.168.1.1
ip dhcp pool mypool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.2.2
next-server 192.168.3.2
domain-name cisco.com
lease 0 6 0
Configuring zero subnets (514)
ip subnet-zero
Configuring VLSM (531)
ip address 192.168.1.1 255.255.255.128
ip address 192.168.1.129 255.255.255.192 (a host address in the /26; .128 itself is the subnet address)
Configuring standard numbered IP ACLs (603)
access-list 10 permit 10.0.0.0 0.255.255.255 log
access-list 10 deny any
ip access-group 10 out (interface command; access-class is the vty-line form)
Configuring extended numbered IP ACLs (621)
access-list 100 deny tcp 10.0.0.0 0.0.255.255 eq 80 192.168.1.0
0.0.0.127 gt 1023 log-input
ip access-group 100 in
Configuring named IP ACLs (626)
ip access-list standard test
5 permit 172.16.1.0 0.0.0.63
Configuring new-style numbered ACLs (627)
ip access-list extended 120
no 30
Configuring static NAT (653)
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.2 200.1.1.2
Configuring dynamic NAT (655)
ip nat inside
ip nat outside
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool test1 200.1.1.1 200.1.1.254 netmask 255.255.255.0
ip nat inside source list 1 pool test1
Configuring NAT overload (PAT) (660)
ip nat inside
ip nat outside
access-list 2 permit 10.0.0.0 0.255.255.255
ip nat inside source list 2 interface s2/0 overload
IPv6
Configuring static IPv6 unicast addresses (707)
ipv6 address FD00::1/64
Configuring IPv6 Routing (708)
ipv6 unicast-routing
ipv6 enable
Configuring static IPv6 unicast addresses with modified EUI-64 (714)
ipv6 address 2001:2:3:4::/64 eui-64
Configuring dynamic IPv6 unicast addresses (715)
ipv6 address dhcp
ipv6 address autoconfig
Configuring IPv6 link local addresses (718)
ipv6 enable
ipv6 address 2001::2/64
ipv6 address fe80::10 link-local
Configuring IPv6 anycast addresses (722)
ipv6 address 2001::3/128 anycast
Configuring various IPv6 address types (724)
Configuring DHCPv6 relay agents (738)
Configuring IPv6 static routes:
With outgoing interface (757)
With global unicast next-hop address (758)
With link-local next-hop address (759)
Configuring IPv6 static default routes (761)
ipv6 route ::/0 2001::11
Configuring IPv6 static host routes (762)
ipv6 route 2001:db8:1111:4::2/128 s3/0
Configuring IPv6 floating static routes (763)
ipv6 route 2001:db8:1:2::/64 g0/1 fe80::0200:00ff:fe00:2222 100
Configuring IPv6 default routes with SLAAC (764)
ipv6 address autoconfig default
INFRASTRUCTURE MANAGEMENT
Configuring syslog
for console users (780)
logging console 5
for Telnet/SSH users (781)
logging monitor 3
terminal monitor
to store messages in RAM (781)
logging buffered 2
to store messages in syslog server (781)
logging host 160.1.1.3
logging trap 7
timestamps and sequence numbers (782)
no service timestamps (turns timestamps off; for forensics you normally want them kept on)
service sequence-numbers
logging message levels (783)
Configuring NTP
clock (time and timezone) (788)
clock timezone AEST 10 (offset is hours east of UTC; AEST is UTC+10)
clock summer-time SAEST recurring
clock set 22:08:28 22 January 2019
client/server (790)
ntp server 170.1.1.1
ntp master 5
with loopback interface (792)
interface loopback 0
ntp source loopback 0
Configuring CDP globally and on interfaces (796)
no cdp run
no cdp enable
Configuring LLDP globally and on interfaces (799)
no lldp run
no lldp transmit
no lldp receive
Configuring login security (804)
Configuring service password-encryption (805)
service password-encryption
Configuring password encryption
with MD5 (807)
enable secret cisco
with SHA-256 and scrypt (809)
enable algorithm-type sha-256 secret cisco
enable algorithm-type scrypt secret cisco
for usernames (810)
username jack secret cisco
Configuring login banners (812)
banner motd # Maintenance tonight #
banner login # Unauthorised access prohibited #
banner exec ! Welcome !
Configuring security for unused switch interfaces (812)
shutdown
switchport mode access
switchport access vlan 99
switchport trunk native vlan 99
Configuring inbound/outbound ACLs for Telnet and SSH (813)
access-list 1 deny 192.168.1.1
access-list 1 permit any
access-class 1 out
Upgrading IOS images (824)
Copying images with FTP (828)
copy ftp://jack:cisco@192.168.1.1/new-ios-image flash
Copying images with SCP (829)
[SSH is enabled]
username jack privilege 15 secret cisco
ip scp server enable
Client:
scp new-ios-file.bin jack@192.168.2.1:flash0:new-ios-file.bin
Configuring the configuration register (831)
config-register 0x2101
Configuring the boot system (833)
boot system tftp new-ios-version.bin 10.1.1.1
Configuring password recovery/reset (837)
Boot ROMMON
confreg 0x2142
reset
Copying files to USB flash (839)
copy running-config usbflash0:backup-running-config
Backing up and restoring configurations (840)
copy running-config tftp
copy tftp startup-config
reload
Configuring configuration archives (841)
archive
path ftp://jack:cisco@192.168.1.1/
time-period 2880
write-memory
archive config
Restoring configuration archives (842)
config replace ftp://jack:cisco@192.168.1.1/-Oct-24-09-46.165-2
Erasing configuration files (843)
write erase
erase startup-config
erase nvram:
Configuring at setup mode (843)
setup
Configuring manual license activation (856)
license install usbflash1:license-key-file.lic
Configuring right-to-use licenses (861)
license boot module c2900 technology-package securityk9
RFC LIST
Verification checklist
no
interface range
line aux 0