
100 CCNA Exam Gotchas!

Chris Bryant, CCIE #12933 -- www.thebryantadvantage.com


Overview

Switching
Frame Relay
Binary / Hex Conversions
Config. Register / Passwords / CDP
Static Routing
RIP
OSPF
EIGRP
Advanced Topics

Almost all of the corresponding chapters end with a "Hot Spots And Gotchas" section - make sure to read those for additional review. And as always, reading the summaries is no substitute for reading the chapter! :)
Switching Gotchas

The MAC address table is built from source MAC addresses, not the destination MAC. The first part of the frame examined by the switch is indeed the source MAC, which is used in port security as well as in building the MAC address table.

To create a trunk between two 2950s, use a crossover cable. Keep in mind that with a crossover cable, only four of the wires actually cross over. A 2950's trunk settings are desirable (the default), auto, and on. If both sides are set to dynamic auto, no trunk results. There is no trunk mode off command; to prevent a port from ever becoming a trunk port, make it an access port.

STP prevents switching loops; it has nothing to do with routing loops.

Make sure to know the details of port security:
1. Protect mode only drops frames from non-secure MAC addresses.
2. Restrict mode drops those frames as well, and also sends a syslog message alerting the network admin to the situation.
3. Shutdown mode, the default, places the port into err-disabled state and sends a syslog message. A port in err-disabled state must be manually reopened.

The lowest BID wins the root bridge election. If the priorities are the same, the switch with the lowest MAC will win the election. If the priorities have been changed, the MAC address can't come into play, because the BID looks like this: <priority>:<mac_address>.

STP considers port speed when calculating the root port. If a switch has two ports leading to the root bridge, with one on a 100 MBPS link and the other on a 10 MBPS link, the port on the 100 MBPS link will become the root port, since it will have the lowest cost of the two. Ports in blocking mode still accept BPDUs.

When running VTP, the domain name is case sensitive. The domain names CCNA and ccna are two different VTP domain names. If you want to create a VLAN that only a VTP Client will use, you still have to create it on the VTP Server.

Cisco switches use one of two trunking protocols, ISL or IEEE 802.1q (dot1q). ISL is Cisco-proprietary; dot1q is the industry standard. ISL does not recognize native VLANs and encapsulates the entire frame. Dot1q places a 4-byte header on a frame, unless it is destined for the native VLAN. In that case, no header is placed on the frame.
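The root bridge election and root port choice described above, as an added example (this is not code from the original notes). The BID is compared as a (priority, MAC) pair, so a changed priority settles the election before the MAC is ever looked at; the per-speed port costs are the IEEE 802.1D short values, which the notes do not list and are assumed here.

```python
# Added example (not from the original notes): root bridge election by
# Bridge ID and root port selection by path cost.
from dataclasses import dataclass

# IEEE 802.1D short path costs per link speed in Mbps (assumed values; the
# notes only state that the 100 Mbps link wins because its cost is lower).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # 0-65535, default 32768
    mac: str        # dotted-hex MAC, e.g. "0000.0c00.0001"

    def bid(self):
        # BID is <priority>:<mac>. Comparing the tuple compares priority
        # first, so the MAC only decides when priorities are equal.
        return (self.priority, int(self.mac.replace(".", ""), 16))


def elect_root(bridges):
    """The lowest BID wins the root bridge election."""
    return min(bridges, key=lambda b: b.bid())


def pick_root_port(ports_to_root):
    """ports_to_root: {port_name: link_speed_mbps} for every port that leads
    toward the root bridge. Returns (port_name, cost) of the lowest-cost
    port, which becomes the root port."""
    costs = {name: PORT_COST[speed] for name, speed in ports_to_root.items()}
    best = min(costs, key=costs.get)
    return best, costs[best]


if __name__ == "__main__":
    # Constructed sample switches: same priority, so the lowest MAC wins.
    sw1 = Bridge("SW1", 32768, "0000.0c00.0001")
    sw2 = Bridge("SW2", 32768, "0000.0c00.0002")
    print("root:", elect_root([sw1, sw2]).name)          # SW1
    # Lowering SW2's priority wins regardless of its higher MAC.
    sw2_low = Bridge("SW2", 4096, "ffff.ffff.ffff")
    print("root:", elect_root([sw1, sw2_low]).name)      # SW2
    # 100 Mbps port beats the 10 Mbps port on cost.
    print("root port:", pick_root_port({"Fa0/1": 100, "Eth0/2": 10}))
```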
Frame Relay Gotchas

The DTEs have to agree on the frame encapsulation type; the LMI type has to be agreed upon between the DCE and DTE. It's the DTE that initiates LMI autosense. The DTE sends three LMI messages, the DCE answers with a status message using its LMI type, and the DTE then sends LMI from that point on using only that LMI type (cisco, ansi, or q933a).

Frame map statements map a local DLCI to a remote IP address. Leaving the broadcast option off a frame map statement prevents multicasts from being transmitted to that remote IP address as well. This will stop routing updates of any kind from getting to that remote address. To prevent dynamic frame mappings from occurring, run no frame-relay inverse-arp before opening the interface.
R1#conf t
R1(config)#int serial0
R1(config-if)#encapsulation frame-relay
R1(config-if)#no frame inverse-arp

Point-to-point serial interfaces do not use the frame map statement; they use the frame-relay interface-dlci statement.
R3(config)#int s0
R3(config-if)#encap frame
R3(config-if)#no frame inverse-arp
R3(config-if)#int s0.31 point
R3(config-subif)#frame map ip 110.1.1.1 110 broadcast
FRAME-RELAY INTERFACE-DLCI command should be used on point-to-point interfaces
R3(config-subif)#frame interface-dlci 110

Directly Connected Serial Interfaces

The DCE supplies the clock rate, not the DTE. After running show controller serial x to see which end of the DTE/DCE cable is connected to a router, configure the clock rate command on the DCE interface. The Cisco-proprietary version of HDLC is the default encapsulation type for serial and ISDN interfaces.
R2#show interface serial0
Serial0 is up, line protocol is up
  Hardware is HD64570
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation HDLC, loopback not set, keepalive set (10 sec)

Binary / Hex / Decimal Conversions

Watch the format Cisco's asking you to express the answer in. We are not going to convert the value and then choose the answer that's in another format. If they want a binary value, choose a binary string, not a hex equivalent. We're working too hard on your CCNA to give points away. Be careful and read the question twice.

Configuration Register / Passwords / CDP

There are two reasons a router goes into setup mode:
1. The startup configuration was deleted with write erase.
2. The contents of NVRAM were ignored because the configuration register was set to 0x2142.
Note that the first option actually got rid of the startup config, while the second option just ignored it. You view the configuration register setting with show version. It's at the very bottom of all this output:
R1#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(21), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Mon 31-Dec-01 21:34 by nmasa
Image text-base: 0x0303E258, data-base: 0x00001000

ROM: System Bootstrap, Version 11.0(10c), SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c), RELEASE SOFTWARE (fc1)

R1 uptime is 12 minutes
System restarted by reload
System image file is "flash:c2500-is-l.120-21.bin"

cisco 2520 (68030) processor (revision M) with 14336K/2048K bytes of memory.
Processor board ID 07884164, with hardware revision 00000003
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
2 Low-speed serial(sync/async) network interface(s)
1 ISDN Basic Rate interface(s)
--More--
00:12:41: %SYS-5-CONFIG_I: Configured from console by console
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102
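The two setup-mode cases above, as an added example (not code from the original notes): decoding the configuration register shows that 0x2142 differs from 0x2102 only by bit 6, the "ignore NVRAM" bit, and a small parser pulls the value out of the last line of show version. The bit meanings are standard Cisco register layout; the sample show version tail is constructed.

```python
# Added example (not from the original notes): decode the configuration
# register so the difference between 0x2102 and 0x2142 is visible bit by bit.
import re

BOOT_FIELD = 0x000F                  # bits 0-3: boot field
IGNORE_NVRAM = 0x0040                # bit 6: ignore startup-config in NVRAM
BREAK_DISABLED = 0x0100              # bit 8: Break key ignored during boot
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000   # bit 13


def decode_config_register(value):
    """Return the boot field and the flags that matter for setup mode."""
    boot = value & BOOT_FIELD
    if boot == 0x0:
        boot_desc = "ROM monitor"
    elif boot == 0x1:
        boot_desc = "boot helper image from ROM"
    else:
        boot_desc = "normal boot from flash / boot system commands"
    return {
        "register": f"0x{value:04x}",
        "boot_field": boot,
        "boot": boot_desc,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_if_netboot_fails": bool(value & BOOT_ROM_IF_NETBOOT_FAILS),
    }


def parse_config_register(show_version_output):
    """Pull the register out of 'show version' output (its last line)."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})",
                  show_version_output)
    if not m:
        raise ValueError("no 'Configuration register is' line found")
    return int(m.group(1), 16)


def enters_setup_mode(register, startup_config_present):
    """Setup mode runs when there is no startup-config to load (write erase)
    or when the register tells IOS to ignore NVRAM even though it is there."""
    return (not startup_config_present) or bool(register & IGNORE_NVRAM)


# Constructed tail of a 'show version' output.
SAMPLE_SHOW_VERSION = """32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102
"""

if __name__ == "__main__":
    reg = parse_config_register(SAMPLE_SHOW_VERSION)
    print(decode_config_register(reg))       # ignore_nvram False
    print(decode_config_register(0x2142))    # ignore_nvram True, same boot field
```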

The default configuration register setting of a Cisco 2500 router is 0x2102. IOS Help uses one character, but has two applications. By not leaving a space between the word and the ?, you can see all possible commands that begin with those letters. By putting a space in, you can see the list of possible options that follow that command.

R1#show?
show
R1#show ?
  access-expression  List access expression
  access-lists       List access lists
  accounting         Accounting data for active sessions
  aliases            Display alias commands
  alps               Alps information
  arp                ARP table
  async              Information on terminal lines used as router interfaces
  backup             Backup status

If both enable secret and enable password are in use, the enable secret takes precedence. If you want to see the IP address of the remotely connected Cisco device, you need to run show cdp neighbor detail. Show cdp neighbor doesn't show the remote IP address.
SW1#show cdp nei detail
Device ID: R2
Entry address(es):
  IP address: 10.1.1.2
Platform: cisco 2520,  Capabilities: Router
Interface: FastEthernet0/2,  Port ID (outgoing port): Ethernet0
Holdtime : 163 sec

Static Routing

A gateway of last resort (default static route) is configured with ip route 0.0.0.0 0.0.0.0 <next-hop-ip or EXIT-interface>.
R3(config)#ip route 0.0.0.0 0.0.0.0 ?
  A.B.C.D   Forwarding router's address
  Ethernet  IEEE 802.3
  Null      Null interface
  Serial    Serial

A static route's default Administrative Distance can be changed by specifying the desired AD at the end of the ip route command. (This is referred to as a floating static route.)
R3(config)#ip route 0.0.0.0 0.0.0.0 ethernet0 ?
  <1-255>  Distance metric for this route

Split horizon can be turned off at the interface level.


R1#conf t
R1(config)#int serial0
R1(config-if)#no ip split-horizon

RIP

RIP's default behavior is to send version 1 updates, but to accept both version 1 and version 2 routing updates.
R2(config)#router rip
R2(config-router)#net 172.16.0.0
R2(config-router)#^Z
R2#show ip protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds, next due in 6 seconds
  Invalid after 180 seconds, hold down 180, flushed after 240
  Outgoing update filter list for all interfaces is
  Incoming update filter list for all interfaces is
  Redistributing: rip
  Default version control: send version 1, receive any version
    Interface   Send  Recv  Key-chain
    Serial0     1     1 2

By default, RIP v2 autosummarizes routing updates sent across classful network boundaries. To disable this behavior, run no auto-summary under the RIP process.
R1#conf t
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary

You do not specify a subnet mask or wildcard mask when configuring RIP, just the classful network, even if you're running RIP v2.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#router rip
R1(config-router)#version 2
R1(config-router)#no auto-summary
R1(config-router)#network 172.10.0.0 ?
  <cr>

Debug ip rip displays the routing updates and metrics as the advertisements are sent and requested. To see this in action without waiting for the next regularly scheduled update, run clear ip route *.
R1#debug ip rip
RIP protocol debugging is on
R1#clear ip route *
01:16:54: RIP: sending v1 update to 255.255.255.255 via Loopback1 (1.1.1.1)
01:16:54:      network 2.0.0.0, metric 2
01:16:54:      network 3.0.0.0, metric 2
01:16:54:      network 172.16.0.0, metric 1
01:16:54:      network 10.0.0.0, metric 2
01:16:54: RIP: sending v1 update to 255.255.255.255 via Serial0 (172.16.123.1)
01:16:54:      subnet 172.16.123.0, metric 1
01:16:54:      network 1.0.0.0, metric 1
01:16:54:      network 2.0.0.0, metric 2
01:16:54:      network 3.0.0.0, metric 2
01:16:54:      network 10.0.0.0, metric 2
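The classful behavior behind the last three gotchas (the network command taking only the classful network, auto-summary at classful boundaries, and the "subnet" versus "network" lines in the debug output), as an added example that is not code from the original notes. It reduces an address to its classful major network and decides, per outgoing interface, whether a route is advertised as itself or as its summary; split horizon is not modelled, and the routing table is constructed.

```python
# Added example (not from the original notes): how RIPv1 / auto-summary
# decides whether to advertise a subnet or its classful summary.
import ipaddress


def classful_network(ip):
    """Classful major network of an address: class A /8, B /16, C /24.
    This is also what the RIP 'network' command is reduced to."""
    first = int(str(ip).split(".")[0])
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    elif first < 224:
        plen = 24
    else:
        raise ValueError(f"{ip} is class D/E; no classful network")
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def advertise(route, out_interface_ip):
    """route: 'a.b.c.d/len'. A subnet is sent unsummarized only on an
    interface in the same major network; across a classful boundary the
    classful summary is sent instead. Returns (kind, network) in the
    wording the debug output uses."""
    net = ipaddress.ip_network(route)
    major = classful_network(net.network_address)
    if major == classful_network(out_interface_ip) and net != major:
        return ("subnet", str(net))
    return ("network", str(major))


def build_update(routes, out_interface_ip):
    """routes: {'a.b.c.d/len': metric}. Returns the (kind, network, metric)
    lines a RIPv1 update out of that interface carries; subnets that collapse
    into one summary share a line with the lowest metric."""
    summary = {}
    for prefix, metric in routes.items():
        kind, net = advertise(prefix, out_interface_ip)
        if net not in summary or metric < summary[net][1]:
            summary[net] = (kind, metric)
    return [(kind, net, metric) for net, (kind, metric) in summary.items()]


# Constructed routing table resembling the debug output above.
ROUTES = {"1.0.0.0/8": 1, "2.0.0.0/8": 2, "3.0.0.0/8": 2,
          "172.16.123.0/24": 1, "10.0.0.0/8": 2}

if __name__ == "__main__":
    for line in build_update(ROUTES, "1.1.1.1"):        # Loopback1
        print("Loopback1:", *line)                      # 172.16.0.0/16 summarized
    for line in build_update(ROUTES, "172.16.123.1"):   # Serial0
        print("Serial0:", *line)                        # subnet 172.16.123.0/24 kept
```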

To see only the routes discovered by a routing protocol, run show ip route followed by the name of the protocol:
R1#show ip route rip
R    2.0.0.0/8 [120/1] via 172.16.123.2, 00:00:26, Serial0
R    3.0.0.0/8 [120/1] via 172.16.13.2, 00:00:09, Serial1
               [120/1] via 172.16.123.3, 00:00:09, Serial0
R    10.0.0.0/8 [120/1] via 172.16.13.2, 00:00:09, Serial1
                [120/1] via 172.16.123.3, 00:00:09, Serial0

To turn off all currently running debugs, run undebug all.


R1#undebug all
All possible debugging has been turned off

EIGRP

EIGRP is Cisco-proprietary and uses Autonomous System numbers. As a Cisco-proprietary protocol, it is unsuited for a multivendor environment.
R1(config)#router eigrp ?
  <1-65535>  Autonomous system number

EIGRP allows unequal-cost load sharing with the variance command.


EIGRP uses bandwidth and delay as the default values in its metric calculation; it can use bandwidth, delay, load, and reliability.

EIGRP routes are indicated with the letter D. It's not E because EGP was already in the routing table legend when EIGRP was introduced. A router only considers administrative distance if the routing table contains two or more routes to a destination that are reported by different protocols and have the same mask length. AD is a measure of a route's believability. The lowest AD is zero, that of a connected route.

OSPF

OSPF configurations use wildcard masks, not subnet masks.


R2#conf t
R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 ?
  A.B.C.D  OSPF wild card bits

The OSPF process numbers do not have to match to form an adjacency.


R2#conf t
R2(config)#router ospf 1
R2(config-router)#net 10.1.1.0 0.0.0.255 area 0

R3#conf t
R3(config)#router ospf 2
R3(config-router)#network 10.1.1.0 0.0.0.255 area 0
R3#show ip ospf nei
Neighbor ID     Pri   State     Dead Time   Address     Interface
10.1.1.2          1   FULL/BDR  00:00:36    10.1.1.2    Ethernet0

OSPF-enabled routers do not send routing updates; OSPF sends link-state advertisements.

The OSPF hello and dead timers must match for an adjacency to form, as you're about to see. The OSPF dead timer is four times the hello interval. If you change the hello interval, the dead timer dynamically changes to four times the new hello-interval value. (Notice that OSPF's metric is cost.)
R3#show ip ospf int e0
Ethernet0 is up, line protocol is up
  Internet Address 10.1.1.3/24, Area 0
  Process ID 2, Router ID 10.1.1.3, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.1.3, Interface address 10.1.1.3
  Backup Designated router (ID) 10.1.1.2, Interface address 10.1.1.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

R3(config)#int e0
R3(config-if)#ip ospf hello 5

R3#show ip ospf int e0
Ethernet0 is up, line protocol is up
  Internet Address 10.1.1.3/24, Area 0
  Process ID 2, Router ID 10.1.1.3, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 10.1.1.3, Interface address 10.1.1.3
  Backup Designated router (ID) 10.1.1.2, Interface address 10.1.1.2
  Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5

Note that the dead timer adjusted dynamically. Also, since the timers are now different from the neighbor's, this adjacency dropped seconds later. The network type is still the same, but the timers are different, resulting in a lost adjacency. In a hub-and-spoke network, use the ip ospf priority 0 command on the spoke interfaces to prevent them from becoming a DR or BDR. A point-to-point OSPF network has no DR or BDR.
R1#show ip ospf nei
Neighbor ID     Pri   State    Dead Time   Address     Interface
20.1.1.3          1   FULL/ -  00:00:36    20.1.1.3    Serial1
R1#show ip ospf int serial1
Serial1 is up, line protocol is up
  Internet Address 20.1.1.1/24, Area 0
  Process ID 1, Router ID 20.1.1.1, Network Type POINT_TO_POINT, Cost: 195
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

R1 has a point-to-point OSPF network connection to R3. The show ip ospf neighbor command reveals a dash under State, showing there is neither a DR nor a BDR. If an OSPF-enabled router has a loopback interface, that interface's IP address will be the Router ID (RID) of that router, regardless of whether that loopback is advertised via OSPF.

If an OSPF-enabled router has no loopback interface, the highest IP address assigned to a physical interface will be the RID, regardless of whether that interface is advertised via OSPF. To hardcode the OSPF RID, use the router-id command. There are two ways to make the router-id command take effect: reload the router or run the clear ip ospf process command.
R1#conf t
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
Reload or use "clear ip ospf process" command, for this to take effect
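The RID selection rules and the timer-matching rule from the last few gotchas, as an added example that is not code from the original notes. It assumes that with several loopbacks the highest loopback address is chosen (the notes only describe the single-loopback case), that the router-id command has already taken effect, and it deliberately ignores the process ID, since that need not match; the interface data is constructed to mirror the R2/R3 Ethernet0 example.

```python
# Added example (not from the original notes): OSPF Router ID selection and
# the hello/dead timer check that decides whether two routers stay adjacent.
import ipaddress


def select_router_id(router_id_cmd=None, loopback_ips=(), physical_ips=()):
    """A configured router-id wins; otherwise the highest loopback address
    (assumption: highest when there are several); otherwise the highest
    physical interface address. Whether OSPF advertises the interface does
    not matter."""
    if router_id_cmd:
        return router_id_cmd
    for candidates in (loopback_ips, physical_ips):
        if candidates:
            return str(max(ipaddress.ip_address(ip) for ip in candidates))
    raise ValueError("no IP address available for a Router ID")


def interface_timers(hello=10):
    """'ip ospf hello-interval' also resets the dead interval to 4x hello."""
    return {"hello": hello, "dead": 4 * hello}


def adjacency_ok(local, remote):
    """Adjacency needs matching area, network type and timers. The process
    ID ('pid') is local to each router and is deliberately not compared."""
    for key in ("area", "net_type", "hello", "dead"):
        if local[key] != remote[key]:
            return False, f"{key} mismatch: {local[key]} vs {remote[key]}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed interfaces matching the R2 / R3 Ethernet0 example above.
    r2 = {"pid": 1, "area": 0, "net_type": "BROADCAST", **interface_timers(10)}
    r3 = {"pid": 2, "area": 0, "net_type": "BROADCAST", **interface_timers(10)}
    print(adjacency_ok(r2, r3))             # (True, 'ok') despite pid 1 vs 2
    r3.update(interface_timers(5))          # R3: ip ospf hello 5
    print(adjacency_ok(r2, r3))             # hello mismatch, adjacency drops
    print(select_router_id(loopback_ips=["1.1.1.1"],
                           physical_ips=["20.1.1.1", "10.1.1.1"]))   # 1.1.1.1
```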

OSPF runs the SPF algorithm, also referred to as the Dijkstra algorithm.

More EIGRP

EIGRP configurations use wildcard masks, not subnet masks.
R3#conf t
R3(config)#router eigrp 100
R3(config-router)#net 172.10.0.0 ?
  A.B.C.D  EIGRP wild card bits

Like RIPv2, EIGRP autosummarizes route advertisements at classful network boundaries. To disable this behavior, run no auto-summary.
R3#conf t
R3(config)#router eigrp 100
R3(config-router)#no auto-summary

EIGRP has three tables of interest: the route table, which contains the best routes; the topology table, which contains the best routes (successors) and less-desirable but still valid routes (feasible successors); and the neighbor table. EIGRP uses the DUAL algorithm to compute the route metrics and to send queries in case the successor is lost and there is no feasible successor.

Advanced TCP/IP Topics

Standard ACLs filter only on the source IP address. Regular pings can be sent from user exec, but extended pings cannot.
R3>ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R3>ping
% Incomplete command.
R3>ping ?
  WORD  Ping destination address or hostname
  ip    IP echo
  tag   Tag encapsulated IP echo

Standard ACL ranges are 1-99 and 1300-1999. Extended ACL ranges are 100-199 and 2000-2699. A named ACL is written in the following format, but it's applied in the same way as a standard or extended ACL.
R3#conf t
R3(config)#ip access-list extended BLOCK_WEB_TRAFFIC
R3(config-ext-nacl)#deny tcp any any eq www
R3(config-ext-nacl)#interface serial0
R3(config-if)#ip access-group BLOCK_WEB_TRAFFIC out

Explicit denies do not nullify the implicit deny. In the above example, that list wouldn't just stop web traffic... it would stop ALL traffic. WWW traffic is stopped explicitly, and then the implicit deny stops everything else! An interface can have two ACLs applied: one affecting inbound traffic and the other affecting outbound traffic. The word any is used to represent a wildcard mask of 255.255.255.255. The word host is used to represent a wildcard mask of 0.0.0.0.
R3(config)#access-list 17 deny ?
  Hostname or A.B.C.D  Address to match
  any                  Any source host
  host                 A single host address
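The ACL rules from the last two gotchas worked through as an added example (not code from the original notes): wildcard matching, any and host as wildcard shorthands, first match wins, the implicit deny, and a standard list looking only at the source. The BLOCK_WEB_TRAFFIC list from the notes is reproduced as data, beside the corrected version with an explicit permit; the packets are constructed.

```python
# Added example (not from the original notes): a small evaluator for the ACL
# rules stated above, including the implicit deny that makes the
# deny-only named list block everything.
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = wildcard 255.255.255.255


def host(ip):
    return (ip, "0.0.0.0")              # 'host' = wildcard 0.0.0.0


def wildcard_match(addr, base, wildcard):
    """Wildcard bit 0 = must match, 1 = don't care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, pkt):
    """acl: list of entries {action, proto?, src, dst?, dport?}; a standard
    ACL is a list whose entries carry only 'src'. pkt: {proto, src, dst, dport?}.
    Entries are checked in order; the first match decides, and a packet that
    matches nothing hits the implicit deny."""
    for e in acl:
        if e.get("proto", "ip") not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if "dst" in e and not wildcard_match(pkt["dst"], *e["dst"]):
            continue
        if "dport" in e and e["dport"] != pkt.get("dport"):
            continue
        return e["action"]
    return "deny"   # implicit deny at the end of every ACL


# The named list from the notes: only an explicit deny, so everything is denied.
BLOCK_WEB_TRAFFIC = [{"action": "deny", "proto": "tcp", "src": ANY, "dst": ANY, "dport": 80}]
# Same intent done right: an explicit permit ahead of the implicit deny.
BLOCK_WEB_ONLY = BLOCK_WEB_TRAFFIC + [{"action": "permit", "proto": "ip", "src": ANY, "dst": ANY}]
# Standard list 24 from the access-class example: source address only.
ACL_24 = [{"action": "permit", "src": host("200.14.87.23")}]

if __name__ == "__main__":
    # Constructed packets.
    web = {"proto": "tcp", "src": "10.1.1.1", "dst": "10.1.1.3", "dport": 80}
    telnet = {"proto": "tcp", "src": "10.1.1.1", "dst": "10.1.1.3", "dport": 23}
    print(evaluate(BLOCK_WEB_TRAFFIC, web), evaluate(BLOCK_WEB_TRAFFIC, telnet))  # deny deny
    print(evaluate(BLOCK_WEB_ONLY, web), evaluate(BLOCK_WEB_ONLY, telnet))        # deny permit
```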

To apply an ACL to your VTY lines, use the access-class command.


R1#conf t
R1(config)#access-list 24 permit 200.14.87.23
R1(config)#line vty 0 4
R1(config-line)#access-class 24 in

To enable PAT, configure the word overload at the end of the ip nat inside source command.
R1(config)#ip nat inside source list 1 interface serial0 ?
  overload  Overload an address translation

Cisco routers require a password for telnet access. Anyone trying to telnet to a router with no VTY password set will get the message Password required, but none set.
R2#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
R2#telnet 10.1.1.3
Trying 10.1.1.3 ... Open
Password required, but none set
[Connection to 10.1.1.3 closed by foreign host]

By default, users who telnet into a router are placed into user exec mode. For them to enter privileged exec mode, an enable password or enable secret must be set. In the example below, a password has been entered for the VTY lines, allowing a user to telnet in from R2. The user cannot enter privileged exec, though, because no enable password has been set.
R3#conf t
R3(config)#line vty 0 4
R3(config-line)#login
R3(config-line)#password CCNA
R3(config-line)#^Z
R3#wr

R2#telnet 10.1.1.3
Trying 10.1.1.3 ... Open
User Access Verification
Password:
R3>enable
% No password set

An enable password is then set on R3. The user on R2 can now telnet in with CCNA and then enter privileged exec mode with coach.
R3#conf t
R3(config)#enable password coach
R3(config)#^Z

R2#telnet 10.1.1.3
Trying 10.1.1.3 ... Open
User Access Verification
Password:
R3>enable
Password:
R3#

To allow users who telnet into a router to be placed directly into privileged exec mode, run the command privilege level 15 under the VTY lines. In the below example, the user telnetting from R2 immediately enters privileged exec mode after entering the telnet password CCNA.
R3#conf t
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R3(config-line)#login
R3(config-line)#password CCNA

R2#telnet 10.1.1.3
Trying 10.1.1.3 ... Open
User Access Verification
Password:
R3#


Copyright 2011 The Bryant Advantage. All Rights Reserved.
