Network Technologies
S-AN-A-1.04
Network Technologies ICTTI, Union of Myanmar
1/200
This copy of textbook is granted only for: Chan Myae (shweyoe.ucss@gmail.com)
Document History
Date | Version | By | Remarks
4 April 2010 | 1.00 | T. D. Win, K. P. Thant, T. Naing | First version
28 April 2010 | 1.01 | T. D. Win, S. T. D. Win, K. P. Thant, T. Naing | Testing, modifying and adding for
training course with Cisco devices
5 July 2010 | 1.02 | S. T. D. Win, K. P. Thant | Modifying and adding sub topics
30 Jan 2011 | 1.03 | K. P. Thant | Redraw some figures, support Cisco 1800 Series, Cisco 2600, Cisco 2800
and Catalyst 2960 Series
1 Aug 2011 | 1.04 | K. P. Thant, T. Naing | Editing some facts and LAB.
Copyright Information
Copyright 2006 ICTTI. All rights reserved.
Cisco and Cisco Systems are registered trademarks of Cisco Systems, Inc. and /or its
affiliates in the U.S. and certain countries.
SUSE, openSUSE, the openSUSE logo, Novell, the Novell logo, the N logo, are
registered trademarks of Novell, Inc. in the United States and other countries. Linux is a
registered trademark of Linus Torvalds.
The example companies, organizations, products, domain names, e-mail addresses, logos,
people, places, and events depicted herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event
is intended or should be inferred.
All other products and company names are the trademarks, registered trademarks, and
service marks of their respective owners. Throughout this manual, ICTTI and JICA have used
their best efforts to distinguish proprietary trademarks from descriptive names by following the
capitalization styles used by the manufacturer.
Contents at a Glance
1. CISCO Routers and LAN Switches <Day 1> ................................................................ 10
2. Router Basic Configuration <Day 2> ............................................................................ 29
3. IP Routing <Day 3-4-5> ................................................................................................ 62
4. LAN Switching <Day 6> ................................................................................................ 99
5. Virtual LANs <Day 7>.................................................................................................. 124
6. Network Security <Day 8-9> ....................................................................................... 144
7. WAN <Day 10> ........................................................................................................... 182
References ......................................................................................................................... 197
Tables and Figures ............................................................................................................. 198
Indexes ............................................................................................................................... 200
Table of Contents
1. CISCO Routers and LAN Switches <Day 1> ................................................................ 10
1.1. Cisco Router Management .................................................................................... 10
1.1.1. Cisco Router Introduction ............................................................................... 10
1.1.2. The Router Boot Sequence ............................................................................ 11
1.1.3. Managing Configuration Register ................................................................... 12
1.1.4. Cisco Router Series ........................................................................................ 13
1.1.5. Cisco Switching Products ............................................................................... 16
1.1.6. Cisco IOS ........................................................................................................ 17
1.1.7. Cisco IOS Modes ............................................................................................ 18
1.2. Connecting to a Cisco Router ................................................................................ 22
1.3. Console Connection............................................................................................... 22
1.3.1. Linux ............................................................................................................... 22
1.3.2. Windows ......................................................................................................... 23
1.4. Managing Cisco IOS Images ................................................................................. 25
1.4.1. Backing up and Restoring the Cisco IOS ....................................................... 25
1.4.2. Download IOS in ROMmon Mode .................................................................. 26
2. Router Basic Configuration <Day 2> ............................................................................ 29
2.1. Command Line Interface (CLI) .............................................................................. 29
2.1.1. Content Sensitive Help ................................................................................... 29
2.1.2. Command Syntax Check ................................................................................ 30
2.1.3. Command Abbreviation .................................................................................. 30
2.1.4. Hot Keys ......................................................................................................... 30
2.2. Basic Configuration ................................................................................................ 31
2.2.1. Status .............................................................................................................. 31
2.2.2. Hostname ....................................................................................................... 32
2.2.3. Banners........................................................................................................... 32
2.2.4. Clock and NTP................................................................................................ 33
2.2.5. Domain Name Services .................................................................................. 34
2.2.6. Simple Network Management Protocol (SNMP) ............................................ 34
2.3. Login Configuration ................................................................................................ 34
2.3.1. Privileged password ....................................................................................... 34
2.3.2. Virtual Terminal (VTY) .................................................................................... 35
Cisco routers use flash memory, rather than disks, for storing information. Flash storage
media is significantly more expensive and slower than disk storage, but the amount of
storage needed to run a router is relatively small compared to the amount needed to run a
general-purpose computer. Flash also has the important benefit that it tends to be more
reliable than disk storage.
Flash storage is similar to Random Access Memory (RAM), but it does not need power to
retain information, so it is called non-volatile RAM (NVRAM). There are other types of
non-volatile solid state storage, such as Erasable Programmable Read Only Memory
(EPROM).
On most Cisco routers, the NVRAM area is somewhere between 16 and 256Kb, depending
on the size and function of the router.
There are two important configuration files on any router. There is the configuration file that
describes the current running state of the router, which is called the running-config. Then,
there is the configuration file that the router uses to boot, which is called the
startup-config. Only the startup-config is stored in NVRAM. You can synchronize the
two configuration files by simply copying the running-config onto the startup-config file:
Most of the examples throughout this book assume that you have IOS Version 12.
[Figure residue: RAM holds the running-config (the program and the running configuration file
buffer); the related show commands are show startup-config, show flash, show interface and
show configuration]
Step 2. The bootstrap which is a program in ROM looks for and loads the Cisco IOS
software from flash memory in all Cisco routers.
Step 3. The IOS software looks for a valid configuration file stored in NVRAM,
startup-config file.
Step 4. If a startup-config file is in NVRAM, the router will copy this file and place it in
RAM, called running-config file.
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
Before you change the configuration register, make sure you know the current configuration
register value. These are the main reasons you would want to change the configuration
register:
To force the system into the ROM monitor mode
To select a boot source and default boot filename
To enable or disable the Break function
To control broadcast addresses
To set the console terminal baud rate
To load operation software from ROM
To enable booting from a Trivial File Transfer Protocol (TFTP) server
You can change the configuration register by using the config-register command.
Router(config)#config-register 0x2102
Router(config)#^z
Router#sh ver
The show version command displays the current configuration register value and also what
that value will be when the router reboots. Any change to the configuration register won't
take effect until the router is reloaded.
[Figure 2 residue: the diagram places the 7200, AS5000, 4000, 3600, 2600, 2500, 1700, 1600,
1000, 800 and 700 series on a scale running from central site solutions through branch office
solutions to small office solutions]
Figure 2 Cisco Router Series and the sites for which they are Suited
The Cisco 800 series routers are Cisco's lowest-priced routers that are based on Cisco IOS
software. The 800 series ISDN access routers provide big-business networking benefits to
small offices and corporate telecommuters. The Cisco 800 series offers secure,
manageable, high performance solutions for Internet and corporate LAN access.
The Cisco 1000 series router is intended for remote office networking where Cisco IOS
software, higher performance, and WAN options beyond ISDN are important.
The Cisco 1600 series routers are similar to the Cisco 1000 series routers, but they have a
slot that accepts a WAN interface card. These cards are shared with the 1700, 2600, and
3600 series, and will be shared in future modular branch office-type products.
The Cisco 1720 access router delivers optimized security, integration, and flexibility in a
desktop form factor for small- and medium-sized businesses, and for small branch offices
that want to deploy Internet/intranet access or Virtual Private Networks (VPNs). The Cisco
1720 access router features two modular WAN slots that support 1600, 2600, and 3600 data
WAN interface cards; and an autosensing 10/100-Mbps Fast Ethernet LAN port to provide
investment protection and flexibility for growth.
The Cisco 2500 series routers provide a variety of models that are designed for branch
office and remote site environments. These routers are typically fixed configuration, with at
least two of the following interfaces: Ethernet, Token Ring, synchronous serial,
asynchronous serial, ISDN BRI, and a hub.
The Cisco 2600 series features single or dual fixed LAN interfaces. A network module slot
and two WAN interface card slots are available for WAN connections.
The 3600 series multiservice access servers/routers also offer a modular solution for dial-up
and permanent connectivity over asynchronous, synchronous, and ISDN lines. Up to four
network module slots are available for LAN and WAN requirements.
The Cisco 4500 and 4700 series access routers are high-performance modular Central site
routers with support for a wide range of LAN and WAN technologies. The 4500 and 4700
are intended for large regional offices that do not require the density of the 7200 series.
Their modular design allows easy reconfiguration as needs change.
The Cisco AS5000 series is Cisco's line of universal integrated access servers. The AS5000
series is extremely popular because it integrates the functions of standalone CSUs, channel
banks, modems, communication servers, switches, and routers in a single chassis. The
AS5000 series contains synchronous serial, digital ISDN, and asynchronous modem access
server functionality, which are ideal for the mixed-media requirements that are becoming
more prevalent every day.
The Cisco 7200 routers are also very high-performance, modular Central site routers that
support a variety of LAN and WAN technologies. The 7200 is targeted for large regional
offices that require high-density solutions.
Branch Routers: Cisco 800, 2800 and 3800 Integrated Series Routers
WAN Routers: Cisco 7200 VXR Series and Cisco 7301 Router
The following table highlights some of the features and WAN options for each series of
routers.
Table 2 Remote Access Options for each Series of Router
Router Platform | Remote Access Options
700 series | ISDN BRI, basic telephone service ports
800 series | ISDN BRI, basic telephone service ports, entry-level Cisco IOS software
1000 series | ISDN BRI, serial (1005 router)
1600 series | ISDN BRI, 1 WAN interface card slot
1700 series | 2 WAN interface card slots
2500 series | Family of routers that offers various ISDN BRI, serial, and WAN interfaces
2600 series | Various fixed LAN interface configurations, one network module slot, two WAN
interface card slots
3600 series | Two and four network module slots on the 3620 and 3640, respectively
4000 series | T1/E1 ISDN PRI
AS5000 series | Access server with multiple T1/E1 ISDN PRI and modem capabilities
7200 series | Supports a wide range of WAN services, with the required high port density
necessary for a scalable enterprise WAN
The Cisco Linksys switch brand includes a variety of switches designed for use in the home.
The Cisco Catalyst switch brand includes a large collection of switches, all of which have
been designed with Enterprises (companies, governments, and so on) in mind. The Catalyst
switches have a wide range of sizes, functions, and forwarding rates. Cisco offers a wide
variety of Catalyst switches that fit within each Layer of the Cisco Hierarchical network
model.
Cisco IOS Software is implemented on most Cisco hardware platforms, including switches
and routers. This software enables network services in Cisco products, including carrying
the chosen network protocols and functions, controlling access and prohibiting unauthorized
network use, and adding interfaces and capability as needed for network growth.
applications, and a wide array of platforms, Cisco IOS Software diversified from one train of
releases to multiple trains supporting different feature sets for different customer needs.
The Cisco IOS Software image name represents the hardware, feature set, format and other
information about the image file. Figure 3 shows the image name of Cisco IOS Software
Release 12.4(22)T with the Enterprise Base feature set for the Cisco 3825 router.
c3825-entbasek9-mz.124-22.T.bin
Hardware: c3825
Feature Set: entbasek9
Memory Location: m
Compression Format: z
Train Number: 124
Maintenance Release: 22
Train Identifier: T
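The following Python parser is an added example, not code from the textbook, that decodes an image name into the fields labelled above and reports whether the feature set carries the k9 strong-cryptography marker (the build SSH on the router needs). The letter tables and the three sample names are assumed from the naming scheme as described here.

```python
import re
from dataclasses import dataclass

# Classic IOS image naming scheme as broken down in Figure 3:
#   <platform>-<feature set>-<memory><compression>.<train>-<maintenance>[.<train id>].bin
IMAGE_NAME = re.compile(
    r"^(?P<platform>[a-z0-9]+)"          # hardware platform, e.g. c3825 or c2800nm
    r"-(?P<feature>[a-z0-9-]+?)"         # feature set, e.g. entbasek9 or ipbase
    r"-(?P<memory>[a-z])"                # where the image runs: m = RAM, f = flash, r = ROM
    r"(?P<compression>[a-z]?)"           # z = zip, x = mzip, w = stac, none = uncompressed
    r"\.(?P<train>\d{3})"                # train number, 124 -> 12.4
    r"-(?P<maintenance>\d+[a-z]?)"       # maintenance release, may carry a rebuild letter (3g)
    r"(?:\.(?P<identifier>[A-Z]+\d*))?"  # train identifier such as T; mainline images have none
    r"\.bin$"
)

MEMORY_LOCATION = {"m": "RAM", "f": "flash", "r": "ROM"}
COMPRESSION = {"": "none", "z": "zip", "x": "mzip", "w": "stac"}


@dataclass
class IosImage:
    platform: str
    feature_set: str
    memory_location: str
    compression: str
    version: str         # Cisco's "12.4(22)T" notation
    strong_crypto: bool  # feature set contains the k9 (strong cryptography) marker


def parse_image_name(name: str) -> IosImage:
    """Decode an IOS image file name; raises ValueError if it does not follow the scheme."""
    m = IMAGE_NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised IOS image name: {name!r}")
    train = m["train"]
    version = f"{train[:2]}.{train[2:]}({m['maintenance']})"
    if m["identifier"]:
        version += m["identifier"]
    return IosImage(
        platform=m["platform"],
        feature_set=m["feature"],
        memory_location=MEMORY_LOCATION.get(m["memory"], m["memory"]),
        compression=COMPRESSION.get(m["compression"], m["compression"]),
        version=version,
        # "k9" in the feature set marks a strong-crypto build, which is what the SSH
        # configuration in section 2.3.7 requires; an ipbase image without it has no SSH.
        strong_crypto="k9" in m["feature"],
    )


def supports_ssh(name: str) -> bool:
    """True when the image's feature set includes strong cryptography (k9)."""
    return parse_image_name(name).strong_crypto


if __name__ == "__main__":
    # Sample names taken from this chapter (the 3825, 2600 and 2800 images)
    for n in ("c3825-entbasek9-mz.124-22.T.bin",
              "c2600-jk9o3s-mz.123-10.bin",
              "c2800nm-ipbase-mz.124-3g.bin"):
        print(n, "->", parse_image_name(n))
```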
and out of several different modes while configuring a router, and which mode you are in
determines what commands you can use. Each mode has a set of commands available in
that mode, and some of these commands are only available in that mode. In any mode,
typing a question mark will display a list of the commands available in that mode.
Router>?
configuration. From privileged EXEC mode, enter the setup command.
User EXEC (prompt Router>): enable enters privileged EXEC; exit leaves.
Privileged EXEC (prompt Router#): configure terminal enters configuration mode; exit or
Ctrl+Z returns from configuration mode to privileged EXEC.
Interface configuration (prompt Router(config-if)#).
From global configuration mode, you can access specific configuration modes, which
include, but are not limited to, the following:
Commands that affect the entire device are called global commands. The hostname and
enable password commands are examples of global commands.
Commands that point to or indicate a process or interface that will be configured are called
major commands. When entered, major commands cause the CLI to enter a specific
configuration mode. Major commands have no effect unless you immediately enter a
subcommand that supplies the configuration entry. Notice that entering a major command
We can connect to a Cisco router to configure it, verify its configuration, and check statistics.
There are different ways to connect to a router, but the first place is the console port. The
console port is usually an RJ-45 connection located at the back of the router. There is
another port, the auxiliary port, which is the same as a console port. The auxiliary port allows
configuring modem commands so that a modem can be connected to the router. For
example, it lets you dial up a remote router and attach to the auxiliary port if the router is
down and you need to configure it out-of-band (that is, outside the network). We can use
Telnet, in-band, to connect to any active interface on a router, such as an Ethernet or serial
port.
If your PC does not have a COM port, especially on a laptop, you can use a USB-to-serial
converter so the console cable can be connected.
1.3.1. Linux
From Linux, the minicom command can be used to connect to the Cisco device, so install the
minicom package.
Running this command with the -s option shows the setup menu for configuration.
# minicom -s
C - Callin Program :
D - Callout Program :
Select Save setup as dfl and then Exit. The terminal will connect to the Cisco device.
To close the terminal session, press Ctrl-A and then q; you are returned to the shell
prompt.
1.3.2. Windows
(1) Hyper Terminal
[Hyper Terminal] is the default tool shipped together with Windows. When you open the
[Hyper Terminal], enter the connection name, and click [OK].
Change the COM properties especially at the [Bits per second] textbox to 9600.
(2) PuTTY
To connect to the console with PuTTY, select [Serial].
First, we need to set up a TFTP server. To install one, we can get TFTPD32 from
http://pagesperso-orange.fr/philippe.jounin/tftpd32.html; it starts a TFTP server
easily.
Make sure there is solid connectivity to the TFTP server by using the ping command. For
example, if the IP address of the TFTP server is 192.168.0.129, check connectivity like this:
Router#ping 192.168.0.129
!!!!!
Secondly, we check the source filename of the router by using show flash command.
Router#show flash
Directory of flash:/
!!!!!!!!
Router#
or
This copies the IOS file from the router's flash to the TFTP server.
#copy flash:c2800nm-ipbase-mz.124-3g.bin tftp://192.168.0.129
FastEthernet0/0):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Router#
You can view the ROMmon environment variables by using the set command, as shown
here. The IOS file is available on the TFTP server at iosfolder/c2600-jk9o3s-mz.123-10.bin.
You do not need to specify the .bin extension.
rommon 3 > set
PS1=rommon ! >
IP_ADDRESS=172.16.0.123
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=172.16.0.2
TFTP_SERVER=172.18.16.10
TFTP_FILE=iosfolder/c2600-jk9o3s-mz.123-10
You need to use the sync command to save the ROMmon environment variables to nonvolatile
RAM (NVRAM).
IP_ADDRESS: 192.168.0.250
IP_SUBNET_MASK: 255.255.255.0
DEFAULT_GATEWAY: 192.168.0.1
TFTP_SERVER: 192.168.0.3
TFTP_FILE: iosfolder/c2600-jk9o3s-mz.123-10
rommon 22 >
Word help can be used to obtain a list of commands that begin with a particular character
sequence. To use word help, type in the characters in question followed immediately by the
question mark (?). Do not include a space before the question mark. The router will then
display a list of commands that start with the characters that were entered. The following is
an example of word help:
Router#co?
Command syntax help can be used to obtain a list of command, keyword, or argument
options that are available based on the syntax the user has already entered. To use
command syntax help, enter a question mark (?) in the place of a keyword or argument.
Include a space before the question mark. The router will then display a list of available
command options with <cr> standing for carriage return. The following is an example of
command syntax help:
Router#configure ?
<cr>
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(19c), RELEASE SOFTWARE (fc2)
Building configuration...
version 12.2
service timestamps debug uptime
no service password-encryption
2.2.2. Hostname
You can set the identity of the router with the hostname command. This is only locally
significant, which means that it has no bearing on how the router performs name lookups or
how the router works on the internetwork. To change the router's hostname:
Router>enable
Router#configure terminal
Router(config)#hostname cisco1
cisco1(config)#
2.2.3. Banners
A banner is a little security notice to give any and all who dare attempt to telnet or dial into
your internetwork. You can create a banner to give anyone who shows up on the router
exactly the information you want them to have.
There are four available banner types: exec process creation banner, incoming terminal line
banner, login banner, and message of the day banner.
Router(config)#banner ?
Message of the day (MOTD) is the most extensively used banner. It gives a message to
every person dialing into or connecting to the router via Telnet or an auxiliary port, or even
through a console port as seen here:
Router(config)#banner motd ?
Router(config)#banner motd c
Router(config)#banner motd #
If you are not authorized to be in ICTTI network, then you must disconnect
immediately.
#
Router(config)#^z
Router#exit
If you are not authorized to be in ICTTI network, then you must disconnect
immediately.
Router>en
Router#
The preceding MOTD banner essentially tells anyone connecting to the router to get lost if
they're not on the guest list. The part to understand is the delimiting character, which is used
to tell the router when the message is done. You can use any character you want for it, but
you can't use the delimiting character in the message itself.
Router#configure terminal
When you mistype a command, the router will wait a while for the name lookup to time out,
so you might disable domain lookup.
Router(config)#no ip domain-lookup
Note: SNMP version 1 transmits the community string in clear text, which can easily be
revealed by a sniffer.
To enable strong, nonreversible encryption of the privileged password, use the enable
secret command.
Router(config)#enable secret testuser
You should never use the same password for the enable password and enable secret
commands. The router warns you against doing this, but will accept it.
Router(config)#enable password test
Router(config-line)#password cisco2
Router(config-line)#login
Router(config-line)#exit
Increase the Telnet session idle timeout so the connection is not disconnected (exec-timeout
0 0 disables the timeout entirely).
Router(config)#line vty 0 4
Router(config-line)#exec-timeout 0 0
The console port can be used to configure the complete configuration at any time. This
makes it very important to protect the console port with a password. To configure a console
user-mode password, use the line command from global configuration mode. There is only
one console port on all routers, so the command is
Router#conf t
Router(config-line)#password cisco2
Router(config-line)#login
Router(config-line)#exit
We can set the console to go from never timing out (0 0) to timing out in 35,791 minutes and
2,147,483 seconds. The default is 10 minutes.
Router(config)#line con 0
Router(config-line)#exec-timeout 0 0
To stop annoying console messages from popping up and disrupting the input when we are
trying to type, logging synchronous is a very cool command. The messages still pop up,
but you are returned to your router prompt without your input being interrupted.
Router(config)#line console 0
Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous
Router(config-line)#
To configure the auxiliary password, go into global configuration mode and type line aux ?.
R0(config)#line aux 0
R0(config-line)#login
R0(config-line)#password aux
Trying 192.168.0.100
Connected to Router.
Username: user1
Password: password1
Router>
Trying 192.168.0.101
Connected to Router.
Password: password1
Router2>
configuration file as enable password, and line connection as VTY, console, and AUX.
Router(config)#service password-encryption
The following command shows what the enable secret password looks like in the router's
configuration file:
Router#show running-config | include secret
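As an added check that is not part of the textbook, the Python script below audits a saved running-config for the weak login settings discussed in this section: no service password-encryption, a plain enable password next to the enable secret, a clear-text SNMP community, lines without login or password, exec-timeout 0 0, and VTY lines that still accept Telnet. Both configs are constructed samples; the finding codes are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample (not taken from a real device) reproducing the weak settings
# shown in this section; the secret hash is a placeholder, not a real digest.
WEAK_CONFIG = """\
version 12.2
no service password-encryption
hostname cisco1
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH00000000
enable password test
snmp-server community public RO
line con 0
 password cisco2
 login
line aux 0
 login
 password aux
line vty 0 4
 exec-timeout 0 0
 password cisco2
 login
"""

# Constructed hardened counterpart: secrets only, encrypted line passwords,
# idle timeouts, local users and SSH-only VTY access as in section 2.3.7.
HARDENED_CONFIG = """\
version 12.2
service password-encryption
hostname R1
ip domain-name lab.example
username admin secret 5 $1$EXAMPLE$PLACEHOLDERHASH00000000
enable secret 5 $1$EXAMPLE$PLACEHOLDERHASH00000000
line con 0
 exec-timeout 10 0
 password 7 PLACEHOLDER7
 login
line aux 0
 exec-timeout 10 0
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""

Finding = Tuple[str, str]  # (scope, code)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and the sub-commands of each
    'line ...' block; IOS indents sub-commands one space under the major command."""
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            blocks[current] = []
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(text: str) -> List[Finding]:
    """Return the weak settings found in a running-config as (scope, code) pairs."""
    global_cmds, blocks = parse_config(text)
    findings: List[Finding] = []
    if "service password-encryption" not in global_cmds:
        findings.append(("global", "NO_PASSWORD_ENCRYPTION"))
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append(("global", "NO_ENABLE_SECRET"))
    if any(c.startswith("enable password ") for c in global_cmds):
        # enable password is reversible/plain and redundant once enable secret exists
        findings.append(("global", "ENABLE_PASSWORD_PRESENT"))
    if any(c.startswith("snmp-server community ") for c in global_cmds):
        # SNMPv1 community strings travel in clear text (note in section 2.2.6)
        findings.append(("global", "SNMP_COMMUNITY_CLEARTEXT"))
    for line, subs in blocks.items():
        has_login = any(s == "login" or s.startswith("login ") for s in subs)
        has_password = any(s.startswith("password ") for s in subs)
        if not has_login:
            findings.append((line, "NO_LOGIN"))
        elif "login" in subs and not has_password:
            findings.append((line, "LOGIN_WITHOUT_PASSWORD"))
        if "exec-timeout 0 0" in subs:
            findings.append((line, "NO_EXEC_TIMEOUT"))
        if line.startswith("line vty"):
            transports = [s.split()[2:] for s in subs if s.startswith("transport input ")]
            # without a 'transport input' statement the VTY lines accept Telnet as well
            if not transports or any(protos != ["ssh"] for protos in transports):
                findings.append((line, "TELNET_ALLOWED"))
    return findings


if __name__ == "__main__":
    for scope, code in audit(WEAK_CONFIG):
        print(f"{scope}: {code}")
```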
2.3.7. SSH
SSH is used instead of Telnet to access the router more securely.
You need the following configuration:
Hostname
Domain name
Asymmetric keys
Local authentication
Router>
Router>en
Router#conf t
Router(config)#host R1
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
R1(config-line)#login local
R1(config-line)#exit
Router(config-if)#no shutdown
00:08:47 %LINK-3-UPDOWN: Interface Fastethernet0/0, changed state to up
Router(config-if)#exit
Router(config)#exit
Router(config-if)#no shut
If you want to add a second subnet address to an interface, you must use the secondary
keyword:
Router(config-if)#ip address 192.168.2.80 255.255.255.0 secondary
DCE-Router(config)#int s0/0
Next, you need to set the bandwidth for the serial interface. Unlike the clock rate command,
the bandwidth command is configured in kilobits.
DCE-Router(config-if)#bandwidth 64
Note that the values of the clock rate and the bandwidth depend on the WAN
connectivity.
Hardware is HD64570
Based on the output of the show interfaces command, possible problems can be diagnosed as
follows:
Operational: fa0/0 is up, line protocol is up
Connection problem: fa0/0 is up, line protocol is down
- no keepalives
- mismatch in the encapsulation type
Interface problem: fa0/0 is down, line protocol is down
- a cable might never have been attached
- some other interface problem
Disabled: fa0/0 is administratively down, line protocol is down
- manually disabled by using the shutdown command
2.5. Logging
Many network administrators overlook the importance of router logs. Logging is critical for
fault notification, network monitoring, and security auditing.
A good rule is to set your logging buffer to 16KB for smaller routers. Routers with more than
32MB of memory can safely dedicate 32KB, or even 64KB without problem. To be safe,
always check the amount of free memory on your router with the show memory command
before increasing your buffer size.
You can use the show logging command to view this buffer.
Router>show logging
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
filtering disabled
Router(config)#logging on
Forwarding log messages to a remote syslog server has several advantages over just
retaining log messages locally on the router. The primary advantage is that messages sent
to the server are stored on disk. All other forms of router logging are lost when the router
reloads, including vital log messages that occur just before a router crashes due to an error.
Another advantage of using a remote syslog server is storage capacity. A router stores
logging messages in internal system memory, which severely limits the number of log
messages that can be stored.
Finally, being able to view log messages from all of your routers in a single location can be
quite useful. Forwarding all router log messages to a common log file can assist in fault
isolation, problem resolution, and security investigations.
The syslog protocol uses UDP port 514, and messages are forwarded asynchronously
without acknowledgement from the server. In other words, communications between the
router and server flow in a single direction with the server acting as a passive receiver.
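The one-way UDP/514 exchange described above means the collector must make sense of whatever arrives without ever talking back. The following is an added example (not from the ICTTI textbook) of the receiving side: it decodes the RFC 3164 priority header and the %FACILITY-SEVERITY-MNEMONIC body that IOS emits, and flags the messages a security audit cares about. The sample datagrams, their sequence numbers, timestamps and the 192.168.0.2 source are constructed.

```python
"""Minimal UDP/514 collector logic for Cisco IOS syslog messages.

Added example, not part of the ICTTI textbook. SAMPLE_DATAGRAMS are constructed
(sequence numbers, timestamps and the 192.168.0.2 source are made up); the
%FACILITY-SEVERITY-MNEMONIC layout is the one IOS emits.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# RFC 3164 priority header: <PRI> where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# IOS body: optional sequence number, optional timestamp, then
# %FACILITY-SEVERITY-MNEMONIC: free text.
_IOS_RE = re.compile(
    r"(?:(?P<seq>\d+):\s*)?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+(?:\s+[A-Z]+)?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$",
    re.S,
)

# Mnemonics worth an audit trail regardless of severity: configuration
# changes, failed logins and reloads.
WATCH_MNEMONICS = {"CONFIG_I", "LOGIN_FAILED", "RESTART"}


@dataclass
class IosSyslog:
    pri_facility: int
    pri_severity: int
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_ios_syslog(datagram: bytes) -> Optional[IosSyslog]:
    """Decode one datagram; return None if it is not a Cisco-style record."""
    msg = datagram.decode("ascii", errors="replace").strip()
    head = _PRI_RE.match(msg)
    if head is None:
        return None
    pri = int(head.group(1))
    body = _IOS_RE.match(head.group(2).strip())
    if body is None:
        return None
    return IosSyslog(
        pri_facility=pri >> 3,
        pri_severity=pri & 7,
        facility=body["facility"],
        severity=int(body["severity"]),
        mnemonic=body["mnemonic"],
        text=body["text"].strip(),
    )


def audit(datagrams: List[bytes]) -> List[str]:
    """Return one alert line per message that is severity 0-3 or on the watch list."""
    alerts = []
    for dgram in datagrams:
        rec = parse_ios_syslog(dgram)
        if rec is None:
            continue  # not an IOS record; a real collector would count these
        if rec.severity <= 3 or rec.mnemonic in WATCH_MNEMONICS:
            alerts.append(f"{rec.facility}-{rec.severity}-{rec.mnemonic}: {rec.text}")
    return alerts


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive datagrams forever; syslog is one-way, so nothing is sent back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            for line in audit([data]):
                print(f"{src}: {line}")


# Constructed sample traffic from a router using facility local7 (23).
SAMPLE_DATAGRAMS = [
    b"<189>43: *Aug  1 09:15:02.110: %SYS-5-CONFIG_I: Configured from console by vty0 (192.168.0.2)",
    b"<187>44: *Aug  1 09:15:30.004: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    b"<189>45: *Aug  1 09:15:31.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    b"<188>46: *Aug  1 09:16:01.920: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.0.2] [localport: 23] [Reason: Login Authentication Failed]",
    b"not a syslog datagram",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_DATAGRAMS):
        print(alert)
```

Running the file prints three alerts (the configuration change, the interface going down at severity 3, and the failed login); call serve() to bind the collector to port 514.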
Router#conf t
Router(config)#cdp ?
timer Specify the rate at which CDP packets are sent (in sec)
run
Router(config)#cdp hold
Router(config)#cdp holdtime ?
<10-255> Length of time (in sec) that receiver must keep this packet
Router(config)#cdp timer ?
[Figure: R1 f0/0 (192.168.0.1) connected to R0 f0/0 (192.168.0.2)]
R1#config t
R1(config)#int f0/0
R1(config-if)#no shut
R1(config-if)#cdp enable
R1(config-if)#exit
R1(config)#cdp holdtime 10
R1(config)#cdp timer 5
R0#config t
R0(config)#int f0/0
R0(config-if)#no shut
R0(config-if)#cdp enable
R0(config-if)#exit
R0(config)#cdp holdtime 10
R0(config)#cdp timer 5
-------------------------
Device ID: R0
Entry address(es):
IP address: 192.168.0.2
Holdtime : 7 sec
Version :
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
advertisement version: 2
Duplex: half
-------------------------
Device ID: R1
Entry address(es):
IP address: 192.168.0.1
Holdtime : 8 sec
Version :
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
advertisement version: 2
Duplex: half
The show cdp entry * protocols command and show cdp entry * version will show the
IP address and IOS version of each directly connected neighbor.
IP address: 192.168.0.2
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
IP address: 192.168.0.1
IOS (tm) C2600 Software (C2600-C-M), Version 12.2(4)T1, RELEASE SOFTWARE (fc1)
CDP counters :
The show cdp interface command gives you the CDP status on router interfaces or switch
ports.
Encapsulation ARPA
Holdtime is 10 seconds
Encapsulation ARPA
Holdtime is 10 seconds
Encapsulation ARPA
Holdtime is 10 seconds
Encapsulation ARPA
Holdtime is 10 seconds
R1#sh run
Building configuration...
hostname R1
!
cdp timer 5
cdp holdtime 10
end
R0#sh run
Building configuration...
hostname R0
cdp timer 5
cdp holdtime 10
end
Router#erase startup-config
Router#reload
First, connect a console cable to the router. In Windows, I prefer to use Tera Term.
If it succeeds, the prompt changes to ROMmon; change the configuration register, and then
type reset to reboot the router.
rommon 1>confreg 0x2142
rommon 2>reset
After the reboot, answer no to the setup question, enter enable mode, erase the
startup-config, and change the configuration register back to normal.
--- System Configuration Dialog ---
Router>enable
Router#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm]Enter
Erase of nvram: complete
Router#conf t
Router(config)#config-register 0x2102
Router(config)#^Z
Switch the router off and on. It shows the configuration dialog because there is no
startup-config.
Reference:
http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml
1. Connect to your router's console port. What type of cable did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
2. What software program did you use to connect to your router's console port? What
settings did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
7. Log back into your router. Enter into privileged mode, and then enter into global
configuration mode. To enter into global configuration mode, what command do you
use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
12. Set the encrypted password for privileged mode to be cisco. What mode did you need
to enter to accomplish this? What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
13. Set the password for your console port to be cisco. What mode did you need to enter to
accomplish this? What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
14. Set the password for your virtual terminal (telnet) ports to be cisco. What mode did you
need to enter? What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
15. Set a banner message to appear on your router at login. Type whatever banner you wish
(feel free to be creative). What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
1. Enter interface configuration mode for the first Ethernet interface on your router. What
command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
2. Bring this interface up from being administratively down. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
3. Do the same for the first Serial interface on your router. What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
4. Configure the correct IP address for your Ethernet interface (supplied by your instructor).
What command(s) did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
5. Configure the correct IP address for your Serial interface (supplied by your instructor).
What command(s) did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
6. View the current status of your interfaces. What command(s) did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
8. At this point, your serial interface may show a line protocol status of down. What
additional command must you configure on your Serial interface, to ensure communication
with the serial interface of the directly connected router?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
9. Should the above command be configured on the connected serial interfaces of both
routers, or on just one side of the serial cable? If the latter, on what side of the serial cable
should this command be used?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
10. Set the hostname for your router. Ensure that your router number is reflected
somewhere in the hostname, but you can be creative. For example: My_Router2.
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
11. Set a description on both of your interfaces, to document what they are connecting to.
12. View the configuration file stored in RAM. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
13. View the configuration file stored in NVRAM (25xx series router) or Flash (26xx series
router). What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
14. What command would you use to erase the startup configuration?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
15. If you erase the startup configuration, what will happen the next time the router is
rebooted?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
16. Ping your neighbor's router. Did you receive a reply? Can you ping all routers directly
connected to you?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
17. Can you currently ping routers not directly connected to you? Why or why not?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
18. What command will provide you with a brief, summarized view of the status and IP
information on your interfaces?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
19. Save your router configuration. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
2. Check the current value of the configuration register on your router, and write it below.
What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
3. Back up your current IOS to a tftp server. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
4. When backing up your IOS, what additional information were you asked to specify?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
5. Copy that same IOS image back to the router. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
6. Verify that CDP is enabled on your router. What command did you use? How often does
your router send CDP packets?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
7. Check the status of your connected neighbors. What CDP command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
9. Ensure that anyone logged into your router, via either console or telnet, is automatically
logged off after 5 minutes, 30 seconds of inactivity. What mode did you need to enter to
accomplish this? What commands did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
10. Disable name resolution on your router. What command did you use?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
11. Pretend that you forgot your enable password. Perform the password recovery
procedure: Change the enable password to ICTTI, but change only the password
(leave all other configuration intact). What steps did you take to accomplish this?
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
________________________________________________________________________
[Figure: lab topology in 172.16.0.0/16; LAN 172.16.0.0/24 with pc0 (host .10) and LAN 172.16.3.0/24 with pc1 (host .10)]
Connect to the Router0 and set the hostname, password, interface descriptions, and IP
addresses of each interface.
Router>enable
Router#conf t
Router(config)#hostname Router0
Router0(config)#line console 0
Router0(config-line)#password testuser
Router0(config-line)#login
Router0(config-line)#exit
Router0(config)#line vty 0 4
Router0(config-line)#password testuser
Router0(config-line)#login
Router0(config-line)#exit
Router0(config-if)#no shutdown
Router0(config-if)#no shutdown
Router0(config-if)#exit
Router0(config)#exit
Router#conf t
Router(config)#hostname Router1
Router1(config)#line console 0
Router1(config-line)#password testuser
Router1(config-line)#login
Router1(config-line)#line vty 0 4
Router1(config-line)#password testuser
Router1(config-line)#login
Router1(config-if)#no shutdown
Router1(config-if)#no shutdown
Router1(config-if)#exit
Router1(config)#exit
Router#conf t
Router(config)#hostname Router2
Router2(config)#line console 0
Router2(config-line)#password testuser
Router2(config-line)#login
Router2(config-line)#line vty 0 4
Router2(config-line)#password testuser
Router2(config-line)#login
Router2(config-if)#no shutdown
Router2(config-if)#no shutdown
Router2(config-if)#exit
Router2(config)#exit
Router0#show ip route
The running-config shows the complete configuration your router is running. The show ip
route command is used to see the routing table on your router. It is important to notice that
only the directly connected networks are showing. It means the routers can only route to the
directly connected networks. In order to send packets to another network not in the routing
table, we must configure the routing table with this network.
Once you have verified the routing tables in all routers, use the ping command to verify IP
connectivity between the routers and the PCs.
You can only configure default routing on a router that is connected to a stub network,
which means that there is no other router on the connected networks. In other words,
there is only one way in and out. Router0 and Router2 are stub routers to the LANs because
they are the only way in and out of the LAN. Router1 cannot use default routing since it is
connected to multiple routers.
To configure default routing, use the ip route command, but instead of the network and
subnet mask, you use all zeros, which means all networks with all masks. You must also have the
ip classless command enabled when using default routing. This tells the router to not drop
Before configuring Router0 and Router2 with default routing, you must remove the
static routes we created previously.
Remove static routes from the Router0 router.
Router0(config)#no ip route 172.16.2.0 255.255.255.0 172.16.1.2
From the Router0, add the default route to router Router1. The default route command will
tell the router to send all packets destined for any network not in the routing table to the
Router1, which will then route the packet.
Router0(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router0(config)#ip classless
Router2(config)#ip classless
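To see what the default route and ip classless do together, here is an added example (not from the ICTTI textbook) of the forwarding decision in Python. The routing table is a constructed copy of Router0's after the steps above: two connected /24s of 172.16.0.0 and a default route via Router1 at 172.16.1.2; the lookup shows how a destination in an unknown subnet of 172.16.0.0 is handled with and without classless forwarding.

```python
"""Longest-prefix lookup showing what 'ip classless' changes.

Added example, not from the ICTTI textbook. ROUTER0_TABLE is a constructed copy
of the lab's Router0: two connected 172.16.x.0/24 networks and a default route
pointing at Router1 (172.16.1.2).
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, str]  # prefix and next hop ("connected" or an address)

ROUTER0_TABLE: List[Route] = [
    (IPv4Network("172.16.0.0/24"), "connected"),
    (IPv4Network("172.16.1.0/24"), "connected"),
    (IPv4Network("0.0.0.0/0"), "172.16.1.2"),  # ip route 0.0.0.0 0.0.0.0 172.16.1.2
]


def classful_major_network(addr: IPv4Address) -> IPv4Network:
    """Return the legacy class A/B/C major network an address belongs to."""
    first = int(addr) >> 24
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    elif first < 224:
        plen = 24
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return IPv4Network((int(addr), plen), strict=False)


def lookup(table: List[Route], dest: str, ip_classless: bool = True) -> Optional[str]:
    """Return the next hop for dest, or None if the router would drop the packet.

    Classless (ip classless): plain longest-prefix match, so the default route
    catches anything no more specific prefix covers.

    Classful (no ip classless): if the table holds subnets of the destination's
    major network but none of them contains the destination, the packet is
    dropped instead of falling through to the default route.
    """
    addr = IPv4Address(dest)
    candidates = [(net, hop) for net, hop in table if addr in net]
    best = max(candidates, key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        return None
    net, hop = best
    if not ip_classless and net.prefixlen == 0:
        major = classful_major_network(addr)
        knows_major = any(n.prefixlen > 0 and n.subnet_of(major) for n, _ in table)
        if knows_major:
            return None  # classful behaviour: unknown subnet of a known major net
    return hop


if __name__ == "__main__":
    for dst in ("172.16.0.10", "172.16.3.10", "192.168.64.5"):
        print(dst, lookup(ROUTER0_TABLE, dst), lookup(ROUTER0_TABLE, dst, ip_classless=False))
```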
[Figure: lab topology with routers R0, R1 and R2 and hosts PC1-PC6; LANs 192.168.64.0/24, 192.168.65.0/24, 192.168.0.0/24, 192.168.1.0/24, 172.24.0.0/16 and 172.25.0.0/16; serial links 10.0.0.0/30 and 10.0.0.4/30. Addressing table with the F0/1 and S0/0 entries marked NA and rows for PC1-PC6 to be filled in.]
4. Test connectivity
You should now have end-to-end connectivity. Use ping to test connectivity across the
network.
Troubleshoot until pings are successful.
[Figure: lab topology with a server SRV attached to a router's F0/0]
1. Select the device from Cisco 1800 series, Cisco2800 series, and Cisco2600 series.
5. Test connectivity
You should now have end-to-end connectivity. Use ping to test connectivity across the
network.
Each router should be able to ping all other router interfaces and the Server.
Troubleshoot until pings are successful.
3.3. RIP
Dynamic routing is the process of routers running routing protocols that find and advertise
networks in the internetwork to other routers. Routing tables then converge, which
means that all routers in the internetwork have the same routing information.
Routing Information Protocol (RIP) is a true distance-vector routing protocol. RIP sends the
complete routing table out of all active interfaces every 30 seconds. RIP uses only hop count
to determine the best way to a remote network, and it has a maximum allowable hop count of
15 by default, meaning that 16 is deemed unreachable. RIP works well in small networks,
but it is inefficient on large networks with slow WAN links or on networks with a large number
of routers installed.
RIP version 1 uses only classful routing, which means that all devices in the network must
use the same subnet mask. This is because RIP version 1 does not send subnet mask
information with its updates. RIP version 2 provides something called prefix routing and does send
subnet mask information with the route updates. This is called classless routing.
This lab will configure Routing Information Protocol (RIP), one of the first dynamic routing
protocols created. It is easy and works pretty well in small to medium-sized networks.
To configure RIP routing, first remove the static and default routing configured on the routers.
Then use the router rip command to configure RIP.
From the Router0, delete the default route, and then verify the routing table with the show
ip route command. Only the directly connected networks should be in the routing table.
Router0(config)#no ip route 0.0.0.0 0.0.0.0 172.16.1.2
Router0(config)#exit
Router0#show ip route
Router1(config)#exit
Router1#show ip route
Router2(config)#exit
Router2#show ip route
Router0(config)#router rip
Router0(config-router)#network 172.16.0.0
The important thing to notice here is that the network address is a classful address, which
means you use the classful boundary. For instance, we use the 172.16.0.0 class B network
address and subnet that network with a 24-bit mask. This means that the third octet is
used for subnets and the fourth octet holds the host addresses of each subnet. RIP is a classful
routing protocol, which means that you do not type in any subnet addresses, only the class
B address.
Router1(config)#router rip
Router1(config-router)#network 172.16.0.0
Router2(config)#router rip
Router2(config-router)#network 172.16.0.0
Notice the R, which marks a route learned through RIP. The C marks a directly connected network.
You should see two directly connected networks.
Router2#
From the Router0, use the debug ip rip command to see RIP updates being sent and
received on the router.
Router0#debug ip rip
(172.16.1.1)
RIP: build update entries
172.16.3.0 in 2 hops
172.16.4.0 in 1 hops
You can see from the updates that we are sending out information about networks 172.16.0.0,
172.16.1.0, 172.16.2.0 and 172.16.3.0. Both the 172.16.0.0 network and the 172.16.1.0
network are being advertised with a hop count (metric) of 1, meaning that these networks
are directly connected. The 172.16.2.0 network is being advertised with a metric of 2, which means
To turn off debugging, use the no debug all command or the undebug all command.
Router0#no debug all
To see the routing protocol timers, use the show ip protocols command.
Router0#show ip protocols
Invalid after 180 seconds, hold down 180, flushed after 240
Redistributing: rip
FastEthernet0/0 1 2 1
FastEthernet0/1 1 2 1
Maximum path: 4
172.16.0.0
Passive Interface(s):
Another good command is the show protocols command, which shows you the routed
protocol configuration of each interface.
Router0#show protocols
Global values:
3.3.3. RIP v2
This lab will configure RIP v2
Router0(config-router)#version 2
Router0(config-router)#network 172.16.0.0
Router1(config-router)#version 2
Router1(config-router)#network 172.16.0.0
Router2(config-router)#version 2
Router2(config-router)#network 172.16.0.0
To see the routing protocol timers, use the show ip protocols command. Notice the timers:
RIP updates are sent out every 30 seconds by default. The administrative distance is 120 by default.
Both RIPv1 and RIPv2 use the same timers.
Router0#config t
Router0(config)#router rip
Router0(config-router)#version 2
Router0(config-router)#network 172.16.0.0
Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco-proprietary hybrid routing
protocol. It uses the properties of both distance-vector and link-state protocols and has an
administrative distance of 90, so it will automatically overwrite RIP-learned routes in the
routing table. Also, it uses Autonomous System (AS) numbers to create groups of routers that share
routing information, just like IGRP. The major difference between IGRP and EIGRP is that
EIGRP uses three different tables to create a stable routing environment, and additionally
EIGRP only sends updates when needed, whereas IGRP broadcasts routing table entries
every 90 seconds.
Open Shortest Path First (OSPF) is an open standards routing protocol that has been
implemented by a wide variety of network vendors, including Cisco.
Router0(config-router)#network 172.16.0.0
Router1(config-router)#network 172.16.0.0
Router2(config-router)#network 172.16.0.0
The hello-interval can be changed with the following command in interface configuration
mode:
Router(config-if)# ip hello-interval eigrp autonomous-system-number seconds
A rule of thumb is to keep the hold-time at three times the hello-interval. The hold timer can
also be adjusted on a per interface basis:
Router(config-if)# ip hold-time eigrp autonomous-system-number seconds
From the Router0, use the show ip route command to verify the routing table.
Router0#show ip route
The command show ip route destination-network-number outputs the total delay, minimum
bandwidth, reliability, minimum MTU and load for a path, and the composite metric.
Router0# sh ip route 172.16.1.0
Use the show ip protocols command from the Router0 router. Notice that EIGRP, IGRP
and RIP are running on the router. Notice also that there is no timer for EIGRP, which
means it does not send periodic updates.
Router0#show ip protocols
From the Router0, use the show ip eigrp neighbors command to see the EIGRP neighbor
table. This table holds information about the router's directly connected neighbors.
Router0#show ip eigrp neighbors
From the Router0, use the show ip eigrp topology command to see the EIGRP topology
table. This table shows the entire network as the Router0 understands it.
Router0#show ip eigrp topology
r - Reply status
<1-65535>
A value in the range 1-65535 identifies the OSPF Process ID, which is a unique number on
this router that groups a series of OSPF configuration commands under a specific running
process. Different OSPF routers do not have to use the same Process ID in order to
communicate. It is purely a local value and its number is basically irrelevant. The only time
an OSPF number would matter is when you have multiple OSPF Autonomous System (AS)
connecting together on the same network.
This lab will be simple. We will start an OSPF process on each router, and then configure the
interfaces to be in OSPF area 0. Since EIGRP has a better administrative distance than OSPF,
we also need to disable the EIGRP routing processes on each router.
Configure the Router0 to start the OSPF process. Remember that the number does not matter.
The number can even be the same on all routers. First disable EIGRP and IGRP.
Router0(config)#no router eigrp 10
After starting the OSPF process (and disabling EIGRP on each router), you need to identify
the interfaces on which to activate OSPF communications and the area in which each
resides. This will also configure the networks you will advertise to others. This is achieved
with the following command as an example.
Router0(config-router)#network 10.0.0.0 0.255.255.255 area ?
The first two arguments of the network command are the network number (10.0.0.0) and
wildcard mask (0.255.255.255). The combination of the two numbers identifies the
interfaces that OSPF will operate on and that will also be included in its OSPF Link State
Advertisements (LSA).
A 0 octet in the wildcard mask indicates that the corresponding octet in the network must
match exactly. A 255, on the other hand, indicates that you do not care what the
corresponding octet is in the network number. A network and wildcard mask combination of
1.1.1.1 0.0.0.0 would match 1.1.1.1 only and nothing else. This is useful if you want to
activate OSPF on a specific interface.
If you insist on matching a range of networks, the network and wildcard mask combination of
1.1.0.0 0.0.255.255 would match anything in the range 1.1.0.0-1.1.255.255. It is simpler and
safer to stick to using wildcard masks of 0.0.0.0 and identify each OSPF interface
individually.
The final argument is the area number. It indicates the area to which the interfaces identified
in the network and wildcard mask portion belong. Remember that OSPF routers will only
become neighbors if their interfaces share a network that is configured to the same area
number. The format of the area number is either a decimal value from the range
1-4294967295 or a value represented in standard dotted-decimal notation. Area 0.0.0.0 is a
legitimate area, for instance, and is identical to area 0. Again, we only support area 0 in this
module at this time.
Configure the Router0 to advertise both directly connected networks with OSPF.
Router0(config-router)#network 172.16.1.1 0.0.0.0 area 0
The command: network 172.16.1.1 0.0.0.0 area 0 tells the OSPF process to advertise the
interface 172.16.1.1 into area 0. The wildcard mask of 0.0.0.0 tells the process to match
each octet exactly.
The command: network 172.16.0.0 0.0.0.255 area 0 tells the router OSPF process to look
for any interface in subnet 172.16.0.0 and advertise that in area 0. With a wildcard of
0.0.0.255, this tells the OSPF process to match the first three octets exactly, but the fourth
octet value is irrelevant.
We could have used this command as well: network 172.16.0.1 0.0.0.0 area 0, which is
just another way to advertise the same interface, but is more precise. There is no difference in
function on the router or in OSPF.
Understand that all we are doing is advertising OSPF networks and this lab is showing the
The command: network 172.16.1.2 0.0.0.0 area 0 tells the OSPF process to advertise the
interface 172.16.1.2 into area 0. The wildcard mask of 0.0.0.0 tells the process to match all
four octets exactly.
The command: network 172.0.0.0 0.255.255.255 area 0 tells the OSPF process to look for
an interface configured with network 172 in the first octet, but the other three octets can be
any value. Once found, place that interface in area 0. Understand that with this second
command, the first command is really not needed; it is included only as an example.
The network command 172.0.0.0 will find any interface that has an IP address that starts
with 172 and put that in area 0.
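As an added illustration of the network/wildcard matching explained above (example code written for this edit, not from the ICTTI lab or from Cisco IOS): a 0 bit in the wildcard forces an exact match, a 1 bit is "don't care", and the area may be written in decimal or dotted-decimal form. The interface addresses, the third statement with a dotted area, and the most-specific-first ordering of statements are assumptions made for the example.

```python
# Added example (not from the ICTTI textbook): how an OSPF
#   network A.B.C.D WILDCARD area AREA
# statement selects interfaces. Pure Python; the interface addresses are constructed.
import ipaddress


def parse_area(area: str) -> int:
    """Accept an area as decimal ('0') or dotted-decimal ('0.0.0.0'); return its 32-bit value.
    Area 0 and area 0.0.0.0 therefore compare equal."""
    if "." in area:
        return int(ipaddress.IPv4Address(area))
    value = int(area)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("OSPF area must fit in 32 bits")
    return value


def network_matches(interface_ip: str, network: str, wildcard: str) -> bool:
    """True if interface_ip matches network/wildcard.
    A 0 bit in the wildcard means that bit must match exactly; a 1 bit means 'don't care'
    (0.0.0.0 matches one address only; 0.255.255.255 matches on the first octet alone)."""
    ip = int(ipaddress.IPv4Address(interface_ip))
    net = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip & care) == (net & care)


def assign_areas(network_statements, interfaces):
    """Return {interface_name: area or None} for a list of (network, wildcard, area)
    statements and a dict {interface_name: ip}. Statements are tried most-specific
    first (fewest wildcard bits), assumed here to mirror the order IOS keeps them in;
    an interface matched by no statement does not run OSPF."""
    def specificity(stmt):
        return bin(int(ipaddress.IPv4Address(stmt[1]))).count("1")
    ordered = sorted(network_statements, key=specificity)
    result = {}
    for name, ip in interfaces.items():
        result[name] = None
        for network, wildcard, area in ordered:
            if network_matches(ip, network, wildcard):
                result[name] = parse_area(area)
                break
    return result


# Constructed router resembling Router1 in the lab: two serial links in 172.16.x.0
# and a LAN in 10.0.0.0/8 (addresses are assumptions, not from the lab)
ROUTER1_INTERFACES = {
    "Serial0/0": "172.16.1.2",
    "Serial0/1": "172.16.2.1",
    "FastEthernet0/0": "10.0.0.1",
}

if __name__ == "__main__":
    statements = [
        ("172.16.1.2", "0.0.0.0", "0"),            # exactly one interface, as the text recommends
        ("172.0.0.0", "0.255.255.255", "0"),       # anything whose first octet is 172
        ("10.0.0.0", "0.255.255.255", "0.0.0.1"),  # dotted area, identical to area 1
    ]
    print(assign_areas(statements, ROUTER1_INTERFACES))
```

The safer style the text recommends (wildcard 0.0.0.0 per interface) is visible in the first statement: it can never pull an unintended interface into the OSPF process, whereas 172.0.0.0 0.255.255.255 would also enable OSPF on any future interface numbered in 172.x.x.x.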
Configure the Router2 to advertise both directly connected networks with OSPF.
Router2(config-router)#network 172.16.2.2 0.0.0.0 area 0
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Area BACKBONE(0)
The information displayed by the show ip ospf database command indicates the number of
links and the neighboring Router ID. The output is broken down by area. Here is a sample
output from the Router0.
Router0#show ip ospf database
The show ip ospf interface command displays all interface-related OSPF information. Data
is displayed about OSPF information for all interfaces or for specified interfaces. Information
includes the interface IP address, area assignment, Process ID, Router ID, network type,
cost, priority, DR/BDR (if applicable), timer intervals, and adjacent neighbor information.
Router0#show ip ospf interface
The show ip ospf neighbor command is very useful. It summarizes the pertinent OSPF
information regarding neighbors and the adjacency state. If a DR or BDR exists, that
information is also displayed.
Router0#show ip ospf neighbor
The show ip protocols command is useful whether you are running OSPF, EIGRP, IGRP,
RIP, BGP, ISIS, or any other routing protocol you can configure on your router. It provides
an excellent overview of the actual operation of all currently running protocols.
Router0#show ip protocols
Based upon this output, you can determine the OSPF Process ID, OSPF Router ID, type of
OSPF area, networks and areas configured for OSPF, and OSPF Router IDs of neighbors.
[Topology figure: R1 s0/0 (.2) -- 172.10.1.0/30 -- s0/1 (.1, DCE) R2 s0/0 (.2) -- 192.168.1.0/30 -- s0/0 (.1, DCE) ISP.
LANs: R1 f0/0 .1 on 172.10.0.0/25; R2 f0/0 .129 on 172.10.0.128/25; ISP f0/0 .1 on 192.168.0.0/24]
interface FastEthernet0/0
interface Serial0/0
router rip
version 2
passive-interface FastEthernet0/0
network 172.10.0.0
!
R2
hostname R2
interface FastEthernet0/0
interface Serial0/0
interface Serial0/1
clockrate 64000
router rip
version 2
passive-interface FastEthernet0/0
passive-interface Serial0/0
network 172.10.0.0
ISP
hostname ISP
interface FastEthernet0/0
interface Serial0/0
clockrate 64000
Routing table on R1
R1#sh ip route
Routing table on R2
R2#sh ip route
U.U.U
PC2#ping 192.168.0.10
.U.U.
R2(config)#^Z
R2#sh ip route
!!!!!
R2(config)#router rip
R2(config-router)#default-information originate
!!!!!
router-id 1.1.1.1
log-adjacency-changes
default-information originate
!
Hands-on-Lab 6 RIPv2
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
HQ F0/0 NA
F0/1 NA
S0/0 210.165.201.2 255.255.255.252 NA
S0/1 NA
S0/2 NA
B1 F0/0 NA
F0/1 NA
S0/0 NA
B2 F0/0 NA
F0/1 NA
S0/0 NA
ISP F0/0 210.165.202.129 255.255.255.252 NA
1. Select the devices (Cisco 1800 series, Cisco2800 series, and Cisco2600 series).
4. Test connectivity
Before continuing, make sure that each device can ping its directly connected
neighbor.
Hands-on-Lab 7 EIGRP
Addressing Table
Device Interface IP Address Subnet Mask Default Gateway
HQ F0/0 NA
F0/1 NA
S0/0 210.165.201.2 255.255.255.252 NA
S0/1 NA
S0/2 NA
B1 F0/0 NA
F0/1 NA
S0/0 NA
B2 F0/0 NA
F0/1 NA
S0/0 NA
ISP F0/0 210.165.202.129 255.255.255.252 NA
S0/0 210.165.201.1 255.255.255.252 NA
3. Test connectivity
Before continuing, make sure that each device can ping its directly connected
neighbor.
Configure all devices with EIGRP routing. In your configuration, make sure you include the
following:
Disable automatic summarization
Stop routing updates on interfaces that are not connected to EIGRP neighbors
Use verification commands to check your configuration. All routers should be
converged on all the 10.2.32.0/22, and 172.30.0.0/28 subnets.
5. Fine-tune EIGRP
Adjust the bandwidth values used to calculate metrics. The links between the branch
routers are for backup purposes only. Configure the bandwidth value to 64 kbps so
that EIGRP does not equal-cost load balance across the T1 links to HQ and the backup
links to the neighboring branch router.
Change the hello intervals for the 64 kbps links to 60 seconds, and the hold-down
timer to 180 seconds.
Hands-on-Lab 8 OSPF
Addressing Table
Device Interface IP Address Subnet Mask
R1 F0/0 10.1.1.1 255.255.255.248
S0/0 211.165.202.2 255.255.255.252
R2 F0/0 10.1.1.2 255.255.255.248
F0/1
F1/0
R3 F0/0 10.1.1.3 255.255.255.248
F0/1
R4 F0/0 10.1.1.4 255.255.255.248
F0/1
F1/0
ISP F0/0 211.165.202.5 255.255.255.252
S0/0 211.165.202.1 255.255.255.252
SRV 211.165.202.6 211.165.202.5
PC1
PC2
PC3
PC4
PC5
4. Fine-tuning OSPF
R1 will never participate in a DR/BDR election
R2 will always become the DR
R3 and R4 will both have the same priority of 100.
R4 should always become the BDR
All priorities should be set on f0/0
Restart R1, R2, R3, and R4 to force the DR/BDR election.
5. Configure Static and Default Routing
On R1, create a default route to ISP and propagate the route within OSPF
updates.
At its most basic level, an Ethernet switch provides isolation from other connected hosts in
several ways:
The collision domain's scope is severely limited. On each switch port, the collision
domain consists of the switch port itself and the devices directly connected to that
port: either a single host or, if a shared-media hub is connected, the set of hosts
connected to the hub.
Host connections can operate in full-duplex mode because there is no contention on
the media. Hosts can talk and listen at the same time.
Bandwidth is no longer shared. Instead, each switch port offers dedicated bandwidth
across a switching fabric to another switch port. (These connections change
dynamically.)
Errors in frames are not propagated. Each frame received on a switch port is
checked for errors. Good frames are regenerated when they are forwarded or
transmitted. This is known as store-and-forward switching technology: Packets are
received, stored for inspection, and then forwarded.
You can limit broadcast traffic to a volume threshold.
Other types of intelligent filtering or forwarding become possible.
Layer 2 switches contain queues where frames are stored after they are received and
before they are sent. When a Layer 2 switch receives a frame on a port, it places that frame
in one of the port's ingress queues. When the switch decides which port that frame should
be sent out of, it places the frame in that port's egress queue. If the destination MAC address
in the frame is not in the MAC address table, the frame is placed in the egress queue of all
ports and is flooded throughout the network. All the decisions are made simultaneously by
independent portions of switching hardware and can be described as follows:
L2 forwarding table
Security ACLs
QoS ACLs
Each port can be configured with multiple ingress or egress queues. Using Quality of
Service (QoS), each queue can be assigned a different priority. Thus, we can give a higher
preference to more critical traffic, such as video conferencing, by placing that traffic in a high
priority queue.
Before a Layer 2 switch can take a frame from one port's ingress queue to another port's
egress queue, it must consult two tables:
Content Addressable Memory (CAM), which is Cisco's term for the MAC address
table. It can also be referred to as the Layer 2 Forwarding Table. By default, idle
CAM table entries are kept for 300 seconds before they are deleted.
Ternary Content Addressable Memory (TCAM), which contains access lists that
can filter frames by MAC address, and QoS access lists to prioritize traffic. In
multi-layer switches, the TCAM also contains access lists to filter frames based on
IP address or TCP/UDP port.
To allow Telnet or SSH access to the switch, to allow other IP-based management protocols
such as Simple Network Management Protocol (SNMP) to function as intended, or to allow
access to the switch using graphical tools such as Cisco Device Manager (CDM), the switch
needs an IP address. Switches do not need an IP address to be able to forward Ethernet
frames. You can statically configure a switch with its IP address/mask/gateway, or the switch
can dynamically learn this information using DHCP.
An IOS-based switch configures its IP address and mask on a special virtual interface called
the VLAN 1 interface. This interface plays the same role as an Ethernet interface on a PC. In
effect, a switch's VLAN 1 interface gives the switch an interface into the default VLAN used
on all ports of the switch, namely VLAN 1.
Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch#configure terminal
Switch(config)#interface vlan 1
Switch(config-if)#no shutdown
Switch(config-if)#exit
You can configure the individual ports on a switch with various information and settings, as
detailed in the following sections.
To select a single switch port, enter the following command in global configuration mode:
To select several arbitrary ports for a common configuration setting, you can identify them
as a range entered as a list. All port numbers and the commas that separate them must be
separated with spaces. Use the following command in global configuration mode:
To specify the port speed on a particular Ethernet port, use the following
interface-configuration command:
To set the link mode on a switch port, enter the following command in interface configuration
mode:
Switch(config-if)# duplex {auto | full | half}
For instance, you could use the following commands to configure 10/100/1000
interfaces GigabitEthernet 3/1 for autonegotiation and 3/2 for 100-Mbps full duplex (no
autonegotiation).
Switch(config)# interface gig 3/1
Cisco originally chose the default interface configuration settings on Cisco switches so that
the interfaces would work without any overt configuration. The interfaces automatically
negotiate the speed and duplex, and each interface begins in an enabled (no shutdown)
state, with all interfaces assigned to VLAN 1. Additionally, every interface defaults to
negotiating the use of the VLAN features called VLAN trunking and VLAN Trunking Protocol (VTP).
Cisco's good intentions for plug-and-play operation have an unfortunate side effect: these
defaults expose switches to some security threats. So, for any currently unused switch
interfaces, Cisco makes some general recommendations to override the default interface
settings and make the unused ports more secure. The recommendations for unused
interfaces are as follows:
Administratively disable the interface using the shutdown interface subcommand.
Prevent VLAN trunking and VTP by making the port a nontrunking interface using
the switchport mode access interface subcommand.
Assign the port to an unused VLAN using the switchport access vlan number
interface subcommand.
4.2.4. Configuring the Layer 2 Forwarding Path with the MAC Address
Table (CAM)
All Catalyst switch models use a CAM table for Layer 2 switching. As frames arrive on
switch ports, the source MAC addresses are learned and recorded in the CAM table. The
port of arrival and the VLAN both are recorded in the table, along with a time stamp. If a
MAC address learned on one switch port has moved to a different port, the MAC address
and time stamp are recorded for the most recent arrival port. Then, the previous entry is
deleted. If a MAC address is found already present in the table for the correct arrival port,
only its time stamp is updated.
To view the contents of the CAM table, you can use the following form of the show mac
address-table EXEC command:
Switch# show mac address-table dynamic [address mac-address | interface type mod/num
| vlan vlan-id ]
------------------------------------------
Switch#
To change the aging timer for dynamically learned MAC addresses in the CAM from its
default of 300 seconds to 360 seconds:
To statically add to the CAM a MAC address of 0011.2233.4455, which resides on Port
FA0/0 on VLAN 1:
Switch(config)# mac address-table static 0011.2233.4455 vlan 1 interface fa0/0
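To make the CAM behaviour described in this section concrete (learning by source MAC, a host moving to another port, time-stamp refresh, the 300-second aging default and static entries), here is an added model written for this edit; it is not Catalyst code. Port names, MAC addresses and the event times are constructed.

```python
# Added example (not Catalyst code): a small model of the CAM (MAC address) table:
# source-MAC learning per VLAN, port moves, time-stamp refresh, aging of idle
# dynamic entries and static entries that never age. Times are in seconds.
from dataclasses import dataclass

DEFAULT_AGING_SECONDS = 300   # IOS default aging time for dynamic entries


@dataclass
class CamEntry:
    port: str
    vlan: int
    last_seen: float
    static: bool = False


class CamTable:
    def __init__(self, aging_seconds: int = DEFAULT_AGING_SECONDS):
        self.aging_seconds = aging_seconds
        self.entries = {}   # (vlan, mac) -> CamEntry

    @staticmethod
    def _key(mac: str, vlan: int):
        return (vlan, mac.lower())

    def learn(self, mac: str, vlan: int, port: str, now: float) -> str:
        """Record that a frame with source 'mac' arrived on 'port' in 'vlan' at time 'now'.
        Returns what happened: 'learned', 'refreshed', 'moved' or 'static-ignored'."""
        key = self._key(mac, vlan)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = CamEntry(port, vlan, now)
            return "learned"
        if entry.static:
            return "static-ignored"    # a static entry is not overwritten by learning
        if entry.port == port:
            entry.last_seen = now      # same port: only the time stamp is updated
            return "refreshed"
        # seen on a different port: the most recent arrival port replaces the old entry
        self.entries[key] = CamEntry(port, vlan, now)
        return "moved"

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """Equivalent of 'mac address-table static MAC vlan VLAN interface PORT'."""
        self.entries[self._key(mac, vlan)] = CamEntry(port, vlan, 0.0, static=True)

    def age(self, now: float) -> int:
        """Delete dynamic entries idle for aging_seconds or longer; return the count removed."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen >= self.aging_seconds]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def lookup(self, mac: str, vlan: int):
        """Port for (mac, vlan), or None when unknown (the frame would then be flooded)."""
        entry = self.entries.get(self._key(mac, vlan))
        return entry.port if entry else None


def walkthrough():
    """Constructed sequence: host 000a.000a.000a moves from Fa0/1 to Fa0/2, then goes idle."""
    cam = CamTable()
    events = [
        cam.learn("000a.000a.000a", 1, "Fa0/1", 0.0),
        cam.learn("000a.000a.000a", 1, "Fa0/1", 100.0),
        cam.learn("000a.000a.000a", 1, "Fa0/2", 150.0),
    ]
    removed = cam.age(450.0)          # 300 s after the last sighting on Fa0/2
    return events, removed, cam.lookup("000a.000a.000a", 1)


if __name__ == "__main__":
    print(walkthrough())    # (['learned', 'refreshed', 'moved'], 1, None)
```

Constructing a CamTable with aging_seconds=360 corresponds to the timer change described just above; the static entry for 0011.2233.4455 is the case where learning on another port is ignored and the entry survives every aging pass.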
[Figure: placement of STP features in the hierarchical design; labels: Root Bridge, Secondary Root Bridge, Core Layer, Distribution Layer, BackboneFast, Loop Guard]
The three waiting periods of (by default) 20 seconds for Maximum Age, 15 seconds for
Forward Delay (Listening), and 15 seconds for Forward Delay (Learning) create STP's
relatively slow convergence. RSTP convergence times typically take less than 10 seconds.
In some cases, they can be as low as 1 to 2 seconds.
Because of its proprietary nature, PVST requires the use of Cisco Inter-Switch Link (ISL)
trunking encapsulation between switches. In networks where PVST and CST coexist,
interoperability problems occur. Each requires a different trunking method, so BPDUs are
never exchanged between STP types.
To do this, PVST+ acts as a translator between groups of CST switches and groups of
PVST switches.
STP uses three criteria to choose whether to put an interface in forwarding state:
STP elects a root bridge. STP puts all interfaces on the root bridge in forwarding
state.
Each non-root bridge considers one of its ports to have the least administrative cost
between itself and the root bridge. STP places this least-root-cost interface, called
Each non-root bridge's root port: Forwarding. The root port is the port receiving the lowest-cost
BPDU from the root.
Each LAN's designated port: Forwarding. The bridge forwarding the lowest-cost BPDU onto
the segment is the designated bridge for that segment.
All other ports: Blocking. The port is not used for forwarding frames, nor are any frames
received on these interfaces considered for forwarding.
On a root bridge
Switch(config)#spanning-tree vlan 1-100 root primary
Or set the priority to 0 (zero). The priority must be in the range 0-61440, and the default is 32,768.
Switch(config)#spanning-tree vlan 1-100 priority 0
The Root Path Cost for each active port of a switch is determined by the cumulative cost as
a BPDU travels along. As a switch receives a BPDU, the port cost of the receiving port is
added to the root path cost in the BPDU. The port or port path cost is inversely proportional
to the port's bandwidth. If desired, a port's cost can be modified from the default value.
For example, a Gigabit Ethernet interface has a default port cost of 4. You can use the
following command to change the cost to 2, but only for VLAN 10:
Switch(config-if)# spanning-tree vlan 10 cost 2
You can see the port cost of an interface by using the following command:
Switch# show spanning-tree interface type mod/num [cost]
As an example, GigabitEthernet 0/1 is configured as a trunk port, carrying VLANs 1, 10, and
20. shows the port cost for each of the VLANs.
The next criterion of an STP decision is the port ID. The port ID value that a switch uses is
actually a 16-bit quantity: 8 bits for the port priority and 8 bits for the port number. The port
priority is a value from 0 to 255 and defaults to 128 for all ports. Whichever interface has the
lowest Port ID will become the Root Port. Remember that port priority is the last tiebreaker
STP will consider. Lowering this value will ensure a specific interface becomes the Root
Port.
To confirm STP port priority values with the show spanning-tree interface command:
Switch#show spanning-tree interface gigabitEthernet 3/16
The third and final step in the STP process is to identify Designated Ports. Each network
segment requires a single Designated Port, which has the lowest path cost leading to the
Root Bridge. This port will not be placed in a blocking state. A port cannot be both a
designated Port and a Root Port. Ports on the Root Bridge are never placed in a blocking
state, and thus become Designated Ports for directly attached segments.
4.3.5. PortFast
PortFast enables fast connectivity to be established on access-layer switch ports to
workstations that are booting up.
Switch(config-if-range)#switchport host
4.3.6. UplinkFast
UplinkFast enables fast-uplink failover on an access-layer switch when dual uplinks are
connected into the distribution layer.
4.3.7. BackboneFast
BackboneFast enables fast convergence in the network backbone (core) after a
spanning-tree topology change occurs.
To configure BPDU guard as a global default, affecting all switch ports with a single
command:
Switch(config)# spanning-tree portfast bpduguard default
4.3.12. UDLD
Usually a fiber link is made up of two unidirectional links, one used as the uplink and one as
the downlink. If a problem happens in only one of them, STP cannot detect it. UDLD (Unidirectional
Link Detection) must be configured on fiber and SFP ports in order to detect unidirectional
link problems.
If it is configured in global configuration mode, it is applied to all the fiber ports; otherwise,
configure it only on a specific interface. It must be enabled at both ends of the
fiber.
Switch(config)#udld enable
The following examples were taken from a small network with two switches, as shown in
Figure 10. Two 2950s connect using crossover cables. The cables are plugged into
interfaces 0/9 and 0/12 on both switches.
[Figure 10: S1-2950 Fa0/9 -- Fa0/9 S2-2950; S1-2950 Fa0/12 -- Fa0/12 S2-2950]
S1#sh spanning-tree
VLAN0001
Address 0009.43bd.7340
Cost 19
Port 9 (FastEthernet0/9)
Address 0019.568d.4880
S2#sh spanning-tree
VLAN0001
Address 0009.43bd.7340
Address 0009.43bd.7340
This example lists the output of the show spanning-tree command on SW1. At the beginning
of the example, the SW1 output lists the root bridge ID, comprised of the priority and MAC
address, first. The bridge ID combines the priority and the MAC address used to identify
each bridge or switch. Next, the output lists SW1-2950's own bridge ID. Notice that the root
bridge ID is different from SW1-2950's bridge ID.
The topology in this example ends up with SW2 as the root bridge, so it forwards on both
interfaces. SW1-2950 receives BPDUs on FastEthernet ports 0/9 and 0/12. From the
topology, you know that the two BPDUs are both from SW2, and both tie in every respect.
However, SW1 must choose one interface to put into forwarding state and one into blocking
state to avoid a loop. You can see in the example that the port cost is 19 on each interface,
the default IEEE port cost for FastEthernet interfaces. So SW1 breaks the tie by using the
lowest internal interface number, which is FastEthernet 0/9. So, in the example, you see
SW1 port 0/9 in forwarding state and 0/12 in blocking state.
S1(config)#int f0/12
S1(config-if)#spanning-tree cost 2
S1(config-if)#
S1#sh spanning-tree
VLAN0001
Address 0009.43bd.7340
Cost 2
Port 12 (FastEthernet0/12)
Address 0019.568d.4880
S1(config)#
00:43:16: setting bridge id (which=1) prio 24577 prio cfg 24576 sysid 1 (on) id
6001.0019.568d.4880
S1#sh spanning-tree
VLAN0001
Address 0019.568d.4880
Address 0019.568d.4880
S2#sh spanning-tree
VLAN0001
Address 0019.568d.4880
Cost 19
Port 9 (FastEthernet0/9)
Address 0009.43bd.7340
This example starts with the debug spanning-tree command on SW1-2950. This command
tells the switch to issue informational messages whenever STP performs any significant
work. These messages show up in the example as a result of the commands shown later in
the example output. Next, the port cost of the SW1-2950 interface fastethernet 0/12 is
changed using the spanning-tree cost 2 command. (The default cost on a 100-Mbps link is
19.) Immediately following this command, you see the first meaningful debug messages.
SW1-2950 issues a message each time an interface transitions to another state, and it
includes a time stamp.
Notice that the message stating that fastethernet 0/12 moves to listening state is followed by
a message stating that fastethernet 0/12 has been placed in learning state, and the time
stamp shows that this message was issued 15 seconds after the first one. Similarly, the
message stating that fastethernet 0/12 was placed in forwarding state happens 15 seconds
after that. So the debug messages simply reinforce the notion of the Forward Delay timer.
Following the debug messages, the output of the show spanning-tree command lists
fastethernet 0/9 as blocking and fastethernet 0/12 as forwarding, with the cost to the root
bridge now only 2, based on the changed cost of interface fastethernet 0/12. The next
change occurs when the spanning-tree vlan 1 root primary command is issued on
SW1-2950. This command changes the bridge priority to 24,576, which makes SW1-2950
the root. The debug messages that follow confirm this fact.
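The STP decision sequence of sections 4.3 (root bridge election by bridge ID, root path cost, port ID tiebreak) and the two-switch walkthrough above can be reproduced in a few lines. The following is an added example written for this edit, not the textbook's or Cisco's code; it uses the two MAC addresses from the show output and assumes both switches run VLAN 1 with default port priorities. In this symmetric cabling the sender's Port ID and the local interface number give the same answer, so Fa0/9 wins the tie exactly as the text explains; lowering the cost on Fa0/12 to 2 and then issuing root primary (priority 24576) reproduces the two later changes.

```python
# Added example (not from the textbook or Cisco): the STP decision sequence in Python,
# applied to the constructed two-switch topology of Figure 10 (S1-2950 and S2-2950
# cabled Fa0/9<->Fa0/9 and Fa0/12<->Fa0/12). Priorities include the VLAN 1 sys-id-ext
# (+1), which is why 32768 appears as 32769 and 24576 as 24577 in the device output.
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 24576   # value 'spanning-tree vlan 1 root primary' sets in the text
FASTETHERNET_COST = 19          # IEEE default port cost for a 100 Mbps link


def bridge_key(priority: int, mac: str, vlan: int = 1):
    """Bridge ID as a comparable tuple: the lower (priority + sys-id-ext, MAC) wins."""
    return (priority + vlan, int(mac.replace(".", ""), 16))


def port_id(port_number: int, port_priority: int = 128) -> int:
    """16-bit Port ID: 8 bits of port priority (default 128) and 8 bits of port number."""
    return (port_priority << 8) | port_number


@dataclass
class Bpdu:
    root: tuple            # bridge key of the root the sender believes in
    root_path_cost: int    # sender's cost to that root (0 when the root itself sends)
    sender: tuple          # sender's bridge key
    sender_port_id: int    # Port ID of the sender's transmitting port


def elect_root(bridges: dict) -> str:
    """bridges: {name: (priority, mac)}; returns the name with the lowest bridge ID."""
    return min(bridges, key=lambda n: bridge_key(*bridges[n]))


def select_root_port(received: dict):
    """received: {local_port_name: (local_port_number, local_port_cost, Bpdu)}.
    802.1D ordering: lowest root ID, then lowest root path cost (BPDU cost + receiving
    port cost), then lowest sender bridge ID, then lowest sender Port ID, then lowest
    receiving Port ID. Returns (port_name, cost_to_root)."""
    def rank(name):
        number, cost, b = received[name]
        return (b.root, b.root_path_cost + cost, b.sender, b.sender_port_id, port_id(number))
    best = min(received, key=rank)
    number, cost, b = received[best]
    return best, b.root_path_cost + cost


def s1_scenario(cost_fa0_12: int = FASTETHERNET_COST, s1_priority: int = DEFAULT_PRIORITY) -> dict:
    """Reproduces the text's example; MAC addresses are the ones shown in the show output."""
    s1 = bridge_key(s1_priority, "0019.568d.4880")
    s2 = bridge_key(DEFAULT_PRIORITY, "0009.43bd.7340")
    if s1 < s2:
        return {"root": "S1", "root_port": None, "cost": 0}
    # S2 is the root: it sends BPDUs with root path cost 0 from its Fa0/9 and Fa0/12
    received = {
        "Fa0/9":  (9,  FASTETHERNET_COST, Bpdu(s2, 0, s2, port_id(9))),
        "Fa0/12": (12, cost_fa0_12,       Bpdu(s2, 0, s2, port_id(12))),
    }
    root_port, cost = select_root_port(received)
    return {"root": "S2", "root_port": root_port, "cost": cost}


if __name__ == "__main__":
    print(s1_scenario())                    # Fa0/9 wins the tie, cost 19
    print(s1_scenario(cost_fa0_12=2))       # Fa0/12 now has the lowest cost, 2
    print(s1_scenario(cost_fa0_12=2, s1_priority=ROOT_PRIMARY_PRIORITY))  # S1 is root
```

Because the root election is decided by the lowest priority/MAC pair, any device that can send a BPDU with a lower bridge ID can take over the root role; that is the reason the text recommends pinning the root with root primary on a core switch and BPDU guard on access ports.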
Switch1(config-if)#no shutdown
Switch2(config-if)#no shutdown
Switch2#ping 172.16.0.10
!!!!!
Configure Switch3.
Switch3(config)#int vlan 1
Switch3(config-if)#no shutdown
!!!!!
Switch3#ping 172.16.0.20
Type escape sequence to abort.
!!!!!
Switch1#sh spanning-tree
VLAN0001
Root ID Priority 1
Address 0060.3E3A.DE25
Address 0060.3E3A.DE25
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
Switch2#show spanning-tree
VLAN0001
Root ID Priority 1
Address 0060.3E3A.DE25
Cost 19
Port 1(FastEthernet0/1)
Address 000C.853E.006E
Aging Time 20
Switch3#show spanning-tree
VLAN0001
Root ID Priority 1
Address 0060.3E3A.DE25
Cost 19
Port 2(FastEthernet0/2)
Address 000C.85DA.5AB3
Aging Time 20
Interface Role Sts Cost Prio.Nbr Type
[Topology figure: S1 Fa0/2 -- Fa0/2 S2; S1 Fa0/4 -- Fa0/4 S3; S2 Fa0/3 -- Fa0/3 S3; PC1 and PC2 attached to S3 on Fa0/10 and Fa0/9]
Table columns: Switch | Enable Secret Password | Enable, VTY Passwords | VLAN 1 IP Address | Default Subnet Mask
Objective
Create a basic switch configuration and verify it.
Determine which switch is selected as the root switch with the factory default
settings.
Force the other switch to be selected as the root switch.
Background/Preparation
Cable a network similar to the one in the diagram. The configuration output used in this lab
is produced from a 2950 series switch. Any other switch used may produce different output.
The following steps are to be executed on each switch unless specifically instructed
otherwise.
Step 3 Verify connectivity and display the show interface VLAN options
___________________
a. What are the MAC addresses of the switches : S1, S2 and S3?
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
b. Which switch should be the root of the spanning-tree for VLAN 1? __________________
______________________________________________________________________
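As an added illustration that is not part of the textbook, the following Python model works the root election and the root-port choice through for the three switches whose show spanning-tree output appears above. The MAC addresses are those from the output; the factory-default priority 32768, the triangle cabling and the port numbers in LINKS are assumptions.

```python
import heapq

# 802.1D-1998 path cost of a 100 Mbit/s link (the "Cost 19" in the output above).
FAST_ETHERNET_COST = 19

# Bridge MAC addresses as shown by show spanning-tree in the text.  Priority
# 32768 is the 802.1D factory default (assumed for the "before" state);
# priority 1 is the value the lab forces on the switch that should become root.
DEFAULT = {
    "Switch1": (32768, "0060.3E3A.DE25"),
    "Switch2": (32768, "000C.853E.006E"),
    "Switch3": (32768, "000C.85DA.5AB3"),
}
FORCED = dict(DEFAULT, Switch1=(1, "0060.3E3A.DE25"))

# Constructed triangle cabling: (switch A, port on A, switch B, port on B, cost).
LINKS = [
    ("Switch1", "Fa0/1", "Switch2", "Fa0/1", FAST_ETHERNET_COST),
    ("Switch1", "Fa0/2", "Switch3", "Fa0/2", FAST_ETHERNET_COST),
    ("Switch2", "Fa0/3", "Switch3", "Fa0/3", FAST_ETHERNET_COST),
]


def bridge_id(priority, mac):
    """Comparable bridge ID: the lower priority wins, then the lower MAC."""
    return (priority, mac.lower().replace(".", ""))


def elect_root(switches):
    """Every switch starts by claiming to be root; the lowest bridge ID wins."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_path_costs(links, switches, root):
    """Root path cost and root port of every non-root switch.

    Returns {switch: (cost, root port)}.  Among equal-cost paths the BPDU
    from the neighbour with the lower bridge ID wins, as in 802.1D.
    """
    adj = {}
    for a, port_a, b, port_b, cost in links:
        adj.setdefault(a, []).append((b, port_b, cost))  # b hears a on port_b
        adj.setdefault(b, []).append((a, port_a, cost))  # a hears b on port_a
    root_bid = bridge_id(*switches[root])
    best = {root: (0, root_bid, None)}
    heap = [(0, root_bid, root)]
    while heap:
        cost, sender, node = heapq.heappop(heap)
        if (cost, sender) > best[node][:2]:
            continue  # stale heap entry
        for nbr, nbr_port, link_cost in adj.get(node, []):
            cand = (cost + link_cost, bridge_id(*switches[node]))
            if nbr not in best or cand < best[nbr][:2]:
                best[nbr] = (cand[0], cand[1], nbr_port)
                heapq.heappush(heap, (cand[0], cand[1], nbr))
    return {sw: (c, port) for sw, (c, _, port) in best.items() if sw != root}


if __name__ == "__main__":
    for label, sw in (("factory defaults", DEFAULT), ("priority 1 on Switch1", FORCED)):
        root = elect_root(sw)
        print(f"{label}: root = {root}, {root_path_costs(LINKS, sw, root)}")
```

With factory defaults the lowest MAC (Switch2) becomes root; after the priority change Switch1 wins and Switch2 and Switch3 reach it at cost 19 through Fa0/1 and Fa0/2, matching the output above.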
[Figure 11: switched network (Host A shown)]
The greatest benefit of a layer 2 switched network is that an individual collision domain
segment is created for each device plugged into each port on the switch, as shown in
Figure 11. The drawback is that the larger the number of users and devices, the more
broadcasts and packets each switch must handle.
[Figure: switched network with Host A and Host D]
One considerable issue in switched networks is security. By default, all users can see all
devices in a typical layer 2 switched internetwork. You cannot stop devices from
broadcasting, and you cannot stop users from trying to respond to broadcasts. Such
problems can be solved by combining layer 2 switching with virtual LANs (VLANs).
[Figure: two physical LANs divided into VLAN1 (Software Development Department), VLAN2 (Network Technology Department) and VLAN3]
When VLANs are created, you are given the ability to create smaller broadcast domains
within a layer 2 switched internetwork by assigning different ports on the switch to different
subnetworks. A VLAN is treated like its own subnet or broadcast domain, meaning that
frames broadcast onto the network are only switched between the ports logically grouped
within the same VLAN. In other words, a VLAN is a broadcast domain created by one or
more switches. The switch creates a VLAN simply by putting some interfaces in one VLAN
and some in another.
Before VLANs existed, if a design specified two separate broadcast domains, two
switches would be used, one for each broadcast domain.
VLANs are pretty simple in concept and in practice. The following list hits the high points:
A collision domain is a set of network interface cards (NICs) for which a frame sent by
one NIC could result in a collision with a frame sent by any other NIC in the same
collision domain.
A broadcast domain is a set of NICs for which a broadcast frame sent by one NIC is
received by all other NICs in the same broadcast domain.
A VLAN is essentially a broadcast domain.
VLANs are typically created by configuring a switch to place each port in a particular
VLAN.
Layer 2 switches forward frames between devices in the same VLAN; they cannot
forward frames between different VLANs.
A Layer 3 switch, multilayer switch, or router can be used to essentially route packets
between VLANs.
The set of devices in a VLAN typically also is in the same IP subnet; devices in different
VLANs are in different subnets.
Generally, the first consideration for setting up VLANs in your network is planning your
environment. Will the VLANs span multiple switches, or will you only be segmenting one
switch? If you only have one switch to segment, you can just configure the VLANs with no
other considerations. If you need to span multiple switches with VLAN information, you will
need to decide which switches need which VLANs. You will also need to configure trunking
and set up VLAN Trunking Protocol (VTP). Detailed explanations concerned with VTP are
discussed in section 5.2.
Static VLANs are also referred to as port-based VLANs. Static VLAN assignments are
created by assigning ports to a VLAN. As a device enters the network, it automatically
assumes the VLAN of the port. If the user changes ports and needs access to the same
VLAN, the network administrator must manually make a port-to-VLAN assignment for the
new connection. For example, suppose a 12-port Fast Ethernet switch is split to create
2 VLANs: the first 6 ports are associated with VLAN1 and the last 6 ports with VLAN2.
If a machine is moved from port 3 to port 11, it will effectively change VLANs.
Dynamic VLANs are specified by MAC address. With a VLAN Management Policy Server
[VMPS], an administrator can assign switch ports to VLANs dynamically based on
information such as the source MAC address of the device connected to the port or the
username used to log onto that device. The VMPS database automatically maps MAC
addresses to VLANs. As a device enters the network, the device queries a database for
VLAN membership. See also FreeNAC which implements a VMPS server. Assuming the
same scenario, a system administrator will enter MAC addresses for all machines
connecting to the switch. These addresses will be stored in a memory chip inside the switch
that forms a database of local MAC addresses. Each MAC address can then be associated
with a certain VLAN. This way, if a machine is moved, it will retain the original VLAN
membership regardless of its port number.
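The following Python model is an added illustration, not textbook code: it implements the 12-port switch from the static VLAN example above, shows that broadcasts and unknown unicasts are flooded only within the sender's VLAN, and shows how a VMPS-style MAC-to-VLAN database keeps a moved host in its VLAN. All MAC addresses and port numbers are constructed sample data.

```python
BCAST = "ffff.ffff.ffff"


class Switch:
    """A layer 2 switch with a static port-to-VLAN map and an optional
    VMPS-style MAC-to-VLAN database for dynamic assignment."""

    def __init__(self, port_vlans, vmps=None):
        self.port_vlans = dict(port_vlans)  # port number -> VLAN (static)
        self.vmps = dict(vmps or {})         # source MAC -> VLAN (dynamic)
        self.mac_table = {}                  # (vlan, mac) -> port

    def members(self, vlan):
        return sorted(p for p, v in self.port_vlans.items() if v == vlan)

    def receive(self, port, src, dst):
        """Process one frame; return the ports it is forwarded out of."""
        if src in self.vmps:
            # Dynamic VLAN: the port is reassigned to the VLAN the VMPS
            # database holds for this MAC, whatever the port's static VLAN.
            self.port_vlans[port] = self.vmps[src]
        vlan = self.port_vlans[port]
        self.mac_table[(vlan, src)] = port  # learn the source address
        if dst == BCAST or (vlan, dst) not in self.mac_table:
            # Broadcast or unknown unicast: flood, but only inside this VLAN.
            return [p for p in self.members(vlan) if p != port]
        out = self.mac_table[(vlan, dst)]
        return [] if out == port else [out]


# Constructed scenario from the text: a 12-port switch, ports 1-6 in VLAN 1
# and 7-12 in VLAN 2, with three hosts using constructed MAC addresses.
STATIC = {p: (1 if p <= 6 else 2) for p in range(1, 13)}
A, B, C = "0200.aaaa.aaaa", "0200.bbbb.bbbb", "0200.cccc.cccc"


def static_vlan_demo():
    sw = Switch(STATIC)
    return {
        "A broadcasts from port 3": sw.receive(3, A, BCAST),
        "B on port 5 replies to A": sw.receive(5, B, A),
        "A sends unicast to B": sw.receive(3, A, B),
        "C on port 9 (VLAN 2) sends to A": sw.receive(9, C, A),
        "A moved to port 11 broadcasts": sw.receive(11, A, BCAST),
    }


def dynamic_vlan_demo():
    # VMPS database maps host A to VLAN 1, so moving A keeps its membership.
    sw = Switch(STATIC, vmps={A: 1})
    flooded = sw.receive(11, A, BCAST)
    return flooded, sw.port_vlans[11]


if __name__ == "__main__":
    for step, ports in static_vlan_demo().items():
        print(f"{step}: forwarded to ports {ports}")
    print("dynamic:", dynamic_vlan_demo())
```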
Not all switches support VLANs. While most expensive switches do, you won't get "the
works" unless you are using a Cisco Catalyst. Cisco has created proprietary protocols to
manage VLANs. VLAN Trunking Protocol (VTP) enables Cisco switches to advertise VLAN
routes to other VTP-enabled switches. It also allows a system administrator to manage all
VLANs from a central point and order all switches to update the VLAN information along the
entire network. 3com Superstack switches also have great VLAN support. However, there
have been some compatibility issues associated with multi-vendor VLAN devices. Most
organizations using VLANs have figured out it is worth shelling out the extra cash to go with
Cisco equipment and get the extra features and functionality.
(5) Security
Periodically, sensitive data may be broadcast on a network. In such cases, placing only
those users who may have access to that data in a VLAN reduces the chances of an
outsider gaining access to the data. VLANs can also be used to control broadcast domains,
set up firewalls, restrict access, and inform the network manager of an intrusion.
When you want traffic from multiple VLANs to traverse a link that interconnects two
switches (that is, when VLANs span multiple switches), you need to configure a VLAN
tagging method on the ports that supply the link.
Figure 14 shows tagged and untagged frames. Frames are handled according to the type of
link they are traversing. A means of keeping track of users & frames as they
IEEE 802.1Q
802.1Q is the industry-standard trunking protocol, used when you need to interconnect
switches of different types (for example, a Cisco switch and an Avaya switch).
VLAN Trunking Protocol (VTP) ensures that all switches in the VTP domain are aware of all
VLANs. There are occasions, however, when VTP can create unnecessary traffic. All
unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches
in the network receive all broadcasts, even in situations where few users are connected in
that VLAN. VTP pruning is a feature used to eliminate (or prune) this unnecessary traffic.
By default, all Cisco Catalyst switches are configured to be VTP servers. Cisco switches use
the proprietary VTP to exchange VLAN configuration information between switches. VTP
defines a Layer 2 messaging protocol that allows the switches to exchange VLAN
configuration information so that the VLAN configuration stays consistent throughout a
network. For instance, if you want to use VLAN 3 and name it accounting, you can
configure that information in one switch, and VTP will distribute that information to the rest of
the switches. VTP manages the additions, deletions, and name changes of VLANs across
multiple switches, minimizing misconfigurations and configuration inconsistencies that can
cause problems, such as duplicate VLAN names or incorrect VLAN type settings.
VTP makes VLAN configuration easier. However, you have not yet seen how to configure
VLANs, so to better appreciate VTP, consider this example: If a network has ten
interconnected switches, and parts of VLAN 3 were on all ten switches, you would have to
enter the same config command on all ten switches to create the VLAN. With VTP, you
would create VLAN 3 on one switch, and the other nine switches would learn about VLAN 3
dynamically. The VTP process begins with VLAN creation on a switch called a VTP server.
The changes are distributed as a broadcast throughout the network. Both VTP clients and
servers hear the VTP messages and update their configuration based on those messages.
So VTP allows switched network solutions to scale to large sizes by reducing the manual
configuration needs in the network.
[Figure: one VTP server advertising to two VTP clients]
Server: In VTP server mode, you can create, modify, and delete VLANs and specify
other configuration parameters, such as VTP version and VTP pruning, for the entire VTP
domain. VTP servers advertise their VLAN configuration to other switches in the same
VTP domain and synchronize their VLAN configuration with other switches based on
advertisements received over trunk links. VTP server is the default mode.
Client: VTP clients behave the same way as VTP servers, but you cannot create,
change, or delete VLANs on a VTP client.
that do not have any ports in that VLAN. Switches with pruning enabled send broadcasts
only to the trunk links that actually need the information.
VTP Version : 2
Configuration Revision : 1
MD5 digest : 0x7F 0x37 0x5A 0xA6 0x0A 0xAA 0xA9 0x19
found)
Pruning switched on
VTP Version : 2
Configuration Revision : 2
MD5 digest : 0x09 0x93 0x62 0xEA 0x38 0x07 0x14 0xE1
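The following Python model is an added illustration (not textbook or Cisco code) of the VTP behaviour described above: a server creates VLANs and increments its configuration revision, and a client replaces its own VLAN database when it hears an advertisement for its domain carrying a higher revision than the one it holds. The domain name testdomain and VLAN names Sales and Marketing are the lab's; the MD5 computation over the database is a simplification of the digest show vtp status displays. Because acceptance is decided by domain and revision alone, the revision of any switch should be checked with show vtp status before it is connected to an existing domain.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    mode: str                       # "server" or "client"
    domain: str = "testdomain"      # VTP domain name used in the lab
    revision: int = 0               # configuration revision number
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid, vlan_name):
        """Create a VLAN; only a server may do this, and it bumps the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VLANs cannot be created on a VTP client")
        self.vlans[vid] = vlan_name
        self.revision += 1
        return self.advertisement()

    def advertisement(self):
        """Summary advertisement: domain, revision and an MD5 over the database,
        the same fields show vtp status displays (digest input is simplified)."""
        body = repr((self.domain, self.revision, sorted(self.vlans.items())))
        return {
            "domain": self.domain,
            "revision": self.revision,
            "vlans": dict(self.vlans),
            "md5": hashlib.md5(body.encode()).hexdigest(),
        }

    def receive(self, advert):
        """Apply an advertisement heard on a trunk; True if the database changed."""
        if advert["domain"] != self.domain:
            return False            # advertisements from other domains are ignored
        if advert["revision"] <= self.revision:
            return False            # nothing newer than what we already hold
        self.revision = advert["revision"]
        self.vlans = dict(advert["vlans"])
        return True


def sync_domain(server, others):
    """Flood the server's current advertisement to every other switch."""
    advert = server.advertisement()
    return {sw.name: sw.receive(advert) for sw in others}


def lab_run():
    # The lab above: Switch0 is the server, Switch1 the client.
    switch0 = VtpSwitch("Switch0", "server")
    switch1 = VtpSwitch("Switch1", "client")
    switch0.add_vlan(2, "Sales")
    switch0.add_vlan(3, "Marketing")
    changed = sync_domain(switch0, [switch1])
    return switch0, switch1, changed


if __name__ == "__main__":
    s0, s1, changed = lab_run()
    print("client updated:", changed, "revision", s1.revision, "vlans", s1.vlans)
```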
hostname Router0
interface FastEthernet0/0
no ip address
interface FastEthernet0/0.1
interface FastEthernet0/0.2
description vlan2
encapsulation dot1Q 2
interface FastEthernet0/0.3
description vlan3
encapsulation dot1Q 3
To configure VLANs on a Cisco Catalyst switch, use the global configuration vlan command,
as in the following example:
Switch# config t
Switch(config)# vlan ?
Switch(config)# vlan 2
Switch(config)# vlan 3
2960A(vlan)#
2. To configure VLANs on the 2960 switch, use the vlan # name command.
Switch0(vlan)#vlan 2 name Sales
VLAN 2 added:
Name: Sales
VLAN 3 added:
VLAN 2 added:
Name: Sales
Switch0(vlan)#exit
APPLY completed.
Exiting.
Switch0#exit
...
...
You can also configure multiple ports at the same time with the interface range command.
For example, ports 6 through 12 can be placed in VLAN 3.
Switch# conf t
...
Switch0 configuration
hostname Switch0
interface FastEthernet0/1
interface FastEthernet0/10
switchport access vlan 2
interface FastEthernet0/20
interface Vlan1
ip default-gateway 192.168.1.1
(1) Router
Router0#sh run
hostname Router0
interface FastEthernet0/0
no ip address
interface FastEthernet0/0.1
interface FastEthernet0/0.2
encapsulation dot1Q 2
interface FastEthernet0/0.3
encapsulation dot1Q 3
(2) Switch
Connect to the Switch0 switch and set the hostname, interface descriptions, IP address,
subnet mask, and default-gateway information. The IP address of the switch will be
172.16.1.10/24, with a default gateway of 172.16.1.1.
Switch>en
Switch#conf t
Switch(config)#hostname Switch0
Switch0(config)#line console 0
Switch0(config-line)#password test
Switch0(config-line)#login
Switch0(config-line)#line vty 0 15
Switch0(config-line)#password test
Switch0(config-line)#login
Switch0(config-line)#exit
Switch0(config)#interface VLAN 1
Switch0(config-if)#no shutdown
Switch0(config-if)#exit
Switch0(config)#exit
Switch0#ping 172.16.1.1
Create a VTP domain of testdomain and leave the Switch0 as a VTP server
Switch0(config)#vtp domain testdomain
Connect to the Switch1 switch and set the hostname, interface descriptions, IP address,
subnet mask, and default-gateway information. The IP address of the switch will be
172.16.1.11/24, with a default gateway of 172.16.1.1.
Switch>en
Switch#conf t
Switch(config)#hostname Switch1
Switch1(config)#line console 0
Switch1(config-line)#password test
Switch1(config-line)#login
Switch1(config-line)#line vty 0 15
Switch1(config-line)#password test
Switch1(config-line)#login
Switch1(config-line)#exit
Switch1(config)#interface vlan 1
Switch1(config-if)#no shutdown
Switch1 (config-if)#exit
Switch1(config)#exit
Switch1#ping 172.16.1.1
Configure the Switch1 to be a member of the VTP domain testdomain, and configure the
Switch1 as a VTP client.
Switch1(config)#vtp domain testdomain
VLAN 2 modified:
Name: Sales
VLAN 3 modified:
Name: Marketing
Switch0(vlan)#exit
APPLY completed.
Exiting.
Note that we created the two VLANs using numbers 2 and 3. VLAN 1 is configured by
default on all switches and cannot be changed or deleted.
Go to Switch1 and type show vlan to verify that the VLAN information was shared by
VTP.
Switch1#show vlan
2 Sales active
3 Marketing active
You should see three VLANs, 1-3, that were shared via VTP from the 2960A switch.
PC0 and PC2 will be in VLAN2, Sales, which has a subnet address of 172.16.2.0/24. PC0
will be 172.16.2.10 and PC2 will be 172.16.2.11. The default gateway will be 172.16.2.1,
which is configured on the Router0.
You can configure PortFast on the access port. This enables a switch port to come up
quickly instead of waiting the typical 50 seconds for spanning tree to go through its cycle.
However, if you turn PortFast on, you had better be sure you do not create a physical loop
in the switched network, or it will bring your network down: you are telling the switch not to
check for loops on these ports.
Switch1(config-if)#spanning-tree portfast
Once you can ping, you know you have configured at least one VLAN correctly.
Configure PC1 and PC3 to be in VLAN3. From the Switch0, configure port F0/20 to be a
member of VLAN 3.
Switch0#config t
Catalyst switches have a variety of methods that can secure or control user access. Users
can be authenticated as they connect to or through a switch, and can be authorized to
perform certain actions on a switch. User access can be recorded as switch accounting
information. Physical switch port access can also be controlled based on the user's
MAC address or authentication.
In addition, Catalyst switches can detect and prevent certain types of attacks. Several
features can be used to validate information passing through a switch so that spoofed
addresses can't be used to compromise hosts.
Where user workstations are stationary, their MAC addresses always can be expected to
connect to the same access-layer switch ports. If stations are mobile, their MAC addresses
can be learned dynamically or added to a list of addresses to expect on a switch port.
Catalyst switches offer the port security feature to control port access based on MAC
addresses. To configure port security on an access-layer switch port, begin by enabling it
with the following interface-configuration command:
Switch(config)# interface fa0/5
Next, you must identify a set of allowed MAC addresses so that the port can grant them
access. You can explicitly configure addresses or they can be learned dynamically from port
traffic. By default, Port Security will allow only one MAC on an interface. The maximum
number of allowed MACs can be adjusted, up to 1024:
Switch(config-if)# switchport port-security maximum 2
Only hosts configured with the above two MAC addresses will be able to send traffic through
this port. If the number of static addresses configured is less than the maximum number of
addresses secured on a port, the remaining addresses are learned dynamically.
MAC addresses that are dynamically learned with Port Security are referred to as Sticky
Addresses.
Switch(config-if)# switchport port-security mac-address sticky
Dynamically learned addresses can be aged out after a period of inactivity (measured in
minutes). By default, no aging occurs.
Switch(config-if)# switchport port-security aging time 10
Port Security can instruct the switch on how to react if an unauthorized MAC address
attempts to forward traffic through an interface (this is considered a violation). There are
three violation actions a switch can take:
shutdown: Puts the interface into the error-disabled state immediately and sends
an SNMP trap notification.
protect}
As an example of the protect mode, a switch interface has received the following
configuration commands:
Switch(config)#int f 0/1
Switch(config-if)#switchport port-security
[Figure: Server 1 (MAC 0200.1111.1111) on Fa0/1, Server 2 (MAC 0200.2222.2222) on Fa0/2, User1 on Fa0/3; switchport port-security applied]
To show the port status, use the show port-security interface command:
Switch#show port-security interface fa0/2
To display a summary of the port-security status, use the show port-security command:
Switch#sh port-security
---------------------------------------------------------------------------
Fa0/1 1 1 1 Up
Fa0/2 1 1 1 Up
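The following Python model is an added illustration, not textbook or Cisco code, of the port-security behaviour described above: a per-port MAC limit (default 1), static and dynamically learned secure addresses, inactivity aging in minutes, and the three violation actions shutdown, restrict and protect. Server 1's MAC is taken from the figure; the other MAC addresses, the maximum of 2 on Fa0/3 and the aging time of 10 minutes are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1                 # default: one secure MAC per port
    violation: str = "shutdown"      # "shutdown" | "restrict" | "protect"
    static: set = field(default_factory=set)      # switchport port-security mac-address X
    aging_time: int = 0              # minutes of inactivity; 0 = never age (default)
    learned: dict = field(default_factory=dict)   # dynamically learned MAC -> idle minutes
    status: str = "secure-up"
    violation_count: int = 0
    notifications: list = field(default_factory=list)  # SNMP traps / syslog messages sent

    def secure_macs(self):
        return self.static | set(self.learned)

    def frame(self, src_mac):
        """Handle one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.status == "err-disabled":
            return "err-disabled"                 # stays down until an admin recovers it
        if src_mac in self.secure_macs():
            if src_mac in self.learned:
                self.learned[src_mac] = 0         # traffic resets the inactivity timer
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned[src_mac] = 0             # learn it (sticky if so configured)
            return "forward"
        # Unauthorised MAC while the port is full: a violation.
        if self.violation == "shutdown":
            self.status = "err-disabled"
            self.violation_count += 1
            self.notifications.append(f"{self.name}: err-disabled, violation by {src_mac}")
            return "err-disabled"
        if self.violation == "restrict":
            self.violation_count += 1
            self.notifications.append(f"{self.name}: dropped frame from {src_mac}")
            return "drop"
        return "drop"                             # protect: silently dropped, not counted

    def tick(self, minutes=1):
        """Advance the inactivity clock and age out idle dynamic addresses."""
        if not self.aging_time:
            return
        for mac in list(self.learned):
            self.learned[mac] += minutes
            if self.learned[mac] >= self.aging_time:
                del self.learned[mac]


# Constructed scenario following the figure: Server 1 statically secured on
# Fa0/1 (shutdown on violation); Fa0/3 allows two learned hosts (protect).
SERVER1 = "0200.1111.1111"
UNKNOWN = "0200.9999.9999"   # constructed, not an address from the text


def fa0_1_demo():
    port = SecurePort("Fa0/1", static={SERVER1})
    return [port.frame(SERVER1), port.frame(UNKNOWN), port.frame(SERVER1)], port


def fa0_3_demo():
    port = SecurePort("Fa0/3", maximum=2, violation="protect", aging_time=10)
    results = [port.frame(m) for m in ("0200.3333.3333", "0200.4444.4444", UNKNOWN)]
    port.tick(10)                                 # ten idle minutes: both entries age out
    results.append(port.frame(UNKNOWN))           # now there is room again
    return results, port


if __name__ == "__main__":
    print(fa0_1_demo()[0], fa0_3_demo()[0])
```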
6.2 DHCP
Router1#conf t
Router1(dhcp-config)#domain-name domain1.site
Router1(dhcp-config)#netbios-name-server 192.168.1.2
Router1(dhcp-config)#netbios-node-type h-node
Router1(dhcp-config)#lease 2 12 30
Router1(dhcp-config)#exit
The lease command takes up to three arguments, lease days hours minutes, with hours and
minutes being optional.
When DHCP is enabled, the router allocates IP addresses from the configured pool by
binding them to device MAC addresses. You can see the address bindings
[Figure: a DHCP server answering DHCP requests from two DHCP clients with IP addresses]
The sub-interfaces f0/0.2 and f0/0.3 are configured as DHCP relay agents, and DHCP
Discover requests are forwarded to the DHCP server at 192.168.0.3.
interface FastEthernet0/0.1
interface FastEthernet0/0.2
encapsulation dot1Q 2
ip helper-address 192.168.0.3
interface FastEthernet0/0.3
encapsulation dot1Q 3
ip helper-address 192.168.0.3
!
In the case of a Linux DHCP server, /etc/dhcp.conf would include subnet lease ranges
such as the following:
subnet 192.168.0.0 netmask 255.255.255.0 {
The same concept applies to any DHCP server product (e.g. a Cisco router or MS
Windows Server).
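The following Python model is an added illustration, not textbook code, of the relay-agent exchange described above: a client on VLAN 2 or VLAN 3 broadcasts a DHCPDISCOVER, the router sub-interface rewrites it into a unicast to the helper address 192.168.0.3 with giaddr set to its own address, and the server chooses the pool whose subnet contains giaddr. The helper address and VLAN numbers are from the configuration above; the sub-interface addresses, the pools and the client MAC addresses are assumptions.

```python
import ipaddress

HELPER = "192.168.0.3"   # ip helper-address from the configuration above

# Relay sub-interfaces: name -> (VLAN, interface address).  The VLAN numbers
# come from the encapsulation dot1Q lines; the addresses are assumptions.
RELAY_SUBIFS = {
    "FastEthernet0/0.2": (2, "192.168.2.1"),
    "FastEthernet0/0.3": (3, "192.168.3.1"),
}

# Server pools (constructed): subnet -> (first address, last address, default router).
SERVER_POOLS = {
    "192.168.2.0/24": ("192.168.2.10", "192.168.2.20", "192.168.2.1"),
    "192.168.3.0/24": ("192.168.3.10", "192.168.3.20", "192.168.3.1"),
}


def discover(chaddr):
    """A client's DHCPDISCOVER as it leaves the host: broadcast, giaddr zero."""
    return {"op": "DISCOVER", "chaddr": chaddr, "src": "0.0.0.0",
            "dst": "255.255.255.255", "giaddr": "0.0.0.0", "hops": 0}


def relay(subif, msg):
    """Relay-agent rewrite: unicast to the helper with giaddr = our address."""
    _vlan, addr = RELAY_SUBIFS[subif]
    if msg["dst"] != "255.255.255.255":
        return msg                  # already unicast: forward unchanged
    out = dict(msg, src=addr, dst=HELPER, hops=msg["hops"] + 1)
    if out["giaddr"] == "0.0.0.0":
        out["giaddr"] = addr        # only the first relay on the path sets giaddr
    return out


def server_offer(msg, leased):
    """Server side: pick the pool containing giaddr and answer the relay."""
    if msg["dst"] != HELPER or msg["op"] != "DISCOVER" or msg["giaddr"] == "0.0.0.0":
        return None                 # not a relayed request for this server
    scope = ipaddress.ip_address(msg["giaddr"])
    for net, (first, last, router) in SERVER_POOLS.items():
        if scope not in ipaddress.ip_network(net):
            continue
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        for n in range(lo, hi + 1):
            candidate = str(ipaddress.ip_address(n))
            if candidate not in leased:
                leased.add(candidate)
                # The offer goes back to the relay (giaddr), which delivers it on the VLAN.
                return {"op": "OFFER", "chaddr": msg["chaddr"], "yiaddr": candidate,
                        "router": router, "dst": msg["giaddr"], "giaddr": msg["giaddr"]}
        return None                 # pool exhausted
    return None                     # no pool for this giaddr: request ignored


def vlan_client_gets_lease(subif, chaddr, leased):
    """End to end: client broadcast -> relay -> server -> offer back to the relay."""
    return server_offer(relay(subif, discover(chaddr)), leased)


if __name__ == "__main__":
    leases = set()
    print(vlan_client_gets_lease("FastEthernet0/0.2", "0200.aaaa.0001", leases))
    print(vlan_client_gets_lease("FastEthernet0/0.3", "0200.aaaa.0002", leases))
```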
With access lists, managers can gather basic statistics on packet flow, and security policies
can be implemented. Sensitive devices can also be protected from unauthorized access.
Access lists can be used to permit or deny packets moving through the router, and to permit
or deny Telnet (VTY) access to or from a router.
Extended access lists: check the source and destination IP addresses, the protocol field in
the Network layer header, and the port number in the Transport layer header.
Once you create an access list, you apply it to an interface as either an inbound or an
outbound list:
Inbound access list: packets are processed through the access list before being routed
to the outbound interface.
Outbound access list: packets are routed to the outbound interface and then processed
through the access list.
Add access-list 10 to the serial 0/1 interface of Router0 to filter any incoming
packets.
Router0(config)#interface serial 1/0
Router0(config-if)#ip access-group 10 in
This applies access-list 10 to the serial 0/1 interface of Router0 and filters any
incoming packets.
Type show running-config to see both the access list and the interface where the
access list is applied.
Router0#show running-config
PC1 also cannot ping PC0 or Router0. PC1 can ping Router1.
Apply the access list directly to the VTY lines rather than to an interface.
Router0(config)#line vty 0 4
Router0(config-line)#access-class 20 in
Router0(config)#no access-list 10
Router0(config)#no access-list 20
Router0(config-if)#no ip access-group 10 in
Router0(config)#line vty 0 4
Router0(config-line)#no access-class 20 in
Router0(config-if)#no ip access-group 10 in
Create an access list on Router0 to block Telnet access into the 172.16.40.0 network,
but still allow ping.
Router0(config)#access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255
eq telnet
Apply this access list to serial interface 0/1 of Router0 to filter the packets coming
into the router.
Router0(config)#interface serial 1/0
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip accounting access-violations
no cdp enable
no cdp run
line vty 0 4
access-class 101 in
exec-timeout 0 0
password 7 12345678901234567890
[Figure: R0 F0/0 (.1), PC1 (.10) and PC2 (.11) on 192.168.0.0/24 via switch S0; R0 F0/1 (.1) linked to R1 F0/0 (.10) on 192.168.1.0/24]
interface FastEthernet0/0
interface FastEthernet0/1
ip access-group 1 out
R1
hostname r1
interface FastEthernet0/0
PC1
hostname pc1
interface FastEthernet0/0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
PC2
hostname pc2
interface FastEthernet0/0
[Figure: same topology as above (R0, R1, S0, PC1 and PC2)]
interface FastEthernet0/0
ip access-group 100 in
interface FastEthernet0/1
hostname r1
interface FastEthernet0/0
line vty 0 4
exec-timeout 0 0
password 7 0822455D0A16
login
Password:
r1>
Named IP ACLs allow you to delete individual entries in a specific ACL. If you are using
Cisco IOS Release 12.3, you can use sequence numbers to insert statements anywhere in
the named ACL. If you are using a software version earlier than Cisco IOS Release 12.3,
you can insert statements only at the bottom of the named ACL.
[Figure: same topology as above (R0, R1, S0, PC1 and PC2)]
6.4 NAT
One of the most important drawbacks to IP version 4 (IPv4) is the limited number of unique
network addresses; the Internet is running out of address space. Two solutions to this
dilemma are Network Address Translation (NAT) and IP version 6 (IPv6).
NAT provides a short-term solution to this problem by translating private IPv4 addresses into
globally unique, routable IPv4 addresses. IPv6 is the long-term solution by increasing the
size of an IP address to 128 bits.
In the Network Address Translation (NAT) configuration, all of your internal devices use the
same external global address as the router's external interface.
Router#conf t
Router(config)#access-list 15 permit 192.168.0.0 0.0.0.255
Router(config-if)#exit
[Figure: LAN (PCs) and DMZ (servers) joined by the Cisco router 2800A, which runs SNMP, NAT and ACLs]
LAN: network address 192.168.0.0, network mask 255.255.255.0, default gateway 192.168.0.21, router interface 192.168.0.1
DMZ: network address 202.0.0.0/28, network mask 255.255.255.224, default gateway 202.0.0.30, router interface 202.0.0.14
LAN 192.168.0.0/24
External Network (DMZ) 202.0.0.0/28
Cisco router GigabitEthernet0/0: 192.168.0.1
GigabitEthernet0/1: 202.0.0.14
Domain name domain1.site
DNS servers 202.0.0.1, 202.0.0.2
NTP server 202.0.0.2
Building configuration...
version 12.3
no service password-encryption
hostname 2800A
boot-start-marker
boot-end-marker
no network-clock-participate aim 0
no network-clock-participate aim 1
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip name-server 202.0.0.1
ip name-server 202.0.0.2
no ftp-server write-enable
interface GigabitEthernet0/0
description LAN
ip access-group 100 in
no ip redirects
no ip proxy-arp
ip accounting access-violations
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description WAN
no ip redirects
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
ip classless
no ip http server
no ip http secure-server
no cdp run
control-plane
line con 0
line aux 0
line vty 0 4
access-class 102 in
password secret
login
end
NAT has many forms and can work in the following ways:
Static NAT: Maps an unregistered IPv4 address to a registered IPv4 address (one to
one). Static NAT is particularly useful when a device must be accessible from
outside the network.
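The following Python model is an added illustration, not textbook or Cisco code, of the two NAT forms discussed here: inside hosts on 192.168.0.0/24 (the subnet access-list 15 permits in the lab) share the router's outside address 202.0.0.14 by port overload, one server has a static one-to-one mapping, and unsolicited inbound packets for which no translation exists are dropped. The host addresses, ports and the static global address 202.0.0.5 are assumptions.

```python
import ipaddress


class NatRouter:
    """Inside/outside NAT with static one-to-one entries and PAT overload."""

    def __init__(self, inside_net, outside_addr, static=None):
        self.inside_net = ipaddress.ip_network(inside_net)  # what the inside access-list permits
        self.outside_addr = outside_addr                    # the outside interface address
        self.static = dict(static or {})                    # inside local -> inside global
        self.table = {}     # (proto, inside local, local port) -> (inside global, global port)
        self.reverse = {}   # (proto, inside global, global port) -> (inside local, local port)
        self.next_port = 1024

    def _free_port(self, proto):
        while (proto, self.outside_addr, self.next_port) in self.reverse:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, proto, src, s_port):
        """Inside -> outside: return the rewritten (source address, source port)."""
        key = (proto, src, s_port)
        if key not in self.table:
            if src in self.static:
                mapping = (self.static[src], s_port)       # static NAT: port unchanged
            elif ipaddress.ip_address(src) in self.inside_net:
                mapping = (self.outside_addr, self._free_port(proto))  # overload: one address, many ports
            else:
                return (src, s_port)  # not covered by the inside list: left untranslated
            self.table[key] = mapping
            self.reverse[(proto,) + mapping] = (src, s_port)
        return self.table[key]

    def inbound(self, proto, dst, d_port):
        """Outside -> inside: the (inside local, port) the packet is delivered to,
        or None when no translation exists and the packet is dropped."""
        entry = self.reverse.get((proto, dst, d_port))
        if entry:
            return entry
        for local, global_addr in self.static.items():
            if global_addr == dst:
                return (local, d_port)  # static entries accept unsolicited inbound traffic
        return None

    def translations(self):
        """Rows in the style of show ip nat translations: (proto, inside global, inside local)."""
        return [(proto, f"{g}:{gp}", f"{l}:{lp}")
                for (proto, l, lp), (g, gp) in sorted(self.table.items())]


def lab_router():
    # Constructed: LAN 192.168.0.0/24 behind outside address 202.0.0.14 as in the
    # topology above; server 192.168.0.3 gets a static mapping to 202.0.0.5
    # (an assumed free address in the 202.0.0.0/28 DMZ range).
    return NatRouter("192.168.0.0/24", "202.0.0.14", static={"192.168.0.3": "202.0.0.5"})


if __name__ == "__main__":
    r = lab_router()
    r.outbound("udp", "192.168.0.10", 40000)
    r.outbound("udp", "192.168.0.11", 40000)
    for row in r.translations():
        print(*row)
```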
This is a practice exercise in building a NAT router. The cloud is connected to the existing
LAN (192.168.0.0/24). R0's f0/0 is connected to the cloud C0 and is therefore bridged, so
f0/0 has an IP address on the existing LAN. PC1 is in a different network, 192.168.1.1/24.
[Figure: PC1 connected to R0 F0/1; R0 F0/0 connected to the cloud]
hostname r0
ip name-server 192.168.0.3
interface FastEthernet0/0
ip nat outside
interface FastEthernet0/1
ip nat inside
!!!!!
This command shows the total number of active translations, the NAT configuration
parameters, how many addresses are in the pool, and how many have been allocated.
# show ip nat statistics
hostname R0
ip name-server 192.168.0.3
interface FastEthernet0/0
ip nat outside
interface FastEthernet0/1
ip nat inside
!!!!!
PC1
interface FastEthernet0/0
ip nat outside
interface FastEthernet0/1
ip nat inside
R1 configuration
hostname r1
interface FastEthernet0/0
interface FastEthernet0/1
NAT translation result at FW after pinging from PC1 and PC2 to 192.168.0.3.
fw#show ip nat translations
PC1 reaches the external network, as shown by traceroute. The gateway .2 redirects to .1
with an ICMP redirect reply, and PC1 then communicates with the external network.
pc1>traceroute 192.168.0.3
Bridge Connection
S0 R0
interface FastEthernet0/0
no ip address
interface FastEthernet0/0.1
encapsulation dot1Q 2
ip nat inside
interface FastEthernet0/0.2
encapsulation dot1Q 3
ip nat inside
interface FastEthernet0/1
ip nat outside
6.5 Security
6.5.1 Anti-Spoofing
IP address spoofing is a technique that changes the source IP address in a packet in order
to impersonate someone else. Figure 28 shows an attacker in the WAN crafting packets whose
source IP address is that of an administrator PC located in the LAN.
[Figure 28: LAN 192.168.1.0/24 on F0/1 (.1) and WAN 192.168.0.0/24 on F0/0 (.1); the administrator PC is at .254 in the LAN]
To protect against spoofed packets, the following ACLs need to be configured on each
interface.
interface FastEthernet0/0
ip access-group 100 in
interface FastEthernet0/1
ip access-group 101 in
By default, these options are enabled in IOS releases before 11 and disabled from IOS 12.0 onward.
Router(config)#no ip source-route
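The following Python evaluator is an added illustration, not textbook or Cisco code, serving both the access-list section (wildcard masks, first-match processing, the implicit deny at the end of every list, and ip access-group N in on an interface) and the anti-spoofing ACLs of Figure 28. ACL 110 is the Telnet filter from the access-list section, with a trailing permit assumed so that ping still works; the entries of ACL 100 and 101 are not given in the text and are constructed here: inbound on the WAN interface, packets claiming a LAN source are dropped, and inbound on the LAN interface only genuine LAN sources are allowed out.

```python
import ipaddress

PORTS = {"telnet": 23, "ssh": 22, "www": 80, "domain": 53}


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line into a rule dict."""
    tok = line.split()
    number, action = int(tok[1]), tok[2]
    extended = number >= 100
    proto = tok[3] if extended else "ip"
    i = 4 if extended else 3

    def address(i):
        if tok[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if tok[i] == "host":
            return tok[i + 1], "0.0.0.0", i + 2
        if i + 1 < len(tok) and tok[i + 1].count(".") == 3:
            return tok[i], tok[i + 1], i + 2       # address followed by wildcard
        return tok[i], "0.0.0.0", i + 1            # bare address = single host

    src, src_wc, i = address(i)
    dst, dst_wc = "0.0.0.0", "255.255.255.255"     # standard lists check source only
    if extended:
        dst, dst_wc, i = address(i)
    port = None
    if i + 1 < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return {"number": number, "action": action, "proto": proto,
            "src": (src, src_wc), "dst": (dst, dst_wc), "port": port}


def evaluate(acl, pkt):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not wildcard_match(pkt["src"], *ace["src"]):
            continue
        if not wildcard_match(pkt["dst"], *ace["dst"]):
            continue
        if ace["port"] is not None and pkt.get("dport") != ace["port"]:
            continue
        return ace["action"]
    return "deny"


# Figure 28: F0/0 faces the WAN (192.168.0.0/24), F0/1 faces the LAN
# (192.168.1.0/24).  The text binds ACL 100 inbound on F0/0 and ACL 101
# inbound on F0/1 but does not list their entries; these are constructed.
ANTI_SPOOF = {
    100: ["access-list 100 deny ip 192.168.1.0 0.0.0.255 any",    # LAN source arriving from the WAN is forged
          "access-list 100 permit ip any any"],
    101: ["access-list 101 permit ip 192.168.1.0 0.0.0.255 any"],  # only real LAN sources may leave; implicit deny
}
ACCESS_GROUPS = {"FastEthernet0/0": 100, "FastEthernet0/1": 101}   # ip access-group N in

# The Telnet filter from the access-list section; the trailing permit is an
# assumption matching the requirement that ping must still work.
ACL_110 = ["access-list 110 deny tcp host 172.16.50.3 172.16.40.0 0.0.0.255 eq telnet",
           "access-list 110 permit ip any any"]


def ingress(interface, pkt, groups=ACCESS_GROUPS, acls=ANTI_SPOOF):
    """Inbound filtering: apply the ACL bound to the interface before routing."""
    number = groups.get(interface)
    if number is None:
        return "permit"              # no inbound list on this interface
    return evaluate([parse_ace(l) for l in acls[number]], pkt)


if __name__ == "__main__":
    forged = {"proto": "icmp", "src": "192.168.1.254", "dst": "192.168.1.10"}
    print("forged admin source from WAN:", ingress("FastEthernet0/0", forged))
```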
[Figure: lab topology with PC1, PC2 and PC3 attached to the switch (ports Fa0/1 and Fa0/4 shown)]
Lab table (to be filled in): Switch designation | Switch name | Enable secret password | Enable, VTY and console passwords | VLAN 1 IP address | Default gateway | Subnet mask
Objective
Create and verify a basic switch configuration.
Configure port security on individual FastEthernet ports.
Background/Preparation
Cable a network similar to the one in the diagram. The configuration output used in this lab
is produced from a 2950 series switch. The following steps are intended to be executed on
each switch unless specifically instructed otherwise.
Note: Go to the erase and reload instructions at the end of this lab. Perform those steps on
all switches in this lab assignment before continuing.
b. There is a third host needed for this lab. It needs to be configured with the address
192.168.1.7. The subnet mask is 255.255.255.0 and the default gateway is
192.168.1.1.
Note: Do not connect this PC to the switch yet.
Step 5 Determine what MAC addresses the switch has learned
a. Determine what MAC addresses the switch has learned by using the show
mac-address-table command.
b. How many dynamic addresses are there? -------------------------------------------------------
c. How many total MAC addresses are there? -----------------------------------------------------
d. Do the MAC addresses match the host MAC addresses? -----------------------------------
Hands-on-Lab 11 DHCP
[Figure: lab topology with PC1 and PC2]
Configure the above network with the above network addressing. Configure Router1 to
provide DHCP to PC1 and Router2 to provide DHCP to PC2. At the end of the lab, PC1 and
PC2 should be able to ping each other.
NAT
[Figure: NAT lab topology. Labels recovered from the diagram: www (Inside Web Server, .10) on 192.168.30.0/24 behind R1 (.1); R1 S0/0 .1 to ISP S0/0 .2 over 210.0.0.0/30; SRV .10 on 210.0.1.0/24 (.1) behind the ISP; serial links 10.0.0.0/30 (.1, .2) and 10.0.0.4/30 (.5, .6) on S0/1, S0/2 and S0/0 toward R2 and R3; R2 F0/0 with VLAN 10: Marketing (192.168.10.100-254, F1/0-7) and VLAN 11: Sales (192.168.11.100-254, F1/8-15); R3 F0/0 192.168.20.100-254, DHCP; S0]
5. Configure DHCP
Configure PCs as a DHCP client.
On R3, configure three DHCP pools, for the networks 192.168.10.0/24,
192.168.11.0/24 and 192.168.20.0/24.
On R2, configure a DHCP relay agent so that PC1 and PC2 can acquire IP
addresses from R3.
A variety of WAN technologies exist. Most of them operate at the lowest two layers of the OSI model, the physical and data link layers, although some implement the network layer as well. Higher-layer protocols such as IP are encapsulated when sent across the WAN link. Figure 27 illustrates the relationship between the common WAN technologies and the OSI model.
The choice of encapsulation protocol depends on the WAN technology and the
communicating equipment. Typical WAN protocols include the following:
Asynchronous Transfer Mode (ATM) - ATM is the international standard for cell
relay, in which multiple service types (such as voice, video, or data) are conveyed in
fixed-length (53-byte) cells. Fixed-length cells allow processing to occur in hardware,
thereby reducing transit delays. ATM is designed to take advantage of high-speed
transmission media such as E3, Synchronous Optical Network (SONET), and T3.
HDLC is also Cisco's default encapsulation type for serial point-to-point links. HDLC provides no authentication mechanism.
Because it is standardized, PPP supports vendor interoperability. PPP uses its Network
Control Protocol (NCP) component to encapsulate multiple protocols, as shown in Figure 30.
PPP uses another of its major components, the Link Control Protocol (LCP), to negotiate
and set up control options on the WAN data link. PPP supports several features that
standalone HDLC does not:
Authentication
Compression
Multilink
Callback
Error Control
Three phases of a PPP session establishment are described in the following list:
CHAP uses a three-way handshake. It occurs at the startup of a link and periodically thereafter to verify the identity of the remote node. After the PPP link establishment phase is complete, the local router sends a challenge message to the remote node. The remote node responds with a value calculated with a one-way hash function, typically Message Digest Algorithm 5 (MD5), over the password and the challenge message.
The local router checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged. Otherwise, the connection is terminated immediately. CHAP uses an MD5 hash.
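The CHAP exchange just described, as an added Python example that is not part of the textbook: the response is MD5 over the identifier, the shared secret and the challenge (the RFC 1994 construction), the local router recomputes it from its own username table, and a fresh challenge per attempt means a captured response is useless later. The hostnames and the secret cisco follow the R1/R2 configuration later in this chapter; the challenge bytes are generated here.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Value the remote node returns: MD5(identifier || secret || challenge), per RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()

class ChapAuthenticator:
    """Local router side: issues a fresh challenge and checks the reply against
    its 'username <peer> password <secret>' table."""

    def __init__(self, usernames: dict):
        self.usernames = usernames
        self.identifier = 0

    def challenge(self) -> tuple:
        """New identifier and random challenge value for every attempt."""
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def verify(self, peer: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        """True: authentication acknowledged. False: the connection is terminated."""
        secret = self.usernames.get(peer)
        if secret is None:                     # unknown peer name
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def chap_handshake(local: ChapAuthenticator, peer_name: str, peer_secret: str) -> bool:
    """Three-way handshake: challenge, response, success or failure."""
    ident, chal = local.challenge()
    resp = chap_response(ident, peer_secret, chal)  # the password itself never crosses the link
    return local.verify(peer_name, ident, chal, resp)

def replay_fails(local: ChapAuthenticator, peer_name: str, peer_secret: str) -> bool:
    """A response captured on the wire does not satisfy the next challenge."""
    ident, chal = local.challenge()
    captured = chap_response(ident, peer_secret, chal)
    new_ident, new_chal = local.challenge()
    return not local.verify(peer_name, new_ident, new_chal, captured)

if __name__ == "__main__":
    r1 = ChapAuthenticator({"R2": "cisco"})    # hostname R1 / username R2 password cisco
    print("R2 with the right secret:", chap_handshake(r1, "R2", "cisco"))
    print("R2 with a wrong secret  :", chap_handshake(r1, "R2", "c1sco"))
    print("replayed response       :", "rejected" if replay_fails(r1, "R2", "cisco") else "accepted")
```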
Router(config)#int s0
Router(config-if)#encapsulation ppp
Router(config-if)#^Z
Router#
Router(config)#hostname RouterA
When using the hostname command, remember that the username is the hostname of the remote router that's connecting to your router, and it is case sensitive. Also, the password on both routers must be the same. It's a plain-text password that you can see with a show run command; you can encrypt the password by using the command service password-encryption.
You must have a username and password configured for each remote system you plan to connect to. The remote routers must also be configured with usernames and passwords.
Now, after you've set the hostname, usernames, and passwords, choose the authentication type, either CHAP or PAP:
RouterA#config t
RouterA(config)#int s0
RouterA(config-if)#^Z
RouterA#
R1 (S0/1)
hostname R1
username R2 password cisco
!
int serial 0/1
ip address 10.0.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap

R2 (S0/1)
hostname R2
username R1 password cisco
!
int serial 0/1
ip address 10.0.1.2 255.255.255.0
encapsulation ppp
ppp authentication chap
encapsulation ppp
clockrate 64000
R2
hostname R2
encapsulation ppp
30 carrier transitions
R2
R2#sh int s0/1
LCP Open
1 carrier transitions
If your PPP encapsulation and authentication are set up correctly on both routers, and your
usernames and passwords are all good, then the debug ppp authentication command will
display an output that looks like this:
Debug ppp authentication
changed state to up
7.6 Troubleshooting
R1 (S0/1)
hostname R1
username R2 password cisco
!
int serial 0/1
ip address 10.0.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap

R2 (S0/1)
hostname R2
username R1 password cisco
!
int serial 0/1
ip address 10.0.1.2 255.255.255.0
encapsulation hdlc
ppp authentication chap
The serial interface is down and LCP is sending requests but will never receive any
responses because router R2 is using the HDLC encapsulation. To fix this problem, you
configure the PPP encapsulation on the serial interface on router R2.
R1 (S0/1)
hostname R1
username R2 password cisco
!
int serial 0/1
ip address 10.0.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap

R2 (S0/1)
hostname R2
username R1 password cisco
!
int serial 0/1
ip address 10.2.1.2 255.255.255.0
encapsulation hdlc
ppp authentication chap

LCP Open
The IP addresses between the routers are wrong, but the link looks like it's working fine. This is because PPP, like HDLC and Frame Relay, is a layer 2 WAN encapsulation and doesn't care about IP addresses at all. So yes, the link is up, but you can't use IP across this link since it's misconfigured.
To find and fix this problem, you can use the show running-config or the show interfaces command on each router, or you can use the show cdp neighbors detail command:
R2
R2# sh cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
IP address: 10.0.1.1
Platform: cisco 2611XM, Capabilities: Router
Version :
IOS (tm) C2600 Software (C2600-I-M), Version 12.3(6c), RELEASE SOFTWARE (fc1)
advertisement version: 2
R1
R1#sh cdp neighbors detail
-------------------------
Device ID: R2
Entry address(es):
IP address: 10.2.1.2
Version :
IOS (tm) C2600 Software (C2600-I-M), Version 12.2(21b), RELEASE SOFTWARE (fc2)
advertisement version: 2
You can view and verify the directly connected neighbor's IP address and then solve your problem.
Indexes
Keywords
A
ACL, 151
C
CDP, 43, 49
CLI, 29, 30, 189
D
Dynamic VLANs, 127
E
(EIGRP), 78
Erasable Programmable Read Only Memory
I
IOS, 10, 11, 14, 18, 26, 27, 29, 30, 31, 173, 196
L
Link State Advertisements (LSA), 81
N
non-volatile RAM (NVRAM), 10
R
Routing Information Protocol (RIP), 71
S
Static VLANs, 126
switched networks, 124
V
variable length subnet masks (VLSM), 77
VTP transparent, 133